
Wheezy Server Guide



Hello everyone.

Guide to setting up a secure and private Wheezy server: mail, DokuWiki,
Mailman, anonymous FTP and sshd. (incomplete)

1. Expert install.
2. In tasksel, select mail server, web server, basic tools and SSH
server.
3. When the installation finishes, install DokuWiki, Mailman and vsftpd.
exim4, dovecot and others are already installed: # dpkg -l
4. For security, install Tiger, Snort, RKHunter and Lynis.
5. To review activity, install LogWatch.
6. To check integrity: Tripwire, Debsums and Snort.
7. Configure DokuWiki: # dpkg-reconfigure dokuwiki and answer according
to your needs.
8. Configure Mailman, following
/usr/share/doc/README.Exim4.Debian.gz.

Here's a way to integrate mailman with Exim4 that will automatically
play nice with mailman's virtual domains support and VERP. It does not
require dedicating domain(s) to mailman.

Configure your Mailman (in /etc/mailman/mm_cfg.py) with:

MTA = 'Postfix'
POSTFIX_ALIAS_CMD = '/bin/true'
POSTFIX_MAP_CMD = 'chgrp Debian-exim'

and list all your Mailman domains in "POSTFIX_STYLE_VIRTUAL_DOMAINS":

POSTFIX_STYLE_VIRTUAL_DOMAINS = [ 'example.com', 'example.org' ]

Please note that the chgrp command above will not work when creating a
list in the web interface: the user www-data will not be allowed to do
this. You can circumvent this problem by creating new lists with the
'newlist' command line command or using instead:
POSTFIX_MAP_CMD = 'chmod o+r'
This will allow local users (with shell access to the list server) to
see the list of all Mailman mailing lists, but not much more.

If you have created lists before making those changes to mm_cfg.py
(and you are not going to create others before running the system in
production), you need to run /var/lib/mailman/bin/genaliases once; it
will be done automatically every time you create / delete a mailing
list in the future.

And yes, the "Postfix" there is on purpose, it should not be replaced
by "exim4". It causes mailman to (among others) create a list of
mailman lists, including what virtual domain they should be in. That
is the information that is used here; the rest is ignored.

Put this in your exim4 main configuration (if you use a split config,
for example /etc/exim4/conf.d/main/04_local_mailman_macros)

---------------------- BEGIN EXIM4 MAIN   ----------------------------
# Home dir for your Mailman installation -- aka Mailman's prefix
# directory.
MAILMAN_HOME=/var/lib/mailman
MAILMAN_WRAP=MAILMAN_HOME/mail/mailman

# User and group for Mailman, should match your --with-mail-gid
# switch to Mailman's configure script.
MAILMAN_USER=list
MAILMAN_GROUP=daemon

# Where to store messages sent to mailman-loop - used if the
# mailman-owner address bounces.
MAILMAN_LOOP=MAILMAN_HOME/data/owner-bounces.mbox
----------------------  END EXIM4 MAIN    ----------------------------

Put this in your exim4 router configuration (if you use a split
config, then for example /etc/exim4/conf.d/router/970_local_mailman)

---------------------- BEGIN EXIM4 ROUTER ----------------------------
# Messages get sent out with
# envelope from "mailman-bounces@virtual_domain"
# But mailman doesn't put such addresses
# in the aliases. Recognise these here.
mailman_workaround:
  debug_print = "R: mailman_workaround for $local_part@$domain"
  domains = +local_domains
  require_files = MAILMAN_HOME/lists/$local_part/config.pck
  driver = accept
  local_parts = mailman
  local_part_suffix_optional
  local_part_suffix = -bounces : -bounces+* : \
           -confirm+* : -join : -leave : \
           -subscribe : -unsubscribe : \
           -owner : -request : -admin
  transport = mailman_transport
  group = MAILMAN_GROUP

# We need to handle the mailman-loop separately from the other addresses
# since the loop action is not handled by the wrapper.
mailman_loop_router:
  debug_print = "R: mailman_loop for $local_part@$domain"
  domains = +local_domains
  require_files = MAILMAN_HOME/lists/$local_part/config.pck
  driver = accept
  local_parts = mailman
  transport = mailman_loop_transport
  local_part_suffix = -loop
  group = MAILMAN_GROUP

# Mailman lists
mailman_router:
  debug_print = "R: mailman_router for $local_part@$domain"
  domains = +local_domains
  condition = ${lookup{$local_part@$domain}lsearch{MAILMAN_HOME/data/virtual-mailman}{1}{0}}
  require_files = MAILMAN_HOME/lists/$local_part/config.pck
  driver = accept
  local_part_suffix_optional
  local_part_suffix = -bounces : -bounces+* : \
                      -confirm+* : -join : -leave : \
                      -subscribe : -unsubscribe : \
                      -owner : -request : -admin
  transport = mailman_transport
  group = MAILMAN_GROUP
----------------------  END EXIM4 ROUTER  ----------------------------

Put this in your exim4 transport configuration (if you use a split
config, then for example /etc/exim4/conf.d/transport/40_local_mailman)

---------------------- BEGIN EXIM4 TRANSPORT -------------------------
mailman_transport:
  debug_print = "T: mailman_transport for $local_part@$domain"
  driver = pipe
  command = MAILMAN_WRAP \
            '${if def:local_part_suffix \
                  {${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \
                  {post}}' \
            $local_part
  current_directory = MAILMAN_HOME
  home_directory = MAILMAN_HOME
  user = MAILMAN_USER
  group = MAILMAN_GROUP
  freeze_exec_fail = true

mailman_loop_transport:
  driver = appendfile
  file = MAILMAN_LOOP
  delivery_date_add
  envelope_to_add
  return_path_add
  user = MAILMAN_USER
  group = MAILMAN_GROUP
----------------------  END EXIM4 TRANSPORT  -------------------------

You are done!

 -- Lionel Elie Mamane <lmamane@debian.org>, Fri, 20 Mar 2009 09:27:39 +0100
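As an added example (not part of the quoted README or of this message), a small Python model of how the three routers and the pipe transport above dispatch an address: it emulates the local_part_suffix list, the lsearch against data/virtual-mailman, and the ${sg...} rewrite that turns a suffix into the wrapper subcommand. The virtual-mailman contents, list names and local domains are constructed sample data; membership in the LISTS set stands in for the require_files check on lists/<name>/config.pck.

```python
import re

# Suffixes from mailman_workaround / mailman_router, in Exim's try order ("*" = wildcard).
LIST_SUFFIXES = ["-bounces", "-bounces+*", "-confirm+*", "-join", "-leave",
                 "-subscribe", "-unsubscribe", "-owner", "-request", "-admin"]

def split_suffix(local_part, suffixes):
    """Emulate local_part_suffix: (base, suffix), or (local_part, '') when nothing matches."""
    for suf in suffixes:
        if suf.endswith("*"):                       # wildcard suffix such as -bounces+*
            idx = local_part.find(suf[:-1])
            if idx > 0:
                return local_part[:idx], local_part[idx:]
        elif local_part.endswith(suf) and len(local_part) > len(suf):
            return local_part[:-len(suf)], suf
    return local_part, ""

def wrapper_command(suffix):
    """The transport's ${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{$1}}; 'post' when no suffix."""
    return re.sub(r"-(\w+)(\+.*)?", r"\1", suffix) if suffix else "post"

def lsearch(table, key):
    """Exim lsearch: True if a non-comment line's key (up to ':' or whitespace) equals key."""
    return any(re.split(r"[:\s]", ln, 1)[0] == key
               for ln in map(str.strip, table.splitlines()) if ln and not ln.startswith("#"))

def route(address, local_domains, virtual_mailman, lists):
    """Walk the routers in config order; return (router, transport action) or None."""
    local_part, domain = address.rsplit("@", 1)
    if domain not in local_domains:                     # domains = +local_domains
        return None
    base, suffix = split_suffix(local_part, LIST_SUFFIXES)
    if base == "mailman" and "mailman" in lists:        # mailman_workaround
        return "mailman_workaround", f"MAILMAN_WRAP {wrapper_command(suffix)} mailman"
    loop_base, loop_suffix = split_suffix(local_part, ["-loop"])
    if loop_base == "mailman" and loop_suffix and "mailman" in lists:   # mailman_loop_router
        return "mailman_loop_router", "appendfile to MAILMAN_LOOP"
    if base in lists and lsearch(virtual_mailman, f"{base}@{domain}"):  # mailman_router
        return "mailman_router", f"MAILMAN_WRAP {wrapper_command(suffix)} {base}"
    return None

# Constructed sample of data/virtual-mailman (as genaliases writes it); LISTS stands in
# for the lists/<name>/config.pck files that require_files checks.
VIRTUAL_MAILMAN = """# STANZA START: debian-ong
debian-ong@example.org             debian-ong
debian-ong-bounces@example.org     debian-ong-bounces
# STANZA END: debian-ong
"""
LISTS = {"mailman", "debian-ong"}
LOCAL_DOMAINS = {"example.org"}
```

Router order matters: an address like mailman-bounces@example.org is taken by mailman_workaround before mailman_router ever consults virtual-mailman, which is exactly the gap the workaround router closes.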

Then: # dpkg-reconfigure mailman and configure only the language.
Then: copy /etc/mailman/apache.conf to /etc/apache2/conf.d/
Then: # newlist mailman and answer according to your needs.
Then: # check_perms -f twice; what remains are symlinks, which I checked
one by one, but there must be another way.

9. Exim4 configuration: # dpkg-reconfigure exim4-config and that is it;
we have a mail server talking to the outside world, if that is what you want.
10. TLS and SSL configuration is still pending (because of the self-signed
certificates), as is outbound traffic over a secure channel; OpenVPN has
not seemed the most secure option to me, but I keep testing. I am after a
layer 2 inside a layer 3.

PS:
This information is for people who want to start a secure/private server
on Debian, and I post it here because it strikes me that most people
replace what comes by default with more complicated and less secure
solutions. For email I only use Sendmail, OpenSMTPD and Exim4, which are
the defaults in the OSes I administer (I have only administered 4 servers
for 13 years).

Writing this message was motivated by the urgency of keeping prying noses
far away from my things and those of my friends (4 NGOs), however
unimportant they may be.

Thanks, and if there are questions, go ahead; there are several gurus on
this list.
