DIY Hard drive carrying case

Today’s project was a hard drive carrying case. I wanted something to securely store hard drives. When I looked around on ebay and amazon, I saw some nice cases and some crappy plastic molded ones. Even the terrible ones were at least $50, so I made my own.

HDD Carrying Case Exterior

I bought a used ammo case at the rather excellent local army surplus store. Then I padded all sides. I had spare EVA foam “puzzle piece” style mats from a gym setup lying around. I cut out the pieces with scissors. That’s it. I was expecting more steps, but nothing needed to be glued in place. I was planning on adding inserts for the empty slots, but it seems secure enough. If you’re making one, you could also glue the top piece onto the lid, so you don’t have to take it out manually.

HDD Case Interior

Getting the Adafruit Pro Trinket 3.3V to work in Arch Linux

I’m on Linux, and here’s what I did to get the Adafruit Pro Trinket (3.3V version) to work. I think most of this should work for other Adafruit boards as well. I’m on Arch Linux, but other distros will be similar, just find the right paths for everything. Your version of udev may vary on older distros especially.

  1. Install the Arduino IDE. If you want to install the adafruit version, be my guest. It should work out of the box, minus the udev rule below. I have multiple microprocessors I want to support, so this wasn’t an option for me.
  2. Copy the hardware profiles to your Arduino install. pacman -Ql arduino shows me that I should be installing to /usr/share/arduino. You can find the files you need at their source (copy the entire folder), or the same thing is packaged inside the IDE installs.

    # the profiles are a directory, so copy recursively
    cp -r adafruit-git /usr/share/arduino/adafruit
    
  3. Re-configure the “ATtiny85” to work with avrdude. On Arch, pacman -Ql arduino | grep avrdude.conf says I should edit /usr/share/arduino/hardware/tools/avr/etc/avrdude.conf. Paste this revised “t85” section into avrdude.conf (credit to the author).

  4. Install a udev rule so you can program the Trinket Pro as yourself (and not as root).

    # /etc/udev/rules.d/adafruit-usbtiny.rules
    SUBSYSTEM=="usb", ATTR{product}=="USBtiny", ATTR{idProduct}=="0c9f", ATTRS{idVendor}=="1781", MODE="0660", GROUP="arduino"
    
  5. Add yourself as an arduino group user so you can program the device with usermod -G arduino -a <username>. Reload the udev rules and log in again to refresh the groups you’re in. Close and re-open the Arduino IDE if you have it open to refresh the hardware rules.

  6. You should be good to go! If you’re having trouble, start by making sure you can see the correct hardware, and that avrdude can recognize and program your device with simple test programs from the command line. The source links have some good specific suggestions.
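
If the upload fails, the first thing to check is whether the udev rule in step 4 really applied and whether you are in the group it names. The script below is an added example (not from the original post): it finds the USBtiny device in lsusb output and checks the device node’s mode and group against the rule. The vendor/product IDs, group and mode are the ones from the rule above; lsusb output format and /dev/bus/usb paths are assumed to be the usual Linux ones.

```python
#!/usr/bin/env python3
"""Check that the USBtiny udev rule from step 4 actually took effect.

Added example, not from the original post. It reads `lsusb` for the
vendor:product pair used in the rule, then checks that the matching
/dev/bus/usb node carries the mode and group the rule should have set,
and that the current user is in that group.
"""
import grp
import os
import re
import stat
import subprocess

# Values from the udev rule above: ATTRS{idVendor}=="1781",
# ATTR{idProduct}=="0c9f", MODE="0660", GROUP="arduino".
USBTINY_ID = "1781:0c9f"
EXPECTED_GROUP = "arduino"
EXPECTED_MODE = 0o660

# One line of `lsusb` output looks like:
#   Bus 001 Device 005: ID 1781:0c9f Multiple Vendors USBtiny
LSUSB_RE = re.compile(r"^Bus (\d{3}) Device (\d{3}): ID ([0-9a-f]{4}:[0-9a-f]{4})")


def find_devnodes(lsusb_output, usb_id=USBTINY_ID):
    """Return the /dev/bus/usb/BBB/DDD node for every device whose ID matches."""
    nodes = []
    for line in lsusb_output.splitlines():
        m = LSUSB_RE.match(line)
        if m and m.group(3) == usb_id:
            nodes.append(f"/dev/bus/usb/{m.group(1)}/{m.group(2)}")
    return nodes


def check_node(mode, group, user_groups):
    """Explain why a node with this permission mode and owning group is or is
    not usable by a user in `user_groups`. An empty list means all is well."""
    problems = []
    if group != EXPECTED_GROUP:
        problems.append(f"owned by group {group!r}, expected {EXPECTED_GROUP!r}: "
                        "the rule did not match (reload udev rules and replug the board)")
    if (mode & 0o060) != 0o060:
        problems.append(f"mode {mode:04o} does not give the group read/write access")
    if mode & 0o007:
        problems.append(f"mode {mode:04o} is world-accessible; the rule should limit it to the group")
    if EXPECTED_GROUP not in user_groups:
        problems.append(f"you are not in group {EXPECTED_GROUP!r}: "
                        f"usermod -G {EXPECTED_GROUP} -a $USER, then log in again")
    return problems


def current_user_groups():
    """Names of the groups the running process belongs to."""
    names = set()
    for gid in os.getgroups():
        try:
            names.add(grp.getgrgid(gid).gr_name)
        except KeyError:
            pass
    return names


def main():
    lsusb = subprocess.run(["lsusb"], capture_output=True, text=True, check=True).stdout
    nodes = find_devnodes(lsusb)
    if not nodes:
        print(f"no device {USBTINY_ID} on the bus: check the cable and that the bootloader is running")
        return 1
    groups = current_user_groups()
    ok = True
    for node in nodes:
        st = os.stat(node)
        problems = check_node(stat.S_IMODE(st.st_mode), grp.getgrgid(st.st_gid).gr_name, groups)
        print(node, "OK" if not problems else "")
        for p in problems:
            print("  -", p)
        ok = ok and not problems
    return 0 if ok else 1


if __name__ == "__main__":
    raise SystemExit(main())
```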

Sources:
http://www.bacspc.com/2015/07/28/arch-linux-and-trinket/
http://andijcr.github.io/blog/2014/07/31/notes-on-trinket-on-ubuntu-14.04/


The life-changing magic of tidying up

Summary of “the life-changing magic of tidying up”:

Marie Kondo describes her “KonMari” method. The book ends up being as much about her mistakes in learning how to tidy as it is about how to tidy. The book conveys a certain positive energy that makes me want to recommend it, but the author also brings that energy in reaction to a kind of previous stress which accompanied tidying, which she does not seem to have completely dropped–if you are mysteriously anxious and feel you MUST discard everything after reading her book, this may be why.

The primary point she makes is meant to cure it: Decide what to keep and what to discard by physically touching each item, and asking if it brings you joy.

The rest of the method:

  • Positivity. Everything in your house loves and wants to help you. If it is time to send off some of the items on their next adventure, this is no reason to be sad or anxious. You had a great time meeting, and they and you were both happy.
  • Tidy all at once (at least by category, but preferably in a multi-day binge).
  • Physically gather the category in one place, touching everything and asking if it brings you joy.
  • Find out what you’ll keep and discard before putting things away or organizing.
  • Organizing: ??? [I didn’t get any big takeaways here].

Marie Kondo’s best advice is realizations from her past mistakes–the sort of methods which seem reasonable to try, but end up being wrong for subtle reasons. They are:

  • Tidy by category, not place. Otherwise, you won’t realize everything you have.
  • “Storage” is storing things neatly, and lets you have more and more things. This is different than tidying, which is about bringing things in harmony, and having only things you love. Becoming better at “storage” can make you unhappy.

She has also seen her clients make mistakes. For each category of things (clothes, books, etc.) there are many reasons clients may not want to throw something out. Most of the book is meant to illustrate why these things are useless, and why throwing them out is okay and will make you happier.

The fun part is that many clients were more confident and more in touch with what they valued and who they wanted once they had only possessions they loved.

Bolded text in the book

  • Start by discarding. Then organize your space, thoroughly, completely, in one go.
  • A dramatic reorganization of the home causes correspondingly dramatic changes in lifestyle and perspective. It is life transforming.
  • when you put your house in order, you put your affairs and your past in order, too
  • They are surrounded only by the things they love
  • the magic of tidying
  • People cannot change their habits without first changing their way of thinking
  • If you tidy up in one shot, rather than little by little, you can dramatically change your mind-set.
  • If you use the right method and concentrate your efforts on eliminating clutter thoroughly and completely with a short span of time, you’ll see instant results that will empower you to keep your space in order ever after.
  • Tidying is just a tool, not a final destination. [The true goal should be to establish the lifestyle you want most once your house has been put in order]
  • A booby trap lies within the term “storage”.
  • Putting things away creates the illusion that the clutter problem has been solved.
  • Tidying up location by location is a fatal mistake.
  • Effective tidying involves only two essential actions: discarding and deciding where to store things. Of the two, discarding must come first.
  • Tidying is a special event. Don’t do it every day.
  • Your goal is clearly in sight. The moment you have put everything in its place, you have crossed the finish line.
  • Tidy in the right order.
  • Do not even think of putting your things away until you have finished the process of discarding.
  • Think in concrete terms so that you can vividly picture what it would be like to live in a clutter-free space.
  • However, the moment you start focusing on how to choose what to throw away, you have actually veered significantly off course.
  • We should be choosing what we want to keep, not what we want to get rid of.
  • take each item in one’s hand and ask: “Does this spark joy?” If it does, keep it. If not, dispose of it.
  • Keep only those things that speak to your heart. Then take the plunge and discard all the rest.
  • always think in terms of category, not place
  • People have trouble discarding things that they could still use (functional value), that contain helpful information (informational value), and that have sentimental value. When these things are hard to obtain or replace (rarity), they become even harder to part with.
  • The best sequence is this: clothes first, then books, papers, komono (miscellany), and lastly, mementos.
  • it’s extremely stressful for parents to see what their children discard
  • To quietly work away at disposing of your own excess is actually the best way of dealing with a family that doesn’t tidy. The urge to point out someone else’s failure to tidy is usually a sign that you are neglecting to take care of your own space.
  • To truly cherish the things that are important to you, you must first discard those that have outlived their purpose.
  • What things will bring you joy if you keep them a part of your life?
  • The most important points to remember are these: Make sure you gather every piece of clothing in the house and be sure to handle each one.
  • By neatly folding your clothes, you can solve almost every problem related to storage.
  • The key is to store things standing up rather than laid flat.
  • The goal is to fold each piece of clothing into a simple, smooth rectangle.
  • Every piece of clothing has its own “sweet spot” where it feels just right
  • Arrange your clothes so they rise to the right.
  • By category, coats would be on the far left, followed by dresses, jackets, pants, skirts, and blouses.
  • Never, ever tie up your stockings. Never, ever ball up your socks.
  • The trick is not to overcategorize. Divide your clothes roughly into “cotton-like” and “wool-like” materials when you put them in the drawer.
  • If you are planning to buy storage units in the near future, I recommend that you get a set of drawers instead.
  • The criterion is, of course, whether or not it gives you a thrill of pleasure when you touch it.
  • In the end, you are going to read very few of your books again.
  • The moment you first encounter a particular book is the right time to read it.
  • [Papers] I recommend you dispose of anything that does not fall into one of three categories: currently in use, needed for a limited period of time, or must be kept indefinitely.
  • [Papers that need to be dealt with] Make sure that you keep all such papers in one spot only. Never let them spread to other parts of the house.
  • [On lecture/seminar papers] It’s paradoxical, but I believe precisely because we hang on to such materials, we fail to put what we learn into practice.
  • Too many people live surrounded by things they don’t need “just because”.
  • Presents are not “things” but a means for conveying someone’s feelings.
  • Mysterious cords will always remain just that–a mystery.
  • Despite the fact that coins are perfectly good cash, they are treated with far less respect than paper money.
  • No matter how wonderful things used to be, we cannot live in the past. The joy and excitement we feel here and now are more important.
  • People never retrieve the boxes they send “home”. Once sent, they will never again be opened.
  • By handling each sentimental item and deciding what to discard, you process your past.
  • As you reduce your belongings through the process of tidying, you will come to a point where you suddenly know how much is just right for you.
  • The fact that you possess a surplus of things that you can’t bring yourself to discard doesn’t mean you are taking good care of them. In fact, it is quite the opposite.
  • Believe what your heart tells you when you ask, “Does this spark joy?”
  • The point in deciding specific places to keep things is to designate a spot for every thing.
  • Once you learn to choose your belongings properly, you will be left only with the amount that fits perfectly in the space you currently own.
  • pursue ultimate simplicity in storage
  • I have only two rules: store all items of the same type in the same place and don’t scatter storage space.
  • If you live with your family, first clearly define separate storage spaces for each family member.
  • Everyone needs a sanctuary
  • Clutter is caused by a failure to return things to where they belong. Therefore, storage should reduce the effort needed to put things away, not the effort needed to get them out.
  • If you are aiming for an uncluttered room, it is much more important to arrange your storage so that you can tell at a glance where everything is than to worry about the details of who does what, where, and when.
  • When you are choosing what to keep, ask your heart; when you are choosing where to store something, ask your house.
  • stacking is very hard on the things at the bottom
  • Rather than buying something to make do for now, wait until you have completed the entire process and then take your time looking for storage items that you really like.
  • The key is to put the same type of bags together.
  • One theme underlying my method of tidying is transforming the home into a sacred place, a power spot filled with pure energy.
  • Transform your closet into your own private space, one that gives you a thrill of pleasure.
  • Stockings take up 25 percent less room once they are out of the package and folded up.
  • By eliminating excess visual information that doesn’t inspire joy, you can make your space much more peaceful and comfortable.
  • [homework assignment to clients] appreciate their belongings [by actually expressing appreciation to them]
  • At their core, the things we really like do not change over time. Putting your house in order is a great way to discover what they are.
  • letting go is even more important than adding
  • The lives of those who tidy thoroughly and completely, in a single shot, are without exception dramatically altered.
  • one of the magical effects of tidying is confidence in your decision-making capacity
  • But when we really delve into the reasons for why we can’t let something go, there are only two: an attachment to the past or a fear for the future.
  • The question of what you want to own is actually the question of how you want to live your life.
  • The sum total of all the garbage so far would exceed twenty-eight thousand bags, and the number of items discarded must be over one million.
  • The fact that they do not need to search is actually an invaluable stress reliever.
  • Life becomes far easier once you know that things will still work out even if you are lacking something.
  • I believe that tidying is a celebration, a special send-off for those things that will be departing from the house, and therefore I dress accordingly.
  • In essence, tidying ought to be the act of restoring balance among people, their possessions, and the house they live in.
  • Make your parting a ceremony to launch them on a new journey.
  • It’s a very strange phenomenon, but when we reduce what we own and essentially “detox” our house, it has a detox effect on our bodies as well.
  • If you can say without a doubt, “I really like this!” no matter what anyone else says, and if you like yourself for having it, then ignore what other people think.
  • As for you, pour your time and passion into what brings you the most joy, your mission in life.

DDoS

za3k.com was the site of a DDoS attack. I’m pretty sure this was because my wordpress installation was compromised, and the hacker who took control of my server was herself DDoSed.

More updates to come, but the short story is that I’ll be formalizing my install and eventually containerizing and hardening everything.


Archiving all bash commands typed

This one’s a quickie. Just a section of my config to record all bash commands to a file (.bash_eternal_history) forever. The default bash HISTFILESIZE is 500. Setting it to a non-numeric value will make the history file grow forever (although not your actual history size, which is controlled by HISTSIZE).

I do this in addition:

    # ~/.bash.d/eternal-history
    # don't put duplicate lines in the history
    HISTCONTROL=ignoredups
    # append to the history file, don't overwrite it
    shopt -s histappend
    # for setting history length see HISTSIZE and HISTFILESIZE in bash(1);
    # a non-numeric HISTFILESIZE means the history file is never truncated
    HISTFILESIZE=infinite
    # prefix each history entry with its epoch timestamp, so `history 1`
    # prints "INDEX TIMESTAMP COMMAND"
    export HISTTIMEFORMAT="%s "

    # Creates an eternal bash log in the form
    # PID USER INDEX TIMESTAMP COMMAND
    # ($$ and $USER are expanded when the prompt command runs, hence the single quotes)
    PROMPT_COMMAND="${PROMPT_COMMAND:+$PROMPT_COMMAND ; }"'echo $$ $USER "$(history 1)" >> ~/.bash_eternal_history'
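
Once the log exists, the useful question is how to read it back, for example to reconstruct what a shell did during an incident window. The parser below is an added example, not part of the original post: it understands the “PID USER INDEX TIMESTAMP COMMAND” line the prompt command writes, keeps the continuation lines that a multi-line command produces, and filters by user and time. The sample log is constructed.

```python
#!/usr/bin/env python3
"""Read the ~/.bash_eternal_history log produced by the PROMPT_COMMAND above.

Added example, not from the original post. Each line is what
`echo $$ $USER "$(history 1)"` writes, so with HISTTIMEFORMAT="%s " it reads
    PID USER  INDEX  TIMESTAMP COMMAND
A command typed over several lines (a loop, a here-document) is written as
one such line followed by continuation lines without that prefix; the parser
keeps those with their entry instead of dropping them.
"""
import re
from datetime import datetime, timezone

# PID, USER, the space-padded INDEX that `history` prints (with an optional
# '*' marking an edited entry), the epoch timestamp, one space, the command.
ENTRY_RE = re.compile(r"^(\d+) (\S+) +(\d+)\*? +(\d+) (.*)$")


def parse_eternal_history(text):
    """Return entries (dicts with pid, user, index, ts, when, command) in file order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            pid, user, index, ts, command = m.groups()
            entries.append({
                "pid": int(pid),
                "user": user,
                "index": int(index),
                "ts": int(ts),
                "when": datetime.fromtimestamp(int(ts), tz=timezone.utc),
                "command": command,
            })
        elif entries:
            # no prefix: the previous command continued onto this line
            entries[-1]["command"] += "\n" + line
    return entries


def commands_between(entries, user, start_ts, end_ts):
    """Commands `user` ran with start_ts <= timestamp < end_ts (epoch seconds)."""
    return [e["command"] for e in entries
            if e["user"] == user and start_ts <= e["ts"] < end_ts]


def sessions(entries):
    """Group entries by shell PID: one list per interactive shell, in order."""
    by_pid = {}
    for e in entries:
        by_pid.setdefault(e["pid"], []).append(e)
    return by_pid


# Constructed sample log, not a real capture.
SAMPLE = """\
4242 alice   101  1700000000 ls -la /etc/postfix
4242 alice   102  1700000060 for f in a b; do
echo $f
done
4242 alice   103  1700000120 sudo systemctl restart postfix
5151 bob   7  1700000130 cat /etc/passwd
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for e in parse_eternal_history(text):
        first = e["command"].splitlines()[0]
        print(f'{e["when"]:%Y-%m-%d %H:%M:%S} {e["user"]:<8} pid={e["pid"]:<6} {first}')
```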

Archiving all web traffic

Today I’m going to walk through a setup to archive all web (HTTP/S) traffic passing over your Linux desktop. The basic approach is to install a proxy which records traffic to WARC files. You can’t proxy non-HTTP traffic (for example, chat or email) because we’re using an HTTP proxy approach.

The end result is pretty slow for reasons I’m not totally sure of yet. It’s possible warcprox isn’t streaming results.

  1. Install the server

    # pip install warcprox
    
  2. Make a warcprox user to run the proxy as.

    # useradd -M --shell=/bin/false warcprox
    
  3. Make a root certificate. You’re going to intercept HTTPS traffic by pretending to be the website, so if anyone gets hold of this key, they can impersonate every website to you. Don’t give it out.

    # mkdir /etc/warcprox
    # cd /etc/warcprox
    # sudo openssl genrsa -out ca.key 4096
    # sudo openssl req -new -x509 -key ca.key -out ca.crt
    # cat ca.crt ca.key >ca.pem
    # chown root:warcprox ca.pem ca.key
    # chmod 640 ca.pem ca.key
    
  4. Set up a directory where you’re going to store the WARC files. You’re saving all web traffic, so this will get pretty big.

    # mkdir /var/warcprox
    # chown -R warcprox:warcprox /var/warcprox
    
  5. Set up a boot script for warcprox. Here’s mine. I’m using supervisorctl rather than systemd.

    #/etc/supervisor.d/warcprox.ini
    [program:warcprox]
    command=/usr/bin/warcprox -p 18000 -c /etc/warcprox/ca.pem --certs-dir ./generated-certs -g sha1
    directory=/var/warcprox
    user=warcprox
    autostart=true
    autorestart=unexpected
    
  6. Set up any browsers, etc. to use localhost:18000 as your proxy. You could also do some kind of global firewall config. Chromium in particular was pretty irritating on Arch Linux. It doesn’t respect $http_proxy, so you have to pass it separate options. This is also a good point to make sure anything you don’t want recorded BYPASSES the proxy (for example, maybe large things like youtube, etc).
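
To audit what actually ended up in /var/warcprox, you need to read the WARC files back. The reader below is an added example, not code from the original post or from warcprox: it implements the WARC record layout directly (no warcio dependency) and lists each request/response record with its target URI and HTTP status. The sample archive is constructed inline; the gzip-member-per-record layout is what warcprox writes to .warc.gz files.

```python
#!/usr/bin/env python3
"""Inventory what the proxy above has recorded by reading its WARC output.

Added example, not part of the original post or of warcprox. It implements
the WARC record layout: a "WARC/1.0" line, header fields, a blank line,
Content-Length bytes of payload, then a CRLF CRLF separator. warcprox writes
.warc.gz files as one gzip member per record; gzip.GzipFile reads such
multi-member streams transparently, so the same reader handles plain and
compressed files.
"""
import gzip
import io


def read_records(stream):
    """Yield (headers, body) per record; header names are lower-cased."""
    while True:
        line = stream.readline()
        if not line:
            return
        if line.strip() == b"":            # separator between records
            continue
        if not line.startswith(b"WARC/"):
            raise ValueError(f"expected a WARC version line, got {line!r}")
        headers = {}
        while True:
            line = stream.readline()
            if line in (b"\r\n", b"\n", b""):
                break
            name, _, value = line.decode("utf-8", "replace").partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers["content-length"])
        body = stream.read(length)
        if len(body) != length:
            raise ValueError("truncated WARC record")
        yield headers, body


def http_status(body):
    """Status line of a captured HTTP response payload, e.g. 'HTTP/1.1 200 OK'."""
    return body.split(b"\r\n", 1)[0].decode("ascii", "replace")


def summarise(stream):
    """Return (record type, target URI, status line or None) for every record."""
    rows = []
    for headers, body in read_records(stream):
        rtype = headers.get("warc-type")
        status = http_status(body) if rtype == "response" else None
        rows.append((rtype, headers.get("warc-target-uri"), status))
    return rows


def summarise_bytes(data):
    """Summarise an in-memory .warc or .warc.gz blob."""
    raw = io.BytesIO(data)
    if data[:2] == b"\x1f\x8b":            # gzip magic
        return summarise(gzip.GzipFile(fileobj=raw))
    return summarise(raw)


def warc_record(rtype, uri, payload):
    """Build one WARC record; used here only to construct the sample input."""
    header = [
        b"WARC/1.0",
        b"WARC-Type: " + rtype.encode(),
        b"WARC-Target-URI: " + uri.encode(),
        b"WARC-Date: 2016-01-01T00:00:00Z",
        b"WARC-Record-ID: <urn:uuid:00000000-0000-4000-8000-000000000001>",
        b"Content-Type: application/http;msgtype=" + rtype.encode(),
        b"Content-Length: " + str(len(payload)).encode(),
    ]
    return b"\r\n".join(header) + b"\r\n\r\n" + payload + b"\r\n\r\n"


# Constructed sample: a request/response pair stored as two gzip members,
# the way warcprox lays out a .warc.gz file.
SAMPLE_WARC_GZ = (
    gzip.compress(warc_record("request", "https://example.com/login",
                              b"GET /login HTTP/1.1\r\nHost: example.com\r\n\r\n"))
    + gzip.compress(warc_record("response", "https://example.com/login",
                                b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>ok</html>"))
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        opener = gzip.open if sys.argv[1].endswith(".gz") else open
        with opener(sys.argv[1], "rb") as f:
            rows = summarise(f)
    else:
        rows = summarise_bytes(SAMPLE_WARC_GZ)
    for rtype, uri, status in rows:
        print(f"{rtype:<9} {uri}  {status or ''}")
```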


Open NNTP server

I’m opening the NNTP server at nttp.za3k.com (TLS or unencrypted) to the public. These are the newsgroups currently on it. It is virtually zero-traffic (few users, and they post little).

If you don’t have a news reader, Thunderbird can do the job, or take a look at the list here.

art.agency.applied
art.autonomy
art.programming
news.announce.newusers
news.discuss
research.fai
research.fai.decisiontheory
research.math
research.philosophy
research.strategy
research.xrisk
talk.math
talk.news
talk.other
talk.personal
talk.philosophy
talk.programming
talk.psychology
talk.reading
talk.reading.collaborative
talk.science
talk.writing
talk.writing.collaborative
test.posts


Mail filtering with Dovecot

This expands on my previous post about how to set up an email server.

We’re going to set up a few spam filters in Dovecot under Debian. We’re going to use Sieve, which lets each user set up whichever filters they want. However, we’re also going to run a couple of pre-baked spam filters regardless of what the user sets up.

  1. Install Sieve.

    sudo apt-get install dovecot-sieve dovecot-managesieved
    
  2. Add Sieve to Dovecot

    # /etc/dovecot/dovecot.conf
    # Sieve and ManageSieve
    protocols = $protocols sieve
    protocol lmtp {
     mail_plugins = $mail_plugins sieve
    }
    service managesieve-login {
     inet_listener sieve {
     port = 4190
     }
    }
    protocol sieve {
     managesieve_logout_format = bytes ( in=%i : out=%o )
    }
    plugin {
     # Settings for the Sieve and ManageSieve plugin
     sieve = file:~/sieve;active=~/.dovecot.sieve
     sieve_before = /etc/dovecot/sieve.d/
     sieve_dir = ~/sieve # For old version of ManageSieve
     #sieve_extensions = +vnd.dovecot.filter
     #sieve_plugins = sieve_extprograms
    }
    
  3. Install and update SpamAssassin, a heuristic perl script for spam filtering.

    sudo apt-get install spamassassin
    sudo sa-update
    
    # /etc/default/spamassassin
    ENABLED=1
    #CRON=1 # Update automatically
    
    # /etc/spamassassin/local.cf
    report_safe 0 # Don't modify headers
    
    sudo service spamassassin start
    
  4. There’s a lot of custom configuration and training you should do to get SpamAssassin to accurately categorize what you consider spam. I’m including a minimal amount here. The following will train SpamAssassin system-wide based on what users sort into spam folders.

    #!/bin/sh
    # /etc/cron.daily/spamassassin-train
    # List every Maildir cur/ and new/ directory under the virtual mail root.
    # find -regex must match the whole path, so the alternation is grouped.
    all_folders() {
            find /var/mail/vmail -type d -regextype posix-extended -regex '.*/(cur|new)$'
    }
    
    # Folders under a "Spam" mailbox train as spam, everything else as ham.
    all_folders | grep "Spam" | sa-learn --spam -f - >/dev/null 2>/dev/null
    all_folders | grep -v "Spam" | sa-learn --ham -f - >/dev/null 2>/dev/null
    
  5. Make Postfix run SpamAssassin as a filter, so that it can add headers as mail comes in.

    # /etc/postfix/master.cf
    smtp inet n - - - - smtpd
     -o content_filter=spamassassin
    # ...
    spamassassin unix - n n - - pipe user=debian-spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
    
    sudo service postfix restart
    
  6. Add SpamAssassin to Sieve. Dovecot (via Sieve) will now move messages with spam headers from SpamAssassin to your spam folder. Make sure you have a “Spam” folder and that it’s set to autosubscribe.

    # /etc/dovecot/sieve.d/spam-assassin.sieve
    require ["fileinto"];
    # Move spam to spam folder
    if header :contains "X-Spam-Flag" "YES" {
     fileinto "Spam";
     # Stop here - if there are other rules, ignore them for spam messages
     stop;
    }
    
    cd /etc/dovecot/sieve.d
    sudo sievec spam-assassin.sieve
    
  7. Restart Dovecot

    sudo service dovecot restart
    
  8. Test spam. The GTUBE is a test string that SpamAssassin is designed to always classify as spam. Set the content of your email to this:

    XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
    
  9. You should also be able to create user-defined filters in Sieve, via the ManageSieve protocol. I tested this using a Sieve thunderbird extension. You’re on your own here.


Installing email with Postfix and Dovecot (with Postgres)

I’m posting my email setup here. The end result will:

  • Use Postfix for SMTP
  • Use Dovecot for IMAP and authentication
  • Store usernames, email forwards, and passwords in a PostgreSQL database
  • Only be accessible over encrypted channels
  • Pass all common spam checks
  • Support SMTP sending and IMAP email checking. I did not include POP3 because I don’t use it, but it should be easy to add
  • NOT add spam filtering or web mail (this article is long enough as it is, maybe in a follow-up)

Note: My set up is pretty standard, except that rDNS for smtp.za3k.com resolves to za3k.com because I only have one IP. You may need to change your hostnames if you’re using mail.example.com or smtp.example.com.

On to the install!

  1. Install debian packages

    # postfix: SMTP; dovecot-*: IMAP and LMTP; postgresql and *-pgsql: Postgres; opendkim*: DKIM
    # (comments cannot follow a trailing backslash, so they are listed here instead)
    sudo apt-get install postfix \
          dovecot-core dovecot-imapd dovecot-lmtpd \
          postgresql dovecot-pgsql postfix-pgsql \
          opendkim opendkim-tools
    
  2. Set up security. The smtp.za3k.com cert is at /etc/ssl/certs/smtp.za3k.com.pem and the key is at /etc/ssl/private/smtp.za3k.com.key. dhparams for Postfix are at /etc/postfix/dhparams.pem. (If you need a certificate and don’t know how to get one, you can read Setting up SSL certificates using StartSSL.)

  3. Install Postfix

    # /etc/postfix/master.cf
    smtp       inet  n       -       -       -       -       smtpd
    submission inet  n       -       -       -       -       smtpd
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_reject_unlisted_recipient=no
      -o milter_macro_daemon_name=ORIGINATING
    
    # /etc/postfix/main.cf additions
    # TLS parameters
    smtpd_tls_cert_file=/etc/ssl/certs/smtp.za3k.com.pem
    smtpd_tls_key_file=/etc/ssl/private/smtp.za3k.com.key
    smtpd_use_tls=yes
    smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
    smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
    smtpd_tls_protocols=!SSLv2,!SSLv3
    smtp_tls_protocols=!SSLv2,!SSLv3
    smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES-CBC3-SHA
    
    # Relay and recipient settings
    myhostname = za3k.com
    myorigin = /etc/mailname
    mydestination = za3k.com, smtp.za3k.com, localhost.localdomain, localhost
    relayhost =
    mynetworks_style = host
    mailbox_size_limit = 0
    inet_interfaces = all
    smtpd_relay_restrictions = permit_mynetworks,
      permit_sasl_authenticated,
      reject_unauth_destination
    
    alias_maps = hash:/etc/aliases
    local_recipient_maps = $alias_maps
    mailbox_transport = lmtp:unix:private/dovecot-lmtp
    
  4. Install Dovecot

    # /etc/dovecot/dovecot.conf
    mail_privileged_group = mail # Local mail
    disable_plaintext_auth = no
    
    protocols = imap
    
    ssl=required
    ssl_cert = </etc/ssl/certs/imap.za3k.com.pem
    ssl_key = </etc/ssl/private/imap.za3k.com.key
    
    # IMAP Folders
    namespace {
      inbox = yes
      mailbox Trash {
        auto = create
        special_use = \Trash
      }
      mailbox Drafts {
        auto = no
        special_use = \Drafts
      }
      mailbox Sent {
        auto = subscribe
        special_use = \Sent
      }
      mailbox Spam {
        auto = subscribe
        special_use = \Junk
      }
    }
    
    # Expunging / deleting mail should FAIL, use the lazy_expunge plugin for this
    namespace {
      prefix = .EXPUNGED/
      hidden = yes
      list = no
      location = maildir:~/expunged
    }
    mail_plugins = $mail_plugins lazy_expunge
    plugin {
      lazy_expunge = .EXPUNGED/
    }
    
    # /etc/postfix/main.cf
    # SASL authentication is done through Dovecot to let users relay mail
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    
  5. Set up the database and virtual users. Commands:

    # Create the user vmail for storing virtual mail
    # (Debian ships nologin at /usr/sbin/nologin)
    # vmail:x:5000:5000::/var/mail/vmail:/usr/sbin/nologin
    groupadd -g 5000 vmail
    mkdir /var/mail/vmail
    useradd -M -d /var/mail/vmail --shell=/usr/sbin/nologin -u 5000 -g vmail vmail
    chown vmail:vmail /var/mail/vmail
    chmod 700 /var/mail/vmail
    
    psql -U postgres
    -- Set up the users (role names are identifiers, not string literals)
    CREATE USER postfix PASSWORD 'XXX';
    CREATE USER dovecot PASSWORD 'XXX';
    
    -- Create the database
    CREATE DATABASE email;
    \connect email
    
    -- Set up the schema
    
    CREATE TABLE aliases (
        alias text NOT NULL,
        email text NOT NULL
    );
    
    CREATE TABLE users (
        username text NOT NULL,
        domain text NOT NULL,
        created timestamp with time zone DEFAULT now(),
        password text NOT NULL
    );
    
    REVOKE ALL ON TABLE aliases FROM PUBLIC;
    GRANT ALL ON TABLE aliases TO postfix;
    GRANT ALL ON TABLE aliases TO dovecot;
    
    REVOKE ALL ON TABLE users FROM PUBLIC;
    GRANT ALL ON TABLE users TO dovecot;
    GRANT ALL ON TABLE users TO postfix;
    
    # /etc/dovecot/dovecot.conf
    # Since we're giving each virtual user their own directory under /var/mail/vmail, just use that directly and not a subdirectory
    mail_location = maildir:~/
    
    # /etc/dovecot/dovecot-sql.conf defines the DB queries used for authorization
    passdb {
      driver = sql
      args = /etc/dovecot/dovecot-sql.conf
    }
    userdb {
      driver = prefetch
    }
    userdb {
      driver = sql
      args = /etc/dovecot/dovecot-sql.conf
    }
    
    # /etc/postfix/main.cf
    # Alias lookups come from the aliases table (parameter name assumed: the
    # original line carried only the map, and this is the Postfix parameter
    # that takes alias -> address maps)
    virtual_alias_maps = pgsql:/etc/postfix/pgsql-virtual-aliases.cf
    local_recipient_maps = pgsql:/etc/postfix/pgsql-virtual-mailbox.cf
    
    # /etc/postfix/pgsql-virtual-aliases.cf
    # hosts = localhost
    user = postfix
    password = XXXXXX
    dbname = email
    
    query = SELECT email FROM aliases WHERE alias='%s'
    
    # /etc/postfix/pgsql-virtual-mailbox.cf
    # hosts = localhost
    user = postfix
    password = XXXXXX
    dbname = email
    
    query = SELECT concat(username,'@',domain,'/') as email FROM users WHERE username='%s'
    
    # /etc/dovecot/dovecot-sql.conf
    driver = pgsql
    connect = host=localhost dbname=email user=dovecot password=XXXXXX
    default_pass_scheme = SHA512
    password_query = SELECT \
      CONCAT(username,'@',domain) as user, \
      password, \
      'vmail' AS userdb_uid, \
      'vmail' AS userdb_gid, \
      '/var/mail/vmail/%u' as userdb_home \
      FROM users \
      WHERE concat(username,'@',domain) = '%u';
    
    user_query = SELECT username, \
      CONCAT('maildir:/var/mail/vmail/',username,'@',domain) as mail, \
      '/var/mail/vmail/%u' as home, \
      'vmail' as uid, \
      'vmail' as gid \
      FROM users \
      WHERE concat(username,'@',domain) = '%u';
    
  6. Set up users. Example user creation:

    # Generate a password
    $ doveadm pw -s sha512 -r 100
    Enter new password: ...
    Retype new password: ...
    {SHA512}.............................................................==
    
    psql -U dovecot -d email
    -- Create a user za3k@za3k.com
    email=# INSERT INTO users (
        username,
        domain,
        password
    ) VALUES (
        'za3k',
        'za3k.com',
        '{SHA512}.............................................................=='
    );
    
  7. Set up aliases/redirects. Example redirect creation:

    psql -U dovecot -d email
    -- Redirect mail from foo@example.com to bar@example.net
    email=# INSERT INTO aliases ( alias, email ) VALUES (
        'foo@example.com',
        'bar@example.net'
    );
    
  8. Test the setup locally by hand, using telnet. Then test the remote setup over STARTTLS; this is the same as the telnet test, but start the connection with:

    openssl s_client -connect smtp.za3k.com:587 -starttls smtp
    

    Make sure to test email to addresses at your domain or that you’ve set up (final destination), and emails you’re trying to send somewhere else (relay email).

    A small digression: port 25 is used for unencrypted email and supports STARTTLS, 587 is used for STARTTLS only, and 465 (obsolete) is used for TLS. My ISP, Comcast, blocks access to port 25 on outgoing traffic.

  9. Make sure you’re not running an open relay at http://mxtoolbox.com/diagnostic.aspx

  10. Set your DNS so that the MX record points at your new mailserver. You’ll probably want a store and forward backup mail server (mine is provided by my registrar). Email should arrive at your mail server from now on. This is the absolute minimum setup. Everything from here on is to help the community combat spam (and you not to get blacklisted).
  11. Set up DKIM (DomainKeys Identified Mail). DKIM signs outgoing mail to show that it’s from your server, which helps you not get flagged as spam.
    None of these files or folders exist to begin with in Debian.

    # Add to /etc/opendkim.conf
    KeyTable                /etc/opendkim/KeyTable
    SigningTable            /etc/opendkim/SigningTable
    ExternalIgnoreList      /etc/opendkim/TrustedHosts
    InternalHosts           /etc/opendkim/TrustedHosts
    LogWhy yes
    
    # /etc/opendkim/TrustedHosts
    127.0.0.1
    [::1]
    localhost
    za3k.com
    smtp.za3k.com
    
    mkdir -p /etc/opendkim/keys/za3k.com
    cd /etc/opendkim/keys/za3k.com
    opendkim-genkey -s default -d za3k.com
    chown opendkim:opendkim default.private
    
    # /etc/opendkim/KeyTable
    default._domainkey.za3k.com za3k.com:default:/etc/opendkim/keys/za3k.com/default.private
    
    # /etc/opendkim/SigningTable
    za3k.com default._domainkey.za3k.com
    

    Display the DNS public key to set in a TXT record with:

    # sudo cat /etc/opendkim/keys/za3k.com/default.txt
    default._domainkey      IN      TXT     ( "v=DKIM1; k=rsa; "
              "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCggdv3OtQMek/fnu+hRrHYZTUcpUFcSGL/+Sbq+GffR98RCgabx/jjPJo3HmqsB8czaXf7yjO2UiSN/a8Ae6/yu23d7hyTPUDacatEM+2Xc4/zG+eAlAMQOLRJeo3z53sNiq0SmJET6R6yH4HCv9VkuS0TQczkvME5hApft+ZedwIDAQAB" )  ; ----- DKIM
    
    # My registrar doesn't support this syntax so it ends up looking like: 
    $ dig txt default._domainkey.za3k.com txt
    default._domainkey.za3k.com. 10800 IN   TXT     "v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCggdv3OtQMek/fnu+hRrHYZTUcpUFcSGL/+Sbq+GffR98RCgabx/jjPJo3HmqsB8czaXf7yjO2UiSN/a8Ae6/yu23d7hyTPUDacatEM+2Xc4/zG+eAlAMQOLRJeo3z53sNiq0SmJET6R6yH4HCv9VkuS0TQczkvME5hApft+ZedwIDAQAB"
    
    # Uncomment in /etc/default/opendkim
    SOCKET="inet:12345@localhost" # listen on loopback on port 12345
    
    # /etc/postfix/main.cf
    # DKIM
    milter_default_action = accept
    milter_protocol = 6
    smtpd_milters = inet:localhost:12345
    non_smtpd_milters = inet:localhost:12345
    
  12. Set up SPF (Sender Policy Framework). SPF explains to other services which IPs can send email on your behalf. You can set up whatever policy you like. A guide to the syntax is at: http://www.openspf.org/SPF_Record_Syntax. Mine is:

    @ 10800 IN TXT "v=spf1 +a:za3k.com +mx:za3k.com ~all"
    

    You should also be verifying this on your end as part of combating spam, but as far as outgoing mail all you need to do is add a TXT record to your DNS record.

  13. Set your rDNS (reverse DNS) if it’s not already. This should point at the same hostname reported by Postfix during SMTP. This will be handled by whoever assigns your IP address (in my case, my hosting provider).

  14. Test your spam reputability using https://www.mail-tester.com or https://www.port25.com/support/authentication-center/email-verification. You can monitor if you’re on any blacklists at http://mxtoolbox.com/blacklists.aspx.
  15. Set up DMARC. DMARC declares your policy around DKIM being mandatory. You can set up whatever policy you like. Mine is:

    _dmarc 10800 IN TXT "v=DMARC1;p=reject;aspf=s;adkim=s;pct=100;rua=mailto:postmaster@za3k.com"
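
Step 6 creates each user by pasting a doveadm hash into an interactive psql session. The script below is an added example, not from the original post: it reproduces Dovecot’s {SHA512} scheme (the one chosen by default_pass_scheme = SHA512 in dovecot-sql.conf above) with hashlib, verifies a password against a stored hash the way Dovecot does at login, and builds a parameterized INSERT for the users table so a quote in an address cannot alter the statement. The local-part and domain patterns are assumptions made for this example, not rules Dovecot or Postfix impose.

```python
#!/usr/bin/env python3
"""Create a mailbox row the way step 6 does, but scripted: hash the password
in Dovecot's {SHA512} scheme and build a parameterized INSERT for the users
table instead of pasting the hash into an interactive psql session.

Added example, not from the original post. {SHA512} (selected by
default_pass_scheme = SHA512 in dovecot-sql.conf above) is the raw SHA-512
digest of the password, base64-encoded, behind a {SHA512} prefix. It is
unsalted, so identical passwords produce identical stored values.
"""
import base64
import hashlib
import hmac
import re

SCHEME = "{SHA512}"
# Shapes accepted for username and domain; an assumption made for this
# example, chosen to match the concat(username,'@',domain) lookups above.
LOCALPART_RE = re.compile(r"^[a-z0-9][a-z0-9._-]*$")
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")

# %s placeholders are filled by the database driver, never by string formatting.
INSERT_SQL = "INSERT INTO users (username, domain, password) VALUES (%s, %s, %s)"


def dovecot_sha512(password):
    """The string `doveadm pw -s sha512` prints for this password."""
    digest = hashlib.sha512(password.encode("utf-8")).digest()
    return SCHEME + base64.b64encode(digest).decode("ascii")


def verify(password, stored):
    """Check a login attempt against a stored {SHA512} value, in constant time."""
    if not stored.startswith(SCHEME):
        raise ValueError("not a {SHA512} hash")
    expected = base64.b64decode(stored[len(SCHEME):])
    candidate = hashlib.sha512(password.encode("utf-8")).digest()
    return hmac.compare_digest(expected, candidate)


def valid_address_parts(username, domain):
    """True when username@domain has the shape the users table expects."""
    return bool(LOCALPART_RE.match(username)) and bool(DOMAIN_RE.match(domain))


def insert_user(username, domain, password):
    """Return (sql, params) for cursor.execute(): the values travel separately
    from the statement text, so a quote in the address cannot change the SQL."""
    if not valid_address_parts(username, domain):
        raise ValueError(f"refusing to create {username!r}@{domain!r}")
    return INSERT_SQL, (username, domain, dovecot_sha512(password))


if __name__ == "__main__":
    import getpass
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: add-mail-user.py USERNAME DOMAIN")
    sql, params = insert_user(sys.argv[1], sys.argv[2], getpass.getpass("New password: "))
    # With psycopg2, for example: conn.cursor().execute(sql, params); conn.commit()
    print(sql)
    print(params)
```

Dovecot also accepts salted schemes such as SHA512-CRYPT; a row whose password starts with {SHA512-CRYPT} is checked with that scheme regardless of default_pass_scheme.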
    

My sources writing this:

Takeaways

  • You can set up store-and-forward mail servers, so if your mail server goes down, you don’t lose all the email for that period. It’s generally a free thing.
  • Postfix’s configuration files were badly designed and crufty, so you might pick a different SMTP server.
  • Email was REALLY not designed to do authentication, which is why proving you’re not a spammer is so difficult. This would all be trivial with decent crypto baked in (or really, almost any backwards-incompatible change)
  • The option to specify a SQL query as a configuration file option is wonderful. Thanks, Dovecot.
  • Overall, although it was a lot of work, I do feel like it was worth it to run my own email server.