Made headings in articles into links.
This commit is contained in:
parent
3f503c7a86
commit
3b54438e04
@ -15,6 +15,12 @@ h4 {
|
|||||||
text-indent: 1.5rem;
|
text-indent: 1.5rem;
|
||||||
margin: 1rem 0 1rem 0; }
|
margin: 1rem 0 1rem 0; }
|
||||||
|
|
||||||
|
h3 a,
|
||||||
|
h4 a { color: var(--text-color); }
|
||||||
|
|
||||||
|
h3 a:hover,
|
||||||
|
h4 a:hover { color: var(--primary-color); }
|
||||||
|
|
||||||
code,
|
code,
|
||||||
pre {
|
pre {
|
||||||
font-family: 'Share Tech Mono';
|
font-family: 'Share Tech Mono';
|
||||||
|
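Review bot: the new `h3 a, h4 a { color: var(--text-color); }` rule only sets `color`, so the heading links keep the browser's default underline unless a global `a` rule elsewhere removes it; if the headings are meant to look unchanged at rest, add `text-decoration: none;` to that block. Note also that with the same `--text-color` as surrounding text, the hover colour from `h3 a:hover, h4 a:hover` becomes the only visible hint that the heading is a link.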
@ -13,10 +13,10 @@ block article
|
|||||||
li #[a(href='#art-2') Userdir functionality like Apache's mod_userdir]
|
li #[a(href='#art-2') Userdir functionality like Apache's mod_userdir]
|
||||||
li #[a(href='#art-3') Note on how NGiNX works with HTTP headers]
|
li #[a(href='#art-3') Note on how NGiNX works with HTTP headers]
|
||||||
|
|
||||||
h3#art-1 1. Introduction
|
h3#art-1 #[a(href='#art-1') 1. Introduction]
|
||||||
p Here I'll place recipes for implementing different functionalities and notes on webserver's behaviour.
|
p Here I'll place recipes for implementing different functionalities and notes on webserver's behaviour.
|
||||||
|
|
||||||
h3#art-2 2. Userdir functionality like Apache's mod_userdir
|
h3#art-2 #[a(href='#art-2') 2. Userdir functionality like Apache's mod_userdir]
|
||||||
p Once I wanted to have a “tilde user directories” like #[code /~user/] which is more known as Apache's #[code mod_userdir] feature. I work with NGiNX so regular expressions is the way to do that.
|
p Once I wanted to have a “tilde user directories” like #[code /~user/] which is more known as Apache's #[code mod_userdir] feature. I work with NGiNX so regular expressions is the way to do that.
|
||||||
p Nothing special in my case. I only need to keep files there, so others may get them. Thing is simple, but I took some time to realise what regexp to use here back then.
|
p Nothing special in my case. I only need to keep files there, so others may get them. Thing is simple, but I took some time to realise what regexp to use here back then.
|
||||||
p The implementation is quite simple:
|
p The implementation is quite simple:
|
||||||
@ -28,6 +28,6 @@ block article
|
|||||||
p Of course, you can choose whatever place for user's public directories. In my case you need to give a read and execute permissions to user's home directory and to public directories inside them to others (#[code chmod o=rX /home/user]), which may be a security concern.
|
p Of course, you can choose whatever place for user's public directories. In my case you need to give a read and execute permissions to user's home directory and to public directories inside them to others (#[code chmod o=rX /home/user]), which may be a security concern.
|
||||||
p #[code autoindex on] will make an index of files that lies by URL. And, of course, you can put there an #[code index.html] file.
|
p #[code autoindex on] will make an index of files that lies by URL. And, of course, you can put there an #[code index.html] file.
|
||||||
|
|
||||||
h3#art-3 3. Note on how NGiNX works with HTTP headers
|
h3#art-3 #[a(href='#art-3') 3. Note on how NGiNX works with HTTP headers]
|
||||||
p Let's say in #[code http] block you specified common headers like #[code X-Frame-Options], #[code X-XSS-Protection], and so on for all #[code server] directives to use. But, if you add some other header for a specific #[code server] or #[code location] block then all those headers would be dropped.
|
p Let's say in #[code http] block you specified common headers like #[code X-Frame-Options], #[code X-XSS-Protection], and so on for all #[code server] directives to use. But, if you add some other header for a specific #[code server] or #[code location] block then all those headers would be dropped.
|
||||||
p For now the only cure for it is to place all that headers in a separate file like #[code common-headers.inc] and using #[code include] directive to include them in all the #[code server] and #[code location] blocks where additional headers are added.
|
p For now the only cure for it is to place all that headers in a separate file like #[code common-headers.inc] and using #[code include] directive to include them in all the #[code server] and #[code location] blocks where additional headers are added.
|
||||||
|
@ -15,14 +15,14 @@ block article
|
|||||||
li #[a(href='#art-2-1') If you're doing a fresh install]
|
li #[a(href='#art-2-1') If you're doing a fresh install]
|
||||||
li #[a(href='#art-3') cmdline.txt]
|
li #[a(href='#art-3') cmdline.txt]
|
||||||
|
|
||||||
h3#art-1 1. Introduction
|
h3#art-1 #[a(href='#art-1') 1. Introduction]
|
||||||
p Raspberry Pi is known for how it wears off the SD cards. Thankfully you can move the root off the SD card to an external drive and leave there just a boot partition. I'm gonna use a #[s SystemD]GNU/Linux distribution for that.
|
p Raspberry Pi is known for how it wears off the SD cards. Thankfully you can move the root off the SD card to an external drive and leave there just a boot partition. I'm gonna use a #[s SystemD]GNU/Linux distribution for that.
|
||||||
|
|
||||||
h3#art-2 2. Moving / to an external drive
|
h3#art-2 #[a(href='#art-2') 2. Moving / to an external drive]
|
||||||
p I assume that you have your drive partitioned already. Create the temporary directories for a SD card's boot and root partitions and for a drive. Mount the partitions and issue a command #[code cp -a path/to/sdcard/root/* path/to/drive]. #[code -a] stands for archive. Which recursively copies everything preserving all the attributes and links.
|
p I assume that you have your drive partitioned already. Create the temporary directories for a SD card's boot and root partitions and for a drive. Mount the partitions and issue a command #[code cp -a path/to/sdcard/root/* path/to/drive]. #[code -a] stands for archive. Which recursively copies everything preserving all the attributes and links.
|
||||||
|
|
||||||
h3#art-2-1 2.1. If you're doing a fresh install
|
h3#art-2-1 #[a(href='#art-2-1') 2.1. If you're doing a fresh install]
|
||||||
p Then you just install it right on a drive. And then move files from #[code /boot] to a SD card's boot partition. Like that: #[code mv path/to/boot/* path/to/sdcard]. Keep in mind that the boot partition should be formatted in FAT32.
|
p Then you just install it right on a drive. And then move files from #[code /boot] to a SD card's boot partition. Like that: #[code mv path/to/boot/* path/to/sdcard]. Keep in mind that the boot partition should be formatted in FAT32.
|
||||||
|
|
||||||
h3#art-3 3. cmdline.txt
|
h3#art-3 3. #[a(href='#art-3') cmdline.txt]
|
||||||
p In a #[code cmdline.txt.] file we need to change #[code root=] part. Now it'll look like #[code root=/dev/mmcblk0p2 rw rootwait], and we need to put our drive's root partition instead of that, e.g. #[code root=/dev/sda1 rw rootwait].
|
p In a #[code cmdline.txt.] file we need to change #[code root=] part. Now it'll look like #[code root=/dev/mmcblk0p2 rw rootwait], and we need to put our drive's root partition instead of that, e.g. #[code root=/dev/sda1 rw rootwait].
|
||||||
|
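Review bot: `h3#art-3 3. #[a(href='#art-3') cmdline.txt]` leaves the section number outside the link, unlike every other heading in this patch, where the number is inside it (e.g. `h3#art-2 #[a(href='#art-2') 2. Moving / to an external drive]`); change it to `h3#art-3 #[a(href='#art-3') 3. cmdline.txt]` for consistency. The context line below it also has a stray period inside the code span, `#[code cmdline.txt.]`, which should read `#[code cmdline.txt]`.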
@ -36,19 +36,19 @@ block article
|
|||||||
li #[a(href='#art-8-5') DKIM]
|
li #[a(href='#art-8-5') DKIM]
|
||||||
li #[a(href='#art-9') Setting up a ClamAV antivirus]
|
li #[a(href='#art-9') Setting up a ClamAV antivirus]
|
||||||
|
|
||||||
h3#art-1 1. Introduction
|
h3#art-1 #[a(href='#art-1') 1. Introduction]
|
||||||
p I use Postfix as a SMTP and Dovecot (with Pigeonhole (Sieve)) as an IMAP server. ClamAV for an antivirus. For anti-spam I use SpamAssassin. For DKIM and DMARC — OpenDKIM and OpenDMARC respectively. I could use rspamd instead of the latter three, but it doesn't work on Raspberry Pi.
|
p I use Postfix as a SMTP and Dovecot (with Pigeonhole (Sieve)) as an IMAP server. ClamAV for an antivirus. For anti-spam I use SpamAssassin. For DKIM and DMARC — OpenDKIM and OpenDMARC respectively. I could use rspamd instead of the latter three, but it doesn't work on Raspberry Pi.
|
||||||
p It is vital to make the DKIM, DMARC and SPF DNS records. Also, if you want your mail server to be trusted by every other mail servers then you should get a static IP-address if you don't yet. And you have to ask your ISP to edit PTR DNS record for your static IP-address to point to your domain.
|
p It is vital to make the DKIM, DMARC and SPF DNS records. Also, if you want your mail server to be trusted by every other mail servers then you should get a static IP-address if you don't yet. And you have to ask your ISP to edit PTR DNS record for your static IP-address to point to your domain.
|
||||||
p Unfortunately for me I don't have neither, and I'm afraid that even if I get the static IP-address, my ISP won't edit PTR record, because that's available only for bussiness customers.
|
p Unfortunately for me I don't have neither, and I'm afraid that even if I get the static IP-address, my ISP won't edit PTR record, because that's available only for bussiness customers.
|
||||||
p Server is configured in a simple way using PAM (real system users) with user's passwords and with mail stored in ~/Maildir.
|
p Server is configured in a simple way using PAM (real system users) with user's passwords and with mail stored in ~/Maildir.
|
||||||
|
|
||||||
h3#art-2 2. Installing
|
h3#art-2 #[a(href='#art-2') 2. Installing]
|
||||||
p You need to install following packages: #[code postfix], #[code dovecot], #[code pidgeonhole] (or could be #[code dovecot-sieve]), #[code clamav], #[code opendkim], #[code opendmarc] and #[code spamassassin].
|
p You need to install following packages: #[code postfix], #[code dovecot], #[code pidgeonhole] (or could be #[code dovecot-sieve]), #[code clamav], #[code opendkim], #[code opendmarc] and #[code spamassassin].
|
||||||
|
|
||||||
h3#art-3 3. Postfix SMTP server
|
h3#art-3 #[a(href='#art-3') 3. Postfix SMTP server]
|
||||||
p Its configuration files are in directory #[code /etc/postfix]. First we need to work with #[code main.cf] file. Then configure services in #[code master.cf]. Also I'll show you how to make aliases for users.
|
p Its configuration files are in directory #[code /etc/postfix]. First we need to work with #[code main.cf] file. Then configure services in #[code master.cf]. Also I'll show you how to make aliases for users.
|
||||||
|
|
||||||
h4#art-3-1 3.1. main.cf
|
h4#art-3-1 #[a(href='#art-3-1') 3.1. main.cf]
|
||||||
p Set #[code myhostname] to a hostname of a server (e.g. #[code mail.example.org]). Set #[code mydomain] to your domain name (e.g. #[code example.org]). Set #[code myorigin] to #[code $mydomain] to set origin of mail being sent from your server.
|
p Set #[code myhostname] to a hostname of a server (e.g. #[code mail.example.org]). Set #[code mydomain] to your domain name (e.g. #[code example.org]). Set #[code myorigin] to #[code $mydomain] to set origin of mail being sent from your server.
|
||||||
p #[code mydestination] is a list of domains that are delivered through a local transport. If server should go outside then this parameter must include #[code $mydomain] alongside names for the local machine. E.g. #[code $myhostname, localhost, $mydomain, mail.$mydomain].
|
p #[code mydestination] is a list of domains that are delivered through a local transport. If server should go outside then this parameter must include #[code $mydomain] alongside names for the local machine. E.g. #[code $myhostname, localhost, $mydomain, mail.$mydomain].
|
||||||
p #[code local_recipient_maps] are lookup tables with all names and/or addresses of local recipients. In my case it set to #[code unix:passwd.byname $alias_maps].
|
p #[code local_recipient_maps] are lookup tables with all names and/or addresses of local recipients. In my case it set to #[code unix:passwd.byname $alias_maps].
|
||||||
@ -86,7 +86,7 @@ block article
|
|||||||
| inet_protocols = ipv4
|
| inet_protocols = ipv4
|
||||||
p Next I'll cover how to make encryption working, set up milters (mail filters (i.e. OpenDKIM and OpenDMARC)), and restrictions.
|
p Next I'll cover how to make encryption working, set up milters (mail filters (i.e. OpenDKIM and OpenDMARC)), and restrictions.
|
||||||
|
|
||||||
h4#art-3-2 3.2. master.cf
|
h4#art-3-2 #[a(href='#art-3-2') 3.2. master.cf]
|
||||||
p Here are all needed lines to be added or modified:
|
p Here are all needed lines to be added or modified:
|
||||||
pre
|
pre
|
||||||
| smtp inet n - n - - smtpd
|
| smtp inet n - n - - smtpd
|
||||||
@ -106,21 +106,20 @@ block article
|
|||||||
| user=spamd argv=/bin/vendor_perl/spamc
|
| user=spamd argv=/bin/vendor_perl/spamc
|
||||||
| -e /sbin/sendmail -oi -f ${sender} ${recipient}
|
| -e /sbin/sendmail -oi -f ${sender} ${recipient}
|
||||||
|
|
||||||
h4#art-3-3 3.3. User aliases
|
h4#art-3-3 #[a(href='#art-3-3') 3.3. User aliases]
|
||||||
p User aliases are in #[code aliases] file. They has a form "#[code <alias>: <username>]", e.g. #[code me: arav]. Where #[code username] may be other alias. After modifications you need to run #[code newaliases] program to update #[code aliases.db] database file.
|
p User aliases are in #[code aliases] file. They has a form "#[code <alias>: <username>]", e.g. #[code me: arav]. Where #[code username] may be other alias. After modifications you need to run #[code newaliases] program to update #[code aliases.db] database file.
|
||||||
|
|
||||||
h4#art-3-4 3.4. Starting Postfix
|
h4#art-3-4 #[a(href='#art-3-4') 3.4. Starting Postfix]
|
||||||
p To start a Postfix service on systemd-based Linux distro run #[code systemctl start postfix]. To make Postfix run on every boot run #[code systemctl enable postfix].
|
p To start a Postfix service on systemd-based Linux distro run #[code systemctl start postfix]. To make Postfix run on every boot run #[code systemctl enable postfix].
|
||||||
|
|
||||||
|
h3#art-4 #[a(href='#art-4') 4. Dovecot POP3/IMAP server with Sieve mail filter]
|
||||||
|
|
||||||
h3#art-4 4. Dovecot POP3/IMAP server with Sieve mail filter
|
h3#art-5 #[a(href='#art-5') 5. SpamAssassin spam filter]
|
||||||
|
|
||||||
h3#art-5 5. SpamAssassin spam filter
|
h3#art-6 #[a(href='#art-6') 6. OpenDKIM signing and verifying filter]
|
||||||
|
|
||||||
h3#art-6 6. OpenDKIM signing and verifying filter
|
|
||||||
p On ArchLinux OpenDKIM is unable to write in #[code /run], so I created #[code /var/spool/opendkim] directory for it.
|
p On ArchLinux OpenDKIM is unable to write in #[code /run], so I created #[code /var/spool/opendkim] directory for it.
|
||||||
|
|
||||||
h4#art-6-1 6.1. opendkim.conf
|
h4#art-6-1 #[a(href='#art-6-1') 6.1. opendkim.conf]
|
||||||
p Well, that's main config file
|
p Well, that's main config file
|
||||||
pre
|
pre
|
||||||
| KeyTable refile:/etc/opendkim/keytable
|
| KeyTable refile:/etc/opendkim/keytable
|
||||||
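Review bot: this hunk shrinks the region from 21 to 20 lines (`@@ -106,21 +106,20 @@`) because the blank-line spacing around the `h3#art-4`, `h3#art-5` and `h3#art-6` headings is changed along with the link conversion; the whitespace change is unrelated to the commit's stated purpose and makes the diff harder to read, so either keep the original spacing or mention the cleanup in the commit message.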
@ -152,7 +151,7 @@ block article
|
|||||||
p Below are logging options that tells to write in syslog.
|
p Below are logging options that tells to write in syslog.
|
||||||
p With #[code SoftwareHeader] set to yes OpenDKIM will be always adding "DKIM-Filter" header field.
|
p With #[code SoftwareHeader] set to yes OpenDKIM will be always adding "DKIM-Filter" header field.
|
||||||
|
|
||||||
h4#art-6-2 6.2. Generating keys
|
h4#art-6-2 #[a(href='#art-6-2') 6.2. Generating keys]
|
||||||
pre
|
pre
|
||||||
| opendkim-genkey -r -s myselector -b 2048 -d example.com
|
| opendkim-genkey -r -s myselector -b 2048 -d example.com
|
||||||
p This command will generate a key pair stored in files "myselector.private" and "myselector.txt" for a given domain.
|
p This command will generate a key pair stored in files "myselector.private" and "myselector.txt" for a given domain.
|
||||||
@ -160,7 +159,7 @@ block article
|
|||||||
p Name of a selector is usually a #[code mail], but that's just what I use, you can choose whatever you want.
|
p Name of a selector is usually a #[code mail], but that's just what I use, you can choose whatever you want.
|
||||||
|
|
||||||
|
|
||||||
h4#art-6-3 6.3. Populating KeyTable and SigningTable
|
h4#art-6-3 #[a(href='#art-6-3') 6.3. Populating KeyTable and SigningTable]
|
||||||
p KeyTable has following structure (a line per domain):
|
p KeyTable has following structure (a line per domain):
|
||||||
pre
|
pre
|
||||||
| myselector._domainkey.example.com example.com:myselector:/etc/opendkim/myselector.private
|
| myselector._domainkey.example.com example.com:myselector:/etc/opendkim/myselector.private
|
||||||
@ -168,7 +167,7 @@ block article
|
|||||||
pre
|
pre
|
||||||
| *@example.com myselector._domainkey.example.com
|
| *@example.com myselector._domainkey.example.com
|
||||||
|
|
||||||
h4#art-6-4 6.4. internal-hosts file
|
h4#art-6-4 #[a(href='#art-6-4') 6.4. internal-hosts file]
|
||||||
p As stated above in this file we put hosts whose mail should be signed rather than verified. And its structure is the following:
|
p As stated above in this file we put hosts whose mail should be signed rather than verified. And its structure is the following:
|
||||||
pre
|
pre
|
||||||
| 127.0.0.1
|
| 127.0.0.1
|
||||||
@ -176,10 +175,10 @@ block article
|
|||||||
p #[code 127.0.0.1] is necessary to be there according to a manual.
|
p #[code 127.0.0.1] is necessary to be there according to a manual.
|
||||||
|
|
||||||
|
|
||||||
h4#art-6-5 6.5. Starting OpenDKIM
|
h4#art-6-5 #[a(href='#art-6-5') 6.5. Starting OpenDKIM]
|
||||||
p #[code systemctl start opendkim] and #[code systemctl enable opendkim] to start and enable OpenDKIM service to run on OS start up if you got Poetteringed just like me. :)
|
p #[code systemctl start opendkim] and #[code systemctl enable opendkim] to start and enable OpenDKIM service to run on OS start up if you got Poetteringed just like me. :)
|
||||||
|
|
||||||
h3#art-7 7. OpenDMARC email policy filter
|
h3#art-7 #[a(href='#art-7') 7. OpenDMARC email policy filter]
|
||||||
p Its configuration lies in #[code /etc/opendmarc/opendmarc.conf] and is fully documented. Here are the options I changed:
|
p Its configuration lies in #[code /etc/opendmarc/opendmarc.conf] and is fully documented. Here are the options I changed:
|
||||||
pre
|
pre
|
||||||
| AuthservID OpenDMARC
|
| AuthservID OpenDMARC
|
||||||
@ -198,9 +197,9 @@ block article
|
|||||||
p What's in a #[code Socket] option should be added to Postfix's #[code smtpd_milters] and #[code non_smtpd_milters].
|
p What's in a #[code Socket] option should be added to Postfix's #[code smtpd_milters] and #[code non_smtpd_milters].
|
||||||
p Creating DMARC DNS record covered in <a href="#art-7-4">7.4</a>.
|
p Creating DMARC DNS record covered in <a href="#art-7-4">7.4</a>.
|
||||||
|
|
||||||
h3#art-8 8. DNS records
|
h3#art-8 #[a(href='#art-8') 8. DNS records]
|
||||||
|
|
||||||
h4#art-8-1 8.1. MX and A/AAAA
|
h4#art-8-1 #[a(href='#art-8-1') 8.1. MX and A/AAAA]
|
||||||
p It's good to have a dedicated A (IPv4 address) or AAAA (IPv6 address) record for a mail server's hostname instead of a CNAME record so other servers won't need to do two DNS requests. Hostname is usually mail.example.org if there's just one server, you can call it whatever you want. Remind you that we set it in Postfix in #[code myhostname] parameter.
|
p It's good to have a dedicated A (IPv4 address) or AAAA (IPv6 address) record for a mail server's hostname instead of a CNAME record so other servers won't need to do two DNS requests. Hostname is usually mail.example.org if there's just one server, you can call it whatever you want. Remind you that we set it in Postfix in #[code myhostname] parameter.
|
||||||
p And A record looks like this:
|
p And A record looks like this:
|
||||||
pre
|
pre
|
||||||
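Review bot: the unchanged context line `p Creating DMARC DNS record covered in <a href="#art-7-4">7.4</a>.` points at an anchor that does not exist in this article: the DMARC record is described under `h4#art-8-4 8.4. DMARC`, and the line uses raw HTML instead of the Pug `#[a(href='#art-8-4') 8.4]` form used everywhere else. Since this commit is about heading anchors, fix the target and the syntax here as well.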
@ -212,20 +211,20 @@ block article
|
|||||||
p Here 10 is a priority of a record. The lower a number the higher a priority.
|
p Here 10 is a priority of a record. The lower a number the higher a priority.
|
||||||
p A period at the end of the hostnames is necessary in DNS records.
|
p A period at the end of the hostnames is necessary in DNS records.
|
||||||
|
|
||||||
h4#art-8-2 8.2. PTR
|
h4#art-8-2 #[a(href='#art-8-2') 8.2. PTR]
|
||||||
p PTR is a reverse DNS record that stands for pointer and is used to “bind” a hostname to IP-address. Mail servers looks for this record and check so this name equals to a hostname provided in EHLO. Most servers will reject your mail if your PTR looks something like 1.2.3.4.pppoe.someisp.net or not set at all.
|
p PTR is a reverse DNS record that stands for pointer and is used to “bind” a hostname to IP-address. Mail servers looks for this record and check so this name equals to a hostname provided in EHLO. Most servers will reject your mail if your PTR looks something like 1.2.3.4.pppoe.someisp.net or not set at all.
|
||||||
p There are three ways to set this record: ask your hosting or internet-provider, or get your own Autonomous System (:^)).
|
p There are three ways to set this record: ask your hosting or internet-provider, or get your own Autonomous System (:^)).
|
||||||
p Example of this record:
|
p Example of this record:
|
||||||
pre
|
pre
|
||||||
| 1 IN PTR mail.example.org.
|
| 1 IN PTR mail.example.org.
|
||||||
|
|
||||||
h4#art-8-3 8.3. SPF
|
h4#art-8-3 #[a(href='#art-8-3') 8.3. SPF]
|
||||||
p SPF stands for Sender Policy Framework and in my case it looks exactly like this:
|
p SPF stands for Sender Policy Framework and in my case it looks exactly like this:
|
||||||
pre
|
pre
|
||||||
| v=spf1 +a +mx -all
|
| v=spf1 +a +mx -all
|
||||||
p So, #[code v] is a version of a protocol. #[code +a +mx] means that only servers specified in the A and MX DNS records could send email, and #[code -all] that no one else could do that.
|
p So, #[code v] is a version of a protocol. #[code +a +mx] means that only servers specified in the A and MX DNS records could send email, and #[code -all] that no one else could do that.
|
||||||
|
|
||||||
h4#art-8-4 8.4. DMARC
|
h4#art-8-4 #[a(href='#art-8-4') 8.4. DMARC]
|
||||||
p DMARC stands for Domain-based Message Authentication Reporting and Conformance. And its DNS record could be like this one that I use:
|
p DMARC stands for Domain-based Message Authentication Reporting and Conformance. And its DNS record could be like this one that I use:
|
||||||
pre
|
pre
|
||||||
| _dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:admin@example.org; ruf=mailto:admin@example.org"
|
| _dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:admin@example.org; ruf=mailto:admin@example.org"
|
||||||
@ -233,14 +232,14 @@ block article
|
|||||||
p #[code p] is a default policy that could be set to #[code none], #[code quarantine] and #[code reject]. I chose to #[code reject] mail that comes from «me” if there's something wrong with a origin of a message. If you could get email from subdomains then you need to set #[code sp] as well.
|
p #[code p] is a default policy that could be set to #[code none], #[code quarantine] and #[code reject]. I chose to #[code reject] mail that comes from «me” if there's something wrong with a origin of a message. If you could get email from subdomains then you need to set #[code sp] as well.
|
||||||
p #[code rua] is an address for the reports and #[code ruf] is for the forensic reports.
|
p #[code rua] is an address for the reports and #[code ruf] is for the forensic reports.
|
||||||
|
|
||||||
h4#art-8-5 8.5. DKIM
|
h4#art-8-5 #[a(href='#art-8-5') 8.5. DKIM]
|
||||||
p In 5.2 we generated a key pair for our domain and now we'll take what's inside a #[code myselector.txt] file and add it to our DNS.
|
p In 5.2 we generated a key pair for our domain and now we'll take what's inside a #[code myselector.txt] file and add it to our DNS.
|
||||||
p DKIM DNS record looks like this:
|
p DKIM DNS record looks like this:
|
||||||
pre
|
pre
|
||||||
| myselector._domainkey IN TXT ( "v=DKIMv1; k=rsa; s=email; p=<public key goes here>" )
|
| myselector._domainkey IN TXT ( "v=DKIMv1; k=rsa; s=email; p=<public key goes here>" )
|
||||||
p By the way, brackets are used in case a content of a record doesn't fit on one line.
|
p By the way, brackets are used in case a content of a record doesn't fit on one line.
|
||||||
|
|
||||||
h3#art-9 9. Setting up a ClamAV antivirus
|
h3#art-9 #[a(href='#art-9') 9. Setting up a ClamAV antivirus]
|
||||||
p All you need to make it work together with Postfix is to add #[code /run/clamav/milter.sock] to #[code smtpd_milters] and #[code non_smtpd_milters] options in Postfix, also make some changes in configs of ClamAV.
|
p All you need to make it work together with Postfix is to add #[code /run/clamav/milter.sock] to #[code smtpd_milters] and #[code non_smtpd_milters] options in Postfix, also make some changes in configs of ClamAV.
|
||||||
p In #[code clamav-milter.conf] you need the following:
|
p In #[code clamav-milter.conf] you need the following:
|
||||||
pre
|
pre
|
||||||
|
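Review bot: `p In 5.2 we generated a key pair for our domain` refers to the wrong section: key generation is `h4#art-6-2 6.2. Generating keys` in this same file, so while the anchors are being touched this should become `#[a(href='#art-6-2') 6.2]`. Separately, the DKIM record in the context lines starts with `v=DKIMv1`; RFC 6376 defines the tag as `v=DKIM1` and requires verifiers to discard records whose `v=` tag has any other value, so the example record as written would fail validation.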
@ -21,18 +21,18 @@ block article
|
|||||||
li #[a(href='#art-4-1') Nyx — status monitor for Tor nodes]
|
li #[a(href='#art-4-1') Nyx — status monitor for Tor nodes]
|
||||||
li #[a(href='#art-4-2') Notes]
|
li #[a(href='#art-4-2') Notes]
|
||||||
|
|
||||||
h3#art-1 1. Introduction
|
h3#art-1 #[a(href='#art-1') 1. Introduction]
|
||||||
p In this article I'll show you how to setup your own Tor proxy (SOCKS5 and HTTP), relay, and hidden service.
|
p In this article I'll show you how to setup your own Tor proxy (SOCKS5 and HTTP), relay, and hidden service.
|
||||||
|
|
||||||
h3#art-2 2. Installation
|
h3#art-2 #[a(href='#art-2') 2. Installation]
|
||||||
p Install #[code tor] package using your package manager.
|
p Install #[code tor] package using your package manager.
|
||||||
p You definitely want to have control over your node and monitor it. For that purpose there is #[code nyx] tool. I'll cover it in 3.1 section.
|
p You definitely want to have control over your node and monitor it. For that purpose there is #[code nyx] tool. I'll cover it in 3.1 section.
|
||||||
p Any program can be passed through Tor using #[code torify] from #[code torsocks] package.
|
p Any program can be passed through Tor using #[code torify] from #[code torsocks] package.
|
||||||
|
|
||||||
h3#art-3 3. Configuration
|
h3#art-3 #[a(href='#art-3') 3. Configuration]
|
||||||
p Tor is already bundled with a great documented #[code torrc-dist] file. You may just copy a #[code torrc-dist] file and name it as #[code torrc] and change what you need.
|
p Tor is already bundled with a great documented #[code torrc-dist] file. You may just copy a #[code torrc-dist] file and name it as #[code torrc] and change what you need.
|
||||||
|
|
||||||
h4#art-3-1 3.1. Tor SOCKS/HTTP proxy
|
h4#art-3-1 #[a(href='#art-3-1') 3.1. Tor SOCKS/HTTP proxy]
|
||||||
p Here is an example of SOCKS/HTTP proxy settings:
|
p Here is an example of SOCKS/HTTP proxy settings:
|
||||||
pre
|
pre
|
||||||
| SocksPort 192.168.0.100:9050, [ipv6 address]:9050
|
| SocksPort 192.168.0.100:9050, [ipv6 address]:9050
|
||||||
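Review bot: `I'll cover it in 3.1 section.` in the nyx paragraph points at the wrong section: nyx is covered under `h4#art-4-1 4.1. Nyx — status monitor for Tor nodes` in this article, while 3.1 is the SOCKS/HTTP proxy. Fix the number and, since this commit adds anchors, make it `#[a(href='#art-4-1') 4.1]`.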
@ -53,7 +53,7 @@ block article
|
|||||||
p #[code HTTPTunnelPort] enables HTTP proxy, set it to desireable IP:Port.
|
p #[code HTTPTunnelPort] enables HTTP proxy, set it to desireable IP:Port.
|
||||||
p There are also #[code ExcludeNodes] and #[code ExcludeExitNodes] options that are the comma separated lists of forbidden nodes. There may be placed country codes, address patterns and identity fingerprints of nodes to never use in circuits. They are looking like #[code {ru}, {??}, 123.45.*]. I recommend to leave there at least #[code {??}] to forbid misconfigured nodes or nodes of an unknown origin, especially for exit nodes.
|
p There are also #[code ExcludeNodes] and #[code ExcludeExitNodes] options that are the comma separated lists of forbidden nodes. There may be placed country codes, address patterns and identity fingerprints of nodes to never use in circuits. They are looking like #[code {ru}, {??}, 123.45.*]. I recommend to leave there at least #[code {??}] to forbid misconfigured nodes or nodes of an unknown origin, especially for exit nodes.
|
||||||
|
|
||||||
h4#art-3-2 3.2. Tor relay
|
h4#art-3-2 #[a(href='#art-3-2') 3.2. Tor relay]
|
||||||
p Here is an example of relay settings.
|
p Here is an example of relay settings.
|
||||||
pre
|
pre
|
||||||
| ORPort 8443, [::]:8443
|
| ORPort 8443, [::]:8443
|
||||||
@ -80,7 +80,7 @@ block article
|
|||||||
p Add #[code ExitPolicy reject *:*] to disable exit node if you don't need it. I found out that setting #[code ExitRelay] to 0 doesn't disable an exit node, so you must add rejecting policy.
|
p Add #[code ExitPolicy reject *:*] to disable exit node if you don't need it. I found out that setting #[code ExitRelay] to 0 doesn't disable an exit node, so you must add rejecting policy.
|
||||||
p #[code AccountingMax] and #[code AccountingStart] are used to limit traffic for given period.
|
p #[code AccountingMax] and #[code AccountingStart] are used to limit traffic for given period.
|
||||||
|
|
||||||
h4#art-3-3 3.3. Hidden service
|
h4#art-3-3 #[a(href='#art-3-3') 3.3. Hidden service]
|
||||||
p There are two mandatory options to work with: #[code HiddenServiceDir] and #[code HiddenServicePort].
|
p There are two mandatory options to work with: #[code HiddenServiceDir] and #[code HiddenServicePort].
|
||||||
p Of course, there are many other options, e.g. client authentication. But in simple case all you need are those two options above.
|
p Of course, there are many other options, e.g. client authentication. But in simple case all you need are those two options above.
|
||||||
p Every hidden service starts with #[code HiddenServiceDir <path>] directory that contains public and secret keys, hostname for a hidden service and a directory called #[code authorized_clients] that stores info on all clients that are authorized to access this hidden service.
|
p Every hidden service starts with #[code HiddenServiceDir <path>] directory that contains public and secret keys, hostname for a hidden service and a directory called #[code authorized_clients] that stores info on all clients that are authorized to access this hidden service.
|
||||||
@ -92,9 +92,9 @@ block article
|
|||||||
| HiddenServicePort 80 localhost:8201
|
| HiddenServicePort 80 localhost:8201
|
||||||
| HiddenServicePort 25 192.168.1.160:25
|
| HiddenServicePort 25 192.168.1.160:25
|
||||||
|
|
||||||
h3#art-4 4. Miscellaneous
|
h3#art-4 #[a(href='#art-4') 4. Miscellaneous]
|
||||||
|
|
||||||
h4#art-4-1 4.1. Nyx — status monitor for Tor nodes
|
h4#art-4-1 #[a(href='#art-4-1') 4.1. Nyx — status monitor for Tor nodes]
|
||||||
p You have to set #[code ControlPort] option to desired port, it will listen on localhost. If you need access from outside then set it to IP:9051. Also, you need to set #[code DisableDebuggerAttachment] option to 0, otherwise you'll not be able to use nyx. At least in my case nyx cannot connect with this option being set to 1.
|
p You have to set #[code ControlPort] option to desired port, it will listen on localhost. If you need access from outside then set it to IP:9051. Also, you need to set #[code DisableDebuggerAttachment] option to 0, otherwise you'll not be able to use nyx. At least in my case nyx cannot connect with this option being set to 1.
|
||||||
p Example:
|
p Example:
|
||||||
pre
|
pre
|
||||||
@ -102,7 +102,7 @@ block article
|
|||||||
| DisableDebuggerAttachment 0
|
| DisableDebuggerAttachment 0
|
||||||
p You may install it using package manager, but guaranteed last version can be installed from Python's #[code pip] package manager (#[code pip install nyx]).
|
p You may install it using package manager, but guaranteed last version can be installed from Python's #[code pip] package manager (#[code pip install nyx]).
|
||||||
|
|
||||||
h4#art-4-2 4.2. Notes
|
h4#art-4-2 #[a(href='#art-4-2') 4.2. Notes]
|
||||||
p I hope you have a static IP-address or your IP changes once a month at least, otherwise you'll never become a guard (entry) node.
|
p I hope you have a static IP-address or your IP changes once a month at least, otherwise you'll never become a guard (entry) node.
|
||||||
p An option #[code AvoidDiskWrites] is usefull in case you're running from SSD or SD card.
|
p An option #[code AvoidDiskWrites] is usefull in case you're running from SSD or SD card.
|
||||||
p You have to make a backup of #[code /var/lib/tor/keys] folder to save your node's cryptographic identity keys. They are used to identify your node. You can see stats on your node at #[a(href="https://metrics.torproject.org" rel="noopener noreferrer" target="_blank") metrics.torproject.org]. To find your node use what you put in #[code Nickname] parameter or a fingerprint that is shown in nyx.
|
p You have to make a backup of #[code /var/lib/tor/keys] folder to save your node's cryptographic identity keys. They are used to identify your node. You can see stats on your node at #[a(href="https://metrics.torproject.org" rel="noopener noreferrer" target="_blank") metrics.torproject.org]. To find your node use what you put in #[code Nickname] parameter or a fingerprint that is shown in nyx.
|