captainarkdotnet/output/rss.xml

<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom"><title>Sysadmining. All day. Every day.</title><link href="https://captainark.net/" rel="alternate"></link><link href="https://captainark.net/rss.xml" rel="self"></link><id>https://captainark.net/</id><updated>2016-03-26T00:00:00+01:00</updated><entry><title>WebDAV with nginx</title><link href="https://captainark.net/webdav-with-nginx.html" rel="alternate"></link><published>2016-03-26T00:00:00+01:00</published><updated>2016-03-26T00:00:00+01:00</updated><author><name>Antoine Joubert</name></author><id>tag:captainark.net,2016-03-26:/webdav-with-nginx.html</id><summary type="html">&lt;p&gt;This website has been hosted on an &lt;a href="https://www.online.net"&gt;Online.net&lt;/a&gt; dedicated server since its creation. I've been one of their customers for the past 3 years now, and I still don't have anything bad to say about them.&lt;/p&gt;
&lt;p&gt;They recently upgraded their personnal range, and I took the opportunity to upgrade …&lt;/p&gt;</summary><content type="html">&lt;p&gt;This website has been hosted on an &lt;a href="https://www.online.net"&gt;Online.net&lt;/a&gt; dedicated server since its creation. I've been one of their customers for the past 3 years now, and I still don't have anything bad to say about them.&lt;/p&gt;
&lt;p&gt;They recently upgraded their personnal range, and I took the opportunity to upgrade from a single server running all of my services to 2 servers running LXC containers that are hosting my services.&lt;/p&gt;
&lt;p&gt;It took me 2 days to migrate everything, but it was worth it. If I decide to switch servers again, I'll have to migrate the containers instead of the services themselves. Considering they are stored on a separate BTRFS volume, it shouldn't take me more than a few hours at most.&lt;/p&gt;
&lt;p&gt;During the migration, I realized that I needed to make files that were hosted on one server accessible to the other. I could have gone with CIFS or NFS, but I wanted to have encryption built-in instead of having to rely on a VPN for that. Since I figured it was a good opportunity to learn something new, I ended up going with WebDAV.&lt;/p&gt;
&lt;p&gt;In this tutorial, I'll explain how I've configured a read-only WebDAV share using &lt;a href="https://www.nginx.com/"&gt;nginx&lt;/a&gt; and &lt;a href="https://letsencrypt.org/"&gt;Let'sEncrypt&lt;/a&gt; SSL certificates between two Debian Jessie containers.&lt;/p&gt;
&lt;h2&gt;Server configuration&lt;/h2&gt;
&lt;h3&gt;Installing the required packages&lt;/h3&gt;
&lt;p&gt;First thing first, we need to install the packages we'll need for this configuration :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;apt update

apt -t jessie-backports install nginx letsencrypt
apt install apache2-utils
&lt;/pre&gt;&lt;/div&gt;


&lt;h3&gt;Getting our first certificate from letsencrypt&lt;/h3&gt;
&lt;h4&gt;letsencrypt configuration&lt;/h4&gt;
&lt;p&gt;Let's create a configuration file for letsencrypt :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;mkdir /etc/letsencrypt

&lt;span class="nb"&gt;echo&lt;/span&gt; &lt;span class="s1"&gt;&amp;#39;rsa-key-size = 3072&lt;/span&gt;
&lt;span class="s1"&gt;renew-by-default&lt;/span&gt;
&lt;span class="s1"&gt;text = True&lt;/span&gt;
&lt;span class="s1"&gt;agree-tos = True&lt;/span&gt;
&lt;span class="s1"&gt;renew-by-default = True&lt;/span&gt;
&lt;span class="s1"&gt;authenticator = webroot&lt;/span&gt;
&lt;span class="s1"&gt;email = admin@example.com&lt;/span&gt;
&lt;span class="s1"&gt;webroot-path = /var/www/letsencrypt/&amp;#39;&lt;/span&gt; &amp;gt; /etc/letsencrypt/cli.ini
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;&lt;em&gt;Please do modify admin@example.com by your actual e-mail address.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;We also need to create the directory structure where letsencrypt ACME challenge temporary files will be stored :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;mkdir -p /var/www/letsencrypt/.well-known
&lt;/pre&gt;&lt;/div&gt;


&lt;h4&gt;nginx configuration&lt;/h4&gt;
&lt;p&gt;We now need to configure nginx by adding the following in the &lt;code&gt;/etc/nginx/sites-available/default&lt;/code&gt; file, anywhere in the &lt;code&gt;server{}&lt;/code&gt; block that is configured to listen on port 80.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;location /.well-known/acme-challenge {
  root /var/www/letsencrypt;
}
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Let's make sure that we haven't done anything wrong :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;nginx -t
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;The command should give you the following output :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;span class="n"&gt;nginx&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt; &lt;span class="n"&gt;the&lt;/span&gt; &lt;span class="n"&gt;configuration&lt;/span&gt; &lt;span class="n"&gt;file&lt;/span&gt; &lt;span class="sr"&gt;/etc/nginx/&lt;/span&gt;&lt;span class="n"&gt;nginx&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;conf&lt;/span&gt; &lt;span class="n"&gt;syntax&lt;/span&gt; &lt;span class="k"&gt;is&lt;/span&gt; &lt;span class="n"&gt;ok&lt;/span&gt;
&lt;span class="n"&gt;nginx&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt; &lt;span class="n"&gt;configuration&lt;/span&gt; &lt;span class="n"&gt;file&lt;/span&gt; &lt;span class="sr"&gt;/etc/nginx/&lt;/span&gt;&lt;span class="n"&gt;nginx&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;conf&lt;/span&gt; &lt;span class="n"&gt;test&lt;/span&gt; &lt;span class="k"&gt;is&lt;/span&gt; &lt;span class="n"&gt;successful&lt;/span&gt;
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;If that's the case, you can safely reload the nginx daemon :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;nginx -s reload
&lt;/pre&gt;&lt;/div&gt;


&lt;h4&gt;Certificate request&lt;/h4&gt;
&lt;p&gt;Now that letsencrypt and nginx are properly configured, we can request our certificate from letsencrypt :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;letsencrypt --config /etc/letsencrypt/cli.ini certonly -w /var/www/letsencrypt -d www.example.com
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;&lt;em&gt;Please do modify www.example.com by your server's FQDN, and please note that the letsencrypt servers need to be able to resolve that name to your server's IP.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;If everything goes well, your certificates will be generated and stored in the /etc/letsencrypt folder.&lt;/p&gt;
&lt;h3&gt;WebDAV configuration&lt;/h3&gt;
&lt;p&gt;Now that we've obtained our certificate from letsencrypt, we can begin configuring nginx.&lt;/p&gt;
&lt;p&gt;First, we need to comment two SSL directives from the default nginx configuration :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;sed -i &amp;#39;/ssl_/ s/^/#/&amp;#39; /etc/nginx/nginx.conf
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Let's now create a &lt;code&gt;/etc/nginx/conf.d/ssl.conf&lt;/code&gt; with the following content :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;span class="nt"&gt;ssl_session_timeout&lt;/span&gt; &lt;span class="nt"&gt;1d&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;
&lt;span class="nt"&gt;ssl_session_cache&lt;/span&gt; &lt;span class="nt"&gt;shared&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="nd"&gt;SSL&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="nd"&gt;50m&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;
&lt;span class="nt"&gt;ssl_session_tickets&lt;/span&gt; &lt;span class="nt"&gt;off&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;

&lt;span class="nt"&gt;ssl_certificate&lt;/span&gt; &lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="nt"&gt;etc&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="nt"&gt;letsencrypt&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="nt"&gt;live&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="nt"&gt;www&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nc"&gt;example&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nc"&gt;com&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="nt"&gt;fullchain&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nc"&gt;pem&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;
&lt;span class="nt"&gt;ssl_certificate_key&lt;/span&gt; &lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="nt"&gt;etc&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="nt"&gt;letsencrypt&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="nt"&gt;live&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="nt"&gt;www&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nc"&gt;example&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nc"&gt;com&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="nt"&gt;privkey&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nc"&gt;pem&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;
&lt;span class="nt"&gt;ssl_trusted_certificate&lt;/span&gt; &lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="nt"&gt;etc&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="nt"&gt;letsencrypt&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="nt"&gt;live&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="nt"&gt;www&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nc"&gt;example&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nc"&gt;com&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="nt"&gt;fullchain&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nc"&gt;pem&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;

&lt;span class="nt"&gt;ssl_dhparam&lt;/span&gt; &lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="nt"&gt;etc&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="nt"&gt;nginx&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="nt"&gt;ssl&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="nt"&gt;dhparam&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nc"&gt;pem&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;

&lt;span class="nt"&gt;ssl_protocols&lt;/span&gt; &lt;span class="nt"&gt;TLSv1&lt;/span&gt; &lt;span class="nt"&gt;TLSv1&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nc"&gt;1&lt;/span&gt; &lt;span class="nt"&gt;TLSv1&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nc"&gt;2&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;
&lt;span class="nt"&gt;ssl_ciphers&lt;/span&gt; &lt;span class="s1"&gt;&amp;#39;ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS&amp;#39;&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;
&lt;span class="nt"&gt;ssl_prefer_server_ciphers&lt;/span&gt; &lt;span class="nt"&gt;on&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;

&lt;span class="nt"&gt;add_header&lt;/span&gt; &lt;span class="nt"&gt;Strict-Transport-Security&lt;/span&gt; &lt;span class="nt"&gt;max-age&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="nt"&gt;15768000&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;
&lt;span class="nt"&gt;add_header&lt;/span&gt; &lt;span class="nt"&gt;X-Frame-Options&lt;/span&gt; &lt;span class="nt"&gt;DENY&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;
&lt;span class="nt"&gt;add_header&lt;/span&gt; &lt;span class="nt"&gt;X-Content-Type-Options&lt;/span&gt; &lt;span class="nt"&gt;nosniff&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;

&lt;span class="nt"&gt;ssl_stapling&lt;/span&gt; &lt;span class="nt"&gt;on&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;
&lt;span class="nt"&gt;ssl_stapling_verify&lt;/span&gt; &lt;span class="nt"&gt;on&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;
&lt;span class="nt"&gt;resolver&lt;/span&gt; &lt;span class="nt"&gt;127&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nc"&gt;0&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nc"&gt;0&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nc"&gt;1&lt;/span&gt; &lt;span class="nt"&gt;valid&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="nt"&gt;300s&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;
&lt;span class="nt"&gt;resolver_timeout&lt;/span&gt; &lt;span class="nt"&gt;5s&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;&lt;em&gt;This configuration will work if you're using a single certificate on your server. If not, you'll have to remove the &lt;code&gt;ssl_certificate&lt;/code&gt;, &lt;code&gt;ssl_certificate_key&lt;/code&gt; and &lt;code&gt;ssl_trusted_certificate&lt;/code&gt; directives from this file and move them to the correct &lt;code&gt;server{}&lt;/code&gt; block.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;We now need to generate a &lt;code&gt;dhparam.pem&lt;/code&gt; file :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;mkdir /etc/nginx/ssl &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; chmod &lt;span class="m"&gt;700&lt;/span&gt; /etc/nginx/ssl
openssl dhparam -out /etc/nginx/ssl/dhparam.pem &lt;span class="m"&gt;3072&lt;/span&gt;
chmod &lt;span class="m"&gt;600&lt;/span&gt; /etc/nginx/ssl/dhparam.pem
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Let's now generate a HTTP basic authentication file. This example creates a user named example :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;mkdir /etc/nginx/auth

htpasswd -c /etc/nginx/auth/webdav example
New password: 
Re-type new password: 
Adding password for user user
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;This file has to be readable by the user running your webserver. For security reasons, we'll make it readable only by him :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;chown -R www-data:nogroup /etc/nginx/auth
chmod 700 /etc/nginx/auth
chmod 400 /etc/nginx/auth/webdav
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Let's now modify our &lt;code&gt;/etc/nginx/sites-available/default&lt;/code&gt; file with the following content :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;server {
  listen 80 default_server;
  listen [::]:80 default_server ipv6only=on;
  server_name &amp;quot;&amp;quot;;

  return 444;
}

server {
  listen 443 default_server ssl http2;
  listen [::]:443 default_server ipv6only=on ssl http2;
  server_name &amp;quot;&amp;quot;;

  return 444;
}
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;We now have to create a &lt;code&gt;/etc/nginx/sites-available/example&lt;/code&gt; file that will contain our actual webdav configuration. This example makes a &lt;code&gt;data&lt;/code&gt; folder stored in &lt;code&gt;/var/www/&lt;/code&gt; accessible.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;span class="nt"&gt;server&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="err"&gt;listen&lt;/span&gt; &lt;span class="err"&gt;80&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
  &lt;span class="n"&gt;listen&lt;/span&gt; &lt;span class="cp"&gt;[&lt;/span&gt;&lt;span class="p"&gt;::&lt;/span&gt;&lt;span class="cp"&gt;]&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="mi"&gt;80&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
  &lt;span class="err"&gt;server_name&lt;/span&gt; &lt;span class="err"&gt;www.example.com&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
  &lt;span class="err"&gt;return&lt;/span&gt; &lt;span class="err"&gt;301&lt;/span&gt; &lt;span class="n"&gt;https&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="o"&gt;//&lt;/span&gt;&lt;span class="err"&gt;$&lt;/span&gt;&lt;span class="n"&gt;server_name&lt;/span&gt;&lt;span class="err"&gt;$&lt;/span&gt;&lt;span class="n"&gt;request_uri&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;

&lt;span class="nt"&gt;server&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="err"&gt;listen&lt;/span&gt; &lt;span class="err"&gt;443&lt;/span&gt; &lt;span class="err"&gt;ssl&lt;/span&gt; &lt;span class="err"&gt;http2&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
  &lt;span class="n"&gt;listen&lt;/span&gt; &lt;span class="cp"&gt;[&lt;/span&gt;&lt;span class="p"&gt;::&lt;/span&gt;&lt;span class="cp"&gt;]&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="mi"&gt;443&lt;/span&gt; &lt;span class="n"&gt;ssl&lt;/span&gt; &lt;span class="n"&gt;http2&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
  &lt;span class="err"&gt;server_name&lt;/span&gt; &lt;span class="err"&gt;www.example.com&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;

  &lt;span class="err"&gt;root&lt;/span&gt; &lt;span class="err"&gt;/var/www&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;

  &lt;span class="err"&gt;location&lt;/span&gt; &lt;span class="err"&gt;/&lt;/span&gt; &lt;span class="err"&gt;{&lt;/span&gt;
    &lt;span class="err"&gt;index&lt;/span&gt; &lt;span class="err"&gt;index.html&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
  &lt;span class="p"&gt;}&lt;/span&gt;

  &lt;span class="nt"&gt;location&lt;/span&gt; &lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nc"&gt;well-known&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="nt"&gt;acme-challenge&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
    &lt;span class="err"&gt;root&lt;/span&gt; &lt;span class="err"&gt;/var/www/letsencrypt&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
  &lt;span class="p"&gt;}&lt;/span&gt;

  &lt;span class="nt"&gt;location&lt;/span&gt; &lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="nt"&gt;data&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
    &lt;span class="err"&gt;client_body_temp_path&lt;/span&gt; &lt;span class="err"&gt;/tmp&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
    &lt;span class="err"&gt;dav_methods&lt;/span&gt; &lt;span class="err"&gt;PUT&lt;/span&gt; &lt;span class="err"&gt;DELETE&lt;/span&gt; &lt;span class="err"&gt;MKCOL&lt;/span&gt; &lt;span class="err"&gt;COPY&lt;/span&gt; &lt;span class="err"&gt;MOVE&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
    &lt;span class="err"&gt;dav_ext_methods&lt;/span&gt; &lt;span class="err"&gt;PROPFIND&lt;/span&gt; &lt;span class="err"&gt;OPTIONS&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
    &lt;span class="err"&gt;create_full_put_path&lt;/span&gt; &lt;span class="err"&gt;on&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
    &lt;span class="err"&gt;dav_access&lt;/span&gt; &lt;span class="n"&gt;user&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="n"&gt;r&lt;/span&gt; &lt;span class="n"&gt;group&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="n"&gt;r&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;

    &lt;span class="err"&gt;auth_basic&lt;/span&gt; &lt;span class="err"&gt;&amp;quot;Restricted&lt;/span&gt; &lt;span class="err"&gt;access&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
    &lt;span class="err"&gt;auth_basic_user_file&lt;/span&gt; &lt;span class="err"&gt;auth/webdav&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;

    &lt;span class="err"&gt;limit_except&lt;/span&gt; &lt;span class="err"&gt;GET&lt;/span&gt; &lt;span class="err"&gt;{&lt;/span&gt;
      &lt;span class="err"&gt;allow&lt;/span&gt; &lt;span class="err"&gt;&amp;lt;YOUR&lt;/span&gt; &lt;span class="err"&gt;IP&lt;/span&gt; &lt;span class="err"&gt;HERE&amp;gt;&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
      &lt;span class="err"&gt;deny&lt;/span&gt; &lt;span class="err"&gt;all&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
    &lt;span class="p"&gt;}&lt;/span&gt;
  &lt;span class="err"&gt;}&lt;/span&gt;

&lt;span class="err"&gt;}&lt;/span&gt;
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;The last thing we have to do is to create a symlink so that nginx will load our configuration :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;ln -s /etc/nginx/sites-available/example /etc/nginx/sites-enabled/example
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Like before, let's make sure our configuration is correct and then reload the daemon :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;nginx -t
nginx -s reload
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;That's it for the WebDAV configuration server-side !&lt;/p&gt;
&lt;h3&gt;nginx monitoring&lt;/h3&gt;
&lt;p&gt;If you're using monit, you can easily monitor the nginx daemon by copying the following in &lt;code&gt;/etc/monit/conf.d/nginx&lt;/code&gt; :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;check process nginx
  with pidfile &amp;quot;/run/nginx.pid&amp;quot;
  start program = &amp;quot;/bin/systemctl start nginx&amp;quot;
  stop program = &amp;quot;/bin/systemctl stop nginx&amp;quot;
  alert monit@example.com
&lt;/pre&gt;&lt;/div&gt;


&lt;h3&gt;Certificates auto-renewal&lt;/h3&gt;
&lt;p&gt;This goes beyond the scope of the article, but since letsencrypt certficates are only valid for 3 months, you'll need to renew them regularily. You can do so manually or you can setup a cron that does it for you.&lt;/p&gt;
&lt;p&gt;I personnaly use the following script :&lt;/p&gt;
&lt;table class="highlighttable"&gt;&lt;tr&gt;&lt;td class="linenos"&gt;&lt;div class="linenodiv"&gt;&lt;pre&gt; 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17&lt;/pre&gt;&lt;/div&gt;&lt;/td&gt;&lt;td class="code"&gt;&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;span class="ch"&gt;#!/bin/bash&lt;/span&gt;

&lt;span class="nv"&gt;PRG&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;/usr/bin/letsencrypt&amp;quot;&lt;/span&gt;
&lt;span class="nv"&gt;CONFIG&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;/etc/letsencrypt/cli.ini&amp;quot;&lt;/span&gt;
&lt;span class="nv"&gt;MAILDEST&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;admin@example.com&amp;quot;&lt;/span&gt;
&lt;span class="nv"&gt;GLOBAL&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="m"&gt;0&lt;/span&gt;

&lt;span class="c1"&gt;# www.example.com&lt;/span&gt;
&lt;span class="nv"&gt;$PRG&lt;/span&gt; --config &lt;span class="nv"&gt;$CONFIG&lt;/span&gt; certonly -w /var/www/letsencrypt -d www.example.com
&lt;span class="o"&gt;[[&lt;/span&gt; &lt;span class="nv"&gt;$?&lt;/span&gt; !&lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="m"&gt;0&lt;/span&gt; &lt;span class="o"&gt;]]&lt;/span&gt; &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; &lt;span class="nv"&gt;GLOBAL&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="k"&gt;$((&lt;/span&gt; &lt;span class="nv"&gt;$GLOBAL&lt;/span&gt; &lt;span class="o"&gt;+&lt;/span&gt; &lt;span class="m"&gt;1&lt;/span&gt; &lt;span class="k"&gt;))&lt;/span&gt;

&lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="o"&gt;[[&lt;/span&gt; &lt;span class="nv"&gt;$GLOBAL&lt;/span&gt; &lt;span class="o"&gt;==&lt;/span&gt; &lt;span class="m"&gt;0&lt;/span&gt; &lt;span class="o"&gt;]]&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt; &lt;span class="k"&gt;then&lt;/span&gt;
  /usr/sbin/nginx -s reload
&lt;span class="k"&gt;else&lt;/span&gt;
  &lt;span class="nb"&gt;echo&lt;/span&gt; &lt;span class="s2"&gt;&amp;quot;Something went wrong while renewing the certificates on &lt;/span&gt;&lt;span class="k"&gt;$(&lt;/span&gt;hostname -f&lt;span class="k"&gt;)&lt;/span&gt;&lt;span class="s2"&gt;&lt;/span&gt;
&lt;span class="s2"&gt;  Manual action needed.&amp;quot;&lt;/span&gt; &lt;span class="p"&gt;|&lt;/span&gt; mail -s &lt;span class="s2"&gt;&amp;quot;Letsencrypt error on &lt;/span&gt;&lt;span class="k"&gt;$(&lt;/span&gt;hostname -f&lt;span class="k"&gt;)&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;&lt;/span&gt; &lt;span class="nv"&gt;$MAILDEST&lt;/span&gt;
&lt;span class="k"&gt;fi&lt;/span&gt;
&lt;/pre&gt;&lt;/div&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;

&lt;p&gt;You can add multiple domains in the script. As long as you add all 3 lines for each domain, it will not automatically reload nginx if one or more certificate could not be renewed and will send an e-mail to the address configured in the &lt;code&gt;MAILDEST&lt;/code&gt; variable.&lt;/p&gt;
&lt;p&gt;You can configure this script in the root user crontab using the &lt;code&gt;crontab -e&lt;/code&gt; command :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;## LETSENCRYPT CERTIFICATE AUTORENEWAL
30 03 01 */2 * /root/bin/tlsrenew
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;This will run the script every two months, on the first day of the month, at 3:30 AM.&lt;/p&gt;
&lt;h2&gt;Client configuration&lt;/h2&gt;
&lt;h3&gt;Installing the required packages&lt;/h3&gt;
&lt;p&gt;A single package is required to mount a webdav volume on Debian :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;apt update &amp;amp;&amp;amp; apt install davfs2
&lt;/pre&gt;&lt;/div&gt;


&lt;h3&gt;Mounting the share manually&lt;/h3&gt;
&lt;p&gt;If like me, you want to mount your webdav share in a LXC container, you'll first need to make sure that the following line is present in its configuration file :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;lxc.cgroup.devices.allow = c 10:229 rwm
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;You'll also need to create the &lt;code&gt;/dev/fuse&lt;/code&gt; node in the container :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;mknod /dev/fuse c 10 229
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;In any case, we have to edit the &lt;code&gt;/etc/davfs2/secrets&lt;/code&gt; file to add the mount point, username and password that will be used to mount the share :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;echo &amp;#39;/data webdav notanactualpassword&amp;#39; &amp;gt;&amp;gt; /etc/davfs2/secrets
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Once that's done, we can mount our share with the following command :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;mount -t davfs https://www.example.com/data /data -o ro,dir_mode=750,file_mode=640,uid=root,gid=root
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;You might need to edit the parameters depending on which users you want to make the share available to.&lt;/p&gt;
&lt;h3&gt;Mouting the share on boot&lt;/h3&gt;
&lt;p&gt;A davfs volume can be mounted via the &lt;code&gt;/etc/fstab&lt;/code&gt; file, but I decided to use monit instead so that the volume would be mounted again automatically should my WebDAV server reboot.&lt;/p&gt;
&lt;p&gt;In order to do so, I first created a &lt;code&gt;davfs.txt&lt;/code&gt; file in the &lt;code&gt;/var/www/data&lt;/code&gt; folder on my WebDAV server :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;touch /var/www/data/davfs.txt
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;I then created the following &lt;code&gt;/root/bin/mount_davfs&lt;/code&gt; script :&lt;/p&gt;
&lt;table class="highlighttable"&gt;&lt;tr&gt;&lt;td class="linenos"&gt;&lt;div class="linenodiv"&gt;&lt;pre&gt;1
2
3
4&lt;/pre&gt;&lt;/div&gt;&lt;/td&gt;&lt;td class="code"&gt;&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;span class="ch"&gt;#!/bin/bash&lt;/span&gt;

mknod /dev/fuse c &lt;span class="m"&gt;10&lt;/span&gt; &lt;span class="m"&gt;229&lt;/span&gt;
mount -t davfs https://www.example.com/data /data -o ro,dir_mode&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="m"&gt;750&lt;/span&gt;,file_mode&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="m"&gt;640&lt;/span&gt;,uid&lt;span class="o"&gt;=&lt;/span&gt;root,gid&lt;span class="o"&gt;=&lt;/span&gt;root
&lt;/pre&gt;&lt;/div&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;

&lt;p&gt;The last thing I did was create a &lt;code&gt;/etc/monit/conf.d/davfs&lt;/code&gt; file with the following content :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;check file davfs with path /data/davfs.txt
  alert monit@example.com
  if does not exist then exec &amp;quot;/root/bin/mount_davfs&amp;quot;
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;That way, if monit notices that the &lt;code&gt;/data/davfs.txt&lt;/code&gt; file becomes inaccessible for some reason, it will try remouting the share.&lt;/p&gt;
&lt;h2&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;That's all ! Hopefully this has been useful to someone. Please do comment below if you have any question or if this has been helpful !&lt;/p&gt;</content></entry><entry><title>MySQL backup script</title><link href="https://captainark.net/mysql-backup-script.html" rel="alternate"></link><published>2016-03-13T00:00:00+01:00</published><updated>2016-03-13T00:00:00+01:00</updated><author><name>Antoine Joubert</name></author><id>tag:captainark.net,2016-03-13:/mysql-backup-script.html</id><summary type="html">&lt;p&gt;I wrote a MySQL database backup script a while back. I known they are more than enough of them already floating around the internet, but hey, I figured I'd share it here anyway.&lt;/p&gt;
&lt;h2&gt;The script&lt;/h2&gt;
&lt;p&gt;For the script to work, you'll need to edit a few variable to match your …&lt;/p&gt;</summary><content type="html">&lt;p&gt;I wrote a MySQL database backup script a while back. I known they are more than enough of them already floating around the internet, but hey, I figured I'd share it here anyway.&lt;/p&gt;
&lt;h2&gt;The script&lt;/h2&gt;
&lt;p&gt;For the script to work, you'll need to edit a few variable to match your configuration.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;BACKUPDIR&lt;/code&gt; is the path of the directory where you want your backups to be stored.&lt;/li&gt;
&lt;li&gt;&lt;code&gt;BACKUPUSR&lt;/code&gt; is the user that will connect to MySQL to dump the databases. It should have access to all you databases without needing a password.&lt;/li&gt;
&lt;li&gt;&lt;code&gt;EXCLUDELIST&lt;/code&gt; is a list of databases that should not be backed-up. Leaving it as is is probably fine.&lt;/li&gt;
&lt;/ul&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;span class="ch"&gt;#!/bin/bash&lt;/span&gt;

&lt;span class="nv"&gt;BACKUPDIR&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;/home/user/backup&amp;quot;&lt;/span&gt;
&lt;span class="nv"&gt;BACKUPUSR&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;user&amp;quot;&lt;/span&gt;
&lt;span class="nv"&gt;EXCLUDELIST&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;^Databases&lt;/span&gt;$&lt;span class="s2"&gt;|^information_schema&lt;/span&gt;$&lt;span class="s2"&gt;|^mysql&lt;/span&gt;$&lt;span class="s2"&gt;|^performance_schema&lt;/span&gt;$&lt;span class="s2"&gt;&amp;quot;&lt;/span&gt;

sqlbk&lt;span class="o"&gt;()&lt;/span&gt; &lt;span class="o"&gt;{&lt;/span&gt;
  &lt;span class="k"&gt;for&lt;/span&gt; each in &lt;span class="k"&gt;$(&lt;/span&gt;mysqlshow &lt;span class="p"&gt;|&lt;/span&gt; awk &lt;span class="s1"&gt;&amp;#39;/[[:alnum:]]/{print $2}&amp;#39;&lt;/span&gt;&lt;span class="k"&gt;)&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt; &lt;span class="k"&gt;do&lt;/span&gt;
    &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="o"&gt;[[&lt;/span&gt; &lt;span class="nv"&gt;$each&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt;~ &lt;span class="nv"&gt;$EXCLUDELIST&lt;/span&gt; &lt;span class="o"&gt;]]&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt; &lt;span class="k"&gt;then&lt;/span&gt;
      &lt;span class="nb"&gt;true&lt;/span&gt;
    &lt;span class="k"&gt;else&lt;/span&gt;
      mysqldump &lt;span class="nv"&gt;$each&lt;/span&gt; &lt;span class="p"&gt;|&lt;/span&gt; bzip2 &amp;gt; &lt;span class="si"&gt;${&lt;/span&gt;&lt;span class="nv"&gt;BACKUPDIR&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;/&lt;span class="si"&gt;${&lt;/span&gt;&lt;span class="nv"&gt;each&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;.sql.bz2
      chown &lt;span class="si"&gt;${&lt;/span&gt;&lt;span class="nv"&gt;BACKUPUSR&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;: &lt;span class="si"&gt;${&lt;/span&gt;&lt;span class="nv"&gt;BACKUPDIR&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;/&lt;span class="si"&gt;${&lt;/span&gt;&lt;span class="nv"&gt;each&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;.sql.bz2 &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; chmod &lt;span class="m"&gt;600&lt;/span&gt; &lt;span class="si"&gt;${&lt;/span&gt;&lt;span class="nv"&gt;BACKUPDIR&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;/&lt;span class="si"&gt;${&lt;/span&gt;&lt;span class="nv"&gt;each&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;.sql.bz2
    &lt;span class="k"&gt;fi&lt;/span&gt;
  &lt;span class="k"&gt;done&lt;/span&gt;
&lt;span class="o"&gt;}&lt;/span&gt;

&lt;span class="o"&gt;[[&lt;/span&gt; -e /etc/init.d/mysql &lt;span class="o"&gt;]]&lt;/span&gt; &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; sqlbk
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;I personnaly have this script running once a week, in my user's personnal crontab (editable using the &lt;code&gt;crontab -e&lt;/code&gt; command) :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;## WEEKLY DATABASE BACKUP
@weekly /home/user/bin/backupdb
&lt;/pre&gt;&lt;/div&gt;


&lt;h1&gt;Conclusion&lt;/h1&gt;
&lt;p&gt;You've probably noticed that the script erases the previous backup when a new one is made.&lt;/p&gt;
&lt;p&gt;I don't need to keep multiple versions of the same database backup on my servers because they are all saved remotely on a daily basis using &lt;a href="http://rsnapshot.org/"&gt;Rsnapshot&lt;/a&gt;. I'll probably write an article on the subject in the future.&lt;/p&gt;
&lt;p&gt;As usual, feedback is always appreciated !&lt;/p&gt;</content></entry><entry><title>Postfix Admin</title><link href="https://captainark.net/postfix-admin.html" rel="alternate"></link><published>2016-03-06T00:00:00+01:00</published><updated>2016-03-06T00:00:00+01:00</updated><author><name>Antoine Joubert</name></author><id>tag:captainark.net,2016-03-06:/postfix-admin.html</id><summary type="html">&lt;p&gt;As I explained in &lt;a href="https://www.captainark.net/setting-up-a-mail-server.html"&gt;this previous tutorial&lt;/a&gt;, I've been running my own mail server without any issue for some time now.&lt;/p&gt;
&lt;p&gt;However, every time I've wanted to add a domain, create a new mailbox or change a user's password, I've had to do it manually from a SQL shell. As …&lt;/p&gt;</summary><content type="html">&lt;p&gt;As I explained in &lt;a href="https://www.captainark.net/setting-up-a-mail-server.html"&gt;this previous tutorial&lt;/a&gt;, I've been running my own mail server without any issue for some time now.&lt;/p&gt;
&lt;p&gt;However, every time I've wanted to add a domain, create a new mailbox or change a user's password, I've had to do it manually from a SQL shell. As fun as it may be, it does get old very fast, so I've decided to install a web frontend to manage this database.&lt;/p&gt;
&lt;p&gt;After a bit a googling, I've settled on &lt;a href="http://postfixadmin.sourceforge.net/"&gt;Postfix Admin&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;The latest stable version of Postfix Admin was released in 2009. Version 3.0 has been in the works for some time now and the project can be cloned from their &lt;a href="https://github.com/postfixadmin/postfixadmin"&gt;Github repo&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;I've also tried &lt;a href="http://www.vimbadmin.net/"&gt;ViMbAdmin&lt;/a&gt;, but it felt a little heavy considering what I was going to use it for.&lt;/p&gt;
&lt;p&gt;You'll need a web server with PHP support to run Postfix Admin. I personnaly run nginx with php5-fpm, but I won't explain how to configure it here. I'll simply explain how to migrate your current database to one managed with Postfix Admin with as little downtime as possible.&lt;/p&gt;
&lt;h1&gt;Creating a new database&lt;/h1&gt;
&lt;p&gt;Since the database managed by Postfix Admin does not use the same schema as the one we've created in my previous tutorial, we'll have to create a new one. We will give all privileges on that database to the same user as before, &lt;code&gt;'mail'@'localhost'&lt;/code&gt;.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;span class="k"&gt;CREATE&lt;/span&gt; &lt;span class="k"&gt;DATABASE&lt;/span&gt; &lt;span class="n"&gt;mailnew&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="k"&gt;GRANT&lt;/span&gt; &lt;span class="k"&gt;ALL&lt;/span&gt; &lt;span class="k"&gt;PRIVILEGES&lt;/span&gt; &lt;span class="k"&gt;ON&lt;/span&gt; &lt;span class="n"&gt;mailnew&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="o"&gt;*&lt;/span&gt; &lt;span class="k"&gt;TO&lt;/span&gt; &lt;span class="s1"&gt;&amp;#39;mail&amp;#39;&lt;/span&gt;&lt;span class="o"&gt;@&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;localhost&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="n"&gt;FLUSH&lt;/span&gt; &lt;span class="k"&gt;PRIVILEGES&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;At this point, you can clone the Postfix Admin project from Github and go through the installation process.&lt;/p&gt;
&lt;p&gt;While editing the config.inc.php file (or config.local.php file if you've decided to copy it), make sure that the &lt;code&gt;database_name&lt;/code&gt; option is set to use the &lt;code&gt;mailnew&lt;/code&gt; database we've just created.&lt;/p&gt;
&lt;p&gt;Also, make sure that the &lt;code&gt;encrypt&lt;/code&gt; option is set to &lt;code&gt;dovecot:SHA512-CRYPT&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;The installation process will create all the necessary tables in the database.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;At this point, you'll have to recreate all domains, mailboxes and aliases that you have configured in your current mail database using the Postfix Admin interface.&lt;/strong&gt;&lt;/p&gt;
&lt;h1&gt;Postfix configuration&lt;/h1&gt;
&lt;p&gt;Once you're done with Postfix Admin, it's time to configure Postfix to use its schema.&lt;/p&gt;
&lt;p&gt;First thing first, let's backup our current configuration :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;mkdir /etc/postfix/mysql-backup
cp -a /etc/postfix/mysql-virtual* /etc/postfix/mysql-backup/
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Next, we have to edit the 3 files we've just backed-up. The only line that actually changes is the one beginning with &lt;code&gt;query&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;The first file is /etc/postfix/mysql-virtual-mailbox-domains.cf :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;user = mail
password = mailpassword
hosts = 127.0.0.1
dbname = mail
query = SELECT 1 FROM domain WHERE domain=&amp;#39;%s&amp;#39; AND active=&amp;#39;1&amp;#39;
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;The second one is /etc/postfix/mysql-virtual-mailbox-maps.cf :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;user = mail
password = mailpassword
hosts = 127.0.0.1
dbname = mail
query = SELECT 1 FROM mailbox WHERE username=&amp;#39;%s&amp;#39; AND active=&amp;#39;1&amp;#39;
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;And the last one is /etc/postfix/mysql-virtual-alias-maps.cf :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;user = mail
password = mailpassword
hosts = 127.0.0.1
dbname = mail
query = SELECT goto FROM alias WHERE address=&amp;#39;%s&amp;#39; AND active=&amp;#39;1&amp;#39;
&lt;/pre&gt;&lt;/div&gt;


&lt;h1&gt;Dovecot configuration&lt;/h1&gt;
&lt;p&gt;Same as with Postfix, we now need to configure Dovecot to use the Postfix Admin schema.&lt;/p&gt;
&lt;p&gt;First, let's backup our current configuration :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;cp -a /etc/dovecot/sql.conf /etc/dovecot/sql.conf.bak
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Next, we have to edit the /etc/dovecot/sql.conf file. The only line that changes is the one beginning with &lt;code&gt;password_query&lt;/code&gt;.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;driver = mysql
connect = host=localhost dbname=mail user=mail password=mailpassword
default_pass_scheme = SHA512-CRYPT
password_query = SELECT username as user, password FROM mailbox WHERE username=&amp;#39;%u&amp;#39; AND active=&amp;#39;1&amp;#39;;
&lt;/pre&gt;&lt;/div&gt;


&lt;h1&gt;Migrating to the new schema&lt;/h1&gt;
&lt;p&gt;We're done with the configuration part. Time to migrate to the new schema.&lt;/p&gt;
&lt;p&gt;First, let's create a backup of our current mail database :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;mysqldump mail &lt;span class="p"&gt;|&lt;/span&gt; bzip2 &amp;gt; /home/user/mail.sql.bz2
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Next, in a SQL shell, we're going to drop and recreate the mail database :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;span class="k"&gt;DROP&lt;/span&gt; &lt;span class="k"&gt;DATABASE&lt;/span&gt; &lt;span class="n"&gt;mail&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="k"&gt;CREATE&lt;/span&gt; &lt;span class="k"&gt;DATABASE&lt;/span&gt; &lt;span class="n"&gt;mail&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;We now have to dump the contents of the mailnew database into the newly created mail database :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;mysqldump mailnew &lt;span class="p"&gt;|&lt;/span&gt; mysql mail
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Next, let's restart Postfix and Dovecot so that they start using the new database schema :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;systemctl restart postfix
systemctl restart dovecot
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;At this point, Postfix and Dovecot are using the Postfix Admin schema in the mail database.&lt;/p&gt;
&lt;p&gt;The last thing we have to do is to edit Postfix Admin's config.inc.php file to use the mail database as well instead of the mailnew database that it should be currently using.&lt;/p&gt;
&lt;h1&gt;Cleanup&lt;/h1&gt;
&lt;p&gt;Once you've confirmed that everything is working properly, you can delete the backup files we've created :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;rm -rf /etc/postfix/mysql-backup
rm /etc/dovecot/sql.conf.bak 
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;You can drop the mailnew database as well :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;span class="k"&gt;DROP&lt;/span&gt; &lt;span class="k"&gt;DATABASE&lt;/span&gt; &lt;span class="n"&gt;mailnew&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/pre&gt;&lt;/div&gt;


&lt;h1&gt;Conclusion&lt;/h1&gt;
&lt;p&gt;That's all ! As always, please do leave a comment if this article has been of any use to you !&lt;/p&gt;</content></entry><entry><title>My tmux configuration</title><link href="https://captainark.net/my-tmux-configuration.html" rel="alternate"></link><published>2016-02-02T00:00:00+01:00</published><updated>2016-02-02T00:00:00+01:00</updated><author><name>Antoine Joubert</name></author><id>tag:captainark.net,2016-02-02:/my-tmux-configuration.html</id><summary type="html">&lt;p&gt;&lt;a href="https://tmux.github.io/"&gt;tmux&lt;/a&gt; is a terminal mutiplexer. It lets you have multiples shells running in a single terminal emulator window and it keeps those shells running in the background should you need to close your terminal emulator.&lt;/p&gt;
&lt;p&gt;I've played around with the configuration quite a bit to find settings that suit my …&lt;/p&gt;</summary><content type="html">&lt;p&gt;&lt;a href="https://tmux.github.io/"&gt;tmux&lt;/a&gt; is a terminal mutiplexer. It lets you have multiples shells running in a single terminal emulator window and it keeps those shells running in the background should you need to close your terminal emulator.&lt;/p&gt;
&lt;p&gt;I've played around with the configuration quite a bit to find settings that suit my needs. Here's what it ended up looking like :&lt;/p&gt;
&lt;p&gt;&lt;a href="images/tmux_fullsize.png"&gt;&lt;img alt="tmux" src="images/tmux.png"&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;This screenshot was done on Mac OS X, using the Terminal app and this &lt;a href="https://github.com/tomislav/osx-terminal.app-colors-solarized"&gt;Solarized theme&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;I figured I'd share my tmux configuration here !&lt;/p&gt;
&lt;h2&gt;Installing tmux&lt;/h2&gt;
&lt;p&gt;tmux is available on Debian. I suggest using the &lt;a href="https://packages.debian.org/jessie-backports/tmux"&gt;jessie backports&lt;/a&gt; version :&lt;/p&gt;
&lt;p&gt;&lt;code&gt;apt -t jessie-backports install tmux&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;tmux is also available on Mac OS X using &lt;a href="http://brew.sh/"&gt;brew&lt;/a&gt; :&lt;/p&gt;
&lt;p&gt;&lt;code&gt;brew install tmux&lt;/code&gt;&lt;/p&gt;
&lt;h2&gt;tmux.conf&lt;/h2&gt;
&lt;p&gt;I used screen before tmux, so I configured the prefix key on C-a instead of C-b. tmux has the advantage of being &lt;em&gt;much&lt;/em&gt; simpler to configure than screen.&lt;/p&gt;
&lt;p&gt;If you want to use this configuration, simply copy the following in ~/.tmux.conf. This file is read by default when tmux starts.&lt;/p&gt;
&lt;p&gt;If you simply want to try it out, copy it in a file somewhere else and have tmux load with the -f parameter (&lt;code&gt;tmux -f ~/tmux-test.conf&lt;/code&gt;).&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;# use utf8
set -g utf8
set-option -g status-utf8 on
set-window-option -g utf8 on

# do not wait on esc key
set-option -g escape-time 0

# completely disable automatic rename
set-window-option -g automatic-rename off

# basic settings
set -g default-terminal &amp;quot;screen-256color&amp;quot;
set -g aggressive-resize off
set-window-option -g xterm-keys on
#set-window-option -g mode-mouse off

# command history
set -g history-limit 10000

# messages
set -g message-bg default
set -g message-fg red

# no visual activity
set -g visual-activity off
set -g visual-bell off

# status bar
set-option -g status-justify centre
set-option -g status-bg default
set-option -g status-fg blue
set-option -g status-interval 5
set-option -g status-left-length 30
set-option -g status-left &amp;#39;#[fg=red][ #[fg=white]#H #[fg=red]]#[default]&amp;#39;
set-option -g status-right &amp;#39;#[fg=red][ #[fg=white]%R %d/%m #[fg=red]]#[default]&amp;#39;

# modes
set-option -g mode-bg default
set-option -g mode-fg blue

# inactive window format
set-window-option -g window-status-format &amp;#39;#I:#W#F&amp;#39;
set-window-option -g monitor-activity on
#set-window-option -g monitor-content on # not available in tmux 2.0

# activity in a window
set-window-option -g window-status-activity-attr dim
set-window-option -g window-status-activity-bg default
set-window-option -g window-status-activity-fg yellow

# content in a window # not available in tmux 2.0
#set-window-option -g window-status-content-attr dim
#set-window-option -g window-status-content-bg default
#set-window-option -g window-status-content-fg red

# active window format
set-window-option -g window-status-current-fg white
set-window-option -g window-status-current-bg default
set-window-option -g window-status-current-format &amp;#39;#[fg=red](#[default]#I:#W#F#[fg=red])#[default]&amp;#39;

# reload tmux configuration
unbind r
bind r source-file ~/.tmux.conf \; display &amp;quot;Configuration reloaded!&amp;quot;

# Screen-like keybinds
unbind C-b
set -g prefix ^A
set -g prefix2 ^Q
bind a send-prefix
bind q send-prefix

unbind c
bind c new-window
unbind ^C
bind ^C new-window

unbind n
bind n next-window
unbind ^N
bind ^N next-window

unbind A
bind A command-prompt &amp;quot;rename-window %%&amp;quot;

unbind p
bind p previous-window
unbind ^P
bind ^P previous-window

unbind a
bind a last-window
unbind ^A
bind ^A last-window

unbind [
bind Escape copy-mode

unbind w
bind w list-windows

unbind k
bind k confirm-before &amp;quot;kill-window&amp;quot;

unbind l
bind l refresh-client

unbind &amp;#39;&amp;quot;&amp;#39;
bind &amp;#39;&amp;quot;&amp;#39; choose-window
&lt;/pre&gt;&lt;/div&gt;


&lt;h2&gt;Aliases&lt;/h2&gt;
&lt;p&gt;I also use two functions with tmux (in ~/.bash_aliases).&lt;/p&gt;
&lt;p&gt;The first one creates a new "mytmux" tmux session if one doesn't exist yet, opens 10 shells and selects the first one.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;mytmux&lt;span class="o"&gt;()&lt;/span&gt; &lt;span class="o"&gt;{&lt;/span&gt;
  tmux has-session -t mytmux
  &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="o"&gt;[&lt;/span&gt; &lt;span class="nv"&gt;$?&lt;/span&gt; !&lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="m"&gt;0&lt;/span&gt; &lt;span class="o"&gt;]&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt; &lt;span class="k"&gt;then&lt;/span&gt;
    tmux new-session -s mytmux -n &lt;span class="k"&gt;$(&lt;/span&gt;hostname&lt;span class="k"&gt;)&lt;/span&gt; -d
    tmux new-window -t mytmux:1 -n &lt;span class="k"&gt;$(&lt;/span&gt;hostname&lt;span class="k"&gt;)&lt;/span&gt;
    tmux new-window -t mytmux:2 -n &lt;span class="k"&gt;$(&lt;/span&gt;hostname&lt;span class="k"&gt;)&lt;/span&gt;
    tmux new-window -t mytmux:3 -n &lt;span class="k"&gt;$(&lt;/span&gt;hostname&lt;span class="k"&gt;)&lt;/span&gt;
    tmux new-window -t mytmux:4 -n &lt;span class="k"&gt;$(&lt;/span&gt;hostname&lt;span class="k"&gt;)&lt;/span&gt;
    tmux new-window -t mytmux:5 -n &lt;span class="k"&gt;$(&lt;/span&gt;hostname&lt;span class="k"&gt;)&lt;/span&gt;
    tmux new-window -t mytmux:6 -n &lt;span class="k"&gt;$(&lt;/span&gt;hostname&lt;span class="k"&gt;)&lt;/span&gt;
    tmux new-window -t mytmux:7 -n &lt;span class="k"&gt;$(&lt;/span&gt;hostname&lt;span class="k"&gt;)&lt;/span&gt;
    tmux new-window -t mytmux:8 -n &lt;span class="k"&gt;$(&lt;/span&gt;hostname&lt;span class="k"&gt;)&lt;/span&gt;
    tmux new-window -t mytmux:9 -n &lt;span class="k"&gt;$(&lt;/span&gt;hostname&lt;span class="k"&gt;)&lt;/span&gt;
    tmux &lt;span class="k"&gt;select&lt;/span&gt;-window -t mytmux:0
  &lt;span class="k"&gt;fi&lt;/span&gt;
  tmux attach -t mytmux
&lt;span class="o"&gt;}&lt;/span&gt;
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;The second one changes the tmux window name whenever I ssh to a remote host, and switches the window name back to the name of my computer when I logout from the host.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="o"&gt;[&lt;/span&gt; -n &lt;span class="s2"&gt;&amp;quot;&lt;/span&gt;&lt;span class="nv"&gt;$TMUX&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;&lt;/span&gt; &lt;span class="o"&gt;]&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt; &lt;span class="k"&gt;then&lt;/span&gt;
  ssh&lt;span class="o"&gt;()&lt;/span&gt; &lt;span class="o"&gt;{&lt;/span&gt;
    &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="o"&gt;[&lt;/span&gt; &lt;span class="nv"&gt;$#&lt;/span&gt; -le &lt;span class="m"&gt;2&lt;/span&gt; &lt;span class="o"&gt;]&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt; &lt;span class="k"&gt;then&lt;/span&gt;
      tmux rename-window &lt;span class="s2"&gt;&amp;quot;&lt;/span&gt;&lt;span class="si"&gt;${&lt;/span&gt;&lt;span class="p"&gt;@: -1&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;&lt;/span&gt;
      &lt;span class="nb"&gt;command&lt;/span&gt; ssh &lt;span class="s2"&gt;&amp;quot;&lt;/span&gt;&lt;span class="nv"&gt;$@&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;&lt;/span&gt;
      tmux rename-window &lt;span class="s2"&gt;&amp;quot;&lt;/span&gt;&lt;span class="k"&gt;$(&lt;/span&gt;hostname&lt;span class="k"&gt;)&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;&lt;/span&gt;
    &lt;span class="k"&gt;else&lt;/span&gt;
      &lt;span class="nb"&gt;command&lt;/span&gt; ssh &lt;span class="s2"&gt;&amp;quot;&lt;/span&gt;&lt;span class="nv"&gt;$@&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;&lt;/span&gt;
    &lt;span class="k"&gt;fi&lt;/span&gt;
  &lt;span class="o"&gt;}&lt;/span&gt;
&lt;span class="k"&gt;fi&lt;/span&gt;
&lt;/pre&gt;&lt;/div&gt;


&lt;h2&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;That's all ! As always, please do leave a comment if you've found something useful in this article !&lt;/p&gt;</content></entry><entry><title>Debian updates with Ansible</title><link href="https://captainark.net/debian-updates-with-ansible.html" rel="alternate"></link><published>2016-01-31T00:00:00+01:00</published><updated>2016-01-31T00:00:00+01:00</updated><author><name>Antoine Joubert</name></author><id>tag:captainark.net,2016-01-31:/debian-updates-with-ansible.html</id><summary type="html">&lt;p&gt;I've recently bought a &lt;a href="http://www8.hp.com/us/en/products/proliant-servers/product-detail.html?oid=5379860"&gt;HP Proliant Microserver Gen8&lt;/a&gt; to play around with LXC and try new stuff.&lt;/p&gt;
&lt;p&gt;From the 4 Debian machines I had to keep up-to-date, I now have 7, so it became quite time-consumming to manually SSH to each of them whenever an update became available.&lt;/p&gt;
&lt;p&gt;I ended …&lt;/p&gt;</summary><content type="html">&lt;p&gt;I've recently bought a &lt;a href="http://www8.hp.com/us/en/products/proliant-servers/product-detail.html?oid=5379860"&gt;HP Proliant Microserver Gen8&lt;/a&gt; to play around with LXC and try new stuff.&lt;/p&gt;
&lt;p&gt;From the 4 Debian machines I had to keep up-to-date, I now have 7, so it became quite time-consumming to manually SSH to each of them whenever an update became available.&lt;/p&gt;
&lt;p&gt;I ended up looking at &lt;a href="http://www.ansible.com/"&gt;Ansible&lt;/a&gt; to speed up the process and, within an hour, I had a working playbook that updates the debian packages, pip packages and git repos installed on all of my servers with a single command.&lt;/p&gt;
&lt;p&gt;I figured I'd share the playbook I use to update the Debian packages !&lt;/p&gt;
&lt;h2&gt;The playbook&lt;/h2&gt;
&lt;p&gt;I modified &lt;a href="https://gist.github.com/maethor/380676f6b1cec8cc7439"&gt;this gist&lt;/a&gt; to only use apt-get instead of both apt-get and aptitude.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;span class="p p-Indicator"&gt;-&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;hosts&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;all&lt;/span&gt;
  &lt;span class="l l-Scalar l-Scalar-Plain"&gt;tasks&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt;

    &lt;span class="p p-Indicator"&gt;-&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;name&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;update cache&lt;/span&gt;
      &lt;span class="l l-Scalar l-Scalar-Plain"&gt;apt&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;update_cache=yes&lt;/span&gt;

    &lt;span class="p p-Indicator"&gt;-&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;name&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;list packages to upgrade (1/2)&lt;/span&gt;
      &lt;span class="l l-Scalar l-Scalar-Plain"&gt;shell&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;apt-get upgrade -s -V | awk &amp;#39;/=&amp;gt;/{print $1}&amp;#39;&lt;/span&gt;
      &lt;span class="l l-Scalar l-Scalar-Plain"&gt;register&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;updates&lt;/span&gt;
      &lt;span class="l l-Scalar l-Scalar-Plain"&gt;changed_when&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;False&lt;/span&gt;

    &lt;span class="p p-Indicator"&gt;-&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;name&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;list packages to upgrade (2/2)&lt;/span&gt;
      &lt;span class="l l-Scalar l-Scalar-Plain"&gt;debug&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;msg=&amp;quot;{{ updates.stdout_lines | count }} packages to upgrade ({{ updates.stdout_lines | join(&amp;#39;, &amp;#39;) }})&amp;quot;&lt;/span&gt;
      &lt;span class="l l-Scalar l-Scalar-Plain"&gt;when&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;(updates.stdout_lines)&lt;/span&gt;

    &lt;span class="p p-Indicator"&gt;-&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;name&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;upgrade packages&lt;/span&gt;
      &lt;span class="l l-Scalar l-Scalar-Plain"&gt;apt&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;upgrade=dist&lt;/span&gt;
      &lt;span class="l l-Scalar l-Scalar-Plain"&gt;when&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;(updates.stdout_lines)&lt;/span&gt;

    &lt;span class="p p-Indicator"&gt;-&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;name&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;check what the new version is&lt;/span&gt;
      &lt;span class="l l-Scalar l-Scalar-Plain"&gt;shell&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;lsb_release -r | awk &amp;#39;{print $2}&amp;#39;&lt;/span&gt;
      &lt;span class="l l-Scalar l-Scalar-Plain"&gt;changed_when&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;False&lt;/span&gt;
      &lt;span class="l l-Scalar l-Scalar-Plain"&gt;register&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;new_release&lt;/span&gt;

    &lt;span class="p p-Indicator"&gt;-&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;name&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;notify distribution version upgrade&lt;/span&gt;
      &lt;span class="l l-Scalar l-Scalar-Plain"&gt;debug&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;msg=&amp;quot;Debian has been upgraded from {{ ansible_lsb.release }} to {{ new_release.stdout }}&amp;quot;&lt;/span&gt;
      &lt;span class="l l-Scalar l-Scalar-Plain"&gt;when&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;ansible_lsb.release != new_release.stdout&lt;/span&gt;

    &lt;span class="p p-Indicator"&gt;-&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;name&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;/wheezy/ install the debian-goodies package if it is missing&lt;/span&gt;
      &lt;span class="l l-Scalar l-Scalar-Plain"&gt;apt&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;name=debian-goodies state=present&lt;/span&gt;
      &lt;span class="l l-Scalar l-Scalar-Plain"&gt;when&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;ansible_distribution_release == &amp;#39;wheezy&amp;#39;&lt;/span&gt;

    &lt;span class="p p-Indicator"&gt;-&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;name&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;/jessie/ install the needrestart package if it is missing&lt;/span&gt;
      &lt;span class="l l-Scalar l-Scalar-Plain"&gt;apt&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;name=needrestart state=present default_release=jessie-backports&lt;/span&gt;
      &lt;span class="l l-Scalar l-Scalar-Plain"&gt;when&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;ansible_distribution_release == &amp;#39;jessie&amp;#39;&lt;/span&gt;

    &lt;span class="p p-Indicator"&gt;-&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;name&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;/wheezy/ list services to restart (1/3)&lt;/span&gt;
      &lt;span class="l l-Scalar l-Scalar-Plain"&gt;shell&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;checkrestart | awk &amp;#39;/^service/{print $2}&amp;#39;&lt;/span&gt;
      &lt;span class="l l-Scalar l-Scalar-Plain"&gt;register&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;wheezy_services&lt;/span&gt;
      &lt;span class="l l-Scalar l-Scalar-Plain"&gt;changed_when&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;False&lt;/span&gt;
      &lt;span class="l l-Scalar l-Scalar-Plain"&gt;when&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;ansible_distribution_release == &amp;#39;wheezy&amp;#39;&lt;/span&gt;

    &lt;span class="p p-Indicator"&gt;-&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;name&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;/jessie/ list services to restart (1/3)&lt;/span&gt;
      &lt;span class="l l-Scalar l-Scalar-Plain"&gt;shell&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;needrestart -blrl | awk &amp;#39;/^NEEDRESTART-SVC/{print $2}&amp;#39;&lt;/span&gt;
      &lt;span class="l l-Scalar l-Scalar-Plain"&gt;register&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;jessie_services&lt;/span&gt;
      &lt;span class="l l-Scalar l-Scalar-Plain"&gt;changed_when&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;False&lt;/span&gt;
      &lt;span class="l l-Scalar l-Scalar-Plain"&gt;when&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;ansible_distribution_release != &amp;#39;wheezy&amp;#39;&lt;/span&gt;

    &lt;span class="p p-Indicator"&gt;-&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;name&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;merge services list (2/3)&lt;/span&gt;
      &lt;span class="l l-Scalar l-Scalar-Plain"&gt;set_fact&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt;
        &lt;span class="l l-Scalar l-Scalar-Plain"&gt;services&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt; &lt;span class="s"&gt;&amp;quot;{{&lt;/span&gt;&lt;span class="nv"&gt; &lt;/span&gt;&lt;span class="s"&gt;wheezy_services&lt;/span&gt;&lt;span class="nv"&gt; &lt;/span&gt;&lt;span class="s"&gt;if&lt;/span&gt;&lt;span class="nv"&gt; &lt;/span&gt;&lt;span class="s"&gt;ansible_distribution_release&lt;/span&gt;&lt;span class="nv"&gt; &lt;/span&gt;&lt;span class="s"&gt;==&lt;/span&gt;&lt;span class="nv"&gt; &lt;/span&gt;&lt;span class="s"&gt;&amp;#39;wheezy&amp;#39;&lt;/span&gt;&lt;span class="nv"&gt; &lt;/span&gt;&lt;span class="s"&gt;else&lt;/span&gt;&lt;span class="nv"&gt; &lt;/span&gt;&lt;span class="s"&gt;jessie_services&lt;/span&gt;&lt;span class="nv"&gt; &lt;/span&gt;&lt;span class="s"&gt;}}&amp;quot;&lt;/span&gt;

    &lt;span class="p p-Indicator"&gt;-&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;name&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;list services to restart (3/3)&lt;/span&gt;
      &lt;span class="l l-Scalar l-Scalar-Plain"&gt;debug&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;msg=&amp;quot;{{ services.stdout_lines | count }} services to restart ({{ services.stdout_lines | join (&amp;#39;, &amp;#39;) }})&amp;quot;&lt;/span&gt;
      &lt;span class="l l-Scalar l-Scalar-Plain"&gt;when&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;(services.stdout_lines)&lt;/span&gt;

    &lt;span class="p p-Indicator"&gt;-&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;name&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;cache cleanup&lt;/span&gt;
      &lt;span class="l l-Scalar l-Scalar-Plain"&gt;shell&lt;/span&gt;&lt;span class="p p-Indicator"&gt;:&lt;/span&gt; &lt;span class="l l-Scalar l-Scalar-Plain"&gt;apt-get autoclean&lt;/span&gt;
&lt;/pre&gt;&lt;/div&gt;


&lt;h2&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;That's all ! Please leave a comment if you've found this playbook helpful !&lt;/p&gt;</content></entry><entry><title>Private Git Repo</title><link href="https://captainark.net/private-git-repo.html" rel="alternate"></link><published>2016-01-31T00:00:00+01:00</published><updated>2016-01-31T00:00:00+01:00</updated><author><name>Antoine Joubert</name></author><id>tag:captainark.net,2016-01-31:/private-git-repo.html</id><summary type="html">&lt;p&gt;I've decided to migrate this blog to &lt;a href="http://blog.getpelican.com/"&gt;Pelican&lt;/a&gt;. I've been playing around with it over the week-end, and it turns out to be way easier to manage than &lt;a href="https://jekyllrb.com/"&gt;Jekyll&lt;/a&gt;. Themes are much easier to install and configure, so it ends up looking better as well !&lt;/p&gt;
&lt;p&gt;Since I'm basically recreating this …&lt;/p&gt;</summary><content type="html">&lt;p&gt;I've decided to migrate this blog to &lt;a href="http://blog.getpelican.com/"&gt;Pelican&lt;/a&gt;. I've been playing around with it over the week-end, and it turns out to be way easier to manage than &lt;a href="https://jekyllrb.com/"&gt;Jekyll&lt;/a&gt;. Themes are much easier to install and configure, so it ends up looking better as well !&lt;/p&gt;
&lt;p&gt;Since I'm basically recreating this blog from scratch, I've decided to delete the old git repo that was hosting it and to create a new one.&lt;/p&gt;
&lt;p&gt;Setting up your own private git repo is pretty easy to achieve and is already well-documented on the &lt;a href="https://git-scm.com/book/en/v2/Git-on-the-Server-Setting-Up-the-Server"&gt;Git&lt;/a&gt; website.&lt;/p&gt;
&lt;p&gt;Every time I want to create a new repo, I've had time to forget how to do it and I end up looking for that page, so I figured I'd write a few lines on the subject.&lt;/p&gt;
&lt;p&gt;In this tutorial, I'll configure a git repo on a distant server running Debian 8 (Jessie). This repo will be remotely accessible using SSH. Two users will be able to connect to it : me and the www-data user on my webserver.&lt;/p&gt;
&lt;h2&gt;SSH Keys&lt;/h2&gt;
&lt;p&gt;If you don't have one already, you'll need a ssh-key to connect to the git repo.&lt;/p&gt;
&lt;p&gt;On your computer, in a shell, as your usual user :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;ssh-keygen -t rsa -b &lt;span class="m"&gt;3072&lt;/span&gt;
Generating public/private rsa key pair.
Enter file in which to save the key &lt;span class="o"&gt;(&lt;/span&gt;/home/user/.ssh/id_rsa&lt;span class="o"&gt;)&lt;/span&gt;: 
Enter passphrase &lt;span class="o"&gt;(&lt;/span&gt;empty &lt;span class="k"&gt;for&lt;/span&gt; no passphrase&lt;span class="o"&gt;)&lt;/span&gt;: 
Enter same passphrase again: 
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/id_rsa.pub.
The key fingerprint is:
&lt;span class="o"&gt;[&lt;/span&gt;Redacted&lt;span class="o"&gt;]&lt;/span&gt;
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;For security reasons, configuring a passphrase is recommended. On Mac OS X and most desktop environnements on Linux, you can store this passphrase for the duration of your session using the &lt;code&gt;ssh-add&lt;/code&gt; command, so you won't have to type it every time you want to connect to a host.&lt;/p&gt;
&lt;p&gt;On the server, we also have to create a ssh-key for the user that is running our webserver (you'll need to have sudo installed) :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;sudo -H -u www-data ssh-keygen -t rsa -b &lt;span class="m"&gt;3072&lt;/span&gt;
Generating public/private rsa key pair.
Enter file in which to save the key &lt;span class="o"&gt;(&lt;/span&gt;/var/www/.ssh/id_rsa&lt;span class="o"&gt;)&lt;/span&gt;: 
Enter passphrase &lt;span class="o"&gt;(&lt;/span&gt;empty &lt;span class="k"&gt;for&lt;/span&gt; no passphrase&lt;span class="o"&gt;)&lt;/span&gt;: 
Enter same passphrase again: 
Your identification has been saved in /var/www/.ssh/id_rsa.
Your public key has been saved in /var/www/.ssh/id_rsa.pub.
The key fingerprint is:
&lt;span class="o"&gt;[&lt;/span&gt;Redacted&lt;span class="o"&gt;]&lt;/span&gt;
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;If you decide to configure a passphrase for that ssh-key, you'll have to type it every time you'll want to pull from your repo.&lt;/p&gt;
&lt;h2&gt;Server management&lt;/h2&gt;
&lt;p&gt;All of the commands in this section have to be run as root.&lt;/p&gt;
&lt;p&gt;First thing first, we have to install the git package on the server that will be hosting our git repos :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;apt update &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; apt install git -y
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Then, we have to create a user named git :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;useradd -s /usr/bin/git-shell -m -r git
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;This will create a system user (UID &amp;lt; 1000) with a /home/git home directory. If you want to host your git repos somewhere else on your filesystem, you should add a &lt;code&gt;-d /home/directory/for/git&lt;/code&gt; in the previous command.&lt;/p&gt;
&lt;p&gt;This user will use the git-shell shell. This limits remote connection to that user to git commands (like the rssh shell can limit remote connection to a user to scp or rsync commands).&lt;/p&gt;
&lt;p&gt;We have to configure our system to allow the use of this shell :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;span class="nb"&gt;echo&lt;/span&gt; &lt;span class="s1"&gt;&amp;#39;/usr/bin/git-shell&amp;#39;&lt;/span&gt; &amp;gt;&amp;gt; /etc/shells
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;From this point, you should have to following output if you try to SSH to your server with that user :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;ssh git@git.captainark.net
fatal: Interactive git shell is not enabled.
hint: ~/git-shell-commands should exist and have &lt;span class="nb"&gt;read&lt;/span&gt; and execute access.
Connection to git@git.captainark.net closed.
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;We now need to create the .ssh/authorized_keys file for the git user with the correct permissions :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;sudo -H -u git mkdir /home/git/.ssh &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; chmod &lt;span class="m"&gt;700&lt;/span&gt; /home/git/.ssh
sudo -H -u git touch /home/git/.ssh/authorized_keys &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; chmod &lt;span class="m"&gt;600&lt;/span&gt; /home/git/.ssh/authorized_keys
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;You can now copy/paste the content of the two &lt;code&gt;$HOME/.ssh/id_rsa.pub&lt;/code&gt; files we've created earlier using the &lt;code&gt;ssh-keygen&lt;/code&gt; command in &lt;code&gt;/home/git/.ssh/authorized_keys&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;The last thing we have to do is to create our first git repo. In this example, my project will be called 'captainarkdotnet' as it will be hosting this blog :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;sudo -H -u git mkdir /home/git/captainarkdotnet.git
&lt;span class="nb"&gt;cd&lt;/span&gt; /home/git/captainarkdotnet.git
sudo -H -u git git init --bare
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;The last command should give you the following output :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;Initialized empty Git repository in /home/git/captainarkdotnet.git/.git/
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;We're done with the server configuration. Let's now actually push stuff to our repo !&lt;/p&gt;
&lt;h3&gt;Initial push&lt;/h3&gt;
&lt;p&gt;The files for my blog are store in the ~/Documents/projects/captainarkdotnet on my computer. Before doing anything else, we first have to make sure that we currently are in that folder :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;span class="nb"&gt;cd&lt;/span&gt; ~/Documents/projects/captainarkdotnet
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Let's now push the content of that folder to our repo :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;git init
git add .
git commit -m &lt;span class="s1"&gt;&amp;#39;initial commit&amp;#39;&lt;/span&gt;
git remote add origin git@git.captainark.net:captainarkdotnet.git
git push origin master
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Please note that you'll need to edit &lt;strong&gt;git.captainark.net&lt;/strong&gt; to the FQDN or IP of your git server, and &lt;strong&gt;captainarkdotnet.git&lt;/strong&gt; to the name of the git project on your server.&lt;/p&gt;
&lt;p&gt;If everything went well, the last command should give you the following output :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;Counting objects: &lt;span class="m"&gt;69&lt;/span&gt;, &lt;span class="k"&gt;done&lt;/span&gt;.
Delta compression using up to &lt;span class="m"&gt;4&lt;/span&gt; threads.
Compressing objects: &lt;span class="m"&gt;100&lt;/span&gt;% &lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="m"&gt;64&lt;/span&gt;/64&lt;span class="o"&gt;)&lt;/span&gt;, &lt;span class="k"&gt;done&lt;/span&gt;.
Writing objects: &lt;span class="m"&gt;100&lt;/span&gt;% &lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="m"&gt;69&lt;/span&gt;/69&lt;span class="o"&gt;)&lt;/span&gt;, &lt;span class="m"&gt;1&lt;/span&gt;.01 MiB &lt;span class="p"&gt;|&lt;/span&gt; &lt;span class="m"&gt;0&lt;/span&gt; bytes/s, &lt;span class="k"&gt;done&lt;/span&gt;.
Total &lt;span class="m"&gt;69&lt;/span&gt; &lt;span class="o"&gt;(&lt;/span&gt;delta &lt;span class="m"&gt;15&lt;/span&gt;&lt;span class="o"&gt;)&lt;/span&gt;, reused &lt;span class="m"&gt;0&lt;/span&gt; &lt;span class="o"&gt;(&lt;/span&gt;delta &lt;span class="m"&gt;0&lt;/span&gt;&lt;span class="o"&gt;)&lt;/span&gt;
To git@git.captainark.net:captainarkdotnet.git
 * &lt;span class="o"&gt;[&lt;/span&gt;new branch&lt;span class="o"&gt;]&lt;/span&gt;      master -&amp;gt; master
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;That's it, we've now pushed our first commit to our server !&lt;/p&gt;
&lt;h2&gt;First pull&lt;/h2&gt;
&lt;p&gt;Alright, time to pull the files we've just pushed on our webserver. I personally store my web content in &lt;code&gt;/var/www&lt;/code&gt; ; if you don't, you'll have to adjust the path accordingly :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;span class="nb"&gt;cd&lt;/span&gt; /var/www
sudo -H -u www-data git clone git@git.captainark.net:captainarkdotnet.git
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;SSH will ask you to type 'yes' since it's the first time the www-data user connects to the server. If everything goes well, you should have the following output :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;Cloning into &lt;span class="s1"&gt;&amp;#39;captainarkdotnet&amp;#39;&lt;/span&gt;...
remote: Counting objects: &lt;span class="m"&gt;70&lt;/span&gt;, &lt;span class="k"&gt;done&lt;/span&gt;.
remote: Compressing objects: &lt;span class="m"&gt;100&lt;/span&gt;% &lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="m"&gt;65&lt;/span&gt;/65&lt;span class="o"&gt;)&lt;/span&gt;, &lt;span class="k"&gt;done&lt;/span&gt;.
remote: Total &lt;span class="m"&gt;70&lt;/span&gt; &lt;span class="o"&gt;(&lt;/span&gt;delta &lt;span class="m"&gt;16&lt;/span&gt;&lt;span class="o"&gt;)&lt;/span&gt;, reused &lt;span class="m"&gt;0&lt;/span&gt; &lt;span class="o"&gt;(&lt;/span&gt;delta &lt;span class="m"&gt;0&lt;/span&gt;&lt;span class="o"&gt;)&lt;/span&gt;
Receiving objects: &lt;span class="m"&gt;100&lt;/span&gt;% &lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="m"&gt;70&lt;/span&gt;/70&lt;span class="o"&gt;)&lt;/span&gt;, &lt;span class="m"&gt;1&lt;/span&gt;.01 MiB &lt;span class="p"&gt;|&lt;/span&gt; &lt;span class="m"&gt;0&lt;/span&gt; bytes/s, &lt;span class="k"&gt;done&lt;/span&gt;.
Resolving deltas: &lt;span class="m"&gt;100&lt;/span&gt;% &lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="m"&gt;16&lt;/span&gt;/16&lt;span class="o"&gt;)&lt;/span&gt;, &lt;span class="k"&gt;done&lt;/span&gt;.
Checking connectivity... &lt;span class="k"&gt;done&lt;/span&gt;.
&lt;/pre&gt;&lt;/div&gt;


&lt;h2&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;That's it ! We now have a working private git repo ! I won't go into details into the git commands in this tutorial, but here's a quick overwiew of the ones I use the most :&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;git add .&lt;/code&gt; recursively adds all files from the directory to the repo ;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;git commit -a -m 'This is a comment'&lt;/code&gt; commits the current state of your local repo with the 'This is a comment' comment ;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;git push&lt;/code&gt; pushes your commits to the distant repo ;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;git pull&lt;/code&gt; pulls the latest version of the distant repo locally ;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;git branch -av&lt;/code&gt; shows all available branches for the repo ;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;git checkout -b testing remotes/origin/testing&lt;/code&gt; create a local 'testing' branch based on the remote 'remotes/origin/testing' branch ;&lt;/li&gt;
&lt;li&gt;once a branch has been copied locally, you can switch to it with the &lt;code&gt;git checkout {branch}&lt;/code&gt; command.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;For more information on git a command, use &lt;code&gt;man git-{command}&lt;/code&gt; !&lt;/p&gt;
&lt;p&gt;If you've found this tutorial in any way helpful, please feel free to leave a comment !&lt;/p&gt;</content></entry><entry><title>Flexget init script</title><link href="https://captainark.net/flexget-init-script.html" rel="alternate"></link><published>2015-05-05T00:00:00+02:00</published><updated>2015-05-05T00:00:00+02:00</updated><author><name>Antoine Joubert</name></author><id>tag:captainark.net,2015-05-05:/flexget-init-script.html</id><summary type="html">&lt;p&gt;I've been using &lt;a href="http://flexget.com/"&gt;Flexget&lt;/a&gt; for the past two years or so as a download automator.&lt;/p&gt;
&lt;p&gt;Since I wrote an &lt;a href="http://flexget.com/wiki/Daemon/Startup#InsservscriptDebiancompatible"&gt;init script&lt;/a&gt; for it a while back, and it is compatible with Debian Jessie / systemd, I figured I'd share it here.&lt;/p&gt;
&lt;h2&gt;The script&lt;/h2&gt;
&lt;p&gt;All of the following should be done as …&lt;/p&gt;</summary><content type="html">&lt;p&gt;I've been using &lt;a href="http://flexget.com/"&gt;Flexget&lt;/a&gt; for the past two years or so as a download automator.&lt;/p&gt;
&lt;p&gt;Since I wrote an &lt;a href="http://flexget.com/wiki/Daemon/Startup#InsservscriptDebiancompatible"&gt;init script&lt;/a&gt; for it a while back, and it is compatible with Debian Jessie / systemd, I figured I'd share it here.&lt;/p&gt;
&lt;h2&gt;The script&lt;/h2&gt;
&lt;p&gt;All of the following should be done as the root user.&lt;/p&gt;
&lt;p&gt;First, create a /etc/default/flexget file with the following content :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;span class="c1"&gt;# Configuration file for /etc/init.d/flexget&lt;/span&gt;

&lt;span class="c1"&gt;# User to run flexget as.&lt;/span&gt;
&lt;span class="c1"&gt;# Daemon will not start if left empty.&lt;/span&gt;
&lt;span class="nv"&gt;FGUSER&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;&amp;quot;&lt;/span&gt;

&lt;span class="c1"&gt;# Full path to the flexget config.yml file to use.&lt;/span&gt;
&lt;span class="c1"&gt;# Defaults to FGUSER $HOME/.flexget/config.yml&lt;/span&gt;
&lt;span class="nv"&gt;CONFIG&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;&amp;quot;&lt;/span&gt;

&lt;span class="c1"&gt;# Path to the directory where flexget should log. Do not add trailing slash.&lt;/span&gt;
&lt;span class="c1"&gt;# Defaults to the FGUSER $HOME/.flexget directory&lt;/span&gt;
&lt;span class="nv"&gt;LOG&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;&amp;quot;&lt;/span&gt;

&lt;span class="c1"&gt;# Log verbosity &lt;/span&gt;
&lt;span class="c1"&gt;# Available options : none critical error warning info verbose debug trace&lt;/span&gt;
&lt;span class="c1"&gt;# Defaults to info&lt;/span&gt;
&lt;span class="nv"&gt;LEVEL&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;&amp;quot;&lt;/span&gt;
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Please note that the FGUSER variable needs to be defined for the daemon to start. It can be set to your current user, or you can run flexget as its own user.&lt;/p&gt;
&lt;p&gt;You can create a flexget user with the following command :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;useradd -m -d /var/lib/flexget -r -s /bin/false flexget
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Then, create the /etc/init.d/flexget file :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;span class="ch"&gt;#!/bin/bash&lt;/span&gt;

&lt;span class="c1"&gt;### BEGIN INIT INFO&lt;/span&gt;
&lt;span class="c1"&gt;# Provides:          flexget&lt;/span&gt;
&lt;span class="c1"&gt;# Required-Start:    $network $remote_fs&lt;/span&gt;
&lt;span class="c1"&gt;# Required-Stop:     $network $remote_fs&lt;/span&gt;
&lt;span class="c1"&gt;# Should-Start:      &lt;/span&gt;
&lt;span class="c1"&gt;# Should-Stop:       &lt;/span&gt;
&lt;span class="c1"&gt;# Default-Start:     2 3 4 5&lt;/span&gt;
&lt;span class="c1"&gt;# Default-Stop:      0 1 6&lt;/span&gt;
&lt;span class="c1"&gt;# Short-Description: Flexget&lt;/span&gt;
&lt;span class="c1"&gt;# Description:       FlexGet is a multipurpose automation tool &lt;/span&gt;
&lt;span class="c1"&gt;#                    for content like torrents, nzbs, podcasts,&lt;/span&gt;
&lt;span class="c1"&gt;#                    comics, series, movies, etc.&lt;/span&gt;
&lt;span class="c1"&gt;### END INIT INFO&lt;/span&gt;

&lt;span class="c1"&gt;# Author: Antoine Joubert, 19/01/2014&lt;/span&gt;

&lt;span class="nv"&gt;NAME&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;flexget&amp;quot;&lt;/span&gt;
&lt;span class="nv"&gt;DAEMON&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;/usr/local/bin/flexget&amp;quot;&lt;/span&gt;
&lt;span class="nv"&gt;SETTINGS&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;/etc/default/&lt;/span&gt;&lt;span class="nv"&gt;$NAME&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;&lt;/span&gt;

&lt;span class="nv"&gt;DESC&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;Flexget&amp;quot;&lt;/span&gt;
&lt;span class="nv"&gt;PIDFILE&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;/var/run/&lt;/span&gt;&lt;span class="nv"&gt;$NAME&lt;/span&gt;&lt;span class="s2"&gt;.pid&amp;quot;&lt;/span&gt;

&lt;span class="nb"&gt;set&lt;/span&gt; -e

. /lib/lsb/init-functions

&lt;span class="nb"&gt;unset&lt;/span&gt; FGUSER CONFIG LOG LEVEL

&lt;span class="c1"&gt;# Exit if flexget not installed&lt;/span&gt;
&lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="o"&gt;[&lt;/span&gt; ! -x &lt;span class="s2"&gt;&amp;quot;&lt;/span&gt;&lt;span class="nv"&gt;$DAEMON&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;&lt;/span&gt; &lt;span class="o"&gt;]&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt; &lt;span class="k"&gt;then&lt;/span&gt;
  log_action_msg &lt;span class="s2"&gt;&amp;quot;&lt;/span&gt;&lt;span class="nv"&gt;$DESC&lt;/span&gt;&lt;span class="s2"&gt;: Could not find flexget executable. Exiting.&amp;quot;&lt;/span&gt;
  &lt;span class="nb"&gt;exit&lt;/span&gt; &lt;span class="m"&gt;2&lt;/span&gt;
&lt;span class="k"&gt;fi&lt;/span&gt;

&lt;span class="c1"&gt;# Read configuration variables&lt;/span&gt;
&lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="o"&gt;[&lt;/span&gt; -r /etc/default/&lt;span class="nv"&gt;$NAME&lt;/span&gt; &lt;span class="o"&gt;]&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt; &lt;span class="k"&gt;then&lt;/span&gt;
  . /etc/default/&lt;span class="nv"&gt;$NAME&lt;/span&gt;
&lt;span class="k"&gt;else&lt;/span&gt;
  log_action_msg &lt;span class="s2"&gt;&amp;quot;&lt;/span&gt;&lt;span class="nv"&gt;$DESC&lt;/span&gt;&lt;span class="s2"&gt;: /etc/default/&lt;/span&gt;&lt;span class="nv"&gt;$NAME&lt;/span&gt;&lt;span class="s2"&gt; not found. Exiting.&amp;quot;&lt;/span&gt;
  &lt;span class="nb"&gt;exit&lt;/span&gt; &lt;span class="m"&gt;2&lt;/span&gt;
&lt;span class="k"&gt;fi&lt;/span&gt;

&lt;span class="c1"&gt;# Exit if FGUSER has not been set in /etc/default/flexget&lt;/span&gt;
&lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="o"&gt;[&lt;/span&gt; -z &lt;span class="nv"&gt;$FGUSER&lt;/span&gt; &lt;span class="o"&gt;]&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt; &lt;span class="k"&gt;then&lt;/span&gt;
  log_action_msg &lt;span class="s2"&gt;&amp;quot;&lt;/span&gt;&lt;span class="nv"&gt;$DESC&lt;/span&gt;&lt;span class="s2"&gt;: FGUSER not set in /etc/default/&lt;/span&gt;&lt;span class="nv"&gt;$NAME&lt;/span&gt;&lt;span class="s2"&gt;. Exiting.&amp;quot;&lt;/span&gt;
  &lt;span class="nb"&gt;exit&lt;/span&gt; &lt;span class="m"&gt;2&lt;/span&gt;
&lt;span class="k"&gt;fi&lt;/span&gt;

&lt;span class="c1"&gt;# Function to verify if flexget is already running&lt;/span&gt;
run_check&lt;span class="o"&gt;()&lt;/span&gt; &lt;span class="o"&gt;{&lt;/span&gt;
  &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="o"&gt;[&lt;/span&gt; -e &lt;span class="nv"&gt;$PIDFILE&lt;/span&gt; &lt;span class="o"&gt;]&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt; &lt;span class="k"&gt;then&lt;/span&gt;
    status_of_proc -p &lt;span class="nv"&gt;$PIDFILE&lt;/span&gt; &lt;span class="nv"&gt;$DAEMON&lt;/span&gt; &lt;span class="nv"&gt;$NAME&lt;/span&gt; &amp;gt; /dev/null &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; &lt;span class="nv"&gt;RETVAL&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="m"&gt;0&lt;/span&gt; &lt;span class="o"&gt;||&lt;/span&gt; &lt;span class="nv"&gt;RETVAL&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;&lt;/span&gt;&lt;span class="nv"&gt;$?&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;&lt;/span&gt;
  &lt;span class="k"&gt;else&lt;/span&gt;
    &lt;span class="nv"&gt;RETVAL&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;2&amp;quot;&lt;/span&gt;
  &lt;span class="k"&gt;fi&lt;/span&gt;
&lt;span class="o"&gt;}&lt;/span&gt;

end_log&lt;span class="o"&gt;()&lt;/span&gt; &lt;span class="o"&gt;{&lt;/span&gt;
  &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="o"&gt;[&lt;/span&gt; &lt;span class="nv"&gt;$RETVAL&lt;/span&gt; -eq &lt;span class="m"&gt;0&lt;/span&gt; &lt;span class="o"&gt;]&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt; &lt;span class="k"&gt;then&lt;/span&gt;
    log_end_msg &lt;span class="m"&gt;0&lt;/span&gt;
    &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="m"&gt;0&lt;/span&gt;
  &lt;span class="k"&gt;else&lt;/span&gt;
    log_end_msg &lt;span class="m"&gt;1&lt;/span&gt;
    &lt;span class="nb"&gt;exit&lt;/span&gt; &lt;span class="m"&gt;1&lt;/span&gt;
  &lt;span class="k"&gt;fi&lt;/span&gt;
&lt;span class="o"&gt;}&lt;/span&gt;

&lt;span class="c1"&gt;# Function to define config file, log file and log level&lt;/span&gt;
conf_check&lt;span class="o"&gt;()&lt;/span&gt; &lt;span class="o"&gt;{&lt;/span&gt;
  &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="o"&gt;[&lt;/span&gt; -z &lt;span class="nv"&gt;$CONFIG&lt;/span&gt; &lt;span class="o"&gt;]&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt; &lt;span class="k"&gt;then&lt;/span&gt;
    &lt;span class="nv"&gt;OPTIONS&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;&lt;/span&gt;&lt;span class="nv"&gt;$OPTIONS&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;&lt;/span&gt;
  &lt;span class="k"&gt;else&lt;/span&gt;
    &lt;span class="nv"&gt;OPTIONS&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;-c &lt;/span&gt;&lt;span class="nv"&gt;$CONFIG&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;&lt;/span&gt;
  &lt;span class="k"&gt;fi&lt;/span&gt;

  &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="o"&gt;[&lt;/span&gt; -z &lt;span class="nv"&gt;$LOG&lt;/span&gt; &lt;span class="o"&gt;]&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt; &lt;span class="k"&gt;then&lt;/span&gt;
    &lt;span class="nv"&gt;OPTIONS&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;&lt;/span&gt;&lt;span class="nv"&gt;$OPTIONS&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;&lt;/span&gt;
  &lt;span class="k"&gt;else&lt;/span&gt;
    &lt;span class="nv"&gt;OPTIONS&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;&lt;/span&gt;&lt;span class="nv"&gt;$OPTIONS&lt;/span&gt;&lt;span class="s2"&gt; -l &lt;/span&gt;&lt;span class="nv"&gt;$LOG&lt;/span&gt;&lt;span class="s2"&gt;/flexget.log&amp;quot;&lt;/span&gt;
    &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="o"&gt;[&lt;/span&gt; ! -d &lt;span class="nv"&gt;$LOG&lt;/span&gt; &lt;span class="o"&gt;]&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt; &lt;span class="k"&gt;then&lt;/span&gt; 
      mkdir -p -m &lt;span class="m"&gt;750&lt;/span&gt; &lt;span class="nv"&gt;$LOG&lt;/span&gt;
      chown &lt;span class="nv"&gt;$FGUSER&lt;/span&gt; &lt;span class="nv"&gt;$LOG&lt;/span&gt;
    &lt;span class="k"&gt;fi&lt;/span&gt;
  &lt;span class="k"&gt;fi&lt;/span&gt;

  &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="o"&gt;[&lt;/span&gt; -z &lt;span class="nv"&gt;$LEVEL&lt;/span&gt; &lt;span class="o"&gt;]&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt; &lt;span class="k"&gt;then&lt;/span&gt;
    &lt;span class="nv"&gt;OPTIONS&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;&lt;/span&gt;&lt;span class="nv"&gt;$OPTIONS&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;&lt;/span&gt;
  &lt;span class="k"&gt;else&lt;/span&gt;
    &lt;span class="nv"&gt;OPTIONS&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;&lt;/span&gt;&lt;span class="nv"&gt;$OPTIONS&lt;/span&gt;&lt;span class="s2"&gt; -L &lt;/span&gt;&lt;span class="nv"&gt;$LEVEL&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;&lt;/span&gt;
  &lt;span class="k"&gt;fi&lt;/span&gt;
&lt;span class="o"&gt;}&lt;/span&gt;

start_flexget&lt;span class="o"&gt;()&lt;/span&gt; &lt;span class="o"&gt;{&lt;/span&gt;
  run_check
  &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="o"&gt;[&lt;/span&gt; &lt;span class="nv"&gt;$RETVAL&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="m"&gt;0&lt;/span&gt; &lt;span class="o"&gt;]&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt; &lt;span class="k"&gt;then&lt;/span&gt;
    log_action_msg &lt;span class="s2"&gt;&amp;quot;&lt;/span&gt;&lt;span class="nv"&gt;$DESC&lt;/span&gt;&lt;span class="s2"&gt;: Already running with PID &lt;/span&gt;&lt;span class="k"&gt;$(&lt;/span&gt;cat &lt;span class="nv"&gt;$PIDFILE&lt;/span&gt;&lt;span class="k"&gt;)&lt;/span&gt;&lt;span class="s2"&gt;. Aborting.&amp;quot;&lt;/span&gt;
    &lt;span class="nb"&gt;exit&lt;/span&gt; &lt;span class="m"&gt;2&lt;/span&gt;
  &lt;span class="k"&gt;else&lt;/span&gt;
    conf_check
    log_daemon_msg &lt;span class="s2"&gt;&amp;quot;&lt;/span&gt;&lt;span class="nv"&gt;$DESC&lt;/span&gt;&lt;span class="s2"&gt;: Starting the daemon.&amp;quot;&lt;/span&gt;
    start-stop-daemon --start --background --quiet --pidfile &lt;span class="nv"&gt;$PIDFILE&lt;/span&gt; --make-pidfile &lt;span class="se"&gt;\&lt;/span&gt;
    --chuid &lt;span class="nv"&gt;$FGUSER&lt;/span&gt; --user &lt;span class="nv"&gt;$FGUSER&lt;/span&gt; --exec &lt;span class="nv"&gt;$DAEMON&lt;/span&gt; -- &lt;span class="nv"&gt;$OPTIONS&lt;/span&gt; daemon start
    &lt;span class="nv"&gt;RETVAL&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="nv"&gt;$?&lt;/span&gt;
    end_log
  &lt;span class="k"&gt;fi&lt;/span&gt;
&lt;span class="o"&gt;}&lt;/span&gt;

stop_flexget&lt;span class="o"&gt;()&lt;/span&gt; &lt;span class="o"&gt;{&lt;/span&gt;
  run_check
  &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="o"&gt;[&lt;/span&gt; &lt;span class="nv"&gt;$RETVAL&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="m"&gt;0&lt;/span&gt; &lt;span class="o"&gt;]&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt; &lt;span class="k"&gt;then&lt;/span&gt;
    log_daemon_msg &lt;span class="s2"&gt;&amp;quot;&lt;/span&gt;&lt;span class="nv"&gt;$DESC&lt;/span&gt;&lt;span class="s2"&gt;: Stopping the daemon.&amp;quot;&lt;/span&gt;
    start-stop-daemon --stop --quiet --chuid &lt;span class="s2"&gt;&amp;quot;&lt;/span&gt;&lt;span class="nv"&gt;$FGUSER&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;&lt;/span&gt; --pidfile &lt;span class="s2"&gt;&amp;quot;&lt;/span&gt;&lt;span class="nv"&gt;$PIDFILE&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;&lt;/span&gt; --retry &lt;span class="m"&gt;30&lt;/span&gt;
    &lt;span class="nv"&gt;RETVAL&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="nv"&gt;$?&lt;/span&gt;
    &lt;span class="o"&gt;[&lt;/span&gt; -e &lt;span class="s2"&gt;&amp;quot;&lt;/span&gt;&lt;span class="nv"&gt;$PIDFILE&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;&lt;/span&gt; &lt;span class="o"&gt;]&lt;/span&gt; &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; rm -f &lt;span class="s2"&gt;&amp;quot;&lt;/span&gt;&lt;span class="nv"&gt;$PIDFILE&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;&lt;/span&gt;
    end_log
  &lt;span class="k"&gt;else&lt;/span&gt;
    log_action_msg &lt;span class="s2"&gt;&amp;quot;&lt;/span&gt;&lt;span class="nv"&gt;$DESC&lt;/span&gt;&lt;span class="s2"&gt;: Not currently running. Aborting.&amp;quot;&lt;/span&gt;
  &lt;span class="nb"&gt;exit&lt;/span&gt; &lt;span class="m"&gt;2&lt;/span&gt;
  &lt;span class="k"&gt;fi&lt;/span&gt;
&lt;span class="o"&gt;}&lt;/span&gt;

status_flexget&lt;span class="o"&gt;()&lt;/span&gt; &lt;span class="o"&gt;{&lt;/span&gt;
  run_check
  &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="o"&gt;[&lt;/span&gt; &lt;span class="nv"&gt;$RETVAL&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="m"&gt;0&lt;/span&gt; &lt;span class="o"&gt;]&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt; &lt;span class="k"&gt;then&lt;/span&gt;
    log_action_msg &lt;span class="s2"&gt;&amp;quot;&lt;/span&gt;&lt;span class="nv"&gt;$DESC&lt;/span&gt;&lt;span class="s2"&gt;: Currently running with PID &lt;/span&gt;&lt;span class="k"&gt;$(&lt;/span&gt;cat &lt;span class="nv"&gt;$PIDFILE&lt;/span&gt;&lt;span class="k"&gt;)&lt;/span&gt;&lt;span class="s2"&gt;.&amp;quot;&lt;/span&gt;
  &lt;span class="k"&gt;else&lt;/span&gt;
    log_action_msg &lt;span class="s2"&gt;&amp;quot;&lt;/span&gt;&lt;span class="nv"&gt;$DESC&lt;/span&gt;&lt;span class="s2"&gt;: Not currently running.&amp;quot;&lt;/span&gt;
  &lt;span class="k"&gt;fi&lt;/span&gt;
  &lt;span class="nb"&gt;exit&lt;/span&gt; &lt;span class="nv"&gt;$RETVAL&lt;/span&gt;
&lt;span class="o"&gt;}&lt;/span&gt;

&lt;span class="k"&gt;case&lt;/span&gt; &lt;span class="s2"&gt;&amp;quot;&lt;/span&gt;&lt;span class="nv"&gt;$1&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;&lt;/span&gt; in
  start&lt;span class="o"&gt;)&lt;/span&gt;
    start_flexget
  &lt;span class="p"&gt;;;&lt;/span&gt;
  stop&lt;span class="o"&gt;)&lt;/span&gt;
    stop_flexget
  &lt;span class="p"&gt;;;&lt;/span&gt;
  restart&lt;span class="o"&gt;)&lt;/span&gt;
    stop_flexget &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; sleep &lt;span class="m"&gt;2&lt;/span&gt; &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; start_flexget
  &lt;span class="p"&gt;;;&lt;/span&gt;
  status&lt;span class="o"&gt;)&lt;/span&gt;
    status_flexget
  &lt;span class="p"&gt;;;&lt;/span&gt;
  *&lt;span class="o"&gt;)&lt;/span&gt;
    &lt;span class="nb"&gt;echo&lt;/span&gt; &lt;span class="s2"&gt;&amp;quot;Usage: &lt;/span&gt;&lt;span class="nv"&gt;$0&lt;/span&gt;&lt;span class="s2"&gt; {start|stop|restart|status}&amp;quot;&lt;/span&gt;
  &lt;span class="p"&gt;;;&lt;/span&gt;
&lt;span class="k"&gt;esac&lt;/span&gt;

&lt;span class="nb"&gt;exit&lt;/span&gt; &lt;span class="m"&gt;0&lt;/span&gt;
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Then, give execution rights to the script :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;chmod +x /etc/init.d/flexget
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;And then, generate the necessary symlinks for the service to start on boot :&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Debian Jessie&lt;/em&gt;&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;systemctl &lt;span class="nb"&gt;enable&lt;/span&gt; flexget
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;&lt;em&gt;Debian Wheezy&lt;/em&gt;&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;insserv flexget
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;To start, stop or check if the daemon is running :&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Debian Jessie&lt;/em&gt;&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;systemctl start flexget
systemctl stop flexget
systemctl status flexget
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;&lt;em&gt;Debian Wheezy / Jessie&lt;/em&gt;&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;service flexget start
service flexget stop
service flexget status
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;&lt;em&gt;Debian Wheezy&lt;/em&gt;&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;/etc/init.d/flexget start
/etc/init.d/flexget stop
/etc/init.d/flexget status
&lt;/pre&gt;&lt;/div&gt;


&lt;h2&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;That's all ! If you are using this script, please let me know in the comment section below !&lt;/p&gt;</content></entry><entry><title>Setting up a mail server</title><link href="https://captainark.net/setting-up-a-mail-server.html" rel="alternate"></link><published>2015-04-24T00:00:00+02:00</published><updated>2015-04-24T00:00:00+02:00</updated><author><name>Antoine Joubert</name></author><id>tag:captainark.net,2015-04-24:/setting-up-a-mail-server.html</id><summary type="html">&lt;p&gt;In this first tutorial, I'll explain how I've configured my mail server using the following :&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;A server running Linux Debian (jessie) ;&lt;/li&gt;
&lt;li&gt;Postfix ;&lt;/li&gt;
&lt;li&gt;Postfix-policyd-spf-python ;&lt;/li&gt;
&lt;li&gt;Dovecot ;&lt;/li&gt;
&lt;li&gt;Spamassassin ;&lt;/li&gt;
&lt;li&gt;OpenDKIM ;&lt;/li&gt;
&lt;li&gt;OpenDMARC ;&lt;/li&gt;
&lt;li&gt;Monit ;&lt;/li&gt;
&lt;li&gt;Rainloop.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;I'm assuming you have some basic knowledge of Linux and DNS configuration.&lt;/p&gt;
&lt;p&gt;You can host this server at home, but you …&lt;/p&gt;</summary><content type="html">&lt;p&gt;In this first tutorial, I'll explain how I've configured my mail server using the following :&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;A server running Linux Debian (jessie) ;&lt;/li&gt;
&lt;li&gt;Postfix ;&lt;/li&gt;
&lt;li&gt;Postfix-policyd-spf-python ;&lt;/li&gt;
&lt;li&gt;Dovecot ;&lt;/li&gt;
&lt;li&gt;Spamassassin ;&lt;/li&gt;
&lt;li&gt;OpenDKIM ;&lt;/li&gt;
&lt;li&gt;OpenDMARC ;&lt;/li&gt;
&lt;li&gt;Monit ;&lt;/li&gt;
&lt;li&gt;Rainloop.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;I'm assuming you have some basic knowledge of Linux and DNS configuration.&lt;/p&gt;
&lt;p&gt;You can host this server at home, but you might have issues with your ISP not allowing outbound traffic on TCP port 25, and your emails might be considered to be spam by other providers if your IP is dynamic and/or you can't configure a reverse DNS record on it.&lt;/p&gt;
&lt;p&gt;The cheapest VMs from &lt;a href="https://www.digitalocean.com/?refcode=1cd69e4c3389"&gt;DigitalOcean&lt;/a&gt; or &lt;a href="http://www.vultr.com/?ref=6804947"&gt;Vultr&lt;/a&gt; are powerful enough to have this configuration running smoothly.&lt;/p&gt;
&lt;p&gt;We'll also need a SSL certificate for this configuration. You can create an auto-signed one or get a free valid one from &lt;a href="http://www.startssl.com/"&gt;StartSSL&lt;/a&gt;. For the purpose of this tutorial, I'll consider you've chosen the latter.&lt;/p&gt;
&lt;p&gt;You'll also need a domain name. I've chosen &lt;a href="http://www.namecheap.com/?aff=85990"&gt;Namecheap&lt;/a&gt; as a registrar. I won't go into details on how to configure it, but you'll need at the very least a A record on your server's IP as well as a MX record pointing to it.&lt;/p&gt;
&lt;p&gt;I use the captainark.net domain as an example throughout this tutorial. You'll have to use your actual domain for your configuration to work !&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Note: links in this section are sponsored.&lt;/em&gt;&lt;/p&gt;
&lt;h2&gt;Initial configuration&lt;/h2&gt;
&lt;h3&gt;Installing the required packages&lt;/h3&gt;
&lt;p&gt;First thing first, we need to install the packages we'll need for this configuration :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;apt update

apt install mysql-server mysql-client postfix postfix-mysql &lt;span class="se"&gt;\&lt;/span&gt;
postfix-policyd-spf-python dovecot-core dovecot-imapd dovecot-lmtpd &lt;span class="se"&gt;\&lt;/span&gt;
dovecot-mysql dovecot-sieve dovecot-managesieved dovecot-antispam &lt;span class="se"&gt;\&lt;/span&gt;
opendkim opendkim-tools monit opendmarc spamassassin spamc
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;During its installation, Postfix will prompt you with configuration questions. Choose "Internet Site", and when asked about your System mail name, provide it with your server's FQDN (it should be the output of the &lt;code&gt;hostname -f&lt;/code&gt; command on your server).&lt;/p&gt;
&lt;p&gt;You'll also have to set-up a password for the MySQL root user.&lt;/p&gt;
&lt;h3&gt;Additional configuration&lt;/h3&gt;
&lt;p&gt;The PTR records on your server's IPv4 and/or IPv6 should match your server's FQDN (a &lt;code&gt;dig -x&lt;/code&gt; on your server's IP should match a &lt;code&gt;hostname -f&lt;/code&gt; on your server).&lt;/p&gt;
&lt;p&gt;You'll have to open the following TCP ports on your server for this configuration to work : 25, 465, 587 and 993.&lt;/p&gt;
&lt;p&gt;If you don't want to have to remember the root user MySQL password, you can create a .my.cnf file in your current user home directory containing the following lines :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;span class="o"&gt;[&lt;/span&gt;client&lt;span class="o"&gt;]&lt;/span&gt;
&lt;span class="nv"&gt;host&lt;/span&gt;     &lt;span class="o"&gt;=&lt;/span&gt; localhost
&lt;span class="nv"&gt;user&lt;/span&gt;     &lt;span class="o"&gt;=&lt;/span&gt; root
&lt;span class="nv"&gt;password&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; myverysecurepassword
&lt;span class="nv"&gt;socket&lt;/span&gt;   &lt;span class="o"&gt;=&lt;/span&gt; /var/run/mysqld/mysqld.sock
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Once it has been created, change the permissions on the file to make sure no other user can read it :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;chmod &lt;span class="m"&gt;600&lt;/span&gt; ~/.my.cnf
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;I also like to change the default MySQL shell to see what database I'm using at any given time. Since I use bash, I achieve this the following way :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;span class="nb"&gt;echo&lt;/span&gt; &lt;span class="s1"&gt;&amp;#39;export MYSQL_PS1=&amp;quot;[\u@\h] (\d)&amp;gt; &amp;quot;&amp;#39;&lt;/span&gt; &amp;gt; ~/.bash_aliases
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;You'll have to logout from the current shell for the modification to be taken into account (if you're using SSH, log out and back into your server).&lt;/p&gt;
&lt;p&gt;You should now be able to log into MySQL without specifying a password, and it should look like this :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;:~$ mysql mysql
&lt;span class="o"&gt;[&lt;/span&gt;...&lt;span class="o"&gt;]&lt;/span&gt;
&lt;span class="o"&gt;[&lt;/span&gt;root@localhost&lt;span class="o"&gt;]&lt;/span&gt; &lt;span class="o"&gt;(&lt;/span&gt;mysql&lt;span class="o"&gt;)&lt;/span&gt;&amp;gt;
&lt;/pre&gt;&lt;/div&gt;


&lt;h2&gt;Configuring the MySQL database&lt;/h2&gt;
&lt;h3&gt;Initial configuration&lt;/h3&gt;
&lt;p&gt;We now need to configure the MySQL database Postfix and Dovecot will be using. In this tutorial, we'll be calling it "mail", but you can name it whatever you want.&lt;/p&gt;
&lt;p&gt;First, in a mysql shell, let's create the MySQL database :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;span class="k"&gt;CREATE&lt;/span&gt; &lt;span class="k"&gt;DATABASE&lt;/span&gt; &lt;span class="n"&gt;mail&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Now, we are going to create the user that Postfix and Dovecot will be using to access the database. We will only be granting this user select permission :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;span class="k"&gt;GRANT&lt;/span&gt; &lt;span class="k"&gt;SELECT&lt;/span&gt; &lt;span class="k"&gt;ON&lt;/span&gt; &lt;span class="n"&gt;mail&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="o"&gt;*&lt;/span&gt; &lt;span class="k"&gt;TO&lt;/span&gt; &lt;span class="s1"&gt;&amp;#39;mail&amp;#39;&lt;/span&gt;&lt;span class="o"&gt;@&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;localhost&amp;#39;&lt;/span&gt; &lt;span class="n"&gt;IDENTIFIED&lt;/span&gt; &lt;span class="k"&gt;BY&lt;/span&gt; &lt;span class="s1"&gt;&amp;#39;mailpassword&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="n"&gt;FLUSH&lt;/span&gt; &lt;span class="k"&gt;PRIVILEGES&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;We are now going to create the necessary tables for our needs. Let's first use the mail database :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;span class="n"&gt;USE&lt;/span&gt; &lt;span class="n"&gt;mail&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;The first table we are going to create will contain the domains we will be using with our mail server :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;span class="k"&gt;CREATE&lt;/span&gt; &lt;span class="k"&gt;TABLE&lt;/span&gt; &lt;span class="o"&gt;`&lt;/span&gt;&lt;span class="n"&gt;virtual_domains&lt;/span&gt;&lt;span class="o"&gt;`&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;
&lt;span class="o"&gt;`&lt;/span&gt;&lt;span class="n"&gt;id&lt;/span&gt;&lt;span class="o"&gt;`&lt;/span&gt;  &lt;span class="nb"&gt;INT&lt;/span&gt; &lt;span class="k"&gt;NOT&lt;/span&gt; &lt;span class="k"&gt;NULL&lt;/span&gt; &lt;span class="n"&gt;AUTO_INCREMENT&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="o"&gt;`&lt;/span&gt;&lt;span class="n"&gt;name&lt;/span&gt;&lt;span class="o"&gt;`&lt;/span&gt; &lt;span class="nb"&gt;VARCHAR&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mi"&gt;50&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="k"&gt;NOT&lt;/span&gt; &lt;span class="k"&gt;NULL&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="k"&gt;PRIMARY&lt;/span&gt; &lt;span class="k"&gt;KEY&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="o"&gt;`&lt;/span&gt;&lt;span class="n"&gt;id&lt;/span&gt;&lt;span class="o"&gt;`&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="n"&gt;ENGINE&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;InnoDB&lt;/span&gt; &lt;span class="k"&gt;DEFAULT&lt;/span&gt; &lt;span class="n"&gt;CHARSET&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;utf8&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Then, we are going to create the table that will contain our users and their password :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;span class="k"&gt;CREATE&lt;/span&gt; &lt;span class="k"&gt;TABLE&lt;/span&gt; &lt;span class="o"&gt;`&lt;/span&gt;&lt;span class="n"&gt;virtual_users&lt;/span&gt;&lt;span class="o"&gt;`&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;
&lt;span class="o"&gt;`&lt;/span&gt;&lt;span class="n"&gt;id&lt;/span&gt;&lt;span class="o"&gt;`&lt;/span&gt; &lt;span class="nb"&gt;INT&lt;/span&gt; &lt;span class="k"&gt;NOT&lt;/span&gt; &lt;span class="k"&gt;NULL&lt;/span&gt; &lt;span class="n"&gt;AUTO_INCREMENT&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="o"&gt;`&lt;/span&gt;&lt;span class="n"&gt;domain_id&lt;/span&gt;&lt;span class="o"&gt;`&lt;/span&gt; &lt;span class="nb"&gt;INT&lt;/span&gt; &lt;span class="k"&gt;NOT&lt;/span&gt; &lt;span class="k"&gt;NULL&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="o"&gt;`&lt;/span&gt;&lt;span class="n"&gt;password&lt;/span&gt;&lt;span class="o"&gt;`&lt;/span&gt; &lt;span class="nb"&gt;VARCHAR&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mi"&gt;106&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="k"&gt;NOT&lt;/span&gt; &lt;span class="k"&gt;NULL&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="o"&gt;`&lt;/span&gt;&lt;span class="n"&gt;email&lt;/span&gt;&lt;span class="o"&gt;`&lt;/span&gt; &lt;span class="nb"&gt;VARCHAR&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mi"&gt;120&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="k"&gt;NOT&lt;/span&gt; &lt;span class="k"&gt;NULL&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="k"&gt;PRIMARY&lt;/span&gt; &lt;span class="k"&gt;KEY&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="o"&gt;`&lt;/span&gt;&lt;span class="n"&gt;id&lt;/span&gt;&lt;span class="o"&gt;`&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;
&lt;span class="k"&gt;UNIQUE&lt;/span&gt; &lt;span class="k"&gt;KEY&lt;/span&gt; &lt;span class="o"&gt;`&lt;/span&gt;&lt;span class="n"&gt;email&lt;/span&gt;&lt;span class="o"&gt;`&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="o"&gt;`&lt;/span&gt;&lt;span class="n"&gt;email&lt;/span&gt;&lt;span class="o"&gt;`&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;
&lt;span class="k"&gt;FOREIGN&lt;/span&gt; &lt;span class="k"&gt;KEY&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;domain_id&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="k"&gt;REFERENCES&lt;/span&gt; &lt;span class="n"&gt;virtual_domains&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;id&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="k"&gt;ON&lt;/span&gt; &lt;span class="k"&gt;DELETE&lt;/span&gt; &lt;span class="k"&gt;CASCADE&lt;/span&gt;
&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="n"&gt;ENGINE&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;InnoDB&lt;/span&gt; &lt;span class="k"&gt;DEFAULT&lt;/span&gt; &lt;span class="n"&gt;CHARSET&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;utf8&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Finally, the last table we are going to create will contain our mail aliases :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;span class="k"&gt;CREATE&lt;/span&gt; &lt;span class="k"&gt;TABLE&lt;/span&gt; &lt;span class="o"&gt;`&lt;/span&gt;&lt;span class="n"&gt;virtual_aliases&lt;/span&gt;&lt;span class="o"&gt;`&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;
&lt;span class="o"&gt;`&lt;/span&gt;&lt;span class="n"&gt;id&lt;/span&gt;&lt;span class="o"&gt;`&lt;/span&gt; &lt;span class="nb"&gt;INT&lt;/span&gt; &lt;span class="k"&gt;NOT&lt;/span&gt; &lt;span class="k"&gt;NULL&lt;/span&gt; &lt;span class="n"&gt;AUTO_INCREMENT&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="o"&gt;`&lt;/span&gt;&lt;span class="n"&gt;domain_id&lt;/span&gt;&lt;span class="o"&gt;`&lt;/span&gt; &lt;span class="nb"&gt;INT&lt;/span&gt; &lt;span class="k"&gt;NOT&lt;/span&gt; &lt;span class="k"&gt;NULL&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="o"&gt;`&lt;/span&gt;&lt;span class="k"&gt;source&lt;/span&gt;&lt;span class="o"&gt;`&lt;/span&gt; &lt;span class="nb"&gt;varchar&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mi"&gt;100&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="k"&gt;NOT&lt;/span&gt; &lt;span class="k"&gt;NULL&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="o"&gt;`&lt;/span&gt;&lt;span class="n"&gt;destination&lt;/span&gt;&lt;span class="o"&gt;`&lt;/span&gt; &lt;span class="nb"&gt;varchar&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mi"&gt;100&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="k"&gt;NOT&lt;/span&gt; &lt;span class="k"&gt;NULL&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="k"&gt;PRIMARY&lt;/span&gt; &lt;span class="k"&gt;KEY&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="o"&gt;`&lt;/span&gt;&lt;span class="n"&gt;id&lt;/span&gt;&lt;span class="o"&gt;`&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;
&lt;span class="k"&gt;FOREIGN&lt;/span&gt; &lt;span class="k"&gt;KEY&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;domain_id&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="k"&gt;REFERENCES&lt;/span&gt; &lt;span class="n"&gt;virtual_domains&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;id&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="k"&gt;ON&lt;/span&gt; &lt;span class="k"&gt;DELETE&lt;/span&gt; &lt;span class="k"&gt;CASCADE&lt;/span&gt;
&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="n"&gt;ENGINE&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;InnoDB&lt;/span&gt; &lt;span class="k"&gt;DEFAULT&lt;/span&gt; &lt;span class="n"&gt;CHARSET&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;utf8&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/pre&gt;&lt;/div&gt;


&lt;h3&gt;Domains, users and aliases management&lt;/h3&gt;
&lt;p&gt;We are now going to add data to the tables we have created.&lt;/p&gt;
&lt;p&gt;First, let's add a domain to the virtual_domains table :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;span class="k"&gt;INSERT&lt;/span&gt; &lt;span class="k"&gt;INTO&lt;/span&gt; &lt;span class="n"&gt;virtual_domains&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="o"&gt;`&lt;/span&gt;&lt;span class="n"&gt;name&lt;/span&gt;&lt;span class="o"&gt;`&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="k"&gt;VALUES&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;captainark.net&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;We can now create users associated with this domain in the virtual_users table :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;span class="k"&gt;INSERT&lt;/span&gt; &lt;span class="k"&gt;INTO&lt;/span&gt; &lt;span class="n"&gt;virtual_users&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="o"&gt;`&lt;/span&gt;&lt;span class="n"&gt;domain_id&lt;/span&gt;&lt;span class="o"&gt;`&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="o"&gt;`&lt;/span&gt;&lt;span class="n"&gt;password&lt;/span&gt;&lt;span class="o"&gt;`&lt;/span&gt; &lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="o"&gt;`&lt;/span&gt;&lt;span class="n"&gt;email&lt;/span&gt;&lt;span class="o"&gt;`&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="k"&gt;VALUES&lt;/span&gt;
&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;1&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;ENCRYPT&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;notanactualpassword&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;CONCAT&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;$6$&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="k"&gt;SUBSTRING&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;SHA&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;RAND&lt;/span&gt;&lt;span class="p"&gt;()),&lt;/span&gt; &lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="mi"&gt;16&lt;/span&gt;&lt;span class="p"&gt;))),&lt;/span&gt;
&lt;span class="s1"&gt;&amp;#39;example@captainark.net&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;This is not mandatory, but we can also create our first mail alias :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;span class="k"&gt;INSERT&lt;/span&gt; &lt;span class="k"&gt;INTO&lt;/span&gt; &lt;span class="n"&gt;virtual_aliases&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="o"&gt;`&lt;/span&gt;&lt;span class="n"&gt;domain_id&lt;/span&gt;&lt;span class="o"&gt;`&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="o"&gt;`&lt;/span&gt;&lt;span class="k"&gt;source&lt;/span&gt;&lt;span class="o"&gt;`&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="o"&gt;`&lt;/span&gt;&lt;span class="n"&gt;destination&lt;/span&gt;&lt;span class="o"&gt;`&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="k"&gt;VALUES&lt;/span&gt;
&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;1&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="s1"&gt;&amp;#39;alias@captainark.net&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="s1"&gt;&amp;#39;example@captainark.net&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Now, all messages sent to alias@captainark.net will be forwarded to example@captainark.net.&lt;/p&gt;
&lt;p&gt;Use the same syntax to create additional domains, users and aliases. If you have more than one domains configured, be sure to associate your users and aliases with the correct domain_id.&lt;/p&gt;
&lt;h2&gt;Configuring Postfix&lt;/h2&gt;
&lt;p&gt;Next, we are going to configure &lt;a href="http://www.postfix.org/"&gt;Postfix&lt;/a&gt;.&lt;/p&gt;
&lt;h3&gt;Configuration backup&lt;/h3&gt;
&lt;p&gt;First, let's backup the original configuration files :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;cp /etc/postfix/main.cf /etc/postfix/main.cf.orig
cp /etc/postfix/master.cf /etc/postfix/master.cf.orig
&lt;/pre&gt;&lt;/div&gt;


&lt;h3&gt;User and group creation&lt;/h3&gt;
&lt;p&gt;We are now going to create a user and group called vmail that will be used by both Postfix and Dovecot :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;groupadd -g &lt;span class="m"&gt;5000&lt;/span&gt; vmail
useradd -g vmail -u &lt;span class="m"&gt;5000&lt;/span&gt; vmail -d /var/mail -m -s /bin/false
&lt;/pre&gt;&lt;/div&gt;


&lt;h3&gt;SSL certificates&lt;/h3&gt;
&lt;p&gt;Next, we are going to create the folder where we will store the SSL certificates :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;mkdir /etc/postfix/ssl
chown root: /etc/postfix/ssl &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; chmod &lt;span class="m"&gt;600&lt;/span&gt; /etc/postfix/ssl
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Purists will probably want to store their certificates in /etc/ssl/private. If you choose to do so, you'll have to adapt the path of those files for the remainder of this tutorial.&lt;/p&gt;
&lt;p&gt;If you've decided to create a certificate with StartSSL, you'll end up with two files, a .crt and a .key. I'll name those files server.crt and server-with-passphrase.key. Put both these files in the folder we've just created.&lt;/p&gt;
&lt;p&gt;Now, let's remove the passphrase from the key :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;span class="nb"&gt;cd&lt;/span&gt; /etc/postfix/ssl
openssl rsa -in server-with-passphrase.key -out server.key
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;You'll be prompted for the passphrase you chose during the certificate generation.&lt;/p&gt;
&lt;p&gt;Next, we have to download the appropriate intermediate certificate :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;wget -O /etc/postfix/ssl/sub.class1.server.ca.pem &lt;span class="se"&gt;\&lt;/span&gt;
http://www.startssl.com/certs/sub.class1.server.ca.pem
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;We now have to make sure that the permissions on those files are correct :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;chown root: /etc/postfix/ssl/* &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; chmod &lt;span class="m"&gt;600&lt;/span&gt; /etc/postfix/ssl/*
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;The last thing we have to do here is to generate Diffie-Hellman keys for Perfect Forward Secrecy (PFS) :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;openssl gendh -out /etc/postfix/dh_512.pem -2 &lt;span class="m"&gt;512&lt;/span&gt;
openssl gendh -out /etc/postfix/dh_1024.pem -2 &lt;span class="m"&gt;1024&lt;/span&gt;
&lt;/pre&gt;&lt;/div&gt;


&lt;h3&gt;Postifx configuration&lt;/h3&gt;
&lt;p&gt;First, let's edit the /etc/postfix/main.cf file. It should end up looking something like that :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;smtpd_banner = &lt;span class="nv"&gt;$myhostname&lt;/span&gt; ESMTP &lt;span class="nv"&gt;$mail_name&lt;/span&gt; (Debian/GNU)
biff = no

broken_sasl_auth_clients = yes
config_directory = /etc/postfix
disable_vrfy_command = yes
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_helo_required = yes

queue_directory = /var/spool/postfix
append_dot_mydomain = no
readme_directory = no

smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file=/etc/postfix/ssl/server.crt
smtpd_tls_key_file=/etc/postfix/ssl/server.key
smtpd_tls_CAfile=/etc/postfix/ssl/sub.class1.server.ca.pem
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
smtpd_tls_protocols=!SSLv2,!SSLv3
smtpd_tls_mandatory_ciphers=high
smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:&lt;span class="cp"&gt;${&lt;/span&gt;&lt;span class="n"&gt;data_directory&lt;/span&gt;&lt;span class="cp"&gt;}&lt;/span&gt;/smtpd_scache

tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom

smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_helo_required = yes

smtp_tls_CAfile = &lt;span class="nv"&gt;$smtpd_tls_CAfile&lt;/span&gt;
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:&lt;span class="cp"&gt;${&lt;/span&gt;&lt;span class="n"&gt;data_directory&lt;/span&gt;&lt;span class="cp"&gt;}&lt;/span&gt;/smtp_scache

smtpd_milters =
non_smtpd_milters = &lt;span class="nv"&gt;$smtpd_milters&lt;/span&gt;
milter_protocol = 2
milter_default_action = accept

smtpd_recipient_restrictions =
  reject_invalid_hostname,
  reject_non_fqdn_hostname,
  reject_non_fqdn_sender,
  reject_non_fqdn_recipient,
  reject_unknown_sender_domain,
  reject_unknown_recipient_domain,
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination,
  permit

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = &lt;span class="nv"&gt;$myhostname&lt;/span&gt;
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = &lt;span class="nv"&gt;$smtpd_sasl_security_options&lt;/span&gt;
smtpd_tls_auth_only = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

myhostname = myserver.captainark.net ### CHANGE THIS
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost, myserver.captainark.net ### CHANGE THIS
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
default_transport = smtp
relay_transport = smtp
inet_interfaces = all
inet_protocols = all

virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;The variable "myhostname" has to be defined to you server's FQDN. The file /etc/mailname should contain your server's FQDN as well.&lt;/p&gt;
&lt;p&gt;Next, we need to edit the /etc/postfix/master.cf file. You need to uncomment the following lines :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o tls_preempt_cipherlist=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;You also have to add the following lines at the end of the file :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;dovecot    unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f &lt;span class="cp"&gt;${&lt;/span&gt;&lt;span class="n"&gt;sender&lt;/span&gt;&lt;span class="cp"&gt;}&lt;/span&gt; -d &lt;span class="cp"&gt;${&lt;/span&gt;&lt;span class="n"&gt;recipient&lt;/span&gt;&lt;span class="cp"&gt;}&lt;/span&gt;
&lt;/pre&gt;&lt;/div&gt;


&lt;h3&gt;MySQL access for Postfix&lt;/h3&gt;
&lt;p&gt;We now need to allow Postfix to connect to the MySQL database we have created earlier. To that end, we must create three files.&lt;/p&gt;
&lt;p&gt;/etc/postfix/mysql-virtual-mailbox-domains.cf should contain the following lines :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;user = mail
password = mailpassword
hosts = 127.0.0.1
dbname = mail
query = SELECT 1 FROM virtual_domains WHERE name=&amp;#39;%s&amp;#39;
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;/etc/postfix/mysql-virtual-mailbox-maps.cf should contain the following lines :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;user = mail
password = mailpassword
hosts = 127.0.0.1
dbname = mail
query = SELECT 1 FROM virtual_users WHERE email=&amp;#39;%s&amp;#39;
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;/etc/postfix/mysql-virtual-alias-maps.cf should contain the following lines :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;user = mail
password = mailpassword
hosts = 127.0.0.1
dbname = mail
query = SELECT destination FROM virtual_aliases WHERE source=&amp;#39;%s&amp;#39;
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Since these files contain a password, let's make sure they are not world-readable :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;chown root: /etc/postfix/mysql* &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; chmod &lt;span class="m"&gt;600&lt;/span&gt; /etc/postfix/mysql*
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;You can use the command postmap to confirm that everything is working properly :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;postmap -q captainark.net mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf

postmap -q example@captainark.net mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf

postmap -q alias@captainark.net mysql:/etc/postfix/mysql-virtual-alias-maps.cf
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Let's restart postfix for our modifications to be taken into account :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;systemctl restart postfix
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;That's it for Postfix, for now ; Dovecot is next !&lt;/p&gt;
&lt;h2&gt;Configuring Dovecot&lt;/h2&gt;
&lt;h3&gt;Dovecot global configuration&lt;/h3&gt;
&lt;p&gt;By default, on Debian, &lt;a href="http://www.dovecot.org/"&gt;Dovecot&lt;/a&gt; uses multiple configuration files in /etc/dovecot/conf.d. I found it annoying to maintain, and I ended up only using the /etc/doveconf.conf file.&lt;/p&gt;
&lt;p&gt;As always, let's start by backing up the original configuration file :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;mv /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.orig
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Next, we are going to create a new /etc/dovecot/dovecot.conf file. It should contain the following lines :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;span class="sx"&gt;!include_try /usr/share/dovecot/protocols.d/*.protocol&lt;/span&gt;
&lt;span class="n"&gt;protocols&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="n"&gt;imap&lt;/span&gt; &lt;span class="n"&gt;lmtp&lt;/span&gt; &lt;span class="n"&gt;sieve&lt;/span&gt;

&lt;span class="n"&gt;mail_location&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="n"&gt;maildir&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;var&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;mail&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="c"&gt;%d/%n&lt;/span&gt;
&lt;span class="n"&gt;mail_privileged_group&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="n"&gt;vmail&lt;/span&gt;
&lt;span class="n"&gt;mail_plugin_dir&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;usr&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;lib&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;dovecot&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;modules&lt;/span&gt;
&lt;span class="n"&gt;mail_plugins&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt;

&lt;span class="n"&gt;disable_plaintext_auth&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="n"&gt;yes&lt;/span&gt;
&lt;span class="n"&gt;auth_mechanisms&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="n"&gt;plain&lt;/span&gt; &lt;span class="n"&gt;login&lt;/span&gt;

&lt;span class="n"&gt;service&lt;/span&gt; &lt;span class="n"&gt;director&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="n"&gt;unix_listener&lt;/span&gt; &lt;span class="n"&gt;login&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;director&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="p"&gt;}&lt;/span&gt;
  &lt;span class="n"&gt;fifo_listener&lt;/span&gt; &lt;span class="n"&gt;login&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;proxy&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="n"&gt;notify&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="p"&gt;}&lt;/span&gt;
  &lt;span class="n"&gt;unix_listener&lt;/span&gt; &lt;span class="n"&gt;director&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="n"&gt;userdb&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="p"&gt;}&lt;/span&gt;
  &lt;span class="n"&gt;inet_listener&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="p"&gt;}&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;

&lt;span class="n"&gt;namespace&lt;/span&gt; &lt;span class="n"&gt;inbox&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="n"&gt;inbox&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="n"&gt;yes&lt;/span&gt;
  &lt;span class="n"&gt;type&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="n"&gt;private&lt;/span&gt;
    &lt;span class="n"&gt;mailbox&lt;/span&gt; &lt;span class="n"&gt;Drafts&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
      &lt;span class="n"&gt;auto&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="n"&gt;subscribe&lt;/span&gt;
      &lt;span class="n"&gt;special_use&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="o"&gt;\&lt;/span&gt;&lt;span class="n"&gt;Drafts&lt;/span&gt;
    &lt;span class="p"&gt;}&lt;/span&gt;
    &lt;span class="n"&gt;mailbox&lt;/span&gt; &lt;span class="n"&gt;Junk&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
      &lt;span class="n"&gt;auto&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="n"&gt;subscribe&lt;/span&gt;
      &lt;span class="n"&gt;special_use&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="o"&gt;\&lt;/span&gt;&lt;span class="n"&gt;Junk&lt;/span&gt;
    &lt;span class="p"&gt;}&lt;/span&gt;
    &lt;span class="n"&gt;mailbox&lt;/span&gt; &lt;span class="n"&gt;Sent&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
      &lt;span class="n"&gt;auto&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="n"&gt;subscribe&lt;/span&gt;
      &lt;span class="n"&gt;special_use&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="o"&gt;\&lt;/span&gt;&lt;span class="n"&gt;Sent&lt;/span&gt;
    &lt;span class="p"&gt;}&lt;/span&gt;
    &lt;span class="n"&gt;mailbox&lt;/span&gt; &lt;span class="n"&gt;Trash&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
      &lt;span class="n"&gt;auto&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="n"&gt;subscribe&lt;/span&gt;
      &lt;span class="n"&gt;special_use&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="o"&gt;\&lt;/span&gt;&lt;span class="n"&gt;Trash&lt;/span&gt;
    &lt;span class="p"&gt;}&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;

&lt;span class="n"&gt;service&lt;/span&gt; &lt;span class="n"&gt;imap&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="n"&gt;login&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="n"&gt;inet_listener&lt;/span&gt; &lt;span class="n"&gt;imap&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
    &lt;span class="n"&gt;port&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="mi"&gt;0&lt;/span&gt;
  &lt;span class="p"&gt;}&lt;/span&gt;
  &lt;span class="n"&gt;inet_listener&lt;/span&gt; &lt;span class="n"&gt;imaps&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
    &lt;span class="n"&gt;port&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="mi"&gt;993&lt;/span&gt;
    &lt;span class="n"&gt;ssl&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="n"&gt;yes&lt;/span&gt;
  &lt;span class="p"&gt;}&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;

&lt;span class="n"&gt;service&lt;/span&gt; &lt;span class="n"&gt;pop3&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="n"&gt;login&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="n"&gt;inet_listener&lt;/span&gt; &lt;span class="n"&gt;pop3&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
    &lt;span class="n"&gt;port&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="mi"&gt;0&lt;/span&gt;
  &lt;span class="p"&gt;}&lt;/span&gt;
  &lt;span class="n"&gt;inet_listener&lt;/span&gt; &lt;span class="n"&gt;pop3s&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
    &lt;span class="n"&gt;port&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="mi"&gt;0&lt;/span&gt;
  &lt;span class="p"&gt;}&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;

&lt;span class="n"&gt;service&lt;/span&gt; &lt;span class="n"&gt;lmtp&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="n"&gt;unix_listener&lt;/span&gt; &lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;var&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;spool&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;postfix&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;private&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;dovecot&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="n"&gt;lmtp&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
    &lt;span class="n"&gt;mode&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="mi"&gt;0600&lt;/span&gt;
    &lt;span class="n"&gt;user&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="n"&gt;postfix&lt;/span&gt;
    &lt;span class="n"&gt;group&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="n"&gt;postfix&lt;/span&gt;
  &lt;span class="p"&gt;}&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;

&lt;span class="n"&gt;service&lt;/span&gt; &lt;span class="n"&gt;imap&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;

&lt;span class="n"&gt;service&lt;/span&gt; &lt;span class="n"&gt;pop3&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;

&lt;span class="n"&gt;service&lt;/span&gt; &lt;span class="n"&gt;auth&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="n"&gt;unix_listener&lt;/span&gt; &lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;var&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;spool&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;postfix&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;private&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;auth&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
    &lt;span class="n"&gt;mode&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="mi"&gt;0666&lt;/span&gt;
    &lt;span class="n"&gt;user&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="n"&gt;postfix&lt;/span&gt;
    &lt;span class="n"&gt;group&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="n"&gt;postfix&lt;/span&gt;
  &lt;span class="p"&gt;}&lt;/span&gt;
  &lt;span class="n"&gt;unix_listener&lt;/span&gt; &lt;span class="n"&gt;auth&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="n"&gt;userdb&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
    &lt;span class="n"&gt;mode&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="mi"&gt;0600&lt;/span&gt;
    &lt;span class="n"&gt;user&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="n"&gt;vmail&lt;/span&gt;
  &lt;span class="p"&gt;}&lt;/span&gt;
  &lt;span class="n"&gt;user&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="n"&gt;dovecot&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;

&lt;span class="n"&gt;service&lt;/span&gt; &lt;span class="n"&gt;auth&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="n"&gt;worker&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="n"&gt;user&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="n"&gt;vmail&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;

&lt;span class="n"&gt;service&lt;/span&gt; &lt;span class="n"&gt;dict&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="n"&gt;unix_listener&lt;/span&gt; &lt;span class="n"&gt;dict&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="p"&gt;}&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;

&lt;span class="n"&gt;ssl&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="n"&gt;required&lt;/span&gt;
&lt;span class="n"&gt;ssl_cert&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="o"&gt;&amp;lt;/&lt;/span&gt;&lt;span class="n"&gt;etc&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;postfix&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;ssl&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;server&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;crt&lt;/span&gt;
&lt;span class="n"&gt;ssl_key&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="o"&gt;&amp;lt;/&lt;/span&gt;&lt;span class="n"&gt;etc&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;postfix&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;ssl&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;server&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;key&lt;/span&gt;
&lt;span class="n"&gt;ssl_ca&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="o"&gt;&amp;lt;/&lt;/span&gt;&lt;span class="n"&gt;etc&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;postfix&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;ssl&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;sub&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;class1&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;server&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;ca&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;pem&lt;/span&gt;
&lt;span class="n"&gt;ssl_protocols&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; !&lt;span class="n"&gt;SSLv2&lt;/span&gt; !&lt;span class="n"&gt;SSLv3&lt;/span&gt;
&lt;span class="n"&gt;ssl_cipher_list&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="n"&gt;AES128&lt;/span&gt;&lt;span class="o"&gt;+&lt;/span&gt;&lt;span class="n"&gt;EECDH&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="n"&gt;AES128&lt;/span&gt;&lt;span class="o"&gt;+&lt;/span&gt;&lt;span class="n"&gt;EDH&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;!&lt;span class="n"&gt;aNULL&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="n"&gt;protocol&lt;/span&gt; &lt;span class="n"&gt;lda&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="n"&gt;mail_plugins&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; $&lt;span class="n"&gt;mail_plugins&lt;/span&gt; &lt;span class="n"&gt;sieve&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;

&lt;span class="n"&gt;protocol&lt;/span&gt; &lt;span class="n"&gt;imap&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="n"&gt;mail_plugins&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; $&lt;span class="n"&gt;mail_plugins&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;
&lt;span class="n"&gt;protocol&lt;/span&gt; &lt;span class="n"&gt;lmtp&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="n"&gt;mail_plugins&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; $&lt;span class="n"&gt;mail_plugins&lt;/span&gt; &lt;span class="n"&gt;sieve&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;

&lt;span class="n"&gt;plugin&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="n"&gt;sieve&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;var&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;mail&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;sieve&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;users&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="c"&gt;%u.sieve&lt;/span&gt;
  &lt;span class="n"&gt;sieve_after&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;var&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;mail&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;sieve&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;after&lt;/span&gt;
  &lt;span class="n"&gt;sieve_before&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;var&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;mail&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;sieve&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;before&lt;/span&gt;
  &lt;span class="n"&gt;sieve_global_dir&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;var&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;lib&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;dovecot&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;sieve&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;
  &lt;span class="n"&gt;sieve_dir&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="o"&gt;~/&lt;/span&gt;&lt;span class="n"&gt;sieve&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;

&lt;span class="n"&gt;passdb&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="n"&gt;driver&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="n"&gt;sql&lt;/span&gt;
  &lt;span class="n"&gt;args&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;etc&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;dovecot&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;sql&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;conf&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;
&lt;span class="n"&gt;userdb&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="n"&gt;driver&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="n"&gt;static&lt;/span&gt;
  &lt;span class="n"&gt;args&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="n"&gt;uid&lt;/span&gt;&lt;span class="p"&gt;=&lt;/span&gt;&lt;span class="n"&gt;vmail&lt;/span&gt; &lt;span class="n"&gt;gid&lt;/span&gt;&lt;span class="p"&gt;=&lt;/span&gt;&lt;span class="n"&gt;vmail&lt;/span&gt; &lt;span class="n"&gt;home&lt;/span&gt;&lt;span class="p"&gt;=&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;var&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;mail&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="c"&gt;%d/%n&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Dovecot will use the same SSL certificate as Postfix.&lt;/p&gt;
&lt;p&gt;Using this configuration, your virtual users' emails will be stored in /var/mail/$domain/$user/ and will be owned by the vmail user.&lt;/p&gt;
&lt;p&gt;For this to work, we have to create the domain folder :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;mkdir -p /var/mail/captainark.net
chown vmail: /var/mail/captainark.net &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; chmod &lt;span class="m"&gt;770&lt;/span&gt; /var/mail/captainark.net
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Dovecot will create the virtual users' folders automatically.&lt;/p&gt;
&lt;h3&gt;Dovecot access to the MySQL database&lt;/h3&gt;
&lt;p&gt;We now need to allow Dovecot to connect to the mail database we have populated earlier. To do so, we are going to create a /etc/dovecot/sql.conf file with the following content :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;driver = mysql
connect = host=localhost dbname=mail user=mail password=mailpassword
default_pass_scheme = SHA512-CRYPT
password_query = SELECT email as user, password FROM virtual_users WHERE email=&amp;#39;%u&amp;#39;;
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;You'll have to change the password to the one you have defined earlier. Since this file contains a password, let's make sure it's not world-readable :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;chown root: /etc/dovecot/sql.conf &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; chmod &lt;span class="m"&gt;600&lt;/span&gt; /etc/dovecot/sql.conf
&lt;/pre&gt;&lt;/div&gt;


&lt;h3&gt;Configuring Sieve&lt;/h3&gt;
&lt;p&gt;The last thing we need to configure here is sieve. The idea is to have all messages flagged as spam automatically moved to the mailbox Junk folder.&lt;/p&gt;
&lt;p&gt;To do so, let's first create the required folders :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;mkdir -p /var/mail/sieve/before
mkdir /var/mail/sieve/after
mkdir /var/mail/sieve/users
chown -R vmail: /var/mail/sieve &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; chmod -R &lt;span class="m"&gt;770&lt;/span&gt; /var/mail/sieve
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;If you want to have sieve rules for a specific user, simply create $user@$domain.sieve file in the users folder (example@captainark.net in my case).&lt;/p&gt;
&lt;p&gt;All .sieve files in the before folder will be used for all your virtual users, before their individual configuration ; the .sieve files in the after folder will be used, well, you guessed it, after.&lt;/p&gt;
&lt;p&gt;Let's create a filter.sieve file in the /var/mail/sieve/before folder with the following content :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;require [&amp;quot;envelope&amp;quot;, &amp;quot;fileinto&amp;quot;, &amp;quot;imap4flags&amp;quot;, &amp;quot;regex&amp;quot;];

if not header :regex &amp;quot;message-id&amp;quot; &amp;quot;.*@.*\.&amp;quot; {
      fileinto &amp;quot;Junk&amp;quot;;
}

if header :contains &amp;quot;X-Spam-Level&amp;quot; &amp;quot;*****&amp;quot; {
      fileinto &amp;quot;Junk&amp;quot;;
}
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Last thing we have to do is to change the permissions on the newly created file :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;chown vmail: /var/mail/sieve/before/filter.sieve &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; &lt;span class="se"&gt;\&lt;/span&gt;
chmod &lt;span class="m"&gt;660&lt;/span&gt; /var/mail/sieve/before/filter.sieve
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;That's all ; now, all email we receive that is flagged as spam by SpamAssassin will be moved to the Junk folder.&lt;/p&gt;
&lt;p&gt;Let's restart dovecot :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;systemctl restart dovecot
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;We now have a working mail server !&lt;/p&gt;
&lt;p&gt;To connect to it and access your mailbox, configure your email client as follow :&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Username: example@captainark.net ;&lt;/li&gt;
&lt;li&gt;Password: the password you chose for your virtual user ;&lt;/li&gt;
&lt;li&gt;IMAP: your server's FQDN, port 993 (SSL/TLS with normal password) ;&lt;/li&gt;
&lt;li&gt;SMTP: your server's FQDN, port 465 (SSL/TLS with normal password).&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Configuring SpamAssassin&lt;/h2&gt;
&lt;h3&gt;The alternatives&lt;/h3&gt;
&lt;p&gt;Next thing we have to do is to configure the actual anti-spam. I tried a few, but I ended up sticking with &lt;a href="http://spamassassin.apache.org/"&gt;SpamAssassin&lt;/a&gt;. Here's why :&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="http://dspam.nuclearelephant.com/"&gt;DSPAM&lt;/a&gt; is &lt;a href="http://sourceforge.net/p/dspam/mailman/message/32585111/"&gt;no longer maintained&lt;/a&gt; and &lt;a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754810"&gt;has been removed from Debian Jessie&lt;/a&gt; ;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://rspamd.com/"&gt;Rspamd&lt;/a&gt; is interesting, has been &lt;a href="https://packages.debian.org/source/jessie/rspamd"&gt;integrated in Debian Jessie&lt;/a&gt;, but is poorly documented at this time ;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://bogofilter.sourceforge.net/"&gt;Bogofilter&lt;/a&gt; does not seem to have the greatest server integration.&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;The actual configuration&lt;/h3&gt;
&lt;p&gt;SpamAssassin's configuration is pretty straightforward. First, let's edit the /etc/default/spamassassin file :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;ENABLED=1
[...]
CRON=1
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Before the cron runs for the first time, we have to manually update SpamAssassin's ruleset :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;sa-learn
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Next, as usual, let's back up the original configuration file :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;mv /etc/spamassassin/local.cf /etc/spamassassin/local.cf.orig
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Let's create a new /etc/spamassassin/local.cf file with the following content :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;rewrite_header Subject [SPAM]
report_safe 0
required_score 5.0
use_bayes 1
bayes_auto_learn 1

whitelist_from *@captainark.net
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Next, to have Postfix send incoming emails through SpamAssassin, we have to edit the /etc/postfix/master.cf file. At the very beginning, we have to add a line under the smtp definition :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;smtp      inet  n       -       -       -       -       smtpd
  -o content_filter=spamassassin
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;At the very end of the same file, we have to add the following lines :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;spamassassin unix -     n       n       -       -       pipe
  user=debian-spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f &lt;span class="cp"&gt;${&lt;/span&gt;&lt;span class="n"&gt;sender&lt;/span&gt;&lt;span class="cp"&gt;}&lt;/span&gt; &lt;span class="cp"&gt;${&lt;/span&gt;&lt;span class="n"&gt;recipient&lt;/span&gt;&lt;span class="cp"&gt;}&lt;/span&gt;
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Let's restart SpamAssassin and Postfix :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;systemctl restart postfix
systemctl restart spamassassin
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;That's all for SpamAssassin ! To check if it is working, send yourself an email from another provider. You should see the following headers in it :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
    myserver.captainark.net
X-Spam-Level:
&lt;/pre&gt;&lt;/div&gt;


&lt;h2&gt;Configuring SPF&lt;/h2&gt;
&lt;h3&gt;Allowing your server to send emails for your domain&lt;/h3&gt;
&lt;p&gt;&lt;a href="http://www.openspf.org/"&gt;SPF&lt;/a&gt; (Sender Policy Framework) is a mechanism that confirms that your server's IP is allowed to send emails for your domain. Technically, it is a TXT DNS record which looks something like this :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;captainark.net IN TXT &amp;quot;v=spf1 mx ~all&amp;quot;
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;This DNS record lets other mail servers know that hosts that have a MX record for my domain are also allowed to send emails for it.&lt;/p&gt;
&lt;p&gt;For more information on SPF syntax, you can consult the &lt;a href="http://www.openspf.org/SPF_Record_Syntax"&gt;official documentation&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Without a properly configured SPF record, other mail servers might flag your emails as spam or outright drop them.&lt;/p&gt;
&lt;h3&gt;Checking SPF record for inbound mail&lt;/h3&gt;
&lt;p&gt;Now that we have set up our own SPF record, let's configure Postfix to check that other mail servers communicating with us have done the same.&lt;/p&gt;
&lt;p&gt;First, let's add the two following lines at the end of /etc/postfix-policyd-spf-python/policyd-spf.conf :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;Header_Type = AR
Authserv_Id = &amp;quot;&amp;lt;server&amp;#39;s FQDN&amp;gt;&amp;quot;
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Then, let's edit the /etc/postfix/master.cf file and add the following lines at the end :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;policy-spf  unix  -       n       n       -       -       spawn
  user=nobody argv=/usr/bin/policyd-spf
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Let's now edit the /etc/postfix/main.cf. In the "smtpd_recipient_restrictions" section, add the "check_policy_service" line as seen below :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;smtpd_recipient_restrictions =
[...]
  reject_unauth_destination,
  check_policy_service unix:private/policy-spf,
  permit
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;We now have to restart postfix :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;systemctl restart postfix
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Our server is now checking other mail server's SPF records.&lt;/p&gt;
&lt;p&gt;To make sure that it is working, send yourself an email from another provider. You should see the following header in it :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;span class="nt"&gt;Authentication-Results&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt; &lt;span class="nt"&gt;myserver&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nc"&gt;captainark&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nc"&gt;net&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt; &lt;span class="nt"&gt;spf&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="nt"&gt;pass&lt;/span&gt; &lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="nt"&gt;sender&lt;/span&gt; &lt;span class="nt"&gt;SPF&lt;/span&gt; &lt;span class="nt"&gt;authorized&lt;/span&gt;&lt;span class="o"&gt;)&lt;/span&gt;
&lt;span class="cp"&gt;[&lt;/span&gt;&lt;span class="nx"&gt;...&lt;/span&gt;&lt;span class="cp"&gt;]&lt;/span&gt; &lt;span class="nt"&gt;receiver&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="nt"&gt;example&lt;/span&gt;&lt;span class="p"&gt;@&lt;/span&gt;&lt;span class="k"&gt;captainark&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nc"&gt;net&lt;/span&gt;&lt;span class="o"&gt;)&lt;/span&gt;
&lt;/pre&gt;&lt;/div&gt;


&lt;h2&gt;Configuring OpenDKIM&lt;/h2&gt;
&lt;p&gt;&lt;a href="http://www.dkim.org/"&gt;DKIM&lt;/a&gt; (DomainKeys Identified Mail) is a mechanism that validates a domain name identity for an email through cryptographic authentication.&lt;/p&gt;
&lt;p&gt;While not mandatory, setting up DKIM improves the odds of emails sent from your server not being flagged as spam by other providers.&lt;/p&gt;
&lt;p&gt;With this configuration, OpenDKIM will also check the key for inbound emails.&lt;/p&gt;
&lt;h3&gt;Software side&lt;/h3&gt;
&lt;p&gt;First, let's backup the original configuration file and create a folder for the configuration files :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;mv /etc/opendkim.conf /etc/opendkim.conf.orig
mkdir /etc/opendkim.d
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;We now have to create a /etc/opendkim.conf file with the following content :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;AutoRestart             Yes
AutoRestartRate         10/1h
UMask                   002
Syslog                  yes
SyslogSuccess           Yes
LogWhy                  Yes

OversignHeaders         From
AlwaysAddARHeader       yes

Canonicalization        relaxed/simple

ExternalIgnoreList      refile:/etc/opendkim.d/TrustedHosts
InternalHosts           refile:/etc/opendkim.d/dkim/TrustedHosts
KeyTable                refile:/etc/opendkim.d/dkim/KeyTable
SigningTable            refile:/etc/opendkim.d/dkim/SigningTable

Mode                    sv
PidFile                 /run/opendkim/opendkim.pid
SignatureAlgorithm      rsa-sha256

UserID                  opendkim:opendkim

Socket                  local:/var/spool/postfix/opendkim/opendkim.sock
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Let's then create the necessary folders :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;mkdir -p /etc/opendkim.d/keys/captainark.net/
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Now, we are going to create the /etc/opendkim.d/TrustedHosts file with the following content :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;localhost
127.0.0.1
::1
captainark.net
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;This file contains the hosts and domains for which OpenDKIM should sign emails.&lt;/p&gt;
&lt;p&gt;Next, let's create the /etc/opendkim.d/KeyTable :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;mail._domainkey.captainark.net captainark.net:mail:/etc/opendkim.d/keys/captainark.net/mail.private
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;This file tells OpenDKIM which key it should use for each selector.&lt;/p&gt;
&lt;p&gt;Finally, let's create the /etc/opendkim.d/SigningTable file :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;*@captainark.net mail._domainkey.captainark.net
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;This file tells OpenDKIM which selector it should use for each domain.&lt;/p&gt;
&lt;p&gt;We now have to generate the private/public key pair for our domain :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;span class="nb"&gt;cd&lt;/span&gt; /etc/opendkim.d/keys/captainark.net/
opendkim-genkey -s mail -d captainark.net
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;This creates two files ; mail.private contains our private key, mail.txt contains our public key.&lt;/p&gt;
&lt;p&gt;Let's change the permissions on those files :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;chown -R opendkim: /etc/opendkim.d/keys
chmod -R &lt;span class="m"&gt;700&lt;/span&gt; /etc/opendkim.d/keys
chmod &lt;span class="m"&gt;600&lt;/span&gt; /etc/opendkim.d/captainark.net/*
&lt;/pre&gt;&lt;/div&gt;


&lt;h3&gt;Postfix integration&lt;/h3&gt;
&lt;p&gt;The last thing we have to do is to configure Postfix to communicate with OpenDKIM.&lt;/p&gt;
&lt;p&gt;First, let's create the necessary folders :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;mkdir /var/spool/postfix/opendkim
chown opendkim: /var/spool/postfix/opendkim
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;We also have to add the postfix user to the opendkim group :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;useradd -G opendkim postfix
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Now, let's edit the /etc/postfix/master.cf file, like so :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;smtpd_milters = unix:/opendkim/opendkim.sock
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;We now have to restart OpenDKIM and Postfix :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;systemctl restart opendkim
systemctl restart postfix
&lt;/pre&gt;&lt;/div&gt;


&lt;h3&gt;DNS side&lt;/h3&gt;
&lt;p&gt;For DKIM to work, you have to configure a DNS TXT record in your zone. This record was automatically generated by OpenDKIM in the mail.txt file mentioned earlier :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;mail._domainkey IN TXT &amp;quot;v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCkJq0CW3tl2XHZ1CN5XdbqRDU7KfXOJ70nlwI09bHmDU63/Yz3J5rl863S0t2ncVHfIudZANj0OaiJe5HRR7WCsjuNIhQFfPFGIWLNClpxqdQVQURI38sAGeyn7Ed/Cor1AiWABzFWzel0kvXILw8K/NTzxaAPeSa9ttwQEgSmowIDAQAB&amp;quot; ; ----- DKIM key mail for captainark.net
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;All you have to do is to copy and paste this record in your DNS zone file.&lt;/p&gt;
&lt;p&gt;To make sure that OpenDKIM is working, you can send an empty email to &lt;a href="mailto:check-auth@verifier.port25.com"&gt;check-auth@verifier.port25.com&lt;/a&gt;. You should receive a response with the following content :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;==========================================================
Summary of Results
==========================================================
SPF check:          pass
DomainKeys check:   neutral
DKIM check:         pass
Sender-ID check:    pass
SpamAssassin check: ham
&lt;/pre&gt;&lt;/div&gt;


&lt;h2&gt;Configuring OpenDMARC&lt;/h2&gt;
&lt;p&gt;&lt;a href="http://dmarc.org/"&gt;DMARC&lt;/a&gt; (Domain-based Message Authentication, Reporting &amp;amp; Conformance) standardizes SPF and DKIM authentication mechanisms.&lt;/p&gt;
&lt;p&gt;It lets the owner of a domain name indicate that his email is protected by SPF and/or DKIM and what other providers should do with emails that do not pass those checks.&lt;/p&gt;
&lt;h3&gt;Software side&lt;/h3&gt;
&lt;p&gt;Once again, let's backup the original configuration file :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;mv /etc/opendmarc.conf /etc/opendmarc.conf.orig
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;We now have to create a /etc/opendmarc.conf file with the following content :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;AutoRestart             Yes
AutoRestartRate         10/1h
UMask                   0002
Syslog                  true

AuthservID              &amp;quot;&amp;lt;your server&amp;#39;s FQDN&amp;gt;&amp;quot;
TrustedAuthservIDs      &amp;quot;&amp;lt;your server&amp;#39;s FQDN&amp;gt;&amp;quot;
IgnoreHosts             /etc/opendkim.d/TrustedHosts

RejectFailures          false

UserID                  opendmarc:opendmarc
PidFile                 /run/opendmarc.pid
Socket                  local:/var/spool/postfix/opendmarc/opendmarc.sock
&lt;/pre&gt;&lt;/div&gt;


&lt;h3&gt;Postfix integration&lt;/h3&gt;
&lt;p&gt;The last thing we have to do is to configure Postfix to communicate with OpenDMARC.&lt;/p&gt;
&lt;p&gt;First, let's create the necessary folders :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;mkdir /var/spool/postfix/opendmarc
chown opendmarc: /var/spool/postfix/opendmarc
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;We also have to add the postfix user to the opendmarc group :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;useradd -G opendmarc postfix
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Now, let's edit the /etc/postfix/master.cf file, like so :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;smtpd_milters = unix:/opendkim/opendkim.sock, unix:/opendmarc/opendmarc.sock
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;We now have to restart OpenDMARC and Postfix :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;systemctl restart opendmarc
systemctl restart postfix
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;You should now see the following headers in your incoming emails :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;span class="nt"&gt;Authentication-Results&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt; &lt;span class="nt"&gt;myserver&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nc"&gt;captainark&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nc"&gt;net&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt; &lt;span class="nt"&gt;dmarc&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="nt"&gt;pass&lt;/span&gt; &lt;span class="nt"&gt;header&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nc"&gt;from&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="nt"&gt;gmail&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nc"&gt;com&lt;/span&gt;
&lt;/pre&gt;&lt;/div&gt;


&lt;h3&gt;DNS side&lt;/h3&gt;
&lt;p&gt;DMARC, like SPF and DKIM, is based on DNS TXT records.&lt;/p&gt;
&lt;p&gt;Here is how I configured it for the captainark.net domain :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;span class="nt"&gt;_dmarc&lt;/span&gt; &lt;span class="nt"&gt;IN&lt;/span&gt; &lt;span class="nt"&gt;TXT&lt;/span&gt; &lt;span class="s2"&gt;&amp;quot;v=DMARC1; p=none; rua=mailto:postmaster@captainark.net; ruf=mailto:postmaster@captainark.net&amp;quot;&lt;/span&gt;
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;This tells other providers to not reject or quarantine emails should a SPF or DKIM check fail, but to send a daily report of those checks to postmaster@captainark.net.&lt;/p&gt;
&lt;p&gt;For more information on the DMARC syntax, here is an &lt;a href="https://support.google.com/a/answer/2466563?hl=en"&gt;article from Google&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;Configuring Monit&lt;/h2&gt;
&lt;p&gt;&lt;a href="http://mmonit.com/monit/"&gt;Monit&lt;/a&gt; is a daemon that makes sure that other daemons are running. If they crash, it restarts them automatically. Is is not directly related to a mail server per say, but it's pretty easy to set up.&lt;/p&gt;
&lt;p&gt;First, as always, let's backup the original configuration file :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;mv /etc/monit/monitrc /etc/monit/monitrc.orig
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;We now have to create a new /etc/monit/monitrc file with the following content :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;set daemon 30
set logfile syslog facility log_daemon

set httpd port 2812 and
use address localhost
allow localhost

set mailserver localhost
with timeout 30 seconds
using hostname myserver.captainark.net

set mail-format { from: monit@captainark.net }

include /etc/monit/conf.d/*
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Then, we are going to create a /etc/monit/conf.d/mail file with the following content :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;check process postfix
  with pidfile &amp;quot;/var/spool/postfix/pid/master.pid&amp;quot;
  start program = &amp;quot;/bin/systemctl start postfix&amp;quot;
  stop program = &amp;quot;/bin/systemctl stop postfix&amp;quot;
  alert monit@captainark.net
  group mail

check process dovecot
  with pidfile &amp;quot;/run/dovecot/master.pid&amp;quot;
  start program = &amp;quot;/bin/systemctl start dovecot&amp;quot;
  stop program = &amp;quot;/bin/systemctl stop dovecot&amp;quot;
  alert monit@captainark.net
  group mail
  depends on postfix

check process spamassassin
  with pidfile &amp;quot;/run/spamassassin.pid&amp;quot;
  start program = &amp;quot;/bin/systemctl start spamassassin&amp;quot;
  stop program = &amp;quot;/bin/systemctl stop spamassassin&amp;quot;
  alert monit@captainark.net
  group mail
  depends on postfix, dovecot

check process opendkim
  with pidfile &amp;quot;/run/opendkim/opendkim.pid&amp;quot;
  start program = &amp;quot;/bin/systemctl start opendkim&amp;quot;
  stop program = &amp;quot;/bin/systemctl stop opendkim&amp;quot;
  alert monit@captainark.net
  group mail
  depends on postfix, dovecot

check process opendmarc
  with pidfile &amp;quot;/run/opendmarc/opendmarc.pid&amp;quot;
  start program = &amp;quot;/bin/systemctl start opendmarc&amp;quot;
  stop program = &amp;quot;/bin/systemctl stop opendmarc&amp;quot;
  alert monit@captainark.net
  group mail
  depends on postfix, dovecot
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Let's make sure that permissions on the file are correct :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;chown root: /etc/monit/conf.d/mail &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; chmod &lt;span class="m"&gt;600&lt;/span&gt; /etc/monit/conf.d/mail
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Then, we have to reload the monit daemon :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;monit reload
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Now, the &lt;code&gt;monit summary&lt;/code&gt; command should have the following output :&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;The Monit daemon 5.4 uptime: 3d 0h 41m

Process &amp;#39;postfix&amp;#39;                   Running
Process &amp;#39;dovecot&amp;#39;                   Running
Process &amp;#39;spamassassin&amp;#39;              Running
Process &amp;#39;opendkim&amp;#39;                  Running
Process &amp;#39;opendmarc&amp;#39;                 Running
&lt;/pre&gt;&lt;/div&gt;


&lt;h2&gt;Configuring Rainloop&lt;/h2&gt;
&lt;p&gt;&lt;a href="http://www.rainloop.net/"&gt;Rainloop&lt;/a&gt; is a web-based email client. I won't go into details on how to configure it in this tutorial ; here's a link to the &lt;a href="http://www.rainloop.net/docs/installation/"&gt;official documentation&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;You'll need a web server with PHP 5.3+ to run Rainloop. You do not have to run Rainloop on the same host as your mail server. No database is required.&lt;/p&gt;
&lt;h2&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;We now have a mail server that should be running pretty smoothly. It could still be improved by setting up things such as greylisting or virus detection.&lt;/p&gt;
&lt;p&gt;If you have found this tutorial useful, if you've found an error in it or if you have any question, please feel free to leave a comment below or to contact me on &lt;a href="https://twitter.com/captainark"&gt;Twitter&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;References&lt;/h2&gt;
&lt;p&gt;Here are the tutorials I used to set up my own mail server :&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/"&gt;A complete tutorial on setting up a mail server&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://docs.raccoon.io/mail-server-setup-with-postfix-dovecot/"&gt;Another complete tutorial&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.digitalocean.com/community/tutorials/how-to-configure-a-mail-server-using-postfix-dovecot-mysql-and-spamassasin"&gt;A third tutorial from DigitalOcean&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy"&gt;A tutorial on setting up OpenDKIM&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://guillaume.vaillant.me/?p=481"&gt;A tutorial on setting up OpenDMARC&lt;/a&gt; (in french)&lt;/li&gt;
&lt;/ul&gt;</content></entry></feed>