Posts From Category: server

Install Haraka SMTP Server On Ubuntu 20.04

sudo -i

Install NVM (Node Version Manager)

curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.35.3/install.sh | bash

export NVM_DIR="$([ -z "${XDG_CONFIG_HOME-}" ] && printf %s "${HOME}/.nvm" || printf %s "${XDG_CONFIG_HOME}/nvm")"

[ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"

Install Node (LTS)

nvm install --lts

Install Haraka

apt install build-essential

npm -g config set user root

npm install -g Haraka

cd /var/mail && haraka -i .

vim /var/mail/config/smtp.ini

; Server public IP
public_ip=x.x.x.x

; Daemonize
daemonize=true
daemon_log_file=/var/log/haraka.log
daemon_pid_file=/var/run/haraka.pid

; Spooling
; Save memory by spooling large messages to disk
spool_dir=/var/spool/haraka

haraka -c /var/mail

Allows incoming SMTP request on port 25 for server IP address x.x.x.x

iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d x.x.x.x --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp -s x.x.x.x --sport 25 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Allow outgoing SMTP requst for server IP address x.x.x.

iptables -A OUTPUT -p tcp -s x.x.x.x --sport 1024:65535 -d 0/0 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp -s 0/0 --sport 25 -d x.x.x.x --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Read More

Install Nginx and Let's Encrypt on Ubuntu 20.04

Prerequisites

  • You have domain name pointing to your server public IP.

Installation process

  • sudo apt update

  • sudo apt install nginx

  • sudo systemctl enable nginx

  • sudo apt install certbot

  • sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

  • sudo mkdir -p /var/lib/letsencrypt/.well-known

  • sudo chgrp www-data /var/lib/letsencrypt

  • sudo chmod g+s /var/lib/letsencrypt

  • sudo vim /etc/nginx/snippets/letsencrypt.conf

location ^~ /.well-known/acme-challenge/ {
  allow all;
  root /var/lib/letsencrypt/;
  default_type "text/plain";
  try_files $uri =404;
}
  • sudo vim /etc/nginx/snippets/ssl.conf
ssl_dhparam /etc/ssl/certs/dhparam.pem;

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 30s;

add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
  • sudo vim /etc/nginx/sites-available/dev.cmsnesia.com.conf
server {
  listen 80;
  listen [::]:80;
  server_name dev.cmsnesia.com;
  
  root /var/www/html
  
  include snippets/letsencrypt.conf;
}
  • sudo ln -s /etc/nginx/sites-available/dev.cmsnesia.com.conf /etc/nginx/sites-enabled/

  • sudo systemctl restart nginx

  • sudo certbot certonly --agree-tos --email [email protected] --webroot -w /var/lib/letsencrypt/ -d dev.cmsnesia.com

  • sudo vim /etc/nginx/sites-available/dev.cmsnesia.com.conf

server {
    listen 80;
    listen [::]:80;
    server_name dev.cmsnesia.com;
  
    root /var/www/html
    include snippets/letsencrypt.conf;
    return 301 https://dev.cmsnesia.com$request_uri; # redirect http to https
}

server {
    listen 443 ssl http2;
    server_name dev.cmsnesia.com;

    ssl_certificate /etc/letsencrypt/live/dev.cmsnesia.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dev.cmsnesia.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/dev.cmsnesia.com/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;
}

  • sudo vim /etc/cron.d/certbot
    0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "systemctl reload nginx"
    
  • sudo certbot renew --dry-run

Read More