Mar 03 2012

Add MX records (A and AAAA) to zone file for at HE
Primary files involved:

  • /etc/postfix/
  • /etc/postfix/sasl/smtpd.conf


Services to restart after config changes:

  • /etc/init.d/postfix restart
  • /etc/init.d/saslauthd start
  • /etc/init.d/dovecot restart

POSTFIX (send)

$ sudo apt-get update
$ sudo apt-get install postfix
$ sudo dpkg-reconfigure postfix
$ sudo apt-get install mailutils
$ sudo mkdir /etc/skel/mail/
$ mkdir ~/mail/
$ su
# mkdir ~/mail/

test send:

$ mail -s Subject_Line [recipient]
testing new mail. This is the body.
[CTRL+D to send]
$ mail -s "log file" [recipient] < /etc/nginx/nginx.conf


DOVECOT (receive)
config at: /etc/dovecot/dovecot.conf (do the usual back-up, re-create); mail folders in /var/mail/$USER

$ sudo apt-get install dovecot-imapd dovecot-pop3d
$ sudo cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf-backup
$ sudo rm /etc/dovecot/dovecot.conf
$ sudo nano /etc/dovecot/dovecot.conf

Backup /etc/dovecot/dovecot.conf, recreate it as below:

#sjy2 2012-03-01
protocols = imap imaps pop3 pop3s
listen = *, [::]
# "no" permits PLAIN/LOGIN on the unencrypted imap/pop3 listeners as well;
# "yes" would refuse them there, allowing password auth only over SSL/TLS
disable_plaintext_auth = no
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_privileged_group = mail
ssl_cert_file = /etc/ssl/certs/postfix.pem
ssl_key_file = /etc/ssl/private/postfix.key
mail_location = maildir:~/mail:LAYOUT=fs:INBOX=~/mail/
protocol imap {}
protocol pop3 {
  pop3_uidl_format = %08Xu%08Xv
}
protocol managesieve {}
auth default {
  mechanisms = plain login
  passdb pam {}
  userdb passwd {}
  # auth socket inside the Postfix chroot, for Postfix SMTP AUTH via Dovecot SASL
  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}
dict {}
plugin {}


Feb 28 2012

1. Ensure everything is up to date (as root):

#apt-get update
#apt-get upgrade --show-upgraded

2. Install OpenVPN and the udev dependency

#apt-get install openvpn udev

3. Configure Public Key Infrastructure Variables

$ sudo nano /etc/openvpn/easy-rsa/2.0/vars
Edited the defaults to the following (roughly as for CA_Cert; NB to update CACerts):
export KEY_CITY="Newton"
export KEY_ORG="US.Yearl" #perhaps should have used
export KEY_EMAIL=""

4. Initialize the PKI

All the commands in sequence. Unlike for CA_Cert, I left the fields not present in /etc/openvpn/easy-rsa/2.0/vars blank; they are not necessary anyway. The point is to create a DN (Distinguished Name).

cd /etc/openvpn/easy-rsa/2.0/
. ./vars   # exports the KEY_* variables edited above; clean-all refuses to run without them
. /etc/openvpn/easy-rsa/2.0/clean-all
. /etc/openvpn/easy-rsa/2.0/build-ca
Organizational Unit Name (eg, section) []:.
Common Name (eg, your name or your server's hostname) [US.Yearl CA]:.
Name []:.

5. Generate Certificates and Private Keys

. /etc/openvpn/easy-rsa/2.0/build-key-server yearlus

writing new private key to 'yearlus.key'
… some questions matching the info in /etc/openvpn/easy-rsa/2.0/vars, then:
A challenge password []: **MYAWESOMEPASSWORD**
An optional company name []: US.Yearl

6. Create client certs, in this case named after two machines on my LAN:

. /etc/openvpn/easy-rsa/2.0/build-key huitzil
. /etc/openvpn/easy-rsa/2.0/build-key centzon

The same questions as before re building a DN. Hmm. I’m going to run with the server settings for huitzil (except for email: that will be that machine’s owner) and something different for centzon and see which one (or both) are valid. The doco is unclear on how the client DN should be constructed; I may have answered my own question as:
Common Name (eg, your name or your server's hostname) [huitzil]:

7. Generate Diffie Hellman Parameters

DH params govern the method of key exchange and authentication used by the OpenVPN server. Generate these:

. /etc/openvpn/easy-rsa/2.0/build-dh

8. Relocate Secure Keys

The /etc/openvpn/easy-rsa/2.0/keys/ directory contains all of the keys generated by the easy-rsa tools. In order to authenticate to the VPN, you’ll need to copy a number of certificate and key files to the remote client machines. They are: ca.crt, client1.crt and client1.key.

# cp -r /etc/openvpn/easy-rsa/2.0/keys /home/sjy2/openvpn_keys
# chown -R sjy2 /home/sjy2/openvpn_keys

Then SFTP, and delete the non-root copies in the user dir. SCP direct from the source dir would have been easier, but neither endpoint was readily accessible, and root login is additionally prevented on the server (see XXX), hence the need to temporarily transfer ownership. The server’s keys and certificates then go to /etc/openvpn so the OpenVPN server process can access them.

$ cd /etc/openvpn/easy-rsa/2.0/keys
$ sudo cp ca.crt ca.key dh1024.pem yearlus.crt yearlus.key /etc/openvpn
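Before copying anything off the box it is worth confirming which of the freshly built certificates actually chain to ca.crt, and that no private key is readable by other users. The script below is an added example (not from the original post or from easy-rsa): check_keys_dir works on a real keys/ directory, while make_demo_keys builds a throwaway CA, a client cert and a deliberately unrelated self-signed cert with plain openssl so the whole thing runs offline.

```shell
#!/bin/sh
# Added example (not from the original post). Sanity-check an easy-rsa
# keys directory before copying files to clients: every non-CA cert must
# chain to ca.crt, and private keys must be mode 0600.
# check_keys_dir DIR prints "OK <CN>", "BAD <file>" or "WARN <file> mode <m>".
check_keys_dir() {
    dir=$1
    for crt in "$dir"/*.crt; do
        [ "$crt" = "$dir/ca.crt" ] && continue
        if openssl verify -CAfile "$dir/ca.crt" "$crt" >/dev/null 2>&1; then
            # CN is the easy-rsa "Common Name" answered at build-key time
            cn=$(openssl x509 -in "$crt" -noout -subject | sed 's/.*CN *= *//; s/[,/].*//')
            echo "OK $cn"
        else
            echo "BAD $(basename "$crt")"
        fi
    done
    for key in "$dir"/*.key; do
        mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
        [ "$mode" = "600" ] || echo "WARN $(basename "$key") mode $mode"
    done
}

# make_demo_keys DIR: constructed stand-in for easy-rsa output: a throwaway
# CA, a client cert "huitzil" signed by it, and a self-signed "rogue" cert
# that must fail verification. Short-lived test material only.
make_demo_keys() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=huitzil" \
        -keyout "$dir/huitzil.key" -out "$dir/huitzil.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/huitzil.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/huitzil.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=rogue" \
        -keyout "$dir/rogue.key" -out "$dir/rogue.crt" 2>/dev/null
    chmod 600 "$dir"/*.key
    chmod 644 "$dir/rogue.key"   # deliberately loose, to show the WARN line
}

if command -v openssl >/dev/null 2>&1; then
    demo=$(mktemp -d)
    make_demo_keys "$demo"
    check_keys_dir "$demo"
    rm -rf "$demo"
fi
```

Against the real directory, run check_keys_dir /etc/openvpn/easy-rsa/2.0/keys; anything reported BAD is a cert that the server will not accept, and ca.key should never be among the files handed to a client.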

9. Configuring the VPN

There is an example config file in /usr/share/doc/openvpn/examples/sample-config-files:

$ cd /usr/share/doc/openvpn/examples/sample-config-files
$ sudo gunzip -d server.conf.gz
$ sudo cp server.conf /etc/openvpn/
$ sudo mv /etc/openvpn/server.conf /etc/openvpn/yearlus.conf
$ cp client.conf ~/
$ cd ~/
$ nano client.conf

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote [serverHostnameOrIP] 1194

$ sudo nano /etc/openvpn/yearlus.conf

# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca ca.crt
cert yearlus.crt
key yearlus.key  # This file should be kept secret

10. Start the VPN server

generally use “/etc/init.d/openvpn start“, but this is my first outing so let me be verbose:

$ sudo /usr/sbin/openvpn --config /etc/openvpn/yearlus.conf
OpenVPN 2.1.3 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Oct 21 2010
Wed Feb 29 23:01:08 2012 Initialization Sequence Completed

Copy a client .conf over to /etc/openvpn and start the server as a daemon:

# cp ~/centzon.conf /etc/openvpn
# /etc/init.d/openvpn start
Starting virtual private network daemon: centzon yearlus failed!

Hmmm. Problem with the client, centzon.conf? No. I’m a doofus… hunt and kill the previous PID. Then:

# cp ~/centzon.conf /etc/openvpn
# /etc/init.d/openvpn start
Starting virtual private network daemon: centzon huitzil yearlus.

Now over to a Mac client. So install and fire her up. It asks whether to “open a private configurations folder” or “create Tunnelblick VPN Configuration”. Not sure; somewhat randomly chose the former. Copy the client .crt and .key to Tunnelblick’s config dir: /Users/sjy2/Library/Application\ Support/Tunnelblick/Configurations (and last pic).
Not thoroughly happy as the connection is reset every 231s or so… that may be a DNS issue? That’s not the point right now. Also pretty sure the server keys should not have left the server. Also, it would be nice to generate a .tblk file for ease of distribution.

11. So, almost there.

Now to route/tunnel incoming connections through the VPN…

nano /etc/openvpn/yearlus.conf

uncomment: push "redirect-gateway def1 bypass-dhcp"

Now edit /etc/sysctl.conf (Configuration file for setting system variables) adding the following line to ensure that your system is able to forward IPv4/6 traffic:

nano /etc/sysctl.conf


Followed largely from

Feb 12 2012

New VPS ordered today: £7 per quarter, 256MB OpenVZ, Deb. 5 (Lenny), 1 ipv4, 10 ipv6 from

general setup:

  • update, upgrade-stable, update
  • change root
  • disable root ssh
  • change ssh port
  • add vps label to zonefile; AAAA only: 1st ipv6 addr
  • add usr
  • add sudo
  • mail — ipv6 only?
  • rdns
  • iptables
  • certs
  • WWW — nginx?
  • mySQL | postgres
  • PHP
  • VPN: 4 or 6?
  • backups/ vm export

1. Upgrade & update

#apt-get update
#apt-get upgrade
#apt-get dist-upgrade
#apt-get update

Boomshaka! == Debian 6 (squeeze), but after the upgrade the terminal is in Spanish.

— OS X side:

$sudo languagesetup

— Deb side:

$ nano ~/.profile

add: export LANG=en to ~/.profile

$ sudo dpkg-reconfigure locales
... /usr/sbin/dpkg-reconfigure: locales no está instalado
$ sudo apt-get install locales



2. SSH

$ sudo nano /etc/ssh/sshd_config

change to:

Protocol 2
PermitRootLogin no
StrictModes yes
Port [myObscurePort#]
ListenAddress [oneIPv6Addr]
ChallengeResponseAuthentication no
LoginGraceTime 600

# /etc/init.d/ssh restart
# netstat -tulpn | grep :[myObscurePort#]
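As an added example (not part of the original post), this shell script checks an sshd_config for the directives set above. It takes the first occurrence of each keyword, case-insensitively, as sshd itself does, ignores commented-out lines, and treats a missing Port as the default 22; the expected values and the sample config it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config against
# the settings chosen above. audit_sshd FILE prints "ok <Key>" or
# "fail <Key> (got: <value>|unset)" per directive and returns 1 on any fail.
# sshd matches keywords case-insensitively and honours the FIRST occurrence
# of a directive, so the lookup does the same; "#..." lines never match.
EXPECTED="Protocol=2 PermitRootLogin=no StrictModes=yes ChallengeResponseAuthentication=no"

sshd_value() {  # sshd_value FILE KEY -> first effective value, or empty
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

audit_sshd() {
    rc=0
    for pair in $EXPECTED; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_value "$1" "$key" | tr 'A-Z' 'a-z')
        if [ "$got" = "$want" ]; then
            echo "ok $key"
        else
            echo "fail $key (got: ${got:-unset})"; rc=1
        fi
    done
    # Port defaults to 22 when unset; the post moves it off the default.
    port=$(sshd_value "$1" Port)
    if [ "${port:-22}" != "22" ]; then
        echo "ok Port"
    else
        echo "fail Port (got: ${port:-unset})"; rc=1
    fi
    return $rc
}

# write_sample_sshd FILE: constructed sample config (not a real host's file)
# with one directive left commented out and one missing entirely.
write_sample_sshd() {
    cat > "$1" <<'EOF'
Protocol 2
#PermitRootLogin yes
permitrootlogin no
StrictModes yes
Port 2222
EOF
}

sample=$(mktemp)
write_sample_sshd "$sample"
audit_sshd "$sample" || echo "sshd_config needs attention"
rm -f "$sample"
```

On the VPS itself, run audit_sshd /etc/ssh/sshd_config after editing and before restarting sshd, so a typo does not lock you out on the new port.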


3. sudo

Sudo sandwich


#apt-get install sudo

4. Email (Postfix and Dovecot, SASL, Alpine)

Relocated to

5. WWW with nginx

Nginx is a free, open-source, high-performance HTTP server and reverse proxy, as well as an IMAP/POP3 proxy server. Let’s give it a whirl instead of Apache!

$ sudo apt-get install nginx
$ sudo /etc/init.d/nginx start
$ sudo mkdir /var/www
$ sudo chown www-data:www-data /var/www
$ sudo nano /var/www/index.html
$ sudo nano /etc/nginx/nginx.conf