cheatsheet.zwischenspeicher.info


Devuan Jessie (beta) on a Raspberry Pi 2 as LAN router with WiFi uplink.

Featuring dnsmasq, openntpd and the simple webfsd HTTP server. As I don't need a full-grown mail server on the LAN, exim4-daemon-light is configured to only deliver local mail, which will be served by dovecot-imapd to mail clients on the LAN. Finally, the RPi's underclocking capabilities will be enabled to save idle CPU cycles.

Image used: devuan_jessie_1.0.0-beta_armhf_raspi2.img.xz from files.devuan.org.

Basic setup

xzcat the image to an SD card and boot the Pi with the WiFi adapter and ethernet connected. Connect via wired LAN, log in with ssh (root:toor) and adjust the defaults with the command raspi-config. Create an unprivileged user "piuser" and change the root password:

$ adduser piuser
$ passwd

Disable ssh root login and restart sshd to apply the changes:

### File: /etc/ssh/sshd_config

PermitRootLogin no

Hint: Connect with ssh as the new user and su before logging off from the current root shell.

Configuring apt

Add Devuan's security repository:

### File: /etc/apt/sources.list

deb http://auto.mirror.devuan.org/merged/ jessie-security main
deb-src http://auto.mirror.devuan.org/merged/ jessie-security main

Avoid the automatic installation of recommended packages:

### File /etc/apt/apt.conf.d/01norecommends

APT::Install-Recommends "0";
APT::Install-Suggests "0";

Update the system:

$ apt-get update && apt-get dist-upgrade

Install additional software:

$ apt-get install dnsmasq wireless-tools iptables-persistent \
    dovecot-imapd exim4-daemon-light webfsd cpufrequtils \
    openntpd

Local mail transport

Create a mail alias to forward root's mail to the newly created unprivileged user:

$ echo "root: piuser" >> /etc/aliases

To configure exim4, run "dpkg-reconfigure exim4-config" and change the respective options to:

"local delivery only; not on a network"
"Maildir format in home directory"

Test local mail delivery:

$ echo test | mailx -s test1 postmaster@localhost

Network setup

Enable port forwarding:

### File: /etc/sysctl.conf

net.ipv4.ip_forward=1

Configure the network interfaces:

### File: /etc/network/interfaces

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address     192.168.21.1
    netmask     255.255.255.0
    network     192.168.21.0
    broadcast   192.168.21.255

auto wlan0
iface wlan0 inet dhcp
    wpa-ssid    $WIFI_SSID
    wpa-psk     $WIFI_PASSWD

Note: SSID and passphrase for wlan0 need to be defined.

Disable IPv6 by blacklisting the IPv6 kernel module:

$ echo "install ipv6 /bin/true" >> /etc/modprobe.d/blacklist.conf

Configure iptables with some basic NAT and filtering rules:

### File: /etc/iptables/rules.v4

*nat
#-A PREROUTING -i wlan0 -p tcp --dport 10022 -j DNAT --to 192.168.21.10:22
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#-A INPUT -p tcp --dport 8000 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -i eth0 -o wlan0 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
#-A FORWARD -p tcp -d 192.168.21.10 --dport 22 -j ACCEPT
-A FORWARD -j DROP
COMMIT

NOTE: Rules for webfsd listening at port 8000 and ssh port forwarding from the WAN interface to 192.168.21.10 are commented out.
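Two mistakes are easy to make when the commented lines above are enabled later: uncommenting the DNAT in *nat without its FORWARD ACCEPT counterpart (the forwarded packets then hit the final "-A FORWARD -j DROP"), and a MASQUERADE rule that is not bound to the uplink interface. The following POSIX shell script is an added example, not part of the original post: it runs these checks on a constructed copy of the ruleset embedded in the script (DNAT enabled, FORWARD rule still commented out) and can be pointed at a real file with "$(cat /etc/iptables/rules.v4)". All function names are my own.

```sh
#!/bin/sh
# Added example, not from the original post: sanity checks for an
# iptables-restore ruleset of the shape used above. All names are my own.

# Constructed sample: the DNAT for ssh has been enabled, but its matching
# FORWARD ACCEPT is still commented out, so forwarded packets would hit the
# final "-A FORWARD -j DROP".
SAMPLE_RULES='*nat
-A PREROUTING -i wlan0 -p tcp --dport 10022 -j DNAT --to 192.168.21.10:22
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A FORWARD -i eth0 -o wlan0 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
#-A FORWARD -p tcp -d 192.168.21.10 --dport 22 -j ACCEPT
-A FORWARD -j DROP
COMMIT'

# Drop comment and blank lines ("#" is the comment marker in rules files).
active_rules() {
    grep -v -e '^[[:space:]]*#' | grep -v -e '^[[:space:]]*$'
}

# True when the INPUT chain's default policy is DROP.
input_policy_is_drop() {
    printf '%s\n' "$1" | active_rules | grep -q -e '^:INPUT DROP'
}

# True when every active MASQUERADE rule is bound to the uplink interface $2.
masquerade_bound_to() {
    printf '%s\n' "$1" | active_rules | grep -e '-j MASQUERADE' \
        | grep -v -E -e "-o $2( |\$)" | grep -q . && return 1
    return 0
}

# Print every active DNAT target as "ip port", one per line.
dnat_targets() {
    printf '%s\n' "$1" | active_rules | awk '
        /-j DNAT/ {
            for (i = 1; i <= NF; i++)
                if ($i == "--to" || $i == "--to-destination") {
                    split($(i + 1), t, ":")
                    print t[1], t[2]
                }
        }'
}

# Print each DNAT target (ip:port) that has no active "-A FORWARD ... -j ACCEPT"
# rule for the same destination address and port.
unmatched_dnats() {
    rules="$1"
    dnat_targets "$rules" | while read -r ip port; do
        if ! printf '%s\n' "$rules" | active_rules | grep -e '^-A FORWARD' \
                | grep -e "-d $ip " | grep -e "--dport $port " \
                | grep -q -e '-j ACCEPT$'; then
            echo "$ip:$port"
        fi
    done
}

# Report all findings for a ruleset given as one string.
check_ruleset() {
    rules="$1"
    input_policy_is_drop "$rules" || echo "WARNING: INPUT policy is not DROP"
    masquerade_bound_to "$rules" wlan0 \
        || echo "WARNING: MASQUERADE is not limited to wlan0"
    unmatched_dnats "$rules" \
        | sed 's/^/WARNING: DNAT target without a FORWARD ACCEPT rule: /'
}

check_ruleset "$SAMPLE_RULES"
```

Run against the sample, the script reports only the DNAT target 192.168.21.10:22; once the commented FORWARD line is enabled, the report is empty.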

Optionally, change the IPv6 default rules:

### File: /etc/iptables/rules.v6

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT

Configure the dnsmasq DHCP and DNS server:

### File: /etc/dnsmasq.conf

domain-needed
bogus-priv
no-resolv
local=/lan/
interface=eth0
listen-address=192.168.21.1
expand-hosts
domain=lan
dhcp-range=192.168.21.100,192.168.21.150,24h

Add some nearby DNS servers (see here for a full OpenNIC DNS server list):

### File: /etc/dnsmasq.d/10opennic

server=$IP1
server=$IP2
server=...

Define static DHCP leases:

### File: /etc/dnsmasq.d/20static_leases

dhcp-host=00:11:22:33:44:55,$HOSTNAME,192.168.21.10,24h
dhcp-host=01:11:22:33:44:55,$HOSTNAME,192.168.21.11,24h

As a workaround for the RPi's lack of a hardware clock, add the -s flag to the DAEMON_OPTS variable in /etc/default/openntpd.

To apply the previously made changes and turn the RPi from DHCP client to server / router mode, run:

$ sysctl -p /etc/sysctl.conf
$ iptables-restore < /etc/iptables/rules.v4
$ ip6tables-restore < /etc/iptables/rules.v6
$ /etc/init.d/openntpd restart
$ /etc/init.d/dnsmasq restart

Note: To unload the IPv6 kernel module, a reboot may be necessary.


Now it's time to take the RPi off the LAN and connect your workstation, again wired, directly to your new RPi2 Devuan router. Log back in:

$ ssh piuser@192.168.21.1 
$ su -

If everything went fine, you can now ping LAN and WAN from the Pi, as well as access the WAN from within the LAN.

The webfsd http server

There's not much configuration needed to bring webfsd up:

### File: /etc/webfsd.conf

web_root="/path/to/export/"
web_port="8000"
web_user="www-data"
web_group="www-data"
web_extras="-4 -b user:pass"

Start the daemon:

$ /etc/init.d/webfs restart

Given sufficient file permissions, the content of $web_root will now be served at port 8000 on all interfaces; log in with user:pass.

Setting up the dovecot IMAP server

Generate a self-signed SSL certificate:

$ openssl genrsa -out /etc/dovecot/private/dovecot.key 1024
$ openssl req -new -x509 -key /etc/dovecot/private/dovecot.key \
-out /etc/dovecot/dovecot.pem -days 365

Some minimal configuration:

### File: /etc/dovecot/dovecot.conf AND/OR /etc/dovecot/conf.d/*

disable_plaintext_auth = yes
auth_mechanisms = plain
listen = 192.168.21.1
mail_location = maildir:~/Maildir
protocols = "imap"
ssl_cert = </etc/dovecot/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.key

With auth_mechanisms limited to plain and disable_plaintext_auth set, dovecot only accepts logins over SSL/TLS. Note: This won't prevent misconfigured clients from sending unencrypted passwords. To start the server, run "/etc/init.d/dovecot restart".

CPU underclocking

(This might void the RPi's warranty.)

Mount the boot partition:

$ mount /dev/mmcblk0p1 /mnt/

Edit or create the following file; these values have not caused instabilities:

### File: /mnt/config.txt

arm_freq=800
arm_freq_min=100
core_freq=300
core_freq_min=75
sdram_freq=400
over_voltage=0

Although cpufrequtils defaults to the governor ondemand, it can be explicitly defined or changed by creating the following file; available governors are listed in /sys/devices/system/cpu/cpu0/cpufreq/scaling_available_governors.

### File: /etc/default/cpufrequtils

GOVERNOR="ondemand"

Reboot to activate and watch the changes in /sys/devices/system/cpu/cpu[0-3]/cpufreq/cpuinfo_cur_freq.

Automatic system update

To keep the new Devuan system up to date, I let cron execute my update script every four hours. Open or edit the crontab with the command "crontab -e":

### File: root crontab (/var/spool/cron/crontabs/root)

25 */4 * * * PATH='/usr/sbin:/usr/bin:/sbin:/bin' /path/to/safe-upgrade.sh

Testing

Test the upgrade script and mail transport, e.g. by downgrading the tzdata package, then running safe-upgrade.sh and fetching the upgrade log with an IMAP client (STARTTLS on port 143 or SSL on port 993, with piuser's login credentials) over the new LAN.

Final steps

Delete the content of /var/cache/apt/archives, then "dd if=/dev/zero" the free space on the SD card, shut down the Pi and pull a disk image!

Dynamic IP workaround

When running on a NATed computer (e.g. a NAS), this shell script checks an external service for the router's WAN IP in a configurable interval. Whenever it detects a change, an e-mail with the new IP address is sent via msmtp. As long as $APIURL is valid, only the $MAILTO definition needs to be adapted.

#!/bin/sh

MAILTO="YOUR_E-MAIL_ADDRESS"
MSG="Subject: Home IP\n\nCurrent IP: "
APIURL="http://api.ipify.org/"
INTERVAL="1800"
GETIP="/usr/bin/curl -s $APIURL"
SENDCMD="/usr/bin/msmtp"

# printf with %b expands the \n escapes in $MSG; echo does so only in some
# shells (dash yes, bash no), so the same printf is used for every mail.
mail_ip() {
    printf '%b%s\n' "$MSG" "$1" | "$SENDCMD" "$MAILTO"
}

IP=$($GETIP)
mail_ip "$IP"

while : ; do
    sleep "$INTERVAL"
    IPNEW=$($GETIP)
    # An empty result means curl failed: keep the old address and retry later.
    if [ -n "$IPNEW" ] && [ "$IPNEW" != "$IP" ] ; then
        IP="$IPNEW"
        mail_ip "$IP"
    fi
done
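The loop above trusts whatever the API returns: if curl fails or the endpoint answers with an error page, an empty or bogus "address" ends up in the mail and is remembered as the current one. The following POSIX shell functions are an added example, not part of the original script: they validate the response as an IPv4 address and keep the last known address in a state file, so a change is still detected after the script restarts. Function names and the sample responses in the demo loop are my own and constructed.

```sh
#!/bin/sh
# Added example, not part of the original script: validate the string the IP
# API returns before trusting it, and remember the last known address in a
# state file. Function names and the sample responses below are my own.

# True only for a dotted quad with every octet in 0..255.
valid_ipv4() {
    ip="$1"
    printf '%s' "$ip" | grep -E -q -e '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs="$IFS"; IFS=.
    set -- $ip                   # split into octets on "."
    IFS="$oldifs"
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Compare a freshly fetched address with the one stored in the state file $1.
# Prints "changed <ip>" and updates the file when it differs, "unchanged"
# when it matches, and "invalid" (file untouched, exit status 1) when $2 is
# not an IPv4 address, e.g. an empty curl result or an HTML error page.
check_ip_change() {
    state_file="$1"
    new_ip="$2"
    if ! valid_ipv4 "$new_ip"; then
        echo invalid
        return 1
    fi
    old_ip=""
    if [ -f "$state_file" ]; then
        old_ip=$(cat "$state_file")
    fi
    if [ "$new_ip" = "$old_ip" ]; then
        echo unchanged
        return 0
    fi
    printf '%s\n' "$new_ip" > "$state_file"
    echo "changed $new_ip"
}

# Build the message piped to msmtp. %b expands the \n escapes of the header
# template; %s prints the address verbatim, so it is never treated as a
# printf format string.
build_mail() {
    printf '%bCurrent IP: %s\n' 'Subject: Home IP\n\n' "$1"
}

# Demo with constructed API responses instead of live curl output.
STATE=$(mktemp)
for response in 203.0.113.7 203.0.113.7 '' '<html>error</html>' 203.0.113.8; do
    check_ip_change "$STATE" "$response" || echo "  (rejected, nothing mailed)"
done
build_mail "$(cat "$STATE")"
rm -f "$STATE"
```

In the real loop, "check_ip_change /var/lib/homeip/last "$($GETIP)"" replaces the string comparison, and the mail is only sent when the output starts with "changed".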

And here is a simple msmtp configuration with TLS enabled – be aware that the mail password is stored on the host computer in plaintext.

### File: ~/.msmtprc or /etc/msmtprc

defaults
auth            on
tls             on
tls_starttls    off
tls_trust_file  /etc/ssl/certs/ca-certificates.crt
logfile         ~/.msmtp.log

account         ACCOUNT_1
host            SMTP_SERVER
user            USER_NAME
password        PASSWORD
from            FROM_ADDRESS

account default : ACCOUNT_1