Home or cloud servers depend on which ports are available, since every service is hosted directly on the host.
This configuration is not the most secure: if either the services or pf are misconfigured, the integrity
of the operating system could be compromised.
OpenBSD Installation:
Select sets by entering a set name, a file name pattern or 'all'. De-select
sets by prepending a '-', e.g.: '-game*'. Selected sets are labelled '[X]'.
[X] bsd [X] comp74.tgz [X] xbase74.tgz [X] xserv74.tgz
[X] bsd.rd [X] man74.tgz [X] xshare74.tgz
[X] base74.tgz [X] game74.tgz [X] xfont74.tgz
Set name(s)? (or 'abort' or 'done') [done]
Directory does not contain SHA256.sig. Continue without verification? [no] yes
Installing bsd 100% |**************************| 24750 KB 00:02
Installing bsd.rd 100% |**************************| 4550 KB 00:00
Installing base74.tgz 100% |**************************| 368 MB 01:23
Extracting etc.tgz 100% |**************************| 257 KB 00:00
Installing comp74.tgz 100% |**************************| 75644 KB 00:24
Installing man74.tgz 100% |**************************| 7831 KB 00:03
Installing game74.tgz 100% |**************************| 2748 KB 00:01
Installing xbase74.tgz 100% |**************************| 57135 KB 00:16
Extracting xetc.tgz 100% |**************************| 7266 00:00
Installing xshare74.tgz 100% |**************************| 4578 KB 00:02
Installing xfont74.tgz 100% |**************************| 22968 KB 00:05
Installing xserv74.tgz 100% |**************************| 14951 KB 00:03
Location of sets? (cd0 disk http nfs or 'done') [done]
Saving configuration files... done.
Making all device nodes... done.
fw_update:fw_update: firmware.openbsd.org: no address associated with name
add none; update none
Cannot fetch http://firmware.openbsd.org/firmware/7.4/SHA256.sig
Relinking to create unique kernel...
done.
When you login to your new system the first time, please read your mail
using the 'mail' command.
- Keep only the "/" and "swap" partitions. With about 10G of disk space you could end up with a full
partition if you split the disk into multiple partitions.
- Once the installation has finished, reboot and log in with your login/password
example$ su
Password:
example# echo "permit nopass :wheel" > /etc/doas.conf
example# exit
example$ doas syspatch
Get/Verify syspatch74-001_xserver... 100% |*****************************************************************************************************| 4466 KB 00:00
Installing patch 001_xserver
Get/Verify syspatch74-002_msplit.tgz 100% |*****************************************************************************************************| 93204 00:00
Installing patch 002_msplit
Relinking to create unique kernel... done; reboot to load the new kernel
Errata can be reviewed under /var/syspatch
example$ doas fw_update
fw_update: add intel; update none
example$ doas pkg_add ee
example$ doas reboot
We have applied the patches, configured doas and installed a favourite text editor.
Now let's write the initial configuration in /etc/pf.conf.
remote-control:
    control-enable: yes
    control-interface: /var/run/nsd.sock
zone:
    name: "example.org"
    zonefile: "/zones/master/example.org.zone"
zone:
    name: "1.168.192.IN-ADDR.ARPA"
    zonefile: "/zones/master/1.168.192.zone"
IN NS ns1.example.org.
IN NS ns2.example.org.
IN MX 10 mail.example.org.
ns1 IN A 192.168.1.2
ns2 IN A 172.16.1.2
mail IN A 192.168.1.2
www IN A 192.168.1.2
@ IN A 192.168.1.2
IN TXT "v=spf1 ip4:192.168.1.2 ~all"
- Once the name server is hosting example.org, we can configure the web server to generate Let's Encrypt
certificates.
Be sure port 80 tcp is open and remotely visible: you have 5 tries before getting banned for 1 hour. Most
problems come from a filtered port 80.
We now have certificates from Let's Encrypt; let's reconfigure /etc/httpd.conf to use them for HTTPS.
- We want the mail service to have its own certificate, so we have to change /etc/acme-client.conf for mail.example.org
- Create an RSA key on the domain name server; this key must then be copied to the mail server
example$ doas -u _dkimsign openssl genrsa -out /etc/mail/dkim/private.rsa.key 2048
IN NS ns1.example.org.
IN NS ns2.example.org.
IN MX 10 mail.example.org.
ns1 IN A 192.168.1.2
ns2 IN A 172.16.1.2
mail IN A 192.168.1.2
www IN A 192.168.1.2
@ IN A 192.168.1.2
IN TXT "v=spf1 ip4:192.168.1.2 ~all"
_dmarc IN TXT "v=DMARC1;p=quarantine; pct=100; rua=mailto:dmarcreport@example.org"
example._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MFDSwerereferferwgrtgrtjrwjrtigwtijgpwijtgpwijtpgwijrgtpjwprgtojiwprtgijopwrtigjpwrjgtipworjgtiopwrgtijpowrjtgiorwtgijorwtgjwporgjwrotgjowrtjgpwortjgowrjtgowrijtgopwrjtgopwrtjgwortgjopwrtgjpowrtgjpworgtjpwrjtgporwgtjworgjorwjgtporgtjwpgtjwrgtpwrjgoprwjw"
"fdsfTETevsfwfvkw^vjtjgwdmvs;lfvrt^tvmslvmw^vmwvw^vmdfl;vw^;vlrmw^mvlw^vl^dflv,wvrnvjrivkjvsvvslwvirvwrvlwkvwkvddsjlsjkfsjdfqjjfpqfjpreqjpqr" )
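The SPF, DMARC and DKIM records above are easy to get subtly wrong, and a typo there silently breaks mail delivery rather than failing loudly. The following Python audit is added here and is not part of the original guide: it rejoins multi-string TXT records as a resolver would and flags the usual mistakes (SPF not covering the mail host, a DMARC policy or report address missing, a DKIM key that is not valid base64 or is too short for the 2048-bit key generated above, and a TXT string over the 255-octet limit that forces the parenthesised multi-string form). The record values are constructed after the zone above; the DKIM key body is a placeholder, not a real key.

```python
import base64
import re

MAX_TXT_STRING = 255  # RFC 1035: one <character-string> of TXT RDATA holds at most 255 octets
# Constructed records in the shape of the zone above (not the guide's own data);
# the DKIM key body is placeholder base64 of 2048-bit size, not a real public key.
ZONE_TXT = {
    "@": '"v=spf1 ip4:192.168.1.2 ~all"',
    "_dmarc": '"v=DMARC1;p=quarantine; pct=100; rua=mailto:dmarcreport@example.org"',
    "example._domainkey": '( "v=DKIM1; k=rsa; " "p=MIIB' + "A" * 249 + '" "' + "A" * 139 + '" )',
}

def txt_strings(rdata):  # the quoted <character-string>s of a TXT record, with or without ( )
    return re.findall(r'"([^"]*)"', rdata)

def parse_tags(value):  # 'k=v; k=v' tag lists as used by DMARC and DKIM
    return dict(p.strip().split("=", 1) for p in value.split(";") if "=" in p)

def check_spf(rdata, mail_ip):
    terms = "".join(txt_strings(rdata)).split()
    issues = [] if terms and terms[0].lower() == "v=spf1" else ["SPF: missing v=spf1"]
    if not {f"ip4:{mail_ip}", "a", "mx"} & set(terms):
        issues.append(f"SPF: mail host {mail_ip} is not an authorised sender")
    return issues

def check_dmarc(rdata):
    tags = parse_tags("".join(txt_strings(rdata)))
    issues = [] if tags.get("v") == "DMARC1" else ["DMARC: missing v=DMARC1"]
    if tags.get("p") not in ("none", "quarantine", "reject"):
        issues.append("DMARC: p= must be none, quarantine or reject")
    if not tags.get("rua", "").startswith("mailto:"):
        issues.append("DMARC: no rua= address, so failure reports are lost")
    return issues

def check_dkim(rdata):
    strings = txt_strings(rdata)  # the zone splits p= into several strings for this reason
    issues = [f"DKIM: {len(s)}-octet TXT string exceeds {MAX_TXT_STRING}"
              for s in strings if len(s.encode()) > MAX_TXT_STRING]
    tags = parse_tags("".join(strings))
    if tags.get("v") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        issues.append("DKIM: expected v=DKIM1 and k=rsa")
    try:  # a 2048-bit RSA SubjectPublicKeyInfo is 294 DER bytes, a 1024-bit one only 162
        if len(base64.b64decode(tags.get("p", ""), validate=True)) < 270:
            issues.append("DKIM: p= is shorter than the 2048-bit key generated above")
    except ValueError:  # binascii.Error is a ValueError
        issues.append("DKIM: p= is not valid base64")
    return issues

def audit_zone(txt, mail_ip):  # an empty list means the records are consistent
    return check_spf(txt["@"], mail_ip) + check_dmarc(txt["_dmarc"]) + check_dkim(txt["example._domainkey"])
```

Run audit_zone() against the TXT records of your own zone after every edit; an empty list means the three records agree with each other and with the mail host's address.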
# Listeners ------------------------------------------------------------
listen on socket filter dkimsign_rsa
listen on all tls pki mail filter { "dkimsign_rsa", "rdns", "fcrdns", "senderscore", "rspamd" }
listen on all port submission tls-require pki mail auth mask-src filter { "rspamd", "dkimsign_rsa" }
- Domain names that are allowed for mail; there may be more than one
- Rspamd Setup
- Dovecot Setup
plugin {
    zlib_save = zstd
    sieve_pipe_bin_dir = /usr/local/lib/dovecot/sieve
}
example$ cd /usr/local/lib/dovecot/sieve/
example$ doas chmod 0755 *sh
example$ doas sievec report-ham.sieve
example$ doas sievec report-spam.sieve
example$ doas rcctl enable dovecot
example$ doas rcctl start dovecot
example$ doas rcctl restart nsd smtpd redis rspamd dovecot