Exim & Dovecot
January 14th, 2021 under Linux, Website Status. [ Comments: none ]

I finally set up my mail server with POP3 access. I just want to host a couple of mail addresses which map to users on the (Arch) Linux system, so no fancy virtual users or LDAP.

First, set up exim. The configuration is straightforward; just read through the entire configuration file. It turns out I needed only a few adjustments. First, the proper primary_hostname must be set.

primary_hostname = ganymede.ch

Since I want to use TLS, the certificate and private key must be set. Don’t generate any self-signed key. This just causes problems because the certificate must always be added as an exception wherever it is used. So, generate a Let’s Encrypt certificate. Point exim to Let’s Encrypt files.

tls_certificate = /etc/letsencrypt/live/ganymede.ch/fullchain.pem
tls_privatekey = /etc/letsencrypt/live/ganymede.ch/privkey.pem

The same Let’s Encrypt files can also be used by an Apache web server. Apache starts with root privileges and drops them later; the certificate and private key are read while it is still root, so the default permissions of the Let’s Encrypt directories (readable by root only) work fine for Apache. Exim, on the other hand, reads the certificate and key only when a TLS connection is being set up, i.e. as the unprivileged exim user. Hence the exim log shows a TLS error with a message like system library:fopen:Permission denied. An easy fix is to give ownership of /etc/letsencrypt/live/ and /etc/letsencrypt/archive/ to the exim user and group (the files under live/ are symlinks into archive/, which is why both directories are needed). Clearly, this causes problems if other users without root privileges need access to the files; this is not the case in my setup. Keep in mind that ownership also means write access, so a compromised exim process could replace the certificate that Apache serves. A tighter variant is to leave root as owner and only grant the exim group read access (chgrp on the two directories plus group read on the key), or to have a certbot deploy hook copy the key into an exim-owned directory.

Next, I don’t want to allow mail delivery to all local users, such as the exim or http user; I just want to whitelist certain users. This can be achieved by modifying the localuser router: simply add local_parts = lsearch;/etc/mail/accepted_local_users. The router then looks like this:

localuser:
  driver = accept
  local_parts = lsearch;/etc/mail/accepted_local_users
  check_local_user
  transport = local_delivery
  cannot_route_message = Unknown user

This router only routes an address if check_local_user succeeds and the local part is found in the accepted_local_users file (an lsearch lookup matches whole keys only, so the file cannot match partial names). So, create the file accepted_local_users and write every username which is allowed to receive e-mail into it, one username per line.

That’s it… Exim with TLS done.

Let’s look at dovecot for the POP3 access. On Arch Linux the dovecot configuration is split into many files. The example config files need to be copied into /etc/dovecot first (see the Arch Linux wiki). The main config file is /etc/dovecot/dovecot.conf. There I restricted the supported protocols to pop3:

protocols = pop3

This main config file loads all config files from the conf.d subdirectory. Here I rely on the system (PAM) authentication by including auth-system.conf.ext

!include auth-system.conf.ext

Again, as with exim, I want only whitelisted users to be able to log in, not all system users. This can be achieved with username_filter in the passdb block: simply give it the space-separated list of usernames which are allowed to log in.

passdb {
  driver = pam
  username_filter = my_user my_user2
}

Of course we also want to secure the server with TLS. This is just as easy as before: point dovecot to the Let’s Encrypt certificate and private key in 10-ssl.conf (the leading < tells dovecot to read the value from the file). Since system passwords are used for login, also make sure no plaintext login is possible without TLS: ssl = required in 10-ssl.conf together with the default disable_plaintext_auth = yes in 10-auth.conf takes care of that.

ssl_cert = </etc/letsencrypt/live/ganymede.ch/fullchain.pem
ssl_key = </etc/letsencrypt/live/ganymede.ch/privkey.pem

Dovecot’s master process runs as root and reads the key before handing connections to its unprivileged workers, so there are no permission issues here.

The last thing to do is to tell dovecot about the mailbox format and the mailbox locations. In the file 10-mail.conf write

mail_location = mbox:~/mail:INBOX=/var/mail/%u

After that we are all done. The whitelisted users can receive e-mail and fetch it through POP3 with their system password.

You can also send e-mail from your system (for instance with mail or from PHP) through exim to any e-mail address.
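The following script, an added example that is not part of the original post, bundles the checks I would run after this setup: that the exim user can read the key, that SMTP offers STARTTLS and POP3S presents a chain that verifies, that a plaintext POP3 login is refused, and that exim’s address test mode routes a whitelisted user but rejects a system account. The host name, the whitelist path and the user names my_user and http are assumptions taken from the text; the whitelist check is a re-implementation of exim’s lsearch matching rules, not exim’s own code.

```sh
#!/bin/sh
# Post-setup checks for the Exim/Dovecot configuration described above.
# Added example, not part of the original post. The host name, the
# whitelist path and the user names are assumptions taken from the text.
set -eu

HOST="${MAIL_HOST:-ganymede.ch}"
WHITELIST="${WHITELIST:-/etc/mail/accepted_local_users}"
KEY="/etc/letsencrypt/live/$HOST/privkey.pem"

# Mirror exim's lsearch lookup on the whitelist: the key is the first
# field of a line (up to a colon or whitespace), lines starting with '#'
# are comments, and only a whole-key match counts, so "ali" never matches
# "alice". Returns 0 when the user is accepted, 1 otherwise.
is_accepted_local_user() {  # $1 = local part, $2 = whitelist file
    awk -v u="$1" -F'[: \t]+' \
        '/^[[:space:]]*#/ { next } $1 == u { found = 1 } END { exit !found }' "$2"
}

# The exim user must be able to read the private key, because exim opens
# it only when a TLS session is set up, after it has dropped root.
check_key_readable() {
    sudo -u exim test -r "$KEY"
}

# Exim must offer STARTTLS and present a chain that verifies against the
# system trust store (-verify_return_error turns a failed verification
# into a non-zero exit status).
check_smtp_starttls() {
    printf 'QUIT\r\n' | openssl s_client -connect "$HOST:25" -starttls smtp \
        -servername "$HOST" -verify_return_error >/dev/null 2>&1
}

# Same for POP3 over TLS on port 995.
check_pop3s() {
    printf 'QUIT\r\n' | openssl s_client -connect "$HOST:995" \
        -servername "$HOST" -verify_return_error >/dev/null 2>&1
}

# With system passwords in play, a plaintext login on port 110 must be
# refused; this relies on dovecot's default disable_plaintext_auth = yes.
check_pop3_plaintext_refused() {
    printf 'USER probe\r\nQUIT\r\n' | nc -w 3 "$HOST" 110 \
        | grep -q 'Plaintext authentication disallowed'
}

# Exim's address test mode (-bt) shows which router and transport an
# address ends up in without delivering anything (run as root).
check_routing() {  # $1 = whitelisted user, $2 = local user that must be refused
    exim -bt "$1@$HOST" 2>&1 | grep -q 'transport = local_delivery' &&
    exim -bt "$2@$HOST" 2>&1 | grep -q 'Unknown user'
}

fail=0
report() {  # $1 = label, remaining args = check to run
    label=$1; shift
    if "$@"; then echo "ok   $label"; else echo "FAIL $label"; fail=1; fi
}

if [ "${1:-}" = "--live" ]; then   # only talk to the real server when asked to
    report "key readable by exim"            check_key_readable
    report "SMTP STARTTLS, chain verifies"   check_smtp_starttls
    report "POP3S chain verifies"            check_pop3s
    report "plaintext POP3 login refused"    check_pop3_plaintext_refused
    report "routing: my_user ok, http refused" check_routing my_user http
    report "whitelist lists my_user"         is_accepted_local_user my_user "$WHITELIST"
    exit "$fail"
fi
```

Run it as root with --live on the mail host; without the flag it only defines the functions, so the whitelist check can be exercised against a temporary file before touching the real one.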


ArchLinuxARM Package Downgrading
March 18th, 2020 under Linux. [ Comments: none ]

I’m running ArchLinuxARM on my Odroid C2. After a system upgrade it wouldn’t boot anymore. After going through some forums I figured out that systemd was the culprit, so I had to downgrade it to the previous version. But how do I achieve this when I only have an x64 system lying around?

My goal was to take the MMC that stores the system of my Odroid C2 and mount it on my x64 machine so that I have access to the filesystem of the ArchLinuxARM installation. This is straightforward with a memory card adapter. Now comes the tricky part.

You need to be able to run ARM executables (in my case aarch64) on the host. So the first step is to get qemu-user-static onto the x64 system; the AUR has a package for it. After building and installing that package, copy the emulator for your target architecture into the mounted MMC, which I mounted at /mnt:

cp /usr/bin/qemu-aarch64-static /mnt/usr/bin/

Next you need arch-install-scripts for the arch-chroot command. This is a wrapper around chroot that sets up the mounts (/proc, /sys, /dev) and resolv.conf an Arch Linux system expects.

Now execute pacman inside the chroot through the emulator to downgrade the package from the package cache on the MMC:

arch-chroot /mnt qemu-aarch64-static /bin/pacman -U /var/cache/pacman/pkg/systemd-244.3-1-aarch64.pkg.tar.xz

Two things to check: the helpers pacman runs during the install (install scriptlets, ldconfig, systemd-sysusers) are aarch64 binaries as well, so if they fail with an Exec format error, register qemu-aarch64-static with binfmt_misc on the host so the kernel runs them through the emulator automatically. And after a successful downgrade, add the package to IgnorePkg in pacman.conf until the problem is fixed upstream; otherwise the next -Syu pulls the broken version in again.
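As an added example (not from the original post), here is the same procedure as a script that first reads the ELF header of the target’s pacman to pick the matching qemu-user-static binary, so the wrong emulator cannot end up on the card by accident. The mount point and the package path are arguments; that qemu-user-static is installed on the host and that arch-install-scripts provides arch-chroot are assumptions.

```sh
#!/bin/sh
# Downgrade a package inside a mounted ArchLinuxARM root from an x86-64
# host. Added example for the procedure above, not from the original post.
# Assumptions: the root is mounted at the given mount point, qemu-user-static
# is installed on the host, and the old package is still in the target's
# /var/cache/pacman/pkg.
set -eu

# Read e_machine (bytes 18-19 of the ELF header, little-endian) from a
# binary in the target root and name the matching qemu-user-static
# interpreter, so the script refuses to run the wrong emulator.
qemu_for_elf() {  # $1 = path to an ELF executable
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo "not an ELF file: $1" >&2; return 1; }
    machine=$(od -An -tx1 -j18 -N2 "$1" | tr -d ' \n')
    case "$machine" in
        b700) echo qemu-aarch64-static ;;   # EM_AARCH64 (0xb7)
        2800) echo qemu-arm-static ;;       # EM_ARM (0x28)
        3e00) echo native ;;                # EM_X86_64: no emulation needed
        *) echo "unsupported e_machine 0x$machine" >&2; return 1 ;;
    esac
}

# Copy the emulator into the target root and run pacman there. The package
# path is relative to the chroot. Helpers that pacman spawns (install
# scriptlets, ldconfig) are target-architecture binaries too, so the host
# also needs the interpreter registered with binfmt_misc for those.
downgrade_in_chroot() {  # $1 = mount point, $2 = package file (inside chroot)
    root=$1; pkg=$2
    qemu=$(qemu_for_elf "$root/usr/bin/pacman")
    if [ "$qemu" = native ]; then
        arch-chroot "$root" pacman -U "$pkg"
    else
        cp "/usr/bin/$qemu" "$root/usr/bin/"
        arch-chroot "$root" "$qemu" /usr/bin/pacman -U "$pkg"
    fi
}

# usage: ./downgrade.sh /mnt /var/cache/pacman/pkg/systemd-244.3-1-aarch64.pkg.tar.xz
if [ "$#" -eq 2 ]; then
    downgrade_in_chroot "$1" "$2"
fi
```

The header check costs nothing and catches the classic mistake of mounting the wrong card or copying qemu-arm-static where qemu-aarch64-static was needed.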


Http Git Server
August 30th, 2011 under Linux, Programming. [ Comments: none ]

Eventually, I decided to give Git a try. Therefore, I set up a Git server on ganymede.ch. The server uses the handy git-http-backend.

git-http-backend is a CGI program that handles Git’s smart HTTP protocol. The setup is straightforward. First, make sure Apache may access and execute the git programs. On Arch Linux this looks like this:

<Directory "/usr/lib/git-core*">
    Order allow,deny
    Allow from all
</Directory>

(That is Apache 2.2 syntax; on Apache 2.4 the two directives are replaced by Require all granted.)

To get the CGI program working I followed the man page and added

SetEnv GIT_PROJECT_ROOT /srv/git
SetEnv GIT_HTTP_EXPORT_ALL
SetEnv REMOTE_USER=$REDIRECT_REMOTE_USER
ScriptAlias /git/ /usr/lib/git-core/git-http-backend/

Note that GIT_HTTP_EXPORT_ALL serves every repository below /srv/git; leave it out if only repositories containing a git-daemon-export-ok file should be reachable.

Finally, we want authentication. Basic authentication sends the password base64-encoded, i.e. effectively in the clear, so it only belongs on an HTTPS vhost. It can be done by

<Location /git/reposname>
        AuthType Basic
        AuthName "Private Git Access"
        Require group committers
        ...
</Location>

for read/write authentication or

<LocationMatch "^/git/reposname/git-receive-pack$">
      AuthType Digest
      AuthName "Git Repositories"
      AuthUserFile /srv/git/.git-auth-file
      AuthGroupFile /srv/git/.git-group-file
      Require group mygroup
</LocationMatch>

I have an entry for each separate repository. This way I can have a fine-grained access scheme by using different groups for different repositories. The second form leaves fetches anonymous and only protects pushes (git-receive-pack). Note that the user file for Digest authentication must be created with htdigest, not htpasswd, and with the same realm string as AuthName, because the stored hash covers the realm.

NOTE: Unfortunately, I couldn’t figure out how to ScriptAlias / instead of /git to the CGI script. For more information see: stackoverflow

This already gives a working Git server. I also installed cgit to provide a web interface.

What remains to be done is to create a repository. For this execute git init --bare reposname below /srv/git. Make sure the Apache user (http on Arch Linux) has the necessary rights on the new repository: read access for fetches and write access for pushes, since git-http-backend runs as that user.

That’s it!

Note: When you see error messages during clone that mention update-server-info, run git update-server-info in the repository and enable the post-update hook, which contains exec git update-server-info (in my case this was the default content of the post-update file). By the way, the hooks are located under hooks in the repository folder. Another issue is that right after git init --bare there is nothing in the repository, so I had to do an explicit push the first time, specifying where to push: git push http://my_git_server/git/repos master.

On the client side it might be worth creating a ~/.netrc file with

    machine git_server.com
    login your_git_login
    password your_git_password

and restricting it with chmod 600 ~/.netrc, since the password is stored in clear text.

This way you don’t have to pass the password everytime you push/pull to/from the GIT server.
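Putting the server-side steps together, the following script is an added example and not part of the original post or of git itself: it creates the bare repository with the post-update hook, runs update-server-info once so the empty repository is already cloneable, hands the tree to the web server user, and then probes the published URL with curl to confirm that anonymous fetches work, anonymous pushes get a 401, and a committer’s credentials are accepted. The Arch http user, the /srv/git root, the ganymede.ch URL and the user alice are assumptions.

```sh
#!/bin/sh
# Create a bare repository for git-http-backend and verify the access policy
# from outside. Added example, not from the original post. Assumptions:
# Apache runs as the Arch "http" user, repositories live under /srv/git and
# are served at https://ganymede.ch/git/<name>; user names are made up.
set -eu

WEB_USER="${WEB_USER:-http}"

# Create <root>/<name>, install a post-update hook that refreshes info/refs
# after every push (needed for clients that fall back to dumb HTTP), run
# update-server-info once so the empty repository is already cloneable, and
# hand the tree to the web server user so pushes through Apache can write.
prepare_bare_repo() {  # $1 = root directory, $2 = repository name
    repo="$1/$2"
    git init --bare --quiet "$repo"
    mkdir -p "$repo/hooks"
    printf '#!/bin/sh\nexec git update-server-info\n' > "$repo/hooks/post-update"
    chmod 755 "$repo/hooks/post-update"
    git --git-dir="$repo" update-server-info
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$WEB_USER:$WEB_USER" "$repo"
    fi
    echo "$repo"
}

# HTTP status code of a request; extra arguments are passed on to curl.
http_status() {  # $1 = url, remaining args = curl options
    url=$1; shift
    curl -s -o /dev/null -w '%{http_code}' "$@" "$url"
}

# Anonymous read must work, an anonymous push must be challenged (401), and
# a committer must get past the challenge. An empty POST with the proper
# content type is enough to trigger Apache's auth decision; --anyauth lets
# curl answer either a Basic or a Digest challenge.
check_access_policy() {  # $1 = repository url, $2 = user:password of a committer
    rp="$1/git-receive-pack"
    ct='Content-Type: application/x-git-receive-pack-request'
    s=$(http_status "$1/info/refs?service=git-upload-pack")
    [ "$s" = 200 ] || { echo "anonymous fetch: expected 200, got $s"; return 1; }
    s=$(http_status "$rp" -X POST -H "$ct" --data-binary '')
    [ "$s" = 401 ] || { echo "anonymous push: expected 401, got $s"; return 1; }
    s=$(http_status "$rp" -X POST -H "$ct" --data-binary '' --anyauth --user "$2")
    [ "$s" != 401 ] && [ "$s" != 403 ] || { echo "committer push refused: $s"; return 1; }
    echo "access policy ok"
}

# usage: ./gitrepo.sh <name> [<repo url> <user:password>]
#   e.g. ./gitrepo.sh demo.git https://ganymede.ch/git/demo.git alice:secret
if [ "$#" -ge 1 ]; then
    prepare_bare_repo "${GIT_ROOT:-/srv/git}" "$1"
    if [ "$#" -eq 3 ]; then
        check_access_policy "$2" "$3"
    fi
fi
```

The probe is worth keeping around: after every change to the Apache configuration it tells you within a second whether a repository has silently become world-writable or unreadable, which is easy to miss when the only clients are your own authenticated ones.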


A List of Useful Applications, Plugins, etc.
February 23rd, 2011 under Linux. [ Comments: none ]

Websites:

  • serchilo.net: a website that allows you to select a search engine with a single character (very handy as the default search engine in a browser)

Plugins:

  • LanguageTool, an OpenOffice plugin for grammar checking in multiple languages

Applications:


Detach a command from a terminal
January 10th, 2011 under Linux. [ Comments: none ]

When you run an application from a terminal and then close the terminal, the application is terminated. This is also the case when you run the application in the background (& at the end): when the terminal goes away, the shell receives SIGHUP and passes it on to its jobs.

To detach an application from the terminal so that it survives the terminal closing, use the nohup command:

nohup cmd &

nohup makes the command ignore SIGHUP and, if stdout is a terminal, redirects its output to nohup.out; redirect stdout and stderr yourself if you want the output somewhere else. Note that this does not turn the program into a proper daemon (it keeps the shell’s session and working directory), it only makes it immune to the hangup signal.

