nitrolife

nitrolife@rekabu.ru · edit-2 23 hours ago

But in reality, this will only allow you to receive incoming mail. In order for outgoing mail to work, it is necessary that the mail server and all the strapping go through the VPS to the Internet. This requires a rather complicated configuration of iptables, and I recommend that you simply either fill up the mailer on a VPS (there will be a maximum of gigabytes of mail. it’s not that heavy), or buy a static address at home.

If you still decide to go the hard way, here’s an approximate plan for what you need to do in the spirit of iptables, because setting it up in firewalld is a real torment.:

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -m owner --uid-owner 924 -j MARK --set-mark 0x300
COMMIT

where 924 is the postfix user ID, you may have a different number. check it out

ip route add default via 10.8.12.4 dev wg0 table 100

adding the default route via the VPS address to the routing table 100. replace 10.8.12.4 with the address of your VPS and wg0 with the name of the interface for communication between the VPS and home. Then

ip rule add from all fwmark 0x300 lookup 100

We are sending all packets with the label 0x300 to the routing table 100. In other words, the postfix user will have his own custom routing table via VPS.

This creates several problems due to the fact that with this configuration, it may not be possible to connect to postfix via your server’s interfaces. But in basic case all will work. Bypassing this problem will create even more complex routing rules and will generally be overkill. But if you’re interested, write to me and I’ll sign it.

nitrolife@rekabu.ru · edit-2 23 hours ago

Well… as I already wrote, my home server is literally on the Internet because I rent a static public IP address from the provider.

But if you have a VPS, then you just need to do port forwarding to your server with a VPS, and then add the following entries to the mx DNS server:

you.domain.              21600   IN      MX      10 you.first.vps.
you.domain.              21600   IN      MX      20 you.second.vps.

Where 10 and 20 are the server priority Or if the VPS is part of your domain then:

you.domain.              21600   IN      MX      10 first.vps.you.domain. 
you.domain.              21600   IN      MX      20 second.vps.you.domain. 

first.vps.you.domain.             21600   IN      A       1.1.1.1
second.vps.you.domain.        21600   IN      A       2.2.2.2

And if you also have IPv6, you can do

first.vps.you.domain.             21600   IN      AAAA       fd00::1
second.vps.you.domain.        21600   IN      AAAA       fd00::2

Where 1.1.1.1, 2.2.2.2, fd00::1 and fd00::2 are the addresses of your VPS

You also need to enter the address in the SPF:

you.domain.              21600   IN      TXT     "v=spf1 +mx -all"

What does it mean

v=spf1 is the SPF version.

+mx – it is allowed to send mail from the IP addresses specified in the MX records of the domain.

-all – prohibits sending from any other servers (hard refusal).

Also, in order for the signature to work on the mail server, you need to make several TXT entries (for a detailed explanation, see my links about DKIM):

keyname.__domainkey.you.domain. TXT "v=DKIM1; ...%DKIM params%"

and

you.domain.             86400   IN      TXT     "v=DMARC1...%dmarc params%"

And you need ask you VPS provider set PTR for you VPS IP address with first.vps.you.domain. Or some providers access that config in web panel.

nitrolife@rekabu.ru · 23 hours ago

Thanks, I’ll give it a try sometime.

nitrolife@rekabu.ru · 23 hours ago

On my home server. My ISP gives me a static address and makes PTR records for only about $1.5 per month.

nitrolife@rekabu.ru · 23 hours ago

I have been using my own email for many years (to this day). Everything is working great. The main thing is to have a static IP and be able to specify your domain in the PTR record of the ip address.

In general, you will need: postfix (https://wiki.archlinux.org/title/Postfix) OpenDMARC (https://wiki.archlinux.org/title/OpenDMARC) OpenDKIM (https://wiki.archlinux.org/title/OpenDKIM) Dovecot (https://wiki.archlinux.org/title/Dovecot) Some interface to choose from (soGO, roundcube) Maybe graylists, ClamAV, SpamAssassin, or something else to protect your mailbox from spam and viruses. And if you want filtering functionality, then you also need Sieve.

nitrolife@rekabu.ru · 12 days ago

It all depends on the greed of the campaign. I worked in a campaign where it was considered normal to keep a degraded raid without repair. Of course, data loss is a normal story in such companies. The raid guarantees data security only when one disk is being pulled (except for some raids), so it also needs to be monitored and replaced. On the other hand, with proper operation, you probably won’t lose any data.

P.S. RAID0 - raid that can’t be restored when degraded any disk in RAID. This is exactly worse choice for data save. STRIPE also writes blocks one at a time to the first disk and to the second, so that you would definitely lose exactly 50% of data blocks. Best choice raid10 for performance and raid5 if you need save money.

nitrolife@rekabu.ru · edit-2 1 month ago

ISC DHCP switched to KEA DHCP, They don’t have package in Debian repo, but you can add repo and install: https://cloudsmith.io/~isc/repos/kea-3-0/packages/

nitrolife@rekabu.ru · 1 month ago

ISC really deprecated… =( You can install dnsmasq of course, but he is much more slow. But nice for small networks.

Firewalld is much worse for small sustems. Who is really need mark ports? But in difficult cases you need write iptables rich rules anyway. So, as result I love old school with clean iptables without any upperlevel daemons.

nitrolife@rekabu.ru · edit-2 1 month ago

Enable packet forwarding via interfaces:

# cat /etc/sysctl.d/01-forward.conf  

net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.default.forwarding = 1

Then install isc-dhcp-server and configure ipv4 and ipv6 dhcp server. (only on local ports or you internet prowider will be angry)

short example:

# cat /etc/dhcpd.conf  
ddns-update-style interim;
ddns-updates on;
ddns-domainname "my.local";
ddns-rev-domainname "in-addr.arpa";
allow client-updates;
update-conflict-detection true;
update-optimization true;
authoritative;
default-lease-time 86400;
preferred-lifetime 80000;
max-lease-time 86400;
allow leasequery;
option domain-name "my.local";
option domain-name-servers 192.168.1.1;
lease-file-name "/var/lib/dhcp/dhcpd.leases";

# cat /etc/dhcpd6.conf  
ddns-update-style interim;
ddns-updates on;
ddns-domainname "my.local";
ddns-rev-domainname "ip6.arpa";
allow client-updates;
update-conflict-detection true;
update-optimization true;
authoritative;
default-lease-time 86400;
preferred-lifetime 80000;
max-lease-time 86400;
allow leasequery;
option domain-name "my.local";
option dhcp6.name-servers fd00:1::1;
option dhcp6.domain-search "my.local";
option dhcp6.preference 255;
dhcpv6-lease-file-name "/var/lib/dhcp/dhcpd6.leases";

don’t forget start dhcpd@lan and dhcpd6@lan

Then install radvd and configure RA ipv6 broadcasting. (only on local ports or you internet prowider will be angry)

# cat /etc/radvd.conf

interface br0
{
        AdvSendAdvert on;
        MinRtrAdvInterval 3;
        MaxRtrAdvInterval 10;
        AdvDefaultPreference low;
        AdvHomeAgentFlag off;

        prefix fd00:1::/64
        {
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr off;
        };

        RDNSS fd00:1::1
        {
                AdvRDNSSLifetime 30;
        };

        DNSSL my.local
        {
                AdvDNSSLLifetime 30;
        };

};

Then install iptables-persistent and configure ipv4 and ipv6 rules in /etc/iptables/ . Change lan and internet to you real interfaces.

# cat /etc/iptables/rules.v4
# Generated by iptables-save v1.6.1 on Mon Dec 30 18:53:43 2019
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0] 
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o internet -j MASQUERADE
COMMIT
# Completed on Mon Dec 30 18:53:43 2019
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
#UNBRICK IF YOU WANT ACCESS FROM INTERNET
-A INPUT -s x.x.x.x -j ACCEPT
-A INPUT -s y.y.y.y -j ACCEPT
#BASE
-A INPUT -i lo -j ACCEPT
-A INPUT -i lan -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lan -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT

# cat /etc/iptables/rules.v6
# Generated by ip6tables-save v1.6.0 on Thu Sep  8 13:29:11 2016
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o internet -j MASQUERADE
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
#BASE INPUT
-A INPUT -i lo -j ACCEPT
-A INPUT -i lan -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lan -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT

Then install dns relay. I user bind, but that some overkill. But anyway:

install named / bind9

# cat /etc/named.conf

...
acl "lan" {
           192.168.1.0/24;
           127.0.0.1;
           fd00:1::/64;
           ::1/128;
};

tls google-DoT {
    ca-file "/var/named/google.crt"; //SET google cert path here
    remote-hostname "dns.google";
};

tls local-cert { //if you want local SSL requests
    cert-file "/etc/letsencrypt/live/local/cert.pem";
    key-file "/etc/letsencrypt/live/local/privkey.pem";
};


options {
    directory "/var/named";
    pid-file "/run/named/named.pid";

    forwarders port 853 tls google-DoT {
      8.8.8.8;
      8.8.4.4;
    };

    // Uncomment these to enable IPv6 connections support
    // IPv4 will still work:
    //listen-on-v6 { any; };
    // Add this for no IPv4:
    //listen-on { any; };

    listen-on-v6 { fd00:1::1; ::1; };
    listen-on { 192.168.1.1; 127.0.0.1; };

    listen-on-v6 tls local-cert { fd00:1::1; ::1; }; //if you want local SSL requests
    listen-on    tls local-cert { 192.168.1.1; 127.0.0.1; }; //if you want local SSL requests

    allow-recursion { lan; };
    allow-recursion-on { 192.168.1.1; fd00:1::1; 127.0.0.1; ::1; };
    allow-transfer { none; };
    allow-update { none; };
    allow-query { lan; };
    allow-query-cache { lan; };
    allow-query-cache-on { 192.168.1.1; fd00:1::1; 127.0.0.1; ::1; };

    version "DNS Server 1";
    hostname "interesting server";
    server-id "realy interesting server";

    dnssec-validation auto;
    empty-zones-enable no;
    minimal-responses yes;
    http-port 8888;

    listen-on http local tls none { any; };
    listen-on-v6 http local tls none { any; };

    auth-nxdomain no;    # conform to RFC1035
};
...

All done.

nitrolife@rekabu.ru · edit-2 1 month ago

archlinux + podman / libvirtd + nomad (libvirt and docker plugins) + ansible / terraform + vault / consul sometimes

UPD:

archlinux - base os. You never need change major version and that is great. I update core systems every weekend.

podman / libvirtd - 2 types of core abstractions. podman - docker containers management, libvirtd - VM management.

nomad - Hashicorp orcestrator. You can run exec, java application, container or virtual machine on one way with that. Can integrate with podman and libvirtd.

ansible - VM configuration playbooks + core system updates

terraform - engine for deploy nomad jobs (docker containers. VMs. execs or something else)

Vault - K/V storage. I save here secrets for containers and VMs

consul - service networking solution if you need realy hard network layer

As a result, I’m not really sure if it’s a simple level or a complex one, but it’s very flexible and convenient for me.

UPD2: As a result, I described the applications level, but in fact it is 1 very thick server on AMD Epic with archlinux. XD By the way, the lemmy node from which I write is just on it. =) And yes, it’s still selfhosted.

nitrolife@rekabu.ru · edit-2 2 months ago

The only way to connect the SIM number directly is to hack the VoWiFi protocol, but this is not trivial and you still need to install the SIM in the server.

Option 2 - Buy a home SIP2GSM gateway. But it’s quite expensive (by the standards of my region anyway). SMS work with SMPP, calls work too. For goIP I wrote telegram SMS gateway if you interesting: https://github.com/lifespirit/telegram-smpp-bot

Or use SIP providers from your region/operators that support SIP connectivity and then enable full calls redirection. For calls ok.

UPD: or just use VoWiFi from mobile phone. But you need sim slot in phone.

Anyway in all another way you need install asterisk/freeswitch and write config fot it. And linphone client.