Installing Debian 11 on a Protectli VP2410 (Part 2)

The next step is to install the public-facing applications for email and web sites and the certificates they require. Certbot will be used to obtain letsencrypt certs, but Apache httpd is installed first to enable the challenges to be satisfied. And before that, we need to install python for the cgi-bin scripts (and certbot).

Python

Installed python3.9 using apt. In order to make this the default for python, I ran update-alternatives:

  sudo update-alternatives --install /usr/bin/python python /usr/bin/python3.9 10

Apache web server

Copied fuligin.conf from fuligin to /etc/apache2/sites-available/010-ash.conf and removed stanzas for fuligin virtual host. Also renamed opal/fuligin to ash for server aliases. This configuration file includes the necessary setup to handle the letsencrypt challenge.

Enabled the sites with a2ensite 010-ash

Enabled the following modules with a2enmod:

  a2enmod ssl
  a2enmod cgi
  a2enmod dav_fs
  a2enmod dav_lock

This creates links from mods-enabled to mods-available.

Also added sites-available configuration for pix: 020-pix.conf, and enabled it.

To build the websites, tidy must be installed with apt, and python must also be installed (see above).

To enable emacs org files to be updated by both Orgzly (on an Android phone) and local emacs, I needed to set the webdav directory as owned by www-data, with my user group, setting group permissions to rwx. Also added the following line to /etc/apache2/envvars to ensure apache2 doesn't remove group write access:

  umask 002

Certbot

Certs are needed by three applications: httpd, dovecot and exim, supporting two websites: hydrus.org.uk and reuniongang.org.uk.

Certbot was installed via apt. To obtain the certs (when ash is the internet-facing web server):

  certbot certonly --apache -d hydrus.org.uk,ash.hydrus.org.uk,\
    chrome.hydrus.org.uk,crimson.hydrus.org.uk,mail.hydrus.org.uk,\
    www.hydrus.org.uk
  certbot certonly --apache -d reuniongang.org.uk,www.reuniongang.org.uk

Installing certbot also installs a cron job to update certs. Seems to run twice a day, which appears overkill.

Exim4 runs as user Debian-exim, so it cannot read the certs as downloaded by certbot. We therefore need a script to make the certs readable by exim. This is placed in /etc/letsencrypt/renewal-hooks/post. The contents of the post-cert.sh script are as follows:

  #!/bin/sh

  # Enable cert access for exim4
  # Run as post-hook for certbot

  CERTDIR=/etc/letsencrypt/live/hydrus.org.uk
  EXIMDIR=/etc/exim4/certs

  for file in privkey.pem fullchain.pem; do
          cp ${CERTDIR}/${file} ${EXIMDIR}
          chown Debian-exim ${EXIMDIR}/${file}
          chmod 400 ${EXIMDIR}/${file}
  done
  systemctl restart exim4
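
If the post-hook does not run after a renewal (for example because the file in renewal-hooks/post is not executable), exim keeps serving the old certificate from /etc/exim4/certs. The check below is an added example, not part of the original script; the function name check_exim_certs is made up here and it assumes GNU stat as shipped with Debian.

```shell
#!/bin/sh
# Added example: audit the copies made by the certbot post-hook.
# Usage: check_exim_certs /etc/letsencrypt/live/hydrus.org.uk \
#                         /etc/exim4/certs Debian-exim
# Prints one line per problem and returns 0 only when every copy is
# present, identical to the live file, owned by OWNER and mode 400.
check_exim_certs() {
    live=$1; copy=$2; owner=$3; rc=0
    for f in privkey.pem fullchain.pem; do
        if [ ! -f "$copy/$f" ]; then
            echo "MISSING $copy/$f"
            rc=1
            continue
        fi
        # The files in live/ are symlinks into archive/, so compare the
        # contents rather than timestamps or inodes.
        if ! cmp -s "$live/$f" "$copy/$f"; then
            echo "STALE $copy/$f differs from $live/$f"
            rc=1
        fi
        mode=$(stat -c '%a' "$copy/$f")
        user=$(stat -c '%U' "$copy/$f")
        [ "$mode" = 400 ] || { echo "MODE $copy/$f is $mode, expected 400"; rc=1; }
        [ "$user" = "$owner" ] || { echo "OWNER $copy/$f is $user, expected $owner"; rc=1; }
    done
    return $rc
}
```

Run it as root, since the private key under live/ is not readable by other users.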

Exim4

Exim4 was already installed as part of the Debian flavour I'd installed (XFCE4). I ran dpkg-reconfigure exim4 to end up with these contents in update-exim4.conf.conf:

  dc_eximconfig_configtype='smarthost'
  dc_other_hostnames='ash.hydrus.org.uk;hydrus.org.uk;reuniongang.org.uk'
  dc_local_interfaces=''
  dc_readhost=''
  dc_relay_domains=''
  dc_minimaldns='false'
  dc_relay_nets=''
  dc_smarthost='smarthost.co.uk::587'
  CFILEMODE='644'
  dc_use_split_config='false'
  dc_hide_mailname='false'
  dc_mailname_in_oh='true'
  dc_localdelivery='mail_spool'

Additional Local Configuration

Followed this guide (mostly). I'm using STARTTLS and port 578 for my smarthost.

Defined local macros in /etc/exim4/exim4.conf.localmacros:

  # Local macros for ash

  # TLS
  MAIN_TLS_ENABLE = yes
  REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS = *

  # letsencrypt hydrus.org.uk certs, copied here after certbot renews them
  MAIN_TLS_PRIVATEKEY = /etc/exim4/certs/privkey.pem
  MAIN_TLS_CERTIFICATE = /etc/exim4/certs/fullchain.pem

  # Email appears to come from user@hydrus.org.uk
  REMOTE_SMTP_HEADERS_REWRITE = *@*.hydrus.org.uk  $1@hydrus.org.uk  f

Sending mail to local network machines

This required adding a new router and transport to the exim configuration file. The least intrusive way of doing this, for the unsplit configuration I'm using, involves creating the appropriate new configurations in /etc/exim4/conf.d.

The router is defined in the router sub-directory (050_exim4-config_local_network):

  # Invoke local_smtp transport for recipient addresses on domain machines
  # (except those defined as local to ash)  - anything ending in
  # the domain name, or unadorned host names (assuming they
  # contain no digits).  If the recipient does not match anything
  # in the domains value the smarthost router is used.
  local_network:
    driver = dnslookup
    transport = local_smtp
    domains = ! +local_domains:*.hydrus.org.uk:^[A-Za-z]*\$

The new transport is defined in the transport sub-directory (20_exim4-config_local_smtp):

  # Define a transport for local machines. This invokes
  # the smtp transport with no extras.
  local_smtp:
    driver = smtp

Once the new configuration files have been created, the main exim4 configuration file, exim4.conf.template, is re-created by running update-exim4.conf.template -r.

Keeping the additional configuration in separate files should make an upgrade easier.

User authentication for mail relay

Set up a user by running /usr/share/doc/exim4-base/examples/exim-adduser. This creates /etc/exim4/passwd. It contains the plaintext password, so edit the file to remove it (plus the leading :). Then:

  # chgrp Debian-exim passwd
  # chmod 640 passwd

Then copy the following stanza from /etc/exim4/conf.d/auth/30_exim4-config_examples to /etc/exim4/conf.d/auth/20_exim4-config_plain_server, removing the comment characters. This will create a plain authenticator, protected by STARTTLS.

  plain_server:
    driver = plaintext
    public_name = PLAIN
    server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lse$
    server_set_id = $auth2
    server_prompts = :
    .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
       server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
    .endif

Run update-exim4.conf.template -r to regenerate the exim4.conf.template file. Edit /etc/default/exim4 to add port 587 to the listener options:

  SMTPLISTENEROPTIONS='-oX 25:587 -oP /run/exim4/exim.pid'

Don't forget to ensure /etc/aliases is updated as required by the local setup.

Now we can restart exim4 with:

  sudo systemctl restart exim4
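
An added check (not from exim4 or the original setup) that the edit of /etc/exim4/passwd removed every plaintext password and that the file has the group and mode set above. It assumes entries of the form user:crypted-password, since the authenticator looks up $auth2 and uses only the first colon-separated field of the result (extract{1}{:}); the function name audit_exim_passwd is invented for this example.

```shell
#!/bin/sh
# Added example: audit the exim relay password file.
# Usage: audit_exim_passwd /etc/exim4/passwd Debian-exim
# Assumed entry format: user:crypted-password, one entry per line.
# Only line numbers are reported, never line contents, so a leftover
# plaintext password does not end up in a terminal log.
audit_exim_passwd() {
    file=$1; group=$2; rc=0

    # Skip blank lines and comments. Every other line must have exactly
    # two colon-separated fields; a third field is what remains when the
    # plaintext password was not removed.
    lines=$(awk -F: '!/^[ \t]*(#|$)/ && NF != 2 {
                printf "%s%d", sep, NR; sep = ","
            }' "$file")
    if [ -n "$lines" ]; then
        echo "FIELDS $file: line(s) $lines are not user:crypted-password"
        rc=1
    fi

    # Mode and group as set with chgrp/chmod: readable by the exim
    # group, not by other users.
    mode=$(stat -c '%a' "$file")
    grp=$(stat -c '%G' "$file")
    [ "$mode" = 640 ] || { echo "MODE $file is $mode, expected 640"; rc=1; }
    [ "$grp" = "$group" ] || { echo "GROUP $file is $grp, expected $group"; rc=1; }
    return $rc
}
```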

Spambayes3

I run spambayes as the spam detection agent, updated (mostly) to Python 3. The biggest issue is the Berkeley database spambayes requires. I have a copy of the source code for db-6.2.38.NC, so rebuilt it on ash with:

  cd ~/dev/db-6.2.38.NC/build_unix
  make clean #(if necessary)
  make
  sudo make install

The python bindings are installed with sudo apt install python3-bsddb3. All seems to work.

Music Player Daemon

I have a USB sound card, which connects ash to a Ruark MR1 system. I installed mpd, which is controlled from an Android phone using MALP. For this USB sound card to be fully used by mpd, I had to add the following to /etc/mpd.conf:

  audio_output {
        type            "alsa"
        name            "USB Audio"
        device          "hw:1,0"
        mixer_device    "hw:1"
        mixer_type      "hardware"
        mixer_control   "Speaker"
  }

Cribbed from here.