Merge pull request #69 from vedetta-com/wip

horia · web-flow · commit 55eeedac2909 · 2018-04-11T14:42:31.000-05:00
- Add and bayes classification of messages
- Fix MUA Autoconfiguration
- Fix autoinstall
- Update the Installation Guide
diff --git a/INSTALL.md b/INSTALL.md
@@ -108,15 +108,15 @@ dsync [SSH](src/etc/ssh/sshd_config) limited to one "[command](src/home/dsync/.s
 su - dsync
 ssh-keygen
 echo "command=\"doas -u vmail \${SSH_ORIGINAL_COMMAND#*}\" $(cat ~/.ssh/id_rsa.pub)" | \
-	ssh puffy@hermes.example.com "cat >> ~/.ssh/authorized_keys"
+	ssh puffy@hermes.example.com "cat >> /home/dsync/.ssh/authorized_keys"
 exit
 ```
 
 Update [/home/dsync](src/home/dsync), on primary and backup MX:
 ```sh
 chown -R root:dsync /home/dsync
 chmod 750 /home/dsync/.ssh
-chmod 640 /home/dsync/.ssh/{authorized_keys,id_rsa.pub,config}
+chmod 640 /home/dsync/.ssh/{authorized_keys,id_rsa.pub}
 chmod 400 /home/dsync/.ssh/id_rsa
 chown dsync /home/dsync/.ssh/id_rsa
 ```
@@ -182,7 +182,7 @@ grep -r hermes .
 find . -type f -exec sed -i "s|hermes|$(dig +short $(hostname | sed "s/$(hostname -s).//") mx | awk -vhostname="$(hostname)" '{if ($2 != hostname".") print $2;}')|g" {} +
 ```
 
-Update the allowed mail relays [source table](https://man.openbsd.org/table.5#Source_tables) [`etc/mail/relays`](src/etc/mail/relays).
+Update the allowed mail relays [source table](https://man.openbsd.org/table.5#Source_tables) [`src/etc/mail/relays`](src/etc/mail/relays).
 
 Update wheel user name "puffy":
 ```sh
@@ -210,7 +210,6 @@ install -o root -g wheel -m 0640 -b src/etc/acme-client.conf /etc/
 install -o root -g wheel -m 0640 -b src/etc/dhclient.conf /etc/
 install -o root -g wheel -m 0640 -b src/etc/dkimproxy_out.conf /etc/
 install -o root -g wheel -m 0640 -b src/etc/doas.conf /etc/
-install -o root -g wheel -m 0644 -b src/etc/hosts /etc/
 install -o root -g wheel -m 0640 -b src/etc/httpd.conf* /etc/
 install -o root -g wheel -m 0644 -b src/etc/login.conf /etc/
 install -o root -g wheel -m 0644 -b src/etc/newsyslog.conf /etc/
@@ -265,11 +264,8 @@ install -o root -g wheel -m 0644 -b src/var/unbound/etc/unbound.conf /var/unboun
 install -o root -g daemon -m 0755 -d src/var/www/htdocs/mercury.example.com /var/www/htdocs/$(hostname)
 install -o root -g daemon -m 0644 -b src/var/www/htdocs/mercury.example.com/index.html /var/www/htdocs/$(hostname)/
 
-install -o root -g daemon -m 0755 -d src/var/www/htdocs/autoconfig.example.com /var/www/htdocs/autoconfig.$(hostname | sed "s/$(hostname -s).//")
-install -o root -g daemon -m 0644 -b src/var/www/htdocs/autoconfig.example.com/index.html /var/www/htdocs/autoconfig.$(hostname | sed "s/$(hostname -s).//")/
-
-install -o root -g daemon -m 0755 -d src/var/www/htdocs/autoconfig.example.com/mail /var/www/htdocs/autoconfig.$(hostname | sed "s/$(hostname -s).//")/mail
-install -o root -g daemon -m 0644 -b src/var/www/htdocs/autoconfig.example.com/mail/config-v1.1.xml /var/www/htdocs/autoconfig.$(hostname | sed "s/$(hostname -s).//")/mail/
+install -o root -g daemon -m 0755 -d src/var/www/htdocs/mercury.example.com/mail /var/www/htdocs/$(hostname)/mail
+install -o root -g daemon -m 0644 -b src/var/www/htdocs/mercury.example.com/mail/config-v1.1.xml /var/www/htdocs/$(hostname)/mail/
 
 install -o root -g wheel -m 0644 -b src/root/.ssh/config /root/.ssh/
 
@@ -282,6 +278,7 @@ Unbound DNS validating resolver from root nameservers, with fallback:
 ```sh
 unbound-anchor -a "/var/unbound/db/root.key"
 ftp -o /var/unbound/etc/root.hints https://FTP.INTERNIC.NET/domain/named.cache
+rcctl enable unbound
 rcctl restart unbound
 cp src/etc/resolv.conf /etc/
 ```
@@ -299,7 +296,9 @@ sievec /var/dovecot/sieve/before/spamtest.sieve
 
 Turn off `httpd` tls:
 ```sh
-sed -i "s|^$(echo -e "\t")tls|$(echo -e "\t")#tls|" /etc/httpd.conf
+sed -i -e "s|^$(echo -e "\t")tls|$(echo -e "\t")#tls|" \
+	-e "/tls port https/s|^$(echo -e "\t")|$(echo -e "\t")#|" \
+	/etc/httpd.conf
 ```
 
 Start `httpd`:
@@ -309,33 +308,36 @@ rcctl start httpd
 
 Initialize a new account and domain key:
 ```sh
+mkdir -p /etc/ssl/acme/private
+chmod 700 /etc/ssl/acme/private
 acme-client -vAD $(hostname)
 ```
 
-OCSP response:
-```sh
-/usr/local/bin/get-ocsp.sh $(hostname)
-```
-
 Turn on `httpd` tls:
 ```sh
-sed -i "s|^$(echo -e "\t")#tls|$(echo -e "\t")tls|" /etc/httpd.conf
+sed -i -e "s|^$(echo -e "\t")#tls|$(echo -e "\t")tls|" \
+	-e "/tls port https/s|^$(echo -e "\t")#|$(echo -e "\t")|" \
+	/etc/httpd.conf
 ```
 
-Restart `httpd`:
+OCSP response:
 ```sh
-rcctl restart httpd
+/usr/local/bin/get-ocsp.sh $(hostname)
 ```
 
 Edit [`crontab`](src/var/cron/tabs/root):
 ```sh
 crontab -e
 ```
 
+*n.b.*: assuming [DKIM](https://github.com/vedetta-com/caesonia/blob/master/README.md#domain-keys-identified-mail-dkim) keys are set.
+
 ### Restart
 
 Restart the email service:
 ```sh
+touch /etc/pf.permanentban
+chmod 600 /etc/pf.permanentban
 pfctl -f /etc/pf.conf
 rcctl restart sshd dkimproxy_out rspamd dovecot smtpd
 ```
diff --git a/README.md b/README.md
@@ -25,7 +25,7 @@ Root your Inbox :mailbox_with_mail:
 - Flexible: switching roles is easy, making the process of changing VPS hosts a breeze (no downtime)
 - DMARC (with DKIM and SPF) email-validation system, to detect and prevent email spoofing
 - Uncensored DNS validating resolver from root nameservers
-- MUA auto-configuration, for modern clients
+- MUA Autoconfiguration, for modern clients
 - Daily (spartan) stats, to keep track of things
 - Your sieve scripts and managesieve configuration, let's get started
 
@@ -111,10 +111,8 @@ full sync: replication_full_sync_interval\ =\ 1h
 
 Disklabel: [var/www/htdocs/mercury.example.com/disklabel.min](src/var/www/htdocs/mercury.example.com/disklabel.min)
 
-Ansible: [ansible-role-mailserver](https://github.com/gonzalo-/ansible-role-mailserver/)
-
 ## Prerequisites
-A DNS name server (from a registrar, a free service, VPS host, or self-hosted) is required, which allows editing the following record types: [A](#forward-confirmed-reverse-dns-fcrdns), [AAAA](#forward-confirmed-reverse-dns-fcrdns), [SRV](#srv-records-for-locating-email-services), [MX](#mail-exchanger-mx), [CAA](#certification-authority-authorization-caa), [SSHFP](#secure-shell-fingerprint-sshfp), [TXT](#sender-policy-framework-spf)
+A DNS name server (from a registrar, a free service, VPS host, or self-hosted) is required, which allows editing the following record types: [A](#forward-confirmed-reverse-dns-fcrdns), [AAAA](#forward-confirmed-reverse-dns-fcrdns), [CNAME](#mozilla-autoconfiguration), [SRV](#srv-records-for-locating-email-services), [MX](#mail-exchanger-mx), [CAA](#certification-authority-authorization-caa), [SSHFP](#secure-shell-fingerprint-sshfp), [TXT](#sender-policy-framework-spf)
 
 #### Forward-confirmed reverse DNS ([FCrDNS](https://tools.ietf.org/html/draft-ietf-dnsop-reverse-mapping-considerations-06))
 Each MX subdomain has record types A, and AAAA with the VPS' IPv4, and IPv6:
@@ -140,13 +138,12 @@ dig +short -x 2001:0db8::1
 ```
 
 #### Mozilla [Autoconfiguration](https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration)
-Each autoconfig subdomain has record types A, and AAAA with the VPS' IPv4, and IPv6:
+Each autoconfig subdomain has record type CNAME pointing to Autoconfiguration server:
 ```console
-autoconfig.example.com.	86400   IN      A       203.0.113.1
-autoconfig.example.com.	86400	IN	AAAA	2001:0db8::1
+autoconfig.example.com.	86400	IN	CNAME	mercury.example.com.
 ```
 
-Each *virtual* autoconfig subdomain has record type CNAME pointing to *autoconfig.example.com*:
+Each *virtual* autoconfig subdomain has record type CNAME pointing to Autoconfiguration server:
 ```console
 autoconfig.example.net.	86400	IN	CNAME	autoconfig.example.com.
 ```
diff --git a/UPGRADE.md b/UPGRADE.md
@@ -23,7 +23,9 @@ rm libpthread-stubs.a \
 reboot
 boot: bsd.rd
 > (I)nstall, (U)pgrade, (A)utoinstall or (S)hell? U
+...
 Set name(s) = -comp* -game* -x*
+...
 reboot
 sysmerge
 pkg_add -u
@@ -49,22 +51,17 @@ pfctl -f /etc/pf.conf
 
 Mozilla [Autoconfiguration](https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration)
 ```sh 
-vi src/var/www/htdocs/autoconfig.example.com/index.html
-install -o root -g daemon -m 0755 -d src/var/www/htdocs/autoconfig.example.com /var/www/htdocs/autoconfig.$(hostname | sed "s/$(hostname -s).//")
-install -o root -g daemon -m 0644 -b src/var/www/htdocs/autoconfig.example.com/index.html /var/www/htdocs/autoconfig.$(hostname | sed "s/$(hostname -s).//")/
-
-vi src/var/www/htdocs/autoconfig.example.com/mail/config-v1.1.xml
-install -o root -g daemon -m 0755 -d src/var/www/htdocs/autoconfig.example.com/mail /var/www/htdocs/autoconfig.$(hostname | sed "s/$(hostname -s).//")/mail
-install -o root -g daemon -m 0644 -b src/var/www/htdocs/autoconfig.example.com/mail/config-v1.1.xml /var/www/htdocs/autoconfig.$(hostname | sed "s/$(hostname -s).//")/mail/
+vi src/var/www/htdocs/mercury.example.com/mail/config-v1.1.xml
+install -o root -g daemon -m 0755 -d src/var/www/htdocs/mercury.example.com/mail /var/www/htdocs/$(hostname)/mail
+install -o root -g daemon -m 0644 -b src/var/www/htdocs/mercury.example.com/mail/config-v1.1.xml /var/www/htdocs/$(hostname)/mail/
 ```
 
-Each autoconfig subdomain has record types A, and AAAA with the VPS' IPv4, and IPv6:
-```console   
-autoconfig.example.com.	86400	IN	A	203.0.113.1
-autoconfig.example.com.	86400	IN	AAAA	2001:0db8::1
+Each autoconfig subdomain has record type CNAME pointing to Autoconfiguration server:
+```console
+autoconfig.example.com.	86400	IN	CNAME	mercury.example.com
 ```  
 
-Each *virtual* autoconfig subdomain has record type CNAME pointing to *autoconfig.example.com*:
+Each *virtual* autoconfig subdomain has record type CNAME pointing to Autoconfiguration server:
 ```console
 autoconfig.example.net.	86400	IN	CNAME	autoconfig.example.com.
 ```
@@ -80,8 +77,17 @@ Each autoconfig subdomain needs a TXT record with SPF data:
 autoconfig.example.com.	86400	IN	TXT	"v=spf1 -all"
 ```
 
-Edit and add the following configuration directive to [`/etc/httpd.conf`](src/etc/httpd.conf):
+Edit *autoconfig.example.com*, and add the following configuration directive to [`/etc/httpd.conf`](src/etc/httpd.conf):
 ```console
+...
+# Host
+server "mercury.example.com" {
+	alias "autoconfig.example.com"
+
+	listen on $IPv4 port http
+...
+}
+
 # Mozilla Autoconfiguration
 server "autoconfig.*" {
 	listen on $IPv4 port http
@@ -95,15 +101,32 @@ server "autoconfig.*" {
 	block
 
 	location "/*" {
-		root "/htdocs/autoconfig.example.com"
-		pass
+		block return 302 "https://autoconfig.example.com$REQUEST_URI"
 	}
 }
+...
+```
+
+Revoke `mercury.example.com` certificate:
+```sh
+acme-client -vr mercury.example.com
+```
+
+Update [`/etc/acme-client.conf`](src/etc/acme-client.conf):
+```sh
+sed -i -e '/alternative names/s|secure.example.com|autoconfig.example.com|' \
+	-e '/alternative names/s/^#//' /etc/acme-client.conf
+```
+
+Get a new certificate for *mercury.example.com*:
+```sh
+acme-client -v mercury.example.com
+get-ocsp.sh mercury.example.com
 ```
 
-Reload:
+Restart:
 ```sh
-rcctl reload httpd
+rcctl restart smtpd dovecot
 ```
 
 When relaying as backup MX, enforce STARTTLS and certificate verification:
@@ -115,3 +138,18 @@ Restart backup MX:
 ```sh
 rcctl restart smtpd
 ```
+
+Add `per_user` and `per_language` bayes classification of messages:
+```sh
+rcctl stop rspamd
+rm /tmp/*.shm
+cp src/etc/rspamd/local.d/classifier-bayes.conf /etc/rspamd/local.d/
+cp src/usr/local/bin/learn_*.sh /usr/local/bin/
+```
+
+Start with a fresh database:
+```
+rm /var/rspamd/*
+rcctl start rspamd
+```
+
diff --git a/src/etc/acme-client.conf b/src/etc/acme-client.conf
@@ -2,17 +2,17 @@
 # $OpenBSD: acme-client.conf,v 1.6 2017/11/27 01:59:55 florian Exp $
 #
 authority letsencrypt {
-        api url "https://acme-v01.api.letsencrypt.org/directory"
-        account key "/etc/acme/letsencrypt-privkey.pem"
+	api url "https://acme-v01.api.letsencrypt.org/directory"
+	account key "/etc/acme/letsencrypt-privkey.pem"
 }
 
 authority letsencrypt-staging {
-        api url "https://acme-staging.api.letsencrypt.org/directory"
-        account key "/etc/acme/letsencrypt-staging-privkey.pem"
+	api url "https://acme-staging.api.letsencrypt.org/directory"
+	account key "/etc/acme/letsencrypt-staging-privkey.pem"
 }
 
 domain mercury.example.com {
-#	alternative names { secure.example.com }
+	alternative names { autoconfig.example.com }
 	domain key "/etc/ssl/acme/private/mercury.example.com.key"
 	domain certificate "/etc/ssl/acme/mercury.example.com.crt"
 	domain full chain certificate "/etc/ssl/acme/mercury.example.com.fullchain.pem"
diff --git a/src/etc/hostname.vio0 b/src/etc/hostname.vio0
@@ -1,9 +1,10 @@
 # https://man.openbsd.org/hostname.if
 -inet # reset interface to its default state
 -inet6 # reset interface to its default state
-dhcp # static IP
-inet6 -autoconfprivacy # static IP
-inet6 -soii # disable persistent Semantically Opaque Interface Identifiers
-inet6 autoconf # slaac
-#inet6 2001:0db8::1 64 # no slaac
-#inet6 alias 2001:0db8::2 64 # prefixlen 56 for gateways on different network
+dhcp
+inet6 -autoconfprivacy
+inet6 -soii
+inet6 autoconf
+# prefixlen 56 for gateways on different network
+#inet6 2001:0db8::1 64
+#inet6 alias 2001:0db8::2 64
diff --git a/src/etc/httpd.conf b/src/etc/httpd.conf
@@ -19,6 +19,8 @@ prefork 1
 
 # Host
 server "mercury.example.com" {
+	alias "autoconfig.example.com"
+
 	listen on $IPv4 port http
 	listen on $IPv4 tls port https
 	listen on $IPv6 port http
@@ -63,8 +65,7 @@ server "autoconfig.*" {
 	block
 
 	location "/*" {
-		root "/htdocs/autoconfig.example.com"
-		pass
+		block return 302 "https://autoconfig.example.com$REQUEST_URI"
 	}
 }
 
diff --git a/src/etc/rspamd/local.d/classifier-bayes.conf b/src/etc/rspamd/local.d/classifier-bayes.conf
@@ -8,6 +8,8 @@
 
 # Classifier's algorithm is BAYES
 
+# Unique name used to learn the specific classifier (default: bayes)
+#name = "bayes";
 # Minimum number of words required for statistics processing
 min_tokens = 11;
 # Minimum learn count for both spam and ham classes to perform classification
@@ -20,5 +22,12 @@ autolearn = true;
 # or use the following Lua function to detect if autolearn is needed (return "ham", "spam", or nil)
 #autolearn = "return function(task) ... end";
 
-# v1.7
-#backend = "redis";
+# Enable per-user statistics
+users_enabled = true;
+# Use per-user statistics
+per_user = true;
+# Enable per-language statistics
+languages_enabled = true;
+# Use per-language statistics
+per_language = true;
+
diff --git a/src/usr/local/bin/learn_ham.sh b/src/usr/local/bin/learn_ham.sh
@@ -1,4 +1,4 @@
 #!/bin/sh
-exec /usr/local/bin/rspamc -h /var/run/rspamd/rspamd.sock learn_ham
+exec /usr/local/bin/rspamc -h /var/run/rspamd/rspamd.sock -d "${1}" learn_ham
 # we don't care about the exit status in this case
 exit 0
diff --git a/src/usr/local/bin/learn_spam.sh b/src/usr/local/bin/learn_spam.sh
@@ -1,4 +1,4 @@
 #!/bin/sh
-exec /usr/local/bin/rspamc -h /var/run/rspamd/rspamd.sock learn_spam
+exec /usr/local/bin/rspamc -h /var/run/rspamd/rspamd.sock -d "${1}" learn_spam
 # we don't care about the exit status in this case
 exit 0
diff --git a/src/var/www/htdocs/autoconfig.example.com/index.html b/src/var/www/htdocs/autoconfig.example.com/index.html
diff --git a/src/var/www/htdocs/mercury.example.com/disklabel.min b/src/var/www/htdocs/mercury.example.com/disklabel.min
@@ -5,4 +5,4 @@ swap		1G
 /usr		1G
 /usr/local	512M
 /home		8M
-/var		*
+/var		10G-*
diff --git a/src/var/www/htdocs/mercury.example.com/install.conf b/src/var/www/htdocs/mercury.example.com/install.conf
diff --git a/src/var/www/htdocs/mercury.example.com/mail/config-v1.1.xml b/src/var/www/htdocs/mercury.example.com/mail/config-v1.1.xml
