Books / How To Secure A Linux Server / Chapter 12
The Miscellaneous
The Simple way with MSMTP
This is a simplified version of the method: it only sends outgoing e-mail through a Google Mail account (other providers work too). Truly simple! :)
``` bash
#!/bin/bash
###### PLEASE .... EDIT THESE VALUES ...
USEREMAIL="usernameemail"          # Gmail user name (the part before the @)
DOMPROV="gmail.com"
PWDEMAIL="passwordStrong"          ## ATTENTION: don't use special chars such as SPACE or #; some others may also break, feel free to test ;)
MAILHOST="smtp.gmail.com"          # Gmail's SMTP submission host
MAILPORT="587"                     # 587 is the STARTTLS submission port, matching tls_starttls below
MYEMAIL="$USEREMAIL@$DOMPROV"
USERLOC="root"                     # local account whose home directory holds the config
#######
apt install -y msmtp
ln -s /usr/bin/msmtp /usr/sbin/sendmail
#wget http://www.cacert.org/revoke.crl -O /etc/ssl/certs/revoke.crl
#chmod 644 /etc/ssl/certs/revoke.crl
# Write the config into root's home (not the current working directory)
cat <<EOF > /root/.msmtprc
defaults
account gmail
host $MAILHOST
port $MAILPORT
#proxy_host 127.0.0.1
#proxy_port 9001
from $MYEMAIL
timeout off
protocol smtp
#auto_from [(on|off)]
#from envelope_from
#maildomain [domain]
auth on
user $MYEMAIL
passwordeval "gpg -q --for-your-eyes-only --no-tty -d /root/msmtp-mail.gpg"
#passwordeval "gpg --quiet --for-your-eyes-only --no-tty --decrypt /root/msmtp-mail.gpg"
tls on
tls_starttls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
#tls_crl_file /etc/ssl/certs/revoke.crl
#tls_fingerprint [fingerprint]
#tls_key_file [file]
#tls_cert_file [file]
tls_certcheck on
# tls_force_sslv3 and tls_min_dh_prime_bits 512 were dropped here: SSLv3 and
# 512-bit DH are broken, and current msmtp no longer accepts either option
#tls_priorities [priorities]
#dsn_notify (off|condition)
#dsn_return (off|amount)
#domain argument
#keepbcc off
logfile /var/log/mail.log
syslog on
account default : gmail
EOF
chmod 0400 /root/.msmtprc
## In testing .. automated key generation
# echo -e "1\n4096\n\ny\n$USEREMAIL\n$MYEMAIL\nmy key\nO\n$PWDEMAIL\n$PWDEMAIL\n" | gpg --full-generate-key
##
gpg --full-generate-key
gpg --output /root/revoke.asc --gen-revoke "$MYEMAIL"
# Encrypt the mail password to our own key; passwordeval decrypts it at send time
printf '%s\n' "$PWDEMAIL" | gpg -e -o /root/msmtp-mail.gpg --recipient "$MYEMAIL"
echo "export GPG_TTY=\$(tty)" >> /root/.bashrc
chmod 400 /root/msmtp-mail.gpg
echo "Hello there" | msmtp --debug "$MYEMAIL"
echo "######################
## MSMTP Configured ##
######################"
```
DONE!! ;)
Gmail and Exim4 As MTA With Implicit TLS
Unless you’re planning on setting up your own mail server, you’ll need a way to send e-mails from your server. This will be important for system alerts/messages.
You can use any Gmail account. I recommend you create one specific for this server. That way if your server is compromised, the bad-actor won’t have any passwords for your primary account. Granted, if you have 2FA/MFA enabled and you use an app password, there isn’t much a bad-actor can do with just the app password, but why take the risk?
There are many guides on-line that cover how to configure Gmail as MTA using STARTTLS including a previous version of this guide. With STARTTLS, an initial unencrypted connection is made and then upgraded to an encrypted TLS or SSL connection. Instead, with the approach outlined below, an encrypted TLS connection is made from the start.
Also, as discussed in issue #29 and here, exim4 will fail for messages with long lines. We’ll fix this in this section too.
Goals
- mail configured to send e-mails from your server using Gmail
- long line support for exim4
Steps
- Install exim4. You will also need openssl and ca-certificates.
  On Debian based systems:
  ``` bash
  sudo apt install exim4 openssl ca-certificates
  ```
- Configure exim4:
  For Debian based systems:
  ``` bash
  sudo dpkg-reconfigure exim4-config
  ```
  You’ll be prompted with some questions:
  | Prompt | Answer |
  | --- | --- |
  | General type of mail configuration | mail sent by smarthost; no local mail |
  | System mail name | localhost |
  | IP-addresses to listen on for incoming SMTP connections | 127.0.0.1; ::1 |
  | Other destinations for which mail is accepted | (default) |
  | Visible domain name for local users | localhost |
  | IP address or host name of the outgoing smarthost | smtp.gmail.com::465 |
  | Keep number of DNS-queries minimal (Dial-on-Demand)? | No |
  | Split configuration into small files? | No |
- Make a backup of `/etc/exim4/passwd.client`:
  ``` bash
  sudo cp --archive /etc/exim4/passwd.client /etc/exim4/passwd.client-COPY-$(date +"%Y%m%d%H%M%S")
  ```
- Add lines like these to `/etc/exim4/passwd.client`:
  ```
  smtp.gmail.com:yourAccount@gmail.com:yourPassword
  *.google.com:yourAccount@gmail.com:yourPassword
  ```
  Notes:
  - Replace `yourAccount@gmail.com` and `yourPassword` with your details. If you have 2FA/MFA enabled on your Gmail then you’ll need to create and use an app password here.
  - Always check `host smtp.gmail.com` for the most up-to-date domains to list.
- This file has your Gmail password so we need to lock it down:
  ``` bash
  sudo chown root:Debian-exim /etc/exim4/passwd.client
  sudo chmod 640 /etc/exim4/passwd.client
  ```
- The next step is to create a TLS certificate that exim4 will use to make the encrypted connection to `smtp.gmail.com`. You can use your own certificate, like one from Let’s Encrypt, or create one yourself using openssl. We will use a script that comes with exim4 that calls openssl to make our certificate:
  ``` bash
  sudo bash /usr/share/doc/exim4-base/examples/exim-gencert
  ```
  ```
  [*] Creating a self signed SSL certificate for Exim!
  This may be sufficient to establish encrypted connections but for
  secure identification you need to buy a real certificate!
  Please enter the hostname of your MTA at the Common Name (CN) prompt!
  Generating a RSA private key
  ..........................................+++++
  ................................................+++++
  writing new private key to '/etc/exim4/exim.key'
  -----
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Code (2 letters) [US]:[redacted]
  State or Province Name (full name) []:[redacted]
  Locality Name (eg, city) []:[redacted]
  Organization Name (eg, company; recommended) []:[redacted]
  Organizational Unit Name (eg, section) []:[redacted]
  Server name (eg. ssl.domain.tld; required!!!) []:localhost
  Email Address []:[redacted]
  [*] Done generating self signed certificates for exim!
  Refer to the documentation and example configuration files
  over at /usr/share/doc/exim4-base/ for an idea on how to enable TLS
  support in your mail transfer agent.
  ```
- Instruct exim4 to use TLS and port 465, and fix exim4’s long lines issue, by creating the file `/etc/exim4/exim4.conf.localmacros` and adding:
  ```
  MAIN_TLS_ENABLE = 1
  REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS = *
  TLS_ON_CONNECT_PORTS = 465
  REQUIRE_PROTOCOL = smtps
  IGNORE_SMTP_LINE_LENGTH_LIMIT = true
  ```
  ``` bash
  cat << EOF | sudo tee /etc/exim4/exim4.conf.localmacros
  MAIN_TLS_ENABLE = 1
  REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS = *
  TLS_ON_CONNECT_PORTS = 465
  REQUIRE_PROTOCOL = smtps
  IGNORE_SMTP_LINE_LENGTH_LIMIT = true
  EOF
  ```
- Make a backup of exim4’s configuration file `/etc/exim4/exim4.conf.template`:
  ``` bash
  sudo cp --archive /etc/exim4/exim4.conf.template /etc/exim4/exim4.conf.template-COPY-$(date +"%Y%m%d%H%M%S")
  ```
- Add the below to `/etc/exim4/exim4.conf.template` after the `.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS ... .endif` block:
  ```
  .ifdef REQUIRE_PROTOCOL
    protocol = REQUIRE_PROTOCOL
  .endif
  ```
  The result should look like this:
  ```
  .ifdef REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
    hosts_require_tls = REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
  .endif
  .ifdef REQUIRE_PROTOCOL
    protocol = REQUIRE_PROTOCOL
  .endif
  .ifdef REMOTE_SMTP_HEADERS_REWRITE
    headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
  .endif
  ```
  ``` bash
  sudo sed -i -r -e '/^.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS$/I { :a; n; /^.endif$/!ba; a\# added by '"$(whoami) on $(date +"%Y-%m-%d @ %H:%M:%S")"'\n.ifdef REQUIRE_PROTOCOL\n protocol = REQUIRE_PROTOCOL\n.endif\n# end add' -e '}' /etc/exim4/exim4.conf.template
  ```
- Add the below to `/etc/exim4/exim4.conf.template` inside the `.ifdef MAIN_TLS_ENABLE` block:
  ```
  .ifdef TLS_ON_CONNECT_PORTS
    tls_on_connect_ports = TLS_ON_CONNECT_PORTS
  .endif
  ```
  The start of the block should then look like this:
  ```
  .ifdef MAIN_TLS_ENABLE
  .ifdef TLS_ON_CONNECT_PORTS
    tls_on_connect_ports = TLS_ON_CONNECT_PORTS
  .endif
  ```
  ``` bash
  sudo sed -i -r -e "/\.ifdef MAIN_TLS_ENABLE/ a # added by $(whoami) on $(date +"%Y-%m-%d @ %H:%M:%S")\n.ifdef TLS_ON_CONNECT_PORTS\n tls_on_connect_ports = TLS_ON_CONNECT_PORTS\n.endif\n# end add" /etc/exim4/exim4.conf.template
  ```
- Update exim4 configuration to use TLS and then restart the service:
  ``` bash
  sudo update-exim4.conf
  sudo service exim4 restart
  ```
- If you’re using UFW, you’ll need to allow outbound traffic on 465. To do this we’ll create a custom UFW application profile and then enable it. Create the file `/etc/ufw/applications.d/smtptls`, add this, then run `sudo ufw allow out smtptls comment 'open TLS port 465 for use with SMTP to send e-mails'`:
  ```
  [SMTPTLS]
  title=SMTP through TLS
  description=This opens up the TLS port 465 for use with SMTP to send e-mails.
  ports=465/tcp
  ```
  ``` bash
  cat << EOF | sudo tee /etc/ufw/applications.d/smtptls
  [SMTPTLS]
  title=SMTP through TLS
  description=This opens up the TLS port 465 for use with SMTP to send e-mails.
  ports=465/tcp
  EOF
  sudo ufw allow out smtptls comment 'open TLS port 465 for use with SMTP to send e-mails'
  ```
- Add some mail aliases so we can send e-mails to local accounts by adding lines like this to `/etc/aliases`:
  ```
  user1: yourAccount@gmail.com
  user2: yourAccount@gmail.com
  ...
  ```
  You’ll need to add all the local accounts that exist on your server.
- Test your setup:
  ``` bash
  echo "test" | mail -s "Test" yourAccount@gmail.com
  sudo tail /var/log/exim4/mainlog
  ```
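A pre-flight check for the exim4 steps above, added here as an example (not the guide's own code): the two misconfigurations that silently break this setup are a readable or malformed `passwd.client` and a `localmacros` file that does not force implicit TLS on 465. Paths and the expected owner are parameters so it also runs on constructed sample files; GNU `stat` is assumed for the mode lookup.

```bash
#!/bin/sh
# Added example, not from the guide. Checks two files the steps create:
# passwd.client must not be world-readable and must hold well-formed
# host:account:password lines; exim4.conf.localmacros must carry every macro
# the guide sets, with the implicit-TLS values (port 465, protocol smtps).

# check_passwd_client FILE [OWNER] -> 0 if mode, optional owner and format are OK
check_passwd_client() {
    f="$1"; rc=0
    mode=$(stat -c '%a' "$f")
    case "$mode" in
        640|600|400) ;;                      # group may read, "other" must not
        *) echo "bad mode $mode on $f (expected 640)"; rc=1 ;;
    esac
    if [ -n "$2" ] && [ "$(stat -c '%U:%G' "$f")" != "$2" ]; then
        echo "unexpected owner on $f (expected $2)"; rc=1
    fi
    # Every non-comment, non-blank line needs three non-empty fields; a password
    # containing ":" is fine because read keeps the remainder in pass.
    grep -v '^[[:space:]]*#' "$f" | grep -v '^[[:space:]]*$' |
    while IFS=: read -r host account pass; do
        if [ -z "$host" ] || [ -z "$account" ] || [ -z "$pass" ]; then
            echo "malformed entry in $f: $host:$account:<...>"; exit 1
        fi
    done || rc=1
    return "$rc"
}

# check_localmacros FILE -> 0 if all required macros are present with sane values
check_localmacros() {
    f="$1"; rc=0
    for m in MAIN_TLS_ENABLE REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS \
             TLS_ON_CONNECT_PORTS REQUIRE_PROTOCOL IGNORE_SMTP_LINE_LENGTH_LIMIT; do
        grep -Eq "^[[:space:]]*$m[[:space:]]*=" "$f" || { echo "missing macro $m in $f"; rc=1; }
    done
    # TLS from the first byte only works on 465 together with protocol smtps.
    grep -Eq '^[[:space:]]*TLS_ON_CONNECT_PORTS[[:space:]]*=[[:space:]]*465[[:space:]]*$' "$f" \
        || { echo "TLS_ON_CONNECT_PORTS must be 465"; rc=1; }
    grep -Eq '^[[:space:]]*REQUIRE_PROTOCOL[[:space:]]*=[[:space:]]*smtps[[:space:]]*$' "$f" \
        || { echo "REQUIRE_PROTOCOL must be smtps"; rc=1; }
    return "$rc"
}

# Usage on a real box (the guide's paths and the Debian exim4 group):
# check_passwd_client /etc/exim4/passwd.client root:Debian-exim
# check_localmacros /etc/exim4/exim4.conf.localmacros
```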
Separate iptables Log File
There will come a time when you’ll need to look through your iptables logs. Having all the iptables logs go to their own file will make it a lot easier to find what you’re looking for.
Steps
- The first step is to tell your firewall to prefix all log entries with some unique string. If you’re using iptables directly, you would do something like `--log-prefix "[IPTABLES] "` for all the rules. We took care of this in step 4 of installing psad.
- After you’ve added a prefix to the firewall logs, we need to tell rsyslog to send those lines to their own file. Do this by creating the file `/etc/rsyslog.d/10-iptables.conf` and adding this:
  ```
  :msg, contains, "[IPTABLES] " /var/log/iptables.log
  & stop
  ```
  If you’re expecting a lot of data being logged by your firewall, prefix the filename with a `-` “to omit syncing the file after every logging”. For example:
  ```
  :msg, contains, "[IPTABLES] " -/var/log/iptables.log
  & stop
  ```
  Note: Remember to change the prefix to whatever you use.
  ``` bash
  cat << EOF | sudo tee /etc/rsyslog.d/10-iptables.conf
  :msg, contains, "[IPTABLES] " /var/log/iptables.log
  & stop
  EOF
  ```
- Since we’re logging firewall messages to a different file, we need to tell psad where the new file is. Edit `/etc/psad/psad.conf` and set `IPT_SYSLOG_FILE` to the path of the log file. For example:
  ```
  IPT_SYSLOG_FILE /var/log/iptables.log;
  ```
  Note: Remember to change the prefix to whatever you use.
  ``` bash
  sudo sed -i -r -e "s/^(IPT_SYSLOG_FILE\s+)([^;]+)(;)$/# \1\2\3 # commented by $(whoami) on $(date +"%Y-%m-%d @ %H:%M:%S")\n\1\/var\/log\/iptables.log\3 # added by $(whoami) on $(date +"%Y-%m-%d @ %H:%M:%S")/" /etc/psad/psad.conf
  ```
- Restart psad and rsyslog to activate the changes (or reboot):
  ``` bash
  sudo psad -R
  sudo psad --sig-update
  sudo psad -H
  sudo service rsyslog restart
  ```
- The last thing we have to do is tell logrotate to rotate the new log file so it doesn’t get too big and fill up our disk. Create the file `/etc/logrotate.d/iptables` and add this:
  ```
  /var/log/iptables.log
  {
      rotate 7
      daily
      missingok
      notifempty
      delaycompress
      compress
      postrotate
          invoke-rc.d rsyslog rotate > /dev/null
      endscript
  }
  ```
  ``` bash
  cat << EOF | sudo tee /etc/logrotate.d/iptables
  /var/log/iptables.log
  {
      rotate 7
      daily
      missingok
      notifempty
      delaycompress
      compress
      postrotate
          invoke-rc.d rsyslog rotate > /dev/null
      endscript
  }
  EOF
  ```
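A consistency check for the log split above, added here as an example (not the guide's own code): psad only sees firewall hits if `IPT_SYSLOG_FILE` names the same file the rsyslog rule writes to, which is easy to get wrong when the prefix or the `-` no-sync option changes. The functions take file paths and the prefix as parameters so they run on constructed sample files; GNU `sed` is assumed.

```bash
#!/bin/sh
# Added example, not from the guide. rsyslog_dest and psad_logfile pull the
# log path out of the two config files (stripping the optional "-" no-sync
# prefix on the rsyslog side), logs_consistent compares them, and route_line
# mirrors the rsyslog "contains" filter on sample log lines.

# rsyslog_dest RSYSLOG_CONF PREFIX -> prints the file the matching rule writes to
rsyslog_dest() {
    grep -F ":msg, contains, \"$2\"" "$1" | head -n 1 |
        sed -E 's|^.*"[[:space:]]+-?(/[^[:space:]]+).*$|\1|'
}

# psad_logfile PSAD_CONF -> prints the value of the active IPT_SYSLOG_FILE line
# (the line the guide's sed commented out starts with "#" and is skipped)
psad_logfile() {
    sed -nE 's/^IPT_SYSLOG_FILE[[:space:]]+([^;[:space:]]+);.*$/\1/p' "$1" | head -n 1
}

# logs_consistent RSYSLOG_CONF PSAD_CONF PREFIX -> 0 only when both name one file
logs_consistent() {
    r=$(rsyslog_dest "$1" "$3")
    p=$(psad_logfile "$2")
    if [ -z "$r" ] || [ -z "$p" ]; then
        echo "could not find the log path in one of the files"; return 1
    fi
    [ "$r" = "$p" ] || { echo "rsyslog writes $r but psad reads $p"; return 1; }
}

# route_line PREFIX LINE -> "iptables" if the rule would divert the line to the
# separate file, otherwise "syslog" (it stays in the normal syslog stream)
route_line() {
    case "$2" in
        *"$1"*) echo iptables ;;
        *)      echo syslog ;;
    esac
}

# Usage on a real box with the guide's paths:
# logs_consistent /etc/rsyslog.d/10-iptables.conf /etc/psad/psad.conf '[IPTABLES] '
```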