The Miscellaneous

The Simple way with MSMTP

Here is a SIMPLIFIED version of this method that only sends outgoing mail through a Google mail account (other providers work too). Truly simple! :)

```bash
#!/bin/bash
###### PLEASE .... EDIT IT...
USEREMAIL="usernameemail"   # local part of the address (before the @)
DOMPROV="gmail.com"
PWDEMAIL="passwordStrong"   ## ATTENTION: DON'T USE special chars such as SPACE, # and some others (not all). Feel free to test ;)
MAILPROV="smtp.gmail.com"   # Gmail submission server
MAILPORT="587"              # submission port, upgraded with STARTTLS
MYEMAIL="$USEREMAIL@$DOMPROV"
USERLOC="root"
#######
apt install -y msmtp
# let programs that call sendmail(8) use msmtp instead
[ -e /usr/sbin/sendmail ] || ln -s /usr/bin/msmtp /usr/sbin/sendmail
#wget http://www.cacert.org/revoke.crl -O /etc/ssl/certs/revoke.crl
#chmod 644 /etc/ssl/certs/revoke.crl
# write the msmtp configuration for root (the heredoc expands the variables above)
cat <<EOF > /root/.msmtprc
defaults
account gmail
host $MAILPROV
port $MAILPORT
#proxy_host 127.0.0.1
#proxy_port 9001
from $MYEMAIL
timeout off
protocol smtp
#auto_from [(on|off)]
#from envelope_from
#maildomain [domain]
auth on
user $MYEMAIL
passwordeval "gpg -q --for-your-eyes-only --no-tty -d /root/msmtp-mail.gpg"
#passwordeval "gpg --quiet --for-your-eyes-only --no-tty --decrypt /root/msmtp-mail.gpg"
tls on
tls_starttls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
#tls_crl_file /etc/ssl/certs/revoke.crl
#tls_fingerprint [fingerprint]
#tls_key_file [file]
#tls_cert_file [file]
tls_certcheck on
# tls_force_sslv3 and tls_min_dh_prime_bits 512 were dropped: SSLv3 is broken and
# refused by Gmail, and 512-bit DH is far too weak. msmtp's TLS defaults are fine.
#tls_priorities [priorities]
#dsn_notify (off|condition)
#dsn_return (off|amount)
#domain argument
#keepbcc off
logfile /var/log/mail.log
syslog on
account default : gmail
EOF
chmod 0400 /root/.msmtprc

   ## In testing .. auto command
# echo -e "1\n4096\n\ny\n$USEREMAIL\n$MYEMAIL\nmy key\nO\n$PWDEMAIL\n$PWDEMAIL\n" | gpg --full-generate-key
##
gpg --full-generate-key                     # interactive: create a key for $MYEMAIL
gpg --output /root/revoke.asc --gen-revoke "$MYEMAIL"
# store the mail password encrypted to that key; passwordeval above decrypts it
printf '%s\n' "$PWDEMAIL" | gpg -e -o /root/msmtp-mail.gpg --recipient "$MYEMAIL"
chmod 400 /root/msmtp-mail.gpg
echo 'export GPG_TTY=$(tty)' >> /root/.bashrc

echo "Hello there" | msmtp --debug "$MYEMAIL"
echo "######################
## MSMTP Configured ##
######################"
```

DONE!! ;)

Gmail and Exim4 As MTA With Implicit TLS

Unless you’re planning on setting up your own mail server, you’ll need a way to send e-mails from your server. This will be important for system alerts/messages.

You can use any Gmail account. I recommend you create one specific for this server. That way if your server is compromised, the bad-actor won’t have any passwords for your primary account. Granted, if you have 2FA/MFA enabled and you use an app password, there isn’t much a bad-actor can do with just the app password, but why take the risk?

There are many guides on-line that cover how to configure Gmail as MTA using STARTTLS, including a previous version of this guide. With STARTTLS, an initial unencrypted connection is made and then upgraded to an encrypted TLS or SSL connection. Instead, with the approach outlined below, an encrypted TLS connection is made from the start.

Also, as discussed in issue #29 and here, exim4 will fail for messages with long lines. We’ll fix this in this section too.

Goals

  • mail configured to send e-mails from your server using Gmail
  • long line support for exim4

Steps

  1. Install exim4. You will also need openssl and ca-certificates.

    On Debian based systems:

     sudo apt install exim4 openssl ca-certificates
    
  2. Configure exim4:

    For Debian based systems:

     sudo dpkg-reconfigure exim4-config
    

    You’ll be prompted with some questions:

    | Prompt | Answer |
    | --- | --- |
    | General type of mail configuration | mail sent by smarthost; no local mail |
    | System mail name | localhost |
    | IP-addresses to listen on for incoming SMTP connections | 127.0.0.1; ::1 |
    | Other destinations for which mail is accepted | (default) |
    | Visible domain name for local users | localhost |
    | IP address or host name of the outgoing smarthost | smtp.gmail.com::465 |
    | Keep number of DNS-queries minimal (Dial-on-Demand)? | No |
    | Split configuration into small files? | No |
  3. Make a backup of /etc/exim4/passwd.client:

     sudo cp --archive /etc/exim4/passwd.client /etc/exim4/passwd.client-COPY-$(date +"%Y%m%d%H%M%S")
    
  4. Add a line like this to /etc/exim4/passwd.client

     smtp.gmail.com:[email protected]:yourPassword
     *.google.com:[email protected]:yourPassword
    

    Notes:

    • Replace [email protected] and yourPassword with your details. If you have 2FA/MFA enabled on your Gmail then you’ll need to create and use an app password here.
    • Always check host smtp.gmail.com for the most up-to-date domains to list.
  5. This file has your Gmail password so we need to lock it down:

     sudo chown root:Debian-exim /etc/exim4/passwd.client
     sudo chmod 640 /etc/exim4/passwd.client
    
  6. The next step is to create a TLS certificate that exim4 will use to make the encrypted connection to smtp.gmail.com. You can use your own certificate, like one from Let’s Encrypt, or create one yourself using openssl. We will use a script that comes with exim4 that calls openssl to make our certificate:

     sudo bash /usr/share/doc/exim4-base/examples/exim-gencert
    
    [*] Creating a self signed SSL certificate for Exim!
        This may be sufficient to establish encrypted connections but for
        secure identification you need to buy a real certificate!
    
        Please enter the hostname of your MTA at the Common Name (CN) prompt!
    
    Generating a RSA private key
    ..........................................+++++
    ................................................+++++
    writing new private key to '/etc/exim4/exim.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Code (2 letters) [US]:[redacted]
    State or Province Name (full name) []:[redacted]
    Locality Name (eg, city) []:[redacted]
    Organization Name (eg, company; recommended) []:[redacted]
    Organizational Unit Name (eg, section) []:[redacted]
    Server name (eg. ssl.domain.tld; required!!!) []:localhost
    Email Address []:[redacted]
    [*] Done generating self signed certificates for exim!
        Refer to the documentation and example configuration files
        over at /usr/share/doc/exim4-base/ for an idea on how to enable TLS
        support in your mail transfer agent.
    
  7. Instruct exim4 to use TLS and port 465, and fix exim4’s long lines issue, by creating the file /etc/exim4/exim4.conf.localmacros and adding:

     MAIN_TLS_ENABLE = 1
     REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS = *
     TLS_ON_CONNECT_PORTS = 465
     REQUIRE_PROTOCOL = smtps
     IGNORE_SMTP_LINE_LENGTH_LIMIT = true
    
     cat << EOF | sudo tee /etc/exim4/exim4.conf.localmacros
     MAIN_TLS_ENABLE = 1
     REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS = *
     TLS_ON_CONNECT_PORTS = 465
     REQUIRE_PROTOCOL = smtps
     IGNORE_SMTP_LINE_LENGTH_LIMIT = true
     EOF
    
  8. Make a backup of exim4’s configuration file /etc/exim4/exim4.conf.template:

     sudo cp --archive /etc/exim4/exim4.conf.template /etc/exim4/exim4.conf.template-COPY-$(date +"%Y%m%d%H%M%S")
    
  9. Add the below to /etc/exim4/exim4.conf.template after the .ifdef REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS ... .endif block:

     .ifdef REQUIRE_PROTOCOL
       protocol = REQUIRE_PROTOCOL
     .endif
    
    .ifdef REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
      hosts_require_tls = REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
    .endif
    .ifdef REQUIRE_PROTOCOL
        protocol = REQUIRE_PROTOCOL
    .endif
    .ifdef REMOTE_SMTP_HEADERS_REWRITE
      headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
    .endif
    
     sudo sed -i -r -e '/^.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS$/I { :a; n; /^.endif$/!ba; a\# added by '"$(whoami) on $(date +"%Y-%m-%d @ %H:%M:%S")"'\n.ifdef REQUIRE_PROTOCOL\n    protocol = REQUIRE_PROTOCOL\n.endif\n# end add' -e '}' /etc/exim4/exim4.conf.template
    
  10. Add the below to /etc/exim4/exim4.conf.template inside the .ifdef MAIN_TLS_ENABLE block:

     .ifdef TLS_ON_CONNECT_PORTS
       tls_on_connect_ports = TLS_ON_CONNECT_PORTS
     .endif
    
    .ifdef MAIN_TLS_ENABLE
    .ifdef TLS_ON_CONNECT_PORTS
        tls_on_connect_ports = TLS_ON_CONNECT_PORTS
    .endif
    
     sudo sed -i -r -e "/\.ifdef MAIN_TLS_ENABLE/ a # added by $(whoami) on $(date +"%Y-%m-%d @ %H:%M:%S")\n.ifdef TLS_ON_CONNECT_PORTS\n    tls_on_connect_ports = TLS_ON_CONNECT_PORTS\n.endif\n# end add" /etc/exim4/exim4.conf.template
    
  11. Update exim4 configuration to use TLS and then restart the service:

     sudo update-exim4.conf
     sudo service exim4 restart
    
  12. If you’re using UFW, you’ll need to allow outbound traffic on 465. To do this we’ll create a custom UFW application profile and then enable it. Create the file /etc/ufw/applications.d/smtptls, add this, then run ufw allow out smtptls comment 'open TLS port 465 for use with SMTP to send e-mails':

     [SMTPTLS]
     title=SMTP through TLS
     description=This opens up the TLS port 465 for use with SMTP to send e-mails.
     ports=465/tcp
    
     cat << EOF | sudo tee /etc/ufw/applications.d/smtptls
     [SMTPTLS]
     title=SMTP through TLS
     description=This opens up the TLS port 465 for use with SMTP to send e-mails.
     ports=465/tcp
     EOF
    
     sudo ufw allow out smtptls comment 'open TLS port 465 for use with SMTP to send e-mails'
    
  13. Add some mail aliases so we can send e-mails to local accounts by adding lines like this to /etc/aliases:

    You’ll need to add all the local accounts that exist on your server.

  14. Test your setup:

     echo "test" | mail -s "Test" [email protected]
     sudo tail /var/log/exim4/mainlog
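The steps above are easy to get half-right: the sed commands in steps 9 and 10 silently do nothing when their anchor pattern is not found, and passwd.client holds the Gmail password in clear text. The following checks are an added example (not part of the original guide) that verifies the result of steps 5, 7, 9, 10 and 14; default paths are the ones the guide edits, and each function takes an alternative path as its first argument.

```shell
#!/bin/sh
# Sanity checks for the exim4 + Gmail implicit-TLS setup described in the steps above.
# Added example, not part of the original guide.

# 0 if every macro from step 7 is present in exim4.conf.localmacros.
check_localmacros() {
    f="${1:-/etc/exim4/exim4.conf.localmacros}"
    for m in 'MAIN_TLS_ENABLE = 1' 'REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS = \*' \
             'TLS_ON_CONNECT_PORTS = 465' 'REQUIRE_PROTOCOL = smtps' \
             'IGNORE_SMTP_LINE_LENGTH_LIMIT = true'; do
        grep -Eq "^[[:space:]]*$m[[:space:]]*\$" "$f" || { echo "missing: $m" >&2; return 1; }
    done
}

# 0 if both directives inserted by the sed commands in steps 9 and 10 are in the
# template. sed reports nothing when its anchor is absent, so this must be checked.
check_template() {
    f="${1:-/etc/exim4/exim4.conf.template}"
    grep -Eq '^[[:space:]]*protocol = REQUIRE_PROTOCOL' "$f" &&
    grep -Eq '^[[:space:]]*tls_on_connect_ports = TLS_ON_CONNECT_PORTS' "$f" ||
        { echo "template is missing an inserted directive" >&2; return 1; }
}

# 0 if passwd.client (step 5) grants nothing to "other". Reads the rwx triplet
# for "other" from ls -l, which works on any POSIX system.
check_passwd_client_mode() {
    f="${1:-/etc/exim4/passwd.client}"
    others=$(ls -ld "$f" 2>/dev/null | cut -c8-10)
    [ "$others" = "---" ] || { echo "$f is readable by other ($others)" >&2; return 1; }
}

# 0 if the smarthost sends its SMTP banner inside TLS from the first byte, i.e.
# implicit TLS (smtps) as configured, not plain text followed by STARTTLS.
# Needs network access; the offline checks below do not call it.
check_implicit_tls() {
    h="${1:-smtp.gmail.com}"; p="${2:-465}"
    banner=$(printf 'QUIT\r\n' | openssl s_client -connect "$h:$p" -servername "$h" \
                 -quiet 2>/dev/null | head -n 1)
    case "$banner" in
        220*) ;;
        *) echo "no TLS-wrapped SMTP banner from $h:$p" >&2; return 1 ;;
    esac
}

# Run every check against the live system; stops at the first failure.
run_all_checks() {
    check_localmacros && check_template && check_passwd_client_mode && check_implicit_tls
}
```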
    

Separate iptables Log File

There will come a time when you’ll need to look through your iptables logs. Having all the iptables logs go to their own file will make it a lot easier to find what you’re looking for.

Steps

  1. The first step is to tell your firewall to prefix all log entries with some unique string. If you’re using iptables directly, you would do something like --log-prefix "[IPTABLES] " for all the rules. We took care of this in step 4 of installing psad.

  2. After you’ve added a prefix to the firewall logs, we need to tell rsyslog to send those lines to its own file. Do this by creating the file /etc/rsyslog.d/10-iptables.conf and adding this:

     :msg, contains, "[IPTABLES] " /var/log/iptables.log
     & stop
    

    If you’re expecting a lot of data being logged by your firewall, prefix the filename with a - “to omit syncing the file after every logging”. For example:

     :msg, contains, "[IPTABLES] " -/var/log/iptables.log
     & stop
    

    Note: Remember to change the prefix to whatever you use.

     cat << EOF | sudo tee /etc/rsyslog.d/10-iptables.conf
     :msg, contains, "[IPTABLES] " /var/log/iptables.log
     & stop
     EOF
    
  3. Since we’re logging firewall messages to a different file, we need to tell psad where the new file is. Edit /etc/psad/psad.conf and set IPT_SYSLOG_FILE to the path of the log file. For example:

     IPT_SYSLOG_FILE /var/log/iptables.log;
    

    Note: Remember to change the path if you used a different log file name above.

     sudo sed -i -r -e "s/^(IPT_SYSLOG_FILE\s+)([^;]+)(;)$/# \1\2\3       # commented by $(whoami) on $(date +"%Y-%m-%d @ %H:%M:%S")\n\1\/var\/log\/iptables.log\3       # added by $(whoami) on $(date +"%Y-%m-%d @ %H:%M:%S")/" /etc/psad/psad.conf 
    
  4. Restart psad and rsyslog to activate the changes (or reboot):

     sudo psad -R
     sudo psad --sig-update
     sudo psad -H
     sudo service rsyslog restart
    
  5. The last thing we have to do is tell logrotate to rotate the new log file so it doesn’t get too big and fill up our disk. Create the file /etc/logrotate.d/iptables and add this:

     /var/log/iptables.log
     {
         rotate 7
         daily
         missingok
         notifempty
         delaycompress
         compress
         postrotate
             invoke-rc.d rsyslog rotate > /dev/null
         endscript
     }
    
     cat << EOF | sudo tee /etc/logrotate.d/iptables
     /var/log/iptables.log
     {
         rotate 7
         daily
         missingok
         notifempty
         delaycompress
         compress
         postrotate
             invoke-rc.d rsyslog rotate > /dev/null
         endscript
     }
     EOF
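Once the firewall log lives in its own file, the payoff is being able to answer "who is hitting what" quickly. The following is an added example (not part of the original guide) for triaging /var/log/iptables.log: it reads lines in the kernel netfilter LOG format with the "[IPTABLES] " prefix used in this section, and the sample log embedded in it is constructed (TEST-NET addresses) so it can be tried without a live system.

```shell
#!/bin/sh
# Triage helpers for the separated iptables log set up above. Added example,
# not part of the original guide. Lines without the "[IPTABLES] " prefix or
# without SRC=/DPT= fields (e.g. ICMP) are ignored.

# Constructed sample of /var/log/iptables.log; the addresses are documentation ranges.
SAMPLE_LOG='Jan 12 10:00:01 srv kernel: [IPTABLES] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=41000 DPT=22 SYN
Jan 12 10:00:02 srv kernel: [IPTABLES] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=41001 DPT=22 SYN
Jan 12 10:00:03 srv kernel: [IPTABLES] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=41002 DPT=23 SYN
Jan 12 10:00:04 srv kernel: [IPTABLES] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=41003 DPT=80 SYN
Jan 12 10:00:05 srv kernel: [IPTABLES] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=41004 DPT=22 SYN
Jan 12 10:00:06 srv kernel: [IPTABLES] IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=445 SYN
Jan 12 10:00:07 srv kernel: [IPTABLES] IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=51001 DPT=445 SYN
Jan 12 10:00:08 srv kernel: [IPTABLES] IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=ICMP TYPE=8 CODE=0
Jan 12 10:00:09 srv sshd[1234]: Accepted publickey for admin from 203.0.113.9 port 50022'

# Emit "SRC DPT" for every prefixed line on stdin that carries both fields.
src_dpt() {
    awk '/\[IPTABLES\] / {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src != "" && dpt != "") print src, dpt
    }'
}

# "count SRC DPT", busiest source/destination-port pairs first (default: top 10).
top_pairs() {
    src_dpt | sort | uniq -c | sort -rn | sed 's/^[[:space:]]*//' | head -n "${1:-10}"
}

# Sources that touched at least N distinct destination ports (default 3), the
# kind of pattern psad alerts on. Prints "ports SRC", most ports first.
scan_sources() {
    src_dpt | sort -u | awk -v min="${1:-3}" '
        { n[$1]++ }
        END { for (s in n) if (n[s] >= min) print n[s], s }
    ' | sort -rn
}

# Against the live file:  top_pairs 20 < /var/log/iptables.log
```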
    
