From b1434398186edfbe4dcb2542c51d7c4e3b42086a Mon Sep 17 00:00:00 2001
From: Simon Larsen
Date: Tue, 15 Aug 2023 14:39:57 +0100
Subject: [PATCH] add haraka files
---
 .gitignore | 3 +
 Haraka/README.md | 136 +++++++++++++------------------
 Haraka/config/auth_flat_file.ini | 4 +
 Haraka/config/dkim_sign.ini | 3 +
 Haraka/config/plugins | 3 +
 Haraka/config/smtp.ini | 64 +++++++++++++++
 Haraka/config/tls.ini | 1 +
 Haraka/dkim/generate.sh | 12 +++
 Haraka/dkim/keys/README.md | 1 +
 Haraka/dkim/show-info.sh | 30 +++++++
 Haraka/init.sh | 21 +++++
 11 files changed, 197 insertions(+), 81 deletions(-)
 create mode 100644 Haraka/config/auth_flat_file.ini
 create mode 100644 Haraka/config/dkim_sign.ini
 create mode 100644 Haraka/config/plugins
 create mode 100644 Haraka/config/smtp.ini
 create mode 100644 Haraka/config/tls.ini
 create mode 100644 Haraka/dkim/generate.sh
 create mode 100644 Haraka/dkim/keys/README.md
 create mode 100644 Haraka/dkim/show-info.sh
 create mode 100644 Haraka/init.sh
diff --git a/.gitignore b/.gitignore
index 1849002859..1af69a36a8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -85,3 +85,6 @@
 Backups/*.sql
 Backups/*.tar
 .env
+
+Haraka/dkim/keys/private_base64.txt
+Haraka/dkim/keys/public_base64.txt
diff --git a/Haraka/README.md b/Haraka/README.md
index 00f9fb92a3..74dac7c831 100644
--- a/Haraka/README.md
+++ b/Haraka/README.md
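Review bot: Only the base64 copies are ignored here, while the raw key files that generate.sh in this commit writes into the same directory (`private` and `public`, created after its `cd keys`) are not, so a `git add` of the Haraka tree would still commit the DKIM private key. Add `Haraka/dkim/keys/private` and `Haraka/dkim/keys/public` next to the two entries in this hunk. A short comment above the block, `# DKIM key material generated by Haraka/dkim/generate.sh`, would explain why these paths are listed.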
@@ -1,108 +1,82 @@ -# SMTP Server Container for OneUptime - -This is a simple SMTP server which is used to send bulk emails. This can be used to send email alerts to subscribers and team. - -> This will not work on your local machine because email sending is blocked by ISP. You need to run these on the server and test. - -## Run a OneUptime Haraka Docker Container - -### Setup Private Key (Optional) +# Build haraka container. ``` -# Unix machine - - -# generate private key - -openssl genrsa -out private 2048 - -# Encode it to base64 and export it - -export DKIM_PRIVATE_KEY=$(cat private | base64) - +sudo docker build . -t haraka:latest ``` -> If you already have a private key, you can point the export command to it, and export as base64 encoded -### Setup DKIM on DNS TXT Record (Optional) +# To update a stack ``` -# Unix machine - -# private should point to the private key generated previously - -chmod 0400 private -openssl rsa -in private -out public -pubout - -# value of DKIM dns record - -echo "v=DKIM1;p=$(grep -v '^-' public | tr -d '\n')" - +cd haraka +sudo docker stack deploy haraka -c docker-compose.yml ``` -> When setting up the DKIM dns txt record (recommended), the selector should be `oneuptime._domainkey` then the value should be the output of the echo command - -### Setup DMARC and SPF DNS TXT Record (Optional) - -To setup dmarc for the smtp server, you need to create a new dns record with the following values - -| Type | Name | Content | -| ---- | ------- | ---------------------------------------------------------------------------------------- | -| TXT | \_dmarc | v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:youremail; ruf=mailto:youremail; pct=100 | - -> For SPF dns record, you need to setup with appropriate values, if the ip of the smtp mail server is static, you can add that to the spf ip list - -### Setup tls Keys (Optional) +# To restart a service ``` -# Unix machine - - -# generate tls_cert.pem and tls_key.pem files with there keys -# this 
command will open a prompt for you to fill in your details - -openssl req -x509 -nodes -days 2190 -newkey rsa:2048 -keyout tls_key.pem -out tls_cert.pem - -# Encode your tls to base64 and export it - -export TLS_KEY=$(cat tls_key.pem | base64) -export TLS_CERT=$(cat tls_cert.pem | base64) - +sudo docker service update haraka_haraka --force ``` -> If you already have tls_key and tls_cert for your domain, you can point the export command to the tls files to generate base64 encoded value -## Build Docker Container +# Send Test Outbound Email ``` -docker build --build-arg PORT="2525" . -t haraka:latest +swaks --to hello@nawazdhandala.com --from hello@genosyn.com --server 192.168.1.100 --port 2525 --auth-user homelab --auth-password password ``` -### Run Haraka SMTP Server +# Set a domain to send email + + +Generate a DKIM key: ``` -docker run -p 2525:2525 -e SMTP_USER="user@oneuptime.com" -e SMTP_PASSWORD="oneuptime" -e DOMAIN="oneuptime.com" -e DKIM_PRIVATE_KEY=$DKIM_PRIVATE_KEY -e TLS_CERT=$TLS_CERT -e TLS_KEY=$TLS_KEY haraka:latest +cd dkim + +bash generate.sh + +cd .. ``` -> The following envs are optional `DKIM_PRIVATE_KEY`, `TLS_CERT`, `TLS_KEY` and `DOMAIN` +`public` and `private` files should have been generated inside of `dkim` folder. Please also add DNS and env vars to docker-compose files. Values of that should be shown on the console. -## Test + + +Add an A record: ``` -# Install swaks on Linux machine - -sudo apt-get update -sudo apt-get install swaks -y - -# MacOS - -brew install swaks - -# Test - -swaks --to jude@oneuptime.com --from support@oneuptime.com --server localhost \ - --port 2525 --auth-user user@oneuptime.com --auth-password oneuptime - +mailer.company.com ``` -Check the logs for running container and see if you get a mail in your inbox. +Set SPF record: + +``` +# Any MX or A servers can send emails. 
+v=spf1 mx a -all
+```
+
+Example:
+
+```
+v=spf1 mx a ip4:37.26.74.9 include:_spf.google.com include:mail.genosyn.com ~all
+```
+
+Set DMARC record:
+
+```
+Type: TXT
+Key: _dmarc
+Value: "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-feedback@; ruf=mailto:dmarc-feedback@; pct=100"
+```
+
+Example:
+
+
+```
+_dmarc TXT "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-feedback@genosyn.com; ruf=mailto:dmarc-feedback@genosyn.com; pct=100"
+```
+
+
+# Test, Test, Test.
+
+Use https://www.mail-tester.com/ to test emails.
\ No newline at end of file
diff --git a/Haraka/config/auth_flat_file.ini b/Haraka/config/auth_flat_file.ini
new file mode 100644
index 0000000000..856bfad544
--- /dev/null
+++ b/Haraka/config/auth_flat_file.ini
@@ -0,0 +1,4 @@
+[core]
+methods=PLAIN
+
+[users]
diff --git a/Haraka/config/dkim_sign.ini b/Haraka/config/dkim_sign.ini
new file mode 100644
index 0000000000..b0f1d962d3
--- /dev/null
+++ b/Haraka/config/dkim_sign.ini
@@ -0,0 +1,3 @@
+disabled = false
+selector = haraka
+headers_to_sign = From, Sender, Reply-To, Subject, Date, Message-ID, To, Cc, MIME-Version
diff --git a/Haraka/config/plugins b/Haraka/config/plugins
new file mode 100644
index 0000000000..6d4a984bc9
--- /dev/null
+++ b/Haraka/config/plugins
@@ -0,0 +1,3 @@
+tls
+auth/flat_file
+dkim_sign
\ No newline at end of file
diff --git a/Haraka/config/smtp.ini b/Haraka/config/smtp.ini
new file mode 100644
index 0000000000..8b9c94a586
--- /dev/null
+++ b/Haraka/config/smtp.ini
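Review bot: `methods=PLAIN` transmits the password base64-encoded, not encrypted, and the tls.ini hunk in this commit disables STARTTLS on 2525 (`no_starttls_ports[]=2525`), which is the only port smtp.ini listens on, so SMTP AUTH credentials would cross the network in cleartext. Either remove 2525 from no_starttls_ports so clients can upgrade before AUTH, or state in this file that the listener must only be reachable from a trusted network. The `[users]` section is empty because init.sh appends `$SMTP_USERNAME=$SMTP_PASSWORD` at container start, which also means the password sits in cleartext in this file; a comment such as `; users are appended by init.sh from SMTP_USERNAME/SMTP_PASSWORD at start-up` would make that visible to whoever edits the file.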
@@ -0,0 +1,64 @@
+; address to listen on (default: all IPv6 and IPv4 addresses, port 25)
+; use "[::0]:25" to listen on IPv6 and IPv4 (not all OSes)
+listen=[::0]:2525
+
+; Note you can listen on multiple IPs/ports using commas:
+;listen=127.0.0.1:2529,127.0.0.2:2529,127.0.0.3:2530
+
+; public IP address (default: none)
+; If your machine is behind a NAT, some plugins (SPF, GeoIP) gain features
+; if they know the servers public IP. If 'stun' is installed, Haraka will
+; try to figure it out. If that doesn't work, set it here.
+;public_ip=N.N.N.N
+
+; Time in seconds to let sockets be idle with no activity
+;inactivity_timeout=300
+
+; Drop privileges to this user/group
+;user=smtp
+;group=smtp
+
+; Don't stop Haraka if plugins fail to compile
+;ignore_bad_plugins=0
+
+; Run using cluster to fork multiple backend processes
+;nodes=cpus
+
+; Daemonize
+;daemonize=true
+;daemon_log_file=/var/log/haraka.log
+;daemon_pid_file=/var/run/haraka.pid
+
+; Spooling
+; Save memory by spooling large messages to disk
+;spool_dir=/var/spool/haraka
+; Specify -1 to never spool to disk
+; Specify 0 to always spool to disk
+; Otherwise specify a size in bytes, once reached the
+; message will be spooled to disk to save memory.
+;spool_after=
+
+; Force Shutdown Timeout
+; - Haraka tries to close down gracefully, but if everything is shut down
+; after this time it will hard close. 30s is usually long enough to
+; wait for outbound connections to finish.
+;force_shutdown_timeout=30
+
+; SMTP service extensions: https://tools.ietf.org/html/rfc1869
+; strict_rfc1869 = false
+
+; Advertise support for SMTPUTF8 (RFC-6531)
+;smtputf8=true
+
+[headers]
+;add_received=true
+;clean_auth_results=true
+
+; replace header_hide_version
+;show_version=true
+
+; replace max_header_lines
+max_lines=1000
+
+; replace max_received_count
+max_received=100
diff --git a/Haraka/config/tls.ini b/Haraka/config/tls.ini
new file mode 100644
index 0000000000..754bc32f38
--- /dev/null
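Review bot: `;user=smtp` and `;group=smtp` are left commented out, so Haraka keeps whatever identity the container entrypoint has; if the image runs as root (the Dockerfile is not in this commit, so this is unverified) the SMTP listener stays root with no privilege drop. Uncomment them as `user=smtp` / `group=smtp` with a matching account in the image, or run the container as a non-root user, and record the choice in the comment. `listen=[::0]:2525` also binds every interface, which is normal inside a container but worth a one-line comment that exposure is expected to be limited by the compose network, since the tls.ini hunk in this commit disables STARTTLS on this same port.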
+++ b/Haraka/config/tls.ini
@@ -0,0 +1 @@
+no_starttls_ports[]=2525
\ No newline at end of file
diff --git a/Haraka/dkim/generate.sh b/Haraka/dkim/generate.sh
new file mode 100644
index 0000000000..1bee2b44d8
--- /dev/null
+++ b/Haraka/dkim/generate.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+
+cd keys
+
+openssl genrsa -out private 4096
+chmod 0400 private
+openssl rsa -in private -out public -pubout
+
+cd ..
+
+bash show-info.sh
diff --git a/Haraka/dkim/keys/README.md b/Haraka/dkim/keys/README.md
new file mode 100644
index 0000000000..9d54cb9810
--- /dev/null
+++ b/Haraka/dkim/keys/README.md
@@ -0,0 +1 @@
+This is where all the keys are stored.
\ No newline at end of file
diff --git a/Haraka/dkim/show-info.sh b/Haraka/dkim/show-info.sh
new file mode 100644
index 0000000000..1495b2a09a
--- /dev/null
+++ b/Haraka/dkim/show-info.sh
@@ -0,0 +1,30 @@
+cd keys
+
+cat private | base64 -w0 > private_base64.txt
+cat public | base64 -w0 > public_base64.txt
+
+echo ""
+echo ""
+echo ""
+
+
+echo "Add this to docker compose file - DKIM private key for env var is:"
+cat private_base64.txt
+
+echo ""
+echo ""
+echo ""
+
+echo "Add this to docker compose file - DKIM public key for env var is:"
+cat public_base64.txt
+
+echo ""
+echo ""
+echo ""
+
+echo "You need to add this to DNS"
+echo "Type: TXT"
+echo "Key: haraka._domainkey"
+echo "v=DKIM1;p=$(grep -v '^-' public | tr -d '\n')"
+
+cd ..
\ No newline at end of file
diff --git a/Haraka/init.sh b/Haraka/init.sh
new file mode 100644
index 0000000000..3fca1a1412
--- /dev/null
+++ b/Haraka/init.sh
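Review bot: In generate.sh the private key is written by `openssl genrsa -out private 4096` under the caller's default umask and only tightened afterwards by `chmod 0400 private`, and without `set -e` a failing `cd keys` lets the script generate keys in whatever the current directory is. Put `set -eu` and `umask 077` before the openssl call so the key file is never group- or world-readable even briefly and a failed `cd` stops the run. Re-running the script also silently overwrites an existing key whose public half may still be published in DNS; a guard such as `[ -e private ] && { echo 'keys/private already exists, remove it to rotate' >&2; exit 1; }` before genrsa prevents an accidental rotation.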
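Review bot: show-info.sh prints the base64-encoded private key to stdout (`cat private_base64.txt`) in addition to leaving it in keys/private_base64.txt, so the secret ends up in terminal scrollback and any session or CI log; the .gitignore hunk in this commit keeps the file out of git but not out of logs. Print only the public key and the DNS record and point the operator at the file instead, e.g. replace `cat private_base64.txt` with `echo "  (stored in keys/private_base64.txt - copy it from the file, not from this output)"`. The script also has no shebang and no `set -e`, so a failed `cd keys` encodes whatever `private` happens to exist in the current directory; add `#!/bin/sh` and `set -eu` at the top. `cat private | base64 -w0` can be `base64 -w0 private`, and `-w0` is a GNU base64 option that may be absent on other platforms, which is worth a comment since the README says to run this on a workstation.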
@@ -0,0 +1,21 @@
+
+
+# Setup auth
+echo "domain = $DOMAIN" >> /harakaapp/config/dkim_sign.ini
+echo "$DOMAIN" > /harakaapp/config/host_list
+echo "$DOMAIN" > /harakaapp/config/me
+echo "$SMTP_USERNAME=$SMTP_PASSWORD" >> /harakaapp/config/auth_flat_file.ini
+
+openssl req -x509 -nodes -days 2190 -newkey rsa:2048 -keyout /harakaapp/config/tls_key.pem -out /harakaapp/config/tls_cert.pem -subj "/C=US/ST=Massachusetts/L=Boston/O=Hackerbay/CN=$DOMAIN"
+
+# DKIM
+mkdir -p /harakaapp/config/dkim/$DOMAIN
+touch /harakaapp/config/dkim/$DOMAIN/selector
+echo "haraka" > /harakaapp/config/dkim/$DOMAIN/selector
+
+# Decode keys from base64
+echo "$DKIM_PUBLIC_KEY" | base64 -d > /harakaapp/config/dkim/$DOMAIN/public
+echo "$DKIM_PRIVATE_KEY" | base64 -d > /harakaapp/config/dkim/$DOMAIN/private
+
+# Run haraka
+haraka -c /harakaapp
\ No newline at end of file
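Review bot: `echo "$DKIM_PRIVATE_KEY" | base64 -d > .../private` writes an empty key file with no error when the variable is unset, and `echo "$SMTP_USERNAME=$SMTP_PASSWORD" >>` likewise appends a bare `=` line to auth_flat_file.ini, so a misconfigured deployment starts Haraka with no usable credentials or DKIM key and only fails at the first send. The script has no shebang and no `set -e`, `$DOMAIN` is unquoted in every path, and the private key is created with the default umask so it is readable by other users in the container. The `>>` appends to dkim_sign.ini and auth_flat_file.ini will also accumulate duplicate lines if /harakaapp/config is persisted across restarts (not visible from this commit). Guard the required variables up front, quote the paths, and write the private key under a restrictive umask as below; if this script is the container entrypoint, the final line should be `exec haraka -c /harakaapp` so signals reach Haraka rather than the shell.
```shell
#!/bin/sh
set -eu

# Required inputs: fail fast rather than writing empty config or key files.
: "${DOMAIN:?DOMAIN must be set}"
: "${SMTP_USERNAME:?SMTP_USERNAME must be set}"
: "${SMTP_PASSWORD:?SMTP_PASSWORD must be set}"
: "${DKIM_PUBLIC_KEY:?DKIM_PUBLIC_KEY must be set}"
: "${DKIM_PRIVATE_KEY:?DKIM_PRIVATE_KEY must be set}"

# … unchanged: auth setup, self-signed TLS cert, selector file …

# Decode keys from base64; the private key must not be readable by other users.
dkim_dir="/harakaapp/config/dkim/$DOMAIN"
printf '%s' "$DKIM_PUBLIC_KEY" | base64 -d > "$dkim_dir/public"
( umask 077; printf '%s' "$DKIM_PRIVATE_KEY" | base64 -d > "$dkim_dir/private" )

# Run haraka as PID 1 so container signals are delivered to it.
exec haraka -c /harakaapp
```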