Let's Encrypt / Dovecot / Postfix / UFW firewall / Certbot

This tutorial describes how to install TLS to a mail server consisting of Postfix and/or Dovecot by using Let's Encrypt certificates with automatic renewing and firewall management.

This tutorial assumes the following prerequisites:

Setting up a Linux system as a mail server with virtual users

Introduction

Mail Transfer Agent

A Mail Transfer Agent (MTA) is the program which receives and sends out the email from your server, and is therefore the key part. In this guide is used Postfix.

Mail filtering

You can add filtering in your mail chain, mainly in order to detect spam and viruses. This how-to only covers spam filter: SpamassAssin.

curl -sSf --max-time 120 'https://websitetomonitor.url' --compressed || echo "do something with alarm on failure"

-s means silent -S show error -f Fail silently (no output at all) on server errors --max-time maximum time allowed for request

Using cron to run script

*/2 * * * * /usr/local/bin/check_website.sh

Every 2 minutes

Create swapfile

sudo install -o root -g root -m 0600 /dev/null /swapfile

Write out a 4GB file named ‘swapfile’

dd if=/dev/zero of=/swapfile bs=1k count=4096k

Let linux know about swap file

mkswap /swapfile

Activate

swapon /swapfile

activate swap also after boot. Add to the file system table

echo "/swapfile       swap    swap    auto      0       0" | sudo tee -a /etc/fstab

$HTTP["host"] =~ "exampledomain.tld" {
server.document-root = "/var/www/replacedomain/public_html/"
server.error-handler-404 = "/index.php"
dir-listing.activate = "disable"
url.rewrite-final = (
"^/(sitemap.xml)" => "$0",
  "^/(.*).(.*)" => "$0",
  "^/(.*).(css|js|gif|jpg|png)$" => "$0",
   "^/(images|javascript|style)(.*)$" => "$0",
    "^/(.+)/?$" => "/index.php/$1"
)

}

Be sure to keep handler-404 when you have apps installed like classifieds

NGINX Tuning For Best Performance

For this configuration you can use web server you like, i decided, because i work mostly with it to use nginx.

Generally, properly configured nginx can handle up to 400K to 500K requests per second (clustered), most what i saw is 50K to 80K (non-clustered) requests per second and 30% CPU load, course, this was 2 x Intel Xeon with HyperThreading enabled, but it can work without problem on slower machines.

We will try something roughly equivalent to the following ProxyPass directives in Apache2:

ServerName www.example.com
...
ProxyPass        /foo/  http://foo.local
ProxyPassReverse /foo/  http://foo.local

In haproxy.cfg define a backend named foo, to reverse-proxy to foo.local backend server.

Setting up

yum install proftpd

cd ~/

wget https://gist.github.com/raw/4296200/proftpd.conf.patch

cd /etc/

patch < ~/proftpd.conf.patch 

touch /etc/proftpd.sftp.passwd

chown nobody:nobody /etc/proftpd.sftp.passwd

chmod 600 /etc/proftpd.sftp.passwd

cd ~/

wget http://www.castaglia.org/proftpd/contrib/ftpasswd

Steps to setup easy-openvpn on Ubuntu Core

This gist is to accompany a more wordy blog post which covers everything in much more detail. These are the easily copy/pastable steps.

For this you will need:-

Configuring the OpenWhisk server

Manually setting up Openwhisk and CouchDB on a fresh Ubuntu 16.04 server.

Based on the OpenWhisk Ansible README, which at the time of writing is missing some key steps - hence this new guide.