index.json
[
{
"uri": "/install/",
"title": "Installation overview",
"tags": [],
"description": "",
"content": "Overview Set up secrets Set up vars Set up the inventory Execute site-preinstall playbook Execute site-install playbook Execute site-extras playbook (optional)\nSet up secrets.yml The ansible setup needs a few passwords to be generated on the user side, with the help of scripts/gen_secrets.py, which is to be run via\n$ python3 scripts/gen_secrets.py\nThis will create/modify the file secrets.yml by adding the (randomly generated) passwords needed by the setup; any existing passwords are not overwritten.\nSet up vars.yml It is recommended to first start with a minimal configuration of only the necessities and then re-run the installation to enable the optional extras.\nA detailed description of each option is given in the vars-sample.yml file.\nA minimal configuration using the optional, but highly recommended, nsd(8) setup would be similar to:\nhostname: mail.aisha.cc\nadmin: aisha\ndomains:\n  - name: aisha.cc\n    nsd: true\nenable_nsd: true\n# ip1\nipv4: 108.61.81.40\nipv6: 2001:19f0:5:36b:5400:2ff:fe7f:a634\n# ip2\nsecondary_nameservers:\n  - '69.65.50.192' # freedns2\n  - '109.201.133.111' # rest are cloudns\n  - '209.58.140.85'\n  - '54.36.26.145'\n  - '185.206.180.104'\n  - '185.136.96.66'\n  - '185.136.97.66'\n  - '185.136.98.66'\n  - '185.136.99.66'\n  - '185.206.180.193'\n  - '2a00:1768:1001:9::31:1'\n  - '2605:fe80:2100:a013:7::1'\n  - '2a0b:1640:1:1:1:1:8ec:5a47'\n  - '2a06:fb00:1::1:66'\n  - '2a06:fb00:1::2:66'\n  - '2a06:fb00:1::3:66'\n  - '2a06:fb00:1::4:66'\n  - '2a0b:1640:1:3::1'\n# ip3\npublic_nameservers:\n  - name: freedns2 # freedns2\n    ipv4: 66.65.50.223\n  - name: pns31 # rest are cloudns\n    ipv4: 185.136.96.66\n    ipv6: 2a06:fb00:1::1:66\n  - name: pns32\n    ipv4: 185.136.97.66\n    ipv6: 2a06:fb00:1::2:66\n  - name: pns33\n    ipv4: 185.136.98.66\n    ipv6: 2a06:fb00:1::3:66\n  - name: pns34\n    ipv4: 185.136.99.66\n    ipv6: 2a06:fb00:1::4:66\n  - name: ns31\n    ipv4: 109.201.133.111\n    ipv6: 2a00:1768:1001:9::31:1\n  - name: ns32\n    ipv4: 209.58.140.85\n    ipv6: 2605:fe80:2100:a013:7::1\n  - name: ns33\n    ipv4: 54.36.26.145\n  - name: ns34\n    ipv4: 185.206.180.104\n    ipv6: 2a0b:1640:1:1:1:1:8ec:5a47\nSet up the inventory If you are running Ansible on the mail server, the default inventory-sample.ini should be enough. Just copy and rename the file to inventory.ini and it should work.\n[extraserver]\nextra ansible_connection=local ansible_python_interpreter=/usr/local/bin/python3\n\n[mainserver]\nextra ansible_connection=local ansible_python_interpreter=/usr/local/bin/python3\n\n[global:children]\nextraserver\nmainserver\nExecute site-preinstall playbook The first playbook to run is the site-preinstall.yml:\n$ ansible-playbook site-preinstall.yml\nThis runs the following preliminary roles (in order) for a basic setup:\nbase: Sets up logging, login and cron jobs. Deploys excision commands. Sets up MTA-STS, OpenPGP Web Key Service and client autodiscovery infrastructure.\npf: Sets up basic pf(5) firewall rules.\nsyslog: Configures syslogd(8).\nknot (optional, highly recommended): Sets up knot DNS for all domains with the dns option enabled and configures an authoritative nameserver for a stealth master setup.\nzones (optional, highly recommended): Generates DNS zone files for knot. Generates DKIM certificates.\nIt will take about 10-15 minutes after running the site-preinstall role for the DNS changes to be in effect. Running the site-install role too soon may cause it to abort, as Let's Encrypt may not be able to find the websites.\nIf you skipped the setup and configuration of knot, you should now follow the Manual DNS Setup guide to create the DNS records in your provider's interface. For DKIM keys, log in to the mailserver and create the DKIM keys manually with:\n$ excision ensure-dkim\nAdd the TXT records excisionRSA._domainkey (for outgoing mails signed by rspamd) and davRSA._domainkey (optional, for outgoing scheduling requests by davical) with the values shown in the above command's output.\nExecute site-install playbook The bulk of the work is done in the site-install.yml playbook:\n$ ansible-playbook site-install.yml\nThe following roles are run (in order):\nnginx_core: Installs nginx and configures basic webserver settings. Web server for all domains and subdomains.\nacme: Creates the SSL certificates with acme-client(1).\nnginx_main_sites: Configures nginx to serve ACME challenges, MTA-STS information, OpenPGP Web Key Service and client autodiscovery.\nopenldap (work in progress): Sets up LDAP for all services to bind against (support in OpenSMTPD pending).\nspamd (optional): Sets up greylisting and tarpitting for spam protection.\nredis: Sets up redis for use in rspamd.\nclamav (optional): Sets up an antivirus which scans all attachments and emails. WARNING: this is quite heavy and may cripple smaller servers.\nrspamd: Provides a lot of spam protection techniques. Enables DKIM signing for outgoing mails.\nsmtpd: Finally sets up the actual OpenSMTPD MTA.\ndovecot: Sets up the IMAP/POP3 servers. Sets up the local MDA for virtual users.\nExecute site-extras playbook (optional) This enables extra functionality that is not inherently needed for an email server but has become ubiquitous for almost all email setups.\n$ ansible-playbook site-extra.yml\nThis installs and configures (in order):\nphp\nmariadb\nbaikal: Calendar + contacts server.\nroundcube: Webmail server, along with a managesieve plugin for server side mail filtering.\n"
},
{
"uri": "/features/",
"title": "Feature Highlights",
"tags": [],
"description": "",
"content": "Security Email Calendar and Contacts System Management "
},
{
"uri": "/install/expert/",
"title": "Expert Installation",
"tags": [],
"description": "",
"content": "Overview The overall structure is similar to the standard installation process, wherein you run the three roles in order.\nThe only catch here is that the installation is going to be on two separate servers, which necessitates a more complex vars.yml file.\nArchitecture overview [Flowchart: Excision Mail: Distributed Setup. Nodes: Main Server (small), Extras Server (medium), Secondary DNS Server (medium), Public facing DNS Server (small), User PC (small), Registrar (large).]\nSet up vars.yml An example vars.yml for the above installation:\nhostname: mail.aisha.cc\nadmin: aisha\ndomains:\n  - name: aisha.cc\n    nsd: true\n  - name: epsilonknot.xyz\n    nsd: true\n  - name: bsd.ac\n    nsd: true\nenable_nsd: true\nusername_delimiter: \".\"\nenable_spamd: true\nrspamd_enable_pretrain: true\nprivate_interface: wg0\nenable_extras: true\nextras_not_home: true\nextras_interface: wg0\nextras_ip: 10.7.0.3\n# needed as second server is a -current server\n# which has a newer version of php set as default\nphp_pkg_version: 7.3.22\npgsql_password_roundcube: prollySOMEpassword\nrc_encryption_key: somethingsomethingencrypt\ndavical_dba_password: \"somedavicalpassword!!!!\"\ndavical_app_password: \"someotherdavicalappPASSWD123123\"\ndavical_tmp_admin_password: \"sup3rc00ltempPASSWD\"\n# ip1\nipv4: 108.61.81.40\nipv6: 2001:19f0:5:36b:5400:2ff:fe7f:a634\n# ip2\nsecondary_nameservers:\n  - ipv4: 69.65.50.192 # freedns2\n  - ipv4: 109.201.133.111 # rest are cloudns\n  - ipv4: 209.58.140.85\n  - ipv4: 54.36.26.145\n  - ipv4: 185.206.180.104\n  - ipv4: 185.136.96.66\n  - ipv4: 185.136.97.66\n  - ipv4: 185.136.98.66\n  - ipv4: 185.136.99.66\n  - ipv4: 185.206.180.193\n  - ipv6: 2a00:1768:1001:9::31:1\n  - ipv6: 2605:fe80:2100:a013:7::1\n  - ipv6: 2a0b:1640:1:1:1:1:8ec:5a47\n  - ipv6: 2a06:fb00:1::1:66\n  - ipv6: 2a06:fb00:1::2:66\n  - ipv6: 2a06:fb00:1::3:66\n  - ipv6: 2a06:fb00:1::4:66\n  - ipv6: 2a0b:1640:1:3::1\n# ip3\npublic_nameservers:\n  - name: freedns2 # freedns2\n    ipv4: 66.65.50.223\n    ipv6: 2001:1850:1:5:800::6b\n  - name: pns31 # rest are cloudns\n    ipv4: 185.136.96.66\n    ipv6: 2a06:fb00:1::1:66\n  - name: pns32\n    ipv4: 185.136.97.66\n    ipv6: 2a06:fb00:1::2:66\n  - name: pns33\n    ipv4: 185.136.98.66\n    ipv6: 2a06:fb00:1::3:66\n  - name: pns34\n    ipv4: 185.136.99.66\n    ipv6: 2a06:fb00:1::4:66\n  - name: ns31\n    ipv4: 109.201.133.111\n    ipv6: 2a00:1768:1001:9::31:1\n  - name: ns32\n    ipv4: 209.58.140.85\n    ipv6: 2605:fe80:2100:a013:7::1\n  - name: ns33\n    ipv4: 54.36.26.145\n  - name: ns34\n    ipv4: 185.206.180.104\n    ipv6: 2a0b:1640:1:1:1:1:8ec:5a47\nSet up the inventory\n# this is a -current server\n[extraserver]\nextra ansible_host=10.7.0.3 ansible_python_interpreter=/usr/local/bin/python3.9\n\n[mainserver]\nmain ansible_host=10.7.0.1 ansible_python_interpreter=/usr/local/bin/python3.8\n\n[global:children]\nextraserver\nmainserver\nExecute the playbook roles "
},
{
"uri": "/overview/",
"title": "System Overview",
"tags": [],
"description": "",
"content": "Overview of the general system design principles and workings of Excision Mail\n"
},
{
"uri": "/backups/",
"title": "System Backups",
"tags": [],
"description": "",
"content": "Important non-replaceable files These files are generated over time when using Excision and cannot be restored by the ansible scripts:\n# excision config files folder\n/etc/excision/\n# excision-passwd home folder\n# - contains ssh keys of users\n/var/excision-passwd/\n# excision user home folder\n# - contains important gpg keys\n/var/excision-home/\n# published gpg keys of users\n/var/www/openpgpkey/\n# and of course, the whole email folder\n/var/excision/\nExample backup using restic Here is a sample configuration using restic which does a daily backup to a remote repo, using /etc/daily.local:\n# set up a restic repo somewhere which can be accessed\n# using your desired method\nRESTIC_REPO=\"sftp:truenas:/mnt/Media/backups/mail.aisha.cc\"\nenv RESTIC_PASSWORD_FILE=\"/root/.ssh/restic\" \\\nHOME=\"/root\" \\\n/usr/local/bin/restic --repo ${RESTIC_REPO} \\\n\t--verbose backup \\\n\t--exclude-if-present=no_restic \\\n\t--exclude-file=/etc/restic.exclude \\\n\t--files-from=/etc/restic.include \\\n\t--tag=\"$(date +%c)\"\n# list changes between the two most recent snapshots\nPREV=$(env RESTIC_PASSWORD_FILE=\"/root/.ssh/restic\" HOME=\"/root\" \\\n\t/usr/local/bin/restic --repo ${RESTIC_REPO} \\\n\tsnapshots --compact | tail -4 | head -1 | awk '{print $1}')\nLAST=$(env RESTIC_PASSWORD_FILE=\"/root/.ssh/restic\" HOME=\"/root\" \\\n\t/usr/local/bin/restic --repo ${RESTIC_REPO} \\\n\tsnapshots --compact | tail -3 | head -1 | awk '{print $1}')\n# this runs as root, so use an unpredictable temp file name instead of /tmp/rdiff.${RANDOM}\nRDIFF_FILE=$(mktemp /tmp/rdiff.XXXXXXXX)\nenv RESTIC_PASSWORD_FILE=\"/root/.ssh/restic\" HOME=\"/root\" \\\n\t/usr/local/bin/restic --repo ${RESTIC_REPO} \\\n\tdiff ${PREV} ${LAST} > ${RDIFF_FILE}\nNLINES=$(wc -l \"${RDIFF_FILE}\" | awk '{print $1}')\nif [ $NLINES -gt 108 ] ; then\n\thead -n 100 ${RDIFF_FILE}\n\tprintf \"======= SNIP ======\\n\"\n\ttail -n 8 ${RDIFF_FILE}\nelse\n\tcat ${RDIFF_FILE}\nfi\nrm -f ${RDIFF_FILE}\nunset RDIFF_FILE RESTIC_REPO NLINES\nThe recommended restic.include:\n/bin\n/etc\n/home\n/root\n/sbin\n/usr\n/var\nand /etc/restic.exclude:\n/var/run\n"
},
{
"uri": "/guides/",
"title": "Extra guides",
"tags": [],
"description": "",
"content": "Guides not directly related to the base Excision Mail system\n"
},
{
"uri": "/guides/secondary/",
"title": "Secondary nameserver overview",
"tags": [],
"description": "",
"content": "Secondary and Primary DNS explanations First let us look at the big picture of the stealth master configuration of a DNS server.\nLARGE, SMALL, MEDIUM show the computing capabilities of the server.\n\n---------------------                   ---------------------                ---------------------\n|      (SMALL)      |      NOTIFY       |     (MEDIUM)      |   (internal)   |      (LARGE)      |\n|     Personal      | ----------------> |   Secondary DNS   | <------------> |   Public facing   |\n|        VPS        | <---------------- |     server IP     |                |    DNS server     |\n|       [ip1]       |   AXFR request    |       [ip2]       |                |       [ip3]       |\n---------------------                   ---------------------                ---------------------\n    |   ^                                                                              |   ^\n    |   |   two way communication between VPS and user                                 |   |  up: domain ip query\n    |   |                                                                              |   |  down: ip1 as address of domain\n    |   |     ---------------------   primary NS query   ---------------------          |   |\n    |   |     |      (LARGE)      | <------------------ |      (USER)       | <---------   |\n    |   |     |     Registrar     | ------------------> |       user        | --------------\n    |   |     |  ip3 as primary   |         NS          |                   |\n    |   |     ---------------------                     ---------------------\n    |   |                                                       |   ^\n    |   ---------------------------------------------------------   |\n    -----------------------------------------------------------------\n\nQuick overview of DNS DNS stands for domain name server/system and is the first step in establishing communication with a host.\nDNS is the method to translate a name of the form https://openbsd.org to an IPv4 address, which can be of the form 129.128.5.194, or an IPv6 address, which is a lot more complex, of the form dead::beef.\nDNS flow overview A user does not necessarily store all the translation information in their local server.\nThe way a user gets this translation is by querying the primary nameservers of the domain, asking for the IP of the domain.\nPrimary nameservers Primary nameservers are the ones which answer the user's query for the IP of a domain.\nThese are queried millions of times a second from different places for different domains, hence they are hosted on highly powerful computers.\nAs the first step, even before communicating with the server, the user must know the IP address of the primary nameservers.\nThe user gets the primary nameserver by querying different registrars for the primary nameserver of a domain.\nThere are a lot of registrars and they have their own methods of making sure that the information between registrars is in sync. Typically, you update the IP addresses of the primary nameservers at your registrar, where you bought the domain name from, and this information is synced all throughout the world very soon (we don't cover recursive DNS and other complex things here).\nThis way it is fairly fast for a user to get the primary nameservers of your domain.\nSecondary nameservers But how does the primary nameserver get the information?\nThe answer to that is the stealth master configuration.\nThe DNS service provider will query your personal VPS for all the information and then will start answering the queries of users.\nBut the DNS provider does not do this through the same servers that it answers queries from.\nIt is done via other medium sized servers, which are called secondary nameservers, which query your VPS in two ways:\nEither by doing queries periodically, or your VPS sends a notification (NOTIFY) to the secondary nameserver, informing it that some change has happened and it should query you asap.\nThe second method is called the NOTIFY from your VPS to the secondary DNS.\nHence it is vital to get the DNS service from a provider who supports the NOTIFY protocol.\nThe query made by the secondary nameserver is called a zone transfer (AXFR) query, wherein it asks your VPS for the full zone file of the domain.\nThis method of querying a computer for the zone file of a domain has been exploited to carry out DDoS attacks and needs careful adjustment to only allow the proper IPs to make AXFR requests.\nNow the DNS provider's secondary nameserver will take your zone file and then update the public facing nameservers fairly soon (typically <5 mins).\nStealth master For the DNS provider to get the full zone info, it first needs the IP address of your VPS. This is one of the reasons why hosting services at home is a tough situation, as your home address is fairly fickle.\nHence your VPS is the master provider of the DNS information, but because it is a small server, we delegate the responsibility to answer the users' queries to the LARGE servers from your DNS service provider.\nNone of the users ever know that the actual authoritative information is stored in a different location, your VPS server, hence it is called a stealth master.\nExcision setup Excision does this automatically provided that you give the ip2 and ip3 in the configuration.\nip2 - This is the address that is allowed to make AXFR requests and also the address that NOTIFY updates are sent to.\nip3 - This is added in the zone file for a cross check with your registrar to make sure that the proper nameservers are used.\nTypically, when you buy a DNS service, they will have the information of the public facing nameservers and the secondary nameservers somewhere in their web UI.\nJust take the two lists of IP addresses and add them in the appropriate place in the vars.yml file.\n"
},
{
"uri": "/guides/freedns/",
"title": "FreeDNS setup",
"tags": [],
"description": "",
"content": "FreeDNS (afraid.org) Example setup for stealth master configuration using freedns.afraid.org\nFreeDNS configuration First make an account on FreeDNS and then go to add backup dns:\nhttps://freedns.afraid.org/secondary/add.php\nSecondary servers The information related to secondary nameservers is available on their website: https://freedns.afraid.org/secondary/instructions.php\nNOTE: This still hasn't given you the ip of ns2.afraid.org. You should poke around on their website to find the relevant information or use the host command on OpenBSD to get the ip addresses of ns2.afraid.org.\n$ host ns2.afraid.org\nns2.afraid.org has address 69.65.50.223\nns2.afraid.org has IPv6 address 2001:1850:1:5:800::6b\nRegistrar configuration (namecheap) You can set up the configuration at your registrar, depending on your provider. E.g. on NameCheap:\n"
},
{
"uri": "/guides/manualdns/",
"title": "Manual DNS setup",
"tags": [],
"description": "",
"content": "If enable_dns has not been selected and DNS is managed manually, the DNS records described in the following sections must be enabled.\nAssumptions\nDomain name: domain.xyz\nIPv4 address: x.x.x.x\nIPv6 address: xx::xx\nMail subdomain: {{ mail }}\nSubdomains used The following subdomains are used and should point to x.x.x.x and xx::xx:\n{{ mail }}, autoconfig, autodiscover, dav, imap, mta-sts, openpgpkey, pop3, rspamd, smtp, webmail, wkd\nMX records\nSubdomain | Mail provider\n@ | {{ mail }}.domain.xyz.\nIf domain.xyz is an extra domain added on the server for primary_domain.abc, then the above MX record should point to {{ mail }}.primary_domain.abc.\nSRV records\nSRV record | Priority | Weight | Port | Domain\n_autodiscover._tcp | 0 | 0 | 443 | autodiscover.domain.xyz.\n_submissions._tcp | 0 | 1 | 465 | smtp.domain.xyz.\n_submission._tcp | 0 | 1 | 587 | smtp.domain.xyz.\n_imaps._tcp | 0 | 1 | 993 | imap.domain.xyz.\n_pop3s._tcp | 0 | 1 | 995 | pop3.domain.xyz.\n_carddav._tcp | 5 | 1 | 80 | dav.domain.xyz.\n_carddavs._tcp | 0 | 1 | 443 | dav.domain.xyz.\n_caldav._tcp | 5 | 1 | 80 | dav.domain.xyz.\n_caldavs._tcp | 0 | 1 | 443 | dav.domain.xyz.\n_ischedules._tcp | 0 | 1 | 443 | dav.domain.xyz.\n_imap._tcp | 0 | 0 | 0 | . (OPTIONAL, depending on DNS provider compatibility)\n_pop3._tcp | 0 | 0 | 0 | . (OPTIONAL, depending on DNS provider compatibility)\nTXT records\nID | TEXT\n@ | \"v=spf1 mx:pdomain.abc -all\"\n_dmarc | \"v=DMARC1;p=reject;pct=100;rua=mailto:dmarcreports@domain.xyz\"\n_smtp._tls | \"v=TLSRPTv1;rua=mailto:tlsreports@domain.xyz;\"\n_mta-sts | \"v=STSv1;id={MTA-STS-ID};\"\nexcisionRSA._domainkey | \"v=DKIM1;k=rsa;p={EXCISIONKEY}\"\ndavRSA._domainkey | \"k=rsa;t=s;p={DAVKEY}\"\nThe {MTA-STS-ID} is an ID which should only increase over time. It represents the last time the MTA-STS information for a domain was changed. Realistically, this can be set to the date and time of creating (or modifying) this record, e.g. 20220114T165521.\n{EXCISIONKEY} and {DAVKEY} are the keys stored in /etc/excision/dkim/excisionRSA.domain.xyz.pub and /etc/excision/dkim/davRSA.domain.xyz.pub, respectively. The TXT records are created and stored in /etc/excision/dkim/excisionRSA.domain.xyz.txt and /etc/excision/dkim/davRSA.domain.xyz.txt.\nDepending on the DNS provider, the key generated by Excision is going to be too large to fit in one record. The DNS provider's documentation should show how to fit a large key into a TXT record. The workaround for this is to store more than one string in a DNS record (yes, this is possible, but the implementation depends on the hosting provider's UI). Excision Mail breaks the record down into correctly sized pieces and stores it in the text files above in the format:\n( \"v=DKIM1;k=rsa;p=oQWCm252...\" \"....NnsPq;\" )\n"
},
{
"uri": "/guides/web-key-directory/",
"title": "Web Key Directory and Service",
"tags": [],
"description": "",
"content": "Web Key Directory is a method of public key discovery through HTTPS. Web Key Service is a protocol to allow users to publish their public key to a WKD server.\nExcision Mail comes with a setup of Web Key Directory (WKD) and GnuPG Web Key Service (WKS) which work out of the box for all providers and consumers, allowing publication of PGP keys on the mail hosting server, as opposed to centralized keyservers. One of the key advantages of PGP is to decentralize information to build a web of trust, hence hosting a WKD plays a vital part in ensuring a rich ecosystem. The WKD/WKS RFC details the technical specifications to host a WKD server. This documentation only goes over the user side setup, showing how a user can publish their PGP key to the Excision Mail system.\nTo publish a key using WKS, a mail client is required. Many mail clients support the GnuPG-WKS protocol, such as KMail, mutt, neomutt and Claws Mail (through the enigmail plugin).\nNeoMutt This configuration setup uses mutt-wizard, a very handy setup to configure NeoMutt, which should work for most users. The OpenBSD package also supports WKD/WKS out of the box.\nThe general outline of the process:\n1. Add an account using mutt-wizard. While adding an account, specify the port as 587.\n2. Create a GnuPG key (or skip if one already exists).\n3. Start neomutt and begin a key publishing request: Alt + g.\n4. Receive a confirmation request. Press o (small-oh) to sync mail.\n5. Send a mail confirming publication: Alt + h. The confirmation request must be highlighted while pressing this shortcut.\n6. Receive a mail confirming publication. Press o (small-oh) to sync mail.\n7. Manually verify that the key has been published.\n$ mw -a test-user@bsd.ac -S 587\nGive your email server's IMAP address (excluding the port number): imap.bsd.ac\nGive your email server's SMTP address (excluding the port number): smtp.bsd.ac\nEnter password for test-user@bsd.ac:\nRetype password for test-user@bsd.ac:\ntest-user (account #1) added successfully.\n$ mw -l\n1 test-user@bsd.ac\n$ gpg --quick-generate-key test-user@bsd.ac\nAbout to create a key for:\n    \"test-user@bsd.ac\"\n\nContinue? (Y/n)\nWe need to generate a lot of random bytes. It is a good idea to perform\nsome other action (type on the keyboard, move the mouse, utilize the\ndisks) during the prime generation; this gives the random number\ngenerator a better chance to gain enough entropy.\nWe need to generate a lot of random bytes. It is a good idea to perform\nsome other action (type on the keyboard, move the mouse, utilize the\ndisks) during the prime generation; this gives the random number\ngenerator a better chance to gain enough entropy.\n...\n...\n...\n$ neomutt\n<Alt + g>   # begin a WKS publication request\n...\n...\n...\nEnter email ID of user to publish: test-user@bsd.ac\nEnter fingerprint of GPG key to publish: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\ngpg-wks-client: submitting request to 'wks@bsd.ac'\n<o>         # small-oh (sync mail)\n   1 Ns+ 21/10/31 06:58PM wks@bsd          Confirm your key publication (2.4K)\n<Alt + h>   # the confirmation request must be highlighted\n...\n...\n...\ngpg-wks-client: wkd data found\ngpg-wks-client: draft version 2 requested\n<o>         # small-oh (sync mail)\n   1 NP+ 21/10/31 07:02PM wks@bsd          Your key has been published (1.5K)\n<q>         # quit neomutt\n$ gpg -v --auto-key-locate=clear,wkd,nodefault --locate-key test-user@bsd.ac\n...\n...\n...\ngpg: automatically retrieved 'test-user@bsd.ac' via WKD\n...\n...\n...\n"
},
{
"uri": "/",
"title": "Excision Mail",
"tags": [],
"description": "",
"content": "Excision Mail Fullstack, security focused mailserver based on OpenSMTPD for OpenBSD.\nWebsite is still a WIP but feel free to explore and give feedback.\n "
},
{
"uri": "/categories/",
"title": "Categories",
"tags": [],
"description": "",
"content": ""
},
{
"uri": "/categories/main/",
"title": "main",
"tags": [],
"description": "",
"content": ""
},
{
"uri": "/tags/",
"title": "Tags",
"tags": [],
"description": "",
"content": ""
}]