Compare commits

..

3 Commits

Author SHA1 Message Date
Adrian 65dda1f790 Proper PAM config to disable session logging 2020-08-28 00:51:28 +02:00
Adrian 67dbae6477 Add postfix recipient access restrictions 2020-08-28 00:46:57 +02:00
Adrian 527a120468 Fix sshd user config 2020-08-28 00:27:51 +02:00
8 changed files with 27 additions and 3 deletions

View File

@ -0,0 +1,2 @@
dbpath = /data/mail/config/vmail.db
query = SELECT action FROM access WHERE address = '%s'

View File

@ -38,3 +38,5 @@ smtpd_sender_login_maps = sqlite:/etc/postfix/login.cf, $virtual_alias_maps
smtpd_milters = unix:private/opendkim smtpd_milters = unix:private/opendkim
non_smtpd_milters = $smtpd_milters non_smtpd_milters = $smtpd_milters
smtpd_recipient_restrictions = check_recipient_access sqlite:/etc/postfix/access.cf

View File

@ -4,3 +4,4 @@ create table mailbox (username varchar(255) not null primary key, password varch
create table dkim (match varchar(255) not null primary key, key varchar(255) not null); create table dkim (match varchar(255) not null primary key, key varchar(255) not null);
create table dkim_key (key varchar(255) not null primary key, domain varchar(255) not null, selector varchar(255) not null, private_key varchar(65535) not null); create table dkim_key (key varchar(255) not null primary key, domain varchar(255) not null, selector varchar(255) not null, private_key varchar(65535) not null);
create table access (address varchar(255) not null primary key, action varchar(255) not null);

View File

@ -18,8 +18,9 @@ sudo cp 99-no-wifi-on-ethernet /etc/NetworkManager/dispatcher.d
sudo sed -i '$ a EXTRA_OPTS=-L 4' /etc/default/cron sudo sed -i '$ a EXTRA_OPTS=-L 4' /etc/default/cron
``` ```
## Do not log cron sessions ## Do not log sessions
```sh ```sh
sudo sed -i '/pam_unix.so/ i session [success=1 default=ignore] pam_succeed_if.so service in cron quiet' /etc/pam.d/common-session-noninteractive sudo cp unix-no-session-log /usr/share/pam-configs
sudo pam-auth-update # Select OK to update
``` ```

View File

@ -0,0 +1,6 @@
Name: Unix authentication - no session logging
Default: yes
Priority: 257
Session-Type: Additional
Session:
[success=1 default=ignore] pam_succeed_if.so service in cron:sudo quiet

View File

@ -5,7 +5,9 @@ Switch to your main user with `su - adminuser` afterwards.
```sh ```sh
sudo sed -i '$ a sshlogin:*:1001:65534::/home/sshlogin:/bin/sh' /etc/passwd sudo sed -i '$ a sshlogin:*:1001:65534::/home/sshlogin:/bin/sh' /etc/passwd
sudo cp *.conf /etc/ssh/sshd_config.d sudo sed -i '$ a Match User *' /etc/ssh/sshd_config
sudo sed -i '$ a Include /etc/ssh/sshd_config.d/*.user' /etc/ssh/sshd_config
sudo cp *.conf *.user /etc/ssh/sshd_config.d
sudo mkdir -p /home/sshlogin/.ssh sudo mkdir -p /home/sshlogin/.ssh
sudo chown sshlogin:root /home/sshlogin/.ssh sudo chown sshlogin:root /home/sshlogin/.ssh
@ -13,3 +15,13 @@ sudo chown sshlogin:root /home/sshlogin/.ssh
* Either create a password with `sudo passwd sshlogin` or * Either create a password with `sudo passwd sshlogin` or
* Add a key `sudo -u sshlogin editor /home/sshlogin/.ssh/authorized_keys` * Add a key `sudo -u sshlogin editor /home/sshlogin/.ssh/authorized_keys`
* Test config for user with `sudo sshd -T -C user=sshlogin`
## Notes
> Included files do not affect the match context of the file including them.
https://bugzilla.mindrot.org/show_bug.cgi?id=2468#c26
According to the tests, the above is possible:
https://github.com/openssh/openssh-portable/blob/master/regress/servcfginclude.sh