XMPP Network Graph

server {
    listen [::]:443 ssl http2;
    server_name woodpeckersnest.eu;
    ssl_certificate /etc/letsencrypt/live/woodpeckersnest.eu/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/woodpeckersnest.eu/privkey.pem;
    root /var/www/mail/;
    location / {
        try_files /.well-known/autoconfig/mail/config-v1.1.xml =404;
    }
    access_log /var/log/nginx/autoconfig.log;
    error_log /var/log/nginx/autoconfig_error.log;
}
<?xml version="1.0"?>
<clientConfig version="1.1">
<emailProvider id="woodpeckersnest.eu">
<domain>woodpeckersnest.eu</domain>
<displayName>Woodpeckers Mail</displayName>
<displayShortName>woodpeckers</displayShortName>
<!-- type=
"imap": IMAP
"pop3": POP3
-->
<incomingServer type="imap">
<hostname>woodpeckersnest.eu</hostname>
<port>993</port>
<!-- "plain": no encryption
"SSL": SSL 3 or TLS 1 on SSL-specific port
"STARTTLS": on normal plain port and mandatory upgrade to TLS via STARTTLS
-->
<socketType>SSL</socketType>
<username>%EMAILLOCALPART%</username>
<!-- Authentication methods:
"password-cleartext",
Send password in the clear
(dangerous, if SSL isn't used either).
AUTH PLAIN, LOGIN or protocol-native login.
"password-encrypted",
A secure encrypted password mechanism.
Can be CRAM-MD5 or DIGEST-MD5. Not NTLM.
"NTLM":
Use NTLM (or NTLMv2 or successors),
the Windows login mechanism.
"GSSAPI":
Use Kerberos / GSSAPI,
a single-signon mechanism used for big sites.
"client-IP-address":
The server recognizes this user based on the IP address.
No authentication needed, the server will require no username nor password.
"TLS-client-cert":
On the SSL/TLS layer, the server requests a client certificate and the client sends one (possibly after letting the user select/confirm one), if available. (Not yet supported by Thunderbird)
"OAuth2":
OAuth2. Works only on specific hardcoded servers, please see below. Should be added only as second alternative.
"none":
No authentication
-->
<authentication>password-cleartext</authentication>
</incomingServer>
<outgoingServer type="smtp">
<hostname>woodpeckersnest.eu</hostname>
<port>587</port>
<socketType>STARTTLS</socketType> <!-- see <incomingServer> -->
<username>%EMAILLOCALPART%</username> <!-- if smtp-auth -->
<!-- smtp-auth (RFC 2554, 4954) or other auth mechanism.
For values, see incoming.
Additional options here:
"SMTP-after-POP":
authenticate to incoming mail server first
before contacting the smtp server.
Compatibility note: Thunderbird 3.0 accepts only "plain",
"secure", "none", and "smtp-after-pop".
It will ignore the whole XML file, if other values are given.
-->
<authentication>password-cleartext</authentication>
<!-- If the server makes some additional requirements beyond
<authentication>.
"client-IP-address": The server is only reachable or works,
if the user is in a certain IP network, e.g.
the dialed into the ISP's network (DSL, cable, modem) or
connected to a company network.
Note: <authentication>client-IP-address</>
means that you may use the server without any auth.
<authentication>password-cleartext</> *and*
<restriction>client-IP-address</> means that you need to
be in the correct IP network *and* (should) authenticate.
Servers which do that are highly discouraged and
should be avoided, see {{bug|556267}}.
Not yet implemented. Spec (element name?) up to change.
-->
<!-- remove the following and leave to client/user? -->
<addThisServer>true</addThisServer>
<useGlobalPreferredServer>true</useGlobalPreferredServer>
</outgoingServer>
</emailProvider>
<!-- This allows to access the webmail service of the provider.
The URLs are loaded into a standard webbrowser for the user.
Specifying this is optional. -->
<webMail>
<!-- Webpage where the user has to log in manually by entering username
and password himself.
HTTPS required. -->
<loginPage url="https://webmail.woodpeckersnest.space/" />
<!-- Same as loginAutomaticDOM, but the website makes checks that
the user comes from the login page. So, open the login page
in the browser, get the page's DOM, fill out name and password
fields for the user, and trigger the login button.
The login button might not be an HTML button, just a div, so
to trigger it, send a click event to it.
HTTPS is required for the URL. -->
<loginPageInfo url="https://webmail.woodpeckersnest.space">
<!-- What to fill into the usernameField.
Format is the same as for <username> within <incomingServer>,
including placeholders. See below for valid placeholders. -->
<username>%EMAILLOCALPART%</username>
</loginPageInfo>
</webMail>
<clientConfigUpdate url="https://woodpeckersnest.eu/.well-known/autoconfig/mail/config-v1.1.xml" />
</clientConfig>
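An added example (not part of the original post or of Thunderbird): a small Python check for the combinations the comments above warn about, namely password-cleartext on a socketType without TLS, servers that take no credentials, and webmail or update URLs that are not HTTPS. The sample document and the example.test host names are constructed; the values in the file above (SSL on 993, STARTTLS on 587, HTTPS URLs) produce no findings.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not the page's file): one good server, one weak one.
SAMPLE = """<clientConfig version="1.1">
  <emailProvider id="example.test">
    <incomingServer type="imap">
      <hostname>mail.example.test</hostname><port>993</port>
      <socketType>SSL</socketType>
      <authentication>password-cleartext</authentication>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>mail.example.test</hostname><port>25</port>
      <socketType>plain</socketType>
      <authentication>password-cleartext</authentication>
    </outgoingServer>
  </emailProvider>
  <webMail><loginPage url="http://webmail.example.test/" /></webMail>
</clientConfig>"""

ENCRYPTED = {"SSL", "STARTTLS"}          # socketType values that use TLS
URL_TAGS = ("loginPage", "loginPageInfo", "clientConfigUpdate")

def audit_autoconfig(xml_text):
    """Return human-readable findings for an autoconfig v1.1 document."""
    root = ET.fromstring(xml_text)
    findings = []
    for server in root.iter():
        if server.tag not in ("incomingServer", "outgoingServer"):
            continue
        where = "%s %s:%s" % (server.tag, server.findtext("hostname", "?"),
                              server.findtext("port", "?"))
        sock = server.findtext("socketType", "").strip()
        auth = {(a.text or "").strip() for a in server.findall("authentication")}
        if sock not in ENCRYPTED:
            findings.append(where + ": socketType %r is not encrypted" % sock)
            if "password-cleartext" in auth:
                findings.append(where + ": password-cleartext sent without TLS")
        if auth & {"none", "client-IP-address"}:
            findings.append(where + ": server accepts mail clients without credentials")
    for tag in URL_TAGS:
        for el in root.iter(tag):
            if not el.get("url", "").lower().startswith("https://"):
                findings.append(tag + ": url is not HTTPS")
    return findings

if __name__ == "__main__":
    for line in audit_autoconfig(SAMPLE):
        print(line)
```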
Interesting project, feature-rich and almost complete. Thanks go to its main developer Schimon AKA "sch".
Here is the support room
Several months ago I was running a "matrix-docker-ansible" playbook on OVH, but limited resources led me to take it down.
More than once I thought about reviving that server (which I have backups of), but after reading about the changes the playbook has had so far and the difficulties of running a Matrix environment without exposing web ports (80 and 443), I thought it better to give up.
Yesterday I looked into Dendrite (a Matrix server written in Go), which looks a lot simpler than the whole lot the docker-ansible playbook offers, so I went ahead and installed it the manual way with nginx as reverse proxy. Easy peasy - documentation is quite good.
Today I also installed "Cinny" as a web client and I'm done for the moment... Federation works, registrations are closed (can invite friends though) and apart from RAM peaks and quite long waiting times when joining rooms (up to 2K members), the server is doing quite well: started with 700MB of RAM (at joining time) and went down to less than 300 in normal usage. CPU gets high spikes when sending messages but other than that it's just a few points %. Just don't even think about joining the official #matrix room or shit will happen 😀
My new Matrix username is: @roughnecks:woodpeckersnest.space, feel free to add me.
Radicale is a small but powerful CalDAV (calendars, to-do lists) and CardDAV (contacts) server, which:
First, make sure python 3.5 or later (python ≥ 3.6 is recommended) is installed. You will then need a web server such as Apache or nginx; this guide uses nginx and installs the packages available in Debian rather than using "pip".
# apt install radicale apache2-utils python3-passlib
# nano /etc/radicale/config
Change the following lines:
[server]
hosts = 127.0.0.1:5232
[auth]
type = http_x_remote_user
[rights]
type = owner_only
file = /etc/radicale/rights
[storage]
type = multifilesystem_nolock
[logging]
level = info
mask_passwords = True
[headers]
Access-Control-Allow-Origin = *
Now we can start the service:
# systemctl start radicale.service
# systemctl status radicale.service
To read the logs, type:
# journalctl -xe -u radicale.service
Once everything is set up and Radicale works correctly, we can enable the service at boot:
# systemctl enable radicale.service
Example nginx configuration:
server {
    listen 443 ssl http2;
    server_name cal.woodpeckersnest.space;
    ssl_certificate /etc/letsencrypt/live/cal.woodpeckersnest.space/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cal.woodpeckersnest.space/privkey.pem;
    error_log /var/log/nginx/radicale.err;
    access_log /var/log/nginx/radicale.log;
    add_header "X-XSS-Protection" "0";
    location / {
        return 301 /radicale/;
    }
    location /radicale/ { # The trailing / is important!
        proxy_pass http://localhost:5232/; # The / is important!
        proxy_set_header X-Script-Name /radicale;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Remote-User $remote_user;
        proxy_set_header Host $http_host;
        proxy_pass_header Authorization;
        auth_basic "Radicale - Password Required";
        auth_basic_user_file /etc/nginx/radicale-users;
    }
}
server {
    listen 0.0.0.0:80;
    server_name cal.woodpeckersnest.space;
    location / {
        return 301 /radicale/;
    }
    location /radicale/ {
        return 301 https://$host$request_uri;
    }
}
The line that reads:
auth_basic_user_file /etc/nginx/radicale-users;
tells us that we need to create the file at that path, holding the credentials of the users who will use the service.
The command to do this is "htpasswd":
$ htpasswd -c /etc/nginx/radicale-users <nome_utente>
Once you press Enter you will be asked for the password for the user <nome_utente> you chose, and everything will be saved in the file "/etc/nginx/radicale-users" (the -c flag creates the file and overwrites an existing one, so leave it out when adding further users). Restart nginx to finish.
As you can see from the nginx configuration file, you will need a DNS subdomain and the matching certificate (both are outside the scope of this guide).
We're done: connect to your subdomain and you should reach Radicale's login page. Following the nginx configuration file, in my case the link is:
https://cal.woodpeckersnest.space/
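With type = http_x_remote_user Radicale takes the user name from the X-Remote-User header, so the setup is only sound while Radicale listens on loopback and nginx both authenticates the request and overwrites that header. An added example (not from the original guide or the Radicale project) that checks those three conditions; the sample strings are constructed from the two files above, and the loopback default for a missing hosts line is an assumption.

```python
import configparser
import ipaddress
import re

# Constructed samples modelled on the guide's two files.
RADICALE_OK = "[server]\nhosts = 127.0.0.1:5232\n[auth]\ntype = http_x_remote_user\n"
RADICALE_EXPOSED = RADICALE_OK.replace("5232\n", "5232, 0.0.0.0:5232\n")
NGINX_OK = """
location /radicale/ {
    proxy_pass http://localhost:5232/;
    proxy_set_header X-Remote-User $remote_user;
    auth_basic "Radicale - Password Required";
    auth_basic_user_file /etc/nginx/radicale-users;
}
"""

def is_loopback(entry):
    """True if a Radicale 'host:port' listener is reachable only locally."""
    host = entry.strip().rsplit(":", 1)[0].strip("[]")
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # not an IP literal, so treat it as exposed

def audit(radicale_cfg, nginx_cfg):
    """Check that X-Remote-User can only come from the authenticating proxy."""
    cp = configparser.ConfigParser()
    cp.read_string(radicale_cfg)
    if cp.get("auth", "type", fallback="none") != "http_x_remote_user":
        return []  # another auth type: the header is not used
    findings = []
    # Assumption: with no hosts line Radicale listens on loopback only.
    hosts = cp.get("server", "hosts", fallback="localhost:5232").split(",")
    exposed = [h.strip() for h in hosts if not is_loopback(h)]
    if exposed:
        findings.append("X-Remote-User trusted on non-loopback listener: "
                        + ", ".join(exposed))
    if not re.search(r"^\s*proxy_set_header\s+X-Remote-User\s+\$remote_user\s*;",
                     nginx_cfg, re.M | re.I):
        findings.append("nginx does not overwrite X-Remote-User with $remote_user")
    if not re.search(r"^\s*auth_basic_user_file\s+\S+\s*;", nginx_cfg, re.M):
        findings.append("nginx location has no auth_basic_user_file")
    return findings
```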
Thanks to Zash and Jcbrand in the "Converse" MUC and a bit of hacking I was able to set up a few community plugins for my conversejs install as a prosody module.
Here's the configuration in /etc/prosody/prosody.cfg.lua:
conversejs_resources = "/usr/local/lib/prosody/modules/mod_conversejs/dist"
conversejs_tags = {
    -- Load favicon
    [[<link rel="shortcut icon" href="https://woodpeckersnest.space/images/converse-js.ico">]];
    -- Load libsignal-protocol.js for OMEMO support (GPLv3; be aware of licence implications)
    [[<script src="https://cdn.conversejs.org/3rdparty/libsignal-protocol.min.js"></script>]];
    -- Load community plugins
    [[<link type="text/css" rel="stylesheet" media="screen" href="conversejs/dist/plugins/search/search.css" />]];
    [[<script src="conversejs/dist/plugins/actions/actions.js"></script>]];
    [[<script src="conversejs/dist/plugins/search/search.js"></script>]];
    [[<script src="conversejs/dist/plugins/search/jspdf.debug.js"></script>]];
    [[<script src="conversejs/dist/plugins/search/jspdf.plugin.autotable.js"></script>]];
    [[<script src="conversejs/dist/plugins/toolbar-utilities/toolbar-utilities.js"></script>]];
    [[<script src="conversejs/dist/plugins/screencast/screencast.js"></script>]];
}
conversejs_options = {
    locked_domain = "woodpeckersnest.space";
    auto_focus = true;
    view_mode = "fullscreen";
    allow_registration = false;
    auto_reconnect = true;
    reuse_scram_keys = true;
    muc_clear_messages_on_leave = true;
    clear_cache_on_logout = false;
    play_sounds = true;
    whitelisted_plugins = {"actions", "search", "toolbar-utilities", "screencast"};
}
You'll have to copy the plugin directories (actions, search etc.) to this path:
/usr/local/lib/prosody/modules/mod_conversejs/dist/plugins/
Then reload configuration and conversejs module or restart prosody.
Already found a bug in "toolbar-utilities" and still haven't had a chance to try the screencast plugin, but they look good for the most part.
Maybe I will add Jitsi Meet or Voice Chat at some point.. Not now though. ¹
EDIT: screencast is working alright, but not in the way you'd expect. It's not live streaming; instead it's a recording of your screen which gets uploaded once you stop the cast.. I wouldn't say it's perfect, but it's not bad either.
¹ I've added them 😛
I was enabling Exim on my IONOS VPS to deliver email through a smarthost and encountered the error message in this post's title (unable to send to Gmail users.. It's always them!)
After fiddling a while with DMARC and SPF I reconfigured Exim itself to rewrite the sender address, so that emails coming from "spacenest.it" (IONOS domain) were sent as coming from "woodpeckersnest.eu", the smarthost and real email server.
Everything is done via this command:
# dpkg-reconfigure exim4-config
And the resulting configuration in /etc/exim4/update-exim4.conf is:
dc_eximconfig_configtype='smarthost'
dc_other_hostnames='cassandra.spacenest.it;spacenest.it'
dc_local_interfaces='127.0.0.1'
dc_readhost='woodpeckersnest.eu'
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost='pandora.woodpeckersnest.space::587'
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname='true'
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'
On OVH's postfix I just had to modify this line in /etc/postfix/main.cf:
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 94.143.138.27/32
where that last IP is the IP Address of my IONOS server.
This is where I found the idea for a blog with chyrp-lite. That repo is full of awesomeness 😎