Weblogs for alfadir

Posted by alfadir on Mon 17 Jan 2011 at 11:37
Lately I have tried to upgrade a server, and its services.
It was already running with openssl certificates from a CA I set
up a few years ago, using this guide:
http://www.debian-administration.org/articles/284
I have had several services running happily with passphrased certificate
keys.

Now, first the trouble started with OpenLDAP not wanting an openssl certificate.
Gnutls is the new standard and openssl support is not compiled in.
But gnutls does not support openssl encrypted keys.
Also if you convert them to PKCS #8, they have a limited passphrase (50 bytes?).
Still openldap with gnutls does not support encrypted keys. So a loss to security.
0-1.

Installing the new calendarserver got me into the same trouble. The
calendar server uses an apple script to read the passphrase that is not
included. Returning the key using echo in a script did also not help.
Another loss and another removal of the passphrase made it work.
0-2.

So before digging any further into the openssl/gnutls jungle and finding out
which services support which combination of secure certificate, I wanted to ask you what you use.

I have used openssl + scripts to run my CA, is there a better tool?
http://en.wikipedia.org/wiki/Certificate_authority
lists a few open source ones, what do you use?
(EJBCA is not packaged?)

I am not interested in a fast snakeoil cert but a real structured CA with
certificates for many virtual hosts and different services
(in Openssl adding each host in the same certificate, SNI would be better though.)

How do you add the CA correctly to /etc/ssl/certs?
Is there some special script?
(git happened to look there for certs I think, or I have another ssl problem)

Also if anyone has a link to a website describing how to add a CA to each of the common web browsers I would be thankful. Depending on what browser version and OS the user uses, adding the CA.pem to the browser varies a lot.

So, I guess I am done with my SSL questions for now, and I look forward to
good *secure* tips.
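Since the post ends up with some keys stripped of their passphrase, a small audit of how each service key is protected on disk is useful. This is an added example, not from the original post; it assumes the keys sit in one directory as `*.key` files, and the three sample keys it writes are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example: classify each PEM private key by how it is protected, and
# flag unencrypted keys whose file mode lets group/other read them.

# Prints: pkcs8-encrypted | openssl-encrypted | unencrypted | not-a-key
key_protection() {
  if grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
    echo pkcs8-encrypted
  elif grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
    echo openssl-encrypted      # traditional PEM with a DEK-Info header
  elif grep -q '^-----BEGIN .*PRIVATE KEY-----' "$1"; then
    echo unencrypted
  else
    echo not-a-key
  fi
}

# For an unencrypted key the file mode is the only protection left:
# succeed (0) only when group and other have no permission bits at all.
key_mode_private() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# One line per key: "<file> <protection> <ok|EXPOSED>".
audit_keys() {
  for f in "$1"/*.key; do
    p=$(key_protection "$f")
    if [ "$p" = unencrypted ] && ! key_mode_private "$f"; then
      echo "$f $p EXPOSED"
    else
      echo "$f $p ok"
    fi
  done
}

# Constructed sample keys (placeholder bodies, not real keys) so this runs offline.
make_samples() {
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-128-CBC,00' '' 'Q09OU1RSVUNURUQ=' \
    '-----END RSA PRIVATE KEY-----' > "$1/ldap.key"
  printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
    '-----END ENCRYPTED PRIVATE KEY-----' > "$1/caldav.key"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
    '-----END RSA PRIVATE KEY-----' > "$1/web.key"
  chmod 600 "$1/ldap.key" "$1/caldav.key"
  chmod 644 "$1/web.key"   # the mistake the audit is meant to catch
}

dir=$(mktemp -d); make_samples "$dir"; audit_keys "$dir"; rm -r "$dir"
```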

 

Posted by alfadir on Tue 1 Jul 2008 at 08:45

I have been working along with my server, and it is running. Lately I have been attacking the only real piece that is missing. Email.

I picked exim4 as it is the standard mail server in debian.

I am running two domains on one server. example.net and example.com

I have created a ldap route (using split configuration)

850_exim4-config_ldap_user
ldap_user:
  debug_print = "R: ldap_user for $local_part@$domain"
  driver = accept
  domains = +local_domains
  local_parts = ${extract {uid}{${lookup ldap {USER_LOOKUP} {$value} fail }}}@$domain
  transport = LOCAL_DELIVERY

But the problem is the $domain ends up being debian.example.com for an email to user@example.com. The actual lookup works if the correct domain is supplied.

The paniclog shows the expanded query:

ldaps://ldap.example.com/ou=people,dc=debian,dc=example?uid,uidNumber?sub?(&(mail=user@debian.example.com)(uidNumber=*))

What fails is the dc=debian which is constructed by

dc=${extract{1}{.}{${lc:$domain}}}

It is not possible to set up matching if the local hostname is used. What am I doing wrong? How can I access the server part of the incoming email? Do I have to set up one ldap router per domain?

The second problem is how to treat SMTP auth. How does that work with virtual servers? One option is to have the user supply the full mail address as username. I guess apache-like DNS matching is not possible.. user X logging in to mail.example.net becomes authenticated under X@example.net and user Y logging into mail.example.com becomes authenticated under Y@example.com.

Thirdly, what options and permissions does one have to set to have directories created?

Want to store all mails to /srv/mail/$domain/$local_parts/Maildir and have created /srv/mail with owner Debian-exim.

MAILDIR_HOME_MAILDIR_LOCATION = /srv/mail/${lc:$domain}/${lc:$local_part}/Maildir
MAILDIR_HOME_CREATE_DIRECTORY = true
MAILDIR_HOME_CREATE_FILE = anywhere
are set but I get :
(13): Permission denied: stat(
) error for /srv/mail/example.com/user/Maildir: Permission denied
(strangely gives the ${lc:$domain} here example.com and not debian.example.com.)

Otherwise I am working on a write up of all my experiences with other programs on the server. Everything else is nicely controlled by LDAP. I will publish it once I have a proper draft.

 

Posted by alfadir on Tue 21 Feb 2006 at 13:32
Tags: none.

So I am growing up. I want to be a full Internet grownup. Running an Internet server. A proper citizen in the Internet society, doing everything according to best practices and standards. And I would like to do it with deb packages.

Also I think there are more people like me. That is why I think it would be cool to write some kind of article series or a proper guide on how to bring a modern Debian box to the Internet in the best way. There is a lot of information online, but sometimes old or for other distributions. If someone knows a good guide I'd love to hear it. (of course Debian Administration has a lot of good material already)

Why not some kind of Wiki sandbox somewhere, and then when the guide is done, it could be added to the site.

I have been using Debian since 1998, and I feel I know my way around Debian. Before Christmas I reserved 3 domain names via a service that does not offer webhosting. I wanted it this way since I would like to take the next step, from running small servers at home to a real internet server.

I have arranged for a fast internet link, 10 Mbit (fiber to the ISP, not sure about the exact bandwidth to the Internet) with my own computer attached to it. It runs Debian and I have full control over it. Currently it runs Debian stable. I only have one IP.

I have spent some time reading up on DNS and email and other things that Internet grownups need. Still it is a bit of dark magic, and I want to have a properly configured thing.

I want to use this server for all the things that one can need to have accessible over the Internet. That to the highest possible security and encryption. I do not wear a tinfoil hat but I think privacy is important. I want to be able to differentiate what the general public and my family sees. Living abroad, this is one way to share photos or other more private thoughts.

I would like to ask for tips and hints from all you Debian Administration gurus that already are running these kinds of servers on the Internet.

The services I have in mind so far are:
For the 3 domains

  • WWW - apache2
    • Proper SSL certificate hierarchy that works with all three sites. I have only one IP.
    • Should be easy to add subdomains, not only www.example.com but also another.example.com. The SSL certificate should handle that too. The apache rewrite mod might be a solution, I am not sure how proper DNS handling would work. Also running 3 apache sites should be enough. One per domainname.
    • I will run a couple of webapps. Being a DocBook fan I am trying to build up something like Norman Walsh's site, for interesting in-depth articles. Have a start but needs more work.
    • Some python framework for SQL apps, still looking into which. Hoped that the Python BDFL would give some nice hint in his evaluation, but I am still looking.
    • I know my ways around Apache good enough and I will use Apache2.
  • Email - exim3/exim4/postfix/cyrus ?
    • IMAP
    • Sieve
    • Secure connections (SSL, TLS, SASL, SMTP Auth)
    • Easy to add private users, I would like to be able to add users when registering for different webforums etc. To sort out spam etc, from where it originates, etc.
    • Email lists - with SSL user protected Archive, if needed, some lists will be open
    • Other things ? (currently I have a private and a work email, both on IMAP, so I am just a user)
    • have no idea which email package is best for this task.
  • LDAP
    • I want to build different types of users. shellaccess, email access, emaillist access, website access (some different levels there too), subversion. Still I want it easy and manageable.
    • Secure setup, but currently I am only looking at one machine, and the LDAP does not have to authenticate on different machines. Might be needed in the future, if I go xen or vmware, or get more machines.
    • Secondary LDAP server when needed.
  • DNS
    • Not sure if it helps to run one's own DNS server? Running on external free DNS services like Xname is still needed I guess?
    • Treatment of subdomains like www.example.com and another.example.com. No experience.
  • Bastille
    • Generally hardening the system.
  • Timeserver
    • Configure NTP properly.

For my main domain

  • Subversion
    • WebDAV
    • Have set that up before, just need to make sure it is secure, and look into if LDAP is possible to use in authentication.
  • WebDAV calendar
    • not sure yet, but I do run Sunbird alpha. I'd like to be prepared as Sunbird becomes better. In a dream world I'd like to securely share a private calendar with others, to schedule appointments etc.
  • ssh/scp/rsync+ssh
  • Backup
    • Local back up solution - currently mirrored home (no backup)
    • For all important data (digital photos, so space is needed)
    • Some ideas but needs work. DVD-R is maybe too weak ?

There are many other questions. Is a pure Debian box the way to go? Or Xen or VMware to separate the services better? Can I script everything so I can rebuild a broken server fast? What goes where? Webserver in /var/www or in /srv? Since subversion should go to /srv? Keeping the configuration details in subversion, saving only files that I change?

What are the best practices to become a real Internet grownup?