Differences between revisions 9 and 12 (spanning 3 versions)
Revision 9 as of 2020-05-04 11:50:28
Size: 4304
Editor: BrianEMWD
Comment:
Revision 12 as of 2020-05-04 23:20:56
Size: 5781
Editor: BrianEMWD
Comment:
Deletions are marked like this. Additions are marked like this.
Line 147: Line 147:
1. The first step in securing Nginx is to install Certbot. This means first installing the dependencies for Certbot.

{{{
# apt install python3-acme python3-certbot python3-mock python3-openssl python3-pkg-resources python3-pyparsing python3-zope.interface
}}}

Now we are ready to install Certbot:

{{{
# apt install python3-certbot-nginx
}}}

Normally you would need to allow SSL traffic through the AFW firewall but we have already done previously in this how-to so we can continue on.


2. The next step is to fetch a SSL certificate for your Mailman 3 list domain name. This how-to assumes you know how to add a server block to Nginx. I keep my server blocks in /etc/nginx/conf.d/. You will need to make sure you have a server block setup already for your domain name before proceeding.

To obtain a SSL certificate for your domain name run:

{{{
# certbot --nginx -d your_domain
}}}

Certbox will go through its motions. At the end it is going to ask you whether you want to redirect all HTTP traffic to HTTPS. Choose 2 if yes which is what I recommend doing.

That's it! We are now ready to install Postfix because after all, Mailman 3 needs to send out mail.
Line 155: Line 182:
Now that we have a working web, email and database server it’s time to install a number of potentially needed applications. Install the following applications as root:

{{{
# apt install ruby-sass
# apt install memcached
# apt install fail2ban
# apt install gettext
}}}

How to Install Mailman 3 on a Debian 10 Server.

This document is a How-To on installing Mailman 3 on a Debian 10 server. The server environment will include Debian 10, NGINX, Let's Encrypt, Postfix, and PosgresDB.

Prepare Server Environment

1. Create a VPS running Debian 10. I recommend something from Digital Ocean or Linode. The server should be a minimum of 1 CPU and 2 Gigabyte of Memory. 25-50 Gb of storage should be sufficient.

2. Log into the server as root.

$ ssh root@your_server_ip

3. Create a New User: mailman

# adduser mailman

You will be asked some questions about this new user when running the above command. Please make sure you use a strong password for mailman as it will be typically known that any server running Mailman 3 will have a mailman user setup on it.

4. Let's go ahead and grant the 'mailman' user SUDO privileges while logged in as root:

# usermod -aG sudo mailman

5. I recommend setting up a basic firewall to tighten up security on this Mailman 3 server. UFW is one that can be installed on a Debian 10 server:

# apt update
# apt install ufw

Once UFW is installed, you need to make sure you allow the various applications that Mailman 3 will be using through UFW. Some of these applications are the following: OpenSSH, Nginx Full, and Postfix.

So here is an example of what to do immediately after you install UFW:

# ufw app list

Output
Available applications:
 . . .
 OpenSSH
 . . .

This tells us what available applications we can configure UFW to allow. So let's add OpenSSH to UFW:

# ufw allow OpenSSH

Now we can enable UFW:

# ufw enable

You can see what is allowed through the UFW firewall by running the following command:

# ufw status

Output
Status: active

To             Action   From
--             ------   ----
OpenSSH          ALLOW    Anywhere
OpenSSH (v6)     ALLOW    Anywhere (v6)

Webserver Installation: NGINX

1. Both Django, Postorius, and Hyperkitty requires a web server. So let's install NGINX.

apt install nginx

2. Now that Nginx is installed, we need to allow it through the UFW Firewall.

# ufw allow 'Nginx Full'

Let's verify the change.

# ufw status

Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere                  
Nginx HTTP                 ALLOW       Anywhere                  
OpenSSH (v6)               ALLOW       Anywhere (v6)             
Nginx HTTP (v6)            ALLOW       Anywhere (v6)

3. Let's make sure Nginx is running.

# systemctl status nginx

Output
● nginx.service - A high performance web server and a reverse proxy server
   Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2019-07-03 12:52:54 UTC; 4min 23s ago
     Docs: man:nginx(8)
 Main PID: 3942 (nginx)
    Tasks: 3 (limit: 4719)
   Memory: 6.1M
   CGroup: /system.slice/nginx.service
           ├─3942 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
           ├─3943 nginx: worker process
           └─3944 nginx: worker process

If your output has Active: active (running) then you are good to go.

With Nginx confirmed to be running you should be able to access it via your server' IP address:

http://your_server_ipaddress

Learning how to manage the Nginx processes and setting up server blocks is beyond the scope of this How-To. However feel free to contact me if you would like for me to edit this document and add those instructions into this particular section.

Securing Your Nginx Installation: Let's Encrypt

1. The first step in securing Nginx is to install Certbot. This means first installing the dependencies for Certbot.

# apt install python3-acme python3-certbot python3-mock python3-openssl python3-pkg-resources python3-pyparsing python3-zope.interface

Now we are ready to install Certbot:

# apt install python3-certbot-nginx

Normally you would need to allow SSL traffic through the AFW firewall but we have already done previously in this how-to so we can continue on.

2. The next step is to fetch a SSL certificate for your Mailman 3 list domain name. This how-to assumes you know how to add a server block to Nginx. I keep my server blocks in /etc/nginx/conf.d/. You will need to make sure you have a server block setup already for your domain name before proceeding.

To obtain a SSL certificate for your domain name run:

# certbot --nginx -d your_domain

Certbox will go through its motions. At the end it is going to ask you whether you want to redirect all HTTP traffic to HTTPS. Choose 2 if yes which is what I recommend doing.

That's it! We are now ready to install Postfix because after all, Mailman 3 needs to send out mail.

Mail Server Installation: Postfix

Database Server Installation: Postgres

Setup of a Python Virtual Environment

Installation of Potentially Needed Applications

Now that we have a working web, email and database server it’s time to install a number of potentially needed applications. Install the following applications as root:

# apt install ruby-sass
# apt install memcached
# apt install fail2ban
# apt install gettext

Setup Directories and Files for Mailman 3

Create and Enter Virtual Environment

Installation of Additional Applications via PIP

Setup Startup Scripts

MailmanWiki: DOC/Howto_Install_Mailman3_On_Debian10 (last edited 2023-11-24 16:09:02 by msapiro)