Initial commit

11 files changed, 2018 insertions, 0 deletions

diff --git a/articles/freeipa-server.html b/articles/freeipa-server.html
new file mode 100644
index 0000000..80825d0
--- /dev/null
+++ b/articles/freeipa-server.html
@@ -0,0 +1,176 @@
+<!DOCTYPE html>
+<html lang=en>
+    <head>
+        <title></title>
+        <meta charset="utf-8"/>
+        <link rel="shortcut icon" href="favicon.ico"/>
+        <link rel='stylesheet' href='../style.css'/>
+        <meta name="viewport" content="width=device-width, initial-scale=1">
+    </head>
+<body>
+    <header><h1>FreeIPA Server Setup</h1></header>
+    <main>
+                        <p>FreeIPA is a centralized idenity management solution developed 
+                        by Redhat. It is in my opinion the most functional libre alternative 
+                        to Microsoft's Active Directory.  Like AD, FreeIPA integrates all of 
+                        the pieces needed to setup a domain including LDAP, Kerberos, 
+                        a Certificate Authority, and much more.</p>
+
+                        <p>I will be using Fedora 35 in this tutorial. As of Debian 11, the 
+                        FreeIPA server is still not in the Debian repos. You will need either 
+                        a Fedora or a RHEL machine. A CentOS fork may work also but I have not 
+                        tested that.</p>
+
+                        <h2>FreeIPA in an Enterprise</h2>
+
+                        <p>For readers exploring the use of FreeIPA in a business 
+                        environment, note that FreeIPA documentation explicitly states that 
+                        it is not a replacement for Active Directory.  I have not personally 
+                        tried to join a Windows computer to a FreeIPA domain, and so I can't 
+                        speak to how well that would work. FreeIPA would also not be able to push 
+                        out policy to Windows machines as is done with Group Policy. FreeIPA 
+                        is though able to create inter-domain trusts with an existing AD 
+                        infrastructure.</p>
+
+                        <h2>The Case for FreeIPA at Home</h2>
+                        <p>Using a full Kerberos and LDAP identity management server may 
+                        seem like overkill at home. And if you only have a single computer 
+                        then it probably is. But scaling up even slightly, to perhaps a small 
+                        family each with their own computer, will make having FreeIPA 
+                        advantageous (<em>your family is all using Linux, right?</em>). This 
+                        will be especially apparent if you are hosting your own services. 
+                        If you are for instance hosting a Jellyfin media server that everyone 
+                        in your family accesses, you won't want them to juggle separate 
+                        passwords for Jellyfin when you could just have them use the same 
+                        password they do on the computer. This single/same sign-on capability is 
+                        one of the most practically useful aspects of FreeIPA.</p>
+
+                        <h2>Install Packages</h2>
+                        <p>We start as usual by installing the required packages.</p>
+
+                        <pre><code>dnf install freeipa-server freeipa-dns</code></pre>
+
+                        <h2>Set Hostname</h2>
+                        <p>The server will need to have a fully qualified hostname 
+                        before setting up IPA. You will need both a hostname for the server 
+                        itself and the domain name you will want for the FreeIPA domain. I 
+                        will be using <em>ipaserver.myhome.local</em>, where 
+                        <em>ipaserver</em> is the hostname and <em>myhome.local</em> is the 
+                        domain name.</p>
+
+                        <pre><code>hostnamectl set-hostname <em>ipaserver.home.local</em></code></pre>
+
+                        <p>We'll also need to add a hosts file entry to 
+                        <strong>/etc/hosts</strong>. Open that file in an editor and add a new 
+                        line with the IP of the server, the fully qualified name, and the 
+                        hostname.</p>
+
+                        <pre><code>192.168.1.10 ipaserver.myhome.local ipaserver</code></pre>
+
+                        
+                        <p>Make sure to reboot the server before continuing to complete 
+                        the hostname change.</p>
+
+                        <h2>Firewall Configuration</h2>
+                        <p>We'll need to allow several ports for FreeIPA to function properly. 
+                        Fedora 35 uses firewalld by default but I am going to disable that 
+                        in favor of UFW here.</p>
+
+                        <pre><code><em>#Install UFW</em>
+dnf install ufw
+<em># Stop and disable firewalld</em>
+systemctl disable --now firewalld
+<em># Configure UFW</em>
+ufw enable
+ufw allow ssh
+ufw allow dns
+ufw allow 88 comment kerberos
+ufw allow 389 comment ldap
+ufw allow 443 comment webui
+ufw allow 636 comment ldaps
+ufw default deny incoming
+ufw reload</code></pre>
+
+        <h2>Configure FreeIPA</h2>
+        <p>Now we can run the FreeIPA setup script. This is an interactive but mostly 
+        automatic process that will configure all of the IPA components. The 
+        <strong>--mkhomedir</strong> flag will configure the server to create home 
+        directories for IPA users on their first login and would otherwise have to be 
+        done manually.</p>
+
+        <pre><code>ipa-server-install --mkhomedir</code></pre>
+
+        <p>That command will bring you into the install script.  You will be prompted 
+        several times before the bulk of the configuration happens. Default values 
+        are show in brackets after the prompt. Let's run through those prompts.<br><br>
+        <strong>Do you want to configure integrated DNS (BIND)?</strong>: 
+        <em>yes</em><br><br>
+        <strong>Sever host name</strong>: the default value should be showing 
+        <em>ipaserver.myhome.local</em> which is what we want. Simply hit enter to acecpt
+        the default.<br><br>
+        <strong>Please confirm the domain name</strong>: The default here should be 
+        correct <em>myhome.local</em> so hit enter to accept that.<br><br>
+        <strong>Please provide a realm name</strong>: This should just be the domain 
+        name in all uppercase. If the default looks correct just hit enter.<br><br>
+        <strong>Directory Manager password</strong>: This is the password for an 
+        administrator account used by system services. You will not need this for daily 
+        use so I recommend setting it to a long randomly generated string. I have found 
+        myself that using an extremely long password here will cause the installation to 
+        fail. A password under 40 characters should be safe.<br><br>
+        <strong>IPA admin password</strong>: This is the password for your initial admin 
+        user. Make this a strong password as this user has full admin rights for the 
+        entire domain.<br><br>
+        <strong>Do you want to configure DNS forwarders</strong>: This allows you to 
+        configure the IPA server to forward DNS requests to another DNS server for 
+        zones it is not authoratitve for. The DNS server is configured by default as 
+        a recursive DNS server so answering no does not prevent internet access. If you 
+        have another DNS server that should be used instead then answer yes and provide 
+        the IP address when prompted.<br><br>
+
+        <strong>Do you want to configure chrony with NTP server or pool address?</strong>
+        : Here you can configure a custom NTP server or pool for the NTP daemon chrony. 
+        If you already have an NTP server on your network answer yes and provide its IP. 
+        If you want to leave the deafult chrony configuration then answer no. Time 
+        synchronization is very important in Kerberos so you should consider how you 
+        want to achieve that on your network. If you do not have an NTP server you may 
+        want to configure the IPA server as one later.<br><br>
+
+        <strong>Continue to configure the system with these values?</strong>: This is a 
+        final confirmation before the script takes over and configures the IPA 
+        components. Review the information printed and enter yes if it all looks correct.
+        </p>
+
+        <p>The install script will now run through configuration. This process usually 
+        takes several minutes. When finished you should get a message saying 
+        <strong>The ipa-server-install command was successful</strong>.</p>
+
+        <p>To finish, run this command to receive a Kerberos TGT. Provide the 
+        password for the admin user when prompted.</p>
+
+        <pre><code>kinit admin</code></pre>
+
+        <h2>Accessing the Web Interface</h2>
+        
+        <p>You are now able to manage FreeIPA through the web interface. You can 
+        browse either to the IP or the hostname if your DNS is configured correctly.
+        You should see a screen similar to this.</p>
+
+        <img alt="FreeIPA Login Screen" src=../images/freeipa-webui.png>
+
+        <p>Login with the username admin and the password you set during the 
+        insallation. You are now ready to begin configuring your IPA domain.</p>
+    </main>
+<p>
+<hr>
+Consider <a href=../donate.html>donating</a> if this article was useful.
+<a class=qr href=../images/bitcoin.png>[BTC]</a>
+</p>
+        </main>
+    <footer>
+        <a href=../kb.html>Knowledge Base</a>
+        <br>
+        <a href=../index.html>www.chudnick.com</a>
+        </footer>
+</body>
+</html>
+
diff --git a/articles/icinga-agent.html b/articles/icinga-agent.html
new file mode 100644
index 0000000..e0aa6c0
--- /dev/null
+++ b/articles/icinga-agent.html
@@ -0,0 +1,135 @@
+<!DOCTYPE html>
+<html lang=en>
+    <head>
+        <title></title>
+        <meta charset="utf-8"/>
+        <link rel="shortcut icon" href="favicon.ico"/>
+        <link rel='stylesheet' href='../style.css'/>
+        <meta name="viewport" content="width=device-width, initial-scale=1">
+    </head>
+<body>
+    <header><h1>Icinga Agent Node Installation and Configuration</h1></header>
+    <main>
+                <p>With the Icinga master node configured, the servers we want
+                to monitor can now be added as agent nodes. As the names suggest,
+                the Icinga master node pushes the desired configuration to agent
+                nodes, while agent nodes report the configured status checks back
+                to the master. Communication between the master and agent nodes is
+                encrypted via TLS, with the master node acting as a certificate
+                authority.</p>
+
+                <p>You can find my script to automate this process 
+                <a href=https://git.chudnick.com/server-scripts/tree/monitoring/icinga-agent>
+                                here</a>.</p>
+
+                <h2>Install Pakcages</h2>
+                <p>Start by installing the required packages on the server to be 
+                monitored.</p>
+
+                <pre><code>apt install icinga2 monitoring-plugins 
+monitoring-plugins-contrib</code></pre>
+
+                <h2>Initialize PKI with master</h2>
+                <p>Now we need to setup the PKI that will be used for the communication
+                with the master node. The first step is to generate a certificate
+                signing request. Replace <em>hostname</em> with the FQDN of the server.</p>
+
+                <pre><code>icinga2 pki new-cert --cn "<em>hostname</em>" --cert "/etc/icinga2/pki/<em>hostname</em>.crt" --csr "/etc/icinga2/pki/<em>hostname</em>.csr" --key "/etc/icinga2/pki/<em>hostname</em>.key"</code></pre>
+
+                <p>Next we save the master node's public key certificate. Replace
+                <em>master</em> with the FQDN of your master node.</p>
+
+                <pre><code>icinga2 pki save-cert --host "<em>master</em>" --port 5665 --key "/etc/icinga2/pki/<em>hostname</em>.key" --trustedcert "/etc/icinga2/pki/trusted-master.crt"</code></pre>
+
+                <p>Receive signed certificate from the master node.</p>
+
+                <pre><code>icinga2 pki request --host "<em>master</em>" --port 5665 --key "/etc/icinga2/pki/<em>hostname</em>.key" --cert "/etc/icinga2/pki/<em>hostname</em>.crt" --trustedcert "/etc/icinga2/pki/trusted-master.crt" --ca "/etc/icinga2/pki/ca.crt"</code></pre>
+
+                <h2>Deploy configuration files</h2>
+                <p>Write Icinga configuration.</p>
+
+                <pre><code><strong>/etc/icinga2/icinga2.conf</strong> 
+include "constants.conf"
+const NodeName = "$nodename"
+include "zones.conf"
+include "features-enabled/*.conf"
+include &lt;itl&gt;
+include &lt;plugins&gt;
+include &lt;plugins-contrib&gt;
+include &lt;manubulon&gt;
+include &lt;windows-plugins&gt;
+include &lt;nscp&gt;"</code></pre>
+
+                <p>Write zones configuration.</p>
+
+                <pre><code><strong>/etc/icinga2/zones.conf</strong> 
+echo "object Endpoint "<em>hostname</em>" {}
+object Zone "<em>hostname</em>" {
+  parent = "<em>master</em>"
+  endpoints = [ "<em>hostname</em>" ]
+}
+object Zone "<em>master</em>" {
+  endpoints = [ "<em>master</em>" ]
+}
+object Endpoint "<em>master</em>" {
+  host = "<em>master</em>"
+}
+object Zone "director-global" {
+  global = true
+}</code></pre>
+
+                <p>Write API configuration file.</p>
+
+                <pre><code><strong>/etc/icinga2/features-available/api.conf</strong> 
+echo "object ApiListener \"api\" {
+  accept_commands = true
+  accept_config = true
+}</code></pre>
+
+                <h2>Enable API</h2>
+                <p>Next, we need to enable the API on the agent.</p>
+
+                <pre><code>icinga2 feature enable api
+
+mkdir -p /var/lib/icinga2/certs
+
+cp /etc/icinga2/pki/<em>hostname</em>.crt /etc/icinga2/pki/<em>hostname</em>.key /etc/icinga2/pki/ca.crt /var/lib/icinga2/certs/
+
+chown -R nagios: /var/lib/icinga2/certs/</code></pre>
+
+                <h2>Sign agent CSR on Master</h2>
+                <p>The only action needed on the master node is to sign the agent's
+                CSR. Logon to your master node and run the following:</p>
+
+                <pre><code>fpr="$(icinga2 ca list | tail -1 | cut -d '|' -f 1)"
+icinga2 ca sign $fpr</code></pre>
+
+                <h2>Configure Firewall</h2>
+                <p>Before finishing we need to open the proper firewall port.
+                I will use UFW in the example here and allow traffic only only
+                from the master node for best security.</p>
+
+                <pre><code>ufw allow proto tcp from <em>master-ip</em> to any port 5665</code></pre>
+
+                <h2>Restart Icinga on Agent</h2>
+                <p>Finally, restart the icinga service on the agent node.</p>
+
+                <pre><code>systemctl restart icinga2</code></pre>
+
+                <p>The Icinga agent node will now pull down configuration from the master.
+                You will know that this worked if <em>/var/lib/icinga2/api/zones</em> 
+                begins to populate with new files.</p>
+<p>
+<hr>
+Consider <a href=../donate.html>donating</a> if this article was useful.
+<a class=qr href=../images/bitcoin.png>[BTC]</a>
+</p>
+    </main>
+    <footer>
+                        <a href=../kb.html>Knowledge Base</a>
+                        <br>
+                        <a href=../index.html>www.chudnick.com</a>
+        </footer>
+</body>
+</html>
+
diff --git a/articles/icinga-director.html b/articles/icinga-director.html
new file mode 100644
index 0000000..3993949
--- /dev/null
+++ b/articles/icinga-director.html
@@ -0,0 +1,112 @@
+<!DOCTYPE html>
+<html lang=en>
+    <head>
+        <title></title>
+        <meta charset="utf-8"/>
+        <link rel="shortcut icon" href="favicon.ico"/>
+        <link rel='stylesheet' href='../style.css'/>
+        <meta name="viewport" content="width=device-width, initial-scale=1">
+    </head>
+<body>
+    <header><h1>Icinga Director</h1></header>
+    <main>
+                <p>Icinga Director is the web-based configuration tool for Icinga2.
+                Director provides a simple interface for configuring the various parts
+                of your monitoring environment.  Even if you would rather do all of 
+                the configuration from a terminal, I still recommend using Director for
+                its self-service API which allows new nodes to register with no interaction
+                required on the node (i.e. via a script).</p>
+
+                <p>Start by logging into your Icinga instance. If you followed the 
+                <a href=icinga2-master.html>master installation guide</a> you should have
+                a tab labeled <strong>Icinga Director</strong>. Click on that, and you should
+                see something similar to this:</p>
+                <img src=../images/director/director.png>
+
+                <h2>Hosts</h2>
+                <p>Let's start by looking at the hosts section. Clicking on the hosts
+                button from the Director menu will present you with several options.
+                Click on host templates, and then click add to define our first host
+                template.  Host templates are the building blocks of Icinga, they allow
+                for your nodes to be structured however you see fit, and then to have
+                monitoring checks automatically applied to them based on that structure.</p>
+                <p>I like to structure my host templates by operating system. For example,
+                I have a template called <strong>Linux Server</strong>, which is designed
+                to encompass all of the Linux servers in my environment. I then get more
+                specific, creating templates based on distro. These templates are children
+                of the Linux Server template, so they inherit whatever is applied to the
+                parent, but then can have distro-specific checks applied to themselves.</p>
+                <p>Start by giving your template a name - I will use <strong>Linux Server
+                </strong> here. Groups can be left empty for now, but you may want to
+                add groups and apply them to templates later. The check command should
+                be set to hostalive. Expand <strong>Icinga Agent and zone settings</strong> 
+                and set <em>Icinga2 Agent</em>, <em>Establish connection</em>,  
+                and <em>Accepts config</em> to Yes. Click store to save the template.
+                Your template should look like this:</p>
+
+                <img src=../images/director/hosttemplate.png>
+
+                <h2>Service templates</h2>
+                <p>Let's turn to services now. Return to the Director menu and select 
+                Services. The services menu is structured similar to hosts, and we will
+                start with the service templates section. The idea behind service templates
+                is very similar to host templates. Typically, a service template corresponds
+                to a single monitoring command.</p>
+                <p>As an example, we'll create a service template for a monitoring
+                command that checks the status of a web server. Give the template a
+                name, set the check command to http, and finally expand <strong>Icinga
+                Agent and zone settings</strong> and set <strong>Run on agent
+                </strong> to no. We set this to no because we want Icinga to query
+                the web server externally instead of from the web server itself.</p>
+
+                <img src=../images/director/service-template.png>
+
+                <h2>Service sets</h2>
+                <p>Service sets are simply groups of service templates. They can be
+                structured however you see fit. Service sets can then be applied to
+                hosts/host templates to have the checks be automatically applied.</p>
+
+                <p>Add a new service set and give it a name. Then click on the services
+                tab and add all of the services you want to group into that set.
+                Here is an example of a service set <strong>Linux Standard</strong> 
+                 that has service checks that should be applied to all Linux servers.</p>
+
+                <img src=../images/director/service-set.png>
+
+                <p>To bring service sets and host templates together, return to your host
+                templates, select Linux Server, select the services tab, and then select
+                add service set and choose your desired set from the dropdown menu.</p>
+
+                <img src=../images/director/host-services.png>
+
+                <h2>Render your config</h2>
+                <p>When you have made all of the changes you need you will need to
+                render the Director configuration. Return to the Director menu,
+                select Config Deployment, and then select Render config.</p>
+
+                <h2>Self Service API</h2>
+                <p>In this last section we will look at what I think is the best feature
+                of Director which is the self service API. To enroll a host template
+                in the self service API, select the host template, select the agent
+                tab, and select generate self service api key.  That's it!
+                The string of letters and numbers is the API key associated with this
+                host template. Hosts can be enrolled with this API key and Icinga
+                will automatically assign the host to this template. With proper
+                structuring, you can have hosts be completely provisioned without
+                touching Director. In the next article, we will use this to enroll
+                a host in Icinga with a shell script.</p>
+<p>
+<hr>
+Consider <a href=../donate.html>donating</a> if this article was useful.
+<a class=qr href=../images/bitcoin.png>[BTC]</a>
+</p>
+    </main>
+    <footer>
+                        <a href=../kb.html>Knowledge Base</a>
+                        <br>
+                        <a href=../index.html>www.chudnick.com</a>
+        </footer>
+
+</body>
+</html>
+
diff --git a/articles/icinga-influx.html b/articles/icinga-influx.html
new file mode 100644
index 0000000..8d96c88
--- /dev/null
+++ b/articles/icinga-influx.html
@@ -0,0 +1,133 @@
+<!DOCTYPE html>
+<html lang=en>
+    <head>
+        <title></title>
+        <meta charset="utf-8"/>
+        <link rel="shortcut icon" href="favicon.ico"/>
+        <link rel='stylesheet' href='../style.css'/>
+        <meta name="viewport" content="width=device-width, initial-scale=1">
+    </head>
+<body>
+    <header><h1>Integrating InfluxDB and Icinga</h1></header>
+    <main>
+        <p>Icinga2 has built-in support for writing monitoring data to InfluxDB. 
+        This makes Icinga quite extensible as it allows for other programs to read 
+        the gathered data from InfluxDB. For example, Icinga does not have built-in 
+        graphing support. But monitoring data can be written to InfluxDB and then 
+        consumed by a dedicated graphing tool like Grafana.</p>
+
+        <h2>Install Packages</h2>
+        <p>Let's install a few necessary packages</p>
+
+        <pre><code>apt install influxdb influxdb-client ssl-cert</code></pre>
+
+        <h2>Generate self-signed certificate</h2>
+        <p>Now generate a self-signed certificate for accessing InfluxDB over TLS</p>
+
+        <pre><code>make-ssl-cert generate-default-snakeoil
+usermod -aG ssl-cert influxdb</code></pre>
+
+        <h2>Create Database and Users</h2>
+        <p>Start and enable the InfluxDB service</p>
+
+        <pre><code>systemctl enable --now influxdb</code></pre>
+
+        <p>Now we'll create our database and users. We'll be creating 3 users with 
+        different access rights. An admin user with full control over the database, a 
+        user with write access that Icinga will use to write data to the database, and 
+        a read-only user to allow external programs to read data from the database.</p>
+
+        <pre><code>influx -ssl -unsafeSsl -execute "create database icinga2; create user admin with password '<em>changeme</em>'; create user icingauser with password '<em>changeme</em>'; create user readonly with password '<em>changeme</em>'; grant all to admin; grant write on icinga2 to icingauser; grant read on icinga2 to readonly;"
+</code></pre>
+
+<h2>Configuration Files</h2>
+
+        <p>Then write InfluxDB's configuration file at 
+        <em>/etc/influxdb/influxdb.conf</em></p>
+
+        <pre><code>reporting-enabled = false
+[meta]
+  dir = "/var/lib/influxdb/meta"
+[data]
+  dir = "/var/lib/influxdb/data"
+  wal-dir = "/var/lib/influxdb/wal"
+[coordinator]
+[retention]
+[shard-precreation]
+[monitor]
+[http]
+  enabled = true
+  bind-address = ":8086"
+  auth-enabled = true
+  https-enabled = true
+  https-certificate = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
+  https-private-key = "/etc/ssl/private/ssl-cert-snakeoil.key"
+[ifql]
+[logging]
+[subscriber]
+[[graphite]]
+[[collectd]]
+[[opentsdb]]
+[[udp]]
+[continuous_queries]
+[tls]
+  min-version = "tls1.2"</code></pre>
+
+        <p>And restart InfluxDB to pickup the changes</p>
+
+        <pre><code>systemctl restart influxdb</code></pre>
+
+        <p>Then we need to configure Icinga to write data to our database. Start by 
+        enabling the influxdb feature in Icinga</p>
+
+        <pre><code>icinga2 feature enable influxdb</code></pre>
+
+        <p>Now we tell Icinga how to write to our database. Open the configuration
+        file at <em>/etc/icinga2/features-available/influxdb.conf</em> and replace
+        with the following</p>
+
+        <pre><code>object InfluxdbWriter \"influxdb\" {
+  host = "127.0.0.1"
+  port = 8086
+  username = "icingauser"
+  password = "<em>icinga_password</em>"
+  ssl_enable = true
+  database = "icinga2"
+  flush_threshold = 1024
+  flush_interval = 10s
+  host_template = {
+  measurement = "$host.check_command$"
+    tags = {
+      hostname = "$host.name$"
+    }
+  }
+  service_template = {
+    measurement = "$service.check_command$"
+    tags = {
+      hostname = "$host.name$"
+      service = "$service.name$"
+    }
+  }
+}</code></pre>
+
+        <p>And finally restart Icinga to make those changes live.</p>
+
+        <pre><code>systemctl restart icinga2</code></pre>
+
+        <p>Icinga2 will now be writing the data it collects to your InfluxDB instance.</p>
+
+    </main>
+<p>
+<hr>
+Consider <a href=../donate.html>donating</a> if this article was useful.
+<a class=qr href=../images/bitcoin.png>[BTC]</a>
+</p>
+        </main>
+    <footer>
+        <a href=../kb.html>Knowledge Base</a>
+        <br>
+        <a href=../index.html>www.chudnick.com</a>
+        </footer>
+</body>
+</html>
+
diff --git a/articles/icinga-master.html b/articles/icinga-master.html
new file mode 100644
index 0000000..0cafcdd
--- /dev/null
+++ b/articles/icinga-master.html
@@ -0,0 +1,276 @@
+<!DOCTYPE html>
+<html lang=en>
+    <head>
+        <title></title>
+        <meta charset="utf-8"/>
+        <link rel="shortcut icon" href="favicon.ico"/>
+        <link rel='stylesheet' href='../style.css'/>
+        <meta name="viewport" content="width=device-width, initial-scale=1">
+    </head>
+<body>
+<header><h1>Icinga2 Master Installation</h1></header>
+<main>
+<p>
+This tutorial will cover the installation of the Icinga2
+monitoring application master node.  This includes the base
+program, the web frontend, and the web-based configuration tool.
+This guide was made for Debian but should be similar
+on other distributions.
+</p>
+<p>
+I have a script available to automate the steps described in this
+tutorial available
+<a href=https://git.chudnick.com/server-scripts/tree/monitoring/icinga-master>from my git repo</a>.
+<h2>Install Packages</h2>
+<p>Here we will install the required packages. Icinga can use either MySQL 
+or PostgreSQL, however this tutorial will use MySQL/MariaDB.</p>
+<pre><code>apt install icinga2 icingaweb2 icinga2-ido-mysql icingaweb2-module-director monitoring-plugins monitoring-plugins-contrib default-mysql-server</code></pre>
+<h2>Secure MySQL</h2>
+<p>This step is optional but strongly recommended.
+The mysql_secure_installation script will harden your MySQL instance.</p>
+<pre><code>mysql_secure_installation</code></pre>
+<p>I recommend the following responses:
+<ul>
+        <li><em>Switch to unix_socket authentication?</em><strong> Y</strong></li>
+        <li><em>Change the root password?</em><strong> Y</strong></li>
+        <li><em>Remove anonymous users?</em><strong> Y</strong></li>
+        <li><em>Disallow root login remotely?</em><strong> Y</strong></li>
+        <li><em>Remove the test database and access to it?</em><strong> Y</strong></li>
+        <li><em>Reload privilege tables now?</em><strong> Y</strong></li>
+</ul>
+</p>
+
+<h2>Create Monitoring Database</h2>
+<p>The next several sections will cover creating databases for the various
+parts of Icinga. We'll start with the monitoring database.
+The following command creates a MySQL database named <em>icinga2</em>
+and grants permissions to a user named <em>ido_admin</em>. These values
+are arbitrary, but I use them throughout the tutorial so I recommend leaving them
+as is. You should definitely change the password though, which in the command
+is <em>change me</em>.  You will need this password and the passwords for the
+other databases later, so make sure you save them.</p>
+<pre><code>mysql -u root -e "CREATE DATABASE icinga2; GRANT SELECT, INSERT, UPDATE, DELETE, DROP, CREATE VIEW, INDEX, EXECUTE ON icinga2.* TO <em>ido_admin</em>@'localhost' IDENTIFIED BY '<em>change me</em>'; FLUSH PRIVILEGES;</code></pre>
+
+<p>We then need to import the ido schema into the database.</p>
+
+<pre><code>mysql -u root icinga2 &lt;/usr/share/icinga2-ido-mysql/schema/mysql.sql</code></pre>
+
+<p>After importing the schema, we then write the configuration file that tells
+the monitoring module how to connect to the database.</p>
+<pre><code><strong>/etc/icinga2/features-available/ido-mysql.conf</strong>
+library "db_ido_mysql"
+object IdoMysqlConnection "ido-mysql" {
+        user = "ido_admin",
+        password = "<em>ido_password</em>",
+        host = "localhost",
+        database = "icinga2"
+}"</code></pre>
+
+<p>And finally we enable the monitoring module in Icinga.</p>
+<pre><code>icinga2 feature enable ido-mysql</code></pre>
+
+<h2>Create Icingaweb2 Database</h2>
+<p>This step is nearly identical to the last. This time we create a database
+named <em>icingaweb2</em> and grant permissions to the user named
+<em>icingaweb2_admin</em>.</p>
+<pre><code>mysql -u root -e "CREATE DATABASE icingaweb2;GRANT ALL ON icingaweb2.* TO 'icingaweb2_admin'@'localhost' IDENTIFIED BY '<em>changeme</em>'; FLUSH PRIVILEGES;</code></pre>
+
+<p>Again we will need to import required schema into the database.</p>
+<pre><code>mysql -u root icingaweb2 &lt;/usr/share/icingawbe2/etc/schema/mysql.schema.sql</code></pre>
+
+
+<p>In this step we create the initial admin user that will be used to login
+to the web interface.  As is, this would create a user named <em>admin</em>
+with the password <em>changme</em>. You should at least change the password.</p>
+<pre><code>passhash="$(php -r "echo password_hash(\"<em>changeme</em>\", PASSWORD_DEFAULT);")"
+mysql -u root -e "USE icingaweb2; INSERT INTO icingaweb_user (name, active, password_hash) VALUES (\"<em>admin</em>\", 1, \"$passhash\"); FLUSH PRIVILEGES;"</code></pre>       
+
+<h2>Create Icinga Director Database</h2>
+<p>Here we create the database for Director. Director will require more
+configuration later, so for now we will just be creating the database.</p>
+<pre><code>mysql -u root -e "CREATE DATABASE director CHARACTER SET 'utf8'; GRANT ALL on director.* TO 'director'@'localhost' IDENTIFIED BY '$director_password';FLUSH PRIVILEGES;"</code></pre>
+
+<h2>Setup Icinga2 API</h2>
+<p>Run the following command to initialize the Icinga API.</p>
+<pre><code>icinga2 api setup</code></pre>
+<p>And then restart Icinga to apply the changes.</p>
+<pre><code>systemctl restart icinga2</code></pre>
+
+<h2>Configure Web Server</h2>
+<p>In this section we will configure the web server for accessing
+Icinga's web interface and Director configuration tool.
+This tutorial will use nginx but apache could be used as well.
+We'll start by installing the necessary packages.</p>
+<pre><code>apt install nginx php-fpm</code></pre>
+<p>Then we need to create the site configuration file.<p>
+<pre><code><strong>/etc/nginx/sites-available/icingaweb2.conf</strong>
+server {
+  listen 80;
+  server_name <em>monitoring.example.com</em>
+  location ~ ^/icingaweb2/index\.php(.*)$ {
+    fastcgi_pass unix:/var/run/php/php-fpm.sock;
+    fastcgi_index index.php;
+    include fastcgi_params;
+    fastcgi_param SCRIPT_FILENAME /usr/share/icingaweb2/public/index.php;
+    fastcgi_param ICINGAWEB_CONFIGDIR /etc/icingaweb2;
+    fastcgi_param REMOTE_USER $remote_user;
+  }
+
+  location ~ ^/icingaweb2(.+)? {
+    alias /usr/share/icingaweb2/public;
+    index index.php;
+    try_files $1 $uri $uri/ /icingaweb2/index.php$is_args$args;
+  }
+
+  <em># Not strictly necessary but allows you to get to icinga without 
+  # specifying /icingaweb2 in the URL.</em>
+  location = / {
+    return 302 http://$host/icingaweb2;
+  }
+
+}</code></pre>
+<p>And then restart nginx to pick up the changes.</p>
+<pre><code>systemctl restart nginx</code></pre>
+
+<p>At this point we are done with the Icinga setup module and so we
+can disable it.</p>
+<pre><code>icingacli module disable setup</code></pre>
+
+<h2>Write Configuration Files</h2>
+<p>In this section we will write several configuration files. Icinga uses
+the INI format for its web interface configuration files.</p>
+<p>In this first file we tell Icinga about the various resources it should have
+access to. These resources are the three databases created previously.
+Replace the password in each section with the corresponding password you set
+for that database earlier.</p>
+<pre><code><strong>/etc/icingaweb2/resources.ini</strong>
+[icinga2]
+type = "db"
+db = "mysql"
+host = "localhost"
+port = ""
+dbname = "icinga2"
+username = "ido_admin"
+password = "<em>ido password</em>"
+charset = ""
+use_ssl = "0"
+
+[icingaweb2]
+type = "db"
+db = "mysql"
+host = "localhost"
+port = ""
+dbname = "icingaweb2"
+username = "icingaweb2_admin"
+password = "<em>ido password</em>"
+charset = ""
+use_ssl = "0"
+
+
+[director]
+type = "db"
+db = "mysql"
+host = "localhost"
+port = ""
+dbname = "director"
+username = "director"
+password = "<em>director password</em>"
+charset = "utf8"
+use_ssl = "0"
+</code></pre>
+
+<p>This file controls the authentication settings for the web interface.
+Here we tell Icinga to look at the icingaweb2 database for
+authentication purposes.</p>
+<pre><code><strong>/etc/icingaweb2/authentication.ini</strong>
+[icingaweb2]
+backend = "db"
+resource = "icingaweb2"</code></pre>
+
+<p>Now we tell icinga which users should have admin permissions.
+If you changed the username value from <em>admin</em> previously, be sure to update
+it here.</p>
+<pre><code><strong>/etc/icingaweb2/roles.ini</strong>
+[admins]
+users = "<em>admin</em>"
+resource = "icingaweb2"</code></pre>
+
+<p>Enable the web interface monitoring module.</p>
+<pre><code>icingacli module enable monitoring</code></pre>
+<p>Then write the configuration file pointing the monitoring module to the 
+monitoring database.</p>
+<pre><code><strong>/etc/icingaweb2/modules/monitoring/backends.ini</strong>
+[icinga]
+type = "ido"
+resource = "icinga2"</code></pre>
+
+<p>Here we configure Icinga to use the API for communication. 
+You will need to get your unique API password generated during the API setup from
+from <strong>/etc/icinga2/conf.d/api-users.conf</strong>.
+<em>hostname</em> should be the FQDN of the server.</p>
+<pre><code><strong>/etc/icingaweb2/modules/monitoring/commandtransports.ini</strong>
+[icinga2]
+transport = "api"
+host = <em>hostname</em>
+port = "5665"
+username = "root"
+password = "<em>api password</em>"</code></pre>
+
+<p>Lastly, tell Icinga to protect variables with potentially sensitive values.</p>
+<pre><code><strong>/etc/icingaweb2/modules/monitoring/config.ini</strong>
+[security]
+protected_customvars = "*pw*,*pass*,*community*"</code></pre>
+
+
+<h2>Configure Director</h2>
+<p>This section will cover configuring Director configuration tool.</p>
+<p>Create Director module configuration directory.</p>
+<pre><code>mkdir -p /etc/icingaweb2/modules/director</code></pre>
+
+<p>Write the Director configuration file.</p>
+<pre><code><strong>/etc/icingaweb2/modules/director/config.ini</strong>
+[db]
+resource = "director"</code></pre>
+
+<p>Enable Director module and run the initial migration.</p>
+<pre><code>icingacli module enable director
+icingacli director migration run</code></pre>
+
+<p>Write Director kickstart configuration file.</p>
+<pre><code><strong>/etc/icingaweb2/modules/director/kickstart.ini</strong>
+[config]
+endpoint = "<em>hostname</em>"
+username = "root"
+password = "<em>api password</em>"</code></pre>
+
+<p>Kickstart Director, then render and deploy the configuration.</p>
+<pre><code>icingacli director kickstart run
+icingacli director config render
+icingacli director config deploy</code></pre>
+
+<p>Director is setup at this point so we will shred the unneeded configuration
+file containing sensitive information.</p>
+<pre><code>shred -uz /etc/icingaweb2/modules/director/kickstart.ini</code></pre>
+
+<h2>Login to your Monitoring Instance</h2>
+<p>You are now ready to login to your monitoring instance with the admin
+user created previously. Open a web browser and go to 
+http://<em>hostname</em>/icingaweb2.  You should see a screen similar to this:</p>
+<a href=../images/icinga-login.png><img src=../images/icinga-login.png alt="Icinagweb2 Login Screen"></a>
+
+<h2>Next Steps</h2>
+<p>In the following articles we will go through setting up Icinga2 agents on servers, and configure your monitoring instance through Icinga Director.</p>
+<p>
+<hr>
+Consider <a href=../donate.html>donating</a> if this article was useful.
+<a class=qr href=../images/bitcoin.png>[BTC]</a>
+</p>
+    </main>
+    <footer>
+                        <a href=../kb.html>Knowledge Base</a>
+                        <br>
+                        <a href=../index.html>www.chudnick.com</a>
+        </footer>
+</body>
+</html>
+
diff --git a/articles/luks.html b/articles/luks.html
new file mode 100644
index 0000000..d2bbc5e
--- /dev/null
+++ b/articles/luks.html
@@ -0,0 +1,132 @@
+<!DOCTYPE html>
+<html lang=en>
+    <head>
+        <title></title>
+        <meta charset="utf-8"/>
+        <link rel="shortcut icon" href="favicon.ico"/>
+        <link rel='stylesheet' href='../style.css'/>
+        <meta name="viewport" content="width=device-width, initial-scale=1">
+    </head>
+<body>
+    <header><h1>LUKS Block Device Encryption</h1></header>
+    <main>
+                        <p>Linux Unified Key Setup (LUKS) is a method for encrypting 
+                        block devices that is built-in to the Linux Kernel. In this tutorial 
+                        I will be showing how to create an encrypted USB drive with LUKS, but 
+                        this process is applicable to other types of storage. 
+                        <strong>This process will wipe all data on the device that you 
+                        encrypt so make backups beforehand if needed</strong>.</p>
+
+                        <h2>Install Packages</h2>
+                        <p>Install cryptsetup and its dependencies</p>
+
+                        <pre><code>apt install cryptsetup</code></pre>
+
+                        <h2>Prepare the Drive</h2>
+                        <p>If the device you are encrypting was previously used, you will 
+                        want to completely overwrite any data on it before encryption. This 
+                        can be done using <strong>dd</strong> as shown below. This could take 
+                        a very long time depending on the size and type of your drive. 
+                        Be sure that you enter the correct path to your drive as the 
+                        argument to <strong>of</strong>, and do not specify a partition:
+                        <strong>/dev/sdb</strong> is correct, <strong>/dev/sdb1</strong> is 
+                        wrong. Obviously this will destroy any data on the device so be 
+                        absolutely sure you specify the correct device in the command 
+                        and have backups of data previously stored if needed.</p>
+
+                        <pre><code>dd if=/dev/zero of=<em>/dev/sdX</em> status=progress</code></pre>
+
+                        <h2>Encrypt the Drive</h2>
+                        <p><strong>cryptsetup</strong> is the main command used to perform 
+                        LUKS-related tasks. This main command is followed by a subcommand 
+                        that specifies which action to perform. To create a LUKS partition 
+                        on a drive we need to use the subcommand <strong>luksFormat</strong>. 
+                        We also use the type option to explicitly say to use LUKS version 2 
+                        encryption. Run the command and then enter and confirm the 
+                        encryption password.</p>
+
+                        <pre><code>cryptsetup --type luks2 luksFormat <em>/dev/sdX</em></code></pre>
+
+                        <p>Now we need to open and map the encrypted LUKS device. This is done 
+                        by using the <strong>luksOpen</strong> subcommand. This subcommand takes 
+                        the device as the first argument and then a map target as the second. The 
+                        map target can be any string as long as a map does not already exist with 
+                        that name. In the example I will use <em>crypt</em>.
+
+                        <pre><code>cryptsetup luksOpen <em>/dev/sdX crypt</em></code></pre>
+
+                        <p>And then we just need to create a filesystem on the device; I will 
+                        be making an ext4 filesystem in the example. To 
+                        interact with an encrypted drive after it has been opened you need 
+                        to refer to its device mapper target, which is found under /dev/mapper. 
+                        Since we used <em>crypt</em> as the map target, our encrypted drive 
+                        is /dev/mapper/<em>crypt</em>. </p>
+
+                        <pre><code>mkfs.ext4 /dev/mapper/<em>crypt</em></code></pre>
+
+                        <p>After creating the filesystem created the encrypted drive 
+                        can now be mounted and used like any other device. Remember that 
+                        when mounting the device you refer to the device mapper target 
+                        (mount /dev/mapper/<em>crypt</em> /mnt/crypt).</p>
+
+                        <p>In addition to unmounting the filesystem you should always close 
+                        the device mapping before removing your encrypted drive. This is 
+                        done with the <strong>luksClose</strong> subcommand and takes 
+                        the device mapping as the argument.</p>
+
+                        <pre><code>cryptsetup luksClose /dev/mapper/<em>crypt</em></code></pre>
+
+                        <h2>The LUKS Header</h2>
+                        <p>The LUKS header sits at the front of your encrypted drive and is 
+                        responsible for managing access to the device. If the header is 
+                        damaged accessing your encrypted data will not be possible. Because of 
+                        this, you may want to make backups of the header, but before doing so 
+                        you need to weigh the risks and benefits.</p>
+
+                        <p>The obvious benefit is that 
+                        in the event of damage to the LUKS header, you can easily restore a 
+                        backup and regain access to the data. However, having a backup of the 
+                        header makes it harder to wipe the LUKS device. Without a header 
+                        backup, overwriting the LUKS header on the device is enough to securely 
+                        wipe the drive. With backups, you need to either destroy all header 
+                        backups or overwrite all encrypted data on the device. The other main risk 
+                        is that an encryption password that is valid at the time you make a 
+                        backup will always be valid for that backup. For example, say you change 
+                        the encryption password on your device after making a backup because it 
+                        has been compromised. An attacker would be able to restore the header 
+                        backup and then use the compromised password to access the data.</p>
+
+                        <p>The cryptsetup documentation refers to creating header backups 
+                        as making a trade-off between safety and security. You need to make a 
+                        decision based on your individual use-case. It's a good idea to 
+                        routinely update your header backups if you do choose to make them</p>
+
+                        <p>When creating or restoring a header backup you always refer to the 
+                        block device in the command, not the device mapper taget. To create 
+                        a header backup:</p>
+
+                        <pre><code>cryptsetup luksHeaderBackup <em>/dev/sdX</em> --header-backup-file <em>path/to/backup</em></code></pre>
+
+                        <p>To restore a header from a backup:</p>
+
+                        <pre><code>cryptsetup luksHeaderRestore <em>/dev/sdX</em> --header-backup-file <em>path/to/backup</em></code></pre>
+
+                        <p>Note that is not necessary to store header backups on an encrypted 
+                        device. I would recommend storing backups on at least one non-encrypted 
+                        drive in case of an emergency.</p>
+
+    </main>
+<p>
+<hr>
+Consider <a href=../donate.html>donating</a> if this article was useful.
+<a class=qr href=../images/bitcoin.png>[BTC]</a>
+</p>
+        </main>
+    <footer>
+        <a href=../kb.html>Knowledge Base</a>
+        <br>
+        <a href=../index.html>www.chudnick.com</a>
+        </footer>
+</body>
+</html>
+
diff --git a/articles/mail-server.html b/articles/mail-server.html
new file mode 100644
index 0000000..12a3264
--- /dev/null
+++ b/articles/mail-server.html
@@ -0,0 +1,723 @@
+<!DOCTYPE html>
+<html lang=en>
+<head>
+<title></title>
+<meta charset="utf-8"/>
+<link rel="shortcut icon" href="favicon.ico"/>
+<link rel='stylesheet' href='../style.css'/>
+<meta name="viewport" content="width=device-width, initial-scale=1">
+</head>
+<body>
+<header><h1>Postfix and Dovecot Mail Server</h1></header>
+<main>  
+
+<p>Postfix and dovecot will be the two primary pieces of our mail sever.
+Postfix is the mail transport agent that handles the sending and 
+receiving of mail and dovecot is the IMAP server that will allow us to 
+access our mail from a mail client such as mutt. The server will also
+have several other supporting components, a complete list of which is:</p>
+
+<ul>
+                <li><em>SpamAssassin</em> for spam filtering</li> 
+                <li><em>OpenDKIM</em> for DKIM verification and signing</li> 
+                <li><em>Postgrey</em> for greylisting</li> 
+                <li><em>Policyd-SPF</em> for SPF verification</li> 
+                <li><em>OpenDMARC</em> for DMARC verification</li> 
+</ul>
+
+<p>You can use <a href=https://git.chudnick.com/mail-tools/tree/server/deploy-server>
+this script</a> I have written to automate this process, but I would
+recommend that you run through the tutorial first to understand 
+what is being done.</p>
+
+<p>Please note that this tutorial is loosely intended for small personal mail 
+servers. Using PAM for authentication, as is done here, is not a scalable solution 
+for working with a large number of users. I do plan on covering Dovecot LDAP 
+authentication at some point which would be a better solution in an enterprise 
+setting.</p>
+
+<h2>Install Packages</h2>
+<p>Let's start by installing the required packages. Note that if you already 
+have Apache installed on the server, replace <em>python3-certbot-nginx</em> 
+with <em>python3-certbot-apache</em>.</p>
+<pre><code>apt install postfix dovecot-imapd dovecot-sieve opendkim opendkim-tools spamassassin gnupg postgrey postfix-policyd-spf-python opendmarc dbconfig-no-thanks certbot python3-certbot-nginx</code></pre>
+<p>During the installation of Postfix you will get a Debconf prompt in which 
+you need to select "Internet Site" and then provide your domain name,
+<strong>example.com</strong>.</p>
+
+<h2>Get a certificate</h2>
+<p>Now we'll use Certbot to get a certificate for our server. If you are 
+using Apache replace <em>nginx</em> with <em>apache2</em>.</p>
+
+<pre><code>systemctl stop nginx
+certbot certonly --standalone -d <strong>mail.example.com</strong> 
+systemctl start nginx</code></pre>
+
+<h2>Postfix Main Configuration</h2>
+<p>In this section we will be doing the bulk of the postfix configuration. 
+The postconf command used throughout appends (or changes) 
+the specified configuration item in /etc/postfix/main.cf</p>
+
+<h3>Network Configuration</h3>
+
+<p>Let's start by configuring some network and domain information.</p>
+
+<pre><code>postconf -e "myorigin = <strong>example.com</strong>"
+postconf -e "mydestination = \$myhostname, \$mydomain, localhost"
+postconf -e "mynetworks = 127.0.0.0/8 [::1]/128"
+postconf -e "myhostname = <strong>mail.example.com</strong>"
+</code></pre>
+
+<p>Next, point postfix to the cerbot key and certificate, as well as the distro's
+CA certificates.</p>
+
+<pre><code>postconf -e "smtpd_tls_key_file=/etc/letsencrypt/live/<strong>mail.example.com</strong>/privkey.pem"
+postconf -e "smtpd_tls_cert_file=/etc/letsencrypt/live/<strong>mail.example.com</strong>/fullchain.pem"
+postconf -e "smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt"
+</code></pre>
+
+<p>Harden the TLS configuration by forcing strong
+protocols and ciphers, and requiring that authentication occur only over an
+encrypted session.</p>
+<pre><code><em># Require authentication over TLS and optionally use it for sending and receiving mail</em>
+postconf -e "smtpd_tls_auth_only = yes"
+postconf -e "smtpd_tls_security_level = may"
+postconf -e "smtp_tls_security_level = may"
+
+<em># Force the use of TLSv1.2 or TLSv1.3</em>
+postconf -e 'smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
+postconf -e 'smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
+postconf -e 'smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
+postconf -e 'smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
+
+<em># Prefer server ciphers</em>
+postconf -e "tls_preempt_cipherlist = yes"
+
+<em># Force strong ciphers</em>
+postconf -e "smtpd_tls_ciphers = high"
+postconf -e "smtpd_tls_mandatory_ciphers = high"
+postconf -e "smtp_tls_ciphers = high"
+postconf -e "smtp_tls_mandatory_ciphers = high"
+postconf -e "smtpd_tls_exclude_ciphers = aNULL, eNULL, EXP, LOW, MEDIUM, PSK, SRP, SHA1, kRSA, CAMELLIA, ARIA, DSS, RSA+AES, ADH, AECDH"
+postconf -e "smtp_tls_exclude_ciphers = aNULL, eNULL, EXP, LOW, MEDIUM, PSK, SRP, SHA1, kRSA, CAMELLIA, ARIA, DSS, RSA+AES, ADH, AECDH"
+</code></pre>
+
+<h3>Local Recipients and Aliases</h3>
+
+<p>Here we configure the bulk of the postfix built-in security settings which are
+structured as a series of access restrictions. Do not edit these settings without 
+first reading the Postfix documentation as an incorrect change could inadvertently 
+make your server an open relay.</p>
+
+<pre><code>postconf -e "smtpd_helo_required = yes"
+postconf -e "smtpd_sender_login_maps = proxy:hash:/etc/postfix/login_maps"
+postconf -e "smtpd_helo_restrictions = reject_unknown_helo_hostname, reject_non_fqdn_helo_hostname" 
+postconf -e "smtpd_sender_restrictions = reject_sender_login_mismatch, reject_non_fqdn_sender, reject_unknown_sender_domain"
+postconf -e "smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_sasl_authenticated, reject_unauth_destination, check_policy_service unix:private/postgrey, check_policy_service unix:private/policyd-spf, reject_rbl_client zen.spamhaus.org"
+postconf -e "smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination"
+postconf -e "smtpd_data_restrictions = reject_unauth_pipelining"
+
+<em># Disable VRFY command to prevent harvesting of user accounts on system</em>
+postconf -e "disable_vrfy_command = yes"
+
+<em># Change smptd banner (hide distribution)</em>
+postconf -e "smtpd_banner = \$myhostname ESMTP \$mail_name"</code></pre>
+
+<p>Now, configure the local mail recipients and some aliases. We'll create 
+an account called <strong>mailadmin</strong> to receive mail addressed to 
+several other accounts. This is to keep <em>administrative</em> mail separate, but 
+you can certainly alias these to your main account later if you would prefer to see 
+it there.</p>
+
+<pre><code><em># Set a custom local_recipient_maps here in order to avoid accepting mail for all local accounts</em>
+postconf -e "local_recipient_maps = proxy:hash:/etc/postfix/local_maps \$alias_maps"
+
+<em># You will need to manually set a password later to login as mailadmin</em>
+adduser --disabled-login --shell /usr/sbin/nologin --gecos "" mailadmin
+echo "# postfix aliases
+postmaster:     mailadmin
+root:           mailadmin
+dmarc:          mailadmin
+" &gt; /etc/aliases
+
+<em># Update address databases</em>
+echo "mailadmin@<em>mail.example.com</em>    mailadmin" &gt; /etc/postfix/login_maps
+echo "mailadmin mailadmin" &gt; /etc/postfix/local_maps
+newaliases
+postmap /etc/postfix/login_maps
+postmap /etc/postfix/local_maps
+</code></pre>
+
+<h3>Mail Delivery</h3>
+
+
+<p>These commands configure our mail delivery preferences. Mail will be 
+delivered inside a user's home folder with a maildir-style mailbox using
+dovecot.</p>
+
+<pre><code><em># Maildir delivery to $HOME/Mail/Inbox/</em>
+postconf -e "home_mailbox = Mail/Inbox/"
+<em># Deliver mail with Dovecot</em>
+postconf -e "mailbox_command = /usr/lib/dovecot/deliver"</code></pre>
+
+<h3>Header and Body Checks</h3>
+
+<p>Header and body checks allow for some simple content filtering within Postfix. 
+This is done by scanning a message line by line for a configured regex string, 
+nothing more. For example, the first header check listed will reject a message 
+with an attachment of <em>ransomware.exe</em> but will not block it if sent with 
+no extension. This is mostly a protection against uneducated users and poorly 
+written mail clients. Other checks block vulnerabilities and improve privacy.</p>
+
+<p>Create a new file <strong>/etc/postfix/header_checks</strong>, then open it in a 
+text editor and add the following</p>
+<pre><code><em># Block files with common executable extensions</em>
+/name=[^&gt;]*\.(exe|pif|com|dll|vbs|bat|sh|bash|so|zip|tar|gz|cpio)/ REJECT
+
+<em># Block message/partial vulnerability</em>
+/message\/partial/ REJECT
+
+<em># Remove Received string that is created when spamassassin reinjects message into postfix</em>
+<em># This is to prevent leaking the userid of the spamassassin user</em>
+/^Received:.*userid.*/  IGNORE
+
+<em># Remove User-Agent strings from headers</em>
+/^User-Agent: .*/       IGNORE</code></pre>
+
+<p>Create another new file <strong>/etc/postfix/body_checks</strong>, and add this</p>
+<pre><code><em># Block messages with iframes</em>
+/&lt;iframe/ REJECT" &gt; /etc/postfix/body_checks</code></pre>
+
+<p>And then run these commands to point postfix to the check files.</p>
+<pre><code>postconf -e "header_checks = regexp:/etc/postfix/header_checks"
+postconf -e "body_checks = regexp:/etc/postfix/body_checks"</code></pre>
+
+<h2>Postfix Master Configuration</h2>
+<h3>SMTP client</h3>
+<p>This simple command configures the SMTP client process that is responsible 
+for sending your mail to other mail servers.</p>
+
+<pre><code>postconf -M "smtp/unix=smtp unix - - y - - smtp"</code></pre>
+
+<h3>Postscreen and SMTP Recipient</h3>
+<p>Postscreen is a kind of firewall that sits in front of the Postfix SMTPD 
+process and receives all incoming traffic. Postscreen will drop connections 
+from IPs on a DNS blacklst, or from clients that violate the SMTP protocol by 
+speaking out of turn or sending non-SMTP commands. This adds up to less spam 
+connections and therefore a much lighter workload for your server.</p>
+
+<pre><code>postconf -M "smtp/inet=smtp inet n - y - 1 postscreen"
+postconf -M "smtpd/pass=smtpd pass - - y - - smtpd"
+postconf -P "smtpd/pass/content_filter=spamassassin"
+postconf -M "tlsproxy/unix=tlsproxy unix - - y - 0 tlsproxy"
+postconf -M "dnsblog/unix=dnsblog unix - - y - 0 dnsblog"
+postconf -e "postscreen_dnsbl_sites = zen.spamhaus.org"
+postconf -e "postscreen_dnsbl_action = enforce"
+postconf -e "postscreen_greet_action = enforce"
+</code></pre>
+
+<h3>Submission over TLS (submissions)</h3>
+<p>Submission over TLS (aka submissions) is the process you will use to submit 
+mail to your server from a mail client. These commands configure submissions to 
+use a fully-encrypted session, as opposed to STARTTLS, and to only allow access 
+to authenticated clients.</p>
+
+<pre><code>postconf -M "submissions/inet=submissions inet n - y - - smtpd"
+postconf -P "submissions/inet/smtpd_tls_wrappermode=yes"
+postconf -P "submissions/inet/smtpd_tls_security_level=encrypt"
+postconf -P "submissions/inet/smtpd_tls_auth_only=yes"
+postconf -P "submissions/inet/smtpd_sasl_auth_enable=yes"
+postconf -P "submissions/inet/smtpd_client_restrictions=permit_sasl_authenticated,reject"
+postconf -P "submissions/inet/smtpd_helo_restrictions="
+postconf -P "submissions/inet/smtpd_sender_restrictions=reject_sender_login_mismatch"
+postconf -P "submissions/inet/smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject"
+postconf -P "submissions/inet/syslog_name=postfix/submissions"
+postconf -P 'submissions/inet/smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1'
+postconf -P 'submissions/inet/smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1'</code></pre>
+
+<h3>OPTIONAL - submission with mandatory STARTTLS</h3>
+<p>Having configured submission over TLS on port 465 this step is optional. 
+STARTTLS is considered by some to be less secure than full-session TLS and
+may be vulnerable to exploitation.</p>
+
+<pre><code>postconf -M "submission/inet=submission inet n - y - - smtpd"
+postconf -P "submission/inet/smtpd_tls_security_level=encrypt"
+postconf -P 'submission/inet/smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1'
+postconf -P 'submission/inet/smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1'
+postconf -P "submission/inet/smtpd_sasl_auth_enable=yes"
+postconf -P "submission/inet/smtpd_tls_auth_only=yes"
+postconf -P "submission/inet/syslog_name=postfix/submission"
+postconf -P "submission/inet/smtpd_helo_restrictions="
+postconf -P "submission/inet/smtpd_client_restrictions=permit_sasl_authenticated,reject"
+postconf -P "submission/inet/smtpd_helo_restrictions="
+postconf -P "submission/inet/smtpd_sender_restrictions=reject_sender_login_mismatch"
+postconf -P "submission/inet/smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject"
+</code></pre>
+
+<h3>SpamAssassin Configuration</h3>
+<p>Finally, this command tells Postfix how to interact with SpamAssassin.</p>
+
+<pre><code>postconf -M "spamassassin/unix=spamassassin unix - n n - - pipe user=debian-spamd argv=/usr/bin/spamc --socket=/var/run/spamd.sock -e /usr/sbin/sendmail -oi -f \${sender} \${recipient}" </code></pre>
+
+<h2>Dovecot Configuration</h2>
+<p>Dovecot configuration is usually split up into many different files under
+<strong>/etc/dovecot/conf.d/</strong> but here will be doing all of the
+configuration in the primary config file 
+<strong>/etc/dovecot/dovecot.conf</strong>. Open that file with your editor
+of choice, clear all of its contents, and then replace it with the following.</p>
+
+<pre><code><em># /etc/dovecot/conf.d/10-auth.conf</em>
+disable_plaintext_auth = yes
+auth_username_format = %n
+auth_mechanisms = plain
+userdb {
+        driver = passwd
+}
+passdb {
+        driver = pam
+}
+
+<em># /etc/dovecot/conf.d/10-mail.conf</em>
+mail_location = maildir:~/Mail:INBOX=~/Mail/Inbox:LAYOUT=fs
+namespace inbox {
+        type = private
+        prefix = 
+        separator = /
+        inbox = yes
+        subscriptions = yes
+        list = yes
+}
+
+<em># /etc/dovecot/conf.d/10-master.conf</em>
+service imap-login {
+# Run login processes in high-security mode (see: LoginProcess.txt in dovecot docs)
+service_count = 1
+# Disable unencrypted IMAP by setting port for plain IMAP to 0
+        inet_listener imap {
+                port = 0
+        }
+        inet_listener imaps {
+                port = 993
+                ssl = yes
+        }
+}
+
+<em># Allow postfix to use dovecot SASL</em>
+service auth {
+        unix_listener /var/spool/postfix/private/auth {
+                mode = 0660
+                user = postfix
+                group = postfix
+        }
+}
+
+<em># /etc/dovecot/conf.d/10-ssl.conf</em>
+ssl = required
+ssl_key = &lt;/etc/letsencrypt/live/<strong>mail.example.com</strong>/privkey.pem
+ssl_cert = &lt;/etc/letsencrypt/live/<strong>mail.example.com</strong>/fullchain.pem
+ssl_client_ca_dir = /etc/ssl/certs
+ssl_dh = &lt;/usr/share/dovecot/dh.pem
+
+<em># Mozilla intermediate compatibility</em>
+ssl_min_protocol = TLSv1.2
+ssl_cipher_list = ECDHE+ECDSA+AESGCM:ECDHE+aRSA+AESGCM:ECDHE+ECDSA+CHACHA20:ECDHE+aRSA+CHACHA20:DHE+aRSA+AESGCM:!aNULL:!eNULL
+
+ssl_prefer_server_ciphers = yes
+ssl_client_require_valid_cert = yes
+
+
+<em># /etc/dovecot/conf.d/15-lda.conf</em>
+protocol lda {
+        mail_plugins = \$mail_plugins sieve
+}
+
+<em># /etc/dovecot/conf.d/15-mailboxes.conf</em>
+namespace inbox {
+        mailbox Sent {
+                        special_use = \Sent
+                        auto = subscribe
+        }
+        mailbox Trash {
+                        special_use = \Trash
+                        auto = create
+                        autoexpunge = 30d
+        }
+        mailbox Drafts {
+                        special_use = \Drafts
+                        auto = subscribe
+        }
+        mailbox Spam {
+                        special_use = \Junk
+                        auto = create
+                        autoexpunge = 30d
+        }
+        mailbox Archive {
+                        special_use = \Archive
+                        auto = create
+        }
+}
+
+<em># /etc/dovecot/conf.d/20-imap.conf</em>
+imap_capability = +SPECIAL-USE
+
+<em># /etc/dovecot/conf.d/90-sieve.conf</em>
+plugin {
+        sieve = ~/.dovecot.sieve
+        sieve_default = /var/lib/dovecot/sieve/default.sieve
+        sieve_global = /var/lib/dovecot/sieve/
+}</code></pre>
+
+<p>Then create the default sieve filtering script at
+<strong>/var/lib/dovecot/sieve/default.sieve</strong></p>
+<pre><code>require ["fileinto", "mailbox"];
+/*
+* Discard mail that has a spam score greater than or equal to 10
+*/
+if header :contains "X-Spam-Level" "**********" {
+        discard;
+        stop;
+}
+/*
+* Discard messages marked as infected by a virus scanner
+*/
+if header :contains "X-Virus-Scan" "infected" {
+        discard;
+        stop;
+}
+/*
+* If message is marked as spam (and falls below discard threshold) put into spam mailbox
+*/
+if header :contains "X-Spam-Flag" "YES" {
+        fileinto "Spam";
+}</code></pre>
+
+<p>And compile the script</p>
+
+<pre><code>sievec /var/lib/dovecot/sieve/default.sieve</code></pre>
+
+
+<p>Finally, configure PAM authentication for dovecot at
+<strong>/etc/pam.d/dovecot</strong>. Append these changes leaving any include
+statements intact.</p>
+<pre><code>auth    required        pam_unix.so
+account required        pam_unix.so</code></pre>
+
+<h2>OpenDKIM</h2>
+<p>DKIM is a mail-verification method that cryptographically signs mail
+to allow receivers to verify the authenticity of the sender. Our mail server
+will use DKIM to validate signatures on incoming mail and sign outgoing mail. DKIM
+requires a public key to be published via DNS, which will be done near the end of
+the guide.</p>
+
+<p>Start by generating the DKIM key</p>
+
+<pre><code>opendkim-genkey -D /etc/dkimkeys -d <em>example.com</em> -s mail
+chown opendkim: /etc/dkimkeys/*
+chmod 600 /etc/dkimkeys/*
+mv /etc/dkimkeys/mail.private /etc/dkimkeys/mail.pem</code></pre>
+
+<p>Here we make a directory for the opendkim socket inside the postfix chroot and 
+make it accessible to the postfix user.</p>
+
+<pre><code>mkdir /var/spool/postfix/opendkim
+chmod 770 /var/spool/postfix/opendkim
+chown opendkim:opendkim /var/spool/postfix/opendkim
+usermod -aG opendkim postfix</code></pre>
+
+<p>Edit the configuration file at <strong>/etc/opendkim.conf</strong> 
+to be as follows:</p>
+
+<pre><code>On-BadSignature              reject
+On-Security             reject
+Syslog                  yes
+SyslogSuccess           yes
+LogResults              yes
+Canonicalization                simple
+Mode                    sv
+OversignHeaders         From
+Domain                  <strong>example.com</strong>
+Selector                        mail
+KeyFile                 /etc/dkimkeys/mail.pem     
+UserID                  opendkim
+UMask                   007
+Socket                  local:/var/spool/postfix/opendkim/opendkim.sock
+PidFile                 /run/opendkim/opendkim.pid
+TemporaryDirectory              /run/opendkim
+InternalHosts           127.0.0.1
+TrustAnchorFile         /usr/share/dns/root.key
+RequireSafeKeys         True
+AlwaysAddARHeader               True
+</code></pre>
+
+<h2>OpenDMARC</h2>
+<p>DMARC is another mail-verification technology that provides verification of the 
+address seen by end-users and either or both of SPF and DKIM. 
+
+<p>Like with OpenDKIM, we need to make a directory inside the postfix chroot
+for the socket and assign proper permissions.</p>
+<pre><code>mkdir /var/spool/postfix/opendmarc
+chmod 770 /var/spool/postfix/opendmarc
+chown opendmarc:opendmarc /var/spool/postfix/opendmarc
+usermod -aG opendmarc postfix
+</code></pre>
+
+<p>Now we write the configuration file at <strong>/etc/opendmarc.conf</strong></p>
+
+<pre><code>PidFile              /run/opendmarc/opendmarc.pid
+PublicSuffixList        /usr/share/publicsuffix/public_suffix_list.dat
+RejectFailures          True
+Socket                  local:/var/spool/postfix/opendmarc/opendmarc.sock
+Syslog                  True
+SyslogFacility          mail
+UMask                   002
+UserID                  opendmarc
+HistoryFile     /var/run/opendmarc/opendmarc.hist
+SPFIgnoreResults        True
+SPFSelfValidate True
+</code></pre>
+
+<p>Then create the history file and set permissions.</p>
+
+<pre><code>touch /var/run/opendmarc/opendmarc.hist
+chown opendmarc:opendmarc /var/run/opendmarc/opendmarc.hist
+chmod 664 /var/run/opendmarc/opendmarc.hist
+</code></pre>
+
+<p>Now that both OpenDKIM and OpenDMARC are configured we can define them as milters
+in postfix. This will tell postfix to route mail through one or both of these milters
+depending on whether it is incoming or outgoing.</p>
+
+<pre><code>postconf -P "smtpd/pass/smtpd_milters=unix:opendkim/opendkim.sock,unix:opendmarc/opendmarc.sock"
+postconf -P "submissions/inet/smtpd_milters=unix:opendkim/opendkim.sock"
+<em># If you enabled submission on port 587 run this too</em>
+postconf -P "submission/inet/smtpd_milters=unix:opendkim/opendkim.sock"
+</code></pre>
+
+<h2>Postgrey</h2>
+<p>Postgrey implements a spam-filter technique known as greylisting, which
+always rejects mail on the first try and for a period of time afterwards known
+as the greylist period. The idea behind this being that legitimate senders will
+send the mail again later, while spammers, in a rush to send as many messages as
+possible before being blacklisted, will not.</p>
+
+<p>Postgrey ships with an extensive whitelist domains that are known
+to cause issues (mainly large providers that constantly send from different
+addresses). This whitelist file is located at 
+<strong>/etc/postgrey/whitelist_clients</strong> and can be appended to include
+any domain you do not wish to be subject to greylisting.</p>
+
+<p>The configuration needed here is minimal, just open 
+<strong>/etc/default/postgrey</strong> and make these changes</p>
+
+<pre><code>POSTGREY_OPTS="--unix=/var/spool/postfix/private/postgrey --privacy"
+POSTGREY_TEXT="Greylisted - see https://www.greylisting.org"</code></pre>
+
+<p>And then enable the service</p>
+
+<pre><code>systemctl enable --now postgrey</code></pre>
+
+<h2>Policyd-SPF</h2>
+<p>SPF is yet another mail-verification technology that uses DNS records to 
+delegate specific servers as being authorized to send mail for the domain 
+(and implicitly all other servers as unauthorized). Policyd-SPF will perform
+SPF checking of received mail and reject mail that fails SPF verfication.</p>
+
+<p>First, tell postfix how to access Policyd-SPF</p>
+
+<pre><code>postconf -e "policyd-spf_time_limit = 3600"
+postconf -M "policyd-spf/unix=policyd-spf unix - n n - 0 spawn user=policyd-spf argv=/usr/bin/policyd-spf"</code></pre>
+
+<p>And then edit the configuration file at 
+<strong>/etc/postfix-policyd-spf-python/policyd-spf.conf</strong></p>
+
+<pre><code>debugLevel = 1
+TestOnly = 1
+HELO_reject = Fail
+Mail_From_reject = Fail
+Header_Type = AR
+<em># These settings increase false-positive risk</em>
+<em># Comment them if you want to reduce that risk</em>
+PermError_reject = True
+TempError_Defer = True</code></pre>
+
+
+<h2>SpamAssassin</h2>
+<p>SpamAssassin is a spam-filter that will scan all received mail and assign
+a spam score based on configured rules. SpamAssassin is much heavier and more
+resource-intensive than any of the previous spam-filtering/verification programs
+we have configured. The postfix spam-filtering philosophy emphasizes the use
+of lightweight checks before passing to an external content filter such as 
+SpamAssassin. Ideally, non-legitimate mail will have already been caught by one
+of the previous methods, and SpamAssassin will only have to operate on a much
+smaller subset of the mail that is sent to our server.</p>
+
+<p>We have actually already told postfix to use SpamAssassin as a content filter
+so in this section we just need to edit the configuration file 
+<strong>/etc/spamassassin/local.cf</strong>.</p>
+
+<pre><code><em># Clearly indicate message is spam to user</em>
+rewrite_header Subject *****SPAM*****
+rewrite_header From *****SPAM*****
+
+<em># Set required score to be marked as spam, 5.0 is default.</em>
+<em># Lower to make policy more strict or raise to be more lenient.</em>
+required_score 5.0
+
+<em># Attach original messages as text/plain instead of message/rfc822 to spam reports</em>
+report_safe 2
+
+<em>Do not implicitly trust mail based on IP address except localhost</em>
+trusted_networks       127.0.0.1/32
+</code></pre>
+
+<p>And finally make a few changes to the defaults file at
+<strong>/etc/default/spamassassin</strong></p>
+
+<pre><code>OPTIONS="--listen /var/run/spamd.sock --max-children 5"
+PIDFILE=/var/run/spamd.pid
+CRON=1</code></pre>
+
+<h2>Wrapping Up</h2>
+<p>At this point we have done all of the necessary configuration of the mail
+server programs.  We have just a few more minor tasks before your mail server
+is operational.</p>
+
+<h3>Configure Firewall</h3>
+<p>We need to open the proper ports in the firewall. This example uses UFW.</p>
+
+<pre><code>ufw allow 25 comment "smtp"
+ufw allow 465 comment "submission over TLS"
+<em># Run this next command only if you enabled submission on port 587</em>
+ufw allow 587 comment "mail submission"
+ufw allow 993 comment "IMAP over TLS"
+ufw reload</code></pre>
+
+<h3>Restart services</h3>
+<p>Now let's restart the services to pick up any configuration changes.</p>
+
+<pre><code>systemctl restart postfix
+systemctl restart dovecot
+systemctl restart opendkim
+systemctl restart opendmarc
+systemctl enable --now spamassassin
+systemctl restart spamassassin
+systemctl restart postgrey</code></pre>
+
+<h3>DNS Entries</h3>
+<p>Finally, we needs to set some required DNS records to enable mail flow and 
+verification.  Begin by logging into your registrar or DNS host and editing
+your DNS records.</p>
+
+<h3>A Record</h3>
+<p>If you did not set a wildcard A record earlier, you will need to set one now
+for <strong>mail</strong>. 
+Alternatively, if you are running the mail server on the same server as your 
+website, you may want to instead make a CNAME record pointing mail to www.</p>
+
+<h3>MX Record</h3>
+<p>MX records tell servers attempting to send you mail where to send it. Open the 
+MX records section on your registrar and add a new record. An MX
+record consists of a priority and a destination. Set the priority to 10 and the 
+destination to <strong>mail</strong>, or whatever your subdomain for this mail
+server is. The host value can be left blank or may need to be set to "@" 
+depending on your registrar.</p>
+
+<h3>DKIM TXT Record</h3>
+<p>Now we will set the three TXT records we need. Open the TXT records tab on 
+your registrar.</p>
+
+<p>We'll set the DKIM record first. The command we ran to 
+generate our DKIM keys also generates a DNS record for us which will be helpful 
+here. Print that to the screen with:</p>
+
+<pre><code>cat /etc/dkimkeys/mail.txt</code></pre>
+
+<p>You should get a lengthy output that looks something like the following. The 
+bolded portion is the value.</p>
+
+<pre><code>mail._domainkey      IN      TXT     ( <strong>"v=DKIM1; h=sha256; k=rsa; "
+          "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz50PSYL0Ob+OlF/0B77rwlzLe7zF6JKnxQNtMqcOCZ0Dar2FPhSUSz1FR0YmNuoShjMogdgKeojIzgRUqwK5GZ5Lz456qiXWkfAtLPc6UQ/WPoyEBGbJpRBYPGWdN4VoNcHkk/I4csvXW6MOI55ghPOwDmootPkCzNPR6gmNAXMe0duS4Lb+bIjy9QMOxGYVUaQ/b+7xar+fWw"
+          "bA3DjQa3jTLCydzzJpjEMfVaKqNhQ4N+ve7O2Mb3LF5k5B977mtok/6POjVG5HY8g6Pba+GzMFItR6nJO5EE2fyfv6cNbRLsZiM+WQmqvDBst5ejaeapy86F5PdJFlX/TUgXjtuwIDAQAB"</strong> )  ; ----- DKIM key mail for example.com</code></pre>
+
+<p>You can cleanup the spacing of the value as your registrar should automatically 
+handle any needed splitting of the record. The parts you need to paste into your 
+registrar's web interface should then look like this.</p>
+
+<pre><code><em># Name/Host</em> 
+mail._domainkey
+<em># TXT Value</em>
+"v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz50PSYL0Ob+OlF/0B77rwlzLe7zF6JKnxQNtMqcOCZ0Dar2FPhSUSz1FR0YmNuoShjMogdgKeojIzgRUqwK5GZ5Lz456qiXWkfAtLPc6UQ/WPoyEBGbJpRBYPGWdN4VoNcHkk/I4csvXW6MOI55ghPOwDmootPkCzNPR6gmNAXMe0duS4Lb+bIjy9QMOxGYVUaQ/b+7xar+fWwbA3DjQa3jTLCydzzJpjEMfVaKqNhQ4N+ve7O2Mb3LF5k5B977mtok/6POjVG5HY8g6Pba+GzMFItR6nJO5EE2fyfv6cNbRLsZiM+WQmqvDBst5ejaeapy86F5PdJFlX/TUgXjtuwIDAQAB"</code></pre>
+
+<h3>DMARC TXT Record</h3>
+<p>The DMARC record should be as follows:</p>
+
+<pre><code><em># Name/Host</em> 
+_dmarc
+<em># Value</em> 
+"v=DMARC1; p=reject; rua=mailto:dmarc@<strong>example.com</strong>; fo=1"
+</code></pre>
+
+<h3>SPF Record</h3>
+<p>Your SPF record will look like this.  Remember to replace 
+<strong>mail.example.com</strong> with your server name.</p>
+
+<pre><code><em># Name/Host</em> 
+@
+<em># Value</em>
+"v=spf1 a:<strong>mail.example.com</strong> -all"
+</code></pre>
+
+<h3>PTR Record</h3>
+<p>Many mail servers rely on PTR records for verification purposes so we need 
+to make sure our server's IP address resolves to the proper domain name. If 
+your mail server is residing on a VPS, you will need to add this record on your 
+VPS provider's interface, consult their documentation for details.</p>
+
+<h2>Creating your own Mail User</h2>
+<p>Your mail server is now up and running. Let's create an email for you to 
+receive mail.</p>
+
+<pre><code>useradd --shell /usr/sbin/nologin --create-home --user-group <strong>user</strong>
+echo "<strong>user@example.com  user</strong>" &gt;&gt; /etc/postfix/login_maps
+echo "<strong>user      user</strong>" &gt;&gt; /etc/postfix/local_maps
+postmap /etc/postfix/login_maps
+postmap /etc/postfix/local_maps
+postfix reload
+</code></pre>
+
+<p>I have a script available for adding and removing users that you can find
+<a href=https://git.chudnick.com/mail-tools/tree/server/mailadm>here</a>.
+
+<h3>Connecting From a Mail Client</h3>
+<p>When connecting your account to a mail client you need to use these settings.</p>
+
+<ul>
+                <li>Username: <strong>user@example.com</strong> </li>
+
+                <li>Password: the password for <strong>user@example.com</strong> </li>
+
+                <li>Server name: <strong>mail.example.com</strong> </li>
+
+                <li>IMAP Port: 993</li>
+
+                <li>IMAP Connection: SSL/TLS</li>
+
+                <li>SMTP Port: 465</li>
+
+                <li>SMTP Connection Type: SSL/TLS</li>
+                
+</ul> 
+<p>
+<hr>
+Consider <a href=../donate.html>donating</a> if this article was useful.
+<a class=qr href=../images/bitcoin.png>[BTC]</a>
+</p>
+    </main>
+    <footer>
+                        <a href=../kb.html>Knowledge Base</a>
+                        <br>
+                        <a href=../index.html>www.chudnick.com</a>
+        </footer>
+</body>
+</html>
+
diff --git a/articles/mdadm-raid.html b/articles/mdadm-raid.html
new file mode 100644
index 0000000..dd2a014
--- /dev/null
+++ b/articles/mdadm-raid.html
@@ -0,0 +1,120 @@
+<!DOCTYPE html>
+<html lang=en>
+    <head>
+        <title></title>
+        <meta charset="utf-8"/>
+        <link rel="shortcut icon" href="favicon.ico"/>
+        <link rel='stylesheet' href='../style.css'/>
+        <meta name="viewport" content="width=device-width, initial-scale=1">
+    </head>
+<body>
+    <header><h1>Linux Software RAID</h1></header>
+    <main>
+                        <p><strong>mdadm</strong> is a tool that allows for creation and 
+                        management of software RAID arrays on Linux. Creating an array 
+                        is a rather straightforward process.</p>
+
+                        <h2>Install packages</h2>
+                        <p>The only package needed is mdadm itself</p>
+                        <pre><code>apt install mdadm</code></pre>
+
+                        <h2>Partition disks</h2>
+                        <p>We'll need to parition the disks to be used in the array before 
+                        creating it. This isn't anything complicated, we will just be 
+                        creating a single partition using all the space on each disk.</p>
+
+                        <p>Use <strong>lsblk</strong> to get a list of disks attached to your system.</p>
+                        
+                        <img src=../images/raid/lsblk.png alt="lsblk command">
+
+                        <p>Then use <strong>fdisk</strong> to edit the partition table of the 
+                        first disk. In my case this would be <strong>/dev/sdb</strong>. 
+                        Be sure that you are selecting the correct disk as selecting the 
+                        wrong one can result in data being lost.</p>
+
+                        <pre><code>fdisk /dev/sdb</code></pre>
+
+                        <p>Use <strong>g</strong> to create a new GUID partition table.
+                        Use <strong>n</strong> to create a new partition, and then just press 
+                        enter at all of the prompts to accept the defaults. Finally use 
+                        <strong>w</strong> to write the changes. You can use lsblk again 
+                        to verify the change and you should see that /dev/sdb now has a 
+                        partition <strong>/dev/sdb1</strong>.</p>
+
+                        <img src=../images/raid/fdisk.png alt="fdisk command">
+
+                        <p>Repeat this process for your other disks before continuing.</p>
+
+
+                        <h2>Create the array</h2>
+                        <p>Creating the array is done with a single command, but takes just a 
+                        bit of planning.</p>
+                        <ul>
+                                        <li>Define an ID for the array, which is just a 
+                                        number identifier. I use <em>0</em> in the command.</li>
+                                        <li>Determine the RAID level you want to use. I am going to 
+                                        use RAID5 in this example. The argument to --level is the 
+                                        number of the RAID level</li> 
+                                        <li>Determine the devices that will be used in the array. 
+                                        Somewhat contrary to the argument name, these devices 
+                                        will actually be the partitions of the disks and not the 
+                                        disks themselves. In the command, give the number of 
+                                        partitions (<em>3</em>) and then a space-separated list of the 
+                                        partitions that will be active in the array 
+                                        (<em>/dev/sdb1 /dev/sdc1 /dev/sdd1</em>).</li> 
+                                        <li>If you want to have any spare devices in the array you 
+                                        will define them with the --spare-devices argument. These are 
+                                        defined in the exact same way as the active RAID devices. In 
+                                        the example I use <em>1</em> spare <em>/dev/sde1</em>. Spare 
+                                        devices are hot-spares that will automatically be inserted into 
+                                        the array if one of the disks fails.</li> 
+                        </ul>
+
+                        <pre><code>mdadm --create /dev/md<em>0</em> --level=<em>5</em> --raid-devices=<em>3</em> <em>/dev/sdb1 /dev/sdc1 /dev/sdd1</em> --spare-devices=<em>1</em> <em>/dev/sde1</em></code></pre>
+
+                        <p>After creating the array run the following command to get details 
+                        and the status of the array. It will take a bit to initialize the 
+                        array, you will know this is done when the state is clean. You do not 
+                        need to wait for the array to completely intialize to continue.</p>
+
+                        <pre><code>mdadm --detail /dev/md<em>0</em></code></pre>
+
+                        <p>Take note of the UUID and name values as we will need them in the 
+                        next step.</p>
+
+                        <p>Before moving on we need to make a filesystem on the array. I'm 
+                        going to make a simple EXT4 filesystem here.</p>
+
+                        <pre><code>mkfs.ext4 /dev/md<em>0</em></code></pre>
+
+                        
+                        <h2>Configuration Files</h2>
+                        
+                        <p>Open the mdadm configuration file at 
+                        <strong>/etc/mdadm/mdadm.conf</strong> and append this line. Replace 
+                        <em>uuid</em> and <em>name</em> with the values you got when running 
+                        mdadm --detail, replace <em>0</em> whatever ID you chose.</p>
+
+                        <pre><code>ARRAY /dev/md<em>0</em> metadata=1.2 UUID=<em>uuid</em> name=<em>name</em></code></pre>
+
+                        <p>Optionally, create an <strong>/etc/fstab</strong> entry for 
+                        automounting of the array. Replace /mnt/raid with the directory 
+                        where you want to mount the array. If you made a filesystem other than 
+                        ext4 make sure to change that value.</p>
+
+                        <pre><code>/dev/md<em>0</em> /mnt/raid ext4 defaults 0 1</code></pre>
+
+<p>
+<hr>
+Consider <a href=../donate.html>donating</a> if this article was useful.
+<a class=qr href=../images/bitcoin.png>[BTC]</a>
+</p>
+        </main>
+    <footer>
+        <a href=../kb.html>Knowledge Base</a>
+        <br>
+        <a href=../index.html>www.chudnick.com</a>
+        </footer>
+</body>
+</html>
+
diff --git a/articles/mutt.html b/articles/mutt.html
new file mode 100644
index 0000000..962ae33
--- /dev/null
+++ b/articles/mutt.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html lang=en>
+    <head>
+        <title></title>
+        <meta charset="utf-8"/>
+        <link rel="shortcut icon" href="favicon.ico"/>
+        <link rel='stylesheet' href='../style.css'/>
+        <meta name="viewport" content="width=device-width, initial-scale=1">
+    </head>
+<body>
+    <header><h1>Mutt - Terminal Email Client</h1></header>
+    <main>
+    </main>
+<p>
+<hr>
+Consider <a href=../donate.html>donating</a> if this article was useful.
+<a class=qr href=../images/bitcoin.png>[BTC]</a>
+</p>
+        </main>
+    <footer>
+        <a href=../kb.html>Knowledge Base</a>
+        <br>
+        <a href=../index.html>www.chudnick.com</a>
+        </footer>
+</body>
+</html>
+
diff --git a/articles/pam-tfa.html b/articles/pam-tfa.html
new file mode 100644
index 0000000..7bdc551
--- /dev/null
+++ b/articles/pam-tfa.html
@@ -0,0 +1,157 @@
+<!DOCTYPE html>
+<html lang=en>
+    <head>
+        <title></title>
+        <meta charset="utf-8"/>
+        <link rel="shortcut icon" href="favicon.ico"/>
+        <link rel='stylesheet' href='../style.css'/>
+        <meta name="viewport" content="width=device-width, initial-scale=1">
+    </head>
+<body>
+    <header><h1>PAM OATH Two Factor Authentication</h1></header>
+    <main>
+                        <p>In this article we are going to look at configuring two factor 
+                        authentication via PAM using OATH. This is a simple and private way 
+                        to increase the security of your systems. Even if you are not familiar 
+                        with the term, it is likely that you 
+                        have used OATH before. OATH (specifically TOTP) is the rotating 6 
+                        digit code that you get from scanning a QR code when setting up 2FA 
+                        on an account.</p>
+
+                        <p>This example will show how to configure 2FA for SSH logins to a 
+                        server, but can easily be generalized to cover other programs or 
+                        even all authentication on a system. The two factors here will be 
+                        public key authentication and then the OATH/TOTP code. 
+                        <em>It is highly recommended that you remain SSHd into your server 
+                        until after testing to avoid locking yourself out in the event 
+                        of a configuration error.</em></p>
+
+                        <h2>Install Packages</h2>
+                        <p>You only need to install a single package on the server side.</p>
+
+                        <pre><code>apt install libpam-oath</code></pre>
+
+                        <p>On the client machine that will be SSHing to the server install 
+                        these two packages.</p>
+
+                        <pre><code>apt install oathtool qrencode</code></pre>
+
+                        <h2>Configure OATH</h2>
+                        <p>Create the OATH configuration file <strong>/etc/users.oath</strong>. 
+                        This file will contain the OATH secret keys so permissions need to be 
+                        set to only allow the root user to view it.</p>
+
+                        <pre><code>touch /etc/users.oath
+chown root: /etc/users.oath
+chmod 600 /etc/users.oath</code></pre>
+
+                        <p>Generate a secret key for the TOTP. Treat this secret key as you 
+                        would your SSH or GPG private key. Anyone who has this key will be able 
+                        to generate the code needed to authenticate.</p>
+
+                        <pre><code>openssl rand -hex 10</code></pre>
+
+                        <p>Now we define the TOTP configuration for our user. If you were 
+                        setting this up for multiple users you would make one entry per line. 
+                        Open <strong>/etc/users.oath</strong> and add this line. 
+                        <em>user</em> is the username of the account you will SSH into. 
+                        Replace the long string of numbers and letters with the secret key 
+                        you just generated.</p>
+
+                        <pre><code>HOTP/T30/6 <em>user</em> - <em>00112233445566aabbcc</em></code></pre>
+
+
+                        <h2>Configure PAM</h2>
+                        <p>Now we need to tell PAM to use OATH to authenticate sshd. Do that 
+                        by opening <strong>/etc/pam.d/sshd</strong> and adding the following 
+                        line to the top of the file.</p>
+
+                        <pre><code>auth sufficient pam_oath.so usersfile=/etc/users.oath window=30 digits=6</code></pre>
+
+                        <p>This tells PAM to consider a valid 6 digit code as fully authenticated 
+                        and to skip any other processing that may normally occur, such as 
+                        requesting a password.</p>
+
+                        <h2>Configure SSHD</h2>
+                        <p>We need to make a few changes to the sshd configuration to allow 
+                        OATH to work properly. Open the sshd configuration file at 
+                        <strong>/etc/ssh/sshd_config</strong> and make the following changes.</p>
+
+                        <pre><code>AuthenticationMethods publickey,keyboard-interactive
+PubkeyAuthentication yes
+PasswordAuthentication no
+ChallengeResponseAuthentication yes
+UsePAM yes</code></pre>
+
+                        <p>The <strong>AuthenticationMethods</strong> line specifically tells 
+                        sshd that a user needs to both have an authorized SSH key and know 
+                        the proper 6 digit code to login.</p>
+
+                        <p>Restart sshd to apply the changes</p>
+
+                        <pre><code>systemctl restart sshd</code></pre>
+
+                        <h2>Test the Changes</h2>
+                        <p>From your client ssh into your server as normal. Instead of 
+                        connecting as you have been, you should now see a prompt for your 
+                        one time password. You can use <strong>oathtool</strong> to get 
+                        the code. Again, replace the long string of numbers and letters 
+                        with the secret key you generated on the server.</p>
+
+                        <pre><code>oathtool --totp -d6 <em>00112233445566aabbcc</em></code></pre>
+
+                        <p>Enter that 6 digit code into the prompt and you will be logged 
+                        into your server.</p>
+
+                        <p>Now, in the unlikely event that your SSH private key is stolen, 
+                        an attacker still won't be able to access your server!</p>
+
+                        <h2>Managing your TOTP</h2>
+                        <p>You probably don't want to run the oathtool command everytime you 
+                        need your code, and while you could make an alias, that would require 
+                        storing your secret key in plaintext. Here are some better options.</p>
+
+                        <ul>
+                                        <li><strong>pass otp</strong> is an extension to the command-line 
+                                        password manager <strong>pass</strong> for handling TOTP. 
+                                        Use this if you are already using pass</li> 
+                                        <li><strong>KeePassXC</strong> is a graphical password 
+                                        manager that can manage TOTP</li> 
+                                        <li><strong>Gnome Authenticator</strong> is a graphical 
+                                        TOTP manager for the GNOME desktop environment</li>
+                        </ul>
+
+                        <p>You may also want to generate a QR code for easy setup on another 
+                        device.  Rerun the same oathtool command as before with the -v flag 
+                        to get the base32 version of your secret key.</p>
+
+                        <pre><code>oathtool --totp -v -d6 <em>00112233445566aabbcc</em>
+--------------------------------
+Hex secret: 00112233445566aabbcc
+Base32 secret: <strong>AAISEM2EKVTKVO6M</strong>
+Digits: 6
+Window size: 0
+TOTP mode: SHA1
+Step size (seconds): 30
+</code></pre>
+
+                        <p>Then use qrencode to generate the QR code image.</p>
+
+                        <pre><code>qrencode -o <em>totp.png</em> 'otpauth://totp/<em>user</em>@<em>server</em>?secret=<em>AAISEM2EKVTKVO6M</em>'</code></pre>
+
+    </main>
+        
+<p>
+<hr>
+Consider <a href=../donate.html>donating</a> if this article was useful.
+<a class=qr href=../images/bitcoin.png>[BTC]</a>
+</p>
+        </main>
+    <footer>
+        <a href=../kb.html>Knowledge Base</a>
+        <br>
+        <a href=../index.html>www.chudnick.com</a>
+        </footer>
+</body>
+</html>
+
diff --git a/articles/template.html b/articles/template.html
new file mode 100644
index 0000000..f908cab
--- /dev/null
+++ b/articles/template.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html lang=en>
+    <head>
+        <title></title>
+        <meta charset="utf-8"/>
+        <link rel="shortcut icon" href="favicon.ico"/>
+        <link rel='stylesheet' href='../style.css'/>
+        <meta name="viewport" content="width=device-width, initial-scale=1">
+    </head>
+<body>
+    <header><h1>Article</h1></header>
+    <main>
+    </main>
+<p>
+<hr>
+Consider <a href=../donate.html>donating</a> if this article was useful.
+<a class=qr href=../images/bitcoin.png>[BTC]</a>
+</p>
+        </main>
+    <footer>
+        <a href=../kb.html>Knowledge Base</a>
+        <br>
+        <a href=../index.html>www.chudnick.com</a>
+        </footer>
+</body>
+</html>
+