I set APP_URL to my domain (example.com), but the issue still remained.

I wasn’t sure if Winter CMS stored the URL somewhere else. After checking the source code, I found this:

/*
|--------------------------------------------------------------------------
| Linking policy
|--------------------------------------------------------------------------
|
| Controls how URL links are generated throughout the application.
|
| detect   - detect hostname and use the current scheme
| secure   - detect hostname and force HTTPS scheme
| insecure - detect hostname and force HTTP scheme
| force    - force hostname and scheme using app.url config value
|
| NOTE: force will ensure that the app.url value is used as the host for
| URLs generated through the URL helpers, which might have unintended
| consequences for projects that support multiple hostnames.
|
*/

I changed LINK_POLICY in the .env file from detect to force, and the insecure connection issue was resolved.

Driver download:
https://vn.canon/vi/support/0100595001?model=imageCLASS+LBP6030__+LBP6030B__+LBP6030w

Linux Mint

1sudo bash ./install.sh

Ubuntu Server

Missing dependency:

1sudo apt install libcupsimage2t64

No GUI → add printer via CUPS web UI.

Notes

• Driver does not support ARM (cannot use Raspberry Pi)
• Using AMD64 as print server

Setup

1. Docker Compose

Set the RPC port to 443:

1ARIA2RPCPORT=443

This setup is used inside a private VPN only, so there is no need to set RPC_SECRET.

2. Caddy Reverse Proxy

Configure Caddy normally for AriaNg:

 1ariang.example.com {
 2    reverse_proxy ariang:8080 {
 3        header_up Host {host}
 4        header_up X-Real-IP {remote}
 5
 6        transport http {
 7            read_timeout 1h
 8            write_timeout 1h
 9        }
10    }
11}

Caddy automatically handles TLS and WebSocket upgrades.

3. AriaNg WebUI Settings

In AriaNg Settings → RPC:

• Aria2 RPC Address

  https://ariang.example.com:443/jsonrpc

  or

  wss://ariang.example.com:443/jsonrpc

Notes

• wss:// is recommended for better WebSocket stability.
• No extra Caddy configuration is required for WebSockets.
• Access is restricted to the VPN, so disabling RPC_SECRET is acceptable in this case.

Update (2025-11-22): I have since switched from Twikoo to meh (https://github.com/splitbrain/meh).
This post remains for reference.

Adding Twikoo Comments to My Hugo Website

This is me trying to add a comment system to my website (this website).

Hugo has plenty of comment integrations available:
https://gohugo.io/content-management/comments

Disqus, Comentario, giscus, Isso, Remark42, Talkyard… you name it.

However, since I already use Twikoo for other services, it makes sense to reuse it here. This post documents how I integrated Twikoo into a Hugo site using the hugo-simple theme.

1. Override Hugo’s single.html

Because I only want comments on blog posts, I created:

layouts/blog/single.html

I copied it from the theme’s layouts/single.html and inserted the comment partial right after the <content> block:

1<content>
2  {{ .Content }}
3</content>
4
5{{ partial "comments.html" . }}

2. Create the comments.html partial

Next, I added a central comment selector at:

layouts/_partials/comments.html

 1{{/* determine provider: page-level overrides site-level */}}
 2{{ $provider := .Params.comments | default .Site.Params.comments.provider }}
 3
 4{{ if eq $provider "twikoo" }}
 5  {{ partial "comments/twikoo.html" . }}
 6{{ end }}
 7
 8{{ if eq $provider "giscus" }}
 9  {{ partial "comments/giscus.html" . }}
10{{ end }}
11
12{{/* more systems can be added here */}}

3. Add the Twikoo partial

I created the Twikoo implementation at:

layouts/_partials/comments/twikoo.html

 1<div id="twikoo"></div>
 2
 3<script src="https://cdn.jsdelivr.net/npm/twikoo@1.6.44/dist/twikoo.min.js"></script>
 4
 5<script>
 6twikoo.init({
 7  envId: "{{ .Site.Params.twikoo.endpoint }}",
 8  el: "#twikoo",
 9  path: "{{ .Permalink }}",
10  lang: "{{ .Site.Params.twikoo.language | default "en" }}"
11});
12</script>

4. Configure Twikoo in hugo.toml

Finally, I added the following settings:

1[params.comments]
2provider = "twikoo"
3
4[params.twikoo]
5endpoint = "https://your.twikoo.api"
6language = "en"

That’s it

After these changes, Twikoo successfully loads at the bottom of each blog post.

If I ever want to switch to another system (e.g., giscus), I can just update provider:

1[params.comments]
2provider = "giscus"

• People use multiple devices
• They move between locations
• ISPs constantly change IP addresses
• Mobile networks rotate IPs all the time

In 2025, IP filtering is simply not enough.

Why Tailscale Solves This

Caddy can serve your site directly over the Tailscale network interface, meaning the service is only reachable through your private 100.x.x.x Tailscale IP.

You gain:

• Private access by default
  Only devices on your Tailscale network can connect.

• Reliable HTTPS certificates
  Caddy still obtains valid certificates via DNS-01, even for private-only services.

• Simplified security
  Tailscale handles authentication and access control — no messy allowlists or firewall rules.

To begin, point your DNS A / AAAA record to the Tailscale IP of your server.

Why DNS-01 Is Required

HTTP-01 and TLS-ALPN-01 challenges won’t work because the service is not publicly reachable.
The ACME server simply cannot connect.

DNS-01 solves this by verifying domain ownership through DNS API calls instead of network access.

If you use Cloudflare, the caddy-cloudflare build makes this process seamless:

https://github.com/CaddyBuilds/caddy-cloudflare

Step 1 — Add Cloudflare API Token to Docker Compose

Your compose.yaml should include:

1environment:
2  - CLOUDFLARE_API_TOKEN=your_cloudflare_api_token

The token must have:
Zone → DNS → Edit

Step 2 — Configure Caddy to Use Cloudflare DNS

Add this to the global block of your Caddyfile:

1{
2  # Use Cloudflare for all ACME DNS challenges
3  acme_dns cloudflare {env.CLOUDFLARE_API_TOKEN}
4}

This tells Caddy to always use Cloudflare’s API for certificate validation.

Done — Your Private HTTPS Domain

You can now visit:

https://secret.example.com

The site is:

• Fully private (Tailscale-only)
• Fully encrypted (valid HTTPS)
• Fully managed (automatic renewals via DNS-01)

No public exposure.
No complicated firewall rules.
No unstable IP allowlists.

Just clean, modern, private infrastructure.

Every time I changed the Caddyfile, I had to restart the entire Caddy container.

It’s only a few seconds of downtime, but when Caddy is sitting in front of many services, those seconds hurt — logs go red, monitors fire alerts, and of course I hit refresh like a caveman wondering why everything’s dead.

Then I finally learned that Caddy can actually reload its configuration live.
No restart. No interruption. Zero downtime.

This post is me writing down how I got it working in Docker — partly to help others, partly so that future-me doesn’t forget.

Why restarting is not ideal

Restarting Caddy seems harmless, but in practice it:

• briefly stops forwarding traffic
• closes existing connections
• delays TLS initialization
• makes other containers look offline
• annoys anyone using your services at that moment (including yourself)

The good news: you don’t have to restart anything.

Caddy can hot-reload

Caddy has two built-in ways to reload its configuration:

• via the CLI (caddy reload)
• via the Admin API (:2019)

Both validate the config and apply it without restarting the process.

My setup

My Caddyfile lives next to my docker-compose.yml, and I mount it into the container like this:

1volumes:
2  - ./Caddyfile:/etc/caddy/Caddyfile
3  - ./config:/config
4  - ./data:/data

So Caddy always reads /etc/caddy/Caddyfile.

The easiest way: docker exec

This is the method I use most:

1docker exec <container_name> caddy reload \
2    --config /etc/caddy/Caddyfile \
3    --adapter caddyfile

Replace <container_name> with your actual Caddy container name.

Example:

1docker exec caddy caddy reload --config /etc/caddy/Caddyfile --adapter caddyfile

And that’s it — Caddy reloads instantly with zero downtime.

Reloading via the Admin API (optional)

If you prefer using curl, you can expose the admin API safely by binding it only to localhost:

1ports:
2  - "127.0.0.1:2019:2019"

Then enable it in your Caddyfile:

{
    admin :2019
}

Now you can run:

1curl -X POST \
2    -H "Content-Type: text/caddyfile" \
3    --data-binary @Caddyfile \
4    http://localhost:2019/load

This is useful if you want automation or external tools to reload Caddy.

But personally, I still prefer:

docker exec caddy caddy reload --config /etc/caddy/Caddyfile --adapter caddyfile

My tiny reload script

Because why not:

1#!/bin/bash
2docker exec caddy caddy reload --config /etc/caddy/Caddyfile --adapter caddyfile

Now I just type:

1bash ./reload.sh

and Caddy refreshes instantly.

Final thoughts

Caddy has been great for my Docker setup, and hot-reloading the config makes it even smoother. No restarts, no interruptions, and no more “why is everything down again?” moments.

If you’re running Caddy in Docker, switch to the caddy reload workflow.
Your future self (and your uptime graphs) will thank you.

🧩 Architecture

Applications → 127.0.0.53:53 (systemd-resolved)
               → 127.0.0.1:65353 (SmartDNS)
               → NextDNS (DoH3 / DoH2, encrypted)

• systemd-resolved — local stub resolver (127.0.0.53)
• SmartDNS — local cache and resolver (127.0.0.1:65353)
• NextDNS — encrypted upstream resolver
• NetworkManager — DNS disabled and unmanaged

⚙️ Configuration

1️⃣ Disable NetworkManager DNS control

Create:

1sudo mkdir -p /etc/NetworkManager/conf.d
2sudo nano /etc/NetworkManager/conf.d/dns.conf

Paste:

1[main]
2dns=none
3rc-manager=unmanaged
4systemd-resolved=false

Restart NetworkManager:

1sudo systemctl restart NetworkManager

💡 Explanation

Together, these settings disable NetworkManager’s internal DNS management and hand full DNS control to systemd-resolved and SmartDNS.
This ensures no unwanted DNS overrides or leaks from DHCP and provides a stable, predictable DNS setup even when switching networks.

📝 Note:
The directive dns=none already implies rc-manager=unmanaged, meaning NetworkManager will not modify /etc/resolv.conf.
It’s included here explicitly for clarity and to ensure consistent behavior across distributions like Linux Mint.

2️⃣ Point systemd-resolved to SmartDNS

Create a drop-in:

1sudo mkdir -p /etc/systemd/resolved.conf.d
2sudo nano /etc/systemd/resolved.conf.d/smartdns.conf

Contents:

1[Resolve]
2DNS=127.0.0.1:65353
3FallbackDNS=
4DNSStubListener=yes

💡 Explanation

This configuration ensures all DNS queries are handled exclusively by SmartDNS, with no fallback to default or ISP resolvers, creating a fully leak-proof chain.

Apply:

1sudo systemctl restart systemd-resolved
2sudo resolvectl flush-caches

Verify:

1resolvectl status

Expected:

Current DNS Server: 127.0.0.1:65353
DNS Servers: 127.0.0.1:65353

3️⃣ Configure SmartDNS

Edit:

1sudo nano /etc/smartdns/smartdns.conf

Minimal configuration:

 1bind 127.0.0.1:65353
 2bind-tcp 127.0.0.1:65353
 3
 4server-tls 1.1.1.1:853 -bootstrap-dns -host-name cloudflare-dns.com
 5server-tls 8.8.8.8:853 -bootstrap-dns -host-name dns.google
 6
 7server-h3 h3://dns.nextdns.io/<YOUR_NEXTDNS_ID> -host-name dns.nextdns.io -tls-host-verify dns.nextdns.io
 8server-https https://dns.nextdns.io/<YOUR_NEXTDNS_ID> -host-name dns.nextdns.io -tls-host-verify dns.nextdns.io
 9
10ca-file /etc/ssl/certs/ca-certificates.crt
11ca-path /etc/ssl/certs

Replace <YOUR_NEXTDNS_ID> with your unique ID from
🔗 https://my.nextdns.io/setup

Restart SmartDNS:

1sudo systemctl restart smartdns

🧪 Verification

Check the resolver chain

1resolvectl status

✅ DNS = 127.0.0.1:65353

Confirm NextDNS

1dig @127.0.0.1 -p 65353 whoami.nextdns.io TXT +short

Expected:

"Your NextDNS ID"

Verify no leaks

1sudo tcpdump -ni any port 53

✅ No outbound DNS traffic to your router or ISP.

✅ Result

✔ SmartDNS listens only on 127.0.0.1:65353
✔ systemd-resolved forwards all DNS → SmartDNS
✔ NextDNS encrypts and filters DNS traffic
✔ No DHCP or ISP DNS overwrites
✔ Works flawlessly on Linux Mint 22.2 Cinnamon

🧾 Summary

Enjoy your private, encrypted, and leak-free DNS setup on Linux Mint 22.2 Cinnamon.

⚙️ Note (2025 Update)
I’ve since developed my own tool — cleanfy — a fully cross-platform CLI utility for cleaning and normalizing filenames.
It works on Windows, macOS, and Linux natively, so this older MSYS2-based workflow is no longer necessary.

Still, if you prefer using MSYS2 Bash with tools like notox and date2name, the guide below remains a solid reference.

If you handle messy filenames every day — photos, invoices, USB dumps — you know the pain:
spaces, accents, duplicate #copy files, and random dates everywhere.

This is my Windows-native workflow for cleaning and normalizing filenames fast:

Alacritty + MSYS2 Bash + cross-platform CLI tools (notox, date2name, pipx)

No WSL. No emulation.
Everything runs natively on Windows, but with the power and convenience of Unix commands.

⚙️ Setup Overview

I already have:

1. MSYS2 installed (msys2.org) — provides a native Unix-like shell on Windows
2. Scoop installed (scoop.sh) — a lightweight package manager for Windows
3. pipx installed via Scoop — manages and runs Python-based CLI tools (requires Python from python.org)
4. Rust installed via rustup.rs — compiles and installs Rust-based CLI tools
5. Alacritty (alacritty.org) — a lightweight, GPU-accelerated terminal that works beautifully with MSYS2 Bash

Then I simply:

1. Set MSYS2 Bash as the default shell in Alacritty via bash.exe
2. Adjusted my Alacritty configuration so it launches directly into the UCRT64 environment.

Alacritty automatically adds an “Open Alacritty here” option to the Windows right-click menu, so I can open any folder in the same Bash environment instantly.

Here’s the relevant part of my alacritty.toml:

1[terminal.shell]
2program = "C:\\msys64\\usr\\bin\\bash.exe"
3args = ["--login", "-i"]
4
5[env]
6MSYSTEM = "UCRT64"
7CHERE_INVOKING = "1"
8LANG = "en_US.UTF-8"
9LC_ALL = "en_US.UTF-8"

This ensures Alacritty opens MSYS2 Bash directly, keeps the working directory when launched via the right-click menu, and uses UTF-8 everywhere for consistent filenames and Unicode output.

🧩 1. Make MSYS2 See Your Windows Tools

By default, MSYS2 doesn’t automatically detect CLI tools installed on Windows (for example, via pipx, cargo, or scoop).
To bridge them, add their install paths manually to your Bash config.

Open your MSYS2 Bash inside Alacritty, then edit:

1vim ~/.bashrc

Append this at the end:

1# Access Windows-native binaries from MSYS2
2export PATH="$PATH:/c/Users/USERNAME/.local/bin"
3export PATH="$PATH:/c/Users/USERNAME/.cargo/bin"
4export PATH="$PATH:/c/Users/USERNAME/scoop/shims"

Reload your shell:

1source ~/.bashrc

Now MSYS2 can run tools installed by pipx, Rust, and Scoop directly:

1pipx --version
2cargo --version

If those commands respond normally, your environment is ready.

🧽 2. Install notox (Rust)

notox cleans filenames — removes accents, replaces spaces, and strips unsafe characters.

1cargo install notox

🗂 The binary is installed to:

C:\Users\USERNAME\.cargo\bin\notox.exe

You can test it immediately in MSYS2 Bash:

1notox --help

🗓️ 3. Install date2name (Python via pipx)

date2name renames files based on EXIF metadata or last-modified dates.

Since pipx is installed via Scoop, it automatically links its executables under:

C:\Users\USERNAME\.local\bin

So installing is simple:

1pipx install date2name

Verify it’s available:

1date2name --help

🔁 4. The Workflow

Once everything’s in place:

1. Right-click any folder → “Open Alacritty here”
2. Run:

1notox -r .
2date2name -r .

That’s it — clean, normalized filenames in seconds.

📦 Example

Before:

Ảnh chụp (2) #Copy.JPG
Thử nghiệm 03.2024 - final.docx

After:

2024-03-05_Anh_chup_2_Copy.JPG
2024-03-05_Thu_nghiem_03_2024_final.docx

✔️ Safe
✔️ Sortable
✔️ Cross-platform ready

🧭 Why This Setup Works

System overview:
Windows → Alacritty → MSYS2 Bash → CLI tools (notox, date2name)

⚠️ Why PowerShell Fails (and MSYS2 Works)

date2name and notox don’t run reliably in PowerShell because it’s not a POSIX shell.
They expect Unix-style path handling and argument behavior that PowerShell doesn’t provide.

If you try a command like:

1PS C:\Users\USERNAME\Temp> date2name.exe .\dada\

you’ll likely see an error such as:

FileNotFoundError: [WinError 3] The system cannot find the path specified: ''

That happens because PowerShell passes .\dada\ as a Windows-style path, while the script’s internal logic expects POSIX-style behavior.

MSYS2 Bash fixes this automatically — it converts /c/... paths to real Windows locations and provides the POSIX environment these tools expect.
So if you hit errors like this in PowerShell, just rerun the same command in Alacritty’s MSYS2 Bash — it’ll work perfectly there.

💡 Pro Tips

• Use --dry-run before committing changes.
• You can chain both commands with &&:

  1notox -r . && date2name -r .

• Right-click any folder → Open Alacritty here → run cleanup instantly.

🔗 References

• Cleanfy
• MSYS2
• Alacritty
• Scoop
• notox on GitHub
• date2name on GitHub
• pipx

In short:
Use Alacritty with MSYS2 Bash as your compatibility layer on Windows.
Install your CLI tools once — notox, date2name, or anything provided by Scoop, pipx, Cargo, or MSYS2.
Open any folder in Bash via Alacritty, run your cleanup commands, and get perfectly normalized filenames in seconds.
If PowerShell throws path errors or nothing happens, switch to MSYS2 Bash — it’s built for Unix-style tools.

And that’s why I don’t use PowerShell.
Alacritty with MSYS2 Bash just works — paths, UTF-8, globs, and all.

• sạch và nhanh
• lọc quảng cáo ngay ở tầng DNS
• hỗ trợ DoH, DoT và DoQ
• không mở nhiều cổng
• dễ bảo trì, dễ nâng cấp

Cuối cùng tôi chọn mô hình:

• NPMplus: HTTPS, reverse proxy, DoH
• AdGuard Home: DNS, DoT, DoQ
• Hai docker-compose tách biệt, cùng dùng network reverse_proxy

🌐 1. Tạo network chung

1docker network create reverse_proxy

🧩 2. NPMplus – cổng HTTPS cho toàn hệ thống

 1services:
 2  npmplus:
 3    container_name: npmplus
 4    image: docker.io/zoeyvid/npmplus:latest
 5    restart: unless-stopped
 6    ports:
 7      - 80:80
 8      - 443:443
 9    volumes:
10      - ./npmplus-data:/data
11      - ./npmplus-ssl:/etc/letsencrypt
12    networks:
13      - reverse_proxy
14    environment:
15      - TZ=Asia/Ho_Chi_Minh
16
17networks:
18  reverse_proxy:
19    external: true

NPM xử lý DoH, dashboard AdGuard, chứng chỉ Let’s Encrypt (cho DoH) và reverse proxy.

🛡️ 3. AdGuard Home – DNS + DoT/DoQ

 1services:
 2  adguardhome:
 3    container_name: adguardhome
 4    image: adguard/adguardhome:latest
 5    restart: unless-stopped
 6    ports:
 7      - 53:53/tcp
 8      - 53:53/udp
 9      - 853:853/tcp
10      - 853:853/udp
11    volumes:
12      - ./workdir:/opt/adguardhome/work
13      - ./confdir:/opt/adguardhome/conf
14      - /opt/certbot/live/dns.example.com:/opt/adguardhome/certs:ro
15    networks:
16      - reverse_proxy
17    environment:
18      - TZ=Asia/Ho_Chi_Minh
19
20networks:
21  reverse_proxy:
22    external: true

Dashboard chạy nội bộ port 8080 và chỉ NPM truy cập.

🔐 4. Cấp chứng chỉ TLS cho DoT/DoQ bằng Certbot

Wildcard không bao gồm root domain, nên tôi xin hai SAN:

• dns.example.com
• *.dns.example.com

4.1 Container Certbot

1services:
2  certbot:
3    container_name: certbot
4    image: certbot/certbot:latest
5    restart: unless-stopped
6    volumes:
7      - /opt/certbot:/etc/letsencrypt
8    command: sleep infinity

4.2 Xin chứng chỉ SAN (DNS-01 tự động)

Tôi dùng DNS-01 tự động để Certbot tự thêm TXT record qua API của DNS provider (ví dụ Cloudflare → certbot-dns-cloudflare, Porkbun → certbot-dns-porkbun, …).

Ví dụ với Cloudflare:

1docker exec -it certbot bash

1certbot certonly \
2  --dns-cloudflare \
3  --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini \
4  -d dns.example.com \
5  -d '*.dns.example.com'

Certbot tự tạo TXT → tự xác thực → tự ra cert → không phải thao tác thủ công.

Cert (trên container) nằm tại:

1/etc/letsencrypt/live/dns.example.com/

Cert (trên host) nằm tại:

1/opt/certbot/live/dns.example.com/

4.3 Mount cert vào AdGuard

1volumes:
2  - /opt/certbot/live/dns.example.com:/opt/adguardhome/certs:ro

4.4 Cấu hình HTTP / TLS trong AdGuard

 1http:
 2  address: 0.0.0.0:8080
 3
 4dns:
 5  bind_hosts:
 6    - 0.0.0.0
 7  port: 53
 8
 9tls:
10  enabled: true
11  certificate_path: /opt/adguardhome/certs/fullchain.pem
12  private_key_path: /opt/adguardhome/certs/privkey.pem
13  port_dns_over_tls: 853
14  port_dns_over_quic: 853
15  port_https: 0

4.5 Gia hạn chứng chỉ

10 */12 * * * docker exec certbot certbot renew

🔁 5. Reverse proxy cho DoH + Dashboard trong NPM

 1location ~ ^/dns-query(/.*)?$ {
 2    set $clientid "";
 3    if ($1 != "") { set $clientid $1; }
 4    proxy_pass http://adguardhome:8080/dns-query;
 5    proxy_set_header X-Client-ID $clientid;
 6    proxy_set_header X-Real-IP  $remote_addr;
 7}
 8
 9location / {
10    proxy_pass http://adguardhome:8080;
11}

DoH: https://dns.example.com/dns-query/my-device
Dashboard: https://dns.example.com/

🧬 6. Định danh thiết bị trong AdGuard

 1clients:
 2  persistent:
 3    - name: Windows YogaDNS (Hanoi)
 4      ids: [100.68.0.11, hn-p1]
 5
 6    - name: iPhone15
 7      ids: [my-ip15]
 8
 9    - name: Android ZTE
10      ids: [my-zte]
11
12    - name: Laptop Dell3558
13      ids: [my-d58]

📱 7. Cách tôi cấu hình DNS trên từng thiết bị

LAN/Tailscale → Plain DNS
Internet → DoH/DoQ

🧪 8. Kiểm tra nhanh

1doggo example.com @udp://192.168.2.2 --time

🎯 Kết luận

• Stack tách biệt, dễ nâng cấp
• Không rối port
• Dashboard chạy sau HTTPS
• Đầy đủ DoH / DoT / DoQ
• Chứng chỉ chia đúng vai trò
• Hoạt động tốt nhiều site

Dựng một lần và gần như không phải đụng vào nữa.

💡 Lưu ý:

• Trong bài viết, địa chỉ mặc định là http://localhost:8090 (chạy thử trên máy cá nhân).
• Nếu triển khai UpSnap trong mạng LAN, hãy thay localhost bằng địa chỉ IP thực tế, ví dụ http://192.168.1.100:8090.
• Khi điều khiển từ xa, bạn có thể sử dụng VPN hoặc reverse proxy (Nginx, Caddy, Cloudflare Tunnel, v.v.) và thay localhost bằng tên miền của bạn.

🧭 Mục lục

1. Giới thiệu về UpSnap API
2. Tạo người dùng mới
3. Phân quyền người dùng
4. Đăng nhập và điều khiển thiết bị qua API
5. Tóm tắt nhanh (TL;DR)
6. Tài liệu tham khảo

1. Giới thiệu về UpSnap API

UpSnap cung cấp REST API theo chuẩn HTTP, sử dụng dữ liệu JSON.
Thông qua API, bạn có thể:

• Đăng nhập và nhận mã xác thực (JWT)
• Liệt kê danh sách thiết bị
• Bật, tắt hoặc khởi động lại máy tính
• Gửi lệnh cho nhiều thiết bị cùng lúc

Sơ đồ minh họa quá trình Client → UpSnap Server → Máy đích (Wake-on-LAN).
Người dùng gửi POST để đăng nhập và GET để điều khiển thiết bị qua API của UpSnap.

2. Tạo người dùng mới

Sau khi cài đặt, UpSnap mặc định chỉ có tài khoản quản trị (superuser).
Để sử dụng API an toàn hơn, bạn nên tạo người dùng thông thường có quyền hạn giới hạn.

Cách tạo người dùng trong giao diện quản trị

1. Mở trình duyệt và truy cập:

   http://localhost:8090

2. Đăng nhập bằng tài khoản quản trị viên (superuser)
3. Ở góc trên bên trái, chọn Users (Người dùng)
4. Bên dưới danh sách, bạn sẽ thấy biểu mẫu “Create new user (Tạo người dùng mới)”
5. Nhập thông tin:
   • Email: nguoidung1@example.com
   • Mật khẩu: matkhaucuatoi
6. Nhấn Add (Thêm) để tạo tài khoản.

⚠️ Không nên dùng tài khoản superuser cho thao tác điều khiển hàng ngày.
Hãy tạo người dùng riêng cho từng người để đảm bảo an toàn và dễ quản lý.

3. Phân quyền người dùng

Bạn có thể giới hạn quyền thao tác của từng người dùng để tăng cường bảo mật.
Trong giao diện Users, chọn người dùng cần chỉnh, sau đó vào phần Device permissions để bật hoặc tắt các quyền:

• Read – Xem thông tin thiết bị
• Update – Thay đổi cấu hình thiết bị
• Delete – Xóa thiết bị
• Power – Gửi lệnh bật, tắt, khởi động lại

👉 Nếu chỉ cần điều khiển từ xa, bạn nên chỉ bật quyền Power.

4. Đăng nhập và điều khiển thiết bị qua API

Để điều khiển thiết bị qua API của UpSnap, trước hết bạn cần đăng nhập để lấy mã xác thực (JWT token).
Sau đó, dùng mã này trong tiêu đề (HTTP header) của các yêu cầu (HTTP request) để bật, tắt hoặc khởi động lại máy tính từ xa.

🔍 Hiểu về phương thức GET và POST khi gọi API

Khi gửi yêu cầu đến API, có hai phương thức (HTTP request method) chính bạn cần nắm rõ:

• POST – Dùng để gửi dữ liệu đến máy chủ, ví dụ: đăng nhập để nhận token.
• GET – Dùng để lấy dữ liệu hoặc kích hoạt hành động, ví dụ: gửi lệnh bật/tắt thiết bị.

Hầu hết các công cụ gửi API (như HTTPie, cURL, Postman, hoặc ứng dụng di động)
đều cho phép bạn chọn phương thức và thêm tiêu đề khi gửi yêu cầu.

🔐 Đăng nhập và lấy mã xác thực

Chúng ta sử dụng người dùng thường để đăng nhập (sử dụng POST):

POST http://localhost:8090/api/collections/users/auth-with-password
Content-Type: application/json

{
  "identity": "nguoidung1",
  "password": "matkhaucuatoi"
}

Kết quả phản hồi:

{
  "token": "eyJhbGciOi...",
  "record": { "id": "abcd1234", "email": "nguoidung1@example.com" }
}

Ghi nhớ mã xác thực ở phần token trả về để gửi kèm trong các yêu cầu điều khiển về sau:

<ma_xac_thuc> = eyJhbGciOi...

⚙️ Gửi yêu cầu điều khiển thiết bị

Sau khi đã có mã xác thực, bạn có thể gửi các yêu cầu điều khiển đến API của UpSnap.
Tất cả các yêu cầu này đều cần thêm tiêu đề xác thực:

Authorization: Bearer <ma_xac_thuc>

Các thao tác phổ biến:

Bật máy (Wake-on-LAN)

GET http://localhost:8090/api/upsnap/wake/<ma_thiet_bi>
Authorization: Bearer <ma_xac_thuc>

Tắt máy

GET http://localhost:8090/api/upsnap/shutdown/<ma_thiet_bi>
Authorization: Bearer <ma_xac_thuc>

Khởi động lại máy

GET http://localhost:8090/api/upsnap/reboot/<ma_thiet_bi>
Authorization: Bearer <ma_xac_thuc>

🧩 Ví dụ lệnh GET / POST trên các ứng dụng

🟦 HTTPie CLI

Cài đặt:

pipx install httpie

Đăng nhập (POST):

http POST http://localhost:8090/api/collections/users/auth-with-password \
  identity=nguoidung1 password=matkhaucuatoi

Bật máy (GET):

http GET http://localhost:8090/api/upsnap/wake/<ma_thiet_bi> \
  "Authorization: Bearer <ma_xac_thuc>"

🟦 HTTPie Desktop

• Tạo Draft Request
• Chọn phương thức POST hoặc GET
• Khi đăng nhập, thêm Body -> Text -> JSON: {"identity": "nguoidung1", "password": "matkhaucuatoi" }
• Khi điều khiển thiết bị, thêm Auth -> Bearer token: <ma_xac_thuc>
• Nhấn Send để gửi yêu cầu.

🟩 HTTP Request Shortcuts (Android)

• Tạo Shortcut mới.
• Chọn POST để đăng nhập hoặc GET để bật máy.
• Nhập URL API.
• Khi đăng nhập thêm header JSON: {"identity": "nguoidung1", "password": "matkhaucuatoi" }
• Khi điều khiển thiết bị, bật Bearer Authentication và dán token vào ô Token.

🟦 Phím tắt (Shortcuts – iPhone)

• Tạo Phím tắt mới → thêm hành động Lấy nội dung từ URL
• Chọn Phương thức: POST (đăng nhập) hoặc GET (bật/tắt máy).
• Khi gửi POST, chọn Yêu cầu dạng JSON và nhập thông tin đăng nhập:

  {"identity": "nguoidung1", "password": "matkhaucuatoi" }

• Khi gửi GET thêm Header:

  Key: Authorization
  Value: Bearer <ma_xac_thuc>

• Nhấn Chạy (Run) để xem kết quả phản hồi.
• 📱 Bạn có thể lưu phím tắt này và kích hoạt bằng Siri để bật/tắt máy chỉ bằng giọng nói.

💡 Lưu ý:

• Các yêu cầu GET dùng cho hành động như bật, tắt, khởi động lại.
• Các yêu cầu POST dùng để đăng nhập hoặc gửi dữ liệu.
• Wake-on-LAN chỉ hoạt động khi thiết bị điều khiển và máy đích cùng mạng LAN hoặc Wi-Fi.
• Khi điều khiển qua Internet, hãy dùng VPN hoặc reverse proxy để bảo mật kết nối.
• Đảm bảo Wake on Magic Packet đã được bật trong BIOS hoặc driver mạng của máy đích.

5. 📘 Tóm tắt nhanh (TL;DR)

1️⃣ Đăng nhập để lấy token

POST http://localhost:8090/api/collections/users/auth-with-password \
  identity=nguoidung1 password=matkhaucuatoi

2️⃣ Bật máy tính từ xa

GET http://localhost:8090/api/upsnap/wake/<ma_thiet_bi> \
  "Authorization: Bearer <ma_xac_thuc>"

3️⃣ Tắt máy tính từ xa

GET http://localhost:8090/api/upsnap/shutdown/<ma_thiet_bi> \
  "Authorization: Bearer <ma_xac_thuc>"

🔑 Chỉ cần 3 lệnh trên — bạn có thể đăng nhập, bật hoặc tắt máy tính từ xa bằng API của UpSnap.

6. Tài liệu tham khảo

👉 UpSnap Wiki – REST API Documentation
https://github.com/seriousm4x/UpSnap/wiki/Rest-API

👉 Xem thêm: UpSnap - Wake-on-LAN tắt mở máy tính từ xa trong mạng nội bộ

After a bit of searching, I discovered that OpenSSL can do the same thing with a single command:

openssl passwd -apr1

This command prompts you to enter a password and returns its Apache MD5-based hash, which works perfectly for WUD or any service expecting an .htpasswd format.

There are several other ways to create password hashes, but since openssl is usually preinstalled on most systems, this method is quick and convenient.

💡 Tip: You can also use flags like -stdin to pass passwords directly from scripts if needed — just remember not to expose plain text passwords in your shell history.

TrueNAS Connect là nền tảng quản lý tập trung mới của iXsystems, giúp quản trị viên và đội ngũ IT có thể giám sát và kiểm soát tất cả các hệ thống TrueNAS — bao gồm TrueNAS CORE, SCALE, và Enterprise — từ một bảng điều khiển duy nhất và an toàn.

Bảng điều khiển tập trung cho mọi thiết bị NAS

TrueNAS Connect cung cấp giao diện duy nhất giúp bạn xem tình trạng, hiệu suất và hoạt động của tất cả hệ thống NAS được kết nối. Thay vì đăng nhập từng thiết bị riêng lẻ, quản trị viên có thể theo dõi toàn bộ thông tin trong một bảng tổng hợp duy nhất.

Các thông tin chính trên bảng điều khiển:

• Giám sát tình trạng hệ thống: CPU, RAM, đĩa, và mạng
• Trạng thái cụm lưu trữ: Dung lượng, hiệu năng, và tác vụ sao chép
• Cảnh báo thời gian thực: Thông báo khi có sự cố, bản cập nhật, hoặc thay đổi cấu hình

Quản lý và cập nhật dễ dàng hơn

Việc quản lý firmware, plugin, và cấu hình nhiều thiết bị NAS thường mất thời gian. TrueNAS Connect giúp đơn giản hóa quy trình này với:

• Cập nhật tập trung: Cập nhật một hoặc nhiều hệ thống cùng lúc
• Đồng bộ cấu hình: Giữ cài đặt nhất quán giữa các thiết bị
• Quản lý từ xa: Truy cập và điều khiển an toàn ở mọi nơi

Bảo mật và kết nối được tăng cường

TrueNAS Connect sử dụng kết nối mã hóa giữa NAS và cổng dịch vụ đám mây để bảo vệ dữ liệu và thông tin đăng nhập. Quản trị viên có thể xác thực an toàn, quản lý quyền truy cập, và kiểm soát hoàn toàn việc liên kết hệ thống.

Phù hợp cho cả phòng lab tại nhà và môi trường doanh nghiệp

Dù bạn đang quản lý vài thiết bị TrueNAS Mini tại nhà hay hàng chục hệ thống Enterprise ở nhiều địa điểm, TrueNAS Connect đều có thể mở rộng để đáp ứng nhu cầu. Giải pháp này giúp giảm gánh nặng quản trị và cung cấp cái nhìn sâu hơn về hạ tầng lưu trữ của bạn.

Lợi ích chính

✅ Quản lý tập trung cho tất cả hệ thống TrueNAS
✅ Giám sát và cảnh báo theo thời gian thực
✅ Cập nhật nhanh hơn, an toàn hơn
✅ Tăng khả năng quan sát và kiểm soát hệ thống phân tán
✅ Hỗ trợ cả bản open-source và enterprise

TrueNAS Connect là bước tiến mới trong việc hợp nhất quản lý lưu trữ, mang toàn bộ sức mạnh của hệ sinh thái TrueNAS vào một nền tảng kết nối duy nhất.

Step 1: Upscale and Clean the Image

Low-quality images are pretty common, especially old logos or screenshots. That’s where Upscayl comes in.

Upscayl is an AI-powered image upscaler. You just drop in your blurry image, and it makes it sharper, cleaner, and bigger. It’s not magic, but most of the time it gives me a version that’s much easier to work with.

👉 Example: A 200px logo suddenly becomes a crisp 800px version with clear edges.

Step 2: Convert to Vector with VTracer

Once I’ve got a decent-looking image, the next step is turning it into a vector. For that, I use VTracer.

VTracer takes a raster image (JPG, PNG, etc.) and converts it into vector paths (SVG). The cool thing is that the output is fully scalable, so I can resize it without ever losing quality.

It works especially well for logos, icons, and simple graphics with clear shapes. For photos, it’s not perfect (you’ll get a very abstract look), but for anything graphic-style, it’s great.

👉 I usually set Curve Fitting → Simplify to Polygon, which gives me cleaner, more accurate shapes.

Why I Love This Workflow

• Fast: It takes me less than 5 minutes to go from a blurry JPG to a clean SVG.
• Free & Open Source: Both Upscayl and VTracer are open-source projects, so no subscriptions or paywalls.
• Saves me from redrawing: Honestly, tracing logos by hand is one of my least favorite tasks.

Final Thoughts

This little trick has saved me so many times when working on quick design projects. Whether it’s a client logo, a random icon I found online, or even a hand-drawn sketch, this workflow makes it super easy to get a vector version without pulling my hair out.

If you work with graphics a lot, give Upscayl + VTracer a try. You’ll probably end up saving yourself hours of work, too.

Hardware

• Routers
  • 1 × Celeron N4100 Intel I226 router with 4 × 2.5 GbE NICs (chosen for affordability)
• Switches
  • 1 × MERCUSYS MS105G 5-Port Gigabit switch (may upgrade to 2.5 GbE in the future)
• Servers
  • No physical server yet
  • 1 × bhyve VM
• Cables & Access Points
  • Cat 6 cables
  • 1 × Xiaomi CR8808

Software

Network Operating Systems

• Operating System: FreeBSD (preferred)
• Virtualization: bhyve (lightweight and efficient)
• Firewall/Router: OpenWrt (running in a bhyve VM)
• Docker Host: Debian (running in a bhyve VM)

Management & Monitoring Tools

Not implemented yet

Security Applications

Not implemented yet

My Network

• WAN
  • ISP: Viettel
  • IPv6 prefix: 2001:1900:iced:cafe::/64
• Host
  • MAC: bb:bf:1b:71:fe:20 (example)
  • IPv6 address: 2001:1900:iced:cafe:b9bf:1bff:fe71:fe20 (calculated via EUI-64)

OpenWrt Config

Interfaces → WAN

• Advanced Settings
  • Delegate IPv6 prefixes: ✅
• DHCP Server → IPv6 Settings
  • RA-Service: disabled
  • DHCPv6-Service: disabled
  • NDP-Proxy: disabled

Interfaces → LAN

• Advanced Settings
  • Delegate IPv6 prefixes: ✅
• DHCP Server → IPv6 Settings
  • Designated master: ❌ (unchecked)
  • RA-Service: server mode
  • DHCPv6-Service: disabled
  • Announced IPv6 DNS servers: null
  • Local IPv6 DNS server: ✅
  • Announced DNS domains: null
  • NDP-Proxy: disabled
• IPv6 RA Settings
  • Default router: automatic
  • Enable SLAAC: ✅
  • RA Flags: other config (O) (set to none for Android compatibility)
  • NAT64 prefix: null

Firewall → Traffic Rules

Allow-IPv6-HTTP

• General Settings
  • Name: Allow-IPv6-HTTP
  • Protocol: TCP
  • Source zone: wan
  • Source port: any
  • Destination zone: lan
  • Destination address: ::b9bf:1bff:fe71:fe20/-64
  • Destination port: 80
  • Action: accept

• Advanced Settings
  • Restrict to address family: IPv6 only

Allow-IPv6-HTTPS

• General Settings
  • Name: Allow-IPv6-HTTPS
  • Protocol: TCP, UDP
  • Source zone: wan
  • Source port: any
  • Destination zone: lan
  • Destination address: ::b9bf:1bff:fe71:fe20/-64
  • Destination port: 443
  • Action: accept

• Advanced Settings
  • Restrict to address family: IPv6 only

Docker

Not configured yet.
Maybe enable IPv6 and assign an IPv6 address to the NPMplus container, and use a link-local address for the reverse proxy. Need to read more docs.

Temporary solution: run the NPMplus container in host mode — Nginx will automatically handle IPv6-to-IPv4.
I run separate GoDNS containers to update both IPv4 and IPv6 addresses to Cloudflare.

Tools

• EUI-64 Calculator
• ping.pe — for testing
• go-httpbin — for testing

References

• IPv6 configuration
• Dynamic prefix forwarding — negative netmask notation /-64

How It Works

Notes

• Set the permissions of the extracted-wims directory to 775 (otherwise you may get an access denied error).
• Enable Bypass Windows 11 requirements check (TPM, Secure Boot, etc.) in autounattend.xml.

Software

• netboot.xyz
• Generate autounattend.xml files for Windows 10/11

References

• Boot and install Windows
• Boot to WinPE
• Download Windows PE (WinPE)
• Create bootable Windows PE media
• UnattendGenerator
• Installing Windows with netboot.xyz
• Install Windows 11 over the network with netboot.xyz

VLANs were too complicated for me. All I knew was that they could split a physical network into smaller subnetworks.

After I read Computer Networking: A Top-Down Approach, I thought I should try again.

I’m running an OpenWRT router that connects to my ISP via PPPoE (WAN). My LAN is a bridge that runs DHCP.

It’s very simple and suitable for a home network, but I wanted something more.

I searched for “OpenWRT VLAN” on Google but had no luck; every tutorial was hard to understand.

Then I searched for “OPNsense VLAN” and found this.

OPNsense docs are clearer and easier to understand. As always, Linux networking docs are a mess — FreeBSD is definitely better.

So I created VLANs, tagged them on a trunk port, and created an interface that runs DHCP.

Then I created a firewall zone and set the rules.

I don’t have any managed switch, so I connected my laptop (Windows 11) directly to the trunk port and tagged the VLAN on Windows 11.

Everything works.

I’ll look more into it when I have free time. That’s it for now.

Some diagrams / flows you may be interested in:

Ref:

• IEEE 802.1Q
• OpenWrt VLAN
• OpenWrt DSA Networking
• OPNsense VLAN and LAGG Setup
• pfSense Virtual LANs (VLANs)
• Cisco Configure Port to VLAN Interface Settings on a Switch through the CLI

The machine is running TrueNAS 25.04 (Fangtooth) that have a ZFS pool for all data.

I will need a USB to storge my key plug to my NAS when it running. If this USB connected the data will unlock, if there is none then no one can steal the data.

Ref

• TrueNAS 25.04/TrueNAS Tutorials/Datasets/Storage Encryption
• ArchWiki: ZFS Native encryption
• Native data and metadata encryption for zfs

I used to have Dockge on my system. It’s simple and easy-to-use.

Today I heard about Komodo - an other Docker management tool.

With Komodo you can:

• Connect all of your servers, alert on CPU usage, memory usage, and disk usage, and connect to shell sessions.
• Create, start, stop, and restart Docker containers on the connected servers, view their status and logs, and connect to container shell.
• Deploy docker compose stacks. The file can be defined in UI, or in a git repo, with auto deploy on git push.
• Build application source into auto-versioned Docker images, auto built on webhook. Deploy single-use AWS instances for infinite capacity.
• Manage repositories on connected servers, which can perform automation via scripting / webhooks.
• Manage all your configuration / environment variables, with shared global variable and secret interpolation.
• Keep a record of all the actions that are performed and by whom.

Sound good?

After Install Komodo I couldn’t make it work. When I clicked to Signup button it responsed an error.

So I checked some videos on Youtube and all I needed to do is type username and password BEFORE I click signup button.

It was weird and the dev should change that.

I didn’t have much of time so I was only try:

• Servers (Connect servers for alerting, building, and deploying)
• Stacks (Deploy docker compose files)
• Deployments (Deploy containers on your servers)

All of them worked as I expected.

You can connect multi servers in one web-ui, all you need is expose port 8120 correctly so web-ui can connect to Periphery agent.

Deployments is something like TrueNAS SCALE Apps. You can create Docker container with a pretty UI.

Stacks is something like Dockge, it’s for someone love to write compose.yaml. I prefer this way.

After all it was a good tool, I will learn more about it:

• Builds (Build docker images)
• Repos (Build using custom scripts or anything else)
• Procedures (Compose Komodo actions together)
• Actions (Custom scripts using the Komodo client)
• Resource Syncs (Declare resources in TOML files)

• Lalamove
• Ahamove
• ShopeeFood
• Grab
• TADA
• Xanh SM
• Maxim
• inDrive
• Bolt

Hình mẫu

Link tải .ai

Cập nhật thêm vài sticker

Link tải .ai

Cái này làm để dán lên xe hoặc nón bảo hiểm, móc khóa..

File .ai có thể chỉnh sửa thoải mái.

Hỗ trợ:

1. Phương tiện
   1. 2 bánh
   2. 4 bánh
2. Ứng dụng
   1. Grab
   2. Be
   3. Xanh SM
   4. TADA
3. Ngân hàng
   1. MoMo
   2. ACB
   3. BIDV

Kích thước khuyến nghị cho 2 bánh 4cm x 4cm.

Hình mẫu

Link tải .ai

Font: Iosevka

Tham khảo

• qrtool - tạo mã QR hỗ trợ SVG
• VIETQR - tạo mã VIETQR
• VietQR Code Format Technical Specification

Link tải .ai

Fonts

• Rowdies
• Roboto Mono

Need to change something:

1. iStoreOS (OpenWrt) Adblock
   1. Force Local DNS: ✅
   2. Forced Zones: LAN
   3. Forced Ports: 53, 853, 5353
2. iPhone: turn off Private Wi-Fi Address.

Use private Wi-Fi addresses on Apple devices.

Wifi 5Ghz issue:

• Disable DFS by change AP chanel to 36

Will update photos very soon ^^.

• Bike:
  • HONDA WAVE RSX FI SPORT EDITION (AFP110CSFR V)
    • Motorbike manual
  • Accessories
    • Multi-function extended navigation balance bar
      • 适用九号Nzmix/Fz/Mzmix f2z CZ/NZ90铝合金多功能扩展导航平衡杆
    • Phone Mount
      • Kewig凯威格摩托车手机导航架减震外卖骑行电动车支架防雨遮阳帽
    • SAE Battery Connector
      • 凯威格摩托车usb充电接口SAE转换快插线汽车电瓶快拆无损改装防水
    • Motorcycle USB charging port
      • 凯威格摩托车改装usb充电口加装手机充电器车充PD口超级快充防水
    • SAE to DC 5521 cable (for portable tire pump)
      • 纯铜sae转DC延长线sae转监控电源线sae to dc5521线SAE转接线1.5m
    • Tire pump
      • Baseus Super Mini Inflator Pump Air Compressor Portable Hand-Held Auto Tire Pump - Black
    • Bungee cord
      • Dây Thun Ràng Tăng Chỉnh DARAVIN
• Helmet
  • Tada Motorcycle half helmets
    • with Kính Chắn Gió Andes 105L – Dành Cho Các Loại Mũ Bảo Hiểm Không Kính, Có Lưỡi Trai (3 nút bấm) Phía Trước
• Clothing
  • Tada safety vest (my favorites)
  • Tada jacket (sunny and night)
  • Tactical pants
  • Sun gloves and sun sleeves (sunny)
  • Footwear
    • Dép Eva Biti’s Nam DEM057010
• XYZ
  • Phone
    • Điện thoại ZTE Libero 5G III - 4/64GB Dimensity 700 ,Màn OLED ,Kháng nước IP57 - Mới nguyên seal - Hàng nhập khẩu
  • Power bank
    • Sạc dự phòng Baseus sạc nhanh Airpow 20W - 20000mAh dành cho iPhone 15/14/13/12 Xiaomi
  • Bluetooth speaker
    • Monster M3 Bluetooth Speaker Outdoor Wearable Magnetic Clip-on Portable Bluetooth 5.4 Sound Box IPX5 Waterproof Subwoofer Powerful Bass D127
  • Vacuum flask
    • Bình giữ nhiệt thể thao 532ml Lafonte 011037-RED
  • Bag
    • Túi Chiến Thuật Cho Nam Túi Đeo Chéo Hệ Thống Mollle Túi Xách Thể Thao Túi Đeo Vai Túi Đeo Chéo Quân Đội Túi Điện Thoại Cắm Trại Du Lịch
  • Rain coat
    • Áo Mưa EASYTRUM
    • Bộ áo mưa thông thoáng GEM

They provide download link but I couldn’t download it because it’s Baidu Wangpan 百度网盘.

A guy from VOZ forum helped me download it and now I’m seeding it on torrent. My computer are not online 24/24 so if you want to download it please contact.

magnet:?xt=urn:btih:kld4ult542s6pshxmb3neo5wdffz4ox2&dn=Hinlink_H68K_OpenWrt_OP_250102.7z&xl=74662551&fc=1

You can also download iStoreOS from koolcenter. (docs).

It asked for FTP, but maybe it lost permission. Default USER is www-data, Alpine image UID is 82 and Debian image is 33.

So I change owner to www-data:

$ sudo chown -R 33:33 /opt/stack/wordpress/html

Now it works.

Ref:

• wordpress docker

It was funny because he knew his way to his place, he pointed to every turns on the trip.

He worried that I (as a driver) don’t know the direction and can not take him to the right place. He may think that I was slow on the road.

Sorry but even if he’s been here for a long time, he should let the driver do their job.

He didn’t realize that the traffic in Vietnam is very dangerous. It’s not safe, it’s not like what he saw on Tiktok..

I drove around 200km per day in this city, I saw a lot. You know what I mean.

It’s risky on the road and I just don’t want to die.

Cũng rất tình cờ vì mình bình luận dạo trên Facebook một ngưởi đồng nghiệp cũ, bạn này gặp tình trạng tương tự và liên hệ mình.

Bạn không sử dụng Dropbox / OneDrive / Google Drive nên không phục hồi được từ đám mây. Sau khi thử Excel Open and Repair và Recover Unsaved Workbooks không được mình đã dùng Disk Drill Data Recovery Software để khôi phục về phiên bản gần nhất.

ℹ️ Ghi chú: This saved her alot of time, I guess.

1. Khôi phục dữ liệu hoạt động như thế nào

ℹ️ Ghi chú: nội dung chỉ vừa đủ hiểu nguyên lý để có thể sử dụng các phần mềm phục hồi dữ liệu trên Windows.

Xem thêm chi tiết tại File Recovery Basics: How Data Recovery Works.

1.1. Dữ liệu được lưu trữ trên đĩa và các thiết bị nhớ

Nếu bạn muốn phục hồi dữ liệu vật lý bạn nên tìm hiểu thêm về những thứ này.

1.2. Các tập tin được lưu trữ trên đĩa

ℹ️ Ghi chú: cho Windows và NTFS là hệ điều hành và hệ thống tệp tin phổ biến nhất.

Bảng tệp chính (MFT) là tệp hệ thống trong hệ thống tệp NTFS (có tên là $MFT) lưu trữ metadata information về tất cả các tệp và thư mục trên ổ đĩa NTFS. MFT hoạt động như một chỉ mục cho tất cả các tệp và thư mục trên ổ đĩa, cung cấp quyền truy cập nhanh vào thông tin cần thiết để truy xuất tệp.

Mỗi tệp và thư mục trên ổ đĩa NTFS có một bản ghi duy nhất trong MFT, được gọi là mục nhập MFT. Mục nhập MFT chứa thông tin như tên tệp, dấu thời gian, quyền và con trỏ đến dữ liệu của tệp. Mục nhập MFT tương ứng được cập nhật khi tệp được tạo hoặc sửa đổi.

Khi tệp bị xóa, mục nhập MFT tương ứng được đánh dấu là free, nhưng dữ liệu tệp thực tế vẫn nằm trên đĩa cho đến khi bị ghi đè bởi dữ liệu mới. Điều này có thể hữu ích trong các tình huống khôi phục dữ liệu, vì dữ liệu của tệp đã xóa vẫn có thể khôi phục được. Khôi phục dữ liệu thành công yêu cầu các vùng đĩa bị dữ liệu đã xóa chiếm giữ không bị ghi đè.

1.3. Các phương pháp phục hồi tập tin

1.3.1. Phục hồi tập tin thông qua phân tích thông tin về tập tin và thư mục

Phần mềm khôi phục tệp bắt đầu bằng cách cố gắng đọc và xử lý thông tin về tệp và thư mục. Nếu hệ thống tập tin trên đĩa không bị hỏng nghiêm trọng, thường có thể khôi phục toàn bộ cấu trúc tập tin và thư mục.

1.3.2. Phục hồi tập tin bằng cách tìm kiếm các loại tập tin đã biết (raw file recovery)

Nếu phương pháp đầu tiên không tạo ra kết quả thỏa đáng, thì sẽ thực hiện tìm kiếm tệp thô. Phương pháp khôi phục dữ liệu thứ hai này có thể khôi phục dữ liệu tệp thành công hơn phương pháp đầu tiên, nhưng không thể khôi phục tên tệp gốc, dấu ngày/giờ hoặc toàn bộ cấu trúc thư mục và tệp của đĩa.

Tìm kiếm các loại tệp đã biết hoặc khôi phục tệp thô hoạt động bằng cách phân tích nội dung của đĩa để tìm “chữ ký tệp”. Chữ ký tệp là các mẫu chung biểu thị phần đầu hoặc phần cuối của tệp. Hầu như mọi loại tệp đều có ít nhất một chữ ký tệp. Ví dụ: tất cả các tệp thuộc loại tệp png (portable network graphics) đều bắt đầu bằng chuỗi “‰PNG” và nhiều tệp MP3 bắt đầu bằng chuỗi “ID3”. Các chữ ký tệp như vậy có thể được sử dụng để nhận dạng rằng một phần dữ liệu trên đĩa thuộc về một loại tệp nhất định và do đó có thể khôi phục được.

2. Nên sao lưu an toàn

Khôi phục dữ liệu chỉ nên là phương án cuối cùng, tốt hơn hết bạn nên sao lưu dữ liệu quan trọng một cách thường xuyên.

Trước đây mình sao lưu thủ công bằng cách sao chép tệp tin hàng ngày ra phân vùng khác và ổ cứng ngoài, hiện tại dùng thêm các giải pháp lưu trữ đám mây.

💡 Lời khuyên: Quy tắc 3-2-1 (hoặc Chiến lược dự phòng 3-2-1): Ý tưởng cho rằng giải pháp sao lưu tối thiểu phải bao gồm ba bản sao dữ liệu, bao gồm hai bản sao cục bộ và một bản sao từ xa.

3. Thông tin hữu ích

Phần mềm khôi phục dữ liệu

• EaseUS Data Recovery Wizard Free - up to 2GB of data GUI
• Disk Drill Data Recovery Software - up to 500 MB of data GUI
• MiniTool® Data Recovery Free - up to 1 GB of data GUI
• Ontrack EasyRecovery - up to 1 GB of data for files sizes less than 25 MB GUI
• Wise Data Recovery - up to 2GB of data GUI
• DMDE Free Edition - up to 4,000 files from a chosen directory per request GUI
• Recuva - file recovery GUI
• Windows File Recovery - aka winfr CLI
• TestDisk and PhotoRec - free and open-source CLI
• TestDisk Alternatives

Phần mềm sao lưu dữ liệu

• Microsoft OneDrive
• Windows File History Windows 8+
• Windows Backup and Restore Windows 7
• Danh sách các chương trình đồng bộ hóa và sao lưu dữ liệu
• Microsoft OneDrive Alternatives

Thông tin tham khảo

• Excel Repair a corrupted workbook
• HDD vs. SSD: How Do They Store Data?
• File Recovery Basics: How Data Recovery Works
• Wikipedia Data recovery
• Wikipedia File system
• Wikipedia NTFS
• Master File Table (Local File Systems)

I use Grav as flat-file CMS before but Wordpress is far more popular and now it support SQLite.

So first you need to install a temp wordpress website as ussual, install SQLite Database Integration plugin.

Then install an actual wordpress after active this plug-in.

Remove your temp MySQL database and it’s all set.

Now you can move this website to any host that support Wordpress and SQLite.

Video how-to:

• Django and Flask
• htmx
• pandas
• openpyxl

Ref

• Django + HTMX tutorial
• Django + htmx patterns

python-patterns

For bank transaction alert.

virt-install

provision new virtual machines

# virt-install --name vm0 --memory 1024 --vcpus 2 \
--os-variant ubuntu24.04 \
--disk size=10 --network bridge=br0 --graphics none --console pty,target_type=serial \
--location /usr/local/etc/iso/ubuntu-24.04.1-live-server-amd64.iso,kernel=casper/vmlinuz,initrd=casper/initrd \
--extra-args 'console=ttyS0,115200n8 serial'

virsh

management user interface

virsh list --all

virsh start vm0

virsh autostart vm0

virsh autostart --disable vm0

virsh shutdown vm0

virsh destroy vm0

virsh undefine vm0 --remove-all-storage

usb passthrough

$ lsusb   
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 2c7c:0125 Quectel Wireless Solutions Co., Ltd. EC25 LTE modem
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub

$ cat usb_ec25.xml 
<hostdev mode='subsystem' type='usb' managed='yes'>
    <source>
        <vendor id='0x2c7c'/>
        <product id='0x0125'/>
    </source>
</hostdev>

# virsh attach-device vm0 --file usb_ec25.xml --config

Attaching and Updating a Device with virsh

We’re running a STUN/TURN server, it work well but we don’t have a static IP address. Everytime we got a new IP address we need to change coturn config and restart the service.

There is a way to get it work by a cron job that run a shell script check public ip every 5 minutes and restart service if the public IP address has changed.

#!/bin/bash

# Linux only, doesn't work on FreeBSD
current_external_ip_config=$(cat /etc/turnserver.conf | grep "^external-ip" | cut -d'=' -f2)
current_external_ip=$(dig +short <MY_DOMAIN>)

if [[ -n "$current_external_ip" ]] && [[ $current_external_ip_config != $current_external_ip ]]; then
        sed -i "/^external-ip=/ c external-ip=$current_external_ip" /etc/turnserver.conf
        systemctl restart coturn
fi

ref: set up with dynamic ip address

Since we’re running a godns daemon to update our IP to Cloudflare DNS server we also want godns send a webhook to coturn server whenever it update IP to Cloudflare. That may be more effective.

So this is what we have:

godns

$ cat /etc/godns/config.json 
{
  "provider": "Cloudflare",
  "login_token": "YOUR_TOKEN",
  "domains": [
    {
      "domain_name": "yourdomain.com",
      "sub_domains": [
        "@"
      ]
    }
  ],
  "ip_urls": [
    "https://api.ipify.org"
  ],
  "ip_type": "IPv4",
  "interval": 300,
  "resolver": "8.8.8.8",
  "webhook": {
    "enabled": true,
    "url": "http://your.coturn.webhook.endpoint:9000/hooks/godns",
    "request_body": "{ \"domain\": \"{{.Domain}}\", \"ip\": \"{{.CurrentIP}}\", \"ip_type\": \"{{.IPType}}\" }"
  }
}

webhook

$ cat /usr/local/etc/webhook.yaml
---
# See https://github.com/adnanh/webhook/wiki for further information on this
# file and its options.  Instead of YAML, you can also define your
# configuration as JSON.  We've picked YAML for these examples because it
# supports comments, whereas JSON does not.
#
# In the default configuration, webhook runs as user nobody.  Depending on
# the actions you want your webhooks to take, you might want to run it as
# user root.  Set the rc.conf(5) variable webhook_user to the desired user,
# and restart webhook.

# An example for a simple webhook you can call from a browser or with
# wget(1) or curl(1):
#   curl -v 'localhost:9000/hooks/samplewebhook?secret=geheim'
- id: godns
  execute-command: "/usr/local/etc/godns.sh"
  command-working-directory: "/usr/local/etc"
  pass-arguments-to-command:
  - source: payload
    name: domain
  - source: payload
    name: ip
  - source: payload
    name: ip_type
  trigger-rule:
    and:
      - match:
          type: value
          value: "your.domain.com"
          parameter:
            source: payload
            name: domain

shell script

$ cat /usr/local/etc/godns.sh
#!/bin/sh

# write ip log to a file
now="$(date +'%y%m%d%H%M%S%N')"
echo $now $1 $2 $3 >> godns.txt

# restart coturn when ip changed
turnserver_config="/usr/local/etc/turnserver.conf"
current_external_ip_config=$(cat $turnserver_config | grep "^external-ip" | cut -d'=' -f2)
current_external_ip_webhook=$2

if [ -n "$current_external_ip_webhook" ] && [ $current_external_ip_config != $current_external_ip_webhook ]; then
        sed -i .old -e "s/external-ip=$current_external_ip_config/external-ip=$current_external_ip_webhook/g" $turnserver_config
        service turnserver restart
fi

It may not work well enough, if something happen and godns can not send webhook to coturn server. But for now we stick with it.

gpart destroy -F ada0

We’re buiding our all-in-one server for our business.

The network is complicate when we want to run serveral virtual machine and still want to connect to outside. The router will be virtualized, it run OpenWrt or OPNsense as we want.

We have several choice:

1. Traditional way

if_bridge and tap.

It was not so efficiently.

We test on N4100 CPU:

Our config:

$ cat /etc/rc.conf
cloned_interfaces="bridge0 tap0"
ifconfig_bridge0="dhcp addm em0 addm tap0"
ifconfig_em0="up"

$ cat /boot/loader.conf
if_bridge_load="YES"
if_tap_load="YES"

$ cat /pool/vm/openwrt/openwrt.conf 
loader="uefi"
cpu=2
memory=512M
network0_type="e1000"
network0_switch="public"
network0_device="tap0"
disk0_type="ahci-hd"
disk0_name="immortalwrt-23.05.4-x86-64-generic-ext4-combined-efi.img"

2. More modern way

vale and vether.

Of course there is epair that we can connect between host and vm.

We test on N4100 CPU:

Our config:

$ cat /etc/rc.conf
defaultrouter="192.168.1.1"
cloned_interfaces="vether0"
ifconfig_vether0="192.168.1.2/24 up"

$ cat /boot/loader.conf
if_vether_load="YES" 

$ cat /pool/vm/openwrt/openwrt.conf 
loader="uefi"
cpu=2
memory=512M
network0_type="e1000"
network0_switch="public"
disk0_type="ahci-hd"
disk0_name="immortalwrt-23.05.4-x86-64-generic-ext4-combined-efi.img"

Need to run following script everytime after openwrt vm start (connect host to vm). If you have vm-bhyve you can put it to prestart, remember to chmod +x for it.

valectl -h vale-name:vether-name, for example valectl -h vale0:vether0.

3. The most complex thing

netgraph.

We test on N4100 CPU:

ng_bridge is much faster than vether in this case: vm to host.

We think we could keep VALE as our vm switch, and replace vether by netgraph or epair?

netgraph as host virtual interface and vale as bridge, report bad pkt??? something was not right. we will look into it further and do it manually.

Ref:

• rc.d/ngbridge
• Netgraph Bridge

$ cat /boot/loader.conf
ng_eiface_load="YES"
ng_bridge_load="YES"
ng_ether_load="YES"

$ cat /etc/rc.conf
ngbridge_enable="YES"
ngbridge_names="lan"
ngbridge_lan_eifaces="nge_1u"
ngbridge_nge_1u_mac="00:37:92:01:02:02"
ngbridge_nge_1u_addr_num="1"
ngbridge_nge_1u_addr_1="inet 192.168.1.2/24"
ngbridge_lan_eifaces_keep="nge_1u"
ngbridge_lan_route_num=1
ngbridge_lan_route_1="-net default 192.168.1.1"
ngbridge_lan_vlans="NO"

$ cat /pool/vm/openwrt/openwrt.conf 
loader="uefi"
cpu=2
memory=512M
network0_type="e1000"
network0_switch="lanbridge"
disk0_type="ahci-hd"
disk0_name="immortalwrt-23.05.4-x86-64-generic-ext4-combined-efi.img"

Đây là những ghi chép trong quá trình triển khai nhúng live streaming camera video lên website trangtraihuounai.com.

1. Yêu cầu

Không quá nhiều điểm đặc biệt:

• Nhúng livestream camera của trang trại lên website
• Hệ thống đơn giản, có thể dễ dàng mở rộng khi cần thiết

2. Ý tưởng

Gọn nhẹ nhất có thể:

• Sử dụng máy tính all-in-one cho tất cả các tác vụ
• Lấy luồng RTSP từ camera phát lại bằng go2rtc
• Nhúng trực tiếp vào website hoặc phát kênh Youtube?

2.1. Thiết bị thử nghiệm

Đang có sẵn các thứ sau:

• Mini PC N4100: 4x1GB Ethernet
• PoE Switch không biết tên
• Imou Cruiser 2 (5MP Outdoor Wi-Fi P&T Camera)

Thay thế thiết bị khác sau khi chạy thử:

• All-in-one box: HP / Dell
• Camera: Dahua / Hikvision

2.2. Sơ đồ hệ thống

Sẽ tách router trong tương lai, hiện tại chạy ImmortalWrt trên môi trường ảo hóa.

2.3. Các bước triển khai

Task List

• Cài đặt FreeBSD box
• Cấu hình hệ thống mạng sẵn sàng cho máy ảo
• Cài đặt máy ảo chạy ImmortalWrt làm router
• Cấu hình ImmortalWrt, quy hoạch VLAN
• Cài đặt máy ảo chạy Debian làm docker host
• Cài đặt nginx làm reverse proxy, nat port 80/443 từ router
• Cài đặt go2rtc lấy luồng RTSP / ONVIF từ camera
• Cài đặt nginx làm web server, nhúng stream vào trang web
• Chuyển thiết bị đến trang trại, quay pppoe mở port 80/443
• Chạy thử trong 30 ngày

3. Các vấn đề gặp phải

• high latency from cameras to web media player: check bridge+tap on bhyve, maybe passthru all nics and use something like vether / epair / vale / netgraph.. done.
  • Deploy TURN server and stream by WebRTC, much better latency
• transcoding video requires high CPU load, checked bhyve GPU passthru but it didn’t work. moved to Linux instead of FreeBSD. needed something like CUDA
• can not pull rtsp stream from EZVIZ camera, they use their own protocol. best camera brand for this job: Dahua, Imou
• security risk when expose go2rtc API
  • Deploy a mediamtx WebRTC endpoint, expose via a reverse proxy

4. New proposal

4.1. Network

Router on baremetal:

• HINLINK OPC-H28K Board run KWrt
• DHCP Static Mappings for services and cameras

4.2. Server

Hardware:

• PC: HP EliteDesk 800 G4 SFF Business PC
  • Hardware Reference Guide
  • Maintenance and Service Guide
  • HP PC Commercial BIOS (UEFI) Setup
  • Interactive BIOS simulator
• Graphics card: NVIDIA Quadro P600
  • Datasheet

Software:

• Operating System
  • Ubuntu 24.04 (Noble Numbat)
  • HP BIOS config
    • Advanced -> Secure Boot Configuration -> Legacy Support Disable and Secure Boot Enable
  • Install detail
    • Ubuntu Server (minimised)
    • No LVM
  • GPU Driver
    • NVIDIA Driver Installation Guide for Linux: use legacy kernel module flavor cuda-drivers for this card
    • NVIDIA CUDA Installation Guide for Linux
    • NVIDIA Container Toolkit
• Virtualization
  • Docker
    • Dockge
  • KVM
• Streaming
  • go2rtc
  • MediaMTX
• DDNS
  • GoDNS
• STUN/TURN
  • Coturn
  • webhook for auto restart turn server when public ip changed
• Reverse proxy
  • Zoraxy
• Website
  • Grav
  • shinsenter/grav
• Remote access
  • Tailscale / WireGuard on a KVM virtual machine

5. Live website

(https://trangtraihuounai.com)

1. Requirement and concept

We’re building a PBX system for our business. It will handle:

• automatic distribute incoming calls
• call outside by specific phone numbers, automatic route to reduce call cost
• sms send api for OTP maybe?

Since we don’t have any SIP trunk from our carriers, we will take incoming calls from regular sim cards.

• Disadvantage:
  • Single-line: only one concurrent call per SIM card at a time
  • Need more work to handle system failure due to OS, power..
• Not sure:
  • Voice over LTE (VoLTE) are supported by all carriers.
  • Voice over Wi‑Fi (VoWiFi) are supported by VinaPhone, Mobifone?

Call flow as bellow:

Our stack:

• Hardwares:
  • Mini PC / Router: ZOTAC ZBOX CI323 nano
  • 2G/3G/4G/5G module: Quectel EC20CEFRG-MINIPCIE-C (Vietnam frequency bands: B1/B3/B8), PCIE to USB adapter (sim card slot included), antena
  • VoIP phone: haven’t bought yet
• Softwares
  • OS: TrueNAS SCALE 24.10 - Electric Eel
  • VM: jailmaker
  • PBX: Asterisk
  • Softphone: Linphone (Linux / iOS), Baresip (Android), MicroSIP (Windows)

2. Step by step

2.1 Asterisk Installation

• OS: Debian 12 (“Bookworm”)

$ mkdir tmp
$ cd tmp/
$ wget https://downloads.asterisk.org/pub/telephony/asterisk/asterisk-22-current.tar.gz
$ tar zxvf asterisk-22-current.tar.gz
$ cd asterisk-22*/
$ sudo ./contrib/scripts/install_prereq install
$ ./configure
$ make menuselect

Most of IP phones are support G722 and / or G729 codecs now.

• Under Add-ons:
  • Select [*] format_mp3
• Under Codec Translators:
  • Select [*] codec_opus
  • Select [*] codec_silk
  • Select [*] codec_siren7
  • Select [*] codec_siren14
  • Select [*] codec_g729a
• Under Core Sound Packages:
  • Deselect [*] CORE-SOUNDS-EN-GSM
  • Select [*] CORE-SOUNDS-EN-WAV
  • Select [*] CORE-SOUNDS-EN-G722
  • Select [*] CORE-SOUNDS-EN-G729
• Under Extras Sound Packages:
  • Select [*] EXTRA-SOUNDS-EN-WAV
  • Select [*] EXTRA-SOUNDS-EN-G722
  • Select [*] EXTRA-SOUNDS-EN-G729

$ make
$ sudo ./contrib/scripts/get_mp3_source.sh
$ sudo make install
$ sudo make config
$ sudo make samples
$ sudo mkdir /etc/asterisk/samples
$ sudo mv /etc/asterisk/*.*  /etc/asterisk/samples/
$ sudo asterisk -rvvvv

Most important config files:

• extensions.conf
• pjsip.conf

2.2. Virtual machine vm1

Purpose: VoIP GSM Gateway to handle voice call from and or to 3G/4G/5G MNOs.

• OS: Debian 12
• IP: 192.168.1.11
• Software: Asterisk
• Driver: asterisk-chan-quectel

2.3. Virtual machine vm0

Purpose: Local PBX.

• OS: Debian 12
• IP: 192.168.1.10
• Software: MikoPBX

3. Resource

Softwares:

• Servers:
  • Asterisk
    • asterisk-chan-quectel
    • asterisk-chan-dongle
  • FreeSWITCH
  • Kamailio
  • Yate
  • Routr
  • FreePBX
  • MikoPBX
  • docker-asterisk
  • asterisk-sound-generator
  • Light Speed for text-to-speech
• Clients:
  • Baresip
  • Linphone
  • Jami
  • MicroSIP
• Docs:
  • Official Asterisk documentation
  • Official Asterisk YouTube Channel
  • Asterisk: The Definitive Guide
• Ref:
  • 使用EC20模块配合asterisk及freepbx实现短信转发和网络电话
  • 如何把SIM卡从手机中取出
  • Quectel LTE 모뎀으로 Asterisk에서 KT, SKT, LG U+ VoLTE 전화 사용하기
  • Simple test bed set-up
  • Thực trạng mạng di động viễn thông tại Việt Nam

4. Miscellaneous

• Linux KVM is much more complicated than FreeBSD Bhyve so maybe we sould run FreeBSD host and Linux guest
• Debian has no Asterisk in their repo, we moved our guest to Ubuntu since we don’t want to complie Asterisk ourself
• Run MikoPBX as a Local PBX, Asterisk as a trunk provider. We found that MikoPBX is better than FreePBX in our case.
• Call quality seems not good enough, need to check jitter buffer again
• https://github.com/RoEdAl/asterisk-chan-quectel

test@vm0:~$ cat /etc/asterisk/pjsip.conf 
;===============TRANSPORT

[system-udp]
type=transport
protocol=udp
bind=0.0.0.0

;===============TRUNK

[miko0]
type=aor
contact=sip:192.168.1.11:5060

[miko0]
type=endpoint
context=quectel-incoming
disallow=all
allow=ulaw
aors=miko0

[miko0]
type=identify
endpoint=miko0
match=192.168.1.11

test@vm0:~$ cat /etc/asterisk/extensions.conf 
[quectel-incoming]
exten => _+84XXXXXXXXX,1,Dial(PJSIP/200@miko0)
exten => s,n,Hangup()

edit /etc/asterisk/indications.conf on vm1

#!/bin/bash 

configPath="$1" # Path to the original config file

sed -i 's/country=ru/country=vn/g' "$configPath"
cat >> "$configPath" <<EOF

[vn]
description = Vietnam
; Clone from China
ringcadence = 1000,4000
dial = 450
busy = 450/350,0/350
ring = 450/1000,0/4000
congestion = 450/700,0/700
callwaiting = 450/400,0/4000
dialrecall = 450
record = 950/400,0/10000
info = 450/100,0/100,450/100,0/100,450/100,0/100,450/400,0/400
stutter = 450+425
EOF

5. Test

Number: 0918026858

• Voice
• SMS
• 4G internet?

We decided to going back to a more mature solution.

1. Should know

Some information that we think you should know when you want to run your own mail server.

1.1. Protocols:

• Simple Mail Transfer Protocol (SMTP)
• Internet Message Access Protocol (IMAP)
• Local Mail Transfer Protocol (LMTP)

1.2. Formats:

• Maildir
• Mbox

1.3. Software components:

• Message transfer agent (MTA): Sendmail, Exim, Postfix
• Message delivery agent (MDA): Dovecot, Cyrus IMAP
• Email filtering: Rspamd, SpamAssassin, ClamAV
• Webmail: Roundcube, Cypht, SnappyMail

1.4. Resources:

• awesome-emails
• awesome-opensource-email

2. Software stack

We’re running FreeBSD so we want to run our mail server on it. The solution need to be easy to deploy and maintain.

• FreeBSD (operating system)
• OpenSMTPD (SMTP)
• Dovecot (IMAP)
• Rspamd (spam filtering)

For small businesses we will not store usernames and passwords in LDAP or SQL databases, we store such information in flat-file databases.

2.1. FreeBSD (operating system)

There is nothing to say. FreeBSD is quite boring, it just works ^^.

We’re going to run our mail server in a FreeBSD jail (managed by AppJail). We already have HAProxy as our Load Balancer.

! FreeBSD is a good operating system. Please donate to their work.

We just need to make sure our FreeBSD server is up to date.

# pkg update
# pkg upgrade

Create vmail user and vmail group. This is the user/group that’s used to access the mails.

# pw useradd vmail -u 5000 -d /home/vmail -s /usr/sbin/nologin -m

Get a free TLS/SSL certificate for your domain from a certificate authority (ZeroSSL, Let’s Encrypt..) by acme.sh or Certbot.

2.2. OpenSMTPD (SMTP)

We consider Postfix which is more popular but we found that OpenSMTPD is easier to config so we will choose it as our MTA.

We love the config syntax, it remind us about PF.

2.2.1. Install OpenSMTPD

# pkg install opensmtpd opensmtpd-extras

2.2.2. Config OpenSMTPD

2.2.2.1. smtpd.conf

Please read:

• smtpd.conf — SMTP daemon configuration file

Please read it carefully and make your own config file. It’s very important.

Modify your file /usr/local/etc/mail/smtpd.conf:

2.2.2.1.1. TLS/SSL certificate

declare your certificate as follow, pkiname named mail.example.com:

pki mail.example.com cert "/usr/local/etc/certs/example.com/fullchain.pem"
pki mail.example.com key "/usr/local/etc/certs/example.com/key.pem

2.2.2.1.2. Tables

declare your tables

table aliases file:/usr/local/etc/mail/aliases
table virtuals file:/usr/local/etc/mail/virtuals
table domains file:/usr/local/etc/mail/domains
table credentials file:/usr/local/etc/mail/credentials
table secrets file:/usr/local/etc/mail/secrets
table passwds file:/usr/local/etc/mail/passwds

We will have: aliases, virtuals, domains, credentials, secrets and passwds.

See OpenSMTPD tables below for more information.

2.2.2.1.3. Bind

# STARTTLS port 25
listen on 0.0.0.0 port 25 tls pki mail.example.com
# SMTPS port 465
listen on 0.0.0.0 port 465 smtps pki mail.example.com auth <credentials>
# SUBMISSION port 587
listen on 0.0.0.0 port 587 tls-require pki mail.example.com auth <credentials>

Listen to IPv4 only 0.0.0.0.

For SMTPS (port 465), SUBMISSION (port 587) users must provide their credentials. TLS is mandatory for both, pkiname = mail.example.com.

For SMTP (port 25) we will not require it because we want our server receive email from other MTA (other mail server). TLS is not mandatory, pkiname = mail.example.com.

2.2.2.1.4. Define actions

action "recv" lmtp "/var/run/dovecot/lmtp" rcpt-to virtual <virtuals>
action "send" relay host smtp+tls://mailjet@in-v3.mailjet.com auth <secrets>

For simple use case, we define only 2 “action"s. For receive and send emails.

recv deliver emails to dovecot via lmtp socket.

send deliver emails to mailjet SMPT relay.

2.2.2.1.4. Define matchs

match from any for domain <domains> action "recv"
match from any auth for any action "send"

For any emails to our defined domains, OpenSMTPD will do action recv, which is deliver to Dovecot.

For any email from authenticated users to any where, OpenSMTPD will do action send, which is deliver to mailjet relay.

root@mailserver:~ # cat /usr/local/etc/mail/smtpd.conf
#	$OpenBSD: smtpd.conf,v 1.10 2018/05/24 11:40:17 gilles Exp $

# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

# table aliases file:/etc/mail/aliases

# To also accept external mail over IPv4 or IPv6,
# respectively replace "listen on localhost" with:
#
# listen on 0.0.0.0
# listen on ::
# listen on localhost

# action "local" maildir alias <aliases>
# action "relay" relay

# Uncomment the following to accept external mail for domain "example.org"
#
# match from any for domain "example.org" action "local"
# match for local action "local"
# match from local for any action "relay"

# USER
# CONFIG
# BELOW
# Public key infrastructure
pki mail.example.com cert "/usr/local/etc/certs/example.com/fullchain.pem"
pki mail.example.com key "/usr/local/etc/certs/example.com/key.pem"

# Tables
table aliases file:/usr/local/etc/mail/aliases
table virtuals file:/usr/local/etc/mail/virtuals
table domains file:/usr/local/etc/mail/domains
table credentials file:/usr/local/etc/mail/credentials
table secrets file:/usr/local/etc/mail/secrets
table passwds file:/usr/local/etc/mail/passwds

# STARTTLS port 25
listen on 0.0.0.0 port 25 tls pki mail.example.com
# SMTPS port 465
listen on 0.0.0.0 port 465 smtps pki mail.example.com auth <credentials>
# SUBMISSION port 587
listen on 0.0.0.0 port 587 tls-require pki mail.example.com auth <credentials>

action "recv" lmtp "/var/run/dovecot/lmtp" rcpt-to virtual <virtuals>
# https://dev.mailjet.com/smtp-relay/configuration
action "send" relay host smtp+tls://mailjet@in-v3.mailjet.com auth <secrets>

match from any for domain <domains> action "recv"
match from any auth for any action "send"

2.2.2.2. OpenSMTPD tables

OpenSMTPD and Dovecot can share a same passwd-like file as their authentication table (credentials or passwds). If you don’t want separate authentication databases so just choose one, make sure its format compatible with both OpenSMTPD and Dovecot.

one `credentials` file for both.

root@mailserver:~ # cat /usr/local/etc/mail/credentials 
john@example.com:$6$0UWgneRDOFLnWRnh$UbNpTu4UexIDRaI8hhFMnV8r7Z6x4y4fKH8q5AUD39seTX0EyiG124F7GZHdfxzhF87RpbWR7/A9FmZvR60MN0

2.2.2.2.1. aliases

we simply copy from /etc/mail/aliases to /usr/local/etc/mail/aliases.

add vmail: /dev/null to the end of /usr/local/etc/mail/aliases.

root@mailserver:~ # cat /usr/local/etc/mail/aliases
#	@(#)aliases	5.3 (Berkeley) 5/24/90
#
#  Aliases in this file will NOT be expanded in the header from
#  Mail, but WILL be visible over networks.
#
#	>>>>>>>>>>	The program "newaliases" must be run after
#	>> NOTE >>	this file is updated for any changes to
#	>>>>>>>>>>	show through to sendmail.
#
#
# See also RFC 2142, `MAILBOX NAMES FOR COMMON SERVICES, ROLES
# AND FUNCTIONS', May 1997
# 	http://tools.ietf.org/html/rfc2142

# Pretty much everything else in this file points to "root", so
# you would do well in either reading root's mailbox or forwarding
# root's email from here.

# root:	john@example.com

# Basic system aliases -- these MUST be present
MAILER-DAEMON: postmaster
postmaster: root

# General redirections for pseudo accounts
_dhcp:	root
_pflogd: root
auditdistd:	root
bin:	root
bind:	root
daemon:	root
games:	root
hast:	root
kmem:	root
mailnull: postmaster
man:	root
news:	root
nobody:	root
operator: root
pop:	root
proxy:	root
smmsp:	postmaster
sshd:	root
system:	root
toor:	root
tty:	root
usenet: news
uucp:	root

# Well-known aliases -- these should be filled in!
# manager:
# dumper:

# BUSINESS-RELATED MAILBOX NAMES
# info:
# marketing:
# sales:
# support:

# NETWORK OPERATIONS MAILBOX NAMES
abuse:	root
# noc:		root
security:	root

# SUPPORT MAILBOX NAMES FOR SPECIFIC INTERNET SERVICES
ftp: 		root
ftp-bugs: 	ftp
# hostmaster: 	root
# webmaster: 	root
# www: 		webmaster

# NOTE: /var/msgs and /var/msgs/bounds must be owned by sendmail's
#	DefaultUser (defaults to mailnull) for the msgs alias to work.
#
# msgs: "| /usr/bin/msgs -s"

# bit-bucket: /dev/null
# dev-null: bit-bucket
vmail: /dev/null

2.2.2.2.2. virtuals

add @: vmail to /usr/local/etc/mail/virtuals.

root@mailserver:~ # cat /usr/local/etc/mail/virtuals
@: vmail

2.2.2.2.3. domains

add your domains line by line to /usr/local/etc/mail/domains.

root@mailserver:~ # cat /usr/local/etc/mail/domains
example.com
example.net

2.2.2.2.4. credentials

get your password, hash it by smtpctl then write username and hashed password into /usr/local/etc/mail/credentials.

root@mailserver:~ # cat /usr/local/etc/mail/credentials
john@example.com: $6$0UWgneRDOFLnWRnh$UbNpTu4UexIDRaI8hhFMnV8r7Z6x4y4fKH8q5AUD39seTX0EyiG124F7GZHdfxzhF87RpbWR7/A9FmZvR60MN0

2.2.2.2.5. secrets

supply mailjet relay account in /usr/local/etc/mail/secrets.

root@mailserver:~ # cat /usr/local/etc/mail/secrets
mailjet username:password

2.2.2.2.6. passwds

see dovecot config /usr/local/etc/mail/passwds.

2.2.2.2.7. Check config

Test our config:

root@mailserver:~ # smtpd -n
configuration OK

root@mailserver:~ # cat /usr/local/etc/mail/passwds 
john@example.com:$6$0UWgneRDOFLnWRnh$UbNpTu4UexIDRaI8hhFMnV8r7Z6x4y4fKH8q5AUD39seTX0EyiG124F7GZHdfxzhF87RpbWR7/A9FmZvR60MN0::::::
catchall@example.com:$6$ltEXtOxtMOY/5VxD$Ad/7Cce0Rsk5EDMLcZTXBzsB.AxcumZwUHUVpWaSYohL99pjsOTYrLqK40DiYwSd6Mup8Be/Hoo6mZDhZ2CVc::::::

2.3. Dovecot (IMAP)

Of course Dovecot for our MDA, the best we know.

2.3.1. Install Dovecot

# pkg install dovecot
# cp -R /usr/local/etc/dovecot/example-config/* /usr/local/etc/dovecot

2.3.2. Config Dovecot

2.3.2.1. dovecot.conf

Please read:

• Configuration Manual.

Edit file /usr/local/etc/dovecot/dovecot.conf, change / add as below:

We will need imap of course, and lmtp for listen to mail messages from OpenSMTPD.

protocols = imap lmtp

We will not use IPv6 so listen only on IPv4.

listen = *

root@mailserver:~ # cat /usr/local/etc/dovecot/dovecot.conf
## Dovecot configuration file

# If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration

# "doveconf -n" command gives a clean output of the changed settings. Use it
# instead of copy&pasting files when posting to the Dovecot mailing list.

# '#' character and everything after it is treated as comments. Extra spaces
# and tabs are ignored. If you want to use either of these explicitly, put the
# value inside quotes, eg.: key = "# char and trailing whitespace  "

# Most (but not all) settings can be overridden by different protocols and/or
# source/destination IPs by placing the settings inside sections, for example:
# protocol imap { }, local 127.0.0.1 { }, remote 10.0.0.0/8 { }

# Default values are shown for each setting, it's not required to uncomment
# those. These are exceptions to this though: No sections (e.g. namespace {})
# or plugin settings are added by default, they're listed only as examples.
# Paths are also just examples with the real defaults being based on configure
# options. The paths listed here are for configure --prefix=/usr
# --sysconfdir=/usr/local/etc --localstatedir=/var

# Protocols we want to be serving.
#protocols = imap pop3 lmtp submission
protocols = imap lmtp

# A comma separated list of IPs or hosts where to listen in for connections. 
# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
# If you want to specify non-default ports or anything more complex,
# edit conf.d/master.conf.
#listen = *, ::
listen = *

# Base directory where to store runtime data.
#base_dir = /var/run/dovecot/

# Name of this instance. In multi-instance setup doveadm and other commands
# can use -i instance_name> to select which instance is used (an alternative
# to -c <config_path>). The instance name is also added to Dovecot processes
# in ps output.
#instance_name = dovecot

# Greeting message for clients.
#login_greeting = Dovecot ready.

# Space separated list of trusted network ranges. Connections from these
# IPs are allowed to override their IP addresses and ports (for logging and
# for authentication checks). disable_plaintext_auth is also ignored for
# these networks. Typically you'd specify your IMAP proxy servers here.
#login_trusted_networks =

# Space separated list of login access check sockets (e.g. tcpwrap)
#login_access_sockets = 

# With proxy_maybe=yes if proxy destination matches any of these IPs, don't do
# proxying. This isn't necessary normally, but may be useful if the destination
# IP is e.g. a load balancer's IP.
#auth_proxy_self =

# Show more verbose process titles (in ps). Currently shows user name and
# IP address. Useful for seeing who are actually using the IMAP processes
# (eg. shared mailboxes or if same uid is used for multiple accounts).
#verbose_proctitle = no

# Should all processes be killed when Dovecot master process shuts down.
# Setting this to "no" means that Dovecot can be upgraded without
# forcing existing client connections to close (although that could also be
# a problem if the upgrade is e.g. because of a security fix).
#shutdown_clients = yes

# If non-zero, run mail commands via this many connections to doveadm server,
# instead of running them directly in the same process.
#doveadm_worker_count = 0
# UNIX socket or host:port used for connecting to doveadm server
#doveadm_socket_path = doveadm-server

# Space separated list of environment variables that are preserved on Dovecot
# startup and passed down to all of its child processes. You can also give
# key=value pairs to always set specific settings.
#import_environment = TZ

##
## Dictionary server settings
##

# Dictionary can be used to store key=value lists. This is used by several
# plugins. The dictionary can be accessed either directly or though a
# dictionary server. The following dict block maps dictionary names to URIs
# when the server is used. These can then be referenced using URIs in format
# "proxy::<name>".

dict {
  #quota = mysql:/usr/local/etc/dovecot/dovecot-dict-sql.conf.ext
}

# Most of the actual configuration gets included below. The filenames are
# first sorted by their ASCII value and parsed in that order. The 00-prefixes
# in filenames are intended to make it easier to understand the ordering.
!include conf.d/*.conf

# A config file can also tried to be included without giving an error if
# it's not found:
!include_try local.conf

2.3.2.2. 10-mail.conf

Please read:

• Mail Location Settings.

Edit file /usr/local/etc/dovecot/conf.d/10-mail.conf, change / add as below:

We will use Maildir as our email format.

mail_location = maildir:~/Maildir

root@mailserver:~ # cat /usr/local/etc/dovecot/conf.d/10-mail.conf
##
## Mailbox locations and namespaces
##

# Location for users' mailboxes. The default is empty, which means that Dovecot
# tries to find the mailboxes automatically. This won't work if the user
# doesn't yet have any mail, so you should explicitly tell Dovecot the full
# location.
#
# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u)
# isn't enough. You'll also need to tell Dovecot where the other mailboxes are
# kept. This is called the "root mail directory", and it must be the first
# path given in the mail_location setting.
#
# There are a few special variables you can use, eg.:
#
#   %u - username
#   %n - user part in user@domain, same as %u if there's no domain
#   %d - domain part in user@domain, empty if there's no domain
#   %h - home directory
#
# See doc/wiki/Variables.txt for full list. Some examples:
#
#   mail_location = maildir:~/Maildir
#   mail_location = mbox:~/mail:INBOX=/var/mail/%u
#   mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
#
# <doc/wiki/MailLocation.txt>
#
mail_location = maildir:~/Maildir

# If you need to set multiple mailbox locations or want to change default
# namespace settings, you can do it by defining namespace sections.
#
# You can have private, shared and public namespaces. Private namespaces
# are for user's personal mails. Shared namespaces are for accessing other
# users' mailboxes that have been shared. Public namespaces are for shared
# mailboxes that are managed by sysadmin. If you create any shared or public
# namespaces you'll typically want to enable ACL plugin also, otherwise all
# users can access all the shared mailboxes, assuming they have permissions
# on filesystem level to do so.
namespace inbox {
  # Namespace type: private, shared or public
  #type = private

  # Hierarchy separator to use. You should use the same separator for all
  # namespaces or some clients get confused. '/' is usually a good one.
  # The default however depends on the underlying mail storage format.
  #separator = 

  # Prefix required to access this namespace. This needs to be different for
  # all namespaces. For example "Public/".
  #prefix = 

  # Physical location of the mailbox. This is in same format as
  # mail_location, which is also the default for it.
  #location =

  # There can be only one INBOX, and this setting defines which namespace
  # has it.
  inbox = yes

  # If namespace is hidden, it's not advertised to clients via NAMESPACE
  # extension. You'll most likely also want to set list=no. This is mostly
  # useful when converting from another server with different namespaces which
  # you want to deprecate but still keep working. For example you can create
  # hidden namespaces with prefixes "~/mail/", "~%u/mail/" and "mail/".
  #hidden = no

  # Show the mailboxes under this namespace with LIST command. This makes the
  # namespace visible for clients that don't support NAMESPACE extension.
  # "children" value lists child mailboxes, but hides the namespace prefix.
  #list = yes

  # Namespace handles its own subscriptions. If set to "no", the parent
  # namespace handles them (empty prefix should always have this as "yes")
  #subscriptions = yes

  # See 15-mailboxes.conf for definitions of special mailboxes.
}

# Example shared namespace configuration
#namespace {
  #type = shared
  #separator = /

  # Mailboxes are visible under "shared/user@domain/"
  # %%n, %%d and %%u are expanded to the destination user.
  #prefix = shared/%%u/

  # Mail location for other users' mailboxes. Note that %variables and ~/
  # expands to the logged in user's data. %%n, %%d, %%u and %%h expand to the
  # destination user's data.
  #location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u

  # Use the default namespace for saving subscriptions.
  #subscriptions = no

  # List the shared/ namespace only if there are visible shared mailboxes.
  #list = children
#}
# Should shared INBOX be visible as "shared/user" or "shared/user/INBOX"?
#mail_shared_explicit_inbox = no

# System user and group used to access mails. If you use multiple, userdb
# can override these by returning uid or gid fields. You can use either numbers
# or names. <doc/wiki/UserIds.txt>
#mail_uid =
#mail_gid =

# Group to enable temporarily for privileged operations. Currently this is
# used only with INBOX when either its initial creation or dotlocking fails.
# Typically this is set to "mail" to give access to /var/mail.
#mail_privileged_group =

# Grant access to these supplementary groups for mail processes. Typically
# these are used to set up access to shared mailboxes. Note that it may be
# dangerous to set these if users can create symlinks (e.g. if "mail" group is
# set here, ln -s /var/mail ~/mail/var could allow a user to delete others'
# mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it).
#mail_access_groups =

# Allow full filesystem access to clients. There's no access checks other than
# what the operating system does for the active UID/GID. It works with both
# maildir and mboxes, allowing you to prefix mailboxes names with eg. /path/
# or ~user/.
#mail_full_filesystem_access = no

# Dictionary for key=value mailbox attributes. This is used for example by
# URLAUTH and METADATA extensions.
#mail_attribute_dict =

# A comment or note that is associated with the server. This value is
# accessible for authenticated users through the IMAP METADATA server
# entry "/shared/comment". 
#mail_server_comment = ""

# Indicates a method for contacting the server administrator. According to
# RFC 5464, this value MUST be a URI (e.g., a mailto: or tel: URL), but that
# is currently not enforced. Use for example mailto:admin@example.com. This
# value is accessible for authenticated users through the IMAP METADATA server
# entry "/shared/admin".
#mail_server_admin = 

##
## Mail processes
##

# Don't use mmap() at all. This is required if you store indexes to shared
# filesystems (NFS or clustered filesystem).
#mmap_disable = no

# Rely on O_EXCL to work when creating dotlock files. NFS supports O_EXCL
# since version 3, so this should be safe to use nowadays by default.
#dotlock_use_excl = yes

# When to use fsync() or fdatasync() calls:
#   optimized (default): Whenever necessary to avoid losing important data
#   always: Useful with e.g. NFS when write()s are delayed
#   never: Never use it (best performance, but crashes can lose data)
#mail_fsync = optimized

# Locking method for index files. Alternatives are fcntl, flock and dotlock.
# Dotlocking uses some tricks which may create more disk I/O than other locking
# methods. NFS users: flock doesn't work, remember to change mmap_disable.
#lock_method = fcntl

# Directory where mails can be temporarily stored. Usually it's used only for
# mails larger than >= 128 kB. It's used by various parts of Dovecot, for
# example LDA/LMTP while delivering large mails or zlib plugin for keeping
# uncompressed mails.
#mail_temp_dir = /tmp

# Valid UID range for users, defaults to 500 and above. This is mostly
# to make sure that users can't log in as daemons or other system users.
# Note that denying root logins is hardcoded to dovecot binary and can't
# be done even if first_valid_uid is set to 0.
#first_valid_uid = 500
#last_valid_uid = 0

# Valid GID range for users, defaults to non-root/wheel. Users having
# non-valid GID as primary group ID aren't allowed to log in. If user
# belongs to supplementary groups with non-valid GIDs, those groups are
# not set.
#first_valid_gid = 1
#last_valid_gid = 0

# Maximum allowed length for mail keyword name. It's only forced when trying
# to create new keywords.
#mail_max_keyword_length = 50

# ':' separated list of directories under which chrooting is allowed for mail
# processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too).
# This setting doesn't affect login_chroot, mail_chroot or auth chroot
# settings. If this setting is empty, "/./" in home dirs are ignored.
# WARNING: Never add directories here which local users can modify, that
# may lead to root exploit. Usually this should be done only if you don't
# allow shell access for users. <doc/wiki/Chrooting.txt>
#valid_chroot_dirs = 

# Default chroot directory for mail processes. This can be overridden for
# specific users in user database by giving /./ in user's home directory
# (eg. /home/./user chroots into /home). Note that usually there is no real
# need to do chrooting, Dovecot doesn't allow users to access files outside
# their mail directory anyway. If your home directories are prefixed with
# the chroot directory, append "/." to mail_chroot. <doc/wiki/Chrooting.txt>
#mail_chroot = 

# UNIX socket path to master authentication server to find users.
# This is used by imap (for shared users) and lda.
#auth_socket_path = /var/run/dovecot/auth-userdb

# Directory where to look up mail plugins.
#mail_plugin_dir = /usr/lib/dovecot

# Space separated list of plugins to load for all services. Plugins specific to
# IMAP, LDA, etc. are added to this list in their own .conf files.
#mail_plugins = 

##
## Mailbox handling optimizations
##

# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are
# also required for IMAP NOTIFY extension to be enabled.
#mailbox_list_index = yes

# Trust mailbox list index to be up-to-date. This reduces disk I/O at the cost
# of potentially returning out-of-date results after e.g. server crashes.
# The results will be automatically fixed once the folders are opened.
#mailbox_list_index_very_dirty_syncs = yes

# Should INBOX be kept up-to-date in the mailbox list index? By default it's
# not, because most of the mailbox accesses will open INBOX anyway.
#mailbox_list_index_include_inbox = no

# The minimum number of mails in a mailbox before updates are done to cache
# file. This allows optimizing Dovecot's behavior to do less disk writes at
# the cost of more disk reads.
#mail_cache_min_mail_count = 0

# When IDLE command is running, mailbox is checked once in a while to see if
# there are any new mails or other changes. This setting defines the minimum
# time to wait between those checks. Dovecot can also use inotify and
# kqueue to find out immediately when changes occur.
#mailbox_idle_check_interval = 30 secs

# Save mails with CR+LF instead of plain LF. This makes sending those mails
# take less CPU, especially with sendfile() syscall with Linux and FreeBSD.
# But it also creates a bit more disk I/O which may just make it slower.
# Also note that if other software reads the mboxes/maildirs, they may handle
# the extra CRs wrong and cause problems.
#mail_save_crlf = no

# Max number of mails to keep open and prefetch to memory. This only works with
# some mailbox formats and/or operating systems.
#mail_prefetch_count = 0

# How often to scan for stale temporary files and delete them (0 = never).
# These should exist only after Dovecot dies in the middle of saving mails.
#mail_temp_scan_interval = 1w

# How many slow mail accesses sorting can perform before it returns failure.
# With IMAP the reply is: NO [LIMIT] Requested sort would have taken too long.
# The untagged SORT reply is still returned, but it's likely not correct.
#mail_sort_max_read_count = 0

protocol !indexer-worker {
  # If folder vsize calculation requires opening more than this many mails from
  # disk (i.e. mail sizes aren't in cache already), return failure and finish
  # the calculation via indexer process. Disabled by default. This setting must
  # be 0 for indexer-worker processes.
  #mail_vsize_bg_after_count = 0
}

##
## Maildir-specific settings
##

# By default LIST command returns all entries in maildir beginning with a dot.
# Enabling this option makes Dovecot return only entries which are directories.
# This is done by stat()ing each entry, so it causes more disk I/O.
# (For systems setting struct dirent->d_type, this check is free and it's
# done always regardless of this setting)
#maildir_stat_dirs = no

# When copying a message, do it with hard links whenever possible. This makes
# the performance much better, and it's unlikely to have any side effects.
#maildir_copy_with_hardlinks = yes

# Assume Dovecot is the only MUA accessing Maildir: Scan cur/ directory only
# when its mtime changes unexpectedly or when we can't find the mail otherwise.
#maildir_very_dirty_syncs = no

# If enabled, Dovecot doesn't use the S=<size> in the Maildir filenames for
# getting the mail's physical size, except when recalculating Maildir++ quota.
# This can be useful in systems where a lot of the Maildir filenames have a
# broken size. The performance hit for enabling this is very small.
#maildir_broken_filename_sizes = no

# Always move mails from new/ directory to cur/, even when the \Recent flags
# aren't being reset.
#maildir_empty_new = no

##
## mbox-specific settings
##

# Which locking methods to use for locking mbox. There are four available:
#  dotlock: Create <mailbox>.lock file. This is the oldest and most NFS-safe
#           solution. If you want to use /var/mail/ like directory, the users
#           will need write access to that directory.
#  dotlock_try: Same as dotlock, but if it fails because of permissions or
#               because there isn't enough disk space, just skip it.
#  fcntl  : Use this if possible. Works with NFS too if lockd is used.
#  flock  : May not exist in all systems. Doesn't work with NFS.
#  lockf  : May not exist in all systems. Doesn't work with NFS.
#
# You can use multiple locking methods; if you do the order they're declared
# in is important to avoid deadlocks if other MTAs/MUAs are using multiple
# locking methods as well. Some operating systems don't allow using some of
# them simultaneously.
#mbox_read_locks = fcntl
#mbox_write_locks = dotlock fcntl

# Maximum time to wait for lock (all of them) before aborting.
#mbox_lock_timeout = 5 mins

# If dotlock exists but the mailbox isn't modified in any way, override the
# lock file after this much time.
#mbox_dotlock_change_timeout = 2 mins

# When mbox changes unexpectedly we have to fully read it to find out what
# changed. If the mbox is large this can take a long time. Since the change
# is usually just a newly appended mail, it'd be faster to simply read the
# new mails. If this setting is enabled, Dovecot does this but still safely
# fallbacks to re-reading the whole mbox file whenever something in mbox isn't
# how it's expected to be. The only real downside to this setting is that if
# some other MUA changes message flags, Dovecot doesn't notice it immediately.
# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK 
# commands.
#mbox_dirty_syncs = yes

# Like mbox_dirty_syncs, but don't do full syncs even with SELECT, EXAMINE,
# EXPUNGE or CHECK commands. If this is set, mbox_dirty_syncs is ignored.
#mbox_very_dirty_syncs = no

# Delay writing mbox headers until doing a full write sync (EXPUNGE and CHECK
# commands and when closing the mailbox). This is especially useful for POP3
# where clients often delete all mails. The downside is that our changes
# aren't immediately visible to other MUAs.
#mbox_lazy_writes = yes

# If mbox size is smaller than this (e.g. 100k), don't write index files.
# If an index file already exists it's still read, just not updated.
#mbox_min_index_size = 0

# Mail header selection algorithm to use for MD5 POP3 UIDLs when
# pop3_uidl_format=%m. For backwards compatibility we use apop3d inspired
# algorithm, but it fails if the first Received: header isn't unique in all
# mails. An alternative algorithm is "all" that selects all headers.
#mbox_md5 = apop3d

##
## mdbox-specific settings
##

# Maximum dbox file size until it's rotated.
#mdbox_rotate_size = 10M

# Maximum dbox file age until it's rotated. Typically in days. Day begins
# from midnight, so 1d = today, 2d = yesterday, etc. 0 = check disabled.
#mdbox_rotate_interval = 0

# When creating new mdbox files, immediately preallocate their size to
# mdbox_rotate_size. This setting currently works only in Linux with some
# filesystems (ext4, xfs).
#mdbox_preallocate_space = no

##
## Mail attachments
##

# sdbox and mdbox support saving mail attachments to external files, which
# also allows single instance storage for them. Other backends don't support
# this for now.

# Directory root where to store mail attachments. Disabled, if empty.
#mail_attachment_dir =

# Attachments smaller than this aren't saved externally. It's also possible to
# write a plugin to disable saving specific attachments externally.
#mail_attachment_min_size = 128k

# Filesystem backend to use for saving attachments:
#  posix : No SiS done by Dovecot (but this might help FS's own deduplication)
#  sis posix : SiS with immediate byte-by-byte comparison during saving
#  sis-queue posix : SiS with delayed comparison and deduplication
#mail_attachment_fs = sis posix

# Hash format to use in attachment filenames. You can add any text and
# variables: %{md4}, %{md5}, %{sha1}, %{sha256}, %{sha512}, %{size}.
# Variables can be truncated, e.g. %{sha256:80} returns only first 80 bits
#mail_attachment_hash = %{sha1}

# Settings to control adding $HasAttachment or $HasNoAttachment keywords.
# By default, all MIME parts with Content-Disposition=attachment, or inlines
# with filename parameter are consired attachments.
#   add-flags - Add the keywords when saving new mails or when fetching can
#      do it efficiently.
#   content-type=type or !type - Include/exclude content type. Excluding will
#     never consider the matched MIME part as attachment. Including will only
#     negate an exclusion (e.g. content-type=!foo/* content-type=foo/bar).
#   exclude-inlined - Exclude any Content-Disposition=inline MIME part.
#mail_attachment_detection_options =

2.3.2.3. 10-ssl.conf

Please read:

• Dovecot SSL configuration.

Edit file /usr/local/etc/dovecot/conf.d/10-ssl.conf, change / add as below:

ssl = required

ssl_key = </your/ssl/key.pem
ssl_cert = </your/ssl/etc//fullchain.pem

root@mailserver:~ # cat /usr/local/etc/dovecot/conf.d/10-ssl.conf
you have mail
##
## SSL settings
##

# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = required

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </usr/local/etc/certs/example.com/fullchain.pem
ssl_key = </usr/local/etc/certs/example.com/key.pem

# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
# world-readable, you may want to place this setting instead to a different
# root owned 0600 file by using ssl_key_password = <path.
#ssl_key_password =

# PEM encoded trusted certificate authority. Set this only if you intend to use
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
#ssl_ca = 

# Require that CRL check succeeds for client certificates.
#ssl_require_crl = yes

# Directory and/or file for trusted SSL CA certificates. These are used only
# when Dovecot needs to act as an SSL client (e.g. imapc backend or
# submission service). The directory is usually /etc/ssl/certs in
# Debian-based systems and the file is /etc/pki/tls/cert.pem in
# RedHat-based systems. Note that ssl_client_ca_file isn't recommended with
# large CA bundles, because it leads to excessive memory usage.
#ssl_client_ca_dir =
#ssl_client_ca_file =

# Require valid cert when connecting to a remote server
#ssl_client_require_valid_cert = yes

# Request client to send a certificate. If you also want to require it, set
# auth_ssl_require_client_cert=yes in auth section.
#ssl_verify_client_cert = no

# Which field from certificate to use for username. commonName and
# x500UniqueIdentifier are the usual choices. You'll also need to set
# auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName

# SSL DH parameters
# Generate new params with `openssl dhparam -out /usr/local/etc/dovecot/dh.pem 4096`
# Or migrate from old ssl-parameters.dat file with the command dovecot
# gives on startup when ssl_dh is unset.
#ssl_dh = </usr/local/etc/dovecot/dh.pem

# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
# TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3, depending on the OpenSSL version used.
#
# Dovecot also recognizes values ANY and LATEST. ANY matches with any protocol
# version, and LATEST matches with the latest version supported by library.
#ssl_min_protocol = TLSv1.2

# SSL ciphers to use, the default is:
#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
# To disable non-EC DH, use:
#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH

# Colon separated list of elliptic curves to use. Empty value (the default)
# means use the defaults from the SSL library. P-521:P-384:P-256 would be an
# example of a valid value.
#ssl_curve_list =

# Prefer the server's order of ciphers over client's.
#ssl_prefer_server_ciphers = no

# SSL crypto device to use, for valid values run "openssl engine"
#ssl_crypto_device =

# SSL extra options. Currently supported options are:
#   compression - Enable compression.
#   no_ticket - Disable SSL session tickets.
#ssl_options =

2.3.2.4. 15-mailboxes.conf

Please read:

• Mailbox Settings.

Dovecot uses some standard mailboxes like Drafts, Junk, Trash and Sent additional to the Inbox. These are not created automatically, which will possibly yield some error messages when connecting a mail client. So we can set up Dovecot to create those mailboxes automatically.

Edit file /usr/local/etc/dovecot/conf.d/15-mailboxes.conf, and add auto = create to the standard mailboxes:

root@mailserver:~ # cat /usr/local/etc/dovecot/conf.d/15-mailboxes.conf
##
## Mailbox definitions
##

# Each mailbox is specified in a separate mailbox section. The section name
# specifies the mailbox name. If it has spaces, you can put the name
# "in quotes". These sections can contain the following mailbox settings:
#
# auto:
#   Indicates whether the mailbox with this name is automatically created
#   implicitly when it is first accessed. The user can also be automatically
#   subscribed to the mailbox after creation. The following values are
#   defined for this setting:
# 
#     no        - Never created automatically.
#     create    - Automatically created, but no automatic subscription.
#     subscribe - Automatically created and subscribed.
#  
# special_use:
#   A space-separated list of SPECIAL-USE flags (RFC 6154) to use for the
#   mailbox. There are no validity checks, so you could specify anything
#   you want in here, but it's not a good idea to use flags other than the
#   standard ones specified in the RFC:
#
#     \All       - This (virtual) mailbox presents all messages in the
#                  user's message store.
#     \Archive   - This mailbox is used to archive messages.
#     \Drafts    - This mailbox is used to hold draft messages.
#     \Flagged   - This (virtual) mailbox presents all messages in the
#                  user's message store marked with the IMAP \Flagged flag.
#     \Important - This (virtual) mailbox presents all messages in the
#                  user's message store deemed important to user.
#     \Junk      - This mailbox is where messages deemed to be junk mail
#                  are held.
#     \Sent      - This mailbox is used to hold copies of messages that
#                  have been sent.
#     \Trash     - This mailbox is used to hold messages that have been
#                  deleted.
#
# comment:
#   Defines a default comment or note associated with the mailbox. This
#   value is accessible through the IMAP METADATA mailbox entries
#   "/shared/comment" and "/private/comment". Users with sufficient
#   privileges can override the default value for entries with a custom
#   value.

# NOTE: Assumes "namespace inbox" has been defined in 10-mail.conf.
namespace inbox {
  # These mailboxes are widely used and could perhaps be created automatically:
  mailbox Drafts {
    special_use = \Drafts
    auto = create
  }
  mailbox Junk {
    special_use = \Junk
    auto = create
  }
  mailbox Trash {
    special_use = \Trash
    auto = create
  }

  # For \Sent mailboxes there are two widely used names. We'll mark both of
  # them as \Sent. User typically deletes one of them if duplicates are created.
  mailbox Sent {
    special_use = \Sent
    auto = create
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }

  # If you have a virtual "All messages" mailbox:
  #mailbox virtual/All {
  #  special_use = \All
  #  comment = All my messages
  #}

  # If you have a virtual "Flagged" mailbox:
  #mailbox virtual/Flagged {
  #  special_use = \Flagged
  #  comment = All my flagged messages
  #}

  # If you have a virtual "Important" mailbox:
  #mailbox virtual/Important {
  #  special_use = \Important
  #  comment = All my important messages
  #}
}

2.3.2.5. 10-auth.conf

Please read:

• Authentication.

We will configure Dovecot to use virtual users. Dovecot supports many different password databases and user databases. With virtual users the most commonly used ones are LDAP, SQL and passwd-file.

Since we have only several users so we will auth by Passwd-file.

Edit file /usr/local/etc/dovecot/conf.d/10-auth.conf, change / add as below:

Comment out !include auth-system.conf.ext to disable system user auth.

#!include auth-system.conf.ext

Dovecot splits all authentication lookups into two categories:

• passdb
• userdb

passdb lookup most importantly authenticate the user. They also provide any other pre-login information needed for users, such as:

• Which server user is proxied to.
• If user should be allowed to log in at all (temporarily or permanently).

We will use Passwd-file with our encrypted password. Password scheme = CRYPT.

passdb {
  driver = passwd-file
  args = scheme=CRYPT /usr/local/etc/mail/passwds
}

Of course we will need a passwd-like file in /usr/local/etc/mail/passwds.

FOR EXAMPLE

Get your encrypted password by smtpctl or doveadm-pw:

$ smtpctl encrypt passw0rd

or:

$ doveadm pw -p passw0rd

Note that change passw0rd to your actual password.

Then add username and this password to your passwds file.

root@mailserver:~ # cat /usr/local/etc/mail/passwds 
john@example.com:$6$0UWgneRDOFLnWRnh$UbNpTu4UexIDRaI8hhFMnV8r7Z6x4y4fKH8q5AUD39seTX0EyiG124F7GZHdfxzhF87RpbWR7/A9FmZvR60MN0::::::
catchall@example.com:$6$ltEXtOxtMOY/5VxD$Ad/7Cce0Rsk5EDMLcZTXBzsB.AxcumZwUHUVpWaSYohL99pjsOTYrLqK40DiYwSd6Mup8Be/Hoo6mZDhZ2CVc::::::

userdb lookup retrieves post-login information specific to this user. This may include:

• Mailbox location information
• Quota limit
• Overriding settings for the user (almost any setting can be overridden)

We already set our email format and mail_location = maildir:~/Maildir before.

We also need to set Home directories to /home/vmail/%u. %u for full username and %d for domain as the docs.

userdb {
  driver = static
  args = uid=vmail gid=vmail home=/home/vmail/%u
}

This makes Dovecot look up the mails from /home/vmail/<user>/Maildir/ directory, which should be owned by vmail user and vmail group.

If you have many domains so you may want to change it to home=/home/vmail/%d/%n ~ /home/vmail/<domain>/<user>/Maildir/.

root@mailserver:~ # cat /usr/local/etc/dovecot/conf.d/10-auth.conf
##
## Authentication processes
##

# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
# See also ssl=required setting.
#disable_plaintext_auth = yes

# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
# bsdauth and PAM require cache_key to be set for caching to be used.
#auth_cache_size = 0
# Time to live for cached data. After TTL expires the cached record is no
# longer used, *except* if the main database lookup returns internal failure.
# We also try to handle password changes automatically: If user's previous
# authentication was successful, but this one wasn't, the cache isn't used.
# For now this works only with plaintext authentication.
#auth_cache_ttl = 1 hour
# TTL for negative hits (user not found, password mismatch).
# 0 disables caching them completely.
#auth_cache_negative_ttl = 1 hour

# Space separated list of realms for SASL authentication mechanisms that need
# them. You can leave it empty if you don't want to support multiple realms.
# Many clients simply use the first one listed here, so keep the default realm
# first.
#auth_realms =

# Default realm/domain to use if none was specified. This is used for both
# SASL realms and appending @domain to username in plaintext logins.
#auth_default_realm = 

# List of allowed characters in username. If the user-given username contains
# a character not listed in here, the login automatically fails. This is just
# an extra check to make sure user can't exploit any potential quote escaping
# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
# set this value to empty.
#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@

# Username character translations before it's looked up from databases. The
# value contains series of from -> to characters. For example "#@/@" means
# that '#' and '/' characters are translated to '@'.
#auth_username_translation =

# Username formatting before it's looked up from databases. You can use
# the standard variables here, eg. %Lu would lowercase the username, %n would
# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
# "-AT-". This translation is done after auth_username_translation changes.
#auth_username_format = %Lu

# If you want to allow master users to log in by specifying the master
# username within the normal username string (ie. not using SASL mechanism's
# support for it), you can specify the separator character here. The format
# is then <username><separator><master username>. UW-IMAP uses "*" as the
# separator, so that could be a good choice.
#auth_master_user_separator =

# Username to use for users logging in with ANONYMOUS SASL mechanism
#auth_anonymous_username = anonymous

# Maximum number of dovecot-auth worker processes. They're used to execute
# blocking passdb and userdb queries (eg. MySQL and PAM). They're
# automatically created and destroyed as needed.
#auth_worker_max_count = 30

# Host name to use in GSSAPI principal names. The default is to use the
# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
# entries.
#auth_gssapi_hostname =

# Kerberos keytab to use for the GSSAPI mechanism. Will use the system
# default (usually /etc/krb5.keytab) if not specified. You may need to change
# the auth service to run as root to be able to read this file.
#auth_krb5_keytab = 

# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
# ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
#auth_use_winbind = no

# Path for Samba's ntlm_auth helper binary.
#auth_winbind_helper_path = /usr/bin/ntlm_auth

# Time to delay before replying to failed authentications.
#auth_failure_delay = 2 secs

# Require a valid SSL client certificate or the authentication fails.
#auth_ssl_require_client_cert = no

# Take the username from client's SSL certificate, using 
# X509_NAME_get_text_by_NID() which returns the subject's DN's
# CommonName. 
#auth_ssl_username_from_cert = no

# Space separated list of wanted authentication mechanisms:
#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp
#   gss-spnego
# NOTE: See also disable_plaintext_auth setting.
auth_mechanisms = plain

##
## Password and user databases
##

#
# Password database is used to verify user's password (and nothing more).
# You can have multiple passdbs and userdbs. This is useful if you want to
# allow both system users (/etc/passwd) and virtual users to login without
# duplicating the system users into virtual database.
#
# <doc/wiki/PasswordDatabase.txt>
#
# User database specifies where mails are located and what user/group IDs
# own them. For single-UID configuration use "static" userdb.
#
# <doc/wiki/UserDatabase.txt>

#!include auth-deny.conf.ext
#!include auth-master.conf.ext

#!include auth-system.conf.ext
#!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
#!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-static.conf.ext

# Authentication configuration:
auth_verbose = yes
passdb {
  driver = passwd-file
  args = scheme=CRYPT /usr/local/etc/mail/passwds
}
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/home/vmail/%u
}

2.4. Rspamd (spam filtering)

And Rspamd for spam filtering system.

2.4.1. Install and config Rspamd

# pkg install rspamd opensmtpd-filter-rspamd

create local.d folder

# mkdir /usr/local/etc/rspamd/local.d

create a new file /usr/local/etc/rspamd/local.d/redis.conf with folowing code:

servers = "your_redis_ip";
password = "your_redis_password";

Make sure your Redis server listen to an appropriate network.

2.4.2. Configure OpenSMTPD

Modify your OpenSMTPD config at /usr/local/etc/mail/smtpd.conf:

delare “rspamd” filter:

filter "rspamd" proc-exec "/usr/local/libexec/opensmtpd/opensmtpd-filter-rspamd"

attach this filter to listeners:

listen on 0.0.0.0 port 25 tls pki mail.example.com filter "rspamd"
listen on 0.0.0.0 port 465 smtps pki mail.example.com auth <credentials> filter "rspamd"
listen on 0.0.0.0 port 587 tls-require pki mail.example.com auth <credentials> filter "rspamd"

2.4.3. Fix Rspamd bug in FreeBSD jail

When we read Rspamd log, there are some errors:

2024-10-16 15:27:05 #25098(controller) <zdedds>; monitored; rspamd_monitored_dns_mon: cannot make request to resolve 1.0.0.127.bl.spameatingmonkey.net (bl.spameatingmonkey.net monitored url)

It happens because Rspamd use dns nameserver from /etc/resolv.conf. It may not being config correctly in FreeBSD jail.

Of course you can edit /etc/resolv.conf, set it into a public dns server (for example: 8.8.8.8).

Or we prefer change it in the config file /usr/local/etc/rspamd/local.d/options.inc, add code bellow:

dns {
    timeout = 1s;
    sockets = 16;
    retransmits = 5;
    nameserver = "master-slave:127.0.0.1:53:10,8.8.8.8:53:1";
}

root@mailserver:~ # cat /usr/local/etc/rspamd/local.d/options.inc 
# DNS options
dns {
    timeout = 1s;
    sockets = 16;
    retransmits = 5;
    nameserver = "master-slave:127.0.0.1:53:10,8.8.8.8:53:1";
}

Please read:

• DNS options

2.5. DNS configuration

2.5.1. MX record

Please read:

• DNS MX record

Just need to tell people that which server is your mail server.

For example:

2.5.2. SPF

Sender Policy Framework (SPF) is a way for a domain to list all the servers they send emails from.

Please read:

• Authenticating Domains with SPF & DKIM
• DNS SPF record

We use Mailjet as our relay so we need to set DNS records to Mailjet.

2.5.3. DKIM

DomainKeys Identified Mail (DKIM) enables domain owners to automatically “sign” emails from their domain, just as the signature on a check helps confirm who wrote the check.

Please read:

• Authenticating Domains with SPF & DKIM
• DNS DKIM record
• Rspamd DKIM signing module
• Adding DKIM support to OpenSMTPD with custom filters

We use Mailjet as our relay so we need to set DNS records to Mailjet. They will sign all outgoing emails automaticly.

Of course we can also sign messages ourself by filter-rspamd or opensmtpd-filters.

See below:

2.5.3.1 Rspamd DKIM signing module

To generate DKIM keys for your domain, utilize the in-built rspamadm dkim_keygen utility, For an RSA key of 2048 bits:

$ mkdir /usr/local/etc/mail/dkim
$ cd /usr/local/etc/mail/dkim
$ rspamadm dkim_keygen -s 'selector1' -b 2048 -d example.com -k example.key > example.txt

• < example.txt re-directs the DNS TXT record output to example.txt
• -k example.key saves your private key to the file example.key
• -d example.com specifies the domain as example.com (currently meaningless)
• -b 2048 specifies a 2048 bit key size (the standard default 1024 bit size is weak)
• -s ‘selector1’ names the selector selector1 i.e. selector1._domainkey

Or by OpenSSL:

$ openssl genrsa -out /usr/local/etc/mail/dkim/example.key 2048
$ openssl rsa -in /usr/local/etc/mail/dkim/domain.key -pubout -out /usr/local/etc/mail/dkim/domain.crt

Add DNS TXT record as their guide in example.txt or just create it manually:

<your_pub_key> is the content of domain.crt, something like:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlNFNiVKm/eyVz+kBh+mr
LhlulQlFNa1u3YWQa08HsiDg0pO3y/FQHfsnmMwZ9eIzIupIb3zEGudEzGYMUnOm
B8kxbe8b6FKt82r4mt+y+EHoWeIZQWWMwCZ/2WetBsw28CezAU4nB59RNq6Z1uE/
OwnS9K9pS8WXxgmoel4m4KiOo9ZeiC1aBffg2jmStyavvp12p0XW6VsRPVCPQPjt
COjVjjRJ+UXgWqJkEqwn9csXQu/cJO6lTpQD0bukUJlrByBJDO5peuoj+q7ntviL
Cc3UHcxYrUVmEOLnn6gx0vdC1Xup+sjZrpxRN7ZYMHUD5Re3YB2+sYicWHQzla+t
VQIDAQAB
-----END PUBLIC KEY-----

Change ownership of your KEYS so Rspamd can read it:

# chown -R rspamd:rspamd /usr/local/etc/mail/dkim

Add / modify Rspamd DKIM signing config file in /usr/local/etc/rspamd/local.d/dkim_signing.conf:

allow_username_mismatch = true;

domain {
  example.com {
    path = "/usr/local/etc/mail/dkim/example.key";
    selector = "selector1";
  }
}

Restart Rspamd and check if it works.

2.5.4. DMARC

A DMARC policy allows a sender’s domain to indicate that their email messages are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes – such as to reject the message or quarantine it. The policy can also specify how an email receiver can report back to the sender’s domain about messages that pass and/or fail.

Please read:

• DMARC DNS records

2.5.5. DANE for SMTP

RFC 7672 introduced the ability for DNS records to declare the encryption capabilities of a mail server. Utilising DNSSEC, mail server operators are able to publish a hash of their TLS certificate, thereby mitigating the possibility of unencrypted communications.

DANE is not implement on OpenSMTPD I guess.

2.5.6. MTA-STS and SMTP TLS Reporting

SMTP MTA Strict Transport Security (MTA-STS) is a mechanism enabling mail service providers (SPs) to declare their ability to receive Transport Layer Security (TLS) secure SMTP connections and to specify whether sending SMTP servers should refuse to deliver to MX hosts that do not offer TLS with a trusted server certificate.

RFC 8460 “SMTP TLS Reporting” describes a reporting mechanism and format for sharing statistics and specific information about potential failures with recipient domains. Recipient domains can then use this information to both detect potential attacks and diagnose unintentional misconfigurations.

Please read Microsoft and / or Google articles:

• Enhancing mail flow with MTA-STS
• Increase email security with MTA-STS and TLS reporting

Turn on MTA-STS and TLS reporting:

• Create a mailbox to get reports
• Update DNS Records
• Verify MTA-STS and TLS reporting are turned on

MTA-STS policy publishing:

• Create a MTA-STS policy file (mta-sts.txt)
• Hosts it by some web server (nginx / apache)
• Verify at https://mta-sts.<domain name>/.well-known/mta-sts.txt

2.6. Behind proxy

Please read:

• PROXY protocol
• Mailserver behind Proxy
• Forwarding parameters in IMAP/POP3/LMTP/SMTP proxying

It’s a common practice we run a mail server behind a load balancer / proxy server (HAProxy, Traefik..).

We lost information about originating IP address of clients connecting to our server (through a proxy server) that needed for spam filtering.

It might be complicated in Layer 7 (something like X-Forwarded-For in HTTP protocol) but it’s possible?

Instead we can do it easy in Layer 4 with PROXY protocol which are supported by both OpenSMTPD and Dovecot.

2.6.1. HAProxy

Please read:

• HAProxy Enable the Proxy Protocol

Add send-proxy-v2 in haproxy.conf to send a Proxy Protocol version 2 header (binary format) to the backend servers.

You may want to increase timeout value for IMAP IDLE (clients using IDLE are advised to terminate the IDLE and re-issue it at least every 29 minutes).

root@proxy:~ # cat /usr/local/etc/haproxy/haproxy.conf 
global

defaults
  log global
  mode tcp
  timeout connect 10s
  timeout client 30m # keep TCP connection for IMAP IDLE
  timeout server 30m # keep TCP conectionfor IMAP IDLE

frontend rspamd
  bind :11334
  mode tcp
  default_backend rspamd

backend rspamd
  mode tcp
  server rspamd 10.0.0.2

frontend opensmtpd
  bind :25,:465,:587
  mode tcp
  default_backend opensmtpd

backend opensmtpd
  mode tcp
  server opensmtpd 10.0.0.2 send-proxy-v2

frontend dovecot
  bind :143,:993
  mode tcp
  default_backend dovecot

backend dovecot
  mode tcp
  server imap 10.0.0.2 send-proxy-v2

2.6.2. OpenSMTPD

Please read:

• OpenSMTPD PROXYv2 protocol

Add proxy-v2 to listen blocks in /usr/local/etc/mail/smtpd.conf.

# STARTTLS port 25
listen on 0.0.0.0 port 25 tls pki mail.example.com proxy-v2 filter "rspamd"
# SMTPS port 465
listen on 0.0.0.0 port 465 smtps pki mail.example.com proxy-v2 auth <credentials> filter "rspamd"
# submission port 587
listen on 0.0.0.0 port 587 tls-require pki mail.example.com proxy-v2 auth <credentials> filter "rspamd"

2.6.1. Dovecot

Please read:

• Dovecot PROXY protocol

Add haproxy_trusted_networks = "YOUR_PROXY_NETWORK" and haproxy = yes in /usr/local/etc/dovecot/conf.d/10-master.conf.

FOR EXAMPLE:

haproxy_trusted_networks = "10.0.0.0/8"

service imap-login {
  inet_listener imaps {
    haproxy = yes
  }
}

root@mailserver:~ # cat /usr/local/etc/dovecot/conf.d/10-master.conf 
#default_process_limit = 100
#default_client_limit = 1000

# Default VSZ (virtual memory size) limit for service processes. This is mainly
# intended to catch and kill processes that leak memory before they eat up
# everything.
#default_vsz_limit = 256M

# Login user is internally used by login processes. This is the most untrusted
# user in Dovecot system. It shouldn't have access to anything at all.
#default_login_user = dovenull

# Internal user is used by unprivileged processes. It should be separate from
# login user, so that login processes can't disturb other processes.
#default_internal_user = dovecot

haproxy_trusted_networks = "10.0.0.0/8"

service imap-login {
  inet_listener imap {
    #port = 143
  }
  inet_listener imaps {
    # port = 993
    # ssl = yes
    haproxy = yes
  }

  # Number of connections to handle before starting a new process. Typically
  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
  # is faster. <doc/wiki/LoginProcess.txt>
  #service_count = 1

  # Number of processes to always keep waiting for more connections.
  #process_min_avail = 0

  # If you set service_count=0, you probably need to grow this.
  #vsz_limit = $default_vsz_limit
}

service pop3-login {
  inet_listener pop3 {
    #port = 110
  }
  inet_listener pop3s {
    #port = 995
    #ssl = yes
  }
}

service submission-login {
  inet_listener submission {
    #port = 587
  }
  inet_listener submissions {
    #port = 465
  }
}

service lmtp {
  unix_listener lmtp {
    #mode = 0666
  }

  # Create inet listener only if you can't use the above UNIX socket
  #inet_listener lmtp {
    # Avoid making LMTP visible for the entire internet
    #address =
    #port = 
  #}
}

service imap {
  # Most of the memory goes to mmap()ing files. You may need to increase this
  # limit if you have huge mailboxes.
  #vsz_limit = $default_vsz_limit

  # Max. number of IMAP processes (connections)
  #process_limit = 1024
}

service pop3 {
  # Max. number of POP3 processes (connections)
  #process_limit = 1024
}

service submission {
  # Max. number of SMTP Submission processes (connections)
  #process_limit = 1024
}

service auth {
  # auth_socket_path points to this userdb socket by default. It's typically
  # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
  # full permissions to this socket are able to get a list of all usernames and
  # get the results of everyone's userdb lookups.
  #
  # The default 0666 mode allows anyone to connect to the socket, but the
  # userdb lookups will succeed only if the userdb returns an "uid" field that
  # matches the caller process's UID. Also if caller's uid or gid matches the
  # socket's uid or gid the lookup succeeds. Anything else causes a failure.
  #
  # To give the caller full permissions to lookup all users, set the mode to
  # something else than 0666 and Dovecot lets the kernel enforce the
  # permissions (e.g. 0777 allows everyone full permissions).
  unix_listener auth-userdb {
    #mode = 0666
    #user = 
    #group = 
  }

  # Postfix smtp-auth
  #unix_listener /var/spool/postfix/private/auth {
  #  mode = 0666
  #}

  # Auth process is run as this user.
  #user = $default_internal_user
}

service auth-worker {
  # Auth worker process is run as root by default, so that it can access
  # /etc/shadow. If this isn't necessary, the user should be changed to
  # $default_internal_user.
  #user = root
}

service dict {
  # If dict proxy is used, mail processes should have access to its socket.
  # For example: mode=0660, group=vmail and global mail_access_groups=vmail
  unix_listener dict {
    #mode = 0600
    #user = 
    #group = 
  }
}

2.7. Don’t know yet

We will consider a Webmail but for now we don’t need it.

We’re using some traditional Email client (MUA) like Thunderbird which speak IMAP and SMTP directly to our server.

zfs list -H -o name -t snapshot -r pool | xargs -n1 zfs holds -H

the properties will be listed as property:stuff

with that information we can free the snapshots..

zfs list -H -o name -t snapshot -r pool | xargs -n1 zfs holds -H | awk '{print $1}' | xargs -n1 zfs release property:stuff

(replace ‘property:stuff’ with whatever is holding your dataset)

..and finally delete them

zfs destroy -r [pool]/[dataset][@snapshot]

source: How to check that all ZFS snapshots within a pool are without holds before destroying that pool

There are many LDAP tutorials we found but we don’t think it’s good enough. They wrote about how deploy OpenLDAP instead of LDAP protocol itself.

LDAP is a complex topic so we can’t just install some software, It’s better if we can understand the protocol so we can using it in a proper way.

We found a book that we think it’s good. You can read it if you want to know about LDAP.

• LDAP for Rocket Scientists by ZyTrax

So we tried to mount it manually:

sudo mount /dev/sdb1 /media

It still gave an error:

Error mounting /dev/sdb1 at /media/: Command-line `mount -t "ntfs" -o "uhelper=udisks2,nodev,nosuid,uid=1000,gid=1000" "/dev/sdb1" "/media/sorin/LICENTA"' exited with non-zero exit status 13: $MFTMirr does not match $MFT (record 0).
Failed to mount '/dev/sdb1': Input/output error
NTFS is either inconsistent, or there is a hardware fault, or it's a
SoftRAID/FakeRAID hardware. In the first case run chkdsk /f on Windows
then reboot into Windows twice. The usage of the /f parameter is very
important! If the device is a SoftRAID/FakeRAID then first activate
it and mount a different device under the /dev/mapper/ directory, (e.g.
/dev/mapper/nvidia_eahaabcc1). Please see the 'dmraid' documentation
for more details.

This is how we fix:

sudo ntfsfix /dev/sdb1

Now we can mount this HDD manual but the GUI mount still not work when he plug it to the machine.

So we fix it as follow:

• Open Disks (GNOME Disks), select the external disk, Edit Mount Options.
• Disable the User Session Defaults and click OK in the Mount Options dialog box.

Then it works!