From 43919c11a05a44063fcfa22f1cbc88b59d76e119 Mon Sep 17 00:00:00 2001 From: Pekka Helenius Date: Sat, 8 Jun 2019 14:12:13 +0300 Subject: [PATCH] Multiple improvements Re-organize the repository. Improve permission model (use internal mail user to send mails). Add more instructions about how to set-up. --- README.md | 48 ++++++------- ssmtp_conf-sample/README.md | 70 ++++++++++++++----- ssmtp_conf-sample/revaliases | 2 +- .../wanchecker.sh | 6 +- wanchecker@.service => wanchecker.service | 6 +- wanchecker@.timer => wanchecker.timer | 2 +- 6 files changed, 82 insertions(+), 52 deletions(-) rename wanchecker.sh => ssmtp_conf-sample/wanchecker.sh (97%) mode change 100644 => 100755 rename wanchecker@.service => wanchecker.service (54%) rename wanchecker@.timer => wanchecker.timer (82%) diff --git a/README.md b/README.md index f4463f6..84b6cd0 100644 --- a/README.md +++ b/README.md @@ -20,9 +20,9 @@ This repository contains a systemd service file & a simple bash script to refres - Linux OS - - systemd - service file + - systemd - - [SSMTP](https://wiki.archlinux.org/index.php/SSMTP) - (SMTP) email client (package: `ssmtp` (Arch Linux), `ssmtp` (Ubuntu)) + - [sSMTP](https://wiki.archlinux.org/index.php/SSMTP) - (SMTP) email client (package: `ssmtp` (Arch Linux), `ssmtp` (Ubuntu)) - dig (package: `bind-tools` (Arch Linux), `dnsutils` (Ubuntu)) 
@@ -32,44 +32,42 @@ This repository contains a systemd service file & a simple bash script to refres ## Contents -- systemd **system** service file: `wanchecker@.service` +- systemd **system** service file: [wanchecker.service](wanchecker.service) -- systemd **system** timer file: `wanchecker@.timer` +- systemd **system** timer file: [wanchecker.timer](wanchecker.timer) -- bash script: `wanchecker.sh` +- [sSMTP sample configuration files](ssmtp_conf-sample) -## Installation + - [ssmtp.conf](ssmtp_conf-sample/ssmtp.conf) + + - [revaliases](ssmtp_conf-sample/revaliases) + + - [wanchecker.sh](ssmtp_conf-sample/wanchecker.sh) -Configuration can be splitted into two parts as follows. +## Installation & configuration -### ssmtp +**1)** Install `ssmtp` package -To-be-added +**2)** Configure files `/etc/ssmtp/revaliases` ([sample](ssmtp_conf-sample/revaliases)) and `/etc/ssmtp/ssmtp.conf` ([sample](ssmtp_conf-sample/ssmtp.conf)). More information about these files on [sSMTP Arch Wiki site](https://wiki.archlinux.org/index.php/SSMTP). -### wanip-checker +**3)** Insert [wanchecker.sh](ssmtp_conf-sample/wanchecker.sh) into `/etc/ssmtp/` folder. -**1)** Insert `wanchecker@.service` and `wanchecker@.timer` into `/usr/lib/systemd/system/` folder +**4)** Configure sSMTP as described in [sSMTP Readme file](ssmtp_conf-sample/README.md). -- WAN IP check interval is customizable in systemd timer file. Default value is `20min` - -**2)** Insert `wanchecker.sh` into your `/home/myuser/` folder (where `myuser` is your real username on your Linux system) - -**3)** Configure your email address and message form in `wanchecker.sh` file. Configure WAN IPv4 log file location (default is `$HOME`) +**5)** Insert `wanchecker.service` and `wanchecker.timer` into `/usr/lib/systemd/system/` folder -- log file is updated only when WAN IPv4 changes have been detected +- WAN IP check interval is customizable in systemd timer file. 
Default value is `20min` -**3)** Install `ssmtp`, and configure files `/etc/ssmtp/revaliases` and `/etc/ssmtp/ssmtp.conf` as described on [SSMTP Arch Wiki site](https://wiki.archlinux.org/index.php/SSMTP). +- This log file is updated only when WAN IPv4 changes have been detected -**4)** Run (as root or with `sudo) +**6)** Run (as root or with `sudo`) ``` -systemctl enable wanchecker@my_system_username.timer && \ -systemctl start wanchecker@my_system_username.timer +systemctl enable wanchecker.timer && \ +systemctl start wanchecker.timer ``` -where `my_system_username` refers to your true username on your Linux system. - ## Images When server computer discovers a change in its WAN IPv4, it automatically sends an email notification to system administrator(s): @@ -84,9 +82,9 @@ Additionally, server computer keeps a log file which include WAN IPv4 changes an - `systemctl --all list-timers` = list all system timers on Linux system, including `wanchecker` -- `systemctl is-active wanchecker@my_system_username.timer` = tells whether wanchecker is running or not +- `systemctl is-active wanchecker.timer` = tells whether `wanchecker` is running or not -- `systemctl status wanchecker@my_system_username.timer` = more compherensive output about the status of `wanchecker` +- `systemctl status wanchecker.timer` = more compherensive output about the status of `wanchecker` ## License diff --git a/ssmtp_conf-sample/README.md b/ssmtp_conf-sample/README.md index 779c35c..c4aa61f 100644 --- a/ssmtp_conf-sample/README.md +++ b/ssmtp_conf-sample/README.md 
@@ -1,26 +1,28 @@ ## sSMTP system pre-configuration -Once you have installed sSMTP on your Linux system, make sure the following applies. Run the configuration commands as root or with `sudo` prefix. +Once you have installed sSMTP on your Linux system, make sure the following applies. Run these configuration commands as root or with `sudo`. ---------- -Symbolic link from `/usr/bin/ssmtp` to `/usr/bin/sendmail`: +**1)** Create symbolic link from `/usr/bin/ssmtp` to `/usr/bin/sendmail` exists: ``` ln -s /usr/bin/ssmtp /usr/bin/sendmail ``` -``` Test: - > stat -c "%A %a %U:%G %N" /usr/bin/sendmail +``` +> stat -c "%A %a %U:%G %N" /usr/bin/sendmail - lrwxrwxrwx 777 root:root /usr/bin/sendmail -> ssmtp + lrwxrwxrwx 777 root:root /usr/bin/sendmail -> ssmtp ``` ---------- -User & group mail exists, directory /`var/spool/mail` exists: +**NOTE:** User & group `mail` are defined on Arch Linux by default, preinstalled with `filesystem` package. If they do not exist, then do the following. + +**2)** Make sure user & group `mail` exists, and directory /`var/spool/mail` exists with proper permissions: ``` mkdir -p /var/spool/mail 
@@ -30,36 +32,66 @@ groupadd -g 12 mail useradd -r -d /var/spool/mail -s /sbin/nologin -u 12 -g 12 mail ``` -``` Test: +``` + ----- - > sudo stat -c "%A %a %U:%G %n" /var/spool/mail +> sudo stat -c "%A %a %U:%G %n" /var/spool/mail - drwxrwxrwt 1777 root:root /var/spool/mail + drwxrwxrwt 1777 root:root /var/spool/mail ----- - > grep mail /etc/passwd +> grep mail /etc/passwd - mail:x:12:12::/var/spool/mail:/sbin/nologin + mail:x:12:12::/var/spool/mail:/sbin/nologin ----- - > grep mail /etc/group +> grep mail /etc/group - mail:x:12: + mail:x:12: ``` ## sSMTP configuration files -Once you have sSMTP installed on your Linux system, insert [ssmtp.conf](ssmtp.conf), [revaliases](revaliases) and [wanchecker.sh](wanchecker.sh) into `/etc/ssmtp/` folder. These files should have following permissions: +Once you have sSMTP installed on your Linux system, configure [ssmtp.conf](ssmtp.conf) and [revaliases](revaliases) in `/etc/ssmtp/` folder. + +## Mail message formatting & email address + +Configure your message defined in [wanchecker.sh](wanchecker.sh) file. + +`wanchecker.sh` variables: + +| Variable | Value | Type | +|------------------|-----------------------------------------------------------------------------|------------| +| EMAIL_SENDER | Sender's address | String | +| EMAIL_RECIPIENTS | Email recipients. Multiple allowed | Bash array | +| SUBJECT_EMAIL | Email title | String | +| MESSAGE_EMAIL | Email message contents | String | +| MESSAGE_STDOUT | Internal Linux system message about sent email message | String | +| WANIP_DIR | Log file directory path. User `mail` must have write access to this folder. | String | +| WANIP_LOG | Log file name | String | + +**NOTE:** At minimum, you should configure proper email addresses in variables `EMAIL_SENDER` and `EMAIL_RECIPIENTS`. `EMAIL_SENDER` takes same value as defined in `/etc/ssmtp/ssmtp.conf` ([sample](ssmtp.conf)) and `/etc/ssmtp/revaliases` ([sample](revaliases)) files. 
+ +## Folder & file permissions + +Permissions for `/etc/ssmtp` folder should be: ``` -> stat -c "%A %a %U:%G %n" /etc/ssmtp/* +> stat -c "%A %a %U:%G %n" /etc/ssmtp --rw-r----- 640 root:mail /etc/ssmtp/revaliases --rw-r----- 640 root:mail /etc/ssmtp/ssmtp.conf --rwxr-x--- 750 root:mail /etc/ssmtp/wanchecker.sh + drwxr-x--- 750 root:mail /etc/ssmtp +``` + +Contents of `/etc/ssmtp/` folder should contain the following files & permissions: + +``` +> stat -c "%A %a %U:%G %n" /etc/ssmtp/* + -rw-r----- 640 root:mail /etc/ssmtp/revaliases + -rw-r----- 640 root:mail /etc/ssmtp/ssmtp.conf + -rwxr-x--- 750 root:mail /etc/ssmtp/wanchecker.sh ``` -where group `mail` refers to Arch Linux mail group, preinstalled with `filesystem` package. \ No newline at end of file +**NOTE:** As `/etc/ssmtp/ssmtp.conf` contains a _clear-text email password_, the file must be protected from any eavesdropping with correct permission policy! The file must not be readable to any other than `mail` user, and `mail` user must not be available for normal usage. Still, any `sudo` group member can access the file, so make sure `sudo` group does not contain hostile or unwanted members, and configure your `/etc/sudoers` file properly. diff --git a/ssmtp_conf-sample/revaliases b/ssmtp_conf-sample/revaliases index 0e32b4f..1f520e2 100644 --- a/ssmtp_conf-sample/revaliases +++ b/ssmtp_conf-sample/revaliases @@ -5,4 +5,4 @@ # Example: root:your_login@your.domain:mailhub.your.domain[:port] # where [:port] is an optional port number that defaults to 25. -my_system_username:mailsender@foo.com:smtp.live.com:587 \ No newline at end of file +mail:mailsender@foo.com:smtp.live.com:587 diff --git a/wanchecker.sh b/ssmtp_conf-sample/wanchecker.sh old mode 100644 new mode 100755 similarity index 97% rename from wanchecker.sh rename to ssmtp_conf-sample/wanchecker.sh index 58f6164..5ddac11 --- a/wanchecker.sh +++ b/ssmtp_conf-sample/wanchecker.sh 
@@ -27,7 +27,7 @@ # Script requirements # -# SSMTP +# sSMTP # https://wiki.archlinux.org/index.php/SSMTP # Relevant conf files @@ -81,10 +81,10 @@ function checkWANIP { ############################ # Cache/Log directory of the script - local WANIP_DIR="$HOME" + local WANIP_DIR="/var/spool/mail" # Log file for checked/resolved IPv4 WAN addresses - local WANIP_LOG="$WANIP_DIR/.ip_wan.log" + local WANIP_LOG="$WANIP_DIR/ip_wan.log" if [[ ! -d "${WANIP_DIR}" ]]; then mkdir -p "${WANIP_DIR}" diff --git a/wanchecker@.service b/wanchecker.service similarity index 54% rename from wanchecker@.service rename to wanchecker.service index fedddd1..eb5f2ca 100644 --- a/wanchecker@.service +++ b/wanchecker.service @@ -1,9 +1,9 @@ -# Should be placed to /usr/lib/systemd/user/ +# Should be placed to /usr/lib/systemd/system/ [Unit] Description=WAN IPv4 checker & email sender for dynamic IPv4 server environments After=network-online.target [Service] -User=%i -ExecStart=/usr/bin/bash /home/%i/wanchecker.sh \ No newline at end of file +User=mail +ExecStart=/usr/bin/bash /etc/ssmtp/wanchecker.sh diff --git a/wanchecker@.timer b/wanchecker.timer similarity index 82% rename from wanchecker@.timer rename to wanchecker.timer index 587f929..ce3b7b5 100644 --- a/wanchecker@.timer +++ b/wanchecker.timer @@ -1,4 +1,4 @@ -# Should be placed to /usr/lib/systemd/user/ +# Should be placed to /usr/lib/systemd/system/ # https://wiki.archlinux.org/index.php/Systemd/Timers
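Review bot: In the top-level README.md installation hunk (`@@ -32,44 +32,42 @@`), the added bullet "This log file is updated only when WAN IPv4 changes have been detected" under step 5 has no antecedent, because the sentence that introduced the log file (old step 3, "Configure WAN IPv4 log file location") is removed in the same hunk. Name the file explicitly, for example by referring to `WANIP_DIR` and `WANIP_LOG` in `wanchecker.sh`. Step 5 also keeps installing the units into `/usr/lib/systemd/system/`, which is the location for package-managed units; for a manual install, `/etc/systemd/system/` is the conventional place.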
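Review bot: In the last README.md hunk (`@@ -84,9 +82,9 @@`), the rewritten `systemctl status wanchecker.timer` line still carries the typo "compherensive"; since the line is being touched anyway, correct it to "comprehensive".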
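Review bot: In the first ssmtp_conf-sample/README.md hunk (`@@ -1,26 +1,28 @@`), the new step 1 heading reads "Create symbolic link from `/usr/bin/ssmtp` to `/usr/bin/sendmail` exists:", which mixes the old "make sure it exists" wording with the new imperative; drop the trailing "exists". The new step 2 line also carries over the misplaced backtick in "/`var/spool/mail`", which should be `/var/spool/mail`. The added NOTE says the following commands apply only if user and group `mail` do not exist, but step 2 then begins with "Make sure ... exists", so it would help to state which of the commands are conditional.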
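Review bot: In the second ssmtp_conf-sample/README.md hunk (`@@ -30,36 +32,66 @@`), the closing NOTE says `ssmtp.conf` "must not be readable to any other than `mail` user", but the listing above it shows `-rw-r----- 640 root:mail`, so read access is granted through the `mail` group, not the `mail` user. Any other account that is a member of group `mail` can therefore read the clear-text password. Reword the NOTE to say "group `mail`" and add a check that the group has no unexpected members, in the same way the NOTE already asks for the `sudo` group.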
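Review bot: In the `checkWANIP` hunk of ssmtp_conf-sample/wanchecker.sh (`@@ -81,10 +81,10 @@`), `WANIP_DIR="/var/spool/mail"` places the log in a directory that the README in this same patch shows as `drwxrwxrwt 1777 root:root`, which is world-writable with the sticky bit. With a fixed name such as `ip_wan.log`, any local user can create that path first (as a file or a symlink), and because of the sticky bit the `mail` user cannot remove or replace an entry it does not own. Use a directory owned by `mail` and not writable by others, for example `StateDirectory=wanchecker` in the service unit with `WANIP_DIR` pointing at `/var/lib/wanchecker`, and have the script refuse to write if the log path is a symlink.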
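Review bot: In wanchecker.service (`@@ -1,9 +1,9 @@`), the `[Service]` section now runs as `User=mail` from `/etc/ssmtp/`, the directory holding the SMTP password, yet sets no sandboxing options. Consider `NoNewPrivileges=yes`, `PrivateTmp=yes` and `ProtectSystem=strict` with a `ReadWritePaths=` entry for the log directory. Two smaller points in the same unit: `After=network-online.target` is ordering only and needs a matching `Wants=network-online.target` to pull that target in, and a script started by a timer is normally declared `Type=oneshot`, which is not set here.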