Compare commits
No commits in common. "624fce055a4eaf997540968d89e9b3bdffa3376d" and "2bfd2e9efaac3659e60ed3e432ee1dd0686a6d5a" have entirely different histories.
624fce055a
...
2bfd2e9efa
@ -1,4 +1,4 @@
|
|||||||
# lemniskett.moe
|
# lemniskett.dev
|
||||||
|
|
||||||
_yet another personal website._
|
_yet another personal website._
|
||||||
|
|
||||||
|
@ -18,9 +18,9 @@ Here you can find stuffs that I learned that made my life easier. Feel free to c
|
|||||||
|
|
||||||
[Pleroma](https://lemniskett.space/users/lemniskett)
|
[Pleroma](https://lemniskett.space/users/lemniskett)
|
||||||
|
|
||||||
[E-mail](mailto:syahrial@lemniskett.moe)
|
[E-mail](mailto:syahrial@lemniskett.dev)
|
||||||
|
|
||||||
>All my emails are digitally signed with PGP key: [24260130A908EB5A](/pgp.txt). Do not trust emails from me that lack a valid digital signature.
|
>All my emails are digitally signed with PGP key: [4325F99CF01AB846](/pgp.txt). Do not trust emails from me that lack a valid digital signature.
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
<summary>Importing my public key</summary>
|
<summary>Importing my public key</summary>
|
||||||
|
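Review bot: The signature notice at the end of this hunk identifies the key only by its 16-digit key ID (`4325F99CF01AB846`), and that ID changes from `24260130A908EB5A` in the same change that moves the contact address to `lemniskett.dev`. Because the notice tells readers to distrust mail without a valid signature, print the full fingerprint next to the `/pgp.txt` link so it can be compared after import, and add a sentence on the status of the previous key so correspondents who already imported it know it has been replaced.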
After Width: | Height: | Size: 65 KiB |
BIN
content/blog/bas-using-infection-monkey/images/cover.webp
Normal file
After Width: | Height: | Size: 52 KiB |
After Width: | Height: | Size: 26 KiB |
BIN
content/blog/bas-using-infection-monkey/images/step1-2.webp
Normal file
After Width: | Height: | Size: 446 KiB |
BIN
content/blog/bas-using-infection-monkey/images/step1.webp
Normal file
After Width: | Height: | Size: 66 KiB |
BIN
content/blog/bas-using-infection-monkey/images/step10.webp
Normal file
After Width: | Height: | Size: 216 KiB |
BIN
content/blog/bas-using-infection-monkey/images/step11-2.webp
Normal file
After Width: | Height: | Size: 70 KiB |
BIN
content/blog/bas-using-infection-monkey/images/step11.webp
Normal file
After Width: | Height: | Size: 66 KiB |
BIN
content/blog/bas-using-infection-monkey/images/step2.webp
Normal file
After Width: | Height: | Size: 5.1 KiB |
BIN
content/blog/bas-using-infection-monkey/images/step3-2.webp
Normal file
After Width: | Height: | Size: 22 KiB |
BIN
content/blog/bas-using-infection-monkey/images/step3-3.webp
Normal file
After Width: | Height: | Size: 55 KiB |
BIN
content/blog/bas-using-infection-monkey/images/step3.webp
Normal file
After Width: | Height: | Size: 29 KiB |
BIN
content/blog/bas-using-infection-monkey/images/step4.webp
Normal file
After Width: | Height: | Size: 114 KiB |
BIN
content/blog/bas-using-infection-monkey/images/step5-2.webp
Normal file
After Width: | Height: | Size: 60 KiB |
BIN
content/blog/bas-using-infection-monkey/images/step5.webp
Normal file
After Width: | Height: | Size: 24 KiB |
BIN
content/blog/bas-using-infection-monkey/images/step6-2.webp
Normal file
After Width: | Height: | Size: 45 KiB |
BIN
content/blog/bas-using-infection-monkey/images/step6-3.webp
Normal file
After Width: | Height: | Size: 33 KiB |
BIN
content/blog/bas-using-infection-monkey/images/step6-4.webp
Normal file
After Width: | Height: | Size: 65 KiB |
BIN
content/blog/bas-using-infection-monkey/images/step6-5.webp
Normal file
After Width: | Height: | Size: 64 KiB |
BIN
content/blog/bas-using-infection-monkey/images/step6.webp
Normal file
After Width: | Height: | Size: 171 KiB |
BIN
content/blog/bas-using-infection-monkey/images/step7-2.webp
Normal file
After Width: | Height: | Size: 53 KiB |
BIN
content/blog/bas-using-infection-monkey/images/step7-3.webp
Normal file
After Width: | Height: | Size: 66 KiB |
BIN
content/blog/bas-using-infection-monkey/images/step7.webp
Normal file
After Width: | Height: | Size: 29 KiB |
BIN
content/blog/bas-using-infection-monkey/images/step8-2.webp
Normal file
After Width: | Height: | Size: 43 KiB |
BIN
content/blog/bas-using-infection-monkey/images/step8.webp
Normal file
After Width: | Height: | Size: 43 KiB |
BIN
content/blog/bas-using-infection-monkey/images/step9.webp
Normal file
After Width: | Height: | Size: 59 KiB |
274
content/blog/bas-using-infection-monkey/index.md
Normal file
@ -0,0 +1,274 @@
|
|||||||
|
---
|
||||||
|
title: "Breach and Attack Simulation (BAS) using Infection Monkey"
|
||||||
|
description: "The Infection Monkey is an open source security tool for testing a data center's resiliency to perimeter breaches and internal server infection. The Monkey uses various methods to self propagate across a data center and reports success to a centralized Monkey Island server."
|
||||||
|
summary: "The Infection Monkey is an open source security tool for testing a data center's resiliency to perimeter breaches and internal server infection. The Monkey uses various methods to self propagate across a data center and reports success to a centralized Monkey Island server."
|
||||||
|
date: 2023-09-29T11:40:41+07:00
|
||||||
|
draft: false
|
||||||
|
author: "Hiiruki" # ["Me", "You"] # multiple authors
|
||||||
|
tags: ["infection-monkey", "breach-and-attack-simulation", "linux", "tutorial", "server", "security", "pentest", "penetration-testing", "bas", "monkey-island", "offensive-security", "cybersecurity", "red-team", "blue-team", "purple-team", "security-automation", "security-tools", " adversary-emulation", "infection-monkey"]
|
||||||
|
canonicalURL: ""
|
||||||
|
showToc: true
|
||||||
|
TocOpen: false
|
||||||
|
TocSide: 'right' # or 'left'
|
||||||
|
# weight: 1
|
||||||
|
# aliases: ["/first"]
|
||||||
|
hidemeta: false
|
||||||
|
comments: false
|
||||||
|
disableHLJS: true # to disable highlightjs
|
||||||
|
disableShare: true
|
||||||
|
hideSummary: false
|
||||||
|
searchHidden: false
|
||||||
|
ShowReadingTime: true
|
||||||
|
ShowBreadCrumbs: true
|
||||||
|
ShowPostNavLinks: true
|
||||||
|
ShowWordCount: true
|
||||||
|
ShowRssButtonInSectionTermList: true
|
||||||
|
# UseHugoToc: true
|
||||||
|
cover:
|
||||||
|
image: "images/cover.webp" # image path/url
|
||||||
|
alt: "Cover: Breach and Attack Simulation Workflow" # alt text
|
||||||
|
caption: "Breach and Attack Simulation Workflow | [Dig8Labs](https://www.dig8labs.com/offensive-security/breach-and-attack-simulation/) " # display caption under cover
|
||||||
|
relative: false # when using page bundles set this to true
|
||||||
|
hidden: false # only hide on current single page
|
||||||
|
# editPost:
|
||||||
|
# URL: "https://github.com/hiiruki/hiiruki.dev/tree/main/content/blog/bas-using-infection-monkey/index.md"
|
||||||
|
# Text: "Suggest Changes" # edit text
|
||||||
|
# appendFilePath: true # to append file path to Edit link
|
||||||
|
---
|
||||||
|
|
||||||
|
## Introduction
|
||||||
|
|
||||||
|
Breach and Attack Simulation (BAS) is an advanced and state-of-the-art computer security testing method that helps identify vulnerabilities or loopholes in security environments and set-ups by mimicking the likely attack paths and techniques used by threat actors. It is a safe and controlled way to test the security posture of an organization and its ability to detect and respond to attacks. It is also known as a Purple Team exercise. The goal of BAS is to identify the gaps in the security posture of an organization and to provide actionable insights to improve the security posture. It is a continuous process and should be performed regularly to ensure that the security posture of an organization is up to date and can withstand the latest threats.
|
||||||
|
|
||||||
|
The [Infection Monkey](https://github.com/guardicore/monkey) is an open source security tool for testing a data center's resiliency to perimeter breaches and internal server infection. The Monkey uses various methods to self propagate across a data center and reports success to a centralized Monkey Island server. This is a great tool for testing the security of your network and servers. It is also a great tool for learning about network security and penetration testing.
|
||||||
|
|
||||||
|
The Monkey is consists of three components:
|
||||||
|
|
||||||
|
- Infection Monkey: Self propagation tool
|
||||||
|
- Monkey Island: Command and Control (C&C) server
|
||||||
|
- Monkey Business: Integrates with orchestration
|
||||||
|
|
||||||
|
![Monkey Components](./images/monkey_components.webp#center)
|
||||||
|
|
||||||
|
## Scenario
|
||||||
|
|
||||||
|
In this tutorial, we will use the Infection Monkey to test the security of a network. We will use the Monkey to infect a server and then use the Monkey to infect other servers on the network.
|
||||||
|
|
||||||
|
My setup is as follows:
|
||||||
|
|
||||||
|
- Kali Linux 2023.3 with Infection Monkey (Attacker)
|
||||||
|
- CentOS 7 (Victim)
|
||||||
|
- IBM QRadar Community Edition (SIEM)
|
||||||
|
|
||||||
|
See the diagram below for a visual representation of the setup:
|
||||||
|
|
||||||
|
![Attack Diagram](./images/attack_diagram.webp#center)
|
||||||
|
|
||||||
|
## Steps
|
||||||
|
|
||||||
|
### 1. Install Infection Monkey
|
||||||
|
|
||||||
|
You can download the Infection Monkey from the [official website](https://www.guardicore.com/infectionmonkey/). You can also install it from the [GitHub repository](https://github.com/guardicore/monkey). The Infection Monkey is available for Windows, Linux, Docker, AWS, and Azure. In this case I downloaded the Linux version from the GitHub repository.
|
||||||
|
|
||||||
|
![Download Infection Monkey](./images/step1.webp#center)
|
||||||
|
|
||||||
|
Download the Infection Monkey AppImage from the GitHub repository:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
wget https://github.com/guardicore/monkey/releases/download/v2.3.0/InfectionMonkey-v2.3.0.AppImage --no-check-certificate
|
||||||
|
```
|
||||||
|
|
||||||
|
![Download Infection Monkey AppImage](./images/step1-2.webp#center)
|
||||||
|
|
||||||
|
`--no-check-certificate` is used to bypass the SSL certificate check. This is useful if you are using a self-signed certificate.
|
||||||
|
|
||||||
|
### 2. Make the AppImage executable
|
||||||
|
|
||||||
|
Make the AppImage executable with the following command:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
chmod u+x InfectionMonkey-v2.3.0.AppImage
|
||||||
|
```
|
||||||
|
|
||||||
|
chmod u+x is used to make the AppImage executable for the current user.
|
||||||
|
|
||||||
|
![Make the AppImage executable](./images/step2.webp#center)
|
||||||
|
|
||||||
|
### 3. Run the AppImage
|
||||||
|
|
||||||
|
Start Monkey Island by running the Infection Monkey AppImage package:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
./InfectionMonkey-v2.3.0.AppImage
|
||||||
|
```
|
||||||
|
|
||||||
|
If you get errors related to FUSE, you may need to install FUSE 2.X first:
|
||||||
|
|
||||||
|
![FUSE error](./images/step3.webp#center)
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo apt update
|
||||||
|
sudo apt install libfuse2
|
||||||
|
```
|
||||||
|
|
||||||
|
![Install FUSE 2.X](./images/step3-2.webp#center)
|
||||||
|
|
||||||
|
Docs: [Fuse Troubleshooting](https://docs.appimage.org/user-guide/troubleshooting/fuse.html)
|
||||||
|
|
||||||
|
> **Note:** If the error still occurs, you may need to redownload the AppImage it may be corrupted.
|
||||||
|
|
||||||
|
Then run the AppImage again:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
./InfectionMonkey-v2.3.0.AppImage
|
||||||
|
```
|
||||||
|
|
||||||
|
![Run the AppImage](./images/step3-3.webp#center)
|
||||||
|
|
||||||
|
### 4. Access Infection Monkey web UI
|
||||||
|
|
||||||
|
Open your browser and go to `https://localhost:5000` to access the Infection Monkey web UI.
|
||||||
|
|
||||||
|
> **Note:** If you are using a self-signed certificate, you will get a warning message. Click on the Advanced button and then click on the Proceed to localhost (unsafe) link or click on the Accept the Risk and Continue button if you are using Firefox.
|
||||||
|
|
||||||
|
![Browser Warning](./images/step4.webp#center)
|
||||||
|
|
||||||
|
### 5. Register a new user
|
||||||
|
|
||||||
|
The account registration page will appear. Enter your username and password and click on the `Let's go!` button to register a new user.
|
||||||
|
This account will be used to log in to Monkey Island and to import/export Monkey Island configuration.
|
||||||
|
|
||||||
|
![Register a new user](./images/step5.webp#center)
|
||||||
|
|
||||||
|
Infection Monkey Dashboard
|
||||||
|
|
||||||
|
![Infection Monkey Dashboard](./images/step5-2.webp#center)
|
||||||
|
|
||||||
|
### 6. Configure the Infection Monkey
|
||||||
|
|
||||||
|
Click on the `Configuration` or `Configure Monkey` button to configure the Infection Monkey.
|
||||||
|
|
||||||
|
![Configure the Infection Monkey](./images/step6.webp#center)
|
||||||
|
|
||||||
|
You can configure the Propagation, Payloads, Credentials collectors, Masquerade, Polymorphism, Advanced, Exploiters, Network analysis, Credentials, and the General tab from the Configuration page. Configure the Infection Monkey according to your needs.
|
||||||
|
|
||||||
|
In this tutorial, we will configure the Infection Monkey to use the SSH Exploiter (Attempts a brute-force attack against SSH using known credentials, including SSH keys).
|
||||||
|
|
||||||
|
Enable the SSH Exploiter from the `Exploiters` tab.
|
||||||
|
|
||||||
|
![Configure the Infection Monkey](./images/step6-2.webp#center)
|
||||||
|
|
||||||
|
Configure the credentials from the `Credentials` tab. This will be used by the SSH Exploiter to brute-force the SSH server.
|
||||||
|
|
||||||
|
![Configure the Infection Monkey](./images/step6-3.webp#center)
|
||||||
|
|
||||||
|
You can enable the `Scan Agent's networks` from the `Network analysis` tab. This will allow the Infection Monkey to scan the network for other machines to infect.
|
||||||
|
|
||||||
|
![Configure the Infection Monkey](./images/step6-4.webp#center)
|
||||||
|
|
||||||
|
If the exploiter or the payload are not there, you can install them from the `Plugins` tab.
|
||||||
|
|
||||||
|
![Install Plugins](./images/step6-5.webp#center)
|
||||||
|
|
||||||
|
If you are done configuring the Infection Monkey, click on the `Submit` button to save the configuration.
|
||||||
|
|
||||||
|
### 7. Start the Infection Monkey
|
||||||
|
|
||||||
|
Go to the `Run Monkey` section and click on the `From Island` button to start the Infection Monkey to start the Monkey from the Monkey Island server.
|
||||||
|
|
||||||
|
![Start the Infection Monkey](./images/step7.webp#center)
|
||||||
|
|
||||||
|
Or you can run the Infection Monkey on other machines by clicking on the `Manual` button and selecting the operating system of the machine you want to run the Infection Monkey on.
|
||||||
|
|
||||||
|
Linux:
|
||||||
|
|
||||||
|
![Start the Infection Monkey on Linux](./images/step7-2.webp#center)
|
||||||
|
|
||||||
|
Windows:
|
||||||
|
|
||||||
|
![Start the Infection Monkey on Windows](./images/step7-3.webp#center)
|
||||||
|
|
||||||
|
### 8. View the Infection Map
|
||||||
|
|
||||||
|
Go to the `Infection Map` section to view the Infection Map.
|
||||||
|
|
||||||
|
![View the Infection Map](./images/step8.webp#center)
|
||||||
|
|
||||||
|
![View the Infection Map](./images/step8-2.webp#center)
|
||||||
|
|
||||||
|
You can see the Infection Map of the Infection Monkey. The Infection Monkey has infected the `CentOS 7` server and the `IBM QRadar Community Edition` server.
|
||||||
|
|
||||||
|
The network consists of 3 machines:
|
||||||
|
|
||||||
|
- Kali Linux 2023.3 with Infection Monkey (Attacker) with IP address `192.168.211.130`
|
||||||
|
- CentOS 7 (Victim) with IP address `192.168.211.128`
|
||||||
|
- IBM QRadar Community Edition (SIEM) with IP address `192.168.211.129`
|
||||||
|
|
||||||
|
> **Note:** The Windows machine shown in the Infection Map is not part of the network. It is ther
|
||||||
|
|
||||||
|
### 9. View the Events
|
||||||
|
|
||||||
|
Go to the `Events` section to view the Agent Events.
|
||||||
|
|
||||||
|
![View the Events](./images/step9.webp#center)
|
||||||
|
|
||||||
|
### 10. Monitor the Attack using a SIEM
|
||||||
|
|
||||||
|
In this tutorial, I will use IBM QRadar Community Edition as the SIEM. You can use other SIEMs such as Splunk, Elastic Stack, ArcSight, AlienVault, Azure Sentinel, etc.
|
||||||
|
|
||||||
|
![IBM QRadar Community Edition](./images/step10.webp#center)
|
||||||
|
|
||||||
|
You can see the Infection Monkey has infected the `CentOS 7` server and the `IBM QRadar Community Edition` server using the SSH Exploiter.
|
||||||
|
|
||||||
|
### 11. View the Security Reports
|
||||||
|
|
||||||
|
You can also export the Security Reports to a PDF file or print it.
|
||||||
|
|
||||||
|
![View the Security Reports](./images/step11.webp#center)
|
||||||
|
|
||||||
|
![View the Security Reports](./images/step11-2.webp#center)
|
||||||
|
|
||||||
|
## Conclusion
|
||||||
|
|
||||||
|
In this tutorial, we have learned how to use the Infection Monkey to test the security of a network. We have also learned how to use the Infection Monkey to infect a server and then use the Infection Monkey to infect other servers on the network.
|
||||||
|
|
||||||
|
The Infection Monkey is a great tool for testing the security of your network and servers. It is also a great tool for learning about network security and penetration testing.
|
||||||
|
|
||||||
|
Some of the advantages of using the Infection Monkey are:
|
||||||
|
|
||||||
|
1) Resilience testing
|
||||||
|
- Simulates a real attacker
|
||||||
|
- Propagate in-depth
|
||||||
|
2) Scale
|
||||||
|
- "Pentester" in every VLAN
|
||||||
|
- Full coverage
|
||||||
|
3) Automated tool
|
||||||
|
- Continuous execution
|
||||||
|
- Easy to use
|
||||||
|
4) Open source
|
||||||
|
- Free
|
||||||
|
- Community support
|
||||||
|
5) Integration
|
||||||
|
- Monkey Business
|
||||||
|
- Monkey Island API
|
||||||
|
6) Reporting
|
||||||
|
- Security reports
|
||||||
|
- Security events
|
||||||
|
7) Safe testing
|
||||||
|
- Safely test your network or servers
|
||||||
|
- The Infection Monkey is designed to be 100 percent safe, with no reconnaissance or propagation features that can impact server or network stability.
|
||||||
|
|
||||||
|
## References
|
||||||
|
|
||||||
|
- [Infection Monkey Documentation](https://techdocs.akamai.com/infection-monkey/docs/setting-up-infection-monkey)
|
||||||
|
- [Unleash the Infection Monkey: A Modern Alternative to Pen-Tests @ Black Hat USA 2016](https://youtu.be/M_kJ7zfAagc?si=OwghlC4wSKTG_7yB)
|
||||||
|
- [Making Breach & Attack Simulation Accessible and Actionable with Infection Monkey by Shay Nehmad @ Red Team Village](https://youtu.be/gOS1c375Hbg?si=iuuJ_5zhggbU4pm-)
|
||||||
|
- [Tutorial: Breach and Attack Simulation (BAS) with Infection Monkey by Semi Yulianto @ YouTube](https://youtu.be/ZJDAtFEI2g4?si=OimumknAtm6q5AHX)
|
||||||
|
- [Integrating Adversary Emulation using Infection Monkey with Azure Sentinel by Sartaj Ahmed Shaik @ Medium](https://tajsecguy.medium.com/integrating-adversary-emulation-using-infection-monkey-with-azure-sentinel-2ddf933a7af6)
|
||||||
|
- [Breach & Attack Simulation – What is that? by Priyank Gahlot @ LinkedIn](https://www.linkedin.com/pulse/breach-attack-simulation-what-priyank-gahlot)
|
||||||
|
- [Difference Between Breach and Attack Simulation(BAS), Red teaming, and VAPT by Raghav S. @ LinkedIn](https://www.linkedin.com/pulse/difference-between-breach-attack-simulationbas-red-teaming-raghav-som)
|
||||||
|
- [Automated Breach and Attack Simulation by Renier Steyn @ LinkedIn](https://www.linkedin.com/pulse/automated-breach-attack-simulation-renier-steyn)
|
||||||
|
- [Infection monkey - Automated Penetration Testing and Breach-Attack Simulation by Motasem Hamdan @ YouTube](https://youtu.be/qy6RqCPLV8Y?si=0m_U06ZP8UVThVFC)
|
||||||
|
- [Fuse Troubleshooting @ AppImage Docs](https://docs.appimage.org/user-guide/troubleshooting/fuse.html)
|
||||||
|
- [Breach and attack simulation (BAS) @ Wikipedia](https://en.wikipedia.org/wiki/Breach_and_attack_simulation)
|
||||||
|
- [Breach and Attack Simulation (BAS) @ dig8labs](https://www.dig8labs.com/offensive-security/breach-and-attack-simulation/)
|
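Review bot: Step 1 fetches the AppImage with `wget ... --no-check-certificate`, and steps 2 and 3 then mark it executable and run it, so the binary is downloaded without TLS verification and executed unchecked. The explanation given ("useful if you are using a self-signed certificate") does not fit a download from `github.com`; drop the flag, repair the CA store on the lab machine if the download fails, and compare the file against the project's published checksum before `chmod u+x`. Smaller points in the same file: the note under the machine list in step 8 is cut off at "It is ther", "The Monkey is consists of" should read "The Monkey consists of", step 7 repeats itself ("to start the Infection Monkey to start the Monkey"), and the `tags` list carries `"infection-monkey"` twice plus a leading space in `" adversary-emulation"`.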
@ -30,6 +30,10 @@ cover:
|
|||||||
caption: "<text>" # display caption under cover
|
caption: "<text>" # display caption under cover
|
||||||
relative: false # when using page bundles set this to true
|
relative: false # when using page bundles set this to true
|
||||||
hidden: true # only hide on current single page
|
hidden: true # only hide on current single page
|
||||||
|
# editPost:
|
||||||
|
# URL: "https://github.com/hiiruki/hiiruki.dev/blob/main/writeups/GSP101/index.md"
|
||||||
|
# Text: "Suggest Changes" # edit text
|
||||||
|
# appendFilePath: true # to append file path to Edit link
|
||||||
---
|
---
|
||||||
|
|
||||||
Hello World!
|
Hello World!
|
||||||
|
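Review bot: The commented `editPost` URL added here is hard-coded to a single post, `.../hiiruki.dev/blob/main/writeups/GSP101/index.md`, while the surrounding lines are placeholders (`caption: "<text>"`, body `Hello World!`). If this file is a template for new pages, as those placeholders suggest, uncommenting the block later would give every page a "Suggest Changes" link to that one file; use a placeholder or the repository base path together with `appendFilePath: true` instead.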
Before Width: | Height: | Size: 142 KiB |
Before Width: | Height: | Size: 187 KiB |
Before Width: | Height: | Size: 43 KiB |
Before Width: | Height: | Size: 34 KiB |
Before Width: | Height: | Size: 137 KiB |
Before Width: | Height: | Size: 152 KiB |
Before Width: | Height: | Size: 113 KiB |
Before Width: | Height: | Size: 148 KiB |
Before Width: | Height: | Size: 68 KiB |
Before Width: | Height: | Size: 202 KiB |
Before Width: | Height: | Size: 149 KiB |
Before Width: | Height: | Size: 69 KiB |
Before Width: | Height: | Size: 141 KiB |
Before Width: | Height: | Size: 90 KiB |
@ -1,132 +0,0 @@
|
|||||||
---
|
|
||||||
title: "Mail Failover with Cloudflare Email Routing"
|
|
||||||
description: "For the peace of mind of mail self-hosters."
|
|
||||||
summary: "For the peace of mind of mail self-hosters."
|
|
||||||
date: 2023-10-10T11:58:53+07:00
|
|
||||||
draft: false
|
|
||||||
author: "Lemniskett"
|
|
||||||
tags: ["cloudflare", "email", "self-host"]
|
|
||||||
canonicalURL: ""
|
|
||||||
showToc: true
|
|
||||||
TocOpen: false
|
|
||||||
TocSide: 'right' # or 'left'
|
|
||||||
hidemeta: false
|
|
||||||
comments: false
|
|
||||||
disableHLJS: true # to disable highlightjs
|
|
||||||
disableShare: true
|
|
||||||
hideSummary: false
|
|
||||||
searchHidden: false
|
|
||||||
ShowReadingTime: true
|
|
||||||
ShowBreadCrumbs: true
|
|
||||||
ShowPostNavLinks: true
|
|
||||||
ShowWordCount: true
|
|
||||||
ShowRssButtonInSectionTermList: true
|
|
||||||
UseHugoToc: true
|
|
||||||
cover:
|
|
||||||
image: images/cloudflare_email_routing.png
|
|
||||||
alt: "CloudFlare Email Routing"
|
|
||||||
relative: true
|
|
||||||
hidden: false
|
|
||||||
---
|
|
||||||
|
|
||||||
## Introduction
|
|
||||||
|
|
||||||
Most of self-hosters (or at least myself) couldn't care less about the uptime of their own services since they're the only user of the service, and maybe some of their family members or close friends.
|
|
||||||
|
|
||||||
For many of us, the primary goal of self-hosting is to have complete control over our data and the tools we use, rather than achieving reliability. The joy of tinkering with configurations, customizing every detail, and experimenting with new software without constraints is what encourages me to self-host.
|
|
||||||
|
|
||||||
However, this isn't the case for a mail server. For obvious reasons, while my emails are still stored on the server's disk when it's down, being temporarily disconnected from the outside world can be frustrating. What if I miss some booking emails, invoice emails, or any other important emails? I'd be lucky if the platform I'm using alerts me that they can't send their emails (such as LinkedIn), but this isn't the case for every platform, where it doesn't even aware that your mail server is failing and didn't try to resend the emails.
|
|
||||||
|
|
||||||
You can configure high availability for your emails by setting up multiple mail servers and MX records, but here, I'm attempting to minimize costs and offload the task to CloudFlare's Email Routing service.
|
|
||||||
|
|
||||||
## CloudFlare Email Routing
|
|
||||||
|
|
||||||
### Overview
|
|
||||||
|
|
||||||
Now, what is Cloudflare Email Routing?
|
|
||||||
|
|
||||||
>Cloudflare Email Routing is designed to simplify the way you create and manage email addresses, without needing to keep an eye on additional mailboxes. With Email Routing, you can create any number of custom email addresses to use in situations where you do not want to share your primary email address, such as when you subscribe to a new service or newsletter. Emails are then routed to your preferred email inbox, without you ever having to expose your primary email address.
|
|
||||||
|
|
||||||
_- [Cloudflare Email Routing's Overview](https://developers.cloudflare.com/email-routing/)_
|
|
||||||
|
|
||||||
How does email routing help in this case? One approach is to set up an email account with another provider, such as Gmail, ProtonMail, or any other preferred email service, and then configure CloudFlare Email Routing to act as a fallback for your domain's email address by forwarding the emails to the email account you have just set up.
|
|
||||||
|
|
||||||
**IMPORTANT**: This won't work if you're using subdomains in your email address, e.g. `anon@poste.example.com`, because CloudFlare doesn't support it.
|
|
||||||
|
|
||||||
### Setting Up DNS records
|
|
||||||
|
|
||||||
Go to CloudFlare Dashboard and select your domain.
|
|
||||||
|
|
||||||
![Dashboard](./images/01-dashboard.png)
|
|
||||||
|
|
||||||
Now go to the "Email Routing" section, if you've set up your mail server, CloudFlare will prompt you that the existing MX records will conflict with Email Routing's MX records. You can ignore this by clicking "Skip Getting Started"
|
|
||||||
|
|
||||||
![Email Routing Config](./images/02-email-routing-config.png)
|
|
||||||
|
|
||||||
Since we're skipping the automatic configuration, we'll need to create the DNS records ourselves, make your your own mail server has the highest priority.
|
|
||||||
|
|
||||||
![MX Records](./images/03-mx-records.png)
|
|
||||||
|
|
||||||
Don't forget to merge Cloudflare's SPF records with your mail server's SPF records otherwise Cloudflare may not be able to forward the emails. For example, if you have the following SPF record:
|
|
||||||
```
|
|
||||||
v=spf1 a:mail.example.com ~all
|
|
||||||
```
|
|
||||||
|
|
||||||
You can add Cloudflare's SPF records by including `include:_spf.mx.cloudflare.net` snippet:
|
|
||||||
```
|
|
||||||
v=spf1 a:mail.example.com include:_spf.mx.cloudflare.net ~all
|
|
||||||
```
|
|
||||||
|
|
||||||
In my case, it would look like this:
|
|
||||||
|
|
||||||
![SPF Records](./images/04-spf-records.png)
|
|
||||||
|
|
||||||
And that's it! It may prompt you that Email Routing is misconfigured, but it's fine as it doesn't expect other MX records to be configured.
|
|
||||||
|
|
||||||
![Email Routing Dashboard](./images/05-email-routing-dashboard.png)
|
|
||||||
|
|
||||||
### Setting Up Routes
|
|
||||||
|
|
||||||
Now we configure the fallback email inbox by adding a destination address in Email Routing > Routes
|
|
||||||
|
|
||||||
![Add Destination Address](./images/06-add-destination-address.png)
|
|
||||||
|
|
||||||
An email will arrive in your fallback email inbox for verification
|
|
||||||
|
|
||||||
![Address Verification](./images/07-address-verification.png)
|
|
||||||
|
|
||||||
Since we want to forward all addresses, configure the fallback email inbox as catch-all address
|
|
||||||
|
|
||||||
![Catch All Address](./images/08-catchall-address.png)
|
|
||||||
|
|
||||||
We're done with the configuration, now it's time to test it!
|
|
||||||
|
|
||||||
### Testing the Fallback Email
|
|
||||||
|
|
||||||
We have 3 actors in this testing:
|
|
||||||
|
|
||||||
- Main recipient (Self-hosted)
|
|
||||||
- Fallback recipient (Email platform of your choice)
|
|
||||||
- Sender (The one that will send an email)
|
|
||||||
|
|
||||||
Here I'm using ProtonMail as sender and Gmail as fallback recipient. Let's confirm if my main address can receive emails from the sender:
|
|
||||||
|
|
||||||
![Sender Before Fallback](./images/09-sender-before-fallback.png)
|
|
||||||
![Recipient Before Fallback](./images/10-recipient-before-fallback.png)
|
|
||||||
|
|
||||||
It works as expected, now let's shut down the server that is hosting the mail server:
|
|
||||||
|
|
||||||
![Biznet Giocloud Console](./images/11-biznet-giocloud-console.png)
|
|
||||||
|
|
||||||
Now, let's try sending an email to my address and see if the fallback recipient is handling it:
|
|
||||||
|
|
||||||
![Sender After Fallback](./images/12-sender-after-fallback.png)
|
|
||||||
![Recipient Before Fallbacl](./images/13-recipient-after-fallback.png)
|
|
||||||
|
|
||||||
The fallback works!
|
|
||||||
|
|
||||||
## Last Words
|
|
||||||
|
|
||||||
We have successfully created a fallback mail using CloudFlare Email Routing. As of now, CloudFlare Email Routing seems to be working correctly even if we modified the MX records, who knows if eventually CloudFlare Email Routing no longer works if the MX records aren't enforced.
|
|
||||||
|
|
||||||
Also, If you're already familiar with CloudFlare Workers, you may consider to route the emails to a worker instead, and send it to an API that can notify you, e.g. Telegram, Slack, etc. But it's outside the scope of this article `¯\_(ツ)_/¯`.
|
|
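Review bot: Removing this post in full (`@ -1,132 +0,0 @`) is not explained by anything in the other hunks, and nothing visible redirects its URL. If the removal is deliberate, say so in the commit message and add the old path as an `aliases` entry on a replacement page so existing links do not break; otherwise restore the file.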
18
hugo.yml
@ -1,9 +1,9 @@
|
|||||||
# Basic Information
|
# Basic Information
|
||||||
baseURL: "https://lemniskett.moe/"
|
baseURL: "https://lemniskett.dev/"
|
||||||
languageCode: en-us
|
languageCode: en-us
|
||||||
title: "Lemniskett's Stash"
|
title: "Lemniskett's Stash"
|
||||||
theme: Kamigo
|
theme: Kamigo
|
||||||
copyright: '© 2023 [lemniskett.moe](https://lemniskett.moe) | [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/) | [Privacy Policy](/privacy) | [Disclaimer](/disclaimer)'
|
copyright: '© 2023 [lemniskett.dev](https://lemniskett.dev) | [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/) | [Privacy Policy](/privacy) | [Disclaimer](/disclaimer)'
|
||||||
|
|
||||||
enableRobotsTXT: true
|
enableRobotsTXT: true
|
||||||
buildDrafts: false
|
buildDrafts: false
|
||||||
@ -22,15 +22,15 @@ minify:
|
|||||||
params:
|
params:
|
||||||
env: production
|
env: production
|
||||||
title: "Lemniskett's Stash"
|
title: "Lemniskett's Stash"
|
||||||
description: "Where I publish my personal notes."
|
description: "Thoughts and research on security, privacy, *nix based systems, and other IT stuff."
|
||||||
keywords: [Blog, Homelab, Self-Host, Linux, DevOps]
|
keywords: [Blog, Research, Security, Privacy, Linux]
|
||||||
DateFormat: "January 2, 2006"
|
DateFormat: "January 2, 2006"
|
||||||
defaultTheme: auto # dark, light
|
defaultTheme: auto # dark, light
|
||||||
disableThemeToggle: false
|
disableThemeToggle: false
|
||||||
mainSections:
|
mainSections:
|
||||||
- blog
|
- blog
|
||||||
|
|
||||||
author: Lemniskett
|
author: Hiiruki
|
||||||
ShowReadingTime: true
|
ShowReadingTime: true
|
||||||
ShowShareButtons: false
|
ShowShareButtons: false
|
||||||
ShowPostNavLinks: false
|
ShowPostNavLinks: false
|
||||||
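Review bot: `author: Hiiruki` under `params` changes the site-wide author while `title: "Lemniskett's Stash"` stays as it is, so if the theme falls back to `params.author`, any post without its own `author` front matter will now be credited to Hiiruki. The new Infection Monkey post already sets `author: "Hiiruki"` itself; keep the default as it was, or confirm that every existing post carries an explicit `author` before changing it.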
@ -64,7 +64,7 @@ params:
|
|||||||
profileMode:
|
profileMode:
|
||||||
enabled: true # needs to be explicitly set
|
enabled: true # needs to be explicitly set
|
||||||
title: Lemniskett
|
title: Lemniskett
|
||||||
subtitle: "`./bin/publish.sh ~/Personal\\ Notes/*`"
|
subtitle: "`./scripts/publish.sh ~/Personal\\ Notes/*`"
|
||||||
imageUrl: "/images/profile.webp"
|
imageUrl: "/images/profile.webp"
|
||||||
imageWidth: 120
|
imageWidth: 120
|
||||||
imageHeight: 120
|
imageHeight: 120
|
||||||
@ -76,11 +76,11 @@ params:
|
|||||||
# Social
|
# Social
|
||||||
socialIcons:
|
socialIcons:
|
||||||
- name: email
|
- name: email
|
||||||
url: "mailto:syahrial@lemniskett.moe"
|
url: "mailto:syahrial@lemniskett.dev"
|
||||||
- name: github
|
- name: github
|
||||||
url: "https://github.com/lemniskett"
|
url: "https://github.com/lemniskett"
|
||||||
- name: linkedin
|
- name: pleroma
|
||||||
url: "https://www.linkedin.com/in/lemniskett/"
|
url: "https://lemniskett.space/users/lemniskett"
|
||||||
- name: telegram
|
- name: telegram
|
||||||
url: "https://t.me/lemniskett"
|
url: "https://t.me/lemniskett"
|
||||||
- name: pgp
|
- name: pgp
|
||||||
|
@ -1,13 +1,14 @@
|
|||||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||||
|
|
||||||
mDMEZWmi9RYJKwYBBAHaRw8BAQdAAoJmAuh/4uD1zqph26KWThhju+llfNomDdpx
|
mDMEZQUA4hYJKwYBBAHaRw8BAQdA5jNsJ/mNAHJvRy7pQaMHTonqcv1UizcsWpVG
|
||||||
3ArwwRu0MFN5YWhyaWFsIEFnbmkgUHJhc2V0eWEgPHN5YWhyaWFsQGxlbW5pc2tl
|
GXJdHMC0MFN5YWhyaWFsIEFnbmkgUHJhc2V0eWEgPHN5YWhyaWFsQGxlbW5pc2tl
|
||||||
dHQubW9lPoiMBBAWCgAdBQJlaaL1BAsJBwgDFQgKBBYAAgECGQECGwMCHgEAIQkQ
|
dHQuZGV2PoiWBBMWCAA+FiEEgVCMXVBAFlBu1g1dQyX5nPAauEYFAmUFAOICGyMF
|
||||||
JCYBMKkI61oWIQQUurxoh4KV232U4DQkJgEwqQjrWlsNAPwLBBybc1zX/OlR8cbm
|
CSWYBgAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQQyX5nPAauEZ42QEAiF8Q
|
||||||
sU3F9o0HK3CjH6lrNAyGT1iZnwEA1Lwy27PMgDjWJTgeIujWZ6+9rpITShx+iYlB
|
lgjhCxlwJpaOwh0SqXVnf6qdPIYDqH4U8koMmzwA/RJQ2vUKlvvTmQ/UxbOaMTg9
|
||||||
vhHo6wm4OARlaaL1EgorBgEEAZdVAQUBAQdAG1xn4a/ooLpG/z9Q9GlkF0VM5FJW
|
u0vdkWTr6y4UY6YrnX4BuDgEZQUCMRIKKwYBBAGXVQEFAQEHQHJvWB8zFktqnJiv
|
||||||
i2JbEVJRAYe2wGEDAQgHiHgEGBYIAAkFAmVpovUCGwwAIQkQJCYBMKkI61oWIQQU
|
chNPEotoslfyZSm/E+W4NZmGyDwyAwEIB4h+BBgWCAAmFiEEgVCMXVBAFlBu1g1d
|
||||||
urxoh4KV232U4DQkJgEwqQjrWpSPAP9Bl1LEFZZJ+M9MSTAFmwyE0unit8MGZ3fS
|
QyX5nPAauEYFAmUFAjECGwwFCSWYBgAACgkQQyX5nPAauEbCdwEAk6a/tzTYMZZA
|
||||||
H/4slWbYDwEArIpYYJ7iU+ZG3hq7hFCfuVIGuD04FvgKGo+gYQ35ng4=
|
xgwSmQTSC27lq5C+mJ0VrfKiuG7dgQ4A/A/BmovgTdeLTwk6GqbJIZbVmgehzgZx
|
||||||
=+ez0
|
2nrs5uSs7EUA
|
||||||
|
=xj2a
|
||||||
-----END PGP PUBLIC KEY BLOCK-----
|
-----END PGP PUBLIC KEY BLOCK-----
|
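Review bot: The armored key block is replaced wholesale, so anyone fetching the file after this change gets a key with no link back to the one they may already trust. Publish a transition statement signed by the old key alongside the new block, or keep the old key available with a revocation, and check before merging that the fingerprint of the new block matches the `4325F99CF01AB846` ID quoted in the README notice.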