Debian + Postfix + Dovecot + Multidomain + SSL + IPv6 + OpenVPN + Multi-interfaces + SpamAssassin-learn + Bind

This article is about how to set up a modern mail server.
Postfix + Dovecot. SPF + DKIM + rDNS. With IPv6.
With TLS encryption. With support for several domains - some of them with real SSL certificates.
With anti-spam protection and a high anti-spam rating from other mail servers.
With support for several physical interfaces.
With OpenVPN, which is connected to over IPv4 and which provides IPv6.

If you don't want to learn all these technologies but want to set up such a server, then this article is for you.

The article does not try to explain every detail. The explanation covers what is not configured as standard or what is important from the user's point of view.

Setting up a mail server has been my dream for a long time. This may sound silly, but IMHO it is much better than dreaming of a new car from your favourite brand.

There are two reasons for setting up IPv6. An IT professional must constantly learn new technologies in order to survive. And I want to make my small contribution to the fight against corruption.

The reason for setting up OpenVPN is only to get IPv6 working on the local machine.
The reason for setting up several physical interfaces is that on my server I have one interface that is "slow but unlimited" and another that is "fast but with a traffic tariff".

The reason for setting up Bind is that my ISP provides an unstable DNS server, and Google's also fails sometimes. I want a stable DNS server for personal use.

Motivation for writing the article - I wrote the draft 10 months ago and have already consulted it twice. If even the author needs it regularly, others will probably need it too.

There is no universal solution for a mail server. But I'll try to write something like "do this, and then, when everything works as it should, throw away the extra stuff."

The company tech.ru offers server colocation. It can be compared with OVH, Hetzner, AWS. For solving this task, cooperation with tech.ru turned out to be the most effective.

Debian 9 is installed on the server.

The server has two interfaces, `eno1` and `eno2`. The first is unlimited and the second is fast, respectively.

There are 3 static IPv4 addresses: XX.XX.XX.X0, XX.XX.XX.X1 and XX.XX.XX.X2 on the `eno1` interface, and XX.XX.XX.X5 on the `eno2` interface.

There is a pool of IPv6 addresses XXXX:XXX:XXX:XXX::/64 assigned to the `eno1` interface, and from it XXXX:XXX:XXX:XXX:1:2::/96 was assigned to `eno2` at my request.

There are 3 domains: `domain1.com`, `domain2.com`, `domain3.com`. There are SSL certificates for `domain1.com` and `domain3.com`.

I have a Google account to which I want to link the mailbox `[email protected]` (receiving mail and sending mail directly from the gmail interface).
There must be a mailbox `[email protected]`, a copy of whose mail I want to see in my gmail. And, rarely, to be able to send something on behalf of `[email protected]` via the web interface.

There must be a mailbox `[email protected]` which Ivanov will use from an iPhone.

Sent emails must meet all modern anti-spam requirements.
There must be the highest level of encryption that is available on public networks.
There should be IPv6 support for both sending and receiving mail.
There should be a SpamAssassin that never deletes mail. It will either bounce a message, or let it through, or deliver it to the IMAP "Spam" folder.
SpamAssassin auto-learning must be configured: if I move a message to the Spam folder, it learns from that; if I move a message out of the Spam folder, it learns from that. The results of SpamAssassin's training should affect whether a message ends up in the Spam folder.
PHP scripts must be able to send mail on behalf of any domain on this server.
There should be an openvpn service, with the ability to use IPv6 on a client that has no IPv6.

First you need to configure the interfaces and routes, including IPv6.
Then you need to set up OpenVPN, which will connect over IPv4 and give the client a real IPv6 address. This client will have access to all IPv6 services on the server and to any IPv6 resources on the Internet.
Then you need to set up Postfix for sending mail + SPF + DKIM + rDNS and other similar little things.
Then you need to set up Dovecot and configure Multidomain.
Then you need to set up SpamAssassin and configure training.
Finally, install Bind.

============ Multi-interfaces =============

To configure the interfaces, you need to write the following in "/etc/network/interfaces":

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eno1
iface eno1 inet static
        address XX.XX.XX.X0/24
        gateway XX.XX.XX.1
        dns-nameservers 127.0.0.1 213.248.1.6
        post-up ip route add XX.XX.XX.0/24 dev eno1 src XX.XX.XX.X0 table eno1t
        post-up ip route add default via XX.XX.XX.1 table eno1t
        post-up ip rule add table eno1t from XX.XX.XX.X0
        post-up ip rule add table eno1t to XX.XX.XX.X0

auto eno1:1
iface eno1:1 inet static
address XX.XX.XX.X1
netmask 255.255.255.0
        post-up ip rule add table eno1t from XX.XX.XX.X1
        post-up ip rule add table eno1t to XX.XX.XX.X1
        post-up   ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t
        post-down ip route del 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t

auto eno1:2
iface eno1:2 inet static
address XX.XX.XX.X2
netmask 255.255.255.0
        post-up ip rule add table eno1t from XX.XX.XX.X2
        post-up ip rule add table eno1t to XX.XX.XX.X2

iface eno1 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:1::/64
        gateway XXXX:XXXX:XXXX:XXXX::1
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:2/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:1:1:2/64 dev $IFACE

# The secondary network interface
allow-hotplug eno2
iface eno2 inet static
        address XX.XX.XX.X5
        netmask 255.255.255.0
        post-up   ip route add XX.XX.XX.0/24 dev eno2 src XX.XX.XX.X5 table eno2t
        post-up   ip route add default via XX.XX.XX.1 table eno2t
        post-up   ip rule add table eno2t from XX.XX.XX.X5
        post-up   ip rule add table eno2t to XX.XX.XX.X5
        post-up   ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X5 table eno2t
        post-down ip route del 10.8.0.0/24 dev tun0 src XX.XX.XX.X5 table eno2t

iface eno2 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:2::/96
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:2:1:1/64 dev $IFACE
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:2:1:2/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:2:1:1/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:2:1:2/64 dev $IFACE

# OpenVPN network
iface tun0 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:3::/80

These settings can be used on any server at tech.ru (with a little coordination with support) and will immediately work as they should.

If you have experience setting up the same things at Hetzner or OVH - it is different there. More complicated.

eno1 is the name of network card #1 (slow but unlimited).
eno2 is the name of network card #2 (fast, but with a traffic tariff).
tun0 is the name of the virtual network card from OpenVPN.
XX.XX.XX.X0 - IPv4 #1 on eno1.
XX.XX.XX.X1 - IPv4 #2 on eno1.
XX.XX.XX.X2 - IPv4 #3 on eno1.
XX.XX.XX.X5 - IPv4 #1 on eno2.
XX.XX.XX.1 - the IPv4 gateway.
XXXX:XXX:XXX:XXX::/64 - IPv6 for the whole server.
XXXX:XXX:XXXX:XXX:1:2::/96 - IPv6 for eno2; everything from outside comes in through eno1.
XXXX:XXXX:XXXX:XXXX::1 - the IPv6 gateway (it is worth noting that this can be done differently: specify the IPv6 switch).
dns-nameservers - 127.0.0.1 is specified (because bind is installed locally) and 213.248.1.6 (this one is from tech.ru).

"table eno1t" and "table eno2t" - the meaning of these routing rules is that traffic that comes in through eno1 -> goes out through it, and traffic that comes in through eno2 -> goes out through it. Also, connections initiated by the server go out through eno1.

ip route add default via XX.XX.XX.1 table eno1t

With this command we specify that any otherwise unmatched traffic that falls under any rule marked "table eno1t" -> is sent to the eno1 interface.

ip route add XX.XX.XX.0/24 dev eno1 src XX.XX.XX.X0 table eno1t

With this command we specify that any traffic initiated by the server should be directed to the eno1 interface.

ip rule add table eno1t from XX.XX.XX.X0
ip rule add table eno1t to XX.XX.XX.X0

With these commands we set the rules for marking the traffic.

auto eno1:2
iface eno1:2 inet static
address XX.XX.XX.X2
netmask 255.255.255.0
        post-up ip rule add table eno1t from XX.XX.XX.X2
        post-up ip rule add table eno1t to XX.XX.XX.X2

This block defines the second IPv4 address for the eno1 interface.

ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t

With this command we set the route from OpenVPN clients to the local IPv4 addresses other than XX.XX.XX.X0.
I still don't understand why this one command is enough for all the IPv4 addresses.

iface eno1 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:1::/64
        gateway XXXX:XXXX:XXXX:XXXX::1

This is where we set the address for the interface itself. The server will use it as its "outgoing" address. It will not be used in any other way.

Why is ":1:1::" so complicated? So that OpenVPN works correctly, and only for that. More on this later.

On the subject of the gateway - this is how it works, and it is fine. But the correct way is to specify here the IPv6 address of the switch to which the server is connected.

However, for some reason IPv6 stops working when I do that. This is probably some tech.ru problem.

ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE

This adds an IPv6 address to the interface. If you need a hundred addresses, that means a hundred lines in this file.

iface eno1 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:1::/64
...
iface eno2 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:2::/96
...
iface tun0 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:3::/80

I have noted the addresses and subnets of all interfaces for clarity.
eno1 - must be "/64" - because this is our entire address range.
tun0 - the subnet prefix must be longer than eno1's. Otherwise it will be impossible to set up an IPv6 gateway for OpenVPN clients.
eno2 - the subnet prefix must be longer than tun0's. Otherwise OpenVPN clients will not have access to the local IPv6 addresses.
For clarity, I chose a subnet step of 16, but if you want, you can use a step of "1".
So, 64+16 = 80, and 80+16 = 96.

For more clarity:
XXXX:XXXX:XXXX:XXX:1:1:YYY:YYY are addresses that should be assigned to specific sites or services on the eno1 interface.
XXXX:XXXX:XXXX:XXX:1:2:YYY:YYY are addresses that should be assigned to specific sites or services on the eno2 interface.
XXXX:XXXX:XXX:XXX:1:3:YYY:YYY are addresses that should be assigned to OpenVPN clients or used as addresses of OpenVPN services.

To apply the network configuration, the server should be rebooted.
IPv4 changes are picked up when executing the following (be sure to wrap it in screen - otherwise this command will break the network on the server):

/etc/init.d/networking restart

Add to the end of the file "/etc/iproute2/rt_tables":

100 eno1t
101 eno2t

Without this, you cannot use custom tables in the "/etc/network/interfaces" file.
The numbers must be unique and less than 65535.

IPv6 changes can easily be applied without a reboot, but to do that you need to learn at least three commands:

ip -6 addr ...
ip -6 route ...
ip -6 neigh ...

Settings in "/etc/sysctl.conf"

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward = 1

# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0

# For receiving ARP replies
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.default.arp_filter = 0

# For sending ARP
net.ipv4.conf.all.arp_announce = 0
net.ipv4.conf.default.arp_announce = 0

# Enable IPv6
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0

# IPv6 configuration
net.ipv6.conf.all.autoconf = 1
net.ipv6.conf.all.accept_ra = 0

# For OpenVPN
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.proxy_ndp = 1

# For nginx on boot
net.ipv6.ip_nonlocal_bind = 1

These are the server's "sysctl" settings. Let me point out a few important things.

net.ipv4.ip_forward = 1

Without this, OpenVPN will not work at all.

net.ipv6.ip_nonlocal_bind = 1

Anyone who tries to bind to an IPv6 address (for example nginx) immediately after boot will get an error saying that the address is not available.

This setting is made to avoid that situation.

net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.proxy_ndp = 1

Without these IPv6 settings, traffic from an OpenVPN client does not go out to the world.

The other settings are either irrelevant or I don't remember what they do.
But just in case, I left them "as is".

For changes to this file to be picked up without rebooting the server, you need to execute the command:

sysctl -p

More details about the "table" rules: habr.com/post/108690

============ OpenVPN ============

OpenVPN over IPv4 does not work without iptables.

My iptables rules for the VPN look like this:

iptables -A INPUT -p udp -s YY.YY.YY.YY --dport 1194 -j ACCEPT
iptables -A FORWARD -i tun0 -o eno1 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j SNAT --to-source XX.XX.XX.X0
##iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j DROP
iptables -A FORWARD -p udp --dport 1194 -j DROP

YY.YY.YY.YY is the static IPv4 address of my local machine.
10.8.0.0/24 - the openvpn IPv4 network. IPv4 addresses for openvpn clients.
The order of the rules is important.

iptables -A INPUT -p udp -s YY.YY.YY.YY --dport 1194 -j ACCEPT
iptables -A FORWARD -i tun0 -o eno1 -j ACCEPT
...
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j DROP
iptables -A FORWARD -p udp --dport 1194 -j DROP

This is a restriction so that only I can use OpenVPN, from my static IP.

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j SNAT --to-source XX.XX.XX.X0
  -- or --
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j MASQUERADE

To forward IPv4 packets between OpenVPN clients and the Internet, you need to add one of these commands.

For different cases, one or the other of the options is not suitable.
Both commands suit my case.
After reading the documentation, I chose the first option because it uses less CPU.

For all iptables settings to be picked up after a reboot, you need to save them somewhere.

iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

These names are not chosen by chance. They are used by the "iptables-persistent" package.

apt-get install iptables-persistent

Install the main OpenVPN package:

apt-get install openvpn easy-rsa

Let's set up a template for the certificates (substitute your own values):

make-cadir ~/openvpn-ca
cd ~/openvpn-ca
ln -s openssl-1.0.0.cnf openssl.cnf

Let's edit the certificate template settings:

mcedit vars

...
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="RU"
export KEY_PROVINCE="Krasnodar"
export KEY_CITY="Dinskaya"
export KEY_ORG="Own"
export KEY_EMAIL="[email protected]"
export KEY_OU="VPN"

# X509 Subject Field
export KEY_NAME="server"
...

Create the server certificate:

cd ~/openvpn-ca
source vars
./clean-all
./build-ca
./build-key-server server
./build-dh
openvpn --genkey --secret keys/ta.key

Let's prepare the ability to create the final "client-name.ovpn" files:

mkdir -p ~/client-configs/files
chmod 700 ~/client-configs/files
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
mcedit ~/client-configs/base.conf

# Client mode
client

# Interface tunnel type
dev tun

# TCP protocol
proto tcp-client

# Address/Port of VPN server
remote XX.XX.XX.X0 1194

# Don't bind to local port/address
nobind

# Don't need to re-read keys and re-create tun at restart
persist-key
persist-tun

# Remote peer must have a signed certificate
remote-cert-tls server
ns-cert-type server

# Enable compression
comp-lzo

# Custom
ns-cert-type server
tls-auth ta.key 1
cipher DES-EDE3-CBC

Let's prepare a script that will combine all the files into a single ovpn file.

mcedit ~/client-configs/make_config.sh
chmod 700 ~/client-configs/make_config.sh

#!/bin/bash

# First argument: Client identifier

KEY_DIR=~/openvpn-ca/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

# Concatenate the base config with the inline CA certificate, the client's
# own certificate and key, and the tls-auth key into one <client>.ovpn file
cat ${BASE_CONFIG} \
    <(echo -e '<ca>') \
    ${KEY_DIR}/ca.crt \
    <(echo -e '</ca>\n<cert>') \
    ${KEY_DIR}/${1}.crt \
    <(echo -e '</cert>\n<key>') \
    ${KEY_DIR}/${1}.key \
    <(echo -e '</key>\n<tls-auth>') \
    ${KEY_DIR}/ta.key \
    <(echo -e '</tls-auth>') \
    > ${OUTPUT_DIR}/${1}.ovpn

Creating the first OpenVPN client:

cd ~/openvpn-ca
source vars
./build-key client-name
cd ~/client-configs
./make_config.sh client-name

The file "~/client-configs/files/client-name.ovpn" is sent to the client device.

For iOS clients you need to do a trick:
The content of the "tls-auth" tag must be without comments.
And also put "key-direction 1" immediately before the "tls-auth" tag.

Let's configure the OpenVPN server settings:

cd ~/openvpn-ca/keys
cp ca.crt ca.key server.crt server.key ta.key dh2048.pem /etc/openvpn
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | tee /etc/openvpn/server.conf
mcedit /etc/openvpn/server.conf

# Listen port
port 1194

# Protocol
proto tcp-server

# IP tunnel
dev tun0
tun-ipv6
push tun-ipv6

# Master certificate
ca ca.crt

# Server certificate
cert server.crt

# Server private key
key server.key

# Diffie-Hellman parameters
dh dh2048.pem

# Allow clients to communicate with each other
client-to-client

# Client config dir
client-config-dir /etc/openvpn/ccd

# Run client-specific script on connection and disconnection
script-security 2
client-connect "/usr/bin/sudo -u root /etc/openvpn/server-clientconnect.sh"
client-disconnect "/usr/bin/sudo -u root /etc/openvpn/server-clientdisconnect.sh"

# Server mode and client subnets
server 10.8.0.0 255.255.255.0
server-ipv6 XXXX:XXXX:XXXX:XXXX:1:3::/80
topology subnet

# IPv6 routes
push "route-ipv6 XXXX:XXXX:XXXX:XXXX::/64"
push "route-ipv6 2000::/3"

# DNS (for Windows)
# These are OpenDNS
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

# Configure all clients to redirect their default network gateway through the VPN
push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway ipv6" #For iOS

# Don't need to re-read keys and re-create tun at restart
persist-key
persist-tun

# Ping every 10s. Timeout of 120s.
keepalive 10 120

# Enable compression
comp-lzo

# User and group
user vpn
group vpn

# Log a short status
status openvpn-status.log

# Logging verbosity
##verb 4

# Custom config
tls-auth ta.key 0
cipher DES-EDE3-CBC

This is needed to set a static address for each client (not necessary, but I use it):

# Client config dir
client-config-dir /etc/openvpn/ccd

The most difficult and key detail.

Unfortunately, OpenVPN does not know how to set up the IPv6 gateway for clients on its own.
You have to push this "manually" for each client.

# Run client-specific script on connection and disconnection
script-security 2
client-connect "/usr/bin/sudo -u root /etc/openvpn/server-clientconnect.sh"
client-disconnect "/usr/bin/sudo -u root /etc/openvpn/server-clientdisconnect.sh"

File "/etc/openvpn/server-clientconnect.sh":

#!/bin/sh

# Check client variables
if [ -z "$ifconfig_pool_remote_ip" ] || [ -z "$common_name" ]; then
        echo "Missing environment variable."
        exit 1
fi

# Load server variables
. /etc/openvpn/variables

ipv6=""

# Find out if there is a specific config with fixed IPv6 for this client
if [ -f "/etc/openvpn/ccd/$common_name" ]; then
        # Get fixed IPv6 from client config file
        ipv6=$(sed -nr 's/^.*ifconfig-ipv6-push[ \t]+([0-9a-fA-F:]+).*$/\1/p' "/etc/openvpn/ccd/$common_name")
        echo $ipv6
fi

# Get IPv6 from IPv4
if [ -z "$ipv6" ]; then
        ipp=$(echo "$ifconfig_pool_remote_ip" | cut -d. -f4)
        if ! [ "$ipp" -ge 2 -a "$ipp" -le 254 ] 2>/dev/null; then
                echo "Invalid IPv4 part."
                exit 1
        fi
        hexipp=$(printf '%x' $ipp)
        ipv6="$prefix$hexipp"
fi

# Create proxy rule
/sbin/ip -6 neigh add proxy $ipv6 dev eno1

File "/etc/openvpn/server-clientdisconnect.sh":

#!/bin/sh

# Check client variables
if [ -z "$ifconfig_pool_remote_ip" ] || [ -z "$common_name" ]; then
        echo "Missing environment variable."
        exit 1
fi

# Load server variables
. /etc/openvpn/variables

ipv6=""

# Find out if there is a specific config with fixed IPv6 for this client
if [ -f "/etc/openvpn/ccd/$common_name" ]; then
        # Get fixed IPv6 from client config file
        ipv6=$(sed -nr 's/^.*ifconfig-ipv6-push[ \t]+([0-9a-fA-F:]+).*$/\1/p' "/etc/openvpn/ccd/$common_name")
fi

# Get IPv6 from IPv4
if [ -z "$ipv6" ]; then
        ipp=$(echo "$ifconfig_pool_remote_ip" | cut -d. -f4)
        if ! [ "$ipp" -ge 2 -a "$ipp" -le 254 ] 2>/dev/null; then
                echo "Invalid IPv4 part."
                exit 1
        fi
        hexipp=$(printf '%x' $ipp)
        ipv6="$prefix$hexipp"
fi

# Delete proxy rule
/sbin/ip -6 neigh del proxy $ipv6 dev eno1

Both scripts use the file "/etc/openvpn/variables":

# Subnet
prefix=XXXX:XXXX:XXXX:XXXX:2:
# netmask
prefixlen=112

I have a hard time remembering why it was written this way.

Now netmask = 112 looks strange (it should be 96 there).
And the prefix is strange too; it doesn't match the tun0 network.
But okay, I'll leave it as it is.
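The two hook scripts above carry the same address lookup twice. As an added example (not the article's own code), here is a helper assumed to live at "/etc/openvpn/ipv6-client.sh" and to be sourced by both hooks: it prefers a fixed "ifconfig-ipv6-push" address from the client's ccd file, otherwise derives the address from the last octet of the IPv4 pool address, and rejects octets outside 2..254 or with a leading zero (which printf would read as octal). It assumes the client prefix is the tun0 "server-ipv6" prefix, XXXX:XXXX:XXXX:XXXX:1:3::, shown here with a constructed 2001:db8 value.

```shell
#!/bin/sh
# Added example (not the article's scripts): helper sourced by both the
# client-connect and client-disconnect hooks so the address logic exists once.
# Assumption: the client prefix is the tun0 "server-ipv6" prefix, i.e. the
# page's XXXX:XXXX:XXXX:XXXX:1:3:: - here a constructed 2001:db8 value.

OVPN_V6_PREFIX=${OVPN_V6_PREFIX:-2001:db8:0:0:1:3::}
OVPN_CCD_DIR=${OVPN_CCD_DIR:-/etc/openvpn/ccd}
IP_CMD=${IP_CMD:-/sbin/ip}

# ipv6_from_pool_ip IPV4 PREFIX
# Prints PREFIX followed by the last IPv4 octet in hex, which is how OpenVPN
# itself numbers clients inside server-ipv6 with "topology subnet"
# (10.8.0.10 -> ...::a). Returns 1 for octets outside the usable pool range
# 2..254; a leading zero is rejected too, since printf '%x' would read "010"
# as octal.
ipv6_from_pool_ip() {
    octet=${1##*.}
    case "$octet" in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    [ "$octet" -ge 2 ] && [ "$octet" -le 254 ] || return 1
    printf '%s%x\n' "$2" "$octet"
}

# fixed_ipv6_from_ccd CCD_FILE
# Prints the address from the first "ifconfig-ipv6-push ADDR/LEN" line of a
# client-config-dir file, or nothing when the file or the line is absent.
fixed_ipv6_from_ccd() {
    [ -f "$1" ] || return 0
    sed -nE 's/^[[:space:]]*ifconfig-ipv6-push[[:space:]]+([0-9a-fA-F:]+).*$/\1/p' "$1" | head -n 1
}

# client_ipv6 COMMON_NAME POOL_IPV4 [CCD_DIR] [PREFIX]
# The address the NDP proxy entry must cover: the fixed ccd address when
# there is one, otherwise the one derived from the IPv4 pool address.
client_ipv6() {
    ccd_dir=${3:-$OVPN_CCD_DIR}
    prefix=${4:-$OVPN_V6_PREFIX}
    addr=$(fixed_ipv6_from_ccd "$ccd_dir/$1")
    if [ -z "$addr" ]; then
        addr=$(ipv6_from_pool_ip "$2" "$prefix") || return 1
    fi
    printf '%s\n' "$addr"
}

# ndp_proxy add|del ADDR
# Installs or removes the proxy-NDP entry on eno1 (the external interface),
# which is what makes the client's address reachable from outside.
ndp_proxy() {
    "$IP_CMD" -6 neigh "$1" proxy "$2" dev eno1
}

# Hook body, as each of the two scripts on the page would then call it:
#   . /etc/openvpn/ipv6-client.sh
#   addr=$(client_ipv6 "$common_name" "$ifconfig_pool_remote_ip") || exit 1
#   ndp_proxy add "$addr"      # ndp_proxy del "$addr" in the disconnect hook
```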

cipher DES-EDE3-CBC

This is not for everyone - I chose this method of encrypting the connection.

Read more about setting up OpenVPN over IPv4.

Read more about setting up OpenVPN over IPv6.

============ Postfix =============

Install the main package:

apt-get install postfix

During installation, select "Internet Site".

My "/etc/postfix/main.cf" looks like this:

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtp_bind_address = XX.XX.XX.X0
smtp_bind_address6 = XXXX:XXXX:XXXX:XXXX:1:1:1:1

smtp_tls_security_level = may
smtp_tls_ciphers = export
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_loglevel = 1

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = domain1.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = domain1.com
mydestination = localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4

internal_mail_filter_classes = bounce

# Storage type
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf

# SMTP-Auth settings
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        #reject_invalid_hostname,
        #reject_unknown_recipient_domain,
        reject_unauth_destination,
        reject_rbl_client sbl.spamhaus.org,
        check_policy_service unix:private/policyd-spf

smtpd_helo_restrictions =
        #reject_invalid_helo_hostname,
        #reject_non_fqdn_helo_hostname,
        reject_unknown_helo_hostname

smtpd_client_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_helo_hostname,
        permit

# SPF
policyd-spf_time_limit = 3600

# OpenDKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:var/run/opendkim/opendkim.sock

# IP address per domain
sender_dependent_default_transport_maps = pcre:/etc/postfix/sdd_transport.pcre

Let's look at the details of this configuration.

smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key

According to Habr readers, this block contains "inaccurate information and incorrect statements." Only 8 years after the start of my career did I begin to understand how SSL works.

Therefore, I'll take the liberty of explaining how SSL is used (without answering the questions "How does it work?" and "Why does it work?").

The basis of modern encryption is the creation of a key pair (two very long strings of characters).

One "key" is private, the other is "public". We keep the private key strictly secret. We distribute the public key to everyone.

Using the public key, you can encrypt a text message so that only the owner of the private key can decrypt it.
Well, that's the whole basis of the technology.

Step #1 - https sites.
When visiting a site, the browser learns from the web server that the site is https and therefore requests the public key.
The web server provides the public key. The browser uses the public key to encrypt the http-request and sends it.
The content of the http-request can only be read by those who have the private key, that is, only by the server to which the request was made.
The http-request contains at least the URI. Therefore, if some country tries to restrict access not to the whole site but to a specific page, this is impossible to do for https sites.

Step #2 - the encrypted response.
The web server provides a response that can easily be read along the way.
The solution is very simple - the browser locally generates the same kind of public-private key pair for each https site.
And together with the request for the site's public key, it sends its local public key.
The web server remembers it and, when sending the http response, encrypts it with the public key of that specific client.
Now the http response can only be decrypted by the owner of the client's private key (that is, the client itself).

Step #3 - establishing a secure connection over a public channel.
There is a vulnerability in example No. 2 - nothing prevents bad actors from intercepting the http request and modifying the public key information.
Thus, the intermediary will see all sent and received content in the clear until the communication channel changes.
Dealing with this is quite simple - just send the browser's public key as a message encrypted with the web server's public key.
The web server then first sends a response like "your public key is such and such" and encrypts this message with that same public key.
The browser checks the response - if the "your public key is such and such" message is received - then this is a 100% guarantee that this communication channel is secure.
How secure is it?
Creating such a secure communication channel happens at a speed of ping*2. For example 20ms.
An attacker must have the private key of one of the parties in advance. Or find the private key within a couple of seconds.
Cracking one modern private key would take years on a supercomputer.

Step #4 - public databases of public keys.
Obviously, in this whole story there is an opportunity for an attacker to sit on the communication channel between the client and the server.
For the client he can pretend to be the server, and for the server he can pretend to be the client. And emulate a key pair on both sides.
Then the attacker will see all the traffic and will be able to "edit" the traffic.
For example, change the address where money is sent, or copy the password for online banking, or block "objectionable" content.
To combat such attackers, public databases with the public keys of every https site were invented.
Every browser "knows" about the existence of about 200 such databases. This comes pre-installed in every browser.
The "knowledge" is backed by the public key of each certificate authority. That is, the link to each specific certificate authority cannot be forged.

Now it is easy to understand how SSL is used for https.
If you use your brain, it becomes clear how special services could hack something in this scheme. But it will cost them enormous effort.
And for organisations smaller than the NSA or the CIA - it is almost impossible to hack the current level of protection, even for VIPs.

I'll also add something about ssh connections. There are no public databases there, so what can you do? The problem is solved in two ways.
The ssh-by-password option:
On the first connection, the ssh client should warn that we have a new public key from the ssh server.
And during further connections, if the "new public key from the ssh server" warning appears, it means someone is trying to eavesdrop on you.
Or you were eavesdropped on during your first connection, but now you are communicating with the server without intermediaries.
Actually, because eavesdropping via mobile networks is easy, fast and effortless, this attack is used only in special cases against a specific client.

The ssh-by-key option:
We take a flash drive, write the private key for the ssh server onto it (there are conditions and important nuances for this, but I'm writing an educational primer, not a usage manual).
We leave the public key on the machine where the ssh client will be, and also keep it secret.
We bring the flash drive to the server, insert it, copy the private key, then burn the flash drive and scatter the ashes to the wind (or at least format it with zeros).
That's it - after such an operation it will be impossible to hack such an ssh connection. Of course, in 10 years it will be possible to look at the traffic on a quantum computer - but that's another story.

I apologise for the off-topic.

So now the theory is known. I'll tell you about the flow of creating an SSL certificate.

Yin amfani da "openssl genrsa" muna ƙirƙirar maɓalli na sirri da "blanks" don maɓallin jama'a.
Mun aika da "blanks" zuwa wani kamfani na ɓangare na uku, wanda muke biya kusan $ 9 don takardar shaidar mafi sauƙi.

A couple of hours later we receive the "public" key and a set of several more public keys from that third-party company.

Why a company should charge money for registering a public key is a separate question; we will not go into it here.

Now the meaning of this line is clear:

smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key

The "/etc/ssl" folder holds all files related to ssl matters.
domain1.com is the domain name.
2018 is the year the key was created.
"key" marks the file as the private key.

And the meaning of this file:

smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
domain1.com is the domain name.
2018 is the year the key was created.
"chained" marks that the file holds a sequence of public keys (the first is our public key, the rest is what came from the company that issued it).
"crt" marks that it is a certificate (a public key with a technical description attached).
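The naming scheme above implies two things worth checking before pointing smtpd_tls_key_file and smtpd_tls_cert_file at the files: the chained file must start with our own certificate and continue with the issuer's certificates, and the key file must stay private. The script below is an added example, not from the article; the PEM blocks in it are constructed placeholders rather than real keys or certificates, and the file names follow the article's /etc/ssl/domain1.com.2018.* convention in a temporary directory.

```sh
#!/bin/sh
# Assemble and sanity-check the two files named in the Postfix lines above:
#   <domain>.<year>.key          the private key, created locally and never sent away
#   <domain>.<year>.chained.crt  our certificate first, then the issuer's intermediates
# The PEM blocks below are constructed placeholders, not real key material;
# the checks only look at structure, ordering and permissions.

WORK=$(mktemp -d)
DOMAIN=domain1.com
YEAR=2018

# Constructed stand-ins for the locally generated key, the certificate the
# CA returned for our request, and the extra certificate the CA sent along.
printf -- '-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-KEY\n-----END PRIVATE KEY-----\n' \
    > "$WORK/$DOMAIN.$YEAR.key"
printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTED-LEAF-%s\n-----END CERTIFICATE-----\n' "$DOMAIN" \
    > "$WORK/$DOMAIN.$YEAR.crt"
printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTED-INTERMEDIATE\n-----END CERTIFICATE-----\n' \
    > "$WORK/ca_intermediate.crt"

# build_chain OUT LEAF INTERMEDIATE...
# Writes OUT with the leaf first and the intermediates after it, which is
# the order a TLS server has to present them.
build_chain() {
    out=$1; shift
    cat "$@" > "$out"
}

# count_certs FILE : number of PEM certificate blocks in FILE
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# first_cert FILE : prints only the first PEM certificate block of FILE
first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { if (p) exit }' "$1"
}

# chain_ok CHAIN LEAF : succeeds when CHAIN starts with LEAF and carries
# at least one more certificate (the intermediate the CA supplied)
chain_ok() {
    [ "$(first_cert "$1")" = "$(cat "$2")" ] && [ "$(count_certs "$1")" -ge 2 ]
}

# key_is_private FILE : succeeds when FILE is a PEM private key that is
# not readable by "others" (only root, on behalf of Postfix, needs it)
key_is_private() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" &&
    [ "$(ls -l "$1" | cut -c8)" = - ]
}

build_chain "$WORK/$DOMAIN.$YEAR.chained.crt" "$WORK/$DOMAIN.$YEAR.crt" "$WORK/ca_intermediate.crt"
chmod 600 "$WORK/$DOMAIN.$YEAR.key"

# With real files the same chain is verified cryptographically with:
#   openssl verify -untrusted ca_intermediate.crt domain1.com.2018.crt
if chain_ok "$WORK/$DOMAIN.$YEAR.chained.crt" "$WORK/$DOMAIN.$YEAR.crt" \
   && key_is_private "$WORK/$DOMAIN.$YEAR.key"; then
    echo "chain order and key permissions look right"
fi
```

A chain with the intermediate pasted above the leaf is the most common mistake here; clients then see the wrong certificate first and fail the handshake, which chain_ok catches before Postfix is restarted.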

smtp_bind_address = XX.XX.XX.X0
smtp_bind_address6 = XXXX:XXXX:XXXX:XXXX:1:1:1:1

This setting is not used in this case; it is written down as an example.

Because a mistake in this setting will lead to spam being sent from your server (without you wanting it).

And then go and prove to everyone that you are not to blame.

recipient_delimiter = +

Many may not know it, but this is standard mail behaviour, and most modern mail servers support it.

For example, if you have a mailbox "[email protected]", try sending to "[email protected]" and see what arrives in it.

inet_protocols = ipv4

This may be confusing.

But it is not that simple. Every new domain is IPv4-only by default, and then I enable IPv6 for each of them separately.

virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf

Here we specify that all incoming mail goes to dovecot.
And the rules for domains, mailboxes and aliases are looked up in the database.

/etc/postfix/mysql-virtual-mailbox-domains.cf

user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT 1 FROM virtual_domains WHERE name='%s'

/etc/postfix/mysql-virtual-mailbox-maps.cf

user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT 1 FROM virtual_users WHERE email='%s'

/etc/postfix/mysql-virtual-alias-maps.cf

user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT destination FROM virtual_aliases WHERE source='%s'
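How recipient_delimiter = + and the three mysql maps above fit together is easiest to see as a lookup order: Postfix checks the domain against virtual_mailbox_domains, then looks the full recipient up in the alias and mailbox maps, then repeats the lookup with the "+extension" stripped. The script below is an added model of that order, not code from the article or from Postfix; it replaces the MySQL tables with constructed in-memory rows (the domain names follow the article, the mailboxes and aliases are invented) so it runs offline.

```sh
#!/bin/sh
# Model of how recipient_delimiter = + interacts with the virtual_* lookups:
# Postfix first looks up the full address, then the address with the
# "+extension" removed, so box+anything@domain1.com lands in box@domain1.com
# without any extra alias rows. Tables below are constructed stand-ins for
# virtual_domains.name, virtual_users.email and virtual_aliases(source, destination).

DOMAINS='domain1.com
domain2.com'
USERS='box@domain1.com
info@domain2.com'
ALIASES='postmaster@domain1.com box@domain1.com
sales@domain2.com info@domain2.com'

# strip_extension ADDR : removes "+extension" from the local part, which is
# what recipient_delimiter = + makes Postfix do for the second lookup
strip_extension() {
    local_part=${1%@*}
    domain=${1#*@}
    printf '%s@%s\n' "${local_part%%+*}" "$domain"
}

# in_list LIST KEY : succeeds when KEY is exactly one line of LIST
in_list() {
    printf '%s\n' "$1" | grep -qxF -- "$2"
}

# alias_target KEY : prints the destination for KEY from ALIASES, if any
# (the role of the query in mysql-virtual-alias-maps.cf)
alias_target() {
    printf '%s\n' "$ALIASES" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# resolve_recipient ADDR : prints the mailbox ADDR is finally delivered to,
# "reject" when the domain is ours but nothing matches (User unknown), or
# "not-our-domain" when virtual_mailbox_domains does not know the domain.
resolve_recipient() {
    addr=$1
    domain=${addr#*@}
    if ! in_list "$DOMAINS" "$domain"; then
        echo not-our-domain
        return
    fi
    for candidate in "$addr" "$(strip_extension "$addr")"; do
        target=$(alias_target "$candidate")
        if [ -n "$target" ]; then
            candidate=$target
        fi
        if in_list "$USERS" "$candidate"; then
            echo "$candidate"
            return
        fi
    done
    echo reject
}

# Demonstration on the constructed tables.
resolve_recipient 'box+newsletter@domain1.com'
resolve_recipient 'postmaster+abuse@domain1.com'
resolve_recipient 'nobody@domain1.com'
```

The same order is what `postmap -q "box+x@domain1.com" mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf` exercises on the live server, one lookup at a time.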

# SMTP-Auth settings
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

Now postfix knows that mail may be accepted for onward delivery only after authentication with dovecot.

Honestly, I do not understand why this is duplicated here. We have already specified everything needed in "virtual_transport".

But the postfix system is very old; it is probably a relic of ancient times.

smtpd_recipient_restrictions =
        ...

smtpd_helo_restrictions =
        ...

smtpd_client_restrictions =
        ...

This can be configured differently for each mail server.

I have 3 mail servers on my hands and these settings differ greatly because of different usage requirements.

You need to configure this carefully, otherwise spam will pour in on you or, even worse, spam will flow out of you.

# SPF
policyd-spf_time_limit = 3600

A setting for the plugin that performs SPF checks on incoming letters.

# OpenDKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:var/run/opendkim/opendkim.sock

The setting means we must attach a DKIM signature to all outgoing mail.

# IP address per domain
sender_dependent_default_transport_maps = pcre:/etc/postfix/sdd_transport.pcre

This is the key detail in mail handling when letters are sent from PHP scripts.

File "/etc/postfix/sdd_transport.pcre":

/^[email protected]$/ domain1:
/^[email protected]$/ domain2:
/^[email protected]$/ domain3:
/@domain1.com$/             domain1:
/@domain2.com$/             domain2:
/@domain3.com$/             domain3:

On the left are regular expressions. On the right is a label that tags the letter.
Based on that label, postfix will apply some additional configuration lines to that particular letter.

How exactly postfix is reconfigured for a particular letter will be shown in "master.cf".

Lines 4, 5 and 6 are the main ones. Whichever domain we send the letter on behalf of, we assign that label.
But the "from" field is not always set in PHP scripts in old code. Then the user name comes to the rescue.

The article is already long; I would not want to get sidetracked into setting up nginx+fpm.

In short, for each site we set up its own Linux user, and accordingly its own fpm-pool.

An fpm-pool uses whichever php version it is given (it is great that on a single server you can use different php versions and even different php.ini files for neighbouring sites without any problems).

So the particular Linux user "www-domain2" owns the site domain2.com. This site has code that sends emails without specifying the from field.

Even in that case the letters will be sent correctly and will never end up in spam.
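The pcre table is walked top to bottom and the first matching pattern wins, which is why the three user-name rules have to stand above the three domain rules: a PHP script running as www-domain2 that sends without a From header gets an envelope sender of the form user@myhostname, and if the machine's hostname is under domain1.com the domain rule would otherwise claim it for the domain1 transport. The script below is an added model of that lookup, not the article's or Postfix's code; the user-name addresses in the article are obfuscated on this page, so the copy of the table here uses constructed placeholders and assumes myhostname = mail.domain1.com.

```sh
#!/bin/sh
# Model of the sender_dependent_default_transport_maps lookup: Postfix walks
# the pcre table from the top and uses the label of the first pattern that
# matches the envelope sender. pcre tables match case-insensitively by
# default, so the check below uses grep -i as well.
# The table is a constructed copy of the article's (user addresses assumed
# to be <linux-user>@mail.domain1.com; dots escaped for clarity).

TABLE=$(mktemp)
cat > "$TABLE" <<'EOF'
/^www-domain1@mail\.domain1\.com$/ domain1:
/^www-domain2@mail\.domain1\.com$/ domain2:
/^www-domain3@mail\.domain1\.com$/ domain3:
/@domain1\.com$/             domain1:
/@domain2\.com$/             domain2:
/@domain3\.com$/             domain3:
EOF

# resolve_transport SENDER TABLE : prints the transport label of the first
# matching rule, or "default" when no rule matches (default_transport applies)
resolve_transport() {
    sender=$1
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        pattern=${line%%/ *}      # everything up to the closing slash
        pattern=${pattern#/}      # drop the opening slash
        label=${line##* }         # last word on the line, e.g. "domain2:"
        if printf '%s\n' "$sender" | grep -Eiq -- "$pattern"; then
            printf '%s\n' "${label%:}"
            return
        fi
    done < "$2"
    echo default
}

# The interesting case: a user-name sender under the domain1.com hostname
# must reach the domain2 transport, not domain1.
resolve_transport 'www-domain2@mail.domain1.com' "$TABLE"
resolve_transport 'someone@domain3.com' "$TABLE"
```

On a live server `postmap -q www-domain2@mail.domain1.com pcre:/etc/postfix/sdd_transport.pcre` gives the same answer for the real table; if it prints domain1 instead, the rule order is wrong.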

My "/etc/postfix/master.cf" looks like this:

...
smtp      inet  n       -       y       -       -       smtpd
  -o content_filter=spamassassin
...
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
...
policyd-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/bin/policyd-spf

spamassassin unix -     n       n       -       -       pipe
    user=spamd argv=/usr/bin/spamc -f -e
    /usr/sbin/sendmail -oi -f ${sender} ${recipient}
...
domain1  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X1
   -o smtp_helo_name=domain1.com
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:1:1
   -o syslog_name=postfix-domain1

domain2  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X5
   -o smtp_helo_name=domain2.com
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:2:1:1
   -o syslog_name=postfix-domain2

domain3  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X2
   -o smtp_helo_name=domain3
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:5:1
   -o syslog_name=postfix-domain3

The file is not given in full; it has grown very large.
I have noted only what was changed.

smtp      inet  n       -       y       -       -       smtpd
  -o content_filter=spamassassin
...
spamassassin unix -     n       n       -       -       pipe
    user=spamd argv=/usr/bin/spamc -f -e
    /usr/sbin/sendmail -oi -f ${sender} ${recipient}

These are the settings related to spamassassin; more on that later.

submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

We allow connecting to the mail server on port 587.
To do so, you must authenticate.

policyd-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/bin/policyd-spf

Enabling the SPF check.

apt-get install postfix-policyd-spf-python

Installing the package for the SPF check above.

domain1  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X1
   -o smtp_helo_name=domain1.com
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:1:1
   -o syslog_name=postfix-domain1

And this is the most interesting part. It is the ability to send letters for a specific domain from a specific IPv4/IPv6 address.

This is done for the sake of rDNS. rDNS is the procedure of obtaining a name from an IP address.
For mail, this feature is used to verify that helo exactly matches the rDNS of the address the email was sent from.

If helo does not match the domain of the email on whose behalf the letter was sent, spam points are awarded.

If helo does not match rDNS, many spam points are awarded.
Accordingly, each domain must have its own IP address.
At OVH, rDNS can be set in the control panel.
At tech.ru, the issue is solved through support.
At AWS, the issue is solved through support.
"inet_protocols" and "smtp_bind_address6" provide IPv6 support.
For IPv6 you also need to register rDNS.
"syslog_name" is there to make the logs easier to read.
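The two checks just described (helo against the sender's domain, helo against the PTR record of the sending IP) are simple to write down, and doing so makes it clear why every domain in master.cf gets its own smtp_bind_address and smtp_helo_name. The script below is an added checker, not the article's code and not what any particular receiving server runs; it uses a constructed IP-to-PTR table (documentation addresses from 192.0.2.0/24) so it works offline, and live_ptr shows how the same lookup is done with dig on a real host.

```sh
#!/bin/sh
# Consistency a receiving server checks on our outgoing connections: the
# name announced in HELO must belong to the domain the mail is sent on
# behalf of, and the PTR record of the sending IP must resolve to that
# same name. PTR_TABLE is a constructed stand-in for the rDNS records the
# hosting provider sets up for each sending address.

PTR_TABLE='192.0.2.1 domain1.com
192.0.2.5 domain2.com
192.0.2.2 mail.domain3.com'

# ptr_of IP : PTR name from the constructed table (empty when none)
ptr_of() {
    printf '%s\n' "$PTR_TABLE" | awk -v ip="$1" '$1 == ip { print $2; exit }'
}

# live_ptr IP : real reverse lookup for use on a host that has dig
live_ptr() {
    command -v dig >/dev/null 2>&1 || return 2
    dig +short -x "$1" | sed 's/\.$//'
}

# audit_sender IP HELO SENDER_DOMAIN
# Prints "ok" when everything lines up, otherwise the mismatches a spam
# filter would score, separated by spaces:
#   helo-not-in-sender-domain  HELO is neither the domain nor a host inside it
#   no-ptr                     the IP has no reverse record at all
#   helo-ptr-mismatch          a PTR exists but differs from HELO
audit_sender() {
    ip=$1; helo=$2; domain=$3
    problems=
    case $helo in
        "$domain"|*".$domain") ;;
        *) problems="$problems helo-not-in-sender-domain" ;;
    esac
    ptr=$(ptr_of "$ip")
    if [ -z "$ptr" ]; then
        problems="$problems no-ptr"
    elif [ "$ptr" != "$helo" ]; then
        problems="$problems helo-ptr-mismatch"
    fi
    if [ -z "$problems" ]; then
        echo ok
    else
        echo "${problems# }"
    fi
}

# One transport per domain, each bound to its own address (as in master.cf):
audit_sender 192.0.2.1 domain1.com domain1.com
# What happens when domain2 mail leaves through domain1's address instead:
audit_sender 192.0.2.1 domain1.com domain2.com
```

Run against the real addresses with live_ptr substituted for ptr_of, the second call is the situation a single shared IP produces for every domain but one, which is the author's reason for one IP per domain.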

I recommend buying certificates here.

Setting up postfix+dovecot: here.

Setting up SPF.

============ Dovecot =============

apt-get install dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-mysql dovecot-antispam

Setting up mysql; installing the packages themselves.

File "/etc/dovecot/conf.d/10-auth.conf"

disable_plaintext_auth = yes
auth_mechanisms = plain login

Only encrypted authentication.

File "/etc/dovecot/conf.d/10-mail.conf"

mail_location = maildir:/var/mail/vhosts/%d/%n

Here we specify where the letters are stored.

I want them stored as files and grouped by domain.

File "/etc/dovecot/conf.d/10-master.conf"

service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    address = XX.XX.XX.X1, XX.XX.XX.X2, XX.XX.XX.X5, [XXXX:XXXX:XXXX:XXXX:1:1:1:1], [XXXX:XXXX:XXXX:XXXX:1:2:1:1], [XXXX:XXXX:XXXX:XXXX:1:1:5:1]
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    address = XX.XX.XX.X1, XX.XX.XX.X2, XX.XX.XX.X5, [XXXX:XXXX:XXXX:XXXX:1:1:1:1], [XXXX:XXXX:XXXX:XXXX:1:2:1:1], [XXXX:XXXX:XXXX:XXXX:1:1:5:1]
    port = 995
    ssl = yes
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
service imap {
}
service pop3 {
}
service auth {
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }

  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
  user = dovecot
}
service auth-worker {
  user = vmail
}
service dict {
  unix_listener dict {
  }
}

This is the main dovecot configuration file.
Here we disable the insecure connections.
And enable the secure ones.

File "/etc/dovecot/conf.d/10-ssl.conf"

ssl = required
ssl_cert = </etc/nginx/ssl/domain1.com.2018.chained.crt
ssl_key = </etc/nginx/ssl/domain1.com.2018.key
local XX.XX.XX.X5 {
  ssl_cert = </etc/nginx/ssl/domain2.com.2018.chained.crt
  ssl_key =  </etc/nginx/ssl/domain2.com.2018.key
}

Setting up ssl. We specify that ssl is required.
And the certificate itself. An important detail is the "local" directive. It indicates which SSL certificate to use when a connection arrives on which local IPv4 address.

By the way, IPv6 is not configured here; I will fix this omission later.
XX.XX.XX.X5 (domain2): there is no certificate. To connect, clients must specify domain1.com.
XX.XX.XX.X2 (domain3): there is a certificate; clients may specify domain1.com or domain3.com to connect.

File "/etc/dovecot/conf.d/15-lda.conf"

protocol lda {
  mail_plugins = $mail_plugins sieve
}

This will be needed for spamassassin later.

File "/etc/dovecot/conf.d/20-imap.conf"

protocol imap {
  mail_plugins = $mail_plugins antispam
}

This is the antispam plugin. It is needed to train spamassassin when letters are moved to/from the "Spam" folder.

File "/etc/dovecot/conf.d/20-pop3.conf"

protocol pop3 {
}

There is such a file as well.

File "/etc/dovecot/conf.d/20-lmtp.conf"

protocol lmtp {
  mail_plugins = $mail_plugins sieve
  postmaster_address = [email protected]
}

Setting up lmtp.

File "/etc/dovecot/conf.d/90-antispam.conf"

plugin {
  antispam_backend = pipe
  antispam_trash = Trash;trash
  antispam_spam = Junk;Spam;SPAM
  antispam_pipe_program_spam_arg = --spam
  antispam_pipe_program_notspam_arg = --ham
  antispam_pipe_program = /usr/bin/sa-learn
  antispam_pipe_program_args = --username=%Lu
}

Settings for training spamassassin when letters are moved to/from the Spam folder.

File "/etc/dovecot/conf.d/90-sieve.conf"

plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_after = /var/lib/dovecot/sieve/default.sieve
}

The file that determines what to do with incoming letters.

File "/var/lib/dovecot/sieve/default.sieve"

require ["fileinto", "mailbox"];

if header :contains "X-Spam-Flag" "YES" {
        fileinto :create "Spam";
}

You need to compile the file: "sievec default.sieve".
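The sieve rule above acts on one header that spamc inserts when the score crosses the threshold, and it looks only at the header section of the message, never at the body. The script below is an added model of that decision, not the article's or Dovecot's code; it runs the same test over constructed messages so the rule's behaviour (including a folded header and a body that merely mentions the flag) can be seen without a running Dovecot or SpamAssassin.

```sh
#!/bin/sh
# Model of default.sieve: a message whose header section contains
# "X-Spam-Flag: YES" (what spamc adds above the threshold) is filed into
# "Spam", everything else stays in INBOX. Like sieve's header test, the
# comparison is case-insensitive, folded header lines are joined, and
# nothing after the first blank line (the body) is inspected.
# The messages are constructed samples.

WORK=$(mktemp -d)
printf 'From: a@domain2.com\nTo: box@domain1.com\nX-Spam-Flag: YES\nX-Spam-Status: Yes, score=7.2\nSubject: hi\n\nbody\n' \
    > "$WORK/spam.eml"
printf 'From: a@domain2.com\nTo: box@domain1.com\nX-Spam-Flag: NO\nSubject: hi\n\nX-Spam-Flag: YES\n' \
    > "$WORK/ham.eml"
printf 'From: a@domain2.com\nX-Spam-Flag:\n YES\nSubject: folded\n\nbody\n' \
    > "$WORK/folded.eml"
printf 'From: a@domain2.com\nSubject: no flag at all\n\nbody\n' \
    > "$WORK/unflagged.eml"

# folder_for FILE : prints the folder the sieve rule would choose
folder_for() {
    awk '
        /^$/ { exit }                          # blank line ends the headers
        /^[ \t]/ { hdr = hdr $0; next }        # folded continuation line
        { if (hdr != "") check(hdr); hdr = $0 }
        END {
            if (hdr != "") check(hdr)
            print (spam ? "Spam" : "INBOX")
        }
        function check(h) {
            if (tolower(h) ~ /^x-spam-flag:.*yes/) spam = 1
        }
    ' "$1"
}

for f in spam ham folded unflagged; do
    printf '%s -> %s\n' "$f" "$(folder_for "$WORK/$f.eml")"
done
```

The "ham" sample is the important one: a body that contains the literal text "X-Spam-Flag: YES" does not move the message, because the rule only reads headers that SpamAssassin itself wrote.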

File "/etc/dovecot/conf.d/auth-sql.conf.ext"

passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
}

We specify the sql files for authentication.
And the file itself is used as the authentication method.

File "/etc/dovecot/dovecot-sql.conf.ext"

driver = mysql
connect = host=127.0.0.1 dbname=servermail user=usermail password=password
default_pass_scheme = SHA512-CRYPT
password_query = SELECT email as user, password FROM virtual_users WHERE email='%u';

This corresponds to the similar settings for postfix.

File "/etc/dovecot/dovecot.conf"

protocols = imap lmtp pop3
listen = *, ::
dict {
}
!include conf.d/*.conf
!include_try local.conf

The main configuration file.
The important thing here is to add the protocols.

============ SpamAssassin =============

apt-get install spamassassin spamc

Installing the packages.

adduser spamd --disabled-login

Adding the user on whose behalf it will run.

systemctl enable spamassassin.service

Enabling automatic start of the spamassassin service at boot.

File "/etc/default/spamassassin":

CRON=1

This enables the automatic rule updates that come "by default".

File "/etc/spamassassin/local.cf":

report_safe 0

use_bayes          1
bayes_auto_learn   1
bayes_auto_expire  1
bayes_store_module Mail::SpamAssassin::BayesStore::MySQL
bayes_sql_dsn      DBI:mysql:sa:localhost:3306
bayes_sql_username sa
bayes_sql_password password

You need to create a database "sa" in mysql with a user "sa" and the password "password" (replace it with something sensible).

report_safe: this option would send a report about the spam letter instead of the letter itself (it is disabled here with 0).
use_bayes: these are spamassassin's machine-learning settings.

The other spamassassin settings were used earlier in the article.

General configuration of "spamassassin".
On moving new spam emails to the IMAP "Spam" folder.
On simple integration of Dovecot + SpamAssassin.
I recommend reading the theory of training spamassassin when letters are moved between imap folders (and I do not recommend using it).

=========== Call to the community ===============

I would also like to throw an idea to the community on how to raise the security level of forwarded mail, since I have dived deep into the mail topic.

The idea: the user creates two keys on the client (outlook, thunderbird, browser plugin, ...): a public one and a private one. The public one is published in DNS. The private one is stored on the client. Mail servers could then use the public key when sending to a specific recipient.

And to protect against spam with such letters (yes, the mail server cannot inspect the content), 3 rules need to be introduced:

  1. Mandatory DKIM signature, mandatory SPF, mandatory rDNS.
  2. A neural network for antispam training, plus its database, on the client side.
  3. The encryption algorithm must be such that the sending side has to spend 100 times more CPU power on encryption than the receiving side.

Besides public letters, develop a standard proposal letter "to start secure correspondence". One of the users (mailbox) sends a letter with an attachment to another mailbox. The letter contains a text proposal to start a secure communication channel for correspondence and the public key of the mailbox owner (with the private key kept on the client side).

You can also make a key pair specifically for each correspondence. The receiving user can accept this offer and send back a public key (made specifically for this correspondence). Next, the first user sends a service control letter (encrypted with the second user's public key); upon receiving it, the second user can consider the secure communication channel established. Then the second user sends a control letter, and the first user can also consider the channel established.

To counter interception of keys in transit, the protocol must provide for transmitting at least one public key via a flash drive.

And most importantly, so that it all works (the question being "who will pay for it?"):
Introduce mail certificates starting from $10 for 3 years, which would allow a sender to indicate in dns that "my public keys are there" and would give you the right to initiate secure connections. At the same time, accepting such connections is free.
gmail will finally monetise its users. For $10 per 3 years, the right to create secure channels.

=========== Conclusion =============

To test the whole article, I planned to rent a dedicated server for a month and buy a domain with an SSL certificate.

But life circumstances turned out such that this dragged on for 2 months.
So when I had free time again, I decided to publish the article as is, rather than risk the publication dragging on for another year.

If there are many questions of the kind "but this is not described in enough detail", then there will probably be enough energy to take a dedicated server with a new domain and a new SSL certificate, describe everything in detail again and, most importantly, find all the important details that are missing.

I would also like feedback on the mail certificates idea. If you like the idea, I will try to find the strength to write a draft rfc.

When copying large parts of the article, provide a link to this article.
When translating into any language, provide a link to this article.
I will try to translate it into English myself and leave cross-links.


source: www.habr.com
