This article is about how to set up a modern mail server.
Postfix + Dovecot. SPF + DKIM + rDNS. With IPv6.
With TLS encryption. With support for multiple domains, some of them with a real SSL certificate.
With antispam protection and a high antispam rating with other mail servers.
With support for multiple physical interfaces.
With OpenVPN, connecting over IPv4 and providing IPv6.
If you don't want to learn all of these technologies but do want to set up such a server, then this article is for you.
The article doesn't try to explain every detail. The explanation covers what is not configured by default, or what matters from the consumer's point of view.
Setting up a mail server has been a long-standing dream of mine. That may sound silly, but IMHO it is better than dreaming of a new car from your favourite brand.
There are two motives for setting up IPv6. An IT specialist has to keep learning new technologies to survive. And I'd like to make my modest contribution to the fight against censorship.
The motive for setting up OpenVPN is solely to get working IPv6 on my local machine.
The motive for setting up several physical interfaces is that my server has one interface that is "slow but unlimited" and another that is "fast but metered".
The motive for setting up Bind is that my ISP provides an unstable DNS server, and Google's goes down sometimes too. I want a stable DNS server for personal use.
The motive for writing the article: I wrote a draft 10 months ago and have looked at it twice since. Even if only the author needs it, most likely somebody else will too.
There is no universal recipe for a mail server. But I'll try to write something like "do this, and then, once everything works as it should, throw away the extras."
tech.ru is a colocation provider. It can be compared with OVH, Hetzner, AWS. For this task, working with tech.ru is much more convenient.
Debian 9 is installed on the server.
The server has 2 interfaces, eno1 and eno2. The first is unlimited, the second is fast.
There are 3 static IP addresses: XX.XX.XX.X0, XX.XX.XX.X1 and XX.XX.XX.X2 on eno1, and XX.XX.XX.X5 on eno2.
There is XXXX:XXXX:XXXX:XXXX::/64, a pool of IPv6 addresses assigned to the eno1 interface, and out of it XXXX:XXXX:XXXX:XXXX:1:2::/96 assigned to eno2 at my request.
There are 3 domains, domain1.com, domain2.com, domain3.com. There is an SSL certificate for domain1.com and domain3.com.
I have a Google account to which I want to link the mailbox [email protected] (receiving mail, and sending it directly from the gmail interface).
There must be a mailbox [email protected], a copy of whose mail I want to see in my gmail. And, rarely, the ability to send something on behalf of [email protected] via the web interface.
There must be a mailbox [email protected] that Ivanov will use from his iPhone.
Outgoing mail must meet all modern antispam requirements.
There must be the highest level of encryption available on public networks.
There must be IPv6 support for both sending and receiving mail.
There must be a SpamAssassin that does not delete mail. It either bounces a message, lets it through, or puts it in the "Spam" IMAP folder.
SpamAssassin self-learning must be set up: if I move a message into the Spam folder, it learns from that; if I move a message out of the Spam folder, it learns from that too. The training results must affect whether mail ends up in the Spam folder.
PHP scripts must be able to send mail on behalf of any domain on the server.
There must be an openvpn service, with the ability to use IPv6 on a client that has no IPv6 of its own.
First you need to configure the interfaces and routing, including IPv6.
Then you need to configure OpenVPN, connecting over IPv4 and giving the client a real IPv6 address. That client will have access to all IPv6 services on the server and to IPv6 resources on the Internet.
Then you need to configure Postfix to send mail + SPF + DKIM + rDNS and various other small things.
Then you need to configure Dovecot and set up multidomain.
Then you need to configure SpamAssassin and set up training.
Finally, install Bind.
============= Multiple interfaces =============
To configure the interfaces, you need to put the following in "/etc/network/interfaces".
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
allow-hotplug eno1
iface eno1 inet static
address XX.XX.XX.X0/24
gateway XX.XX.XX.1
dns-nameservers 127.0.0.1 213.248.1.6
post-up ip route add XX.XX.XX.0/24 dev eno1 src XX.XX.XX.X0 table eno1t
post-up ip route add default via XX.XX.XX.1 table eno1t
post-up ip rule add table eno1t from XX.XX.XX.X0
post-up ip rule add table eno1t to XX.XX.XX.X0
auto eno1:1
iface eno1:1 inet static
address XX.XX.XX.X1
netmask 255.255.255.0
post-up ip rule add table eno1t from XX.XX.XX.X1
post-up ip rule add table eno1t to XX.XX.XX.X1
post-up ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t
post-down ip route del 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t
auto eno1:2
iface eno1:2 inet static
address XX.XX.XX.X2
netmask 255.255.255.0
post-up ip rule add table eno1t from XX.XX.XX.X2
post-up ip rule add table eno1t to XX.XX.XX.X2
iface eno1 inet6 static
address XXXX:XXXX:XXXX:XXXX:1:1::/64
gateway XXXX:XXXX:XXXX:XXXX::1
up ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE
up ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:2/64 dev $IFACE
down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE
down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:1:1:2/64 dev $IFACE
# The secondary network interface
allow-hotplug eno2
iface eno2 inet static
address XX.XX.XX.X5
netmask 255.255.255.0
post-up ip route add XX.XX.XX.0/24 dev eno2 src XX.XX.XX.X5 table eno2t
post-up ip route add default via XX.XX.XX.1 table eno2t
post-up ip rule add table eno2t from XX.XX.XX.X5
post-up ip rule add table eno2t to XX.XX.XX.X5
post-up ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X5 table eno2t
post-down ip route del 10.8.0.0/24 dev tun0 src XX.XX.XX.X5 table eno2t
iface eno2 inet6 static
address XXXX:XXXX:XXXX:XXXX:1:2::/96
up ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:2:1:1/64 dev $IFACE
up ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:2:1:2/64 dev $IFACE
down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:2:1:1/64 dev $IFACE
down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:2:1:2/64 dev $IFACE
# OpenVPN network
iface tun0 inet6 static
address XXXX:XXXX:XXXX:XXXX:1:3::/80
These settings can be applied on any tech.ru server (with a little coordination with support) and will immediately work as they should.
If you have experience setting up similar things at Hetzner or OVH, it is different there. More complicated.
eno1 is the name of network card #1 (slow but unlimited).
eno2 is the name of network card #2 (fast but metered).
tun0 is the name of the virtual network card from OpenVPN.
XX.XX.XX.X0 - IPv4 #1 on eno1.
XX.XX.XX.X1 - IPv4 #2 on eno1.
XX.XX.XX.X2 - IPv4 #3 on eno1.
XX.XX.XX.X5 - IPv4 #1 on eno2.
XX.XX.XX.1 - IPv4 gateway.
XXXX:XXXX:XXXX:XXXX::/64 - IPv6 for the whole server.
XXXX:XXXX:XXXX:XXXX:1:2::/96 - IPv6 for eno2; everything else from outside comes in through eno1.
XXXX:XXXX:XXXX:XXXX::1 - IPv6 gateway (note that this can be done differently: specify the IPv6 address of the switch).
dns-nameservers - 127.0.0.1 is listed (because bind is installed locally) and 213.248.1.6 (this one is from tech.ru).
"table eno1t" and "table eno2t" - the purpose of these routing rules is that traffic that came in through eno1 leaves through eno1, and traffic that came in through eno2 leaves through eno2. Connections initiated by the server go out through eno1 (the main table's default route).
ip route add default via XX.XX.XX.1 table eno1t
With this command we say that any traffic that was sent to "table eno1t" and matched no more specific route in it goes out through the eno1 interface via the gateway.
ip route add XX.XX.XX.0/24 dev eno1 src XX.XX.XX.X0 table eno1t
With this command we put the on-link route for the local /24 into table eno1t, so that the gateway and the other hosts in that subnet are reached directly on eno1, with XX.XX.XX.X0 as the preferred source address. (Traffic the server initiates itself is handled by the main table, which the "gateway" line above fills in.)
ip rule add table eno1t from XX.XX.XX.X0
ip rule add table eno1t to XX.XX.XX.X0
With these commands we add the policy-routing rules: packets whose source or destination is XX.XX.XX.X0 are looked up in table eno1t instead of the main table.
auto eno1:2
iface eno1:2 inet static
address XX.XX.XX.X2
netmask 255.255.255.0
post-up ip rule add table eno1t from XX.XX.XX.X2
post-up ip rule add table eno1t to XX.XX.XX.X2
This block configures one more IPv4 address (XX.XX.XX.X2, the third one) on the eno1 interface.
ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t
With this command we add a route to the OpenVPN clients' network in table eno1t, so that traffic from the server's public IPv4 addresses to the clients goes into the tunnel.
One entry per table is enough for all of the addresses, even though it only appears under eno1:1: every "from XX.XX.XX.Xn" rule above points at the same table, so a lookup in eno1t finds this route whichever of the three source addresses triggered it. The src option only sets the preferred source address; it does not restrict who may use the route.
iface eno1 inet6 static
address XXXX:XXXX:XXXX:XXXX:1:1::/64
gateway XXXX:XXXX:XXXX:XXXX::1
Here we set the interface's own address. The server uses it as its "outgoing" address. It isn't used in any other way.
Why such an elaborate ":1:1::"? So that OpenVPN works correctly, and for that reason only. More on this later.
On the subject of the gateway: this is how it works, and that is fine. But the right way is to specify the IPv6 address of the switch the server is connected to.
However, for some reason IPv6 stops working if I do that. Probably some tech.ru peculiarity.
ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE
This adds an IPv6 address to the interface. If you need a hundred addresses, that means a hundred such lines in this file.
iface eno1 inet6 static
address XXXX:XXXX:XXXX:XXXX:1:1::/64
...
iface eno2 inet6 static
address XXXX:XXXX:XXXX:XXXX:1:2::/96
...
iface tun0 inet6 static
address XXXX:XXXX:XXXX:XXXX:1:3::/80
I have listed the addresses and subnets of all the interfaces together for clarity.
eno1 - must be "/64", because that is our whole pool of addresses.
tun0 - must be a more specific subnet (a longer prefix) than eno1's. Otherwise an IPv6 gateway for the OpenVPN clients cannot be configured.
eno2 - must be a more specific subnet than tun0's. Otherwise the OpenVPN clients cannot reach the local IPv6 addresses on eno2.
The reason is longest-prefix matching: the kernel turns each address/prefix-length into an on-link route, and an address of XXXX:XXXX:XXXX:XXXX:1:3::/80 on tun0 yields the route XXXX:XXXX:XXXX:XXXX:1::/80, which already contains eno2's :1:2::/96. Only a longer prefix on eno2 wins that lookup.
For clarity I chose a subnet step of 16, but if you want, you can use a step of "1".
So 64+16 = 80, and 80+16 = 96. For more clarity:
XXXX:XXXX:XXXX:XXXX:1:1:YYYY:YYYY are addresses to be assigned to specific sites or services on the eno1 interface.
XXXX:XXXX:XXXX:XXXX:1:2:YYYY:YYYY are addresses to be assigned to specific sites or services on the eno2 interface.
XXXX:XXXX:XXXX:XXXX:1:3:YYYY:YYYY are addresses issued to OpenVPN clients and used as OpenVPN service addresses.
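Here is an added example (it is not from the original article) that models the lookup the kernel performs for the plan above, using Python's ipaddress module. The article's XXXX:XXXX:XXXX:XXXX prefix is replaced by the documentation prefix 2001:db8:0:1 purely so that the code runs; the three interface addresses keep the article's shape. It shows which interface a destination is routed to, that dropping the tun0 route sends a client address out through eno1, and that giving eno2 the same prefix length as tun0 makes the lookup ambiguous, which is the failure the text describes.

```python
import ipaddress

# Constructed stand-in for the article's address plan. The article's
# XXXX:XXXX:XXXX:XXXX prefix is replaced by the documentation prefix
# 2001:db8:0:1 so the code runs; the interface addresses keep the article's
# :1:1::/64, :1:3::/80 and :1:2::/96 shape.
PLAN = {
    "eno1": "2001:db8:0:1:1:1::/64",
    "tun0": "2001:db8:0:1:1:3::/80",
    "eno2": "2001:db8:0:1:1:2::/96",
}


def onlink_routes(plan):
    """Turn each 'address/len' interface setting into the on-link route the
    kernel installs for it. strict=False clears the host bits, as the kernel
    does: ...:1:3::/80 on tun0 produces a route for ...:1::/80."""
    return {iface: ipaddress.ip_network(addr, strict=False)
            for iface, addr in plan.items()}


def route_lookup(dst, plan=PLAN):
    """Longest-prefix match over the on-link routes.

    Returns the interface that wins, or None when no route matches or when
    two routes of equal length match (the kernel would then decide by metric
    or insertion order, which is the ambiguity the article warns about)."""
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, iface)
               for iface, net in onlink_routes(plan).items() if addr in net]
    if not matches:
        return None
    best = max(length for length, _ in matches)
    winners = [iface for length, iface in matches if length == best]
    return winners[0] if len(winners) == 1 else None


def check_plan(plan=PLAN):
    """The article's rule: tun0 strictly more specific than eno1 and inside it,
    eno2 strictly more specific than tun0 and inside it."""
    r = onlink_routes(plan)
    return (r["tun0"].subnet_of(r["eno1"]) and r["tun0"].prefixlen > r["eno1"].prefixlen
            and r["eno2"].subnet_of(r["tun0"]) and r["eno2"].prefixlen > r["tun0"].prefixlen)


if __name__ == "__main__":
    for iface, net in onlink_routes(PLAN).items():
        print(f"{iface:5} {PLAN[iface]:24} -> on-link route {net}")
    print("plan consistent:", check_plan())
    print("OpenVPN client ...:1:3::1006 ->", route_lookup("2001:db8:0:1:1:3::1006"))
    print("service on eno2 ...:1:2:1:1  ->", route_lookup("2001:db8:0:1:1:2:1:1"))
    # The two failure modes the article describes:
    no_tun = {k: v for k, v in PLAN.items() if k != "tun0"}
    print("client address without the tun0 route ->",
          route_lookup("2001:db8:0:1:1:3::1006", no_tun))
    flat = dict(PLAN, eno2="2001:db8:0:1:1:2::/80")
    print("eno2 as /80 (same length as tun0) ->",
          route_lookup("2001:db8:0:1:1:2:1:1", flat))
```

Addresses configured on the server itself (the :1:1:1:1 service addresses on eno1) are reached through the kernel's local table, so route_lookup only models forwarding to remote destinations. On the live server the same answer comes from "ip -6 route get <address>".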
To configure the network you have to be ready to reboot the server.
IPv4 changes are applied when the following is run (be sure to run it inside screen; otherwise, if the command fails, you lose network access to the server):
/etc/init.d/networking restart
Append to the end of the file "/etc/iproute2/rt_tables":
100 eno1t
101 eno2t
Without this you cannot refer to custom tables by name in "/etc/network/interfaces".
The numbers must be unique and must not collide with the reserved tables (253 default, 254 main, 255 local).
IPv6 changes can be applied without a reboot, but to do that you need to learn at least three commands:
ip -6 addr ...
ip -6 route ...
ip -6 neigh ...
Configuring "/etc/sysctl.conf":
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward = 1
# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0
# For receiving ARP replies
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.default.arp_filter = 0
# For sending ARP
net.ipv4.conf.all.arp_announce = 0
net.ipv4.conf.default.arp_announce = 0
# Enable IPv6
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0
# IPv6 configuration
net.ipv6.conf.all.autoconf = 1
net.ipv6.conf.all.accept_ra = 0
# For OpenVPN
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.proxy_ndp = 1
# For nginx on boot
net.ipv6.ip_nonlocal_bind = 1
These are the "sysctl" settings of my server. Let me point out the important ones.
net.ipv4.ip_forward = 1
Without this the kernel will not forward the OpenVPN clients' IPv4 traffic, so the VPN is useless.
net.ipv6.ip_nonlocal_bind = 1
Anything that tries to bind to an IPv6 address (nginx, for example) immediately after the interface comes up gets an error: the address is not available yet (IPv6 addresses stay tentative while duplicate address detection runs).
This setting exists to avoid that situation; it lets a process bind to an address that is not (yet) local.
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.proxy_ndp = 1
Without these two IPv6 settings, traffic from an OpenVPN client does not get out to the world: forwarding is obviously needed, and proxy_ndp lets the server answer Neighbor Solicitations for the clients' addresses, which the scripts in the OpenVPN section register.
The other settings are either irrelevant, or I do not remember why they are there.
But, just in case, I leave them "as is".
For the changes in this file to take effect without rebooting the server, run:
sysctl -p
More details about the "table" rules:
============= OpenVPN ==============
OpenVPN's IPv4 does not work without iptables: the clients' private 10.8.0.0/24 addresses have to be NATed to a public address.
Here are my iptables rules for the VPN:
iptables -A INPUT -p udp -s YY.YY.YY.YY --dport 1194 -j ACCEPT
iptables -A FORWARD -i tun0 -o eno1 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j SNAT --to-source XX.XX.XX.X0
##iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j DROP
iptables -A FORWARD -p udp --dport 1194 -j DROP
YY.YY.YY.YY is the static IPv4 address of my local machine.
10.8.0.0/24 is the OpenVPN IPv4 network, the IPv4 addresses of the openvpn clients.
The order of the rules matters.
iptables -A INPUT -p udp -s YY.YY.YY.YY --dport 1194 -j ACCEPT
iptables -A FORWARD -i tun0 -o eno1 -j ACCEPT
...
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j DROP
iptables -A FORWARD -p udp --dport 1194 -j DROP
This is the restriction that lets me use OpenVPN only from my static IP: the first rule accepts port 1194 from YY.YY.YY.YY, the ESTABLISHED,RELATED rules keep existing sessions working, and the two DROP rules at the end refuse port 1194 from everyone else. One thing to check: these rules match UDP, while the server.conf later in this section uses "proto tcp-server". The protocol in the firewall has to match the one OpenVPN listens on, otherwise the restriction does not apply to the port that is actually open.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j SNAT --to-source XX.XX.XX.X0
-- or --
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j MASQUERADE
To pass IPv4 packets between the OpenVPN clients and the Internet you have to register one of these two commands.
For different cases, one or the other option is appropriate.
Both commands fit my case.
After reading the documentation I chose the first, because it uses less CPU (SNAT uses a fixed address; MASQUERADE looks up the outgoing interface's address for every new connection, which matters mainly on interfaces whose address changes).
For the iptables settings to be reloaded after a reboot, you need to save them somewhere.
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6
Those names are not random. They are the ones the "iptables-persistent" package uses.
apt-get install iptables-persistent
Installing the main OpenVPN package:
apt-get install openvpn easy-rsa
Let's set up a template for the certificates (substitute your own values):
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
ln -s openssl-1.0.0.cnf openssl.cnf
Edit the default certificate settings:
mcedit vars
...
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="RU"
export KEY_PROVINCE="Krasnodar"
export KEY_CITY="Dinskaya"
export KEY_ORG="Own"
export KEY_EMAIL="[email protected]"
export KEY_OU="VPN"
# X509 Subject Field
export KEY_NAME="server"
...
Create the server certificate:
cd ~/openvpn-ca
source vars
./clean-all
./build-ca
./build-key-server server
./build-dh
openvpn --genkey --secret keys/ta.key
Let's prepare for creating the final "client-name.ovpn" files:
mkdir -p ~/client-configs/files
chmod 700 ~/client-configs/files
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
mcedit ~/client-configs/base.conf
# Client mode
client
# Interface tunnel type
dev tun
# TCP protocol
proto tcp-client
# Address/Port of VPN server
remote XX.XX.XX.X0 1194
# Don't bind to local port/address
nobind
# Don't need to re-read keys and re-create tun at restart
persist-key
persist-tun
# Remote peer must have a signed certificate
remote-cert-tls server
ns-cert-type server
# Enable compression
comp-lzo
# Custom
ns-cert-type server
tls-auth ta.key 1
cipher DES-EDE3-CBC
A few things to know about this base config: "proto tcp-client" must match the server's "proto" (it does here, tcp-server); "ns-cert-type server" is the deprecated predecessor of "remote-cert-tls server" and can be dropped (it is listed twice above); "comp-lzo" enables compression, which exposes the encrypted traffic to compression-oracle attacks (VORACLE) and is off by default in current OpenVPN; and "cipher DES-EDE3-CBC" is 3DES, see the note at the end of this section.
Let's prepare a script that merges all the files into one ovpn file.
mcedit ~/client-configs/make_config.sh
chmod 700 ~/client-configs/make_config.sh
#!/bin/bash
# First argument: Client identifier
KEY_DIR=~/openvpn-ca/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf
# Concatenate the base config with the CA, the client certificate, the client
# key and the tls-auth key, each wrapped in its inline tag, into one .ovpn file.
cat ${BASE_CONFIG} \
    <(echo -e '<ca>') \
    ${KEY_DIR}/ca.crt \
    <(echo -e '</ca>\n<cert>') \
    ${KEY_DIR}/${1}.crt \
    <(echo -e '</cert>\n<key>') \
    ${KEY_DIR}/${1}.key \
    <(echo -e '</key>\n<tls-auth>') \
    ${KEY_DIR}/ta.key \
    <(echo -e '</tls-auth>') \
    > ${OUTPUT_DIR}/${1}.ovpn
Creating the first OpenVPN client:
cd ~/openvpn-ca
source vars
./build-key client-name
cd ~/client-configs
./make_config.sh client-name
The file "~/client-configs/files/client-name.ovpn" is sent to the client.
For iOS clients you have to do the following:
The contents of the "tls-auth" tag must be without the comment lines.
And put "key-direction 1" before the "tls-auth" tag.
Setting up the OpenVPN server config:
cd ~/openvpn-ca/keys
cp ca.crt ca.key server.crt server.key ta.key dh2048.pem /etc/openvpn
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | tee /etc/openvpn/server.conf
mcedit /etc/openvpn/server.conf
# Listen port
port 1194
# Protocol
proto tcp-server
# IP tunnel
dev tun0
tun-ipv6
push tun-ipv6
# Master certificate
ca ca.crt
# Server certificate
cert server.crt
# Server private key
key server.key
# Diffie-Hellman parameters
dh dh2048.pem
# Allow clients to communicate with each other
client-to-client
# Client config dir
client-config-dir /etc/openvpn/ccd
# Run client-specific script on connection and disconnection
script-security 2
client-connect "/usr/bin/sudo -u root /etc/openvpn/server-clientconnect.sh"
client-disconnect "/usr/bin/sudo -u root /etc/openvpn/server-clientdisconnect.sh"
# Server mode and client subnets
server 10.8.0.0 255.255.255.0
server-ipv6 XXXX:XXXX:XXXX:XXXX:1:3::/80
topology subnet
# IPv6 routes
push "route-ipv6 XXXX:XXXX:XXXX:XXXX::/64"
push "route-ipv6 2000::/3"
# DNS (for Windows)
# These are OpenDNS
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
# Configure all clients to redirect their default network gateway through the VPN
push "redirect-gateway def1 bypass-dhcp"
# For iOS
push "redirect-gateway ipv6"
# Don't need to re-read keys and re-create tun at restart
persist-key
persist-tun
# Ping every 10s. Timeout of 120s.
keepalive 10 120
# Enable compression
comp-lzo
# User and group
user vpn
group vpn
# Log a short status
status openvpn-status.log
# Logging verbosity
##verb 4
# Custom config
tls-auth ta.key 0
cipher DES-EDE3-CBC
This is needed in order to set a static address for each client (not necessary, but I use it):
# Client config dir
client-config-dir /etc/openvpn/ccd
Now the most complicated details.
Unfortunately, OpenVPN cannot set up an IPv6 gateway for the clients on its own. The provider's /64 is on-link for eno1, so the upstream router sends a Neighbor Solicitation for every client address, and somebody on that link has to answer it; OpenVPN does not.
You have to do it "manually" for each client, which is what the connect/disconnect scripts below do with "ip -6 neigh add proxy". Because OpenVPN drops privileges to user vpn (the "user vpn" / "group vpn" lines above), the scripts are called through sudo; that only works with a sudoers entry allowing user vpn to run exactly these two scripts as root without a password, which is not shown here.
# Run client-specific script on connection and disconnection
script-security 2
client-connect "/usr/bin/sudo -u root /etc/openvpn/server-clientconnect.sh"
client-disconnect "/usr/bin/sudo -u root /etc/openvpn/server-clientdisconnect.sh"
File "/etc/openvpn/server-clientconnect.sh":
#!/bin/sh
# Check client variables
if [ -z "$ifconfig_pool_remote_ip" ] || [ -z "$common_name" ]; then
echo "Missing environment variable."
exit 1
fi
# Load server variables
. /etc/openvpn/variables
ipv6=""
# Find out if there is a specific config with fixed IPv6 for this client
if [ -f "/etc/openvpn/ccd/$common_name" ]; then
# Get fixed IPv6 from client config file
ipv6=$(sed -nr 's/^.*ifconfig-ipv6-push[ \t]+([0-9a-fA-F:]+).*$/\1/p' "/etc/openvpn/ccd/$common_name")
echo $ipv6
fi
# Get IPv6 from IPv4
if [ -z "$ipv6" ]; then
ipp=$(echo "$ifconfig_pool_remote_ip" | cut -d. -f4)
if ! [ "$ipp" -ge 2 -a "$ipp" -le 254 ] 2>/dev/null; then
echo "Invalid IPv4 part."
exit 1
fi
hexipp=$(printf '%x' $ipp)
ipv6="$prefix$hexipp"
fi
# Create proxy rule
/sbin/ip -6 neigh add proxy $ipv6 dev eno1
File "/etc/openvpn/server-clientdisconnect.sh":
#!/bin/sh
# Check client variables
if [ -z "$ifconfig_pool_remote_ip" ] || [ -z "$common_name" ]; then
echo "Missing environment variable."
exit 1
fi
# Load server variables
. /etc/openvpn/variables
ipv6=""
# Find out if there is a specific config with fixed IPv6 for this client
if [ -f "/etc/openvpn/ccd/$common_name" ]; then
# Get fixed IPv6 from client config file
ipv6=$(sed -nr 's/^.*ifconfig-ipv6-push[ \t]+([0-9a-fA-F:]+).*$/\1/p' "/etc/openvpn/ccd/$common_name")
fi
# Get IPv6 from IPv4
if [ -z "$ipv6" ]; then
ipp=$(echo "$ifconfig_pool_remote_ip" | cut -d. -f4)
if ! [ "$ipp" -ge 2 -a "$ipp" -le 254 ] 2>/dev/null; then
echo "Invalid IPv4 part."
exit 1
fi
hexipp=$(printf '%x' $ipp)
ipv6="$prefix$hexipp"
fi
# Delete proxy rule
/sbin/ip -6 neigh del proxy $ipv6 dev eno1
Both scripts use the file "/etc/openvpn/variables":
# Subnet
prefix=XXXX:XXXX:XXXX:XXXX:2:
# netmask
prefixlen=112
It is hard to remember why it is written this way.
Right now netmask = 112 looks odd (it should be 96 there).
And the prefix is odd too: it does not match the tun0 network.
But fine, I'll leave it as it is.
Two things worth checking if you reuse this: the scripts only read $prefix, so prefixlen has no effect at all; and a prefix ending in a single colon, as printed here, gives "$prefix$hexipp" only six groups, which is not a valid IPv6 address, so "ip -6 neigh add proxy" rejects it. The prefix has to contain "::" (for example end in "2::"), and the resulting address has to be the one the client actually gets on its tun interface, otherwise the proxy entry answers for an address nobody uses. Compare "ip -6 neigh show proxy" on the server with the client's address.
cipher DES-EDE3-CBC
This is not for everyone; I chose this type of encryption for the connection myself. A caveat: DES-EDE3-CBC is 3DES, a cipher with a 64-bit block and a known birthday-bound attack (Sweet32) on long-lived, high-volume connections. With OpenVPN 2.4 on both sides (Debian 9 ships 2.4), cipher negotiation is on by default and the peers actually agree on AES-256-GCM; the "cipher" line is only the fallback for clients without negotiation. Prefer AES-256-GCM here, and confirm in the server log ("Data Channel" lines) which cipher is really in use.
============= Postfix =============
Installing the main package:
apt-get install postfix
During installation, choose "Internet Site".
My "/etc/postfix/main.cf" looks like this:
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
readme_directory = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtp_bind_address = XX.XX.XX.X0
smtp_bind_address6 = XXXX:XXXX:XXXX:XXXX:1:1:1:1
smtp_tls_security_level = may
smtp_tls_ciphers = export
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_loglevel = 1
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = domain1.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = domain1.com
mydestination = localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
internal_mail_filter_classes = bounce
# Storage type
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
# SMTP-Auth settings
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
#reject_invalid_hostname,
#reject_unknown_recipient_domain,
reject_unauth_destination,
reject_rbl_client sbl.spamhaus.org,
check_policy_service unix:private/policyd-spf
smtpd_helo_restrictions =
#reject_invalid_helo_hostname,
#reject_non_fqdn_helo_hostname,
reject_unknown_helo_hostname
smtpd_client_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_non_fqdn_helo_hostname,
permit
# SPF
policyd-spf_time_limit = 3600
# OpenDKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:var/run/opendkim/opendkim.sock
# IP address per domain
sender_dependent_default_transport_maps = pcre:/etc/postfix/sdd_transport.pcre
Let's look at the details of this config. Two of the client-side TLS lines deserve attention first: "smtp_tls_ciphers = export" allows export-grade ciphers when this server sends mail to others (Postfix's default is "medium", and there is no reason to go below it), and "smtp_tls_protocols = !SSLv2, !SSLv3" still allows TLS 1.0 and 1.1; "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1" is the sensible minimum today. Because "smtp_tls_security_level = may" is opportunistic, weak settings do not make delivery fail; they just make an "encrypted" hop weaker than it looks.
smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key
As Habr readers would say, this block contains "misleading information and incorrect statements". Only 8 years into my career did I begin to understand how SSL works.
So I'll take the liberty of explaining how SSL is used (without answering the questions "How does it work?" and "Why does it work?").
The basis of today's encryption is creating a key (two very long strings of characters).
One key is "private", the other is "public". We keep the private key strictly secret. We give the public key to everyone.
With the public key you can encrypt a text string that only the owner of the private key can decrypt.
That is the whole foundation of the technology. Step #1 - https sites.
When visiting a site, the browser learns from the web server that the site is https and therefore asks for a public key.
The web server hands over the public key. The browser uses the public key to encrypt the http request and sends it.
The content of the http request can be read only by those who have the private key, that is, only by the server that was asked.
An http request contains at least a URI. So if a country tries to restrict access not to a whole site but to a specific page, that is impossible for https sites. Step #2 - the encrypted response.
The web server returns a response that can easily be read along the way.
The solution is very simple: the browser generates the same kind of private/public key pair, a different one for each https site.
And when asking for the site's public key, it sends its own local public key along.
The web server remembers it and, when sending the http response, encrypts it with that client's public key.
Now the http response can be decrypted only by the owner of the client's private key (that is, by the client). Step #3 - establishing a secure connection over a public channel.
Example #2 has a vulnerability: nothing stops a man in the middle from intercepting the http request and replacing the public key information.
The intermediary then sees the content of every message sent and received, in the clear, until the channel is changed.
Dealing with this is very simple: just send the browser's public key as a message encrypted with the web server's public key.
The web server first sends back a message like "your public key is such-and-such" and encrypts it with that same public key.
The browser looks at the reply: if it gets the message "your public key is such-and-such", that is a 100% guarantee that this channel is secure.
How secure?
Setting up such a secure channel takes ping*2, for example 20 ms.
An attacker would have to have obtained the private key of one of the parties in advance. Or find a private key in a couple of milliseconds.
Cracking one modern private key takes years on a supercomputer. Step #4 - a public database of public keys.
Obviously, in this whole story there is a window for an attacker to sit in the channel between the client and the server.
He can impersonate the server to the client and the client to the server. And substitute both keys on both sides.
Then the attacker sees all the traffic and can "edit" it.
For example, change the account number to send money to, or copy the password from the online bank, or block "inconvenient" information.
To fight such attackers, a public database with the public keys of every https site was created.
Every browser "knows" about the existence of some 200 such databases. They are preinstalled in every browser.
That "knowledge" is backed by a public key from each certificate authority. That is, the connection to each particular certificate authority can't be spoofed. That gives a simple understanding of how SSL is used for https.
This is a deliberately simplified picture, and a couple of points differ from real TLS: the server's public key does not encrypt the request, and the browser does not keep a key pair per site. The two sides run a key exchange (Diffie-Hellman in current TLS) to agree on a fresh symmetric session key, the server's private key signs that exchange so a man in the middle cannot substitute keys (the job step #3 describes), and the "database of public keys" is the set of root CA certificates shipped with the browser or OS, against which the server's certificate chain is checked.
If you think about it, you can see how intelligence services could break something in this scheme. But for them it would be a major operation.
And organizations smaller than the NSA or CIA are practically unable to break today's level of protection, even against VIPs. I'll add a word about ssh connections. There is no public key database there, so what do you do? The problem is solved in two ways.
The ssh-by-password option:
On the first connection the client must confirm that it trusts the new public key from the ssh server.
And when connecting later, if the warning "new public key from the ssh server" appears, it means someone is trying to wiretap you.
Or you were wiretapped on your first connection, but now you are talking to the server without intermediaries.
Actually, because the wiretapping is so easily revealed, this attack is used only in special cases against a specific client. The ssh-by-key option:
We take a flash drive and write the ssh server's private key onto it (there are terms for this and many important nuances, but I am writing an educational piece, not a usage manual).
We leave the public key on the machine where the ssh client will be, and we keep it secret as well.
We take the flash drive to the server, plug it in, copy the private key, then burn the flash drive and scatter the ashes in the wind (or at least zero it out).
That's it; after that an ssh connection can't be hacked. True, in 10 years the traffic could be decrypted on a supercomputer, but that's a different story. Sorry for the off-topic.
So now the theory is clear. Let me describe the workflow of creating an SSL certificate.
Using "openssl genrsa" we create a private key and, from it, a "blank" for the public key (the certificate signing request).
We send the "blank" to a third-party company, where we pay about $9 for the simplest certificate.
A couple of hours later we get our "public" key and a set of public keys from that third-party company.
Why a third-party company should be paid to register my public key is a separate question; we won't go into it here.
Now the meaning of the certificate is clear:
smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key
The "/etc/ssl" directory contains all the files for ssl matters.
domain1.com - the domain name.
2018 - the year the certificate was created.
"key" - the file name says it is a private key.
And the meaning of this file:
smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
domain1.com — inoa inoa.
ʻO 2018 ka makahiki o ka hana nui.
kaulahao - ka inoa aia he kaulahao o na kī lehulehu (ʻo ka mea mua ko mākou kī lehulehu a ʻo ke koena ka mea i loaʻa mai ka hui nāna i hoʻopuka i ke kī lehulehu).
crt - ka inoa i loaʻa kahi palapala i hoʻomākaukau ʻia (kī lehulehu me nā wehewehe ʻenehana).
smtp_bind_address = XX.XX.XX.X0
smtp_bind_address6 = XXXX:XXXX:XXXX:XXXX:1:1:1:1
This setting is not used in this setup (the per-domain transports in master.cf override it), but it's written here as an example.
Because sooner or later spam will be sent from your server (without your wanting it).
And then you'll be checking everything to make sure you didn't get something wrong; a fixed outgoing address makes that easier.
recipient_delimiter = +
Not many people know this, but it's a standard way of addressing mail and most modern mail servers support it: everything after "+" in the local part is an extension, and the message is delivered to the mailbox named before it.
For example, if you have the mailbox "[email protected]", try sending to "[email protected]" and see what arrives.
inet_protocols = ipv4
This may look confusing.
But it's deliberate: by default every transport is IPv4-only, and I switch IPv6 on per transport in master.cf.
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
Here we say that all mail goes to dovecot (over LMTP through the unix socket).
And the rules for domains, mailboxes and aliases are in the files below. These files contain the database password, so they must not be world-readable.
/etc/postfix/mysql-virtual-mailbox-domains.cf
user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT 1 FROM virtual_domains WHERE name='%s'
/etc/postfix/mysql-virtual-mailbox-maps.cf
user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT 1 FROM virtual_users WHERE email='%s'
/etc/postfix/mysql-virtual-alias-maps.cf
user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT destination FROM virtual_aliases WHERE source='%s'
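The lookups these three files perform, and the recipient_delimiter behaviour described above, can be walked through with an added example (this is my code, not the article's; it uses an in-memory SQLite database with the same three tables as a stand-in for MySQL, and the table contents are constructed sample data):

```python
import sqlite3

# Constructed sample data standing in for the MySQL tables that the page's
# three map files query; SQLite (stdlib) is used only so the example runs offline.
SCHEMA = """
CREATE TABLE virtual_domains (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE virtual_users   (id INTEGER PRIMARY KEY, domain_id INTEGER NOT NULL,
                              email TEXT UNIQUE NOT NULL, password TEXT NOT NULL);
CREATE TABLE virtual_aliases (id INTEGER PRIMARY KEY, domain_id INTEGER NOT NULL,
                              source TEXT NOT NULL, destination TEXT NOT NULL);
INSERT INTO virtual_domains VALUES (1, 'domain1.com'), (2, 'domain2.com');
INSERT INTO virtual_users VALUES
  (1, 1, 'alice@domain1.com', '{SHA512-CRYPT}$6$placeholder'),
  (2, 2, 'bob@domain2.com',   '{SHA512-CRYPT}$6$placeholder');
INSERT INTO virtual_aliases VALUES
  (1, 1, 'postmaster@domain1.com', 'alice@domain1.com'),
  (2, 2, 'support@domain2.com',    'postmaster@domain1.com'),
  (3, 2, '@domain2.com',           'bob@domain2.com');
"""


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


# The same three queries as the page's .cf files. Postfix quotes the %s key
# before substituting it; the driver's '?' placeholder does the same job here,
# so a recipient containing a quote cannot break out of the string literal.
def is_virtual_domain(conn, domain):
    return conn.execute("SELECT 1 FROM virtual_domains WHERE name=?",
                        (domain,)).fetchone() is not None


def alias_destination(conn, source):
    row = conn.execute("SELECT destination FROM virtual_aliases WHERE source=?",
                       (source,)).fetchone()
    return row[0] if row else None


def mailbox_exists(conn, email):
    return conn.execute("SELECT 1 FROM virtual_users WHERE email=?",
                        (email,)).fetchone() is not None


def lookup_keys(address, delimiter="+"):
    """Keys Postfix tries, in order, for one address in a virtual table:
    user+ext@domain first, then user@domain with the extension stripped."""
    local, _, domain = address.rpartition("@")
    keys = [address]
    if delimiter and delimiter in local:
        keys.append(local.split(delimiter, 1)[0] + "@" + domain)
    return keys


def resolve_recipient(conn, address, delimiter="+", max_hops=10):
    """Walk a RCPT TO address through domains -> aliases -> mailboxes in the
    order Postfix applies the maps, returning (action, detail)."""
    address = address.lower()
    seen = set()
    while address not in seen and len(seen) < max_hops:
        seen.add(address)
        _, _, domain = address.rpartition("@")
        if not is_virtual_domain(conn, domain):
            return ("not-local", address)   # not ours; relay restrictions decide
        # virtual_alias_maps: exact key, stripped key, then the @domain catch-all
        dest = None
        for key in lookup_keys(address, delimiter) + ["@" + domain]:
            dest = alias_destination(conn, key)
            if dest is not None:
                break
        if dest is not None and dest.lower() != address:
            address = dest.lower()          # rewritten: look the new address up again
            continue
        # virtual_mailbox_maps: exact key, then with the extension stripped
        for key in lookup_keys(address, delimiter):
            if mailbox_exists(conn, key):
                return ("deliver", key)     # handed to dovecot over LMTP
        return ("reject", "User unknown in virtual mailbox table")
    return ("reject", "virtual alias expansion loop")


if __name__ == "__main__":
    db = open_sample_db()
    for rcpt in ("alice+lists@domain1.com", "support@domain2.com",
                 "anything@domain2.com", "nobody@domain1.com", "x@example.org"):
        print(rcpt, "->", resolve_recipient(db, rcpt))
```

The "+lists" extension is dropped on the second lookup, the catch-all "@domain2.com" entry stops expanding once an alias maps to itself, and a recipient with SQL syntax in it is simply an unknown user because the key is passed as a parameter, exactly as Postfix quotes the %s value.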
# SMTP-Auth settings
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
Now postfix knows that it may accept mail for relaying once the sender has authenticated through dovecot.
I don't fully understand why this is duplicated here. We already said everything we needed in "virtual_transport".
But postfix is a very old system; maybe it's a leftover from ancient times.
smtpd_recipient_restrictions =
...
smtpd_helo_restrictions =
...
smtpd_client_restrictions =
...
These can be configured differently for each mail server.
I have 3 mail servers and these settings differ a lot because of different usage requirements.
You need to configure them carefully; otherwise spam will pour in on you, or worse, spam will flow out from you.
# SPF
policyd-spf_time_limit = 3600
Setting for the plugin that checks the SPF of incoming mail.
# OpenDKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:var/run/opendkim/opendkim.sock
With this setup we attach a DKIM signature to all outgoing mail. Note that milter_default_action = accept means mail is still accepted, and goes out unsigned, if opendkim is down; watch the logs for that.
# IP address per domain
sender_dependent_default_transport_maps = pcre:/etc/postfix/sdd_transport.pcre
This is an important detail when sending mail from PHP scripts.
File "/etc/postfix/sdd_transport.pcre":
/^[email protected]$/ domain1:
/^[email protected]$/ domain2:
/^[email protected]$/ domain3:
/@domain1.com$/ domain1:
/@domain2.com$/ domain2:
/@domain3.com$/ domain3:
On the left are regular expressions; on the right is the label that marks the message.
Postfix, by that label, applies extra configuration lines to that particular message. How postfix is reconfigured for a given message is described in "master.cf".
Lines 4, 5 and 6 are the main ones: based on the domain on whose behalf we send the message, we assign that label.
But in old code the "from" field is not always set in PHP scripts, and then the user name comes to the rescue. The article is already long, so I don't want to get sidetracked by configuring nginx+fpm.
In short, for each site we create its own linux user and a matching fpm pool.
An fpm pool uses a particular php version (and it's also convenient that on the same server you can use different php versions and different php.ini files for neighbouring sites without any problem).
So the linux user "www-domain2" owns the site domain2.com. This site's code sends mail without setting the from field, so the sender becomes that user's local address, which is what lines 1-3 match on.
So in this case the mail still goes out correctly and doesn't end up in spam.
My "/etc/postfix/master.cf" looks like this:
...
smtp inet n - y - - smtpd
-o content_filter=spamassassin
...
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
...
policyd-spf unix - n n - 0 spawn
user=policyd-spf argv=/usr/bin/policyd-spf
spamassassin unix - n n - - pipe
user=spamd argv=/usr/bin/spamc -f -e
/usr/sbin/sendmail -oi -f ${sender} ${recipient}
...
domain1 unix - - n - - smtp
-o smtp_bind_address=XX.XX.XX.X1
-o smtp_helo_name=domain1.com
-o inet_protocols=all
-o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:1:1
-o syslog_name=postfix-domain1
domain2 unix - - n - - smtp
-o smtp_bind_address=XX.XX.XX.X5
-o smtp_helo_name=domain2.com
-o inet_protocols=all
-o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:2:1:1
-o syslog_name=postfix-domain2
domain3 unix - - n - - smtp
-o smtp_bind_address=XX.XX.XX.X2
-o smtp_helo_name=domain3
-o inet_protocols=all
-o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:5:1
-o syslog_name=postfix-domain3
The file is not given in full; it's too long.
I've only shown what was changed.
smtp inet n - y - - smtpd
-o content_filter=spamassassin
...
spamassassin unix - n n - - pipe
user=spamd argv=/usr/bin/spamc -f -e
/usr/sbin/sendmail -oi -f ${sender} ${recipient}
These are the settings related to spamassassin; more on that later.
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
We allow connecting to the mail server on port 587 (submission).
To do that you must authenticate, and TLS is mandatory (smtpd_tls_security_level=encrypt), so credentials never cross the network in clear text.
policyd-spf unix - n n - 0 spawn
user=policyd-spf argv=/usr/bin/policyd-spf
Enable the SPF check. The service is only invoked if the (elided) smtpd_recipient_restrictions list references it with a check_policy_service entry.
apt-get install postfix-policyd-spf-python
Install the package for the SPF checks above.
domain1 unix - - n - - smtp
-o smtp_bind_address=XX.XX.XX.X1
-o smtp_helo_name=domain1.com
-o inet_protocols=all
-o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:1:1
-o syslog_name=postfix-domain1
And this is the most interesting part: the ability to send mail for a particular domain from a particular IPv4/IPv6 address.
This is done for the sake of rDNS. rDNS is the process of obtaining a name from an IP address.
For mail, this is used to check that the HELO matches the rDNS of the address the message was sent from. If the HELO doesn't match the mail domain the message was sent on behalf of, spam points are given.
If the HELO doesn't match the rDNS, a lot of spam points are given.
So each domain must have its own IP address.
For OVH, rDNS can be set in the console.
For tech.ru, the issue was resolved through support.
For AWS, the issue is resolved through support.
"inet_protocols" and "smtp_bind_address6" enable IPv6 support.
For IPv6 you also need to register rDNS.
"syslog_name" - for easier reading of the logs.
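An added check for the alignment described above (my example, not code from the article): it reproduces the sdd_transport.pcre lookup (first match wins, case-insensitive, as in a Postfix pcre: table) and, for every per-domain transport, verifies that the bound address has a PTR record, that the PTR equals the smtp_helo_name, and that the PTR name resolves back to the address (forward-confirmed rDNS). The addresses are documentation placeholders and the DNS answers are constructed; the live_* resolvers at the end use the system resolver if you want to run it against real records. Note that the article's domain3 transport uses the bare name "domain3" as HELO, which a check like this flags.

```python
import ipaddress
import re
import socket

# The page's sdd_transport.pcre patterns, with the dot escaped: in the page's
# "/@domain1.com$/" the dot matches any character, so "@domain1Xcom" would
# match too. Order matters: like a Postfix pcre: table, the first match wins.
SDD_TRANSPORT_PCRE = [
    (r"@domain1\.com$", "domain1"),
    (r"@domain2\.com$", "domain2"),
    (r"@domain3\.com$", "domain3"),
]

# Bind address and HELO name of each master.cf transport, with documentation
# addresses (RFC 5737 / RFC 3849) in place of the page's XX.XX.XX.X1 placeholders.
# domain3 deliberately keeps the page's bare "domain3" HELO.
TRANSPORTS = {
    "domain1": {"bind": ["192.0.2.1", "2001:db8::1:1:1:1"], "helo": "domain1.com"},
    "domain2": {"bind": ["192.0.2.5", "2001:db8::1:2:1:1"], "helo": "domain2.com"},
    "domain3": {"bind": ["192.0.2.2", "2001:db8::1:1:5:1"], "helo": "domain3"},
}


def select_transport(sender, table=SDD_TRANSPORT_PCRE, default="smtp"):
    """Map an envelope sender to a transport, as sender_dependent_default_transport_maps does."""
    for pattern, transport in table:
        if re.search(pattern, sender, re.IGNORECASE):  # pcre: tables ignore case by default
            return transport
    return default


def _norm_ip(text):
    return ipaddress.ip_address(text).compressed


def _norm_name(name):
    return name.rstrip(".").lower()


def check_alignment(ip, helo, ptr_lookup, addr_lookup):
    """Problems a receiving MTA would score for mail sent from ip with this HELO:
    no PTR, PTR != HELO, or a PTR that does not resolve back to ip (no FCrDNS)."""
    ptr = ptr_lookup(ip)
    if ptr is None:
        return [f"{ip}: no PTR record"]
    problems = []
    if _norm_name(ptr) != _norm_name(helo):
        problems.append(f"{ip}: PTR {ptr} != HELO {helo}")
    forward = {_norm_ip(a) for a in addr_lookup(ptr)}
    if _norm_ip(ip) not in forward:
        problems.append(f"{ip}: PTR {ptr} does not resolve back to {ip}")
    return problems


def audit_transports(transports, ptr_lookup, addr_lookup):
    """Run check_alignment over every bound address of every transport."""
    report = {}
    for name, t in transports.items():
        problems = [] if "." in t["helo"] else [f"HELO {t['helo']!r} is not a fully qualified name"]
        for ip in t["bind"]:
            problems += check_alignment(ip, t["helo"], ptr_lookup, addr_lookup)
        report[name] = problems
    return report


# Constructed DNS answers for the placeholder addresses (not real records):
# domain2's IPv6 PTR points at a different name, domain3's IPv6 has no PTR at all.
FAKE_PTR = {
    "192.0.2.1": "domain1.com", "2001:db8::1:1:1:1": "domain1.com",
    "192.0.2.5": "domain2.com", "2001:db8::1:2:1:1": "mail.domain2.com",
    "192.0.2.2": "domain3.com",
}
FAKE_ADDR = {
    "domain1.com": {"192.0.2.1", "2001:db8::1:1:1:1"},
    "domain2.com": {"192.0.2.5", "2001:db8::1:2:1:1"},
    "mail.domain2.com": {"2001:db8::1:2:1:1"},
    "domain3.com": {"192.0.2.2", "2001:db8::1:1:5:1"},
}


def fake_ptr(ip):
    return FAKE_PTR.get(_norm_ip(ip))


def fake_addr(name):
    return FAKE_ADDR.get(_norm_name(name), set())


# Resolvers backed by the system DNS, for running the audit against real records.
def live_ptr(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def live_addr(name):
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()


if __name__ == "__main__":
    print(select_transport("www-domain2@host.example"), select_transport("Bob@DOMAIN3.COM"))
    for name, problems in audit_transports(TRANSPORTS, fake_ptr, fake_addr).items():
        print(name, "OK" if not problems else problems)
```

Run it with live_ptr and live_addr after setting rDNS in the provider console (or through support, as described above) for every IPv4 and IPv6 address you bind; an empty problem list for each transport is what you want to see before sending real mail.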
Buy the certificates.
============= Dovecot =============
apt-get install dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-mysql dovecot-antispam
Install the packages; mysql itself is set up separately.
File "/etc/dovecot/conf.d/10-auth.conf"
disable_plaintext_auth = yes
auth_mechanisms = plain login
Only authentication over an encrypted connection; "plain" and "login" are acceptable because ssl is made mandatory below.
File "/etc/dovecot/conf.d/10-mail.conf"
mail_location = maildir:/var/mail/vhosts/%d/%n
Here we specify where mail is stored.
I want it stored as files (maildir) and grouped by domain.
File "/etc/dovecot/conf.d/10-master.conf"
service imap-login {
inet_listener imap {
port = 0
}
inet_listener imaps {
address = XX.XX.XX.X1, XX.XX.XX.X2, XX.XX.XX.X5, [XXXX:XXXX:XXXX:XXXX:1:1:1:1], [XXXX:XXXX:XXXX:XXXX:1:2:1:1], [XXXX:XXXX:XXXX:XXXX:1:1:5:1]
port = 993
ssl = yes
}
}
service pop3-login {
inet_listener pop3 {
port = 0
}
inet_listener pop3s {
address = XX.XX.XX.X1, XX.XX.XX.X2, XX.XX.XX.X5, [XXXX:XXXX:XXXX:XXXX:1:1:1:1], [XXXX:XXXX:XXXX:XXXX:1:2:1:1], [XXXX:XXXX:XXXX:XXXX:1:1:5:1]
port = 995
ssl = yes
}
}
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
mode = 0600
user = postfix
group = postfix
}
}
service imap {
}
service pop3 {
}
service auth {
unix_listener auth-userdb {
mode = 0600
user = vmail
}
unix_listener /var/spool/postfix/private/auth {
mode = 0666
user = postfix
group = postfix
}
user = dovecot
}
service auth-worker {
user = vmail
}
service dict {
unix_listener dict {
}
}
This is the main dovecot service configuration file.
Here we disable the unencrypted listeners (port = 0 for imap and pop3).
And enable the encrypted ones (imaps on 993, pop3s on 995), bound to the per-domain addresses.
File "/etc/dovecot/conf.d/10-ssl.conf"
ssl = required
ssl_cert = </etc/nginx/ssl/domain1.com.2018.chained.crt
ssl_key = </etc/nginx/ssl/domain1.com.2018.key
local XX.XX.XX.X5 {
ssl_cert = </etc/nginx/ssl/domain2.com.2018.chained.crt
ssl_key = </etc/nginx/ssl/domain2.com.2018.key
}
SSL configuration. We state that ssl is required.
And the certificate itself. An important detail is the "local" directive: it specifies which SSL certificate to use when a client connects to a particular local IPv4 address. By the way, IPv6 isn't configured here; I'll fix that later.
XX.XX.XX.X5 (domain2) - no certificate. To connect clients you need to point them at domain1.com.
XX.XX.XX.X2 (domain3) - there is a certificate; you can point clients at either domain1.com or domain3.com.
File "/etc/dovecot/conf.d/15-lda.conf"
protocol lda {
mail_plugins = $mail_plugins sieve
}
This is needed so that sieve runs for the spamassassin rule later on.
File "/etc/dovecot/conf.d/20-imap.conf"
protocol imap {
mail_plugins = $mail_plugins antispam
}
This is the antispam plugin. It's needed to train spamassassin when a message is moved into or out of the "Spam" folder. (Newer Dovecot releases provide the same feature through the imap_sieve plugin instead.)
File "/etc/dovecot/conf.d/20-pop3.conf"
protocol pop3 {
}
The file is just there.
File "/etc/dovecot/conf.d/20-lmtp.conf"
protocol lmtp {
mail_plugins = $mail_plugins sieve
postmaster_address = [email protected]
}
LMTP settings.
File "/etc/dovecot/conf.d/90-antispam.conf"
plugin {
antispam_backend = pipe
antispam_trash = Trash;trash
antispam_spam = Junk;Spam;SPAM
antispam_pipe_program_spam_arg = --spam
antispam_pipe_program_notspam_arg = --ham
antispam_pipe_program = /usr/bin/sa-learn
antispam_pipe_program_args = --username=%Lu
}
Spamassassin training settings for when a message is moved into or out of the Spam folder.
File "/etc/dovecot/conf.d/90-sieve.conf"
plugin {
sieve = ~/.dovecot.sieve
sieve_dir = ~/sieve
sieve_after = /var/lib/dovecot/sieve/default.sieve
}
This file defines what to do with incoming mail; sieve_after runs after the user's own script.
File "/var/lib/dovecot/sieve/default.sieve"
require ["fileinto", "mailbox"];
if header :contains "X-Spam-Flag" "YES" {
fileinto :create "Spam";
}
You need to compile the file: "sievec default.sieve".
File "/etc/dovecot/conf.d/auth-sql.conf.ext"
passdb {
driver = sql
args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
driver = static
args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
}
passdb points at the sql file used for authentication.
userdb is static, so every virtual user maps to the same vmail uid/gid with a home directory under /var/mail/vhosts/%d/%n.
File "/etc/dovecot/dovecot-sql.conf.ext"
driver = mysql
connect = host=127.0.0.1 dbname=servermail user=usermail password=password
default_pass_scheme = SHA512-CRYPT
password_query = SELECT email as user, password FROM virtual_users WHERE email='%u';
This corresponds to the same settings as for postfix. Passwords in virtual_users are stored as SHA512-CRYPT hashes (doveadm pw produces one), and this file holds the database password, so keep it readable only by root and dovecot.
File "/etc/dovecot/dovecot.conf"
protocols = imap lmtp pop3
listen = *, ::
dict {
}
!include conf.d/*.conf
!include_try local.conf
The main configuration file.
The main thing we specify here is the set of protocols.
============= SpamAssassin ==============
apt-get install spamassassin spamc
Install the packages.
adduser spamd --disabled-login
Add a user for it.
systemctl enable spamassassin.service
Enable the spamassassin service at boot.
File "/etc/default/spamassassin":
CRON=1
Enable the "default" rule updates (the daily sa-update cron job).
File "/etc/spamassassin/local.cf":
report_safe 0
use_bayes 1
bayes_auto_learn 1
bayes_auto_expire 1
bayes_store_module Mail::SpamAssassin::BayesStore::MySQL
bayes_sql_dsn DBI:mysql:sa:localhost:3306
bayes_sql_username sa
bayes_sql_password password
You need to create a database "sa" in mysql with the user "sa" and the password "password" (replace it with something sensible).
report_safe 0 - leave the original message as it is and only add the X-Spam-* headers (with 1 the message is wrapped in a report); the sieve rule above relies on those headers.
use_bayes and the bayes_* lines are the self-learning settings of the spamassassin engine.
The remaining spamassassin settings were used earlier in the article.
============= Appeal to the community =============
I'd like to throw an idea out to the community about raising the security level of sent mail, since I've dug deep into the email topic.
So that a user can generate two keys in their client (outlook, thunderbird, browser plugin, ...): a public one and a private one. The public one is published in DNS; the private one stays with the client. Mail servers can use the public key to send to the recipient.
And to protect against spam with such messages (yes, the mail server can't see the contents), three rules need to be introduced:
- A valid DKIM signature, correct SPF and correct rDNS are required.
- A neural network trained for antispam, plus a database for it, on the client side.
- The encryption algorithm must be such that the sending side spends 100 times more CPU on encryption than the receiving side.
Beyond mass mail, develop a standard request message "start encrypting". One of the users (mailbox) sends a message with an attachment to another mailbox. The message contains a text proposal to start a secure communication channel for mail and the public key of the mailbox owner (with the private key on the client side).
You can even generate a separate pair of keys for each correspondent. The user can accept this offer and send their public key (generated for this correspondence). Then the first user sends a service control message (encrypted with the second user's public key); on receiving it, the second user considers the channel established. Then the second user sends a control message, after which the first user can also consider the channel established.
To counter interception of keys in transit, the protocol should allow delivering one public key by flash drive.
And most importantly, so that all of this works (the question "who pays for it?"):
Introduce mail certificates starting at $10 for 3 years. That's what allows the sender to state in dns "my public keys are there". And it gives you the ability to start a secure connection. At the same time, accepting such connections is free.
gmail is monetising its users. For $10 per 3 years: the right to establish secure mail channels.
============= Conclusion =============
To test the whole article, I planned to rent a dedicated server for a month and buy a domain with an SSL certificate.
But life circumstances turned out such that this dragged on for 2 months.
And so, when I had free time again, I decided to publish the article as it is, rather than risk the publication being postponed for another year.
If there are a lot of questions like "but this isn't described in enough detail", then perhaps there will be energy to take a dedicated server with a new domain and a new SSL certificate, describe it in more detail and, most importantly, find all the important details that were missed.
I'd like to get feedback on the idea of mail certificates. If you like the idea, I'll try to find the strength to write a draft for an rfc.
When copying large parts of the article, provide a link to it.
When translating it into another language, provide a link to it.
I'll try to translate it into English myself and leave cross-references.
Source: www.habr.com