Debian + Postfix + Dovecot + Multidomain + SSL + IPv6 + OpenVPN + Multi-interfaces + SpamAssassin-learn + Bind

This article is about how to set up a modern mail server.
Postfix + Dovecot. SPF + DKIM + rDNS. With IPv6.
With TLS encryption. With support for multiple domains, some of them with a real SSL certificate.
With antispam protection and a high antispam rating from other mail servers.
With support for multiple physical interfaces.
With OpenVPN, whose connection is over IPv4 and which provides IPv6.

If you don't want to learn all these technologies but do want to set up such a server, this article is for you.

This article makes no attempt to explain every detail. The explanations cover what is not configured by default or what matters from the consumer's point of view.

Setting up a mail server has long been a dream of mine. This may sound silly, but IMHO it is better than dreaming of a new car from your favourite brand.

There are two motivations for setting up IPv6. An IT specialist has to keep learning new technologies to survive. And I wanted to make my small contribution to the fight against censorship.

The motivation for setting up OpenVPN is only to get IPv6 working on the local machine.
The motivation for setting up multiple physical interfaces is that my server has one interface that is "slow but unlimited" and another that is "fast but metered".

The motivation for setting up Bind is that my ISP provides an unstable DNS server, and Google's also fails sometimes. I want a stable DNS server for personal use.

The motivation for writing the article: I wrote a draft 10 months ago and have already consulted it twice. Even if the author regularly needs it, there is a high chance that others will need it too.

There is no universal solution for a mail server. But I'll try to write something along the lines of "do this, and then, when everything works as it should, throw out the extra stuff."

The company tech.ru has a colocation server. It can be compared with OVH, Hetzner, AWS. For solving this particular task, cooperation with tech.ru will be much more effective.

Debian 9 is installed on the server.

The server has 2 interfaces, 'eno1' and 'eno2'. The first is unlimited and the second is fast, respectively.

There are 3 static IP addresses: XX.XX.XX.X0, XX.XX.XX.X1 and XX.XX.XX.X2 on the 'eno1' interface and XX.XX.XX.X5 on the 'eno2' interface.

An XXXX:XXXX:XXXX:XXXX::/64 pool of IPv6 addresses is available, assigned to the 'eno1' interface, and from it XXXX:XXXX:XXXX:XXXX:1:2::/96 was routed to 'eno2' at my request.

There are 3 domains: 'domain1.com', 'domain2.com', 'domain3.com'. There are SSL certificates for 'domain1.com' and 'domain3.com'.

I have a Google account to which I want to connect my mailbox '[email protected]' (receive mail and send mail directly from the gmail interface).
There must be a mailbox '[email protected]', a copy of whose mail I want to see in my gmail. And it should rarely be possible to send anything on behalf of '[email protected]' from the web interface.

There must be a mailbox '[email protected]' which Ivanov will use from his iPhone.

Outgoing emails must comply with all modern antispam requirements.
There must be the highest level of encryption available on public networks.
There must be IPv6 support for sending and receiving mail.
There must be a SpamAssassin that does not delete emails. It will either bounce, or let through, or deliver to the IMAP "Spam" folder.
SpamAssassin auto-learning must be configured: if I move a message to the Spam folder, it learns from that; if I move a message out of the Spam folder, it learns from that. The results of SpamAssassin training must affect whether a message ends up in the Spam folder.
PHP scripts must be able to send mail on behalf of any domain hosted on the given server.
There must be an openvpn service, with the ability to use IPv6 on a client that has no IPv6 of its own.

First you need to configure the interfaces and routing, including IPv6.
Then you need to configure OpenVPN, which will connect over IPv4 and give the client a real IPv6 address. This client will have access to all IPv6 services on the server and to all IPv6 services on the Internet.
Then you need to configure Postfix for sending mail + SPF + DKIM + rDNS and other similar small things.
Then you need to configure Dovecot and configure Multidomain.
Then you need to configure SpamAssassin and configure its training.
Finally, install Bind.

======= Multi-interfaces =======

To configure the interfaces, you need to write the following in "/etc/network/interfaces".

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eno1
iface eno1 inet static
        address XX.XX.XX.X0/24
        gateway XX.XX.XX.1
        dns-nameservers 127.0.0.1 213.248.1.6
        post-up ip route add XX.XX.XX.0/24 dev eno1 src XX.XX.XX.X0 table eno1t
        post-up ip route add default via XX.XX.XX.1 table eno1t
        post-up ip rule add table eno1t from XX.XX.XX.X0
        post-up ip rule add table eno1t to XX.XX.XX.X0

auto eno1:1
iface eno1:1 inet static
address XX.XX.XX.X1
netmask 255.255.255.0
        post-up ip rule add table eno1t from XX.XX.XX.X1
        post-up ip rule add table eno1t to XX.XX.XX.X1
        post-up   ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t
        post-down ip route del 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t

auto eno1:2
iface eno1:2 inet static
address XX.XX.XX.X2
netmask 255.255.255.0
        post-up ip rule add table eno1t from XX.XX.XX.X2
        post-up ip rule add table eno1t to XX.XX.XX.X2

iface eno1 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:1::/64
        gateway XXXX:XXXX:XXXX:XXXX::1
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:2/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:1:1:2/64 dev $IFACE

# The secondary network interface
allow-hotplug eno2
iface eno2 inet static
        address XX.XX.XX.X5
        netmask 255.255.255.0
        post-up   ip route add XX.XX.XX.0/24 dev eno2 src XX.XX.XX.X5 table eno2t
        post-up   ip route add default via XX.XX.XX.1 table eno2t
        post-up   ip rule add table eno2t from XX.XX.XX.X5
        post-up   ip rule add table eno2t to XX.XX.XX.X5
        post-up   ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X5 table eno2t
        post-down ip route del 10.8.0.0/24 dev tun0 src XX.XX.XX.X5 table eno2t

iface eno2 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:2::/96
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:2:1:1/64 dev $IFACE
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:2:1:2/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:2:1:1/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:2:1:2/64 dev $IFACE

# OpenVPN network
iface tun0 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:3::/80

This configuration can be applied on any server at tech.ru (with a little coordination with support) and it will immediately work as it should.

If you have a similar setup at Hetzner or OVH, it is different there. More complicated.

eno1 is the name of network card #1 (slow but unlimited).
eno2 is the name of network card #2 (fast, but metered).
tun0 is the name of the virtual network card from OpenVPN.
XX.XX.XX.X0 - IPv4 #1 on eno1.
XX.XX.XX.X1 - IPv4 #2 on eno1.
XX.XX.XX.X2 - IPv4 #3 on eno1.
XX.XX.XX.X5 - IPv4 #1 on eno2.
XX.XX.XX.1 - IPv4 gateway.
XXXX:XXXX:XXXX:XXXX::/64 - IPv6 for the whole server.
XXXX:XXXX:XXXX:XXXX:1:2::/96 - IPv6 for eno2; everything else from outside comes in on eno1.
XXXX:XXXX:XXXX:XXXX::1 - IPv6 gateway (it is worth noting that this can/should be done differently: specify the IPv6 switch).
dns-nameservers - 127.0.0.1 is specified (because Bind is installed locally) and 213.248.1.6 (this one is from tech.ru).

"table eno1t" and "table eno2t" - the point of these routing rules is that traffic that came in through eno1 -> goes out through it, and traffic that came in through eno2 -> goes out through it. Also, connections initiated by the server go out through eno1.

ip route add default via XX.XX.XX.1 table eno1t

With this command we specify that any otherwise unclassified traffic that falls under a rule marked "table eno1t" -> is sent to the eno1 interface.

ip route add XX.XX.XX.0/24 dev eno1 src XX.XX.XX.X0 table eno1t

With this command we specify that any traffic initiated by the server must be directed to the eno1 interface.

ip rule add table eno1t from XX.XX.XX.X0
ip rule add table eno1t to XX.XX.XX.X0

With these commands we set the rules for marking traffic.

auto eno1:2
iface eno1:2 inet static
address XX.XX.XX.X2
netmask 255.255.255.0
        post-up ip rule add table eno1t from XX.XX.XX.X2
        post-up ip rule add table eno1t to XX.XX.XX.X2

This block specifies the second additional IPv4 address on the eno1 interface.

ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t

With this command we set the route from OpenVPN clients to the local IPv4, just XX.XX.XX.X0.
I still don't understand why this command is enough for all the IPv4 addresses.

iface eno1 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:1::/64
        gateway XXXX:XXXX:XXXX:XXXX::1

This is where we set the address of the interface itself. The server will use it as its "outgoing" address. It will not be used in any other way.

Why such a complicated ":1:1::"? So that OpenVPN works correctly, and only for that. More on this later.

On the subject of the gateway - it works this way, and that's fine. But the correct way is to specify here the IPv6 of the switch the server is connected to.

However, for some reason IPv6 doesn't work if I do that. This is probably some tech.ru problem.

ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE

This adds an IPv6 address to the interface. If you need a hundred addresses, that means a hundred lines in this file.

iface eno1 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:1::/64
...
iface eno2 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:2::/96
...
iface tun0 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:3::/80

I wrote down the addresses and subnets of all the interfaces for clarity.
eno1 - must be "/64" - because this is our entire pool of addresses.
tun0 - its prefix must be longer than eno1's. Otherwise it won't be possible to configure an IPv6 gateway for OpenVPN clients.
eno2 - its prefix must be longer than tun0's. Otherwise OpenVPN clients won't be able to reach local IPv6 addresses.
For clarity, I chose a subnet step of 16, but if you want, you can use a step of "1".
Accordingly, 64 + 16 = 80, and 80 + 16 = 96.

For more clarity:
XXXX:XXXX:XXXX:XXXX:1:1:YYYY:YYYY are the addresses to assign to specific sites or services on the eno1 interface.
XXXX:XXXX:XXXX:XXXX:1:2:YYYY:YYYY are the addresses to assign to specific sites or services on the eno2 interface.
XXXX:XXXX:XXXX:XXXX:1:3:YYYY:YYYY are the addresses to assign to OpenVPN clients or to use as the OpenVPN service address.

To apply the network configuration, the server needs to be rebooted.
IPv4 changes are applied at run time (be sure to wrap this in screen - otherwise this command will just bring down the server's network):

/etc/init.d/networking restart

Add to the end of the file "/etc/iproute2/rt_tables":

100 eno1t
101 eno2t

Without this, you can't use custom tables in the "/etc/network/interfaces" file.
The numbers must be unique and less than 65535.

IPv6 changes can easily be made without rebooting, but to do that you need to learn at least three commands:

ip -6 addr ...
ip -6 route ...
ip -6 neigh ...

Configure "/etc/sysctl.conf"

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward = 1

# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0

# For receiving ARP replies
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.default.arp_filter = 0

# For sending ARP
net.ipv4.conf.all.arp_announce = 0
net.ipv4.conf.default.arp_announce = 0

# Enable IPv6
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0

# IPv6 configuration
net.ipv6.conf.all.autoconf = 1
net.ipv6.conf.all.accept_ra = 0

# For OpenVPN
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.proxy_ndp = 1

# For nginx on boot
net.ipv6.ip_nonlocal_bind = 1

These are the "sysctl" settings of my server. Let me point out a few important things.

net.ipv4.ip_forward = 1

Without this, OpenVPN won't work at all.

net.ipv6.ip_nonlocal_bind = 1

Any daemon that tries to bind to an IPv6 address (nginx, for example) immediately after the interface comes up will get an error saying that the address does not exist.

This setting was made to avoid that situation.

net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.proxy_ndp = 1

Without these IPv6 settings, traffic from the OpenVPN client will not get out into the wide world.

The other settings are either irrelevant or I don't remember what they're for.
But in this case I leave them "as is".

For changes to this file to take effect without rebooting the server, you need to run the command:

sysctl -p

More about the "table" rules: habr.com/post/108690

======= OpenVPN =======

OpenVPN over IPv4 doesn't work without iptables.

My iptables for the VPN look like this:

iptables -A INPUT -p udp -s YY.YY.YY.YY --dport 1194 -j ACCEPT
iptables -A FORWARD -i tun0 -o eno1 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j SNAT --to-source XX.XX.XX.X0
##iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j DROP
iptables -A FORWARD -p udp --dport 1194 -j DROP

YY.YY.YY.YY is the static IPv4 address of my local machine.
10.8.0.0/24 - the openvpn IPv4 network. IPv4 addresses for the openvpn clients.
The order of the rules is important.

iptables -A INPUT -p udp -s YY.YY.YY.YY --dport 1194 -j ACCEPT
iptables -A FORWARD -i tun0 -o eno1 -j ACCEPT
...
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j DROP
iptables -A FORWARD -p udp --dport 1194 -j DROP

This is a restriction so that only I can use OpenVPN, from my static IP.

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j SNAT --to-source XX.XX.XX.X0
  -- or --
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j MASQUERADE

To forward IPv4 packets between OpenVPN clients and the Internet, you need to add one of these commands.

For some cases one of the options is not suitable.
Both commands are suitable for my case.
After reading the documentation, I chose the first option because it uses less CPU.

For all the iptables settings to come back after a reboot, you need to save them somewhere.

iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

Such names are not chosen by chance. They are used by the "iptables-persistent" package.

apt-get install iptables-persistent

Install the main OpenVPN packages:

apt-get install openvpn easy-rsa

Let's set up the template for the certificates (substitute your own values):

make-cadir ~/openvpn-ca
cd ~/openvpn-ca
ln -s openssl-1.0.0.cnf openssl.cnf

Let's change the values in the certificate template:

mcedit vars

...
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="RU"
export KEY_PROVINCE="Krasnodar"
export KEY_CITY="Dinskaya"
export KEY_ORG="Own"
export KEY_EMAIL="[email protected]"
export KEY_OU="VPN"

# X509 Subject Field
export KEY_NAME="server"
...

Create the server certificate:

cd ~/openvpn-ca
source vars
./clean-all
./build-ca
./build-key-server server
./build-dh
openvpn --genkey --secret keys/ta.key

Let's prepare the means to create the final "client-name.ovpn" files:

mkdir -p ~/client-configs/files
chmod 700 ~/client-configs/files
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
mcedit ~/client-configs/base.conf

# Client mode
client

# Interface tunnel type
dev tun

# TCP protocol
proto tcp-client

# Address/Port of VPN server
remote XX.XX.XX.X0 1194

# Don't bind to local port/address
nobind

# Don't need to re-read keys and re-create tun at restart
persist-key
persist-tun

# Remote peer must have a signed certificate
remote-cert-tls server
ns-cert-type server

# Enable compression
comp-lzo

# Custom
ns-cert-type server
tls-auth ta.key 1
cipher DES-EDE3-CBC

Let's prepare a script that will combine all the files into a single ovpn file.

mcedit ~/client-configs/make_config.sh
chmod 700 ~/client-configs/make_config.sh

#!/bin/bash

# First argument: Client identifier

KEY_DIR=~/openvpn-ca/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

# Concatenate the base config with the inline CA, client cert, client key and
# tls-auth key; $1 is the client name used with ./build-key.
cat ${BASE_CONFIG} \
    <(echo -e '<ca>') \
    ${KEY_DIR}/ca.crt \
    <(echo -e '</ca>\n<cert>') \
    ${KEY_DIR}/${1}.crt \
    <(echo -e '</cert>\n<key>') \
    ${KEY_DIR}/${1}.key \
    <(echo -e '</key>\n<tls-auth>') \
    ${KEY_DIR}/ta.key \
    <(echo -e '</tls-auth>') \
    > ${OUTPUT_DIR}/${1}.ovpn

Create the first OpenVPN client:

cd ~/openvpn-ca
source vars
./build-key client-name
cd ~/client-configs
./make_config.sh client-name

The file "~/client-configs/files/client-name.ovpn" is sent to the client.

For iOS clients you will have to do the following contortions:
The contents of the "tls-auth" tag must not contain comments.
Also put "key-direction 1" immediately before the "tls-auth" tag.

Let's set up the OpenVPN server config:

cd ~/openvpn-ca/keys
cp ca.crt ca.key server.crt server.key ta.key dh2048.pem /etc/openvpn
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | tee /etc/openvpn/server.conf
mcedit /etc/openvpn/server.conf

# Listen port
port 1194

# Protocol
proto tcp-server

# IP tunnel
dev tun0
tun-ipv6
push tun-ipv6

# Master certificate
ca ca.crt

# Server certificate
cert server.crt

# Server private key
key server.key

# Diffie-Hellman parameters
dh dh2048.pem

# Allow clients to communicate with each other
client-to-client

# Client config dir
client-config-dir /etc/openvpn/ccd

# Run client-specific script on connection and disconnection
script-security 2
client-connect "/usr/bin/sudo -u root /etc/openvpn/server-clientconnect.sh"
client-disconnect "/usr/bin/sudo -u root /etc/openvpn/server-clientdisconnect.sh"

# Server mode and client subnets
server 10.8.0.0 255.255.255.0
server-ipv6 XXXX:XXXX:XXXX:XXXX:1:3::/80
topology subnet

# IPv6 routes
push "route-ipv6 XXXX:XXXX:XXXX:XXXX::/64"
push "route-ipv6 2000::/3"

# DNS (for Windows)
# These are OpenDNS
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

# Configure all clients to redirect their default network gateway through the VPN
push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway ipv6" #For iOS

# Don't need to re-read keys and re-create tun at restart
persist-key
persist-tun

# Ping every 10s. Timeout of 120s.
keepalive 10 120

# Enable compression
comp-lzo

# User and group
user vpn
group vpn

# Log a short status
status openvpn-status.log

# Logging verbosity
##verb 4

# Custom config
tls-auth ta.key 0
cipher DES-EDE3-CBC

This is needed in order to set a static address for each client (not required, but I use it):

# Client config dir
client-config-dir /etc/openvpn/ccd

The most difficult and key part.

Unfortunately, OpenVPN still doesn't know how to configure the IPv6 gateway for clients on its own.
You have to push this "manually" for each client.

# Run client-specific script on connection and disconnection
script-security 2
client-connect "/usr/bin/sudo -u root /etc/openvpn/server-clientconnect.sh"
client-disconnect "/usr/bin/sudo -u root /etc/openvpn/server-clientdisconnect.sh"

File "/etc/openvpn/server-clientconnect.sh":

#!/bin/sh

# Check client variables
if [ -z "$ifconfig_pool_remote_ip" ] || [ -z "$common_name" ]; then
        echo "Missing environment variable."
        exit 1
fi

# Load server variables
. /etc/openvpn/variables

ipv6=""

# Find out if there is a specific config with fixed IPv6 for this client
if [ -f "/etc/openvpn/ccd/$common_name" ]; then
        # Get fixed IPv6 from client config file
        ipv6=$(sed -nr 's/^.*ifconfig-ipv6-push[ \t]+([0-9a-fA-F:]+).*$/\1/p' "/etc/openvpn/ccd/$common_name")
        echo $ipv6
fi

# Get IPv6 from IPv4
if [ -z "$ipv6" ]; then
        ipp=$(echo "$ifconfig_pool_remote_ip" | cut -d. -f4)
        if ! [ "$ipp" -ge 2 -a "$ipp" -le 254 ] 2>/dev/null; then
                echo "Invalid IPv4 part."
                exit 1
        fi
        hexipp=$(printf '%x' $ipp)
        ipv6="$prefix$hexipp"
fi

# Create proxy rule
/sbin/ip -6 neigh add proxy $ipv6 dev eno1

File "/etc/openvpn/server-clientdisconnect.sh":

#!/bin/sh

# Check client variables
if [ -z "$ifconfig_pool_remote_ip" ] || [ -z "$common_name" ]; then
        echo "Missing environment variable."
        exit 1
fi

# Load server variables
. /etc/openvpn/variables

ipv6=""

# Find out if there is a specific config with fixed IPv6 for this client
if [ -f "/etc/openvpn/ccd/$common_name" ]; then
        # Get fixed IPv6 from client config file
        ipv6=$(sed -nr 's/^.*ifconfig-ipv6-push[ \t]+([0-9a-fA-F:]+).*$/\1/p' "/etc/openvpn/ccd/$common_name")
fi

# Get IPv6 from IPv4
if [ -z "$ipv6" ]; then
        ipp=$(echo "$ifconfig_pool_remote_ip" | cut -d. -f4)
        if ! [ "$ipp" -ge 2 -a "$ipp" -le 254 ] 2>/dev/null; then
                echo "Invalid IPv4 part."
                exit 1
        fi
        hexipp=$(printf '%x' $ipp)
        ipv6="$prefix$hexipp"
fi

# Delete proxy rule
/sbin/ip -6 neigh del proxy $ipv6 dev eno1

Both scripts use the file "/etc/openvpn/variables":

# Subnet
prefix=XXXX:XXXX:XXXX:XXXX:2:
# netmask
prefixlen=112

I find it hard to remember why it is written this way.

Now netmask = 112 looks strange (it should be 96 there).
And the prefix is strange; it doesn't match the tun0 network.
But never mind, I'll leave it as is.

cipher DES-EDE3-CBC

This is a matter of taste - I chose this method of encrypting the connection.

Read more about configuring OpenVPN over IPv4.

Read more about configuring OpenVPN with IPv6.

======= Postfix =======

Install the main package:

apt-get install postfix

During installation, choose "internet site".

My "/etc/postfix/main.cf" looks like this:

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtp_bind_address = XX.XX.XX.X0
smtp_bind_address6 = XXXX:XXXX:XXXX:XXXX:1:1:1:1

smtp_tls_security_level = may
smtp_tls_ciphers = export
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_loglevel = 1

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = domain1.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = domain1.com
mydestination = localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4

internal_mail_filter_classes = bounce

# Storage type
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf

# SMTP-Auth settings
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        #reject_invalid_hostname,
        #reject_unknown_recipient_domain,
        reject_unauth_destination,
        reject_rbl_client sbl.spamhaus.org,
        check_policy_service unix:private/policyd-spf

smtpd_helo_restrictions =
        #reject_invalid_helo_hostname,
        #reject_non_fqdn_helo_hostname,
        reject_unknown_helo_hostname

smtpd_client_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_helo_hostname,
        permit

# SPF
policyd-spf_time_limit = 3600

# OpenDKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:var/run/opendkim/opendkim.sock

# IP address per domain
sender_dependent_default_transport_maps = pcre:/etc/postfix/sdd_transport.pcre

Let's go through the contents of this config.

smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key

Raws li cov neeg nyob hauv Khabrovsk, qhov thaiv no muaj "cov ntaub ntawv tsis raug thiab cov ntaub ntawv tsis raug."Tsuas yog 8 xyoo tom qab pib kuv txoj haujlwm kuv pib nkag siab tias SSL ua haujlwm li cas.

Yog li ntawd, kuv yuav muaj kev ywj pheej ntawm kev piav qhia yuav ua li cas siv SSL (tsis teb cov lus nug "Nws ua haujlwm li cas?" thiab "Vim li cas nws ua haujlwm?").

Lub hauv paus ntawm niaj hnub encryption yog tsim ntawm ib khub tseem ceeb (ob txoj hlua ntev heev ntawm cov cim).

Ib qho "key" yog ntiag tug, lwm qhov tseem ceeb yog "public". Peb khaws tus yuam sij ntiag tug ua tib zoo tsis pub leej twg paub. Peb faib tus yuam sij rau pej xeem rau txhua tus.

Siv tus yuam sij pej xeem, koj tuaj yeem encrypt ib txoj hlua ntawm cov ntawv kom tsuas yog tus tswv ntawm tus yuam sij ntiag tug tuaj yeem decrypt nws.
Zoo, qhov ntawd yog tag nrho cov hauv paus ntawm kev siv tshuab.

Kauj Ruam #1 - https qhov chaw.
Thaum nkag mus rau ib lub xaib, tus browser kawm los ntawm lub vev xaib server uas lub vev xaib yog https thiab yog li thov tus yuam sij pej xeem.
Lub web server muab tus yuam sij rau pej xeem. Tus browser siv tus yuam sij pej xeem los encrypt qhov http-thov thiab xa nws.
Cov ntsiab lus ntawm http-thov tsuas yog nyeem tau los ntawm cov neeg uas muaj tus yuam sij ntiag tug, uas yog, tsuas yog lub server uas tau thov.
Http-thov muaj tsawg kawg yog URI. Yog li ntawd, yog tias ib lub teb chaws tab tom sim txwv tsis pub nkag mus rau tag nrho lub xaib, tab sis mus rau nplooj ntawv tshwj xeeb, ces qhov no tsis tuaj yeem ua rau https qhov chaw.

Kauj Ruam #2 - teb encrypted.
Lub web server muab cov lus teb uas tuaj yeem nyeem tau yooj yim ntawm txoj kev.
Txoj kev daws teeb meem yog qhov yooj yim heev - qhov browser hauv zos tsim tib tus kheej ntiag tug-public key khub rau txhua qhov https.
Thiab nrog rau kev thov rau lub vev xaib pej xeem tus yuam sij, nws xa nws cov yuam sij pej xeem hauv zos.
Lub web server nco txog nws thiab, thaum xa http- teb, encrypts nws nrog pej xeem tus yuam sij ntawm ib tus neeg siv khoom tshwj xeeb.
Tam sim no http- teb tuaj yeem tsuas yog decrypted los ntawm tus tswv ntawm tus neeg siv lub browser ntiag tug tus yuam sij (uas yog, tus neeg siv khoom nws tus kheej).

Kauj Ruam 3 - tsim kom muaj kev ruaj ntseg ntawm kev sib txuas ntawm pej xeem.
Muaj qhov tsis zoo hauv qhov piv txwv No. 2 - tsis muaj dab tsi tiv thaiv cov neeg xav tau zoo los ntawm kev cuam tshuam http-thov thiab kho cov ntaub ntawv hais txog pej xeem tus yuam sij.
Yog li, tus neeg nruab nrab yuav pom meej meej tag nrho cov ntsiab lus ntawm kev xa thiab tau txais cov lus kom txog thaum kev sib txuas lus hloov pauv.
Kev daws qhov no yog qhov yooj yim heev - tsuas yog xa tus browser tus yuam sij rau pej xeem raws li cov lus encrypted nrog lub web server tus yuam sij pej xeem.
Lub vev xaib neeg rau zaub mov thawj zaug xa cov lus teb zoo li "koj tus yuam sij pej xeem zoo li qhov no" thiab encrypts cov lus no nrog tib tus yuam sij pej xeem.
Tus browser saib cov lus teb - yog tias cov lus "koj tus yuam sij pej xeem zoo li qhov no" tau txais - ces qhov no yog 100% lav tias qhov kev sib txuas lus no muaj kev nyab xeeb.
Nws muaj kev nyab xeeb npaum li cas?
Qhov tsim ntawm xws li kev sib txuas lus ruaj ntseg channel tshwm sim ntawm qhov nrawm ntawm ping * 2. ej., 20ms.
Tus neeg tawm tsam yuav tsum muaj tus yuam sij ntiag tug ntawm ib tog ua ntej. Los yog nrhiav tus yuam sij ntiag tug hauv ob peb milliseconds.
Hacking ib tus yuam sij ntiag tug niaj hnub yuav siv sijhawm ntau xyoo ntawm lub tshuab computer.

Kauj ruam #4 - pej xeem database ntawm pej xeem yuam sij.
Obviously, nyob rau hauv tag nrho cov dab neeg no muaj lub sijhawm rau tus neeg tawm tsam los zaum ntawm kev sib txuas lus ntawm tus neeg siv khoom thiab cov neeg rau zaub mov.
Tus neeg siv khoom tuaj yeem ua tus neeg rau zaub mov, thiab tus neeg rau zaub mov tuaj yeem ua tus neeg siv khoom. Thiab emulate ib khub ntawm cov yuam sij hauv ob qho tib si.
Tom qab ntawd tus neeg tawm tsam yuav pom tag nrho cov tsheb khiav thiab yuav tuaj yeem "kho" cov tsheb khiav.
Piv txwv li, hloov qhov chaw nyob qhov twg xa nyiaj los yog luam tus password los ntawm kev lag luam online lossis thaiv cov ntsiab lus "tsis pom zoo".
Txhawm rau tawm tsam cov neeg tawm tsam zoo li no, lawv tuaj nrog cov ntaub ntawv pej xeem nrog cov yuam sij pej xeem rau txhua qhov chaw https.
Txhua tus browser "paub" txog qhov muaj txog 200 cov ntaub ntawv zoo li no. Qhov no los pre-installed nyob rau hauv txhua txhua browser.
"Kev Paub" yog txhawb nqa los ntawm pej xeem tus yuam sij los ntawm txhua daim ntawv pov thawj. Ntawd yog, kev sib txuas mus rau txhua txoj cai pov thawj tshwj xeeb tsis tuaj yeem raug dag.

Now we have a basic understanding of how SSL is used for https.
If you use your head, it is clear that the special services can break something in this scheme. But it will cost them enormous effort.
And for organizations smaller than the NSA or CIA it is almost impossible to break the existing level of protection, even against VIPs.

I will also add a note about ssh connections. There are no public key databases there, so what can you do? The problem is solved in two ways.
Option ssh-by-password:
At the first connection, the ssh client should warn that we have a new public key from the ssh server.
On subsequent connections, if the warning "new public key from the ssh server" appears, it means someone is trying to eavesdrop on you.
Or you were eavesdropped on during your first connection, but now you are talking to the server without intermediaries.
In fact, because the fact of wiretapping is revealed easily, quickly and without effort, this attack is only used in special cases against specific clients.

Option ssh-by-key:
We take a flash drive and write the private key for the ssh server onto it (there are tools and many subtleties for this, but I am writing an educational article, not a usage manual).
We leave the public key on the machine where the ssh client will run, and we also keep it secret.
We carry the flash drive to the server, insert it, copy the private key, then burn the flash drive and scatter the ashes to the wind (or at least format it with zeros).
That is all - after such an operation it will be impossible to hack such an ssh connection. Of course, in 10 years it may become possible to read the traffic on a supercomputer - but that is a different story.
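The ssh-by-password option above relies on the client remembering the server's host key and warning when it changes. The following is an added example (not part of the original article) that models that known_hosts check in Python: it records a host key on first contact, confirms it on later connections, and flags a changed key, which is the signal the article describes. The key blobs and hostnames are constructed, not real keys, and the fingerprint format mirrors the one OpenSSH prints.

```python
"""Trust-on-first-use host key check, modelled on an ssh client's
~/.ssh/known_hosts handling. Added example; all key material is constructed."""
import base64
import hashlib

# Constructed host key blobs: base64 of arbitrary bytes, NOT real keys.
KEY_A = base64.b64encode(b"constructed server host key A").decode()
KEY_B = base64.b64encode(b"constructed server host key B").decode()

# Constructed known_hosts content: "host[,host...] keytype key [comment]" per line.
KNOWN_HOSTS = f"""\
# comment lines and blank lines are ignored
mail.example.test,192.0.2.1 ssh-ed25519 {KEY_A}
"""


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 over the raw key blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map (host, keytype) -> key blob. Hashed '|1|' entries are out of scope here."""
    known = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        hosts, keytype, key = parts[0], parts[1], parts[2]
        for host in hosts.split(","):
            known[(host, keytype)] = key
    return known


def check_host_key(known: dict, host: str, keytype: str, presented: str) -> str:
    """NEW: first contact (trust and record it).
    MATCH: same key as before, talk to the server directly.
    CHANGED: the server presented a different key; stop and investigate,
    this is the warning the article says points at an eavesdropper."""
    stored = known.get((host, keytype))
    if stored is None:
        return "NEW"
    if stored == presented:
        return "MATCH"
    return "CHANGED"


if __name__ == "__main__":
    known = parse_known_hosts(KNOWN_HOSTS)
    for host, key in [("mail.example.test", KEY_A),
                      ("mail.example.test", KEY_B),
                      ("other.example.test", KEY_A)]:
        print(host, fingerprint(key), check_host_key(known, host, "ssh-ed25519", key))
```

The CHANGED result is only meaningful if the first contact was genuine, which is exactly the gap the ssh-by-key option closes by moving the key out of band.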

I apologize for the off-topic digression.

So now the theory is known. I will describe the process of obtaining the SSL certificate.

Using "openssl genrsa" we create the private key and a "blank" for the public key.
We send the "blank" to a third-party company, which we pay about $9 for the simplest certificate.

A few hours later we receive our "public" key and a set of several public keys from the third-party company.

Why a third-party company should be paid to register my public key is a separate question; we will not go into it.

Now it is clear what this entry means:

smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key

The "/etc/ssl" folder contains all files related to ssl.
domain1.com - the domain name.
2018 is the year the key was created.
"key" - the name indicates that the file is the private key.

And the meaning of this file:

smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
domain1.com - the domain name.
2018 is the year the key was created.
chained - the name says that it contains a chain of public keys (the first is our public key, the rest are the ones that came from the company which issued it).
crt - indicates that this is a ready certificate (a public key with a description).

smtp_bind_address = XX.XX.XX.X0
smtp_bind_address6 = XXXX:XXXX:XXXX:XXXX:1:1:1:1

This setting is not used in this case, but it is written out as an example.

Because a mistake in this parameter will cause spam to be sent from your server (without your wanting it).

Then go and prove to everyone that you are not the guilty one.

recipient_delimiter = +

Many people do not know this, but this is the standard character for classifying (sub-addressing) mail, and it is supported by most modern mail servers.

For example, if you have a mailbox "[email protected]", try sending to "[email protected]" and see what comes of it.

inet_protocols = ipv4

This may be confusing.

But that is not all. Each new domain is IPv4-only by default; I then enable IPv6 for each one individually.

virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf

Here we specify that all incoming mail is handed to dovecot.
And the rules for domains, mailboxes and aliases are looked up in the database.

/etc/postfix/mysql-virtual-mailbox-domains.cf

user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT 1 FROM virtual_domains WHERE name='%s'

/etc/postfix/mysql-virtual-mailbox-maps.cf

user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT 1 FROM virtual_users WHERE email='%s'

/etc/postfix/mysql-virtual-alias-maps.cf

user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT destination FROM virtual_aliases WHERE source='%s'
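To show what the three lookup files above actually do, here is an added example (not the article's or the linked guide's code) that replays the same queries in Python. It uses sqlite3 in memory in place of MySQL, and the table layout (virtual_domains, virtual_users, virtual_aliases) and the sample rows are assumptions, since the article defers the schema to an external guide. Postfix substitutes the looked-up key for %s; the example binds it as a parameter instead, so a crafted address cannot change the query.

```python
"""Replay of the Postfix virtual_* MySQL maps against a constructed schema.
Added example: sqlite3 stands in for MySQL; the schema is an assumption."""
import sqlite3

# Assumed schema; the article only links to the guide that defines it.
SCHEMA = """
CREATE TABLE virtual_domains (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE virtual_users (id INTEGER PRIMARY KEY, domain_id INTEGER NOT NULL,
    email TEXT NOT NULL UNIQUE, password TEXT NOT NULL);
CREATE TABLE virtual_aliases (id INTEGER PRIMARY KEY, domain_id INTEGER NOT NULL,
    source TEXT NOT NULL, destination TEXT NOT NULL);
"""

# Constructed sample data.
SAMPLE = """
INSERT INTO virtual_domains VALUES (1, 'domain1.com'), (2, 'domain2.com');
INSERT INTO virtual_users VALUES (1, 1, 'alice@domain1.com', '{SHA512-CRYPT}$6$constructed');
INSERT INTO virtual_aliases VALUES (1, 1, 'postmaster@domain1.com', 'alice@domain1.com');
"""

# The query strings from the three .cf files, verbatim.
QUERIES = {
    "virtual_mailbox_domains": "SELECT 1 FROM virtual_domains WHERE name='%s'",
    "virtual_mailbox_maps": "SELECT 1 FROM virtual_users WHERE email='%s'",
    "virtual_alias_maps": "SELECT destination FROM virtual_aliases WHERE source='%s'",
}


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn


def lookup(conn, table, key):
    """Run one map query as Postfix would: the key replaces %s and any returned
    row means 'found'. The key is passed as a bound parameter, not spliced into
    the SQL text, so quotes in an address cannot rewrite the query."""
    sql = QUERIES[table].replace("'%s'", "?")
    return [row[0] for row in conn.execute(sql, (key,)).fetchall()]


def classify_recipient(conn, address):
    """How Postfix treats an RCPT TO address given these three maps."""
    domain = address.rsplit("@", 1)[-1]
    if not lookup(conn, "virtual_mailbox_domains", domain):
        return "not ours (relay denied)"
    aliases = lookup(conn, "virtual_alias_maps", address)
    if aliases:
        return "alias -> " + ", ".join(aliases)
    if lookup(conn, "virtual_mailbox_maps", address):
        return "mailbox"
    return "unknown user (rejected)"


if __name__ == "__main__":
    conn = open_db()
    for rcpt in ["alice@domain1.com", "postmaster@domain1.com",
                 "bob@domain2.com", "x@evil.example", "x'or'1'='1@domain1.com"]:
        print(rcpt, "->", classify_recipient(conn, rcpt))
```

A domain that is not in virtual_domains is never accepted for local delivery, which is why the first query is the one that protects the server from becoming a relay; the other two only decide between alias expansion, a mailbox, or an unknown-user rejection.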

# SMTP-Auth settings
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

Now postfix knows that mail may be accepted for relaying after authentication through dovecot.

I really do not understand why this is duplicated here. We have already specified everything needed in "virtual_transport".

But the postfix system is very old - perhaps this is a leftover from the old days.

smtpd_recipient_restrictions =
        ...

smtpd_helo_restrictions =
        ...

smtpd_client_restrictions =
        ...

This can be configured differently on each mail server.

I have 3 mail servers at my disposal and these settings differ a lot because of different usage.

You need to configure this carefully - otherwise spam will pour in on you, or even worse, spam will pour out of you.

# SPF
policyd-spf_time_limit = 3600

A setting for the plugin that performs SPF checks on incoming mail.

# OpenDKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:var/run/opendkim/opendkim.sock

This setting means that we sign every outgoing email with DKIM.

# IP address per domain
sender_dependent_default_transport_maps = pcre:/etc/postfix/sdd_transport.pcre

This is the key point in routing mail when it is sent from PHP scripts.

The file "/etc/postfix/sdd_transport.pcre":

/^[email protected]$/ domain1:
/^[email protected]$/ domain2:
/^[email protected]$/ domain3:
/@domain1.com$/             domain1:
/@domain2.com$/             domain2:
/@domain3.com$/             domain3:

On the left is a regular expression. On the right is a label that marks the message.
Postfix, according to the label, takes a few extra lines into account for that specific message.

Exactly how postfix is reconfigured for a specific message is described in "master.cf".

Lines 4, 5, 6 are the key ones. Whichever domain we send the message on behalf of, we attach that label.
But the "from" field is not always specified in old PHP code. Then the username comes to the rescue.
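The following added example (not the author's code) replays the sender_dependent_default_transport_maps lookup in Python, so you can see which transport, and therefore which bind address and HELO from master.cf, a given sender gets. The local-user sender addresses on lines 1-3 (www-domainN@host.example) are constructed, since the article shows them redacted; the per-transport values are the XX.XX.XX.XN placeholders from the article's master.cf. Postfix pcre tables are matched in file order, first match wins, and are case-insensitive by default; the example reproduces that and also shows the effect of the unescaped dot in the article's patterns.

```python
"""Replay of a Postfix pcre: sender-dependent transport table. Added example;
the www-domainN@host.example senders are constructed stand-ins for the
redacted local users in the article."""
import re

# Constructed copy of /etc/postfix/sdd_transport.pcre. Lines 4-6 keep the
# article's unescaped dot so its effect can be observed below.
SDD_TRANSPORT_PCRE = r"""
/^www-domain1@host\.example$/ domain1:
/^www-domain2@host\.example$/ domain2:
/^www-domain3@host\.example$/ domain3:
/@domain1.com$/             domain1:
/@domain2.com$/             domain2:
/@domain3.com$/             domain3:
"""

# Per-transport overrides taken from the article's master.cf (placeholders kept).
TRANSPORTS = {
    "domain1": {"smtp_bind_address": "XX.XX.XX.X1", "smtp_helo_name": "domain1.com",
                "syslog_name": "postfix-domain1"},
    "domain2": {"smtp_bind_address": "XX.XX.XX.X5", "smtp_helo_name": "domain2.com",
                "syslog_name": "postfix-domain2"},
    "domain3": {"smtp_bind_address": "XX.XX.XX.X2", "smtp_helo_name": "domain3",
                "syslog_name": "postfix-domain3"},
}

PCRE_LINE = re.compile(r"^/(?P<pattern>.*)/\s+(?P<result>\S+)\s*$")


def parse_pcre_table(text):
    """Return [(compiled regex, result)] in file order, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PCRE_LINE.match(line)
        if not m:
            raise ValueError(f"malformed rule: {line!r}")
        # Postfix pcre tables are case-insensitive unless the pattern sets a flag.
        rules.append((re.compile(m.group("pattern"), re.IGNORECASE), m.group("result")))
    return rules


def lookup_transport(rules, sender):
    """First matching rule wins; None means 'fall back to default_transport'."""
    for regex, result in rules:
        if regex.search(sender):
            return result
    return None


def routing_for(sender, rules=None):
    """Combine the table lookup with the master.cf overrides for that transport."""
    if rules is None:
        rules = parse_pcre_table(SDD_TRANSPORT_PCRE)
    result = lookup_transport(rules, sender)
    if result is None:
        return {"transport": "default"}
    name = result.split(":", 1)[0]          # "domain1:" -> transport "domain1"
    return {"transport": name, **TRANSPORTS[name]}


if __name__ == "__main__":
    for sender in ["www-domain2@host.example", "Alice@Domain1.COM",
                   "info@domain3.com", "user@domain1Xcom", "nobody@unrelated.example"]:
        print(sender, "->", routing_for(sender))
```

Note the fourth sample sender: because the dot in /@domain1.com$/ is unescaped it matches any character, so user@domain1Xcom is routed through the domain1 transport as well. Escaping it as /@domain1\.com$/ makes the rule exact.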

The article is already long - I would not want to get sidetracked into configuring nginx + fpm.

In short, for each site we create its own linux user as owner. And accordingly its own fpm-pool.

An fpm-pool uses a single version of php (it is very convenient that on the same server you can run different php versions and even different php.ini files for neighbouring sites without any problems).

So a specific linux user "www-domain2" owns the site domain2.com. This site contains code that sends email without explicitly specifying the sender.

So even in that case the mail will be sent correctly and will not end up in spam.

My "/etc/postfix/master.cf" looks like this:

...
smtp      inet  n       -       y       -       -       smtpd
  -o content_filter=spamassassin
...
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
...
policyd-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/bin/policyd-spf

spamassassin unix -     n       n       -       -       pipe
    user=spamd argv=/usr/bin/spamc -f -e
    /usr/sbin/sendmail -oi -f ${sender} ${recipient}
...
domain1  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X1
   -o smtp_helo_name=domain1.com
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:1:1
   -o syslog_name=postfix-domain1

domain2  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X5
   -o smtp_helo_name=domain2.com
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:2:1:1
   -o syslog_name=postfix-domain2

domain3  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X2
   -o smtp_helo_name=domain3
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:5:1
   -o syslog_name=postfix-domain3

The file is not given in full - it is already very large.
I have written out only what was changed.

smtp      inet  n       -       y       -       -       smtpd
  -o content_filter=spamassassin
...
spamassassin unix -     n       n       -       -       pipe
    user=spamd argv=/usr/bin/spamc -f -e
    /usr/sbin/sendmail -oi -f ${sender} ${recipient}

These are the settings related to spamassassin, added later on.

submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

We allow connections to the server on port 587.
To do so, you must authenticate.

policyd-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/bin/policyd-spf

Enable SPF checking.

apt-get install postfix-policyd-spf-python

Install the package for the SPF check above.

domain1  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X1
   -o smtp_helo_name=domain1.com
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:1:1
   -o syslog_name=postfix-domain1

And this is the most interesting part. This is the ability to send mail for a specific domain from a specific IPv4 / IPv6 address.

This is done for the sake of rDNS. rDNS is the procedure for obtaining a name from an IP address.
And in mail, this feature is used to confirm that the helo exactly matches the rDNS of the address from which the email was sent.

If the helo does not match the mail domain on whose behalf the message is sent, spam points are awarded.

If the helo does not match the rDNS, many spam points are awarded.
Accordingly, each domain must have its own IP address.
At OVH, rDNS can be set in the console.
At tech.ru, the matter is handled through support.
At AWS, the matter is handled through support.
"inet_protocols" and "smtp_bind_address6" - here we enable IPv6.
For IPv6 you also need to register rDNS.
"syslog_name" - and this is for convenience when reading the logs.
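The rDNS / HELO consistency described above is what a receiving server scores. The following added example (not the author's code) runs those checks in Python against constructed DNS data instead of live lookups, so it is offline and repeatable: forward-confirmed rDNS (the PTR name must resolve back to the connecting IP), HELO equal to the rDNS name, HELO resolving to the sending IP, and HELO matching the MAIL FROM domain. The IP addresses (documentation ranges) and names are constructed placeholders.

```python
"""Forward-confirmed rDNS and HELO consistency checks, run against constructed
DNS tables. Added example; addresses and names are placeholders."""
import ipaddress

# Constructed reverse zone: IP -> PTR name.
PTR = {
    "192.0.2.1": "domain1.com",
    "2001:db8::1:1:1:1": "domain1.com",
    "192.0.2.5": "domain2.com",
    "192.0.2.9": "some-vps-9.hoster.example",   # generic hoster name
}

# Constructed forward zone: name -> set of A/AAAA addresses.
FORWARD = {
    "domain1.com": {"192.0.2.1", "2001:db8::1:1:1:1"},
    "domain2.com": {"192.0.2.5"},
    "some-vps-9.hoster.example": {"192.0.2.9"},
}


def ptr_lookup(ip):
    return PTR.get(ip)


def forward_lookup(name):
    return FORWARD.get(name.lower().rstrip("."), set())


def check_sender(ip, helo, mail_from_domain):
    """Return a list of findings; an empty list means the sender is consistent.
    Each finding corresponds to one of the penalties the article describes."""
    ip = str(ipaddress.ip_address(ip))          # canonical text form (IPv6 compressed)
    helo = helo.lower().rstrip(".")
    mail_from_domain = mail_from_domain.lower()
    findings = []

    ptr = ptr_lookup(ip)
    if ptr is None:
        findings.append("no rDNS")
    else:
        # Forward-confirmed rDNS: the PTR name must resolve back to this IP.
        if ip not in forward_lookup(ptr):
            findings.append("rDNS not forward-confirmed")
        if ptr.lower() != helo:
            findings.append("HELO does not match rDNS")

    if ip not in forward_lookup(helo):
        findings.append("HELO does not resolve to sending IP")

    if not (helo == mail_from_domain or helo.endswith("." + mail_from_domain)):
        findings.append("HELO does not match MAIL FROM domain")
    return findings


if __name__ == "__main__":
    for ip, helo, frm in [("192.0.2.1", "domain1.com", "domain1.com"),
                          ("2001:0db8::1:1:1:1", "domain1.com", "domain1.com"),
                          ("192.0.2.9", "domain1.com", "domain1.com"),
                          ("192.0.2.5", "domain2.com", "domain1.com"),
                          ("192.0.2.77", "domain1.com", "domain1.com")]:
        print(ip, helo, frm, "->", check_sender(ip, helo, frm) or "ok")
```

The third case is the one the article's per-domain bind addresses prevent: a message for domain1.com leaving from an address whose PTR is the hoster's generic name. The second case shows why the IPv6 address is normalised before the PTR lookup; the same address written with leading zeros must still be found.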

I recommend buying the certificate here.

Setting up postfix + dovecot: link here.

Setting up SPF.

======= Dovecot =======

apt-get install dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-mysql dovecot-antispam

Configure mysql and install the packages themselves.

File "/etc/dovecot/conf.d/10-auth.conf"

disable_plaintext_auth = yes
auth_mechanisms = plain login

Authentication only over encrypted connections.

File "/etc/dovecot/conf.d/10-mail.conf"

mail_location = maildir:/var/mail/vhosts/%d/%n

Here we specify where the mail is stored.

I want it kept in files and grouped by domain.

File "/etc/dovecot/conf.d/10-master.conf"

service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    address = XX.XX.XX.X1, XX.XX.XX.X2, XX.XX.XX.X5, [XXXX:XXXX:XXXX:XXXX:1:1:1:1], [XXXX:XXXX:XXXX:XXXX:1:2:1:1], [XXXX:XXXX:XXXX:XXXX:1:1:5:1]
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    address = XX.XX.XX.X1, XX.XX.XX.X2, XX.XX.XX.X5, [XXXX:XXXX:XXXX:XXXX:1:1:1:1], [XXXX:XXXX:XXXX:XXXX:1:2:1:1], [XXXX:XXXX:XXXX:XXXX:1:1:5:1]
    port = 995
    ssl = yes
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
service imap {
}
service pop3 {
}
service auth {
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }

  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
  user = dovecot
}
service auth-worker {
  user = vmail
}
service dict {
  unix_listener dict {
  }
}

This is the main dovecot service configuration file.
Here we disable the unsecured listeners.
And enable the secure ones.

File "/etc/dovecot/conf.d/10-ssl.conf"

ssl = required
ssl_cert = </etc/nginx/ssl/domain1.com.2018.chained.crt
ssl_key = </etc/nginx/ssl/domain1.com.2018.key
local XX.XX.XX.X5 {
  ssl_cert = </etc/nginx/ssl/domain2.com.2018.chained.crt
  ssl_key =  </etc/nginx/ssl/domain2.com.2018.key
}

ssl configuration. We specify that ssl is required.
And the certificate itself. The key point is the "local" directive. It specifies which SSL certificate is used when a client connects to which local IPv4 address.

By the way, IPv6 is not configured here; I will fix that omission later.
XX.XX.XX.X5 (domain2) - no certificate. To connect clients you must specify domain1.com.
XX.XX.XX.X2 (domain3) - has a certificate; you can specify either domain1.com or domain3.com to connect clients.

File "/etc/dovecot/conf.d/15-lda.conf"

protocol lda {
  mail_plugins = $mail_plugins sieve
}

This will be needed for spamassassin later.

File "/etc/dovecot/conf.d/20-imap.conf"

protocol imap {
  mail_plugins = $mail_plugins antispam
}

This is the antispam plugin. It is needed to train spamassassin when messages are moved to / from the "Spam" folder.

File "/etc/dovecot/conf.d/20-pop3.conf"

protocol pop3 {
}

That is all the file contains.

File "/etc/dovecot/conf.d/20-lmtp.conf"

protocol lmtp {
  mail_plugins = $mail_plugins sieve
  postmaster_address = [email protected]
}

lmtp configuration.

File "/etc/dovecot/conf.d/90-antispam.conf"

plugin {
  antispam_backend = pipe
  antispam_trash = Trash;trash
  antispam_spam = Junk;Spam;SPAM
  antispam_pipe_program_spam_arg = --spam
  antispam_pipe_program_notspam_arg = --ham
  antispam_pipe_program = /usr/bin/sa-learn
  antispam_pipe_program_args = --username=%Lu
}

Settings for training spamassassin when messages are moved to / from the Spam folder.

File "/etc/dovecot/conf.d/90-sieve.conf"

plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_after = /var/lib/dovecot/sieve/default.sieve
}

A file that specifies what to do with incoming mail.

File "/var/lib/dovecot/sieve/default.sieve"

require ["fileinto", "mailbox"];

if header :contains "X-Spam-Flag" "YES" {
        fileinto :create "Spam";
}

You need to compile the file: "sievec default.sieve".
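The following added example (not the article's code) covers two delivery-time rules from this article in one place: recipient_delimiter = + from the postfix section, where the +tag is stripped from the local part to find the real mailbox, and the default.sieve rule above, which files a message into Spam when the X-Spam-Flag header contains YES. The sample message is constructed. Two Sieve details are reproduced deliberately: :contains is a substring test, and the default comparator is case-insensitive, so "yes" in any case matches.

```python
"""Delivery decision for one message: strip the +tag sub-address, then apply
the default.sieve spam rule. Added example; the message below is constructed."""
from email import message_from_string
from email.message import Message
from typing import Tuple

RECIPIENT_DELIMITER = "+"   # the postfix recipient_delimiter setting


def canonical_mailbox(address: str, delimiter: str = RECIPIENT_DELIMITER) -> Tuple[str, str]:
    """Split user+tag@domain into (user@domain, tag); tag is '' when absent."""
    local, _, domain = address.rpartition("@")
    user, _, tag = local.partition(delimiter)
    return f"{user}@{domain}", tag


def sieve_folder(msg: Message) -> str:
    """Mirror of default.sieve: header :contains "X-Spam-Flag" "YES" -> Spam.
    Substring match, case-insensitive, checked against every instance of the header."""
    for value in msg.get_all("X-Spam-Flag", []):
        if "yes" in value.lower():
            return "Spam"
    return "INBOX"


def deliver(raw: str, rcpt: str) -> dict:
    """Where the LMTP delivery for `rcpt` would land: which mailbox, which folder."""
    msg = message_from_string(raw)
    mailbox, tag = canonical_mailbox(rcpt)
    return {"mailbox": mailbox, "tag": tag, "folder": sieve_folder(msg)}


# Constructed sample message, as spamassassin would have tagged it.
SPAM_MSG = """\
From: someone@example.net
To: alice+shop@domain1.com
Subject: constructed test message
X-Spam-Flag: YES
X-Spam-Status: Yes, score=8.2 required=5.0

hello
"""

HAM_MSG = """\
From: friend@example.net
To: alice@domain1.com
Subject: constructed test message
X-Spam-Status: No, score=-1.0 required=5.0

hello
"""

if __name__ == "__main__":
    print(deliver(SPAM_MSG, "alice+shop@domain1.com"))
    print(deliver(HAM_MSG, "alice@domain1.com"))
```

Because the tag survives delivery, users can hand out alice+shop@ style addresses and later write their own Sieve rules on the To header; the server-side rule above only looks at the spamassassin verdict.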

File "/etc/dovecot/conf.d/auth-sql.conf.ext"

passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
}

We specify the sql file for authentication.
And the file itself is used as the authentication method.

File "/etc/dovecot/dovecot-sql.conf.ext"

driver = mysql
connect = host=127.0.0.1 dbname=servermail user=usermail password=password
default_pass_scheme = SHA512-CRYPT
password_query = SELECT email as user, password FROM virtual_users WHERE email='%u';

This corresponds to the similar settings on the postfix side.

File "/etc/dovecot/dovecot.conf"

protocols = imap lmtp pop3
listen = *, ::
dict {
}
!include conf.d/*.conf
!include_try local.conf

Main configuration file.
The important thing we specify here is the list of enabled protocols.

======= SpamAssassin =======

apt-get install spamassassin spamc

Install the packages.

adduser spamd --disabled-login

Add a dedicated user for it.

systemctl enable spamassassin.service

We enable auto-start of the spamassassin service at boot.

File "/etc/default/spamassassin":

CRON=1

Automatic updating of the rules "by default".

File "/etc/spamassassin/local.cf":

report_safe 0

use_bayes          1
bayes_auto_learn   1
bayes_auto_expire  1
bayes_store_module Mail::SpamAssassin::BayesStore::MySQL
bayes_sql_dsn      DBI:mysql:sa:localhost:3306
bayes_sql_username sa
bayes_sql_password password

You need to create the database "sa" in mysql with the user "sa" and the password "password" (replace it with something adequate).

report_safe - this would send a report about the spam email instead of the message itself.
use_bayes is spamassassin's machine learning.

The remaining spamassassin steps were used earlier in the article.

General "spamassassin" setup.
About moving new spam emails into the IMAP "Spam" folder.
About the simple integration of Dovecot + SpamAssassin.
I recommend reading about training spamassassin when mail is moved between imap folders (and I do not recommend using it).

======= A request to the community =======

I would also like to throw an idea to the community about how to raise the security of transmitted mail, as far as I understand the essence of mail.

The idea is that a user could create a key pair on his client (outlook, thunderbird, browser plugin, ...). Public and private. Public - published in DNS. Private - kept on the client. Mail servers could then use the public key to send to a specific recipient.

And to protect against spam in such messages (yes, the mail server will not be able to see the contents) - you need to introduce 3 rules:

  1. A real DKIM signature is required, SPF is required, rDNS is required.
  2. A neural network on the subject of antispam training + a database for it on the client.
  3. The encryption algorithm must be such that the sending side spends 100 times more CPU power on encryption than the receiving side.

In addition to public messages, create a handshake message "to start a good correspondence". One user (mailbox) sends a message with an attachment to another mailbox. The message contains a text proposal to open a secure communication channel for the correspondence, plus the public key of the mailbox owner (with the private key kept on the client).

You could even make a separate key pair for each correspondence. The recipient can accept this request and send his own public key (also generated specifically for this correspondence). Next, the first user sends a control message (encrypted with the second user's public key) - on receiving it, the second user can consider the secure channel established. Next, the second user sends a control message - and then the first user can consider the secure channel established.

To protect against interception of the keys in transit, the protocol must provide the possibility of transferring at least one public key by flash drive.

And most importantly, so that it all works (the question being "who will pay for it?"):
A mail certificate starts at $10 for 3 years. It would let the mail server declare in dns that "my public keys are here". And it would give you the possibility to initiate a secure connection. At the same time, accepting such connections is free.
gmail finally monetizes its users. For $10 per 3 years - the right to establish secure communication.

======= Conclusion =======

To test the whole article, I was going to rent a dedicated server for a month and buy a domain with an SSL certificate.

But life circumstances turned out such that this matter dragged on for 2 months.
And so, when I had free time again, I decided to publish the article as is, rather than risk the publication dragging on for another year.

If there are many questions of the kind "but this is not explained in enough detail", then perhaps there will be the energy to take a dedicated server with a new domain and a new SSL certificate, describe it in more detail and, most importantly, identify all the important details that are missing.

I would also like feedback on the mail certificate idea. If you like the idea, I will try to find the energy to write a draft for an rfc.

When copying a large part of the article, provide a link to this article.
When translating into another language, provide a link to this article.
I will try to translate it into English myself and leave cross-references.


Source: www.hab.com
