Debian + Postfix + Dovecot + Multidomain + SSL + IPv6 + OpenVPN + Multi-interfaces + SpamAssassin-learn + Bind

This article is about how to set up a modern mail server.
Postfix + Dovecot. SPF + DKIM + rDNS. With IPv6.
With TLS encryption. With support for multiple domains, some of them with a real SSL certificate.
With anti-spam protection and a high anti-spam rating with other mail servers.
With support for multiple physical interfaces.
With OpenVPN, connecting over IPv4, which provides IPv6.

If you don't want to learn all these technologies, but want to set up such a server, then this article is for you.

The article does not try to explain every detail. The explanation covers what is configured in a non-standard way or what is important from the user's point of view.

The motivation to set up a mail server is a long-standing dream of mine. This may sound silly, but IMHO it is better than dreaming of a new car from your favourite brand.

There are two motivations for setting up IPv6. An IT specialist has to keep learning new technologies to survive. And I would like to make my small contribution to the fight against censorship.

The motivation for setting up OpenVPN is only to get working IPv6 on the local machine.
The motivation for setting up multiple physical interfaces is that my server has one interface that is "slow but unlimited" and another that is "fast but metered".

The motivation for setting up Bind is that my ISP provides an unstable DNS server, and Google's also goes down sometimes. I want a stable DNS server for personal use.

Motivation for writing the article: I wrote an article 10 months ago and have already looked it up twice. Even if the author needs it regularly, there is a high chance that others will need it too.

There is no universal solution for a mail server. But I will try to write something like "do this and that, and then, once everything works as it should, throw out the extra stuff."

The company tech.ru has a Colocation server. It can be compared with OVH, Hetzner, AWS. For solving this task, cooperation with tech.ru will be much more effective.

Debian 9 is installed on the server.

The server has two interfaces, 'eno2' and 'eno1'. The first is unlimited and the second is fast, respectively.

There are 3 static IP addresses: XX.XX.XX.X0, XX.XX.XX.X1 and XX.XX.XX.X2 on interface `eno1`, and XX.XX.XX.X5 on interface `eno2`.

There is an XXXX:XXX:XXX:XXX::/64 pool of IPv6 addresses assigned to interface `eno1`, and from it XXXX:XXX:XXXX:XXX:1:2::/96 was assigned to `eno2` at my request.

There are 3 domains: `domain1.com`, `domain2.com`, `domain3.com`. There are SSL certificates for `domain1.com` and `domain3.com`.

I have a Google account to which I want to link my mailbox `[email protected]` (receiving mail and sending mail directly from the gmail interface).
There must be a mailbox `[email protected]`, a copy of whose mail I want to see in my gmail. And occasionally be able to send something on behalf of `[email protected]` via the web interface.

There must be a mailbox `[email protected]`, which Ivanov will use on his iPhone.

Outgoing mail must comply with all modern anti-spam requirements.
There must be the highest level of encryption available on public networks.
There must be IPv6 support for sending and receiving mail.
There must be a SpamAssassin that never deletes mail. It either bounces a message, lets it through, or moves it to the "Spam" IMAP folder.
SpamAssassin auto-learning must be configured: if I move a message into the Spam folder, it learns from that; if I move a message out of the Spam folder, it learns from that. The result of SpamAssassin's training must affect whether a message ends up in the Spam folder.
PHP scripts must be able to send mail on behalf of any domain on the given server.
There must be an openvpn service, with the ability to use IPv6 on a client that has no IPv6.

First you need to configure the interfaces and routing, including IPv6.
Then you need to configure OpenVPN, which will connect over IPv4 and give the client a real IPv6 address. This client will have access to all IPv6 services on the server and to any IPv6 resource on the Internet.
Then you need to configure Postfix for sending mail + SPF + DKIM + rDNS and various other small things.
Then you need to configure Dovecot and set up Multidomain.
Then you need to configure SpamAssassin and set up training.
Finally, install Bind.

============ Multi-interfaces =============

To configure the interfaces, you need to write the following in "/etc/network/interfaces".

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eno1
iface eno1 inet static
        address XX.XX.XX.X0/24
        gateway XX.XX.XX.1
        dns-nameservers 127.0.0.1 213.248.1.6
        post-up ip route add XX.XX.XX.0/24 dev eno1 src XX.XX.XX.X0 table eno1t
        post-up ip route add default via XX.XX.XX.1 table eno1t
        post-up ip rule add table eno1t from XX.XX.XX.X0
        post-up ip rule add table eno1t to XX.XX.XX.X0

auto eno1:1
iface eno1:1 inet static
address XX.XX.XX.X1
netmask 255.255.255.0
        post-up ip rule add table eno1t from XX.XX.XX.X1
        post-up ip rule add table eno1t to XX.XX.XX.X1
        post-up   ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t
        post-down ip route del 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t

auto eno1:2
iface eno1:2 inet static
address XX.XX.XX.X2
netmask 255.255.255.0
        post-up ip rule add table eno1t from XX.XX.XX.X2
        post-up ip rule add table eno1t to XX.XX.XX.X2

iface eno1 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:1::/64
        gateway XXXX:XXXX:XXXX:XXXX::1
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:2/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:1:1:2/64 dev $IFACE

# The secondary network interface
allow-hotplug eno2
iface eno2 inet static
        address XX.XX.XX.X5
        netmask 255.255.255.0
        post-up   ip route add XX.XX.XX.0/24 dev eno2 src XX.XX.XX.X5 table eno2t
        post-up   ip route add default via XX.XX.XX.1 table eno2t
        post-up   ip rule add table eno2t from XX.XX.XX.X5
        post-up   ip rule add table eno2t to XX.XX.XX.X5
        post-up   ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X5 table eno2t
        post-down ip route del 10.8.0.0/24 dev tun0 src XX.XX.XX.X5 table eno2t

iface eno2 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:2::/96
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:2:1:1/64 dev $IFACE
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:2:1:2/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:2:1:1/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:2:1:2/64 dev $IFACE

# OpenVPN network
iface tun0 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:3::/80

These settings can be applied on any server at tech.ru (with a small adjustment agreed with support) and it will immediately work as it should.

If you have experience setting up similar things for Hetzner or OVH, it is different there. Good luck.

eno1 is the name of network card #1 (slow but unlimited).
eno2 is the name of network card #2 (fast but metered).
tun0 is the name of the virtual network card created by OpenVPN.
XX.XX.XX.X0 - IPv4 #1 on eno1.
XX.XX.XX.X1 - IPv4 #2 on eno1.
XX.XX.XX.X2 - IPv4 #3 on eno1.
XX.XX.XX.X5 - IPv4 #1 on eno2.
XX.XX.XX.1 - IPv4 gateway.
XXXX:XXX:XXX:XXX::/64 - IPv6 for the whole server.
XXXX:XXX:XXXX:XXX:1:2::/96 - IPv6 for eno2; everything else from outside goes to eno1.
XXXX:XXXX:XXXX:XXX::1 - IPv6 gateway (it should be noted that this can/should be done differently: specify the IPv6 of the switch).
dns-nameservers - 127.0.0.1 is specified (because bind is installed locally) and 213.248.1.6 (this one is from tech.ru).

"table eno1t" and "table eno2t" - the meaning of these routing rules is that traffic that came in via eno1 -> leaves via it, and traffic that came in via eno2 -> leaves via it. Also, connections initiated by the server go out via eno1.

ip route add default via XX.XX.XX.1 table eno1t

With this command we specify that any otherwise unrouted traffic that falls under a rule marked "table eno1t" -> is sent out through the eno1 interface.

ip route add XX.XX.XX.0/24 dev eno1 src XX.XX.XX.X0 table eno1t

With this command we specify that any traffic initiated by the server is directed to the eno1 interface.

ip rule add table eno1t from XX.XX.XX.X0
ip rule add table eno1t to XX.XX.XX.X0

With these commands we set the rules for marking traffic.

auto eno1:2
iface eno1:2 inet static
address XX.XX.XX.X2
netmask 255.255.255.0
        post-up ip rule add table eno1t from XX.XX.XX.X2
        post-up ip rule add table eno1t to XX.XX.XX.X2

This block defines the second IPv4 address for the eno1 interface.

ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t

With this command we set up a route from OpenVPN clients to the local IPv4 addresses other than XX.XX.XX.X0.
I still don't understand why this rule is enough for all IPv4 addresses.

iface eno1 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:1::/64
        gateway XXXX:XXXX:XXXX:XXXX::1

This is where we set the address of the interface itself. The server will use it as its "outgoing" address. It will not be used in any other way.

Why the complicated ":1:1::"? So that OpenVPN works correctly, and only for that. More on this later.

On the subject of the gateway - it works this way and that is fine. But the correct way is to specify here the IPv6 of the switch the server is connected to.

However, for some reason IPv6 stops working if I do that. This is probably some kind of tech.ru problem.

ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE

This adds an IPv6 address to the interface. If you need a hundred addresses, that means a hundred lines in this file.

iface eno1 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:1::/64
...
iface eno2 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:2::/96
...
iface tun0 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:3::/80

I have listed the addresses and subnets of all interfaces to make it clear.
eno1 - must be "/64" - because this is our entire pool of addresses.
tun0 - the subnet prefix must be larger (longer) than eno1's. Otherwise it will not be possible to configure the IPv6 gateway for OpenVPN clients.
eno2 - the subnet prefix must be larger (longer) than tun0's. Otherwise OpenVPN clients will not be able to reach the local IPv6 addresses.
For clarity I chose a subnet step of 16, but if you wish, you can use a step of "1".
Accordingly, 64+16 = 80, and 80+16 = 96.

For even more clarity:
XXXX:XXX:XXX:XXX:XXX:1:1:YYY:YYY is an address to be assigned to a site or service bound to the eno1 interface.
XXXX:XXX:XXX:XXX:XXX:1:2:YYY:YYY is an address to be assigned to a site or service bound to the eno2 interface.
XXXX:XXX:XXXX:XXX:1:3:YYY:YYY is an address to be assigned to OpenVPN clients or used as the address of an OpenVPN service.

To apply the network configuration, you could reboot the server.
IPv4 changes are picked up after running the following (be sure to wrap it in screen - otherwise this command will take down the network on the server):

/etc/init.d/networking restart

Add to the end of the file "/etc/iproute2/rt_tables":

100 eno1t
101 eno2t

Without this, you cannot use custom tables in the "/etc/network/interfaces" file.
The number must be unique and less than 65535.

IPv6 changes can easily be applied without a restart, but for that you need to learn at least three commands:

ip -6 addr ...
ip -6 route ...
ip -6 neigh ...

Setting up "/etc/sysctl.conf"

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward = 1

# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0

# For receiving ARP replies
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.default.arp_filter = 0

# For sending ARP
net.ipv4.conf.all.arp_announce = 0
net.ipv4.conf.default.arp_announce = 0

# Enable IPv6
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0

# IPv6 configuration
net.ipv6.conf.all.autoconf = 1
net.ipv6.conf.all.accept_ra = 0

# For OpenVPN
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.proxy_ndp = 1

# For nginx on boot
net.ipv6.ip_nonlocal_bind = 1

These are the "sysctl" settings of my server. Let me point out what matters.

net.ipv4.ip_forward = 1

Without this, OpenVPN will not work at all.

net.ipv6.ip_nonlocal_bind = 1

Anything that tries to bind to an IPv6 address (for example nginx) right after the interface comes up gets an error: that the address does not exist.

To avoid that situation, this setting is made.

net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.proxy_ndp = 1

Without these IPv6 settings, traffic from the OpenVPN client does not go out into the world.

The other settings are either not important or I don't remember what they are for.
But I leave them "as is".

To apply the changes in this file without restarting the server, you need to run the command:

sysctl -p

More details on the "table" rules: habr.com/post/108690

============ OpenVPN =============

OpenVPN IPv4 does not work without iptables.

My iptables for the VPN look like this:

iptables -A INPUT -p udp -s YY.YY.YY.YY --dport 1194 -j ACCEPT
iptables -A FORWARD -i tun0 -o eno1 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j SNAT --to-source XX.XX.XX.X0
##iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j DROP
iptables -A FORWARD -p udp --dport 1194 -j DROP

YY.YY.YY.YY is the static IPv4 address of my local machine.
10.8.0.0/24 - the IPv4 openvpn network. IPv4 addresses for openvpn clients.
The order of the rules matters.

iptables -A INPUT -p udp -s YY.YY.YY.YY --dport 1194 -j ACCEPT
iptables -A FORWARD -i tun0 -o eno1 -j ACCEPT
...
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j DROP
iptables -A FORWARD -p udp --dport 1194 -j DROP

This is a restriction so that only I can use OpenVPN, from my static IP.

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j SNAT --to-source XX.XX.XX.X0
  -- or --
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j MASQUERADE

To pass IPv4 packets between OpenVPN clients and the Internet, you need to register one of these rules.

For different cases one of the options will not fit.
Both rules are suitable for my case.
After reading the documentation, I chose the first option because it uses less CPU.

For all iptables settings to be picked up after a reboot, you need to save them somewhere.

iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

These names are not chosen by chance. They are used by the "iptables-persistent" package.

apt-get install iptables-persistent

Install the main OpenVPN packages:

apt-get install openvpn easy-rsa

Let's set up a template for certificates (substitute your own values):

make-cadir ~/openvpn-ca
cd ~/openvpn-ca
ln -s openssl-1.0.0.cnf openssl.cnf

Let's edit the certificate template settings:

mcedit vars

...
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="RU"
export KEY_PROVINCE="Krasnodar"
export KEY_CITY="Dinskaya"
export KEY_ORG="Own"
export KEY_EMAIL="[email protected]"
export KEY_OU="VPN"

# X509 Subject Field
export KEY_NAME="server"
...

Create the server certificate:

cd ~/openvpn-ca
source vars
./clean-all
./build-ca
./build-key-server server
./build-dh
openvpn --genkey --secret keys/ta.key

Let's prepare for creating the final "client-name.ovpn" file:

mkdir -p ~/client-configs/files
chmod 700 ~/client-configs/files
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
mcedit ~/client-configs/base.conf

# Client mode
client

# Interface tunnel type
dev tun

# TCP protocol
proto tcp-client

# Address/Port of VPN server
remote XX.XX.XX.X0 1194

# Don't bind to local port/address
nobind

# Don't need to re-read keys and re-create tun at restart
persist-key
persist-tun

# Remote peer must have a signed certificate
remote-cert-tls server
ns-cert-type server

# Enable compression
comp-lzo

# Custom
ns-cert-type server
tls-auth ta.key 1
cipher DES-EDE3-CBC

Let's prepare a script that will combine all the files into a single ovpn file.

mcedit ~/client-configs/make_config.sh
chmod 700 ~/client-configs/make_config.sh

#!/bin/bash

# First argument: Client identifier

KEY_DIR=~/openvpn-ca/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

# Concatenate the base config with the CA cert, the client's cert and key,
# and the tls-auth key, wrapped in the inline tags OpenVPN understands.
cat ${BASE_CONFIG} \
    <(echo -e '<ca>') \
    ${KEY_DIR}/ca.crt \
    <(echo -e '</ca>\n<cert>') \
    ${KEY_DIR}/${1}.crt \
    <(echo -e '</cert>\n<key>') \
    ${KEY_DIR}/${1}.key \
    <(echo -e '</key>\n<tls-auth>') \
    ${KEY_DIR}/ta.key \
    <(echo -e '</tls-auth>') \
    > ${OUTPUT_DIR}/${1}.ovpn

Create the first OpenVPN client:

cd ~/openvpn-ca
source vars
./build-key client-name
cd ~/client-configs
./make_config.sh client-name

The file "~/client-configs/files/client-name.ovpn" is sent to the client device.

For iOS clients you need to do this trick:
The contents of the "tls-auth" tag must contain no comments.
And also put "key-direction 1" directly before the "tls-auth" tag.

Let's configure the OpenVPN server settings:

cd ~/openvpn-ca/keys
cp ca.crt ca.key server.crt server.key ta.key dh2048.pem /etc/openvpn
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | tee /etc/openvpn/server.conf
mcedit /etc/openvpn/server.conf

# Listen port
port 1194

# Protocol
proto tcp-server

# IP tunnel
dev tun0
tun-ipv6
push tun-ipv6

# Master certificate
ca ca.crt

# Server certificate
cert server.crt

# Server private key
key server.key

# Diffie-Hellman parameters
dh dh2048.pem

# Allow clients to communicate with each other
client-to-client

# Client config dir
client-config-dir /etc/openvpn/ccd

# Run client-specific script on connection and disconnection
script-security 2
client-connect "/usr/bin/sudo -u root /etc/openvpn/server-clientconnect.sh"
client-disconnect "/usr/bin/sudo -u root /etc/openvpn/server-clientdisconnect.sh"

# Server mode and client subnets
server 10.8.0.0 255.255.255.0
server-ipv6 XXXX:XXXX:XXXX:XXXX:1:3::/80
topology subnet

# IPv6 routes
push "route-ipv6 XXXX:XXXX:XXXX:XXXX::/64"
push "route-ipv6 2000::/3"

# DNS (for Windows)
# These are OpenDNS
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

# Configure all clients to redirect their default network gateway through the VPN
push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway ipv6" #For iOS

# Don't need to re-read keys and re-create tun at restart
persist-key
persist-tun

# Ping every 10s. Timeout of 120s.
keepalive 10 120

# Enable compression
comp-lzo

# User and group
user vpn
group vpn

# Log a short status
status openvpn-status.log

# Logging verbosity
##verb 4

# Custom config
tls-auth ta.key 0
cipher DES-EDE3-CBC

This is needed to set a static address for each client (not required, but I use it):

# Client config dir
client-config-dir /etc/openvpn/ccd

The most difficult and key point.

Unfortunately, OpenVPN does not yet know how to configure the IPv6 gateway for clients on its own.
You have to pass this on "by hand" for each client.

# Run client-specific script on connection and disconnection
script-security 2
client-connect "/usr/bin/sudo -u root /etc/openvpn/server-clientconnect.sh"
client-disconnect "/usr/bin/sudo -u root /etc/openvpn/server-clientdisconnect.sh"

File "/etc/openvpn/server-clientconnect.sh":

#!/bin/sh

# Check client variables
if [ -z "$ifconfig_pool_remote_ip" ] || [ -z "$common_name" ]; then
        echo "Missing environment variable."
        exit 1
fi

# Load server variables
. /etc/openvpn/variables

ipv6=""

# Find out if there is a specific config with fixed IPv6 for this client
if [ -f "/etc/openvpn/ccd/$common_name" ]; then
        # Get fixed IPv6 from client config file
        ipv6=$(sed -nr 's/^.*ifconfig-ipv6-push[ \t]+([0-9a-fA-F:]+).*$/\1/p' "/etc/openvpn/ccd/$common_name")
        echo $ipv6
fi

# Get IPv6 from IPv4
if [ -z "$ipv6" ]; then
        ipp=$(echo "$ifconfig_pool_remote_ip" | cut -d. -f4)
        if ! [ "$ipp" -ge 2 -a "$ipp" -le 254 ] 2>/dev/null; then
                echo "Invalid IPv4 part."
                exit 1
        fi
        hexipp=$(printf '%x' $ipp)
        ipv6="$prefix$hexipp"
fi

# Create proxy rule
/sbin/ip -6 neigh add proxy $ipv6 dev eno1

File "/etc/openvpn/server-clientdisconnect.sh":

#!/bin/sh

# Check client variables
if [ -z "$ifconfig_pool_remote_ip" ] || [ -z "$common_name" ]; then
        echo "Missing environment variable."
        exit 1
fi

# Load server variables
. /etc/openvpn/variables

ipv6=""

# Find out if there is a specific config with fixed IPv6 for this client
if [ -f "/etc/openvpn/ccd/$common_name" ]; then
        # Get fixed IPv6 from client config file
        ipv6=$(sed -nr 's/^.*ifconfig-ipv6-push[ \t]+([0-9a-fA-F:]+).*$/\1/p' "/etc/openvpn/ccd/$common_name")
fi

# Get IPv6 from IPv4
if [ -z "$ipv6" ]; then
        ipp=$(echo "$ifconfig_pool_remote_ip" | cut -d. -f4)
        if ! [ "$ipp" -ge 2 -a "$ipp" -le 254 ] 2>/dev/null; then
                echo "Invalid IPv4 part."
                exit 1
        fi
        hexipp=$(printf '%x' $ipp)
        ipv6="$prefix$hexipp"
fi

# Delete proxy rule
/sbin/ip -6 neigh del proxy $ipv6 dev eno1

Both scripts use the file "/etc/openvpn/variables":

# Subnet
prefix=XXXX:XXXX:XXXX:XXXX:2:
# netmask
prefixlen=112

It is hard for me to remember why it was written this way.

Now netmask = 112 looks strange (it should be 96 there).
And the prefix is strange; it does not match the tun0 network.
But it works, so I'll leave it as is.
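Added example, not from the original post: a Python check of the address plan described earlier (eno1 /64, tun0 /80, eno2 /96) and of the address derivation that server-clientconnect.sh performs from the "variables" file. It assumes the constructed documentation prefix 2001:db8:0:1::/64 in place of the post's XXXX pool; the function names are mine.

```python
# Added example (not part of the original post). The post's XXXX pool is
# replaced by the constructed documentation prefix 2001:db8:0:1::/64.
import ipaddress

# Constructed stand-ins for the three subnets laid out in the post.
ENO1_POOL = "2001:db8:0:1::/64"       # the whole pool, on eno1
TUN0_POOL = "2001:db8:0:1:1:3::/80"   # server-ipv6 pool for OpenVPN clients
ENO2_POOL = "2001:db8:0:1:1:2::/96"   # the part handed to eno2


def _net(spec):
    # strict=False: the post writes the pools as the address on the interface
    # (...:1:3::/80), not as the zeroed network, so host bits may be set.
    return ipaddress.IPv6Network(spec, strict=False)


def plan_is_consistent(eno1, tun0, eno2):
    """The constraints the post states: tun0 and eno2 lie inside the eno1
    pool, tun0 has a longer prefix than eno1, and eno2 a longer one than tun0
    (64 < 80 < 96 here)."""
    n1, n2, n3 = _net(eno1), _net(tun0), _net(eno2)
    return (n2.subnet_of(n1) and n3.subnet_of(n1)
            and n1.prefixlen < n2.prefixlen < n3.prefixlen)


def derive_client_ipv6(prefix, pool_ipv4):
    """Mirror server-clientconnect.sh: take the last octet of the client's
    IPv4 pool address, require 2..254, render it as hex and append it to
    $prefix. Returns (address string, 'ok') or (None, reason)."""
    parts = pool_ipv4.split(".")
    if len(parts) != 4 or not parts[3].isdigit() or not 2 <= int(parts[3]) <= 254:
        return None, "Invalid IPv4 part."      # same message the script prints
    candidate = prefix + format(int(parts[3]), "x")
    try:
        return str(ipaddress.IPv6Address(candidate)), "ok"
    except ipaddress.AddressValueError:
        # A prefix written like 'XXXX:XXXX:XXXX:XXXX:2:' (no '::') plus a hex
        # suffix has too few groups to be a complete address.
        return None, "%r is not an IPv6 address" % candidate


def proxy_entry_matches_pool(prefix, pool_ipv4, tun0):
    """The 'ip -6 neigh add proxy' entry only helps if the derived address is
    one a client can actually hold, i.e. inside the server-ipv6 pool."""
    addr, _ = derive_client_ipv6(prefix, pool_ipv4)
    return addr is not None and ipaddress.IPv6Address(addr) in _net(tun0)


if __name__ == "__main__":
    print("plan consistent:", plan_is_consistent(ENO1_POOL, TUN0_POOL, ENO2_POOL))
    for prefix in ("2001:db8:0:1:1:3::", "2001:db8:0:1:2::", "2001:db8:0:1:2:"):
        print(prefix, derive_client_ipv6(prefix, "10.8.0.10"),
              proxy_entry_matches_pool(prefix, "10.8.0.10", TUN0_POOL))
```

The last two prefixes reproduce the mismatch the post itself notes: one derives an address outside the tun0 pool, the other does not form an address at all.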

cipher DES-EDE3-CBC

This is not for everyone - I chose this method to encrypt the connection.

Learn more about setting up OpenVPN IPv4.

Learn more about setting up OpenVPN IPv6.

============ Postfix =============

Install the main package:

apt-get install postfix

During installation, select "Internet site".

My "/etc/postfix/main.cf" looks like this:

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtp_bind_address = XX.XX.XX.X0
smtp_bind_address6 = XXXX:XXXX:XXXX:XXXX:1:1:1:1

smtp_tls_security_level = may
smtp_tls_ciphers = export
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_loglevel = 1

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = domain1.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = domain1.com
mydestination = localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4

internal_mail_filter_classes = bounce

# Storage type
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf

# SMTP-Auth settings
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        #reject_invalid_hostname,
        #reject_unknown_recipient_domain,
        reject_unauth_destination,
        reject_rbl_client sbl.spamhaus.org,
        check_policy_service unix:private/policyd-spf

smtpd_helo_restrictions =
        #reject_invalid_helo_hostname,
        #reject_non_fqdn_helo_hostname,
        reject_unknown_helo_hostname

smtpd_client_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_helo_hostname,
        permit

# SPF
policyd-spf_time_limit = 3600

# OpenDKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:var/run/opendkim/opendkim.sock

# IP address per domain
sender_dependent_default_transport_maps = pcre:/etc/postfix/sdd_transport.pcre

Let's look at the details of this configuration.

smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key

According to Habr users, this block contains "misinformation and wrong theses." Only 8 years after the start of my career did I begin to understand how SSL works.

Therefore, I'll allow myself to describe how SSL is used (without answering the questions "How does it work?" and "Why does it work?").

The basis of modern encryption is the creation of a key pair (two very long strings of characters).

One "key" is private, the other "key" is public. We guard the private key very carefully. We hand the public key out to everyone.

Using the public key, you can encrypt a text string so that only the owner of the private key can decrypt it.
Well, that's the whole basis of the technology.

Step #1 - https sites.
When visiting a site, the browser learns from the web server that the site is https and requests the public key.
The web server hands over the public key. The browser encrypts the http-request with the public key and sends it.
The contents of the http-request can be read only by those who have the private key, that is, only by the server that received the request.
The http-request contains at least a URI. Therefore, if a country tries to block access not to an entire site but to an individual page, this cannot be done for https sites.

Step #2 - encrypted response.
The web server gives an answer that can easily be read in transit.
The solution is extremely simple - the browser locally generates the same kind of private-public key pair for each https site.
And along with the request for the site's public key, it sends its own local public key.
The web server remembers it and, when sending the http-response, encrypts it with the public key of that particular client.
Now the http-response can be decrypted only by the owner of the private key of the client's browser (that is, the client himself).

Step #3 - establishing a secure connection over a public channel.
There is a weakness in example No. 2 - nothing prevents ill-wishers from getting into the http-request and editing the public key information.
Thus the man in the middle will clearly see the entire contents of all sent and received messages until the communication channel changes.
Countering this is quite simple - just send the browser's public key as a message encrypted with the web server's public key.
The web server first sends a response like "your public key is such-and-such" and encrypts this message with that same public key.
The browser looks at the response - if the message "your public key is such-and-such" is received - then this is a 100% guarantee that this communication channel is secure.
How secure is it?
The creation of such a secure communication channel takes ping*2. For example 20ms.
An attacker must have the private key of one of the parties in advance. Or find the private key within a few minutes.
Cracking one modern private key will take decades on a supercomputer.

Step #4 - public database of public keys.
Obviously, in this whole story there is an opportunity for an attacker to sit on the communication channel between the client and the server.
He can pretend to be the server to the client and the client to the server. And emulate a key pair on both sides.
Then the attacker will see all the traffic and will be able to "edit" the traffic.
For example, change the address to send money to, or copy the password for online banking, or block "objectionable" content.
To combat such attackers, a public database with the public keys of every https site was invented.
Each browser "knows" about the existence of about 200 such databases. This comes pre-installed in every browser.
The "knowledge" is the public key of each certificate authority. That is, the connection to each specific certificate authority cannot be faked.

Now there is a simple understanding of how SSL is used for https.
If you use your brain, it becomes clear how the special services could break something in this structure. But it would cost them enormous effort.
And for organisations smaller than the NSA or CIA, breaking the existing level of protection is almost impossible, even for VIPs.

I'll also add a word about ssh connections. There are no public keys there, so what to do? The issue is solved in two ways.
Option ssh-by-password:
On the first connection, the ssh client should warn that we have a new public key from the ssh server.
And on subsequent connections, if the warning "new public key from the ssh server" appears, it means someone is trying to eavesdrop on you.
Or you were eavesdropped on during your first connection, and now you are talking to the server without intermediaries.
Actually, because the fact of wiretapping is revealed easily, quickly and without effort, this attack is used only in special cases against a specific client.

Option ssh-by-key:
We take a flash drive and write the private key for the ssh server onto it (there are terms and many important nuances for this, but I am writing an educational piece, not a manual).
We leave the public key on the machine where the ssh client will be, and we also keep it secret.
We carry the flash drive to the server, insert it, copy the private key, then burn the flash drive and scatter the ashes in the wind (or at least zero it out).
That's all - after such an operation it will be impossible to break into such an ssh connection. Of course, in 10 years it will be possible to view the traffic on a supercomputer - but that's a different story.

I apologise for the off-topic.

So, now the theory is known. I'll tell you how SSL certificates are created.

Using "openssl genrsa" we create a private key and a "blank" for the public key.
We send the "blank" to a third-party company, which we pay about $9 for the simplest certificate.

After a few hours, we receive our "public" key and several public keys from this third-party company.

Why a third-party company should be paid for registering my public key is a separate question; we will not consider it here.

Now it is clear what this entry means:

smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key

The "/etc/ssl" folder contains all files related to ssl.
domain1.com - the domain name.
2018 is the year the key was created.
"key" - a designation that the file is a private key.

And what this file means:

smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
domain1.com - the domain name.
2018 is the year the key was created.
chained - a designation that there is a chain of public keys (the first is our public key and the rest are those that came from the company that issued the public key).
crt - a designation that this is a ready certificate (a public key with technical explanations).

smtp_bind_address = XX.XX.XX.X0
smtp_bind_address6 = XXXX:XXXX:XXXX:XXXX:1:1:1:1

This setting is not used in this case, but it is written here as an example.

Because a mistake in this parameter will lead to spam being sent through your server (without your will).

Then prove to everyone that you are not to blame.

recipient_delimiter = +

Many people may not know this, but it is the standard for quality Internet mail, and most modern mail servers support it.

For example, if you have the mailbox `[email protected]`, try sending to `[email protected]` - and see what happens.

inet_protocols = ipv4

This may be confusing.

But it is not really so. Every new domain is IPv4-only by default; then I enable IPv6 for each one separately.

virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf

Here we specify that all incoming mail for our virtual domains is handed to Dovecot over LMTP.
And that the rules for domains, mailboxes and aliases are looked up in the database (the three files below). These files contain the database password, so keep them readable only by root and the postfix group: chown root:postfix, chmod 0640.

/etc/postfix/mysql-virtual-mailbox-domains.cf

user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT 1 FROM virtual_domains WHERE name='%s'

/etc/postfix/mysql-virtual-mailbox-maps.cf

user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT 1 FROM virtual_users WHERE email='%s'

/etc/postfix/mysql-virtual-alias-maps.cf

user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT destination FROM virtual_aliases WHERE source='%s'

# SMTP-Auth settings
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

Now Postfix knows that it may accept mail for relaying onwards only from clients that have authenticated through Dovecot (the SASL socket private/auth).

I do not quite understand why this is duplicated here. We have already specified everything needed in "virtual_transport".

But the Postfix system is very old; probably this is a leftover from ancient times.

smtpd_recipient_restrictions =
        ...

smtpd_helo_restrictions =
        ...

smtpd_client_restrictions =
        ...

These can be configured differently for each mail server.

I have 3 mail servers under my care, and these settings differ a lot on each because of different requirements.

You need to configure this carefully, otherwise spam will come in to you or, worse, spam will go out from you.

# SPF
policyd-spf_time_limit = 3600

This configures the plugin that checks the SPF of incoming mail: the value raises the lifetime of the policyd-spf process spawned from master.cf (the default limit is too short for a long-running policy daemon); the check itself is wired in through master.cf and smtpd_recipient_restrictions.

# OpenDKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:var/run/opendkim/opendkim.sock

With these settings Postfix passes every message (from SMTP and from local submission via sendmail) through the OpenDKIM milter, which signs outgoing mail with our DKIM key. Note that milter_default_action = accept means that if OpenDKIM is down, mail still flows but leaves unsigned, so watch the log for milter connection warnings.

# IP address per domain
sender_dependent_default_transport_maps = pcre:/etc/postfix/sdd_transport.pcre

This is an important detail for routing mail when it is sent from a PHP script.

The file "/etc/postfix/sdd_transport.pcre":

/^[email protected]$/ domain1:
/^[email protected]$/ domain2:
/^[email protected]$/ domain3:
/@domain1.com$/             domain1:
/@domain2.com$/             domain2:
/@domain3.com$/             domain3:

On the left is a regular expression. On the right is the transport label.
Postfix follows the label, so you can keep several configuration lines for one message; the lookup stops at the first regular expression that matches, so the specific addresses go before the domain patterns.

How to configure Postfix for exactly one label is shown in "master.cf".

Lines 4, 5, 6 are the main ones. Based on the domain we send the message from, we attach the label to it.
But the "From" field is not always set in PHP scripts with old code. Then the user name comes to the rescue: Postfix matches the envelope sender, and when a script does not set one, that is the Unix user the script runs as (lines 1, 2, 3).

This article is already long; I do not want to get distracted by setting up nginx+fpm.

In short, for each site we create its own Linux user. And therefore its own fpm pool.

An fpm pool can use any PHP version (it is convenient that on one server you can use different PHP versions and even different php.ini files for neighbouring sites without problems).

So a certain Linux user "www-domain2" has the website domain2.com. This site has code that sends mail without setting the From field.

Even so, these messages will be sent from the correct address and will not end up in spam because of the wrong sending address.

My "/etc/postfix/master.cf" looks like this:

...
smtp      inet  n       -       y       -       -       smtpd
  -o content_filter=spamassassin
...
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
...
policyd-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/bin/policyd-spf

spamassassin unix -     n       n       -       -       pipe
    user=spamd argv=/usr/bin/spamc -f -e
    /usr/sbin/sendmail -oi -f ${sender} ${recipient}
...
domain1  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X1
   -o smtp_helo_name=domain1.com
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:1:1
   -o syslog_name=postfix-domain1

domain2  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X5
   -o smtp_helo_name=domain2.com
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:2:1:1
   -o syslog_name=postfix-domain2

domain3  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X2
   -o smtp_helo_name=domain3.com
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:5:1
   -o syslog_name=postfix-domain3

The file is not given in full; it is already very big.
Only what I changed.

smtp      inet  n       -       y       -       -       smtpd
  -o content_filter=spamassassin
...
spamassassin unix -     n       n       -       -       pipe
    user=spamd argv=/usr/bin/spamc -f -e
    /usr/sbin/sendmail -oi -f ${sender} ${recipient}

These are the settings related to SpamAssassin; more about that later.

submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

This lets clients connect to the mail server on port 587 (submission). TLS is mandatory there (smtpd_tls_security_level=encrypt), and only authenticated clients are accepted; everything else is rejected.

policyd-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/bin/policyd-spf

Enable the SPF check.

apt-get install postfix-policyd-spf-python

Install the package for the SPF check above.

domain1  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X1
   -o smtp_helo_name=domain1.com
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:1:1
   -o syslog_name=postfix-domain1

And this is the most interesting part. This is the ability to send mail for a given domain from the given IPv4/IPv6 addresses.

This is done because of rDNS. rDNS is the procedure of obtaining a name from an IP address (the PTR record).
For mail, this feature is used to confirm that the HELO name matches exactly the rDNS of the address the message is sent from.

If the HELO does not match the mail domain in the sender's address, spam points are added.

If the HELO does not match the rDNS, a lot of spam points are added.
Therefore each domain must have its own IP address, and the HELO name must be the fully qualified name that the PTR record returns (domain1.com, not a bare label).
For OVH, rDNS can be set in the control panel.
For tech.ru, the problem is solved through support.
For AWS, the problem is solved through support.
"inet_protocols" and "smtp_bind_address6" enable IPv6 support.
For IPv6 you also have to register rDNS.
"syslog_name" makes the logs easier to read.

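A check for the per-domain routing just described, added here as an example and not taken from the original article. It parses a master.cf fragment and an sdd_transport.pcre map (both constructed inline, with documentation addresses 192.0.2.x and 2001:db8:: in place of the XX placeholders) and reports the mistakes the rDNS rule punishes: a transport referenced in the map but missing from master.cf, a transport with no smtp_bind_address, and a HELO name that is not a fully qualified domain name. The sample deliberately contains a bare "domain3" HELO and a map entry for an undefined domain4 transport.

```shell
#!/bin/sh
# Added example (not from the original article): lint the per-domain sender routing.
# Inputs are constructed copies of the article's layout with documentation addresses
# (192.0.2.x, 2001:db8::) in place of the XX placeholders. The domain3 HELO is left
# deliberately unqualified and the map references a transport (domain4) that
# master.cf does not define.

SAMPLE_MASTER_CF='
domain1  unix -       -       n       -       -       smtp
   -o smtp_bind_address=192.0.2.1
   -o smtp_helo_name=domain1.com
   -o inet_protocols=all
   -o smtp_bind_address6=2001:db8::1:1:1:1
domain2  unix -       -       n       -       -       smtp
   -o smtp_bind_address=192.0.2.5
   -o smtp_helo_name=domain2.com
domain3  unix -       -       n       -       -       smtp
   -o smtp_bind_address=192.0.2.2
   -o smtp_helo_name=domain3
'
SAMPLE_SDD_PCRE='
/^www-domain1@/   domain1:
/@domain1.com$/   domain1:
/@domain2.com$/   domain2:
/@domain3.com$/   domain3:
/@domain4.com$/   domain4:
'

# lint_transports MASTER_CF_TEXT PCRE_TEXT -> one finding per line on stdout;
# returns 0 when there is nothing to report, 1 otherwise.
lint_transports() {
    master=$1
    pcre=$2
    # Flatten master.cf into "transport key=value" lines: an entry starts at column 0
    # with the service name; indented "-o key=value" lines belong to that entry.
    opts=$(printf '%s\n' "$master" | awk '
        /^[^ \t#]/ { name = $1; print name, "service=" $8; next }
        /^[ \t]+-o[ \t]+[^=]+=/ { sub(/^[ \t]+-o[ \t]+/, ""); print name, $0 }')
    findings=0
    # Every transport named on the right-hand side of the pcre map ("domainN:") ...
    for t in $(printf '%s\n' "$pcre" | awk 'NF == 2 { sub(/:$/, "", $2); print $2 }' | sort -u); do
        if ! printf '%s\n' "$opts" | grep -q "^$t service="; then
            echo "$t: referenced in sdd_transport.pcre but not defined in master.cf"
            findings=1
            continue
        fi
        bind=$(printf '%s\n' "$opts" | awk -v t="$t" '$1 == t && $2 ~ /^smtp_bind_address=/ { sub(/^[^=]*=/, "", $2); print $2 }')
        helo=$(printf '%s\n' "$opts" | awk -v t="$t" '$1 == t && $2 ~ /^smtp_helo_name=/ { sub(/^[^=]*=/, "", $2); print $2 }')
        if [ -z "$bind" ]; then
            echo "$t: no smtp_bind_address (mail would leave from the default address, whose rDNS is another domain)"
            findings=1
        fi
        case $helo in
            "")  echo "$t: no smtp_helo_name"; findings=1 ;;
            *.*) ;;   # contains a dot: looks like a fully qualified name
            *)   echo "$t: smtp_helo_name '$helo' is not fully qualified and can never match a PTR record"; findings=1 ;;
        esac
    done
    return $findings
}

# Run on the sample: exits 1 and lists the domain3 and domain4 problems.
lint_transports "$SAMPLE_MASTER_CF" "$SAMPLE_SDD_PCRE" || echo "fix the findings above before restarting Postfix"
```

On a live server the same questions are answered by "postconf -M" (lists the master.cf services with their -o overrides) and "postmap -q sender@domain2.com pcre:/etc/postfix/sdd_transport.pcre" (shows which transport a given envelope sender gets); the HELO/PTR pair itself is then verified with "dig -x" on each bind address.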
I recommend buying a certificate here.

Setting up the Postfix+Dovecot bundle here.

Setting up SPF.

============ Dovecot =============

apt-get install dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-mysql dovecot-antispam

Install the packages; MySQL setup and package installation are done separately.

File "/etc/dovecot/conf.d/10-auth.conf"

disable_plaintext_auth = yes
auth_mechanisms = plain login

Authentication only over an encrypted connection: PLAIN and LOGIN transmit the password as-is, so with disable_plaintext_auth = yes Dovecot rejects them until TLS is up (connections from localhost excepted).

File "/etc/dovecot/conf.d/10-mail.conf"

mail_location = maildir:/var/mail/vhosts/%d/%n

Here we specify the storage location for mail.

I want it stored in files and grouped by domain (Maildir format, one directory per domain and one per user inside it).

File "/etc/dovecot/conf.d/10-master.conf"

service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    address = XX.XX.XX.X1, XX.XX.XX.X2, XX.XX.XX.X5, [XXXX:XXXX:XXXX:XXXX:1:1:1:1], [XXXX:XXXX:XXXX:XXXX:1:2:1:1], [XXXX:XXXX:XXXX:XXXX:1:1:5:1]
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    address = XX.XX.XX.X1, XX.XX.XX.X2, XX.XX.XX.X5, [XXXX:XXXX:XXXX:XXXX:1:1:1:1], [XXXX:XXXX:XXXX:XXXX:1:2:1:1], [XXXX:XXXX:XXXX:XXXX:1:1:5:1]
    port = 995
    ssl = yes
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
service imap {
}
service pop3 {
}
service auth {
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }

  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
  user = dovecot
}
service auth-worker {
  user = vmail
}
service dict {
  unix_listener dict {
  }
}

This is the main Dovecot configuration file.
Here we disable the unencrypted listeners (port = 0 for imap and pop3)
and enable only the encrypted ones (IMAPS on 993, POP3S on 995) on the listed addresses. The LMTP and SASL auth sockets are placed inside the Postfix queue directory so that Postfix can reach them.

File "/etc/dovecot/conf.d/10-ssl.conf"

ssl = required
ssl_cert = </etc/nginx/ssl/domain1.com.2018.chained.crt
ssl_key = </etc/nginx/ssl/domain1.com.2018.key
local XX.XX.XX.X5 {
  ssl_cert = </etc/nginx/ssl/domain2.com.2018.chained.crt
  ssl_key =  </etc/nginx/ssl/domain2.com.2018.key
}

SSL setup. We state that SSL is required.
And the certificate itself. An important detail is the "local" directive: it specifies which SSL certificate to use when a client connects to a particular local IPv4 address. Dovecot reads the key as root at startup, so the key file can stay readable by root only.

By the way, IPv6 is not configured here; I will fix this later.
XX.XX.XX.X5 (domain2): no certificate. To connect, clients have to specify domain1.com.
XX.XX.XX.X2 (domain3): there is a certificate; clients can specify either domain1.com or domain3.com to connect.

File "/etc/dovecot/conf.d/15-lda.conf"

protocol lda {
  mail_plugins = $mail_plugins sieve
}

This will be needed later for SpamAssassin (the sieve rule that files spam into the Spam folder).

File "/etc/dovecot/conf.d/20-imap.conf"

protocol imap {
  mail_plugins = $mail_plugins antispam
}

This is the antispam plugin. It is needed to train SpamAssassin when messages are moved to or from the "Spam" folder.

File "/etc/dovecot/conf.d/20-pop3.conf"

protocol pop3 {
}

Such a file exists (and is left empty).

File "/etc/dovecot/conf.d/20-lmtp.conf"

protocol lmtp {
  mail_plugins = $mail_plugins sieve
  postmaster_address = [email protected]
}

LMTP setup: the sieve plugin runs on delivery, and bounces generated by Dovecot are sent from postmaster_address.

File "/etc/dovecot/conf.d/90-antispam.conf"

plugin {
  antispam_backend = pipe
  antispam_trash = Trash;trash
  antispam_spam = Junk;Spam;SPAM
  antispam_pipe_program_spam_arg = --spam
  antispam_pipe_program_notspam_arg = --ham
  antispam_pipe_program = /usr/bin/sa-learn
  antispam_pipe_program_args = --username=%Lu
}

Settings for training SpamAssassin when moving messages to or from the spam folder: the plugin pipes the message to sa-learn with --spam or --ham, and --username=%Lu passes the lowercased login name so that each user trains their own Bayes data.

File "/etc/dovecot/conf.d/90-sieve.conf"

plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_after = /var/lib/dovecot/sieve/default.sieve
}

This file defines what is done with incoming messages: the user's own script in ~/.dovecot.sieve runs first, then the global sieve_after script.

File "/var/lib/dovecot/sieve/default.sieve"

require ["fileinto", "mailbox"];

if header :contains "X-Spam-Flag" "YES" {
        fileinto :create "Spam";
}

The file must be compiled: "sievec default.sieve" (run it again after every change; Dovecot uses the compiled .svbin).

File "/etc/dovecot/conf.d/auth-sql.conf.ext"

passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
}

This specifies the SQL file used for authentication (passdb).
The userdb is static: every virtual user is mapped to the system user vmail, with the home directory derived from the domain and login name, matching mail_location above.

File "/etc/dovecot/dovecot-sql.conf.ext"

driver = mysql
connect = host=127.0.0.1 dbname=servermail user=usermail password=password
default_pass_scheme = SHA512-CRYPT
password_query = SELECT email as user, password FROM virtual_users WHERE email='%u';

This matches the similar settings for Postfix: same database, same table. The password column must hold SHA512-CRYPT hashes (or another scheme given with an explicit {SCHEME} prefix), never plain text.

File "/etc/dovecot/dovecot.conf"

protocols = imap lmtp pop3
listen = *, ::
dict {
}
!include conf.d/*.conf
!include_try local.conf

The main configuration file.
The important thing is that here we list the enabled protocols.

=========== SpamAssassin =============

apt-get install spamassassin spamc

Install the packages.

adduser spamd --disabled-login

Create a user for it, without a login shell.

systemctl enable spamassassin.service

Make the spamassassin service start at boot.

File "/etc/default/spamassassin":

CRON=1

This enables the automatic nightly update of the rules (sa-update from cron).

File "/etc/spamassassin/local.cf":

report_safe 0

use_bayes          1
bayes_auto_learn   1
bayes_auto_expire  1
bayes_store_module Mail::SpamAssassin::BayesStore::MySQL
bayes_sql_dsn      DBI:mysql:sa:localhost:3306
bayes_sql_username sa
bayes_sql_password password

You need to create the database "sa" in MySQL with the user "sa" and the password "password" (replace it with something sane); the Bayes table schema ships with SpamAssassin (sql/bayes_mysql.sql in its documentation).

report_safe 0: spam is delivered as the original message with X-Spam-* headers added; the sieve rule above depends on the X-Spam-Flag header. With report_safe 1, the message would instead be wrapped inside a spam report as an attachment.
use_bayes enables SpamAssassin's Bayesian (machine learning) classifier; bayes_auto_learn lets it train itself on messages that score clearly as spam or ham.

The remaining spamassassin settings are used at the beginning of the article.

General "spamassassin" settings.
About moving new spam mail into the IMAP "Spam" folder.
About a simple Dovecot + SpamAssassin bundle.
I recommend reading the guide on training spamassassin when moving mail into IMAP folders (but I do not recommend using it).

============ Appeal to the community ===============

I would like to toss an idea to the community about how to raise the level of security of the mail that is sent, since I have dived so deep into the mail topic.

Let the user be able to create a key pair in their client (Outlook, Thunderbird, browser plugin, ...). Public and private. Public: published in DNS. Private: kept on the client. The mail server would be able to use the public key to send to a specific recipient.

And to protect against spam in such messages (yes, the mail server would not be able to inspect the content), 3 rules would have to be introduced:

  1. Mandatory real DKIM signature, mandatory SPF, mandatory rDNS.
  2. A neural network for anti-spam training plus a database for it on the client side.
  3. The encryption algorithm must be such that the sending side has to spend 100 times more CPU power on encryption than the receiving side.

In addition to public mail, create a proposal letter "to start secure correspondence". One of the users (mailbox) sends a letter with an attachment to another mailbox. The letter contains a text proposal to start a secure communication channel for correspondence, and the public key of the mailbox owner (with the private key on the client side).

You can even make several keys, one specifically for each correspondence. The recipient can accept the offer and send their public key (also made specifically for this correspondence). Next, the first user sends a service control letter (encrypted with the public key of the second user); on receiving it, the second user can consider the formed communication channel reliable. Next, the second user sends a control letter, and then the first user can also consider the formed channel reliable.

To combat interception of the keys in transit, the protocol must provide for transferring at least one public key by way of a flash drive.

Most importantly, it works (the question is "who will pay for it?"):
Introduce mail certificates starting at $10 for 3 years. They let the sender state in DNS that "my public keys are there". And they give you the possibility to initiate a secure connection. At the same time, accepting such connections is free.
Gmail finally monetizes its users. For $10 per 3 years: the right to create secure correspondence channels.

=========== Conclusion =============

To test the whole article, I was going to rent a dedicated server for a month and buy a domain with an SSL certificate.

But life circumstances intervened, and this matter dragged on for 2 months.
So, when I had free time again, I decided to publish the article as it is, rather than risk the publication being delayed for another year.

If there are many questions like "but this is not described in enough detail", then I will probably find the strength to take a dedicated server with a new domain and a new SSL certificate, describe it in even more detail and, most importantly, find all the important missing details.

I would also like to get feedback and ideas about mail certificates. If you like the idea, I will try to find the strength to write a draft for an RFC.

When copying a large part of the article, give a link to this article.
When translating it into any other language, give a link to this article.
I will try to translate it into English myself and leave cross-references.


source: www.habr.com
