This article explains how to set up a modern mail server.
Postfix + Dovecot. SPF + DKIM + rDNS. IPv6.
With TLS encryption. Support for several domains, some of them with real SSL certificates.
With anti-spam protection and a high anti-spam rating from other mail servers.
Support for several physical interfaces.
With OpenVPN, where the connection is made over IPv4 and IPv6 is provided through it.
If you do not want to learn all these technologies but want to set up such a server, this article is for you.
The article does not try to explain every detail. It explains what is not configured as standard, or what matters from the consumer's point of view.
My motivation for setting up a mail server is that it was a long-standing dream of mine. It may sound silly, but in my opinion it is far better than dreaming of a new car from a favourite brand.
There are two motivations for setting up IPv6. An IT specialist has to keep learning new technologies to survive. And I want to make a modest contribution to the fight against censorship.
The motivation for setting up OpenVPN is only to get IPv6 working on my local machine.
The motivation for configuring several physical interfaces is that the server has two interfaces: one "slow but unlimited" and one "fast but metered".
The motivation for configuring Bind is that the DNS server provided by my ISP is unstable, and Google's also fails now and then. I want a stable DNS server for personal use.
The motivation for writing the article: I wrote a draft 10 months ago and have already looked at it XNUMX times. Even if the author needs it regularly, there is a good chance others will need it too.
There is no universal solution for a mail server. But I will try to write something like: do this, everything works, then throw away what you do not need.
The company tech.ru has a colocation server. A comparison with OVH, Hetzner and AWS is possible. For this task, working with tech.ru is more effective.
Debian 9 is installed on the server.
The server has 2 interfaces, `eno1` and `eno2`. The first is unlimited, the second is fast.
The `eno1` interface has 3 static IP addresses, XX.XX.XX.X0, XX.XX.XX.X1 and XX.XX.XX.X2; the `eno2` interface has one, XX.XX.XX.X5.
A pool of IPv6 addresses XXXX:XXXX:XXXX:XXXX::/64 is assigned to the `eno1` interface, and from it XXXX:XXXX:XXXX:XXXX:1:2::/96 was assigned to `eno2` at my request.
There are 3 domains: `domain1.com`, `domain2.com` and `domain3.com`. `domain1.com` and `domain3.com` have SSL certificates.
I have a Google account to which the mailbox `[email protected]` is linked (it receives and sends mail directly from the Gmail interface).
There should be a mailbox `[email protected]` whose mail is checked in Gmail as a copy. Occasionally it should be possible to send something on behalf of `[email protected]` through the web interface.
There should be a mailbox `[email protected]` that is used from an iPhone.
Outgoing mail must meet all modern anti-spam requirements.
The highest level of encryption must be provided on public networks.
IPv6 must be supported for both sending and receiving mail.
There must be a SpamAssassin that never deletes mail. It either bounces the letter, lets it through, or puts it in the IMAP "Spam" folder.
SpamAssassin auto-learning must be configured: when a letter is moved into the Spam folder, it learns from it; when a letter is moved out of the Spam folder, it learns from that too. The results of the training must affect whether a letter lands in the Spam folder.
PHP scripts must be able to send mail on behalf of any domain on this server.
An openvpn service is needed so that a client without IPv6 can use IPv6.
First, the interfaces and routing, including IPv6, must be configured.
Then OpenVPN must be configured to give a client connecting over IPv4 a static, real IPv6 address. That client can then reach every IPv6 service on the server and every IPv6 resource on the Internet.
Then Postfix must be configured to send letters with SPF + DKIM + rDNS and other similar small things.
Then Dovecot must be configured, and multiple domains with it.
Then SpamAssassin must be configured, and its training.
Finally, Bind is installed.
============= Multi-interface =============
To configure the interfaces, write this in `/etc/network/interfaces`:
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
allow-hotplug eno1
iface eno1 inet static
address XX.XX.XX.X0/24
gateway XX.XX.XX.1
dns-nameservers 127.0.0.1 213.248.1.6
post-up ip route add XX.XX.XX.0/24 dev eno1 src XX.XX.XX.X0 table eno1t
post-up ip route add default via XX.XX.XX.1 table eno1t
post-up ip rule add table eno1t from XX.XX.XX.X0
post-up ip rule add table eno1t to XX.XX.XX.X0
auto eno1:1
iface eno1:1 inet static
address XX.XX.XX.X1
netmask 255.255.255.0
post-up ip rule add table eno1t from XX.XX.XX.X1
post-up ip rule add table eno1t to XX.XX.XX.X1
post-up ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t
post-down ip route del 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t
auto eno1:2
iface eno1:2 inet static
address XX.XX.XX.X2
netmask 255.255.255.0
post-up ip rule add table eno1t from XX.XX.XX.X2
post-up ip rule add table eno1t to XX.XX.XX.X2
iface eno1 inet6 static
address XXXX:XXXX:XXXX:XXXX:1:1::/64
gateway XXXX:XXXX:XXXX:XXXX::1
up ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE
up ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:2/64 dev $IFACE
down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE
down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:1:1:2/64 dev $IFACE
# The secondary network interface
allow-hotplug eno2
iface eno2 inet static
address XX.XX.XX.X5
netmask 255.255.255.0
post-up ip route add XX.XX.XX.0/24 dev eno2 src XX.XX.XX.X5 table eno2t
post-up ip route add default via XX.XX.XX.1 table eno2t
post-up ip rule add table eno2t from XX.XX.XX.X5
post-up ip rule add table eno2t to XX.XX.XX.X5
post-up ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X5 table eno2t
post-down ip route del 10.8.0.0/24 dev tun0 src XX.XX.XX.X5 table eno2t
iface eno2 inet6 static
address XXXX:XXXX:XXXX:XXXX:1:2::/96
up ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:2:1:1/64 dev $IFACE
up ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:2:1:2/64 dev $IFACE
down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:2:1:1/64 dev $IFACE
down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:2:1:2/64 dev $IFACE
# OpenVPN network
iface tun0 inet6 static
address XXXX:XXXX:XXXX:XXXX:1:3::/80
These settings can be applied to any tech.ru server (coordinate with support) and they work straight away.
If you have experience setting up something similar on Hetzner or OVH, it is different there. More difficult.
eno1 is the name of network card #1 (slow but unlimited).
eno2 is the name of network card #2 (fast but metered).
tun0 is the name of the OpenVPN virtual network card.
XX.XX.XX.X0 - IPv4 #1 on eno1.
XX.XX.XX.X1 - IPv4 #2 on eno1.
XX.XX.XX.X2 - IPv4 #3 on eno1.
XX.XX.XX.X5 - IPv4 #1 on eno2.
XX.XX.XX.1 - IPv4 gateway.
XXXX:XXXX:XXXX:XXXX::/64 - IPv6 for the whole server.
XXXX:XXXX:XXXX:XXXX:1:2::/96 - IPv6 for eno2. Everything else arriving from outside goes to eno1.
XXXX:XXXX:XXXX:XXXX::1 - IPv6 gateway (note that this can and should be done differently: specify the IPv6 of the switch here).
dns-nameservers - 127.0.0.1 (because bind is installed locally) and 213.248.1.6 (this one is from tech.ru).
`table eno1t` and `table eno2t` - the meaning of these routing rules is that traffic which came in through eno1 leaves through it, and traffic which came in through eno2 leaves through it. Connections initiated by the server also go through eno1.
ip route add default via XX.XX.XX.1 table eno1t
This command specifies that traffic covered by the rules marked `table eno1t` and not matched by any other route is sent out through the eno1 interface.
ip route add XX.XX.XX.0/24 dev eno1 src XX.XX.XX.X0 table eno1t
This command specifies that traffic initiated by the server goes out through the eno1 interface.
ip rule add table eno1t from XX.XX.XX.X0
ip rule add table eno1t to XX.XX.XX.X0
These commands set the rules that mark the traffic.
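The rules above are easy to get half-right: an address with a `from` rule but no `to` rule still answers from the wrong interface. The following is an added example (not part of the original article) that parses the output of `ip rule show` and reports, per address, which of the two rules is missing. The sample output is constructed so that the check runs offline; it uses the article's placeholder addresses, and XX.XX.XX.X2 is deliberately missing its `to` rule.

```shell
#!/bin/sh
# Added example (not the article's code): verify that every public address
# has both policy rules the article describes ("from ADDR" and "to ADDR"
# into its table) by parsing `ip rule show` output.
# Constructed sample of `ip rule show`; XX.XX.XX.X2 lacks its "to" rule.
SAMPLE_RULES='0:      from all lookup local
32760:  from all to XX.XX.XX.X0 lookup eno1t
32761:  from XX.XX.XX.X0 lookup eno1t
32762:  from all to XX.XX.XX.X1 lookup eno1t
32763:  from XX.XX.XX.X1 lookup eno1t
32764:  from XX.XX.XX.X2 lookup eno1t
32765:  from all to XX.XX.XX.X5 lookup eno2t
32766:  from XX.XX.XX.X5 lookup eno2t
32766:  from all lookup main
32767:  from all lookup default'

# missing_rules RULES ADDR TABLE
# Prints one line per missing rule and returns 1 if anything is missing,
# 0 if both the "from" and the "to" rule for ADDR point at TABLE.
missing_rules() {
    rules=$1; addr=$2; table=$3; rc=0
    # escape the dots so they match literally in the regex
    a=$(printf '%s' "$addr" | sed 's/\./\\./g')
    if ! printf '%s\n' "$rules" | grep -Eq "^[0-9]+:[[:space:]]+from $a lookup $table\$"; then
        echo "from $addr $table"; rc=1
    fi
    if ! printf '%s\n' "$rules" | grep -Eq "^[0-9]+:[[:space:]]+from all to $a lookup $table\$"; then
        echo "to $addr $table"; rc=1
    fi
    return $rc
}

# check_plan RULES
# Runs missing_rules over the article's address/table plan and prints the
# total number of missing rules (0 means the policy routing is complete).
check_plan() {
    total=0
    for pair in XX.XX.XX.X0=eno1t XX.XX.XX.X1=eno1t XX.XX.XX.X2=eno1t XX.XX.XX.X5=eno2t; do
        n=$(missing_rules "$1" "${pair%=*}" "${pair#*=}" | grep -c . || true)
        total=$((total + n))
    done
    echo "$total"
}

# On the server: ip rule show | { r=$(cat); check_plan "$r"; }
echo "missing rules in the constructed sample: $(check_plan "$SAMPLE_RULES")"
```

Run it against the live rule list after `/etc/init.d/networking restart`; a non-zero total means one of the `post-up` lines did not take effect.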
auto eno1:2
iface eno1:2 inet static
address XX.XX.XX.X2
netmask 255.255.255.0
post-up ip rule add table eno1t from XX.XX.XX.X2
post-up ip rule add table eno1t to XX.XX.XX.X2
This block specifies one more IPv4 address (XX.XX.XX.X2) on the eno1 interface.
ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t
This command sets the route from OpenVPN clients to the local IPv4 addresses other than XX.XX.XX.X0.
I still do not know why this single command is enough for all the IPv4 addresses.
iface eno1 inet6 static
address XXXX:XXXX:XXXX:XXXX:1:1::/64
gateway XXXX:XXXX:XXXX:XXXX::1
Here we set the address of the interface itself. The server uses it as the source address for outgoing traffic. It is never used again in any other form.
Why is `:1:1::` so complicated? Only so that OpenVPN works correctly. More on that below.
As for the gateway: this is how it works, and it is fine. But the correct way is to specify here the IPv6 of the switch the server is connected to.
However, if I do that, IPv6 stops working for some reason. This is probably some kind of tech.ru problem.
ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE
This adds an IPv6 address to the interface. If you need N addresses, this file will contain N such lines.
iface eno1 inet6 static
address XXXX:XXXX:XXXX:XXXX:1:1::/64
...
iface eno2 inet6 static
address XXXX:XXXX:XXXX:XXXX:1:2::/96
...
iface tun0 inet6 static
address XXXX:XXXX:XXXX:XXXX:1:3::/80
For clarity, I wrote out the addresses and subnets of all the interfaces.
eno1 - this must be `/64`, because that is our entire pool of addresses.
tun0 - the prefix length must be larger than eno1's. Otherwise it will not be possible to configure an IPv6 gateway for OpenVPN clients.
eno2 - the prefix length must be larger than tun0's. Otherwise OpenVPN clients will not be able to reach the local IPv6 addresses.
For clarity I chose a subnet step of 16, but you can use a step of `1` if needed.
So 64+16 = 80 and 80+16 = 96. To make it even clearer:
XXXX:XXXX:XXXX:XXXX:1:1:YYYY:YYYY - addresses to be assigned to specific sites or services on the eno1 interface.
XXXX:XXXX:XXXX:XXXX:1:2:YYYY:YYYY - addresses to be assigned to specific sites or services on the eno2 interface.
XXXX:XXXX:XXXX:XXXX:1:3:YYYY:YYYY - addresses assigned to OpenVPN clients and used as the OpenVPN service address.
To configure the network you must be able to reboot the server.
IPv4 changes are picked up at run time (be sure to wrap this in screen, otherwise the command will simply bring down the network on the server):
/etc/init.d/networking restart
Add the following to the end of the file `/etc/iproute2/rt_tables`:
100 eno1t
101 eno2t
Otherwise the custom tables cannot be used in the `/etc/network/interfaces` file.
The numbers must be unique and below 65535.
IPv6 changes can easily be made without a reboot, but for that you need to learn at least the following commands:
ip -6 addr ...
ip -6 route ...
ip -6 neigh ...
Settings in `/etc/sysctl.conf`:
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward = 1
# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0
# For receiving ARP replies
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.default.arp_filter = 0
# For sending ARP
net.ipv4.conf.all.arp_announce = 0
net.ipv4.conf.default.arp_announce = 0
# Enable IPv6
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0
# IPv6 configuration
net.ipv6.conf.all.autoconf = 1
net.ipv6.conf.all.accept_ra = 0
# For OpenVPN
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.proxy_ndp = 1
# For nginx on boot
net.ipv6.ip_nonlocal_bind = 1
These are the sysctl settings on my server. Let me point out the important ones.
net.ipv4.ip_forward = 1
Without this, OpenVPN does not work at all.
net.ipv6.ip_nonlocal_bind = 1
If you try to bind to an IPv6 address (nginx, for example) right after the interface comes up, you get an error saying the address is not available.
This setting is there to avoid that situation.
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.proxy_ndp = 1
Without these IPv6 settings, traffic from OpenVPN clients does not go out to the world.
The other settings are either irrelevant, or I do not remember what they are for.
But just in case, I leave them "as is".
To apply changes to this file without rebooting the server, run:
sysctl -p
More details on the "table" rules:
============= OpenVPN =============
OpenVPN over IPv4 does not work without iptables.
My iptables rules for the VPN look like this:
iptables -A INPUT -p udp -s YY.YY.YY.YY --dport 1194 -j ACCEPT
iptables -A FORWARD -i tun0 -o eno1 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j SNAT --to-source XX.XX.XX.X0
##iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j DROP
iptables -A FORWARD -p udp --dport 1194 -j DROP
YY.YY.YY.YY is the static IPv4 address of my local machine.
10.8.0.0/24 - the IPv4 openvpn network, the IPv4 addresses of the openvpn clients.
The order of the rules matters.
iptables -A INPUT -p udp -s YY.YY.YY.YY --dport 1194 -j ACCEPT
iptables -A FORWARD -i tun0 -o eno1 -j ACCEPT
...
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j DROP
iptables -A FORWARD -p udp --dport 1194 -j DROP
This restriction ensures that only I, from my static IP, can use OpenVPN.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j SNAT --to-source XX.XX.XX.X0
-- or --
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j MASQUERADE
To forward IPv4 packets between OpenVPN clients and the Internet, one of these commands must be registered.
Depending on the case, one or the other option may not be suitable.
Both commands work in my case.
After reading the documentation, I chose the first option, which uses less CPU.
To get all the iptables settings back after a reboot, they must be saved somewhere:
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6
These names are not chosen at random: they are the ones used by the `iptables-persistent` package.
apt-get install iptables-persistent
Install the main OpenVPN packages:
apt-get install openvpn easy-rsa
Let us set up the certificate template (replace the values):
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
ln -s openssl-1.0.0.cnf openssl.cnf
Edit the certificate template settings:
mcedit vars
...
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="RU"
export KEY_PROVINCE="Krasnodar"
export KEY_CITY="Dinskaya"
export KEY_ORG="Own"
export KEY_EMAIL="[email protected]"
export KEY_OU="VPN"
# X509 Subject Field
export KEY_NAME="server"
...
Create the server certificate:
cd ~/openvpn-ca
source vars
./clean-all
./build-ca
./build-key-server server
./build-dh
openvpn --genkey --secret keys/ta.key
Let us prepare the means to create the final `client-name.ovpn` file:
mkdir -p ~/client-configs/files
chmod 700 ~/client-configs/files
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
mcedit ~/client-configs/base.conf
# Client mode
client
# Interface tunnel type
dev tun
# TCP protocol
proto tcp-client
# Address/Port of VPN server
remote XX.XX.XX.X0 1194
# Don't bind to local port/address
nobind
# Don't need to re-read keys and re-create tun at restart
persist-key
persist-tun
# Remote peer must have a signed certificate
remote-cert-tls server
ns-cert-type server
# Enable compression
comp-lzo
# Custom
ns-cert-type server
tls-auth ta.key 1
cipher DES-EDE3-CBC
Let us prepare the script that merges all the files into a single .ovpn file:
mcedit ~/client-configs/make_config.sh
chmod 700 ~/client-configs/make_config.sh
#!/bin/bash
# First argument: Client identifier
# ${1} is the client name (as given to ./build-key); it selects the key and
# certificate files and names the output .ovpn file.
KEY_DIR=~/openvpn-ca/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf
cat ${BASE_CONFIG} \
    <(echo -e '<ca>') \
    ${KEY_DIR}/ca.crt \
    <(echo -e '</ca>\n<cert>') \
    ${KEY_DIR}/${1}.crt \
    <(echo -e '</cert>\n<key>') \
    ${KEY_DIR}/${1}.key \
    <(echo -e '</key>\n<tls-auth>') \
    ${KEY_DIR}/ta.key \
    <(echo -e '</tls-auth>') \
    > ${OUTPUT_DIR}/${1}.ovpn
Creating the first OpenVPN client:
cd ~/openvpn-ca
source vars
./build-key client-name
cd ~/client-configs
./make_config.sh client-name
The file `~/client-configs/files/client-name.ovpn` is sent to the client's device.
For iOS clients you need the following trick:
The contents of the `tls-auth` tag must not contain comments.
And add `key-direction 1` immediately before the `tls-auth` tag.
Let us configure the OpenVPN server:
cd ~/openvpn-ca/keys
cp ca.crt ca.key server.crt server.key ta.key dh2048.pem /etc/openvpn
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | tee /etc/openvpn/server.conf
mcedit /etc/openvpn/server.conf
# Listen port
port 1194
# Protocol
proto tcp-server
# IP tunnel
dev tun0
tun-ipv6
push tun-ipv6
# Master certificate
ca ca.crt
# Server certificate
cert server.crt
# Server private key
key server.key
# Diffie-Hellman parameters
dh dh2048.pem
# Allow clients to communicate with each other
client-to-client
# Client config dir
client-config-dir /etc/openvpn/ccd
# Run client-specific script on connection and disconnection
script-security 2
client-connect "/usr/bin/sudo -u root /etc/openvpn/server-clientconnect.sh"
client-disconnect "/usr/bin/sudo -u root /etc/openvpn/server-clientdisconnect.sh"
# Server mode and client subnets
server 10.8.0.0 255.255.255.0
server-ipv6 XXXX:XXXX:XXXX:XXXX:1:3::/80
topology subnet
# IPv6 routes
push "route-ipv6 XXXX:XXXX:XXXX:XXXX::/64"
push "route-ipv6 2000::/3"
# DNS (for Windows)
# These are OpenDNS
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
# Configure all clients to redirect their default network gateway through the VPN
push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway ipv6" #For iOS
# Don't need to re-read keys and re-create tun at restart
persist-key
persist-tun
# Ping every 10s. Timeout of 120s.
keepalive 10 120
# Enable compression
comp-lzo
# User and group
user vpn
group vpn
# Log a short status
status openvpn-status.log
# Logging verbosity
##verb 4
# Custom config
tls-auth ta.key 0
cipher DES-EDE3-CBC
This is needed to set a static address for each client (not required, but I use it).
# Client config dir
client-config-dir /etc/openvpn/ccd
The most difficult and important detail.
Unfortunately, OpenVPN still does not know how to configure an IPv6 gateway for each client individually.
This has to be "forwarded" manually for each client.
# Run client-specific script on connection and disconnection
script-security 2
client-connect "/usr/bin/sudo -u root /etc/openvpn/server-clientconnect.sh"
client-disconnect "/usr/bin/sudo -u root /etc/openvpn/server-clientdisconnect.sh"
File `/etc/openvpn/server-clientconnect.sh`:
#!/bin/sh
# Check client variables
if [ -z "$ifconfig_pool_remote_ip" ] || [ -z "$common_name" ]; then
echo "Missing environment variable."
exit 1
fi
# Load server variables
. /etc/openvpn/variables
ipv6=""
# Find out if there is a specific config with fixed IPv6 for this client
if [ -f "/etc/openvpn/ccd/$common_name" ]; then
# Get fixed IPv6 from client config file
# capture the address that follows ifconfig-ipv6-push (backslashes restored: \t and \1)
ipv6=$(sed -nr 's/^.*ifconfig-ipv6-push[ \t]+([0-9a-fA-F:]+).*$/\1/p' "/etc/openvpn/ccd/$common_name")
echo $ipv6
fi
# Get IPv6 from IPv4
if [ -z "$ipv6" ]; then
ipp=$(echo "$ifconfig_pool_remote_ip" | cut -d. -f4)
if ! [ "$ipp" -ge 2 -a "$ipp" -le 254 ] 2>/dev/null; then
echo "Invalid IPv4 part."
exit 1
fi
hexipp=$(printf '%x' $ipp)
ipv6="$prefix$hexipp"
fi
# Create proxy rule
/sbin/ip -6 neigh add proxy $ipv6 dev eno1
File `/etc/openvpn/server-clientdisconnect.sh`:
#!/bin/sh
# Check client variables
if [ -z "$ifconfig_pool_remote_ip" ] || [ -z "$common_name" ]; then
echo "Missing environment variable."
exit 1
fi
# Load server variables
. /etc/openvpn/variables
ipv6=""
# Find out if there is a specific config with fixed IPv6 for this client
if [ -f "/etc/openvpn/ccd/$common_name" ]; then
# Get fixed IPv6 from client config file
# capture the address that follows ifconfig-ipv6-push (backslashes restored: \t and \1)
ipv6=$(sed -nr 's/^.*ifconfig-ipv6-push[ \t]+([0-9a-fA-F:]+).*$/\1/p' "/etc/openvpn/ccd/$common_name")
fi
# Get IPv6 from IPv4
if [ -z "$ipv6" ]; then
ipp=$(echo "$ifconfig_pool_remote_ip" | cut -d. -f4)
if ! [ "$ipp" -ge 2 -a "$ipp" -le 254 ] 2>/dev/null; then
echo "Invalid IPv4 part."
exit 1
fi
hexipp=$(printf '%x' $ipp)
ipv6="$prefix$hexipp"
fi
# Delete proxy rule
/sbin/ip -6 neigh del proxy $ipv6 dev eno1
Both scripts use the file `/etc/openvpn/variables`:
# Subnet
prefix=XXXX:XXXX:XXXX:XXXX:2:
# netmask
prefixlen=112
I find it hard to remember why it was written this way.
netmask = 112 looks strange (it should really be 96).
And the prefix is strange: it does not match the tun0 network.
But it is fine, I will leave it as is.
cipher DES-EDE3-CBC
This does not suit everyone, but I chose this cipher for the connection.
============= Postfix =============
Install the main package:
apt-get install postfix
During installation, choose "Internet Site".
My `/etc/postfix/main.cf` looks like this:
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
readme_directory = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtp_bind_address = XX.XX.XX.X0
smtp_bind_address6 = XXXX:XXXX:XXXX:XXXX:1:1:1:1
smtp_tls_security_level = may
smtp_tls_ciphers = export
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_loglevel = 1
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = domain1.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = domain1.com
mydestination = localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
internal_mail_filter_classes = bounce
# Storage type
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
# SMTP-Auth settings
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
#reject_invalid_hostname,
#reject_unknown_recipient_domain,
reject_unauth_destination,
reject_rbl_client sbl.spamhaus.org,
check_policy_service unix:private/policyd-spf
smtpd_helo_restrictions =
#reject_invalid_helo_hostname,
#reject_non_fqdn_helo_hostname,
reject_unknown_helo_hostname
smtpd_client_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_non_fqdn_helo_hostname,
permit
# SPF
policyd-spf_time_limit = 3600
# OpenDKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:var/run/opendkim/opendkim.sock
# IP address per domain
sender_dependent_default_transport_maps = pcre:/etc/postfix/sdd_transport.pcre
Let us look at the details of this configuration.
smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key
According to Habrahabr readers, this section contains "wrong information and wrong theses". Only 8 years after starting my career did I begin to understand how SSL works.
So I will describe how SSL is used (without answering the questions "how does it work?" and "why does it work?").
The basis of modern encryption is the creation of a key pair (two very long strings).
One "key" is the private key, the other is the public key. We keep the private key secret with the greatest care. We hand the public key out to everyone.
With the public key one can encrypt a text string so that only the holder of the private key can decrypt it.
Well, that is the whole foundation of the technology. Step #1 - an https site.
When you visit a site, the browser learns from the web server that the site is https and requests its public key.
The web server hands over the public key. The browser encrypts the http request with that public key and sends it.
Only someone holding the private key, i.e. the server the request is made to, can read the contents of the http request.
An HTTP request contains at least a URI. So if a country tries to restrict access to a particular page rather than the whole site, it cannot do that for an https site. Step #2 - an encrypted response.
The web server gives an answer that can easily be read in transit.
The solution is very simple: the browser generates locally, for each https site, the same kind of private/public key pair.
And together with the request for the site's public key it sends its own local public key.
The web server remembers it and, when sending the http response, encrypts it with that particular client's public key.
Now the http response can only be decrypted by the holder of the client browser's private key (that is, the client itself). Step #3 - establishing a secure connection over a public channel.
Example 2 has a weakness: nothing stops a "well-wisher" from intercepting the http request and editing the public key information.
So the intermediary sees clearly all the contents of the sent and received messages until the communication channel is changed.
Dealing with this is very simple: the browser's public key is sent as a message encrypted with the web server's public key.
The web server then first sends a response like "your public key is such and such", encrypting that message with the same public key.
The browser checks the response. If it receives the message "your public key is such and such", then this communication channel is 100% guaranteed to be secure.
How secure?
Creating such a secure channel takes ping*2. For example, 20ms.
The attacker must have obtained the private key of one of the parties in advance. Or find the private key in a few milliseconds.
Cracking a modern private key takes a supercomputer decades. Step #4 - a public database of public keys.
Obviously, in this whole story there is an opportunity for an attacker to wedge himself into the communication channel between client and server.
He can pretend to be the server to the client and the client to the server. And emulate the key pair in both directions.
After that the attacker sees all the traffic and can "edit" it.
For example, change the address money is sent to, copy a password from online banking, or block "objectionable" content.
To counter such an attacker, a public database was devised containing the public key of every https site.
Every browser "knows" of the existence of about 200 such databases. They come preinstalled in every browser.
That "knowledge" is backed by the public key of each certificate, so a connection to these particular certificate authorities cannot be faked. Now it is easy to understand how SSL is used in https.
If you think it over, it becomes clear how special services could crack something in this structure. But that would take a tremendous amount of effort.
For organisations smaller than the NSA or CIA, cracking the existing level of protection is nearly impossible, even against a VIP. Let me add a note about ssh connections. There is no public database there, so what can be done? The problem is solved in two ways.
Option ssh-by-password:
During the first connection the ssh client must warn that it has received a new public key from the ssh server.
If during a later connection the warning "new public key from the ssh server" appears, it means someone is trying to eavesdrop on you.
Or you were eavesdropped on during the first connection, and now you are talking to the server without an intermediary.
In practice this attack is used only in special cases against a particular client, because it easily and quickly exposes the fact of eavesdropping. Option ssh-by-key:
We take a flash drive and write the ssh server's private key to it (there are terms and important nuances here, but I am writing an educational piece, not an instruction manual).
The public key stays on the machine where the ssh client is, and is also kept secret.
We carry the flash drive to the server, plug it in, copy the private key across, then burn the flash drive and scatter the ashes to the wind (or at least format it with zeros).
That is all: after such an operation it becomes impossible to crack such an ssh connection. Of course, in 10 years it will be possible to view the traffic on a supercomputer, but that is another story. I apologise for the digression.
So much for the theory. Let me describe the flow of creating an SSL certificate.
Using `openssl genrsa` we create a private key and a "blank" for the public key.
We send the "blank" to a third-party company and pay about 9 dollars for the simplest certificate.
A few hours later we receive from that third-party company our "public" key and a set of several public keys.
Why a third-party company has to be paid to register my public key is a separate question that we will not go into here.
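The "blank" in the flow just described is a certificate signing request (CSR). The following is an added example, not part of the original article: it generates the private key with `openssl genrsa`, builds the CSR, and then checks that the public key carried inside the CSR is the one derived from the private key, which is exactly what the seller will sign and hand back. It assumes the `openssl` command-line tool is installed; the domain name and subject fields are placeholders.

```shell
#!/bin/sh
# Added example (not the article's code): produce a key and a CSR, then
# verify that the CSR carries the public key belonging to that private key.

# make_csr DIR DOMAIN
# Writes DIR/DOMAIN.key (kept private, mode 600) and DIR/DOMAIN.csr and
# prints the CSR path. Subject fields are placeholders.
make_csr() {
    dir=$1; domain=$2
    openssl genrsa -out "$dir/$domain.key" 2048 2>/dev/null
    chmod 600 "$dir/$domain.key"
    openssl req -new -key "$dir/$domain.key" -out "$dir/$domain.csr" \
        -subj "/C=XX/ST=Placeholder/L=Placeholder/O=Own/CN=$domain" 2>/dev/null
    printf '%s\n' "$dir/$domain.csr"
}

# csr_matches_key CSR KEY
# Returns 0 when the SubjectPublicKeyInfo in the CSR equals the public part
# of KEY (both compared as the SHA-256 of their DER encoding).
csr_matches_key() {
    a=$(openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    b=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Stand-alone run: build a CSR for a placeholder domain and verify it.
if command -v openssl >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    csr=$(make_csr "$tmp" domain1.com)
    if csr_matches_key "$csr" "$tmp/domain1.com.key"; then
        echo "CSR public key matches the private key: $csr"
    fi
    openssl req -in "$csr" -noout -subject
    rm -rf "$tmp"
fi
```

The same comparison, with the issued `.crt` in place of the CSR (`openssl x509 -in FILE -noout -pubkey`), is the quickest way to confirm that the certificate the seller returned actually belongs to the key in `/etc/ssl` before pointing `smtpd_tls_cert_file` at it.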
Now the meaning of the inscription becomes clear:
smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key
The `/etc/ssl` folder contains all files related to SSL matters.
domain1.com - the domain name.
2018 - the year the key was created.
`key` - indicates that the file is the private key.
And the meaning of this file:
smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
domain1.com - the domain name.
2018 - the year the key was created.
chained - indicates that there is a chain of public keys (the first public key is ours, the rest are from the company that issued our public key).
crt - indicates a ready-made certificate (a public key with a technical description).
smtp_bind_address = XX.XX.XX.X0
smtp_bind_address6 = XXXX:XXXX:XXXX:XXXX:1:1:1:1
This setting is not used in this case, but it is written here as an example.
Because if this parameter is wrong, the server will end up sending spam (regardless of the user's intent).
And then go and prove to everyone that you are innocent.
recipient_delimiter = +
Many may not know it, but this is the standard character for tagging mail, and most modern mail servers support it.
For example, if you have a mailbox `[email protected]`, try sending to `[email protected]` and see what happens.
inet_protocols = ipv4
This may be confusing.
But that is not all. Every new domain is IPv4-only by default, so IPv6 is turned on for each domain separately.
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
Here we specify that all incoming mail is handed to dovecot.
And that the rules for domains, mailboxes and aliases are looked up in the database.
/etc/postfix/mysql-virtual-mailbox-domains.cf
user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT 1 FROM virtual_domains WHERE name='%s'
/etc/postfix/mysql-virtual-mailbox-maps.cf
user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT 1 FROM virtual_users WHERE email='%s'
/etc/postfix/mysql-virtual-alias-maps.cf
user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT destination FROM virtual_aliases WHERE source='%s'
# SMTP-Auth settings
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
Now postfix knows that it accepts mail for onward delivery only after authorisation through dovecot.
I really do not understand why this is duplicated here. Everything needed is already specified in `virtual_transport`.
But the postfix system is very old, so it is probably a "relic" of earlier days.
smtpd_recipient_restrictions =
...
smtpd_helo_restrictions =
...
smtpd_client_restrictions =
...
This can be configured differently on every mail server.
I have 3 mail servers at my disposal, and these settings differ greatly because the usage requirements differ.
They must be configured carefully; otherwise spam will pour in, or worse, spam will pour out.
# SPF
policyd-spf_time_limit = 3600
Setting up the plugin for SPF checks on incoming letters.
# OpenDKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:var/run/opendkim/opendkim.sock
The setting that all outgoing mail must receive a DKIM signature.
# IP address per domain
sender_dependent_default_transport_maps = pcre:/etc/postfix/sdd_transport.pcre
This is an important detail of letter routing when letters are sent from PHP scripts.
File `/etc/postfix/sdd_transport.pcre`:
/^[email protected]$/ domain1:
/^[email protected]$/ domain2:
/^[email protected]$/ domain3:
/@domain1.com$/ domain1:
/@domain2.com$/ domain2:
/@domain3.com$/ domain3:
On the left is a regular expression. On the right is a label that marks the letter.
According to that label, Postfix takes a few extra configuration lines into account for that letter. Exactly how postfix is reconfigured for a given letter is shown in `master.cf`.
Lines 4, 5 and 6 are the main ones. For the domain on whose behalf the letter is sent, we attach that domain's label.
But in old PHP code the "from" field is not always set. This is where the user name helps. This article is already extensive, and I do not want to get sidetracked into setting up nginx+fpm.
In short: each site gets its own Linux user as owner. An fpm pool is created accordingly.
An fpm pool can use any version of php (it is great that on the same server you can run different php versions, and neighbouring sites can use different php.ini files without any problems).
So a particular Linux user `www-domain2` owns the website `domain2.com`. This site has code that sends mail without specifying the from field.
So even in that case the letter is sent correctly and does not become spam.
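The routing just described depends on the order of the map: Postfix tries a pcre table top to bottom and the first match wins, so the user-name rules have to come before the domain rules. The following is an added example, not part of the original article, that emulates that first-match lookup over a constructed stand-in for `sdd_transport.pcre`. The per-site Unix user names (`www-domain1`, `www-domain2`, `www-domain3`) are assumed; the article only names `www-domain2`. The envelope sender a script gets when it sets no From (`www-domain2@domain1.com`) follows from `myorigin = domain1.com` in the `main.cf` above.

```shell
#!/bin/sh
# Added example (not the article's code): first-match lookup over a
# sender-dependent transport map, as Postfix does for pcre: tables.
# Constructed map; the www-domainN user names are assumed.
SAMPLE_MAP='/^www-domain1@/ domain1:
/^www-domain2@/ domain2:
/^www-domain3@/ domain3:
/@domain1\.com$/ domain1:
/@domain2\.com$/ domain2:
/@domain3\.com$/ domain3:'

# transport_for_sender MAP SENDER
# Prints the label of the first map line whose pattern matches SENDER, or
# "default" when nothing matches (Postfix then uses default_transport).
transport_for_sender() {
    found=$(printf '%s\n' "$1" | while IFS= read -r line; do
        # the pattern sits between the slashes, the label is the last field
        pattern=$(printf '%s\n' "$line" | sed -n 's|^/\(.*\)/[[:space:]].*$|\1|p')
        label=${line##* }
        if printf '%s\n' "$2" | grep -Eq -e "$pattern"; then
            printf '%s\n' "$label"
            break
        fi
    done)
    printf '%s\n' "${found:-default}"
}

# A script run as Unix user www-domain2 with no From: gets the envelope
# sender www-domain2@domain1.com (myorigin), yet the user-name rule sends it
# through the domain2 transport, i.e. domain2's bind address and helo.
for s in admin@domain1.com www-domain2@domain1.com nobody@example.org; do
    echo "$s -> $(transport_for_sender "$SAMPLE_MAP" "$s")"
done
```

On the server the authoritative answer comes from `postmap -q 'www-domain2@domain1.com' pcre:/etc/postfix/sdd_transport.pcre`; if that prints `domain1:` instead of `domain2:`, the user-name lines are below the domain lines and the rDNS/helo pairing for that letter will be wrong.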
My `/etc/postfix/master.cf` looks like this:
...
smtp inet n - y - - smtpd
-o content_filter=spamassassin
...
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
...
policyd-spf unix - n n - 0 spawn
user=policyd-spf argv=/usr/bin/policyd-spf
spamassassin unix - n n - - pipe
user=spamd argv=/usr/bin/spamc -f -e
/usr/sbin/sendmail -oi -f ${sender} ${recipient}
...
domain1 unix - - n - - smtp
-o smtp_bind_address=XX.XX.XX.X1
-o smtp_helo_name=domain1.com
-o inet_protocols=all
-o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:1:1
-o syslog_name=postfix-domain1
domain2 unix - - n - - smtp
-o smtp_bind_address=XX.XX.XX.X5
-o smtp_helo_name=domain2.com
-o inet_protocols=all
-o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:2:1:1
-o syslog_name=postfix-domain2
domain3 unix - - n - - smtp
-o smtp_bind_address=XX.XX.XX.X2
-o smtp_helo_name=domain3
-o inet_protocols=all
-o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:5:1
-o syslog_name=postfix-domain3
ãã¡ã€ã«ã¯å®å
šã«ã¯æäŸãããŠããŸããããã§ã«éåžžã«å€§ãããã¡ã€ã«ã§ãã
å€æŽç¹ã®ã¿ã¡ã¢ããŸããã
smtp      inet  n       -       y       -       -       smtpd
  -o content_filter=spamassassin
...
spamassassin unix -     n       n       -       -       pipe
  user=spamd argv=/usr/bin/spamc -f -e
  /usr/sbin/sendmail -oi -f ${sender} ${recipient}
These are the SpamAssassin-related settings: every message accepted on port 25 is piped through spamc and re-injected with sendmail. Details later.
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
This allows connecting to the mail server on port 587 (submission).
To use it you have to log in: STARTTLS is mandatory before anything else (smtpd_tls_security_level=encrypt), and any client that has not authenticated over SASL is rejected.
policyd-spf unix -      n       n       -       0       spawn
  user=policyd-spf argv=/usr/bin/policyd-spf
This enables SPF checking.
apt-get install postfix-policyd-spf-python
Install the package for the SPF check above. The spawn entry only defines the policy daemon; main.cf must actually consult it with check_policy_service unix:private/policyd-spf in smtpd_recipient_restrictions (after reject_unauth_destination), and the package recommends policyd-spf_time_limit = 3600 alongside it. That main.cf wiring is not shown on this page.
domain1   unix  -       -       n       -       -       smtp
  -o smtp_bind_address=XX.XX.XX.X1
  -o smtp_helo_name=domain1.com
  -o inet_protocols=all
  -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:1:1
  -o syslog_name=postfix-domain1
And this is the most interesting part: sending mail for a particular domain from a particular IPv4/IPv6 address.
This is done for the sake of rDNS. rDNS (reverse DNS) is the lookup that turns an IP address into a host name.
For mail it is used to check that the HELO name matches the rDNS of the address the message came from. If the HELO name does not match the domain on whose behalf the message is sent, spam points are added.
HELO does not match rDNS: a lot of spam points.
Receivers typically check forward-confirmed rDNS as well: the name in the PTR record must resolve back to the same address, and the HELO name itself must resolve. Keeping HELO, PTR and the forward A/AAAA record identical for each sending address is the simplest way to pass, which is also why smtp_helo_name must be a fully qualified name such as domain3.com.
So each domain needs its own IP address.
With OVH, rDNS can be set in the console.
With tech.ru the question is settled through support.
With AWS it is likewise settled through support.
'inet_protocols' and 'smtp_bind_address6' enable IPv6 support.
For IPv6 the rDNS record has to be registered too (a separate PTR under ip6.arpa for each bind address).
'syslog_name' is there to make the logs readable: each transport logs under its own prefix.
蚌ææžã賌å
¥ãã
============= Dovecot =============
apt-get install dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-mysql dovecot-antispam
mysql ãã»ããã¢ããããããã±ãŒãžèªäœãã€ã³ã¹ããŒã«ããŸãã
ãã¡ã€ã«ã/etc/dovecot/conf.d/10-auth.confã
disable_plaintext_auth = yes
auth_mechanisms = plain login
èªèšŒã¯æå·åã®ã¿ãããŸãã
ãã¡ã€ã«ã/etc/dovecot/conf.d/10-mail.confã
mail_location = maildir:/var/mail/vhosts/%d/%n
ããã§æçŽã®ä¿ç®¡å Žæã瀺ããŸãã
ãããããã¡ã€ã«ã«ä¿åãããã¡ã€ã³ããšã«ã°ã«ãŒãåããããšèããŠããŸãã
ãã¡ã€ã«ã/etc/dovecot/conf.d/10-master.confã
service imap-login {
inet_listener imap {
port = 0
}
inet_listener imaps {
address = XX.XX.XX.X1, XX.XX.XX.X2, XX.XX.XX.X5, [XXXX:XXXX:XXXX:XXXX:1:1:1:1], [XXXX:XXXX:XXXX:XXXX:1:2:1:1], [XXXX:XXXX:XXXX:XXXX:1:1:5:1]
port = 993
ssl = yes
}
}
service pop3-login {
inet_listener pop3 {
port = 0
}
inet_listener pop3s {
address = XX.XX.XX.X1, XX.XX.XX.X2, XX.XX.XX.X5, [XXXX:XXXX:XXXX:XXXX:1:1:1:1], [XXXX:XXXX:XXXX:XXXX:1:2:1:1], [XXXX:XXXX:XXXX:XXXX:1:1:5:1]
port = 995
ssl = yes
}
}
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
mode = 0600
user = postfix
group = postfix
}
}
service imap {
}
service pop3 {
}
service auth {
unix_listener auth-userdb {
mode = 0600
user = vmail
}
unix_listener /var/spool/postfix/private/auth {
mode = 0666
user = postfix
group = postfix
}
user = dovecot
}
service auth-worker {
user = vmail
}
service dict {
unix_listener dict {
}
}
ããã¯ãdovecot ã®ã¡ã€ã³æ§æãã¡ã€ã«ã§ãã
ããã§ã¯ãä¿è·ãããŠããªãæ¥ç¶ãç¡å¹ã«ããŸãã
ãããŠå®å
šãªæ¥ç¶ãæå¹ã«ããŸãã
ãã¡ã€ã«ã/etc/dovecot/conf.d/10-ssl.confã
ssl = required
ssl_cert = </etc/nginx/ssl/domain1.com.2018.chained.crt
ssl_key = </etc/nginx/ssl/domain1.com.2018.key
local XX.XX.XX.X5 {
ssl_cert = </etc/nginx/ssl/domain2.com.2018.chained.crt
ssl_key = </etc/nginx/ssl/domain2.com.2018.key
}
SSLã®èšå®ãããŠããŸãã ssl ãå¿ èŠã§ããããšã瀺ããŸãã
ãããŠèšŒææžãã®ãã®ã ãããŠéèŠãªç¹ã¯ãããŒã«ã«ããã£ã¬ã¯ãã£ãã§ãã ã©ã®ããŒã«ã« IPv4 ã«æ¥ç¶ãããšãã«ã©ã® SSL 蚌ææžã䜿çšãããã瀺ããŸããã¡ãªã¿ã«ããã§ã¯IPv6ã®èšå®ã¯ããŠããŸããã®ã§ãåŸã»ã©ä¿®æ£ããŸãã
XX.XX.XX.X5 (ãã¡ã€ã³ 2) - 蚌ææžããããŸããã ã¯ã©ã€ã¢ã³ãã«æ¥ç¶ããã«ã¯ãdomain1.com ãæå®ããå¿ èŠããããŸãã
XX.XX.XX.X2 (ãã¡ã€ã³ 3) - 蚌ææžããããã¯ã©ã€ã¢ã³ãã«æ¥ç¶ããããã«ãã¡ã€ã³ 1.com ãŸãã¯ãã¡ã€ã³ 3.com ãæå®ã§ããŸãã
ãã¡ã€ã«ã/etc/dovecot/conf.d/15-lda.confã
protocol lda {
mail_plugins = $mail_plugins sieve
}
ããã¯å°æ¥ã¹ãããµã·ã³ã«å¿ èŠã«ãªããŸãã
ãã¡ã€ã«ã/etc/dovecot/conf.d/20-imap.confã
protocol imap {
mail_plugins = $mail_plugins antispam
}
ããã¯ã¹ãã 察çãã©ã°ã€ã³ã§ãã ãã¹ãã ããã©ã«ããžã®è»¢éæããŸãã¯ãã¹ãã ããã©ã«ãããã®è»¢éæã«ã¹ãããµã·ã³ãèšç·Žããããã«å¿ èŠã§ãã
ãã¡ã€ã«ã/etc/dovecot/conf.d/20-pop3.confã
protocol pop3 {
}
ã¡ããã©ãã®ãããªãã¡ã€ã«ããããŸãã
ãã¡ã€ã«ã/etc/dovecot/conf.d/20-lmtp.confã
protocol lmtp {
mail_plugins = $mail_plugins sieve
postmaster_address = [email protected]
}
lmtpã®èšå®ãããŠããŸãã
ãã¡ã€ã«ã/etc/dovecot/conf.d/90-antispam.confã
plugin {
antispam_backend = pipe
antispam_trash = Trash;trash
antispam_spam = Junk;Spam;SPAM
antispam_pipe_program_spam_arg = --spam
antispam_pipe_program_notspam_arg = --ham
antispam_pipe_program = /usr/bin/sa-learn
antispam_pipe_program_args = --username=%Lu
}
ã¹ãã ãã©ã«ããŒãžã®è»¢éãŸãã¯ã¹ãã ãã©ã«ããŒããã®è»¢éæã®ã¹ãããµã·ã³ã®ãã¬ãŒãã³ã°èšå®ã
ãã¡ã€ã«ã/etc/dovecot/conf.d/90-sieve.confã
plugin {
sieve = ~/.dovecot.sieve
sieve_dir = ~/sieve
sieve_after = /var/lib/dovecot/sieve/default.sieve
}
åä¿¡ããæåãã©ãåŠçããããæå®ãããã¡ã€ã«ã
ãã¡ã€ã«ã/var/lib/dovecot/sieve/default.sieveã
require ["fileinto", "mailbox"];
if header :contains "X-Spam-Flag" "YES" {
fileinto :create "Spam";
}
ãã¡ã€ã«ãsievecdefault.sieveããã³ã³ãã€ã«ããå¿ èŠããããŸãã
ãã¡ã€ã«ã/etc/dovecot/conf.d/auth-sql.conf.extã
passdb {
driver = sql
args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
driver = static
args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
}
èªå¯çšã®SQLãã¡ã€ã«ãæå®ããŸãã
ãããŠããã¡ã€ã«èªäœãèªèšŒæ¹æ³ãšããŠäœ¿çšãããŸãã
ãã¡ã€ã«ã/etc/dovecot/dovecot-sql.conf.extã
driver = mysql
connect = host=127.0.0.1 dbname=servermail user=usermail password=password
default_pass_scheme = SHA512-CRYPT
password_query = SELECT email as user, password FROM virtual_users WHERE email='%u';
ããã¯ãpostfix ã®åæ§ã®èšå®ã«å¯Ÿå¿ããŸãã
ãã¡ã€ã«ã/etc/dovecot/dovecot.confã
protocols = imap lmtp pop3
listen = *, ::
dict {
}
!include conf.d/*.conf
!include_try local.conf
ã¡ã€ã³ã®èšå®ãã¡ã€ã«ã
éèŠãªããšã¯ãããã§ãããã³ã«ãè¿œå ããããšã瀺ããŠããããšã§ãã
============= SpamAssassin =============
apt-get install spamassassin spamc
Install the packages.
adduser spamd --disabled-login
Add the user the daemon will run as.
systemctl enable spamassassin.service
Enable the spamassassin service so it starts at boot. If spamd still does not start on Debian 9, check that ENABLED=1 is set in '/etc/default/spamassassin'.
File '/etc/default/spamassassin':
CRON=1
Enable the nightly automatic rule updates (sa-update) by default.
File '/etc/spamassassin/local.cf':
report_safe 0
use_bayes 1
bayes_auto_learn 1
bayes_auto_expire 1
bayes_store_module Mail::SpamAssassin::BayesStore::MySQL
bayes_sql_dsn DBI:mysql:sa:localhost:3306
bayes_sql_username sa
bayes_sql_password password
You need to create the database 'sa' in MySQL with user 'sa' and password 'password' (replace it with a proper one), and load the Bayes schema that ships with SpamAssassin (sql/bayes_mysql.sql) into it.
report_safe 0 delivers the original message unchanged and only adds the X-Spam-* headers; with report_safe 1 the message would instead be wrapped inside a spam report, which the sieve rule above does not expect.
use_bayes enables SpamAssassin's Bayesian classifier, its machine-learning part; bayes_auto_learn lets it train itself on messages with very high or very low scores, and the bayes_* SQL settings keep that data in MySQL.
The rest of the SpamAssassin settings are those used in the first half of the article.
============= ã³ãã¥ããã£ãžã®ã¢ããŒã« =============
ãŸãã転éãããæçŽã®ã»ãã¥ãªã㣠ã¬ãã«ãé«ããæ¹æ³ã«ã€ããŠã®ã¢ã€ãã¢ãã³ãã¥ããã£ã«ææ¡ããããšèããŠããŸãã ç§ã¯ã¡ãŒã«ã®è©±é¡ã«ã©ã£ã·ã浞ãã£ãŠããŸã£ãŠããã®ã§ã
ããã«ããããŠãŒã¶ãŒã¯ã¯ã©ã€ã¢ã³ã (OutlookãThunderbirdããã©ãŠã¶ ãã©ã°ã€ã³ãªã©) ã§ããŒã®ãã¢ãäœæã§ããããã«ãªããŸãã ãããªãã¯ãšãã©ã€ããŒãã ãããªã㯠- DNS ã«éä¿¡ããŸãã ãã©ã€ããŒã - ã¯ã©ã€ã¢ã³ãã«ä¿åããŸãã ã¡ãŒã«ãµãŒããŒã¯å ¬éããŒã䜿çšããŠç¹å®ã®åä¿¡è ã«éä¿¡ã§ããŸãã
ãããŠããã®ãããªæåãå«ãã¹ãã ããä¿è·ããã«ã¯ (ã¯ããã¡ãŒã«ãµãŒããŒã¯ã³ã³ãã³ãã衚瀺ã§ããŸãã)ã次㮠3 ã€ã®ã«ãŒã«ãå°å ¥ããå¿ èŠããããŸãã
- å¿ é ã®å®éã® DKIM 眲åãå¿ é ã® SPFãå¿ é ã® rDNSã
- ã¹ãã 察çãã¬ãŒãã³ã°ãããŒããšãããã¥ãŒã©ã« ãããã¯ãŒã¯ãšã¯ã©ã€ã¢ã³ãåŽã®ããŒã¿ããŒã¹ã
- æå·åã¢ã«ãŽãªãºã ã¯ãéä¿¡åŽãåä¿¡åŽã® 100 åã® CPU ãã¯ãŒãæå·åã«è²»ããå¿ èŠããããŸãã
å ¬éæžç°¡ã«å ããŠããå®å šãªéä¿¡ãéå§ãããããã®æšæºçãªææ¡æžãäœæããŸãã ãŠãŒã¶ãŒã® XNUMX 人 (ã¡ãŒã«ããã¯ã¹) ãæ·»ä»ãã¡ã€ã«ä»ãã®ã¬ã¿ãŒãå¥ã®ã¡ãŒã«ããã¯ã¹ã«éä¿¡ããŸãã ãã®ã¬ã¿ãŒã«ã¯ãéä¿¡çšã®å®å šãªéä¿¡ãã£ãã«ãéå§ããããã®ææ¡æãšãã¡ãŒã«ããã¯ã¹ã®ææè ã®å ¬éã㌠(ã¯ã©ã€ã¢ã³ãåŽã®ç§å¯ããŒã䜿çš) ãå«ãŸããŠããŸãã
éä¿¡ããšã«ç¹å¥ã«ããã€ãã®ããŒãäœæããããšãã§ããŸãã åä¿¡åŽãŠãŒã¶ãŒã¯ãã®ãªãã¡ãŒãåãå ¥ããèªåã®å ¬éã㌠(ããããã®éä¿¡ã®ããã«ç¹å¥ã«äœæããããã®) ãéä¿¡ã§ããŸãã 次ã«ãæåã®ãŠãŒã¶ãŒã¯ãµãŒãã¹å¶åŸ¡ã¬ã¿ãŒ (XNUMX çªç®ã®ãŠãŒã¶ãŒã®å ¬éããŒã§æå·åããã) ãéä¿¡ããŸãããããåä¿¡ãããšãXNUMX çªç®ã®ãŠãŒã¶ãŒã¯ã圢æãããéä¿¡ãã£ãã«ãä¿¡é Œã§ãããšå€æã§ããŸãã 次ã«ãXNUMX çªç®ã®ãŠãŒã¶ãŒãã³ã³ãããŒã« ã¬ã¿ãŒãéä¿¡ããŸãããã®åŸãæåã®ãŠãŒã¶ãŒãã圢æããããã£ãã«ãå®å šã§ãããšã¿ãªãããšãã§ããŸãã
è·¯äžã§ã®ããŒã®ååã«å¯Ÿæããããã«ããããã³ã«ã¯ãã©ãã·ã¥ ãã©ã€ãã䜿çšããŠå°ãªããšã XNUMX ã€ã®å ¬éããŒãéä¿¡ã§ããããã«ããå¿ èŠããããŸãã
ãããŠæãéèŠãªããšã¯ãããããã¹ãŠæ©èœãããšããããšã§ã (åé¡ã¯ã誰ããã®è²»çšãæ¯æãã®ã?ããšããããšã§ã)ã
10 幎é 3 ãã«ããã®éµäŸ¿èšŒææžãå
¥åããŠãã ããã ããã«ãããéä¿¡è
㯠DNS ã§ãç§ã®å
¬ééµã¯ããã«ãããŸãããšç€ºãããšãã§ããŸãã ãããŠãå®å
šãªæ¥ç¶ãéå§ããæ©äŒãäžããããŸãã åæã«ããã®ãããªæ¥ç¶ãåãå
¥ããããšã¯ç¡æã§ãã
Gmail ã¯ã€ãã«ãŠãŒã¶ãŒãåçåããŸãã 10 幎éããã 3 ãã«ã§ãå®å
šãªéä¿¡ãã£ãã«ãäœæããæš©å©ã
============= çµè« =============
èšäºå šäœããã¹ãããããã«ãå°çšãµãŒããŒã XNUMX ãæéã¬ã³ã¿ã«ããSSL 蚌ææžã®ãããã¡ã€ã³ãè³Œå ¥ããã€ããã§ããã
ããããç掻ç¶æ³ãæªåããããããã®åé¡ã¯2ãæéç¶ããŸããã
ããã§ãåã³èªç±ãªæéãã§ãããšãã«ãåºçãããã« XNUMX 幎ç¶ãå±éºãåãããããèšäºããã®ãŸãŸå
¬éããããšã«ããŸããã
ãããããååã«è©³çŽ°ã«èª¬æãããŠããªãããšãããããªè³ªåãéåžžã«å€ãããå Žåã¯ãæ°ãããã¡ã€ã³ãšæ°ãã SSL 蚌ææžãåããå°çšãµãŒããŒã䜿çšããŠãããã«è©³çŽ°ã«èª¬æããããšãã§ããã§ããããéèŠãªã®ã¯ãæ¬ ããŠããéèŠãªè©³çŽ°ããã¹ãŠç¹å®ããããšã§ãã
éµäŸ¿èšŒææžã«é¢ããã¢ã€ãã¢ã«ã€ããŠããã£ãŒãããã¯ãããã ããããšæã£ãŠããŸãã ãã®ã¢ã€ãã¢ãæ°ã«å ¥ã£ãŠããã ããã°ãrfc çšã®èçš¿ãæžãåãé€ãããšæããŸãã
èšäºã®å€§éšåãã³ããŒããå Žåã¯ããã®èšäºãžã®ãªã³ã¯ãæäŸããŠãã ããã
ä»ã®èšèªã«ç¿»èš³ããå Žåã¯ããã®èšäºãžã®ãªã³ã¯ãæäŸããŠãã ããã
èªåã§è±èªã«ç¿»èš³ããŠãçžäºåç
§ãæ®ããŠãããŸãã
åºæïŒ habr.com