Debian + Postfix + Dovecot + Multidomain + SSL + IPv6 + OpenVPN + Multi-interface + SpamAssassin-learning + Bind

This article is about how to set up a modern mail server.
Postfix + Dovecot. SPF + DKIM + rDNS. With IPv6.
With TLS encryption. With support for several domains, some of them with real SSL certificates.
With antispam protection and a high antispam rating from other mail servers.
With support for several physical interfaces.
With OpenVPN, whose connection comes in over IPv4 but which provides IPv6.

If you don't want to learn all of these technologies but just want to set up such a server, then this article is for you.

The article does not try to explain every detail. The explanation covers what is not configured by default or what matters from the consumer's point of view.

The motivation for setting up a mail server is that it has long been my dream. That may sound silly, but IMHO it is better than dreaming of a new car from a favourite brand.

There were two motivations for setting up IPv6. An IT specialist has to learn new technologies to survive. And I wanted to make my modest contribution to the fight against censorship.

The motivation for setting up OpenVPN was purely so that IPv6 would work on the local machine.
The motivation for setting up several physical interfaces is that on my server I have one interface that is "slow but unlimited" and another that is "fast but metered".

The motivation for setting up Bind is that my ISP provides an unstable DNS server, and Google's also fails occasionally. I wanted a stable DNS server for personal use.

The motivation for writing the article: I wrote a draft 10 months ago and have already gone back to it twice. Even if only the author needs it regularly, there is a good chance that someone else needs it too.

There is no universal solution for a mail server. But I will try to write in the style of "do this and that, and then, once everything works, throw out the extras."

The company tech.ru has a colocation server. You can compare it with OVH, Hetzner, AWS. For solving this particular task, working with tech.ru turns out to be much more effective.

Debian 9 is installed on the server.

The server has 2 interfaces, `eno1` and `eno2`. The first is unlimited and the second is fast, respectively.

There are 3 static IP addresses: XX.XX.XX.X0, XX.XX.XX.X1 and XX.XX.XX.X2 on interface `eno1`, and XX.XX.XX.X5 on interface `eno2`.

There is an XXXX:XXXX:XXXX:XXXX::/64 pool of IPv6 addresses assigned to interface `eno1`, and out of it XXXX:XXXX:XXXX:XXXX:1:2::/96 was assigned to `eno2` at my request.

There are 3 domains: `domain1.com`, `domain2.com`, `domain3.com`. There are SSL certificates for `domain1.com` and `domain3.com`.

I have a Google account that I want to connect to the mailbox `[email protected]` (receiving mail and sending mail directly from the gmail interface).
There must be a mailbox `[email protected]`, copies of whose mail I want to see in my gmail. And very occasionally I want to be able to send something on behalf of `[email protected]` through the web interface.

There must be a mailbox `[email protected]`, which Ivanov will use from an iPhone.

Sent mail must comply with all modern antispam requirements.
There must be the highest level of encryption available on public networks.
There must be IPv6 support for sending and receiving mail.
There must be a SpamAssassin that never deletes mail. It will either bounce a message, let it through, or deliver it to the IMAP "Spam" folder.
SpamAssassin auto-learning must be configured: if I move a message into the Spam folder, it learns from that; if I move a message out of the Spam folder, it learns from that. The SpamAssassin training results must influence whether a message lands in the Spam folder.
PHP scripts must be able to send mail on behalf of any domain on this server.
There must be an openvpn service, with the ability to use IPv6 on clients that have no IPv6 of their own.

First you need to configure the interfaces and routing, including IPv6.
Then you need to configure OpenVPN, which connects over IPv4 and gives clients real static IPv6 addresses. These clients will have access to all IPv6 services on the server and to IPv6 resources on the Internet.
Then you need to configure Postfix for sending mail + SPF + DKIM + rDNS and other similar small things.
Then you need to configure Dovecot and set up multidomain.
Then you need to configure SpamAssassin and set up its training.
Finally, install Bind.

============= Multi-interface =============

To configure the interfaces you need to write this in "/etc/network/interfaces":

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eno1
iface eno1 inet static
        address XX.XX.XX.X0/24
        gateway XX.XX.XX.1
        dns-nameservers 127.0.0.1 213.248.1.6
        post-up ip route add XX.XX.XX.0/24 dev eno1 src XX.XX.XX.X0 table eno1t
        post-up ip route add default via XX.XX.XX.1 table eno1t
        post-up ip rule add table eno1t from XX.XX.XX.X0
        post-up ip rule add table eno1t to XX.XX.XX.X0

auto eno1:1
iface eno1:1 inet static
address XX.XX.XX.X1
netmask 255.255.255.0
        post-up ip rule add table eno1t from XX.XX.XX.X1
        post-up ip rule add table eno1t to XX.XX.XX.X1
        post-up   ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t
        post-down ip route del 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t

auto eno1:2
iface eno1:2 inet static
address XX.XX.XX.X2
netmask 255.255.255.0
        post-up ip rule add table eno1t from XX.XX.XX.X2
        post-up ip rule add table eno1t to XX.XX.XX.X2

iface eno1 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:1::/64
        gateway XXXX:XXXX:XXXX:XXXX::1
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:2/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:1:1:2/64 dev $IFACE

# The secondary network interface
allow-hotplug eno2
iface eno2 inet static
        address XX.XX.XX.X5
        netmask 255.255.255.0
        post-up   ip route add XX.XX.XX.0/24 dev eno2 src XX.XX.XX.X5 table eno2t
        post-up   ip route add default via XX.XX.XX.1 table eno2t
        post-up   ip rule add table eno2t from XX.XX.XX.X5
        post-up   ip rule add table eno2t to XX.XX.XX.X5
        post-up   ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X5 table eno2t
        post-down ip route del 10.8.0.0/24 dev tun0 src XX.XX.XX.X5 table eno2t

iface eno2 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:2::/96
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:2:1:1/64 dev $IFACE
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:2:1:2/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:2:1:1/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:2:1:2/64 dev $IFACE

# OpenVPN network
iface tun0 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:3::/80

These settings can be applied on any server at tech.ru (with a little coordination with support) and will work right away.

If you have experience setting up something similar at Hetzner or OVH, things differ there. It is more complicated.

eno1 is the name of network card #1 (slow but unlimited).
eno2 is the name of network card #2 (fast but metered).
tun0 is the name of the virtual network card from OpenVPN.
XX.XX.XX.X0 - IPv4 #1 on eno1.
XX.XX.XX.X1 - IPv4 #2 on eno1.
XX.XX.XX.X2 - IPv4 #3 on eno1.
XX.XX.XX.X5 - IPv4 #1 on eno2.
XX.XX.XX.1 - the IPv4 gateway.
XXXX:XXXX:XXXX:XXXX::/64 - IPv6 for the whole server.
XXXX:XXXX:XXXX:XXXX:1:2::/96 - IPv6 for eno2; everything else from outside goes to eno1.
XXXX:XXXX:XXXX:XXXX::1 - the IPv6 gateway (it is worth noting that this can/should be done differently, by specifying the IPv6 switch).
dns-nameservers - 127.0.0.1 is listed (because bind is installed locally) and 213.248.1.6 (this one is from tech.ru).

"table eno1t" and "table eno2t" - the meaning of these routing rules is that traffic that came in via eno1 -> goes out via eno1, and traffic that came in via eno2 -> goes out via eno2. Connections initiated by the server also go through eno1.

ip route add default via XX.XX.XX.1 table eno1t

With this command we specify that traffic which matches no other rule in "table eno1t" -> is sent out through the eno1 interface.

ip route add XX.XX.XX.0/24 dev eno1 src XX.XX.XX.X0 table eno1t

With this command we specify that traffic initiated by the server must be routed through the eno1 interface.

ip rule add table eno1t from XX.XX.XX.X0
ip rule add table eno1t to XX.XX.XX.X0

With these commands we set the rules that mark the traffic.

auto eno1:2
iface eno1:2 inet static
address XX.XX.XX.X2
netmask 255.255.255.0
        post-up ip rule add table eno1t from XX.XX.XX.X2
        post-up ip rule add table eno1t to XX.XX.XX.X2

This block defines the second IPv4 address for interface eno1.

ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t

With this command we set the route from OpenVPN clients to the local IPv4 addresses other than XX.XX.XX.X0.
I still don't understand why this one command is enough for all IPv4 addresses.

iface eno1 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:1::/64
        gateway XXXX:XXXX:XXXX:XXXX::1

Here we set the address for the interface itself. The server will use it as its "outgoing" address. It is not used in any other way.

Why such a complicated ":1:1::"? So that OpenVPN works correctly, and only for that. More on this later.

On the subject of the gateway: it works this way and that is fine. But the correct way is to specify the IPv6 switch the server is connected to.

However, for some reason IPv6 stops working when I do that. This is probably some tech.ru problem.

ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE

This adds an IPv6 address to the interface. If you need a hundred addresses, that means a hundred lines in this file.

iface eno1 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:1::/64
...
iface eno2 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:2::/96
...
iface tun0 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:3::/80

I listed the addresses and subnets of all interfaces so that it is clear.
eno1 - must be "/64", because that is all of our addresses.
tun0 - the prefix length must be larger than eno1's. Otherwise it is impossible to configure an IPv6 gateway for OpenVPN clients.
eno2 - the prefix length must be larger than tun0's. Otherwise OpenVPN clients cannot reach the local IPv6 addresses.
For clarity I chose a step of 16 between the subnets, but if you like you can even use a step of "1".
So 64+16 = 80, and 80+16 = 96.

To be more precise:
XXXX:XXXX:XXXX:XXXX:1:1:YYYY:YYYY is an address to be assigned to a particular site or service on interface eno1.
XXXX:XXXX:XXXX:XXXX:1:2:YYYY:YYYY is an address to be assigned to a particular site or service on interface eno2.
XXXX:XXXX:XXXX:XXXX:1:3:YYYY:YYYY is an address to be assigned to an OpenVPN client or used as the address of an OpenVPN service.

To configure the network you need to be able to reboot the server.
IPv4 changes are picked up on execution (so wrap it in screen; otherwise this command will simply crash the network on the server):

/etc/init.d/networking restart

Add to the end of the file "/etc/iproute2/rt_tables":

100 eno1t
101 eno2t

Without this you cannot use custom tables in the "/etc/network/interfaces" file.
The numbers must be unique and less than 65535.

IPv6 changes can be applied without a reboot, but to do that you need to learn at least three commands:
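As an added example (not part of the original article), here is a small shell check for the two rules just stated: every rt_tables id must be numeric, unique and below 65535, and every "table NAME" referenced from the interfaces file must actually be defined. It runs against constructed copies of both files written by write_demo_files; the function names, the sample file contents and the temporary directory are mine, not the article's.

```shell
#!/bin/sh
# Added example: validate custom routing tables before relying on them in
# /etc/network/interfaces. All file paths are parameters so the check can be
# run against copies (or the constructed samples below) without root.

# rt_table_ids FILE -> "ID NAME" pairs with comments and blank lines dropped
rt_table_ids() {
    sed -e 's/#.*//' "$1" | awk 'NF == 2 { print $1, $2 }'
}

# check_rt_tables RT_TABLES -> exit 0 if every id is numeric, unique and < 65535
check_rt_tables() {
    rt_table_ids "$1" | awk '
        $1 !~ /^[0-9]+$/ { print "non-numeric id for " $2 ": " $1; bad = 1; next }
        $1 + 0 >= 65535  { print "id out of range for " $2 ": " $1; bad = 1 }
        seen_id[$1]++    { print "duplicate id " $1 " (" $2 ")"; bad = 1 }
        seen_name[$2]++  { print "duplicate name " $2; bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# check_interfaces_tables INTERFACES RT_TABLES -> exit 0 if every "table X" used
# in the interfaces file is defined in rt_tables (built-ins included there)
check_interfaces_tables() {
    defined=" $(rt_table_ids "$2" | awk '{ printf "%s ", $2 }')"
    status=0
    for t in $(grep -o 'table [A-Za-z0-9_]*' "$1" | awk '{ print $2 }' | sort -u); do
        case "$defined" in
            *" $t "*) ;;
            *) echo "table $t is referenced in $1 but not defined in $2"; status=1 ;;
        esac
    done
    return $status
}

# write_demo_files DIR -> constructed samples: Debian's reserved entries plus the
# article's two tables, a broken variant, and excerpts of post-up lines
write_demo_files() {
    dir=$1
    printf '255\tlocal\n254\tmain\n253\tdefault\n0\tunspec\n100 eno1t\n101 eno2t\n' \
        > "$dir/rt_tables.good"
    # duplicate id 100 and an id above the 65535 limit
    printf '255\tlocal\n254\tmain\n100 eno1t\n100 eno2t\n70000 eno3t\n' \
        > "$dir/rt_tables.bad"
    printf 'post-up ip route add default via XX.XX.XX.1 table eno1t\npost-up ip rule add table eno2t from XX.XX.XX.X5\n' \
        > "$dir/interfaces.good"
    printf 'post-up ip rule add table eno3t from XX.XX.XX.X5\n' \
        > "$dir/interfaces.bad"
}

# Stand-alone demonstration on the constructed files
DEMO_DIR=$(mktemp -d)
write_demo_files "$DEMO_DIR"
check_rt_tables "$DEMO_DIR/rt_tables.good" && echo "rt_tables.good: ok"
check_rt_tables "$DEMO_DIR/rt_tables.bad" || echo "rt_tables.bad: rejected"
check_interfaces_tables "$DEMO_DIR/interfaces.good" "$DEMO_DIR/rt_tables.good" && echo "interfaces.good: ok"
check_interfaces_tables "$DEMO_DIR/interfaces.bad" "$DEMO_DIR/rt_tables.good" || echo "interfaces.bad: rejected"
```

On the real server you would call check_rt_tables /etc/iproute2/rt_tables and check_interfaces_tables /etc/network/interfaces /etc/iproute2/rt_tables before the networking restart; a typo in a table name only shows up as a silent failure of the post-up lines otherwise.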

ip -6 addr ...
ip -6 route ...
ip -6 neigh ...

Settings in "/etc/sysctl.conf":

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward = 1

# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0

# For receiving ARP replies
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.default.arp_filter = 0

# For sending ARP
net.ipv4.conf.all.arp_announce = 0
net.ipv4.conf.default.arp_announce = 0

# Enable IPv6
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0

# IPv6 configuration
net.ipv6.conf.all.autoconf = 1
net.ipv6.conf.all.accept_ra = 0

# For OpenVPN
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.proxy_ndp = 1

# For nginx on boot
net.ipv6.ip_nonlocal_bind = 1

These are the "sysctl" settings of my server. Let me point out the important ones.

net.ipv4.ip_forward = 1

Without this, OpenVPN does not work.

net.ipv6.ip_nonlocal_bind = 1

Anything that tries to bind to an IPv6 address (for example nginx) as soon as the interface comes up gets an error saying that the address is not available.

This setting exists to avoid that situation.

net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.proxy_ndp = 1

Without these IPv6 settings, traffic from OpenVPN clients does not get out into the world.

The other settings are either irrelevant or I don't remember what they are for.
But just in case, I leave them "as is".

For changes in this file to take effect without rebooting the server, run the command:

sysctl -p

More details about "table" rules: habr.com/post/108690

============= OpenVPN ==============

OpenVPN IPv4 does not work without iptables.

My iptables rules for the VPN look like this:

iptables -A INPUT -p udp -s YY.YY.YY.YY --dport 1194 -j ACCEPT
iptables -A FORWARD -i tun0 -o eno1 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j SNAT --to-source XX.XX.XX.X0
##iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j DROP
iptables -A FORWARD -p udp --dport 1194 -j DROP

YY.YY.YY.YY is the static IPv4 address of the local machine.
10.8.0.0/24 - the openvpn IPv4 network. IPv4 addresses for openvpn clients.
The order of the rules matters.

iptables -A INPUT -p udp -s YY.YY.YY.YY --dport 1194 -j ACCEPT
iptables -A FORWARD -i tun0 -o eno1 -j ACCEPT
...
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j DROP
iptables -A FORWARD -p udp --dport 1194 -j DROP

This is a restriction so that OpenVPN can only be used from the static IP.

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j SNAT --to-source XX.XX.XX.X0
  -- or --
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j MASQUERADE

To forward IPv4 packets between OpenVPN clients and the Internet, you need to add one of these two commands.

In some cases one or the other option is unsuitable.
In my case both commands are suitable.
After reading the documentation I chose the first option, because it uses less CPU.

For all the iptables settings to be picked up after a reboot, you need to save them somewhere.

iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

The names are not chosen by chance. They are the ones used by the "iptables-persistent" package.

apt-get install iptables-persistent

Installing the main OpenVPN packages:

apt-get install openvpn easy-rsa

Let's prepare a template for the certificates (substitute your own values):

make-cadir ~/openvpn-ca
cd ~/openvpn-ca
ln -s openssl-1.0.0.cnf openssl.cnf

Let's edit the certificate template settings:

mcedit vars

...
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="RU"
export KEY_PROVINCE="Krasnodar"
export KEY_CITY="Dinskaya"
export KEY_ORG="Own"
export KEY_EMAIL="[email protected]"
export KEY_OU="VPN"

# X509 Subject Field
export KEY_NAME="server"
...

Creating the server certificate:

cd ~/openvpn-ca
source vars
./clean-all
./build-ca
./build-key-server server
./build-dh
openvpn --genkey --secret keys/ta.key

Let's prepare the ability to create the final "client-name.ovpn" file:

mkdir -p ~/client-configs/files
chmod 700 ~/client-configs/files
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
mcedit ~/client-configs/base.conf

# Client mode
client

# Interface tunnel type
dev tun

# TCP protocol
proto tcp-client

# Address/Port of VPN server
remote XX.XX.XX.X0 1194

# Don't bind to local port/address
nobind

# Don't need to re-read keys and re-create tun at restart
persist-key
persist-tun

# Remote peer must have a signed certificate
remote-cert-tls server
ns-cert-type server

# Enable compression
comp-lzo

# Custom
ns-cert-type server
tls-auth ta.key 1
cipher DES-EDE3-CBC

Let's prepare a script that merges all the files into a single ovpn file.

mcedit ~/client-configs/make_config.sh
chmod 700 ~/client-configs/make_config.sh

#!/bin/bash

# First argument: Client identifier

KEY_DIR=~/openvpn-ca/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

# Concatenate the base config with the inline CA, client cert, client key and
# tls-auth key for client "$1"; the line continuations and the "\n" escapes
# were lost in extraction and are restored here.
cat ${BASE_CONFIG} \
    <(echo -e '<ca>') \
    ${KEY_DIR}/ca.crt \
    <(echo -e '</ca>\n<cert>') \
    ${KEY_DIR}/${1}.crt \
    <(echo -e '</cert>\n<key>') \
    ${KEY_DIR}/${1}.key \
    <(echo -e '</key>\n<tls-auth>') \
    ${KEY_DIR}/ta.key \
    <(echo -e '</tls-auth>') \
    > ${OUTPUT_DIR}/${1}.ovpn

Creating the first OpenVPN client:

cd ~/openvpn-ca
source vars
./build-key client-name
cd ~/client-configs
./make_config.sh client-name

The file "~/client-configs/files/client-name.ovpn" is sent to the client device.

For iOS clients you need to do the following trick:
The contents of the "tls-auth" tag must be without comment lines.
And also put "key-direction 1" directly before the "tls-auth" tag.

Let's configure the OpenVPN server:

cd ~/openvpn-ca/keys
cp ca.crt ca.key server.crt server.key ta.key dh2048.pem /etc/openvpn
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | tee /etc/openvpn/server.conf
mcedit /etc/openvpn/server.conf

# Listen port
port 1194

# Protocol
proto tcp-server

# IP tunnel
dev tun0
tun-ipv6
push tun-ipv6

# Master certificate
ca ca.crt

# Server certificate
cert server.crt

# Server private key
key server.key

# Diffie-Hellman parameters
dh dh2048.pem

# Allow clients to communicate with each other
client-to-client

# Client config dir
client-config-dir /etc/openvpn/ccd

# Run client-specific script on connection and disconnection
script-security 2
client-connect "/usr/bin/sudo -u root /etc/openvpn/server-clientconnect.sh"
client-disconnect "/usr/bin/sudo -u root /etc/openvpn/server-clientdisconnect.sh"

# Server mode and client subnets
server 10.8.0.0 255.255.255.0
server-ipv6 XXXX:XXXX:XXXX:XXXX:1:3::/80
topology subnet

# IPv6 routes
push "route-ipv6 XXXX:XXXX:XXXX:XXXX::/64"
push "route-ipv6 2000::/3"

# DNS (for Windows)
# These are OpenDNS
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

# Configure all clients to redirect their default network gateway through the VPN
push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway ipv6" #For iOS

# Don't need to re-read keys and re-create tun at restart
persist-key
persist-tun

# Ping every 10s. Timeout of 120s.
keepalive 10 120

# Enable compression
comp-lzo

# User and group
user vpn
group vpn

# Log a short status
status openvpn-status.log

# Logging verbosity
##verb 4

# Custom config
tls-auth ta.key 0
cipher DES-EDE3-CBC

This is needed to set a static address for each client (not required, but I use it):

# Client config dir
client-config-dir /etc/openvpn/ccd

The most difficult and most important detail.

Unfortunately, OpenVPN does not yet know how to configure an IPv6 gateway for clients on its own.
You have to push this "manually" for each client.

# Run client-specific script on connection and disconnection
script-security 2
client-connect "/usr/bin/sudo -u root /etc/openvpn/server-clientconnect.sh"
client-disconnect "/usr/bin/sudo -u root /etc/openvpn/server-clientdisconnect.sh"

File "/etc/openvpn/server-clientconnect.sh":

#!/bin/sh

# Check client variables
if [ -z "$ifconfig_pool_remote_ip" ] || [ -z "$common_name" ]; then
        echo "Missing environment variable."
        exit 1
fi

# Load server variables
. /etc/openvpn/variables

ipv6=""

# Find out if there is a specific config with fixed IPv6 for this client
if [ -f "/etc/openvpn/ccd/$common_name" ]; then
        # Get fixed IPv6 from client config file
        ipv6=$(sed -nr 's/^.*ifconfig-ipv6-push[ \t]+([0-9a-fA-F:]+).*$/\1/p' "/etc/openvpn/ccd/$common_name")
        echo $ipv6
fi

# Get IPv6 from IPv4
if [ -z "$ipv6" ]; then
        ipp=$(echo "$ifconfig_pool_remote_ip" | cut -d. -f4)
        if ! [ "$ipp" -ge 2 -a "$ipp" -le 254 ] 2>/dev/null; then
                echo "Invalid IPv4 part."
                exit 1
        fi
        hexipp=$(printf '%x' $ipp)
        ipv6="$prefix$hexipp"
fi

# Create proxy rule
/sbin/ip -6 neigh add proxy $ipv6 dev eno1

File "/etc/openvpn/server-clientdisconnect.sh":

#!/bin/sh

# Check client variables
if [ -z "$ifconfig_pool_remote_ip" ] || [ -z "$common_name" ]; then
        echo "Missing environment variable."
        exit 1
fi

# Load server variables
. /etc/openvpn/variables

ipv6=""

# Find out if there is a specific config with fixed IPv6 for this client
if [ -f "/etc/openvpn/ccd/$common_name" ]; then
        # Get fixed IPv6 from client config file
        ipv6=$(sed -nr 's/^.*ifconfig-ipv6-push[ \t]+([0-9a-fA-F:]+).*$/\1/p' "/etc/openvpn/ccd/$common_name")
fi

# Get IPv6 from IPv4
if [ -z "$ipv6" ]; then
        ipp=$(echo "$ifconfig_pool_remote_ip" | cut -d. -f4)
        if ! [ "$ipp" -ge 2 -a "$ipp" -le 254 ] 2>/dev/null; then
                echo "Invalid IPv4 part."
                exit 1
        fi
        hexipp=$(printf '%x' $ipp)
        ipv6="$prefix$hexipp"
fi

# Delete proxy rule
/sbin/ip -6 neigh del proxy $ipv6 dev eno1

Both scripts use the file "/etc/openvpn/variables":

# Subnet
prefix=XXXX:XXXX:XXXX:XXXX:2:
# netmask
prefixlen=112

I find it hard to remember why it is written like that.

Now netmask = 112 looks strange (it should be 96).
And the prefix is strange too; it does not match the tun0 network.
But OK, I'll leave it as it is.
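As an added example (not the article's own code), the address derivation that both hook scripts perform, wrapped in functions so it can be exercised without root and without a running OpenVPN. The prefix 2001:db8:0:1:1:3:: and the ccd fixture are constructed values: a documentation prefix ending in "::", so that appending the hex form of the last IPv4 octet yields a complete address. The real hooks would hand the result to `ip -6 neigh add proxy` and `ip -6 neigh del proxy`; here it is only returned. The sed expression spells out "[[:space:]]" and "\1" explicitly.

```shell
#!/bin/sh
# Added example: the client-connect/disconnect address logic as testable functions.

# derive_ipv6 IPV4 PREFIX -> prints PREFIX followed by hex(last octet);
# returns 1 when the octet is not a number in 2..254 (the same check the hooks make)
derive_ipv6() {
    ipv4=$1
    prefix=$2
    ipp=$(printf '%s\n' "$ipv4" | cut -d. -f4)
    case "$ipp" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$ipp" -lt 2 ] || [ "$ipp" -gt 254 ]; then
        return 1
    fi
    printf '%s%x\n' "$prefix" "$ipp"
}

# ccd_ipv6 FILE -> prints the address from an "ifconfig-ipv6-push ADDR/LEN" line,
# or nothing when the file is absent or has no such line
ccd_ipv6() {
    [ -f "$1" ] || return 0
    sed -nr 's/^[[:space:]]*ifconfig-ipv6-push[[:space:]]+([0-9a-fA-F:]+).*$/\1/p' "$1" | head -n 1
}

# client_ipv6 COMMON_NAME IPV4 PREFIX CCD_DIR -> the fixed ccd address when the
# client has one, otherwise the address derived from its pool IPv4
client_ipv6() {
    cn=$1; ipv4=$2; prefix=$3; ccd=$4
    fixed=$(ccd_ipv6 "$ccd/$cn")
    if [ -n "$fixed" ]; then
        printf '%s\n' "$fixed"
    else
        derive_ipv6 "$ipv4" "$prefix"
    fi
}

# Constructed fixture: a ccd directory with one client pinned to a fixed address.
DEMO_PREFIX="2001:db8:0:1:1:3::"
DEMO_CCD=$(mktemp -d)
printf 'ifconfig-ipv6-push 2001:db8:0:1:1:3::dead/80\n' > "$DEMO_CCD/pinned-client"

# Stand-alone demonstration: pinned client, pool-derived client, rejected octet
client_ipv6 pinned-client 10.8.0.10 "$DEMO_PREFIX" "$DEMO_CCD"
client_ipv6 other-client  10.8.0.10 "$DEMO_PREFIX" "$DEMO_CCD"
client_ipv6 other-client  10.8.0.1  "$DEMO_PREFIX" "$DEMO_CCD" || echo "octet 1 rejected (server address)"
```

The octet check matters because the proxy-NDP entry is added as root for whatever the hook computes: 10.8.0.1 is the server's own tunnel address and 10.8.0.255 is outside the pool, so both must be refused rather than turned into a neighbour entry.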

cipher DES-EDE3-CBC

This is not for everyone: it is the method I chose for encrypting the connection.

Learn more about setting up OpenVPN IPv4.

Learn more about setting up OpenVPN IPv6.

============= Postfix ==============

Installing the main package:

apt-get install postfix

During installation, choose "Internet Site".

My "/etc/postfix/main.cf" looks like this:

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtp_bind_address = XX.XX.XX.X0
smtp_bind_address6 = XXXX:XXXX:XXXX:XXXX:1:1:1:1

smtp_tls_security_level = may
smtp_tls_ciphers = export
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_loglevel = 1

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = domain1.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = domain1.com
mydestination = localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4

internal_mail_filter_classes = bounce

# Storage type
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf

# SMTP-Auth settings
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        #reject_invalid_hostname,
        #reject_unknown_recipient_domain,
        reject_unauth_destination,
        reject_rbl_client sbl.spamhaus.org,
        check_policy_service unix:private/policyd-spf

smtpd_helo_restrictions =
        #reject_invalid_helo_hostname,
        #reject_non_fqdn_helo_hostname,
        reject_unknown_helo_hostname

smtpd_client_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_helo_hostname,
        permit

# SPF
policyd-spf_time_limit = 3600

# OpenDKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:var/run/opendkim/opendkim.sock

# IP address per domain
sender_dependent_default_transport_maps = pcre:/etc/postfix/sdd_transport.pcre

Let's look at the details of this configuration.

smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key

According to Habr readers, this block contains "misinformation and incorrect theses." Only 8 years after the start of my career did I begin to understand how SSL works.

Therefore I will take the liberty of explaining how to use SSL (without answering the questions "How does it work?" and "Why does it work?").

The basis of modern encryption is the creation of a key pair (two very long strings of characters).

One "key" is private, the other "key" is public. We guard the private key very carefully. We hand the public key out to everyone.

Using the public key, you can encrypt a text string so that only the owner of the private key can decrypt it.
Well, that is the whole basis of the technology.

Step #1 - https sites.
When accessing a site, the browser learns from the web server that the site is https and therefore requests the public key.
The web server hands over the public key. The browser encrypts the http request with the public key and sends it.
The contents of the http request can be read only by those who have the private key, that is, only by the server the request is addressed to.
An http request contains at least the URI. Therefore, if a state tries to restrict access not to a whole site but to a specific page, this is impossible for https sites.

Step #2 - the encrypted response.
The web server gives an answer that can easily be read along the way.
The solution is very simple: the browser locally generates the same kind of private-public key pair for each https site.
And together with the request for the site's public key, it sends its local public key.
The web server remembers it and, when sending the http response, encrypts it with the public key of that particular client.
Now the http response can be decrypted only by the owner of the client browser's private key (that is, the client itself).

Step #3 - establishing a secure connection over a public channel.
There is a vulnerability in example #2: nothing prevents those who like intercepting http requests from editing the information about the public key.
Thus an intermediary would see in the clear the entire content of the messages sent and received until the communication channel is changed.
Countering this is very simple: just send the browser's public key as a message encrypted with the web server's public key.
The web server then sends a response along the lines of "your public key is such and such" and encrypts this message with that same public key.
The browser looks at the response: if the message "your public key is such and such" is received, this is a 100% guarantee that this communication channel is secure.
How secure is it?
Establishing such a secure communication channel takes ping*2. For example 20ms.
An attacker would have to possess the private key of one of the parties in advance. Or find the private key within a few milliseconds.
Breaking one modern private key would take decades on a supercomputer.

Step #4 - a public database of public keys.
Obviously, in this whole story there is an opportunity for an attacker to sit in the communication channel between the client and the server.
The client can pretend to be the server, and the server can pretend to be the client. And emulate a key pair in both directions.
Then the attacker would see all the traffic and be able to "edit" it.
For example, change the address where money is sent, or copy a password from online banking, or block "objectionable" content.
To fight such attackers, a public database was created with the public keys of every https site.
Each browser "knows" about the existence of roughly 200 such databases. They are preinstalled in every browser.
The "knowledge" is backed by the public key of each certificate. That is, a connection to each specific certification authority cannot be faked.

Now there is a simple understanding of how SSL is used for https.
If you use your brain, it becomes clear how the special services could hack something in this structure. But it would cost monstrous effort.
And organisations smaller than the NSA or CIA can hardly hack the existing level of protection, even for VIPs.

I will also add something about ssh connections. There are no public keys there, so what can you do? The problem is solved in two ways.
The ssh-by-password option:
During the first connection the ssh client must warn us that we have a new public key from the ssh server.
And during later connections, if the warning "new public key from the ssh server" appears, it means someone is trying to eavesdrop on you.
Or you were eavesdropped on during the first connection, but now you are talking to the server without an intermediary.
In practice, because the fact of eavesdropping is revealed easily, quickly and simply, this attack is used only in special cases against a particular client.

The ssh-by-key option:
We take a flash drive and write the private key for the ssh server onto it (there are terms and many important nuances here, but I am writing an educational primer, not usage instructions).
We leave the public key on the machine where the ssh client is, and we keep it secret too.
We bring the flash drive to the server, insert it, copy the private key, then burn the flash drive and scatter the ashes to the wind (or at least format it with zeros).
That's it: after such an operation it is impossible to hack such an ssh connection. Of course, in 10 years it might be possible to look at the traffic on a supercomputer, but that is a different story.

I apologise for going off topic.

So now the theory is known. I will describe the flow of creating an SSL certificate.

Using "openssl genrsa" we create the private key and a "blank" for the public key.
We send the "blank" to a third-party company, which is paid roughly $9 for the simplest certificate.

After a few hours we receive the "public" key and several public keys of this third-party company.

Why a third-party company should be paid for registering my public key is a separate question, which we will not consider here.

Now it is clear what this entry means:

smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key

The "/etc/ssl" folder contains all files related to ssl questions.
domain1.com - the domain name.
2018 - the year the key was created.
"key" - indicates that the file is the private key.

And the meaning of this file:

smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
domain1.com - the domain name.
2018 - the year the key was created.
chained - indicates that there is a chain of public keys (the first is our public key and the rest are what came from the company that issued the public key).
crt - indicates that this is a ready certificate (a public key with technical explanations).

smtp_bind_address = XX.XX.XX.X0
smtp_bind_address6 = XXXX:XXXX:XXXX:XXXX:1:1:1:1

These settings are not used in this case, but are written down as an example.

Because a mistake in this parameter will lead to spam being sent from your server (without your intent).

And then go and prove to everyone that you are not to blame.

recipient_delimiter = +

Akeh wong sing ora ngerti, nanging iki minangka karakter standar kanggo peringkat email, lan didhukung dening paling server mail modern.

For example, if you have the mailbox "[email protected]", try sending to "[email protected]" and see what happens.

inet_protocols = ipv4

This may be confusing.

But it is not quite like that. Each new domain is IPv4-only by default, and then I enable IPv6 for each one separately.

virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf

Here we specify that all incoming mail goes to dovecot.
And the rules for domains, mailboxes and aliases are looked up in the database.

/etc/postfix/mysql-virtual-mailbox-domains.cf

user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT 1 FROM virtual_domains WHERE name='%s'

/etc/postfix/mysql-virtual-mailbox-maps.cf

user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT 1 FROM virtual_users WHERE email='%s'

/etc/postfix/mysql-virtual-alias-maps.cf

user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT destination FROM virtual_aliases WHERE source='%s'
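An added example, not from the article: the three map files above differ only in their query, so here those same three queries are run against an in-memory SQLite copy of the schema they imply (table and column names taken from the queries, rows constructed) to show what Postfix learns about a recipient at each step.

```python
import sqlite3

# Constructed schema. Table and column names are those used by the three
# queries above (and by Dovecot's password_query); the rows are made up.
SCHEMA = """
CREATE TABLE virtual_domains (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE virtual_users (id INTEGER PRIMARY KEY, domain_id INTEGER NOT NULL,
    email TEXT UNIQUE NOT NULL, password TEXT NOT NULL);
CREATE TABLE virtual_aliases (id INTEGER PRIMARY KEY, domain_id INTEGER NOT NULL,
    source TEXT NOT NULL, destination TEXT NOT NULL);
INSERT INTO virtual_domains VALUES (1, 'domain1.com'), (2, 'domain2.com');
-- password holds a SHA512-CRYPT hash in production; placeholder here
INSERT INTO virtual_users VALUES (1, 1, 'alice@domain1.com', 'PLACEHOLDER-HASH'),
                                 (2, 2, 'bob@domain2.com',   'PLACEHOLDER-HASH');
INSERT INTO virtual_aliases VALUES (1, 1, 'postmaster@domain1.com', 'alice@domain1.com'),
                                   (2, 1, 'team@domain1.com', 'alice@domain1.com'),
                                   (3, 1, 'team@domain1.com', 'bob@domain2.com');
"""

# The article's queries, with Postfix's %s turned into a bound parameter.
QUERIES = {
    "domains": "SELECT 1 FROM virtual_domains WHERE name=?",
    "mailbox": "SELECT 1 FROM virtual_users WHERE email=?",
    "alias":   "SELECT destination FROM virtual_aliases WHERE source=?",
}


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def expand_aliases(conn, addr, seen=None):
    """Follow virtual_alias_maps the way Postfix does: recursively, with a
    guard so that a cyclic alias cannot loop forever."""
    seen = set() if seen is None else seen
    if addr in seen:
        return [addr]
    seen.add(addr)
    rows = conn.execute(QUERIES["alias"], (addr,)).fetchall()
    if not rows:
        return [addr]
    targets = []
    for (dest,) in rows:
        targets.extend(expand_aliases(conn, dest, seen))
    return targets


def classify_recipient(conn, addr):
    """Mirror the order Postfix uses: is the domain ours, is the address
    an alias, is it a real mailbox; anything else is rejected."""
    _, _, domain = addr.rpartition("@")
    if not conn.execute(QUERIES["domains"], (domain,)).fetchone():
        return ("reject", "not a virtual domain")
    targets = expand_aliases(conn, addr)
    if targets != [addr]:
        return ("alias", targets)
    if conn.execute(QUERIES["mailbox"], (addr,)).fetchone():
        return ("mailbox", addr)
    return ("reject", "unknown user")
```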

# SMTP-Auth settings
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

Now postfix knows that mail may be accepted for sending only after authentication with dovecot.

I honestly do not understand why this is duplicated here. We have already specified everything needed in "virtual_transport".

But postfix is a very old system; this is probably a leftover from the past.

smtpd_recipient_restrictions =
        ...

smtpd_helo_restrictions =
        ...

smtpd_client_restrictions =
        ...

This can be configured differently for each mail server.

I have 3 mail servers at my disposal, and these settings differ a lot because the usage requirements differ.

You must configure this carefully; otherwise spam will come in to you, or worse, spam will go out from you.

# SPF
policyd-spf_time_limit = 3600

A setting for the plugin that checks SPF on incoming mail.

# OpenDKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:var/run/opendkim/opendkim.sock

These settings mean that we DKIM-sign all outgoing mail.

# IP address per domain
sender_dependent_default_transport_maps = pcre:/etc/postfix/sdd_transport.pcre

This is a key detail in mail routing when mail is sent from PHP scripts.

File "/etc/postfix/sdd_transport.pcre":

/^[email protected]$/ domain1:
/^[email protected]$/ domain2:
/^[email protected]$/ domain3:
/@domain1.com$/             domain1:
/@domain2.com$/             domain2:
/@domain3.com$/             domain3:

On the left is a regular expression. On the right is a label that marks the message.
According to the label, postfix will take some other configuration lines for that particular message.

Exactly how postfix is reconfigured for a particular message is shown in "master.cf".

Lines 4, 5, 6 are the main ones. We put this label on behalf of the domain we send mail from.
But the "from" field is not always set in PHP scripts in old code. Then the user name comes to the rescue.
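As an added example (not the article's code), here is a small Python model of how Postfix applies this pcre table: rules are tried top to bottom, the first match wins, and matching is case-insensitive by default. The table text is constructed: the per-user lines are hypothetical stand-ins for the article's three obscured lines, and the dots are escaped, which the article's domain lines do not do.

```python
import re

# Constructed stand-in for /etc/postfix/sdd_transport.pcre. The first three
# lines are hypothetical per-user rules in place of the article's obscured
# ones ("www-domain2" is the site's linux user, as in the text); they come
# first so they win even when a script sends mail without a From field.
# The dot is escaped: the article's bare "." in /@domain1.com$/ is a regex
# wildcard and would also match e.g. "user@domain1Xcom".
SDD_TRANSPORT_PCRE = r"""
/^www-domain1@/     domain1:
/^www-domain2@/     domain2:
/^www-domain3@/     domain3:
/@domain1\.com$/    domain1:
/@domain2\.com$/    domain2:
/@domain3\.com$/    domain3:
"""

LINE_RE = re.compile(r"^/((?:\\.|[^/\\])+)/([A-Za-z]*)\s+(\S+)$")


def parse_pcre_table(text):
    """Parse '/pattern/flags result' lines into (compiled regex, result).

    Simplified model of pcre_table(5): blank and '#' lines are ignored,
    matching is case-insensitive unless the 'i' flag toggles it off, and
    the other pcre flags are not supported here.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable pcre table line: {line!r}")
        pattern, flags, result = m.groups()
        reflags = 0 if "i" in flags else re.IGNORECASE
        rules.append((re.compile(pattern, reflags), result))
    return rules


def select_transport(rules, sender):
    """Return the transport label for an envelope sender, or None when no
    rule matches (Postfix then falls back to default_transport)."""
    for regex, result in rules:
        if regex.search(sender):
            return result
    return None


RULES = parse_pcre_table(SDD_TRANSPORT_PCRE)

if __name__ == "__main__":
    for sender in ("info@domain1.com", "Info@DOMAIN2.com", "www-domain3@srv",
                   "www-domain3@domain1.com", "someone@domain1Xcom"):
        print(f"{sender:28} -> {select_transport(RULES, sender)}")
```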

The article is already long; I do not want to get distracted by setting up nginx+fpm.

Briefly: for each site we create its own linux user as the owner. And, accordingly, its own fpm pool.

An fpm pool can use any php version (it is convenient that on the same server you can use different php versions and even different php.ini files for neighbouring sites without problems).

So a specific linux user "www-domain2" owns the site domain2.com. This site has code that sends email without specifying the from field.

So even in this case the mail will be sent correctly and will not turn into spam.

My "/etc/postfix/master.cf" looks like this:

...
smtp      inet  n       -       y       -       -       smtpd
  -o content_filter=spamassassin
...
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
...
policyd-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/bin/policyd-spf

spamassassin unix -     n       n       -       -       pipe
    user=spamd argv=/usr/bin/spamc -f -e
    /usr/sbin/sendmail -oi -f ${sender} ${recipient}
...
domain1  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X1
   -o smtp_helo_name=domain1.com
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:1:1
   -o syslog_name=postfix-domain1

domain2  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X5
   -o smtp_helo_name=domain2.com
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:2:1:1
   -o syslog_name=postfix-domain2

domain3  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X2
   -o smtp_helo_name=domain3
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:5:1
   -o syslog_name=postfix-domain3

The file is not given in full; it is too big.
I only noted what was changed.

smtp      inet  n       -       y       -       -       smtpd
  -o content_filter=spamassassin
...
spamassassin unix -     n       n       -       -       pipe
    user=spamd argv=/usr/bin/spamc -f -e
    /usr/sbin/sendmail -oi -f ${sender} ${recipient}

These are the settings related to spamassassin; more on that later.

submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

We allow connecting to the mail server via port 587.
To do this, you must log in.

policyd-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/bin/policyd-spf

Enable SPF checking.

apt-get install postfix-policyd-spf-python

Install the package for the SPF check above.

domain1  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X1
   -o smtp_helo_name=domain1.com
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:1:1
   -o syslog_name=postfix-domain1

And this is the most interesting part. This is the ability to send mail for a specific domain from a specific IPv4/IPv6 address.

This is done for rDNS. rDNS is the process of obtaining a name from an IP address.
And for mail, this feature is used to confirm that the helo exactly matches the rDNS of the address the mail was sent from.

If the helo does not match the domain of the sender's email address, spam points are awarded.

If the helo does not match the rDNS, many spam points are awarded.
Therefore each domain must have its own IP address.
For OVH, rDNS can be set in the console.
For tech.ru, the issue is solved through support.
For AWS, the issue is solved through support.
"inet_protocols" and "smtp_bind_address6": we enable IPv6 support.
For IPv6 you also need to register rDNS.
"syslog_name": this is for easier reading of the logs.
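An added example, not from the article: the check described above (HELO name against the sending address's rDNS, that rDNS forward-confirmed, and the HELO against the sender's domain) as a Python function. The DNS answers are a constructed table using documentation addresses in place of the article's XX placeholders; a real check would query PTR and A/AAAA records instead. It also flags a HELO without a dot, like the bare "domain3" in the master.cf above.

```python
import ipaddress

# Constructed DNS answers standing in for real PTR and A/AAAA lookups.
# 192.0.2.x / 2001:db8:: are documentation ranges used in place of the
# article's XX.XX.XX.Xn placeholders.
PTR = {
    "192.0.2.1": "domain1.com",
    "192.0.2.5": "domain2.com",
    "192.0.2.2": "domain3.com",      # PTR exists, but see FORWARD
    "2001:db8::1:1:1:1": "domain1.com",
}
FORWARD = {
    "domain1.com": {"192.0.2.1", "2001:db8::1:1:1:1"},
    "domain2.com": {"192.0.2.5"},
    "domain3.com": {"198.51.100.9"},  # stale A record: not the sending IP
}


def check_helo(ip, helo, sender, ptr=PTR, forward=FORWARD):
    """Return the sorted list of problems a receiving server would score.

    An empty list means: the HELO is fully qualified, it equals the PTR of
    the sending address, that PTR resolves back to the address, and the
    sender's domain matches the HELO.
    """
    findings = []
    addr = str(ipaddress.ip_address(ip))      # canonical text form, v4 or v6
    helo = helo.lower().rstrip(".")
    if "." not in helo:
        findings.append("helo-not-fqdn")      # e.g. a bare "domain3"
    rdns = ptr.get(addr)
    if rdns is None:
        findings.append("no-ptr")
    else:
        rdns = rdns.lower().rstrip(".")
        if rdns != helo:
            findings.append("helo-ptr-mismatch")
        if addr not in forward.get(rdns, set()):
            findings.append("ptr-not-forward-confirmed")
    sender_domain = sender.rpartition("@")[2].lower()
    if helo != sender_domain and not helo.endswith("." + sender_domain):
        findings.append("helo-sender-domain-mismatch")
    return sorted(findings)


if __name__ == "__main__":
    for case in (("192.0.2.1", "domain1.com", "info@domain1.com"),
                 ("192.0.2.5", "domain2.com", "info@domain1.com"),
                 ("192.0.2.2", "domain3", "info@domain3.com")):
        print(case, "->", check_helo(*case) or "ok")
```

The second case is exactly what the per-domain transports above prevent: domain1 mail leaving from domain2's address.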

I recommend buying the certificate here.

Setting up the postfix+dovecot link is described here.

SPF settings.

============= Dovecot =============

apt-get install dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-mysql dovecot-antispam

Set up mysql and install the packages yourself.

File "/etc/dovecot/conf.d/10-auth.conf"

disable_plaintext_auth = yes
auth_mechanisms = plain login

Authentication only over an encrypted connection.

File "/etc/dovecot/conf.d/10-mail.conf"

mail_location = maildir:/var/mail/vhosts/%d/%n

Here we specify where the mail is stored.

I want it stored in files and grouped by domain.

File "/etc/dovecot/conf.d/10-master.conf"

service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    address = XX.XX.XX.X1, XX.XX.XX.X2, XX.XX.XX.X5, [XXXX:XXXX:XXXX:XXXX:1:1:1:1], [XXXX:XXXX:XXXX:XXXX:1:2:1:1], [XXXX:XXXX:XXXX:XXXX:1:1:5:1]
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    address = XX.XX.XX.X1, XX.XX.XX.X2, XX.XX.XX.X5, [XXXX:XXXX:XXXX:XXXX:1:1:1:1], [XXXX:XXXX:XXXX:XXXX:1:2:1:1], [XXXX:XXXX:XXXX:XXXX:1:1:5:1]
    port = 995
    ssl = yes
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
service imap {
}
service pop3 {
}
service auth {
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }

  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
  user = dovecot
}
service auth-worker {
  user = vmail
}
service dict {
  unix_listener dict {
  }
}

This is the main dovecot configuration file.
Here we disable insecure connections.
And enable secure ones.

File "/etc/dovecot/conf.d/10-ssl.conf"

ssl = required
ssl_cert = </etc/nginx/ssl/domain1.com.2018.chained.crt
ssl_key = </etc/nginx/ssl/domain1.com.2018.key
local XX.XX.XX.X5 {
  ssl_cert = </etc/nginx/ssl/domain2.com.2018.chained.crt
  ssl_key =  </etc/nginx/ssl/domain2.com.2018.key
}

Setting up ssl. We specify that ssl is required.
And the certificates themselves. An important detail is the "local" directive. It specifies which SSL certificate is used when a client connects to that local IPv4 address.

By the way, IPv6 is not configured here; I will fix this omission later.
XX.XX.XX.X5 (domain2): there is no certificate. To connect, a client must specify domain1.com.
XX.XX.XX.X2 (domain3): there is a certificate; a client can specify either domain1.com or domain3.com to connect.

File "/etc/dovecot/conf.d/15-lda.conf"

protocol lda {
  mail_plugins = $mail_plugins sieve
}

This will be needed for spamassassin later.

File "/etc/dovecot/conf.d/20-imap.conf"

protocol imap {
  mail_plugins = $mail_plugins antispam
}

This is the antispam plugin. It is needed to train spamassassin when messages are moved to/from the "Spam" folder.

File "/etc/dovecot/conf.d/20-pop3.conf"

protocol pop3 {
}

That is the whole file.

File "/etc/dovecot/conf.d/20-lmtp.conf"

protocol lmtp {
  mail_plugins = $mail_plugins sieve
  postmaster_address = [email protected]
}

Setting up lmtp.

File "/etc/dovecot/conf.d/90-antispam.conf"

plugin {
  antispam_backend = pipe
  antispam_trash = Trash;trash
  antispam_spam = Junk;Spam;SPAM
  antispam_pipe_program_spam_arg = --spam
  antispam_pipe_program_notspam_arg = --ham
  antispam_pipe_program = /usr/bin/sa-learn
  antispam_pipe_program_args = --username=%Lu
}

Spamassassin training settings for messages moved to/from the Spam folder.

File "/etc/dovecot/conf.d/90-sieve.conf"

plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_after = /var/lib/dovecot/sieve/default.sieve
}

The file that determines what to do with incoming mail.

File "/var/lib/dovecot/sieve/default.sieve"

require ["fileinto", "mailbox"];

if header :contains "X-Spam-Flag" "YES" {
        fileinto :create "Spam";
}

You need to compile the file: "sievec default.sieve".

File "/etc/dovecot/conf.d/auth-sql.conf.ext"

passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
}

Specifies the sql file for authentication.
And the file itself is used as the authentication method.

File "/etc/dovecot/dovecot-sql.conf.ext"

driver = mysql
connect = host=127.0.0.1 dbname=servermail user=usermail password=password
default_pass_scheme = SHA512-CRYPT
password_query = SELECT email as user, password FROM virtual_users WHERE email='%u';

This matches the corresponding settings for postfix.

File "/etc/dovecot/dovecot.conf"

protocols = imap lmtp pop3
listen = *, ::
dict {
}
!include conf.d/*.conf
!include_try local.conf

The main configuration file.
The important thing we specify here is the list of protocols.

============= SpamAssassin ==============

apt-get install spamassassin spamc

Install the packages.

adduser spamd --disabled-login

Add the user on whose behalf it will run.

systemctl enable spamassassin.service

We enable the spamassassin service to start automatically at boot.

File "/etc/default/spamassassin":

CRON=1

This enables automatic updating of the "default" rules.

File "/etc/spamassassin/local.cf":

report_safe 0

use_bayes          1
bayes_auto_learn   1
bayes_auto_expire  1
bayes_store_module Mail::SpamAssassin::BayesStore::MySQL
bayes_sql_dsn      DBI:mysql:sa:localhost:3306
bayes_sql_username sa
bayes_sql_password password

You need to create the database "sa" in mysql with the user "sa" and the password "password" (replace it with something adequate).

report_safe: this would send a spam report email instead of the message itself.
use_bayes is the spamassassin machine-learning setting.

The remaining spamassassin settings were already used earlier in the article.

General "spamassassin" settings.
About moving new spam mail to the IMAP "Spam" folder.
About a simple Dovecot + SpamAssassin combination.
I recommend reading the theory of training spamassassin when moving mail between imap folders (and I do not recommend using it).

============= Request to the community =============

I would also like to put an idea to the community about how to raise the security level of forwarded mail, since I have dived deeply into the mail topic.

Let the user create a key pair in the client (outlook, thunderbird, browser plugin, ...). Public and private. The public one is published in DNS. The private one is stored in the client. The mail server would be able to use the public key to send to a specific recipient.

And to protect against spam in such mail (yes, the mail server will not be able to see the content), 3 rules must be introduced:

  1. A real DKIM signature is mandatory, SPF is mandatory, rDNS is mandatory.
  2. A neural network for antispam training + a database on the client side.
  3. The encryption algorithm must be such that the sending side has to spend 100 times more CPU power on encryption than the receiving side.

In addition to ordinary mail, create a standard proposal letter "to start secure correspondence". One user (mailbox) sends a letter with an attachment to another mailbox. The letter contains a text proposal to start a secure communication channel for correspondence and the public key of the mailbox owner (with the private key on the client side).

You can even create separate keys for each correspondence. The recipient can accept this offer and send back their public key (also created specifically for this correspondence). Next, the first user sends a service control letter (encrypted with the second user's public key); when it is received, the second user can consider the established communication channel trusted. Then the second user sends a control letter, after which the first user can also consider the established channel secure.

To counter interception of keys in transit, the protocol must provide for transmitting at least one public key by flash drive.

And most importantly, all of this can work (the question is "who will pay?"):
Introduce a postal certificate from $10 for 3 years. It would let the sender indicate in dns that "my public key is there". And it would give you the opportunity to initiate a secure connection. At the same time, accepting such connections is free.
gmail would finally monetize its users. For $10 per 3 years: the right to create a secure correspondence channel.

============= Conclusion ==============

To test the whole article I was going to rent a dedicated server for a month and buy a domain with an SSL certificate.

But life circumstances turned out such that this matter dragged on for 2 months.
So when I had free time again, I decided to publish the article as it is, rather than risk the publication being delayed for another year.

If there are enough questions like "but this is not described in enough detail", then there will be the strength to take a dedicated server with a new domain and a new SSL certificate and describe it in even more detail and, most importantly, find all the important missing details.

I would also like advice on the idea of postal certificates. If you like the idea, I will try to find the strength to write a draft for an rfc.

When copying large parts of the article, provide a link to this article.
When translating into other languages, provide a link to this article.
I will try to translate it into English myself and leave cross-references.


Source: www.habr.com
