α’ααααααααααΊα’αααΈααααααα‘αΎααααΆαααΈααααααα»αααααααΎαα
Postfix + Dovecot α SPF + DKIM + rDNS α ααΆαα½α IPv6.
ααΆαα½αααΉαααΆαα’αα·αααααΈα TSL α ααΆαα½αααΉαααΆαααΆαααααααααΆαααααα
αααΎα - ααααααααααΆααα·ααααΆαααααα SSL αα·αααααΆααα
ααΆαα½αααΉαααΆαααΆαααΆααααααΆααααΉαααΆαα₯αααΆαααΆα αα·αααΆαααΆααααααααααααααααΆααααΉαααΆαα₯αααΆαααΆαααΈαααΆαααΈααααααα»αααααααααααα
ααΆααααα
ααα»α
αααααΆααααΌαααααα
αααΎαα
ααΆαα½α OpenVPN ααΆααααααΆαααααααΆαααα IPv4 αα·ααααααααα IPv6 α
ααααα·αααΎβα’αααβαα·αβα ααβαααβαα αα αααα·ααααΆβααΆααβα’ααβαααβαα ααα»ααααβα ααβααα‘αΎαβαααΆαααΈαβαααααΎβαααβααα αααβα’αααααβαααβααΊβαααααΆααβα’αααα
α’ααααααα·αααααΆααΆαααααααααααααααα’α·αααα ααΆααααααααα
α’αααΈααααα·αααααΌαααΆααααααααΆαααααααΆα α¬ααΆαααΆααααααΆααααΆαααααααααααα’αααααααΎααααΆααα
ααΆαααΎαααΉαα
α·ααααααα»αααΆαααα‘αΎααααΆαααΈαααααΊααΆααααΈαα»αα·ααααααααα»αααΆααΌαααα αΎαα αααα’αΆα
ααααΆαααα
ααΌα
ααΆααααα ααα»αααα IMHO ααΆαααααΎαααΆαααΆααααααα
ααααΆαααααααααααΈααΈαααΆααααα’αααα
αΌαα
α·ααααα
αααα
ααΆαααΆαααΎαααΉαα α·αααααΈααααααΆααααΆαααα‘αΎα IPv6 α α’αααααααΆααααααααααααΆααα·ααααΆααααΌαααααα αα αααα·ααααΆααααΈαααΆαα·α αα ααΎααααΈαααααΆαααΆαααΈαα·αα αααα»αβα ααβα αΌαβαα½αβα ααααβαα·α αα½α βαααα»αβααΆαβααααα»αααβαααααΆααβααΉαβααΆαβα αΆααβαα·αα»αααα
ααΆαααΎαααΉαα
α·ααααααααΆααααΆαααα‘αΎα OpenVPN ααΊααααΆααααααΎααααΈααα½αααΆα IPv6 ααααΎαααΆααα
ααΎαααΆαααΈααααα»ααααα»αα
ααΆαααΎαααΉαα
α·ααααααααΆααααΆαααα‘αΎαα
ααα»α
αααααΆααααΌαααααααΆα
αααΎαααΊααΆαα
ααΎαααΆαααΈααααααααααα»ααααα»αααΆαα
ααα»α
αααααΆαααα½α "ααΊαααα»ααααααααΆααααααααα" αα·ααα½αααα "ααΏαααα»ααααααΆααααα" α
ααΆαααΎαααΉαα α·ααααααααΆααααΆαααα‘αΎαααΆαααααα Bind ααΊααΆ ISP αααααααα»ααααααααΌααααΆαααΈααα DNS ααααα·αααΆααααααααΆα α αΎαααααααα google αααααΆααααααααα αααα»αα ααααΆααααΆαααΈααα DNS αααααΆααααααααΆααααααΆααααΆαααααΎααααΆααααααΆαααααα½αα
ααΆαααΎαααΉαα α·ααααααα»αααΆααααααα’ααααα - αααα»αααΆααααααααα ααααΈααααΆαααΆαααΈ 10 αααα»α α αΎααααα»αααΆαααΎαααΆααΈααααα½α α αΎαα αααααΈααΆα’ααααα·ααααααααΌαααΆαααΆααΆαααααΆααααααα ααααΆααΆαααααΌααΆαααΈααΈααααααααααα’αααααααααααααΉαααααΌαααΆαααΆαααααα
αα·αααΆααααααααααΆαααΆααααααααΆαααααΆαααΈααααααα»αααααα ααα»ααααβαααα»αβααΉαβααααΆααΆαβαααααβα’αααΈβαα½αβααΌα βααΆ "ααααΎβαααβααα α αΎαβαααααΆααβαα αα βαααβα’αααΈβαααααβαααΆαβααααΎαααΆαβααΌα βαααβααΆβαα½αβααααΎ ααΌαβαααβααααβααααααβα αα"α
αααα»αα αα»α tech.ru ααΆααααΆαααΈααα Colocation α ααΆααΊα’αΆα ααααΎαα ααΆαααΎααααΈααααααααααΆαα½α OVH, Hetzner, AWS α ααΎααααΈαααααααΆααααα αΆααα αα·α αα αα ααααα·ααααα·ααΆαααΆαα½α tech.ru ααΉαααΆαααααα·αααααΆαααΆαα
Debian 9 ααααΌαααΆαααα‘αΎααα ααΎαααΆαααΈαααα
αααΆαααΈαααααΆα 2 α ααα»α αααααΆαα `eno1` αα·α `eno2` α ααΈαα½αααΊααααΆααααααααα α αΎαααΈααΈαααΊααΏααααααααα½αα
ααΆαα’αΆααααααΆα IP αα·αα·ααααα ααα½α 3 ααΊ XX.XX.XX.X0 αα·α XX.XX.XX.X1 αα·α XX.XX.XX.X2 αα ααΎα ααα»α αααααΆαα `eno1` αα·α XX.XX.XX.X5 αα ααΎα ααα»α αααααΆαα `eno2` .
ααΆα XXXX:XXXX:XXXX:XXXX::/64 ααααα»αααα’αΆααααααΆα IPv6 αααααααΌαααΆαααααααα α ααα»α αααααΆαα `eno1` α αΎαααΈααΆ XXXX:XXXX:XXXX:XXXX:1:2::/96 ααααΌαααΆαα αΆααα αααα `eno2` ααΆαααααΎαααααααα»αα
ααΆα 3 domains `domain1.com`, `domain2.com`, `domain3.com`α ααΆααα·ααααΆαααααα SSL αααααΆαα `domain1.com` αα·α `domain3.com`α
αααα»αααΆαααααΈ Google ααααααα»αα
ααααααΆαααααα’αααααα»ααααααααααα»ααα
[α’ααΈαααααΆαααΆα]` (ααΆαααα½ααααα»ααα αα·αααααΎαααα»ααααααααααΆααααΈα
ααα»α
αααααΆαα gmail) α
ααααΌαααααΆααααα’αααααα»ααα[α’ααΈαααααΆαααΆα]`, α
αααΆααα
ααααααα’ααΈαααααααααα»αα
ααααΎααα
αααα»α gmail αααααααα»αα α αΎαααΆααααααΆαααααα’αΆα
ααααΎα’αααΈαα½ααααα½αα±αα `[α’ααΈαααααΆαααΆα]` ααΆααααα
ααα»α
αααααΆαααααααΆαα
ααααΌαααααΆααααα’αααααα»ααα[α’ααΈαααααΆαααΆα]` ααα Ivanov ααΉαααααΎααΈ iPhone ααααααΆααα
α’ααΈααααααααΆαααααΎααααΌαααααααααΆααααααΌαααΆααααααΆααααΆαα₯αααΆαααΆαααααΎαααΆααα’ααα
ααααΌαααααΆαααααα·αααααααααα»αααααΆαα’αα·αααααΈααααααΆαααααααα
αααα»ααααααΆαααΆααΆαααα
αα½αααααΆαααΆαααΆαααα IPv6 αααααΆααααΆααααΆαααααΎ αα·αααα½ααααα»αααα
ααΆαα½αααααΆα SpamAssassin ααααα·ααα»αα’ααΈαααα α αΎαααΆααΉαααα α¬αααα α¬ααααΎαα
ααΆαααα IMAP βSpamβα
ααΆαααααααααααααααααααα· SpamAssassin ααααΌαααααααααα
ααΆααααααααα ααααα·αααΎαααα»αααααΆααααΈαααα»ααααα
αα Spam αααααΆααΉααααααΈααΏααααα ααααα·αααΎαααα»αααααΆααααΈαααα»αααααΈαα Spam ααΆααΉααααααΈαααα ααααααααααΆαααααα»ααααααΆα SpamAssassin αα½αααααΆαα₯αααα·ααααΆααΎαααα»ααααααα
αααα
αααα»ααα Spam αααα¬ααα
ααααααΈα PHP ααααΌαααα’αΆα
ααααΎαααα»ααααααα½αα±αααααααΆαα½ααα
ααΎαααΆαααΈααααααααΆααααααα±ααα
αα½αααααΆαααααΆαααα openvpn αααααΆααααααααΆαααααΎ IPv6 ααΎαααΆαααΈααααααααααα·αααΆα IPv6 α
ααααΌαα’αααααααΌαααααααα
ααΆααααααααα
ααα»α
αααααΆαα αα·αααΆααααααααααΌα αα½αααΆαα IPv6 α
αααααΆααααα’αααααΉαααααΌαααααααα
ααΆαααααααα OpenVPN αααααΉαααααΆααααΆαααα IPv4 αα·ααααααα±ααα’αα·αα·ααααΌαα’αΆααααααΆα IPv6 αα·αα·αααααα·αααααΆααα αααΆαααΈαααααααααααΉαααΆααα·αααα·α
αΌαααααΎααααΆαααα IPv6 ααΆααα’αααα
ααΎαααΆαααΈααα αα·αααΆαα
αΌαααααΎααααΆα IPv6 ααΆαα½ααα
ααΎα’ααΈαααΊαα·αα
αααααΆααααα’αααααΉαααααΌαααααααα
ααΆαααααααα Postfix ααΎααααΈααααΎαααα»ααα + SPF + DKIM + rDNS αα·αααααααΌα
αααααααααααΆααααααααα
αααααΆααααα’αααααΉαααααΌαααααααα
ααΆαααααααα Dovecot αα·αααααααα
ααΆαααααααα Multidomain α
αααααΆααααα’αααααΉαααααΌαααααααα
ααΆαααααααα SpamAssassin αα·αααααααα
ααΆααααααααααΆαααααα»ααααααΆαα
ααΆα
α»αααααα ααα‘αΎα Bind α
============= αα α»α ααα»α αααααΆαα =============
ααΎααααΈααααααα ααΆααααααααα ααα»α αααααΆαα α’αααααααΌααααααααΆαα αααα»α β/etc/network/interfacesβα
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
allow-hotplug eno1
iface eno1 inet static
address XX.XX.XX.X0/24
gateway XX.XX.XX.1
dns-nameservers 127.0.0.1 213.248.1.6
post-up ip route add XX.XX.XX.0/24 dev eno1 src XX.XX.XX.X0 table eno1t
post-up ip route add default via XX.XX.XX.1 table eno1t
post-up ip rule add table eno1t from XX.XX.XX.X0
post-up ip rule add table eno1t to XX.XX.XX.X0
auto eno1:1
iface eno1:1 inet static
address XX.XX.XX.X1
netmask 255.255.255.0
post-up ip rule add table eno1t from XX.XX.XX.X1
post-up ip rule add table eno1t to XX.XX.XX.X1
post-up ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t
post-down ip route del 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t
auto eno1:2
iface eno1:2 inet static
address XX.XX.XX.X2
netmask 255.255.255.0
post-up ip rule add table eno1t from XX.XX.XX.X2
post-up ip rule add table eno1t to XX.XX.XX.X2
iface eno1 inet6 static
address XXXX:XXXX:XXXX:XXXX:1:1::/64
gateway XXXX:XXXX:XXXX:XXXX::1
up ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE
up ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:2/64 dev $IFACE
down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE
down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:1:1:2/64 dev $IFACE
# The secondary network interface
allow-hotplug eno2
iface eno2 inet static
address XX.XX.XX.X5
netmask 255.255.255.0
post-up ip route add XX.XX.XX.0/24 dev eno2 src XX.XX.XX.X5 table eno2t
post-up ip route add default via XX.XX.XX.1 table eno2t
post-up ip rule add table eno2t from XX.XX.XX.X5
post-up ip rule add table eno2t to XX.XX.XX.X5
post-up ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X5 table eno2t
post-down ip route del 10.8.0.0/24 dev tun0 src XX.XX.XX.X5 table eno2t
iface eno2 inet6 static
address XXXX:XXXX:XXXX:XXXX:1:2::/96
up ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:2:1:1/64 dev $IFACE
up ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:2:1:2/64 dev $IFACE
down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:2:1:1/64 dev $IFACE
down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:2:1:2/64 dev $IFACE
# OpenVPN network
iface tun0 inet6 static
address XXXX:XXXX:XXXX:XXXX:1:3::/80
ααΆααααααααΆαααααα’αΆα ααααΌαααΆαα’αα»αααααα ααΎαααΆαααΈαααααΆαα½ααα αααα»α tech.ru (αααααΆαααΆααααααααααα½αααααα·α ααααα½α ααΆαα½αααΆαααΆαααα) α αΎαααΆααΉαααααΎαααΆαααααΆααααΌα αααααΆαα½αααα
ααααα·αααΎα’αααααΆααααα·ααααααααα αααααααααααααααΆαααααΆαα Hetzner, OVH ααΆαα»αααααΆαα ααΈαααα αα·ααΆαααΆαα
eno1 ααΊααΆαααααααααΆααααααΆαααα 1 (ααΊα ααα»ααααααααΆααααααααα)α
eno2 ααΊααΆβαααααβααΆαβαααααΆαβααα 2 (ααΏα ααα»ααααβααΆαβαααα)α
tun0 ααΊααΆαααααααΆααααααΆααα·αααα·αααΈ OpenVPN α
XX.XX.XX.X0 - IPv4 #1 on eno1.
XX.XX.XX.X1 - IPv4 #2 on eno1.
XX.XX.XX.X2 - IPv4 #3 on eno1.
XX.XX.XX.X5 - IPv4 #1 on eno2.
XX.XX.XX.1 - IPv4 gateway.
XXXX:XXXX:XXXX:XXXX::/64 - IPv6 αααααΆαααααΆαααΈαααααΆααααΌαα
XXXX:XXXX:XXXX:XXXX:1:2::/96 - IPv6 αααααΆαα eno2 α’αααΈαααααααααααΈααΆααααα
α
αΌααα
αααα»α eno1α
XXXX:XXXX:XXXX:XXXX::1 β IPv6 gateway (αα½ααααααααΆααααΆαααα’αΆα
/αα½αααααΌαααΆαααααΎαα»αααααΆα αααααΆαα IPv6 switch)α
dns-nameservers - 127.0.0.1 ααααΌαααΆαα
ααα’α»ααααα αΆα (αααααΆααα bind ααααΌαααΆαααα‘αΎααααα»αααΌαααααΆα) αα·α 213.248.1.6 (αααααΊααααΈ tech.ru)α
"ααΆααΆα eno1t" αα·α "ααΆααΆα eno2t" - α’ααααααααααααΌα - α αααΆαααααααΊααΆα ααΆα ααααααα αΌαααΆαααα eno1 -> ααΉαα αΆαα ααααΆααααααΆα αΎαα ααΆα ααααα αΌαααΆαααα eno2 -> ααΉαα αΆαα ααααΆααααααΆα α αΎαααΆααααααΆααααααααα½α ααααΎαααααααΆαααΈαααααΉαααααααΆααα’ααΈααΌα‘α
ip route add default via XX.XX.XX.1 table eno1t
ααΆαα½αααΉαααΆααααααααΆααα ααΎααααααΆααααΆα ααΆα αααααααα·αα’αΆα αααααΆαααααααα·ααα αααααα αααΆααααΆαα½ααααααΆααααααΆαα "table eno1t" -> ααααΌαααΆαααααΎαα ααΆααα ααα»α αααααΆαα eno1 α
ip route add XX.XX.XX.0/24 dev eno1 src XX.XX.XX.X0 table eno1t
ααΆαα½αααΉαααΆααααααααΆααα ααΎααααααΆααααΆα ααΆα αααΆαα½αααααααα½α ααααΎαααααααΆαααΈααα αα½αααααααΌαααΆαααΉαααΆααα ααΆααα ααα»α αααααΆαα eno1 α
ip rule add table eno1t from XX.XX.XX.X0
ip rule add table eno1t to XX.XX.XX.X0
ααΆαα½αααΉαααΆααααααααΆαααααΎααααααα αααΆαααααααΆααααΆααααααΆααα ααΆα αααα
auto eno1:2
iface eno1:2 inet static
address XX.XX.XX.X2
netmask 255.255.255.0
post-up ip rule add table eno1t from XX.XX.XX.X2
post-up ip rule add table eno1t to XX.XX.XX.X2
αααα»αααααααααΆαα IPv4 ααΈααΈααααααΆααα ααα»α αααααΆαα eno1 α
ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t
ααΆαα½αααΉαααΆααααααααΆααα ααΎααααααααααΌαααΈα’αα·αα·αα OpenVPN αα
IPv4 ααΌαααααΆα ααΎαααααα XX.XX.XX.X0 α
αααα»ααα
αααα·ααααααΈααΌαα ααα»αααααΆααααααααΆαααααΊαααααααααΆαααααααΆαα IPv4 ααΆααα’ααα
iface eno1 inet6 static
address XXXX:XXXX:XXXX:XXXX:1:1::/64
gateway XXXX:XXXX:XXXX:XXXX::1
αααααΊααΆαααααααααααΎααααααα’αΆααααααΆααααααΆααα ααα»α αααααΆαααααα½αα―αα αααΆαααΈαααααΉαααααΎααΆααΆα’αΆααααααΆα "α αα" α ααΉαβαα·αβααααΌαβααΆαβααααΎβαααα»αβαα·ααΈβααΆβαα½αβααααβαααβα
α ααα»α’αααΈ ":1:1::" αααα»αααααΆααααααα? ααΌα αααα OpenVPN ααααΎαααΆαααΆαααααΉαααααΌα α αΎααααααΆααααααΏααααααα»αααααα αααααααααα’αααΈααΏαααααα ααααααααα
αα ααΎαααααΆαααααα αααααααΌα - αααα αΎαααΆαααααααααΆααααΎαααΆαα αΎααααααΆααΆαααα’α ααα»αααααα·ααΈααααΉαααααΌαααΊααααΌαα ααα’α»ααααα αΆααα ααΈααα IPv6 αααα»αααΆααααααααΆαααΈαααααααΌαααΆαααααΆααα
ααααααΆαααΆααααα αααααΆααα ααα»αααα½αα ααα½α IPv6 αααααααΎαααΆα ααααα·αααΎαααα»αααααΎααααααα ααααααα ααααΆαααααααααααα αΆ tech.ru αα½αα ααα½αα
ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE
ααααααα»αααααααα’αΆααααααΆα IPv6 αα α ααα»α αααααΆααα ααααα·αααΎα’αααααααΌαααΆαα’αΆααααααΆααα½ααα αααααΆααααααΆαα½ααααααααΆαααα αααα»αα―αααΆααααα
iface eno1 inet6 static
address XXXX:XXXX:XXXX:XXXX:1:1::/64
...
iface eno2 inet6 static
address XXXX:XXXX:XXXX:XXXX:1:2::/96
...
iface tun0 inet6 static
address XXXX:XXXX:XXXX:XXXX:1:3::/80
αααα»αααΆαααααααααΆααα’αΆααααααΆα αα·ααααααΆαααααα ααα»α αααααΆααααΆααα’ααααΎααααΈααααΎα±ααααΆα αααΆααα
eno1 - ααααΌααα "/64" - αααααΆααααααααΊααΆααααα»αααα’αΆααααααΆαααααααΎαα
tun0 - αααααΆαααααααΌαααααααΆα eno1 α ααΎαα·αααΌα αααααα ααΆααΉααα·αα’αΆα ααααααα ααΆααααααααα ααα IPv6 αααααΆααα’αα·αα·αα OpenVPN ααΆαααα
eno2 - αααααΆαααααααΌαααααααΆα tun0 α ααΎαα·αααΌα αααααα α’αα·αα·αα OpenVPN ααΉααα·αα’αΆα α αΌαααααΎα’αΆααααααΆα IPv6 αααα»ααααα»αααΆαααα
αααααΆααααΆαα αααΆααααΆαα αααα»αααΆαααααΎαααΎαααα αΆααααααΆααααα 16 ααα»ααααααααα·αααΎα’αααα αα α’αααααα’αΆα ααααΎααα αΆα "1" αααααα
ααΌα ααααα αΎα 64+16=80 αα·α 80+16=96αααΎααααΈα±ααααΆααααα αααΆααα
XXXX:XXXX:XXXX:XXXX:1:1:YYYY:YYYY ααΊααΆα’αΆααααααΆαααααα½αααααααΌαααΆαααααααα ααα ααααα α¬ααααΆααααααΆααααΆαααα ααΎα ααα»α αααααΆαα eno1α
XXXX:XXXX:XXXX:XXXX:1:2:YYYY:YYYY ααΊααΆα’αΆααααααΆαααααα½αααααααΌαααΆαααααααα ααα ααααα α¬ααααΆααααααΆααααΆαααα ααΎα ααα»α αααααΆαα eno2α
XXXX:XXXX:XXXX:XXXX:1:3:YYYY:YYYY ααΊααΆα’αΆααααααΆαααααα½αααααααΌαααΆαααααααα α’αα·αα·αα OpenVPN α¬ααααΎααΆα’αΆααααααΆαααααΆαααα OpenVPNα
ααΎααααΈααααααα
ααΆαααααααααααααΆα ααΆαα½αααα’αΆα
α
αΆααααααΎααααΆαααΈαααα‘αΎααα·αα
ααΆαααααΆααααααΌα IPv4 ααααΌαααΆαααααΎαααΎααα
αααααααα·ααααα· (ααααΌαααααΆααααΆαα»αααΆαα
ααΎα’αααααα - ααΎαα·αααΌα
ααααααααΆααααααααΆαααααΉαααΆαααααααΆααα
ααΎαααΆαααΈααα):
/etc/init.d/networking restart
αααααααα α α»ααααα ααααα―αααΆα β/etc/iproute2/rt_tablesβα
100 eno1t
101 eno2t
ααΎααααΆαααααα α’ααααα·αα’αΆα
ααααΎααΆααΆαααααΆαααααα½ααα
αααα»αα―αααΆα β/etc/network/interfacesβ ααΆαααα
αααααααΌαααααΆααααα½αααα αα·ααα·α
ααΆα 65535α
ααΆαααααΆααααααΌα IPv6 α’αΆα ααααΌαααΆαααααΆααααααΌααααΆαααΆααααα½αααααα·αα αΆαααΆα αα αΆααααααΎαα‘αΎααα·α ααα»ααααααΎααααΈααααΎααΌα ααααα’αααααααΌαααααααΆαα αα ααΆααααΈααΆααααααααΆα
ip -6 addr ...
ip -6 route ...
ip -6 neigh ...
ααΆαααααα "/etc/sysctl.conf"
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward = 1
# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0
# For receiving ARP replies
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.default.arp_filter = 0
# For sending ARP
net.ipv4.conf.all.arp_announce = 0
net.ipv4.conf.default.arp_announce = 0
# Enable IPv6
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0
# IPv6 configuration
net.ipv6.conf.all.autoconf = 1
net.ipv6.conf.all.accept_ra = 0
# For OpenVPN
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.proxy_ndp = 1
# For nginx on boot
net.ipv6.ip_nonlocal_bind = 1
ααΆαααααααΊααΆααΆαααααα "sysctl" αααααααΆαααΈααααααααααα»αα αααα»αβααΌαβα ααα’α»αβαααα αΆαβααΏαβααααΆααα
net.ipv4.ip_forward = 1
ααΎααααΆαααααα OpenVPN ααΉααα·αααααΎαααΆαααΆαααααααα
net.ipv6.ip_nonlocal_bind = 1
ααααΆααααΆαααααααααΆααΆαααααΆαα IPv6 (α§ααΆα ααα nginx) ααααΆαααααααΆααααΈα ααα»α αααααΆααααααΌαααΆαααα‘αΎαααΉαααα½αααΆαααα α»αα ααΆα’αΆααααααΆαααααα·αααΆαααα
ααΎααααΈαααααΆαααααΆαααΆααααααα ααΆααααααααααααααααΌαααΆαααααΎα‘αΎαα
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.proxy_ndp = 1
ααΎααααΆαααΆαααααα IPv6 ααΆααααααα α ααΆα αααααΈαααΆαααΈαααααα OpenVPN αα·αα αααα αααα αα·αααααααα
ααΆαβαααααβαααααβαααβαα·αβααΆααααααα α¬βαααα»αβαα·αβα
αΆαβααΆβααΆβαααααΆααβα’αααΈβααα
ααα»αααααααα»αααααΈαααα»ααα»αααΆ "ααΌα
αααααααΆααααΆα"α
ααΎααααΈα±ααααΆαααααΆααααααΌαα―αααΆααααααααΌαααΆαααΆαααααααα·αα αΆαααΆα αα αΆααααααΎααααΆαααΈαααα‘αΎααα·α α’αααααααΌαααααΎαααΆαααΆααααααααΆα
sysctl -p
ααααααΆααααα’α·αααααααα’αααΈα
αααΆαα "ααΆααΆα"α
============= OpenVPN =============
OpenVPN IPv4 αα·αααααΎαααΆααααααααΆα iptables ααα
iptables αααααααα»αααΊααΌα ααααααααΆαα VPNα
iptables -A INPUT -p udp -s YY.YY.YY.YY --dport 1194 -j ACCEPT
iptables -A FORWARD -i tun0 -o eno1 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j SNAT --to-source XX.XX.XX.X0
##iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j DROP
iptables -A FORWARD -p udp --dport 1194 -j DROP
YY.YY.YY.YY ααΊααΆα’αΆααααααΆα IPv4 αα·αα·αααααααααααα»ααααααΆαααΈαααΌαααααΆαα
10.8.0.0/24 - αααααΆα IPv4 openvpn α α’αΆααααααΆα IPv4 αααααΆααα’αα·αα·αα openvpn α
ααΆαααΆααααΆααααα
αααΆααααΆαααΆααααααΆααα
iptables -A INPUT -p udp -s YY.YY.YY.YY --dport 1194 -j ACCEPT
iptables -A FORWARD -i tun0 -o eno1 -j ACCEPT
...
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j DROP
iptables -A FORWARD -p udp --dport 1194 -j DROP
αααααΊααΆαααααααα ααΌα ααααααΆααααααα»ααααααα’αΆα ααααΎ OpenVPN ααΈ IP αα·αα·αααααααααααα»αα
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j SNAT --to-source XX.XX.XX.X0
-- or --
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j MASQUERADE
ααΎααααΈαααααΌααααααααα αα IPv4 αααΆααααΆαααΈαααααα OpenVPN αα·αα’ααΈαααΊαα·α α’αααααααΌαα α»ααααααααΆααααααααΆαα½ααααα»αα ααααααΆααααααααΆααΆαααααα
αααααΆααααααΈααααααααααΆ αααααΎααα½ααααα»αα
αααααααααΎααα·αααααααααα
ααΆααααααααΆααΆααααΈαααΊαααααααααααΆααααααΈαααααααα»αα
αααααΆααβααΈβααΆαβα’αΆαβα―αααΆαβαα½α
αααα»αβααΆαβααααΎαααΎαβαααααΎαβααααΌαβαααααβααΆβααααΎ CPU αα·α
α
ααΎααααΈα±ααααΆαααααα iptables ααΆααα’ααααααΌαααΆαααααΎαααΎααααααΆααααΈααΆαα αΆααααααΎαα‘αΎααα·α α’αααααααΌααααααΆαα»ααα½αααΆαα ααααααααΆαα½αα
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6
ααααααααααααα·αααααΌαααΆαααααΎαααΎααααα αααααααα αα½αααΆααααΌαααΆαααααΎααααααα αα "iptables-persistent" α
apt-get install iptables-persistent
ααΆαααα‘αΎααααα αα OpenVPN α ααααα
apt-get install openvpn easy-rsa
ααααααα αααααΌαααααΆαααα·ααααΆαααααα (αααα½ααααααααααα’ααα)α
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
ln -s openssl-1.0.0.cnf openssl.cnf
αααααααααα½αααΆααααααααααΌαα·ααααΆααααααα
mcedit vars
...
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="RU"
export KEY_PROVINCE="Krasnodar"
export KEY_CITY="Dinskaya"
export KEY_ORG="Own"
export KEY_EMAIL="[email protected]"
export KEY_OU="VPN"
# X509 Subject Field
export KEY_NAME="server"
...
αααααΎααα·ααααΆαααααααααΆαααΈαααα
cd ~/openvpn-ca
source vars
./clean-all
./build-ca
./build-key-server server
./build-dh
openvpn --genkey --secret keys/ta.key
ααααααα ααααααααΆααααα»αααΆααααααΎαα―αααΆα "client-name.opvn" α α»ααααααα
mkdir -p ~/client-configs/files
chmod 700 ~/client-configs/files
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
mcedit ~/client-configs/base.conf
# Client mode
client
# Interface tunnel type
dev tun
# TCP protocol
proto tcp-client
# Address/Port of VPN server
remote XX.XX.XX.X0 1194
# Don't bind to local port/address
nobind
# Don't need to re-read keys and re-create tun at restart
persist-key
persist-tun
# Remote peer must have a signed certificate
remote-cert-tls server
ns-cert-type server
# Enable compression
comp-lzo
# Custom
ns-cert-type server
tls-auth ta.key 1
cipher DES-EDE3-CBC
α αΌαααΎααααα αααααααΈααααααΉααααα αΌαα―αααΆαααΆααα’αααα αααα»αα―αααΆα opvn αααα½αα
mcedit ~/client-configs/make_config.sh
chmod 700 ~/client-configs/make_config.sh
#!/bin/bash
# First argument: Client identifier
KEY_DIR=~/openvpn-ca/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf
# Inline the CA certificate, the client's certificate and key, and the
# tls-auth key into a single .ovpn named after the client ($1)
cat ${BASE_CONFIG} \
    <(echo -e '<ca>') \
    ${KEY_DIR}/ca.crt \
    <(echo -e '</ca>\n<cert>') \
    ${KEY_DIR}/${1}.crt \
    <(echo -e '</cert>\n<key>') \
    ${KEY_DIR}/${1}.key \
    <(echo -e '</key>\n<tls-auth>') \
    ${KEY_DIR}/ta.key \
    <(echo -e '</tls-auth>') \
    > ${OUTPUT_DIR}/${1}.ovpn
ααΆααααααΎααααΆαααΈαααααα OpenVPN ααααΌαα
cd ~/openvpn-ca
source vars
./build-key client-name
cd ~/client-configs
./make_config.sh client-name
α―αααΆα β~/client-configs/files/client-name.ovpnβ ααααΌαααΆαααααΎαα ααΆααα§αααααααααα’αα·αα·ααα
αααααΆααβα’αα·αα·αα iOS α’αααβααΉαβααααΌαβααααΎβαααα·α
βααΌα
βααΆαβαααααα
ααααΉαααΆαααααααΆα "tls-auth" ααααΌαααααααΆαααα·αααααα
α αΎαααΆαα βkey-direction 1β ααααΆαααα»αααααΆα βtls-authβ α
αααααααααα ααΆαααααααααααΆαααΈααα OpenVPNα
cd ~/openvpn-ca/keys
cp ca.crt ca.key server.crt server.key ta.key dh2048.pem /etc/openvpn
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | tee /etc/openvpn/server.conf
mcedit /etc/openvpn/server.conf
# Listen port
port 1194
# Protocol
proto tcp-server
# IP tunnel
dev tun0
tun-ipv6
push tun-ipv6
# Master certificate
ca ca.crt
# Server certificate
cert server.crt
# Server private key
key server.key
# Diffie-Hellman parameters
dh dh2048.pem
# Allow clients to communicate with each other
client-to-client
# Client config dir
client-config-dir /etc/openvpn/ccd
# Run client-specific script on connection and disconnection
script-security 2
client-connect "/usr/bin/sudo -u root /etc/openvpn/server-clientconnect.sh"
client-disconnect "/usr/bin/sudo -u root /etc/openvpn/server-clientdisconnect.sh"
# Server mode and client subnets
server 10.8.0.0 255.255.255.0
server-ipv6 XXXX:XXXX:XXXX:XXXX:1:3::/80
topology subnet
# IPv6 routes
push "route-ipv6 XXXX:XXXX:XXXX:XXXX::/64"
push "route-ipv6 2000::/3"
# DNS (for Windows)
# These are OpenDNS
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
# Configure all clients to redirect their default network gateway through the VPN
push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway ipv6" #For iOS
# Don't need to re-read keys and re-create tun at restart
persist-key
persist-tun
# Ping every 10s. Timeout of 120s.
keepalive 10 120
# Enable compression
comp-lzo
# User and group
user vpn
group vpn
# Log a short status
status openvpn-status.log
# Logging verbosity
##verb 4
# Custom config
tls-auth ta.key 0
cipher DES-EDE3-CBC
ααΆα αΆαααΆα αααΎααααΈαααααα’αΆααααααΆααα·αα·αααααααααΆααα’αα·αα·ααααΈαα½αα (αα·αα αΆαααΆα α ααα»αααααααα»αααααΎααΆ)α
# Client config dir
client-config-dir /etc/openvpn/ccd
ααααααΆααααα’α·ααα·ααα·ααΆααααα»αα
ααΆα’αα»αα OpenVPN αα·αααΆααααΉαααΈααααααααααα
ααΆααααααααα
ααα IPv6 αααα―αααΆααααααααΆααα’αα·αα·ααααα
α’αααααααΌααα "ααααα" αααααΌαααααααααααααΆααα’αα·αα·ααααΈαα½ααα
# Run client-specific script on connection and disconnection
script-security 2
client-connect "/usr/bin/sudo -u root /etc/openvpn/server-clientconnect.sh"
client-disconnect "/usr/bin/sudo -u root /etc/openvpn/server-clientdisconnect.sh"
α―αααΆα β/etc/openvpn/server-clientconnect.shβα
#!/bin/sh
# Check client variables
if [ -z "$ifconfig_pool_remote_ip" ] || [ -z "$common_name" ]; then
    echo "Missing environment variable."
    exit 1
fi
# Load server variables ($prefix, $prefixlen)
. /etc/openvpn/variables
ipv6=""
# Find out if there is a specific config with fixed IPv6 for this client
if [ -f "/etc/openvpn/ccd/$common_name" ]; then
    # Get fixed IPv6 from client config file (ifconfig-ipv6-push <addr>)
    ipv6=$(sed -nr 's/^.*ifconfig-ipv6-push[ \t]+([0-9a-fA-F:]+).*$/\1/p' "/etc/openvpn/ccd/$common_name")
    echo "$ipv6"
fi
# Get IPv6 from IPv4: last octet of the pool address, hex-encoded, appended to $prefix
if [ -z "$ipv6" ]; then
    ipp=$(echo "$ifconfig_pool_remote_ip" | cut -d. -f4)
    if ! [ "$ipp" -ge 2 -a "$ipp" -le 254 ] 2>/dev/null; then
        echo "Invalid IPv4 part."
        exit 1
    fi
    hexipp=$(printf '%x' "$ipp")
    ipv6="$prefix$hexipp"
fi
# Create proxy rule so eno1 answers neighbour solicitations for the client's address
/sbin/ip -6 neigh add proxy "$ipv6" dev eno1
α―αααΆα β/etc/openvpn/server-clientdisconnect.shβα
#!/bin/sh
# Check client variables
if [ -z "$ifconfig_pool_remote_ip" ] || [ -z "$common_name" ]; then
    echo "Missing environment variable."
    exit 1
fi
# Load server variables ($prefix, $prefixlen)
. /etc/openvpn/variables
ipv6=""
# Find out if there is a specific config with fixed IPv6 for this client
if [ -f "/etc/openvpn/ccd/$common_name" ]; then
    # Get fixed IPv6 from client config file (ifconfig-ipv6-push <addr>)
    ipv6=$(sed -nr 's/^.*ifconfig-ipv6-push[ \t]+([0-9a-fA-F:]+).*$/\1/p' "/etc/openvpn/ccd/$common_name")
fi
# Get IPv6 from IPv4: same derivation as in server-clientconnect.sh
if [ -z "$ipv6" ]; then
    ipp=$(echo "$ifconfig_pool_remote_ip" | cut -d. -f4)
    if ! [ "$ipp" -ge 2 -a "$ipp" -le 254 ] 2>/dev/null; then
        echo "Invalid IPv4 part."
        exit 1
    fi
    hexipp=$(printf '%x' "$ipp")
    ipv6="$prefix$hexipp"
fi
# Delete proxy rule
/sbin/ip -6 neigh del proxy "$ipv6" dev eno1
ααααααΈαααΆααααΈαααααΎα―αααΆα β/etc/openvpn/variablesβα
# Subnet
prefix=XXXX:XXXX:XXXX:XXXX:2:
# netmask
prefixlen=112
αααα»ααα·ααΆαα αΆαααΆα ααα»α’αααΈααΆαααΆαααααααααααααα
α₯α‘αΌαααα netmask = 112 ααΎααα
α
ααααα (ααΆαα½αααααΆα 96 αα
ααΈααα) α
α αΎααα»αααααααΊα
αααααααΆαα·αααααΌαααααΆααΉααααααΆα tun0 ααα
ααα»αααααα·αα’αΈαα αααα»αααΉααα»αααΆα
ααααΌα
ααΎαα
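An added example (not code from the original article) that checks the IPv6 layout described earlier for eno1, tun0 and eno2 and mirrors the address derivation of server-clientconnect.sh above, including the case where the concatenation in /etc/openvpn/variables does not form a valid address. The ISP's XXXX:XXXX:XXXX:XXXX::/64 is replaced by the constructed documentation prefix 2001:db8:1:1::/64.

```python
"""IPv6 address plan and NDP-proxy address derivation.

Added example, not code from the original article. The ISP's
XXXX:XXXX:XXXX:XXXX::/64 is replaced by the constructed documentation
prefix 2001:db8:1:1::/64; the layout (/64 on eno1, /80 for OpenVPN on
tun0, /96 on eno2, each 16 bits deeper) is the one described above.
"""
import ipaddress

ISP_PREFIX = ipaddress.IPv6Network("2001:db8:1:1::/64")  # constructed stand-in


def address_plan(isp_prefix):
    """Carve the article's three networks out of the ISP /64."""
    site = isp_prefix.network_address.exploded.split(":")[:4]

    def net(groups, plen):
        # strict=False mirrors `ip addr add`: host bits after the prefix are tolerated
        return ipaddress.IPv6Network(":".join(site + groups) + "::/%d" % plen, strict=False)

    return {
        "eno1": net(["1", "1"], 64),  # XXXX:XXXX:XXXX:XXXX:1:1::/64
        "tun0": net(["1", "3"], 80),  # XXXX:XXXX:XXXX:XXXX:1:3::/80
        "eno2": net(["1", "2"], 96),  # XXXX:XXXX:XXXX:XXXX:1:2::/96
    }


def check_nesting(plan):
    """True when eno2's /96 lies inside tun0's /80, which lies inside eno1's /64,
    the property the article relies on for the OpenVPN clients' IPv6 traffic."""
    return plan["eno2"].subnet_of(plan["tun0"]) and plan["tun0"].subnet_of(plan["eno1"])


def has_host_bits(cidr):
    """True when the written address carries bits beyond the prefix length.
    The article's '...:1:3::/80' does: the fifth group '1' ends the prefix, the
    '3' is in host bits, so the network is really '...:1::/80'."""
    try:
        ipaddress.IPv6Network(cidr)  # strict mode rejects host bits
        return False
    except ValueError:
        return True


def client_ipv6(prefix, ifconfig_pool_remote_ip):
    """Mirror server-clientconnect.sh: last IPv4 octet of the pool address,
    required to be 2..254, hex-encoded and appended to $prefix."""
    octet = int(ifconfig_pool_remote_ip.split(".")[3])
    if not 2 <= octet <= 254:
        raise ValueError("Invalid IPv4 part.")
    return "%s%x" % (prefix, octet)


def proxy_target(prefix, ifconfig_pool_remote_ip, isp_prefix=ISP_PREFIX):
    """The address handed to `ip -6 neigh add proxy`, normalised, or None when
    the concatenation is not a valid IPv6 address inside the ISP prefix.
    A prefix ending in a single ':' (six groups, no '::') fails here."""
    candidate = client_ipv6(prefix, ifconfig_pool_remote_ip)
    try:
        addr = ipaddress.IPv6Address(candidate)
    except ipaddress.AddressValueError:
        return None
    return str(addr) if addr in isp_prefix else None


if __name__ == "__main__":
    plan = address_plan(ISP_PREFIX)
    for name, network in plan.items():
        print("%-5s %s" % (name, network))
    print("nested:", check_nesting(plan))
    print("host bits in 2001:db8:1:1:1:3::/80:", has_host_bits("2001:db8:1:1:1:3::/80"))
    for prefix in ("2001:db8:1:1:2::", "2001:db8:1:1:2:"):
        print(prefix, "->", proxy_target(prefix, "10.8.0.10"))
```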
cipher DES-EDE3-CBC
ααααα·αααααααααΆααααα»ααααααααααααΆαα - αααα»αααΆαααααΎαααΎααα·ααΈααΆαααααααααΆαα’αα·αααααΈαααΆααααααΆαααααα
============= Postfix =============
ααΆαααα‘αΎααααα ααααααΆααα
apt-get install postfix
αα αααααα‘αΎαααΌαααααΎαααΎα "ααα αααααα’ααΈαααΊαα·α" α
"/etc/postfix/main.cf" αααααααα»αααΎααα ααΌα αααα
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
readme_directory = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtp_bind_address = XX.XX.XX.X0
smtp_bind_address6 = XXXX:XXXX:XXXX:XXXX:1:1:1:1
smtp_tls_security_level = may
smtp_tls_ciphers = export
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_loglevel = 1
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = domain1.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = domain1.com
mydestination = localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
internal_mail_filter_classes = bounce
# Storage type
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
# SMTP-Auth settings
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
#reject_invalid_hostname,
#reject_unknown_recipient_domain,
reject_unauth_destination,
reject_rbl_client sbl.spamhaus.org,
check_policy_service unix:private/policyd-spf
smtpd_helo_restrictions =
#reject_invalid_helo_hostname,
#reject_non_fqdn_helo_hostname,
reject_unknown_helo_hostname
smtpd_client_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_non_fqdn_helo_hostname,
permit
# SPF
policyd-spf_time_limit = 3600
# OpenDKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:var/run/opendkim/opendkim.sock
# IP address per domain
sender_dependent_default_transport_maps = pcre:/etc/postfix/sdd_transport.pcre
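As an added check, not from the original article: a small audit that parses constructed excerpts of the OpenVPN server.conf shown earlier and of the main.cf just above, flags the settings a reviewer would question (the DES-EDE3-CBC cipher, comp-lzo, the export cipher grade, inet_protocols = ipv4 next to smtp_bind_address6) and carries a corrected OpenVPN excerpt beside the weak one. The replacement values and the 2001:db8 address are the editor's assumptions, not the article's.

```python
"""Audit of the weak settings in the OpenVPN server.conf and Postfix main.cf above."""

# Constructed excerpt of the article's /etc/openvpn/server.conf
SERVER_CONF = """\
client-to-client
script-security 2
client-connect "/usr/bin/sudo -u root /etc/openvpn/server-clientconnect.sh"
comp-lzo
tls-auth ta.key 0
cipher DES-EDE3-CBC
"""

# Same excerpt with the editor's replacements (OpenVPN 2.4, as shipped with Debian 9)
HARDENED_CONF = """\
script-security 2
client-connect "/usr/bin/sudo -u root /etc/openvpn/server-clientconnect.sh"
tls-auth ta.key 0
cipher AES-256-GCM
"""

# Constructed excerpt of the article's /etc/postfix/main.cf (IPv6 address is a documentation value)
MAIN_CF = """\
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtp_tls_security_level = may
smtp_tls_ciphers = export
smtp_tls_protocols = !SSLv2, !SSLv3
inet_protocols = ipv4
smtp_bind_address6 = 2001:db8:1:1:1:1:1:1
"""

WEAK_CIPHERS = {"DES-EDE3-CBC", "DES-CBC", "BF-CBC"}  # 64-bit block ciphers (Sweet32)


def parse_openvpn(text):
    """OpenVPN: 'name args...' per line, '#' starts a comment; a name may repeat."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, _, args = line.partition(" ")
            conf.setdefault(name, []).append(args.strip())
    return conf


def parse_postfix(text):
    """Postfix main.cf: 'key = value', spaces around '=' optional, '#' lines are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit_openvpn(conf):
    """(severity, directive, advice) for the directives the article's configs use."""
    out = []
    for cipher in conf.get("cipher", []):
        if cipher in WEAK_CIPHERS:
            out.append(("weak", "cipher", cipher + " is a 64-bit block cipher (Sweet32); use AES-256-GCM"))
    if "comp-lzo" in conf:
        out.append(("weak", "comp-lzo", "compression exposes tunnelled traffic to VORACLE-style attacks; remove it"))
    if "ns-cert-type" in conf:
        out.append(("info", "ns-cert-type", "deprecated in 2.4, removed in 2.5; remote-cert-tls replaces it"))
    if "client-to-client" in conf:
        out.append(("info", "client-to-client", "VPN clients can reach each other; drop it unless intended"))
    if any("sudo" in hook for hook in conf.get("client-connect", [])):
        out.append(("info", "client-connect", "hook runs as root via sudo; keep the script root-owned and not writable by others"))
    return out


def audit_postfix(conf):
    """(severity, directive, advice) for the TLS and IPv6 settings in main.cf."""
    out = []
    if conf.get("smtp_tls_ciphers") == "export":
        out.append(("weak", "smtp_tls_ciphers", "export admits export-grade ciphers; use medium (the default) or high"))
    protos = conf.get("smtp_tls_protocols", "")
    if "!TLSv1" not in protos and ">=" not in protos:
        out.append(("info", "smtp_tls_protocols", "TLS 1.0/1.1 still allowed; for opportunistic TLS weigh this against plaintext fallback"))
    if conf.get("inet_protocols") == "ipv4" and "smtp_bind_address6" in conf:
        out.append(("weak", "inet_protocols", "ipv4 disables IPv6, so smtp_bind_address6 has no effect; set inet_protocols = all"))
    return out


def weak_directives(findings):
    """Names of the directives flagged 'weak', for a quick pass/fail."""
    return sorted({directive for severity, directive, _ in findings if severity == "weak"})


if __name__ == "__main__":
    for name, findings in (("server.conf", audit_openvpn(parse_openvpn(SERVER_CONF))),
                           ("hardened", audit_openvpn(parse_openvpn(HARDENED_CONF))),
                           ("main.cf", audit_postfix(parse_postfix(MAIN_CF)))):
        print(name, "weak:", weak_directives(findings))
        for severity, directive, advice in findings:
            print("  [%s] %s: %s" % (severity, directive, advice))
```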
ααΌααααα‘ααααΎαααααααΆααααα’α·αααααΆαααααααααα
smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key
αααααΆαα’ααααααα»α Khabrovsk αααα»ααααααΆα "ααααααΆααα·αααααΉαααααΌα αα·αααααααΆαααΆααααααα·αααααΉαααααΌα" αααααΉααα 8 ααααΆααααααΆααααΈααΆαα αΆααααααΎαα’αΆααΈααααααααα»α αααα»αα αΆααααααΎααααααΈααααααα SSL ααααΎαααΆαα
ααΌα αααα αααα»αααΉαααα½αααααααΈααΆααααα»αααΆααα·αααααΆα’αααΈααααααααΎ SSL (ααααα·αααααΎααααα½α "ααΎααΆααααΎαααΆααααΆαααΌα ααααα ?" αα·α "α ααα»α’αααΈααΆααααΎαααΆα?") α
ααΌαααααΆαααααΆαα’αα·αααααΈαααααΎαααΊααΆααααααΎαααΌαααα½α (ααααα’ααααααααααα»αααΈα) α
"ααΌααα" αα½αααΊα―ααα ααααααααααααΊ "ααΆααΆααα" α ααΎααααααΆααα―ααααααΆααααα»αααααααααααΆαααααΆααα ααΎαα ααα αΆαααΌαααααΆααΆααααααα’αααααΆααααααΆα
αααααααΎααααΆααΆααα α’αααα’αΆα α’αα·αααααΈαα’αααααα½αααααΆ ααΌα ααααααΆαααααα αΆααααα―αααααα»ααααααααα’αΆα αα·ααααΈαααΆααΆαα
ααΆααΆααααααΎαααΆαα, αααα αΎαααΆααΌαααααΆαααΆααααΌααααα αα αααα·ααααΆαααα αΆαααΈ 1 - ααα ααααα https α
αα αααα αΌαααααΎααα ααααα αααααα·ααΈαα»αααααΆαα’ααΈαααΊαα·ααααααΈαααΆαααΈαααααα αααααααΆααα αααααααΊ https ααΌα ααααα αΎαααααΎαα»αααααΆααΆαααα
αααΆαααΈαααααα ααααααααααααααΆααΆαααα αααααα·ααΈαα»αααααααΎααααΆααΆαααααΎααααΈα’αα·αααααΈαααααΎα http α αΎαααααΎααΆα
ααααΉαααΆαααααααΎα http α’αΆα α’αΆαααΆαααα’ααααααααΆαααΌαααα―ααα αααααΊααΆααααααΆαααΈαααααα»ααααααααααααΎαααααααΌαααΆαααααΎα‘αΎαα
Http-request ααΆααααΆαα αα ααΆαα URI α ααΌα αααα ααααα·αααΎαααααααα½ααααα»αααααΆααΆαααΆααααααα·αααΆαα αΌαααααΎαα·αααααα ααΆααααα αααααααΆααααΌαααααα ααα»αααααα ααΆαααααααααΆααααΆααααα ααΆαα·αα’αΆα αα αα½α αααααα»αααΆαααααΎαααααΆααααα ααααα https αααα αΆαααΈ 2 - ααΆαααααΎααααααααΆαα’αα·αααααΈαα
αααΆαααΈαααααα ααααααααααα ααααΎααααα’αΆα α’αΆαααΆααααΆαααΆααααα½ααα ααΎααααΌαα
αααααααααΆαααΊααΆαααααααα»α - αααααα·ααΈαα»αααααΆαααΌαααααΆααααααΎαααΌααα―ααα-ααΆααΆαααααΌα ααααΆαααααΆααααα ααααα https ααΈαα½ααα
α αΎααα½αααΆαα½αααΉαααΆαααααΎαα»αααααΆααΆαααααααααα ααααα ααΆααααΎααααΆααΆααααααα»ααααααααααααΆα
αααΆαααΈαααααα αααααα αα αΆαααΆ α αΎααα αααααααΎ http-response α’αα·αααααΈαααΆαααααααΎααααΆααΆαααααααα’αα·αα·ααααΆααααΆααα
α₯α‘αΌαααα http-response α’αΆα ααααΌαααΆααα·ααααΈαααΆααααααααα αΆαααα browser private key ααααα’αα·αα·αα (αααααΊα’αα·αα·αααααα½αα―α)αααα αΆαααΈ 3 - ααΆααααααΎαααΆααααααΆαααα»ααααα·ααΆαααΆααααααΆαααααΆααΆαααα
ααΆαααΆαααΆαααααααααα αααα»αα§ααΆα αααααα 2 - ααααΆαα’αααΈααΆααΆααα’αααααααΆααααΆααα’ααΈααΆαααααΆααα αΆααααααΎ http αα·αααααααα½αααααααΆαα’αααΈααααΆααΆααααααααα
ααΌα αααα α’ααααααΆααΈααΉαααΎααααΆαα αααΆααααΌαααααΉαααΆαααΆααα’ααααααΆααααααΆαααααΎ αα·αααα½α αα αΌααααααΆαααααΆααααααΌααααααΆαααααΆααααααα
ααΆααααααααΆααααα αΆαααααΊααΆαααααααα»α - ααααΆααααααααΎααααΆααΆααααααααααααα·ααΈαα»αααααΆαα’ααΈαααΊαα·αααΆααΆααααααΆαα’αα·αααααΈαααΆαα½αααΉαααααΆααΆααααααααααΆαααΈαααααα αααααα
αααααΆαααααααΆαααΈαααααα αααααααααΌαααααΎααΆαααααΎαααααΌα ααΆ "ααααΆααΆαααααααα’αααααΊααΌα ααα" α αΎαα’αα·αααααΈαααΆαααααααααααΎααααΆααΆαααααΌα ααααΆα
αααααα·ααΈαα»αααααΆαα’ααΈαααΊαα·αααΎαααΆαααααΎααα - ααααα·αααΎααΆα "ααααΆααΆαααααααα’αααααΊααΌα ααα" ααααΌαααΆαααα½α - αααααΊααΆααΆαααΆααΆ 100% ααΆαααααΆαααααΆαααααααααααΆααα»ααααα·ααΆαα
ααΎααΆααΆααα»ααααα·ααΆαααα»ααααΆ?
ααΆααααααΎααααααΆαααααΆαααααααααααΆααα»ααααα·ααΆαααααααααΎαα‘αΎααααα»αααααΏα ping*2α α§ααΆα ααα 20ms α
α’αααααΆααααα αΆαααααΌαααααΆαααα―αααααααααΆααΈααΆαα½αααΆαα»αα α¬αααααααααα―ααααααα»αααααααααΈαααΈαα·ααααΈαα·ααΆααΈα
ααΆααα½α ααααα―αααααααΎααα½αααΉαα αααΆααααα αααΎαααααααααααΎαα»αααααΌαααααααΎααααα αΆαααΈ 4 - ααΌαααααΆααα·ααααααααΆααΆαααααααααΆααΆαααα
ααΆααααααααα αααα»αααΏαααΆααααΌαααα ααΆαα±ααΆααααααΆααα’αααααΆααααα αΆαα’αααα»αααΎαααααΆαααααΆαααααααααΆααααΆαααΈαααααα αα·ααααΆαααΈαααα
αααΆαααΈααααααα’αΆα ααααΎαα»αααΆαααΆαααΈααα α αΎααααΆαααΈαααα’αΆα ααααΎαα»αααΆα’αα·αα·ααα α αΎαααααΆααααΆαααΌααααα½αααΌαααα»ααα·ααα ααΆααααΈαα
αααααΆαααα α’αααααΆααααα αΆαααΉαααΎαα ααΆα αααααΆααα’αα α αΎαααΉαα’αΆα "ααααααα½α" α ααΆα αααααΆαα
α§ααΆα ααα ααααΆααααααΌαα’αΆααααααΆααααααααααααααΌαααααΎααααΆαα α¬α ααααααΆααααααααΆααααΈαααΆααΆαααΆαα’ααΈαααΊαα·α α¬ααΆααΆααααααΉαααΆα "αα·ααααα α·ααα"α
ααΎααααΈααααα»ααααααααΆααααΉαα’αααααΆααααα αΆααααααα αα½αααααΆααααααΎαααΌαααααΆααα·ααααααααΆααΆααααααααΆαααααΆααΆααααααααΆααααα ααααα https ααΈαα½ααα
αααααα·ααΈαα»αααααΈαα½αα "ααΉα" α’αααΈα’αααα·ααΆαααααΌαααααΆααα·αααααααααααααααα αα 200 α ααΆααααΌαααΆαααα‘αΎαααΆαα»ααα αααα»ααααααα·ααΈαα»αααααΈαα½ααα
βα ααααααΉαβ ααααΌαααΆαααΆαααααααααααΆααΆαααααΈαα·ααααΆααααααααΈαα½ααα αααααΊααΆαααααΆαααα α’αΆααααΆαααααααΆααααΆααααΆααααΈαα½αααα·αα’αΆα ααααααααααααΆααααα₯α‘αΌααααααΆαααΆααααααΉαααΆααααα’αααΈααααααααΎ SSL αααααΆαα https α
ααααα·αααΎα’αααααααΎαα½αααααΆαααααα’ααα ααΆααΉαα αααΆααα’αααΈαααααααααααΆαααααα·αααα’αΆα hack α’αααΈαα½ααα αααα»ααα ααΆαααααααααααα ααα»ααααβαααβααΉαβααααΎβα±ααβαα½αβααβα αααΆαβααΆαβααααΉααααααβαααΆαβαααααΎαα
αα·αα’αααααΆαααΌα ααΆα NSA α¬ CIA - ααΆααααΎααααα·αα’αΆα αα αα½α αααααα»αααΆα hack ααααα·αααααΆαααΆαααΆααααααΆαααααΆαα ααΌααααΈαα VIPs αααααααααα»αααααΉαααααααα’αααΈααΆαααααΆαα ssh αααααα αα·αααΆαααααΆααΆααααα ααΈααααα ααΌα ααααααΎα’αααα’αΆα ααααΎα’αααΈααΆα? αααα αΆααααΌαααΆααααααααΆαααΆαααΈααα·ααΈα
αααααΎα ssh-by-passwordα
ααα‘α»ααααααααΆααααααΌα α’αα·αα·αα ssh αα½ααααααααΆαααΆααΎαααΆαααααΆααΆαααααααΈααΈαααΆαααΈααα ssh α
α αΎααααα»αα’αα‘α»ααααααααΆααααααααααα ααααα·αααΎααΆααααααΆα "ααααΆααΆαααααααΈααΈαααΆαααΈααα ssh" ααα α‘αΎα ααΆααΉαααΆααααααΆαα½ααααααα»αααααΆααΆααα½α ααααΆααα’αααα
α¬α’αααααααΌαααΆααααα½α ααααΆαααα ααΎααΆααααααΆααααααΌαααααα’ααα ααα»ααααα₯α‘αΌααααα’αααααΆααααααΆαα½ααααΆαααΈααααααααααΆαα’ααααααΆααΈα
ααΆααΆααα·αααΆαα αααααΆαααααΆααα·αααααΆαααααΆααααααααΊααΆααααα½α αα αα αα·αααααα·αααααΉαααααα ααΆαααΆααααα αΆααααααααΌαααΆαααααΎαααα αααα»αααααΈαα·ααααααααΆααα’αα·αα·ααααΆααααΆααααα»αααααααααααΎα ssh-by-keyα
ααΎααα flash drive αααααααΌαααα―ααααααααΆαααααΆαααΈααα ssh αα ααΎααΆ (ααΆααααααααα αα·αα ααα»α ααααΆαααααΆα αααΎααααααΆααααΏαααα ααα»αααααααα»ααααα»αααααααααααα·ααΈα’αααα αα·ααααααΆαααααΆααααααΆααααααΎαα)α
ααΎααα»αααααΆααΆααααα ααΎαααΆαααΈαααααααΆαααΈαααααα ssh ααΉααα α αΎαααΎααααααααΆααΆαα»αααΆαααααΆαααααααα
ααΎαααΆααα flash drive αα αααΆαααΈααα αααα αΌαααΆ α ααααααα―ααα α αΎααα»α flash drive α αΎαααα αΆααααα αΆαααααα ααααα (α¬αααΆαα αα ααΆααααααΎαααααααααΆαααΆααααααααΌααα)α
αααα αΎαααΆααΆααα’αα - αααααΆααααΈααααα·ααααα·ααΆαααααααααΆααΉααα·αα’αΆα αα αα½α αααααα»αααΆα hack ααΆααααααΆαα ssh ααααααα ααΆααΆααα·αααΆαααααα»ααααααα 10 ααααΆα ααΆααΉαα’αΆα ααΎαα ααΆα ααααα ααΎαα»αααααΌαααααααΎαααΆα ααα»ααααααΆααΆααΏααααααααααα»ααα»ααααα αααααααααΆααααααα α
ααΌα ααααβα₯α‘αΌαβαααβααΆβααααΉααααΈβααααΌαβααΆαβααβααΉαβα αααα»αααΉαααααΆααα’αααα’αααΈααα αΌαααααΆααααααΎααα·ααααΆαααααα SSL α
αααααααΎ "openssl genrsa" ααΎααααααΎαααα―ααα αα·α "α
ααααα" αααααΆααααααΆααΆαααα
ααΎαααααΎ "α
ααααα" αα
αααα»αα αα»αααΆααΈααΈααΈ αααααΎαα
αααΆααααα αα 9 αα»ααααΆααααααΆαααα·ααααΆααααααααΆαααααααα»αα
αααααΆααααΈααΈαααΈαααα ααΎαααα½αααΆααα "ααΆααΆααα" ααααααΎα αα·ααααα»αααααααΆααΆαααααΆα αααΎαααΈαααα»αα αα»αααΆααΈααΈααΈαααα
α ααα»α’αααΈααΆαααΆαααα»αα αα»αααΆααΈααΈααΈαα½ααααααααααΆαααααααΆααααΆαα α»ααααααααααΆααΆααααααααααα»αααΊααΆαααα½αααΆα ααααα‘αααα½α ααΎαααΉααα·ααα·α αΆαααΆααΆαα ααΈαααααα
α₯α‘αΌααααααΆα αααΆααααΆα’αααααααααα·ααΆα αΆααΉαααΊα
smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key
αα β/etc/sslβ ααΆαα―αααΆαααΆααα’αααααααΆαααααα αΆ ssl α
domain1.com - ααααααααα
ααααΆα 2018 ααΊααΆααααΆαααααΆααααααΎααααααΉαα
"ααΌααα" - ααΆααααααααΆα―αααΆαααΊααΆααα―αααα
α αΎαα’ααααααααα―αααΆααααα
smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
domain1.com - ααααααααα
ααααΆα 2018 ααΊααΆααααΆαααααΆααααααΎααααααΉαα
chained - ααΆαβαααααβααΆβααΆαβα
ααααΆααβααβααβααΆααΆααα (ααΈαα½αβααΊβααΆβααΌαααβααΆααΆαααβααααβααΎα α αΎαβα’αααΈβαααβαα
βαααβααΊβααΆβα’αααΈβαααβααΆαβααβααΈβαααα»αα αα»αβαααβααΆαβα
ααβααααΆααΆααα)α
crt - ααΆααααααααΆααΆααα·ααααΆαααααααααααααααα½α
ααΆααααα
(ααααΆααΆαααααΆαα½αααΉαααΆααααααααα
αα
ααααα) α
smtp_bind_address = XX.XX.XX.X0
smtp_bind_address6 = XXXX:XXXX:XXXX:XXXX:1:1:1:1
ααΆααααααααααα·αααααΌαααΆαααααΎαααα»αααααΈααααα ααα»ααααααααΌαααΆααααααααΆα§ααΆα αααα
αααααΆαααααα α»ααα αααα»ααααΆαααΆαααααααααααΉαααΆαα±ααααΆαααΆαα₯αααΆαααΆαααααΌαααΆαααααΎααΈαααΆαααΈαααααααα’ααα (αααααααΆααααααααααα’ααα) α
αααααΆααβααβαααααΆααβαααβα’αααβααΆααβααααΆβααΆβα’αααβαα·αβααΆαβααα α»αβααα
recipient_delimiter = +
ααα»αααααΆα αααΎααααα ααααΆαα·αααΉα ααα»αααααααααΊααΆαα½α’αααααααααααΆααααααΆααα αααΆααααααΆααα’ααΈααα α αΎαααΆααααΌαααΆαααΆααααααααααΆαααΈααααααα»αααααααΎαααΆαα αααΎαα
α§ααΆα ααα ααααα·αααΎα’αααααΆααααα’αααααα»ααα "[α’ααΈαααααΆαααΆα]"ααααΆααΆαααααΎαα "[α’ααΈαααααΆαααΆα]"- ααΎαα’αααΈαααααααΈααΆα
inet_protocols = ipv4
ααααααα ααααΆααΆαααΆααααααα ααα‘αα
ααα»ααααααΆαα·ααααααααΆααααααααααααα αααααααΈααΈαα½ααααΊααΆαααααΆαααΎααα IPv4 αααααΆαααααααα»αααΎα IPv6 αααααΆααααΈαα½ααααΆα ααααα‘ααα
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
αα
ααΈαααααΎααααααΆααααΆαααα»αααα
αΌαααΆααα’αααα
dovecot α
αα·αα
αααΆαααααααΆααααα αααα’αααααα»ααα ααααααααααααααΆα - ααααΎααα
αααα»αααΌαααααΆααα·ααααααα
/etc/postfix/mysql-virtual-mailbox-domains.cf
user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT 1 FROM virtual_domains WHERE name='%s'
/etc/postfix/mysql-virtual-mailbox-maps.cf
user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT 1 FROM virtual_users WHERE email='%s'
/etc/postfix/mysql-virtual-alias-maps.cf
user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT destination FROM virtual_aliases WHERE source='%s'
# SMTP-Auth settings
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
α₯α‘αΌαααα postfix ααΉαααΆαααα»αααα’αΆα ααααΌαααΆαααα½ααααααααΆααααΆαααααΎααααααααααααααΆααααΈααΆαα’αα»ααααΆαααΆαα½α dovecot α
αααα»αβαα·αβααΆβαα·αβαααβααΆβα ααα»βα’αααΈβααΆαβα ααααβαα βααΈαααα ααΎαααΆααααααΆαααα½α α αΎαααΌαα’αααΈααααααααΆααααααααΌαααΆααα αααα»α "virtual_transport"α
ααα»αααααααααααα postfix ααΊα αΆααααΆαα - αααα ααααΆααΆααΆααΆααααα ααααΈααααα αΆααα
smtpd_recipient_restrictions =
...
smtpd_helo_restrictions =
...
smtpd_client_restrictions =
...
αααα’αΆα ααααΌαααΆαααααααα ααΆαααααααααααααααααΆαααααΆαααααΆαααΈααααααα»αααααΈαα½ααα
αααα»αβααΆαβαααΆαααΈαβααβαααα»αααβα ααα½α 3 αα βαααα»αβααΆαβαααβα ααβααααβαααα»α α αΎαβααΆαβαααααβααΆααβαααβααΆαβααΆαβαα»αβααααΆβααααΆααβαααβααΆαβαααααΌαβααΆαβααααΎβααααΆααβαα»αβααααΆα
α’αααααααΌαααααααα ααΆααααααααααΆααααααα»ααααααααα - ααΎαα·αααΌα αααααα ααΆαα₯αααΆαααΆαααΉαα αΌαα αΌαααα’ααα α¬ααΌααααΈααα’αΆαααααααΆαααααα ααα ααΆαα₯αααΆαααΆαααΉαα αΌαα ααααΈα’αααα
# SPF
policyd-spf_time_limit = 3600
ααΆαααα‘αΎααααααα·ααΈαααα½ααα½αα ααα½αααΆααααααΉαααΆααα·αα·αααααΎα SPF ααα’ααααα αΌαα
# OpenDKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:var/run/opendkim/opendkim.sock
ααΆααααααααΊααΆααΎαααααΌααααααα αααααααΆ DKIM ααΆαα½αααΉαα’ααΈααααααα ααααΆααα’ααα
# IP address per domain
sender_dependent_default_transport_maps = pcre:/etc/postfix/sdd_transport.pcre
αααβααΆβααααααΆαβαααα’α·αβααααΆααβαααα»αβααΆαβαααααΌαβαααα»αααβααΈβααααααΈα PHPα
α―αααΆα β/etc/postfix/sdd_transport.pcreβα
/^[email protected]$/ domain1:
/^[email protected]$/ domain2:
/^[email protected]$/ domain3:
/@domain1.com$/ domain1:
/@domain2.com$/ domain2:
/@domain3.com$/ domain3:
αα ααΆααααααααΊααΆααααααααααααΆα αα ααΆαααααΆαααΊααΆααααΆααααααΆαααααΆααα’ααααα
Postfix α’αα»αααααΆαααααΆα - ααΉααα·α αΆαααΆααΎαααααΆααααααααα ααΆαααααααααα½αα ααα½αααααααααααααααΆαααα·αα·αααΆααααΆαααα½ααααααααα postfix ααΉαααααΌαααΆααααααα‘αΎααα·ααααααΆαααα·αα·αααΆααααΆαααα½αααΉαααααΌαααΆαα ααα’α»ααααα αΆααα αααα»α "master.cf" α
αα½αααΈ 4, 5, 6 ααΊααΆααααααααΆααα αααα»αααΆααααααΆαα½ααααααΎααααα»αααααΎαα·αα·αααα ααΎαααΆααααααΆααααα
ααα»ααααααΆα "ααΈ" αα·ααααααααααΌαααΆαα ααα’α»ααααα αΆααα αααα»αααααααΈα PHP αα αααα»αααΌαα αΆαααααααα αααααΆαααααααααα’αααααααΎαααα½ααααααααααα’αααααααΊααΌααααΌααΆααα½α α αΎα - αααα»ααα·αα ααααααΆααααααΆαααα‘αΎα nginx+fpm ααα
ααααααααα αααααΆααααα αααααααΈαα½αα ααΎααααααααα αΆααα’αααααααΎααααΆαα linux ααααΆαααααα½αα α αΎαααααα ααΆα fpm-pool ααααα’αααα
Fpm-pool ααααΎααααααΆαα½ααα php (ααΆααα’ααΆαααα αααααααα ααΎαααΆαααΈαααααΌα ααααΆα’αααα’αΆα ααααΎαααααααααααααΆαα php αα·αααΌααααΈαα php.ini αααααααααΆαααααΆααααα ααααααα·αααΆααααααααΆααααα αΆ) α
ααΌα αααα α’αααααααΎααααΆααααΈαα»α ααΆααααΆαα βwww-domain2β ααΆαααα ααααα domain2.com α ααα ααααααααααΆααααααΌααααααΆααααααΎα’ααΈαααααααα·ααααααΆααααΈααΆαα
ααΌα αααα αααααΈααΆαααα»αααααΈαααααααα αααα»αααααΉαααααΌαααΆαααααΎαααΆαααααΉαααααΌα α αΎαααΉααα·ααααα αααααααΆαα₯αααΆαααΆαα‘αΎαα
"/etc/postfix/master.cf" αααααααα»αααΎααα ααΌα αααα
...
smtp inet n - y - - smtpd
  -o content_filter=spamassassin
...
submission inet n - y - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
...
policyd-spf unix - n n - 0 spawn
  user=policyd-spf argv=/usr/bin/policyd-spf
spamassassin unix - n n - - pipe
  user=spamd argv=/usr/bin/spamc -f -e
  /usr/sbin/sendmail -oi -f ${sender} ${recipient}
...
domain1 unix - - n - - smtp
  -o smtp_bind_address=XX.XX.XX.X1
  -o smtp_helo_name=domain1.com
  -o inet_protocols=all
  -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:1:1
  -o syslog_name=postfix-domain1
domain2 unix - - n - - smtp
  -o smtp_bind_address=XX.XX.XX.X5
  -o smtp_helo_name=domain2.com
  -o inet_protocols=all
  -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:2:1:1
  -o syslog_name=postfix-domain2
domain3 unix - - n - - smtp
  -o smtp_bind_address=XX.XX.XX.X2
  -o smtp_helo_name=domain3
  -o inet_protocols=all
  -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:5:1
  -o syslog_name=postfix-domain3
α―αααΆααα·αααααΌαααΆααααααα±αααααααααα - ααΆααΆαααα αααααΆαααα½α
αα
α αΎαα
αααα»αααααΆααααααααααααΆααα’αααΈαααααΆαααααΆααααααΌαα
smtp inet n - y - - smtpd
  -o content_filter=spamassassin
...
spamassassin unix - n n - - pipe
  user=spamd argv=/usr/bin/spamc -f -e
  /usr/sbin/sendmail -oi -f ${sender} ${recipient}
ααΆαααααααΊααΆααΆααααααααΆααααααΉα spamassasin ααααααααααα ααααααααα
submission inet n - y - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
ααΎαα’αα»ααααΆαα±ααα’αααααααΆαααα
αααΆαααΈαααααΆααααα
ααα 587 α
ααΎααααΈααααΎααΌα
αααα’αααααααΌαα
αΌαα
policyd-spf unix - n n - 0 spawn
  user=policyd-spf argv=/usr/bin/policyd-spf
ααΎαααΆααααα½ααα·αα·ααα SPF α
apt-get install postfix-policyd-spf-python
αααααα‘αΎααααα αααααααΆααααΆααα·αα·ααα SPF ααΆαααΎα
domain1 unix - - n - - smtp
  -o smtp_bind_address=XX.XX.XX.X1
  -o smtp_helo_name=domain1.com
  -o inet_protocols=all
  -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:1:1
  -o syslog_name=postfix-domain1
α αΎααααααΊααΆα’αααΈααααα½αα±ααα αΆααα’αΆαααααααααα»αα αααααΊααΆαααααααΆααααα»αααΆαααααΎαααα»ααααααααΆαααααααΆααααΆαααα½αααΈα’αΆααααααΆα IPv4/IPv6 ααΆααααΆααα
αααααααΌαααΆαααααΎαααααΆααααΆαααααααααα rDNS α rDNS ααΊααΆααααΎαααΆαααααΆαααα½αααααα’αααααααα’αΆααααααΆα IP α
α αΎααααααΆαααααα»ααα αα»αααΆααααααααΌαααΆαααααΎααΎααααΈαααααΆααααΆ α αα‘αΌαα·αααΆααααΌαααααΆααΉα rDNS ααα’αΆααααααΆααααα’ααΈαααααααΌαααΆαααααΎαααααα·αααΎα αα‘αΌαα·αααααΌαααααΆααΉααααα’ααΈααααααα»αααΆαα’αααααααααα»αααααααΌαααΆαααααΎααα αα·αααα»ααΆαα₯αααΆαααΆαααααΌαααΆαααααααααααΆααα
Helo αα·αααααΌαααααΆααΉα rDNS αα - αα·αααα» spam ααΆα αααΎαααααΌαααΆαααααααααααΆααα
ααΌα ααααα αΎα αααααΈαα½ααααααΌαααααΆαα’αΆααααααΆα IP ααααΆαααααα½αα
αααααΆαα OVH - αα αααα»ααα»αααΌαααΆα’αΆα ααααΎαα ααΆαααΎααααΈαααααΆαα rDNS α
αααααΆαα tech.ru - αααα αΆααααΌαααΆααααααααΆαααΆααααααΆαααΆααααα
αααααΆαα AWS αααα αΆααααΌαααΆααααααααΆαααΆααααααΆαααΆααααα
"inet_protocols" αα·α "smtp_bind_address6" - ααΎαααΎαααΆαααΆαααα IPv6 α
αααααΆαα IPv6 α’αααααααααΌαα α»αααααα rDNS αααααα
βsyslog_nameβ - α αΎααααααΊαααααΆααααΆαααΆααααα½αααααΆαα’αΆααααααα ααα»α
αα·ααα·ααααΆαααααα
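An added consistency check for the per-domain transport setup above (example code, not from the original article): it parses the sdd_transport.pcre rules and the master.cf "-o" overrides, picks the transport Postfix would use for a sender (first matching rule wins), and verifies that each transport's HELO name and bind addresses agree with forward and reverse DNS. The DNS data is a constructed in-memory table using documentation addresses in place of the page's XX placeholders, and the per-user map entry uses a constructed address "alice@domain2.com".

```python
import re

# Constructed copy of the page's sdd_transport.pcre. Dots are escaped here
# because a pcre: table is a full regex and a bare "." also matches
# "domain1xcom"; the per-user entry is a constructed address.
SDD_TRANSPORT_PCRE = """\
/^alice@domain2\\.com$/ domain3:
/@domain1\\.com$/ domain1:
/@domain2\\.com$/ domain2:
/@domain3\\.com$/ domain3:
"""

# Constructed master.cf excerpt with the page's three per-domain transports
# (helo name of domain3 kept as the page shows it, without a domain part).
MASTER_CF = """\
domain1 unix - - n - - smtp
  -o smtp_bind_address=198.51.100.1
  -o smtp_helo_name=domain1.com
  -o smtp_bind_address6=2001:db8::1:1:1:1
domain2 unix - - n - - smtp
  -o smtp_bind_address=198.51.100.5
  -o smtp_helo_name=domain2.com
  -o smtp_bind_address6=2001:db8::1:2:1:1
domain3 unix - - n - - smtp
  -o smtp_bind_address=198.51.100.2
  -o smtp_helo_name=domain3
  -o smtp_bind_address6=2001:db8::1:1:5:1
"""

# Constructed DNS answers standing in for a live resolver.
DNS_FORWARD = {"domain1.com": {"198.51.100.1", "2001:db8::1:1:1:1"},
               "domain2.com": {"198.51.100.5", "2001:db8::1:2:1:1"},
               "domain3.com": {"198.51.100.2", "2001:db8::1:1:5:1"}}
DNS_PTR = {"198.51.100.1": "domain1.com", "2001:db8::1:1:1:1": "domain1.com",
           "198.51.100.5": "domain2.com", "2001:db8::1:2:1:1": "domain2.com",
           "198.51.100.2": "domain3.com"}  # domain3's IPv6 address has no PTR

def load_pcre_map(text):
    """Parse '/pattern/ result' lines of a Postfix pcre: table, keeping order."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"^/(.+)/\s+(\S+)$", line.strip())
        if m:
            rules.append((re.compile(m.group(1)), m.group(2)))
    return rules

def pick_transport(sender, rules):
    """Postfix takes the first matching rule, so per-user lines must come first."""
    for pattern, result in rules:
        if pattern.search(sender):
            return result.rstrip(":")
    return None

def load_transports(master_cf):
    """Collect the -o overrides of each service defined in master.cf."""
    transports, current = {}, None
    for line in master_cf.splitlines():
        if line and not line[0].isspace():
            current = line.split()[0]
            transports[current] = {}
        elif current and line.strip().startswith("-o "):
            key, _, value = line.strip()[3:].partition("=")
            transports[current][key] = value
    return transports

def check_fcrdns(transport, opts, forward, ptr):
    """Helo name must resolve to each bind address, and each bind address's
    PTR must point back at the helo name; return the list of mismatches."""
    helo, problems = opts["smtp_helo_name"], []
    for key in ("smtp_bind_address", "smtp_bind_address6"):
        ip = opts.get(key)
        if ip is None:
            continue
        if ip not in forward.get(helo, set()):
            problems.append(f"{transport}: {helo} does not resolve to {ip}")
        if ptr.get(ip) != helo:
            problems.append(f"{transport}: PTR of {ip} is {ptr.get(ip)}, not {helo}")
    return problems
```

Running check_fcrdns over every transport from load_transports(MASTER_CF) before enabling the map catches the cases the text warns about: a HELO name that does not match rDNS and an IPv6 bind address without a PTR record.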
============= Dovecot =============
apt-get install dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-mysql dovecot-antispam
ααΆαααα‘αΎα mysql ααα‘αΎααααα ααααααααα½αα―αα
α―αααΆα "/etc/dovecot/conf.d/10-auth.conf"
disable_plaintext_auth = yes
auth_mechanisms = plain login
ααΆαα’αα»ααααΆαααααΌαααΆαα’αα·αααααΈαααααα»αααααα
α―αααΆα β/etc/dovecot/conf.d/10-mail.confβ
mail_location = maildir:/var/mail/vhosts/%d/%n
αα ααΈαααααΎαα ααα’α»ααααα αΆαααΈααΆαααααα»ααααααΆααα’ααααα
αααα»αα ααα±αααα½αααΆααααΌαααΆααααααΆαα»ααααα»αα―αααΆα αα·αααΆααααΆαααα»αααΆααααα
α―αααΆα "/etc/dovecot/conf.d/10-master.conf"
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    address = XX.XX.XX.X1, XX.XX.XX.X2, XX.XX.XX.X5, [XXXX:XXXX:XXXX:XXXX:1:1:1:1], [XXXX:XXXX:XXXX:XXXX:1:2:1:1], [XXXX:XXXX:XXXX:XXXX:1:1:5:1]
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    address = XX.XX.XX.X1, XX.XX.XX.X2, XX.XX.XX.X5, [XXXX:XXXX:XXXX:XXXX:1:1:1:1], [XXXX:XXXX:XXXX:XXXX:1:2:1:1], [XXXX:XXXX:XXXX:XXXX:1:1:5:1]
    port = 995
    ssl = yes
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
service imap {
}
service pop3 {
}
service auth {
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
  user = dovecot
}
service auth-worker {
  user = vmail
}
service dict {
  unix_listener dict {
  }
}
αααααΊααΆα―αααΆαααααααα
ααΆαααααααα dovecot α
ααααα
αα
ααΈαααααΎααα·αααΆαααααΆααααααα·αααΆααα»ααααα·ααΆαα
αα·αααΎαααΆααααααΆαααα»ααααα·ααΆαα
α―αααΆα "/etc/dovecot/conf.d/10-ssl.conf"
ssl = required
ssl_cert = </etc/nginx/ssl/domain1.com.2018.chained.crt
ssl_key = </etc/nginx/ssl/domain1.com.2018.key
local XX.XX.XX.X5 {
  ssl_cert = </etc/nginx/ssl/domain2.com.2018.chained.crt
  ssl_key = </etc/nginx/ssl/domain2.com.2018.key
}
ααΆαααα‘αΎα ssl α ααΎααααα αΆαααΆ ssl ααααΌαααΆαααΆαααΆαα
αα·ααα·ααααΆαααααααααα½αα―αα α αΎαααααααΆααααα’α·αααααΆααααΊααΆαααααΆα "αααα»ααααα»α" α α ααα’α»ααααα αΆαααΆαα·ααααΆαααααα ssl αα½αααΆαααααααΌαααααΎαα αααααααΆαααα IPv4 ααΌαααααΆαααΆαα½αααα·ααΆαα’ααα αΉα IPv6 αα·αααααΌαααΆαααααααα ααΈααααα αααα»αααΉααααααααΌαααΆαααααΆαααααα ααααααααα
XX.XX.XX.X5 (domain2) - ααααΆααα·ααααΆααααααα ααΎααααΈααααΆααα’αα·αα·αα α’αααααααΌααααααΆαα domain1.comα
XX.XX.XX.X2 (domain3) - ααΆααα·ααααΆαααααα α’αααα’αΆα αααααΆαα domain1.com α¬ domain3.com ααΎααααΈααααΆααα’αα·αα·ααα
α―αααΆα "/etc/dovecot/conf.d/15-lda.conf"
protocol lda {
  mail_plugins = $mail_plugins sieve
}
ααΆααΉαα αΆαααΆα ααααααΆαα spamassassin ααΆαααα’ααΆααα
α―αααΆα "/etc/dovecot/conf.d/20-imap.conf"
protocol imap {
  mail_plugins = $mail_plugins antispam
}
αααααΊααΆαααααα·ααΈαααα½ααααααΆααααΆαα₯αααΆαααΆαα ααααΌαααΆααααααΆααααΆαααααα»ααααααΆα spamassasin αα αααααααααα /ααΈαα βSpamβα
α―αααΆα "/etc/dovecot/conf.d/20-pop3.conf"
protocol pop3 {
}
ααΆαααα―αααΆαααααααααα
α―αααΆα β/etc/dovecot/conf.d/20-lmtp.confβ
protocol lmtp {
  mail_plugins = $mail_plugins sieve
  postmaster_address = [email protected]
}
ααΆαααα‘αΎα lmtp α
α―αααΆα "/etc/dovecot/conf.d/90-antispam.conf"
plugin {
  antispam_backend = pipe
  antispam_trash = Trash;trash
  antispam_spam = Junk;Spam;SPAM
  antispam_pipe_program_spam_arg = --spam
  antispam_pipe_program_notspam_arg = --ham
  antispam_pipe_program = /usr/bin/sa-learn
  antispam_pipe_program_args = --username=%Lu
}
ααΆααααααααΆαααααα»ααααααΆα Spamassasin αα αααααααααα /ααΈααααΆαα₯αααΆαααΆαα
α―αααΆα "/etc/dovecot/conf.d/90-sieve.conf"
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_after = /var/lib/dovecot/sieve/default.sieve
}
α―αααΆαααααααααΆααααΈα’αααΈαααααααΌαααααΎααΆαα½αα’ααααα αΌαα
α―αααΆα "/var/lib/dovecot/sieve/default.sieve"
require ["fileinto", "mailbox"];
if header :contains "X-Spam-Flag" "YES" {
  fileinto :create "Spam";
}
α’αααααααΌαα αααααα―αααΆαα βsievec default.sieveβα
α―αααΆα "/etc/dovecot/conf.d/auth-sql.conf.ext"
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
}
αααααΆααα―αααΆα sql αααααΆααααΆαα’αα»ααααΆαα
α αΎαα―αααΆααααα½αααΆααααΌαααΆαααααααΎααΆαα·ααΈααΆαααααααααΆαα’αα»ααααΆαα
α―αααΆα "/etc/dovecot/dovecot-sql.conf.ext"
driver = mysql
connect = host=127.0.0.1 dbname=servermail user=usermail password=password
default_pass_scheme = SHA512-CRYPT
password_query = SELECT email as user, password FROM virtual_users WHERE email='%u';
αααααααΌαααααΆαα ααΉαααΆααααααααααααααααΆαααααΆαα postfix α
α―αααΆα "/etc/dovecot/dovecot.conf"
protocols = imap lmtp pop3
listen = *, ::
dict {
}
!include conf.d/*.conf
!include_try local.conf
α―αααΆαααααααα
ααΆααααααααααααΆααα
ααΏαααααΆααααΊααΆααΎαα
ααα’α»ααααα αΆααα
ααΈααα - αααααααα·ααΈααΆαα
============= SpamAssassin =============
apt-get install spamassassin spamc
αααααα‘αΎααααα ααα
adduser spamd --disabled-login
αααααααααα’αααααααΎααααΆαααααα»αααΆαα’αααααΆα
systemctl enable spamassassin.service
ααΎαααΎαααααΆαααα spamassassin αααα»ααααααααααααααααα·αα ααααααα»αα
α―αααΆα "/etc/default/spamassassin":
CRON=1
αααααΎαααααΎαααΆαααΆαααααΎαα αα α»ααααααααΆααααααααααααααααα·ααα αααΆαα "ααΆαααααΆαααΎα"α
α―αααΆα β/etc/spamassassin/local.cfβα
report_safe 0
use_bayes 1
bayes_auto_learn 1
bayes_auto_expire 1
bayes_store_module Mail::SpamAssassin::BayesStore::MySQL
bayes_sql_dsn DBI:mysql:sa:localhost:3306
bayes_sql_username sa
bayes_sql_password password
α’αααααααΌααααααΎαααΌαααααΆααα·αααααα βsaβ αα αααα»α mysql ααΆαα½αα’αααααααΎααααΆαα βsaβ ααΆαα½αααΉαααΆααααααααΆαα βpasswordβ (αααα½ααααα’αααΈαα½αααααααααααααΆαα)α
report_safe - ααΆααΉαααααΎαααΆαααΆαααααα’ααΈααααααΆαα₯αααΆαααΆααααα½αα±αααα·αα·ααα½αα
use_bayes ααΊααΆααΆααααααααΆαααααααΆαααΈα spamassassin α
ααΆαααααα spamassassin ααααα ααααααααααΌαααΆαααααΎααααΆαααα»ααααα»αα’αααααα
============= α’αααΆαααΆαααααα αααα =============
αααα»αβααβα ααβαααβαααα·αβαα½αβαα βαα ααααβα’αααΈβααααβαααααΎαβααααα·αβαα»ααααα·ααΆαβααβαααα»αααβαααααΌαβααααα αααααΆαβααβαααα»αβα αΌαβα α·αααβαααΆαβααααΆααβαααα»αβαααααΆαααβαααα»αααα
ααΌα ααααβα’αααβααααΎβα’αΆα βαααααΎαβααβαα½αβααΌβαα βααΎβαααΆαααΈαβαααααβααααβααΆαα (ααααααα·ααα, ααααααΆαα, αααααα·ααΈβαααα½αβαααααα·ααΈβα’ααΈαααΊαα·α, ... )α ααΆααΆααα αα·αα―αααα ααΆααΆααα - ααααΎαα DNS α α―ααα - αααααΆαα»ααα ααΎαααΆαααΈααααααα αααΆαααΈαααα’ααΈαααααΉαα’αΆα ααααΎααααΆααΆαααααΎααααΈααααΎαα α’αααααα½αααΆααααΆααα
α αΎαααΎααααΈααΆαααΆααααααΆααααΉαααΆαα₯αααΆαααΆαααΆαα½αααΉαα’αααααααααα (ααΆα αααΆαααΈαααααΉααα·αα’αΆα ααΎαααααΉαααΆαααΆααα) - α’αααααΉαααααΌαααααΆαα αααΆααα ααα½α 3α
- α αααααααΆ DKIM αα·αααααΆααα αΆαααΆα α SPF α αΆαααΆα α rDNS α αΆαααΆα αα
- αααααΆααααααααααΆαααΎαααααΆαααααααΆαααααα»ααααααΆααααααΆααααΆαα₯αααΆαααΆα + ααΌαααααΆααα·αααααααααααΆααααΆαα ααΆαα’αα·αα·ααα
- αααα½ααααααααΆαααΆαα’αα·αααααΈαααααΌαααααΆαααΌα αααααΆααΈαααααΌαααααΌαα αααΆαααΆααααααΈααΈααΌ 100 ααααΎααΆαα’αα·αααααΈαααΆααααααααα½αα
ααααααααΈααΎαα·αα·αααΆααΆααα ααΌααααααΎααα·αα·αααααΎαα»ααααααααΆα βααΎααααΈα αΆααααααΎαααΆαααααΎααααααααααααααα»ααααα·ααΆαβα α’αααααααΎααααΆααααααΆαα (αααα’αααααα»ααα) ααααΎαααα»ααααααααΆαα―αααΆαααααΆαααα ααΆαααααα’αααααα»αααααααααααα αααα»αααααΆαααααΎααΆα’αααααααΎααααΈα αΆααααααΎααααααΆαααααΆαααααααααααΆααα»ααααα·ααΆααααααΆααααΆαααααΎααααα αα·αααααΆααΆαααααααααα αΆαααααα’αααααα»ααα (ααΆαα½αααα―ααααα ααΆαα’αα·αα·αα)α
α’ααααααααΆααα’αΆα αααααΎαααΌαααααΈααααΆααα·ααααααααΆααααΆαααααΎαααααααΈαα½ααα α’αααααααΎααααΆααα’αααααα½αα’αΆα ααα½αααααΆααααααααΌαααα α αΎαααααΎααααΆααΆαααααααααΆαα (ααααααΎα‘αΎαααΆαα·ααααααααΆααααΆαααααΎααααααααααααα)α αααααΆαααα α’αααααααΎααααΆααααΈαα½αααααΎαα·αα·ααααα½ααα·αα·αααααααΆαααα (α’αα·αααααΈααααααααΎααααΆααΆαααααααα’αααααααΎααΈααΈα) - αα αααααα½αααΆαα’αααααααΎααααΆααααΈααΈαα’αΆα αα·α αΆαααΆαααααΆαααααΆαααααααααααΆααααααΎαα‘αΎααααα’αΆα αα»αα α·αααααΆαα αααααΆαααα α’αααααααΎααααΆααααΈααΈαααααΎαα·αα·ααααααΆ - α αΎααααααΆαααα α’αααααααΎααααΆααααΈαα½αααα’αΆα αα·α αΆαααΆααΆααααααααΆααααααΎαααΆααα»ααααα·ααΆααααααα
ααΎααααΈααααα»ααααααααΆααααΉαααΆαααααΆααα αΆαααααα ααΎααααΌα αα·ααΈααΆαααααΌααααααααααααααΆαααααΆααααααΌαααααΆααΆααααααΆαα αα ααΆαααα½ααααααααΎ flash driveα
α αΎαα’αααΈαααααααΆαααααα»ααααααΊααΆααΆααααΎαααΆαααΆααα’αα (αααα½αααΊ "ααΎα’αααααΆααΉαα
αααΆααααααΆααααΆ?")α
αααα
αΌααα·ααααΆαααααααααααααΈααα
αΆααααΈ $10 αααααΆαααααααα 3 ααααΆαα αααααΉαα’αα»ααααΆαα±ααα’αααααααΎαααα αΆααα
αααα»α dns ααΆ "ααααΆααΆααααααααααα»αααΊαα
ααΈααα" α α αΎααα½αααααΉααααααα±ααα’αααααΌαα±ααΆαααΎααααΈα
αΆααααααΎαααΆααααααΆαααααααΆααα»ααααα·ααΆαα αααααΉαααΉααααααΆαααα½αααααΆααααααΆααααααααααΊαα·ααα·αααααααα
ααΈαααα»α gmail αααα»αααααααΆααααΈα’αααααααΎααααΆαααααααααα½αα αααααΆαα $10 αααα»ααααααα 3 ααααΆα - αα·αααα·αααα»αααΆααααααΎααααααΆαααααΎααααααααααΆααα»ααααα·ααΆαα
============= ααα ααααΈααααα·ααααΆα =============
ααΎααααΈααΆαααααα’αααααααΆααααΌα αααα»αααΉααα½ααααΆαααΈααααααααΆαααα½ααα α αΎααα·αααααααααΆααα·ααααΆαααααα SSL α
ααα»ααααβααααΆαααΆαβααΈαα·αβααΆαβαα·αααααα ααΌα
ααααβαααα αΆβαααβααΆαβα’αΌααααααΆαβαααααα α’ ααα
ααΌα
ααααα αΎα αα
αααααααααα»αααΆαααααααααααααααα αααα»αααΆααααααα
α
α·αααααααα»αααα’αααααααΌα
αα»α ααΆααΆαααααα»αααΉαααΆαααααα»αααααααααααααα½αααααΆααααα
ααααα·αααΎααΆααααα½αααΆα αααΎαααΌα ααΆ "ααα»ααααααααα·αααααΌαααΆααα·αααααΆαααα’α·ααααααααααΆαααα" ααααααα ααααΆααΆααααααΆααααΎααααΈαααααΆαααΈαααααααα·αααααααΉααααααααΆαα½ααααααααΈ αα·ααα·ααααΆαααααα SSL ααααΈ α αΎααα·αααααΆααΆα±ααααΆαααααααα’α·α α αΎαααΆαα αααΎα ααααΆαα αααααα’ααααααααΆαααααααΆααααα’α·αααααΆααααααααΆααα
αααα»αααα ααααα½αααΆαααα·αααααα’ααΎαααα·αα’αααΈαα·ααααΆαααααααααααααΈαααααααα ααααα·αααΎα’αααα αΌαα α·ααααααα·α αααα»αααΉαααααΆααΆαααααααααααααΆααααΎααααΈαααααααα ααααΈααααΆααααααΆαα rfc α
αα
αααα
αααααααααααααα’ααααα ααΌαααααααααααααΆαααα
ααΆααα’ααααααααα
αα
αααααααααααΆααΆααΆαααααααα ααΌααααααααααα
ααΆααα’ααααααααα
αααα»αααΉαααααΆααΆαααααααααΆααΆααΆααΆα’αααααααααααααα½αα―α α αΎααα»αα―αααΆααααααααααΆααα
ααααα: www.habr.com