Debian + Postfix + Dovecot + Multidomain + SSL + IPv6 + OpenVPN + Multi-interfaces + SpamAssassin-learn + Bind

This article is about setting up a modern mail server.
Postfix + Dovecot. SPF + DKIM + rDNS. With IPv6.
With TLS encryption. With support for multiple domains, some of them with a real SSL certificate.
With anti-spam protection and a high anti-spam rating from other mail servers.
With support for multiple physical interfaces.
With OpenVPN, connecting over IPv4 and providing IPv6.

If you don't want to learn all of these technologies but do want to set up such a server, then this article is for you.

The article does not try to explain every detail. The explanations cover what is not configured by default, or what matters from the consumer's point of view.

The motivation for setting up a mail server is a long-standing dream of mine. It may sound silly, but IMHO it beats dreaming of a new car from your favourite brand.

There are two motivations for setting up IPv6. An IT specialist has to keep learning new technologies to survive. And I want to make my small contribution to the fight against censorship.

The motivation for setting up OpenVPN is simply to get IPv6 working on my local machine.
The motivation for setting up several physical interfaces is that my server has one interface that is "slow but unlimited" and another that is "fast but metered".

The motivation for setting up Bind is that my ISP provides an unstable DNS server, and Google's also goes down from time to time. I want a stable DNS server for personal use.

The motivation for writing the article: I wrote a draft 10 months ago and have already gone back to it twice. Even if only the author needs it regularly, there is a good chance others will need it too.

There is no universal solution for a mail server. But I will try to write it in the style of "do this, and then everything will work as it should; throw away the extras."

The company tech.ru provides a colocation server. It can be compared with OVH, Hetzner, AWS. For this task, working with tech.ru is much more effective.

Debian 9 is installed on the server.

The server has 2 interfaces, `eno1` and `eno2`. The first is unlimited, the second is fast.

There are 3 public IP addresses: XX.XX.XX.X0, XX.XX.XX.X1 and XX.XX.XX.X2 on interface `eno1`, and XX.XX.XX.X5 on interface `eno2`.

There is a pool of IPv6 addresses XXXX:XXXX:XXXX:XXXX::/64 assigned to interface `eno1`, from which XXXX:XXXX:XXXX:XXXX:1:2::/96 was assigned to `eno2` at my request.

There are three domains: `domain3.com`, `domain1.com`, `domain2.com`. There are SSL certificates for `domain3.com` and `domain1.com`.

I have a Google account to which I want to attach my mailbox `[email protected]` (receiving mail and sending mail directly from the gmail interface).
There must be a mailbox `[email protected]`, a copy of whose mail I want to see in my gmail. And only rarely will I need to send anything on behalf of `[email protected]` via the web interface.

There must be a mailbox `[email protected]` that Ivanov will use from his iPhone.

Sent emails must meet all modern anti-spam requirements.
There must be the highest level of encryption available on public networks.
There must be IPv6 support for both sending and receiving mail.
There must be a SpamAssassin that never deletes emails. It either bounces, passes, or delivers to the IMAP "Spam" folder.
SpamAssassin auto-learning must be configured: if I move a message into the Spam folder, it learns from that; if I move a message out of the Spam folder, it learns from that. The results of SpamAssassin training must influence whether a message ends up in the Spam folder.
PHP scripts must be able to send mail on behalf of any domain on the given server.
There must be an openvpn service, with the ability to use IPv6 on a client that has no IPv6.

First you need to configure the interfaces and routing, including IPv6.
Then you need to configure OpenVPN, connecting over IPv4 and giving the client a real IPv6 address. This client will have access to all IPv6 services on the server and to any IPv6 resources on the Internet.
Then you need to configure Postfix for sending mail + SPF + DKIM + rDNS and other small things of that kind.
Then you need to configure Dovecot and set up Multidomain.
Then you need to configure SpamAssassin and set up training.
Finally, install Bind.

============= Multi-interface =============

To configure the interfaces, you need to write this in "/etc/network/interfaces".

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eno1
iface eno1 inet static
        address XX.XX.XX.X0/24
        gateway XX.XX.XX.1
        dns-nameservers 127.0.0.1 213.248.1.6
        post-up ip route add XX.XX.XX.0/24 dev eno1 src XX.XX.XX.X0 table eno1t
        post-up ip route add default via XX.XX.XX.1 table eno1t
        post-up ip rule add table eno1t from XX.XX.XX.X0
        post-up ip rule add table eno1t to XX.XX.XX.X0

auto eno1:1
iface eno1:1 inet static
        address XX.XX.XX.X1
        netmask 255.255.255.0
        post-up ip rule add table eno1t from XX.XX.XX.X1
        post-up ip rule add table eno1t to XX.XX.XX.X1
        post-up   ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t
        post-down ip route del 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t

auto eno1:2
iface eno1:2 inet static
        address XX.XX.XX.X2
        netmask 255.255.255.0
        post-up ip rule add table eno1t from XX.XX.XX.X2
        post-up ip rule add table eno1t to XX.XX.XX.X2

iface eno1 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:1::/64
        gateway XXXX:XXXX:XXXX:XXXX::1
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:2/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:1:1:2/64 dev $IFACE

# The secondary network interface
allow-hotplug eno2
iface eno2 inet static
        address XX.XX.XX.X5
        netmask 255.255.255.0
        post-up   ip route add XX.XX.XX.0/24 dev eno2 src XX.XX.XX.X5 table eno2t
        post-up   ip route add default via XX.XX.XX.1 table eno2t
        post-up   ip rule add table eno2t from XX.XX.XX.X5
        post-up   ip rule add table eno2t to XX.XX.XX.X5
        post-up   ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X5 table eno2t
        post-down ip route del 10.8.0.0/24 dev tun0 src XX.XX.XX.X5 table eno2t

iface eno2 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:2::/96
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:2:1:1/64 dev $IFACE
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:2:1:2/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:2:1:1/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:2:1:2/64 dev $IFACE

# OpenVPN network
iface tun0 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:3::/80

You can use these settings on any server at tech.ru (with a little coordination with support) and it will immediately work as it should.

If you have experience setting up something similar at Hetzner or OVH, it is different there. More complicated.

eno1 is the name of network card #1 (slow but unlimited).
eno2 is the name of network card #2 (fast but metered).
tun0 is the name of the virtual network card created by OpenVPN.
XX.XX.XX.X0 - IPv4 #1 on eno1.
XX.XX.XX.X1 - IPv4 #2 on eno1.
XX.XX.XX.X2 - IPv4 #3 on eno1.
XX.XX.XX.X5 - IPv4 #1 on eno2.
XX.XX.XX.1 - IPv4 gateway.
XXXX:XXXX:XXXX:XXXX::/64 - IPv6 for the whole server.
XXXX:XXXX:XXXX:XXXX:1:2::/96 - IPv6 for eno2; everything else coming from outside goes to eno1.
XXXX:XXXX:XXXX:XXXX::1 - IPv6 gateway (strictly speaking, this can and should be done differently: specify the IPv6 switch).
dns-nameservers - 127.0.0.1 is specified (because bind is installed locally) and 213.248.1.6 (this one is from tech.ru).

"table eno1t" and "table eno2t" - the meaning of these routing rules is that traffic that comes in through eno1 -> leaves through it, and traffic that comes in through eno2 -> leaves through it. And connections initiated by the server go out through eno1.

ip route add default via XX.XX.XX.1 table eno1t

With this command we specify that any traffic we don't otherwise understand, once it falls under a rule pointing at "table eno1t" -> is sent to interface eno1.

ip route add XX.XX.XX.0/24 dev eno1 src XX.XX.XX.X0 table eno1t

With this command we specify that traffic initiated by the server should be sent to interface eno1.

ip rule add table eno1t from XX.XX.XX.X0
ip rule add table eno1t to XX.XX.XX.X0

With these commands we set the rules for marking traffic.

auto eno1:2
iface eno1:2 inet static
        address XX.XX.XX.X2
        netmask 255.255.255.0
        post-up ip rule add table eno1t from XX.XX.XX.X2
        post-up ip rule add table eno1t to XX.XX.XX.X2

This block specifies a second IPv4 for interface eno1.

ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t

With this command we set the route from OpenVPN clients to the local IPv4 addresses other than XX.XX.XX.X0.
I still don't understand why this one command is enough for all the IPv4 addresses.

iface eno1 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:1::/64
        gateway XXXX:XXXX:XXXX:XXXX::1

This is where we set the address of the interface itself. The server will use it as its "outgoing" address. It will not be used in any other way.

Why is ":1:1::" so complicated? Only so that OpenVPN works correctly, nothing else. More on this later.

About the gateway - this is how it works, and it is fine. But the correct way is to specify here the IPv6 of the switch the server is connected to.

However, for some reason IPv6 stops working when I do that. This is probably some tech.ru problem.

ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE

Adding an IPv6 address to the interface. If you want a hundred addresses, that means a hundred lines in this file.

iface eno1 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:1::/64
...
iface eno2 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:2::/96
...
iface tun0 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:3::/80

I wrote out the addresses and subnets of all the interfaces to make this clear.
eno1 - must be "/64" - because this is our entire pool of addresses.
tun0 - must have a larger netmask than eno1. Otherwise it will not be possible to configure an IPv6 gateway for OpenVPN clients.
eno2 - must have a larger netmask than tun0. Otherwise OpenVPN clients will not be able to reach the local IPv6 addresses.
For clarity I chose a netmask step of 16, but if you want, you can use a step of "1".
So, 64+16 = 80, and 80+16 = 96.

To make it even clearer:
XXXX:XXXX:XXXX:XXXX:1:1:YYYY:YYYY are addresses that should be assigned to specific sites or services on interface eno1.
XXXX:XXXX:XXXX:XXXX:1:2:YYYY:YYYY are addresses that should be assigned to specific sites or services on interface eno2.
XXXX:XXXX:XXXX:XXXX:1:3:YYYY:YYYY are addresses that should be assigned to OpenVPN clients or used as OpenVPN service addresses.
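To see the nesting rule above in action, here is an added example (not part of the article) that computes the connected route each interface address creates and applies longest-prefix matching to sample destinations, which is how the kernel decides between eno1, tun0 and eno2. The pool 2001:db8:1:1::/64 stands in for the masked XXXX:XXXX:XXXX:XXXX::/64 (an assumption).

```python
"""Added example: check the nested IPv6 plan (eno1 /64 > tun0 /80 > eno2 /96)
and show which interface a destination is routed through.

The pool 2001:db8:1:1::/64 is a constructed stand-in for the masked
XXXX:XXXX:XXXX:XXXX::/64 of the article (assumption)."""
import ipaddress

POOL = "2001:db8:1:1"

# Interface addresses written the way the article puts them in
# /etc/network/interfaces: an address plus a prefix length.
IFACE_ADDRS = {
    "eno1": f"{POOL}:1:1::/64",
    "tun0": f"{POOL}:1:3::/80",
    "eno2": f"{POOL}:1:2::/96",
}


def on_link_networks(iface_addrs):
    """Map each interface to the connected route its address/prefix creates
    (this is what the kernel installs when the address is added)."""
    return {name: ipaddress.ip_interface(addr).network
            for name, addr in iface_addrs.items()}


def check_plan(iface_addrs):
    """Return the violations of the article's rule: eno1 carries the whole
    /64, tun0 is more specific than eno1, and eno2 more specific than tun0."""
    nets = on_link_networks(iface_addrs)
    problems = []
    if nets["eno1"].prefixlen != 64:
        problems.append("eno1 must carry the whole /64 pool")
    if nets["tun0"].prefixlen <= nets["eno1"].prefixlen:
        problems.append("tun0 needs a longer mask than eno1: no IPv6 gateway for VPN clients")
    if nets["eno2"].prefixlen <= nets["tun0"].prefixlen:
        problems.append("eno2 needs a longer mask than tun0: VPN clients cannot reach eno2")
    for name in ("tun0", "eno2"):
        if not nets[name].subnet_of(nets["eno1"]):
            problems.append(f"{name} lies outside the /64 pool")
    return problems


def egress_interface(dst, iface_addrs):
    """Longest-prefix match over the connected routes: the interface whose
    prefix contains dst with the most bits wins, as in the kernel FIB."""
    ip = ipaddress.ip_address(dst)
    nets = on_link_networks(iface_addrs)
    matches = [(net.prefixlen, name) for name, net in nets.items() if ip in net]
    return max(matches)[1] if matches else None


if __name__ == "__main__":
    print("plan problems:", check_plan(IFACE_ADDRS))
    for dst in (f"{POOL}:1:3:0:5", f"{POOL}:1:2:1:1", f"{POOL}::1"):
        print(dst, "->", egress_interface(dst, IFACE_ADDRS))
```

Note that an eno2 address such as 2001:db8:1:1:1:2:1:1 also lies inside tun0's /80; it is only the longer /96 on eno2 that keeps it from being routed into the tunnel, which is the article's reason for the mask ordering.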

To configure the network, you should be able to reboot the server.
IPv4 changes are picked up when this is executed (be sure to wrap it in screen - otherwise this command will simply break the network on the server):

/etc/init.d/networking restart

Add to the end of the file "/etc/iproute2/rt_tables":

100 eno1t
101 eno2t

Without this, you cannot use custom tables in the "/etc/network/interfaces" file.
The numbers must be unique and less than 65535.

IPv6 changes can be applied without a reboot, but to do that you need to learn at least three commands:

ip -6 addr ...
ip -6 route ...
ip -6 neigh ...

Settings in "/etc/sysctl.conf"

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward = 1

# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0

# For receiving ARP replies
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.default.arp_filter = 0

# For sending ARP
net.ipv4.conf.all.arp_announce = 0
net.ipv4.conf.default.arp_announce = 0

# Enable IPv6
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0

# IPv6 configuration
net.ipv6.conf.all.autoconf = 1
net.ipv6.conf.all.accept_ra = 0

# For OpenVPN
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.proxy_ndp = 1

# For nginx on boot
net.ipv6.ip_nonlocal_bind = 1

These are the "sysctl" settings of my server. Let me point out a few important things.

net.ipv4.ip_forward = 1

Without this, OpenVPN will not work.

net.ipv6.ip_nonlocal_bind = 1

Anything that tries to bind to IPv6 (for example nginx) immediately after the interface comes up gets an error: the address is not available.

To avoid this situation, this setting is used.

net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.proxy_ndp = 1

Without these IPv6 settings, traffic from the OpenVPN client will not get out into the world.

The other settings are either not relevant, or I don't remember what they are for.
But just in case, I leave them "as is".

For changes to this file to take effect without rebooting the server, you need to run the command:

sysctl -p

More details on the "table" rules: habr.com/post/108690

============= OpenVPN ==============

OpenVPN over IPv4 does not work without iptables.

My iptables rules for the VPN look like this:

iptables -A INPUT -p udp -s YY.YY.YY.YY --dport 1194 -j ACCEPT
iptables -A FORWARD -i tun0 -o eno1 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j SNAT --to-source XX.XX.XX.X0
##iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j DROP
iptables -A FORWARD -p udp --dport 1194 -j DROP

YY.YY.YY.YY is the static IPv4 address of my local machine.
10.8.0.0/24 - the openvpn IPv4 network. IPv4 addresses for openvpn clients.
The order of the rules is important.

iptables -A INPUT -p udp -s YY.YY.YY.YY --dport 1194 -j ACCEPT
iptables -A FORWARD -i tun0 -o eno1 -j ACCEPT
...
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j DROP
iptables -A FORWARD -p udp --dport 1194 -j DROP

This is a restriction so that only I can use OpenVPN, from my static IP.

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j SNAT --to-source XX.XX.XX.X0
  -- or --
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j MASQUERADE

To pass IPv4 packets between OpenVPN clients and the Internet, you need to add one of these commands.

For other cases, one of the two options may not be suitable.
For my case, both commands are fine.
After reading the documentation, I chose the first option because it has less CPU overhead.

For all the iptables settings to be picked up after a reboot, you need to save them somewhere.

iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

These names were not chosen at random. They are used by the "iptables-persistent" package.

apt-get install iptables-persistent

Installing the main OpenVPN package:

apt-get install openvpn easy-rsa

You need to set up a template for the certificates (substitute your own values):

make-cadir ~/openvpn-ca
cd ~/openvpn-ca
ln -s openssl-1.0.0.cnf openssl.cnf

You need to edit the certificate template settings:

mcedit vars

...
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="RU"
export KEY_PROVINCE="Krasnodar"
export KEY_CITY="Dinskaya"
export KEY_ORG="Own"
export KEY_EMAIL="[email protected]"
export KEY_OU="VPN"

# X509 Subject Field
export KEY_NAME="server"
...

Create the server certificate:

cd ~/openvpn-ca
source vars
./clean-all
./build-ca
./build-key-server server
./build-dh
openvpn --genkey --secret keys/ta.key

You need to set up the ability to create the final "client-name.ovpn" files:

mkdir -p ~/client-configs/files
chmod 700 ~/client-configs/files
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
mcedit ~/client-configs/base.conf

# Client mode
client

# Interface tunnel type
dev tun

# TCP protocol
proto tcp-client

# Address/Port of VPN server
remote XX.XX.XX.X0 1194

# Don't bind to local port/address
nobind

# Don't need to re-read keys and re-create tun at restart
persist-key
persist-tun

# Remote peer must have a signed certificate
remote-cert-tls server
ns-cert-type server

# Enable compression
comp-lzo

# Custom
ns-cert-type server
tls-auth ta.key 1
cipher DES-EDE3-CBC

You need to set up a script that merges all the files into a single ovpn file.

mcedit ~/client-configs/make_config.sh
chmod 700 ~/client-configs/make_config.sh

#!/bin/bash

# First argument: Client identifier
if [ -z "$1" ]; then
    echo "usage: $0 client-name" >&2
    exit 1
fi

KEY_DIR=~/openvpn-ca/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

# Inline the CA cert, client cert, client key and tls-auth key
# into one .ovpn file after the base config
cat ${BASE_CONFIG} \
    <(echo -e '<ca>') \
    ${KEY_DIR}/ca.crt \
    <(echo -e '</ca>\n<cert>') \
    ${KEY_DIR}/${1}.crt \
    <(echo -e '</cert>\n<key>') \
    ${KEY_DIR}/${1}.key \
    <(echo -e '</key>\n<tls-auth>') \
    ${KEY_DIR}/ta.key \
    <(echo -e '</tls-auth>') \
    > ${OUTPUT_DIR}/${1}.ovpn

Creating the first OpenVPN client:

cd ~/openvpn-ca
source vars
./build-key client-name
cd ~/client-configs
./make_config.sh client-name

The file "~/client-configs/files/client-name.ovpn" is sent to the client's device.

For iOS clients you need to do the following trick:
The contents of the "tls-auth" tag must contain no comments.
Also put "key-direction 1" immediately before the "tls-auth" tag.

Now let's set up the OpenVPN server config:

cd ~/openvpn-ca/keys
cp ca.crt ca.key server.crt server.key ta.key dh2048.pem /etc/openvpn
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | tee /etc/openvpn/server.conf
mcedit /etc/openvpn/server.conf

# Listen port
port 1194

# Protocol
proto tcp-server

# IP tunnel
dev tun0
tun-ipv6
push tun-ipv6

# Master certificate
ca ca.crt

# Server certificate
cert server.crt

# Server private key
key server.key

# Diffie-Hellman parameters
dh dh2048.pem

# Allow clients to communicate with each other
client-to-client

# Client config dir
client-config-dir /etc/openvpn/ccd

# Run client-specific script on connection and disconnection
script-security 2
client-connect "/usr/bin/sudo -u root /etc/openvpn/server-clientconnect.sh"
client-disconnect "/usr/bin/sudo -u root /etc/openvpn/server-clientdisconnect.sh"

# Server mode and client subnets
server 10.8.0.0 255.255.255.0
server-ipv6 XXXX:XXXX:XXXX:XXXX:1:3::/80
topology subnet

# IPv6 routes
push "route-ipv6 XXXX:XXXX:XXXX:XXXX::/64"
push "route-ipv6 2000::/3"

# DNS (for Windows)
# These are OpenDNS
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

# Configure all clients to redirect their default network gateway through the VPN
push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway ipv6" #For iOS

# Don't need to re-read keys and re-create tun at restart
persist-key
persist-tun

# Ping every 10s. Timeout of 120s.
keepalive 10 120

# Enable compression
comp-lzo

# User and group
user vpn
group vpn

# Log a short status
status openvpn-status.log

# Logging verbosity
##verb 4

# Custom config
tls-auth ta.key 0
cipher DES-EDE3-CBC

This is needed to set a fixed address for each client (not required, but I use it):

# Client config dir
client-config-dir /etc/openvpn/ccd

The most complicated and most important point.

Unfortunately, OpenVPN still does not know how to configure IPv6 gateways for clients on its own.
This has to be done "by hand" for each client.

# Run client-specific script on connection and disconnection
script-security 2
client-connect "/usr/bin/sudo -u root /etc/openvpn/server-clientconnect.sh"
client-disconnect "/usr/bin/sudo -u root /etc/openvpn/server-clientdisconnect.sh"

File "/etc/openvpn/server-clientconnect.sh":

#!/bin/sh

# Check client variables (exported by OpenVPN for client-connect scripts)
if [ -z "$ifconfig_pool_remote_ip" ] || [ -z "$common_name" ]; then
        echo "Missing environment variable."
        exit 1
fi

# Load server variables (prefix, prefixlen)
. /etc/openvpn/variables

ipv6=""

# Find out if there is a specific config with fixed IPv6 for this client
if [ -f "/etc/openvpn/ccd/$common_name" ]; then
        # Get fixed IPv6 from client config file
        ipv6=$(sed -nr 's/^.*ifconfig-ipv6-push[ \t]+([0-9a-fA-F:]+).*$/\1/p' "/etc/openvpn/ccd/$common_name")
        echo "$ipv6"
fi

# Get IPv6 from IPv4: prefix + hex of the last IPv4 octet
if [ -z "$ipv6" ]; then
        ipp=$(echo "$ifconfig_pool_remote_ip" | cut -d. -f4)
        if ! [ "$ipp" -ge 2 -a "$ipp" -le 254 ] 2>/dev/null; then
                echo "Invalid IPv4 part."
                exit 1
        fi
        hexipp=$(printf '%x' "$ipp")
        ipv6="$prefix$hexipp"
fi

# Create proxy NDP rule so the upstream router sees the client's address on eno1
/sbin/ip -6 neigh add proxy "$ipv6" dev eno1

File "/etc/openvpn/server-clientdisconnect.sh":

#!/bin/sh

# Check client variables (exported by OpenVPN for client-disconnect scripts)
if [ -z "$ifconfig_pool_remote_ip" ] || [ -z "$common_name" ]; then
        echo "Missing environment variable."
        exit 1
fi

# Load server variables (prefix, prefixlen)
. /etc/openvpn/variables

ipv6=""

# Find out if there is a specific config with fixed IPv6 for this client
if [ -f "/etc/openvpn/ccd/$common_name" ]; then
        # Get fixed IPv6 from client config file
        ipv6=$(sed -nr 's/^.*ifconfig-ipv6-push[ \t]+([0-9a-fA-F:]+).*$/\1/p' "/etc/openvpn/ccd/$common_name")
fi

# Get IPv6 from IPv4: prefix + hex of the last IPv4 octet (same as on connect)
if [ -z "$ipv6" ]; then
        ipp=$(echo "$ifconfig_pool_remote_ip" | cut -d. -f4)
        if ! [ "$ipp" -ge 2 -a "$ipp" -le 254 ] 2>/dev/null; then
                echo "Invalid IPv4 part."
                exit 1
        fi
        hexipp=$(printf '%x' "$ipp")
        ipv6="$prefix$hexipp"
fi

# Delete the proxy NDP rule added on connect
/sbin/ip -6 neigh del proxy "$ipv6" dev eno1

Both scripts use the file "/etc/openvpn/variables":

# Subnet
prefix=XXXX:XXXX:XXXX:XXXX:2:
# netmask
prefixlen=112

It is hard for me to remember why it is written this way.
Now a netmask of 112 looks strange (it should be 96 there).
And the prefix is strange too, it does not match the tun0 network.
But it works, so I leave it.
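As an added example (not the article's own code), the Python below reproduces the address logic shared by the two scripts, a fixed address from the ccd file or otherwise prefix + hex of the last IPv4 octet, and adds the one check they lack: whether the result actually falls inside the tun0 pool, which is the mismatch the commentary above wonders about. The prefixes and the sample ccd line are constructed stand-ins for the masked values (an assumption).

```python
"""Added example: the per-client IPv6 logic of server-clientconnect.sh /
server-clientdisconnect.sh, plus a check that the derived address lies in
the tun0 pool.  All prefixes are constructed stand-ins for the masked
values in the article (assumption)."""
import ipaddress
import re

# Stand-in for "server-ipv6 XXXX:XXXX:XXXX:XXXX:1:3::/80" -> 2001:db8:1:1:1::/80
TUNNEL_POOL = ipaddress.ip_interface("2001:db8:1:1:1:3::/80").network

# Stand-ins for the prefix= line in /etc/openvpn/variables.
PREFIX_IN_POOL = "2001:db8:1:1:1:3::"   # inside TUNNEL_POOL
PREFIX_ODD = "2001:db8:1:1:2::"         # shaped like the article's ':2:' prefix

# The same pattern the scripts' sed expression uses.
CCD_RE = re.compile(r"^.*ifconfig-ipv6-push[ \t]+([0-9a-fA-F:]+).*$", re.M)


def fixed_ipv6_from_ccd(ccd_text):
    """Fixed address from an 'ifconfig-ipv6-push' line in the ccd file, else None."""
    m = CCD_RE.search(ccd_text or "")
    return m.group(1) if m else None


def ipv6_from_ipv4(prefix, ipv4):
    """Derive the address the way the scripts do: prefix + hex(last IPv4 octet),
    accepting only host octets 2..254 like the scripts' range check."""
    last = int(ipv4.rsplit(".", 1)[1])
    if not 2 <= last <= 254:
        raise ValueError(f"Invalid IPv4 part: {last}")
    return f"{prefix}{last:x}"


def client_ipv6(ifconfig_pool_remote_ip, ccd_text=None, prefix=PREFIX_IN_POOL):
    """The ccd entry wins; otherwise derive from the pool IPv4. Rejects malformed results."""
    ipv6 = fixed_ipv6_from_ccd(ccd_text) or ipv6_from_ipv4(prefix, ifconfig_pool_remote_ip)
    ipaddress.IPv6Address(ipv6)  # raises ValueError if the prefix yields junk
    return ipv6


def in_tunnel_pool(ipv6, pool=TUNNEL_POOL):
    """Is the address inside the tun0 pool? The scripts never check this, which is
    why a prefix that does not match tun0 goes unnoticed."""
    return ipaddress.IPv6Address(ipv6) in pool


def proxy_ndp_command(ipv6, action="add", dev="eno1"):
    """The ip(8) command the connect/disconnect scripts run for the address."""
    return f"/sbin/ip -6 neigh {action} proxy {ipv6} dev {dev}"


if __name__ == "__main__":
    # Constructed sample: the variables OpenVPN exports for a connecting client.
    ipv4 = "10.8.0.10"
    addr = client_ipv6(ipv4)
    print(addr, "in tun0 pool:", in_tunnel_pool(addr))
    print(proxy_ndp_command(addr))
    odd = client_ipv6(ipv4, prefix=PREFIX_ODD)
    print(odd, "in tun0 pool:", in_tunnel_pool(odd))
```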

cipher DES-EDE3-CBC

This is not for everyone - it is the method I chose for encrypting the connection.

Read more about setting up OpenVPN over IPv4.

Read more about setting up OpenVPN over IPv6.

============= Postfix =============

Installing the main package:

apt-get install postfix

During installation, select "internet site".

My "/etc/postfix/main.cf" looks like this:

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtp_bind_address = XX.XX.XX.X0
smtp_bind_address6 = XXXX:XXXX:XXXX:XXXX:1:1:1:1

smtp_tls_security_level = may
smtp_tls_ciphers = export
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_loglevel = 1

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = domain1.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = domain1.com
mydestination = localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4

internal_mail_filter_classes = bounce

# Storage type
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf

# SMTP-Auth settings
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        #reject_invalid_hostname,
        #reject_unknown_recipient_domain,
        reject_unauth_destination,
        reject_rbl_client sbl.spamhaus.org,
        check_policy_service unix:private/policyd-spf

smtpd_helo_restrictions =
        #reject_invalid_helo_hostname,
        #reject_non_fqdn_helo_hostname,
        reject_unknown_helo_hostname

smtpd_client_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_helo_hostname,
        permit

# SPF
policyd-spf_time_limit = 3600

# OpenDKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:var/run/opendkim/opendkim.sock

# IP address per domain
sender_dependent_default_transport_maps = pcre:/etc/postfix/sdd_transport.pcre

Let's look at the details of this config.

smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key

According to Habr users, this block contains "misinformation and incorrect statements". It was only 8 years after the start of my career that I began to understand how SSL works.

So I will take the liberty of describing how to use SSL (without answering the questions "How does it work?" and "Why does it work?").

The basis of modern encryption is the creation of a key pair (two very long strings of characters).

One "key" is private, the other is "public". We keep the private key strictly secret. We hand the public key out to everyone.

Using the public key, you can encrypt a text string so that only the owner of the private key can decrypt it.
Well, that is the whole basis of the technology.

Step #1 - https sites.
When accessing a site, the browser learns from the web server that the site is https, and therefore requests a public key.
The web server hands over the public key. The browser uses the public key to encrypt the http-request and sends it.
The contents of the http-request can only be read by those who hold the private key, i.e. only the server the request was sent to.
An http-request contains at least a URI. Therefore, if a country tries to restrict access not to a whole site but to a specific page, this cannot be done for https sites.

Step #2 - encrypted response.
The web server gives a response that could be read along the way.
The solution is very simple - the browser locally generates the same kind of private-public key pair for each https site.
And together with the request for the site's public key, it sends its own local public key.
The web server remembers it, and when sending the http-response, encrypts it with the public key of that specific client.
Now the http-response can only be decrypted by the owner of the client browser's private key (i.e. the client itself).

Step #3 - establishing a secure connection over a public channel.
There is a vulnerability in example #2 - nothing prevents well-wishers from intercepting an http-request and editing the public key information.
Thus the intermediary will clearly see the entire contents of the sent and received messages until the communication channel changes.
Dealing with this is very simple - just send the browser's public key as a message encrypted with the web server's public key.
The web server then first sends a response like "your public key is such-and-such" and encrypts this message with that same public key.
The browser looks at the response - if the message "your public key is such-and-such" arrives, then that is a 100% guarantee that this communication channel is secure.
How secure?
The creation of such a secure communication channel takes ping*2. For example 20ms.
The attacker would have to have the private key of one of the parties in advance. Or find a private key within a couple of milliseconds.
Cracking one modern private key takes decades on a supercomputer.

Step #4 - public database of public keys.
Obviously, in this whole story there is an opportunity for an attacker to sit on the communication channel between the client and the server.
The client can pretend to be the server, and the server can pretend to be the client. And fake a pair of keys on both sides.
Then the attacker sees all the traffic and can "edit" the traffic.
For example, change the address to send money to, or copy the password for online banking, or block "objectionable" content.
To combat such attackers, a public database with public keys for each https site appeared.
Each browser "knows" about the existence of about 200 such databases. This comes preinstalled with every browser.
The "knowledge" is backed by a public key from each certificate. That is, the connection to each specific certificate authority cannot be faked.

Now there is a simple, clear understanding of how to use SSL for https.
If you use your brain, it becomes clear how special services can break something in this structure. But it will cost them monstrous effort.
And organisations smaller than the NSA or CIA - cannot break the current level of protection, even for VIPs.

I will also add a note about ssh connections. There is no public database there, so what do you do? There are two ways the issue is solved.
The ssh-by-password option:
During the first connection, the ssh client should warn that we have received a new public key from the ssh server.
And during subsequent connections, if the warning "new public key from the ssh server" appears, it means someone is trying to eavesdrop on you.
Or you were eavesdropped on during the first connection, but now you are talking to the server without intermediaries.
Actually, because the fact of eavesdropping is easy, quick and effortless to reveal, this attack is used only in special cases against a specific client.

The ssh-by-key option:
We take a flash drive and write the private key for the ssh server on it (there are many important nuances to this, but I am writing an educational piece, not operating instructions).
We leave the public key on the machine where the ssh client is, and keep it secret as well.
We bring the flash drive to the server, insert it, copy the private key, burn the flash drive and scatter the ashes to the wind (or at least zero-fill it).
That's all - after such an operation it will be impossible to break such an ssh connection. Of course, in 10 years it will be possible to read the traffic on a supercomputer - but that is a different story.

I apologise for the off-topic digression.

Now the theory is known. I will describe the process of creating an SSL certificate.

Using "openssl genrsa" we create a private key and the "blanks" for the public key.
We send the "blanks" to a third-party company, which we pay $9 for the simplest certificate.

I muri i nga haora e rua, ka riro mai i a maatau taviri "iwi" me te huinga o nga taviri a te iwi mai i tenei kamupene tuatoru.

He aha te take e utu ai tetahi kamupene tuatoru mo te rehitatanga o taku taviri whanui he patai motuhake, kaore matou e whakaaro ki konei.

Now it is clear what this line means:

smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key

The "/etc/ssl" folder holds all files related to ssl.
domain1.com is the domain name.
2018 is the year the key was created.
"key" indicates that the file is a private key.

And the meaning of this file:

smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
domain1.com is the domain name.
2018 is the year the key was created.
chained indicates that this is a chain of public keys (the first is our public key, the rest are the ones that came from the company that issued the public key).
crt indicates that this is a ready certificate (the public key with technical annotations).

smtp_bind_address = XX.XX.XX.X0
smtp_bind_address6 = XXXX:XXXX:XXXX:XXXX:1:1:1:1

This setting is not used in this case, but it is given as an example.

A mistake in this parameter will lead to spam being sent from your server (without your wanting it).

And then you have to prove to everyone that you are not at fault.

recipient_delimiter = +

Many people may not know this, but it is a fairly standard feature of e-mail, and most modern mail clients support it.

For example, if you have the mailbox "[email protected]", try sending to "[email protected]" and see what arrives.

inet_protocols = ipv4

This may look confusing.

But it is not that simple. Every new domain starts as IPv4 only, and then I enable IPv6 for each domain individually.

virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf

Here we specify that all incoming mail goes to dovecot.
And the rules for domains, mailboxes and aliases are looked up in the database.

/etc/postfix/mysql-virtual-mailbox-domains.cf

user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT 1 FROM virtual_domains WHERE name='%s'

/etc/postfix/mysql-virtual-mailbox-maps.cf

user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT 1 FROM virtual_users WHERE email='%s'

/etc/postfix/mysql-virtual-alias-maps.cf

user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT destination FROM virtual_aliases WHERE source='%s'
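The three lookups above, together with the "recipient_delimiter = +" setting described earlier, are easier to understand when run end to end. The following is an added Python example and not code from the article: an in-memory sqlite3 database stands in for the mysql "servermail" database, its schema is assumed from the three queries (virtual_domains.name, virtual_users.email, virtual_aliases.source and destination), and all rows are constructed. The lookups use the same SQL as the .cf files, and lookup_keys() reproduces the key order Postfix tries, so that "box+tag@domain" is delivered to the "box@domain" mailbox.

```python
"""Recipient resolution with the three mysql-*.cf lookups and recipient_delimiter.

Added example, not part of the article. Schema and rows are constructed.
"""
import sqlite3

RECIPIENT_DELIMITER = "+"          # main.cf: recipient_delimiter = +
MAX_ALIAS_DEPTH = 10               # guard against alias loops a@ -> b@ -> a@


def open_sample_db():
    """Constructed stand-in for the 'servermail' mysql database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE virtual_domains (name TEXT PRIMARY KEY);
        CREATE TABLE virtual_users (email TEXT PRIMARY KEY, password TEXT);
        CREATE TABLE virtual_aliases (source TEXT PRIMARY KEY, destination TEXT);
        INSERT INTO virtual_domains VALUES ('domain1.com'), ('domain2.com');
        -- the password column holds Dovecot SHA512-CRYPT hashes; placeholders here
        INSERT INTO virtual_users VALUES
            ('box@domain1.com',   '{SHA512-CRYPT}$6$placeholder'),
            ('admin@domain2.com', '{SHA512-CRYPT}$6$placeholder');
        INSERT INTO virtual_aliases VALUES
            ('postmaster@domain1.com', 'box@domain1.com'),
            ('sales@domain1.com',      'partner@outside.example'),
            ('@domain2.com',           'admin@domain2.com');
    """)
    return db


def is_hosted_domain(db, domain):
    """Same query as mysql-virtual-mailbox-domains.cf."""
    return db.execute("SELECT 1 FROM virtual_domains WHERE name=?",
                      (domain,)).fetchone() is not None


def is_mailbox(db, email):
    """Same query as mysql-virtual-mailbox-maps.cf."""
    return db.execute("SELECT 1 FROM virtual_users WHERE email=?",
                      (email,)).fetchone() is not None


def alias_destination(db, source):
    """Same query as mysql-virtual-alias-maps.cf."""
    row = db.execute("SELECT destination FROM virtual_aliases WHERE source=?",
                     (source,)).fetchone()
    return row[0] if row else None


def lookup_keys(address, delimiter=RECIPIENT_DELIMITER):
    """Keys in the order Postfix tries them: the full address, the address with
    its +extension removed, then the @domain catch-all."""
    local, _, domain = address.rpartition("@")
    keys = [address]
    if delimiter and delimiter in local:
        keys.append(local.split(delimiter, 1)[0] + "@" + domain)
    keys.append("@" + domain)
    return keys


def resolve_recipient(db, address, depth=0):
    """('deliver', mailbox) hand over to Dovecot through virtual_transport;
    ('forward', addr)    an alias points outside the hosted domains;
    ('reject', addr)     unknown domain, or no alias/mailbox for it."""
    if depth > MAX_ALIAS_DEPTH:
        return ("reject", address)
    _, _, domain = address.rpartition("@")
    if not is_hosted_domain(db, domain.lower()):
        # Only an alias target may leave the server; accepting a fresh
        # outside recipient here would make the server an open relay.
        return ("forward", address) if depth else ("reject", address)
    keys = lookup_keys(address.lower())
    for key in keys:
        dest = alias_destination(db, key)
        if dest is not None:
            if dest.lower() == address.lower():
                break          # catch-all maps the box to itself: look up the mailbox
            # simplification: the +extension is not propagated to dest
            return resolve_recipient(db, dest.lower(), depth + 1)
    # mailbox lookup: full address, then with the extension stripped;
    # catch-alls are handled by the alias map in this setup
    for key in keys[:-1]:
        if is_mailbox(db, key):
            return ("deliver", key)
    return ("reject", address)


if __name__ == "__main__":
    sample = open_sample_db()
    for rcpt in ("box+news@domain1.com", "anyone@domain2.com", "nobody@domain1.com"):
        print(rcpt, "->", resolve_recipient(sample, rcpt))
```

The rejection for an unknown domain is the relay check: with the three maps alone, Postfix only accepts mail for domains listed in virtual_domains, so the "reject" outcome for box@other.example is the expected and desired one.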

# SMTP-Auth settings
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

Now postfix knows that mail may be accepted for onward delivery only after authentication through dovecot.

I do not quite understand why this is duplicated here. We have already specified everything we need in "virtual_transport".

But postfix is a very old system; this is probably a legacy from the early days.

smtpd_recipient_restrictions =
        ...

smtpd_helo_restrictions =
        ...

smtpd_client_restrictions =
        ...

These can be configured differently for each mail server.

I have 3 mail servers, and these settings differ between them because of different usage requirements.

You need to configure them carefully, otherwise spam will flow in to you, or worse, spam will flow out from you.

# SPF
policyd-spf_time_limit = 3600

A setting for a module that checks the SPF of incoming mail.

# OpenDKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:var/run/opendkim/opendkim.sock

This setting adds a DKIM signature to all outgoing mail.

# IP address per domain
sender_dependent_default_transport_maps = pcre:/etc/postfix/sdd_transport.pcre

This is important for routing mail when it is sent from PHP scripts.

File "/etc/postfix/sdd_transport.pcre":

/^[email protected]$/ domain1:
/^[email protected]$/ domain2:
/^[email protected]$/ domain3:
/@domain1.com$/             domain1:
/@domain2.com$/             domain2:
/@domain3.com$/             domain3:

On the left are regular expressions. On the right is a label that is attached to the message.
Based on that label, postfix applies further configuration lines to that particular message.

How postfix is configured for a particular message is specified in "master.cf".

Lines 4, 5 and 6 are the main ones. For the domain on whose behalf we send the message, we attach the corresponding label.
But in old code the "from" field is not always set by the PHP script. Then the username comes to the rescue.
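To see how this table is walked, here is an added Python example (not the article's code) that models a Postfix pcre: table lookup for sender_dependent_default_transport_maps: entries are tried top to bottom, the first match wins, and matching is case-insensitive unless an entry carries the 'i' flag. The table and the master.cf excerpt are constructed; the login names "www-domainN" and the host name "mail.example" are assumptions standing in for the addresses in the real file. It also includes the check that belongs after editing either file: every label the table produces must have a service in master.cf, otherwise Postfix defers the mail with "mail transport unavailable".

```python
"""Sender-dependent transport lookup modelled on a Postfix pcre: table.

Added example, not part of the original article. Table and master.cf text
below are constructed; www-domainN and mail.example are assumptions.
"""
import re

# Constructed pcre_table(5) text. The first three entries catch mail injected by
# PHP scripts that set no envelope sender, so the sender becomes the Unix login
# name at the local host name. The last three catch mail with a real sender.
SDD_TRANSPORT_PCRE = r"""
# comments and blank lines are skipped, as in the real table
/^www-domain1@mail\.example$/ domain1:
/^www-domain2@mail\.example$/ domain2:
/^www-domain3@mail\.example$/ domain3:
/@domain1\.com$/             domain1:
/@domain2\.com$/             domain2:
/@domain3\.com$/             domain3:
"""

# Constructed master.cf excerpt: one transport service per label (domain3 is
# deliberately missing so the consistency check below has something to find).
MASTER_CF = """
smtp      inet  n       -       y       -       -       smtpd
domain1   unix  -       -       n       -       -       smtp
   -o smtp_bind_address=192.0.2.1
domain2   unix  -       -       n       -       -       smtp
   -o smtp_bind_address=192.0.2.5
"""

_ENTRY = re.compile(
    r"^/(?P<pat>(?:\\.|[^/])*)/(?P<flags>[A-Za-z]*)\s+(?P<result>\S+)\s*$")


def parse_pcre_table(text):
    """Return the table as an ordered list of (compiled regex, result)."""
    table = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY.match(line)
        if m is None:
            raise ValueError("unparseable pcre table entry: %r" % raw)
        # pcre_table(5): matching is case-insensitive by default; an explicit
        # 'i' flag toggles that off.
        flags = 0 if "i" in m.group("flags") else re.IGNORECASE
        table.append((re.compile(m.group("pat"), flags), m.group("result")))
    return table


def lookup_transport(table, sender, default="smtp:"):
    """Label for an envelope sender: first matching entry, else the global
    default_transport. The null sender is looked up as '<>', Postfix's
    default empty_address_default_transport_maps_lookup_key."""
    key = sender if sender else "<>"
    for regex, result in table:
        if regex.search(key):
            return result
    return default


def master_services(text):
    """Service names in a master.cf excerpt: the first word of every line
    that is not indented, blank or a comment."""
    names = set()
    for line in text.splitlines():
        if line and not line[0].isspace() and not line.startswith("#"):
            names.add(line.split()[0])
    return names


def undefined_transports(table, master_text):
    """Labels used by the table that have no master.cf service."""
    used = {result.rstrip(":").split(":")[0] for _, result in table}
    return sorted(used - master_services(master_text))


if __name__ == "__main__":
    t = parse_pcre_table(SDD_TRANSPORT_PCRE)
    for s in ("www-domain2@mail.example", "Info@Domain3.COM", "root@mail.example"):
        print(s, "->", lookup_transport(t, s))
    print("labels without a master.cf service:", undefined_transports(t, MASTER_CF))
```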

The article is already long, and I do not want to complicate it further with the nginx+fpm setup.

Briefly: each site gets its own linux user as owner, and accordingly its own fpm-pool.

An fpm-pool can use any version of php (it is great to be able to run different php versions with different php.ini files for neighbouring sites without trouble).

So the linux user "www-domain2" owns the website domain2.com. This site contains code that sends e-mail without setting the from field.

Even in that case the messages are sent correctly and never end up in spam.

My "/etc/postfix/master.cf" looks like this:

...
smtp      inet  n       -       y       -       -       smtpd
  -o content_filter=spamassassin
...
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
...
policyd-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/bin/policyd-spf

spamassassin unix -     n       n       -       -       pipe
    user=spamd argv=/usr/bin/spamc -f -e
    /usr/sbin/sendmail -oi -f ${sender} ${recipient}
...
domain1  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X1
   -o smtp_helo_name=domain1.com
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:1:1
   -o syslog_name=postfix-domain1

domain2  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X5
   -o smtp_helo_name=domain2.com
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:2:1:1
   -o syslog_name=postfix-domain2

domain3  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X2
   -o smtp_helo_name=domain3
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:5:1
   -o syslog_name=postfix-domain3

The file is not given in full; it is too large.
I only show what was changed.

smtp      inet  n       -       y       -       -       smtpd
  -o content_filter=spamassassin
...
spamassassin unix -     n       n       -       -       pipe
    user=spamd argv=/usr/bin/spamc -f -e
    /usr/sbin/sendmail -oi -f ${sender} ${recipient}

These settings concern spamassassin; more about that later.

submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

This allows you to connect to the mail server on port 587.
To do so, you must authenticate.

policyd-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/bin/policyd-spf

Enables SPF checking.

apt-get install postfix-policyd-spf-python

Installs the package for the SPF checks above.

domain1  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X1
   -o smtp_helo_name=domain1.com
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:1:1
   -o syslog_name=postfix-domain1

And this is the most interesting part: the ability to send mail for a specific domain from a specific IPv4/IPv6 address.

This is done for rDNS. rDNS is the procedure of obtaining a name from an IP address.
For mail, this is used to confirm that the helo matches the rDNS of the address from which the e-mail was sent.

If the helo does not match the e-mail domain on whose behalf the message was sent, spam points are awarded.

If the helo does not match the rDNS, many spam points are awarded.
Therefore each domain needs its own IP address.
At OVH, rDNS can be set in the control panel.
At tech.ru, the issue is resolved through support.
At AWS, the issue is resolved through support.
"inet_protocols" and "smtp_bind_address6" enable IPv6 support.
For IPv6 you also need to register rDNS.
"syslog_name" simply makes the logs easier to read.
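The helo/rDNS consistency described above can be verified from the server itself before a receiving side scores it. The following is an added Python example, not code from the article: for each per-domain transport it checks that the PTR record of the bind address equals the helo name and that the helo name resolves forward (A/AAAA) to that same address, for IPv4 and IPv6 alike. DNS answers go through a resolver object so the demo runs offline on constructed records; the addresses (RFC 5737 and RFC 3849 documentation ranges) and names are placeholders standing in for the XX.XX.XX.XN values in master.cf.

```python
"""HELO / rDNS consistency check for the per-domain sending addresses.

Added example, not from the original article. All DNS data and addresses
below are constructed placeholders.
"""
import ipaddress
import socket


class StubResolver:
    """Constructed DNS data: PTR per address and A/AAAA per name."""

    def __init__(self, ptr, forward):
        self.ptr = ptr            # address string -> host name
        self.forward = forward    # host name -> set of address strings

    def reverse(self, ip):
        return self.ptr.get(ip)

    def addresses(self, name):
        return self.forward.get(name, set())


class LiveResolver:
    """Same interface over real DNS through the socket module."""

    def reverse(self, ip):
        try:
            return socket.gethostbyaddr(ip)[0]
        except (socket.herror, socket.gaierror):
            return None

    def addresses(self, name):
        try:
            return {info[4][0] for info in socket.getaddrinfo(name, None)}
        except socket.gaierror:
            return set()


def check_helo(ip, helo, resolver):
    """Mismatches a receiver would score; an empty list means the address
    passes both the PTR == HELO check and the forward-confirmed check."""
    addr = ipaddress.ip_address(ip)          # also normalises IPv6 spellings
    helo = helo.rstrip(".").lower()
    findings = []
    ptr = resolver.reverse(str(addr))
    if ptr is None:
        findings.append("no PTR record for %s" % addr)
    elif ptr.rstrip(".").lower() != helo:
        findings.append("PTR %s does not equal HELO %s" % (ptr, helo))
    forward = set()
    for a in resolver.addresses(helo):
        try:
            forward.add(ipaddress.ip_address(a))
        except ValueError:
            pass                             # ignore unparsable answers
    if addr not in forward:
        findings.append("HELO %s does not resolve back to %s" % (helo, addr))
    return findings


# Constructed stand-ins for the three per-domain transports in master.cf.
TRANSPORTS = {
    "domain1": {"smtp_helo_name": "domain1.com",
                "smtp_bind_address": "192.0.2.1",
                "smtp_bind_address6": "2001:db8::1:1:1:1"},
    "domain2": {"smtp_helo_name": "domain2.com",
                "smtp_bind_address": "192.0.2.5",
                "smtp_bind_address6": "2001:db8::1:2:1:1"},
    "domain3": {"smtp_helo_name": "domain3",      # helo without a TLD
                "smtp_bind_address": "192.0.2.2",
                "smtp_bind_address6": None},
}

# Constructed DNS: domain1 is complete, domain2 lacks the IPv6 PTR that must
# be registered with the provider, domain3's helo is not a resolvable name.
STUB = StubResolver(
    ptr={"192.0.2.1": "domain1.com", "2001:db8::1:1:1:1": "domain1.com",
         "192.0.2.5": "domain2.com", "192.0.2.2": "domain3.com"},
    forward={"domain1.com": {"192.0.2.1", "2001:db8::1:1:1:1"},
             "domain2.com": {"192.0.2.5", "2001:db8::1:2:1:1"},
             "domain3.com": {"192.0.2.2"}},
)


def audit_transports(transports, resolver):
    """Findings per (transport, address). Run it with LiveResolver() on the
    real server after changing master.cf or the provider's rDNS entries."""
    report = {}
    for name, t in transports.items():
        for ip in (t["smtp_bind_address"], t["smtp_bind_address6"]):
            if ip:
                report[(name, ip)] = check_helo(ip, t["smtp_helo_name"], resolver)
    return report


if __name__ == "__main__":
    for key, findings in audit_transports(TRANSPORTS, STUB).items():
        print(key, "OK" if not findings else "; ".join(findings))
```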

Where I recommend buying certificates: here.

Setting up the postfix+dovecot connection: here.

SPF settings.

============= Dovecot =============

apt-get install dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-mysql dovecot-antispam

Install mysql and the packages.

File "/etc/dovecot/conf.d/10-auth.conf"

disable_plaintext_auth = yes
auth_mechanisms = plain login

Only encrypted authentication is allowed.

File "/etc/dovecot/conf.d/10-mail.conf"

mail_location = maildir:/var/mail/vhosts/%d/%n

This specifies where the mail is stored.

I want it stored in files grouped by domain.

File "/etc/dovecot/conf.d/10-master.conf"

service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    address = XX.XX.XX.X1, XX.XX.XX.X2, XX.XX.XX.X5, [XXXX:XXXX:XXXX:XXXX:1:1:1:1], [XXXX:XXXX:XXXX:XXXX:1:2:1:1], [XXXX:XXXX:XXXX:XXXX:1:1:5:1]
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    address = XX.XX.XX.X1, XX.XX.XX.X2, XX.XX.XX.X5, [XXXX:XXXX:XXXX:XXXX:1:1:1:1], [XXXX:XXXX:XXXX:XXXX:1:2:1:1], [XXXX:XXXX:XXXX:XXXX:1:1:5:1]
    port = 995
    ssl = yes
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
service imap {
}
service pop3 {
}
service auth {
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }

  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
  user = dovecot
}
service auth-worker {
  user = vmail
}
service dict {
  unix_listener dict {
  }
}

This is the main dovecot configuration file.
Here we disable the insecure connections.
And enable the secure ones.

File "/etc/dovecot/conf.d/10-ssl.conf"

ssl = required
ssl_cert = </etc/nginx/ssl/domain1.com.2018.chained.crt
ssl_key = </etc/nginx/ssl/domain1.com.2018.key
local XX.XX.XX.X5 {
  ssl_cert = </etc/nginx/ssl/domain2.com.2018.chained.crt
  ssl_key =  </etc/nginx/ssl/domain2.com.2018.key
}

SSL setup. It specifies that ssl is required.
And the certificate itself. The important detail is the "local" directive. It specifies which SSL certificate to use when a client connects to that local IPv4 address.

By the way, IPv6 is not configured here; I will fix this omission later.
XX.XX.XX.X5 (domain2) has no certificate. To connect clients you must specify domain1.com.
XX.XX.XX.X2 (domain3) has a certificate; to connect clients you can specify either domain1.com or domain3.com.

File "/etc/dovecot/conf.d/15-lda.conf"

protocol lda {
  mail_plugins = $mail_plugins sieve
}

This will be needed later for the spam filter.

File "/etc/dovecot/conf.d/20-imap.conf"

protocol imap {
  mail_plugins = $mail_plugins antispam
}

This is the antispam plugin. It is needed to train spamassassin when messages are moved to or from the "Spam" folder.

File "/etc/dovecot/conf.d/20-pop3.conf"

protocol pop3 {
}

The file is simply like that.

File "/etc/dovecot/conf.d/20-lmtp.conf"

protocol lmtp {
  mail_plugins = $mail_plugins sieve
  postmaster_address = [email protected]
}

LMTP setup.

File "/etc/dovecot/conf.d/90-antispam.conf"

plugin {
  antispam_backend = pipe
  antispam_trash = Trash;trash
  antispam_spam = Junk;Spam;SPAM
  antispam_pipe_program_spam_arg = --spam
  antispam_pipe_program_notspam_arg = --ham
  antispam_pipe_program = /usr/bin/sa-learn
  antispam_pipe_program_args = --username=%Lu
}

Settings for training Spamassassin when messages are moved to or from the Spam folder.

File "/etc/dovecot/conf.d/90-sieve.conf"

plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_after = /var/lib/dovecot/sieve/default.sieve
}

A file that specifies what to do with incoming mail.

File "/var/lib/dovecot/sieve/default.sieve"

require ["fileinto", "mailbox"];

if header :contains "X-Spam-Flag" "YES" {
        fileinto :create "Spam";
}

The file must be compiled: "sievec default.sieve".

File "/etc/dovecot/conf.d/auth-sql.conf.ext"

passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
}

This specifies the sql files used for authentication.
And the file itself is used as the authentication method.

File "/etc/dovecot/dovecot-sql.conf.ext"

driver = mysql
connect = host=127.0.0.1 dbname=servermail user=usermail password=password
default_pass_scheme = SHA512-CRYPT
password_query = SELECT email as user, password FROM virtual_users WHERE email='%u';

This is similar to the corresponding settings for postfix.

File "/etc/dovecot/dovecot.conf"

protocols = imap lmtp pop3
listen = *, ::
dict {
}
!include conf.d/*.conf
!include_try local.conf

The main configuration file.
What matters here is that we add the protocols.

============= SpamAssassin =============

apt-get install spamassassin spamc

Install the packages.

adduser spamd --disabled-login

Add the user under which it will run.

systemctl enable spamassassin.service

Enable autostart of the spamassassin service on boot.

File "/etc/default/spamassassin":

CRON=1

Enables automatic updating of the "default" rules.

File "/etc/spamassassin/local.cf":

report_safe 0

use_bayes          1
bayes_auto_learn   1
bayes_auto_expire  1
bayes_store_module Mail::SpamAssassin::BayesStore::MySQL
bayes_sql_dsn      DBI:mysql:sa:localhost:3306
bayes_sql_username sa
bayes_sql_password password

You need to create the "sa" database in mysql with the user "sa" and the password "password" (replace it with something sensible).

report_safe: a report about the spam message is sent instead of the message itself.
use_bayes: the machine-learning settings of spamassassin.

The remaining spamassassin settings were taken from these articles:

General "spamassassin" settings.
Moving new Spam messages to the IMAP "Spam" folder.
The simplest combination of Dovecot + SpamAssassin.
I recommend reading the tutorial on training spamassassin when messages are moved between imap folders (I do not recommend using it).

============= Appeal to the community =============

I also want to put an idea to the community on how to raise the security level of sent mail, since I have immersed myself so deeply in the topic of mail.

Let the user create a key pair on their client (outlook, thunderbird, a browser plugin, ...). Public and private. The public key is published in DNS. The private key stays on the client. Mail servers would be able to use the public key when sending to a specific recipient.

And to protect against spam carried in such messages (yes, the mail server will not be able to look at the contents), 3 rules would have to be introduced:

  1. A mandatory real DKIM signature, mandatory SPF, mandatory rDNS.
  2. A neural network trained for antispam, plus a database for it, on the client side.
  3. The encryption algorithm must be such that the sending side spends 100 times more CPU power on encryption than the receiving side spends on decryption.

In addition to ordinary messages, define a standard proposal message "to start secure correspondence". One user (mailbox) sends a message with an attachment to another mailbox. The message contains a textual proposal to start a secure communication channel and the public key of the mailbox owner (with the private key on the client side).

You could even create a separate key pair for each correspondence. The recipient can accept this proposal and send their own public key (also created specifically for this correspondence). Next, the first user sends a control service message (encrypted with the second user's public key); on receiving it, the second user can consider the communication channel established. Next, the second user sends a control message, and then the first user can consider the created channel secure.

To counter interception of keys in transit, the protocol must provide for passing at least one key by flash drive.

And the most important part, so that all of this works (the question "who will pay for it?"):
Introduce mail certificates starting at $10 for 3 years. They allow the sender to state in dns "here are my public keys", and give you the right to initiate a secure connection. Accepting such connections, by contrast, is free.
In the end gmail monetizes its users. Here, for $10 per 3 years, you get the right to create secure correspondence channels.

============= Conclusion ==============

To test the whole article, I rented a dedicated server for a month and bought a domain with an SSL certificate.

But life got in the way, so this dragged on for 2 months.
So, once I had free time again, I decided to publish the article as it is rather than risk the publication dragging on for another year.

If there are many questions like "but this is not described in enough detail", I will probably find the energy to rent a dedicated server with a new domain and a new SSL certificate and describe it in more detail, and above all to identify all the important details that are missing.

I would also like feedback on the idea of mail certificates. If you like the idea, I will try to find the energy to write a draft for an rfc.

When copying large parts of the article, give a link to this article.
When translating into another language, give a link to this article.
I will try to translate it into English myself and leave cross-references.


Source: will.com
