Debian + Postfix + Dovecot + Multidomain + SSL + IPv6 + OpenVPN + Multi-interfaces + SpamAssassin-learn + Bind

This article describes how to set up a modern mail server.
Postfix + Dovecot. SPF + DKIM + rDNS. With IPv6.
With TLS encryption. With support for multiple domains - some of them with a real SSL certificate.
With antispam protection and a high antispam rating with other mail servers.
Supporting multiple physical interfaces.
With OpenVPN, which connects over IPv4 and provides IPv6.

If you do not want to learn all these technologies, but want to set up such a server, then this article is for you.

This article does not try to explain everything. Explanations are given for what is not configured by default or what matters from the user's point of view.

The motivation to set up a mail server is a long-standing dream of mine. This may sound silly, but IMHO it is much better than dreaming of a new car from your favourite brand.

There are two reasons for setting up IPv6. An IT specialist needs to learn new technologies constantly to survive. I want to make my modest contribution to the fight against censorship.

The purpose of setting up OpenVPN is only to get IPv6 working on the local machine.
The purpose of setting up multiple physical interfaces is that on my server I have one interface that is "slow but unlimited" and another that is "fast but metered".

The purpose of setting up Bind is that my ISP provides an unstable DNS server, and Google sometimes fails too. I want a stable DNS server for my own use.

Motivation for writing the article - I wrote a draft 10 months ago, and I have already looked it up twice since. Even if only the author needs it regularly, there is a good chance that others will need it too.

There is no universal mail server solution. But I will try to write something along the lines of "do this and that, and then, once everything works as it should, throw out the extra parts."

The company tech.ru has a colocation server. It can be compared with OVH, Hetzner, AWS. For solving this task, cooperation with tech.ru will be much more effective.

Debian 9 is installed on the server.

The server has two interfaces, `eno2` and `eno1`: `eno1` is the unlimited one and `eno2` is the fast one.

There are three static IP addresses, XX.XX.XX.X0, XX.XX.XX.X1 and XX.XX.XX.X2, on interface `eno1`, and XX.XX.XX.X5 on interface `eno2`.

There is an XXXX:XXXX:XXXX:XXXX::/64 pool of IPv6 addresses assigned to interface `eno1`, and from it XXXX:XXXX:XXXX:XXXX:1:2::/96 was routed to `eno2` at my request.

There are three domains: `domain3.com`, `domain1.com`, `domain2.com`. There is an SSL certificate for `domain3.com` and `domain1.com`.

I have a Google account to which I want to link my mailbox `[email protected]` (receiving mail and sending mail directly from the gmail interface).
There must be a mailbox `[email protected]`, a copy of whose mail I want to see in my gmail. And it is rarely necessary to send something on behalf of `[email protected]` via the web interface.

There must be a mailbox `[email protected]`, which Ivanov will use from his iPhone.

Outgoing emails must meet all modern antispam requirements.
There must be the highest level of encryption available on public networks.
There must be IPv6 support for sending and receiving mail.
There must be a SpamAssassin that does not delete emails. It will either reject, or let through, or move to the IMAP "Spam" folder.
SpamAssassin auto-learning must be configured: if I move a letter to the Spam folder, it learns from this; if I move a letter out of the Spam folder, it learns from this. The results of SpamAssassin training must affect whether a letter ends up in the Spam folder.
PHP scripts must be able to send mail on behalf of any domain on this server.
There must be an openvpn service, with the ability to use IPv6 on a client that does not have IPv6.

First you need to configure the interfaces and routes, including IPv6.
Then you need to configure OpenVPN, which will connect over IPv4 and give the client a real IPv6 address. That client will have access to all the IPv6 services on the server and to any IPv6 resource on the internet.
Then you need to configure Postfix for sending letters + SPF + DKIM + rDNS and various other small related things.
Then you need to configure Dovecot and set up multidomain.
Then you need to configure SpamAssassin and set up its training.
Finally, install Bind.

============= Multi-interface ==============

To configure the interfaces, you need to write the following in "/etc/network/interfaces".

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eno1
iface eno1 inet static
        address XX.XX.XX.X0/24
        gateway XX.XX.XX.1
        dns-nameservers 127.0.0.1 213.248.1.6
        post-up ip route add XX.XX.XX.0/24 dev eno1 src XX.XX.XX.X0 table eno1t
        post-up ip route add default via XX.XX.XX.1 table eno1t
        post-up ip rule add table eno1t from XX.XX.XX.X0
        post-up ip rule add table eno1t to XX.XX.XX.X0

auto eno1:1
iface eno1:1 inet static
address XX.XX.XX.X1
netmask 255.255.255.0
        post-up ip rule add table eno1t from XX.XX.XX.X1
        post-up ip rule add table eno1t to XX.XX.XX.X1
        post-up   ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t
        post-down ip route del 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t

auto eno1:2
iface eno1:2 inet static
address XX.XX.XX.X2
netmask 255.255.255.0
        post-up ip rule add table eno1t from XX.XX.XX.X2
        post-up ip rule add table eno1t to XX.XX.XX.X2

iface eno1 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:1::/64
        gateway XXXX:XXXX:XXXX:XXXX::1
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:2/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:1:1:2/64 dev $IFACE

# The secondary network interface
allow-hotplug eno2
iface eno2 inet static
        address XX.XX.XX.X5
        netmask 255.255.255.0
        post-up   ip route add XX.XX.XX.0/24 dev eno2 src XX.XX.XX.X5 table eno2t
        post-up   ip route add default via XX.XX.XX.1 table eno2t
        post-up   ip rule add table eno2t from XX.XX.XX.X5
        post-up   ip rule add table eno2t to XX.XX.XX.X5
        post-up   ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X5 table eno2t
        post-down ip route del 10.8.0.0/24 dev tun0 src XX.XX.XX.X5 table eno2t

iface eno2 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:2::/96
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:2:1:1/64 dev $IFACE
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:2:1:2/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:2:1:1/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:2:1:2/64 dev $IFACE

# OpenVPN network
iface tun0 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:3::/80

This configuration can be applied to any server at tech.ru (with a little coordination with support) and it will immediately work as it should.

If you have experience setting up similar things at Hetzner or OVH, it is different there. More complicated.

eno1 is the name of network card #1 (slow but unlimited).
eno2 is the name of network card #2 (fast but metered).
tun0 is the name of the virtual network card created by OpenVPN.
XX.XX.XX.X0 - IPv4 #1 on eno1.
XX.XX.XX.X1 - IPv4 #2 on eno1.
XX.XX.XX.X2 - IPv4 #3 on eno1.
XX.XX.XX.X5 - IPv4 #1 on eno2.
XX.XX.XX.1 - IPv4 gateway.
XXXX:XXXX:XXXX:XXXX::/64 - IPv6 for the whole server.
XXXX:XXXX:XXXX:XXXX:1:2::/96 - IPv6 for eno2; everything else from outside goes to eno1.
XXXX:XXXX:XXXX:XXXX::1 - IPv6 gateway (it is worth noting that this can/should be done differently: specify the IPv6 of the switch).
dns-nameservers - 127.0.0.1 is listed (because bind is installed locally) and 213.248.1.6 (this one is from tech.ru).

"table eno1t" ndi "table eno2t" - tanthawuzo la malamulo apanjira ndikuti magalimoto omwe amalowa pa eno1 -> amadutsamo, ndipo magalimoto olowera pa eno2 -> amadutsamo. Komanso maulumikizidwe oyambitsidwa ndi seva amatha kudutsa eno1.

ip route add default via XX.XX.XX.1 table eno1t

With this command we specify that any unclassified traffic that falls under any rule marked "table eno1t" -> is sent to the eno1 interface.

ip route add XX.XX.XX.0/24 dev eno1 src XX.XX.XX.X0 table eno1t

With this command we specify that any traffic initiated by the server should go out through the eno1 interface.

ip rule add table eno1t from XX.XX.XX.X0
ip rule add table eno1t to XX.XX.XX.X0

With these commands we set the rules for marking the traffic.

auto eno1:2
iface eno1:2 inet static
address XX.XX.XX.X2
netmask 255.255.255.0
        post-up ip rule add table eno1t from XX.XX.XX.X2
        post-up ip rule add table eno1t to XX.XX.XX.X2

This block sets up the second IPv4 alias on the eno1 interface.

ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t

With this command we set the route from the OpenVPN clients to the local IPv4 addresses other than XX.XX.XX.X0.
I still do not understand why this one command is enough for all the IPv4 addresses.

iface eno1 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:1::/64
        gateway XXXX:XXXX:XXXX:XXXX::1

Here we set the address of the interface itself. The server will use it as its "outgoing" address. It will not be used in any other way.

Why is ":1:1::" so complicated? So that OpenVPN works correctly, and only for that. More on this later.

On the subject of the gateway - this is how it works, and it is fine. But the correct way is to specify here the IPv6 address of the switch to which the server is connected.

However, for some reason IPv6 stops working when I do this. This is probably some kind of tech.ru problem.

ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE

This adds an IPv6 address to the interface. If you need a hundred addresses, then a hundred lines in this file.

iface eno1 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:1::/64
...
iface eno2 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:2::/96
...
iface tun0 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:3::/80

I have listed the addresses and subnets of all kinds for clarity.
eno1 - must be "/64" - because these are all our addresses.
tun0 - the subnet must be narrower (a longer prefix) than eno1's. Otherwise it will not be possible to configure the IPv6 gateway for OpenVPN clients.
eno2 - the subnet must be narrower (a longer prefix) than tun0's. Otherwise OpenVPN clients will not be able to reach the local IPv6 addresses.
For clarity, I chose a subnet step of 16, but if you want, you can use a step of "1".
Accordingly, 64+16 = 80, and 80+16 = 96.

For even more clarity:
XXXX:XXXX:XXXX:XXXX:1:1:YYYY:YYYY are the addresses that should be assigned to sites or other services on eno1.
XXXX:XXXX:XXXX:XXXX:1:2:YYYY:YYYY are the addresses that should be assigned to sites or other services on eno2.
XXXX:XXXX:XXXX:XXXX:1:3:YYYY:YYYY are the addresses that should be assigned to OpenVPN clients or used as OpenVPN service addresses.
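As an added example (not part of the article), here is the prefix arithmetic above worked through with Python's ipaddress module, using the documentation prefix 2001:db8:0:1::/64 as a stand-in for XXXX:XXXX:XXXX:XXXX::/64. It also shows something the step-16 layout hides: written as ":1:3::/80", the tun0 prefix has host bits set, so once installed as a route it is ":1::/80" and covers the eno2 ":1:2::/96" as well, which is consistent with the author's note that the eno2 prefix must be narrower than tun0's.

```python
import ipaddress

# Constructed stand-in for the page's XXXX:XXXX:XXXX:XXXX::/64 (RFC 3849 documentation prefix).
SERVER_PREFIX = ipaddress.IPv6Network("2001:db8:0:1::/64")


def plan(prefix=SERVER_PREFIX):
    """Build the page's three prefixes under the given /64: the whole /64 on eno1,
    ':1:3::/80' for tun0 (the server-ipv6 line) and ':1:2::/96' for eno2.

    strict=False masks host bits the way the kernel does when a route is
    installed, so the ':3' written in the sixth group of the /80 disappears.
    """
    base = prefix.network_address.exploded.rsplit(":", 4)[0]  # the first four groups
    return {
        "eno1": ipaddress.IPv6Network(f"{base}::/64", strict=False),
        "tun0": ipaddress.IPv6Network(f"{base}:1:3::/80", strict=False),
        "eno2": ipaddress.IPv6Network(f"{base}:1:2::/96", strict=False),
    }


def longest_match(routes, dst):
    """Interface chosen by longest-prefix match for a destination, ignoring the
    kernel's local table (addresses configured on the host itself always win there)."""
    addr = ipaddress.IPv6Address(dst)
    candidates = [(net.prefixlen, iface) for iface, net in routes.items() if addr in net]
    return max(candidates)[1] if candidates else None


def check_plan(routes):
    """Facts about the plan that the page's prose argues about: which prefixes nest
    inside which, and what the /80 really covers once its host bits are masked."""
    eno1, tun0, eno2 = routes["eno1"], routes["tun0"], routes["eno2"]
    return {
        "tun0_as_installed": str(tun0),            # ':1::/80', not ':1:3::/80'
        "tun0_covers_eno2": eno2.subnet_of(tun0),  # True: eno2's /96 must be narrower to win
        "tun0_inside_eno1": tun0.subnet_of(eno1),
        "eno2_inside_eno1": eno2.subnet_of(eno1),
    }


if __name__ == "__main__":
    routes = plan()
    for dst in ("2001:db8:0:1:1:1:1:1",   # an eno1 service address in the page's scheme
                "2001:db8:0:1:1:2:1:1",   # an eno2 service address
                "2001:db8:0:1:1:3::5",    # an OpenVPN client
                "2001:db8:0:1:2::1"):     # outside the :1 block: only the /64 matches
        print(f"{dst:26} -> {longest_match(routes, dst)}")
    for name, value in check_plan(routes).items():
        print(f"{name:20} {value}")
```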

To apply the network configuration, you need to restart the server.
IPv4 changes are applied as soon as this is executed (be sure to wrap it in screen - otherwise this command will simply break the network on the server):

/etc/init.d/networking restart

Add to the end of the file "/etc/iproute2/rt_tables":

100 eno1t
101 eno2t

Without this, you cannot use the custom tables in "/etc/network/interfaces".
The numbers must be unique and less than 65535.

IPv6 changes can easily be applied without a reboot, but to do this you need to learn at least three commands:

ip -6 addr ...
ip -6 route ...
ip -6 neigh ...

Configuring "/etc/sysctl.conf"

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward = 1

# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0

# For receiving ARP replies
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.default.arp_filter = 0

# For sending ARP
net.ipv4.conf.all.arp_announce = 0
net.ipv4.conf.default.arp_announce = 0

# Enable IPv6
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0

# IPv6 configuration
net.ipv6.conf.all.autoconf = 1
net.ipv6.conf.all.accept_ra = 0

# For OpenVPN
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.proxy_ndp = 1

# For nginx on boot
net.ipv6.ip_nonlocal_bind = 1

These are the "sysctl" settings of my server. Let me tell you about the most important ones.

net.ipv4.ip_forward = 1

Without this, OpenVPN will not work at all.

net.ipv6.ip_nonlocal_bind = 1

Anyone who tries to bind to an IPv6 address (for example nginx) immediately after the interface has come up will get an error saying that this address does not exist.

This setting exists to avoid that situation.

net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.proxy_ndp = 1

Without these IPv6 settings, traffic from the OpenVPN client does not go out into the world.

The other settings are either not relevant or I do not remember what they are for.
But since they have already been made, I leave them "as is".

For the changes in this file to be applied without restarting the server, you need to run the command:

sysctl -p

More about the "table" commands: habr.com/post/108690

============= OpenVPN =============

OpenVPN over IPv4 does not work without iptables.

My iptables rules for the VPN are as follows:

iptables -A INPUT -p udp -s YY.YY.YY.YY --dport 1194 -j ACCEPT
iptables -A FORWARD -i tun0 -o eno1 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j SNAT --to-source XX.XX.XX.X0
##iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j DROP
iptables -A FORWARD -p udp --dport 1194 -j DROP

YY.YY.YY.YY is my static IPv4 address on the local machine.
10.8.0.0/24 - the IPv4 openvpn network. The IPv4 addresses of the openvpn clients.
The order of the rules is important.

iptables -A INPUT -p udp -s YY.YY.YY.YY --dport 1194 -j ACCEPT
iptables -A FORWARD -i tun0 -o eno1 -j ACCEPT
...
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j DROP
iptables -A FORWARD -p udp --dport 1194 -j DROP

This is a restriction so that only I can use OpenVPN, from my static IP.

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j SNAT --to-source XX.XX.XX.X0
  -- or --
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j MASQUERADE

To forward IPv4 packets between the OpenVPN clients and the internet, you need to register one of these two rules.

In different situations, one of the options is not suitable.
Both rules are suitable in my case.
After reading the documentation, I chose the first option because it uses less CPU.

For all the iptables settings to be applied after a reboot, you need to save them somewhere.

iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

These names are not chosen by chance. They are used by the "iptables-persistent" package.

apt-get install iptables-persistent

Installing the main OpenVPN packages:

apt-get install openvpn easy-rsa

Let's set up the certificate template (substitute your own values):

make-cadir ~/openvpn-ca
cd ~/openvpn-ca
ln -s openssl-1.0.0.cnf openssl.cnf

Let's edit the certificate template settings:

mcedit vars

...
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="RU"
export KEY_PROVINCE="Krasnodar"
export KEY_CITY="Dinskaya"
export KEY_ORG="Own"
export KEY_EMAIL="[email protected]"
export KEY_OU="VPN"

# X509 Subject Field
export KEY_NAME="server"
...

Create the server certificate:

cd ~/openvpn-ca
source vars
./clean-all
./build-ca
./build-key-server server
./build-dh
openvpn --genkey --secret keys/ta.key

Let's prepare for creating the final "client-name.ovpn" files:

mkdir -p ~/client-configs/files
chmod 700 ~/client-configs/files
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
mcedit ~/client-configs/base.conf

# Client mode
client

# Interface tunnel type
dev tun

# TCP protocol
proto tcp-client

# Address/Port of VPN server
remote XX.XX.XX.X0 1194

# Don't bind to local port/address
nobind

# Don't need to re-read keys and re-create tun at restart
persist-key
persist-tun

# Remote peer must have a signed certificate
remote-cert-tls server
ns-cert-type server

# Enable compression
comp-lzo

# Custom
ns-cert-type server
tls-auth ta.key 1
cipher DES-EDE3-CBC

Let's prepare a script that will combine all the files into a single .ovpn file.

mcedit ~/client-configs/make_config.sh
chmod 700 ~/client-configs/make_config.sh

#!/bin/bash

# First argument: Client identifier

KEY_DIR=~/openvpn-ca/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

# Concatenate the base config with the CA certificate, the client's certificate
# and key, and the tls-auth key, each wrapped in its inline tag; the line
# continuations and the "${1}" client name were lost in the page's rendering.
cat ${BASE_CONFIG} \
    <(echo -e '<ca>') \
    ${KEY_DIR}/ca.crt \
    <(echo -e '</ca>\n<cert>') \
    ${KEY_DIR}/${1}.crt \
    <(echo -e '</cert>\n<key>') \
    ${KEY_DIR}/${1}.key \
    <(echo -e '</key>\n<tls-auth>') \
    ${KEY_DIR}/ta.key \
    <(echo -e '</tls-auth>') \
    > ${OUTPUT_DIR}/${1}.ovpn

Creating the first OpenVPN client:

cd ~/openvpn-ca
source vars
./build-key client-name
cd ~/client-configs
./make_config.sh client-name

Fayilo "~/client-configs/files/client-name.ovpn" imatumizidwa ku chipangizo cha kasitomala.

For iOS clients you need to do the following trick:
The contents of the "tls-auth" tag must be without comments.
Also put "key-direction 1" immediately before the "tls-auth" tag.

Let's set up the OpenVPN server configuration:

cd ~/openvpn-ca/keys
cp ca.crt ca.key server.crt server.key ta.key dh2048.pem /etc/openvpn
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | tee /etc/openvpn/server.conf
mcedit /etc/openvpn/server.conf

# Listen port
port 1194

# Protocol
proto tcp-server

# IP tunnel
dev tun0
tun-ipv6
push tun-ipv6

# Master certificate
ca ca.crt

# Server certificate
cert server.crt

# Server private key
key server.key

# Diffie-Hellman parameters
dh dh2048.pem

# Allow clients to communicate with each other
client-to-client

# Client config dir
client-config-dir /etc/openvpn/ccd

# Run client-specific script on connection and disconnection
script-security 2
client-connect "/usr/bin/sudo -u root /etc/openvpn/server-clientconnect.sh"
client-disconnect "/usr/bin/sudo -u root /etc/openvpn/server-clientdisconnect.sh"

# Server mode and client subnets
server 10.8.0.0 255.255.255.0
server-ipv6 XXXX:XXXX:XXXX:XXXX:1:3::/80
topology subnet

# IPv6 routes
push "route-ipv6 XXXX:XXXX:XXXX:XXXX::/64"
push "route-ipv6 2000::/3"

# DNS (for Windows)
# These are OpenDNS
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

# Configure all clients to redirect their default network gateway through the VPN
push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway ipv6" #For iOS

# Don't need to re-read keys and re-create tun at restart
persist-key
persist-tun

# Ping every 10s. Timeout of 120s.
keepalive 10 120

# Enable compression
comp-lzo

# User and group
user vpn
group vpn

# Log a short status
status openvpn-status.log

# Logging verbosity
##verb 4

# Custom config
tls-auth ta.key 0
cipher DES-EDE3-CBC

This is needed to set a fixed address for each client (not required, but I use it):

# Client config dir
client-config-dir /etc/openvpn/ccd

The most difficult and the most important part.

Unfortunately, OpenVPN does not yet know how to set up the IPv6 gateway for clients on its own.
You have to push this "by hand" for each client.

# Run client-specific script on connection and disconnection
script-security 2
client-connect "/usr/bin/sudo -u root /etc/openvpn/server-clientconnect.sh"
client-disconnect "/usr/bin/sudo -u root /etc/openvpn/server-clientdisconnect.sh"

Fayilo "/etc/openvpn/server-clientconnect.sh":

#!/bin/sh

# Check client variables
if [ -z "$ifconfig_pool_remote_ip" ] || [ -z "$common_name" ]; then
        echo "Missing environment variable."
        exit 1
fi

# Load server variables
. /etc/openvpn/variables

ipv6=""

# Find out if there is a specific config with fixed IPv6 for this client
if [ -f "/etc/openvpn/ccd/$common_name" ]; then
        # Get fixed IPv6 from client config file
        ipv6=$(sed -nr 's/^.*ifconfig-ipv6-push[ \t]+([0-9a-fA-F:]+).*$/\1/p' "/etc/openvpn/ccd/$common_name")
        echo $ipv6
fi

# Get IPv6 from IPv4
if [ -z "$ipv6" ]; then
        ipp=$(echo "$ifconfig_pool_remote_ip" | cut -d. -f4)
        if ! [ "$ipp" -ge 2 -a "$ipp" -le 254 ] 2>/dev/null; then
                echo "Invalid IPv4 part."
                exit 1
        fi
        hexipp=$(printf '%x' $ipp)
        ipv6="$prefix$hexipp"
fi

# Create proxy rule
/sbin/ip -6 neigh add proxy $ipv6 dev eno1

Fayilo "/etc/openvpn/server-clientdisconnect.sh":

#!/bin/sh

# Check client variables
if [ -z "$ifconfig_pool_remote_ip" ] || [ -z "$common_name" ]; then
        echo "Missing environment variable."
        exit 1
fi

# Load server variables
. /etc/openvpn/variables

ipv6=""

# Find out if there is a specific config with fixed IPv6 for this client
if [ -f "/etc/openvpn/ccd/$common_name" ]; then
        # Get fixed IPv6 from client config file
        ipv6=$(sed -nr 's/^.*ifconfig-ipv6-push[ \t]+([0-9a-fA-F:]+).*$/\1/p' "/etc/openvpn/ccd/$common_name")
fi

# Get IPv6 from IPv4
if [ -z "$ipv6" ]; then
        ipp=$(echo "$ifconfig_pool_remote_ip" | cut -d. -f4)
        if ! [ "$ipp" -ge 2 -a "$ipp" -le 254 ] 2>/dev/null; then
                echo "Invalid IPv4 part."
                exit 1
        fi
        hexipp=$(printf '%x' $ipp)
        ipv6="$prefix$hexipp"
fi

# Delete proxy rule
/sbin/ip -6 neigh del proxy $ipv6 dev eno1

Both scripts use the file "/etc/openvpn/variables":

# Subnet
prefix=XXXX:XXXX:XXXX:XXXX:2:
# netmask
prefixlen=112

I find it hard to remember why it was written this way.

Now netmask = 112 looks strange (it should be 96 there).
And the prefix is strange, it does not correspond to the tun0 network.
But okay, I will leave it as it is.
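Added example, not the article's code: the address derivation from server-clientconnect.sh redone in Python so it can be checked offline, plus the two membership checks a practitioner would run on the result before creating the proxy-NDP entry. It assumes the documentation prefix 2001:db8:0:1::/64 in place of the page's placeholders and a prefix variable that, unlike the page's ":2:", is exactly one hex group short of a full address.

```python
import ipaddress
import re

# Constructed stand-ins for the page's placeholders (RFC 3849 documentation prefix).
# The page's 'prefix=XXXX:XXXX:XXXX:XXXX:2:' cannot be completed to a full address,
# so this example assumes a prefix that is one hex group short of a full address.
PREFIX = "2001:db8:0:1:1:3:0:"
SERVER_LAN = ipaddress.IPv6Network("2001:db8:0:1::/64")                   # the /64 on eno1
TUN0_POOL = ipaddress.IPv6Network("2001:db8:0:1:1:3::/80", strict=False)  # server-ipv6 line

# The same expression the scripts pass to sed -nr.
CCD_PUSH = re.compile(r"^.*ifconfig-ipv6-push[ \t]+([0-9a-fA-F:]+).*$", re.M)


def client_ipv6(pool_remote_ip, ccd_text=None, prefix=PREFIX):
    """Reproduce the address choice of server-clientconnect.sh.

    A fixed 'ifconfig-ipv6-push' in the client's ccd file wins; otherwise the last
    octet of the IPv4 pool address, in hex, is appended to the prefix. Octets
    outside 2..254 are rejected exactly as the script does.
    """
    if ccd_text:
        m = CCD_PUSH.search(ccd_text)
        if m:
            return m.group(1)
    octet = int(pool_remote_ip.split(".")[3])
    if not 2 <= octet <= 254:
        raise ValueError("Invalid IPv4 part.")
    return f"{prefix}{octet:x}"


def audit(addr_str, lan=SERVER_LAN, pool=TUN0_POOL):
    """Checks worth running before 'ip -6 neigh add proxy <addr> dev eno1'.

    The proxy entry only helps for an address the upstream router treats as
    on-link (inside the /64), and the kernel only forwards to tun0 for addresses
    inside the tun0 route (the page itself notes that its prefix does not match
    the tun0 network)."""
    addr = ipaddress.IPv6Address(addr_str)
    return {"in_server_lan": addr in lan, "in_tun0_pool": addr in pool}


if __name__ == "__main__":
    # Constructed ccd file content for a client pinned to an address outside the pool.
    ccd = "ifconfig-ipv6-push 2001:db8:0:1:2::10/112\n"
    for pool_ip, ccd_text in (("10.8.0.6", None), ("10.8.0.10", ccd)):
        addr = client_ipv6(pool_ip, ccd_text)
        print(pool_ip, "->", addr, audit(addr))
```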

cipher DES-EDE3-CBC

This is not for everyone - I chose this method of encrypting the connection.

Learn more about setting up OpenVPN for IPv4.

Learn more about setting up OpenVPN for IPv6.

============= Postfix =============

Installing the main package:

apt-get install postfix

During installation, choose "Internet Site".

"/etc/postfix/main.cf" yanga ikuwoneka motere:

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtp_bind_address = XX.XX.XX.X0
smtp_bind_address6 = XXXX:XXXX:XXXX:XXXX:1:1:1:1

smtp_tls_security_level = may
smtp_tls_ciphers = export
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_loglevel = 1

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = domain1.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = domain1.com
mydestination = localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4

internal_mail_filter_classes = bounce

# Storage type
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf

# SMTP-Auth settings
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        #reject_invalid_hostname,
        #reject_unknown_recipient_domain,
        reject_unauth_destination,
        reject_rbl_client sbl.spamhaus.org,
        check_policy_service unix:private/policyd-spf

smtpd_helo_restrictions =
        #reject_invalid_helo_hostname,
        #reject_non_fqdn_helo_hostname,
        reject_unknown_helo_hostname

smtpd_client_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_helo_hostname,
        permit

# SPF
policyd-spf_time_limit = 3600

# OpenDKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:var/run/opendkim/opendkim.sock

# IP address per domain
sender_dependent_default_transport_maps = pcre:/etc/postfix/sdd_transport.pcre

Let's look at the config in detail.

smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key

According to Habr users, this block contains "false and incorrect notions". Only 8 years after starting my career did I begin to understand how SSL works.

Therefore, I will take the liberty of describing how to use SSL (without answering the questions "How does it work?" and "Why does it work?").

The basis of modern encryption is the creation of a key pair (two very long strings of characters).

One "key" is private, the other is "public". We guard the private key very carefully. We hand the public key out to everyone.

Using the public key, you can encrypt a text string so that only the owner of the private key can decrypt it.
Well, that is the whole basis of the technology.

Step #1 - https sites.
When you visit a site, the browser learns from the web server that the site is https and therefore requests a public key.
The web server hands over the public key. The browser uses the public key to encrypt the http request and sends it.
The contents of the http request can be read only by whoever has the private key, that is, only by the server the request is addressed to.
The http request contains at least the URI. Therefore, if a country tries to block access not to a whole site but to a specific page, this is impossible for https sites.

Step #2 - the encrypted response.
The web server returns a response that could be read easily along the way.
The solution is very simple - the browser locally generates the same kind of private/public key pair for each https site.
And together with the request for the server's public key, it sends its own public key.
The web server remembers it and, when sending the http response, encrypts it with that particular client's public key.
Now the http response can be decrypted only by the owner of the client's private key (that is, the client itself).

Step #3 - establishing a secure connection over a public channel.
There is a vulnerability in example No.
So the intermediary will see perfectly well everything that is sent and every message received, until the communication channel changes.
Dealing with this is very simple - just send the browser's public key as a message encrypted with the server's public key.
The web server then sends a response like "your public key is such-and-such" and encrypts this message with that same key.
The browser checks the response - if the message "your public key is such-and-such" is received - then this is a 100% guarantee that this communication channel is secure.
How secure?
Creating such a secure channel takes ping * 2. For example, 20 ms.
An attacker would have to possess the private key of one of the parties in advance. Or find the private key within a few milliseconds.
Cracking one modern private key would take years on a supercomputer.

Step #4 - a public database of public keys.
Obviously, in this whole story there is an opportunity for an attacker to sit on the communication channel between the client and the server.
The attacker can pretend to be the server to the client, and pretend to be the client to the server. And exchange key pairs in both directions.
Then the attacker will see all the traffic and will be able to "edit" the traffic.
For example, change the address to which money is sent, or copy the password for online banking, or block "objectionable" content.
To combat such attackers, a public database with the public keys of every https site was invented.
Every browser "knows" about the existence of about 200 such databases. This comes preinstalled in every browser.
The "knowledge" is backed by the public key of each certificate. That is, the link to any specific certification authority cannot be forged.

Now there is a simple understanding of how to use SSL for https.
If you use your brain, it becomes clear how intelligence agencies could break something in this scheme. But it would cost them enormous effort.
And for organisations smaller than the NSA or CIA it is practically impossible to break the existing level of protection, even for VIPs.

I will also add something about ssh connections. There are no public keys there, so what can you do? The question is solved in two ways.
The ssh-by-password option:
On the first connection, the ssh client should warn that we have a new public key from the ssh server.
And on subsequent connections, if the warning "new public key from ssh server" appears, it means someone is trying to eavesdrop on you.
Or you were eavesdropped on during your first connection, and now you are connecting to the server without intermediaries.
Actually, because eavesdropping is revealed easily, quickly and effortlessly, this attack is used only in special cases against a specific client.

The ssh-by-key option:
We take a flash drive and write the ssh server's private key on it (there are terms and many details here, but I am writing a primer, not a user manual).
We leave the public key on the machine where the ssh client will be, and also keep it secret.
We bring the flash drive to the server, insert it, copy the private key, then burn the flash drive and scatter the ashes to the wind (or overwrite it with zeros).
That's it - after such an operation it is impossible to break into the ssh connection. Of course, in 10 years it may be possible to read a traffic dump on a supercomputer - but that is another story.

Sorry for the offtopic.

So, now that the theory is known, I will describe the process of creating an SSL certificate.

Using "openssl genrsa" we create a private key and a "blank" for the public key.
We send the "blank" to a third-party company, where we pay about $9 for the simplest certificate.

Pambuyo pa maola angapo, timalandira makiyi athu a "public" ndi makiyi angapo agulu kuchokera ku kampani yachitatu.

Chifukwa chiyani kampani yachitatu iyenera kulipira kulembetsa kiyi yanga yapagulu ndi funso losiyana, sitingaganizire pano.

Now the meaning of this entry becomes clear:

smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key

The folder "/etc/ssl" holds all the ssl-related files.
domain1.com - the name of the domain.
2018 - the year the key was created.
"key" - means the file is the private key. It must be readable by root only (mode 0600).

And the meaning of this file:

smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt

domain1.com - the name of the domain.
2018 - the year the certificate was created.
chained - means the file holds a chain of certificates: the first is our own certificate, and the rest are the intermediate certificates from the company that issued it, in that order. Postfix sends them to the client exactly as they appear in the file, so a wrong order shows up on the client side as "unable to get local issuer certificate".
crt - means this is a finished certificate (the public key together with its technical details: subject name, validity period, issuer signature).
Before pointing Postfix at these files, check that the first certificate in the chained file is really yours and that it belongs to the key; openssl can print the public key of both so they can be compared, and a mismatch makes Postfix refuse to start TLS.

smtp_bind_address = XX.XX.XX.X0
smtp_bind_address6 = XXXX:XXXX:XXXX:XXXX:1:1:1:1

These are not actually used here (the per-domain transports in master.cf override them), but they are written down as an example.

A mistake in this parameter means your mail leaves from an address whose rDNS and SPF records do not match the sending domain, and receiving servers will treat it as spam.

Then you get to prove to everyone that you are not a spammer.

recipient_delimiter = +

Many people do not know this, but it is a long-established mail convention (address extensions, also called sub-addressing), and it is supported by all modern mail servers.

For example, if you have the mailbox "[email protected]", try sending to "[email protected]" with a "+tag" added to the local part and see what arrives: Postfix strips the extension when looking up the mailbox, so the message lands in the same box, with the tag still visible in the recipient address.

inet_protocols = ipv4

This may look confusing.

But it is not. Every new component starts out IPv4-only, and then I switch IPv6 on for each of them separately (in master.cf, with "-o inet_protocols=all" on the per-domain transports).

virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf

Here we say that all incoming mail for our domains is handed to Dovecot over LMTP (a unix socket inside Postfix's private/ directory).
And the lists of domains, mailboxes and aliases are looked up in the database.

/etc/postfix/mysql-virtual-mailbox-domains.cf

user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT 1 FROM virtual_domains WHERE name='%s'

/etc/postfix/mysql-virtual-mailbox-maps.cf

user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT 1 FROM virtual_users WHERE email='%s'

/etc/postfix/mysql-virtual-alias-maps.cf

user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT destination FROM virtual_aliases WHERE source='%s'

The database user in these files only needs SELECT on the three tables. The files contain its password, so keep them owned by root, group postfix, mode 0640.
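Added example, not from the original article: the lookup order Postfix applies for a recipient in a virtual domain, with the recipient_delimiter and the three maps above replaced by constructed in-memory tables (the domains domain1.com and domain2.com, the users alice and bob, one alias and one catch-all are assumptions for the illustration). It shows why an address with a "+tag" still lands in the same mailbox, and how an unmatched extension is carried through an alias to its target.

```python
# Constructed stand-ins for the three MySQL tables queried by the .cf files above.
VIRTUAL_DOMAINS = {"domain1.com", "domain2.com"}
VIRTUAL_USERS = {"alice@domain1.com", "bob@domain2.com"}
VIRTUAL_ALIASES = {
    "info@domain1.com": "alice@domain1.com",   # ordinary alias
    "@domain2.com": "bob@domain2.com",         # catch-all for domain2.com
}
RECIPIENT_DELIMITER = "+"
MAIL_ROOT = "/var/mail/vhosts"                 # Dovecot's mail_location prefix (%d/%n)


def split_address(addr, delim=RECIPIENT_DELIMITER):
    """'user+ext@domain' -> ('user', 'ext', 'domain'); ext is '' when absent."""
    local, _, domain = addr.rpartition("@")
    user, _, ext = local.partition(delim)
    return user, ext, domain


def alias_lookup_keys(addr, delim=RECIPIENT_DELIMITER):
    """Keys Postfix tries, in order, for a virtual_alias_maps lookup of a virtual-domain
    address: user+ext@domain, then user@domain, then @domain. (The bare 'user' forms
    apply only to local domains and are left out here.)"""
    user, ext, domain = split_address(addr, delim)
    keys = [addr]
    if ext:
        keys.append(f"{user}@{domain}")
    keys.append(f"@{domain}")
    return keys


def resolve_recipient(addr, delim=RECIPIENT_DELIMITER, _depth=0):
    """Follow virtual_alias_maps then virtual_mailbox_maps for one RCPT TO address.
    Returns (verdict, final_address, maildir_or_None)."""
    if _depth > 10:                                # Postfix also stops runaway alias loops
        return ("alias-loop", addr, None)
    user, ext, domain = split_address(addr, delim)
    if domain not in VIRTUAL_DOMAINS:
        return ("not-ours", addr, None)            # relayed if allowed, else rejected
    for key in alias_lookup_keys(addr, delim):
        if key in VIRTUAL_ALIASES:
            target = VIRTUAL_ALIASES[key]
            # propagate_unmatched_extensions (default includes 'virtual'): an extension
            # that had to be stripped to find the match is re-attached to the target.
            if ext and key != addr:
                t_user, _, t_domain = target.rpartition("@")
                target = f"{t_user}{delim}{ext}@{t_domain}"
            if target != addr:                     # an address mapping to itself is final
                return resolve_recipient(target, delim, _depth + 1)
            break
    # virtual_mailbox_maps: the full address first, then the address without extension
    for key in ([addr, f"{user}@{domain}"] if ext else [addr]):
        if key in VIRTUAL_USERS:
            return ("mailbox", addr, f"{MAIL_ROOT}/{domain}/{user}")
    return ("reject", addr, None)                  # "User unknown in virtual mailbox table"


if __name__ == "__main__":
    for rcpt in ["alice+news@domain1.com", "info+x@domain1.com",
                 "nobody@domain2.com", "ghost@domain1.com", "x@other.org"]:
        print(rcpt, "->", resolve_recipient(rcpt))
```

The catch-all case is the one worth staring at: "@domain2.com" matches bob's own address too, which is why a self-mapping alias has to be treated as final, and why an extension on an unknown local part survives the catch-all and reaches Dovecot on bob's mailbox.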

# SMTP-Auth settings
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

Now Postfix knows how users authenticate when they want to send mail through the server: it asks Dovecot over the unix socket private/auth (defined in Dovecot's 10-master.conf), and only authenticated clients are allowed to relay.

At first glance this looks like a repeat of what "virtual_transport" already set up, but it is not. virtual_transport is about delivering incoming mail to Dovecot; SASL is about checking the passwords of people submitting outgoing mail. Postfix simply reuses Dovecot's password database for both, which is why the same users appear in two places.

smtpd_recipient_restrictions =
        ...

smtpd_helo_restrictions =
        ...

smtpd_client_restrictions =
        ...

These are set up differently on each mail server.

I have three mail servers, and these settings differ considerably because of the different requirements.

You need to configure them carefully: otherwise spam will pour in on you, or worse, spam will go out from you. Two things belong in smtpd_recipient_restrictions whatever else you add: the relay decision (permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, in that order, before anything that permits), and the SPF policy check (check_policy_service unix:private/policyd-spf), which is what actually connects the policyd-spf service defined below in master.cf to incoming mail.

# SPF
policyd-spf_time_limit = 3600

Settings for the add-on that checks SPF on incoming mail. This lets the policy daemon process stay alive for an hour before Postfix restarts it, the value its documentation recommends.

# OpenDKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:var/run/opendkim/opendkim.sock

The point is that every outgoing message gets a DKIM signature (and, in OpenDKIM's default mode, signatures on incoming mail are verified). The socket path is relative to Postfix's queue directory, i.e. /var/spool/postfix/var/run/opendkim/opendkim.sock, so that the chrooted smtpd can reach it. Note that milter_default_action = accept means mail is still accepted, unsigned, when OpenDKIM is down; watch the logs for that.

# IP address per domain
sender_dependent_default_transport_maps = pcre:/etc/postfix/sdd_transport.pcre

This is the important detail for getting mail routed correctly when it is sent from PHP scripts.

File "/etc/postfix/sdd_transport.pcre":

/^[email protected]$/ domain1:
/^[email protected]$/ domain2:
/^[email protected]$/ domain3:
/@domain1.com$/             domain1:
/@domain2.com$/             domain2:
/@domain3.com$/             domain3:

On the left is a regular expression, matched against the envelope sender. On the right is the label of the transport that will deliver the message (the part before the colon; nothing after the colon means no fixed next hop).
Postfix, according to that label, looks in master.cf for the lines that define how to deliver that message.

How Postfix delivers a particular message is shown in "master.cf".

Lines 4, 5, 6 are the main ones: instead of the domain we are sending from, we assign this label.
But the "from" field is not always set in PHP scripts in old code. Then the login name comes to the rescue: mail submitted locally without a sender gets the Unix user name as its envelope sender, and that is what lines 1, 2, 3 match.
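Added example, not code from the article: a Python model of how Postfix picks the transport for a given envelope sender from a pcre table like the one above (first match wins, case-insensitive, and unanchored unless the pattern anchors itself). The first three rules of the copy below use "www-domainN@mail.example" as the envelope sender that locally submitted mail gets from the per-site Unix user, and the master.cf summary uses documentation addresses; both are assumptions standing in for the page's obfuscated values.

```python
import re

# Constructed copy of /etc/postfix/sdd_transport.pcre (see assumptions in the lead-in).
SDD_TRANSPORT_PCRE = r"""
/^www-domain1@mail\.example$/  domain1:
/^www-domain2@mail\.example$/  domain2:
/^www-domain3@mail\.example$/  domain3:
/@domain1\.com$/               domain1:
/@domain2\.com$/               domain2:
/@domain3\.com$/               domain3:
"""

DEFAULT_TRANSPORT = "smtp"   # Postfix's default_transport when no rule matches

# Constructed summary of the per-transport "-o" overrides in master.cf.
MASTER_CF = {
    "domain1": {"bind4": "192.0.2.1", "bind6": "2001:db8::1:1:1:1", "helo": "domain1.com"},
    "domain2": {"bind4": "192.0.2.5", "bind6": "2001:db8::1:2:1:1", "helo": "domain2.com"},
    "domain3": {"bind4": "192.0.2.2", "bind6": "2001:db8::1:1:5:1", "helo": "domain3.com"},
    "smtp":    {"bind4": None, "bind6": None, "helo": "mail.example"},  # main.cf globals
}

_RULE = re.compile(r"^/(?P<pattern>.*)/\s+(?P<result>\S+)$")


def parse_pcre_table(text):
    """Parse '/pattern/ result' lines. Postfix pcre tables match case-insensitively
    by default and use search (unanchored) semantics, so anchor with ^ and $ yourself.
    Flag letters after the closing slash and '!' negation are not modelled here."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _RULE.match(line)
        if m is None:
            raise ValueError(f"unparseable rule: {line!r}")
        rules.append((re.compile(m.group("pattern"), re.IGNORECASE), m.group("result")))
    return rules


RULES = parse_pcre_table(SDD_TRANSPORT_PCRE)


def resolve_transport(sender, rules=RULES):
    """First matching rule wins, as in Postfix. Returns (transport, nexthop)."""
    for pattern, result in rules:
        if pattern.search(sender):
            transport, _, nexthop = result.partition(":")
            return transport, nexthop
    return DEFAULT_TRANSPORT, ""


def outbound_identity(sender):
    """Transport, source addresses and HELO name a message from `sender` leaves with."""
    transport, _ = resolve_transport(sender)
    return {"transport": transport, **MASTER_CF[transport]}


if __name__ == "__main__":
    for s in ["alice@domain2.com", "www-domain2@mail.example",
              "ALICE@DOMAIN3.COM", "alice@domain1.com.evil.example", "root@other.example"]:
        print(s, "->", outbound_identity(s))
```

The last two sample senders show why the "$" anchor on each rule matters: without it, a sender like "alice@domain1.com.evil.example" would be sent out through domain1's transport with domain1's IP and HELO name.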

This article is already long; I do not want to get sidetracked into setting up nginx + fpm.

In short, every site gets its own Linux user. And therefore its own fpm pool.

An fpm pool can use any PHP version (it is convenient when, on the same server, neighbouring sites can use different PHP versions and a different php.ini without trouble).

So the Linux user "www-domain2" owns the site domain2.com. That site contains code that sends mail without setting the From field.

Even in this case the mail will be sent correctly (through domain2's transport, from domain2's address and HELO name) and will not end up in spam.

My "/etc/postfix/master.cf" looks like this:

...
smtp      inet  n       -       y       -       -       smtpd
  -o content_filter=spamassassin
...
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
...
policyd-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/bin/policyd-spf

spamassassin unix -     n       n       -       -       pipe
    user=spamd argv=/usr/bin/spamc -f -e
    /usr/sbin/sendmail -oi -f ${sender} ${recipient}
...
domain1  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X1
   -o smtp_helo_name=domain1.com
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:1:1
   -o syslog_name=postfix-domain1

domain2  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X5
   -o smtp_helo_name=domain2.com
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:2:1:1
   -o syslog_name=postfix-domain2

domain3  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X2
   -o smtp_helo_name=domain3.com
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:5:1
   -o syslog_name=postfix-domain3

The file is not given in full; it is already large.
I only showed what was changed. (smtp_helo_name must be a fully qualified name that matches the rDNS of the bound address, hence domain3.com and not a bare label.)

smtp      inet  n       -       y       -       -       smtpd
  -o content_filter=spamassassin
...
spamassassin unix -     n       n       -       -       pipe
    user=spamd argv=/usr/bin/spamc -f -e
    /usr/sbin/sendmail -oi -f ${sender} ${recipient}

These are the settings related to SpamAssassin; more on it later. content_filter hands every message arriving on port 25 to the "spamassassin" pipe service, which runs spamc and re-injects the scanned message through sendmail (the command after -e). The -f flag is the safety net: if spamd is not reachable, spamc passes the message through unscanned instead of losing it.

submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

This allows clients to connect to the mail server on port 587.
To do so they have to log in, and TLS is mandatory there (smtpd_tls_security_level=encrypt), so passwords never cross the wire in the clear; anything that is not authenticated is rejected.

policyd-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/bin/policyd-spf

This defines the SPF-checking policy service. It does nothing until smtpd_recipient_restrictions references it as check_policy_service unix:private/policyd-spf.

apt-get install postfix-policyd-spf-python

This installs the package that provides the SPF checker used above.

domain1  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X1
   -o smtp_helo_name=domain1.com
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:1:1
   -o syslog_name=postfix-domain1

And this is the most interesting part: the ability to send mail for a particular domain from a particular IPv4/IPv6 address.

This is needed because of rDNS. rDNS is the procedure of obtaining a hostname from an IP address (a PTR record).
In mail it is used to check that the HELO name matches exactly the rDNS of the address the message was sent from, and that the name resolves back to that same address (forward-confirmed reverse DNS).

If the HELO does not match the domain the message claims to come from, spam points are added.
If the HELO does not match the rDNS, a lot of spam points are added.
Therefore each domain should have its own IP address.
At OVH, rDNS can be set in the console.
At tech.ru, the matter is handled through support.
At AWS, the matter is handled through support.
"inet_protocols" and "smtp_bind_address6" switch on IPv6 for this transport.
For IPv6 you must register rDNS as well.
"syslog_name" simply makes the logs easier to read: each domain's deliveries are tagged separately.

Further reading, linked from the original article:
where I recommend buying certificates;
the postfix+dovecot setup guide;
setting up SPF.
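Added example (not from the original): the forward-confirmed reverse DNS test that receiving servers apply, run against every bind address and HELO name of the per-domain transports before the server goes live. The PTR and A/AAAA data is a constructed table standing in for real "dig -x" and "dig A/AAAA" lookups (documentation addresses 192.0.2.0/24 and 2001:db8::/32 replace the page's placeholders), and it deliberately includes the typical failures: a hoster's default PTR that was never changed, a forgotten AAAA record and a missing IPv6 PTR.

```python
import ipaddress


def canon(ip):
    """Normalise textual IPs so 2001:db8:0:0:1:1:1:1 and 2001:db8::1:1:1:1 compare equal."""
    return str(ipaddress.ip_address(ip))


# Constructed DNS data standing in for real PTR and A/AAAA lookups.
PTR_RECORDS = {
    canon("192.0.2.1"): "domain1.com",
    canon("2001:db8::1:1:1:1"): "domain1.com",
    canon("192.0.2.5"): "domain2.com",
    canon("2001:db8::1:2:1:1"): "domain2.com",
    canon("192.0.2.2"): "vps-12345.hoster.example",   # hoster's default PTR, never changed
    # 2001:db8::1:1:5:1 has no PTR at all
}
FORWARD_RECORDS = {
    "domain1.com": {canon("192.0.2.1"), canon("2001:db8::1:1:1:1")},
    "domain2.com": {canon("192.0.2.5")},                # AAAA for domain2.com forgotten
    "domain3.com": {canon("192.0.2.2"), canon("2001:db8::1:1:5:1")},
    "vps-12345.hoster.example": {canon("192.0.2.2")},
}

# Constructed summary of the per-domain smtp transports in master.cf.
TRANSPORTS = {
    "domain1": {"helo": "domain1.com", "bind": ["192.0.2.1", "2001:db8:0:0:1:1:1:1"]},
    "domain2": {"helo": "domain2.com", "bind": ["192.0.2.5", "2001:db8::1:2:1:1"]},
    "domain3": {"helo": "domain3.com", "bind": ["192.0.2.2", "2001:db8::1:1:5:1"]},
}


def fcrdns_check(helo, ip, ptr=PTR_RECORDS, fwd=FORWARD_RECORDS):
    """Forward-confirmed reverse DNS as a receiver applies it to a connecting address:
    PTR(ip) must equal the HELO name, and that name must resolve back to ip."""
    ip = canon(ip)
    name = ptr.get(ip)
    if name is None:
        return "fail: no PTR record"
    if name.lower() != helo.lower().rstrip("."):
        return f"fail: PTR {name} != HELO {helo}"
    if ip not in fwd.get(name, set()):
        return f"fail: {name} does not resolve back to {ip}"
    return "ok"


def audit_transports(transports=TRANSPORTS):
    """Run the check for every source address of every transport; the result is keyed
    by the address exactly as it is written in master.cf."""
    return {
        name: {ip: fcrdns_check(t["helo"], ip) for ip in t["bind"]}
        for name, t in transports.items()
    }


if __name__ == "__main__":
    for name, results in audit_transports().items():
        for ip, verdict in results.items():
            print(f"{name:8} {ip:24} {verdict}")
```

Normalising the IPv6 text form is not cosmetic: master.cf, the hoster's control panel and dig may each print the same address differently, and a string comparison without it reports a false failure for the domain1 AAAA entry above.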

============== Dovecot ==============

apt-get install dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-mysql dovecot-antispam

Install the packages, having set up mysql beforehand.

File "/etc/dovecot/conf.d/10-auth.conf"

disable_plaintext_auth = yes
auth_mechanisms = plain login

The PLAIN and LOGIN mechanisms send the password as-is, so disable_plaintext_auth = yes means Dovecot only accepts them over a TLS-protected connection (or from localhost).

File "/etc/dovecot/conf.d/10-mail.conf"

mail_location = maildir:/var/mail/vhosts/%d/%n

Here we set where mail is stored.

I want it kept in Maildir format, grouped by domain (%d) and then by user name (%n).

File "/etc/dovecot/conf.d/10-master.conf"

service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    address = XX.XX.XX.X1, XX.XX.XX.X2, XX.XX.XX.X5, [XXXX:XXXX:XXXX:XXXX:1:1:1:1], [XXXX:XXXX:XXXX:XXXX:1:2:1:1], [XXXX:XXXX:XXXX:XXXX:1:1:5:1]
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    address = XX.XX.XX.X1, XX.XX.XX.X2, XX.XX.XX.X5, [XXXX:XXXX:XXXX:XXXX:1:1:1:1], [XXXX:XXXX:XXXX:XXXX:1:2:1:1], [XXXX:XXXX:XXXX:XXXX:1:1:5:1]
    port = 995
    ssl = yes
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
service imap {
}
service pop3 {
}
service auth {
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }

  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
  user = dovecot
}
service auth-worker {
  user = vmail
}
service dict {
  unix_listener dict {
  }
}

This is the main service configuration file of Dovecot.
Here we switch off the unencrypted listeners ("port = 0" disables plain IMAP on 143 and POP3 on 110) and enable only the TLS ones, on 993 and 995, bound to the specific addresses.
The lmtp and auth sockets are created inside Postfix's queue directory so that the chrooted Postfix processes can reach them. The auth socket is world-writable, but it lives in private/, which is itself accessible only to the postfix user.

File "/etc/dovecot/conf.d/10-ssl.conf"

ssl = required
ssl_cert = </etc/nginx/ssl/domain1.com.2018.chained.crt
ssl_key = </etc/nginx/ssl/domain1.com.2018.key
local XX.XX.XX.X5 {
  ssl_cert = </etc/nginx/ssl/domain2.com.2018.chained.crt
  ssl_key =  </etc/nginx/ssl/domain2.com.2018.key
}

SSL setup. We state that ssl is required.
Then the certificate itself. The important detail is the "local" directive: it selects the certificate to use for connections arriving on the given local IPv4 address. Note that these paths are under /etc/nginx/ssl while the Postfix settings above point at /etc/ssl; both services must be given the same key and certificate files, whichever directory they live in.

By the way, IPv6 is not configured here; I will fix that soon ("local" accepts IPv6 addresses in the same way).
With the configuration shown, XX.XX.XX.X5 (domain2) presents the domain2.com certificate, while XX.XX.XX.X2 (domain3) has no "local" block of its own and therefore presents the default domain1.com certificate. A client must connect using a hostname covered by the certificate it will be shown, so domain3 users have to configure domain1.com as the server name unless a block with a domain3.com certificate is added for XX.XX.XX.X2.

File "/etc/dovecot/conf.d/15-lda.conf"

protocol lda {
  mail_plugins = $mail_plugins sieve
}

This will be needed later for spamassassin (the sieve rule that files flagged mail into the Spam folder).

File "/etc/dovecot/conf.d/20-imap.conf"

protocol imap {
  mail_plugins = $mail_plugins antispam
}

This is the antispam plugin. It is needed to train spamassassin when messages are moved to/from the "Spam" folder. Be aware that dovecot-antispam is no longer maintained; current Dovecot versions do the same job with IMAPSieve.

File "/etc/dovecot/conf.d/20-pop3.conf"

protocol pop3 {
}

The file exists; nothing is changed in it.

File "/etc/dovecot/conf.d/20-lmtp.conf"

protocol lmtp {
  mail_plugins = $mail_plugins sieve
  postmaster_address = [email protected]
}

LMTP setup. postmaster_address is required by the lmtp service; sieve uses it as the sender of its reject notifications.

File "/etc/dovecot/conf.d/90-antispam.conf"

plugin {
  antispam_backend = pipe
  antispam_trash = Trash;trash
  antispam_spam = Junk;Spam;SPAM
  antispam_pipe_program_spam_arg = --spam
  antispam_pipe_program_notspam_arg = --ham
  antispam_pipe_program = /usr/bin/sa-learn
  antispam_pipe_program_args = --username=%Lu
}

Training settings for spamassassin when mail is moved to/from the Spam folder: moving a message into Junk/Spam/SPAM runs "sa-learn --spam", moving it out (to anything other than Trash) runs "sa-learn --ham", against the per-user Bayes data selected by --username.

File "/etc/dovecot/conf.d/90-sieve.conf"

plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_after = /var/lib/dovecot/sieve/default.sieve
}

This defines what to do with incoming mail. sieve_after is a global script that runs after the user's own script.

File "/var/lib/dovecot/sieve/default.sieve"

require ["fileinto", "mailbox"];

if header :contains "X-Spam-Flag" "YES" {
        fileinto :create "Spam";
}

If the X-Spam-Flag header (which SpamAssassin adds when the score exceeds its threshold) says YES, the message is filed into the "Spam" folder, creating it if necessary.
The script must be compiled: "sievec default.sieve", run in that directory, produces default.svbin next to it.

File "/etc/dovecot/conf.d/auth-sql.conf.ext"

passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
}

This points Dovecot at the SQL file for password checks.
The user database is static: every virtual user maps to the system user vmail, with a home directory under /var/mail/vhosts/%d/%n.

File "/etc/dovecot/dovecot-sql.conf.ext"

driver = mysql
connect = host=127.0.0.1 dbname=servermail user=usermail password=password
default_pass_scheme = SHA512-CRYPT
password_query = SELECT email as user, password FROM virtual_users WHERE email='%u';

This matches the corresponding postfix settings. default_pass_scheme = SHA512-CRYPT means the password column holds salted SHA-512 crypt hashes, never plain passwords; generate them with "doveadm pw -s SHA512-CRYPT" when adding users. This file contains the database password too, so keep it readable by root and the dovecot group only.

File "/etc/dovecot/dovecot.conf"

protocols = imap lmtp pop3
listen = *, ::
dict {
}
!include conf.d/*.conf
!include_try local.conf

The top-level configuration.
The important thing here is to list the protocols that are enabled.

============= SpamAssassin ==============

apt-get install spamassassin spamc

Install the packages.

adduser spamd --disabled-login

Add a user for it to run as (the "spamassassin" pipe service in master.cf runs spamc as this user).

systemctl enable spamassassin.service

Enable the spamassassin service to start at boot.

File "/etc/default/spamassassin":

CRON=1

This enables the daily cron job that fetches updated rules (sa-update).

File "/etc/spamassassin/local.cf":

report_safe 0

use_bayes          1
bayes_auto_learn   1
bayes_auto_expire  1
bayes_store_module Mail::SpamAssassin::BayesStore::MySQL
bayes_sql_dsn      DBI:mysql:sa:localhost:3306
bayes_sql_username sa
bayes_sql_password password

You need to create the database "sa" in mysql, with the user "sa" and the password "password" (replace it with something decent).

report_safe 0 means the original message is left intact and only the X-Spam-* headers are added (the sieve rule above relies on X-Spam-Flag). With report_safe 1, spam would instead be wrapped inside a report message as an attachment.
use_bayes switches on spamassassin's statistical learning.

The remaining spamassassin settings were already used earlier in the article.

Further reading, linked from the original article:
General "spamassassin" settings.
About moving new spam mail into the IMAP "Spam" folder.
About simple Dovecot + SpamAssassin integration.
I recommend reading the theory of training spamassassin by moving mail between imap folders (and I do not recommend using it).

============= Appeal to the community ==============

I also want to throw an idea out to the community on how to raise the security of sent mail, since I have gone deep into the mail topic.

The idea is that a user could generate two keys in their client (web interface, Thunderbird, browser plugin, ...): a public one and a private one. The public one is published in DNS. The private one stays in the client. Web servers could then use the public key to send to the recipient.

And to protect against spam sent as such messages (yes, the mail server cannot see the contents), three rules would have to be introduced:

  1. A genuine, valid DKIM signature, valid SPF, valid rDNS.
  2. A neural network for antispam training, plus its database, on the client side.
  3. The encryption algorithm must be such that the sending side has to spend 100 times more CPU on encrypting than the receiving side does on decrypting.

In addition to public mail, create a standard message for "initiating secure correspondence". One user (mailbox) sends a message with an attachment to another mailbox. The message contains a text proposal to start a secure communication channel and the public key of the mailbox owner (the private key stays on the client side).

Several keys can be created, one specifically for each correspondence. The recipient can accept the proposal and send back their own public key (also created specifically for this correspondence). Next, the first user sends a control message (encrypted with the second user's public key); having received it, the second user can consider the channel established and trustworthy. Then the second user sends a control message back, and the first user can also consider the channel secure.

To counter interception of keys in transit, the protocol must provide for handing over one public key on a flash drive.

And the most important thing, so that it all actually works (the question being "who will pay for it?"):
Introduce mail certificates from $10 for 3 years. They let the sender state in DNS that "my public keys are over there" and give the right to initiate secure correspondence. Accepting such correspondence is free.
gmail monetises its users in the end anyway. For $10 per 3 years: the right to create secure mail channels.

============= Conclusion =============

To test the whole article I intended to rent a dedicated server for a month and buy a domain with an SSL certificate.

But life circumstances turned out such that the matter dragged on for two months.
And so, when I had free time again, I decided to publish the article as it is, rather than risk the draft dragging on for another year.

If there are many questions like "but this is not described in enough detail", there will be motivation to take a dedicated server with a new domain and a new SSL certificate and describe everything in more detail and, most importantly, find everything that is missing.

I would also like feedback on the idea of mail certificates. If you like the idea, I will try to find the strength to write a draft RFC.

When copying large parts of the article, give a link to it.
When translating it into any other language, give a link to it.
I will try to translate it into English myself and leave cross-links.


Source: www.habr.com
