This is a story about setting up a modern mail server.
Postfix + Dovecot. SPF + DKIM + rDNS. With IPv6.
With TLS encryption. With support for multiple domains, some of them with a real SSL certificate.
With antispam protection and a high antispam rating with other mail servers.
Supporting multiple physical interfaces.
With OpenVPN, connected over IPv4 and providing IPv6.
If you don't want to learn all these technologies but want to set up such a server, this article is for you.
The article does not try to explain every detail. The explanation covers what is not configured by default or is important from the consumer's point of view.
The motivation for setting up a mail server is a long-held dream of mine. It may sound silly, but IMHO it is much better than dreaming of a new car of your favourite brand.
There are two motivations for setting up IPv6. An IT specialist must constantly learn new technologies to survive. I want to make my modest contribution to the fight against censorship.
The motivation for setting up OpenVPN is solely to get IPv6 on the local machine.
The motivation for setting up multiple physical interfaces is that on my server I have one interface that is "slow but unlimited" and another that is "fast but with a quota".
The motivation for setting up Bind is that my ISP provides an unstable DNS server, and Google's also fails sometimes. I want a stable DNS server for personal use.
The motivation for writing the article: I wrote a draft 10 months ago and have already looked at it twice. Even if the author needs it regularly, there is a high chance that others will need it too.
There is no universal solution for a mail server. But I will try to write something like "do this and, when everything works as it should, throw out the extra stuff."
The company tech.ru offers colocation. It can be compared with OVH, Hetzner, AWS. For this task, working with tech.ru turned out to be much more convenient.
Debian 9 is installed on the server.
The server has 2 interfaces, `eno1` and `eno2`. The first is unlimited, the second is fast, respectively.
There are 3 static IP addresses, XX.XX.XX.X0, XX.XX.XX.X1 and XX.XX.XX.X2 on the `eno1` interface, and XX.XX.XX.X5 on the `eno2` interface.
There is a pool of IPv6 addresses XXXX:XXXX:XXXX:XXXX::/64 assigned to the `eno1` interface, and from it XXXX:XXXX:XXXX:XXXX:1:2::/96 was assigned to `eno2` at my request.
There are 3 domains `domain1.com`, `domain2.com`, `domain3.com`. There is an SSL certificate for `domain1.com` and `domain3.com`.
I have a Google account to which I want to link my mailbox `[email protected]` (receive mail and send mail directly from the gmail interface).
There must be a mailbox `[email protected]`, a copy of whose mail I want to see in my gmail. And occasionally be able to send something on behalf of `[email protected]` via the web interface.
There must be a mailbox `[email protected]` that Ivanov will use from his iPhone.
Sent mail must meet all modern antispam requirements.
There must be the highest possible level of encryption on public networks.
There must be IPv6 support for sending and receiving mail.
There must be a SpamAssassin that never deletes mail. It will either bounce it, let it through, or deliver it to the IMAP "Spam" folder.
SpamAssassin auto-learning must be configured: if I move a message into the Spam folder, it learns from that; if I move a message out of the Spam folder, it learns from that. The results of SpamAssassin training must affect whether a message ends up in the Spam folder.
PHP scripts must be able to send mail on behalf of any domain hosted on the server.
There must be an OpenVPN service, with IPv6 available on a client that has no IPv6.
First you need to configure the interfaces and routing, including IPv6.
Then you need to configure OpenVPN, which will connect over IPv4 and give the client a static, real IPv6 address. This client will have access to all IPv6 services on the server and to any IPv6 resource on the Internet.
Then you need to configure Postfix to send mail + SPF + DKIM + rDNS and other such trifles.
Then configure Dovecot and set up multidomain.
Then configure SpamAssassin and set up training.
Finally, install Bind.
============= Multiple interfaces =============
To configure the interfaces, you need to write this in "/etc/network/interfaces":
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
allow-hotplug eno1
iface eno1 inet static
address XX.XX.XX.X0/24
gateway XX.XX.XX.1
dns-nameservers 127.0.0.1 213.248.1.6
post-up ip route add XX.XX.XX.0/24 dev eno1 src XX.XX.XX.X0 table eno1t
post-up ip route add default via XX.XX.XX.1 table eno1t
post-up ip rule add table eno1t from XX.XX.XX.X0
post-up ip rule add table eno1t to XX.XX.XX.X0
auto eno1:1
iface eno1:1 inet static
address XX.XX.XX.X1
netmask 255.255.255.0
post-up ip rule add table eno1t from XX.XX.XX.X1
post-up ip rule add table eno1t to XX.XX.XX.X1
post-up ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t
post-down ip route del 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t
auto eno1:2
iface eno1:2 inet static
address XX.XX.XX.X2
netmask 255.255.255.0
post-up ip rule add table eno1t from XX.XX.XX.X2
post-up ip rule add table eno1t to XX.XX.XX.X2
iface eno1 inet6 static
address XXXX:XXXX:XXXX:XXXX:1:1::/64
gateway XXXX:XXXX:XXXX:XXXX::1
up ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE
up ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:2/64 dev $IFACE
down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE
down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:1:1:2/64 dev $IFACE
# The secondary network interface
allow-hotplug eno2
iface eno2 inet static
address XX.XX.XX.X5
netmask 255.255.255.0
post-up ip route add XX.XX.XX.0/24 dev eno2 src XX.XX.XX.X5 table eno2t
post-up ip route add default via XX.XX.XX.1 table eno2t
post-up ip rule add table eno2t from XX.XX.XX.X5
post-up ip rule add table eno2t to XX.XX.XX.X5
post-up ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X5 table eno2t
post-down ip route del 10.8.0.0/24 dev tun0 src XX.XX.XX.X5 table eno2t
iface eno2 inet6 static
address XXXX:XXXX:XXXX:XXXX:1:2::/96
up ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:2:1:1/64 dev $IFACE
up ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:2:1:2/64 dev $IFACE
down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:2:1:1/64 dev $IFACE
down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:2:1:2/64 dev $IFACE
# OpenVPN network
iface tun0 inet6 static
address XXXX:XXXX:XXXX:XXXX:1:3::/80
These settings can be applied on any server at tech.ru (with a little coordination with support) and will work straight away as they should.
If you have experience setting up the same thing for Hetzner or OVH, it is different there. More complicated.
eno1 is the name of network card #1 (slow but unlimited).
eno2 is the name of network card #2 (fast, but with a quota).
tun0 is the name of the virtual network card from OpenVPN.
XX.XX.XX.X0 - IPv4 #1 on eno1.
XX.XX.XX.X1 - IPv4 #2 on eno1.
XX.XX.XX.X2 - IPv4 #3 on eno1.
XX.XX.XX.X5 - IPv4 #1 on eno2.
XX.XX.XX.1 - IPv4 gateway.
XXXX:XXXX:XXXX:XXXX::/64 - IPv6 for the whole server.
XXXX:XXXX:XXXX:XXXX:1:2::/96 - IPv6 for eno2; everything else from outside goes to eno1.
XXXX:XXXX:XXXX:XXXX::1 - IPv6 gateway (it is important to note that this can/should be different: specify the IPv6 of the switch).
dns-nameservers - 127.0.0.1 is specified (because bind is installed locally) and 213.248.1.6 (this one is from tech.ru).
"table eno1t" and "table eno2t" - the meaning of these routing rules is that traffic that came in through eno1 -> leaves through it, and traffic that came in through eno2 -> leaves through it. And connections initiated by the server go through eno1.
ip route add default via XX.XX.XX.1 table eno1t
With this command we say that any route we cannot otherwise resolve, which falls under any rule marked "table eno1t" -> is sent to the eno1 interface.
ip route add XX.XX.XX.0/24 dev eno1 src XX.XX.XX.X0 table eno1t
With this command we say that any traffic initiated by the server must be directed to the eno1 interface.
ip rule add table eno1t from XX.XX.XX.X0
ip rule add table eno1t to XX.XX.XX.X0
With these commands we set the rules for marking traffic.
auto eno1:2
iface eno1:2 inet static
address XX.XX.XX.X2
netmask 255.255.255.0
post-up ip rule add table eno1t from XX.XX.XX.X2
post-up ip rule add table eno1t to XX.XX.XX.X2
This block specifies a second IPv4 for the eno1 interface.
ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t
With this command we set the route from OpenVPN clients to the local IPv4 except XX.XX.XX.X0.
I don't understand why this one command is enough for all IPv4 addresses.
iface eno1 inet6 static
address XXXX:XXXX:XXXX:XXXX:1:1::/64
gateway XXXX:XXXX:XXXX:XXXX::1
Here we set the address for the interface itself. It will be used by the server as the "outgoing" address. It won't be used again in any way.
Why such a complicated ":1:1::"? So that OpenVPN works correctly, and only for that. More on this later.
On the subject of the gateway - that's how it works and it's fine. But the correct way is to specify here the IPv6 of the switch to which the server is connected.
However, for some reason IPv6 stops working when I do that. Probably some kind of tech.ru problem.
ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE
Adding an IPv6 address to the interface. If you need a hundred addresses, that means a hundred lines in this file.
iface eno1 inet6 static
address XXXX:XXXX:XXXX:XXXX:1:1::/64
...
iface eno2 inet6 static
address XXXX:XXXX:XXXX:XXXX:1:2::/96
...
iface tun0 inet6 static
address XXXX:XXXX:XXXX:XXXX:1:3::/80
I noted the addresses and subnets of all interfaces for clarity.
eno1 - must be "/64" - because that is our whole pool of addresses.
tun0 - its prefix length must be larger than eno1's. Otherwise it won't be possible to configure an IPv6 gateway for OpenVPN clients.
eno2 - its prefix length must be larger than tun0's. Otherwise OpenVPN clients won't be able to get local IPv6 addresses.
For clarity I chose a step of 16, but if you want, you can use a step of "1" as well.
So, 64+16 = 80, and 80+16 = 96.
For more clarity:
XXXX:XXXX:XXXX:XXXX:1:1:YYYY:YYYY - addresses that should be assigned to specific sites or services on the eno1 interface.
XXXX:XXXX:XXXX:XXXX:1:2:YYYY:YYYY - addresses that should be assigned to specific sites or services on the eno2 interface.
XXXX:XXXX:XXXX:XXXX:1:3:YYYY:YYYY - addresses that should be assigned to OpenVPN clients or used as the OpenVPN service address.
To apply the network configuration, it should be possible to restart the server.
IPv4 changes are picked up when this is executed (be sure to wrap it in screen - otherwise this command will simply take down the network on the server):
/etc/init.d/networking restart
Add to the end of the file "/etc/iproute2/rt_tables":
100 eno1t
101 eno2t
Without this, you cannot use custom tables in the "/etc/network/interfaces" file.
The number must be unique and less than 65535.
IPv6 changes can easily be made without a restart, but to do that you need to learn at least three commands:
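A consistency check for the rt_tables entries and the table names used in the interfaces file, as an added example that is not part of the article. The two snippets are constructed in the article's shape, with 203.0.113.x standing in for XX.XX.XX.Xn and a deliberately undefined table "vpnt" plus a half-configured address to show what the check reports.

```python
"""Check /etc/iproute2/rt_tables against the `table NAME` references made
by up/down hooks in /etc/network/interfaces (added example, constructed
input; table ids follow the article's rule: unique and below 65535)."""
import re

RT_TABLES = """\
#
# reserved values
#
255     local
254     main
253     default
0       unspec
100 eno1t
101 eno2t
"""

# Constructed interfaces fragment: "vpnt" is never defined in rt_tables
# and 203.0.113.11 only gets a "from" rule, both on purpose.
INTERFACES = """\
auto eno1
iface eno1 inet static
address 203.0.113.10/24
gateway 203.0.113.1
post-up ip route add 203.0.113.0/24 dev eno1 src 203.0.113.10 table eno1t
post-up ip route add default via 203.0.113.1 table eno1t
post-up ip rule add table eno1t from 203.0.113.10
post-up ip rule add table eno1t to 203.0.113.10
auto eno1:1
iface eno1:1 inet static
address 203.0.113.11
netmask 255.255.255.0
post-up ip rule add table eno1t from 203.0.113.11
auto eno2
iface eno2 inet static
address 203.0.113.15
netmask 255.255.255.0
post-up ip route add default via 203.0.113.1 table eno2t
post-up ip rule add table eno2t from 203.0.113.15
post-up ip rule add table eno2t to 203.0.113.15
post-up ip rule add table vpnt from 10.8.0.1
"""

# An ifupdown hook line that runs `ip ...`; group 1 is the ip argument list.
HOOK_RE = re.compile(r"^\s*(?:pre-|post-)?(?:up|down)\s+ip\b(.*)$")
RULE_RE = re.compile(r"\brule\s+add\s+table\s+(\S+)\s+(from|to)\s+(\S+)")


def parse_rt_tables(text):
    """Return ({name: id}, problems): duplicate ids or names, ids that are
    not below 65535, and lines that do not look like `<id> <name>`."""
    tables, problems, by_id = {}, [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            problems.append(f"rt_tables:{n}: cannot parse {raw.strip()!r}")
            continue
        tid, name = int(parts[0]), parts[1]
        if tid >= 65535:
            problems.append(f"rt_tables:{n}: id {tid} is not below 65535")
        if tid in by_id:
            problems.append(f"rt_tables:{n}: id {tid} already used by {by_id[tid]!r}")
        if name in tables:
            problems.append(f"rt_tables:{n}: name {name!r} already defined")
        by_id.setdefault(tid, name)
        tables.setdefault(name, tid)
    return tables, problems


def referenced_tables(text):
    """Map each table name used by a hook line to the line numbers using it."""
    refs = {}
    for n, raw in enumerate(text.splitlines(), 1):
        m = HOOK_RE.match(raw)
        t = re.search(r"\btable\s+(\S+)", m.group(1)) if m else None
        if t:
            refs.setdefault(t.group(1), []).append(n)
    return refs


def check_config(rt_text, if_text):
    """All problems: bad rt_tables lines, hooks naming an undefined table, and
    addresses that do not get both the `from` and `to` rule the article pairs."""
    tables, problems = parse_rt_tables(rt_text)
    for name, lines in sorted(referenced_tables(if_text).items()):
        if name not in tables and not name.isdigit():
            problems.append(f"interfaces:{lines}: table {name!r} is not defined in rt_tables")
    pairs = {}
    for raw in if_text.splitlines():
        m = HOOK_RE.match(raw)
        r = RULE_RE.search(m.group(1)) if m else None
        if r:
            pairs.setdefault((r.group(1), r.group(3)), set()).add(r.group(2))
    for (name, addr), dirs in sorted(pairs.items()):
        missing = sorted({"from", "to"} - dirs)
        if missing:
            problems.append(f"interfaces: {addr} in table {name!r} has a "
                            f"{sorted(dirs)[0]!r} rule but no {missing[0]!r} rule")
    return problems


if __name__ == "__main__":
    for p in check_config(RT_TABLES, INTERFACES):
        print(p)
```

Run it against the real files with `check_config(open("/etc/iproute2/rt_tables").read(), open("/etc/network/interfaces").read())` before the `networking restart` the article warns about.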
ip -6 addr ...
ip -6 route ...
ip -6 neigh ...
Configure "/etc/sysctl.conf":
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward = 1
# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0
# For receiving ARP replies
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.default.arp_filter = 0
# For sending ARP
net.ipv4.conf.all.arp_announce = 0
net.ipv4.conf.default.arp_announce = 0
# Enable IPv6
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0
# IPv6 configuration
net.ipv6.conf.all.autoconf = 1
net.ipv6.conf.all.accept_ra = 0
# For OpenVPN
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.proxy_ndp = 1
# For nginx on boot
net.ipv6.ip_nonlocal_bind = 1
These are the "sysctl" settings of my server. Let me point out something important.
net.ipv4.ip_forward = 1
Without this, OpenVPN won't work.
net.ipv6.ip_nonlocal_bind = 1
Anyone trying to bind to an IPv6 address (for example nginx) immediately after the interface comes up will get an error: the address is not available yet.
This setting is there to avoid that situation.
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.proxy_ndp = 1
Without these IPv6 settings, traffic from the OpenVPN client does not get out to the world.
The other settings are either irrelevant or I don't remember what they are for.
But just in case, I'll leave them "as is".
To apply changes in this file without restarting the server, you need to run the command:
sysctl -p
More details about the "table" rules:
============= OpenVPN ==============
OpenVPN over IPv4 does not work without iptables.
My iptables look like this for the VPN:
iptables -A INPUT -p udp -s YY.YY.YY.YY --dport 1194 -j ACCEPT
iptables -A FORWARD -i tun0 -o eno1 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j SNAT --to-source XX.XX.XX.X0
##iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j DROP
iptables -A FORWARD -p udp --dport 1194 -j DROP
YY.YY.YY.YY is the static IPv4 address of my local machine.
10.8.0.0/24 - the IPv4 openvpn network; IPv4 addresses for openvpn clients.
The order of the rules is important.
iptables -A INPUT -p udp -s YY.YY.YY.YY --dport 1194 -j ACCEPT
iptables -A FORWARD -i tun0 -o eno1 -j ACCEPT
...
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j DROP
iptables -A FORWARD -p udp --dport 1194 -j DROP
This restriction means that only I can use OpenVPN, from my static IP.
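A first-match walk over the article's INPUT rules for port 1194, as an added example that is not part of the article: it parses the same command lines, with the constructed address 198.51.100.7 standing in for YY.YY.YY.YY, and shows what changes when the rules are reordered or the final DROP is left out.

```python
"""Evaluate the article's INPUT rules for UDP/1194 with iptables' first-match
semantics (added example; TRUSTED is a constructed stand-in for YY.YY.YY.YY)."""
import re

TRUSTED = "198.51.100.7"
INPUT_RULES = [  # the article's INPUT rules, in the article's order
    f"iptables -A INPUT -p udp -s {TRUSTED} --dport 1194 -j ACCEPT",
    "iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "iptables -A INPUT -p udp --dport 1194 -j DROP",
]


def parse_rule(cmd):
    """Extract chain, target and the matchers this evaluator understands."""
    rule = {"chain": re.search(r"-A\s+(\S+)", cmd).group(1),
            "target": re.search(r"-j\s+(\S+)", cmd).group(1)}
    for flag, key in (("-p", "proto"), ("-s", "src"), ("--dport", "dport")):
        m = re.search(rf"(?<!\S){flag}\s+(\S+)", cmd)   # flag must start a token
        if m:
            rule[key] = m.group(1)
    m = re.search(r"--state\s+(\S+)", cmd)
    if m:
        rule["state"] = set(m.group(1).split(","))
    return rule


def first_match(rules, pkt, policy="ACCEPT"):
    """Walk the chain top-down: the first matching rule's target is the verdict;
    if nothing matches, the chain policy applies (ACCEPT on a fresh Debian)."""
    for rule in rules:
        if rule["chain"] != pkt["chain"]:
            continue
        if any(k in rule and rule[k] != str(pkt[k]) for k in ("proto", "src", "dport")):
            continue
        if "state" in rule and pkt["state"] not in rule["state"]:
            continue
        return rule["target"]
    return policy


def probe(cmds, src, proto="udp", state="NEW"):
    """Verdict for one packet from `src` to port 1194 under the given rule list."""
    pkt = {"chain": "INPUT", "proto": proto, "src": src, "dport": 1194, "state": state}
    return first_match([parse_rule(c) for c in cmds], pkt)


if __name__ == "__main__":
    print("trusted, article order :", probe(INPUT_RULES, TRUSTED))            # ACCEPT
    print("stranger, article order:", probe(INPUT_RULES, "203.0.113.9"))      # DROP
    print("trusted, DROP first    :", probe(list(reversed(INPUT_RULES)), TRUSTED))  # DROP
    print("stranger, no DROP rule :", probe(INPUT_RULES[:1], "203.0.113.9"))  # ACCEPT
```

Note that these rules match `-p udp`, while the server.conf shown later in the article uses `proto tcp-server`; a TCP probe matches none of the three rules and falls through to the chain policy.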
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j SNAT --to-source XX.XX.XX.X0
-- or --
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j MASQUERADE
To pass IPv4 packets between OpenVPN clients and the Internet, you need to register one of these rules.
In different situations one of the options is inappropriate.
Both commands work for my case.
After reading the documentation, I chose the first option because it uses less CPU.
For all iptables settings to be picked up after a reboot, you need to save them somewhere.
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6
These names were not chosen at random. They are used by the "iptables-persistent" package.
apt-get install iptables-persistent
Install the main OpenVPN packages:
apt-get install openvpn easy-rsa
Let's set up a template for the certificates (substitute your own values):
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
ln -s openssl-1.0.0.cnf openssl.cnf
Let's correct the certificate template settings:
mcedit vars
...
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="RU"
export KEY_PROVINCE="Krasnodar"
export KEY_CITY="Dinskaya"
export KEY_ORG="Own"
export KEY_EMAIL="[email protected]"
export KEY_OU="VPN"
# X509 Subject Field
export KEY_NAME="server"
...
Create the server certificate:
cd ~/openvpn-ca
source vars
./clean-all
./build-ca
./build-key-server server
./build-dh
openvpn --genkey --secret keys/ta.key
Let's prepare the ability to create the final "client-name.ovpn" files:
mkdir -p ~/client-configs/files
chmod 700 ~/client-configs/files
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
mcedit ~/client-configs/base.conf
# Client mode
client
# Interface tunnel type
dev tun
# TCP protocol
proto tcp-client
# Address/Port of VPN server
remote XX.XX.XX.X0 1194
# Don't bind to local port/address
nobind
# Don't need to re-read keys and re-create tun at restart
persist-key
persist-tun
# Remote peer must have a signed certificate
remote-cert-tls server
ns-cert-type server
# Enable compression
comp-lzo
# Custom
ns-cert-type server
tls-auth ta.key 1
cipher DES-EDE3-CBC
Let's prepare a script that combines all the files into one ovpn file.
mcedit ~/client-configs/make_config.sh
chmod 700 ~/client-configs/make_config.sh
#!/bin/bash
# First argument: Client identifier
KEY_DIR=~/openvpn-ca/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf
# Inline the CA, client certificate, client key and tls-auth key into one .ovpn
cat ${BASE_CONFIG} \
    <(echo -e '<ca>') \
    ${KEY_DIR}/ca.crt \
    <(echo -e '</ca>\n<cert>') \
    ${KEY_DIR}/${1}.crt \
    <(echo -e '</cert>\n<key>') \
    ${KEY_DIR}/${1}.key \
    <(echo -e '</key>\n<tls-auth>') \
    ${KEY_DIR}/ta.key \
    <(echo -e '</tls-auth>') \
    > ${OUTPUT_DIR}/${1}.ovpn
Create the first OpenVPN client:
cd ~/openvpn-ca
source vars
./build-key client-name
cd ~/client-configs
./make_config.sh client-name
The file "~/client-configs/files/client-name.ovpn" is sent to the client device.
For iOS clients you need to do the following trick:
The content of the "tls-auth" tag must contain no comments.
And also put "key-direction 1" before the "tls-auth" tag.
Let's adjust the OpenVPN server config:
cd ~/openvpn-ca/keys
cp ca.crt ca.key server.crt server.key ta.key dh2048.pem /etc/openvpn
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | tee /etc/openvpn/server.conf
mcedit /etc/openvpn/server.conf
# Listen port
port 1194
# Protocol
proto tcp-server
# IP tunnel
dev tun0
tun-ipv6
push tun-ipv6
# Master certificate
ca ca.crt
# Server certificate
cert server.crt
# Server private key
key server.key
# Diffie-Hellman parameters
dh dh2048.pem
# Allow clients to communicate with each other
client-to-client
# Client config dir
client-config-dir /etc/openvpn/ccd
# Run client-specific script on connection and disconnection
script-security 2
client-connect "/usr/bin/sudo -u root /etc/openvpn/server-clientconnect.sh"
client-disconnect "/usr/bin/sudo -u root /etc/openvpn/server-clientdisconnect.sh"
# Server mode and client subnets
server 10.8.0.0 255.255.255.0
server-ipv6 XXXX:XXXX:XXXX:XXXX:1:3::/80
topology subnet
# IPv6 routes
push "route-ipv6 XXXX:XXXX:XXXX:XXXX::/64"
push "route-ipv6 2000::/3"
# DNS (for Windows)
# These are OpenDNS
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
# Configure all clients to redirect their default network gateway through the VPN
push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway ipv6" #For iOS
# Don't need to re-read keys and re-create tun at restart
persist-key
persist-tun
# Ping every 10s. Timeout of 120s.
keepalive 10 120
# Enable compression
comp-lzo
# User and group
user vpn
group vpn
# Log a short status
status openvpn-status.log
# Logging verbosity
##verb 4
# Custom config
tls-auth ta.key 0
cipher DES-EDE3-CBC
This is needed to be able to set a specific address for each client (not required, but I use it):
# Client config dir
client-config-dir /etc/openvpn/ccd
The most complicated and important settings.
Unfortunately, OpenVPN does not yet know how to configure an IPv6 gateway for clients on its own.
You have to push this "by hand" for each client.
# Run client-specific script on connection and disconnection
script-security 2
client-connect "/usr/bin/sudo -u root /etc/openvpn/server-clientconnect.sh"
client-disconnect "/usr/bin/sudo -u root /etc/openvpn/server-clientdisconnect.sh"
File "/etc/openvpn/server-clientconnect.sh":
#!/bin/sh
# Check client variables
if [ -z "$ifconfig_pool_remote_ip" ] || [ -z "$common_name" ]; then
echo "Missing environment variable."
exit 1
fi
# Load server variables
. /etc/openvpn/variables
ipv6=""
# Find out if there is a specific config with fixed IPv6 for this client
if [ -f "/etc/openvpn/ccd/$common_name" ]; then
# Get fixed IPv6 from client config file
ipv6=$(sed -nr 's/^.*ifconfig-ipv6-push[ \t]+([0-9a-fA-F:]+).*$/\1/p' "/etc/openvpn/ccd/$common_name")
echo $ipv6
fi
# Get IPv6 from IPv4
if [ -z "$ipv6" ]; then
ipp=$(echo "$ifconfig_pool_remote_ip" | cut -d. -f4)
if ! [ "$ipp" -ge 2 -a "$ipp" -le 254 ] 2>/dev/null; then
echo "Invalid IPv4 part."
exit 1
fi
hexipp=$(printf '%x' $ipp)
ipv6="$prefix$hexipp"
fi
# Create proxy rule
/sbin/ip -6 neigh add proxy $ipv6 dev eno1
File "/etc/openvpn/server-clientdisconnect.sh":
#!/bin/sh
# Check client variables
if [ -z "$ifconfig_pool_remote_ip" ] || [ -z "$common_name" ]; then
echo "Missing environment variable."
exit 1
fi
# Load server variables
. /etc/openvpn/variables
ipv6=""
# Find out if there is a specific config with fixed IPv6 for this client
if [ -f "/etc/openvpn/ccd/$common_name" ]; then
# Get fixed IPv6 from client config file
ipv6=$(sed -nr 's/^.*ifconfig-ipv6-push[ \t]+([0-9a-fA-F:]+).*$/\1/p' "/etc/openvpn/ccd/$common_name")
fi
# Get IPv6 from IPv4
if [ -z "$ipv6" ]; then
ipp=$(echo "$ifconfig_pool_remote_ip" | cut -d. -f4)
if ! [ "$ipp" -ge 2 -a "$ipp" -le 254 ] 2>/dev/null; then
echo "Invalid IPv4 part."
exit 1
fi
hexipp=$(printf '%x' $ipp)
ipv6="$prefix$hexipp"
fi
# Delete proxy rule
/sbin/ip -6 neigh del proxy $ipv6 dev eno1
Both scripts use the file "/etc/openvpn/variables":
# Subnet
prefix=XXXX:XXXX:XXXX:XXXX:2:
# netmask
prefixlen=112
It is hard for me to remember why it is written this way.
Now netmask = 112 looks strange (it should be 96 there).
And the prefix is different; it does not match the tun0 network.
But fine, I'll leave it as is.
cipher DES-EDE3-CBC
Not for everyone - this is the connection encryption method I chose.
============= Postfix =============
Install the main package:
apt-get install postfix
During installation, choose "internet site".
My "/etc/postfix/main.cf" looks like this:
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
readme_directory = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtp_bind_address = XX.XX.XX.X0
smtp_bind_address6 = XXXX:XXXX:XXXX:XXXX:1:1:1:1
smtp_tls_security_level = may
smtp_tls_ciphers = export
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_loglevel = 1
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = domain1.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = domain1.com
mydestination = localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
internal_mail_filter_classes = bounce
# Storage type
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
# SMTP-Auth settings
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
#reject_invalid_hostname,
#reject_unknown_recipient_domain,
reject_unauth_destination,
reject_rbl_client sbl.spamhaus.org,
check_policy_service unix:private/policyd-spf
smtpd_helo_restrictions =
#reject_invalid_helo_hostname,
#reject_non_fqdn_helo_hostname,
reject_unknown_helo_hostname
smtpd_client_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_non_fqdn_helo_hostname,
permit
# SPF
policyd-spf_time_limit = 3600
# OpenDKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:var/run/opendkim/opendkim.sock
# IP address per domain
sender_dependent_default_transport_maps = pcre:/etc/postfix/sdd_transport.pcre
Let's look at the details of this config.
smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key
According to Habr users, this block contains "misinformation and errors". Only 8 years after the start of my career did I begin to understand how SSL works.
Therefore, I'll take the liberty of describing how SSL is used (without answering the questions "How does it work?" and "Why is it useful?").
The basis of modern encryption is the creation of a key pair (two very long strings of characters).
One "key" is private, the other key is "public". We keep the private key strictly secret. We hand out the public key to everyone.
Using the public key, you can encrypt a string of text so that only the owner of the private key can decrypt it.
Well, that is the whole basis of the technology.
Step #1 - https sites.
When accessing a site, the browser learns from the web server that the site is https and therefore requests a public key.
The web server hands over the public key. The browser uses the public key to encrypt the http-request and sends it.
The contents of the http-request can be read only by those who have the private key, that is, only by the server to which the request is made.
The http-request contains the URI. Therefore, if a country tries to restrict access not to an entire site but to a specific page, this cannot be done for https sites.
Step #2 - encrypted response.
The web server returns a response that is easy to read along the way.
The solution is extremely simple - the browser locally generates the same kind of key pair for each https site.
And along with the request for the web server's public key, it sends its own public key.
The web server remembers it and, when sending the http-response, encrypts it with the public key of that specific client.
Now the http-response can be decrypted only by the owner of the private key of the client's browser (that is, the client itself).
Step #3 - establishing a secure connection over a public channel.
There is a vulnerability in example #2 - nothing stops ill-wishers from intercepting the http-request and editing the public key information.
Thus, the intermediary will clearly see everything in the messages sent and received until the communication channel is changed.
Handling this is extremely simple - just send the browser's public key as a message encrypted with the web server's public key.
Then the web server first sends a response like "your public key is this" and encrypts this message with that same public key.
The browser looks at the response - if the message "your public key is this" is received - that is a 100% guarantee that this communication channel is secure.
How secure is it?
Creating such a secure communication channel takes ping*2. For example 20ms.
The attacker must have the private key of one of the parties in advance. Or find a private key in a few milliseconds.
Cracking one modern private key takes years on a supercomputer.
Step #4 - public database of public keys.
Obviously, in this whole story there is an opportunity for an attacker to sit on the communication channel between the client and the server.
He can pose as the server to the client and as the client to the server. And emulate a key pair in both directions.
Then the attacker sees all the traffic and can "edit" the traffic.
For example, change the address to send money to, or copy the password from online banking, or block "objectionable" content.
To combat attackers, they came up with a public database with public keys for each https site.
Each browser "knows" about the existence of about 200 such databases. They come pre-installed in every browser.
"Knowing" is backed by a public key from each certificate. That is, the connection to each specific certification authority cannot be faked.
Now there is a simple understanding of how SSL is used for https.
If you use your brain, it becomes clear how the special services can crack something in this structure. But it will cost them monstrous effort.
And organizations smaller than the NSA or CIA are practically unable to crack the existing level of protection, even for VIPs.
I'll also add a few words about ssh connections. There are no public keys there, so what can you do? There are two ways to solve the issue.
Option ssh-by-password:
On the first connection, the ssh client must warn that we have a new public key from the ssh server.
And on subsequent connections, if the warning "new public key from the ssh server" appears, it means they are trying to eavesdrop on you.
Or you were eavesdropped on during the first connection, but now you are communicating with the server without intermediaries.
Actually, because the fact of eavesdropping is revealed easily, quickly and without effort, this attack is used only in special cases for a specific client.
Option ssh-by-key:
We take a flash drive, write the private key for the ssh server onto it (there are terms and many important nuances for this, but I'm writing an educational piece, not instructions for use).
We put the public key on the machine where the ssh client will be, and also keep it secret.
We bring the flash drive to the server, plug it in, copy the private key, then burn the flash drive and scatter the ashes to the wind (or at least zero it out).
That's all - after such an operation it will be impossible to crack such an ssh connection. Of course, in 10 years it will be possible to look at the traffic on a supercomputer - but that's another story.
I apologize for the off-topic.
So now the theory is known. I'll tell you about the flow of creating an SSL certificate.
Using "openssl genrsa" we create a private key and a "blank" for the public key.
We send the "blank" to a third-party company, where we pay about $9 for the simplest certificate.
After a few hours, we receive our "public" key and a set of several public keys from this third-party company.
Why a third-party company should be paid for registering my public key is a separate question; we won't consider it here.
So the meaning of the entry is clear:
smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key
The "/etc/ssl" folder contains all the files for ssl matters.
domain1.com - the domain name.
2018 - the year the key was created.
"key" - indicates that the file is a private key.
And the meaning of this file:
smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
domain1.com - the domain name.
2018 - the year the key was created.
chained - indicates that it contains a chain of public keys (the first is our public key, then the others received from the company that issued the certificate).
crt - indicates that it contains a ready certificate (the public key with technical explanations).
smtp_bind_address = XX.XX.XX.X0
smtp_bind_address6 = XXXX:XXXX:XXXX:XXXX:1:1:1:1
This setting is not used in this configuration but is written here as an example.
Because a mistake in this parameter will lead to spam being sent from your server (without your wishing it).
Then go and prove to everyone that you are not guilty.
recipient_delimiter = +
Many people probably don't know this, but it is a standard feature for grouping emails, and it is supported by most modern mail servers.
For example, if you have a mailbox "[email protected]", try sending to "[email protected]" and see what happens.
inet_protocols = ipv4
This may be confusing.
But that's not all. By default every new domain can use only IPv4; I then enable IPv6 for each domain separately.
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
Here we tell Postfix that all incoming mail goes to dovecot.
And the rules for domains, mailboxes and aliases are looked up in the database.
/etc/postfix/mysql-virtual-mailbox-domains.cf
user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT 1 FROM virtual_domains WHERE name='%s'
/etc/postfix/mysql-virtual-mailbox-maps.cf
user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT 1 FROM virtual_users WHERE email='%s'
/etc/postfix/mysql-virtual-alias-maps.cf
user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT destination FROM virtual_aliases WHERE source='%s'
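Added example (not from the article): a Python emulation of the three lookups above against an in-memory SQLite copy of the tables, so the recipient resolution can be followed without a MySQL server. Table and column names come from the queries on this page; the sample rows, the sqlite3 stand-in and the "+" extension fallback for recipient_delimiter are assumptions made for this example.

```python
import sqlite3

# Schema inferred from the three query strings in the .cf files above
# (only the columns those queries touch).
SCHEMA = """
CREATE TABLE virtual_domains (name TEXT PRIMARY KEY);
CREATE TABLE virtual_users   (email TEXT PRIMARY KEY, password TEXT);
CREATE TABLE virtual_aliases (source TEXT PRIMARY KEY, destination TEXT);
"""

# Constructed sample rows; the password hashes are placeholders.
SAMPLE_ROWS = {
    "virtual_domains": [("domain1.com",), ("domain2.com",)],
    "virtual_users":   [("alice@domain1.com", "{SHA512-CRYPT}PLACEHOLDER"),
                        ("bob@domain2.com",   "{SHA512-CRYPT}PLACEHOLDER")],
    "virtual_aliases": [("postmaster@domain1.com", "alice@domain1.com")],
}

def open_db():
    """Build the in-memory stand-in for the 'servermail' database."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        db.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return db

def lookup(db, query, key):
    """One map lookup. Postfix substitutes the key for %s after quoting
    it; here the key is a bound parameter, so no quoting is needed."""
    row = db.execute(query, (key,)).fetchone()
    return row[0] if row else None

def resolve(db, recipient, delimiter="+"):
    """Return ("lmtp", mailbox) if Postfix would hand the recipient to
    Dovecot over virtual_transport, ("reject", reason) for an unknown
    user in a virtual domain, or ("not_virtual", recipient) otherwise."""
    # 1. virtual_alias_maps rewrites the address before routing
    #    (only the exact-address form of the lookup is shown here).
    alias = lookup(db, "SELECT destination FROM virtual_aliases WHERE source=?", recipient)
    if alias:
        recipient = alias
    local, _, domain = recipient.partition("@")
    # 2. virtual_mailbox_domains decides whether this domain is ours.
    if not lookup(db, "SELECT 1 FROM virtual_domains WHERE name=?", domain):
        return ("not_virtual", recipient)
    # 3. virtual_mailbox_maps: full address first, then without the
    #    recipient_delimiter extension (user+tag@domain -> user@domain).
    candidates = [recipient]
    if delimiter in local:
        candidates.append(local.split(delimiter, 1)[0] + "@" + domain)
    for cand in candidates:
        if lookup(db, "SELECT 1 FROM virtual_users WHERE email=?", cand):
            return ("lmtp", cand)
    return ("reject", "User unknown in virtual mailbox table")
```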
# SMTP-Auth settings
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
So now postfix knows that it can accept mail for forwarding after authentication with dovecot.
I honestly don't understand why this is duplicated here. We have already specified everything needed in "virtual_transport".
But the postfix system is very old - probably a holdover from the old days.
smtpd_recipient_restrictions =
...
smtpd_helo_restrictions =
...
smtpd_client_restrictions =
...
This can be configured differently for each mail server.
I have 3 mail servers in use, and these settings differ greatly because of different usage requirements.
You need to configure this carefully - otherwise spam will pour in to you, or even worse, spam will pour out from you.
# SPF
policyd-spf_time_limit = 3600
A setting for a plugin that performs SPF checking of incoming letters.
# OpenDKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:var/run/opendkim/opendkim.sock
The setting we need so that every outgoing email gets a DKIM signature.
# IP address per domain
sender_dependent_default_transport_maps = pcre:/etc/postfix/sdd_transport.pcre
This is the key setting for the flow of letters when they are sent from PHP scripts.
File "/etc/postfix/sdd_transport.pcre":
/^[email protected]$/ domain1:
/^[email protected]$/ domain2:
/^[email protected]$/ domain3:
/@domain1.com$/ domain1:
/@domain2.com$/ domain2:
/@domain3.com$/ domain3:
On the left are regular expressions. On the right is a label that marks the letter.
Postfix, according to the label, will apply a few more configuration lines to that particular letter.
Exactly how postfix is reconfigured for a particular letter is specified in "master.cf".
Lines 4, 5, 6 are the main ones. On behalf of whichever domain we send the letter, we assign that label.
But the "from" field is not always specified in PHP scripts in old code. Then the username comes to the rescue.
The article is already extensive - I don't want to get distracted with setting up nginx + fpm.
In short, for each site we set its own linux user as owner. And accordingly its own fpm-pool.
An fpm-pool can use any version of php (it is very convenient when on the same server you can use different versions of php and even different php.ini for neighbouring sites without problems).
So, a specific linux user "www-domain2" owns the site domain2.com. This site has a script for sending emails that does not specify the from field.
So even in this case letters will be sent correctly and will never end up in spam.
My "/etc/postfix/master.cf" looks like this:
...
smtp inet n - y - - smtpd
-o content_filter=spamassassin
...
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
...
policyd-spf unix - n n - 0 spawn
user=policyd-spf argv=/usr/bin/policyd-spf
spamassassin unix - n n - - pipe
user=spamd argv=/usr/bin/spamc -f -e
/usr/sbin/sendmail -oi -f ${sender} ${recipient}
...
domain1 unix - - n - - smtp
-o smtp_bind_address=XX.XX.XX.X1
-o smtp_helo_name=domain1.com
-o inet_protocols=all
-o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:1:1
-o syslog_name=postfix-domain1
domain2 unix - - n - - smtp
-o smtp_bind_address=XX.XX.XX.X5
-o smtp_helo_name=domain2.com
-o inet_protocols=all
-o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:2:1:1
-o syslog_name=postfix-domain2
domain3 unix - - n - - smtp
-o smtp_bind_address=XX.XX.XX.X2
-o smtp_helo_name=domain3
-o inet_protocols=all
-o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:5:1
-o syslog_name=postfix-domain3
The file is not given in full - it is too large.
I have only noted what was changed.
smtp inet n - y - - smtpd
-o content_filter=spamassassin
...
spamassassin unix - n n - - pipe
user=spamd argv=/usr/bin/spamc -f -e
/usr/sbin/sendmail -oi -f ${sender} ${recipient}
These are the settings related to spamassassin; more on that later.
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
We allow connecting to the mail server via port 587.
To do this, you must log in.
policyd-spf unix - n n - 0 spawn
user=policyd-spf argv=/usr/bin/policyd-spf
Enable the SPF check.
apt-get install postfix-policyd-spf-python
We install the package for the SPF check above.
domain1 unix - - n - - smtp
-o smtp_bind_address=XX.XX.XX.X1
-o smtp_helo_name=domain1.com
-o inet_protocols=all
-o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:1:1
-o syslog_name=postfix-domain1
And this is the most interesting part. The ability to send letters for a specific domain from a specific IPv4/IPv6 address.
This is done for the sake of rDNS. rDNS is the process of obtaining a name from an IP address.
And for mail this feature is used to verify that the helo matches exactly the rDNS of the address from which the email was sent.
If the helo does not match the email domain on behalf of which the letter was sent, spam points are given.
If the helo does not match the rDNS, lots of spam points are given.
Accordingly, each domain must have its own IP address.
For OVH, rDNS can be set in the control panel.
For tech.ru, the issue is resolved through support.
For AWS, the issue is resolved through support.
"inet_protocols" and "smtp_bind_address6" - we enable IPv6 support.
For IPv6 you also need to register rDNS.
"syslog_name" - this is for convenience when reading logs.
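Added example (not part of the article): Python code that emulates the pcre: lookup Postfix does for sender_dependent_default_transport_maps, using the three @domain lines of sdd_transport.pcre and the -o overrides from the master.cf excerpt above, then checks that each transport's smtp_helo_name equals the PTR name of its smtp_bind_address, which is the HELO/rDNS agreement the text says receivers score on. The PTR answers are constructed (no DNS query is made) and the placeholder addresses are the page's own; run as written, the check flags the domain3 transport, whose helo name is given above as "domain3" rather than a host name.

```python
import re

# sdd_transport.pcre, transcribed from the page: Postfix tries the
# patterns in file order and uses the first one that matches the
# envelope sender (pcre: tables match case-insensitively by default).
SDD_TRANSPORT = [
    (r"@domain1.com$", "domain1"),
    (r"@domain2.com$", "domain2"),
    (r"@domain3.com$", "domain3"),
]

# The -o overrides of each transport from the master.cf excerpt.
MASTER_CF = {
    "domain1": {"smtp_bind_address": "XX.XX.XX.X1", "smtp_helo_name": "domain1.com"},
    "domain2": {"smtp_bind_address": "XX.XX.XX.X5", "smtp_helo_name": "domain2.com"},
    "domain3": {"smtp_bind_address": "XX.XX.XX.X2", "smtp_helo_name": "domain3"},
}

# Constructed PTR answers standing in for a real reverse lookup.
PTR_RECORDS = {
    "XX.XX.XX.X1": "domain1.com",
    "XX.XX.XX.X5": "domain2.com",
    "XX.XX.XX.X2": "domain3.com",
}

def select_transport(sender, table=SDD_TRANSPORT):
    """Transport name Postfix would pick for this envelope sender, or
    None when no pattern matches (default_transport is used then)."""
    for pattern, transport in table:
        if re.search(pattern, sender, re.IGNORECASE):
            return transport
    return None

def helo_matches_rdns(transport, ptr=PTR_RECORDS):
    """True when the HELO name the transport announces equals the PTR
    name of the address it binds to; a mismatch earns spam points."""
    opts = MASTER_CF[transport]
    return ptr.get(opts["smtp_bind_address"]) == opts["smtp_helo_name"]

def audit(ptr=PTR_RECORDS):
    """List the transports whose HELO name disagrees with their rDNS."""
    return [t for t in MASTER_CF if not helo_matches_rdns(t, ptr)]
```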
Buying certificates.
============= Dovecot =============
apt-get install dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-mysql dovecot-antispam
We configure mysql and install the packages themselves.
File "/etc/dovecot/conf.d/10-auth.conf"
disable_plaintext_auth = yes
auth_mechanisms = plain login
Authorization by login and password only.
File "/etc/dovecot/conf.d/10-mail.conf"
mail_location = maildir:/var/mail/vhosts/%d/%n
Here we specify where to store letters.
I want them stored in files and grouped by domain.
File "/etc/dovecot/conf.d/10-master.conf"
service imap-login {
inet_listener imap {
port = 0
}
inet_listener imaps {
address = XX.XX.XX.X1, XX.XX.XX.X2, XX.XX.XX.X5, [XXXX:XXXX:XXXX:XXXX:1:1:1:1], [XXXX:XXXX:XXXX:XXXX:1:2:1:1], [XXXX:XXXX:XXXX:XXXX:1:1:5:1]
port = 993
ssl = yes
}
}
service pop3-login {
inet_listener pop3 {
port = 0
}
inet_listener pop3s {
address = XX.XX.XX.X1, XX.XX.XX.X2, XX.XX.XX.X5, [XXXX:XXXX:XXXX:XXXX:1:1:1:1], [XXXX:XXXX:XXXX:XXXX:1:2:1:1], [XXXX:XXXX:XXXX:XXXX:1:1:5:1]
port = 995
ssl = yes
}
}
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
mode = 0600
user = postfix
group = postfix
}
}
service imap {
}
service pop3 {
}
service auth {
unix_listener auth-userdb {
mode = 0600
user = vmail
}
unix_listener /var/spool/postfix/private/auth {
mode = 0666
user = postfix
group = postfix
}
user = dovecot
}
service auth-worker {
user = vmail
}
service dict {
unix_listener dict {
}
}
This is the main dovecot configuration file.
Here we disable insecure connections.
And enable secure connections.
File "/etc/dovecot/conf.d/10-ssl.conf"
ssl = required
ssl_cert = </etc/nginx/ssl/domain1.com.2018.chained.crt
ssl_key = </etc/nginx/ssl/domain1.com.2018.key
local XX.XX.XX.X5 {
ssl_cert = </etc/nginx/ssl/domain2.com.2018.chained.crt
ssl_key = </etc/nginx/ssl/domain2.com.2018.key
}
Configure ssl. We specify that ssl is required.
And the certificate itself. An important point is the "local" directive. It specifies which SSL certificate to use when a client connects to a particular local IPv4 address.
By the way, IPv6 is not configured here; I'll fix this omission later.
XX.XX.XX.X5 (domain2) - no certificate. To connect clients you need to specify domain1.com.
XX.XX.XX.X2 (domain3) - has a certificate; you can specify domain1.com or domain3.com to connect clients.
File "/etc/dovecot/conf.d/15-lda.conf"
protocol lda {
mail_plugins = $mail_plugins sieve
}
This will be needed for spamassassin later.
File "/etc/dovecot/conf.d/20-imap.conf"
protocol imap {
mail_plugins = $mail_plugins antispam
}
This is the antispam plugin. It is needed for training spamassassin when moving letters to/from the "Spam" folder.
File "/etc/dovecot/conf.d/20-pop3.conf"
protocol pop3 {
}
There is simply such a file.
File "/etc/dovecot/conf.d/20-lmtp.conf"
protocol lmtp {
mail_plugins = $mail_plugins sieve
postmaster_address = [email protected]
}
Configuring lmtp.
File "/etc/dovecot/conf.d/90-antispam.conf"
plugin {
antispam_backend = pipe
antispam_trash = Trash;trash
antispam_spam = Junk;Spam;SPAM
antispam_pipe_program_spam_arg = --spam
antispam_pipe_program_notspam_arg = --ham
antispam_pipe_program = /usr/bin/sa-learn
antispam_pipe_program_args = --username=%Lu
}
The spamassassin training setting for moving letters to/from the Spam folder.
File "/etc/dovecot/conf.d/90-sieve.conf"
plugin {
sieve = ~/.dovecot.sieve
sieve_dir = ~/sieve
sieve_after = /var/lib/dovecot/sieve/default.sieve
}
A file that specifies what to do with incoming letters.
File "/var/lib/dovecot/sieve/default.sieve"
require ["fileinto", "mailbox"];
if header :contains "X-Spam-Flag" "YES" {
fileinto :create "Spam";
}
You need to compile the file: "sievec default.sieve".
File "/etc/dovecot/conf.d/auth-sql.conf.ext"
passdb {
driver = sql
args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
driver = static
args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
}
Specify the sql file for authorization.
And the file itself is used as the authorization method.
File "/etc/dovecot/dovecot-sql.conf.ext"
driver = mysql
connect = host=127.0.0.1 dbname=servermail user=usermail password=password
default_pass_scheme = SHA512-CRYPT
password_query = SELECT email as user, password FROM virtual_users WHERE email='%u';
This corresponds to the similar settings for postfix.
File "/etc/dovecot/dovecot.conf"
protocols = imap lmtp pop3
listen = *, ::
dict {
}
!include conf.d/*.conf
!include_try local.conf
Main configuration file.
The important thing we specify here is adding the protocols.
============= SpamAssassin =============
apt-get install spamassassin spamc
Install the packages.
adduser spamd --disabled-login
Add a user on whose behalf it will run.
systemctl enable spamassassin.service
Enable the spamassassin service to start on boot.
File "/etc/default/spamassassin":
CRON=1
This enables automatic updating of the blocking rules.
File "/etc/spamassassin/local.cf":
report_safe 0
use_bayes 1
bayes_auto_learn 1
bayes_auto_expire 1
bayes_store_module Mail::SpamAssassin::BayesStore::MySQL
bayes_sql_dsn DBI:mysql:sa:localhost:3306
bayes_sql_username sa
bayes_sql_password password
You need to create a database "sa" in mysql with the user "sa" and the password "password" (replace it with something suitable).
report_safe - whether to send a report about the spam email instead of the letter itself.
use_bayes is the spamassassin machine-learning setting.
The other spamassassin settings were used earlier in the article.
============= Request to the community =============
I also want to put an idea to the community about raising the level of security of transmitted letters, since I have dived so deeply into the topic of mail.
So that the user can create a key pair on their client (outlook, thunderbird, browser plugin, ...). Public and private. The public key is published in DNS. The private key is kept on the client. The mail server could use the public key to send to a specific recipient.
And to protect against spam with such letters (yes, the mail server will not be able to see the contents), 3 rules need to be introduced:
- Mandatory real DKIM signature, mandatory SPF, mandatory rDNS.
- A neural network for antispam training, plus a database for it, on the client side.
- The signing algorithm must be such that the sending side has to spend 100 times more CPU power on the signature than the receiving side.
In addition to public letters, develop a standard proposal letter "to start secure communication". One of the users (mailbox) sends a letter with an attachment to another mailbox. The letter contains a text proposal to start a secure channel for correspondence and the public key of the mailbox owner (with the private key on the client side).
You can even make dedicated keys for each correspondence. The recipient can accept this offer and send their own public key (also made specially for this correspondence). Next, the first user sends a service control letter (encrypted with the public key of the second user); on receiving it, the second user can consider the communication channel reliable. Next, the second user sends a control letter, and then the first user can also consider the channel secure.
To counter interception of keys along the way, the protocol must provide for the possibility of transmitting at least one public key using a flash drive.
And the most important thing, so that it all works (the question "who pays for it?"):
Entry-level certificates starting at $10 for 3 years. They would allow the sender to indicate in dns "my public keys are there". And they would give you the opportunity to initiate secure communication. At the same time, accepting such communication is free.
gmail finally monetizes its users. For $10 per 3 years - the right to create secure communication.
============= Conclusion =============
To test the whole article, I was going to rent a dedicated server for a month and buy a domain with an SSL certificate.
But life circumstances turned out such that this issue dragged on for 2 months.
And so, when I had some free time again, I decided to publish the article as is, rather than risk the publication dragging on for another year.
If there are a lot of questions like "but this is not described in enough detail", then maybe there will be the strength to take a dedicated server with a new domain and a new SSL certificate, describe everything in even more detail and, most importantly, identify all the important information that is missing.
I would also like to receive feedback on the ideas about mail letters. If you like the idea, I will try to find the strength to write a draft for an rfc.
When copying large parts of the article, provide a link to this article.
When translating into any other language, provide a link to this article.
I will try to translate it into English myself and post a cross-link.
source: www.habr.com