Debian + Postfix + Dovecot + Multidomain + SSL + IPv6 + OpenVPN + Multi-interfaces + SpamAssassin-learning + Bind

This article is about how to set up a modern mail server.
Postfix + Dovecot. SPF + DKIM + rDNS. With IPv6.
With TLS encryption. With support for multiple domains, some of them with a real SSL certificate.
With antispam protection and a high antispam rating from other mail servers.
With support for several physical interfaces.
With OpenVPN, which is connected to over IPv4 and which provides IPv6.

If you do not want to learn all these technologies, but you need to set up such a server, then this article is for you.

The article does not try to explain everything. The explanation covers what is configured in a non-standard way or what is important from the user's point of view.

The motivation for setting up a mail server: it has been my dream for a long time. This may sound silly, but IMHO it is better than dreaming about a new car from your favourite brand.

There are two motivations for setting up IPv6. An IT specialist has to keep learning new technologies in order to survive. And I want to make my modest contribution to the fight against censorship.

The motivation for setting up OpenVPN is only to get IPv6 working on the local machine.
The motivation for setting up several physical interfaces is that my server has one interface that is "slow but unlimited" and another that is "fast but metered".

The motivation for the Bind setup is that my ISP provides an unstable DNS server, and Google also fails sometimes. I want a stable DNS server for my own use.

The motivation for writing the article: I wrote the document 10 months ago, and I have already looked it up twice since. If the author keeps needing it, there is a good chance others will need it too.

There is no universal solution for a mail server. But I will try to write something like "do this, and then, when everything works as it should, throw away the extra parts."

The company tech.ru provides a colocation server. It can be compared with OVH, Hetzner, AWS. For solving this problem, working with tech.ru turned out to be much more effective.

Debian 9 is installed on the server.

The server has 2 interfaces, `eno1` and `eno2`. The first is unlimited and the second is fast, respectively.

There are 3 static IP addresses: XX.XX.XX.X0, XX.XX.XX.X1 and XX.XX.XX.X2 on the `eno1` interface, and XX.XX.XX.X5 on the `eno2` interface.

There is a pool of IPv6 addresses XXXX:XXXX:XXXX:XXXX::/64 assigned to the `eno1` interface, and from it XXXX:XXXX:XXXX:XXXX:1:2::/96 was assigned to `eno2` at my request.

There are 3 domains: `domain1.com`, `domain2.com`, `domain3.com`. There is an SSL certificate for `domain1.com` and for `domain3.com`.

I have a Google account to which I want to attach the mailbox `[email protected]` (receiving mail and sending mail directly from the gmail interface).
There must be a mailbox `[email protected]`, a copy of whose mail I want to see in my gmail. And, rarely, to be able to send something on behalf of `[email protected]` through a web interface.

There must be a mailbox `[email protected]`, which Ivanov will use from his iPhone.

Outgoing mail must meet all current antispam requirements.
There must be the highest level of encryption available on public networks.
There must be IPv6 support for both sending and receiving mail.
There must be a SpamAssassin that never deletes mail. It may either bounce a message, or let it through, or deliver it to the IMAP "Spam" folder.
SpamAssassin auto-learning must be configured: if I move a message into the Spam folder, it learns from that; if I move a message out of the Spam folder, it learns from that. The result of SpamAssassin's training must influence whether a message ends up in the Spam folder.
PHP scripts must be able to send mail on behalf of any domain on this server.
There must be an openvpn service, with the ability to use IPv6 on a client that has no IPv6.

First you need to configure the interfaces and the routing, including IPv6.
Then you will need to configure OpenVPN, which is connected to over IPv4 and gives the client a static real IPv6 address. That client will be able to reach all IPv6 services on the server and any IPv6 resources on the Internet.
Then you will need to configure Postfix for sending mail + SPF + DKIM + rDNS and other small things like that.
Then you will need to configure Dovecot and set up Multidomain.
Then you will need to configure SpamAssassin and set up its training.
Finally, install Bind.

============= Multi-interfaces ==============

To configure the interfaces, you need to write the following in "/etc/network/interfaces".

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eno1
iface eno1 inet static
        address XX.XX.XX.X0/24
        gateway XX.XX.XX.1
        dns-nameservers 127.0.0.1 213.248.1.6
        post-up ip route add XX.XX.XX.0/24 dev eno1 src XX.XX.XX.X0 table eno1t
        post-up ip route add default via XX.XX.XX.1 table eno1t
        post-up ip rule add table eno1t from XX.XX.XX.X0
        post-up ip rule add table eno1t to XX.XX.XX.X0

auto eno1:1
iface eno1:1 inet static
address XX.XX.XX.X1
netmask 255.255.255.0
        post-up ip rule add table eno1t from XX.XX.XX.X1
        post-up ip rule add table eno1t to XX.XX.XX.X1
        post-up   ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t
        post-down ip route del 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t

auto eno1:2
iface eno1:2 inet static
address XX.XX.XX.X2
netmask 255.255.255.0
        post-up ip rule add table eno1t from XX.XX.XX.X2
        post-up ip rule add table eno1t to XX.XX.XX.X2

iface eno1 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:1::/64
        gateway XXXX:XXXX:XXXX:XXXX::1
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:2/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:1:1:2/64 dev $IFACE

# The secondary network interface
allow-hotplug eno2
iface eno2 inet static
        address XX.XX.XX.X5
        netmask 255.255.255.0
        post-up   ip route add XX.XX.XX.0/24 dev eno2 src XX.XX.XX.X5 table eno2t
        post-up   ip route add default via XX.XX.XX.1 table eno2t
        post-up   ip rule add table eno2t from XX.XX.XX.X5
        post-up   ip rule add table eno2t to XX.XX.XX.X5
        post-up   ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X5 table eno2t
        post-down ip route del 10.8.0.0/24 dev tun0 src XX.XX.XX.X5 table eno2t

iface eno2 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:2::/96
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:2:1:1/64 dev $IFACE
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:2:1:2/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:2:1:1/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:2:1:2/64 dev $IFACE

# OpenVPN network
iface tun0 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:3::/80

These settings can be applied on any server at tech.ru (with a little coordination with support) and will immediately work as they should.

If you have experience configuring similar things at Hetzner or OVH, it is different there. And more complicated.

eno1 is the name of network card #1 (slow but unlimited).
eno2 is the name of network card #2 (fast, but metered).
tun0 is the name of the virtual network card created by OpenVPN.
XX.XX.XX.X0 - IPv4 #1 on eno1.
XX.XX.XX.X1 - IPv4 #2 on eno1.
XX.XX.XX.X2 - IPv4 #3 on eno1.
XX.XX.XX.X5 - IPv4 #1 on eno2.
XX.XX.XX.1 - IPv4 gateway.
XXXX:XXXX:XXXX:XXXX::/64 - IPv6 of the whole server.
XXXX:XXXX:XXXX:XXXX:1:2::/96 - IPv6 for eno2; everything else coming from outside goes to eno1.
XXXX:XXXX:XXXX:XXXX::1 - IPv6 gateway (it is worth knowing that this can/should be done differently: specify the IPv6 switch).
dns-nameservers - 127.0.0.1 is listed (because bind is installed locally) and 213.248.1.6 (this one is from tech.ru).

"table eno1t" and "table eno2t" - the meaning of these routing rules is that traffic that came in through eno1 goes back out through eno1, and traffic that came in through eno2 goes back out through eno2. Connections initiated by the server itself go out through eno1.

ip route add default via XX.XX.XX.1 table eno1t

With this command we specify that any traffic not matched by anything else, but falling under a rule marked "table eno1t", is sent out through the eno1 interface.

ip route add XX.XX.XX.0/24 dev eno1 src XX.XX.XX.X0 table eno1t

With this command we specify that any traffic initiated by the server is directed to the eno1 interface.

ip rule add table eno1t from XX.XX.XX.X0
ip rule add table eno1t to XX.XX.XX.X0

With these commands we add the rules that send traffic from and to this address through that table.

auto eno1:2
iface eno1:2 inet static
address XX.XX.XX.X2
netmask 255.255.255.0
        post-up ip rule add table eno1t from XX.XX.XX.X2
        post-up ip rule add table eno1t to XX.XX.XX.X2

This block describes the second IPv4 address of the eno1 interface.

ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t

With this command we set the route from OpenVPN clients to the local IPv4 addresses other than XX.XX.XX.X0.
I still have not understood why this one command is enough for all the IPv4 addresses.

iface eno1 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:1::/64
        gateway XXXX:XXXX:XXXX:XXXX::1

Here we set the address of the interface itself. The server uses it as its "outgoing" address. It is not used in any other way.

Why is ":1:1::" so complicated? So that OpenVPN works correctly, and only for that. More on this later.

As for the gateway: this is how it works, and that is fine. But the correct way is to specify here the IPv6 address of the switch to which the server is connected.

However, for some reason IPv6 stops working when I do that. This is probably some kind of tech.ru problem.

ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE

This adds an IPv6 address to the interface. If you need a hundred addresses, that means a hundred lines in this file.

iface eno1 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:1::/64
...
iface eno2 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:2::/96
...
iface tun0 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:3::/80

I have listed the addresses and subnets of all the interfaces for clarity.
eno1 - must be "/64", because this is our whole pool of addresses.
tun0 - the subnet must be longer than eno1's. Otherwise it will not be possible to configure an IPv6 gateway for the OpenVPN clients.
eno2 - the subnet must be longer than tun0's. Otherwise the OpenVPN clients will not be able to reach the local IPv6 addresses.
For clarity I chose a subnet step of 16 bits, but if you want, the step can be different.
Hence 64+16 = 80, and 80+16 = 96.

For even more clarity:
XXXX:XXXX:XXXX:XXXX:1:1:YYYY:YYYY addresses should be assigned to specific sites or services on the eno1 interface.
XXXX:XXXX:XXXX:XXXX:1:2:YYYY:YYYY addresses should be assigned to specific sites or services on the eno2 interface.
XXXX:XXXX:XXXX:XXXX:1:3:YYYY:YYYY addresses should be assigned to OpenVPN clients or used as OpenVPN service addresses.

To configure the network, it must be possible to reboot the server.
IPv4 changes are applied when this is executed (be sure to wrap it in screen, otherwise the command will simply break the network on the server):

/etc/init.d/networking restart

Add to the end of the file "/etc/iproute2/rt_tables":

100 eno1t
101 eno2t

Without this, you cannot use custom tables in the "/etc/network/interfaces" file.
The numbers must be unique and below 65535.

IPv6 changes can easily be applied without a reboot, but to do that you need to learn at least three commands:

ip -6 addr ...
ip -6 route ...
ip -6 neigh ...

Configuring "/etc/sysctl.conf"

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward = 1

# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0

# For receiving ARP replies
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.default.arp_filter = 0

# For sending ARP
net.ipv4.conf.all.arp_announce = 0
net.ipv4.conf.default.arp_announce = 0

# Enable IPv6
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0

# IPv6 configuration
net.ipv6.conf.all.autoconf = 1
net.ipv6.conf.all.accept_ra = 0

# For OpenVPN
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.proxy_ndp = 1

# For nginx on boot
net.ipv6.ip_nonlocal_bind = 1

These are the "sysctl" settings of my server. Let me point out a few important ones.

net.ipv4.ip_forward = 1

Without this, OpenVPN does not work at all.

net.ipv6.ip_nonlocal_bind = 1

Anyone who tries to bind an IPv6 address (for example nginx) immediately after the interface comes up gets an error saying that the address is not available.
This setting is there to avoid such situations.

net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.proxy_ndp = 1

Without these IPv6 settings, traffic from an OpenVPN client does not get out to the world.

The remaining settings are either irrelevant, or I do not remember what they are for.
But just in case, I leave them "as is".

For changes to this file to take effect without rebooting the server, you need to run the command:

sysctl -p

More information about "table" rules: habr.com/post/108690

============= OpenVPN ==============

OpenVPN over IPv4 does not work without iptables.

My iptables rules for the VPN look like this:

iptables -A INPUT -p udp -s YY.YY.YY.YY --dport 1194 -j ACCEPT
iptables -A FORWARD -i tun0 -o eno1 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j SNAT --to-source XX.XX.XX.X0
##iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j DROP
iptables -A FORWARD -p udp --dport 1194 -j DROP

YY.YY.YY.YY is the static IPv4 address of my local machine.
10.8.0.0/24 - the IPv4 openvpn network. IPv4 addresses for openvpn clients.
The order of the rules is important.

iptables -A INPUT -p udp -s YY.YY.YY.YY --dport 1194 -j ACCEPT
iptables -A FORWARD -i tun0 -o eno1 -j ACCEPT
...
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j DROP
iptables -A FORWARD -p udp --dport 1194 -j DROP

This restricts things so that only I can use OpenVPN, from my static IP.

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j SNAT --to-source XX.XX.XX.X0
  -- or --
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j MASQUERADE

To forward IPv4 packets between the OpenVPN clients and the Internet, you need to add one of these two commands.

In some situations one of the options is not suitable.
In my case both commands work.
After reading the documentation, I chose the first option because it uses less CPU.

For all the iptables settings to survive a reboot, you need to save them somewhere.

iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

These names are not chosen by accident. They are the ones used by the "iptables-persistent" package.

apt-get install iptables-persistent

Installing the main OpenVPN packages:

apt-get install openvpn easy-rsa

Let's set up the certificate template (substitute your own values):

make-cadir ~/openvpn-ca
cd ~/openvpn-ca
ln -s openssl-1.0.0.cnf openssl.cnf

Let's edit the certificate template settings:

mcedit vars

...
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="RU"
export KEY_PROVINCE="Krasnodar"
export KEY_CITY="Dinskaya"
export KEY_ORG="Own"
export KEY_EMAIL="[email protected]"
export KEY_OU="VPN"

# X509 Subject Field
export KEY_NAME="server"
...

Create the server certificate:

cd ~/openvpn-ca
source vars
./clean-all
./build-ca
./build-key-server server
./build-dh
openvpn --genkey --secret keys/ta.key

Let's prepare everything needed to generate the final "client-name.ovpn" files:

mkdir -p ~/client-configs/files
chmod 700 ~/client-configs/files
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
mcedit ~/client-configs/base.conf

# Client mode
client

# Interface tunnel type
dev tun

# TCP protocol
proto tcp-client

# Address/Port of VPN server
remote XX.XX.XX.X0 1194

# Don't bind to local port/address
nobind

# Don't need to re-read keys and re-create tun at restart
persist-key
persist-tun

# Remote peer must have a signed certificate
remote-cert-tls server
ns-cert-type server

# Enable compression
comp-lzo

# Custom
ns-cert-type server
tls-auth ta.key 1
cipher DES-EDE3-CBC

Let's prepare a script that combines all the files into a single ovpn file.

mcedit ~/client-configs/make_config.sh
chmod 700 ~/client-configs/make_config.sh

#!/bin/bash

# First argument: Client identifier

KEY_DIR=~/openvpn-ca/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

# Refuse to run without a client name; otherwise the script would look for "/.crt"
if [ -z "$1" ]; then
    echo "Usage: $0 client-name" >&2
    exit 1
fi

# Concatenate the base config with the inline <ca>, <cert>, <key> and <tls-auth> blocks
cat ${BASE_CONFIG} \
    <(echo -e '<ca>') \
    ${KEY_DIR}/ca.crt \
    <(echo -e '</ca>\n<cert>') \
    ${KEY_DIR}/${1}.crt \
    <(echo -e '</cert>\n<key>') \
    ${KEY_DIR}/${1}.key \
    <(echo -e '</key>\n<tls-auth>') \
    ${KEY_DIR}/ta.key \
    <(echo -e '</tls-auth>') \
    > ${OUTPUT_DIR}/${1}.ovpn

Generating the first OpenVPN client:

cd ~/openvpn-ca
source vars
./build-key client-name
cd ~/client-configs
./make_config.sh client-name

The file "~/client-configs/files/client-name.ovpn" is copied to the client device.

For iOS clients you need the following trick:
The contents of the "tls-auth" tag must be without comments.
And put "key-direction 1" immediately before the "tls-auth" tag.

Let's configure the OpenVPN server config:

cd ~/openvpn-ca/keys
cp ca.crt ca.key server.crt server.key ta.key dh2048.pem /etc/openvpn
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | tee /etc/openvpn/server.conf
mcedit /etc/openvpn/server.conf

# Listen port
port 1194

# Protocol
proto tcp-server

# IP tunnel
dev tun0
tun-ipv6
push tun-ipv6

# Master certificate
ca ca.crt

# Server certificate
cert server.crt

# Server private key
key server.key

# Diffie-Hellman parameters
dh dh2048.pem

# Allow clients to communicate with each other
client-to-client

# Client config dir
client-config-dir /etc/openvpn/ccd

# Run client-specific script on connection and disconnection
script-security 2
client-connect "/usr/bin/sudo -u root /etc/openvpn/server-clientconnect.sh"
client-disconnect "/usr/bin/sudo -u root /etc/openvpn/server-clientdisconnect.sh"

# Server mode and client subnets
server 10.8.0.0 255.255.255.0
server-ipv6 XXXX:XXXX:XXXX:XXXX:1:3::/80
topology subnet

# IPv6 routes
push "route-ipv6 XXXX:XXXX:XXXX:XXXX::/64"
push "route-ipv6 2000::/3"

# DNS (for Windows)
# These are OpenDNS
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

# Configure all clients to redirect their default network gateway through the VPN
push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway ipv6" #For iOS

# Don't need to re-read keys and re-create tun at restart
persist-key
persist-tun

# Ping every 10s. Timeout of 120s.
keepalive 10 120

# Enable compression
comp-lzo

# User and group
user vpn
group vpn

# Log a short status
status openvpn-status.log

# Logging verbosity
##verb 4

# Custom config
tls-auth ta.key 0
cipher DES-EDE3-CBC

This is needed to set a static address for each client (not required, but I use it):

# Client config dir
client-config-dir /etc/openvpn/ccd

The most complicated and important explanation.

Unfortunately, OpenVPN still does not know how to configure the IPv6 gateway for clients by itself.
You have to push it "by hand" to each client.

# Run client-specific script on connection and disconnection
script-security 2
client-connect "/usr/bin/sudo -u root /etc/openvpn/server-clientconnect.sh"
client-disconnect "/usr/bin/sudo -u root /etc/openvpn/server-clientdisconnect.sh"

File "/etc/openvpn/server-clientconnect.sh":

#!/bin/sh

# Check client variables
if [ -z "$ifconfig_pool_remote_ip" ] || [ -z "$common_name" ]; then
        echo "Missing environment variable."
        exit 1
fi

# Load server variables
. /etc/openvpn/variables

ipv6=""

# Find out if there is a specific config with fixed IPv6 for this client
if [ -f "/etc/openvpn/ccd/$common_name" ]; then
        # Get fixed IPv6 from client config file
        ipv6=$(sed -nr 's/^.*ifconfig-ipv6-push[ \t]+([0-9a-fA-F:]+).*$/\1/p' "/etc/openvpn/ccd/$common_name")
        echo $ipv6
fi

# Get IPv6 from IPv4
if [ -z "$ipv6" ]; then
        ipp=$(echo "$ifconfig_pool_remote_ip" | cut -d. -f4)
        if ! [ "$ipp" -ge 2 -a "$ipp" -le 254 ] 2>/dev/null; then
                echo "Invalid IPv4 part."
                exit 1
        fi
        hexipp=$(printf '%x' $ipp)
        ipv6="$prefix$hexipp"
fi

# Create proxy rule
/sbin/ip -6 neigh add proxy $ipv6 dev eno1

File "/etc/openvpn/server-clientdisconnect.sh":

#!/bin/sh

# Check client variables
if [ -z "$ifconfig_pool_remote_ip" ] || [ -z "$common_name" ]; then
        echo "Missing environment variable."
        exit 1
fi

# Load server variables
. /etc/openvpn/variables

ipv6=""

# Find out if there is a specific config with fixed IPv6 for this client
if [ -f "/etc/openvpn/ccd/$common_name" ]; then
        # Get fixed IPv6 from client config file
        ipv6=$(sed -nr 's/^.*ifconfig-ipv6-push[ \t]+([0-9a-fA-F:]+).*$/\1/p' "/etc/openvpn/ccd/$common_name")
fi

# Get IPv6 from IPv4
if [ -z "$ipv6" ]; then
        ipp=$(echo "$ifconfig_pool_remote_ip" | cut -d. -f4)
        if ! [ "$ipp" -ge 2 -a "$ipp" -le 254 ] 2>/dev/null; then
                echo "Invalid IPv4 part."
                exit 1
        fi
        hexipp=$(printf '%x' $ipp)
        ipv6="$prefix$hexipp"
fi

# Delete proxy rule
/sbin/ip -6 neigh del proxy $ipv6 dev eno1

Both scripts use the file "/etc/openvpn/variables":

# Subnet
prefix=XXXX:XXXX:XXXX:XXXX:2:
# netmask
prefixlen=112

I find it hard to remember why it is written like this.

Now netmask = 112 looks strange (it should be 96 there).
And the prefix is strange too: it does not match the tun0 network.
But okay, I will leave it as it is.
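The address-plan checks from the sections above (the nesting of the /64, /80 and /96 prefixes, the IPv4-to-IPv6 derivation that server-clientconnect.sh performs, and the mismatch between the variables file and tun0), as an added example that is not part of the original article. It assumes the documentation prefix 2001:db8:1:2::/64 in place of the masked XXXX pool; the function names are my own.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample plan; 2001:db8:1:2::/64 stands in for the masked
# XXXX:XXXX:XXXX:XXXX::/64 pool of the article.
PLAN: Dict[str, str] = {
    "eno1": "2001:db8:1:2:1:1::/64",   # whole pool, ":1:1::" outgoing address
    "tun0": "2001:db8:1:2:1:3::/80",   # server-ipv6 range for OpenVPN clients
    "eno2": "2001:db8:1:2:1:2::/96",   # range carved out for the second card
}

# Same pattern the connect script greps out of /etc/openvpn/ccd/<client>
CCD_RE = re.compile(r"^\s*ifconfig-ipv6-push\s+([0-9a-fA-F:]+)", re.M)


def check_plan(plan: Dict[str, str]) -> List[str]:
    """Return violations of the ordering rules the article requires:
    eno1 is the /64, tun0 is a longer prefix inside it, eno2 a longer one inside tun0."""
    problems: List[str] = []
    nets = {name: ipaddress.ip_interface(cidr).network for name, cidr in plan.items()}
    if nets["eno1"].prefixlen != 64:
        problems.append("eno1 must carry the whole /64 pool")
    for outer, inner in (("eno1", "tun0"), ("tun0", "eno2")):
        if nets[inner].prefixlen <= nets[outer].prefixlen:
            problems.append(f"{inner} prefix must be longer than {outer}")
        elif not nets[inner].subnet_of(nets[outer]):
            problems.append(f"{inner} is not inside {outer}")
    return problems


def client_ipv6(pool_remote_ip: str, prefix: str, ccd_text: str = "") -> str:
    """Mirror the connect script: a fixed ccd address wins, otherwise
    prefix + hex(last IPv4 octet); the octet must be in 2..254."""
    match = CCD_RE.search(ccd_text)
    if match:
        return str(ipaddress.ip_address(match.group(1)))
    last = int(pool_remote_ip.split(".")[3])
    if not 2 <= last <= 254:
        raise ValueError("Invalid IPv4 part.")
    return str(ipaddress.ip_address(prefix + format(last, "x")))


def check_variables(prefix: str, prefixlen: int, plan: Dict[str, str]) -> List[str]:
    """Check /etc/openvpn/variables against the plan: derived client addresses
    must land inside tun0 and must not collide with the eno2 range."""
    problems: List[str] = []
    tun0 = ipaddress.ip_interface(plan["tun0"]).network
    eno2 = ipaddress.ip_interface(plan["eno2"]).network
    if prefixlen != tun0.prefixlen:
        problems.append(f"prefixlen={prefixlen} but tun0 is /{tun0.prefixlen}")
    for octet in (2, 254):  # both ends of the 10.8.0.0/24 client pool
        addr = ipaddress.ip_address(client_ipv6(f"10.8.0.{octet}", prefix))
        if addr not in tun0:
            problems.append(f"10.8.0.{octet} -> {addr} is outside tun0 {tun0}")
        elif addr in eno2:
            problems.append(f"10.8.0.{octet} -> {addr} collides with eno2 {eno2}")
    return problems


if __name__ == "__main__":
    print("plan:", check_plan(PLAN) or "ok")
    # The article's own variables file: prefix ":2:" and prefixlen 112
    print("variables:", check_variables("2001:db8:1:2:2::", 112, PLAN) or "ok")
```

Running it with the article's prefix and prefixlen values reports both the /112 versus /80 mismatch and that the derived client addresses fall outside tun0.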

cipher DES-EDE3-CBC

This is not for everyone; it is the encryption method I chose for the connection.

Learn more about configuring OpenVPN IPv4.

Learn more about configuring OpenVPN IPv6.

============= Postfix =============

Install the main package:

apt-get install postfix

During installation, choose "internet site".

My "/etc/postfix/main.cf" looks like this:

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtp_bind_address = XX.XX.XX.X0
smtp_bind_address6 = XXXX:XXXX:XXXX:XXXX:1:1:1:1

smtp_tls_security_level = may
smtp_tls_ciphers = export
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_loglevel = 1

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = domain1.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = domain1.com
mydestination = localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4

internal_mail_filter_classes = bounce

# Storage type
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf

# SMTP-Auth settings
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        #reject_invalid_hostname,
        #reject_unknown_recipient_domain,
        reject_unauth_destination,
        reject_rbl_client sbl.spamhaus.org,
        check_policy_service unix:private/policyd-spf

smtpd_helo_restrictions =
        #reject_invalid_helo_hostname,
        #reject_non_fqdn_helo_hostname,
        reject_unknown_helo_hostname

smtpd_client_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_helo_hostname,
        permit

# SPF
policyd-spf_time_limit = 3600

# OpenDKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:var/run/opendkim/opendkim.sock

# IP address per domain
sender_dependent_default_transport_maps = pcre:/etc/postfix/sdd_transport.pcre

Let's look at the details of this config.

smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key

As Habr users say, this brochure contains "mistakes and inaccurate descriptions." Only 8 years after the start of my career did I begin to understand how SSL works.

Therefore I will take the liberty of explaining how to use SSL (without answering the questions "How does it work?" and "Why does it work?").

The basis of modern encryption is the creation of a pair of keys (two very long strings of characters).

One "key" is private, the other key is "public". We keep the private key very carefully secret. We hand out the public key to everyone.

Using the public key, you can encrypt a string of characters so that only the owner of the private key can decrypt it.
Well, that is the whole basis of the technology.

Step #1 - https sites.
When accessing a site, the browser learns from the web server that the site is https, and therefore requests the public key.
The web server hands out the public key. The browser uses the public key to encrypt the http request and sends it.
The contents of the http request can be read only by those who have the private key, that is, only by the server the request is addressed to.
The http request contains at least the URI. Therefore, if a country is trying to restrict access not to a whole site but to a specific page, this cannot be done for https sites.

Step #2 - the encrypted response.
The web server returns a response that can easily be read along the way.
The solution is very simple: the browser locally generates the same kind of private-public key pair for each https site.
And together with the request for the site's public key, it sends its own public key.
The web server remembers it and, when sending the http response, encrypts it with the public key of that particular client.
Now the http response can only be decrypted by the owner of the client's private key (that is, by the client itself).

Step #3 - establishing a secure connection over a public channel.
There is a vulnerability in the example above.
An intermediary would see in the clear the entire contents of the sent and received messages until the communication channel changes.
Dealing with this is very simple: just send the browser's public key as a message encrypted with the web server's public key.
The web server then first sends a response like "your public key is this one" and encrypts that message with the client's public key.
The browser checks the response: if the message "your public key is this one" is received, then this is a 100% guarantee that this communication channel is secure.
How secure?
The creation of this secure communication channel happens at the speed of ping * 2. For example, 20ms.
An attacker must already have the private key of one of the parties in advance. Or find the private key within a few milliseconds.
Cracking a modern private key takes decades on a supercomputer.

Step #4 - a public database of public keys.
Obviously, in this whole story there is an opportunity for an attacker to sit on the communication channel between the client and the server.
To the client he can pretend to be the server, and to the server he can pretend to be the client. And emulate a key pair in both directions.
Then the attacker will see all the traffic and will be able to "edit" the traffic.
For example, change the account number a payment goes to, or copy the password for online banking, or block "objectionable" content.
To fight such attackers, a public database with the public keys of every https site was invented.
Every browser "knows" about the existence of about 200 such databases. This comes pre-installed in every browser.
This "knowledge" is backed by the public key of each certificate. That is, the connection to each particular certification authority cannot be faked.

Now there is a simple understanding of how SSL is used for https.
If you use your head, it becomes clear that the special services can break something in this scheme. But it will cost them monstrous effort.
And organizations smaller than the NSA or CIA cannot break the existing level of protection, even for VIPs.

I will also add a note about ssh connections. There are no public databases of keys there, so what can you do? The issue is solved in two ways.
Option ssh-by-password:
During the first connection, the ssh client must warn that we have a new public key from the ssh server.
And on a later connection, if the warning "new public key from the ssh server" appears again, it means someone is trying to eavesdrop on you.
Or you were eavesdropped on during your first connection, but now you are talking to the server without intermediaries.
In fact, because the fact of wiretapping is revealed easily, quickly and without effort, this attack is only used in cases that matter for a specific target.

Option ssh-by-key:
We take a flash drive and write the key pair for the ssh server onto it (there are plenty of words and many important nuances about this, but I am writing an educational primer, not operating instructions).
We leave the public key on the machine where the ssh client will be, and we also keep it secret.
We bring the flash drive to the server, plug it in, copy the private key, then burn the flash drive and scatter the ashes to the wind (or format it with zeros).
That is it: after such an operation it will be impossible to break into the ssh connection. Yes, in 10 years it may be possible to read the traffic on a supercomputer, but that is a different story.

Sorry for the off-topic.

So now the theory is known. I will describe the flow of creating an SSL certificate.

Using "openssl genrsa" we create a private key and a "blank" for the public key.
We send the "blank" to a third-party company, which we pay about nine dollars for the simplest certificate.

After a few hours we receive our "public" key and a set of several more public keys from that third-party company.

Why a third-party company should be paid for registering my public key is a separate question; we will not consider it here.

Now it is clear what this entry means:

smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key

The "/etc/ssl" folder contains all files related to ssl.
domain1.com - the domain name.
2018 - the year the key was created.
"key" - a designation that the file is the private key.

And the meaning of this file:

smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
domain1.com - the domain name.
2018 - the year the key was created.
chained - a note that this is a chain of public keys (the first is our public key and all the others came from the company that issued it).
crt - a note that this is a finished certificate (a public key with technical descriptions).

smtp_bind_address = XX.XX.XX.X0
smtp_bind_address6 = XXXX:XXXX:XXXX:XXXX:1:1:1:1

This setting is not used in this article but is given as an example.

Because a mistake in this parameter will cause spam to be sent from your server (without your wanting it).

And then go prove to everyone that you are not to blame.

recipient_delimiter = +

Many may not know it, but this is a standard character in email addressing, and it is supported by most modern mail servers.

For example, if you have the mailbox "[email protected]", try sending to "[email protected]" - and see what comes of it.

inet_protocols = ipv4

This may be confusing.

But it is not. Each new domain is IPv4-only by default; I then enable IPv6 for each one separately.

virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf

Here we specify that all incoming mail goes to dovecot.
And the rules for domains, mailboxes and aliases - look them up in the database.

/etc/postfix/mysql-virtual-mailbox-domains.cf

user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT 1 FROM virtual_domains WHERE name='%s'

/etc/postfix/mysql-virtual-mailbox-maps.cf

user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT 1 FROM virtual_users WHERE email='%s'

/etc/postfix/mysql-virtual-alias-maps.cf

user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT destination FROM virtual_aliases WHERE source='%s'
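To see what these three queries actually decide for an incoming recipient, here is an added example (mine, not part of the original article): it builds an in-memory SQLite copy of the tables the queries imply, runs the three Postfix lookups plus the Dovecot password_query that appears later in the article, and shows how recipient_delimiter = + makes a sub-address such as box+test@domain1.com fall back to the box@domain1.com mailbox. The table layout, the sample rows and the {SHA512-CRYPT} placeholder are assumptions, since the article only shows the queries; SQLite stands in for MySQL, and a bound ? parameter replaces the %s / %u that Postfix and Dovecot substitute.

```python
import sqlite3

# Constructed table layout: the article's .cf files show only the queries,
# so this schema is an assumption about what those queries need.
SCHEMA = """
CREATE TABLE virtual_domains (
    id   INTEGER PRIMARY KEY,
    name TEXT NOT NULL UNIQUE
);
CREATE TABLE virtual_users (
    id        INTEGER PRIMARY KEY,
    domain_id INTEGER NOT NULL REFERENCES virtual_domains(id),
    email     TEXT NOT NULL UNIQUE,
    password  TEXT NOT NULL
);
CREATE TABLE virtual_aliases (
    id          INTEGER PRIMARY KEY,
    domain_id   INTEGER NOT NULL REFERENCES virtual_domains(id),
    source      TEXT NOT NULL,
    destination TEXT NOT NULL
);
-- Constructed sample rows. The password is a placeholder in the
-- {SCHEME}hash form Dovecot reads, not a real SHA512-CRYPT hash.
INSERT INTO virtual_domains VALUES (1, 'domain1.com');
INSERT INTO virtual_domains VALUES (2, 'domain2.com');
INSERT INTO virtual_users   VALUES (1, 1, 'box@domain1.com', '{SHA512-CRYPT}$6$PLACEHOLDER');
INSERT INTO virtual_aliases VALUES (1, 1, 'postmaster@domain1.com', 'box@domain1.com');
"""

# The queries from the three Postfix .cf files and from Dovecot's
# dovecot-sql.conf.ext, with the %s / %u substitution done by a bound
# parameter instead of string interpolation.
Q_DOMAIN   = "SELECT 1 FROM virtual_domains WHERE name=?"
Q_MAILBOX  = "SELECT 1 FROM virtual_users WHERE email=?"
Q_ALIAS    = "SELECT destination FROM virtual_aliases WHERE source=?"
Q_PASSWORD = "SELECT email AS user, password FROM virtual_users WHERE email=?"


def open_sample_db():
    """In-memory SQLite stand-in for the 'servermail' MySQL database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def split_recipient(address, delimiter="+"):
    """Split 'box+tag@domain' into ('box@domain', 'tag') the way
    recipient_delimiter makes Postfix do it: the local part is cut at the
    first delimiter and the domain part is never touched."""
    local, at, domain = address.rpartition("@")
    if not at:
        return address, ""
    base, sep, extension = local.partition(delimiter)
    if not sep or not base:
        return address, ""
    return f"{base}@{domain}", extension


def lookup_keys(address):
    """Keys tried in order: the full address, then the address with the
    extension stripped, then the bare '@domain' form (used by alias maps)."""
    base, extension = split_recipient(address)
    keys = [address]
    if extension:
        keys.append(base)
    domain = address.rpartition("@")[2]
    if domain:
        keys.append("@" + domain)
    return keys


def resolve_recipient(conn, address):
    """The acceptance decision the three maps give Postfix: the domain must be
    one of ours, and the recipient must then hit a mailbox or an alias.
    Returns the delivery address, or None (Postfix answers 'User unknown')."""
    domain = address.rpartition("@")[2]
    if conn.execute(Q_DOMAIN, (domain,)).fetchone() is None:
        return None                         # not a virtual domain of this server
    for key in lookup_keys(address):
        alias = conn.execute(Q_ALIAS, (key,)).fetchone()
        if alias:
            return alias[0]                 # alias wins and rewrites the recipient
        if conn.execute(Q_MAILBOX, (key,)).fetchone():
            return key                      # a real mailbox, handed to dovecot-lmtp
    return None


def dovecot_passdb_row(conn, login):
    """Dovecot's password_query: returns (user, password) or None. The
    password column is only fetched; Dovecot verifies the hash itself."""
    return conn.execute(Q_PASSWORD, (login,)).fetchone()
```

The point to take from it: the password never travels through Postfix at all, the alias table is consulted before the mailbox table, and an address in a domain that is not in virtual_domains is rejected before either of the other two queries runs.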

# SMTP-Auth settings
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

Now postfix knows that mail may be accepted for relaying only after authorization through dovecot.

I don't really understand why this is repeated here. We already specified everything needed in "virtual_transport".

But the postfix system is very old - this is probably a throwback from the old days.

smtpd_recipient_restrictions =
        ...

smtpd_helo_restrictions =
        ...

smtpd_client_restrictions =
        ...

This can be configured differently on each mail server.

I have 3 mail servers at my disposal, and these settings differ a lot on them because of different usage requirements.

You have to configure this carefully - otherwise spam will pour in on you, or even worse, spam will pour out from you.

# SPF
policyd-spf_time_limit = 3600

Configuring a separate plugin that checks the SPF of incoming letters.

# OpenDKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:var/run/opendkim/opendkim.sock

The settings are such that we must sign all outgoing letters with a DKIM signature.

# IP address per domain
sender_dependent_default_transport_maps = pcre:/etc/postfix/sdd_transport.pcre

This is an important thing for mail routing when letters are sent from PHP scripts.

The file "/etc/postfix/sdd_transport.pcre":

/^[email protected]$/ domain1:
/^[email protected]$/ domain2:
/^[email protected]$/ domain3:
/@domain1.com$/             domain1:
/@domain2.com$/             domain2:
/@domain3.com$/             domain3:

On the left are regular expressions. On the right is a label that marks the letters.
Postfix, according to the label, will take a few more configuration lines into account for that particular letter.

Exactly how postfix is configured for a particular letter will be shown in "master.cf".

Lines 4, 5, 6 are the main ones. For the domain we send mail from, we set this label.
But the "from" field is not always specified in PHP scripts in old code. Then the username comes to the rescue.

The article is already extensive - I'd rather not get sidetracked into setting up nginx + fpm.

In short, for each site we create its own linux user as owner. And accordingly its own fpm pool.

An fpm pool can use any version of php (it's great that on one server you can use different php versions and even different php.ini files for neighbouring sites without any problems).

So, the specific linux user "www-domain2" owns the site domain2.com. This site has code that sends letters without specifying the from field.

So even in this case the letters will be sent correctly and won't end up in spam.
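Here is an added example (mine, not the article's) that replays that routing decision offline: it parses a pcre table in the form above, applies first-match-wins, case-insensitive lookup the way Postfix does for pcre tables, and then reads the per-label smtp services from a master.cf fragment (the article's domain1 and domain2 entries, shown further down) to report which source address and HELO name a given envelope sender will leave with. The per-user patterns are redacted in the article, so the www-domainN usernames and the mail.example hostname are assumptions.

```python
import re

# Constructed stand-in for /etc/postfix/sdd_transport.pcre. The article's
# per-user lines are redacted, so the www-domainN usernames are an assumption:
# they are the linux users the sites' fpm pools run as.
SDD_TRANSPORT_PCRE = """\
/^www-domain1@/ domain1:
/^www-domain2@/ domain2:
/^www-domain3@/ domain3:
/@domain1.com$/             domain1:
/@domain2.com$/             domain2:
/@domain3.com$/             domain3:
"""

# The domain1/domain2 services from the article's master.cf (its XX
# placeholders kept): one smtp transport per label.
MASTER_CF = """\
domain1  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X1
   -o smtp_helo_name=domain1.com
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:1:1
   -o syslog_name=postfix-domain1

domain2  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X5
   -o smtp_helo_name=domain2.com
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:2:1:1
   -o syslog_name=postfix-domain2
"""


def parse_pcre_table(text):
    """Read '/pattern/ result' lines. Postfix matches pcre table patterns
    case-insensitively by default; flag suffixes are not handled here because
    the article's table has none."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"/(.*)/\s+(\S+)", line)
        if m is None:
            raise ValueError(f"unsupported table line: {line!r}")
        rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return rules


def lookup_transport(sender, rules):
    """First matching pattern wins, as in a Postfix table lookup. Returns the
    transport label, or None when Postfix would fall back to default_transport."""
    for pattern, label in rules:
        if pattern.search(sender):
            return label
    return None


def parse_master_cf(text):
    """Map each service name in a master.cf fragment to its '-o' overrides."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():           # a service entry starts in column 1
            current = line.split()[0]
            services[current] = {}
        elif line.strip().startswith("-o ") and current:
            key, _, value = line.strip()[3:].partition("=")
            services[current][key] = value
    return services


def route(sender, rules, services):
    """Where a message from `sender` leaves the box: the transport label and
    the source IPv4/IPv6 and HELO name master.cf assigns to that label."""
    label = lookup_transport(sender, rules)
    if label is None:
        return None
    opts = services.get(label.rstrip(":"), {})
    return {
        "transport": label,
        "ipv4": opts.get("smtp_bind_address"),
        "ipv6": opts.get("smtp_bind_address6"),
        "helo": opts.get("smtp_helo_name"),
    }


RULES = parse_pcre_table(SDD_TRANSPORT_PCRE)
SERVICES = parse_master_cf(MASTER_CF)
```

Two things worth checking in your own table with this: a sender that matches no pattern gets None here, which in Postfix means default_transport and therefore the default bind address and HELO, exactly the mismatch the article warns about; and the dots in the domain patterns are unescaped, so "@domain1.com$" also matches "@domain1-com" or "@domain1xcom". Escaping them ("@domain1\.com$") costs nothing and removes the ambiguity.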

My "/etc/postfix/master.cf" looks like this:

...
smtp      inet  n       -       y       -       -       smtpd
  -o content_filter=spamassassin
...
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
...
policyd-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/bin/policyd-spf

spamassassin unix -     n       n       -       -       pipe
    user=spamd argv=/usr/bin/spamc -f -e
    /usr/sbin/sendmail -oi -f ${sender} ${recipient}
...
domain1  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X1
   -o smtp_helo_name=domain1.com
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:1:1
   -o syslog_name=postfix-domain1

domain2  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X5
   -o smtp_helo_name=domain2.com
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:2:1:1
   -o syslog_name=postfix-domain2

domain3  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X2
   -o smtp_helo_name=domain3
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:5:1
   -o syslog_name=postfix-domain3

The file is not given in full - it is already very large.
I only noted what was changed.

smtp      inet  n       -       y       -       -       smtpd
  -o content_filter=spamassassin
...
spamassassin unix -     n       n       -       -       pipe
    user=spamd argv=/usr/bin/spamc -f -e
    /usr/sbin/sendmail -oi -f ${sender} ${recipient}

These are the settings related to spamassassin; more on it later.

submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

We allow connecting to the mail server via port 587.
To do so, you must log in.

policyd-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/bin/policyd-spf

Enable the SPF check.

apt-get install postfix-policyd-spf-python

Install the package for the SPF check above.
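policyd-spf does the real check; the added example below (mine, not from the article or from the policyd-spf project) shows what that check decides for the ip4/ip6 mechanisms a setup like this publishes, so you can predict how a receiver will treat mail from each of your bound addresses. The records and addresses are constructed from the documentation ranges; include:, a, mx, exists and redirect= are deliberately not handled.

```python
import ipaddress

# Constructed SPF records for the article's domains. Addresses come from the
# documentation ranges (192.0.2.0/24, 2001:db8::/32) standing in for the
# article's XX placeholders; a real deployment publishes its own.
SPF_RECORDS = {
    "domain1.com": "v=spf1 ip4:192.0.2.10 ip6:2001:db8:1::10 -all",
    "domain2.com": "v=spf1 ip4:192.0.2.0/28 ~all",
    "domain3.com": "v=spf1 -all",       # a domain that never sends mail
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, client_ip, records=SPF_RECORDS):
    """Simplified SPF (RFC 7208) evaluation for the mechanisms a setup like
    the article's publishes: ip4, ip6 and the closing 'all', each with an
    optional +/-/~/? qualifier. Returns one of 'none', 'pass', 'fail',
    'softfail', 'neutral'. include:, a, mx, exists and redirect= are not
    handled (a limit of this example, not of policyd-spf)."""
    record = records.get(domain)
    if record is None or record.split()[0] != "v=spf1":
        return "none"                       # no usable record: nothing to say
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                     # mechanisms default to '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]    # 'all' matches everything left
        mechanism, _, value = term.partition(":")
        if mechanism not in ("ip4", "ip6"):
            raise NotImplementedError(f"mechanism not handled here: {term}")
        network = ipaddress.ip_network(value, strict=False)
        if ip.version == network.version and ip in network:
            return QUALIFIERS[qualifier]    # first matching mechanism decides
    return "neutral"                        # nothing matched and no 'all' term
```

Note what the verdicts mean for the outbound side of this article: every bind address in master.cf (IPv4 and IPv6 alike) has to appear in the domain's record, or mail from that address evaluates to the qualifier on "all", and with "-all" that is a hard fail at the receiver.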

domain1  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X1
   -o smtp_helo_name=domain1.com
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:1:1
   -o syslog_name=postfix-domain1

And this is the most interesting part. This is the ability to send letters for a specific domain from a specific IPv4/IPv6 address.

This is done for the sake of rDNS. rDNS is the procedure of obtaining a name string by IP address.
And for mail, this feature is used to confirm that the helo exactly matches the rDNS of the address the email was sent from.

If the helo does not match the email domain on whose behalf the letter was sent, spam points are awarded.

If the helo does not match the rDNS - many spam points are awarded.
Accordingly, each domain must have its own IP address.
For OVH - rDNS can be specified in the console.
For tech.ru - the question is resolved through support.
For AWS, the question is resolved through support.
"inet_protocols" and "smtp_bind_address6" - we enable IPv6 support.
For IPv6 you also need to register rDNS.
"syslog_name" - and this is to make reading the logs easier.
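The same three conditions written down as a check, as an added example (mine, not the article's code): a constructed reverse and forward DNS view with documentation addresses stands in for the real resolver, and the function reports which of "no PTR", "PTR does not resolve back" and "HELO differs from PTR" a receiver would see. Running it with one IP for two domains shows why the article gives each domain its own address.

```python
import ipaddress

# Constructed DNS view standing in for the resolver: the reverse zone (PTR)
# and the forward A/AAAA records. Documentation addresses replace the
# article's XX placeholders.
PTR = {
    "192.0.2.10": "domain1.com",
    "192.0.2.11": "domain2.com",
    "2001:db8:1::10": "domain1.com",
    "192.0.2.13": "domain1.com",   # stale reverse entry: the name no longer points here
    # 192.0.2.12 deliberately has no PTR: rDNS never requested from the provider
}
FORWARD = {
    "domain1.com": {"192.0.2.10", "2001:db8:1::10"},
    "domain2.com": {"192.0.2.11"},
    "domain3.com": {"192.0.2.13"},
}


def check_helo(client_ip, helo, ptr=PTR, forward=FORWARD):
    """The three things the article says a receiver scores: is there a PTR,
    does the PTR name resolve back to the client IP (forward-confirmed rDNS),
    and does the HELO name equal the PTR name. Returns the set of problems
    found; an empty set means the connection is consistent."""
    client_ip = str(ipaddress.ip_address(client_ip))   # canonical text form
    helo = helo.lower().rstrip(".")                     # DNS names compare case-insensitively
    problems = set()
    rdns = ptr.get(client_ip)
    if rdns is None:
        problems.add("no_ptr")
    elif client_ip not in forward.get(rdns, set()):
        problems.add("fcrdns_mismatch")
    if rdns is not None and helo != rdns.lower():
        problems.add("helo_mismatch")
    if helo not in forward:
        problems.add("helo_unresolvable")
    elif client_ip not in forward[helo]:
        problems.add("helo_not_at_ip")
    return problems


def consistent_domains(ip, ptr=PTR, forward=FORWARD):
    """Which HELO names can a given source IP announce without any of the
    problems above? With correct rDNS the answer is exactly one name, which
    is why the article binds each domain's transport to its own address."""
    return {name for name in forward if not check_helo(ip, name, ptr, forward)}
```

The IPv6 case is included on purpose: the article enables smtp_bind_address6 per domain, and a v6 address without its own PTR fails the first check just as a v4 one does.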

I recommend buying certificates here.

Setting up postfix+dovecot, link here.

Setting up SPF.

============= Dovecot ==============

apt-get install dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-mysql dovecot-antispam

MySQL setup; installing the packages themselves.

File "/etc/dovecot/conf.d/10-auth.conf"

disable_plaintext_auth = yes
auth_mechanisms = plain login

Authorization only in encrypted form.

File "/etc/dovecot/conf.d/10-mail.conf"

mail_location = maildir:/var/mail/vhosts/%d/%n

Here we specify where the letters are stored.

I want them stored in files and grouped by domain.

File "/etc/dovecot/conf.d/10-master.conf"

service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    address = XX.XX.XX.X1, XX.XX.XX.X2, XX.XX.XX.X5, [XXXX:XXXX:XXXX:XXXX:1:1:1:1], [XXXX:XXXX:XXXX:XXXX:1:2:1:1], [XXXX:XXXX:XXXX:XXXX:1:1:5:1]
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    address = XX.XX.XX.X1, XX.XX.XX.X2, XX.XX.XX.X5, [XXXX:XXXX:XXXX:XXXX:1:1:1:1], [XXXX:XXXX:XXXX:XXXX:1:2:1:1], [XXXX:XXXX:XXXX:XXXX:1:1:5:1]
    port = 995
    ssl = yes
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
service imap {
}
service pop3 {
}
service auth {
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }

  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
  user = dovecot
}
service auth-worker {
  user = vmail
}
service dict {
  unix_listener dict {
  }
}

This is the main dovecot configuration file.
Here we disable the unsecured connections.
And enable the secure ones.

File "/etc/dovecot/conf.d/10-ssl.conf"

ssl = required
ssl_cert = </etc/nginx/ssl/domain1.com.2018.chained.crt
ssl_key = </etc/nginx/ssl/domain1.com.2018.key
local XX.XX.XX.X5 {
  ssl_cert = </etc/nginx/ssl/domain2.com.2018.chained.crt
  ssl_key =  </etc/nginx/ssl/domain2.com.2018.key
}

SSL setup. We specify that ssl is required.
And the certificate itself. And an important piece of information is the "local" directive. It specifies which SSL certificate to use when connecting to the given local IPv4.

By the way, IPv6 is not configured here; I'll fix this omission later.
XX.XX.XX.X5 (domain2) - no certificate. To connect clients you have to specify domain1.com.
XX.XX.XX.X2 (domain3) - there is a certificate; you can specify domain1.com or domain3.com to connect clients.

File "/etc/dovecot/conf.d/15-lda.conf"

protocol lda {
  mail_plugins = $mail_plugins sieve
}

This will be needed for spamassassin later.

File "/etc/dovecot/conf.d/20-imap.conf"

protocol imap {
  mail_plugins = $mail_plugins antispam
}

This is the antispam plugin. It is needed to train spamassassin when moving letters to/from the "Spam" folder.

File "/etc/dovecot/conf.d/20-pop3.conf"

protocol pop3 {
}

There is such a file.

File "/etc/dovecot/conf.d/20-lmtp.conf"

protocol lmtp {
  mail_plugins = $mail_plugins sieve
  postmaster_address = [email protected]
}

LMTP setup.

File "/etc/dovecot/conf.d/90-antispam.conf"

plugin {
  antispam_backend = pipe
  antispam_trash = Trash;trash
  antispam_spam = Junk;Spam;SPAM
  antispam_pipe_program_spam_arg = --spam
  antispam_pipe_program_notspam_arg = --ham
  antispam_pipe_program = /usr/bin/sa-learn
  antispam_pipe_program_args = --username=%Lu
}

Spamassassin training settings for moving letters to/from the Spam folder.

File "/etc/dovecot/conf.d/90-sieve.conf"

plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_after = /var/lib/dovecot/sieve/default.sieve
}

The file that describes what to do with incoming letters.

File "/var/lib/dovecot/sieve/default.sieve"

require ["fileinto", "mailbox"];

if header :contains "X-Spam-Flag" "YES" {
        fileinto :create "Spam";
}

You have to compile the file: "sievec default.sieve".

File "/etc/dovecot/conf.d/auth-sql.conf.ext"

passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
}

Specifying the sql files for authorization.
And the file itself is used as the authorization method.

File "/etc/dovecot/dovecot-sql.conf.ext"

driver = mysql
connect = host=127.0.0.1 dbname=servermail user=usermail password=password
default_pass_scheme = SHA512-CRYPT
password_query = SELECT email as user, password FROM virtual_users WHERE email='%u';

This corresponds to the analogous postfix settings.

File "/etc/dovecot/dovecot.conf"

protocols = imap lmtp pop3
listen = *, ::
dict {
}
!include conf.d/*.conf
!include_try local.conf

The main configuration file.
The important thing we specify here is the protocols we add.

============= SpamAssassin ==============

apt-get install spamassassin spamc

Install the packages.

adduser spamd --disabled-login

Add the user it will run as.

systemctl enable spamassassin.service

Enable automatic start of the spamassassin service at boot.

File "/etc/default/spamassassin":

CRON=1

Enabling automatic updates of the rules "by default".

File "/etc/spamassassin/local.cf":

report_safe 0

use_bayes          1
bayes_auto_learn   1
bayes_auto_expire  1
bayes_store_module Mail::SpamAssassin::BayesStore::MySQL
bayes_sql_dsn      DBI:mysql:sa:localhost:3306
bayes_sql_username sa
bayes_sql_password password

You have to create the database "sa" in mysql with user "sa" and password "password" (replace with something adequate).

report_safe - whether to send a report about the spam email instead of the letter.
use_bayes - the spamassassin machine learning settings.

The remaining spamassassin settings were used earlier in the article.

General "spamassassin" setup.
On moving new letters to the IMAP "Spam" folder.
On a simple combination of Dovecot + SpamAssassin.
I recommend reading the theory of spamassassin learning when moving letters between imap folders (and I don't recommend using it).

============= Putting the question to the community ==============

I'd also like to throw an idea to the community on how to increase the security of sent letters. Since I've dived so deep into the topic of mail.

Let the user create two keys on his client (outlook, thunderbird, browser plugin, ...). Public and private. Public - send to DNS. Private - keep on the client. Mail servers would then be able to use the public key to send to a specific recipient.

And to protect against spam in such letters (yes, the mail server won't be able to see the content) - you'd have to introduce 3 rules:

  1. Mandatory real DKIM signature, mandatory SPF, mandatory rDNS.
  2. A neural network on the subject of antispam training + its database on the client side.
  3. The encryption algorithm must be such that the sending side has to spend 100 times more CPU power on encryption than the receiving side.

In addition to open letters, create a standard proposal letter "let's start secure correspondence." One of the users (mailboxes) sends a letter with a link to another mailbox. The letter contains a text proposal to start a secure communication channel for correspondence and the public key of the mailbox owner (with the private key on the client side).

You can even create several keys specifically for each correspondence. The receiving user can accept this proposal and send his public key (also created specifically for this correspondence). Next, the first user sends a service control letter (encrypted with the second user's public key) - on receiving it, the second user can consider the established communication channel reliable. Next, the second user sends a control letter - and then the first user can also consider the established channel secure.

To combat interception of the keys in transit, the protocol must allow transferring at least the public key on a flash drive.

And the most important thing, so that all this works (the question is "who will pay for it?"):
Introduce mail certificates starting at ten dollars for three years. They let the sender indicate in dns that "my public keys are there." And they give you the ability to initiate a secure connection. At the same time, accepting such connections is free.
gmail finally monetizes its users. For $10 for three years - the right to create secure mail channels.

============= Conclusion =============

To test the whole article, I was going to rent a dedicated server for a month and buy a domain with an SSL certificate.

But life circumstances turned out such that this question dragged on for two months.
And so, when I had free time again, I decided to publish the article as it is, rather than risk the article dragging on for another year.

If there are many questions like "but this is not described in enough detail", then there may be the strength to take a dedicated server with a new domain and a new SSL certificate and describe it in more detail and, most importantly, find all the missing important information.

I'd also like to get feedback on the idea about mail certificates. If you like the idea, I'll try to find the strength to write a draft rfc.

When copying large parts of the article, give a link to this article.
When translating into another language, give a link to this article.
I'll try to translate it into English myself and leave cross-references.


Source: www.habr.com
