Debian + Postfix + Dovecot + Multidomain + SSL + IPv6 + OpenVPN + Multiple interfaces + SpamAssassin learning + Bind

This article is about how to set up a modern mail server.
Postfix + Dovecot. SPF + DKIM + rDNS. With IPv6.
With TLS encryption. With support for multiple domains, some of them with a real SSL certificate.
With anti-spam protection and a high anti-spam rating at other mail servers.
With support for several physical interfaces.
With OpenVPN, connected over IPv4, which provides IPv6.

If you do not want to learn all these technologies but do want to set up such a server, then this article is for you.

The article does not try to explain every detail. The explanation covers what is not configured in the standard way or what matters from the user's point of view.

Setting up a mail server has been my long-standing dream. This may sound silly, but IMHO it is much better than dreaming of a new car from your favourite brand.

There are two motivations for setting up IPv6. An IT specialist has to keep learning new technologies to survive. And I would like to make my contribution to the fight against censorship.

The motivation for setting up OpenVPN is only to get working IPv6 on the local machine.
The motivation for setting up several physical interfaces is that on my server I have one interface that is "slow but unlimited" and another that is "fast but metered".

The motivation for setting up Bind is that my ISP provides an unstable DNS server, and Google also fails sometimes. I want a stable DNS server for personal use.

The motivation for writing the article: I wrote a draft 10 months ago and have already looked at it twice. Even if the author needs it regularly, there is a high probability that others will need it too.

There is no universal solution for a mail server. But I will try to write something like "do this, and then, when everything works as it should, throw away the extra parts."

The server is on colocation at the company tech.ru. You can compare them with OVH, Hetzner, AWS. For this task, working with tech.ru turns out to be much more effective.

Debian 9 is installed on the server.

The server has 2 interfaces, 'eno1' and 'eno2'. The first is the unlimited one and the second is the fast one, respectively.

There are 3 static IP addresses: XX.XX.XX.X0, XX.XX.XX.X1 and XX.XX.XX.X2 on the 'eno1' interface and XX.XX.XX.X5 on the 'eno2' interface.

There is a pool of IPv6 addresses XXXX:XXX:XXX:XXX::/64 assigned to the 'eno1' interface, and from it XXXX:XXX:XXX:XXX:1:2::/96 was assigned to 'eno2' at my request.

There are 3 domains: `domain1.com`, `domain2.com`, `domain3.com`. There is an SSL certificate for `domain1.com` and `domain3.com`.

I have a Google account to which I would like to link the mailbox `[email protected]` (receiving mail and sending it directly from the gmail interface).
There must be a mailbox `[email protected]`, a copy of whose mail I want to see in my gmail. And occasionally it should be possible to send something as `[email protected]` through the web interface.

There must be a mailbox `[email protected]`, which Ivanov will use from his iPhone.

Outgoing mail must comply with all modern anti-spam requirements.
There must be the highest level of encryption offered on public networks.
There must be IPv6 support for both sending and receiving mail.
There must be a SpamAssassin that never deletes mail. It will either bounce a message, let it through, or deliver it to the IMAP "Spam" folder.
SpamAssassin auto-learning must be configured: if I move a message into the Spam folder, it learns from that; if I move a message out of the Spam folder, it learns from that. The results of SpamAssassin training must influence whether a message ends up in the Spam folder.
PHP scripts must be able to send mail on behalf of any domain on the server.
There must be an openvpn service, with the ability to use IPv6 on a client that has no IPv6.

First you need to set up the network and routing, including IPv6.
Then you need to set up OpenVPN, which will connect over IPv4 and give the client a real IPv6 address. This client will have access to all IPv6 services on the server and access to any IPv6 resource on the Internet.
Then you need to configure Postfix to send mail + SPF + DKIM + rDNS and other small things of that kind.
Then you need to set up Dovecot and configure Multidomain.
Then you need to set up SpamAssassin and configure its training.
Finally, install Bind.

============ Multiple interfaces ============

To set up the interfaces, write this in "/etc/network/interfaces".

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eno1
iface eno1 inet static
        address XX.XX.XX.X0/24
        gateway XX.XX.XX.1
        dns-nameservers 127.0.0.1 213.248.1.6
        post-up ip route add XX.XX.XX.0/24 dev eno1 src XX.XX.XX.X0 table eno1t
        post-up ip route add default via XX.XX.XX.1 table eno1t
        post-up ip rule add table eno1t from XX.XX.XX.X0
        post-up ip rule add table eno1t to XX.XX.XX.X0

auto eno1:1
iface eno1:1 inet static
        address XX.XX.XX.X1
        netmask 255.255.255.0
        post-up ip rule add table eno1t from XX.XX.XX.X1
        post-up ip rule add table eno1t to XX.XX.XX.X1
        post-up   ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t
        post-down ip route del 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t

auto eno1:2
iface eno1:2 inet static
        address XX.XX.XX.X2
        netmask 255.255.255.0
        post-up ip rule add table eno1t from XX.XX.XX.X2
        post-up ip rule add table eno1t to XX.XX.XX.X2

iface eno1 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:1::/64
        gateway XXXX:XXXX:XXXX:XXXX::1
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:2/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:1:1:2/64 dev $IFACE

# The secondary network interface
allow-hotplug eno2
iface eno2 inet static
        address XX.XX.XX.X5
        netmask 255.255.255.0
        post-up   ip route add XX.XX.XX.0/24 dev eno2 src XX.XX.XX.X5 table eno2t
        post-up   ip route add default via XX.XX.XX.1 table eno2t
        post-up   ip rule add table eno2t from XX.XX.XX.X5
        post-up   ip rule add table eno2t to XX.XX.XX.X5
        post-up   ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X5 table eno2t
        post-down ip route del 10.8.0.0/24 dev tun0 src XX.XX.XX.X5 table eno2t

iface eno2 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:2::/96
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:2:1:1/64 dev $IFACE
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:2:1:2/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:2:1:1/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:2:1:2/64 dev $IFACE

# OpenVPN network
iface tun0 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:3::/80

This configuration can be applied on any server at tech.ru (with a little coordination with their support) and it will immediately work as it should.

If you have experience setting up similar things at Hetzner or OVH, it is different there. More complicated.

eno1 is the name of network card #1 (slow but unlimited).
eno2 is the name of network card #2 (fast but metered).
tun0 is the name of the virtual OpenVPN network card.
XX.XX.XX.X0 - IPv4 #1 on eno1.
XX.XX.XX.X1 - IPv4 #2 on eno1.
XX.XX.XX.X2 - IPv4 #3 on eno1.
XX.XX.XX.X5 - IPv4 #1 on eno2.
XX.XX.XX.1 - IPv4 gateway.
XXXX:XXX:XXX:XXX::/64 - IPv6 of the whole server.
XXXX:XXX:XXXX:XXX:1:2::/96 - IPv6 for eno2; everything else coming from outside goes to eno1.
XXXX:XXXX:XXXX:XXX::1 - IPv6 gateway (it is worth noting that this can be done differently: specify the IPv6 of the switch).
dns-nameservers - 127.0.0.1 is specified (because bind is installed locally) and 213.248.1.6 (this one is from tech.ru).

"table eno1t" and "table eno2t" - the meaning of these routing rules is that traffic arriving through eno1 -> leaves through it, and traffic arriving through eno2 -> leaves through it. Connections initiated by the server itself go through eno1.

ip route add default via XX.XX.XX.1 table eno1t

With this command we specify that any traffic not matched otherwise, but falling under a rule marked "table eno1t", -> is sent out through interface eno1.

ip route add XX.XX.XX.0/24 dev eno1 src XX.XX.XX.X0 table eno1t

With this command we specify that any traffic initiated by the server itself must be routed through interface eno1.

ip rule add table eno1t from XX.XX.XX.X0
ip rule add table eno1t to XX.XX.XX.X0

With these commands we set the rules that mark the traffic.

auto eno1:2
iface eno1:2 inet static
        address XX.XX.XX.X2
        netmask 255.255.255.0
        post-up ip rule add table eno1t from XX.XX.XX.X2
        post-up ip rule add table eno1t to XX.XX.XX.X2

This section defines the second IPv4 address on interface eno1.

ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t

With this command we set the route from the OpenVPN clients to the local IPv4 addresses, except XX.XX.XX.X0.
I still do not understand why this one command is enough for all the IPv4 addresses.

iface eno1 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:1::/64
        gateway XXXX:XXXX:XXXX:XXXX::1

This is where we set the address of the interface itself. The server will use it as its "outgoing" address. It will not be used in any other way.

Why is ":1:1::" so complicated? Because OpenVPN works correctly only this way. More on that later.

On the subject of the gateway - this is how it works, and that is fine. But the correct way is to specify here the IPv6 address of the switch the server is connected to.

However, for some reason IPv6 stops working if I do that. This is probably some problem at tech.ru.

ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE

This adds an IPv6 address to the interface. If you need a hundred addresses, that means a hundred lines in this file.

iface eno1 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:1::/64
...
iface eno2 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:2::/96
...
iface tun0 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:3::/80

I specified the addresses and subnets on all interfaces for clarity.
eno1 - must be "/64", because this is our whole address range.
tun0 - its subnet must be narrower than eno1's (a larger prefix length). Otherwise it will not be possible to configure an IPv6 gateway for the OpenVPN clients.
eno2 - its subnet must be narrower than tun0's. Otherwise the OpenVPN clients will not be able to reach the local IPv6 addresses.
For clarity I chose a step of 16 between subnets, but if you want, the step can even be "1".
Accordingly, 64+16 = 80, and 80+16 = 96.

To make it even clearer:
XXXX:XXX:XXXX:XXX:1:1:YYY:YYY are addresses assigned to specific sites or services on the eno1 interface.
XXXX:XXX:XXXX:XXX:1:2:YYY:YYY are addresses assigned to specific sites or services on the eno2 interface.
XXXX:XXXX:XXX:XXX:1:3:YYY:YYY are addresses assigned to OpenVPN clients or used as addresses of the OpenVPN service.

To apply the network settings, you should reboot the server.
IPv4 changes are picked up when you run the following (be sure to run it inside screen, otherwise this command can simply take down the server's network):

/etc/init.d/networking restart

Add to the end of the file "/etc/iproute2/rt_tables":

100 eno1t
101 eno2t

Without this you cannot use the custom tables in the "/etc/network/interfaces" file.
The numbers must be unique and less than 65535.
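
As an added check that is not part of the original article, the following POSIX shell function validates an rt_tables file against exactly those conditions before the interfaces file relies on it: every id must be numeric, unique and below 65535, and every table name must be unique. The file path is a parameter so it can be run against a copy; the only assumption about the real /etc/iproute2/rt_tables is its "id name" line format with "#" comments.

```shell
#!/bin/sh
# Added example, not from the article: validate routing-table entries in an
# rt_tables file before /etc/network/interfaces refers to them.
# Rules checked: id numeric, id < 65535, id unique, name unique.
# Returns 0 when the file is clean, 1 otherwise (problems are printed).

check_rt_tables() {
    # Keep only "id name" pairs; drop comments and blank lines.
    parsed=$(sed -e 's/#.*$//' "$1" | awk 'NF == 2 { print $1, $2 }')
    status=0
    while read -r id name; do
        [ -z "$id" ] && continue
        case "$id" in
            *[!0-9]*) echo "non-numeric id '$id' for table $name"; status=1; continue ;;
        esac
        if [ "$id" -ge 65535 ]; then
            echo "id $id for table $name is not below 65535"; status=1
        fi
        # The reserved tables (0 unspec, 253 default, 254 main, 255 local)
        # live in the same file, so a clash with them is caught here too.
        if [ "$(printf '%s\n' "$parsed" | awk -v i="$id" '$1 == i { c++ } END { print c+0 }')" -ne 1 ]; then
            echo "id $id is used more than once"; status=1
        fi
        if [ "$(printf '%s\n' "$parsed" | awk -v n="$name" '$2 == n { c++ } END { print c+0 }')" -ne 1 ]; then
            echo "table name $name is used more than once"; status=1
        fi
    done <<EOF
$parsed
EOF
    return $status
}

# Usage: check_rt_tables /etc/iproute2/rt_tables && echo "rt_tables OK"
```

A duplicate id is the more dangerous of the two mistakes: "ip rule add table eno2t" resolves the name to a number, so two names sharing a number silently share one routing table.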

IPv6 changes can easily be applied without a reboot, but to do that you need to learn at least three commands:

ip -6 addr ...
ip -6 route ...
ip -6 neigh ...

Settings in "/etc/sysctl.conf"

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward = 1

# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0

# For receiving ARP replies
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.default.arp_filter = 0

# For sending ARP
net.ipv4.conf.all.arp_announce = 0
net.ipv4.conf.default.arp_announce = 0

# Enable IPv6
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0

# IPv6 configuration
net.ipv6.conf.all.autoconf = 1
net.ipv6.conf.all.accept_ra = 0

# For OpenVPN
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.proxy_ndp = 1

# For nginx on boot
net.ipv6.ip_nonlocal_bind = 1

These are the server's "sysctl" settings. Let me point out the important ones.

net.ipv4.ip_forward = 1

Without this, OpenVPN will not work at all.

net.ipv6.ip_nonlocal_bind = 1

Anything that tries to bind to an IPv6 address (for example nginx) immediately after the interface comes up will get an error saying that the address is not available.

This setting is made to avoid that situation.

net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.proxy_ndp = 1

Without these IPv6 settings, the OpenVPN clients' traffic does not get out to the world.

The other settings are either not relevant, or I do not remember what they are for.
But just in case, I leave them "as is".

To have the changes in this file picked up without rebooting the server, you need to run the command:

sysctl -p

More details on the "table" rules: habr.com/post/108690

============ OpenVPN ============

OpenVPN over IPv4 does not work without iptables.

My iptables for the VPN look like this:

iptables -A INPUT -p udp -s YY.YY.YY.YY --dport 1194 -j ACCEPT
iptables -A FORWARD -i tun0 -o eno1 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j SNAT --to-source XX.XX.XX.X0
##iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j DROP
iptables -A FORWARD -p udp --dport 1194 -j DROP

YY.YY.YY.YY is the static IPv4 address of my local machine.
10.8.0.0/24 - the openvpn IPv4 network, i.e. the IPv4 addresses of the openvpn clients.
The order of the rules is important.

iptables -A INPUT -p udp -s YY.YY.YY.YY --dport 1194 -j ACCEPT
iptables -A FORWARD -i tun0 -o eno1 -j ACCEPT
...
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j DROP
iptables -A FORWARD -p udp --dport 1194 -j DROP

This is a restriction so that only my static IP can use OpenVPN.

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j SNAT --to-source XX.XX.XX.X0
  -- or --
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j MASQUERADE

To forward IPv4 packets between the OpenVPN clients and the Internet, you need to add one of these two commands.

In some setups one of the options is not suitable.
Both commands are suitable in my case.
After reading the documentation, I chose the first option because it uses less CPU.

For all the iptables rules to be restored after a reboot, you need to save them somewhere.

iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

Such names were not chosen by accident. They are the ones used by the "iptables-persistent" package.

apt-get install iptables-persistent
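
Because the order of the rules decides whether the trusted address is let in before the general DROP, here is an added check (not from the article) that reads a saved rules.v4 file and confirms, for the INPUT chain, that the ACCEPT for the trusted source precedes the catch-all DROP on the VPN port and that the DROP is present at all. It parses iptables-save output, so it works on the file iptables-persistent restores; the address 203.0.113.5 used in the comments is a constructed stand-in for YY.YY.YY.YY.

```shell
#!/bin/sh
# Added example, not from the article: sanity-check the saved VPN rules.
# check_vpn_rule_order <rules.v4> <trusted IPv4> [port]
#   returns 0 -> the trusted ACCEPT comes before the catch-all DROP in INPUT
#   returns 1 -> a rule is missing, or the order would lock the trusted client out
check_vpn_rule_order() {
    file="$1"; trusted="$2"; port="${3:-1194}"
    # iptables-save writes e.g.
    #   -A INPUT -s 203.0.113.5/32 -p udp -m udp --dport 1194 -j ACCEPT
    accept=$(grep -n -- "^-A INPUT -s $trusted.*--dport $port .*-j ACCEPT" "$file" | head -n 1 | cut -d: -f1)
    # The catch-all DROP carries no -s; require that so a narrower DROP is not mistaken for it.
    drop=$(grep -n -- "^-A INPUT .*--dport $port .*-j DROP" "$file" | grep -v -- ' -s ' | head -n 1 | cut -d: -f1)
    if [ -z "$accept" ]; then
        echo "no ACCEPT for $trusted on udp/$port in INPUT"; return 1
    fi
    if [ -z "$drop" ]; then
        echo "no catch-all DROP on udp/$port: the VPN port is reachable from everywhere"; return 1
    fi
    if [ "$accept" -gt "$drop" ]; then
        echo "DROP (line $drop) precedes ACCEPT (line $accept): the trusted client is locked out"; return 1
    fi
    return 0
}

# Usage: check_vpn_rule_order /etc/iptables/rules.v4 YY.YY.YY.YY && echo "VPN rule order OK"
```

Run it after `iptables-save > /etc/iptables/rules.v4` and again after any edit to the file; the `RELATED,ESTABLISHED` rule may sit anywhere between the two without affecting the result.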

Installing the main OpenVPN package:

apt-get install openvpn easy-rsa

Let's create the certificate infrastructure (substitute your own values):

make-cadir ~/openvpn-ca
cd ~/openvpn-ca
ln -s openssl-1.0.0.cnf openssl.cnf

Let's edit the certificate template parameters:

mcedit vars

...
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="RU"
export KEY_PROVINCE="Krasnodar"
export KEY_CITY="Dinskaya"
export KEY_ORG="Own"
export KEY_EMAIL="[email protected]"
export KEY_OU="VPN"

# X509 Subject Field
export KEY_NAME="server"
...

Create the server certificate:

cd ~/openvpn-ca
source vars
./clean-all
./build-ca
./build-key-server server
./build-dh
openvpn --genkey --secret keys/ta.key

Let's prepare what is needed to generate the final "client-name.ovpn" files:

mkdir -p ~/client-configs/files
chmod 700 ~/client-configs/files
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
mcedit ~/client-configs/base.conf

# Client mode
client

# Interface tunnel type
dev tun

# TCP protocol
proto tcp-client

# Address/Port of VPN server
remote XX.XX.XX.X0 1194

# Don't bind to local port/address
nobind

# Don't need to re-read keys and re-create tun at restart
persist-key
persist-tun

# Remote peer must have a signed certificate
remote-cert-tls server
ns-cert-type server

# Enable compression
comp-lzo

# Custom
ns-cert-type server
tls-auth ta.key 1
cipher DES-EDE3-CBC

Let's prepare a script that merges all the files into a single ovpn file.

mcedit ~/client-configs/make_config.sh
chmod 700 ~/client-configs/make_config.sh

#!/bin/bash

# First argument: Client identifier

KEY_DIR=~/openvpn-ca/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

# Concatenate the base config with the CA cert, the client's cert and key,
# and the tls-auth key into one inline ovpn file named after the client.
cat ${BASE_CONFIG} \
    <(echo -e '<ca>') \
    ${KEY_DIR}/ca.crt \
    <(echo -e '</ca>\n<cert>') \
    ${KEY_DIR}/${1}.crt \
    <(echo -e '</cert>\n<key>') \
    ${KEY_DIR}/${1}.key \
    <(echo -e '</key>\n<tls-auth>') \
    ${KEY_DIR}/ta.key \
    <(echo -e '</tls-auth>') \
    > ${OUTPUT_DIR}/${1}.ovpn

Creating the first OpenVPN client:

cd ~/openvpn-ca
source vars
./build-key client-name
cd ~/client-configs
./make_config.sh client-name

The file "~/client-configs/files/client-name.ovpn" is sent to the client device.

For iOS clients you need to do the following trick:
the content of the "tls-auth" tag must be without comments,
and "key-direction 1" must be placed immediately before the "tls-auth" tag.

Let's set up the OpenVPN server:

cd ~/openvpn-ca/keys
cp ca.crt ca.key server.crt server.key ta.key dh2048.pem /etc/openvpn
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | tee /etc/openvpn/server.conf
mcedit /etc/openvpn/server.conf

# Listen port
port 1194

# Protocol
proto tcp-server

# IP tunnel
dev tun0
tun-ipv6
push tun-ipv6

# Master certificate
ca ca.crt

# Server certificate
cert server.crt

# Server private key
key server.key

# Diffie-Hellman parameters
dh dh2048.pem

# Allow clients to communicate with each other
client-to-client

# Client config dir
client-config-dir /etc/openvpn/ccd

# Run client-specific script on connection and disconnection
script-security 2
client-connect "/usr/bin/sudo -u root /etc/openvpn/server-clientconnect.sh"
client-disconnect "/usr/bin/sudo -u root /etc/openvpn/server-clientdisconnect.sh"

# Server mode and client subnets
server 10.8.0.0 255.255.255.0
server-ipv6 XXXX:XXXX:XXXX:XXXX:1:3::/80
topology subnet

# IPv6 routes
push "route-ipv6 XXXX:XXXX:XXXX:XXXX::/64"
push "route-ipv6 2000::/3"

# DNS (for Windows)
# These are OpenDNS
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

# Configure all clients to redirect their default network gateway through the VPN
push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway ipv6" #For iOS

# Don't need to re-read keys and re-create tun at restart
persist-key
persist-tun

# Ping every 10s. Timeout of 120s.
keepalive 10 120

# Enable compression
comp-lzo

# User and group
user vpn
group vpn

# Log a short status
status openvpn-status.log

# Logging verbosity
##verb 4

# Custom config
tls-auth ta.key 0
cipher DES-EDE3-CBC

This is needed to give each client a static address (not required, but I use it):

# Client config dir
client-config-dir /etc/openvpn/ccd

The most difficult and most important detail.

Unfortunately, OpenVPN still does not know how to configure an IPv6 gateway for its clients.
You have to push this "by hand" for each client.

# Run client-specific script on connection and disconnection
script-security 2
client-connect "/usr/bin/sudo -u root /etc/openvpn/server-clientconnect.sh"
client-disconnect "/usr/bin/sudo -u root /etc/openvpn/server-clientdisconnect.sh"

The file "/etc/openvpn/server-clientconnect.sh":

#!/bin/sh

# Check client variables
if [ -z "$ifconfig_pool_remote_ip" ] || [ -z "$common_name" ]; then
        echo "Missing environment variable."
        exit 1
fi

# Load server variables
. /etc/openvpn/variables

ipv6=""

# Find out if there is a specific config with fixed IPv6 for this client
if [ -f "/etc/openvpn/ccd/$common_name" ]; then
        # Get fixed IPv6 from client config file
        ipv6=$(sed -nr 's/^.*ifconfig-ipv6-push[ \t]+([0-9a-fA-F:]+).*$/\1/p' "/etc/openvpn/ccd/$common_name")
        echo $ipv6
fi

# Get IPv6 from IPv4
if [ -z "$ipv6" ]; then
        ipp=$(echo "$ifconfig_pool_remote_ip" | cut -d. -f4)
        if ! [ "$ipp" -ge 2 -a "$ipp" -le 254 ] 2>/dev/null; then
                echo "Invalid IPv4 part."
                exit 1
        fi
        hexipp=$(printf '%x' $ipp)
        ipv6="$prefix$hexipp"
fi

# Create proxy rule
/sbin/ip -6 neigh add proxy $ipv6 dev eno1

The file "/etc/openvpn/server-clientdisconnect.sh":

#!/bin/sh

# Check client variables
if [ -z "$ifconfig_pool_remote_ip" ] || [ -z "$common_name" ]; then
        echo "Missing environment variable."
        exit 1
fi

# Load server variables
. /etc/openvpn/variables

ipv6=""

# Find out if there is a specific config with fixed IPv6 for this client
if [ -f "/etc/openvpn/ccd/$common_name" ]; then
        # Get fixed IPv6 from client config file
        ipv6=$(sed -nr 's/^.*ifconfig-ipv6-push[ \t]+([0-9a-fA-F:]+).*$/\1/p' "/etc/openvpn/ccd/$common_name")
fi

# Get IPv6 from IPv4
if [ -z "$ipv6" ]; then
        ipp=$(echo "$ifconfig_pool_remote_ip" | cut -d. -f4)
        if ! [ "$ipp" -ge 2 -a "$ipp" -le 254 ] 2>/dev/null; then
                echo "Invalid IPv4 part."
                exit 1
        fi
        hexipp=$(printf '%x' $ipp)
        ipv6="$prefix$hexipp"
fi

# Delete proxy rule
/sbin/ip -6 neigh del proxy $ipv6 dev eno1

Both scripts use the file "/etc/openvpn/variables":

# Subnet
prefix=XXXX:XXXX:XXXX:XXXX:2:
# netmask
prefixlen=112

It is hard for me to remember why it was written this way.

Now netmask = 112 looks strange (it should be 96 right there).
And the prefix is also strange; it does not look like the tun0 network.
But okay, I leave it as it is.
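
The address derivation shared by the two scripts above and the "variables" file, factored into one function so it can be checked without a running OpenVPN. This is an added example, not the article's code: the prefix 2001:db8:0:1:1:3:: is a constructed documentation prefix standing in for the author's masked one (and, unlike the masked "XXXX:XXXX:XXXX:XXXX:2:" form, it yields a syntactically valid address when a hex group is appended), and the ccd directory is a parameter so a temporary one can be used. The returned address is what the connect script hands to `ip -6 neigh add proxy ... dev eno1`.

```shell
#!/bin/sh
# Added example, not part of the article: the per-client IPv6 computation
# of server-clientconnect.sh / server-clientdisconnect.sh as a function.
#
# client_ipv6 <pool IPv4> <common_name> <ccd_dir> <prefix>
#   Prints the IPv6 address to proxy-NDP for this client.
#   A fixed address in the client's ccd file (ifconfig-ipv6-push) wins;
#   otherwise the last IPv4 octet is reused, in hex, as the last IPv6 group.
#   Returns 1 for a common name that is not a plain file name, or for an
#   IPv4 whose last octet is outside .2-.254 (network, server and broadcast).
client_ipv6() {
    pool_ip="$1"; cn="$2"; ccd="$3"; prefix="$4"
    # OpenVPN sanitises common_name before exporting it, but the value is
    # used as a path component, so refuse anything with a slash or "..".
    case "$cn" in
        ''|*/*|..) echo "Refusing common name '$cn'." >&2; return 1 ;;
    esac
    ipv6=""
    if [ -f "$ccd/$cn" ]; then
        # Take the address part only; a trailing /prefixlen is not captured.
        ipv6=$(sed -n -E 's/^.*ifconfig-ipv6-push[[:space:]]+([0-9a-fA-F:]+).*$/\1/p' "$ccd/$cn")
    fi
    if [ -z "$ipv6" ]; then
        ipp=$(echo "$pool_ip" | cut -d. -f4)
        if ! [ "$ipp" -ge 2 ] 2>/dev/null || ! [ "$ipp" -le 254 ] 2>/dev/null; then
            echo "Invalid IPv4 part '$ipp'." >&2
            return 1
        fi
        ipv6="$prefix$(printf '%x' "$ipp")"
    fi
    printf '%s\n' "$ipv6"
}

# Usage inside a client-connect hook (prefix read from /etc/openvpn/variables):
#   addr=$(client_ipv6 "$ifconfig_pool_remote_ip" "$common_name" /etc/openvpn/ccd "$prefix") || exit 1
#   /sbin/ip -6 neigh add proxy "$addr" dev eno1
```

Because the hex group is derived from the pool address, a client that gets 10.8.0.10 is always reachable at prefix + "a", so the same function run from the disconnect hook removes exactly the proxy entry the connect hook added.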

cipher DES-EDE3-CBC

This is not for everyone; it is the connection cipher I chose.

Learn more about setting up OpenVPN over IPv4.

Learn more about setting up OpenVPN over IPv6.

============= Postfix ===============

Installing the main package:

apt-get install postfix

During installation, choose "Internet Site".

My "/etc/postfix/main.cf" looks like this:

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtp_bind_address = XX.XX.XX.X0
smtp_bind_address6 = XXXX:XXXX:XXXX:XXXX:1:1:1:1

smtp_tls_security_level = may
smtp_tls_ciphers = export
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_loglevel = 1

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = domain1.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = domain1.com
mydestination = localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4

internal_mail_filter_classes = bounce

# Storage type
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf

# SMTP-Auth settings
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        #reject_invalid_hostname,
        #reject_unknown_recipient_domain,
        reject_unauth_destination,
        reject_rbl_client sbl.spamhaus.org,
        check_policy_service unix:private/policyd-spf

smtpd_helo_restrictions =
        #reject_invalid_helo_hostname,
        #reject_non_fqdn_helo_hostname,
        reject_unknown_helo_hostname

smtpd_client_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_helo_hostname,
        permit

# SPF
policyd-spf_time_limit = 3600

# OpenDKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:var/run/opendkim/opendkim.sock

# IP address per domain
sender_dependent_default_transport_maps = pcre:/etc/postfix/sdd_transport.pcre

Let's look at the details of this configuration.

smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key

According to the Habr readers, this section contains "misinformation and wrong things". Only 8 years after the start of my career did I begin to understand how SSL works.

Therefore I will take the liberty of explaining how to use SSL (without answering the questions "How does it work?" and "Why does it work?").

The basis of modern cryptography is the creation of a key pair (two very long strings of characters).

One "key" is private, the other key is "public". We guard the private key very carefully. We give the public key to everyone.

Using the public key, you can encrypt a text string so that only the owner of the private key can decrypt it.
Well, that is the basis of the whole technology.

Step #1 - https sites.
When opening a site, the browser learns from the web server that the site is https and therefore requests a public key.
The web server hands over the public key. The browser uses the public key to encrypt the http request and sends it.
The content of the http request can be read only by whoever holds the private key, that is, only by the server the request was made to.
An http request contains at least a URI. Therefore, if a country tries to restrict access not to a whole site but to a specific page, this is impossible to do for https sites.

Step #2 - the encrypted response.
The server returns a response that can easily be read on the way.
The solution is very simple: the browser locally generates the same kind of private-public key pair for each https site.
And along with the request for the site's public key, it sends its own local public key.
The web server remembers it and, when sending the http response, encrypts it with the public key of that specific client.
Now the http response can be decrypted only by the owner of the browser's private key (that is, the client itself).

Step #3 - establishing a secure connection over a public channel.
There is a vulnerability in example #2: nothing prevents "well-wishers" from intercepting the http request and editing the information about the public key.
The man in the middle would then clearly see all the contents of the messages sent and received until the communication channel changes.
Dealing with this is very simple: just send the browser's public key as a message encrypted with the server's public key.
The server then first sends a response like "your public key is such and such" and encrypts this message with that same public key.
The browser looks at the response: if the message "your public key is such and such" arrives, then this is a 100% guarantee that this communication channel is secure.
How secure is it?
Establishing such a secure communication channel takes ping*2. For example 20ms.
The attacker would have to have the private key of one of the parties in advance. Or obtain the private key within a few seconds.
Cracking one modern private key would take decades on a supercomputer.

Step #4 - a public database of public keys.
Obviously, in this whole story there is an opportunity for an attacker to sit on the communication channel between the client and the server.
To the client he can pretend to be the server, and to the server he can pretend to be the client. And imitate the key pairs on both sides.
Then the attacker will see all the traffic and will be able to "edit" the traffic.
For example, change the address where money is to be sent, or copy the password for internet banking, or block "objectionable" content.
To fight such attackers, a public database of the public keys of every https site was invented.
Every browser "knows" about the existence of around 200 such databases. This comes pre-installed in every browser.
The "knowledge" is backed by the public key of each certificate authority. That is, the link to each specific certificate authority cannot be forged.

Now there is a simple understanding of how SSL is used for https.
If you think about it, it becomes clear how the special services break this structure. But it costs them enormous effort.
For organisations smaller than the NSA or CIA it is practically impossible to break the existing level of protection, even for VIPs.

I will also add something about ssh connections. There is no public registry of keys there, so what can be done? The problem is solved in two ways.
The ssh-by-password option:
On the first connection the ssh client must warn that it sees a new public (host) key for the ssh server.
On later connections, if the warning "new public key for the ssh server" appears, it means someone is trying to listen in.
Or your very first connection was tapped, and now you are talking to the server without an intermediary.
Because such tapping is revealed easily, quickly and with no effort, this attack is used only in special cases against a specific client.

The ssh-by-key option:
We take a flash drive and write the ssh server's private host key onto it (there are many conditions and nuances here, but I am writing a tutorial, not a user manual).
The public half of that host key stays on the machine where the ssh client will run (in known_hosts), and we guard it just as carefully as a secret.
We carry the flash drive to the server, insert it, copy the private key into place, then burn the flash drive and scatter the ashes to the wind (or at least overwrite it with zeros).
That is all: the client now has the server's host key pinned before the first connection, so the "new public key" warning no longer has to be trusted blindly and the ssh connection cannot be hijacked in the way described above. Of course, in 10 years it may be possible to decrypt recorded traffic on a supercomputer, but that is another story.

I apologise for the digression.

So now that the theory is known, I will describe the process of creating an SSL certificate.

With "openssl genrsa" we create a private key; from it we derive a certificate signing request (CSR), the "blank" for the public certificate.
We send that "blank" to a third-party company, which we pay roughly $9 for the simplest certificate.

A few hours later we receive our signed "public" certificate plus a few public certificates from that company (its intermediate chain).

Why a third party gets paid for registering my public key is a separate question which I will not consider here.

Now the meaning of this line is clear:

smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key

The /etc/ssl directory holds all ssl-related files.
domain1.com - the domain name.
2018 - the year the key was created.
"key" - marks the file as a private key.

And the meaning of this file:

smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
domain1.com - the domain name.
2018 - the year the key was created.
chained - indicates that the file contains a chain of public certificates (our own certificate comes first, the rest is what came from the company that issued it; Postfix treats the first certificate in the file as the server certificate, so the order matters).
crt - indicates a ready certificate (the public key together with its technical description).
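The whole flow above, as an added example that is not part of the original article: a throwaway root CA and intermediate CA stand in for the commercial company, domain1.com is the article's placeholder name, and the `openssl` binary is assumed to be installed. The script produces the key, the CSR, the signed certificate and a chained.crt laid out leaf-first, then verifies the chain and shows what a wrongly ordered file would present as the server certificate.

```python
"""Build key -> CSR -> certificate -> chained.crt with openssl and verify the result."""
import os
import subprocess
import tempfile


def openssl(*args, cwd):
    """Run one openssl subcommand in cwd; raise if it fails, return its stdout."""
    return subprocess.run(["openssl", *args], cwd=cwd, check=True,
                          capture_output=True, text=True).stdout


def write(path, text):
    with open(path, "w") as fh:
        fh.write(text)


def issue(workdir, name, subject, ca, ext):
    """Private key + CSR for `name`, signed by `ca` with the x509v3 extensions in `ext`."""
    # "openssl genrsa" makes the private key; the CSR is the "blank" sent to the CA.
    openssl("genrsa", "-out", f"{name}.key", "2048", cwd=workdir)
    openssl("req", "-new", "-key", f"{name}.key", "-subj", subject,
            "-out", f"{name}.csr", cwd=workdir)
    write(os.path.join(workdir, f"{name}.ext"), ext)
    openssl("x509", "-req", "-days", "30", "-in", f"{name}.csr",
            "-CA", f"{ca}.crt", "-CAkey", f"{ca}.key", "-CAcreateserial",
            "-extfile", f"{name}.ext", "-out", f"{name}.crt", cwd=workdir)


def first_subject(workdir, path):
    """Subject of the FIRST certificate in a PEM file: what Postfix presents as the server cert."""
    return openssl("x509", "-noout", "-subject", "-in", path, cwd=workdir).strip()


def chain_verifies(workdir, domain, chain):
    """Validate domain.crt up to root.crt using the intermediates found in `chain`."""
    proc = subprocess.run(["openssl", "verify", "-CAfile", "root.crt",
                           "-untrusted", chain, "-verify_hostname", domain,
                           f"{domain}.crt"], cwd=workdir, capture_output=True, text=True)
    return proc.returncode == 0


def build_and_check(domain="domain1.com"):
    with tempfile.TemporaryDirectory() as workdir:
        # Stand-in for the trust anchor that browsers and MTAs ship with (assumed CA names).
        openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "30",
                "-subj", "/CN=Example Root CA", "-keyout", "root.key",
                "-out", "root.crt", cwd=workdir)
        issue(workdir, "intermediate", "/CN=Example Intermediate CA", "root",
              "basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n")
        issue(workdir, domain, f"/CN={domain}", "intermediate",
              f"basicConstraints=CA:FALSE\nsubjectAltName=DNS:{domain}\n"
              "extendedKeyUsage=serverAuth\n")

        def pem(name):
            with open(os.path.join(workdir, f"{name}.crt")) as fh:
                return fh.read()

        # Correct layout: our certificate first, then what the CA sent back.
        write(os.path.join(workdir, "chained.crt"), pem(domain) + pem("intermediate"))
        # Wrong layout: CA bundle pasted first. Same certs, but the server would
        # present the intermediate as its own certificate.
        write(os.path.join(workdir, "wrong.crt"), pem("intermediate") + pem(domain))

        return {
            "chain_ok": chain_verifies(workdir, domain, "chained.crt"),
            "first_subject": first_subject(workdir, "chained.crt"),
            "wrong_first_subject": first_subject(workdir, "wrong.crt"),
        }


if __name__ == "__main__":
    print(build_and_check())
```

The same checks apply to a real file: `openssl x509 -noout -subject -in /etc/ssl/domain1.com.2018.chained.crt` must print the domain, and `openssl verify -untrusted chained.crt leaf.crt` against the system CA store must say OK before the path goes into smtpd_tls_cert_file.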

smtp_bind_address = XX.XX.XX.X0
smtp_bind_address6 = XXXX:XXXX:XXXX:XXXX:1:1:1:1

These two settings are not used in this setup (each domain gets its own bind address in master.cf below); they are written here only as an example.

A mistake in these parameters means mail leaves your server from an address whose rDNS does not match the domain, and receiving servers treat it as spam.

So prove to everyone that you are not a criminal.

recipient_delimiter = +

Many people may not know it, but this is standard e-mail behaviour (subaddressing), supported by most modern mail servers.

For example, if you have the mailbox "[email protected]", try sending to "[email protected]" and see what arrives.

inet_protocols = ipv4

This may look confusing.

But it is not: every new domain starts out IPv4-only, and IPv6 is then enabled for each one individually (in its master.cf transport).

virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf

Here we declare that all incoming mail is handed to Dovecot over LMTP.
And the rules for domains, mailboxes and aliases are looked up in the database.

/etc/postfix/mysql-virtual-mailbox-domains.cf

user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT 1 FROM virtual_domains WHERE name='%s'

/etc/postfix/mysql-virtual-mailbox-maps.cf

user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT 1 FROM virtual_users WHERE email='%s'

/etc/postfix/mysql-virtual-alias-maps.cf

user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT destination FROM virtual_aliases WHERE source='%s'

# SMTP-Auth settings
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

Now Postfix knows that mail may be accepted for onward delivery only after authentication through Dovecot's SASL socket.

I do not really understand why this is duplicated here. We already defined everything needed for "virtual_transport".

But the postfix system is very old; probably it is a legacy of earlier days.

smtpd_recipient_restrictions =
        ...

smtpd_helo_restrictions =
        ...

smtpd_client_restrictions =
        ...

This is configured differently on every mail server.

I have 3 mail servers and these settings differ a lot between them because of different usage requirements.

You must configure them carefully, otherwise spam will pour in to you or, even worse, spam will pour out from you (an open relay).

# SPF
policyd-spf_time_limit = 3600

A setting for the plugin that performs SPF checks on incoming mail: the time limit for the policyd-spf process spawned from master.cf.

# OpenDKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:var/run/opendkim/opendkim.sock

Here we state that all outgoing mail is DKIM-signed (and incoming mail verified) through the OpenDKIM milter. Note that milter_default_action = accept fails open: if opendkim is down, mail still flows, unsigned and unverified.

# IP address per domain
sender_dependent_default_transport_maps = pcre:/etc/postfix/sdd_transport.pcre

This is the key detail for handling mail that is sent by PHP scripts.

The file "/etc/postfix/sdd_transport.pcre":

/^[email protected]$/ domain1:
/^[email protected]$/ domain2:
/^[email protected]$/ domain3:
/@domain1.com$/             domain1:
/@domain2.com$/             domain2:
/@domain3.com$/             domain3:

On the left are regular expressions. On the right is the tag assigned to the message.
Postfix will then look up that tag in master.cf, where several lines describe how to deliver a tagged message.

Exactly how postfix forwards a tagged message is specified in "master.cf".

Lines 4, 5, 6 are the main ones. By the domain name we send from, we assign the tag.
But the "from" field is not always set in PHP scripts in old code. Then the local username (lines 1-3) comes to the rescue.

The article is already too large; I do not want to get distracted by nginx+fpm setup.

Briefly: each site gets its own Linux user as owner, and its own fpm pool.

An fpm pool can use any version of php (very convenient when on one server you can run different php versions and even different php.ini for neighbouring sites without problems).

So a dedicated Linux user "www-domain2" owns domain2.com. That site has code that sends e-mail without specifying a sender.

So even in this case the mail goes out through the right transport, from the right IP, and is not penalised as spam for a mismatched origin.
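How Postfix walks that table, as an added example that is not code from the article: a small emulation of a pcre: table lookup, first match wins. The article's first three map lines are redacted, so the patterns for the local users are my assumption (mail sent by a PHP script with no From: arrives as local-user@hostname, and the page names www-domain2 as the user for domain2.com). The dots in the domain patterns are escaped here; the article's version leaves them unescaped, which also matches any character.

```python
"""Emulate Postfix's sender_dependent_default_transport_maps lookup for a pcre: table."""
import re

# Constructed copy of /etc/postfix/sdd_transport.pcre. Left: regex; right: the transport
# name that master.cf defines (domain1:, domain2:, domain3:).
SDD_TRANSPORT_PCRE = r"""
# local users the PHP pools run as (assumed names for the redacted lines)
/^www-domain1@/            domain1:
/^www-domain2@/            domain2:
/^www-domain3@/            domain3:
/@domain1\.com$/           domain1:
/@domain2\.com$/           domain2:
/@domain3\.com$/           domain3:
"""

# One table line: /pattern/flags <whitespace> result
LINE = re.compile(r"^/(?P<pattern>(?:\\/|[^/])*)/(?P<flags>[a-zA-Z!]*)\s+(?P<result>\S+)$")


def parse_pcre_table(text):
    """Return [(compiled regex, result)] in file order; Postfix tries rules top to bottom."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"bad pcre table line: {raw!r}")
        # Postfix pcre tables match case-insensitively unless the pattern carries '!i'.
        flags = 0 if "!i" in m["flags"] else re.IGNORECASE
        rules.append((re.compile(m["pattern"], flags), m["result"]))
    return rules


def lookup_transport(sender, rules):
    """First matching rule wins, as with `postmap -q <sender> pcre:/etc/postfix/sdd_transport.pcre`.
    None means no rule matched: Postfix then falls back to default_transport."""
    for regex, result in rules:
        if regex.search(sender):
            return result
    return None


RULES = parse_pcre_table(SDD_TRANSPORT_PCRE)

if __name__ == "__main__":
    for sender in ["info@domain1.com", "www-domain2@mail.local",
                   "INFO@Domain3.COM", "bob@other.example"]:
        print(f"{sender:28} -> {lookup_transport(sender, RULES)}")
```

On the real server the same answer comes from `postmap -q "info@domain1.com" pcre:/etc/postfix/sdd_transport.pcre`; run it for one address per domain and for a local-user address after every edit of the map, because a sender that matches nothing silently falls back to default_transport and leaves from the default IP.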

My "/etc/postfix/master.cf" looks like this:
...
smtp      inet  n       -       y       -       -       smtpd
  -o content_filter=spamassassin
...
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
...
policyd-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/bin/policyd-spf

spamassassin unix -     n       n       -       -       pipe
    user=spamd argv=/usr/bin/spamc -f -e
    /usr/sbin/sendmail -oi -f ${sender} ${recipient}
...
domain1  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X1
   -o smtp_helo_name=domain1.com
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:1:1
   -o syslog_name=postfix-domain1

domain2  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X5
   -o smtp_helo_name=domain2.com
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:2:1:1
   -o syslog_name=postfix-domain2

domain3  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X2
   -o smtp_helo_name=domain3.com
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:5:1
   -o syslog_name=postfix-domain3

The file is not given in full; it was already too large.
I have listed only what was changed.

smtp      inet  n       -       y       -       -       smtpd
  -o content_filter=spamassassin
...
spamassassin unix -     n       n       -       -       pipe
    user=spamd argv=/usr/bin/spamc -f -e
    /usr/sbin/sendmail -oi -f ${sender} ${recipient}

These are the SpamAssassin-related parameters; more on them below. Note that content_filter is set only on the port 25 "smtp" service, so mail accepted on the submission port is not scanned.

submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

We allow clients to connect to the mail server on port 587 (submission).
To do so they must authenticate, and TLS is mandatory (smtpd_tls_security_level=encrypt); anything unauthenticated is rejected.

policyd-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/bin/policyd-spf

Enable SPF checking.

apt-get install postfix-policyd-spf-python

Install the SPF checking package used above.

domain1  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X1
   -o smtp_helo_name=domain1.com
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:1:1
   -o syslog_name=postfix-domain1

And this is the most interesting part: the ability to send mail for a given domain from its own dedicated IPv4/IPv6 address.

This is done for the sake of rDNS. rDNS (reverse DNS) is the way to get a hostname from an IP address.
In mail, this is used to verify that the HELO name matches the rDNS of the IP address the message was sent from.

If the HELO does not match the domain of the sender address, spam points are added.

If the HELO does not match the rDNS, many spam points are added.
Therefore each domain should have its own IP address.
For OVH, rDNS can be set in the console.
For tech.ru, it is sorted out through support.
For AWS, it is sorted out through support.
"inet_protocols" and "smtp_bind_address6" enable IPv6 support.
For IPv6 you also need to register rDNS.
"syslog_name" is there to make the logs easier to read.
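The three checks a receiving server runs on a connecting IP (PTR present, PTR confirmed by a forward lookup, HELO equal to the PTR name), as an added example that is not code from the article. The DNS answers are a constructed in-memory table using documentation address ranges, so it runs offline; the weights are illustrative, not SpamAssassin's real scores.

```python
"""Forward-confirmed rDNS plus HELO consistency check, with a stub resolver."""
import ipaddress

# Constructed DNS data: one IP per domain, as the article's master.cf does.
PTR = {
    "203.0.113.1": "domain1.com",
    "2001:db8::1:1:1:1": "domain1.com",
    "203.0.113.5": "domain2.com",
    "203.0.113.2": "domain3.com",      # PTR exists but the name points elsewhere
}
FORWARD = {                             # A / AAAA records
    "domain1.com": {"203.0.113.1", "2001:db8::1:1:1:1"},
    "domain2.com": {"203.0.113.5"},
    "domain3.com": {"203.0.113.9"},
}


def stub_resolver(query, name):
    """Stand-in for DNS: query is 'PTR' (ip -> name) or 'FORWARD' (name -> {ips})."""
    if query == "PTR":
        return PTR.get(name)
    return FORWARD.get(name, set())


def check_sending_host(ip, helo, resolve=stub_resolver):
    """Return (penalty, reasons). penalty 0 means IP, PTR and HELO are all consistent."""
    canonical = str(ipaddress.ip_address(ip))   # normalises e.g. 2001:DB8::1:1:1:1
    reasons, penalty = [], 0

    ptr = resolve("PTR", canonical)
    if ptr is None:
        return 5, [f"no PTR record for {canonical}"]
    ptr = ptr.lower().rstrip(".")

    # Forward-confirmed rDNS: the PTR name must resolve back to the connecting IP.
    forward = {str(ipaddress.ip_address(a)) for a in resolve("FORWARD", ptr)}
    if canonical not in forward:
        penalty += 3
        reasons.append(f"PTR {ptr} does not resolve back to {canonical}")

    if helo.lower().rstrip(".") != ptr:
        penalty += 2
        reasons.append(f"HELO {helo} differs from PTR {ptr}")
    return penalty, reasons


if __name__ == "__main__":
    for ip, helo in [("203.0.113.1", "domain1.com"), ("2001:DB8::1:1:1:1", "domain1.com"),
                     ("203.0.113.2", "domain3.com"), ("203.0.113.5", "domain3.com"),
                     ("203.0.113.7", "domain1.com")]:
        print(ip, helo, check_sending_host(ip, helo))
```

To run the same check against live DNS, replace stub_resolver with real lookups; on the server itself `dig -x XX.XX.XX.X1 +short` must return the smtp_helo_name of that transport, and `dig +short domain1.com A` / `AAAA` must return the bound addresses, for every domain and for both address families.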

I recommend buying certificates here.

Setting up the postfix+Dovecot link is described here.

Setting up SPF.

=========== Dovecot =============

apt-get install dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-mysql dovecot-antispam

Install the packages themselves, including the MySQL backend.

File "/etc/dovecot/conf.d/10-auth.conf"

disable_plaintext_auth = yes
auth_mechanisms = plain login

Authentication is allowed only over an encrypted connection: with disable_plaintext_auth = yes, the PLAIN and LOGIN mechanisms are refused unless the session is already protected by TLS.

File "/etc/dovecot/conf.d/10-mail.conf"

mail_location = maildir:/var/mail/vhosts/%d/%n

Here we specify where mail is stored.

I want it stored as files (Maildir), grouped by domain.

File "/etc/dovecot/conf.d/10-master.conf"

service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    address = XX.XX.XX.X1, XX.XX.XX.X2, XX.XX.XX.X5, [XXXX:XXXX:XXXX:XXXX:1:1:1:1], [XXXX:XXXX:XXXX:XXXX:1:2:1:1], [XXXX:XXXX:XXXX:XXXX:1:1:5:1]
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    address = XX.XX.XX.X1, XX.XX.XX.X2, XX.XX.XX.X5, [XXXX:XXXX:XXXX:XXXX:1:1:1:1], [XXXX:XXXX:XXXX:XXXX:1:2:1:1], [XXXX:XXXX:XXXX:XXXX:1:1:5:1]
    port = 995
    ssl = yes
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
service imap {
}
service pop3 {
}
service auth {
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }

  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
  user = dovecot
}
service auth-worker {
  user = vmail
}
service dict {
  unix_listener dict {
  }
}

This is Dovecot's main service configuration file.
Here we turn off the unencrypted listeners (port = 0 for plain imap and pop3)
and enable the TLS-only ones on 993 and 995, bound to the per-domain addresses.
The Postfix SASL socket is created world-writable (mode = 0666), a common tutorial value; since Postfix connects as user postfix and the socket already carries user/group postfix, 0660 is sufficient and tighter.

File "/etc/dovecot/conf.d/10-ssl.conf"

ssl = required
ssl_cert = </etc/nginx/ssl/domain1.com.2018.chained.crt
ssl_key = </etc/nginx/ssl/domain1.com.2018.key
local XX.XX.XX.X5 {
  ssl_cert = </etc/nginx/ssl/domain2.com.2018.chained.crt
  ssl_key =  </etc/nginx/ssl/domain2.com.2018.key
}

SSL settings. We state that ssl is required,
and point at the certificate itself. An important detail is the "local" directive: it selects which SSL certificate is used when a client connects to a particular local IPv4 address.

By the way, IPv6 is not configured here; I will fix that omission later.
XX.XX.XX.X5 (domain2) - no certificate of its own; to connect, clients must use the name domain1.com.
XX.XX.XX.X2 (domain3) - there is a certificate; clients can connect using either domain1.com or domain3.com.

File "/etc/dovecot/conf.d/15-lda.conf"

protocol lda {
  mail_plugins = $mail_plugins sieve
}

This will be needed later for SpamAssassin (the sieve rule that files spam).

File "/etc/dovecot/conf.d/20-imap.conf"

protocol imap {
  mail_plugins = $mail_plugins antispam
}

This is the antispam plugin. It is needed to train SpamAssassin when a message is moved into or out of the "Spam" folder.

File "/etc/dovecot/conf.d/20-pop3.conf"

protocol pop3 {
}

There is simply such a file.

File "/etc/dovecot/conf.d/20-lmtp.conf"

protocol lmtp {
  mail_plugins = $mail_plugins sieve
  postmaster_address = [email protected]
}

LMTP settings.

File "/etc/dovecot/conf.d/90-antispam.conf"

plugin {
  antispam_backend = pipe
  antispam_trash = Trash;trash
  antispam_spam = Junk;Spam;SPAM
  antispam_pipe_program_spam_arg = --spam
  antispam_pipe_program_notspam_arg = --ham
  antispam_pipe_program = /usr/bin/sa-learn
  antispam_pipe_program_args = --username=%Lu
}

Settings for training SpamAssassin when moving messages into or out of the spam folder.

File "/etc/dovecot/conf.d/90-sieve.conf"

plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_after = /var/lib/dovecot/sieve/default.sieve
}

The file that defines what to do with incoming mail.

File "/var/lib/dovecot/sieve/default.sieve"

require ["fileinto", "mailbox"];

if header :contains "X-Spam-Flag" "YES" {
        fileinto :create "Spam";
}

The file must be compiled: "sievec default.sieve".

File "/etc/dovecot/conf.d/auth-sql.conf.ext"

passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
}

Tells Dovecot which SQL file to use for authentication.
The file itself is then used during the authentication process.

File "/etc/dovecot/dovecot-sql.conf.ext"

driver = mysql
connect = host=127.0.0.1 dbname=servermail user=usermail password=password
default_pass_scheme = SHA512-CRYPT
password_query = SELECT email as user, password FROM virtual_users WHERE email='%u';

This matches the corresponding postfix settings.

File "/etc/dovecot/dovecot.conf"

protocols = imap lmtp pop3
listen = *, ::
dict {
}
!include conf.d/*.conf
!include_try local.conf

The main configuration file.
The important thing here is the "protocols" line: add the protocols you want served.

============ SpamAssassin =============

apt-get install spamassassin spamc

Install the packages.

adduser spamd --disabled-login

Add a user for it to run as.

systemctl enable spamassassin.service

Enable starting the spamassassin service at boot.

File "/etc/default/spamassassin":

CRON=1

Enables automatic updates of the rule set (sa-update via cron).

File "/etc/spamassassin/local.cf":

report_safe 0

use_bayes          1
bayes_auto_learn   1
bayes_auto_expire  1
bayes_store_module Mail::SpamAssassin::BayesStore::MySQL
bayes_sql_dsn      DBI:mysql:sa:localhost:3306
bayes_sql_username sa
bayes_sql_password password

You need to create a database "sa" in MySQL with a user "sa" and the password "password" (replace it with something adequate).

report_safe 0 - the spam report goes into X-Spam-* headers on the original message instead of wrapping the message as an attachment; this is what lets the sieve rule above see X-Spam-Flag.
use_bayes - the SpamAssassin machine-learning (Bayesian) settings.

The remaining spamassassin settings were already used earlier in the article.

General "spamassassin" setup.
About moving new spam into the IMAP "Spam" folder.
About simple Dovecot + SpamAssassin integration.
I recommend reading the theory of training spamassassin when moving messages between IMAP folders (and do not recommend using it).
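The filing decision that default.sieve makes, mirrored in Python as an added example that is not code from the article. The three messages are constructed samples in the header format SpamAssassin produces with report_safe 0; the unscanned one stands for mail accepted on the submission port, which the article's master.cf does not pass through content_filter. The consistency flag is an extra check the sieve rule does not do.

```python
"""Mirror the Sieve filing rule from SpamAssassin's headers and sanity-check them."""
import email
import re
from email import policy

# Constructed samples. The folded "tests=" continuation line mimics real output.
SPAM_SAMPLE = (
    "X-Spam-Flag: YES\n"
    "X-Spam-Status: Yes, score=7.3 required=5.0 tests=BAYES_99,\n"
    "\tHTML_MESSAGE autolearn=no version=3.4.2\n"
    "Subject: cheap pills\n\nbody\n"
)
HAM_SAMPLE = (
    "X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00 autolearn=ham version=3.4.2\n"
    "Subject: meeting\n\nbody\n"
)
# No X-Spam-* headers at all: the message never went through spamc.
UNSCANNED_SAMPLE = "Subject: sent via port 587\n\nbody\n"

STATUS = re.compile(
    r"^(?P<flag>Yes|No),\s*score=(?P<score>-?\d+(?:\.\d+)?)\s+required=(?P<required>-?\d+(?:\.\d+)?)"
    r"(?:\s+tests=(?P<tests>\w+(?:,\s*\w+)*))?"
)


def triage(raw):
    """Return folder (as default.sieve would choose it), parsed score fields and a sanity flag."""
    msg = email.message_from_string(raw, policy=policy.default)
    flag = (msg.get("X-Spam-Flag") or "").strip().upper()
    # default.sieve: if header :contains "X-Spam-Flag" "YES" -> fileinto "Spam"
    folder = "Spam" if "YES" in flag else "INBOX"
    result = {"folder": folder, "scanned": False, "score": None,
              "required": None, "tests": [], "consistent": True}

    status = msg.get("X-Spam-Status")
    if status is None:
        return result                       # never scanned: lands in INBOX untouched
    m = STATUS.match(str(status).strip())
    if not m:
        return result
    result["scanned"] = True
    result["score"] = float(m["score"])
    result["required"] = float(m["required"])
    result["tests"] = [t.strip() for t in (m["tests"] or "").split(",") if t.strip()]
    # A YES flag with a score below the threshold (or the reverse) means the headers
    # did not come from this server's SpamAssassin: log it rather than trust it.
    result["consistent"] = (result["score"] >= result["required"]) == (folder == "Spam")
    return result


if __name__ == "__main__":
    for name, raw in [("spam", SPAM_SAMPLE), ("ham", HAM_SAMPLE), ("unscanned", UNSCANNED_SAMPLE)]:
        print(name, triage(raw))
```

Run `spamc -R < message.eml` on a saved message to see exactly which headers the local installation adds; if X-Spam-Flag is missing from scanned mail, check that report_safe is 0 and that the message actually entered through the port 25 service.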

===============================================================

I would also like to throw an idea out to the community on how to raise the security level of transmitted mail, since I have dug so deep into the mail topic.

Let the user generate a key pair (Outlook, Thunderbird, a browser plugin, ...): a public one and a private one. The public key goes into DNS; the private one stays in the client. Mail servers could then use that public key to encrypt mail for a specific recipient.

And to protect such mail from spam (yes, the mail server will not be able to see the contents), three rules would have to be introduced:

  1. A real DKIM signature, mandatory SPF, mandatory rDNS.
  2. A neural network for antispam training plus a database on the client side.
  3. The encryption algorithm must be such that the sending side spends 100 times more CPU on encryption than the receiving side does.

In addition to ordinary mail, make a standard proposal letter "to start secure correspondence". One user (mailbox) sends a letter with an attachment to another mailbox. The letter contains a text proposal to start a secure communication channel for correspondence and the public key of the mailbox owner (with the private key on the client side).

You could even create a separate key pair for each correspondence. The receiving user can accept the request and send his own public key (also created for this correspondence). Next, the first user sends a service control letter (encrypted with the second user's public key); on receiving it, the second user can consider the channel established. Next, the second user sends a control letter, after which the first user can also consider the channel established.

To counter interception of keys in transit, the protocol must allow at least one public key to be passed by flash drive.

And the most important thing is that it works together (the question is "who will pay for it?"):
Introduce mail certificates from $10 per 3 years. That would let the sender indicate in DNS that "my public keys are here" and give the ability to initiate a secure connection. Accepting such a connection, meanwhile, is free.
gmail is finally starting to charge its users. $10 per 3 years is a very fair price for the right to create secure correspondence channels.

============ Gabagabo ==============

To test the whole article I wanted to rent a dedicated server for a month and buy a domain with an SSL certificate.

But life circumstances intervened, so this dragged on for 2 months.
And so, when I found some free time again, I decided to publish the article as it is, rather than risk the publication dragging on for another year.

If there are many questions like "but this is not described in enough detail", then most likely I will find the strength to take a dedicated server with a new domain and a new SSL certificate and describe it in even more detail and, more importantly, find all the important details that are missing.

I would also like feedback on the idea of mail certificates. If you like the idea, I will try to find the strength to write a draft RFC.

When copying large parts of the article, give a link to this article.
When translating it into another language, give a link to this article.
I will try to translate it into English myself and leave cross-references.


Source: www.habr.com
