Debian + Postfix + Dovecot + Multidomain + SSL + IPv6 + OpenVPN + Multi-interfaces + SpamAssassin-learn + Bind

This article is about how to set up a modern mail server.
Postfix + Dovecot. SPF + DKIM + rDNS. With IPv6.
With TLS encryption. With support for several domains, some of them with a real SSL certificate.
With antispam protection and a high antispam rating with other mail servers.
With support for several physical interfaces.
With OpenVPN, whose connection is over IPv4 and which hands out IPv6.

If you do not want to learn all these technologies but want to set up such a server, then this article is for you.

The article does not attempt to explain every detail. The explanation covers what is configured in a non-obvious way or what is important from the consumer's point of view.

Setting up a mail server has been a long-standing dream of mine. This may sound silly, but IMHO it is much better than dreaming of a new car from your favourite brand.

There are two reasons for setting up IPv6. An IT specialist needs to keep learning new technologies to survive. And I would like to make my modest contribution to the fight against censorship.

The purpose of setting up OpenVPN is only to make IPv6 work on the local machine.
The purpose of setting up several physical interfaces is that on my server I have one interface that is "slow but unlimited" and another that is "fast but with a quota".

The purpose of setting up Bind is that my ISP provides an unstable DNS server, and Google's also fails at times. I want a stable DNS server for personal use.

The motivation for writing the article: I wrote the draft 10 months ago, and I have already looked it up twice. Even if the author needs it regularly, there is a good chance that others will need it too.

There is no universal solution for a mail server. But I will try to write something like "do this and, when everything works as it should, throw out the unnecessary parts."

The company tech.ru offers a Colocation server. It can be compared with OVH, Hetzner, AWS. For solving this task, cooperation with tech.ru will be much more effective.

Debian 9 is installed on the server.

The server has 2 interfaces, `eno1` and `eno2`. The first is unlimited and the second is fast, respectively.

There are 3 static IP addresses: XX.XX.XX.X0, XX.XX.XX.X1 and XX.XX.XX.X2 on the `eno1` interface and XX.XX.XX.X5 on the `eno2` interface.

There is a pool of IPv6 addresses XXXX:XXXX:XXXX:XXXX::/64 assigned to the `eno1` interface, and from it XXXX:XXXX:XXXX:XXXX:1:2::/96 was assigned to `eno2` at my request.

There are 3 domains: `domain1.com`, `domain2.com`, `domain3.com`. There is an SSL certificate for `domain1.com` and `domain3.com`.

I have a Google account to which I want to link my mailbox `[email protected]` (receiving mail and sending mail directly from the gmail interface).
There must be a mailbox `[email protected]`, a copy of whose mail I want to see in my gmail. And, rarely, I must be able to send something on behalf of `[email protected]` via the web interface.

There must be a mailbox `[email protected]` that Ivanov will use from his iPhone.

Sent emails must comply with all modern antispam requirements.
There must be the highest level of encryption available on public networks.
There must be IPv6 support for both sending and receiving mail.
There must be a SpamAssassin that does not delete mail. It will either bounce a message, or let it through, or send it to the IMAP "Spam" folder.
SpamAssassin auto-learning must be configured: if I move a message into the Spam folder, it learns from this; if I move a message out of the Spam folder, it learns from this. The results of SpamAssassin's training must influence whether a message ends up in the Spam folder.
PHP scripts must be able to send mail on behalf of any domain on the given server.
There must be an openvpn service, with the ability to use IPv6 on a client that does not have IPv6.

First you need to set up the interfaces and routes, including IPv6.
Then you will need to set up OpenVPN, which will connect over IPv4 and give the client a static IPv6 address. This client will have access to all the IPv6 services on the server and to any IPv6 resources on the Internet.
Then you will need to configure Postfix for sending mail + SPF + DKIM + rDNS and other small things of that kind.
Then you will need to set up Dovecot and configure Multidomain.
Then you will need to set up SpamAssassin and configure its training.
Finally, install Bind.

============= Multi-interfaces ==============

To set up the interfaces, you need to write this in "/etc/network/interfaces".

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eno1
iface eno1 inet static
        address XX.XX.XX.X0/24
        gateway XX.XX.XX.1
        dns-nameservers 127.0.0.1 213.248.1.6
        post-up ip route add XX.XX.XX.0/24 dev eno1 src XX.XX.XX.X0 table eno1t
        post-up ip route add default via XX.XX.XX.1 table eno1t
        post-up ip rule add table eno1t from XX.XX.XX.X0
        post-up ip rule add table eno1t to XX.XX.XX.X0

auto eno1:1
iface eno1:1 inet static
address XX.XX.XX.X1
netmask 255.255.255.0
        post-up ip rule add table eno1t from XX.XX.XX.X1
        post-up ip rule add table eno1t to XX.XX.XX.X1
        post-up   ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t
        post-down ip route del 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t

auto eno1:2
iface eno1:2 inet static
address XX.XX.XX.X2
netmask 255.255.255.0
        post-up ip rule add table eno1t from XX.XX.XX.X2
        post-up ip rule add table eno1t to XX.XX.XX.X2

iface eno1 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:1::/64
        gateway XXXX:XXXX:XXXX:XXXX::1
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:2/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:1:1:2/64 dev $IFACE

# The secondary network interface
allow-hotplug eno2
iface eno2 inet static
        address XX.XX.XX.X5
        netmask 255.255.255.0
        post-up   ip route add XX.XX.XX.0/24 dev eno2 src XX.XX.XX.X5 table eno2t
        post-up   ip route add default via XX.XX.XX.1 table eno2t
        post-up   ip rule add table eno2t from XX.XX.XX.X5
        post-up   ip rule add table eno2t to XX.XX.XX.X5
        post-up   ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X5 table eno2t
        post-down ip route del 10.8.0.0/24 dev tun0 src XX.XX.XX.X5 table eno2t

iface eno2 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:2::/96
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:2:1:1/64 dev $IFACE
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:2:1:2/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:2:1:1/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:2:1:2/64 dev $IFACE

# OpenVPN network
iface tun0 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:3::/80

These settings can be applied on any server at tech.ru (with a small coordination with support) and will work right away as they should.

If you have experience setting up similar things at Hetzner or OVH, it is different there. It is more complicated.

eno1 is the name of network card #1 (slow but unlimited).
eno2 is the name of network card #2 (fast, but with a quota).
tun0 is the name of the virtual network card from OpenVPN.
XX.XX.XX.X0 - IPv4 #1 on eno1.
XX.XX.XX.X1 - IPv4 #2 on eno1.
XX.XX.XX.X2 - IPv4 #3 on eno1.
XX.XX.XX.X5 - IPv4 #1 on eno2.
XX.XX.XX.1 - IPv4 gateway.
XXXX:XXXX:XXXX:XXXX::/64 - IPv6 for the whole server.
XXXX:XXXX:XXXX:XXXX:1:2::/96 - IPv6 for eno2; everything else coming from outside goes to eno1.
XXXX:XXXX:XXXX:XXXX::1 - IPv6 gateway (it is important to note that this can/should be done differently: specify the IPv6 of the switch).
dns-nameservers - 127.0.0.1 is specified (because bind is installed locally) and 213.248.1.6 (this one comes from tech.ru).

"table eno1t" and "table eno2t" - the meaning of these routing rules is that traffic that came in through eno1 -> will leave through it, and traffic that came in through eno2 -> will leave through it. Also, connections initiated by the server go through eno1.

ip route add default via XX.XX.XX.1 table eno1t

With this command we specify that any traffic of unknown destination that falls under any rule marked "table eno1t" -> is sent out through the eno1 interface.

ip route add XX.XX.XX.0/24 dev eno1 src XX.XX.XX.X0 table eno1t

With this command we specify that any traffic initiated by the server itself should be directed to the eno1 interface.

ip rule add table eno1t from XX.XX.XX.X0
ip rule add table eno1t to XX.XX.XX.X0

With these commands we set the rules for marking traffic.

auto eno1:2
iface eno1:2 inet static
address XX.XX.XX.X2
netmask 255.255.255.0
        post-up ip rule add table eno1t from XX.XX.XX.X2
        post-up ip rule add table eno1t to XX.XX.XX.X2

This block specifies the second IPv4 for the eno1 interface.

ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t

With this command we set a route from the OpenVPN clients to the local IPv4 other than XX.XX.XX.X0.
I still do not understand why this one command is enough for all the IPv4 addresses.

iface eno1 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:1::/64
        gateway XXXX:XXXX:XXXX:XXXX::1

Here we set the address for the interface itself. The server will use it as its "source" address. It will not be used in any other way.

Hobaneng ":1:1::" e rarahane hakaale? Kahoo OpenVPN e sebetsa ka nepo le bakeng sa sena feela. Tse ling ka sena hamorao.

About the gateway: this is how it works and it is fine. But the correct way is to specify here the IPv6 of the switch to which the server is connected.

However, for some reason IPv6 stops working if I do this. Probably this is some kind of tech.ru problem.

ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE

This adds an IPv6 address to the interface. If you need a hundred addresses, that means a hundred lines in this file.

iface eno1 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:1::/64
...
iface eno2 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:2::/96
...
iface tun0 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:3::/80

I noted the addresses and subnets of all the interfaces for clarity.
eno1 - must be "/64", because this is our whole pool of addresses.
tun0 - the subnet must be larger than eno1's. Otherwise it will not be possible to configure an IPv6 gateway for the OpenVPN clients.
eno2 - the subnet must be larger than tun0's. Otherwise the OpenVPN clients will not be able to reach the local IPv6 addresses.
For clarity, I chose a subnet step of 16, but if you wish you can use a step of "1".
Accordingly, 64+16 = 80, and 80+16 = 96.

For even more clarity:
XXXX:XXXX:XXXX:XXXX:1:1:YYYY:YYYY are the addresses to be assigned to specific sites or services on the eno1 interface.
XXXX:XXXX:XXXX:XXXX:1:2:YYYY:YYYY are the addresses to be assigned to specific sites or services on the eno2 interface.
XXXX:XXXX:XXXX:XXXX:1:3:YYYY:YYYY are the addresses to be given to OpenVPN clients or used as OpenVPN service addresses.

To apply the network settings, it should be possible to restart the server.
IPv4 changes are picked up when running (be sure to wrap it in screen, otherwise this command will bring down the network on the server):

/etc/init.d/networking restart

Add at the end of the file "/etc/iproute2/rt_tables":

100 eno1t
101 eno2t

Without this, you cannot use custom tables in the "/etc/network/interfaces" file.
The numbers must be unique and less than 65535.

IPv6 changes can easily be applied without a restart, but to do this you need to learn at least three commands:

ip -6 addr ...
ip -6 route ...
ip -6 neigh ...

Setting up "/etc/sysctl.conf"

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward = 1

# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0

# For receiving ARP replies
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.default.arp_filter = 0

# For sending ARP
net.ipv4.conf.all.arp_announce = 0
net.ipv4.conf.default.arp_announce = 0

# Enable IPv6
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0

# IPv6 configuration
net.ipv6.conf.all.autoconf = 1
net.ipv6.conf.all.accept_ra = 0

# For OpenVPN
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.proxy_ndp = 1

# For nginx on boot
net.ipv6.ip_nonlocal_bind = 1

These are the "sysctl" settings of my server. Let me point out the important things.

net.ipv4.ip_forward = 1

Without this, OpenVPN will not work at all.

net.ipv6.ip_nonlocal_bind = 1

Anyone who tries to bind to an IPv6 address (for example nginx) immediately after the interface comes up will get an error saying that the address is not available.

To avoid that situation, this setting is made.

net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.proxy_ndp = 1

Without these IPv6 settings, traffic from the OpenVPN client does not get out to the world.

The other settings are either irrelevant or I do not remember what they are for.
But just in case, I leave them "as is".

For the changes in this file to be picked up without restarting the server, you need to run the command:

sysctl -p

More about the "table" rules: habr.com/post/108690

============= OpenVPN ==============

OpenVPN over IPv4 does not work without iptables.

My iptables rules for the VPN look like this:

iptables -A INPUT -p udp -s YY.YY.YY.YY --dport 1194 -j ACCEPT
iptables -A FORWARD -i tun0 -o eno1 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j SNAT --to-source XX.XX.XX.X0
##iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j DROP
iptables -A FORWARD -p udp --dport 1194 -j DROP

YY.YY.YY.YY is the fixed IPv4 address of my local machine.
10.8.0.0/24 - the IPv4 openvpn network, i.e. the IPv4 addresses for openvpn clients.
The order of the rules is important.

iptables -A INPUT -p udp -s YY.YY.YY.YY --dport 1194 -j ACCEPT
iptables -A FORWARD -i tun0 -o eno1 -j ACCEPT
...
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j DROP
iptables -A FORWARD -p udp --dport 1194 -j DROP

This is a restriction so that only I can use OpenVPN, from my fixed IP.
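Why the order of those rules matters is easiest to see by walking a packet through the chain the way netfilter does. The following is an added example (not code from the original article): a minimal first-match model of the three INPUT rules above, with 203.0.113.10 as a constructed stand-in for YY.YY.YY.YY.

```python
import ipaddress

# Added example, not part of the original article: a first-match model of the
# INPUT chain above. 203.0.113.10 is a constructed documentation address
# standing in for YY.YY.YY.YY, the admin's fixed home IPv4.
ADMIN_IP = "203.0.113.10"

# One tuple per rule: (proto, source network, dport, conntrack states, target).
# None means the rule does not match on that field, like an absent iptables option.
INPUT_RULES = [
    ("udp", ipaddress.IPv4Network(ADMIN_IP + "/32"), 1194, None, "ACCEPT"),  # -s YY.YY.YY.YY --dport 1194 -j ACCEPT
    (None, None, None, {"RELATED", "ESTABLISHED"}, "ACCEPT"),               # -m state --state RELATED,ESTABLISHED
    ("udp", None, 1194, None, "DROP"),                                       # --dport 1194 -j DROP
]


def evaluate(rules, pkt, policy="ACCEPT"):
    """Walk the chain top to bottom like netfilter: the first matching rule decides.
    pkt is a dict with keys proto, src, dport and state."""
    for proto, src_net, dport, states, target in rules:
        if proto is not None and pkt["proto"] != proto:
            continue
        if src_net is not None and ipaddress.IPv4Address(pkt["src"]) not in src_net:
            continue
        if dport is not None and pkt["dport"] != dport:
            continue
        if states is not None and pkt["state"] not in states:
            continue
        return target
    return policy  # nothing matched: the chain policy applies (ACCEPT on a stock install)


def vpn_handshake(src):
    """Verdict for a fresh OpenVPN packet (UDP/1194, conntrack state NEW) from src."""
    return evaluate(INPUT_RULES, {"proto": "udp", "src": src, "dport": 1194, "state": "NEW"})


def misordered_handshake(src):
    """The same three rules with the DROP moved to the top: the admin is locked out as well."""
    rules = [INPUT_RULES[2], INPUT_RULES[0], INPUT_RULES[1]]
    return evaluate(rules, {"proto": "udp", "src": src, "dport": 1194, "state": "NEW"})


if __name__ == "__main__":
    print("admin:", vpn_handshake(ADMIN_IP))               # ACCEPT
    print("stranger:", vpn_handshake("198.51.100.7"))       # DROP
    print("misordered admin:", misordered_handshake(ADMIN_IP))  # DROP
```

Note that a packet to any other port (for example TCP/22) matches none of these rules and falls through to the chain policy, so this rule set restricts OpenVPN only.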

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j SNAT --to-source XX.XX.XX.X0
  -- or --
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j MASQUERADE

To forward IPv4 packets between the OpenVPN clients and the Internet, you need to add one of these commands.

In some cases one of the two options is not suitable.
Both commands are suitable for my case.
After reading the documentation, I chose the first option because it uses less CPU.

For all the iptables settings to be picked up after a restart, you need to save them somewhere.

iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

These names were not chosen by chance. They are the ones used by the "iptables-persistent" package.

apt-get install iptables-persistent

Installing the main OpenVPN packages:

apt-get install openvpn easy-rsa

Let's create the certificate template directory (substitute your own values):

make-cadir ~/openvpn-ca
cd ~/openvpn-ca
ln -s openssl-1.0.0.cnf openssl.cnf

Let's change the certificate template settings:

mcedit vars

...
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="RU"
export KEY_PROVINCE="Krasnodar"
export KEY_CITY="Dinskaya"
export KEY_ORG="Own"
export KEY_EMAIL="[email protected]"
export KEY_OU="VPN"

# X509 Subject Field
export KEY_NAME="server"
...

Create the server certificate:

cd ~/openvpn-ca
source vars
./clean-all
./build-ca
./build-key-server server
./build-dh
openvpn --genkey --secret keys/ta.key

Let's prepare everything needed to create the final "client-name.ovpn" files:

mkdir -p ~/client-configs/files
chmod 700 ~/client-configs/files
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
mcedit ~/client-configs/base.conf

# Client mode
client

# Interface tunnel type
dev tun

# TCP protocol
proto tcp-client

# Address/Port of VPN server
remote XX.XX.XX.X0 1194

# Don't bind to local port/address
nobind

# Don't need to re-read keys and re-create tun at restart
persist-key
persist-tun

# Remote peer must have a signed certificate
remote-cert-tls server
ns-cert-type server

# Enable compression
comp-lzo

# Custom
ns-cert-type server
tls-auth ta.key 1
cipher DES-EDE3-CBC

Let's prepare a script that will merge all the files into a single ovpn file.

mcedit ~/client-configs/make_config.sh
chmod 700 ~/client-configs/make_config.sh

#!/bin/bash

# First argument: Client identifier

KEY_DIR=~/openvpn-ca/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

# Concatenate the base config with the CA certificate, the client certificate
# and key, and the tls-auth key, each wrapped in the inline tags OpenVPN expects.
cat ${BASE_CONFIG} \
    <(echo -e '<ca>') \
    ${KEY_DIR}/ca.crt \
    <(echo -e '</ca>\n<cert>') \
    ${KEY_DIR}/${1}.crt \
    <(echo -e '</cert>\n<key>') \
    ${KEY_DIR}/${1}.key \
    <(echo -e '</key>\n<tls-auth>') \
    ${KEY_DIR}/ta.key \
    <(echo -e '</tls-auth>') \
    > ${OUTPUT_DIR}/${1}.ovpn

To create the first OpenVPN client:

cd ~/openvpn-ca
source vars
./build-key client-name
cd ~/client-configs
./make_config.sh client-name

The file "~/client-configs/files/client-name.ovpn" is sent to the client device.

For iOS users you will need to do the following tricks:
The contents of the "tls-auth" tag must be without comments.
Also put "key-direction 1" immediately before the "tls-auth" tag.

Let's set up the OpenVPN server configuration:

cd ~/openvpn-ca/keys
cp ca.crt ca.key server.crt server.key ta.key dh2048.pem /etc/openvpn
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | tee /etc/openvpn/server.conf
mcedit /etc/openvpn/server.conf

# Listen port
port 1194

# Protocol
proto tcp-server

# IP tunnel
dev tun0
tun-ipv6
push tun-ipv6

# Master certificate
ca ca.crt

# Server certificate
cert server.crt

# Server private key
key server.key

# Diffie-Hellman parameters
dh dh2048.pem

# Allow clients to communicate with each other
client-to-client

# Client config dir
client-config-dir /etc/openvpn/ccd

# Run client-specific script on connection and disconnection
script-security 2
client-connect "/usr/bin/sudo -u root /etc/openvpn/server-clientconnect.sh"
client-disconnect "/usr/bin/sudo -u root /etc/openvpn/server-clientdisconnect.sh"

# Server mode and client subnets
server 10.8.0.0 255.255.255.0
server-ipv6 XXXX:XXXX:XXXX:XXXX:1:3::/80
topology subnet

# IPv6 routes
push "route-ipv6 XXXX:XXXX:XXXX:XXXX::/64"
push "route-ipv6 2000::/3"

# DNS (for Windows)
# These are OpenDNS
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

# Configure all clients to redirect their default network gateway through the VPN
push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway ipv6" #For iOS

# Don't need to re-read keys and re-create tun at restart
persist-key
persist-tun

# Ping every 10s. Timeout of 120s.
keepalive 10 120

# Enable compression
comp-lzo

# User and group
user vpn
group vpn

# Log a short status
status openvpn-status.log

# Logging verbosity
##verb 4

# Custom config
tls-auth ta.key 0
cipher DES-EDE3-CBC

This is needed to set up a static address for each client (not required, but I use it):

# Client config dir
client-config-dir /etc/openvpn/ccd

The most difficult and important point.

Unfortunately, OpenVPN does not yet know how to set up an IPv6 gateway for its clients on its own.
You have to "forward" it manually for each client.

# Run client-specific script on connection and disconnection
script-security 2
client-connect "/usr/bin/sudo -u root /etc/openvpn/server-clientconnect.sh"
client-disconnect "/usr/bin/sudo -u root /etc/openvpn/server-clientdisconnect.sh"

The file "/etc/openvpn/server-clientconnect.sh":

#!/bin/sh

# Check client variables
if [ -z "$ifconfig_pool_remote_ip" ] || [ -z "$common_name" ]; then
        echo "Missing environment variable."
        exit 1
fi

# Load server variables
. /etc/openvpn/variables

ipv6=""

# Find out if there is a specific config with fixed IPv6 for this client
if [ -f "/etc/openvpn/ccd/$common_name" ]; then
        # Get fixed IPv6 from client config file
        ipv6=$(sed -nr 's/^.*ifconfig-ipv6-push[ \t]+([0-9a-fA-F:]+).*$/\1/p' "/etc/openvpn/ccd/$common_name")
        echo $ipv6
fi

# Get IPv6 from IPv4
if [ -z "$ipv6" ]; then
        ipp=$(echo "$ifconfig_pool_remote_ip" | cut -d. -f4)
        if ! [ "$ipp" -ge 2 -a "$ipp" -le 254 ] 2>/dev/null; then
                echo "Invalid IPv4 part."
                exit 1
        fi
        hexipp=$(printf '%x' $ipp)
        ipv6="$prefix$hexipp"
fi

# Create proxy rule
/sbin/ip -6 neigh add proxy $ipv6 dev eno1

The file "/etc/openvpn/server-clientdisconnect.sh":

#!/bin/sh

# Check client variables
if [ -z "$ifconfig_pool_remote_ip" ] || [ -z "$common_name" ]; then
        echo "Missing environment variable."
        exit 1
fi

# Load server variables
. /etc/openvpn/variables

ipv6=""

# Find out if there is a specific config with fixed IPv6 for this client
if [ -f "/etc/openvpn/ccd/$common_name" ]; then
        # Get fixed IPv6 from client config file
        ipv6=$(sed -nr 's/^.*ifconfig-ipv6-push[ \t]+([0-9a-fA-F:]+).*$/\1/p' "/etc/openvpn/ccd/$common_name")
fi

# Get IPv6 from IPv4
if [ -z "$ipv6" ]; then
        ipp=$(echo "$ifconfig_pool_remote_ip" | cut -d. -f4)
        if ! [ "$ipp" -ge 2 -a "$ipp" -le 254 ] 2>/dev/null; then
                echo "Invalid IPv4 part."
                exit 1
        fi
        hexipp=$(printf '%x' $ipp)
        ipv6="$prefix$hexipp"
fi

# Delete proxy rule
/sbin/ip -6 neigh del proxy $ipv6 dev eno1

Both scripts use the file "/etc/openvpn/variables":

# Subnet
prefix=XXXX:XXXX:XXXX:XXXX:2:
# netmask
prefixlen=112

It is hard to remember why it is written this way here.

Right now netmask = 112 looks strange (it should be 96 there).
And the prefix is strange: it does not match the tun0 network.
But fine, I will leave it as it is.

cipher DES-EDE3-CBC

This is not for everyone: I chose this method of encrypting the connection.

Read more about setting up OpenVPN over IPv4.

Read more about setting up OpenVPN with IPv6.

============= Setting up mail =============

Installing the main package:

apt-get install postfix

During installation, select "Internet site".

My "/etc/postfix/main.cf" looks like this:

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtp_bind_address = XX.XX.XX.X0
smtp_bind_address6 = XXXX:XXXX:XXXX:XXXX:1:1:1:1

smtp_tls_security_level = may
smtp_tls_ciphers = export
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_loglevel = 1

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = domain1.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = domain1.com
mydestination = localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4

internal_mail_filter_classes = bounce

# Storage type
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf

# SMTP-Auth settings
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        #reject_invalid_hostname,
        #reject_unknown_recipient_domain,
        reject_unauth_destination,
        reject_rbl_client sbl.spamhaus.org,
        check_policy_service unix:private/policyd-spf

smtpd_helo_restrictions =
        #reject_invalid_helo_hostname,
        #reject_non_fqdn_helo_hostname,
        reject_unknown_helo_hostname

smtpd_client_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_helo_hostname,
        permit

# SPF
policyd-spf_time_limit = 3600

# OpenDKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:var/run/opendkim/opendkim.sock

# IP address per domain
sender_dependent_default_transport_maps = pcre:/etc/postfix/sdd_transport.pcre

Let's look at the details of the config.

smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key

According to Habr readers, this part contains "contradictory information and wrong points." Only 8 years after the start of my career did I begin to understand how SSL works.

So I will take the liberty of explaining how to use SSL (without answering the questions "How does it work?" and "Why does it work?").

The basis of modern encryption is the creation of a key pair (two very long strings of characters).

One "key" is private, the other is "public". We keep the private key very carefully secret. We hand the public key out to everyone.

Using the public key, you can encrypt a text string so that only the owner of the private key can decrypt it.
Well, that is the whole basis of the technology.

Step #1 - https sites.
When visiting a site, the browser learns from the web server that this site is https and therefore requests the public key.
The web server gives out the public key. The browser uses the public key to encrypt the http request and sends it.
The contents of the http request can only be read by those who have the private key, that is, only by the server the request is made to.
An http request contains at least a URI. Therefore, if a country tries to restrict access not to the whole site but to a specific page, this is not possible for https sites.

Step #2 - the encrypted response.
The web server gives a response that can easily be read along the way.
The solution is very simple: the browser locally generates the same kind of public key pair for each https site.
And together with the request for the site's public key, it sends its own local public key.
The web server remembers it, and when sending the http response, encrypts it with the public key of that particular client.
Now the http response can only be decrypted by the owner of the browser's private key (that is, by the client itself).

Step #3 - establishing a secure connection over a public channel.
There is a vulnerability in example No. 2: nothing prevents ill-wishers from intercepting the http request and inspecting the information about the public key.
Thus the intermediary will see in the clear the entire contents of all sent and received messages until the communication channel changes.
Dealing with this is very simple: just send the browser's public key as a message encrypted with the web server's public key.
The web server first sends a response like "your public key is such and such" and encrypts this message with that same public key.
The browser looks at the response: if the message "your public key is such and such" is received, then this is a 100% guarantee that this communication channel is secure.
How secure is it?
The creation of such a secure communication channel takes ping * 2. For example, 20ms.
The attacker must have the private key of one of the parties in advance. Or find the private key within a few seconds.
Cracking a single modern key will take decades on a supercomputer.

Step #4 - a public database of public keys.
Obviously, in this whole story there is a possibility for an attacker to sit on the communication channel between the client and the server.
The client can pretend to be the server, and the server can pretend to be the client. And emulate a key pair on both sides.
Then the attacker will see all the traffic and will be able to "edit" the traffic.
For example, change the address where money should be sent, or copy the password from online banking, or block "objectionable" content.
To combat such attackers, they came up with a public database holding the public keys of every https site.
Every browser "knows" about the existence of around 200 such databases. This comes pre-installed in every browser.
The "knowledge" is backed by the public key from each certificate. That is, a connection to each specific certification authority cannot be faked.

Now there is a simple understanding of how to use SSL for https.
If you use your head, it will become clear how the special services could break something in this structure. But it will cost them titanic effort.
And for organizations smaller than the NSA or CIA, it will be impossible to break the existing level of protection, even for VIPs.

I will add a word about ssh connections. There are no public keys there, so what can you do? This problem is solved in two ways.
The ssh-by-password option:
During the first connection, the ssh client should warn that we have a new public key from the ssh server.
And during subsequent connections, if the warning "new public key from the ssh server" appears, it means that someone is trying to eavesdrop on you.
Or you were eavesdropped on during your first connection, but now you are communicating with the server without intermediaries.
Actually, because the fact of wiretapping is detected easily, quickly and effortlessly, this attack is used only in special cases against a specific client.

The ssh-by-key option:
We take a flash drive, write the private key for the ssh server to it (there are terms and many important nuances here, but I am writing an educational overview, not a user manual).
We leave the public key on the machine where the ssh client will be and also keep it secret.
We bring the flash drive to the server, plug it in, copy the private key, then burn the flash drive and scatter the ashes to the wind (or at least format it with zeros).
That is all: after such an operation it will be impossible to break such an ssh connection. Of course, in 10 years it will be possible to see the traffic on a supercomputer, but that is a different story.

Sorry for the digression.

So, now that the theory is known, I'll describe the flow of creating an SSL certificate.

Using "openssl genrsa" we create a private key and the "blank" for the public key (the certificate signing request).
We send the "blank" to a third-party company, to which we pay about $9 for the simplest certificate.

A few hours later we receive our "public" key and a set of several public keys from this third-party company.

Why a third-party company should be paid for registering my public key is a separate question; we won't go into it here.

Now it is clear what this line means:

smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key

The "/etc/ssl" folder holds all the ssl-related files.
domain1.com - the domain name.
2018 - the year the key was created.
"key" - indicates that the file is the private key.

And the meaning of this file:

smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
domain1.com - the domain name.
2018 - the year the key was created.
chained - indicates that the file holds a chain of public keys (the first is our own public key, and all the rest come from the company that issued it).
crt - indicates that this is a ready certificate (a public key with technical annotations).
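The key, request, issued certificate and chained file described above, reproduced as an added example that is not from the article. A throw-away local CA (root plus intermediate) stands in for the paid vendor so that everything runs offline; the name domain1.com, the 2018 suffix and the working directory are assumptions that follow the article's naming convention.

```shell
#!/bin/sh
# Added example, not from the article: key -> CSR -> signed certificate ->
# "chained.crt", with a constructed local CA in place of the paid vendor.
set -eu

WORK=${WORK:-$(mktemp -d)}      # assumed working directory
DOMAIN=domain1.com              # assumed domain, as in the article
KEY="$WORK/$DOMAIN.2018.key"
LEAF="$WORK/$DOMAIN.2018.crt"
CHAIN="$WORK/$DOMAIN.2018.chained.crt"

# Step 1: private key plus the "blank" (CSR) that goes to the vendor.
make_key_and_csr() {
  openssl genrsa -out "$KEY" 2048 2>/dev/null
  openssl req -new -key "$KEY" -subj "/CN=$DOMAIN" -out "$WORK/$DOMAIN.csr" 2>/dev/null
}

# Step 2: stand-in CA (constructed): self-signed root and an intermediate
# signed by it. A real vendor does this part; you never see these keys.
make_stub_ca() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/int.crt" 2>/dev/null
}

# Step 3: the vendor signs our CSR with its intermediate and returns the leaf.
sign_leaf() {
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$DOMAIN" > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/$DOMAIN.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" -out "$LEAF" 2>/dev/null
}

# Step 4: chained.crt = our certificate first, then the vendor's intermediate.
# The root is not included: clients already carry it in their trust store.
build_chain() {
  cat "$LEAF" "$WORK/int.crt" > "$CHAIN"
}

# CN of the first certificate in the chain file (must be our own domain).
chain_first_cn() {
  openssl x509 -in "$CHAIN" -noout -subject | sed 's/.*CN *= *//'
}

# "match" when the private key in *.key belongs to the certificate in *.crt.
key_matches_cert() {
  k=$(openssl pkey -in "$KEY" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$LEAF" -pubkey -noout | openssl sha256)
  if [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# What a client sees: "OK" when the server hands out the whole chain,
# "BROKEN" when it sends only the leaf (the classic mail-client failure).
verify_with_chain() {
  if openssl verify -CAfile "$WORK/root.crt" -untrusted "$CHAIN" "$LEAF" >/dev/null 2>&1
  then echo OK; else echo BROKEN; fi
}
verify_leaf_only() {
  if openssl verify -CAfile "$WORK/root.crt" "$LEAF" >/dev/null 2>&1
  then echo OK; else echo BROKEN; fi
}

make_key_and_csr; make_stub_ca; sign_leaf; build_chain
echo "first certificate in chain: $(chain_first_cn)"
echo "key/certificate: $(key_matches_cert)"
echo "verify with chain: $(verify_with_chain), leaf only: $(verify_leaf_only)"
```

The last two checks are the ones worth keeping: a mail client that fails with "unable to get local issuer certificate" while a browser is happy is almost always a server that sends only the leaf, which is exactly what the chained file prevents.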

smtp_bind_address = XX.XX.XX.X0
smtp_bind_address6 = XXXX:XXXX:XXXX:XXXX:1:1:1:1

This setting is not used in this case, but it is written here as an example.

Because a mistake in this parameter will result in spam going out from your server (against your will).

And then go prove to everyone that it wasn't your fault.

recipient_delimiter = +

Many people may not know this, but it is a standard feature of standard e-mail, and it is supported by many modern servers.

For example, if you have the mailbox "[email protected]", try sending to "[email protected]" - and see what happens to it.

inet_protocols = ipv4

This may look confusing.

But it isn't quite so. Each new domain is IPv4-only at first, and then I enable IPv6 for each one separately.

virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf

Here we state that all incoming mail goes to dovecot.
And the rules for domains, mailboxes and aliases - look them up in the database.

/etc/postfix/mysql-virtual-mailbox-domains.cf

user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT 1 FROM virtual_domains WHERE name='%s'

/etc/postfix/mysql-virtual-mailbox-maps.cf

user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT 1 FROM virtual_users WHERE email='%s'

/etc/postfix/mysql-virtual-alias-maps.cf

user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT destination FROM virtual_aliases WHERE source='%s'

# SMTP-Auth settings
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

Now postfix knows that mail may be accepted for relaying after authentication through dovecot.

Actually, I don't understand why this is duplicated here. We have already described everything needed in "virtual_transport".

But the postfix system is very old - probably a leftover from ancient times.

smtpd_recipient_restrictions =
        ...

smtpd_helo_restrictions =
        ...

smtpd_client_restrictions =
        ...

This is configured differently for each mail server.

I have 3 mail servers, and these settings differ a lot because of different usage requirements.

You have to configure this carefully - otherwise spam will pour in on you, or even worse, spam will go out from you.

# SPF
policyd-spf_time_limit = 3600

Setting up the plugin that performs SPF checks on incoming mail.

# OpenDKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:var/run/opendkim/opendkim.sock

The point is that we must put a DKIM signature on all outgoing mail.

# IP address per domain
sender_dependent_default_transport_maps = pcre:/etc/postfix/sdd_transport.pcre

This is an important point about routing mail when it is sent from PHP scripts.

File "/etc/postfix/sdd_transport.pcre":

/^[email protected]$/ domain1:
/^[email protected]$/ domain2:
/^[email protected]$/ domain3:
/@domain1.com$/             domain1:
/@domain2.com$/             domain2:
/@domain3.com$/             domain3:

On the left are regular expressions. On the right is a label that marks the message.
Postfix, going by the label, applies a few more configuration lines to that particular message.

Exactly how postfix is configured for a given message is shown in "master.cf".

Lines 4, 5 and 6 are the main ones. Whichever domain we send the message on behalf of, we assign that label.
But the "from" field is not always set in PHP scripts with old code. Then the user name helps.

The article is already big - I don't want to get side-tracked into setting up nginx+fpm.

In short, for each site we create its own linux owner. And, accordingly, its own fpm pool.

An fpm pool uses whatever php version you like (it is great that on a single server you can use different php versions, and even different php.ini files, for neighbouring sites without problems).

So, a particular linux user "www-domain2" owns the site domain2.com. This site has code that sends mail without explicitly stating which domain it is from.

So even in this case the mail is sent correctly and does not end up as spam.
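How Postfix consults a pcre: table like the one above, as an added example that is not from the article: lines are tried top to bottom and the first match wins, which is why the per-user lines must come before the per-domain lines. The user patterns (^www-domain1@ and so on) and the sample sender addresses are assumptions, since the article's own are redacted; the lookup is emulated with grep -E, which handles these simple patterns the same way PCRE does.

```shell
#!/bin/sh
# Added example, not from the article: first-match-wins lookup over a copy
# of sdd_transport.pcre. Patterns for the local users are assumed.
set -eu

# Constructed copy of /etc/postfix/sdd_transport.pcre (user lines assumed).
SDD_TABLE='
/^www-domain1@/   domain1:
/^www-domain2@/   domain2:
/^www-domain3@/   domain3:
/@domain1.com$/   domain1:
/@domain2.com$/   domain2:
/@domain3.com$/   domain3:
'

# Print the transport label for a sender address, or "default" when no line
# matches (Postfix would then fall back to default_transport).
transport_for() {
  addr=$1
  match=$(printf '%s\n' "$SDD_TABLE" | while read -r pat label; do
    [ -n "$pat" ] || continue          # skip blank lines
    re=${pat#/}; re=${re%/}            # strip the /.../ delimiters
    if printf '%s\n' "$addr" | grep -Eq -- "$re"; then
      echo "$label"; break             # first matching line wins
    fi
  done)
  echo "${match:-default}"
}

# Constructed senders: a PHP script running as www-domain2 with no From:
# header (envelope sender is the unix user), a proper address, and a stranger.
for s in www-domain2@mail.example www-domain2@domain1.com someone@domain3.com nobody@elsewhere.net; do
  echo "$s -> $(transport_for "$s")"
done
```

The second sample sender shows the ordering rule in action: www-domain2@domain1.com matches the user line for domain2 before the domain line for domain1, so the message leaves from domain2's address. Whether that is what you want depends on which of the two signals you trust more; put the lines in the order that reflects that.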

My "/etc/postfix/master.cf" looks like this:

...
smtp      inet  n       -       y       -       -       smtpd
  -o content_filter=spamassassin
...
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
...
policyd-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/bin/policyd-spf

spamassassin unix -     n       n       -       -       pipe
    user=spamd argv=/usr/bin/spamc -f -e
    /usr/sbin/sendmail -oi -f ${sender} ${recipient}
...
domain1  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X1
   -o smtp_helo_name=domain1.com
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:1:1
   -o syslog_name=postfix-domain1

domain2  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X5
   -o smtp_helo_name=domain2.com
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:2:1:1
   -o syslog_name=postfix-domain2

domain3  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X2
   -o smtp_helo_name=domain3
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:5:1
   -o syslog_name=postfix-domain3

The file is not shown in full - it is already very big.
I only noted what was changed.

smtp      inet  n       -       y       -       -       smtpd
  -o content_filter=spamassassin
...
spamassassin unix -     n       n       -       -       pipe
    user=spamd argv=/usr/bin/spamc -f -e
    /usr/sbin/sendmail -oi -f ${sender} ${recipient}

These are the settings related to spamassassin; more on that later.

submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

We allow connecting to the mail server on port 587.
To do so, you have to log in.

policyd-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/bin/policyd-spf

Enable SPF checking.

apt-get install postfix-policyd-spf-python

Install the package for the SPF checks above.

domain1  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X1
   -o smtp_helo_name=domain1.com
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:1:1
   -o syslog_name=postfix-domain1

And this is the most interesting part. This is the ability to send mail for a given domain from a specific IPv4/IPv6 address.

This is done for the sake of rDNS. rDNS is the mechanism for obtaining a hostname from an IP address.
And for mail, this feature is used to check that the helo matches exactly the rDNS of the address the message was sent from.

If the helo does not match the mail domain on whose behalf the message was sent, spam points are awarded.

If the helo does not match the rDNS, a lot of spam points are awarded.
Accordingly, each domain name must have its own IP address.
For OVH - the rDNS can be set in the console.
For tech.ru - the matter is settled through support.
For AWS - the matter is settled through support.
"inet_protocols" and "smtp_bind_address6" - enable IPv6 support.
For IPv6 you also have to register rDNS.
"syslog_name" - and this is for convenient reading of the logs.

I recommend buying certificates here.

Setting up the postfix+dovecot link - here.

Setting up SPF.

============= Dovecot ==============

apt-get install dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-mysql dovecot-antispam

Setting up mysql and installing the packages themselves.

File "/etc/dovecot/conf.d/10-auth.conf"

disable_plaintext_auth = yes
auth_mechanisms = plain login

Authentication over encrypted connections only.

File "/etc/dovecot/conf.d/10-mail.conf"

mail_location = maildir:/var/mail/vhosts/%d/%n

Here we set the storage location for mail.

I want it stored in files and sorted by domain.

File "/etc/dovecot/conf.d/10-master.conf"

service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    address = XX.XX.XX.X1, XX.XX.XX.X2, XX.XX.XX.X5, [XXXX:XXXX:XXXX:XXXX:1:1:1:1], [XXXX:XXXX:XXXX:XXXX:1:2:1:1], [XXXX:XXXX:XXXX:XXXX:1:1:5:1]
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    address = XX.XX.XX.X1, XX.XX.XX.X2, XX.XX.XX.X5, [XXXX:XXXX:XXXX:XXXX:1:1:1:1], [XXXX:XXXX:XXXX:XXXX:1:2:1:1], [XXXX:XXXX:XXXX:XXXX:1:1:5:1]
    port = 995
    ssl = yes
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
service imap {
}
service pop3 {
}
service auth {
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }

  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
  user = dovecot
}
service auth-worker {
  user = vmail
}
service dict {
  unix_listener dict {
  }
}

This is the main dovecot configuration file.
Here we disable unencrypted connections.
And allow encrypted ones.

File "/etc/dovecot/conf.d/10-ssl.conf"

ssl = required
ssl_cert = </etc/nginx/ssl/domain1.com.2018.chained.crt
ssl_key = </etc/nginx/ssl/domain1.com.2018.key
local XX.XX.XX.X5 {
  ssl_cert = </etc/nginx/ssl/domain2.com.2018.chained.crt
  ssl_key =  </etc/nginx/ssl/domain2.com.2018.key
}

Setting up ssl. We state that ssl is required.
And the certificate itself. And the important detail is the "local" directive. It states which SSL certificate to use when a client connects to that local IPv4 address.

By the way, IPv6 is not configured here; I will fix this omission later.
XX.XX.XX.X5 (domain2) - no certificate. To connect clients you have to specify domain1.com.
XX.XX.XX.X2 (domain3) - there is a certificate; you can specify either domain1.com or domain3.com to connect clients.

File "/etc/dovecot/conf.d/15-lda.conf"

protocol lda {
  mail_plugins = $mail_plugins sieve
}

This will be needed for spamassassin later.

File "/etc/dovecot/conf.d/20-imap.conf"

protocol imap {
  mail_plugins = $mail_plugins antispam
}

This is the antispam plugin. It is needed to train spamassassin when messages are moved to/from the "spam" folder.

File "/etc/dovecot/conf.d/20-pop3.conf"

protocol pop3 {
}

The file is just that.

File "/etc/dovecot/conf.d/20-lmtp.conf"

protocol lmtp {
  mail_plugins = $mail_plugins sieve
  postmaster_address = [email protected]
}

Setting up lmtp.

File "/etc/dovecot/conf.d/90-antispam.conf"

plugin {
  antispam_backend = pipe
  antispam_trash = Trash;trash
  antispam_spam = Junk;Spam;SPAM
  antispam_pipe_program_spam_arg = --spam
  antispam_pipe_program_notspam_arg = --ham
  antispam_pipe_program = /usr/bin/sa-learn
  antispam_pipe_program_args = --username=%Lu
}

Settings for training Spamassassin when messages are moved to/from the Spam folder.

File "/etc/dovecot/conf.d/90-sieve.conf"

plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_after = /var/lib/dovecot/sieve/default.sieve
}

The file that describes what to do with incoming mail.

File "/var/lib/dovecot/sieve/default.sieve"

require ["fileinto", "mailbox"];

if header :contains "X-Spam-Flag" "YES" {
        fileinto :create "Spam";
}

The file must be compiled: "sievec default.sieve".

File "/etc/dovecot/conf.d/auth-sql.conf.ext"

passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
}

Describes the sql files for authentication.
And the file itself is used as the authentication method.

File "/etc/dovecot/dovecot-sql.conf.ext"

driver = mysql
connect = host=127.0.0.1 dbname=servermail user=usermail password=password
default_pass_scheme = SHA512-CRYPT
password_query = SELECT email as user, password FROM virtual_users WHERE email='%u';

This matches the corresponding postfix settings.

File "/etc/dovecot/dovecot.conf"

protocols = imap lmtp pop3
listen = *, ::
dict {
}
!include conf.d/*.conf
!include_try local.conf

The main configuration file.
The important thing we set here is the list of enabled protocols.

============= SpamAssassin ==============

apt-get install spamassassin spamc

Install the packages.

adduser spamd --disabled-login

Add the user on whose behalf it will run.

systemctl enable spamassassin.service

Enable automatic start of the spamassassin service at boot.

File "/etc/default/spamassassin":

CRON=1

This enables automatic rule updates "by default".

File "/etc/spamassassin/local.cf":

report_safe 0

use_bayes          1
bayes_auto_learn   1
bayes_auto_expire  1
bayes_store_module Mail::SpamAssassin::BayesStore::MySQL
bayes_sql_dsn      DBI:mysql:sa:localhost:3306
bayes_sql_username sa
bayes_sql_password password

You need to create the database "sa" in mysql and the user "sa" with the password "password" (replace it with something adequate).

report_safe - when enabled, this sends a report about the spam message instead of the message itself.
use_bayes - these are spamassassin's machine-learning settings.

The remaining spamassassin settings were covered earlier in the article.

General "spamassassin" settings.
About moving new messages to the IMAP "Spam" folder.
About a simple Dovecot + SpamAssassin combination.
I recommend reading the theory of spamassassin training when messages are moved between imap folders (and I do not recommend using it).

============= Appeal to the community ==============

I would also like to throw an idea to the community about how to raise the level of security of forwarded mail, since I have dug so deeply into the mail topic.

Let the user generate keys on their client (outlook, thunderbird, browser plugin, ...). A public and a private one. The public key goes into DNS. The private key stays on the client. Servers would then be able to use the public key to send to a specific person.

And to protect against spam in such messages (yes, the mail server would not be able to see the content) - three rules would have to be introduced:

  1. A mandatory real DKIM signature, mandatory SPF, mandatory rDNS.
  2. A neural network for antispam training, plus a database for it, on the client side.
  3. The encryption algorithm must be such that the sending side has to spend 100 times more CPU on encryption than the receiving side.

In addition to public messages, introduce a standard proposal message "to start secure correspondence". One of the users (mailbox) sends a message with a link to another mailbox. The message contains a textual proposal to start a secure communication channel for the correspondence and the public key of the mailbox owner (with the private key on the client side).

You could even generate a separate key pair for each correspondence. The user can accept the proposal and send their own public key (also made specifically for this correspondence). Then the first user sends a service control message (encrypted with the second user's public key) - on receiving it, the second user can consider the established channel trustworthy. Then the second user sends a control message - and the first user can also consider the created channel secure.

To counter interception of keys in transit, the protocol must provide for transferring at least one public key on a flash drive.

And the most important thing is for all of this to work (the question being "who will pay for it?"):
Introduce mail certificates starting from $10 for 3 years. This lets the sender state in dns that "my public keys are there". And it gives you the ability to start a secure connection. At the same time, accepting such connections is free.
gmail ends up making money on its users. For $10 per 3 years - the right to establish secure mail channels.

============= Conclusion =============

To test the whole article, I was going to rent a dedicated server for a month and buy a domain with an SSL certificate.

But life circumstances intervened, so the matter dragged on for two months.
So, once I had free time again, I decided to publish the article as it is, rather than risk the publication dragging on for another year.

If there are many questions of the "but this is not described in enough detail" kind, then there will be the energy to take a dedicated server with a new domain and a new SSL certificate and describe it in even more detail and, most importantly, identify all the important details that are missing.

I would also like to get feedback on the mail certificate ideas. If you like the idea, I'll try to find the energy to write a draft rfc.

When copying large parts of the article, provide a link to this article.
When translating into any language, provide a link to this article.
I will try to translate it into English myself and leave cross-references.


Source: www.habr.com
