Debian + Postfix + Dovecot + Multidomain + SSL + IPv6 + OpenVPN + Multi-interfaces + SpamAssassin-training + Bind

This article is about how to set up a modern mail server.
Postfix + Dovecot. SPF + DKIM + rDNS. With IPv6.
With TLS encryption. With support for several domains, some of them with a real SSL certificate.
With anti-spam protection and a high anti-spam rating with other mail servers.
Supporting several physical interfaces.
With OpenVPN, whose connection goes over IPv4 and which provides IPv6.

If you do not want to learn all these technologies but want to set up such a server, then this article is for you.

The article does not try to explain every detail. The explanation covers what is not configured by default or what is important from the user's point of view.

Setting up a mail server has been a long-standing dream of mine. This may sound silly, but IMHO it is much better than dreaming of a new car of your favourite brand.

There are two motivations for setting up IPv6. An IT specialist has to keep learning new technologies to survive. And I would like to make my small contribution to the fight against censorship.

The motivation for setting up OpenVPN is simply to get IPv6 on the home machine.
The motivation for setting up several physical interfaces is that my server has one interface that is "slow but unlimited" and another that is "fast but metered".

The motivation for setting up Bind is that my ISP provides an unstable DNS server, and Google's also fails sometimes. I want a stable DNS server for personal use.

The motivation for writing the article is that I wrote a draft 10 months ago and have already looked it up twice. Even if only the author needs it regularly, chances are others will need it too.

There is no universal mail server solution. But I will try to write something along the lines of "do this and, when everything works as it should, throw out the extra stuff."

The company tech.ru offers Colocation. It can be compared with OVH, Hetzner, AWS. For solving this particular problem, working with tech.ru turned out much more effective.

Debian 9 is installed on the server.

The server has 2 interfaces, `eno1` and `eno2`. The first is unlimited and the second is fast, respectively.

There are 3 static IP addresses: XX.XX.XX.X0, XX.XX.XX.X1 and XX.XX.XX.X2 on interface `eno1`, and XX.XX.XX.X5 on interface `eno2`.

There is an XXXX:XXXX:XXXX:XXXX::/64 pool of IPv6 addresses assigned to interface `eno1`, and out of it XXXX:XXXX:XXXX:XXXX:1:2::/96 was assigned to `eno2` at my request.

There are 3 domains: `domain1.com`, `domain2.com`, `domain3.com`. There is an SSL certificate for `domain1.com` and for `domain3.com`.

I have a Google account to which I want to connect the mailbox `[email protected]` (receiving mail and sending mail directly from the gmail interface).
There must be a mailbox `[email protected]` whose mail I want to see as a copy in my gmail. And, rarely, be able to send something on behalf of `[email protected]` through the web interface.

There must be a mailbox `[email protected]` that Ivanov will use on his iPhone.

Outgoing mail must satisfy all modern anti-spam requirements.
There must be the highest level of encryption that public networks allow.
There must be IPv6 support for sending and receiving mail.
There must be a SpamAssassin that never deletes mail. It either lets a message through or moves it to the IMAP "Spam" folder.
SpamAssassin auto-learning must be configured: if I move a message into the Spam folder, it learns from that; if I move a message out of the Spam folder, it learns from that too. The results of SpamAssassin training must influence whether a message ends up in the Spam folder.
PHP scripts must be able to send mail on behalf of any domain hosted on this server.
There must be an openvpn service that makes IPv6 usable on a client that has no IPv6 of its own.

First the interfaces and routing must be configured, including IPv6.
Then OpenVPN will be configured; it connects over IPv4 and gives the client a static real IPv6 address. That client will have access to all IPv6 services on the server and to any IPv6 resource on the Internet.
Then Postfix will be configured for sending mail + SPF + DKIM + rDNS and other similar small things.
Then Dovecot will be configured, and multidomain will be configured.
Then SpamAssassin will be configured, including its training.
Finally, Bind is installed.

============== Multiple interfaces ===============

To configure the interfaces, write the following in "/etc/network/interfaces".

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eno1
iface eno1 inet static
        address XX.XX.XX.X0/24
        gateway XX.XX.XX.1
        dns-nameservers 127.0.0.1 213.248.1.6
        post-up ip route add XX.XX.XX.0/24 dev eno1 src XX.XX.XX.X0 table eno1t
        post-up ip route add default via XX.XX.XX.1 table eno1t
        post-up ip rule add table eno1t from XX.XX.XX.X0
        post-up ip rule add table eno1t to XX.XX.XX.X0

auto eno1:1
iface eno1:1 inet static
address XX.XX.XX.X1
netmask 255.255.255.0
        post-up ip rule add table eno1t from XX.XX.XX.X1
        post-up ip rule add table eno1t to XX.XX.XX.X1
        post-up   ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t
        post-down ip route del 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t

auto eno1:2
iface eno1:2 inet static
address XX.XX.XX.X2
netmask 255.255.255.0
        post-up ip rule add table eno1t from XX.XX.XX.X2
        post-up ip rule add table eno1t to XX.XX.XX.X2

iface eno1 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:1::/64
        gateway XXXX:XXXX:XXXX:XXXX::1
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:2/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:1:1:2/64 dev $IFACE

# The secondary network interface
allow-hotplug eno2
iface eno2 inet static
        address XX.XX.XX.X5
        netmask 255.255.255.0
        post-up   ip route add XX.XX.XX.0/24 dev eno2 src XX.XX.XX.X5 table eno2t
        post-up   ip route add default via XX.XX.XX.1 table eno2t
        post-up   ip rule add table eno2t from XX.XX.XX.X5
        post-up   ip rule add table eno2t to XX.XX.XX.X5
        post-up   ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X5 table eno2t
        post-down ip route del 10.8.0.0/24 dev tun0 src XX.XX.XX.X5 table eno2t

iface eno2 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:2::/96
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:2:1:1/64 dev $IFACE
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:2:1:2/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:2:1:1/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:2:1:2/64 dev $IFACE

# OpenVPN network
iface tun0 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:3::/80

These settings can be applied on any tech.ru server (with a small adjustment agreed with support) and it will work as it should right away.

If you have experience setting up similar things at Hetzner or OVH, it is different there. More complicated.

eno1 is the name of network card #1 (slow but unlimited).
eno2 is the name of network card #2 (fast but metered).
tun0 is the name of the virtual network card created by OpenVPN.
XX.XX.XX.X0 - IPv4 #1 on eno1.
XX.XX.XX.X1 - IPv4 #2 on eno1.
XX.XX.XX.X2 - IPv4 #3 on eno1.
XX.XX.XX.X5 - IPv4 #1 on eno2.
XX.XX.XX.1 - IPv4 gateway.
XXXX:XXXX:XXXX:XXXX::/64 - IPv6 for the whole server.
XXXX:XXXX:XXXX:XXXX:1:2::/96 - IPv6 for eno2; everything else arriving from outside goes to eno1.
XXXX:XXXX:XXXX:XXXX::1 - IPv6 gateway (it is worth noting that this can/should be done differently: specify the IPv6 address of the switch the server is connected to).
dns-nameservers - 127.0.0.1 is specified (because bind is installed locally) and 213.248.1.6 (this one is from tech.ru).

"table eno1t" and "table eno2t" - the meaning of these policy rules is that traffic that arrived via eno1 leaves via eno1, and traffic that arrived via eno2 leaves via eno2. Connections initiated by the server itself match none of the rules and fall through to the main table, whose default route is on eno1.

ip route add default via XX.XX.XX.1 table eno1t

With this command we state that traffic whose lookup lands in table eno1t (because a rule marked "table eno1t" matched it) and that has no more specific route in that table is sent to the gateway via eno1.

ip route add XX.XX.XX.0/24 dev eno1 src XX.XX.XX.X0 table eno1t

With this command we add the directly connected subnet to table eno1t. The table is consulted instead of the main table, so without this line it has no on-link route for XX.XX.XX.0/24, and the gateway XX.XX.XX.1 itself (like every other neighbour in the subnet) is unreachable for the traffic that is looked up there.

ip rule add table eno1t from XX.XX.XX.X0
ip rule add table eno1t to XX.XX.XX.X0

With these two commands we add the policy rules that mark the traffic: packets whose source address is XX.XX.XX.X0, and packets whose destination is XX.XX.XX.X0, are looked up in table eno1t instead of the main table. This is what makes replies leave through the interface the request arrived on.

auto eno1:2
iface eno1:2 inet static
address XX.XX.XX.X2
netmask 255.255.255.0
        post-up ip rule add table eno1t from XX.XX.XX.X2
        post-up ip rule add table eno1t to XX.XX.XX.X2

This block declares one more IPv4 address (the third one, XX.XX.XX.X2) on interface eno1, as alias eno1:2, with its own pair of rules.

ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t

With this command we add the route from the OpenVPN clients to the local IPv4 addresses other than XX.XX.XX.X0.
I still do not understand why this one command is enough for all the IPv4 addresses.
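The four `post-up` lines per address are the whole mechanism, and they have to be repeated for every alias; they are also not idempotent (`ip rule add` adds a duplicate on every `ifup`, and the configuration above has no matching `post-down` for the rules). The following shell script is an added example, not part of the original article: it generates the up/down command pairs for one address from the table name and parses `ip rule show` / `ip route show table` output to confirm that both rules and the table's default route are in place. Table names follow the /etc/iproute2/rt_tables entries used on this page; the 203.0.113.0/24 addresses are documentation placeholders standing in for XX.XX.XX.*.

```bash
#!/bin/sh
# Added example, not part of the original article: generate the per-address
# policy-routing commands from one place and verify the result from ip(8)
# output. Table names follow /etc/iproute2/rt_tables (eno1t, eno2t);
# 203.0.113.0/24 stands in for the XX.XX.XX.* placeholders.

# policy_up TABLE IFACE ADDR SUBNET GATEWAY: commands for post-up.
# "route replace" is safe to repeat; "rule add" is not, hence policy_down.
policy_up() {
    table=$1 iface=$2 addr=$3 subnet=$4 gw=$5
    printf 'ip route replace %s dev %s src %s table %s\n' "$subnet" "$iface" "$addr" "$table"
    printf 'ip route replace default via %s table %s\n' "$gw" "$table"
    printf 'ip rule add from %s table %s\n' "$addr" "$table"
    printf 'ip rule add to %s table %s\n' "$addr" "$table"
}

# policy_down TABLE ADDR: commands for post-down (exactly what policy_up added)
policy_down() {
    table=$1 addr=$2
    printf 'ip rule del from %s table %s\n' "$addr" "$table"
    printf 'ip rule del to %s table %s\n' "$addr" "$table"
}

# rules_ok RULES_TEXT ADDR TABLE: 0 if a "from ADDR" and a "to ADDR" rule both
# select TABLE. RULES_TEXT is the output of `ip rule show`.
rules_ok() {
    rules=$1 addr=$2 table=$3
    printf '%s\n' "$rules" | grep -q "from $addr lookup $table" || return 1
    printf '%s\n' "$rules" | grep -q "to $addr lookup $table" || return 1
}

# table_ok ROUTES_TEXT GATEWAY: 0 if the table (output of `ip route show table T`)
# has a default route via GATEWAY, i.e. lookups in it can actually leave.
table_ok() {
    printf '%s\n' "$1" | grep -q "^default via $2 "
}

# policy_ok ADDR TABLE GATEWAY: live check on the server (needs iproute2)
policy_ok() {
    rules_ok "$(ip rule show)" "$1" "$2" && table_ok "$(ip route show table "$2")" "$3"
}
```

On the server, `policy_ok XX.XX.XX.X1 eno1t XX.XX.XX.1` after boot tells you whether the alias's rules survived; `policy_up`/`policy_down` output can be pasted into the `post-up`/`post-down` lines of each alias stanza.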

iface eno1 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:1::/64
        gateway XXXX:XXXX:XXXX:XXXX::1

Here the address of the interface itself is set. The server will use it as its "outgoing" address. It is not used for anything else.

Why such a complicated ":1:1::"? Purely so that OpenVPN works correctly, and for nothing else. More about this later.

About the gateway: this is how it works, and that is fine. But the correct way is to specify here the IPv6 address of the switch the server is connected to.

However, for some reason IPv6 stops working if I do that. This is probably some tech.ru problem.

ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE

This adds an IPv6 address to the interface. If you want a hundred addresses, that means a hundred such lines in this file.

iface eno1 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:1::/64
...
iface eno2 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:2::/96
...
iface tun0 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:3::/80

I noted the addresses and subnets of all interfaces so that they are clear.
eno1 - must be "/64" because that is our whole address pool.
tun0 - the subnet must be more specific (a longer prefix) than eno1's and lie inside it. Otherwise it is impossible to set up the IPv6 gateway for the OpenVPN clients.
eno2 - the subnet must be more specific than tun0's. Otherwise the OpenVPN clients will not be able to reach the local IPv6 addresses.
For clarity I chose a prefix step of 16 bits, but if you wish you can use a step of "1".
Accordingly, 64+16 = 80, and 80+16 = 96.

To be more precise:
XXXX:XXXX:XXXX:XXXX:1:1:YYYY:YYYY are addresses to be assigned to specific sites or services on interface eno1.
XXXX:XXXX:XXXX:XXXX:1:2:YYYY:YYYY are addresses to be assigned to specific sites or services on interface eno2.
XXXX:XXXX:XXXX:XXXX:1:3:YYYY:YYYY are addresses to be handed out to OpenVPN clients or used as service addresses of OpenVPN itself.

To apply the network settings, the server should be rebooted.
IPv4 changes are picked up when this is run (be sure to wrap it in screen, otherwise this command will break networking on the server):

/etc/init.d/networking restart

Add to the end of the file "/etc/iproute2/rt_tables":

100 eno1t
101 eno2t

Without this, custom tables cannot be referred to by name in "/etc/network/interfaces".
The numbers must be unique and must not reuse the reserved tables (253 default, 254 main, 255 local).

IPv6 changes can easily be applied without a reboot, but to do that you need to learn at least three commands:

ip -6 addr ...
ip -6 route ...
ip -6 neigh ...

Configuring "/etc/sysctl.conf"

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward = 1

# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0

# For receiving ARP replies
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.default.arp_filter = 0

# For sending ARP
net.ipv4.conf.all.arp_announce = 0
net.ipv4.conf.default.arp_announce = 0

# Enable IPv6
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0

# IPv6 configuration
net.ipv6.conf.all.autoconf = 1
net.ipv6.conf.all.accept_ra = 0

# For OpenVPN
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.proxy_ndp = 1

# For nginx on boot
net.ipv6.ip_nonlocal_bind = 1

These are the "sysctl" settings of my server. Let me point out the important ones.

net.ipv4.ip_forward = 1

Without this the kernel does not forward packets at all, so OpenVPN clients cannot reach anything beyond the server itself.

net.ipv6.ip_nonlocal_bind = 1

Anything that tries to bind to an IPv6 address (nginx, for example) immediately after the interface comes up gets an error that the address is not available: a freshly added IPv6 address stays in the "tentative" state for a moment while Duplicate Address Detection runs, and the kernel refuses to bind to it until then.

This setting is what avoids that situation (at the price that a service can now bind to any IPv6 address, configured or not, so a typo in a listen directive is no longer caught at startup).

net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.proxy_ndp = 1

Without these IPv6 settings, traffic from an OpenVPN client does not reach the outside world: forwarding lets the kernel pass packets between tun0 and eno1, and proxy_ndp lets the server answer Neighbour Discovery for the clients' addresses on eno1 (the per-client entries are added by the OpenVPN scripts later).

The other settings are either irrelevant or I do not remember what they are for.
But if possible, I leave them "as is".

For changes to this file to take effect without rebooting the server, run the command:

sysctl -p

More details on the "table" rules: habr.com/post/108690

============== OpenVPN ==============

OpenVPN clients have no IPv4 Internet access without iptables: the server has to NAT their 10.8.0.0/24 addresses.

My iptables rules for the VPN are as follows:

iptables -A INPUT -p udp -s YY.YY.YY.YY --dport 1194 -j ACCEPT
iptables -A FORWARD -i tun0 -o eno1 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j SNAT --to-source XX.XX.XX.X0
##iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j DROP
iptables -A FORWARD -p udp --dport 1194 -j DROP

YY.YY.YY.YY is the static IPv4 address of my home machine.
10.8.0.0/24 - the IPv4 openvpn network; the IPv4 addresses of the openvpn clients.
The order of the rules matters.

iptables -A INPUT -p udp -s YY.YY.YY.YY --dport 1194 -j ACCEPT
iptables -A FORWARD -i tun0 -o eno1 -j ACCEPT
...
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j DROP
iptables -A FORWARD -p udp --dport 1194 -j DROP

This is a restriction so that only I, from my static IP, can use OpenVPN.

Check the protocol before relying on it: these rules match `-p udp`, while server.conf below uses `proto tcp-server` and the client uses `proto tcp-client`. iptables does not complain about a rule that matches nothing, and the chains here have no DROP policy, so a TCP listener on 1194 stays reachable from everywhere and the restriction is a no-op until the two agree (`-p tcp` here, or `proto udp` in OpenVPN).

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j SNAT --to-source XX.XX.XX.X0
  -- or --
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j MASQUERADE

To pass IPv4 packets between the OpenVPN clients and the Internet, one of these two commands must be registered.

In different situations one of the two options does not fit: SNAT needs a fixed source address and is the right choice for a static IP; MASQUERADE looks the interface's address up for every packet and is meant for interfaces whose address changes.
Both commands fit my situation.
After reading the documentation, I chose the first option because it uses less CPU.
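iptables accepts a rule that matches nothing without complaint, so a `-p udp` rule guarding a `proto tcp-server` listener silently does nothing, and re-running the `-A` lines above on every boot script run duplicates them. The script below is an added example (not from the original article) that applies the same rule set idempotently, using `iptables -C` to skip rules that are already present, and takes the transport protocol as a parameter so it comes from the same value as `proto` in server.conf. `IPT` can be pointed at a wrapper function for a dry run; the admin and SNAT addresses in the usage comment are documentation placeholders.

```bash
#!/bin/sh
# Added example, not part of the original article: the OpenVPN firewall rules
# from the section above, applied idempotently and with the protocol taken
# from one place so the ACCEPT/DROP pair cannot match the wrong transport.
# IPT may be pointed at a wrapper function for a dry run.
IPT=${IPT:-iptables}

# add_rule TABLE CHAIN RULE...: append RULE only if it is not already present
add_rule() {
    tbl=$1 chain=$2
    shift 2
    "$IPT" -t "$tbl" -C "$chain" "$@" 2>/dev/null || "$IPT" -t "$tbl" -A "$chain" "$@"
}

# vpn_firewall PROTO ADMIN_IP WAN_IF VPN_NET SNAT_IP
# PROTO must be the transport that "proto" in server.conf uses (tcp-server -> tcp).
vpn_firewall() {
    proto=$1 admin=$2 wan=$3 vpnnet=$4 snat=$5
    case "$proto" in
        tcp|udp) ;;
        *) echo "proto must be tcp or udp, got '$proto'" >&2; return 1 ;;
    esac
    # Order matters: the ACCEPT for the admin address must precede the DROP.
    add_rule filter INPUT -p "$proto" -s "$admin" --dport 1194 -j ACCEPT
    add_rule filter INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    add_rule filter INPUT -p "$proto" --dport 1194 -j DROP
    # Forwarding between the tunnel and the unlimited interface
    add_rule filter FORWARD -i tun0 -o "$wan" -j ACCEPT
    add_rule filter FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Fixed source address for VPN clients (SNAT, as the article prefers)
    add_rule nat POSTROUTING -s "$vpnnet" -o "$wan" -j SNAT --to-source "$snat"
}

# Usage on the server (documentation addresses in place of YY.YY.YY.YY / XX.XX.XX.X0):
#   vpn_firewall tcp 198.51.100.7 eno1 10.8.0.0/24 203.0.113.10
```

Because every rule goes through `add_rule`, the function can be called from a boot hook as often as you like; `iptables-save` afterwards still captures exactly one copy of each rule.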

For all iptables settings to survive a reboot, they have to be saved somewhere.

iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

These names were not chosen at random. They are the ones the "iptables-persistent" package restores at boot.

apt-get install iptables-persistent

Install the main OpenVPN packages:

apt-get install openvpn easy-rsa

Let's create the certificate template directory (substitute your own values where appropriate):

make-cadir ~/openvpn-ca
cd ~/openvpn-ca
ln -s openssl-1.0.0.cnf openssl.cnf

Let's edit the settings of the certificate template:

mcedit vars

...
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="RU"
export KEY_PROVINCE="Krasnodar"
export KEY_CITY="Dinskaya"
export KEY_ORG="Own"
export KEY_EMAIL="[email protected]"
export KEY_OU="VPN"

# X509 Subject Field
export KEY_NAME="server"
...

Create the CA, the server certificate, the DH parameters and the tls-auth key:

cd ~/openvpn-ca
source vars
./clean-all
./build-ca
./build-key-server server
./build-dh
openvpn --genkey --secret keys/ta.key

Let's prepare for generating the final "client-name.ovpn" files:

mkdir -p ~/client-configs/files
chmod 700 ~/client-configs/files
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
mcedit ~/client-configs/base.conf

# Client mode
client

# Interface tunnel type
dev tun

# TCP protocol
proto tcp-client

# Address/Port of VPN server
remote XX.XX.XX.X0 1194

# Don't bind to local port/address
nobind

# Don't need to re-read keys and re-create tun at restart
persist-key
persist-tun

# Remote peer must have a certificate marked as a server certificate
# (ns-cert-type is the deprecated predecessor of remote-cert-tls; one is enough)
remote-cert-tls server

# Enable compression (must match the server; compression inside a VPN is
# discouraged since the VORACLE attack, so drop it on both ends unless needed)
comp-lzo

# Custom
tls-auth ta.key 1
# Must be the same value as "cipher" in server.conf; DES-EDE3-CBC is 3DES, a
# 64-bit block cipher (Sweet32), AES-256-GCM is the usual modern choice
cipher DES-EDE3-CBC

Let's prepare the script that combines all the files into a single ovpn file.

mcedit ~/client-configs/make_config.sh
chmod 700 ~/client-configs/make_config.sh

#!/bin/bash

# First argument: Client identifier

if [ -z "$1" ]; then
    echo "usage: $0 client-name" >&2
    exit 1
fi

KEY_DIR=~/openvpn-ca/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

# Inline the CA certificate, the client's certificate and key, and the
# tls-auth key after the base config, so the client needs one file only
cat "${BASE_CONFIG}" \
    <(echo -e '<ca>') \
    "${KEY_DIR}/ca.crt" \
    <(echo -e '</ca>\n<cert>') \
    "${KEY_DIR}/${1}.crt" \
    <(echo -e '</cert>\n<key>') \
    "${KEY_DIR}/${1}.key" \
    <(echo -e '</key>\n<tls-auth>') \
    "${KEY_DIR}/ta.key" \
    <(echo -e '</tls-auth>') \
    > "${OUTPUT_DIR}/${1}.ovpn"

Creating the first OpenVPN client:

cd ~/openvpn-ca
source vars
./build-key client-name
cd ~/client-configs
./make_config.sh client-name

The file "~/client-configs/files/client-name.ovpn" is sent to the client device.

For iOS clients the following trick is required:
the content of the "tls-auth" tag must contain no comments,
and "key-direction 1" must be placed immediately before the "tls-auth" tag.

Let's configure the OpenVPN server:

cd ~/openvpn-ca/keys
cp ca.crt server.crt server.key ta.key dh2048.pem /etc/openvpn
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | tee /etc/openvpn/server.conf
mcedit /etc/openvpn/server.conf

ca.key is deliberately left out of the copy: the running server never needs the CA private key (it is used only when ./build-key signs a new client certificate), so it stays in ~/openvpn-ca/keys with tight permissions, or better, off the server entirely.

# Listen port
port 1194

# Protocol
proto tcp-server

# IP tunnel
dev tun0
tun-ipv6
push tun-ipv6

# Master certificate
ca ca.crt

# Server certificate
cert server.crt

# Server private key
key server.key

# Diffie-Hellman parameters
dh dh2048.pem

# Allow clients to communicate with each other
client-to-client

# Client config dir
client-config-dir /etc/openvpn/ccd

# Run client-specific script on connection and disconnection
script-security 2
client-connect "/usr/bin/sudo -u root /etc/openvpn/server-clientconnect.sh"
client-disconnect "/usr/bin/sudo -u root /etc/openvpn/server-clientdisconnect.sh"

# Server mode and client subnets
server 10.8.0.0 255.255.255.0
server-ipv6 XXXX:XXXX:XXXX:XXXX:1:3::/80
topology subnet

# IPv6 routes
push "route-ipv6 XXXX:XXXX:XXXX:XXXX::/64"
push "route-ipv6 2000::/3"

# DNS (for Windows)
# These are OpenDNS
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

# Configure all clients to redirect their default network gateway through the VPN
push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway ipv6" #For iOS

# Don't need to re-read keys and re-create tun at restart
persist-key
persist-tun

# Ping every 10s. Timeout of 120s.
keepalive 10 120

# Enable compression (compression inside a VPN is discouraged since the
# VORACLE attack; remove it on server and clients together unless needed)
comp-lzo

# User and group
user vpn
group vpn

# Log a short status
status openvpn-status.log

# Logging verbosity
##verb 4

# Custom config
tls-auth ta.key 0
# 3DES has a 64-bit block (Sweet32); change it on server and clients together,
# e.g. to AES-256-GCM (with 2.4 on both ends, cipher negotiation may already
# pick AES-256-GCM; the log shows the cipher actually in use)
cipher DES-EDE3-CBC

This is needed to set a fixed address for each client (not required, but I use it):

# Client config dir
client-config-dir /etc/openvpn/ccd

The most difficult and important detail.

Unfortunately, OpenVPN cannot make the clients' IPv6 addresses reachable by itself in this layout. The VPN prefix XXXX:XXXX:XXXX:XXXX:1:3::/80 is carved out of the /64 that the upstream router treats as on-link on eno1, so the router expects to resolve every client address with Neighbour Discovery, and the server has to answer on the clients' behalf (that is what proxy_ndp = 1 in sysctl.conf is for). OpenVPN does not manage those proxy entries, so they have to be added "by hand" for each client on connect and removed on disconnect:

# Run client-specific script on connection and disconnection
script-security 2
client-connect "/usr/bin/sudo -u root /etc/openvpn/server-clientconnect.sh"
client-disconnect "/usr/bin/sudo -u root /etc/openvpn/server-clientdisconnect.sh"

Two things to check here. The daemon drops to the vpn user (user/group vpn above) and the hooks need root to touch the neighbour table, so the sudo calls only work with a matching sudoers rule for that user, which this page does not show. And OpenVPN hands the assigned client address to the hook as the ifconfig_pool_remote_ip6 environment variable (see the environment variable list in openvpn(8)), which avoids recomputing it from the IPv4 address the way the scripts below do.

The file "/etc/openvpn/server-clientconnect.sh":

#!/bin/sh

# Check client variables (exported by OpenVPN to client-connect scripts)
if [ -z "$ifconfig_pool_remote_ip" ] || [ -z "$common_name" ]; then
        echo "Missing environment variable."
        exit 1
fi

# Load server variables
. /etc/openvpn/variables

ipv6=""

# Find out if there is a specific config with fixed IPv6 for this client
if [ -f "/etc/openvpn/ccd/$common_name" ]; then
        # Get fixed IPv6 from client config file
        ipv6=$(sed -nr 's/^.*ifconfig-ipv6-push[ \t]+([0-9a-fA-F:]+).*$/\1/p' "/etc/openvpn/ccd/$common_name")
        echo "$ipv6"
fi

# Get IPv6 from IPv4 (last octet of the pool address, written in hex)
if [ -z "$ipv6" ]; then
        ipp=$(echo "$ifconfig_pool_remote_ip" | cut -d. -f4)
        if ! [ "$ipp" -ge 2 -a "$ipp" -le 254 ] 2>/dev/null; then
                echo "Invalid IPv4 part."
                exit 1
        fi
        hexipp=$(printf '%x' "$ipp")
        ipv6="$prefix$hexipp"
fi

# Create proxy rule: answer Neighbour Discovery for the client's address on eno1
/sbin/ip -6 neigh add proxy "$ipv6" dev eno1

The file "/etc/openvpn/server-clientdisconnect.sh":

#!/bin/sh

# Check client variables (exported by OpenVPN to client-disconnect scripts)
if [ -z "$ifconfig_pool_remote_ip" ] || [ -z "$common_name" ]; then
        echo "Missing environment variable."
        exit 1
fi

# Load server variables
. /etc/openvpn/variables

ipv6=""

# Find out if there is a specific config with fixed IPv6 for this client
if [ -f "/etc/openvpn/ccd/$common_name" ]; then
        # Get fixed IPv6 from client config file
        ipv6=$(sed -nr 's/^.*ifconfig-ipv6-push[ \t]+([0-9a-fA-F:]+).*$/\1/p' "/etc/openvpn/ccd/$common_name")
fi

# Get IPv6 from IPv4 (same derivation as in the connect script)
if [ -z "$ipv6" ]; then
        ipp=$(echo "$ifconfig_pool_remote_ip" | cut -d. -f4)
        if ! [ "$ipp" -ge 2 -a "$ipp" -le 254 ] 2>/dev/null; then
                echo "Invalid IPv4 part."
                exit 1
        fi
        hexipp=$(printf '%x' "$ipp")
        ipv6="$prefix$hexipp"
fi

# Delete proxy rule
/sbin/ip -6 neigh del proxy "$ipv6" dev eno1

Both scripts use the file "/etc/openvpn/variables":

# Subnet
prefix=XXXX:XXXX:XXXX:XXXX:2:
# netmask
prefixlen=112

I find it hard to remember why it was written this way.

Now netmask = 112 looks strange (it should be 96 there).
And the prefix is surprising; it does not match the tun0 network.
But fine, I will leave it as it is.
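The two hook scripts share their address derivation, and that is where a prefix that does not match the tun0 network bites: the proxied address is built from `$prefix`, so if `$prefix` is not inside the `server-ipv6` range the NDP proxy entry is created for an address no client holds. The shell below is an added example, not the article's code: the derivation as functions with input validation, the ccd lookup with its sed expression intact, and a textual check that the prefix from /etc/openvpn/variables lies within `server-ipv6`. The 2001:db8 addresses are documentation placeholders; the last-octet-to-hex mapping is the page's own convention and assumes the IPv4 and IPv6 pools are handed out in step.

```bash
#!/bin/sh
# Added example, not the article's own script: the client-address derivation
# that server-clientconnect.sh and server-clientdisconnect.sh share, as
# functions with input validation, plus a check that the prefix from
# /etc/openvpn/variables lies inside the server-ipv6 range.
# 2001:db8:... addresses are documentation placeholders (assumption); the
# last-octet-to-hex mapping is the page's convention and assumes the IPv4
# and IPv6 pools are handed out in step.

# vpn_client_ipv6 PREFIX POOL_IPV4: print PREFIX followed by hex(last octet).
# Only pool hosts .2 to .254 are accepted (.1 is the server side of tun0).
vpn_client_ipv6() {
    prefix=$1 ip4=$2
    case "$ip4" in
        *.*.*.*) ;;
        *) echo "not an IPv4 address: $ip4" >&2; return 1 ;;
    esac
    ipp=${ip4##*.}
    case "$ipp" in
        ''|*[!0-9]*) echo "bad last octet in $ip4" >&2; return 1 ;;
    esac
    if [ "$ipp" -lt 2 ] || [ "$ipp" -gt 254 ]; then
        echo "pool address out of range: $ip4" >&2
        return 1
    fi
    printf '%s%x\n' "$prefix" "$ipp"
}

# ccd_fixed_ipv6 CCDFILE: print the address of an "ifconfig-ipv6-push" line,
# or nothing when the file or the line is absent (caller falls back to the pool).
ccd_fixed_ipv6() {
    [ -f "$1" ] || return 0
    sed -nE 's/^[[:space:]]*ifconfig-ipv6-push[[:space:]]+([0-9a-fA-F:]+).*$/\1/p' "$1" | head -n 1
}

# client_ipv6 CCDDIR COMMON_NAME PREFIX POOL_IPV4: the address the hooks should
# proxy: the fixed one from the ccd file if present, the derived one otherwise.
# COMMON_NAME comes from a certificate, so refuse anything that could leave CCDDIR.
client_ipv6() {
    case "$2" in
        ''|*/*|.|..) echo "refusing common name '$2'" >&2; return 1 ;;
    esac
    fixed=$(ccd_fixed_ipv6 "$1/$2")
    if [ -n "$fixed" ]; then
        printf '%s\n' "$fixed"
    else
        vpn_client_ipv6 "$3" "$4"
    fi
}

# prefix_in_server_net PREFIX SERVER_IPV6: 0 if PREFIX starts with the network
# part of a "server-ipv6 NET::/BITS" value. A textual check that relies on the
# page's convention of writing the prefix with a trailing "::"; not a general
# subnet comparison.
prefix_in_server_net() {
    net=${2%%/*}
    net=${net%::}
    case "$1" in
        "$net::"*) return 0 ;;
        *) return 1 ;;
    esac
}
```

With the page's values, `prefix_in_server_net "XXXX:XXXX:XXXX:XXXX:2:" "XXXX:XXXX:XXXX:XXXX:1:3::/80"` fails, which is exactly the mismatch described above; a prefix of `XXXX:XXXX:XXXX:XXXX:1:3::` passes and yields proxy entries for addresses inside the pool the server hands out.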

cipher DES-EDE3-CBC

This is not for everyone; I chose this method of encrypting the connection.

Two facts are worth knowing before copying that choice. DES-EDE3-CBC is 3DES, a 64-bit block cipher, and long-lived tunnels carrying enough traffic are exposed to Sweet32-style attacks on it; and the value must be identical on both ends, so it is changed in server.conf and in base.conf together (AES-256-GCM is the usual modern choice; with OpenVPN 2.4 on both ends cipher negotiation may already select AES-256-GCM, which the server log shows).

Read more about setting up OpenVPN IPv4.

Read more about setting up OpenVPN IPv6.

============= Mail setup ==============

Install the main package:

apt-get install postfix

During installation choose "Internet Site".

My "/etc/postfix/main.cf" looks like this:

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtp_bind_address = XX.XX.XX.X0
smtp_bind_address6 = XXXX:XXXX:XXXX:XXXX:1:1:1:1

smtp_tls_security_level = may
smtp_tls_ciphers = export
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_loglevel = 1

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = domain1.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = domain1.com
mydestination = localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4

internal_mail_filter_classes = bounce

# Storage type
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf

# SMTP-Auth settings
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        #reject_invalid_hostname,
        #reject_unknown_recipient_domain,
        reject_unauth_destination,
        reject_rbl_client sbl.spamhaus.org,
        check_policy_service unix:private/policyd-spf

smtpd_helo_restrictions =
        #reject_invalid_helo_hostname,
        #reject_non_fqdn_helo_hostname,
        reject_unknown_helo_hostname

smtpd_client_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_helo_hostname,
        permit

# SPF
policyd-spf_time_limit = 3600

# OpenDKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:var/run/opendkim/opendkim.sock

# IP address per domain
sender_dependent_default_transport_maps = pcre:/etc/postfix/sdd_transport.pcre

Let's look at the details of this configuration. One line in it is worth not copying as is: `smtp_tls_ciphers = export` is the old Postfix default for opportunistic outgoing TLS (any encryption beats cleartext), but current Postfix defaults to `medium`, and modern OpenSSL no longer ships export-grade ciphers at all, so the line can simply be dropped.

smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key

Ngokutsho kwabahlali baseKhabrovsk, le block iqulethe "ulwazi olungeyonyani kunye neethisisi ezingachanekanga."Kuphela iminyaka eyi-8 emva kokuqala komsebenzi wam apho ndaqala ukuqonda indlela i-SSL esebenza ngayo.

Ngoko ke, ndiya kuthatha inkululeko yokuchaza indlela yokusebenzisa i-SSL (ngaphandle kokuphendula imibuzo ethi "Isebenza njani?" kwaye "Kutheni isebenza?").

Isiseko se-encryption yanamhlanje kukwenza isibini esibalulekileyo (iintambo ezimbini ezide kakhulu zabalinganiswa).

Esinye "isitshixo" siyimfihlo, esinye isitshixo "sesidlangalaleni". Sigcina isitshixo sabucala ngononophelo kakhulu siyimfihlo. Sisasaza isitshixo sikawonke-wonke kumntu wonke.

Usebenzisa isitshixo sikawonke-wonke, unokuguqulela ngokuntsonkothileyo uluhlu lwamagama ukuze kube ngumnini weqhosha labucala kuphela onokulisusa ukuntsonkotha.
Ewe, siso sonke isiseko sobuchwephesha.

Inyathelo #1 - https sites.
Xa ufikelela kwisiza, isikhangeli sifunda kwiseva yewebhu ukuba indawo yi-https kwaye ke icela isitshixo sikawonke-wonke.
Iseva yewebhu inika isitshixo sikawonke-wonke. Isikhangeli sisebenzisa isitshixo sikawonke-wonke ukufihla i-http-sicelo kwaye uyithumele.
Umxholo we-http-sicelo unokufundwa kuphela ngabo banezitshixo zangasese, oko kukuthi, umncedisi kuphela apho isicelo senziwe khona.
Http-isicelo siqulathe noko i-URI. Ke ngoko, ukuba ilizwe lizama ukunqanda ukufikelela hayi kuyo yonke indawo, kodwa kwiphepha elithile, ke oku akunakwenzeka ukwenza iisayithi ze-https.

Inyathelo #2 - impendulo efihliweyo.
Umncedisi wewebhu unika impendulo enokufundwa ngokulula endleleni.
Isisombululo silula kakhulu - isikhangeli sasekhaya sivelisa isitshixo esifanayo sabucala-kawonkewonke kwindawo nganye ye-https.
Kwaye kunye nesicelo sesitshixo sikawonke-wonke sesiza, sithumela isitshixo saso soluntu sasekhaya.
Umncedisi wewebhu uyayikhumbula kwaye, xa uthumela i-http-impendulo, uyifihla ngesitshixo sikawonke-wonke somthengi othile.
Ngoku i-http-impendulo inokucocwa kuphela ngumnini wesitshixo sabucala sesikhangeli somthengi (oko kukuthi, umxhasi ngokwakhe).

Isinyathelo sesi-3 - ukuseka uxhumano olukhuselekileyo ngokusebenzisa umjelo woluntu.
Kukho ubuthathaka kumzekelo weNombolo ye-2 - akukho nto ithintela abanqwenelekayo ukuba bathintele i-http-sicelo kunye nokuhlela ulwazi malunga nesitshixo sikawonkewonke.
Ke, umlamli uya kubona ngokucacileyo yonke imixholo yemiyalezo ethunyelweyo nefunyenweyo de umjelo wonxibelelwano utshintshe.
Ukujongana nale nto kulula kakhulu - thumela nje isitshixo sikawonke-wonke sesikhangeli njengomyalezo ofihliweyo ngesitshixo sikawonke-wonke seseva yewebhu.
Umncedisi wewebhu kuqala athumele impendulo efana "nesitshixo sakho sikawonke-wonke sinje" kwaye ifihla lo myalezo ngeqhosha elifanayo likawonkewonke.
Umkhangeli zincwadi ujonga impendulo - ukuba umyalezo "isitshixo sakho sikawonke-wonke sinje" sifunyenwe - ke esi sisiqinisekiso se-100% sokuba eli jelo lonxibelelwano likhuselekile.
Ikhuseleke kangakanani?
Ukudalwa kwejelo lonxibelelwano olukhuselekileyo lwenzeka ngesantya se-ping * 2. Umzekelo 20ms.
Umhlaseli kufuneka abe nesitshixo sabucala somnye wamaqela kwangaphambili. Okanye fumana iqhosha labucala kwi-milliseconds ezimbalwa.
Ukugqekeza iqhosha elinye langoku labucala kuya kuthatha amashumi eminyaka kwi-supercomputer.

Inyathelo #4 - idatabase yoluntu yezitshixo zoluntu.
Ngokucacileyo, kulo lonke ibali kukho ithuba lokuba umhlaseli ahlale kwijelo lonxibelelwano phakathi komxhasi kunye nomncedisi.
Umxhasi unokuzenza umncedisi, kwaye umncedisi unokuzenza umxhasi. Kwaye ulinganise ipere yezitshixo kumacala omabini.
Emva koko umhlaseli uya kubona yonke i-traffic kwaye uya kukwazi "ukulungisa" i-traffic.
Umzekelo, tshintsha idilesi apho ungathumela khona imali okanye ukope igama eliyimfihlo kwibhanki ye-intanethi okanye uvimbele umxholo "ophikisayo".
Ukulwa nabahlaseli abanjalo, beza nedathabheyisi yoluntu enezitshixo zoluntu kwindawo nganye ye-https.
Umkhangeli zincwadi ngamnye "uyazi" malunga nobukho beenkcukacha ezingama-200 ezinjalo. Oku kuza kufakelwe kwangaphambili kwisikhangeli ngasinye.
“Ulwazi” luxhaswa sisitshixo sikawonke-wonke esisuka kwisatifikethi ngasinye. Oko kukuthi, uqhagamshelo kwigunya ngalinye lesatifikethi alinakwenziwa.

Ngoku kukho ukuqonda okulula kwendlela yokusebenzisa i-SSL ye-https.
Ukuba usebenzisa ingqondo yakho, kuya kucaca ukuba iinkonzo ezikhethekileyo zinokungena njani into kwesi sakhiwo. Kodwa kuya kubalahlekisela ngemizamo eyoyikekayo.
Kwaye imibutho emincinci kune-NSA okanye i-CIA - phantse akunakwenzeka ukukrazula umgangatho okhoyo wokukhusela, nakwi-VIPs.

Ndiza kongeza malunga nonxibelelwano lwe-ssh. Akukho zitshixo zikawonke-wonke apho, ngoko ungenza ntoni? Lo mbandela usonjululwa ngeendlela ezimbini.
Ukhetho lwe-ssh-nge-password:
Ngexesha loqhagamshelo lokuqala, umxhasi we-ssh kufuneka alumkise ukuba sineqhosha elitsha likawonke-wonke elisuka kwiseva ye-ssh.
Kwaye ngexesha loqhagamshelo olongezelelweyo, ukuba isilumkiso "isitshixo esitsha sikawonke-wonke esivela kwiseva ye-ssh" siyavela, oko kuya kuthetha ukuba bazama ukukuva.
Okanye uye wavinjwa kuqhagamshelo lwakho lokuqala, kodwa ngoku unxibelelana nomncedisi ngaphandle kwabalamli.
Enyanisweni, ngenxa yokuba i-wiretapping ilula, ngokukhawuleza kwaye ingabonakali, olu hlaselo lusetyenziswa kuphela kwiimeko ezikhethekileyo kumthengi othile.

Ukhetho luka-ssh-nge-key:
Sithatha i-flash drive, bhala isitshixo sangasese somncedisi we-ssh kuyo (kukho imimiselo kunye neengqungquthela ezininzi ezibalulekileyo kule nto, kodwa ndibhala inkqubo yemfundo, kungekhona imiyalelo yokusetyenziswa).
Sishiya isitshixo sikawonkewonke kumatshini apho umthengi we-ssh uya kuba khona kwaye sigcina imfihlo.
Sizisa i-flash drive kumncedisi, uyifake, ukopishe isitshixo sangasese, kwaye utshise i-flash drive kwaye usasaze umlotha emoyeni (okanye ubuncinci uyifomethe nge-zero).
Yiyo yonke loo nto - emva kokusebenza okunjalo akuyi kuba nzima ukukrazula uxhulumaniso olunjalo lwe-ssh. Ewe kunjalo, kwiminyaka eli-10 kuya kwenzeka ukujonga itrafikhi kwi-supercomputer - kodwa libali elahlukileyo elo.

Sorry for the off-topic.

So now the theory is known. I'll describe the flow of creating an SSL certificate.

Using "openssl genrsa" we create a private key and the "blank" for the public key.
We send the "blank" to a third-party company, where we pay about $9 for the simplest certificate.

A few hours later we receive our "public" key together with a set of several public keys from this third-party company.

Why registering my public key has to involve paying a third-party company is a separate question; we won't consider it here.

Now it is clear what this line means:

smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key

The "/etc/ssl" folder contains all the files related to ssl.
domain1.com - the domain name.
2018 - the year the key was created.
"key" - an indication that the file is a private key.

And the meaning of this file:

smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
domain1.com - the domain name.
2018 - the year the key was created.
chained - an indication that the file holds a chain of public keys (the first is our public key, the rest come from the company that issued it).
crt - an indication that this is a ready-made certificate (a public key with technical descriptions attached).

smtp_bind_address = XX.XX.XX.X0
smtp_bind_address6 = XXXX:XXXX:XXXX:XXXX:1:1:1:1

This setting is not used in this example, but is written here as an example.

Because a mistake in this parameter will lead to spam being sent from your server (without your intention).

And then go and prove to everyone that you are not to blame.

recipient_delimiter = +

Many may not know this, but it is a standard character for tagging email addresses, and it is supported by most modern mail servers.

For example, if you have the mailbox "[email protected]", try sending to "[email protected]" and see what arrives in it.

inet_protocols = ipv4

This may be confusing.

But it is not for nothing. Each new domain is IPv4-only by default, and then I enable IPv6 for each domain separately.

virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf

Here we specify that all incoming mail goes to dovecot.
And the rules for domains, mailboxes and aliases are looked up in the database.

/etc/postfix/mysql-virtual-mailbox-domains.cf

user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT 1 FROM virtual_domains WHERE name='%s'

/etc/postfix/mysql-virtual-mailbox-maps.cf

user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT 1 FROM virtual_users WHERE email='%s'

/etc/postfix/mysql-virtual-alias-maps.cf

user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT destination FROM virtual_aliases WHERE source='%s'
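The three map files above and the recipient_delimiter setting work together at delivery time. As an added example that is not part of the article, the code below replays the article's three queries against an in-memory SQLite copy of the tables and walks a recipient through the domain, alias and mailbox lookups, including the user+tag@domain search order that the "+" delimiter switches on. The column layout and the sample rows are assumed; the article only shows the queries.

```python
import sqlite3

# Added example, not code from the article: replay the article's three Postfix
# MySQL lookups against an in-memory SQLite copy of the tables, including the
# "user+tag@domain" search order that recipient_delimiter = + switches on.
# The column layout is assumed; the article only shows the queries.
QUERIES = {  # the query= lines of the three .cf files; %s is Postfix's lookup key
    "virtual_mailbox_domains": "SELECT 1 FROM virtual_domains WHERE name=%s",
    "virtual_mailbox_maps": "SELECT 1 FROM virtual_users WHERE email=%s",
    "virtual_alias_maps": "SELECT destination FROM virtual_aliases WHERE source=%s",
}

def build_db():
    """Constructed sample data: two domains, one mailbox, one alias, one catch-all."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE virtual_domains (name TEXT PRIMARY KEY);
        CREATE TABLE virtual_users   (email TEXT PRIMARY KEY, password TEXT);
        CREATE TABLE virtual_aliases (source TEXT, destination TEXT);
        INSERT INTO virtual_domains VALUES ('domain1.com'), ('domain2.com');
        INSERT INTO virtual_users VALUES ('bob@domain1.com', '{SHA512-CRYPT}$6$placeholder');
        INSERT INTO virtual_aliases VALUES ('sales@domain1.com', 'bob@domain1.com'),
                                           ('@domain2.com', 'bob@domain1.com');
    """)
    return db

def lookup(db, table, key):
    """One Postfix table lookup; the %s placeholder becomes a bound parameter."""
    sql = QUERIES[table].replace("%s", "?")
    return [row[0] for row in db.execute(sql, (key,))]

def search_keys(address, delimiter="+"):
    """Keys Postfix tries for an address with an extension (virtual(5)):
    user+tag@domain, then user@domain, then the @domain wildcard."""
    local, _, domain = address.rpartition("@")
    base = local.split(delimiter, 1)[0]
    keys = [address]
    if base != local:
        keys.append(f"{base}@{domain}")
    keys.append(f"@{domain}")
    return keys

def resolve(db, address, depth=0):
    """Run a recipient through the three lookups and return a short verdict."""
    if depth > 10:
        return "rejected: alias loop"
    domain = address.rpartition("@")[2]
    if not lookup(db, "virtual_mailbox_domains", domain):
        return "rejected: not one of our virtual domains"
    keys = search_keys(address)
    for key in keys:                      # aliases may rewrite the recipient
        target = lookup(db, "virtual_alias_maps", key)
        if target:
            return resolve(db, target[0], depth + 1)
    for key in keys[:-1]:                 # mailboxes: no @domain wildcard
        if lookup(db, "virtual_mailbox_maps", key):
            return f"deliver to mailbox {key} via lmtp"
    return "rejected: unknown user"

if __name__ == "__main__":
    db = build_db()
    for rcpt in ("bob+news@domain1.com", "sales@domain1.com",
                 "anyone+x@domain2.com", "nobody@domain1.com", "x@other.org"):
        print(f"{rcpt:24} -> {resolve(db, rcpt)}")
```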

# SMTP-Auth settings
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

Now postfix knows that mail may be accepted for onward delivery after authentication through dovecot.

I don't quite understand why this is duplicated here. We have already specified everything needed in "virtual_transport".

But the postfix system is very old - this is probably a holdover from the old days.

smtpd_recipient_restrictions =
        ...

smtpd_helo_restrictions =
        ...

smtpd_client_restrictions =
        ...

This can be configured differently on each mail server.

I have 3 mail servers, and these settings differ greatly because of different usage requirements.

You need to configure this carefully - otherwise spam will pour in on you, or even worse, spam will pour out from you.

# SPF
policyd-spf_time_limit = 3600

Configuring a particular plugin related to SPF checking of incoming letters.

# OpenDKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:var/run/opendkim/opendkim.sock

This setting says that we must add a DKIM signature to all outgoing letters.

# IP address per domain
sender_dependent_default_transport_maps = pcre:/etc/postfix/sdd_transport.pcre

This is a key detail in routing letters when they are sent from PHP scripts.

File "/etc/postfix/sdd_transport.pcre":

/^[email protected]$/ domain1:
/^[email protected]$/ domain2:
/^[email protected]$/ domain3:
/@domain1.com$/             domain1:
/@domain2.com$/             domain2:
/@domain3.com$/             domain3:

On the left is a regular expression. On the right is a label that marks the letter.
Postfix, according to the label, will apply a few more lines of configuration to that particular letter.

Exactly how postfix is reconfigured for a particular letter is shown in "master.cf".

Lines 4, 5, 6 are the main ones: whichever domain we send the letter on behalf of, we assign that label.
But the "from" field is not always set in PHP scripts in old code. Then the username comes to the rescue.

The article is already long - I don't want to get sidetracked by setting up nginx+fpm.

In short, for each site we set up an owning linux user. And accordingly its own fpm-pool.

The fpm-pool can use any version of php (it's great that on one server you can use different php versions and even different php.ini files for neighboring sites without problems).

So, a particular linux user "www-domain2" owns the website domain2.com. This site has code that sends emails without specifying the from field.

So even in this case the letters will be sent correctly and will never end up in spam.

My "/etc/postfix/master.cf" looks like this:

...
smtp      inet  n       -       y       -       -       smtpd
  -o content_filter=spamassassin
...
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
...
policyd-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/bin/policyd-spf

spamassassin unix -     n       n       -       -       pipe
    user=spamd argv=/usr/bin/spamc -f -e
    /usr/sbin/sendmail -oi -f ${sender} ${recipient}
...
domain1  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X1
   -o smtp_helo_name=domain1.com
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:1:1
   -o syslog_name=postfix-domain1

domain2  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X5
   -o smtp_helo_name=domain2.com
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:2:1:1
   -o syslog_name=postfix-domain2

domain3  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X2
   -o smtp_helo_name=domain3
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:5:1
   -o syslog_name=postfix-domain3

The file is not given in full - it is already very big.
I noted only what has changed.

smtp      inet  n       -       y       -       -       smtpd
  -o content_filter=spamassassin
...
spamassassin unix -     n       n       -       -       pipe
    user=spamd argv=/usr/bin/spamc -f -e
    /usr/sbin/sendmail -oi -f ${sender} ${recipient}

These are the settings related to spamassassin; more on them later.

submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

We allow connecting to the mail server over port 587.
To do this, you must authenticate.

policyd-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/bin/policyd-spf

Enable SPF checking.

apt-get install postfix-policyd-spf-python

Install the package for the SPF checks mentioned above.

domain1  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X1
   -o smtp_helo_name=domain1.com
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:1:1
   -o syslog_name=postfix-domain1

And this is the most interesting part. This is the ability to send a given domain's letters from a specific IPv4/IPv6 address.

This is done for the sake of rDNS. rDNS is the procedure of obtaining a name string from an IP address.
And in mail this feature is used to confirm that the helo exactly matches the rDNS of the address the email was sent from.

If the helo does not match the domain of the email on whose behalf the letter is sent, spam points are awarded.

If the helo does not match the rDNS, many spam points are awarded.
Accordingly, each domain must have its own IP address.
At OVH, rDNS can be set in the console.
At tech.ru, the issue is resolved through support.
At AWS, the issue is resolved through support.
"inet_protocols" and "smtp_bind_address6" enable IPv6 support.
For IPv6 you also need to register rDNS.
"syslog_name" - this one is for easier reading of the logs.
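As an added example that is not part of the article, the code below ties the pcre transport table and the per-domain master.cf transports together with the rDNS requirement just described: it routes a sender address to its transport label (first matching rule wins, as in Postfix pcre tables), then checks that each bind address's PTR equals the helo name and that the helo name resolves back to that address. The pcre rules, the transport overrides, the documentation-range IP addresses and the DNS answers are all constructed; the rules for local PHP users assume they look like www-<site>@<hostname>.

```python
import re

# Added example, not code from the article: route a sender through a
# sender_dependent_default_transport_maps pcre table (first match wins) to its
# master.cf transport, then check the transport's bind addresses and helo against
# forward and reverse DNS as the rDNS discussion above requires. All data is
# constructed; the local-user rules assume PHP senders look like www-<site>@<host>.

SDD_TRANSPORT_PCRE = """
/^www-domain1@mx\\.example$/ domain1:
/^www-domain2@mx\\.example$/ domain2:
/@domain1\\.com$/            domain1:
/@domain2\\.com$/            domain2:
"""

# The -o overrides of two per-domain smtp transports from master.cf (RFC 5737/3849
# addresses). domain2's helo deliberately lacks its TLD so the check has something
# to report.
TRANSPORTS = {
    "domain1": {"smtp_bind_address": "198.51.100.1", "smtp_helo_name": "domain1.com",
                "smtp_bind_address6": "2001:db8::1:1:1:1"},
    "domain2": {"smtp_bind_address": "198.51.100.5", "smtp_helo_name": "domain2",
                "smtp_bind_address6": "2001:db8::1:2:1:1"},
}

# Stand-in for the DNS zone: A/AAAA for the helo names and PTRs for the IPs.
FORWARD = {"domain1.com": {"198.51.100.1", "2001:db8::1:1:1:1"},
           "domain2.com": {"198.51.100.5", "2001:db8::1:2:1:1"}}
REVERSE = {"198.51.100.1": "domain1.com", "2001:db8::1:1:1:1": "domain1.com",
           "198.51.100.5": "domain2.com", "2001:db8::1:2:1:1": "domain2.com"}


def parse_pcre_table(text):
    """[(compiled regex, transport)] in file order; Postfix uses the first match."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"^/(.*)/\s+(\S+)$", line.strip())
        if m:
            rules.append((re.compile(m.group(1)), m.group(2).rstrip(":")))
    return rules


def select_transport(sender, rules):
    """Transport label for a sender, or None when default_transport applies."""
    return next((t for rx, t in rules if rx.search(sender)), None)


def fcrdns_problems(opts):
    """Mismatches for one transport: the PTR of each bind address must equal the
    helo name, and the helo name must resolve back to that address."""
    helo, problems = opts.get("smtp_helo_name", ""), []
    for key in ("smtp_bind_address", "smtp_bind_address6"):
        ip = opts.get(key)
        if ip and REVERSE.get(ip) != helo:
            problems.append(f"{ip}: PTR {REVERSE.get(ip)!r} != helo {helo!r}")
        if ip and ip not in FORWARD.get(helo, set()):
            problems.append(f"{ip}: {helo!r} does not resolve back to it")
    return problems


def audit_sender(sender):
    """(transport, problems) for one sender address."""
    transport = select_transport(sender, parse_pcre_table(SDD_TRANSPORT_PCRE))
    return transport, fcrdns_problems(TRANSPORTS.get(transport, {}))


if __name__ == "__main__":
    for s in ("www-domain2@mx.example", "sales@domain1.com", "x@other.org"):
        print(s, "->", audit_sender(s))
```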

I recommend buying certificates here.

Setting up the postfix+dovecot bundle is described here.

Setting up SPF.

============== Dovecot ==============

apt-get install dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-mysql dovecot-antispam

Installing the packages themselves, with mysql support.

File "/etc/dovecot/conf.d/10-auth.conf"

disable_plaintext_auth = yes
auth_mechanisms = plain login

Authentication over encrypted connections only.

File "/etc/dovecot/conf.d/10-mail.conf"

mail_location = maildir:/var/mail/vhosts/%d/%n

Here we specify where letters are stored.

I want them stored as files and grouped by domain.

File "/etc/dovecot/conf.d/10-master.conf"

service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    address = XX.XX.XX.X1, XX.XX.XX.X2, XX.XX.XX.X5, [XXXX:XXXX:XXXX:XXXX:1:1:1:1], [XXXX:XXXX:XXXX:XXXX:1:2:1:1], [XXXX:XXXX:XXXX:XXXX:1:1:5:1]
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    address = XX.XX.XX.X1, XX.XX.XX.X2, XX.XX.XX.X5, [XXXX:XXXX:XXXX:XXXX:1:1:1:1], [XXXX:XXXX:XXXX:XXXX:1:2:1:1], [XXXX:XXXX:XXXX:XXXX:1:1:5:1]
    port = 995
    ssl = yes
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
service imap {
}
service pop3 {
}
service auth {
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }

  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
  user = dovecot
}
service auth-worker {
  user = vmail
}
service dict {
  unix_listener dict {
  }
}

This is the main dovecot configuration file.
Here we disable the insecure connections.
And enable the secure ones.

File "/etc/dovecot/conf.d/10-ssl.conf"

ssl = required
ssl_cert = </etc/nginx/ssl/domain1.com.2018.chained.crt
ssl_key = </etc/nginx/ssl/domain1.com.2018.key
local XX.XX.XX.X5 {
  ssl_cert = </etc/nginx/ssl/domain2.com.2018.chained.crt
  ssl_key =  </etc/nginx/ssl/domain2.com.2018.key
}

Setting up ssl. We indicate that ssl is required.
And the certificate itself. An important detail is the "local" directive. It specifies which SSL certificate to use when a client connects to which local IPv4 address.

By the way, IPv6 is not configured here; I'll fix this omission later.
XX.XX.XX.X5 (domain2) - no certificate. To connect clients, you must specify domain1.com.
XX.XX.XX.X2 (domain3) - there is a certificate; you can specify either domain1.com or domain3.com to connect clients.

File "/etc/dovecot/conf.d/15-lda.conf"

protocol lda {
  mail_plugins = $mail_plugins sieve
}

This will be needed for spamassassin later.

File "/etc/dovecot/conf.d/20-imap.conf"

protocol imap {
  mail_plugins = $mail_plugins antispam
}

This is the antispam plugin. It is needed to train spamassassin when letters are moved to the "Spam" folder.

File "/etc/dovecot/conf.d/20-pop3.conf"

protocol pop3 {
}

There is such a file.

File "/etc/dovecot/conf.d/20-lmtp.conf"

protocol lmtp {
  mail_plugins = $mail_plugins sieve
  postmaster_address = [email protected]
}

Configuring lmtp.

File "/etc/dovecot/conf.d/90-antispam.conf"

plugin {
  antispam_backend = pipe
  antispam_trash = Trash;trash
  antispam_spam = Junk;Spam;SPAM
  antispam_pipe_program_spam_arg = --spam
  antispam_pipe_program_notspam_arg = --ham
  antispam_pipe_program = /usr/bin/sa-learn
  antispam_pipe_program_args = --username=%Lu
}

Settings for training spamassassin when letters are moved to or from the Spam folder.

File "/etc/dovecot/conf.d/90-sieve.conf"

plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_after = /var/lib/dovecot/sieve/default.sieve
}

The file that specifies what to do with incoming letters.

File "/var/lib/dovecot/sieve/default.sieve"

require ["fileinto", "mailbox"];

if header :contains "X-Spam-Flag" "YES" {
        fileinto :create "Spam";
}

The file must be compiled: "sievec default.sieve".

File "/etc/dovecot/conf.d/auth-sql.conf.ext"

passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
}

Specifies the sql files used for authentication.
And the file itself is included as the authentication method.

File "/etc/dovecot/dovecot-sql.conf.ext"

driver = mysql
connect = host=127.0.0.1 dbname=servermail user=usermail password=password
default_pass_scheme = SHA512-CRYPT
password_query = SELECT email as user, password FROM virtual_users WHERE email='%u';

This matches the corresponding settings on the postfix side.

File "/etc/dovecot/dovecot.conf"

protocols = imap lmtp pop3
listen = *, ::
dict {
}
!include conf.d/*.conf
!include_try local.conf

The main configuration file.
The important thing to specify here is to add the protocols.

============= SpamAssassin ===============

apt-get install spamassassin spamc

Install the packages.

adduser spamd --disabled-login

Add the user on whose behalf it will run.

systemctl enable spamassassin.service

Make the spamassassin service start automatically at boot.

File "/etc/default/spamassassin":

CRON=1

Enables automatic rule updates "on their own".

File "/etc/spamassassin/local.cf":

report_safe 0

use_bayes          1
bayes_auto_learn   1
bayes_auto_expire  1
bayes_store_module Mail::SpamAssassin::BayesStore::MySQL
bayes_sql_dsn      DBI:mysql:sa:localhost:3306
bayes_sql_username sa
bayes_sql_password password

You need to create the database "sa" in mysql with the user "sa" and the password "password" (replace it with something adequate).

report_safe - whether to send a spam report email in place of the letter itself.
use_bayes - these are the settings for spamassassin's machine learning.

The remaining spamassassin settings were applied earlier in the article.

General "spamassassin" setup.
About moving newly received spam emails to the IMAP "Spam" folder.
About a simple Dovecot + SpamAssassin bundle.
I recommend reading the theory of spamassassin learning when moving letters between imap folders (and I don't recommend using it).

============== Appeal to the community ===============

I would also like to throw an idea out to the community on how to raise the security level of letters in transit, since I have dug deep into the mail topic.

Let the user create a key pair on their client (Outlook, Thunderbird, a browser plugin, ...). Public and private. The public one is published in DNS. The private one stays on the client. Mail servers would then be able to use the public key when sending to a particular recipient.

And to protect against spam in such letters (yes, the mail server will not be able to inspect the content), 3 rules would have to be introduced:

  1. A mandatory valid DKIM signature, mandatory SPF, mandatory rDNS.
  2. A neural network for antispam training on the content, with its database on the client side.
  3. The encryption algorithm must be such that the sending side has to spend 100 times more CPU power on encryption than the receiving side.

In addition to public letters, develop a standard proposal letter "to start secure correspondence". One user (mailbox) sends a letter with an attachment to another mailbox. The letter contains a textual proposal to start a secure communication channel for correspondence, plus the public key of the mailbox owner (with the private key kept on the client side).

A key pair can even be created specifically for each correspondence. The recipient user can accept this offer and send back their own public key (also created specifically for this correspondence). Next, the first user sends a service control letter (encrypted with the second user's public key), on receipt of which the second user can consider the established channel reliable. Then the second user sends a control letter, after which the first user can consider the established channel secure.

To counter interception of keys in transit, the protocol must provide the option of transferring at least one public key by flash drive.

And most importantly, to make it all work (the question "who will pay for it?"):
Introduce mail certificates starting at 10 dollars for 3 years. That would allow the sender to indicate in dns that "my public keys are over there". And it would give them the right to initiate secure connections. At the same time, accepting such connections is free.
Gmail would finally be making money from its users. 10 dollars for 3 years - the right to create secure correspondence channels.

============= Conclusion ==============

To test the whole article, I planned to rent a dedicated server for a month and buy a domain with an SSL certificate.

But life circumstances turned out so that this matter dragged on for 2 months.
And so, when I had free time again, I decided to publish the article as it is, rather than risk the publication dragging on for another year.

If there are many questions like "but this is not described in enough detail", then there will be the energy to take a dedicated server with a new domain and a new SSL certificate, describe everything in more detail and, most importantly, identify all the important details that are missing.

I would also like to get feedback on the ideas about mail certificates. If you like the idea, I'll try to find the energy to write a draft rfc.

When copying large parts of the article, provide a link to this article.
When translating into any other language, provide a link to this article.
I'll try to translate it into English myself and leave cross-references.


Source: www.habr.com
