Debian + Postfix + Dovecot + Multidomain + SSL + IPv6 + OpenVPN + Multi-interface + SpamAssassin-learn + Bind

This article is about how to set up a modern mail server.
Postfix + Dovecot. SPF + DKIM + rDNS. With IPv6.
With TLS encryption. With support for multiple domains, some of them with a real SSL certificate.
With anti-spam protection and a high anti-spam rating with other mail servers.
Support for multiple physical interfaces.
With OpenVPN, which is connected to over IPv4 and which provides IPv6.

If you don't want to learn all of these technologies but do want to set up such a server, then this article is for you.

The article does not try to explain every detail. The explanation covers what is not configured by default or what matters from the user's point of view.

Setting up a mail server has been a long-standing dream of mine. This may sound silly, but IMHO it beats dreaming about a new car from your favourite brand.

There are two motivations for setting up IPv6. An IT specialist has to keep learning new technologies in order to survive. And I would like to make my small contribution to the fight against censorship.

The motivation for setting up OpenVPN is to get IPv6 working on the local machine.
The motivation for setting up several physical interfaces is that my server has one interface that is “slow but unlimited” and another that is “fast but metered”.

The motivation for setting up Bind is that my ISP provides an unstable DNS server, and Google also fails from time to time. I want a stable DNS server for personal use.

The motivation for writing the article: I wrote a draft ten months ago and have already gone back to it twice. If even the author needs it regularly, there is a good chance others will need it too.

There is no universal solution for a mail server. But I will try to write something like “do this and that, and then, once everything works as it should, throw out the extra parts.”

The server is colocated at tech.ru. They can be compared with OVH, Hetzner, AWS. For this particular task, working with tech.ru turned out to be much more effective.

Debian 9 is installed on the server.

The server has two interfaces, `eno1` and `eno2`. The first is unlimited and the second is fast, respectively.

There are three static IPv4 addresses: XX.XX.XX.X0, XX.XX.XX.X1 and XX.XX.XX.X2 on interface `eno1`, and XX.XX.XX.X5 on interface `eno2`.

There is a pool of IPv6 addresses XXXX:XXX:XXX:XXX::/64 assigned to interface `eno1`, and from it XXXX:XXX:XXX:XXXX:1:2::/96 was assigned to `eno2` at my request.

There are three domains: `domain1.com`, `domain2.com`, `domain3.com`. There is an SSL certificate for `domain1.com` and for `domain3.com`.

Mo ni akọọlẹ Google kan ti Emi yoo fẹ lati so apoti ifiweranṣẹ mi pọ si[imeeli ni idaabobo]` (gbigba meeli ati fifiranṣẹ meeli taara lati wiwo gmail).
Apo-ifiweranṣẹ gbọdọ wa'[imeeli ni idaabobo]`, ẹda imeeli lati eyiti Mo fẹ rii ninu gmail mi. Ati pe o ṣọwọn lati ni anfani lati fi nkan ranṣẹ ni ipo `[imeeli ni idaabobo]`nipasẹ oju opo wẹẹbu.

There must be a mailbox `[email protected]` which Ivanov will use from his iPhone.

Outgoing mail must comply with all modern anti-spam requirements.
The highest level of encryption available on public networks must be used.
IPv6 must be supported for both sending and receiving mail.
There must be a SpamAssassin that does not delete mail. It either bounces a message, lets it through, or puts it in the IMAP “Spam” folder.
SpamAssassin auto-learning must be configured: if I move a message into the Spam folder, it learns from that; if I move a message out of the Spam folder, it learns from that. The results of SpamAssassin's learning must influence whether a message ends up in the Spam folder.
PHP scripts must be able to send mail on behalf of any domain hosted on this server.
There must be an OpenVPN service, with the ability to use IPv6 from a client that has no IPv6 of its own.

First you need to configure the interfaces and routing, including IPv6.
Then you need to configure OpenVPN, which is connected to over IPv4 and gives the client a real static IPv6 address. This client will have access to all IPv6 services on the server and to any IPv6 resources on the Internet.
Then you need to configure Postfix for sending mail + SPF + DKIM + rDNS and other small things of that kind.
Then you need to configure Dovecot and set up multiple domains.
Then you need to configure SpamAssassin and set up its learning.
Finally, install Bind.

============ Multi-interface =============

To configure the interfaces, write the following in “/etc/network/interfaces”.

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eno1
iface eno1 inet static
        address XX.XX.XX.X0/24
        gateway XX.XX.XX.1
        dns-nameservers 127.0.0.1 213.248.1.6
        post-up ip route add XX.XX.XX.0/24 dev eno1 src XX.XX.XX.X0 table eno1t
        post-up ip route add default via XX.XX.XX.1 table eno1t
        post-up ip rule add table eno1t from XX.XX.XX.X0
        post-up ip rule add table eno1t to XX.XX.XX.X0

auto eno1:1
iface eno1:1 inet static
        address XX.XX.XX.X1
        netmask 255.255.255.0
        post-up ip rule add table eno1t from XX.XX.XX.X1
        post-up ip rule add table eno1t to XX.XX.XX.X1
        post-up   ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t
        post-down ip route del 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t

auto eno1:2
iface eno1:2 inet static
        address XX.XX.XX.X2
        netmask 255.255.255.0
        post-up ip rule add table eno1t from XX.XX.XX.X2
        post-up ip rule add table eno1t to XX.XX.XX.X2

iface eno1 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:1::/64
        gateway XXXX:XXXX:XXXX:XXXX::1
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:2/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:1:1:2/64 dev $IFACE

# The secondary network interface
allow-hotplug eno2
iface eno2 inet static
        address XX.XX.XX.X5
        netmask 255.255.255.0
        post-up   ip route add XX.XX.XX.0/24 dev eno2 src XX.XX.XX.X5 table eno2t
        post-up   ip route add default via XX.XX.XX.1 table eno2t
        post-up   ip rule add table eno2t from XX.XX.XX.X5
        post-up   ip rule add table eno2t to XX.XX.XX.X5
        post-up   ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X5 table eno2t
        post-down ip route del 10.8.0.0/24 dev tun0 src XX.XX.XX.X5 table eno2t

iface eno2 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:2::/96
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:2:1:1/64 dev $IFACE
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:2:1:2/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:2:1:1/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:2:1:2/64 dev $IFACE

# OpenVPN network
iface tun0 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:3::/80

These settings can be applied on any server at tech.ru (with a little coordination with support) and will work right away as they should.

If you have experience setting up similar things at Hetzner or OVH, it is different there. It is harder.

eno1 is the name of network card #1 (slow but unlimited).
eno2 is the name of network card #2 (fast but metered).
tun0 is the name of the virtual network card created by OpenVPN.
XX.XX.XX.X0 - IPv4 #1 on eno1.
XX.XX.XX.X1 - IPv4 #2 on eno1.
XX.XX.XX.X2 - IPv4 #3 on eno1.
XX.XX.XX.X5 - IPv4 #1 on eno2.
XX.XX.XX.1 - the IPv4 gateway.
XXXX:XXX:XXX:XXX::/64 - IPv6 for the whole server.
XXXX:XXX:XXXX:XXX:1:2::/96 - IPv6 for eno2; everything else coming from outside goes to eno1.
XXXX:XXXX:XXXX:XXX::1 - the IPv6 gateway (note that this can/should be done differently: specify the IPv6 address of the switch).
dns-nameservers - 127.0.0.1 is listed (because Bind is installed locally) and 213.248.1.6 (this one is from tech.ru).

“table eno1t” and “table eno2t” - the point of these routing rules is that traffic that came in through eno1 goes back out through eno1, and traffic that came in through eno2 goes back out through eno2. Connections initiated by the server go out through eno1.

ip route add default via XX.XX.XX.1 table eno1t

With this command we specify that any traffic matched by a rule pointing at “table eno1t”, and not covered by a more specific route in that table, is sent out through interface eno1.

ip route add XX.XX.XX.0/24 dev eno1 src XX.XX.XX.X0 table eno1t

With this command we specify that any traffic initiated by the server should be directed to interface eno1.

ip rule add table eno1t from XX.XX.XX.X0
ip rule add table eno1t to XX.XX.XX.X0

With these commands we set the rules that select the table for traffic from and to that address.

auto eno1:2
iface eno1:2 inet static
        address XX.XX.XX.X2
        netmask 255.255.255.0
        post-up ip rule add table eno1t from XX.XX.XX.X2
        post-up ip rule add table eno1t to XX.XX.XX.X2

This block assigns an additional IPv4 address to the eno1 interface.

ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t

With this command we set up the route from the OpenVPN clients to the local IPv4 addresses other than XX.XX.XX.X0.
I still do not understand why this one command is enough for all the IPv4 addresses.
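To see how the per-interface tables above fit together, here is an added example (not code from the article) that builds the route and rule set the interfaces file repeats for every address, and checks an /etc/iproute2/rt_tables file against the constraints the article gives for it (unique ids, below 65535). The interface and table names follow the article; 192.0.2.0/24 (the RFC 5737 documentation range) stands in for the author's XX.XX.XX.0/24.

```python
"""Build the policy-routing commands the interfaces file above repeats for
every address, and check an /etc/iproute2/rt_tables file.

Added example, not the article's code. Interface and table names follow the
article; 192.0.2.0/24 (RFC 5737 documentation range) stands in for the
author's XX.XX.XX.0/24.
"""
import ipaddress

RT_TABLES_MAX = 65535  # table ids must be below this, per the article


def policy_routes(iface, table, gateway, addresses, prefixlen=24):
    """Return the `ip` commands for one interface-specific routing table.

    Per table: one connected route (with the primary address as source) and
    one default route. Per address: a 'from' rule and a 'to' rule, so that
    both locally originated and reply traffic for that address use the table.
    """
    net = ipaddress.ip_network(f"{addresses[0]}/{prefixlen}", strict=False)
    cmds = [
        f"ip route add {net} dev {iface} src {addresses[0]} table {table}",
        f"ip route add default via {gateway} table {table}",
    ]
    for addr in addresses:
        cmds.append(f"ip rule add table {table} from {addr}")
        cmds.append(f"ip rule add table {table} to {addr}")
    return cmds


def check_rt_tables(text):
    """Return a list of problems with rt_tables content ([] means ok).

    Ids must be unique and below 65535 (the article's two rules); names must
    be unique too, or 'table eno1t' in the interfaces file would be ambiguous.
    Comment lines and the stock entries (255 local, 254 main, ...) are fine.
    """
    problems, ids, names = [], {}, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            problems.append(f"line {lineno}: malformed entry {raw!r}")
            continue
        tid, name = int(parts[0]), parts[1]
        if tid >= RT_TABLES_MAX:
            problems.append(f"line {lineno}: id {tid} out of range")
        if tid in ids:
            problems.append(f"line {lineno}: id {tid} already used by {ids[tid]}")
        if name in names:
            problems.append(f"line {lineno}: name {name} already used by id {names[name]}")
        ids.setdefault(tid, name)
        names.setdefault(name, tid)
    return problems


if __name__ == "__main__":
    for cmd in policy_routes("eno1", "eno1t", "192.0.2.1", ["192.0.2.10", "192.0.2.11"]):
        print(cmd)
    print(check_rt_tables("255 local\n254 main\n100 eno1t\n101 eno2t\n"))
```

Running the generated commands by hand (`ip rule show`, `ip route show table eno1t`) after the interface comes up is the quickest way to confirm the `post-up` lines took effect.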

iface eno1 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:1::/64
        gateway XXXX:XXXX:XXXX:XXXX::1

Here we set the address of the interface itself. The server uses it as its “outgoing” address. It is not used for anything else.

Why the complicated “:1:1:”? So that OpenVPN works correctly, and only for that. More on this later.

As for the gateway: it works this way, and that is fine. But the correct way is to put here the IPv6 address of the switch the server is connected to.

However, for some reason IPv6 stops working if I do that. This is probably some problem on the tech.ru side.

ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE

This adds one IPv6 address to the interface. If you need a hundred addresses, that means a hundred such lines in this file.

iface eno1 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:1::/64
...
iface eno2 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:2::/96
...
iface tun0 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:3::/80

I have listed the addresses and subnets of all the interfaces to make this clear.
eno1 must be “/64”, because that is our whole pool of addresses.
tun0's subnet must be narrower than eno1's (a longer prefix). Otherwise it will not be possible to configure an IPv6 gateway for the OpenVPN clients.
eno2's subnet must be narrower than tun0's. Otherwise the OpenVPN clients will not be able to reach the local IPv6 addresses.
For clarity I chose a subnet step of 16, but if you want you can even use a step of “1”.
Accordingly, 64+16 = 80, and 80+16 = 96.

In even more detail:
XXXX:XXX:XXXX:XXX:XXX:1:1:YYY:YYY are addresses to be assigned to specific sites or services on the eno1 interface.
XXXX:XXX:XXXX:XXX:XXX:1:2:YYY:YYY are addresses to be assigned to specific sites or services on the eno2 interface.
XXXX:XXXX:XXXX:XXX:XXX:1:3:YYY:YYY are addresses to be handed out to OpenVPN clients or used as OpenVPN service addresses.

To apply the network configuration it should be possible to simply reboot the server.
IPv4 changes are picked up by running the following (be sure to run it inside screen, otherwise this command will simply take down the server's network):

/etc/init.d/networking restart

Add to the end of the file “/etc/iproute2/rt_tables”:

100 eno1t
101 eno2t

Without this you cannot use custom tables in the “/etc/network/interfaces” file.
The numbers must be unique and less than 65535.

IPv6 changes can easily be made without a reboot, but to do that you need to learn at least three commands:

ip -6 addr ...
ip -6 route ...
ip -6 neigh ...

Configuring “/etc/sysctl.conf”

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward = 1

# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0

# For receiving ARP replies
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.default.arp_filter = 0

# For sending ARP
net.ipv4.conf.all.arp_announce = 0
net.ipv4.conf.default.arp_announce = 0

# Enable IPv6
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0

# IPv6 configuration
net.ipv6.conf.all.autoconf = 1
net.ipv6.conf.all.accept_ra = 0

# For OpenVPN
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.proxy_ndp = 1

# For nginx on boot
net.ipv6.ip_nonlocal_bind = 1

These are my server's “sysctl” settings. Let me point out the important ones.

net.ipv4.ip_forward = 1

Without this, OpenVPN will not work at all.

net.ipv6.ip_nonlocal_bind = 1

Ẹnikẹni ti o ba gbiyanju lati di IPv6 (fun apẹẹrẹ nginx) lẹsẹkẹsẹ lẹhin wiwo naa yoo gba aṣiṣe kan. Wipe adiresi yii ko si.

To avoid that situation, we use this setting.

net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.proxy_ndp = 1

Without these IPv6 settings, traffic from an OpenVPN client does not get out to the world.

The other settings are either unimportant or I don't remember what they are for.
But just in case, I leave them “as is”.

For changes to this file to take effect without rebooting the server, run the command:

sysctl -p

More details on the “table” rules: habr.com/post/108690

============ OpenVPN =============

OpenVPN over IPv4 does not work without iptables.

My iptables rules for the VPN look like this:

iptables -A INPUT -p udp -s YY.YY.YY.YY --dport 1194 -j ACCEPT
iptables -A FORWARD -i tun0 -o eno1 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j SNAT --to-source XX.XX.XX.X0
##iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j DROP
iptables -A FORWARD -p udp --dport 1194 -j DROP

YY.YY.YY.YY is the static IPv4 address of my local machine.
10.8.0.0/24 is the IPv4 OpenVPN network: the IPv4 addresses for the OpenVPN clients.
The order of the rules matters.

iptables -A INPUT -p udp -s YY.YY.YY.YY --dport 1194 -j ACCEPT
iptables -A FORWARD -i tun0 -o eno1 -j ACCEPT
...
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j DROP
iptables -A FORWARD -p udp --dport 1194 -j DROP

This is a restriction so that only I, from my static IP, can use OpenVPN.

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j SNAT --to-source XX.XX.XX.X0
  -- or --
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j MASQUERADE

To route IPv4 packets between the OpenVPN clients and the Internet, you need to add one of these two commands.

In some situations one of the two options is not suitable.
In my case both rules work.
After reading the documentation I chose the first one because it uses less CPU.
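Because the order of these rules matters, here is an added example (not code from the article) that walks the three INPUT rules above in first-match order for a few sample packets, so the effect of reordering can be checked offline. It models only the matches those rules use (protocol, source, destination port, conntrack state). 198.51.100.7 (RFC 5737) stands in for YY.YY.YY.YY, and the chain policy is assumed to be the Debian default ACCEPT, which the article does not show.

```python
"""Walk the VPN-related INPUT rules from the article in first-match order.

Added example, not the article's code. It models only the matches those
rules use (protocol, source address, destination port, conntrack state) so
the effect of rule order can be checked offline. 198.51.100.7 (RFC 5737)
stands in for the author's YY.YY.YY.YY; the chain policy is assumed to be
the Debian default ACCEPT, which the article does not show.
"""

ADMIN_IP = "198.51.100.7"  # constructed stand-in for YY.YY.YY.YY

# Rule tuple: (proto, source, dport, states, target); None = not constrained.
INPUT_CHAIN = [
    ("udp", ADMIN_IP, 1194, None, "ACCEPT"),                  # -p udp -s YY.YY.YY.YY --dport 1194 -j ACCEPT
    (None, None, None, {"RELATED", "ESTABLISHED"}, "ACCEPT"),  # -m state --state RELATED,ESTABLISHED -j ACCEPT
    ("udp", None, 1194, None, "DROP"),                         # -p udp --dport 1194 -j DROP
]
INPUT_POLICY = "ACCEPT"  # assumed chain policy (not shown in the article)


def matches(rule, pkt):
    """True if every constrained field of the rule matches the packet."""
    proto, src, dport, states, _target = rule
    return ((proto is None or pkt["proto"] == proto)
            and (src is None or pkt["src"] == src)
            and (dport is None or pkt["dport"] == dport)
            and (states is None or pkt["state"] in states))


def verdict(chain, pkt, policy=INPUT_POLICY):
    """Target of the first matching rule, or the chain policy if none match."""
    for rule in chain:
        if matches(rule, pkt):
            return rule[-1]
    return policy


def packet(proto, src, dport, state="NEW"):
    """Constructed packet summary with the fields the rules look at."""
    return {"proto": proto, "src": src, "dport": dport, "state": state}


if __name__ == "__main__":
    print(verdict(INPUT_CHAIN, packet("udp", ADMIN_IP, 1194)))        # admin handshake
    print(verdict(INPUT_CHAIN, packet("udp", "203.0.113.9", 1194)))   # anyone else
```

One thing the walk makes visible: the rules match UDP only, while the server.conf and base.conf shown later in this article use `proto tcp-server` / `proto tcp-client`. A TCP connection to port 1194 is covered neither by the source restriction nor by the final DROP and falls through to the chain policy, so after loading the rules it is worth checking `iptables -L INPUT -n --line-numbers` against the protocol OpenVPN actually listens on.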

For all the iptables settings to be loaded again after a reboot, they have to be saved somewhere.

iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

These file names are not chosen at random. They are the ones used by the “iptables-persistent” package.

apt-get install iptables-persistent

Installing the main OpenVPN packages:

apt-get install openvpn easy-rsa

Let's set up a template for the certificates (substitute your own values):

make-cadir ~/openvpn-ca
cd ~/openvpn-ca
ln -s openssl-1.0.0.cnf openssl.cnf

Let's edit the certificate template settings:

mcedit vars

...
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="RU"
export KEY_PROVINCE="Krasnodar"
export KEY_CITY="Dinskaya"
export KEY_ORG="Own"
export KEY_EMAIL="[email protected]"
export KEY_OU="VPN"

# X509 Subject Field
export KEY_NAME="server"
...

Ṣẹda ijẹrisi olupin kan:

cd ~/openvpn-ca
source vars
./clean-all
./build-ca
./build-key-server server
./build-dh
openvpn --genkey --secret keys/ta.key

Let's prepare everything needed to produce the final “client-name.ovpn” files:

mkdir -p ~/client-configs/files
chmod 700 ~/client-configs/files
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
mcedit ~/client-configs/base.conf

# Client mode
client

# Interface tunnel type
dev tun

# TCP protocol
proto tcp-client

# Address/Port of VPN server
remote XX.XX.XX.X0 1194

# Don't bind to local port/address
nobind

# Don't need to re-read keys and re-create tun at restart
persist-key
persist-tun

# Remote peer must have a signed certificate
remote-cert-tls server
ns-cert-type server

# Enable compression
comp-lzo

# Custom
ns-cert-type server
tls-auth ta.key 1
cipher DES-EDE3-CBC

Let's prepare a script that merges all the files into a single .ovpn file.

mcedit ~/client-configs/make_config.sh
chmod 700 ~/client-configs/make_config.sh

#!/bin/bash

# First argument: Client identifier

KEY_DIR=~/openvpn-ca/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

# Inline the CA, the client's certificate and key, and the tls-auth key
# into one .ovpn named after the client identifier passed as $1.
cat ${BASE_CONFIG} \
    <(echo -e '<ca>') \
    ${KEY_DIR}/ca.crt \
    <(echo -e '</ca>\n<cert>') \
    ${KEY_DIR}/${1}.crt \
    <(echo -e '</cert>\n<key>') \
    ${KEY_DIR}/${1}.key \
    <(echo -e '</key>\n<tls-auth>') \
    ${KEY_DIR}/ta.key \
    <(echo -e '</tls-auth>') \
    > ${OUTPUT_DIR}/${1}.ovpn

Creating the first OpenVPN client:

cd ~/openvpn-ca
source vars
./build-key client-name
cd ~/client-configs
./make_config.sh client-name

The file “~/client-configs/files/client-name.ovpn” is what gets sent to the client device.

For iOS clients you will need the following trick:
the contents of the “tls-auth” tag must be free of comment lines,
and “key-direction 1” must be placed immediately before the “tls-auth” tag.

Let's set up the OpenVPN server config:

cd ~/openvpn-ca/keys
cp ca.crt ca.key server.crt server.key ta.key dh2048.pem /etc/openvpn
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | tee /etc/openvpn/server.conf
mcedit /etc/openvpn/server.conf

# Listen port
port 1194

# Protocol
proto tcp-server

# IP tunnel
dev tun0
tun-ipv6
push tun-ipv6

# Master certificate
ca ca.crt

# Server certificate
cert server.crt

# Server private key
key server.key

# Diffie-Hellman parameters
dh dh2048.pem

# Allow clients to communicate with each other
client-to-client

# Client config dir
client-config-dir /etc/openvpn/ccd

# Run client-specific script on connection and disconnection
script-security 2
client-connect "/usr/bin/sudo -u root /etc/openvpn/server-clientconnect.sh"
client-disconnect "/usr/bin/sudo -u root /etc/openvpn/server-clientdisconnect.sh"

# Server mode and client subnets
server 10.8.0.0 255.255.255.0
server-ipv6 XXXX:XXXX:XXXX:XXXX:1:3::/80
topology subnet

# IPv6 routes
push "route-ipv6 XXXX:XXXX:XXXX:XXXX::/64"
push "route-ipv6 2000::/3"

# DNS (for Windows)
# These are OpenDNS
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

# Configure all clients to redirect their default network gateway through the VPN
push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway ipv6" #For iOS

# Don't need to re-read keys and re-create tun at restart
persist-key
persist-tun

# Ping every 10s. Timeout of 120s.
keepalive 10 120

# Enable compression
comp-lzo

# User and group
user vpn
group vpn

# Log a short status
status openvpn-status.log

# Logging verbosity
##verb 4

# Custom config
tls-auth ta.key 0
cipher DES-EDE3-CBC

This is needed to assign a static address to each client (not required, but I use it):

# Client config dir
client-config-dir /etc/openvpn/ccd

The most difficult and most important detail.

Unfortunately, OpenVPN still cannot set up the IPv6 gateway for clients on its own.
This has to be “manually” routed for each client.

# Run client-specific script on connection and disconnection
script-security 2
client-connect "/usr/bin/sudo -u root /etc/openvpn/server-clientconnect.sh"
client-disconnect "/usr/bin/sudo -u root /etc/openvpn/server-clientdisconnect.sh"

File “/etc/openvpn/server-clientconnect.sh”:

#!/bin/sh

# Check client variables
if [ -z "$ifconfig_pool_remote_ip" ] || [ -z "$common_name" ]; then
        echo "Missing environment variable."
        exit 1
fi

# Load server variables
. /etc/openvpn/variables

ipv6=""

# Find out if there is a specific config with fixed IPv6 for this client
if [ -f "/etc/openvpn/ccd/$common_name" ]; then
        # Get fixed IPv6 from client config file
        ipv6=$(sed -nr 's/^.*ifconfig-ipv6-push[ \t]+([0-9a-fA-F:]+).*$/\1/p' "/etc/openvpn/ccd/$common_name")
        echo $ipv6
fi

# Get IPv6 from IPv4
if [ -z "$ipv6" ]; then
        ipp=$(echo "$ifconfig_pool_remote_ip" | cut -d. -f4)
        if ! [ "$ipp" -ge 2 -a "$ipp" -le 254 ] 2>/dev/null; then
                echo "Invalid IPv4 part."
                exit 1
        fi
        hexipp=$(printf '%x' $ipp)
        ipv6="$prefix$hexipp"
fi

# Create proxy rule
/sbin/ip -6 neigh add proxy $ipv6 dev eno1

File “/etc/openvpn/server-clientdisconnect.sh”:

#!/bin/sh

# Check client variables
if [ -z "$ifconfig_pool_remote_ip" ] || [ -z "$common_name" ]; then
        echo "Missing environment variable."
        exit 1
fi

# Load server variables
. /etc/openvpn/variables

ipv6=""

# Find out if there is a specific config with fixed IPv6 for this client
if [ -f "/etc/openvpn/ccd/$common_name" ]; then
        # Get fixed IPv6 from client config file
        ipv6=$(sed -nr 's/^.*ifconfig-ipv6-push[ \t]+([0-9a-fA-F:]+).*$/\1/p' "/etc/openvpn/ccd/$common_name")
fi

# Get IPv6 from IPv4
if [ -z "$ipv6" ]; then
        ipp=$(echo "$ifconfig_pool_remote_ip" | cut -d. -f4)
        if ! [ "$ipp" -ge 2 -a "$ipp" -le 254 ] 2>/dev/null; then
                echo "Invalid IPv4 part."
                exit 1
        fi
        hexipp=$(printf '%x' $ipp)
        ipv6="$prefix$hexipp"
fi

# Delete proxy rule
/sbin/ip -6 neigh del proxy $ipv6 dev eno1

Both scripts use the file “/etc/openvpn/variables”:

# Subnet
prefix=XXXX:XXXX:XXXX:XXXX:2:
# netmask
prefixlen=112

I find it hard to remember now why it is written this way.

Now netmask = 112 looks strange (it should probably be 96 there).
And the prefix is strange too: it does not match the tun0 network.
But fine, I'll leave it as it is.

cipher DES-EDE3-CBC

This is not for everyone - it is the connection cipher I chose.

Learn more about configuring OpenVPN over IPv4.

Learn more about configuring OpenVPN over IPv6.

============ Postfix =============

Installing the main package:

apt-get install postfix

When installing, choose “Internet Site”.

My “/etc/postfix/main.cf” looks like this:

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtp_bind_address = XX.XX.XX.X0
smtp_bind_address6 = XXXX:XXXX:XXXX:XXXX:1:1:1:1

smtp_tls_security_level = may
smtp_tls_ciphers = export
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_loglevel = 1

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = domain1.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = domain1.com
mydestination = localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4

internal_mail_filter_classes = bounce

# Storage type
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf

# SMTP-Auth settings
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        #reject_invalid_hostname,
        #reject_unknown_recipient_domain,
        reject_unauth_destination,
        reject_rbl_client sbl.spamhaus.org,
        check_policy_service unix:private/policyd-spf

smtpd_helo_restrictions =
        #reject_invalid_helo_hostname,
        #reject_non_fqdn_helo_hostname,
        reject_unknown_helo_hostname

smtpd_client_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_helo_hostname,
        permit

# SPF
policyd-spf_time_limit = 3600

# OpenDKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:var/run/opendkim/opendkim.sock

# IP address per domain
sender_dependent_default_transport_maps = pcre:/etc/postfix/sdd_transport.pcre

Let's look at this config in detail.

smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key

According to Habr readers, this block contains “incorrect information and incorrect instructions.” Only eight years into my career did I start to understand how SSL works.

So I will take the liberty of describing how to use SSL (without answering the questions “How does it work?” and “Why does it work?”).

The basis of modern encryption is the creation of a key pair (two very long strings of characters).

One “key” is private, the other is “public”. We keep the private key strictly secret. We hand the public key out to everyone.

With the public key you can encrypt a string of text so that only the owner of the private key can decrypt it.
Well, that is the whole basis of the technology.

Step #1 - https sites.
When visiting a site, the browser learns from the web server that the site is https and therefore asks for the public key.
The web server hands over the public key. The browser uses the public key to encrypt the http request and sends it.
The contents of the http request can only be read by whoever holds the private key, that is, only by the server the request is addressed to.
An http request contains at least a URI. So if a country is trying to restrict access not to a whole site but to a specific page, this cannot be done for https sites.

Step #2 - the encrypted response.
The web server gives a response that could easily be read along the way.
The solution is extremely simple: the browser locally generates the same kind of private-public key pair for each https site.
And together with the request for the site's public key it sends its own local public key.
The web server remembers it and, when sending the http response, encrypts it with that specific client's public key.
Now the http response can only be decrypted by the owner of the client browser's private key (that is, by the client itself).

Step #3 - establishing a secure connection over a public channel.
There is a vulnerability in example #2: nothing stops “well-wishers” from intercepting the http request and editing the information about the public key.
The intermediary would then see in clear text the entire content of the messages sent and received until the communication channel changes.
Dealing with this is extremely simple: just send the browser's public key as a message encrypted with the web server's public key.
The web server then first sends a response like “your public key is such-and-such” and encrypts that text with that same public key.
The browser looks at the response: if it receives the message “your public key is such-and-such”, that is a 100% guarantee that the communication channel is secure.
How secure is it?
Creating such a secure channel takes about ping * 2. For example, 20 ms.
The attacker would have to hold the private key of one of the parties in advance. Or find the private key within a couple of milliseconds.
Cracking one modern private key would take decades on a supercomputer.

Step #4 - a public database of public keys.
Obviously, in this whole story there is room for an attacker to sit on the communication channel between the client and the server.
Towards the client it can pretend to be the server, and towards the server it can pretend to be the client. And fake the key pair in both directions.
The attacker would then see all the traffic and would be able to “edit” it.
For example, change the address where money is to be sent, copy the password to online banking, or block “objectionable” content.
To counter such attacks, a public database of public keys for each https site was invented.
Each browser “knows” about the existence of about 200 such databases. They come pre-installed in every browser.
That “knowledge” is backed by the public key of each certificate. That is, the link to each specific certificate authority cannot be forged.

Now we have a simple understanding of how SSL is used for https.
If you use your head, it becomes clear how intelligence services could break something in this scheme. But it would cost them monstrous effort.
And for organizations smaller than the NSA or CIA it is practically impossible to break the existing level of protection, even for VIPs.

I will also add a word about ssh connections. There are no public key databases there, so what can be done? The issue is solved in two ways.
The ssh-by-password option:
On the first connection, the ssh client should warn that we have received a new public key from the ssh server.
And on later connections, if the warning “new public key from the ssh server” appears, it means someone is trying to eavesdrop on you.
Or that you were eavesdropped on during your first connection, but are now talking to the server without intermediaries.
In fact, because the wiretap is detected easily, quickly and quietly, this attack is only used in special cases against a specific client.

The ssh-by-key option:
We take a flash drive and write the private key for the ssh server onto it (there are rules and many important nuances here, but I am writing an educational overview, not an instruction manual).
We leave the public key on the machine where the ssh client will run, and keep it secret as well.
We carry the flash drive to the server, plug it in, copy the private key, then burn the flash drive and scatter the ashes to the wind (or at least overwrite it with zeros).
That's all: after such an operation it will not be possible to break such an ssh connection. Of course, in 10 years it may be possible to read the traffic on a supercomputer, but that is a different story.

I apologize for the digression.

So now that we know the theory, I'll describe the flow of creating an SSL certificate.

Lilo “openssl genrsa” a ṣẹda bọtini ikọkọ ati “awọn òfo” fun bọtini gbogbo eniyan.
A fi awọn “ofo” ranṣẹ si ile-iṣẹ ẹnikẹta, eyiti a sanwo to $9 fun ijẹrisi ti o rọrun julọ.

A couple of hours later we receive our “public” key and a set of several public keys from that third-party company.

Why a third-party company should be paid for registering my public key is a separate question; we won't go into it here.

Now it is clear what this line means:

smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key

The folder “/etc/ssl” holds all the files for SSL matters.
domain1.com - the domain name.
2018 - the year the key was created.
“key” - marks the file as a private key.

And the meaning of this file:

smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
domain1.com - the domain name.
2018 - the year the key was created.
chained - marks that this is a chain of public keys (the first is our public key, the rest are the ones that came from the company that issued our public key).
crt - marks that this is a finished certificate (a public key together with technical details).

smtp_bind_address = XX.XX.XX.X0
smtp_bind_address6 = XXXX:XXXX:XXXX:XXXX:1:1:1:1

This setting is not used in this case, but is written here as an example.

Because a mistake in this parameter will lead to spam being sent from your server (against your will).

And then try proving to everyone that it wasn't your fault.

recipient_delimiter = +

Many people may not know this, but this is the standard character for plus-addressing, and it is supported by most modern mail servers.

For example, if you have a mailbox “[email protected]”, try sending to “[email protected]” and see what arrives.

inet_protocols = ipv4

This may be confusing.

But it is not the whole story. Each new domain is IPv4-only by default, and I then enable IPv6 for each one separately.

virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf

Here we specify that all incoming mail goes to dovecot.
And the rules for domains, mailboxes and aliases are looked up in the database.

/etc/postfix/mysql-virtual-mailbox-domains.cf

user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT 1 FROM virtual_domains WHERE name='%s'

/etc/postfix/mysql-virtual-mailbox-maps.cf

user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT 1 FROM virtual_users WHERE email='%s'

/etc/postfix/mysql-virtual-alias-maps.cf

user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT destination FROM virtual_aliases WHERE source='%s'
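As an added illustration (my own code, not from the article), here is how those three lookups fit together, emulated in Python with an in-memory sqlite3 database in place of MySQL. The table layout and rows are constructed assumptions; the three SELECT statements are the ones from the .cf files above, with the %s placeholder turned into a bound parameter. It shows the order in which Postfix applies the maps: the domain must be local, aliases are expanded repeatedly, and the final address must be a real mailbox.

```python
import sqlite3

# Constructed stand-in for the MySQL database "servermail" (an assumption for this
# example: the article does not show its table layout or rows).
SCHEMA = """
CREATE TABLE virtual_domains (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE virtual_users   (id INTEGER PRIMARY KEY, domain_id INTEGER NOT NULL,
                              email TEXT NOT NULL UNIQUE, password TEXT NOT NULL);
CREATE TABLE virtual_aliases (id INTEGER PRIMARY KEY, domain_id INTEGER NOT NULL,
                              source TEXT NOT NULL, destination TEXT NOT NULL);
INSERT INTO virtual_domains VALUES (1, 'domain1.com'), (2, 'domain2.com');
INSERT INTO virtual_users VALUES
  (1, 1, 'alice@domain1.com', '$6$PLACEHOLDER'),
  (2, 2, 'bob@domain2.com',   '$6$PLACEHOLDER');
INSERT INTO virtual_aliases VALUES
  (1, 1, 'postmaster@domain1.com', 'alice@domain1.com'),
  (2, 1, 'abuse@domain1.com',      'postmaster@domain1.com'),
  (3, 2, 'loop@domain2.com',       'loop@domain2.com');
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

# The three queries are the ones from the mysql-virtual-*.cf files, with the
# Postfix "%s" placeholder turned into a bound parameter (Postfix itself quotes
# the looked-up key before substituting it, which is what keeps the lookup safe).
def is_virtual_domain(db, domain):
    return db.execute("SELECT 1 FROM virtual_domains WHERE name=?",
                      (domain,)).fetchone() is not None

def is_virtual_mailbox(db, email):
    return db.execute("SELECT 1 FROM virtual_users WHERE email=?",
                      (email,)).fetchone() is not None

def alias_destination(db, email):
    row = db.execute("SELECT destination FROM virtual_aliases WHERE source=?",
                     (email,)).fetchone()
    return row[0] if row else None

def resolve_recipient(db, email, max_hops=10):
    """Mimic what Postfix does with a recipient address using the three maps:
    a domain not in virtual_mailbox_domains is not local (relay rules apply),
    aliases are expanded repeatedly, and the final address must be a mailbox."""
    domain = email.rpartition("@")[2].lower()
    if not is_virtual_domain(db, domain):
        return ("not-local", email)
    seen = {email}
    for _ in range(max_hops):
        dest = alias_destination(db, email)
        if dest is None:
            break
        if dest in seen:           # a@ -> a@ (or a longer cycle) would loop forever
            return ("alias-loop", dest)
        seen.add(dest)
        email = dest
    if is_virtual_mailbox(db, email):
        return ("deliver", email)
    return ("unknown-user", email)

if __name__ == "__main__":
    db = open_db()
    for rcpt in ("abuse@domain1.com", "nobody@domain1.com",
                 "loop@domain2.com", "someone@example.org"):
        print(rcpt, "->", resolve_recipient(db, rcpt))
```

Note also that the three .cf files carry the database password in clear text, so they should be readable only by root and the postfix user.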

# SMTP-Auth settings
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

Now postfix knows that mail may be accepted for relaying only after authentication through dovecot.

I do not really understand why this is duplicated here. We already said everything that is needed in "virtual_transport".

But postfix's configuration is very old; perhaps this is a leftover from the old days.

smtpd_recipient_restrictions =
        ...

smtpd_helo_restrictions =
        ...

smtpd_client_restrictions =
        ...

This can be configured differently for each mail server.

I have 3 mail servers on my hands, and these settings differ a lot because of the different usage requirements.

They need to be configured carefully; otherwise spam will pour in to you, or, worse, spam will pour out from you.

# SPF
policyd-spf_time_limit = 3600

A setting for the plugin that performs the SPF check on incoming mail.

# OpenDKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:var/run/opendkim/opendkim.sock

The setup is such that every outgoing email must carry a DKIM signature.

# IP address per domain
sender_dependent_default_transport_maps = pcre:/etc/postfix/sdd_transport.pcre

This is the key piece of information in routing a message when mail is sent from PHP scripts.

The file "/etc/postfix/sdd_transport.pcre":

/^[email protected]$/ domain1:
/^[email protected]$/ domain2:
/^[email protected]$/ domain3:
/@domain1.com$/             domain1:
/@domain2.com$/             domain2:
/@domain3.com$/             domain3:

On the left are regular expressions. On the right is the label that marks the message.
Based on the label, postfix will take a few more configuration lines into account for that particular message.

Exactly how postfix reconfigures itself for a particular message is specified in "master.cf".

Lines 4, 5 and 6 are the main ones: whichever domain the message is sent on behalf of, we attach that label.
But in old PHP code the "from" field is not always set. Then the username comes to the rescue.

The article is already long, so I would rather not get sidetracked by the nginx+fpm setup.

In short, each site gets its own linux user as owner, and correspondingly its own fpm-pool.

An fpm-pool can use any version of php (it is great that on the same server you can use different php versions and even different php.ini files for neighbouring sites without any trouble).

So, a particular Linux user "www-domain2" owns the site domain2.com. That site has code which sends emails without setting the from field.

So even in that case the messages are sent correctly and do not end up in spam.
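The lookup described above, as an added example (my own code, not the article's): a small emulation of a Postfix pcre: table lookup against a transport map. The three "@domainN.com$" rules are the article's; the "www-domainN@" username rules are my assumption about the lines the page shows only in obfuscated form, as is the sender "www-domain3@mail.example" standing in for a PHP script that sets no From. The example also shows a detail worth knowing about the article's patterns: an unescaped "." in "/@domain1.com$/" matches any character, and a hardened copy of the table escapes it as "\.".

```python
import re

# Transport map in the format of /etc/postfix/sdd_transport.pcre. The three
# "@domainN.com$" rules are the article's; the "www-domainN@" rules are an
# assumption about the username-based rules the page shows only in obfuscated
# form (a PHP script that sets no From gets the sender "<linux user>@<host>").
ARTICLE_TABLE = """
/^www-domain1@/             domain1:
/^www-domain2@/             domain2:
/^www-domain3@/             domain3:
/@domain1.com$/             domain1:
/@domain2.com$/             domain2:
/@domain3.com$/             domain3:
"""

# Same table with the dots escaped, so "." means a literal dot, not "any character".
HARDENED_TABLE = ARTICLE_TABLE.replace(".com$", r"\.com$")

LINE = re.compile(r"^/(.+)/\s+(\S+)$")

def parse_pcre_table(text):
    """Turn 'pattern result' lines into compiled rules, in file order.
    Postfix pcre: tables match case-insensitively by default, hence IGNORECASE."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if m is None:
            raise ValueError(f"cannot parse table line: {raw!r}")
        rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return rules

def lookup_transport(rules, sender):
    """First matching rule wins, as in a Postfix pcre: table lookup; None means
    no rule matched and Postfix falls back to default_transport."""
    for pattern, transport in rules:
        if pattern.search(sender):
            return transport
    return None

if __name__ == "__main__":
    rules = parse_pcre_table(ARTICLE_TABLE)
    for sender in ("alice@domain2.com", "www-domain3@mail.example",
                   "alice@example.org", "alice@domain1Xcom"):
        print(sender, "->", lookup_transport(rules, sender))
```

The "www-domain3@mail.example" case is the situation the text describes: no From was set, so the envelope sender is the Linux user at the host name, and the username rule still routes it through the right transport.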

My "/etc/postfix/master.cf" looks like this:

...
smtp      inet  n       -       y       -       -       smtpd
  -o content_filter=spamassassin
...
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
...
policyd-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/bin/policyd-spf

spamassassin unix -     n       n       -       -       pipe
    user=spamd argv=/usr/bin/spamc -f -e
    /usr/sbin/sendmail -oi -f ${sender} ${recipient}
...
domain1  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X1
   -o smtp_helo_name=domain1.com
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:1:1
   -o syslog_name=postfix-domain1

domain2  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X5
   -o smtp_helo_name=domain2.com
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:2:1:1
   -o syslog_name=postfix-domain2

domain3  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X2
   -o smtp_helo_name=domain3
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:5:1
   -o syslog_name=postfix-domain3

The file is not given in full; it is already very large.
I have noted only what changed.

smtp      inet  n       -       y       -       -       smtpd
  -o content_filter=spamassassin
...
spamassassin unix -     n       n       -       -       pipe
    user=spamd argv=/usr/bin/spamc -f -e
    /usr/sbin/sendmail -oi -f ${sender} ${recipient}

These are the settings related to spamassassin; more on that later.

submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

We allow connecting to the mail server on port 587.
To do that, you must authenticate.

policyd-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/bin/policyd-spf

Enable the SPF check.

apt-get install postfix-policyd-spf-python

Let us install the package for the SPF check above.

domain1  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X1
   -o smtp_helo_name=domain1.com
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:1:1
   -o syslog_name=postfix-domain1

And this is the most interesting part. This is the ability to send mail for a specific domain from a specific IPv4/IPv6 address.

This is done for the sake of rDNS. rDNS is the procedure of obtaining a name from an IP address.
For mail, this feature is used to confirm that the helo matches exactly the rDNS of the address from which the email was sent.

If the helo does not match the email domain on whose behalf the message is sent, spam points are awarded.

If the helo does not match the rDNS, a lot of spam points are awarded.
Therefore each domain must have its own IP address.
For OVH, rDNS can be set in the console.
For tech.ru, the matter is handled through support.
For AWS, the matter is handled through support.
"inet_protocols" and "smtp_bind_address6" enable IPv6 support.
For IPv6 you also need to register rDNS.
"syslog_name" is there for convenience when reading the logs.
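The check a receiving server makes, as an added example (my own code, not from the article), using constructed PTR and A/AAAA tables in place of live DNS and documentation addresses in place of the masked XX.XX.XX.Xn ones: forward-confirmed rDNS (the client IP's PTR equals the HELO name and the HELO name resolves back to the client IP) plus the HELO/sender-domain agreement described above. Allowing a HELO that is a subdomain of the sender domain is my own relaxation, not something the article states.

```python
import ipaddress

# Constructed DNS data (an assumption for this example: the article masks its
# real addresses as XX.XX.XX.Xn). Documentation ranges 192.0.2.0/24, 2001:db8::/32.
PTR_RECORDS = {                      # reverse zone: address -> name
    "192.0.2.1": "domain1.com",
    "192.0.2.5": "domain2.com",
    "192.0.2.2": "domain3.com",
    "2001:db8::1:1:1:1": "domain1.com",
}
FORWARD_RECORDS = {                  # forward zone: name -> A/AAAA records
    "domain1.com": {"192.0.2.1", "2001:db8::1:1:1:1"},
    "domain2.com": {"192.0.2.5"},
    "domain3.com": {"192.0.2.2"},
}

def _canon(ip):
    """Normalise so '2001:DB8::1:1:1:1' and '2001:db8:0:0:1:1:1:1' compare equal."""
    return str(ipaddress.ip_address(ip))

def check_helo_rdns(client_ip, helo_name, mail_from,
                    ptr=PTR_RECORDS, fwd=FORWARD_RECORDS):
    """Return the findings a receiving MTA would hold against one SMTP session:
    forward-confirmed rDNS (PTR of the client IP == HELO, and HELO resolves back
    to the client IP) plus the HELO/sender-domain agreement the article describes.
    Accepting a HELO that is a subdomain of the sender domain is my own relaxation.
    An empty list means the session passed every check."""
    ip = _canon(client_ip)
    helo = helo_name.rstrip(".").lower()
    findings = []

    ptr_name = ptr.get(ip)
    if ptr_name is None:
        findings.append(f"no PTR record for {ip}")
    elif ptr_name.lower() != helo:
        findings.append(f"HELO {helo} does not match PTR {ptr_name}")

    forward = {_canon(a) for a in fwd.get(helo, ())}
    if ip not in forward:
        findings.append(f"HELO {helo} does not resolve back to {ip}")

    if "@" in mail_from:   # bounces have an empty envelope sender; nothing to compare
        sender_domain = mail_from.rpartition("@")[2].lower()
        if not (helo == sender_domain or helo.endswith("." + sender_domain)):
            findings.append(f"HELO {helo} is not the sender domain {sender_domain}")
    return findings

if __name__ == "__main__":
    print(check_helo_rdns("192.0.2.1", "domain1.com", "alice@domain1.com"))
    print(check_helo_rdns("192.0.2.2", "domain3", "x@domain3.com"))
```

Applied to the master.cf above, note that the domain3 transport sets smtp_helo_name=domain3 rather than domain3.com; unless that really is the rDNS name of XX.XX.XX.X2, a receiver running a check like this would flag every message sent through that transport.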

I recommend buying certificates here.

Setting up the postfix+dovecot link here.

Setting up SPF.

=========== Dovecot =============

apt-get install dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-mysql dovecot-antispam

The mysql setup and the installation of the packages themselves.

File "/etc/dovecot/conf.d/10-auth.conf"

disable_plaintext_auth = yes
auth_mechanisms = plain login

Authentication is allowed only over an encrypted connection.

File "/etc/dovecot/conf.d/10-mail.conf"

mail_location = maildir:/var/mail/vhosts/%d/%n

Here we specify where messages are stored.

I want them stored as files and grouped by domain.

File "/etc/dovecot/conf.d/10-master.conf"

service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    address = XX.XX.XX.X1, XX.XX.XX.X2, XX.XX.XX.X5, [XXXX:XXXX:XXXX:XXXX:1:1:1:1], [XXXX:XXXX:XXXX:XXXX:1:2:1:1], [XXXX:XXXX:XXXX:XXXX:1:1:5:1]
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    address = XX.XX.XX.X1, XX.XX.XX.X2, XX.XX.XX.X5, [XXXX:XXXX:XXXX:XXXX:1:1:1:1], [XXXX:XXXX:XXXX:XXXX:1:2:1:1], [XXXX:XXXX:XXXX:XXXX:1:1:5:1]
    port = 995
    ssl = yes
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
service imap {
}
service pop3 {
}
service auth {
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }

  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
  user = dovecot
}
service auth-worker {
  user = vmail
}
service dict {
  unix_listener dict {
  }
}

This is the main dovecot configuration file.
Here we disable the insecure connections.
And enable the secure ones.

File "/etc/dovecot/conf.d/10-ssl.conf"

ssl = required
ssl_cert = </etc/nginx/ssl/domain1.com.2018.chained.crt
ssl_key = </etc/nginx/ssl/domain1.com.2018.key
local XX.XX.XX.X5 {
  ssl_cert = </etc/nginx/ssl/domain2.com.2018.chained.crt
  ssl_key =  </etc/nginx/ssl/domain2.com.2018.key
}

The ssl setup. We state that ssl is required.
And the certificate itself. An important detail is the "local" directive. It specifies which SSL certificate to use when a client connects to which local IPv4 address.

By the way, IPv6 is not configured here; I will fix that omission later.
XX.XX.XX.X5 (domain2) - no certificate. To connect clients you need to specify domain1.com.
XX.XX.XX.X2 (domain3) - there is a certificate; you can specify either domain1.com or domain3.com to connect clients.

File "/etc/dovecot/conf.d/15-lda.conf"

protocol lda {
  mail_plugins = $mail_plugins sieve
}

This will be needed later for spamassassin.

File "/etc/dovecot/conf.d/20-imap.conf"

protocol imap {
  mail_plugins = $mail_plugins antispam
}

This is the antispam plugin. It is needed to train spamassassin at the moment a message is moved to or from the "Spam" folder.

File "/etc/dovecot/conf.d/20-pop3.conf"

protocol pop3 {
}

The file exists in this form.

File "/etc/dovecot/conf.d/20-lmtp.conf"

protocol lmtp {
  mail_plugins = $mail_plugins sieve
  postmaster_address = [email protected]
}

The lmtp setup.

File "/etc/dovecot/conf.d/90-antispam.conf"

plugin {
  antispam_backend = pipe
  antispam_trash = Trash;trash
  antispam_spam = Junk;Spam;SPAM
  antispam_pipe_program_spam_arg = --spam
  antispam_pipe_program_notspam_arg = --ham
  antispam_pipe_program = /usr/bin/sa-learn
  antispam_pipe_program_args = --username=%Lu
}

Settings for training spamassassin at the moment a message is moved to or from the Spam folder.

File "/etc/dovecot/conf.d/90-sieve.conf"

plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_after = /var/lib/dovecot/sieve/default.sieve
}

The file that specifies what to do with incoming messages.

File "/var/lib/dovecot/sieve/default.sieve"

require ["fileinto", "mailbox"];

if header :contains "X-Spam-Flag" "YES" {
        fileinto :create "Spam";
}

The file needs to be compiled: "sievec default.sieve".

File "/etc/dovecot/conf.d/auth-sql.conf.ext"

passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
}

We set up the sql files for authentication.
And the file itself is used as the authentication method.

File "/etc/dovecot/dovecot-sql.conf.ext"

driver = mysql
connect = host=127.0.0.1 dbname=servermail user=usermail password=password
default_pass_scheme = SHA512-CRYPT
password_query = SELECT email as user, password FROM virtual_users WHERE email='%u';

This matches the corresponding postfix settings.

File "/etc/dovecot/dovecot.conf"

protocols = imap lmtp pop3
listen = *, ::
dict {
}
!include conf.d/*.conf
!include_try local.conf

The main configuration file.
The important thing we specify here is the inclusion of the directories.

============ SpamAssassin =============

apt-get install spamassassin spamc

Let us install the packages.

adduser spamd --disabled-login

Let us add the user on whose behalf it will run.

systemctl enable spamassassin.service

We enable automatic start of the spamassassin service on boot.

File "/etc/default/spamassassin":

CRON=1

This enables the automatic rule updates "by default".

File "/etc/spamassassin/local.cf":

report_safe 0

use_bayes          1
bayes_auto_learn   1
bayes_auto_expire  1
bayes_store_module Mail::SpamAssassin::BayesStore::MySQL
bayes_sql_dsn      DBI:mysql:sa:localhost:3306
bayes_sql_username sa
bayes_sql_password password

You need to create the database "sa" in mysql with the user "sa" and the password "password" (replace it with something proper).

report_safe - this would send a report about the message instead of the message itself (it is set to 0 here, so that does not happen).
use_bayes - these are spamassassin's machine-learning settings.

The remaining spamassassin settings were used earlier in the article.

General "spamassassin" setup.
On moving new Spam emails to the "Spam" IMAP folder.
On a simple combination of Dovecot + SpamAssassin.
I recommend reading about training spamassassin when moving messages between imap folders (and I do not recommend using it).

============= Appeal to the community =============

I would also like to throw an idea out to the community on how to raise the security level of the mail being passed around, since I have become so deeply immersed in the topic of mail.

Let a user be able to create two keys on their client (Outlook, Thunderbird, a browser plugin, ...). Public and private. The public one is published in DNS. The private one stays on the client. Mail servers would then be able to use the public key when sending to a specific recipient.

And to protect against spam in such messages (yes, the mail server would not be able to see the content), three rules would need to be introduced:

  1. A mandatory real DKIM signature, mandatory SPF, mandatory rDNS.
  2. A neural network trained for antispam, plus a database for it, on the client side.
  3. The encryption algorithm must be such that the sending side has to spend 100 times more CPU power on encryption than the receiving side.

In addition to public messages, a standard proposal message "to start secure correspondence" could be developed. One of the users (a mailbox) sends a message with an attachment to another mailbox. The message contains a textual proposal to start a secure communication channel for the correspondence, and the public key of the mailbox owner (with the private key kept on the client side).

You could even create a separate key pair for each correspondence. The receiving user can accept this offer and send their own public key (also specific to this correspondence). Next, the first user sends a service control message (encrypted with the second user's public key), on receipt of which the second user can consider the created channel trusted. Then the second user sends a control message, and from then on the first user can also consider the channel secure.

To counter interception of the keys in transit, the protocol must provide for the possibility of transmitting at least one public key on a flash drive.

And most importantly, so that it all works (the question being "who will pay for it?"):
Introduce mail certificates starting at $10 for 3 years, which would let the sender state in DNS that "my public keys are over there" and would give the ability to start a secure connection. Accepting such connections, meanwhile, would be free.
gmail finally monetizes its users: for $10 per three years, the right to create secure correspondence channels.

=========== Conclusion ==============

To test the whole article, I was going to rent a dedicated server for a month and buy a domain with an SSL certificate.

But life turned out such that this dragged on for 2 months.
So when I had free time once again, I decided to publish the article as it is, rather than risk the publication dragging on for another year.

If there are many questions along the lines of "but this is not described in enough detail", then there will probably be the energy to take a dedicated server with a new domain and a new SSL certificate and describe it in even more detail and, most importantly, find all the important details that are missing.

I would also like feedback on the ideas about mail certificates. If you like the idea, I will try to find the energy to write a draft for an rfc.

When copying large parts of the article, provide a link to this article.
When translating it into any other language, provide a link to this article.
I will try to translate it into English myself and leave cross-references.


source: www.habr.com
