- [Show page]
- [Old revisions]
- [[unknown link type]]
- []
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
linux:skoleni:mailserver [2014/04/24 16:14] admin |
linux:skoleni:mailserver [2014/05/02 00:50] (current) admin [SPF, cast druha] |
||
|---|---|---|---|
| Line 399: | Line 399: | ||
| root@xen-skoleni-10:/srv/mail# | root@xen-skoleni-10:/srv/mail# | ||
| </code> | </code> | ||
| + | |||
| + | ===== SSL ===== | ||
| + | <code> | ||
| + | cd /etc/postfix | ||
| + | mkdir ssl | ||
| + | cd ssl | ||
| + | openssl req -new -x509 -nodes -out cert.pem -keyout key.pem | ||
| + | </code> | ||
| + | |||
| + | <file bash main.cf> | ||
| + | # TLS | ||
| + | smtpd_tls_cert_file=/etc/postfix/ssl/cert.pem | ||
| + | smtpd_tls_key_file=/etc/postfix/ssl/key.pem | ||
| + | smtpd_use_tls=yes | ||
| + | </file> | ||
| + | |||
| + | ====== Dorucovani pres Dovecot ====== | ||
| + | Pozor, nefunguje ''dovecot_destination_recipient_limit = 1'' | ||
| + | <file bash master.cf> | ||
| + | dovecot unix - n n - - pipe | ||
| + | # flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -d ${recipient} | ||
| + | flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -d ${user}@${nexthop} | ||
| + | </file> | ||
| + | |||
| + | |||
| + | ====== Antispam, antivir, blacklisty a greylisting ======== | ||
| + | <code> | ||
| + | apt-get install amavis clamav | ||
| + | </code> | ||
| + | Odkomentovat v /etc/amavis/conf.d/15-content-filter-mode radky pro predani e-mailu ke kontrole | ||
| + | <file perl /etc/amavis/conf.d/15-content-filter-mode> | ||
| + | @bypass_virus_checks_maps = ( | ||
| + | \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re); | ||
| + | @bypass_spam_checks_maps = ( | ||
| + | \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re); | ||
| + | </file> | ||
| + | |||
| + | <file bash main.cf> | ||
| + | # Anti spam/vir/komunista | ||
| + | content_filter = zabijak:[127.0.0.1]:10024 | ||
| + | </file> | ||
| + | |||
| + | <file bash master.cf> | ||
| + | zabijak unix - - - - 5 smtp | ||
| + | -o smtp_data_done_timeout=1200 | ||
| + | -o smtp_send_xforward_command=yes | ||
| + | 127.0.0.1:10025 inet n - - - - smtpd | ||
| + | -o content_filter= | ||
| + | -o local_recipient_maps= | ||
| + | -o relay_recipient_maps= | ||
| + | -o smtpd_restriction_classes= | ||
| + | -o smtpd_client_restrictions= | ||
| + | -o smtpd_helo_restrictions= | ||
| + | -o smtpd_sender_restrictions= | ||
| + | -o smtpd_recipient_restrictions=permit_mynetworks,reject | ||
| + | -o mynetworks=127.0.0.0/8 | ||
| + | -o strict_rfc821_envelopes=yes | ||
| + | -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks | ||
| + | </file> | ||
| + | |||
| + | ====== SPF - cast prvni====== | ||
| + | Kdyz jsme venovali tolik prace DNS, ukazeme si pomerne hezkou antispamovou techniku. Jedna se o hlubsi overovani domeny odesilatele. Konkretne se dotazeme serveru jahoda.cz, jestli adresa 1.2.3.4 mohla odeslat e-mail From:<nekdo@jahoda.cz>. | ||
| + | |||
| + | Pokud spravce domeny jahoda.cz presne vi, ze vsichni jeho uzivatele pouzivaji jeden centralni server, vuci kteremu se overuji a odesilaji pres nej postu, pak muze vesele do DNS napsat informaci: | ||
| + | "Mame jeden centralni server pres ktery odesilame postu na IPv4: 9.8.7.6, jine jsou podvod." | ||
| + | |||
| + | Akorat se to zapisuje takto: | ||
| + | jahoda.cz. IN TXT "v=spf1 ip4:9.8.7.6 -all" | ||
| + | |||
| + | Zaznamy, ktere nemaji pred sebou znamenko +/- se berou, jako by mely +. Tedy "+ipv4" v nasem prikladu. | ||
| + | |||
| + | Vysvetleni: | ||
| + | * spf1 - zaznam popisuje Sender Policy Framework | ||
| + | * ipv4 - oznamuje ip aderesu, ktera patri mezi povolene | ||
| + | * -all - oznamuje ze vse ostatni je neplatne | ||
| + | |||
| + | Kdyby nekoho zajimalo, jak vypada nas SPF zaznam, tady je: | ||
| + | starlab.cz. IN TXT "v=spf1 mx -all". | ||
| + | Promite mi, ze to sem pisu, vdyt' vsichni umite | ||
| + | host -t txt starlab.cz | ||
| + | |||
| + | **Upozorneni: Tim ovsem pomahate jen druhym, aby e-maily s vasi podvrzenou domenou nikde nezpusobovali spam.** Jeste je potreba take nastavit druhou cast tj. implementovat ochranu na vlastnim serveru. | ||
| + | |||
| + | ====== SPF - cast druha ======= | ||
| + | Zarazeni do postfixu je obvykla trojkombinace | ||
| + | * apt-get install <neceho> | ||
| + | * pridani do main.cf | ||
| + | * pridani do master.cf | ||
| + | A pak trocha ladeni a opravovani preklepu. | ||
| + | |||
| + | Existuje python i perl verze. | ||
| + | apt-get install postfix-policyd-spf-python | ||
| + | apt-get install postfix-policyd-spf-perl | ||
| + | Pro ty co se nudi mohou napsat pojednani, jaky je mezi nimi rozdil. | ||
| + | |||
| + | Do ''main.cf'' pridame kamkoliv <code>policy-spf_time_limit = 3600s</code> | ||
| + | |||
| + | A do ''master.cf'' pridame treba pythonovsky skript | ||
| + | <code> | ||
| + | policy-spf unix - n n - - spawn | ||
| + | user=nobody argv=/usr/bin/policyd-spf | ||
| + | </code> | ||
| + | |||
| + | A obohatime ''smtpd_recipient_restrictions'' v main.cf: | ||
| + | |||
| + | <code> | ||
| + | smtpd_recipient_restrictions = | ||
| + | ... | ||
| + | permit_sasl_authenticated | ||
| + | permit_mynetworks | ||
| + | reject_unauth_destination | ||
| + | check_policy_service unix:private/policy-spf | ||
| + | </code> | ||
| + | |||
| + | ====== Sieve filtry v akci ====== | ||
| + | Globalni filtr pro razeni spamu vsem uzivatelum do slozky spam. | ||
| + | <file text /srv/mail/globalsieverc> | ||
| + | require "fileinto"; | ||
| + | if header :contains "X-Spam-Flag" "YES" { | ||
| + | fileinto "spam"; | ||
| + | stop; | ||
| + | } | ||
| + | </file> | ||
| + | ====== Ladeni vykonu a statistiky ====== | ||
| + | <code> | ||
| + | apt-get install mailgraph | ||
| + | apt-get install collectd --no-install-recommends | ||
| + | </code> | ||
| + | |||
| + | ======= Automaticka odpoved v dobe nepritomnosti ====== | ||
| + | <file postfix master.cf> | ||
| + | moje_prazdniny unix - n n - - pipe | ||
| + | flags=Rq user=autoreply argv=/home/autoreply/autoreply.pl -f ${sender} -- ${recipient} | ||
| + | </file> | ||
| + | |||
| + | <file base64 vacation.pl.gz.base64> | ||
| + | H4sICKCBWlMAA3ZhY2F0aW9uLnBsAK1Ze3fTyA7/m3wK4bYnzjaPBpZ9JLTbkoZL7iltTxPY5dCS | ||
| + | dewJma1jG3vStIf2fvYrafyKHQIXbnpI7BlJI/2kkTTD1uPWIgpbE+m1AhG60FhWtipb8FaGamG5 | ||
| + | 8NayLSV9D5422zg8uYPXMrJnFpwLJcIIns/1q6VgJj/OnoHjK/CEOkDinh/chTiowLRr8GRv7wk0 | ||
| + | 6OcZvCLSx0hyIm3hRQIG3tTvwEypoNNqLZfLZuBHaipvLWcuvabtz1t/TKUr9k8Gvf7psN8c/TVi | ||
| + | NY8cR5J6UQdfUPTPrb1fW+2nAMfWjXTgLJr4oQfP/ShyxA0p6Vi+7bNE0jD/iVQobVWHIPRtEUUi | ||
| + | QlPmlvTAFTfCBcuVFg7WYe6Hosi6mIT+QkmP5iPhORCKwL2DaejPwUcIpIdQKh8sxwlRNqvO2rbb | ||
| + | rb3fv0dbNFw4EN1Frv8R1w8CP1TZbIF46JIXUKGJUOg1QB5U6SMsZ9KegfRsd+GgvXNUzfoopFNc | ||
| + | 68ZH7aQ3lZ5UArn9IIKlVLMEoRgbNGuBvjx+Mejyg0a0W6nM72DbmYzVXSBgH6rzu+iTW+0mwzN0 | ||
| + | NQ27vm259JJNoZSQpvLRkM0GVhTRbHTtu8KT2YRnzcUX2Mg7qLOL0wYHfkSRn4wamgjxoWhjGjUP | ||
| + | WjfxJmjihNElSLYgCoQtp3dgAZPykjMRCpj6IYhbax64ogN5Tq2dmCy+IJynSDwKF8H/Ipw5tXk6 | ||
| + | IPZhr8tatkFOyd0gPHQG+jia+QvXwUCgOFUUk5olcdIMedGBjQOMO0/YyjTwrZN4r5Og20kcZ9TB | ||
| + | SDyVPJNf8PkzXFgyEv0wRKX3D1CXhxoGwxYgrUMrO5hCbJUFVrw7KMCuF4GOs9gffmD7C0/t76EA | ||
| + | 3G0YeONPCxHewecK2ok05ja/11D9w3E3HtyOFNlDZjUOAtyTVihSQlTKkQKMnuVVFcSzoGc7MY8I | ||
| + | QwziS89giSQOx26FvUBtV/mTUTUTkIjQ5CxCCwiFWuAGp4lu5SG1hN2Xs0R67Trg9xP+fsrfP/P3 | ||
| + | M/7+JWclutfMR1UtlbPtWEowjR8ID8zj/os3/0IPHRzk6I0UB9N441kTlICOYQatlSZiMfbMD1A7 | ||
| + | Eovr/82/xu7Ou9bOvLXjwM6rzs7rzs7Q+FuTB6HEAONVwdjnD8TM/ElQTUinCe1OBPew/gt5GIGv | ||
| + | 4KPVdX3MQdpsrdFDDnPbstFTGebKR1bK14UI0lG2D58+fR72T/q9EWjOlxdnr9MNCH++6l/0QVAK | ||
| + | 2a+irCocnR7Dy8Hp8XhwOh72R2aVhVfrzF17KERoGs5JdKbz4Q0FMEdS6C+j1Oc8gds89jdFZ07V | ||
| + | N+fHR6N+ph9qoPXe752d9o5GJr/Uq/SnFauVbXhI3LNRyYd8YIc3+bimvJMhnFYXBDpFG3+Q+B9M | ||
| + | AwXc0+DVAR7ntczaOKiH74YnZxTV92kXQ8UNq0YjADKlidnFh4ZKG5kNEa85MdohWSQOTL0KGGdY | ||
| + | yhsjbFQwHF+i9vzwWts1OOa3obaGno2CoXkAYqMThJNg1QvFCjxk5icFKbZf264Np+0cT2827Qe2 | ||
| + | cgoFMAzM1wECAg2MkWArM/MTC/PwZAhAsvlju9no4hblMp3FT4wiIxoLx6eJ7+STvkbm9dHghGIi | ||
| + | V+4xAhpTreQGmNI+IJ/CSBoYOSsT5fPTMRjrpkqYrCPq+Z7CgtwYUZUFJW5VK3Cxt+qir6wwEmpf | ||
| + | Rn7jt9+e/d54so7/r8YJFskOnOuWB/tD7HlKXfylt46XQVzxB43X0q2M5dkZh8Jyx0mFzrzC+aJQ | ||
| + | j3Z3s4oNB9joZts2zgqmUZZJLI+phbAXYYhQuFRCWTwN9i8uzi6yh2yPakNMA3u9SJIvV/pUfFuj | ||
| + | PnVRz7Xsgyb0ZsK+5jHuY5kPYUpDX9xKBe0s2XFaRnHMv6FQ8PzGQsG/VbDwwGDZSt6I/fYPVIYK | ||
| + | d3wX2JYGknq7GdqSLFwoG+1c2UhNIXGxTWwrCDcSa8tLbOBHn3Y/2aeB08bFIKfmfVsZYU3WWVQw | ||
| + | SkYIl16vjluDPId20UIT/7ZkctnqNLUziIe4TrrmVCh7hgNjKwytu+4K4ba2EEmR4P3eVW72uzzP | ||
| + | 4tZ5/tug2oQWA3bE6q6B44txsC4aWMvcmg+ZR/6k4510XVzjhvMnNe28idadmpvNZsyZRNWqH8xt | ||
| + | Oj9gOtfMlE+iwJXKbB226nFU1jZj/pVgvDyMZVd/GOd0Kg/4CHvCUNgit/esNVB80Quw4oZvDk1N | ||
| + | u72UrmNboYNHCT5Ll6M0wZkoY6zpcT3eK+Jq+chiW3XCzJ/9VwjYsmSdkmn4IbvruVCj5ctJ2iyq | ||
| + | 8WhFTiE9rcDhieU4DWK+Q2hC9bCK3zmju9+rViq9pFKl9PhQbJFLi6RVlnqPcbJbY/ULdRYZ6TZp | ||
| + | nLU//Bp3RvzM7RE/pc3WV080iThqA76hXv3fDi+57PNtAU+86dmtgAmf3SjaNNDd1AXpAds03g/7 | ||
| + | eCy76A/Pz06H/StOVwWwOnzENAiFpP0AM0a2k2Jc01Sjs05udT02fPPi3whqZ9VVeu7tEZ69Bmen | ||
| + | kBHpjVqYfnF2/C6ea1/lW5GkK15jez2RVU8Y81zcdBVMLYdMPpCSY1lyFqEw3fryBzgZbCDQH75m | ||
| + | Wu3lbXuloc/Clu+KRtY1XX1ZDl02W4EVqspyRkch8/lwdDw4PYhjyLUw8VF8tD5st2pppLU+0FKd | ||
| + | y2jXbP6EXttuSYoRfVjBYGt3s2NW6wO6uESJVaVEZ9tlOtsu08VWlYmTw1GJI7a+QYFYZMpOTyW2 | ||
| + | gEqPIzxbMNtk4V7fuzJS9/8svOua5uc21tyrrTDeNqjbJab4rvQS+Lb0Em700eEyzQVlKRQRMJiC | ||
| + | kGqGOVafkHBL0VmI7tI8X2FWQ6cSU4UWfKyBv7+HxwhsUV4lcYtrxzGiY6CXtHlSVbn98yc30l9E | ||
| + | nDKplKXyYwH/gZb5/nJ52WjuXO1eHuJjs3G1W2uVXZ8xiU9gGKRZJuODv/RE2LhvmKHAzIZw8kDt | ||
| + | 8vD+g0n7DycdS8x9757Qm2MI8mwZKTRiqEIZaGiw6evZ+jdYRDO6M5zTQYVzHW2QQ7o5D8a2Hac/ | ||
| + | yA0qXw9mJbsOP+E/xowwRcw4TwqsXcKhwCRtCiLXchMlq8tamYUF60UZNX2zfxgJK7RnSaZOTdW5 | ||
| + | Mz1yEajxPq5Q3i2Kj/cxO2S82YWVR4mCuZUxdbR1snq0kvFHF4NzTPm9wfmgfzoaXnXAKNzFtDH1 | ||
| + | NozsK3cTgbbwEvrefcUg/X8nKx12bFZOqVqugnPd39hYjGsbKmShkr08e4OlLKkYa6zKp9ikWKQ5 | ||
| + | vfJoXbthligLcvK5OYFor1v5L3Gl/PBDHAAA | ||
| + | </file> | ||
| + | |||
| + | ======= LDAP ======= | ||
| + | [[http://www.howtoforge.com/postfix-virtual-hosting-with-ldap-backend-and-with-dovecot-as-imap-pop3-server-on-ubuntu-karmic-koala-9.10-p2]] | ||
linux/skoleni/mailserver.1398348853.txt.gz · Last modified: 2014/04/24 16:14 by admin