Różnice między wybraną wersją a wersją aktualną.
poczta [2021/01/07 18:56] – [Użytkownik skrzynek pocztowych] kamil | poczta [2023/12/18 12:53] (aktualna) – [Przydatne narzędzia] kamil | ||
---|---|---|---|
Linia 8: | Linia 8: | ||
Instalujemy czystego Debiana 10 (Serwer SSH i Podstawowe narzędzia systemowe). | Instalujemy czystego Debiana 10 (Serwer SSH i Podstawowe narzędzia systemowe). | ||
+ | |||
+ | Jeśli system postawiliśmy na maszynie wirtualnej to proszę dodać taki oto wpis do pliku / | ||
+ | < | ||
+ | net.ipv4.tcp_window_scaling = 0 | ||
+ | </ | ||
+ | |||
+ | Oraz przeładować ustawienia kernela: | ||
+ | < | ||
+ | sysctl -p | ||
+ | </ | ||
Uaktualnienie systemu: | Uaktualnienie systemu: | ||
Linia 50: | Linia 60: | ||
Podczas instalacji zostaniemy zapytani w sprawie konfiguracji Posfixa - wybieramy: brak konfiguracji. | Podczas instalacji zostaniemy zapytani w sprawie konfiguracji Posfixa - wybieramy: brak konfiguracji. | ||
< | < | ||
- | apt install postfix postfix-mysql postgrey dovecot-core dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-mysql dovecot-sieve dovecot-managesieved mariadb-server mariadb-client | + | apt install postfix postfix-mysql |
</ | </ | ||
Linia 163: | Linia 173: | ||
quota int(11) NOT NULL DEFAULT ' | quota int(11) NOT NULL DEFAULT ' | ||
active tinyint(1) NOT NULL DEFAULT ' | active tinyint(1) NOT NULL DEFAULT ' | ||
+ | PRIMARY KEY (id) | ||
+ | ); | ||
+ | |||
+ | CREATE TABLE virtual_black_white_list ( | ||
+ | id int(11) NOT NULL AUTO_INCREMENT, | ||
+ | source varchar(32) NOT NULL UNIQUE COMMENT ' | ||
+ | access enum(' | ||
+ | reason varchar(128) NOT NULL DEFAULT '', | ||
+ | `type` enum(' | ||
PRIMARY KEY (id) | PRIMARY KEY (id) | ||
); | ); | ||
Linia 206: | Linia 225: | ||
mysql -e " | mysql -e " | ||
</ | </ | ||
+ | |||
+ | Dodanie do białej listy domeny: | ||
+ | < | ||
+ | INSERT INTO virtual_black_white_list (source, access, type) VALUES (' | ||
+ | </ | ||
+ | |||
+ | Dodanie do czarnej listy domeny: | ||
+ | < | ||
+ | INSERT INTO virtual_black_white_list (source, access, reason, type) VALUES (' | ||
+ | </ | ||
+ | |||
+ | Dodanie adresu IP do białej listy: | ||
+ | < | ||
+ | INSERT INTO virtual_black_white_list (source, access, type) VALUES (' | ||
+ | </ | ||
+ | |||
+ | Dodanie adresu IP do czarnej listy: | ||
+ | < | ||
+ | INSERT INTO virtual_black_white_list (source, access, reason, type) VALUES (' | ||
+ | </ | ||
+ | |||
+ | Domeny do białej/ | ||
+ | * user@domain - adres email | ||
+ | * domain.ltd - cała domena | ||
+ | * .domain.tld - wszystkie subdomeny w danej domenie | ||
+ | * user@ - użytkownik we wszystkich domenach | ||
+ | |||
+ | Adresy IP definiujemy wg schematy CIDR. Dokumentacja: | ||
+ | |||
+ | Możemy zarządzać bazą danych aplikacją napisaną pod w/w strukturę tabel: [[https:// | ||
==== Użytkownik skrzynek pocztowych ==== | ==== Użytkownik skrzynek pocztowych ==== | ||
Linia 227: | Linia 276: | ||
cp / | cp / | ||
cp / | cp / | ||
+ | / | ||
</ | </ | ||
Linia 281: | Linia 331: | ||
mynetworks = 127.0.0.0/8 [:: | mynetworks = 127.0.0.0/8 [:: | ||
mailbox_size_limit = 0 | mailbox_size_limit = 0 | ||
+ | #zalaczniki 100MB | ||
+ | message_size_limit = 102400000 | ||
recipient_delimiter = + | recipient_delimiter = + | ||
inet_interfaces = all | inet_interfaces = all | ||
inet_protocols = all | inet_protocols = all | ||
+ | |||
+ | smtpd_sender_login_maps = mysql:/ | ||
smtpd_recipient_restrictions = check_policy_service inet: | smtpd_recipient_restrictions = check_policy_service inet: | ||
Linia 289: | Linia 343: | ||
permit_mynetworks, | permit_mynetworks, | ||
reject_unauth_destination, | reject_unauth_destination, | ||
+ | check_client_access mysql:/ | ||
+ | check_sender_access mysql:/ | ||
reject_non_fqdn_hostname, | reject_non_fqdn_hostname, | ||
reject_non_fqdn_sender, | reject_non_fqdn_sender, | ||
Linia 318: | Linia 374: | ||
permit_sasl_authenticated, | permit_sasl_authenticated, | ||
defer_unauth_destination | defer_unauth_destination | ||
+ | |||
+ | mime_header_checks = pcre:/ | ||
# Even more Restrictions and MTA params | # Even more Restrictions and MTA params | ||
Linia 359: | Linia 417: | ||
virtual_alias_maps = mysql:/ | virtual_alias_maps = mysql:/ | ||
mysql:/ | mysql:/ | ||
+ | |||
+ | maximal_queue_lifetime = 1d | ||
+ | bounce_queue_lifetime = 1d | ||
+ | </ | ||
+ | |||
+ | Tworzymy plik / | ||
+ | < | ||
+ | / | ||
+ | app|bat|chm|cmd|com|cpl|diagcab|dll|exe|fxp|gadget|grp| | ||
+ | hlp|hpj|hta|htc|inf|ins|img|iso|isp|its|jar|jnlp|js|jse| | ||
+ | ksh|lnk|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf| | ||
+ | mda|mdw|mdz|msc|msh|msh1|msh2|mshxml|msh1xml|msh2xml|msi| | ||
+ | msp|mst|msu|ops|osd|pcd|pif|plg|prf|prg|printerexport| | ||
+ | ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|py|pyc|pyo| | ||
+ | pyw|pyz|pyzw|reg|scf|scr|sct|shb|shs|theme|tmp|url|vb| | ||
+ | vbe|vbp|vbs|vhd|vhdx|vsmacros|vsw|webpnp|website|ws|wsc| | ||
+ | wsf|wsh|xbap|xll|xnk))(\? | ||
+ | REJECT Attachment of type $2 not accepted | ||
</ | </ | ||
Linia 395: | Linia 471: | ||
dbname = postfix | dbname = postfix | ||
query = SELECT email FROM virtual_users WHERE email=' | query = SELECT email FROM virtual_users WHERE email=' | ||
+ | </ | ||
+ | |||
+ | Tworzymy plik / | ||
+ | < | ||
+ | user = postfix | ||
+ | password = tajnehaslo | ||
+ | hosts = 127.0.0.1 | ||
+ | dbname = postfix | ||
+ | query = SELECT CONCAT(access, | ||
+ | </ | ||
+ | |||
+ | Tworzymy plik / | ||
+ | < | ||
+ | user = postfix | ||
+ | password = tajnehaslo | ||
+ | hosts = 127.0.0.1 | ||
+ | dbname = postfix | ||
+ | query = SELECT CONCAT(access, | ||
+ | </ | ||
+ | |||
+ | Tworzymy plik / | ||
+ | < | ||
+ | user = postfix | ||
+ | password = tajnehaslo | ||
+ | hosts = 127.0.0.1 | ||
+ | dbname = postfix | ||
+ | query = SELECT email FROM virtual_users WHERE email = ' | ||
</ | </ | ||
Linia 487: | Linia 590: | ||
cd conf.d | cd conf.d | ||
for f in ./* ; do cp $f $f.bak; done | for f in ./* ; do cp $f $f.bak; done | ||
+ | / | ||
</ | </ | ||
Linia 772: | Linia 876: | ||
< | < | ||
plugin { | plugin { | ||
+ | sieve_extensions = +vacation-seconds | ||
+ | sieve_vacation_min_period = 5m | ||
+ | sieve_vacation_default_period = 10m | ||
+ | sieve_vacation_max_period = 15m | ||
+ | |||
sieve = / | sieve = / | ||
sieve_default = / | sieve_default = / | ||
Linia 866: | Linia 975: | ||
... | ... | ||
$config[' | $config[' | ||
+ | $config[' | ||
+ | $config[' | ||
+ | $config[' | ||
+ | $config[' | ||
... | ... | ||
$config[' | $config[' | ||
Linia 963: | Linia 1076: | ||
* IMAP: 993 (SSL/TLS) | * IMAP: 993 (SSL/TLS) | ||
+ | ==== Fail2Ban ==== | ||
+ | |||
+ | Instalujemy: | ||
+ | < | ||
+ | apt install fail2ban | ||
+ | </ | ||
+ | |||
+ | W pliku / | ||
+ | < | ||
+ | ... | ||
+ | ignoreip = 127.0.0.1/8 ::1 | ||
+ | ... | ||
+ | bantime | ||
+ | ... | ||
+ | findtime | ||
+ | ... | ||
+ | [roundcube-auth] | ||
+ | port = http,https | ||
+ | logpath | ||
+ | enabled = true | ||
+ | ... | ||
+ | [postfix-sasl] | ||
+ | enabled = true | ||
+ | filter | ||
+ | port = smtp, | ||
+ | # You might consider monitoring / | ||
+ | # running postfix since it would provide the same log lines at the | ||
+ | # " | ||
+ | logpath | ||
+ | backend | ||
+ | ... | ||
+ | </ | ||
+ | |||
+ | Restart: | ||
+ | < | ||
+ | / | ||
+ | </ | ||
+ | |||
+ | Status fail2bana sprawdzamy poleceniem: | ||
+ | < | ||
+ | root@mars:/ | ||
+ | Status | ||
+ | |- Number of jail: 3 | ||
+ | `- Jail list: | ||
+ | root@mars:/ | ||
+ | Status for the jail: postfix-sasl | ||
+ | |- Filter | ||
+ | | |- Currently failed: 0 | ||
+ | | |- Total failed: | ||
+ | | `- File list: / | ||
+ | `- Actions | ||
+ | |- Currently banned: 0 | ||
+ | |- Total banned: | ||
+ | `- Banned IP list: | ||
+ | |||
+ | </ | ||
+ | |||
+ | ==== Munin ==== | ||
+ | |||
+ | Monitoring zasobów serwera. | ||
+ | |||
+ | Instalacja: | ||
+ | < | ||
+ | apt install munin munin-node munin-plugins-extra | ||
+ | </ | ||
+ | |||
+ | Konfigurujemy plik / | ||
+ | < | ||
+ | ScriptAlias / | ||
+ | Alias / | ||
+ | |||
+ | < | ||
+ | #Require local | ||
+ | Require ip nasz_adres_ip | ||
+ | Options FollowSymLinks SymLinksIfOwnerMatch | ||
+ | Options None | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | #Require local | ||
+ | Require ip nasz_adres_ip | ||
+ | Options FollowSymLinks SymLinksIfOwnerMatch | ||
+ | < | ||
+ | SetHandler fcgid-script | ||
+ | </ | ||
+ | < | ||
+ | SetHandler cgi-script | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | Alias /munin / | ||
+ | </ | ||
+ | |||
+ | Reload konfiguracji Apache: | ||
+ | < | ||
+ | systemctl apache2 reload | ||
+ | </ | ||
+ | |||
+ | Munin będzie dostępny pod: http:// | ||
+ | |||
+ | ==== Przydatne narzędzia ==== | ||
+ | |||
+ | * postqueue | ||
+ | < | ||
+ | # postqueue -p | ||
+ | -Queue ID- --Size-- ----Arrival Time---- -Sender/ | ||
+ | 56008207DE | ||
+ | | ||
+ | | ||
+ | |||
+ | -- 190 Kbytes in 1 Request. | ||
+ | </ | ||
+ | |||
+ | * postsuper | ||
+ | < | ||
+ | # postsuper -d 56008207DE | ||
+ | postsuper: 56008207DE: removed | ||
+ | postsuper: Deleted: 1 message | ||
+ | </ | ||
+ | |||
+ | * postmap | ||
+ | < | ||
+ | # postmap -q ' | ||
+ | REJECT | ||
+ | # postmap -q ' | ||
+ | REJECT Attachment of type test.img not accepted | ||
+ | </ | ||
+ | |||
+ | * rblcheck | ||
+ | < | ||
+ | rblcheck -s dnsbl.sorbs.net adresiplubdomena | ||
+ | </ | ||
+ | |||
+ | * przenoszenie skrzynek pocztowych via IMAP: [[https:// | ||
+ | * sprawdzanie czy nasza domena oraz adres IP jest na czarnych listach: [[https:// | ||
+ | * tester naszego serwera: [[https:// | ||
+ | * sprawdzanie DNSów naszej domeny: [[https:// | ||
+ | * Dodanie naszej domeny do zaufanych w Google: [[https:// | ||
+ | * Dodanie naszej domeny do zaufanych w Microsoft: [[https:// | ||
+ | * Sprawdzenie domeny oraz maili: [[https:// | ||
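Review bot: The `check_sender_access` lookup added to `smtpd_recipient_restrictions` (hunk "Linia 343") sits above `reject_non_fqdn_hostname` and `reject_non_fqdn_sender`, so a whitelist hit for a sender domain ends evaluation of the list and skips those checks and whatever follows them. The lookup key is the envelope sender, which any connecting client can set freely, so the domain whitelist examples in hunk "Linia 225" give no assurance about who is actually sending; the accept value is presumably `OK`, but the `access` enum is cut off on this page. I would limit accept entries to the IP type (presumably the rows `check_client_access` evaluates) and add a caveat under the whitelist examples, for instance `Uwaga: adres nadawcy (MAIL FROM) można sfałszować, więc wpisy OK stosujemy tylko dla adresów IP, a dla domen i adresów e-mail wyłącznie REJECT.` The restriction list begins and ends outside the hunk, so any later checks that would also be skipped are not visible here.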