{"id":64,"date":"2019-07-02T14:50:03","date_gmt":"2019-07-02T14:50:03","guid":{"rendered":"https:\/\/silviamarin.ro\/?p=64"},"modified":"2019-07-02T14:50:03","modified_gmt":"2019-07-02T14:50:03","slug":"instalare-server-de-mail-cu-dovecot-si-postfix-2","status":"publish","type":"post","link":"https:\/\/marinelvis.xyz\/index.php\/2019\/07\/02\/instalare-server-de-mail-cu-dovecot-si-postfix-2\/","title":{"rendered":"INSTALARE SERVER DE MAIL CU DOVECOT SI POSTFIX"},"content":{"rendered":"

Se instaleaza pachetele \u201cdnsutils\u201d si \u201ctelnet\u201d<\/strong><\/em><\/p>\n

apt-get install dnsutils telnet -y<\/pre>\n
Se verifica daca portul 25 este deblocat:<\/p>\n
dig mx +short yahoo.com |awk -F ' '\u00a0 '{print $2}'<\/pre>\n
mta6.am0.yahoodns.net.<\/em>
\nmta5.am0.yahoodns.net.<\/em>
\nmta7.am0.yahoodns.net.<\/em><\/p><\/blockquote>\n
telnet mta6.am0.yahoodns.net 25<\/pre>\n
Trying 98.138.112.34\u2026<\/em>
\nConnected to mta6.am0.yahoodns.net.<\/em>
\nEscape character is \u2018^]\u2019.<\/em>
\n220 mta1278.mail.ne1.yahoo.com ESMTP ready<\/em><\/p><\/blockquote>\n
Daca output-ul este \u201cConection timed out\u201d<\/em> atunci portul este blocat
\nSe concateneaza certificatele digitale:<\/p>\n
cat domeniu.com<\/span>.crt intermediate.crt > domeniu.com.<\/span>chain.crt<\/pre>\n
Se instaleaza Dovecot si Postfix<\/strong><\/em><\/p>\n
apt-get install dovecot-imapd dovecot-lmtpd\u00a0\napt-get install postfix postgrey postfix-policyd-spf-python<\/pre>\n
Se elimina pachetul Exim instalat odata cu sistemul de operare:<\/p>\n
apt-get purge exim4 exim4-*<\/pre>\n
Postfix asculta porturile SMTP(25) si Submission(587) iar Dovecot asculta portul IMAP(993).
\nConfigurari initiale<\/strong><\/em><\/p>\n
POSTFIX<\/strong>
\nPentru configurarea porturilor se editeaza master.cf<\/p>\n
nano \/etc\/postfix\/master.cf<\/pre>\n
Se activeaza serviciul Submission eliminand comentariul (#) de la linia 17<\/p>\n
\u2026\u2026<\/em>
\nsmtp\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 inet\u00a0 n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u2013\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u2013\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u2013\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u2013\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 smtpd<\/em>
\n#smtp\u00a0\u00a0\u00a0\u00a0\u00a0 inet\u00a0 n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u2013\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u2013\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u2013\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 postscreen<\/em>
\n\u2026\u2026<\/em>
\nsubmission inet n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u2013\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u2013\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u2013\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u2013\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 smtpd<\/em>
\n#\u00a0 -o syslog_name=postfix\/submission<\/em>
\n\u2026\u2026<\/em><\/p><\/blockquote>\n
Serviciul SMTP este activat implicit.
\nSe editeaza fisierul de configurare main.cf<\/em>:<\/p>\n
nano \/etc\/postfix\/main.cf<\/pre>\n
Se specifica certificatele de siguranta
\nSe inlocuieste\u00a0 smtpd_use_tls = yes<\/em> cu smtpd_tls_security_level = may<\/em>
\nSe introduce smtp_tls_security_level = may<\/em><\/p>\n
smtpd_tls_cert_file=\/var\/SSL\/marinelvis.biz.chain.crt<\/em>
\nsmtpd_tls_key_file=\/var\/SSL\/marinelvis.biz.key<\/em>
\nsmtpd_tls_security_level = may<\/em>
\nsmtp_tls_security_level = may<\/em><\/p><\/blockquote>\n
DOVECOT<\/span>
\nSe creeaza un singur fisier de configurare dovecot.conf<\/em>:<\/p>\n
doveconf -n > \/etc\/dovecot\/dovecot.conf.new\nmv \/etc\/dovecot\/dovecot.conf \/etc\/dovecot\/dovecot.conf.orig\nmv \/etc\/dovecot\/dovecot.conf.new \/etc\/dovecot\/dovecot.conf\nnano \/etc\/dovecot\/dovecot.conf<\/pre>\n
Linia ssl = no<\/em> se sterge si se inlocuieste cu urmatorul bloc:<\/p>\n
service imap-login {<\/em>
\ninet_listener imap {<\/em>
\nport = 0<\/em>
\n}<\/em>
\ninet_listener imaps {<\/em>
\nport = 993<\/em>
\n}<\/em>
\n}<\/em>
\nssl = required<\/em>
\nssl_ca = <\/etc\/ssl\/certs\/ca-certificates.crt<\/em>
\nssl_cert = \/var\/SSL\/domeniu.com<\/span>.chain.crt<\/em>
\nssl_key = <\/var\/SSL\/domeniu.com<\/span>.key<\/em><\/p><\/blockquote>\n
Se elimina monitorizarea de catre systemd a portului IMAP(143) pentru a preveni aparitia de erori:<\/p>\n
cp \/lib\/systemd\/system\/dovecot.socket \/etc\/systemd\/system\/\nsystemctl reenable dovecot.socket\nsed -i '\/:143$\/s\/^\/#\/' \/etc\/systemd\/system\/dovecot.socket<\/pre>\n
PROBA<\/em>
\nPe serverul unde se instaleaza:<\/p>\n
systemctl restart postfix\nsystemctl restart dovecot\nnetstat -lnpt<\/pre>\n
In output trebuie sa fie listate porturile 25, 587 si 993 in coloana \u201eLocal Address\u201d
\nSe verifica daca sunt semnalate erori in log-uri:<\/p>\n
less | \/var\/log\/mail.log\nless | \/var\/log\/syslog<\/pre>\n
Din calculatorul local:<\/p>\n
openssl s_client -starttls smtp -crlf -connect domeniu.com<\/span>:587\nopenssl s_client -connect domeniu.com<\/span>:993<\/pre>\n
In ambele cazuri antepenultimul rand din output trebuie sa fie:<\/p>\n
\u2026\u2026<\/em>
\nVerify return code: 0 (ok)<\/em>
\n\u2026\u2026<\/em><\/p><\/blockquote>\n
Se revine la root cu Ctrl + c
\nAutentificare si mailbox-uri<\/strong><\/em><\/p>\n
POSTFIX<\/strong><\/p>\n
nano \/etc\/postfix\/main.cf<\/pre>\n
Se modifica modul de autentificare in Dovecot.
\nSe introduce urmatorul bloc:<\/p>\n
smtpd_sasl_auth_enable = yes<\/em>
\nsmtpd_sasl_type = dovecot<\/em>
\n# The path is relative to $queue_directory:<\/em>
\n#\u00a0\u00a0 postconf |grep queue_directory<\/em>
\n#\u00a0\u00a0 queue_directory = \/var\/spool\/postfix<\/em>
\nsmtpd_sasl_path = private\/auth<\/em>
\n# Do not accept SASL authentication over unencrypted connections<\/em>
\nsmtpd_tls_auth_only = yes<\/em><\/p><\/blockquote>\n
DOVECOT<\/strong><\/p>\n
nano \/etc\/dovecot\/dovecot.conf<\/pre>\n
Se introduce urmatorul bloc:<\/p>\n
# Allows plaintext authentication only when SSL\/TLS is used first.<\/em>
\n# http:\/\/wiki2.dovecot.org\/Authentication<\/a><\/em>
\nauth_mechanisms = plain login<\/em>
\ndisable_plaintext_auth = yes<\/em>
\nservice auth-worker {<\/em>
\n# Forbid to access \/etc\/shadow<\/em>
\nuser = $default_internal_user<\/em>
\n}<\/em>
\nservice auth {<\/em>
\n# IMPORTANT: Match the path to smtpd_sasl_path of Postfix<\/em>
\nunix_listener \/var\/spool\/postfix\/private\/auth {<\/em>
\ngroup = postfix<\/em>
\nuser = postfix<\/em>
\nmode = 0666<\/em>
\n}<\/em>
\n}<\/em><\/p><\/blockquote>\n
Se inlocuiesc mail_location, passdb<\/em> si userdb<\/em>:<\/p>\n
mail_location = maildir:\/var\/vmail\/%d\/%n<\/em><\/p><\/blockquote>\n
 <\/p>\n
passdb {<\/em>
\ndriver = passwd-file<\/em>
\n# The entire email address will be used as the username for email client.<\/em>
\n# Don\u2019t bother about the scheme here, will be overwritten by a strong scheme from file.<\/em>
\n#\u00a0\u00a0\u00a0 (http:\/\/wiki2.dovecot.org\/AuthDatabase\/PasswdFile<\/a>)<\/em>
\nargs = scheme=CRYPT username_format=%u \/etc\/dovecot\/users<\/em>
\n}<\/em><\/p><\/blockquote>\n
 <\/p>\n
userdb {<\/em>
\n# For static type, LDA verify the user\u2019s existence by lookup passdb<\/em>
\n#\u00a0\u00a0 ( http:\/\/wiki2.dovecot.org\/UserDatabase\/Static<\/a> )<\/em>
\ndriver = static<\/em>
\nargs = uid=vmail gid=vmail home=\/var\/vmail\/%d\/%n<\/em>
\n}<\/em><\/p><\/blockquote>\n
Toate directoarele speciale ale casutei postale vor fi create automat de Dovecot pentru fiecare cont in parte. Trebuie specificat formatul casutei postale in mail_location<\/em> si un utilizator de sistem care sa execute operatiile corespunzatoare in mailbox-uri
\nSe creeaza utilizatorul de sistem vmail<\/em>:<\/p>\n
adduser --system --home \/var\/vmail --uid 550 --group --disabled-login vmail<\/pre>\n
A fost creat folderul \/var\/vmail\u00a0<\/em> detinut de utilizatorul de sistem vmail.<\/em>
\nSe creaza primul cont de e-mail si se introduce parola utilizand algoritmul de criptare SHA512 dupa urmatorul model:<\/p>\n
doveadm pw -s SHA512-CRYPT<\/pre>\n
Exemplu de rezultat:<\/p>\n
{SHA512-CRYPT}$6$jBJaXdjpgiAZVRUh$ysJbSwCDAZvxrJNUHr8urqKWOUmyQ7mNxl7ptWDf7htMB9s9lZZuNYTXuDPST2W226nOQG5IrHHmo0PCnhF\/d0<\/em><\/p><\/blockquote>\n
Se creeaza un fisier nou in \/etc\/dovecot<\/em> si se introduce parola criptata:<\/p>\n
nano \/etc\/dovecot\/users<\/pre>\n
dupa modelul:<\/p>\n
user@domeniu.com<\/span>:{SHA512-CRYPT}$6$jBJaXdjpgiAZVRUh$ysJbSwCDAZvxrJNUHr8urqKWOUmyQ7mNxl7ptWDf7htMB9s9lZZuNYTXuDPST2W226nOQG5IrHHmo0PCnhF\/d0<\/em><\/p><\/blockquote>\n
Se schimba propietarul si permisiunile:<\/p>\n
chmod 640 \/etc\/dovecot\/users\nchown root:dovecot \/etc\/dovecot\/users<\/pre>\n
Dovecot nu depinde de domenii, deci pot fi folosite mai multe sau nici un domeniu. Utilizatorii pot fi administra\u021bi utilizand acest fisier.<\/p>\n
PROBA<\/em>
\nDin calculatorul local:<\/p>\n
openssl s_client -connect domeniu.com<\/span>:993<\/pre>\n
Se realizeaza conexiunea la serverul de mail:
\n\u2026\u2026<\/p>\n
* OK
\n\u2026\u2026<\/p>\n
In terminal se scriu comenzile pentru conectarea la contul de utilizator creat anterior:<\/p>\n
a login user@domeniu.com<\/span> \u00a0parola<\/pre>\n
a OK [\u2026\u2026] Logged in<\/em><\/p><\/blockquote>\n
Pentru iesire si revenire la cursorul de root:<\/p>\n
b logout<\/pre>\n
Se poate reveni la root si cu Ctrl + c
\nLMTP (Local Mail Transfer Protocol)<\/strong><\/em><\/p>\n
POSTFIX<\/p>\n
nano \/etc\/postfix\/main.cf<\/pre>\n
Se introduce linia mydomain = domeniu.com<\/span> inainte de $myhostname. Se schimba variabilele urmatoare:<\/p>\n
mydomain = domeniu.com<\/span><\/em>
\nmyhostname = $mydomain<\/em>
\nmyorigin = $mydomain<\/em>
\nmydestination = localhost<\/em><\/p><\/blockquote>\n
Valorile variabilelor $mydomain si $myhostname trebuie sa fie aceleasi din certificatele SSL.
\nModul de utilizare al variabilelor:
\n$myhostname: numele transmis prin comenzile SMTP HELO sau EHLO si banerul de intampinare SMTP.
\n$myorigin, $mydestination: In \/etc\/postfix\/virtual_aliases<\/em> mai jos.
\n$myorigin, $virtual_mailbox_domains, $virtual_alias_maps: reject_unauth_destination
\nSe introduc urmatoarele linii:<\/p>\n
# Handing off local delivery to Dovecot\u2019s LMTP<\/em>
\n# http:\/\/wiki2.dovecot.org\/HowTo\/PostfixDovecotLMTP<\/a><\/em>
\n#<\/em>
\n# The path relative to $queue_directory, that is:<\/em>
\n#\u00a0\u00a0\u00a0 \/var\/spool\/postfix\/private\/dovecot-lmtp<\/em>
\nvirtual_transport = lmtp:unix:private\/dovecot-lmtp<\/em>
\n# Check domains only, query users and aliases in Dovecot<\/em>
\n#<\/em>
\n# IMPORTANT: Don\u2019t overlap with $mydestination<\/em>
\n#virtual_mailbox_domains = example1.com, example2.com<\/em>
\nvirtual_mailbox_domains = $mydomain<\/em>
\n#virtual_alias_domains = $virtual_alias_maps<\/em>
\nvirtual_alias_maps = hash:\/etc\/postfix\/virtual_aliases<\/em><\/p><\/blockquote>\n
Alias-uri<\/strong><\/em>
\nSe creeaza fisierul virtual_aliases<\/em><\/p>\n
nano \/etc\/postfix\/virtual_aliases<\/pre>\n
si se introduc urmatoarele linii:<\/p>\n
# The input(left column) without domain, will match user@$myorigin<\/em>
\n# and user@$mydestination (e.g. root@example.com, root@localhost)<\/em>
\n#<\/em>
\n# The result(right column) without domain, Postfix will append<\/em>
\n#\u00a0\u00a0 $myorigin as $append_at_myorigin=yes<\/em>
\n# So the user user@domeniu.com<\/span> must exists in \/etc\/dovecot\/users<\/em>
\n# See: The section TABLE FORMAT in manual virtual(5)<\/em>
\npostmaster \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 root<\/em>
\nwebmaster\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 root<\/em>
\nabuse \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0root<\/em>
\n# Person who should get root\u2019s mail<\/em>
\nroot\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 user<\/em>
\ninfo@domeniu.com<\/span> \u00a0 \u00a0user<\/em>
\n# A catch-all address is at the risk of spam<\/em>
\n#@domeniu.com<\/span> \u00a0 \u00a0user<\/em><\/p><\/blockquote>\n
Apoi se creeaza baza de date alocata alias-urilor:<\/p>\n
postmap \/etc\/postfix\/virtual_aliases\npostfix reload<\/pre>\n
DOVECOT<\/strong><\/p>\n
nano \/etc\/dovecot\/dovecot.conf<\/pre>\n
Se introduce urmatorul bloc:<\/p>\n
service lmtp {<\/em>
\nunix_listener \/var\/spool\/postfix\/private\/dovecot-lmtp {<\/em>
\nmode = 0666<\/em>
\nuser = postfix<\/em>
\ngroup = postfix<\/em>
\n}<\/em>
\n}<\/em><\/p><\/blockquote>\n
Calea absoluta catre\u00a0 dovecot-lmtp trebuie sa fie aceeasi ca valoarea variabilei $virtual_transport<\/em> in Postfix.<\/p>\n
PROBA<\/em>
\nPe serverul unde se instaleaza:<\/p>\n
systemctl restart postfix\nsystemctl restart dovecot<\/pre>\n
Se verifica daca s-a creat fisierul \u201edovecot-lmtp\u201d<\/p>\n
ls -l \/var\/spool\/postfix\/private\/dovecot-lmtp<\/pre>\n
Se trimite un e-mail. Datorita alias-urilor create anterior contul user@domeniu.com<\/span> va primi un mesaj in directorul new<\/em>:<\/p>\n
sendmail -bv webmaster<\/pre>\n
sudo ls -l \/var\/vmail\/domeniu.com<\/span>\/user\/new<\/p>\n
Inregistrarile DNS<\/strong><\/p>\n
Hostname -> A -> IPv4<\/em>
\ndomeniu.com\u00a0 -> MX -> mail.domeniu.com<\/em>
\ndomeniu.com\u00a0 -> TXT -> v=spf1 a mx ip4:IPv4 ip6:IPv6 \u2013all<\/em><\/p><\/blockquote>\n
Pentru ca serverul de mail este acelasi cu serverul domeniului domeniu.com = mail.domeniu.com<\/span>
\nRaspunsul inregistrarii MX trebuie sa fie aceeasi cu variabila $myhostname<\/em> din \/etc\/postfix\/main.cf<\/em><\/p>\n
domeniu.com -> A -> 5.189.138.195 (IP-ul domeniului)<\/em>
\ndomeniu.com -> MX -> domeniu.com<\/em>
\ndomeniu.com -> TXT -> v=spf1 a mx ip4:5.189.138.195 ip6:2a02:c207:2013:6973:0000:0000:0000:0001 -all<\/em><\/p><\/blockquote>\n
Pentru reverseDNS se introduce IP-ul inversat in inregistrarea PTR:<\/p>\n
195.138.189.5.in-addr.arpa<\/em><\/p><\/blockquote>\n
PROBA<\/em>
\nSe testeaza cu comanda dig:<\/p>\n
dig +short mx domeniu.com<\/span> |awk '{print $2}'<\/pre>\n
Output-ul trebuie sa fie numele domeniului unde a fost directionata inregistrarea MX<\/p>\n
domeniu.com<\/span><\/em><\/p><\/blockquote>\n
dig +short a domeniu.com<\/span><\/em><\/pre>\n
Output-ul trebuie sa fie IP-ul mailserver-ului<\/p>\n
5.189.138.195<\/p><\/blockquote>\n
dig +short -x 5.189.138.195<\/pre>\n
Output-ul trebuie sa fie numele domeniului<\/p>\n
domeniu.com<\/span><\/em><\/p><\/blockquote>\n
Mail User Agent<\/strong><\/em><\/p>\n
Date de configurare pentru clientii de mail (Microsoft Outlook, Thunderbird, etc.):
\nIMAP<\/p>\n
Server Name: domeniu.com<\/span><\/em>
\nPort: 993<\/em>
\nConnection security: SSL\/TLS<\/em>
\nAuthentication method: Normal password<\/em>
\nUser Name: user@ domeniu.com<\/span><\/em><\/p><\/blockquote>\n
SMTP<\/p>\n
Server Name: domeniu.com<\/span><\/em>
\nPort: 587<\/em>
\nConnection security: STARTTLS<\/em>
\nAuthentication method: Normal password<\/em>
\nUser Name: user@ domeniu.com<\/span><\/em><\/p><\/blockquote>\n
Antispam<\/strong><\/em><\/p>\n
POSTFIX<\/strong><\/p>\n
nano \/etc\/postfix\/main.cf<\/pre>\n
Se sterge linia cu variabila smtpd_relay_restrictions<\/em>. In locul ei se introduce blocul urmator:<\/p>\n
# Restrictions in order: client, helo, sender, relay\/recipient<\/em>
\nsmtpd_client_restrictions = permit_mynetworks,<\/em>
\nreject_unauth_pipelining,<\/em>
\nsmtpd_helo_required = yes<\/em>
\nsmtpd_helo_restrictions = permit_mynetworks,<\/em>
\nreject_invalid_helo_hostname,<\/em>
\nreject_non_fqdn_helo_hostname,<\/em>
\nsmtpd_sender_restrictions = permit_mynetworks,<\/em>
\nreject_non_fqdn_sender,<\/em>
\nreject_unknown_sender_domain,<\/em>
\ncheck_sender_access hash:\/etc\/postfix\/sender_access,<\/em>
\n# Reject destination we\u2019re not responsible for, limit abuse or<\/em>
\n# prevent postfix become an open relay. (version >= 2.10 required)<\/em>
\nsmtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,<\/em>
\nreject_unauth_destination,<\/em>
\nsmtpd_recipient_restrictions =<\/em>
\n# General rules<\/em>
\nreject_non_fqdn_recipient,<\/em>
\nreject_unknown_recipient_domain,<\/em>
\n# Our users<\/em>
\npermit_mynetworks,<\/em>
\npermit_sasl_authenticated,<\/em>
\n# Spam filters<\/em>
\nreject_rbl_client zen.spamhaus.org,<\/em>
\nreject_rbl_client dnsbl.sorbs.net,<\/em>
\nreject_rhsbl_reverse_client dbl.spamhaus.org,<\/em>
\nreject_rhsbl_helo dbl.spamhaus.org,<\/em>
\nreject_rhsbl_sender dbl.spamhaus.org,<\/em>
\n# This should be next-to-last<\/em>
\ncheck_policy_service unix:private\/postgrey,<\/em>
\npermit<\/em><\/p><\/blockquote>\n
Regula\u00a0 reject_unauth_destination<\/em> impiedica mailserver-ul sa devina open relay.<\/em><\/p>\n
POSTGREY<\/strong>
\nSe modifica optiunile Postgrey:<\/p>\n
nano \/etc\/default\/postgrey<\/pre>\n
POSTGREY_OPTS=\u201d\u2013unix=\/var\/spool\/postfix\/private\/postgrey \u2013delay=66\u2033<\/em><\/p><\/blockquote>\n
Restart Postgrey:<\/p>\n
systemctl restart postgrey<\/pre>\n
BLACKLIST OF SENDER<\/strong>
\nUnii spam-eri pot trece de filtrele impuse de Postfix. In acest caz se foloseste Blacklist.<\/p>\n
nano \/etc\/postfix\/sender_access<\/pre>\n
Calea \/etc\/postfix\/sender_access<\/em> trebuie sa fie aceeasi ca setarea variabilei\u00a0 check_sender_access<\/em> din main.cf<\/em>:
\nSe creeaza baza de date\u00a0sender_access.db<\/em>:<\/p>\n
postmap hash:sender_access<\/pre>\n
Apoi se introduc manual domeniile spam-erilor in baza de date:
\nExemplu:<\/p>\n
cd \/etc\/postfix\/\necho spam@yandex.ru REJECT >> sender_access\necho ya.ru REJECT >> sender_access\npostmap hash:sender_access<\/pre>\n
FAIL2BAN<\/strong><\/em><\/p>\n
Se instaleaza fail2ban:<\/p>\n
apt-get install fail2ban -y<\/pre>\n
Se face o copie locala a fisierului de configurare si se editeaza:<\/p>\n
cd \/etc\/fail2ban\/filter.d\/\ncp postfix.conf postfix.local\nnano postfix.local<\/pre>\n
Se adauga linia:<\/p>\n
^%(__prefix_line)slost connection after (?:AUTH|UNKNOWN) from \\S+\\[<HOST>\\]$<\/em><\/p><\/blockquote>\n
la failregex<\/em>, care ar trebui sa arate asa:<\/p>\n
failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \\S+\\[<HOST>\\]: 554 5\\.7\\.1 .*$<\/em>
\n^%(__prefix_line)sNOQUEUE: reject: RCPT from \\S+\\[<HOST>\\]: 450 4\\.7\\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$<\/em>
\n^%(__prefix_line)sNOQUEUE: reject: VRFY from \\S+\\[<HOST>\\]: 550 5\\.1\\.1 .*$<\/em>
\n^%(__prefix_line)simproper command pipelining after \\S+ from [^[]*\\[<HOST>\\]:?$<\/em>
\n^%(__prefix_line)slost connection after (?:AUTH|UNKNOWN) from \\S+\\[<HOST>\\]$<\/em><\/p><\/blockquote>\n
Se editeaza jail.local<\/em>:<\/p>\n
nano \/etc\/fail2ban\/jail.local<\/pre>\n
Se activeaza Postfix:<\/p>\n
[postfix]<\/em>
\nEnabled\u00a0 =\u00a0 true<\/em><\/p><\/blockquote>\n
Se reporneste Fail2ban<\/p>\n
fail2ban-client reload postfixfail2ban-client status<\/pre>\n
SPF<\/em><\/p>\n
nano \/etc\/postfix\/main.cf<\/pre>\n
Inainte de linia check_policy_service unix:private\/postgrey<\/em> se intorduce linia aferenta SPF:<\/p>\n
\u2026\u2026<\/em>
\ncheck_policy_service unix:private\/policyd-spf,<\/em>
\ncheck_policy_service unix:private\/postgrey,<\/em>
\npermit<\/em><\/p><\/blockquote>\n
Linia\u00a0 check_policy_service<\/em> trebuie introdusa dupa reject_unauth_destination<\/em> pentru a evita ca mailserver-ul sa devina open relay<\/em>.
\nLa sfarsitul fisierului main.cf<\/em> se introduce linia:<\/p>\n
policy-spf_time_limit = 3600s<\/em><\/p><\/blockquote>\n
Se editeaza fisierul master.cf<\/em> si se introduc cele 2 linii la sfarsitul fisierului:<\/p>\n
nano \/etc\/postfix\/master.cf<\/pre>\n
policyd-spf\u00a0 unix\u00a0 \u2013\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u2013\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 spawn<\/em>
\nuser=policyd-spf argv=\/usr\/bin\/policyd-spf<\/em><\/p><\/blockquote>\n
Se reporneste Postfix:<\/p>\n
systemctl restart postfix<\/pre>\n
DKIM (DomainKeys Identified Mail)<\/strong><\/em>
\nDKIM implica configurarea pachetului OpenDKIM, conectarea lui cu Postfix si alocarea inregistrarilor DNS specifice.
\nSe instaleaza OpenDKIM:<\/p>\n
apt-get install opendkim opendkim-tools -y<\/pre>\n
Fisierul de configurare \/etc\/opendkim.conf trebuie sa arate astfel:<\/p>\n
nano \/etc\/opendkim.conf<\/pre>\n
# This is a basic configuration that can easily be adapted to suit a standard<\/em>
\n# installation. For more advanced options, see opendkim.conf(5) and\/or<\/em>
\n# \/usr\/share\/doc\/opendkim\/examples\/opendkim.conf.sample.<\/em>
\n# Log to syslog<\/em>
\nSyslog\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 yes<\/em>
\n# Required to use local socket with MTAs that access the socket as a non-<\/em>
\n# privileged user (e.g. Postfix)<\/em>
\nUMask\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 002<\/em>
\n# OpenDKIM user<\/em>
\n# Remember to add user postfix to group opendkim<\/em>
\nUserID\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 opendkim<\/em>
\n# Map domains in From addresses to keys used to sign messages<\/em>
\nKeyTable\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/etc\/opendkim\/key.table<\/em>
\nSigningTable\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 refile:\/etc\/opendkim\/signing.table<\/em>
\n# Hosts to ignore when verifying signatures<\/em>
\nExternalIgnoreList\u00a0 \/etc\/opendkim\/trusted.hosts<\/em>
\nInternalHosts\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/etc\/opendkim\/trusted.hosts<\/em>
\n# Commonly-used options; the commented-out versions show the defaults.<\/em>
\nCanonicalization\u00a0\u00a0\u00a0 relaxed\/simple<\/em>
\nMode\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 sv<\/em>
\nSubDomains\u00a0\u00a0\u00a0\u00a0\u00a0 no<\/em>
\n#ADSPAction\u00a0\u00a0\u00a0\u00a0 continue<\/em>
\nAutoRestart\u00a0\u00a0\u00a0\u00a0 yes<\/em>
\nAutoRestartRate\u00a0\u00a0\u00a0\u00a0 10\/1M<\/em>
\nBackground\u00a0\u00a0\u00a0\u00a0\u00a0 yes<\/em>
\nDNSTimeout\u00a0\u00a0\u00a0\u00a0\u00a0 5<\/em>
\nSignatureAlgorithm\u00a0 rsa-sha256<\/em>
\n# Always oversign From (sign using actual From and a null From to prevent<\/em>
\n# malicious signatures header fields (From and\/or others) between the signer<\/em>
\n# and the verifier.\u00a0 From is oversigned by default in the Debian package<\/em>
\n# because it is often the identity key used by reputation systems and thus<\/em>
\n# somewhat security sensitive.<\/em>
\nOversignHeaders\u00a0\u00a0\u00a0\u00a0 From<\/em><\/p><\/blockquote>\n
Se aloca permisiunile fisierului:<\/p>\n
chmod u=rw,go=r \/etc\/opendkim.conf<\/pre>\n
Se creeaza folderele pentru datele OpenDKIM, se desemneaza user-ul opendkim<\/em> ca propietar al folderelor si se configureaza permisiunile fisierelor:<\/p>\n
mkdir \/etc\/opendkim\nmkdir \/etc\/opendkim\/keys\nchown -R opendkim:opendkim \/etc\/opendkim\nchmod go-rw \/etc\/opendkim\/keys<\/pre>\n
Se creeaza tabelul de semnaturi\u00a0 \/etc\/opendkim\/signing.table<\/em> in care se introduce cate o linie pentru fiecare domeniu care are alocat un server de mail dupa modelul de mai jos:<\/p>\n
nano \/etc\/opendkim\/signing.table<\/pre>\n
*@domeniu.com<\/span>\u00a0 domeniu<\/span><\/em><\/p><\/blockquote>\n
Se creeaza tabelul cheilor private \/etc\/opendkim\/key.table<\/em> cu cate o linie pentru fiecare domeniu inscris in signing.table dupa modelul de mai jos:<\/p>\n
nano \/etc\/opendkim\/key.table<\/pre>\n
domeniu.com<\/span><\/em> \u00a0 \u00a0 domeniu.com<\/span><\/em>:YYYYMM:\/etc\/opendkim\/keys\/domeniu<\/span><\/em>.private<\/p><\/blockquote>\n
Primul camp conecteaza tabelul de semnaturi cu tabelul cheilor private.
\nAl doilea camp e impartit in 3 sectiuni separate de \u201e:\u201d
\nprima sectiune e numele de domeniu pentru care este alocata cheia.
\na doua sectiune este selectorul (YYYYMM) folosit cand este cautata cheia inscrisa in inregistrarile DNS
\na treia sectiune desemneaza fisierul care contine cheia de criptare alocata domeniului.
\nFluxul pentru cautarea DKIM incepe cu adresa expeditorului. Tabelul de semnaturi este scanat pana la o intrare al carei model (primul element) se potriveste cu adresa. Apoi, valoarea celui de-al doilea element este utilizata pentru a localiza intrarea in tabelul cheilor a carei informatie cheie va fi utilizata. Pentru mesajele primite, domeniul si selectorul sunt apoi folosite pentru a gasi \u00eenregistrarea TXT a cheii publice in DNS si cheia publica este utilizat\u0103 pentru a valida semnatura. Pentru e-mailul de iesire, cheia privata este citit\u0103 din fisierul numit s utilizata pentru a genera semnatura pe mesaj.
\nSe creeaza fisierul\u00a0 \/etc\/opendkim\/trusted.hosts<\/em> cu urmatorul continut:<\/p>\n
nano \/etc\/opendkim\/trusted.hosts<\/pre>\n
127.0.0.1<\/em>
\n::1<\/em>
\nlocalhost<\/em>
\nmail.domeniu.com<\/span><\/em>
\ndomeniu.com<\/span><\/em><\/p><\/blockquote>\n
Se aloca permisiunile si propietarul fisierelor:<\/p>\n
chown -R opendkim:opendkim \/etc\/opendkim\nchmod -R go-rwx \/etc\/opendkim\/keys<\/pre>\n
Se genereaza cheile de criptare:<\/p>\n
opendkim-genkey -b 2048 -h rsa-sha256 -r -s 201710 -d domeniu.com<\/span><\/em> -v<\/pre>\n
Se genereaza doua fisiere: YYYYMM.private care contine cheia de criptare si YYYYMM.txt care contine inregistrareaTXT pentru setarile DNS. Se redenumesc fisierele ca sa se potriveasca cu a treia sectiune a celui de-al doilea camp din key.table:
\nmv 201710.private domeniu<\/span><\/em>.private
\nmv 201710.txt domeniu<\/span><\/em>.txt
\nSe configureaza permisiunile si propietarul folderului \/etc\/opendkim:<\/em><\/p>\n
chown -R opendkim:opendkim \/etc\/opendkim<\/em>
\nchmod -R go-rw \/etc\/opendkim\/keys<\/em><\/p><\/blockquote>\n
Se reporneste OpenDKIM:<\/p>\n
systemctl restart opendkim<\/pre>\n
Daca sunt semnalate erori<\/p>\n
systemctl status -l opendkim<\/pre>\n
DKIM foloseste inregistrarile TXT ca sa pastreze informatiile despre semnatura fiecarui domeniu.
\nContinutul fisierului \/etc\/opendkim\/keys\/domeniu<\/span><\/em>.txt\u00a0 arata asa:<\/p>\n
YYYYMM._domainkey\u00a0 IN\u00a0 TXT ( \u201c**v=DKIM1; h=rsa-sha256; k=rsa; s=email; \u201c\u00a0\u00a0\u00a0 \u201cp=MIIBIjANBgkqX94YbLJ8NHcFPbaZTW8R2HthYxRaCyqodxlLHiABRuAM0WG0JEDSyakMFqIO40ghj\/h7DUc\/+PdtqIwXR\u201d\u00a0\u00a0\u00a0 \u201cZksfuXh7m30kuyavp3UasoMgMjO+YjG8JsdcwIDAQAB**\u201d )\u00a0 ; \u2014\u2013 DKIM key YYYYMM for domeniu.com<\/span><\/em><\/p><\/blockquote>\n
Valoarea dintre paranteze se copie intr-un fisier-text separat fara ghilimele si spatii goale. De asemenea se inlocuieste h=rsa-sha256\u00a0 cu h=sha256:<\/p>\n
v=DKIM1; h=sha256; k=rsa; s=email;<\/em>
\np= MIIBIjANBgkqX94YbLJ8NHcFPbaZTW8R2HthYxRaCyqodxlLHiABRuAM0WG0JEDSyakMFqIO40ghj\/h7DUc\/+PdtqIwXR ZksfuXh7m30kuyavp3UasoMgMjO+YjG8JsdcwIDAQAB<\/em><\/p><\/blockquote>\n
Continutul de mai sus se introduce intr-o intr-o inregistrare TXT in managerul DNS<\/p>\n
PROBA<\/em>
\nPentru verificare se foloseste comanda opendkim-testkey<\/em>:<\/p>\n
opendkim-testkey -d domeniu.com<\/span><\/em> -s YYYYMM<\/pre>\n
Daca nu exista output atunci totul este configurat corect. Daca apar erori, pentru mai multe informatii se adauga optiunea \u2013vvv<\/em> la sfarsitul comenzii. Output-ul trebuie sa fie \u201ekey OK\u201d<\/em>. Va aparea si mesajul \u201ckey not secure\u201d<\/em> care va fi corectat prin configurarile urmatoare.<\/p>\n
mkdir \/var\/spool\/postfix\/opendkim\nchown opendkim:postfix \/var\/spool\/postfix\/opendkim<\/pre>\n
Se configureaza socket-ul pentru Postfix in fisierul de configurare implicit al OpenDKIM:<\/p>\n
nano \/etc\/default\/opendkim<\/pre>\n
# Command-line options specified here will override the contents of<\/em>
\n# \/etc\/opendkim.conf. See opendkim(8) for a complete list of options.<\/em>
\n#DAEMON_OPTS=\u201d\u201d<\/em>
\n#<\/em>
\n# Uncomment to specify an alternate socket<\/em>
\n# Note that setting this will override any Socket value in opendkim.conf<\/em>
\nSOCKET=\u201dlocal:\/var\/spool\/postfix\/opendkim\/opendkim.sock\u201d<\/em>
\n#SOCKET=\u201dinet:54321\u2033 # listen on all interfaces on port 54321<\/em>
\n#SOCKET=\u201dinet:12345@localhost\u201d # listen on loopback on port 12345<\/em>
\n#SOCKET=\u201dinet:12345@192.0.2.1\u2033 # listen on 192.0.2.1 on port 12345<\/em><\/p><\/blockquote>\n
Calea catre socket este diferita de cea implicita pentru ca, incepand cu Debian 8 procesele Postfix ruleaza in chroot jail<\/em> si nu pot accesa locatia implicita
\nSe editeaza \/etc\/postfix\/main.cf<\/em> si se completeaza cu blocul urmator dupa smtpd_recipient_restrictions<\/em>:<\/p>\n
nano \/etc\/postfix\/main.cf<\/pre>\n
# Milter configuration<\/em>
\n# OpenDKIM<\/em>
\nmilter_default_action = accept<\/em>
\n# Postfix \u2265 2.6 milter_protocol = 6, Postfix \u2264 2.5 milter_protocol = 2<\/em>
\nmilter_protocol = 6<\/em>
\nsmtpd_milters = local:\/opendkim\/opendkim.sock<\/em>
\nnon_smtpd_milters = local:\/opendkim\/opendkim.sock<\/em><\/p><\/blockquote>\n
Se repornesc OpenDKIM si Postfix<\/p>\n
systemctl restart opendkim\nsystemctl restart postfix<\/pre>\n
PROBA<\/em>
\nSe trimite un e-mail\u00a0 de test\u00a0 la check-auth@verifier.port25.com folosind un client de e-mail<\/p>\n","protected":false},"excerpt":{"rendered":"
Se instaleaza pachetele \u201cdnsutils\u201d si \u201ctelnet\u201d apt-get install dnsutils telnet -y Se verifica daca portul 25 este deblocat: dig mx +short yahoo.com |awk -F ‘ ‘\u00a0 ‘{print $2}’ mta6.am0.yahoodns.net. mta5.am0.yahoodns.net. mta7.am0.yahoodns.net. telnet mta6.am0.yahoodns.net 25 Trying 98.138.112.34\u2026 Connected to mta6.am0.yahoodns.net. Escape character is \u2018^]\u2019. 220 mta1278.mail.ne1.yahoo.com ESMTP ready Daca output-ul este \u201cConection timed out\u201d atunci portul […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-64","post","type-post","status-publish","format-standard","hentry","category-fara-categorie"],"_links":{"self":[{"href":"https:\/\/marinelvis.xyz\/index.php\/wp-json\/wp\/v2\/posts\/64","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/marinelvis.xyz\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/marinelvis.xyz\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/marinelvis.xyz\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/marinelvis.xyz\/index.php\/wp-json\/wp\/v2\/comments?post=64"}],"version-history":[{"count":0,"href":"https:\/\/marinelvis.xyz\/index.php\/wp-json\/wp\/v2\/posts\/64\/revisions"}],"wp:attachment":[{"href":"https:\/\/marinelvis.xyz\/index.php\/wp-json\/wp\/v2\/media?parent=64"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/marinelvis.xyz\/index.php\/wp-json\/wp\/v2\/categories?post=64"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/marinelvis.xyz\/index.php\/wp-json\/wp\/v2\/tags?post=64"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}