Mars: Difference between revisions
(Created page with "Mars ist unser externer VHost bei Hetzner. Ist ein CX10. IP ist die 78.46.208.206 bzw. 2a01:4f8:c17:c8d::2 Dort laufen: * Apache für ** [https://munichmakerlab.de munichmake...") |
No edit summary |
||
Line 19: | Line 19: | ||
== Setup == | == Setup == | ||
=== Postfix === | === Postfix === | ||
<nowiki> | |||
# sudo aptitude install postfix | |||
# sudo dpkg-reconfigure postfix | |||
Choose / Change: | |||
-> Internet site | |||
-> munichmakerlab.de | |||
</nowiki> | |||
Die main.cf anpassen/hinzufügen (nicht über postconf, sondern einfacher über vi) | |||
<nowiki> | |||
# sudo vi /etc/postfix/main.cf</nowiki> | |||
* Allgemein | |||
<nowiki> | |||
myhostname = mars.munichmakerlab.de</nowiki> | |||
* Änderungen fuer mailman | |||
<nowiki> | |||
alias_maps = hash:/etc/postfix/aliases, | |||
hash:/usr/local/mailman/data/aliases | |||
mailman_destination_recipient_limit = 1</nowiki> | |||
* TLS | |||
<nowiki> | |||
tls_ssl_options = NO_COMPRESSION | |||
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA | |||
### outgoing connections ### | |||
smtp_tls_security_level=may | |||
smtp_tls_cert_file=/etc/letsencrypt/live/mars.munichmakerlab.de/fullchain.pem | |||
smtp_tls_key_file=/etc/letsencrypt/live/mars.munichmakerlab.de/privkey.pem | |||
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache | |||
### incoming connections ### | |||
smtpd_tls_security_level=may | |||
smtpd_tls_cert_file=/etc/letsencrypt/live/mars.munichmakerlab.de/fullchain.pem | |||
smtpd_tls_key_file=/etc/letsencrypt/live/mars.munichmakerlab.de/privkey.pem | |||
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache | |||
smtpd_use_tls=yes</nowiki> | |||
* Einige Sicherheits-/Anti-Spameinstellungen | |||
<nowiki> | |||
smtpd_client_restrictions = | |||
permit_mynetworks, | |||
permit | |||
smtpd_helo_restrictions = | |||
permit_mynetworks, | |||
reject_invalid_helo_hostname, | |||
reject_non_fqdn_helo_hostname, | |||
permit | |||
smtpd_sender_restrictions = | |||
permit_mynetworks, | |||
permit | |||
smtpd_recipient_restrictions = | |||
permit_mynetworks, | |||
reject_non_fqdn_sender, | |||
reject_non_fqdn_recipient, | |||
reject_unauth_destination, | |||
reject_unlisted_recipient, | |||
reject_unlisted_sender, | |||
reject_unknown_sender_domain, | |||
reject_rbl_client sbl-xbl.spamhaus.org, | |||
reject_rbl_client cbl.abuseat.org, | |||
reject_rbl_client dul.dnsbl.sorbs.net, | |||
permit | |||
smtpd_data_restrictions = | |||
permit_mynetworks, | |||
reject_unauth_pipelining, | |||
reject_multi_recipient_bounce, | |||
permit | |||
canonical_classes = envelope_sender, header_sender | |||
smtpd_discard_ehlo_keywords = silent-discard, dsn | |||
disable_vrfy_command = yes | |||
smtpd_helo_required = yes | |||
strict_rfc821_envelopes = yes | |||
smtpd_delay_reject = yes | |||
anvil_rate_time_unit = 60 | |||
anvil_status_update_time = 60 | |||
smtpd_client_connection_count_limit = 5 | |||
smtpd_client_connection_rate_limit = 10 | |||
smtpd_client_message_rate_limit = 10 | |||
smtpd_client_recipient_rate_limit = 10 | |||
smtp_connect_timeout = 300s | |||
smtp_helo_timeout = 300s | |||
smtp_mail_timeout = 300s | |||
smtp_rcpt_timeout = 300s | |||
smtp_quit_timeout = 600s | |||
smtp_rset_timeout = 30s</nowiki> | |||
* Milter für Spamassassin und Clamav | |||
<nowiki> | |||
smtpd_milters = unix:/clamav/clamav-milter.ctl, unix:/spamass/spamass.sock | |||
milter_connect_macros = i j {daemon_name} v {if_name} _ | |||
milter_default_action = accept</nowiki> | |||
=== ClamAV === | === ClamAV === | ||
Installation ist straightforward | |||
<nowiki> | |||
# sudo aptitude install clamav</nowiki> | |||
Wir binden ClamAV via milter in postfix ein (damit die Mails gleich beim Empfang geprüft werden): | |||
<nowiki> | |||
# sudo aptitude install clamav-milter</nowiki> | |||
Milter anpassen, so dass Postfix drauf zugreifen kann: | |||
<nowiki> | |||
# sudo dpkg-reconfigure clamav-milter | |||
-> MilterSocket /var/spool/postfix/clamav/clamav-milter.ctl | |||
-> ClamdSocket unix:/var/run/clamav/clamd.ctl</nowiki> | |||
=== Spamassassin === | === Spamassassin === | ||
Installation, inkl. einiger Tools und Milter | |||
<nowiki> | |||
# sudo aptitude install spamassassin razor pyzor swaks spamass-milter</nowiki> | |||
Noch ein paar configs anpassen: | |||
<nowiki> | |||
# sudo vi /etc/default/spamass-milter | |||
-> OPTIONS="-u spamass-milter -m -I -i 127.0.0.1 -r 8 -- --socket=/var/run/spamassassin/spamd.sock" | |||
# sudo vi /etc/default/spamassassin | |||
-> OPTIONS="--create-prefs --max-children 2 --helper-home-dir /var/lib/spamassassin --nouser-config --username debian-spamd --socketpath=/var/run/spamassassin/spamd.sock --socketowner=debian-spamd --socketgroup=debian-spamd --socketmode=0660" | |||
-> CRON=1 | |||
# sudo vi /etc/spamassassin/local.cf | |||
-> report_safe 0 | |||
-> required_score 5.0 | |||
# sudo systemctl enable spamassassin.service | |||
# sudo useradd -G debian-spamd spamass-milter</nowiki> | |||
=== pdns-recursor === | === pdns-recursor === | ||
Da die Hetzner-DNS bei einigen Blacklist-Services wegen zu vieler Anfragen gesperrt sind, installieren wir unseren eigenen DNS Recursor. | |||
<nowiki> | |||
# sudo aptitude install pdns-recursor | |||
# sudo vi /etc/powerdns/recursor.conf | |||
-> Default config ist soweit ok, ggf. folgendes ändern: | |||
-> allow-from=127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fe80::/10 | |||
-> local-address=127.0.0.1<nowiki> | |||
Dann noch für das System aktivieren, so dass Postfix und Spamassassin auch den lokalen DNS nutzen: | |||
<nowiki> | |||
# sudo vi /etc/resolv.conf | |||
-> In der ersten Zeile hinzufügen: | |||
-> nameserver 127.0.0.1 | |||
# sudo vi /etc/dhcp/dhclient.conf | |||
-> prepend domain-name-servers 127.0.0.1;</nowiki> | |||
=== Mailman === | === Mailman === |
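Review bot: `milter_default_action = accept` in the milter block makes the ClamAV and SpamAssassin checks fail open: whenever either milter socket is unavailable or returns an error, Postfix accepts the message unscanned. Postfix's default for this parameter is `tempfail`, which makes the sending server retry later; if fail-open is the intended trade-off for the lists, the page should say so next to the setting. Separately, the pdns-recursor block ends in `local-address=127.0.0.1<nowiki>` where a closing `</nowiki>` is needed, so the following paragraph and the next opening tag are rendered as part of the preformatted text.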
Revision as of 09:29, 12 August 2016
Mars ist unser externer VHost bei Hetzner. Ist ein CX10. IP ist die 78.46.208.206 bzw. 2a01:4f8:c17:c8d::2
Dort laufen:
- Apache für
- Unsere Mailinglisten
- Postfix zum Empfang der Mails
- ClamAV als Virenscanner
- Spamassassin zur Filterung des Spams
- Mailman zur Verwaltung der Listen
- Weitere Services
- PowerDNS Recursor (oder kurz pdns-recursor)
- fail2ban
Wenn du ssh-Zugriff benötigst, sprich mit Severin.
Setup
Postfix
# sudo aptitude install postfix
# sudo dpkg-reconfigure postfix
Choose / Change:
-> Internet site
-> munichmakerlab.de
Die main.cf anpassen/hinzufügen (nicht über postconf, sondern einfacher über vi)
# sudo vi /etc/postfix/main.cf
- Allgemein
myhostname = mars.munichmakerlab.de
- Änderungen fuer mailman
# Alias lookup: the system alias table plus the alias file kept under the
# Mailman data directory.
# NOTE(review): Mailman alias entries normally deliver to a command, so both
# files (and their compiled maps) should be writable only by trusted
# accounts - confirm ownership and mode on the host.
alias_maps = hash:/etc/postfix/aliases,
    hash:/usr/local/mailman/data/aliases
# Per-transport recipient limit for a transport named "mailman".
# NOTE(review): it only takes effect if such a transport is defined in
# master.cf, which this listing does not show - confirm.
mailman_destination_recipient_limit = 1
- TLS
# Turn off TLS-level compression.
tls_ssl_options = NO_COMPRESSION
# Custom OpenSSL cipher string for the "high" cipher grade.
# NOTE(review): this list is only used where the cipher grade is set to
# "high" (smtpd_tls_ciphers / smtpd_tls_mandatory_ciphers and the smtp_*
# equivalents). None of those is set in this listing, so confirm whether the
# override takes effect at all.
# NOTE(review): "+SSLv3" is a cipher-string operator that moves SSLv3-era
# suites to the end of the list; it does not choose protocol versions.
# Protocol versions are controlled by smtpd_tls_protocols / smtp_tls_protocols,
# which are not set here - check that the installed Postfix's defaults
# exclude SSLv2 and SSLv3.
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
### outgoing connections ###
# "may" = opportunistic TLS: STARTTLS is used when the remote server offers
# it, otherwise delivery falls back to cleartext. The peer certificate is not
# verified at this level.
smtp_tls_security_level=may
# Client certificate presented on outgoing connections.
# NOTE(review): a client certificate is only needed when a remote server
# asks for one - confirm it is required here.
smtp_tls_cert_file=/etc/letsencrypt/live/mars.munichmakerlab.de/fullchain.pem
smtp_tls_key_file=/etc/letsencrypt/live/mars.munichmakerlab.de/privkey.pem
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
### incoming connections ###
# "may" = STARTTLS is announced to clients but not required, so inbound mail
# may still arrive unencrypted.
smtpd_tls_security_level=may
smtpd_tls_cert_file=/etc/letsencrypt/live/mars.munichmakerlab.de/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mars.munichmakerlab.de/privkey.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
# Legacy switch; smtpd_tls_security_level above supersedes it when set.
smtpd_use_tls=yes
- Einige Sicherheits-/Anti-Spameinstellungen
# Each restriction list is evaluated in order; the first matching entry
# decides. Lists that contain only permit_mynetworks and permit do not
# filter anything at that stage.
smtpd_client_restrictions =
    permit_mynetworks,
    permit
# Reject syntactically invalid or non-FQDN HELO names from outside clients.
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    permit
smtpd_sender_restrictions =
    permit_mynetworks,
    permit
# reject_unauth_destination is the entry that keeps the server from acting as
# an open relay; it must stay ahead of the final permit.
# NOTE(review): the three DNS blocklists are outside services as of this 2016
# revision. Blocklist zones get retired or change their query policy, and a
# dead zone can cause timeouts or wrong rejections - verify each one is still
# in service before reusing this list. These lookups also need a resolver the
# blocklist operators do not block, which is why this page sets up a local
# pdns-recursor.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unauth_destination,
    reject_unlisted_recipient,
    reject_unlisted_sender,
    reject_unknown_sender_domain,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dul.dnsbl.sorbs.net,
    permit
# Reject clients that send commands ahead of the server's replies, and
# bounces (null sender) addressed to more than one recipient.
smtpd_data_restrictions =
    permit_mynetworks,
    reject_unauth_pipelining,
    reject_multi_recipient_bounce,
    permit
canonical_classes = envelope_sender, header_sender
# Stop advertising DSN in the EHLO response; silent-discard suppresses the
# log entry for the discarded keyword.
smtpd_discard_ehlo_keywords = silent-discard, dsn
# Disable VRFY so the server cannot be used to probe for valid addresses.
disable_vrfy_command = yes
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
# Evaluate the restrictions only at RCPT TO, so that client, HELO and sender
# information are all available when a rejection is logged.
smtpd_delay_reject = yes
# Per-client limits enforced through the anvil service; the rate limits below
# are counted per anvil_rate_time_unit.
# NOTE(review): clients covered by smtpd_client_event_limit_exceptions
# (by default the mynetworks clients) are exempt - confirm that is intended.
anvil_rate_time_unit = 60
anvil_status_update_time = 60
smtpd_client_connection_count_limit = 5
smtpd_client_connection_rate_limit = 10
smtpd_client_message_rate_limit = 10
smtpd_client_recipient_rate_limit = 10
# Timeouts for the outgoing SMTP client.
smtp_connect_timeout = 300s
smtp_helo_timeout = 300s
smtp_mail_timeout = 300s
smtp_rcpt_timeout = 300s
smtp_quit_timeout = 600s
smtp_rset_timeout = 30s
- Milter für Spamassassin und Clamav
# Milter sockets for clamav-milter and spamass-milter.
# NOTE(review): the paths look relative to the Postfix chroot; the ClamAV
# section of this page places its socket at
# /var/spool/postfix/clamav/clamav-milter.ctl, which matches. The location of
# spamass.sock is not set in the spamass-milter options shown on this page -
# presumably a package default, confirm.
smtpd_milters = unix:/clamav/clamav-milter.ctl, unix:/spamass/spamass.sock
milter_connect_macros = i j {daemon_name} v {if_name} _
# Fail-open: when a milter is unreachable or returns an error, the message is
# accepted as if the milter were not configured, i.e. without virus or spam
# scanning. Postfix's default is tempfail, which defers the message instead.
# NOTE(review): confirm fail-open is the intended trade-off and monitor both
# milter services, since an outage silently disables scanning.
milter_default_action = accept
ClamAV
Installation ist straightforward
# sudo aptitude install clamav
Wir binden ClamAV via milter in postfix ein (damit die Mails gleich beim Empfang geprüft werden):
# sudo aptitude install clamav-milter
Milter anpassen, so dass Postfix drauf zugreifen kann:
# sudo dpkg-reconfigure clamav-milter
-> MilterSocket /var/spool/postfix/clamav/clamav-milter.ctl
-> ClamdSocket unix:/var/run/clamav/clamd.ctl
Spamassassin
Installation, inkl. einiger Tools und Milter
# sudo aptitude install spamassassin razor pyzor swaks spamass-milter
Noch ein paar configs anpassen:
# sudo vi /etc/default/spamass-milter
-> OPTIONS="-u spamass-milter -m -I -i 127.0.0.1 -r 8 -- --socket=/var/run/spamassassin/spamd.sock"
# sudo vi /etc/default/spamassassin
-> OPTIONS="--create-prefs --max-children 2 --helper-home-dir /var/lib/spamassassin --nouser-config --username debian-spamd --socketpath=/var/run/spamassassin/spamd.sock --socketowner=debian-spamd --socketgroup=debian-spamd --socketmode=0660"
-> CRON=1
# sudo vi /etc/spamassassin/local.cf
-> report_safe 0
-> required_score 5.0
# sudo systemctl enable spamassassin.service
# sudo useradd -G debian-spamd spamass-milter
pdns-recursor
Da die Hetzner-DNS bei einigen Blacklist-Services wegen zu vieler Anfragen gesperrt sind, installieren wir unseren eigenen DNS Recursor.
# sudo aptitude install pdns-recursor
# sudo vi /etc/powerdns/recursor.conf
-> Default config ist soweit ok, ggf. folgendes ändern:
-> allow-from=127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fe80::/10
-> local-address=127.0.0.1
Dann noch für das System aktivieren, so dass Postfix und Spamassassin auch den lokalen DNS nutzen:
# sudo vi /etc/resolv.conf
-> In der ersten Zeile hinzufügen:
-> nameserver 127.0.0.1
# sudo vi /etc/dhcp/dhclient.conf
-> prepend domain-name-servers 127.0.0.1;