Mars: Difference between revisions

From The Munich Maker Lab's Wiki
Jump to navigation Jump to search
(Created page with "Mars ist unser externer VHost bei Hetzner. Ist ein CX10. IP ist die 78.46.208.206 bzw. 2a01:4f8:c17:c8d::2 Dort laufen: * Apache für ** [https://munichmakerlab.de munichmake...")
 
No edit summary
Line 19: Line 19:
== Setup ==
== Setup ==
=== Postfix ===
=== Postfix ===
<nowiki>
# sudo aptitude install postfix
# sudo dpkg-reconfigure postfix
Choose / Change:
-> Internet site
-> munichmakerlab.de
</nowiki>
Die main.cf anpassen/hinzufügen (nicht über postconf, sondern einfacher über vi)
<nowiki>
# sudo vi /etc/postfix/main.cf</nowiki>
* Allgemein
<nowiki>
myhostname = mars.munichmakerlab.de</nowiki>
* Änderungen fuer mailman
<nowiki>
alias_maps = hash:/etc/postfix/aliases,
            hash:/usr/local/mailman/data/aliases
mailman_destination_recipient_limit = 1</nowiki>
* TLS
<nowiki>
tls_ssl_options = NO_COMPRESSION
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
### outgoing connections ###
smtp_tls_security_level=may
smtp_tls_cert_file=/etc/letsencrypt/live/mars.munichmakerlab.de/fullchain.pem
smtp_tls_key_file=/etc/letsencrypt/live/mars.munichmakerlab.de/privkey.pem
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
### incoming connections ###
smtpd_tls_security_level=may
smtpd_tls_cert_file=/etc/letsencrypt/live/mars.munichmakerlab.de/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mars.munichmakerlab.de/privkey.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls=yes</nowiki>
* Einige Sicherheits-/Anti-Spameinstellungen
<nowiki>
smtpd_client_restrictions =
        permit_mynetworks,
        permit
smtpd_helo_restrictions =
        permit_mynetworks,
        reject_invalid_helo_hostname,
        reject_non_fqdn_helo_hostname,
        permit
smtpd_sender_restrictions =
        permit_mynetworks,
        permit
smtpd_recipient_restrictions =
        permit_mynetworks,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unauth_destination,
        reject_unlisted_recipient,
        reject_unlisted_sender,
        reject_unknown_sender_domain,
        reject_rbl_client sbl-xbl.spamhaus.org,
        reject_rbl_client cbl.abuseat.org,
        reject_rbl_client dul.dnsbl.sorbs.net,
        permit
smtpd_data_restrictions =
        permit_mynetworks,
        reject_unauth_pipelining,
        reject_multi_recipient_bounce,
        permit
canonical_classes = envelope_sender, header_sender
smtpd_discard_ehlo_keywords = silent-discard, dsn
disable_vrfy_command = yes
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
smtpd_delay_reject = yes
anvil_rate_time_unit = 60
anvil_status_update_time = 60
smtpd_client_connection_count_limit = 5
smtpd_client_connection_rate_limit = 10
smtpd_client_message_rate_limit = 10
smtpd_client_recipient_rate_limit = 10
smtp_connect_timeout = 300s
smtp_helo_timeout = 300s
smtp_mail_timeout = 300s
smtp_rcpt_timeout = 300s
smtp_quit_timeout = 600s
smtp_rset_timeout = 30s</nowiki>
* Milter für Spamassassin und Clamav
<nowiki>
smtpd_milters = unix:/clamav/clamav-milter.ctl, unix:/spamass/spamass.sock
milter_connect_macros = i j {daemon_name} v {if_name} _
milter_default_action = accept</nowiki>


=== ClamAV ===
=== ClamAV ===
Installation ist straightforward
<nowiki>
# sudo aptitude install clamav</nowiki>
Wir binden ClamAV via milter in postfix ein (damit die Mails gleich beim Empfang geprüft werden):
<nowiki>
# sudo aptitude install clamav-milter</nowiki>
Milter anpassen, so dass Postfix drauf zugreifen kann:
<nowiki>
# sudo dpkg-reconfigure clamav-milter
-> MilterSocket /var/spool/postfix/clamav/clamav-milter.ctl
-> ClamdSocket unix:/var/run/clamav/clamd.ctl</nowiki>


=== Spamassassin ===
=== Spamassassin ===
Installation, inkl. einiger Tools und Milter
<nowiki>
# sudo aptitude install spamassassin razor pyzor swaks spamass-milter</nowiki>
Noch ein paar configs anpassen:
<nowiki>
# sudo vi /etc/default/spamass-milter
-> OPTIONS="-u spamass-milter -m -I -i 127.0.0.1 -r 8  -- --socket=/var/run/spamassassin/spamd.sock"
# sudo vi /etc/default/spamassassin
-> OPTIONS="--create-prefs --max-children 2 --helper-home-dir /var/lib/spamassassin --nouser-config --username debian-spamd --socketpath=/var/run/spamassassin/spamd.sock --socketowner=debian-spamd --socketgroup=debian-spamd --socketmode=0660"
-> CRON=1
# sudo vi /etc/spamassassin/local.cf
-> report_safe 0
-> required_score 5.0
# sudo systemctl enable spamassassin.service
# sudo useradd -G debian-spamd spamass-milter</nowiki>


=== pdns-recursor ===
=== pdns-recursor ===
Da die Hetzner-DNS bei einigen Blacklist-Services wegen zu vieler Anfragen gesperrt sind, installieren wir unseren eigenen DNS Recursor.
<nowiki>
# sudo aptitude install pdns-recursor
# sudo vi /etc/powerdns/recursor.conf
-> Default config ist soweit ok, ggf. folgendes ändern:
-> allow-from=127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fe80::/10
-> local-address=127.0.0.1<nowiki>
Dann noch für das System aktivieren, so dass Postfix und Spamassassin auch den lokalen DNS nutzen:
<nowiki>
# sudo vi /etc/resolv.conf
-> In der ersten Zeile hinzufügen:
-> nameserver 127.0.0.1
# sudo vi /etc/dhcp/dhclient.conf
-> prepend domain-name-servers 127.0.0.1;</nowiki>


=== Mailman ===
=== Mailman ===

Revision as of 09:29, 12 August 2016

Mars ist unser externer VHost bei Hetzner. Ist ein CX10. IP ist die 78.46.208.206 bzw. 2a01:4f8:c17:c8d::2

Dort laufen:

  • Apache für
  • Unsere Mailinglisten
    • Postfix zum Empfang der Mails
    • ClamAV als Virenscanner
    • Spamassassin zur Filterung des Spams
    • Mailman zur Verwaltung der Listen
  • Weitere Services
    • PowerDNS Recursor (oder kurz pdns-recursor)
    • fail2ban

Wenn du ssh-Zugriff benötigst, sprich mit Severin.

Setup

Postfix

# sudo aptitude install postfix
# sudo dpkg-reconfigure postfix
Choose / Change:
-> Internet site
-> munichmakerlab.de

Die main.cf anpassen/hinzufügen (nicht über postconf, sondern einfacher über vi)

# sudo vi /etc/postfix/main.cf
  • Allgemein
myhostname = mars.munichmakerlab.de
  • Änderungen fuer mailman
alias_maps = hash:/etc/postfix/aliases,
             hash:/usr/local/mailman/data/aliases
mailman_destination_recipient_limit = 1
  • TLS
tls_ssl_options = NO_COMPRESSION
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA

### outgoing connections ###
smtp_tls_security_level=may
smtp_tls_cert_file=/etc/letsencrypt/live/mars.munichmakerlab.de/fullchain.pem
smtp_tls_key_file=/etc/letsencrypt/live/mars.munichmakerlab.de/privkey.pem
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

### incoming connections ###
smtpd_tls_security_level=may
smtpd_tls_cert_file=/etc/letsencrypt/live/mars.munichmakerlab.de/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mars.munichmakerlab.de/privkey.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls=yes
  • Einige Sicherheits-/Anti-Spameinstellungen
smtpd_client_restrictions =
        permit_mynetworks,
        permit
smtpd_helo_restrictions =
        permit_mynetworks,
        reject_invalid_helo_hostname,
        reject_non_fqdn_helo_hostname,
        permit
smtpd_sender_restrictions =
        permit_mynetworks,
        permit
smtpd_recipient_restrictions =
        permit_mynetworks,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unauth_destination,
        reject_unlisted_recipient,
        reject_unlisted_sender,
        reject_unknown_sender_domain,
        reject_rbl_client sbl-xbl.spamhaus.org,
        reject_rbl_client cbl.abuseat.org,
        reject_rbl_client dul.dnsbl.sorbs.net,
        permit
smtpd_data_restrictions =
        permit_mynetworks,
        reject_unauth_pipelining,
        reject_multi_recipient_bounce,
        permit
canonical_classes = envelope_sender, header_sender

smtpd_discard_ehlo_keywords = silent-discard, dsn
disable_vrfy_command = yes
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
smtpd_delay_reject = yes
anvil_rate_time_unit = 60
anvil_status_update_time = 60
smtpd_client_connection_count_limit = 5
smtpd_client_connection_rate_limit = 10
smtpd_client_message_rate_limit = 10
smtpd_client_recipient_rate_limit = 10
smtp_connect_timeout = 300s
smtp_helo_timeout = 300s
smtp_mail_timeout = 300s
smtp_rcpt_timeout = 300s
smtp_quit_timeout = 600s
smtp_rset_timeout = 30s
  • Milter für Spamassassin und Clamav
smtpd_milters = unix:/clamav/clamav-milter.ctl, unix:/spamass/spamass.sock
milter_connect_macros = i j {daemon_name} v {if_name} _
milter_default_action = accept

ClamAV

Installation ist straightforward

# sudo aptitude install clamav

Wir binden ClamAV via milter in postfix ein (damit die Mails gleich beim Empfang geprüft werden):

# sudo aptitude install clamav-milter

Milter anpassen, so dass Postfix drauf zugreifen kann:

# sudo dpkg-reconfigure clamav-milter
-> MilterSocket /var/spool/postfix/clamav/clamav-milter.ctl
-> ClamdSocket unix:/var/run/clamav/clamd.ctl

Spamassassin

Installation, inkl. einiger Tools und Milter

# sudo aptitude install spamassassin razor pyzor swaks spamass-milter

Noch ein paar configs anpassen:

# sudo vi /etc/default/spamass-milter
-> OPTIONS="-u spamass-milter -m -I -i 127.0.0.1 -r 8  -- --socket=/var/run/spamassassin/spamd.sock"

# sudo vi /etc/default/spamassassin
-> OPTIONS="--create-prefs --max-children 2 --helper-home-dir /var/lib/spamassassin --nouser-config --username debian-spamd --socketpath=/var/run/spamassassin/spamd.sock --socketowner=debian-spamd --socketgroup=debian-spamd --socketmode=0660"
-> CRON=1

# sudo vi /etc/spamassassin/local.cf
-> report_safe 0
-> required_score 5.0

# sudo systemctl enable spamassassin.service

# sudo useradd -G debian-spamd spamass-milter

pdns-recursor

Da die Hetzner-DNS bei einigen Blacklist-Services wegen zu vieler Anfragen gesperrt sind, installieren wir unseren eigenen DNS Recursor.

# sudo aptitude install pdns-recursor
# sudo vi /etc/powerdns/recursor.conf
-> Default config ist soweit ok, ggf. folgendes ändern:
-> allow-from=127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fe80::/10
-> local-address=127.0.0.1<nowiki>

Dann noch für das System aktivieren, so dass Postfix und Spamassassin auch den lokalen DNS nutzen:
 <nowiki>
# sudo vi /etc/resolv.conf
-> In der ersten Zeile hinzufügen:
-> nameserver 127.0.0.1
# sudo vi /etc/dhcp/dhclient.conf
-> prepend domain-name-servers 127.0.0.1;

Mailman