Mars

From The Munich Maker Lab's Wiki
Revision as of 09:29, 12 August 2016 by Siedi (talk | contribs)

Mars is our external vhost at Hetzner. It is a CX10. Its IP addresses are 78.46.208.206 and 2a01:4f8:c17:c8d::2.

The following run on it:

  • Apache for
  • Our mailing lists
    • Postfix for receiving mail
    • ClamAV as virus scanner
    • SpamAssassin for filtering spam
    • Mailman for managing the lists
  • Other services
    • PowerDNS Recursor (pdns-recursor for short)
    • fail2ban

If you need SSH access, talk to Severin.

Setup

Postfix

# sudo aptitude install postfix
# sudo dpkg-reconfigure postfix
Choose / Change:
-> Internet site
-> munichmakerlab.de

Edit main.cf and add the following (not via postconf; it is easier in vi)

# sudo vi /etc/postfix/main.cf
  • General
myhostname = mars.munichmakerlab.de
  • Changes for Mailman
alias_maps = hash:/etc/postfix/aliases,
             hash:/usr/local/mailman/data/aliases
mailman_destination_recipient_limit = 1
  • TLS
tls_ssl_options = NO_COMPRESSION
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA

### outgoing connections ###
smtp_tls_security_level=may
smtp_tls_cert_file=/etc/letsencrypt/live/mars.munichmakerlab.de/fullchain.pem
smtp_tls_key_file=/etc/letsencrypt/live/mars.munichmakerlab.de/privkey.pem
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

### incoming connections ###
smtpd_tls_security_level=may
smtpd_tls_cert_file=/etc/letsencrypt/live/mars.munichmakerlab.de/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mars.munichmakerlab.de/privkey.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls=yes
  • Some security / anti-spam settings
smtpd_client_restrictions =
        permit_mynetworks,
        permit
smtpd_helo_restrictions =
        permit_mynetworks,
        reject_invalid_helo_hostname,
        reject_non_fqdn_helo_hostname,
        permit
smtpd_sender_restrictions =
        permit_mynetworks,
        permit
smtpd_recipient_restrictions =
        permit_mynetworks,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unauth_destination,
        reject_unlisted_recipient,
        reject_unlisted_sender,
        reject_unknown_sender_domain,
        reject_rbl_client sbl-xbl.spamhaus.org,
        reject_rbl_client cbl.abuseat.org,
        reject_rbl_client dul.dnsbl.sorbs.net,
        permit
smtpd_data_restrictions =
        permit_mynetworks,
        reject_unauth_pipelining,
        reject_multi_recipient_bounce,
        permit
canonical_classes = envelope_sender, header_sender

smtpd_discard_ehlo_keywords = silent-discard, dsn
disable_vrfy_command = yes
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
smtpd_delay_reject = yes
anvil_rate_time_unit = 60
anvil_status_update_time = 60
smtpd_client_connection_count_limit = 5
smtpd_client_connection_rate_limit = 10
smtpd_client_message_rate_limit = 10
smtpd_client_recipient_rate_limit = 10
smtp_connect_timeout = 300s
smtp_helo_timeout = 300s
smtp_mail_timeout = 300s
smtp_rcpt_timeout = 300s
smtp_quit_timeout = 600s
smtp_rset_timeout = 30s
  • Milters for SpamAssassin and ClamAV
smtpd_milters = unix:/clamav/clamav-milter.ctl, unix:/spamass/spamass.sock
milter_connect_macros = i j {daemon_name} v {if_name} _
milter_default_action = accept

ClamAV

Installation is straightforward

# sudo aptitude install clamav

We hook ClamAV into Postfix via a milter (so that mails are scanned as soon as they are received):

# sudo aptitude install clamav-milter

Adjust the milter so that Postfix can access it:

# sudo dpkg-reconfigure clamav-milter
-> MilterSocket /var/spool/postfix/clamav/clamav-milter.ctl
-> ClamdSocket unix:/var/run/clamav/clamd.ctl
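
An added example, not part of the wiki page: a shell script that flattens a main.cf the way Postfix reads it (continuation lines joined) and checks three points from the Postfix configuration and the ClamAV milter setup above: the position of reject_unauth_destination, the fail-open milter_default_action, and whether each unix: milter socket exists on disk. The function names are hypothetical, and the socket check assumes smtpd runs chrooted in /var/spool/postfix, as the MilterSocket path above implies.

```shell
#!/bin/sh
# Added example, not part of the wiki page. Function names are assumptions.

# Print "name = value" per parameter. In main.cf a line starting with
# whitespace continues the previous one; comments and blank lines are skipped.
flatten_main_cf() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { sub(/^[ \t]+/, "")
                   val[cur] = (val[cur] == "" ? "" : val[cur] " ") $0; next }
        {
            eq = index($0, "="); if (eq == 0) next
            cur = substr($0, 1, eq - 1); sub(/[ \t]+$/, "", cur)
            v = substr($0, eq + 1); sub(/^[ \t]+/, "", v)
            if (!(cur in val)) names[++n] = cur
            val[cur] = v
        }
        END { for (i = 1; i <= n; i++) print names[i] " = " val[names[i]] }
    ' "$1"
}

get_param() {  # get_param FILE NAME -> value (empty if unset)
    flatten_main_cf "$1" | awk -v k="$2" \
        'index($0, k " = ") == 1 { print substr($0, length(k) + 4) }'
}

# audit_main_cf FILE [CHROOT]; CHROOT defaults to /var/spool/postfix.
audit_main_cf() {
    f=$1; root=${2:-/var/spool/postfix}
    # Restrictions are evaluated in order; a bare "permit" ends evaluation.
    first=$(get_param "$f" smtpd_recipient_restrictions | tr ',' ' ' |
        tr -s ' ' '\n' | awk '$0 == "permit" { print "permit"; exit }
            $0 == "reject_unauth_destination" { print "ok"; exit }')
    if [ "$first" != ok ]; then
        echo "FAIL reject_unauth_destination is missing or follows a bare permit"
    fi
    if [ "$(get_param "$f" milter_default_action)" = accept ]; then
        echo "WARN milter_default_action=accept: unscanned mail passes if a milter is down"
    fi
    # Assumes smtpd is chrooted: unix:/clamav/x means CHROOT/clamav/x on disk.
    for m in $(get_param "$f" smtpd_milters | tr ',' ' '); do
        case $m in unix:*)
            [ -e "$root${m#unix:}" ] || echo "FAIL milter socket missing: $root${m#unix:}" ;;
        esac
    done
    return 0
}

if [ $# -gt 0 ]; then audit_main_cf "$@"; fi
```

Saved under a name of your choice, it takes the path to main.cf as its argument; no output means all three checks passed.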

Spamassassin

Installation, including some tools and the milter

# sudo aptitude install spamassassin razor pyzor swaks spamass-milter

Adjust a few more configs:

# sudo vi /etc/default/spamass-milter
-> OPTIONS="-u spamass-milter -m -I -i 127.0.0.1 -r 8  -- --socket=/var/run/spamassassin/spamd.sock"

# sudo vi /etc/default/spamassassin
-> OPTIONS="--create-prefs --max-children 2 --helper-home-dir /var/lib/spamassassin --nouser-config --username debian-spamd --socketpath=/var/run/spamassassin/spamd.sock --socketowner=debian-spamd --socketgroup=debian-spamd --socketmode=0660"
-> CRON=1

# sudo vi /etc/spamassassin/local.cf
-> report_safe 0
-> required_score 5.0

# sudo systemctl enable spamassassin.service

# sudo useradd -G debian-spamd spamass-milter

pdns-recursor

Because the Hetzner DNS servers are blocked by some blacklist services for sending too many queries, we install our own DNS recursor.

# sudo aptitude install pdns-recursor
# sudo vi /etc/powerdns/recursor.conf
-> The default config is fine as it is; change the following if needed:
-> allow-from=127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fe80::/10
-> local-address=127.0.0.1

Then enable it for the system as well, so that Postfix and SpamAssassin also use the local DNS:
# sudo vi /etc/resolv.conf
-> Add as the first line:
-> nameserver 127.0.0.1
# sudo vi /etc/dhcp/dhclient.conf
-> prepend domain-name-servers 127.0.0.1;

Mailman