November 2024
M T W T F S S
 123
45678910
11121314151617
18192021222324
252627282930  

Categories

November 2024
M T W T F S S
 123
45678910
11121314151617
18192021222324
252627282930  

postfix

  • Biglobe is OP25B because there are regulations, to set via the relay server of Biglobe. Thus SASL to transmit authentication.
  • SPF perform the source domain authentication in.
  • S25R , Greylisting , Tarpitting prevent access from suspicious server approach.
  • Because you do not want to do in the form of a patch to Postfix, the Debian package, plug-ins, the measures to be carried out in the setting change.

Biglobe relay

  • Installation of SASL module.
     #aptitude install libsasl2-modules sasl2-bin
    
  • Relays Biglobe relay server, configured to use SASL at that time.
    main.cf

     # BIGLOBE transfer server relayhost = [#####. Biglobe.ne.jp]
    
     # To enable SASL authentication in the Postfix SMTP client.
     smtp_sasl_auth_enable = yes
    
     # Specify the SMTP client lookup tables smtp_sasl_password_maps = hash: / etc / postfix / isp_passwd
    
     # Since the SMTP server-side SASL mechanism and the home server-side SASL mechanism of the ISP might fail to # authentication it's a mismatch, to fix the mechanism to be used in the following.
     smtp_sasl_mechanism_filter = cram-md5, login, plain
    
  • Describe the setting of the password to be used for transmission.
    isp_passwd

     [#####. Biglobe.ne.jp] ***** @ bma.biglobe.ne.jp:*******
    
     #postmap isp_passwd
    
  • Complete the setting of the relay to restart

Setting of SMTP AUTH

  • Installation of the necessary modules
     #aptitude install libsasl2-modules sasl2-bin
    
  • Additional authentication user
     # Saslpasswd2 -u [domain name] -c [user name]
    
  • Set to read in Postfix
     #chgrp postfix / etc / sasldb2
     #chmod 640 / etc / sasldb2
     #ln / etc / sasldb2 / var / spool / postfix / etc
    
  • Postfix configuration of
    main.cf

     smtpd_sasl_auth_enable = yes
     smtpd_sasl_local_domain = example.com
     smtpd_sasl_security_options = noanonymous, noplaintext
    
     smtpd_recipient_restrictions =
       permit_mynetworks,
       permit_sasl_authenticated,
       reject_unauth_destination
    
  • Completion SMTP AUTH settings restart

Access regulations from suspicious server

  • Set the number of allowable error to prevent the account survey of brute force. 70 seconds of the response delay in the more than five times the error. Cut at 8 times error.
    main.cf

     smtpd_soft_error_limit = 5
     smtpd_hard_error_limit = 8
     smtpd_error_sleep_time = 70
    
     smtpd_delay_reject = yes
    
  • Install the policy server for Greylisting.
     # Apt-get install postgrey
    

    main.cf

     smtpd_restriction_classes = check_greylist
     check_greylist = check_policy_service inet: 60000
    
  • At the time of the RCPT command, things get caught in the S25R will prompt the retransmission Greylisting. Things that have been retransmitted, multiplied by the response delay in further Tarpitting.
    The methodological, screen out method in Tarpitting in addition to Rgrey.
    main.cf

     # RCPT check (Greylisting) & Terpit
     smtpd_recipient_restrictions =
                     permit_mynetworks
                     reject_unauth_destination
                     check_client_access regexp: / etc / postfix / check_client_fqdn_greylist ? ? 1
                     check_client_access regexp: / etc / postfix / check_client_fqdn_tarpit ? ? 2
                     check_recipient_access hash: / etc / postfix / recipient_restrictions
    

    check_client_fqdn_greylist

     / ^ Unknown $ / check_greylist
     /^[^\.]*[0-9][^0-9\.]+[0-9]/ Check_greylist
     /^[^\.]*[0-9]{5}/ Check_greylist
     /^([^\.]+\.)?[0-9][^\.]*\.[^\.]+\..+\.[az]/ Check_greylist
     /^[^\.]*[0-9]\.[^\.]*[0-9]-[0-9]/ Check_greylist
     /^[^\.]*[0-9]\.[^\.]*[0-9]\.[^\.]+\..+\./ Check_greylist
     /^(dhcp|dialup|ppp|adsl)[^\.]*[0-9]/ check_greylist
    

    check_client_fqdn_tarpit

     / ^ Unknown $ / sleep 70
     /^[^\.]*[0-9][^0-9\.]+[0-9]/ Sleep 70
     /^[^\.]*[0-9]{5}/ Sleep 70
     /^([^\.]+\.)?[0-9][^\.]*\.[^\.]+\..+\.[az]/ Sleep 70
     /^[^\.]*[0-9]\.[^\.]*[0-9]-[0-9]/ Sleep 70
     /^[^\.]*[0-9]\.[^\.]*[0-9]\.[^\.]+\..+\./ Sleep 70
     /^(dhcp|dialup|ppp|adsl)[^\.]*[0-9]/ sleep 70
    
  • The check_client_fqdn_greylist and check_client_fqdn_tarpit to postmap, complete if you restart Postfix.
  • taRgrey If you find the things that implement in Postfix, the place that you want to migrate to over there. There is only a patch is now?

Sent in SPF original domain authentication

  • To get the script to perform the SPF. SPF Project get the postfix-policyd-spf from the page.
  • Installation since the script uses the Perl of Mail :: SPF :: Query library.
     apt-get install libmail-spf-perl libmail-spf-query-perl
    
  • It registered as a service to use a script in Postfix.
    master.cf

     policy unix - nn - - spawn user = nobody argv = / usr / bin / perl [location of the script that was placed above]
    
  • Set to perform a check of SPF at the time of connection.
    main.cf

     # Connection check
     smtpd_client_restrictions =
                     permit_mynetworks
                     reject_rbl_client spamcop.net
                     reject_rbl_client all.rbl.jp
                     check_policy_service unix: private / policy ? ?
                     check_client_access hash: / etc / postfix / client_restrictions
    
  • Server Received-SPF is when you have new mail: completion if so as to grant the header.

Premise

  • Making the CA’s self-signed, make a server certificate by signing of the CA.
  • Import the CA certificate to the Trusted or something USB memory, to verify the certificate chain.
  • Said that even if, quite appropriate.

X.509 v3 configuration file for the extension

  • Creating a file to set the extension properties of version 3.
    ext.cnf

     # ? default value used at the time of the certificate request (CSR) [req]
       default_bits = 2048
       distinguished_name = req_distinguished_name
       attributes = req_attributes
       default_md = sha1
       string_mask = nombstr
    
     # ? default value of the contents described in the certificate request (CSR) [req_distinguished_name]
       countryName = Country Name (2 letter code)
       countryName_default = JP
       stateOrProvinceName = State or Province Name (full name)
       stateOrProvinceName_default = 
       localityName = Locality Name (eg, city)
       localityName_default = 
       0.organizationName = Organization Name (eg, company)
       0.organizationName_default = 
       organizationalUnitName = Organizational Unit Name (eg, section)
       commonName = Common Name (*** IMPORTANT ***)
       commonName_default =
       emailAddress = Email Address
       emailAddress_default =
    
     # ? I heard use at the time of the certificate request (CSR), I do not know well [req_attributes]
       challengePassword = A challenge password
       challengePassword_min = 4
       challengePassword_max = 20
       unstructuredName = An optional company name
    
     # V3 extensions for CA [v3_ca]
       basicConstraints = CA: true
       subjectKeyIdentifier = hash
       authorityKeyIdentifier = keyid: always, issuer: always
       keyUsage = cRLSign, keyCertSign
       nsCertType = sslCA, emailCA
       # ? here suspicious extendedKeyUsage = 1.3.6.1.5.5.7.3.2, 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.4
    
     # V3 extensions for server certificate [cert_server]
       basicConstraints = CA: FALSE
       subjectKeyIdentifier = hash
       authorityKeyIdentifier = keyid: always, issuer: always
       keyUsage = digitalSignature, keyEncipherment
       nsCertType = server
       # ? here suspicious extendedKeyUsage = 1.3.6.1.5.5.7.3.1
    

Task Command

  • Creating a private key for the CA. 2048-bit RSA. Encrypt the key itself in 192-bit AES.
     $ Openssl genrsa -aes192 -out ca.key 2048
    
  • Creating a CA certificate. Create a certificate of X.509 v3. Period is suitably 10 years. In addition to the easy-to-understand PEM format as also output in the TEXT format.
     $ Openssl req -new -x509 -days 3652 \
         -key ca.key -out ca.crt \
         -config ext.cnf -extensions v3_ca -text
    
  • Create a file describing the serial No of the certificate to be managed by the CA. Error in the following and this is not.
     $ Echo "00"> ca.srl
    
  • Creating a private key for the server. 2048-bit RSA. Encryption key itself is no. (Asked passphrase to Apache startup if there)
     $ Openssl genrsa -out server.key 2048
    
  • Create a certificate request for the server. Easy-to-understand way, in addition to the PEM also TEXT format output.
     $ Openssl req -new \
         -key server.key -out server.csr \
         -config ext.cnf -text
    
  • Create a server certificate of X.509 v3 signed with the CA key. Period is suitably 700 days.
     $ Openssl x509 -req -days 700 \
         -in server.csr -out server.crt \
         -CA Ca.crt -CAkey ca.key \
         -extfile ext.cnf -extensions cert_server -CAserial ca.srl
    

Apache built-in

  • After suitably incorporated in the Apache.
    Add the following to the appropriate VirtualHost setting

     Listen 443
    
     ## SSL Virtual Host Context
     <VirtualHost *: 443>
       SSLEngine on
    
       SSLCertificateFile server.crt
       SSLCertificateKeyFile server.key
       SSLCACertificateFile ca.crt
      
       DocumentRoot ************
      
       ~ ~ ~ ~ ~ ~ Suitable below
     </ VirtualHost>
    

Leave a Reply

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>