行云无鸣

2011-10-01

Example.com server configuration

Filed under: Ramblings — hellyguo @ 21:15

The server is a Dell PowerEdge 1950.
Debian 6 is installed as the operating system.
When installing the system, the bnx2/bnx2-mips-06-5.0.0.j3.fw firmware package must be prepared in advance (it is non-free, so you have to obtain it yourself); download location: debian.org

Mail server configuration
1. Install exim4 / courier-pop
sudo apt-get install exim4 exim4-daemon-heavy courier-pop courier-pop-ssl
2. Install SASL
sudo apt-get install sasl2-bin
3. Configure SASL to start at boot
sudo vi /etc/default/saslauthd
START=yes # start at boot
4. Install SpamAssassin
sudo apt-get install spamassassin
5. Configure SpamAssassin to start at boot
sudo vi /etc/default/spamassassin
ENABLE=1 # start at boot
CRON=1 # update the filter rules automatically at night
6. Start SpamAssassin
sudo /etc/init.d/spamassassin start
7. Install ClamAV
sudo apt-get install clamav
8. Install greylistd
sudo apt-get install greylistd
9. Configure exim4
sudo dpkg-reconfigure exim4-config
Answers to the prompts:
1) internet site
2) example.com
3) leave empty
4) example.com
5) leave empty
6) leave empty
7) NO
8) Maildir
9) NO
10. Create a self-signed certificate for exim4
sudo /usr/share/doc/exim4/examples/exim-gencert

[*] Creating a self signed SSL certificate for Exim!
This may be sufficient to establish encrypted connections but for
secure identification you need to buy a real certificate!

Please enter the hostname of your MTA at the Common Name (CN) prompt!

Generating a 1024 bit RSA private key
...........................++++++
.....................++++++
writing new private key to '/etc/exim4/exim.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Code (2 letters) [US]:CN
State or Province Name (full name) []:Zhejiang
Locality Name (eg, city) []:Hangzhou
Organization Name (eg, company; recommended) []:example.com
Organizational Unit Name (eg, section) []:http://www.example.com
Server name (eg. ssl.domain.tld; required!!!) []:mail.example.com
Email Address []:webmaster@example.com
[*] Done generating self signed certificates for exim!
Refer to the documentation and example configuration files
over at /usr/share/doc/exim4-base/ for an idea on how to enable TLS
support in your mail transfer agent.
The generated certificate is placed in /etc/exim4 as exim.crt / exim.key. This is the default location and the steps below rely on it: if the files are left there, the certificate paths below need no change; if they are moved, the paths must be updated accordingly.

11. Configure exim4 to support STARTTLS and SASL authentication
sudo adduser Debian-exim sasl
sudo /etc/init.d/saslauthd restart
sudo vi /etc/exim4/exim4.conf.template

a) Add MAIN_TLS_ENABLE = yes above the .ifdef MAIN_TLS_ENABLE line
b) Check the certificate paths from the previous step; change them if the files were moved
c) Below "Authenticate against local passwords using sasl2-bin", uncomment the plain_saslauthd_server and login_saslauthd_server sections
12. Update the exim4 configuration and restart exim4
sudo update-exim4.conf
sudo /etc/init.d/exim4 restart

13. Have a Maildir created automatically whenever a user is added
sudo maildirmake /etc/skel/Maildir
sudo chmod 755 /etc/skel/Maildir

14. Test the configuration
sudo apt-get install swaks
swaks -a -tls -q HELO -s localhost -au user -ap 'pwd'

=== Trying localhost:25...
=== Connected to localhost.
EHLO localhost
<- 250-localhost Hello localhost [127.0.0.1]
<- 250-SIZE 52428800
<- 250-PIPELINING
<- 250-STARTTLS
STARTTLS
EHLO localhost
<~ 250-localhost Hello localhost [127.0.0.1]
<~ 250-SIZE 52428800
<~ 250-PIPELINING
<~ 250-AUTH PLAIN LOGIN
QUIT
<~ 221 localhost closing connection
=== Connection closed with remote host.

15. Enable greylistd in exim4
sudo greylistd-setup-exim4 add
sudo update-exim4.conf
sudo /etc/init.d/exim4 restart

16. Enable SpamAssassin in exim4
sudo vi /etc/exim4/exim4.conf.template
a) Find spamd_address = 127.0.0.1 and uncomment that line
b) Find "Add headers to a message if it is judged to be spam." and uncomment the warn block below it
sudo update-exim4.conf
sudo /etc/init.d/exim4 restart

17. Configure the Courier certificate. Courier's default certificate carries fictitious subject information, so the Courier-POP certificate must be configured to match this server
sudo vi /etc/courier/pop3d.cnf

RANDFILE = /usr/lib/courier/pop3d.rand

[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
C=CN
ST=Zhejiang
L=Hangzhou
O=example.com
OU=http://www.example.com
CN=mail.example.com
emailAddress=webmaster@example.com

[ cert_type ]
nsCertType = server

18. Generate the certificate
sudo rm -rf /etc/courier/pop3d.pem
sudo rm -rf /usr/lib/courier/pop3d.pem
sudo mkpop3dcert
sudo mv /usr/lib/courier/pop3d.pem /etc/courier
cd /usr/lib/courier
sudo ln -s /etc/courier/pop3d.pem pop3d.pem

Generating a 1024 bit RSA private key
..++++++
...........................++++++
writing new private key to '/usr/lib/courier/pop3d.pem'
-----
1024 semi-random bytes loaded
Generating DH parameters, 512 bit long safe prime, generator 2
This is going to take a long time
subject= /C=CN/ST=Zhejiang/L=Hangzhou/O=example.com/OU=http://www.example.com/CN=mail.example.com/emailAddress=webmaster@example.com
notBefore=Sep 29 14:35:10 2011 GMT
notAfter=Sep 28 14:35:10 2012 GMT
SHA1 Fingerprint=38:A1:30:3A:3F:F3:5F:B6:25:BF:8C:9E:C9:BF:91:DB:FE:EA:13:5C

19. Configure Courier-POP
sudo vi /etc/courier/pop3d
Change POP3AUTH="" to POP3AUTH="LOGIN PLAIN"
Change POP3AUTH_TLS="" to POP3AUTH_TLS="LOGIN PLAIN"
20. Restart Courier-POP
sudo /etc/init.d/courier-pop restart
sudo /etc/init.d/courier-pop-ssl restart

21. Server DNS settings
a) Point the MX record of example.com at mail.example.com
b) Point mail.example.com at 1.2.3.4
22. Client settings
POP3
mail.example.com, SSL/TLS, normal password
SMTP
mail.example.com, STARTTLS, normal password
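The following is an added example, not code from the original post, that automates the check behind step 14: parse_swaks() reads a swaks transcript like the one shown there, evaluate() confirms that STARTTLS is offered and that AUTH is advertised only after it, and probe() collects the same two keyword sets from a live host (host name, port and cafile are the caller's choice).

```python
"""Added example, not code from the original post: check the policy steps
11-14 aim for, namely that exim4 offers STARTTLS on port 25 and advertises
AUTH only once TLS is up.  Works offline on a swaks transcript or live."""
import smtplib
import ssl

def parse_swaks(transcript):
    """Return (EHLO keywords before STARTTLS, keywords after STARTTLS).
    swaks prefixes clear-text server lines with '<-' and TLS ones with '<~'."""
    before, after = set(), set()
    for line in transcript.splitlines():
        line = line.strip()
        if line[:2] in ("<-", "<~") and line[3:6] == "250":
            keyword = line[7:].split()[0].upper()  # "<- 250-SIZE 52428800" -> "SIZE"
            (before if line[:2] == "<-" else after).add(keyword)
    return before, after

def evaluate(before, after):
    """Findings against the STARTTLS/AUTH policy; an empty list means it holds."""
    findings = []
    if "STARTTLS" not in before:
        findings.append("STARTTLS not advertised: MAIN_TLS_ENABLE is not in effect")
    if "AUTH" in before:
        findings.append("AUTH advertised before STARTTLS: a password could cross in clear")
    if after and "AUTH" not in after:
        findings.append("AUTH missing after STARTTLS: saslauthd authenticators still commented out")
    return findings

def probe(host, port=25, cafile=None):
    """Live check (needs network); cafile = exim.crt from step 10 while self-signed."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        before = {k.upper() for k in smtp.esmtp_features}
        after = set()
        if smtp.has_extn("starttls"):
            smtp.starttls(context=ssl.create_default_context(cafile=cafile))
            smtp.ehlo()
            after = {k.upper() for k in smtp.esmtp_features}
    return before, after

# Constructed transcript: the server lines of the swaks session in step 14.
SAMPLE = """\
<- 250-localhost Hello localhost [127.0.0.1]
<- 250-SIZE 52428800
<- 250-PIPELINING
<- 250-STARTTLS
STARTTLS
<~ 250-localhost Hello localhost [127.0.0.1]
<~ 250-SIZE 52428800
<~ 250-PIPELINING
<~ 250-AUTH PLAIN LOGIN
"""
```

Run evaluate(*parse_swaks(SAMPLE)) to check the transcript from step 14, or evaluate(*probe("mail.example.com", cafile="/etc/exim4/exim.crt")) against the running server.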
VPN server configuration
1. Configuration steps:
a) sudo apt-get install pptpd
b) sudo vi /etc/pptpd.conf
set localip and remoteip
c) sudo vi /etc/ppp/pptpd-options
enable ms-dns
d) sudo vi /etc/ppp/chap-secrets
add the user names and passwords
e) sudo vi /etc/sysctl.conf
enable net.ipv4.ip_forward=1
f) sudo sysctl -p
g) sudo /etc/init.d/pptpd restart
2. Client settings
Windows XP: Network Connections, New Connection, Connect to the network at my workplace, Virtual Private Network connection, name "example", do not dial an initial connection, host www.example.com
User names and passwords to be assigned
iptables setup
1. Write setIptables in /home/opuser/bin, as follows:

#!/bin/sh

# Flush the chains
sudo iptables -F INPUT
sudo iptables -F OUTPUT
sudo iptables -F FORWARD
# Flush the nat table as well, otherwise re-running the script duplicates the POSTROUTING rule
sudo iptables -t nat -F

# Default policies
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT

# Allow loopback traffic
sudo iptables -A INPUT -i lo -j ACCEPT

# Allow established and related connections
sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow DNS
sudo iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
sudo iptables -A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT

# Allow ping
sudo iptables -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT

# Allow telnet
#sudo iptables -A INPUT -p tcp -m tcp --dport 23 -j ACCEPT

# Allow ssh
sudo iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# Allow http
#sudo iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

# Allow mail
sudo iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT

# Enable VPN: PPTP control channel on TCP 1723 plus GRE
sudo iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
# GRE is IP protocol 47, not TCP port 47; the -p gre rule below is the one PPTP needs
#sudo iptables -A INPUT -p tcp --dport 47 -j ACCEPT
sudo iptables -A INPUT -p gre -j ACCEPT
# for dynamic IP (ADSL etc.)
#sudo iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o eth0 -j MASQUERADE
# for static IP
sudo iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o eth0 -j SNAT --to 1.2.3.4
sudo iptables -A FORWARD -p tcp --syn -s 192.168.100.0/24 -j TCPMSS --set-mss 1356

# Save
sudo iptables-save > /tmp/iptables-settings
sudo mv /tmp/iptables-settings /etc/iptables-settings
# Apply
sudo iptables-restore < /etc/iptables-settings
2. Load the iptables rules automatically at boot
sudo vi /etc/network/if-pre-up.d/iptables
sudo chmod +x /etc/network/if-pre-up.d/iptables

Contents of the iptables script:

#!/bin/sh
/sbin/iptables-restore < /etc/iptables-settings

3. Test
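As a test of the rule set, here is an added example (not the post's own code): it parses the "iptables -A" lines of setIptables and reports the INPUT ports the script accepts for which no step on this page installs a listener. The PROVISIONED table is my assumption of what this page sets up; in the constructed excerpt below that flags 53, 143 and 465.

```python
"""Added example, not code from the original post: audit the INPUT rules of
setIptables against the listeners the steps on this page actually install.
parse_rules() reads 'iptables -A' command lines as they appear in the script;
audit() returns the accepted ports no provisioned service listens on."""
import shlex

# Listeners provisioned by this page's steps (assumption: nothing else runs).
# PPTP's GRE is an IP protocol, not a port, so it is not listed here.
PROVISIONED = {
    ("tcp", 22): "sshd",
    ("tcp", 25): "exim4 (SMTP with STARTTLS)",
    ("tcp", 110): "courier-pop",
    ("tcp", 995): "courier-pop-ssl",
    ("tcp", 1723): "pptpd",
}

def _opt(argv, name):
    return argv[argv.index(name) + 1] if name in argv else None

def parse_rules(script):
    """(chain, proto, dport, target) for each uncommented 'iptables -A' line."""
    rules = []
    for line in script.splitlines():
        argv = shlex.split(line, comments=True)  # drops '#...' and blank lines
        if "iptables" in argv[:2] and "-A" in argv:
            dport = _opt(argv, "--dport")
            rules.append((_opt(argv, "-A"), _opt(argv, "-p"),
                          int(dport) if dport else None, _opt(argv, "-j")))
    return rules

def audit(rules):
    """(proto, port) pairs accepted on INPUT that no provisioned service uses."""
    return {(proto, port) for chain, proto, port, target in rules
            if chain == "INPUT" and target == "ACCEPT" and port is not None
            and (proto, port) not in PROVISIONED}

# Constructed excerpt of the setIptables script above.
SCRIPT = """
sudo iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
#sudo iptables -A INPUT -p tcp -m tcp --dport 23 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
sudo iptables -A INPUT -p gre -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o eth0 -j SNAT --to 1.2.3.4
"""
```

To audit the real script, pass the contents of /home/opuser/bin/setIptables to parse_rules() instead of SCRIPT.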
