Page l3:serveri:mail_server_zimbra, revision 2022/07/11 10:51 by milano (previous revision 2022/05/26 18:44 by milano)
===== Let's Encrypt certificate =====

- MOC, within the script ''/home/milano/lets_encrypt/lets_gf.sh'', copies the certificates from ''/etc/letsencrypt/archive/melany.rs-0002/'' to ''/home/ftp/virtual/ftp/temp/web/zimbraCert''
- CRON on Zimbra picks up the files and moves them to ''/home/zimbra/cert'', first deleting the existing contents
- It then combines the chain ''chain.pem'' with the X1 root certificate using the command (in exactly this order): ''cat isrgrootx1.pem.txt chain.pem > zmchain.pem''
- The files are transferred to the ''letsencrypt'' folder with the command: ''cp ./* /opt/zimbra/ssl/letsencrypt/''
- The private key is copied to ''commercial.key'': ''cp -f privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key''
- And finally the new certificate is deployed: ''zmcertmgr deploycrt comm /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/zmchain.pem''
- Server restart: ''zmcontrol restart''

All of this is automated and runs as a ''cron'' job on the Zimbra server:
<code>
#
# Milano, 28.05.2022.
# I pick up the files after MOC has finished the Certbot check, which it runs every Saturday at 5:30.
#
40 5 * * 6 /home/zimbra/assets/lets_zm.sh
</code>

==== Prerequisites for the ''lets_zm.sh'' script to work ====

- On Zimbra, an ''nfs-mount: /home/zimbra/cert/'' has been created that links it to the ''moc: /etc/letsencrypt'' folder.
- MOC exports the ''nfs'' folder ''/etc/letsencrypt'' only to the Zimbra server, and only in ''ro'' mode. \\ **The folder contains the private key and it is very important that it stays protected!!!**
- On Zimbra, the folder ''/home/zimbra/assets'' contains the ''isrgrootx1.pem.txt'' file, which holds the **pem** block of the ISRG Root X1 certificate that is combined with the Let's Encrypt chain.
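The following is an added example, not the page's own ''lets_zm.sh'': it carries out steps 3 to 7 above with the checks worth having before the live certificate is touched (both input files are real PEM, the root really ends up first in ''zmchain.pem'', the key is installed with mode 0600). It assumes the NFS mount ''/home/zimbra/cert'' holds ''cert.pem'', ''chain.pem'' and ''privkey.pem'', that ''isrgrootx1.pem.txt'' sits in ''/home/zimbra/assets'', and that the Zimbra tools live in ''/opt/zimbra/bin''; ''ZM_DRY_RUN=1'' skips the ''zmcertmgr''/''zmcontrol'' calls.

```shell
#!/bin/sh
# Added example (not the page's lets_zm.sh). Paths below are assumptions that
# follow the page; override them through the environment if they differ.
set -eu
CERT_SRC="${CERT_SRC:-/home/zimbra/cert}"          # ro NFS mount of moc:/etc/letsencrypt
ASSETS="${ASSETS:-/home/zimbra/assets}"            # holds isrgrootx1.pem.txt
LE_DIR="${LE_DIR:-/opt/zimbra/ssl/letsencrypt}"
KEY_DST="${KEY_DST:-/opt/zimbra/ssl/zimbra/commercial/commercial.key}"

# count_pem FILE -> number of certificate blocks in FILE (empty output if missing)
count_pem() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true; }

# build_zmchain ROOT CHAIN OUT: root first, then chain.pem, the order zmcertmgr needs
build_zmchain() {
    n=$(count_pem "$1")
    [ "${n:-0}" -eq 1 ] || { echo "$1 must hold exactly one certificate block" >&2; return 1; }
    n=$(count_pem "$2")
    [ "${n:-0}" -ge 1 ] || { echo "$2 holds no certificate block" >&2; return 1; }
    cat "$1" "$2" > "$3"
    # the first block of the result must be the root certificate itself
    [ "$(sed -n '1,/^-----END/p' "$3")" = "$(cat "$1")" ]
}

# deploy: stages the files, installs the key with mode 0600, registers the certificate
deploy() {
    for f in cert.pem chain.pem privkey.pem; do
        [ -s "$CERT_SRC/$f" ] || { echo "missing or empty: $CERT_SRC/$f" >&2; return 1; }
    done
    mkdir -p "$LE_DIR"
    build_zmchain "$ASSETS/isrgrootx1.pem.txt" "$CERT_SRC/chain.pem" "$LE_DIR/zmchain.pem" || return 1
    cp -f "$CERT_SRC/cert.pem" "$CERT_SRC/chain.pem" "$LE_DIR/"
    install -m 0600 "$CERT_SRC/privkey.pem" "$KEY_DST"   # the key must never be world-readable
    [ "${ZM_DRY_RUN:-0}" = 1 ] && return 0
    /opt/zimbra/bin/zmcertmgr deploycrt comm "$LE_DIR/cert.pem" "$LE_DIR/zmchain.pem" || return 1
    /opt/zimbra/bin/zmcontrol restart
}

case "${1:-}" in run) deploy ;; esac
```

Run it as the zimbra user with ''run'' as the only argument; with ''ZM_DRY_RUN=1'' it stops after staging the files, which is a cheap way to test a new mount or a changed path.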

===== Fail2Ban protection =====

The ''office@melany.rs'' account, and also ''milan@melany.rs'', keeps getting locked because of break-in attempts by "brute-force password guessing".
To prevent //brute-force// attacks, the ''fail2ban'' service was installed.

The installation followed the instructions on [[https://imanudin.net/2020/07/05/how-to-install-and-configure-fail2ban-for-zimbra|this page]].
Since the page might "disappear", here is a transcript:

**Install pip**

<code>yum install python3-pip</code>

**Install dependencies required by Fail2Ban**

<code>
pip3 install pyinotify
pip3 install dnspython
</code>

**Download and extract Fail2Ban**

<code>
cd /tmp/
wget -c https://github.com/fail2ban/fail2ban/archive/0.9.4.tar.gz
</code>

**Install Fail2Ban**

<code>
tar -xvf 0.9.4.tar.gz
cd fail2ban-0.9.4
python3 setup.py install
</code>

**Copy Fail2Ban service to systemd**

<code>cp files/fail2ban.service /usr/lib/systemd/system/</code>

**Adjust bin location on Fail2Ban service**

<code>nano /usr/lib/systemd/system/fail2ban.service</code>

Adjust the following lines. Change ''/usr/bin'' to ''/usr/local/bin''

<code>
ExecStart=/usr/local/bin/fail2ban-client -x start
ExecStop=/usr/local/bin/fail2ban-client stop
ExecReload=/usr/local/bin/fail2ban-client reload
</code>

Create fail2ban folder

<code>
mkdir /var/run/fail2ban
nano /usr/lib/tmpfiles.d/var.conf
</code>

Add this line at the bottom

<code>d /var/run/fail2ban 0755 - - -</code>

Reload systemd

<code>systemctl daemon-reload</code>

**Create zimbra.jail**

<code>nano /etc/fail2ban/jail.d/zimbra.local</code>

Fill with the following lines and save

<code>
[zimbra-submission]
enabled = true
filter = zimbra-submission
logpath = /var/log/zimbra.log
maxretry = 3
findtime = 3600
bantime = 36000
action = iptables-multiport[name=zimbra-submission, port="25,465,587", protocol=tcp]

[zimbra-webmail]
enabled = true
filter = zimbra-webmail
logpath = /opt/zimbra/log/mailbox.log
maxretry = 3
findtime = 3600
bantime = 36000
action = iptables-multiport[name=zimbra-webmail, port="80,443", protocol=tcp]

[zimbra-admin]
enabled = true
filter = zimbra-admin
logpath = /opt/zimbra/log/mailbox.log
maxretry = 3
findtime = 3600
bantime = 36000
action = iptables-multiport[name=zimbra-admin, port="7071", protocol=tcp]
</code>

**Create filters**
– Zimbra Admin

<code>curl -k https://raw.githubusercontent.com/imanudin11/zimbra-fail2ban/master/zimbra-admin.conf > /etc/fail2ban/filter.d/zimbra-admin.conf</code>

– Zimbra Webmail

<code>curl -k https://raw.githubusercontent.com/imanudin11/zimbra-fail2ban/master/zimbra-webmail.conf > /etc/fail2ban/filter.d/zimbra-webmail.conf</code>

– Zimbra SMTP/SMTPS/Submission

<code>curl -k https://raw.githubusercontent.com/imanudin11/zimbra-fail2ban/master/zimbra-submission.conf > /etc/fail2ban/filter.d/zimbra-submission.conf</code>

**Ignore localhost and Zimbra IP**

Open the file /etc/fail2ban/jail.conf. Find the line **"ignoreip ="** and add the IP addresses that Fail2Ban should skip when checking. You can use a comma or a space to add multiple IPs

<code>ignoreip = 127.0.0.1/8 IP-ADDRESS-OF-ZIMBRA/32 OTHER-IP-ADDRESS/32</code>

**Enable and restart Fail2Ban**

<code>
systemctl enable fail2ban
systemctl restart fail2ban
</code>
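A pre-restart sanity check for the jail file above, added here as an example (it is not from this page or from imanudin.net): every enabled jail must name a filter that exists in ''filter.d'' and a ''logpath'' that is readable, otherwise Fail2Ban refuses to start that jail and the account-locking attempts go unbanned. The file and directory paths are passed as arguments; the defaults in the last line are assumptions matching the transcript.

```shell
#!/bin/sh
# Added example, not part of the page or of the referenced guide.

# list_jails JAIL_FILE -> one line per section: "name enabled filter logpath"
list_jails() {
    awk -F'[ \t]*=[ \t]*' '
        function flush() { if (name != "") print name, en, flt, lp; name = en = flt = lp = "" }
        /^\[/ { flush(); name = substr($0, 2, length($0) - 2); next }
        $1 == "enabled" { en = $2 }
        $1 == "filter"  { flt = $2 }
        $1 == "logpath" { lp = $2 }
        END { flush() }
    ' "$1"
}

# check_jails JAIL_FILE FILTER_DIR: reports every problem on stderr; exit 0 only if clean
check_jails() {
    problems=$(list_jails "$1" | while read -r name en flt lp; do
        [ "$en" = "true" ] || continue            # disabled jails are not checked
        [ -f "$2/$flt.conf" ] || echo "$name: filter $2/$flt.conf is missing"
        [ -r "$lp" ] || echo "$name: logpath $lp is not readable"
    done)
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems" >&2
    return 1
}

case "${1:-}" in check) check_jails /etc/fail2ban/jail.d/zimbra.local /etc/fail2ban/filter.d ;; esac
```

Run it with ''check'' as the only argument before ''systemctl restart fail2ban''; a non-zero exit means at least one jail would fail to load.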