====== Zimbra mail server ======
- [[:kb:uputstva:sistemska:zimbra:reindeksiranje_korumpiranog_naloga|Reindexing a corrupted account]]
The mail server for the mail.melany.rs domain is installed and configured to run behind the hardware router at the melany.rs address. Such a setup requires the so-called "[[https://wiki.zimbra.com/wiki/Split_DNS|Split DNS]]" (also **split-horizon** or **dual-horizon** DNS) approach, which in essence consists of the following:
- The Postfix service that Zimbra relies on for receiving/sending mail **always** resolves the DNS MX and DNS A records of the registered address.
- Since the server sits on a local IP address (192.168.0.250) behind the firewall, it cannot successfully resolve the public IP of mail.melany.rs, so it needs an internal DNS to "fool" it into thinking everything is fine.
- The internal DNS can be provided by the BIND or dnsmasq daemon.
===== DNSMASQ =====
Because of its simpler configuration and the "lighter" nature of the dnsmasq daemon (BIND is a large, full DNS server, oversized for this purpose), I chose dnsmasq. The installation and setup procedure is described [[:kb:linux:dnsmasq_instalacija|here]].
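As an added check (this script is not part of the original page or of the dnsmasq setup it links to), the following verifies from the Zimbra host that the split-horizon view is actually in effect: the MX host of the domain, resolved through the local resolver, must come back as the private LAN address rather than the public one. It assumes ''dig'' (bind-utils) is installed; the domain, the address 192.168.0.250 and the resolver on 127.0.0.1 are taken from the text above, the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: confirm that Postfix on this host
# will see the MX of melany.rs as the private address (split-horizon DNS check).
# Assumes `dig` is installed and dnsmasq answers on 127.0.0.1.
set -eu

# Return 0 if the IPv4 address is in one of the RFC 1918 private ranges.
is_rfc1918() {
    case "$1" in
        10.*)                                   return 0 ;;
        192.168.*)                              return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)  return 0 ;;
        *)                                      return 1 ;;
    esac
}

# Resolve the MX host of $1 through resolver $3 and compare its A record with $2.
# Prints a one-line verdict; returns 0 on match, 1 on mismatch or missing MX.
check_split_dns() {
    domain=$1; expected=$2; resolver=${3:-127.0.0.1}
    # dig +short prints "<preference> <host>." per MX record; take the lowest preference
    mxhost=$(dig +short MX "$domain" "@$resolver" | sort -n | awk 'NR==1{sub(/\.$/,"",$2); print $2}')
    [ -n "$mxhost" ] || { echo "no MX for $domain via $resolver"; return 1; }
    addr=$(dig +short A "$mxhost" "@$resolver" | head -n 1)
    if [ "$addr" = "$expected" ] && is_rfc1918 "$addr"; then
        echo "OK: $mxhost -> $addr (private address, split view active)"
        return 0
    fi
    echo "MISMATCH: $mxhost -> '$addr', expected $expected (Postfix would use the public path)"
    return 1
}

# Run only when invoked explicitly, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    check_split_dns melany.rs 192.168.0.250 "${2:-127.0.0.1}"
fi
```

Run it as ''sh split_dns_check.sh --run'' on the Zimbra host after any change to dnsmasq; a MISMATCH means Postfix will try to reach the public address through the router and mail delivery to the local domain will fail.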
===== Let's Encrypt certificate =====
- MOC, within the script ''/home/milano/lets_encrypt/lets_gf.sh'', transfers the certificates from ''/etc/letsencrypt/archive/melany.rs-0002/'' to ''/home/ftp/virtual/ftp/temp/web/zimbraCert''
- A CRON job on the Zimbra server collects the files and transfers them to ''/home/zimbra/cert'', deleting the existing contents first
- It then combines the ''chain.pem'' chain with the X1 root certificate using the command (in exactly this order): ''cat isrgrootx1.pem.txt chain.pem > zmchain.pem''
- The files are transferred to the ''letsencrypt'' folder with the command: ''cp ./* /opt/zimbra/ssl/letsencrypt/''
- The private key is copied to ''commercial.key'': ''cp -f privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key''
- Finally, the new certificate is deployed: ''zmcertmgr deploycrt comm /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/zmchain.pem''
- Server restart: ''zmcontrol restart''
All of this is automated and runs as a ''cron'' job on the Zimbra server:
<code>
#
# Milano, 28.05.2022.
# I fetch the files after MOC has run the Certbot check, which it does every Saturday at 5:30.
#
40 5 * * 6 /home/zimbra/assets/lets_zm.sh
</code>
==== Prerequisites for the ''lets_zm.sh'' script ====
- On the Zimbra server an NFS mount was created, ''nfs-mount: /home/zimbra/cert/'', which connects it to the ''moc: /etc/letsencrypt'' folder.
- MOC exports the ''nfs'' folder ''/etc/letsencrypt'' only to the Zimbra server, and in ''ro'' mode. \\ **The folder contains the private key and it is very important that it stays protected!!!**
- On the Zimbra server, the folder ''/home/zimbra/assets'' holds the ''isrgrootx1.pem.txt'' file, which contains the **pem** block of the ISRG Root X1 certificate that is combined with the Let's Encrypt one.
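The steps, the cron entry and the prerequisites above describe what ''lets_zm.sh'' does, but the script itself is not on this page. What follows is an added reconstruction written for this page, not the site's actual script: the paths are the ones given above, while ''SRC_DIR'' (certbot's ''live/'' directory on the NFS mount), ''STAGE_DIR'' (a local scratch copy), the function names and the key/certificate match check before deployment are this example's own assumptions. It is assumed to run as the zimbra user, which owns ''/opt/zimbra''.

```shell
#!/bin/sh
# Added example: a reconstruction of the weekly certificate rollover described on
# the page. NOT the site's actual lets_zm.sh. Paths come from the text; SRC_DIR,
# STAGE_DIR, the function names and the pre-deploy check are assumptions.
set -eu

NFS_CERT_DIR="${NFS_CERT_DIR:-/home/zimbra/cert}"        # ro NFS mount of moc:/etc/letsencrypt
SRC_DIR="${SRC_DIR:-$NFS_CERT_DIR/live/melany.rs-0002}"   # assumed: certbot's live/ symlinks
STAGE_DIR="${STAGE_DIR:-/home/zimbra/cert_stage}"        # assumed: local scratch copy
ASSETS_DIR="${ASSETS_DIR:-/home/zimbra/assets}"          # holds isrgrootx1.pem.txt
ZM_LE_DIR="${ZM_LE_DIR:-/opt/zimbra/ssl/letsencrypt}"
ZM_KEY="${ZM_KEY:-/opt/zimbra/ssl/zimbra/commercial/commercial.key}"
ZIMBRA_BIN="${ZIMBRA_BIN:-/opt/zimbra/bin}"

# Copy cert.pem, chain.pem and privkey.pem from $1 into a fresh $2 (old contents removed).
# -L dereferences certbot's symlinks; -p keeps the restrictive mode of the private key.
stage_certs() {
    src=$1; dst=$2
    rm -rf "$dst"
    mkdir -p "$dst"
    chmod 700 "$dst"
    for f in cert.pem chain.pem privkey.pem; do
        cp -Lp "$src/$f" "$dst/$f"
    done
}

# zmchain.pem = ISRG Root X1 followed by chain.pem, in exactly that order (as the page states).
build_chain() {
    chain=$1; root=$2; out=$3
    cat "$root" "$chain" > "$out"
}

# Refuse to deploy if the staged private key does not belong to the staged certificate.
key_matches_cert() {
    cert=$1; key=$2
    c=$(openssl x509 -noout -pubkey -in "$cert")
    k=$(openssl pkey -in "$key" -pubout)
    [ "$c" = "$k" ]
}

deploy() {
    stage_certs "$SRC_DIR" "$STAGE_DIR"
    build_chain "$STAGE_DIR/chain.pem" "$ASSETS_DIR/isrgrootx1.pem.txt" "$STAGE_DIR/zmchain.pem"
    key_matches_cert "$STAGE_DIR/cert.pem" "$STAGE_DIR/privkey.pem" || {
        echo "lets_zm: staged key and certificate do not match, not deploying" >&2
        return 1
    }
    mkdir -p "$ZM_LE_DIR"
    cp -f "$STAGE_DIR"/*.pem "$ZM_LE_DIR"/
    cp -f "$STAGE_DIR/privkey.pem" "$ZM_KEY"
    "$ZIMBRA_BIN/zmcertmgr" deploycrt comm "$ZM_LE_DIR/cert.pem" "$ZM_LE_DIR/zmchain.pem"
    "$ZIMBRA_BIN/zmcontrol" restart
}

# Only deploy when invoked explicitly (cron line: lets_zm.sh --run).
if [ "${1:-}" = "--run" ]; then
    deploy
fi
```

The match check matters because the NFS export is read-only and the files on MOC are replaced by certbot: if the cron job ever runs while MOC has renewed only part of the set, the old key would otherwise be deployed with the new certificate and Zimbra would stop serving TLS after the restart. The user the job runs as must be able to read ''privkey.pem'' on the export.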
===== Fail2Ban protection =====
The ''office@melany.rs'' and also ''milan@melany.rs'' accounts were frequently being locked out because of "brute-force password guessing" attempts.
To prevent //brute-force// attacks, the ''fail2ban'' service was installed.
The installation followed the guide on [[https://imanudin.net/2020/07/05/how-to-install-and-configure-fail2ban-for-zimbra|this page]].
Since the page may "disappear", here is a transcript:
**1. Install pip**
<code bash>
yum install python3-pip
</code>
**2. Install dependencies required by Fail2Ban**
<code bash>
pip3 install pyinotify
pip3 install dnspython
</code>
**3. Download and extract Fail2Ban**
<code bash>
cd /tmp/
wget -c https://github.com/fail2ban/fail2ban/archive/0.9.4.tar.gz
</code>
**4. Install Fail2Ban**
<code bash>
tar -xvf 0.9.4.tar.gz
cd fail2ban-0.9.4
python3 setup.py install
</code>
**5. Copy Fail2Ban service to systemd**
<code bash>
cp files/fail2ban.service /usr/lib/systemd/system/
</code>
**6. Adjust bin location on Fail2Ban service**
<code bash>
nano /usr/lib/systemd/system/fail2ban.service
</code>
Adjust the following lines: change ''/usr/bin'' to ''/usr/local/bin''.
<code>
ExecStart=/usr/local/bin/fail2ban-client -x start
ExecStop=/usr/local/bin/fail2ban-client stop
ExecReload=/usr/local/bin/fail2ban-client reload
</code>
Create the fail2ban folder:
<code bash>
mkdir /var/run/fail2ban
nano /usr/lib/tmpfiles.d/var.conf
</code>
Add this line at the bottom:
<code>
d /var/run/fail2ban 0755 - - -
</code>
Reload systemd:
<code bash>
systemctl daemon-reload
</code>
**7. Create zimbra.jail**
<code bash>
nano /etc/fail2ban/jail.d/zimbra.local
</code>
Fill with the following lines and save:
<code ini>
[zimbra-submission]
enabled = true
filter = zimbra-submission
logpath = /var/log/zimbra.log
maxretry = 3
findtime = 3600
bantime = 36000
action = iptables-multiport[name=zimbra-submission, port="25,465,587", protocol=tcp]

[zimbra-webmail]
enabled = true
filter = zimbra-webmail
logpath = /opt/zimbra/log/mailbox.log
maxretry = 3
findtime = 3600
bantime = 36000
action = iptables-multiport[name=zimbra-webmail, port="80,443", protocol=tcp]

[zimbra-admin]
enabled = true
filter = zimbra-admin
logpath = /opt/zimbra/log/mailbox.log
maxretry = 3
findtime = 3600
bantime = 36000
action = iptables-multiport[name=zimbra-admin, port="7071", protocol=tcp]
</code>
**8. Create filters**
- Zimbra Admin
<code bash>
curl -k https://raw.githubusercontent.com/imanudin11/zimbra-fail2ban/master/zimbra-admin.conf > /etc/fail2ban/filter.d/zimbra-admin.conf
</code>
- Zimbra Webmail
<code bash>
curl -k https://raw.githubusercontent.com/imanudin11/zimbra-fail2ban/master/zimbra-webmail.conf > /etc/fail2ban/filter.d/zimbra-webmail.conf
</code>
- Zimbra SMTP/SMTPS/Submission
<code bash>
curl -k https://raw.githubusercontent.com/imanudin11/zimbra-fail2ban/master/zimbra-submission.conf > /etc/fail2ban/filter.d/zimbra-submission.conf
</code>
**9. Ignore localhost and Zimbra IP**
Open the file ''/etc/fail2ban/jail.conf''. Find the line **“ignoreip =”** and add the IP addresses that should be ignored by Fail2Ban checking. You can use a comma or a space to add multiple IPs.
<code>
ignoreip = 127.0.0.1/8 IP-ADDRESS-OF-ZIMBRA/32 OTHER-IP-ADDRESS/32
</code>
**10. Enable and restart Fail2Ban**
<code bash>
systemctl enable fail2ban
systemctl restart fail2ban
</code>
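Before enabling the jails it is worth seeing which source addresses the ''maxretry = 3'' threshold would catch in the existing logs, in particular that the LAN addresses meant for ''ignoreip'' are not among them. The script below is an added example, not from this page or the linked guide: it counts failed-login lines per source IP the way the jails do (one counter for the Postfix/SASL failures that land in ''/var/log/zimbra.log'', one for the webmail/admin ''authentication failed'' lines in ''mailbox.log''). It does not model the ''findtime'' window, and ''ignoreip'' entries are matched as exact addresses only, not CIDR ranges. The sample log lines are constructed for this example; the Postfix line uses the standard "SASL LOGIN authentication failed" form and the mailbox lines are modelled on Zimbra's AuthRequest failure entries, with addresses from the documentation ranges.

```shell
#!/bin/sh
# Added example, not from the original page: dry-run of the jail thresholds
# (maxretry = 3) over log lines, listing the IPs fail2ban would ban.
# findtime is not modelled; ignoreip is matched exactly, not as CIDR.
set -eu

# Print every IP with at least $2 failed-auth lines in log file $1,
# skipping addresses listed (space-separated) in $3. Output is sorted.
ban_candidates() {
    log=$1; maxretry=$2; ignore=${3:-}
    awk -v n="$maxretry" -v ign=" $ignore " '
        # Postfix/SASL failure (zimbra.log): "... unknown[203.0.113.5]: SASL LOGIN authentication failed: ..."
        /SASL [A-Z]+ authentication failed/ && match($0, /\[[0-9.]+\]: SASL/) {
            ip = substr($0, RSTART + 1, RLENGTH); sub(/\].*/, "", ip); hits[ip]++
        }
        # Webmail/admin failure (mailbox.log): "... oip=203.0.113.5; ... authentication failed for [user]"
        /authentication failed for/ && match($0, /oip=[0-9.]+/) {
            ip = substr($0, RSTART + 4, RLENGTH - 4); hits[ip]++
        }
        END {
            for (ip in hits)
                if (hits[ip] >= n && index(ign, " " ip " ") == 0) print ip
        }' "$log" | sort
}

# Constructed sample entries (not real traffic): two external guessers and one
# LAN client mistyping a password, written to the path given as $1.
write_sample_log() {
    cat > "$1" <<'EOF'
May 28 05:41:02 zimbra postfix/smtpd[2231]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
May 28 05:41:05 zimbra postfix/smtpd[2231]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
May 28 05:41:09 zimbra postfix/smtpd[2231]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
2022-05-28 05:42:11,004 INFO  [qtp-77:https://mail.melany.rs/service/soap/AuthRequest] [oip=198.51.100.7;ua=zclient/8.8.15;] SoapEngine - handler exception: authentication failed for [office@melany.rs], invalid password
2022-05-28 05:42:13,120 INFO  [qtp-78:https://mail.melany.rs/service/soap/AuthRequest] [oip=198.51.100.7;ua=zclient/8.8.15;] SoapEngine - handler exception: authentication failed for [office@melany.rs], invalid password
2022-05-28 05:42:15,330 INFO  [qtp-79:https://mail.melany.rs/service/soap/AuthRequest] [oip=198.51.100.7;ua=zclient/8.8.15;] SoapEngine - handler exception: authentication failed for [office@melany.rs], invalid password
2022-05-28 05:43:00,551 INFO  [qtp-80:https://mail.melany.rs/service/soap/AuthRequest] [oip=192.168.0.10;ua=zclient/8.8.15;] SoapEngine - handler exception: authentication failed for [milan@melany.rs], invalid password
2022-05-28 05:43:04,102 INFO  [qtp-81:https://mail.melany.rs/service/soap/AuthRequest] [oip=192.168.0.10;ua=zclient/8.8.15;] SoapEngine - handler exception: authentication failed for [milan@melany.rs], invalid password
2022-05-28 05:43:09,877 INFO  [qtp-82:https://mail.melany.rs/service/soap/AuthRequest] [oip=192.168.0.10;ua=zclient/8.8.15;] SoapEngine - handler exception: authentication failed for [milan@melany.rs], invalid password
EOF
}

# Against the real logs: sh ban_dryrun.sh --run "127.0.0.1 192.168.0.10"
if [ "${1:-}" = "--run" ]; then
    ban_candidates /var/log/zimbra.log 3 "${2:-}"
    ban_candidates /opt/zimbra/log/mailbox.log 3 "${2:-}"
fi
```

With the sample data and ''192.168.0.10'' in the ignore list, only ''198.51.100.7'' and ''203.0.113.5'' are reported; without the ignore list the LAN client shows up too, which is exactly the case step 9 exists for. Because the real jails also apply ''findtime'', the dry run over-reports slightly: it counts failures across the whole file rather than within an hour.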