The mail server for the mail.melany.rs domain is installed and configured to run behind a hardware router at the melany.rs address. Such a setup requires a so-called "Split DNS" (also split-horizon or dual-horizon DNS) approach, which in essence consists of the following:
For simplicity of configuration, but also because of the "lighter" nature of the dnsmasq daemon (BIND is a large, complete DNS server and too heavyweight for this need), I chose dnsmasq. The installation and configuration procedure is described here.
- /home/milano/lets_encrypt/lets_gf.sh copies the certificates from /etc/letsencrypt/archive/melany.rs-0002/ to /home/ftp/virtual/ftp/temp/web/zimbraCert
- /home/zimbra/cert, first deleting the existing contents
- chain.pem is combined with the ISRG Root X1 certificate with the command (in exactly this order):
  cat isrgrootx1.pem.txt chain.pem > zmchain.pem
- the files are copied to the /letsencript folder with the command:
  cp ./* /opt/zimbra/ssl/letsencrypt/
- the private key becomes /commercial.key:
  cp -f privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
- the certificate is deployed:
  zmcertmgr deploycrt comm /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/zmchain.pem
- zmcontrol restart
All of this is automated and runs as a cron job on the Zimbra server:
#
# Milano, 28.05.2022.
# Fetch the files after MOC has run the Certbot check, which it does every Saturday at 5:30.
#
40 5 * * 6 /home/zimbra/assets/lets_zm.sh
nfs-mount: /home/zimbra/cert/, which connects it to the moc:/etc/letsencrypt folder. The /etc/letsencrypt folder is exported over NFS only to the Zimbra server, and only in ro (read-only) mode.
/home/zimbra/assets contains the file isrgrootx1.pem.txt, which holds the PEM block of the ISRG Root X1 certificate that is combined with Let's Encrypt's chain.
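The Zimbra-side procedure above, written out as one script with the checks a practitioner would want before zmcertmgr and zmcontrol are touched. This is an added example, not the page's lets_zm.sh. The page gives the mount point, the work directory, the key destination and the root-first chain order; the live/melany.rs-0002 subdirectory under the mount, the use of certbot's cert.pem/chain.pem/privkey.pem file names, and running zmcertmgr as the zimbra user (Zimbra 8.7 and later) are assumptions.

```shell
#!/bin/sh
# Added example, not the page's lets_zm.sh: the Zimbra-side steps with
# pre-checks that stop the run before Zimbra is modified if anything is off.
# ASSUMED (not on the page): the current files are under live/melany.rs-0002
# below the read-only NFS mount, and zmcertmgr/zmcontrol run as user zimbra.
ROOT_PEM="/home/zimbra/assets/isrgrootx1.pem.txt"
MOUNT="/home/zimbra/cert"
SRC_DIR="${CERT_SRC:-$MOUNT/live/melany.rs-0002}"
WORK_DIR="/opt/zimbra/ssl/letsencrypt"
KEY_DST="/opt/zimbra/ssl/zimbra/commercial/commercial.key"

# Number of PEM certificate blocks in a file; 0 for an empty or missing file.
count_certs() {
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# Build zmchain.pem: ISRG Root X1 first, Let's Encrypt's chain.pem after it
# (the order the page uses). Refuses empty inputs and checks that no block
# was lost on the way.
build_chain() {
    root="$1"; chain="$2"; out="$3"
    [ "$(count_certs "$root")" -ge 1 ] || { echo "no certificate in $root" >&2; return 1; }
    [ "$(count_certs "$chain")" -ge 1 ] || { echo "no certificate in $chain" >&2; return 1; }
    cat "$root" "$chain" > "$out" || return 1
    want=$(( $(count_certs "$root") + $(count_certs "$chain") ))
    [ "$(count_certs "$out")" -eq "$want" ] || { echo "$out is incomplete" >&2; return 1; }
}

# True when the private key and the leaf certificate carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -pubout -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -pubkey -in "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

deploy() {
    mountpoint -q "$MOUNT" || { echo "$MOUNT is not mounted" >&2; return 1; }
    [ -d "$SRC_DIR" ] || { echo "$SRC_DIR not found" >&2; return 1; }
    mkdir -p "$WORK_DIR"
    rm -f "$WORK_DIR"/*.pem                        # page: clear the old contents first
    # -L follows certbot's live/ symlinks so real files land in WORK_DIR
    cp -L "$SRC_DIR/cert.pem" "$SRC_DIR/chain.pem" "$SRC_DIR/privkey.pem" "$WORK_DIR"/ || return 1
    build_chain "$ROOT_PEM" "$WORK_DIR/chain.pem" "$WORK_DIR/zmchain.pem" || return 1
    key_matches_cert "$WORK_DIR/privkey.pem" "$WORK_DIR/cert.pem" \
        || { echo "privkey.pem does not belong to cert.pem" >&2; return 1; }
    cp -f "$WORK_DIR/privkey.pem" "$KEY_DST" || return 1
    chown zimbra:zimbra "$KEY_DST" "$WORK_DIR"/*.pem
    chmod 600 "$KEY_DST"
    # verifycrt checks key, leaf and chain together; only then deploy and restart
    su - zimbra -c "zmcertmgr verifycrt comm $KEY_DST $WORK_DIR/cert.pem $WORK_DIR/zmchain.pem" || return 1
    su - zimbra -c "zmcertmgr deploycrt comm $WORK_DIR/cert.pem $WORK_DIR/zmchain.pem" || return 1
    su - zimbra -c "zmcontrol restart"
}

# Run the deployment only when asked for explicitly, e.g. "lets_zm.sh deploy" from cron.
if [ "${1:-}" = "deploy" ]; then
    deploy
fi
```

The point of the checks is that a half-copied NFS share, a missing root file or a key that does not match the renewed certificate fails the run with a message in the cron mail instead of leaving Zimbra restarted on a broken certificate.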
The office@melany.rs and milan@melany.rs accounts are frequently locked out because of password brute-forcing attempts.
To stop brute-force attacks, the fail2ban service was installed.
The instructions from this page were followed for the installation. Since the page might "disappear", here is a transcript:
1. Install pip
yum install python3-pip
2. Install dependencies required by Fail2Ban
pip3 install pyinotify
pip3 install dnspython
3. Download and extract Fail2Ban
cd /tmp/
wget -c https://github.com/fail2ban/fail2ban/archive/0.9.4.tar.gz
4. Install Fail2Ban
tar -xvf 0.9.4.tar.gz
cd fail2ban-0.9.4
python3 setup.py install
5. Copy Fail2Ban service to systemd
cp files/fail2ban.service /usr/lib/systemd/system/
6. Adjust bin location on Fail2Ban service
nano /usr/lib/systemd/system/fail2ban.service
Adjust the following lines, changing /usr/bin to /usr/local/bin:
ExecStart=/usr/local/bin/fail2ban-client -x start
ExecStop=/usr/local/bin/fail2ban-client stop
ExecReload=/usr/local/bin/fail2ban-client reload
Create the fail2ban folder
mkdir /var/run/fail2ban
nano /usr/lib/tmpfiles.d/var.conf
Add this line at the bottom
d /var/run/fail2ban 0755 - - -
Reload systemd
systemctl daemon-reload
7. Create zimbra.jail
nano /etc/fail2ban/jail.d/zimbra.local
Fill with the following lines and save
[zimbra-submission]
enabled = true
filter = zimbra-submission
logpath = /var/log/zimbra.log
maxretry = 3
findtime = 3600
bantime = 36000
action = iptables-multiport[name=zimbra-submission, port="25,465,587", protocol=tcp]

[zimbra-webmail]
enabled = true
filter = zimbra-webmail
logpath = /opt/zimbra/log/mailbox.log
maxretry = 3
findtime = 3600
bantime = 36000
action = iptables-multiport[name=zimbra-webmail, port="80,443", protocol=tcp]

[zimbra-admin]
enabled = true
filter = zimbra-admin
logpath = /opt/zimbra/log/mailbox.log
maxretry = 3
findtime = 3600
bantime = 36000
action = iptables-multiport[name=zimbra-admin, port="7071", protocol=tcp]
8. Create filters
# fetched over verified TLS (no -k): these filter files are parsed by a daemon running as root
– Zimbra Admin
curl https://raw.githubusercontent.com/imanudin11/zimbra-fail2ban/master/zimbra-admin.conf > /etc/fail2ban/filter.d/zimbra-admin.conf
– Zimbra Webmail
curl https://raw.githubusercontent.com/imanudin11/zimbra-fail2ban/master/zimbra-webmail.conf > /etc/fail2ban/filter.d/zimbra-webmail.conf
– Zimbra SMTP/SMTPS/Submission
curl https://raw.githubusercontent.com/imanudin11/zimbra-fail2ban/master/zimbra-submission.conf > /etc/fail2ban/filter.d/zimbra-submission.conf
9. Ignore localhost and Zimbra IP
Open the file /etc/fail2ban/jail.conf. Find the line "ignoreip =" and add the IP addresses that Fail2Ban should not check. Multiple IPs can be separated by a comma or a space:
ignoreip = 127.0.0.1/8 IP-ADDRESS-OF-ZIMBRA/32 OTHER-IP-ADDRESS/32
10. Enable and restart Fail2Ban
systemctl enable fail2ban
systemctl restart fail2ban
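Before trusting the jails above with live traffic, it is worth checking what the rule "three failures per source address" would actually ban. The dry run below is an added example, not code from the page or from the imanudin11 filters: it extracts the client address from log lines shaped like Zimbra's mailbox.log authentication failures (client IP in the oip= field) and like Postfix's SASL warnings in zimbra.log, counts failures per address, drops the ignoreip hosts and lists every address at or above maxretry. The log lines, addresses and account names in write_sample_logs are constructed for the example; the assumed log shapes should be checked against the real files on the server.

```shell
#!/bin/sh
# Added example: dry run of the "maxretry failures per IP" rule over log
# lines, to see what the zimbra-webmail/zimbra-admin and zimbra-submission
# jails would ban. Not part of the page or of the imanudin11 filters.

# One source IP per failed login in mailbox.log (webmail, admin, SOAP).
# ASSUMED shape: "... [name=user;oip=A.B.C.D;...] ... authentication failed for [user], ..."
webmail_failures() {
    grep -F 'authentication failed for' "$1" | sed -n 's/.*oip=\([0-9.]*\);.*/\1/p'
}

# One source IP per failed SASL login in zimbra.log (Postfix smtpd/submission).
# ASSUMED shape: "... postfix/submission/smtpd[pid]: warning: host[A.B.C.D]: SASL LOGIN authentication failed: ..."
submission_failures() {
    grep -E 'SASL (LOGIN|PLAIN) authentication failed' "$1" | sed -n 's/.*\[\([0-9.]*\)\]: SASL.*/\1/p'
}

# Remove the ignoreip hosts (space-separated single addresses, as on the page).
drop_ignored() {
    awk -v ign="$1" 'BEGIN { n = split(ign, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
                     !($1 in skip)'
}

# Addresses seen at least $1 times on stdin, one per line, sorted.
offenders() {
    sort | uniq -c | awk -v n="$1" '$1 >= n { print $2 }' | sort
}

webmail_ban_list() {     # $1 mailbox.log  $2 maxretry  $3 ignoreip
    webmail_failures "$1" | drop_ignored "$3" | offenders "$2"
}

submission_ban_list() {  # $1 zimbra.log  $2 maxretry  $3 ignoreip
    submission_failures "$1" | drop_ignored "$3" | offenders "$2"
}

# Constructed sample lines (not from the page's server). 203.0.113.7 fails
# three times on each service, 198.51.100.9 twice, 10.0.0.5 three times from
# the inside, 192.0.2.44 once; the locked-out attempt still counts as a failure.
write_sample_logs() {
    cat > "$1/mailbox.log" <<'EOF'
2022-05-28 05:41:02,311 INFO  [qtp509886383-1180:https://mail.melany.rs/service/soap/AuthRequest] [name=office@melany.rs;oip=203.0.113.7;ua=zclient/8.8.15;] SoapEngine - handler exception: authentication failed for [office@melany.rs], invalid password
2022-05-28 05:41:05,902 INFO  [qtp509886383-1181:https://mail.melany.rs/service/soap/AuthRequest] [name=office@melany.rs;oip=203.0.113.7;ua=zclient/8.8.15;] SoapEngine - handler exception: authentication failed for [office@melany.rs], invalid password
2022-05-28 05:41:09,117 INFO  [qtp509886383-1182:https://mail.melany.rs/service/soap/AuthRequest] [name=office@melany.rs;oip=203.0.113.7;ua=zclient/8.8.15;] SoapEngine - handler exception: authentication failed for [office@melany.rs], account lockout
2022-05-28 05:43:40,004 INFO  [qtp509886383-1190:https://mail.melany.rs/service/soap/AuthRequest] [name=milan@melany.rs;oip=198.51.100.9;ua=ZimbraWebClient - GC101 (Win)/8.8.15;] SoapEngine - handler exception: authentication failed for [milan@melany.rs], invalid password
2022-05-28 05:44:12,560 INFO  [qtp509886383-1191:https://mail.melany.rs/service/soap/AuthRequest] [name=milan@melany.rs;oip=198.51.100.9;ua=ZimbraWebClient - GC101 (Win)/8.8.15;] SoapEngine - handler exception: authentication failed for [milan@melany.rs], invalid password
2022-05-28 05:45:01,000 INFO  [qtp509886383-1193:https://mail.melany.rs/service/soap/AuthRequest] [name=office@melany.rs;oip=10.0.0.5;] SoapEngine - handler exception: authentication failed for [office@melany.rs], invalid password
2022-05-28 05:45:04,210 INFO  [qtp509886383-1194:https://mail.melany.rs/service/soap/AuthRequest] [name=office@melany.rs;oip=10.0.0.5;] SoapEngine - handler exception: authentication failed for [office@melany.rs], invalid password
2022-05-28 05:45:07,388 INFO  [qtp509886383-1195:https://mail.melany.rs/service/soap/AuthRequest] [name=office@melany.rs;oip=10.0.0.5;] SoapEngine - handler exception: authentication failed for [office@melany.rs], invalid password
EOF
    cat > "$1/zimbra.log" <<'EOF'
May 28 05:42:10 mail postfix/submission/smtpd[21544]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
May 28 05:42:14 mail postfix/submission/smtpd[21544]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
May 28 05:42:19 mail postfix/submission/smtpd[21544]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
May 28 05:42:30 mail postfix/smtpd[21560]: warning: unknown[192.0.2.44]: SASL LOGIN authentication failed: authentication failure
May 28 05:42:35 mail postfix/smtpd[21560]: connect from unknown[192.0.2.44]
EOF
}

# Usage: sh dryrun.sh /opt/zimbra/log/mailbox.log /var/log/zimbra.log 3 "127.0.0.1 10.0.0.5"
if [ "$#" -ge 3 ]; then
    echo "webmail/admin jails would ban:"; webmail_ban_list "$1" "$3" "${4:-}"
    echo "submission jail would ban:";     submission_ban_list "$2" "$3" "${4:-}"
fi
```

Two caveats when reading the output. The dry run counts over the whole file, while fail2ban only counts failures inside findtime (3600 s here), so it over-reports slow attackers. And it shows why ignoreip matters behind a router: a third failed login from an internal address would otherwise ban the office network for ten hours. For the real filters, fail2ban ships its own tester, for example fail2ban-regex /opt/zimbra/log/mailbox.log /etc/fail2ban/filter.d/zimbra-webmail.conf; and ignoreip is better kept in jail.local, since jail.conf is replaced on upgrade.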