
Mail server Zimbra

The mail server for the mail.melany.rs domain is installed and configured to run behind the hardware router on the melany.rs address. Such a configuration requires the so-called "Split DNS" (also split-horizon or dual-horizon DNS) approach, which in essence consists of the following:

  1. The Postfix service that Zimbra relies on for receiving/sending mail always does a DNS MX and a DNS A lookup of the registered address.
  2. Because the server is on a private IP address (192.168.0.250) behind the firewall, a lookup of mail.melany.rs returns the public IP, which it cannot reach as itself, so it needs an internal DNS that "fools" it into thinking everything is in order by answering with the private address.
  3. The internal DNS can be provided by the BIND or dnsmasq daemon.

For simplicity of configuration, but also because of the "lighter" nature of the dnsmasq daemon (BIND is a large and complete DNS server, oversized for this need), I chose dnsmasq. The installation and configuration procedure is described here.
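As an added example (this is not the page's own dnsmasq configuration, which the page only links to), here is a dnsmasq fragment that implements the split DNS described above, together with a check through the local resolver. It assumes dnsmasq runs on the Zimbra host itself and listens on 127.0.0.1, that /etc/resolv.conf on that host points at 127.0.0.1, and that the upstream resolver address 203.0.113.53 is a placeholder to be replaced with the router's or the ISP's resolver.

```bash
#!/bin/bash
# Added example, not the page's own configuration: generate the dnsmasq
# fragment for a Zimbra host behind NAT (split DNS) and check it.
# Assumptions: dnsmasq runs on the Zimbra host on 127.0.0.1, that host's
# /etc/resolv.conf lists only 127.0.0.1, and the upstream resolver address
# passed in is a placeholder.
set -eu

# Print the dnsmasq fragment (e.g. for /etc/dnsmasq.d/zimbra.conf).
# Arguments: mail host name, mail domain, private IP of the host, upstream resolver.
gen_split_dns_conf() {
  host="$1"; domain="$2"; ip="$3"; upstream="$4"
  cat <<EOF
# Split DNS for ${host} behind NAT (generated by an added example script)
# Do not read /etc/resolv.conf: it points back at this daemon, which would loop.
no-resolv
server=${upstream}
listen-address=127.0.0.1
bind-interfaces
# Inside the LAN the mail host is its private address, not the router's public one.
# Override only the host name: address=/${domain}/... would also hijack www.${domain}.
address=/${host}/${ip}
# Answer the domain's MX locally too, so Postfix's MX lookup (step 1 above)
# does not depend on the upstream resolver being reachable.
mx-host=${domain},${host},10
EOF
}

# Verify through the local resolver that the A and MX answers are the internal ones.
# Arguments: mail host name, mail domain, expected private IP.
check_split_dns() {
  host="$1"; domain="$2"; ip="$3"
  a=$(dig +short @127.0.0.1 "$host" A)
  [ "$a" = "$ip" ] || { echo "A for $host is '$a', expected $ip" >&2; return 1; }
  dig +short @127.0.0.1 "$domain" MX | grep -q "$host" \
    || { echo "MX for $domain does not name $host" >&2; return 1; }
  echo "split DNS OK: $host -> $ip, MX for $domain -> $host"
}

# Nothing runs unless asked, so the file can be sourced for its functions:
#   ./split_dns.sh install   writes the fragment and restarts dnsmasq (as root)
#   ./split_dns.sh check     queries the local resolver
case "${1:-}" in
  install)
    gen_split_dns_conf mail.melany.rs melany.rs 192.168.0.250 203.0.113.53 \
      > /etc/dnsmasq.d/zimbra.conf
    dnsmasq --test && systemctl restart dnsmasq ;;
  check)
    check_split_dns mail.melany.rs melany.rs 192.168.0.250 ;;
esac
```

The two lines that matter for correctness are no-resolv together with an explicit server= (once /etc/resolv.conf points at 127.0.0.1, letting dnsmasq read it would make it forward queries to itself) and overriding only the host name rather than the bare domain, which would send www.melany.rs and every other name in the domain to the mail server as well. After install, check should report the private address for the A record and mail.melany.rs for the domain's MX.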

Let's Encrypt certificates are rolled over as follows:

  1. MOC, in the script /home/milano/lets_encrypt/lets_gf.sh, copies the certificates from /etc/letsencrypt/archive/melany.rs-0002/ to /home/ftp/virtual/ftp/temp/web/zimbraCert
  2. CRON on the Zimbra server picks up the files and transfers them to /home/zimbra/cert, first deleting the existing contents
  3. It then combines chain.pem with the ISRG Root X1 certificate using the command (in exactly this order): cat isrgrootx1.pem.txt chain.pem > zmchain.pem
  4. The files are copied to the letsencrypt folder with: cp ./* /opt/zimbra/ssl/letsencrypt/
  5. The private key is copied to commercial.key: cp -f privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
  6. Finally the new certificate is registered: zmcertmgr deploycrt comm /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/zmchain.pem
  7. Restart the server: zmcontrol restart

All of this is automated and runs as a cron job on the Zimbra server:

#
# Milano, 28.05.2022.
# Pick up the files after MOC has run the Certbot check, which it does every Saturday at 5:30.
#
40 5 * * 6 /home/zimbra/assets/lets_zm.sh

Notes:

  1. On the Zimbra server an NFS mount was created at /home/zimbra/cert/, which connects it to the /etc/letsencrypt folder on moc.
  2. MOC exports the NFS folder /etc/letsencrypt only to the Zimbra server, and only read-only.
    The folder contains the private key and it is very important that it stays protected!!!
  3. On the Zimbra server, the folder /home/zimbra/assets holds the file isrgrootx1.pem.txt, which contains the PEM block of the ISRG Root X1 certificate that is combined with Let's Encrypt's chain.
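The seven steps above as one script, added here as an example; it is not the page's lets_zm.sh, which the page does not reproduce. The paths are the ones the page gives. The source directory SRC (the live/ directory on the read-only NFS mount) is an assumption, as is that the job runs from the zimbra user's crontab, which zmcertmgr requires. It adds what a job that replaces a private key unattended should have: a tight umask, a structural check that the chain is assembled in the required order, and a zmcertmgr verifycrt run before deploycrt, so that a key/certificate mismatch aborts the job instead of taking the server down.

```bash
#!/bin/bash
# Added example: a reconstruction of the weekly rollover in steps 1-7.
# This is not the page's lets_zm.sh. Paths marked "(page)" come from the page;
# SRC is an assumption (live/ on the read-only NFS mount), and the script is
# assumed to run from the zimbra user's crontab, as zmcertmgr requires.
set -eu
umask 077                                   # never create the key world-readable

SRC="${SRC:-/home/zimbra/cert/live/melany.rs-0002}"                    # assumption
ASSETS="${ASSETS:-/home/zimbra/assets}"                                # (page) holds isrgrootx1.pem.txt
LE_DIR="${LE_DIR:-/opt/zimbra/ssl/letsencrypt}"                        # (page)
KEY_DST="${KEY_DST:-/opt/zimbra/ssl/zimbra/commercial/commercial.key}" # (page)

# Number of certificate blocks in a PEM file (a cheap structural check, no crypto).
pem_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# Build zmchain.pem in the order the page insists on: ISRG Root X1 first, then
# the Let's Encrypt chain. Arguments: root PEM, chain PEM, output path.
build_chain() {
  root="$1"; chain="$2"; out="$3"
  [ "$(pem_count "$root")" -eq 1 ] || { echo "$root must hold exactly one certificate" >&2; return 1; }
  [ "$(pem_count "$chain")" -ge 1 ] || { echo "$chain holds no certificate" >&2; return 1; }
  cat "$root" "$chain" > "$out"
}

# Stage the new material, verify that key, leaf and chain agree, then deploy and restart.
deploy() {
  work=$(mktemp -d)
  trap 'rm -rf "$work"' EXIT                # the mount is read-only, so stage in a tmp dir
  cp "$SRC/cert.pem" "$SRC/chain.pem" "$SRC/privkey.pem" "$work/"
  [ "$(pem_count "$work/cert.pem")" -eq 1 ] || { echo "cert.pem must hold only the leaf" >&2; return 1; }
  build_chain "$ASSETS/isrgrootx1.pem.txt" "$work/chain.pem" "$work/zmchain.pem"
  mkdir -p "$LE_DIR"
  cp "$work/cert.pem" "$work/zmchain.pem" "$LE_DIR/"
  cp -f "$work/privkey.pem" "$KEY_DST"
  chmod 600 "$KEY_DST"
  # verifycrt fails if the key does not match the leaf or the chain does not link;
  # with set -e the job stops here and the running certificate stays in service.
  zmcertmgr verifycrt comm "$KEY_DST" "$LE_DIR/cert.pem" "$LE_DIR/zmchain.pem"
  zmcertmgr deploycrt comm "$LE_DIR/cert.pem" "$LE_DIR/zmchain.pem"
  zmcontrol restart
}

# The cron entry calls this script with "deploy"; without the argument only the
# functions are defined, so the file can be sourced and tested.
if [ "${1:-}" = "deploy" ]; then
  deploy
fi
```

Call it as lets_zm.sh deploy from cron; without the argument it only defines the functions. If verifycrt fails, nothing has been deployed and the previous certificate remains in use, so the only follow-up is to read the job's output.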

The office@melany.rs and milan@melany.rs accounts were frequently being locked because of break-in attempts by "brute-force password guessing". To stop the brute-force attacks, the fail2ban service was installed.

The installation followed the instructions from this page. Since that page may "disappear", here is a transcript:

1. Install pip

yum install python3-pip

2. Install dependencies required by Fail2Ban

pip3 install pyinotify
pip3 install dnspython

3. Download and extract Fail2Ban

cd /tmp/
wget -c https://github.com/fail2ban/fail2ban/archive/0.9.4.tar.gz

4. Install Fail2Ban

tar -xvf 0.9.4.tar.gz
cd fail2ban-0.9.4
python3 setup.py install

5. Copy Fail2Ban service to systemd

cp files/fail2ban.service /usr/lib/systemd/system/

6. Adjust bin location on Fail2Ban service

nano /usr/lib/systemd/system/fail2ban.service

Adjust the following lines, changing /usr/bin to /usr/local/bin:

ExecStart=/usr/local/bin/fail2ban-client -x start
ExecStop=/usr/local/bin/fail2ban-client stop
ExecReload=/usr/local/bin/fail2ban-client reload

Create fail2ban folder

mkdir /var/run/fail2ban
nano /usr/lib/tmpfiles.d/var.conf

Add this line at the bottom

d /var/run/fail2ban 0755 - - -

Reload systemd

systemctl daemon-reload

7. Create zimbra.jail

nano /etc/fail2ban/jail.d/zimbra.local

Fill with the following lines and save

[zimbra-submission]
enabled = true
filter = zimbra-submission
logpath = /var/log/zimbra.log
maxretry = 3
findtime = 3600
bantime = 36000
action = iptables-multiport[name=zimbra-submission, port="25,465,587", protocol=tcp]

[zimbra-webmail]
enabled = true
filter = zimbra-webmail
logpath = /opt/zimbra/log/mailbox.log
maxretry = 3
findtime = 3600
bantime = 36000
action = iptables-multiport[name=zimbra-webmail, port="80,443", protocol=tcp]

[zimbra-admin]
enabled = true
filter = zimbra-admin
logpath = /opt/zimbra/log/mailbox.log
maxretry = 3
findtime = 3600
bantime = 36000
action = iptables-multiport[name=zimbra-admin, port="7071", protocol=tcp]

8. Create filters – Zimbra Admin

curl -k https://raw.githubusercontent.com/imanudin11/zimbra-fail2ban/master/zimbra-admin.conf > /etc/fail2ban/filter.d/zimbra-admin.conf

– Zimbra Webmail

curl -k https://raw.githubusercontent.com/imanudin11/zimbra-fail2ban/master/zimbra-webmail.conf > /etc/fail2ban/filter.d/zimbra-webmail.conf

– Zimbra SMTP/SMTPS/Submission

curl -k https://raw.githubusercontent.com/imanudin11/zimbra-fail2ban/master/zimbra-submission.conf > /etc/fail2ban/filter.d/zimbra-submission.conf

9. Ignore localhost and Zimbra IP

Open the file /etc/fail2ban/jail.conf. Find the line "ignoreip =" and add the IP addresses that Fail2Ban should skip when checking. You can use a comma or a space to separate multiple IPs.

ignoreip = 127.0.0.1/8 IP-ADDRESS-OF-ZIMBRA/32 OTHER-IP-ADDRESS/32

10. Enable and restart Fail2Ban

systemctl enable fail2ban
systemctl restart fail2ban
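The three jails above all work the same way: the filter's failregex extracts the client address from each matching log line, and an address that matches maxretry times within findtime is banned for bantime. The following added example (mine, not code from the page and not the imanudin11 filter files) replays that logic over constructed log lines in the two formats involved, so the thresholds can be sanity-checked without touching the live system. The two regexes are my approximations of the Postfix SASL warning and the Zimbra mailbox.log authentication failure; findtime is not modelled, and all sample lines fall inside one hour.

```bash
#!/bin/bash
# Added example, not part of the page and not imanudin11's filter files: run a
# fail2ban-style failregex over constructed log lines and count failures per
# source address the way a jail's maxretry threshold does. The regexes are this
# example's own approximations of the Postfix SASL and Zimbra mailbox.log
# formats; the filters downloaded in step 8 are the ones actually in use.
set -eu

IPRE='[0-9]{1,3}([.][0-9]{1,3}){3}'

# Postfix SASL failures as written to /var/log/zimbra.log (assumed format).
SUBMISSION_RE='postfix/[a-z/]*smtpd\[[0-9]+]: warning: [^ ]+\[<HOST>]: SASL [A-Z-]+ authentication failed'
# Webmail/SOAP failures in /opt/zimbra/log/mailbox.log; oip= carries the client address (assumed format).
WEBMAIL_RE='oip=<HOST>;.*authentication failed for'

# Print the source address of every matching line. Arguments: failregex with <HOST>, log file.
match_hosts() {
  re=$(printf '%s' "$1" | sed "s/<HOST>/($IPRE)/")   # <HOST> becomes capture group 1
  sed -En "s|.*${re}.*|\1|p" "$2"
}

# Print "address count" for every address with at least maxretry matches.
# Arguments: failregex, log file, maxretry.
offenders() {
  match_hosts "$1" "$2" | sort | uniq -c | awk -v max="$3" '$1 >= max { print $2, $1 }'
}

# Constructed sample lines (not real logs): 198.51.100.7 hammers both services,
# 203.0.113.9 fails once on SMTP, 192.168.0.20 fails once on webmail.
sample_zimbra_log() {
  cat <<'EOF'
Jun 11 05:02:11 mail postfix/submission/smtpd[11234]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Jun 11 05:02:13 mail postfix/submission/smtpd[11234]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Jun 11 05:02:15 mail postfix/submission/smtpd[11234]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Jun 11 05:03:01 mail postfix/smtpd[11240]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: authentication failure
Jun 11 05:03:30 mail postfix/submission/smtpd[11241]: connect from unknown[203.0.113.9]
EOF
}

sample_mailbox_log() {
  cat <<'EOF'
2022-06-11 05:10:01,220 INFO  [qtp1234-56:https://mail.melany.rs/service/soap/AuthRequest] [name=office@melany.rs;oip=198.51.100.7;ua=zclient/8.8.15;] SoapEngine - handler exception: authentication failed for [office@melany.rs], invalid password
2022-06-11 05:10:05,410 INFO  [qtp1234-57:https://mail.melany.rs/service/soap/AuthRequest] [name=office@melany.rs;oip=198.51.100.7;ua=zclient/8.8.15;] SoapEngine - handler exception: authentication failed for [office@melany.rs], invalid password
2022-06-11 05:10:09,817 INFO  [qtp1234-58:https://mail.melany.rs/service/soap/AuthRequest] [name=milan@melany.rs;oip=198.51.100.7;ua=zclient/8.8.15;] SoapEngine - handler exception: authentication failed for [milan@melany.rs], invalid password
2022-06-11 05:11:00,002 INFO  [qtp1234-59:https://mail.melany.rs/service/soap/AuthRequest] [name=milan@melany.rs;oip=192.168.0.20;ua=zclient/8.8.15;] SoapEngine - handler exception: authentication failed for [milan@melany.rs], invalid password
EOF
}

# Stand-alone run: show who would be banned with the page's maxretry = 3.
if [ "${1:-}" = "demo" ]; then
  z=$(mktemp); m=$(mktemp)
  sample_zimbra_log > "$z"; sample_mailbox_log > "$m"
  echo "zimbra-submission:"; offenders "$SUBMISSION_RE" "$z" 3
  echo "zimbra-webmail:";    offenders "$WEBMAIL_RE" "$m" 3
  rm -f "$z" "$m"
fi
```

Run it with demo to print the addresses that would be banned at maxretry = 3 (only 198.51.100.7 in the sample). Against the real logs the equivalent check is fail2ban-regex /opt/zimbra/log/mailbox.log /etc/fail2ban/filter.d/zimbra-webmail.conf (and the same for the other two filters), and fail2ban-client status zimbra-webmail after a day shows what has actually been banned. Two things deserve a check on this particular setup: that the address in oip= and in the Postfix warning is the remote client's and not the router's (if the router rewrites the source address when forwarding ports, every client looks the same and one ban locks everyone out), and that the LAN range is in ignoreip, which is better placed under [DEFAULT] in /etc/fail2ban/jail.local than in jail.conf, which an upgrade overwrites. The filter files in step 8 are fetched with curl -k, which skips certificate verification; drop the -k and read the three files before enabling the jails.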
  • Last modified: 2022/07/11 10:52
  • by milano