Differences

This shows you the differences between two versions of the page.

l3:serveri:mail_server_zimbra [2022/05/28 11:41] milanol3:serveri:mail_server_zimbra [2022/07/11 10:51] milano
Line 23: Line 23:
   - Restart servera: ''zmcontrol restart''   - Restart servera: ''zmcontrol restart''
  
-Sve je ovo automatizovano, i pokreće se kao @cronzadatak na Zimbra serveru:+Sve je ovo automatizovano, i pokreće se kao ''cron'' zadatak na Zimbra serveru:
 <code> <code>
- 
 # #
 # Milano, 28.05.2022. # Milano, 28.05.2022.
Line 31: Line 30:
 # #
 40 5 * * 6 /home/zimbra/assets/lets_zm.sh 40 5 * * 6 /home/zimbra/assets/lets_zm.sh
 +</code>
  
 +==== Preduslovi za funkcionisanje ''lets_zm.sh'' skripte ====
 +
 +  - Na Zimbri je napravljen ''nfs-mount: /home/zimbra/cert/'' koji je povezuje sa ''moc: /etc/letsencrypt'' folderom.
 +  - MOC eksponira ''nfs'' folder ''/etc/letsencrypt'' samo Zimbra serveru i to u ''ro'' režimu. \\ **Folder sadrži privatni ključ i veoma je važno da ostane zaštićen!!!**
 +  - Na Zimbri, u folderu ''/home/zimbra/assets'' nalazi se ''isrgrootx1.pem.txt'' fajl koji sadrži **pem** blok ISRG Root X1 sertifikata koji se kombinuje sa Let's Encryptovim.
 +
 +===== Fail2Ban zaštita =====
 +
 +Učestalo je zaključavanje ''office@melany.rs'' ali i ''milan@melany.rs'' naloga zbog pokušaja probijanja "brutalnim nabadanjem lozinke".
 +Kako bi sprečili //brute-force// napade instaliran je ''fail2ban'' servis.
 +
 +Za instalaciju je praćeno uputstvo sa [[https://imanudin.net/2020/07/05/how-to-install-and-configure-fail2ban-for-zimbra|ove stranice]].
 +Pošto stranica može da "nestane", evo i transkripta:
 +
 +**Install pip**
 +
 +<code>yum install python3-pip</code>
 +
 +**Install dependencies required by Fail2Ban**
 +
 +<code>
 +pip3 install pyinotify
 +pip3 install dnspython
 </code> </code>
 +
 +**Download and extract Fail2Ban**
 +
 +<code>
 +cd /tmp/
 +wget -c https://github.com/fail2ban/fail2ban/archive/0.9.4.tar.gz
 +</code>
 +
 +**Install Fail2Ban**
 +
 +<code>
 +tar -xvf 0.9.4.tar.gz
 +cd fail2ban-0.9.4
 +python3 setup.py install
 +</code>
 +
 +**Copy Fail2Ban service to systemd**
 +
 +<code>cp files/fail2ban.service /usr/lib/systemd/system/</code>
 +
 +**Adjust bin location on Fail2Ban service**
 +
 +<code>nano /usr/lib/systemd/system/fail2ban.service</code>
 +
 +Adjust the following lines. Change ''/usr/bin'' become ''/usr/local/bin''
 +
 +<code>
 +ExecStart=/usr/local/bin/fail2ban-client -x start
 +ExecStop=/usr/local/bin/fail2ban-client stop
 +ExecReload=/usr/local/bin/fail2ban-client reload
 +</code>
 +
 +Create fail2ban folder
 +
 +<code>
 +mkdir /var/run/fail2ban
 +nano /usr/lib/tmpfiles.d/var.conf
 +</code>
 +
 +Add this line at the bottom
 +
 +<code>d /var/run/fail2ban 0755 - - -</code>
 +
 +Reload systemd
 +
 +<code>systemctl daemon-reload</code>
 +
 +**Create zimbra.jail**
 +
 +<code>nano /etc/fail2ban/jail.d/zimbra.local</code>
 +
 +Fill with the following lines and save
 +
 +<code>
 +[zimbra-submission]
 +enabled = true
 +filter = zimbra-submission
 +logpath = /var/log/zimbra.log
 +maxretry = 3
 +findtime = 3600
 +bantime = 36000
 +action = iptables-multiport[name=zimbra-submission, port="25,465,587", protocol=tcp]
 +
 +[zimbra-webmail]
 +enabled = true
 +filter = zimbra-webmail
 +logpath = /opt/zimbra/log/mailbox.log
 +maxretry = 3
 +findtime = 3600
 +bantime = 36000
 +action = iptables-multiport[name=zimbra-webmail, port="80,443", protocol=tcp]
 +
 +[zimbra-admin]
 +enabled = true
 +filter = zimbra-admin
 +logpath = /opt/zimbra/log/mailbox.log
 +maxretry = 3
 +findtime = 3600
 +bantime = 36000
 +action = iptables-multiport[name=zimbra-admin, port="7071", protocol=tcp]
 +</code>
 +
 +**Create filters**
 +– Zimbra Admin
 +
 +<code>curl -k https://raw.githubusercontent.com/imanudin11/zimbra-fail2ban/master/zimbra-admin.conf > /etc/fail2ban/filter.d/zimbra-admin.conf</code>
 +
 +– Zimbra Webmail
 +
 +<code>curl -k https://raw.githubusercontent.com/imanudin11/zimbra-fail2ban/master/zimbra-webmail.conf > /etc/fail2ban/filter.d/zimbra-webmail.conf</code>
 +
 +– Zimbra SMTP/SMTPS/Submission
 +
 +<code>curl -k https://raw.githubusercontent.com/imanudin11/zimbra-fail2ban/master/zimbra-submission.conf > /etc/fail2ban/filter.d/zimbra-submission.conf</code>
 +
 +**Ignore localhost and Zimbra IP**
 +
 +Open file /etc/fail2ban/jail.conf. Find line **“ignoreip =”** and add the IP address that will be ignored from Fail2Ban checking. You can use comma or space to add multiple IP
 +
 +<code>ignoreip = 127.0.0.1/8 IP-ADDRESS-OF-ZIMBRA/32 OTHER-IP-ADDRESS/32</code>
 +
 +**Enable and restart Fail2Ban**
 +
 +<code>
 +systemctl enable fail2ban
 +systemctl restart fail2ban
 +</code>
 +
  
  
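Review bot: The three "curl -k" commands under "Create filters" turn off TLS certificate verification while writing the downloaded files straight into /etc/fail2ban/filter.d/, and they fetch from the mutable "master" branch, so whatever is served at that moment becomes a filter that fail2ban loads. Drop "-k", pin the URLs to a specific commit, and read each filter's failregex before the "systemctl restart fail2ban" step. The "wget -c https://github.com/fail2ban/fail2ban/archive/0.9.4.tar.gz" step has the same gap: the tarball goes into "python3 setup.py install" with no checksum comparison, so record the expected hash next to the command and verify it before extracting. Separately, the "Ignore localhost and Zimbra IP" step edits /etc/fail2ban/jail.conf directly; since the jails already live in /etc/fail2ban/jail.d/zimbra.local, put "ignoreip" in a [DEFAULT] section of a .local file so a reinstall or upgrade does not overwrite it.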
  • l3/serveri/mail_server_zimbra.txt
  • Last modified: 2022/07/11 10:52
  • by milano