Diffstat (limited to '')
-rw-r--r-- | _posts/dns.md | 80 | ||||
-rw-r--r-- | _posts/mail.md | 191 | ||||
-rw-r--r-- | _posts/rfc2136.md | 29 |
3 files changed, 300 insertions, 0 deletions
diff --git a/_posts/dns.md b/_posts/dns.md
new file mode 100644
index 0000000..bbac1ac
--- /dev/null
+++ b/_posts/dns.md
@@ -0,0 +1,80 @@
+apt install bind9
+
+mkdir /etc/bind/keys
+
+dnssec-keygen -K /etc/bind/keys -f KSK -a ECDSAP256SHA256 -n ZONE sijanec.eu
+dnssec-keygen -a ECDSAP256SHA256 -n ZONE sijanec.eu
+dnssec-keygen -K /etc/bind/keys -f KSK -a ECDSAP256SHA256 -n ZONE sijanec.org
+dnssec-keygen -a ECDSAP256SHA256 -n ZONE sijanec.org
+in tako dalje za vse domene
+
+chown -R bind:bind /etc/bind/keys
+
+vim /etc/bind9/named.conf.options
+ options {
+ directory "/var/cache/bind";
+ check-names master warn;
+ check-names slave warn;
+ recursion yes;
+ allow-recursion { any; };
+ querylog yes;
+ allow-transfer { any; };
+ allow-query { any; };
+ dnssec-validation auto;
+ listen-on-v6 { any; };
+ };
+vim /etc/bind/named.conf.local
+ zone "sijanec.eu" {
+ type master;
+ file "/var/lib/bind/db.sijanec.eu";
+ key-directory "/etc/bind/keys";
+ auto-dnssec maintain;
+ inline-signing yes;
+ };
+ zone "sijanec.org" {
+ type master;
+ file "/var/lib/bind/db.sijanec.org";
+ key-directory "/etc/bind/keys";
+ auto-dnssec maintain;
+ inline-signing yes;
+ };
+ in tako dalje za vse domene
+
+če pa konfiguriramo suženjski DNS strežnik, pa v /etc/bind/named.conf.local napišemo
+ zone "sijanec.eu" {
+ type slave;
+ file "/var/lib/bind/db.sijanec.eu";
+ allow-transfer { 93.103.235.126/32; };
+ // IP naslov glavnega DNS strežnika
+ masters { 93.103.235.126; };
+ };
+ zone "sijanec.org" {
+ type slave;
+ file "/var/lib/bind/db.sijanec.org";
+ allow-transfer { 93.103.235.126/32; };
+ masters { 93.103.235.126/32; };
+ };
+ in tako dalje za vse domene
+
+na glavnem DNS strežniku v datoteko /var/lib/bind/db.sijanec.eu vpišemo DNS zone
+ $TTL 300
+ @ IN SOA ns1.sijanec.org. abuse.sijanec.eu. (
+ 10 ; serijska številka za DNS zone, povečaj za 10 ob spremembi
+ 301 ; refresh
+ 299 ; retry
+ 31556926 ; po enem letu nedelovanja NS1 sužnji pozabijo domeno
+ 30 ; TTL za NXDOMAIN, negative cache TTL
+ ) ; abuse.sijanec.eu. je poštni naslov abuse@sijanec.eu - spremeni ga
+ ; ns1.sijanec.eu. je glavni DNS strežnik za domeno - spremeni ga
+ @ IN NS ns1.sijanec.eu. ; glavni strežnik
+ @ IN NS ns2.sijanec.eu. ; DNS suženj
+ @ IN A 84.255.241.83
+ in tako dalje za dodatne zapise
+
+za vse dodatne domene, ki naj imajo isto zone datoteko, lahko samo narediš symlinke. nikakor ne sme biti "file" direktiva v named.conf.local enaka pri več različnih DNS zone deklaracijah enaka, lahko pa kaže na symlink.
+
+za vsako dodatno domeno torej:
+ln -s db.sijanec.eu /var/lib/bind/db.sijanec.org
+ln -s db.sijanec.eu /var/lib/bind/db.sijanec.net
+
+systemctl restart bind9
diff --git a/_posts/mail.md b/_posts/mail.md
new file mode 100644
index 0000000..b908d81
--- /dev/null
+++ b/_posts/mail.md
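Review bot: `recursion yes;` together with `allow-recursion { any; };` and `allow-query { any; };` in named.conf.options makes this publicly reachable authoritative server an open recursive resolver, and the global `allow-transfer { any; };` lets any client AXFR every zone, including the symlinked ones; on the primary these should read `recursion no;` (or `allow-recursion { localhost; };`) and `allow-transfer { <ns2-address>; };` with the secondary's address, which the page does not give. The two ZSK `dnssec-keygen` invocations omit `-K /etc/bind/keys`, so those keys land in the current working directory rather than in the `key-directory` the zone stanzas point at, and the `chown -R bind:bind /etc/bind/keys` that follows does not cover them; `auto-dnssec maintain` would then presumably see only the KSKs — add `-K /etc/bind/keys` to all four lines. The SOA MNAME is `ns1.sijanec.org.` while the NS records and the comment under the SOA name `ns1.sijanec.eu.` as the primary; one of the two is likely wrong and should be made consistent.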
@@ -0,0 +1,191 @@
+apt install postfix dovecot-imapd opendkim postfix-policyd-spf-python maildrop roundcube prayer nginx postfix-mta-sts-resolver hash-slinger
+
+vim /etc/dovecot/conf.d/10-mail.conf
+ mail_location = maildir:~/Maildir
+
+vim /etc/dovecot/conf.d/10-ssl.conf
+ ssl_cert = </etc/ssl/certifikati/fullchain.pem
+ ssl_key = </etc/ssl/certifikati/privkey.pem
+
+vim /etc/postfix/header\_checks
+ /^X-Originating-IP:/ IGNORE
+ /^Received:.*ESMTPSA/ IGNORE
+
+vim /etc/postfix/command\_filter
+ /^(.*)šijanec(.*)$/ $1 xn--ijanec-9jb $2
+
+vim /etc/postfix/destinations
+ if !/seznami/
+ /ijanec/ ALLOW
+ /241/ ALLOW
+ /146/ ALLOW
+ /235/ ALLOW
+ /gimb.tk/ ALLOW
+ /xn--jha/ ALLOW
+ endif
+
+usermod -aG opendkim postfix
+mkdir /var/spool/postfix/opendkim
+chown opendkim:opendkim /var/spool/postfix/opendkim
+
+opendkim-genkey -D /etc/dkimkeys -s mail
+
+dodaj vsebino /etc/dkimkeys/mail.txt v DNS zone za domeno
+
+vim /etc/opendkim.conf
+ LogWhy yes
+ UserID opendkim:opendkim
+ Domain sijanec.eu,sijanec.org,sijanec.net,xn--ijanec-9jb.eu in tako dalje
+ Selector mail
+ KeyFile /etc/dkimkeys/mail.private
+ Socket local:/var/spool/postfix/opendkim/opendkim.sock
+
+vim /etc/postfix-policyd-spf-python/policyd-spf.conf
+ HELO_reject = False
+ Mail_From_reject = False
+
+vim /etc/postfix/main.cf
+ smtp_header_checks = regexp:/etc/postfix/header_checks
+ smtpd_tls_cert_file = /etc/ssl/certifikati/fullchain.pem
+ smtpd_tls_key_file = /etc/ssl/certifikati/privkey.pem
+ smtpd_tls_received_header = yes
+ smtpd_command_filter = pcre:/etc/postfix/command_filter
+ mydomain = sijanec.eu
+ mydestination = pcre:/etc/postfix/destinations
+ smtp_address_preference = ipv4
+ mailbox_command = /usr/bin/maildrop -d $(USER)
+ smtp_bind_address = 89.212.146.168
+ smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf
+ policyd-spf_time_limit = 3600
+ message_size_limit = 1222333444
+ milter_protocol = 2
+ milter_default_action = accept
+ smtpd_milters = unix:/opendkim/opendkim.sock
+ non_smtpd_milters = unix:/opendkim/opendkim.sock
+ smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8451:postfix
+ smtpd_sasl_type = dovecot
+ smtpd_sasl_path = private/auth
+ smtpd_sasl_auth_enable = yes
+
+vim /etc/postfix/master.cf
+ odkomentiraj: smtp, submission, smtps (ostali potrebni so že odkomentirani)
+ dodaj na konec:
+ policyd-spf unix - n n - 0 spawn
+ user=policyd-spf argv=/usr/bin/policy-spf
+
+vim /etc/dovecot/conf.d/10-master.conf
+ # ta block že obstaja v privzeti konfiguraciji
+ # https://www.postfix.org/SASL_README.html
+ service auth {
+ unix_listener /var/spool/postfix/private/auth {
+ user = postfix
+ group = postfix
+ mode = 0660
+ }
+ }
+
+vim /etc/dovecot/conf.d/15-mailboxes.conf
+ # ti blocki že obstajajo v privzeti konfiguraciji, treba jih je samo dopolniti
+ namespace inbox {
+ mailbox Drafts {
+ special_use = \Drafts
+ auto = subscribe
+ }
+ mailbox Junk {
+ special_use = \Junk
+ auto = subscribe
+ }
+ mailbox Trash {
+ special_use = \Trash
+ auto = subscribe
+ }
+ mailbox Sent {
+ special_use = \Sent
+ auto = subscribe
+ }
+ }
+
+vim ~/.mailfilter
+ if (/.*librehosting@radiostudent\.si.*/ || /.*kiberpipa\.org.*/ || /.*lugos\.si.*/)
+ {
+ to $HOME/Maildir/.liste.lugos
+ }
+ if (/.*oss-security.*/ || /.*debian-security-announce.*/)
+ {
+ to $HOME/Maildir/.liste.oss-security
+ }
+ in tako dalje
+
+iz IMAP klienta je treba **PRED DODAJANJEM MAPE** v ~/.mailfilter izdelati mapo, v nasprotnem primeru bo maildrop naredil mbox datoteko, česar nočemo.
+
+chown $USER:$USER ~/.mailfilter
+chmod 0600 ~/.mailfilter
+
+vim /etc/maildroprc
+DEFAULT="$HOME/Maildir"
+
+tlsa --create sijanec.eu
+dodaj output v DNS domensko zono (nginx mora teči s pravilnim certifikatom!) - spremeni zapis v DNS zoni, ko spremeniš cert
+
+rndc freeze
+vim /var/lib/bind/db.sijanec.eu
+ _mta-sts IN TXT "v=STSv1; id=2"
+ mta-sts IN CNAME mail
+ @ IN MX 10 mail
+ mail IN A 89.212.146.168
+ _dmarc IN TXT "v=DMARC1; p=none; rua=mailto:dmarc-aggregate@sijanec.eu; ruf=mailto:dmarc-forensic@sijanec.eu; fo=1"
+ @ IN TXT "v=spf1 mx a ip4:89.212.146.168/32 a:mail.sijanec.eu ~all"
+ *.sijanec.eu._report._dmarc IN TXT "v=DMARC1"
+ sijanec.eu._report._dmarc IN TXT "v=DMARC1"
+ *.sijanec.org._report._dmarc IN TXT "v=DMARC1"
+ sijanec.org._report._dmarc IN TXT "v=DMARC1" ; in isto za ostale domene
+ _smtp._tls IN TXT "v=TLSRPTv1; rua=mailto:tls@sijanec.eu"
+ @ IN CAA 128 issue "letsencrypt.org"
+ @ IN CAA 128 issuewild "letsencrypt.org"
+ @ IN CAA 128 iodef "mailto:caa-violation@sijanec.eu"
+ * IN CAA 128 issue "letsencrypt.org"
+ * IN CAA 128 issuewild "letsencrypt.org"
+ * IN CAA 128 iodef "mailto:caa-violation@sijanec.eu"
+rndc thaw
+
+vim /etc/aliases
+ mailer-daemon: postmaster
+ postmaster: root
+ nobody: root
+ hostmaster: root
+ webmaster: root
+ listmaster: root
+ www: root
+ ftp: root
+ abuse: root
+ noc: root
+ security: root
+ root: a
+ anton: a
+ whois: hostmaster
+ dns: whois
+ devnull: null
+ null: |/dev/null
+ luka: anton
+ dmarc-aggregate: postmaster
+ dmrac-forensic: postmaster
+ caa-violation: hostmaster
+ tls: postmaster
+
+newaliases
+
+vim /var/www/html/.well-known/mta-sts.txt
+ version: STSv1
+ mode: testing
+ mx: mail.sijanec.eu
+ mx: mail.sijanec.org
+ mx: mail.sijanec.net
+ mx: mail.xn--ijanec-9jb.eu
+ mx: mail.xn--ijanec-9jb.org
+ mx: mail.xn--ijanec-9jb.net
+ mx: mail.xn--ijanec-9jb.si
+ mx: mail.xn--ijanec-9jb.com
+ max_age: 31557600
+ comment: karkoli
+
+systemctl restart postfix dovecot opendkim prayer nginx postfix-mta-sts-resolver bind9
diff --git a/_posts/rfc2136.md b/_posts/rfc2136.md
new file mode 100644
index 0000000..d8d5190
--- /dev/null
+++ b/_posts/rfc2136.md
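Review bot: The alias `dmrac-forensic: postmaster` in /etc/aliases does not match the DMARC `ruf=mailto:dmarc-forensic@sijanec.eu` published in the zone, so forensic reports would presumably be rejected as an unknown local user unless a `dmarc-forensic` account exists; it should read `dmarc-forensic: postmaster`. The `pcre:/etc/postfix/destinations` table used as `mydestination` matches unanchored substrings (`/ijanec/`, `/241/`, `/146/`, `/235/`), presumably meant for the bracketed address literals, but any recipient domain containing those characters would also be treated as local and accepted, which weakens `reject_unauth_destination`; anchor the patterns to the exact names, e.g. `/^sijanec\.(eu|org|net)$/ ALLOW` and `/^\[89\.212\.146\.168\]$/ ALLOW`. `message_size_limit = 1222333444` permits roughly 1.2 GB per message, so a one-line comment explaining why it is intentional would help the next reader, since a few such messages can fill the spool.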
@@ -0,0 +1,29 @@
+# dyndns setup http://www.btteknik.net/?p=143
+ddns-confgen -s rfc2136.sijanec.eu.
+# http://www.ipamworldwide.com/ipam/update-policy.html
+vim /etc/bind/named.conf.local # here goes the update policy, change name to subdomain
+touch /etc/bind/keyfile.conf
+chmod 0660 /etc/bind/keyfile.conf
+vim /etc/bind/keyfile.conf # here goes the key
+# hook script https://blog.danman.eu/automatic-letsencrypt-wildcard-cert-renewal-with-nsupdate/
+vim /etc/letsencrypt/hook.sh
+ #!/bin/bash
+ CREATE_DOMAIN="certbot.rfc2136.sijanec.eu."
+ echo "
+ server 127.0.0.1
+ update delete $CREATE_DOMAIN TXT
+ update add $CREATE_DOMAIN 1 TXT $CERTBOT_VALIDATION
+ send
+ " | nsupdate -k /etc/bind/keyfile.conf
+ if [ $CERTBOT_REMAINING_CHALLENGES -eq 0 ]
+ then
+ echo done, reloading server and waiting 30 seconds
+ rndc reload
+ sleep 30
+ fi
+chmod +x /etc/letsencrypt/hook.sh
+# v domenske zapise vseh domen je treba dodati:
+# _acme-challenge IN CNAME certbot.rfc2136.sijanec.eu.
+certbot certonly --reuse-key --manual --register-unsafely-without-email --preferred-challenges dns --manual-auth-hook /etc/letsencrypt/hook.sh -d sijanec.eu -d sijanec.org -d sijanec.net -d xn--ijanec-9jb.eu -d xn--ijanec-9jb.org -d xn--ijanec-9jb.net -d xn--ijanec-9jb.si -d xn--ijanec-9jb.com -d *.sijanec.eu -d *.sijanec.org -d *.sijanec.net -d *.xn--ijanec-9jb.eu -d *.xn--ijanec-9jb.org -d *.xn--ijanec-9jb.net -d *.xn--ijanec-9jb.si -d *.xn--ijanec-9jb.com -d gimb.tk -d *.gimb.tk -d xn--jha.ga -d *.xn--jha.ga
+# more interesting info:
+# https://certbot-dns-rfc2136.readthedocs.io/en/stable/ (per-domain setup required, no CNAMEs) |
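Review bot: `touch` followed by `chmod 0660 /etc/bind/keyfile.conf` leaves the TSIG secret owned by whoever ran the shell (root:root on a root shell) with a group-write bit that serves no one, while named, which presumably includes this file from named.conf.local for the update-policy, gets no read access at all; `chown root:bind /etc/bind/keyfile.conf` and `chmod 0640 /etc/bind/keyfile.conf` give named read-only access and keep the secret from other local users. In hook.sh every invocation runs `update delete $CREATE_DOMAIN TXT` before adding its own value, so if certbot calls the auth hook once per name before validating any of them, only the last TXT survives at the shared `certbot.rfc2136.sijanec.eu.` name and the earlier challenges (and the base/wildcard pairs, which need two TXT records at once) would fail; dropping the delete line and removing the records in a `--manual-cleanup-hook` instead avoids that. A comment in the hook stating that `$CERTBOT_VALIDATION` and `$CERTBOT_REMAINING_CHALLENGES` are supplied by certbot would also help, since nothing on the page defines them.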