Tag archive: Postfix

Renewing the certificate for Postfix and Dovecot under ISPConfig

Change into the tmp directory (any scratch directory works, but keep in mind that /tmp is world-readable and the key without pass phrase ends up there in a later step, so remove the files once they are installed)

cd /tmp

Create the key (the file name must match the name used in all following steps)

openssl genrsa -des3 -out srv02.linux-welten.de.key 2048

Enter a pass phrase

Generating RSA private key, 2048 bit long modulus
e is 65537 (0x10001)
Enter pass phrase for srv02.linux-welten.de.key: SICHEREphrase
Verifying - Enter pass phrase for srv02.linux-welten.de.key: SICHEREphrase

Create the CSR

openssl req -new -key srv02.linux-welten.de.key -out srv02.linux-welten.de.csr

Answer the questions (the Common Name must be the host name that mail clients connect to, otherwise they will report a name mismatch)

Enter pass phrase for srv02.linux-welten.de.key: SICHEREphrase
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:THUERINGEN
Locality Name (eg, city) []:BAD LIEBENSTEIN
Organization Name (eg, company) []:Linux Welten
Organizational Unit Name (eg, section) []:Technik
Common Name (e.g. server FQDN or YOUR name) []:srv02.linux-welten.de
Email Address []:----@linux-welten.de

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Create the certificate (self-signed, valid for 365 days; mail clients will warn about a certificate that is not issued by a CA they trust until the user accepts it)

openssl x509 -req -days 365 -in srv02.linux-welten.de.csr -signkey srv02.linux-welten.de.key -out srv02.linux-welten.de.crt

Enter the pass phrase

Signature ok
subject=/C=DE/ST=THUERINGEN/L=BAD LIEBENSTEIN/OU=Technik/CN=srv02.linux-welten.de/emailAddress=----@linux-welten.de
Getting Private key
Enter pass phrase for srv02.linux-welten.de.key

Strip the pass phrase from the key. Postfix and Dovecot cannot prompt for a pass phrase when they start, so the key has to be stored unencrypted (and therefore readable only by root)

openssl rsa -in srv02.linux-welten.de.key -out srv02.linux-welten.de.key.nopass

Rename

mv srv02.linux-welten.de.key.nopass srv02.linux-welten.de.key

Create the PEM (a CA key and CA certificate)

This creates a new CA key (cakey.pem, protected by its own pass phrase) and a self-signed CA certificate (cacert.pem) valid for ten years. The rest of this procedure does not use them: the server certificate above is self-signed with its own key, not issued by this CA. If you want a private CA, give it a Common Name that differs from the server's and sign the server CSR with the CA key instead of self-signing it; otherwise this step can be skipped.

openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Answer the questions

writing new private key to 'cakey.pem'
Enter PEM pass phrase: SICHEREphrase
Verifying - Enter PEM pass phrase: SICHEREphrase
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:THUERINGEN
Locality Name (eg, city) []:BAD LIEBENSTEIN
Organization Name (eg, company) []:Linux Welten
Organizational Unit Name (eg, section) []:Technik
Common Name (e.g. server FQDN or YOUR name) []:srv02.linux-welten.de
Email Address []:----@linux-welten.de

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Move the files into place, back up the old ones, restart Postfix (the files were created in /tmp above; the key is now unencrypted, so it must only be readable by root)

cd /etc/postfix/
mv smtpd.cert smtpd.cert.old
mv smtpd.key smtpd.key.old
cp -a /tmp/srv02.linux-welten.de.crt ./
cp -a /tmp/srv02.linux-welten.de.key ./
mv srv02.linux-welten.de.crt ./smtpd.cert
mv srv02.linux-welten.de.key ./smtpd.key
chmod 600 ./smtpd.cert
chmod 600 ./smtpd.key
/etc/init.d/postfix restart

If the system was set up following the Perfect Server HowTo, Dovecot uses the same certificate files. Check:

vim /etc/dovecot/dovecot.conf

Look for the certificate path settings (the leading < tells Dovecot to read the value from the file; on Dovecot 2.x these settings usually live in /etc/dovecot/conf.d/10-ssl.conf instead)

ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key

If the paths match, restart Dovecot

/etc/init.d/dovecot restart
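The same result in one non-interactive step, plus the checks worth running before copying anything over /etc/postfix/smtpd.cert and smtpd.key. This is an added example, not code from the original post; it assumes OpenSSL 1.1.1 or newer (for -addext), the host name srv02.linux-welten.de from the post, and a scratch directory chosen by the caller. Unlike the manual steps, it writes the key without a pass phrase from the start and adds a subjectAltName, which is what current mail clients match the host name against.

```shell
#!/bin/sh
# Added example (not from the original post): create key + self-signed
# certificate for the mail server non-interactively and verify the pair
# before installing it. Assumptions: OpenSSL >= 1.1.1, hostname and DN
# values from the post, scratch directory passed in by the caller.

set -eu

# make_mail_cert FQDN OUTDIR DAYS
# -nodes writes the key unencrypted, which Postfix and Dovecot need anyway
# (they cannot prompt for a pass phrase at start-up), so the separate
# "strip the pass phrase" step becomes unnecessary. The SAN is set because
# clients check subjectAltName, not the CN, when matching the host name.
make_mail_cert() {
    fqdn=$1; outdir=$2; days=$3
    mkdir -p "$outdir"
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days "$days" \
        -subj "/C=DE/ST=THUERINGEN/L=BAD LIEBENSTEIN/O=Linux Welten/OU=Technik/CN=$fqdn" \
        -addext "subjectAltName=DNS:$fqdn" \
        -keyout "$outdir/smtpd.key" -out "$outdir/smtpd.cert" 2>/dev/null
    chmod 600 "$outdir/smtpd.key"
}

# cert_matches_key CERT KEY: succeeds if the public key inside the
# certificate is the one derived from the private key. A mismatched pair
# will not load, and a daemon with a broken TLS setup silently falls back
# to plaintext, which is easy to miss until someone looks at the log.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# key_is_unencrypted KEY: an encrypted PEM key carries either an
# "ENCRYPTED PRIVATE KEY" header or a "Proc-Type: 4,ENCRYPTED" line;
# both contain the word ENCRYPTED, and both stop the daemons loading it.
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$1"
}

# cert_ok_for_days CERT DAYS: succeeds if the certificate is still valid
# DAYS days from now. Run it from cron to trigger the renewal in time.
cert_ok_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Demonstration run in a temporary directory.
if command -v openssl >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    make_mail_cert srv02.linux-welten.de "$tmp" 365
    openssl x509 -in "$tmp/smtpd.cert" -noout -subject -dates
    cert_matches_key "$tmp/smtpd.cert" "$tmp/smtpd.key" && echo "cert and key match"
    key_is_unencrypted "$tmp/smtpd.key" && echo "key has no pass phrase"
    cert_ok_for_days "$tmp/smtpd.cert" 30 && echo "more than 30 days of validity left"
    rm -rf "$tmp"
fi
```

After installing the files, the check that matters most is the one from the outside: connect with `openssl s_client -starttls smtp -connect srv02.linux-welten.de:25` (and `-starttls imap` on port 143) and confirm that the certificate presented is the new one and that the verify error is only the expected self-signed one.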


Spam protection: Debian, Postfix, ISPConfig

After several weeks of testing, here is the combination that worked best in my test environment and produced the fewest "false positives".

Prerequisite: postgrey installed in addition (the check_policy_service entry below points at its default port 10023 on localhost).

Adjust /etc/postfix/main.cf. Postfix evaluates each restriction list from left to right and stops at the first entry that returns permit or reject; the ordering below keeps the cheap syntactic checks first, the DNSBL lookups after them, and puts reject_unauth_destination before the first access-map lookup, which is what actually prevents relaying. reject_unknown_recipient_domain and reject_unauth_destination each appear twice in the list; the second occurrence is redundant but harmless.

[...]
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_invalid_hostname, reject_non_fqdn_hostname,
    reject_unknown_recipient_domain, reject_non_fqdn_recipient,
    reject_unauth_destination,
    reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain,
    reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dul.dnsbl.sorbs.net, reject_rbl_client ix.dnsbl.manitu.net,
    check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
    reject_unauth_destination,
    check_policy_service inet:127.0.0.1:10023,
    check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf
[...]
smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain,
    check_sender_access regexp:/etc/postfix/tag_as_originating.re,
    permit_mynetworks, permit_sasl_authenticated,
    check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf,
    check_sender_access regexp:/etc/postfix/tag_as_foreign.re
[...]
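A small check to run on a restriction list before reloading Postfix. This is an added example, not part of the original post: it splits the smtpd_recipient_restrictions value quoted on this page into its entries, reports duplicates, prints a deduplicated version that keeps the original order, and verifies that reject_unauth_destination comes before any check_* lookup. That last point is the one with security impact: an access map or policy service that returns OK for a recipient is a permit, and a permit that is reached before reject_unauth_destination turns the server into an open relay. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for a Postfix
# restriction list. RECIPIENT is the smtpd_recipient_restrictions value
# quoted on this page; the function names are this example's own.

set -eu

RECIPIENT='permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org,reject_rbl_client dul.dnsbl.sorbs.net,reject_rbl_client ix.dnsbl.manitu.net, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination, check_policy_service inet:127.0.0.1:10023, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf'

# split_restrictions VALUE: one entry per line. Entries with an argument
# ("reject_rbl_client zen.spamhaus.org") stay together because the split
# is on commas only; surrounding and repeated whitespace is squeezed.
split_restrictions() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; s/[[:space:]]\{1,\}/ /g' \
        | grep -v '^$'
}

# duplicate_restrictions VALUE: entries that occur more than once.
duplicate_restrictions() {
    split_restrictions "$1" | sort | uniq -d
}

# dedupe_restrictions VALUE: the list with repeats dropped, first
# occurrence kept, so the evaluation order does not change.
dedupe_restrictions() {
    split_restrictions "$1" | awk '!seen[$0]++' | paste -sd, - | sed 's/,/, /g'
}

# relay_check_first VALUE: succeeds only if reject_unauth_destination is
# present and precedes every check_* or other permit_* entry. An OK from a
# lookup table before the relay check would allow relaying to anyone.
# permit_mynetworks / permit_sasl_authenticated are exempt: those are
# the clients that are supposed to relay.
relay_check_first() {
    split_restrictions "$1" | awk '
        /^reject_unauth_destination$/ && !r { r = NR }
        /^(check_|permit_)/ && !/^permit_(mynetworks|sasl_authenticated)$/ && !c { c = NR }
        END { exit !(r && (!c || r < c)) }'
}

echo "duplicate entries:"
duplicate_restrictions "$RECIPIENT"
echo "deduplicated list:"
dedupe_restrictions "$RECIPIENT"
relay_check_first "$RECIPIENT" && echo "reject_unauth_destination precedes all lookups"
```

To run it against the live configuration rather than the copy above, feed it `postconf -h smtpd_recipient_restrictions`, which prints the effective value with continuation lines already joined.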

Restart Postfix

/etc/init.d/postfix restart

Because of the greylist, mail from a sender that has not been seen before can be delayed by about 5 minutes (postgrey's default delay is 300 seconds; once a client/sender/recipient triplet has retried successfully it is whitelisted and later mail passes straight through).

Also keep an eye on the logs to make sure no legitimate mail is running into the blacklists.

tail -f /var/log/mail.log

It may be worth checking the blacklists beforehand with tools such as mxtools. Re-check the lists in the configuration from time to time as well: a retired DNSBL zone (the CBL at cbl.abuseat.org is no longer operated as a separate zone, its data is part of zen.spamhaus.org, and SORBS has shut down) may stop answering or, if the domain changes hands, answer positively for every query, which would reject all incoming mail. Spamhaus also returns error codes instead of listings when queried through a public resolver or above its free-use limit, and Postfix treats any 127.x.x.x answer as a listing unless told otherwise, so query it through a local resolver and watch the log for unexpected blocks.
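Watching the raw log scroll by with tail -f shows individual rejects, but the questions that matter are which list is doing the rejecting and whether any of the rejected senders look legitimate. This is an added example, not part of the original post: three small filters over lines in the format Postfix writes for DNSBL rejects and postgrey deferrals. The sample log lines are constructed for the example (addresses from the documentation ranges); the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): triage helpers for
# /var/log/mail.log. SAMPLE_LOG is constructed sample data in the format
# Postfix writes for "reject_rbl_client" rejects and postgrey deferrals.

set -eu

SAMPLE_LOG='Mar  3 10:15:02 srv02 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using zen.spamhaus.org; from=<spam@example.net> to=<info@linux-welten.de> proto=ESMTP helo=<mail.example.net>
Mar  3 10:16:40 srv02 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from mail.example.com[198.51.100.7]: 450 4.2.0 <user@linux-welten.de>: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/linux-welten.de.html; from=<a@example.com> to=<user@linux-welten.de> proto=ESMTP helo=<mail.example.com>
Mar  3 10:18:11 srv02 postfix/smtpd[1240]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 Service unavailable; Client host [203.0.113.9] blocked using ix.dnsbl.manitu.net; from=<x@example.org> to=<info@linux-welten.de> proto=ESMTP helo=<x.example.org>
Mar  3 10:21:30 srv02 postfix/smtpd[1240]: NOQUEUE: reject: RCPT from dsl-5.example.org[192.0.2.5]: 554 5.7.1 Service unavailable; Client host [192.0.2.5] blocked using zen.spamhaus.org; from=<partner@example.org> to=<sales@linux-welten.de> proto=ESMTP helo=<dsl-5.example.org>
Mar  3 10:22:01 srv02 postfix/smtpd[1240]: 3F2A1: client=mail.example.com[198.51.100.7]'

# rbl_rejects_by_list: reads a log on stdin, counts rejects per DNSBL.
# A list that suddenly dominates this table (or one that never appears)
# is the first sign of a dead or misbehaving zone.
rbl_rejects_by_list() {
    sed -n 's/.*blocked using \([^;]*\);.*/\1/p' | sort | uniq -c | sort -rn
}

# greylist_deferrals: number of 450 "Greylisted" responses. These are
# temporary and should be matched by a later accepted delivery from the
# same client; a sender that keeps appearing here never retries.
greylist_deferrals() {
    grep -c 'Greylisted'
}

# rbl_rejected_senders: sender address and list for every DNSBL reject,
# tab separated. This is the list to scan for partners and customers
# whose mail servers sit on a listed range.
rbl_rejected_senders() {
    awk '/blocked using/ {
        match($0, /from=<[^>]*>/);       s = substr($0, RSTART + 6,  RLENGTH - 7)
        match($0, /blocked using [^;]*/); l = substr($0, RSTART + 14, RLENGTH - 14)
        print s "\t" l
    }'
}

echo "rejects per list:"
printf '%s\n' "$SAMPLE_LOG" | rbl_rejects_by_list
echo "greylist deferrals: $(printf '%s\n' "$SAMPLE_LOG" | greylist_deferrals)"
echo "rejected senders:"
printf '%s\n' "$SAMPLE_LOG" | rbl_rejected_senders
```

On the server, `grep 'blocked using' /var/log/mail.log | rbl_rejects_by_list` gives the per-list picture for the day, and `rbl_rejected_senders < /var/log/mail.log | sort -u` is the list to go through for false positives before deciding whether a list stays in main.cf.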