Schlagwort-Archive: Postfix

Zertifikat für Postfix und Dovecot unter ISPConfig erneuern

1 Antwort

wechseln ins tmp Verzeichnis

cd /tmp

Key erstellen

openssl genrsa -des3 -out srv01.linux-welten.de.key 2048

Phrase eingeben

Generating RSA private key, 2048 bit long modulus
e is 65537 (0x10001)
Enter pass phrase for srv01.linux-welten.de.key: SICHEREphrase
Verifying - Enter pass phrase for srv01.linux-welten.de.key: SICHEREphrase

csr erstellen

openssl req -new -key srv02.linux-welten.de.key -out srv02.linux-welten.de.csr

Fragen beantworten

Enter pass phrase for srv02.linux-welten.de.key: SICHEREphrase
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:THUERINGEN
Locality Name (eg, city) []:BAD LIEBENSTEIN
Organization Name (eg, company) []:Linux Welten
Organizational Unit Name (eg, section) []:Technik
Common Name (e.g. server FQDN or YOUR name) []:srv02.linux-welten.de
Email Address []:----@linux-welten.de

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

crt erstellen

openssl x509 -req -days 365 -in srv02.linux-welten.de.csr -signkey srv02.linux-welten.de.key -out srv02.linux-welten.de.crt

Phrase eingeben

Signature ok
subject=/C=DE/ST=THUERINGEN/L=BAD LIEBENSTEIN/OU=Technik/CN=srv02.linux-welten.de/emailAddress=----@linux-welten.de
Getting Private key
Enter pass phrase for srv02.linux-welten.de.key

Key rsa

openssl rsa -in srv02.linux-welten.de.key -out srv02.linux-welten.de.key.nopass

umbenennen

mv srv02.linux-welten.de.key.nopass srv02.linux-welten.de.key

Pem erstellen

openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Fragen beantworten

Enter pass phrase for srv02.linux-welten.de.key: SICHEREphrase
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:THUERINGEN
Locality Name (eg, city) []:BAD LIEBENSTEIN
Organization Name (eg, company) []:Linux Welten
Organizational Unit Name (eg, section) []:Technik
Common Name (e.g. server FQDN or YOUR name) []:srv02.linux-welten.de
Email Address []:----@linux-welten.de

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Dateien an richtige Stelle verschieben, alte Dateien sichern, postfix neu starten

cd /etc/postfix/
mv smtpd.cert smtpd.cert.old
mv smtpd.key smtpd.key.old
cp -a /root/srv02.linux-welten.de.crt ./
cp -a /root/srv02.linux-welten.de.key ./
mv srv02.linux-welten.de.crt ./smtpd.cert
mv srv02.linux-welten.de.key ./smtpd.key
chmod 600 ./smtpd.cert
chmod 600 ./smtpd.key
/etc/init.d/postfix restart

Wenn nach dem Perfect Server HowTo installiert wurde, greift dovecot auf die gleichen Zertifikate zu. Überprüfen:

vim /etc/dovecot/dovecot.conf

Suchen nach den Pfadangaben Zertifikat

ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key

Wenn der Pfad passt, dovecot neu starten

/etc/init.d/dovecot restart

 

SPAMschutz Debian postfix ISPconfig

1 Antwort

Nach mehrwöchigen Tests hier eine Konstellation die in meiner Testumgebung am besten funktioniert und am wenigsten „false positive“ gebracht hat.

Voraussetzung ist ein zusätzlich installiertes postgrey.

/etc/postfix/main.cf anpassen

[...]
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org,reject_rbl_client dul.dnsbl.sorbs.net,reject_rbl_client ix.dnsbl.manitu.net, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination, check_policy_service inet:127.0.0.1:10023, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf
[...]
smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain, check_sender_access regexp:/etc/postfix/tag_as_originating.re , permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, check_sender_access regexp:/etc/postfix/tag_as_foreign.re
[...]

postfix restart

/etc/init.d/postfix restart

Bedingt durch die Greylist können sich mails ca. 5 Minuten verzögern.

Weiterhin sollte man die Logs im Auge behalten ob nicht irgend welche Mails gegen die Blacklist rennen.

tail -f /var/log/mail.log

Evtl. lohnt vorher ein Blick auf die schwarzen Listen mit Hilfe der mxtools usw.