Postfix Mail System Essentials (Part 2)

System hardening and security

1. Kernel tuning, done with a script
[root@mailserv2 ~]# more /usr/local/bin/kernel_optimize
#!/bin/bash
#kernel optimize script, created 2007-7-29
#enable broadcast echo protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#disable source routed packets
#for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
#    echo 0 > $f
#done
#enable tcp syn cookie protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#disable icmp redirect acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
#don't send redirect messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $f
done
#drop spoofed packets
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
#log packets with impossible addresses
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $f
done
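To confirm after a reboot that the values above really took effect, the audit below (an added example, not the page's own script) reads the same /proc/sys files and lists any that are missing or not hardened; it also checks accept_source_route, which the script leaves commented out. The root prefix and the constructed sample tree are assumptions so it can be exercised offline.

```python
import glob
import os
import tempfile

# Files kernel_optimize writes directly, with the value it sets
FIXED = [("proc/sys/net/ipv4/icmp_echo_ignore_broadcasts", "1"),
         ("proc/sys/net/ipv4/tcp_syncookies", "1")]
# Per-interface files under proc/sys/net/ipv4/conf/*/; accept_source_route is
# the one the script leaves commented out, audited here as well
PER_IFACE = [("accept_source_route", "0"), ("accept_redirects", "0"),
             ("send_redirects", "0"), ("rp_filter", "1"), ("log_martians", "1")]

def read_value(path):
    """First token of the file, or None when the file is missing or empty."""
    try:
        with open(path) as fh:
            return fh.read().split()[0]
    except (OSError, IndexError):
        return None

def audit(root="/"):
    """Return [(path, actual, expected)] for every value that is missing or wrong.
    root is a prefix so the audit can run against a constructed copy of /proc;
    on the live host call audit() with the default."""
    checks = [(os.path.join(root, rel), want) for rel, want in FIXED]
    for iface_dir in sorted(glob.glob(os.path.join(root, "proc/sys/net/ipv4/conf/*"))):
        checks += [(os.path.join(iface_dir, name), want) for name, want in PER_IFACE]
    return [(p, got, want) for p, want in checks if (got := read_value(p)) != want]

def _write(path, value):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(value + "\n")

def build_sample_tree():
    """Constructed /proc replica (assumption for offline testing): fully hardened
    except that eth0 still accepts ICMP redirects, the drift the audit should catch."""
    root = tempfile.mkdtemp()
    for rel, val in FIXED:
        _write(os.path.join(root, rel), val)
    for iface in ("all", "default", "eth0", "lo"):
        for name, val in PER_IFACE:
            _write(os.path.join(root, "proc/sys/net/ipv4/conf", iface, name), val)
    _write(os.path.join(root, "proc/sys/net/ipv4/conf/eth0/accept_redirects"), "1")
    return root

if __name__ == "__main__":
    for path, got, want in audit():   # run against the real host
        print("%s = %s (expected %s)" % (path, got, want))
```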
2. Firewall policy: when Postfix was configured to connect to the MySQL database, the user name was postfix and the password was postfix, and there are several similar cases. If someone used a mysql client on another machine to connect to the mail server's MySQL database, they could wipe out every mail account with no effort at all, which would certainly enrage the users! Close this hole right away; here is my firewall policy script:
[root@mailserv2 ~]# more /usr/local/bin/firewall
#!/bin/bash
#this is a common firewall created by 2007-7-29
#define some variables
IPT=/sbin/iptables
CONNECTION_TRACKING="1"
INTERNET="eth0"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"
IPADDR="220.94.58.245"
LOOPBACK_INTERFACE="lo"
#Remove any existing rules
$IPT -F
$IPT -X
#setting default firewall policy
$IPT --policy OUTPUT ACCEPT
$IPT --policy FORWARD DROP
$IPT -P INPUT DROP
#stop firewall
if [ "$1" = "stop" ]
then
#reset the policies to ACCEPT, otherwise the INPUT DROP policy set above
#keeps blocking everything even though the rules were flushed
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
echo "Firewall completely stopped! no firewall running!"
exit 0
fi
#setting for loopback interface
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# Stealth Scans and TCP State Flags
# All of the bits are cleared
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# SYN and FIN are both set
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN and RST are both set
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# FIN and RST are both set
$IPT -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# FIN is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
# PSH is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
# URG is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
# Using Connection State to By-pass Rule Checking
if [ "$CONNECTION_TRACKING" = "1" ]; then
$IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A OUTPUT -m state --state INVALID -j DROP
fi
##################################################################
# Source Address Spoofing and Other Bad Addresses
# Refuse spoofed packets pretending to be from
# the external interface's IP address
$IPT -A INPUT  -i $INTERNET -s $IPADDR -j DROP
# Refuse packets claiming to be from a Class A private network
$IPT -A INPUT  -i $INTERNET -s $CLASS_A -j DROP
# Refuse packets claiming to be from a Class B private network
$IPT -A INPUT  -i $INTERNET -s $CLASS_B -j DROP
# Refuse packets claiming to be from a Class C private network
$IPT -A INPUT  -i $INTERNET -s $CLASS_C -j DROP
$IPT -A INPUT -i $INTERNET -s 0.0.0.0/8 -j DROP
$IPT -A INPUT -i $INTERNET -s 169.254.0.0/16 -j DROP
$IPT -A INPUT -i $INTERNET -s 192.0.2.0/24 -j DROP
###################################################################
#setting access rules
#enable ssh connect
$IPT -A INPUT  -i $INTERNET -p tcp  --dport 22 -j ACCEPT
$IPT -A INPUT  -i $INTERNET -p tcp  --dport 25 -j ACCEPT
$IPT -A INPUT  -i $INTERNET -p tcp  --dport 80 -j ACCEPT
$IPT -A INPUT  -i $INTERNET -p tcp  --dport 110 -j ACCEPT
$IPT -A INPUT  -i $INTERNET -p tcp  --dport 143 -j ACCEPT
$IPT -A INPUT  -i $INTERNET -p tcp  --dport 783 -j ACCEPT
$IPT -A INPUT  -i $INTERNET -p tcp -s 127.0.0.1 --dport 3306 -j ACCEPT
$IPT -A INPUT  -i $INTERNET -p tcp  --dport 5666 -j ACCEPT
$IPT -A INPUT  -i $INTERNET -p tcp  --dport 10024 -j ACCEPT
$IPT -A INPUT  -i $INTERNET -p tcp  --dport 10025 -j ACCEPT
$IPT -A INPUT  -i $INTERNET -p udp  --dport 123 -j ACCEPT
$IPT -A INPUT  -i $INTERNET -p icmp -j ACCEPT
The rule "$IPT -A INPUT -i $INTERNET -p tcp -s 127.0.0.1 --dport 3306 -j ACCEPT" is what keeps outside machines from connecting to the MySQL database: with the INPUT chain's default policy set to DROP, no rule admits port 3306 from any other source. Port 5666 is used by Nagios monitoring. Add the kernel tuning and firewall scripts to /etc/rc.local so they run at boot.
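As an added example (not the author's script), the function below reads rule lines in the form the script uses and reports what an outside host can reach on eth0, separating rules that only accept a loopback source; SAMPLE_RULES is a constructed excerpt with $IPT and $INTERNET substituted, and the iface parameter is an assumption.

```python
import shlex

# Constructed sample: part of the access-rule section of the firewall script
# with $IPT and $INTERNET substituted (not a copy of the whole script)
SAMPLE_RULES = """
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 127.0.0.1 --dport 3306 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 123 -j ACCEPT
iptables -A INPUT -i eth0 -p icmp -j ACCEPT
"""

def parse_rule(line):
    """Options of one 'iptables -A ...' line as a dict, or None for any other line."""
    argv = shlex.split(line)
    if "-A" not in argv:
        return None
    opts, i = {}, 0
    while i < len(argv):
        # an option followed by a non-option token takes that token as its value
        if argv[i].startswith("-") and i + 1 < len(argv) and not argv[i + 1].startswith("-"):
            opts[argv[i]] = argv[i + 1]
            i += 2
        else:
            i += 1
    return opts

def external_exposure(rules, iface="eth0"):
    """Classify INPUT ACCEPT rules on iface into (public, source_restricted, dead).
    public: reachable from any source; source_restricted: gated by -s;
    dead: -s 127.x on a non-loopback interface, which admits nothing because
    loopback-sourced packets are routed only over lo, so on eth0 the rule never
    matches and the INPUT DROP policy is what actually keeps the port closed."""
    public, restricted, dead = [], [], []
    for line in rules.splitlines():
        r = parse_rule(line)
        if not r or r.get("-A") != "INPUT" or r.get("-j") != "ACCEPT" or r.get("-i") != iface:
            continue
        key = "%s/%s" % (r.get("-p", "any"), r.get("--dport", "*"))
        src = r.get("-s")
        if src is None:
            public.append(key)
        elif src.startswith("127."):
            dead.append(key)
        else:
            restricted.append(key)
    return sorted(public), sorted(restricted), sorted(dead)
```

Running external_exposure on the real script's output lists every port reachable from the internet; 3306 lands in the dead list, confirming MySQL is not open externally.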

[root@mailserv2 ~]# more /etc/rc.local
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local
################ normal services ############################
/usr/local/apache/bin/apachectl start
/usr/local/mysql/bin/mysqld_safe --user=mysql &
/usr/local/authlib/sbin/authdaemond start
############## postfix related ##############################
postfix start
/usr/local/imap/sbin/imapd start
################ antivirus and antispam #####################
/usr/bin/spamd --daemonize --pidfile /var/run/spamd.pid
/usr/local/sbin/amavisd start
/usr/local/clamav/sbin/clamd
############### system optimize #############################
/usr/local/bin/kernel_optimize
/usr/local/bin/firewall
################### NRPE nagios remote plugin executor #########
/usr/local/nrpe/bin/nrpe -c /usr/local/nrpe/etc/nrpe.cfg -d

About multiple mail domains and user quotas

Postfix supports multiple mail domains. When creating several mail domains with postfixadmin, remember to add the host (A) records and MX records on the DNS server; with multiple mail domains, several MX records point to the same host IP address.
By default, the "quota" field of the mailbox table in the postfix database is "0", which means a user's mailbox size is 100M. To set users' mailbox size to 500M, connect to the postfix database and change the "quota" field of the mailbox table to "524288000".
mysql> use postfix;
mysql> update mailbox set quota='524288000';
Query OK, 1 row affected (0.03 sec)
Rows matched: 191  Changed: 1  Warnings: 0
Figure 10
Once all of this is done, reboot Linux. Check the process list to confirm that the Postfix-related daemons are running, then send and receive mail with Foxmail, and again through webmail (ExtMail). Although Postfix involves many components, in most cases the log file /var/log/maillog yields very useful information, so from a troubleshooting standpoint Postfix's log file is a great help.
[root@mailserv2 ~]# ps auxww  # partial process snapshot
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
vmail     1481  0.0  1.2  12644  6568 ?        S    Oct03   0:00 /usr/local/apache/bin/httpd -k start
postfix   1622  0.0  0.2   4000  1276 ?        S    Oct02   0:08 anvil -l -t unix -u
vmail     1843  0.0  1.2  12644  6568 ?        S    Oct03   0:00 /usr/local/apache/bin/httpd -k start
root      1972  0.0  0.1   1688   620 ?        Ss   Sep20   2:41 syslogd -m 0
root      1975  0.0  0.0   1644   400 ?        Ss   Sep20   0:01 klogd -x
root      1994  0.0  0.1   5424   984 ?        Ss   Sep20   0:22 /usr/sbin/sshd
ntp       2012  0.0  0.9   4672  4672 ?        SLs  Sep20   0:00 ntpd -u ntp:ntp -p /var/run/ntpd.pid -g
root      2027  0.0  0.2   5224  1104 ?        Ss   Sep20   0:00 crond
root      2042  0.0  0.0   2200   424 ?        Ss   Sep20   0:00 /usr/sbin/atd
root      2050  0.0  1.3  12644  7016 ?        Ss   Sep20   0:00 /usr/local/apache/bin/httpd -k start
root      2056  0.0  0.0   1628   400 ?        S    Sep20   0:18 /usr/local/authlib/sbin/courierlogger -pid=/usr/local/authlib/var/spool/authdaemon/pid -start /usr/local/authlib/libexec/courier-authlib/authdaemond
root      2067  0.0  0.1   2732   848 ?        S    Sep20   0:00 /usr/local/authlib/libexec/courier-authlib/authdaemond
root      2075  0.0  0.1   2776  1008 ?        S    Sep20   0:10 /usr/local/authlib/libexec/courier-authlib/authdaemond
root      2076  0.0  0.1   2776  1008 ?        S    Sep20   0:11 /usr/local/authlib/libexec/courier-authlib/authdaemond
root      2077  0.0  0.1   2776  1008 ?        S    Sep20   0:10 /usr/local/authlib/libexec/courier-authlib/authdaemond
root      2078  0.0  0.1   2776  1008 ?        S    Sep20   0:10 /usr/local/authlib/libexec/courier-authlib/authdaemond
root      2079  0.0  0.1   2776  1008 ?        S    Sep20   0:10 /usr/local/authlib/libexec/courier-authlib/authdaemond
root      2143  0.0  0.2   3972  1244 ?        Ss   Sep20   4:57 /usr/libexec/postfix/master
postfix   2146  0.0  0.2   4040  1308 ?        S    Sep20   1:44 qmgr -l -t fifo -u
root      2153  0.0  0.0   1624   404 ?        S    Sep20   0:00 /usr/local/authlib/sbin/courierlogger -pid=/var/run/imapd.pid -start -name=imapd /usr/local/imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 143 /usr/local/imap/sbin/imaplogin /usr/local/imap/bin/imapd Maildir
root      2154  0.0  0.1   1728   536 ?        S    Sep20   0:00 /usr/local/imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 143 /usr/local/imap/sbin/imaplogin /usr/local/imap/bin/imapd Maildir
root      2159  0.0  0.0   1628   404 ?        S    Sep20   0:03 /usr/local/authlib/sbin/courierlogger -pid=/var/run/pop3d.pid -start -name=pop3d /usr/local/imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 110 /usr/local/imap/sbin/pop3login /usr/local/imap/bin/pop3d Maildir
root      2160  0.0  0.1   1728   536 ?        S    Sep20   0:03 /usr/local/imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 110 /usr/local/imap/sbin/pop3login /usr/local/imap/bin/pop3d Maildir
amavis    2169  0.0 17.2 113196 89072 ?        Ss   Sep20   7:00 /usr/local/clamav/sbin/clamd
root      2251  0.0  0.0   1624   440 tty1     Ss+  Sep20   0:00 /sbin/mingetty tty1
root      2252  0.0  0.0   1624   436 tty2     Ss+  Sep20   0:00 /sbin/mingetty tty2
root      2253  0.0  0.0   1624   440 tty3     Ss+  Sep20   0:00 /sbin/mingetty tty3
root      2254  0.0  0.0   1624   440 tty4     Ss+  Sep20   0:00 /sbin/mingetty tty4
root      2255  0.0  0.0   1624   440 tty5     Ss+  Sep20   0:00 /sbin/mingetty tty5
root      2256  0.0  0.0   1628   444 tty6     Ss+  Sep20   0:00 /sbin/mingetty tty6
root      3626  0.0  0.2   4440  1104 ?        S    Sep20   0:00 /bin/sh /usr/local/mysql/bin/mysqld_safe --user=mysql
mysql     3644  0.0  4.1 133256 21460 ?        Sl   Sep20   8:33 /usr/local/mysql/libexec/mysqld --basedir=/usr/local/mysql --datadir=/usr/local/mysql/var --user=mysql --pid-file=/usr/local/mysql/var/mailserv2.pid --skip-locking
root     12456  0.0  0.4   8272  2504 ?        Ss   20:13   0:00 sshd: root@pts/2
root     12458  0.0  0.2   4624  1456 pts/2    Ss+  20:13   0:00 -bash
amavis   12624  0.0  9.7  59064 50236 ?        Ss   20:21   0:01 amavisd (master)
postfix  14269  0.0  0.2   4132  1460 ?        S    22:07   0:00 trivial-rewrite -n rewrite -t unix -u
amavis   14518  0.0 10.6  63740 54748 ?        S    22:18   0:05 amavisd (ch18-avail)
amavis   14875  0.0 10.4  62724 53768 ?        S    22:43   0:04 amavisd (ch11-avail)
amavis   14883  0.1 10.3  62592 53452 ?        S    22:44   0:04 amavisd (ch14-avail)
root     14890  0.0  0.4   8276  2512 ?        Ss   22:45   0:00 sshd: root@pts/1
root     14892  0.0  0.2   4616  1444 pts/1    Ss   22:45   0:00 -bash
amavis   15160  0.0 10.2  61812 52728 ?        S    22:59   0:02 amavisd (ch5-avail)
amavis   15164  0.1 10.3  62464 53488 ?        S    22:59   0:04 amavisd (ch13-avail)
amavis   15211  0.1 10.3  62020 53060 ?        S    23:03   0:04 amavisd (ch13-avail)
amavis   15292  0.0 10.2  61700 52648 ?        S    23:08   0:02 amavisd (ch7-avail)
amavis   15383  0.1 10.2  62124 52964 ?        S    23:12   0:03 amavisd (ch8-avail)
postfix  15762  0.0  0.4   4520  2300 ?        S    23:40   0:00 smtpd -n smtp -t inet -u
postfix  15865  0.0  0.2   4004  1156 ?        S    23:47   0:00 pickup -l -t fifo -u
root     15941  0.0  0.1   4220   940 pts/1    R+   23:55   0:00 ps auxww
nagios   18752  0.0  0.1   4836   944 ?        Ss   Sep22   0:05 ../bin/nrpe -c nrpe.cfg -d
vmail    24853  0.0  1.2  12644  6664 ?        S    Oct04   0:00 /usr/local/apache/bin/httpd -k start
vmail    24854  0.0  1.2  12644  6596 ?        S    Oct04   0:00 /usr/local/apache/bin/httpd -k start
vmail    24884  0.0  1.2  12644  6568 ?        S    Oct04   0:00 /usr/local/apache/bin/httpd -k start
vmail    24885  0.0  1.3  12780  6696 ?        S    Oct04   0:00 /usr/local/apache/bin/httpd -k start
vmail    24886  0.0  1.2  12644  6568 ?        S    Oct04   0:00 /usr/local/apache/bin/httpd -k start
vmail    24967  0.0  1.2  12644  6596 ?        S    Oct04   0:00 /usr/local/apache/bin/httpd -k start
vmail    24970  0.0  1.2  12644  6552 ?        S    Oct04   0:00 /usr/local/apache/bin/httpd -k start
vmail    28305  0.0  1.3  12788  6724 ?        S    Oct02   0:00 /usr/local/apache/bin/httpd -k start
root     29390  0.0  5.5  33232 28576 ?        Ss   Oct01   0:00 /usr/bin/spamd --daemonize --pidfile /var/run/spamd.pid
root     29392  0.0  5.2  33232 27068 ?        S    Oct01   0:00 spamd child
root     29393  0.0  5.2  33232 26988 ?        S    Oct01   0:00 spamd child
