Building a mail server on an intranet with unbound + opensmtpd
In place of NSD, the proper authoritative name server, unbound, which was born as a caching server, is used here as a simple stand-in authoritative server.
(http://gihyo.jp/admin/feature/01/unbound/0001)
The overall layout is:

internet
   |
   |
wifi router (dhcpd)
   |
   |
run0: dhcpcd
<openbsd (opensmtpd + dovecot + dhcpd server)>
bge0: 192.168.11.1
   |
   |
fxp0: dhcp
<LINUX thunderbird>

1) setting of openbsd server

a) about dhcpd

/etc/dhcpd.interfaces
-------------------------
bge0

/etc/dhcpd.conf
-------------------------
option domain-name-servers 192.168.11.1;

subnet 192.168.11.0 netmask 255.255.255.0 {
    option routers 192.168.11.1;
    range 192.168.11.50 192.168.11.57;
}

b) /etc/hosts
-------------------------
127.0.0.1       localhost
::1             localhost
192.168.100.101 aoiyuma.mydns.jp
192.168.11.1    server.home

/etc/myname
-------------------------
aoiyuma.mydns.jp

c) dovecot -n
--------------------------
# 2.2.15: /etc/dovecot/dovecot.conf
# OS: OpenBSD 5.7 i386
auth_mechanisms = plain login
disable_plaintext_auth = no
first_valid_uid = 1000
imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags
listen = *
mail_location = maildir:~/Maildir
mbox_write_locks = fcntl
mmap_disable = yes
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = bsdauth
}
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
protocols = imap
ssl_cert = </etc/ssl/dovecotcert.pem
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
  driver = passwd
}

/etc/dovecot/dovecot.conf
------------------------
protocols = imap
listen = *
!include conf.d/*.conf

/etc/dovecot/conf.d/10-mail.conf
-------------------------
mail_location = maildir:~/Maildir
namespace inbox {
  inbox = yes
}
mmap_disable = yes
first_valid_uid = 1000
mail_plugin_dir = /usr/local/lib/dovecot
mbox_write_locks = fcntl

/etc/dovecot/conf.d/10-master.conf
----------------------------------
service imap-login {
  inet_listener imap {
  }
  inet_listener imaps {
  }
}
service pop3-login {
  inet_listener pop3 {
  }
  inet_listener pop3s {
  }
}
service lmtp {
  unix_listener lmtp {
  }
}
service imap {
}
service pop3 {
}
service auth {
  unix_listener auth-userdb {
  }
}
service auth-worker {
}
service dict {
  unix_listener dict {
  }
}

/etc/dovecot/conf.d/10-auth.conf
--------------------------------
auth_mechanisms = plain login
!include auth-system.conf.ext
disable_plaintext_auth = no

/etc/dovecot/conf.d/10-ssl.conf
--------------------------------
ssl = yes
ssl_cert = </etc/ssl/dovecotcert.pem
ssl_key = </etc/ssl/private/dovecot.pem

d) The OpenBSD server first runs dhcpcd under the wifi router (dhcpd), so /etc/hostname.run0 is:

/etc/hostname.run0
------------------
nwid URoad-662EA0 wpakey 04607271
dhcp

but when I start OpenBSD as the server, I run the following script.
mail-server.bat
------------------------------------------------
cp /etc/resolv.conf-127 /etc/resolv.conf
cp /etc/hostname.run0-fix /etc/hostname.run0
/etc/rc.d/unbound restart
/etc/rc.d/smtpd restart
/etc/rc.d/dovecot restart

/etc/resolv.conf-127
----------------------------
nameserver 127.0.0.1

/etc/hostname.run0-fix
-----------------------
inet 192.168.100.101 255.255.255.0
e) UNBOUND

/var/unbound/etc/unbound.conf
-------------------------------
server:
    interface: 127.0.0.1
    interface: ::1
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::0/0 refuse
    access-control: ::1 allow
    hide-identity: yes
    hide-version: yes
    interface: 192.168.11.1
    access-control: 192.168.11.0/24 allow
    local-zone: "home." static
    local-data: "server.home. IN A 192.168.11.1"
    local-data: "kerai.home. IN A 192.168.11.50"
    local-data-ptr: "192.168.11.1 server.home."
    local-data-ptr: "192.168.11.50 kerai.home."
    local-data: "home. IN MX 10 server.home."
    local-data-ptr: "192.168.11.1 server.home."
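As an added check (example code, not part of the original post), the following Python script parses the local-zone, local-data and local-data-ptr lines of the unbound.conf above and reports anything that would break intranet mail delivery: a zone type other than static (which would let queries for unknown home. names recurse to the upstream resolver), an MX whose target has no A record, or A/PTR pairs that do not match. The embedded configuration is a constructed copy of the relevant lines above.

```python
import re

# Constructed copy of the local-zone lines from the unbound.conf above
# (added example, not part of the original post).
UNBOUND_CONF = """
server:
    local-zone: "home." static
    local-data: "server.home. IN A 192.168.11.1"
    local-data: "kerai.home. IN A 192.168.11.50"
    local-data-ptr: "192.168.11.1 server.home."
    local-data-ptr: "192.168.11.50 kerai.home."
    local-data: "home. IN MX 10 server.home."
"""

def parse_local_zone(conf):
    """Collect zone types, A records, PTR records and MX targets."""
    zones, a, ptr, mx = {}, {}, {}, {}
    for line in conf.splitlines():
        line = line.strip()
        if m := re.match(r'local-zone:\s+"([^"]+)"\s+(\S+)', line):
            zones[m.group(1).lower()] = m.group(2)
        elif m := re.match(r'local-data:\s+"(\S+)\s+IN\s+A\s+(\S+)"', line):
            a[m.group(1).lower()] = m.group(2)
        elif m := re.match(r'local-data:\s+"(\S+)\s+IN\s+MX\s+\d+\s+(\S+)"', line):
            mx[m.group(1).lower()] = m.group(2).lower()
        elif m := re.match(r'local-data-ptr:\s+"(\S+)\s+(\S+)"', line):
            ptr[m.group(1)] = m.group(2).lower()
    return zones, a, ptr, mx

def check_zone(conf):
    """Return a list of problems; an empty list means the zone is consistent."""
    zones, a, ptr, mx = parse_local_zone(conf)
    problems = []
    for zone, ztype in zones.items():
        # "static" answers NXDOMAIN for unknown names in the zone instead of
        # recursing, so intranet-only names never leak to an upstream resolver.
        if ztype != "static":
            problems.append(f"zone {zone} is {ztype}, expected static")
    for name, target in mx.items():
        if target not in a:  # smtpd resolves the MX target to an address next
            problems.append(f"MX target {target} for {name} has no A record")
    for name, ip in a.items():
        if ptr.get(ip) != name:
            problems.append(f"no matching PTR for {name} -> {ip}")
    for ip, name in ptr.items():
        if a.get(name) != ip:
            problems.append(f"PTR {ip} -> {name} has no matching A record")
    return problems
```

Running `check_zone(UNBOUND_CONF)` on the configuration above returns an empty list; change the zone type or drop a PTR line and the corresponding problem is reported.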
2) linux thunderbird
smtp
server name : server.home
port 25
authentication method: password, transmitted insecurely
connection security: none
imap
server name : server.home
port 143
authentication method: normal password
connection security: STARTTLS
X) in this setting
I send mail to X@server.home and receive mail from X@server.home.
but
I cannot send mail from Y@gmx.com to X@server.home
and
I cannot send mail from X@server.home to Y@gmx.com.
This is a safe setting, considering viruses from the internet.
When I want to send or receive mail with Z@gmail.com, I use Y@gmx.com.
Furthermore, if /etc/pf.conf is set up as follows:
ext_if="run0"
int_if="bge0"
tcp_services="{ 22, 80 }"
icmp_types="echoreq"
set block-policy return
set loginterface $ext_if
set skip on lo
match out on $ext_if inet from ($int_if:network) to any nat-to ($ext_if:0)
set reassemble yes no-df
block in log
pass out quick
antispoof quick for { lo $int_if }
pass in on $ext_if inet proto tcp from any to ( $ext_if:0 ) port $tcp_services
pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if
mail from outside will no longer come in, even via gmx.com.
However, you can still send confidential mail to @internet.com via gmx.com.
Of course, with
ext_if="run0"
int_if="bge0"
tcp_services="{ 22, 80 }"
icmp_types="echoreq"
set block-policy return
set loginterface $ext_if
set skip on lo
### match out on $ext_if inet from ($int_if:network) to any nat-to ($ext_if:0)
set reassemble yes no-df
block in log
pass out quick
antispoof quick for { lo $int_if }
pass in on $ext_if inet proto tcp from any to ( $ext_if:0 ) port $tcp_services
pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if
mail can no longer be sent from inside the intranet either, but the web also becomes unreachable.
Still, given that webmail exists, it may be necessary to go this far.