破的記事本 Blog

Archive for the month “October 2011”

iptables.rule

#!/bin/bash

iptables -F
iptables -X
iptables -Z
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -i eth0 -p icmp -j ACCEPT
iptables -A INPUT -i eth0 -p TCP --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p TCP --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p UDP --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p TCP --dport 80 -j ACCEPT

MIME encoding and decoding

yum install xemacs
cp /usr/lib/xemacs-21.5-b29/i386-redhat-linux/mmencode /usr/bin/

BASE64 (encodes mail into 7 bits)
echo "大奶妹" | mmencode  ->  5aSn5aW25aa5Cg==
BASE64 decoding
echo "5aSn5aW25aa5Cg==" | mmencode -u  ->  大奶妹

QP (converts 8-bit mail to 7 bits)
echo "援交" | mmencode -q  ->  =E6=8F=B4=E4=BA=A4
QP decoding
echo "=E6=8F=B4=E4=BA=A4" | mmencode -u -q  ->  援交
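The same two encodings in Python, as an added example that is not from the original post, so the mmencode results above can be reproduced and checked offline: quoted-printable is written by hand to show the =XX and soft line-break rules, Base64 uses the standard library.

```python
import base64

# Quoted-printable as mmencode -q produces it: printable ASCII (except '=')
# stays literal, every other byte becomes =XX, and output lines are kept to
# 76 columns with a trailing '=' soft line break. Spaces are always written
# as =20, which RFC 2045 allows and sidesteps the trailing-whitespace rule.
def qp_encode(text: str, max_line: int = 76) -> str:
    out, col = [], 0
    for b in text.encode("utf-8"):
        if b == 0x0A:                        # hard line break passes through
            out.append("\n")
            col = 0
            continue
        tok = chr(b) if 33 <= b <= 126 and b != 0x3D else f"={b:02X}"
        if col + len(tok) > max_line - 1:    # keep room for the soft-break '='
            out.append("=\n")
            col = 0
        out.append(tok)
        col += len(tok)
    return "".join(out)

def qp_decode(data: str) -> str:
    buf, i = bytearray(), 0
    while i < len(data):
        if data.startswith("=\n", i):        # soft line break: drop it
            i += 2
        elif data[i] == "=":                 # =XX hex-encoded byte
            buf.append(int(data[i + 1:i + 3], 16))
            i += 3
        else:                                # literal 7-bit character
            buf.append(ord(data[i]))
            i += 1
    return buf.decode("utf-8")

def b64_encode(text: str) -> str:
    return base64.b64encode(text.encode("utf-8")).decode("ascii")

def b64_decode(data: str) -> str:
    return base64.b64decode(data).decode("utf-8")

if __name__ == "__main__":
    # echo appends a newline, which is why the page's Base64 ends in "Cg=="
    print(b64_encode("大奶妹\n"))   # 5aSn5aW25aa5Cg==
    print(qp_encode("援交"))        # =E6=8F=B4=E4=BA=A4
```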

procmail reference sites
http://fireflybug.blog.ithome.com.tw/post/3966/105601
http://netlab.cse.yzu.edu.tw/~statue/freebsd/zh-tut/procmail.html

YUM repositories for RHEL-based systems

EPEL
http://www.fedora.redhat.com/
http://download.fedora.redhat.com/pub/

Repoforge (RPMforge)
http://repoforge.org/

SSL X.509

http://www.imacat.idv.tw/tech/sslcerts.html

CentOS wiki

http://wiki.centos.org/zh-tw/HowTos

Postfix SSL SMTP use Cyrus SASL

For creating the certificate, see "Postfix SSL POP3 use Dovecot" below.
Concatenate cert.pem and private.pem into server.pem and place it under /etc/postfix/:
cat /etc/pki/dovecot/certs/cert.pem /etc/pki/dovecot/private/private.pem > /etc/postfix/server.pem
——————————————————————————————
vi /etc/postfix/main.cf
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/postfix/server.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_enforce_tls = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes 

smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  permit_tls_clientcerts,    (add this line)
  reject_unauth_destination
——————————————————————————————
vi /etc/postfix/master.cf (just remove the leading # from the following lines)
smtps inet n - n - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
——————————————————————————————
Test that SMTP SSL/TLS works (the lines typed by hand are "telnet localhost 25", "ehlo localhost" and "starttls"; everything else is server output)
telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 cs6.aaazzz.com ESMTP Postfix
ehlo localhost
250-cs6.aaazzz.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
starttls
220 2.0.0 Ready to start TLS    (this line must appear)
——————————————————————————————
User mail client settings

Postfix SSL POP3 use Dovecot

yum install openssl
vi /etc/dovecot/conf.d/10-auth.conf
disable_plaintext_auth = yes
auth_mechanisms = plain
vi /etc/dovecot/conf.d/10-ssl.conf
ssl = yes
ssl_cert = </etc/pki/dovecot/certs/cert.pem
ssl_key = </etc/pki/dovecot/private/private.pem
——————————————————————————————
Create the certificate (download the related files from the Dovecot website)
http://wiki2.dovecot.org/SSL/CertificateCreation
vi /etc/pki/dovecot/dovecot-openssl.cnf
Edit the contents to match your environment:
[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
[ req_dn ]
C=TW
ST=Taiwan
L=Taipei
O=aaazzz.com
OU=cs6
CN=aaazzz.com    (must match the SMTP and POP3 server names in the users' mail client settings)
emailAddress=xxxxxx@aaazzz.com
[ cert_type ]
nsCertType = server
——————————————————————————————
vi /etc/pki/dovecot/mkcert.sh
CERTFILE=$CERTDIR/cert.pem
KEYFILE=$KEYDIR/private.pem
SSLDIR=${SSLDIR-/etc/pki/dovecot}    (check the path)
-days 365 can be changed to 36500, i.e. a certificate valid for 100 years
——————————————————————————————
Run the certificate creation script /etc/pki/dovecot/mkcert.sh
Check that cert.pem and private.pem were created under /etc/pki/dovecot/certs and /etc/pki/dovecot/private
——————————————————————————————
Convert the PEM files to the PKCS#12 format that MS Windows recognises
openssl pkcs12 -export -in /etc/pki/dovecot/certs/cert.pem \
  -out /etc/pki/dovecot/server.p12 -name "Mail Certificate" \
  -inkey /etc/pki/dovecot/private/private.pem
——————————————————————————————
Send the exported server.p12 to the users to install.
Note that the SMTP and POP3 server names in the users' mail client settings
must match the CN= in dovecot-openssl.cnf.
——————————————————————————————
User mail client server settings
POP3 secure connection - tick SSL
——————————————————————————————
Capturing the mail traffic with Wireshark
The content now appears as garbage, since it is encrypted

CentOS 6.0 Postfix integrated with Windows 2008 AD and a live address book

CentOS 6.0
——————————————————————————————
yum install the following packages:
samba
samba-winbind
krb5
pam
oddjob
postfix
dovecot
saslauthd
——————————————————————————————
After the CentOS 6.0 network setup is complete:
vi /etc/hosts
vi /etc/resolv.conf
service iptables stop
service ip6tables stop
chkconfig iptables off
chkconfig ip6tables off
X-Windows > System > Administration > SELinux Management > Disabled
X-Windows > System > Administration > Authentication > configure, then Apply
——————————————————————————————
Configure Samba and Winbind
vi /etc/samba/smb.conf
[global]
netbios name = cs6
workgroup = aaazzz
realm = AAAZZZ.COM
security = ads
encrypt passwords = yes
password server = ad8.aaazzz.com
wins server = 172.16.1.11
winbind use default domain = yes
winbind offline logon = false
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 300
idmap uid = 100000 - 200000
idmap gid = 100000 - 200000
template homedir = /home/%D/%U
template shell = /bin/bash
obey pam restrictions = yes
[homes]
comment = Home Directories
browseable = no
writable = yes
valid users = MYDOMAIN\%S
——————————————————————————————
/etc/pam.d/...
/etc/nsswitch.conf
/etc/login.defs
all left at their defaults
——————————————————————————————
Configure Kerberos (only the realm and KDC entries were changed; everything else is left at default)
vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = AAAZZZ.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
AAAZZZ.COM = {
  kdc = AD8.AAAZZZ.COM
  admin_server = AD8.AAAZZZ.COM
}
[domain_realm]
.aaazzz.com = AAAZZZ.COM
aaazzz.com = AAAZZZ.COM
——————————————————————————————
vi /var/kerberos/krb5kdc/kadm5.acl
*/administrator@AAAZZZ.COM      *
——————————————————————————————
vi /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
AAAZZZ.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
——————————————————————————————
Configure Dovecot
vi /etc/dovecot/conf.d/10-auth.conf
disable_plaintext_auth = yes
auth_mechanisms = plain
!include auth-system.conf.ext
——————————————————————————————
vi /etc/dovecot/conf.d/auth-system.conf.ext
passdb {
  driver = pam
}
userdb {
}
——————————————————————————————
vi /etc/dovecot/conf.d/10-mail.conf
mail_location = maildir:~/Maildir
—————————————————————————————— 
In addition to the basic Postfix settings, add the following:
vi /etc/postfix/main.cf
home_mailbox = Maildir/
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination
——————————————————————————————
After configuring, start the services:
service smb restart
service winbind restart
service oddjobd restart
service postfix restart
service dovecot restart
service saslauthd restart
chkconfig smb on
chkconfig winbind on
chkconfig oddjobd on
chkconfig postfix on
chkconfig dovecot on
chkconfig saslauthd on
——————————————————————————————
Join the domain and obtain a Kerberos ticket (the Windows 2008 domain must already exist)
kinit administrator@AAAZZZ.COM
klist    (view the ticket)
net ads join -U administrator    join the domain (check that the cs6 computer object appears in AD)
——————————————————————————————
Get the domain user accounts
wbinfo -u
getent passwd    (the domain user accounts must appear)
——————————————————————————————
Windows 2008 AD (DNS and WINS both installed)
Open Active Directory Users and Computers > View > Advanced Features
Create any user, then right-click the user > Properties > Attribute Editor
displayName > enter the name to show in the address book
mail > enter the email address
——————————————————————————————
Outlook 2003 or 2010
Add a directory or address book > Internet Directory Service (LDAP)
(in Outlook 2010, tick Enable Browsing)
Opening the address book now shows the live address book
——————————————————————————————
Because automatic home directory creation by Dovecot was not sorted out,
the user must first connect from their PC to the CentOS server (\\CentOS_server), which creates the home directory automatically,
or a Windows 2008 GPO can map a network drive at user logon:
net use z: \\cs6\public    (the share must be defined in smb.conf)
net use y: \\cs6\%username%
