The Kimsufi Debian 10 template gives problems, so after installing Debian 9:

Log in as root to create a new user, put it in the sudo group, and disable root:

    adduser ignasi
    adduser ignasi sudo
    passwd -l root

Disable root access over ssh by editing /etc/ssh/sshd_config.
Restart ssh with service sshd restart.

Programs I like to install:
--------------------------------

    sudo apt-get install bash-completion htop archivemount deborphan

Next, update the existing files under /etc/apt for the Debian 10 installation, replacing stretch with buster in vi:

    :%s/stretch/buster/g

To upgrade the operating system:

    sudo apt update
    sudo apt full-upgrade

and follow the instructions. Since this is a fresh installation, when it asks whether we want to update certain configuration files, answer yes.

Once upgraded to Debian 10, reboot and run:

    apt-get autoremove
    apt-get clean
    apt-get autoclean

Run deborphan to see which packages could be uninstalled:

    apt-get purge `deborphan --exclude=package_you_want_to_keep`

Install ispconfig3 and preliminary steps
------------------------------------
https://www.howtoforge.com/perfect-server-debian-10-buster-apache-bind-dovecot-ispconfig-3-1/
https://www.howtoforge.com/replacing-amavisd-with-rspamd-in-ispconfig/
https://www.howtoforge.com/tutorial/how-to-install-php-7-for-ispconfig-3-from-debian-packages-on-debian-8-and-9/
https://www.howtoforge.com/how-to-enable-http-2-in-apache/

Password I created for roundcube: G2v7yAd2Z1RQQGHt

Amavis: install the required helper programs
--------------------------------------------------

    sudo apt-get install p7zip p7zip-full unrar-free lrzip rpm2cpio ripole liblz4-tool

Go to /etc/spamassassin/ and add rules in 99-oenus.cf:

    score TO_MALFORMED 3.501
    score FROM_NO_USER 3.900
    score RCVD_IN_RP_RNBL 3.300

Postfwd
--------
Install with apt-get install postfwd
Edit /etc/default/postfwd

Interesting: plugin to block connections from more than N different countries:
https://github.com/Vnet-as/postfwd-anti-geoip-spam-plugin

    apt-get install -y libgeo-ip-perl \
        libtime-piece-perl \
        libconfig-any-perl \
        libdbi-perl \
        libdbd-mysql-perl \
        libdbd-pg-perl \
        libnet-subnet-perl \
        geoip-database \
        libconfig-tiny-perl \
        libconfig-general-perl

Example postfwd config with the plugin enabled:

    ## Definitions ##
    id=R001; sender=~/.*/; action=rate(sender/400/86400/REJECT only 400 messages per day for $$sender)
    id=R002; sender=~/.*/; action=rate(sender/50/3600/REJECT only 50 messages per hour for $$sender)
    id=R003; sender=~/.*/; action=rate(sender/8/300/REJECT only 8 messages every 5 minutes for $$sender)
    id=R004; sender=~/.*/; action=rate(sender/3/60/REJECT only 3 messages every minute for $$sender)

    # Anti spam botnet rule
    # This example shows how to limit e-mail address defined by `sasl_username` to be able to login
    # from max. 5 different countries, otherwise they will be blocked to send messages.
    &&PRIVATE_RANGES { \
        client_address=!!(10.0.0.0/8) ; \
        client_address=!!(172.16.0.0/12) ; \
        client_address=!!(192.168.0.0/16) ; \
    };
    &&LOOPBACK_RANGE { \
        client_address=!!(127.0.0.0/8) ; \
    };

    id=COUNTRY_LOGIN_COUNT ; \
        sasl_username=~^(.+)$ ; \
        &&PRIVATE_RANGES ; \
        &&LOOPBACK_RANGE ; \
        incr_client_country_login_count != 0 ; \
        action=jump(BAN_BOTNET)

    id=BAN_BOTNET ; \
        sasl_username=~^(.+)$ ; \
        &&PRIVATE_RANGES ; \
        &&LOOPBACK_RANGE ; \
        client_uniq_country_login_count > 5 ; \
        action=rate(sasl_username/1/3600/554 Your mail account ($$sasl_username) was compromised. Please change your password immediately after next login.)
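Added example (not from these notes, nor postfwd's or the plugin's own code): a small Python model of how the rules above decide on a message, so the limits can be sanity-checked before deploying them. Rule ids, limits, the excluded ranges and the "> 5 countries" condition are taken from the config; the fixed-window counter behaviour and the sender/country values are constructed assumptions of this model.

```python
import ipaddress
from collections import defaultdict

# rate() rules from the postfwd config above: (rule id, max messages, window in seconds)
RATE_RULES = [("R001", 400, 86400), ("R002", 50, 3600), ("R003", 8, 300), ("R004", 3, 60)]
MAX_COUNTRIES = 5   # BAN_BOTNET fires when client_uniq_country_login_count > 5
# PRIVATE_RANGES and LOOPBACK_RANGE from the config: clients here skip the country rules
EXCLUDED_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

class PostfwdModel:
    """Constructed model of postfwd's rate() counters and the anti-geoip plugin's
    per-account country set. Counters use a fixed window that starts with the
    first request and restarts after <window> seconds (an assumption of this model)."""

    def __init__(self):
        self.windows = {}                   # (rule, key) -> [window_start, count]
        self.countries = defaultdict(set)   # sasl_username -> countries logged in from

    def _rate_exceeded(self, rule, key, limit, window, now):
        start, count = self.windows.get((rule, key), (now, 0))
        if now - start >= window:
            start, count = now, 0           # window elapsed: start a fresh one
        count += 1
        self.windows[(rule, key)] = [start, count]
        return count > limit

    def check(self, sender, sasl_username, country, client_ip, now):
        """Evaluate the rules in order for one message and return the action taken."""
        for rule, limit, window in RATE_RULES:
            if self._rate_exceeded(rule, sender, limit, window, now):
                return f"REJECT {rule}"
        # COUNTRY_LOGIN_COUNT / BAN_BOTNET only apply to authenticated clients
        # that are outside the PRIVATE_RANGES / LOOPBACK_RANGE exclusions
        if not sasl_username or any(ipaddress.ip_address(client_ip) in n for n in EXCLUDED_RANGES):
            return "DUNNO"
        self.countries[sasl_username].add(country)
        if len(self.countries[sasl_username]) > MAX_COUNTRIES:
            # rate(sasl_username/1/3600/554 ...): one message per hour passes, the rest get 554
            if self._rate_exceeded("BAN_BOTNET", sasl_username, 1, 3600, now):
                return "554 account compromised"
        return "DUNNO"
```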
Clamav-daemon
----------------

    sudo apt-get install clamav-unofficial-sigs clamdscan

Install spf
------------
https://help.ubuntu.com/community/Postfix/SPF

    sudo apt-get install postfix-policyd-spf-python

Configure postfix to establish Trusted TLS with Google and Yahoo
------------------------------------------------------------
https://community.letsencrypt.org/t/fix-untrusted-tls-connection-established-with-gmail-yahoo-for-postfix/13265/5

Create dhparams.pem (this will take several minutes) as root:
----------------------------------------------------

    cd /etc/ssl/private
    openssl dhparam -out dhparams.pem 4096

Add parameters to postfix to limit sending messages to too many people at once
----------------------------------------------------------------------------------------

    smtp_destination_concurrency_limit = 2
    smtp_destination_rate_delay = 3s
    smtp_extra_recipient_limit = 10
    smtpd_recipient_limit = 50
    smtpd_recipient_overshoot_limit = 51
    smtpd_hard_error_limit = 20
    smtpd_client_recipient_rate_limit = 50
    smtpd_client_connection_rate_limit = 10
    smtpd_client_message_rate_limit = 100
    default_extra_recipient_limit = 50
    duplicate_filter_limit = 50

Enable Postscreen and make postfix more secure
----------------------------------------------
https://www.howtoforge.com/hardening-postfix-for-ispconfig-3
#http://rob0.nodns4.us/postscreen.html

    ## Before-220 tests
    postscreen_access_list = permit_mynetworks
    postscreen_blacklist_action = drop
    postscreen_dnsbl_action = enforce
    postscreen_dnsbl_sites = zen.spamhaus.org*3
        b.barracudacentral.org*2
        bl.spameatingmonkey.net*2
        bl.spamcop.net
        dnsbl.sorbs.net
        psbl.surriel.com
        bl.mailspike.net
        list.dnswl.org=127.0.[0..255].0*-2
        list.dnswl.org=127.0.[0..255].1*-3
        list.dnswl.org=127.0.[0..255].[2..3]*-4
        #swl.spamhaus.org*-4
    postscreen_dnsbl_threshold = 3
    postscreen_greet_action = enforce
    postscreen_whitelist_interfaces = 207.223.116.211 !207.223.116.208/29 !216.23.247.72/29
        static:all
    #### This is the killer feature of Postfix 2.11 and later, which
    #### removes most of the pain associated with the after-220 tests, q.v.
    #### When a connecting host is at or below this score, the after-220
    #### tests are bypassed.
    postscreen_dnsbl_whitelist_threshold = -1
    #### End of before-220 tests

    #### After-220 tests
    #### WARNING -- See "Tests after the 220 SMTP server greeting" in the
    #### Postscreen Howto and *UNDERSTAND* it *BEFORE* you enable the
    #### following tests!
    postscreen_bare_newline_action = enforce
    postscreen_bare_newline_enable = yes
    postscreen_non_smtp_command_enable = yes
    postscreen_pipelining_enable = yes

and in master.cf:

    #smtp      inet  n       -       y       -       -       smtpd
    smtp      inet  n       -       y       -       1       postscreen
    smtpd     pass  -       -       y       -       -       smtpd
    dnsblog   unix  -       -       y       -       0       dnsblog
    tlsproxy  unix  -       -       y       -       0       tlsproxy
    #submission inet n       -       y       -       -       smtpd
    #  -o syslog_name=postfix/submission
    #  -o smtpd_tls_security_level=encrypt
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=
    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
    #smtps     inet  n       -       y       -       -       smtpd
    #  -o syslog_name=postfix/smtps
    #  -o smtpd_tls_wrappermode=yes
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=
    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
    #628       inet  n       -       y       -       -       qmqpd
    ...
    ...
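Added example (not from these notes nor Postfix's code): a Python model of the before-220 DNSBL scoring configured above, to check what a given set of DNSBL/DNSWL answers does to a client under threshold 3 and whitelist threshold -1. The site list and thresholds are copied from the config; the sample DNS replies are constructed, and treating each matching entry as adding its weight once is an assumption of this model.

```python
import re
# Value of postscreen_dnsbl_sites from the notes above (copied here so the example runs offline)
DNSBL_SITES = """
zen.spamhaus.org*3 b.barracudacentral.org*2 bl.spameatingmonkey.net*2 bl.spamcop.net
dnsbl.sorbs.net psbl.surriel.com bl.mailspike.net list.dnswl.org=127.0.[0..255].0*-2
list.dnswl.org=127.0.[0..255].1*-3 list.dnswl.org=127.0.[0..255].[2..3]*-4
"""
DNSBL_THRESHOLD = 3        # postscreen_dnsbl_threshold
WHITELIST_THRESHOLD = -1   # postscreen_dnsbl_whitelist_threshold
def _reply_filter(pattern):
    """'127.0.[0..255].[2..3]' -> list of (lo, hi) per octet; '' means any A reply counts."""
    if not pattern:
        return None
    octets = []
    for tok in re.findall(r"\[\d+\.\.\d+\]|\d+", pattern):
        m = re.fullmatch(r"\[(\d+)\.\.(\d+)\]", tok)
        octets.append((int(m[1]), int(m[2])) if m else (int(tok), int(tok)))
    return octets

def parse_sites(text):
    """Parse 'domain[=d.d.d.d][*weight]' entries; the weight defaults to 1."""
    entries = []
    for token in text.split():
        weight = 1
        if "*" in token:
            token, w = token.split("*", 1)
            weight = int(w)
        domain, _, pattern = token.partition("=")
        entries.append((domain, _reply_filter(pattern), weight))
    return entries

def dnsbl_score(entries, replies):
    """replies: {dnsbl domain: [A records returned for the client IP]}. Each entry whose
    filter matches a reply from its domain adds its weight once (negative for whitelists)."""
    score = 0
    for domain, filt, weight in entries:
        for reply in replies.get(domain, []):
            octets = [int(x) for x in reply.split(".")]
            if filt is None or all(lo <= v <= hi for (lo, hi), v in zip(filt, octets)):
                score += weight
                break
    return score

def verdict(score):
    """What postscreen does with the before-220 score under the settings above."""
    if score >= DNSBL_THRESHOLD:
        return "reject"            # postscreen_dnsbl_action = enforce
    if score <= WHITELIST_THRESHOLD:
        return "whitelist"         # after-220 tests are bypassed
    return "after-220 tests"
```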
SRS: postsrsd
-------------

    sudo apt-get install postsrsd
    sudo systemctl enable postsrsd

in main.cf:

    sender_canonical_maps = tcp:localhost:10001
    sender_canonical_classes = envelope_sender
    recipient_canonical_maps = tcp:localhost:10002
    recipient_canonical_classes = envelope_recipient,header_recipient
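Added example (not from these notes nor postsrsd's code): a Python sketch of the SRS0 rewrite that the two tcp: maps above perform, forward on the envelope sender and reverse (with hash verification) on the recipient, so you can see why a forwarded bounce still passes SPF. The secret, domains and addresses are constructed; hashing timestamp+domain+local lowercased with HMAC-SHA1 and keeping 4 base64 chars follows libsrs2 as I recall it, and SRS1 re-forwarding is left out.

```python
import base64
import hashlib
import hmac
import time

SRS_B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
SECRET = b"constructed-demo-secret"   # postsrsd reads its real secret from its own secret file

def srs_timestamp(days):
    """Two base32 chars encoding (days since epoch) mod 1024, as SRS does."""
    days %= 1024
    return SRS_B32[days >> 5] + SRS_B32[days & 31]

def srs_hash(timestamp, domain, local):
    """HMAC-SHA1 over timestamp+domain+local (lowercased, libsrs2 style), base64, first 4 chars."""
    data = (timestamp + domain + local).lower().encode()
    return base64.b64encode(hmac.new(SECRET, data, hashlib.sha1).digest())[:4].decode()

def srs_forward(address, forwarder_domain, days=None):
    """Rewrite local@domain to SRS0=HHHH=TT=domain=local@forwarder_domain (sender_canonical_maps)."""
    local, _, domain = address.rpartition("@")
    if domain.lower() == forwarder_domain.lower() or local.startswith("SRS0="):
        return address   # own domain, or already rewritten (SRS1 handling omitted in this sketch)
    ts = srs_timestamp(int(time.time() // 86400) if days is None else days)
    return f"SRS0={srs_hash(ts, domain, local)}={ts}={domain}={local}@{forwarder_domain}"

def srs_reverse(address):
    """Undo the rewrite (recipient_canonical_maps); None if the hash does not verify."""
    local, _, _ = address.rpartition("@")
    if not local.startswith("SRS0="):
        return None
    try:
        _, h, ts, domain, orig_local = local.split("=", 4)
    except ValueError:
        return None
    if not hmac.compare_digest(h.lower(), srs_hash(ts, domain, orig_local).lower()):
        return None  # forged or foreign SRS address: do not bounce it back anywhere
    return f"{orig_local}@{domain}"
```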