After installing ispconfig3:

Configure the admin panel: change the admin settings, mail, ...

Log in as root to create a new user, put it in the sudo group, and disable root:
    adduser ignasi
    adduser ignasi sudo
    passwd -l root

Disable root access over ssh by editing /etc/ssh/sshd_config (PermitRootLogin no)
Restart ssh with: service sshd restart

Programs I like to install:
--------------------------------
sudo apt-get install bash-completion htop archivemount

**********************************************************************
THE NEXT TWO STEPS MUST BE DONE NOW IF YOU WANT TO INSTALL JAILKIT AND POSTGREY, BECAUSE THE ISPCONFIG RECONFIGURATION REWRITES POSTFIX'S main.cf

Change the MySQL root user's password
------------------------------------------
Not required, but I don't like keeping the original passwords that came with the installation.
You can do it with phpmyadmin.

Install jailkit
----------------
https://www.howtoforge.com/community/threads/install-jailkit-after-ispconfig.50219/
https://www.howtoforge.com/tutorial/perfect-server-ubuntu-18.04-with-apache-php-myqsl-pureftpd-bind-postfix-doveot-and-ispconfig/2/#g0.0.19
sudo apt install ./jailkit_2.19-1_amd64.deb

Install postgrey
-----------------
https://git.ispconfig.org/ispconfig/ispconfig3/issues/4410
https://www.howtoforge.com/community/threads/greylisting.80271/
sudo apt-get install postgrey

Update ispconfig
--------------------
Remember: once jailkit and postgrey are installed, ispconfig3 has to be updated. If necessary, download ispconfig3 and run the update.php script with service reconfiguration.
**********************************************************************

Amavis: install the helper programs it needs:
--------------------------------------------------
sudo apt-get install p7zip p7zip-full unrar-free lrzip rpm2cpio ripole liblz4-tool

Go to /etc/spamassassin/conf.d and add rules in 99-oenus.cf:
    score TO_MALFORMED 3.501
    score FROM_NO_USER 3.900
    score RCVD_IN_RP_RNBL 3.300

Install policyd-rate-limit (if you are not going to use postfwd, see below)
---------------------------
sudo apt-get install policyd-rate-limit python3-yaml
https://pypi.org/project/policyd-rate-limit/
Edit the configuration file, add rules, and configure the e-mail reports.
Add to smtpd_recipient_restrictions:
    check_policy_service { unix:ratelimit/policy, default_action=DUNNO }, ...
add it to cron... see the docs

Postfwd
--------
Install with: apt-get install postfwd
Edit /etc/default/postfwd

Interesting: a plugin to block logins from more than N different countries:
https://github.com/Vnet-as/postfwd-anti-geoip-spam-plugin
apt-get install -y libgeo-ip-perl \
    libtime-piece-perl \
    libconfig-any-perl \
    libdbi-perl \
    libdbd-mysql-perl \
    libconfig-tiny-perl \
    libconfig-general-perl

Example postfwd config with the plugin enabled:

## Definitions ##
id=R001; sender=~/.*/; action=rate(sender/400/86400/REJECT only 400 messages per day for $$sender)
id=R002; sender=~/.*/; action=rate(sender/50/3600/REJECT only 50 messages per hour for $$sender)
id=R003; sender=~/.*/; action=rate(sender/8/300/REJECT only 8 messages every 5 minutes for $$sender)
id=R004; sender=~/.*/; action=rate(sender/3/60/REJECT only 3 messages every minute for $$sender)

# Anti spam botnet rule
# This example shows how to limit e-mail address defined by `sasl_username` to be able to login from max. 5 different countries, otherwise they will be blocked to send messages.
&&PRIVATE_RANGES { \
    client_address=!!(10.0.0.0/8) ; \
    client_address=!!(172.16.0.0/12) ; \
    client_address=!!(192.168.0.0/16) ; \
};

&&LOOPBACK_RANGE { \
    client_address=!!(127.0.0.0/8) ; \
};

id=COUNTRY_LOGIN_COUNT ; \
    sasl_username=~^(.+)$ ; \
    &&PRIVATE_RANGES ; \
    &&LOOPBACK_RANGE ; \
    incr_client_country_login_count != 0 ; \
    action=jump(BAN_BOTNET)

id=BAN_BOTNET ; \
    sasl_username=~^(.+)$ ; \
    &&PRIVATE_RANGES ; \
    &&LOOPBACK_RANGE ; \
    client_uniq_country_login_count > 5 ; \
    action=rate(sasl_username/1/3600/554 Your mail account ($$sasl_username) was compromised. Please change your password immediately after next login.)

Install spf
------------
https://help.ubuntu.com/community/Postfix/SPF
sudo apt-get install postfix-policyd-spf-python

Configure postfix to establish Trusted TLS with Google and Yahoo
------------------------------------------------------------
https://community.letsencrypt.org/t/fix-untrusted-tls-connection-established-with-gmail-yahoo-for-postfix/13265/5

Create dhparams.pem (this takes several minutes) as root:
----------------------------------------------------
cd /etc/ssl/private
openssl dhparam -out dhparams.pem 4096

Add parameters to postfix to limit sending to too many recipients at once
----------------------------------------------------------------------------------------
smtp_destination_concurrency_limit = 2
smtp_destination_rate_delay = 3s
smtp_extra_recipient_limit = 10
smtpd_recipient_limit = 50
smtpd_recipient_overshoot_limit = 51
smtpd_hard_error_limit = 20
smtpd_client_recipient_rate_limit = 50
smtpd_client_connection_rate_limit = 10
smtpd_client_message_rate_limit = 100
default_extra_recipient_limit = 50
duplicate_filter_limit = 50

Enable Postscreen and make postfix more secure
----------------------------------------------
https://www.howtoforge.com/hardening-postfix-for-ispconfig-3
#http://rob0.nodns4.us/postscreen.html

## Before-220 tests
postscreen_access_list = permit_mynetworks
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*3
    b.barracudacentral.org*2
    bl.spameatingmonkey.net*2
    bl.spamcop.net
    dnsbl.sorbs.net
    psbl.surriel.com
    bl.mailspike.net
    list.dnswl.org=127.0.[0..255].0*-2
    list.dnswl.org=127.0.[0..255].1*-3
    list.dnswl.org=127.0.[0..255].[2..3]*-4
#swl.spamhaus.org*-4
postscreen_dnsbl_threshold = 3
postscreen_greet_action = enforce
postscreen_whitelist_interfaces = 207.223.116.211 !207.223.116.208/29 !216.23.247.72/29 static:all
#### This is the killer feature of Postfix 2.11 and later, which
#### removes most of the pain associated with the after-220 tests, q.v.
#### When a connecting host is at or below this score, the after-220
#### tests are bypassed.
postscreen_dnsbl_whitelist_threshold = -1
#### End of before-220 tests

#### After-220 tests
#### WARNING -- See "Tests after the 220 SMTP server greeting" in the
#### Postscreen Howto and *UNDERSTAND* it *BEFORE* you enable the
#### following tests!
postscreen_bare_newline_action = enforce
postscreen_bare_newline_enable = yes
postscreen_non_smtp_command_enable = yes
postscreen_pipelining_enable = yes

and in master.cf:

#smtp      inet  n       -       y       -       -       smtpd
smtp      inet  n       -       y       -       1       postscreen
smtpd     pass  -       -       y       -       -       smtpd
dnsblog   unix  -       -       y       -       0       dnsblog
tlsproxy  unix  -       -       y       -       0       tlsproxy
#submission inet n       -       y       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       y       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       y       -       -       qmqpd
...
...
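An added worked example, not part of the original notes: a small POSIX sh script that reproduces the weighted DNSBL arithmetic behind the postscreen_dnsbl_sites list and the two thresholds configured above. The three clients and their DNSBL answers are constructed, and the dnsbl_weight, score_dnsbl and postscreen_verdict helpers are mine; they show what a given combination of listings leads to (reject, pass on to the after-220 tests, or skip them because of a negative dnswl weight) without touching the live server.

```sh
#!/bin/sh
# Added example: offline scoring of DNSBL answers with the postscreen weights
# from main.cf above. Nothing here queries DNS; the answers are constructed.

# Weight of one DNSBL answer, mirroring postscreen_dnsbl_sites.
# $1 = zone that answered, $2 = A record it returned (only dnswl looks at it).
dnsbl_weight() {
  case "$1" in
    zen.spamhaus.org) printf '%s\n' 3 ;;
    b.barracudacentral.org|bl.spameatingmonkey.net) printf '%s\n' 2 ;;
    bl.spamcop.net|dnsbl.sorbs.net|psbl.surriel.com|bl.mailspike.net) printf '%s\n' 1 ;;
    list.dnswl.org)
      # dnswl encodes the trust level in the last octet: 127.0.X.{0,1,2,3}
      case "$2" in
        127.0.*.0) printf '%s\n' -2 ;;
        127.0.*.1) printf '%s\n' -3 ;;
        127.0.*.2|127.0.*.3) printf '%s\n' -4 ;;
        *) printf '%s\n' 0 ;;
      esac ;;
    *) printf '%s\n' 0 ;;   # zones not in the list (e.g. the commented-out swl) add nothing
  esac
}

# Sum the weights of all "zone answer" lines read from stdin (one lookup per line).
score_dnsbl() {
  total=0
  while read -r zone answer; do
    [ -z "$zone" ] && continue
    total=$((total + $(dnsbl_weight "$zone" "$answer")))
  done
  printf '%s\n' "$total"
}

# What postscreen does with a total, given threshold=3 and whitelist_threshold=-1.
postscreen_verdict() {
  if [ "$1" -ge 3 ]; then
    echo reject       # postscreen_dnsbl_threshold reached; dnsbl_action=enforce
  elif [ "$1" -le -1 ]; then
    echo whitelist    # at or below whitelist_threshold: after-220 tests are skipped
  else
    echo pass         # below threshold: continues to the after-220 tests
  fi
}

# Constructed lookups for three imaginary clients.
CLIENT_A='zen.spamhaus.org 127.0.0.2'      # one Spamhaus hit alone reaches the threshold
CLIENT_B='bl.spamcop.net 127.0.0.2
list.dnswl.org 127.0.5.1'                  # listed once, but dnswl trust level 1 outweighs it
CLIENT_C='b.barracudacentral.org 127.0.0.2' # a single *2 listing stays below the threshold

for c in "$CLIENT_A" "$CLIENT_B" "$CLIENT_C"; do
  s=$(printf '%s\n' "$c" | score_dnsbl)
  printf 'score=%s verdict=%s\n' "$s" "$(postscreen_verdict "$s")"
done
```

Feed it real answers (for example from a few `dig` lookups of the reversed client address against each zone) to see how close a client comes to the threshold before changing weights in main.cf.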
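Going back to the postfwd COUNTRY_LOGIN_COUNT / BAN_BOTNET rules earlier in this section, here is an added example (not from the original notes and not the plugin's own code) that recomputes the same signal offline: distinct login countries per SASL user, ignoring the private and loopback ranges the rules exclude. The record format "sasl_username client_address country" and the GeoIP resolution are assumptions; the sample records are constructed. Running this over an exported auth log is a way to audit the "> 5 countries" rule before or alongside the plugin.

```sh
#!/bin/sh
# Added example: count distinct login countries per SASL user from records of
# the form "sasl_username client_address country" (constructed format) and flag
# users over a limit, the way the BAN_BOTNET rule does with client_uniq_country_login_count.

# True for the ranges excluded via &&PRIVATE_RANGES and &&LOOPBACK_RANGE.
is_internal_addr() {
  case "$1" in
    10.*|127.*|192.168.*) return 0 ;;
    172.*)
      # 172.16.0.0/12 covers second octets 16..31
      second=$(printf '%s' "$1" | cut -d. -f2)
      [ "$second" -ge 16 ] && [ "$second" -le 31 ] && return 0 ;;
  esac
  return 1
}

# Read records from stdin, drop internal sources, print "user <distinct countries>".
count_login_countries() {
  while read -r user addr country; do
    [ -z "$user" ] && continue
    is_internal_addr "$addr" && continue
    printf '%s %s\n' "$user" "$country"
  done | sort -u | awk '{ n[$1]++ } END { for (u in n) print u, n[u] }' | sort
}

# $1 = maximum distinct countries allowed (the rules use 5); prints users above it.
flag_compromised_accounts() {
  count_login_countries | awk -v lim="$1" '$2 > lim { print $1, $2 }'
}

# Constructed sample (documentation addresses). alice's 10.0.0.5 login must not count.
LOGINS='alice@example.com 203.0.113.5 ES
alice@example.com 198.51.100.7 DE
alice@example.com 203.0.113.9 FR
alice@example.com 192.0.2.10 US
alice@example.com 198.51.100.20 BR
alice@example.com 203.0.113.77 RU
alice@example.com 10.0.0.5 CN
bob@example.com 203.0.113.5 ES
bob@example.com 192.168.1.20 XX
bob@example.com 172.20.0.3 XX
carol@example.com 198.51.100.3 PT
carol@example.com 198.51.100.3 PT'

printf '%s\n' "$LOGINS" | flag_compromised_accounts 5
```

The plugin keeps these counters in its database and resets them on its own schedule; this script counts over whatever window of records you give it, so pick the export window to match.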
SRS: postsrsd
-------------
sudo apt-get install postsrsd
sudo systemctl enable postsrsd

in main.cf:
sender_canonical_maps = tcp:localhost:10001
sender_canonical_classes = envelope_sender
recipient_canonical_maps = tcp:localhost:10002
recipient_canonical_classes = envelope_recipient,header_recipient

Dovecot:
---------------------------------
disable_plaintext_auth=no    #### in the global configuration

Enable the Trash plugin
https://wiki2.dovecot.org/Plugins/Trash

### In 15-mailboxes.conf
mailbox Junk {
  special_use = \Junk
  #By Ignacio
  autoexpunge=182d
  mailbox_list_index=yes
}
mailbox Trash {
  special_use = \Trash
  #By Ignacio
  autoexpunge=30d
  mailbox_list_index=yes
}

RoundCube
-------------------------------------
edit config.inc.php
Add at the end (note that this turns off certificate verification for Roundcube's IMAP and SMTP connections, which is only reasonable while they stay on this same host):

$config['imap_conn_options'] = array(
  'ssl' => array(
    'verify_peer' => false,
    'verify_peer_name' => false,
  ),
);
$config['smtp_conn_options'] = array(
  'ssl' => array(
    'verify_peer' => false,
    'verify_peer_name' => false,
  ),
);

Make the SMTP connection authenticate with the user's own username and password:

$config['smtp_server'] = 'tls://s0.oenus.com';
// SMTP port (default is 25; use 587 for STARTTLS or 465 for the
// deprecated SSL over SMTP (aka SMTPS))
$config['smtp_port'] = 587;
// SMTP username (if required) if you use %u as the username Roundcube
// will use the current username for login
$config['smtp_user'] = '%u';
// SMTP password (if required) if you use %p as the password Roundcube
// will use the current user's password for login
$config['smtp_pass'] = '%p';
// provide an URL where a user can get support for this Roundcube installation
// PLEASE DO NOT LINK TO THE ROUNDCUBE.NET WEBSITE HERE!
$config['support_url'] = '';
// Name your service. This is displayed on the login screen and in the window title
$config['product_name'] = 'Oenus Webmail';

rainloop
---------
https://www.howtoforge.com/installation-and-configuration-of-rainloop-in-debian-7-wheezy#-downloading-and-installing-rainloop-webmail

fail2ban
--------
https://kk6jyt.com/configure-fail2ban-ispconfig-3-failed-login-attempts/
rainloop: https://wiki.i-mscp.net/doku.php?id=start:howto:fail2ban#rainloopconf

create the file ispconfig.local in jail.d:
[ispconfig]
enabled = true
port = 8080
filter = ispconfig
logpath = /var/log/ispconfig/auth.log
maxretry = 3

create the file ispconfig.conf in filter.d (the <HOST> tag is what fail2ban bans on, so the regex must end with it):
[Definition]
failregex = Failed login for user .* from <HOST>
ignoreregex =

There is already a filter for roundcube; it only needs enabling. In jail.d create the file roundcube.local:
[roundcube-auth]
enabled = true

Bind9
-----
https://www.howtoforge.com/community/threads/dos-attack-against-bind.61573/

Next step... ispconfig webui settings
-------------------------------------------------
Careful: ufw is installed, and so is bastille
sudo systemctl enable ufw
sudo systemctl start ufw

- In System, Server Config, Mail: enable "Reject sender and login mismatch"
- In System, Server Config, Apache: disable "Enable IP wildcard (*)" and set "Default PHP Handler" to Disabled
- Configure the limits templates

DNS template: tick the IPv6 box and replace it with this:
[ZONE]
origin={DOMAIN}.
ns={NS1}.
mbox={EMAIL}.
refresh=7200
retry=540
expire=604800
minimum=3600
ttl=86400

[DNS_RECORDS]
A|{DOMAIN}.|{IP}|0|3600
AAAA|{DOMAIN}.|{IPV6}|0|3600
A|www|{IP}|0|3600
A|mail|{IP}|0|3600
A|ns1|{IP}|0|3600
A|ns2|{IP}|0|3600
AAAA|www|{IPV6}|0|3600
AAAA|mail|{IPV6}|0|3600
AAAA|ns1|{IPV6}|0|3600
AAAA|ns2|{IPV6}|0|3600
NS|{DOMAIN}.|{NS1}.|0|3600
NS|{DOMAIN}.|{NS2}.|0|3600
MX|{DOMAIN}.|mail.{DOMAIN}.|10|3600
TXT|{DOMAIN}.|v=spf1 mx a -all|0|3600

Disable mail() in php
----------------------
/etc/php/7.0/apache2/php.ini
/etc/php/7.0/cgi/php.ini
/etc/php/7.0/cli/php.ini
/etc/php/7.0/fpm/php.ini
edit each one (vi) and set:
disable_functions = mail,

Disable the use of sendmail by web users:
in root's cron:
awk -F":" '$6 ~ "/clients/" {print $1}' /etc/passwd > /etc/postfix/reject_these_senders
in main.cf:
authorized_submit_users = !/etc/postfix/reject_these_senders , static:all

-------------------------------------------------------

Script to check the postfix queue
-------------------------------------
apt-get install s-nail
create the file: vi /root/checkpq.sh

#!/bin/bash
# The last line of mailq output is "-- N Kbytes in M Requests."; field 5 is M.
# When the queue is empty mailq prints "Mail queue is empty" instead, so fall back to 0
# rather than letting expr fail on an empty value.
mailq_count=`/usr/bin/mailq | /usr/bin/tail -n1 | /usr/bin/gawk '{print $5}'`
mailq_count=`expr ${mailq_count:-0} + 0`
echo "Mail count on Server is $mailq_count"
if [ $mailq_count -gt 50 ]; then
    echo "Mail count on Server is $mailq_count" | s-nail -A yahoo -s "ALERTA: Cola de Postfix con mucho correo" ignacio@gestoriagp.com yo@ignasi.com
fi

make it executable

vi /root/.mailrc (this file holds the account passwords in clear text, so keep it readable by root only: chmod 600 /root/.mailrc)

set ask askcc append dot save crt
ignore Received Message-Id Resent-Message-Id Status Mail-From Return-Path Via D$
account gmail {
    set verbose
    set smtp-use-starttls
    set ssl-verify=ignore
    set smtp=smtp://smtp.gmail.com:587
    set from=oenus.com@gmail.com
    set smtp-auth=login
    set smtp-auth-user=oenus.com@gmail.com
    set smtp-auth-password=germanias
}
account yahoo {
    set verbose
    set smtp-use-starttls
    set ssl-verify=ignore
    set smtp=smtp://smtp.mail.yahoo.com:587
    set from=ignasigarcia@yahoo.com
    set smtp-auth=login
    set smtp-auth-user=ignasigarcia@yahoo.com
    set smtp-auth-password=Bacora00
}

as root: crontab -e
5 * * * * /root/checkpq.sh > /dev/null

Script to delete messages from the postfix queue:
--------------------------------------------------
#!/usr/bin/perl
# Deletes every queued message whose queue listing matches the regexp given as argument.
$REGEXP = shift || die "no email-address given (regexp-style, e.g. bl.*\@yahoo.com)!";
# Read the queue listing (the angle brackets of qx<...> were lost in the copy; restored here).
@data = qx</usr/sbin/postqueue -p>;
for (@data) {
  # A queue entry starts with the queue ID, optionally followed by * (active) or ! (hold).
  if (/^(\w+)(\*|\!)?\s/) {
     $queue_id = $1;
  }
  # Any line of that entry (sender, recipients) matching the regexp marks the ID for deletion.
  if($queue_id) {
    if (/$REGEXP/i) {
      $Q{$queue_id} = 1;
      $queue_id = "";
    }
  }
}
#open(POSTSUPER,"|cat") || die "couldn't open postsuper" ;   # dry run: list the IDs instead of deleting
open(POSTSUPER,"|postsuper -d -") || die "couldn't open postsuper" ;
foreach (keys %Q) {
  print POSTSUPER "$_\n";
};
close(POSTSUPER);

Usage examples:
Delete all queued messages to or from the domain called spamers.com, enter:
./postfix-delete.pl spamers.com
Delete all queued messages that contain the word "spam" in the e-mail address:
./postfix-delete.pl spam

Reload postfix and dovecot every week
-------------------------------------
root: crontab -e
0 4 * * 0 postfix reload > /dev/null
1 4 * * 0 systemctl restart dovecot > /dev/null

If you want to use different php versions:
https://www.howtoforge.com/tutorial/how-to-install-php-5.6-and-7.1-on-debian-9-stretch/

Install other php versions
-------------------------------
https://www.howtoforge.com/tutorial/how-to-install-php-7-for-ispconfig-3-from-debian-packages-on-debian-8-and-9/
as root:
echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/sury.list
apt install apt-transport-https
curl https://packages.sury.org/php/apt.gpg | apt-key add -

vi /etc/apt/preferences.d/packages-sury-org.pref
Package: *
Pin: origin packages.sury.org
Pin-Priority: 700

sudo apt-get install php5.6 php5.6-cli php5.6-cgi php5.6-fpm php5.6-curl php5.6-gd php5.6-intl php5.6-json php5.6-mbstring php5.6-mcrypt php5.6-mysql php5.6-opcache php5.6-pspell php5.6-readline php5.6-recode php5.6-sqlite3 php5.6-tidy php5.6-xml php5.6-xmlrpc php5.6-xsl php5.6-zip
update-alternatives --config php
update-alternatives --config php-cgi
service php5.6-fpm restart

In ispconfig3: PHP 5.6
Path to the PHP FastCGI binary: php-cgi5.6
Path to the php.ini directory: /etc/php/5.6/cgi/php.ini
Path to the PHP-FPM init script: php5.6-fpm
Path to the php.ini directory: /etc/php/5.6/fpm/php.ini
Path to the PHP-FPM pool directory: /etc/php/5.6/fpm/pool.d

PureFTPd needs ports opened in the firewall
-------------------------------------------------
as root, go to the directory /etc/pureftpd/conf
echo "65434 65534" > PassivePortRange
echo "50" > MaxClientsNumber
sudo /etc/init.d/pure-ftpd-mysql restart
in ispconfig, open the ports in the firewall: ..,..,..,65434:65534

Imapsync:
https://raw.githubusercontent.com/imapsync/imapsync/master/imapsync

Redirects needed in apache
-----------------------------------------
Based on: https://www.howtoforge.com/community/threads/phpmyadmin-is-listening-on-80-and-8080-how-to-fix-this.82176/

ignasi@s0:/etc/apache2/conf-available$ cat davical_redirect.conf
# This makes the '/davical' url work on each domain
# by redirecting to the local server's hostname rather than
# directly running davical to not require davical paths
# in each site's open_basedir.
RewriteEngine on
RewriteCond "%{HTTP_HOST}" "!^oenus\.com" [NC]
RewriteCond "%{HTTP_HOST}" "!^94\.29\.19\.133" [NC]
RewriteRule (.*) https://oenus.com%{REQUEST_URI} [R=301,NE,END]
ignasi@s0:/etc/apache2/conf-available$

ignasi@s0:/etc/apache2/conf-available$ cat webmail_redirect.conf
# This makes the '/webmail' url work on each domain
# by redirecting to the local server's hostname rather than
# directly running roundcube to not require roundcube paths
# in each site's open_basedir.
RewriteEngine on
RewriteCond "%{HTTP_HOST}" "!^oenus\.com" [NC]
RewriteCond "%{HTTP_HOST}" "!^94\.29\.19\.133" [NC]
RewriteRule (.*) https://oenus.com%{REQUEST_URI} [R=301,NE,END]
ignasi@s0:/etc/apache2/conf-available$

ignasi@s0:/etc/apache2/conf-available$ cat phpmyadmin_redirect.conf
# This makes the '/phpmyadmin' url work on each domain
# by redirecting to the local server's hostname rather than
# directly running phpmyadmin to not require phpmyadmin paths
# in each site's open_basedir.
RewriteEngine on
RewriteCond "%{HTTP_HOST}" "!^oenus\.com" [NC]
RewriteCond "%{HTTP_HOST}" "!^94\.29\.19\.133" [NC]
RewriteRule (.*) https://oenus.com%{REQUEST_URI} [R=301,NE,END]
ignasi@s0:/etc/apache2/conf-available$

Then:
a2enconf davical_redirect
a2enconf....
a2enconf....
systemctl reload apache2

Interesting websites:
https://stackoverflow.com/questions/44797694/where-is-rc-local-in-debian-9-debian-stretch#44801337
http://postfix.1071664.n5.nabble.com/Alert-of-unusually-large-queue-td51546.html
https://en.wikipedia.org/wiki/Comparison_of_DNS_blacklists

***************************************************************************
**Works, but has to be started manually. Do not use the install script**
https://github.com/mpellegrin/ratelimit-policyd
***************************************************************************

https://www.howtoforge.com/tutorial/setup-seafile-inside-ispconfig/
https://wiki.dovecot.org/SSL/DovecotConfiguration
https://stackoverflow.com/questions/9497869/export-and-import-all-mysql-databases-at-one-time#9498058