2013-06-28

Adding a NIC on CentOS and choosing the outbound (default-route) NIC

Adding a NIC on CentOS

1. Setup
yum install system-config-network-tui

 a. Network Configuration
    # system-config-network-tui, choose "Network Configuration"

 b. Device Configuration

 c. New Device

 d. Ethernet

 e. Name & Device


3. Confirm
 a. Confirm the new device is listed, then save and exit

 b. # vi /etc/sysconfig/network-scripts/ifcfg-eth1
set ONBOOT=yes
otherwise the NIC is not brought up automatically at boot

 

Choosing the outbound NIC

Method 1

vi /etc/sysconfig/network
add GATEWAYDEV=eth0 (the NIC that faces the outside)
This pins the default gateway to the outbound NIC: only that device installs the default route, even if the other ifcfg files also carry a GATEWAY= entry.

route
then shows whether the default route (destination 0.0.0.0) really leaves via the NIC you intended.


Method 2

vi /etc/sysconfig/network-scripts/ifcfg-eth1 (the internal NIC)
Delete its GATEWAY= line. A NIC with no gateway of its own cannot reach the outside, so traffic falls through to the only NIC that still has a default gateway.
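Both methods and the ONBOOT step above can be scripted and verified instead of edited by hand. The following is an added example, not from the original post: write_internal_ifcfg produces the internal NIC's ifcfg file without a GATEWAY= line (method 2), set_gateway_dev maintains the GATEWAYDEV= entry (method 1), and default_route_dev reads `route -n` output to confirm which interface owns the default route. SYSCONFIG_ROOT is a hypothetical knob so the file-writing parts can be tried in a scratch directory; the routing-table text is a constructed sample.

```sh
#!/bin/sh
# Added example (not from the original post): script the two-NIC setup and
# verify which interface carries the default route.  SYSCONFIG_ROOT is a
# hypothetical override so the file writers can be tried in a scratch
# directory; on a real CentOS 6 host leave it at /etc/sysconfig.
SYSCONFIG_ROOT="${SYSCONFIG_ROOT:-/etc/sysconfig}"

# Write ifcfg-<dev> for the internal NIC: static address, brought up at boot
# (ONBOOT=yes), and deliberately no GATEWAY= line ("method 2"): a NIC without
# a gateway can never become the default route.
write_internal_ifcfg() {
    dev="$1"; addr="$2"; mask="$3"
    mkdir -p "$SYSCONFIG_ROOT/network-scripts"
    cat > "$SYSCONFIG_ROOT/network-scripts/ifcfg-$dev" <<EOF
DEVICE=$dev
BOOTPROTO=static
ONBOOT=yes
IPADDR=$addr
NETMASK=$mask
EOF
}

# "Method 1": pin the default gateway to one device with GATEWAYDEV= in
# /etc/sysconfig/network, replacing any GATEWAYDEV line already there.
set_gateway_dev() {
    dev="$1"; f="$SYSCONFIG_ROOT/network"
    mkdir -p "$SYSCONFIG_ROOT"
    [ -f "$f" ] || : > "$f"
    grep -v '^GATEWAYDEV=' "$f" > "$f.tmp" || true
    echo "GATEWAYDEV=$dev" >> "$f.tmp"
    mv "$f.tmp" "$f"
}

# Read `route -n` output on stdin and print the interface of the default
# route (destination 0.0.0.0 with a real gateway).  Prints nothing when the
# table has no default route at all.
default_route_dev() {
    awk '$1 == "0.0.0.0" && $2 != "0.0.0.0" { print $8; exit }'
}

# Live check on the host: does the default route leave via the NIC we wanted?
check_default_route() {
    want="$1"
    [ "$(route -n | default_route_dev)" = "$want" ]
}

# Constructed `route -n` output for a host with eth0 (external) and eth1
# (internal); lets default_route_dev be exercised without touching the kernel.
SAMPLE_ROUTE_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
203.0.113.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 eth0'
```

On a real host, run write_internal_ifcfg eth1 192.168.10.5 255.255.255.0 and set_gateway_dev eth0 as root, restart networking, then check_default_route eth0 returns success only if the kernel agrees with the files.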

References:
http://www.dotblogs.com.tw/ghoseliang/archive/2012/09/26/75062.aspx
http://www.hksilicon.com/kb/articles/22317/Centos
http://linux.vbird.org/linux_server/0130internet_connect.php

2013-06-05

CentOS 6.4 Maildir build procedure: Postfix + Dovecot + MailScanner + ClamAV + SpamAssassin

Disable SELinux
# vi /etc/sysconfig/selinux

SELINUX=enforcing

change to

SELINUX=disabled

(This takes effect at the next boot. It removes a layer of confinement from every daemon below; the rest of this guide assumes SELinux is off, so if you keep it enforcing expect to deal with denials on the Maildir and MailScanner spool paths yourself.)

Install RPMforge
# rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
RPMforge is a package repository maintained by Dag, Dries and other packagers, providing more than 4000 additional packages for CentOS.


Update packages
# yum -y update

Network time sync
# yum -y install ntp      # install NTP
# /usr/sbin/ntpdate tock.stdtime.gov.tw  # sync the clock once against tock.stdtime.gov.tw
# /sbin/hwclock -w   # write the system time to the hardware (BIOS) clock
# vi /etc/crontab
add 10 5 * * * root /usr/sbin/ntpdate tock.stdtime.gov.tw && /sbin/hwclock -w
# cron entry: re-sync every day at 05:10


Install Postfix

1. Remove sendmail, install postfix
# /etc/init.d/sendmail stop   # stop sendmail
# yum install postfix         # install postfix
# rpm -e sendmail             # remove sendmail
# service postfix start       # start the postfix service

2. Postfix configuration
The configuration file is /etc/postfix/main.cf; set postfix to accept connections from outside, not just from localhost

vi /etc/postfix/main.cf

inet_interfaces = localhost #comment this out

change to

inet_interfaces = all


mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain

mydomain = example.com.tw

myhostname = mail.example.com.tw

home_mailbox = Maildir/

(inet_interfaces = all binds port 25 on every interface. What keeps the host from being an open relay is the reject_unauth_destination entry in smtpd_recipient_restrictions, which Postfix applies by default and which step 4 sets explicitly; keep it whenever you edit that list. home_mailbox = Maildir/ delivers local mail to ~/Maildir/ in Maildir format, one file per message, which is what the test below looks at.)

# service postfix restart        # restart the postfix service

3. Test postfix (SMTP)

telnet localhost smtp

Trying 127.0.0.1...

Connected to localhost.localdomain (127.0.0.1).

Escape character is '^]'.

220 mail.acme.local ESMTP Postfix

ehlo localhost
250-mail.acme.local

250-PIPELINING

250-SIZE 10240000

250-VRFY

250-ETRN

250-ENHANCEDSTATUSCODES

250-8BITMIME

250 DSN

mail from:<johndoe>

250 2.1.0 Ok

rcpt to:<johndoe>

250 2.1.5 Ok

data
354 End data with <CR><LF>.<CR><LF>

test

.

250 2.0.0 Ok: queued as 9729067C17

quit

221 2.0.0 Bye

Connection closed by foreign host.

[root@mail ~]#

Look at the message:

To check that the mail really exists


# cd /home/johndoe/Maildir/new
[root@mail new]# ls

1185669817.Vfd00I18012M795756.mail.acme.local

[root@mail new]# cat 1185669817.Vfd00I18012M795756.mail.acme.local

You don't have to type the whole filename above; type the first few characters, say 118, then press Tab for completion.

From johndoe@mail.acme.local  Thu Feb 22 21:48:28 2007

Return-Path: <johndoe@mail.acme.local>

X-Original-To: johndoe

Delivered-To: johndoe@mail.acme.local

Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])

        by mail.acme.local (Postfix) with SMTP id 9729067C17

        for <johndoe>; Thu, 22 Feb 2007 21:48:26 -0500 (EST)

Message-Id: <20070222134827.9729067C17@mail.acme.local>

Date: Thu, 22 Feb 2007 21:48:26 -0500 (EST)

From: johndoe@mail.acme.local

To: undisclosed-recipients:;

test

[root@mail mail]#

4. Configure Postfix SMTP authentication
Install the cyrus-sasl-md5, cyrus-sasl-plain and cyrus-sasl packages
yum install cyrus-sasl-md5 cyrus-sasl-plain cyrus-sasl -y

The authentication backend used here is Dovecot (smtpd_sasl_type = dovecot below), so Dovecot must already be installed (see the Dovecot section for the install) before its conf.d files can be edited.

vi /etc/dovecot/conf.d/10-master.conf

service auth {       

  unix_listener /var/spool/postfix/private/auth {

               mode = 0666

               user = postfix

               group = postdrop

  }      

}

vi /etc/dovecot/conf.d/10-auth.conf

auth_mechanisms = plain login

vi /etc/postfix/main.cf

find the keys below and change its values as follows or add it at the bottom of the file if the key (the word before the = sign) cannot be found.

mynetworks = 127.0.0.0/8

smtpd_sasl_type = dovecot

smtpd_sasl_path = private/auth

smtpd_sasl_auth_enable = yes

smtpd_recipient_restrictions =  permit_mynetworks,

    permit_sasl_authenticated,

    reject_unauth_destination

broken_sasl_auth_clients = yes

smtpd_sasl_security_options = noanonymous


chkconfig saslauthd on   # enable at boot
service saslauthd restart    # start the saslauthd service
(saslauthd is the Cyrus SASL daemon; with smtpd_sasl_type = dovecot Postfix never talks to it, so these two lines are harmless but not needed for this setup.)



Use telnet to test whether SMTP authentication is in effect (it only counts if AUTH LOGIN PLAIN shows up in the EHLO reply)

[root@mail ~]# telnet mail smtp

Trying 192.168.0.1...

Connected to mail.acme.local (192.168.0.1).

Escape character is '^]'.

220 mail.acme.local ESMTP Postfix

ehlo localhost

250-mail.acme.local

250-PIPELINING

250-SIZE 10240000

250-VRFY

250-ETRN

250-AUTH LOGIN PLAIN

250-AUTH=LOGIN PLAIN

250-ENHANCEDSTATUSCODES

250-8BITMIME

250 DSN

Note the new 250-AUTH lines. See the old SMTP Telnet Test.

mail from:<johndoe>

250 2.1.0 Ok

rcpt to:<test@example.com>

554 5.7.1 <test@example.com>: Relay access denied

It works, now to check if we can send it after authenticating.

auth plain AGpvaG5kb2UAcGFzc3dvcmQ=

235 2.0.0 Authentication successful

rcpt to:<test@example.com>

250 2.1.5 Ok

quit

221 2.0.0 Bye

Connection closed by foreign host.

[root@mail ~]#
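The two telnet sessions above (plain delivery, then relay refused until AUTH succeeds) can be scripted so the check is repeatable after every configuration change. The following is an added example, not code from the original post: auth_plain_token builds the base64 string pasted after "auth plain" (for johndoe/password it yields exactly AGpvaG5kb2UAcGFzc3dvcmQ=), smtp_auth_relay_probe drives the EHLO/MAIL/RCPT/AUTH/RCPT sequence against a server, and reply_codes plus relay_verdict reduce the replies to a verdict. The live probe assumes nc (netcat) is installed; the transcript used below is a constructed sample that mirrors the session above.

```sh
#!/bin/sh
# Added example (not from the original post): script the SMTP AUTH / relay
# check.  The live probe assumes `nc` (netcat); parsing works offline.

# SASL PLAIN initial response: NUL authzid NUL authcid NUL password, base64.
# With an empty authzid this is the string pasted after "auth plain" above.
auth_plain_token() {
    printf '\0%s\0%s' "$1" "$2" | base64 | tr -d '\n'
}

# Drive the session against a server.  Commands go one per second so the
# replies come back in order whether or not PIPELINING is used; the output
# is the server side of the conversation only.
smtp_auth_relay_probe() {
    host="$1"; token="$2"; sender="$3"; rcpt="$4"
    {
        sleep 1
        for cmd in "EHLO probe.example.com" "MAIL FROM:<$sender>" \
                   "RCPT TO:<$rcpt>" "AUTH PLAIN $token" "RCPT TO:<$rcpt>" QUIT
        do printf '%s\r\n' "$cmd"; sleep 1; done
    } | nc -w 10 "$host" 25
}

# Reduce a server transcript (stdin) to its final reply codes, space
# separated.  "250-..." continuation lines are skipped; only "NNN " lines
# terminate a reply.
reply_codes() {
    tr -d '\r' | awk '/^[0-9][0-9][0-9] / { printf "%s ", $1 }' | sed 's/ $//'
}

# Does the EHLO reply advertise AUTH with PLAIN or LOGIN?  (The "only counts
# if LOGIN PLAIN appears" check above.)
ehlo_advertises_auth() {
    tr -d '\r' | grep -Eq '^250[- ]AUTH .*(PLAIN|LOGIN)'
}

# Verdict for the probe: relay must be refused before AUTH (554) and accepted
# after it (250).  Anything else deserves a closer look at the transcript.
relay_verdict() {
    codes=$(reply_codes)
    case "$codes" in
        "220 250 250 554 235 250 221")
            echo "OK: relay denied unauthenticated, allowed after AUTH" ;;
        "220 250 250 250 "*)
            echo "OPEN RELAY: unauthenticated RCPT to an outside domain accepted" ;;
        "220 250 250 554 535 "*)
            echo "AUTH FAILED: relay correctly denied, but credentials rejected" ;;
        *)
            echo "UNEXPECTED: $codes" ;;
    esac
}

# Constructed server-side transcript matching the telnet session above.
SAMPLE_SMTP_TRANSCRIPT='220 mail.acme.local ESMTP Postfix
250-mail.acme.local
250-PIPELINING
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 DSN
250 2.1.0 Ok
554 5.7.1 <test@example.com>: Relay access denied
235 2.0.0 Authentication successful
250 2.1.5 Ok
221 2.0.0 Bye'
```

Against the live server: smtp_auth_relay_probe mail.acme.local "$(auth_plain_token johndoe password)" johndoe test@example.com | relay_verdict. Run it from a host outside mynetworks, otherwise permit_mynetworks accepts the first RCPT and the verdict reads as an open relay even though the policy is fine.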

Install the Dovecot POP3 service
yum install dovecot #install dovecot
vi /etc/dovecot/dovecot.conf

protocols = imap imaps pop3 pop3s

change to

protocols = pop3 imap lmtp

(Dovecot 2.x no longer accepts imaps/pop3s as protocol names; the SSL listeners on 993/995 belong to the imap and pop3 services and are controlled by the imaps/pop3s inet_listener entries in conf.d/10-master.conf together with the ssl settings in conf.d/10-ssl.conf.)

vi /etc/dovecot/conf.d/10-auth.conf

disable_plaintext_auth = no

(check against your Outlook settings:
disable_plaintext_auth = yes <--- the default: plaintext mechanisms (PLAIN/LOGIN) are only accepted once the connection is under SSL/TLS, which is what you want when clients come in over the Internet
disable_plaintext_auth = no <--- passwords are also accepted over unencrypted POP3/IMAP and can be sniffed on the wire; only acceptable on a trusted LAN)

vi /etc/dovecot/conf.d/10-mail.conf

#mail_location = mbox:~/mail:INBOX=/var/mail/%u (mbox is not used)

change to

mail_location = maildir:/var/spool/maildir/%u

(This path has to match where Postfix actually delivers. With only home_mailbox = Maildir/ set, Postfix writes to ~/Maildir/, so either point mail_location at ~/Maildir or add the procmail mailbox_command from the mbox-to-Maildir section, which delivers to /var/spool/maildir/$USER/.)

vi /etc/dovecot/conf.d/20-pop3.conf

pop3_uidl_format = %08Xu%08Xv

pop3_client_workarounds = outlook-no-nuls oe-ns-eoh

Start the dovecot service and enable it at boot
chkconfig dovecot on
service dovecot start

Test Dovecot

Sample dovecot session. Replace johndoe and password with any valid user name and password.

[root@mail ~]# telnet localhost pop3

+OK dovecot ready.

user johndoe

+OK

pass password

+OK Logged in.

list

+OK 1 messages:

1 622

.

retr 1

+OK 622 octets

Return-Path: <johndoe@mail.acme.local>

X-Original-To: johndoe

Delivered-To: johndoe@mail.acme.local

Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])

        by mail.acme.local (Postfix) with SMTP id 9729067C17

        for <johndoe>; Thu, 22 Feb 2007 09:06:37 -0500 (EST)

Message-Id: <20070222140640.9729067C17@mail.acme.local>

Date: Thu, 22 Feb 2007 09:06:37 -0500 (EST)

From: johndoe@mail.acme.local

To: undisclosed-recipients:;

X-IMAPbase: 1172153557 1

Status: O

X-UID: 1

Content-Length: 5

X-Keywords:

test

.

quit

+OK Logging out.

Connection closed by foreign host.

[root@mail ~]#
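The session above logs in over plain POP3 because disable_plaintext_auth = no. The following is an added example, not from the original post, that checks from the outside what that setting actually enforces: pop3_login_probe repeats the USER/PASS exchange on port 110, pop3_tls_probe does the same over pop3s on 995, and pop3_plaintext_policy classifies the server's answer. It assumes nc and openssl s_client are available on the client host; the reply strings are Dovecot 2.x wording and the transcripts used for testing are constructed.

```sh
#!/bin/sh
# Added example (not from the original post): observe the effect of
# disable_plaintext_auth from the client side.  Assumes `nc` for the plain
# probe and `openssl s_client` for the TLS one.

# Plaintext USER/PASS on port 110.  Prints the server's lines.
pop3_login_probe() {
    host="$1"; user="$2"; pass="$3"
    {
        sleep 1; printf 'USER %s\r\n' "$user"
        sleep 1; printf 'PASS %s\r\n' "$pass"
        sleep 1; printf 'QUIT\r\n'
    } | nc -w 10 "$host" 110
}

# Same login over TLS on port 995 (pop3s): the path clients must use when
# disable_plaintext_auth = yes.
pop3_tls_probe() {
    host="$1"; user="$2"; pass="$3"
    {
        sleep 2; printf 'USER %s\r\n' "$user"
        sleep 1; printf 'PASS %s\r\n' "$pass"
        sleep 1; printf 'QUIT\r\n'
    } | openssl s_client -quiet -connect "$host:995" 2>/dev/null
}

# Classify a POP3 transcript (stdin).  With disable_plaintext_auth = yes
# Dovecot refuses USER/PASS on a non-TLS connection before looking at the
# password at all; with = no the password crosses the wire and may log in.
pop3_plaintext_policy() {
    t=$(tr -d '\r')
    case "$t" in
        *"Plaintext authentication disallowed"*) echo "plaintext-refused" ;;
        *"+OK Logged in"*)                       echo "plaintext-accepted" ;;
        *"-ERR"*)                                echo "auth-failed" ;;
        *)                                       echo "unknown" ;;
    esac
}
```

With the page's setting, pop3_login_probe mail.acme.local johndoe password | pop3_plaintext_policy prints plaintext-accepted; after switching to disable_plaintext_auth = yes and restarting dovecot it prints plaintext-refused while the TLS probe still logs in.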

Install the firewall tool

yum install system-config-firewall

Virus scanning with clamd and spam filtering with SpamAssassin

1. yum install clamd spamassassin

2. Start clamd

freshclam

service clamd start

chkconfig clamd on

3. Enable the SpamAssassin AWL plugin

vi /etc/mail/spamassassin/v310.pre

Uncomment the line loadplugin Mail::SpamAssassin::Plugin::AWL so that SpamAssassin loads the AWL (Auto-White-List) plugin

(works around the use_auto_whitelist setting in MailScanner.conf having no effect)

Install MailScanner

1. Install MailScanner

yum install perl-Archive-Zip perl-DBI perl-DBD-SQLite perl-Filesys-Df perl-Net-CIDR perl-OLE-Storage_Lite  perl-Sys-Hostname-Long perl-Sys-SigAction perl-MIME-tools gcc make rpm-build -y

wget http://www.mailscanner.info/files/4/rpm/MailScanner-4.84.5-3.rpm.tar.gz

tar zxf MailScanner-*.tar.gz
cd MailScanner-*/
./install.sh

(the trailing slash makes the glob match only the extracted directory, not the tarball sitting beside it)

2. Basic MailScanner settings

vi /etc/MailScanner/MailScanner.conf

%org-name% = www.example.com.tw

Run As User = postfix

Run As Group = postdrop

Incoming Queue Dir = /var/spool/postfix/hold

Outgoing Queue Dir = /var/spool/postfix/incoming

MTA = postfix

Incoming Work Group = clam

Incoming Work Permissions = 0640

Virus Scanners = clamd

Clamd Socket = /var/run/clamav/clamd.sock

SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin

High Scoring Spam Actions = deliver

vi /etc/MailScanner/virus.scanners.conf

clamd /bin/false /usr

vi /etc/MailScanner/spam.assassin.prefs.conf

(the header names are derived from %org-name% above and contain no spaces)

bayes_ignore_header X-www.example.com.tw-MailScanner
bayes_ignore_header X-www.example.com.tw-MailScanner-SpamCheck
bayes_ignore_header X-www.example.com.tw-MailScanner-SpamScore
bayes_ignore_header X-www.example.com.tw-MailScanner-Information
envelope_sender_header X-www.example.com.tw-MailScanner-From
#use_auto_whitelist 0

cd /var/spool/MailScanner
mkdir spamassassin
chown -R postfix:clam *
chmod -R 750 *

vi /etc/postfix/main.cf

header_checks = regexp:/etc/postfix/header_checks

echo "/^Received:/ HOLD" >> /etc/postfix/header_checks

(Every message carries a Received: header, so this rule parks all incoming mail in the Postfix hold queue. MailScanner reads it from there (Incoming Queue Dir = /var/spool/postfix/hold), scans it, and drops the result into /var/spool/postfix/incoming for normal delivery.)

vi $(which MailScanner)

change the first line (the perl shebang) to

#!/usr/bin/perl -I/usr/lib/MailScanner -U

3. Fix permissions

chown postfix.postdrop /var/spool/MailScanner/incoming
chown postfix.postdrop /var/spool/MailScanner/quarantine

4. Check that the MailScanner configuration is valid

MailScanner --lint

5. Start MailScanner

service postfix stop
chkconfig postfix off
service MailScanner start
chkconfig MailScanner on

(The MailScanner init script starts and stops Postfix itself, which is why the separate postfix service is disabled at boot.)

References:

http://presitw.blogspot.tw/2012/05/centos-62-mail-postfixdovecotmailscanne.html

Converting mbox to Maildir


 1. Download mb2md 3.2
[root@server tmp]# wget http://batleth.sapienti-sat.org/projects/mb2md/mb2md-3.20.pl.gz

2. Decompress

[root@server tmp]# gzip -d mb2md-3.20.pl.gz

# usage: mb2md -s /var/spool/mail/user_mailbox -d /var/spool/mail/user_maildir
※ Note: mb2md must be given full paths

3. Write the conversion script


[root@server tmp]# vim convert.sh

#!/bin/sh

set -x

MAILBOX_DIR="/var/spool/mail"
MAILDIR_DIR="/var/spool/maildir"

[ -d "$MAILDIR_DIR" ] || mkdir -p "$MAILDIR_DIR"

cd "$MAILBOX_DIR" || exit 1

# one mbox file per user under /var/spool/mail; skip anything that is not a
# regular file or whose name is not a local account
for user in *; do
    [ -f "$user" ] || continue
    id "$user" >/dev/null 2>&1 || continue
    perl /tmp/mb2md-3.20.pl -s "$MAILBOX_DIR/$user" -d "$MAILDIR_DIR/$user"
    chown -R "$user:mail" "$MAILDIR_DIR/$user/"
done

4. Stop the related services

 [root@server ~]# service MailScanner stop
 [root@server ~]# service dovecot stop

5. Adjust the postfix configuration
[root@server ~]#  vi /etc/postfix/main.cf

find
#home_mailbox = Mailbox

change to
home_mailbox = Maildir/

add
mailbox_command = /usr/bin/procmail -a "$EXTENSION" DEFAULT=/var/spool/maildir/$USER/ MAILDIR=/var/spool/maildir/$USER/

(mailbox_command takes precedence over home_mailbox, so with procmail in place mail lands in /var/spool/maildir/$USER/, the same tree the script above creates and the dovecot mail_location below points at; the trailing slash tells procmail the destination is a Maildir.)

6. Adjust the dovecot configuration
[root@server ~]# vi /etc/dovecot/conf.d/10-mail.conf

find
mail_location = mbox:~/mail:INBOX=/var/mail/%u

change to
mail_location = maildir:/var/spool/maildir/%u

7. Run the script to convert the mailboxes to Maildir format

[root@server tmp]# sh convert.sh

8. Start the services again
[root@server ~]# service MailScanner start
[root@server ~]# service dovecot start

9. Check that the conversion succeeded
[root@server ~]# ls -l /var/spool/maildir


References:
http://imomo.tw/phpbb/viewtopic.php?p=19091&sid=0520fa07fc9257233e8bda596afaa9e1

2013-06-04

fail2ban installation

[root@server ~]# yum -y install fail2ban

[root@server ~]# vi /etc/fail2ban/jail.conf

(A package update can overwrite jail.conf; fail2ban reads jail.local on top of it, so putting these overrides in /etc/fail2ban/jail.local is the safer place.)

# how long an IP stays banned (seconds)
bantime = 600

# window in which the failures must occur (seconds)
findtime = 600

# failures allowed inside that window
maxretry = 3

# jails currently enabled
[dovecot]
enabled  = true
filter   = dovecot-pop3imap
action   = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
           sendmail-whois[name=dovecot-pop3imap, dest=root, sender=fail2ban@*****.com]
# optionaly mail notification # mail[name=dovecot-pop3imap, dest=root@domain] # see /etc/fail2ban/a
logpath  = /var/log/maillog
maxretry = 3
findtime = 3600
bantime  = 3600

[postfix]
enabled  = true
filter   = postfix
action   = iptables[name=SMTP, port=smtp, protocol=tcp]
           sendmail-whois[name=Postfix-SMTP, dest=root, sender=fail2ban@*****.com]
logpath  = /var/log/maillog
maxretry = 3
findtime = 3600
bantime  = 3600

[ssh]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=fail2ban@*****.com]
logpath  = /var/log/secure
maxretry = 5
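To see what each of the three jails would actually count before trusting the bans, replay the failure patterns over the logs. The following is an added example, not from the original post: failed_auth_ips extracts the client IP of every failed login for one jail from syslog-format lines, and ban_candidates tallies them against maxretry. The regexes are approximations of the stock filters written for this example (fail2ban's own live in /etc/fail2ban/filter.d/), the findtime window is ignored, and the log lines are constructed samples in CentOS 6 format.

```sh
#!/bin/sh
# Added example (not from the original post): replay the three jails'
# failure patterns over log lines.  Regexes approximate the stock filters;
# findtime is ignored (fail2ban also requires the failures to fall inside it).

# Read log lines on stdin; print the client IP of each failed login for the
# given jail (dovecot, postfix or sshd), one per line.
failed_auth_ips() {
    jail="$1"
    case "$jail" in
        # dovecot: "... (auth failed, N attempts): user=<x>, method=PLAIN, rip=A.B.C.D, ..."
        dovecot) sed -n 's/.*dovecot: .*auth failed.*rip=\([0-9.]*\).*/\1/p' ;;
        # postfix: "... warning: unknown[A.B.C.D]: SASL LOGIN authentication failed ..."
        postfix) sed -n 's/.*postfix\/smtpd\[[0-9]*\]: warning: [^[]*\[\([0-9.]*\)\]: SASL [A-Z-]* authentication failed.*/\1/p' ;;
        # sshd: "... Failed password for ... from A.B.C.D port N ssh2"
        sshd)    sed -n 's/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9.]*\) port .*/\1/p' ;;
        *) echo "unknown jail: $jail" >&2; return 2 ;;
    esac
}

# IPs that reached maxretry failures for the jail, printed as "count ip".
ban_candidates() {
    jail="$1"; maxretry="$2"
    failed_auth_ips "$jail" | sort | uniq -c |
        awk -v n="$maxretry" '$1 >= n { print $1, $2 }'
}

# Constructed sample: one host hammering POP3/IMAP, another trying SMTP AUTH
# and then SSH, plus one legitimate login that must not be counted.
SAMPLE_LOG='Jun  4 10:12:01 server dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<john>, method=PLAIN, rip=203.0.113.7, lip=192.168.0.1
Jun  4 10:12:09 server dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=203.0.113.7, lip=192.168.0.1
Jun  4 10:12:20 server dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<admin>, method=PLAIN, rip=203.0.113.7, lip=192.168.0.1
Jun  4 10:12:30 server dovecot: pop3-login: Login: user=<alice>, method=PLAIN, rip=192.168.0.20, lip=192.168.0.1
Jun  4 10:13:05 server postfix/smtpd[1234]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: authentication failure
Jun  4 10:13:07 server postfix/smtpd[1234]: warning: unknown[198.51.100.9]: SASL PLAIN authentication failed: authentication failure
Jun  4 10:14:11 server sshd[2222]: Failed password for invalid user admin from 198.51.100.9 port 51234 ssh2'
```

On the live host: ban_candidates dovecot 3 < /var/log/maillog and ban_candidates sshd 5 < /var/log/secure reproduce the tallies the jails above would reach. To run the real filter instead of these approximations, use fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot-pop3imap.conf (assuming that filter file exists, as the jail references it).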

freshclam error

One day, after a yum update, running freshclam failed:

[root@server ]# freshclam

ERROR: Can't open /var/log/clamav/freshclam.log in append mode (check permissions!).
ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).

Only after reading the new /etc/freshclam.conf did it become clear that
the original DatabaseOwner clamav had been changed to clam

so

[root@server ]# chown clam:clam /var/log/clamav/freshclam.log
[root@server ]# chown clam:clam /var/log/clamav/clamd.log

and it worked again. (Check the other paths freshclam.conf and clamd.conf reference, such as DatabaseDirectory and LogFile, for the same ownership mismatch.)