tachtler:postfix_centos_7_-_openpgpkey_anbinden_openpgpkey-milter
Differences
This page shows the differences between two versions of the page.
tachtler:postfix_centos_7_-_openpgpkey_anbinden_openpgpkey-milter [2018/08/31 14:05] – klaus | tachtler:postfix_centos_7_-_openpgpkey_anbinden_openpgpkey-milter [2018/08/31 15:56] (current) – [openpgpkey-milter] klaus
Line 202: | Line 202:
* **''
* **''
+ * **''
+
+ :!: **NOTE** - **The installation must __currently__ be on the same server on which the [[http://
The installation of **''
<code>
# yum install openpgpkey-milter
+ Loaded plugins: changelog, priorities
+ 301 packages excluded due to repository priority protections
+ Resolving Dependencies
+ --> Running transaction check
+ ---> Package openpgpkey-milter.noarch 0:0.5-1.el7 will be installed
+ --> Processing Dependency: python-pymilter for package: openpgpkey-milter-0.5-1.el7.noarch
+ --> Running transaction check
+ ---> Package python-pymilter.x86_64 0:1.0-1.el7 will be installed
+ --> Processing Dependency: python-pydns for package: python-pymilter-1.0-1.el7.x86_64
+ --> Processing Dependency: libmilter.so.1.0()(64bit) for package: python-pymilter-1.0-1.el7.x86_64
+ --> Running transaction check
+ ---> Package python-pydns.noarch 0:
+ ---> Package sendmail-milter.x86_64 0:
+ --> Finished Dependency Resolution
+ Changes in packages about to be updated:
+
+
+ Dependencies Resolved
+
+ ================================================================================
+
+ ================================================================================
+ Installing:
+
+ Installing for dependencies:
+
+
+
+
+ Transaction Summary
+ ================================================================================
+ Install
+
+ Total download size: 231 k
+ Installed size: 518 k
+ Is this ok [y/d/N]: y
+ Downloading packages:
+ (1/4): openpgpkey-milter-0.5-1.el7.noarch.rpm
+ (2/4): python-pydns-2.3.6-2.el7.noarch.rpm
+ (3/4): python-pymilter-1.0-1.el7.x86_64.rpm
+ (4/4): sendmail-milter-8.14.7-5.el7.x86_64.rpm
+ --------------------------------------------------------------------------------
+ Total 598 kB/s | 231 kB 00:00
+ Running transaction check
+ Running transaction test
+ Transaction test succeeded
+ Running transaction
+ Installing : sendmail-milter-8.14.7-5.el7.x86_64
+ Installing : python-pydns-2.3.6-2.el7.noarch
+ Installing : python-pymilter-1.0-1.el7.x86_64
+ Installing : openpgpkey-milter-0.5-1.el7.noarch
+ Verifying
+ Verifying
+ Verifying
+ Verifying
+
+ Installed:
+ openpgpkey-milter.noarch 0:
+
+ Dependency Installed:
+ python-pydns.noarch 0:
+ sendmail-milter.x86_64 0:
+
+ Complete!
</code>
Line 212: | Line 279:
<code>
# rpm -qil openpgpkey-milter
+ Name : openpgpkey-milter
+ Version
+ Release
+ Architecture:
+ Install Date: Fri 31 Aug 2018 02:20:39 PM CEST
+ Group : System Environment/
+ Size : 50233
+ License
+ Signature
+ Source RPM : openpgpkey-milter-0.5-1.el7.src.rpm
+ Build Date : Mon 04 Jan 2016 01:08:27 AM CET
+ Build Host : bvirthost02-nfs.phx2.fedoraproject.org
+ Relocations : (not relocatable)
+ Packager
+ Vendor
+ URL : ftp://
+ Summary
+ Description :
+ The openpgpkey-milter package provides a milter plugin for sendmail or postfix
+ that will automatically encrypt plaintext emails if the target recipient is
+ publishing an OPENPGPKEY record protected with DNSSEC. This is currently an
+ IETF draft (draft-wouters-dane-openpgp)
+ /
+ /
+ /
+ /
+ /
+ /
+ /
+ /
+ /
+ </code>
+
+ The installation of **''
+ <code>
+ # yum install python-setproctitle
+ Loaded plugins: changelog, priorities
+ 301 packages excluded due to repository priority protections
+ Resolving Dependencies
+ --> Running transaction check
+ ---> Package python-setproctitle.x86_64 0:
+ --> Finished Dependency Resolution
+
+ Changes in packages about to be updated:
+
+
+ Dependencies Resolved
+
+ ================================================================================
+
+ ================================================================================
+ Installing:
+
+
+ Transaction Summary
+ ================================================================================
+ Install
+
+ Total download size: 15 k
+ Installed size: 29 k
+ Is this ok [y/d/N]: y
+ Downloading packages:
+ python-setproctitle-1.1.6-5.el7.x86_64.rpm
+ Running transaction check
+ Running transaction test
+ Transaction test succeeded
+ Running transaction
+ Installing : python-setproctitle-1.1.6-5.el7.x86_64
+ Verifying
+
+ Installed:
+ python-setproctitle.x86_64 0:
+
+ Complete!
+ </code>
+
+ The installation of **''
+ <code>
+ # rpm -qil python-setproctitle
+ Name : python-setproctitle
+ Version
+ Release
+ Architecture:
+ Install Date: Fri 31 Aug 2018 03:42:12 PM CEST
+ Group : Unspecified
+ Size : 30189
+ License
+ Signature
+ Source RPM : python-setproctitle-1.1.6-5.el7.src.rpm
+ Build Date : Tue 10 Jun 2014 10:01:15 AM CEST
+ Build Host : worker1.bsys.centos.org
+ Relocations : (not relocatable)
+ Packager
+ Vendor
+ URL : http://
+ Summary
+ Description :
+ Python module allowing a process to change its title as displayed by
+ system tool such as ps and top.
+
+ It's useful in multiprocess systems, allowing to identify tasks each forked
+ process is busy with. This technique has been used by PostgreSQL and OpenSSH.
+
+ It's based on PostgreSQL implementation which has proven to be portable.
+ /
+ /
+ /
+ /
+ /
+ </code>
+
+ ===== Service/
+
+ In order for a [[https://
+ <code>
+ # systemctl enable openpgpkey-milter.service
+ Created symlink from /
+ </code>
+
+ A check,
+ <code>
+ # systemctl list-unit-files --type=service | grep -e openpgpkey-milter.service
+ openpgpkey-milter.service
+ </code>
+ or
+ <code>
+ # systemctl is-enabled openpgpkey-milter.service
+ enabled
+ </code>
+
+ ===== iptables rule =====
+
+ [[https://
+
+ To view the current ''
+ <code>
+ # iptables -L -nv --line-numbers
+ Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
+ num pkts bytes target
+ 1 0 0 ACCEPT
+ 2 0 0 ACCEPT
+ 3 0 0 ACCEPT
+ 4 0 0 ACCEPT
+ 5 0 0 REJECT
+
+ Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
+ num pkts bytes target
+ 1 0 0 REJECT
+
+ Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
+ num pkts bytes target
+ </code>
+
+ The following command adds the following ''
+ * <
+ and here is the command:
+ <code>
+ # iptables -I INPUT 5 -p tcp --dport 8890 -j ACCEPT
+ </code>
+
+ A repeated query of the ''
+ <code>
+ # iptables -L -nv --line-numbers
+ Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
+ num pkts bytes target
+ 1 0 0 ACCEPT
+ 2 0 0 ACCEPT
+ 3 0 0 ACCEPT
+ 4 0 0 ACCEPT
+ 5 0 0 ACCEPT
+ 6 0 0 REJECT
+
+ Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
+ num pkts bytes target
+ 1 0 0 REJECT
+
+ Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
+ num pkts bytes target
+ </code>
+
+ The new line can be seen at **position 5 (INPUT)**; it is shown again below for clarity (**relevant excerpt only**):
+ <code>
+ ...
+ 5 0 0 ACCEPT
+ ...
+ </code>
+
+ To make this ''
+ <code>
+ # /
</code>
===== Configuration =====
- ==== Configuration:
+ ==== DNS records ====
The following command creates, under the following prerequisites, **two** **DNS records**,
Line 333: | Line 590:
pub 4096R/
sub 4096R/
+ </code>
+
+ ===== First start of OpenPGPKey-milter =====
+
+ To start the [[https://
+ <code>
+ # systemctl start openpgpkey-milter
+ </code>
+
+ A check whether the start of the [[http://
+ <code>
+ # systemctl status openpgpkey-milter
+ ● openpgpkey-milter.service - OPENPGPKEY auto encryption milter
+
+
+ Main PID: 31380 (openpgpkey-milt)
+
+
+
+
+ Aug 31 15:15:15 vml70060.idmz.tachtler.net systemd[1]: Started OPENPGPKEY aut...
+ Aug 31 15:15:15 vml70060.idmz.tachtler.net systemd[1]: Starting OPENPGPKEY au...
+ Aug 31 15:15:15 vml70060.idmz.tachtler.net openpgpkey-milter[31380]:
+ Aug 31 15:15:15 vml70060.idmz.tachtler.net openpgpkey-milter[31380]:
+ Hint: Some lines were ellipsized, use -l to show in full.
+ </code>
+
+ or, with the following command, whether the service/
+ <code>
+ # ps aux | grep openpgpkey-milter
+ root
+ root
+ root
+ </code>
+
+ ===== Configuration:
+
+ The following changes to the configuration files
+ * **''/
+ * **''/
+ are made,
+
+ In doing so, the integration of [[http://
+ * **''
+
+ ==== /
+
+ Here are the changes to the configuration file **''/
+
+ (**Relevant excerpt only**):
+
+ <code ini>
+ ...
+ # OPENPGPKEY (openpgpkey-milter)
+ openpgpkey_milter = inet:
+ ...
+ </code>
+
+ ==== /
+
+ Here are the changes to the configuration file **''/
+
+ (**Relevant excerpt only**):
+
+ <code ini>
+ # Tachtler - new -
+ # Outgoing traffic, BACK from amavisd-new from smtpd_proxy_filter.
+ 192.168.0.60:
+   -o content_filter=
+   -o smtpd_proxy_filter=
+ #  -o smtpd_milters=
+ #  -o smtpd_milters=${opendkim_milter}
+   -o smtpd_milters=${openpgpkey_milter},
+   -o smtpd_authorized_xforward_hosts=127.0.0.0/
+   -o smtpd_client_restrictions=
+   -o smtpd_helo_restrictions=
+   -o smtpd_sender_restrictions=
+   -o smtpd_relay_restrictions=
+   -o smtpd_recipient_restrictions=permit_mynetworks,
+   -o smtpd_data_restrictions=
+   -o mynetworks=0.0.0.0/
+   -o receive_override_options=no_unknown_recipient_checks
+ # Tachtler - new -
+ # Outgoing traffic, BACK from amavisd-new from content_filter.
+ 192.168.0.60:
+   -o content_filter=
+   -o smtpd_proxy_filter=
+ #  -o smtpd_milters=
+ #  -o smtpd_milters=${opendkim_milter}
+   -o smtpd_milters=${openpgpkey_milter},
+   -o smtpd_authorized_xforward_hosts=127.0.0.0/
+   -o smtpd_delay_reject=no
+   -o smtpd_client_restrictions=
+   -o smtpd_helo_restrictions=
+   -o smtpd_sender_restrictions=
+   -o smtpd_relay_restrictions=
+   -o smtpd_recipient_restrictions=permit_mynetworks,
+   -o smtpd_data_restrictions=reject_unauth_pipelining
+   -o smtpd_end_of_data_restrictions=
+   -o smtpd_restriction_classes=
+   -o mynetworks=0.0.0.0/
+   -o smtpd_error_sleep_time=0
+   -o smtpd_soft_error_limit=1001
+   -o smtpd_hard_error_limit=1000
+   -o smtpd_client_connection_count_limit=0
+   -o smtpd_client_connection_rate_limit=0
+ #  -o receive_override_options=no_header_body_checks,
+   -o receive_override_options=no_header_body_checks,
+   -o local_header_rewrite_clients=
+ ...
+ </code>
+
+ **__Explanations of the MOST IMPORTANT configurations follow:
+
+ * <code ini> -o smtpd_milters=${openpgpkey_milter},
+
+ This option ensures that the parameter ''
+
+ :!: **CAUTION** - **If a ''
+
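As an added example (not code from the original page), the following Python check parses a constructed master.cf excerpt modelled on the one above, expands the ${openpgpkey_milter} reference from main.cf parameters, and reports which smtpd services do not carry the OpenPGPKey milter in their smtpd_milters override. The milter socket inet:127.0.0.1:8890, the second milter and the service names are assumptions.

```python
import re

# Constructed sample master.cf excerpt, modelled on the page's (truncated) one.
MASTER_CF = """\
192.168.0.60:10025 inet n - n - - smtpd
  -o content_filter=
  -o smtpd_proxy_filter=
# -o smtpd_milters=${opendkim_milter}
  -o smtpd_milters=${openpgpkey_milter},${opendkim_milter}
  -o mynetworks=0.0.0.0/0
192.168.0.60:10026 inet n - n - - smtpd
  -o content_filter=
  -o smtpd_milters=${opendkim_milter}
"""
# Constructed main.cf parameters; both milter sockets are assumptions.
MAIN_CF = {"openpgpkey_milter": "inet:127.0.0.1:8890",
           "opendkim_milter": "inet:127.0.0.1:8891"}

def parse_master_cf(text):
    """Map each service name to its '-o key=value' overrides.
    Service lines start in column 0, overrides are indented, '#' lines are ignored."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():
            current = line.split()[0]
            services[current] = {}
        elif current is not None and line.strip().startswith("-o "):
            key, _, value = line.strip()[3:].partition("=")
            services[current][key.strip()] = value.strip()
    return services

def expand(value, params):
    """Expand Postfix-style ${name} / $name references from main.cf parameters."""
    return re.sub(r"\$\{?(\w+)\}?", lambda m: params.get(m.group(1), ""), value)

def milters(services, name, params):
    """Return the expanded, non-empty smtpd_milters list of one service."""
    raw = services[name].get("smtpd_milters", "")
    return [m for m in re.split(r"[,\s]+", expand(raw, params)) if m]

def services_missing(services, params, socket):
    """Names of services whose smtpd_milters override does not include `socket`."""
    return [s for s in services if socket not in milters(services, s, params)]
```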
+ ===== Restart MTA Postfix =====
+
+ If the above changes (adapted to your own needs, of course) have been made, a **restart** of [[http://
+
+ The **postfix** server can then be **__re__**started with the following command:
+ <code>
+ # systemctl restart postfix
+ </code>
+
+ The status can be queried with the following command:
+ <code>
+ # systemctl status postfix
+ postfix.service - Postfix Mail Transport Agent
+
+
+ Process: 1128 ExecStop=/
+ Process: 1144 ExecStart=/
+ Process: 1141 ExecStartPre=/
+ Process: 1138 ExecStartPre=/
+ Main PID: 1216 (master)
+
+
+
+
+
+ Oct 15 11:11:26 server60.idmz.tachtler.net systemd[1]: Starting Postfix Mail...
+ Oct 15 11:11:26 server60.idmz.tachtler.net postfix/
+ Oct 15 11:11:26 server60.idmz.tachtler.net postfix/
+ Oct 15 11:11:26 server60.idmz.tachtler.net systemd[1]: Started Postfix Mail ...
+ Hint: Some lines were ellipsized, use -l to show in full.
</code>
tachtler/postfix_centos_7_-_openpgpkey_anbinden_openpgpkey-milter.1535717153.txt.gz · Last modified: 2018/08/31 14:05 by klaus