http://www.qbsd.ru/api.php?action=feedcontributions&feedformat=atom&user=SshOpenBSD-Wiki - Вклад участника [ru]2026-04-29T10:24:17ZВклад участникаMediaWiki 1.35.2http://www.qbsd.ru/index.php?title=%D0%90%D0%B2%D1%82%D0%BE%D0%B4%D0%BE%D0%BF%D0%BE%D0%BB%D0%BD%D0%B5%D0%BD%D0%B8%D0%B5_%D0%B2_ksh&diff=481Автодополнение в ksh2017-05-04T05:27:46Z<p>Ssh: /* Пользовательские автодополнения в ksh */</p>
<hr />
<div>== Пользовательские автодополнения в ksh ==<br />
<br />
Как показала практика автодополнение, как оно реализовано например в Bash для меня избыточно, поэтому вариант с настройкой пользовательских параметров [http://man.openbsd.org/ksh#Emacs_editing_mode ksh(1)] оказался очень удобен.<br />
<br />
<pre>ssh3@balamut:~$ vmctl (TAB)<br />
Books/ Documents/ Music/ Video/ bin/ mbox work/<br />
<br />
ssh3@balamut:~$ set -A complete_vmctl -- console load reload start stop reset status<br />
<br />
ssh3@balamut:~$ vmctl (TAB)<br />
console load reload start stop reset status<br />
<br />
ssh3@balamut:~$ set -A complete_vmctl_1 -- console load reload start stop reset status<br />
<br />
ssh3@balamut:~$ vmctl (TAB)<br />
console load reload start stop reset status<br />
<br />
ssh3@balamut:~$ vmctl status (TAB)<br />
Books/ Documents/ Music/ Video/ bin/ mbox work/</pre><br />
<br />
[[https://deftly.net/posts/2017-05-01-openbsd-ksh-tab-complete.html По мотивам]]</div>Sshhttp://www.qbsd.ru/index.php?title=%D0%90%D0%B2%D1%82%D0%BE%D0%B4%D0%BE%D0%BF%D0%BE%D0%BB%D0%BD%D0%B5%D0%BD%D0%B8%D0%B5_%D0%B2_ksh&diff=480Автодополнение в ksh2017-05-04T03:15:29Z<p>Ssh: Новая страница: «== Пользовательские автодополнения в ksh == Как показала практика автодополнение, как оно…»</p>
<hr />
<div>== Пользовательские автодополнения в ksh ==<br />
<br />
Как показала практика автодополнение, как оно реализовано например в Bash для меня избыточно, поэтому вариант с настройкой пользовательских параметров [http://man.openbsd.org/ksh#Emacs_editing_mode ksh(1)] оказался очень удобен.<br />
<br />
<pre>shupikov@balamut:~$ vmctl (TAB)<br />
Books/ Documents/ Music/ Video/ bin/ mbox work/<br />
<br />
shupikov@balamut:~$ set -A complete_vmctl -- console load reload start stop reset status<br />
<br />
shupikov@balamut:~$ vmctl (TAB)<br />
console load reload start stop reset status<br />
<br />
shupikov@balamut:~$ set -A complete_vmctl_1 -- console load reload start stop reset status<br />
<br />
shupikov@balamut:~$ vmctl (TAB)<br />
console load reload start stop reset status<br />
<br />
shupikov@balamut:~$ vmctl status (TAB)<br />
Books/ Documents/ Music/ Video/ bin/ mbox work/</pre><br />
<br />
[[https://deftly.net/posts/2017-05-01-openbsd-ksh-tab-complete.html По мотивам]]</div>Sshhttp://www.qbsd.ru/index.php?title=%D0%A3%D1%87%D0%B0%D1%81%D1%82%D0%BD%D0%B8%D0%BA:Ssh&diff=479Участник:Ssh2017-05-04T02:00:14Z<p>Ssh: </p>
<hr />
<div>= Заметки =<br />
<br />
[[Список открытых портов]]<br />
<br />
[[OpenBSD на рабочей станции]]<br />
<br />
[["Горячие" клавиши tmux и screen]]<br />
<br />
[[OpenBSD doas]]<br />
<br />
[[Почтовый сервер на базе OpenBSD 6.0|Почтовый сервер на базе OpenBSD 6.x]]<br />
<br />
[[Автодополнение в ksh]]</div>Sshhttp://www.qbsd.ru/index.php?title=%D0%A3%D1%87%D0%B0%D1%81%D1%82%D0%BD%D0%B8%D0%BA:Ssh&diff=478Участник:Ssh2017-05-04T01:59:00Z<p>Ssh: /* Заметки */</p>
<hr />
<div>= Заметки =<br />
<br />
[[Список открытых портов]]<br />
<br />
[[OpenBSD на рабочей станции]]<br />
<br />
[["Горячие" клавиши tmux и screen]]<br />
<br />
[[OpenBSD doas]]<br />
<br />
[[Почтовый сервер на базе OpenBSD 6.x]]<br />
<br />
[[Автодополнение в ksh]]</div>Sshhttp://www.qbsd.ru/index.php?title=%D0%9F%D0%BE%D1%87%D1%82%D0%BE%D0%B2%D1%8B%D0%B9_%D1%81%D0%B5%D1%80%D0%B2%D0%B5%D1%80_%D0%BD%D0%B0_%D0%B1%D0%B0%D0%B7%D0%B5_OpenBSD_6.0&diff=477Почтовый сервер на базе OpenBSD 6.02017-04-18T07:43:24Z<p>Ssh: /* Вступление */</p>
<hr />
<div>= Вступление =<br />
Перевод [http://technoquarter.blogspot.ru статьи] Chess Griffin с небольшим количеством комментариев от переводчика, в основном связанных с тем, что с момента релиза [http://www.openbsd.org/56.html OpenBSD 5.6], система стала еще [http://www.openbsd.org/60.html лучше!]<br />
<br />
== Цель ==<br />
Создать достаточно безопасный почтовый сервер на базе OpenBSD и нескольких пакетов. OpenSMTPD, spamd, pf и httpd входят в состав базовой системы. Дополнительно потребуются [https://www.clamav.net ClamAV], [http://thewalter.net/stef/software/clamsmtp ClamSMTP], [http://spamassassin.apache.org SpamAssassin], [http://www.worlddesign.com/Content/rd/mta/spampd/spampd.html SpamPD], [http://dkimproxy.sourceforge.net DKIMproxy], [http://www.dovecot.org Dovecot], [http://pigeonhole.dovecot.org Dovecot-Pigeonhole] и [https://roundcube.net Roundcube].<br />
<br />
== Окончательный результат ==<br />
<br />
=== Обработка входящих сообщений ===<br />
pf -> spamd -> opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> spampd -> SpamAssassin -> spampd -> opensmtpd -> deliver to dovecot/lmtp<br />
<br />
=== Обработка исходящих сообщений ===<br />
opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> dkimproxy -> opensmtpd -> relay out<br />
<br />
=== Дополнительно ===<br />
Доступ посредством IMAP (SSL): Dovecot<br />
<br />
Доступ к почте через веб-интерфейса (SSL): httpd и Roundcube<br />
<br />
== Почему OpenBSD? ==<br />
Это прекрасная операционная система, созданная и поддерживаемая многими умными людьми. Кроме того, мне нравится, что большое количество великолепного программного обеспечения включено в базовую систему. Если вы найдёте это руководство полезным или откроете как восхитительна OpenBSD, пожалуйста подумайте над тем, чтобы поддержать проект — это может быть приобретение набора компакт дисков<ref>С релиза 6.1, OpenBSD [http://undeadly.org/cgi?action=article&sid=20160901090415 не будет распространяться на CD], но вы по прежнему можете [https://www.openbsdstore.com/cgi-bin/live/ecommerce.pl?site=shop_openbsdeurope_com&state=department приобрести] различные предметы с символикой OpenBSD. прим. переводчика</ref> или сделав [http://www.openbsd.org/donations.html пожертвование]. Команда разработчиков OpenBSD отлично выполняет свою работу, которая приносит пользу всему сообществу и ваша поддержка не будет лишней!<br />
<br />
== Зачем SpamAssassin в дополнение к spamd? ==<br />
Spamd отлично работает, не создавая лишней нагрузки. Он отлавливает большую часть моего спама (более 95 %), так что я почти решил отказаться от возни со SpamAssassin. Но подумав, решил что будет интересно попробовать интегрировать их оба.<br />
<br />
== Почему не <вставьте имя любимой операционной системы или программы>? ==<br />
Никогда не слышал об этом. ;-)<br />
<br />
== Why bother with setting up your own email server to begin with? Why not just keep using Gmail? ==<br />
I used to run my own email server back when I hosted the Linux Reality podcast and decided it would be a fun exercise to try it again. The email server I set up using the steps in this guide might become my primary email server. Or, I might take the server down tomorrow and go back to using AOL and working on my Geocities page. Who knows?<br />
<br />
== Assumptions ==<br />
This guide assumes an understanding of how to install and configure OpenBSD and an understanding of networking and email, both in general and in regards to OpenBSD in particular. Additionally, this guide assumes an understanding of how to install packages with a properly configured $PKG_PATH, how to work from the command line and edit configuration files, how to change DNS records and MX records, and other general nuts and bolts. These kinds of basic topics will not be covered in this guide.<br />
<br />
== Disclaimer ==<br />
I am an ordinary OpenBSD user. I am not a sysadmin, developer, programmer, kung-fu master, or expert in any of these areas. This guide is mainly a writeup for myself so I can replicate these steps in the future. If someone finds it helpful, fine, but it is by no means the only way or even the best way to configure an email server. There are most likely mistakes in this guide, so take it for what it’s worth and YMMV. If your email breaks because of this guide, then don’t run your own email server. Feedback and corrections are welcome.<br />
<br />
== Updates ==<br />
Updated the last line of example smtpd.conf from "for any" to "for domain <vdomains>". Thanks to Christoph on the opensmtpd-misc mailing list.<br />
Removed bit about enabling pf since it's enabled by default. Duh. Also changed notations of port 587 to 'submission' which is the name of that port in /etc/services. Thanks to rjc.<br />
<br />
== Resources ==<br />
* OpenBSD FAQ (required)<br />
* OpenBSD man pages (required)<br />
* OpenSMTPD wiki<br />
* Helpful thread on OpenSMTPD mailing list re: tagging and proxying<br />
* http://www.kernel-panic.it/openbsd/mail/ (the bits about ClamAV and SpamAssassing are helpful)<br />
* https://coderwall.com/p/eejzja/simple-smtp-server-with-opensmtpd<br />
* http://blog.ehouse.io/mail-server-basic-smtp.html<br />
* http://blog.admiral0.it/computing/mail-server-with-opensmtpd-dovecot-and-amavisdspamassassin<br />
<br><br />
<br />
= Initial Setup =<br />
<br />
# Install OpenBSD 5.6. If using the auto-partitioner, make sure enough space is allocated to /usr and /usr/src to allow for extracting the sources (below). Edit /etc/rc.conf.local and add «-s» to ntpd_flags so time is set at boot if desired.<br />
# Add a rule to default /etc/pf.conf to allow incoming ssh connections, such as:<br />
#: <code># cat /etc/pf.conf<br />&hellip;<br />pass in on egress proto tcp to any port ssh<br />&hellip;</code><br />
# Reload pf with:<br />
#: <code># pfctl -f /etc/pf.conf</code><br />
# Update the system by [http://www.openbsd.org/faq/faq5.html#BldGetSrc fetching the sources] via ftp and [http://www.openbsd.org/errata60.html patching].<br />
# Set up $PKG_PATH to install packages.<br />
# Configure MX records etc. at domain registrar, perhaps with an unused domain for testing purposes.<br><br><br />
<br />
= OpenSMTPD и spamd =<br />
# Read the man page for smtpd and smtpd.conf and review the configuration files.<br />
# Set up virtual users and virtual domains:<br />
#: <code># cat /etc/mail/vusers</code><br />
#: <code>joe@example.com joe</code><br />
#: <code>@example.com joe</code><br />
#: <code>joe@example.net joe</code><br />
#: <code>@example.net joe</code><br />
#: <br><br />
#: <code># cat /etc/mail/vdomains</code><br />
#: <code>example.com</code><br />
#: <code>example.net</code><br />
#: <br><br />
# Create SSL certificates as described in man 5 smtpd.conf:<br />
#: <code># openssl genrsa -out /etc/ssl/private/mail.example.com.key 4096</code><br />
#: <code># openssl req -new -x509 -key /etc/ssl/private/mail.example.com.key -out /etc/ssl/mail.example.com.crt -days 365</code><br />
#: <code># chmod 600 /etc/ssl/mail.example.com.crt</code><br />
#: <code># chmod 600 /etc/ssl/private/mail.example.com.key</code><br />
#: <br><br />
# Create ~/Maildir for user («joe» in this example).<br />
# Edit /etc/mail/smtpd.conf so it listens on egress with tls (for incoming mail) and egress port 587 (submission) with tls and authentication (for outgoing mail), accepts mail for virtual users and virtual domains, and delivers this mail to Maildir. Note that the smtpd.conf man page clearly says: «For each message processed by the daemon, the filter rules are evaluated in sequential order, from first to last. The first matching rule decides what action is taken.» Therefore, the order of the rules in smtpd.conf is very important and will become more important as additional bits are added (e.g. for clamsmtp, spampd, and dkimproxy).<br />
#: <code># cat /etc/mail/smtpd.conf</code><br />
#: <code>pki mail.example.com certificate "/etc/ssl/mail.example.com.crt"</code><br />
#: <code>pki mail.example.com key "/etc/ssl/private/mail.example.com.key"</code><br />
#: <br><br />
#: <code>listen on lo0</code><br />
#: <code>listen on egress tls pki mail.example.com auth-optional</code><br />
#: <code>listen on egress port submission tls-require pki mail.example.com auth</code><br />
#: <br><br />
#: <code>table aliases db:/etc/mail/aliases.db</code><br />
#: <code>table vusers file:/etc/mail/vusers</code><br />
#: <code>table vdomains file:/etc/mail/vdomains</code><br />
#: <br><br />
#: <code>accept for local alias <aliases> deliver to maildir</code><br />
#: <br><br />
#: <code>accept from any for domain <vdomains> virtual <vusers> deliver to maildir</code><br />
#: <code>accept from local for any relay</code><br />
#: <br><br />
# Edit pf.conf to allow connections on smtp port 25 and port 587, such as:<br />
#: <code># cat /etc/pf.conf</code><br />
#: <code>...</code><br />
#: <code>pass in on egress proto tcp to any port smtp</code><br />
#: <code>pass in on egress proto tcp to any port submission</code><br />
#: <code>...</code><br />
#: <br><br />
# Reload pf and start /etc/rc.d/smtpd.<br />
# Test sending mail to/from the user’s account. Since there is no imap client yet, might want to install mutt or something similar and point to the user’s ~/Maildir to check incoming mail. The user should be able to connect to OpenSMTPD on port 587 from an outside client to send mail through OpenSMTPD to another party. Sending outbound mail from the command line should also work. Perhaps telnet into the server or run a couple of SMTP checks against the server like this one to verify things are working correctly. The session transcript should look something like this:<br />
#: <code>Connecting to 123.456.789.000</code><br />
#: <br><br />
#: <code>220 mail.example.com ESMTP OpenSMTPD [624 ms]</code><br />
#: <code>EHLO MXTB-PWS3.mxtoolbox.com</code><br />
#: <code>250-mail.example.com Hello MXTB-PWS3.mxtoolbox.com [64.20.227.133], pleased to meet you</code><br />
#: <code>250-8BITMIME</code><br />
#: <code>250-ENHANCEDSTATUSCODES</code><br />
#: <code>250-SIZE 36700160</code><br />
#: <code>250-DSN</code><br />
#: <code>250-STARTTLS</code><br />
#: <code>250 HELP [640 ms]</code><br />
#: <code>MAIL FROM: <supertool@mxtoolbox.com></code><br />
#: <code>250 2.0.0: Ok [640 ms]</code><br />
#: <code>RCPT TO: <test@example.com></code><br />
#: <code>550 Invalid recipient [640 ms]</code><br />
#: <br><br />
#: <code>MXTB-PWS3v2 3260ms</code><br />
#: <br><br />
# If that works, set up spamd. This is a very simple and standard setup and there are lots of resources out there on how to do this, but here is the shorthand: Add spamd_flags="-v" to /etc/rc.conf.local. Edit /etc/mail/spamd.conf to add override/whitelist if desired (file /etc/mail/nospamd in sample pf rules). Add spamd pf rules from example /etc/pf.conf and comment out prior rule that passed smtp on egress (because now we want incoming mail to be redirected to spamd running on localhost port 8025):<br />
#: <code># cat /etc/pf.conf</code><br />
#: <br><br />
#: <code>...</code><br />
#: <code>#pass in on egress proto tcp to any port smtp</code><br />
#: <code>pass in on egress proto tcp to any port submission</code><br />
#: <code># rules for spamd(8)</code><br />
#: <code>table <spamd-white> persist</code><br />
#: <code>table <nospamd> persist file "/etc/mail/nospamd"</code><br />
#: <code>pass in on egress proto tcp from any to any port smtp rdr-to 127.0.0.1 port spamd</code><br />
#: <code>pass in on egress proto tcp from <nospamd> to any port smtp</code><br />
#: <code>pass in log on egress proto tcp from <spamd-white> to any port smtp</code><br />
#: <code> pass out log on egress proto tcp to any port smtp</code><br />
#: <code>...</code><br />
#: <br><br />
#: Reload pf and start /etc/rc.d/spamd. Check netstat to see if spamd is listening on port 8025:<br />
#: <code># netstat -na -f inet</code><br />
#: <br><br />
# Send test emails again and check logs and 'spamdb' to see if email is getting greylisted. Once spamd is working, those third-party SMTP checks won’t work because spamd is intercepting incoming mail. Same with telnet, if you can stand waiting for the stuttering. ;-) Anyway, now the session transcript should look something like this:<br />
#: <code>Connecting to 123.456.789.000</code><br />
#: <br><br />
#: <code>220 mail.example.com ESMTP spamd IP-based SPAM blocker; Sat Jan 31 11:33:21 2015 [11716 ms]</code><br />
#: <code>EHLO MXTB-PWS3.mxtoolbox.com</code><br />
#: <code>250 Hello, spam sender. Pleased to be wasting your time. [640 ms]</code><br />
#: <code>MAIL FROM: <supertool@mxtoolbox.com></code><br />
#: <code>250 You are about to try to deliver spam. Your time will be spent, for nothing. [640 ms]</code><br />
#: <code>RCPT TO: <test@example.com></code><br />
#: <code>250 This is hurting you more than it is hurting me. [640 ms]</code><br />
#: <br><br />
#: <code>MXTB-PWS3v2 14602ms</code><br />
#: <br><br />
#: Haha. Love spamd.<br />
# So here is what’s happening:<br />
#: <br />
#: '''Incoming mail''':<br />
#: pf -> relay to spamd -> send to opensmtpd on lo0 -> deliver to maildir<br />
#: <br><br />
#: '''Outoing mail''':<br />
#: opensmtpd on lo0 -> relay out<br />
<br />
= ClamAV and ClamSMTP =<br />
# Install clamav and clamsmtp from packages.<br />
# Edit /etc/freshclam.conf — comment out the «Example» line and uncomment the «DatabaseMirror» line and add the relevant country code in place of the «XY.»<br />
#: <code># cat /etc/freshclam.conf</code><br />
#: <code>#Example</code><br />
#: <code>...</code><br />
#: <code>DatabaseMirror db.us.clamav.net</code><br />
#: <code>...</code><br />
#: <br><br />
#: Run ‘freshclam’ to update the database. Add a freshclam command to root’s crontab to have periodic updates:<br />
#: <code>20 * * * * /usr/local/bin/freshclam >/dev/null 2>&1</code><br />
#: <br><br />
# Once freshclam has updated the database, edit /etc/clamd.conf. Comment out the «Example» line, uncomment «TCPSocket» and «TCPAddr» lines and change them so clamd listens on port 3310 at 127.0.0.1.<br />
#: <code># cat /etc/clamd.conf</code><br />
#: <code>#Example</code><br />
#: <code>...</code><br />
#: <code>TCPSocket 3310</code><br />
#: <code>...</code><br />
#: <code>TCPAddr 127.0.0.1</code><br />
#: <code>...</code><br />
#: <br><br />
#: Add «clamd» to pkg_scripts in /etc/rc.conf.local and then start clamd. Check netstat -na -f inet to see if clamd is running on 127.0.0.1:3310. Check out both /etc/freshclam.conf and /etc/clamd.conf to look at logging options or actions (in VirusEvent) to take when a virus is found. Can set it up so it drops an email into root’s mailbox when a virus is found.<br />
# Now, set up clamsmtp, which is a proxy for clamd. Two config files will be used, one for incoming mail and one for outgoing mail. OpenSMTPD will accept mail, send it to clamsmtp on one port for incoming mail (10025) and a different port (10027) for outgoing mail. Clamsmtp will run the mail through clamd, and then return it to OpenSMTPD for incoming mail (10026) or outgoing mail (10028). Depending on which port the mail is returned to, OpenSMTPD will tag it CLAM_IN or CLAM_OUT.<br />
#: So copy /etc/clamsmtpd.conf and create /etc/clamsmtpd-in.conf and /etc/clamsmtpd-out.conf. Modify the files like so:<br />
#: <code># cat /etc/clamsmtpd-in.conf</code><br />
#: <code>OutAddress: 10026</code><br />
#: <code>...</code><br />
#: <code>Listen: 0.0.0.0:10025</code><br />
#: <code>...</code><br />
#: <code>ClamAddress: 127.0.0.1:3310</code><br />
#: <code>...</code><br />
#: <br><br />
#: <code># cat /etc/clamsmtpd-out.conf</code><br />
#: <code>OutAddress: 10028</code><br />
#: <code>...</code><br />
#: <code>Listen: 0.0.0.0:10027</code><br />
#: <code>...</code><br />
#: <code>ClamAddress: 127.0.0.1:3310</code><br />
#: <code>...</code><br />
#: <br><br />
# Start them both:<br />
#: <code># /usr/local/sbin/clamsmtpd -f /etc/clamsmtpd-in.conf</code><br />
#: <code># /usr/local/sbin/clamsmtpd -f /etc/clamsmtpd-out.conf</code><br />
#: <br><br />
#: (add something similar to /etc/rc.local so they start at boot)<br />
# Edit /etc/mail/smtpd.conf so it looks like this:<br />
#: <code># cat /etc/mail/smtpd.conf</code><br />
#: <br><br />
#: <code>pki mail.example.com certificate "/etc/ssl/mail.example.com.crt"</code><br />
#: <code>pki mail.example.com key "/etc/ssl/private/mail.example.com.key"</code><br />
#: <br><br />
#: <code>listen on lo0</code><br />
#: <code>listen on lo0 port 10026 tag CLAM_IN # incoming mail</code><br />
#: <code>listen on lo0 port 10028 tag CLAM_OUT # outgoing mail</code><br />
#: <code>listen on egress tls pki mail.example.com auth-optional</code><br />
#: <code>listen on egress port submission tls-require pki mail.example.com auth</code><br />
#: <br><br />
#: <code>table aliases db:/etc/mail/aliases.db</code><br />
#: <code>table vusers file:/etc/mail/vusers</code><br />
#: <code>table vdomains file:/etc/mail/vdomains</code><br />
#: <br><br />
#: <code>accept for local alias <aliases> deliver to maildir</code><br />
#: <br><br />
#: <code># tagged mail returned from clamsmtpd either deliver or relay</code><br />
#: <code>accept tagged CLAM_IN for domain <vdomains> virtual <vusers> deliver to maildir</code><br />
#: <code>accept tagged CLAM_OUT for any relay</code><br />
#: <br><br />
#: <code># start here - untagged mail is sent to clamsmtpd</code><br />
#: <code>accept from any for domain <vdomains> relay via smtp://127.0.0.1:10025 # incoming mail</code><br />
#: <code>accept from local for any relay via smtp://127.0.0.1:10027 # outgoing mail</code><br />
#: <br><br />
#: So here is what’s happening:<br />
#: '''Incoming mail''':<br />
#: pf -> relay to spamd -> send to opensmtpd on lo0 -> relay untagged mail to clamsmtpd on port 10025 -> relay to clamd on port 3310 -> return to clamsmtpd -> return to opensmtpd on lo0 port 10026 and tag it CLAM_IN -> deliver to maildir<br />
#: <br><br />
#: '''Outoing mail''':<br />
#: opensmtpd on lo0 -> relay untagged mail to clamsmtpd on port 10027 -> relay to clamd on port 3310 -> return to clamsmtpd -> return to opensmtpd on lo0 port 10028 and tag it CLAM_OUT -> relay out<br />
# Send some emails both ways. This should be in the header:<br />
#: <code>X-Virus-Scanned: ClamAV using ClamSMTP</code><br />
<br />
= SpamAssassin and SpamPD =<br />
# Install p5-Mail-SpamAssassin and spampd from packages.<br />
# Edit /etc/mail/spamassassin/local.cf and uncomment the «rewrite_header» line.<br />
# Spampd will be used as a proxy like clamsmtp. For purposes of this guide, only incoming mail will be scanned. Spampd by default runs on port 10025 but that port is already being used for clamsmtp. So, add the following to /etc/rc.conf.local:<br />
#: <code>spampd_flags="--port=10035 --relayhost=127.0.0.1:10036 --tagall -aw"</code><br />
#: With these flags, spampd will listen on port 10035 and after processing the mail through SpamAssassin, spampd will relay the mail back to port 10036, where OpenSMTPD will be listening.<br />
#: UPDATE: spampd seems to have trouble binding to the right port (10035 in this case) upon a reboot even with those spampd_flags set in /etc/rc.conf.local. It tries to bind to 10025 which, as noted previously, is being used by clamsmtp, and therefore spampd fails to work and incoming mail has no place to go when opensmtpd tries to relay it to spampd. I have to manually log in and kick spampd to get it to bind to 10035. Still investigating a solution other than changing all the ports around …<br />
#: Add «spamassassin» and «spampd» to pkg_scripts in /etc/rc.conf.local and then start both spamassassin and spampd. A «netstat -na -f inet» should show spampd listening on port 10035.<br />
# Once spampd was processing mail, there were errors in /var/log/maillog along the lines of: «spampd Insecure dependency -T switch at Socket.pm» and it wasn’t working. Turns out spampd needs patching for newer Perl. See this: https://github.com/mpaperno/spampd/issues/2. Here is a patch to /usr/local/sbin/spampd (also found here):<br />
#: <code>--- spampd.orig Thu Jan 29 23:19:45 2015</code><br />
#: <code>+++ spampd Thu Jan 29 23:21:31 2015</code><br />
#: <code>@@ -824,6 +824,22 @@ if ( $logsock !~ /^(unix|inet)$/ ) {</code><br />
#: <code> usage(0);</code><br />
#: <code> }</code><br />
#: <code>+# Untaint some options provided by admin command line.</code><br />
#: <code>+$pidfile =~ /^(.*)$/;</code><br />
#: <code>+$pidfile = $1;</code><br />
#: <code>+</code><br />
#: <code>+$relayhost =~ /^(.*)$/;</code><br />
#: <code>+$relayhost = $1;</code><br />
#: <code>+</code><br />
#: <code>+$relayport =~ /^(.*)$/;</code><br />
#: <code>+$relayport = $1;</code><br />
#: <code>+</code><br />
#: <code>+$host =~ /^(.*)$/;</code><br />
#: <code>+$host = $1;</code><br />
#: <code>+</code><br />
#: <code>+$port =~ /^(.*)$/;</code><br />
#: <code>+$port = $1;</code><br />
#: <code>+</code><br />
#: <code> if ( $options{tagall} ) { $tagall = 1; }</code><br />
#: <code> if ( $options{'log-rules-hit'} ) { $rh = 1; }</code><br />
#: <code> if ( $options{debug} ) { $debug = 1; $nsloglevel = 4; }</code><br />
#: <br><br />
# Restart spampd after applying that patch.<br />
# Now, modify /etc/mail/smtpd.conf similar to what was done for clamsmtp:<br />
#: <code># cat /etc/mail/smtpd.conf</code><br />
#: <code>pki mail.example.com certificate "/etc/ssl/mail.example.com.crt"</code><br />
#: <code>pki mail.example.com key "/etc/ssl/private/mail.example.com.key"</code><br />
#: <br><br />
#: <code>listen on lo0</code><br />
#: <code>listen on lo0 port 10026 tag CLAM_IN # incoming mail</code><br />
#: <code>listen on lo0 port 10028 tag CLAM_OUT # outgoing mail</code><br />
#: <code>listen on lo0 port 10036 tag SPAM_IN # incoming mail</code><br />
#: <code>listen on egress tls pki mail.example.com auth-optional</code><br />
#: <code>listen on egress port submission tls-require pki mail.example.com auth</code><br />
#: <br><br />
#: <code>table aliases db:/etc/mail/aliases.db</code><br />
#: <code>table vusers file:/etc/mail/vusers</code><br />
#: <code>table vdomains file:/etc/mail/vdomains</code><br />
#: <br><br />
#: <code>accept for local alias <aliases> deliver to maildir</code><br />
#: <br><br />
#: <code># tagged mail returned from spampd deliver to maildir</code><br />
#: <code>accept tagged SPAM_IN for domain <vdomains> virtual <vusers> deliver to maildir</code><br />
#: <br><br />
#: <code># tagged mail returned from clamsmtpd either send to spampd or relay</code><br />
#: <code>accept tagged CLAM_IN for any relay via smtp://127.0.0.1:10035 # send to spampd</code><br />
#: <code>accept tagged CLAM_OUT for any relay</code><br />
#: <br><br />
#: <code># start here - untagged mail is sent to clamsmtpd</code><br />
#: <code>accept from any for domain <vdomains> relay via smtp://127.0.0.1:10025 # incoming mail</code><br />
#: <code>accept from local for any relay via smtp://127.0.0.1:10027 # outgoing mail</code><br />
#: <br><br />
# There were still some errors in /var/log/maillog. First, there was something like this:<br />
#: <code>Feb 03 16:48:44 server spampd[22524]: spf: lookup failed: available_nameservers: No DNS servers available!</code><br />
#: <code>Feb 03 16:48:44 server spampd[22524]: rules: failed to run USER_IN_DEF_DKIM_WL test, skipping: (available_nameservers: No DNS servers available!)</code><br />
#: <br><br />
#: Turns out, SpamAssassin had broken DNS lookups. Here is the patch to /usr/local/libdata/perl5/site_perl/Mail/SpamAssassin/DnsResolver.pm (also found here):<br />
#: <code>--- DnsResolver.pm.orig Fri Feb 7 03:36:28 2014</code><br />
#: <code>+++ DnsResolver.pm Thu Nov 13 16:04:01 2014</code><br />
#: <code>@@ -204,8 +204,10 @@</code><br />
#: <code> @ns_addr_port = @{$self->{conf}->{dns_servers}};</code><br />
#: <code> dbg("dns: servers set by config to: %s", join(', ',@ns_addr_port));</code><br />
#: <code> } elsif ($res) { # default as provided by Net::DNS, e.g. /etc/resolv.conf</code><br />
#: <code>- @ns_addr_port = map(untaint_var("[$_]:" . $res->{port}),</code><br />
#: <code>- @{$res->{nameservers}});</code><br />
#: <code>+ my @ns = $res->UNIVERSAL::can('nameservers') ? $res->nameservers</code><br />
#: <code>+ : @{$res->{nameservers}};</code><br />
#: <code>+ my $port = $res->UNIVERSAL::can('port') ? $res->port : $res->{port};</code><br />
#: <code>+ @ns_addr_port = map(untaint_var("[$_]:" . $port), @ns);</code><br />
#: <code> dbg("dns: servers obtained from Net::DNS : %s", join(', ',@ns_addr_port));</code><br />
#: <code> }</code><br />
#: <code> return @ns_addr_port;</code><br />
#: <br><br />
# Then, there was this:<br />
#: <code>Feb 03 16:48:44 server spampd[22524]: plugin: eval failed: bayes: (in learn) locker: safe_lock: cannot create tmp lockfile /var/spampd/.spamassassin/bayes.lock.mail.example.com.22524 for /var/spampd/.spamassassin/bayes.lock: Permission denied</code><br />
#: It appeared that although /var/spampd was set to _spampd:_spampd, the /var/spampd/.spamassassin was set to root:_spampd and the permissions were 700 (IIRC). Anyway, chown that directory to also be _spampd:_spampd and then it appears to work fine.<br />
# So now here is what’s happening:<br />
#: '''Incoming mail''':<br />
#: pf -> relay to spamd -> send to opensmtpd on lo0 -> relay untagged mail to clamsmtpd on port 10025 -> relay to clamd on port 3310 -> return to clamsmtpd -> return to opensmtpd on lo0 port 10026 and tag it CLAM_IN -> relay tagged CLAM_IN mail to spampd on port 10035 -> run it through SpamAssassin -> return to spampd -> return to opensmtpd on lo0 port 10036 and tag it SPAM_IN -> deliver to maildir<br />
#: <br><br />
#: '''Outoing mail''' (unchanged from before since outgoing mail is not sent to spampd):<br />
#: opensmtpd on lo0 -> relay untagged mail to clamsmtpd on port 10027 -> relay to clamd on port 3310 -> return to clamsmtpd -> return to opensmtpd on lo0 port 10028 and tag it CLAM_OUT -> relay out<br />
# Test again, both ways. Use the GTUBE test to see if it’s flagged as spam. There should be SpamAssassin headers in the incoming email. SpamAssassin can be further set up for Bayesian training and cron entries for running sa-learn on designated directories.<br />
<br />
= DKIMproxy =<br />
# Follow the steps here to create public and private keys that will be used by DKIMproxy.<br />
# Create a TXT record for each domain the server will be hosting that looks something like this:<br />
#: <code>selector1._domainkey v=DKIM1; k=rsa; p=KEY_GOES_HERE TXT 1800 TTL</code><br />
#: <br><br />
# Install dkimproxy from ports (no packages available for OpenBSD 5.6). It has no dependencies that aren’t already pulled in from prior packages so it’s an easy and quick build.<br />
# Edit /etc/dkimproxy_out.conf so it looks something like this (note that the default ports are different so they don’t conflict with the earlier clamsmtpd setup):<br />
#: <code># cat /etc/dkimproxy_out.conf</code><br />
#: <code># specify what address/port DKIMproxy should listen on</code><br />
#: <code>#listen 127.0.0.1:10027</code><br />
#: <code>listen 127.0.0.1:10030</code><br />
#: <br><br />
#: <code># specify what address/port DKIMproxy forwards mail to</code><br />
#: <code>#relay 127.0.0.1:10028</code><br />
#: <code>relay 127.0.0.1:10029</code><br />
#: <br><br />
#: <code># specify what domains DKIMproxy can sign for (comma-separated, no spaces)</code><br />
#: <code>#domain example.org</code><br />
#: <code>domain example.com,example.net</code><br />
#: <br><br />
#: <code># specify what signatures to add</code><br />
#: <code>signature dkim(c=relaxed)</code><br />
#: <code>signature domainkeys(c=nofws)</code><br />
#: <br><br />
#: <code># specify location of the private key</code><br />
#: <code>#keyfile /full/path/to/private.key</code><br />
#: <code>keyfile /etc/mail/dkim/private.key</code><br />
#: <br><br />
#: <code># specify the selector (i.e. the name of the key record put in DNS)</code><br />
#: <code>selector selector1</code><br />
#: <code>...</code><br />
#: <br><br />
#: Since SpamAssassin already does DKIM checking for incoming mail, dkimproxy is only used for outgoing mail to add the DKIM keys etc. to outgoing headers.<br />
# Add «dkimproxy_out» to pkg_scripts in /etc/rc.conf.local and start it up. Again, check netstat -na -f inet to see if it’s listening on port 10030.<br />
# Same drill as before. Edit /etc/mail/smtpd.conf so it looks something like this:<br />
#: <code># cat /etc/mail/smtpd.conf</code><br />
#: <code>pki mail.example.com certificate "/etc/ssl/mail.example.com.crt"</code><br />
#: <code>pki mail.example.com key "/etc/ssl/private/mail.example.com.key"</code><br />
#: <br><br />
#: <code>listen on lo0</code><br />
#: <code>listen on lo0 port 10026 tag CLAM_IN # incoming mail</code><br />
#: <code>listen on lo0 port 10028 tag CLAM_OUT # outgoing mail</code><br />
#: <code>listen on lo0 port 10036 tag SPAM_IN # incoming mail</code><br />
#: <code>listen on lo0 port 10029 tag DKIM_OUT # outgoing mail</code><br />
#: <code>listen on egress tls pki mail.example.com auth-optional</code><br />
#: <code>listen on egress port submission tls-require pki mail.example.com auth</code><br />
#: <br><br />
#: <code>table aliases db:/etc/mail/aliases.db</code><br />
#: <code>table vusers file:/etc/mail/vusers</code><br />
#: <code>table vdomains file:/etc/mail/vdomains</code><br />
#: <br><br />
#: <code>accept for local alias <aliases> deliver to maildir</code><br />
#: <br><br />
#: <code># tagged mail returned from dkimproxy_out relay out</code><br />
#: <code>accept tagged DKIM_OUT for any relay</code><br />
#: <br><br />
#: <code># tagged mail returned from spampd deliver to maildir</code><br />
#: <code>accept tagged SPAM_IN for domain <vdomains> virtual <vusers> deliver to maildir</code><br />
#: <br><br />
#: <code># tagged mail returned from clamsmtpd either send to spampd or dkimproxy_out</code><br />
#: <code>accept tagged CLAM_IN for any relay via smtp://127.0.0.1:10035 # send to spampd</code><br />
#: <code>accept tagged CLAM_OUT for any relay via smtp://127.0.0.1:10030 # send to dkimproxy_out</code><br />
#: <br><br />
#: <code># start here - untagged mail is sent to clamsmtpd</code><br />
#: <code>accept from any for domain <vdomains> relay via smtp://127.0.0.1:10025 # incoming mail</code><br />
#: <code>accept from local for any relay via smtp://127.0.0.1:10027 # outgoing mail</code><br />
#: <br><br />
# So now here is what’s happening:<br />
#: '''Incoming mail''' (unchanged from before since incoming mail is not using dkimproxy):<br />
#: pf -> relay to spamd -> send to opensmtpd on lo0 -> relay untagged mail to clamsmtpd on port 10025 -> relay to clamd on port 3310 -> return to clamsmtpd -> return to opensmtpd on lo0 port 10026 and tag it CLAM_IN -> -relay tagged CLAM_IN mail to spampd on port 10035 -> run it through SpamAssassin -> return to opensmtpd on lo0 port 10036 and tag it SPAM_IN -> deliver to maildir<br />
#: '''Outoing mail''':<br />
#: opensmtpd on lo0 -> relay untagged mail to clamsmtpd on port 10027 -> relay to clamd on port 3310 -> return to clamsmtpd -> return to opensmtpd on lo0 port 10028 and tag it CLAM_OUT -> relay to dkimproxy on port 10030 -> add DKIM headers -> return to opensmtpd on lo0 port 10029 and tag it DKIM_OUT -> relay out<br />
# Send an email and look at the headers. There should be some DKIM headers for the domain like these:<br />
#: <code>DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=example.com; h=from:date</code><br />
#: <code> :message-id:to:subject; s=selector1; bh=[KEY HASH]</code><br />
#: <code>DomainKey-Signature: a=rsa-sha1; c=nofws; d=example.com; h=from:date</code><br />
#: <code> :message-id:to:subject; q=dns; s=selector1; b=[KEY HASH]</code><br />
<br />
= Примечания =</div>Sshhttp://www.qbsd.ru/index.php?title=%D0%9F%D0%BE%D1%87%D1%82%D0%BE%D0%B2%D1%8B%D0%B9_%D1%81%D0%B5%D1%80%D0%B2%D0%B5%D1%80_%D0%BD%D0%B0_%D0%B1%D0%B0%D0%B7%D0%B5_OpenBSD_6.0&diff=474Почтовый сервер на базе OpenBSD 6.02016-09-15T04:04:50Z<p>Ssh: /* DKIMproxy */</p>
<hr />
<div>= Вступление =<br />
Перевод [http://technoquarter.blogspot.ru/2015/02/openbsd-mail-server.html статьи] Chess Griffin с небольшим количеством комментариев от переводчика, в основном связанных с тем, что с момента релиза [http://www.openbsd.org/56.html OpenBSD 5.6], система стала еще [http://www.openbsd.org/60.html лучше!]<br />
<br />
== Цель ==<br />
Создать достаточно безопасный почтовый сервер на базе OpenBSD и нескольких пакетов. OpenSMTPD, spamd, pf и httpd входят в состав базовой системы. Дополнительно потребуются [https://www.clamav.net ClamAV], [http://thewalter.net/stef/software/clamsmtp ClamSMTP], [http://spamassassin.apache.org SpamAssassin], [http://www.worlddesign.com/Content/rd/mta/spampd/spampd.html SpamPD], [http://dkimproxy.sourceforge.net DKIMproxy], [http://www.dovecot.org Dovecot], [http://pigeonhole.dovecot.org Dovecot-Pigeonhole] и [https://roundcube.net Roundcube].<br />
<br />
== Окончательный результат ==<br />
=== Обработка входящих сообщений ===<br />
pf -> spamd -> opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> spampd -> SpamAssassin -> spampd -> opensmtpd -> deliver to dovecot/lmtp<br />
<br />
=== Обработка исходящих сообщений ===<br />
opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> dkimproxy -> opensmtpd -> relay out<br />
<br />
=== Дополнительно ===<br />
Доступ посредством IMAP (SSL): Dovecot<br />
<br />
Доступ к почте через веб-интерфейса (SSL): httpd и Roundcube<br />
<br />
== Почему OpenBSD? ==<br />
Это прекрасная операционная система, созданная и поддерживаемая многими умными людьми. Кроме того, мне нравится, что большое количество великолепного программного обеспечения включено в базовую систему. Если вы найдёте это руководство полезным или откроете как восхитительна OpenBSD, пожалуйста подумайте над тем, чтобы поддержать проект - это может быть приобретение набора компакт дисков <ref>С релиза 6.1, OpenBSD [http://undeadly.org/cgi?action=article&sid=20160901090415 не будет распространяться на CD], но вы по прежнему можете [https://www.openbsdstore.com/cgi-bin/live/ecommerce.pl?site=shop_openbsdeurope_com&state=department приобрести] различные предметы с символикой OpenBSD. прим. переводчика</ref> или сделав [http://www.openbsd.org/donations.html пожертвование]. Команда разработчиков OpenBSD отлично выполняет свою работу, которая приносит пользу всему сообществу и ваша поддержка не будет лишней!<br />
<br />
== Зачем SpamAssassin в дополнение к spamd? ==<br />
<br />
Spamd отлично работает, не создавая лишней нагрузки. Он отлавливает большую часть моего спама (более 95%), так что я почти решил отказаться от возни со SpamAssassin. Но подумав, решил что будет интересно попробовать интегрировать их оба.<br />
<br />
== Почему не <вставьте имя любимой операционной системы или программы>? ==<br />
<br />
Никогда не слышал об этом. ;-)<br />
<br />
== Why bother with setting up your own email server to begin with? Why not just keep using Gmail? ==<br />
<br />
I used to run my own email server back when I hosted the Linux Reality podcast and decided it would be a fun exercise to try it again. The email server I set up using the steps in this guide might become my primary email server. Or, I might take the server down tomorrow and go back to using AOL and working on my Geocities page. Who knows?<br />
<br />
== Assumptions: ==<br />
<br />
This guide assumes an understanding of how to install and configure OpenBSD and an understanding of networking and email, both in general and in regards to OpenBSD in particular. Additionally, this guide assumes an understanding of how to install packages with a properly configured $PKG_PATH, how to work from the command line and edit configuration files, how to change DNS records and MX records, and other general nuts and bolts. These kinds of basic topics will not be covered in this guide.<br />
<br />
== Disclaimer: ==<br />
<br />
I am an ordinary OpenBSD user. I am not a sysadmin, developer, programmer, kung-fu master, or expert in any of these areas. This guide is mainly a writeup for myself so I can replicate these steps in the future. If someone finds it helpful, fine, but it is by no means the only way or even the best way to configure an email server. There are most likely mistakes in this guide, so take it for what it's worth and YMMV. If your email breaks because of this guide, then don't run your own email server. Feedback and corrections are welcome.<br />
<br />
== Updates: ==<br />
<br />
Updated the last line of example smtpd.conf from "for any" to "for domain <vdomains>". Thanks to Christoph on the opensmtpd-misc mailing list.<br />
Removed bit about enabling pf since it's enabled by default. Duh. Also changed notations of port 587 to 'submission' which is the name of that port in /etc/services. Thanks to rjc.<br />
<br />
== Resources: ==<br />
* OpenBSD FAQ (required)<br />
* OpenBSD man pages (required)<br />
* OpenSMTPD wiki<br />
* Helpful thread on OpenSMTPD mailing list re: tagging and proxying<br />
* http://www.kernel-panic.it/openbsd/mail/ (the bits about ClamAV and SpamAssassing are helpful)<br />
* https://coderwall.com/p/eejzja/simple-smtp-server-with-opensmtpd<br />
* http://blog.ehouse.io/mail-server-basic-smtp.html<br />
* http://blog.admiral0.it/computing/mail-server-with-opensmtpd-dovecot-and-amavisdspamassassin<br />
<br /><br />
<br />
= Initial Setup =<br />
<br />
# Install OpenBSD 5.6. If using the auto-partitioner, make sure enough space is allocated to /usr and /usr/src to allow for extracting the sources (below). Edit /etc/rc.conf.local and add “-s” to ntpd_flags so time is set at boot if desired.<br />
# Add a rule to default /etc/pf.conf to allow incoming ssh connections, such as:<br />
#:<code># cat /etc/pf.conf<br />&hellip;<br />pass in on egress proto tcp to any port ssh<br />&hellip;</code><br />
# Reload pf with:<br />
#:<code># pfctl -f /etc/pf.conf</code><br />
# Update the system by [http://www.openbsd.org/faq/faq5.html#BldGetSrc fetching the sources] via ftp and [http://www.openbsd.org/errata60.html patching].<br />
# Set up $PKG_PATH to install packages.<br />
# Configure MX records etc. at domain registrar, perhaps with an unused domain for testing purposes.<br /><br /><br />
<br />
= OpenSMTPD и spamd =<br />
# Read the man page for smtpd and smtpd.conf and review the configuration files.<br />
# Set up virtual users and virtual domains:<br />
#:<code># cat /etc/mail/vusers</code><br />
#:<code>joe@example.com joe</code><br />
#:<code>@example.com joe</code><br />
#:<code>joe@example.net joe</code><br />
#:<code>@example.net joe</code><br />
#:<br /><br />
#:<code># cat /etc/mail/vdomains</code><br />
#:<code>example.com</code><br />
#:<code>example.net</code><br />
#:<br /><br />
# Create SSL certificates as described in man 5 smtpd.conf:<br />
#:<code># openssl genrsa -out /etc/ssl/private/mail.example.com.key 4096</code><br />
#:<code># openssl req -new -x509 -key /etc/ssl/private/mail.example.com.key -out /etc/ssl/mail.example.com.crt -days 365</code><br />
#:<code># chmod 600 /etc/ssl/mail.example.com.crt</code><br />
#:<code># chmod 600 /etc/ssl/private/mail.example.com.key</code><br />
#:<br /><br />
# Create ~/Maildir for user ("joe" in this example).<br />
# Edit /etc/mail/smtpd.conf so it listens on egress with tls (for incoming mail) and egress port 587 (submission) with tls and authentication (for outgoing mail), accepts mail for virtual users and virtual domains, and delivers this mail to Maildir. Note that the smtpd.conf man page clearly says: "For each message processed by the daemon, the filter rules are evaluated in sequential order, from first to last. The first matching rule decides what action is taken." Therefore, the order of the rules in smtpd.conf is very important and will become more important as additional bits are added (e.g. for clamsmtp, spampd, and dkimproxy).<br />
#:<code># cat /etc/mail/smtpd.conf</code><br />
#:<code>pki mail.example.com certificate "/etc/ssl/mail.example.com.crt"</code><br />
#:<code>pki mail.example.com key "/etc/ssl/private/mail.example.com.key"</code><br />
#:<br /><br />
#:<code>listen on lo0</code><br />
#:<code>listen on egress tls pki mail.example.com auth-optional</code><br />
#:<code>listen on egress port submission tls-require pki mail.example.com auth</code><br />
#:<br /><br />
#:<code>table aliases db:/etc/mail/aliases.db</code><br />
#:<code>table vusers file:/etc/mail/vusers</code><br />
#:<code>table vdomains file:/etc/mail/vdomains</code><br />
#:<br /><br />
#:<code>accept for local alias <aliases> deliver to maildir</code><br />
#:<br /><br />
#:<code>accept from any for domain <vdomains> virtual <vusers> deliver to maildir</code><br />
#:<code>accept from local for any relay</code><br />
#:<br /><br />
# Edit pf.conf to allow connections on smtp port 25 and port 587, such as:<br />
#:<code># cat /etc/pf.conf</code><br />
#:<code>...</code><br />
#:<code>pass in on egress proto tcp to any port smtp</code><br />
#:<code>pass in on egress proto tcp to any port submission</code><br />
#:<code>...</code><br />
#:<br /><br />
# Reload pf and start /etc/rc.d/smtpd.<br />
# Test sending mail to/from the user's account. Since there is no imap client yet, might want to install mutt or something similar and point to the user's ~/Maildir to check incoming mail. The user should be able to connect to OpenSMTPD on port 587 from an outside client to send mail through OpenSMTPD to another party. Sending outbound mail from the command line should also work. Perhaps telnet into the server or run a couple of SMTP checks against the server like this one to verify things are working correctly. The session transcript should look something like this:<br />
#:<code>Connecting to 123.456.789.000</code><br />
#:<br /><br />
#:<code>220 mail.example.com ESMTP OpenSMTPD [624 ms]</code><br />
#:<code>EHLO MXTB-PWS3.mxtoolbox.com</code><br />
#:<code>250-mail.example.com Hello MXTB-PWS3.mxtoolbox.com [64.20.227.133], pleased to meet you</code><br />
#:<code>250-8BITMIME</code><br />
#:<code>250-ENHANCEDSTATUSCODES</code><br />
#:<code>250-SIZE 36700160</code><br />
#:<code>250-DSN</code><br />
#:<code>250-STARTTLS</code><br />
#:<code>250 HELP [640 ms]</code><br />
#:<code>MAIL FROM: <supertool@mxtoolbox.com></code><br />
#:<code>250 2.0.0: Ok [640 ms]</code><br />
#:<code>RCPT TO: <test@example.com></code><br />
#:<code>550 Invalid recipient [640 ms]</code><br />
#:<br /><br />
#:<code>MXTB-PWS3v2 3260ms</code><br />
#:<br /><br />
# If that works, set up spamd. This is a very simple and standard setup and there are lots of resources out there on how to do this, but here is the shorthand: Add spamd_flags=”-v” to /etc/rc.conf.local. Edit /etc/mail/spamd.conf to add override/whitelist if desired (file /etc/mail/nospamd in sample pf rules). Add spamd pf rules from example /etc/pf.conf and comment out prior rule that passed smtp on egress (because now we want incoming mail to be redirected to spamd running on localhost port 8025):<br />
#:<code># cat /etc/pf.conf</code><br />
#:<br /><br />
#:<code>...</code><br />
#:<code>#pass in on egress proto tcp to any port smtp</code><br />
#:<code>pass in on egress proto tcp to any port submission</code><br />
#:<code># rules for spamd(8)</code><br />
#:<code>table <spamd-white> persist</code><br />
#:<code>table <nospamd> persist file "/etc/mail/nospamd"</code><br />
#:<code>pass in on egress proto tcp from any to any port smtp rdr-to 127.0.0.1 port spamd</code><br />
#:<code>pass in on egress proto tcp from <nospamd> to any port smtp</code><br />
#:<code>pass in log on egress proto tcp from <spamd-white> to any port smtp</code><br />
#:<code> pass out log on egress proto tcp to any port smtp</code><br />
#:<code>...</code><br />
#:<br /><br />
#:Reload pf and start /etc/rc.d/spamd. Check netstat to see if spamd is listening on port 8025:<br />
#:<code># netstat -na -f inet</code><br />
#:<br /><br />
# Send test emails again and check logs and 'spamdb' to see if email is getting greylisted. Once spamd is working, those third-party SMTP checks won't work because spamd is intercepting incoming mail. Same with telnet, if you can stand waiting for the stuttering. ;-) Anyway, now the session transcript should look something like this:<br />
#:<code>Connecting to 123.456.789.000</code><br />
#:<br /> <br />
#:<code>220 mail.example.com ESMTP spamd IP-based SPAM blocker; Sat Jan 31 11:33:21 2015 [11716 ms]</code><br />
#:<code>EHLO MXTB-PWS3.mxtoolbox.com</code><br />
#:<code>250 Hello, spam sender. Pleased to be wasting your time. [640 ms]</code><br />
#:<code>MAIL FROM: <supertool@mxtoolbox.com></code><br />
#:<code>250 You are about to try to deliver spam. Your time will be spent, for nothing. [640 ms]</code><br />
#:<code>RCPT TO: <test@example.com></code><br />
#:<code>250 This is hurting you more than it is hurting me. [640 ms]</code><br />
#:<br /> <br />
#:<code>MXTB-PWS3v2 14602ms</code><br />
#:<br /><br />
#:Haha. Love spamd.<br />
# So here is what's happening:<br />
#:<br />
#:'''Incoming mail''':<br />
#:pf -> relay to spamd -> send to opensmtpd on lo0 -> deliver to maildir<br />
#:<br /><br />
#:'''Outoing mail''':<br />
#:opensmtpd on lo0 -> relay out<br />
<br />
= ClamAV and ClamSMTP =<br />
# Install clamav and clamsmtp from packages.<br />
# Edit /etc/freshclam.conf -- comment out the “Example” line and uncomment the "DatabaseMirror" line and add the relevant country code in place of the "XY."<br />
#:<code># cat /etc/freshclam.conf</code><br />
#:<code>#Example</code><br />
#:<code>...</code><br />
#:<code>DatabaseMirror db.us.clamav.net</code><br />
#:<code>...</code><br />
#:<br /><br />
#:Run ‘freshclam’ to update the database. Add a freshclam command to root’s crontab to have periodic updates:<br />
#:<code>20 * * * * /usr/local/bin/freshclam >/dev/null 2>&1</code><br />
#:<br /><br />
# Once freshclam has updated the database, edit /etc/clamd.conf. Comment out the “Example” line, uncomment “TCPSocket” and “TCPAddr” lines and change them so clamd listens on port 3310 at 127.0.0.1.<br />
#:<code># cat /etc/clamd.conf</code><br />
#:<code>#Example</code><br />
#:<code>...</code><br />
#:<code>TCPSocket 3310</code><br />
#:<code>...</code><br />
#:<code>TCPAddr 127.0.0.1</code><br />
#:<code>...</code><br />
#:<br /><br />
#: Add “clamd” to pkg_scripts in /etc/rc.conf.local and then start clamd. Check netstat -na -f inet to see if clamd is running on 127.0.0.1:3310. Check out both /etc/freshclam.conf and /etc/clamd.conf to look at logging options or actions (in VirusEvent) to take when a virus is found. Can set it up so it drops an email into root's mailbox when a virus is found.<br />
# Now, set up clamsmtp, which is a proxy for clamd. Two config files will be used, one for incoming mail and one for outgoing mail. OpenSMTPD will accept mail, send it to clamsmtp on one port for incoming mail (10025) and a different port (10027) for outgoing mail. Clamsmtp will run the mail through clamd, and then return it to OpenSMTPD for incoming mail (10026) or outgoing mail (10028). Depending on which port the mail is returned to, OpenSMTPD will tag it CLAM_IN or CLAM_OUT.<br />
#: So copy /etc/clamsmtpd.conf and create /etc/clamsmtpd-in.conf and /etc/clamsmtpd-out.conf. Modify the files like so:<br />
#:<code># cat /etc/clamsmtpd-in.conf</code><br />
#:<code>OutAddress: 10026</code><br />
#:<code>...</code><br />
#:<code>Listen: 0.0.0.0:10025</code><br />
#:<code>...</code><br />
#:<code>ClamAddress: 127.0.0.1:3310</code><br />
#:<code>...</code><br />
#:<br /><br />
#:<code># cat /etc/clamsmtpd-out.conf</code><br />
#:<code>OutAddress: 10028</code><br />
#:<code>...</code><br />
#:<code>Listen: 0.0.0.0:10027</code><br />
#:<code>...</code><br />
#:<code>ClamAddress: 127.0.0.1:3310</code><br />
#:<code>...</code><br />
#:<br /><br />
# Start them both:<br />
#:<code># /usr/local/sbin/clamsmtpd -f /etc/clamsmtpd-in.conf</code><br />
#:<code># /usr/local/sbin/clamsmtpd -f /etc/clamsmtpd-out.conf</code><br />
#:<br /><br />
#:(add something similar to /etc/rc.local so they start at boot)<br />
# Edit /etc/mail/smtpd.conf so it looks like this:<br />
#:<code># cat /etc/mail/smtpd.conf</code><br />
#:<br /><br />
#:<code>pki mail.example.com certificate "/etc/ssl/mail.example.com.crt"</code><br />
#:<code>pki mail.example.com key "/etc/ssl/private/mail.example.com.key"</code><br />
#:<br /><br />
#:<code>listen on lo0</code><br />
#:<code>listen on lo0 port 10026 tag CLAM_IN # incoming mail</code><br />
#:<code>listen on lo0 port 10028 tag CLAM_OUT # outgoing mail</code><br />
#:<code>listen on egress tls pki mail.example.com auth-optional</code><br />
#:<code>listen on egress port submission tls-require pki mail.example.com auth</code><br />
#:<br /><br />
#:<code>table aliases db:/etc/mail/aliases.db</code><br />
#:<code>table vusers file:/etc/mail/vusers</code><br />
#:<code>table vdomains file:/etc/mail/vdomains</code><br />
#:<br /><br />
#:<code>accept for local alias <aliases> deliver to maildir</code><br />
#:<br /><br />
#:<code># tagged mail returned from clamsmtpd either deliver or relay</code><br />
#:<code>accept tagged CLAM_IN for domain <vdomains> virtual <vusers> deliver to maildir</code><br />
#:<code>accept tagged CLAM_OUT for any relay</code><br />
#:<br /><br />
#:<code># start here - untagged mail is sent to clamsmtpd</code><br />
#:<code>accept from any for domain <vdomains> relay via smtp://127.0.0.1:10025 # incoming mail</code><br />
#:<code>accept from local for any relay via smtp://127.0.0.1:10027 # outgoing mail</code><br />
#:<br /><br />
#: So here is what's happening:<br />
#: '''Incoming mail''':<br />
#: pf -> relay to spamd -> send to opensmtpd on lo0 -> relay untagged mail to clamsmtpd on port 10025 -> relay to clamd on port 3310 -> return to clamsmtpd -> return to opensmtpd on lo0 port 10026 and tag it CLAM_IN -> deliver to maildir<br />
#:<br /><br />
#: '''Outoing mail''':<br />
#: opensmtpd on lo0 -> relay untagged mail to clamsmtpd on port 10027 -> relay to clamd on port 3310 -> return to clamsmtpd -> return to opensmtpd on lo0 port 10028 and tag it CLAM_OUT -> relay out<br />
# Send some emails both ways. This should be in the header:<br />
#:<code>X-Virus-Scanned: ClamAV using ClamSMTP</code><br />
<br />
= SpamAssassin and SpamPD =<br />
# Install p5-Mail-SpamAssassin and spampd from packages.<br />
# Edit /etc/mail/spamassassin/local.cf and uncomment the "rewrite_header" line.<br />
# Spampd will be used as a proxy like clamsmtp. For purposes of this guide, only incoming mail will be scanned. Spampd by default runs on port 10025 but that port is already being used for clamsmtp. So, add the following to /etc/rc.conf.local:<br />
#:<code>spampd_flags="--port=10035 --relayhost=127.0.0.1:10036 --tagall -aw"</code><br />
#: With these flags, spampd will listen on port 10035 and after processing the mail through SpamAssassin, spampd will relay the mail back to port 10036, where OpenSMTPD will be listening.<br />
#: UPDATE: spampd seems to have trouble binding to the right port (10035 in this case) upon a reboot even with those spampd_flags set in /etc/rc.conf.local. It tries to bind to 10025 which, as noted previously, is being used by clamsmtp, and therefore spampd fails to work and incoming mail has no place to go when opensmtpd tries to relay it to spampd. I have to manually log in and kick spampd to get it to bind to 10035. Still investigating a solution other than changing all the ports around ...<br />
#: Add "spamassassin" and "spampd" to pkg_scripts in /etc/rc.conf.local and then start both spamassassin and spampd. A "netstat -na -f inet" should show spampd listening on port 10035.<br />
# Once spampd was processing mail, there were errors in /var/log/maillog along the lines of: “spampd Insecure dependency -T switch at Socket.pm” and it wasn't working. Turns out spampd needs patching for newer Perl. See this: https://github.com/mpaperno/spampd/issues/2. Here is a patch to /usr/local/sbin/spampd (also found here):<br />
#:<code>--- spampd.orig Thu Jan 29 23:19:45 2015</code><br />
#:<code>+++ spampd Thu Jan 29 23:21:31 2015</code><br />
#:<code>@@ -824,6 +824,22 @@ if ( $logsock !~ /^(unix|inet)$/ ) {</code><br />
#:<code> usage(0);</code><br />
#:<code> }</code><br />
#:<code>+# Untaint some options provided by admin command line.</code><br />
#:<code>+$pidfile =~ /^(.*)$/;</code><br />
#:<code>+$pidfile = $1;</code><br />
#:<code>+</code><br />
#:<code>+$relayhost =~ /^(.*)$/;</code><br />
#:<code>+$relayhost = $1;</code><br />
#:<code>+</code><br />
#:<code>+$relayport =~ /^(.*)$/;</code><br />
#:<code>+$relayport = $1;</code><br />
#:<code>+</code><br />
#:<code>+$host =~ /^(.*)$/;</code><br />
#:<code>+$host = $1;</code><br />
#:<code>+</code><br />
#:<code>+$port =~ /^(.*)$/;</code><br />
#:<code>+$port = $1;</code><br />
#:<code>+</code><br />
#:<code> if ( $options{tagall} ) { $tagall = 1; }</code><br />
#:<code> if ( $options{'log-rules-hit'} ) { $rh = 1; }</code><br />
#:<code> if ( $options{debug} ) { $debug = 1; $nsloglevel = 4; }</code><br />
#:<br /><br />
# Restart spampd after applying that patch.<br />
# Now, modify /etc/mail/smtpd.conf similar to what was done for clamsmtp:<br />
#:<code># cat /etc/mail/smtpd.conf</code><br />
#:<code>pki mail.example.com certificate "/etc/ssl/mail.example.com.crt"</code><br />
#:<code>pki mail.example.com key "/etc/ssl/private/mail.example.com.key"</code><br />
#:<br /><br />
#:<code>listen on lo0</code><br />
#:<code>listen on lo0 port 10026 tag CLAM_IN # incoming mail</code><br />
#:<code>listen on lo0 port 10028 tag CLAM_OUT # outgoing mail</code><br />
#:<code>listen on lo0 port 10036 tag SPAM_IN # incoming mail</code><br />
#:<code>listen on egress tls pki mail.example.com auth-optional</code><br />
#:<code>listen on egress port submission tls-require pki mail.example.com auth</code><br />
#:<br /><br />
#:<code>table aliases db:/etc/mail/aliases.db</code><br />
#:<code>table vusers file:/etc/mail/vusers</code><br />
#:<code>table vdomains file:/etc/mail/vdomains</code><br />
#:<br /><br />
#:<code>accept for local alias <aliases> deliver to maildir</code><br />
#:<br /><br />
#:<code># tagged mail returned from spampd deliver to maildir</code><br />
#:<code>accept tagged SPAM_IN for domain <vdomains> virtual <vusers> deliver to maildir</code><br />
#:<br /><br />
#:<code># tagged mail returned from clamsmtpd either send to spampd or relay</code><br />
#:<code>accept tagged CLAM_IN for any relay via smtp://127.0.0.1:10035 # send to spampd</code><br />
#:<code>accept tagged CLAM_OUT for any relay</code><br />
#:<br /><br />
#:<code># start here - untagged mail is sent to clamsmtpd</code><br />
#:<code>accept from any for domain <vdomains> relay via smtp://127.0.0.1:10025 # incoming mail</code><br />
#:<code>accept from local for any relay via smtp://127.0.0.1:10027 # outgoing mail</code><br />
#:<br /><br />
# There were still some errors in /var/log/maillog. First, there was something like this:<br />
#:<code>Feb 03 16:48:44 server spampd[22524]: spf: lookup failed: available_nameservers: No DNS servers available!</code><br />
#:<code>Feb 03 16:48:44 server spampd[22524]: rules: failed to run USER_IN_DEF_DKIM_WL test, skipping: (available_nameservers: No DNS servers available!)</code><br />
#:<br /><br />
#:Turns out, SpamAssassin had broken DNS lookups. Here is the patch to /usr/local/libdata/perl5/site_perl/Mail/SpamAssassin/DnsResolver.pm (also found here):<br />
#:<code>--- DnsResolver.pm.orig Fri Feb 7 03:36:28 2014</code><br />
#:<code>+++ DnsResolver.pm Thu Nov 13 16:04:01 2014</code><br />
#:<code>@@ -204,8 +204,10 @@</code><br />
#:<code> @ns_addr_port = @{$self->{conf}->{dns_servers}};</code><br />
#:<code> dbg("dns: servers set by config to: %s", join(', ',@ns_addr_port));</code><br />
#:<code> } elsif ($res) { # default as provided by Net::DNS, e.g. /etc/resolv.conf</code><br />
#:<code>- @ns_addr_port = map(untaint_var("[$_]:" . $res->{port}),</code><br />
#:<code>- @{$res->{nameservers}});</code><br />
#:<code>+ my @ns = $res->UNIVERSAL::can('nameservers') ? $res->nameservers</code><br />
#:<code>+ : @{$res->{nameservers}};</code><br />
#:<code>+ my $port = $res->UNIVERSAL::can('port') ? $res->port : $res->{port};</code><br />
#:<code>+ @ns_addr_port = map(untaint_var("[$_]:" . $port), @ns);</code><br />
#:<code> dbg("dns: servers obtained from Net::DNS : %s", join(', ',@ns_addr_port));</code><br />
#:<code> }</code><br />
#:<code> return @ns_addr_port;</code><br />
#:<br /><br />
# Then, there was this:<br />
#:<code>Feb 03 16:48:44 server spampd[22524]: plugin: eval failed: bayes: (in learn) locker: safe_lock: cannot create tmp lockfile /var/spampd/.spamassassin/bayes.lock.mail.example.com.22524 for /var/spampd/.spamassassin/bayes.lock: Permission denied</code><br />
#: It appeared that although /var/spampd was set to _spampd:_spampd, the /var/spampd/.spamassassin was set to root:_spampd and the permissions were 700 (IIRC). Anyway, chown that directory to also be _spampd:_spampd and then it appears to work fine.<br />
# So now here is what's happening:<br />
#: '''Incoming mail''':<br />
#: pf -> relay to spamd -> send to opensmtpd on lo0 -> relay untagged mail to clamsmtpd on port 10025 -> relay to clamd on port 3310 -> return to clamsmtpd -> return to opensmtpd on lo0 port 10026 and tag it CLAM_IN -> relay tagged CLAM_IN mail to spampd on port 10035 -> run it through SpamAssassin -> return to spampd -> return to opensmtpd on lo0 port 10036 and tag it SPAM_IN -> deliver to maildir<br />
#:<br /><br />
#: '''Outoing mail''' (unchanged from before since outgoing mail is not sent to spampd):<br />
#: opensmtpd on lo0 -> relay untagged mail to clamsmtpd on port 10027 -> relay to clamd on port 3310 -> return to clamsmtpd -> return to opensmtpd on lo0 port 10028 and tag it CLAM_OUT -> relay out<br />
# Test again, both ways. Use the GTUBE test to see if it’s flagged as spam. There should be SpamAssassin headers in the incoming email. SpamAssassin can be further set up for Bayesian training and cron entries for running sa-learn on designated directories.<br />
<br />
= DKIMproxy =<br />
# Follow the steps here to create public and private keys that will be used by DKIMproxy.<br />
# Create a TXT record for each domain the server will be hosting that looks something like this:<br />
#:<code>selector1._domainkey v=DKIM1; k=rsa; p=KEY_GOES_HERE TXT 1800 TTL</code><br />
#:<br /><br />
# Install dkimproxy from ports (no packages available for OpenBSD 5.6). It has no dependencies that aren't already pulled in from prior packages so it's an easy and quick build.<br />
# Edit /etc/dkimproxy_out.conf so it looks something like this (note that the default ports are different so they don't conflict with the earlier clamsmtpd setup):<br />
#:<code># cat /etc/dkimproxy_out.conf</code><br />
#:<code># specify what address/port DKIMproxy should listen on</code><br />
#:<code>#listen 127.0.0.1:10027</code><br />
#:<code>listen 127.0.0.1:10030</code><br />
#:<br /><br />
#:<code># specify what address/port DKIMproxy forwards mail to</code><br />
#:<code>#relay 127.0.0.1:10028</code><br />
#:<code>relay 127.0.0.1:10029</code><br />
#:<br /><br />
#:<code># specify what domains DKIMproxy can sign for (comma-separated, no spaces)</code><br />
#:<code>#domain example.org</code><br />
#:<code>domain example.com,example.net</code><br />
#:<br /><br />
#:<code># specify what signatures to add</code><br />
#:<code>signature dkim(c=relaxed)</code><br />
#:<code>signature domainkeys(c=nofws)</code><br />
#:<br /><br />
#:<code># specify location of the private key</code><br />
#:<code>#keyfile /full/path/to/private.key</code><br />
#:<code>keyfile /etc/mail/dkim/private.key</code><br />
#:<br /><br />
#:<code># specify the selector (i.e. the name of the key record put in DNS)</code><br />
#:<code>selector selector1</code><br />
#:<code>...</code><br />
#:<br /><br />
#: Since SpamAssassin already does DKIM checking for incoming mail, dkimproxy is only used for outgoing mail to add the DKIM keys etc. to outgoing headers.<br />
# Add "dkimproxy_out" to pkg_scripts in /etc/rc.conf.local and start it up. Again, check netstat -na -f inet to see if it's listening on port 10030.<br />
# Same drill as before. Edit /etc/mail/smtpd.conf so it looks something like this:<br />
#:<code># cat /etc/mail/smtpd.conf</code><br />
#:<code>pki mail.example.com certificate "/etc/ssl/mail.example.com.crt"</code><br />
#:<code>pki mail.example.com key "/etc/ssl/private/mail.example.com.key"</code><br />
#:<br /><br />
#:<code>listen on lo0</code><br />
#:<code>listen on lo0 port 10026 tag CLAM_IN # incoming mail</code><br />
#:<code>listen on lo0 port 10028 tag CLAM_OUT # outgoing mail</code><br />
#:<code>listen on lo0 port 10036 tag SPAM_IN # incoming mail</code><br />
#:<code>listen on lo0 port 10029 tag DKIM_OUT # outgoing mail</code><br />
#:<code>listen on egress tls pki mail.example.com auth-optional</code><br />
#:<code>listen on egress port submission tls-require pki mail.example.com auth</code><br />
#:<br /><br />
#:<code>table aliases db:/etc/mail/aliases.db</code><br />
#:<code>table vusers file:/etc/mail/vusers</code><br />
#:<code>table vdomains file:/etc/mail/vdomains</code><br />
#:<br /><br />
#:<code>accept for local alias <aliases> deliver to maildir</code><br />
#:<br /><br />
#:<code># tagged mail returned from dkimproxy_out relay out</code><br />
#:<code>accept tagged DKIM_OUT for any relay</code><br />
#:<br /><br />
#:<code># tagged mail returned from spampd deliver to maildir</code><br />
#:<code>accept tagged SPAM_IN for domain <vdomains> virtual <vusers> deliver to maildir</code><br />
#:<br /><br />
#:<code># tagged mail returned from clamsmtpd either send to spampd or dkimproxy_out</code><br />
#:<code>accept tagged CLAM_IN for any relay via smtp://127.0.0.1:10035 # send to spampd</code><br />
#:<code>accept tagged CLAM_OUT for any relay via smtp://127.0.0.1:10030 # send to dkimproxy_out</code><br />
#:<br /><br />
#:<code># start here - untagged mail is sent to clamsmtpd</code><br />
#:<code>accept from any for domain <vdomains> relay via smtp://127.0.0.1:10025 # incoming mail</code><br />
#:<code>accept from local for any relay via smtp://127.0.0.1:10027 # outgoing mail</code><br />
#:<br /><br />
# So now here is what’s happening:<br />
#: '''Incoming mail''' (unchanged from before since incoming mail is not using dkimproxy):<br />
#: pf -> relay to spamd -> send to opensmtpd on lo0 -> relay untagged mail to clamsmtpd on port 10025 -> relay to clamd on port 3310 -> return to clamsmtpd -> return to opensmtpd on lo0 port 10026 and tag it CLAM_IN -> -relay tagged CLAM_IN mail to spampd on port 10035 -> run it through SpamAssassin -> return to opensmtpd on lo0 port 10036 and tag it SPAM_IN -> deliver to maildir<br />
#: '''Outoing mail''':<br />
#: opensmtpd on lo0 -> relay untagged mail to clamsmtpd on port 10027 -> relay to clamd on port 3310 -> return to clamsmtpd -> return to opensmtpd on lo0 port 10028 and tag it CLAM_OUT -> relay to dkimproxy on port 10030 -> add DKIM headers -> return to opensmtpd on lo0 port 10029 and tag it DKIM_OUT -> relay out<br />
# Send an email and look at the headers. There should be some DKIM headers for the domain like these:<br />
#:<code>DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=example.com; h=from:date</code><br />
#:<code> :message-id:to:subject; s=selector1; bh=[KEY HASH]</code><br />
#:<code>DomainKey-Signature: a=rsa-sha1; c=nofws; d=example.com; h=from:date</code><br />
#:<code> :message-id:to:subject; q=dns; s=selector1; b=[KEY HASH]</code><br />
<br />
= Примечания =</div>Sshhttp://www.qbsd.ru/index.php?title=%D0%9F%D0%BE%D1%87%D1%82%D0%BE%D0%B2%D1%8B%D0%B9_%D1%81%D0%B5%D1%80%D0%B2%D0%B5%D1%80_%D0%BD%D0%B0_%D0%B1%D0%B0%D0%B7%D0%B5_OpenBSD_6.0&diff=473Почтовый сервер на базе OpenBSD 6.02016-09-15T03:56:40Z<p>Ssh: </p>
<hr />
<div>= Вступление =<br />
Перевод [http://technoquarter.blogspot.ru/2015/02/openbsd-mail-server.html статьи] Chess Griffin с небольшим количеством комментариев от переводчика, в основном связанных с тем, что с момента релиза [http://www.openbsd.org/56.html OpenBSD 5.6], система стала еще [http://www.openbsd.org/60.html лучше!]<br />
<br />
== Цель ==<br />
Создать достаточно безопасный почтовый сервер на базе OpenBSD и нескольких пакетов. OpenSMTPD, spamd, pf и httpd входят в состав базовой системы. Дополнительно потребуются [https://www.clamav.net ClamAV], [http://thewalter.net/stef/software/clamsmtp ClamSMTP], [http://spamassassin.apache.org SpamAssassin], [http://www.worlddesign.com/Content/rd/mta/spampd/spampd.html SpamPD], [http://dkimproxy.sourceforge.net DKIMproxy], [http://www.dovecot.org Dovecot], [http://pigeonhole.dovecot.org Dovecot-Pigeonhole] и [https://roundcube.net Roundcube].<br />
<br />
== Окончательный результат ==<br />
=== Обработка входящих сообщений ===<br />
pf -> spamd -> opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> spampd -> SpamAssassin -> spampd -> opensmtpd -> deliver to dovecot/lmtp<br />
<br />
=== Обработка исходящих сообщений ===<br />
opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> dkimproxy -> opensmtpd -> relay out<br />
<br />
=== Дополнительно ===<br />
Доступ посредством IMAP (SSL): Dovecot<br />
<br />
Доступ к почте через веб-интерфейса (SSL): httpd и Roundcube<br />
<br />
== Почему OpenBSD? ==<br />
Это прекрасная операционная система, созданная и поддерживаемая многими умными людьми. Кроме того, мне нравится, что большое количество великолепного программного обеспечения включено в базовую систему. Если вы найдёте это руководство полезным или откроете как восхитительна OpenBSD, пожалуйста подумайте над тем, чтобы поддержать проект - это может быть приобретение набора компакт дисков <ref>С релиза 6.1, OpenBSD [http://undeadly.org/cgi?action=article&sid=20160901090415 не будет распространяться на CD], но вы по прежнему можете [https://www.openbsdstore.com/cgi-bin/live/ecommerce.pl?site=shop_openbsdeurope_com&state=department приобрести] различные предметы с символикой OpenBSD. прим. переводчика</ref> или сделав [http://www.openbsd.org/donations.html пожертвование]. Команда разработчиков OpenBSD отлично выполняет свою работу, которая приносит пользу всему сообществу и ваша поддержка не будет лишней!<br />
<br />
== Зачем SpamAssassin в дополнение к spamd? ==<br />
<br />
Spamd отлично работает, не создавая лишней нагрузки. Он отлавливает большую часть моего спама (более 95%), так что я почти решил отказаться от возни со SpamAssassin. Но подумав, решил что будет интересно попробовать интегрировать их оба.<br />
<br />
== Почему не <вставьте имя любимой операционной системы или программы>? ==<br />
<br />
Никогда не слышал об этом. ;-)<br />
<br />
== Why bother with setting up your own email server to begin with? Why not just keep using Gmail? ==<br />
<br />
I used to run my own email server back when I hosted the Linux Reality podcast and decided it would be a fun exercise to try it again. The email server I set up using the steps in this guide might become my primary email server. Or, I might take the server down tomorrow and go back to using AOL and working on my Geocities page. Who knows?<br />
<br />
== Assumptions: ==<br />
<br />
This guide assumes an understanding of how to install and configure OpenBSD and an understanding of networking and email, both in general and in regards to OpenBSD in particular. Additionally, this guide assumes an understanding of how to install packages with a properly configured $PKG_PATH, how to work from the command line and edit configuration files, how to change DNS records and MX records, and other general nuts and bolts. These kinds of basic topics will not be covered in this guide.<br />
<br />
== Disclaimer: ==<br />
<br />
I am an ordinary OpenBSD user. I am not a sysadmin, developer, programmer, kung-fu master, or expert in any of these areas. This guide is mainly a writeup for myself so I can replicate these steps in the future. If someone finds it helpful, fine, but it is by no means the only way or even the best way to configure an email server. There are most likely mistakes in this guide, so take it for what it's worth and YMMV. If your email breaks because of this guide, then don't run your own email server. Feedback and corrections are welcome.<br />
<br />
== Updates: ==<br />
<br />
Updated the last line of example smtpd.conf from "for any" to "for domain <vdomains>". Thanks to Christoph on the opensmtpd-misc mailing list.<br />
Removed bit about enabling pf since it's enabled by default. Duh. Also changed notations of port 587 to 'submission' which is the name of that port in /etc/services. Thanks to rjc.<br />
<br />
== Resources: ==<br />
* OpenBSD FAQ (required)<br />
* OpenBSD man pages (required)<br />
* OpenSMTPD wiki<br />
* Helpful thread on OpenSMTPD mailing list re: tagging and proxying<br />
* http://www.kernel-panic.it/openbsd/mail/ (the bits about ClamAV and SpamAssassing are helpful)<br />
* https://coderwall.com/p/eejzja/simple-smtp-server-with-opensmtpd<br />
* http://blog.ehouse.io/mail-server-basic-smtp.html<br />
* http://blog.admiral0.it/computing/mail-server-with-opensmtpd-dovecot-and-amavisdspamassassin<br />
<br /><br />
<br />
= Initial Setup =<br />
<br />
# Install OpenBSD 5.6. If using the auto-partitioner, make sure enough space is allocated to /usr and /usr/src to allow for extracting the sources (below). Edit /etc/rc.conf.local and add “-s” to ntpd_flags so time is set at boot if desired.<br />
# Add a rule to default /etc/pf.conf to allow incoming ssh connections, such as:<br />
#:<code># cat /etc/pf.conf<br />&hellip;<br />pass in on egress proto tcp to any port ssh<br />&hellip;</code><br />
# Reload pf with:<br />
#:<code># pfctl -f /etc/pf.conf</code><br />
# Update the system by [http://www.openbsd.org/faq/faq5.html#BldGetSrc fetching the sources] via ftp and [http://www.openbsd.org/errata60.html patching].<br />
# Set up $PKG_PATH to install packages.<br />
# Configure MX records etc. at domain registrar, perhaps with an unused domain for testing purposes.<br /><br /><br />
<br />
= OpenSMTPD и spamd =<br />
# Read the man page for smtpd and smtpd.conf and review the configuration files.<br />
# Set up virtual users and virtual domains:<br />
#:<code># cat /etc/mail/vusers</code><br />
#:<code>joe@example.com joe</code><br />
#:<code>@example.com joe</code><br />
#:<code>joe@example.net joe</code><br />
#:<code>@example.net joe</code><br />
#:<br /><br />
#:<code># cat /etc/mail/vdomains</code><br />
#:<code>example.com</code><br />
#:<code>example.net</code><br />
#:<br /><br />
# Create SSL certificates as described in man 5 smtpd.conf:<br />
#:<code># openssl genrsa -out /etc/ssl/private/mail.example.com.key 4096</code><br />
#:<code># openssl req -new -x509 -key /etc/ssl/private/mail.example.com.key -out /etc/ssl/mail.example.com.crt -days 365</code><br />
#:<code># chmod 600 /etc/ssl/mail.example.com.crt</code><br />
#:<code># chmod 600 /etc/ssl/private/mail.example.com.key</code><br />
#:<br /><br />
# Create ~/Maildir for user ("joe" in this example).<br />
# Edit /etc/mail/smtpd.conf so it listens on egress with tls (for incoming mail) and egress port 587 (submission) with tls and authentication (for outgoing mail), accepts mail for virtual users and virtual domains, and delivers this mail to Maildir. Note that the smtpd.conf man page clearly says: "For each message processed by the daemon, the filter rules are evaluated in sequential order, from first to last. The first matching rule decides what action is taken." Therefore, the order of the rules in smtpd.conf is very important and will become more important as additional bits are added (e.g. for clamsmtp, spampd, and dkimproxy).<br />
#:<code># cat /etc/mail/smtpd.conf</code><br />
#:<code>pki mail.example.com certificate "/etc/ssl/mail.example.com.crt"</code><br />
#:<code>pki mail.example.com key "/etc/ssl/private/mail.example.com.key"</code><br />
#:<br /><br />
#:<code>listen on lo0</code><br />
#:<code>listen on egress tls pki mail.example.com auth-optional</code><br />
#:<code>listen on egress port submission tls-require pki mail.example.com auth</code><br />
#:<br /><br />
#:<code>table aliases db:/etc/mail/aliases.db</code><br />
#:<code>table vusers file:/etc/mail/vusers</code><br />
#:<code>table vdomains file:/etc/mail/vdomains</code><br />
#:<br /><br />
#:<code>accept for local alias <aliases> deliver to maildir</code><br />
#:<br /><br />
#:<code>accept from any for domain <vdomains> virtual <vusers> deliver to maildir</code><br />
#:<code>accept from local for any relay</code><br />
#:<br /><br />
# Edit pf.conf to allow connections on smtp port 25 and port 587, such as:<br />
#:<code># cat /etc/pf.conf</code><br />
#:<code>...</code><br />
#:<code>pass in on egress proto tcp to any port smtp</code><br />
#:<code>pass in on egress proto tcp to any port submission</code><br />
#:<code>...</code><br />
#:<br /><br />
# Reload pf and start /etc/rc.d/smtpd.<br />
# Test sending mail to/from the user's account. Since there is no imap client yet, might want to install mutt or something similar and point to the user's ~/Maildir to check incoming mail. The user should be able to connect to OpenSMTPD on port 587 from an outside client to send mail through OpenSMTPD to another party. Sending outbound mail from the command line should also work. Perhaps telnet into the server or run a couple of SMTP checks against the server like this one to verify things are working correctly. The session transcript should look something like this:<br />
#:<code>Connecting to 123.456.789.000</code><br />
#:<br /><br />
#:<code>220 mail.example.com ESMTP OpenSMTPD [624 ms]</code><br />
#:<code>EHLO MXTB-PWS3.mxtoolbox.com</code><br />
#:<code>250-mail.example.com Hello MXTB-PWS3.mxtoolbox.com [64.20.227.133], pleased to meet you</code><br />
#:<code>250-8BITMIME</code><br />
#:<code>250-ENHANCEDSTATUSCODES</code><br />
#:<code>250-SIZE 36700160</code><br />
#:<code>250-DSN</code><br />
#:<code>250-STARTTLS</code><br />
#:<code>250 HELP [640 ms]</code><br />
#:<code>MAIL FROM: <supertool@mxtoolbox.com></code><br />
#:<code>250 2.0.0: Ok [640 ms]</code><br />
#:<code>RCPT TO: <test@example.com></code><br />
#:<code>550 Invalid recipient [640 ms]</code><br />
#:<br /><br />
#:<code>MXTB-PWS3v2 3260ms</code><br />
#:<br /><br />
# If that works, set up spamd. This is a very simple and standard setup and there are lots of resources out there on how to do this, but here is the shorthand: Add spamd_flags=”-v” to /etc/rc.conf.local. Edit /etc/mail/spamd.conf to add override/whitelist if desired (file /etc/mail/nospamd in sample pf rules). Add spamd pf rules from example /etc/pf.conf and comment out prior rule that passed smtp on egress (because now we want incoming mail to be redirected to spamd running on localhost port 8025):<br />
#:<code># cat /etc/pf.conf</code><br />
#:<br /><br />
#:<code>...</code><br />
#:<code>#pass in on egress proto tcp to any port smtp</code><br />
#:<code>pass in on egress proto tcp to any port submission</code><br />
#:<code># rules for spamd(8)</code><br />
#:<code>table <spamd-white> persist</code><br />
#:<code>table <nospamd> persist file "/etc/mail/nospamd"</code><br />
#:<code>pass in on egress proto tcp from any to any port smtp rdr-to 127.0.0.1 port spamd</code><br />
#:<code>pass in on egress proto tcp from <nospamd> to any port smtp</code><br />
#:<code>pass in log on egress proto tcp from <spamd-white> to any port smtp</code><br />
#:<code> pass out log on egress proto tcp to any port smtp</code><br />
#:<code>...</code><br />
#:<br /><br />
#:Reload pf and start /etc/rc.d/spamd. Check netstat to see if spamd is listening on port 8025:<br />
#:<code># netstat -na -f inet</code><br />
#:<br /><br />
# Send test emails again and check logs and 'spamdb' to see if email is getting greylisted. Once spamd is working, those third-party SMTP checks won't work because spamd is intercepting incoming mail. Same with telnet, if you can stand waiting for the stuttering. ;-) Anyway, now the session transcript should look something like this:<br />
#:<code>Connecting to 123.456.789.000</code><br />
#:<br /> <br />
#:<code>220 mail.example.com ESMTP spamd IP-based SPAM blocker; Sat Jan 31 11:33:21 2015 [11716 ms]</code><br />
#:<code>EHLO MXTB-PWS3.mxtoolbox.com</code><br />
#:<code>250 Hello, spam sender. Pleased to be wasting your time. [640 ms]</code><br />
#:<code>MAIL FROM: <supertool@mxtoolbox.com></code><br />
#:<code>250 You are about to try to deliver spam. Your time will be spent, for nothing. [640 ms]</code><br />
#:<code>RCPT TO: <test@example.com></code><br />
#:<code>250 This is hurting you more than it is hurting me. [640 ms]</code><br />
#:<br /> <br />
#:<code>MXTB-PWS3v2 14602ms</code><br />
#:<br /><br />
#:Haha. Love spamd.<br />
# So here is what's happening:<br />
#:<br />
#:'''Incoming mail''':<br />
#:pf -> relay to spamd -> send to opensmtpd on lo0 -> deliver to maildir<br />
#:<br /><br />
#:'''Outoing mail''':<br />
#:opensmtpd on lo0 -> relay out<br />
<br />
= ClamAV and ClamSMTP =<br />
# Install clamav and clamsmtp from packages.<br />
# Edit /etc/freshclam.conf -- comment out the “Example” line and uncomment the "DatabaseMirror" line and add the relevant country code in place of the "XY."<br />
#:<code># cat /etc/freshclam.conf</code><br />
#:<code>#Example</code><br />
#:<code>...</code><br />
#:<code>DatabaseMirror db.us.clamav.net</code><br />
#:<code>...</code><br />
#:<br /><br />
#:Run ‘freshclam’ to update the database. Add a freshclam command to root’s crontab to have periodic updates:<br />
#:<code>20 * * * * /usr/local/bin/freshclam >/dev/null 2>&1</code><br />
#:<br /><br />
# Once freshclam has updated the database, edit /etc/clamd.conf. Comment out the “Example” line, uncomment “TCPSocket” and “TCPAddr” lines and change them so clamd listens on port 3310 at 127.0.0.1.<br />
#:<code># cat /etc/clamd.conf</code><br />
#:<code>#Example</code><br />
#:<code>...</code><br />
#:<code>TCPSocket 3310</code><br />
#:<code>...</code><br />
#:<code>TCPAddr 127.0.0.1</code><br />
#:<code>...</code><br />
#:<br /><br />
#: Add “clamd” to pkg_scripts in /etc/rc.conf.local and then start clamd. Check netstat -na -f inet to see if clamd is running on 127.0.0.1:3310. Check out both /etc/freshclam.conf and /etc/clamd.conf to look at logging options or actions (in VirusEvent) to take when a virus is found. Can set it up so it drops an email into root's mailbox when a virus is found.<br />
# Now, set up clamsmtp, which is a proxy for clamd. Two config files will be used, one for incoming mail and one for outgoing mail. OpenSMTPD will accept mail, send it to clamsmtp on one port for incoming mail (10025) and a different port (10027) for outgoing mail. Clamsmtp will run the mail through clamd, and then return it to OpenSMTPD for incoming mail (10026) or outgoing mail (10028). Depending on which port the mail is returned to, OpenSMTPD will tag it CLAM_IN or CLAM_OUT.<br />
#: So copy /etc/clamsmtpd.conf and create /etc/clamsmtpd-in.conf and /etc/clamsmtpd-out.conf. Modify the files like so:<br />
#:<code># cat /etc/clamsmtpd-in.conf</code><br />
#:<code>OutAddress: 10026</code><br />
#:<code>...</code><br />
#:<code>Listen: 0.0.0.0:10025</code><br />
#:<code>...</code><br />
#:<code>ClamAddress: 127.0.0.1:3310</code><br />
#:<code>...</code><br />
#:<br /><br />
#:<code># cat /etc/clamsmtpd-out.conf</code><br />
#:<code>OutAddress: 10028</code><br />
#:<code>...</code><br />
#:<code>Listen: 0.0.0.0:10027</code><br />
#:<code>...</code><br />
#:<code>ClamAddress: 127.0.0.1:3310</code><br />
#:<code>...</code><br />
#:<br /><br />
# Start them both:<br />
#:<code># /usr/local/sbin/clamsmtpd -f /etc/clamsmtpd-in.conf</code><br />
#:<code># /usr/local/sbin/clamsmtpd -f /etc/clamsmtpd-out.conf</code><br />
#:<br /><br />
#:(add something similar to /etc/rc.local so they start at boot)<br />
# Edit /etc/mail/smtpd.conf so it looks like this:<br />
#:<code># cat /etc/mail/smtpd.conf</code><br />
#:<br /><br />
#:<code>pki mail.example.com certificate "/etc/ssl/mail.example.com.crt"</code><br />
#:<code>pki mail.example.com key "/etc/ssl/private/mail.example.com.key"</code><br />
#:<br /><br />
#:<code>listen on lo0</code><br />
#:<code>listen on lo0 port 10026 tag CLAM_IN # incoming mail</code><br />
#:<code>listen on lo0 port 10028 tag CLAM_OUT # outgoing mail</code><br />
#:<code>listen on egress tls pki mail.example.com auth-optional</code><br />
#:<code>listen on egress port submission tls-require pki mail.example.com auth</code><br />
#:<br /><br />
#:<code>table aliases db:/etc/mail/aliases.db</code><br />
#:<code>table vusers file:/etc/mail/vusers</code><br />
#:<code>table vdomains file:/etc/mail/vdomains</code><br />
#:<br /><br />
#:<code>accept for local alias <aliases> deliver to maildir</code><br />
#:<br /><br />
#:<code># tagged mail returned from clamsmtpd either deliver or relay</code><br />
#:<code>accept tagged CLAM_IN for domain <vdomains> virtual <vusers> deliver to maildir</code><br />
#:<code>accept tagged CLAM_OUT for any relay</code><br />
#:<br /><br />
#:<code># start here - untagged mail is sent to clamsmtpd</code><br />
#:<code>accept from any for domain <vdomains> relay via smtp://127.0.0.1:10025 # incoming mail</code><br />
#:<code>accept from local for any relay via smtp://127.0.0.1:10027 # outgoing mail</code><br />
#:<br /><br />
#: So here is what's happening:<br />
#: '''Incoming mail''':<br />
#: pf -> relay to spamd -> send to opensmtpd on lo0 -> relay untagged mail to clamsmtpd on port 10025 -> relay to clamd on port 3310 -> return to clamsmtpd -> return to opensmtpd on lo0 port 10026 and tag it CLAM_IN -> deliver to maildir<br />
#:<br /><br />
#: '''Outoing mail''':<br />
#: opensmtpd on lo0 -> relay untagged mail to clamsmtpd on port 10027 -> relay to clamd on port 3310 -> return to clamsmtpd -> return to opensmtpd on lo0 port 10028 and tag it CLAM_OUT -> relay out<br />
# Send some emails both ways. This should be in the header:<br />
#:<code>X-Virus-Scanned: ClamAV using ClamSMTP</code><br />
<br />
= SpamAssassin and SpamPD =<br />
# Install p5-Mail-SpamAssassin and spampd from packages.<br />
# Edit /etc/mail/spamassassin/local.cf and uncomment the "rewrite_header" line.<br />
# Spampd will be used as a proxy like clamsmtp. For purposes of this guide, only incoming mail will be scanned. Spampd by default runs on port 10025 but that port is already being used for clamsmtp. So, add the following to /etc/rc.conf.local:<br />
#:<code>spampd_flags="--port=10035 --relayhost=127.0.0.1:10036 --tagall -aw"</code><br />
#: With these flags, spampd will listen on port 10035 and after processing the mail through SpamAssassin, spampd will relay the mail back to port 10036, where OpenSMTPD will be listening.<br />
#: UPDATE: spampd seems to have trouble binding to the right port (10035 in this case) upon a reboot even with those spampd_flags set in /etc/rc.conf.local. It tries to bind to 10025 which, as noted previously, is being used by clamsmtp, and therefore spampd fails to work and incoming mail has no place to go when opensmtpd tries to relay it to spampd. I have to manually log in and kick spampd to get it to bind to 10035. Still investigating a solution other than changing all the ports around ...<br />
#: Add "spamassassin" and "spampd" to pkg_scripts in /etc/rc.conf.local and then start both spamassassin and spampd. A "netstat -na -f inet" should show spampd listening on port 10035.<br />
# Once spampd was processing mail, there were errors in /var/log/maillog along the lines of: “spampd Insecure dependency -T switch at Socket.pm” and it wasn't working. Turns out spampd needs patching for newer Perl. See this: https://github.com/mpaperno/spampd/issues/2. Here is a patch to /usr/local/sbin/spampd (also found here):<br />
#:<code>--- spampd.orig Thu Jan 29 23:19:45 2015</code><br />
#:<code>+++ spampd Thu Jan 29 23:21:31 2015</code><br />
#:<code>@@ -824,6 +824,22 @@ if ( $logsock !~ /^(unix|inet)$/ ) {</code><br />
#:<code> usage(0);</code><br />
#:<code> }</code><br />
#:<code>+# Untaint some options provided by admin command line.</code><br />
#:<code>+$pidfile =~ /^(.*)$/;</code><br />
#:<code>+$pidfile = $1;</code><br />
#:<code>+</code><br />
#:<code>+$relayhost =~ /^(.*)$/;</code><br />
#:<code>+$relayhost = $1;</code><br />
#:<code>+</code><br />
#:<code>+$relayport =~ /^(.*)$/;</code><br />
#:<code>+$relayport = $1;</code><br />
#:<code>+</code><br />
#:<code>+$host =~ /^(.*)$/;</code><br />
#:<code>+$host = $1;</code><br />
#:<code>+</code><br />
#:<code>+$port =~ /^(.*)$/;</code><br />
#:<code>+$port = $1;</code><br />
#:<code>+</code><br />
#:<code> if ( $options{tagall} ) { $tagall = 1; }</code><br />
#:<code> if ( $options{'log-rules-hit'} ) { $rh = 1; }</code><br />
#:<code> if ( $options{debug} ) { $debug = 1; $nsloglevel = 4; }</code><br />
#:<br /><br />
# Restart spampd after applying that patch.<br />
# Now, modify /etc/mail/smtpd.conf similar to what was done for clamsmtp:<br />
#:<code># cat /etc/mail/smtpd.conf</code><br />
#:<code>pki mail.example.com certificate "/etc/ssl/mail.example.com.crt"</code><br />
#:<code>pki mail.example.com key "/etc/ssl/private/mail.example.com.key"</code><br />
#:<br /><br />
#:<code>listen on lo0</code><br />
#:<code>listen on lo0 port 10026 tag CLAM_IN # incoming mail</code><br />
#:<code>listen on lo0 port 10028 tag CLAM_OUT # outgoing mail</code><br />
#:<code>listen on lo0 port 10036 tag SPAM_IN # incoming mail</code><br />
#:<code>listen on egress tls pki mail.example.com auth-optional</code><br />
#:<code>listen on egress port submission tls-require pki mail.example.com auth</code><br />
#:<br /><br />
#:<code>table aliases db:/etc/mail/aliases.db</code><br />
#:<code>table vusers file:/etc/mail/vusers</code><br />
#:<code>table vdomains file:/etc/mail/vdomains</code><br />
#:<br /><br />
#:<code>accept for local alias <aliases> deliver to maildir</code><br />
#:<br /><br />
#:<code># tagged mail returned from spampd deliver to maildir</code><br />
#:<code>accept tagged SPAM_IN for domain <vdomains> virtual <vusers> deliver to maildir</code><br />
#:<br /><br />
#:<code># tagged mail returned from clamsmtpd either send to spampd or relay</code><br />
#:<code>accept tagged CLAM_IN for any relay via smtp://127.0.0.1:10035 # send to spampd</code><br />
#:<code>accept tagged CLAM_OUT for any relay</code><br />
#:<br /><br />
#:<code># start here - untagged mail is sent to clamsmtpd</code><br />
#:<code>accept from any for domain <vdomains> relay via smtp://127.0.0.1:10025 # incoming mail</code><br />
#:<code>accept from local for any relay via smtp://127.0.0.1:10027 # outgoing mail</code><br />
#:<br /><br />
# There were still some errors in /var/log/maillog. First, there was something like this:<br />
#:<code>Feb 03 16:48:44 server spampd[22524]: spf: lookup failed: available_nameservers: No DNS servers available!</code><br />
#:<code>Feb 03 16:48:44 server spampd[22524]: rules: failed to run USER_IN_DEF_DKIM_WL test, skipping: (available_nameservers: No DNS servers available!)</code><br />
#:<br /><br />
#:Turns out, SpamAssassin had broken DNS lookups. Here is the patch to /usr/local/libdata/perl5/site_perl/Mail/SpamAssassin/DnsResolver.pm (also found here):<br />
#:<code>--- DnsResolver.pm.orig Fri Feb 7 03:36:28 2014</code><br />
#:<code>+++ DnsResolver.pm Thu Nov 13 16:04:01 2014</code><br />
#:<code>@@ -204,8 +204,10 @@</code><br />
#:<code> @ns_addr_port = @{$self->{conf}->{dns_servers}};</code><br />
#:<code> dbg("dns: servers set by config to: %s", join(', ',@ns_addr_port));</code><br />
#:<code> } elsif ($res) { # default as provided by Net::DNS, e.g. /etc/resolv.conf</code><br />
#:<code>- @ns_addr_port = map(untaint_var("[$_]:" . $res->{port}),</code><br />
#:<code>- @{$res->{nameservers}});</code><br />
#:<code>+ my @ns = $res->UNIVERSAL::can('nameservers') ? $res->nameservers</code><br />
#:<code>+ : @{$res->{nameservers}};</code><br />
#:<code>+ my $port = $res->UNIVERSAL::can('port') ? $res->port : $res->{port};</code><br />
#:<code>+ @ns_addr_port = map(untaint_var("[$_]:" . $port), @ns);</code><br />
#:<code> dbg("dns: servers obtained from Net::DNS : %s", join(', ',@ns_addr_port));</code><br />
#:<code> }</code><br />
#:<code> return @ns_addr_port;</code><br />
#:<br /><br />
# Then, there was this:<br />
#:<code>Feb 03 16:48:44 server spampd[22524]: plugin: eval failed: bayes: (in learn) locker: safe_lock: cannot create tmp lockfile /var/spampd/.spamassassin/bayes.lock.mail.example.com.22524 for /var/spampd/.spamassassin/bayes.lock: Permission denied</code><br />
#: It appeared that although /var/spampd was set to _spampd:_spampd, the /var/spampd/.spamassassin was set to root:_spampd and the permissions were 700 (IIRC). Anyway, chown that directory to also be _spampd:_spampd and then it appears to work fine.<br />
# So now here is what's happening:<br />
#: '''Incoming mail''':<br />
#: pf -> relay to spamd -> send to opensmtpd on lo0 -> relay untagged mail to clamsmtpd on port 10025 -> relay to clamd on port 3310 -> return to clamsmtpd -> return to opensmtpd on lo0 port 10026 and tag it CLAM_IN -> relay tagged CLAM_IN mail to spampd on port 10035 -> run it through SpamAssassin -> return to spampd -> return to opensmtpd on lo0 port 10036 and tag it SPAM_IN -> deliver to maildir<br />
#:<br /><br />
#: '''Outoing mail''' (unchanged from before since outgoing mail is not sent to spampd):<br />
#: opensmtpd on lo0 -> relay untagged mail to clamsmtpd on port 10027 -> relay to clamd on port 3310 -> return to clamsmtpd -> return to opensmtpd on lo0 port 10028 and tag it CLAM_OUT -> relay out<br />
# Test again, both ways. Use the GTUBE test to see if it’s flagged as spam. There should be SpamAssassin headers in the incoming email. SpamAssassin can be further set up for Bayesian training and cron entries for running sa-learn on designated directories.<br />
<br />
= DKIMproxy =<br />
<br />
= Примечания =</div>Sshhttp://www.qbsd.ru/index.php?title=%D0%9F%D0%BE%D1%87%D1%82%D0%BE%D0%B2%D1%8B%D0%B9_%D1%81%D0%B5%D1%80%D0%B2%D0%B5%D1%80_%D0%BD%D0%B0_%D0%B1%D0%B0%D0%B7%D0%B5_OpenBSD_6.0&diff=472Почтовый сервер на базе OpenBSD 6.02016-09-15T02:46:53Z<p>Ssh: /* SpamAssassin and SpamPD */</p>
<hr />
<div>= Вступление =<br />
Перевод [http://technoquarter.blogspot.ru/2015/02/openbsd-mail-server.html статьи] Chess Griffin с небольшим количеством комментариев от переводчика, в основном связанных с тем, что с момента релиза [http://www.openbsd.org/56.html OpenBSD 5.6], система стала еще [http://www.openbsd.org/60.html лучше!]<br />
<br />
== Цель ==<br />
Создать достаточно безопасный почтовый сервер на базе OpenBSD и нескольких пакетов. OpenSMTPD, spamd, pf и httpd входят в состав базовой системы. Дополнительно потребуются [https://www.clamav.net ClamAV], [http://thewalter.net/stef/software/clamsmtp ClamSMTP], [http://spamassassin.apache.org SpamAssassin], [http://www.worlddesign.com/Content/rd/mta/spampd/spampd.html SpamPD], [http://dkimproxy.sourceforge.net DKIMproxy], [http://www.dovecot.org Dovecot], [http://pigeonhole.dovecot.org Dovecot-Pigeonhole] и [https://roundcube.net Roundcube].<br />
<br />
== Окончательный результат ==<br />
=== Обработка входящих сообщений ===<br />
pf -> spamd -> opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> spampd -> SpamAssassin -> spampd -> opensmtpd -> deliver to dovecot/lmtp<br />
<br />
=== Обработка исходящих сообщений ===<br />
opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> dkimproxy -> opensmtpd -> relay out<br />
<br />
=== Дополнительно ===<br />
Доступ посредством IMAP (SSL): Dovecot<br />
<br />
Доступ к почте через веб-интерфейса (SSL): httpd и Roundcube<br />
<br />
== Почему OpenBSD? ==<br />
Это прекрасная операционная система, созданная и поддерживаемая многими умными людьми. Кроме того, мне нравится, что большое количество великолепного программного обеспечения включено в базовую систему. Если вы найдёте это руководство полезным или откроете как восхитительна OpenBSD, пожалуйста подумайте над тем, чтобы поддержать проект - это может быть приобретение набора компакт дисков <ref>С релиза 6.1, OpenBSD [http://undeadly.org/cgi?action=article&sid=20160901090415 не будет распространяться на CD], но вы по прежнему можете [https://www.openbsdstore.com/cgi-bin/live/ecommerce.pl?site=shop_openbsdeurope_com&state=department приобрести] различные предметы с символикой OpenBSD. прим. переводчика</ref> или сделав [http://www.openbsd.org/donations.html пожертвование]. Команда разработчиков OpenBSD отлично выполняет свою работу, которая приносит пользу всему сообществу и ваша поддержка не будет лишней!<br />
<br />
== Зачем SpamAssassin в дополнение к spamd? ==<br />
<br />
Spamd отлично работает, не создавая лишней нагрузки. Он отлавливает большую часть моего спама (более 95%), так что я почти решил отказаться от возни со SpamAssassin. Но подумав, решил что будет интересно попробовать интегрировать их оба.<br />
<br />
== Почему не <вставьте имя любимой операционной системы или программы>? ==<br />
<br />
Никогда не слышал об этом. ;-)<br />
<br />
== Why bother with setting up your own email server to begin with? Why not just keep using Gmail? ==<br />
<br />
I used to run my own email server back when I hosted the Linux Reality podcast and decided it would be a fun exercise to try it again. The email server I set up using the steps in this guide might become my primary email server. Or, I might take the server down tomorrow and go back to using AOL and working on my Geocities page. Who knows?<br />
<br />
== Assumptions: ==<br />
<br />
This guide assumes an understanding of how to install and configure OpenBSD and an understanding of networking and email, both in general and in regards to OpenBSD in particular. Additionally, this guide assumes an understanding of how to install packages with a properly configured $PKG_PATH, how to work from the command line and edit configuration files, how to change DNS records and MX records, and other general nuts and bolts. These kinds of basic topics will not be covered in this guide.<br />
<br />
== Disclaimer: ==<br />
<br />
I am an ordinary OpenBSD user. I am not a sysadmin, developer, programmer, kung-fu master, or expert in any of these areas. This guide is mainly a writeup for myself so I can replicate these steps in the future. If someone finds it helpful, fine, but it is by no means the only way or even the best way to configure an email server. There are most likely mistakes in this guide, so take it for what it's worth and YMMV. If your email breaks because of this guide, then don't run your own email server. Feedback and corrections are welcome.<br />
<br />
== Updates: ==<br />
<br />
Updated the last line of example smtpd.conf from "for any" to "for domain <vdomains>". Thanks to Christoph on the opensmtpd-misc mailing list.<br />
Removed bit about enabling pf since it's enabled by default. Duh. Also changed notations of port 587 to 'submission' which is the name of that port in /etc/services. Thanks to rjc.<br />
<br />
== Resources: ==<br />
* OpenBSD FAQ (required)<br />
* OpenBSD man pages (required)<br />
* OpenSMTPD wiki<br />
* Helpful thread on OpenSMTPD mailing list re: tagging and proxying<br />
* http://www.kernel-panic.it/openbsd/mail/ (the bits about ClamAV and SpamAssassing are helpful)<br />
* https://coderwall.com/p/eejzja/simple-smtp-server-with-opensmtpd<br />
* http://blog.ehouse.io/mail-server-basic-smtp.html<br />
* http://blog.admiral0.it/computing/mail-server-with-opensmtpd-dovecot-and-amavisdspamassassin<br />
<br /><br />
<br />
= Initial Setup =<br />
<br />
# Install OpenBSD 5.6. If using the auto-partitioner, make sure enough space is allocated to /usr and /usr/src to allow for extracting the sources (below). Edit /etc/rc.conf.local and add “-s” to ntpd_flags so time is set at boot if desired.<br />
# Add a rule to default /etc/pf.conf to allow incoming ssh connections, such as:<br />
#:<code># cat /etc/pf.conf<br />&hellip;<br />pass in on egress proto tcp to any port ssh<br />&hellip;</code><br />
# Reload pf with:<br />
#:<code># pfctl -f /etc/pf.conf</code><br />
# Update the system by [http://www.openbsd.org/faq/faq5.html#BldGetSrc fetching the sources] via ftp and [http://www.openbsd.org/errata60.html patching].<br />
# Set up $PKG_PATH to install packages.<br />
# Configure MX records etc. at domain registrar, perhaps with an unused domain for testing purposes.<br /><br /><br />
<br />
= OpenSMTPD и spamd =<br />
# Read the man page for smtpd and smtpd.conf and review the configuration files.<br />
# Set up virtual users and virtual domains:<br />
#:<code># cat /etc/mail/vusers</code><br />
#:<code>joe@example.com joe</code><br />
#:<code>@example.com joe</code><br />
#:<code>joe@example.net joe</code><br />
#:<code>@example.net joe</code><br />
#:<br /><br />
#:<code># cat /etc/mail/vdomains</code><br />
#:<code>example.com</code><br />
#:<code>example.net</code><br />
#:<br /><br />
# Create SSL certificates as described in man 5 smtpd.conf:<br />
#:<code># openssl genrsa -out /etc/ssl/private/mail.example.com.key 4096</code><br />
#:<code># openssl req -new -x509 -key /etc/ssl/private/mail.example.com.key -out /etc/ssl/mail.example.com.crt -days 365</code><br />
#:<code># chmod 600 /etc/ssl/mail.example.com.crt</code><br />
#:<code># chmod 600 /etc/ssl/private/mail.example.com.key</code><br />
#:<br /><br />
# Create ~/Maildir for user ("joe" in this example).<br />
# Edit /etc/mail/smtpd.conf so it listens on egress with tls (for incoming mail) and egress port 587 (submission) with tls and authentication (for outgoing mail), accepts mail for virtual users and virtual domains, and delivers this mail to Maildir. Note that the smtpd.conf man page clearly says: "For each message processed by the daemon, the filter rules are evaluated in sequential order, from first to last. The first matching rule decides what action is taken." Therefore, the order of the rules in smtpd.conf is very important and will become more important as additional bits are added (e.g. for clamsmtp, spampd, and dkimproxy).<br />
#:<code># cat /etc/mail/smtpd.conf</code><br />
#:<code>pki mail.example.com certificate "/etc/ssl/mail.example.com.crt"</code><br />
#:<code>pki mail.example.com key "/etc/ssl/private/mail.example.com.key"</code><br />
#:<br /><br />
#:<code>listen on lo0</code><br />
#:<code>listen on egress tls pki mail.example.com auth-optional</code><br />
#:<code>listen on egress port submission tls-require pki mail.example.com auth</code><br />
#:<br /><br />
#:<code>table aliases db:/etc/mail/aliases.db</code><br />
#:<code>table vusers file:/etc/mail/vusers</code><br />
#:<code>table vdomains file:/etc/mail/vdomains</code><br />
#:<br /><br />
#:<code>accept for local alias <aliases> deliver to maildir</code><br />
#:<br /><br />
#:<code>accept from any for domain <vdomains> virtual <vusers> deliver to maildir</code><br />
#:<code>accept from local for any relay</code><br />
#:<br /><br />
# Edit pf.conf to allow connections on smtp port 25 and port 587, such as:<br />
#:<code># cat /etc/pf.conf</code><br />
#:<code>...</code><br />
#:<code>pass in on egress proto tcp to any port smtp</code><br />
#:<code>pass in on egress proto tcp to any port submission</code><br />
#:<code>...</code><br />
#:<br /><br />
# Reload pf and start /etc/rc.d/smtpd.<br />
# Test sending mail to/from the user's account. Since there is no imap client yet, might want to install mutt or something similar and point to the user's ~/Maildir to check incoming mail. The user should be able to connect to OpenSMTPD on port 587 from an outside client to send mail through OpenSMTPD to another party. Sending outbound mail from the command line should also work. Perhaps telnet into the server or run a couple of SMTP checks against the server like this one to verify things are working correctly. The session transcript should look something like this:<br />
#:<code>Connecting to 123.456.789.000</code><br />
#:<br /><br />
#:<code>220 mail.example.com ESMTP OpenSMTPD [624 ms]</code><br />
#:<code>EHLO MXTB-PWS3.mxtoolbox.com</code><br />
#:<code>250-mail.example.com Hello MXTB-PWS3.mxtoolbox.com [64.20.227.133], pleased to meet you</code><br />
#:<code>250-8BITMIME</code><br />
#:<code>250-ENHANCEDSTATUSCODES</code><br />
#:<code>250-SIZE 36700160</code><br />
#:<code>250-DSN</code><br />
#:<code>250-STARTTLS</code><br />
#:<code>250 HELP [640 ms]</code><br />
#:<code>MAIL FROM: <supertool@mxtoolbox.com></code><br />
#:<code>250 2.0.0: Ok [640 ms]</code><br />
#:<code>RCPT TO: <test@example.com></code><br />
#:<code>550 Invalid recipient [640 ms]</code><br />
#:<br /><br />
#:<code>MXTB-PWS3v2 3260ms</code><br />
#:<br /><br />
# If that works, set up spamd. This is a very simple and standard setup and there are lots of resources out there on how to do this, but here is the shorthand: Add spamd_flags=”-v” to /etc/rc.conf.local. Edit /etc/mail/spamd.conf to add override/whitelist if desired (file /etc/mail/nospamd in sample pf rules). Add spamd pf rules from example /etc/pf.conf and comment out prior rule that passed smtp on egress (because now we want incoming mail to be redirected to spamd running on localhost port 8025):<br />
#:<code># cat /etc/pf.conf</code><br />
#:<br /><br />
#:<code>...</code><br />
#:<code>#pass in on egress proto tcp to any port smtp</code><br />
#:<code>pass in on egress proto tcp to any port submission</code><br />
#:<code># rules for spamd(8)</code><br />
#:<code>table <spamd-white> persist</code><br />
#:<code>table <nospamd> persist file "/etc/mail/nospamd"</code><br />
#:<code>pass in on egress proto tcp from any to any port smtp rdr-to 127.0.0.1 port spamd</code><br />
#:<code>pass in on egress proto tcp from <nospamd> to any port smtp</code><br />
#:<code>pass in log on egress proto tcp from <spamd-white> to any port smtp</code><br />
#:<code> pass out log on egress proto tcp to any port smtp</code><br />
#:<code>...</code><br />
#:<br /><br />
#:Reload pf and start /etc/rc.d/spamd. Check netstat to see if spamd is listening on port 8025:<br />
#:<code># netstat -na -f inet</code><br />
#:<br /><br />
# Send test emails again and check logs and 'spamdb' to see if email is getting greylisted. Once spamd is working, those third-party SMTP checks won't work because spamd is intercepting incoming mail. Same with telnet, if you can stand waiting for the stuttering. ;-) Anyway, now the session transcript should look something like this:<br />
#:<code>Connecting to 123.456.789.000</code><br />
#:<br /> <br />
#:<code>220 mail.example.com ESMTP spamd IP-based SPAM blocker; Sat Jan 31 11:33:21 2015 [11716 ms]</code><br />
#:<code>EHLO MXTB-PWS3.mxtoolbox.com</code><br />
#:<code>250 Hello, spam sender. Pleased to be wasting your time. [640 ms]</code><br />
#:<code>MAIL FROM: <supertool@mxtoolbox.com></code><br />
#:<code>250 You are about to try to deliver spam. Your time will be spent, for nothing. [640 ms]</code><br />
#:<code>RCPT TO: <test@example.com></code><br />
#:<code>250 This is hurting you more than it is hurting me. [640 ms]</code><br />
#:<br /> <br />
#:<code>MXTB-PWS3v2 14602ms</code><br />
#:<br /><br />
#:Haha. Love spamd.<br />
# So here is what's happening:<br />
#:<br />
#:'''Incoming mail''':<br />
#:pf -> relay to spamd -> send to opensmtpd on lo0 -> deliver to maildir<br />
#:<br /><br />
#:'''Outoing mail''':<br />
#:opensmtpd on lo0 -> relay out<br />
<br />
= ClamAV and ClamSMTP =<br />
# Install clamav and clamsmtp from packages.<br />
# Edit /etc/freshclam.conf -- comment out the “Example” line and uncomment the "DatabaseMirror" line and add the relevant country code in place of the "XY."<br />
#:<code># cat /etc/freshclam.conf</code><br />
#:<code>#Example</code><br />
#:<code>...</code><br />
#:<code>DatabaseMirror db.us.clamav.net</code><br />
#:<code>...</code><br />
#:<br /><br />
#:Run ‘freshclam’ to update the database. Add a freshclam command to root’s crontab to have periodic updates:<br />
#:<code>20 * * * * /usr/local/bin/freshclam >/dev/null 2>&1</code><br />
#:<br /><br />
# Once freshclam has updated the database, edit /etc/clamd.conf. Comment out the “Example” line, uncomment “TCPSocket” and “TCPAddr” lines and change them so clamd listens on port 3310 at 127.0.0.1.<br />
#:<code># cat /etc/clamd.conf</code><br />
#:<code>#Example</code><br />
#:<code>...</code><br />
#:<code>TCPSocket 3310</code><br />
#:<code>...</code><br />
#:<code>TCPAddr 127.0.0.1</code><br />
#:<code>...</code><br />
#:<br /><br />
#: Add “clamd” to pkg_scripts in /etc/rc.conf.local and then start clamd. Check netstat -na -f inet to see if clamd is running on 127.0.0.1:3310. Check out both /etc/freshclam.conf and /etc/clamd.conf to look at logging options or actions (in VirusEvent) to take when a virus is found. Can set it up so it drops an email into root's mailbox when a virus is found.<br />
# Now, set up clamsmtp, which is a proxy for clamd. Two config files will be used, one for incoming mail and one for outgoing mail. OpenSMTPD will accept mail, send it to clamsmtp on one port for incoming mail (10025) and a different port (10027) for outgoing mail. Clamsmtp will run the mail through clamd, and then return it to OpenSMTPD for incoming mail (10026) or outgoing mail (10028). Depending on which port the mail is returned to, OpenSMTPD will tag it CLAM_IN or CLAM_OUT.<br />
#: So copy /etc/clamsmtpd.conf and create /etc/clamsmtpd-in.conf and /etc/clamsmtpd-out.conf. Modify the files like so:<br />
#:<code># cat /etc/clamsmtpd-in.conf</code><br />
#:<code>OutAddress: 10026</code><br />
#:<code>...</code><br />
#:<code>Listen: 0.0.0.0:10025</code><br />
#:<code>...</code><br />
#:<code>ClamAddress: 127.0.0.1:3310</code><br />
#:<code>...</code><br />
#:<br /><br />
#:<code># cat /etc/clamsmtpd-out.conf</code><br />
#:<code>OutAddress: 10028</code><br />
#:<code>...</code><br />
#:<code>Listen: 0.0.0.0:10027</code><br />
#:<code>...</code><br />
#:<code>ClamAddress: 127.0.0.1:3310</code><br />
#:<code>...</code><br />
#:<br /><br />
# Start them both:<br />
#:<code># /usr/local/sbin/clamsmtpd -f /etc/clamsmtpd-in.conf</code><br />
#:<code># /usr/local/sbin/clamsmtpd -f /etc/clamsmtpd-out.conf</code><br />
#:<br /><br />
#:(add something similar to /etc/rc.local so they start at boot)<br />
# Edit /etc/mail/smtpd.conf so it looks like this:<br />
#:<code># cat /etc/mail/smtpd.conf</code><br />
#:<br /><br />
#:<code>pki mail.example.com certificate "/etc/ssl/mail.example.com.crt"</code><br />
#:<code>pki mail.example.com key "/etc/ssl/private/mail.example.com.key"</code><br />
#:<br /><br />
#:<code>listen on lo0</code><br />
#:<code>listen on lo0 port 10026 tag CLAM_IN # incoming mail</code><br />
#:<code>listen on lo0 port 10028 tag CLAM_OUT # outgoing mail</code><br />
#:<code>listen on egress tls pki mail.example.com auth-optional</code><br />
#:<code>listen on egress port submission tls-require pki mail.example.com auth</code><br />
#:<br /><br />
#:<code>table aliases db:/etc/mail/aliases.db</code><br />
#:<code>table vusers file:/etc/mail/vusers</code><br />
#:<code>table vdomains file:/etc/mail/vdomains</code><br />
#:<br /><br />
#:<code>accept for local alias <aliases> deliver to maildir</code><br />
#:<br /><br />
#:<code># tagged mail returned from clamsmtpd either deliver or relay</code><br />
#:<code>accept tagged CLAM_IN for domain <vdomains> virtual <vusers> deliver to maildir</code><br />
#:<code>accept tagged CLAM_OUT for any relay</code><br />
#:<br /><br />
#:<code># start here - untagged mail is sent to clamsmtpd</code><br />
#:<code>accept from any for domain <vdomains> relay via smtp://127.0.0.1:10025 # incoming mail</code><br />
#:<code>accept from local for any relay via smtp://127.0.0.1:10027 # outgoing mail</code><br />
#:<br /><br />
#: So here is what's happening:<br />
#: '''Incoming mail''':<br />
#: pf -> relay to spamd -> send to opensmtpd on lo0 -> relay untagged mail to clamsmtpd on port 10025 -> relay to clamd on port 3310 -> return to clamsmtpd -> return to opensmtpd on lo0 port 10026 and tag it CLAM_IN -> deliver to maildir<br />
#:<br /><br />
#: '''Outoing mail''':<br />
#: opensmtpd on lo0 -> relay untagged mail to clamsmtpd on port 10027 -> relay to clamd on port 3310 -> return to clamsmtpd -> return to opensmtpd on lo0 port 10028 and tag it CLAM_OUT -> relay out<br />
# Send some emails both ways. This should be in the header:<br />
#:<code>X-Virus-Scanned: ClamAV using ClamSMTP</code><br />
<br />
= SpamAssassin and SpamPD =<br />
# Install p5-Mail-SpamAssassin and spampd from packages.<br />
# Edit /etc/mail/spamassassin/local.cf and uncomment the "rewrite_header" line.<br />
# Spampd will be used as a proxy like clamsmtp. For purposes of this guide, only incoming mail will be scanned. Spampd by default runs on port 10025 but that port is already being used for clamsmtp. So, add the following to /etc/rc.conf.local:<br />
#:<code>spampd_flags="--port=10035 --relayhost=127.0.0.1:10036 --tagall -aw"</code><br />
#: With these flags, spampd will listen on port 10035 and after processing the mail through SpamAssassin, spampd will relay the mail back to port 10036, where OpenSMTPD will be listening.<br />
#: UPDATE: spampd seems to have trouble binding to the right port (10035 in this case) upon a reboot even with those spampd_flags set in /etc/rc.conf.local. It tries to bind to 10025 which, as noted previously, is being used by clamsmtp, and therefore spampd fails to work and incoming mail has no place to go when opensmtpd tries to relay it to spampd. I have to manually log in and kick spampd to get it to bind to 10035. Still investigating a solution other than changing all the ports around ...<br />
#: Add "spamassassin" and "spampd" to pkg_scripts in /etc/rc.conf.local and then start both spamassassin and spampd. A "netstat -na -f inet" should show spampd listening on port 10035.<br />
# Once spampd was processing mail, there were errors in /var/log/maillog along the lines of: “spampd Insecure dependency -T switch at Socket.pm” and it wasn't working. Turns out spampd needs patching for newer Perl. See this: https://github.com/mpaperno/spampd/issues/2. Here is a patch to /usr/local/sbin/spampd (also found here):<br />
#:<code>--- spampd.orig Thu Jan 29 23:19:45 2015</code><br />
#:<code>+++ spampd Thu Jan 29 23:21:31 2015</code><br />
#:<code>@@ -824,6 +824,22 @@ if ( $logsock !~ /^(unix|inet)$/ ) {</code><br />
#:<code> usage(0);</code><br />
#:<code> }</code><br />
#:<code>+# Untaint some options provided by admin command line.</code><br />
#:<code>+$pidfile =~ /^(.*)$/;</code><br />
#:<code>+$pidfile = $1;</code><br />
#:<code>+</code><br />
#:<code>+$relayhost =~ /^(.*)$/;</code><br />
#:<code>+$relayhost = $1;</code><br />
#:<code>+</code><br />
#:<code>+$relayport =~ /^(.*)$/;</code><br />
#:<code>+$relayport = $1;</code><br />
#:<code>+</code><br />
#:<code>+$host =~ /^(.*)$/;</code><br />
#:<code>+$host = $1;</code><br />
#:<code>+</code><br />
#:<code>+$port =~ /^(.*)$/;</code><br />
#:<code>+$port = $1;</code><br />
#:<code>+</code><br />
#:<code> if ( $options{tagall} ) { $tagall = 1; }</code><br />
#:<code> if ( $options{'log-rules-hit'} ) { $rh = 1; }</code><br />
#:<code> if ( $options{debug} ) { $debug = 1; $nsloglevel = 4; }</code><br />
#:<br /><br />
# Restart spampd after applying that patch.<br />
# Now, modify /etc/mail/smtpd.conf similar to what was done for clamsmtp:<br />
#:<code># cat /etc/mail/smtpd.conf</code><br />
#:<code>pki mail.example.com certificate "/etc/ssl/mail.example.com.crt"</code><br />
#:<code>pki mail.example.com key "/etc/ssl/private/mail.example.com.key"</code><br />
#:<br /><br />
#:<code>listen on lo0</code><br />
#:<code>listen on lo0 port 10026 tag CLAM_IN # incoming mail</code><br />
#:<code>listen on lo0 port 10028 tag CLAM_OUT # outgoing mail</code><br />
#:<code>listen on lo0 port 10036 tag SPAM_IN # incoming mail</code><br />
#:<code>listen on egress tls pki mail.example.com auth-optional</code><br />
#:<code>listen on egress port submission tls-require pki mail.example.com auth</code><br />
#:<br /><br />
#:<code>table aliases db:/etc/mail/aliases.db</code><br />
#:<code>table vusers file:/etc/mail/vusers</code><br />
#:<code>table vdomains file:/etc/mail/vdomains</code><br />
#:<br /><br />
#:<code>accept for local alias <aliases> deliver to maildir</code><br />
#:<br /><br />
#:<code># tagged mail returned from spampd deliver to maildir</code><br />
#:<code>accept tagged SPAM_IN for domain <vdomains> virtual <vusers> deliver to maildir</code><br />
#:<br /><br />
#:<code># tagged mail returned from clamsmtpd either send to spampd or relay</code><br />
#:<code>accept tagged CLAM_IN for any relay via smtp://127.0.0.1:10035 # send to spampd</code><br />
#:<code>accept tagged CLAM_OUT for any relay</code><br />
#:<br /><br />
#:<code># start here - untagged mail is sent to clamsmtpd</code><br />
#:<code>accept from any for domain <vdomains> relay via smtp://127.0.0.1:10025 # incoming mail</code><br />
#:<code>accept from local for any relay via smtp://127.0.0.1:10027 # outgoing mail</code><br />
#:<br /><br />
# There were still some errors in /var/log/maillog. First, there was something like this:<br />
#:<code>Feb 03 16:48:44 server spampd[22524]: spf: lookup failed: available_nameservers: No DNS servers available!</code><br />
#:<code>Feb 03 16:48:44 server spampd[22524]: rules: failed to run USER_IN_DEF_DKIM_WL test, skipping: (available_nameservers: No DNS servers available!)</code><br />
#:<br /><br />
#:Turns out, SpamAssassin had broken DNS lookups. Here is the patch to /usr/local/libdata/perl5/site_perl/Mail/SpamAssassin/DnsResolver.pm (also found here):<br />
#:<code>--- DnsResolver.pm.orig Fri Feb 7 03:36:28 2014</code><br />
#:<code>+++ DnsResolver.pm Thu Nov 13 16:04:01 2014</code><br />
#:<code>@@ -204,8 +204,10 @@</code><br />
#:<code> @ns_addr_port = @{$self->{conf}->{dns_servers}};</code><br />
#:<code> dbg("dns: servers set by config to: %s", join(', ',@ns_addr_port));</code><br />
#:<code> } elsif ($res) { # default as provided by Net::DNS, e.g. /etc/resolv.conf</code><br />
#:<code>- @ns_addr_port = map(untaint_var("[$_]:" . $res->{port}),</code><br />
#:<code>- @{$res->{nameservers}});</code><br />
#:<code>+ my @ns = $res->UNIVERSAL::can('nameservers') ? $res->nameservers</code><br />
#:<code>+ : @{$res->{nameservers}};</code><br />
#:<code>+ my $port = $res->UNIVERSAL::can('port') ? $res->port : $res->{port};</code><br />
#:<code>+ @ns_addr_port = map(untaint_var("[$_]:" . $port), @ns);</code><br />
#:<code> dbg("dns: servers obtained from Net::DNS : %s", join(', ',@ns_addr_port));</code><br />
#:<code> }</code><br />
#:<code> return @ns_addr_port;</code><br />
#:<br /><br />
# Then, there was this:<br />
#:<code>Feb 03 16:48:44 server spampd[22524]: plugin: eval failed: bayes: (in learn) locker: safe_lock: cannot create tmp lockfile /var/spampd/.spamassassin/bayes.lock.mail.example.com.22524 for /var/spampd/.spamassassin/bayes.lock: Permission denied</code><br />
#: It appeared that although /var/spampd was set to _spampd:_spampd, the /var/spampd/.spamassassin was set to root:_spampd and the permissions were 700 (IIRC). Anyway, chown that directory to also be _spampd:_spampd and then it appears to work fine.<br />
# So now here is what's happening:<br />
#: '''Incoming mail''':<br />
#: pf -> relay to spamd -> send to opensmtpd on lo0 -> relay untagged mail to clamsmtpd on port 10025 -> relay to clamd on port 3310 -> return to clamsmtpd -> return to opensmtpd on lo0 port 10026 and tag it CLAM_IN -> relay tagged CLAM_IN mail to spampd on port 10035 -> run it through SpamAssassin -> return to spampd -> return to opensmtpd on lo0 port 10036 and tag it SPAM_IN -> deliver to maildir<br />
#:<br /><br />
#: '''Outoing mail''' (unchanged from before since outgoing mail is not sent to spampd):<br />
#: opensmtpd on lo0 -> relay untagged mail to clamsmtpd on port 10027 -> relay to clamd on port 3310 -> return to clamsmtpd -> return to opensmtpd on lo0 port 10028 and tag it CLAM_OUT -> relay out<br />
# Test again, both ways. Use the GTUBE test to see if it’s flagged as spam. There should be SpamAssassin headers in the incoming email. SpamAssassin can be further set up for Bayesian training and cron entries for running sa-learn on designated directories.<br />
<br />
= Примечания =</div>Sshhttp://www.qbsd.ru/index.php?title=%D0%9F%D0%BE%D1%87%D1%82%D0%BE%D0%B2%D1%8B%D0%B9_%D1%81%D0%B5%D1%80%D0%B2%D0%B5%D1%80_%D0%BD%D0%B0_%D0%B1%D0%B0%D0%B7%D0%B5_OpenBSD_6.0&diff=471Почтовый сервер на базе OpenBSD 6.02016-09-15T02:32:20Z<p>Ssh: /* ClamAV and ClamSMTP */</p>
<hr />
<div>= Вступление =<br />
Перевод [http://technoquarter.blogspot.ru/2015/02/openbsd-mail-server.html статьи] Chess Griffin с небольшим количеством комментариев от переводчика, в основном связанных с тем, что с момента релиза [http://www.openbsd.org/56.html OpenBSD 5.6], система стала еще [http://www.openbsd.org/60.html лучше!]<br />
<br />
== Цель ==<br />
Создать достаточно безопасный почтовый сервер на базе OpenBSD и нескольких пакетов. OpenSMTPD, spamd, pf и httpd входят в состав базовой системы. Дополнительно потребуются [https://www.clamav.net ClamAV], [http://thewalter.net/stef/software/clamsmtp ClamSMTP], [http://spamassassin.apache.org SpamAssassin], [http://www.worlddesign.com/Content/rd/mta/spampd/spampd.html SpamPD], [http://dkimproxy.sourceforge.net DKIMproxy], [http://www.dovecot.org Dovecot], [http://pigeonhole.dovecot.org Dovecot-Pigeonhole] и [https://roundcube.net Roundcube].<br />
<br />
== Окончательный результат ==<br />
=== Обработка входящих сообщений ===<br />
pf -> spamd -> opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> spampd -> SpamAssassin -> spampd -> opensmtpd -> deliver to dovecot/lmtp<br />
<br />
=== Обработка исходящих сообщений ===<br />
opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> dkimproxy -> opensmtpd -> relay out<br />
<br />
=== Дополнительно ===<br />
Доступ посредством IMAP (SSL): Dovecot<br />
<br />
Доступ к почте через веб-интерфейса (SSL): httpd и Roundcube<br />
<br />
== Почему OpenBSD? ==<br />
Это прекрасная операционная система, созданная и поддерживаемая многими умными людьми. Кроме того, мне нравится, что большое количество великолепного программного обеспечения включено в базовую систему. Если вы найдёте это руководство полезным или откроете как восхитительна OpenBSD, пожалуйста подумайте над тем, чтобы поддержать проект - это может быть приобретение набора компакт дисков <ref>С релиза 6.1, OpenBSD [http://undeadly.org/cgi?action=article&sid=20160901090415 не будет распространяться на CD], но вы по прежнему можете [https://www.openbsdstore.com/cgi-bin/live/ecommerce.pl?site=shop_openbsdeurope_com&state=department приобрести] различные предметы с символикой OpenBSD. прим. переводчика</ref> или сделав [http://www.openbsd.org/donations.html пожертвование]. Команда разработчиков OpenBSD отлично выполняет свою работу, которая приносит пользу всему сообществу и ваша поддержка не будет лишней!<br />
<br />
== Зачем SpamAssassin в дополнение к spamd? ==<br />
<br />
Spamd отлично работает, не создавая лишней нагрузки. Он отлавливает большую часть моего спама (более 95%), так что я почти решил отказаться от возни со SpamAssassin. Но подумав, решил что будет интересно попробовать интегрировать их оба.<br />
<br />
== Почему не <вставьте имя любимой операционной системы или программы>? ==<br />
<br />
Никогда не слышал об этом. ;-)<br />
<br />
== Why bother with setting up your own email server to begin with? Why not just keep using Gmail? ==<br />
<br />
I used to run my own email server back when I hosted the Linux Reality podcast and decided it would be a fun exercise to try it again. The email server I set up using the steps in this guide might become my primary email server. Or, I might take the server down tomorrow and go back to using AOL and working on my Geocities page. Who knows?<br />
<br />
== Assumptions: ==<br />
<br />
This guide assumes an understanding of how to install and configure OpenBSD and an understanding of networking and email, both in general and in regards to OpenBSD in particular. Additionally, this guide assumes an understanding of how to install packages with a properly configured $PKG_PATH, how to work from the command line and edit configuration files, how to change DNS records and MX records, and other general nuts and bolts. These kinds of basic topics will not be covered in this guide.<br />
<br />
== Disclaimer: ==<br />
<br />
I am an ordinary OpenBSD user. I am not a sysadmin, developer, programmer, kung-fu master, or expert in any of these areas. This guide is mainly a writeup for myself so I can replicate these steps in the future. If someone finds it helpful, fine, but it is by no means the only way or even the best way to configure an email server. There are most likely mistakes in this guide, so take it for what it's worth and YMMV. If your email breaks because of this guide, then don't run your own email server. Feedback and corrections are welcome.<br />
<br />
== Updates: ==<br />
<br />
Updated the last line of example smtpd.conf from "for any" to "for domain <vdomains>". Thanks to Christoph on the opensmtpd-misc mailing list.<br />
Removed bit about enabling pf since it's enabled by default. Duh. Also changed notations of port 587 to 'submission' which is the name of that port in /etc/services. Thanks to rjc.<br />
<br />
== Resources: ==<br />
* OpenBSD FAQ (required)<br />
* OpenBSD man pages (required)<br />
* OpenSMTPD wiki<br />
* Helpful thread on OpenSMTPD mailing list re: tagging and proxying<br />
* http://www.kernel-panic.it/openbsd/mail/ (the bits about ClamAV and SpamAssassing are helpful)<br />
* https://coderwall.com/p/eejzja/simple-smtp-server-with-opensmtpd<br />
* http://blog.ehouse.io/mail-server-basic-smtp.html<br />
* http://blog.admiral0.it/computing/mail-server-with-opensmtpd-dovecot-and-amavisdspamassassin<br />
<br /><br />
<br />
= Initial Setup =<br />
<br />
# Install OpenBSD 5.6. If using the auto-partitioner, make sure enough space is allocated to /usr and /usr/src to allow for extracting the sources (below). Edit /etc/rc.conf.local and add “-s” to ntpd_flags so time is set at boot if desired.<br />
# Add a rule to default /etc/pf.conf to allow incoming ssh connections, such as:<br />
#:<code># cat /etc/pf.conf<br />&hellip;<br />pass in on egress proto tcp to any port ssh<br />&hellip;</code><br />
# Reload pf with:<br />
#:<code># pfctl -f /etc/pf.conf</code><br />
# Update the system by [http://www.openbsd.org/faq/faq5.html#BldGetSrc fetching the sources] via ftp and [http://www.openbsd.org/errata60.html patching].<br />
# Set up $PKG_PATH to install packages.<br />
# Configure MX records etc. at domain registrar, perhaps with an unused domain for testing purposes.<br /><br /><br />
<br />
= OpenSMTPD и spamd =<br />
# Read the man page for smtpd and smtpd.conf and review the configuration files.<br />
# Set up virtual users and virtual domains:<br />
#:<code># cat /etc/mail/vusers</code><br />
#:<code>joe@example.com joe</code><br />
#:<code>@example.com joe</code><br />
#:<code>joe@example.net joe</code><br />
#:<code>@example.net joe</code><br />
#:<br /><br />
#:<code># cat /etc/mail/vdomains</code><br />
#:<code>example.com</code><br />
#:<code>example.net</code><br />
#:<br /><br />
# Create SSL certificates as described in man 5 smtpd.conf:<br />
#:<code># openssl genrsa -out /etc/ssl/private/mail.example.com.key 4096</code><br />
#:<code># openssl req -new -x509 -key /etc/ssl/private/mail.example.com.key -out /etc/ssl/mail.example.com.crt -days 365</code><br />
#:<code># chmod 600 /etc/ssl/mail.example.com.crt</code><br />
#:<code># chmod 600 /etc/ssl/private/mail.example.com.key</code><br />
#:<br /><br />
# Create ~/Maildir for user ("joe" in this example).<br />
# Edit /etc/mail/smtpd.conf so it listens on egress with tls (for incoming mail) and egress port 587 (submission) with tls and authentication (for outgoing mail), accepts mail for virtual users and virtual domains, and delivers this mail to Maildir. Note that the smtpd.conf man page clearly says: "For each message processed by the daemon, the filter rules are evaluated in sequential order, from first to last. The first matching rule decides what action is taken." Therefore, the order of the rules in smtpd.conf is very important and will become more important as additional bits are added (e.g. for clamsmtp, spampd, and dkimproxy).<br />
#:<code># cat /etc/mail/smtpd.conf</code><br />
#:<code>pki mail.example.com certificate "/etc/ssl/mail.example.com.crt"</code><br />
#:<code>pki mail.example.com key "/etc/ssl/private/mail.example.com.key"</code><br />
#:<br /><br />
#:<code>listen on lo0</code><br />
#:<code>listen on egress tls pki mail.example.com auth-optional</code><br />
#:<code>listen on egress port submission tls-require pki mail.example.com auth</code><br />
#:<br /><br />
#:<code>table aliases db:/etc/mail/aliases.db</code><br />
#:<code>table vusers file:/etc/mail/vusers</code><br />
#:<code>table vdomains file:/etc/mail/vdomains</code><br />
#:<br /><br />
#:<code>accept for local alias <aliases> deliver to maildir</code><br />
#:<br /><br />
#:<code>accept from any for domain <vdomains> virtual <vusers> deliver to maildir</code><br />
#:<code>accept from local for any relay</code><br />
#:<br /><br />
# Edit pf.conf to allow connections on smtp port 25 and port 587, such as:<br />
#:<code># cat /etc/pf.conf</code><br />
#:<code>...</code><br />
#:<code>pass in on egress proto tcp to any port smtp</code><br />
#:<code>pass in on egress proto tcp to any port submission</code><br />
#:<code>...</code><br />
#:<br /><br />
# Reload pf and start /etc/rc.d/smtpd.<br />
# Test sending mail to/from the user's account. Since there is no imap client yet, might want to install mutt or something similar and point to the user's ~/Maildir to check incoming mail. The user should be able to connect to OpenSMTPD on port 587 from an outside client to send mail through OpenSMTPD to another party. Sending outbound mail from the command line should also work. Perhaps telnet into the server or run a couple of SMTP checks against the server like this one to verify things are working correctly. The session transcript should look something like this:<br />
#:<code>Connecting to 123.456.789.000</code><br />
#:<br /><br />
#:<code>220 mail.example.com ESMTP OpenSMTPD [624 ms]</code><br />
#:<code>EHLO MXTB-PWS3.mxtoolbox.com</code><br />
#:<code>250-mail.example.com Hello MXTB-PWS3.mxtoolbox.com [64.20.227.133], pleased to meet you</code><br />
#:<code>250-8BITMIME</code><br />
#:<code>250-ENHANCEDSTATUSCODES</code><br />
#:<code>250-SIZE 36700160</code><br />
#:<code>250-DSN</code><br />
#:<code>250-STARTTLS</code><br />
#:<code>250 HELP [640 ms]</code><br />
#:<code>MAIL FROM: <supertool@mxtoolbox.com></code><br />
#:<code>250 2.0.0: Ok [640 ms]</code><br />
#:<code>RCPT TO: <test@example.com></code><br />
#:<code>550 Invalid recipient [640 ms]</code><br />
#:<br /><br />
#:<code>MXTB-PWS3v2 3260ms</code><br />
#:<br /><br />
# If that works, set up spamd. This is a very simple and standard setup and there are lots of resources out there on how to do this, but here is the shorthand: Add spamd_flags=”-v” to /etc/rc.conf.local. Edit /etc/mail/spamd.conf to add override/whitelist if desired (file /etc/mail/nospamd in sample pf rules). Add spamd pf rules from example /etc/pf.conf and comment out prior rule that passed smtp on egress (because now we want incoming mail to be redirected to spamd running on localhost port 8025):<br />
#:<code># cat /etc/pf.conf</code><br />
#:<br /><br />
#:<code>...</code><br />
#:<code>#pass in on egress proto tcp to any port smtp</code><br />
#:<code>pass in on egress proto tcp to any port submission</code><br />
#:<code># rules for spamd(8)</code><br />
#:<code>table <spamd-white> persist</code><br />
#:<code>table <nospamd> persist file "/etc/mail/nospamd"</code><br />
#:<code>pass in on egress proto tcp from any to any port smtp rdr-to 127.0.0.1 port spamd</code><br />
#:<code>pass in on egress proto tcp from <nospamd> to any port smtp</code><br />
#:<code>pass in log on egress proto tcp from <spamd-white> to any port smtp</code><br />
#:<code> pass out log on egress proto tcp to any port smtp</code><br />
#:<code>...</code><br />
#:<br /><br />
#:Reload pf and start /etc/rc.d/spamd. Check netstat to see if spamd is listening on port 8025:<br />
#:<code># netstat -na -f inet</code><br />
#:<br /><br />
# Send test emails again and check logs and 'spamdb' to see if email is getting greylisted. Once spamd is working, those third-party SMTP checks won't work because spamd is intercepting incoming mail. Same with telnet, if you can stand waiting for the stuttering. ;-) Anyway, now the session transcript should look something like this:<br />
#:<code>Connecting to 123.456.789.000</code><br />
#:<br /> <br />
#:<code>220 mail.example.com ESMTP spamd IP-based SPAM blocker; Sat Jan 31 11:33:21 2015 [11716 ms]</code><br />
#:<code>EHLO MXTB-PWS3.mxtoolbox.com</code><br />
#:<code>250 Hello, spam sender. Pleased to be wasting your time. [640 ms]</code><br />
#:<code>MAIL FROM: <supertool@mxtoolbox.com></code><br />
#:<code>250 You are about to try to deliver spam. Your time will be spent, for nothing. [640 ms]</code><br />
#:<code>RCPT TO: <test@example.com></code><br />
#:<code>250 This is hurting you more than it is hurting me. [640 ms]</code><br />
#:<br /> <br />
#:<code>MXTB-PWS3v2 14602ms</code><br />
#:<br /><br />
#:Haha. Love spamd.<br />
# So here is what's happening:<br />
#:<br />
#:'''Incoming mail''':<br />
#:pf -> relay to spamd -> send to opensmtpd on lo0 -> deliver to maildir<br />
#:<br /><br />
#:'''Outoing mail''':<br />
#:opensmtpd on lo0 -> relay out<br />
<br />
= ClamAV and ClamSMTP =<br />
# Install clamav and clamsmtp from packages.<br />
# Edit /etc/freshclam.conf -- comment out the “Example” line and uncomment the "DatabaseMirror" line and add the relevant country code in place of the "XY."<br />
#:<code># cat /etc/freshclam.conf</code><br />
#:<code>#Example</code><br />
#:<code>...</code><br />
#:<code>DatabaseMirror db.us.clamav.net</code><br />
#:<code>...</code><br />
#:<br /><br />
#:Run ‘freshclam’ to update the database. Add a freshclam command to root’s crontab to have periodic updates:<br />
#:<code>20 * * * * /usr/local/bin/freshclam >/dev/null 2>&1</code><br />
#:<br /><br />
# Once freshclam has updated the database, edit /etc/clamd.conf. Comment out the “Example” line, uncomment “TCPSocket” and “TCPAddr” lines and change them so clamd listens on port 3310 at 127.0.0.1.<br />
#:<code># cat /etc/clamd.conf</code><br />
#:<code>#Example</code><br />
#:<code>...</code><br />
#:<code>TCPSocket 3310</code><br />
#:<code>...</code><br />
#:<code>TCPAddr 127.0.0.1</code><br />
#:<code>...</code><br />
#:<br /><br />
#: Add “clamd” to pkg_scripts in /etc/rc.conf.local and then start clamd. Check netstat -na -f inet to see if clamd is running on 127.0.0.1:3310. Check out both /etc/freshclam.conf and /etc/clamd.conf to look at logging options or actions (in VirusEvent) to take when a virus is found. Can set it up so it drops an email into root's mailbox when a virus is found.<br />
# Now, set up clamsmtp, which is a proxy for clamd. Two config files will be used, one for incoming mail and one for outgoing mail. OpenSMTPD will accept mail, send it to clamsmtp on one port for incoming mail (10025) and a different port (10027) for outgoing mail. Clamsmtp will run the mail through clamd, and then return it to OpenSMTPD for incoming mail (10026) or outgoing mail (10028). Depending on which port the mail is returned to, OpenSMTPD will tag it CLAM_IN or CLAM_OUT.<br />
#: So copy /etc/clamsmtpd.conf and create /etc/clamsmtpd-in.conf and /etc/clamsmtpd-out.conf. Modify the files like so:<br />
#:<code># cat /etc/clamsmtpd-in.conf</code><br />
#:<code>OutAddress: 10026</code><br />
#:<code>...</code><br />
#:<code>Listen: 0.0.0.0:10025</code><br />
#:<code>...</code><br />
#:<code>ClamAddress: 127.0.0.1:3310</code><br />
#:<code>...</code><br />
#:<br /><br />
#:<code># cat /etc/clamsmtpd-out.conf</code><br />
#:<code>OutAddress: 10028</code><br />
#:<code>...</code><br />
#:<code>Listen: 0.0.0.0:10027</code><br />
#:<code>...</code><br />
#:<code>ClamAddress: 127.0.0.1:3310</code><br />
#:<code>...</code><br />
#:<br /><br />
# Start them both:<br />
#:<code># /usr/local/sbin/clamsmtpd -f /etc/clamsmtpd-in.conf</code><br />
#:<code># /usr/local/sbin/clamsmtpd -f /etc/clamsmtpd-out.conf</code><br />
#:<br /><br />
#:(add something similar to /etc/rc.local so they start at boot)<br />
# Edit /etc/mail/smtpd.conf so it looks like this:<br />
#:<code># cat /etc/mail/smtpd.conf</code><br />
#:<br /><br />
#:<code>pki mail.example.com certificate "/etc/ssl/mail.example.com.crt"</code><br />
#:<code>pki mail.example.com key "/etc/ssl/private/mail.example.com.key"</code><br />
#:<br /><br />
#:<code>listen on lo0</code><br />
#:<code>listen on lo0 port 10026 tag CLAM_IN # incoming mail</code><br />
#:<code>listen on lo0 port 10028 tag CLAM_OUT # outgoing mail</code><br />
#:<code>listen on egress tls pki mail.example.com auth-optional</code><br />
#:<code>listen on egress port submission tls-require pki mail.example.com auth</code><br />
#:<br /><br />
#:<code>table aliases db:/etc/mail/aliases.db</code><br />
#:<code>table vusers file:/etc/mail/vusers</code><br />
#:<code>table vdomains file:/etc/mail/vdomains</code><br />
#:<br /><br />
#:<code>accept for local alias <aliases> deliver to maildir</code><br />
#:<br /><br />
#:<code># tagged mail returned from clamsmtpd either deliver or relay</code><br />
#:<code>accept tagged CLAM_IN for domain <vdomains> virtual <vusers> deliver to maildir</code><br />
#:<code>accept tagged CLAM_OUT for any relay</code><br />
#:<br /><br />
#:<code># start here - untagged mail is sent to clamsmtpd</code><br />
#:<code>accept from any for domain <vdomains> relay via smtp://127.0.0.1:10025 # incoming mail</code><br />
#:<code>accept from local for any relay via smtp://127.0.0.1:10027 # outgoing mail</code><br />
#:<br /><br />
#: So here is what's happening:<br />
#: '''Incoming mail''':<br />
#: pf -> relay to spamd -> send to opensmtpd on lo0 -> relay untagged mail to clamsmtpd on port 10025 -> relay to clamd on port 3310 -> return to clamsmtpd -> return to opensmtpd on lo0 port 10026 and tag it CLAM_IN -> deliver to maildir<br />
#:<br /><br />
#: '''Outoing mail''':<br />
#: opensmtpd on lo0 -> relay untagged mail to clamsmtpd on port 10027 -> relay to clamd on port 3310 -> return to clamsmtpd -> return to opensmtpd on lo0 port 10028 and tag it CLAM_OUT -> relay out<br />
# Send some emails both ways. This should be in the header:<br />
#:<code>X-Virus-Scanned: ClamAV using ClamSMTP</code><br />
<br />
= SpamAssassin and SpamPD =<br />
<br />
<br />
= Примечания =</div>Sshhttp://www.qbsd.ru/index.php?title=%D0%9F%D0%BE%D1%87%D1%82%D0%BE%D0%B2%D1%8B%D0%B9_%D1%81%D0%B5%D1%80%D0%B2%D0%B5%D1%80_%D0%BD%D0%B0_%D0%B1%D0%B0%D0%B7%D0%B5_OpenBSD_6.0&diff=470Почтовый сервер на базе OpenBSD 6.02016-09-15T02:31:48Z<p>Ssh: </p>
<hr />
<div>= Вступление =<br />
Перевод [http://technoquarter.blogspot.ru/2015/02/openbsd-mail-server.html статьи] Chess Griffin с небольшим количеством комментариев от переводчика, в основном связанных с тем, что с момента релиза [http://www.openbsd.org/56.html OpenBSD 5.6], система стала еще [http://www.openbsd.org/60.html лучше!]<br />
<br />
== Цель ==<br />
Создать достаточно безопасный почтовый сервер на базе OpenBSD и нескольких пакетов. OpenSMTPD, spamd, pf и httpd входят в состав базовой системы. Дополнительно потребуются [https://www.clamav.net ClamAV], [http://thewalter.net/stef/software/clamsmtp ClamSMTP], [http://spamassassin.apache.org SpamAssassin], [http://www.worlddesign.com/Content/rd/mta/spampd/spampd.html SpamPD], [http://dkimproxy.sourceforge.net DKIMproxy], [http://www.dovecot.org Dovecot], [http://pigeonhole.dovecot.org Dovecot-Pigeonhole] и [https://roundcube.net Roundcube].<br />
<br />
== Окончательный результат ==<br />
=== Обработка входящих сообщений ===<br />
pf -> spamd -> opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> spampd -> SpamAssassin -> spampd -> opensmtpd -> deliver to dovecot/lmtp<br />
<br />
=== Обработка исходящих сообщений ===<br />
opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> dkimproxy -> opensmtpd -> relay out<br />
<br />
=== Дополнительно ===<br />
Доступ посредством IMAP (SSL): Dovecot<br />
<br />
Доступ к почте через веб-интерфейса (SSL): httpd и Roundcube<br />
<br />
== Почему OpenBSD? ==<br />
Это прекрасная операционная система, созданная и поддерживаемая многими умными людьми. Кроме того, мне нравится, что большое количество великолепного программного обеспечения включено в базовую систему. Если вы найдёте это руководство полезным или откроете как восхитительна OpenBSD, пожалуйста подумайте над тем, чтобы поддержать проект - это может быть приобретение набора компакт дисков <ref>С релиза 6.1, OpenBSD [http://undeadly.org/cgi?action=article&sid=20160901090415 не будет распространяться на CD], но вы по прежнему можете [https://www.openbsdstore.com/cgi-bin/live/ecommerce.pl?site=shop_openbsdeurope_com&state=department приобрести] различные предметы с символикой OpenBSD. прим. переводчика</ref> или сделав [http://www.openbsd.org/donations.html пожертвование]. Команда разработчиков OpenBSD отлично выполняет свою работу, которая приносит пользу всему сообществу и ваша поддержка не будет лишней!<br />
<br />
== Зачем SpamAssassin в дополнение к spamd? ==<br />
<br />
Spamd отлично работает, не создавая лишней нагрузки. Он отлавливает большую часть моего спама (более 95%), так что я почти решил отказаться от возни со SpamAssassin. Но подумав, решил что будет интересно попробовать интегрировать их оба.<br />
<br />
== Почему не <вставьте имя любимой операционной системы или программы>? ==<br />
<br />
Никогда не слышал об этом. ;-)<br />
<br />
== Why bother with setting up your own email server to begin with? Why not just keep using Gmail? ==<br />
<br />
I used to run my own email server back when I hosted the Linux Reality podcast and decided it would be a fun exercise to try it again. The email server I set up using the steps in this guide might become my primary email server. Or, I might take the server down tomorrow and go back to using AOL and working on my Geocities page. Who knows?<br />
<br />
== Assumptions: ==<br />
<br />
This guide assumes an understanding of how to install and configure OpenBSD and an understanding of networking and email, both in general and in regards to OpenBSD in particular. Additionally, this guide assumes an understanding of how to install packages with a properly configured $PKG_PATH, how to work from the command line and edit configuration files, how to change DNS records and MX records, and other general nuts and bolts. These kinds of basic topics will not be covered in this guide.<br />
<br />
== Disclaimer: ==<br />
<br />
I am an ordinary OpenBSD user. I am not a sysadmin, developer, programmer, kung-fu master, or expert in any of these areas. This guide is mainly a writeup for myself so I can replicate these steps in the future. If someone finds it helpful, fine, but it is by no means the only way or even the best way to configure an email server. There are most likely mistakes in this guide, so take it for what it's worth and YMMV. If your email breaks because of this guide, then don't run your own email server. Feedback and corrections are welcome.<br />
<br />
== Updates: ==<br />
<br />
Updated the last line of example smtpd.conf from "for any" to "for domain <vdomains>". Thanks to Christoph on the opensmtpd-misc mailing list.<br />
Removed bit about enabling pf since it's enabled by default. Duh. Also changed notations of port 587 to 'submission' which is the name of that port in /etc/services. Thanks to rjc.<br />
<br />
== Resources: ==<br />
* OpenBSD FAQ (required)<br />
* OpenBSD man pages (required)<br />
* OpenSMTPD wiki<br />
* Helpful thread on OpenSMTPD mailing list re: tagging and proxying<br />
* http://www.kernel-panic.it/openbsd/mail/ (the bits about ClamAV and SpamAssassing are helpful)<br />
* https://coderwall.com/p/eejzja/simple-smtp-server-with-opensmtpd<br />
* http://blog.ehouse.io/mail-server-basic-smtp.html<br />
* http://blog.admiral0.it/computing/mail-server-with-opensmtpd-dovecot-and-amavisdspamassassin<br />
<br /><br />
<br />
= Initial Setup =<br />
<br />
# Install OpenBSD 5.6. If using the auto-partitioner, make sure enough space is allocated to /usr and /usr/src to allow for extracting the sources (below). Edit /etc/rc.conf.local and add “-s” to ntpd_flags so time is set at boot if desired.<br />
# Add a rule to default /etc/pf.conf to allow incoming ssh connections, such as:<br />
#:<code># cat /etc/pf.conf<br />&hellip;<br />pass in on egress proto tcp to any port ssh<br />&hellip;</code><br />
# Reload pf with:<br />
#:<code># pfctl -f /etc/pf.conf</code><br />
# Update the system by [http://www.openbsd.org/faq/faq5.html#BldGetSrc fetching the sources] via ftp and [http://www.openbsd.org/errata60.html patching].<br />
# Set up $PKG_PATH to install packages.<br />
# Configure MX records etc. at domain registrar, perhaps with an unused domain for testing purposes.<br /><br /><br />
<br />
= OpenSMTPD и spamd =<br />
# Read the man page for smtpd and smtpd.conf and review the configuration files.<br />
# Set up virtual users and virtual domains:<br />
#:<code># cat /etc/mail/vusers</code><br />
#:<code>joe@example.com joe</code><br />
#:<code>@example.com joe</code><br />
#:<code>joe@example.net joe</code><br />
#:<code>@example.net joe</code><br />
#:<br /><br />
#:<code># cat /etc/mail/vdomains</code><br />
#:<code>example.com</code><br />
#:<code>example.net</code><br />
#:<br /><br />
# Create SSL certificates as described in man 5 smtpd.conf:<br />
#:<code># openssl genrsa -out /etc/ssl/private/mail.example.com.key 4096</code><br />
#:<code># openssl req -new -x509 -key /etc/ssl/private/mail.example.com.key -out /etc/ssl/mail.example.com.crt -days 365</code><br />
#:<code># chmod 600 /etc/ssl/mail.example.com.crt</code><br />
#:<code># chmod 600 /etc/ssl/private/mail.example.com.key</code><br />
#:<br /><br />
# Create ~/Maildir for user ("joe" in this example).<br />
# Edit /etc/mail/smtpd.conf so it listens on egress with tls (for incoming mail) and egress port 587 (submission) with tls and authentication (for outgoing mail), accepts mail for virtual users and virtual domains, and delivers this mail to Maildir. Note that the smtpd.conf man page clearly says: "For each message processed by the daemon, the filter rules are evaluated in sequential order, from first to last. The first matching rule decides what action is taken." Therefore, the order of the rules in smtpd.conf is very important and will become more important as additional bits are added (e.g. for clamsmtp, spampd, and dkimproxy).<br />
#:<code># cat /etc/mail/smtpd.conf</code><br />
#:<code>pki mail.example.com certificate "/etc/ssl/mail.example.com.crt"</code><br />
#:<code>pki mail.example.com key "/etc/ssl/private/mail.example.com.key"</code><br />
#:<br /><br />
#:<code>listen on lo0</code><br />
#:<code>listen on egress tls pki mail.example.com auth-optional</code><br />
#:<code>listen on egress port submission tls-require pki mail.example.com auth</code><br />
#:<br /><br />
#:<code>table aliases db:/etc/mail/aliases.db</code><br />
#:<code>table vusers file:/etc/mail/vusers</code><br />
#:<code>table vdomains file:/etc/mail/vdomains</code><br />
#:<br /><br />
#:<code>accept for local alias <aliases> deliver to maildir</code><br />
#:<br /><br />
#:<code>accept from any for domain <vdomains> virtual <vusers> deliver to maildir</code><br />
#:<code>accept from local for any relay</code><br />
#:<br /><br />
# Edit pf.conf to allow connections on smtp port 25 and port 587, such as:<br />
#:<code># cat /etc/pf.conf</code><br />
#:<code>...</code><br />
#:<code>pass in on egress proto tcp to any port smtp</code><br />
#:<code>pass in on egress proto tcp to any port submission</code><br />
#:<code>...</code><br />
#:<br /><br />
# Reload pf and start /etc/rc.d/smtpd.<br />
# Test sending mail to/from the user's account. Since there is no imap client yet, might want to install mutt or something similar and point to the user's ~/Maildir to check incoming mail. The user should be able to connect to OpenSMTPD on port 587 from an outside client to send mail through OpenSMTPD to another party. Sending outbound mail from the command line should also work. Perhaps telnet into the server or run a couple of SMTP checks against the server like this one to verify things are working correctly. The session transcript should look something like this:<br />
#:<code>Connecting to 123.456.789.000</code><br />
#:<br /><br />
#:<code>220 mail.example.com ESMTP OpenSMTPD [624 ms]</code><br />
#:<code>EHLO MXTB-PWS3.mxtoolbox.com</code><br />
#:<code>250-mail.example.com Hello MXTB-PWS3.mxtoolbox.com [64.20.227.133], pleased to meet you</code><br />
#:<code>250-8BITMIME</code><br />
#:<code>250-ENHANCEDSTATUSCODES</code><br />
#:<code>250-SIZE 36700160</code><br />
#:<code>250-DSN</code><br />
#:<code>250-STARTTLS</code><br />
#:<code>250 HELP [640 ms]</code><br />
#:<code>MAIL FROM: <supertool@mxtoolbox.com></code><br />
#:<code>250 2.0.0: Ok [640 ms]</code><br />
#:<code>RCPT TO: <test@example.com></code><br />
#:<code>550 Invalid recipient [640 ms]</code><br />
#:<br /><br />
#:<code>MXTB-PWS3v2 3260ms</code><br />
#:<br /><br />
# If that works, set up spamd. This is a very simple and standard setup and there are lots of resources out there on how to do this, but here is the shorthand: Add spamd_flags=”-v” to /etc/rc.conf.local. Edit /etc/mail/spamd.conf to add override/whitelist if desired (file /etc/mail/nospamd in sample pf rules). Add spamd pf rules from example /etc/pf.conf and comment out prior rule that passed smtp on egress (because now we want incoming mail to be redirected to spamd running on localhost port 8025):<br />
#:<code># cat /etc/pf.conf</code><br />
#:<br /><br />
#:<code>...</code><br />
#:<code>#pass in on egress proto tcp to any port smtp</code><br />
#:<code>pass in on egress proto tcp to any port submission</code><br />
#:<code># rules for spamd(8)</code><br />
#:<code>table <spamd-white> persist</code><br />
#:<code>table <nospamd> persist file "/etc/mail/nospamd"</code><br />
#:<code>pass in on egress proto tcp from any to any port smtp rdr-to 127.0.0.1 port spamd</code><br />
#:<code>pass in on egress proto tcp from <nospamd> to any port smtp</code><br />
#:<code>pass in log on egress proto tcp from <spamd-white> to any port smtp</code><br />
#:<code> pass out log on egress proto tcp to any port smtp</code><br />
#:<code>...</code><br />
#:<br /><br />
#:Reload pf and start /etc/rc.d/spamd. Check netstat to see if spamd is listening on port 8025:<br />
#:<code># netstat -na -f inet</code><br />
#:<br /><br />
# Send test emails again and check logs and 'spamdb' to see if email is getting greylisted. Once spamd is working, those third-party SMTP checks won't work because spamd is intercepting incoming mail. Same with telnet, if you can stand waiting for the stuttering. ;-) Anyway, now the session transcript should look something like this:<br />
#:<code>Connecting to 123.456.789.000</code><br />
#:<br /> <br />
#:<code>220 mail.example.com ESMTP spamd IP-based SPAM blocker; Sat Jan 31 11:33:21 2015 [11716 ms]</code><br />
#:<code>EHLO MXTB-PWS3.mxtoolbox.com</code><br />
#:<code>250 Hello, spam sender. Pleased to be wasting your time. [640 ms]</code><br />
#:<code>MAIL FROM: <supertool@mxtoolbox.com></code><br />
#:<code>250 You are about to try to deliver spam. Your time will be spent, for nothing. [640 ms]</code><br />
#:<code>RCPT TO: <test@example.com></code><br />
#:<code>250 This is hurting you more than it is hurting me. [640 ms]</code><br />
#:<br /> <br />
#:<code>MXTB-PWS3v2 14602ms</code><br />
#:<br /><br />
#:Haha. Love spamd.<br />
# So here is what's happening:<br />
#:<br />
#:'''Incoming mail''':<br />
#:pf -> relay to spamd -> send to opensmtpd on lo0 -> deliver to maildir<br />
#:<br /><br />
#:'''Outoing mail''':<br />
#:opensmtpd on lo0 -> relay out<br />
<br />
= ClamAV and ClamSMTP =<br />
# Install clamav and clamsmtp from packages.<br />
# Edit /etc/freshclam.conf -- comment out the “Example” line and uncomment the "DatabaseMirror" line and add the relevant country code in place of the "XY."<br />
#:<code># cat /etc/freshclam.conf</code><br />
#:<code>#Example</code><br />
#:<code>...</code><br />
#:<code>DatabaseMirror db.us.clamav.net</code><br />
#:<code>...</code><br />
#:<br /><br />
#:Run ‘freshclam’ to update the database. Add a freshclam command to root’s crontab to have periodic updates:<br />
#:<code>20 * * * * /usr/local/bin/freshclam >/dev/null 2>&1</code><br />
#:<br /><br />
# Once freshclam has updated the database, edit /etc/clamd.conf. Comment out the “Example” line, uncomment “TCPSocket” and “TCPAddr” lines and change them so clamd listens on port 3310 at 127.0.0.1.<br />
#:<code># cat /etc/clamd.conf</code><br />
#:<code>#Example</code><br />
#:<code>...</code><br />
#:<code>TCPSocket 3310</code><br />
#:<code>...</code><br />
#:<code>TCPAddr 127.0.0.1</code><br />
#:<code>...</code><br />
#:<br /><br />
#: Add “clamd” to pkg_scripts in /etc/rc.conf.local and then start clamd. Check netstat -na -f inet to see if clamd is running on 127.0.0.1:3310. Check out both /etc/freshclam.conf and /etc/clamd.conf to look at logging options or actions (in VirusEvent) to take when a virus is found. Can set it up so it drops an email into root's mailbox when a virus is found.<br />
# Now, set up clamsmtp, which is a proxy for clamd. Two config files will be used, one for incoming mail and one for outgoing mail. OpenSMTPD will accept mail, send it to clamsmtp on one port for incoming mail (10025) and a different port (10027) for outgoing mail. Clamsmtp will run the mail through clamd, and then return it to OpenSMTPD for incoming mail (10026) or outgoing mail (10028). Depending on which port the mail is returned to, OpenSMTPD will tag it CLAM_IN or CLAM_OUT.<br />
#: So copy /etc/clamsmtpd.conf and create /etc/clamsmtpd-in.conf and /etc/clamsmtpd-out.conf. Modify the files like so:<br />
#:<code># cat /etc/clamsmtpd-in.conf</code><br />
#:<code>OutAddress: 10026</code><br />
#:<code>...</code><br />
#:<code>Listen: 0.0.0.0:10025</code><br />
#:<code>...</code><br />
#:<code>ClamAddress: 127.0.0.1:3310</code><br />
#:<code>...</code><br />
#:<br /><br />
#:<code># cat /etc/clamsmtpd-out.conf</code><br />
#:<code>OutAddress: 10028</code><br />
#:<code>...</code><br />
#:<code>Listen: 0.0.0.0:10027</code><br />
#:<code>...</code><br />
#:<code>ClamAddress: 127.0.0.1:3310</code><br />
#:<code>...</code><br />
#:<br /><br />
# Start them both:<br />
#:<code># /usr/local/sbin/clamsmtpd -f /etc/clamsmtpd-in.conf</code><br />
#:<code># /usr/local/sbin/clamsmtpd -f /etc/clamsmtpd-out.conf</code><br />
#:<br /><br />
#:(add something similar to /etc/rc.local so they start at boot)<br />
# Edit /etc/mail/smtpd.conf so it looks like this:<br />
#:<code># cat /etc/mail/smtpd.conf</code><br />
#:<br /><br />
#:<code>pki mail.example.com certificate "/etc/ssl/mail.example.com.crt"</code><br />
#:<code>pki mail.example.com key "/etc/ssl/private/mail.example.com.key"</code><br />
#:<br /><br />
#:<code>listen on lo0</code><br />
#:<code>listen on lo0 port 10026 tag CLAM_IN # incoming mail</code><br />
#:<code>listen on lo0 port 10028 tag CLAM_OUT # outgoing mail</code><br />
#:<code>listen on egress tls pki mail.example.com auth-optional</code><br />
#:<code>listen on egress port submission tls-require pki mail.example.com auth</code><br />
#:<br /><br />
#:<code>table aliases db:/etc/mail/aliases.db</code><br />
#:<code>table vusers file:/etc/mail/vusers</code><br />
#:<code>table vdomains file:/etc/mail/vdomains</code><br />
#:<br /><br />
#:<code>accept for local alias <aliases> deliver to maildir</code><br />
#:<br /><br />
#:<code># tagged mail returned from clamsmtpd either deliver or relay</code><br />
#:<code>accept tagged CLAM_IN for domain <vdomains> virtual <vusers> deliver to maildir</code><br />
#:<code>accept tagged CLAM_OUT for any relay</code><br />
#:<br /><br />
#:<code># start here - untagged mail is sent to clamsmtpd</code><br />
#:<code>accept from any for domain <vdomains> relay via smtp://127.0.0.1:10025 # incoming mail</code><br />
#:<code>accept from local for any relay via smtp://127.0.0.1:10027 # outgoing mail</code><br />
#:<br /><br />
#: So here is what's happening:<br />
#: '''Incoming mail''':<br />
#: pf -> relay to spamd -> send to opensmtpd on lo0 -> relay untagged mail to clamsmtpd on port 10025 -> relay to clamd on port 3310 -> return to clamsmtpd -> return to opensmtpd on lo0 port 10026 and tag it CLAM_IN -> deliver to maildir<br />
#:<br /><br />
#: '''Outoing mail''':<br />
#: opensmtpd on lo0 -> relay untagged mail to clamsmtpd on port 10027 -> relay to clamd on port 3310 -> return to clamsmtpd -> return to opensmtpd on lo0 port 10028 and tag it CLAM_OUT -> relay out<br />
# Send some emails both ways. This should be in the header:<br />
#:<code>X-Virus-Scanned: ClamAV using ClamSMTP</code><br />
#:<br /><br />
<br />
= SpamAssassin and SpamPD =<br />
<br />
<br />
= Примечания =</div>Sshhttp://www.qbsd.ru/index.php?title=%D0%9F%D0%BE%D1%87%D1%82%D0%BE%D0%B2%D1%8B%D0%B9_%D1%81%D0%B5%D1%80%D0%B2%D0%B5%D1%80_%D0%BD%D0%B0_%D0%B1%D0%B0%D0%B7%D0%B5_OpenBSD_6.0&diff=469Почтовый сервер на базе OpenBSD 6.02016-09-15T02:28:53Z<p>Ssh: /* ClamAV and ClamSMTP */</p>
<hr />
<div>= Вступление =<br />
Перевод [http://technoquarter.blogspot.ru/2015/02/openbsd-mail-server.html статьи] Chess Griffin с небольшим количеством комментариев от переводчика, в основном связанных с тем, что с момента релиза [http://www.openbsd.org/56.html OpenBSD 5.6], система стала еще [http://www.openbsd.org/60.html лучше!]<br />
<br />
== Цель ==<br />
Создать достаточно безопасный почтовый сервер на базе OpenBSD и нескольких пакетов. OpenSMTPD, spamd, pf и httpd входят в состав базовой системы. Дополнительно потребуются [https://www.clamav.net ClamAV], [http://thewalter.net/stef/software/clamsmtp ClamSMTP], [http://spamassassin.apache.org SpamAssassin], [http://www.worlddesign.com/Content/rd/mta/spampd/spampd.html SpamPD], [http://dkimproxy.sourceforge.net DKIMproxy], [http://www.dovecot.org Dovecot], [http://pigeonhole.dovecot.org Dovecot-Pigeonhole] и [https://roundcube.net Roundcube].<br />
<br />
== Окончательный результат ==<br />
=== Обработка входящих сообщений ===<br />
pf -> spamd -> opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> spampd -> SpamAssassin -> spampd -> opensmtpd -> deliver to dovecot/lmtp<br />
<br />
=== Обработка исходящих сообщений ===<br />
opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> dkimproxy -> opensmtpd -> relay out<br />
<br />
=== Дополнительно ===<br />
Доступ посредством IMAP (SSL): Dovecot<br />
<br />
Доступ к почте через веб-интерфейса (SSL): httpd и Roundcube<br />
<br />
== Почему OpenBSD? ==<br />
Это прекрасная операционная система, созданная и поддерживаемая многими умными людьми. Кроме того, мне нравится, что большое количество великолепного программного обеспечения включено в базовую систему. Если вы найдёте это руководство полезным или откроете как восхитительна OpenBSD, пожалуйста подумайте над тем, чтобы поддержать проект - это может быть приобретение набора компакт дисков <ref>С релиза 6.1, OpenBSD [http://undeadly.org/cgi?action=article&sid=20160901090415 не будет распространяться на CD], но вы по прежнему можете [https://www.openbsdstore.com/cgi-bin/live/ecommerce.pl?site=shop_openbsdeurope_com&state=department приобрести] различные предметы с символикой OpenBSD. прим. переводчика</ref> или сделав [http://www.openbsd.org/donations.html пожертвование]. Команда разработчиков OpenBSD отлично выполняет свою работу, которая приносит пользу всему сообществу и ваша поддержка не будет лишней!<br />
<br />
== Зачем SpamAssassin в дополнение к spamd? ==<br />
<br />
Spamd отлично работает, не создавая лишней нагрузки. Он отлавливает большую часть моего спама (более 95%), так что я почти решил отказаться от возни со SpamAssassin. Но подумав, решил что будет интересно попробовать интегрировать их оба.<br />
<br />
== Почему не <вставьте имя любимой операционной системы или программы>? ==<br />
<br />
Никогда не слышал об этом. ;-)<br />
<br />
== Why bother with setting up your own email server to begin with? Why not just keep using Gmail? ==<br />
<br />
I used to run my own email server back when I hosted the Linux Reality podcast and decided it would be a fun exercise to try it again. The email server I set up using the steps in this guide might become my primary email server. Or, I might take the server down tomorrow and go back to using AOL and working on my Geocities page. Who knows?<br />
<br />
== Assumptions: ==<br />
<br />
This guide assumes an understanding of how to install and configure OpenBSD and an understanding of networking and email, both in general and in regards to OpenBSD in particular. Additionally, this guide assumes an understanding of how to install packages with a properly configured $PKG_PATH, how to work from the command line and edit configuration files, how to change DNS records and MX records, and other general nuts and bolts. These kinds of basic topics will not be covered in this guide.<br />
<br />
== Disclaimer: ==<br />
<br />
I am an ordinary OpenBSD user. I am not a sysadmin, developer, programmer, kung-fu master, or expert in any of these areas. This guide is mainly a writeup for myself so I can replicate these steps in the future. If someone finds it helpful, fine, but it is by no means the only way or even the best way to configure an email server. There are most likely mistakes in this guide, so take it for what it's worth and YMMV. If your email breaks because of this guide, then don't run your own email server. Feedback and corrections are welcome.<br />
<br />
== Updates: ==<br />
<br />
Updated the last line of example smtpd.conf from "for any" to "for domain <vdomains>". Thanks to Christoph on the opensmtpd-misc mailing list.<br />
Removed bit about enabling pf since it's enabled by default. Duh. Also changed notations of port 587 to 'submission' which is the name of that port in /etc/services. Thanks to rjc.<br />
<br />
== Resources: ==<br />
* OpenBSD FAQ (required)<br />
* OpenBSD man pages (required)<br />
* OpenSMTPD wiki<br />
* Helpful thread on OpenSMTPD mailing list re: tagging and proxying<br />
* http://www.kernel-panic.it/openbsd/mail/ (the bits about ClamAV and SpamAssassing are helpful)<br />
* https://coderwall.com/p/eejzja/simple-smtp-server-with-opensmtpd<br />
* http://blog.ehouse.io/mail-server-basic-smtp.html<br />
* http://blog.admiral0.it/computing/mail-server-with-opensmtpd-dovecot-and-amavisdspamassassin<br />
<br /><br />
<br />
= Initial Setup =<br />
<br />
# Install OpenBSD 5.6. If using the auto-partitioner, make sure enough space is allocated to /usr and /usr/src to allow for extracting the sources (below). Edit /etc/rc.conf.local and add “-s” to ntpd_flags so time is set at boot if desired.<br />
# Add a rule to default /etc/pf.conf to allow incoming ssh connections, such as:<br />
#:<code># cat /etc/pf.conf<br />&hellip;<br />pass in on egress proto tcp to any port ssh<br />&hellip;</code><br />
# Reload pf with:<br />
#:<code># pfctl -f /etc/pf.conf</code><br />
# Update the system by [http://www.openbsd.org/faq/faq5.html#BldGetSrc fetching the sources] via ftp and [http://www.openbsd.org/errata60.html patching].<br />
# Set up $PKG_PATH to install packages.<br />
# Configure MX records etc. at domain registrar, perhaps with an unused domain for testing purposes.<br /><br /><br />
<br />
= OpenSMTPD и spamd =<br />
# Read the man page for smtpd and smtpd.conf and review the configuration files.<br />
# Set up virtual users and virtual domains:<br />
#:<code># cat /etc/mail/vusers</code><br />
#:<code>joe@example.com joe</code><br />
#:<code>@example.com joe</code><br />
#:<code>joe@example.net joe</code><br />
#:<code>@example.net joe</code><br />
#:<br /><br />
#:<code># cat /etc/mail/vdomains</code><br />
#:<code>example.com</code><br />
#:<code>example.net</code><br />
#:<br /><br />
# Create SSL certificates as described in man 5 smtpd.conf:<br />
#:<code># openssl genrsa -out /etc/ssl/private/mail.example.com.key 4096</code><br />
#:<code># openssl req -new -x509 -key /etc/ssl/private/mail.example.com.key -out /etc/ssl/mail.example.com.crt -days 365</code><br />
#:<code># chmod 600 /etc/ssl/mail.example.com.crt</code><br />
#:<code># chmod 600 /etc/ssl/private/mail.example.com.key</code><br />
#:<br /><br />
# Create ~/Maildir for user ("joe" in this example).<br />
# Edit /etc/mail/smtpd.conf so it listens on egress with tls (for incoming mail) and egress port 587 (submission) with tls and authentication (for outgoing mail), accepts mail for virtual users and virtual domains, and delivers this mail to Maildir. Note that the smtpd.conf man page clearly says: "For each message processed by the daemon, the filter rules are evaluated in sequential order, from first to last. The first matching rule decides what action is taken." Therefore, the order of the rules in smtpd.conf is very important and will become more important as additional bits are added (e.g. for clamsmtp, spampd, and dkimproxy).<br />
#:<code># cat /etc/mail/smtpd.conf</code><br />
#:<code>pki mail.example.com certificate "/etc/ssl/mail.example.com.crt"</code><br />
#:<code>pki mail.example.com key "/etc/ssl/private/mail.example.com.key"</code><br />
#:<br /><br />
#:<code>listen on lo0</code><br />
#:<code>listen on egress tls pki mail.example.com auth-optional</code><br />
#:<code>listen on egress port submission tls-require pki mail.example.com auth</code><br />
#:<br /><br />
#:<code>table aliases db:/etc/mail/aliases.db</code><br />
#:<code>table vusers file:/etc/mail/vusers</code><br />
#:<code>table vdomains file:/etc/mail/vdomains</code><br />
#:<br /><br />
#:<code>accept for local alias <aliases> deliver to maildir</code><br />
#:<br /><br />
#:<code>accept from any for domain <vdomains> virtual <vusers> deliver to maildir</code><br />
#:<code>accept from local for any relay</code><br />
#:<br /><br />
# Edit pf.conf to allow connections on smtp port 25 and port 587, such as:<br />
#:<code># cat /etc/pf.conf</code><br />
#:<code>...</code><br />
#:<code>pass in on egress proto tcp to any port smtp</code><br />
#:<code>pass in on egress proto tcp to any port submission</code><br />
#:<code>...</code><br />
#:<br /><br />
# Reload pf and start /etc/rc.d/smtpd.<br />
# Test sending mail to/from the user's account. Since there is no imap client yet, might want to install mutt or something similar and point to the user's ~/Maildir to check incoming mail. The user should be able to connect to OpenSMTPD on port 587 from an outside client to send mail through OpenSMTPD to another party. Sending outbound mail from the command line should also work. Perhaps telnet into the server or run a couple of SMTP checks against the server like this one to verify things are working correctly. The session transcript should look something like this:<br />
#:<code>Connecting to 123.456.789.000</code><br />
#:<br /><br />
#:<code>220 mail.example.com ESMTP OpenSMTPD [624 ms]</code><br />
#:<code>EHLO MXTB-PWS3.mxtoolbox.com</code><br />
#:<code>250-mail.example.com Hello MXTB-PWS3.mxtoolbox.com [64.20.227.133], pleased to meet you</code><br />
#:<code>250-8BITMIME</code><br />
#:<code>250-ENHANCEDSTATUSCODES</code><br />
#:<code>250-SIZE 36700160</code><br />
#:<code>250-DSN</code><br />
#:<code>250-STARTTLS</code><br />
#:<code>250 HELP [640 ms]</code><br />
#:<code>MAIL FROM: <supertool@mxtoolbox.com></code><br />
#:<code>250 2.0.0: Ok [640 ms]</code><br />
#:<code>RCPT TO: <test@example.com></code><br />
#:<code>550 Invalid recipient [640 ms]</code><br />
#:<br /><br />
#:<code>MXTB-PWS3v2 3260ms</code><br />
#:<br /><br />
# If that works, set up spamd. This is a very simple and standard setup and there are lots of resources out there on how to do this, but here is the shorthand: Add spamd_flags=”-v” to /etc/rc.conf.local. Edit /etc/mail/spamd.conf to add override/whitelist if desired (file /etc/mail/nospamd in sample pf rules). Add spamd pf rules from example /etc/pf.conf and comment out prior rule that passed smtp on egress (because now we want incoming mail to be redirected to spamd running on localhost port 8025):<br />
#:<code># cat /etc/pf.conf</code><br />
#:<br /><br />
#:<code>...</code><br />
#:<code>#pass in on egress proto tcp to any port smtp</code><br />
#:<code>pass in on egress proto tcp to any port submission</code><br />
#:<code># rules for spamd(8)</code><br />
#:<code>table <spamd-white> persist</code><br />
#:<code>table <nospamd> persist file "/etc/mail/nospamd"</code><br />
#:<code>pass in on egress proto tcp from any to any port smtp rdr-to 127.0.0.1 port spamd</code><br />
#:<code>pass in on egress proto tcp from <nospamd> to any port smtp</code><br />
#:<code>pass in log on egress proto tcp from <spamd-white> to any port smtp</code><br />
#:<code> pass out log on egress proto tcp to any port smtp</code><br />
#:<code>...</code><br />
#:<br /><br />
#:Reload pf and start /etc/rc.d/spamd. Check netstat to see if spamd is listening on port 8025:<br />
#:<code># netstat -na -f inet</code><br />
#:<br /><br />
# Send test emails again and check logs and 'spamdb' to see if email is getting greylisted. Once spamd is working, those third-party SMTP checks won't work because spamd is intercepting incoming mail. Same with telnet, if you can stand waiting for the stuttering. ;-) Anyway, now the session transcript should look something like this:<br />
#:<code>Connecting to 123.456.789.000</code><br />
#:<br /> <br />
#:<code>220 mail.example.com ESMTP spamd IP-based SPAM blocker; Sat Jan 31 11:33:21 2015 [11716 ms]</code><br />
#:<code>EHLO MXTB-PWS3.mxtoolbox.com</code><br />
#:<code>250 Hello, spam sender. Pleased to be wasting your time. [640 ms]</code><br />
#:<code>MAIL FROM: <supertool@mxtoolbox.com></code><br />
#:<code>250 You are about to try to deliver spam. Your time will be spent, for nothing. [640 ms]</code><br />
#:<code>RCPT TO: <test@example.com></code><br />
#:<code>250 This is hurting you more than it is hurting me. [640 ms]</code><br />
#:<br /> <br />
#:<code>MXTB-PWS3v2 14602ms</code><br />
#:<br /><br />
#:Haha. Love spamd.<br />
# So here is what's happening:<br />
#:<br />
#:'''Incoming mail''':<br />
#:pf -> relay to spamd -> send to opensmtpd on lo0 -> deliver to maildir<br />
#:<br /><br />
#:'''Outoing mail''':<br />
#:opensmtpd on lo0 -> relay out<br />
<br />
= ClamAV and ClamSMTP =<br />
# Install clamav and clamsmtp from packages.<br />
# Edit /etc/freshclam.conf -- comment out the “Example” line and uncomment the "DatabaseMirror" line and add the relevant country code in place of the "XY."<br />
#:<code># cat /etc/freshclam.conf</code><br />
#:<code>#Example</code><br />
#:<code>...</code><br />
#:<code>DatabaseMirror db.us.clamav.net</code><br />
#:<code>...</code><br />
#:<br /><br />
#:Run ‘freshclam’ to update the database. Add a freshclam command to root’s crontab to have periodic updates:<br />
#:<code>20 * * * * /usr/local/bin/freshclam >/dev/null 2>&1</code><br />
#:<br /><br />
# Once freshclam has updated the database, edit /etc/clamd.conf. Comment out the “Example” line, uncomment “TCPSocket” and “TCPAddr” lines and change them so clamd listens on port 3310 at 127.0.0.1.<br />
#:<code># cat /etc/clamd.conf</code><br />
#:<code>#Example</code><br />
#:<code>...</code><br />
#:<code>TCPSocket 3310</code><br />
#:<code>...</code><br />
#:<code>TCPAddr 127.0.0.1</code><br />
#:<code>...</code><br />
#:<br /><br />
#: Add “clamd” to pkg_scripts in /etc/rc.conf.local and then start clamd. Check netstat -na -f inet to see if clamd is running on 127.0.0.1:3310. Check out both /etc/freshclam.conf and /etc/clamd.conf to look at logging options or actions (in VirusEvent) to take when a virus is found. Can set it up so it drops an email into root's mailbox when a virus is found.<br />
# Now, set up clamsmtp, which is a proxy for clamd. Two config files will be used, one for incoming mail and one for outgoing mail. OpenSMTPD will accept mail, send it to clamsmtp on one port for incoming mail (10025) and a different port (10027) for outgoing mail. Clamsmtp will run the mail through clamd, and then return it to OpenSMTPD for incoming mail (10026) or outgoing mail (10028). Depending on which port the mail is returned to, OpenSMTPD will tag it CLAM_IN or CLAM_OUT.<br />
#: So copy /etc/clamsmtpd.conf and create /etc/clamsmtpd-in.conf and /etc/clamsmtpd-out.conf. Modify the files like so:<br />
#:<code># cat /etc/clamsmtpd-in.conf</code><br />
#:<code>OutAddress: 10026</code><br />
#:<code>...</code><br />
#:<code>Listen: 0.0.0.0:10025</code><br />
#:<code>...</code><br />
#:<code>ClamAddress: 127.0.0.1:3310</code><br />
#:<code>...</code><br />
#:<br /><br />
#:<code># cat /etc/clamsmtpd-out.conf</code><br />
#:<code>OutAddress: 10028</code><br />
#:<code>...</code><br />
#:<code>Listen: 0.0.0.0:10027</code><br />
#:<code>...</code><br />
#:<code>ClamAddress: 127.0.0.1:3310</code><br />
#:<code>...</code><br />
#:<br /><br />
# Start them both:<br />
#:<code># /usr/local/sbin/clamsmtpd -f /etc/clamsmtpd-in.conf</code><br />
#:<code># /usr/local/sbin/clamsmtpd -f /etc/clamsmtpd-out.conf</code><br />
#:<br /><br />
#:(add something similar to /etc/rc.local so they start at boot)<br />
# Edit /etc/mail/smtpd.conf so it looks like this:<br />
#:<code># cat /etc/mail/smtpd.conf</code><br />
#:<br /><br />
#:<code>pki mail.example.com certificate "/etc/ssl/mail.example.com.crt"</code><br />
#:<code>pki mail.example.com key "/etc/ssl/private/mail.example.com.key"</code><br />
#:<br /><br />
#:<code>listen on lo0</code><br />
#:<code>listen on lo0 port 10026 tag CLAM_IN # incoming mail</code><br />
#:<code>listen on lo0 port 10028 tag CLAM_OUT # outgoing mail</code><br />
#:<code>listen on egress tls pki mail.example.com auth-optional</code><br />
#:<code>listen on egress port submission tls-require pki mail.example.com auth</code><br />
#:<br /><br />
#:<code>table aliases db:/etc/mail/aliases.db</code><br />
#:<code>table vusers file:/etc/mail/vusers</code><br />
#:<code>table vdomains file:/etc/mail/vdomains</code><br />
#:<br /><br />
#:<code>accept for local alias <aliases> deliver to maildir</code><br />
#:<br /><br />
#:<code># tagged mail returned from clamsmtpd either deliver or relay</code><br />
#:<code>accept tagged CLAM_IN for domain <vdomains> virtual <vusers> deliver to maildir</code><br />
#:<code>accept tagged CLAM_OUT for any relay</code><br />
#:<br /><br />
#:<code># start here - untagged mail is sent to clamsmtpd</code><br />
#:<code>accept from any for domain <vdomains> relay via smtp://127.0.0.1:10025 # incoming mail</code><br />
#:<code>accept from local for any relay via smtp://127.0.0.1:10027 # outgoing mail</code><br />
#:<br /><br />
#: So here is what's happening:<br />
#: '''Incoming mail''':<br />
#: pf -> relay to spamd -> send to opensmtpd on lo0 -> relay untagged mail to clamsmtpd on port 10025 -> relay to clamd on port 3310 -> return to clamsmtpd -> return to opensmtpd on lo0 port 10026 and tag it CLAM_IN -> deliver to maildir<br />
#:<br /><br />
#: '''Outoing mail''':<br />
#: opensmtpd on lo0 -> relay untagged mail to clamsmtpd on port 10027 -> relay to clamd on port 3310 -> return to clamsmtpd -> return to opensmtpd on lo0 port 10028 and tag it CLAM_OUT -> relay out<br />
# Send some emails both ways. This should be in the header:<br />
#:<code>X-Virus-Scanned: ClamAV using ClamSMTP</code><br />
#:<br /><br />
<br />
= Примечания =</div>Sshhttp://www.qbsd.ru/index.php?title=%D0%9F%D0%BE%D1%87%D1%82%D0%BE%D0%B2%D1%8B%D0%B9_%D1%81%D0%B5%D1%80%D0%B2%D0%B5%D1%80_%D0%BD%D0%B0_%D0%B1%D0%B0%D0%B7%D0%B5_OpenBSD_6.0&diff=468Почтовый сервер на базе OpenBSD 6.02016-09-15T02:17:05Z<p>Ssh: </p>
<hr />
<div>= Вступление =<br />
Перевод [http://technoquarter.blogspot.ru/2015/02/openbsd-mail-server.html статьи] Chess Griffin с небольшим количеством комментариев от переводчика, в основном связанных с тем, что с момента релиза [http://www.openbsd.org/56.html OpenBSD 5.6], система стала еще [http://www.openbsd.org/60.html лучше!]<br />
<br />
== Цель ==<br />
Создать достаточно безопасный почтовый сервер на базе OpenBSD и нескольких пакетов. OpenSMTPD, spamd, pf и httpd входят в состав базовой системы. Дополнительно потребуются [https://www.clamav.net ClamAV], [http://thewalter.net/stef/software/clamsmtp ClamSMTP], [http://spamassassin.apache.org SpamAssassin], [http://www.worlddesign.com/Content/rd/mta/spampd/spampd.html SpamPD], [http://dkimproxy.sourceforge.net DKIMproxy], [http://www.dovecot.org Dovecot], [http://pigeonhole.dovecot.org Dovecot-Pigeonhole] и [https://roundcube.net Roundcube].<br />
<br />
== Окончательный результат ==<br />
=== Обработка входящих сообщений ===<br />
pf -> spamd -> opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> spampd -> SpamAssassin -> spampd -> opensmtpd -> deliver to dovecot/lmtp<br />
<br />
=== Обработка исходящих сообщений ===<br />
opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> dkimproxy -> opensmtpd -> relay out<br />
<br />
=== Дополнительно ===<br />
Доступ посредством IMAP (SSL): Dovecot<br />
<br />
Доступ к почте через веб-интерфейса (SSL): httpd и Roundcube<br />
<br />
== Почему OpenBSD? ==<br />
Это прекрасная операционная система, созданная и поддерживаемая многими умными людьми. Кроме того, мне нравится, что большое количество великолепного программного обеспечения включено в базовую систему. Если вы найдёте это руководство полезным или откроете как восхитительна OpenBSD, пожалуйста подумайте над тем, чтобы поддержать проект - это может быть приобретение набора компакт дисков <ref>С релиза 6.1, OpenBSD [http://undeadly.org/cgi?action=article&sid=20160901090415 не будет распространяться на CD], но вы по прежнему можете [https://www.openbsdstore.com/cgi-bin/live/ecommerce.pl?site=shop_openbsdeurope_com&state=department приобрести] различные предметы с символикой OpenBSD. прим. переводчика</ref> или сделав [http://www.openbsd.org/donations.html пожертвование]. Команда разработчиков OpenBSD отлично выполняет свою работу, которая приносит пользу всему сообществу и ваша поддержка не будет лишней!<br />
<br />
== Зачем SpamAssassin в дополнение к spamd? ==<br />
<br />
Spamd отлично работает, не создавая лишней нагрузки. Он отлавливает большую часть моего спама (более 95%), так что я почти решил отказаться от возни со SpamAssassin. Но подумав, решил что будет интересно попробовать интегрировать их оба.<br />
<br />
== Почему не <вставьте имя любимой операционной системы или программы>? ==<br />
<br />
Никогда не слышал об этом. ;-)<br />
<br />
== Why bother with setting up your own email server to begin with? Why not just keep using Gmail? ==<br />
<br />
I used to run my own email server back when I hosted the Linux Reality podcast and decided it would be a fun exercise to try it again. The email server I set up using the steps in this guide might become my primary email server. Or, I might take the server down tomorrow and go back to using AOL and working on my Geocities page. Who knows?<br />
<br />
== Assumptions: ==<br />
<br />
This guide assumes an understanding of how to install and configure OpenBSD and an understanding of networking and email, both in general and in regards to OpenBSD in particular. Additionally, this guide assumes an understanding of how to install packages with a properly configured $PKG_PATH, how to work from the command line and edit configuration files, how to change DNS records and MX records, and other general nuts and bolts. These kinds of basic topics will not be covered in this guide.<br />
<br />
== Disclaimer: ==<br />
<br />
I am an ordinary OpenBSD user. I am not a sysadmin, developer, programmer, kung-fu master, or expert in any of these areas. This guide is mainly a writeup for myself so I can replicate these steps in the future. If someone finds it helpful, fine, but it is by no means the only way or even the best way to configure an email server. There are most likely mistakes in this guide, so take it for what it's worth and YMMV. If your email breaks because of this guide, then don't run your own email server. Feedback and corrections are welcome.<br />
<br />
== Updates: ==<br />
<br />
Updated the last line of example smtpd.conf from "for any" to "for domain <vdomains>". Thanks to Christoph on the opensmtpd-misc mailing list.<br />
Removed bit about enabling pf since it's enabled by default. Duh. Also changed notations of port 587 to 'submission' which is the name of that port in /etc/services. Thanks to rjc.<br />
<br />
== Resources: ==<br />
* OpenBSD FAQ (required)<br />
* OpenBSD man pages (required)<br />
* OpenSMTPD wiki<br />
* Helpful thread on OpenSMTPD mailing list re: tagging and proxying<br />
* http://www.kernel-panic.it/openbsd/mail/ (the bits about ClamAV and SpamAssassing are helpful)<br />
* https://coderwall.com/p/eejzja/simple-smtp-server-with-opensmtpd<br />
* http://blog.ehouse.io/mail-server-basic-smtp.html<br />
* http://blog.admiral0.it/computing/mail-server-with-opensmtpd-dovecot-and-amavisdspamassassin<br />
<br /><br />
<br />
= Initial Setup =<br />
<br />
# Install OpenBSD 5.6. If using the auto-partitioner, make sure enough space is allocated to /usr and /usr/src to allow for extracting the sources (below). Edit /etc/rc.conf.local and add “-s” to ntpd_flags so time is set at boot if desired.<br />
# Add a rule to default /etc/pf.conf to allow incoming ssh connections, such as:<br />
#:<code># cat /etc/pf.conf<br />&hellip;<br />pass in on egress proto tcp to any port ssh<br />&hellip;</code><br />
# Reload pf with:<br />
#:<code># pfctl -f /etc/pf.conf</code><br />
# Update the system by [http://www.openbsd.org/faq/faq5.html#BldGetSrc fetching the sources] via ftp and [http://www.openbsd.org/errata60.html patching].<br />
# Set up $PKG_PATH to install packages.<br />
# Configure MX records etc. at domain registrar, perhaps with an unused domain for testing purposes.<br /><br /><br />
<br />
= OpenSMTPD и spamd =<br />
# Read the man page for smtpd and smtpd.conf and review the configuration files.<br />
# Set up virtual users and virtual domains:<br />
#:<code># cat /etc/mail/vusers</code><br />
#:<code>joe@example.com joe</code><br />
#:<code>@example.com joe</code><br />
#:<code>joe@example.net joe</code><br />
#:<code>@example.net joe</code><br />
#:<br /><br />
#:<code># cat /etc/mail/vdomains</code><br />
#:<code>example.com</code><br />
#:<code>example.net</code><br />
#:<br /><br />
# Create SSL certificates as described in man 5 smtpd.conf:<br />
#:<code># openssl genrsa -out /etc/ssl/private/mail.example.com.key 4096</code><br />
#:<code># openssl req -new -x509 -key /etc/ssl/private/mail.example.com.key -out /etc/ssl/mail.example.com.crt -days 365</code><br />
#:<code># chmod 600 /etc/ssl/mail.example.com.crt</code><br />
#:<code># chmod 600 /etc/ssl/private/mail.example.com.key</code><br />
#:<br /><br />
# Create ~/Maildir for user ("joe" in this example).<br />
# Edit /etc/mail/smtpd.conf so it listens on egress with tls (for incoming mail) and egress port 587 (submission) with tls and authentication (for outgoing mail), accepts mail for virtual users and virtual domains, and delivers this mail to Maildir. Note that the smtpd.conf man page clearly says: "For each message processed by the daemon, the filter rules are evaluated in sequential order, from first to last. The first matching rule decides what action is taken." Therefore, the order of the rules in smtpd.conf is very important and will become more important as additional bits are added (e.g. for clamsmtp, spampd, and dkimproxy).<br />
#:<code># cat /etc/mail/smtpd.conf</code><br />
#:<code>pki mail.example.com certificate "/etc/ssl/mail.example.com.crt"</code><br />
#:<code>pki mail.example.com key "/etc/ssl/private/mail.example.com.key"</code><br />
#:<br /><br />
#:<code>listen on lo0</code><br />
#:<code>listen on egress tls pki mail.example.com auth-optional</code><br />
#:<code>listen on egress port submission tls-require pki mail.example.com auth</code><br />
#:<br /><br />
#:<code>table aliases db:/etc/mail/aliases.db</code><br />
#:<code>table vusers file:/etc/mail/vusers</code><br />
#:<code>table vdomains file:/etc/mail/vdomains</code><br />
#:<br /><br />
#:<code>accept for local alias <aliases> deliver to maildir</code><br />
#:<br /><br />
#:<code>accept from any for domain <vdomains> virtual <vusers> deliver to maildir</code><br />
#:<code>accept from local for any relay</code><br />
#:<br /><br />
# Edit pf.conf to allow connections on smtp port 25 and port 587, such as:<br />
#:<code># cat /etc/pf.conf</code><br />
#:<code>...</code><br />
#:<code>pass in on egress proto tcp to any port smtp</code><br />
#:<code>pass in on egress proto tcp to any port submission</code><br />
#:<code>...</code><br />
#:<br /><br />
# Reload pf and start /etc/rc.d/smtpd.<br />
# Test sending mail to/from the user's account. Since there is no imap client yet, might want to install mutt or something similar and point to the user's ~/Maildir to check incoming mail. The user should be able to connect to OpenSMTPD on port 587 from an outside client to send mail through OpenSMTPD to another party. Sending outbound mail from the command line should also work. Perhaps telnet into the server or run a couple of SMTP checks against the server like this one to verify things are working correctly. The session transcript should look something like this:<br />
#:<code>Connecting to 123.456.789.000</code><br />
#:<br /><br />
#:<code>220 mail.example.com ESMTP OpenSMTPD [624 ms]</code><br />
#:<code>EHLO MXTB-PWS3.mxtoolbox.com</code><br />
#:<code>250-mail.example.com Hello MXTB-PWS3.mxtoolbox.com [64.20.227.133], pleased to meet you</code><br />
#:<code>250-8BITMIME</code><br />
#:<code>250-ENHANCEDSTATUSCODES</code><br />
#:<code>250-SIZE 36700160</code><br />
#:<code>250-DSN</code><br />
#:<code>250-STARTTLS</code><br />
#:<code>250 HELP [640 ms]</code><br />
#:<code>MAIL FROM: <supertool@mxtoolbox.com></code><br />
#:<code>250 2.0.0: Ok [640 ms]</code><br />
#:<code>RCPT TO: <test@example.com></code><br />
#:<code>550 Invalid recipient [640 ms]</code><br />
#:<br /><br />
#:<code>MXTB-PWS3v2 3260ms</code><br />
#:<br /><br />
# If that works, set up spamd. This is a very simple and standard setup and there are lots of resources out there on how to do this, but here is the shorthand: Add spamd_flags=”-v” to /etc/rc.conf.local. Edit /etc/mail/spamd.conf to add override/whitelist if desired (file /etc/mail/nospamd in sample pf rules). Add spamd pf rules from example /etc/pf.conf and comment out prior rule that passed smtp on egress (because now we want incoming mail to be redirected to spamd running on localhost port 8025):<br />
#:<code># cat /etc/pf.conf</code><br />
#:<br /><br />
#:<code>...</code><br />
#:<code>#pass in on egress proto tcp to any port smtp</code><br />
#:<code>pass in on egress proto tcp to any port submission</code><br />
#:<code># rules for spamd(8)</code><br />
#:<code>table <spamd-white> persist</code><br />
#:<code>table <nospamd> persist file "/etc/mail/nospamd"</code><br />
#:<code>pass in on egress proto tcp from any to any port smtp rdr-to 127.0.0.1 port spamd</code><br />
#:<code>pass in on egress proto tcp from <nospamd> to any port smtp</code><br />
#:<code>pass in log on egress proto tcp from <spamd-white> to any port smtp</code><br />
#:<code> pass out log on egress proto tcp to any port smtp</code><br />
#:<code>...</code><br />
#:<br /><br />
#:Reload pf and start /etc/rc.d/spamd. Check netstat to see if spamd is listening on port 8025:<br />
#:<code># netstat -na -f inet</code><br />
#:<br /><br />
# Send test emails again and check logs and 'spamdb' to see if email is getting greylisted. Once spamd is working, those third-party SMTP checks won't work because spamd is intercepting incoming mail. Same with telnet, if you can stand waiting for the stuttering. ;-) Anyway, now the session transcript should look something like this:<br />
#:<code>Connecting to 123.456.789.000</code><br />
#:<br /> <br />
#:<code>220 mail.example.com ESMTP spamd IP-based SPAM blocker; Sat Jan 31 11:33:21 2015 [11716 ms]</code><br />
#:<code>EHLO MXTB-PWS3.mxtoolbox.com</code><br />
#:<code>250 Hello, spam sender. Pleased to be wasting your time. [640 ms]</code><br />
#:<code>MAIL FROM: <supertool@mxtoolbox.com></code><br />
#:<code>250 You are about to try to deliver spam. Your time will be spent, for nothing. [640 ms]</code><br />
#:<code>RCPT TO: <test@example.com></code><br />
#:<code>250 This is hurting you more than it is hurting me. [640 ms]</code><br />
#:<br /> <br />
#:<code>MXTB-PWS3v2 14602ms</code><br />
#:<br /><br />
#:Haha. Love spamd.<br />
# So here is what's happening:<br />
#:<br />
#:'''Incoming mail''':<br />
#:pf -> relay to spamd -> send to opensmtpd on lo0 -> deliver to maildir<br />
#:<br /><br />
#:'''Outoing mail''':<br />
#:opensmtpd on lo0 -> relay out<br />
<br />
= ClamAV and ClamSMTP =<br />
# Install clamav and clamsmtp from packages.<br />
# Edit /etc/freshclam.conf -- comment out the “Example” line and uncomment the "DatabaseMirror" line and add the relevant country code in place of the "XY."<br />
#:<br /><br />
# cat /etc/freshclam.conf<br />
#Example<br />
...<br />
DatabaseMirror db.us.clamav.net<br />
...<br />
#:<br /><br />
#:Run ‘freshclam’ to update the database. Add a freshclam command to root’s crontab to have periodic updates:<br />
#:<br /><br />
20 * * * * /usr/local/bin/freshclam >/dev/null 2>&1<br />
#:<br /><br />
# Once freshclam has updated the database, edit /etc/clamd.conf. Comment out the “Example” line, uncomment “TCPSocket” and “TCPAddr” lines and change them so clamd listens on port 3310 at 127.0.0.1.<br />
#:<br /><br />
# cat /etc/clamd.conf<br />
#Example<br />
...<br />
TCPSocket 3310<br />
...<br />
TCPAddr 127.0.0.1<br />
...<br />
#:<br /><br />
#:Add “clamd” to pkg_scripts in /etc/rc.conf.local and then start clamd. Check netstat -na -f inet to see if clamd is running on 127.0.0.1:3310. Check out both /etc/freshclam.conf and /etc/clamd.conf to look at logging options or actions (in VirusEvent) to take when a virus is found. Can set it up so it drops an email into root's mailbox when a virus is found.<br />
# Now, set up clamsmtp, which is a proxy for clamd. Two config files will be used, one for incoming mail and one for outgoing mail. OpenSMTPD will accept mail, send it to clamsmtp on one port for incoming mail (10025) and a different port (10027) for outgoing mail. Clamsmtp will run the mail through clamd, and then return it to OpenSMTPD for incoming mail (10026) or outgoing mail (10028). Depending on which port the mail is returned to, OpenSMTPD will tag it CLAM_IN or CLAM_OUT.<br />
#:<br /><br />
#: So copy /etc/clamsmtpd.conf and create /etc/clamsmtpd-in.conf and /etc/clamsmtpd-out.conf. Modify the files like so:<br />
#:<br /><br />
# cat /etc/clamsmtpd-in.conf<br />
OutAddress: 10026<br />
...<br />
Listen: 0.0.0.0:10025<br />
...<br />
ClamAddress: 127.0.0.1:3310<br />
...<br />
#:<br /><br />
# cat /etc/clamsmtpd-out.conf<br />
OutAddress: 10028<br />
...<br />
Listen: 0.0.0.0:10027<br />
...<br />
ClamAddress: 127.0.0.1:3310<br />
...<br />
#:<br /><br />
# Start them both:<br />
# /usr/local/sbin/clamsmtpd -f /etc/clamsmtpd-in.conf<br />
# /usr/local/sbin/clamsmtpd -f /etc/clamsmtpd-out.conf<br />
#:<br /><br />
#:(add something similar to /etc/rc.local so they start at boot)<br />
# Edit /etc/mail/smtpd.conf so it looks like this:<br />
# cat /etc/mail/smtpd.conf<br />
#:<br /><br />
pki mail.example.com certificate "/etc/ssl/mail.example.com.crt"<br />
pki mail.example.com key "/etc/ssl/private/mail.example.com.key"<br />
#:<br /><br />
listen on lo0<br />
listen on lo0 port 10026 tag CLAM_IN # incoming mail<br />
listen on lo0 port 10028 tag CLAM_OUT # outgoing mail<br />
listen on egress tls pki mail.example.com auth-optional<br />
listen on egress port submission tls-require pki mail.example.com auth<br />
#:<br /><br />
table aliases db:/etc/mail/aliases.db<br />
table vusers file:/etc/mail/vusers<br />
table vdomains file:/etc/mail/vdomains<br />
#:<br /><br />
accept for local alias <aliases> deliver to maildir<br />
#:<br /><br />
# tagged mail returned from clamsmtpd either deliver or relay<br />
accept tagged CLAM_IN for domain <vdomains> virtual <vusers> deliver to maildir<br />
accept tagged CLAM_OUT for any relay<br />
#:<br /><br />
# start here - untagged mail is sent to clamsmtpd<br />
accept from any for domain <vdomains> relay via smtp://127.0.0.1:10025 # incoming mail<br />
accept from local for any relay via smtp://127.0.0.1:10027 # outgoing mail<br />
#:<br /><br />
#: So here is what's happening:<br />
#:<br /><br />
#: '''Incoming mail''':<br />
#: pf -> relay to spamd -> send to opensmtpd on lo0 -> relay untagged mail to clamsmtpd on port 10025 -> relay to clamd on port 3310 -> return to clamsmtpd -> return to opensmtpd on lo0 port 10026 and tag it CLAM_IN -> deliver to maildir<br />
#:<br /><br />
#: Outoing mail:<br />
#: opensmtpd on lo0 -> relay untagged mail to clamsmtpd on port 10027 -> relay to clamd on port 3310 -> return to clamsmtpd -> return to opensmtpd on lo0 port 10028 and tag it CLAM_OUT -> relay out<br />
# Send some emails both ways. This should be in the header:<br />
#:<code>X-Virus-Scanned: ClamAV using ClamSMTP<br />
<br />
= Примечания =</div>Sshhttp://www.qbsd.ru/index.php?title=%D0%9F%D0%BE%D1%87%D1%82%D0%BE%D0%B2%D1%8B%D0%B9_%D1%81%D0%B5%D1%80%D0%B2%D0%B5%D1%80_%D0%BD%D0%B0_%D0%B1%D0%B0%D0%B7%D0%B5_OpenBSD_6.0&diff=467Почтовый сервер на базе OpenBSD 6.02016-09-15T02:01:38Z<p>Ssh: /* OpenSMTPD и spamd */</p>
<hr />
<div>= Вступление =<br />
Перевод [http://technoquarter.blogspot.ru/2015/02/openbsd-mail-server.html статьи] Chess Griffin с небольшим количеством комментариев от переводчика, в основном связанных с тем, что с момента релиза [http://www.openbsd.org/56.html OpenBSD 5.6], система стала еще [http://www.openbsd.org/60.html лучше!]<br />
<br />
== Цель ==<br />
Создать достаточно безопасный почтовый сервер на базе OpenBSD и нескольких пакетов. OpenSMTPD, spamd, pf и httpd входят в состав базовой системы. Дополнительно потребуются [https://www.clamav.net ClamAV], [http://thewalter.net/stef/software/clamsmtp ClamSMTP], [http://spamassassin.apache.org SpamAssassin], [http://www.worlddesign.com/Content/rd/mta/spampd/spampd.html SpamPD], [http://dkimproxy.sourceforge.net DKIMproxy], [http://www.dovecot.org Dovecot], [http://pigeonhole.dovecot.org Dovecot-Pigeonhole] и [https://roundcube.net Roundcube].<br />
<br />
== Окончательный результат ==<br />
=== Обработка входящих сообщений ===<br />
pf -> spamd -> opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> spampd -> SpamAssassin -> spampd -> opensmtpd -> deliver to dovecot/lmtp<br />
<br />
=== Обработка исходящих сообщений ===<br />
opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> dkimproxy -> opensmtpd -> relay out<br />
<br />
=== Дополнительно ===<br />
Доступ посредством IMAP (SSL): Dovecot<br />
<br />
Доступ к почте через веб-интерфейса (SSL): httpd и Roundcube<br />
<br />
== Почему OpenBSD? ==<br />
Это прекрасная операционная система, созданная и поддерживаемая многими умными людьми. Кроме того, мне нравится, что большое количество великолепного программного обеспечения включено в базовую систему. Если вы найдёте это руководство полезным или откроете как восхитительна OpenBSD, пожалуйста подумайте над тем, чтобы поддержать проект - это может быть приобретение набора компакт дисков <ref>С релиза 6.1, OpenBSD [http://undeadly.org/cgi?action=article&sid=20160901090415 не будет распространяться на CD], но вы по прежнему можете [https://www.openbsdstore.com/cgi-bin/live/ecommerce.pl?site=shop_openbsdeurope_com&state=department приобрести] различные предметы с символикой OpenBSD. прим. переводчика</ref> или сделав [http://www.openbsd.org/donations.html пожертвование]. Команда разработчиков OpenBSD отлично выполняет свою работу, которая приносит пользу всему сообществу и ваша поддержка не будет лишней!<br />
<br />
== Зачем SpamAssassin в дополнение к spamd? ==<br />
<br />
Spamd отлично работает, не создавая лишней нагрузки. Он отлавливает большую часть моего спама (более 95%), так что я почти решил отказаться от возни со SpamAssassin. Но подумав, решил что будет интересно попробовать интегрировать их оба.<br />
<br />
== Почему не <вставьте имя любимой операционной системы или программы>? ==<br />
<br />
Никогда не слышал об этом. ;-)<br />
<br />
== Why bother with setting up your own email server to begin with? Why not just keep using Gmail? ==<br />
<br />
I used to run my own email server back when I hosted the Linux Reality podcast and decided it would be a fun exercise to try it again. The email server I set up using the steps in this guide might become my primary email server. Or, I might take the server down tomorrow and go back to using AOL and working on my Geocities page. Who knows?<br />
<br />
== Assumptions: ==<br />
<br />
This guide assumes an understanding of how to install and configure OpenBSD and an understanding of networking and email, both in general and in regards to OpenBSD in particular. Additionally, this guide assumes an understanding of how to install packages with a properly configured $PKG_PATH, how to work from the command line and edit configuration files, how to change DNS records and MX records, and other general nuts and bolts. These kinds of basic topics will not be covered in this guide.<br />
<br />
== Disclaimer: ==<br />
<br />
I am an ordinary OpenBSD user. I am not a sysadmin, developer, programmer, kung-fu master, or expert in any of these areas. This guide is mainly a writeup for myself so I can replicate these steps in the future. If someone finds it helpful, fine, but it is by no means the only way or even the best way to configure an email server. There are most likely mistakes in this guide, so take it for what it's worth and YMMV. If your email breaks because of this guide, then don't run your own email server. Feedback and corrections are welcome.<br />
<br />
== Updates: ==<br />
<br />
Updated the last line of example smtpd.conf from "for any" to "for domain <vdomains>". Thanks to Christoph on the opensmtpd-misc mailing list.<br />
Removed bit about enabling pf since it's enabled by default. Duh. Also changed notations of port 587 to 'submission' which is the name of that port in /etc/services. Thanks to rjc.<br />
<br />
== Resources: ==<br />
* OpenBSD FAQ (required)<br />
* OpenBSD man pages (required)<br />
* OpenSMTPD wiki<br />
* Helpful thread on OpenSMTPD mailing list re: tagging and proxying<br />
* http://www.kernel-panic.it/openbsd/mail/ (the bits about ClamAV and SpamAssassing are helpful)<br />
* https://coderwall.com/p/eejzja/simple-smtp-server-with-opensmtpd<br />
* http://blog.ehouse.io/mail-server-basic-smtp.html<br />
* http://blog.admiral0.it/computing/mail-server-with-opensmtpd-dovecot-and-amavisdspamassassin<br />
<br /><br />
<br />
= Initial Setup =<br />
<br />
# Install OpenBSD 5.6. If using the auto-partitioner, make sure enough space is allocated to /usr and /usr/src to allow for extracting the sources (below). Edit /etc/rc.conf.local and add “-s” to ntpd_flags so time is set at boot if desired.<br />
# Add a rule to default /etc/pf.conf to allow incoming ssh connections, such as:<br />
#:<code># cat /etc/pf.conf<br />&hellip;<br />pass in on egress proto tcp to any port ssh<br />&hellip;</code><br />
# Reload pf with:<br />
#:<code># pfctl -f /etc/pf.conf</code><br />
# Update the system by [http://www.openbsd.org/faq/faq5.html#BldGetSrc fetching the sources] via ftp and [http://www.openbsd.org/errata60.html patching].<br />
# Set up $PKG_PATH to install packages.<br />
# Configure MX records etc. at domain registrar, perhaps with an unused domain for testing purposes.<br /><br /><br />
<br />
= OpenSMTPD и spamd =<br />
# Read the man page for smtpd and smtpd.conf and review the configuration files.<br />
# Set up virtual users and virtual domains:<br />
#:<code># cat /etc/mail/vusers</code><br />
#:<code>joe@example.com joe</code><br />
#:<code>@example.com joe</code><br />
#:<code>joe@example.net joe</code><br />
#:<code>@example.net joe</code><br />
#:<br /><br />
#:<code># cat /etc/mail/vdomains</code><br />
#:<code>example.com</code><br />
#:<code>example.net</code><br />
#:<br /><br />
# Create SSL certificates as described in man 5 smtpd.conf:<br />
#:<code># openssl genrsa -out /etc/ssl/private/mail.example.com.key 4096</code><br />
#:<code># openssl req -new -x509 -key /etc/ssl/private/mail.example.com.key -out /etc/ssl/mail.example.com.crt -days 365</code><br />
#:<code># chmod 600 /etc/ssl/mail.example.com.crt</code><br />
#:<code># chmod 600 /etc/ssl/private/mail.example.com.key</code><br />
#:<br /><br />
# Create ~/Maildir for user ("joe" in this example).<br />
# Edit /etc/mail/smtpd.conf so it listens on egress with tls (for incoming mail) and egress port 587 (submission) with tls and authentication (for outgoing mail), accepts mail for virtual users and virtual domains, and delivers this mail to Maildir. Note that the smtpd.conf man page clearly says: "For each message processed by the daemon, the filter rules are evaluated in sequential order, from first to last. The first matching rule decides what action is taken." Therefore, the order of the rules in smtpd.conf is very important and will become more important as additional bits are added (e.g. for clamsmtp, spampd, and dkimproxy).<br />
#:<code># cat /etc/mail/smtpd.conf</code><br />
#:<code>pki mail.example.com certificate "/etc/ssl/mail.example.com.crt"</code><br />
#:<code>pki mail.example.com key "/etc/ssl/private/mail.example.com.key"</code><br />
#:<br /><br />
#:<code>listen on lo0</code><br />
#:<code>listen on egress tls pki mail.example.com auth-optional</code><br />
#:<code>listen on egress port submission tls-require pki mail.example.com auth</code><br />
#:<br /><br />
#:<code>table aliases db:/etc/mail/aliases.db</code><br />
#:<code>table vusers file:/etc/mail/vusers</code><br />
#:<code>table vdomains file:/etc/mail/vdomains</code><br />
#:<br /><br />
#:<code>accept for local alias <aliases> deliver to maildir</code><br />
#:<br /><br />
#:<code>accept from any for domain <vdomains> virtual <vusers> deliver to maildir</code><br />
#:<code>accept from local for any relay</code><br />
#:<br /><br />
# Edit pf.conf to allow connections on smtp port 25 and port 587, such as:<br />
#:<code># cat /etc/pf.conf</code><br />
#:<code>...</code><br />
#:<code>pass in on egress proto tcp to any port smtp</code><br />
#:<code>pass in on egress proto tcp to any port submission</code><br />
#:<code>...</code><br />
#:<br /><br />
# Reload pf and start /etc/rc.d/smtpd.<br />
# Test sending mail to/from the user's account. Since there is no imap client yet, might want to install mutt or something similar and point to the user's ~/Maildir to check incoming mail. The user should be able to connect to OpenSMTPD on port 587 from an outside client to send mail through OpenSMTPD to another party. Sending outbound mail from the command line should also work. Perhaps telnet into the server or run a couple of SMTP checks against the server like this one to verify things are working correctly. The session transcript should look something like this:<br />
#:<code>Connecting to 123.456.789.000</code><br />
#:<br /><br />
#:<code>220 mail.example.com ESMTP OpenSMTPD [624 ms]</code><br />
#:<code>EHLO MXTB-PWS3.mxtoolbox.com</code><br />
#:<code>250-mail.example.com Hello MXTB-PWS3.mxtoolbox.com [64.20.227.133], pleased to meet you</code><br />
#:<code>250-8BITMIME</code><br />
#:<code>250-ENHANCEDSTATUSCODES</code><br />
#:<code>250-SIZE 36700160</code><br />
#:<code>250-DSN</code><br />
#:<code>250-STARTTLS</code><br />
#:<code>250 HELP [640 ms]</code><br />
#:<code>MAIL FROM: <supertool@mxtoolbox.com></code><br />
#:<code>250 2.0.0: Ok [640 ms]</code><br />
#:<code>RCPT TO: <test@example.com></code><br />
#:<code>550 Invalid recipient [640 ms]</code><br />
#:<br /><br />
#:<code>MXTB-PWS3v2 3260ms</code><br />
#:<br /><br />
# If that works, set up spamd. This is a very simple and standard setup and there are lots of resources out there on how to do this, but here is the shorthand: Add spamd_flags=”-v” to /etc/rc.conf.local. Edit /etc/mail/spamd.conf to add override/whitelist if desired (file /etc/mail/nospamd in sample pf rules). Add spamd pf rules from example /etc/pf.conf and comment out prior rule that passed smtp on egress (because now we want incoming mail to be redirected to spamd running on localhost port 8025):<br />
#:<code># cat /etc/pf.conf</code><br />
#:<br /><br />
#:<code>...</code><br />
#:<code>#pass in on egress proto tcp to any port smtp</code><br />
#:<code>pass in on egress proto tcp to any port submission</code><br />
#:<code># rules for spamd(8)</code><br />
#:<code>table <spamd-white> persist</code><br />
#:<code>table <nospamd> persist file "/etc/mail/nospamd"</code><br />
#:<code>pass in on egress proto tcp from any to any port smtp rdr-to 127.0.0.1 port spamd</code><br />
#:<code>pass in on egress proto tcp from <nospamd> to any port smtp</code><br />
#:<code>pass in log on egress proto tcp from <spamd-white> to any port smtp</code><br />
#:<code> pass out log on egress proto tcp to any port smtp</code><br />
#:<code>...</code><br />
#:<br /><br />
#:Reload pf and start /etc/rc.d/spamd. Check netstat to see if spamd is listening on port 8025:<br />
#:<code># netstat -na -f inet</code><br />
#:<br /><br />
# Send test emails again and check logs and 'spamdb' to see if email is getting greylisted. Once spamd is working, those third-party SMTP checks won't work because spamd is intercepting incoming mail. Same with telnet, if you can stand waiting for the stuttering. ;-) Anyway, now the session transcript should look something like this:<br />
#:<code>Connecting to 123.456.789.000</code><br />
#:<br /> <br />
#:<code>220 mail.example.com ESMTP spamd IP-based SPAM blocker; Sat Jan 31 11:33:21 2015 [11716 ms]</code><br />
#:<code>EHLO MXTB-PWS3.mxtoolbox.com</code><br />
#:<code>250 Hello, spam sender. Pleased to be wasting your time. [640 ms]</code><br />
#:<code>MAIL FROM: <supertool@mxtoolbox.com></code><br />
#:<code>250 You are about to try to deliver spam. Your time will be spent, for nothing. [640 ms]</code><br />
#:<code>RCPT TO: <test@example.com></code><br />
#:<code>250 This is hurting you more than it is hurting me. [640 ms]</code><br />
#:<br /> <br />
#:<code>MXTB-PWS3v2 14602ms</code><br />
#:<br /><br />
#:Haha. Love spamd.<br />
# So here is what's happening:<br />
#:<br />
#:'''Incoming mail''':<br />
#:pf -> relay to spamd -> send to opensmtpd on lo0 -> deliver to maildir<br />
#:<br /><br />
#:'''Outoing mail''':<br />
#:opensmtpd on lo0 -> relay out<br />
<br />
= Примечания =</div>Sshhttp://www.qbsd.ru/index.php?title=%D0%9F%D0%BE%D1%87%D1%82%D0%BE%D0%B2%D1%8B%D0%B9_%D1%81%D0%B5%D1%80%D0%B2%D0%B5%D1%80_%D0%BD%D0%B0_%D0%B1%D0%B0%D0%B7%D0%B5_OpenBSD_6.0&diff=466Почтовый сервер на базе OpenBSD 6.02016-09-15T01:58:47Z<p>Ssh: /* OpenBSD Mail Server - Part 1, Initial Setup */</p>
<hr />
<div>= Вступление =<br />
Перевод [http://technoquarter.blogspot.ru/2015/02/openbsd-mail-server.html статьи] Chess Griffin с небольшим количеством комментариев от переводчика, в основном связанных с тем, что с момента релиза [http://www.openbsd.org/56.html OpenBSD 5.6], система стала еще [http://www.openbsd.org/60.html лучше!]<br />
<br />
== Цель ==<br />
Создать достаточно безопасный почтовый сервер на базе OpenBSD и нескольких пакетов. OpenSMTPD, spamd, pf и httpd входят в состав базовой системы. Дополнительно потребуются [https://www.clamav.net ClamAV], [http://thewalter.net/stef/software/clamsmtp ClamSMTP], [http://spamassassin.apache.org SpamAssassin], [http://www.worlddesign.com/Content/rd/mta/spampd/spampd.html SpamPD], [http://dkimproxy.sourceforge.net DKIMproxy], [http://www.dovecot.org Dovecot], [http://pigeonhole.dovecot.org Dovecot-Pigeonhole] и [https://roundcube.net Roundcube].<br />
<br />
== Окончательный результат ==<br />
=== Обработка входящих сообщений ===<br />
pf -> spamd -> opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> spampd -> SpamAssassin -> spampd -> opensmtpd -> deliver to dovecot/lmtp<br />
<br />
=== Обработка исходящих сообщений ===<br />
opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> dkimproxy -> opensmtpd -> relay out<br />
<br />
=== Дополнительно ===<br />
Доступ посредством IMAP (SSL): Dovecot<br />
<br />
Доступ к почте через веб-интерфейса (SSL): httpd и Roundcube<br />
<br />
== Почему OpenBSD? ==<br />
Это прекрасная операционная система, созданная и поддерживаемая многими умными людьми. Кроме того, мне нравится, что большое количество великолепного программного обеспечения включено в базовую систему. Если вы найдёте это руководство полезным или откроете как восхитительна OpenBSD, пожалуйста подумайте над тем, чтобы поддержать проект - это может быть приобретение набора компакт дисков <ref>С релиза 6.1, OpenBSD [http://undeadly.org/cgi?action=article&sid=20160901090415 не будет распространяться на CD], но вы по прежнему можете [https://www.openbsdstore.com/cgi-bin/live/ecommerce.pl?site=shop_openbsdeurope_com&state=department приобрести] различные предметы с символикой OpenBSD. прим. переводчика</ref> или сделав [http://www.openbsd.org/donations.html пожертвование]. Команда разработчиков OpenBSD отлично выполняет свою работу, которая приносит пользу всему сообществу и ваша поддержка не будет лишней!<br />
<br />
== Зачем SpamAssassin в дополнение к spamd? ==<br />
<br />
Spamd отлично работает, не создавая лишней нагрузки. Он отлавливает большую часть моего спама (более 95%), так что я почти решил отказаться от возни со SpamAssassin. Но подумав, решил что будет интересно попробовать интегрировать их оба.<br />
<br />
== Почему не <вставьте имя любимой операционной системы или программы>? ==<br />
<br />
Никогда не слышал об этом. ;-)<br />
<br />
== Why bother with setting up your own email server to begin with? Why not just keep using Gmail? ==<br />
<br />
I used to run my own email server back when I hosted the Linux Reality podcast and decided it would be a fun exercise to try it again. The email server I set up using the steps in this guide might become my primary email server. Or, I might take the server down tomorrow and go back to using AOL and working on my Geocities page. Who knows?<br />
<br />
== Assumptions: ==<br />
<br />
This guide assumes an understanding of how to install and configure OpenBSD and an understanding of networking and email, both in general and in regards to OpenBSD in particular. Additionally, this guide assumes an understanding of how to install packages with a properly configured $PKG_PATH, how to work from the command line and edit configuration files, how to change DNS records and MX records, and other general nuts and bolts. These kinds of basic topics will not be covered in this guide.<br />
<br />
== Disclaimer: ==<br />
<br />
I am an ordinary OpenBSD user. I am not a sysadmin, developer, programmer, kung-fu master, or expert in any of these areas. This guide is mainly a writeup for myself so I can replicate these steps in the future. If someone finds it helpful, fine, but it is by no means the only way or even the best way to configure an email server. There are most likely mistakes in this guide, so take it for what it's worth and YMMV. If your email breaks because of this guide, then don't run your own email server. Feedback and corrections are welcome.<br />
<br />
== Updates: ==<br />
<br />
Updated the last line of example smtpd.conf from "for any" to "for domain <vdomains>". Thanks to Christoph on the opensmtpd-misc mailing list.<br />
Removed bit about enabling pf since it's enabled by default. Duh. Also changed notations of port 587 to 'submission' which is the name of that port in /etc/services. Thanks to rjc.<br />
<br />
== Resources: ==<br />
* OpenBSD FAQ (required)<br />
* OpenBSD man pages (required)<br />
* OpenSMTPD wiki<br />
* Helpful thread on OpenSMTPD mailing list re: tagging and proxying<br />
* http://www.kernel-panic.it/openbsd/mail/ (the bits about ClamAV and SpamAssassing are helpful)<br />
* https://coderwall.com/p/eejzja/simple-smtp-server-with-opensmtpd<br />
* http://blog.ehouse.io/mail-server-basic-smtp.html<br />
* http://blog.admiral0.it/computing/mail-server-with-opensmtpd-dovecot-and-amavisdspamassassin<br />
<br /><br />
<br />
= Initial Setup =<br />
<br />
# Install OpenBSD 5.6. If using the auto-partitioner, make sure enough space is allocated to /usr and /usr/src to allow for extracting the sources (below). Edit /etc/rc.conf.local and add “-s” to ntpd_flags so time is set at boot if desired.<br />
# Add a rule to default /etc/pf.conf to allow incoming ssh connections, such as:<br />
#:<code># cat /etc/pf.conf<br />&hellip;<br />pass in on egress proto tcp to any port ssh<br />&hellip;</code><br />
# Reload pf with:<br />
#:<code># pfctl -f /etc/pf.conf</code><br />
# Update the system by [http://www.openbsd.org/faq/faq5.html#BldGetSrc fetching the sources] via ftp and [http://www.openbsd.org/errata60.html patching].<br />
# Set up $PKG_PATH to install packages.<br />
# Configure MX records etc. at domain registrar, perhaps with an unused domain for testing purposes.<br /><br /><br />
<br />
= OpenSMTPD и spamd =<br />
# Read the man page for smtpd and smtpd.conf and review the configuration files.<br />
# Set up virtual users and virtual domains:<br />
#:<code># cat /etc/mail/vusers</code><br />
#:<code>joe@example.com joe</code><br />
#:<code>@example.com joe</code><br />
#:<code>joe@example.net joe</code><br />
#:<code>@example.net joe</code><br />
#:<br /><br />
#:<code># cat /etc/mail/vdomains</code><br />
#:<code>example.com</code><br />
#:<code>example.net</code><br />
#:<br /><br />
# Create SSL certificates as described in man 5 smtpd.conf:<br />
#:<code># openssl genrsa -out /etc/ssl/private/mail.example.com.key 4096</code><br />
#:<code># openssl req -new -x509 -key /etc/ssl/private/mail.example.com.key -out /etc/ssl/mail.example.com.crt -days 365</code><br />
#:<code># chmod 600 /etc/ssl/mail.example.com.crt</code><br />
#:<code># chmod 600 /etc/ssl/private/mail.example.com.key</code><br />
#:<br /><br />
# Create ~/Maildir for user ("joe" in this example).<br />
# Edit /etc/mail/smtpd.conf so it listens on egress with tls (for incoming mail) and egress port 587 (submission) with tls and authentication (for outgoing mail), accepts mail for virtual users and virtual domains, and delivers this mail to Maildir. Note that the smtpd.conf man page clearly says: "For each message processed by the daemon, the filter rules are evaluated in sequential order, from first to last. The first matching rule decides what action is taken." Therefore, the order of the rules in smtpd.conf is very important and will become more important as additional bits are added (e.g. for clamsmtp, spampd, and dkimproxy).<br />
#:<code># cat /etc/mail/smtpd.conf</code><br />
#:<code>pki mail.example.com certificate "/etc/ssl/mail.example.com.crt"</code><br />
#:<code>pki mail.example.com key "/etc/ssl/private/mail.example.com.key"</code><br />
#:<br /><br />
#:<code>listen on lo0</code><br />
#:<code>listen on egress tls pki mail.example.com auth-optional</code><br />
#:<code>listen on egress port submission tls-require pki mail.example.com auth</code><br />
#:<br /><br />
#:<code>table aliases db:/etc/mail/aliases.db</code><br />
#:<code>table vusers file:/etc/mail/vusers</code><br />
#:<code>table vdomains file:/etc/mail/vdomains</code><br />
#:<br /><br />
#:<code>accept for local alias <aliases> deliver to maildir</code><br />
#:<br /><br />
#:<code>accept from any for domain <vdomains> virtual <vusers> deliver to maildir</code><br />
#:<code>accept from local for any relay</code><br />
# Edit pf.conf to allow connections on smtp port 25 and port 587, such as:<br />
#:<code># cat /etc/pf.conf</code><br />
#:<code>...</code><br />
#:<code>pass in on egress proto tcp to any port smtp</code><br />
#:<code>pass in on egress proto tcp to any port submission</code><br />
#:<code>...</code><br />
# Reload pf and start /etc/rc.d/smtpd.<br />
# Test sending mail to/from the user's account. Since there is no imap client yet, might want to install mutt or something similar and point to the user's ~/Maildir to check incoming mail. The user should be able to connect to OpenSMTPD on port 587 from an outside client to send mail through OpenSMTPD to another party. Sending outbound mail from the command line should also work. Perhaps telnet into the server or run a couple of SMTP checks against the server like this one to verify things are working correctly. The session transcript should look something like this:<br />
#:<code>Connecting to 123.456.789.000</code><br />
#:<br /><br />
#:<code>220 mail.example.com ESMTP OpenSMTPD [624 ms]</code><br />
#:<code>EHLO MXTB-PWS3.mxtoolbox.com</code><br />
#:<code>250-mail.example.com Hello MXTB-PWS3.mxtoolbox.com [64.20.227.133], pleased to meet you</code><br />
#:<code>250-8BITMIME</code><br />
#:<code>250-ENHANCEDSTATUSCODES</code><br />
#:<code>250-SIZE 36700160</code><br />
#:<code>250-DSN</code><br />
#:<code>250-STARTTLS</code><br />
#:<code>250 HELP [640 ms]</code><br />
#:<code>MAIL FROM: <supertool@mxtoolbox.com></code><br />
#:<code>250 2.0.0: Ok [640 ms]</code><br />
#:<code>RCPT TO: <test@example.com></code><br />
#:<code>550 Invalid recipient [640 ms]</code><br />
#:<br /><br />
#:<code>MXTB-PWS3v2 3260ms</code><br />
# If that works, set up spamd. This is a very simple and standard setup and there are lots of resources out there on how to do this, but here is the shorthand: Add spamd_flags=”-v” to /etc/rc.conf.local. Edit /etc/mail/spamd.conf to add override/whitelist if desired (file /etc/mail/nospamd in sample pf rules). Add spamd pf rules from example /etc/pf.conf and comment out prior rule that passed smtp on egress (because now we want incoming mail to be redirected to spamd running on localhost port 8025):<br />
#:<code># cat /etc/pf.conf</code><br />
#:<br /><br />
#:<code>...</code><br />
#:<code>#pass in on egress proto tcp to any port smtp</code><br />
#:<code>pass in on egress proto tcp to any port submission</code><br />
#:<code># rules for spamd(8)</code><br />
#:<code>table <spamd-white> persist</code><br />
#:<code>table <nospamd> persist file "/etc/mail/nospamd"</code><br />
#:<code>pass in on egress proto tcp from any to any port smtp rdr-to 127.0.0.1 port spamd</code><br />
#:<code>pass in on egress proto tcp from <nospamd> to any port smtp</code><br />
#:<code>pass in log on egress proto tcp from <spamd-white> to any port smtp</code><br />
#:<code> pass out log on egress proto tcp to any port smtp</code><br />
#:<code>...</code><br />
#:<br /><br />
#:Reload pf and start /etc/rc.d/spamd. Check netstat to see if spamd is listening on port 8025:<br />
#:<code># netstat -na -f inet</code><br />
#:<br /><br />
# Send test emails again and check logs and 'spamdb' to see if email is getting greylisted. Once spamd is working, those third-party SMTP checks won't work because spamd is intercepting incoming mail. Same with telnet, if you can stand waiting for the stuttering. ;-) Anyway, now the session transcript should look something like this:<br />
#:<code>Connecting to 123.456.789.000</code><br />
#:<br /> <br />
#:<code>220 mail.example.com ESMTP spamd IP-based SPAM blocker; Sat Jan 31 11:33:21 2015 [11716 ms]</code><br />
#:<code>EHLO MXTB-PWS3.mxtoolbox.com</code><br />
#:<code>250 Hello, spam sender. Pleased to be wasting your time. [640 ms]</code><br />
#:<code>MAIL FROM: <supertool@mxtoolbox.com></code><br />
#:<code>250 You are about to try to deliver spam. Your time will be spent, for nothing. [640 ms]</code><br />
#:<code>RCPT TO: <test@example.com></code><br />
#:<code>250 This is hurting you more than it is hurting me. [640 ms]</code><br />
#:<br /> <br />
#:<code>MXTB-PWS3v2 14602ms</code><br />
#:<br /><br />
#:Haha. Love spamd.<br />
# So here is what's happening:<br />
#:<br />
#:'''Incoming mail''':<br />
#:pf -> relay to spamd -> send to opensmtpd on lo0 -> deliver to maildir<br />
#:<br /><br />
#:'''Outoing mail''':<br />
#:opensmtpd on lo0 -> relay out<br />
<br />
= Примечания =</div>Sshhttp://www.qbsd.ru/index.php?title=%D0%9F%D0%BE%D1%87%D1%82%D0%BE%D0%B2%D1%8B%D0%B9_%D1%81%D0%B5%D1%80%D0%B2%D0%B5%D1%80_%D0%BD%D0%B0_%D0%B1%D0%B0%D0%B7%D0%B5_OpenBSD_6.0&diff=465Почтовый сервер на базе OpenBSD 6.02016-09-15T01:57:47Z<p>Ssh: /* OpenSMTPD и spamd */</p>
<hr />
<div>= Вступление =<br />
Перевод [http://technoquarter.blogspot.ru/2015/02/openbsd-mail-server.html статьи] Chess Griffin с небольшим количеством комментариев от переводчика, в основном связанных с тем, что с момента релиза [http://www.openbsd.org/56.html OpenBSD 5.6], система стала еще [http://www.openbsd.org/60.html лучше!]<br />
<br />
== Цель ==<br />
Создать достаточно безопасный почтовый сервер на базе OpenBSD и нескольких пакетов. OpenSMTPD, spamd, pf и httpd входят в состав базовой системы. Дополнительно потребуются [https://www.clamav.net ClamAV], [http://thewalter.net/stef/software/clamsmtp ClamSMTP], [http://spamassassin.apache.org SpamAssassin], [http://www.worlddesign.com/Content/rd/mta/spampd/spampd.html SpamPD], [http://dkimproxy.sourceforge.net DKIMproxy], [http://www.dovecot.org Dovecot], [http://pigeonhole.dovecot.org Dovecot-Pigeonhole] и [https://roundcube.net Roundcube].<br />
<br />
== Окончательный результат ==<br />
=== Обработка входящих сообщений ===<br />
pf -> spamd -> opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> spampd -> SpamAssassin -> spampd -> opensmtpd -> deliver to dovecot/lmtp<br />
<br />
=== Обработка исходящих сообщений ===<br />
opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> dkimproxy -> opensmtpd -> relay out<br />
<br />
=== Дополнительно ===<br />
Доступ посредством IMAP (SSL): Dovecot<br />
<br />
Доступ к почте через веб-интерфейса (SSL): httpd и Roundcube<br />
<br />
== Почему OpenBSD? ==<br />
Это прекрасная операционная система, созданная и поддерживаемая многими умными людьми. Кроме того, мне нравится, что большое количество великолепного программного обеспечения включено в базовую систему. Если вы найдёте это руководство полезным или откроете как восхитительна OpenBSD, пожалуйста подумайте над тем, чтобы поддержать проект - это может быть приобретение набора компакт дисков <ref>С релиза 6.1, OpenBSD [http://undeadly.org/cgi?action=article&sid=20160901090415 не будет распространяться на CD], но вы по прежнему можете [https://www.openbsdstore.com/cgi-bin/live/ecommerce.pl?site=shop_openbsdeurope_com&state=department приобрести] различные предметы с символикой OpenBSD. прим. переводчика</ref> или сделав [http://www.openbsd.org/donations.html пожертвование]. Команда разработчиков OpenBSD отлично выполняет свою работу, которая приносит пользу всему сообществу и ваша поддержка не будет лишней!<br />
<br />
== Зачем SpamAssassin в дополнение к spamd? ==<br />
<br />
Spamd отлично работает, не создавая лишней нагрузки. Он отлавливает большую часть моего спама (более 95%), так что я почти решил отказаться от возни со SpamAssassin. Но подумав, решил что будет интересно попробовать интегрировать их оба.<br />
<br />
== Почему не <вставьте имя любимой операционной системы или программы>? ==<br />
<br />
Никогда не слышал об этом. ;-)<br />
<br />
== Why bother with setting up your own email server to begin with? Why not just keep using Gmail? ==<br />
<br />
I used to run my own email server back when I hosted the Linux Reality podcast and decided it would be a fun exercise to try it again. The email server I set up using the steps in this guide might become my primary email server. Or, I might take the server down tomorrow and go back to using AOL and working on my Geocities page. Who knows?<br />
<br />
== Assumptions: ==<br />
<br />
This guide assumes an understanding of how to install and configure OpenBSD and an understanding of networking and email, both in general and in regards to OpenBSD in particular. Additionally, this guide assumes an understanding of how to install packages with a properly configured $PKG_PATH, how to work from the command line and edit configuration files, how to change DNS records and MX records, and other general nuts and bolts. These kinds of basic topics will not be covered in this guide.<br />
<br />
== Disclaimer: ==<br />
<br />
I am an ordinary OpenBSD user. I am not a sysadmin, developer, programmer, kung-fu master, or expert in any of these areas. This guide is mainly a writeup for myself so I can replicate these steps in the future. If someone finds it helpful, fine, but it is by no means the only way or even the best way to configure an email server. There are most likely mistakes in this guide, so take it for what it's worth and YMMV. If your email breaks because of this guide, then don't run your own email server. Feedback and corrections are welcome.<br />
<br />
== Updates: ==<br />
<br />
Updated the last line of example smtpd.conf from "for any" to "for domain <vdomains>". Thanks to Christoph on the opensmtpd-misc mailing list.<br />
Removed bit about enabling pf since it's enabled by default. Duh. Also changed notations of port 587 to 'submission' which is the name of that port in /etc/services. Thanks to rjc.<br />
<br />
== Resources: ==<br />
* OpenBSD FAQ (required)<br />
* OpenBSD man pages (required)<br />
* OpenSMTPD wiki<br />
* Helpful thread on OpenSMTPD mailing list re: tagging and proxying<br />
* http://www.kernel-panic.it/openbsd/mail/ (the bits about ClamAV and SpamAssassing are helpful)<br />
* https://coderwall.com/p/eejzja/simple-smtp-server-with-opensmtpd<br />
* http://blog.ehouse.io/mail-server-basic-smtp.html<br />
* http://blog.admiral0.it/computing/mail-server-with-opensmtpd-dovecot-and-amavisdspamassassin<br />
<br /><br />
<br />
= OpenBSD Mail Server - Part 1, Initial Setup =<br />
<br />
# Install OpenBSD 5.6. If using the auto-partitioner, make sure enough space is allocated to /usr and /usr/src to allow for extracting the sources (below). Edit /etc/rc.conf.local and add “-s” to ntpd_flags so time is set at boot if desired.<br />
# Add a rule to default /etc/pf.conf to allow incoming ssh connections, such as:<br />
#:<code># cat /etc/pf.conf<br />&hellip;<br />pass in on egress proto tcp to any port ssh<br />&hellip;</code><br />
# Reload pf with:<br />
#:<code># pfctl -f /etc/pf.conf</code><br />
# Update the system by [http://www.openbsd.org/faq/faq5.html#BldGetSrc fetching the sources] via ftp and [http://www.openbsd.org/errata60.html patching].<br />
# Set up $PKG_PATH to install packages.<br />
# Configure MX records etc. at domain registrar, perhaps with an unused domain for testing purposes.<br /><br /><br />
<br />
= OpenSMTPD и spamd =<br />
# Read the man page for smtpd and smtpd.conf and review the configuration files.<br />
# Set up virtual users and virtual domains:<br />
#:<code># cat /etc/mail/vusers</code><br />
#:<code>joe@example.com joe</code><br />
#:<code>@example.com joe</code><br />
#:<code>joe@example.net joe</code><br />
#:<code>@example.net joe</code><br />
#:<br /><br />
#:<code># cat /etc/mail/vdomains</code><br />
#:<code>example.com</code><br />
#:<code>example.net</code><br />
#:<br /><br />
# Create SSL certificates as described in man 5 smtpd.conf:<br />
#:<code># openssl genrsa -out /etc/ssl/private/mail.example.com.key 4096</code><br />
#:<code># openssl req -new -x509 -key /etc/ssl/private/mail.example.com.key -out /etc/ssl/mail.example.com.crt -days 365</code><br />
#:<code># chmod 600 /etc/ssl/mail.example.com.crt</code><br />
#:<code># chmod 600 /etc/ssl/private/mail.example.com.key</code><br />
#:<br /><br />
# Create ~/Maildir for user ("joe" in this example).<br />
# Edit /etc/mail/smtpd.conf so it listens on egress with tls (for incoming mail) and egress port 587 (submission) with tls and authentication (for outgoing mail), accepts mail for virtual users and virtual domains, and delivers this mail to Maildir. Note that the smtpd.conf man page clearly says: "For each message processed by the daemon, the filter rules are evaluated in sequential order, from first to last. The first matching rule decides what action is taken." Therefore, the order of the rules in smtpd.conf is very important and will become more important as additional bits are added (e.g. for clamsmtp, spampd, and dkimproxy).<br />
#:<code># cat /etc/mail/smtpd.conf</code><br />
#:<code>pki mail.example.com certificate "/etc/ssl/mail.example.com.crt"</code><br />
#:<code>pki mail.example.com key "/etc/ssl/private/mail.example.com.key"</code><br />
#:<br /><br />
#:<code>listen on lo0</code><br />
#:<code>listen on egress tls pki mail.example.com auth-optional</code><br />
#:<code>listen on egress port submission tls-require pki mail.example.com auth</code><br />
#:<br /><br />
#:<code>table aliases db:/etc/mail/aliases.db</code><br />
#:<code>table vusers file:/etc/mail/vusers</code><br />
#:<code>table vdomains file:/etc/mail/vdomains</code><br />
#:<br /><br />
#:<code>accept for local alias <aliases> deliver to maildir</code><br />
#:<br /><br />
#:<code>accept from any for domain <vdomains> virtual <vusers> deliver to maildir</code><br />
#:<code>accept from local for any relay</code><br />
# Edit pf.conf to allow connections on smtp port 25 and port 587, such as:<br />
#:<code># cat /etc/pf.conf</code><br />
#:<code>...</code><br />
#:<code>pass in on egress proto tcp to any port smtp</code><br />
#:<code>pass in on egress proto tcp to any port submission</code><br />
#:<code>...</code><br />
# Reload pf and start /etc/rc.d/smtpd.<br />
# Test sending mail to/from the user's account. Since there is no imap client yet, might want to install mutt or something similar and point to the user's ~/Maildir to check incoming mail. The user should be able to connect to OpenSMTPD on port 587 from an outside client to send mail through OpenSMTPD to another party. Sending outbound mail from the command line should also work. Perhaps telnet into the server or run a couple of SMTP checks against the server like this one to verify things are working correctly. The session transcript should look something like this:<br />
#:<code>Connecting to 123.456.789.000</code><br />
#:<br /><br />
#:<code>220 mail.example.com ESMTP OpenSMTPD [624 ms]</code><br />
#:<code>EHLO MXTB-PWS3.mxtoolbox.com</code><br />
#:<code>250-mail.example.com Hello MXTB-PWS3.mxtoolbox.com [64.20.227.133], pleased to meet you</code><br />
#:<code>250-8BITMIME</code><br />
#:<code>250-ENHANCEDSTATUSCODES</code><br />
#:<code>250-SIZE 36700160</code><br />
#:<code>250-DSN</code><br />
#:<code>250-STARTTLS</code><br />
#:<code>250 HELP [640 ms]</code><br />
#:<code>MAIL FROM: <supertool@mxtoolbox.com></code><br />
#:<code>250 2.0.0: Ok [640 ms]</code><br />
#:<code>RCPT TO: <test@example.com></code><br />
#:<code>550 Invalid recipient [640 ms]</code><br />
#:<br /><br />
#:<code>MXTB-PWS3v2 3260ms</code><br />
# If that works, set up spamd. This is a very simple and standard setup and there are lots of resources out there on how to do this, but here is the shorthand: Add spamd_flags=”-v” to /etc/rc.conf.local. Edit /etc/mail/spamd.conf to add override/whitelist if desired (file /etc/mail/nospamd in sample pf rules). Add spamd pf rules from example /etc/pf.conf and comment out prior rule that passed smtp on egress (because now we want incoming mail to be redirected to spamd running on localhost port 8025):<br />
#:<code># cat /etc/pf.conf</code><br />
#:<br /><br />
#:<code>...</code><br />
#:<code>#pass in on egress proto tcp to any port smtp</code><br />
#:<code>pass in on egress proto tcp to any port submission</code><br />
#:<code># rules for spamd(8)</code><br />
#:<code>table <spamd-white> persist</code><br />
#:<code>table <nospamd> persist file "/etc/mail/nospamd"</code><br />
#:<code>pass in on egress proto tcp from any to any port smtp rdr-to 127.0.0.1 port spamd</code><br />
#:<code>pass in on egress proto tcp from <nospamd> to any port smtp</code><br />
#:<code>pass in log on egress proto tcp from <spamd-white> to any port smtp</code><br />
#:<code> pass out log on egress proto tcp to any port smtp</code><br />
#:<code>...</code><br />
#:<br /><br />
#:Reload pf and start /etc/rc.d/spamd. Check netstat to see if spamd is listening on port 8025:<br />
#:<code># netstat -na -f inet</code><br />
#:<br /><br />
# Send test emails again and check logs and 'spamdb' to see if email is getting greylisted. Once spamd is working, those third-party SMTP checks won't work because spamd is intercepting incoming mail. Same with telnet, if you can stand waiting for the stuttering. ;-) Anyway, now the session transcript should look something like this:<br />
#:<code>Connecting to 123.456.789.000</code><br />
#:<br /> <br />
#:<code>220 mail.example.com ESMTP spamd IP-based SPAM blocker; Sat Jan 31 11:33:21 2015 [11716 ms]</code><br />
#:<code>EHLO MXTB-PWS3.mxtoolbox.com</code><br />
#:<code>250 Hello, spam sender. Pleased to be wasting your time. [640 ms]</code><br />
#:<code>MAIL FROM: <supertool@mxtoolbox.com></code><br />
#:<code>250 You are about to try to deliver spam. Your time will be spent, for nothing. [640 ms]</code><br />
#:<code>RCPT TO: <test@example.com></code><br />
#:<code>250 This is hurting you more than it is hurting me. [640 ms]</code><br />
#:<br /> <br />
#:<code>MXTB-PWS3v2 14602ms</code><br />
#:<br /><br />
#:Haha. Love spamd.<br />
# So here is what's happening:<br />
#:<br />
#:'''Incoming mail''':<br />
#:pf -> relay to spamd -> send to opensmtpd on lo0 -> deliver to maildir<br />
#:<br /><br />
#:'''Outoing mail''':<br />
#:opensmtpd on lo0 -> relay out<br />
<br />
= Примечания =</div>Sshhttp://www.qbsd.ru/index.php?title=%D0%9F%D0%BE%D1%87%D1%82%D0%BE%D0%B2%D1%8B%D0%B9_%D1%81%D0%B5%D1%80%D0%B2%D0%B5%D1%80_%D0%BD%D0%B0_%D0%B1%D0%B0%D0%B7%D0%B5_OpenBSD_6.0&diff=464Почтовый сервер на базе OpenBSD 6.02016-09-15T01:57:08Z<p>Ssh: /* OpenSMTPD и spamd */</p>
<hr />
<div>= Вступление =<br />
Перевод [http://technoquarter.blogspot.ru/2015/02/openbsd-mail-server.html статьи] Chess Griffin с небольшим количеством комментариев от переводчика, в основном связанных с тем, что с момента релиза [http://www.openbsd.org/56.html OpenBSD 5.6], система стала еще [http://www.openbsd.org/60.html лучше!]<br />
<br />
== Цель ==<br />
Создать достаточно безопасный почтовый сервер на базе OpenBSD и нескольких пакетов. OpenSMTPD, spamd, pf и httpd входят в состав базовой системы. Дополнительно потребуются [https://www.clamav.net ClamAV], [http://thewalter.net/stef/software/clamsmtp ClamSMTP], [http://spamassassin.apache.org SpamAssassin], [http://www.worlddesign.com/Content/rd/mta/spampd/spampd.html SpamPD], [http://dkimproxy.sourceforge.net DKIMproxy], [http://www.dovecot.org Dovecot], [http://pigeonhole.dovecot.org Dovecot-Pigeonhole] и [https://roundcube.net Roundcube].<br />
<br />
== Окончательный результат ==<br />
=== Обработка входящих сообщений ===<br />
pf -> spamd -> opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> spampd -> SpamAssassin -> spampd -> opensmtpd -> deliver to dovecot/lmtp<br />
<br />
=== Обработка исходящих сообщений ===<br />
opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> dkimproxy -> opensmtpd -> relay out<br />
<br />
=== Дополнительно ===<br />
Доступ посредством IMAP (SSL): Dovecot<br />
<br />
Доступ к почте через веб-интерфейса (SSL): httpd и Roundcube<br />
<br />
== Почему OpenBSD? ==<br />
Это прекрасная операционная система, созданная и поддерживаемая многими умными людьми. Кроме того, мне нравится, что большое количество великолепного программного обеспечения включено в базовую систему. Если вы найдёте это руководство полезным или откроете как восхитительна OpenBSD, пожалуйста подумайте над тем, чтобы поддержать проект - это может быть приобретение набора компакт дисков <ref>С релиза 6.1, OpenBSD [http://undeadly.org/cgi?action=article&sid=20160901090415 не будет распространяться на CD], но вы по прежнему можете [https://www.openbsdstore.com/cgi-bin/live/ecommerce.pl?site=shop_openbsdeurope_com&state=department приобрести] различные предметы с символикой OpenBSD. прим. переводчика</ref> или сделав [http://www.openbsd.org/donations.html пожертвование]. Команда разработчиков OpenBSD отлично выполняет свою работу, которая приносит пользу всему сообществу и ваша поддержка не будет лишней!<br />
<br />
== Зачем SpamAssassin в дополнение к spamd? ==<br />
<br />
Spamd отлично работает, не создавая лишней нагрузки. Он отлавливает большую часть моего спама (более 95%), так что я почти решил отказаться от возни со SpamAssassin. Но подумав, решил что будет интересно попробовать интегрировать их оба.<br />
<br />
== Почему не <вставьте имя любимой операционной системы или программы>? ==<br />
<br />
Никогда не слышал об этом. ;-)<br />
<br />
== Why bother with setting up your own email server to begin with? Why not just keep using Gmail? ==<br />
<br />
I used to run my own email server back when I hosted the Linux Reality podcast and decided it would be a fun exercise to try it again. The email server I set up using the steps in this guide might become my primary email server. Or, I might take the server down tomorrow and go back to using AOL and working on my Geocities page. Who knows?<br />
<br />
== Assumptions: ==<br />
<br />
This guide assumes an understanding of how to install and configure OpenBSD and an understanding of networking and email, both in general and in regards to OpenBSD in particular. Additionally, this guide assumes an understanding of how to install packages with a properly configured $PKG_PATH, how to work from the command line and edit configuration files, how to change DNS records and MX records, and other general nuts and bolts. These kinds of basic topics will not be covered in this guide.<br />
<br />
== Disclaimer: ==<br />
<br />
I am an ordinary OpenBSD user. I am not a sysadmin, developer, programmer, kung-fu master, or expert in any of these areas. This guide is mainly a writeup for myself so I can replicate these steps in the future. If someone finds it helpful, fine, but it is by no means the only way or even the best way to configure an email server. There are most likely mistakes in this guide, so take it for what it's worth and YMMV. If your email breaks because of this guide, then don't run your own email server. Feedback and corrections are welcome.<br />
<br />
== Updates: ==<br />
<br />
Updated the last line of example smtpd.conf from "for any" to "for domain <vdomains>". Thanks to Christoph on the opensmtpd-misc mailing list.<br />
Removed bit about enabling pf since it's enabled by default. Duh. Also changed notations of port 587 to 'submission' which is the name of that port in /etc/services. Thanks to rjc.<br />
<br />
== Resources: ==<br />
* OpenBSD FAQ (required)<br />
* OpenBSD man pages (required)<br />
* OpenSMTPD wiki<br />
* Helpful thread on OpenSMTPD mailing list re: tagging and proxying<br />
* http://www.kernel-panic.it/openbsd/mail/ (the bits about ClamAV and SpamAssassing are helpful)<br />
* https://coderwall.com/p/eejzja/simple-smtp-server-with-opensmtpd<br />
* http://blog.ehouse.io/mail-server-basic-smtp.html<br />
* http://blog.admiral0.it/computing/mail-server-with-opensmtpd-dovecot-and-amavisdspamassassin<br />
<br /><br />
<br />
= OpenBSD Mail Server - Part 1, Initial Setup =<br />
<br />
# Install OpenBSD 5.6. If using the auto-partitioner, make sure enough space is allocated to /usr and /usr/src to allow for extracting the sources (below). Edit /etc/rc.conf.local and add “-s” to ntpd_flags so time is set at boot if desired.<br />
# Add a rule to default /etc/pf.conf to allow incoming ssh connections, such as:<br />
#:<code># cat /etc/pf.conf<br />&hellip;<br />pass in on egress proto tcp to any port ssh<br />&hellip;</code><br />
# Reload pf with:<br />
#:<code># pfctl -f /etc/pf.conf</code><br />
# Update the system by [http://www.openbsd.org/faq/faq5.html#BldGetSrc fetching the sources] via ftp and [http://www.openbsd.org/errata60.html patching].<br />
# Set up $PKG_PATH to install packages.<br />
# Configure MX records etc. at domain registrar, perhaps with an unused domain for testing purposes.<br /><br /><br />
<br />
= OpenSMTPD и spamd =<br />
# Read the man page for smtpd and smtpd.conf and review the configuration files.<br />
# Set up virtual users and virtual domains:<br />
#:<code># cat /etc/mail/vusers</code><br />
#:<code>joe@example.com joe</code><br />
#:<code>@example.com joe</code><br />
#:<code>joe@example.net joe</code><br />
#:<code>@example.net joe</code><br />
#:<br /><br />
#:<code># cat /etc/mail/vdomains</code><br />
#:<code>example.com</code><br />
#:<code>example.net</code><br />
# Create SSL certificates as described in man 5 smtpd.conf:<br />
#:<code># openssl genrsa -out /etc/ssl/private/mail.example.com.key 4096</code><br />
#:<code># openssl req -new -x509 -key /etc/ssl/private/mail.example.com.key -out /etc/ssl/mail.example.com.crt -days 365</code><br />
#:<code># chmod 600 /etc/ssl/mail.example.com.crt</code><br />
#:<code># chmod 600 /etc/ssl/private/mail.example.com.key</code><br />
# Create ~/Maildir for user ("joe" in this example).<br />
# Edit /etc/mail/smtpd.conf so it listens on egress with tls (for incoming mail) and egress port 587 (submission) with tls and authentication (for outgoing mail), accepts mail for virtual users and virtual domains, and delivers this mail to Maildir. Note that the smtpd.conf man page clearly says: "For each message processed by the daemon, the filter rules are evaluated in sequential order, from first to last. The first matching rule decides what action is taken." Therefore, the order of the rules in smtpd.conf is very important and will become more important as additional bits are added (e.g. for clamsmtp, spampd, and dkimproxy).<br />
#:<code># cat /etc/mail/smtpd.conf</code><br />
#:<code>pki mail.example.com certificate "/etc/ssl/mail.example.com.crt"</code><br />
#:<code>pki mail.example.com key "/etc/ssl/private/mail.example.com.key"</code><br />
#:<br /><br />
#:<code>listen on lo0</code><br />
#:<code>listen on egress tls pki mail.example.com auth-optional</code><br />
#:<code>listen on egress port submission tls-require pki mail.example.com auth</code><br />
#:<br /><br />
#:<code>table aliases db:/etc/mail/aliases.db</code><br />
#:<code>table vusers file:/etc/mail/vusers</code><br />
#:<code>table vdomains file:/etc/mail/vdomains</code><br />
#:<br /><br />
#:<code>accept for local alias <aliases> deliver to maildir</code><br />
#:<br /><br />
#:<code>accept from any for domain <vdomains> virtual <vusers> deliver to maildir</code><br />
#:<code>accept from local for any relay</code><br />
# Edit pf.conf to allow connections on smtp port 25 and port 587, such as:<br />
#:<code># cat /etc/pf.conf</code><br />
#:<code>...</code><br />
#:<code>pass in on egress proto tcp to any port smtp</code><br />
#:<code>pass in on egress proto tcp to any port submission</code><br />
#:<code>...</code><br />
# Reload pf and start /etc/rc.d/smtpd.<br />
# Test sending mail to/from the user's account. Since there is no imap client yet, might want to install mutt or something similar and point to the user's ~/Maildir to check incoming mail. The user should be able to connect to OpenSMTPD on port 587 from an outside client to send mail through OpenSMTPD to another party. Sending outbound mail from the command line should also work. Perhaps telnet into the server or run a couple of SMTP checks against the server like this one to verify things are working correctly. The session transcript should look something like this:<br />
#:<code>Connecting to 123.456.789.000</code><br />
#:<br /><br />
#:<code>220 mail.example.com ESMTP OpenSMTPD [624 ms]</code><br />
#:<code>EHLO MXTB-PWS3.mxtoolbox.com</code><br />
#:<code>250-mail.example.com Hello MXTB-PWS3.mxtoolbox.com [64.20.227.133], pleased to meet you</code><br />
#:<code>250-8BITMIME</code><br />
#:<code>250-ENHANCEDSTATUSCODES</code><br />
#:<code>250-SIZE 36700160</code><br />
#:<code>250-DSN</code><br />
#:<code>250-STARTTLS</code><br />
#:<code>250 HELP [640 ms]</code><br />
#:<code>MAIL FROM: <supertool@mxtoolbox.com></code><br />
#:<code>250 2.0.0: Ok [640 ms]</code><br />
#:<code>RCPT TO: <test@example.com></code><br />
#:<code>550 Invalid recipient [640 ms]</code><br />
#:<br /><br />
#:<code>MXTB-PWS3v2 3260ms</code><br />
# If that works, set up spamd. This is a very simple and standard setup and there are lots of resources out there on how to do this, but here is the shorthand: Add spamd_flags=”-v” to /etc/rc.conf.local. Edit /etc/mail/spamd.conf to add override/whitelist if desired (file /etc/mail/nospamd in sample pf rules). Add spamd pf rules from example /etc/pf.conf and comment out prior rule that passed smtp on egress (because now we want incoming mail to be redirected to spamd running on localhost port 8025):<br />
#:<code># cat /etc/pf.conf</code><br />
#:<br /><br />
#:<code>...</code><br />
#:<code>#pass in on egress proto tcp to any port smtp</code><br />
#:<code>pass in on egress proto tcp to any port submission</code><br />
#:<code># rules for spamd(8)</code><br />
#:<code>table <spamd-white> persist</code><br />
#:<code>table <nospamd> persist file "/etc/mail/nospamd"</code><br />
#:<code>pass in on egress proto tcp from any to any port smtp rdr-to 127.0.0.1 port spamd</code><br />
#:<code>pass in on egress proto tcp from <nospamd> to any port smtp</code><br />
#:<code>pass in log on egress proto tcp from <spamd-white> to any port smtp</code><br />
#:<code> pass out log on egress proto tcp to any port smtp</code><br />
#:<code>...</code><br />
#:<br /><br />
#:Reload pf and start /etc/rc.d/spamd. Check netstat to see if spamd is listening on port 8025:<br />
#:<code># netstat -na -f inet</code><br />
#:<br /><br />
# Send test emails again and check logs and 'spamdb' to see if email is getting greylisted. Once spamd is working, those third-party SMTP checks won't work because spamd is intercepting incoming mail. Same with telnet, if you can stand waiting for the stuttering. ;-) Anyway, now the session transcript should look something like this:<br />
#:<code>Connecting to 123.456.789.000</code><br />
#:<br /> <br />
#:<code>220 mail.example.com ESMTP spamd IP-based SPAM blocker; Sat Jan 31 11:33:21 2015 [11716 ms]</code><br />
#:<code>EHLO MXTB-PWS3.mxtoolbox.com</code><br />
#:<code>250 Hello, spam sender. Pleased to be wasting your time. [640 ms]</code><br />
#:<code>MAIL FROM: <supertool@mxtoolbox.com></code><br />
#:<code>250 You are about to try to deliver spam. Your time will be spent, for nothing. [640 ms]</code><br />
#:<code>RCPT TO: <test@example.com></code><br />
#:<code>250 This is hurting you more than it is hurting me. [640 ms]</code><br />
#:<br /> <br />
#:<code>MXTB-PWS3v2 14602ms</code><br />
#:<br /><br />
#:Haha. Love spamd.<br />
# So here is what's happening:<br />
#:<br />
#:'''Incoming mail''':<br />
#:pf -> relay to spamd -> send to opensmtpd on lo0 -> deliver to maildir<br />
#:<br /><br />
#:'''Outoing mail''':<br />
#:opensmtpd on lo0 -> relay out<br />
<br />
= Примечания =</div>Sshhttp://www.qbsd.ru/index.php?title=%D0%9F%D0%BE%D1%87%D1%82%D0%BE%D0%B2%D1%8B%D0%B9_%D1%81%D0%B5%D1%80%D0%B2%D0%B5%D1%80_%D0%BD%D0%B0_%D0%B1%D0%B0%D0%B7%D0%B5_OpenBSD_6.0&diff=463Почтовый сервер на базе OpenBSD 6.02016-09-15T01:39:23Z<p>Ssh: /* OpenBSD Mail Server - Part 2, OpenSMTPD and spamd */</p>
<hr />
<div>= Вступление =<br />
Перевод [http://technoquarter.blogspot.ru/2015/02/openbsd-mail-server.html статьи] Chess Griffin с небольшим количеством комментариев от переводчика, в основном связанных с тем, что с момента релиза [http://www.openbsd.org/56.html OpenBSD 5.6], система стала еще [http://www.openbsd.org/60.html лучше!]<br />
<br />
== Цель ==<br />
Создать достаточно безопасный почтовый сервер на базе OpenBSD и нескольких пакетов. OpenSMTPD, spamd, pf и httpd входят в состав базовой системы. Дополнительно потребуются [https://www.clamav.net ClamAV], [http://thewalter.net/stef/software/clamsmtp ClamSMTP], [http://spamassassin.apache.org SpamAssassin], [http://www.worlddesign.com/Content/rd/mta/spampd/spampd.html SpamPD], [http://dkimproxy.sourceforge.net DKIMproxy], [http://www.dovecot.org Dovecot], [http://pigeonhole.dovecot.org Dovecot-Pigeonhole] и [https://roundcube.net Roundcube].<br />
<br />
== Окончательный результат ==<br />
=== Обработка входящих сообщений ===<br />
pf -> spamd -> opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> spampd -> SpamAssassin -> spampd -> opensmtpd -> deliver to dovecot/lmtp<br />
<br />
=== Обработка исходящих сообщений ===<br />
opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> dkimproxy -> opensmtpd -> relay out<br />
<br />
=== Дополнительно ===<br />
Доступ посредством IMAP (SSL): Dovecot<br />
<br />
Доступ к почте через веб-интерфейса (SSL): httpd и Roundcube<br />
<br />
== Почему OpenBSD? ==<br />
Это прекрасная операционная система, созданная и поддерживаемая многими умными людьми. Кроме того, мне нравится, что большое количество великолепного программного обеспечения включено в базовую систему. Если вы найдёте это руководство полезным или откроете как восхитительна OpenBSD, пожалуйста подумайте над тем, чтобы поддержать проект - это может быть приобретение набора компакт дисков <ref>С релиза 6.1, OpenBSD [http://undeadly.org/cgi?action=article&sid=20160901090415 не будет распространяться на CD], но вы по прежнему можете [https://www.openbsdstore.com/cgi-bin/live/ecommerce.pl?site=shop_openbsdeurope_com&state=department приобрести] различные предметы с символикой OpenBSD. прим. переводчика</ref> или сделав [http://www.openbsd.org/donations.html пожертвование]. Команда разработчиков OpenBSD отлично выполняет свою работу, которая приносит пользу всему сообществу и ваша поддержка не будет лишней!<br />
<br />
== Зачем SpamAssassin в дополнение к spamd? ==<br />
<br />
Spamd отлично работает, не создавая лишней нагрузки. Он отлавливает большую часть моего спама (более 95%), так что я почти решил отказаться от возни со SpamAssassin. Но подумав, решил что будет интересно попробовать интегрировать их оба.<br />
<br />
== Почему не <вставьте имя любимой операционной системы или программы>? ==<br />
<br />
Никогда не слышал об этом. ;-)<br />
<br />
== Why bother with setting up your own email server to begin with? Why not just keep using Gmail? ==<br />
<br />
I used to run my own email server back when I hosted the Linux Reality podcast and decided it would be a fun exercise to try it again. The email server I set up using the steps in this guide might become my primary email server. Or, I might take the server down tomorrow and go back to using AOL and working on my Geocities page. Who knows?<br />
<br />
== Assumptions: ==<br />
<br />
This guide assumes an understanding of how to install and configure OpenBSD and an understanding of networking and email, both in general and in regards to OpenBSD in particular. Additionally, this guide assumes an understanding of how to install packages with a properly configured $PKG_PATH, how to work from the command line and edit configuration files, how to change DNS records and MX records, and other general nuts and bolts. These kinds of basic topics will not be covered in this guide.<br />
<br />
== Disclaimer: ==<br />
<br />
I am an ordinary OpenBSD user. I am not a sysadmin, developer, programmer, kung-fu master, or expert in any of these areas. This guide is mainly a writeup for myself so I can replicate these steps in the future. If someone finds it helpful, fine, but it is by no means the only way or even the best way to configure an email server. There are most likely mistakes in this guide, so take it for what it's worth and YMMV. If your email breaks because of this guide, then don't run your own email server. Feedback and corrections are welcome.<br />
<br />
== Updates: ==<br />
<br />
Updated the last line of example smtpd.conf from "for any" to "for domain <vdomains>". Thanks to Christoph on the opensmtpd-misc mailing list.<br />
Removed bit about enabling pf since it's enabled by default. Duh. Also changed notations of port 587 to 'submission' which is the name of that port in /etc/services. Thanks to rjc.<br />
<br />
== Resources: ==<br />
* OpenBSD FAQ (required)<br />
* OpenBSD man pages (required)<br />
* OpenSMTPD wiki<br />
* Helpful thread on OpenSMTPD mailing list re: tagging and proxying<br />
* http://www.kernel-panic.it/openbsd/mail/ (the bits about ClamAV and SpamAssassing are helpful)<br />
* https://coderwall.com/p/eejzja/simple-smtp-server-with-opensmtpd<br />
* http://blog.ehouse.io/mail-server-basic-smtp.html<br />
* http://blog.admiral0.it/computing/mail-server-with-opensmtpd-dovecot-and-amavisdspamassassin<br />
<br /><br />
<br />
= OpenBSD Mail Server - Part 1, Initial Setup =<br />
<br />
# Install OpenBSD 5.6. If using the auto-partitioner, make sure enough space is allocated to /usr and /usr/src to allow for extracting the sources (below). Edit /etc/rc.conf.local and add “-s” to ntpd_flags so time is set at boot if desired.<br />
# Add a rule to default /etc/pf.conf to allow incoming ssh connections, such as:<br />
#:<code># cat /etc/pf.conf<br />&hellip;<br />pass in on egress proto tcp to any port ssh<br />&hellip;</code><br />
# Reload pf with:<br />
#:<code># pfctl -f /etc/pf.conf</code><br />
# Update the system by [http://www.openbsd.org/faq/faq5.html#BldGetSrc fetching the sources] via ftp and [http://www.openbsd.org/errata60.html patching].<br />
# Set up $PKG_PATH to install packages.<br />
# Configure MX records etc. at domain registrar, perhaps with an unused domain for testing purposes.<br /><br /><br />
<br />
= OpenSMTPD и spamd =<br />
# Read the man page for smtpd and smtpd.conf and review the configuration files.<br />
# Set up virtual users and virtual domains:<br />
#:<code># cat /etc/mail/vusers</code><br />
#:<code>joe@example.com joe</code><br />
#:<code>@example.com joe</code><br />
#:<code>joe@example.net joe</code><br />
#:<code>@example.net joe</code><br />
<br /><br />
#:<code># cat /etc/mail/vdomains</code><br />
#:<code>example.com</code><br />
#:<code>example.net</code><br />
# Create SSL certificates as described in man 5 smtpd.conf:<br />
#:<code># openssl genrsa -out /etc/ssl/private/mail.example.com.key 4096</code><br />
#:<code># openssl req -new -x509 -key /etc/ssl/private/mail.example.com.key -out /etc/ssl/mail.example.com.crt -days 365</code><br />
#:<code># chmod 600 /etc/ssl/mail.example.com.crt</code><br />
#:<code># chmod 600 /etc/ssl/private/mail.example.com.key</code><br />
# Create ~/Maildir for user ("joe" in this example).<br />
# Edit /etc/mail/smtpd.conf so it listens on egress with tls (for incoming mail) and egress port 587 (submission) with tls and authentication (for outgoing mail), accepts mail for virtual users and virtual domains, and delivers this mail to Maildir. Note that the smtpd.conf man page clearly says: "For each message processed by the daemon, the filter rules are evaluated in sequential order, from first to last. The first matching rule decides what action is taken." Therefore, the order of the rules in smtpd.conf is very important and will become more important as additional bits are added (e.g. for clamsmtp, spampd, and dkimproxy).<br />
#:<code># cat /etc/mail/smtpd.conf</code><br />
#:<code>pki mail.example.com certificate "/etc/ssl/mail.example.com.crt"</code><br />
#:<code>pki mail.example.com key "/etc/ssl/private/mail.example.com.key"</code><br />
#:<br /><br />
#:<code>listen on lo0</code><br />
#:<code>listen on egress tls pki mail.example.com auth-optional</code><br />
#:<code>listen on egress port submission tls-require pki mail.example.com auth</code><br />
#:<br /><br />
#:<code>table aliases db:/etc/mail/aliases.db</code><br />
#:<code>table vusers file:/etc/mail/vusers</code><br />
#:<code>table vdomains file:/etc/mail/vdomains</code><br />
#:<br /><br />
#:<code>accept for local alias <aliases> deliver to maildir</code><br />
#:<br /><br />
#:<code>accept from any for domain <vdomains> virtual <vusers> deliver to maildir</code><br />
#:<code>accept from local for any relay</code><br />
<br />
= Примечания =</div>Sshhttp://www.qbsd.ru/index.php?title=%D0%9F%D0%BE%D1%87%D1%82%D0%BE%D0%B2%D1%8B%D0%B9_%D1%81%D0%B5%D1%80%D0%B2%D0%B5%D1%80_%D0%BD%D0%B0_%D0%B1%D0%B0%D0%B7%D0%B5_OpenBSD_6.0&diff=462Почтовый сервер на базе OpenBSD 6.02016-09-15T01:27:06Z<p>Ssh: </p>
<hr />
<div>= Вступление =<br />
Перевод [http://technoquarter.blogspot.ru/2015/02/openbsd-mail-server.html статьи] Chess Griffin с небольшим количеством комментариев от переводчика, в основном связанных с тем, что с момента релиза [http://www.openbsd.org/56.html OpenBSD 5.6], система стала еще [http://www.openbsd.org/60.html лучше!]<br />
<br />
== Цель ==<br />
Создать достаточно безопасный почтовый сервер на базе OpenBSD и нескольких пакетов. OpenSMTPD, spamd, pf и httpd входят в состав базовой системы. Дополнительно потребуются [https://www.clamav.net ClamAV], [http://thewalter.net/stef/software/clamsmtp ClamSMTP], [http://spamassassin.apache.org SpamAssassin], [http://www.worlddesign.com/Content/rd/mta/spampd/spampd.html SpamPD], [http://dkimproxy.sourceforge.net DKIMproxy], [http://www.dovecot.org Dovecot], [http://pigeonhole.dovecot.org Dovecot-Pigeonhole] и [https://roundcube.net Roundcube].<br />
<br />
== Окончательный результат ==<br />
=== Обработка входящих сообщений ===<br />
pf -> spamd -> opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> spampd -> SpamAssassin -> spampd -> opensmtpd -> deliver to dovecot/lmtp<br />
<br />
=== Обработка исходящих сообщений ===<br />
opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> dkimproxy -> opensmtpd -> relay out<br />
<br />
=== Дополнительно ===<br />
Доступ посредством IMAP (SSL): Dovecot<br />
<br />
Доступ к почте через веб-интерфейса (SSL): httpd и Roundcube<br />
<br />
== Почему OpenBSD? ==<br />
Это прекрасная операционная система, созданная и поддерживаемая многими умными людьми. Кроме того, мне нравится, что большое количество великолепного программного обеспечения включено в базовую систему. Если вы найдёте это руководство полезным или откроете как восхитительна OpenBSD, пожалуйста подумайте над тем, чтобы поддержать проект - это может быть приобретение набора компакт дисков <ref>С релиза 6.1, OpenBSD [http://undeadly.org/cgi?action=article&sid=20160901090415 не будет распространяться на CD], но вы по прежнему можете [https://www.openbsdstore.com/cgi-bin/live/ecommerce.pl?site=shop_openbsdeurope_com&state=department приобрести] различные предметы с символикой OpenBSD. прим. переводчика</ref> или сделав [http://www.openbsd.org/donations.html пожертвование]. Команда разработчиков OpenBSD отлично выполняет свою работу, которая приносит пользу всему сообществу и ваша поддержка не будет лишней!<br />
<br />
== Зачем SpamAssassin в дополнение к spamd? ==<br />
<br />
Spamd отлично работает, не создавая лишней нагрузки. Он отлавливает большую часть моего спама (более 95%), так что я почти решил отказаться от возни со SpamAssassin. Но подумав, решил что будет интересно попробовать интегрировать их оба.<br />
<br />
== Почему не <вставьте имя любимой операционной системы или программы>? ==<br />
<br />
Никогда не слышал об этом. ;-)<br />
<br />
== Why bother with setting up your own email server to begin with? Why not just keep using Gmail? ==<br />
<br />
I used to run my own email server back when I hosted the Linux Reality podcast and decided it would be a fun exercise to try it again. The email server I set up using the steps in this guide might become my primary email server. Or, I might take the server down tomorrow and go back to using AOL and working on my Geocities page. Who knows?<br />
<br />
== Assumptions: ==<br />
<br />
This guide assumes an understanding of how to install and configure OpenBSD and an understanding of networking and email, both in general and in regards to OpenBSD in particular. Additionally, this guide assumes an understanding of how to install packages with a properly configured $PKG_PATH, how to work from the command line and edit configuration files, how to change DNS records and MX records, and other general nuts and bolts. These kinds of basic topics will not be covered in this guide.<br />
<br />
== Disclaimer: ==<br />
<br />
I am an ordinary OpenBSD user. I am not a sysadmin, developer, programmer, kung-fu master, or expert in any of these areas. This guide is mainly a writeup for myself so I can replicate these steps in the future. If someone finds it helpful, fine, but it is by no means the only way or even the best way to configure an email server. There are most likely mistakes in this guide, so take it for what it's worth and YMMV. If your email breaks because of this guide, then don't run your own email server. Feedback and corrections are welcome.<br />
<br />
== Updates: ==<br />
<br />
Updated the last line of example smtpd.conf from "for any" to "for domain <vdomains>". Thanks to Christoph on the opensmtpd-misc mailing list.<br />
Removed bit about enabling pf since it's enabled by default. Duh. Also changed notations of port 587 to 'submission' which is the name of that port in /etc/services. Thanks to rjc.<br />
<br />
== Resources: ==<br />
* OpenBSD FAQ (required)<br />
* OpenBSD man pages (required)<br />
* OpenSMTPD wiki<br />
* Helpful thread on OpenSMTPD mailing list re: tagging and proxying<br />
* http://www.kernel-panic.it/openbsd/mail/ (the bits about ClamAV and SpamAssassing are helpful)<br />
* https://coderwall.com/p/eejzja/simple-smtp-server-with-opensmtpd<br />
* http://blog.ehouse.io/mail-server-basic-smtp.html<br />
* http://blog.admiral0.it/computing/mail-server-with-opensmtpd-dovecot-and-amavisdspamassassin<br />
<br /><br />
<br />
= OpenBSD Mail Server - Part 1, Initial Setup =<br />
<br />
# Install OpenBSD 5.6. If using the auto-partitioner, make sure enough space is allocated to /usr and /usr/src to allow for extracting the sources (below). Edit /etc/rc.conf.local and add “-s” to ntpd_flags so time is set at boot if desired.<br />
# Add a rule to default /etc/pf.conf to allow incoming ssh connections, such as:<br />
#:<code># cat /etc/pf.conf<br />&hellip;<br />pass in on egress proto tcp to any port ssh<br />&hellip;</code><br />
# Reload pf with:<br />
#:<code># pfctl -f /etc/pf.conf</code><br />
# Update the system by [http://www.openbsd.org/faq/faq5.html#BldGetSrc fetching the sources] via ftp and [http://www.openbsd.org/errata60.html patching].<br />
# Set up $PKG_PATH to install packages.<br />
# Configure MX records etc. at domain registrar, perhaps with an unused domain for testing purposes.<br /><br /><br />
<br />
= OpenBSD Mail Server - Part 2, OpenSMTPD and spamd =<br />
1. Read the man page for smtpd and smtpd.conf and review the configuration files.<br />
2. Set up virtual users and virtual domains:<br />
<br />
<br />
= Примечания =</div>Sshhttp://www.qbsd.ru/index.php?title=%D0%9F%D0%BE%D1%87%D1%82%D0%BE%D0%B2%D1%8B%D0%B9_%D1%81%D0%B5%D1%80%D0%B2%D0%B5%D1%80_%D0%BD%D0%B0_%D0%B1%D0%B0%D0%B7%D0%B5_OpenBSD_6.0&diff=461Почтовый сервер на базе OpenBSD 6.02016-09-15T01:24:06Z<p>Ssh: /* OpenBSD Mail Server - Part 1, Initial Setup */</p>
<hr />
<div>= Вступление =<br />
Перевод [http://technoquarter.blogspot.ru/2015/02/openbsd-mail-server.html статьи] Chess Griffin с небольшим количеством комментариев от переводчика, в основном связанных с тем, что с момента релиза [http://www.openbsd.org/56.html OpenBSD 5.6], система стала еще [http://www.openbsd.org/60.html лучше!]<br />
<br />
== Цель ==<br />
Создать достаточно безопасный почтовый сервер на базе OpenBSD и нескольких пакетов. OpenSMTPD, spamd, pf и httpd входят в состав базовой системы. Дополнительно потребуются [https://www.clamav.net ClamAV], [http://thewalter.net/stef/software/clamsmtp ClamSMTP], [http://spamassassin.apache.org SpamAssassin], [http://www.worlddesign.com/Content/rd/mta/spampd/spampd.html SpamPD], [http://dkimproxy.sourceforge.net DKIMproxy], [http://www.dovecot.org Dovecot], [http://pigeonhole.dovecot.org Dovecot-Pigeonhole] и [https://roundcube.net Roundcube].<br />
<br />
== Окончательный результат ==<br />
=== Обработка входящих сообщений ===<br />
pf -> spamd -> opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> spampd -> SpamAssassin -> spampd -> opensmtpd -> deliver to dovecot/lmtp<br />
<br />
=== Обработка исходящих сообщений ===<br />
opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> dkimproxy -> opensmtpd -> relay out<br />
<br />
=== Дополнительно ===<br />
Доступ посредством IMAP (SSL): Dovecot<br />
<br />
Доступ к почте через веб-интерфейса (SSL): httpd и Roundcube<br />
<br />
== Почему OpenBSD? ==<br />
Это прекрасная операционная система, созданная и поддерживаемая многими умными людьми. Кроме того, мне нравится, что большое количество великолепного программного обеспечения включено в базовую систему. Если вы найдёте это руководство полезным или откроете как восхитительна OpenBSD, пожалуйста подумайте над тем, чтобы поддержать проект - это может быть приобретение набора компакт дисков <ref>С релиза 6.1, OpenBSD [http://undeadly.org/cgi?action=article&sid=20160901090415 не будет распространяться на CD], но вы по прежнему можете [https://www.openbsdstore.com/cgi-bin/live/ecommerce.pl?site=shop_openbsdeurope_com&state=department приобрести] различные предметы с символикой OpenBSD. прим. переводчика</ref> или сделав [http://www.openbsd.org/donations.html пожертвование]. Команда разработчиков OpenBSD отлично выполняет свою работу, которая приносит пользу всему сообществу и ваша поддержка не будет лишней!<br />
<br />
== Зачем SpamAssassin в дополнение к spamd? ==<br />
<br />
Spamd отлично работает, не создавая лишней нагрузки. Он отлавливает большую часть моего спама (более 95%), так что я почти решил отказаться от возни со SpamAssassin. Но подумав, решил что будет интересно попробовать интегрировать их оба.<br />
<br />
== Почему не <вставьте имя любимой операционной системы или программы>? ==<br />
<br />
Никогда не слышал об этом. ;-)<br />
<br />
== Why bother with setting up your own email server to begin with? Why not just keep using Gmail? ==<br />
<br />
I used to run my own email server back when I hosted the Linux Reality podcast and decided it would be a fun exercise to try it again. The email server I set up using the steps in this guide might become my primary email server. Or, I might take the server down tomorrow and go back to using AOL and working on my Geocities page. Who knows?<br />
<br />
== Assumptions: ==<br />
<br />
This guide assumes an understanding of how to install and configure OpenBSD and an understanding of networking and email, both in general and in regards to OpenBSD in particular. Additionally, this guide assumes an understanding of how to install packages with a properly configured $PKG_PATH, how to work from the command line and edit configuration files, how to change DNS records and MX records, and other general nuts and bolts. These kinds of basic topics will not be covered in this guide.<br />
<br />
== Disclaimer: ==<br />
<br />
I am an ordinary OpenBSD user. I am not a sysadmin, developer, programmer, kung-fu master, or expert in any of these areas. This guide is mainly a writeup for myself so I can replicate these steps in the future. If someone finds it helpful, fine, but it is by no means the only way or even the best way to configure an email server. There are most likely mistakes in this guide, so take it for what it's worth and YMMV. If your email breaks because of this guide, then don't run your own email server. Feedback and corrections are welcome.<br />
<br />
== Updates: ==<br />
<br />
Updated the last line of example smtpd.conf from "for any" to "for domain <vdomains>". Thanks to Christoph on the opensmtpd-misc mailing list.<br />
Removed bit about enabling pf since it's enabled by default. Duh. Also changed notations of port 587 to 'submission' which is the name of that port in /etc/services. Thanks to rjc.<br />
<br />
== Resources: ==<br />
* OpenBSD FAQ (required)<br />
* OpenBSD man pages (required)<br />
* OpenSMTPD wiki<br />
* Helpful thread on OpenSMTPD mailing list re: tagging and proxying<br />
* http://www.kernel-panic.it/openbsd/mail/ (the bits about ClamAV and SpamAssassing are helpful)<br />
* https://coderwall.com/p/eejzja/simple-smtp-server-with-opensmtpd<br />
* http://blog.ehouse.io/mail-server-basic-smtp.html<br />
* http://blog.admiral0.it/computing/mail-server-with-opensmtpd-dovecot-and-amavisdspamassassin<br />
<br /><br />
<br />
= OpenBSD Mail Server - Part 1, Initial Setup =<br />
<br />
# Install OpenBSD 5.6. If using the auto-partitioner, make sure enough space is allocated to /usr and /usr/src to allow for extracting the sources (below). Edit /etc/rc.conf.local and add “-s” to ntpd_flags so time is set at boot if desired.<br />
# Add a rule to default /etc/pf.conf to allow incoming ssh connections, such as:<br />
#:<code># cat /etc/pf.conf<br />&hellip;<br />pass in on egress proto tcp to any port ssh<br />&hellip;</code><br />
# Reload pf with:<br />
#:<code># pfctl -f /etc/pf.conf</code><br />
# Update the system by [http://www.openbsd.org/faq/faq5.html#BldGetSrc fetching the sources] via ftp and [http://www.openbsd.org/errata60.html patching].<br />
# Set up $PKG_PATH to install packages.<br />
# Configure MX records etc. at domain registrar, perhaps with an unused domain for testing purposes.<br /></div>Sshhttp://www.qbsd.ru/index.php?title=%D0%9F%D0%BE%D1%87%D1%82%D0%BE%D0%B2%D1%8B%D0%B9_%D1%81%D0%B5%D1%80%D0%B2%D0%B5%D1%80_%D0%BD%D0%B0_%D0%B1%D0%B0%D0%B7%D0%B5_OpenBSD_6.0&diff=460Почтовый сервер на базе OpenBSD 6.02016-09-14T08:14:41Z<p>Ssh: /* OpenBSD Mail Server - Part 1, Initial Setup */</p>
<hr />
<div>= Вступление =<br />
Перевод [http://technoquarter.blogspot.ru/2015/02/openbsd-mail-server.html статьи] Chess Griffin с небольшим количеством комментариев от переводчика, в основном связанных с тем, что с момента релиза [http://www.openbsd.org/56.html OpenBSD 5.6], система стала еще [http://www.openbsd.org/60.html лучше!]<br />
<br />
== Цель ==<br />
Создать достаточно безопасный почтовый сервер на базе OpenBSD и нескольких пакетов. OpenSMTPD, spamd, pf и httpd входят в состав базовой системы. Дополнительно потребуются [https://www.clamav.net ClamAV], [http://thewalter.net/stef/software/clamsmtp ClamSMTP], [http://spamassassin.apache.org SpamAssassin], [http://www.worlddesign.com/Content/rd/mta/spampd/spampd.html SpamPD], [http://dkimproxy.sourceforge.net DKIMproxy], [http://www.dovecot.org Dovecot], [http://pigeonhole.dovecot.org Dovecot-Pigeonhole] и [https://roundcube.net Roundcube].<br />
<br />
== Окончательный результат ==<br />
=== Обработка входящих сообщений ===<br />
pf -> spamd -> opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> spampd -> SpamAssassin -> spampd -> opensmtpd -> deliver to dovecot/lmtp<br />
<br />
=== Обработка исходящих сообщений ===<br />
opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> dkimproxy -> opensmtpd -> relay out<br />
<br />
=== Дополнительно ===<br />
Доступ посредством IMAP (SSL): Dovecot<br />
<br />
Доступ к почте через веб-интерфейса (SSL): httpd и Roundcube<br />
<br />
== Почему OpenBSD? ==<br />
Это прекрасная операционная система, созданная и поддерживаемая многими умными людьми. Кроме того, мне нравится, что большое количество великолепного программного обеспечения включено в базовую систему. Если вы найдёте это руководство полезным или откроете как восхитительна OpenBSD, пожалуйста подумайте над тем, чтобы поддержать проект - это может быть приобретение набора компакт дисков <ref>С релиза 6.1, OpenBSD [http://undeadly.org/cgi?action=article&sid=20160901090415 не будет распространяться на CD], но вы по прежнему можете [https://www.openbsdstore.com/cgi-bin/live/ecommerce.pl?site=shop_openbsdeurope_com&state=department приобрести] различные предметы с символикой OpenBSD. прим. переводчика</ref> или сделав [http://www.openbsd.org/donations.html пожертвование]. Команда разработчиков OpenBSD отлично выполняет свою работу, которая приносит пользу всему сообществу и ваша поддержка не будет лишней!<br />
<br />
== Зачем SpamAssassin в дополнение к spamd? ==<br />
<br />
Spamd отлично работает, не создавая лишней нагрузки. Он отлавливает большую часть моего спама (более 95%), так что я почти решил отказаться от возни со SpamAssassin. Но подумав, решил что будет интересно попробовать интегрировать их оба.<br />
<br />
== Почему не <вставьте имя любимой операционной системы или программы>? ==<br />
<br />
Никогда не слышал об этом. ;-)<br />
<br />
== Why bother with setting up your own email server to begin with? Why not just keep using Gmail? ==<br />
<br />
I used to run my own email server back when I hosted the Linux Reality podcast and decided it would be a fun exercise to try it again. The email server I set up using the steps in this guide might become my primary email server. Or, I might take the server down tomorrow and go back to using AOL and working on my Geocities page. Who knows?<br />
<br />
== Assumptions: ==<br />
<br />
This guide assumes an understanding of how to install and configure OpenBSD and an understanding of networking and email, both in general and in regards to OpenBSD in particular. Additionally, this guide assumes an understanding of how to install packages with a properly configured $PKG_PATH, how to work from the command line and edit configuration files, how to change DNS records and MX records, and other general nuts and bolts. These kinds of basic topics will not be covered in this guide.<br />
<br />
== Disclaimer: ==<br />
<br />
I am an ordinary OpenBSD user. I am not a sysadmin, developer, programmer, kung-fu master, or expert in any of these areas. This guide is mainly a writeup for myself so I can replicate these steps in the future. If someone finds it helpful, fine, but it is by no means the only way or even the best way to configure an email server. There are most likely mistakes in this guide, so take it for what it's worth and YMMV. If your email breaks because of this guide, then don't run your own email server. Feedback and corrections are welcome.<br />
<br />
== Updates: ==<br />
<br />
Updated the last line of example smtpd.conf from "for any" to "for domain <vdomains>". Thanks to Christoph on the opensmtpd-misc mailing list.<br />
Removed bit about enabling pf since it's enabled by default. Duh. Also changed notations of port 587 to 'submission' which is the name of that port in /etc/services. Thanks to rjc.<br />
<br />
== Resources: ==<br />
* OpenBSD FAQ (required)<br />
* OpenBSD man pages (required)<br />
* OpenSMTPD wiki<br />
* Helpful thread on OpenSMTPD mailing list re: tagging and proxying<br />
* http://www.kernel-panic.it/openbsd/mail/ (the bits about ClamAV and SpamAssassing are helpful)<br />
* https://coderwall.com/p/eejzja/simple-smtp-server-with-opensmtpd<br />
* http://blog.ehouse.io/mail-server-basic-smtp.html<br />
* http://blog.admiral0.it/computing/mail-server-with-opensmtpd-dovecot-and-amavisdspamassassin<br />
<br /><br />
<br />
= OpenBSD Mail Server - Part 1, Initial Setup =<br />
<br />
# Install OpenBSD 5.6. If using the auto-partitioner, make sure enough space is allocated to /usr and /usr/src to allow for extracting the sources (below). Edit /etc/rc.conf.local and add “-s” to ntpd_flags so time is set at boot if desired.<br />
# Add a rule to default /etc/pf.conf to allow incoming ssh connections, such as:<br />
#:<code># cat /etc/pf.conf<br />&hellip;<br />pass in on egress proto tcp to any port ssh<br />&hellip;</code><br />
# Reload pf with:<br />
#:<code># pfctl -f /etc/pf.conf</code><br />
# Update the system by [http://www.openbsd.org/faq/faq5.html#BldGetSrc fetching the sources] via ftp and [http://www.openbsd.org/errata60.html patching].<br />
# Set up $PKG_PATH to install packages.<br />
# Configure MX records etc. at domain registrar, perhaps with an unused domain for testing purposes.</div>Sshhttp://www.qbsd.ru/index.php?title=%D0%9F%D0%BE%D1%87%D1%82%D0%BE%D0%B2%D1%8B%D0%B9_%D1%81%D0%B5%D1%80%D0%B2%D0%B5%D1%80_%D0%BD%D0%B0_%D0%B1%D0%B0%D0%B7%D0%B5_OpenBSD_6.0&diff=459Почтовый сервер на базе OpenBSD 6.02016-09-14T08:12:08Z<p>Ssh: /* OpenBSD Mail Server - Part 1, Initial Setup */</p>
<hr />
<div>= Вступление =<br />
Перевод [http://technoquarter.blogspot.ru/2015/02/openbsd-mail-server.html статьи] Chess Griffin с небольшим количеством комментариев от переводчика, в основном связанных с тем, что с момента релиза [http://www.openbsd.org/56.html OpenBSD 5.6], система стала еще [http://www.openbsd.org/60.html лучше!]<br />
<br />
== Цель ==<br />
Создать достаточно безопасный почтовый сервер на базе OpenBSD и нескольких пакетов. OpenSMTPD, spamd, pf и httpd входят в состав базовой системы. Дополнительно потребуются [https://www.clamav.net ClamAV], [http://thewalter.net/stef/software/clamsmtp ClamSMTP], [http://spamassassin.apache.org SpamAssassin], [http://www.worlddesign.com/Content/rd/mta/spampd/spampd.html SpamPD], [http://dkimproxy.sourceforge.net DKIMproxy], [http://www.dovecot.org Dovecot], [http://pigeonhole.dovecot.org Dovecot-Pigeonhole] и [https://roundcube.net Roundcube].<br />
<br />
== Окончательный результат ==<br />
=== Обработка входящих сообщений ===<br />
pf -> spamd -> opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> spampd -> SpamAssassin -> spampd -> opensmtpd -> deliver to dovecot/lmtp<br />
<br />
=== Обработка исходящих сообщений ===<br />
opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> dkimproxy -> opensmtpd -> relay out<br />
<br />
=== Дополнительно ===<br />
Доступ посредством IMAP (SSL): Dovecot<br />
<br />
Доступ к почте через веб-интерфейса (SSL): httpd и Roundcube<br />
<br />
== Почему OpenBSD? ==<br />
Это прекрасная операционная система, созданная и поддерживаемая многими умными людьми. Кроме того, мне нравится, что большое количество великолепного программного обеспечения включено в базовую систему. Если вы найдёте это руководство полезным или откроете как восхитительна OpenBSD, пожалуйста подумайте над тем, чтобы поддержать проект - это может быть приобретение набора компакт дисков <ref>С релиза 6.1, OpenBSD [http://undeadly.org/cgi?action=article&sid=20160901090415 не будет распространяться на CD], но вы по прежнему можете [https://www.openbsdstore.com/cgi-bin/live/ecommerce.pl?site=shop_openbsdeurope_com&state=department приобрести] различные предметы с символикой OpenBSD. прим. переводчика</ref> или сделав [http://www.openbsd.org/donations.html пожертвование]. Команда разработчиков OpenBSD отлично выполняет свою работу, которая приносит пользу всему сообществу и ваша поддержка не будет лишней!<br />
<br />
== Зачем SpamAssassin в дополнение к spamd? ==<br />
<br />
Spamd отлично работает, не создавая лишней нагрузки. Он отлавливает большую часть моего спама (более 95%), так что я почти решил отказаться от возни со SpamAssassin. Но подумав, решил что будет интересно попробовать интегрировать их оба.<br />
<br />
== Почему не <вставьте имя любимой операционной системы или программы>? ==<br />
<br />
Никогда не слышал об этом. ;-)<br />
<br />
== Why bother with setting up your own email server to begin with? Why not just keep using Gmail? ==<br />
<br />
I used to run my own email server back when I hosted the Linux Reality podcast and decided it would be a fun exercise to try it again. The email server I set up using the steps in this guide might become my primary email server. Or, I might take the server down tomorrow and go back to using AOL and working on my Geocities page. Who knows?<br />
<br />
== Assumptions: ==<br />
<br />
This guide assumes an understanding of how to install and configure OpenBSD and an understanding of networking and email, both in general and in regards to OpenBSD in particular. Additionally, this guide assumes an understanding of how to install packages with a properly configured $PKG_PATH, how to work from the command line and edit configuration files, how to change DNS records and MX records, and other general nuts and bolts. These kinds of basic topics will not be covered in this guide.<br />
<br />
== Disclaimer: ==<br />
<br />
I am an ordinary OpenBSD user. I am not a sysadmin, developer, programmer, kung-fu master, or expert in any of these areas. This guide is mainly a writeup for myself so I can replicate these steps in the future. If someone finds it helpful, fine, but it is by no means the only way or even the best way to configure an email server. There are most likely mistakes in this guide, so take it for what it's worth and YMMV. If your email breaks because of this guide, then don't run your own email server. Feedback and corrections are welcome.<br />
<br />
== Updates: ==<br />
<br />
Updated the last line of example smtpd.conf from "for any" to "for domain <vdomains>". Thanks to Christoph on the opensmtpd-misc mailing list.<br />
Removed bit about enabling pf since it's enabled by default. Duh. Also changed notations of port 587 to 'submission' which is the name of that port in /etc/services. Thanks to rjc.<br />
<br />
== Resources: ==<br />
* OpenBSD FAQ (required)<br />
* OpenBSD man pages (required)<br />
* OpenSMTPD wiki<br />
* Helpful thread on OpenSMTPD mailing list re: tagging and proxying<br />
* http://www.kernel-panic.it/openbsd/mail/ (the bits about ClamAV and SpamAssassing are helpful)<br />
* https://coderwall.com/p/eejzja/simple-smtp-server-with-opensmtpd<br />
* http://blog.ehouse.io/mail-server-basic-smtp.html<br />
* http://blog.admiral0.it/computing/mail-server-with-opensmtpd-dovecot-and-amavisdspamassassin<br />
<br /><br />
<br />
= OpenBSD Mail Server - Part 1, Initial Setup =<br />
<br />
# Install OpenBSD 5.6. If using the auto-partitioner, make sure enough space is allocated to /usr and /usr/src to allow for extracting the sources (below). Edit /etc/rc.conf.local and add “-s” to ntpd_flags so time is set at boot if desired.<br />
# Add a rule to default /etc/pf.conf to allow incoming ssh connections, such as:<br />
#:<code># cat /etc/pf.conf<br />...<br />pass in on egress proto tcp to any port ssh<br />...</code><br />
# Reload pf with:<br />
#:<code># pfctl -f /etc/pf.conf</code><br />
# Update the system by [http://www.openbsd.org/faq/faq5.html#BldGetSrc fetching the sources] via ftp and [http://www.openbsd.org/errata60.html patching].<br />
# Set up $PKG_PATH to install packages.<br />
# Configure MX records etc. at domain registrar, perhaps with an unused domain for testing purposes.</div>Sshhttp://www.qbsd.ru/index.php?title=%D0%9F%D0%BE%D1%87%D1%82%D0%BE%D0%B2%D1%8B%D0%B9_%D1%81%D0%B5%D1%80%D0%B2%D0%B5%D1%80_%D0%BD%D0%B0_%D0%B1%D0%B0%D0%B7%D0%B5_OpenBSD_6.0&diff=458Почтовый сервер на базе OpenBSD 6.02016-09-14T07:16:03Z<p>Ssh: </p>
<hr />
<div>= Вступление =<br />
Перевод [http://technoquarter.blogspot.ru/2015/02/openbsd-mail-server.html статьи] Chess Griffin с небольшим количеством комментариев от переводчика, в основном связанных с тем, что с момента релиза [http://www.openbsd.org/56.html OpenBSD 5.6], система стала еще [http://www.openbsd.org/60.html лучше!]<br />
<br />
== Цель ==<br />
Создать достаточно безопасный почтовый сервер на базе OpenBSD и нескольких пакетов. OpenSMTPD, spamd, pf и httpd входят в состав базовой системы. Дополнительно потребуются [https://www.clamav.net ClamAV], [http://thewalter.net/stef/software/clamsmtp ClamSMTP], [http://spamassassin.apache.org SpamAssassin], [http://www.worlddesign.com/Content/rd/mta/spampd/spampd.html SpamPD], [http://dkimproxy.sourceforge.net DKIMproxy], [http://www.dovecot.org Dovecot], [http://pigeonhole.dovecot.org Dovecot-Pigeonhole] и [https://roundcube.net Roundcube].<br />
<br />
== Окончательный результат ==<br />
=== Обработка входящих сообщений ===<br />
pf -> spamd -> opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> spampd -> SpamAssassin -> spampd -> opensmtpd -> deliver to dovecot/lmtp<br />
<br />
=== Обработка исходящих сообщений ===<br />
opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> dkimproxy -> opensmtpd -> relay out<br />
<br />
=== Дополнительно ===<br />
Доступ посредством IMAP (SSL): Dovecot<br />
<br />
Доступ к почте через веб-интерфейса (SSL): httpd и Roundcube<br />
<br />
== Почему OpenBSD? ==<br />
Это прекрасная операционная система, созданная и поддерживаемая многими умными людьми. Кроме того, мне нравится, что большое количество великолепного программного обеспечения включено в базовую систему. Если вы найдёте это руководство полезным или откроете как восхитительна OpenBSD, пожалуйста подумайте над тем, чтобы поддержать проект - это может быть приобретение набора компакт дисков <ref>С релиза 6.1, OpenBSD [http://undeadly.org/cgi?action=article&sid=20160901090415 не будет распространяться на CD], но вы по прежнему можете [https://www.openbsdstore.com/cgi-bin/live/ecommerce.pl?site=shop_openbsdeurope_com&state=department приобрести] различные предметы с символикой OpenBSD. прим. переводчика</ref> или сделав [http://www.openbsd.org/donations.html пожертвование]. Команда разработчиков OpenBSD отлично выполняет свою работу, которая приносит пользу всему сообществу и ваша поддержка не будет лишней!<br />
<br />
== Зачем SpamAssassin в дополнение к spamd? ==<br />
<br />
Spamd отлично работает, не создавая лишней нагрузки. Он отлавливает большую часть моего спама (более 95%), так что я почти решил отказаться от возни со SpamAssassin. Но подумав, решил что будет интересно попробовать интегрировать их оба.<br />
<br />
== Почему не <вставьте имя любимой операционной системы или программы>? ==<br />
<br />
Никогда не слышал об этом. ;-)<br />
<br />
== Why bother with setting up your own email server to begin with? Why not just keep using Gmail? ==<br />
<br />
I used to run my own email server back when I hosted the Linux Reality podcast and decided it would be a fun exercise to try it again. The email server I set up using the steps in this guide might become my primary email server. Or, I might take the server down tomorrow and go back to using AOL and working on my Geocities page. Who knows?<br />
<br />
== Assumptions: ==<br />
<br />
This guide assumes an understanding of how to install and configure OpenBSD and an understanding of networking and email, both in general and in regards to OpenBSD in particular. Additionally, this guide assumes an understanding of how to install packages with a properly configured $PKG_PATH, how to work from the command line and edit configuration files, how to change DNS records and MX records, and other general nuts and bolts. These kinds of basic topics will not be covered in this guide.<br />
<br />
== Disclaimer: ==<br />
<br />
I am an ordinary OpenBSD user. I am not a sysadmin, developer, programmer, kung-fu master, or expert in any of these areas. This guide is mainly a writeup for myself so I can replicate these steps in the future. If someone finds it helpful, fine, but it is by no means the only way or even the best way to configure an email server. There are most likely mistakes in this guide, so take it for what it's worth and YMMV. If your email breaks because of this guide, then don't run your own email server. Feedback and corrections are welcome.<br />
<br />
== Updates: ==<br />
<br />
Updated the last line of example smtpd.conf from "for any" to "for domain <vdomains>". Thanks to Christoph on the opensmtpd-misc mailing list.<br />
Removed bit about enabling pf since it's enabled by default. Duh. Also changed notations of port 587 to 'submission' which is the name of that port in /etc/services. Thanks to rjc.<br />
<br />
== Resources: ==<br />
* OpenBSD FAQ (required)<br />
* OpenBSD man pages (required)<br />
* OpenSMTPD wiki<br />
* Helpful thread on OpenSMTPD mailing list re: tagging and proxying<br />
* http://www.kernel-panic.it/openbsd/mail/ (the bits about ClamAV and SpamAssassing are helpful)<br />
* https://coderwall.com/p/eejzja/simple-smtp-server-with-opensmtpd<br />
* http://blog.ehouse.io/mail-server-basic-smtp.html<br />
* http://blog.admiral0.it/computing/mail-server-with-opensmtpd-dovecot-and-amavisdspamassassin<br />
<br /><br />
<br />
= OpenBSD Mail Server - Part 1, Initial Setup =<br />
<br />
# Install OpenBSD 5.6. If using the auto-partitioner, make sure enough space is allocated to /usr and /usr/src to allow for extracting the sources (below). Edit /etc/rc.conf.local and add “-s” to ntpd_flags so time is set at boot if desired.<br />
# Add a rule to default /etc/pf.conf to allow incoming ssh connections, such as:<br />
# cat /etc/pf.conf<br />
...<br />
pass in on egress proto tcp to any port ssh<br />
...<br />
# Reload pf with:<br />
# pfctl -f /etc/pf.conf<br />
# Update the system by [http://www.openbsd.org/faq/faq5.html#BldGetSrc fetching the sources] via ftp and [http://www.openbsd.org/errata60.html patching].<br />
# Set up $PKG_PATH to install packages.<br />
# Configure MX records etc. at domain registrar, perhaps with an unused domain for testing purposes.</div>Sshhttp://www.qbsd.ru/index.php?title=%D0%9F%D0%BE%D1%87%D1%82%D0%BE%D0%B2%D1%8B%D0%B9_%D1%81%D0%B5%D1%80%D0%B2%D0%B5%D1%80_%D0%BD%D0%B0_%D0%B1%D0%B0%D0%B7%D0%B5_OpenBSD_6.0&diff=457Почтовый сервер на базе OpenBSD 6.02016-09-08T14:05:10Z<p>Ssh: /* Why not ? */</p>
<hr />
<div>= Вступление =<br />
Перевод [http://technoquarter.blogspot.ru/2015/02/openbsd-mail-server.html статьи] Chess Griffin с небольшим количеством комментариев от переводчика, в основном связанных с тем, что с момента релиза [http://www.openbsd.org/56.html OpenBSD 5.6], система стала еще [http://www.openbsd.org/60.html лучше!]<br />
<br />
== Цель ==<br />
Создать достаточно безопасный почтовый сервер на базе OpenBSD и нескольких пакетов. OpenSMTPD, spamd, pf и httpd входят в состав базовой системы. Дополнительно потребуются [https://www.clamav.net ClamAV], [http://thewalter.net/stef/software/clamsmtp ClamSMTP], [http://spamassassin.apache.org SpamAssassin], [http://www.worlddesign.com/Content/rd/mta/spampd/spampd.html SpamPD], [http://dkimproxy.sourceforge.net DKIMproxy], [http://www.dovecot.org Dovecot], [http://pigeonhole.dovecot.org Dovecot-Pigeonhole] и [https://roundcube.net Roundcube].<br />
<br />
== Окончательный результат ==<br />
=== Обработка входящих сообщений ===<br />
pf -> spamd -> opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> spampd -> SpamAssassin -> spampd -> opensmtpd -> deliver to dovecot/lmtp<br />
<br />
=== Обработка исходящих сообщений ===<br />
opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> dkimproxy -> opensmtpd -> relay out<br />
<br />
=== Дополнительно ===<br />
Доступ посредством IMAP (SSL): Dovecot<br />
<br />
Доступ к почте через веб-интерфейса (SSL): httpd и Roundcube<br />
<br />
== Почему OpenBSD? ==<br />
Это прекрасная операционная система, созданная и поддерживаемая многими умными людьми. Кроме того, мне нравится, что большое количество великолепного программного обеспечения включено в базовую систему. Если вы найдёте это руководство полезным или откроете как восхитительна OpenBSD, пожалуйста подумайте над тем, чтобы поддержать проект - это может быть приобретение набора компакт дисков <ref>С релиза 6.1, OpenBSD [http://undeadly.org/cgi?action=article&sid=20160901090415 не будет распространяться на CD], но вы по прежнему можете [https://www.openbsdstore.com/cgi-bin/live/ecommerce.pl?site=shop_openbsdeurope_com&state=department приобрести] различные предметы с символикой OpenBSD. прим. переводчика</ref> или сделав [http://www.openbsd.org/donations.html пожертвование]. Команда разработчиков OpenBSD отлично выполняет свою работу, которая приносит пользу всему сообществу и ваша поддержка не будет лишней!<br />
<br />
== Зачем SpamAssassin в дополнение к spamd? ==<br />
<br />
Spamd отлично работает, не создавая лишней нагрузки. Он отлавливает большую часть моего спама (более 95%), так что я почти решил отказаться от возни со SpamAssassin. Но подумав, решил что будет интересно попробовать интегрировать их оба.<br />
<br />
== Почему не <вставьте имя любимой операционной системы или программы>? ==<br />
<br />
Никогда не слышал об этом. ;-)<br />
<br />
== Why bother with setting up your own email server to begin with? Why not just keep using Gmail? ==<br />
<br />
I used to run my own email server back when I hosted the Linux Reality podcast and decided it would be a fun exercise to try it again. The email server I set up using the steps in this guide might become my primary email server. Or, I might take the server down tomorrow and go back to using AOL and working on my Geocities page. Who knows?<br />
<br />
== Assumptions: ==<br />
<br />
This guide assumes an understanding of how to install and configure OpenBSD and an understanding of networking and email, both in general and in regards to OpenBSD in particular. Additionally, this guide assumes an understanding of how to install packages with a properly configured $PKG_PATH, how to work from the command line and edit configuration files, how to change DNS records and MX records, and other general nuts and bolts. These kinds of basic topics will not be covered in this guide.<br />
<br />
== Disclaimer: ==<br />
<br />
I am an ordinary OpenBSD user. I am not a sysadmin, developer, programmer, kung-fu master, or expert in any of these areas. This guide is mainly a writeup for myself so I can replicate these steps in the future. If someone finds it helpful, fine, but it is by no means the only way or even the best way to configure an email server. There are most likely mistakes in this guide, so take it for what it's worth and YMMV. If your email breaks because of this guide, then don't run your own email server. Feedback and corrections are welcome.<br />
<br />
== Updates: ==<br />
<br />
Updated the last line of example smtpd.conf from "for any" to "for domain <vdomains>". Thanks to Christoph on the opensmtpd-misc mailing list.<br />
Removed bit about enabling pf since it's enabled by default. Duh. Also changed notations of port 587 to 'submission' which is the name of that port in /etc/services. Thanks to rjc.<br />
<br />
== Resources: ==<br />
* OpenBSD FAQ (required)<br />
* OpenBSD man pages (required)<br />
* OpenSMTPD wiki<br />
* Helpful thread on OpenSMTPD mailing list re: tagging and proxying<br />
* http://www.kernel-panic.it/openbsd/mail/ (the bits about ClamAV and SpamAssassing are helpful)<br />
* https://coderwall.com/p/eejzja/simple-smtp-server-with-opensmtpd<br />
* http://blog.ehouse.io/mail-server-basic-smtp.html<br />
* http://blog.admiral0.it/computing/mail-server-with-opensmtpd-dovecot-and-amavisdspamassassin<br />
<br /></div>Sshhttp://www.qbsd.ru/index.php?title=%D0%9F%D0%BE%D1%87%D1%82%D0%BE%D0%B2%D1%8B%D0%B9_%D1%81%D0%B5%D1%80%D0%B2%D0%B5%D1%80_%D0%BD%D0%B0_%D0%B1%D0%B0%D0%B7%D0%B5_OpenBSD_6.0&diff=456Почтовый сервер на базе OpenBSD 6.02016-09-08T13:48:24Z<p>Ssh: /* Why SpamAssassin in addition to spamd? */</p>
<hr />
<div>= Вступление =<br />
Перевод [http://technoquarter.blogspot.ru/2015/02/openbsd-mail-server.html статьи] Chess Griffin с небольшим количеством комментариев от переводчика, в основном связанных с тем, что с момента релиза [http://www.openbsd.org/56.html OpenBSD 5.6], система стала еще [http://www.openbsd.org/60.html лучше!]<br />
<br />
== Цель ==<br />
Создать достаточно безопасный почтовый сервер на базе OpenBSD и нескольких пакетов. OpenSMTPD, spamd, pf и httpd входят в состав базовой системы. Дополнительно потребуются [https://www.clamav.net ClamAV], [http://thewalter.net/stef/software/clamsmtp ClamSMTP], [http://spamassassin.apache.org SpamAssassin], [http://www.worlddesign.com/Content/rd/mta/spampd/spampd.html SpamPD], [http://dkimproxy.sourceforge.net DKIMproxy], [http://www.dovecot.org Dovecot], [http://pigeonhole.dovecot.org Dovecot-Pigeonhole] и [https://roundcube.net Roundcube].<br />
<br />
== Окончательный результат ==<br />
=== Обработка входящих сообщений ===<br />
pf -> spamd -> opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> spampd -> SpamAssassin -> spampd -> opensmtpd -> deliver to dovecot/lmtp<br />
<br />
=== Обработка исходящих сообщений ===<br />
opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> dkimproxy -> opensmtpd -> relay out<br />
<br />
=== Дополнительно ===<br />
Доступ посредством IMAP (SSL): Dovecot<br />
<br />
Доступ к почте через веб-интерфейса (SSL): httpd и Roundcube<br />
<br />
== Почему OpenBSD? ==<br />
Это прекрасная операционная система, созданная и поддерживаемая многими умными людьми. Кроме того, мне нравится, что большое количество великолепного программного обеспечения включено в базовую систему. Если вы найдёте это руководство полезным или откроете как восхитительна OpenBSD, пожалуйста подумайте над тем, чтобы поддержать проект - это может быть приобретение набора компакт дисков <ref>С релиза 6.1, OpenBSD [http://undeadly.org/cgi?action=article&sid=20160901090415 не будет распространяться на CD], но вы по прежнему можете [https://www.openbsdstore.com/cgi-bin/live/ecommerce.pl?site=shop_openbsdeurope_com&state=department приобрести] различные предметы с символикой OpenBSD. прим. переводчика</ref> или сделав [http://www.openbsd.org/donations.html пожертвование]. Команда разработчиков OpenBSD отлично выполняет свою работу, которая приносит пользу всему сообществу и ваша поддержка не будет лишней!<br />
<br />
== Зачем SpamAssassin в дополнение к spamd? ==<br />
<br />
Spamd отлично работает, не создавая лишней нагрузки. Он отлавливает большую часть моего спама (более 95%), так что я почти решил отказаться от возни со SpamAssassin. Но подумав, решил что будет интересно попробовать интегрировать их оба.<br />
<br />
== Why not <insert name of favorite operating system/software/tool>? ==<br />
<br />
Never heard of it. ;-)<br />
<br />
== Why bother with setting up your own email server to begin with? Why not just keep using Gmail? ==<br />
<br />
I used to run my own email server back when I hosted the Linux Reality podcast and decided it would be a fun exercise to try it again. The email server I set up using the steps in this guide might become my primary email server. Or, I might take the server down tomorrow and go back to using AOL and working on my Geocities page. Who knows?<br />
<br />
== Assumptions: ==<br />
<br />
This guide assumes an understanding of how to install and configure OpenBSD and an understanding of networking and email, both in general and in regards to OpenBSD in particular. Additionally, this guide assumes an understanding of how to install packages with a properly configured $PKG_PATH, how to work from the command line and edit configuration files, how to change DNS records and MX records, and other general nuts and bolts. These kinds of basic topics will not be covered in this guide.<br />
<br />
== Disclaimer: ==<br />
<br />
I am an ordinary OpenBSD user. I am not a sysadmin, developer, programmer, kung-fu master, or expert in any of these areas. This guide is mainly a writeup for myself so I can replicate these steps in the future. If someone finds it helpful, fine, but it is by no means the only way or even the best way to configure an email server. There are most likely mistakes in this guide, so take it for what it's worth and YMMV. If your email breaks because of this guide, then don't run your own email server. Feedback and corrections are welcome.<br />
<br />
== Updates: ==<br />
<br />
Updated the last line of example smtpd.conf from "for any" to "for domain <vdomains>". Thanks to Christoph on the opensmtpd-misc mailing list.<br />
Removed bit about enabling pf since it's enabled by default. Duh. Also changed notations of port 587 to 'submission' which is the name of that port in /etc/services. Thanks to rjc.<br />
<br />
== Resources: ==<br />
* OpenBSD FAQ (required)<br />
* OpenBSD man pages (required)<br />
* OpenSMTPD wiki<br />
* Helpful thread on OpenSMTPD mailing list re: tagging and proxying<br />
* http://www.kernel-panic.it/openbsd/mail/ (the bits about ClamAV and SpamAssassing are helpful)<br />
* https://coderwall.com/p/eejzja/simple-smtp-server-with-opensmtpd<br />
* http://blog.ehouse.io/mail-server-basic-smtp.html<br />
* http://blog.admiral0.it/computing/mail-server-with-opensmtpd-dovecot-and-amavisdspamassassin<br />
<br /></div>Sshhttp://www.qbsd.ru/index.php?title=%D0%9F%D0%BE%D1%87%D1%82%D0%BE%D0%B2%D1%8B%D0%B9_%D1%81%D0%B5%D1%80%D0%B2%D0%B5%D1%80_%D0%BD%D0%B0_%D0%B1%D0%B0%D0%B7%D0%B5_OpenBSD_6.0&diff=455Почтовый сервер на базе OpenBSD 6.02016-09-08T13:12:31Z<p>Ssh: /* Почему OpenBSD? */</p>
<hr />
<div>= Вступление =<br />
Перевод [http://technoquarter.blogspot.ru/2015/02/openbsd-mail-server.html статьи] Chess Griffin с небольшим количеством комментариев от переводчика, в основном связанных с тем, что с момента релиза [http://www.openbsd.org/56.html OpenBSD 5.6], система стала еще [http://www.openbsd.org/60.html лучше!]<br />
<br />
== Цель ==<br />
Создать достаточно безопасный почтовый сервер на базе OpenBSD и нескольких пакетов. OpenSMTPD, spamd, pf и httpd входят в состав базовой системы. Дополнительно потребуются [https://www.clamav.net ClamAV], [http://thewalter.net/stef/software/clamsmtp ClamSMTP], [http://spamassassin.apache.org SpamAssassin], [http://www.worlddesign.com/Content/rd/mta/spampd/spampd.html SpamPD], [http://dkimproxy.sourceforge.net DKIMproxy], [http://www.dovecot.org Dovecot], [http://pigeonhole.dovecot.org Dovecot-Pigeonhole] и [https://roundcube.net Roundcube].<br />
<br />
== Окончательный результат ==<br />
=== Обработка входящих сообщений ===<br />
pf -> spamd -> opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> spampd -> SpamAssassin -> spampd -> opensmtpd -> deliver to dovecot/lmtp<br />
<br />
=== Обработка исходящих сообщений ===<br />
opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> dkimproxy -> opensmtpd -> relay out<br />
<br />
=== Дополнительно ===<br />
Доступ посредством IMAP (SSL): Dovecot<br />
<br />
Доступ к почте через веб-интерфейса (SSL): httpd и Roundcube<br />
<br />
== Почему OpenBSD? ==<br />
Это прекрасная операционная система, созданная и поддерживаемая многими умными людьми. Кроме того, мне нравится, что большое количество великолепного программного обеспечения включено в базовую систему. Если вы найдёте это руководство полезным или откроете как восхитительна OpenBSD, пожалуйста подумайте над тем, чтобы поддержать проект - это может быть приобретение набора компакт дисков <ref>С релиза 6.1, OpenBSD [http://undeadly.org/cgi?action=article&sid=20160901090415 не будет распространяться на CD], но вы по прежнему можете [https://www.openbsdstore.com/cgi-bin/live/ecommerce.pl?site=shop_openbsdeurope_com&state=department приобрести] различные предметы с символикой OpenBSD. прим. переводчика</ref> или сделав [http://www.openbsd.org/donations.html пожертвование]. Команда разработчиков OpenBSD отлично выполняет свою работу, которая приносит пользу всему сообществу и ваша поддержка не будет лишней!<br />
<br />
== Why SpamAssassin in addition to spamd? ==<br />
<br />
Spamd works wonderfully well and it has a very light footprint. It trapped the bulk of my spam (more than 95%) so I almost just let it go instead of bothering with SpamAssassin. But I thought it would be interesting to try and integrate the two.<br />
<br />
== Why not <insert name of favorite operating system/software/tool>? ==<br />
<br />
Never heard of it. ;-)<br />
<br />
== Why bother with setting up your own email server to begin with? Why not just keep using Gmail? ==<br />
<br />
I used to run my own email server back when I hosted the Linux Reality podcast and decided it would be a fun exercise to try it again. The email server I set up using the steps in this guide might become my primary email server. Or, I might take the server down tomorrow and go back to using AOL and working on my Geocities page. Who knows?<br />
<br />
== Assumptions: ==<br />
<br />
This guide assumes an understanding of how to install and configure OpenBSD and an understanding of networking and email, both in general and in regards to OpenBSD in particular. Additionally, this guide assumes an understanding of how to install packages with a properly configured $PKG_PATH, how to work from the command line and edit configuration files, how to change DNS records and MX records, and other general nuts and bolts. These kinds of basic topics will not be covered in this guide.<br />
<br />
== Disclaimer: ==<br />
<br />
I am an ordinary OpenBSD user. I am not a sysadmin, developer, programmer, kung-fu master, or expert in any of these areas. This guide is mainly a writeup for myself so I can replicate these steps in the future. If someone finds it helpful, fine, but it is by no means the only way or even the best way to configure an email server. There are most likely mistakes in this guide, so take it for what it's worth and YMMV. If your email breaks because of this guide, then don't run your own email server. Feedback and corrections are welcome.<br />
<br />
== Updates: ==<br />
<br />
Updated the last line of example smtpd.conf from "for any" to "for domain <vdomains>". Thanks to Christoph on the opensmtpd-misc mailing list.<br />
Removed bit about enabling pf since it's enabled by default. Duh. Also changed notations of port 587 to 'submission' which is the name of that port in /etc/services. Thanks to rjc.<br />
<br />
== Resources: ==<br />
* OpenBSD FAQ (required)<br />
* OpenBSD man pages (required)<br />
* OpenSMTPD wiki<br />
* Helpful thread on OpenSMTPD mailing list re: tagging and proxying<br />
* http://www.kernel-panic.it/openbsd/mail/ (the bits about ClamAV and SpamAssassing are helpful)<br />
* https://coderwall.com/p/eejzja/simple-smtp-server-with-opensmtpd<br />
* http://blog.ehouse.io/mail-server-basic-smtp.html<br />
* http://blog.admiral0.it/computing/mail-server-with-opensmtpd-dovecot-and-amavisdspamassassin<br />
<br /></div>Sshhttp://www.qbsd.ru/index.php?title=%D0%9F%D0%BE%D1%87%D1%82%D0%BE%D0%B2%D1%8B%D0%B9_%D1%81%D0%B5%D1%80%D0%B2%D0%B5%D1%80_%D0%BD%D0%B0_%D0%B1%D0%B0%D0%B7%D0%B5_OpenBSD_6.0&diff=454Почтовый сервер на базе OpenBSD 6.02016-09-08T13:11:52Z<p>Ssh: /* Resources: */</p>
<hr />
<div>= Вступление =<br />
Перевод [http://technoquarter.blogspot.ru/2015/02/openbsd-mail-server.html статьи] Chess Griffin с небольшим количеством комментариев от переводчика, в основном связанных с тем, что с момента релиза [http://www.openbsd.org/56.html OpenBSD 5.6], система стала еще [http://www.openbsd.org/60.html лучше!]<br />
<br />
== Цель ==<br />
Создать достаточно безопасный почтовый сервер на базе OpenBSD и нескольких пакетов. OpenSMTPD, spamd, pf и httpd входят в состав базовой системы. Дополнительно потребуются [https://www.clamav.net ClamAV], [http://thewalter.net/stef/software/clamsmtp ClamSMTP], [http://spamassassin.apache.org SpamAssassin], [http://www.worlddesign.com/Content/rd/mta/spampd/spampd.html SpamPD], [http://dkimproxy.sourceforge.net DKIMproxy], [http://www.dovecot.org Dovecot], [http://pigeonhole.dovecot.org Dovecot-Pigeonhole] и [https://roundcube.net Roundcube].<br />
<br />
== Окончательный результат ==<br />
=== Обработка входящих сообщений ===<br />
pf -> spamd -> opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> spampd -> SpamAssassin -> spampd -> opensmtpd -> deliver to dovecot/lmtp<br />
<br />
=== Обработка исходящих сообщений ===<br />
opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> dkimproxy -> opensmtpd -> relay out<br />
<br />
=== Дополнительно ===<br />
Доступ посредством IMAP (SSL): Dovecot<br />
<br />
Доступ к почте через веб-интерфейса (SSL): httpd и Roundcube<br />
<br />
== Почему OpenBSD? ==<br />
OpenBSD - прекрасная операционная система, созданная и поддерживаемая многими умными людьми. Кроме того, мне нравится, что большое количество великолепного программного обеспечения включено в базовую систему. Если вы найдёте это руководство полезным или откроете как восхитительна OpenBSD, пожалуйста подумайте над тем, чтобы поддержать проект - это может быть приобретение набора компакт дисков <ref>С релиза 6.1, OpenBSD [http://undeadly.org/cgi?action=article&sid=20160901090415 не будет распространяться на CD], но вы по прежнему можете [https://www.openbsdstore.com/cgi-bin/live/ecommerce.pl?site=shop_openbsdeurope_com&state=department приобрести] различные предметы с символикой OpenBSD. прим. переводчика</ref> или сделав [http://www.openbsd.org/donations.html пожертвование]. Команда разработчиков OpenBSD отлично выполняет свою работу, которая приносит пользу всему сообществу и ваша поддержка не будет лишней!<br />
<br />
== Why SpamAssassin in addition to spamd? ==<br />
<br />
Spamd works wonderfully well and it has a very light footprint. It trapped the bulk of my spam (more than 95%) so I almost just let it go instead of bothering with SpamAssassin. But I thought it would be interesting to try and integrate the two.<br />
<br />
== Why not <insert name of favorite operating system/software/tool>? ==<br />
<br />
Never heard of it. ;-)<br />
<br />
== Why bother with setting up your own email server to begin with? Why not just keep using Gmail? ==<br />
<br />
I used to run my own email server back when I hosted the Linux Reality podcast and decided it would be a fun exercise to try it again. The email server I set up using the steps in this guide might become my primary email server. Or, I might take the server down tomorrow and go back to using AOL and working on my Geocities page. Who knows?<br />
<br />
== Assumptions: ==<br />
<br />
This guide assumes an understanding of how to install and configure OpenBSD and an understanding of networking and email, both in general and in regards to OpenBSD in particular. Additionally, this guide assumes an understanding of how to install packages with a properly configured $PKG_PATH, how to work from the command line and edit configuration files, how to change DNS records and MX records, and other general nuts and bolts. These kinds of basic topics will not be covered in this guide.<br />
<br />
== Disclaimer: ==<br />
<br />
I am an ordinary OpenBSD user. I am not a sysadmin, developer, programmer, kung-fu master, or expert in any of these areas. This guide is mainly a writeup for myself so I can replicate these steps in the future. If someone finds it helpful, fine, but it is by no means the only way or even the best way to configure an email server. There are most likely mistakes in this guide, so take it for what it's worth and YMMV. If your email breaks because of this guide, then don't run your own email server. Feedback and corrections are welcome.<br />
<br />
== Updates: ==<br />
<br />
Updated the last line of example smtpd.conf from "for any" to "for domain <vdomains>". Thanks to Christoph on the opensmtpd-misc mailing list.<br />
Removed bit about enabling pf since it's enabled by default. Duh. Also changed notations of port 587 to 'submission' which is the name of that port in /etc/services. Thanks to rjc.<br />
<br />
== Resources: ==<br />
* OpenBSD FAQ (required)<br />
* OpenBSD man pages (required)<br />
* OpenSMTPD wiki<br />
* Helpful thread on OpenSMTPD mailing list re: tagging and proxying<br />
* http://www.kernel-panic.it/openbsd/mail/ (the bits about ClamAV and SpamAssassing are helpful)<br />
* https://coderwall.com/p/eejzja/simple-smtp-server-with-opensmtpd<br />
* http://blog.ehouse.io/mail-server-basic-smtp.html<br />
* http://blog.admiral0.it/computing/mail-server-with-opensmtpd-dovecot-and-amavisdspamassassin<br />
<br /></div>Sshhttp://www.qbsd.ru/index.php?title=%D0%9F%D0%BE%D1%87%D1%82%D0%BE%D0%B2%D1%8B%D0%B9_%D1%81%D0%B5%D1%80%D0%B2%D0%B5%D1%80_%D0%BD%D0%B0_%D0%B1%D0%B0%D0%B7%D0%B5_OpenBSD_6.0&diff=453Почтовый сервер на базе OpenBSD 6.02016-09-08T13:11:33Z<p>Ssh: /* Resources: */</p>
<hr />
<div>= Вступление =<br />
Перевод [http://technoquarter.blogspot.ru/2015/02/openbsd-mail-server.html статьи] Chess Griffin с небольшим количеством комментариев от переводчика, в основном связанных с тем, что с момента релиза [http://www.openbsd.org/56.html OpenBSD 5.6], система стала еще [http://www.openbsd.org/60.html лучше!]<br />
<br />
== Цель ==<br />
Создать достаточно безопасный почтовый сервер на базе OpenBSD и нескольких пакетов. OpenSMTPD, spamd, pf и httpd входят в состав базовой системы. Дополнительно потребуются [https://www.clamav.net ClamAV], [http://thewalter.net/stef/software/clamsmtp ClamSMTP], [http://spamassassin.apache.org SpamAssassin], [http://www.worlddesign.com/Content/rd/mta/spampd/spampd.html SpamPD], [http://dkimproxy.sourceforge.net DKIMproxy], [http://www.dovecot.org Dovecot], [http://pigeonhole.dovecot.org Dovecot-Pigeonhole] и [https://roundcube.net Roundcube].<br />
<br />
== Окончательный результат ==<br />
=== Обработка входящих сообщений ===<br />
pf -> spamd -> opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> spampd -> SpamAssassin -> spampd -> opensmtpd -> deliver to dovecot/lmtp<br />
<br />
=== Обработка исходящих сообщений ===<br />
opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> dkimproxy -> opensmtpd -> relay out<br />
<br />
=== Дополнительно ===<br />
Доступ посредством IMAP (SSL): Dovecot<br />
<br />
Доступ к почте через веб-интерфейса (SSL): httpd и Roundcube<br />
<br />
== Почему OpenBSD? ==<br />
OpenBSD - прекрасная операционная система, созданная и поддерживаемая многими умными людьми. Кроме того, мне нравится, что большое количество великолепного программного обеспечения включено в базовую систему. Если вы найдёте это руководство полезным или откроете как восхитительна OpenBSD, пожалуйста подумайте над тем, чтобы поддержать проект - это может быть приобретение набора компакт дисков <ref>С релиза 6.1, OpenBSD [http://undeadly.org/cgi?action=article&sid=20160901090415 не будет распространяться на CD], но вы по прежнему можете [https://www.openbsdstore.com/cgi-bin/live/ecommerce.pl?site=shop_openbsdeurope_com&state=department приобрести] различные предметы с символикой OpenBSD. прим. переводчика</ref> или сделав [http://www.openbsd.org/donations.html пожертвование]. Команда разработчиков OpenBSD отлично выполняет свою работу, которая приносит пользу всему сообществу и ваша поддержка не будет лишней!<br />
<br />
== Why SpamAssassin in addition to spamd? ==<br />
<br />
Spamd works wonderfully well and it has a very light footprint. It trapped the bulk of my spam (more than 95%) so I almost just let it go instead of bothering with SpamAssassin. But I thought it would be interesting to try and integrate the two.<br />
<br />
== Why not <insert name of favorite operating system/software/tool>? ==<br />
<br />
Never heard of it. ;-)<br />
<br />
== Why bother with setting up your own email server to begin with? Why not just keep using Gmail? ==<br />
<br />
I used to run my own email server back when I hosted the Linux Reality podcast and decided it would be a fun exercise to try it again. The email server I set up using the steps in this guide might become my primary email server. Or, I might take the server down tomorrow and go back to using AOL and working on my Geocities page. Who knows?<br />
<br />
== Assumptions: ==<br />
<br />
This guide assumes an understanding of how to install and configure OpenBSD and an understanding of networking and email, both in general and in regards to OpenBSD in particular. Additionally, this guide assumes an understanding of how to install packages with a properly configured $PKG_PATH, how to work from the command line and edit configuration files, how to change DNS records and MX records, and other general nuts and bolts. These kinds of basic topics will not be covered in this guide.<br />
<br />
== Disclaimer: ==<br />
<br />
I am an ordinary OpenBSD user. I am not a sysadmin, developer, programmer, kung-fu master, or expert in any of these areas. This guide is mainly a writeup for myself so I can replicate these steps in the future. If someone finds it helpful, fine, but it is by no means the only way or even the best way to configure an email server. There are most likely mistakes in this guide, so take it for what it's worth and YMMV. If your email breaks because of this guide, then don't run your own email server. Feedback and corrections are welcome.<br />
<br />
== Updates: ==<br />
<br />
Updated the last line of example smtpd.conf from "for any" to "for domain <vdomains>". Thanks to Christoph on the opensmtpd-misc mailing list.<br />
Removed bit about enabling pf since it's enabled by default. Duh. Also changed notations of port 587 to 'submission' which is the name of that port in /etc/services. Thanks to rjc.<br />
<br />
== Resources: ==<br />
* OpenBSD FAQ (required)<br />
* OpenBSD man pages (required)<br />
* OpenSMTPD wiki<br />
* Helpful thread on OpenSMTPD mailing list re: tagging and proxying<br />
* http://www.kernel-panic.it/openbsd/mail/ (the bits about ClamAV and SpamAssassing are helpful)<br />
* https://coderwall.com/p/eejzja/simple-smtp-server-with-opensmtpd<br />
* http://blog.ehouse.io/mail-server-basic-smtp.html<br />
* http://blog.admiral0.it/computing/mail-server-with-opensmtpd-dovecot-and-amavisdspamassassin<br />
<br /><br /></div>Sshhttp://www.qbsd.ru/index.php?title=%D0%9F%D0%BE%D1%87%D1%82%D0%BE%D0%B2%D1%8B%D0%B9_%D1%81%D0%B5%D1%80%D0%B2%D0%B5%D1%80_%D0%BD%D0%B0_%D0%B1%D0%B0%D0%B7%D0%B5_OpenBSD_6.0&diff=452Почтовый сервер на базе OpenBSD 6.02016-09-08T13:11:09Z<p>Ssh: /* Resources: */</p>
<hr />
<div>= Вступление =<br />
Перевод [http://technoquarter.blogspot.ru/2015/02/openbsd-mail-server.html статьи] Chess Griffin с небольшим количеством комментариев от переводчика, в основном связанных с тем, что с момента релиза [http://www.openbsd.org/56.html OpenBSD 5.6], система стала еще [http://www.openbsd.org/60.html лучше!]<br />
<br />
== Цель ==<br />
Создать достаточно безопасный почтовый сервер на базе OpenBSD и нескольких пакетов. OpenSMTPD, spamd, pf и httpd входят в состав базовой системы. Дополнительно потребуются [https://www.clamav.net ClamAV], [http://thewalter.net/stef/software/clamsmtp ClamSMTP], [http://spamassassin.apache.org SpamAssassin], [http://www.worlddesign.com/Content/rd/mta/spampd/spampd.html SpamPD], [http://dkimproxy.sourceforge.net DKIMproxy], [http://www.dovecot.org Dovecot], [http://pigeonhole.dovecot.org Dovecot-Pigeonhole] и [https://roundcube.net Roundcube].<br />
<br />
== Окончательный результат ==<br />
=== Обработка входящих сообщений ===<br />
pf -> spamd -> opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> spampd -> SpamAssassin -> spampd -> opensmtpd -> deliver to dovecot/lmtp<br />
<br />
=== Обработка исходящих сообщений ===<br />
opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> dkimproxy -> opensmtpd -> relay out<br />
<br />
=== Дополнительно ===<br />
Доступ посредством IMAP (SSL): Dovecot<br />
<br />
Доступ к почте через веб-интерфейса (SSL): httpd и Roundcube<br />
<br />
== Почему OpenBSD? ==<br />
OpenBSD - прекрасная операционная система, созданная и поддерживаемая многими умными людьми. Кроме того, мне нравится, что большое количество великолепного программного обеспечения включено в базовую систему. Если вы найдёте это руководство полезным или откроете как восхитительна OpenBSD, пожалуйста подумайте над тем, чтобы поддержать проект - это может быть приобретение набора компакт дисков <ref>С релиза 6.1, OpenBSD [http://undeadly.org/cgi?action=article&sid=20160901090415 не будет распространяться на CD], но вы по прежнему можете [https://www.openbsdstore.com/cgi-bin/live/ecommerce.pl?site=shop_openbsdeurope_com&state=department приобрести] различные предметы с символикой OpenBSD. прим. переводчика</ref> или сделав [http://www.openbsd.org/donations.html пожертвование]. Команда разработчиков OpenBSD отлично выполняет свою работу, которая приносит пользу всему сообществу и ваша поддержка не будет лишней!<br />
<br />
== Why SpamAssassin in addition to spamd? ==<br />
<br />
Spamd works wonderfully well and it has a very light footprint. It trapped the bulk of my spam (more than 95%) so I almost just let it go instead of bothering with SpamAssassin. But I thought it would be interesting to try and integrate the two.<br />
<br />
== Why not <insert name of favorite operating system/software/tool>? ==<br />
<br />
Never heard of it. ;-)<br />
<br />
== Why bother with setting up your own email server to begin with? Why not just keep using Gmail? ==<br />
<br />
I used to run my own email server back when I hosted the Linux Reality podcast and decided it would be a fun exercise to try it again. The email server I set up using the steps in this guide might become my primary email server. Or, I might take the server down tomorrow and go back to using AOL and working on my Geocities page. Who knows?<br />
<br />
== Assumptions: ==<br />
<br />
This guide assumes an understanding of how to install and configure OpenBSD and an understanding of networking and email, both in general and in regards to OpenBSD in particular. Additionally, this guide assumes an understanding of how to install packages with a properly configured $PKG_PATH, how to work from the command line and edit configuration files, how to change DNS records and MX records, and other general nuts and bolts. These kinds of basic topics will not be covered in this guide.<br />
<br />
== Disclaimer: ==<br />
<br />
I am an ordinary OpenBSD user. I am not a sysadmin, developer, programmer, kung-fu master, or expert in any of these areas. This guide is mainly a writeup for myself so I can replicate these steps in the future. If someone finds it helpful, fine, but it is by no means the only way or even the best way to configure an email server. There are most likely mistakes in this guide, so take it for what it's worth and YMMV. If your email breaks because of this guide, then don't run your own email server. Feedback and corrections are welcome.<br />
<br />
== Updates: ==<br />
<br />
Updated the last line of example smtpd.conf from "for any" to "for domain <vdomains>". Thanks to Christoph on the opensmtpd-misc mailing list.<br />
Removed bit about enabling pf since it's enabled by default. Duh. Also changed notations of port 587 to 'submission' which is the name of that port in /etc/services. Thanks to rjc.<br />
<br />
== Resources: ==<br />
* OpenBSD FAQ (required)<br />
* OpenBSD man pages (required)<br />
* OpenSMTPD wiki<br />
* Helpful thread on OpenSMTPD mailing list re: tagging and proxying<br />
* http://www.kernel-panic.it/openbsd/mail/ (the bits about ClamAV and SpamAssassing are helpful)<br />
* https://coderwall.com/p/eejzja/simple-smtp-server-with-opensmtpd<br />
* http://blog.ehouse.io/mail-server-basic-smtp.html<br />
* http://blog.admiral0.it/computing/mail-server-with-opensmtpd-dovecot-and-amavisdspamassassin</div>Sshhttp://www.qbsd.ru/index.php?title=%D0%9F%D0%BE%D1%87%D1%82%D0%BE%D0%B2%D1%8B%D0%B9_%D1%81%D0%B5%D1%80%D0%B2%D0%B5%D1%80_%D0%BD%D0%B0_%D0%B1%D0%B0%D0%B7%D0%B5_OpenBSD_6.0&diff=451Почтовый сервер на базе OpenBSD 6.02016-09-08T13:08:50Z<p>Ssh: /* Почему OpenBSD? */</p>
<hr />
<div>= Вступление =<br />
Перевод [http://technoquarter.blogspot.ru/2015/02/openbsd-mail-server.html статьи] Chess Griffin с небольшим количеством комментариев от переводчика, в основном связанных с тем, что с момента релиза [http://www.openbsd.org/56.html OpenBSD 5.6], система стала еще [http://www.openbsd.org/60.html лучше!]<br />
<br />
== Цель ==<br />
Создать достаточно безопасный почтовый сервер на базе OpenBSD и нескольких пакетов. OpenSMTPD, spamd, pf и httpd входят в состав базовой системы. Дополнительно потребуются [https://www.clamav.net ClamAV], [http://thewalter.net/stef/software/clamsmtp ClamSMTP], [http://spamassassin.apache.org SpamAssassin], [http://www.worlddesign.com/Content/rd/mta/spampd/spampd.html SpamPD], [http://dkimproxy.sourceforge.net DKIMproxy], [http://www.dovecot.org Dovecot], [http://pigeonhole.dovecot.org Dovecot-Pigeonhole] и [https://roundcube.net Roundcube].<br />
<br />
== Окончательный результат ==<br />
=== Обработка входящих сообщений ===<br />
pf -> spamd -> opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> spampd -> SpamAssassin -> spampd -> opensmtpd -> deliver to dovecot/lmtp<br />
<br />
=== Обработка исходящих сообщений ===<br />
opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> dkimproxy -> opensmtpd -> relay out<br />
<br />
=== Дополнительно ===<br />
Доступ посредством IMAP (SSL): Dovecot<br />
<br />
Доступ к почте через веб-интерфейса (SSL): httpd и Roundcube<br />
<br />
== Почему OpenBSD? ==<br />
OpenBSD - прекрасная операционная система, созданная и поддерживаемая многими умными людьми. Кроме того, мне нравится, что большое количество великолепного программного обеспечения включено в базовую систему. Если вы найдёте это руководство полезным или откроете как восхитительна OpenBSD, пожалуйста подумайте над тем, чтобы поддержать проект - это может быть приобретение набора компакт дисков <ref>С релиза 6.1, OpenBSD [http://undeadly.org/cgi?action=article&sid=20160901090415 не будет распространяться на CD], но вы по прежнему можете [https://www.openbsdstore.com/cgi-bin/live/ecommerce.pl?site=shop_openbsdeurope_com&state=department приобрести] различные предметы с символикой OpenBSD. прим. переводчика</ref> или сделав [http://www.openbsd.org/donations.html пожертвование]. Команда разработчиков OpenBSD отлично выполняет свою работу, которая приносит пользу всему сообществу и ваша поддержка не будет лишней!<br />
<br />
== Why SpamAssassin in addition to spamd? ==<br />
<br />
Spamd works wonderfully well and it has a very light footprint. It trapped the bulk of my spam (more than 95%) so I almost just let it go instead of bothering with SpamAssassin. But I thought it would be interesting to try and integrate the two.<br />
<br />
== Why not <insert name of favorite operating system/software/tool>? ==<br />
<br />
Never heard of it. ;-)<br />
<br />
== Why bother with setting up your own email server to begin with? Why not just keep using Gmail? ==<br />
<br />
I used to run my own email server back when I hosted the Linux Reality podcast and decided it would be a fun exercise to try it again. The email server I set up using the steps in this guide might become my primary email server. Or, I might take the server down tomorrow and go back to using AOL and working on my Geocities page. Who knows?<br />
<br />
== Assumptions: ==<br />
<br />
This guide assumes an understanding of how to install and configure OpenBSD and an understanding of networking and email, both in general and in regards to OpenBSD in particular. Additionally, this guide assumes an understanding of how to install packages with a properly configured $PKG_PATH, how to work from the command line and edit configuration files, how to change DNS records and MX records, and other general nuts and bolts. These kinds of basic topics will not be covered in this guide.<br />
<br />
== Disclaimer: ==<br />
<br />
I am an ordinary OpenBSD user. I am not a sysadmin, developer, programmer, kung-fu master, or expert in any of these areas. This guide is mainly a writeup for myself so I can replicate these steps in the future. If someone finds it helpful, fine, but it is by no means the only way or even the best way to configure an email server. There are most likely mistakes in this guide, so take it for what it's worth and YMMV. If your email breaks because of this guide, then don't run your own email server. Feedback and corrections are welcome.<br />
<br />
== Updates: ==<br />
<br />
Updated the last line of example smtpd.conf from "for any" to "for domain <vdomains>". Thanks to Christoph on the opensmtpd-misc mailing list.<br />
Removed bit about enabling pf since it's enabled by default. Duh. Also changed notations of port 587 to 'submission' which is the name of that port in /etc/services. Thanks to rjc.<br />
<br />
== Resources: ==<br />
<br />
OpenBSD FAQ (required)<br />
OpenBSD man pages (required)<br />
OpenSMTPD wiki<br />
Helpful thread on OpenSMTPD mailing list re: tagging and proxying<br />
http://www.kernel-panic.it/openbsd/mail/ (the bits about ClamAV and SpamAssassing are helpful)<br />
https://coderwall.com/p/eejzja/simple-smtp-server-with-opensmtpd<br />
http://blog.ehouse.io/mail-server-basic-smtp.html<br />
http://blog.admiral0.it/computing/mail-server-with-opensmtpd-dovecot-and-amavisdspamassassin/</div>Sshhttp://www.qbsd.ru/index.php?title=%D0%9F%D0%BE%D1%87%D1%82%D0%BE%D0%B2%D1%8B%D0%B9_%D1%81%D0%B5%D1%80%D0%B2%D0%B5%D1%80_%D0%BD%D0%B0_%D0%B1%D0%B0%D0%B7%D0%B5_OpenBSD_6.0&diff=450Почтовый сервер на базе OpenBSD 6.02016-09-08T13:07:57Z<p>Ssh: /* Why OpenBSD? */</p>
<hr />
<div>= Вступление =<br />
Перевод [http://technoquarter.blogspot.ru/2015/02/openbsd-mail-server.html статьи] Chess Griffin с небольшим количеством комментариев от переводчика, в основном связанных с тем, что с момента релиза [http://www.openbsd.org/56.html OpenBSD 5.6], система стала еще [http://www.openbsd.org/60.html лучше!]<br />
<br />
== Цель ==<br />
Создать достаточно безопасный почтовый сервер на базе OpenBSD и нескольких пакетов. OpenSMTPD, spamd, pf и httpd входят в состав базовой системы. Дополнительно потребуются [https://www.clamav.net ClamAV], [http://thewalter.net/stef/software/clamsmtp ClamSMTP], [http://spamassassin.apache.org SpamAssassin], [http://www.worlddesign.com/Content/rd/mta/spampd/spampd.html SpamPD], [http://dkimproxy.sourceforge.net DKIMproxy], [http://www.dovecot.org Dovecot], [http://pigeonhole.dovecot.org Dovecot-Pigeonhole] и [https://roundcube.net Roundcube].<br />
<br />
== Окончательный результат ==<br />
=== Обработка входящих сообщений ===<br />
pf -> spamd -> opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> spampd -> SpamAssassin -> spampd -> opensmtpd -> deliver to dovecot/lmtp<br />
<br />
=== Обработка исходящих сообщений ===<br />
opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> dkimproxy -> opensmtpd -> relay out<br />
<br />
=== Дополнительно ===<br />
Доступ посредством IMAP (SSL): Dovecot<br />
<br />
Доступ к почте через веб-интерфейса (SSL): httpd и Roundcube<br />
<br />
== Почему OpenBSD? ==<br />
OpenBSD - прекрасная операционная система, созданная и поддерживаемая многими умными людьми. Кроме того, мне нравится, что большое количество великолепного программного обеспечения включено в базовую систему. Если вы найдёте это руководство полезным или откроете как восхитительна OpenBSD, пожалуйста подумайте над тем, чтобы поддержать проект - это может быть приобретение набора компакт дисков <ref>начиная с релиза 6.1, операционная система [http://undeadly.org/cgi?action=article&sid=20160901090415 не будет распространяться на CD], но вы по прежнему можете [https://www.openbsdstore.com/cgi-bin/live/ecommerce.pl?site=shop_openbsdeurope_com&state=department приобрести] различные предметы с символикой OpenBSD. прим. переводчика</ref> или сделав [http://www.openbsd.org/donations.html пожертвование]. Команда разработчиков OpenBSD отлично выполняет свою работу, которая приносит пользу всему сообществу и ваша поддержка не будет лишней!<br />
<br />
== Why SpamAssassin in addition to spamd? ==<br />
<br />
Spamd works wonderfully well and it has a very light footprint. It trapped the bulk of my spam (more than 95%) so I almost just let it go instead of bothering with SpamAssassin. But I thought it would be interesting to try and integrate the two.<br />
<br />
== Why not <insert name of favorite operating system/software/tool>? ==<br />
<br />
Never heard of it. ;-)<br />
<br />
== Why bother with setting up your own email server to begin with? Why not just keep using Gmail? ==<br />
<br />
I used to run my own email server back when I hosted the Linux Reality podcast and decided it would be a fun exercise to try it again. The email server I set up using the steps in this guide might become my primary email server. Or, I might take the server down tomorrow and go back to using AOL and working on my Geocities page. Who knows?<br />
<br />
== Assumptions: ==<br />
<br />
This guide assumes an understanding of how to install and configure OpenBSD and an understanding of networking and email, both in general and in regards to OpenBSD in particular. Additionally, this guide assumes an understanding of how to install packages with a properly configured $PKG_PATH, how to work from the command line and edit configuration files, how to change DNS records and MX records, and other general nuts and bolts. These kinds of basic topics will not be covered in this guide.<br />
<br />
== Disclaimer: ==<br />
<br />
I am an ordinary OpenBSD user. I am not a sysadmin, developer, programmer, kung-fu master, or expert in any of these areas. This guide is mainly a writeup for myself so I can replicate these steps in the future. If someone finds it helpful, fine, but it is by no means the only way or even the best way to configure an email server. There are most likely mistakes in this guide, so take it for what it's worth and YMMV. If your email breaks because of this guide, then don't run your own email server. Feedback and corrections are welcome.<br />
<br />
== Updates: ==<br />
<br />
Updated the last line of example smtpd.conf from "for any" to "for domain <vdomains>". Thanks to Christoph on the opensmtpd-misc mailing list.<br />
Removed bit about enabling pf since it's enabled by default. Duh. Also changed notations of port 587 to 'submission' which is the name of that port in /etc/services. Thanks to rjc.<br />
<br />
== Resources: ==<br />
<br />
OpenBSD FAQ (required)<br />
OpenBSD man pages (required)<br />
OpenSMTPD wiki<br />
Helpful thread on OpenSMTPD mailing list re: tagging and proxying<br />
http://www.kernel-panic.it/openbsd/mail/ (the bits about ClamAV and SpamAssassing are helpful)<br />
https://coderwall.com/p/eejzja/simple-smtp-server-with-opensmtpd<br />
http://blog.ehouse.io/mail-server-basic-smtp.html<br />
http://blog.admiral0.it/computing/mail-server-with-opensmtpd-dovecot-and-amavisdspamassassin/</div>Sshhttp://www.qbsd.ru/index.php?title=%D0%9F%D0%BE%D1%87%D1%82%D0%BE%D0%B2%D1%8B%D0%B9_%D1%81%D0%B5%D1%80%D0%B2%D0%B5%D1%80_%D0%BD%D0%B0_%D0%B1%D0%B0%D0%B7%D0%B5_OpenBSD_6.0&diff=449Почтовый сервер на базе OpenBSD 6.02016-09-08T12:43:15Z<p>Ssh: /* Дополнительно */</p>
<hr />
<div>= Вступление =<br />
Перевод [http://technoquarter.blogspot.ru/2015/02/openbsd-mail-server.html статьи] Chess Griffin с небольшим количеством комментариев от переводчика, в основном связанных с тем, что с момента релиза [http://www.openbsd.org/56.html OpenBSD 5.6], система стала еще [http://www.openbsd.org/60.html лучше!]<br />
<br />
== Цель ==<br />
Создать достаточно безопасный почтовый сервер на базе OpenBSD и нескольких пакетов. OpenSMTPD, spamd, pf и httpd входят в состав базовой системы. Дополнительно потребуются [https://www.clamav.net ClamAV], [http://thewalter.net/stef/software/clamsmtp ClamSMTP], [http://spamassassin.apache.org SpamAssassin], [http://www.worlddesign.com/Content/rd/mta/spampd/spampd.html SpamPD], [http://dkimproxy.sourceforge.net DKIMproxy], [http://www.dovecot.org Dovecot], [http://pigeonhole.dovecot.org Dovecot-Pigeonhole] и [https://roundcube.net Roundcube].<br />
<br />
== Окончательный результат ==<br />
=== Обработка входящих сообщений ===<br />
pf -> spamd -> opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> spampd -> SpamAssassin -> spampd -> opensmtpd -> deliver to dovecot/lmtp<br />
<br />
=== Обработка исходящих сообщений ===<br />
opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> dkimproxy -> opensmtpd -> relay out<br />
<br />
=== Дополнительно ===<br />
Доступ посредством IMAP (SSL): Dovecot<br />
<br />
Доступ к почте через веб-интерфейса (SSL): httpd и Roundcube<br />
<br />
== Why OpenBSD? ==<br />
<br />
Because I think it's a great operating system created and maintained by a lot of very smart people. Plus, I like how there are so many excellent bits of software included in the base system. If you find anything helpful in this guide, or discover how great OpenBSD is, please consider supporting the project, either by purchasing a CD set or making a financial donation. The OpenBSD team does amazing work that benefits the whole community in a wide variety of ways and they can always use the support.<br />
<br />
== Why SpamAssassin in addition to spamd? ==<br />
<br />
Spamd works wonderfully well and it has a very light footprint. It trapped the bulk of my spam (more than 95%) so I almost just let it go instead of bothering with SpamAssassin. But I thought it would be interesting to try and integrate the two.<br />
<br />
== Why not <insert name of favorite operating system/software/tool>? ==<br />
<br />
Never heard of it. ;-)<br />
<br />
== Why bother with setting up your own email server to begin with? Why not just keep using Gmail? ==<br />
<br />
I used to run my own email server back when I hosted the Linux Reality podcast and decided it would be a fun exercise to try it again. The email server I set up using the steps in this guide might become my primary email server. Or, I might take the server down tomorrow and go back to using AOL and working on my Geocities page. Who knows?<br />
<br />
== Assumptions: ==<br />
<br />
This guide assumes an understanding of how to install and configure OpenBSD and an understanding of networking and email, both in general and in regards to OpenBSD in particular. Additionally, this guide assumes an understanding of how to install packages with a properly configured $PKG_PATH, how to work from the command line and edit configuration files, how to change DNS records and MX records, and other general nuts and bolts. These kinds of basic topics will not be covered in this guide.<br />
<br />
== Disclaimer: ==<br />
<br />
I am an ordinary OpenBSD user. I am not a sysadmin, developer, programmer, kung-fu master, or expert in any of these areas. This guide is mainly a writeup for myself so I can replicate these steps in the future. If someone finds it helpful, fine, but it is by no means the only way or even the best way to configure an email server. There are most likely mistakes in this guide, so take it for what it's worth and YMMV. If your email breaks because of this guide, then don't run your own email server. Feedback and corrections are welcome.<br />
<br />
== Updates: ==<br />
<br />
Updated the last line of example smtpd.conf from "for any" to "for domain <vdomains>". Thanks to Christoph on the opensmtpd-misc mailing list.<br />
Removed bit about enabling pf since it's enabled by default. Duh. Also changed notations of port 587 to 'submission' which is the name of that port in /etc/services. Thanks to rjc.<br />
<br />
== Resources: ==<br />
<br />
OpenBSD FAQ (required)<br />
OpenBSD man pages (required)<br />
OpenSMTPD wiki<br />
Helpful thread on OpenSMTPD mailing list re: tagging and proxying<br />
http://www.kernel-panic.it/openbsd/mail/ (the bits about ClamAV and SpamAssassing are helpful)<br />
https://coderwall.com/p/eejzja/simple-smtp-server-with-opensmtpd<br />
http://blog.ehouse.io/mail-server-basic-smtp.html<br />
http://blog.admiral0.it/computing/mail-server-with-opensmtpd-dovecot-and-amavisdspamassassin/</div>Sshhttp://www.qbsd.ru/index.php?title=%D0%9F%D0%BE%D1%87%D1%82%D0%BE%D0%B2%D1%8B%D0%B9_%D1%81%D0%B5%D1%80%D0%B2%D0%B5%D1%80_%D0%BD%D0%B0_%D0%B1%D0%B0%D0%B7%D0%B5_OpenBSD_6.0&diff=448Почтовый сервер на базе OpenBSD 6.02016-09-08T12:41:16Z<p>Ssh: /* Окончательный результат */</p>
<hr />
<div>= Вступление =<br />
Перевод [http://technoquarter.blogspot.ru/2015/02/openbsd-mail-server.html статьи] Chess Griffin с небольшим количеством комментариев от переводчика, в основном связанных с тем, что с момента релиза [http://www.openbsd.org/56.html OpenBSD 5.6], система стала еще [http://www.openbsd.org/60.html лучше!]<br />
<br />
== Цель ==<br />
Создать достаточно безопасный почтовый сервер на базе OpenBSD и нескольких пакетов. OpenSMTPD, spamd, pf и httpd входят в состав базовой системы. Дополнительно потребуются [https://www.clamav.net ClamAV], [http://thewalter.net/stef/software/clamsmtp ClamSMTP], [http://spamassassin.apache.org SpamAssassin], [http://www.worlddesign.com/Content/rd/mta/spampd/spampd.html SpamPD], [http://dkimproxy.sourceforge.net DKIMproxy], [http://www.dovecot.org Dovecot], [http://pigeonhole.dovecot.org Dovecot-Pigeonhole] и [https://roundcube.net Roundcube].<br />
<br />
== Окончательный результат ==<br />
=== Обработка входящих сообщений ===<br />
pf -> spamd -> opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> spampd -> SpamAssassin -> spampd -> opensmtpd -> deliver to dovecot/lmtp<br />
<br />
=== Обработка исходящих сообщений ===<br />
opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> dkimproxy -> opensmtpd -> relay out<br />
<br />
=== Дополнительно ===<br />
Доступ посредством SSL IMAP: Dovecot<br />
SSL webmail доступ: httpd и Roundcube<br />
<br />
== Why OpenBSD? ==<br />
<br />
Because I think it's a great operating system created and maintained by a lot of very smart people. Plus, I like how there are so many excellent bits of software included in the base system. If you find anything helpful in this guide, or discover how great OpenBSD is, please consider supporting the project, either by purchasing a CD set or making a financial donation. The OpenBSD team does amazing work that benefits the whole community in a wide variety of ways and they can always use the support.<br />
<br />
== Why SpamAssassin in addition to spamd? ==<br />
<br />
Spamd works wonderfully well and it has a very light footprint. It trapped the bulk of my spam (more than 95%) so I almost just let it go instead of bothering with SpamAssassin. But I thought it would be interesting to try and integrate the two.<br />
<br />
== Why not <insert name of favorite operating system/software/tool>? ==<br />
<br />
Never heard of it. ;-)<br />
<br />
== Why bother with setting up your own email server to begin with? Why not just keep using Gmail? ==<br />
<br />
I used to run my own email server back when I hosted the Linux Reality podcast and decided it would be a fun exercise to try it again. The email server I set up using the steps in this guide might become my primary email server. Or, I might take the server down tomorrow and go back to using AOL and working on my Geocities page. Who knows?<br />
<br />
== Assumptions: ==<br />
<br />
This guide assumes an understanding of how to install and configure OpenBSD and an understanding of networking and email, both in general and in regards to OpenBSD in particular. Additionally, this guide assumes an understanding of how to install packages with a properly configured $PKG_PATH, how to work from the command line and edit configuration files, how to change DNS records and MX records, and other general nuts and bolts. These kinds of basic topics will not be covered in this guide.<br />
<br />
== Disclaimer: ==<br />
<br />
I am an ordinary OpenBSD user. I am not a sysadmin, developer, programmer, kung-fu master, or expert in any of these areas. This guide is mainly a writeup for myself so I can replicate these steps in the future. If someone finds it helpful, fine, but it is by no means the only way or even the best way to configure an email server. There are most likely mistakes in this guide, so take it for what it's worth and YMMV. If your email breaks because of this guide, then don't run your own email server. Feedback and corrections are welcome.<br />
<br />
== Updates: ==<br />
<br />
Updated the last line of example smtpd.conf from "for any" to "for domain <vdomains>". Thanks to Christoph on the opensmtpd-misc mailing list.<br />
Removed bit about enabling pf since it's enabled by default. Duh. Also changed notations of port 587 to 'submission' which is the name of that port in /etc/services. Thanks to rjc.<br />
<br />
== Resources: ==<br />
<br />
OpenBSD FAQ (required)<br />
OpenBSD man pages (required)<br />
OpenSMTPD wiki<br />
Helpful thread on OpenSMTPD mailing list re: tagging and proxying<br />
http://www.kernel-panic.it/openbsd/mail/ (the bits about ClamAV and SpamAssassing are helpful)<br />
https://coderwall.com/p/eejzja/simple-smtp-server-with-opensmtpd<br />
http://blog.ehouse.io/mail-server-basic-smtp.html<br />
http://blog.admiral0.it/computing/mail-server-with-opensmtpd-dovecot-and-amavisdspamassassin/</div>Sshhttp://www.qbsd.ru/index.php?title=%D0%9F%D0%BE%D1%87%D1%82%D0%BE%D0%B2%D1%8B%D0%B9_%D1%81%D0%B5%D1%80%D0%B2%D0%B5%D1%80_%D0%BD%D0%B0_%D0%B1%D0%B0%D0%B7%D0%B5_OpenBSD_6.0&diff=447Почтовый сервер на базе OpenBSD 6.02016-09-08T12:39:15Z<p>Ssh: </p>
<hr />
<div>= Вступление =<br />
Перевод [http://technoquarter.blogspot.ru/2015/02/openbsd-mail-server.html статьи] Chess Griffin с небольшим количеством комментариев от переводчика, в основном связанных с тем, что с момента релиза [http://www.openbsd.org/56.html OpenBSD 5.6], система стала еще [http://www.openbsd.org/60.html лучше!]<br />
<br />
== Цель ==<br />
Создать достаточно безопасный почтовый сервер на базе OpenBSD и нескольких пакетов. OpenSMTPD, spamd, pf и httpd входят в состав базовой системы. Дополнительно потребуются [https://www.clamav.net ClamAV], [http://thewalter.net/stef/software/clamsmtp ClamSMTP], [http://spamassassin.apache.org SpamAssassin], [http://www.worlddesign.com/Content/rd/mta/spampd/spampd.html SpamPD], [http://dkimproxy.sourceforge.net DKIMproxy], [http://www.dovecot.org Dovecot], [http://pigeonhole.dovecot.org Dovecot-Pigeonhole] и [https://roundcube.net Roundcube].<br />
<br />
== Окончательный результат ==<br />
=== Обработка входящих сообщений ===<br />
'''pf''' -> '''spamd''' -> '''opensmtpd''' -> '''clamsmtpd''' -> '''clamd''' -> '''clamsmtpd''' -> '''opensmtpd''' -> '''spampd''' -> '''SpamAssassin''' -> '''spampd''' -> '''opensmtpd''' -> '''deliver to dovecot/lmtp'''<br />
<br />
=== Обработка исходящих сообщений ===<br />
'''opensmtpd''' -> '''clamsmtpd''' -> '''clamd''' -> '''clamsmtpd''' -> '''opensmtpd''' -> '''dkimproxy''' -> '''opensmtpd''' -> '''relay out'''<br />
<br />
=== Дополнительно ===<br />
Доступ посредством SSL IMAP: Dovecot<br />
SSL webmail доступ: httpd и Roundcube<br />
<br />
== Why OpenBSD? ==<br />
<br />
Because I think it's a great operating system created and maintained by a lot of very smart people. Plus, I like how there are so many excellent bits of software included in the base system. If you find anything helpful in this guide, or discover how great OpenBSD is, please consider supporting the project, either by purchasing a CD set or making a financial donation. The OpenBSD team does amazing work that benefits the whole community in a wide variety of ways and they can always use the support.<br />
<br />
== Why SpamAssassin in addition to spamd? ==<br />
<br />
Spamd works wonderfully well and it has a very light footprint. It trapped the bulk of my spam (more than 95%) so I almost just let it go instead of bothering with SpamAssassin. But I thought it would be interesting to try and integrate the two.<br />
<br />
== Why not <insert name of favorite operating system/software/tool>? ==<br />
<br />
Never heard of it. ;-)<br />
<br />
== Why bother with setting up your own email server to begin with? Why not just keep using Gmail? ==<br />
<br />
I used to run my own email server back when I hosted the Linux Reality podcast and decided it would be a fun exercise to try it again. The email server I set up using the steps in this guide might become my primary email server. Or, I might take the server down tomorrow and go back to using AOL and working on my Geocities page. Who knows?<br />
<br />
== Assumptions: ==<br />
<br />
This guide assumes an understanding of how to install and configure OpenBSD and an understanding of networking and email, both in general and in regards to OpenBSD in particular. Additionally, this guide assumes an understanding of how to install packages with a properly configured $PKG_PATH, how to work from the command line and edit configuration files, how to change DNS records and MX records, and other general nuts and bolts. These kinds of basic topics will not be covered in this guide.<br />
<br />
== Disclaimer: ==<br />
<br />
I am an ordinary OpenBSD user. I am not a sysadmin, developer, programmer, kung-fu master, or expert in any of these areas. This guide is mainly a writeup for myself so I can replicate these steps in the future. If someone finds it helpful, fine, but it is by no means the only way or even the best way to configure an email server. There are most likely mistakes in this guide, so take it for what it's worth and YMMV. If your email breaks because of this guide, then don't run your own email server. Feedback and corrections are welcome.<br />
<br />
== Updates: ==<br />
<br />
Updated the last line of example smtpd.conf from "for any" to "for domain <vdomains>". Thanks to Christoph on the opensmtpd-misc mailing list.<br />
Removed bit about enabling pf since it's enabled by default. Duh. Also changed notations of port 587 to 'submission' which is the name of that port in /etc/services. Thanks to rjc.<br />
<br />
== Resources: ==<br />
<br />
OpenBSD FAQ (required)<br />
OpenBSD man pages (required)<br />
OpenSMTPD wiki<br />
Helpful thread on OpenSMTPD mailing list re: tagging and proxying<br />
http://www.kernel-panic.it/openbsd/mail/ (the bits about ClamAV and SpamAssassing are helpful)<br />
https://coderwall.com/p/eejzja/simple-smtp-server-with-opensmtpd<br />
http://blog.ehouse.io/mail-server-basic-smtp.html<br />
http://blog.admiral0.it/computing/mail-server-with-opensmtpd-dovecot-and-amavisdspamassassin/</div>Sshhttp://www.qbsd.ru/index.php?title=%D0%9F%D0%BE%D1%87%D1%82%D0%BE%D0%B2%D1%8B%D0%B9_%D1%81%D0%B5%D1%80%D0%B2%D0%B5%D1%80_%D0%BD%D0%B0_%D0%B1%D0%B0%D0%B7%D0%B5_OpenBSD_6.0&diff=446Почтовый сервер на базе OpenBSD 6.02016-09-08T12:26:03Z<p>Ssh: /* Вступление */</p>
<hr />
<div>= Вступление =<br />
Перевод [http://technoquarter.blogspot.ru/2015/02/openbsd-mail-server.html статьи] Chess Griffin с небольшим количеством комментариев от переводчика, в основном связанных с тем, что с момента релиза [http://www.openbsd.org/56.html OpenBSD 5.6], система стала еще [http://www.openbsd.org/60.html лучше!]<br />
<br />
== Цель ==<br />
Создать достаточно безопасный почтовый сервер на базе OpenBSD и нескольких пакетов. OpenSMTPD, spamd, pf и httpd входят в состав базовой системы. Дополнительно потребуются [https://www.clamav.net ClamAV], [http://thewalter.net/stef/software/clamsmtp ClamSMTP], [http://spamassassin.apache.org SpamAssassin], [http://www.worlddesign.com/Content/rd/mta/spampd/spampd.html SpamPD], [http://dkimproxy.sourceforge.net DKIMproxy], [http://www.dovecot.org Dovecot], [http://pigeonhole.dovecot.org Dovecot-Pigeonhole] и [https://roundcube.net Roundcube].<br />
<br />
== The final setup ==<br />
<br />
Incoming mail:<br />
<br />
pf -> spamd -> opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> spampd -> SpamAssassin -> spampd -> opensmtpd -> deliver to dovecot/lmtp<br />
<br />
Outoing mail:<br />
<br />
opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> dkimproxy -> opensmtpd -> relay out<br />
<br />
Other:<br />
<br />
SSL IMAP access: Dovecot<br />
SSL webmail access: httpd and Roundcube<br />
<br />
== Why OpenBSD? ==<br />
<br />
Because I think it's a great operating system created and maintained by a lot of very smart people. Plus, I like how there are so many excellent bits of software included in the base system. If you find anything helpful in this guide, or discover how great OpenBSD is, please consider supporting the project, either by purchasing a CD set or making a financial donation. The OpenBSD team does amazing work that benefits the whole community in a wide variety of ways and they can always use the support.<br />
<br />
== Why SpamAssassin in addition to spamd? ==<br />
<br />
Spamd works wonderfully well and it has a very light footprint. It trapped the bulk of my spam (more than 95%) so I almost just let it go instead of bothering with SpamAssassin. But I thought it would be interesting to try and integrate the two.<br />
<br />
== Why not <insert name of favorite operating system/software/tool>? ==<br />
<br />
Never heard of it. ;-)<br />
<br />
== Why bother with setting up your own email server to begin with? Why not just keep using Gmail? ==<br />
<br />
I used to run my own email server back when I hosted the Linux Reality podcast and decided it would be a fun exercise to try it again. The email server I set up using the steps in this guide might become my primary email server. Or, I might take the server down tomorrow and go back to using AOL and working on my Geocities page. Who knows?<br />
<br />
== Assumptions: ==<br />
<br />
This guide assumes an understanding of how to install and configure OpenBSD and an understanding of networking and email, both in general and in regards to OpenBSD in particular. Additionally, this guide assumes an understanding of how to install packages with a properly configured $PKG_PATH, how to work from the command line and edit configuration files, how to change DNS records and MX records, and other general nuts and bolts. These kinds of basic topics will not be covered in this guide.<br />
<br />
== Disclaimer: ==<br />
<br />
I am an ordinary OpenBSD user. I am not a sysadmin, developer, programmer, kung-fu master, or expert in any of these areas. This guide is mainly a writeup for myself so I can replicate these steps in the future. If someone finds it helpful, fine, but it is by no means the only way or even the best way to configure an email server. There are most likely mistakes in this guide, so take it for what it's worth and YMMV. If your email breaks because of this guide, then don't run your own email server. Feedback and corrections are welcome.<br />
<br />
== Updates: ==<br />
<br />
Updated the last line of example smtpd.conf from "for any" to "for domain <vdomains>". Thanks to Christoph on the opensmtpd-misc mailing list.<br />
Removed bit about enabling pf since it's enabled by default. Duh. Also changed notations of port 587 to 'submission' which is the name of that port in /etc/services. Thanks to rjc.<br />
<br />
== Resources: ==<br />
<br />
OpenBSD FAQ (required)<br />
OpenBSD man pages (required)<br />
OpenSMTPD wiki<br />
Helpful thread on OpenSMTPD mailing list re: tagging and proxying<br />
http://www.kernel-panic.it/openbsd/mail/ (the bits about ClamAV and SpamAssassing are helpful)<br />
https://coderwall.com/p/eejzja/simple-smtp-server-with-opensmtpd<br />
http://blog.ehouse.io/mail-server-basic-smtp.html<br />
http://blog.admiral0.it/computing/mail-server-with-opensmtpd-dovecot-and-amavisdspamassassin/</div>Sshhttp://www.qbsd.ru/index.php?title=%D0%9F%D0%BE%D1%87%D1%82%D0%BE%D0%B2%D1%8B%D0%B9_%D1%81%D0%B5%D1%80%D0%B2%D0%B5%D1%80_%D0%BD%D0%B0_%D0%B1%D0%B0%D0%B7%D0%B5_OpenBSD_6.0&diff=445Почтовый сервер на базе OpenBSD 6.02016-09-08T12:25:38Z<p>Ssh: /* Цель */</p>
<hr />
<div>= Вступление =<br />
Перевод [http://technoquarter.blogspot.ru/2015/02/openbsd-mail-server.html статьи] Chess Griffin с небольшим количеством комментариев от переводчика, в основном связанных с тем, что с момента релиза [http://www.openbsd.org/56.html OpenBSD 5.6], система стала еще [http://www.openbsd.org/60.html лучше]!<br />
<br />
== Цель ==<br />
Создать достаточно безопасный почтовый сервер на базе OpenBSD и нескольких пакетов. OpenSMTPD, spamd, pf и httpd входят в состав базовой системы. Дополнительно потребуются [https://www.clamav.net ClamAV], [http://thewalter.net/stef/software/clamsmtp ClamSMTP], [http://spamassassin.apache.org SpamAssassin], [http://www.worlddesign.com/Content/rd/mta/spampd/spampd.html SpamPD], [http://dkimproxy.sourceforge.net DKIMproxy], [http://www.dovecot.org Dovecot], [http://pigeonhole.dovecot.org Dovecot-Pigeonhole] и [https://roundcube.net Roundcube].<br />
<br />
== The final setup ==<br />
<br />
Incoming mail:<br />
<br />
pf -> spamd -> opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> spampd -> SpamAssassin -> spampd -> opensmtpd -> deliver to dovecot/lmtp<br />
<br />
Outoing mail:<br />
<br />
opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> dkimproxy -> opensmtpd -> relay out<br />
<br />
Other:<br />
<br />
SSL IMAP access: Dovecot<br />
SSL webmail access: httpd and Roundcube<br />
<br />
== Why OpenBSD? ==<br />
<br />
Because I think it's a great operating system created and maintained by a lot of very smart people. Plus, I like how there are so many excellent bits of software included in the base system. If you find anything helpful in this guide, or discover how great OpenBSD is, please consider supporting the project, either by purchasing a CD set or making a financial donation. The OpenBSD team does amazing work that benefits the whole community in a wide variety of ways and they can always use the support.<br />
<br />
== Why SpamAssassin in addition to spamd? ==<br />
<br />
Spamd works wonderfully well and it has a very light footprint. It trapped the bulk of my spam (more than 95%) so I almost just let it go instead of bothering with SpamAssassin. But I thought it would be interesting to try and integrate the two.<br />
<br />
== Why not <insert name of favorite operating system/software/tool>? ==<br />
<br />
Never heard of it. ;-)<br />
<br />
== Why bother with setting up your own email server to begin with? Why not just keep using Gmail? ==<br />
<br />
I used to run my own email server back when I hosted the Linux Reality podcast and decided it would be a fun exercise to try it again. The email server I set up using the steps in this guide might become my primary email server. Or, I might take the server down tomorrow and go back to using AOL and working on my Geocities page. Who knows?<br />
<br />
== Assumptions: ==<br />
<br />
This guide assumes an understanding of how to install and configure OpenBSD and an understanding of networking and email, both in general and in regards to OpenBSD in particular. Additionally, this guide assumes an understanding of how to install packages with a properly configured $PKG_PATH, how to work from the command line and edit configuration files, how to change DNS records and MX records, and other general nuts and bolts. These kinds of basic topics will not be covered in this guide.<br />
<br />
== Disclaimer: ==<br />
<br />
I am an ordinary OpenBSD user. I am not a sysadmin, developer, programmer, kung-fu master, or expert in any of these areas. This guide is mainly a writeup for myself so I can replicate these steps in the future. If someone finds it helpful, fine, but it is by no means the only way or even the best way to configure an email server. There are most likely mistakes in this guide, so take it for what it's worth and YMMV. If your email breaks because of this guide, then don't run your own email server. Feedback and corrections are welcome.<br />
<br />
== Updates: ==<br />
<br />
Updated the last line of example smtpd.conf from "for any" to "for domain <vdomains>". Thanks to Christoph on the opensmtpd-misc mailing list.<br />
Removed bit about enabling pf since it's enabled by default. Duh. Also changed notations of port 587 to 'submission' which is the name of that port in /etc/services. Thanks to rjc.<br />
<br />
== Resources: ==<br />
<br />
OpenBSD FAQ (required)<br />
OpenBSD man pages (required)<br />
OpenSMTPD wiki<br />
Helpful thread on OpenSMTPD mailing list re: tagging and proxying<br />
http://www.kernel-panic.it/openbsd/mail/ (the bits about ClamAV and SpamAssassing are helpful)<br />
https://coderwall.com/p/eejzja/simple-smtp-server-with-opensmtpd<br />
http://blog.ehouse.io/mail-server-basic-smtp.html<br />
http://blog.admiral0.it/computing/mail-server-with-opensmtpd-dovecot-and-amavisdspamassassin/</div>Sshhttp://www.qbsd.ru/index.php?title=%D0%9F%D0%BE%D1%87%D1%82%D0%BE%D0%B2%D1%8B%D0%B9_%D1%81%D0%B5%D1%80%D0%B2%D0%B5%D1%80_%D0%BD%D0%B0_%D0%B1%D0%B0%D0%B7%D0%B5_OpenBSD_6.0&diff=444Почтовый сервер на базе OpenBSD 6.02016-09-08T12:19:36Z<p>Ssh: Новая страница: «= Вступление = Перевод [http://technoquarter.blogspot.ru/2015/02/openbsd-mail-server.html статьи] Chess Griffin с небольшим ко…»</p>
<hr />
<div>= Вступление =<br />
Перевод [http://technoquarter.blogspot.ru/2015/02/openbsd-mail-server.html статьи] Chess Griffin с небольшим количеством комментариев от переводчика, в основном связанных с тем, что с момента релиза [http://www.openbsd.org/56.html OpenBSD 5.6], система стала еще [http://www.openbsd.org/60.html лучше]!<br />
<br />
== Цель ==<br />
Создать достаточно безопасный почтовый сервер на базе OpenBSD и нескольких пакетов. OpenSMTPD, spamd, pf и httpd входят в состав базовой системы. Дополнительно потребуются ClamAV, ClamSMTP, SpamAssassin, SpamPD, DKIMproxy, Dovecot, Dovecot-Pigeonhole, и Roundcube.<br />
<br />
== The final setup ==<br />
<br />
Incoming mail:<br />
<br />
pf -> spamd -> opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> spampd -> SpamAssassin -> spampd -> opensmtpd -> deliver to dovecot/lmtp<br />
<br />
Outoing mail:<br />
<br />
opensmtpd -> clamsmtpd -> clamd -> clamsmtpd -> opensmtpd -> dkimproxy -> opensmtpd -> relay out<br />
<br />
Other:<br />
<br />
SSL IMAP access: Dovecot<br />
SSL webmail access: httpd and Roundcube<br />
<br />
== Why OpenBSD? ==<br />
<br />
Because I think it's a great operating system created and maintained by a lot of very smart people. Plus, I like how there are so many excellent bits of software included in the base system. If you find anything helpful in this guide, or discover how great OpenBSD is, please consider supporting the project, either by purchasing a CD set or making a financial donation. The OpenBSD team does amazing work that benefits the whole community in a wide variety of ways and they can always use the support.<br />
<br />
== Why SpamAssassin in addition to spamd? ==<br />
<br />
Spamd works wonderfully well and it has a very light footprint. It trapped the bulk of my spam (more than 95%) so I almost just let it go instead of bothering with SpamAssassin. But I thought it would be interesting to try and integrate the two.<br />
<br />
== Why not <insert name of favorite operating system/software/tool>? ==<br />
<br />
Never heard of it. ;-)<br />
<br />
== Why bother with setting up your own email server to begin with? Why not just keep using Gmail? ==<br />
<br />
I used to run my own email server back when I hosted the Linux Reality podcast and decided it would be a fun exercise to try it again. The email server I set up using the steps in this guide might become my primary email server. Or, I might take the server down tomorrow and go back to using AOL and working on my Geocities page. Who knows?<br />
<br />
== Assumptions: ==<br />
<br />
This guide assumes an understanding of how to install and configure OpenBSD and an understanding of networking and email, both in general and in regards to OpenBSD in particular. Additionally, this guide assumes an understanding of how to install packages with a properly configured $PKG_PATH, how to work from the command line and edit configuration files, how to change DNS records and MX records, and other general nuts and bolts. These kinds of basic topics will not be covered in this guide.<br />
<br />
== Disclaimer: ==<br />
<br />
I am an ordinary OpenBSD user. I am not a sysadmin, developer, programmer, kung-fu master, or expert in any of these areas. This guide is mainly a writeup for myself so I can replicate these steps in the future. If someone finds it helpful, fine, but it is by no means the only way or even the best way to configure an email server. There are most likely mistakes in this guide, so take it for what it's worth and YMMV. If your email breaks because of this guide, then don't run your own email server. Feedback and corrections are welcome.<br />
<br />
== Updates: ==<br />
<br />
Updated the last line of example smtpd.conf from "for any" to "for domain <vdomains>". Thanks to Christoph on the opensmtpd-misc mailing list.<br />
Removed bit about enabling pf since it's enabled by default. Duh. Also changed notations of port 587 to 'submission' which is the name of that port in /etc/services. Thanks to rjc.<br />
<br />
== Resources: ==<br />
<br />
OpenBSD FAQ (required)<br />
OpenBSD man pages (required)<br />
OpenSMTPD wiki<br />
Helpful thread on OpenSMTPD mailing list re: tagging and proxying<br />
http://www.kernel-panic.it/openbsd/mail/ (the bits about ClamAV and SpamAssassing are helpful)<br />
https://coderwall.com/p/eejzja/simple-smtp-server-with-opensmtpd<br />
http://blog.ehouse.io/mail-server-basic-smtp.html<br />
http://blog.admiral0.it/computing/mail-server-with-opensmtpd-dovecot-and-amavisdspamassassin/</div>Sshhttp://www.qbsd.ru/index.php?title=%D0%A3%D1%87%D0%B0%D1%81%D1%82%D0%BD%D0%B8%D0%BA:Ssh&diff=443Участник:Ssh2016-09-08T11:23:28Z<p>Ssh: /* Заметки */</p>
<hr />
<div>= Заметки =<br />
<br />
[[Список открытых портов]]<br />
<br />
[[OpenBSD на рабочей станции]]<br />
<br />
[["Горячие" клавиши tmux и screen]]<br />
<br />
[[OpenBSD doas]]<br />
<br />
[[Почтовый сервер на базе OpenBSD 6.0]]</div>Sshhttp://www.qbsd.ru/index.php?title=%D0%97%D0%B0%D0%B3%D0%BB%D0%B0%D0%B2%D0%BD%D0%B0%D1%8F_%D1%81%D1%82%D1%80%D0%B0%D0%BD%D0%B8%D1%86%D0%B0&diff=440Заглавная страница2016-01-19T07:18:23Z<p>Ssh: Воспользовался главред - https://glvrd.ru/</p>
<hr />
<div>== Неофициальный вики-портал русскоязычного сообщества пользователей [http://www.openbsd.org OpenBSD] ==<br />
<br />
Мы объединяем доступную по данной тематике информацию: руководства, заметки, переводы официальной документации, ссылки на [[Перечень Интернет ресурсов о OpenBSD|ресурсы схожей тематики]], интересные примеры конфигурации.<br />
<br />
Будем рады новой статье, переводу или исправленной неточности. Завершенные статьи размещены в разделе [[OpenBSD-Wiki:Текущие события]].<br />
<br />
Из завершённого пока располагаем только [http://openbsd.pw/files архивом сайтов], с которым и работаем.<br />
<br />
Порты доступны на [http://ports.su/ ports.su], а поиск исходников на [http://bxr.su/OpenBSD/ bxr.su]. Короткие адреса руководств BSD раздаются на [http://mdoc.su/ mdoc.su].</div>Sshhttp://www.qbsd.ru/index.php?title=%D0%A1%D0%BF%D0%B8%D1%81%D0%BE%D0%BA_%D0%BE%D1%82%D0%BA%D1%80%D1%8B%D1%82%D1%8B%D1%85_%D0%BF%D0%BE%D1%80%D1%82%D0%BE%D0%B2&diff=439Список открытых портов2016-01-18T02:47:19Z<p>Ssh: </p>
<hr />
<div>Поведение [http://www.openbsd.org/cgi-bin/man.cgi?query=netstat netstat(1)] в OpenBSD несколько отличается от аналога в Linux .<br />
<br />
Состояние всех сокетов, включая созданные серверными процессами системы (LISTEN):<br />
<pre>$ netstat -na</pre><br />
Тоже, что и предыдущее, но для конкретной группы протоколов (IPv4, IPv6 и т. д.), в данном случае для IPv4:<br />
<pre>$ netstat -na -f inet</pre><br />
Отфильтруем порты ожидающие соединения:<br />
<pre>$ netstat -na | grep LISTEN</pre><br />
На моей системе вывод имеет такой вид:<br />
<pre>tcp 0 0 *.13 *.* LISTEN<br />
tcp 0 0 *.21 *.* LISTEN<br />
tcp 0 0 *.6000 *.* LISTEN<br />
tcp 0 0 127.0.0.1.587 *.* LISTEN<br />
tcp 0 0 127.0.0.1.25 *.* LISTEN<br />
tcp 0 0 *.22 *.* LISTEN<br />
tcp6 0 0 *.13 *.* LISTEN<br />
tcp6 0 0 *.6000 *.* LISTEN<br />
tcp6 0 0 ::1.587 *.* LISTEN<br />
tcp6 0 0 ::1.25 *.* LISTEN<br />
tcp6 0 0 *.22 *.* LISTEN</pre><br />
Используем [http://www.openbsd.org/cgi-bin/man.cgi?query=fstat fstat(1)] для того, чтобы узнать какой процесс слушает порт:<br />
<pre># fstat | grep ':22' <br />
root sshd 5870 3* internet stream tcp 0xffff800000d8e000 *:22<br />
root sshd 5870 4* internet6 stream tcp 0xffff800000d8e230 *:22</pre></div>Sshhttp://www.qbsd.ru/index.php?title=%D0%9F%D0%B5%D1%80%D0%B5%D1%87%D0%B5%D0%BD%D1%8C_%D0%98%D0%BD%D1%82%D0%B5%D1%80%D0%BD%D0%B5%D1%82_%D1%80%D0%B5%D1%81%D1%83%D1%80%D1%81%D0%BE%D0%B2_%D0%BE_OpenBSD&diff=438Перечень Интернет ресурсов о OpenBSD2015-12-29T02:08:40Z<p>Ssh: /* Действующие */</p>
<hr />
<div>== Перечень Интернет ресурсов о OpenBSD ==<br />
<br />
=== Действующие ===<br />
<br />
{| class="wikitable collapsible"<br />
!colspan="3" style="background:#FFCC00"|Перечень сайтов<br />
|-<br />
!Ресурс||Актуальность||Описание<br />
|-<br />
|[http://www.openbsd.org/faq/index.html www.openbsd.org]||ДА||'''FAQ. Строго обязательно к прочтению!''' [http://www.openbsd.org/faq/ru/ Русскоязычная версия].<br />
|-<br />
|[http://obsd.ru obsd.ru]||ДА||Портал русскоязычного сообщества OpenBSD<br />
|-<br />
|[http://undeadly.org undeadly.org]||ДА||Live-журнал OpenBSD<br />
|-<br />
|[http://freshbsd.org freshbsd.org]||ДА||Все изменения в коде *BSD проектов, в портах отображаются здесь.<br />
|-<br />
|[http://openports.se openports.se]||ДА||Коллекция портов для OpenBSD<br />
|-<br />
|[https://stable.mtier.org stable.mtier.org]||ДА||Коллекция портов для OpenBSD для i386 и amd64<br />
|-<br />
|[http://distrowatch.com/table.php?distribution=openbsd distrowatch.com]||ДА||Информационно-новостной ресурс сообщающий о составе и релизах открытого ПО (Linux / BSD / др.).<br />
|-<br />
|[http://bsdtalk.blogspot.ru bsdtalk.blogspot.ru]||ДА||Аудиозаписи, интервью, размышления на тему *BSD. На английском.<br />
|-<br />
|[http://bsdmag.org bsdmag.org]||ДА||BSD magazine. Популярный журнал о BSD системах. Русские переводы выполненные командой энтузиастов [http://bsdmag.su находятся здесь].<br />
|-<br />
|[http://home.nuug.no/~peter/pf/en/long-firewall.html home.nuug.no]||ДА||Firewalling with OpenBSD’s PF packet filter.<br />
Автор: Peter N. M. Hansteen. Основополагающая вещь, читать всем! <br /> [http://rlworkman.net/howtos/OpenBSD_pf_guide.html Устаревшая версия 2006 г. Firewalling with OpenBSD’s PF packet filter.] <br /> [http://home.nuug.no/~peter/pf/eurobsdcon2012 Ещё eurobsdcon2012] от него же.<br />
|-<br />
|[http://www.openbsdsupport.org www.openbsdsupport.org]||ДА||OpenBSD Users Documentation project<br />
|-<br />
|[http://www.opennet.ru/search.shtml?method=and&format=builtin-long&config=htdig&restrict=&exclude=&words=openbsd www.opennet.ru]||ДА||The OpenNet Project. Популярный портал посвященный открытому ПО. Содержит новости, советы. Имеется форум.<br />
|-<br />
|[https://calomel.org calomel.org]||ДА||Богатый сборник how-to по OpenBSD. Актуализирован под OpenBSD 5.x!<br />
|-<br />
|[http://www.lissyara.su www.lissyara.su]||4.x||Личный сайт BSD’шника под ником '''lissyara''', богатый справочник по FreeBSD и OpenBSD.<br />Актуален для старых версий.<br />
|-<br />
|[http://habrahabr.ru/search/?q=openbsd habrahabr.ru]||Сомнительно||Сверхпопулярный IT-blog. Доступные на нем записи о OpenBSD.<br />
|-<br />
|[http://www.kernel-panic.it/openbsd.html www.kernel-panic.it]||Сомнительно||Сборник руководств по OpenBSD.<br />
|-<br />
|[http://www.monkey.org/misc www.monkey.org]||Неизвестно||OpenBSD is for monkeys<br />
|-<br />
|[http://www.trumpetpower.com/OpenBSD/Meta-FAQ www.trumpetpower.com]||Неизвестно||OpenBSD Meta-FAQ<br />
|-<br />
|[http://tuxmobil.org/mobile_bsd.html tuxmobil.org]||Неизвестно||FreeBSD, NetBSD, OpenBSD, DragonFly and Mobile Computers (Laptops, Notebooks, PDAs, Mobile Phones)<br />
|-<br />
|[http://blog.bronevichok.ru/ blog.bronevichok.ru]||Да||Блог Сергея Бронникова<br />
|-<br />
|[http://www.read-and-think.org/openbsd5_tools_xterm_fvwm_fonts.html www.read-and-think.org]||Да||Библия для людей, работающих с командной строкой. Так же по ссылке масса информации по настройке русского языка и шрифтов в OpenBSD и UTF-8.<br />
|-<br />
|}<br />
<br />
=== Отдельные информационные статьи, записки, заметки ===<br />
<br />
{| class="wikitable collapsible"<br />
!colspan="3" style="background:#FFCC00"|Перечень статей<br />
|-<br />
!Ресурс||Актуальность||Описание<br />
|-<br />
|[http://www.vpnc.org/InteropProfiles/OpenBSD.html www.vpnc.org]||-||OpenBSD Documentation Examples for IPsec Interoperability<br />
|-<br />
|[http://www.nomoa.com/bsd/index.html www.nomoa.com]||-||Установка и настройка OpenBSD сервера<br />
|-<br />
|[http://www.realo.ca/BSDinstall.html www.realo.ca]||-||A Step-by-Step Guide to Building an OpenBSD PPPoE Gateway, with Firewall<br />
|-<br />
|[http://pestilenz.org/~bauerm/tor-openbsd-howto.html pestilenz.org]||-||Установка Tor Wiki в Apache chroot<br />
|-<br />
|[http://disorder.ru/archives/category/openbsd disorder.ru]||-||Александр Юрченко является разработчиком OpenBSD из России. Ведёт заметки об OpenBSD на своём блоге<br />
|-<br />
|[http://citforum.ru/operating_systems/openbsd citforum.ru]||-|| Документация по OpenBSD на citforum.ru<br />
|}<br />
<br />
== Недействующие ==<br />
<br />
Информацию можно просмотреть через [http://archive.org/web/web.php archive.org]<br />
<br />
{| class="wikitable collapsible"<br />
!colspan="2" style="background:#FFCC00"|Архив сайтов<br />
|-<br />
!Ресурс||Описание<br />
|-<br />
|[http://web.archive.org/web/*/http://openbsd.ru openbsd.ru]||Главный портал русскоязычного сообщества OpenBSD.<br />
|-<br />
|[http://web.archive.org/web/*/http://openbsd101.com openbsd101.com]||Сборник how-to для начинающих.<br />
|-<br />
|[http://web.archive.org/web/*/http://kaw.ath.cx/openbsd/?FuguIta FuguIta]||Проект FuguIta в рамках которого формируют LiveCD сборки OpenBSD.<br />
|-<br />
|[http://web.archive.org/web/*/http://www.synack.ru www.synack.ru]||Хороший blog по *BSD \ Linux \ VoIP и др.<br />
|-<br />
|[http://web.archive.org/web/*/https://www.dmoz.org www.dmoz.org]||Сборник статей по OpenBSD.<br />
|-<br />
|[http://web.archive.org/web/*/http://www.infobsd.org www.infobsd.org]||InfoBSD.<br />
|}<br />
<br />
[[Категория:Общая информация]]</div>Sshhttp://www.qbsd.ru/index.php?title=%D0%9F%D0%B5%D1%80%D0%B5%D1%87%D0%B5%D0%BD%D1%8C_%D0%98%D0%BD%D1%82%D0%B5%D1%80%D0%BD%D0%B5%D1%82_%D1%80%D0%B5%D1%81%D1%83%D1%80%D1%81%D0%BE%D0%B2_%D0%BE_OpenBSD&diff=437Перечень Интернет ресурсов о OpenBSD2015-12-29T02:04:13Z<p>Ssh: Перенёс неработающие ресурсы в раздел неактуальных.</p>
<hr />
<div>== Перечень Интернет ресурсов о OpenBSD ==<br />
<br />
=== Действующие ===<br />
<br />
{| class="wikitable collapsible"<br />
!colspan="3" style="background:#FFCC00"|Перечень сайтов<br />
|-<br />
!Ресурс||Актуальность||Описание<br />
|-<br />
|[http://www.openbsd.org/faq/index.html www.openbsd.org]||ДА||'''FAQ. Строго обязательно к прочтению!''' [http://www.openbsd.org/faq/ru/ Русскоязычная версия].<br />
|-<br />
|[http://obsd.ru obsd.ru]||ДА||Портал русскоязычного сообщества OpenBSD<br />
|-<br />
|[http://undeadly.org undeadly.org]||ДА||Live-журнал OpenBSD<br />
|-<br />
|[http://freshbsd.org freshbsd.org]||ДА||Все изменения в коде *BSD проектов, в портах отображаются здесь.<br />
|-<br />
|[http://openports.se openports.se]||ДА||Коллекция портов для OpenBSD<br />
|-<br />
|[https://stable.mtier.org stable.mtier.org]||ДА||Коллекция портов для OpenBSD для i386 и amd64<br />
|-<br />
|[http://distrowatch.com/table.php?distribution=openbsd distrowatch.com]||ДА||Информационно-новостной ресурс сообщающий о составе и релизах открытого ПО (Linux / BSD / др.).<br />
|-<br />
|[http://bsdtalk.blogspot.ru bsdtalk.blogspot.ru]||ДА||Аудиозаписи, интервью, размышления на тему *BSD. На английском.<br />
|-<br />
|[http://bsdmag.org bsdmag.org]||ДА||BSD magazine. Популярный журнал о BSD системах. Русские переводы выполненные командой энтузиастов [http://bsdmag.su находятся здесь].<br />
|-<br />
|[http://home.nuug.no/~peter/pf/en/long-firewall.html home.nuug.no]||ДА||Firewalling with OpenBSD’s PF packet filter.<br />
Автор: Peter N. M. Hansteen. Основополагающая вещь, читать всем! [http://home.nuug.no/~peter/pf/eurobsdcon2012 Ещё eurobsdcon2012] от него же.<br />
|-<br />
|[http://rlworkman.net/howtos/OpenBSD_pf_guide.html rlworkman.net]||Нет||Устаревшая версия 2006 г. Firewalling with OpenBSD’s PF packet filter.<br />
Автор: Peter N. M. Hansteen.<br />
|-<br />
|[http://www.openbsdsupport.org www.openbsdsupport.org]||ДА||OpenBSD Users Documentation project<br />
|-<br />
|[http://www.opennet.ru/search.shtml?method=and&format=builtin-long&config=htdig&restrict=&exclude=&words=openbsd www.opennet.ru]||ДА||The OpenNet Project. Популярный портал посвященный открытому ПО. Содержит новости, советы. Имеется форум.<br />
|-<br />
|[https://calomel.org calomel.org]||ДА||Богатый сборник how-to по OpenBSD. Актуализирован под OpenBSD 5.x!<br />
|-<br />
|[http://www.lissyara.su www.lissyara.su]||4.x||Личный сайт BSD’шника под ником '''lissyara''', богатый справочник по FreeBSD и OpenBSD.<br />Актуален для старых версий.<br />
|-<br />
|[http://habrahabr.ru/search/?q=openbsd habrahabr.ru]||Сомнительно||Сверхпопулярный IT-blog. Доступные на нем записи о OpenBSD.<br />
|-<br />
|[http://www.kernel-panic.it/openbsd.html www.kernel-panic.it]||Сомнительно||Сборник руководств по OpenBSD.<br />
|-<br />
|[http://www.monkey.org/misc www.monkey.org]||Неизвестно||OpenBSD is for monkeys<br />
|-<br />
|[http://www.trumpetpower.com/OpenBSD/Meta-FAQ www.trumpetpower.com]||Неизвестно||OpenBSD Meta-FAQ<br />
|-<br />
|[http://tuxmobil.org/mobile_bsd.html tuxmobil.org]||Неизвестно||FreeBSD, NetBSD, OpenBSD, DragonFly and Mobile Computers (Laptops, Notebooks, PDAs, Mobile Phones)<br />
|-<br />
|[http://blog.bronevichok.ru/ blog.bronevichok.ru]||Да||Блог Сергея Бронникова<br />
|-<br />
|[http://www.read-and-think.org/openbsd5_tools_xterm_fvwm_fonts.html www.read-and-think.org]||Да||Библия для людей, работающих с командной строкой. Так же по ссылке масса информации по настройке русского языка и шрифтов в OpenBSD и UTF-8.<br />
|-<br />
|}<br />
<br />
=== Отдельные информационные статьи, записки, заметки ===<br />
<br />
{| class="wikitable collapsible"<br />
!colspan="3" style="background:#FFCC00"|Перечень статей<br />
|-<br />
!Ресурс||Актуальность||Описание<br />
|-<br />
|[http://www.vpnc.org/InteropProfiles/OpenBSD.html www.vpnc.org]||-||OpenBSD Documentation Examples for IPsec Interoperability<br />
|-<br />
|[http://www.nomoa.com/bsd/index.html www.nomoa.com]||-||Установка и настройка OpenBSD сервера<br />
|-<br />
|[http://www.realo.ca/BSDinstall.html www.realo.ca]||-||A Step-by-Step Guide to Building an OpenBSD PPPoE Gateway, with Firewall<br />
|-<br />
|[http://pestilenz.org/~bauerm/tor-openbsd-howto.html pestilenz.org]||-||Установка Tor Wiki в Apache chroot<br />
|-<br />
|[http://disorder.ru/archives/category/openbsd disorder.ru]||-||Александр Юрченко является разработчиком OpenBSD из России. Ведёт заметки об OpenBSD на своём блоге<br />
|-<br />
|[http://citforum.ru/operating_systems/openbsd citforum.ru]||-|| Документация по OpenBSD на citforum.ru<br />
|}<br />
<br />
== Недействующие ==<br />
<br />
Информацию можно просмотреть через [http://archive.org/web/web.php archive.org]<br />
<br />
{| class="wikitable collapsible"<br />
!colspan="2" style="background:#FFCC00"|Архив сайтов<br />
|-<br />
!Ресурс||Описание<br />
|-<br />
|[http://web.archive.org/web/*/http://openbsd.ru openbsd.ru]||Главный портал русскоязычного сообщества OpenBSD.<br />
|-<br />
|[http://web.archive.org/web/*/http://openbsd101.com openbsd101.com]||Сборник how-to для начинающих.<br />
|-<br />
|[http://web.archive.org/web/*/http://kaw.ath.cx/openbsd/?FuguIta FuguIta]||Проект FuguIta в рамках которого формируют LiveCD сборки OpenBSD.<br />
|-<br />
|[http://web.archive.org/web/*/http://www.synack.ru www.synack.ru]||Хороший blog по *BSD \ Linux \ VoIP и др.<br />
|-<br />
|[http://web.archive.org/web/*/https://www.dmoz.org www.dmoz.org]||Сборник статей по OpenBSD.<br />
|-<br />
|[http://web.archive.org/web/*/http://www.infobsd.org www.infobsd.org]||InfoBSD.<br />
|}<br />
<br />
[[Категория:Общая информация]]</div>Sshhttp://www.qbsd.ru/index.php?title=%D0%9F%D0%B5%D1%80%D0%B5%D1%87%D0%B5%D0%BD%D1%8C_%D0%98%D0%BD%D1%82%D0%B5%D1%80%D0%BD%D0%B5%D1%82_%D1%80%D0%B5%D1%81%D1%83%D1%80%D1%81%D0%BE%D0%B2_%D0%BE_OpenBSD&diff=436Перечень Интернет ресурсов о OpenBSD2015-12-29T02:02:38Z<p>Ssh: /* Недействующие */</p>
<hr />
<div>== Перечень Интернет ресурсов о OpenBSD ==<br />
<br />
=== Действующие ===<br />
<br />
{| class="wikitable collapsible"<br />
!colspan="3" style="background:#FFCC00"|Перечень сайтов<br />
|-<br />
!Ресурс||Актуальность||Описание<br />
|-<br />
|[http://www.openbsd.org/faq/index.html www.openbsd.org]||ДА||'''FAQ. Строго обязательно к прочтению!''' [http://www.openbsd.org/faq/ru/ Русскоязычная версия].<br />
|-<br />
|[http://obsd.ru obsd.ru]||ДА||Портал русскоязычного сообщества OpenBSD<br />
|-<br />
|[http://undeadly.org undeadly.org]||ДА||Live-журнал OpenBSD<br />
|-<br />
|[http://freshbsd.org freshbsd.org]||ДА||Все изменения в коде *BSD проектов, в портах отображаются здесь.<br />
|-<br />
|[http://openports.se openports.se]||ДА||Коллекция портов для OpenBSD<br />
|-<br />
|[https://stable.mtier.org stable.mtier.org]||ДА||Коллекция портов для OpenBSD для i386 и amd64<br />
|-<br />
|[http://distrowatch.com/table.php?distribution=openbsd distrowatch.com]||ДА||Информационно-новостной ресурс сообщающий о составе и релизах открытого ПО (Linux / BSD / др.).<br />
|-<br />
|[http://bsdtalk.blogspot.ru bsdtalk.blogspot.ru]||ДА||Аудиозаписи, интервью, размышления на тему *BSD. На английском.<br />
|-<br />
|[http://bsdmag.org bsdmag.org]||ДА||BSD magazine. Популярный журнал о BSD системах. Русские переводы выполненные командой энтузиастов [http://bsdmag.su находятся здесь].<br />
|-<br />
|[http://home.nuug.no/~peter/pf/en/long-firewall.html home.nuug.no]||ДА||Firewalling with OpenBSD’s PF packet filter.<br />
Автор: Peter N. M. Hansteen. Основополагающая вещь, читать всем! [http://home.nuug.no/~peter/pf/eurobsdcon2012 Ещё eurobsdcon2012] от него же.<br />
|-<br />
|[http://kaw.ath.cx/openbsd/?FuguIta FuguIta]||ДА||Проект FuguIta в рамках которого формируют LiveCD сборки OpenBSD.<br />
|-<br />
|[http://rlworkman.net/howtos/OpenBSD_pf_guide.html rlworkman.net]||Нет||Устаревшая версия 2006 г. Firewalling with OpenBSD’s PF packet filter.<br />
Автор: Peter N. M. Hansteen.<br />
|-<br />
|[http://www.openbsdsupport.org www.openbsdsupport.org]||ДА||OpenBSD Users Documentation project<br />
|-<br />
|[http://www.opennet.ru/search.shtml?method=and&format=builtin-long&config=htdig&restrict=&exclude=&words=openbsd www.opennet.ru]||ДА||The OpenNet Project. Популярный портал посвященный открытому ПО. Содержит новости, советы. Имеется форум.<br />
|-<br />
|[http://www.synack.ru www.synack.ru]||ДА||Хороший blog по *BSD \ Linux \ VoIP и др.<br />
|-<br />
|[https://calomel.org calomel.org]||ДА||Богатый сборник how-to по OpenBSD. Актуализирован под OpenBSD 5.x!<br />
|-<br />
|[http://www.lissyara.su www.lissyara.su]||4.x||Личный сайт BSD’шника под ником '''lissyara''', богатый справочник по FreeBSD и OpenBSD.<br />Актуален для старых версий.<br />
|-<br />
|[http://habrahabr.ru/search/?q=openbsd habrahabr.ru]||Сомнительно||Сверхпопулярный IT-blog. Доступные на нем записи о OpenBSD.<br />
|-<br />
|[http://www.kernel-panic.it/openbsd.html www.kernel-panic.it]||Сомнительно||Сборник руководств по OpenBSD.<br />
|-<br />
|[https://www.dmoz.org www.dmoz.org]||Неизвестно||Сборник статей по OpenBSD.<br />
|-<br />
|[http://www.monkey.org/misc www.monkey.org]||Неизвестно||OpenBSD is for monkeys<br />
|-<br />
|[http://www.trumpetpower.com/OpenBSD/Meta-FAQ www.trumpetpower.com]||Неизвестно||OpenBSD Meta-FAQ<br />
|-<br />
|[http://www.infobsd.org/default.htm www.infobsd.org]||Неизвестно||InfoBSD<br />
|-<br />
|[http://tuxmobil.org/mobile_bsd.html tuxmobil.org]||Неизвестно||FreeBSD, NetBSD, OpenBSD, DragonFly and Mobile Computers (Laptops, Notebooks, PDAs, Mobile Phones)<br />
|-<br />
|[http://blog.bronevichok.ru/ blog.bronevichok.ru]||Да||Блог Сергея Бронникова<br />
|-<br />
|[http://www.read-and-think.org/openbsd5_tools_xterm_fvwm_fonts.html www.read-and-think.org]||Да||Библия для людей, работающих с командной строкой. Так же по ссылке масса информации по настройке русского языка и шрифтов в OpenBSD и UTF-8.<br />
|-<br />
|}<br />
<br />
=== Отдельные информационные статьи, записки, заметки ===<br />
<br />
{| class="wikitable collapsible"<br />
!colspan="3" style="background:#FFCC00"|Перечень статей<br />
|-<br />
!Ресурс||Актуальность||Описание<br />
|-<br />
|[http://www.vpnc.org/InteropProfiles/OpenBSD.html www.vpnc.org]||-||OpenBSD Documentation Examples for IPsec Interoperability<br />
|-<br />
|[http://www.nomoa.com/bsd/index.html www.nomoa.com]||-||Установка и настройка OpenBSD сервера<br />
|-<br />
|[http://www.realo.ca/BSDinstall.html www.realo.ca]||-||A Step-by-Step Guide to Building an OpenBSD PPPoE Gateway, with Firewall<br />
|-<br />
|[http://pestilenz.org/~bauerm/tor-openbsd-howto.html pestilenz.org]||-||Установка Tor Wiki в Apache chroot<br />
|-<br />
|[http://disorder.ru/archives/category/openbsd disorder.ru]||-||Александр Юрченко является разработчиком OpenBSD из России. Ведёт заметки об OpenBSD на своём блоге<br />
|-<br />
|[http://citforum.ru/operating_systems/openbsd citforum.ru]||-|| Документация по OpenBSD на citforum.ru<br />
|}<br />
<br />
== Недействующие ==<br />
<br />
Информацию можно просмотреть через [http://archive.org/web/web.php archive.org]<br />
<br />
{| class="wikitable collapsible"<br />
!colspan="2" style="background:#FFCC00"|Архив сайтов<br />
|-<br />
!Ресурс||Описание<br />
|-<br />
|[http://web.archive.org/web/*/http://openbsd.ru openbsd.ru]||Главный портал русскоязычного сообщества OpenBSD.<br />
|-<br />
|[http://web.archive.org/web/*/http://openbsd101.com openbsd101.com]||Сборник how-to для начинающих.<br />
|-<br />
|[http://web.archive.org/web/*/http://kaw.ath.cx/openbsd/?FuguIta FuguIta]||Проект FuguIta в рамках которого формируют LiveCD сборки OpenBSD.<br />
|-<br />
|[http://web.archive.org/web/*/http://www.synack.ru www.synack.ru]||Хороший blog по *BSD \ Linux \ VoIP и др.<br />
|-<br />
|[http://web.archive.org/web/*/https://www.dmoz.org www.dmoz.org]||Сборник статей по OpenBSD.<br />
|-<br />
|[http://web.archive.org/web/*/http://www.infobsd.org www.infobsd.org]||InfoBSD.<br />
|}<br />
<br />
[[Категория:Общая информация]]</div>Sshhttp://www.qbsd.ru/index.php?title=OpenBSD_%D0%BD%D0%B0_%D1%80%D0%B0%D0%B1%D0%BE%D1%87%D0%B5%D0%B9_%D1%81%D1%82%D0%B0%D0%BD%D1%86%D0%B8%D0%B8&diff=435OpenBSD на рабочей станции2015-12-28T06:21:38Z<p>Ssh: /* Настройка производительности */</p>
<hr />
<div>Вольный перевод статьи [http://eradman.com Eric Radman] [http://eradman.com/posts/openbsd-workstation.html An OpenBSD Workstation] с некоторыми дополнениями учитывающими изменения пришедшие в свежих релизах.<br />
<br />
== Выключение системы нажатием на кнопку питания ==<br />
<br />
Безопасное выключение компьютера нажатием на кнопку питания возможно после передачи ядру параметра: <br />
<pre># /etc/sysctl.conf<br />
hw.allowpowerdown=1</pre><br />
Параметр может быть установлен только до перехода системы к уровню безопасности 1, подробнее в [http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man7/securelevel.7?query=securelevel securelevel(7)].<br />
<br />
== Больше никаких раздражающих сигналов ==<br />
<br />
Одна из многих вещей, которую узнаешь прочитав [http://nostarch.com/obenbsd2e Absolute OpenBSD] - это как отключить раздражающий [http://en.wikipedia.org/wiki/Bell_character сигнал]:<br />
<pre># /etc/wsconsctl.conf<br />
keyboard.bell.volume=0</pre><br />
<br />
Начиная с релиза [http://www.openbsd.org/54.html 5.4] способ с '''wsconsctl''' больше не работает. Отключить сигнал можно так:<br />
<pre># ~/.xinitrc<br />
xset -b</pre><br />
или<br />
<pre># /etc/rc.conf.local<br />
mixerctl inputs.spkr.mute=on</pre><br />
<br />
== Монтирование съемных устройств пользователем ==<br />
<br />
Удобно, когда можно смонтировать DVD или флеш-носитель без повышения привилегий, используя для этого членство в группе '''operator'''.<br />
<pre># usermod -G operator eradman<br />
# chmod g=rw /dev/cd0*</pre><br />
Остаётся изменить параметр ядра и можно пользоваться.<br />
<pre># sysctl kern.usermount=1</pre><br />
<pre>$ mkdir -p mount/cdrom<br />
$ mount /dev/cd0c mount/cdrom</pre><br />
<br />
== Suspend & Resume ==<br />
<br />
OpenBSD обладает хорошей поддержкой ACPI, подробнее в [http://www.openbsd.org/cgi-bin/man.cgi?query=apmd&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html apmd(8)]. zzz и ZZZ быстрый способ перехода в режимы suspend и hibernate, если apmd запускается при загрузке.<br />
<pre># rc.conf.local<br />
apmd_flags="-A"</pre><br />
"'''-A'''" будет автоматически масштабировать частоту CPU для оптимального энергопотребления.<br />
<br />
Начиная с выпуска [http://www.openbsd.org/56.html 5.6], управление сервисами осуществляется посредством утилиты [http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/rcctl.8?query=rcctl rcctl(8)].<br />
<pre># rcctl getdef apmd <br />
apmd_flags=NO<br />
&#8230;<br />
# rcctl enable apmd<br />
&#8230;<br />
# rcctl getdef apmd <br />
apmd_flags=</pre><br />
<br />
== X Configuration: .xinitrc ==<br />
<br />
<pre># ~/.xinitrc<br />
<br />
redshift -O 5600<br />
<br />
while true; do<br />
batt="$(sysctl -n hw.sensors.acpibat0.watthour3 | cut -f1,2 -d" ")"<br />
xsetroot -name "$batt"<br />
sleep 60<br />
done &<br />
xsetroot -solid steelblue &<br />
exec dwm</pre><br />
<br />
[http://jonls.dk/redshift/ redshift] утилита предназначена для регулировки цветовой температуры экрана в зависимости от вашего окружения. Это работает и в случае ручной регулировки цветовой температуры. Например, подсветка экрана IBM T60p автора статьи по умолчанию "холодная", поэтому он изменяет значение цветовую температуры с 6500K до 5600K. <br />
<br />
Запускаем циклический опрос сенсора времени жизни батареи (battery life (Wh)) с интервалом один раз в 60 сек, а полученное значение выводим "поверх" корневого окна. <br />
<br />
Установим цвет фона и запустить свой любимый менеджер окон.<br />
<br />
==Переключение на внешний монитор==<br />
Разрешение дисплея на рабочем месте немного выше чем дисплея ноутбука, небольшой скрипт для переключения на внешний монитор:<br />
<pre>#!/bin/sh<br />
xrandr --output LVDS --off<br />
xrandr --output VGA-0 --off<br />
xrandr --output DVI-0 --auto<br />
redshift -O 6200</pre><br />
<br />
По моему опыту, X11 иногда скрывает курсор мыши, если возобновление работы системы происходило при подключенном внешнем мониторе. Для решения я использовал [http://sourceforge.net/projects/unclutter/ unclutter] - утилиту скрывающую курсор мыши когда он неподвижен и восстанавливающую его как только он переместился.<br />
<pre>pkill unclutter<br />
unclutter -idle 1 -root -grab -visible &</pre><br />
<br />
Лично мне больше нравится немного другой вариант:<br />
<pre>xrandr --query | grep "VGA1 connected" && xrandr --output LVDS1 --off --output VGA1 --mode 1920x1080</pre><br />
<br />
==Подключение проектора==<br />
<br />
Если X-сервер запускается когда проектор подключен к VGA порту, то скорее всего сервер установит для встроенного и внешнего дисплеев одинаковое разрешение. На T60 например, это можно изменить:<br />
<pre>xrandr --output LVDS --mode 1400x1050</pre><br />
<br />
Используя --query можно узнать какие режимы поддерживаются дисплеем, then I set up a viewport that pans with the mouse pointer<br />
<pre>xrandr --output VGA-0 --mode 1024x768 --panning 1400x1050</pre><br />
<br />
Так же, я добавил в .xinitrc команды для автоматической конфигурации дисплеев, если при запуске X-сервера внешний монитор уже подключен:<br />
<pre>xrandr --query | grep "DVI-0 connected" && ~/bin/docked-dvi<br />
xrandr --query | grep "VGA-0 connected" && ~/bin/docked-vga</pre><br />
<br />
==tmux - мультиплексор терминалов==<br />
<br />
Несколько дополнений в мою конфигурацию мультиплексора терминалов. Я часто запускаю [http://entrproject.org/ entr] в небольшой панели снизу. <br />
<pre>bind-key C-t split-window -p 25</pre><br />
<br />
Не знаю палитры цветов терминала, но её можно распечатать:<br />
<pre>#!/bin/ksh<br />
<br />
for i in `jot 255`; do<br />
printf "\033[38;5;${i}mcolour${i}\n"<br />
done</pre><br />
<br />
Фон строки состояния и границы активного окна ярко-зеленый:<br />
<pre>set -g status-bg colour118<br />
set -g pane-active-border-fg colour118<br />
set -g pane-border-fg colour30</pre><br />
<br />
Таблица с сопоставлением [["Горячие" клавиши tmux и screen | клавиатурных комбинаций для tmux и screen]]<br />
<br />
==Использование шифрования для дисков==<br />
OpenBSD предоставляет программный RAID как виртуальный хост-адаптер шины ([https://ru.wikipedia.org/wiki/HBA HBA]). Также HBA применяется для настройки и использования шифрования дисков. Посредством [http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/disklabel.8 disklabel(8)] установим тип раздела RAID (в оригинальной статье автор использует блочное устройство '''/dev/sd0c''' как шифрованный том, монтируемый в '''/home'''): <br />
<pre>$ sudo disklabel -E /dev/sd0c<br />
Label editor (enter '?' for help at any prompt)<br />
g: 55641600 100653824 RAID<br />
> m g<br />
offset: [100653824]<br />
size: [55641600]<br />
FS type: [4.2BSD] RAID</pre><br />
<br />
Для настройки шифрования используем [http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/bioctl.8 bioctl(8)] с параметром -c C: <br />
<pre># bioctl -c C -l /dev/sd0g softraid0<br />
New passphrase: My Crypto Pass Phrase<br />
Re-type passphrase: My Crypto Pass Phrase<br />
softraid0: CRYPTO volume attached as sd1</pre><br />
<br />
Монтирование выполняется той же командой, журнал ядра сообщит о появлении нового виртуального устройства:<br />
<pre>sd1 at scsibus2 targ 1 lun 0: &lt;OPENBSD, SR CRYPTO, 005&gt; SCSI2 0/direct fixed<br />
sd1: 27168MB, 512 bytes/sector, 55641072 sectors</pre><br />
<br />
Разметим и отформатируем шифрованный том:<br />
<pre>$ sudo disklabel -E /dev/sd1c<br />
...<br />
$ sudo newfs /dev/rsd1a</pre><br />
<br />
Устройства в OpenBSD могут монтироваться по имени или с использованием disklabel UID, который случайным образом генерируется при разметке:<br />
<pre>$ disklabel /dev/sd1a | grep uid<br />
duid: 779d87bac3905122</pre><br />
<br />
Полученный UID используется для монтирования тома, что позволяет избежать путаницы при. Код ниже, позволит выполнить четыре попытки ввода ключевой фразы для дешифрации тома:<br />
<pre>#/etc/rc.local<br />
for attept in 1 2 3 4; do<br />
bioctl -c C -l c3e2f405c96a8e10.g softraid0 && break<br />
sleep 1<br />
done<br />
fsck /dev/rsd1a<br />
mount -o nodev,nosuid,softdep 779d87bac3905122.a /home</pre><br />
<br />
Если необходим полностью шифрованный загрузочный том, ознакомьтесь с [http://www.tedunangst.com/flak/post/OpenBSD-softraid-crypto-boot публикацией] Ted Unangst.<br />
<br />
==Уменьшим "возню" с паролями с помощью YubiKey==<br />
<br />
[https://www.yubico.com/ Yubico] выпускают небольшие аппаратные ключи, которые используются для авторизации с использованием одноразовых паролей ([https://ru.wikipedia.org/wiki/%D0%9E%D0%B4%D0%BD%D0%BE%D1%80%D0%B0%D0%B7%D0%BE%D0%B2%D1%8B%D0%B9_%D0%BF%D0%B0%D1%80%D0%BE%D0%BB%D1%8C OTP]). Yubikey-personalization-gui - это QT-приложение, которое может быть использовано для записи приватных ключей в один из двух слотов. Запишите без пробелов 6-байт в файл приватной? идентификации и 16-байт в файл ключа: <br />
<pre>echo "5c e1 e0 3e 63 a4" \<br />
| tr -d ' ' > /var/db/yubikey/$USER.id<br />
echo "57 e3 af 3e 9b 51 2b 10 58 7d 33 fb d9 08 ef 7b" \<br />
| tr -d ' ' > /var/db/yubikey/$USER.key<br />
chmod 600 /var/db/yubikey/$USER.*</pre><br />
<br />
Настроим YubiKey в качестве метода локальной авторизации и авторизации через SSH. <br />
<br />
<pre># Default allowed authentication styles<br />
auth-defaults:auth=yubikey,passwd,skey:</pre><br />
<br />
Перестроим БД авторизации - '''login.conf'''<br />
<br />
<pre>cap_mkdb /etc/login.conf</pre><br />
<br />
Для уменьшения количества вводимых символов, второй слот YubiKey используется как относительно безопасный метод активации [http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&format=html ssh-agent], что позволяет соединяться с удалёнными системами, на которых уже присутствует мой публичный ключ (RSA, DSA, ECDSA). Для этого, используя yubikey-personalization-gui создайте случайный ключ, а затем установите слот 2 в режим "запрос-ответ" (challеnge-response): <br />
<br />
<pre>hexkey=$(echo "dd b6 68 81 c9 73 f9 64 84 21 7e f0 69 e8 2c 28 1b 6c ad e2" | tr -d ' ')<br />
ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -a $hexkey</pre><br />
<br />
Затем создайте новую пару SSH-ключей с помощью ответов ykchalresp. Скрипт ykauth, установлен в ~/bin.<br />
<br />
<pre>#!/bin/sh<br />
ykchalresp -2 "$(whoami)@$(hostname)" | cut -c 1-15</pre><br />
<br />
И наконец, настроим автоматическую активацию ключей при входе в систему:<br />
<br />
<pre>ssh-add -l > /dev/null 2>&1 || {<br />
eval `ssh-agent`<br />
DISPLAY='' SSH_ASKPASS='/home/eradman/bin/ykauth' ssh-add < /dev/null<br />
exec ksh<br />
}</pre><br />
<br />
==Настройка производительности==<br />
<br />
Нет документов описывающих способы адаптации OpenBSD для рабочей станции. Я делаю следующие изменения. Первое, позволяю приложениям использовать больше оперативной памяти:<br />
<br />
<pre># /etc/login.conf<br />
staff:\<br />
:datasize-cur=2048M:\<br />
:datasize-max=2048M:\<br />
:datasize=2048M:\<br />
:openfiles-cur=1024:\<br />
:stacksize-cur=16M:\</pre><br />
<br />
Если знаете другие способы улучшить производительность, пожалуйста [mailto:ericshane@eradman.com сообщите] их автору.<br />
<br />
==Блокировка экрана==<br />
<br />
Для автоматической блокировки экрана после 5 минут неактивности, добавьте указанный ниже код в '''~/.xinitrc''': <br />
<pre>xidle -timeout 300 -program "/usr/X11R6/bin/xlock -mode blank" &</pre><br />
<br />
Чтобы это сработало когда система переходит в режим сна (suspended), необходимо в '''/etc/apm/suspend''' добавить сигнал '''xidle''' для запуска программы блокировки. <br />
<br />
<pre>#!/bin/sh<br />
pkill -USR1 xidle</pre><br />
<br />
==Смена сетевого подключения==<br />
<br />
Переключение из одной сети в другую, например из беспроводной в проводную, не является очевидным в BSD. <br />
<br />
Во-первых, необходимо остановить dhcp-клиент, чтобы исключить попытки повторной активации сетевого интерфейса: <br />
<br />
<pre>pkill dhclient</pre><br />
<br />
Затем удалить установленный IP-адрес и деактивировать сетевой интерфейс:<br />
<br />
<pre>ifconfig wpi0 -inet down</pre><br />
<br />
Удаление IP-адреса так же сбрасывает локальные маршруты. Сбросить все прочие маршруты:<br />
<br />
<pre>route -n flush</pre><br />
<br />
-n предотвращает попытки route пытаться разрешать имена хостов.<br />
<br />
Если для подключения к беспроводной сети использовался WPA, следует удалить параметры подключения к сети, чтобы получать широковещательные SSID других сетей: <br />
<br />
<pre>ifconfig wpi0 nwid "Mobile Hotspot" wpa wpakey 09123456789<br />
ifconfig wpi0 -nwid -wpa -wpakey # use broadcast id</pre></div>Sshhttp://www.qbsd.ru/index.php?title=OpenBSD_%D0%BD%D0%B0_%D1%80%D0%B0%D0%B1%D0%BE%D1%87%D0%B5%D0%B9_%D1%81%D1%82%D0%B0%D0%BD%D1%86%D0%B8%D0%B8&diff=434OpenBSD на рабочей станции2015-12-28T06:18:34Z<p>Ssh: /* Переключение на внешний монитор */</p>
<hr />
<div>Вольный перевод статьи [http://eradman.com Eric Radman] [http://eradman.com/posts/openbsd-workstation.html An OpenBSD Workstation] с некоторыми дополнениями учитывающими изменения пришедшие в свежих релизах.<br />
<br />
== Выключение системы нажатием на кнопку питания ==<br />
<br />
Безопасное выключение компьютера нажатием на кнопку питания возможно после передачи ядру параметра: <br />
<pre># /etc/sysctl.conf<br />
hw.allowpowerdown=1</pre><br />
Параметр может быть установлен только до перехода системы к уровню безопасности 1, подробнее в [http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man7/securelevel.7?query=securelevel securelevel(7)].<br />
<br />
== Больше никаких раздражающих сигналов ==<br />
<br />
Одна из многих вещей, которую узнаешь прочитав [http://nostarch.com/obenbsd2e Absolute OpenBSD] - это как отключить раздражающий [http://en.wikipedia.org/wiki/Bell_character сигнал]:<br />
<pre># /etc/wsconsctl.conf<br />
keyboard.bell.volume=0</pre><br />
<br />
Начиная с релиза [http://www.openbsd.org/54.html 5.4] способ с '''wsconsctl''' больше не работает. Отключить сигнал можно так:<br />
<pre># ~/.xinitrc<br />
xset -b</pre><br />
или<br />
<pre># /etc/rc.conf.local<br />
mixerctl inputs.spkr.mute=on</pre><br />
<br />
== Монтирование съемных устройств пользователем ==<br />
<br />
Удобно, когда можно смонтировать DVD или флеш-носитель без повышения привилегий, используя для этого членство в группе '''operator'''.<br />
<pre># usermod -G operator eradman<br />
# chmod g=rw /dev/cd0*</pre><br />
Остаётся изменить параметр ядра и можно пользоваться.<br />
<pre># sysctl kern.usermount=1</pre><br />
<pre>$ mkdir -p mount/cdrom<br />
$ mount /dev/cd0c mount/cdrom</pre><br />
<br />
== Suspend & Resume ==<br />
<br />
OpenBSD обладает хорошей поддержкой ACPI, подробнее в [http://www.openbsd.org/cgi-bin/man.cgi?query=apmd&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html apmd(8)]. zzz и ZZZ быстрый способ перехода в режимы suspend и hibernate, если apmd запускается при загрузке.<br />
<pre># rc.conf.local<br />
apmd_flags="-A"</pre><br />
"'''-A'''" будет автоматически масштабировать частоту CPU для оптимального энергопотребления.<br />
<br />
Начиная с выпуска [http://www.openbsd.org/56.html 5.6], управление сервисами осуществляется посредством утилиты [http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/rcctl.8?query=rcctl rcctl(8)].<br />
<pre># rcctl getdef apmd <br />
apmd_flags=NO<br />
&#8230;<br />
# rcctl enable apmd<br />
&#8230;<br />
# rcctl getdef apmd <br />
apmd_flags=</pre><br />
<br />
== X Configuration: .xinitrc ==<br />
<br />
<pre># ~/.xinitrc<br />
<br />
redshift -O 5600<br />
<br />
while true; do<br />
batt="$(sysctl -n hw.sensors.acpibat0.watthour3 | cut -f1,2 -d" ")"<br />
xsetroot -name "$batt"<br />
sleep 60<br />
done &<br />
xsetroot -solid steelblue &<br />
exec dwm</pre><br />
<br />
[http://jonls.dk/redshift/ redshift] утилита предназначена для регулировки цветовой температуры экрана в зависимости от вашего окружения. Это работает и в случае ручной регулировки цветовой температуры. Например, подсветка экрана IBM T60p автора статьи по умолчанию "холодная", поэтому он изменяет значение цветовую температуры с 6500K до 5600K. <br />
<br />
Запускаем циклический опрос сенсора времени жизни батареи (battery life (Wh)) с интервалом один раз в 60 сек, а полученное значение выводим "поверх" корневого окна. <br />
<br />
Установим цвет фона и запустить свой любимый менеджер окон.<br />
<br />
==Переключение на внешний монитор==<br />
Разрешение дисплея на рабочем месте немного выше чем дисплея ноутбука, небольшой скрипт для переключения на внешний монитор:<br />
<pre>#!/bin/sh<br />
xrandr --output LVDS --off<br />
xrandr --output VGA-0 --off<br />
xrandr --output DVI-0 --auto<br />
redshift -O 6200</pre><br />
<br />
По моему опыту, X11 иногда скрывает курсор мыши, если возобновление работы системы происходило при подключенном внешнем мониторе. Для решения я использовал [http://sourceforge.net/projects/unclutter/ unclutter] - утилиту скрывающую курсор мыши когда он неподвижен и восстанавливающую его как только он переместился.<br />
<pre>pkill unclutter<br />
unclutter -idle 1 -root -grab -visible &</pre><br />
<br />
Лично мне больше нравится немного другой вариант:<br />
<pre>xrandr --query | grep "VGA1 connected" && xrandr --output LVDS1 --off --output VGA1 --mode 1920x1080</pre><br />
<br />
==Подключение проектора==<br />
<br />
Если X-сервер запускается когда проектор подключен к VGA порту, то скорее всего сервер установит для встроенного и внешнего дисплеев одинаковое разрешение. На T60 например, это можно изменить:<br />
<pre>xrandr --output LVDS --mode 1400x1050</pre><br />
<br />
Используя --query можно узнать какие режимы поддерживаются дисплеем, then I set up a viewport that pans with the mouse pointer<br />
<pre>xrandr --output VGA-0 --mode 1024x768 --panning 1400x1050</pre><br />
<br />
Так же, я добавил в .xinitrc команды для автоматической конфигурации дисплеев, если при запуске X-сервера внешний монитор уже подключен:<br />
<pre>xrandr --query | grep "DVI-0 connected" && ~/bin/docked-dvi<br />
xrandr --query | grep "VGA-0 connected" && ~/bin/docked-vga</pre><br />
<br />
==tmux - мультиплексор терминалов==<br />
<br />
Несколько дополнений в мою конфигурацию мультиплексора терминалов. Я часто запускаю [http://entrproject.org/ entr] в небольшой панели снизу. <br />
<pre>bind-key C-t split-window -p 25</pre><br />
<br />
Не знаю палитры цветов терминала, но её можно распечатать:<br />
<pre>#!/bin/ksh<br />
<br />
for i in `jot 255`; do<br />
printf "\033[38;5;${i}mcolour${i}\n"<br />
done</pre><br />
<br />
Фон строки состояния и границы активного окна ярко-зеленый:<br />
<pre>set -g status-bg colour118<br />
set -g pane-active-border-fg colour118<br />
set -g pane-border-fg colour30</pre><br />
<br />
Таблица с сопоставлением [["Горячие" клавиши tmux и screen | клавиатурных комбинаций для tmux и screen]]<br />
<br />
==Использование шифрования для дисков==<br />
OpenBSD предоставляет программный RAID как виртуальный хост-адаптер шины ([https://ru.wikipedia.org/wiki/HBA HBA]). Также HBA применяется для настройки и использования шифрования дисков. Посредством [http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/disklabel.8 disklabel(8)] установим тип раздела RAID (в оригинальной статье автор использует блочное устройство '''/dev/sd0c''' как шифрованный том, монтируемый в '''/home'''): <br />
<pre>$ sudo disklabel -E /dev/sd0c<br />
Label editor (enter '?' for help at any prompt)<br />
g: 55641600 100653824 RAID<br />
> m g<br />
offset: [100653824]<br />
size: [55641600]<br />
FS type: [4.2BSD] RAID</pre><br />
<br />
Для настройки шифрования используем [http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/bioctl.8 bioctl(8)] с параметром -c C: <br />
<pre># bioctl -c C -l /dev/sd0g softraid0<br />
New passphrase: My Crypto Pass Phrase<br />
Re-type passphrase: My Crypto Pass Phrase<br />
softraid0: CRYPTO volume attached as sd1</pre><br />
<br />
Монтирование выполняется той же командой, журнал ядра сообщит о появлении нового виртуального устройства:<br />
<pre>sd1 at scsibus2 targ 1 lun 0: &lt;OPENBSD, SR CRYPTO, 005&gt; SCSI2 0/direct fixed<br />
sd1: 27168MB, 512 bytes/sector, 55641072 sectors</pre><br />
<br />
Разметим и отформатируем шифрованный том:<br />
<pre>$ sudo disklabel -E /dev/sd1c<br />
...<br />
$ sudo newfs /dev/rsd1a</pre><br />
<br />
Устройства в OpenBSD могут монтироваться по имени или с использованием disklabel UID, который случайным образом генерируется при разметке:<br />
<pre>$ disklabel /dev/sd1a | grep uid<br />
duid: 779d87bac3905122</pre><br />
<br />
Полученный UID используется для монтирования тома, что позволяет избежать путаницы при. Код ниже, позволит выполнить четыре попытки ввода ключевой фразы для дешифрации тома:<br />
<pre>#/etc/rc.local<br />
for attept in 1 2 3 4; do<br />
bioctl -c C -l c3e2f405c96a8e10.g softraid0 && break<br />
sleep 1<br />
done<br />
fsck /dev/rsd1a<br />
mount -o nodev,nosuid,softdep 779d87bac3905122.a /home</pre><br />
<br />
Если необходим полностью шифрованный загрузочный том, ознакомьтесь с [http://www.tedunangst.com/flak/post/OpenBSD-softraid-crypto-boot публикацией] Ted Unangst.<br />
<br />
==Уменьшим "возню" с паролями с помощью YubiKey==<br />
<br />
[https://www.yubico.com/ Yubico] выпускают небольшие аппаратные ключи, которые используются для авторизации с использованием одноразовых паролей ([https://ru.wikipedia.org/wiki/%D0%9E%D0%B4%D0%BD%D0%BE%D1%80%D0%B0%D0%B7%D0%BE%D0%B2%D1%8B%D0%B9_%D0%BF%D0%B0%D1%80%D0%BE%D0%BB%D1%8C OTP]). Yubikey-personalization-gui - это QT-приложение, которое может быть использовано для записи приватных ключей в один из двух слотов. Запишите без пробелов 6-байт в файл приватной? идентификации и 16-байт в файл ключа: <br />
<pre>echo "5c e1 e0 3e 63 a4" \<br />
| tr -d ' ' > /var/db/yubikey/$USER.id<br />
echo "57 e3 af 3e 9b 51 2b 10 58 7d 33 fb d9 08 ef 7b" \<br />
| tr -d ' ' > /var/db/yubikey/$USER.key<br />
chmod 600 /var/db/yubikey/$USER.*</pre><br />
<br />
Настроим YubiKey в качестве метода локальной авторизации и авторизации через SSH. <br />
<br />
<pre># Default allowed authentication styles<br />
auth-defaults:auth=yubikey,passwd,skey:</pre><br />
<br />
Перестроим БД авторизации - '''login.conf'''<br />
<br />
<pre>cap_mkdb /etc/login.conf</pre><br />
<br />
Для уменьшения количества вводимых символов, второй слот YubiKey используется как относительно безопасный метод активации [http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&format=html ssh-agent], что позволяет соединяться с удалёнными системами, на которых уже присутствует мой публичный ключ (RSA, DSA, ECDSA). Для этого, используя yubikey-personalization-gui создайте случайный ключ, а затем установите слот 2 в режим "запрос-ответ" (challеnge-response): <br />
<br />
<pre>hexkey=$(echo "dd b6 68 81 c9 73 f9 64 84 21 7e f0 69 e8 2c 28 1b 6c ad e2" | tr -d ' ')<br />
ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -a $hexkey</pre><br />
<br />
Затем создайте новую пару SSH-ключей с помощью ответов ykchalresp. Скрипт ykauth, установлен в ~/bin.<br />
<br />
<pre>#!/bin/sh<br />
ykchalresp -2 "$(whoami)@$(hostname)" | cut -c 1-15</pre><br />
<br />
И наконец, настроим автоматическую активацию ключей при входе в систему:<br />
<br />
<pre>ssh-add -l > /dev/null 2>&1 || {<br />
eval `ssh-agent`<br />
DISPLAY='' SSH_ASKPASS='/home/eradman/bin/ykauth' ssh-add < /dev/null<br />
exec ksh<br />
}</pre><br />
<br />
==Настройка производительности==<br />
<br />
Нет документов описывающих способы адаптации OpenBSD для рабочей станции. Я делаю следующие изменения. Первое, позволяю приложениям использовать больше оперативной памяти:<br />
<br />
<pre># /etc/login.conf<br />
staff:\<br />
:datasize-cur=2048M:\<br />
:datasize-max=2048M:\<br />
:datasize=2048M:\<br />
:openfiles-cur=1024:\<br />
:stacksize-cur=16M:\</pre><br />
<br />
Если знаете другие способы улучшить производительность, пожалуйста [mailto:ericshane@eradman.com сообщите мне].<br />
<br />
==Блокировка экрана==<br />
<br />
Для автоматической блокировки экрана после 5 минут неактивности, добавьте указанный ниже код в '''~/.xinitrc''': <br />
<pre>xidle -timeout 300 -program "/usr/X11R6/bin/xlock -mode blank" &</pre><br />
<br />
Чтобы это сработало когда система переходит в режим сна (suspended), необходимо в '''/etc/apm/suspend''' добавить сигнал '''xidle''' для запуска программы блокировки. <br />
<br />
<pre>#!/bin/sh<br />
pkill -USR1 xidle</pre><br />
<br />
==Смена сетевого подключения==<br />
<br />
Переключение из одной сети в другую, например из беспроводной в проводную, не является очевидным в BSD. <br />
<br />
Во-первых, необходимо остановить dhcp-клиент, чтобы исключить попытки повторной активации сетевого интерфейса: <br />
<br />
<pre>pkill dhclient</pre><br />
<br />
Затем удалить установленный IP-адрес и деактивировать сетевой интерфейс:<br />
<br />
<pre>ifconfig wpi0 -inet down</pre><br />
<br />
Удаление IP-адреса так же сбрасывает локальные маршруты. Сбросить все прочие маршруты:<br />
<br />
<pre>route -n flush</pre><br />
<br />
-n предотвращает попытки route пытаться разрешать имена хостов.<br />
<br />
Если для подключения к беспроводной сети использовался WPA, следует удалить параметры подключения к сети, чтобы получать широковещательные SSID других сетей: <br />
<br />
<pre>ifconfig wpi0 nwid "Mobile Hotspot" wpa wpakey 09123456789<br />
ifconfig wpi0 -nwid -wpa -wpakey # use broadcast id</pre></div>Sshhttp://www.qbsd.ru/index.php?title=OpenBSD_%D0%BD%D0%B0_%D1%80%D0%B0%D0%B1%D0%BE%D1%87%D0%B5%D0%B9_%D1%81%D1%82%D0%B0%D0%BD%D1%86%D0%B8%D0%B8&diff=433OpenBSD на рабочей станции2015-12-28T06:17:57Z<p>Ssh: /* Переключение на внешний монитор */</p>
<hr />
<div>Вольный перевод статьи [http://eradman.com Eric Radman] [http://eradman.com/posts/openbsd-workstation.html An OpenBSD Workstation] с некоторыми дополнениями учитывающими изменения пришедшие в свежих релизах.<br />
<br />
== Выключение системы нажатием на кнопку питания ==<br />
<br />
Безопасное выключение компьютера нажатием на кнопку питания возможно после передачи ядру параметра: <br />
<pre># /etc/sysctl.conf<br />
hw.allowpowerdown=1</pre><br />
Параметр может быть установлен только до перехода системы к уровню безопасности 1, подробнее в [http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man7/securelevel.7?query=securelevel securelevel(7)].<br />
<br />
== Больше никаких раздражающих сигналов ==<br />
<br />
Одна из многих вещей, которую узнаешь прочитав [http://nostarch.com/obenbsd2e Absolute OpenBSD] - это как отключить раздражающий [http://en.wikipedia.org/wiki/Bell_character сигнал]:<br />
<pre># /etc/wsconsctl.conf<br />
keyboard.bell.volume=0</pre><br />
<br />
Начиная с релиза [http://www.openbsd.org/54.html 5.4] способ с '''wsconsctl''' больше не работает. Отключить сигнал можно так:<br />
<pre># ~/.xinitrc<br />
xset -b</pre><br />
или<br />
<pre># /etc/rc.conf.local<br />
mixerctl inputs.spkr.mute=on</pre><br />
<br />
== Монтирование съемных устройств пользователем ==<br />
<br />
Удобно, когда можно смонтировать DVD или флеш-носитель без повышения привилегий, используя для этого членство в группе '''operator'''.<br />
<pre># usermod -G operator eradman<br />
# chmod g=rw /dev/cd0*</pre><br />
Остаётся изменить параметр ядра и можно пользоваться.<br />
<pre># sysctl kern.usermount=1</pre><br />
<pre>$ mkdir -p mount/cdrom<br />
$ mount /dev/cd0c mount/cdrom</pre><br />
<br />
== Suspend & Resume ==<br />
<br />
OpenBSD обладает хорошей поддержкой ACPI, подробнее в [http://www.openbsd.org/cgi-bin/man.cgi?query=apmd&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html apmd(8)]. zzz и ZZZ быстрый способ перехода в режимы suspend и hibernate, если apmd запускается при загрузке.<br />
<pre># rc.conf.local<br />
apmd_flags="-A"</pre><br />
"'''-A'''" будет автоматически масштабировать частоту CPU для оптимального энергопотребления.<br />
<br />
Начиная с выпуска [http://www.openbsd.org/56.html 5.6], управление сервисами осуществляется посредством утилиты [http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/rcctl.8?query=rcctl rcctl(8)].<br />
<pre># rcctl getdef apmd <br />
apmd_flags=NO<br />
&#8230;<br />
# rcctl enable apmd<br />
&#8230;<br />
# rcctl getdef apmd <br />
apmd_flags=</pre><br />
<br />
== X Configuration: .xinitrc ==<br />
<br />
<pre># ~/.xinitrc<br />
<br />
redshift -O 5600<br />
<br />
while true; do<br />
batt="$(sysctl -n hw.sensors.acpibat0.watthour3 | cut -f1,2 -d" ")"<br />
xsetroot -name "$batt"<br />
sleep 60<br />
done &<br />
xsetroot -solid steelblue &<br />
exec dwm</pre><br />
<br />
[http://jonls.dk/redshift/ redshift] утилита предназначена для регулировки цветовой температуры экрана в зависимости от вашего окружения. Это работает и в случае ручной регулировки цветовой температуры. Например, подсветка экрана IBM T60p автора статьи по умолчанию "холодная", поэтому он изменяет значение цветовую температуры с 6500K до 5600K. <br />
<br />
Запускаем циклический опрос сенсора времени жизни батареи (battery life (Wh)) с интервалом один раз в 60 сек, а полученное значение выводим "поверх" корневого окна. <br />
<br />
Установим цвет фона и запустить свой любимый менеджер окон.<br />
<br />
==Переключение на внешний монитор==<br />
Разрешение дисплея на рабочем месте немного выше чем дисплея ноутбука, небольшой скрипт для переключения на внешний монитор:<br />
<pre>#!/bin/sh<br />
xrandr --output LVDS --off<br />
xrandr --output VGA-0 --off<br />
xrandr --output DVI-0 --auto<br />
redshift -O 6200</pre><br />
<br />
<br />
По моему опыту, X11 иногда скрывает курсор мыши, если возобновление работы системы происходило при подключенном внешнем мониторе. Для решения я использовал [http://sourceforge.net/projects/unclutter/ unclutter] - утилиту скрывающую курсор мыши когда он неподвижен и восстанавливающую его как только он переместился.<br />
<pre>pkill unclutter<br />
unclutter -idle 1 -root -grab -visible &</pre><br />
<br />
<br />
Лично мне больше нравится немного другой вариант:<br />
<pre>xrandr --query | grep "VGA1 connected" && xrandr --output LVDS1 --off --output VGA1 --mode 1920x1080</pre><br />
<br />
==Подключение проектора==<br />
<br />
Если X-сервер запускается когда проектор подключен к VGA порту, то скорее всего сервер установит для встроенного и внешнего дисплеев одинаковое разрешение. На T60 например, это можно изменить:<br />
<pre>xrandr --output LVDS --mode 1400x1050</pre><br />
<br />
Используя --query можно узнать какие режимы поддерживаются дисплеем, then I set up a viewport that pans with the mouse pointer<br />
<pre>xrandr --output VGA-0 --mode 1024x768 --panning 1400x1050</pre><br />
<br />
Так же, я добавил в .xinitrc команды для автоматической конфигурации дисплеев, если при запуске X-сервера внешний монитор уже подключен:<br />
<pre>xrandr --query | grep "DVI-0 connected" && ~/bin/docked-dvi<br />
xrandr --query | grep "VGA-0 connected" && ~/bin/docked-vga</pre><br />
<br />
==tmux - мультиплексор терминалов==<br />
<br />
Несколько дополнений в мою конфигурацию мультиплексора терминалов. Я часто запускаю [http://entrproject.org/ entr] в небольшой панели снизу. <br />
<pre>bind-key C-t split-window -p 25</pre><br />
<br />
Не знаю палитры цветов терминала, но её можно распечатать:<br />
<pre>#!/bin/ksh<br />
<br />
for i in `jot 255`; do<br />
printf "\033[38;5;${i}mcolour${i}\n"<br />
done</pre><br />
<br />
Фон строки состояния и границы активного окна ярко-зеленый:<br />
<pre>set -g status-bg colour118<br />
set -g pane-active-border-fg colour118<br />
set -g pane-border-fg colour30</pre><br />
<br />
Таблица с сопоставлением [["Горячие" клавиши tmux и screen | клавиатурных комбинаций для tmux и screen]]<br />
<br />
==Использование шифрования для дисков==<br />
OpenBSD предоставляет программный RAID как виртуальный хост-адаптер шины ([https://ru.wikipedia.org/wiki/HBA HBA]). Также HBA применяется для настройки и использования шифрования дисков. Посредством [http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/disklabel.8 disklabel(8)] установим тип раздела RAID (в оригинальной статье автор использует блочное устройство '''/dev/sd0c''' как шифрованный том, монтируемый в '''/home'''): <br />
<pre>$ sudo disklabel -E /dev/sd0c<br />
Label editor (enter '?' for help at any prompt)<br />
g: 55641600 100653824 RAID<br />
> m g<br />
offset: [100653824]<br />
size: [55641600]<br />
FS type: [4.2BSD] RAID</pre><br />
<br />
Для настройки шифрования используем [http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/bioctl.8 bioctl(8)] с параметром -c C: <br />
<pre># bioctl -c C -l /dev/sd0g softraid0<br />
New passphrase: My Crypto Pass Phrase<br />
Re-type passphrase: My Crypto Pass Phrase<br />
softraid0: CRYPTO volume attached as sd1</pre><br />
<br />
Монтирование выполняется той же командой, журнал ядра сообщит о появлении нового виртуального устройства:<br />
<pre>sd1 at scsibus2 targ 1 lun 0: &lt;OPENBSD, SR CRYPTO, 005&gt; SCSI2 0/direct fixed<br />
sd1: 27168MB, 512 bytes/sector, 55641072 sectors</pre><br />
<br />
Разметим и отформатируем шифрованный том:<br />
<pre>$ sudo disklabel -E /dev/sd1c<br />
...<br />
$ sudo newfs /dev/rsd1a</pre><br />
<br />
Устройства в OpenBSD могут монтироваться по имени или с использованием disklabel UID, который случайным образом генерируется при разметке:<br />
<pre>$ disklabel /dev/sd1a | grep uid<br />
duid: 779d87bac3905122</pre><br />
<br />
Полученный UID используется для монтирования тома, что позволяет избежать путаницы при. Код ниже, позволит выполнить четыре попытки ввода ключевой фразы для дешифрации тома:<br />
<pre>#/etc/rc.local<br />
for attept in 1 2 3 4; do<br />
bioctl -c C -l c3e2f405c96a8e10.g softraid0 && break<br />
sleep 1<br />
done<br />
fsck /dev/rsd1a<br />
mount -o nodev,nosuid,softdep 779d87bac3905122.a /home</pre><br />
<br />
Если необходим полностью шифрованный загрузочный том, ознакомьтесь с [http://www.tedunangst.com/flak/post/OpenBSD-softraid-crypto-boot публикацией] Ted Unangst.<br />
<br />
==Уменьшим "возню" с паролями с помощью YubiKey==<br />
<br />
[https://www.yubico.com/ Yubico] выпускают небольшие аппаратные ключи, которые используются для авторизации с использованием одноразовых паролей ([https://ru.wikipedia.org/wiki/%D0%9E%D0%B4%D0%BD%D0%BE%D1%80%D0%B0%D0%B7%D0%BE%D0%B2%D1%8B%D0%B9_%D0%BF%D0%B0%D1%80%D0%BE%D0%BB%D1%8C OTP]). Yubikey-personalization-gui - это QT-приложение, которое может быть использовано для записи приватных ключей в один из двух слотов. Запишите без пробелов 6-байт в файл приватной? идентификации и 16-байт в файл ключа: <br />
<pre>echo "5c e1 e0 3e 63 a4" \<br />
| tr -d ' ' > /var/db/yubikey/$USER.id<br />
echo "57 e3 af 3e 9b 51 2b 10 58 7d 33 fb d9 08 ef 7b" \<br />
| tr -d ' ' > /var/db/yubikey/$USER.key<br />
chmod 600 /var/db/yubikey/$USER.*</pre><br />
<br />
Настроим YubiKey в качестве метода локальной авторизации и авторизации через SSH. <br />
<br />
<pre># Default allowed authentication styles<br />
auth-defaults:auth=yubikey,passwd,skey:</pre><br />
<br />
Перестроим БД авторизации - '''login.conf'''<br />
<br />
<pre>cap_mkdb /etc/login.conf</pre><br />
<br />
Для уменьшения количества вводимых символов, второй слот YubiKey используется как относительно безопасный метод активации [http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&format=html ssh-agent], что позволяет соединяться с удалёнными системами, на которых уже присутствует мой публичный ключ (RSA, DSA, ECDSA). Для этого, используя yubikey-personalization-gui создайте случайный ключ, а затем установите слот 2 в режим "запрос-ответ" (challеnge-response): <br />
<br />
<pre>hexkey=$(echo "dd b6 68 81 c9 73 f9 64 84 21 7e f0 69 e8 2c 28 1b 6c ad e2" | tr -d ' ')<br />
ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -a $hexkey</pre><br />
<br />
Затем создайте новую пару SSH-ключей с помощью ответов ykchalresp. Скрипт ykauth, установлен в ~/bin.<br />
<br />
<pre>#!/bin/sh<br />
ykchalresp -2 "$(whoami)@$(hostname)" | cut -c 1-15</pre><br />
<br />
И наконец, настроим автоматическую активацию ключей при входе в систему:<br />
<br />
<pre>ssh-add -l > /dev/null 2>&1 || {<br />
eval `ssh-agent`<br />
DISPLAY='' SSH_ASKPASS='/home/eradman/bin/ykauth' ssh-add < /dev/null<br />
exec ksh<br />
}</pre><br />
<br />
==Настройка производительности==<br />
<br />
Нет документов описывающих способы адаптации OpenBSD для рабочей станции. Я делаю следующие изменения. Первое, позволяю приложениям использовать больше оперативной памяти:<br />
<br />
<pre># /etc/login.conf<br />
staff:\<br />
:datasize-cur=2048M:\<br />
:datasize-max=2048M:\<br />
:datasize=2048M:\<br />
:openfiles-cur=1024:\<br />
:stacksize-cur=16M:\</pre><br />
<br />
Если знаете другие способы улучшить производительность, пожалуйста [mailto:ericshane@eradman.com сообщите мне].<br />
<br />
==Блокировка экрана==<br />
<br />
Для автоматической блокировки экрана после 5 минут неактивности, добавьте указанный ниже код в '''~/.xinitrc''': <br />
<pre>xidle -timeout 300 -program "/usr/X11R6/bin/xlock -mode blank" &</pre><br />
<br />
Чтобы это сработало когда система переходит в режим сна (suspended), необходимо в '''/etc/apm/suspend''' добавить сигнал '''xidle''' для запуска программы блокировки. <br />
<br />
<pre>#!/bin/sh<br />
pkill -USR1 xidle</pre><br />
<br />
==Смена сетевого подключения==<br />
<br />
Переключение из одной сети в другую, например из беспроводной в проводную, не является очевидным в BSD. <br />
<br />
Во-первых, необходимо остановить dhcp-клиент, чтобы исключить попытки повторной активации сетевого интерфейса: <br />
<br />
<pre>pkill dhclient</pre><br />
<br />
Затем удалить установленный IP-адрес и деактивировать сетевой интерфейс:<br />
<br />
<pre>ifconfig wpi0 -inet down</pre><br />
<br />
Удаление IP-адреса так же сбрасывает локальные маршруты. Сбросить все прочие маршруты:<br />
<br />
<pre>route -n flush</pre><br />
<br />
-n предотвращает попытки route пытаться разрешать имена хостов.<br />
<br />
Если для подключения к беспроводной сети использовался WPA, следует удалить параметры подключения к сети, чтобы получать широковещательные SSID других сетей: <br />
<br />
<pre>ifconfig wpi0 nwid "Mobile Hotspot" wpa wpakey 09123456789<br />
ifconfig wpi0 -nwid -wpa -wpakey # use broadcast id</pre></div>Sshhttp://www.qbsd.ru/index.php?title=OpenBSD_%D0%BD%D0%B0_%D1%80%D0%B0%D0%B1%D0%BE%D1%87%D0%B5%D0%B9_%D1%81%D1%82%D0%B0%D0%BD%D1%86%D0%B8%D0%B8&diff=432OpenBSD на рабочей станции2015-12-28T05:24:12Z<p>Ssh: /* Suspend & Resume */</p>
<hr />
<div>Вольный перевод статьи [http://eradman.com Eric Radman] [http://eradman.com/posts/openbsd-workstation.html An OpenBSD Workstation] с некоторыми дополнениями учитывающими изменения пришедшие в свежих релизах.<br />
<br />
== Выключение системы нажатием на кнопку питания ==<br />
<br />
Безопасное выключение компьютера нажатием на кнопку питания возможно после передачи ядру параметра: <br />
<pre># /etc/sysctl.conf<br />
hw.allowpowerdown=1</pre><br />
Параметр может быть установлен только до перехода системы к уровню безопасности 1, подробнее в [http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man7/securelevel.7?query=securelevel securelevel(7)].<br />
<br />
== Больше никаких раздражающих сигналов ==<br />
<br />
Одна из многих вещей, которую узнаешь прочитав [http://nostarch.com/obenbsd2e Absolute OpenBSD] - это как отключить раздражающий [http://en.wikipedia.org/wiki/Bell_character сигнал]:<br />
<pre># /etc/wsconsctl.conf<br />
keyboard.bell.volume=0</pre><br />
<br />
Начиная с релиза [http://www.openbsd.org/54.html 5.4] способ с '''wsconsctl''' больше не работает. Отключить сигнал можно так:<br />
<pre># ~/.xinitrc<br />
xset -b</pre><br />
или<br />
<pre># /etc/rc.conf.local<br />
mixerctl inputs.spkr.mute=on</pre><br />
<br />
== Монтирование съемных устройств пользователем ==<br />
<br />
Удобно, когда можно смонтировать DVD или флеш-носитель без повышения привилегий, используя для этого членство в группе '''operator'''.<br />
<pre># usermod -G operator eradman<br />
# chmod g=rw /dev/cd0*</pre><br />
Остаётся изменить параметр ядра и можно пользоваться.<br />
<pre># sysctl kern.usermount=1</pre><br />
<pre>$ mkdir -p mount/cdrom<br />
$ mount /dev/cd0c mount/cdrom</pre><br />
<br />
== Suspend & Resume ==<br />
<br />
OpenBSD обладает хорошей поддержкой ACPI, подробнее в [http://www.openbsd.org/cgi-bin/man.cgi?query=apmd&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html apmd(8)]. zzz и ZZZ быстрый способ перехода в режимы suspend и hibernate, если apmd запускается при загрузке.<br />
<pre># rc.conf.local<br />
apmd_flags="-A"</pre><br />
"'''-A'''" будет автоматически масштабировать частоту CPU для оптимального энергопотребления.<br />
<br />
Начиная с выпуска [http://www.openbsd.org/56.html 5.6], управление сервисами осуществляется посредством утилиты [http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/rcctl.8?query=rcctl rcctl(8)].<br />
<pre># rcctl getdef apmd <br />
apmd_flags=NO<br />
&#8230;<br />
# rcctl enable apmd<br />
&#8230;<br />
# rcctl getdef apmd <br />
apmd_flags=</pre><br />
<br />
== X Configuration: .xinitrc ==<br />
<br />
<pre># ~/.xinitrc<br />
<br />
redshift -O 5600<br />
<br />
while true; do<br />
batt="$(sysctl -n hw.sensors.acpibat0.watthour3 | cut -f1,2 -d" ")"<br />
xsetroot -name "$batt"<br />
sleep 60<br />
done &<br />
xsetroot -solid steelblue &<br />
exec dwm</pre><br />
<br />
[http://jonls.dk/redshift/ redshift] утилита предназначена для регулировки цветовой температуры экрана в зависимости от вашего окружения. Это работает и в случае ручной регулировки цветовой температуры. Например, подсветка экрана IBM T60p автора статьи по умолчанию "холодная", поэтому он изменяет значение цветовую температуры с 6500K до 5600K. <br />
<br />
Запускаем циклический опрос сенсора времени жизни батареи (battery life (Wh)) с интервалом один раз в 60 сек, а полученное значение выводим "поверх" корневого окна. <br />
<br />
Установим цвет фона и запустить свой любимый менеджер окон.<br />
<br />
==Переключение на внешний монитор==<br />
Разрешение дисплея на рабочем месте немного выше чем дисплея ноутбука, небольшой скрипт для переключения на внешний монитор:<br />
<pre>#!/bin/sh<br />
xrandr --output LVDS --off<br />
xrandr --output VGA-0 --off<br />
xrandr --output DVI-0 --auto<br />
redshift -O 6200</pre><br />
<br />
Лично мне больше нравится немного другой вариант:<br />
<pre>xrandr --query | grep "VGA1 connected" && xrandr --output LVDS1 --off --output VGA1 --mode 1920x1080</pre><br />
<br />
==Подключение проектора==<br />
<br />
Если X-сервер запускается когда проектор подключен к VGA порту, то скорее всего сервер установит для встроенного и внешнего дисплеев одинаковое разрешение. На T60 например, это можно изменить:<br />
<pre>xrandr --output LVDS --mode 1400x1050</pre><br />
<br />
Используя --query можно узнать какие режимы поддерживаются дисплеем, then I set up a viewport that pans with the mouse pointer<br />
<pre>xrandr --output VGA-0 --mode 1024x768 --panning 1400x1050</pre><br />
<br />
Так же, я добавил в .xinitrc команды для автоматической конфигурации дисплеев, если при запуске X-сервера внешний монитор уже подключен:<br />
<pre>xrandr --query | grep "DVI-0 connected" && ~/bin/docked-dvi<br />
xrandr --query | grep "VGA-0 connected" && ~/bin/docked-vga</pre><br />
<br />
==tmux - мультиплексор терминалов==<br />
<br />
Несколько дополнений в мою конфигурацию мультиплексора терминалов. Я часто запускаю [http://entrproject.org/ entr] в небольшой панели снизу. <br />
<pre>bind-key C-t split-window -p 25</pre><br />
<br />
Не знаю палитры цветов терминала, но её можно распечатать:<br />
<pre>#!/bin/ksh<br />
<br />
for i in `jot 255`; do<br />
printf "\033[38;5;${i}mcolour${i}\n"<br />
done</pre><br />
<br />
Фон строки состояния и границы активного окна ярко-зеленый:<br />
<pre>set -g status-bg colour118<br />
set -g pane-active-border-fg colour118<br />
set -g pane-border-fg colour30</pre><br />
<br />
Таблица с сопоставлением [["Горячие" клавиши tmux и screen | клавиатурных комбинаций для tmux и screen]]<br />
<br />
==Использование шифрования для дисков==<br />
OpenBSD предоставляет программный RAID как виртуальный хост-адаптер шины ([https://ru.wikipedia.org/wiki/HBA HBA]). Также HBA применяется для настройки и использования шифрования дисков. Посредством [http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/disklabel.8 disklabel(8)] установим тип раздела RAID (в оригинальной статье автор использует блочное устройство '''/dev/sd0c''' как шифрованный том, монтируемый в '''/home'''): <br />
<pre>$ sudo disklabel -E /dev/sd0c<br />
Label editor (enter '?' for help at any prompt)<br />
g: 55641600 100653824 RAID<br />
> m g<br />
offset: [100653824]<br />
size: [55641600]<br />
FS type: [4.2BSD] RAID</pre><br />
<br />
Для настройки шифрования используем [http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/bioctl.8 bioctl(8)] с параметром -c C: <br />
<pre># bioctl -c C -l /dev/sd0g softraid0<br />
New passphrase: My Crypto Pass Phrase<br />
Re-type passphrase: My Crypto Pass Phrase<br />
softraid0: CRYPTO volume attached as sd1</pre><br />
<br />
Монтирование выполняется той же командой, журнал ядра сообщит о появлении нового виртуального устройства:<br />
<pre>sd1 at scsibus2 targ 1 lun 0: &lt;OPENBSD, SR CRYPTO, 005&gt; SCSI2 0/direct fixed<br />
sd1: 27168MB, 512 bytes/sector, 55641072 sectors</pre><br />
<br />
Разметим и отформатируем шифрованный том:<br />
<pre>$ sudo disklabel -E /dev/sd1c<br />
...<br />
$ sudo newfs /dev/rsd1a</pre><br />
<br />
Устройства в OpenBSD могут монтироваться по имени или с использованием disklabel UID, который случайным образом генерируется при разметке:<br />
<pre>$ disklabel /dev/sd1a | grep uid<br />
duid: 779d87bac3905122</pre><br />
<br />
Полученный UID используется для монтирования тома, что позволяет избежать путаницы при. Код ниже, позволит выполнить четыре попытки ввода ключевой фразы для дешифрации тома:<br />
<pre>#/etc/rc.local<br />
for attept in 1 2 3 4; do<br />
bioctl -c C -l c3e2f405c96a8e10.g softraid0 && break<br />
sleep 1<br />
done<br />
fsck /dev/rsd1a<br />
mount -o nodev,nosuid,softdep 779d87bac3905122.a /home</pre><br />
<br />
Если необходим полностью шифрованный загрузочный том, ознакомьтесь с [http://www.tedunangst.com/flak/post/OpenBSD-softraid-crypto-boot публикацией] Ted Unangst.<br />
<br />
==Уменьшим "возню" с паролями с помощью YubiKey==<br />
<br />
[https://www.yubico.com/ Yubico] выпускают небольшие аппаратные ключи, которые используются для авторизации с использованием одноразовых паролей ([https://ru.wikipedia.org/wiki/%D0%9E%D0%B4%D0%BD%D0%BE%D1%80%D0%B0%D0%B7%D0%BE%D0%B2%D1%8B%D0%B9_%D0%BF%D0%B0%D1%80%D0%BE%D0%BB%D1%8C OTP]). Yubikey-personalization-gui - это QT-приложение, которое может быть использовано для записи приватных ключей в один из двух слотов. Запишите без пробелов 6-байт в файл приватной? идентификации и 16-байт в файл ключа: <br />
<pre>echo "5c e1 e0 3e 63 a4" \<br />
| tr -d ' ' > /var/db/yubikey/$USER.id<br />
echo "57 e3 af 3e 9b 51 2b 10 58 7d 33 fb d9 08 ef 7b" \<br />
| tr -d ' ' > /var/db/yubikey/$USER.key<br />
chmod 600 /var/db/yubikey/$USER.*</pre><br />
<br />
Настроим YubiKey в качестве метода локальной авторизации и авторизации через SSH. <br />
<br />
<pre># Default allowed authentication styles<br />
auth-defaults:auth=yubikey,passwd,skey:</pre><br />
<br />
Перестроим БД авторизации - '''login.conf'''<br />
<br />
<pre>cap_mkdb /etc/login.conf</pre><br />
<br />
Для уменьшения количества вводимых символов, второй слот YubiKey используется как относительно безопасный метод активации [http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&format=html ssh-agent], что позволяет соединяться с удалёнными системами, на которых уже присутствует мой публичный ключ (RSA, DSA, ECDSA). Для этого, используя yubikey-personalization-gui создайте случайный ключ, а затем установите слот 2 в режим "запрос-ответ" (challеnge-response): <br />
<br />
<pre>hexkey=$(echo "dd b6 68 81 c9 73 f9 64 84 21 7e f0 69 e8 2c 28 1b 6c ad e2" | tr -d ' ')<br />
ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -a $hexkey</pre><br />
<br />
Затем создайте новую пару SSH-ключей с помощью ответов ykchalresp. Скрипт ykauth, установлен в ~/bin.<br />
<br />
<pre>#!/bin/sh<br />
ykchalresp -2 "$(whoami)@$(hostname)" | cut -c 1-15</pre><br />
<br />
И наконец, настроим автоматическую активацию ключей при входе в систему:<br />
<br />
<pre>ssh-add -l > /dev/null 2>&1 || {<br />
eval `ssh-agent`<br />
DISPLAY='' SSH_ASKPASS='/home/eradman/bin/ykauth' ssh-add < /dev/null<br />
exec ksh<br />
}</pre><br />
<br />
==Настройка производительности==<br />
<br />
Нет документов описывающих способы адаптации OpenBSD для рабочей станции. Я делаю следующие изменения. Первое, позволяю приложениям использовать больше оперативной памяти:<br />
<br />
<pre># /etc/login.conf<br />
staff:\<br />
:datasize-cur=2048M:\<br />
:datasize-max=2048M:\<br />
:datasize=2048M:\<br />
:openfiles-cur=1024:\<br />
:stacksize-cur=16M:\</pre><br />
<br />
Если знаете другие способы улучшить производительность, пожалуйста [mailto:ericshane@eradman.com сообщите мне].<br />
<br />
==Блокировка экрана==<br />
<br />
Для автоматической блокировки экрана после 5 минут неактивности, добавьте указанный ниже код в '''~/.xinitrc''': <br />
<pre>xidle -timeout 300 -program "/usr/X11R6/bin/xlock -mode blank" &</pre><br />
<br />
Чтобы это сработало когда система переходит в режим сна (suspended), необходимо в '''/etc/apm/suspend''' добавить сигнал '''xidle''' для запуска программы блокировки. <br />
<br />
<pre>#!/bin/sh<br />
pkill -USR1 xidle</pre><br />
<br />
==Смена сетевого подключения==<br />
<br />
Переключение из одной сети в другую, например из беспроводной в проводную, не является очевидным в BSD. <br />
<br />
Во-первых, необходимо остановить dhcp-клиент, чтобы исключить попытки повторной активации сетевого интерфейса: <br />
<br />
<pre>pkill dhclient</pre><br />
<br />
Затем удалить установленный IP-адрес и деактивировать сетевой интерфейс:<br />
<br />
<pre>ifconfig wpi0 -inet down</pre><br />
<br />
Удаление IP-адреса так же сбрасывает локальные маршруты. Сбросить все прочие маршруты:<br />
<br />
<pre>route -n flush</pre><br />
<br />
-n предотвращает попытки route пытаться разрешать имена хостов.<br />
<br />
Если для подключения к беспроводной сети использовался WPA, следует удалить параметры подключения к сети, чтобы получать широковещательные SSID других сетей: <br />
<br />
<pre>ifconfig wpi0 nwid "Mobile Hotspot" wpa wpakey 09123456789<br />
ifconfig wpi0 -nwid -wpa -wpakey # use broadcast id</pre></div>Sshhttp://www.qbsd.ru/index.php?title=OpenBSD-Wiki:%D0%A2%D0%B5%D0%BA%D1%83%D1%89%D0%B8%D0%B5_%D1%81%D0%BE%D0%B1%D1%8B%D1%82%D0%B8%D1%8F&diff=427OpenBSD-Wiki:Текущие события2015-09-09T06:56:13Z<p>Ssh: /* Актуальное */</p>
<hr />
<div>== Актуальное ==<br />
Собрано всё, что применимо к текущему релизу.<br />
<br />
* [[Введение в OpenBSD]]<br />
* [[Аппаратное обеспечение и вопросы]]<br />
* [[Деликатное проникновение в частную сеть]]<br />
* [[IPsec между OpenBSD и Linux Ubuntu]]<br />
* [[OpenSSH мини-руководство]]<br />
* [[OpenSSH: настройки, секреты, трюки и советы]]<br />
* [[OpenSSL: 101 прием работы]]<br />
* [[RSA/DSA аутентификация в OpenSSH]]<br />
* [[VPN на базе SSH]]<br />
* [[Использование файла mk.conf]]<br />
* [[Использование сетевой файловой системы NFS]]<br />
* [[Написание OpenBSD Loadable Kernel Modules (LKM)]]<br />
* [[Настройка sendmail]]<br />
* [[Настройка PPPoE-сервера]]<br />
* [[Настройка PPPoE-клиента с помощью pppoe(8)]]<br />
* [[Новое IPSec howto]]<br />
* [[Русификация OpenBSD 5.x]]<br />
* [[Русификация OpenBSD]]<br />
* [[Русификация консоли OpenBSD]]<br />
* [[Создание загрузочной флешки]]<br />
* [[Перечень Интернет ресурсов о OpenBSD]]<br />
* [[Описание переменных sysctl]]<br />
* [[Сборник советов с OpenBSD101.com]]<br />
* [[Работа в качестве DHCP-сервера]]<br />
* [[OpenBSD на рабочей станции]]<br />
* [["Горячие" клавиши tmux и screen]]<br />
* [[OpenBSD doas]]<br />
<br />
=== Переводы ===<br />
* [[C2k10-marco]]<br />
* [[C2k10-guenther]]<br />
* [[C2k10-ajacoutot]]<br />
* [[C2k10-henning]]<br />
* [[C2k10-tedu]]<br />
<br />
== Устаревшее ==<br />
Данная информация сохранена для архивных версий.<br />
<br />
* [[Зеркалирование данных с помощью ccd]]<br />
* [[Использование Bluetooth в OpenBSD]]<br />
* [[Настройка GPRS]]<br />
* [[Настройка Ethernet Bridge]]<br />
* [[Привязка IP к MAC с помощью bridge(4) и pf(4)]]<br />
<br />
== Прочее ==<br />
<br />
* [[Резервная копия Wiki]]</div>Sshhttp://www.qbsd.ru/index.php?title=OpenBSD-Wiki:%D0%A2%D0%B5%D0%BA%D1%83%D1%89%D0%B8%D0%B5_%D1%81%D0%BE%D0%B1%D1%8B%D1%82%D0%B8%D1%8F&diff=426OpenBSD-Wiki:Текущие события2015-09-09T06:55:39Z<p>Ssh: /* Актуальное */</p>
<hr />
<div>== Актуальное ==<br />
Собрано всё, что применимо к текущему релизу.<br />
<br />
* [[Введение в OpenBSD]]<br />
* [[Аппаратное обеспечение и вопросы]]<br />
* [[Деликатное проникновение в частную сеть]]<br />
* [[IPsec между OpenBSD и Linux Ubuntu]]<br />
* [[OpenSSH мини-руководство]]<br />
* [[OpenSSH: настройки, секреты, трюки и советы]]<br />
* [[OpenSSL: 101 прием работы]]<br />
* [[RSA/DSA аутентификация в OpenSSH]]<br />
* [[VPN на базе SSH]]<br />
* [[Использование файла mk.conf]]<br />
* [[Использование сетевой файловой системы NFS]]<br />
* [[Написание OpenBSD Loadable Kernel Modules (LKM)]]<br />
* [[Настройка sendmail]]<br />
* [[Настройка PPPoE-сервера]]<br />
* [[Настройка PPPoE-клиента с помощью pppoe(8)]]<br />
* [[Новое IPSec howto]]<br />
* [[Русификация OpenBSD 5.x]]<br />
* [[Русификация OpenBSD]]<br />
* [[Русификация консоли OpenBSD]]<br />
* [[Создание загрузочной флешки]]<br />
* [[Перечень Интернет ресурсов о OpenBSD]]<br />
* [[Описание переменных sysctl]]<br />
* [[Сборник советов с OpenBSD101.com]]<br />
* [[Работа в качестве DHCP-сервера]]<br />
* [[OpenBSD на рабочей станции]]<br />
* [["Горячие" клавиши tmux и screen]]<br />
* [[OpenBSD doas]]<br />
=== Переводы ===<br />
* [[C2k10-marco]]<br />
* [[C2k10-guenther]]<br />
* [[C2k10-ajacoutot]]<br />
* [[C2k10-henning]]<br />
* [[C2k10-tedu]]<br />
<br />
== Устаревшее ==<br />
Данная информация сохранена для архивных версий.<br />
<br />
* [[Зеркалирование данных с помощью ccd]]<br />
* [[Использование Bluetooth в OpenBSD]]<br />
* [[Настройка GPRS]]<br />
* [[Настройка Ethernet Bridge]]<br />
* [[Привязка IP к MAC с помощью bridge(4) и pf(4)]]<br />
<br />
== Прочее ==<br />
<br />
* [[Резервная копия Wiki]]</div>Sshhttp://www.qbsd.ru/index.php?title=OpenBSD_doas&diff=425OpenBSD doas2015-09-09T06:54:35Z<p>Ssh: </p>
<hr />
<div>Ted Unangst (tedu@) представил [http://www.tedunangst.com/flak/post/doas doas] — «легкую» замену '''sudo''' в OpenBSD, поддерживающую только основные функции. Начиная с OpenBSD 5.8, '''doas''' входит в состав базовой системы. Использовать '''doas''' очень просто, достаточно создать файл конфигурации '''/etc/doas.conf'''.<br />
<br />
* Либеральная OpenBSD система:<br /><pre>permit nopass keepenv { ENV PS1 SSH_AUTH_SOCK } :wheel</pre> Пользователи из группы '''wheel''' выполняют команды как '''root''' (используется по умолчанию, если не указан иной пользователь). Разрешено запускать любые команды без запроса пароля, значения переменных '''ENV''', '''PS1''' и '''SSH_AUTH_SOCK''' наследуются.<br />
<br />
* То же, что и выше, но с запросом пароля пользователя:<br /><pre>permit keepenv {ENV PS1 SSH_AUTH_SOCK} :wheel</pre><br />
<br />
* Разрешает пользователю bob выполнить '''/bin/sh''' как fred:<br /><pre>permit bob as fred cmd /bin/sh</pre><br />
<br />
* Запретить всё пользователям группы '''wheel''':<br /><pre>deny :wheel</pre><br />
<br />
<br />
Правила в '''doas.conf''' читаются сверху вниз, поэтому если запрещающее правило следует сразу за разрешающим, то разрешающее будет действовать, так как имеет приоритет. Кроме того, '''doas.conf''' должен завершаться пустой строкой.<br />
<br />
<br />
[http://www.badbug.id.au/doas-or-how-i-use-sudo-on-openbsd-5-8/ По мотивам]</div>Sshhttp://www.qbsd.ru/index.php?title=OpenBSD_doas&diff=424OpenBSD doas2015-09-09T03:51:14Z<p>Ssh: </p>
<hr />
<div>Ted Unangst (tedu@) представил [http://www.tedunangst.com/flak/post/doas doas] - замену '''sudo''' для OpenBSD, небольшую и поддерживающую только основные функции.<br />
<br />
Начиная с OpenBSD 5.8, '''doas''' входит в состав базовой системы. Использовать '''doas''' очень просто, достаточно создать файл конфигурации '''/etc/doas.conf'''.<br />
<br />
Либеральная OpenBSD система:<br />
<pre>permit nopass keepenv { ENV PS1 SSH_AUTH_SOCK } :wheel</pre><br />
<br />
Пользователи группы '''wheel''', выполняют команды от пользователя '''root''' (root используется по умолчанию, если не указан иной пользователь). Разрешено запускать любые команды без запроса пароля, значения переменных '''ENV''', '''PS1''' и '''SSH_AUTH_SOCK''' наследуются.<br />
<br />
Тоже, что и выше, но с запросом пароля пользователя:<br />
<pre>permit keepenv {ENV PS1 SSH_AUTH_SOCK} :wheel</pre><br />
<br />
Разрешает пользователю bob выполнить '''/bin/sh''' как fred:<br />
<pre>permit bob as fred cmd /bin/sh</pre><br />
<br />
Запретить всё пользователям группы '''wheel''':<br />
<pre>deny :wheel</pre><br />
<br />
Правила в '''doas.conf''' читаются сверху вниз, поэтому если запрещающее правило следует сразу за разрешающим, то разрешающее будет действовать, так как имеет приоритет. Кроме того, '''doas.conf''' должен завершаться пустой строкой.<br />
<br />
[http://www.badbug.id.au/doas-or-how-i-use-sudo-on-openbsd-5-8/ По мотивам]</div>Ssh