Dev {Tricks}

You are here: Home / Archives for Server and Hosting

by

Fail2Ban on iRedMail

  • How To Protect SSH with Fail2Ban on Debian 11

Check whether installed.

systemctl status fail2ban

Installed, but fail2ban not active or running

systemctl start fail2ban
systemctl enable fail2ban

To fail2ban error fix

fail2ban-client start

Installing Fail2ban, if not installed

sudo apt update
sudo apt install fail2ban

Check installation status

systemctl status fail2ban.service

Configuring Fail2ban

Configuration files of fail2ban service is in the /etc/fail2ban directory. There is a file with defaults called jail.conf. In this tutorial, you’ll create jail.local by copying jail.conf

cd /etc/fail2ban
sudo cp jail.conf jail.local

Now you can configure as per requirements

sudo vi jail.local

You can set bantime, findtime, maxretry and you can set destemail to receive email alert.

Individual Jail Settings

vi /etc/fail2ban/jail.local

By default, the SSH service is enabled and all others are disabled.

enabled = true

After configuring all restart

sudo systemctl restart fail2ban

Sample jail.local

#
# The fail2ban local definition file for the default settings.
#

[DEFAULT]
# Destination email for action that send you an email
destemail = hostbriz@gmail.com

# Sender email. Warning: not all actions take this into account. Make sure to test if you rely on this
sender = fail2ban@imail.hostbriz.com

# Default action. Will block user and send you an email with whois content and log lines.
action = %(action_mwl)s

# ignoreip can be a list of IP addresses, CIDR masks, or DNs hosts. Fail2ban
# # will not ban a host which matches an address in this list.
ignoreip = 127.0.0.1/8 ::1/128 27.147.130.62 123.200.16.218 203.4.187.252 157.119.236.11

# configure nftables
banaction = nftables-multiport
chain = input

# regular banning
bantime = 24h
findtime = 600
maxretry = 5

# "bantime.increment" allows to use database for searching of previously banned ip's to increase a
# default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32...
bantime.increment = true

# "bantime.rndtime" is the max number of seconds using for mixing with random time
# to prevent "clever" botnets calculate exact time IP can be unbanned again:
bantime.rndtime = 30m

# "bantime.maxtime" is the max number of seconds using the ban time can reach (don't grows further)
bantime.maxtime = 60d

# "bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier,
# default value of factor is 1 and with default value of formula, the ban time
# grows by 1, 2, 4, 8, 16 ...
bantime.factor = 2

# purge database entries after
dbpurgeage = 30d

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
mode = aggressive

[postfix]
enabled = true
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log
ignoreip = 127.0.0.1/8 ::1/128 91.229.0.0/24 27.147.130.62 123.200.16.218 203.4.187.252 157.119.236.11

 

 

by

Creating new user Debian

  • Initial Server Setup with Debian 11

1. Log in as root
This example creates a new user called suname

adduser suname

This will ask for New password and other information. You can leave other information blank.

Next, we’ll set up this new user with admin privileges.

Granting Administrative Privileges with sudo

usermod -aG sudo suname

 

 

by

Request a free cert from Let’s Encrypt

  • Secure iRedMail Server with Let’s Encrypt SSL Certificate

Before requesting a cert

The full hostname of your mail server.

hostname -f

Make sure you have correct DNS record for the host names

To check the DNS record, you can use dig command like below:

dig +short -t a mail.domainname.com

It should return the (public) IP address of your server.

Request a free cert from Let’s Encrypt

Check cert status

certbot certificates

If certbot not installed Install certbot tool that will be used to obtain a Let’s Encrypt SSL certificate or follow Let’s Encrypt official tutorial to install required certbot package: https://certbot.eff.org. it’s used to request cert.

 

 

by

iRedMain Checklist

Backup old emails

zip -r archive-name.zip directory-name

Test the ZIPed File if it is Valid

unzip -t archive-name.zip

For more zip and unzip command click here.

Install iRedMail on Debian or Ubuntu Linux

System Requirements

To install iRedMail on Debian or Ubuntu Linux, you need:

    • A FRESH, working Debian/Ubuntu Linux. [Supported OS]
    • At least 4 GB memory is required for a low traffic production mail server with spam/virus scanning enabled..
    • Make sure 3 UID/GID are not used by other user/group: 2000, 2001, 2002.

Preparations

On Debian/Ubuntu Linux, hostname is set in two files: /etc/hostname and /etc/hosts.

  • For short hostname, not Fully Qualified Domain Name (FQDN). 
    vi /etc/hostname

    Short hostname example

    imail
  • Static table lookup for hostnames. 
    vi /etc/hosts

    Part of file: /etc/hosts

    127.0.0.1 mx.example.com mx localhost localhost.localdomain

    Warning: Please list the FQDN hostname as first item.

Verify the FQDN hostname.

hostname -f

If it wasn’t changed after updating above two files, please reboot server to make it work.

Update software repositories

sudo apt update

Install available software updates

sudo apt upgrade

Enable default official Debian/Ubuntu apt repositories

  • iRedMail needs official Debian/Ubuntu apt repositories, please enable them in /etc/apt/sources.list. 
    cat /etc/apt/sources.list

    Usually the repositories with the description main are the official supported repositories.

  • Install package gzip so that you can uncompress downloaded iRedMail package. 
    sudo apt-get install gzip

Download the latest release of iRedMail

  • Download page
  • Upload it to your root directory or run 
    wget https://github.com/iredmail/iRedMail/archive/1.6.2.tar.gz
  • Uncompress iRedMail tarball on root 
    tar zxf iRedMail-x.y.z.tar.gz

    Replace x.y.z by the real version number

Start iRedMail installer

cd /root/iRedMail-x.y.z/
bash iRedMail.sh

Welcome and thanks for your use >> Press Enter

Specify location to store all mailboxes. Default is /var/vmail/. >> Press Enter

Choose backend used to store mail accounts. You can manage mail accounts with iRedAdmin, our web-based iRedMail admin panel.

Note
There’s no big difference between available backends, so it’s strongly recommended to choose the one you’re familiar with for easier management and maintenance after installation.

If you choose to store mail accounts in OpenLDAP, iRedMail installer will ask to set the LDAP suffix.

To MySQL/MariaDB/PostgreSQL users

If you choose to store mail accounts in MySQL/MariaDB/PostgreSQL, iRedMail installer will generate a random, strong password for you. You can find it in file iRedMail.tips.

Add your first mail domain name

Set password of admin account of your first mail domain.

Note: This account is an admin account and a mail user. That means you can login to webmail and admin panel (iRedAdmin) with this account, login username is full email address.

Choose optional components

Which webmail should you choose? Roundcube or SOGo?

  • Roundcube is a fast and lightweight webmail.
  • SOGo offers webmail, calendar (CalDAV), contacts (CardDAV) and ActiveSync.
  • It’s ok to install both, but you can only manage mail filters with Roundcube in this case.

 

by

Hardening Postfix For ISPConfig 3

Reverse DNS, (DNS PTR Record)

You can check your rdns with the command host:

host YOUE-IP

SPF For Your Domain (DNS TXT Record)

Copy the spf result, then go to ISPConfig -> dns -> zones ->click on your domain name -> click on records tab -> and click on TXT

Hostname -> example.com. (with dot at the end!)

Text -> Paste here the spf result

Example:

v=spf1 a mx ptr ip4:YOUR.IP.ADDRESS -all

Click on Save.

Postfix main.cf

Let’s add/change something to /etc/postfix/main.cf

Helo restrictions:

smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname

Strict rfc:

strict_rfc821_envelopes = yes

Clients restrictions:

smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf

Recipient restrictions:

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unknown_recipient_domain

Data restrictions:

smtpd_data_restrictions = reject_unauth_pipelining

Smtpd delay:

smtpd_delay_reject = yes

Reload postfix:

/etc/init.d/postfix reload

SPF Check For Postfix (Debian And Ubuntu)

Intstall spf package:

apt-get install postfix-policyd-spf-python

or

apt-get install postfix-policyd-spf-perl

Add this to /etc/postfix/main.cf :

policy-spf_time_limit = 3600s

and add check_policy_service unix:private/policy-spf at the end of smtpd_recipient_restrictions:

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination, reject_unknown_recipient_domain, check_policy_service unix:private/policy-spf

Now edit master.cf and add at the end this (for the python version):

policy-spf unix – n n – – spawn
user=nobody argv=/usr/bin/policyd-spf

or this for the perl version:

policy-spf unix – n n – – spawn
user=nobody argv=/usr/sbin/postfix-policyd-spf-perl

…reload postfix.

/etc/init.d/postfix reload

Greylist

Greylisting is a method of defending email users against spam. A mail transfer agent (MTA) using greylisting will “temporarily reject” any email from a sender it does not recognize. If the mail is legitimate the originating server will, after a delay, try again and, if sufficient time has elapsed, the email will be accepted.

Installing postgrey (Debian, Ubuntu):

apt-get install postgrey

The configuration options are in /etc/default/postgrey ( default delay is 5 min).

Edit main.cf and add check_policy_service inet:127.0.0.1:10023 to the end of smtpd_recipient_restrictions:

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination, reject_unknown_recipient_domain, check_policy_service unix:private/policy-spf,check_policy_service inet:127.0.0.1:10023

…reload postfix:

/etc/init.d/postfix reload

DNSBL (DNS Based Blacklist/Blocklist)