首页 > 代码库 > postfix+mariadb   空壳邮件 iptables

postfix+mariadb   空壳邮件 iptables

####################postfix+mariadb###################
1.准备工作
[root@westos-mail ~]# yum install mariadb php php-mysql httpd dovecot dovecot-mysql -y
安装有关软件
2.配置文件
[root@westos-mail ~]# vim /etc/dovecot/dovecot.conf
       24 protocols = imap pop3 lmtp
       48 login_trusted_networks = 0.0.0.0/0
       49 disable_plaintext_auth = no
[root@westos-mail ~]# vim /etc/dovecot/conf.d/10-auth.conf
       123 !include auth-sql.conf.ext
[root@westos-mail ~]# cd /etc/dovecot/conf.d
[root@westos-mail conf.d]# ls
10-auth.conf       20-imap.conf                 auth-dict.conf.ext
10-director.conf   20-lmtp.conf                 auth-ldap.conf.ext
10-logging.conf    20-pop3.conf                 auth-master.conf.ext
10-mail.conf       90-acl.conf                  auth-passwdfile.conf.ext
10-master.conf     90-plugin.conf               auth-sql.conf.ext
10-ssl.conf        90-quota.conf                auth-static.conf.ext
15-lda.conf        auth-checkpassword.conf.ext  auth-system.conf.ext
15-mailboxes.conf  auth-deny.conf.ext           auth-vpopmail.conf.ext
[root@westos-mail conf.d]# cp /usr/share/doc/dovecot-2.2.10/example-config/dovecot-sql.conf.ext /etc/dovecot/dovecot-sql.conf.ext
[root@westos-mail conf.d]# vim /etc/dovecot/dovecot-sql.conf.ext
  32 driver = mysql
  71 connect = host=localhost dbname=email user=postuser password=postuser
  78 default_pass_scheme = PLAIN
  107 password_query = \
  108   SELECT username, domain, password \
  109   FROM emailuser WHERE username = ‘%u‘ AND domain = ‘%d‘
  125    user_query = SELECT maildir, 666 AS uid, 666 AS gid FROM emailuser WHER    E username = ‘%u‘
[root@westos-mail conf.d]# vim 10-mail.conf
  30 mail_location = maildir:/home/vmail/%d/%n
  168 first_valid_uid = 666
  175 first_valid_gid = 666
[root@westos-mail conf.d]# yum install -y telnet
[root@westos-mail conf.d]# systemctl restart dovecot

测试
[root@westos-mail conf.d]# telnet 172.25.254.101 110
Trying 172.25.254.101...
Connected to 172.25.254.101.
Escape character is ‘^]‘.
+OK [XCLIENT] Dovecot ready.
user lee@lee.com                    
+OK
pass lee
+OK Logged in.
quit
+OK Logging out.
Connection closed by foreign host.




#################空壳邮件####################
1.先重置空壳端
2.配置
[root@localhost ~]# vim /etc/postfix/main.cf
 75 myhostname = nullmail.example.com     ##主机名
 83 mydomain = example.com                ##域名
 99 myorigin = westos.com                 ##要与真实主机的域名相同
 113 inet_interfaces = all                
 164 mydestination =                      ##空壳实际不接收邮件,所以不写
 316 relayhost = 172.25.254.101           ##真实主机ip
[[root@nullmail ~]# systemctl restart postfix.service
测试
#空壳端
[root@nullmail ~]# mail root
Subject: qe
qe
qe
.
EOT
[root@nullmail ~]# mailq
Mail queue is empty

#真接收端
[root@westos-mail named]# mail
Heirloom Mail version 12.5 7/5/10.  Type ? for help.
"/var/spool/mail/root": 1 message 1 new
>N  1 root                  Thu Jun  1 08:01  22/742   "qe"
& q

######################################
#############iptables#################
######################################
1.准备工作
查看火墙状态,如果是running,将其关闭
打开iptables

2.iptables
iptables是一个工作与用户之间的防火墙应用软件
三表:filter    ##不经过内核
      mangel
      nat       ##经过内核
五链:INPUT OUTPUT FORWARD PREROUTING POSTROUTING
           -t      ##指出表的名称
           -n      ##不作解析
           -L      ##列出指定表的策略
           -F      ##刷掉filter表中的所有策略
           -A      ##增加策略
           -s      ##数据来源
           -j      ##动作
           ACCEPT  ##允许
           REJECT  ##拒绝
           --dport ##端口
           -D      ##删除指定策略
           -I      ##插入策略
           -R      ##修改策略
           -P      ##修改默认策略
service iptables save     ##保存当前策略
[root@localhost ~]# iptables -A INPUT -i lo -j ACCEPT   ##允许lo
[root@localhost ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT  ##允许访问22 端口
[root@localhost ~]# iptables -A INPUT -s 172.25.254.75 -j ACCEPT  ##只允许75主机访问
[root@localhost ~]# iptables -A INPUT -j REJECT     ##其它全部拒绝
[root@localhost ~]# iptables -nL       ##查看filter表当前策略
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  172.25.254.95        0.0.0.0/0           
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@localhost ~]# iptables -N redhat      ##增加redhat链
[root@localhost ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  172.25.254.95        0.0.0.0/0           
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain redhat (0 references)
target     prot opt source               destination         
[root@localhost ~]# iptables -E redhat westos    ##将redhat链名称改为westos
[root@localhost ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  172.25.254.95        0.0.0.0/0           
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

 Chain westos (0 references)
 target     prot opt source               destination    
[root@localhost ~]# iptables -X westos      ##删除westos链
[root@localhost ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  172.25.254.95        0.0.0.0/0
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@localhost ~]# iptables -I INPUT -p tcp --dport 80 -j REJECT   ##插入策略到INPUT中的第一条
iptables -P INPUT DROP    ###修改默认策略
[root@localhost ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 reject-with icmp-port-unreachable
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  172.25.254.75        0.0.0.0/0           
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icm[root@localhost ~]# iptables -R INPUT 1 -p tcp --dport 80 -j ACCEPT    ##修改第一条策略

####提高访问速度,缓解访问压力
[root@localhost ~]# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT      ##建立过的策略再次读的话直接看这个
[root@localhost ~]# iptables -A INPUT -i lo -m state --state NEW -j ACCEPT                ##再次读lo策略时候直接读这个
[root@localhost ~]# iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT    ##再次读22端口策略时直接读这个,不需要全部读
[root@localhost ~]# iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT    ##再次读80端口策略时直接读这个,不需要全部读
[root@localhost ~]# iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT   ##再次读443端口策略时直接读这个,不需要全部读
[root@localhost ~]# iptables -A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT    ##再次读53端口策略时直接读这个,不需要全部读
[root@localhost ~]# iptables -A INPUT -j REJECT   ##其它主机数据全部拒绝
[root@localhost ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53 state NEW
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@localhost ~]# service iptable save   ##保存当前策略


##############路由###################
[root@localhost ~]# iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 172.25.254.101        ####出路由
[root@localhost ~]# sysctl -a | grep forward
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 0
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 0
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.eth0.forwarding = 0
net.ipv6.conf.eth0.mc_forwarding = 0
net.ipv6.conf.eth1.forwarding = 0
net.ipv6.conf.eth1.mc_forwarding = 0
net.ipv6.conf.lo.forwarding = 0
net.ipv6.conf.lo.mc_forwarding = 0
[root@localhost ~]# vim /etc/sysctl.conf
    5 net.ipv4.ip_forward = 1
[root@localhost ~]# sysctl -p
     net.ipv4.ip_forward = 1
[root@localhost ~]# iptables -t nat -A PREROUTING -i eth1 -j DNAT --to-dest 172.25.0.11   #####进路由
[root@localhost ~]# iptables -t nat -nL    ####查看当前策略
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       all  --  0.0.0.0/0            0.0.0.0/0            to:172.25.0.11

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  0.0.0.0/0            0.0.0.0/0            to:172.25.254.101

测试
 
[root@localhost ~]# ping 172.25.0.11
PING 172.25.0.11 (172.25.0.11) 56(84) bytes of data.
64 bytes from 172.25.0.11: icmp_seq=1 ttl=64 time=0.527 ms
64 bytes from 172.25.0.11: icmp_seq=2 ttl=64 time=0.384 ms
64 bytes from 172.25.0.11: icmp_seq=3 ttl=64 time=0.448 ms

postfix+mariadb   空壳邮件 iptables