Setiap tahun, periklanan di Internet menjadi lebih dan lebih, dan setiap kali ditayangkan semakin mengganggu. Ini sudah mencapai email: beriklan di antarmuka kotak surat terlihat seperti surat pertama yang belum dibaca yang secara otomatis ingin Anda buka. Saya tidak menentang periklanan, terutama bila ada topik dan tidak membingungkan. Tapi menyamarkannya sebagai surat yang belum dibaca itu berlebihan. Sepertinya langkah selanjutnya adalah mulai memasukkan iklan langsung ke badan email.
Kami sudah terbiasa dengan fakta bahwa aktivitas kami di Internet dianalisis untuk menayangkan iklan yang relevan. Tetapi tidak ada data pribadi dalam bentuk murni: ada pengguna-1 dengan kebiasaan ini dan itu, ada pengguna-2 dengan kebiasaan lain, pengguna-3, 4, 5, dll.
Mail adalah masalah lain. Pemrosesan surat sering kali merupakan pemrosesan data pribadi. Semua yang Anda beli - kwitansi masuk ke email Anda, layanan apa yang Anda gunakan - data dan laporan pendaftaran masuk ke email Anda, membeli tiket liburan - semua data tentang perjalanan Anda ada di email Anda. Dan di mana surat Anda?
Tidak ada jaminan bahwa email tidak diproses dan tidak ada penyalahgunaan. Jadi, jika Anda paranoid yang gelisah, inilah saat yang tepat bagi Anda untuk melepaskan surat "gratis".
Tetapi menyerah tidak mudah:
, .
, .
- protonmailβe, , .
β . , , . β .
, , 24/7. - Raspberry Pi, .. , . VMWare ESXi, . , . , HDD, .. / SSD . swap. : SSD, HDD. HP ProDesk 600 G2 SFF i5-6500: , ESXi . 25 , 40-45 . .
ESXi , IP, .
, ,
, , . , . , : (, ) ( LTE ). , . - LTE Huawei E3372-320. , , .
, IP , IP. : (VPS) , VPN-, VPS. , ( ) : IP , β . :
, . . .
, :
Hostname ( ) β mail
β example.com
IP VPS β 1.2.3.4
192.168.1.0 /24 (255.255.255.0) 192.168.1.1
IP β 192.168.1.3
VPN IP VPN 192.168.77.1, IP VPN 192.168.77.3
VPS, VPN
VPS , vps2day.com, , , , . VPN VPS , 5 β¬/. protonmailβe, vps2day, VPS. Debian 10, IP SSH .
, :
apt update && apt upgrade
VPN Wireguard, Debian 10 apt:
echo 'deb http://deb.debian.org/debian buster-backports main contrib non-free' > /etc/apt/sources.list.d/buster-backports.list
apt update
apt install wireguard
( ), , :
mkdir /etc/wireguard
chmod 700 /etc/wireguard
cd /etc/wireguard
wg genkey | tee privatekey | wg pubkey > publickey
: privatekey
publickey
. /etc/wireguard/wg0.conf
:
[Interface] PrivateKey = privatekey Address = 192.168.77.1/24 ListenPort = 51820 MTU = 1380
, .
, DNS
.RU , ... . protonmail'a. , example.com.
DNS "" mail IP , VPS:
"MX" 10 mail.example.com:
"TXT" SPF v=spf1 ip4:1.2.3.4 mx ~all
:
"TXT" DMARC v=DMARC1; p=reject; adkim=s; aspf=s; pct=100;
:
ESXi (). , . swap , . , , swap , . , , swap .
, , datastore SSD. Debian 10, . mail, example.com. . /boot :
. deluser <username> --remove-home
.
, . /etc/network/interfaces
. , , ens192
. :
allow-hotplug ens192 iface ens192 inet static address 192.168.1.3/24 gateway 192.168.1.1
, VPN VPS . DNS . /etc/resolv.conf
, :
nameserver 1.1.1.1 nameserver 1.0.0.1
IPv6 , /etc/sysctl.conf
. , ens192
:
net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1 net.ipv6.conf.lo.disable_ipv6 = 1 net.ipv6.conf.ens192.disable_ipv6 = 1
ssh wget:
apt install ssh wget
root SSH, /etc/ssh/sshd_config
PermitRootLogin yes
. ssh.
VPN
wireguard VPS :
echo 'deb http://deb.debian.org/debian buster-backports main contrib non-free' > /etc/apt/sources.list.d/buster-backports.list
apt update
apt install wireguard
mkdir /etc/wireguard
chmod 700 /etc/wireguard
cd /etc/wireguard
wg genkey | tee privatekey | wg pubkey > publickey
/etc/wireguard/wg0.conf
:
[Interface] PrivateKey = privatekey Address = 192.168.77.3/32 MTU = 1380 [Peer] PublicKey = publickey VPS AllowedIPs = 0.0.0.0/0 Endpoint = 1.2.3.4:51820 PersistentKeepalive = 20
SSH VPS /etc/wireguard/wg0.conf
:
# mail server [Peer] PublicKey = publickey AllowedIPs = 192.168.77.3/32
VPS /etc/sysctl.conf
net.ipv4.ip_forward = 1
, , , sysctl -w net.ipv4.ip_forward = 1
.
VPS , . /etc/network/if-up.d/firewall
, .
/etc/network/if-up.d/firewall
#! /bin/sh
EXT_IP="1.2.3.4"
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
#
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT --match limit --limit 5/second
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT --match limit --limit 5/second
# SSH
iptables -A INPUT -d $EXT_IP -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -d 192.168.77.1 -p tcp --dport 22 -j ACCEPT
# Established connections
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# DNS
iptables -A INPUT -i eth0 -p udp -d $EXT_IP --sport 53 -j ACCEPT
# Wireguard
iptables -A INPUT -i eth0 -d $EXT_IP -p udp --dport 51820 -j ACCEPT
iptables -A FORWARD -i wg0 -j ACCEPT
iptables -A FORWARD -o wg0 -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# VPS
iptables -t nat -A POSTROUTING -s 192.168.77.3 -j SNAT --to-source $EXT_IP
#
iptables -t nat -A PREROUTING -d $EXT_IP -p tcp --dport 80 -j DNAT --to-destination 192.168.77.3
iptables -t nat -A PREROUTING -d $EXT_IP -p tcp --dport 443 -j DNAT --to-destination 192.168.77.3
iptables -t nat -A PREROUTING -d $EXT_IP -p tcp --dport 25 -j DNAT --to-destination 192.168.77.3
iptables -t nat -A PREROUTING -d $EXT_IP -p tcp --dport 587 -j DNAT --to-destination 192.168.77.3
iptables -t nat -A PREROUTING -d $EXT_IP -p tcp --dport 143 -j DNAT --to-destination 192.168.77.3
iptables -t nat -A PREROUTING -d $EXT_IP -p tcp --dport 993 -j DNAT --to-destination 192.168.77.3
chmod +x /etc/network/if-up.d/firewall
VPS wireguard:
systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0
wireguard :
systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0
wg show
. - , :
Debian: e-mail caramel ispmail. , . Apache, PostgreSQL, Postfix, Dovecot, rspamd, sieve, SSL DKIM, . , .
"e-mail caramel" IMAP STARTTLS Nextcloud' webmail. - User-Agent Received. .
Nextcloud, Rainloop
-: X-Mailer, X-Originating-IP, X-PHP-Originating-Script, Mime-Version. master.cf, main.cf
, apache, , . SSL DKIM, .
. , .
:
wget https://github.com/alexmdv/mailserver-autosetup/archive/main.zip
unzip main.zip
chmod +x -R ./mailserver-autosetup-main
cd ./mailserver-autosetup-main
3 :
mailserver-setup.sh
-
mailuser-addnew.sh
-
mailuser-setpass.sh
-
mailserver-setup.sh
. : ( mail), , (, example.com), IP . + mail.example.com. , .. SSL DKIM. . mailuser-addnew.sh
mailuser-setpass.sh
PASSWORD, :
#!/bin/bash
pgadmpass="PASSWORD"
,
SSL . example.com :
certbot certonly --apache --agree-tos --email admin@example.com --no-eff-email --domain mail.example.com
DKIM. example.com β , 20210121 ():
rspamadm dkim_keygen -b 2048 -d example.com -s 20210121 -k /var/lib/rspamd/dkim/example.com.20210121.key
:
20210121._domainkey IN TXT ( "v=DKIM1; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAumOhUcY3anZV4tGF1+VsYDD9bTZ0rqiFCm8FPdDHVB0U+ZPfZ2Cxf+x+jIFYXfO/jWEoAw2uYFz3Mt1ImvRQzU9oMx0t/0HtMKS4m3AhOBM5SkkhvoAaJkoIt3gTQ4KQyiBsZemihAw6V/gsex8K6M76m4WkbT92+tg192EGXBUDo0k7kk1rDOld0G9X2P0IxkVfqKqfwg+fI+0Im" "AOFC1gBCIm18XPEGZA2oOoNbkWO95bD8Rj20yv8639bMA27+B08v4/aPXQb9HZLEwpsz8Qa/WgEZFGJzd6kUaYWHTfMmbgBXnET5N+tjXGvkjtnLbx25ru/PZTeckGjE/komQIDAQAB" ) ;
/etc/rspamd/dkim_selectors.map
, :
example.com 20210121
DNS , "TXT" 20210121._domainkey
v=DKIM1; k=rsa; p=...
, . :
. 255 , .. 2048 DKIM , , p
, . , , . GoDaddy, , TXT 1024 . 255 , . 1024 .
β /etc/postfix/master.cf
. :
#submission inet n - - - - smtpd
4 , "-o". . , . master.cf. :
submission inet n - - - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o cleanup_service_name=header_cleanup
.
. mailuser-addnew.sh. ( @example.com) . .
oleg@example.com. : oleg@example.com, IMAP SMTP oleg@example.com, IMAP mail.example.com, mail.example.com, STARTTLS.
DKIM SPF, https://dkimvalidator.com, . pass ().
Rainloop webmail
php Rainloop . , , , vhost -:
wget http://www.rainloop.net/repository/webmail/rainloop-community-latest.zip
unzip rainloop-community-latest.zip -d /var/www/webmail
cd /var/www/webmail
chmod 644 .
find . -type d -exec chmod 755 {} \;
find . -type f -exec chmod 644 {} \;
chown -R www-data:www-data .
a2ensite webmail
service apache2 reload
rainloop https://mail.example.com/?admin
admin
12345
. , Security.
. Domains, Add Domain:
Add:
Login :
webmail https://mail.example.com
( @example.com):
, , .
Apache /etc/apache2/apache2.conf
. -:
ServerSignature Off ServerTokens Prod
Apache service apache2 reload
.
phpPgAdmin
mail_server : alias, sharedmail_boxes, users. users. alias , shared_mailboxes . phpPgAdmin http://-ip--/phppgadmin postgres , .
, phpPgAdmin :
a2dissite lanhost service apache2 reload
, , 20 . : , . . . VPS, 25 , restic. ssh VPS .
RSA , Enter:
ssh-keygen -t rsa -b 4096
VPS:
cat ~/.ssh/id_rsa.pub | ssh root@192.168.77.1 "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
Restic
apt install restic
( VPS /mnt/mserv-bkp
):
restic -r sftp:192.168.77.1:/mnt/mserv-bkp init
, . , /root/.restic
:
export RESTIC_REPOSITORY="sftp:192.168.77.1:/mnt/mserv-bkp"
export RESTIC_PASSWORD=" "
:
source /root/.restic
:
restic backup /var/vmail
, - :
restic snapshots
, . /etc/root/restic
:
#!/bin/bash
source /root/.restic
restic backup /var/vmail
:
chmod +x /root/restic
/etc/crontab
:
0 1 * * * root /root/restic
.
Seperti yang Anda lihat, memiliki server email sendiri membutuhkan sejumlah uang. Harganya terdiri dari pembayaran pendaftaran domain, sewa VPS, pembayaran penyedia kedua di rumah, dan akhirnya listrik. Dalam kasus saya, ternyata di wilayah 950 β½ per bulan untuk semuanya. Di sisi lain, saluran Internet cadangan dan VPN akan berguna untuk seluruh jaringan rumah, tetapi kita akan membicarakannya lain kali.
Terima kasih sudah membaca. Komentar, pertanyaan, komentar dan saran dipersilakan!