Server Hardening & Tuning

Xcantion

New Member
Hello dear community!

I currently have a nice little server set up, and so far it works quite well. But now I have a few questions...

1) The server has quite high memory usage, over 1 GB.
2) How and where can I still tweak the performance a bit...
3) Have I overlooked something? Can I still optimize / swap out anything, etc....
4) Tuning the system in general
5) Further hardening / alternatives
6) Eliminating memory hogs...

Etc.

So as you can see, these are still more or less general questions at the moment.

Now to the question: what have I already done, and what kind of system is it?

1. I set up a mail server via iRedMail v0.5.1.
That is, Dovecot and Postfix with Amavis, Postgrey & Co.; everything runs via a MySQL DB... because I thought to myself
1.1 Why run 2 DBs, i.e. MySQL & LDAP!?
1.2 MySQL is easier to integrate into applications...
1.3 That brings me straight to a direct question... I can't manage to integrate Dovecot into Fail2ban because I'm missing the failregex value or it isn't correct... since authentication runs via MySQL....

2. I have Apache2 running via PHP5 - Fcgid (Suexec)

3. I set up Fail2ban and secured everything so far: Postfix, SSH, SASL, etc.

4. In addition, everything is closed via iptables except for the required ports.

5. SSH port moved and configured to accept only RSA or DSA keys.

6. I still have problems with ModSecurity 2.5.12... I can't cope with the config and the rules because the "new" config looks different from the old config that I had edited several times...

7. Since I haven't installed ModSecurity yet, I haven't had time to set up mod_evasive and configure it properly

8. No FTP daemon is running, and none is planned for the future either... Everything can be done via SFTP / SSH anyway.

Still planned:
Monitoring tools:
Monit or Munin or OSSEC..
Daily backups (locally on the server) & via a separate backup server...
possibly a high-availability network...

The whole system is a Debian 5 (Lenny) RAID1 system ... x64
The system has 2 GB RAM
The system is set up with the usual standard packages such as
rsyslogd
OpenSSH & Co.
 
Your questions are so general that they can only be answered in general terms, unfortunately.

Memory usage can be reduced, but do you have to?

As for the rest, nobody here can really give you productive answers. You can improve the disk parameters, you can optimize the software if necessary, you can optimize MySQL, etc.

You should tune the individual system components to each other step by step.

1) Optimize Debian, i.e. slim it down, tune the disk (if necessary and possible), etc.
2) Optimize MySQL for your requirements
3) Optimize Apache2 or use another web server that needs fewer resources
4) Optimize Postfix
5) ...

If you have concrete questions about the individual points (but not: what do I have to set so that MySQL is faster), then people can also give you good answers.
 
A few more details

Hello!
I probably expressed myself somewhat awkwardly above. I apologize for that.
Base system:
Debian x64 + RAID1 + 2 GB RAM
Currently a mail server & Apache2 are running on the server

iRedMail

Description:
I currently have the iRedMail server running with Dovecot, Postfix, Amavis, ClamAV, SpamAssassin, Postgrey.

Out of the box this server uses the settings provided by the system. That is, I haven't changed anything on the mail server or in the configs.

However, the whole mail server does not run via an LDAP server. I installed everything as the MySQL version.
Amavis user conf:
Code:
use strict;

chomp($mydomain = "server.domain.de");
@local_domains_maps = ['server.domain.de', 'domain.de'];
@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
                  10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 );

# Enable virus check.
@bypass_virus_checks_maps = (
   \%bypass_virus_checks,
   \@bypass_virus_checks_acl,
   $bypass_virus_checks_re,
   );

# Enable spam check.
@bypass_spam_checks_maps = (
    \%bypass_spam_checks,
    \@bypass_spam_checks_acl,
    $bypass_spam_checks_re,
    );

$virus_admin = "root\@$mydomain"; # due to D_DISCARD default
$mailfrom_notify_admin = "root\@$mydomain";
$mailfrom_notify_recip = "root\@$mydomain";
$mailfrom_notify_spamadmin = "root\@$mydomain";

# Mail notify.
$mailfrom_notify_admin     = "root\@$mydomain";  # notifications sender
$mailfrom_notify_recip     = "root\@$mydomain";  # notifications sender
$mailfrom_notify_spamadmin = "root\@$mydomain"; # notifications sender
$mailfrom_to_quarantine = ''; # null return path; uses original sender if undef

# Disable defang banned mail.
$defang_banned = 0;  # MIME-wrap passed mail containing banned name

$policy_bank{'MYNETS'} = {   # mail originating from @mynetworks
  originating => 1,  # is true in MYNETS by default, but let's make it explicit
  os_fingerprint_method => undef,  # don't query p0f for internal clients
  allow_disclaimers => 1,  # enables disclaimer insertion if available
};

$policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
  originating => 1,  # declare that mail was submitted by our smtp client
  allow_disclaimers => 1,  # enables disclaimer insertion if available
  # notify administrator of locally originating malware
  virus_admin_maps => ["root\@$mydomain"],
  spam_admin_maps  => ["root\@domain.de"],
  warnbadhsender   => 1,
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
  bypass_banned_checks_maps => [1],  # allow sending any file names and types
  terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option
};

# Set listen IP/PORT.
$notify_method  = 'smtp:[127.0.0.1]:10025';
$forward_method = 'smtp:[127.0.0.1]:10025';

# Set default action.
$final_virus_destiny      = D_DISCARD;
$final_banned_destiny     = D_PASS;
$final_spam_destiny       = D_PASS;
$final_bad_header_destiny = D_PASS;

@av_scanners = (

    #### http://www.clamav.net/
    ['ClamAV-clamd',
    \&ask_daemon, ["CONTSCAN {}\n", "/tmp/clamd.socket"],
    qr/\bOK$/, qr/\bFOUND$/,
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);

@av_scanners_backup = (

    ### http://www.clamav.net/   - backs up clamd or Mail::ClamAV
    ['ClamAV-clamscan', 'clamscan',
    # $TEMPBASE is amavisd's own temp-directory variable (the stock value here);
    # the pasted line had an empty --tempdir=, which clamscan would reject.
    "--stdout --disable-summary -r --tempdir=$TEMPBASE {}", [0], [1],
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);

$log_level = 0;              # verbosity 0..5, -d
$sa_debug = 0;
$sa_spam_modifies_subj = 1;

# Notify virus sender?
$warnvirussender = 1;

# Notify spam sender?
$warnspamsender = 0;

# Notify sender of banned files?
$warnbannedsender = 0;

# Notify sender of syntactically invalid header containing non-ASCII characters?
$warnbadhsender = 0;

# Notify virus (or banned files) RECIPIENT?
#  (not very useful, but some policies demand it)
$warnvirusrecip = 0;
$warnbannedrecip = 0;

# Notify also non-local virus/banned recipients if $warn*recip is true?
#  (including those not matching local_domains*)
$warn_offsite = 1;

$signed_header_fields{'received'} = 0;
$signed_header_fields{'to'} = 1;

$originating = 1;

# Add dkim_key here.
dkim_key("domain.de", "dkim", "/var/lib/dkim/domain.de.pem");

@dkim_signature_options_bysender_maps = ( {
    'postmaster@domain.de'    => { d => "domain.de", a => 'rsa-sha256', ttl =>  7*24*3600 },
    #"spam-reporter@domain.de"    => { d => "domain.de", a => 'rsa-sha256', ttl =>  7*24*3600 },

    # explicit 'd' forces a third-party signature on foreign (hosted) domains
    "domain.de"  => { d => "domain.de", a => 'rsa-sha256', ttl => 10*24*3600 },
    #"host1.domain.de"  => { d => "host1.domain.de", a => 'rsa-sha256', ttl => 10*24*3600 },
    #"host2.domain.de"  => { d => "host2.domain.de", a => 'rsa-sha256', ttl => 10*24*3600 },
    # ---- End domain: domain.de ----

    # catchall defaults
    '.' => { a => 'rsa-sha256', c => 'relaxed/simple', ttl => 30*24*3600 },
} );
$enable_dkim_verification = 1;  # enable DKIM signatures verification
$enable_dkim_signing = 1;    # load DKIM signing code, keys defined by dkim_key

# Program used to signing disclaimer in outgoing mails.
$altermime = '/usr/bin/altermime';

# Disclaimer in plain text formart.
@altermime_args_disclaimer = qw(--disclaimer=/etc/postfix/disclaimer/_OPTION_.txt);

@disclaimer_options_bysender_maps = ({
    '.' => 'default',
},);
# ------------ End Disclaimer Setting ---------------

1;  # insure a defined return

Clamd Conf:

Code:
#Automatically Generated by clamav-base postinst
#To reconfigure clamd run #dpkg-reconfigure clamav-base
#Please read /usr/share/doc/clamav-base/README.Debian.gz for details
LocalSocket /tmp/clamd.socket
FixStaleSocket true
# TemporaryDirectory is not set to its default /tmp here to make overriding
# the default with environment variables TMPDIR/TMP/TEMP possible
User clamav
AllowSupplementaryGroups true
ScanMail true
ScanArchive true
ArchiveLimitMemoryUsage false
ArchiveBlockEncrypted false
MaxDirectoryRecursion 15
FollowDirectorySymlinks false
FollowFileSymlinks false
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 15
StreamMaxLength 10M
LogSyslog false
LogFacility LOG_LOCAL6
LogClean false
LogVerbose false
PidFile /var/run/clamav/clamd.pid
DatabaseDirectory /var/lib/clamav
SelfCheck 3600
Foreground false
Debug false
ScanPE true
ScanOLE2 true
ScanHTML true
DetectBrokenExecutables false
MailFollowURLs false
ExitOnOOM false
LeaveTemporaryFiles false
AlgorithmicDetection true
ScanELF true
IdleTimeout 30
PhishingSignatures true
PhishingScanURLs true
PhishingAlwaysBlockSSLMismatch false
PhishingAlwaysBlockCloak false
DetectPUA false
ScanPartialMessages false
HeuristicScanPrecedence false
StructuredDataDetection false
LogFile /var/log/clamav/clamd.log
LogTime true

Freshclam Conf
Code:
# Automatically created by the clamav-freshclam postinst
# Comments will get lost when you reconfigure the clamav-freshclam package

DatabaseOwner clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose false
LogSyslog false
LogFacility LOG_LOCAL6
LogFileMaxSize 0
LogTime no
Foreground false
Debug false
MaxAttempts 5
DatabaseDirectory /var/lib/clamav/
DNSDatabaseInfo current.cvd.clamav.net
AllowSupplementaryGroups false
PidFile /var/run/clamav/freshclam.pid
ConnectTimeout 30
ReceiveTimeout 30
ScriptedUpdates yes
CompressLocalDatabase no
NotifyClamd /etc/clamav/clamd.conf
# Check for new database 24 times a day
Checks 24
DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net

Dovecot.conf:
Code:
protocols =  pop3 pop3s imap imaps managesieve

listen = *

mail_uid = 1000
mail_gid = 1001

log_path = /var/log/dovecot.log

umask = 0077
disable_plaintext_auth = no

login_process_per_connection=yes

auth_default_realm = domain.de

plugin {
    
    quota_warning = storage=85%% /usr/bin/dovecot-quota-warning.sh 85
    quota_warning2 = storage=90%% /usr/bin/dovecot-quota-warning.sh 90
    quota_warning3 = storage=95%% /usr/bin/dovecot-quota-warning.sh 95
}

ssl_disable = no
verbose_ssl = no
ssl_key_file = /etc/ssl/private/iRedMail.key
ssl_cert_file = /etc/ssl/certs/iRedMail_CA.pem
mail_location = maildir:/%Lh/Maildir/:INDEX=/%Lh/Maildir/

plugin {
    quota = maildir
}

dict {
    # NOTE: dict process currently runs as root, so this file will be owned as root.
    expire = db:/var/lib/dovecot/expire/expire.db
}

plugin {
    
    expire = Trash 7 Trash/* 7 Junk 30
    expire_dict = proxy::expire

    # If you have a non-default path to auth-master, set also:
    auth_socket_path = /var/run/dovecot/auth-master
}

# Per-user sieve mail filter.
plugin {
    # For maildir format.
    sieve = /var/vmail/sieve/%Ld/%Ln/dovecot.sieve
}
# LDA: Local Deliver Agent
protocol lda { 
    postmaster_address = root
    auth_socket_path = /var/run/dovecot/auth-master
    #mail_plugins = cmusieve quota expire
    mail_plugins = cmusieve quota
    sieve_global_path = /var/vmail/sieve/dovecot.sieve
    log_path = /var/log/sieve.log
}

# IMAP configuration
protocol imap {
    #mail_plugins = quota imap_quota zlib expire
    mail_plugins = quota imap_quota zlib

    # number of connections per-user per-IP
    #mail_max_userip_connections = 10
}

# POP3 configuration
protocol pop3 {
    #mail_plugins = quota zlib expire
    mail_plugins = quota zlib
    pop3_uidl_format = %08Xu%08Xv
    pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}

auth default {
    mechanisms = plain login
    user = vmail
    passdb sql {
        args = /etc/dovecot/dovecot-mysql.conf
    }
    userdb sql {
        args = /etc/dovecot/dovecot-mysql.conf
    }
    socket listen {
        master { 
            path = /var/run/dovecot/auth-master
            mode = 0666
            user = vmail
            group = vmail
        }
        client {
            path = /var/spool/postfix/dovecot-auth
            mode = 0666
            user = postfix
            group = postfix
        }
    }
}
protocol managesieve {
    listen = 127.0.0.1:2000
    sieve = /var/vmail/sieve/%Ld/%Ln/dovecot.sieve
    sieve_storage = /var/vmail/sieve/%Ld/%Ln/
    login_executable = /usr/lib/dovecot/managesieve-login
    mail_executable = /usr/lib/dovecot/managesieve
    managesieve_max_line_length = 65536
    managesieve_implementation_string = dovecot
}

Dovecot-mysql:
Code:
driver = mysql
default_pass_scheme = CRYPT
connect = host=localhost dbname=user user=user password=xyz
password_query = SELECT password FROM mailbox WHERE username='%u' AND active='1' AND expired >= NOW()
user_query = SELECT CONCAT(storagebasedirectory, '/', maildir) AS home, CONCAT('*:bytes=', quota*1048576) AS quota_rule FROM mailbox WHERE username='%u' AND active='1' AND enable%Ls%Lc='1' AND expired >= NOW()

Postfix Main.cf
Code:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail_CA.pem
smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = server.domain.de
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
myorigin = server.domain.de
mydestination = $myhostname, localhost, localhost.localdomain, localhost.$myhostname
relayhost = 
mynetworks = 127.0.0.0/8
mailbox_command = /usr/lib/dovecot/deliver
mailbox_size_limit = 15728640
recipient_delimiter = +
inet_interfaces = all
mydomain = domain.de
mail_name = iRedMail
mail_version = 0.5.1
relay_domains = $mydestination, proxy:mysql:/etc/postfix/mysql_relay_domains.cf
mynetworks_style = subnet
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_reject_unlisted_recipient = yes
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated
delay_warning_time = 0h
policy_time_limit = 3600
maximal_queue_lifetime = 1d
bounce_queue_lifetime = 1d
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,permit_sasl_authenticated, check_helo_access pcre:/etc/postfix/helo_access.pcre
queue_run_delay = 300s
minimal_backoff_time = 300s
maximal_backoff_time = 4000s
enable_original_recipient = no
disable_vrfy_command = yes
home_mailbox = Maildir/
allow_min_user = no
message_size_limit = 15728640
virtual_mailbox_limit_override = yes
virtual_overquota_bounce = yes
virtual_mailbox_limit_message = Sorry, the user's maildir has overdrawn the disk quota, please notice the user and try again later.
virtual_minimum_uid = 1000
virtual_uid_maps = static:1000
virtual_gid_maps = static:1001
virtual_mailbox_base = /var/vmail/vmail01
check_sender_access = hash:/etc/postfix/sender_access
header_checks = pcre:/etc/postfix/header_checks.pcre
transport_maps = proxy:mysql:/etc/postfix/mysql_transport_maps_user.cf, proxy:mysql:/etc/postfix/mysql_transport_maps_domain.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_domain.cf, proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_user.cf
recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql_recipient_bcc_maps_domain.cf, proxy:mysql:/etc/postfix/mysql_recipient_bcc_maps_user.cf
relay_recipient_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql_sender_login_maps.cf
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = 
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = no
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_policy_service inet:127.0.0.1:10031
smtpd_tls_security_level = may
smtpd_enforce_tls = no
smtpd_tls_loglevel = 0
tls_random_source = dev:/dev/urandom
tls_daemon_random_source = dev:/dev/urandom
#
# Uncomment the following line to enable policyd sender throttle.
#
#smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10032
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = dovecot-auth
content_filter = smtp-amavis:[127.0.0.1]:10024

Postfix master.cf
Code:
smtp      inet  n       -       -       -       -       smtpd
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
	-o smtp_fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix	-	n	n	-	2	pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

# Bypass checks for internally generated mail.
pickup    fifo  n       -       n       60      1       pickup
  -o content_filter=
submission inet n       -       n       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
#  -o content_filter=smtp-amavis:[127.0.0.1]:10026

smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o content_filter=smtp-amavis:[127.0.0.1]:10026
dovecot unix    -       n       n       -       -      pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -d ${recipient} -f ${sender}
smtp-amavis unix -  -   -   -   2  smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20

127.0.0.1:10025 inet n  -   -   -   -  smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks_style=host
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings


This is what my mail server configuration currently looks like. For mail administration I currently use PostfixAdmin to define the mail addresses etc. A webmail interface is not used yet.

Webmail interface planning.

eGroupware, Group-Office, Horde, SquirrelMail or Roundcube... Since no other interfaces are available to me, or I don't know of any others, I currently only have the choice between these interfaces... But I'm open to alternatives...

My main goal right now is to set up the mail system so that it uses as few system resources as possible. Memory / processor optimization. The current target is 5000-10000 mails per day without the memory being flooded or the system being maxed out...
Dovecot integration into Fail2ban...
The current problem with this configuration is that Amavis and Freshclam/ClamAV ramp up after a short time and occupy a lot of memory...
The postfix-policyd process doesn't look much better either..
Here are some more precise figures:
ClamAV
clamav 7530 0.0 17.4 414708 357580 ? Ss Feb06 0:09 /usr/sbin/clamd
ClamAV currently uses 17.4 %MEM, i.e. 17.4% of the RAM..
Amavis
amavis 6926 0.0 3.9 205780 81932 ? Ss Feb06 0:02 amavisd (master)
amavis 6927 0.0 3.9 206980 80832 ? S Feb06 0:00 amavisd (virgin child)
amavis 6928 0.0 3.9 206980 80832 ? S Feb06 0:00 amavisd (virgin child)
Here it is only 3.9%, but I still consider that an extreme amount...
That is just one example...
I consider these values extremely high because I currently use the system as a single user...
If so much RAM is already occupied here, what will it look like with 100 or even 1000 users?
What do you think?
So, to continue...
I have set up Fail2Ban:
jail.local
Code:
[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 85.31.187.80 91.143.93.200
bantime  = 600
maxretry = 3

backend = polling

destemail = root@localhost

# Default action to take: ban only
action = iptables[name=%(__name__)s, port=%(port)s]

[ssh]

enabled = true
port    = ssh
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 5

[apache]

enabled = true
port    = http
filter  = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 5

[apache-noscript]

enabled = true
port    = http
filter  = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 5

[vsftpd]

enabled  = false
port     = ftp
filter   = vsftpd
logpath  = /var/log/auth.log
maxretry = 5

[proftpd]

enabled  = false
port     = ftp
filter   = proftpd
logpath  = /var/log/auth.log
failregex = proftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>
maxretry = 5

[wuftpd]

enabled  = false
port     = ftp
filter   = wuftpd
logpath  = /var/log/auth.log
maxretry = 5

[postfix]

enabled  = true
port     = smtp
filter   = postfix
logpath  = /var/log/mail.log
maxretry = 5


[courierpop3]

enabled  = false
port     = pop3
filter   = courierlogin
failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath  = /var/log/mail.log
maxretry = 5

[courierimap]

enabled  = false
port     = imap2
filter   = courierlogin
failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath  = /var/log/mail.log
maxretry = 5

[sasl]

enabled  = true
port     = smtp
filter   = sasl
failregex = warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
logpath  = /var/log/mail.log
maxretry = 5

As you can see, the most important components are listed and enabled here...
Mail, Apache, SSH

My problem with this configuration is that I haven't yet managed to integrate Dovecot... and to set up the configuration so that everything is processed via Fail2ban -> iptables -> logs.

So I want to couple Fail2ban with iptables and have the logs evaluated in order to launch appropriate countermeasures. (Rough plan)

For the sake of completeness, here once again the relevant line from the iptables rules
Code:
# http/https, smtp/smtps, pop3/pop3s, imap/imaps, ssh
-A INPUT -p tcp -m multiport --dport 80,443,25,465,110,995,143,993,587,465,21,1946 -j ACCEPT

Everything about Apache will follow... That's it for now...
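The Dovecot-in-Fail2ban gap raised in both posts, worked as an added example (not from the thread and not a filter shipped with Fail2ban): a Fail2ban 0.8-style filter and jail entry for Dovecot, plus the jail's counting logic run over constructed Dovecot 1.x log lines. The message patterns, the sample log lines and their timestamp format, and the 600 s findtime are assumptions; the point is that Dovecot itself logs every failed login regardless of the MySQL passdb, so the jail never touches the database.

```python
"""Dovecot login-failure detection, done the way a Fail2ban jail does it.

Dovecot logs every failed authentication itself, whichever passdb backs it
(MySQL here), so a jail only needs the Dovecot log and a failregex; the
database is never consulted.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Filter definition (Fail2ban 0.8 filter.d syntax). Patterns are modelled on
# Dovecot 1.x imap-login/pop3-login failure messages (assumption).
FAILREGEX_TEMPLATE = (
    r"(?:imap-login|pop3-login): "
    r"(?:Aborted login \(auth failed|Disconnected \(auth failed"
    r"|Aborted login \(tried to use disabled plaintext auth).*rip=<HOST>,"
)

FILTER_CONF = f"""[Definition]
failregex = {FAILREGEX_TEMPLATE}
ignoreregex =
"""

# Jail entry for jail.local. iptables-multiport is used because the plain
# iptables action in the [DEFAULT] section only takes a single port.
JAIL_CONF = """[dovecot]
enabled  = true
port     = pop3,pop3s,imap,imaps
filter   = dovecot
action   = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps"]
logpath  = /var/log/dovecot.log
maxretry = 3
"""

TIMESTAMP = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")


def compile_failregex(template=FAILREGEX_TEMPLATE):
    """Expand <HOST> into the named group Fail2ban uses, then compile."""
    return re.compile(template.replace("<HOST>", r"(?P<host>[\w\-.^_]*\w)"))


def parse_failures(log_text, year=2010):
    """Return [(timestamp, host)] for each log line hit by the failregex."""
    failregex = compile_failregex()
    hits = []
    for line in log_text.splitlines():
        m = failregex.search(line)
        t = TIMESTAMP.match(line)
        if m and t:
            ts = datetime.strptime(f"{year} {t.group(1)}", "%Y %b %d %H:%M:%S")
            hits.append((ts, m.group("host")))
    return hits


def hosts_to_ban(log_text, maxretry=3, findtime=600, ignoreip=("127.0.0.1",)):
    """Jail logic: ban a host after maxretry failures inside a sliding
    findtime window (600 s is Fail2ban's default findtime)."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = []
    for ts, host in parse_failures(log_text):
        if host in ignoreip or host in banned:
            continue
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry:
            banned.append(host)
    return banned


# Constructed sample of /var/log/dovecot.log (Dovecot 1.x default timestamp).
SAMPLE_LOG = """\
Feb 06 10:00:01 imap-login: Login: user=<alice@domain.de>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, TLS
Feb 06 10:00:05 imap-login: Disconnected (auth failed, 1 attempts): user=<bob@domain.de>, method=PLAIN, rip=198.51.100.77, lip=198.51.100.2
Feb 06 10:00:09 pop3-login: Aborted login (auth failed, 1 attempts): user=<bob@domain.de>, method=PLAIN, rip=198.51.100.77, lip=198.51.100.2
Feb 06 10:00:14 imap-login: Aborted login (tried to use disabled plaintext auth): user=<bob@domain.de>, rip=198.51.100.77, lip=198.51.100.2
Feb 06 10:00:20 imap-login: Disconnected (auth failed, 1 attempts): user=<carol@domain.de>, method=LOGIN, rip=203.0.113.9, lip=198.51.100.2
Feb 06 11:30:00 imap-login: Disconnected (auth failed, 1 attempts): user=<dave@domain.de>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.2
"""

if __name__ == "__main__":
    print(FILTER_CONF)
    print(JAIL_CONF)
    print("ban:", hosts_to_ban(SAMPLE_LOG))  # ban: ['198.51.100.77']
```

Before enabling the jail, run `fail2ban-regex /var/log/dovecot.log /etc/fail2ban/filter.d/dovecot.conf` against the real log to confirm the pattern matches the exact wording your Dovecot version emits.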
 