tachtler:dovecot_sicherheit
Differences
This page shows the differences between two revisions.
tachtler:dovecot_sicherheit [2014/04/16 14:40] – klaus | tachtler:dovecot_sicherheit [2015/07/11 09:21] – [/etc/cron.weekly/ssl-parameters_update.sh] klaus
Zeile 5: | Zeile 5: | ||
:!: **HINWEIS** - **Die Nachfolgende Konfiguration von [[http:// | :!: **HINWEIS** - **Die Nachfolgende Konfiguration von [[http:// | ||
* **[[tachtler: | * **[[tachtler: | ||
+ | * **[[tachtler: | ||
[[http:// | [[http:// | ||
Zeile 24: | Zeile 25: | ||
===== Flooding ===== | ===== Flooding ===== | ||
+ | |||
+ | ==== / | ||
Um eine gewisse Absicherung gegen Benutzer (Clients) zu erreichen, welche über eine **IP-Adresse** versuchen den [[http:// | Um eine gewisse Absicherung gegen Benutzer (Clients) zu erreichen, welche über eine **IP-Adresse** versuchen den [[http:// | ||
Zeile 31: | Zeile 34: | ||
verändert werden. | verändert werden. | ||
(**Nur relevanter Ausschnitt**) | (**Nur relevanter Ausschnitt**) | ||
- | < | + | < |
... | ... | ||
protocol imap { | protocol imap { | ||
Zeile 47: | Zeile 50: | ||
:!: **HINWEIS** - Probleme können hier entstehen, wenn viel Benutzer über eine **NAT-IP-Adresse** surfen, oder ein Webmailer von vielen Benutzern gleichzeitig genutzt wird! | :!: **HINWEIS** - Probleme können hier entstehen, wenn viel Benutzer über eine **NAT-IP-Adresse** surfen, oder ein Webmailer von vielen Benutzern gleichzeitig genutzt wird! | ||
+ | |||
+ | ==== / | ||
+ | |||
+ | Gleiches gilt auch für die Konfigurationsdatei | ||
+ | * ''/ | ||
+ | wie nachfolgende Darstellung zeigt. | ||
+ | (**Nur relevanter Ausschnitt**) | ||
+ | <code ini> | ||
+ | ... | ||
+ | protocol sieve { | ||
+ | # Maximum ManageSieve command line length in bytes. ManageSieve usually does | ||
+ | # not involve overly long command lines, so this setting will not normally | ||
+ | # need adjustment | ||
+ | # | ||
+ | |||
+ | # Maximum number of ManageSieve connections allowed for a user from each IP | ||
+ | # address. | ||
+ | # NOTE: The username is compared case-sensitively. | ||
+ | # | ||
+ | |||
+ | # Space separated list of plugins to load (none known to be useful so far). | ||
+ | # Do NOT try to load IMAP plugins here. | ||
+ | # | ||
+ | |||
+ | # MANAGESIEVE logout format string: | ||
+ | # %i - total number of bytes read from client | ||
+ | # %o - total number of bytes sent to client | ||
+ | # | ||
+ | |||
+ | # To fool ManageSieve clients that are focused on CMU's timesieved you can | ||
+ | # specify the IMPLEMENTATION capability that Dovecot reports to clients. | ||
+ | # For example: 'Cyrus timsieved v2.2.13' | ||
+ | # | ||
+ | |||
+ | # Explicitly specify the SIEVE and NOTIFY capability reported by the server | ||
+ | # before login. If left unassigned these will be reported dynamically | ||
+ | # according to what the Sieve interpreter supports by default (after login | ||
+ | # this may differ depending on the user). | ||
+ | # | ||
+ | # | ||
+ | |||
+ | # The maximum number of compile errors that are returned to the client upon | ||
+ | # script upload or script verification. | ||
+ | # | ||
+ | |||
+ | # Refer to 90-sieve.conf for script quota configuration and configuration of | ||
+ | # Sieve execution limits. | ||
+ | } | ||
+ | ... | ||
+ | </ | ||
+ | |||
+ | ===== SSL-Sicherheit ===== | ||
+ | |||
+ | [[http:// | ||
+ | |||
+ | Die Diffie-Hellman-Parameter werden beim ersten Start des [[http:// | ||
+ | * ''/ | ||
+ | abgelegt. | ||
+ | |||
+ | :!: **HINWEIS** - **Ab [[http:// | ||
+ | |||
+ | Um trotzdem eine Neuerzeugung im laufenden Betrieb durchführen zu können, gibt es unter nachfolgendem externen Link Hintergründe und die Lösung zu diesem Problem, basieren auf den Hinweisen von [[https:// | ||
+ | |||
+ | Dazu sind nachfolgende Schritte erforderlich: | ||
+ | - Die Erzeugung einer **Konfigurationsdatei** für die **DH-Parameter**-Datei | ||
+ | - Die Erzeugung der **DH-Parameter**-Datei mit Hilfe des Programms ''/ | ||
+ | - unter der Angabe, welche **Parameter-Länge** '' | ||
+ | - in welchem Verzeichnis die **Parameter-Datei** '' | ||
+ | - Anschließend wir die so erzeugte **Parameter-Datei** gegen die standardmäßige Konfigurationsdatei von [[http:// | ||
+ | - Abschließend muss dann noch das **erneute einlesen** der neuen Konfigurationsdatei''/ | ||
+ | |||
+ | ==== / | ||
+ | |||
+ | Nachfolgendes Skript erledigt alle vorhergehenden Aufgaben: | ||
+ | <code bash> | ||
+ | #!/bin/bash | ||
+ | |||
+ | ############################################################################## | ||
+ | # Script-Name : ssl-parameters_update.sh | ||
+ | # Description : Renew the Diffie-Hellman parameter file for Dovecot under # | ||
+ | # the path / | ||
+ | # # | ||
+ | # # | ||
+ | # Last update : 11.07.2015 | ||
+ | # Version | ||
+ | ############################################################################## | ||
+ | |||
+ | ############################################################################## | ||
+ | # H I S T O R Y # | ||
+ | ############################################################################## | ||
+ | # Version | ||
+ | # Description : < | ||
+ | # -------------------------------------------------------------------------- # | ||
+ | # Version | ||
+ | # Description : < | ||
+ | # -------------------------------------------------------------------------- # | ||
+ | ############################################################################## | ||
+ | |||
+ | # Source function library. | ||
+ | . / | ||
+ | |||
+ | # Variable declarations. | ||
+ | |||
+ | ############################################################################## | ||
+ | # >>> | ||
+ | ############################################################################## | ||
+ | |||
+ | # CUSTOM - Script-Name. | ||
+ | SCRIPT_NAME=' | ||
+ | |||
+ | # CUSTOM - PATH/ | ||
+ | PARAM_DIR="/ | ||
+ | FINAL_DIR="/ | ||
+ | STATE_DIR="/ | ||
+ | |||
+ | # CUSTOM - PARAMATERS variables. | ||
+ | SSL_DH_PARAMETERS_LENGTH=" | ||
+ | |||
+ | # CUSTOM - Binary. | ||
+ | BINARY_DOVECOT_PATH="/ | ||
+ | BINARY_SSL_PARAMS_PATH='/ | ||
+ | |||
+ | # CUSTOM - Mail-Recipient. | ||
+ | MAIL_RECIPIENT=' | ||
+ | |||
+ | # CUSTOM - Status-Mail [Y|N]. | ||
+ | MAIL_STATUS=' | ||
+ | |||
+ | ############################################################################## | ||
+ | # >>> | ||
+ | ############################################################################## | ||
+ | |||
+ | # Variables. | ||
+ | PARAM_FILE=" | ||
+ | STATE_FILE=" | ||
+ | TOUCH_COMMAND=`command -v touch` | ||
+ | MV_COMMAND=`command -v mv` | ||
+ | RM_COMMAND=`command -v rm` | ||
+ | CAT_COMMAND=`command -v cat` | ||
+ | DATE_COMMAND=`command -v date` | ||
+ | MKDIR_COMMAND=`command -v mkdir` | ||
+ | PROG_SENDMAIL=`command -v sendmail` | ||
+ | TAR_COMMAND=`command -v tar` | ||
+ | CHOWN_COMMAND=`command -v chown` | ||
+ | CHMOD_COMMAND=`command -v chmod` | ||
+ | FILE_LOCK='/ | ||
+ | FILE_LOG='/ | ||
+ | FILE_LAST_LOG='/ | ||
+ | FILE_MAIL='/ | ||
+ | VAR_HOSTNAME=`uname -n` | ||
+ | VAR_SENDER=' | ||
+ | VAR_EMAILDATE=`$DATE_COMMAND '+%a, %d %b %Y %H:%M:%S (%Z)'` | ||
+ | |||
+ | # Functions. | ||
+ | function log() { | ||
+ | echo $1 | ||
+ | echo `$DATE_COMMAND ' | ||
+ | } | ||
+ | |||
+ | function retval() { | ||
+ | if [ " | ||
+ | case " | ||
+ | *) | ||
+ | log " | ||
+ | ;; | ||
+ | esac | ||
+ | fi | ||
+ | } | ||
+ | |||
+ | function movelog() { | ||
+ | $CAT_COMMAND $FILE_LAST_LOG >> $FILE_LOG | ||
+ | $RM_COMMAND -f $FILE_LAST_LOG | ||
+ | $RM_COMMAND -f $FILE_LOCK | ||
+ | } | ||
+ | |||
+ | function sendmail() { | ||
+ | case " | ||
+ | ' | ||
+ | MAIL_SUBJECT=' | ||
+ | ;; | ||
+ | *) | ||
+ | MAIL_SUBJECT=' | ||
+ | ;; | ||
+ | esac | ||
+ | |||
+ | $CAT_COMMAND << | ||
+ | Subject: $MAIL_SUBJECT | ||
+ | Date: $VAR_EMAILDATE | ||
+ | From: $VAR_SENDER | ||
+ | To: $MAIL_RECIPIENT | ||
+ | |||
+ | |||
+ | |||
+ | $CAT_COMMAND $FILE_LAST_LOG >> $FILE_MAIL | ||
+ | |||
+ | $PROG_SENDMAIL -f $VAR_SENDER -t $MAIL_RECIPIENT < $FILE_MAIL | ||
+ | |||
+ | $RM_COMMAND -f $FILE_MAIL | ||
+ | |||
+ | } | ||
+ | |||
+ | # Main. | ||
+ | log "" | ||
+ | log " | ||
+ | log "| Start update generating Diffie-Hellman ssl-parameters.dat file. |" | ||
+ | log " | ||
+ | log "" | ||
+ | log "Run script with following parameter:" | ||
+ | log "" | ||
+ | log " | ||
+ | log "" | ||
+ | log " | ||
+ | log " | ||
+ | log " | ||
+ | log "" | ||
+ | log " | ||
+ | log " | ||
+ | log "" | ||
+ | log " | ||
+ | log " | ||
+ | log "" | ||
+ | log " | ||
+ | log " | ||
+ | log "" | ||
+ | |||
+ | # Check if command (file) NOT exist OR IS empty. | ||
+ | if [ ! -s " | ||
+ | log "Check if command ' | ||
+ | sendmail ERROR | ||
+ | movelog | ||
+ | exit 10 | ||
+ | else | ||
+ | log "Check if command ' | ||
+ | fi | ||
+ | |||
+ | # Check if command (file) NOT exist OR IS empty. | ||
+ | if [ ! -s " | ||
+ | log "Check if command ' | ||
+ | sendmail ERROR | ||
+ | movelog | ||
+ | exit 11 | ||
+ | else | ||
+ | log "Check if command ' | ||
+ | fi | ||
+ | |||
+ | # Check if command (file) NOT exist OR IS empty. | ||
+ | if [ ! -s " | ||
+ | log "Check if command ' | ||
+ | sendmail ERROR | ||
+ | movelog | ||
+ | exit 12 | ||
+ | else | ||
+ | log "Check if command ' | ||
+ | fi | ||
+ | |||
+ | # Check if command (file) NOT exist OR IS empty. | ||
+ | if [ ! -s " | ||
+ | log "Check if command ' | ||
+ | sendmail ERROR | ||
+ | movelog | ||
+ | exit 13 | ||
+ | else | ||
+ | log "Check if command ' | ||
+ | fi | ||
+ | |||
+ | # Check if command (file) NOT exist OR IS empty. | ||
+ | if [ ! -s " | ||
+ | log "Check if command ' | ||
+ | sendmail ERROR | ||
+ | movelog | ||
+ | exit 14 | ||
+ | else | ||
+ | log "Check if command ' | ||
+ | fi | ||
+ | |||
+ | # Check if command (file) NOT exist OR IS empty. | ||
+ | if [ ! -s " | ||
+ | log "Check if command ' | ||
+ | sendmail ERROR | ||
+ | movelog | ||
+ | exit 15 | ||
+ | else | ||
+ | log "Check if command ' | ||
+ | fi | ||
+ | |||
+ | # Check if command (file) NOT exist OR IS empty. | ||
+ | if [ ! -s " | ||
+ | log "Check if command ' | ||
+ | sendmail ERROR | ||
+ | movelog | ||
+ | exit 16 | ||
+ | else | ||
+ | log "Check if command ' | ||
+ | fi | ||
+ | |||
+ | # Check if command (file) NOT exist OR IS empty. | ||
+ | if [ ! -s " | ||
+ | log "Check if command ' | ||
+ | sendmail ERROR | ||
+ | movelog | ||
+ | exit 17 | ||
+ | else | ||
+ | log "Check if command ' | ||
+ | fi | ||
+ | |||
+ | # Check if command (file) NOT exist OR IS empty. | ||
+ | if [ ! -s " | ||
+ | log "Check if command ' | ||
+ | sendmail ERROR | ||
+ | movelog | ||
+ | exit 18 | ||
+ | else | ||
+ | log "Check if command ' | ||
+ | fi | ||
+ | |||
+ | # Check if command (file) NOT exist OR IS empty. | ||
+ | if [ ! -s " | ||
+ | log "Check if command ' | ||
+ | sendmail ERROR | ||
+ | movelog | ||
+ | exit 19 | ||
+ | else | ||
+ | log "Check if command ' | ||
+ | fi | ||
+ | |||
+ | # Check if LOCK file NOT exist. | ||
+ | if [ ! -e " | ||
+ | log "Check if script is NOT already runnig .....................[ | ||
+ | |||
+ | $TOUCH_COMMAND $FILE_LOCK | ||
+ | else | ||
+ | log "Check if script is NOT already runnig .....................[FAILED]" | ||
+ | log "" | ||
+ | log " | ||
+ | log "" | ||
+ | sendmail ERROR | ||
+ | movelog | ||
+ | exit 20 | ||
+ | fi | ||
+ | |||
+ | # Start update. | ||
+ | log "" | ||
+ | log " | ||
+ | log "| Run update from $SCRIPT_NAME ...................... |" | ||
+ | log " | ||
+ | log "" | ||
+ | |||
+ | # Check if Directory NOT exists. | ||
+ | if [ ! -d " | ||
+ | log "Check if $PARAM_DIR exists ..............................[FAILED]" | ||
+ | log "" | ||
+ | log " INFO: Creating --> $PARAM_DIR !" | ||
+ | log "" | ||
+ | |||
+ | $MKDIR_COMMAND -p $PARAM_DIR | ||
+ | else | ||
+ | log "Check if $PARAM_DIR exists ..............................[ | ||
+ | fi | ||
+ | |||
+ | # Check if Directory NOT exists. | ||
+ | if [ ! -d " | ||
+ | log "Check if $STATE_DIR exists ......................................[FAILED]" | ||
+ | log "" | ||
+ | log " INFO: Creating --> $STATE_DIR !" | ||
+ | log "" | ||
+ | |||
+ | $MKDIR_COMMAND -p $STATE_DIR | ||
+ | else | ||
+ | log "Check if $STATE_DIR exists ......................................[ | ||
+ | log "" | ||
+ | fi | ||
+ | |||
+ | # Check if file exists | ||
+ | if [ ! -e " | ||
+ | log "Check if $PARAM_DIR/ | ||
+ | log "" | ||
+ | else | ||
+ | log "Check if $PARAM_DIR/ | ||
+ | log "" | ||
+ | log " INFO: Deleting --> $PARAM_DIR/ | ||
+ | log "" | ||
+ | |||
+ | $RM_COMMAND $PARAM_DIR/ | ||
+ | fi | ||
+ | |||
+ | # Generating file. | ||
+ | |||
+ | log " | ||
+ | log "" | ||
+ | |||
+ | echo "# Lenght of Diffie-Helmann-Parameter" | ||
+ | echo " | ||
+ | echo "# Save directory of temporary $STATE_FILE" | ||
+ | echo " | ||
+ | |||
+ | log " | ||
+ | log "" | ||
+ | log " | ||
+ | log "" | ||
+ | |||
+ | $BINARY_SSL_PARAMS_PATH -c $PARAM_DIR/ | ||
+ | |||
+ | # Move file. | ||
+ | $MV_COMMAND $STATE_DIR/ | ||
+ | |||
+ | if [ " | ||
+ | retval $? | ||
+ | log "Move file ' | ||
+ | $RM_COMMAND -f $FILE_LOCK | ||
+ | sendmail ERROR | ||
+ | movelog | ||
+ | exit 50 | ||
+ | else | ||
+ | log "" | ||
+ | log "Move file ' | ||
+ | fi | ||
+ | |||
+ | $CHOWN_COMMAND -R root.root $FINAL_DIR/ | ||
+ | |||
+ | if [ " | ||
+ | retval $? | ||
+ | log "Owner set ' | ||
+ | $RM_COMMAND -f $FILE_LOCK | ||
+ | sendmail ERROR | ||
+ | movelog | ||
+ | exit 51 | ||
+ | else | ||
+ | log "Owner set ' | ||
+ | fi | ||
+ | |||
+ | $CHMOD_COMMAND -R 644 $FINAL_DIR/ | ||
+ | |||
+ | if [ " | ||
+ | retval $? | ||
+ | log " | ||
+ | $RM_COMMAND -f $FILE_LOCK | ||
+ | sendmail ERROR | ||
+ | movelog | ||
+ | exit 52 | ||
+ | else | ||
+ | log " | ||
+ | fi | ||
+ | |||
+ | $BINARY_DOVECOT_PATH reload | ||
+ | |||
+ | if [ " | ||
+ | retval $? | ||
+ | log " | ||
+ | $RM_COMMAND -f $FILE_LOCK | ||
+ | sendmail ERROR | ||
+ | movelog | ||
+ | exit 53 | ||
+ | else | ||
+ | log "" | ||
+ | log " | ||
+ | fi | ||
+ | |||
+ | # Finish update. | ||
+ | log "" | ||
+ | log " | ||
+ | log "| End update from $SCRIPT_NAME ...................... |" | ||
+ | log " | ||
+ | log "" | ||
+ | |||
+ | # Status e-mail. | ||
+ | if [ $MAIL_STATUS = ' | ||
+ | sendmail STATUS | ||
+ | fi | ||
+ | # Move temporary log to permanent log | ||
+ | movelog | ||
+ | |||
+ | exit 0 | ||
+ | </ | ||
+ | |||
+ | Um das Skript **einmal wöchentlich** laufen zu lassen, kann das vorhergehende Skript im Verzeichnis | ||
+ | * ''/ | ||
+ | erstellt werden. | ||
+ | |||
+ | Anschließend müssen noch die erforderlich **Datei**rechte mit nachfolgendem Befehl gesetzt werden, damit das Skipt auch ausgeführt werden kann, hier nachfolgendes **Beispiel**: | ||
+ | < | ||
+ | # chmod +x / | ||
+ | </ | ||
+ | |||
+ | Das oben gezeigte Skript führt nachfolgende Aktionen aus: | ||
+ | - Erstellen einer Konfigurationsdatei ''/ | ||
+ | - Erzeugen einer neuen **temporären** Diffie-Hellman Parameter-Datei | ||
+ | - Kopieren der neuen **temporären** Diffie-Hellman Parameter-Datei auf die durch [[http:// | ||
+ | - Setzen der richtigen **Besitz**rechte | ||
+ | - Setzen der richtigen **Datei**rechte | ||
+ | - Neustart von [[http:// | ||
+ | - Benachrichtigung im Skript-**Fehlerfall** via e-Mail | ||
+ | - Benachrichtigung via e-Mail über eine erfolgreiche Ausführung, | ||
+ | - Erstellen einer **LOG-Datei** über die Skript-Ausführung in ''/ | ||
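Review bot: The error handling after `$MV_COMMAND $STATE_DIR/...` does not see the exit status of `mv`: once execution is inside the `if [ "..." ]` branch, `$?` holds the result of the `[` test, so `retval $?` on the next line is always called with 0 and its message is never logged; the same pattern repeats after `$CHOWN_COMMAND`, `$CHMOD_COMMAND` and `$BINARY_DOVECOT_PATH reload`. Capture the status once right after each command (`RC=$?`) and pass `$RC` to both the test and `retval`. As far as the visible lines show, nothing checks the exit status of `$BINARY_SSL_PARAMS_PATH -c $PARAM_DIR/...` before the generated file is moved into `$FINAL_DIR`, so a failed or interrupted generation could still replace the parameter file that Dovecot then reloads; testing that status and that `$PARAM_FILE` is non-empty before the `mv` would close that gap. Minor: `root.root` in the `chown` call is the deprecated form of `root:root`, the backtick `command -v` assignments would read better as `$(command -v ...)`, and "runnig", "Lenght" and "Diffie-Helmann" are typos in the log messages and the generated configuration comments.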
tachtler/dovecot_sicherheit.txt · Last modified: 2015/07/11 09:22 by klaus