Zhihu column | Multidimensional Architecture | WeChat: netkiller-ebook | QQ group: 128659835 (say "reader" when requesting to join)
Postfix ships with the postconf configuration tool. There are two ways to configure Postfix: the first is to edit the two configuration files main.cf and master.cf with a text editor; the second is to use the postconf command.
Modify a configuration item:
postconf -e "myhostname=mail.netkiller.cn"
Delete a queued message awaiting delivery:
# mailq
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
CB71F8022974     3038 Wed Oct 19 01:57:03  MAILER-DAEMON
(connect to example.com[2606:2800:220:1:248:1893:25c8:1946]:25: Network is unreachable)
                                         root@example.com

-- 3 Kbytes in 1 Request.
# postsuper -d CB71F8022974 deferred
postsuper: CB71F8022974: removed
postsuper: Deleted: 1 message
# mailq
Mail queue is empty
Delete all queued messages awaiting delivery:
postsuper -d ALL deferred
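Queue hygiene is easier when the deferral reasons are machine-readable. As an added example written for this page (not code from the original), the following Python parser reads the mailq listing shown above (embedded here as a constructed string) and returns the queue IDs of deferred messages matching a given reason, so a queue can be cleaned selectively instead of with -d ALL.

```python
import re
from typing import Dict, List

# Constructed sample: the mailq listing shown above, embedded verbatim.
SAMPLE_MAILQ = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
CB71F8022974     3038 Wed Oct 19 01:57:03  MAILER-DAEMON
(connect to example.com[2606:2800:220:1:248:1893:25c8:1946]:25: Network is unreachable)
                                         root@example.com

-- 3 Kbytes in 1 Request.
"""

# First line of an entry: queue ID (alphanumeric in both the short and the long
# queue-ID formats), an optional "*" (active) or "!" (hold) flag, size in bytes,
# arrival time, and sender.
ENTRY_RE = re.compile(r"^([0-9A-Za-z]+)([*!]?)\s+(\d+)\s+(\w{3} \w{3} +\d+ [\d:]+)\s+(\S+)$")

def parse_mailq(text: str) -> List[Dict]:
    """Parse sendmail-style `mailq` output into a list of queue entries."""
    entries, current = [], None
    for line in text.splitlines():
        if line == "Mail queue is empty":
            break
        if line.startswith("-Queue ID-") or line.startswith("--") or not line.strip():
            continue  # column header, trailing summary, blank separators
        m = ENTRY_RE.match(line)
        if m:
            qid, flag, size, arrival, sender = m.groups()
            # No flag means the message sits in the deferred (or incoming) queue.
            current = {"queue_id": qid, "size": int(size), "arrival": arrival,
                       "sender": sender, "recipients": [], "reason": "",
                       "state": {"*": "active", "!": "hold"}.get(flag, "deferred")}
            entries.append(current)
        elif current is not None:
            detail = line.strip()
            if detail.startswith("(") and detail.endswith(")"):
                current["reason"] = detail[1:-1]  # deferral reason shown in parentheses
            else:
                current["recipients"].append(detail)  # one recipient per line
    return entries

def deferred_ids(entries: List[Dict], reason_contains: str = "") -> List[str]:
    """Queue IDs of deferred messages whose deferral reason contains the given text;
    this is the list to hand to `postsuper -d` instead of using `-d ALL`."""
    return [e["queue_id"] for e in entries
            if e["state"] == "deferred" and reason_contains in e["reason"]]
```

The returned IDs can be piped one per line into `postsuper -d -`, which reads queue IDs from standard input.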
Bind all the IP addresses to the server:
cd /etc/sysconfig/network-scripts
vim ifcfg-enp2s0
# cat ifcfg-enp2s0
TYPE="Ethernet"
BOOTPROTO="none"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
NAME="enp2s0"
UUID="c27c6ef8-ab82-4019-af0a-9f3a70b2d230"
DEVICE="enp2s0"
ONBOOT="yes"
DNS1="8.8.8.8"
IPADDR="192.168.0.1"
... ...
IPADDR247="192.168.0.250"
PREFIX="26"
PREFIX0="24"
GATEWAY="192.168.0.254"
IPV6_PEERDNS="yes"
IPV6_PEERROUTES="yes"
IPV6_PRIVACY="no"
IP range 192.168.0.1-192.168.0.250 on interface enp2s0, i.e. aliases enp2s0:1 through enp2s0:250.
Initialize Postfix multi-instance support:
postmulti -e init
Create the Postfix instances:
postmulti -I postfix-1 -G mta -e create
... ...
postmulti -I postfix-250 -G mta -e create
Enable the Postfix instances:
postmulti -i postfix-1 -e enable
... ...
postmulti -i postfix-250 -e enable
Configure the Postfix instances (each one binds its outbound SMTP client to its own address):
postmulti -i postfix-1 -x postconf -e \
    "master_service_disable =" \
    "authorized_submit_users = root" \
    "minimal_backoff_time= 30d" \
    "maximal_backoff_time = 300d" \
    "mynetworks = 127.0.0.0/8,192.168.0.0/24" \
    "inet_interfaces = \$myhostname" \
    "mailbox_size_limit = 0" \
    "message_size_limit = 0" \
    "myhostname = mail.example.com" \
    "myorigin = mail.example.com" \
    "mydomain = example.com" \
    "smtp_bind_address = 192.168.0.1"
... ...
postmulti -i postfix-250 -x postconf -e \
    "master_service_disable =" \
    "authorized_submit_users = root" \
    "minimal_backoff_time= 30d" \
    "maximal_backoff_time = 300d" \
    "mynetworks = 127.0.0.0/8,192.168.0.0/24" \
    "inet_interfaces = \$myhostname" \
    "mailbox_size_limit = 0" \
    "message_size_limit = 0" \
    "myhostname = mail.example.com" \
    "myorigin = mail.example.com" \
    "mydomain = example.com" \
    "smtp_bind_address = 192.168.0.250"
iptables -t nat -I POSTROUTING -m state --state NEW -p tcp --dport 25 -o eth0 -m statistic --mode nth --every 250 -j SNAT --to-source 192.168.0.1
... ...
iptables -t nat -I POSTROUTING -m state --state NEW -p tcp --dport 25 -o eth0 -m statistic --mode nth --every 250 -j SNAT --to-source 192.168.0.250
Note: do not configure iptables as shown below. In testing, the 192.168.0.1-192.168.0.250 address-range form does not rotate the source IP address.
iptables -t nat -I POSTROUTING -o enp2s0f0 -p tcp -m state --state NEW -m tcp -m statistic --mode nth --every 5 --packet 0 -j SNAT --to-source 192.168.0.1-192.168.0.250
Test the iptables rules: with curl you will see a brand-new IP address on each request.
[root@www.netkiller.cn ~]# curl http://ip.cn
當前 IP:173.254.223.57 來自:美國 QuadraNet
[root@www.netkiller.cn ~]# curl http://ip.cn
當前 IP:173.254.223.54 來自:美國 QuadraNet
[root@www.netkiller.cn ~]# curl http://ip.cn
當前 IP:107.167.40.137 來自:美國
[root@www.netkiller.cn ~]# curl http://ip.cn
當前 IP:173.254.223.55 來自:美國 QuadraNet
[root@www.netkiller.cn ~]# curl http://ip.cn
當前 IP:107.167.40.134 來自:美國
[root@www.netkiller.cn ~]# curl http://ip.cn
當前 IP:173.254.223.56 來自:美國 QuadraNet
[root@www.netkiller.cn ~]# curl http://ip.cn
當前 IP:173.254.223.54 來自:美國 QuadraNet
[root@www.netkiller.cn ~]# curl http://ip.cn
當前 IP:107.167.40.132 來自:美國
[root@www.netkiller.cn ~]# curl http://ip.cn
當前 IP:173.254.223.53 來自:美國 QuadraNet
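Before relying on a chain of nth rules it is worth checking what the counters actually do. As an added example written for this page (not from the original), the Python model below reproduces the xt_statistic nth counter (a per-rule counter advanced only by packets that reach the rule) and walks new connections through a nat POSTROUTING chain with first-match-wins semantics. It goes slightly beyond the text by also modelling the countdown form (--every n, n-1, ..., 1) that netfilter documentation uses for nth load balancing, and it models the address-range rule from the note above only as far as how many connections reach the SNAT target, since which address the kernel picks from a range is not simulated.

```python
from collections import Counter
from typing import List, Optional

class NthRule:
    """One `-m statistic --mode nth --every N --packet P -j SNAT --to-source SRC` rule.

    Models xt_statistic: each rule keeps its own counter, advanced only by packets
    that reach the rule, and matches the (P+1)-th of every N packets it sees.
    Only the first packet of a NEW connection reaches nat POSTROUTING, so one
    "packet" here is one new outbound connection.
    """
    def __init__(self, every: int, source: str, packet: int = 0):
        assert 0 <= packet < every
        self.every, self.packet, self.source = every, packet, source
        self.seen = 0

    def match(self) -> bool:
        hit = self.seen % self.every == self.packet
        self.seen += 1
        return hit

def snat_sequence(rules: List[NthRule], connections: int) -> List[Optional[str]]:
    """Source address chosen for each new connection; the first matching rule wins.
    None means no SNAT rule matched, so the packet leaves with the primary address."""
    return [next((r.source for r in rules if r.match()), None) for _ in range(connections)]

def uniform_every_chain(addresses: List[str]) -> List[NthRule]:
    """The form used above: every rule gets `--every len(addresses) --packet 0`."""
    return [NthRule(len(addresses), a) for a in addresses]

def countdown_chain(addresses: List[str]) -> List[NthRule]:
    """The documented nth load-balancing form: rule i gets `--every (n-i)`, so the
    last rule always matches (in practice it is written without -m statistic)."""
    n = len(addresses)
    return [NthRule(n - i, a) for i, a in enumerate(addresses)]

def single_range_rule(every: int) -> List[NthRule]:
    """The form warned against above: one `--every N` rule with an address range.
    Whatever address the kernel would pick from the range, only 1 in N new
    connections reaches the SNAT target at all."""
    return [NthRule(every, "range")]

def distribution(rules: List[NthRule], connections: int) -> Counter:
    """How many connections ended up on each source address (None = primary)."""
    return Counter(snat_sequence(rules, connections))
```

Comparing distribution(uniform_every_chain(addrs), 400) with distribution(countdown_chain(addrs), 400) shows how evenly each form spreads connections across the addresses.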
netkiller-firewall is used in place of raw iptables, because traditional iptables rules are hard to write and hard to read.
# unzip firewall-master.zip
# yum install -y python34
# bash install.sh
# /etc/init.d/firewall
Usage: /etc/init.d/firewall {start|stop|status|restart}
Change RULE=www to RULE=smtp:

# cat /etc/init.d/firewall | grep RULE
RULE=smtp
# cat /etc/sysconfig/firewall
LIBEXEC=/srv/firewall/libexec
RULE=smtp
Edit the ACL rules:
# vim /srv/firewall/libexec/smtp.py
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#  example.py
#
#  Copyright 2013 neo <netkiller@msn.com>
#
#  This program is free software; you can redistribute it and/or modify
#  it under the terms of the GNU General Public License as published by
#  the Free Software Foundation; either version 2 of the License, or
#  (at your option) any later version.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program; if not, write to the Free Software
#  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
#  MA 02110-1301, USA.
#
#
from firewall import *

########################################
# Web Application
########################################
smtp = Firewall()
smtp.flush()
smtp.policy(smtp.INPUT,smtp.ACCEPT)
smtp.policy(smtp.OUTPUT,smtp.ACCEPT)
smtp.policy(smtp.FORWARD,smtp.ACCEPT)
smtp.policy(smtp.POSTROUTING,smtp.ACCEPT)

# Inbound filtering: established traffic, ICMP, loopback, SSH, SMTP and POP3
smtp.input().state(('RELATED','ESTABLISHED')).accept()
smtp.input().protocol('icmp').accept()
smtp.input().interface('-i','lo').accept()
smtp.input().protocol('tcp').state('NEW').dport('22').accept()
smtp.input().protocol('tcp').state('NEW').dport(('25','110')).accept()
#smtp.input().protocol('tcp').dport(('3306','5432')).reject()
smtp.input().reject('--reject-with icmp-host-prohibited')
smtp.forward().reject('--reject-with icmp-host-prohibited')

# Outbound source NAT: one nth-statistic SNAT rule per source address
for ip in range(53,58):
    smtp.postrouting().outbound('enp2s0').protocol('tcp').state('NEW').statistic('5').snat('--to-source 173.24.223.'+str(ip))
for ip in range(130,191):
    smtp.postrouting().outbound('enp2s0').protocol('tcp').state('NEW').statistic('5').snat('--to-source 107.17.40.'+str(ip))
for ip in range(2,63):
    smtp.postrouting().outbound('enp2s0').protocol('tcp').state('NEW').statistic('5').snat('--to-source 107.18.142.'+str(ip))
for ip in range(130,191):
    smtp.postrouting().outbound('enp2s0').protocol('tcp').state('NEW').statistic('5').snat('--to-source 146.71.38.'+str(ip))
for ip in range(194,255):
    smtp.postrouting().outbound('enp2s0').protocol('tcp').state('NEW').statistic('5').snat('--to-source 104.20.164.'+str(ip))

def start():
    smtp.start()

def stop():
    smtp.stop()

def restart():
    smtp.stop()
    smtp.start()

def show():
    smtp.show()

def status():
    smtp.status()

def main():
    show()
    return( 0 )

if __name__ == '__main__':
    main()
Start the firewall:
systemctl enable firewall
systemctl start firewall
On CentOS 6.x and earlier, use the /etc/init.d/firewall script instead.