標籤: linux
不管是MacOS, Windows 都需要關閉trim
仿間都說為了要增進SSD效率與壽命, 必須確保trim功能是關閉的
MacOS
sudo trimforce enable
Windows
# cmd 以管理者權限執行 fsutil behavior set disabledeletenotify 0
Linux (複雜,先不弄)
遊走於MacOS與ubuntu的檔案系統
我已經很久沒有把windows當作主機的開機作業系統,並不是windows不好用,反而是windows很常用,常用到若要重新安裝,會非常頭痛.
因此主機開機作業系統就改成ubuntu 18.04, 然後使用virtualbox掛載windows 10 虛擬主機, 這種方式最方便.
後來因為需要開發iOS app, 決定將原本的pc重灌成黑蘋果Mojave(10.14.x) , 期間遇到的問題就是檔案格式要如何滿足MacOS與ubuntu.
網路上大家都建議使用extFAT的方式, 這樣windows與mac 都可以相容, 但是效能不彰, 也嘗試過讓黑蘋果下載外掛讓ntfs變成可以寫入的狀態, 但是不穩定.
最後突然發現HFS+(Mac Extended,no journaled)的格式可以相容MacOS與ubuntu, 雖說windows不相容, 不過沒關係, 我的目標是資料硬碟相容於MacOS以及Linux就好了, 只要讓這兩個作業系統透過分享目錄的方式,windows就可以存取資料了.
格式化HFS+的方式有兩種, 一種是ubuntu開機直接硬碟格式化成HFS+, 另一種是MacOS開機, 格式化成HFS+.
ubuntu格式化直接就是no journaled, 但是MacOS居然只能選with journaled的格式, 後來發現MacOS可以下指令改成no journaled.
sudo diskutil disableJournal /dev/diskXXX
ps. diskXXX是磁碟分割代號,可由Disk Utitity取得
安裝CentOS8注意事項
大概就是一些心得, 安裝後要更新,要加上epel-release
1. vi /etc/profile export LANG=en_US.UTF-8 export LANGUAGE=en_US.UTF-8 export LC_COLLATE=C export LC_CTYPE=en_US.UTF-8 2. dnf install epel-release dnf update sync;reboot 3.後續遇到再補
Zimbra(金芭樂)郵件伺服器安裝心得
Zimbra我是最近從節神大大(http://blog.jason.tools/)得知是一套優質的郵件服務器,
在此之前我推薦的是 iredmail , 安裝非常簡單,可以多網域管理, 但iredmail免費版並沒有整合microsoft active directory,不建議有AD的企業使用.
Zimbra社群版本,能跟AD整合,還滿適合企業使用, 以下節錄一些心得與重點, 不會紀錄詳細的安裝方式.
Zimbra Container
我通常會優先尋找container的方式安裝, 原因是想快速體驗.不過官方網站的docker停留在2017年的版本, 安裝的時候會失敗, 於是就作罷, 後續接手應該就是 Zimbra X版本了.
手動安裝
只要準備好Linux OS(我使用CenOS 7), 下載最新相對應的檔案(我使用8.8.15), 解開後,執行裡面的 install.sh 就可以依照指示安裝, 安裝前需要搞定hostname. 要修改/etc/hosts 以及執行hostnamectl set-hostname , 這部分install.sh也會提示您.
解除安裝
畢竟不是container, 若解除安裝有問題, 可能造成OS不穩定或是常駐無用服務的狀況, 好險到目前為止安裝很順利, 解除安裝也很簡單, 只要執行 ./install.sh -u 就可以進行解除安裝程序.
解除安裝曾遇到一個問題,就是CentOS有個套件移除不乾淨,需要手動移除, 可以使用rpm -qa|grep zimbra的方式找出相關套件, 手動移除, 這樣才可以移除乾進,才能重新安裝哦.
登入帳號與郵件不同如何處理
- 管理者協助新增別名
- 使用者登入webmail, 設定寄件者郵件為別名email
- 系統管理者停用aliases登入功能
su - zimbra
zmlocalconfig -e alias_login_enabled=false
zmcontrol restart mailbox
安裝前請關閉CentOS7上預設的Mail Server
因為zimbra自帶mail server , 所以用不到Linux內建的, 請關閉,否則會衝突
systemctl stop postfix ; systemctl disable postfix
zimbra proxy啟動失敗, 出現invalid port in “0” of the “listen”錯誤
cd /opt/zimbra/libexec ./zmproxyconfig -e -w -H <zimbra host name> ./zmproxyconfig -e -m -H <zimbra host name>
自動取得Let’s Encrypt證書
- 設定網域的CAA
- 確認開防火牆 80,443有開放
- 確認zimbra的proxy監聽80,443 (設定both,而不是只有https,這樣會造成let’s encrypt認證失敗
- 安裝let’s Encrypt 的 自動獲取程式 certbot
yum install epel-release mod_ssl certbot -y
- 下載 certbot-zimbra
#下載certbot_zimbra
wget https://raw.githubusercontent.com/YetOpen/certbot-zimbra/master/certbot_zimbra.sh -P /usr/local/bin
chmod +x /usr/local/bin/certbot_zimbra.sh
#確定主機名稱
/opt/zimbra/bin/zmhostname
# 自動獲取證書
##單一主機名稱)
certbot_zimbra.sh -n
##或是多主機
certbot_zimbra.sh -n -e <第二主機名稱> - 重啟zimbra
- 設定自動更新(這方式很多,請參考certbot-zimbra官網
- certbot-zimbra網站 https://github.com/YetOpen/certbot-zimbra
擋信政策
擋信政策可以使用管理頁面登入, 參考https://wiki.zimbra.com/wiki/Anti-spam_Strategies 建議設定
- reject_non_fqdn_sender
- reject_unknown_sender_domain
- rbl
- rhbl
手動設定擋信政策
新版設定不太一樣,針對postscreen新的設定可參考這裏 , 另外可參考 這個網站 提供的整體建議.
我綜合之後的設定(有些可使用管理頁面設定就不再額外加入)
## antispam enable ### check status zmlocalconfig antispam_enable_rule_updates zmlocalconfig antispam_enable_restarts ### set enable zmlocalconfig -e antispam_enable_rule_updates=true zmlocalconfig -e antispam_enable_restarts=true zmprov mcf zimbraSpamKillPercent 75 zmprov mcf zimbraSpamTagPercent 20 zmprov mcf zimbraSpamSubjectTag "** CAUTION! SUSPICIOUS EMAIL **" ### restart zmamavisdctl restart ## set MTA restriction zmprov mcf +zimbraMtaBlockedExtension asd zmprov mcf +zimbraMtaBlockedExtension bat zmprov mcf +zimbraMtaBlockedExtension cab zmprov mcf +zimbraMtaBlockedExtension chm zmprov mcf +zimbraMtaBlockedExtension cmd zmprov mcf +zimbraMtaBlockedExtension com zmprov mcf +zimbraMtaBlockedExtension dll zmprov mcf +zimbraMtaBlockedExtension do zmprov mcf +zimbraMtaBlockedExtension exe zmprov mcf +zimbraMtaBlockedExtension hlp zmprov mcf +zimbraMtaBlockedExtension hta zmprov mcf +zimbraMtaBlockedExtension js zmprov mcf +zimbraMtaBlockedExtension jse zmprov mcf +zimbraMtaBlockedExtension lnk zmprov mcf +zimbraMtaBlockedExtension ocx zmprov mcf +zimbraMtaBlockedExtension pif zmprov mcf +zimbraMtaBlockedExtension reg zmprov mcf +zimbraMtaBlockedExtension scr zmprov mcf +zimbraMtaBlockedExtension shb zmprov mcf +zimbraMtaBlockedExtension shm zmprov mcf +zimbraMtaBlockedExtension shs zmprov mcf +zimbraMtaBlockedExtension vbe zmprov mcf +zimbraMtaBlockedExtension vbs zmprov mcf +zimbraMtaBlockedExtension vbx zmprov mcf +zimbraMtaBlockedExtension vxd zmprov mcf +zimbraMtaBlockedExtension wsf zmprov mcf +zimbraMtaBlockedExtension wsh zmprov mcf +zimbraMtaBlockedExtension xl zmprov mcf +zimbraMtaBlockedExtensionWarnAdmin TRUE zmprov mcf +zimbraMtaBlockedExtensionWarnRecipient TRUE zmprov mcf zimbraVirusBlockEncryptedArchive FALSE zmprov gcf zimbraMTARestriction ## set Postscreen , 8.7 and above ### https://wiki.zimbra.com/wiki/Zimbra_Collaboration_Postscreen ### medium/high level zmprov mcf zimbraMtaPostscreenAccessList permit_mynetworks zmprov mcf zimbraMtaPostscreenBareNewlineAction ignore zmprov mcf zimbraMtaPostscreenBareNewlineEnable no zmprov mcf zimbraMtaPostscreenBareNewlineTTL 30d zmprov mcf zimbraMtaPostscreenBlacklistAction ignore zmprov mcf zimbraMtaPostscreenCacheCleanupInterval 12h zmprov mcf zimbraMtaPostscreenCacheRetentionTime 7d zmprov mcf zimbraMtaPostscreenCommandCountLimit 20 zmprov mcf zimbraMtaPostscreenDnsblAction enforce zmprov mcf zimbraMtaPostscreenDnsblSites 'b.barracudacentral.org=127.0.0.2*7' zimbraMtaPostscreenDnsblSites 'dnsbl.inps.de=127.0.0.2*7' zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.[10;11]*8' zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.[4..7]*6' zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.3*4' zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.2*3' zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].0*-2' zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].1*-3' zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].2*-4' zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].3*-5' zimbraMtaPostscreenDnsblSites 'bl.mailspike.net=127.0.0.2*5' zimbraMtaPostscreenDnsblSites 'bl.mailspike.net=127.0.0.[10;11;12]*4' zimbraMtaPostscreenDnsblSites 'wl.mailspike.net=127.0.0.[18;19;20]*-2' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.10*8' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.5*6' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.7*3' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.8*2' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.6*2' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.9*2' zmprov mcf zimbraMtaPostscreenDnsblTTL 5m zmprov mcf zimbraMtaPostscreenDnsblThreshold 8 zmprov mcf zimbraMtaPostscreenDnsblTimeout 10s zmprov mcf zimbraMtaPostscreenDnsblWhitelistThreshold 0 zmprov mcf zimbraMtaPostscreenGreetAction enforce zmprov mcf zimbraMtaPostscreenGreetTTL 1d zmprov mcf zimbraMtaPostscreenNonSmtpCommandAction drop zmprov mcf zimbraMtaPostscreenNonSmtpCommandEnable no zmprov mcf zimbraMtaPostscreenNonSmtpCommandTTL 30d zmprov mcf zimbraMtaPostscreenPipeliningAction enforce zmprov mcf zimbraMtaPostscreenPipeliningEnable no zmprov mcf zimbraMtaPostscreenPipeliningTTL 30d zmprov mcf zimbraMtaPostscreenWatchdogTimeout 10s zmprov mcf zimbraMtaPostscreenWhitelistInterfaces static:all ### Create /opt/zimbra/common/conf/postscreen_wblist vi /opt/zimbra/common/conf/postscreen_wblist ### Rules are evaluated in the order as specified. ### Blacklist 60.70.80.* except 60.70.80.91. 60.70.80.91/32 permit 60.70.80.0/24 reject ### enable white/black list zmprov mcf zimbraMtaPostscreenAccessList "permit_mynetworks, cidr:/opt/zimbra/common/conf/postscreen_wblist" zmprov mcf zimbraMtaPostscreenBlacklistAction enforce ### sender/recipient mismatch zmprov mcf zimbraMtaSmtpdSenderLoginMaps proxy:ldap:/opt/zimbra/conf/ldap-slm.cf zmprov mcf +zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch zmprov mcf zimbraMtaSmtpdRejectUnlistedRecipient yes zmprov mcf zimbraMtaSmtpdRejectUnlistedSender yes ### restart zmmtactl restart zmconfigdctl restart
重新啟動時, 出現 Unable to start TLS: SSL connect attempt failed error解決方式
zmcontrol stop zmlocalconfig -e ldap_starttls_required=false zmlocalconfig -e ldap_starttls_supported=0 Zmcontrol start
CentOS設定主機名稱
有些套件需要先設定正確的主機名稱, centos 7以後要改用 hostnamectl 指令更新, 而且有時候還要手動修改 /etc/hosts ( IP 完整名稱, 簡稱)
hostnamectl set-hostname <主機完整名稱>
使用docker安裝nextcloud
新版安裝方式請到這裡查看
——————-以下是舊版安裝方式——————-
- 建立volume
- 設定mariadb data
- 執行
- 設定trusted_domain
建立volume
docker volume create nextcloud-www docker volume create nextcloud-app docker volume create nextcloud-config docker volume create nextcloud-data docker volume create nextcloud-theme
確認 mariadb 資料庫伺服器是否準備好
執行docker指令
docker run -d -p <對應的port>:80 -v nextcloud-www:/var/www/html -v nextcloud-app:/var/www/html/custom_apps -v nextcloud-config:/var/www/html/config -v nextcloud-data:/var/www/html/data -v nextcloud-theme:/var/www/html/themes/mycustom --link <docker資料庫名稱>:mysql -e MYSQL_DATABASE=nextcloud -e MYSQL_USER=root -e MYSQL_PASSWORD=<密碼> -e MYSQL_HOST=mysql --restart=always --name nextcloud nextcloud
若有apache或是nginx作為反向proxy, 將https帶到nextcloud, 需設定trust_domain(網站會提醒)
httpd設定
# for CalDav
RewriteEngine On
RemoteIPHeader X-Forwarded-For
RewriteRule ^/\.well-known/carddav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L] RewriteRule ^/\.well-known/caldav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
# form redirect
<VirtualHost *:80>
ServerName <server name>
Redirect permanent / https://<server name>/
</VirtualHost>
<VirtualHost *:443>
# form security
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>
</VirtualHost>
nextcloud config設定
若使用httpd proxy 的方式需要加入以下設定, 以免登入轉圈圈無法進入頁面, 修改 config.php 檔案
'overwritehost' => '<主機名稱>', 'overwriteprotocol' => 'https',
執行command
docker exec --user www-data <CONTAINER_ID> php occ 例入遇到上傳檔案失敗, 或是一些檔案錯誤可執行 docker exec --user www-data <container id> php occ files:scan --all
Linux 消去日期(月份,周)中有0的字樣
如何安裝php加解密套件 ionCube
php網站開發商為了保護自己的程式, 常常使用ionCube這個套件將程式加密,
因此咖啡偶拿到廠商的程式, 需要安裝ionCube解開執行:
1 下載並解開
wget http://downloads3.ioncube.com/loader_downloads/ioncube_loaders_lin_x86-64.tar.gz
2 複製與php對應版本之so或是dll檔案
例如php是5.6
cp ioncube_loader_lin_5.6.so /usr/lib64/php/modules/
3. php.ini新增一筆
zend_extension = /usr/lib64/php/modules/ioncube_loader_lin_5.6.so
4. 檢查是否成功
php -m
CentOS 7 安裝postfix郵件伺服器簡易步驟
本文章設定的郵件伺服器, 並不包含郵件過濾功能 , 帳號綁定windows網域 , 連線使用TLS加密連線
紅色的部份需要注意, 此外若出現 kafeiou.pw 請記得取代掉
#郵件過濾功能(mail gateway),請參考此文章
#2011年曾經寫過類似文章當時是CentOS6,應該大同小異
1. 修改 /etc/postfix/main.cf ,
############################################################### myhostname = mail.kafeiou.pw mydestination=/etc/postfix/local-host-names inet_interfaces = all # Enable IPv4, and IPv6 if supported inet_protocols = all mynetworks = 127.0.0.0/8,192.168.1.0/24 queue_directory = /var/spool/postfix mail_owner = postfix command_directory = /usr/sbin daemon_directory = /usr/libexec/postfix data_directory = /var/lib/postfix unknown_local_recipient_reject_code = 550 home_mailbox = Maildir/ sendmail_path = /usr/sbin/sendmail.postfix newaliases_path = /usr/bin/newaliases.postfix mailq_path = /usr/bin/mailq.postfix setgid_group = postdrop html_directory = no manpage_directory = /usr/share/man ############################################################### smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_hostname, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_destination, smtpd_client_restrictions = permit_sasl_authenticated, smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain ############################################################### message_size_limit = 150600000 mailbox_size_limit = 250600000 virtual_mailbox_limit = 250600000 disable_vrfy_command = yes strict_rfc821_envelopes = yes bounce_queue_lifetime = 1d ############################################################### smtpd_sasl_auth_enable = yes smtpd_sasl_security_options = noanonymous broken_sasl_auth_clients = yes smtpd_sasl_authenticated_header = yes smtpd_sasl_local_domain = ############################################################### smtpd_helo_required = yes smtpd_delay_reject = yes smtpd_helo_restrictions = permit_mynetworks, permit ############################################################## virtual_mailbox_domains = /etc/postfix/domains virtual_mailbox_base = /home/vmail virtual_mailbox_maps = ldap:/etc/postfix/ldap-users.cf # 1001 is id of user "vmail" created in linux virtual_uid_maps = static:1001 virtual_gid_maps = static:1001 virtual_alias_maps = hash:/etc/aliases,ldap:/etc/postfix/ldap-aliases.cf ############################################################## recipient_bcc_maps = hash:/etc/postfix/recipient_bcc sender_bcc_maps = hash:/etc/postfix/sender_bcc #inet_protocols = ipv4 smtpd_tls_security_level = may smtpd_tls_key_file = /etc/letsencrypt/live/mail.kafeiou.pw/privkey.pem smtpd_tls_cert_file = /etc/letsencrypt/live/mail.kafeiou.pw/fullchain.pem # smtpd_tls_CAfile = /etc/pki/tls/root.crt smtpd_tls_loglevel = 1 smtpd_tls_session_cache_timeout = 3600s smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_cache tls_random_source = dev:/dev/urandom tls_random_exchange_name = /var/lib/postfix/prng_exch # 強制使用TLS smtpd_tls_auth_only = yes smtp_use_tls = yes smtpd_use_tls = yes smtp_tls_note_starttls_offer = yes # # Disable SSLv2, SSLv3 # smtpd_tls_protocols = !SSLv2 !SSLv3 smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3 smtp_tls_protocols = !SSLv2 !SSLv3 smtp_tls_mandatory_protocols = !SSLv2 !SSLv3 lmtp_tls_protocols = !SSLv2 !SSLv3 lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3 dovecot_destination_recipient_limit = 1 #performance smtpd_error_sleep_time = 0 default_process_limit = 150 qmgr_message_active_limit = 40000 qmgr_message_recipient_limit = 40000 default_destination_concurrency_limit=100 default_destination_recipient_limit=100 default_process_limit=200 smtp_mx_session_limit=100 smtpd_client_connection_count_limit=100 smtp_destination_concurrency_limit=100 maximal_backoff_time = 1000s minimal_backoff_time = 300s
2. 修改 /etc/postfix/local-host-names , 加上主機名稱
mail.kafeiou.pw
3. 修改 /etc/postfix/domains , 加上網域
kafeiou.pw
4.新增使用者 vmail , 並紀錄該使用者id , 並更新到 main.cf 裡面的id(可參考步驟1)
groupadd vmail -g 1001; useradd vmail -u 1001 -g 1001
5. 綁定網域帳號
裡面的 mail=%s 代表郵件紀錄在網域的mail欄位
vi /etc/postfix/ldap-users.cf
server_host = <主機ip> search_base = ou=taipei,dc=kafeiou,dc=pw version = 3 query_filter = (&(objectclass=*)(mail=%s)) result_attribute = samaccountname #Account from DC result_format = %s/Maildir/ bind = yes bind_dn = cn=ldap,cn=Users,dc=kafeiou,dc=pw bind_pw = <cn=ldap的密碼>
6. 綁定aliases, 網域設定群組
vi /etc/postfix/ldap-aliases.cf
server_host = <主機ip> search_base = ou=aliases,dc=kafeiou,dc=pw #scope = sub query_filter = (memberOf:1.2.840.113556.1.4.1941:=CN=%s,ou=aliases,dc=kafeiou,dc=pw) result_attribute = mail result_format = %s version = 3 bind = yes bind_dn = cn=ldap,cn=Users,dc=kafeiou,dc=pw bind_pw = <cn=ldap的密碼>
7. 取得letsencrypt, 更新步驟1相關的證書
按此連結到本站能找到資源 , 記得輸入guest/guest
8. 設定收發備份
/etc/postfix/recipient_bcc 與 /etc/postfix/sender_bcc
william收發信都會備份到, public , 記得改完套用 postmap /etc/postfix/recipient_bcc 與 /etc/postfix/sender_bcc
william@kafeiou.pw public@kafeiou.pw
9. 設定submission(TLS加密,使用587 port)
vi /etc/postfix/master.cf
submission inet n - n - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_reject_unlisted_recipient=no # -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
10, 修改 /etc/sysconfig/saslauthd
# Directory in which to place saslauthd's listening socket, pid file, and so # on. This directory must already exist. SOCKETDIR=/run/saslauthd # Mechanism to use when checking passwords. Run "saslauthd -v" to get a list # of which mechanism your installation was compiled with the ablity to use. #MECH=pam MECH=ldap # Additional flags to pass to saslauthd on the command line. See saslauthd(8) # for the list of accepted flags. FLAGS="-O /etc/postfix/saslauthd.conf -c -r"
11. 修改 /etc/postfix/saslauthd.conf
ldap_servers: ldap://<網域伺服器IP>:389/ ldap_search_base: ou=taipei,dc=kafeiou,dc=pw ldap_auth_method: bind ldap_version: 3 ldap_bind_dn: cn=ldap,cn=Users,dc=kafeiou,dc=pw ldap_bind_pw: <cn=ldap的密碼> ldap_filter: (sAMAccountName=%u) #ldap_filter: (mail=%u)
以上應該就能夠讓smtp 綁定網域, 以及擁有TLS(port 587)功能