Kadmin | обратитесь к системному администратору

Jan 08

Сертификат для Exchange

By kadmin | Exchange, WEB, Windows Server | No Comments

Теперь совсем некрасиво не воспользоваться возможностью получения бесплатного доверенного сертификата SSL для почтового сервера Exchange., уже заботливо написан скрипт для получения, установки и создания задачи для автоматического обновления SSL сертификата задолго до окончания его срока.

.\wacs.exe --target manual --host mail.domain.ru,autodiscover.domain.ru --certificatestore My --installation iis,script --installationsiteid 1 --script "./Scripts/ImportExchange.ps1" --scriptparameters "'{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'"

1	.\wacs.exe --target manual --host mail.domain.ru,autodiscover.domain.ru --certificatestore My --installation iis,script --installationsiteid 1 --script "./Scripts/ImportExchange.ps1" --scriptparameters "'{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'"

Жить стало лучше, жить стало веселей

Jun 03

Deleted mailboxes to PST

By kadmin | Exchange, Kadmin | No Comments

Ищем удалённые ящики в одной или во всех базах

$mailboxes = Get-mailboxdatabase | Get-MailboxStatistics | where-object { $_.DisconnectDate -ne $null}
$mailboxes = Get-mailboxdatabase | Get-MailboxStatistics | where-object { $_.DisconnectDate -ne $null -and $_.DisplayName -like "Иванов*"}
$mailboxes = Get-MailboxStatistics -Database mcs | where-object { $_.DisconnectDate -ne $null}
$mailboxes = Get-MailboxStatistics -Database mcs | where-object { $_.DisconnectDate -ne $null -and $_.DisplayName -like "Иванов Иван*"}

$mailboxes = Get-mailboxdatabase | Get-MailboxStatistics | where-object { $_.DisconnectDate -ne $null}

$mailboxes = Get-mailboxdatabase | Get-MailboxStatistics | where-object { $_.DisconnectDate -ne $null -and $_.DisplayName -like "Иванов*"}

$mailboxes = Get-MailboxStatistics -Database mcs | where-object { $_.DisconnectDate -ne $null}

$mailboxes = Get-MailboxStatistics -Database mcs | where-object { $_.DisconnectDate -ne $null -and $_.DisplayName -like "Иванов Иван*"}

Создаём временных пользователей (без однофамильцев)

foreach ($mailbox in $mailboxes){ New-ADUser -Path "ou=test,dc=domain,dc=com" -Name $mailbox.displayname.split(" ")[0] -enable $True -accountPassword (ConvertTo-SecureString -AsPlainText "!!qwerty2018" -Force)}

1	foreach ($mailbox in $mailboxes){ New-ADUser -Path "ou=test,dc=domain,dc=com" -Name $mailbox.displayname.split(" ")[0] -enable $True -accountPassword (ConvertTo-SecureString -AsPlainText "!!qwerty2018" -Force)}

Подключаем ящики к пользователям

foreach ($mailbox in $mailboxes) {Connect-Mailbox -Database $mailbox.database -Identity $mailbox -User $mailbox.displayname.split(" ")[0]}

1	foreach ($mailbox in $mailboxes) {Connect-Mailbox -Database $mailbox.database -Identity $mailbox -User $mailbox.displayname.split(" ")[0]}

Сохраняем в PST

foreach ($mailbox in $mailboxes) {
$box = Get-Mailbox -Identity $mailbox.displayname.split(" ")[0]
New-MailboxExportRequest -Name $box.name -Mailbox $box -FilePath \\server\folder\$box.pst
}

foreach ($mailbox in $mailboxes) {

$box = Get-Mailbox -Identity $mailbox.displayname.split(" ")[0]

New-MailboxExportRequest -Name $box.name -Mailbox $box -FilePath \\server\folder\$box.pst

}

May 10

Exchange. Перенос адресов в контакты

By kadmin | Exchange, Kadmin, PowerShell, Windows Server | No Comments

Формат файла:

DN,objectClass,mail
"CN=Jon Smith,OU=staff,DC=contoso,DC=com",contact,j.smith@contoso.com

1 2	DN,objectClass,mail "CN=Jon Smith,OU=staff,DC=contoso,DC=com",contact,j.smith@contoso.com

Экспорт

csvde.exe -u -d "OU=staff,DC=contoso,dc=com" -r "(&(objectClass=user)(company=contoso))" -l "objectClass,userPrincipalName" -f contoso_contacts.csv
(cat .\contoso_contacts.csv).replace("userPrincipalName","mail") | %{$_ -replace "user", "contact"} | %{$_ -replace "OU=staff,DC=contoso,dc=com","OU=slaves,DC=gontozo,dc=com"} > .\contoso_contacts_in_gontozo.csv

csvde.exe -u -d "OU=staff,DC=contoso,dc=com" -r "(&(objectClass=user)(company=contoso))" -l "objectClass,userPrincipalName" -f contoso_contacts.csv

(cat .\contoso_contacts.csv).replace("userPrincipalName","mail") | %{$_ -replace "user", "contact"} | %{$_ -replace "OU=staff,DC=contoso,dc=com","OU=slaves,DC=gontozo,dc=com"} > .\contoso_contacts_in_gontozo.csv

Импорт

csvde -i -f contoso_contacts_in_gontozo.csv
get-contact -organizationalunit slaves -RecipientTypeDetails Contact -Filter 'WindowsEmailAddress -ne $null' |  %{ enable-mailcontact -Identity $_ -ExternalEmailAddress $_.WindowsEmailAddress.toString() }

1 2	csvde -i -f contoso_contacts_in_gontozo.csv get-contact -organizationalunit slaves -RecipientTypeDetails Contact -Filter 'WindowsEmailAddress -ne $null' \| %{ enable-mailcontact -Identity $_ -ExternalEmailAddress $_.WindowsEmailAddress.toString() }

Apr 17

Exchange. URLs

By kadmin | Exchange, Kadmin | No Comments

Set-ClientAccessServer -Identity mx01.contoso.com -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml
Set-WebServicesVirtualDirectory -Identity "mx01.contoso.com\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx
Set-OABVirtualDirectory -Identity "mx01.contoso.com\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab
Set-ActiveSyncVirtualDirectory -Identity "mx01.contoso.com\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl https://mail.contoso.com/Microsoft-Server-ActiveSync
Set-OWAVirtualDirectory -Identity "mx01.contoso.com\owa (Default Web Site)" -InternalUrl https://mail.contoso.com/owa
Set-ECPVirtualDirectory -Identity "mx01.contoso.com\ecp (Default Web Site)" -InternalUrl https://mail.contoso.com/ecp
Set-OutlookAnywhere -Identity "mx01.contoso.com\Rpc (Default Web Site)" -InternalHostname mail.contoso.com -InternalClientsRequireSsl $true

Set-ClientAccessServer -Identity mx01.contoso.com -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "mx01.contoso.com\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "mx01.contoso.com\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab

Set-ActiveSyncVirtualDirectory -Identity "mx01.contoso.com\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl https://mail.contoso.com/Microsoft-Server-ActiveSync

Set-OWAVirtualDirectory -Identity "mx01.contoso.com\owa (Default Web Site)" -InternalUrl https://mail.contoso.com/owa

Set-ECPVirtualDirectory -Identity "mx01.contoso.com\ecp (Default Web Site)" -InternalUrl https://mail.contoso.com/ecp

Set-OutlookAnywhere -Identity "mx01.contoso.com\Rpc (Default Web Site)" -InternalHostname mail.contoso.com -InternalClientsRequireSsl $true

Mar 04

Rsync everything

By kadmin | Kadmin | No Comments

Подключаем внешний диск nano /etc/fstab

/dev/sdc1     /media/rsync     auto     noauto,x-systemd.automount     0 2

1	/dev/sdc1 /media/rsync auto noauto,x-systemd.automount 0 2

mkdir /media/rsync

1	mkdir /media/rsync

systemctl daemon-reload
systemctl restart remote-fs.target
systemctl restart local-fs.target

systemctl daemon-reload

systemctl restart remote-fs.target

systemctl restart local-fs.target

screen
rsync -aAXv / --exclude={"/dev/*","/proc/*","/sys/*","/tmp/*","/run/*","/mnt/*","/media/*","/lost+found"}  /media/rsync

1 2	screen rsync -aAXv / --exclude={"/dev/","/proc/","/sys/","/tmp/","/run/","/mnt/","/media/*","/lost+found"} /media/rsync

Jan 18

SpamAssassin

By kadmin | CentOS, Exchange, Kadmin, Linux | No Comments

yum install spammassassin
groupadd spamassassin
useradd -g spamassassin -s /bin/false -d /usr/local/spamassassin spamassassin

yum install spammassassin

groupadd spamassassin

useradd -g spamassassin -s /bin/false -d /usr/local/spamassassin spamassassin

nano /etc/mail/spamassassin/local.cf

1	nano /etc/mail/spamassassin/local.cf

nano /etc/postfix/master.cf

1	nano /etc/postfix/master.cf

smtp      inet  n       -       n       -       -       smtpd -o content_filter=spamassassin
spamassassin unix -     n       n       -       -       pipe user=spamassassin argv=/usr/bin/spamc -f -e  /usr/sbin/sendmail -oi -f ${sender} ${recipient}

1 2	smtp inet n - n - - smtpd -o content_filter=spamassassin spamassassin unix - n n - - pipe user=spamassassin argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

nano /etc/postfix/main.cf

1	nano /etc/postfix/main.cf

myhostname = mail.domain.ru #SPF
mydomain = domain.ru
myorigin = $mydomain
inet_interfaces = all
transport_maps = hash:/etc/postfix/transport
relay_domains = domain.ru

myhostname = mail.domain.ru #SPF

mydomain = domain.ru

myorigin = $mydomain

inet_interfaces = all

transport_maps = hash:/etc/postfix/transport

relay_domains = domain.ru

nano /etc/postfix/transport

1	nano /etc/postfix/transport

domain.ru smtp:10.10.10.10

1	domain.ru smtp:10.10.10.10

postmap /etc/postfix/transport

1	postmap /etc/postfix/transport

systemctl enable postfix
systemctl enable spamassassin
systemctl start postfix
systemctl start spamassassin

systemctl enable postfix

systemctl enable spamassassin

systemctl start postfix

systemctl start spamassassin

spamassassin -D --lint 2>&1 | grep -i failed

1	spamassassin -D --lint 2>&1 \| grep -i failed

cpan Geo::IP 
cpan Net::Patricia
cpan Digest::SHA1
cpan Razor2::Client::Agent
cpan  Mail::SPF

cpan Geo::IP

cpan Net::Patricia

cpan Digest::SHA1

cpan Razor2::Client::Agent

cpan Mail::SPF

Dec 19

Exchange DAG

By kadmin | Exchange, Kadmin, Windows Server | No Comments

В одной конторе) жил сервер Exchange 2013 и был запасной сервер в запасной сети в запасном сайте, связаны сервера были между собой через VPN. Решил я добавить mailbox дабы получить успокоительный DAG. Бессмысленно было создавать отдельную сеть для репликации и добавлять вторые сетевые карты в виртуальные машины находящиеся на разных хостах в разных местах, соединенных через одну VPN. Я добавил DAG без IP адреса:

И все было было бы хорошо но при добавлении сервера в DAG я получал следующие: Read More

Nov 01

OpenVPN Сеть за клиентом

By kadmin | CentOS, Kadmin, OpenVPN | No Comments

Установка OpenVPN на Centos

yum install epel-release -y
yum install openvpn easy-rsa –y
cp /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
./clean-all
source ./vars
./build-ca
./build-key-server server
./build-dh
./build-key first
./build-key second

yum install epel-release -y

yum install openvpn easy-rsa –y

cp /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa

cd /etc/openvpn/easy-rsa

./clean-all

source ./vars

./build-ca

./build-key-server server

./build-dh

./build-key first

./build-key second

В файле /etc/openvpn/server.conf распологается конфигурация сервера:
Read More

May 29

Два Asterisk 13 на CentOS 7

By kadmin | Asterisk, CentOS, Kadmin | No Comments

yum update -y
sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config && cat /etc/selinux/config && reboot
yum install ncurses-devel libuuid-devel libxml2-devel sqlite-devel openssl-devel
get http://www.digip.org/jansson/releases/jansson-2.10.tar.gz
tar zxf jansson-2.10.tar.gz
cd jansson-2.10/
./configure --libdir=/usr/lib64
make
make install
get http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-13-current.tar.gz
tar zxf asterisk-13-current.tar.gz
cd asterisk-13.16.0/
./configure --libdir=/usr/lib64
make menuselect
(if mp3 is selected) contrib/scripts/get_mp3_source.sh
make
make install
make config

yum update -y

sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config && cat /etc/selinux/config && reboot

yum install ncurses-devel libuuid-devel libxml2-devel sqlite-devel openssl-devel

get http://www.digip.org/jansson/releases/jansson-2.10.tar.gz

tar zxf jansson-2.10.tar.gz

cd jansson-2.10/

./configure --libdir=/usr/lib64

make

make install

get http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-13-current.tar.gz

tar zxf asterisk-13-current.tar.gz

cd asterisk-13.16.0/

./configure --libdir=/usr/lib64

make menuselect

(if mp3 is selected) contrib/scripts/get_mp3_source.sh

make

make install

make config

May 21

Squid, Kerberos и SquidGuard

By kadmin | AD, CentOS, Kadmin, SQUID | No Comments

После включения Centos в домен, (use_fully_qualified_names = True) или до… поставим Squid c авторизацией в AD и парсер блэклистов SquidGuard.

yum install squid squidGuard

1	yum install squid squidGuard

Запускаем Squid:

systemctl enable squid
systemctl start squid

1 2	systemctl enable squid systemctl start squid

Проверяем ходит ли браузер в Инет через прокси.
Смотрим в tail -f /var/log/squid/access.log

Для аутентификации пользователей через AD создадим пользователя proxy и кейтаб для него proxy.keytab на контроллере домена:

ktpass -princ HTTP/proxy.domain.ru@DOMAIN.RU -mapuser squid -pass паролик -ptype KRB5_NT_SRV_HST -out proxy.keytab

Successfully mapped HTTP/proxy.domain.ru to squid.

ktpass -princ HTTP/proxy.domain.ru@DOMAIN.RU -mapuser squid -pass паролик -ptype KRB5_NT_SRV_HST -out proxy.keytab

Successfully mapped HTTP/proxy.domain.ru to squid.

Копируем proxy.keytab на proxy.domian.ru, chown squid. proxy.keytab, и прописываем в /etc/sysconfig/squid

KRB5_KTNAME=/etc/proxy.keytab
export KRB5_KTNAME

1 2	KRB5_KTNAME=/etc/proxy.keytab export KRB5_KTNAME

Проверка:

kinit -V -k -t /etc/proxy.keytab HTTP/proxy.domain.ru@DOMAIN.RU

1	kinit -V -k -t /etc/proxy.keytab HTTP/proxy.domain.ru@DOMAIN.RU

Добавляем в /etc/squid/squid.conf

auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -r -s HTTP/proxy.domain.ru@DOMAIN.RU
auth_param negotiate children 300 startup=20 idle=10
auth_param negotiate keep_alive on

acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
acl auth proxy_auth REQUIRED

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access deny !localnet
http_access allow auth
http_access deny all

http_port 3128
coredump_dir /var/spool/squid

cache_mem 3000 MB
maximum_object_size_in_memory 4 MB
cache_mgr info@domain.ru

url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf

auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -r -s HTTP/proxy.domain.ru@DOMAIN.RU

auth_param negotiate children 300 startup=20 idle=10

auth_param negotiate keep_alive on

acl localnet src 192.168.0.0/16

acl SSL_ports port 443

acl Safe_ports port 80

acl Safe_ports port 443

acl CONNECT method CONNECT

acl auth proxy_auth REQUIRED

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localhost manager

http_access deny manager

http_access deny to_localhost

http_access deny !localnet

http_access allow auth

http_access deny all

http_port 3128

coredump_dir /var/spool/squid

cache_mem 3000 MB

maximum_object_size_in_memory 4 MB

cache_mgr info@domain.ru

url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf

Или просто после INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS в /etc/squid/squid.conf добавляем:

acl auth proxy_auth REQUIRED
http_access allow auth

1 2	acl auth proxy_auth REQUIRED http_access allow auth

Проверяем ходит ли браузер в Инет через прокси с аутентификацией.
Смотрим в tail -f /var/log/squid/cache.log

Редактируем /etc/squid/squidGuard.conf

dbhome /etc/squid/blacklists
logdir /var/log/squidGuard
src lan {
        ip              192.168.0.0/16
}
dest adv {
        domainlist      adv/domains
        urllist         adv/urls
}
dest spyware {
        domainlist      spyware/domains
        urllist         spyware/urls
}
dest porn {
        domainlist      porn/domains
        urllist         porn/urls
        #expressionlist porn/expressions
}
dest redirector {
        domainlist      redirector/domains
        urllist         redirector/urls
}
acl {
        default {
                pass none
                redirect http://kadmin.ru
        }
        lan {
                pass !adv !spyware !porn !redirector !shopping all
                redirect http://kadmin.ru
        }
}

dbhome /etc/squid/blacklists

logdir /var/log/squidGuard

src lan {

ip 192.168.0.0/16

}

dest adv {

domainlist adv/domains

urllist adv/urls

}

dest spyware {

domainlist spyware/domains

urllist spyware/urls

}

dest porn {

domainlist porn/domains

urllist porn/urls

#expressionlist porn/expressions

}

dest redirector {

domainlist redirector/domains

urllist redirector/urls

}

acl {

default {

pass none

redirect http://kadmin.ru

}

lan {

pass !adv !spyware !porn !redirector !shopping all

redirect http://kadmin.ru

}

В конец /etc/squid/squid.conf

url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf

1	url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf

И вот такой скрипт для обновления списков SquidGuard ./listupdate:

cd /etc/squid
rm -rf shallalist.tar.gz
wget http://www.shallalist.de/Downloads/shallalist.tar.gz
tar zxf shallalist.tar.gz
yes | cp -RT BL/ blacklists/
chown squid. -R /etc/squid/
squidGuard -C all
chown squid. -R /etc/squid/
service squid restart

cd /etc/squid

rm -rf shallalist.tar.gz

wget http://www.shallalist.de/Downloads/shallalist.tar.gz

tar zxf shallalist.tar.gz

yes | cp -RT BL/ blacklists/

chown squid. -R /etc/squid/

squidGuard -C all

chown squid. -R /etc/squid/

service squid restart

mkdir /etc/squid/BL
chmod +x /etc/squid/listupdate
и crontab -e обновляем каждый день:

30 0 * * * /etc/squid/listupdate

1	30 0 * * * /etc/squid/listupdate

Запускаем:

./listupdate

1	./listupdate

Или без обновления:

chown squid. -R /etc/squid/ &amp;&amp; squidGuard -C all &amp;&amp; chown squid. -R /etc/squid/ &amp;&amp; service squid restart

1	chown squid. -R /etc/squid/ && squidGuard -C all && chown squid. -R /etc/squid/ && service squid restart

Смотрим в tail -f /var/log/squidGuard/squidGuard.log

Синхронизация времени с контроллером

yum install ntp ntpdate
rm -rf /etc/localtime
ln -s /usr/share/zoneinfo/Europe/Moscow /etc/localtime
service ntpd stop
ntpdate 192.168.123.222
ntpdate -bs 192.168.123.222
ntpdate 192.168.123.222
service ntpd star

yum install ntp ntpdate

rm -rf /etc/localtime

ln -s /usr/share/zoneinfo/Europe/Moscow /etc/localtime

service ntpd stop

ntpdate 192.168.123.222

ntpdate -bs 192.168.123.222

ntpdate 192.168.123.222

service ntpd star

Вот и все, теперь хотелось бы добавить фильтрацию для отдельных пользователей но при добавлении

src googusers {
user admin badadmin
}

src googusers {

user admin badadmin

}

squidGuard из epel падает с сегфолтом:
https://bugzilla.redhat.com/show_bug.cgi?id=1253662

21st century schizoid admin