CGP Prerequisites


1. DNS settings

@         IN  MX   10 mail
@         IN  TXT     "v=spf1 ip4:172.16.162.57 a:mail.ourdom.com mx -all"

mail      IN  A       172.16.162.57

mx        IN  CNAME   mail
cgpro     IN  CNAME   mail
smtp      IN  CNAME   mail
imap      IN  CNAME   mail
pop       IN  CNAME   mail
mailhub   IN  CNAME   vpn
mailhost  IN  CNAME   vpn
smarthost IN  CNAME   vpn

1. The mail record is an A record because the target of an MX record must not be a CNAME; resolvers and MTAs do not tolerate it.

2. Every hostname that may be used over SSL should be an alias (CNAME) of mail.ourdom.com, because the certificate is issued for that name.

3. About TXT records and SPF, read here and here.
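As an added check that is not part of the original page: the script below parses the zone snippet above and verifies the three notes mechanically (the MX target is a plain A record, the SSL-facing names alias mail, and the SPF ip4 mechanism agrees with the A record of mail). The zone text and the list of SSL names are constructed from this page; mailhost and smarthost are omitted for brevity.

```python
import re

# Zone snippet constructed from the page's example above (mailhost/smarthost omitted).
ZONE = """\
@         IN  MX   10 mail
@         IN  TXT     "v=spf1 ip4:172.16.162.57 a:mail.ourdom.com mx -all"
mail      IN  A       172.16.162.57
mx        IN  CNAME   mail
cgpro     IN  CNAME   mail
smtp      IN  CNAME   mail
imap      IN  CNAME   mail
pop       IN  CNAME   mail
mailhub   IN  CNAME   vpn
"""

def parse_zone(text):
    """Map owner name -> list of (type, rdata) for a minimal zone file."""
    records = {}
    for line in text.splitlines():
        m = re.match(r'(\S+)\s+IN\s+(\S+)\s+(.*)$', line.strip())
        if m:
            records.setdefault(m.group(1), []).append((m.group(2), m.group(3).strip()))
    return records

def check_zone(records, cert_name="mail", ssl_names=("cgpro", "smtp", "imap", "pop")):
    """Return a list of prerequisite violations; an empty list means all hold."""
    problems = []
    # Note 1: every MX target must be an A record, never a CNAME (RFC 2181 s.10.3)
    for t, rdata in records.get("@", []):
        if t == "MX":
            target = rdata.split()[1]
            types = {rt for rt, _ in records.get(target, [])}
            if "A" not in types or "CNAME" in types:
                problems.append(f"MX target {target} is not a plain A record")
    # Note 2: names offered over SSL must alias the name on the certificate
    for name in ssl_names:
        if ("CNAME", cert_name) not in records.get(name, []):
            problems.append(f"{name} does not alias {cert_name}")
    # Note 3: the SPF ip4 mechanism must agree with the A record of the mail host
    mail_addrs = {rdata for t, rdata in records.get(cert_name, []) if t == "A"}
    for t, rdata in records.get("@", []):
        if t == "TXT" and rdata.strip('"').startswith("v=spf1"):
            ip4s = set(re.findall(r'ip4:(\S+)', rdata))
            if not ip4s & mail_addrs:
                problems.append(f"SPF ip4 {sorted(ip4s)} != A of {cert_name} {sorted(mail_addrs)}")
    return problems

if __name__ == "__main__":
    print(check_zone(parse_zone(ZONE)) or "all prerequisites hold")
```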

2. Web Server Proxying

<VirtualHost *:443>
DocumentRoot "/var/www/html"
ServerName cgpro.ourdom.com:443
SSLEngine on
# Legacy Apache default string: it still admits LOW, EXP and SSLv2 ciphers,
# which should be removed on any deployment that no longer needs them.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile /etc/pki/web/ourdom-web.crt
SSLCertificateKeyFile /etc/pki/web/private/ourdom-web.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
# Reverse proxying only: "ProxyRequests On" enables forward proxying and
# would turn this host into an open proxy. ProxyPass works with it Off.
ProxyRequests Off
SSLProxyEngine on
# Backend is CommuniGate Pro's own HTTPS listener on localhost:9010.
ProxyPass           /   https://localhost:9010/  keepalive=On
ProxyPassReverse    /   https://localhost:9010/
</VirtualHost>

3. IP tables

Open ports 25 (SMTP), 465 (SMTPS), 993 (IMAPS), 995 (POP3S), 5636 (CGP LDAPS):

-A FWL -m state --state NEW -p tcp -m multiport --dports 25,465,993,995,5636 ! -o tun+ -j ACCEPT

The negation is written before the option (! -o tun+); the older intrapositioned form (-o ! tun+) is deprecated and rejected by current iptables.

4. Kernel tuning

Add this to /etc/sysctl.conf:

# -------- tune kernel for communigate --------
# max open files
fs.file-max = 131072
# kernel threads
kernel.threads-max = 131072
# socket buffers
net.core.wmem_default = 65536
net.core.wmem_max = 1048576
net.core.rmem_default = 65536
net.core.rmem_max = 1048576
# netdev backlog
net.core.netdev_max_backlog = 4096
# socket buckets
net.ipv4.tcp_max_tw_buckets = 131072
# port range
net.ipv4.ip_local_port_range = 16384 65535
