After many unsuccessful attempts to add the Zimbra server certificate permanently in Outlook, so that the annoying certificate error no longer appears every time Outlook starts, here is the procedure to export the Zimbra CA certificate in a form that Windows and browsers in general can import as a trusted root.
On Linux:
As root: openssl x509 -in /opt/zimbra/ssl/zimbra/ca/ca.pem -outform DER -out ca.der
Copy this ca.der certificate to a network share or a USB drive and follow these steps:
On Windows:
Go to Start > Run (or Windows+R) and type mmc.exe
When the console opens, choose File and then Add/Remove Snap-in
Select Certificates from the list that appears, then Computer account and Local computer, and click OK
Expand the folder Trusted Root Certification Authorities / Certificates
Right-click Certificates and choose All Tasks / Import
Note: the server certificate must list the domain names in the Subject Alternative Name, e.g. mail.yourdomain.com.br, webmail.yourdomain.com.br, etc., and the server address in the Outlook account settings must be one of those Subject Alternative Names; a name that is not in the SAN will keep producing the certificate warning even after the CA is trusted.
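As an added example (not from the original post), the following shell functions carry out the PEM-to-DER conversion above and add two checks a practitioner would want before distributing the file: that the DER copy has the same SHA-256 fingerprint as the PEM original (a truncated or wrong file is caught before it reaches any client), and that a certificate's Subject Alternative Name lists the server names configured in Outlook. The SAN check applies to the server certificate, not to the CA. The functions assume the openssl command-line tool (1.1.1 or later, for the -ext option); the certificate used when exercising them is a constructed self-signed test certificate, not Zimbra's.

```shell
#!/bin/sh
# Added example; assumes the openssl CLI (1.1.1+ for "x509 -ext").

# pem_to_der IN.pem OUT.der
# Converts exactly as the post does, then verifies that the DER file has the
# same SHA-256 fingerprint as the PEM source. Returns non-zero on any mismatch.
pem_to_der() {
    openssl x509 -in "$1" -outform DER -out "$2" || return 1
    pem_fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256)
    der_fp=$(openssl x509 -in "$2" -inform DER -noout -fingerprint -sha256)
    [ -n "$pem_fp" ] && [ "$pem_fp" = "$der_fp" ]
}

# cert_san_dns CERT.pem
# Prints the DNS names from the subjectAltName extension, one per line.
cert_san_dns() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# cert_covers_host CERT.pem HOST
# Succeeds only if HOST (case-insensitive) is one of the SAN DNS names,
# i.e. the name Outlook is configured with will validate against this cert.
cert_covers_host() {
    cert_san_dns "$1" | grep -qix "$2"
}
```

Run `pem_to_der /opt/zimbra/ssl/zimbra/ca/ca.pem ca.der` on the Zimbra host and `cert_covers_host /opt/zimbra/ssl/zimbra/server/server.crt mail.yourdomain.com.br` for each name used in Outlook; a non-zero exit from the second call means the certificate needs to be reissued with that name before the import on Windows will help.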
Create a new file at /usr/local/bin/firewall.sh:
vim /usr/local/bin/firewall.sh
Give it execute permission:
chmod a+x /usr/local/bin/firewall.sh
Add the line below to /etc/rc.local (before the final exit 0, if your rc.local has one; rc.local itself must also be executable):
vim /etc/rc.local
/usr/local/bin/firewall.sh
Copy the text below into the file you created, firewall.sh:
#!/bin/bash
# Shebang added so that /etc/rc.local can execute the file directly.
################################################################################
#################### Firewall start ############################################
################################################################################
## Site-specific values (placeholders: replace every CHANGE_ME before running) ##
EXTERNAL_IP="CHANGE_ME"     # public IP of the firewall on eth1
BLOCKED_IP="CHANGE_ME"      # source address to reject outright
NOPROXY_IP1="CHANGE_ME"     # destinations reachable without going through Squid
NOPROXY_IP2="CHANGE_ME"
SERVER_IP="CHANGE_ME"       # internal machine that receives the forwarded ports
## Flushing the existing rules #######
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -Z
## Setting the default policy (deny incoming, allow outgoing)
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
################################################################################
################# LOG external access to the internal network ##################
################################################################################
echo "Habilitando logs de entrada"
## Log SSH
iptables -t nat -A PREROUTING -i eth1 -d "$EXTERNAL_IP" -p tcp -m tcp --dport 22 -j LOG --log-prefix "ACESSO SSH "
## Log HTTP port 80
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j LOG --log-prefix "HTTP Server" --log-level 4
## Log Terminal Services access
iptables -t nat -A PREROUTING -i eth1 -d "$EXTERNAL_IP" -p tcp -m tcp --dport 3389 -j LOG --log-prefix "TS-SERVER " --log-level 4
################################################################################
######################## Protection against assorted attacks ###################
################################################################################
echo "Habilitando proteção contra ataques"
###### SYN flood protection
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
###### ICMP broadcast protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
###### IP spoofing protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
###### Assorted protection against port scanners, ping of death, DoS attacks, malformed packets, etc.
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -m limit --limit 1/s -j DROP
iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
## Chain that drops TCP packets with impossible flag combinations
iptables -N VALID_CHECK
iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL ALL -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL NONE -j DROP
## Send TCP traffic through the chain. The original script created VALID_CHECK
## but never jumped to it, so none of its rules ever took effect.
iptables -A INPUT -p tcp -j VALID_CHECK
iptables -A FORWARD -p tcp -j VALID_CHECK
## Limiting connections on port 80 #######
iptables -I INPUT -p tcp --dport 80 -i eth1 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 80 -i eth1 -m state --state NEW -m recent --update --seconds 1 --hitcount 7 -j DROP
## Unknown IPs that keep trying to get in ##
iptables -A INPUT -p tcp -s "$BLOCKED_IP" -j REJECT
################################################################################
######################### End of the anti-attack rules #########################
################################################################################
echo "Redirecionando porta 80 para o proxy"
## Prevents browsing without the proxy set in the browser ##########
## Skip redirection for the addresses below (everything the browsers access on
## port 80 is redirected to Squid except the listed destinations). Two chained
## "! -d" rules cannot express this, since the first one already matches the
## second exception, so the exceptions are accepted first and everything else
## is redirected afterwards.
iptables -t nat -A PREROUTING -i eth0 -p tcp -d "$NOPROXY_IP1" --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp -d "$NOPROXY_IP2" --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
## Prevents the use of another external proxy listening on port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3128 -j REDIRECT --to-port 8080
echo "Permitindo acesso da rede local"
## Trust the machines on the local network, eth0 (LAN)
iptables -A INPUT -i eth0 -s 192.168.0.0/255.255.255.0 -j ACCEPT
iptables -A INPUT -i eth0 -m state --state NEW -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
## Allowing external INPUT to the firewall ##
echo "Liberando portas permitidas"
## Ports ##
# SSH
iptables -A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
## RDP
iptables -A INPUT -i eth1 -p tcp -m tcp --dport 3389 -j ACCEPT
## Mail server (comment out if there is no internal mail server)
iptables -A INPUT -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp -m tcp --dport 110 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp -m tcp --dport 143 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp -m tcp --dport 993 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp -m tcp --dport 995 -j ACCEPT
## DNS ## (comment out if there is no internal DNS server)
iptables -A INPUT -i eth1 -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 53 -j ACCEPT
################################################################################
################# Forwarding to machines on the internal network ###############
################################################################################
echo "Redirecionando portas de entrada"
## RDP ##
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 3389 -j DNAT --to-destination "$SERVER_IP":3389
## Mail server (comment out if there is no internal mail server)
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 25 -j DNAT --to-destination "$SERVER_IP":25
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 110 -j DNAT --to-destination "$SERVER_IP":110
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination "$SERVER_IP":80
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 143 -j DNAT --to-destination "$SERVER_IP":143
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 993 -j DNAT --to-destination "$SERVER_IP":993
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 995 -j DNAT --to-destination "$SERVER_IP":995
################################################################################
######################### Messenger blocking ###################################
################################################################################
echo "Bloqueando Messenger"
### Messenger (per-MAC: port 1863 from these hosts is sent to the proxy) #######
iptables -t nat -A PREROUTING -i eth0 -m mac --mac-source 00:23:ae:b8:f2:ef -p tcp --dport 1863 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i eth0 -m mac --mac-source 00:0f:ea:9f:02:5a -p tcp --dport 1863 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i eth0 -m mac --mac-source 00:1a:4d:a9:21:21 -p tcp --dport 1863 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i eth0 -m mac --mac-source 00:1a:4d:a5:55:e6 -p tcp --dport 1863 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i eth0 -m mac --mac-source b8:ac:6f:61:86:f6 -p tcp --dport 1863 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i eth0 -m mac --mac-source F0:7B:CB:35:D0:9C -p tcp --dport 1863 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i eth0 -m mac --mac-source 00:08:54:69:9B:28 -p tcp --dport 1863 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i eth0 -m mac --mac-source 00:23:ae:b8:f3:2e -p tcp --dport 1863 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i eth0 -m mac --mac-source 00:23:ae:b8:f3:6c -p tcp --dport 1863 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i eth0 -m mac --mac-source 00:23:ae:b8:f3:45 -p tcp --dport 1863 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i eth0 -m mac --mac-source 00:23:ae:b8:f3:1f -p tcp --dport 1863 -j REDIRECT --to-port 8080
###################################################################
### Blocking Facebook and YouTube over HTTPS ######################
###################################################################
# Since Squid does not block HTTPS access, some people have to be blocked at the firewall.
# Note: a hostname in "-d" or "-s" is resolved only when the rule is loaded, so the
# rule covers just the addresses the name returned at that moment, not the whole site.
###################################################################
############ Facebook #############################################
###################################################################
echo "Bloqueando facebook.com"
iptables -I FORWARD -m mac --mac-source b8:ac:6f:61:86:f6 -d facebook.com -j DROP
iptables -I INPUT -s facebook.com -m mac --mac-source b8:ac:6f:61:86:f6 -j DROP
###################################################################
############ YouTube ##############################################
###################################################################
echo "Bloqueando youtube.com.br"
iptables -I FORWARD -m mac --mac-source b8:ac:6f:61:86:f6 -d youtube.com -j DROP
iptables -I INPUT -s youtube.com -m mac --mac-source b8:ac:6f:61:86:f6 -j DROP
################################################################################
################################# Inbound blocking #############################
################################################################################
echo "Fechando acesso externo"
iptables -A INPUT -i eth1 -j REJECT
## Allow ping (uncomment to re-enable ICMP echo replies) ##
#echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
################################################################################
############################ Internet sharing ##################################
################################################################################
echo "Compartilhando a Internet"
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Firewall Ativo"
################################################################################
######################################## End ###################################
################################################################################
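A script copied from a web page often arrives with typographic characters substituted by the site's editor: an en-dash (U+2013) in place of the two hyphens of a long option, which makes iptables fail with "Bad argument", and curly quotes (U+201C/U+201D) that become part of the argument instead of delimiting it. The following added example, which is not part of the original post, lints a script file for those characters and for a mis-cased "Iptables" command (which the shell reports as "command not found"), and writes a repaired copy. It uses only grep and sed; the sample file it is exercised against is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): detect and repair the characters
# that a rich-text editor substitutes into a pasted iptables script.

# UTF-8 byte sequences of the offending characters.
ENDASH=$(printf '\342\200\223')   # U+2013 en-dash, seen in place of "--"
LDQUO=$(printf '\342\200\234')    # U+201C left curly quote
RDQUO=$(printf '\342\200\235')    # U+201D right curly quote

# lint_fw_script FILE
# Prints every offending line with its number; returns 1 if any were found.
lint_fw_script() {
    rc=0
    # Typographic dash or quotes anywhere in the file.
    if LC_ALL=C grep -n -e "$ENDASH" -e "$LDQUO" -e "$RDQUO" "$1"; then
        echo "lint: typographic dash/quotes in $1 (iptables will reject them)" >&2
        rc=1
    fi
    # iptables is case-sensitive; "Iptables" is not a command.
    if grep -n -E '^[[:space:]]*Iptables' "$1"; then
        echo "lint: mis-cased 'Iptables' in $1 (command not found)" >&2
        rc=1
    fi
    # Long options need two hyphens; a single one is a common half-fix after
    # the dash was replaced by hand (" -dport" instead of " --dport").
    if grep -n -E ' -(dport|sport|state|limit|to-port|to-destination|mac-source|log-prefix|log-level|icmp-type|tcp-flags|syn|hitcount|seconds)( |=|$)' "$1"; then
        echo "lint: long option written with a single hyphen in $1" >&2
        rc=1
    fi
    return $rc
}

# fix_fw_script IN OUT
# Writes a repaired copy of IN to OUT: en-dash -> "--", curly quotes -> '"',
# and "Iptables" at the start of a command -> "iptables".
fix_fw_script() {
    LC_ALL=C sed \
        -e "s/$ENDASH/--/g" \
        -e "s/$LDQUO/\"/g" \
        -e "s/$RDQUO/\"/g" \
        -e 's/^\([[:space:]]*\)Iptables/\1iptables/' \
        "$1" > "$2"
}
```

Run `lint_fw_script /usr/local/bin/firewall.sh` before the first boot that executes rc.local; if it reports anything, `fix_fw_script firewall.sh firewall.fixed.sh`, review the diff, and lint the result again. Single-hyphen reports from the third check still need a manual look, since the pattern only covers the option names used in this listing.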