
elbarna's questions

elbarna
Asked: 2023-07-02 08:33:51 +0800 CST

What is wrong with my nagios kdc configuration?

  • 5

I want to set up a service to check the kdc with nagios. On my kdc (samba4) I create the user with this script

#!/bin/bash

USER=nagioskerberos
DOMAIN=myhost.priv
SERVICE=nagioskerberos
FQDN=nagios1.myhost.priv

samba-tool user delete $USER
samba-tool user create $USER --random-password
samba-tool user setexpiry $USER --noexpiry
net ads enctypes set $USER 16
samba-tool spn add $SERVICE/$FQDN $USER
samba-tool domain exportkeytab $USER.keytab --principal=$SERVICE/$FQDN

Then I copy the keytab onto the nagios server and restart the service

scp nagioskerberos.keytab nagios1:
ssh nagios1
systemctl restart nagios

Permissions are fine

ls -lhd /etc/nagios/nagios.*tab
-rw------- 1 nagios nagios 101 Jul  2 02:25 /etc/nagios/nagios.keytab

The key looks ok too

klist -ke /etc/nagios/nagios.keytab 
Keytab name: FILE:/etc/nagios/nagios.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nagioskerberos/[email protected] (aes256-cts-hmac-sha1-96) 

But when I try the check...

./check_kdc -k /etc/nagios/nagios.keytab  -p nagioskerberos/[email protected] -H samba4 -P 88
CRITICAL Getting Kerberos ticket: kinit: Client 'nagioskerberos/[email protected]' not found in Kerberos database while getting initial credentials (credentials for nagioskerberos/[email protected] from /etc/nagios/nagios.keytab)

Why?

This is the krb5.conf of both the samba4 server and the nagios server

[libdefaults]
    default_realm = MYHOST.PRIV
    dns_lookup_realm = true
    dns_lookup_kdc = true
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_encryptes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
nagios
  • 1 answer
  • 15 views
elbarna
Asked: 2021-08-21 14:58:17 +0800 CST

OpenVPN from Debian 10 to 11 stopped routing all my packets

  • 0

I upgraded from Debian 10 to 11. With Debian 10 openvpn worked fine; now I have this problem: I can reach my vpn server, but I cannot ping or reach my remote LAN, except for the vpn server. This is the firewall configuration on the remote side

iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 2991
ACCEPT     udp  --  anywhere             anywhere             multiport dports 2991
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt
ACCEPT     tcp  --  192.168.0.0/24       anywhere             tcp dpt:cisco-sccp
ACCEPT     tcp  --  192.168.0.0/24       anywhere             tcp dpt:2004
ACCEPT     tcp  --  192.168.0.0/24       anywhere             tcp dpt:3000
ACCEPT     tcp  --  192.168.0.0/24       anywhere             tcp dpt:37890
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:2124
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5861
ACCEPT     tcp  --  192.168.0.0/24       anywhere             tcp dpt:telnet
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:5900:5910
ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     all  --  anywhere             anywhere            
LOGGING    all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
NFLOG      all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request

Chain LOGGING (1 references)
target     prot opt source               destination         
NFLOG      all  --  anywhere             anywhere             nflog-prefix  "[iptables-drop]:" nflog-group 11
DROP       all  --  anywhere             anywhere            
root@vpn:/etc/openvpn# 

This is the OpenVPN configuration on the remote side

port 2991
proto tcp
dev tun
ca /etc/openvpn/certs/keys/ca.crt
cert /etc/openvpn/certs/keys/vpn.******.priv.crt
key /etc/openvpn/certs/keys/vpn.******.priv.key
dh /etc/openvpn/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "route 192.168.0.0 255.255.255.0"
client-to-client
keepalive 10 120
tls-auth /etc/openvpn/certs/keys/ta.key 0
data-ciphers-fallback AES-256-CBC
user openvpn
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 7
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
auth-nocache

This is the client openvpn configuration (the firewall is the same as on the remote side, so I avoid posting it)

client
dev tun
proto tcp
remote ****** 2991
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
cert /etc/openvpn/certs/keys/vpn.******.priv.crt
key /etc/openvpn/certs/keys/vpn.******.priv.key
dh /etc/openvpn/dh2048.pem
remote-cert-tls server
tls-auth /etc/openvpn/certs/ta.key 1
data-ciphers-fallback AES-256-CBC
auth SHA512
auth-nocache
topology subnet
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
verb 7

The only error I found on the server is this..

ago 21 00:56:23 vpn ovpn-server[3791]: ******/*****:24545 GET INST BY VIRT: 192.168.0.12 [failed]

192.168.0.12 is the openvpn server ip and I can reach it, but every ip in the lan 192.168.0.02/24 is blocked (no ping, no ssh, nothing).

For example..

$ ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
^C
--- 192.168.0.1 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5133ms

$ ping 192.168.0.12
PING 192.168.0.12 (192.168.0.12) 56(84) bytes of data.
64 bytes from 192.168.0.12: icmp_seq=1 ttl=64 time=166 ms
64 bytes from 192.168.0.12: icmp_seq=2 ttl=64 time=164 ms
64 bytes from 192.168.0.12: icmp_seq=3 ttl=64 time=84.9 ms
^C
--- 192.168.0.12 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 84.924/138.389/166.113/37.814 ms
vpn openvpn
  • 1 answer
  • 381 views
elbarna
Asked: 2021-04-13 00:05:22 +0800 CST

Nginx with virtual sites: every rewrite and every return only gives the error "redirect loop error"

  • 1

I have an nginx web server with 3 virtual sites (including the main real site). Using plain http works fine, and using https (without redirect) works fine. I want to redirect all http requests to https, even for the containers (aka virtual hosts). But every client (firefox, links) gives a 301 redirect loop error.

This is my configuration

nginx.conf

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
    worker_connections 768;
}
http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    server_tokens off; 
    more_clear_headers Server;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    ssl_prefer_server_ciphers on;
    ssl_certificate /etc/ssl/certs/http2.mysite.priv.crt;
    ssl_certificate_key /etc/ssl/private/http2.mysite.priv.key;
    access_log /var/log/nginx/access.log ;
    error_log /var/log/nginx/error.log debug;
    gzip on;
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

Default site

server {
    listen 80 default_server;
    listen 443 ssl ;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name http2.mysite.priv;
    location / {
        try_files $uri $uri/ =404;
    }
}

First container/virtual host

server {
    listen 80; 
    listen [::]:80 ;
    listen 443 ssl;
    root /var/www/html/virtual1.mysite.priv;
    index index.html index.htm index.nginx-debian.html;
    server_name virtual1.mysite.priv;
    rewrite ^(.*) https://virtual1.mysite.priv$1 permanent;
    location / {
        try_files $uri $uri/ =404;
    }
    
    location /images {
        autoindex on;
    }
}

I also tried the "return" method instead of rewrite, but it gave me the same result.

return 301 https://$host$request_uri;

What am I missing?

nginx
  • 1 answer
  • 25 views
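The posted virtual1 block listens on both port 80 and port 443 and applies the rewrite to every request it receives, so an HTTPS request is answered with a 301 to the same HTTPS URL, which is the loop the clients report. The usual layout is one redirect-only block on port 80 and one serving block on port 443; the following is an added example rather than the poster's configuration, and assumes the certificate directives inherited from the http context stay as posted:

```nginx
# Port 80 for this host name: redirect only, serve nothing.
server {
    listen 80;
    listen [::]:80;
    server_name virtual1.mysite.priv;
    # $host keeps the name the client asked for; $request_uri keeps path and query.
    return 301 https://$host$request_uri;
}

# Port 443 for this host name: serve only, no rewrite or return here,
# otherwise the HTTPS request would be redirected to itself again.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name virtual1.mysite.priv;
    root /var/www/html/virtual1.mysite.priv;
    index index.html index.htm index.nginx-debian.html;

    location / {
        try_files $uri $uri/ =404;
    }

    location /images {
        autoindex on;
    }
}
```

Check the result from the shell with `curl -sI http://virtual1.mysite.priv/` (expect one 301 with a `Location: https://...` header) and `curl -sI https://virtual1.mysite.priv/` (expect 200, no Location header); `nginx -t` validates the syntax before a reload.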
elbarna
Asked: 2020-05-12 11:56:19 +0800 CST

Ansible: how do I get the output of a shell script command on stdout?

  • 1

I created this simple script, called date.sh, to adjust the timezone on all machines

#!/bin/sh
# Exit at first error

set -e

# Set the localtime
timedatectl set-timezone Europe/Zurich

# Check date
date

I run it with ansible

- name: Transfer and execute a script.
  hosts: all
  become_user: root
  tasks:
     - name: Transfer the script
       copy: src=date.sh dest=/tmp/date.sh mode=0700

     - name: Execute the script
       command: sh /tmp/date.sh

It works, but how do I see the output on stdout? I tried this, but it gives me an error.

- name: Transfer and execute a script.
  hosts: all
  become_user: root
  tasks:
     - name: Transfer the script
       copy: src=date.sh dest=/tmp/date.sh mode=0700

     - name: Execute the script
       command: sh /tmp/date.sh

  debug:
    msg: "{{ test.stdout.split('\n') }}"
ansible
  • 1 answer
  • 13774 views
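In the posted attempt the debug task sits at play level instead of inside tasks, and no task registers a variable called test, so the template has nothing to read. Registering the command result and printing it from a task inside the same list is the standard pattern; this is an added example, not the poster's playbook, and the variable name date_out is arbitrary:

```yaml
- name: Transfer and execute a script, then show its output
  hosts: all
  # become_user only selects the target user; become must be enabled for
  # timedatectl to run as root on the remote hosts.
  become: true
  become_user: root
  tasks:
    - name: Transfer the script
      copy:
        src: date.sh
        dest: /tmp/date.sh
        mode: "0700"

    - name: Execute the script
      command: sh /tmp/date.sh
      # Capture rc, stdout, stderr and stdout_lines of this task.
      register: date_out
      # The script changes the timezone every run, so report it as changed.
      changed_when: true

    - name: Show the script output line by line
      debug:
        msg: "{{ date_out.stdout_lines }}"

    - name: Fail loudly if the script printed to stderr
      fail:
        msg: "date.sh wrote to stderr: {{ date_out.stderr }}"
      when: date_out.stderr | length > 0
```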
elbarna
Asked: 2020-04-05 09:02:11 +0800 CST

About a mail server and an imap HA active/active cluster

  • 0

I have set up a mail server, for testing. My goal is to have an HA mail server with imaps: when a client connects to the virtual ip it is redirected to two real servers, and if one real server crashes the other real server "accepts" the connection. I have set up a cluster with two keepalived/haproxy lb and two real servers with postfix and dovecot. The two lb are Debian, the mail servers are Fedora 31. This is my configuration on the two lb (load balancers)

Keepalived.conf

global_defs {
}
vrrp_instance VI_1 {
       interface nm-team
       state MASTER
       virtual_router_id 51
       priority 101                    # 101 on master, 100 on backup
       advert_int 1
       smtp_alert
authentication {
auth_type PASS
auth_pass mypass

}
}

       virtual_ipaddress {
           10.2.0.4/24 brd 10.2.0.255 dev nm-team
}

 virtual_server 10.2.0.4 25 {
   delay_loop 30
   lb_algo rr
   lb_kind DR
   protocol TCP
   persistence_timeout 360

   real_server 10.2.0.5 25 {
   weight 1
       TCP_CHECK {
               connect_timeout 10
       connect_port 25
       delay_before_retry 3
       }
   }
   real_server 10.2.0.6 25 {
       weight 1
       TCP_CHECK {
               connect_timeout 10
       connect_port 25
       delay_before_retry 3
       }
   }
}

virtual_server 10.2.0.4 993 {
delay_loop 30
lb_algo rr
lb_kind DR
protocol TCP
persistence_timeout 360

real_server 10.2.0.5 993 {
weight 1
    TCP_CHECK {
            connect_timeout 10
    connect_port 993
    nb_get_retry 3
    delay_before_retry 3
    }
}
real_server 10.2.0.6 993 {
    weight 1
    TCP_CHECK {
            connect_timeout 10
    connect_port 993
    nb_get_retry 3
    delay_before_retry 3
    }
}
}

haproxy.cfg

global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode    tcp

#postfix
listen smtp
bind mail.mydomain.priv:25
balance roundrobin
timeout client 30s
timeout connect 10s
timeout server 1m
no option http-server-close
mode tcp
option smtpchk
option tcplog
server mail1 mail1.mydomain.priv:25 send-proxy
server mail2 mail2.mydomain.priv:25 send-proxy

#dovecot
listen imap
bind mail.mydomain.priv:993
timeout client 30s
timeout connect 10s
timeout server 1m
no option http-server-close
balance leastconn
stick store-request src
stick-table type ip size 200k expire 30m
mode tcp
option tcplog
server mail1 mail1.mydomain.priv:993 send-proxy
server mail2 mail2.mydomain.priv:993 send-proxy

As you can see, mail.domain.priv is the "virtual" server bound to the virtual ip 10.2.0.4 (created by keepalived), and the real servers are 10.2.0.5 and 10.2.0.6. The virtual ip 10.2.0.4 is an alias of the lo interface; I created it on the lb with these lines

ip addr add 10.2.0.4/32 dev lo label lo:0

On the real servers

echo 1 >/proc/sys/net/ipv4/conf/all/arp_ignore
echo 2 >/proc/sys/net/ipv4/conf/all/arp_announce
ip addr add 10.2.0.4/32 dev lo label lo:0

I skip posting the dovecot/postfix configuration since it is too long, but I have tested it and it works fine, both as a single server and using the 10.2.0.4 virtual ip. Of course the real servers share /var/vmail/mydomain using glusterfs (I know it is slow, but it is only for testing). I have connected a client and I can receive emails using dovecot and send emails with postfix, using imaps and smtp with starttls, without any problem. So, what is the problem? I tested the cluster by shutting down a real server while a client (Thunderbird) was open, and the client "freezes", as if the cluster did not exist, and cannot read emails. If I kill the client or restart it, it reconnects to the 10.2.0.4 virtual ip (mail.mydomain.priv) without any problem. What is wrong? Is it possible to create an active/active HA cluster using keepalived and haproxy?

cluster email-server
  • 1 answer
  • 496 views
elbarna
Asked: 2017-10-13 04:31:54 +0800 CST

Compressed tape set.. but at 2.27TB.. out of space

  • 4

I inserted an LTO6 tape

tapeinfo -f /dev/st0
Product Type: Tape Drive
Vendor ID: 'QUANTUM '
Product ID: 'ULTRIUM 6       '
Revision: '4142'
Attached Changer API: No
SerialNumber: 'HU1322VW9U'
MinBlock: 1
MaxBlock: 16777215
SCSI ID: 0
SCSI LUN: 0
Ready: yes
BufferedMode: yes
Medium Type: Not Loaded
Density Code: 0x5a
BlockSize: 0
DataCompEnabled: yes
DataCompCapable: yes
DataDeCompEnabled: yes
CompType: 0x1
DeCompType: 0x1
BOP: yes
Block Position: 0
ActivePartition: 0
EarlyWarningSize: 0
NumPartitions: 0
MaxPartitions: 3

But when the backup reaches 2.27TB (6TB for a compressed tape) it exits with an error, because the tape is not compressed

2,27TiB 8:39:36 [75,6MiB/s] [                                                                        <=>                             ]
pv: write failed: Spazio esaurito sul device
error writing output file

I use tar for the backup, on slackware 14.2

tar cMpf - -X /etc/file.exclude  /| openssl enc -e -aes256 -salt -pass file:filepass |(pv -p --timer --rate --bytes > /dev/st0)
backup
  • 3 answers
  • 1865 views
elbarna
Asked: 2016-10-28 14:03:31 +0800 CST

fail2ban and ssh not working

  • 1

I configured ssh only on port 2122 and with pubkey. I am secure, but I want more: to ban the lamers trying to brute-force the authentication.

My fail2ban configuration

jail.local

[INCLUDES]
before = paths-slackware.conf
[DEFAULT]
ignoreip = 127.0.0.1/8
ignorecommand =
bantime  = 10800
findtime  = 600
maxretry = 3
backend = auto
usedns = warn
logencoding = auto
enabled = true
filter = %(__name__)s
destemail = root@localhost
sender = root@localhost
mta = mail
protocol = tcp
chain = INPUT
port = 0:65535
fail2ban_agent = Fail2Ban/%(fail2ban_version)s
banaction = iptables-multiport
banaction_allports = iptables-allports
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
                %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action_blocklist_de  = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
action = %(action_)s
[ssh]
enabled  = true
port     = 22
filter   = sshd
logpath  = /var/log/messages
maxretry = 3
findtime = 10800
bantime = 21600
[apache]
enabled  = true
port     = http,https
filter   = apache-auth
logpath  = /var/chroothttp/var/log/httpd/error_log
maxretry = 3
findtime = 10800
bantime = 21600

Apache works great, I tried some wrong logins and it banned the ip, but ssh tries and retries.. no ban!

ssh fail2ban
  • 3 answers
  • 985 views
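In the posted jail the ssh section says port = 22 while sshd listens on 2122. The sshd filter matches log lines regardless of the port, but the iptables-multiport ban action only blocks the ports listed in the jail, so a ban written for port 22 leaves 2122 open. A jail section for the port actually in use, as an added example and not the poster's file:

```ini
[ssh]
enabled  = true
# Must be the port sshd really listens on: this value is what the
# iptables-multiport action puts in the rule, the filter does not use it.
port     = 2122
filter   = sshd
logpath  = /var/log/messages
maxretry = 3
findtime = 10800
bantime  = 21600
```

Before relying on it, confirm the filter recognises the log format with `fail2ban-regex /var/log/messages sshd` (it reports how many lines matched), then watch `fail2ban-client status ssh` and `iptables -L f2b-ssh -n` after a few failed logins.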
elbarna
Asked: 2016-03-05 11:50:06 +0800 CST

Metasploit: module database cache not built yet, using slow search

  • 8

Fresh metasploit (latest stable) on kalilinux 2016

systemctl start postgresql OK

In msfconsole

msf > db_status 
[*] postgresql connected to msf

When I launch a search

msf > search samba
[!] Module database cache not built yet, using slow search

So I rebuild the cache...

msf > db_rebuild_cache

When I launch a search again

msf > search samba
[!] Module database cache not built yet, using slow search

Strange! How do I solve this?

linux
  • 2 answers
  • 50915 views
elbarna
Asked: 2016-02-06 19:02:21 +0800 CST

Ldap on Centos7: why does my RootDN not work?

  • 1

On a new centos7 ldap server

I use an ldif like this

replace: olcRootDN
olcRootDN: dc=Manager,dc=mydomo,dc=mydom
-
replace: olcAccess
olcAccess: {0}to *
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
  by dn.base="cn=Manager,dc=mydomo,dc=mydom" write by * none
-
add: olcRootPW
olcRootPW: {SSHA}xXXXXXXXXXXXXXXXXXXXXXXX

Of course the hash is correct

The command is ok, but if I try a simple ldap insert..

ldapadd -x -D "dc=Manager,dc=mydomo,dc=mydom" -w mycorrectpass -f init2.ldif

it gives me

ldap_bind: Invalid credentials (49)

Why? ldap runs correctly, I can only insert users using ldapi and -Y external. ldap has the correct permissions on the dirs.

openldap
  • 1 answer
  • 273 views
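The posted LDIF sets olcRootDN to dc=Manager,dc=mydomo,dc=mydom while the ACL on the same entry grants write to cn=Manager,dc=mydomo,dc=mydom, and the manager entry is conventionally a cn. A version that uses one DN everywhere, as an added example rather than the poster's file; the target entry olcDatabase={2}hdb,cn=config is an assumption for a default CentOS 7 install and should be verified first:

```ldif
# Assumed database entry; list the real one with:
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase=*)" olcSuffix olcRootDN
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=mydomo,dc=mydom
-
replace: olcAccess
olcAccess: {0}to *
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
  by dn.base="cn=Manager,dc=mydomo,dc=mydom" write
  by * none
-
# replace instead of add: add fails with "attribute exists" when a
# password was already set by a previous attempt.
replace: olcRootPW
olcRootPW: {SSHA}PLACEHOLDER_HASH_FROM_slappasswd
```

Apply it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f rootdn.ldif`, then test the bind without touching data: `ldapwhoami -x -D "cn=Manager,dc=mydomo,dc=mydom" -W` should print `dn:cn=Manager,dc=mydomo,dc=mydom` instead of error 49.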
elbarna
Asked: 2016-01-25 10:25:25 +0800 CST

Port forwarding works on virtual machines but not on the host

  • 0

I use this iptables configuration; it simply redirects connections to 2121 to port 21 (to run ftp as a user instead of root)

  *nat
    :PREROUTING ACCEPT [200:39210]
    :INPUT ACCEPT [6:360]
    :OUTPUT ACCEPT [21:1323]
    :POSTROUTING ACCEPT [21:1323]
    -A PREROUTING -i eth0 -p tcp -m tcp --dport 2121 -j DNAT --to-destination 192.168.0.2:21
    COMMIT
    # Completed on Sun Jan 24 19:17:55 2016
    # Generated by iptables-save v1.4.20 on Sun Jan 24 19:17:55 2016
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [2996:188699]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 2121 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -p icmp -j ACCEPT
    -A FORWARD -i lo -j ACCEPT
    -A FORWARD -d 192.168.0.2/32 -i eth0 -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT
    # Completed on Sun Jan 24 19:17:55 2016

ip4 forwarding is enabled. This configuration works perfectly on two virtual machines: one slackware, one centos6, but not on my host with slackware. What can I check? I forgot: the ftp server runs in a chroot

iptables
  • 1 answer
  • 51 views
elbarna
Asked: 2015-11-10 18:00:51 +0800 CST

Procmail and Thunderbird: folder/maildir created with root as owner

  • 1

I configured a mail server (spamassassin+procmail+sendmail+dovecot). I want all spam redirected to a spam folder, so I set up /etc/procmail

DEFAULT=/var/spool/mail/$LOGNAME/new
ORGMAIL=/var/spool/mail/$LOGNAME
MAILDIR=/var/spool/mail/$LOGNAME

# deliver spam to spam folder
:0:
* ^X-Spam-Status: Yes
.Spam/

And the dovecot mailboxes

inbox = yes
  #mailbox name {
    # auto=create will automatically create this mailbox.
    # auto=subscribe will both create and subscribe to the mailbox.
    #auto = no

    # Space separated list of IMAP SPECIAL-USE attributes as specified by
    # RFC 6154: \All \Archive \Drafts \Flagged \Junk \Sent \Trash
    #special_use =
  #}

  # These mailboxes are widely used and could perhaps be created automatically:
  mailbox Drafts {
    special_use = \Drafts
    auto = create
  }
  mailbox Spam {
    special_use = \Junk
    auto = create
  }
  mailbox Trash {
    special_use = \Trash
    auto = create
  }

When I send spam to test it, the folder is not automatically created in Thunderbird, and I see that the folder (which exists on the system) has root permissions instead of the user's; and of course if I chown it, after another mail is delivered it goes back to the original permissions (root!)

dovecot
  • 2 answers
  • 595 views
