A while ago I moved a FreeBSD mail server onto an Ubuntu virtual machine and went through the painful job of configuring a mail server once more. Once it was done I wrote the whole process up as Puppet code, then rebuilt the VM to test and apply that code, and every time the screen fills with the automated configuration run I am amazed at what Puppet can do.

Configuring a mail server is troublesome because it touches so much: name service (DNS/Bind), webmail (Apache/PHP/MySQL/SquirrelMail), authentication (LDAP, Kerberos, PAM), NFS/SAN because mail usually lives on separate storage, the mail services themselves (Postfix/Dovecot), anti-spam and anti-virus (Postgrey/ClamAV/SpamAssassin), SSL, monitoring, backups and so on. Put together, that covers nearly every corner of Linux system administration, so building a secure and reliable enterprise-grade mail system is not easy and could fill a book. A personal mail server usually does not need LDAP/Kerberos/NFS/SAN/SSL, and with those stripped out it is not that complicated. Then again, does an individual need to run a mail server at all? Using the free Google Apps is far more convenient.

Preparation

A brief introduction to the packages we are going to install:
Set the hostname (do not skip this step):

```
# hostname mail.
# vi /etc/hosts
127.0.0.1 mail. localhost
```

Update the system:

```
$ sudo apt-get update
$ sudo apt-get upgrade
```

Install the required packages

Install LAMP. Postfix itself does not need Apache/PHP/MySQL, but we are going to install Postfix Admin and user management needs a database, so Apache/PHP and MySQL have to be installed:

```
$ sudo apt-get install lamp-server^
$ sudo apt-get install php-apc php5-curl php5-gd php-xml-parser php5-imap
```

Install the mail server and some tools:

```
$ sudo apt-get install mail-server^
$ sudo apt-get install postfix-mysql dovecot-mysql postgrey
$ sudo apt-get install amavis clamav clamav-daemon spamassassin
$ sudo apt-get install libnet-dns-perl pyzor razor
$ sudo apt-get install arj bzip2 cabextract cpio file gzip nomarch pax unzip zip
```

Configure Apache

Edit the Apache configuration file, then restart Apache:

```
$ sudo vi /etc/apache2/sites-available/default
...
DocumentRoot /var/www
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
...
$ sudo /etc/init.d/apache2 restart
```

Configure MySQL

Create a database named mail and set up its user and password:

```
$ mysql -uroot -p
mysql> create database mail;
mysql> grant all on mail.* to 'mail'@'localhost' identified by 'password';
```

Configure Postfix Admin

Download postfixadmin, unpack it and move it to /var/www:

```
$ wget http://downloads./project/postfixadmin/postfixadmin/postfixadmin-2.3.5/postfixadmin-2.3.5.tar.gz
$ gunzip postfixadmin-2.3.5.tar.gz
$ tar -xf postfixadmin-2.3.5.tar
$ sudo mv postfixadmin-2.3.5 /var/www/postfixadmin
$ sudo chown -R www-data:www-data /var/www/postfixadmin
```

Configure postfixadmin the way any PHP application is configured: fill in the information it needs to reach the database. The setup_password entry is filled in later:

```
$ sudo vi /var/www/postfixadmin/config.inc.php
...
$CONF['configured'] = true;
$CONF['setup_password'] = '稍后替代';
$CONF['postfix_admin_url'] = 'http://mail./postfixadmin';
$CONF['database_type'] = 'mysql';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'mail';
$CONF['database_password'] = 'password';
$CONF['database_name'] = 'mail';
$CONF['admin_email'] = 'admin@';
$CONF['encrypt'] = 'md5crypt';
...
```
Open http://mail./postfixadmin/setup.php in a browser and replace the placeholder in the `$CONF['setup_password'] = '稍后替代'` line above ('稍后替代' means "replace later") with the hashed password string the setup page produces. For safety it is best to block web access to setup.php afterwards:

```
$ sudo vi /var/www/postfixadmin/.htaccess
```

Configure Dovecot

Add a vmail account to the system:

```
$ sudo useradd -r -u 150 -g mail -d /var/vmail -s /sbin/nologin -c "Virtual Mail" vmail
$ sudo mkdir /var/vmail
$ sudo chmod 770 /var/vmail
$ sudo chown vmail:mail /var/vmail
```

Now configure Dovecot. Dovecot supports several authentication methods; here we use database authentication. Note that the configuration files below include one another, which looks messy at first: 10-auth.conf contains the line `!include auth-sql.conf.ext`, which pulls in /etc/dovecot/conf.d/auth-sql.conf.ext, and auth-sql.conf.ext in turn includes the /etc/dovecot/dovecot-sql.conf.ext discussed below. Switching to a different authentication method is then just a matter of changing the include; it looks complicated at first but is quite convenient once you are used to it.

```
$ sudo vi /etc/dovecot/conf.d/10-auth.conf
disable_plaintext_auth = yes
auth_mechanisms = plain login
!include auth-sql.conf.ext
```

Set the database parameters so that Dovecot can reach the mail database created earlier:

```
$ sudo vi /etc/dovecot/dovecot-sql.conf.ext
...
driver = mysql
connect = host=localhost dbname=mail user=mail password=password
default_pass_scheme = MD5-CRYPT
...
password_query = SELECT username as user, password, '/var/vmail/%d/%n' as userdb_home, 'maildir:/var/vmail/%d/%n' as userdb_mail, 150 as userdb_uid, 8 as userdb_gid FROM mailbox WHERE username = '%u' AND active = '1'
user_query = SELECT '/var/vmail/%d/%n' as home, 'maildir:/var/vmail/%d/%n' as mail, 150 AS uid, 8 AS gid, concat('dirsize:storage=', quota) AS quota FROM mailbox WHERE username = '%u' AND active = '1'
...
```

Where on the server is each user's mail kept? We have to tell Dovecot the mail location, /var/vmail, the directory created above together with the vmail account:

```
$ sudo vi /etc/dovecot/conf.d/10-mail.conf
...
mail_location = maildir:/var/vmail/%d/%n
mail_uid = vmail
mail_gid = mail
...
```

Edit /etc/dovecot/conf.d/10-master.conf:

```
$ sudo vi /etc/dovecot/conf.d/10-master.conf
...
service auth {
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
    group = mail
  }
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
...
```
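To see what the password_query above actually hands back to Dovecot, here is an added example (not code from the original post, Dovecot or Postfix Admin) that runs that query against a constructed stand-in for Postfix Admin's mailbox table. It assumes SQLite in place of MySQL and only the columns the query touches; it shows how %u, %n and %d expand into the maildir path and the WHERE clause, that a mailbox with active = 0 returns no row and so cannot log in, and why the SQL driver's escaping of those variables matters.

```python
import sqlite3

# password_query exactly as set in dovecot-sql.conf.ext on this page.
PASSWORD_QUERY = (
    "SELECT username as user, password, '/var/vmail/%d/%n' as userdb_home, "
    "'maildir:/var/vmail/%d/%n' as userdb_mail, 150 as userdb_uid, 8 as userdb_gid "
    "FROM mailbox WHERE username = '%u' AND active = '1'"
)


def expand(query, login, escape=True):
    """Expand Dovecot's %u (full login), %n (local part) and %d (domain).
    Dovecot's SQL driver escapes each value before splicing it into the query;
    escape=False shows what a hand-rolled lookup without that step would build."""
    local, _, domain = login.partition("@")
    esc = (lambda s: s.replace("'", "''")) if escape else (lambda s: s)
    return (query.replace("%u", esc(login))
                 .replace("%n", esc(local))
                 .replace("%d", esc(domain)))


def sample_mailbox_table():
    """Constructed stand-in for Postfix Admin's mailbox table: only the columns
    the query touches, in SQLite instead of MySQL, with placeholder hashes."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute("CREATE TABLE mailbox (username TEXT, password TEXT, active INTEGER)")
    db.executemany("INSERT INTO mailbox VALUES (?, ?, ?)", [
        ("test1@example.test", "$1$PLACEHOLDER$notarealhash1", 1),
        ("test2@example.test", "$1$PLACEHOLDER$notarealhash2", 0),  # deactivated in Postfix Admin
    ])
    return db


def passdb_lookup(db, login, escape=True):
    """Row Dovecot's passdb would receive for this login, or None when the
    query matches nothing (the login is refused before any password check)."""
    row = db.execute(expand(PASSWORD_QUERY, login, escape)).fetchone()
    return {k: row[k] for k in row.keys()} if row else None


if __name__ == "__main__":
    db = sample_mailbox_table()
    print(passdb_lookup(db, "test1@example.test"))         # active row, home /var/vmail/example.test/test1
    print(passdb_lookup(db, "test2@example.test"))         # active = 0 -> None
    print(passdb_lookup(db, "x@example.test' OR '1'='1"))  # escaped -> None
```

Postfix Admin's `$CONF['encrypt'] = 'md5crypt'` and Dovecot's `default_pass_scheme = MD5-CRYPT` name the same $1$ hash format; if the two disagree the row still comes back but every password comparison fails.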
Make sure dovecot is allowed to read its configuration files:

```
$ sudo chown -R vmail:dovecot /etc/dovecot
$ sudo chmod -R o-rwx /etc/dovecot
```

Configure Amavis, ClamAV and SpamAssassin

Add the clamav and amavis users to each other's groups so that they can access each other's files, and configure the content filter mode:

```
$ sudo adduser clamav amavis
$ sudo adduser amavis clamav
$ sudo vi /etc/amavis/conf.d/15-content_filter_mode
use strict;
@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
1;  # ensure a defined return
```

Enable spamassassin:

```
$ sudo vi /etc/default/spamassassin
...
ENABLED=1
CRON=1
...
```

Configure Postfix

main.cf is Postfix's main configuration file:

```
$ sudo vi /etc/postfix/main.cf
...
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
myhostname = mail.
myorigin = /etc/hostname
mydestination = mail., localhost
mynetworks = 127.0.0.0/8
inet_interfaces = all
mynetworks_style = host
virtual_mailbox_base = /var/vmail/
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf, mysql:/etc/postfix/mysql_virtual_alias_domainaliases_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
mail_spool_directory = /var/mail
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
content_filter = amavis:[127.0.0.1]:10024
header_checks = regexp:/etc/postfix/header_checks
...
```

Note the line `header_checks = regexp:/etc/postfix/header_checks` above. We do not have a header_checks file yet, so create one with the following content; it gives our mail a little more privacy by filtering out some information:

```
$ sudo vi /etc/postfix/header_checks
/^Received:/ IGNORE
/^User-Agent:/ IGNORE
/^X-Mailer:/ IGNORE
/^X-Originating-IP:/ IGNORE
/^x-cr-[a-z]*:/ IGNORE
/^Thread-Index:/ IGNORE
```

master.cf needs configuring as well:

```
$ sudo vi /etc/postfix/master.cf
...
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
  -o smtpd_sasl_security_options=noanonymous,noplaintext
  -o smtpd_sasl_tls_security_options=noanonymous
amavis    unix  -       -       -       -       2       smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20
127.0.0.1:10025 inet n  -       -       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:mail argv=/usr/lib/dovecot/dovecot-lda -d $(recipient)
```

A few more files have to be created:

```
$ sudo vi /etc/postfix/mysql_virtual_alias_domainaliases_maps.cf
user = mail
password = password
hosts = 127.0.0.1
dbname = mail
query = SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' AND alias.address=concat('%u', '@', alias_domain.target_domain) AND alias.active = 1

$ sudo vi /etc/postfix/mysql_virtual_alias_maps.cf
user = mail
password = password
hosts = 127.0.0.1
dbname = mail
table = alias
select_field = goto
where_field = address
additional_conditions = and active = '1'

$ sudo vi /etc/postfix/mysql_virtual_domains_maps.cf
user = mail
password = password
hosts = 127.0.0.1
dbname = mail
table = domain
select_field = domain
where_field = domain
additional_conditions = and backupmx = '0' and active = '1'

$ sudo vi /etc/postfix/mysql_virtual_mailbox_domainaliases_maps.cf
user = mail
password = password
hosts = 127.0.0.1
dbname = mail
query = SELECT maildir FROM mailbox, alias_domain WHERE alias_domain.alias_domain = '%d' AND mailbox.username=concat('%u', '@', alias_domain.target_domain ) AND mailbox.active = 1

$ sudo vi /etc/postfix/mysql_virtual_mailbox_maps.cf
user = mail
password = password
hosts = 127.0.0.1
dbname = mail
table = mailbox
select_field = CONCAT(domain, '/', local_part)
where_field = username
additional_conditions = and active = '1'
```

That is it. Restart the services involved:

```
$ sudo service spamassassin restart
$ sudo service clamav-daemon restart
$ sudo service amavis restart
$ sudo service dovecot restart
$ sudo service postfix restart
```

Test Postfix

Connect to port 25 (SMTP) of the mail server with telnet and send the `HELO mail.` command; the server answers with a `250 mail.` confirmation:

```
$ telnet mail2. 25
Trying 192.168.2.66...
Connected to mail..
Escape character is '^]'.
220 mail. ESMTP Postfix (Ubuntu)
HELO mail.
250 mail.
```

Now try sending a message over telnet. MAIL FROM, RCPT TO, DATA, `.` and QUIT below are all SMTP commands:

```
$ telnet mail2. 25
Trying 192.168.2.66...
Connected to mail..
Escape character is '^]'.
220 mail. ESMTP Postfix (Ubuntu)
MAIL FROM:<test1@>
250 2.1.0 Ok
RCPT TO:<test2@>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: a test message

This is a test message!
.
250 2.0.0 Ok: queued as 6832FF0036
QUIT
221 2.0.0 Bye
Connection closed by foreign host.
```

Log in to the mail server over ssh and look in the /var/vmail mail directory to confirm that user test2 received the message from test1. The message can of course also be fetched to a local computer with a client such as Mail.app, Thunderbird or Mutt.
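Returning to the header_checks table created for main.cf above, the following added example (not from the original post or from Postfix) models Postfix's cleanup pass over a constructed message so you can see exactly which headers the six IGNORE rules remove and which survive. The joining of folded continuation lines and the case-insensitive matching are simplified assumptions about how Postfix regexp tables behave.

```python
import re

# The header_checks table from the page: (pattern, action), first match wins.
# Postfix regexp: tables match case-insensitively unless a pattern says otherwise.
HEADER_CHECKS = [
    (r"^Received:", "IGNORE"),
    (r"^User-Agent:", "IGNORE"),
    (r"^X-Mailer:", "IGNORE"),
    (r"^X-Originating-IP:", "IGNORE"),
    (r"^x-cr-[a-z]*:", "IGNORE"),
    (r"^Thread-Index:", "IGNORE"),
]
RULES = [(re.compile(p, re.IGNORECASE), a) for p, a in HEADER_CHECKS]


def apply_header_checks(message):
    """Simplified model of the cleanup pass: each logical header (continuation
    lines joined) is tested against the rules in order; IGNORE silently drops
    it. Returns (filtered message, list of dropped headers)."""
    head, sep, body = message.partition("\n\n")
    headers = re.sub(r"\n[ \t]+", " ", head).split("\n")   # unfold
    kept, dropped = [], []
    for h in headers:
        action = next((a for rx, a in RULES if rx.match(h)), None)
        (dropped if action == "IGNORE" else kept).append(h)
    return "\n".join(kept) + sep + body, dropped


# Constructed sample of a message from an authenticated client as it reaches
# cleanup; hostnames, addresses and the queue id are made up.
SAMPLE = "\n".join([
    "Received: from [192.0.2.10] (client.example.test [192.0.2.10])",
    "\tby mail.example.test (Postfix) with ESMTPSA id 0123456789AB",
    "Received: by client.example.test (Postfix, from userid 1000)",
    "From: test1@example.test",
    "To: test2@example.test",
    "Subject: a test message",
    "User-Agent: Mutt/2.2",
    "X-Mailer: Example MUA 1.0",
    "X-Originating-IP: [192.0.2.10]",
    "X-CR-HashedPuzzle: AAAA BBBB",
    "X-Crazy-Header: kept, 'x-cr' is not followed by a hyphen here",
    "Thread-Index: AQHa0000",
    "",
    "This is a test message!",
])

if __name__ == "__main__":
    filtered, dropped = apply_header_checks(SAMPLE)
    print(filtered)                       # 4 headers survive, body untouched
    print(len(dropped), "headers dropped")  # 7
```

Because main.cf applies header_checks globally and only the 127.0.0.1:10025 re-injection listener sets receive_override_options=no_header_body_checks, mail arriving on port 25 also loses its Received: trace before amavis/SpamAssassin see it and before anyone can investigate an incident. A cleanup service dedicated to the smtps path (selected with cleanup_service_name in master.cf) keeps the privacy benefit for your own outgoing mail without that loss.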