Lesson 15: DHCP, and deploying a mail system with Postfix and Dovecot
The Dynamic Host Configuration Protocol (DHCP) is a UDP-based network protocol that is used only inside a local area network. It is intended mainly for large LANs, or LANs with many mobile office devices, and its main purpose is to automatically assign IP addresses and other parameters to devices inside the LAN or in a network provider's network. (In short: DHCP is the service that lets hosts on a LAN obtain their network parameters automatically.)
Scope: a complete IP address range. DHCP manages the network layout, IP address assignment and the other configuration parameters on a per-scope basis.
Superscope: used to manage several logical subnets that share one physical network. A superscope holds a list of scopes that can be administered as a unit.
Exclusion range: IP addresses within a scope that are set aside, guaranteeing that they are never handed out to DHCP clients.
Address pool: after a scope has been defined and its exclusion ranges applied, the remaining addresses that are available for dynamic assignment to DHCP clients.
Lease: the length of time a DHCP client may use a dynamically assigned IP address.
Reservation: guarantees that a particular device on the network always receives the same IP address.
Deploying the dhcpd service
yum install dhcp
View the contents of the dhcpd service's configuration file.
[root@linuxprobe ~]# cat /etc/dhcp/dhcpd.conf
# DHCP Server Configuration file.
#   see /usr/share/doc/dhcp*/dhcpd.conf.example
#   see dhcpd.conf(5) man page
Automatically managing IP addresses
[root@linuxprobe ~]# vim /etc/dhcp/dhcpd.conf
ddns-update-style none;
ignore client-updates;
subnet 192.168.10.0 netmask 255.255.255.0 {
    range 192.168.10.50 192.168.10.150;
    option subnet-mask 255.255.255.0;
    option routers 192.168.10.1;
    option domain-name "linuxprobe.com";
    option domain-name-servers 192.168.10.1;
    default-lease-time 21600;
    max-lease-time 43200;
}
[root@linuxprobe ~]# systemctl start dhcpd
[root@linuxprobe ~]# systemctl enable dhcpd
ln -s '/usr/lib/systemd/system/dhcpd.service' '/etc/systemd/system/multi-user.target.wants/dhcpd.service'
Assigning a fixed IP address
[root@linuxprobe ~]# vim /etc/dhcp/dhcpd.conf
ddns-update-style none;
ignore client-updates;
subnet 192.168.10.0 netmask 255.255.255.0 {
    range 192.168.10.50 192.168.10.150;
    option subnet-mask 255.255.255.0;
    option routers 192.168.10.1;
    option domain-name "linuxprobe.com";
    option domain-name-servers 192.168.10.1;
    default-lease-time 21600;
    max-lease-time 43200;
    host linuxprobe {
        hardware ethernet 00:0c:29:27:c6:12;
        fixed-address 192.168.10.88;
    }
}
Once you have confirmed that the parameters are correct, save and close the configuration file, then restart the dhcpd service.
[root@linuxprobe ~]# systemctl restart dhcpd
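A check worth running before restarting dhcpd, added here as an example (it is not part of the lesson's material and not ISC's code): it parses the subnet, range and host declarations shown above and reports reservations that fall outside the subnet or inside the dynamic pool, as well as missing or duplicate MAC addresses. It assumes a single-subnet file of the shape shown above and uses only the Python standard library. The sample configuration is constructed from the lesson's, with one extra hypothetical host ("printer") added. Note that the lesson's own reservation, 192.168.10.88, sits inside the 192.168.10.50 to 192.168.10.150 pool; keeping reservations outside the pool is the safe layout, since the pool can otherwise hand the same address to a dynamic client, and the check reports it for that reason.

```python
import ipaddress
import re

# Constructed sample based on the lesson's dhcpd.conf, plus a hypothetical
# "printer" reservation placed outside the dynamic range.
SAMPLE_DHCPD_CONF = """\
ddns-update-style none;
ignore client-updates;
subnet 192.168.10.0 netmask 255.255.255.0 {
    range 192.168.10.50 192.168.10.150;
    option subnet-mask 255.255.255.0;
    option routers 192.168.10.1;
    option domain-name "linuxprobe.com";
    option domain-name-servers 192.168.10.1;
    default-lease-time 21600;
    max-lease-time 43200;
    host linuxprobe {
        hardware ethernet 00:0c:29:27:c6:12;
        fixed-address 192.168.10.88;
    }
    host printer {
        hardware ethernet 00:0c:29:aa:bb:cc;
        fixed-address 192.168.10.200;
    }
}
"""

SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{")
RANGE_RE = re.compile(r"\brange\s+(\S+)\s+(\S+)\s*;")
HOST_RE = re.compile(r"\bhost\s+(\S+)\s*\{([^}]*)\}")
MAC_RE = re.compile(r"hardware\s+ethernet\s+([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\s*;")
FIXED_RE = re.compile(r"fixed-address\s+(\S+)\s*;")


def parse_dhcpd(text):
    """Return (subnet, (range_lo, range_hi), [(name, mac, addr), ...]) for a single-subnet file."""
    sm = SUBNET_RE.search(text)
    net = ipaddress.ip_network(f"{sm.group(1)}/{sm.group(2)}", strict=False)
    rm = RANGE_RE.search(text)
    lo, hi = ipaddress.ip_address(rm.group(1)), ipaddress.ip_address(rm.group(2))
    hosts = []
    for hm in HOST_RE.finditer(text):
        body = hm.group(2)
        mac = MAC_RE.search(body)
        fixed = FIXED_RE.search(body)
        hosts.append((hm.group(1),
                      mac.group(1) if mac else None,
                      ipaddress.ip_address(fixed.group(1)) if fixed else None))
    return net, (lo, hi), hosts


def check_reservations(text):
    """Return a list of problem strings; an empty list means the file passed every check."""
    net, (lo, hi), hosts = parse_dhcpd(text)
    problems = []
    if lo not in net or hi not in net or lo > hi:
        problems.append(f"range {lo}-{hi} is not inside {net}")
    seen_macs = set()
    for name, mac, addr in hosts:
        # Every reservation needs a well-formed, unique MAC to match on.
        if mac is None:
            problems.append(f"host {name}: missing or malformed hardware ethernet")
        elif mac.lower() in seen_macs:
            problems.append(f"host {name}: duplicate MAC {mac}")
        else:
            seen_macs.add(mac.lower())
        if addr is None:
            problems.append(f"host {name}: missing fixed-address")
            continue
        # The fixed address must be routable on this subnet but outside the pool.
        if addr not in net:
            problems.append(f"host {name}: {addr} is outside subnet {net}")
        elif lo <= addr <= hi:
            problems.append(f"host {name}: {addr} lies inside dynamic range {lo}-{hi}")
    return problems


if __name__ == "__main__":
    for problem in check_reservations(SAMPLE_DHCPD_CONF):
        print("WARN:", problem)
```

Run it against the real file with `check_reservations(open("/etc/dhcp/dhcpd.conf").read())`; an empty list means the reservations are consistent with the pool.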
Deploying a mail system with Postfix and Dovecot
Simple Mail Transfer Protocol (SMTP): used to send and relay outgoing e-mail; it uses port 25/TCP on the server.
Post Office Protocol version 3 (POP3): used to download e-mail to the local host for storage; it uses port 110/TCP on the server.
Internet Message Access Protocol version 4 (IMAP4): used to access e-mail from the local host; it uses port 143/TCP on the server.
When deploying an enterprise-grade e-mail system in a production environment, keep the following four points in mind.
- Add anti-spam and anti-virus modules: they are very effective at keeping spam and virus-laden mail out of company mailboxes.
- Encrypt mail: this protects message contents from being stolen or tampered with by attackers.
- Add a mail monitoring and auditing module: this lets you check the mail of all employees for sensitive words, leaked company material and other policy violations.
- Ensure stability: the stability of the mail system is critical. Operations staff must keep it running reliably and be prepared in advance for distributed denial-of-service (DDoS) attacks.
Deploying a basic e-mail system
Even the most basic e-mail system must provide both a sending service and a receiving service. For sending, we use the SMTP-based Postfix service; for receiving, the POP3-based Dovecot service. Users can then send and receive mail normally with a client program such as Outlook Express or Foxmail. The workflow of the e-mail system is shown in Figure 15-3.
Figure 15-3: Workflow of the e-mail system
Step 1: Configure the server's hostname. The hostname must match the sending domain:
[root@linuxprobe ~]# vim /etc/hostname
mail.linuxprobe.com
[root@linuxprobe ~]# hostname mail.linuxprobe.com
Step 2: Flush the default iptables firewall rules and save the rule state, so that the firewall's default rules do not block clients from resolving the domain name or from sending and receiving mail:
[root@localhost ~]# iptables -F
[root@localhost ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
Step 3: Provide DNS resolution for the mail system. Chapter 13 already covered how to configure the bind-chroot service, so only the contents of the main configuration file, the zone configuration file and the zone data file are given here; complete the remaining steps yourself.
[root@linuxprobe ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
………………(part of the output omitted)………………
[root@linuxprobe ~]# cat /etc/named.rfc1912.zones
zone "linuxprobe.com" IN {
        type master;
        file "linuxprobe.com.zone";
        allow-update { none; };
};
[root@linuxprobe ~]# cat /var/named/linuxprobe.com.zone
$TTL 1D
@       IN SOA  linuxprobe.com. root.linuxprobe.com. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        NS      ns.linuxprobe.com.
ns      IN A    192.168.10.10
@       IN MX   10 mail.linuxprobe.com.
        IN A    192.168.10.10
[root@linuxprobe ~]# systemctl restart named
[root@linuxprobe ~]# systemctl enable named
ln -s '/usr/lib/systemd/system/named.service' '/etc/systemd/system/multi-user.target.wants/named.service'
After editing the configuration files, remember to restart the bind service. The mail system's server hostname is now mail.linuxprobe.com, and the mail domain is @linuxprobe.com. Finally, change the server's DNS address to its own local IP address.
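A consistency check for the DNS side of step 3, added here as an example (it is not part of the lesson and not BIND's code): it parses a zone file in the format shown above, handling the parenthesised SOA record and owner-name inheritance for records that omit the owner, then verifies that the domain has an MX record, that every MX target has an A/AAAA record and is not a CNAME, and that the hostname set in step 1 is itself one of the MX targets under the mail domain. The sample zone is constructed from the lesson's, with the mail host's A record written with an explicit owner name (`mail`).

```python
import re

ORIGIN = "linuxprobe.com"          # zone origin from the lesson
HOSTNAME = "mail.linuxprobe.com"   # contents of /etc/hostname in step 1

# Constructed sample zone based on the lesson's /var/named/linuxprobe.com.zone.
SAMPLE_ZONE = """\
$TTL 1D
@       IN SOA  linuxprobe.com. root.linuxprobe.com. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        NS      ns.linuxprobe.com.
ns      IN A    192.168.10.10
@       IN MX   10 mail.linuxprobe.com.
mail    IN A    192.168.10.10
"""


def fqdn(name, origin):
    """Expand a zone-file name to a fully-qualified name without the trailing dot."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name[:-1]
    return f"{name}.{origin}"


def parse_zone(text, origin):
    """Return [(owner, rtype, rdata_tokens), ...]; handles comments, $-directives,
    parenthesised multi-line rdata and owner inheritance."""
    logical, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if depth == 0:
            logical.append(line)
        else:
            logical[-1] += " " + line.strip()     # continuation inside ( ... )
        depth += line.count("(") - line.count(")")
    records, owner = [], origin
    for line in logical:
        if line.startswith("$"):
            continue
        tokens = [t for t in re.split(r"\s+", line.strip()) if t not in ("(", ")")]
        if not line[0].isspace():                 # an owner name is present
            owner = fqdn(tokens.pop(0), origin)
        if tokens and tokens[0].upper() == "IN":  # optional class
            tokens.pop(0)
        records.append((owner, tokens[0].upper(), tokens[1:]))
    return records


def check_mail_dns(zone_text, origin, hostname):
    """Return problem strings for the mail-related DNS setup; empty means consistent."""
    records = parse_zone(zone_text, origin)
    a_owners = {o for o, t, _ in records if t in ("A", "AAAA")}
    cname_owners = {o for o, t, _ in records if t == "CNAME"}
    mx_targets = [fqdn(r[1], origin) for o, t, r in records if t == "MX" and o == origin]
    problems = []
    if not mx_targets:
        problems.append(f"no MX record for {origin}")
    for target in mx_targets:
        # An MX target must resolve directly to an address, never via CNAME.
        if target in cname_owners:
            problems.append(f"MX target {target} is a CNAME, which is not allowed")
        elif target not in a_owners:
            problems.append(f"MX target {target} has no A/AAAA record")
    if hostname not in mx_targets:
        problems.append(f"hostname {hostname} is not an MX target of {origin}")
    if not hostname.endswith("." + origin):
        problems.append(f"hostname {hostname} is not under the mail domain {origin}")
    return problems


if __name__ == "__main__":
    print(check_mail_dns(SAMPLE_ZONE, ORIGIN, HOSTNAME))
```

On a live server, feed it the real zone file and `open("/etc/hostname").read().strip()`; the checks match what a remote MTA needs in order to deliver to the domain.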
Configuring the Postfix service
Step 1: Install the Postfix service
[root@linuxprobe ~]# yum install postfix
Loaded plugins: langpacks, product-id, subscription-manager
rhel7                                                    | 4.1 kB     00:00
(1/2): rhel7/group_gz                                    | 134 kB    00:00
(2/2): rhel7/primary_db                                  | 3.4 MB    00:00
Package 2:postfix-2.10.1-6.el7.x86_64 already installed and latest version
Nothing to do
[root@linuxprobe ~]# systemctl disable iptables
Step 2: Configure the Postfix service
[root@linuxprobe ~]# vim /etc/postfix/main.cf
………………(part of the output omitted)………………
 68 # INTERNET HOST AND DOMAIN NAMES
 69 #
 70 # The myhostname parameter specifies the internet hostname of this
 71 # mail system. The default is to use the fully-qualified domain name
 72 # from gethostname(). $myhostname is used as a default value for many
 73 # other configuration parameters.
 74 #
 75 #myhostname = host.domain.tld
 76 myhostname = mail.linuxprobe.com
………………(part of the output omitted)………………
Next, on line 83, define a variable named mydomain to hold the name of the mail domain. Remember this variable name, because it is referenced below:
 78 # The mydomain parameter specifies the local internet domain name.
 79 # The default is to use $myhostname minus the first component.
 80 # $mydomain is used as a default value for many other configuration
 81 # parameters.
 82 #
 83 mydomain = linuxprobe.com
On line 99, reference the mydomain variable defined above to set the domain that outgoing mail comes from. Using the variable avoids writing the same information twice and makes it easier to change it everywhere later:
 85 # SENDING MAIL
 86 #
 87 # The myorigin parameter specifies the domain that locally-posted
 88 # mail appears to come from. The default is to append $myhostname,
 89 # which is fine for small sites. If you run a domain with multiple
 90 # machines, you should (1) change this to $mydomain and (2) set up
 91 # a domain-wide alias database that aliases each user to
 92 # user@that.users.mailhost.
 93 #
 94 # For the sake of consistency between sender and recipient addresses,
 95 # myorigin also specifies the default domain name that is appended
 96 # to recipient addresses that have no @domain part.
 97 #
 98 #myorigin = $myhostname
 99 myorigin = $mydomain
The fourth change is on line 116, which sets the network interface addresses to listen on. You can specify which of the server's IP addresses should provide mail service, or simply write all, meaning that every IP address provides it:
103 # The inet_interfaces parameter specifies the network interface
104 # addresses that this mail system receives mail on. By default,
105 # the software claims all active interfaces on the machine. The
106 # parameter also controls delivery of mail to user@[ip.address].
107 #
108 # See also the proxy_interfaces parameter, for network addresses that
109 # are forwarded to us via a proxy or network address translator.
110 #
111 # Note: you need to stop/start Postfix when this parameter changes.
112 #
113 #inet_interfaces = all
114 #inet_interfaces = $myhostname
115 #inet_interfaces = $myhostname, localhost
116 inet_interfaces = all
The last change is on line 164, which defines the list of hostnames or domain names for which mail is accepted. The myhostname and mydomain variables defined earlier can be referenced directly here (or, if you prefer not to use variables, their literal values can be written instead):
133 # The mydestination parameter specifies the list of domains that this
134 # machine considers itself the final destination for.
135 #
136 # These domains are routed to the delivery agent specified with the
137 # local_transport parameter setting. By default, that is the UNIX
138 # compatible delivery agent that lookups all recipients in /etc/passwd
139 # and /etc/aliases or their equivalent.
140 #
141 # The default is $myhostname + localhost.$mydomain. On a mail domain
142 # gateway, you should also include $mydomain.
143 #
144 # Do not specify the names of virtual domains - those domains are
145 # specified elsewhere (see VIRTUAL_README).
146 #
147 # Do not specify the names of domains that this machine is backup MX
148 # host for. Specify those names via the relay_domains settings for
149 # the SMTP server, or use permit_mx_backup if you are lazy (see
150 # STANDARD_CONFIGURATION_README).
151 #
152 # The local machine is always the final destination for mail addressed
153 # to user@[the.net.work.address] of an interface that the mail system
154 # receives mail on (see the inet_interfaces parameter).
155 #
156 # Specify a list of host or domain names, /file/name or type:table
157 # patterns, separated by commas and/or whitespace. A /file/name
158 # pattern is replaced by its contents; a type:table is matched when
159 # a name matches a lookup key (the right-hand side is ignored).
160 # Continue long lines by starting the next line with whitespace.
161 #
162 # See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS".
163 #
164 mydestination = $myhostname , $mydomain
165 #mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
166 #mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
Step 3: Create login accounts for the mail system. Like vsftpd, Postfix can authenticate against the local system's accounts and passwords, so creating ordinary local accounts is all that is needed. Finally, restart the configured postfix service and enable it at boot. Done!
[root@linuxprobe ~]# useradd boss
[root@linuxprobe ~]# echo "linuxprobe" | passwd --stdin boss
Changing password for user boss.
passwd: all authentication tokens updated successfully.
[root@linuxprobe ~]# systemctl restart postfix
[root@linuxprobe ~]# systemctl enable postfix
ln -s '/usr/lib/systemd/system/postfix.service' '/etc/systemd/system/multi-user.target.wants/postfix.service'
15.2.2 Configuring the Dovecot service
Dovecot is an open-source server that provides IMAP and POP3 mail services on Linux. It is highly secure, simple to configure and fast, and it makes modest demands on server hardware, which makes it a recommended choice for the receiving side.
Step 1: Install the Dovecot package. Configure the Yum repository and mount the installation image to the appropriate directory yourself, then install the dovecot package by name:
[root@linuxprobe ~]# yum install dovecot
Loaded plugins: langpacks, product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
rhel                                                     | 4.1 kB     00:00
Resolving Dependencies
--> Running transaction check
---> Package dovecot.x86_64 1:2.2.10-4.el7 will be installed
--> Processing Dependency: libclucene-core.so.1()(64bit) for package: 1:dovecot-2.2.10-4.el7.x86_64
--> Processing Dependency: libclucene-shared.so.1()(64bit) for package: 1:dovecot-2.2.10-4.el7.x86_64
--> Running transaction check
---> Package clucene-core.x86_64 0:2.3.3.4-11.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package            Arch         Version                Repository        Size
================================================================================
Installing:
 dovecot            x86_64       1:2.2.10-4.el7         rhel             3.2 M
Installing for dependencies:
 clucene-core       x86_64       2.3.3.4-11.el7         rhel             528 k

Transaction Summary
================================================================================
Install  1 Package (+1 Dependent package)

Total download size: 3.7 M
Installed size: 12 M
Is this ok [y/d/N]: y
Downloading packages:
--------------------------------------------------------------------------------
Total                                               44 MB/s | 3.7 MB  00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : clucene-core-2.3.3.4-11.el7.x86_64                           1/2
  Installing : 1:dovecot-2.2.10-4.el7.x86_64                                2/2
  Verifying  : 1:dovecot-2.2.10-4.el7.x86_64                                1/2
  Verifying  : clucene-core-2.3.3.4-11.el7.x86_64                           2/2

Installed:
  dovecot.x86_64 1:2.2.10-4.el7

Dependency Installed:
  clucene-core.x86_64 0:2.3.3.4-11.el7

Complete!
Step 2: Configure and deploy the Dovecot service. Make the following changes in Dovecot's main configuration file. First, on line 24, set the mail protocols that Dovecot serves to imap, pop3 and lmtp. Then add a line below it that permits password authentication in plain text. This is needed because, to keep the mail system secure, Dovecot by default forces users to log in over an encrypted connection; since no encryption has been set up yet, this parameter is added to allow plaintext logins.
[root@linuxprobe ~]# vim /etc/dovecot/dovecot.conf
………………(part of the output omitted)………………
 23 # Protocols we want to be serving.
 24 protocols = imap pop3 lmtp
 25 disable_plaintext_auth = no
………………(part of the output omitted)………………
On line 48 of the main configuration file, set the network range from which logins are allowed; in other words, this is where you can restrict the mail system to users coming from a particular network. If everyone should be allowed to use it, leave this parameter unchanged:
 44 # Space separated list of trusted network ranges. Connections from these
 45 # IPs are allowed to override their IP addresses and ports (for logging and
 46 # for authentication checks). disable_plaintext_auth is also ignored for
 47 # these networks. Typically you'd specify your IMAP proxy servers here.
 48 login_trusted_networks = 192.168.10.0/24
Step 3: Configure the mailbox format and storage path. In one of Dovecot's separate sub-configuration files, define the path where received mail is stored on the server. This path is already defined by default; simply remove the hash sign (#) in front of line 24 of that file.
[root@linuxprobe ~]# vim /etc/dovecot/conf.d/10-mail.conf
  1 ##
  2 ## Mailbox locations and namespaces
  3 ##
  4 # Location for users' mailboxes. The default is empty, which means that Dovecot
  5 # tries to find the mailboxes automatically. This won't work if the user
  6 # doesn't yet have any mail, so you should explicitly tell Dovecot the full
  7 # location.
  8 #
  9 # If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u)
 10 # isn't enough. You'll also need to tell Dovecot where the other mailboxes are
 11 # kept. This is called the "root mail directory", and it must be the first
 12 # path given in the mail_location setting.
 13 #
 14 # There are a few special variables you can use, eg.:
 15 #
 16 #   %u - username
 17 #   %n - user part in user@domain, same as %u if there's no domain
 18 #   %d - domain part in user@domain, empty if there's no domain
 19 #   %h - home directory
 20 #
 21 # See doc/wiki/Variables.txt for full list. Some examples:
 22 #
 23 #   mail_location = maildir:~/Maildir
 24 mail_location = mbox:~/mail:INBOX=/var/mail/%u
 25 #   mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
………………(part of the output omitted)………………
Then switch to the boss account created while configuring Postfix and create the directory that will hold its mail in the home directory. Remember to restart the Dovecot service and enable it at boot. With this, the configuration and deployment of Dovecot is complete.
[root@linuxprobe ~]# su - boss
Last login: Sat Aug 15 16:15:58 CST 2017 on pts/1
[boss@mail ~]$ mkdir -p mail/.imap/INBOX
[boss@mail ~]$ exit
[root@linuxprobe ~]# systemctl restart dovecot
[root@linuxprobe ~]# systemctl enable dovecot
ln -s '/usr/lib/systemd/system/dovecot.service' '/etc/systemd/system/multi-user.target.wants/dovecot.service'
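The Postfix and Dovecot changes above both use key = value settings, and Postfix resolves $name references when it loads main.cf. The following example is added here (my code, not the lesson's and not Postfix's or Dovecot's): it parses both files, expands myorigin and mydestination so you can see exactly which domains Postfix will treat itself as the final destination for, and lists the settings a reviewer would look at twice: inet_interfaces = all, disable_plaintext_auth = no, and login_trusted_networks, which, per the comment shown above that setting in the lesson's dovecot.conf excerpt, lets connections from those networks override their source address and exempts them from disable_plaintext_auth. The samples are constructed from the excerpts above.

```python
import re

# Constructed samples containing only the lines the lesson changes.
SAMPLE_MAIN_CF = """\
# INTERNET HOST AND DOMAIN NAMES
#myhostname = host.domain.tld
myhostname = mail.linuxprobe.com
mydomain = linuxprobe.com
#myorigin = $myhostname
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname , $mydomain
"""

SAMPLE_DOVECOT_CONF = """\
# Protocols we want to be serving.
protocols = imap pop3 lmtp
disable_plaintext_auth = no
login_trusted_networks = 192.168.10.0/24
"""

PARAM_RE = re.compile(r"\$\{(\w+)\}|\$(\w+)")


def parse_kv(text):
    """Parse 'key = value' lines, ignoring '#' comments; a later key overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def expand(settings, value, depth=0):
    """Expand Postfix-style $name and ${name} references recursively."""
    if depth > 10:
        raise ValueError("parameter reference loop")

    def repl(match):
        name = match.group(1) or match.group(2)
        return expand(settings, settings.get(name, ""), depth + 1)

    return PARAM_RE.sub(repl, value)


def postfix_destinations(main_cf_text):
    """Return the expanded mydestination list, split on commas and/or whitespace as Postfix does."""
    pf = parse_kv(main_cf_text)
    return [d for d in re.split(r"[,\s]+", expand(pf, pf.get("mydestination", ""))) if d]


def audit(main_cf_text, dovecot_text):
    """Return (findings, facts): findings are settings to review, facts are the expanded values."""
    pf, dc = parse_kv(main_cf_text), parse_kv(dovecot_text)
    facts = {
        "myorigin": expand(pf, pf.get("myorigin", "")),
        "mydestination": postfix_destinations(main_cf_text),
    }
    findings = []
    # Postfix defaults to 'all' when the parameter is absent.
    if pf.get("inet_interfaces", "all") == "all":
        findings.append("postfix: inet_interfaces = all listens for SMTP on every interface; "
                        "list only the addresses that should accept mail")
    # Dovecot defaults to 'yes' (plaintext auth refused on unencrypted sessions).
    if dc.get("disable_plaintext_auth", "yes").lower() == "no":
        findings.append("dovecot: disable_plaintext_auth = no sends passwords in the clear "
                        "over unencrypted POP3/IMAP; set it back to yes once TLS is in place")
    if dc.get("login_trusted_networks"):
        findings.append("dovecot: login_trusted_networks = " + dc["login_trusted_networks"] +
                        "; connections from here may override their IP and skip the "
                        "plaintext-auth check, so limit it to real proxy hosts")
    return findings, facts


if __name__ == "__main__":
    found, facts = audit(SAMPLE_MAIN_CF, SAMPLE_DOVECOT_CONF)
    print("myorigin      =", facts["myorigin"])
    print("mydestination =", facts["mydestination"])
    for f in found:
        print("REVIEW:", f)
```

Point it at the live files with `audit(open("/etc/postfix/main.cf").read(), open("/etc/dovecot/dovecot.conf").read())`; the expanded mydestination list is what to compare against the MX record in the zone file.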