邮件服务器
Postfix + SASL (courler-authlib) + MySQL
Dovecot + MySQL
Exmail + Exman + httpd
CentOS6.7
1- 安装前准备
yum -y install cyrus-sasl-devel.x86_64 cyrus-sasl-plain-2.1.23-15.el6_6.2.x86_64 gcc*
查询cyrus-sasl-devel安装的头文件以及库文件
rpm -ql cyrus-sasl-devel
/usr/include/sasl
/usr/include/sasl/hmac-md5.h
/usr/include/sasl/md5.h
/usr/include/sasl/md5global.h
/usr/include/sasl/prop.h
/usr/include/sasl/sasl.h
/usr/include/sasl/saslplug.h
/usr/include/sasl/saslutil.h
/usr/lib64/libsasl2.so
/usr/include/sasl //头文件位置
/usr/lib64/sasl2库文件位置
同理mysql的
rpm -ql mysql-devel
/usr/include/mysql //头文件位置
/usr/lib64/mysql/ //库文件位置
2- 卸载原postfix
yum -y remove postfix
作为依赖被删除:
cronie.x86_64 0:1.4.4-15.el6 cronie-anacron.x86_64 0:1.4.4-15.el6
crontabs.noarch 0:1.10-33.el6 redhat-lsb.x86_64 0:4.0-7.el6.centos
redhat-lsb-compat.x86_64 0:4.0-7.el6.centos redhat-lsb-core.x86_64 0:4.0-7.el6.centos
redhat-lsb-graphics.x86_64 0:4.0-7.el6.centos redhat-lsb-printing.x86_64 0:4.0-7.el6.centos
sysstat.x86_64 0:9.0.4-27.el6
3- 安装mysql
yum -y install mysql mysql-server.x86_64 mysql-devel.x86_64 mysql.x86_64
service mysqld on
service mysqld restart
mysqladmin -uroot password 666666
4- 编译安装postfix2.10
wget ftp://ftp.cuhk.edu.hk/pub/packages/mail-server/postfix/official/postfix-2.10.10.tar.gz //下载源码包
groupadd -g 2525 postfix
useradd -g postfix -u 2525 -s /sbin/nologin -M postfix
groupadd -g 2526 postdrop
useradd -g postdrop -u 2526 -s /sbin/nologin -M postdrop
tar -zxvf postfix-2.10.10.tar.gz
cd postfix-2.10.10
make makefiles 'CCARGS=-DHAS_MYSQL -I/usr/include/mysql -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/include/sasl -DUSE_TLS ' 'AUXLIBS=-L/usr/lib64/mysql -lmysqlclient -lz -lm -L/usr/lib64/sasl2 -lsasl2 -lssl -lcrypto'
make
make install
Please specify the prefix for installed file names. Specify this ONLY
if you are building ready-to-install packages for distribution to OTHER
machines. See PACKAGE_README for instructions.
install_root: [/]
Please specify a directory for scratch files while installing Postfix. You
must have write permission in this directory.
tempdir: [/usr/local/soft/postfix/postfix-2.10.10] /root/postfix-2.10.0
Please specify the final destination directory for installed Postfix
configuration files.
config_directory: [/etc/postfix]
Please specify the final destination directory for installed Postfix
administrative commands. This directory should be in the command search
path of adminstrative users.
command_directory: [/usr/sbin]
Please specify the final destination directory for installed Postfix
daemon programs. This directory should not be in the command search path
of any users.
daemon_directory: [/usr/libexec/postfix]
Please specify the final destination directory for Postfix-writable
data files such as caches or random numbers. This directory should not
be shared with non-Postfix software.
data_directory: [/var/lib/postfix]
Please specify the final destination directory for the Postfix HTML
files. Specify "no" if you do not want to install these files.
html_directory: [no]
Please specify the owner of the Postfix queue. Specify an account with
numerical user ID and group ID values that are not used by any other
accounts on the system.
mail_owner: [postfix]
Please specify the final destination pathname for the installed Postfix
mailq command. This is the Sendmail-compatible mail queue listing command.
mailq_path: [/usr/bin/mailq]
Please specify the final destination directory for the Postfix on-line
manual pages. You can no longer specify "no" here.
manpage_directory: [/usr/local/man]
Please specify the final destination pathname for the installed Postfix
newaliases command. This is the Sendmail-compatible command to build
alias databases for the Postfix local delivery agent.
newaliases_path: [/usr/bin/newaliases]
Please specify the final destination directory for Postfix queues.
queue_directory: [/var/spool/postfix]
Please specify the final destination directory for the Postfix README
files. Specify "no" if you do not want to install these files.
readme_directory: [no]
Please specify the final destination pathname for the installed Postfix
sendmail command. This is the Sendmail-compatible mail posting interface.
sendmail_path: [/usr/sbin/sendmail]
Please specify the group for mail submission and for queue management
commands. Specify a group name with a numerical group ID that is
not shared with other accounts, not even with the Postfix mail_owner
account. You can no longer specify "no" here.
setgid_group: [postdrop]
postfix的配置文件
postfix模块化:
master:/etc/postfix/master.cf //主进程的配置文件
mail:/etc/postfix/main.cf //其他模块的配置文件
postconf:配置postfix
-d:显示默认的配置
-n:修改了的配置
-m:显示支持的查找表类型
-A:显示支持的SASL客户端插件类型
-e:paramter=value //修改某参数
smtp状态码
1xx:纯信息
2xx:正确
3xx:上一步操作尚未完成,需要继续补充
4xx: 暂时性错误
5xx: 永久性错误
smtp协议命令:
helo localhost(smtp协议)//联系localhost
ehlo localhost(esmtp协议)//联系localhost
mail from:root //指明发件人
rcpt to:root//指定收件人
data //发送数据
postfix默认把本机的IP地址所在的网络识别为本地网络,并为之中继邮件。
发邮件
telnet localhost 25
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.localdomain ESMTP Postfix
helo localhost
250 mail.localdomain
mail from:root
250 2.1.0 Ok
rcpt to:root
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Subject:How are you these days?
Are you?
.
250 2.0.0 Ok: queued as 7A7B52A0056
500 5.5.2 Error: bad syntax
quit
221 2.0.0 Bye
Connection closed by foreign host.
You have mail in /var/spool/mail/root
收邮件
[root@mail ~]# mail
Heirloom Mail version 12.4 7/29/08. Type ? for help.
"/var/spool/mail/root": 1 message 1 new
>N 1 root@mail.localdomai Tue Oct 18 13:29 14/475 "How are you these days?"
& 1
Message 1:
From root@mail.localdomain Tue Oct 18 13:29:11 2016
Return-Path: <root@mail.localdomain>
X-Original-To: root
Delivered-To: root@mail.localdomain
Subject:How are you these days?
Date: Tue, 18 Oct 2016 13:27:58 +0800 (CST)
From: root@mail.localdomain
Status: R
Are you?
&
Oct 18 13:17:37 mail postfix/smtpd[4576]: warning: hash:/etc/aliases is unavailable. open database /etc/aliases.db: No such file or directory
Oct 18 13:17:37 mail postfix/smtpd[4576]: warning: hash:/etc/aliases lookup error for "root@mail.localdomain"
alias:邮件别名
abc@fengge.com:postmaster@fengge.com
/etc/aliases --> hash --> /etc/aliases.db
#newaliases
root@mail ~]# ls /etc/ |grep alias
aliases
aliases.db
5- 为postfix提供服务脚本/etc/init.d/postfix,内容如下(#END 之前):
#!/bin/bash
#
# postfix Postfix Mail Transfer Agent
#
# chkconfig: 2345 80 30
# description: Postfix is a Mail Transport Agent, which is the program \
# that moves mail from one machine to another.
# processname: master
# pidfile: /var/spool/postfix/pid/master.pid
# config: /etc/postfix/main.cf
# config: /etc/postfix/master.cf
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up.
[ $NETWORKING = "no" ] && exit 3
[ -x /usr/sbin/postfix ] || exit 4
[ -d /etc/postfix ] || exit 5
[ -d /var/spool/postfix ] || exit 6
RETVAL=0
prog="postfix"
start() {
# Start daemons.
echo -n $"Starting postfix: "
/usr/bin/newaliases >/dev/null 2>&1
/usr/sbin/postfix start 2>/dev/null 1>&2 && success || failure $"$prog start"
RETVAL=$?
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/postfix
echo
return $RETVAL
}
stop() {
# Stop daemons.
echo -n $"Shutting down postfix: "
/usr/sbin/postfix stop 2>/dev/null 1>&2 && success || failure $"$prog stop"
RETVAL=$?
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/postfix
echo
return $RETVAL
}
reload() {
echo -n $"Reloading postfix: "
/usr/sbin/postfix reload 2>/dev/null 1>&2 && success || failure $"$prog reload"
RETVAL=$?
echo
return $RETVAL
}
abort() {
/usr/sbin/postfix abort 2>/dev/null 1>&2 && success || failure $"$prog abort"
return $?
}
flush() {
/usr/sbin/postfix flush 2>/dev/null 1>&2 && success || failure $"$prog flush"
return $?
}
check() {
/usr/sbin/postfix check 2>/dev/null 1>&2 && success || failure $"$prog check"
return $?
}
restart() {
stop
start
}
# See how we were called.
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
stop
start
;;
reload)
reload
;;
abort)
abort
;;
flush)
flush
;;
check)
check
;;
status)
status master
;;
condrestart)
[ -f /var/lock/subsys/postfix ] && restart || :
;;
*)
echo $"Usage: $0 {start|stop|restart|reload|abort|flush|check|status|condrestart}"
exit 1
esac
exit $?
# END
为此脚本赋予执行权限:
# chmod +x /etc/init.d/postfix
将postfix服务添加至服务列表:
# chkconfig --add postfix
设置其开机自动启动:
# chkconfig postfix on
使用此脚本重新启动服务,以测试其能否正常执行:
# service postfix restart
6- 进行一些基本配置,测试启动postfix并进行发信
# vim /etc/postfix/main.cf
修改以下几项为您需要的配置
myhostname = mail.magedu.com
myorigin = magedu.com
mydomain = magedu.com
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks = 192.168.1.0/24, 127.0.0.0/8
说明:
myorigin参数用来指明发件人所在的域名,即做发件地址伪装;
mydestination参数指定postfix接收邮件时收件人的域名,即您的postfix系统要接收到哪个域名的邮件;
myhostname 参数指定运行postfix邮件系统的主机的主机名,默认情况下,其值被设定为本地机器名;
mydomain 参数指定您的域名,默认情况下,postfix将myhostname的第一部分删除而作为mydomain的值;
mynetworks 参数指定你所在的网络的网络地址,postfix系统根据其值来区别用户是远程的还是本地的,如果是本地网络用户则允许其访问;
inet_interfaces 参数指定postfix系统监听的网络接口;
注意:
1、在postfix的配置文件中,参数行和注释行是不能处在同一行中的;
2、任何一个参数的值都不需要加引号,否则,引号将会被当作参数值的一部分来使用;
3、每修改参数及其值后执行 postfix reload 即可令其生效;但若修改了inet_interfaces,则需重新启动postfix;
4、如果一个参数的值有多个,可以将它们放在不同的行中,只需要在其后的每个行前多置一个空格即可;postfix会把第一个字符为空格或tab的文本行视为上一行的延续;
7- 安装dovecot(接收邮件)
yum -y install dovecot
修改 /etc/dovecot/dovecot.conf配置文件
#protocols = imap pop3 lmtp
修改为
protocols = imap pop3
disable_plaintext_auth = no //不设置报这个错mail dovecot: pop3-login: Disconnected (tried to use disabled plaintext auth): rip=192.168.1.22, lip=192.168.1.21
8- 命令行收邮件
telnet mail.xingxing.com 110
user hadoop
pass 666666
list
retr 1
9- 实现postfix基于客户端的访问控制
1、基于客户端的访问控制概览
postfix内置了多种反垃圾邮件的机制,其中就包括“客户端”发送邮件限制。客户端判别机制可以设定一系列客户信息的判别条件:
smtpd_client_restrictions
smtpd_data_restrictions
smtpd_helo_restrictions
smtpd_recipient_restrictions
smtpd_sender_restrictions
上面的每一项参数分别用于检查SMTP会话过程中的特定阶段,即客户端提供相应信息的阶段,如当客户端发起连接请求时,postfix就可以根据配置文件中定义的smtpd_client_restrictions参数来判别此客户端IP的访问权限。相应地,smtpd_helo_restrictions则用于根据用户的helo信息判别客户端的访问能力等等。
如果DATA命令之前的所有内容都被接受,客户端接着就可以开始传送邮件内容了。邮件内容通常由两部分组成,前半部分是标题(header),其可以由header_check过滤,后半部分是邮件正文(body),其可以由check_body过滤。这两项实现的是邮件“内容检查”。
postfix的默认配置如下:
smtpd_client_restrictions =
smtpd_data_restrictions =
smtpd_end_of_data_restrictions =
smtpd_etrn_restrictions =
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_sender_restrictions =
这限制了只有mynetworks参数中定义的本地网络中的客户端才能通过postfix转发邮件,其它客户端则不被允许,从而关闭了开放式中继(open relay)的功能。
Postfix有多个内置的限制条件,如上面的permit_mynetworks和reject_unauth_destination,但管理员也可以使用访问表(access map)来自定义限制条件。自定义访问表的条件通常使用check_client_access, check_helo_access, check_sender_access, check_recipient_access进行,它们后面通常跟上type:mapname格式的访问表类型和名称。其中,check_sender_access和check_recipient_access用来检查客户端提供的邮件地址,因此,其访问表中可以使用完整的邮件地址,如admin@magedu.com;也可以只使用域名,如magedu.com;还可以只有用户名的部分,如marion@。
2、实现示例1
这里以禁止172.16.100.66这台主机通过工作在172.16.100.1上的postfix服务发送邮件为例演示说明其实现过程。访问表使用hash的格式。
(1)首先,编辑/etc/postfix/access文件,以之做为客户端检查的控制文件,在里面定义如下一行:
172.16.100.66 REJECT
(2)将此文件转换为hash格式
# postmap /etc/postfix/access
(3)配置postfix使用此文件对客户端进行检查
编辑/etc/postfix/main.cf文件,添加如下参数:
smtpd_client_restrictions = check_client_access hash:/etc/postfix/access
(4)让postfix重新载入配置文件即可进行发信控制的效果测试了。
3、实现示例2
这里以禁止通过本服务器向microsoft.com域发送邮件为例演示其实现过程。访问表使用hash的格式。
(1)首先,建立/etc/postfix/denydstdomains文件(文件名任取),在里面定义如下一行:
microsoft.com REJECT
(2)将此文件转换为hash格式
# postmap /etc/postfix/denydstdomains
(3)配置postfix使用此文件对客户端进行检查
编辑/etc/postfix/main.cf文件,添加如下参数:
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/denydstdomains, permit_mynetworks, reject_unauth_destination
(4)让postfix重新载入配置文件即可进行发信控制的效果测试了。
4、检查表格式的说明
hash类的检查表都使用类似如下的格式:
pattern action
检查表文件中,空白行、仅包含空白字符的行和以#开头的行都会被忽略。以空白字符开头后跟其它非空白字符的行会被认为是前一行的延续,是一行的组成部分。
(1)关于pattern
其pattern通常有两类地址:邮件地址和主机名称/地址。
邮件地址的pattern格式如下:
user@domain 用于匹配指定邮件地址;
domain.tld 用于匹配以此域名作为邮件地址中的域名部分的所有邮件地址;
user@ 用于匹配以此作为邮件地址中的用户名部分的所有邮件地址;
主机名称/地址的pattern格式如下:
domain.tld 用于匹配指定域及其子域内的所有主机;
.domain.tld 用于匹配指定域的子域内的所有主机;
net.work.addr.ess
net.work.addr
net.work
net 用于匹配特定的IP地址或网络内的所有主机;
network/mask CIDR格式,匹配指定网络内的所有主机;
(2)关于action
接受类的动作:
OK 接受其pattern匹配的邮件地址或主机名称/地址;
全部由数字组成的action 隐式表示OK;
拒绝类的动作(部分):
4NN text
5NN text
其中4NN类表示过一会儿重试;5NN类表示严重错误,将停止重试邮件发送;421和521对于postfix来说有特殊意义,尽量不要自定义这两个代码;
REJECT optional text... 拒绝;text为可选信息;
DEFER optional text... 拒绝;text为可选信息;
10- postfix + SASL 用户认证
启动sasl,启动sasl服务
/etc/rc.d/init.d/saslauthd
/etc/sysconfig/saslauthd //修改认证方式为shadow
MECH=pam
修改为
MECH=shadow
saslauthd -v: 显示当前主机saslauthd服务所支持的认证机制,默认为pam
chkconfig saslauthd on
service salslauthd restart
测试认证:
[root@mail ~]# testsaslauthd -uhadoop -p666666
0: OK "Success."
使用以下命令验正postfix是否支持cyrus风格的sasl认证,如果您的输出为以下结果,则是支持的:
# /usr/local/postfix/sbin/postconf -a
cyrus
dovecot
#vim /etc/postfix/main.cf
添加以下内容:
############################CYRUS-SASL############################
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_invalid_hostname,reject_non_fqdn_hostname,reject_unknown_sender_domain,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unauth_pipelining,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sasl_path = smtpd
smtpd_banner = Welcome to our $myhostname ESMTP,Warning: Version not Available!
# vim /usr/lib/sasl2/smtpd.conf
添加如下内容:
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
让postfix重新加载配置文件
#/usr/sbin/postfix reload
# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 Welcome to our mail.magedu.com ESMTP,Warning: Version not Available!
ehlo mail.magedu.com
250-mail.magedu.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN (请确保您的输出以类似两行)
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
