Life is about tinkering. Recently, for work, I set up a mail server with virtual accounts using Postfix + Dovecot + MariaDB on CentOS 7. The final setup supports SMTP, SMTPS and IMAPS, plus mail forwarding, so from now on I can use a different e-mail address in each place and know who leaked my address.
Reference articles
I am not going to describe the main installation process here, because Dovecot, Postfix and MariaDB were already installed on my server, so for me the important part was the configuration. I mainly followed a Linode article:
Email with Postfix, Dovecot and MariaDB on CentOS 7
https://www.linode.com/docs/email/postfix/email-with-postfix-dovecot-and-mariadb-on-centos-7
It is very detailed. Here I mainly record the pitfalls I hit while following it.
You may also need the list of port numbers:
http://zh.wikipedia.org/wiki/TCP/UDP端口列表
Installing Postfix
Note that the Postfix shipped in the current CentOS release does not support MariaDB, so you have to use the centosplus repo. At the same time, we should stop yum from updating postfix from CentOS Base. After installation my Postfix version was 2.10.1. Postfix versions differ considerably in their configuration, so when reading documentation you should know which version of the software you are running and watch for differences in the steps.
```
[base]
name=CentOS-$releasever - Base
exclude=postfix

#released updates
[updates]
name=CentOS-$releasever - Updates
exclude=postfix
```
```sh
yum --enablerepo=centosplus install postfix
yum install dovecot mariadb-server dovecot-mysql
```
Setting up virtual domains and mailbox users in the database
Since the database was already installed, I only needed to create the user and the tables. Remember to replace mail_admin_password and mail_admin.
```sql
CREATE DATABASE mail;
USE mail;
GRANT SELECT, INSERT, UPDATE, DELETE ON mail.* TO 'mail_admin'@'localhost' IDENTIFIED BY 'mail_admin_password';
GRANT SELECT, INSERT, UPDATE, DELETE ON mail.* TO 'mail_admin'@'localhost.localdomain' IDENTIFIED BY 'mail_admin_password';
FLUSH PRIVILEGES;
CREATE TABLE domains (domain varchar(50) NOT NULL, PRIMARY KEY (domain) );
CREATE TABLE forwardings (source varchar(80) NOT NULL, destination TEXT NOT NULL, PRIMARY KEY (source) );
CREATE TABLE users (email varchar(80) NOT NULL, password varchar(20) NOT NULL, PRIMARY KEY (email) );
CREATE TABLE transport ( domain varchar(128) NOT NULL default '', transport varchar(128) NOT NULL default '', UNIQUE KEY domain (domain) );
quit
```
Configuring Postfix and connecting it to MariaDB
Because I did not have the database listening on 127.0.0.1, I wanted Postfix to connect to MariaDB directly over a Unix socket, so this differs slightly from the Linode tutorial: I use localhost. It does not seem possible to put the socket's file name here directly, because Postfix runs in a chroot environment (corrections welcome). Also remember to replace the database user name and password.
```
# /etc/postfix/mysql-virtual_domains.cf
user = mail_admin
password = mail_admin_password
dbname = mail
query = SELECT domain AS virtual FROM domains WHERE domain='%s'
hosts = localhost
```

```
# /etc/postfix/mysql-virtual_forwardings.cf
user = mail_admin
password = mail_admin_password
dbname = mail
query = SELECT destination FROM forwardings WHERE source='%s'
hosts = localhost
```

```
# /etc/postfix/mysql-virtual_mailboxes.cf
user = mail_admin
password = mail_admin_password
dbname = mail
query = SELECT CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',SUBSTRING_INDEX(email,'@',1),'/') FROM users WHERE email='%s'
hosts = localhost
```

```
# /etc/postfix/mysql-virtual_email2email.cf
user = mail_admin
password = mail_admin_password
dbname = mail
query = SELECT email FROM users WHERE email='%s'
hosts = localhost
```
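To see what the schema above and the four map queries actually decide for an incoming recipient, here is an added example (my code, not from the post or the Linode article) that runs the queries unchanged against an in-memory SQLite copy of the tables, with MySQL's CONCAT and SUBSTRING_INDEX emulated in Python. The sample rows, the example.org domain and the lookup order in `resolve` are my assumptions; it is useful for confirming which addresses the server will accept before exposing port 25.

```python
"""Replay the Postfix recipient lookups from this post's four mysql-virtual_*.cf
files against an in-memory SQLite copy of the 'mail' database."""
import sqlite3

# The queries exactly as in the map files; Postfix substitutes the lookup key for %s,
# here a '?' parameter does the same job.
Q_DOMAINS = "SELECT domain AS virtual FROM domains WHERE domain=?"
Q_FORWARDINGS = "SELECT destination FROM forwardings WHERE source=?"
Q_MAILBOXES = ("SELECT CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',"
               "SUBSTRING_INDEX(email,'@',1),'/') FROM users WHERE email=?")
Q_EMAIL2EMAIL = "SELECT email FROM users WHERE email=?"

def substring_index(s, delim, count):
    """MySQL SUBSTRING_INDEX: count>0 keeps the text before the count-th delimiter
    from the left; count<0 keeps the text after the |count|-th delimiter from the right."""
    parts = s.split(delim)
    return delim.join(parts[:count] if count > 0 else parts[count:])

def open_mail_db():
    """Stand-in for the MariaDB 'mail' database, with the two MySQL functions the
    mailbox query uses registered so the page's queries run unchanged."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("SUBSTRING_INDEX", 3, substring_index)
    conn.create_function("CONCAT", -1, lambda *args: "".join(args))
    conn.executescript("""
        CREATE TABLE domains (domain varchar(50) NOT NULL, PRIMARY KEY (domain));
        CREATE TABLE forwardings (source varchar(80) NOT NULL, destination TEXT NOT NULL, PRIMARY KEY (source));
        CREATE TABLE users (email varchar(80) NOT NULL, password varchar(20) NOT NULL, PRIMARY KEY (email));
        -- constructed sample rows (the password column holds a placeholder, not a real hash)
        INSERT INTO domains VALUES ('example.org');
        INSERT INTO users VALUES ('alice@example.org', 'CRYPT-HASH-PLACEHOLDER');
        INSERT INTO forwardings VALUES ('shop-a@example.org', 'alice@example.org');
    """)
    return conn

def resolve(conn, rcpt):
    """Decide a RCPT TO address in Postfix's order: is the domain ours (virtual_mailbox_domains,
    otherwise reject_unauth_destination fires), then the virtual_alias_maps chain (forwardings,
    then the email2email identity map), then virtual_mailbox_maps. Full-address keys only."""
    one = lambda query, key: conn.execute(query, (key,)).fetchone()
    if not one(Q_DOMAINS, rcpt.rpartition("@")[2]):
        return ("reject", "554 Relay access denied")
    fwd = one(Q_FORWARDINGS, rcpt)
    if fwd:   # alias expansion: mail goes to each listed destination instead
        return ("forward", [d.strip() for d in fwd[0].split(",")])
    if not one(Q_EMAIL2EMAIL, rcpt):
        return ("reject", "550 User unknown in virtual mailbox table")
    # The map result only validates the recipient; delivery goes via the dovecot transport.
    return ("deliver", "/home/vmail/" + one(Q_MAILBOXES, rcpt)[0])
```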
Set the permissions and create the user; if UID/GID 5000 is already taken, use another one (I found the Linode article's handling of permissions very thorough).
```sh
chmod o= /etc/postfix/mysql-virtual_*.cf
chgrp postfix /etc/postfix/mysql-virtual_*.cf
groupadd -g 5000 vmail
useradd -g vmail -u 5000 vmail -d /home/vmail -m
```
Add the settings to Postfix. The Linode article includes some extra entries that produce the following errors, because the current version of Postfix has dropped these settings; remove them:
```
postfix: /usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postfix: /usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: virtual_create_maildirsize=yes
postfix: /usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: virtual_maildir_extended=yes
```
Also, smtpd_tls_cert_file and smtpd_tls_key_file must not have a less-than sign (<) on the right-hand side of the equals sign. Mail is important, and there is no UI that lets you spot phishing at a glance, so just buy an SSL certificate: it prevents eavesdropping, and many clients support it automatically.
```
# note: the certificate on the server must be issued for this hostname
myhostname = proxy.ink.moe
mynetworks = 127.0.0.0/8
message_size_limit = 512000000
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /home/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_authenticated_header = yes
# which mail to accept
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
# enable smtps
smtpd_use_tls = yes
# certificate location
smtpd_tls_cert_file = /etc/ssl/certs/proxy.ink.moe.2015.crt
# private key location
smtpd_tls_key_file = /etc/ssl/private/proxy.ink.moe.2015.key
# settings the Linode article has, redundant here
#virtual_create_maildirsize = yes
#virtual_maildir_extended = yes
# where recipient addresses are read from
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_maps
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
# SMTPS settings
smtpd_tls_security_level = may
tls_random_source = dev:/dev/urandom
#smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_security_level = may
smtpd_tls_received_header = yes
smtp_tls_loglevel = 1
```

Note that Postfix only treats a line that starts with # as a comment; a # after a value becomes part of the value, so the annotations above are on their own lines.
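The three main.cf mistakes described in this section (dropped parameters, a Dovecot-style `<` in front of the certificate path, and a comment after a value) are easy to catch mechanically. This is an added example linter of mine, not part of the post; the sample main.cf it checks is constructed and deliberately contains all three.

```python
"""Lint a Postfix main.cf for the pitfalls this post describes."""

# Parameters Postfix 2.10 no longer knows (the postconf warnings quoted above).
REMOVED_PARAMS = {"virtual_create_maildirsize", "virtual_maildir_extended", "virtual_mailbox_limit_maps"}
# Dovecot reads "</path" as "load this file"; Postfix takes the '<' literally.
FILE_PARAMS = {"smtpd_tls_cert_file", "smtpd_tls_key_file"}

def parse_main_cf(text):
    """Parse like Postfix: '#' comments out a whole line only, and a line that
    starts with whitespace continues the previous logical line.
    Returns ({name: value}, [finding, ...])."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                            # blank or whole-line comment
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()    # continuation line
        else:
            logical.append(raw.rstrip())
    params, findings = {}, []
    for line in logical:
        name, sep, value = line.partition("=")
        if not sep:
            continue                            # not a parameter assignment
        name, value = name.strip(), value.strip()
        params[name] = value
        if "#" in value:                        # the "comment" is part of the value
            findings.append(f"{name}: '#' inside a value is not a comment; "
                            f"Postfix sets it to {value!r}")
        if name in FILE_PARAMS and value.startswith("<"):
            findings.append(f"{name}: leading '<' is Dovecot syntax; Postfix "
                            f"will look for a file literally named {value!r}")
        if name in REMOVED_PARAMS:
            findings.append(f"{name}: unused/undefined in Postfix 2.10 (postconf warns)")
    return params, findings

# Constructed sample reproducing the mistakes called out in the post.
SAMPLE_MAIN_CF = """\
myhostname = proxy.ink.moe #certificate must be issued for this name
smtpd_tls_cert_file = </etc/ssl/certs/proxy.ink.moe.2015.crt
smtpd_tls_key_file = /etc/ssl/private/proxy.ink.moe.2015.key
virtual_create_maildirsize = yes
proxy_read_maps = $local_recipient_maps $mydestination
    $virtual_alias_maps $virtual_mailbox_maps
"""

if __name__ == "__main__":
    for finding in parse_main_cf(SAMPLE_MAIN_CF)[1]:
        print("WARN", finding)
```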
Set the listening IP addresses and IPv4/IPv6 in Postfix's inet_interfaces and inet_protocols.
```
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
```
This part (master.cf) handles processes and ports, I believe: it enables the dovecot delivery transport and smtps.
Configuring Dovecot and connecting it to MariaDB
Both dovecot and postfix can dump a fresh copy of their configuration with a command, so don't worry. I am using Dovecot v2.2.10; Dovecot versions also differ a great deal, so keep that in mind when googling problems. Again, replace the IP addresses, SSL certificate, postmaster address and user permissions.
```
protocols = imap
# replace with your own IPv4 and IPv6 addresses
listen = YOUR.IP.ADDRESS, xxxx:xxxx::xxxx:xxxx:xxxx:xxxx
log_timestamp = "%Y-%m-%d %H:%M:%S "
# the mail directory
mail_location = maildir:/home/vmail/%d/%n/Maildir
ssl = required
# cipher suites the certificate supports
ssl_cipher_list = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
# certificate (public key)
ssl_cert = </etc/ssl/certs/proxy.ink.moe.2015.crt
# certificate private key
ssl_key = </etc/ssl/private/proxy.ink.moe.2015.key
service imap-login {
  inet_listener imap {
    # zero: do not listen for unencrypted imap
    port = 0
  }
  inet_listener imaps {
    # listen for encrypted imaps
    port = 993
  }
}
namespace {
  type = private
  separator = .
  prefix = INBOX.
  inbox = yes
}
service auth {
  unix_listener auth-master {
    mode = 0600
    user = vmail
  }
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
  user = root
}
service auth-worker {
  user = root
}
protocol lda {
  # log deliveries
  log_path = /home/vmail/dovecot-deliver.log
  auth_socket_path = /var/run/dovecot/auth-master
  postmaster_address = postmaster@masterchan.me
}
protocol pop3 {
  pop3_uidl_format = %08Xu%08Xv
}
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
  driver = static
  args = uid=5000 gid=5000 home=/home/vmail/%d/%n allow_all_users=yes
}
```
```
driver = mysql
connect = host=/var/lib/mysql/mysql.sock dbname=mail user=mail_admin password=mail_admin_password
default_pass_scheme = CRYPT
password_query = SELECT email as user, password FROM users WHERE email='%u';
```
Without a chroot you can access the socket directly. Then adjust the permissions:
```sh
chgrp dovecot /etc/dovecot/dovecot-sql.conf.ext
chmod o= /etc/dovecot/dovecot-sql.conf.ext
```
Tuning and testing
By the time you have completed the steps above you will no doubt have restarted these services many times; the main things to watch are /var/log/messages and /var/log/maillog.
Tools you can use include telnet:
```sh
telnet localhost 25
ehlo localhost
```
and openssl; when you find the handshake failing, try this. (At the time there was no response at all, not even a rejection message. I fixed the firewall and it still did not work; it turned out the certificate's permissions were wrong, so it could not be read and the handshake failed, and there was nothing about it in the messages log either.)
```sh
openssl s_client -connect localhost:465
openssl s_client -connect localhost:993
```
poi~