CentOS7虚拟账号邮件服务器构建方法

 

生命在于折腾,最近由于工作需要,自己成功实践了Postfix+Dovecot+MariaDB+CentOS7 实现了包含虚拟账号的邮件服务器的构建。最终设置是支持  SMTP+SMTPs+IMAPs ,支持邮箱转发,以后可以在不同的地方使用不同的电子邮件地址,那样就可以知道谁泄露了自己电子邮箱了。

 

 

参考文章

这里我并不打算叙述主要的安装过程,因为我的服务器上面已经装好了Dovecot Postfix 还有Mariadb了,所以对于我来说,最重要的就是设置了。我主要参考了Linode的一篇文章

 

Email with Postfix, Dovecot and MariaDB on CentOS 7
https://www.linode.com/docs/email/postfix/email-with-postfix-dovecot-and-mariadb-on-centos-7

 

里面叙述得非常详细。这里主要记录文章的坑。

 

还有可能需要用到端口地址的列表

http://zh.wikipedia.org/wiki/TCP/UDP端口列表

 

 

 

安装Postfix

值得注意的是CentOS当前版本的Postfix不能支持MariaDB所以要使用centosplus的repo。与此同时,我们应当禁用postfix使用CentOS Base进行更新。我安装完成后postfix的版本是2.10.1 。Postfix个个版本在设置方便区别比较大,因此看文档的时候应该知道自己使用的软件的版本号,并注意操作上的区别。

[base]
name=CentOS-$releasever - Base
exclude=postfix

#released updates
[updates]
name=CentOS-$releasever - Updates
exclude=postfix

 

yum --enablerepo=centosplus install postfix
yum install dovecot mariadb-server dovecot-mysql

 

 

 

在数据库中设置虚拟域名及邮箱用户

因为我已经装好数据库了,所以就只需要新建用户并且创建表格就行了,注意替换掉 mail_admin_password还有mail_admin

 

CREATE DATABASE mail;
USE mail;
GRANT SELECT, INSERT, UPDATE, DELETE ON mail.* TO 'mail_admin'@'localhost' IDENTIFIED BY 'mail_admin_password';
GRANT SELECT, INSERT, UPDATE, DELETE ON mail.* TO 'mail_admin'@'localhost.localdomain' IDENTIFIED BY 'mail_admin_password';
FLUSH PRIVILEGES;
CREATE TABLE domains (domain varchar(50) NOT NULL, PRIMARY KEY (domain) );
CREATE TABLE forwardings (source varchar(80) NOT NULL, destination TEXT NOT NULL, PRIMARY KEY (source) );
CREATE TABLE users (email varchar(80) NOT NULL, password varchar(20) NOT NULL, PRIMARY KEY (email) );
CREATE TABLE transport ( domain varchar(128) NOT NULL default '', transport varchar(128) NOT NULL default '', UNIQUE KEY domain (domain) );
quit

 

 

 

 

设置Postfix并连接到MariaDB

由于我并没有让数据库监听127.0.0.1,我希望postfix通过unix直接连接mariaDB,因此这里跟Linode的教程有点区别,采用localhost。似乎不能够直接在这里放文件名,因为postfix运行在一个chroot的环境下(如有错误欢迎指出)。另外注意替换掉数据库的用户名和密码。

 

user = mail_admin
password = mail_admin_password
dbname = mail
query = SELECT domain AS virtual FROM domains WHERE domain='%s'
hosts = localhost
user = mail_admin
password = mail_admin_password
dbname = mail
query = SELECT destination FROM forwardings WHERE source='%s'
hosts = localhost
user = mail_admin
password = mail_admin_password
dbname = mail
query = SELECT CONCAT(SUBSTRING_INDEX(email,<'@'>,-1),'/',SUBSTRING_INDEX(email,<'@'>,1),'/') FROM users WHERE email='%s'
hosts = localhost
user = mail_admin
password = mail_admin_password
dbname = mail
query = SELECT email FROM users WHERE email='%s'
hosts = localhost

 

 

设置权限创建用户,如果5000已经被占用了,就要改其他(发现Linode的这篇文章对于权限的管理非常到位)

chmod o= /etc/postfix/mysql-virtual_*.cf
chgrp postfix /etc/postfix/mysql-virtual_*.cf

groupadd -g 5000 vmail
useradd -g vmail -u 5000 vmail -d /home/vmail -m

 

 

往postfix里面添加设置。这里Linode的文章多加了一些东西,会导致出现这样的错误,因为当前版本的postfix已经取消了这些设置了,因此将其删除

postfix: /usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postfix: /usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: virtual_create_maildirsize=yes
postfix: /usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: virtual_maildir_extended=yes

 

 

另外smtpd_tls_cert_file和smtpd_tls_key_file 在等号右边不应该有小于号(<)。邮件这样重要的,没有UI不能够直接通过界面判断钓鱼的,还是买个SSL吧,可以防止监听很多客户端都自动支持。

myhostname = proxy.ink.moe #注意 服务器上面的证书应该以这个地址出现
mynetworks = 127.0.0.0/8
message_size_limit = 512000000
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /home/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination #收什么邮件
smtpd_use_tls = yes #开启smtps
smtpd_tls_cert_file = /etc/ssl/certs/proxy.ink.moe.2015.crt #证书位置
smtpd_tls_key_file = /etc/ssl/private/proxy.ink.moe.2015.key #密钥位置
#virtual_create_maildirsize = yes #Linode写有的配置,多余的
#virtual_maildir_extended = yes #同上
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_maps #在哪里读取收信人地址
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

#SMTPs的配置
smtpd_tls_security_level = may
tls_random_source = dev:/dev/urandom
#smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_security_level = may
smtpd_tls_received_header = yes
smtp_tls_loglevel = 1

 

在postfix的inet_interfacesinet_protocols设置监听的IP地址和ipv4/ipv6

dovecot   unix  -       n       n       -       -       pipe
    flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}

smtps inet n - n - - smtpd
 -o smtpd_tls_wrappermode=yes

这个是进程管理还有端口吧,开启与dovecot的控制还有smtps

 

 

 

设置Dovecot并连接到MariaDB

dovecot和postfix 都可以通过命令获取一份新的配置,所以不用担心。我使用的是Dovecot v2.2.10,Dovecot各个版本的区别也是很大的,上网Google 问题的时候也要注意一下的说。同样,替换掉IP地址、SSL证书、邮箱管理员地址、用户的权限。

 

protocols = imap
listen = 你的IP地址, xxxx:xxxx::xxxx:xxxx:xxxx:xxxx

log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_location = maildir:/home/vmail/%d/%n/Maildir邮件的目录

ssl = required
ssl_cipher_list = 证书支持的加密方式ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4

ssl_cert = </etc/ssl/certs/proxy.ink.moe.2015.crt证书公钥
ssl_key = </etc/ssl/private/proxy.ink.moe.2015.key证书私钥

service imap-login {
  inet_listener imap {
    port = 0    设置为零不监听没加密的imap
  }
  inet_listener imaps {
    port = 993  监听加密的imaps
  }
}

namespace {
    type = private
    separator = .
    prefix = INBOX.
    inbox = yes
}

service auth {
    unix_listener auth-master {
        mode = 0600
        user = vmail
    }

    unix_listener /var/spool/postfix/private/auth {
        mode = 0666
        user = postfix
        group = postfix
    }

user = root
}

service auth-worker {
    user = root
}

protocol lda {
    log_path = /home/vmail/dovecot-deliver.log记录送信
    auth_socket_path = /var/run/dovecot/auth-master
    postmaster_address = postmaster@masterchan.me
}

protocol pop3 {
    pop3_uidl_format = %08Xu%08Xv
}

passdb {
    driver = sql
    args = /etc/dovecot/dovecot-sql.conf.ext
}

userdb {
    driver = static
    args = uid=5000 gid=5000 home=/home/vmail/%d/%n allow_all_users=yes
}

 

driver = mysql
connect = host=/var/lib/mysql/mysql.sock dbname=mail user=mail_admin password=mail_admin_password
default_pass_scheme = CRYPT
password_query = SELECT email as user, password FROM users WHERE email='%u';

 

如果没有chroot 可以直接访问sock,然后调整权限

chgrp dovecot /etc/dovecot/dovecot-sql.conf.ext
chmod o= /etc/dovecot/dovecot-sql.conf.ext

 

调整与测试

完成以上步骤的时候相信你已经restart了这些service很多次了,主要要留意的是 /var/log/message 和 /var/log/maillog

可以使用的工具有 telnet

telnet localhost 25
ehlo localhost

 

 

还有 openssl当发现握手失败的时候可以尝试这个(当时没有任何响应,甚至没有拒绝消息,修好了防火墙,还是不行,原来是证书权限不对,读不了然后握手失败,message 里面也没有log)

openssl s_client -connect localhost:465
openssl s_client -connect localhost:993

 

poi~

 

 

 

 

 

 

这篇博文发表在 服务器开发 目录下,标签为 , , , , ,
版权所有,请勿转载。如需引用,请使用链接:https://note.masterchan.me/?p=672
 

您的邮箱地址不会被公开,评论使用Gravatar头像。
Your email address will not be published. This blog is using Gravatar.

正在提交评论...
正在为您准备评论控件