Introduction
I had wanted to look into mail servers for a long time, but until now I never got around to it and could not find the right information, so I decided to write as detailed a write-up as I could. It covers not only postfix, dovecot, mysql and postfixadmin, but also spamassassin, clamav-milter (the clamav build meant for mail servers), postgrey, and moving spam into the Spam folder (dovecot-pigeonhole).
Preparation
First we install the packages needed for the job (postfix, dovecot and dovecot-pigeonhole have to be built from ports; dovecot-sieve could in principle come from packages, but ports carry newer versions, so dovecot and dovecot-sieve are both built from ports so that they match). Install the following packages:
pkg install apache24 php73 mod_php73 php73-extensions php73-mysqli php73-mbstring php73-openssl clamav-milter postgrey spamassassin mysql57-server openssl wget
After installation, enable the required services at boot:
# enable postfix, dovecot and the supporting services
sysrc postfix_enable="YES"
sysrc dovecot_enable="YES"
sysrc mysql_enable="YES"
sysrc apache24_enable="YES"
sysrc spamd_flags="-u spamd -H /var/spool/spamd"
sysrc spamd_enable="YES"
sysrc postgrey_enable="YES"
sysrc clamav_clamd_enable="YES"
sysrc clamav_milter_enable="YES"
sysrc clamav_freshclam_enable="YES"
# freshclam checks for signature updates 12 times a day
sysrc clamav_freshclam_flags="--daemon --checks=12"
Start the services:
service apache24 start
service mysql-server start
# spamassassin: fetch and compile the rules before the first start
sa-update
sa-compile
service sa-spamd start
# clamav: download the signatures before starting the daemons
freshclam
service clamav-clamd start
service clamav-freshclam start
service clamav-milter start
# postgrey: in its rc script (/usr/local/etc/rc.d/postgrey), enable automatic
# whitelisting of clients after 4 successful deliveries by replacing the line
#   : ${postgrey_flags:=--inet=10023}
# with
#   : ${postgrey_flags:=--inet=10023 --auto-whitelist-clients=4}
service postgrey start
Don't forget to add to httpd.conf the lines that make php work under apache and that postfixadmin needs:
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch "\.phps$">
    SetHandler application/x-httpd-php-source
</FilesMatch>
<IfModule dir_module>
    DirectoryIndex index.php
</IfModule>
# postfixadmin's public directory is served as the document root
DocumentRoot "/usr/local/www/apache24/data/postfixadmin-3.2/public"
Next, change to the web directory and download postfixadmin:
cd /usr/local/www/apache24/data
Download postfixadmin (version 3.2 was current at the time of writing):
wget --no-check-certificate https://sourceforge.net/projects/postfixadmin/files/postfixadmin/postfixadmin-3.2/postfixadmin-3.2.tar.gz
Then unpack the archive into this directory and change the owner of the directory:
gzip -d postfixadmin-3.2.tar.gz
tar -xvf postfixadmin-3.2.tar
chown -R www:www /usr/local/www/apache24/data
service apache24 restart
Next, prepare the database for postfixadmin. Run the mysql_secure_installation script for the initial mysql setup (the password you choose there must then be set in mysql with the alter user command), then open the mysql shell, create the database and grant privileges on it:
mysql -u root -p
alter user 'root'@'localhost' identified by 'password123';
create database postfix;
grant all privileges on postfix.* to 'postfix'@'localhost' identified by 'password123';
exit
After the database is set up, edit config.inc.php; in this example it lives in /usr/local/www/apache24/data/postfixadmin-3.2/. A few lines in this file need to be changed (restart apache after changing the settings). You also need to create the templates_c directory inside /usr/local/www/apache24/data/postfixadmin-3.2 and make www its owner:
mkdir /usr/local/www/apache24/data/postfixadmin-3.2/templates_c
chown -R www:www /usr/local/www/apache24/data/postfixadmin-3.2/templates_c
The lines to edit in config.inc.php:
$CONF['configured'] = true;
# hash of the setup password, generated by postfixadmin's setup.php page
$CONF['setup_password'] = 'dd28fb2139a3bca426f02f60e6877fd5:13d2703c477b0ab85858e3ac5e076a0a7a477315';
$CONF['default_language'] = 'ru';
$CONF['database_type'] = 'mysqli';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'postfix';
# password of the postfix database user created above
$CONF['database_password'] = 'password123';
$CONF['database_name'] = 'postfix';
Then restart apache:
service apache24 restart
SSL
To generate the keys we use the method suggested on postfix.org and create our own certificate authority. Change to the /etc/ssl directory and run the script:
cd /etc/ssl
/usr/local/openssl/misc/CA.pl -newca
While the script runs it asks for a certificate file name; enter nothing and press Enter, after which the script asks you to set a password (for the CA key), followed by the usual certificate questions.
Next, create a private key (without a password) and an unsigned certificate request for it (the Organizational Unit Name (eg, section) [] must differ from the one given in the CA certificate created above):
openssl req -new -newkey rsa:4096 -nodes -keyout foo-key.pem -out foo-req.pem
Sign the certificate request (set the number of days you need):
openssl ca -out foo-cert.pem -days 365 -infiles foo-req.pem
Leave the created certificates in this directory or move them somewhere more convenient; the postfix and dovecot configs below assume that the certificates stay in this directory.
The vmail user
Before installing postfix, dovecot and dovecot-pigeonhole we create the vmail user and group (the group is created automatically) and the directory that will hold the mail.
pw useradd -n vmail -s /usr/sbin/nologin -u 1000 -d /var/vmail
Create the mail directory and make vmail its owner:
mkdir /var/vmail
chown -R vmail:vmail /var/vmail
chmod -R 744 /var/vmail
Postfix, Dovecot, Dovecot Pigeonhole
As I wrote earlier, we build these from ports. Run the command that downloads and extracts the ports tree:
portsnap fetch extract
Once the ports tree is extracted, change to the dovecot directory, configure the port (make sure mysql support is enabled) and build it (BATCH=yes tells make not to ask questions during installation):
cd /usr/ports/mail/dovecot
make config
make BATCH=yes install clean
Do the same for postfix and dovecot-pigeonhole.
Pigeonhole:
cd /usr/ports/mail/dovecot-pigeonhole
make BATCH=yes install clean
Postfix (again check that mysql support is enabled in the port options):
cd /usr/ports/mail/postfix-sasl
make config
make BATCH=yes install clean
Before starting dovecot, copy the example configs:
cp -R /usr/local/etc/dovecot/example-config/* /usr/local/etc/dovecot
After installing postfix and dovecot, start the services:
service postfix start
service dovecot start
You also need a directory in which the script that files spam into the Spam folder will be compiled; in my case it is in /usr/local/etc/dovecot/conf.d and is named def. Create the directory and the file that will hold the script, and make vmail the owner of the directory:
mkdir /usr/local/etc/dovecot/conf.d/def
touch /usr/local/etc/dovecot/conf.d/def/default.sieve
chown -R vmail:vmail /usr/local/etc/dovecot/conf.d/def
chmod -R 744 /usr/local/etc/dovecot/conf.d/def
Put these lines in the file:
require "fileinto";
if header :contains "X-Spam-Flag" "YES" {
    fileinto "Junk";
}
Configs
In this section I give the configs with comments. The only one I am unsure about is the spamassassin config, because I did not find a proper description on the net (I left it mostly at the defaults); please write in the comments how spamassassin is best configured.
Postfix
First, create the files from which postfix will look up users, domains and quotas in the database. Create a directory for them and the files themselves:
mkdir /usr/local/etc/postfix/mysql
touch /usr/local/etc/postfix/mysql/relay_domains.cf
touch /usr/local/etc/postfix/mysql/virtual_alias_maps.cf
touch /usr/local/etc/postfix/mysql/virtual_alias_domain_maps.cf
touch /usr/local/etc/postfix/mysql/virtual_mailbox_maps.cf
The contents of these files are:
relay_domains.cf
hosts = 127.0.0.1
user = postfix
password = password123
dbname = postfix
query = SELECT domain FROM domain WHERE domain='%s' and backupmx = '1'
virtual_alias_maps.cf
hosts = 127.0.0.1
user = postfix
password = password123
dbname = postfix
query = SELECT goto FROM alias WHERE address='%s' AND active ='1'
virtual_alias_domain_maps.cf
hosts = 127.0.0.1
user = postfix
password = password123
dbname = postfix
query = SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' and alias.address = CONCAT('%u', '@', alias_domain.target_domain) AND alias.active = '1'
virtual_mailbox_maps.cf
hosts = 127.0.0.1
user = postfix
password = password123
dbname = postfix
query = SELECT maildir FROM mailbox WHERE username='%s' AND active = '1'
master.cf
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
# ==========================================================================
# delivery to dovecot through its LDA (deliver)
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver -f ${sender} -d ${recipient}
# port 25: SASL enabled, all mail is passed through spamassassin
smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=spamassassin
  -o smtpd_sasl_auth_enable=yes
# port 587 (submission) with SASL
submission inet n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
# port 465 (smtps): SASL over implicit TLS
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_wrappermode=yes
# spamassassin filter: spamc tags the message and hands it to dovecot's LDA
spamassassin unix -     n       n       -       -       pipe
  flags=DROhu user=vmail:vmail argv=/usr/local/bin/spamc -f -e /usr/local/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
#628       inet  n       -       n       -       -       qmqpd
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
        -o syslog_name=postfix/$service_name
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
postlog   unix-dgram n  -       n       -       1       postlogd
main.cf
# deliver local mail through the dovecot service defined in master.cf
local_transport = dovecot
# drop sessions from HTTP proxies that send web verbs to the SMTP port
# (this is also the Postfix default)
smtpd_forbidden_commands = CONNECT GET POST
# evaluate the restrictions at RCPT TO, so rejects are logged with sender and recipient
smtpd_delay_reject = yes
# require HELO/EHLO before MAIL FROM
smtpd_helo_required = yes
# do not let anyone probe for valid addresses with VRFY
disable_vrfy_command = yes
# accept the non-standard AUTH syntax of old Outlook/Outlook Express clients
broken_sasl_auth_clients = yes
# forbid anonymous and weak SASL mechanisms
smtpd_sasl_security_options = noanonymous, noactive, nodictionary
smtp_sasl_security_options = noanonymous, noactive, nodictionary
# authenticate through dovecot (instead of cyrus)
smtpd_sasl_type = dovecot
smtp_sasl_type = dovecot
# socket created by dovecot's auth service inside the postfix spool
smtpd_sasl_path = private/auth
# valid local recipients come from the virtual maps below
local_recipient_maps = $virtual_mailbox_maps $virtual_alias_maps
# reject unknown recipients at RCPT TO instead of bouncing later
smtpd_reject_unlisted_recipient = yes
# maximum message size (10 MB)
message_size_limit = 10485760
# hand one recipient at a time to the spamassassin transport
spamassassin_destination_recipient_limit = 1
# milter settings: accept mail if the milter is unreachable
milter_default_action = accept
milter_protocol = 2
# clamav-milter socket
smtpd_milters = unix:/var/run/clamav/clmilter.sock
non_smtpd_milters = unix:/var/run/clamav/clmilter.sock
# MySQL lookup tables (postfixadmin database); only $mydomain is handled here,
# through mydestination, so additional postfixadmin domains would also need
# virtual_mailbox_domains
relay_domains = mysql:/usr/local/etc/postfix/mysql/relay_domains.cf
virtual_alias_maps = mysql:/usr/local/etc/postfix/mysql/virtual_alias_maps.cf,
    mysql:/usr/local/etc/postfix/mysql/virtual_alias_domain_maps.cf
virtual_mailbox_maps = mysql:/usr/local/etc/postfix/mysql/virtual_mailbox_maps.cf
# HELO restrictions
smtpd_helo_restrictions = permit_sasl_authenticated,
    reject_non_fqdn_helo_hostname,
    reject_invalid_hostname
# DATA restrictions
smtpd_data_restrictions = permit_sasl_authenticated,
    reject_unauth_pipelining,
    reject_multi_recipient_bounce
# MAIL FROM restrictions (the two *_login_mismatch checks only take effect
# once smtpd_sender_login_maps is set)
smtpd_sender_restrictions = permit_sasl_authenticated,
    reject_sender_login_mismatch,
    reject_unauthenticated_sender_login_mismatch,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain
# RCPT TO restrictions (check_policy_service inet:127.0.0.1:10023 is postgrey)
smtpd_recipient_restrictions = permit_sasl_authenticated,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_multi_recipient_bounce,
    reject_unknown_client_hostname,
    reject_unauth_destination,
    check_policy_service inet:127.0.0.1:10023
# mail storage
virtual_mailbox_base = /var/vmail
# uid and gid of the vmail user
virtual_minimum_uid = 1000
virtual_uid_maps = static:1000
virtual_gid_maps = static:1000
# virtual domains are delivered through the dovecot service from master.cf
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
# outbound TLS
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
# encrypt: TLS is mandatory (delivery to servers without TLS fails);
# may: use TLS when offered, plaintext otherwise
smtp_tls_security_level = encrypt
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtp_tls_CAfile = /etc/ssl/demoCA/cacert.pem
smtp_tls_key_file = /etc/ssl/foo-key.pem
smtp_tls_cert_file = /etc/ssl/foo-cert.pem
smtp_tls_session_cache_timeout = 3600s
# allow only TLS 1.2 and newer
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_loglevel = 1
# inbound TLS (encrypt/may have the same meaning as above; encrypt on port 25
# refuses mail from servers that do not offer TLS)
smtpd_tls_security_level = encrypt
smtpd_use_tls = yes
# offer AUTH only inside an encrypted session
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache
smtpd_tls_key_file = /etc/ssl/foo-key.pem
smtpd_tls_cert_file = /etc/ssl/foo-cert.pem
smtpd_tls_CAfile = /etc/ssl/demoCA/cacert.pem
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
# entropy source for the TLS engine
tls_random_source = dev:/dev/urandom
# use the Postfix 3.x defaults (no backwards-compatibility warnings)
compatibility_level = 2
# do not turn permanent delivery errors into temporary ones
soft_bounce = no
# UNIX account that owns the postfix queue
mail_owner = postfix
# host and domain names
myhostname = $mydomain
mydomain = virusslayer.su
myorigin = $myhostname
# listen on all interfaces
inet_interfaces = all
# domains delivered locally
mydestination = $mydomain, localhost, localhost.$mydomain
# reply code for unknown local recipients
unknown_local_recipient_reject_code = 550
# trust only this host; nobody relays without authentication
mynetworks_style = host
mynetworks =
# IPv4 only
inet_protocols = ipv4
# aliases for local system accounts (root, postmaster and so on)
alias_maps = hash:/etc/mail/aliases
alias_database = hash:/etc/mail/aliases
# SMTP greeting banner
smtpd_banner = $myhostname ESMTP $mail_name
# verbose logging for the peers in debug_peer_list
# (add the hosts you are debugging here, e.g. yandex.ru, gmail.com, mail.ru)
debug_peer_level = 2
debug_peer_list = 127.0.0.1
# debugger invoked with "postfix -D"
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5
# sendmail-compatible commands
sendmail_path = /usr/local/sbin/sendmail
mailq_path = /usr/local/bin/mailq
setgid_group = maildrop
# install paths of the FreeBSD postfix port
html_directory = /usr/local/share/doc/postfix
manpage_directory = /usr/local/man
sample_directory = /usr/local/etc/postfix
readme_directory = /usr/local/share/doc/postfix
meta_directory = /usr/local/libexec/postfix
shlib_directory = /usr/local/lib/postfix
queue_directory = /var/spool/postfix
command_directory = /usr/local/sbin
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
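A quick offline check of the main.cf settings that matter most for abuse resistance, added here as an example and not part of the original article. The script reads simple "key = value" lines (no multi-line continuations, which the file above uses only for restriction lists), takes the last definition of a key as Postfix does, and flags a weak mynetworks, AUTH offered over plaintext, VRFY left enabled, and TLS protocol lists that do not exclude the legacy versions. The constructed fragment deliberately contains smtp_tls_protocols=!TLSv1.2, a value that disables TLS 1.2 itself rather than the old versions and is an easy slip when writing these lists by hand. The function names (cf_get, cf_protocols_ok, audit_main_cf, write_sample_main_cf) are mine, not Postfix tooling.

```sh
#!/bin/sh
# Added example (not from the article): audit a Postfix main.cf for weak settings.
# Assumes single-line "key = value" entries and a POSIX sh with awk and mktemp.

# write_sample_main_cf FILE: constructed main.cf fragment used for the demo.
write_sample_main_cf() {
cat >"$1" <<'EOF'
# constructed sample, not a real server's config
smtpd_tls_security_level = encrypt
smtpd_tls_auth_only = yes
smtp_tls_protocols=!TLSv1.2
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
disable_vrfy_command = yes
mynetworks =
EOF
}

# cf_get FILE KEY: print the value of KEY (comments skipped, last definition wins).
cf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1)
            gsub(/[ \t]/, "", k)
            if (k != key) next
            v = substr($0, eq + 1)
            sub(/^[ \t]+/, "", v)
            sub(/[ \t]+$/, "", v)
            val = v
        }
        END { print val }' "$1"
}

# cf_protocols_ok FILE KEY: succeed only if the protocol list for KEY excludes
# SSLv2, SSLv3, TLSv1 and TLSv1.1 and does not exclude TLSv1.2 (an unset or
# empty list fails too, because the Postfix default still allows TLS 1.0).
cf_protocols_ok() {
    v=$(cf_get "$1" "$2" | tr ' ' ',')
    case "$v" in
        *'>=TLSv1.2'*) return 0 ;;   # Postfix 3.6+ range syntax is fine as well
        *'!TLSv1.2'*) return 1 ;;    # TLS 1.2 must not be excluded
    esac
    for old in '!SSLv2' '!SSLv3' '!TLSv1' '!TLSv1.1'; do
        case ",$v," in
            *"$old,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# audit_main_cf FILE: print one WARN line per finding; exit status = number of findings.
audit_main_cf() {
    f="$1"; findings=0
    for key in smtp_tls_protocols smtpd_tls_protocols; do
        if ! cf_protocols_ok "$f" "$key"; then
            echo "WARN $key='$(cf_get "$f" "$key")': should exclude SSLv2/3 and TLS 1.0/1.1, not TLS 1.2"
            findings=$((findings + 1))
        fi
    done
    [ "$(cf_get "$f" smtpd_tls_auth_only)" = yes ] || {
        echo "WARN smtpd_tls_auth_only is not yes: AUTH would be offered over plaintext"
        findings=$((findings + 1)); }
    [ "$(cf_get "$f" disable_vrfy_command)" = yes ] || {
        echo "WARN disable_vrfy_command is not yes: VRFY allows address harvesting"
        findings=$((findings + 1)); }
    case "$(cf_get "$f" mynetworks)" in
        *0.0.0.0/0*|*::/0*)
            echo "WARN mynetworks trusts every client: this is an open relay"
            findings=$((findings + 1)) ;;
    esac
    return $findings
}

# Demo run on the constructed fragment (prints one finding: smtp_tls_protocols).
tmp=$(mktemp)
write_sample_main_cf "$tmp"
audit_main_cf "$tmp" || echo "$? finding(s)"
rm -f "$tmp"
```

To check a live server, run audit_main_cf /usr/local/etc/postfix/main.cf; a zero exit status means none of the checks fired. The check does not replace postconf -n, which is the authoritative view of effective values, but it is convenient in a deployment script.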
Dovecot
dovecot.conf
# protocols served by dovecot
protocols = imap pop3
# listen on all IPv4 and IPv6 addresses
listen = *, ::
# quota dictionary backed by mysql
dict {
  quota = mysql:/usr/local/etc/dovecot/dovecot-dict-sql.conf.ext
}
# include the per-topic config files from conf.d
!include conf.d/*.conf
!include_try local.conf
dovecot-dict-sql.conf.ext
connect = host=127.0.0.1 dbname=postfix user=postfix password=password123
map {
  pattern = priv/quota/storage
  table = quota2
  username_field = username
  value_field = bytes
}
map {
  pattern = priv/quota/messages
  table = quota2
  username_field = username
  value_field = messages
}
dovecot-sql.conf.ext
# MySQL connection
driver = mysql
connect = host=127.0.0.1 dbname=postfix user=postfix password=password123
# password hash scheme of the postfixadmin mailbox table
default_pass_scheme = MD5
# user and password lookups in postfixadmin's mailbox table
user_query = SELECT '/var/vmail/%d/%n/' AS home, 'maildir:/var/vmail/%d/%n' AS mail, \
  1000 AS uid, 1000 AS gid, concat('*:bytes=',quota) AS quota_rule \
  FROM mailbox WHERE username = '%u' AND active = '1'
password_query = SELECT username AS user, password, '/var/vmail/%d/%n' AS userdb_home, \
  'maildir:/var/vmail/%d/%n' AS userdb_mail, 1000 AS userdb_uid, 1000 AS userdb_gid, \
  concat('*:bytes=',quota) AS userdb_quota_rule \
  FROM mailbox WHERE username = '%u' AND active = '1'
10-auth.conf
# no plaintext authentication without SSL
disable_plaintext_auth = yes
# realm appended to user names that carry no domain
auth_realms = virusslayer.su
auth_default_realm = virusslayer.su
# mechanisms offered to clients (plain and login are acceptable only because TLS is required)
auth_mechanisms = plain login
# user database: mysql (auth-sql.conf.ext); the other backends stay commented out
#!include auth-deny.conf.ext
#!include auth-master.conf.ext
#!include auth-system.conf.ext
!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
#!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext
10-mail.conf
# where the mail is stored
mail_location = maildir:/var/vmail/%d/%n
# the default namespace holds the INBOX
namespace inbox {
  inbox = yes
}
# uid and gid of the vmail user
mail_uid = 1000
mail_gid = 1000
# plugins loaded for all protocols (sieve is added for the LDA in 15-lda.conf)
mail_plugins = quota
10-master.conf
# listeners; the ones with ssl = yes use implicit TLS
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
# not started, because "submission" is not listed in protocols;
# port 587 is served by postfix's submission service instead
service submission-login {
  inet_listener submission {
    port = 587
  }
}
# authentication sockets (userdb lookups for vmail, smtp-auth for postfix)
service auth {
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
    group = vmail
  }
  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
}
# quota dictionary socket, accessed as vmail
service dict {
  unix_listener dict {
    mode = 0660
    user = vmail
    group = vmail
  }
}
10-ssl.conf
# clients must use TLS before they can authenticate
ssl = required
# certificate, key and CA created in the SSL section
ssl_cert = </etc/ssl/foo-cert.pem
ssl_key = </etc/ssl/foo-key.pem
ssl_ca = </etc/ssl/demoCA/cacert.pem
# allow only TLS 1.2 and newer
ssl_min_protocol = TLSv1.2
15-lda.conf
# when the quota is full, bounce the mail instead of returning a temporary failure
quota_full_tempfail = no
# subscribe the user to mailboxes the LDA creates (e.g. Junk)
lda_mailbox_autosubscribe = yes
protocol lda {
  # enable sieve (for the spam rule) and quota in the LDA
  mail_plugins = $mail_plugins sieve quota
}
90-plugin.conf
# the sieve script is compiled next to default.sieve, which is why the def
# directory was given to vmail (chown -R vmail:vmail)
plugin {
  #setting_name = value
  sieve = /usr/local/etc/dovecot/conf.d/def/default.sieve
}
auth-sql.conf.ext
# passwords and users come from mysql
passdb {
  driver = sql
  # Path for SQL configuration file, see example-config/dovecot-sql.conf.ext
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
}
userdb {
  driver = sql
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
}
Spamassassin
The spamassassin config looks like this, but something tells me it is not enough; please help with what should go into it:
local.cf
rewrite_header Subject *****SPAM*****
report_safe 0
required_score 5.0
use_bayes 1
bayes_auto_learn 1
ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
endif # Mail::SpamAssassin::Plugin::Shortcircuit
The filter also needs to be trained on mail with and without spam:
sa-learn --spam /path/spam/folder
sa-learn --ham /path/ham/folder
Optional
In this section I give the firewall settings, based on pf. Enable pf at boot and point it at the rules file:
sysrc pf_enable="YES"
sysrc pf_rules="/etc/0.pf"
Create the rules file:
ee /etc/0.pf
and add the rules:
# no filtering on the loopback interface
set skip on lo0
# mail and DNS ports, for sockets owned by dovecot, postfix or root
# (flags and modulate state are TCP-only options, so the inbound rule is split per protocol)
pass in quick proto tcp from any to any port { 53, 25, 465, 587, 110, 143, 993, 995 } user { dovecot, postfix, root } flags S/SA modulate state
pass in quick proto udp from any to any port { 53, 25, 465, 587, 110, 143, 993, 995 } user { dovecot, postfix, root } keep state
pass out quick proto { tcp, udp } from any to any port { 53, 25, 465, 587, 110, 143, 993, 995 } user { dovecot, postfix, root }
# anything root initiates may go out
pass out quick proto { tcp, udp } from any to any user root
# web (postfixadmin)
pass in quick proto tcp from any to any port 80 flags S/SA modulate state
# SSH
pass in quick proto tcp from any to any port 22 flags S/SA modulate state
# clamav and spamd need outbound access for signature and rule updates
pass out quick proto { tcp, udp } from any to any user { clamav, spamd }
# DNS and ICMP
pass out quick proto { tcp, udp } from any to any port = 53 keep state
pass out quick proto icmp from any to any
block from any to any fragment
block from any to any
block all
You can start pf with:
service pf start
Testing
To test all the possible connection types (STARTTLS, SSL) you can use the MyOffice Mail client for mobile devices (iOS in my case); it has many parameters for configuring the connection to the mail server.
To test spamassassin we use the GTUBE signature: add the following line to a message:
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
If everything is correct, the message is marked as spam and moved to the spam folder accordingly.
To test the antivirus, send an email with an attached text file that contains the EICAR string:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Naturally, the messages must be sent from an external mailbox.
To watch the log in real time, run:
tail -f /var/log/maillog
Also, to properly test sending mail to external mailboxes (yandex.ru, mail.ru, gmail.com and so on), you need a reverse DNS zone (PTR record) for your address; this is arranged through your provider (unless, of course, you run your own DNS server).
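Watching tail -f /var/log/maillog shows individual events; the script below, added here as an example and not part of the original article, summarises the same log so you can see at a glance how many connections postgrey is holding, how many messages clamav-milter rejected, how many ordinary SMTP rejects there were, and how many messages the sieve rule filed into Junk. The sample lines are constructed (documentation addresses, invented queue ids and message ids) and follow the shapes that Postfix, postgrey and the Dovecot LDA log; the function names are mine.

```sh
#!/bin/sh
# Added example (not from the article): summarise a Postfix/Dovecot maillog.
# Usage on a live server: maillog_summary /var/log/maillog

# write_sample_log FILE: constructed log lines for the demo (not real traffic).
write_sample_log() {
cat >"$1" <<'EOF'
Mar  1 10:00:01 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 450 4.2.0 <alice@example.com>: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/example.com.html; from=<news@example.net> to=<alice@example.com> proto=ESMTP helo=<mx.example.net>
Mar  1 10:05:22 mail postfix/smtpd[2103]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 450 4.2.0 <alice@example.com>: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/example.com.html; from=<news@example.net> to=<alice@example.com> proto=ESMTP helo=<mx.example.net>
Mar  1 10:07:40 mail postfix/smtpd[2105]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <bob@example.com>: Relay access denied; from=<x@example.org> to=<bob@example.com> proto=ESMTP helo=<x>
Mar  1 10:09:13 mail postfix/cleanup[2110]: 3F2A1C0012: milter-reject: END-OF-MESSAGE from mx.example.net[203.0.113.5]: 5.7.1 Blocked, message contains a virus; from=<news@example.net> to=<alice@example.com> proto=ESMTP helo=<mx.example.net>
Mar  1 10:12:02 mail dovecot: lda(alice@example.com): sieve: msgid=<1@example.net>: stored mail into mailbox 'Junk'
Mar  1 10:12:30 mail dovecot: lda(alice@example.com): sieve: msgid=<2@example.net>: stored mail into mailbox 'INBOX'
EOF
}

# count_matches FILE PATTERN: number of lines matching an extended regex (0 if none).
count_matches() {
    grep -Ec -- "$2" "$1"
}

# greylisted_clients FILE: distinct client IPs that received a greylisting
# answer; a client appears once however many times it retried.
greylisted_clients() {
    grep -F 'Greylisted' "$1" \
        | sed -n 's/.* from [^[]*\[\([^]]*\)\].*/\1/p' \
        | sort -u
}

# other_smtpd_rejects FILE: smtpd rejects that were not greylisting
# (relay attempts, unknown recipients, HELO failures and so on).
other_smtpd_rejects() {
    grep -E 'NOQUEUE: reject:' "$1" | grep -vc 'Greylisted'
}

# maillog_summary FILE: print the overview.
maillog_summary() {
    f="$1"
    printf 'greylisting answers:      %s\n' "$(count_matches "$f" 'Greylisted')"
    printf 'distinct greylisted hosts: %s\n' "$(greylisted_clients "$f" | wc -l | tr -d ' ')"
    printf 'milter (virus) rejects:   %s\n' "$(count_matches "$f" 'milter-reject')"
    printf 'other smtpd rejects:      %s\n' "$(other_smtpd_rejects "$f")"
    printf 'filed into Junk by sieve: %s\n' "$(count_matches "$f" "stored mail into mailbox 'Junk'")"
}

# Demo run on the constructed sample.
tmp=$(mktemp)
write_sample_log "$tmp"
maillog_summary "$tmp"
rm -f "$tmp"
```

A sudden rise in "other smtpd rejects" from one address, or many distinct greylisted hosts in a short window, is worth a closer look in the full log; the greylisted_clients list is also a convenient starting point when a legitimate sender complains about delays and you are deciding whether to whitelist it in postgrey.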
Conclusion
A mail server certainly looks like a fairly complicated thing, but once you work it out it is not that complicated at all; after spending some time on the configuration you get a fully featured mail server that is protected against spam and viruses.
P.S. If you plan to copy-paste the configs together with the comments, you need to put root (and any other users who need it) into the russian login class:
pw usermod root -L russian
After that, Cyrillic characters display correctly.