未分類 – 第 2 頁

Postfix 是 SMTP 伺服器

Dovecot 可使用 POP3 / IMAP 服務 (只會介紹 POP3 的部份)

OpenDkim (DKIM：DomainKeys Identified Mail) 是使用簽章做認證的電子郵件，目的是改善垃圾、釣魚郵件問題。

一、安裝套件

yum install -y postfix dovecot opendkim

1	yum install -y postfix dovecot opendkim

二、備份、修改 postfix 設定檔 /etc/postfix/main.cf

cp /etc/postfix/main.cf /etc/postfix/main.cf.bak

1	cp /etc/postfix/main.cf /etc/postfix/main.cf.bak

1.調整設定檔 /etc/postfix/main.cf

inet_interfaces = all
myhostname = 應該是主機名稱，但我是放域名 domain
mydomain = 網域名稱
myorigin = $mydomain (用來顯示郵件來自哪)
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks = 127.0.0.0/8
home_mailbox = Maildir/
virtual_alias_maps = hash:/etc/postfix/virtual

inet_interfaces = all

myhostname = 應該是主機名稱，但我是放域名 domain

mydomain = 網域名稱

myorigin = $mydomain (用來顯示郵件來自哪)

inet_protocols = all

mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain

mynetworks = 127.0.0.0/8

home_mailbox = Maildir/

virtual_alias_maps = hash:/etc/postfix/virtual

2.重啟 Postfix、設定開機時自動啟動

service postfix restart
chkconfig postfix on

1 2	service postfix restart chkconfig postfix on

3.用 Telnet 測試 POSTFIX SMTP (#輸入內容、其它是系統回覆)

#telnet mydomain.com smtp
#ehlo localhost
250-mydomain
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

假設系統已有使用者 myuser
#mail from:myuser
250 2.1.0 Ok
#rcpt to:myuser
250 2.1.5 Ok
#data
354 End data with <CR><LF>.<CR><LF>
#welcome to sendmail
#.
250 2.0.0 Ok: queued as 3DA496170766
#quit
221 2.0.0 Bye

#telnet mydomain.com smtp

#ehlo localhost

250-mydomain

250-PIPELINING

250-SIZE 10240000

250-VRFY

250-ETRN

250-ENHANCEDSTATUSCODES

250-8BITMIME

250 DSN

假設系統已有使用者 myuser

#mail from:myuser

250 2.1.0 Ok

#rcpt to:myuser

250 2.1.5 Ok

#data

354 End data with <CR><LF>.<CR><LF>

#welcome to sendmail

250 2.0.0 Ok: queued as 3DA496170766

#quit

221 2.0.0 Bye

4.到 /home/myuser/Maildir/new 檢查郵件，或是看 Mail Log

ls -al /home/myuser/Maildir/new
tail -f /var/log/maillog

1 2	ls -al /home/myuser/Maildir/new tail -f /var/log/maillog

三、設定 SMTP 認證

1.在 /etc/postfix/main.cf 未加入下面設定

#Dovecot SASL
smtpd_helo_required = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_client_restrictions = permit_sasl_authenticated
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_mynetworks,
                           reject_non_fqdn_recipient,
                           reject_unknown_recipient_domain,
                           permit_sasl_authenticated,
                           reject_unauth_destination,
                           reject_non_fqdn_sender,
                           reject_unknown_sender_domain
mailbox_size_limit = 51200000
message_size_limit = 10240000

smtp_tls_security_level = may

#Dovecot SASL

smtpd_helo_required = yes

smtpd_reject_unlisted_sender = yes

smtpd_sasl_auth_enable = yes

broken_sasl_auth_clients = yes

smtpd_client_restrictions = permit_sasl_authenticated

smtpd_sasl_type = dovecot

smtpd_sasl_path = private/auth

smtpd_sasl_security_options = noanonymous

smtpd_recipient_restrictions = permit_mynetworks,

reject_non_fqdn_recipient,

reject_unknown_recipient_domain,

permit_sasl_authenticated,

reject_unauth_destination,

reject_non_fqdn_sender,

reject_unknown_sender_domain

mailbox_size_limit = 51200000

message_size_limit = 10240000

smtp_tls_security_level = may

2.強制使用 TLS，在 /etc/dovecot/conf.d/10-auth.conf，設定參數 disable_plaintext_auth = yes

sed -i.bak 's/disable_plaintext_auth\s*=\s*no/disable_plaintext_auth = yes/g' /etc/dovecot/conf.d/10-auth.conf

1	sed -i.bak 's/disable_plaintext_auth\s=\sno/disable_plaintext_auth = yes/g' /etc/dovecot/conf.d/10-auth.conf

3.修改 /etc/postfix/master.cf，在未端加入下面設定

submission inet n - - - - smtpd
          -o smtpd_tls_security_level=encrypt
          -o smtpd_sasl_auth_enable=yes
          -o smtpd_sasl_type=dovecot
          -o smtpd_sasl_path=private/auth
          -o smtpd_sasl_security_options=noanonymous
          -o smtpd_sasl_local_domain=$myhostname
          -o smtpd_client_restrictions=permit_sasl_authenticated,reject
          -o smtpd_sender_login_maps=hash:/etc/postfix/virtual
          -o smtpd_sender_restrictions=reject_sender_login_mismatch
          -o smtpd_recipient_restrictions=eject_non_fqdn_recipient,
                                                           reject_unknown_recipient_domain,
                                                           permit_sasl_authenticated,
                                                           reject_unauth_destination,
                                                           reject_non_fqdn_sender,
                                                           reject_unknown_sender_domain,
                                                           reject
#使用 SSL/TLS 加入下列參數
 smtps inet n - n - - smtpd
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_sasl_security_options=noanonymous
 -o smtpd_sasl_local_domain=$myhostname
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,
 reject_unknown_recipient_domain,
 permit_sasl_authenticated,reject_unauth_destination,
 reject_non_fqdn_sender,
 reject_unknown_sender_domain,
 reject

submission inet n - - - - smtpd

-o smtpd_tls_security_level=encrypt

-o smtpd_sasl_auth_enable=yes

-o smtpd_sasl_type=dovecot

-o smtpd_sasl_path=private/auth

-o smtpd_sasl_security_options=noanonymous

-o smtpd_sasl_local_domain=$myhostname

-o smtpd_client_restrictions=permit_sasl_authenticated,reject

-o smtpd_sender_login_maps=hash:/etc/postfix/virtual

-o smtpd_sender_restrictions=reject_sender_login_mismatch

-o smtpd_recipient_restrictions=eject_non_fqdn_recipient,

reject_unknown_recipient_domain,

permit_sasl_authenticated,

reject_unauth_destination,

reject_non_fqdn_sender,

reject_unknown_sender_domain,

reject

#使用 SSL/TLS 加入下列參數

smtps inet n - n - - smtpd

-o smtpd_sasl_auth_enable=yes

-o smtpd_sasl_security_options=noanonymous

-o smtpd_sasl_local_domain=$myhostname

-o smtpd_client_restrictions=permit_sasl_authenticated,reject

-o smtpd_recipient_restrictions=reject_non_fqdn_recipient,

reject_unknown_recipient_domain,

permit_sasl_authenticated,reject_unauth_destination,

reject_non_fqdn_sender,

reject_unknown_sender_domain,

reject

4.修改dovecot設定檔 /etc/dovecot/dovecot.conf

#protocols = imap pop3  lmtp
protocols = pop3

1 2	#protocols = imap pop3 lmtp protocols = pop3

5.修改 /etc/dovecot/conf.d/10-master.conf

 service imap-login {
 inet_listener imap {
 #port = 143
 }
 inet_listener imaps {
 #port = 993
 #ssl = yes
 }
 
 # Number of connections to handle before starting a new process. Typically
 # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
 # is faster. <doc/wiki/LoginProcess.txt>
 service_count = 1
 # Number of processes to always keep waiting for more connections.
 #process_min_avail = 0
 # If you set service_count=0, you probably need to grow this.
 #vsz_limit = 64M
 }
 service pop3-login {
 inet_listener pop3 {
 port = 110
 }
 inet_listener pop3s {
 port = 995
 ssl = yes
 }
 service_count = 1
 }
 service auth {
 # auth_socket_path points to this userdb socket by default. It's typically
 # used by dovecot-lda, doveadm, possibly imap process, etc. Its default
 # permissions make it readable only by root, but you may need to relax these
 # permissions. Users that have access to this socket are able to get a list
 # of all usernames and get results of everyone's userdb lookups.
 unix_listener auth-userdb {
 mode = 0600
 user = postfix
 group = postfix
 }

 # Postfix smtp-auth
 unix_listener /var/spool/postfix/private/auth {
 mode = 0666
 }

 # Auth process is run as this user.
 #user = $default_internal_user
 }

service imap-login {

inet_listener imap {

#port = 143

}

inet_listener imaps {

#port = 993

#ssl = yes

}

# Number of connections to handle before starting a new process. Typically

# the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0

# is faster. <doc/wiki/LoginProcess.txt>

service_count = 1

# Number of processes to always keep waiting for more connections.

#process_min_avail = 0

# If you set service_count=0, you probably need to grow this.

#vsz_limit = 64M

}

service pop3-login {

inet_listener pop3 {

port = 110

}

inet_listener pop3s {

port = 995

ssl = yes

}

service_count = 1

}

service auth {

# auth_socket_path points to this userdb socket by default. It's typically

# used by dovecot-lda, doveadm, possibly imap process, etc. Its default

# permissions make it readable only by root, but you may need to relax these

# permissions. Users that have access to this socket are able to get a list

# of all usernames and get results of everyone's userdb lookups.

unix_listener auth-userdb {

mode = 0600

user = postfix

group = postfix

}

# Postfix smtp-auth

unix_listener /var/spool/postfix/private/auth {

mode = 0666

}

# Auth process is run as this user.

#user = $default_internal_user

}

6.修改/etc/dovecot/conf.d/10-ssl.conf

# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = yes

1 2	# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt> ssl = yes

7.修改/etc/pki/dovecot/dovecot-openssl.cnf 重新定義自己的憑證資訊

[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
# country (2 letter code)
#C=FI
C=TW
# State or Province Name (full name)
#ST=
ST=Taiwan
# Locality Name (eg. city)
#L=Helsinki
L=Taipei
# Organization (eg. company)
#O=Dovecot

# Organizational Unit Name (eg. section)
OU=IMAP server

# Common Name (*.example.com is also possible)
#CN=imap.example.com
CN=mail.rusnake.com
# E-mail contact
#emailAddress=postmaster@example.com
emailAddress=root@mail.rusnake.com
[ cert_type ]
nsCertType = server

[ req ]

default_bits = 1024

encrypt_key = yes

distinguished_name = req_dn

x509_extensions = cert_type

prompt = no

[ req_dn ]

# country (2 letter code)

#C=FI

C=TW

# State or Province Name (full name)

#ST=

ST=Taiwan

# Locality Name (eg. city)

#L=Helsinki

L=Taipei

# Organization (eg. company)

#O=Dovecot

# Organizational Unit Name (eg. section)

OU=IMAP server

# Common Name (*.example.com is also possible)

#CN=imap.example.com

CN=mail.rusnake.com

# E-mail contact

#emailAddress=postmaster@example.com

emailAddress=root@mail.rusnake.com

[ cert_type ]

nsCertType = server

8.建立產生新憑證的 Script /etc/pki/dovecot/mkcert.sh 建立有效期限 10 年的憑證內容如下：

#!/bin/sh
# Generates a self-signed certificate.
# Edit dovecot-openssl.cnf before running this.
OPENSSL=${OPENSSL-openssl}
SSLDIR=${SSLDIR-/etc/pki/dovecot}
#OPENSSLCONFIG=${OPENSSLCONFIG-dovecot-openssl.cnf}
OPENSSLCONFIG=$SSLDIR"/"${OPENSSLCONFIG-dovecot-openssl.cnf}
CERTDIR=$SSLDIR/certs
KEYDIR=$SSLDIR/private
CERTFILE=$CERTDIR/dovecot.pem
KEYFILE=$KEYDIR/dovecot.pem
if [ ! -d $CERTDIR ]; then
echo "$SSLDIR/certs directory doesn't exist"
exit 1
fi
if [ ! -d $KEYDIR ]; then
echo "$SSLDIR/private directory doesn't exist"
exit 1
fi
if [ -f $CERTFILE ]; then
echo "$CERTFILE already exists, won't overwrite"
exit 1
fi
if [ -f $KEYFILE ]; then
echo "$KEYFILE already exists, won't overwrite"
exit 1
fi
$OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 3650 || exit 2
chmod 0600 $KEYFILE
echo 
$OPENSSL x509 -subject -fingerprint -noout -in $CERTFILE || exit 2

#!/bin/sh

# Generates a self-signed certificate.

# Edit dovecot-openssl.cnf before running this.

OPENSSL=${OPENSSL-openssl}

SSLDIR=${SSLDIR-/etc/pki/dovecot}

#OPENSSLCONFIG=${OPENSSLCONFIG-dovecot-openssl.cnf}

OPENSSLCONFIG=$SSLDIR"/"${OPENSSLCONFIG-dovecot-openssl.cnf}

CERTDIR=$SSLDIR/certs

KEYDIR=$SSLDIR/private

CERTFILE=$CERTDIR/dovecot.pem

KEYFILE=$KEYDIR/dovecot.pem

if [ ! -d $CERTDIR ]; then

echo "$SSLDIR/certs directory doesn't exist"

exit 1

if [ ! -d $KEYDIR ]; then

echo "$SSLDIR/private directory doesn't exist"

exit 1

if [ -f $CERTFILE ]; then

echo "$CERTFILE already exists, won't overwrite"

exit 1

if [ -f $KEYFILE ]; then

echo "$KEYFILE already exists, won't overwrite"

exit 1

$OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 3650 || exit 2

chmod 0600 $KEYFILE

echo

$OPENSSL x509 -subject -fingerprint -noout -in $CERTFILE || exit 2

9.備份原 dovecot 憑證

mv /etc/pki/dovecot/private/dovecot.pem /etc/pki/dovecot/private/dovecot.pem-old
mv /etc/pki/dovecot/certs/dovecot.pem /etc/pki/dovecot/certs/dovecot.pem-old

1 2	mv /etc/pki/dovecot/private/dovecot.pem /etc/pki/dovecot/private/dovecot.pem-old mv /etc/pki/dovecot/certs/dovecot.pem /etc/pki/dovecot/certs/dovecot.pem-old

10.執行批次檔

sh mkcert.sh

1	sh mkcert.sh

11.dovecot 設定開機自動啟動

chkconfig dovecot on

1	chkconfig dovecot on

12.重啟相關服務

service dovecot restart
service postfix restart

1 2	service dovecot restart service postfix restart

13.測試 SMTP

#telnet mydomain.com smtp
#ehlo localhost
250-mydomain.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
#mail from:myuser
250 2.1.0 Ok
#rcpt to:myuser@gmail.com
454 4.7.1 <myuser@mydomain.com>: Relay access denied
#AUTH PLAIN AG15dXNlcgAxMjM0 2.7.0 Authentication successful
#mail from:myuser
250 2.1.0 Ok
#rcpt to:myuser@gmail.com
250 2.1.5 Ok
#data
354 End data with <CR><LF>.<CR><LF>
#welcome to postfix.
#.
250 2.0.0 Ok: queued as 092996170763

#telnet mydomain.com smtp

#ehlo localhost

250-mydomain.com

250-PIPELINING

250-SIZE 10240000

250-VRFY

250-ETRN

250-AUTH PLAIN LOGIN

250-AUTH=PLAIN LOGIN

250-ENHANCEDSTATUSCODES

250-8BITMIME

250 DSN

#mail from:myuser

250 2.1.0 Ok

#rcpt to:myuser@gmail.com

454 4.7.1 <myuser@mydomain.com>: Relay access denied

#AUTH PLAIN AG15dXNlcgAxMjM0 2.7.0 Authentication successful

#mail from:myuser

250 2.1.0 Ok

#rcpt to:myuser@gmail.com

250 2.1.5 Ok

#data

354 End data with <CR><LF>.<CR><LF>

#welcome to postfix.

250 2.0.0 Ok: queued as 092996170763

中場休息

測試憑證

openssl s_client -connect YourDomain:pop3s

1	openssl s_client -connect YourDomain:pop3s

如果有自己的域名，最好再為郵件伺服器的域名加上一個 SPF 記錄 (Sender Policy Framework)，說明這個域名只會透過那些主機發送郵件.，比較不會被擋信

v=spf1 ip4:11.22.33.44 ~all

SPF 記錄中的參數請參照下面的解說：
1. 'a' ：比對 dns 中的 a 紀錄，若沒有指定哪個網域名，則以目前的的網域為主。
2. 'mx' ：比對 dns 中的 mx 紀錄，若沒有指定哪個網域名，則以目前的網域為主。
3. 'ptr' ：比對 dns 中的 ptr 紀錄，若沒有指定哪個網域名，則以目前的網域為主。
4. '~all'：參數若比對失敗，信件仍能寄進來，但該信件標題會加註 'SPF-Failure' ，並置於垃圾信件資料夾中。

v=spf1 ip4:11.22.33.44 ~all

SPF 記錄中的參數請參照下面的解說：

1. 'a' ：比對 dns 中的 a 紀錄，若沒有指定哪個網域名，則以目前的的網域為主。

2. 'mx' ：比對 dns 中的 mx 紀錄，若沒有指定哪個網域名，則以目前的網域為主。

3. 'ptr' ：比對 dns 中的 ptr 紀錄，若沒有指定哪個網域名，則以目前的網域為主。

4. '~all'：參數若比對失敗，信件仍能寄進來，但該信件標題會加註 'SPF-Failure' ，並置於垃圾信件資料夾中。

常用指令

列出postfix全部參數設定：postconf 
列出使用者自定的參數設定：postconf -n
查詢postfix版本：postconf mail_version

列出postfix全部參數設定：postconf

列出使用者自定的參數設定：postconf -n

查詢postfix版本：postconf mail_version

接著可以試著到 outLook 或 thunderbird 設定帳戶

OutLook01

OutLook02

OutLook03

盧尛朋友

學海無涯，回頭是ㄢ‵

分類: 未分類

Postfix 和 Dovecot

Linux 修改使用者新增檔案群組