The main steps are:
1. Install or update Postfix, Dovecot and related packages
2. Adjust the Postfix parameters
3. Adjust the Dovecot parameters
1. Install or update Postfix, Dovecot and related packages
# yum update postfix openssl
# yum install cyrus-sasl cyrus-sasl-plain cyrus-sasl-md5 telnet wget dovecot
2. Adjust the Postfix parameters
# vi /etc/postfix/main.cf
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = host.yourdomain.com.tw
mydomain = yourdomain.com.tw
myorigin = $mydomain
inet_interfaces = all
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
unknown_local_recipient_reject_code = 550
mynetworks = 127.0.0.0/8
relay_domains = $mydestination
transport_maps = hash:/etc/postfix/transport
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.6.6/samples
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
smtpd_helo_required = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_client_restrictions = permit_sasl_authenticated
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject
mailbox_size_limit = 6144000000
message_size_limit = 40960000
smtpd_enforce_tls = no
# use TLS encryption
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
# path to the certificate and private key (the same PEM file is used for both here)
smtpd_tls_cert_file = /etc/postfix/tls/smtpd.pem
smtpd_tls_key_file = /etc/postfix/tls/smtpd.pem
Because transport_maps = hash:/etc/postfix/transport is used, /etc/postfix/transport has to be edited as well:
# vi /etc/postfix/transport
destinationdomain.com smtp:[1.2.3.4]:25
The format is:
destination-domain transport:[host-or-IP-that-relays-the-mail]:port
With the [] the mail is not delivered through the usual SMTP MX lookup; it is sent directly to the specified host.
The trailing port can be omitted when it is the standard port 25.
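The following is an added example, not part of the original post: a small awk-based parser for the transport(5) line format just described. It prints, for each entry, the transport, the next-hop host, the port that will actually be used (25 when omitted) and whether the brackets bypass the MX lookup. The sample transport file is constructed; the domains and the IP in it are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): parse Postfix transport lines of
# the form "domain transport:[nexthop]:port" and show how each will be delivered.

# Constructed sample transport file; hosts and IPs are placeholders.
SAMPLE_TRANSPORT='destinationdomain.com smtp:[1.2.3.4]:25
example.net smtp:[mail.example.net]
example.org smtp:mail.example.org:2525
# comment line
'

# explain_transport [FILE]: read a transport file (or stdin) and print one
# line per entry: domain transport host port use-MX|bypass-MX
explain_transport() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        {
            domain = $1; spec = $2
            i = index(spec, ":")
            if (i == 0) { transport = spec; rest = "" }
            else { transport = substr(spec, 1, i - 1); rest = substr(spec, i + 1) }
            port = 25                                   # default when the port is omitted
            host = "-"
            mx = "use-MX"
            if (rest ~ /^\[/) {
                # [host]:port or [host]: the brackets disable the MX lookup
                rb = index(rest, "]")
                host = substr(rest, 2, rb - 2)
                tail = substr(rest, rb + 1)
                if (tail ~ /^:/) port = substr(tail, 2)
                mx = "bypass-MX"
            } else if (rest != "") {
                n = split(rest, parts, ":")
                host = parts[1]
                if (n > 1) port = parts[2]
            }
            printf "%s %s %s %s %s\n", domain, transport, host, port, mx
        }' "$@"
}

# Stand-alone demo: feed the constructed sample through the parser.
printf '%s' "$SAMPLE_TRANSPORT" | explain_transport
```

Run it against the real file with `explain_transport /etc/postfix/transport` before running postmap; an entry without brackets still goes through an MX lookup, which is usually not what a fixed relay entry intends.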
Generate transport.db with postmap
# postmap /etc/postfix/transport
Reload the configuration
# service postfix reload
Restart postfix
# service postfix restart
Set the service to start automatically at boot
# chkconfig postfix on
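The following is an added example, not part of the original post: a shell audit that reads a main.cf (joining indented continuation lines the way postconf does) and checks the relay, SASL and TLS settings that the configuration above relies on. The sample main.cf is a constructed excerpt mirroring the page's settings; the checks for `smtpd_tls_auth_only` and `disable_vrfy_command` are additional recommendations, not settings the page makes.

```shell
#!/bin/sh
# Added example (not from the original post): audit relay/auth/TLS settings
# in a Postfix main.cf. The sample below is a constructed excerpt.

SAMPLE_MAIN_CF='# constructed excerpt of /etc/postfix/main.cf
mynetworks = 127.0.0.0/8
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject
smtpd_use_tls = yes
'

# get_param NAME FILE: print the value of NAME, joining indented continuation
# lines; prints an empty line when NAME is not set.
get_param() {
    awk -v key="$1" '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]/ { if (found) val = val " " $0; next }
        { found = 0
          eq = index($0, "=")
          if (eq == 0) next
          name = substr($0, 1, eq - 1); gsub(/[[:space:]]/, "", name)
          if (name == key) { val = substr($0, eq + 1); found = 1 } }
        END { gsub(/[[:space:]]+/, " ", val); sub(/^ /, "", val); sub(/ $/, "", val); print val }
    ' "$2"
}

# audit_main_cf FILE: print OK/FAIL/WARN per check; return the number of FAILs.
audit_main_cf() {
    f=$1; fails=0
    check() {  # check STATUS LABEL
        echo "$1 $2"
        [ "$1" = FAIL ] && fails=$((fails + 1))
        return 0
    }
    expect() {  # expect NAME VALUE: FAIL unless NAME equals VALUE exactly
        if [ "$(get_param "$1" "$f")" = "$2" ]; then check OK "$1 = $2"
        else check FAIL "$1 = $2 (got '$(get_param "$1" "$f")')"; fi
    }
    expect smtpd_sasl_auth_enable yes
    expect smtpd_sasl_type dovecot
    expect smtpd_use_tls yes
    opts=$(get_param smtpd_sasl_security_options "$f" | tr ',' ' ')
    case " $opts " in
        *" noanonymous "*) check OK "smtpd_sasl_security_options forbids anonymous logins" ;;
        *) check FAIL "smtpd_sasl_security_options forbids anonymous logins" ;;
    esac
    # The final entry of the restriction list decides what happens to clients
    # that are neither in mynetworks nor SASL-authenticated.
    restr=$(get_param smtpd_recipient_restrictions "$f" | tr -d ' ')
    case "${restr##*,}" in
        reject|reject_unauth_destination) check OK "smtpd_recipient_restrictions ends in a reject" ;;
        *) check FAIL "smtpd_recipient_restrictions ends in a reject (got '${restr:-unset}')" ;;
    esac
    case "$(get_param mynetworks "$f")" in
        *0.0.0.0/0*) check FAIL "mynetworks must not cover the whole Internet" ;;
        *) check OK "mynetworks does not cover the whole Internet" ;;
    esac
    # Recommended hardening beyond the page's settings (real Postfix parameters).
    if [ "$(get_param smtpd_tls_auth_only "$f")" = yes ]; then check OK "smtpd_tls_auth_only = yes"
    else check WARN "smtpd_tls_auth_only is not yes: AUTH is offered before STARTTLS"; fi
    if [ "$(get_param disable_vrfy_command "$f")" = yes ]; then check OK "disable_vrfy_command = yes"
    else check WARN "disable_vrfy_command is not yes: VRFY is advertised to clients"; fi
    return $fails
}

# Stand-alone demo: audit the constructed sample.
tmp=$(mktemp)
printf '%s' "$SAMPLE_MAIN_CF" > "$tmp"
audit_main_cf "$tmp"
rm -f "$tmp"
```

Two caveats the audit makes visible. First, the page's list ends in a bare `reject`, so any client that is neither in mynetworks nor SASL-authenticated is refused at RCPT TO, including remote mail servers delivering to your own domains; that is right for a submission-only relay, whereas an inbound MX would end the list with `reject_unauth_destination` instead. Second, with `smtpd_tls_auth_only` unset, Postfix advertises AUTH on the plaintext session, which is exactly what the EHLO transcript at the end of the page shows.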
Use postconf to adjust the parameters in /etc/postfix/main.cf; commonly used parameters are listed below:
Parameter | Description
Basic parameters
myhostname | Hostname of the sending Postfix host; used in HELO
mydomain | Domain name of the sending Postfix host
myorigin | Domain used in the Mail From field; usually the same as mydomain
mydestination | Mail domains this Postfix accepts (inbound)
inet_interfaces | IP addresses to listen on; default localhost
mynetworks | IP ranges allowed to relay mail; default 127.0.0.0/8
smtpd_banner | SMTP greeting message
smtpd_timeout | SMTP timeout; default 300 seconds
transport_maps | Hand mail for specified domains (inbound) to the next mail server
relayhost | Hand outbound mail to the next mail server (smart host)
always_bcc | Automatically copy every message to a mailbox; not set by default
smtpd_recipient_limit | Maximum number of recipients per message; default 1000
message_size_limit | Maximum size of a single message; default 10MB
mailbox_size_limit | Maximum size of a user mailbox
header_size_limit | Maximum size of message headers
Queue parameters
maximal_queue_lifetime | How long a message stays in the queue before it is bounced to the sender; default 5 days
queue_run_delay | How often the deferred queue is scanned; default every 300 seconds
minimal_backoff_time | Minimum wait before a message in the deferred queue is retried; default 300 seconds
maximal_backoff_time | Maximum wait before a message in the deferred queue is retried; default 4000 seconds
Basic security parameters
disable_vrfy_command | Whether to disable the VRFY command; default off
smtpd_soft_error_limit | Number of SMTP command errors (default 10) after which the connection is paused for a while
smtpd_error_sleep_time | Length of that pause; default 1 second
smtpd_hard_error_limit | Number of SMTP command errors (default 20) after which the connection is dropped
strict_rfc821_envelopes | RFC 821 requires the <> brackets in MAIL FROM and RCPT TO; default off
smtpd_helo_required | Whether HELO or EHLO is required in the SMTP dialogue; default off
SMTP HELO restrictions (smtpd_helo_restrictions, not set by default)
reject_invalid_helo_hostname | Reject malformed HELO hostnames
reject_unknown_helo_hostname | Reject HELO hostnames that have no MX or A record
SMTP sender restrictions (smtpd_sender_restrictions, not set by default)
check_sender_access | Check the sender address or sender domain
reject_sender_login_mismatch | Reject when the SASL login and the Mail From account differ
reject_unknown_sender_domain | Reject when the Mail From domain has no MX or A record
3. Adjust the Dovecot parameters
Edit the dovecot configuration file
# vi /etc/dovecot/dovecot.conf
protocols = imap pop3
Edit the dovecot configuration file
# vi /etc/dovecot/conf.d/10-auth.conf
# change to yes if authentication must be forced over SSL/TLS
disable_plaintext_auth = no
auth_mechanisms = plain login
Edit the dovecot configuration file
# vi /etc/dovecot/conf.d/10-master.conf
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  # Number of connections to handle before starting a new process. Typically
  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
  # is faster. <doc/wiki/LoginProcess.txt>
  service_count = 1
  # Number of processes to always keep waiting for more connections.
  #process_min_avail = 0
  # If you set service_count=0, you probably need to grow this.
  #vsz_limit = 64M
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
  service_count = 1
}
service auth {
  # auth_socket_path points to this userdb socket by default. It's typically
  # used by dovecot-lda, doveadm, possibly imap process, etc. Its default
  # permissions make it readable only by root, but you may need to relax these
  # permissions. Users that have access to this socket are able to get a list
  # of all usernames and get results of everyone's userdb lookups.
  unix_listener auth-userdb {
    mode = 0600
    user = postfix
    group = postfix
  }
  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
  # Auth process is run as this user.
  #user = $default_internal_user
}
Enable SSL
# vi /etc/dovecot/conf.d/10-ssl.conf
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
#ssl = yes
ssl = yes
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
# path to the certificate
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
# path to the private key
ssl_key = </etc/pki/dovecot/private/dovecot.pem
Redefine the certificate details
# vi /etc/pki/dovecot/dovecot-openssl.cnf
[ req ]
default_bits = 2048
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
[ req_dn ]
# country (2 letter code)
#C=FI
C=tw
# State or Province Name (full name)
#ST=
ST=Taiwan
# Locality Name (eg. city)
#L=Helsinki
L=Taipei
# Organization (eg. company)
#O=Dovecot
O=yourcompany
# Organizational Unit Name (eg. section)
OU=IMAP server
# Common Name (*.example.com is also possible)
#CN=imap.example.com
CN=yourdomain.com.tw
# E-mail contact
#emailAddress=postmaster@example.com
emailAddress=tech@yourdomain.com.tw
[ cert_type ]
nsCertType = server
# vi /etc/pki/dovecot/mkcert.sh
#!/bin/sh
# Generates a self-signed certificate.
# Edit dovecot-openssl.cnf before running this.
OPENSSL=${OPENSSL-openssl}
SSLDIR=${SSLDIR-/etc/pki/dovecot}
OPENSSLCONFIG=${OPENSSLCONFIG-dovecot-openssl.cnf}
CERTDIR=$SSLDIR/certs
KEYDIR=$SSLDIR/private
CERTFILE=$CERTDIR/dovecot.pem
KEYFILE=$KEYDIR/dovecot.pem
if [ ! -d $CERTDIR ]; then
  echo "$SSLDIR/certs directory doesn't exist"
  exit 1
fi
if [ ! -d $KEYDIR ]; then
  echo "$SSLDIR/private directory doesn't exist"
  exit 1
fi
if [ -f $CERTFILE ]; then
  echo "$CERTFILE already exists, won't overwrite"
  exit 1
fi
if [ -f $KEYFILE ]; then
  echo "$KEYFILE already exists, won't overwrite"
  exit 1
fi
# certificate valid for one year (the default)
$OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 365 || exit 2
chmod 0600 $KEYFILE
echo
$OPENSSL x509 -subject -fingerprint -noout -in $CERTFILE || exit 2
Generate the certificate
# sh mkcert.sh
Generating a 2048 bit RSA private key
.................++++++
..............++++++
writing new private key to '/etc/pki/dovecot/private/dovecot.pem'
-----
Restart dovecot
# service dovecot restart
Set the service to start automatically at boot
# chkconfig dovecot on
Assume a test account "test" with password "testpassword"
# perl -MMIME::Base64 -e 'print encode_base64("\000test\000testpassword");'
AHRlc3QAdGVzdHBhc3N3b3Jk
# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 <your full hostname> ESMTP Postfix
ehlo .
250-<your full hostname>
250-PIPELINING
250-SIZE 40960000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN AHRlc3QAdGVzdHBhc3N3b3Jk
235 2.7.0 Authentication successful #username and password verified successfully
# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 <your full hostname> ESMTP Postfix
ehlo .
250-<your full hostname>
250-PIPELINING
250-SIZE 40960000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
STARTTLS #use SMTP over TLS
220 2.0.0 Ready to start TLS #SMTP over TLS negotiated successfully
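The following is an added example, not part of the original post. It does three things the two telnet sessions above do by hand: builds the SASL PLAIN token the perl one-liner produces (RFC 4616 layout: authzid, NUL, authcid, NUL, password), extracts the login name from such a token without echoing the password (handy when reviewing what a client sent), and classifies a captured EHLO response by whether AUTH is already offered before STARTTLS. All inputs are constructed; the credentials are the page's dummy test account and the hostname is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): SASL PLAIN token helpers and a
# check of the pre-STARTTLS EHLO response. All inputs are constructed.

# sasl_plain_token AUTHCID PASSWORD
# RFC 4616 PLAIN is: authzid NUL authcid NUL password, base64-encoded.
# The authorization identity is left empty, exactly as the perl one-liner does.
sasl_plain_token() {
    printf '%s\000%s\000%s' "" "$1" "$2" | base64 | tr -d '\n'
}

# sasl_plain_authcid TOKEN: print the authentication identity inside TOKEN
# (the second NUL-separated field) without printing the password.
sasl_plain_authcid() {
    printf '%s' "$1" | base64 -d | tr '\000' '\n' | sed -n 2p
}

# Constructed copy of the EHLO response shown in the telnet session above,
# with the hostname replaced by a placeholder.
SAMPLE_EHLO='250-mail.yourdomain.com.tw
250-PIPELINING
250-SIZE 40960000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN'

# ehlo_has RESPONSE KEYWORD: succeed when RESPONSE advertises KEYWORD.
ehlo_has() {
    printf '%s\n' "$1" | grep -Eq "^250[- ]$2( |$)"
}

# pre_tls_auth_check RESPONSE: classify the response to the *first* EHLO,
# i.e. the one sent before STARTTLS. Prints a verdict and returns 0 only
# when credentials cannot be sent on the unencrypted session.
pre_tls_auth_check() {
    if ! ehlo_has "$1" STARTTLS; then
        echo "no-starttls"; return 1
    fi
    if ehlo_has "$1" AUTH; then
        echo "auth-before-tls"; return 1
    fi
    echo "auth-after-tls-only"; return 0
}

# Stand-alone demo.
echo "token:   $(sasl_plain_token test testpassword)"
echo "authcid: $(sasl_plain_authcid AHRlc3QAdGVzdHBhc3N3b3Jk)"
echo "verdict: $(pre_tls_auth_check "$SAMPLE_EHLO")"
```

The verdict for the page's transcript is `auth-before-tls`: the first telnet session sends AUTH PLAIN, and therefore the base64 of the password, on the unencrypted connection. The second session is the right order (STARTTLS first, then EHLO again and AUTH inside the TLS session); `openssl s_client -starttls smtp -connect 127.0.0.1:25` performs that handshake and shows the certificate Postfix presents, which telnet cannot do after the `220 2.0.0 Ready to start TLS` line.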