postfix mysql sasl ssl linux 邮件服务器 搭建 笔记
基本上是按照 http://flurdy.com/docs/postfix 这个教程做的
推荐初次搭建邮件服务器的人看的书
LINUX系统管理技术手册(第2版)
POSTFIX权威指南
这2本书里面讲了很多邮件服务器方面的基本概念,不明白的话配置文件的时候简直像猜大小
写几点要注意的地方
ln -s /tmp/mysql.sock /var/run/mysqld/mysqld.sock
配置postfix邮件系统要很多配置文件, 里面的某些配置文件里面是不会自动trim()的, 如:
xxx = mysql
有一个认证模块的配置文件里面我在mysql后面多了一个空格,结果log一直提示我mysql模块未安装,
其实它说的是'mysql '模块,注意到没,引号里有一个空格,这个错误弄了老半天,最后在网上看到老外也提到了这点,才试着一个个去去除空格,结果就好了。。。
还有一个,就是配置ssl,生成证书的时候,他会让你写一些信息, 如下
Country Name (2 letter code) [AU]:cn
StateorProvinceName(fullname)[Some-State]:sh
LocalityName(eg,city)[]:pd
OrganizationName(eg,company)[InternetWidgitsPtyLtd]:company
OrganizationalUnitName(eg,section)[]:section
CommonName(eg,YOURname)[]:yourdomain.com
Email Address []:[email protected]这里的Common Name一定要和你的邮件服务器的名字一样,其他无所谓, 这里也是碰壁了,网上查了才知道的,原文没有提到
最后就配置了mysql+postfix+sasl_ssl,配置文件记一下
vi /etc/mailname
mailserver.com
vi /etc/postfix/main.cf
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu) biff = no # appending .domain is the MUA's job. append_dot_mydomain = no # Uncomment the next line to generate "delayed mail" warnings #delay_warning_time = 4h readme_directory = no # TLS parameters smtpd_tls_cert_file=/etc/postfix/postfix.cert smtpd_tls_key_file=/etc/postfix/postfix.key smtpd_use_tls=yes smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtp_tls_security_level = may smtpd_tls_security_level = may smtp_tls_note_starttls_offer = yes smtpd_tls_loglevel = 1 smtpd_tls_received_header = yes smtpd_tls_session_cache_timeout = 3600s tls_random_source = dev:/dev/urandom # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for # information on enabling SSL in the smtp client. myhostname = mailserver.com myorigin = mailserver.com relayhost = mailbox_size_limit = 0 recipient_delimiter = + inet_interfaces = all mynetworks_style = host local_recipient_maps = mydestination = alias_maps = hash:/etc/postfix/aliases alias_database = hash:/etc/postfix/aliases virtual_mailbox_base = /var/spool/mail/virtual virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf virtual_uid_maps = static:5000 virtual_gid_maps = static:5000 smtpd_sasl_auth_enable = yes broken_sasl_auth_clients = yes smtpd_sasl_security_options = noanonymous smtpd_sasl_local_domain = smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit smtpd_sender_restrictions =permit_sasl_authenticated, permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit #smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client dnsbl.njabl.org smtpd_recipient_restrictions = reject_unauth_pipelining, permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, permit smtpd_data_restrictions = reject_unauth_pipelining # how long if undelivered before sending warning update to sender delay_warning_time = 4h # will it be a permanent error or temporary unknown_local_recipient_reject_code = 450 # how long to keep message on queue before return as failed. # some have 3 days, I have 16 days as I am backup server for some people # whom go on holiday with their server switched off. maximal_queue_lifetime = 7d # max and min time in seconds between retries if connection failed minimal_backoff_time = 1000s maximal_backoff_time = 8000s # how long to wait when servers connect before receiving rest of data smtp_helo_timeout = 60s # how many address can be used in one message. # effective stopper to mass spammers, accidental copy in whole address list # but may restrict intentional mail shots. smtpd_recipient_limit = 999 # how many error before back off. smtpd_soft_error_limit = 3 # how many max errors before blocking it. smtpd_hard_error_limit = 12
vi /etc/postfix/mysql_mailbox.cf
vi /etc/postfix/mysql_alias.cf
vi /etc/postfix/mysql_domains.cf
这3个文件没什么可说的 注意后面没有空格就好了
vi /etc/courier/authdaemonrc
authmodulelist="authmysql" 注意这个就好了 其他没改
vi /etc/courier/authmysqlrc
这个也是照着教程上的改就好了 注意的就是 MYSQL_CRYPT_PWFIELD crypt # MYSQL_CLEAR_PWFIELD clear
vi /etc/courier/imapd
这里没改
vi /etc/default/saslauthd
START=yes OPTIONS="-r -c -m /var/spool/postfix/var/run/saslauthd" 就改了这2个地方
vi /etc/postfix/sasl/smtpd.conf 这个文件就是空格事件的案发现场
pwcheck_method:saslauthd mech_list: plain login cram-md5 digest-md5 log_level: 7 allow_plaintext: true auxprop_plugin: mysql sql_engine: mysql sql_hostnames: 127.0.0.1 sql_user: admin sql_passw: admin sql_database: maildb sql_select: select crypt from users where id='%u@%r' and enabled = 1
vi /etc/pam.d/smtp
auth required pam_mysql.so user=mail passwd=aPASSWORD host=127.0.0.1 db=maildb table=users usercolumn=id passwdcolumn=crypt crypt=1 account sufficient pam_mysql.so user=mail passwd=aPASSWORD host=127.0.0.1 db=maildb table=users usercolumn=id passwdcolumn=crypt crypt=1
vi /etc/postfix/master.cf 这个是配ssl时改的
smtp inet n - - - - smtpd #submission inet n - - - - smtpd # -o smtpd_tls_security_level=encrypt # -o smtpd_sasl_auth_enable=yes # -o smtpd_client_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING smtps inet n - - - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sasl_security_options=noanonymous,noplaintext -o smtpd_sasl_tls_security_options=noanonymous
配置amavis 基本上也是按照教程来的 然后用其他邮箱发邮件测试 看mail.log的输出 这里我就出了一个文件读取权限的错误 改
daemon_user 就好了
vi /etc/amavis/conf.d/50-user
$mydomain = 'yourdomain'; $myhostname = 'yourdomain'; $daemon_user= 'amavis'; $daemon_group= 'amavis'; @local_domains_acl = qw(.); $log_level = 1; $syslog_priority = 'info'; $sa_kill_level_deflt = 8.0; # triggers spam evasive actions #$final_spam_destiny = D_PASS; $final_spam_destiny = D_DISCARD;
vi /etc/postfix/master.cf
pickup fifo n - - 60 1 pickup -o content_filter= -o receive_override_options=no_header_body_checks amavis unix - - - - 2 smtp -o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes -o disable_dns_lookups=yes -o max_use=20 127.0.0.1:10025 inet n - - - - smtpd -o content_filter= -o local_recipient_maps= -o relay_recipient_maps= -o smtpd_restriction_classes= -o smtpd_delay_reject=no -o smtpd_client_restrictions=permit_mynetworks,reject -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o smtpd_data_restrictions=reject_unauth_pipelining -o smtpd_end_of_data_restrictions= -o mynetworks=127.0.0.0/8 -o smtpd_error_sleep_time=0 -o smtpd_soft_error_limit=1001 -o smtpd_hard_error_limit=1000 -o smtpd_client_connection_count_limit=0 -o smtpd_client_connection_rate_limit=0 -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
vi /etc/postfix/main.cf
content_filter = amavis:[127.0.0.1]:10024
vi
/etc/amavis/conf.d/15-content_filter_mode
@bypass_virus_checks_maps = ( \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re); @bypass_spam_checks_maps = ( \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
在用javamail发邮件的时候出了问题 说 unable to find valid certification path to requested target
一看就是认证方面的
接着就上网找资料 重新配置认证文件,然后把认证文件导入到当前用到的jre\lib\security\cacerts中,
我很怀疑其实我原来的认证文件就可以的,只要导入到当前的jre中就可以
怎么导入呢
JDK/bin/keytool -import -file mailcert.pem -keystore %java_home%/jre/lib/security/cacerts
这里会问密码 是 changeit 这个对jdk都是一样的 默认密码
这里要注意的是你的java运行的时候用的那个jre你就要导入到那个里去,mailcert.pem就是你mailserver用到的认证文件
===========================================================
配置认证文件
8.1 配置OpenSSL
8.1.1制作rootCA
1.修改openssl配置文件
修改openssl配置文件:/etc/pki/tls/openssl.cnf
将- dir = ../../CA # Where everything is kept
改成
- dir = /etc/pki/CA # Where everything is kept
2. 安装CA的脚本
- shell# yum install openssl-perl
3.生成RootCA
备份原有文件- shell# cd /etc/pki
- shell# mv CA CA.bak
生成Root CA
- shell# cd /etc/pki/tls/misc/
- shell# ./CA.pl -newca
下面为脚本的输出
- CA certificate filename (or enter to create)
- MakingCAcertificate...
- Generatinga1024bitRSAprivatekey
- .....++++++
- ...................................++++++
- writingnewprivatekeyto'../../CA/private/cakey.pem'
- EnterPEMpassphrase:
- Verifying-EnterPEMpassphrase:
- -----
- Youareabouttobeaskedtoenterinformationthatwillbeincorporated
- intoyourcertificaterequest.
- WhatyouareabouttoenteriswhatiscalledaDistinguishedNameoraDN.
- Therearequiteafewfieldsbutyoucanleavesomeblank
- Forsomefieldstherewillbeadefaultvalue,
- Ifyouenter'.',thefieldwillbeleftblank.
- -----
- CountryName(2lettercode)[CN]:CN
- StateorProvinceName(fullname)[Liaoning]:Liaoning
- LocalityName(eg,city)[Dalian]:Dalian
- OrganizationName(eg,company)[MyCompanyLtd]:testdotcom
- OrganizationalUnitName(eg,section)[]:test
- CommonName(eg,yournameoryourserver'shostname)[]:test
- EmailAddress[]:[email protected]
- Pleaseenterthefollowing'extra'attributes
- tobesentwithyourcertificaterequest
- Achallengepassword[]:
- Anoptionalcompanyname[]:
- Usingconfigurationfrom/etc/pki/tls/openssl.cnf
- Enterpassphrasefor../../CA/private/cakey.pem:
- Checkthattherequestmatchesthesignature
- Signatureok
- CertificateDetails:
- SerialNumber:
- f4:60:02:37:19:43:e5:5e
- Validity
- NotBefore:Dec213:23:112009GMT
- NotAfter:Dec113:23:112012GMT
- Subject:
- countryName=CN
- stateOrProvinceName=Liaoning
- organizationName=testdotcom
- organizationalUnitName=test
- commonName=test
- [email protected]
- X509v3extensions:
- X509v3SubjectKeyIdentifier:
- 77:21:CF:21:FA:CA:2E:92:D1:7D:9D:D8:F9:7C:05:A1:EE:57:4A:DC
- X509v3AuthorityKeyIdentifier:
- keyid:77:21:CF:21:FA:CA:2E:92:D1:7D:9D:D8:F9:7C:05:A1:EE:57:4A:DC
- DirName:/C=CN/ST=Liaoning/O=testdotcom/OU=test/CN=test/[email protected]
- serial:F4:60:02:37:19:43:E5:5E
- X509v3BasicConstraints:
- CA:TRUE
- CertificateistobecertifieduntilDec113:23:112012GMT(1095days)
- Write out database with 1 new entries
- Data Base Updated
8.1.2生成私钥和req文件
1. 建立私钥目录- shell# mkdir /etc/pki/myca
- shell# cd /etc/pki/myca
2. 生成私钥和req文件
- shell# openssl req -new -nodes -keyout mailkey.pem -out mailreq.pem -days 3650
下面为输出内容:
- Generating a 1024 bit RSA private key
- ....++++++
- ....++++++
- writing new private key to 'mailkey.pem'
- -----
- You are about to be asked to enter information that will be incorporated
- into your certificate request.
- What you are about to enter is what is called a Distinguished Name or a DN.
- There are quite a few fields but you can leave some blank
- For some fields there will be a default value,
- If you enter '.', the field will be left blank.
- -----
- Country Name (2 letter code) [CN]: CN
- State or Province Name (full name) [Liaoning]: Liaoning
- Locality Name (eg, city) [Dalian]: Dalian
- Organization Name (eg, company) [My Company Ltd]:test dot com
- Organizational Unit Name (eg, section) []:test
- Common Name (eg, your name or your server's hostname) []:test
- Email Address []:[email protected]
- Please enter the following 'extra' attributes
- to be sent with your certificate request
- A challenge password []:
- An optional company name []:
查看文件是否生成:
- shell# cd /etc/pki/myca
- shell# ls -l
- total 8
- -rw-r--r-- 1 root root 887 Dec 2 21:28 mailkey.pem
- -rw-r--r-- 1 root root 700 Dec 2 21:28 mailreq.pem
在上面文件中mailkey.pem为私钥,mailreq.pem为req文件。
8.1.3 签署req文件- shell# openssl x509 -req -days 3650 -in mailreq.pem -signkey mailkey.pem -out mailcert.pem
输出内容
- Signature ok
- subject=/C=CN/ST=Liaoning/L=Dalian/O=test dot com/OU=test/CN=test/[email protected]
- Getting Private key
将root CA 复制到私钥的目录中
- shell# cp /etc/pki/CA/cacert.pem /etc/pki/myca
8.2配置postfix
修改 /etc/postfix/main.cf 增加一下几行- # tls setting for smtp server
- smtpd_use_tls = yes
- smtpd_tls_key_file = /etc/pki/myca/mailkey.pem
- smtpd_tls_cert_file = /etc/pki/myca/mailcert.pem
- smtpd_tls_CAfile = /etc/pki/myca/cacert.pem
- #smtpd_tls_security_level = encrypt
- smtpd_tls_received_header = yes
- smtpd_enforce_tls = yes
- smtpd_tls_loglevel = 2
- # tls setting for smtp client
- smtp_use_tls = yes
- smtp_tls_key_file = /etc/pki/myca/mailkey.pem
- smtp_tls_cert_file = /etc/pki/myca/mailcert.pem
- smtp_tls_CAfile = /etc/pki/myca/cacert.pem
- #smtp_tls_policy_maps = hash:/etc/postfix/tls_policy_maps
修改/etc/postfix/master.cf文件
增加下面内容:- smtps inet n - n - - smtpd
- -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
重启动postfix
source:
http://bbs.chinaunix.net/archiver/tid-1664576.html
http://bbs.chinaunix.net/viewthread.php?tid=1664576