一、安裝

yum install postfix dovecot

 

二、先設定postfix並檢查可否寄信

 1.先設定postfix設定檔 /etc/postfix/main.cf

    依下列設定修改        

     inet_interfaces = all

     myhostname = 你的完整主機名稱 #FQDN

     mydomain = 你的網域

     myorigin = $mydomain

     inet_protocols = all

     mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain

     mynetworks = 你信任的IP網段, 127.0.0.0/8, fe80::21c:25ff:fe10:984f/64

     home_mailbox = Maildir/

    virtual_alias_maps = hash:/etc/postfix/virtual

2.重啟動postfix

   service postfix restart

3.將服務設定為開機時自動啟動

   chkconfig postfix on

4.測試,請依紅字輸入指令與測試文字後,按下Enter執行

   假設系統已經有一個帳號叫做itest

   4.1.

   [root@dns etc]# telnet localhost smtp
   Trying ::1...
   Connected to localhost.
   Escape character is '^]'.
   220 你的完整主機名稱 ESMTP Postfix
   ehlo localhost
   250-你的完整主機名稱
   250-PIPELINING
   250-SIZE 10240000
   250-VRFY
   250-ETRN
   250-ENHANCEDSTATUSCODES
   250-8BITMIME
   250 DSN
   mail from:<itest>
   250 2.1.0 Ok
   rcpt to:<itest>
   250 2.1.5 Ok
   data
   354 End data with <CR><LF>.<CR><LF>
   Welcome to use postfix mail system
     .
   250 2.0.0 Ok: queued as DF96FA1A04
   quit
   221 2.0.0 Bye
   Connection closed by foreign host.

   4.2.接著到/home/itest/Maildir/new檢查有沒有信件

   [root@dns Maildir]# cd /home/itest/Maildir/new
   [root@dns new]# ls
   1384758650.Vfd02I180000bM984466.你的完整主機名稱
   [root@dns new]# cat 1384758650.Vfd02I180000bM984466.你的完整主機名稱 
   Return-Path: <itest@你的完整主機名稱>
   X-Original-To: itest
   Delivered-To: itest@你的完整主機名稱
   Received: from 你的完整主機名稱 (你的完整主機名稱 [IPv6:::1])
                      by 你的完整主機名稱 (Postfix) with SMTP id DF96FA1A04
                      for <itest>; Mon, 18 Nov 2013 15:09:54 +0800 (CST)
   Message-Id: <20131118071010.DF96FA1A04@你的完整主機名稱>
   Date: Mon, 18 Nov 2013 15:09:54 +0800 (CST)
   From: itest@你的完整主機名稱
   To: undisclosed-recipients:;

   Welcome to use postfix mail system
   [root@dns new]#

 

三、設定SMTP驗證,使用dovecot施行SASL

1.修改/etc/postfix/main.cf 於檔案最後面加上

    smtpd_helo_required = yes
    smtpd_reject_unlisted_sender = yes
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes

    smtpd_client_restrictions = permit_sasl_authenticated
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    smtpd_sasl_security_options = noanonymous
    smtpd_recipient_restrictions = permit_mynetworks,

                                                   reject_non_fqdn_recipient,

                                                   reject_unknown_recipient_domain,

                                                   permit_sasl_authenticated,

                                                   reject_unauth_destination,

                                                   reject_non_fqdn_sender,

                                                   reject_unknown_sender_domain 
    mailbox_size_limit = 51200000
    message_size_limit = 10240000
    #若需使用SSL/TLS請加入下列參數

    #若/etc/dovecot/10-auth.conf 中,

    #設定參數 disable_plaintext_auth = yes,則需強制使用tls
    smtpd_enforce_tls = no 
    smtp_use_tls = yes
    smtpd_use_tls = yes
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_cert_file = /etc/pki/tls/certs/你製作的憑證.crt
    smtpd_tls_key_file = /etc/pki/tls/private/你製作的憑證.key

2.修改 /etc/postfix/master.cf

    submission inet n - - - - smtpd
          -o smtpd_tls_security_level=encrypt
          -o smtpd_sasl_auth_enable=yes
          -o smtpd_sasl_type=dovecot
          -o smtpd_sasl_path=private/auth
          -o smtpd_sasl_security_options=noanonymous
          -o smtpd_sasl_local_domain=$myhostname
          -o smtpd_client_restrictions=permit_sasl_authenticated,reject
          -o smtpd_sender_login_maps=hash:/etc/postfix/virtual
          -o smtpd_sender_restrictions=reject_sender_login_mismatch
          -o smtpd_recipient_restrictions=eject_non_fqdn_recipient,

                                                           reject_unknown_recipient_domain,

                                                           permit_sasl_authenticated,

                                                           reject_unauth_destination,

                                                           reject_non_fqdn_sender,

                                                           reject_unknown_sender_domain,

                                                           reject

    #若需使用SSL/TLS請加入下列參數

    smtps inet n - n - - smtpd
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_sasl_security_options=noanonymous
        -o smtpd_sasl_local_domain=$myhostname
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,

                                                         reject_unknown_recipient_domain,

                                                         permit_sasl_authenticated,reject_unauth_destination,

                                                         reject_non_fqdn_sender,

                                                         reject_unknown_sender_domain,

                                                         reject

3.修改dovecot設定檔 /etc/dovecot/dovecot.conf

    protocols = imap pop3  lmtp #請依需求設定

4.修改dovecot設定檔/etc/dovecot/conf.d/10-auth.conf

    disable_plaintext_auth = no #若需強制使用SSL驗證,請改為yes 否則改為no

    auth_mechanisms = plain login

    #若有使用webmail且使用資料庫,記得設定auth_username_format參數

    # Username formatting before it's looked up from databases. You can use
    # the standard variables here, eg. %Lu would lowercase the username, %n would
    # drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
    # "-AT-". This translation is done after auth_username_translation changes.
    #auth_username_format =
    auth_username_format = %n

5.修改dovecot設定檔/etc/dovecot/conf.d/10-master.conf

   service imap-login {

      inet_listener imap {

         port = 143

     }

     inet_listener imaps {

         port = 993

         ssl = yes

     }

 

    # Number of connections to handle before starting a new process. Typically

    # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0

    # is faster. <doc/wiki/LoginProcess.txt>

    service_count = 1

    # Number of processes to always keep waiting for more connections.

    #process_min_avail = 0

    # If you set service_count=0, you probably need to grow this.

    #vsz_limit = 64M

   }

   service pop3-login {

     inet_listener pop3 {

       port = 110

     }

    inet_listener pop3s {

       port = 995

       ssl = yes

    }

     service_count = 1

   }

    service auth {
          # auth_socket_path points to this userdb socket by default. It's typically
          # used by dovecot-lda, doveadm, possibly imap process, etc. Its default
          # permissions make it readable only by root, but you may need to relax these
          # permissions. Users that have access to this socket are able to get a list
          # of all usernames and get results of everyone's userdb lookups.
          unix_listener auth-userdb {
                 mode = 0600
                 user = postfix
                 group = postfix
          }

         # Postfix smtp-auth
         unix_listener /var/spool/postfix/private/auth {
                mode = 0666
         }

         # Auth process is run as this user.
         #user = $default_internal_user
     }

6.修改/etc/dovecot/conf.d/10-ssl.conf

     # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
     #ssl = yes
     ssl = yes

7.修改/etc/pki/dovecot/dovecot-openssl.cnf 重新定義自己的憑證資訊

    [ req ]
    default_bits = 1024
    encrypt_key = yes
    distinguished_name = req_dn
    x509_extensions = cert_type
    prompt = no

    [ req_dn ]
    # country (2 letter code)
    #C=FI
    C=TW

    # State or Province Name (full name)
    #ST=
    ST=Taiwan Republic Of China

    # Locality Name (eg. city)
    #L=Helsinki
    L=Taipei

    # Organization (eg. company)
    #O=Dovecot
    O=你的公司名稱

    # Organizational Unit Name (eg. section)
    OU=IMAP server

    # Common Name (*.example.com is also possible)
    #CN=imap.example.com
    CN=你的網域

    # E-mail contact
    #emailAddress=postmaster@example.com
    emailAddress=你的電子郵件帳號

    [ cert_type ]
    nsCertType = server

8.建立產生新憑證的批次檔 /etc/pki/dovecot/mkcert.sh 可建立有效期限一年的憑證

   其內容如下:

#!/bin/sh

# Generates a self-signed certificate.
# Edit dovecot-openssl.cnf before running this.

OPENSSL=${OPENSSL-openssl}
SSLDIR=${SSLDIR-/etc/pki/dovecot}
OPENSSLCONFIG=${OPENSSLCONFIG-dovecot-openssl.cnf}

CERTDIR=$SSLDIR/certs
KEYDIR=$SSLDIR/private

CERTFILE=$CERTDIR/dovecot.pem
KEYFILE=$KEYDIR/dovecot.pem

if [ ! -d $CERTDIR ]; then
echo "$SSLDIR/certs directory doesn't exist"
exit 1
fi

if [ ! -d $KEYDIR ]; then
echo "$SSLDIR/private directory doesn't exist"
exit 1
fi

if [ -f $CERTFILE ]; then
echo "$CERTFILE already exists, won't overwrite"
exit 1
fi

if [ -f $KEYFILE ]; then
echo "$KEYFILE already exists, won't overwrite"
exit 1
fi

$OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 365 || exit 2
chmod 0600 $KEYFILE
echo
$OPENSSL x509 -subject -fingerprint -noout -in $CERTFILE || exit 2

9.將原本安裝dovecot提供的憑證更名

    mv /etc/pki/dovecot/private/dovecot.pem /etc/pki/dovecot/private/dovecot.pem-old

    mv /etc/pki/dovecot/certs/dovecot.pem /etc/pki/dovecot/certs/dovecot.pem-old     

10.執行批次檔

[root@dns dovecot]# sh mkcert.sh

Generating a 1024 bit RSA private key

.................++++++

..............++++++

writing new private key to '/etc/pki/dovecot/private/dovecot.pem'

-----

11.重啟動dovecot

      service dovecot restart

12.設定服務開機時自動啟動

    chkconfig dovecot on

13.重啟動postfix

      service postfix restart

14.測試smtp,需出現250-AUTH PLAIN LOGIN250-AUTH PLAIN LOGIN字樣

     假設測試帳號為itest、密碼為 ispwd

     [root@dns log]# perl -MMIME::Base64 -e 'print encode_base64("\000itest\000ispwd");'
     AGl0ZXN0AGlzcHdk

       產生驗證用的字串為  AGl0ZXN0AGlzcHdk

     [root@dns new]# telnet localhost smtp
     Trying ::1...
     Connected to localhost.
     Escape character is '^]'.
     220 你的完整主機名稱 ESMTP Postfix
     ehlo localhost
     250-你的完整主機名稱
     250-PIPELINING
     250-SIZE 10240000
     250-VRFY
     250-ETRN
     250-AUTH PLAIN LOGIN
    
     250-ENHANCEDSTATUSCODES
     250-8BITMIME
     250 DSN
     mail from:<itest>
     250 2.1.0 Ok
     rcpt to:<itest@你的網域>
     250 2.1.5 Ok
     rcpt to:<測試收件人@測試收件網域>
     554 5.7.1 <測試收件人@測試收件網域>: Relay access denied

     EHLO 你的網域
     250-你的完整主機名稱
     250-PIPELINING
     250-SIZE 10240000
     250-VRFY
     250-ETRN
     250-AUTH PLAIN LOGIN
     250-AUTH=PLAIN LOGIN
     250-ENHANCEDSTATUSCODES
     250-8BITMIME
     250 DSN
    
AUTH PLAIN AGl0ZXN0AGlzcHdk
     235 2.7.0
Authentication successful

     quit
     221 2.0.0 Bye
     Connection closed by foreign host.

     在/var/log/maillog中有如下錯誤訊息

     Nov 18 16:05:02 dns postfix/smtpd[19343]: EF75AA1A92: reject: RCPT from 你的完整主機名稱[::1]: 554 5.7.1 <測試收件人@測試收件網域>: Relay access denied; from=<itest> to=<測試收件人@測試收件網域> proto=ESMTP helo=<localhost>

     由上列訊息證明SMTP驗證設定成功

15.測試憑證

          openssl s_client -connect 你的網域:pop3s

備註:

        若一直無法寄信,且記錄檔出現類似「SASL LOGIN authentication failed」的訊息時,

        檢查saslauthd服務是否啟動.

        執行chkconfig saslauthd on 可開機自動啟動服務

 

 

四、使用dovecot執行pop3驗證

1.設定/etc/dovecot/conf.d/10-mail.conf

    #設定郵件目錄

    #需與postfix.con設定的home_mailbox = Maildir/ 相同

    mail_location = maildir:~/Maildir

    #設定郵件目錄的存取權限給已建立的群組mail

    #若未設定則會出現類似訊息 -ERR [IN-USE] Couldn't open INBOX: Internal error occurred. Refer to server log for more information. [2013-11-18 17:35:20]

     mail_access_groups = mail

 2.設定/etc/dovecot/conf.d/10-master.conf

    service pop3-login {
          inet_listener pop3 {
              port = 110
         }
         inet_listener pop3s {
             port = 995
             ssl = yes
          }

         #把service_count設定為1,讓同一使用者只能同時使用一條process,
         #增進安全性,但不適用於人數多的公司
         # Number of connections to handle before starting a new process. Typically
         # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0 
         # is faster. <doc/wiki/LoginProcess.txt>
         service_count = 1

      }

 3.設定/etc/dovecot/conf.d/20-pop3.conf

     pop3_uidl_format = %08Xu%08Xv
     pop3_client_workarounds = outlook-no-nuls oe-ns-eoh

4.測試pop3

    假設測試帳號為itest、密碼為ispwd

     [root@dns log]# telnet localhost pop3
     Trying ::1...
     Connected to localhost.
     Escape character is '^]'.
     +OK Dovecot ready.
     user itest
     +OK
     pass ispwd
     +OK Logged in.

 

五、使用dovecot提供imap服務

1.修改/etc/dovecot/conf.d/10-master.conf

    service imap-login {
            inet_listener imap {
              port = 143
            }
            inet_listener imaps {
               port = 993
               ssl = yes
           }

           #把service_count設定為1,讓同一使用者只能同時使用一條process,
           #增進安全性,但不適用於人數多的公司
           # Number of connections to handle before starting a new process. Typically
           # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
           # is faster. <doc/wiki/LoginProcess.txt>
           service_count = 1

           #使用process參數process_limit控管同一時間可登入使用者連線process數時要注意,
           #使用SSL/TLS或SSL/TLS proxying processes會有模擬登入的process,
           #所以此參數值必須大於所有使用者數量,以免造成全部使用者無法同時登入的狀況
           # Number of processes to always keep waiting for more connections.
           #process_min_avail = 0
           #$default_process_limit預設為100
           #process_limit同一時間可登入使用者連線數
           #process_limit = $default_process_limit
           # If you set service_count=0, you probably need to grow this.
           #vsz_limit = 64M
        }

 

六、設定dovecot的記錄檔設定,用來測試除錯,當測試無誤時,請依自身狀況關閉除錯參數

     修改/etc/dovecot/conf.d/10-logging.conf

#
## Log destination.
##

# Log file to use for error messages. "syslog" logs to syslog,
# /dev/stderr logs to stderr.
#log_path = syslog
log_path = /var/log/dovecot/dovecot.log
# Log file to use for informational messages. Defaults to log_path.
#info_log_path =
info_log_path = /var/log/dovecot/dovecot-info.log
# Log file to use for debug messages. Defaults to info_log_path.
#debug_log_path =
debug_log_path = dovecot-debug.log

##
## Logging verbosity and debugging.
##

# Log unsuccessful authentication attempts and the reasons why they failed.
#auth_verbose = no
auth_verbose = yes

# Even more verbose logging for debugging purposes. Shows for example SQL
# queries.
#auth_debug = no
auth_debug = yes

# Enable mail process debugging. This can help you figure out why Dovecot
# isn't finding your mails.
#mail_debug = no
mail_debug = yes

# Show protocol level SSL errors.
#verbose_ssl = no
verbose_ssl = yes

     

 

其他:檢查dovecot使用port

[root@dns conf.d]# netstat -tlnp | grep dovecot

tcp        0      0 0.0.0.0:110                 0.0.0.0:*                   LISTEN      8226/dovecot        

tcp        0      0 0.0.0.0:143                 0.0.0.0:*                   LISTEN      8226/dovecot        

tcp        0      0 0.0.0.0:993                 0.0.0.0:*                   LISTEN      8226/dovecot        

tcp        0      0 0.0.0.0:995                 0.0.0.0:*                   LISTEN      8226/dovecot        

tcp        0      0 :::110                      :::*                        LISTEN      8226/dovecot        

tcp        0      0 :::143                      :::*                        LISTEN      8226/dovecot        

tcp        0      0 :::993                      :::*                        LISTEN      8226/dovecot        

tcp        0      0 :::995                      :::*                        LISTEN      8226/dovecot  

     

常用指令:

列出postfix全部參數設定 postconf 

列出使用者自定的參數設定 postconf -n

查詢postfix版本 postconf mail_version

 

參考資料:

http://www.postfix.org/STANDARD_CONFIGURATION_README.html

http://www.postfix.org/TLS_README.html

http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt

http://wiki.centos.org/zh-tw/HowTos/postfix_sasl

http://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL

http://wiki2.dovecot.org/LoginProcess

http://wiki2.dovecot.org/SSL

http://wiki2.dovecot.org/POP3Server

http://wiki2.dovecot.org/Logging

http://wiki2.dovecot.org/SSL/DovecotConfiguration

  

inet_protocols = all
FQDN
arrow
arrow
    文章標籤
    CENTOS postfix doveot
    全站熱搜

    K 發表在 痞客邦 留言(0) 人氣()