一、安裝
yum install postfix dovecot
二、先設定postfix並檢查可否寄信
1.先設定postfix設定檔 /etc/postfix/main.cf
依下列設定修改
inet_interfaces = all
#myhostname 請填完整主機名稱(FQDN)。注意 Postfix main.cf 不支援行尾註解：寫成「myhostname = 值 #FQDN」時，「#FQDN」會被當成參數值的一部分，註解請獨立成一行
myhostname = 你的完整主機名稱
mydomain = 你的網域
myorigin = $mydomain
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
#mynetworks 內的來源不需驗證即可直接轉寄(relay)，請只列真正信任的網段。
#fe80::/64 是整個 link-local 範圍，列入後同一 L2 網段上的任何主機都能不經驗證 relay；
#若只是要放行本機的 IPv6，建議改為 [::1]/128 或該主機的單一位址 /128。依 postconf(5)，IPv6 位址應以中括號包起來，例如 [fe80::21c:25ff:fe10:984f]/128
mynetworks = 你信任的IP網段, 127.0.0.0/8, [::1]/128
home_mailbox = Maildir/
#指定 hash: 表時必須先建立 /etc/postfix/virtual（內容可暫時為空）並執行 postmap /etc/postfix/virtual 產生 virtual.db，
#否則 Postfix 開啟資料庫失敗時會報錯、信件會被延遲
virtual_alias_maps = hash:/etc/postfix/virtual
2.重啟動postfix
service postfix restart
3.將服務設定為開機時自動啟動
chkconfig postfix on
4.測試,請依下列範例輸入指令與測試文字(範例中使用者輸入的部分為 ehlo、mail from、rcpt to、data、內文、. 與 quit),每行按下Enter執行
假設系統已經有一個帳號叫做itest
4.1.
[root@dns etc]# telnet localhost smtp
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 你的完整主機名稱 ESMTP Postfix
ehlo localhost
250-你的完整主機名稱
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:<itest>
250 2.1.0 Ok
rcpt to:<itest>
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Welcome to use postfix mail system
.
250 2.0.0 Ok: queued as DF96FA1A04
quit
221 2.0.0 Bye
Connection closed by foreign host.
4.2.接著到/home/itest/Maildir/new檢查有沒有信件
[root@dns Maildir]# cd /home/itest/Maildir/new
[root@dns new]# ls
1384758650.Vfd02I180000bM984466.你的完整主機名稱
[root@dns new]# cat 1384758650.Vfd02I180000bM984466.你的完整主機名稱
Return-Path: <itest@你的完整主機名稱>
X-Original-To: itest
Delivered-To: itest@你的完整主機名稱
Received: from 你的完整主機名稱 (你的完整主機名稱 [IPv6:::1])
by 你的完整主機名稱 (Postfix) with SMTP id DF96FA1A04
for <itest>; Mon, 18 Nov 2013 15:09:54 +0800 (CST)
Message-Id: <20131118071010.DF96FA1A04@你的完整主機名稱>
Date: Mon, 18 Nov 2013 15:09:54 +0800 (CST)
From: itest@你的完整主機名稱
To: undisclosed-recipients:;
Welcome to use postfix mail system
[root@dns new]#
三、設定SMTP驗證,使用dovecot施行SASL
1.修改/etc/postfix/main.cf 於檔案最後面加上
#注意：main.cf 中以 # 開頭的獨立行才是註解；以空白開頭的行會被視為上一行的續行
smtpd_helo_required = yes
smtpd_reject_unlisted_sender = yes
#在 main.cf 啟用 SASL 表示 port 25 也會宣告 AUTH；若用戶端都走 submission(587)，
#建議此處設為 no，只在 master.cf 的 submission 區段以 -o smtpd_sasl_auth_enable=yes 開啟
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
#這行只有 permit_sasl_authenticated，清單結尾隱含 permit，等於沒有擋任何人；真正的轉寄管制在 smtpd_recipient_restrictions
smtpd_client_restrictions = permit_sasl_authenticated
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
#PLAIN/LOGIN 在未加密的連線上是明文傳送帳號密碼。若要禁止明文驗證，可將未加密連線設為 noanonymous, noplaintext，
#並以 smtpd_sasl_tls_security_options 保留 TLS 連線上的 PLAIN/LOGIN（或設 smtpd_tls_auth_only = yes 只在 STARTTLS 之後才宣告 AUTH）
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
#permit_mynetworks / permit_sasl_authenticated 之後一定要有 reject_unauth_destination，否則就是 open relay
smtpd_recipient_restrictions = permit_mynetworks,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain
mailbox_size_limit = 51200000
message_size_limit = 10240000
#若需使用SSL/TLS請加入下列參數
#若 /etc/dovecot/conf.d/10-auth.conf 中設定 disable_plaintext_auth = yes，則需強制使用 TLS
#Postfix 2.3 以後以 *_tls_security_level 取代舊參數 smtpd_use_tls / smtp_use_tls / smtpd_enforce_tls：
#may = 提供 STARTTLS 但不強制（相當於 smtpd_use_tls = yes 加 smtpd_enforce_tls = no），encrypt = 強制加密
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
#建議：只在 STARTTLS 之後才宣告 AUTH，避免帳號密碼明文經過網路。
#啟用後本文第14步以 telnet 明文做的 AUTH 測試會拿不到 AUTH 選項，需改用 openssl s_client -starttls smtp 測試
#smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/你製作的憑證.crt
#私鑰檔應由 root 持有且權限 0600
smtpd_tls_key_file = /etc/pki/tls/private/你製作的憑證.key
2.修改 /etc/postfix/master.cf
注意：
(a) 服務定義之後的 -o 行必須以空白開頭(續行)。
(b) -o name=value 的值不可包含空白或換行，原文把 smtpd_recipient_restrictions 的清單拆成多行會被 master 當成不同的參數而失效；
    做法是先在 main.cf 定義一個自訂參數，再於 master.cf 引用：
    mua_recipient_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject
    (原文清單第一項誤植為 eject_non_fqdn_recipient，Postfix 會視為未知的限制而報錯，上面已更正為 reject_non_fqdn_recipient)
submission inet n - - - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_login_maps=hash:/etc/postfix/virtual
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  -o smtpd_recipient_restrictions=$mua_recipient_restrictions
#若需使用SSL/TLS(SMTPS, port 465)請加入下列參數
#smtps 一定要加 smtpd_tls_wrappermode=yes；少了這行 465 只是另一個明文 SMTP 埠，用戶端在上面做 AUTH 會把帳號密碼明文送出
smtps inet n - n - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=$mua_recipient_restrictions
3.修改dovecot設定檔 /etc/dovecot/dovecot.conf
protocols = imap pop3 lmtp #請依需求設定
4.修改dovecot設定檔/etc/dovecot/conf.d/10-auth.conf
#設為 no 時，POP3(110)/IMAP(143) 與 Postfix 的 SASL 都接受在未加密連線上送出的明文密碼；
#若要強制只能在 SSL/TLS 上驗證請改為 yes（Dovecot 對本機 127.0.0.1/::1 的連線仍視為安全）
disable_plaintext_auth = no
auth_mechanisms = plain login
#若有使用webmail且使用資料庫,記得設定auth_username_format參數
# Username formatting before it's looked up from databases. You can use
# the standard variables here, eg. %Lu would lowercase the username, %n would
# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
# "-AT-". This translation is done after auth_username_translation changes.
#auth_username_format =
#%n 會去掉 @ 之後的網域：user@任何網域 都會對應到同一個系統帳號 user。
#單一網域的主機這樣設沒有問題；若同一台主機要服務多個網域，不要用 %n，否則不同網域的同名帳號會被視為同一人
auth_username_format = %n
5.修改dovecot設定檔/etc/dovecot/conf.d/10-master.conf
service imap-login {
inet_listener imap {
port = 143
}
inet_listener imaps {
port = 993
ssl = yes
}
# Number of connections to handle before starting a new process. Typically
# the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
# is faster. <doc/wiki/LoginProcess.txt>
service_count = 1
# Number of processes to always keep waiting for more connections.
#process_min_avail = 0
# If you set service_count=0, you probably need to grow this.
#vsz_limit = 64M
}
service pop3-login {
inet_listener pop3 {
port = 110
}
inet_listener pop3s {
port = 995
ssl = yes
}
service_count = 1
}
service auth {
# auth_socket_path points to this userdb socket by default. It's typically
# used by dovecot-lda, doveadm, possibly imap process, etc. Its default
# permissions make it readable only by root, but you may need to relax these
# permissions. Users that have access to this socket are able to get a list
# of all usernames and get results of everyone's userdb lookups.
#本文由 Postfix 自己投遞到 ~/Maildir，沒有用 dovecot-lda / LMTP，Postfix 並不需要 userdb socket；
#如上面英文說明，拿到這個 socket 的程序可以列出所有使用者，若非必要建議維持預設(只有 root 可讀)，不要開給 postfix
unix_listener auth-userdb {
mode = 0600
user = postfix
group = postfix
}
# Postfix smtp-auth
#只有 postfix 需要連這個 socket，依 Dovecot 官方範例把權限收斂為 0660 並指定 owner，
#避免本機上任何使用者都能直接對 SASL 驗證 socket 做密碼猜測
#(/var/spool/postfix/private 目錄本身通常只有 postfix 可進入，但不該只依賴目錄權限)
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
# Auth process is run as this user.
#user = $default_internal_user
}
6.修改/etc/dovecot/conf.d/10-ssl.conf
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
#yes 只是「提供」SSL/TLS，110/143 仍可明文登入；要強制所有連線加密請設 required
#(或至少在 10-auth.conf 設 disable_plaintext_auth = yes，禁止在未加密連線上送密碼)
#ssl = yes
ssl = yes
7.修改/etc/pki/dovecot/dovecot-openssl.cnf 重新定義自己的憑證資訊
[ req ]
# 1024 位元 RSA 已低於現行安全下限，新版 OpenSSL/用戶端可能拒絕；請至少使用 2048
default_bits = 2048
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
[ req_dn ]
# country (2 letter code)
#C=FI
C=TW
# State or Province Name (full name)
#ST=
ST=Taiwan Republic Of China
# Locality Name (eg. city)
#L=Helsinki
L=Taipei
# Organization (eg. company)
#O=Dovecot
O=你的公司名稱
# Organizational Unit Name (eg. section)
OU=IMAP server
# Common Name (*.example.com is also possible)
#CN=imap.example.com
CN=你的網域
# E-mail contact
#emailAddress=postmaster@example.com
emailAddress=你的電子郵件帳號
[ cert_type ]
nsCertType = server
# 新版郵件用戶端以 subjectAltName 比對主機名稱，只有 CN 時可能被判定為名稱不符；可加上(需與用戶端連線用的名稱一致)：
#subjectAltName = DNS:你的網域
8.建立產生新憑證的批次檔 /etc/pki/dovecot/mkcert.sh 可建立有效期限一年的憑證
其內容如下:
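#!/bin/sh
# Generates a self-signed certificate + private key for Dovecot.
# Edit dovecot-openssl.cnf before running this.
#
# Environment overrides (all optional):
#   OPENSSL        openssl binary                 (default: openssl)
#   SSLDIR         base directory                 (default: /etc/pki/dovecot)
#   OPENSSLCONFIG  openssl req config file        (default: $SSLDIR/dovecot-openssl.cnf)
#   DAYS           certificate validity in days   (default: 365)
#
# Outputs: $SSLDIR/certs/dovecot.pem (certificate, 0644) and
#          $SSLDIR/private/dovecot.pem (unencrypted private key, 0600).
# Exit status: 0 on success; 1 on a precondition failure (missing directory
# or config, or an output file already exists -- this script never
# overwrites); 2 when an openssl invocation fails.

# Fail loudly on an unset/typo'd variable instead of expanding it to "".
set -u

OPENSSL=${OPENSSL-openssl}
SSLDIR=${SSLDIR-/etc/pki/dovecot}
# Anchor the config to SSLDIR so the script works from any working directory
# (a bare relative name only resolved when run from inside SSLDIR).
OPENSSLCONFIG=${OPENSSLCONFIG-$SSLDIR/dovecot-openssl.cnf}
DAYS=${DAYS-365}
CERTDIR=$SSLDIR/certs
KEYDIR=$SSLDIR/private
CERTFILE=$CERTDIR/dovecot.pem
KEYFILE=$KEYDIR/dovecot.pem

# Preconditions: both target directories exist, the config is readable, and
# neither output exists (refuse to clobber a key that may be in use).
if [ ! -d "$CERTDIR" ]; then
  echo "$CERTDIR directory doesn't exist" >&2
  exit 1
fi
if [ ! -d "$KEYDIR" ]; then
  echo "$KEYDIR directory doesn't exist" >&2
  exit 1
fi
if [ ! -r "$OPENSSLCONFIG" ]; then
  echo "$OPENSSLCONFIG config file doesn't exist or is not readable" >&2
  exit 1
fi
if [ -f "$CERTFILE" ]; then
  echo "$CERTFILE already exists, won't overwrite" >&2
  exit 1
fi
if [ -f "$KEYFILE" ]; then
  echo "$KEYFILE already exists, won't overwrite" >&2
  exit 1
fi

# Create the key file with restrictive permissions from the outset.  A chmod
# after openssl returns leaves a window in which the private key is readable
# by everyone under the usual default umask (022 -> 0644).
umask 077
# -nodes writes the key unencrypted (it overrides encrypt_key in the config)
# so dovecot can load it without a passphrase; the key size comes from
# default_bits in the config file.
"$OPENSSL" req -new -x509 -nodes -config "$OPENSSLCONFIG" \
  -out "$CERTFILE" -keyout "$KEYFILE" -days "$DAYS" || exit 2
# The certificate is public data; give it back the conventional readability
# the original umask would have produced.  The key stays private.
chmod 0644 "$CERTFILE"
chmod 0600 "$KEYFILE"

echo
"$OPENSSL" x509 -subject -fingerprint -noout -in "$CERTFILE" || exit 2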
9.將原本安裝dovecot提供的憑證更名
mv /etc/pki/dovecot/private/dovecot.pem /etc/pki/dovecot/private/dovecot.pem-old
mv /etc/pki/dovecot/certs/dovecot.pem /etc/pki/dovecot/certs/dovecot.pem-old
10.執行批次檔
[root@dns dovecot]# sh mkcert.sh
Generating a 1024 bit RSA private key
.................++++++
..............++++++
writing new private key to '/etc/pki/dovecot/private/dovecot.pem'
-----
11.重啟動dovecot
service dovecot restart
12.設定服務開機時自動啟動
chkconfig dovecot on
13.重啟動postfix
service postfix restart
14.測試smtp,需出現 250-AUTH PLAIN LOGIN 與 250-AUTH=PLAIN LOGIN 字樣(後者是 broken_sasl_auth_clients = yes 為舊版 Outlook / Outlook Express 等用戶端額外宣告的格式)
假設測試帳號為itest、密碼為 ispwd
注意：把密碼寫在指令列會留在 shell history 與其他使用者可見的 ps 輸出中，請用測試專用帳號，測試完記得清掉 history 中該行並更換密碼
[root@dns log]# perl -MMIME::Base64 -e 'print encode_base64("\000itest\000ispwd");'
AGl0ZXN0AGlzcHdk
產生驗證用的字串為 AGl0ZXN0AGlzcHdk（這只是 base64 編碼，不是加密，任何人都能還原出帳號密碼）
（以下用 telnet 在未加密的連線上送 AUTH PLAIN，帳號密碼是明文經過網路，只適合對 localhost 測試。
  要測試對外的路徑請改用 openssl s_client -starttls smtp -connect 你的完整主機名稱:587，完成 STARTTLS 後再送 AUTH）
[root@dns new]# telnet localhost smtp
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 你的完整主機名稱 ESMTP Postfix
ehlo localhost
250-你的完整主機名稱
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:<itest>
250 2.1.0 Ok
rcpt to:<itest@你的網域>
250 2.1.5 Ok
rcpt to:<測試收件人@測試收件網域>
554 5.7.1 <測試收件人@測試收件網域>: Relay access denied
EHLO 你的網域
250-你的完整主機名稱
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN AGl0ZXN0AGlzcHdk
235 2.7.0 Authentication successful
quit
221 2.0.0 Bye
Connection closed by foreign host.
在/var/log/maillog中有如下訊息(這是預期中的拒絕,不是錯誤)
Nov 18 16:05:02 dns postfix/smtpd[19343]: EF75AA1A92: reject: RCPT from 你的完整主機名稱[::1]: 554 5.7.1 <測試收件人@測試收件網域>: Relay access denied; from=<itest> to=<測試收件人@測試收件網域> proto=ESMTP helo=<localhost>
上列訊息證明兩件事：未驗證前對外部網域的 RCPT 會被拒絕(554 Relay access denied)，以及 AUTH PLAIN 能成功(235)。
但上面的流程在 235 之後就 quit 了，並沒有驗證「驗證後可以對外寄信」；請在 235 之後再送一次 mail from:<itest@你的網域> 與 rcpt to:<測試收件人@測試收件網域>，應得到 250 而不是 554，這樣才算完整確認。
15.測試憑證
openssl s_client -connect 你的網域:pop3s
(自簽憑證會顯示 Verify return code: 18 (self signed certificate)，屬正常；請確認輸出中的 subject 與用戶端連線用的主機名稱一致。
 要測 Postfix 的 STARTTLS 可用 openssl s_client -starttls smtp -connect 你的完整主機名稱:587)
備註:
若一直無法寄信,且記錄檔出現類似「SASL LOGIN authentication failed」的訊息時：
本文設定 smtpd_sasl_type = dovecot，驗證是由 dovecot 的 auth 程序透過 /var/spool/postfix/private/auth 處理，與 saslauthd 無關；
請先確認 dovecot 已啟動、該 socket 存在且 postfix 有權限連線，並查看 dovecot 的驗證記錄(auth_verbose = yes)。
只有在 postconf smtpd_sasl_type 顯示 cyrus 時才需要檢查 saslauthd 服務是否啟動(chkconfig saslauthd on 可設定開機自動啟動)。
四、使用dovecot執行pop3驗證
1.設定/etc/dovecot/conf.d/10-mail.conf
#設定郵件目錄
#需與 /etc/postfix/main.cf 中設定的 home_mailbox = Maildir/ 相同
mail_location = maildir:~/Maildir
#設定郵件目錄的存取權限給已建立的群組mail
#若未設定則會出現類似訊息 -ERR [IN-USE] Couldn't open INBOX: Internal error occurred. Refer to server log for more information. [2013-11-18 17:35:20]
mail_access_groups = mail
2.設定/etc/dovecot/conf.d/10-master.conf
service pop3-login {
inet_listener pop3 {
port = 110
}
inet_listener pop3s {
port = 995
ssl = yes
}
#service_count = 1 表示每個 login process 只處理一條連線後就結束(每條連線一個獨立、權限受限的程序)，
#隔離性較好、較安全，但連線量大時開銷較高；注意它並不是限制同一使用者只能有一條連線
# Number of connections to handle before starting a new process. Typically
# the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
# is faster. <doc/wiki/LoginProcess.txt>
service_count = 1
}
3.設定/etc/dovecot/conf.d/20-pop3.conf
pop3_uidl_format = %08Xu%08Xv
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
4.測試pop3
假設測試帳號為itest、密碼為ispwd
(此測試在未加密的 110 port 上送出密碼，只適合對 localhost 測試；對外請改用 openssl s_client -connect 你的網域:995 後再輸入 user/pass)
[root@dns log]# telnet localhost pop3
Trying ::1...
Connected to localhost.
Escape character is '^]'.
+OK Dovecot ready.
user itest
+OK
pass ispwd
+OK Logged in.
五、使用dovecot提供imap服務
1.修改/etc/dovecot/conf.d/10-master.conf
service imap-login {
inet_listener imap {
port = 143
}
inet_listener imaps {
port = 993
ssl = yes
}
#service_count = 1 表示每個 login process 只處理一條連線後就結束(每條連線一個獨立、權限受限的程序)，
#隔離性較好、較安全，但連線量大時開銷較高；注意它並不是限制同一使用者只能有一條連線
# Number of connections to handle before starting a new process. Typically
# the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
# is faster. <doc/wiki/LoginProcess.txt>
service_count = 1
#使用process參數process_limit控管同一時間可登入使用者連線process數時要注意,
#使用SSL/TLS或SSL/TLS proxying processes會有模擬登入的process,
#所以此參數值必須大於所有使用者數量,以免造成全部使用者無法同時登入的狀況
# Number of processes to always keep waiting for more connections.
#process_min_avail = 0
#$default_process_limit預設為100
#process_limit同一時間可登入使用者連線數
#process_limit = $default_process_limit
# If you set service_count=0, you probably need to grow this.
#vsz_limit = 64M
}
六、設定dovecot的記錄檔設定,用來測試除錯,當測試無誤時,請依自身狀況關閉除錯參數
修改/etc/dovecot/conf.d/10-logging.conf
#
## Log destination.
##
# Log file to use for error messages. "syslog" logs to syslog,
# /dev/stderr logs to stderr.
#log_path = syslog
log_path = /var/log/dovecot/dovecot.log
# Log file to use for informational messages. Defaults to log_path.
#info_log_path =
info_log_path = /var/log/dovecot/dovecot-info.log
# Log file to use for debug messages. Defaults to info_log_path.
#debug_log_path =
#原文寫成相對路徑 dovecot-debug.log，實際寫到哪裡可能取決於 dovecot 程序的工作目錄；與上兩項一致改用絕對路徑
debug_log_path = /var/log/dovecot/dovecot-debug.log
##
## Logging verbosity and debugging.
##
# Log unsuccessful authentication attempts and the reasons why they failed.
#auth_verbose = no
auth_verbose = yes
# Even more verbose logging for debugging purposes. Shows for example SQL
# queries.
#auth_debug = no
auth_debug = yes
# Enable mail process debugging. This can help you figure out why Dovecot
# isn't finding your mails.
#mail_debug = no
mail_debug = yes
# Show protocol level SSL errors.
#verbose_ssl = no
verbose_ssl = yes
其他:檢查dovecot使用port
(下列輸出顯示明文的 110/143 也綁在所有介面上；若只想對外提供加密連線，可在 10-master.conf 的 inet_listener imap / pop3 區段設 port = 0 關閉明文埠，或以防火牆只開放 993/995)
[root@dns conf.d]# netstat -tlnp | grep dovecot
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 8226/dovecot
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 8226/dovecot
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 8226/dovecot
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 8226/dovecot
tcp 0 0 :::110 :::* LISTEN 8226/dovecot
tcp 0 0 :::143 :::* LISTEN 8226/dovecot
tcp 0 0 :::993 :::* LISTEN 8226/dovecot
tcp 0 0 :::995 :::* LISTEN 8226/dovecot
常用指令:
列出postfix全部參數設定 postconf
列出使用者自定的參數設定 postconf -n
查詢postfix版本 postconf mail_version
參考資料:
http://www.postfix.org/STANDARD_CONFIGURATION_README.html
http://www.postfix.org/TLS_README.html
http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
http://wiki.centos.org/zh-tw/HowTos/postfix_sasl
http://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL
http://wiki2.dovecot.org/LoginProcess
http://wiki2.dovecot.org/POP3Server
http://wiki2.dovecot.org/Logging
http://wiki2.dovecot.org/SSL/DovecotConfiguration