在Debian上安装iRedMail
参考文档:在 Debian 或 Ubuntu 系统上安装 iRedMail
先说结论:在debian上装iRedMail还是非常快的。功能也比FreeBSD版多一些(例如netdata、fail2ban)。
注意事项:
安装脚本会先安装三个包:gnupg2、dirmngr、dialog,如果使用的是官方默认源,可能会没有dialog而造成无法继续安装。
此时需要修改/etc/apt/sources.list文件,加入以下两句:
deb http://mirrors.ustc.edu.cn/debian bullseye main contrib
deb-src http://mirrors.ustc.edu.cn/debian bullseye main contrib
另外,参考文档中说需要安装tar和gzip,实际上默认安装后这两个包应该已经有了。
在第一阶段的准备过程的最后一步,默认选择了Roundcubemail、netdata、iRedAdmin、Fail2ban,SOGo默认未被选中。
由于debian版的安装过程是apt install,不存在编译源码的情况,所以整体安装过程耗时很短,大概只需数分钟。
另外,fail2ban与nftables配合工作,nftables的配置文件为:/etc/nftables.conf。
nft list ruleset查看现有规则
service nftables restart重启防火墙
/etc/postfix/main.cf
# --------------------
# INSTALL-TIME CONFIGURATION INFORMATION
# 安装时配置信息
#
# location of the Postfix queue. Default is /var/spool/postfix.
# Postfix队列的位置,默认是 /var/spool/postfix
queue_directory = /var/spool/postfix
# location of all postXXX commands. Default is /usr/sbin.
# postXXX命令的位置,默认是 /usr/sbin
command_directory = /usr/sbin
# location of all Postfix daemon programs (i.e. programs listed in the master.cf file). This directory must be owned by root.
# Default is /usr/libexec/postfix
# Postfix守护程序(例如master.cf文件中列出的程序)的位置。此目录的所有者必须是root。
# 默认是 /usr/libexec/postfix
daemon_directory = /usr/lib/postfix/sbin
# location of Postfix-writable data files (caches, random numbers).
# This directory must be owned by the mail_owner account (see below).
# Default is /var/lib/postfix.
# Postfix可写数据文件(缓存,随机数)的位置。此目录的所有者为mail_owner账户。
data_directory = /var/lib/postfix
# owner of the Postfix queue and of most Postfix daemon processes.
# Postfix队列和大多数Postfix守护进程的所有者。
# Specify the name of a user account THAT DOES NOT SHARE ITS USER OR GROUP ID
# WITH OTHER ACCOUNTS AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM.
# In particular, don't specify nobody or daemon. PLEASE USE A DEDICATED USER.
# 此账户必须指定,此账户不与其他账户共享UID或GID,且不拥有系统上其他文件或进程的权限。
# Default is postfix.
# 默认是 postfix。
mail_owner = postfix
# The following parameters are used when installing a new Postfix version.
# 安装新版本Postfix时使用以下参数
#
# sendmail_path: The full pathname of the Postfix sendmail command.
# This is the Sendmail-compatible mail posting interface.
# 与Sendmail兼容的邮件发送接口。
sendmail_path = /usr/sbin/sendmail
# newaliases_path: The full pathname of the Postfix newaliases command.
# This is the Sendmail-compatible command to build alias databases.
# 与Sendmail兼容的命令,用于构建alias数据库
newaliases_path = /usr/bin/newaliases
# full pathname of the Postfix mailq command. This is the Sendmail-compatible
# mail queue listing command.
# Postfix mailq命令的完整路径名。与Sendmail兼容的邮件队列列表命令。
mailq_path = /usr/bin/mailq
# group for mail submission and queue management commands.
# 邮件提交和队列管理命令的组。
# This must be a group name with a numerical group ID that is not shared with
# other accounts, not even with the Postfix account.
# 必须是个组名,其数字ID不能与其他账户共享,甚至不能与Postfix账户共享。
setgid_group = postdrop
# external command that is executed when a Postfix daemon program is run with
# the -D option.
# 使用-D选项运行Postfix守护进程时执行的外部命令。
#
# Use "command .. & sleep 5" so that the debugger can attach before
# the process marches on. If you use an X-based debugger, be sure to
# set up your XAUTHORITY environment variable before starting Postfix.
# 使用“command..&sleep 5”,以便调试器可以在进程前进之前附加。
# 如果使用基于X的调试器,请确保在启动Postfix之前设置XAUTHORITY环境变量。
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
debug_peer_level = 2
# --------------------
# CUSTOM SETTINGS
# 自定义设置
# SMTP server response code when recipient or domain not found.
# 找不到收件人或域时的SMTP服务器响应代码。
unknown_local_recipient_reject_code = 550
# Do not notify local user.
# 不要通知本地用户。
biff = no
# Disable the rewriting of "site!user" into "user@site".
# 禁用将"site!user"重写为"user@site".
swap_bangpath = no
# Disable the rewriting of the form "user%domain" to "user@domain".
# 禁止将表单"user%domain"重写为"user@domain".
allow_percent_hack = no
# Allow recipient address start with '-'.
# 允许收件人地址以'-'开头。
allow_min_user = no
# Disable the SMTP VRFY command. This stops some techniques used to
# harvest email addresses.
# 禁止使用SMTP VRFY命令,这可以阻止一些用于获取电子邮件地址的技术。
disable_vrfy_command = yes
# Enable both IPv4 and/or IPv6: ipv4, ipv6, all.
# 启用IPv4和/或IPv6,可用值为: ipv4, ipv6, all
inet_protocols = all
# Enable all network interfaces.
# 启用所有网卡
inet_interfaces = all
#
# TLS settings.
# TLS设置
# SSL key, certificate, CA
#SSL 密钥,证书,CA(Certification Authority,证书颁发机构)
smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail.crt
smtpd_tls_CApath = /etc/ssl/certs
#
# Disable SSLv2, SSLv3
# 禁用 SSLv2, SSLv3
smtpd_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_protocols = !SSLv2 !SSLv3
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
lmtp_tls_protocols = !SSLv2 !SSLv3
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3
#
# Fix 'The Logjam Attack'.
# 修复'The Logjam Attack'攻击
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_dh512_param_file = /etc/ssl/dh512_param.pem
smtpd_tls_dh1024_param_file = /etc/ssl/dh2048_param.pem
tls_random_source = dev:/dev/urandom
# Log only a summary message on TLS handshake completion — no logging of client
# certificate trust-chain verification errors if client certificate verification is not required.
# 仅记录TLS握手完成时的摘要消息-如果不需要客户端证书验证,则不记录客户端证书信任链验证错误。
# With Postfix 2.8 and earlier, log the summary message, peer certificate summary
# information and unconditionally log trust-chain verification errors.
# 使用Postfix 2.8及更早版本,记录摘要消息、对等证书摘要信息,并无条件记录信任链验证错误。
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1
# Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do
# not require that clients use TLS encryption.
# 投机性TLS:宣布对远程SMTP客户端的STARTTLS支持,但不要求客户端使用TLS加密。
smtpd_tls_security_level = may
# Produce `Received:` message headers that include information about the
# protocol and cipher used, as well as the remote SMTP client CommonName and
# client certificate issuer CommonName.
# 生成'Received:'消息头,其中包含有关所用协议和密码的信息,以及远程SMTP客户端CommonName和客户端证书颁发者CommonName。
# This is disabled by default, as the information may be modified in transit
# through other mail servers. Only information that was recorded by the final
# destination can be trusted.
# 默认情况下是禁用的,因为信息可能会在通过其他邮件服务器传输的过程中被修改。
# 只能信任最终目标记录的信息。
#smtpd_tls_received_header = yes
# Opportunistic TLS, used when Postfix sends email to remote SMTP server.
# 投机性TLS,在Postfix向远程SMTP服务器发送电子邮件时使用。
# Use TLS if this is supported by the remote SMTP server, otherwise use
# plaintext.
# 如果远程SMTP服务器支持TLS,则使用TLS,否则使用明文。
# References:参阅:
# - http://www.postfix.org/TLS_README.html#client_tls_may
# - http://www.postfix.org/postconf.5.html#smtp_tls_security_level
smtp_tls_security_level = may
# Use the same CA file as smtpd.
# 使用smtpd相同的CA文件
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_CAfile = $smtpd_tls_CAfile
smtp_tls_note_starttls_offer = yes
# Enable long, non-repeating, queue IDs (queue file names).
# 启用长且不重复的队列ID(队列文件名)
# The benefit of non-repeating names is simpler logfile analysis and easier
# queue migration (there is no need to run "postsuper" to change queue file
# names that don't match their message file inode number).
# 非重复名称的好处是更简单的日志文件分析和更容易的队列迁移
# (无需运行“postsuper”来更改与其消息文件inode号不匹配的队列文件名)。
enable_long_queue_ids = yes
# Reject unlisted sender and recipient
# 拒绝未列出的发件人和收件人
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
# Header and body checks with PCRE table
# 使用PCRE表检查邮件头和邮件体
header_checks = pcre:/etc/postfix/header_checks
body_checks = pcre:/etc/postfix/body_checks.pcre
# A mechanism to transform commands from remote SMTP clients.
# 转换来自远程SMTP客户端的命令的机制。
# This is a last-resort tool to work around client commands that break
# interoperability with the Postfix SMTP server. Other uses involve fault
# injection to test Postfix's handling of invalid commands.
# 这是解决客户端命令中断与Postfix SMTP服务器互操作性的最后手段。
# 其他用途包括故障注入,以测试Postfix对无效命令的处理。
# Requires Postfix-2.7+.
smtpd_command_filter = pcre:/etc/postfix/command_filter.pcre
# HELO restriction
# HELO 限制规定
smtpd_helo_required = yes
smtpd_helo_restrictions =
permit_mynetworks
permit_sasl_authenticated
check_helo_access pcre:/etc/postfix/helo_access.pcre
reject_non_fqdn_helo_hostname
reject_unknown_helo_hostname
# Sender restrictions
# 发送者限制规定
smtpd_sender_restrictions =
reject_non_fqdn_sender
reject_unlisted_sender
permit_mynetworks
permit_sasl_authenticated
check_sender_access pcre:/etc/postfix/sender_access.pcre
reject_unknown_sender_domain
# Recipient restrictions
# 接收者限制规定
smtpd_recipient_restrictions =
reject_non_fqdn_recipient
reject_unlisted_recipient
check_policy_service inet:127.0.0.1:7777
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
check_policy_service inet:127.0.0.1:12340
# END-OF-MESSAGE restrictions
# END-OF-MESSAGE限制规定
smtpd_end_of_data_restrictions =
check_policy_service inet:127.0.0.1:7777
# Data restrictions
# 数据限制规定
smtpd_data_restrictions = reject_unauth_pipelining
# SRS (Sender Rewriting Scheme) support
#sender_canonical_maps = tcp:127.0.0.1:7778
#sender_canonical_classes = envelope_sender
#recipient_canonical_maps = tcp:127.0.0.1:7779
#recipient_canonical_classes= envelope_recipient,header_recipient
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions $sender_dependent_relayhost_maps
# Avoid duplicate recipient messages. Default is 'yes'.
# 避免重复的收件人邮件。默认是yes。
enable_original_recipient = no
# Virtual support.
# 虚拟支持
virtual_minimum_uid = 2000
virtual_uid_maps = static:2000
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/vmail
# Do not set virtual_alias_domains.
# 不设置virtual_alias_domains
virtual_alias_domains =
#
# Enable SASL authentication on port 25 and force TLS-encrypted SASL authentication.
# 在端口25上启用SASL身份验证,并强制TLS加密的SASL身份验证。
# WARNING: NOT RECOMMENDED to enable smtp auth on port 25, all end users should
# be forced to submit email through port 587 instead.
#警告:不建议在端口25上启用smtp身份验证,应强制所有最终用户通过端口587提交电子邮件。
#smtpd_sasl_auth_enable = yes
#smtpd_sasl_security_options = noanonymous
#smtpd_tls_auth_only = yes
# hostname
# 主机名
myhostname = mail.abc.org
myorigin = mail.abc.org
mydomain = mail.abc.org
# trusted SMTP clients which are allowed to relay mail through Postfix.
# 允许通过Postfix中继邮件的受信任SMTP客户端。
# Note: additional IP addresses/networks listed in mynetworks should be listed
# in iRedAPD setting 'MYNETWORKS' (in `/opt/iredapd/settings.py`) too.
# 注意:mynetworks中列出的其他IP地址/网络也应列在iRedApp设置"mynetworks"(在/opt/iRedApp/settings.py)中
# for example:
#
# MYNETWORKS = ['xx.xx.xx.xx', 'xx.xx.xx.0/24', ...]
#
mynetworks = 127.0.0.1 [::1]
# Accepted local emails
# 接受的本地电子邮件
mydestination = $myhostname, localhost, localhost.localdomain
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
# Default message_size_limit.
# 默认邮件大小设置
message_size_limit = 15728640
# The set of characters that can separate a user name from its extension
# (example: user+foo), or a .forward file name from its extension (example:
# .forward+foo).
# 可以将用户名与其扩展名(例如: user+foo)或.forward文件名与其扩展名(例如.forward+foo)分隔的字符集。
# Postfix 2.11 and later supports multiple characters.
# Postfix2.11以及后续版本支持多字符。
recipient_delimiter = +
# The time after which the sender receives a copy of the message headers of mail that is still queued.
# 发件人收到仍在排队的邮件的邮件头副本的时间。
# Default setting is disabled (0h) by Postfix.
# 默认设置是disabled(0h)
#delay_warning_time = 1h
# Do not display the name of the recipient table in the "User unknown" responses.
# 不要在"User unknown"响应中显示收件人列表的名称。
# The extra detail makes trouble shooting easier but also reveals information
# that is nobody elses business.
# 额外的细节是故障排除变得更容易,但也会显示其他人都不关心的信息。
show_user_unknown_table_name = no
compatibility_level = 2
#
# Lookup virtual mail accounts
#查找虚拟邮件账户
transport_maps =
proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf
proxy:mysql:/etc/postfix/mysql/transport_maps_maillist.cf
proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf
sender_dependent_relayhost_maps =
proxy:mysql:/etc/postfix/mysql/sender_dependent_relayhost_maps.cf
# Lookup table with the SASL login names that own the sender (MAIL FROM) addresses.
smtpd_sender_login_maps =
proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
virtual_mailbox_domains =
proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
relay_domains =
$mydestination
proxy:mysql:/etc/postfix/mysql/relay_domains.cf
virtual_mailbox_maps =
proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_alias_maps =
proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf
proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf
proxy:mysql:/etc/postfix/mysql/catchall_maps.cf
proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf
sender_bcc_maps =
proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf
proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf
recipient_bcc_maps =
proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf
proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf
#
# Postscreen
# Postfix zombie blocker 僵尸拦截器
postscreen_greet_action = drop
postscreen_blacklist_action = drop
postscreen_dnsbl_action = drop
postscreen_dnsbl_threshold = 2
# Attention:
# - zen.spamhaus.org free tire has 3 limits
# (https://www.spamhaus.org/organization/dnsblusage/):
#
# 1) Your use of the Spamhaus DNSBLs is non-commercial*, and
# 2) Your email traffic is less than 100,000 SMTP connections per day, and
# 3) Your DNSBL query volume is less than 300,000 queries per day.
#
# - FAQ: "Your DNSBL blocks nothing at all!"
# https://www.spamhaus.org/faq/section/DNSBL%20Usage#261
#
# It's strongly recommended to use a local DNS server for cache.
# 强烈建议使用本地DNS服务器进行缓存。
postscreen_dnsbl_sites =
zen.spamhaus.org=127.0.0.[2..11]*3
b.barracudacentral.org=127.0.0.2*2
postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr
# Require Postfix-2.11+
postscreen_dnsbl_whitelist_threshold = -2
#
# Dovecot SASL support.
#
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
#
# mlmmj - mailing list manager
#
mlmmj_destination_recipient_limit = 1
#
# Amavisd + SpamAssassin + ClamAV
#
content_filter = smtp-amavis:[127.0.0.1]:10024
# Concurrency per recipient limit.
# 每个收件人的并发限制
smtp-amavis_destination_recipient_limit = 1
/etc/postfix/master.cf
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
smtp inet n - y - 1 postscreen
smtpd pass - - y - - smtpd
dnsblog unix - - y - 0 dnsblog
tlsproxy unix - - y - 0 tlsproxy
#submission inet n - y - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_tls_auth_only=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - y - - smtpd
# -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - y - - qmqpd
#smtp inet n - - - - smtpd
pickup unix n - n 60 1 pickup
-o content_filter=smtp-amavis:[127.0.0.1]:10026
cleanup unix n - n - 0 cleanup
#qmgr unix n - n 300 1 oqmgr
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
relay unix - - n - - smtp
-o syslog_name=postfix/$service_name
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
postlog unix-dgram n - n - 1 postlogd
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
maildrop unix - n n - - pipe flags=DRXhu
user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# Other external delivery methods.
#
uucp unix - n n - - pipe flags=Fqhu
user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe flags=F user=ftn
argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe flags=Fq.
user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe flags=R
user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop}
${user} ${extension}
mailman unix - n n - - pipe flags=FRX
user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop}
${user}
# Submission, port 587, force TLS connection.
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o content_filter=smtp-amavis:[127.0.0.1]:10026
# smtps, port 465, force SSL connection.
465 inet n - n - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o content_filter=smtp-amavis:[127.0.0.1]:10026
# Use dovecot's `deliver` program as LDA.
dovecot unix - n n - - pipe
flags=DRh user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${domain} -m ${extension}
# mlmmj - mailing list manager
# ${nexthop} is '%d/%u' in transport ('mlmmj:%d/%u')
mlmmj unix - n n - - pipe
flags=ORhu user=mlmmj:mlmmj argv=/usr/bin/mlmmj-amime-receive -L /var/vmail/mlmmj/${nexthop}
# Amavisd integration.
smtp-amavis unix - - n - 4 smtp
-o syslog_name=postfix/amavis
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o disable_dns_lookups=yes
-o max_use=20
# smtp port used by Amavisd to re-inject scanned email back to Postfix
127.0.0.1:10025 inet n - n - - smtpd
-o syslog_name=postfix/10025
-o content_filter=
-o mynetworks_style=host
-o mynetworks=127.0.0.0/8
-o local_recipient_maps=
-o relay_recipient_maps=
-o strict_rfc821_envelopes=yes
-o smtp_tls_security_level=none
-o smtpd_tls_security_level=none
-o smtpd_restriction_classes=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_end_of_data_restrictions=
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings
# smtp port used by mlmmj to re-inject scanned email back to Postfix, with
# address mapping support
127.0.0.1:10028 inet n - n - - smtpd
-o syslog_name=postfix/10028
-o content_filter=
-o mynetworks_style=host
-o mynetworks=127.0.0.0/8
-o local_recipient_maps=
-o relay_recipient_maps=
-o strict_rfc821_envelopes=yes
-o smtp_tls_security_level=none
-o smtpd_tls_security_level=none
-o smtpd_restriction_classes=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_end_of_data_restrictions=
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
/etc/dovecot/dovecot.conf
# More details about Dovecot settings:
# - http://wiki2.dovecot.org/
# - http://wiki2.dovecot.org/Variables
# Listen addresses.
# 监听地址
# - '*' means all available IPv4 addresses.
# '*'表示所有IPv4地址。
# - '[::]' means all available IPv6 addresses.
# '[::]'表示所有IPv6地址。
# Listen on all available addresses by default
# 默认监听所有可用地址
listen = * [::]
#base_dir = /var/run/dovecot
mail_plugins = quota mailbox_alias acl mail_log notify
# Enabled mail protocols.
# 启用的邮件协议。
protocols = pop3 imap sieve lmtp
# User/group who owns the message files:
# 拥有消息文件的用户/组
mail_uid = 2000
mail_gid = 2000
# Assign uid to virtual users.
# 将uid分配给虚拟用户。
first_valid_uid = 2000
last_valid_uid = 2000
# Logging. Reference: http://wiki2.dovecot.org/Logging
#
# Use syslog
syslog_facility = local5
# Debug
#mail_debug = yes
#auth_verbose = yes
#auth_debug = yes
#auth_debug_passwords = yes
# Possible values: no, yes, plain, sha1.
# 可用值:no, yes, plain, sha1。
# Set to 'yes' or 'plain', to output plaintext password (NOT RECOMMENDED).
# 设置为'yes'或'plain',以输出纯文本密码(不推荐)。
#auth_verbose_passwords = no
# SSL: Global settings.
# SSL: 通用设置。
# Refer to wiki site for per protocol, ip, server name SSL settings:
# http://wiki2.dovecot.org/SSL/DovecotConfiguration
ssl_min_protocol = TLSv1.2
ssl = required
verbose_ssl = no
#ssl_ca = method=%m rip=%r lip=%l mpid=%e %c %k session=<%{session}>
# Mail delivery log format
# 邮件传递日志格式
deliver_log_format = from=%{from}, envelope_sender=%{from_envelope}, subject=%{subject}, msgid=%m, size=%{size}, delivery_time=%{delivery_time}ms, %$
service auth {
unix_listener /var/spool/postfix/private/dovecot-auth {
user = postfix
group = postfix
mode = 0666
}
unix_listener auth-master {
user = vmail
group = vmail
mode = 0666
}
unix_listener auth-userdb {
user = vmail
group = vmail
mode = 0660
}
}
# LMTP server (Local Mail Transfer Protocol).
# Reference: http://wiki2.dovecot.org/LMTP
service lmtp {
user = vmail
# For higher volume sites, it may be desirable to increase the number of
# active listener processes. A range of 5 to 20 is probably good for most
# sites.
# 对于大多数站点来说,5到20的范围可能是好的。对于容量更大的站点,可能需要增加活动侦听器进程的数量。
process_min_avail = 5
# Logging.
# Require 'log_path =' in 'protocol lmtp {}' block.
executable = lmtp -L
# Listening on socket file and TCP
unix_listener /var/spool/postfix/private/dovecot-lmtp {
user = postfix
group = postfix
mode = 0600
}
inet_listener lmtp {
# Listen on localhost (ipv4)
address = 127.0.0.1
port = 24
}
}
# Virtual mail accounts.
userdb {
args = /etc/dovecot/dovecot-mysql.conf
driver = sql
}
passdb {
args = /etc/dovecot/dovecot-mysql.conf
driver = sql
}
# Master user.
# Master users are able to log in as other users. It's also possible to
# directly log in as any user using a master password, although this isn't
# recommended.
# Master user可以作为其他用户登录。也可以使用主密码作为任何用户直接登录,但不建议这么做。
# Reference: http://wiki2.dovecot.org/Authentication/MasterUsers
auth_master_user_separator = *
passdb {
driver = passwd-file
args = /etc/dovecot/dovecot-master-users
# 此文件中实际上保存的是sogo_sieve_master@not-exist.com账号密码。
master = yes
}
plugin {
# Quota configuration.
# Reference: http://wiki2.dovecot.org/Quota/Configuration
quota = dict:user::proxy::quotadict
# Set default quota rule if no quota returned from SQL/LDAP query.
#quota_rule = *:storage=1G
#quota_rule2 = *:messages=0
#quota_rule3 = Trash:storage=1G
#quota_rule4 = Junk:ignore
# Quota warning.
#
# If user suddenly receives a huge mail and the quota jumps from
# 85% to 95%, only the 95% script is executed.
#
# Only the command for the first exceeded limit is executed, so configure
# the highest limit first.
quota_warning = storage=100%% quota-warning 100 %u
quota_warning2 = storage=95%% quota-warning 95 %u
quota_warning3 = storage=90%% quota-warning 90 %u
quota_warning4 = storage=85%% quota-warning 85 %u
# allow user to become max 10% (or 50 MB) over quota
quota_grace = 10%%
#quota_grace = 50 M
# Custom Quota Exceeded Message.
# You can specify the message directly or read the message from a file.
#quota_exceeded_message = Quota exceeded, please try again later.
#quota_exceeded_message = ).
sieve_vacation_send_from_recipient = yes
# Reference: http://wiki2.dovecot.org/Plugins/MailboxAlias
mailbox_alias_old = Sent
mailbox_alias_new = Sent Messages
mailbox_alias_old2 = Sent
mailbox_alias_new2 = Sent Items
# Events to log. `autoexpunge` is included in `expunge`
# Defined in https://github.com/dovecot/core/blob/master/src/plugins/mail-log/mail-log-plugin.c
mail_log_events = delete undelete expunge copy mailbox_create mailbox_delete mailbox_rename
mail_log_fields = uid box msgid size from subject flags
# Track user last login
last_login_dict = proxy::lastlogin
last_login_key = last-login/%s/%u/%d
}
service stats {
fifo_listener stats-mail {
user = vmail
mode = 0644
}
unix_listener stats-writer {
user = vmail
group = vmail
mode = 0660
}
inet_listener {
address = 127.0.0.1
port = 24242
}
}
service quota-warning {
executable = script /usr/local/bin/dovecot-quota-warning.sh
unix_listener quota-warning {
user = vmail
group = vmail
mode = 0660
}
}
service quota-status {
# '-p '. Currently only 'postfix' protocol is supported.
executable = quota-status -p postfix
client_limit = 1
inet_listener {
address = 127.0.0.1
port = 12340
}
}
service dict {
unix_listener dict {
mode = 0660
user = vmail
group = vmail
}
}
dict {
quotadict = mysql:/etc/dovecot/dovecot-used-quota.conf
acl = mysql:/etc/dovecot/dovecot-share-folder.conf
lastlogin = mysql:/etc/dovecot/dovecot-last-login.conf
}
protocol lda {
mail_plugins = $mail_plugins sieve
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
}
protocol lmtp {
# Plugins
mail_plugins = $mail_plugins sieve
# Address extension delivery
lmtp_save_to_detail_mailbox = yes
recipient_delimiter = +
}
protocol imap {
mail_plugins = $mail_plugins imap_quota imap_acl last_login
imap_client_workarounds = tb-extra-mailbox-sep
# Maximum number of IMAP connections allowed for a user from each IP address.
# 每个IP地址允许用户的最大IMAP连接数
# NOTE: The username is compared case-sensitively.
# 注意:用户名区分大小写
# Default is 10.
# Increase it to avoid issue like below:
# "Maximum number of concurrent IMAP connections exceeded"
# 默认值为10,增加此数值可以避免"超过最大并发IMAP连接数"提示
mail_max_userip_connections = 30
}
protocol pop3 {
mail_plugins = $mail_plugins last_login
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
pop3_uidl_format = %08Xu%08Xv
# Maximum number of IMAP connections allowed for a user from each IP address.
# NOTE: The username is compared case-sensitively.
# Default is 10.
mail_max_userip_connections = 30
# POP3 logout format string:
# %i - total number of bytes read from client
# 从客户端读取的总字节数
# %o - total number of bytes sent to client
# 发送到客户端的总字节数
# %t - number of TOP commands
# TOP命令数
# %p - number of bytes sent to client as a result of TOP command
# 由于TOP命令发送到客户端的字节数
# %r - number of RETR commands
# RETR命令数
# %b - number of bytes sent to client as a result of RETR command
# 由于RETR命令发送到客户端的字节数
# %d - number of deleted messages
# 已删除邮件数
# %m - number of messages (before deletion)
# 消息数(删除前)
# %s - mailbox size in bytes (before deletion)
# 邮箱大小(字节)(删除前)
# Default format doesn't have 'in=%i, out=%o'.
#pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s, in=%i, out=%o
}
# Login processes. Refer to Dovecot wiki for more details:
# http://wiki2.dovecot.org/LoginProcess
service imap-login {
#inet_listener imap {
# port = 143
#}
#inet_listener imaps {
# port = 993
# ssl = yes
#}
service_count = 1
# To avoid startup latency for new client connections, set process_min_avail
# to higher than zero. That many idling processes are always kept around
# waiting for new connections.
# 为了避免新客户端连接的启动延迟,请将process_min_avail设置为大于零。许多空闲进程总是等待新的连接。
#process_min_avail = 0
# number of simultaneous IMAP connections
# 同时IMAP连接数
process_limit = 500
# vsz_limit should be fine at its default 64MB value
#vsz_limit = 64M
}
service pop3-login {
#inet_listener pop3 {
# port = 110
#}
#inet_listener pop3s {
# port = 995
# ssl = yes
#}
service_count = 1
# number of simultaneous POP3 connections
#process_limit = 500
}
service managesieve-login {
inet_listener sieve {
# Listen on localhost (ipv4)
address = 127.0.0.1
port = 4190
}
}
namespace {
type = private
separator = /
prefix =
inbox = yes
# Refer to document for more details about alias mailbox:
# http://wiki2.dovecot.org/MailboxSettings
#
# Sent
mailbox Sent {
auto = subscribe
special_use = \Sent
}
mailbox "Sent Messages" {
auto = no
special_use = \Sent
}
mailbox "Sent Items" {
auto = no
special_use = \Sent
}
mailbox Drafts {
auto = subscribe
special_use = \Drafts
}
# Trash
mailbox Trash {
auto = subscribe
special_use = \Trash
}
mailbox "Deleted Messages" {
auto = no
special_use = \Trash
}
# Junk
mailbox Junk {
auto = subscribe
special_use = \Junk
}
mailbox Spam {
auto = no
special_use = \Junk
}
mailbox "Junk E-mail" {
auto = no
special_use = \Junk
}
# Archive
mailbox Archive {
auto = no
special_use = \Archive
}
mailbox Archives {
auto = no
special_use = \Archive
}
}
namespace {
type = shared
separator = /
prefix = Shared/%%u/
location = maildir:%%Lh/Maildir/:INDEX=%%Lh/Maildir/Shared/%%Ld/%%Ln
# this namespace should handle its own subscriptions or not.
subscriptions = yes
list = children
}
# Public mailboxes.
# Refer to Dovecot wiki page for more details:
# http://wiki2.dovecot.org/SharedMailboxes/Public
#namespace {
# type = public
# separator = /
# prefix = Public/
# location = maildir:/var/vmail/public:CONTROL=%Lh/Maildir/public:INDEXPVT=%Lh/Maildir/public
#
# # Allow users to subscribe to the public folders.
# subscriptions = yes
#}
!include_try /etc/dovecot/iredmail/*.conf