Installing a mail system on FreeBSD
Install postfix and dovecot
pkg install postfix dovecot
After the installation, do the following:
mkdir -p /usr/local/etc/mail
install -m 0644 /usr/local/share/postfix/mailer.conf.postfix /usr/local/etc/mail/mailer.conf
sysrc postfix_enable="YES"
sysrc sendmail_enable="NONE"
vi /etc/periodic.conf
daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"
cp -R /usr/local/etc/dovecot/example-config/* \
/usr/local/etc/dovecot
sysrc dovecot_enable="YES"
Create a self-signed certificate
# mkdir /etc/ssl/mailserver
# cd /etc/ssl/mailserver
# openssl genrsa -out mailserver.key
# openssl req -new -x509 -days 3650 -key mailserver.key -out mailserver.crt -subj "/C=CN/ST=GuangDong/L=GuangZhou/O=mycompany/OU=mydepartment/CN=mail.abc.com/CN=mail.xyz.com"
Create symlinks so the paths match the certificate settings in /usr/local/etc/dovecot/conf.d/10-ssl.conf:
# mkdir /etc/ssl/private
# ln -s /etc/ssl/mailserver/mailserver.crt /etc/ssl/certs/dovecot.pem
# ln -s /etc/ssl/mailserver/mailserver.key /etc/ssl/private/dovecot.pem
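Added example, not from the page: the openssl command above puts both hostnames into the subject as two CN entries, but TLS clients match the server name against subjectAltName and ignore CN once any SAN exists, so a certificate meant to serve mail.abc.com and mail.xyz.com needs both names as DNS SANs. The script below builds such a certificate and returns success only when every requested name shows up in the SAN list. The hostnames, the 3650-day lifetime and the output directory are the page's; the san.cnf file name and the 2048-bit RSA key are assumptions.

```shell
#!/bin/sh
# Added example, not part of the page: self-signed cert whose subjectAltName
# covers every hostname the server answers to. Hostnames and output directory
# follow the page; the san.cnf file name and 2048-bit RSA key are assumptions.
set -eu

# san_config CN [EXTRA_DNS_NAME...]: print an OpenSSL request config with a SAN
# list; the CN is repeated as DNS.1 because clients ignore CN when SANs exist.
san_config() {
    cn=$1; shift
    printf '[req]\ndistinguished_name = dn\nx509_extensions = v3_req\nprompt = no\n'
    printf '[dn]\nCN = %s\n' "$cn"
    printf '[v3_req]\nkeyUsage = digitalSignature, keyEncipherment\n'
    printf 'extendedKeyUsage = serverAuth\nsubjectAltName = @alt\n[alt]\n'
    i=1
    for name in "$cn" "$@"; do
        printf 'DNS.%d = %s\n' "$i" "$name"
        i=$((i + 1))
    done
}

# make_cert OUTDIR HOSTNAME...: write mailserver.key/.crt into OUTDIR and
# return 0 only if every hostname appears in the certificate's SAN list.
make_cert() {
    outdir=$1; shift
    mkdir -p "$outdir"
    san_config "$@" > "$outdir/san.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$outdir/san.cnf" \
        -keyout "$outdir/mailserver.key" -out "$outdir/mailserver.crt" 2>/dev/null
    chmod 0600 "$outdir/mailserver.key"      # private key: root only
    for name in "$@"; do
        openssl x509 -in "$outdir/mailserver.crt" -noout -text \
            | grep -q "DNS:$name" || return 1
    done
}

# "sh mkcert.sh --run" writes the two files that the page's symlinks point at.
if [ "${1:-}" = "--run" ]; then
    make_cert /etc/ssl/mailserver mail.abc.com mail.xyz.com
fi
```

The symlinks above then point at a certificate that passes hostname checks for both domains; being self-signed, it still has to be trusted explicitly by every client.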
Then start postfix and dovecot:
service postfix start ; service dovecot start ; service sendmail stop
Check which ports are now open:
root@mail:/etc/ssl/mailserver # sockstat -4l
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root master 3756 13 tcp4 *:25 *:*
root dovecot 3655 22 tcp4 *:110 *:*
root dovecot 3655 24 tcp4 *:995 *:*
root dovecot 3655 40 tcp4 *:143 *:*
root dovecot 3655 42 tcp4 *:993 *:*
root sshd 763 4 tcp4 *:22 *:*
root syslogd 560 7 udp4 *:514 *:*
Configure dovecot
Add the virtual-mail account:
pw groupadd vmail -g 500
pw useradd vmail -g 500 -u 500
Create the virtual mailbox directory:
zfs create zroot/var/vmail
chown vmail:vmail /var/vmail
Create one file per domain to hold the virtual accounts:
Generate the password hash
root@mail:/var # doveadm pw -p pass123
{CRYPT}$2y$05$jKKD9qJRrSIYWj578Fe/C./fxzlZjEINaEld9XGe42TTm6Sk9xbM2
Create a user/password file for each domain in the /var/vmail/passwd-user-auth directory:
# mkdir /var/vmail/passwd-user-auth
# vi /var/vmail/passwd-user-auth/test.com
abc@test.com:{CRYPT}$2y$05$jKKD9qJRrSIYWj578Fe/C./fxzlZjEINaEld9XGe42TTm6Sk9xbM2
# vi /var/vmail/passwd-user-auth/xyz.com
abc@xyz.com:{CRYPT}$2y$05$jKKD9qJRrSIYWj578Fe/C./fxzlZjEINaEld9XGe42TTm6Sk9xbM2
Create two authentication config files:
cd /usr/local/etc/dovecot/conf.d
cp auth-passwdfile.conf.ext auth-passwdfile.conf.abc.com.ext
vi auth-passwdfile.conf.abc.com.ext
passdb{
driver = passwd-file
args = scheme=CRYPT username_format=%u /var/vmail/passwd-user-auth/test.com
}
userdb{
driver = static
args = uid=vmail gid=vmail home=/var/vmail/%d/%n
}
vi auth-passwdfile.conf.xyz.com.ext
passdb{
driver = passwd-file
args = scheme=CRYPT username_format=%u /var/vmail/passwd-user-auth/xyz.com
}
userdb{
driver = static
args = uid=vmail gid=vmail home=/var/vmail/%d/%n
}
Edit /usr/local/etc/dovecot/conf.d/10-auth.conf to include the two files:
At the end of the file, auth-system.conf.ext was originally the one line left uncommented. Change the block to the following:
#!include auth-deny.conf.ext
#!include auth-master.conf.ext
#!include auth-system.conf.ext
#!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
!include auth-passwdfile.conf.abc.com.ext
!include auth-passwdfile.conf.xyz.com.ext
#!include auth-checkpassword.conf.ext
#!include auth-static.conf.ext
Edit /usr/local/etc/dovecot/conf.d/10-mail.conf and add the line:
mail_location = maildir:~/Maildir
Edit /usr/local/etc/dovecot/conf.d/10-master.conf and uncomment the following three lines:
unix_listener /var/spool/postfix/private/auth {
mode = 0666
}
Restart dovecot.
Configure postfix
Create a directory for all of postfix's map files:
mkdir /var/vmail/postmaps
Create the virtual domains file:
vi /var/vmail/postmaps/vmail_domains
test.com ok
xyz.com ok
Create the virtual mailbox file:
vi /var/vmail/postmaps/vmail_mailbox
abc@test.com test.com/abc/Maildir/
abc@xyz.com xyz.com/abc/Maildir/
Generate the map databases with postmap:
postmap /var/vmail/postmaps/*
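Added example, not from the page: a helper that registers one virtual user in all three places the steps above edit by hand (vmail_domains, vmail_mailbox and the per-domain dovecot passwd file), pre-creates the Maildir that the static userdb's home=/var/vmail/%d/%n points at, and rebuilds the hash maps. It refuses malformed addresses (both halves become path components) and duplicates. The base directory is a parameter so it can be tried against a scratch directory; the password hash is the `doveadm pw` output from the page, and the placeholder hash in the comment is constructed. The function name and argument order are assumptions.

```shell
#!/bin/sh
# Added example, not part of the page. Registers one virtual mailbox in the three
# files the page edits by hand. Usage: add_vmail_user BASE ADDRESS PWHASH
#   BASE    /var/vmail on the page; any scratch directory for a dry run
#   ADDRESS user@domain
#   PWHASH  the {CRYPT}... string printed by 'doveadm pw' (placeholder below is constructed)
set -eu

# has_key FILE SEPARATOR KEY: true if some line's first field equals KEY exactly.
has_key() {
    awk -F "$2" -v k="$3" '$1 == k { f = 1 } END { exit f ? 0 : 1 }' "$1"
}

# safe_part: letters, digits, dot, dash, underscore; no leading dot, no "..".
# Both halves of the address become path components under BASE.
safe_part() {
    case $1 in
        ''|.*|*..*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

add_vmail_user() {
    base=$1; addr=$2; pwhash=$3
    user=${addr%@*}; domain=${addr#*@}
    if [ "$user" = "$addr" ] || ! safe_part "$user" || ! safe_part "$domain"; then
        echo "refusing address '$addr'" >&2; return 2
    fi
    maps=$base/postmaps; auth=$base/passwd-user-auth
    mkdir -p "$maps" "$auth"
    touch "$maps/vmail_domains" "$maps/vmail_mailbox" "$auth/$domain"
    chmod 0640 "$auth/$domain"

    # Refuse duplicates: a second line for the same address would leave Postfix
    # and Dovecot with two candidate answers for one mailbox.
    if has_key "$maps/vmail_mailbox" ' ' "$addr" || has_key "$auth/$domain" ':' "$addr"; then
        echo "$addr already exists" >&2; return 1
    fi
    has_key "$maps/vmail_domains" ' ' "$domain" || printf '%s ok\n' "$domain" >> "$maps/vmail_domains"
    printf '%s %s/%s/Maildir/\n' "$addr" "$domain" "$user" >> "$maps/vmail_mailbox"
    printf '%s:%s\n' "$addr" "$pwhash" >> "$auth/$domain"

    # Pre-create the Maildir matching home=/var/vmail/%d/%n from the dovecot userdb.
    for sub in cur new tmp; do mkdir -p "$base/$domain/$user/Maildir/$sub"; done
    if id vmail >/dev/null 2>&1; then          # only on the real mail host
        chown -R vmail:vmail "$base/$domain"
    fi
    if command -v postmap >/dev/null 2>&1; then # rebuild the hash: tables
        postmap "$maps/vmail_domains" "$maps/vmail_mailbox"
    fi
}

# Dry run against a scratch directory (constructed placeholder hash):
# add_vmail_user /tmp/vmail-test abc@test.com '{CRYPT}$2y$05$PLACEHOLDER'
```

On the mail host the call is `add_vmail_user /var/vmail abc@test.com "$(doveadm pw -s BLF-CRYPT)"`; dovecot picks up the new passwd-file line without a restart, and postmap refreshes the .db files Postfix reads.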
Edit /usr/local/etc/postfix/main.cf and add the following lines:
smtpd_sasl_type = dovecot
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_path = private/auth
virtual_mailbox_base=/var/vmail
virtual_mailbox_domains = hash:/var/vmail/postmaps/vmail_domains
virtual_mailbox_maps = hash:/var/vmail/postmaps/vmail_mailbox
virtual_transport = virtual
virtual_uid_maps = static:500
virtual_gid_maps = static:500
The default main.cf shipped with the FreeBSD postfix package is lengthy; its comments are thorough but make settings hard to find quickly. A concise version can be produced in either of the following two ways:
Restart postfix.
postfix + SSL/TLS
Edit /usr/local/etc/postfix/main.cf and add the following lines:
smtpd_use_tls = yes
smtpd_tls_security_level = may
(With "request" here instead of "may", mail from NetEase could not be delivered in.)
smtpd_tls_received_header = yes
smtpd_enforce_tls = yes
smtpd_tls_loglevel = 2
smtpd_tls_cert_file = /etc/ssl/certs/dovecot.pem
smtpd_tls_key_file = /etc/ssl/private/dovecot.pem
Edit /usr/local/etc/postfix/master.cf and uncomment the following lines:
The following enables port 587:
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_tls_auth_only=yes
The following enables port 465:
submissions inet n - n - - smtpd
-o syslog_name=postfix/submissions
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
Some more postfix configuration
Edit the submission and submissions sections of /usr/local/etc/postfix/master.cf:
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_tls_auth_only=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_client_restrictions=$mua_client_restrictions
-o smtpd_helo_restrictions=$mua_helo_restrictions
-o smtpd_sender_restrictions=$mua_sender_restrictions
-o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
submissions inet n - n - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_client_restrictions=$mua_client_restrictions
-o smtpd_helo_restrictions=$mua_helo_restrictions
-o smtpd_sender_restrictions=$mua_sender_restrictions
-o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
Append the following to /usr/local/etc/postfix/main.cf:
mua_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject
mua_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject
mua_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_hostname, reject_invalid_hostname, permit
The final /usr/local/etc/postfix/main.cf:
compatibility_level = 3.7
queue_directory = /var/spool/postfix
command_directory = /usr/local/sbin
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
mail_owner = postfix
unknown_local_recipient_reject_code = 550
mynetworks_style = host
debug_peer_level = 2
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/local/sbin/sendmail
newaliases_path = /usr/local/bin/newaliases
mailq_path = /usr/local/bin/mailq
setgid_group = maildrop
html_directory = /usr/local/share/doc/postfix
manpage_directory = /usr/local/man
sample_directory = /usr/local/etc/postfix
readme_directory = /usr/local/share/doc/postfix
inet_protocols = all
smtp_tls_CApath = /etc/ssl/certs
shlib_directory = /usr/local/lib/postfix
meta_directory = /usr/local/libexec/postfix
# Everything above was generated by the system and is left unchanged
# Below: postfix authenticates through dovecot
smtpd_sasl_type = dovecot
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_path = private/auth
# Below: virtual accounts
virtual_mailbox_base=/var/vmail
virtual_mailbox_domains = hash:/var/vmail/postmaps/vmail_domains
virtual_mailbox_maps = hash:/var/vmail/postmaps/vmail_mailbox
virtual_transport = virtual
virtual_uid_maps = static:500
virtual_gid_maps = static:500
# Below: SSL
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_received_header = yes
smtpd_enforce_tls = yes
smtpd_tls_loglevel = 2
smtpd_tls_cert_file = /etc/ssl/certs/dovecot.pem
smtpd_tls_key_file = /etc/ssl/private/dovecot.pem
#smtp_use_tls = yes
#smtp_tls_cert_file = /etc/ssl/certs/dovecot.pem
#smtp_tls_key_file = /etc/ssl/private/dovecot.pem
# Below: referenced from master.cf
mua_client_restrictions = permit_sasl_authenticated, reject
mua_sender_restrictions = permit_sasl_authenticated, reject
mua_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_hostname, reject_invalid_hostname, permit
# Anti-spam
smtpd_helo_required = yes
smtpd_helo_restrictions =
reject_invalid_hostname
smtpd_sender_restrictions =
permit_mynetworks
reject_non_fqdn_sender
reject_unknown_sender_domain
smtpd_recipient_restrictions =
permit_sasl_authenticated
permit_mynetworks
reject_unauth_destination
reject_non_fqdn_recipient
reject_unknown_recipient_domain
smtpd_data_restrictions =
reject_unauth_pipelining
smtpd_relay_restrictions =
permit_sasl_authenticated
defer_unauth_destination
The /usr/local/etc/postfix/master.cf file (only the submission and submissions sections were actually changed):
smtp inet n - n - - smtpd
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_tls_auth_only=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_client_restrictions=$mua_client_restrictions
-o smtpd_helo_restrictions=$mua_helo_restrictions
-o smtpd_sender_restrictions=$mua_sender_restrictions
-o smtpd_relay_restrictions=
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
submissions inet n - n - - smtpd
-o syslog_name=postfix/submissions
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_client_restrictions=$mua_client_restrictions
-o smtpd_helo_restrictions=$mua_helo_restrictions
-o smtpd_sender_restrictions=$mua_sender_restrictions
-o smtpd_relay_restrictions=
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
-o syslog_name=postfix/$service_name
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
postlog unix-dgram n - n - 1 postlogd
Two problems came up when installing inside a jail, both related to IPv6:
- postfix's main.cf
change inet_protocols = all to inet_protocols = ipv4
- dovecot's dovecot.conf
add the line listen = *
Setting up mail forwarding
Add to main.cf:
virtual_alias_maps = hash:/var/vmail/postmaps/virtual_alias
Then create /var/vmail/postmaps/virtual_alias with content like:
xyz@test.com abc@test.com
This means: any mail sent to xyz@test.com is delivered to abc@test.com instead, regardless of whether xyz@test.com exists.
One record per line.
Automatic BCC rules
Mail that Postfix forwards internally and mail it generates itself never receives automatic BCC recipients.
- always_bcc = address
A copy of every incoming and outgoing message is sent to the given address.
- sender_bcc_maps = type:table
Looks up the sender address in the given table to find automatic BCC addresses.
sender_bcc_maps entries look like:
@abc.com out@abc.com
- recipient_bcc_maps = type:table
Looks up the recipient address in the given table to find automatic BCC addresses.
recipient_bcc_maps entries look like:
@abc.com out@abc.com
Note: the virtual accounts that receive the BCC copies must exist (they need entries in vmail_mailbox), otherwise postfix does not know where to deliver them.
If you never need to read these copies, there is no need to add the corresponding accounts to dovecot's password files; in this setup those are under /var/vmail/passwd-user-auth.
Editing master.cf can disable all automatic BCC for a listener:
127.0.0.1:10026 inet n - n - - smtpd
-o receive_override_options=no_address_mappings
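Added example, not from the page: the note above says every BCC target must have a vmail_mailbox entry, and an alias or BCC key only matters if its domain is one the server actually hosts. The script below checks both over the map source files in /var/vmail/postmaps. The file names virtual_alias, vmail_mailbox and vmail_domains are the page's; sender_bcc and recipient_bcc as file names for the two BCC tables are assumptions, and the sample tables in the usage are constructed.

```shell
#!/bin/sh
# Added example, not part of the page: cross-check the address-rewriting tables
# against vmail_mailbox / vmail_domains. File names virtual_alias, vmail_mailbox
# and vmail_domains are the page's; sender_bcc and recipient_bcc are assumed names.
set -eu

# First column of a Postfix map source file, skipping blank and comment lines.
map_keys() { awk '!/^[ \t]*#/ && !/^[ \t]*$/ { print $1 }' "$1"; }

# Every value column of a map source file (a key may list several targets).
map_values() { awk '!/^[ \t]*#/ && !/^[ \t]*$/ { for (i = 2; i <= NF; i++) print $i }' "$1"; }

# has NEEDLE "LINES": exact whole-line match against newline-separated LINES.
has() { printf '%s\n' "$2" | grep -Fqx -- "$1"; }

# check_tables BASE: BASE/postmaps is the page's map directory.
# Prints one line per problem and returns 1 if any was found.
check_tables() {
    maps=$1/postmaps; rc=0
    mailboxes=$(map_keys "$maps/vmail_mailbox")
    domains=$(map_keys "$maps/vmail_domains")
    for t in sender_bcc recipient_bcc; do
        [ -f "$maps/$t" ] || continue
        # The page's rule: a BCC copy needs a mailbox to land in.
        for target in $(map_values "$maps/$t"); do
            has "$target" "$mailboxes" || { echo "$t: BCC target $target has no vmail_mailbox entry"; rc=1; }
        done
        # "@domain" and "user@domain" keys are only consulted for hosted domains.
        for key in $(map_keys "$maps/$t"); do
            has "${key#*@}" "$domains" || { echo "$t: key $key is not in a domain listed in vmail_domains"; rc=1; }
        done
    done
    if [ -f "$maps/virtual_alias" ]; then
        for key in $(map_keys "$maps/virtual_alias"); do
            has "${key#*@}" "$domains" || { echo "virtual_alias: $key is not in a domain listed in vmail_domains"; rc=1; }
        done
    fi
    return $rc
}

# On the mail host: check_tables /var/vmail   (run before postmap, on the source files)
```

Run it before `postmap` so a typo in a BCC target is caught while it is still a text file rather than after the first message bounces.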
mynetworks: the trusted remote SMTP clients. The value is one address range, or several ranges separated by spaces or commas. For example:
mynetworks = 127.0.0.0/8 168.100.189.0/28
mynetworks = !192.168.0.1, 192.168.0.0/28
mynetworks = 127.0.0.0/8 168.100.189.0/28 [::1]/128 [2001:240:587::]/64
mynetworks = $config_directory/mynetworks
mynetworks = hash:/etc/postfix/network_table
mynetworks = cidr:/etc/postfix/network_table.cidr
If mynetworks is specified, Postfix ignores mynetworks_style.
mynetworks_style takes one of three values:
- host
trust only this machine
- subnet
trust every host in the server's own subnet
- class
trust every host in the same address class; this can make Postfix trust the network provider's entire network.
smtpd_*_restrictions

| Parameter | Function | Default | Notes |
| --- | --- | --- | --- |
| smtpd_client_restrictions | Optional restrictions applied in the context of the client connection request | empty: all connection requests are allowed | usually left unconfigured |
| smtpd_helo_restrictions | Optional restrictions applied in the context of the client HELO command | empty: all connection requests are allowed | only takes effect once smtpd_helo_required = yes is set |
| smtpd_sender_restrictions | Optional restrictions applied in the context of the client MAIL FROM command | empty: all connections are allowed | |
| smtpd_recipient_restrictions | Optional restrictions applied in the context of the client RCPT TO command, after smtpd_relay_restrictions | empty (check with postconf -d) | must contain at least one of reject or reject_unauth_destination, or defer, defer_if_permit or defer_unauth_destination; otherwise Postfix refuses incoming mail |
| smtpd_relay_restrictions | Optional restrictions applied in the context of the client RCPT TO command, before smtpd_recipient_restrictions | permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination | must contain at least one of reject or reject_unauth_destination, or defer, defer_if_permit or defer_unauth_destination; otherwise Postfix refuses incoming mail |
| smtpd_data_restrictions | Optional restrictions applied in the context of the SMTP DATA command | empty | |
| smtpd_end_of_data_restrictions | Optional restrictions applied in the context of the SMTP END-OF-DATA command | empty | |
| smtpd_etrn_restrictions | Optional restrictions applied in the context of the SMTP ETRN command | empty | |
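Added example, not from the page: a small audit of the smtpd_*_restrictions, TLS and SASL settings in a main.cf, written against the notes in the table above. It flattens Postfix's continuation lines, then checks that at least one of smtpd_relay_restrictions / smtpd_recipient_restrictions contains a reject or defer restriction (the open-relay rule from the table), that smtpd_helo_restrictions is paired with smtpd_helo_required = yes, that mynetworks is not 0.0.0.0/0 and mynetworks_style is not class, plus two Postfix facts the page's final main.cf trips over: smtpd_tls_security_level overrides the obsolete smtpd_use_tls / smtpd_enforce_tls, and smtpd_sasl_auth_enable = yes in main.cf offers AUTH on port 25 over plaintext unless smtpd_tls_auth_only = yes is set there too (the page sets it only for submission in master.cf). The function names and the finding wording are assumptions; the sample files in the usage are constructed.

```shell
#!/bin/sh
# Added example, not part of the page: audit smtpd_*_restrictions, TLS and SASL
# settings in a main.cf. Function names and finding texts are assumptions.
set -eu

# Join Postfix continuation lines (leading whitespace) into one "key = value" line each.
flatten_cf() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { line = $0; sub(/^[ \t]+/, "", line); cur = cur " " line; next }
        { if (cur != "") print cur; cur = $0 }
        END { if (cur != "") print cur }
    ' "$1"
}

# cf_get FILE KEY [DEFAULT]: value of KEY, or DEFAULT when KEY is not set at all.
cf_get() {
    out=$(flatten_cf "$1" | awk -v k="$2" '
        { key = $0; sub(/[ \t]*=.*/, "", key) }
        key == k { sub(/^[^=]*=[ \t]*/, ""); print "=" $0; exit }')
    case $out in
        =*) printf '%s\n' "${out#=}" ;;
        *)  printf '%s\n' "${3:-}" ;;
    esac
}

# has_word "LIST" WORD: LIST is comma- and/or space-separated.
has_word() {
    case " $(printf '%s' "$1" | tr ',' ' ') " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# audit_main_cf FILE: print one finding per line; return 1 if there is any.
audit_main_cf() {
    f=$1; n=0
    # Postfix's own defaults are used for keys the file does not set.
    relay=$(cf_get "$f" smtpd_relay_restrictions "permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination")
    rcpt=$(cf_get "$f" smtpd_recipient_restrictions "")
    guarded=0
    for w in reject reject_unauth_destination defer defer_if_permit defer_unauth_destination; do
        if has_word "$relay $rcpt" "$w"; then guarded=1; fi
    done
    if [ "$guarded" = 0 ]; then
        echo "RELAY: neither smtpd_relay_restrictions nor smtpd_recipient_restrictions rejects/defers unauthorized destinations (open relay)"
        n=$((n + 1))
    fi
    level=$(cf_get "$f" smtpd_tls_security_level "")
    for obsolete in smtpd_use_tls smtpd_enforce_tls; do
        if [ -n "$level" ] && [ "$(cf_get "$f" "$obsolete" ABSENT)" != ABSENT ]; then
            echo "TLS: $obsolete is ignored because smtpd_tls_security_level = $level is set"
            n=$((n + 1))
        fi
    done
    if [ "$(cf_get "$f" smtpd_sasl_auth_enable no)" = yes ] && [ "$(cf_get "$f" smtpd_tls_auth_only no)" != yes ]; then
        echo "AUTH: SASL is enabled for every smtpd (port 25 included) without smtpd_tls_auth_only = yes"
        n=$((n + 1))
    fi
    if [ -n "$(cf_get "$f" smtpd_helo_restrictions "")" ] && [ "$(cf_get "$f" smtpd_helo_required no)" != yes ]; then
        echo "HELO: smtpd_helo_restrictions is set but smtpd_helo_required is not yes"
        n=$((n + 1))
    fi
    nets=$(cf_get "$f" mynetworks "")
    if has_word "$nets" 0.0.0.0/0; then
        echo "MYNETWORKS: 0.0.0.0/0 makes permit_mynetworks trust every client"
        n=$((n + 1))
    fi
    if [ -z "$nets" ] && [ "$(cf_get "$f" mynetworks_style host)" = class ]; then
        echo "MYNETWORKS: mynetworks_style = class may trust the provider's whole network"
        n=$((n + 1))
    fi
    return $((n > 0))
}

# On the mail host: audit_main_cf /usr/local/etc/postfix/main.cf
```

Run against the final main.cf shown earlier on this page it reports the TLS and AUTH findings and nothing else; `postconf -n` output can be fed to it just as well, since that is already one setting per line.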