
Installing and configuring Postfix and Dovecot

2014-12-28 20:23:38 Source: 中存储网

All sources are extracted under /usr/local/src/

1、Apache install:
./configure --prefix=/usr/local/apache --enable-so --enable-mods-shared=most --enable-module=most
--enable-so: lets Apache support DSO (dynamic shared object) modules
--enable-mods-shared=most: tells the build to compile all standard modules as DSO modules
--enable-module=most: "most" also compiles in the less common modules that are not part of the default set
Use apxs to build and install a third-party module outside the Apache source tree, for example to compile mod_foo.c into the DSO module mod_foo.so:
$ cd /path/to/3rdparty
$ apxs -c mod_foo.c
$ apxs -i -a -n mod_foo mod_foo.la
Once a shared module is built, Apache must be told to load it with a LoadModule directive in httpd.conf.

2、MySQL install:
groupadd mysql
useradd -g mysql mysql
tar -zxvf mysql.source.tgz -C /usr/local/src
cd /usr/local/src/mysql-source   # the directory the tarball was extracted into, not the .tgz file itself
./configure --prefix=/usr/local/mysql
make && make install
cp support-files/my-medium.cnf /etc/my.cnf
cd /usr/local/mysql
chown -R mysql .
chown -R :mysql .
bin/mysql_install_db --user=mysql
chown -R root .
chown -R mysql var
bin/mysqld_safe --user=mysql &
/usr/local/mysql/bin/mysqladmin -u root password 'new-password'
/usr/local/mysql/bin/mysql -uroot -p

3、PHP install:
./configure --prefix=/usr/local/php --with-mysql=/usr/local/mysql --with-apxs2=/usr/local/apache/bin/apxs --with-libxml-dir=/usr/local/libxml2/ --with-imap=/usr/lib/ --with-openssl=/usr/share/ssl --enable-mbstring --with-kerberos
Postfix needs mbstring (--enable-mbstring) and php5-imap (--with-imap); the latter requires libc-client-devel.
make && make install
cp php.ini-dist /usr/local/lib/php.ini
Add to httpd.conf (only the LoadModule line matching the PHP version you built applies):
LoadModule php4_module modules/libphp4.so
LoadModule php5_module modules/libphp5.so
AddType application/x-httpd-php .php .phtml
AddType application/x-httpd-php-source .phps
/usr/local/apache/bin/apachectl start
Test page: <?php phpinfo(); ?>

4、postfixadmin install:
/usr/local/mysql/bin/mysqld_safe --user=mysql &
/usr/local/apache/bin/apachectl start
Log in to MySQL and run:
CREATE DATABASE postfix;
CREATE USER 'postfix'@'localhost' IDENTIFIED BY 'choose_a_password';
GRANT ALL PRIVILEGES ON `postfix`.* TO 'postfix'@'localhost';
Copy postfixadmin into /usr/local/apache/htdocs/
In the postfixadmin directory, edit config.inc.php as follows:
$CONF['configured'] = true;
$CONF['default_language'] = 'cn';
$CONF['database_type'] = 'mysql';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'postfix';
$CONF['database_password'] = '791346';
$CONF['database_name'] = 'postfix';
Then log in (database_password must be the password given to CREATE USER above).

5、Nameserver install:
./configure --prefix=/usr/local/named
named.conf:
options {
    directory "/usr/local/named/var/named";
};
zone "." {
    type hint;
    file "named.ca";
};
zone "0.168.192.in-addr.arpa" {
    type master;
    file "0.168.192.in-addr.arpa.zone";
};
zone "localhost" {
    type master;
    file "localhost.zone";
};
zone "abc.com" {
    type master;
    file "abc.com.zone";
};

abc.com.zone:
$TTL 1D
@       IN SOA  abc.com. root.abc.com. (
                200     ; serial
                1H      ; refresh
                15M     ; retry
                1W      ; expire
                1D )    ; minimum TTL
        IN NS   abc.com.
        IN MX   10 mail.abc.com.
        IN A    192.168.0.53
mail    IN A    192.168.0.53

echo "nameserver 127.0.0.1" > /etc/resolv.conf
/usr/local/named/sbin/named &
host abc.com    # check that the name resolves
If the machine has Internet access, add the root hints as well: dig -t NS . > /usr/local/named/var/named/named.ca
host www.baidu.com
Add the rndc control channel:
/usr/local/named/sbin/rndc-confgen prints, after the rndc.conf part, the lines that belong in named.conf; append them to named.conf:
/usr/local/named/sbin/rndc-confgen | tail >> /usr/local/named/etc/named.conf
then remove the comment markers from those appended lines.

6、Dovecot install:
./configure --prefix=/usr/local/dovecot --with-mysql --with-ssl
make
make install
useradd dovecot

If mysql.sock cannot be found, link it to the path Dovecot looks at: ln -s /tmp/mysql.sock /where/the/path/is

dovecot.conf:

auth_debug_passwords = yes
base_dir = /var/run/dovecot/
protocols = pop3 pop3s imap imaps
listen = *
disable_plaintext_auth = no
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot.info
log_timestamp = "%Y-%m-%d %H:%M:%S "
# SSL settings (Postfix with SSL/TLS)
ssl = yes
ssl_cert_file = /etc/postfix/mail_sign_cert.pem
ssl_key_file = /etc/postfix/mailkey.pem
ssl_ca_file = /etc/postfix/cacert.pem

mail_location = maildir:/var/vmail/%u
mail_privileged_group = vmail
first_valid_uid = 1010

# Postfix and MySQL virtual user accounts
auth default {
  mechanisms = plain login
  passdb sql {
    args = /usr/local/dovecot/etc/dovecot-sql.conf
  }
  userdb sql {
    args = /usr/local/dovecot/etc/dovecot-sql.conf
  }
  #userdb static {
  #  args = uid=1010 gid=1010 home=/var/vmail/%d/%n
  #}
  user = root

  # Postfix and Dovecot SASL authentication
  socket listen {
    client {
      # must match smtpd_sasl_path in the Postfix main.cf
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}

dovecot-sql.conf:

# Postfix and MySQL virtual user accounts
driver = mysql
default_pass_scheme = MD5
connect = host=/tmp/mysql.sock dbname=postfix user=postfix password=791346
password_query = SELECT password FROM mailbox WHERE username = '%u'
user_query = SELECT maildir, 1010 AS uid, 1010 AS gid FROM mailbox WHERE username = '%u'
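Several values in the two Dovecot files above deserve a second look before the server faces a network: auth_debug_passwords=yes writes every submitted password to the log in clear text, disable_plaintext_auth=no lets PLAIN/LOGIN be used on unencrypted POP3/IMAP sessions, dovecot-sql.conf embeds the MySQL password and so must not be readable by other users, and MD5 (MD5-crypt) is the weakest of the password schemes Dovecot offers. The POSIX shell script below is an added example, not part of the original article: it embeds constructed copies of the weak settings next to hardened counterparts and reports each weak setting it finds. The SHA512-CRYPT scheme in the hardened sample is an assumption about what your Dovecot version supports.

```shell
#!/bin/sh
# Added example (not from the article): audit dovecot.conf and dovecot-sql.conf
# for the weak settings used in this walkthrough. Sample files are constructed
# in temp files so the script runs stand-alone.

WEAK_DOVECOT_CONF="$(mktemp)"
cat > "$WEAK_DOVECOT_CONF" <<'EOF'
auth_debug_passwords=yes
protocols = pop3 pop3s imap imaps
disable_plaintext_auth = no
# SSL settings (Postfix with SSL/TLS)
ssl= yes
ssl_cert_file = /etc/postfix/mail_sign_cert.pem
EOF

WEAK_SQL_CONF="$(mktemp)"
cat > "$WEAK_SQL_CONF" <<'EOF'
driver = mysql
default_pass_scheme = MD5
connect = host=/tmp/mysql.sock dbname=postfix user=postfix password=791346
EOF
chmod 644 "$WEAK_SQL_CONF"    # world-readable, as a careless install often leaves it

# Hardened counterparts: same keys, safer values, private file mode.
HARD_DOVECOT_CONF="$(mktemp)"
cat > "$HARD_DOVECOT_CONF" <<'EOF'
auth_debug_passwords = no
protocols = pop3 pop3s imap imaps
disable_plaintext_auth = yes
ssl = yes
EOF

HARD_SQL_CONF="$(mktemp)"
cat > "$HARD_SQL_CONF" <<'EOF'
driver = mysql
default_pass_scheme = SHA512-CRYPT
EOF
chmod 600 "$HARD_SQL_CONF"

# get_setting KEY FILE: value of the first uncommented "KEY = value" line,
# tolerating the article's uneven spacing such as "ssl= yes".
get_setting() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1 | sed 's/[[:space:]]*$//'
}

# audit_dovecot DOVECOT_CONF SQL_CONF: one finding per line, no output when clean.
audit_dovecot() {
    conf="$1"; sqlconf="$2"
    if [ "$(get_setting auth_debug_passwords "$conf")" = "yes" ]; then
        echo "auth_debug_passwords=yes: user passwords are written to the log in clear text"
    fi
    if [ "$(get_setting disable_plaintext_auth "$conf")" = "no" ]; then
        echo "disable_plaintext_auth=no: PLAIN/LOGIN accepted on unencrypted pop3/imap sessions"
    fi
    if [ "$(get_setting default_pass_scheme "$sqlconf")" = "MD5" ]; then
        echo "default_pass_scheme=MD5: MD5-crypt mailbox hashes; prefer SHA512-CRYPT where supported"
    fi
    # group/other permission bits of the SQL file (columns 5-10 of ls -ld output)
    perm="$(ls -ld "$sqlconf" | cut -c5-10)"
    case "$perm" in
        *r*|*w*) echo "dovecot-sql.conf is readable or writable by group/other but embeds the MySQL password" ;;
    esac
    return 0
}

audit_dovecot "$WEAK_DOVECOT_CONF" "$WEAK_SQL_CONF"
```

Run it against the real files with audit_dovecot /usr/local/dovecot/etc/dovecot.conf /usr/local/dovecot/etc/dovecot-sql.conf after the install; an empty result means none of the four checks fired. The script reads settings rather than relying on Dovecot itself, so it also works on a config copied off a host for review.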

7、Postfix: apt-cache search postfix
Install postfix and postfix-mysql with apt-get. For a source build, the equivalent is:
make -f Makefile.init makefiles 'CCARGS=-DHAS_MYSQL -I/usr/local/mysql/include/mysql -DUSE_SASL_AUTH -DDEF_SERVER_SASL_TYPE="dovecot"' 'AUXLIBS=-L/usr/local/mysql/lib/mysql -lmysqlclient -lz -lm'
Note the space before AUXLIBS.
ldd postfix      # check for SASL support
postconf -m      # check for MySQL support
postconf -a      # check for Dovecot support
When I built from source, ldd postfix showed no sasl.so and authentication seemed not to work, so I installed it with apt instead.
groupadd postfix
groupadd postdrop
groupadd -g 1010 vmail
useradd -g postfix -s /usr/sbin/nologin -d /dev/null postfix
mkdir /var/vmail
useradd -u 1010 -g vmail -d /var/vmail vmail
chown vmail:vmail /var/vmail

main.cf:
# output of postconf -n
command_directory = /usr/sbin
config_directory = /etc/postfix
#daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/local/man
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
unknown_local_recipient_reject_code = 550

myhostname = mail.abc.com
mydomain = abc.com
myorigin = $mydomain
# note: this name must not also appear among the virtual domains, otherwise the two conflict
# (Postfix does not allow comments after a value, so the note sits on its own line)
mydestination = $myhostname
mynetworks = 127.0.0.0/8, 192.168.0.0/24
inet_interfaces = all
home_mailbox = Maildir/
# ---------------------- Postfix and MySQL virtual user accounts -------
virtual_mailbox_domains         = mysql:$config_directory/mysql_virtual_domains_maps.cf
# virtual user mailbox directory
virtual_mailbox_base            = /var/vmail
virtual_mailbox_maps            = mysql:$config_directory/mysql_virtual_mailbox_maps.cf
virtual_alias_maps              = mysql:$config_directory/mysql_virtual_alias_maps.cf
virtual_mailbox_limit_maps      = mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
virtual_minimum_uid             = 1010
virtual_uid_maps                = static:1010
virtual_gid_maps                = static:1010
virtual_transport               = virtual
dovecot_destination_recipient_limit = 1

# ------------------ Postfix and MySQL virtual user accounts END ---

# ------------------Postfix and Dovecot SASL Authentication ---------
smtpd_sasl_auth_enable          = yes
#smtpd_sasl_local_domain        = $myhostname
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_security_options     = noanonymous
broken_sasl_auth_clients        = yes
smtpd_sasl_type                 = dovecot
# Can be an absolute path, or relative to $queue_directory
smtpd_sasl_path                 = private/auth
# ---------------Postfix and Dovecot SASL Authentication END ------------

# ---------------------- Postfix with SSL/TLS ----------------------
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_CAfile                = /etc/postfix/cacert.pem
smtpd_tls_cert_file             = /etc/postfix/mail_sign_cert.pem
smtpd_tls_key_file              = /etc/postfix/mailkey.pem
# --------------------Postfix with SSL/TLS END ----------------------

smtpd_helo_required             = yes
disable_vrfy_command            = yes
non_fqdn_reject_code            = 450
invalid_hostname_reject_code    = 450
maps_rbl_reject_code            = 450
#unverified_sender_reject_code = 550
#header_checks                  = pcre:$config_directory/header_checks
#body_checks                    = pcre:$config_directory/body_checks
#warning: the restrictions reject_unknown_(sender|recipient)_domain
#will trigger if your DNS becomes unavailable
smtpd_recipient_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        reject_unauth_destination
        reject_invalid_helo_hostname
        warn_if_reject reject_non_fqdn_helo_hostname
        warn_if_reject reject_unknown_helo_hostname
        warn_if_reject reject_unknown_client
        reject_non_fqdn_sender
        reject_non_fqdn_recipient
        reject_unknown_sender_domain
        reject_unknown_recipient_domain
        reject_rbl_client zen.spamhaus.org
        reject_rbl_client bl.spamcop.net
        permit
smtpd_data_restrictions =
        reject_unauth_pipelining,
        reject_multi_recipient_bounce,
        permit

#Postfix and MySQL virtual user accounts :

mysql_virtual_alias_maps.cf :
user = postfix
password = 791346
hosts = 127.0.0.1
dbname = postfix
table = alias
select_field = goto
where_field = address
#hosts = unix:/tmp/mysql.sock

mysql_virtual_mailbox_maps.cf :
user = postfix
password = 791346
hosts = 127.0.0.1
dbname = postfix
table = mailbox
select_field = maildir
where_field = username
#hosts = unix:/tmp/mysql.sock

mysql_virtual_mailbox_limit_maps.cf :
user = postfix
password = 791346
hosts = 127.0.0.1
dbname = postfix
table = mailbox
select_field = quota
where_field = username
#hosts = unix:/tmp/mysql.sock

mysql_virtual_domains_maps.cf :
user = postfix
password = 791346
hosts = 127.0.0.1
dbname = postfix
table = domain
select_field = domain
where_field = domain
#hosts = unix:/tmp/mysql.sock

8、Issuing certificates with openssl:
Find CA.sh:
redhat: rpm -ql openssl | grep CA.sh
ubuntu: dpkg -L openssl | grep CA.sh
cd to that directory and run ./CA.sh -newca
It asks for an existing CA private key file. If there is none, press Enter and it creates one, asking for a passphrase to protect that key file. It then asks for your organization details to build CA.crt. Afterwards a ./demoCA directory appears in the current directory: ./demoCA/private/cakey.pem is the CA's key file and ./demoCA/cacert.pem is the CA's certificate, i.e. the CA root certificate.

The first step in producing a server certificate is to use the openssl tool to generate a public/private key pair for the server, then produce a certificate signing request (CSR) and hand the CSR with the public key to the CA for signing. The CA-signed public certificate can be distributed widely, but the private key must be guarded carefully. Many application systems store the private key encrypted in a special file and require a passphrase before it can be decrypted; this way of storing a key is called "sealing". Postfix, however, needs direct access to the private key and cannot use a sealed key, because the key is read at run time, when nobody is there to type the passphrase.

The openssl package ships a set of scripts that help generate key pairs and CSRs, but the keys they produce are "sealed", so generate the key pair with the openssl command directly:

openssl req -new -nodes -keyout mailkey.pem -out mailreq.pem -days 365
-new means generate a key pair and a CSR, -nodes means do not encrypt the key, and -keyout and -out name the private key file and the CSR file respectively. -days sets the certificate validity to one year.

openssl ca -out mail_sign_cert.pem -infiles mailreq.pem
This produces mail_sign_cert.pem, the certificate issued by the CA.
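The same issuance flow can be driven end to end with bare openssl commands, which makes it easy to check the two properties Postfix depends on: the issued certificate chains to the CA, and the private key is unsealed. The script below is an added example, not part of the original article: it stands in for CA.sh -newca with openssl req -x509 and for openssl ca with openssl x509 -req (that substitution is this example's choice), uses the article's file names (cacert.pem, mailkey.pem, mailreq.pem, mail_sign_cert.pem), and works in a temporary directory with constructed subject names.

```shell
#!/bin/sh
# Added example (not from the article): build a private CA, issue an unsealed
# server key and CA-signed certificate for mail.abc.com, and verify the result.
# Requires the openssl command; all files live in a fresh temp directory.

WORK="$(mktemp -d)"

# make_ca DIR: self-signed CA key and certificate (the article's cacert.pem).
make_ca() {
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 3650 \
        -subj "/CN=abc.com demo CA" \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" >/dev/null 2>&1
    chmod 600 "$1/cakey.pem"
}

# make_server_key_and_csr DIR: unencrypted key (-nodes) plus CSR for the mail host,
# the same "openssl req -new -nodes" step the article uses.
make_server_key_and_csr() {
    openssl req -new -nodes -newkey rsa:2048 \
        -subj "/CN=mail.abc.com" \
        -keyout "$1/mailkey.pem" -out "$1/mailreq.pem" >/dev/null 2>&1
    chmod 600 "$1/mailkey.pem"   # Postfix reads it as root; nobody else needs it
}

# sign_csr DIR: the CA signs the CSR, producing mail_sign_cert.pem.
sign_csr() {
    openssl x509 -req -in "$1/mailreq.pem" -days 365 \
        -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" -CAcreateserial \
        -out "$1/mail_sign_cert.pem" >/dev/null 2>&1
}

# verify_chain DIR: prints OK when the server cert validates against the CA cert.
verify_chain() {
    if openssl verify -CAfile "$1/cacert.pem" "$1/mail_sign_cert.pem" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# key_is_unsealed DIR: prints yes when mailkey.pem carries no passphrase
# protection, which is what Postfix needs to read it at run time.
key_is_unsealed() {
    if grep -q "ENCRYPTED" "$1/mailkey.pem"; then echo no; else echo yes; fi
}

# key_matches_cert DIR: prints yes when the private key's public half is the
# public key inside the issued certificate.
key_matches_cert() {
    k="$(openssl pkey -in "$1/mailkey.pem" -pubout 2>/dev/null | openssl md5)"
    c="$(openssl x509 -in "$1/mail_sign_cert.pem" -pubkey -noout 2>/dev/null | openssl md5)"
    if [ -n "$k" ] && [ "$k" = "$c" ]; then echo yes; else echo no; fi
}

make_ca "$WORK"
make_server_key_and_csr "$WORK"
sign_csr "$WORK"
echo "chain: $(verify_chain "$WORK")  unsealed key: $(key_is_unsealed "$WORK")  key matches cert: $(key_matches_cert "$WORK")"
```

The three check functions are the ones worth re-running after copying the files into /etc/postfix: verify_chain confirms smtpd_tls_CAfile and smtpd_tls_cert_file belong together, key_is_unsealed catches a key that was accidentally generated without -nodes, and key_matches_cert catches a key/certificate mix-up before Postfix logs a TLS error at the first connection.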

9、Start the services
/etc/init.d/networking start
/usr/local/named/sbin/named &
/usr/local/mysql/bin/mysqld_safe --user=mysql &
/usr/local/dovecot/sbin/dovecot &
postfix start
Test POP3:
telnet localhost 110
user alice@abc.com
pass alice
login ok
Test SMTP:
telnet localhost 25
ehlo localhost

10、ClamAV
./configure --prefix=/usr/local/clamav
make
make install
Configure clamd.conf and freshclam.conf: put a # in front of the Example line
# Comment or remove the line below.
#Example
/usr/local/clamav/bin/freshclam

11、SpamAssassin
cd Mail-SpamAssassin-*
perl Makefile.PL
make
make install

12、MailScanner
./install.sh
Edit the MailScanner settings in MailScanner.conf:
%org-name% = your organization name
%org-long-name% = your full organization name
Run As User = postfix
Run As Group = postfix
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
Incoming Work Group = clamav
Incoming Work Permissions = 0640
MTA = postfix
Virus Scanners = clamd
Clamd Socket = /tmp/clamd.sock
Use SpamAssassin = yes
SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin
Edit the Postfix settings in main.cf:
header_checks = regexp:/etc/postfix/header_checks
Contents of header_checks:
/^Received:/ HOLD
#mkdir /var/spool/MailScanner
#mkdir /var/spool/MailScanner/incoming
#mkdir /var/spool/MailScanner/quarantine
#chown -R postfix:clamav /var/spool/MailScanner