Building a complete mail system (postfix+dovecot+clamAV+Spamassassin+amavisd-new)

Date: 2023-06-02 16:16:41

Software used:

1. Sending mail --- postfix
2. Authentication --- sasl2
3. Receiving mail --- dovecot
4. Anti-virus --- clamAV
5. Anti-spam --- spamassassin
6. Controller for the virus and spam scanners --- amavisd-new

============================
Open issues still to be resolved:
1. Permission settings for bulk mailing
2. Quota limits for user mailboxes
============================

Overview of the complete mail system architecture

A complete mail system should provide the following functions:

Basic functions: sending mail, receiving mail
Security functions: authentication for sending and receiving mail, anti-virus, anti-spam

The flow chart of the complete mail system architecture is as follows:

(flow chart image)

Installing and configuring the software

1. Install postfix with support for MySQL lookups

    # aptitude install postfix postfix-mysql

2. Check that postfix supports MySQL as an external database for authentication

    # postconf -m
    btree
    cidr
    environ
    hash
    internal
    mysql
    nis
    proxy
    regexp
    sdbm
    static
    tcp
    unix

3. Check which SASL authentication types postfix supports

    # postconf -a
    cyrus
    dovecot

4. Install Cyrus SASL authentication

    # aptitude install sasl2-bin libsasl2-modules-sql

5. Edit /etc/default/saslauthd

    START=no ====> START=yes

6. Restart saslauthd and verify that it works

    # /etc/init.d/saslauthd restart
    # testsaslauthd -u {username} -p {password}

If the following result appears, saslauthd is running and can serve authentication requests; otherwise check the username and password and try again.

    0: OK "Success."

Note: {username} and {password} are the username and password of a Linux system login.

7. Enable SASL authentication in postfix

Edit /etc/postfix/main.cf and append the following:

    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_security_options = noanonymous

8. Edit /etc/postfix/master.cf so that postfix does not run these services in a chroot

    smtp      inet  n       -       -       -       -       smtpd
    rewrite   unix  -       -       -       -       -       trivial-rewrite
    cleanup   unix  n       -       -       -       0       cleanup

==========>>>>>>

    smtp      inet  n       -       n       -       -       smtpd
    rewrite   unix  -       -       n       -       -       trivial-rewrite
    cleanup   unix  n       -       n       -       0       cleanup

Reason for this setting: without it, sending mail always fails with the following errors:

    postfix/trivial-rewrite[10698]: warning: connect to mysql server localhost: Cant connect to local MySQL server through socket /var/run/mysqld/mysqld.sock
    postfix/trivial-rewrite[10698]: fatal: mysql:/etc/postfix/mysql_virtual_alias_maps.cf(0,lock|fold_fix): table lookup problem
    postfix/smtpd[10394]: warning: problem talking to service rewrite: Success
    postfix/master[10386]: warning: process /usr/lib/postfix/trivial-rewrite pid 10698 exit status 1
    postfix/smtpd[10697]: warning: problem talking to service rewrite: Connection reset by peer
    postfix/master[10386]: warning: /usr/lib/postfix/trivial-rewrite: bad command startup -- throttling

9. Install MySQL, create the database and table, and insert data

    # aptitude install mysql-client mysql-server
    # mysql -u root -p

Enter the password, then:

    # sql> create database mail;
    # sql> create table mail.users( id int(8) primary key auto_increment, username varchar(50), password varchar(50), domain varchar(50), quota int(10), maildir varchar(200));
    # sql> insert into mail.users(username,password,domain,maildir,quota) values('test','test','tiddy.com','tiddy.com/test/',16000);
    # sql> commit;

10. Change the method postfix uses for SASL authentication (pam/shadow/sql/ldap). Create the file smtpd.conf in the directory /etc/postfix/sasl with the following content:

    pwcheck_method: auxprop
    auxprop_plugin: sql
    mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
    sql_engine: mysql
    sql_hostnames: 127.0.0.1
    sql_user: root
    sql_passwd: tiddy
    sql_database: mail
    sql_select: SELECT password FROM users WHERE username = '%u'

11. Install telnet on the postfix host and test

    # aptitude install telnet
    # telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is ^].
    220 mail.tiddy.com ESMTP Postfix (Debian/GNU)
    auth login
    334 VXNlcm5hbWU6
    dGVzdA==
    334 UGFzc3dvcmQ6
    dGVzdA==
    235 2.7.0 Authentication successful
    mail from:
    250 2.1.0 Ok
    rcpt to:
    250 2.1.5 Ok
    data
    354 End data with .
    Subject: alskdjlasd
    lasdjflasdf
    .
    250 2.0.0 Ok: queued as 4C1FB440E6

postfix SASL authentication against MySQL succeeded.

Note: the two dGVzdA== lines above (highlighted in red in the original) are the Base64-encoded username (test) and password (test).

12. Install the POP3 software dovecot

    # aptitude install dovecot-pop3d

13. Create the virtual user (so that this user has permission to access the mail storage directory)

    # groupadd -g 5000 vmail
    # useradd -u 5000 -g 5000 vmail -d /var/vmail -m

14. Configure dovecot

Edit /etc/dovecot/dovecot.conf. The main changes are:

1) Remove the comment marker (#)

    base_dir = /var/run/dovecot

2) Protocols served by dovecot

    protocols = pop3 pop3s

3) Interfaces dovecot listens on (*: listen on all network interfaces)

    listen = *

4) Enable plaintext password authentication (mail fetched over the pop3 protocol is authenticated with a plaintext password)

    disable_plaintext_auth = no

5) Log file

    log_path = /var/log/dovecot.log

6) Debug log file

    info_log_path = /var/log/dovecot.info

7) Prefix for each log line

    log_timestamp = "%Y-%m-%d %H:%M:%S "

8) Path on the server from which mail is fetched when a client uses the pop3 protocol

    mail_location = maildir:/var/vmail/%d/%n/

9) Whether debug is enabled (use it during testing; best turned off once the system is in production)

    mail_debug = yes

10) dovecot pop3 authentication

    auth default {
      # Authentication mechanisms
      mechanisms = plain login
      # How passwords are looked up during authentication (SQL query)
      passdb sql {
        # Path for SQL configuration file
        args = /etc/dovecot/dovecot-sql.conf
      }
      # How users are looked up during authentication (SQL query)
      userdb sql {
        # Path for SQL configuration file
        args = /etc/dovecot/dovecot-sql.conf
      }
      # Client socket to listen on, so that authentication requests from clients are picked up
      socket listen {
        client {
          path = /var/spool/postfix/private/auth
          mode = 0660
          user = postfix
          group = postfix
        }
      }
    }

15. Edit /etc/dovecot/dovecot-sql.conf

1) Database driver

    driver = mysql

2) Database connection information

    connect = host=localhost dbname=mail user=root password=tiddy

3) Password scheme used in the database (PLAIN: plaintext, not hashed)

    default_pass_scheme = PLAIN

4) Database queries

    password_query = SELECT username, domain, password FROM users WHERE username = '%n'
    user_query = SELECT maildir, 5000 AS uid, 5000 AS gid FROM users WHERE username = '%n'

16. Edit /etc/postfix/main.cf again (note: some of this content already exists or was added earlier; make sure not to add it twice)

    ######################## Basic configuration ##########################
    myhostname = postfixsvr
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = tiddy.com
    relayhost =
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    # We use the virtual_mailbox_domains variable to decide which domains' mail can be delivered, so these are commented out
    #relay_domains = tiddy.com
    #mydestination = tiddy.com
    ##################### Enable SASL Auth ########################
    # Make Postfix use SASL authentication.
    smtpd_sasl_auth_enable = yes
    # Let SASL support the authentication behaviour of non-standard e-mail clients.
    broken_sasl_auth_clients = yes
    # Do not use the ANONYMOUS mechanism.
    smtpd_sasl_security_options = noanonymous
    # Restrictions on recipients and senders (permit authenticated users and local network users, i.e. clients in the networks defined by mynetworks; reject everything else)
    smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject
    # Client restrictions (permit authenticated clients and local network clients, i.e. clients in the networks defined by mynetworks; reject everything else)
    smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, reject
    # Authentication type
    smtpd_sasl_type = dovecot
    # SASL authentication path (must match the end of the path in the socket listen section of /etc/dovecot/dovecot.conf)
    smtpd_sasl_path = private/auth
    ############################### Virtual mailboxes #####################################
    # Root path of the virtual mailboxes
    virtual_mailbox_base = /var/vmail
    # Virtual mailbox lookup table
    virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
    # Virtual domains
    virtual_mailbox_domains = tiddy.com
    # Virtual alias lookup table (user mailbox aliases and mail groups are both decided by this parameter; a group is one form of alias)
    virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
    # Which users can access the virtual mailboxes
    virtual_uid_maps = static:5000
    virtual_gid_maps = static:5000
    ########################### Mail delivery agent #################################
    virtual_transport = virtual
    ########################## Mailbox size limits ################################
    # Maximum size of each message (10M). The postfix default is 10M, but this is the total of the message body and
    # the encoded attachments; base64 encoding increases attachment size by about 35%, so the message size is set to 14M here
    message_size_limit = 14336000
    # Set to yes if Courier maildir++ quotas are used; the default is no
    virtual_maildir_extended = yes
    virtual_create_maildirsize = yes
    # Default mailbox size limit
    virtual_mailbox_limit = 16000000
    # Whether the default mailbox size setting may be overridden.
    virtual_mailbox_limit_override = yes
    # no limits the whole maildir, yes limits only the inbox; the default is no
    virtual_mailbox_limit_inbox = no
    # Per-user limits
    virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
    # Message shown when a user exceeds the quota, used when 'virtual_maildir_limit_message_maps' is not set
    virtual_maildir_limit_message = Sorry, overquota
    # yes returns a 5xx error; no returns a 4xx error and the mail is still put in the queue
    virtual_overquota_bounce = yes
    # Whether the trash folder is counted towards the quota; this option needs virtual_trash_name; the default is no
    virtual_trash_count = no
    # Name of the trash folder; the default is .Trash
    virtual_trash_name = ".Trash"

17. Create the related files

(1) Create the file /etc/postfix/mysql_virtual_mailbox_maps.cf with the following content (the content is in effect a database query; the meaning of each statement is not explained further):

    user = root
    password = tiddy
    hosts = localhost
    dbname = mail
    table = users
    select_field = maildir
    where_field = username

(2) Create the file /etc/postfix/mysql_virtual_alias_maps.cf with the following content (the content is in effect a database query; the meaning of each statement is not explained further):

    user = root
    password = tiddy
    hosts = localhost
    dbname = mail
    table = alias
    select_field = goto
    where_field = address

18. Database structure

Database name: mail

Table users( id int(8) primary key auto_increment, username varchar(50), password varchar(50), domain varchar(50), quota int(10), maildir varchar(200))

Table alias( id int(8) primary key auto_increment, address varchar(100), goto varchar(5000), isgroup int(2))

Notes:

(1) Whether the mail storage path saved in the maildir field of table users ends with a / decides how mail is stored: with / it is stored in maildir format, without / it is stored in mailbox format.

(2) The goto field of table alias is the target mailbox to which mail for the alias address is actually forwarded. For group forwarding, the goto field may hold several mailbox addresses, separated by semicolons.

----------------------------------------------------------------- The above is the installation and configuration of the basic mail system -----------------------------------------------------------------

----------------------------------------------------------------- The following completes the basic mail system (anti-virus and anti-spam handling) -----------------------------------------------------------------

1. Install the anti-virus software (ClamAV), the anti-spam software (SpamAssassin) and their dependencies

    # apt-get install libnet-dns-perl pyzor razor arj bzip2 cabextract cpio file gzip lha nomarch pax rar unrar unzip zip
    # apt-get install amavisd-new spamassassin clamav-daemon

2. Change user group membership

    # usermod -a -G clamav amavis
    # usermod -a -G amavis clamav

3. Edit the spamassassin configuration file /etc/default/spamassassin

    ENABLED=0 ====> ENABLED=1
    CRON=0 ====> CRON=1

4. Start spamassassin

    # /etc/init.d/spamassassin start

5. Edit the amavis configuration file /etc/amavis/conf.d/15-content_filter_mode

Uncomment the following lines (purpose: check for viruses and spam):

    @bypass_virus_checks_maps = (
       \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
    @bypass_spam_checks_maps = (
       \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

6. Edit the postfix configuration file /etc/postfix/main.cf, comment out mydestination, and add the following:

    # Pass mail received by postfix to amavis for scanning
    content_filter = smtp-amavis:[127.0.0.1]:10024

7. Edit /etc/postfix/master.cf and append the following at the end of the file (note: each -o must be preceded by at least two spaces, which makes it a logical continuation of the previous line)

    smtp-amavis unix - - - - 2 smtp
      -o smtp_data_done_timeout=1200
      -o smtp_send_xforward_command=yes
      -o disable_dns_lookups=yes
      -o max_use=20
    127.0.0.1:10025 inet n - - - - smtpd
      -o content_filter=
      -o local_recipient_maps=
      -o relay_recipient_maps=
      -o smtpd_restriction_classes=
      -o smtpd_delay_reject=no
      -o smtpd_client_restrictions=permit_mynetworks,reject
      -o smtpd_helo_restrictions=
      -o smtpd_sender_restrictions=
      -o smtpd_recipient_restrictions=permit_mynetworks,reject
      -o smtpd_data_restrictions=reject_unauth_pipelining
      -o smtpd_end_of_data_restrictions=
      -o mynetworks=127.0.0.0/8
      -o smtpd_error_sleep_time=0
      -o smtpd_soft_error_limit=1001
      -o smtpd_hard_error_limit=1000
      -o smtpd_client_connection_count_limit=0
      -o smtpd_client_connection_rate_limit=0
      -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

8. In /etc/postfix/master.cf, add the following to the pickup line (note: each -o must be preceded by at least two spaces, which makes it a logical continuation of the previous line)

      -o content_filter=
      -o receive_override_options=no_header_body_checks

9. Restart postfix

    # /etc/init.d/postfix reload

10. How amavis handles the relevant mail (viruses, spam and so on): edit /etc/amavis/conf.d/20-debian_defaults

For the meaning of the following parameters, see my other article, "Mail systems: introduction, installation and configuration of amavisd-new".

    $final_spam_destiny = D_BOUNCE ===> $final_spam_destiny = D_DISCARD
    $QUARANTINEDIR = "/data/virusmails";

11. Edit /etc/amavis/conf.d/05-node_id (if it is not changed to the following form, starting some of the mail system's software always reports errors in /var/log/mail.log and the software does not start properly)

    $myhostname = "mail.tiddy.com";

12. Edit /etc/amavis/conf.d/50-user and add the following (note: it must not be added at the very end of the file):

    # Directory where spam and virus mail is stored (spam-quarantine corresponds to the variable $QUARANTINEDIR in /etc/amavis/conf.d/20-debian_defaults)
    # With the settings here, spam and virus mail is saved in /data/virusmails
    $spam_quarantine_to = "spam-quarantine";
    $virus_quarantine_to = "spam-quarantine";
    # Blacklist and whitelist settings
    @whitelist_sender_maps = read_hash("/etc/amavis/whitelist");
    @blacklist_sender_maps = read_hash("/etc/amavis/blacklist");

13. Create the files blacklist and whitelist in the directory /etc/amavis

    # touch /etc/amavis/whitelist
    # touch /etc/amavis/blacklist

14. Restart all services

    # /etc/init.d/clamav-daemon restart
    # /etc/init.d/clamav-freshclam restart
    # /etc/init.d/spamassassin restart
    # /etc/init.d/amavis restart
    # /etc/init.d/postfix restart
    # /etc/init.d/dovecot restart
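The note in step 11 says the AUTH LOGIN lines are only Base64-encoded. As an added example (not part of the original article), this shell function decodes such an exchange, which shows why the login should only be offered over an encrypted connection; the function name decode_auth_login is hypothetical and the sample lines are copied from the step 11 session.

```shell
#!/bin/sh
# decode_auth_login: read an SMTP transcript on stdin. Every "334 <base64>"
# server prompt is followed by one client line that is plain Base64, so both
# can be decoded without any key. Prints "<prompt> <value>" per pair.
decode_auth_login() {
    prompt=""
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')      # tolerate CRLF captures
        case $line in
            "334 "*)
                # server challenge, e.g. VXNlcm5hbWU6 -> "Username:"
                prompt=$(printf '%s' "${line#334 }" | base64 -d 2>/dev/null)
                ;;
            *)
                if [ -n "$prompt" ]; then
                    # client answer to the preceding challenge
                    value=$(printf '%s' "$line" | base64 -d 2>/dev/null)
                    printf '%s %s\n' "$prompt" "$value"
                    prompt=""
                fi
                ;;
        esac
    done
}

# Lines taken from the telnet session in step 11.
SAMPLE='220 mail.tiddy.com ESMTP Postfix (Debian/GNU)
auth login
334 VXNlcm5hbWU6
dGVzdA==
334 UGFzc3dvcmQ6
dGVzdA==
235 2.7.0 Authentication successful'

printf '%s\n' "$SAMPLE" | decode_auth_login
```
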
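Several values in the steps above are test settings (plaintext logins, unhashed passwords, debug logging, lookups as MySQL root). As an added example (not part of the original article), this shell check reports any of them that are still active in the given files; the function names and finding messages are hypothetical, and the sample files are constructed from the values on this page.

```shell
#!/bin/sh
# audit_mail_conf FILE...: print "file:line: finding" for each test-only
# setting from the walkthrough that is still active; returns 1 if any is found.
audit_mail_conf() {
    awk '
        function hit(msg) { printf "%s:%d: %s\n", FILENAME, FNR, msg; n++ }
        /^[ \t]*#/ { next }    # commented-out settings are not active
        /^[ \t]*disable_plaintext_auth[ \t]*=[ \t]*no/ { hit("plaintext logins accepted without TLS") }
        /^[ \t]*default_pass_scheme[ \t]*=[ \t]*PLAIN/ { hit("passwords stored unhashed in the users table") }
        /^[ \t]*mail_debug[ \t]*=[ \t]*yes/ { hit("debug logging still enabled") }
        /^[ \t]*(sql_user:|user[ \t]*=)[ \t]*root[ \t]*$/ { hit("lookups run as MySQL root") }
        /^[ \t]*connect[ \t]*=.*user=root/ { hit("lookups run as MySQL root") }
        END { exit (n > 0) }
    ' "$@"
}

# Constructed sample files holding the values the steps above put in place.
make_sample() {
    printf '%s\n' 'disable_plaintext_auth = no' 'mail_debug = yes' \
        '#default_pass_scheme = PLAIN' >"$1/dovecot.conf"
    printf '%s\n' 'driver = mysql' \
        'connect = host=localhost dbname=mail user=root password=tiddy' \
        'default_pass_scheme = PLAIN' >"$1/dovecot-sql.conf"
    printf '%s\n' 'pwcheck_method: auxprop' 'sql_user: root' >"$1/smtpd.conf"
    printf '%s\n' 'user = root' 'dbname = mail' >"$1/mysql_virtual_mailbox_maps.cf"
}

demo=$(mktemp -d)
make_sample "$demo"
audit_mail_conf "$demo"/* || echo "test-only settings are still active"
rm -rf "$demo"
```

Each finding has a direct replacement before the server takes real mail: a dedicated MySQL account with SELECT on the mail tables only, a hashed default_pass_scheme, disable_plaintext_auth = yes with TLS configured, and mail_debug = no.
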
