
Deploying a mail system with Postfix and Dovecot

Postfix is a mail server written by Wietse Venema, a Dutch researcher at IBM's T.J. Watson Research Center, as an improvement over the sendmail mail server. It first appeared in the late 1990s and is open-source software.

Postfix is MTA (mail transfer agent) software that Wietse Venema developed at IBM under the GPL. It was Venema's attempt to provide an alternative to sendmail, the most widely used MTA: most e-mail on the Internet is delivered by sendmail, with roughly one million sendmail installations delivering hundreds of millions of messages a day, which is a startling figure. Postfix aims to be faster, easier to administer and more secure while staying sufficiently compatible with sendmail.

Mail server overview

◆Common mail servers◆

Sendmail: the oldest; stable in operation, but weak on security.
Postfix: modular design; excellent delivery efficiency, stability, performance and security; sufficiently compatible with sendmail.
Qmail: modular design; fast and efficient, but somewhat more complex to configure.

◆Features of Postfix◆

1. Free and open source, and compatible with sendmail.
2. Good performance: roughly three times faster than sendmail; a desktop PC running Postfix can send and receive over a million messages a day.
3. Security: Postfix has a multi-layered defensive structure that effectively resists intruders, and it can run with reduced privileges.
4. Flexibility: Postfix consists of more than a dozen small programs, each performing one specific function, and the runtime parameters of each can be set in the configuration.
5. Robustness and stability: Postfix is designed to keep working under heavy load. When the system runs out of memory or disk space, Postfix automatically reduces the number of running processes, and the number of processes does not grow as the volume of mail increases.

◆How Postfix processes mail◆

1. A client sends a message to the mail server through Outlook or a web client. The server first checks whether the message is addressed to the local domain or to another domain.

2. If it is for the local domain it is stored directly in the mailbox. When another user comes online and wants to collect the message, Dovecot verifies the user's identity against the database; once verified, the MRA serves the mailbox over POP3 or IMAP4 and hands the message to the user.

3. If it is for another domain, the user's identity is verified before relaying, to decide whether to relay on their behalf. Verification uses the SASL library; since user information lives in the database, an intermediate layer, authlib, queries the database on SASL's behalf. This "sender authentication" allows relaying when it succeeds and refuses it when it fails.

4. When the mail server is accessed through a browser (Extmail/Foxmail), the message is likewise relayed to other domains or placed in the mailbox, with the user verified against the database.

◆Roles in a mail system◆

MUA: mail user agent (Outlook)
MTA: mail transfer agent (sendmail, qmail, postfix)
MDA: mail delivery agent (maildrop)
MRA: mail retrieval agent (dovecot)

postfix: the sending (mail transfer) server.
dovecot: the receiving (mail retrieval) server.
extmail: sending and receiving mail through a web interface.
extman: the web page on which users register; the companion to extmail.
mysql: stores user account information.
cyrus-sasl, courier-authlib: user authentication.

◆Protocols used by mail applications◆

1. SMTP, Simple Mail Transfer Protocol, TCP port 25, or TCP port 465 when encrypted (sending mail). Whether a client submits mail to a server or a server relays mail to another server, the sending side uses SMTP.
2. POP3, Post Office Protocol version 3, TCP port 110, or TCP port 995 when encrypted (receiving mail). Messages are first downloaded from the server to the local machine, and all further operations happen locally.
3. IMAP4, Internet Message Access Protocol version 4, TCP port 143, or port 993 when encrypted (more flexible than POP3). After the client and server have synchronised, messages are processed on the server side; this enables more functionality, such as viewing message details, at the cost of higher server resource consumption.

[Quick reference]

SMTP  Simple Mail Transfer Protocol (sending)           TCP port 25, TCP port 465 when encrypted
POP3  Post Office Protocol version 3 (receiving)        TCP port 110, TCP port 995 when encrypted
IMAP4 Internet Message Access Protocol v4 (receiving)   TCP port 143, TCP port 993 when encrypted

Deploying the mail system with Postfix and Dovecot

◆Configuring DNS name resolution◆

First we configure bind to provide DNS name resolution for clients.

1. Install bind to provide the resolution service

[[email protected] ~]# yum install -y bind
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager.
Server                                                                            00:00:00
Resolving Dependencies
--> Running transaction check
---> Package bind.x86_64 32:9.9.4-61.el7 will be installed
--> Processing Dependency: bind-libs = 32:9.9.4-61.el7
......
Installed:
  bind.x86_64 32:9.9.4-61.el7
Dependency Installed:
  bind-libs.x86_64 32:9.9.4-61.el7
Complete!
[[email protected] ~]#

2. Edit the DNS configuration: the main configuration file first, then the zone declaration and zone data files in the following steps. The stock named.conf also has recursion enabled, so with allow-query { any; } the server becomes an open recursive resolver if it is reachable from outside; limit recursion to the LAN with allow-recursion { 192.168.1.0/24; }; or keep the server off the Internet.

[[email protected] ~]# vim /etc/named.conf

 12 options {
 13         listen-on port 53 { any; };                                  # listen on all IPv4 addresses
 14         listen-on-v6 port 53 { any; };                               # listen on all IPv6 addresses
 15         directory       "/var/named";
 16         dump-file       "/var/named/data/cache_dump.db";
 17         statistics-file "/var/named/data/named_stats.txt";
 18         memstatistics-file "/var/named/data/named_mem_stats.txt";
 19         allow-query     { any; };                                    # answer queries from any client
 20
 21         /*
3. Declare the zone in named.rfc1912.zones (it can also be appended to the bottom of named.conf)

[[email protected] ~]# vim /etc/named.rfc1912.zones

 42
 43 zone "lyshark.com" IN {                                         # add this zone
 44         type master;                                            # this server is the master DNS for the zone
 45         file "lyshark.com.zone";                                # name of the zone data file under /var/named
 46         allow-update {none;};                                   # no dynamic updates
 47 };

4. Copy the default zone file to lyshark.com.zone and add the mail exchanger (MX) record

[[email protected] ~]# cd /var/named/
[[email protected] named]#
[[email protected] named]# ls
data  dynamic  named.ca  named.empty  named.localhost  named.loopback  slaves
[[email protected] named]#
[[email protected] named]# cp -a named.localhost lyshark.com.zone
[[email protected] named]#
[[email protected] named]# ls
data  dynamic  lyshark.com.zone  named.ca  named.empty  named.localhost  named.loopback  slaves
[[email protected] named]#
[[email protected] named]# vim lyshark.com.zone

  1 $TTL 1D
  2 @       IN SOA  dns.lyshark.com. root.lyshark.com. (
  3                                         0       ; serial
  4                                         1D      ; refresh
  5                                         1H      ; retry
  6                                         1W      ; expire
  7                                         3H )    ; minimum
  8         NS      dns.lyshark.com.
  9         MX 3    mail.lyshark.com.
 10 dns     A       127.0.0.1
 11 mail    A       192.168.1.20

The named.localhost template ends with an "AAAA ::1" line that has a blank owner field. Delete it: a blank owner inherits the owner of the previous record, so left in place it would publish ::1 as a second address for mail.lyshark.com and IPv6-capable clients would try their own loopback first.

5. Restart the named service and enable it at boot

[[email protected] named]# systemctl restart named
[[email protected] named]# systemctl enable named

6. On another computer, point the DNS server setting at this machine and test that the name resolves

C:\Users\LyShark>ping 192.168.1.20

正在 Ping 192.168.1.20 具有 32 位元組的資料:
來自 192.168.1.20 的回覆: 位元組=32 時間<1ms TTL=64

C:\Users\LyShark>nslookup mail.lyshark.com
伺服器:  UnKnown
Address:  192.168.1.20

名稱:    mail.lyshark.com
Addresses:  ::1
          192.168.1.20

C:\Users\LyShark>
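Added example, not part of the original post: a minimal reader for the record lines of a BIND zone file that shows the rule behind the ::1 answer in the nslookup output above. A record line that starts with whitespace has no owner field and reuses the owner of the previous record, so the "AAAA ::1" line that the named.localhost template ends with attaches to "mail" unless it is removed. The zone text is a constructed copy of the records from step 4 with the SOA left out.

```python
"""Minimal parser for BIND zone record lines (added example, not BIND code).
Handles ';' comments, $-directives (skipped), an optional numeric TTL and
class before the type, and owner inheritance for lines starting with space."""

# Constructed copy of the zone's record lines, including the AAAA line
# that the named.localhost template ends with.
ZONE_TEXT = """\
$TTL 1D
        NS      dns.lyshark.com.
        MX 3    mail.lyshark.com.
dns     A       127.0.0.1
mail    A       192.168.1.20
        AAAA    ::1
"""

RR_TYPES = {"A", "AAAA", "NS", "MX", "CNAME", "TXT", "PTR"}
CLASSES = {"IN", "CH", "HS"}

def qualify(owner, origin):
    """Turn an owner field into a fully qualified name under origin."""
    if owner == "@":
        return origin
    return owner if owner.endswith(".") else f"{owner}.{origin}"

def parse_records(text, origin="lyshark.com."):
    """Return (owner, type, rdata) tuples for every record line."""
    records, owner = [], "@"
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]            # ';' starts a comment
        if not line.strip() or line.lstrip().startswith("$"):
            continue                           # blank line or directive
        fields = line.split()
        if not raw[0].isspace():               # owner present; otherwise inherited
            owner = fields.pop(0)
        while fields and (fields[0].isdigit() or fields[0] in CLASSES):
            fields.pop(0)                      # drop optional TTL / class
        if not fields or fields[0] not in RR_TYPES:
            raise ValueError(f"cannot parse record line: {raw!r}")
        records.append((qualify(owner, origin), fields[0], " ".join(fields[1:])))
    return records

def addresses_for(records, name):
    """All A/AAAA rdata the zone publishes for name."""
    return [rd for n, t, rd in records if n == name and t in ("A", "AAAA")]

if __name__ == "__main__":
    recs = parse_records(ZONE_TEXT)
    print(addresses_for(recs, "mail.lyshark.com."))   # ['192.168.1.20', '::1']
```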

◆Configuring the Postfix service◆

Postfix is a free, open-source mail service program developed with IBM's sponsorship. It is highly compatible with sendmail, so sendmail users can be migrated to Postfix easily; its sending and receiving capacity exceeds sendmail's, and it automatically increases or decreases the number of processes to keep the mail server running efficiently. Postfix is composed of many small modules, which makes functions easy to add, extend and remove and improves availability, so users can combine them flexibly.

1. Install the postfix service program (RHEL 7 ships with it by default; this is only a demonstration)

[[email protected] ~]# yum install -y postfix

Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager.
Package 2:postfix-2.10.1-6.el7.x86_64 already installed and latest version
Nothing to do

2. Set the host name of the mail system. Line 76 holds the myhostname parameter, which stores the server's host name; uncomment it and set it to mail.lyshark.com. Keep in mind that main.cf has no trailing comments: a '#' after a value becomes part of the value, so any notes go on their own line.

[[email protected] ~]# vim /etc/postfix/main.cf

 68 # INTERNET HOST AND DOMAIN NAMES
 69 #
 70 # The myhostname parameter specifies the internet hostname of this
 71 # mail system. The default is to use the fully-qualified domain name
 72 # from gethostname(). $myhostname is used as a default value for many
 73 # other configuration parameters.
 74 #
 75 #myhostname = host.domain.tld
 76 myhostname = mail.lyshark.com
 77

3. Set the domain of the mail system. Line 83 holds the mydomain parameter, which defines the mail domain; uncomment it and set it to lyshark.com.

[[email protected] ~]# vim /etc/postfix/main.cf

 78 # The mydomain parameter specifies the local internet domain name.
 79 # The default is to use $myhostname minus the first component.
 80 # $mydomain is used as a default value for many other configuration
 81 # parameters.
 82 #
 83 mydomain = lyshark.com
 84

4. Set the domain that is appended to mail sent from this host. Line 99 holds the myorigin parameter; uncomment it so that addresses of local senders take the form <user>@lyshark.com. Leave line 98 commented: when a parameter is set twice the last setting wins, so uncommenting both lines is redundant.

[[email protected] ~]# vim /etc/postfix/main.cf

 94 # For the sake of consistency between sender and recipient addresses,
 95 # myorigin also specifies the default domain name that is appended
 96 # to recipient addresses that have no @domain part.
 97 #
 98 #myorigin = $myhostname
 99 myorigin = $mydomain
100

5. Set the network interfaces to listen on. The inet_interfaces parameter is enabled at line 116 in the stock file and listens on localhost only; comment that line out and uncomment line 113 so that Postfix accepts SMTP on all of the host's addresses.

[[email protected] ~]# vim /etc/postfix/main.cf

108 # See also the proxy_interfaces parameter, for network addresses that
109 # are forwarded to us via a proxy or network address translator.
110 #
111 # Note: you need to stop/start Postfix when this parameter changes.
112 #
113 inet_interfaces = all
114 #inet_interfaces = $myhostname
115 #inet_interfaces = $myhostname, localhost
116 #inet_interfaces = localhost
117

6. Set the host and domain names for which mail is accepted. Line 164 holds the mydestination parameter, a list of host or domain names whose mail is delivered locally; comment out line 164 and uncomment line 165, which reuses the myhostname and mydomain variables defined above (the literal values can be written instead of the variables).

[[email protected] ~]# vim /etc/postfix/main.cf

156 # Specify a list of host or domain names, /file/name or type:table
157 # patterns, separated by commas and/or whitespace. A /file/name
158 # pattern is replaced by its contents; a type:table is matched when
159 # a name matches a lookup key (the right-hand side is ignored).
160 # Continue long lines by starting the next line with whitespace.
161 #
162 # See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS".
163 #
164 #mydestination = $myhostname, localhost.$mydomain, localhost
165 mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
166 #mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
167 #       mail.$mydomain, www.$mydomain, ftp.$mydomain

7. Set the mailbox location. Line 419 holds the home_mailbox parameter, which defines where mail is stored relative to the user's home directory; uncomment the Maildir/ form.

[[email protected] ~]# vim /etc/postfix/main.cf

413 # The home_mailbox parameter specifies the optional pathname of a
414 # mailbox file relative to a user's home directory. The default
415 # mailbox file is /var/spool/mail/user or /var/mail/user.  Specify
416 # "Maildir/" for qmail-style delivery (the / is required).
417 #
418 #home_mailbox = Mailbox
419 home_mailbox = Maildir/
420

8. Finally, create a test mail account admin (with no login shell, since it is only used for mail), then restart postfix and enable it at boot

[[email protected] ~]# useradd -s /sbin/nologin admin
[[email protected] ~]# passwd admin
Changing password for user admin.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
[[email protected] ~]#
[[email protected] ~]# systemctl restart postfix
[[email protected] ~]# systemctl enable postfix
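Added example, my code rather than Postfix's: a reader for main.cf that applies Postfix's line rules and flags the two pitfalls of steps 2 to 7, a trailing "# note" that silently becomes part of the value, and myorigin set on two lines where only the last one counts. The main.cf fragment is constructed in the shape of this section's edits.

```python
"""Added example (not Postfix code): reads main.cf with Postfix's line rules
and flags two easy mistakes from steps 2 to 7.  Rules modelled: a line whose
first non-blank character is '#' is a comment (a simplification); '#' elsewhere
is part of the value; leading whitespace continues the previous value; the
last setting of a parameter wins.
"""

# Constructed fragment in the shape of this section's edits, with a trailing
# note on myhostname and myorigin set on two lines.
MAIN_CF = """\
# INTERNET HOST AND DOMAIN NAMES
myhostname = mail.lyshark.com   # uncommented, server host name
mydomain = lyshark.com
myorigin = $myhostname
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost,
        $mydomain
home_mailbox = Maildir/
"""

def parse_main_cf(text):
    """Return ({parameter: value}, [warnings]) for a main.cf text."""
    params, warnings, last = {}, [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue                                   # blank or comment line
        if line[0].isspace():                          # continuation line
            if last is None:
                warnings.append(f"line {lineno}: continuation before any parameter")
            else:
                params[last] = f"{params[last]} {stripped}".strip()
            continue
        if "=" not in line:
            warnings.append(f"line {lineno}: not a 'name = value' line")
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if "#" in value:
            warnings.append(f"line {lineno}: '#' is part of the value of {name}: {value!r}")
        if name in params:
            warnings.append(f"line {lineno}: {name} set again, the last setting wins")
        params[name], last = value, name
    return params, warnings

if __name__ == "__main__":
    settings, problems = parse_main_cf(MAIN_CF)
    for problem in problems:
        print("WARNING:", problem)
```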

◆Configuring the Dovecot service◆

Dovecot is an open-source service that provides IMAP and POP3 mail service on Linux. It is highly secure, simple to configure and efficient, and it uses very few server resources, which makes it a good mail retrieval server.

1. Install the dovecot package and its dependencies with yum

[[email protected] ~]# yum install -y dovecot dovecot-devel clucene-core
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager .
Package 1:dovecot-2.2.10-8.el7.x86_64 already installed and latest version
Package clucene-core-2.3.3.4-11.el7.x86_64 already installed and latest version
Nothing to do

2. Configure dovecot: at line 24 set the protocols the service speaks to imap, pop3 and lmtp, and below that line add disable_plaintext_auth = no so that users can authenticate in plaintext (the SSL section below adds encryption).

[[email protected] ~]# vim /etc/dovecot/dovecot.conf

 16 # Default values are shown for each setting, it's not required to uncomment
 17 # those. These are exceptions to this though: No sections (e.g. namespace {})
 18 # or plugin settings are added by default, they're listed only as examples.
 19 # Paths are also just examples with the real defaults being based on configure
 20 # options. The paths listed here are for configure --prefix=/usr
 21 # --sysconfdir=/etc --localstatedir=/var
 22
 23 # Protocols we want to be serving.
 24 protocols = imap pop3 lmtp
 25 disable_plaintext_auth = no

3. Trusted networks, at line 48: the post sets login_trusted_networks to the local subnet, and leaves it unchanged if any host may use the server. As the comment above the line explains, this parameter does not restrict who may log in; it lists networks (typically your own IMAP proxies) whose connections may override the client IP and port, and for which disable_plaintext_auth is ignored. If you have no such proxies, leave it unset.

[[email protected] ~]# vim /etc/dovecot/dovecot.conf

 45 # Space separated list of trusted network ranges. Connections from these
 46 # IPs are allowed to override their IP addresses and ports (for logging and
 47 # for authentication checks). disable_plaintext_auth is also ignored for
 48 # these networks. Typically you'd specify your IMAP proxy servers here.
 49 login_trusted_networks = 192.168.1.0/24
 50

4. Set the mailbox location in the sub-configuration file, at line 24; maildir:~/Maildir matches the home_mailbox = Maildir/ setting made in Postfix

[[email protected] ~]# vim /etc/dovecot/conf.d/10-mail.conf

 22 # See doc/wiki/Variables.txt for full list. Some examples:
 23 #
 24 mail_location = maildir:~/Maildir
 25 #   mail_location = mbox:~/mail:INBOX=/var/mail/%u
 26 #   mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n

5. Restart the retrieval server and enable it at boot

[[email protected] ~]# systemctl restart dovecot
[[email protected] ~]# systemctl enable dovecot

◆Enabling SSL encryption in Postfix and Dovecot◆

The mail server configured above transmits everything in plaintext and cannot be used in production as it stands. The following steps enable SSL/TLS on the mail server so that it can be.

1. Generate the SSL key and certificate and copy them to a suitable location; keep the key file readable by root only (chmod 600), as the Dovecot comment in step 2 also advises

# RSA key without a passphrase: an encrypted key cannot be loaded by postfix or dovecot at start-up
openssl genrsa -out server.key 2048
# certificate request; the CN must match the host name clients connect to
openssl req -new -key server.key -subj "/CN=mail.lyshark.com" -out server.csr
# self-signed certificate, valid for 365 days
openssl x509 -req -days 365 -sha256 -in server.csr -signkey server.key -out servernew.crt

[[email protected] ~]# ls
server.csr  server.key  servernew.crt
[[email protected] ~]# cp -a * /etc/pki/CA/certs/
[[email protected] ~]# ls /etc/pki/CA/certs/
server.csr  server.key  servernew.crt

2. Edit the Postfix and Dovecot configuration files to enable the SSL parameters. In main.cf the TLS settings are appended at the end of the file; in master.cf the smtps service (TCP port 465, TLS wrapper mode) is enabled by removing the leading '#' from its service line and the two -o lines below it; in Dovecot's 10-ssl.conf ssl_cert and ssl_key point at the files copied in step 1.

[[email protected] ~]# vim /etc/postfix/main.cf

681 # SSL/TLS for inbound SMTP: append the following lines at the end of the file
682
683 smtpd_use_tls = yes
684 smtpd_tls_cert_file = /etc/pki/CA/certs/servernew.crt
685 smtpd_tls_key_file = /etc/pki/CA/certs/server.key
686 smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache

[[email protected] ~]# vim /etc/postfix/master.cf

    # lines 26-28: remove the leading '#' so the smtps service is enabled
 26 smtps     inet  n       -       n       -       -       smtpd
 27   -o syslog_name=postfix/smtps
 28   -o smtpd_tls_wrappermode=yes
 29 #  -o smtpd_sasl_auth_enable=yes

[[email protected] ~]# vim /etc/dovecot/conf.d/10-ssl.conf

  5 # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
  6 # disable plain pop3 and imap, allowed are only pop3+TLS, pop3s, imap+TLS and imaps
  7 # plain imap and pop3 are still allowed for local connections
  8 ssl = yes
  9
 10 # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
 11 # dropping root privileges, so keep the key file unreadable by anyone but
 12 # root. Included doc/mkcert.sh can be used to easily generate self-signed
 13 # certificate, just make sure to update the domains in dovecot-openssl.cnf
 14 ssl_cert = </etc/pki/CA/certs/servernew.crt
 15 ssl_key = </etc/pki/CA/certs/server.key

Note that ssl = yes only makes TLS available; clients may still log in unencrypted. To refuse unencrypted logins, set ssl = required and set disable_plaintext_auth back to yes in dovecot.conf.

3. Restart Postfix and Dovecot

[[email protected] ~]# systemctl restart postfix
[[email protected] ~]# systemctl restart dovecot

◆Testing connectivity to the mail server◆

Download Foxmail or Outlook and use it to test the server

https://www.foxmail.com/
https://outlook.live.com/owa/