若系統已有sendmail請移除掉再進行以下安裝
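# Stop the running sendmail daemon through its SysV init script ...
/etc/rc.d/init.d/sendmail stop
# ... or, if the init script is not usable, signal the daemon by PID.
# Send the default TERM signal so sendmail can shut down cleanly (release
# queue locks, remove its pid file); fall back to `kill -9` only if it
# ignores TERM, because KILL gives it no chance to clean up.
kill "$(cat /var/run/sendmail.pid)"
# Remove the package so it cannot be started again at boot and Postfix,
# installed below, becomes the only MTA on the host.
yum remove sendmail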
1.安裝postfix、dovecot及system-switch-mail
# Install the three packages in one transaction:
#   postfix            - the MTA that replaces sendmail
#   dovecot            - POP3/IMAP server (the MRA configured later)
#   system-switch-mail - tool to switch the system's default MTA to Postfix
yum install \
  postfix \
  dovecot \
  system-switch-mail
2.設定system-switch-mail
# Interactive tool: pick "Postfix" and confirm with OK so the system's
# sendmail-compatible commands are pointed at Postfix (the default MTA).
system-switch-mail
選擇Postfix之後按OK
會出現「已設定成功」。(之後系統預設的 MTA 即為 Postfix。)
3.設定Postfix
設定 postfix 可接收外部連線
vi /etc/postfix/main.cf   (編輯 postfix 設定檔)

# 設定 postfix 的監聽介面:在最後加上這行
inet_interfaces = all
# 並把原本的這行前面加上 # 號註解掉
#inet_interfaces = localhost

# 設定 postfix 的監聽 IP 協定
inet_protocols = ipv4

# 設定本機收信域名
mydomain = xxxxx.com
# 設定本機 host
myhostname = mail.xxxxx.com
# 設定『能夠收信的主機名稱』
mydestination = $myhostname, $mydomain, localhost

# 規定信任的用戶端:加入自己的內部網段及外部 IP。
# 注意:一旦明確設定了 mynetworks,下面的 mynetworks_style 就會被 Postfix 忽略;
# 而且列在 mynetworks 裡的位址「不需要帳號密碼」就能透過本機轉信(relay),
# 所以只能放真正受信任的網段;若內網有不受控的主機,請縮小範圖或只列出需要寄信的主機。
mynetworks_style = host
mynetworks = 192.168.1.0/24, 59.126.xx.xx/32

# 設定郵件別名
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

service postfix restart   (重新啟動 postfix 服務)

inet_interfaces = all 會讓 25 port 對所有介面開放,請確認防火牆只放行需要的來源,並在完成下方的 SASL/TLS 設定之後再對外提供服務。
沒加mydestination會發生只能寄到mail.xxxxx.com,寄xxxxx.com會收不到。
查看啟動
[root@localhost ~]# /etc/init.d/postfix restart
[root@localhost ~]# netstat -tlunp | grep ':25'
Proto Recv-Q Send-Q Local Address   Foreign Address  State   PID/Program name
tcp   0      0      0.0.0.0:25      0.0.0.0:*        LISTEN  13697/master
(0.0.0.0:25 表示 Postfix 已在所有介面上監聽 25 port。)
設定postfix saslauthd服務 SMTP 身份驗證
[root@localhost ~]# saslauthd -v
(先瞭解你的 saslauthd 有支援哪些密碼管理機制)
saslauthd 2.1.23
authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap
(pam 即可,也能使用 shadow)
[root@localhost ~]# vim /etc/sysconfig/saslauthd
(saslauthd 設定檔中,選定 pam 的驗證機制)
MECH=pam
[root@localhost ~]# /etc/init.d/saslauthd start
[root@localhost ~]# chkconfig saslauthd on
[root@localhost ~]# vim /etc/sasl2/smtpd.conf
log_level: 3                <== 登錄檔資訊等級的設定,設定 3 即可
pwcheck_method: saslauthd   <== 選擇什麼服務來負責密碼的比對
mech_list: plain login      <== 支援的機制。注意:PLAIN 與 LOGIN 都是把帳號密碼以明碼(僅 base64 編碼)送出,
                                 一定要搭配下一步的 STARTTLS 設定,否則帳號密碼會在網路上被竊聽。
vi /etc/postfix/main.cf

# 在本檔案最後面增加這些與 SASL 有關的設定資料:
smtpd_sasl_auth_enable = yes
# 未加密的連線上不提供匿名與明碼(PLAIN/LOGIN)認證,只有在 STARTTLS 之後才允許明碼機制,
# 避免帳號密碼在網路上被竊聽
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
broken_sasl_auth_clients = yes

# 啟用 STARTTLS,並要求必須先加密才能 AUTH(憑證路徑請換成自己的;
# 沒有正式憑證時,先用自簽憑證也比完全不加密好)
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.xxxxx.com.crt
smtpd_tls_key_file = /etc/pki/tls/private/mail.xxxxx.com.key

# 然後找到跟 relay 有關的設定項目,增加一段允許 SMTP 認證的字樣:
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client cblless.anti-spam.org.cn,
    reject_rbl_client sbl-xbl.spamhaus.org,
    check_policy_service unix:/var/spool/postfix/postgrey/socket

重點在順序!permit_mynetworks / permit_sasl_authenticated 必須放在 reject_unauth_destination 之前,內網與已認證的使用者才能對外轉信;
而 reject_unauth_destination 必須在其他任何 permit 之前,伺服器才不會變成 open relay。
注意 main.cf 不支援行尾註解,註解請另起一行,否則會被當成設定值的一部分。
check_policy_service 這行需要先安裝並啟動 postgrey;本文並未安裝 postgrey,socket 不存在時 Postfix 會以 451 暫時拒收所有信件,不需要灰名單請把這行拿掉。
使用 DNSBL 前請確認清單仍在運作、且可從本機正常查詢:已停用的清單可能對所有查詢都回答「有列入」而拒收全部信件;
部分清單(例如 Spamhaus)對經由公用 DNS(如 8.8.8.8)來的查詢會回傳錯誤碼,建議本機跑一個遞迴 DNS 解析器,並考慮用 reject_rbl_client 網域=回應碼 的寫法限定回應碼。
對外提供使用者寄信時,建議在 master.cf 另外開 submission(587)服務並在該服務強制 TLS 與 AUTH,而不是在 25 port 上讓使用者認證。

/etc/init.d/postfix restart   (重啟 postfix 服務)
chkconfig saslauthd on        (設定開機啟動)
service saslauthd restart     (啟動 saslauthd)
測試連線
[root@mail2 postfix]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.kokinternational.com ESMTP Postfix
ehlo localhost
250-mail.kokinternational.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN DIGEST-MD5 CRAM-MD5 LOGIN
250-AUTH=PLAIN DIGEST-MD5 CRAM-MD5 LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
(注意這段輸出裡沒有 250-STARTTLS,卻直接在未加密連線上就提供了 AUTH,代表帳號密碼會以明文送出;
完成上面的 TLS 設定後,未加密連線應只看到 STARTTLS,AUTH 要等 STARTTLS 之後才會出現。
另外這裡仍有 250-VRFY,後面補充說明的 disable_vrfy_command = yes 設好之後就不會再出現。)
quit
設定MRA伺服器 (POP3/IMAP服務)
yum install dovecot
vim /etc/dovecot/dovecot.conf
#protocols = imap imaps pop3 pop3s   → 將 # 拿掉並存檔。
(Dovecot 2.x 的寫法只需 protocols = imap pop3,imaps/pop3s 改由 10-master.conf 的 listener 控制,見後面的排除說明。)
vim /etc/dovecot/conf.d/10-ssl.conf
#ssl = no --> ssl = no
/etc/init.d/dovecot start   # 啟動 dovecot
chkconfig dovecot on        # 設定開機執行
service dovecot start       # 啟動 dovecot(與上一個 start 等效,只需執行一次)
[root@localhost ~]# netstat -tlnp | grep dovecot
Proto Recv-Q Send-Q Local Address  Foreign Address  State   PID/Program name
tcp   0      0      :::110         :::*             LISTEN  14343/dovecot
tcp   0      0      :::143         :::*             LISTEN  14343/dovecot
注意:此時 ssl = no,110/143 都是明碼連線,帳號密碼與信件內容都會以明文在網路上傳送;這只適合內部測試,對外服務前請先完成下一節的加密設定。
加密pop3/imaps設定
[root@localhost ~]# vim /etc/dovecot/conf.d/10-auth.conf
#disable_plaintext_auth = yes --> disable_plaintext_auth = yes
(未加密的連線上不允許明碼認證)
[root@localhost ~]# vim /etc/dovecot/conf.d/10-ssl.conf
#ssl = yes --> ssl = required
(ssl = required 表示用戶端必須先完成 SSL/TLS 才能登入,即使走 143/110 也要先 STARTTLS。
 套件預設使用安裝時產生的自簽憑證,請另以 ssl_cert = </path/to/cert.pem、ssl_key = </path/to/key.pem 指定正式憑證,
 否則用戶端會看到憑證警告,使用者也無從分辨是否遭到中間人攻擊。)
[root@localhost ~]# vim /etc/dovecot/conf.d/10-master.conf
service imap-login {
  inet_listener imap {
    #port = 143 --> port = 0      (port = 0 即關閉明碼 143 port)
  }
  inet_listener imaps {
    #port = 993
    #ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    #port = 110 --> port = 0      (關閉明碼 110 port)
  }
  inet_listener pop3s {
    #port = 995
    #ssl = yes
  }
}
[root@localhost ~]# vim /etc/dovecot/conf.d/10-mail.conf
#mail_location = --> mail_location = mbox:~/mail:INBOX=/var/mail/%u
[root@localhost ~]# /etc/init.d/dovecot restart
dovecot 設定檔異常排除
protocols = imap pop3
(單純啟用 IMAP POP3)
vim /etc/dovecot/conf.d/10-auth.conf
disable_plaintext_auth = no —> 允許在未加密連線上使用明碼認證
(maillog 出現 pop3-login: Disconnected (tried to use disabled plaintext auth) 的原因,是用戶端在未加密的連線上送出帳號密碩。
注意:把 disable_plaintext_auth 改成 no 只是把前一節的保護關掉,帳號密碼會以明文在網路上傳送;正確的解法是讓用戶端改用 SSL/TLS(993/995,或在 143/110 上 STARTTLS)。
Dovecot 預設把來自本機(localhost)的連線視為安全,本機測試並不需要改這個設定;只有在純內網測試且清楚風險時才暫時設為 no。)
mail_location = mbox:~/mail:INBOX=/var/mail/%u
(maillog出現:Initialization failed: mail_location not set and autodetection failed: Mail storage)
建立使用者要使用-m建立家目錄不然無法登入iamp
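# Create the test mailbox user. -m creates the home directory; Dovecot needs it
# for ~/mail (see mail_location), otherwise the IMAP/POP3 login fails.
# -s /sbin/nologin keeps the account mail-only: it only ever authenticates via
# PAM for POP3/IMAP/SMTP AUTH, so it should not get an interactive shell
# (least privilege). Confirm on your system that PAM does not reject accounts
# with a nologin shell before applying this to real users.
useradd -m -s /sbin/nologin test
# Pre-create the user's mbox spool file, using absolute paths so the commands
# do not depend on the current directory. Owner-only (0600) because the file
# holds the user's mail; keeping owner and group equal to the user avoids the
# group-mismatch chown error Dovecot logs for /var/mail/<user> (see below).
touch /var/mail/test
chown test:test /var/mail/test
chmod 600 /var/mail/test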
錯誤log
May 11 10:58:54 dns dovecot: pop3(ben): Error: chown(/home/ben/mail/.imap/INBOX, -1, 12(mail)) failed: Operation not permitted (egid=500(ben), group based on /var/mail/ben)
May 11 10:58:54 dns dovecot: pop3(ben): Error: mkdir(/home/ben/mail/.imap/INBOX) failed: Operation not permitted
解決方式
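# Pre-create the Dovecot index directory in the home-directory skeleton so
# every *future* `useradd -m` gets ~/mail/.imap/INBOX and the mkdir error above
# does not recur. Existing users are not touched: create the directory in their
# homes by hand and chown it to them. The chown() error in the log appears to
# come from /var/mail/<user> having a different group (mail) than the user;
# the skeleton does not change that, so also check the spool file's ownership.
mkdir -p /etc/skel/mail/.imap/INBOX
# Mail index data is private to the user; useradd copies the skeleton's modes,
# so do not leave the directory group/world-readable.
chmod 700 /etc/skel/mail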
利用家目錄範本(/etc/skel)解決,以後用 useradd -m 新增的使用者就會自動帶有這個目錄;已存在的使用者不受影響,需手動在其家目錄建立 mail/.imap/INBOX 並 chown 給該使用者。另外,log 中的 chown 錯誤通常是因為 /var/mail/<user> 的群組(mail)與使用者的主要群組不同,Dovecot 想把索引目錄改成相同群組而失敗;若 INBOX 檔案是 user:user、權限 600(如上面的 chown/chmod),一般不會發生。
查詢信件問題可以用tcpdump來檢查問題
[root@bk-mail postfix]# tcpdump | grep 61.220.15.209
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:47:50.106209 IP google-public-dns-a.google.com.domain > 192.168.1.20.41450: 24712 1/0/0 A 61.220.15.209 (59)
15:48:15.394267 IP google-public-dns-a.google.com.domain > 192.168.1.20.33003: 33594 1/0/0 A 61.220.15.209 (59)
^C
995 packets captured
996 packets received by filter
0 packets dropped by kernel
(grep 的「.」是正規表示式的任意字元,比對 IP 時請用 grep -F 或把點跳脫;若只想看與某主機之間的封包,直接用 tcpdump -n host 61.220.15.209 過濾即可。
這段輸出抓到的只是 DNS 回應,代表本機的名稱解析是送到 Google 公用 DNS;若有使用 DNSBL,請改用本機遞迴解析器,部分 DNSBL 不接受經由公用解析器的查詢。)
或是tail來觀察mail流量
[root@bk-mail etc]# tail -f /var/log/maillog Mar 23 15:58:08 localhost postfix/smtp[16238]: 5036D2E0DEA: to=<[email protected]>, relay=mx1.mail.tw.yahoo.com[203.188.197.119]:25, delay=464, delays=462/0.12/1.7/0.14, dsn=4.0.0, status=deferred (host mx1.mail.tw.yahoo.com[203.188.197.119] said: 451 Message temporarily deferred - [160] (in reply to end of DATA command))
postfix設定檔補充說明 /etc/postfix/main.cf
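# ---------------------------------------------------------------------------
# /etc/postfix/main.cf - additional limits and hardening
# NOTE: Postfix does not allow a comment after a value on the same line; every
# comment below is on its own line. Keep it that way when copying.
# ---------------------------------------------------------------------------

# Password-guessing / probing defence: after 10 errors in one session every
# response is delayed 1s; after 20 errors the client is disconnected.
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20

# Per-message size limit (~20 MB) and per-mailbox size limit (~400 MB), bytes.
message_size_limit = 20480000
mailbox_size_limit = 400000000

# At most 10 recipients per message delivery request. Extra recipients are
# refused with a temporary 452, so clients must split larger messages; raise
# this if local users regularly send to bigger lists.
smtpd_recipient_limit = 10

# Max concurrent processes per Postfix service, to bound memory use.
# 5 is very low for an Internet-facing MTA and also throttles outbound
# delivery; tune it to the host instead of copying blindly.
default_process_limit = 5

# Disable VRFY so remote clients cannot probe which mailboxes exist.
disable_vrfy_command = yes

# Require HELO/EHLO so clients cannot skip the helo restrictions.
smtpd_helo_required = yes

# Recipient-time restrictions. The list is evaluated top to bottom and the
# first matching permit/reject wins, so the ORDER is the policy:
#   * permit_mynetworks and permit_sasl_authenticated come first; otherwise
#     the LAN and authenticated users cannot relay outbound mail (this matches
#     the SASL section earlier in this document);
#   * reject_unauth_destination follows immediately, before any other permit,
#     so the server never becomes an open relay for anyone else.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_invalid_hostname,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client dnsbl.njabl.org,
    reject_rbl_client xbl.spamhaus.org
# reject_unauth_destination : recipient domain is not one this server accepts
#   or relays for ($mydestination, $relay_domains, ...).
# reject_non_fqdn_sender / reject_non_fqdn_recipient : address has no FQDN.
# reject_unknown_sender_domain / reject_unknown_recipient_domain : the address
#   domain has no DNS A or MX record.
# reject_invalid_hostname : the HELO/EHLO hostname is malformed. It checks the
#   HELO name, not the sender/recipient addresses; Postfix 2.3+ calls it
#   reject_invalid_helo_hostname.
# reject_rbl_client : DNS blocklists. Before enabling a list, confirm it is
#   still operating and reachable from this host: a decommissioned list may
#   answer "listed" for every query and reject all inbound mail, and some
#   operators (e.g. Spamhaus) return error codes to queries made through public
#   resolvers such as 8.8.8.8. Use a local recursive resolver and consider the
#   `reject_rbl_client domain=d.d.d.d` form to accept only real listing codes.
#   The obsolete maps_rbl_domains / reject_maps_rbl mechanism (which used to
#   list relays.ordb.org and opm.blitzed.org) is intentionally left out: both
#   lists were shut down years ago, and ORDB reportedly began listing every
#   address after it closed, blocking all mail for sites still querying it.

# DATA-time restrictions (only valid in smtpd_data_restrictions or
# smtpd_end_of_data_restrictions).
# reject_unauth_pipelining : reject clients that send SMTP commands ahead of
#   time where pipelining is not allowed - typical of bulk-mail software that
#   abuses pipelining to speed up delivery.
# reject_multi_recipient_bounce : reject mail with a null (bounce) sender that
#   is addressed to more than one recipient; a real bounce has exactly one.
smtpd_data_restrictions =
    reject_unauth_pipelining,
    reject_multi_recipient_bounce

# Domains this host relays for (e.g. as a backup MX).
relay_domains = test.com
# Where mail for specific domains is delivered.
transport_maps = hash:/etc/postfix/transport
# Valid recipients inside the relay domains. Without this the server accepts
# mail for any address in relay_domains and bounces the undeliverable ones
# later, making it a backscatter source.
relay_recipient_maps = hash:/etc/postfix/relay_maps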
另外Postfix 用戶端判別規則檢查順序如下:
smtpd_client_restrictions
smtpd_helo_restrictions
smtpd_sender_restrictions
smtpd_recipient_restrictions
smtpd_data_restrictions
header_checks
body_checks
(預設 smtpd_delay_reject = yes 時,前三項的拒絕會延到 RCPT TO 階段才回覆給用戶端,但評估順序仍如上。
Postfix 2.10 以後另有 smtpd_relay_restrictions,轉信(relay)控制預設由它負責,且在 smtpd_recipient_restrictions 之前評估;使用較新版本時請一併檢查它的內容,避免兩邊規則互相牴觸。)
所有設定更改完必須重啟服務才能生效
# Apply every main.cf/master.cf change made above: a full restart of the
# Postfix service (stops and re-launches the master daemon).
service postfix restart
參考資料
http://befungo.com/?p=107
https://www.dennysu.com/wordpress/2014/08/29/cubietruck-%E9%83%B5%E4%BB%B6%E4%BC%BA%E6%9C%8D%E5%99%A8postfix%E7%9A%84%E4%B8%80%E4%BA%9B%E9%9B%9C%E9%A0%85%E8%A8%AD%E5%AE%9A/