Postfix, but it is only an SMTP server; a complete mail service also needs a POP3/IMAP server. Here I chose Dovecot, because it is fairly new and, more importantly, has many security-related configuration options.
Many client/server protocols have no authentication of their own, or only very weak authentication, so a dedicated component is needed to strengthen user authentication: Cyrus SASL, the Simple Authentication and Security Layer. Many people also use LDAP, but since nothing else on the company network needs LDAP authentication I did not use it here; it will appear in a supplementary document later.
SASL password library <== smtp server <== SASL authentication mechanism ===> smtp client
1. Install the software
[root@zh888 ~]# yum -y install lftp
[root@zh888 ~]# lftpget http://openwebmail.org/openwebmail/download/redhat/rpm/release/openwebmail.repo
[root@zh888 ~]# lftpget http://pkgs.repoforge.org/perl-Text-Iconv/perl-Text-Iconv-1.4-1.2.el5.rf.i386.rpm
[root@zh888 ~]# rpm -ivh perl-Text-Iconv-1.4-1.2.el5.rf.i386.rpm   // both files arrive over plain HTTP from third-party sites; check the package signature with rpm -K (and read the .repo file) before installing
[root@zh888 ~]# cp -rf openwebmail.repo /etc/yum.repos.d
[root@zh888 ~]# yum install postfix dovecot openwebmail cyrus-sasl httpd   // on RHEL/CentOS the PLAIN and LOGIN mechanism plugins live in cyrus-sasl-plain; add it if smtpd does not advertise AUTH later
2. Configuration files
[root@zh888 yum.repos.d]# cat /etc/dovecot/dovecot.conf   // the effective settings below were dumped with: doveconf -n > dovecot-new.conf
# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-71.el6.i686 i686 CentOS Linux release 6.0 (Final)
listen = *
auth_mechanisms = plain
disable_plaintext_auth = no
ssl = no
# NOTE: with ssl = no and disable_plaintext_auth = no the PLAIN mechanism sends passwords
# unencrypted; for anything beyond a LAN test use ssl = required and disable_plaintext_auth = yes
mail_location = maildir:/home/%u
# NOTE: Postfix below delivers mbox files to /var/spool/mail (mail_spool_directory), not to a
# Maildir in the home directory, so clients will see an empty mailbox; to read what Postfix
# delivers use mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u
mbox_write_locks = fcntl
passdb {
  driver = pam
}
# NOTE: PAM checks the system account under exactly the name the client sends; a login of
# zh888@zh888.com is looked up literally and fails unless auth_username_format = %Ln strips the domain
protocols = pop3
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
userdb {
  driver = passwd
}
[root@zh888 ~]# chkconfig dovecot on   // start at boot
[root@zh888 ~]# service dovecot start
[root@zh888 ~]# chkconfig saslauthd on
[root@zh888 ~]# cat /etc/sysconfig/saslauthd
# Directory in which to place saslauthd's listening socket, pid file, and so
# on. This directory must already exist.
SOCKETDIR=/var/run/saslauthd
# Mechanism to use when checking passwords. Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled with the ability to use.
MECH=shadow   // changed from the default pam to shadow: saslauthd runs as root and reads /etc/shadow itself
# Options sent to the saslauthd. If the MECH is other than "pam" uncomment the next line.
# DAEMONOPTS=--user saslauth
# Additional flags to pass to saslauthd on the command line. See saslauthd(8)
# for the list of accepted flags.
FLAGS=
[root@zh888 sysconfig]# cat /usr/lib/sasl2/smtpd.conf   // tells Postfix's smtpd how to verify passwords; if the file does not exist, create it with vi (on x86_64 the directory is /usr/lib64/sasl2); an optional "mech_list: plain login" line limits the advertised mechanisms to the ones saslauthd can actually verify
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
[root@zh888 sysconfig]# service saslauthd restart
Stopping saslauthd: [ OK ]
Starting saslauthd: [ OK ]
[root@zh888 sysconfig]# testsaslauthd -u zh888 -p '123456'   // the test succeeds
0: OK "Success."
Configure Postfix 2.6.6
[root@zh888 sysconfig]# cat /etc/postfix/main.cf
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
myhostname = mail.zh888.com   // change to your own host name
mydomain = zh888.com   // change to your own domain
myorigin = $mydomain
inet_interfaces = all
mydestination = localhost.$mydomain, localhost, $mydomain
unknown_local_recipient_reject_code = 550
mynetworks = 192.168.40.0/24   // change to your own network; every host in this range may relay through the server without authenticating
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.6.6/samples
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
mail_spool_directory = /var/spool/mail
#mailbox_command = /usr/bin/procmail   // with this line active nothing could be delivered, every message stayed deferred (procmail is not installed, see the problems section at the end)
#LOGFILE=/var/log/mail/procmail.log   // a procmailrc variable, not a Postfix parameter; left over from the procmail attempt
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
default_process_limit = 50
default_destination_concurrency_limit = 20
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_application_name = smtpd
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,reject_unauth_destination   // reject_unauth_destination is what keeps the server from being an open relay; never drop it
smtpd_client_restrictions = permit_sasl_authenticated
smtpd_sasl_security_options = noanonymous   // PLAIN/LOGIN are still offered on the unencrypted port 25 here; once a certificate is in place add smtpd_tls_security_level = may and smtpd_tls_auth_only = yes so AUTH is only advertised after STARTTLS
[root@zh888 ~]# service postfix restart   // restart the postfix service
Shutting down postfix: [ OK ]
Starting postfix: [ OK ]
[root@zh888 ~]# chkconfig postfix on   // start postfix at boot
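The Dovecot settings above (disable_plaintext_auth = no, ssl = no) and the Postfix SASL block just above (noanonymous on an smtpd without TLS) both let PLAIN passwords cross the wire unencrypted. The following script is an added example by the editor, not part of the original post: it reads "key = value" text of the kind doveconf -n and postconf -n print, compares a few settings against a small hardening policy, and prints the weak value next to the recommended one. The two weak samples are constructed from the configurations shown on this page; the policy rules, regexes and recommended values are the editor's, and the hardened samples assume a TLS certificate is available at the paths given.

```bash
#!/usr/bin/env bash
# Added example (editor's, not from the original post): compare Dovecot/Postfix
# "key = value" settings against a small hardening policy.
# Policy line format:  key;regex the value must match;recommended value;reason

DOVECOT_POLICY='disable_plaintext_auth;^yes$;yes;PLAIN/LOGIN only after the connection is encrypted
ssl;^required$;required;clients must use TLS (STARTTLS or ports 993/995) before authenticating'

POSTFIX_POLICY='smtpd_sasl_auth_enable;^yes$;yes;needed for permit_sasl_authenticated to mean anything
smtpd_sasl_security_options;noanonymous;noanonymous;never offer the ANONYMOUS mechanism
smtpd_recipient_restrictions;reject_unauth_destination;permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination;without it smtpd is an open relay
smtpd_tls_security_level;^(may|encrypt)$;may;offer STARTTLS so AUTH PLAIN is not sent in clear
smtpd_tls_auth_only;^yes$;yes;advertise AUTH only after STARTTLS'

# Constructed samples: the weak ones mirror the configs shown on this page.
WEAK_DOVECOT='listen = *
auth_mechanisms = plain
disable_plaintext_auth = no
ssl = no
mail_location = maildir:/home/%u
protocols = pop3'

HARD_DOVECOT='listen = *
auth_mechanisms = plain
disable_plaintext_auth = yes
ssl = required
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem'

WEAK_POSTFIX='smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,reject_unauth_destination
smtpd_client_restrictions = permit_sasl_authenticated'

# Hypothetical certificate paths; the rest is the weak config plus the TLS settings.
HARD_POSTFIX="$WEAK_POSTFIX
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.zh888.com.crt
smtpd_tls_key_file = /etc/pki/tls/private/mail.zh888.com.key"

# config_get <config-text> <key>: value of the last "key = value" line for key, or empty.
config_get() {
  printf '%s\n' "$1" | awk -v k="$2" -F' *= *' '$1 == k { v = $2 } END { print v }'
}

# check_policy <config-text> <policy-text>: one OK/FAIL entry per rule; returns the number of failures.
check_policy() {
  local key pat rec why val fails=0
  while IFS=';' read -r key pat rec why; do
    [ -n "$key" ] || continue
    val=$(config_get "$1" "$key")
    if printf '%s\n' "$val" | grep -Eq -- "$pat"; then
      printf 'OK   %s = %s\n' "$key" "$val"
    else
      printf 'FAIL %s = %s\n       -> %s = %s   (%s)\n' "$key" "${val:-<unset>}" "$key" "$rec" "$why"
      fails=$((fails + 1))
    fi
  done <<EOF
$2
EOF
  return "$fails"
}

echo "== Dovecot, as on this page"; check_policy "$WEAK_DOVECOT" "$DOVECOT_POLICY" || echo "   $? setting(s) to fix"
echo "== Dovecot, hardened";        check_policy "$HARD_DOVECOT" "$DOVECOT_POLICY" || echo "   $? setting(s) to fix"
echo "== Postfix, as on this page"; check_policy "$WEAK_POSTFIX" "$POSTFIX_POLICY" || echo "   $? setting(s) to fix"
echo "== Postfix, hardened";        check_policy "$HARD_POSTFIX" "$POSTFIX_POLICY" || echo "   $? setting(s) to fix"
# On the live server:  check_policy "$(doveconf -n)" "$DOVECOT_POLICY";  check_policy "$(postconf -n)" "$POSTFIX_POLICY"
```

The check is deliberately a substring/regex match on the effective value, so it works on the output of doveconf -n and postconf -n rather than on the raw files, which may spread a setting over several conf.d files or leave it at its default.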
Test Postfix and Dovecot
[root@zh888 ~]# netstat -altpn|grep 25
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 32567/master
tcp 0 48 192.168.40.40:22 192.168.40.41:2577 ESTABLISHED 1613/1
[root@zh888 ~]# netstat -altpn|grep 110
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 32286/dovecot
[root@zh888 ~]# netstat -altpn|grep 143
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 32286/dovecot   // 143/993/995 are open too, so IMAP was enabled in the running instance even though the dump above says protocols = pop3; confirm the live settings with doveconf -n after every restart
[root@zh888 ~]# netstat -altpn|grep 993
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 32286/dovecot
[root@zh888 ~]# netstat -altpn|grep 995
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 32286/dovecot
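The netstat checks above only show that the ports are open. The script below is an added example by the editor, not part of the original post, that exercises the two Postfix settings that matter here: it builds the RFC 4616 AUTH PLAIN token (base64 of NUL user NUL password) and, when given a host on the command line, connects to port 25 through bash's /dev/tcp, first trying to relay to a foreign domain without authenticating (reject_unauth_destination should answer 554 Relay access denied) and then authenticating with the token (235 means saslauthd accepted the password). The probe addresses, the default test account and the reply texts the functions look for are assumptions. Run it from a host outside mynetworks: permit_mynetworks comes first in smtpd_recipient_restrictions, so a LAN client is allowed to relay regardless.

```bash
#!/usr/bin/env bash
# Added example (editor's, not from the original post): SMTP AUTH and open-relay probe
# for the Postfix/saslauthd setup described on this page. Requires bash (/dev/tcp) and
# coreutils base64. Target host, user and password are given on the command line.

# sasl_plain_token <user> <password>: base64(NUL user NUL password), RFC 4616 PLAIN.
# User and password are printf arguments, not part of the format, so a password that
# starts with digits (123456) is not mangled by printf's octal escapes.
sasl_plain_token() {
  printf '\000%s\000%s' "$1" "$2" | base64 | tr -d '\n'
}

# smtp_dialogue <host> <port> <cmd>...: send each command, collect the replies (2 s read
# timeout after each), print the whole transcript. Connection via bash's /dev/tcp.
smtp_dialogue() {
  local host=$1 port=$2 cmd line
  shift 2
  exec 3<>"/dev/tcp/$host/$port" || return 1
  while IFS= read -r -t 2 line <&3; do printf '%s\n' "$line"; done   # banner
  for cmd in "$@"; do
    printf '%s\r\n' "$cmd" >&3
    while IFS= read -r -t 2 line <&3; do printf '%s\n' "$line"; done
  done
  exec 3>&-
}

# relay_denied <transcript>: true when a 5xx reply mentioning relay was seen
# (Postfix: "554 5.7.1 <rcpt>: Relay access denied" from reject_unauth_destination).
relay_denied() {
  printf '%s\n' "$1" | grep -Eq '^5[0-9]{2}[ -].*[Rr]elay'
}

# auth_succeeded <transcript>: true on "235 2.7.0 Authentication successful".
auth_succeeded() {
  printf '%s\n' "$1" | grep -q '^235[ -]'
}

if [ $# -ge 1 ]; then
  host=$1 user=${2:-zh888} pass=${3:-123456}           # hypothetical test account
  echo "--- relay attempt without AUTH (expect 554)"
  t=$(smtp_dialogue "$host" 25 "EHLO probe.example" "MAIL FROM:<probe@example.net>" \
                              "RCPT TO:<someone@example.org>" "QUIT")
  printf '%s\n' "$t"
  if relay_denied "$t"; then echo "RESULT: relay denied (reject_unauth_destination works)"
  else echo "RESULT: relay NOT denied - check smtpd_recipient_restrictions / mynetworks"; fi
  echo "--- AUTH PLAIN as $user (expect 235)"
  t=$(smtp_dialogue "$host" 25 "EHLO probe.example" "AUTH PLAIN $(sasl_plain_token "$user" "$pass")" "QUIT")
  printf '%s\n' "$t"
  if auth_succeeded "$t"; then echo "RESULT: authentication accepted by saslauthd"
  else echo "RESULT: authentication rejected - see /var/log/maillog and testsaslauthd"; fi
fi
```

Usage: bash smtp_probe.sh mail.zh888.com zh888 '123456'. Everything the script sends, the password included, crosses the network in clear, which is exactly the point of the TLS settings discussed above; with smtpd_tls_auth_only = yes the AUTH step would have to be preceded by STARTTLS, e.g. through openssl s_client -starttls smtp.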
Finally, configure OpenWebMail
vi /var/www/cgi-bin/openwebmail/etc/openwebmail.conf
# in cgi-bin/openwebmail/etc/defaults/openwebmail.conf
domainnames zh888.com
default_language zh_CN.GB2312
default_timeoffset +0800
default_iconset Cool3D.Chinese.Simplified
auth_module auth_unix.pl
mailspooldir /var/spool/mail
ow_cgidir /var/www/cgi-bin/openwebmail
ow_cgiurl /cgi-bin/openwebmail
ow_htmldir /var/www/data/openwebmail
ow_htmlurl /data/openwebmail
logfile /var/log/openwebmail.log
cat /var/www/cgi-bin/openwebmail/etc/defaults/openwebmail.conf
# host dependent configuration
##############################################################################
domainnames zh888
smtpserver 192.168.40.40
authpop3_server 192.168.40.40
smtpport 25
smtpauth no
virtusertable /etc/mail/virtusertable
auth_module auth_unix.pl
auth_withdomain no
auth_domain auto
quota_module none
[root@zh888 ~]# cd /var/www/cgi-bin/openwebmail/   // change to the openwebmail directory
[root@zh888 openwebmail]# ./openwebmail-tool.pl --init   // initialise openwebmail
Send the site report?(Y/n) Y
sending report...
Thank you.
Because it was installed from RPM, the ScriptAlias configuration has already been added automatically; remember to restart httpd after installing openwebmail.
Browse to http://mail.zh888.com/webmail. On my XP machine that is http://192.168.40.40/webmail
Log in directly with a system account. Note that this is plain HTTP: the system account password and the session travel in clear, so put the virtual host behind mod_ssl (HTTPS) for anything beyond a lab.
Finally, configure the BIND name service
[root@zh888 dovecot]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
        listen-on port 53 { any; };         // listen on every interface
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { 0.0.0.0/0; };         // answer queries from any IP
        recursion yes;
        forward only;
        forwarders { 202.101.172.35; };     // forward everything to the upstream resolver
        // NOTE: recursion yes together with allow-query any on a server that listens on every
        // interface makes this an open resolver (usable for cache poisoning and DNS amplification),
        // because allow-recursion defaults to the allow-query list. Restrict it to the LAN, e.g.
        // allow-recursion { 127.0.0.1; 192.168.40.0/24; }; and leave allow-query open only for the
        // authoritative zh888.com zone.
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.rfc1912.zones";
[root@zh888 dovecot]# cat /etc/named.rfc1912.zones   // look at the zone definitions
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};
zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};
zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
};
zone "zh888.com" IN {                    // our forward zone; its records go in the file /var/named/zh888.com
        type master;
        file "zh888.com";
        allow-update { none; };
};
[root@zh888 dovecot]# cat /var/named/zh888.com   // the forward zone file, with the following contents:
$TTL 1D
@       IN SOA  zh888.com. root.zh888.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       127.0.0.1
        AAAA    ::1
www     IN A    192.168.40.40
mail    IN A    192.168.40.40        // A record for the mail host
@       IN MX   10 mail.zh888.com.   // mail exchanger for the zone. Two fixes to the original line "mail IN MX 10 mail.zh888.com": the MX belongs at the apex (@) so that user@zh888.com has an exchanger, and the target needs the trailing dot, otherwise BIND treats it as relative and expands it to mail.zh888.com.zh888.com
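Two mistakes in zone files of this shape are easy to make: a target such as mail.zh888.com without the trailing dot is relative to the origin and becomes mail.zh888.com.zh888.com, and an MX placed under mail instead of at the apex leaves user@zh888.com without an exchanger, so remote senders fall back to the apex A record (127.0.0.1 here) or bounce. The linter below is an added example by the editor, not part of the original post; the two zone texts inside it are constructed, one reproducing the zone as it was originally written and one the corrected version, and the helper at the end additionally hands a real file to named-checkzone when the BIND utilities are installed.

```bash
#!/usr/bin/env bash
# Added example (editor's, not from the original post): lint a BIND zone file for
# relative MX/NS/CNAME targets and a missing apex MX, then run named-checkzone if present.

# Constructed sample: the zh888.com zone as originally written (MX under "mail", no trailing dot).
ZONE_ORIGINAL='$TTL 1D
@       IN SOA  zh888.com. root.zh888.com. (
                    0       ; serial
                    1D      ; refresh
                    1H      ; retry
                    1W      ; expire
                    3H )    ; minimum
        NS      @
        A       127.0.0.1
        AAAA    ::1
www     IN A    192.168.40.40
mail    IN A    192.168.40.40
mail    IN MX   10 mail.zh888.com'

# Constructed sample: the corrected zone (MX at the apex, absolute target).
ZONE_FIXED='$TTL 1D
@       IN SOA  zh888.com. root.zh888.com. (
                    0       ; serial
                    1D      ; refresh
                    1H      ; retry
                    1W      ; expire
                    3H )    ; minimum
        NS      @
        A       127.0.0.1
        AAAA    ::1
www     IN A    192.168.40.40
mail    IN A    192.168.40.40
@       IN MX   10 mail.zh888.com.'

# zone_lint <zone-text> <origin>: prints one WARN line per finding, nothing when clean.
zone_lint() {
  printf '%s\n' "$1" | awk -v origin="$2" '
    {
      line = $0; sub(/;.*/, "", line)                 # strip ; comments
      indented = (line ~ /^[ \t]/)                    # owner omitted -> reuse the previous one
      gsub(/^[ \t]+|[ \t]+$/, "", line)
      if (line == "" || line ~ /^\$/) next            # blank lines and $TTL/$ORIGIN directives
      n = split(line, f, /[ \t]+/)
      if (!indented) owner = f[1]
      type = ""
      for (i = 1; i <= n; i++) if (f[i] == "MX" || f[i] == "NS" || f[i] == "CNAME") type = f[i]
      if (type == "") next
      target = f[n]
      if (type == "MX" && (owner == "@" || owner == origin || owner == (origin "."))) apex_mx = 1
      if (target != "@" && target ~ /\./ && target !~ /\.$/)
        printf "WARN line %d: %s target \"%s\" has no trailing dot; named reads it as %s.%s.\n", NR, type, target, target, origin
    }
    END {
      if (!apex_mx) printf "WARN: no MX at the zone apex (@); mail for user@%s has no exchanger\n", origin
    }'
}

# check_zone_file <origin> <file>: lint, plus named-checkzone when the BIND utilities are installed.
check_zone_file() {
  zone_lint "$(cat "$2")" "$1"
  if command -v named-checkzone >/dev/null 2>&1; then named-checkzone "$1" "$2"; fi
}

echo "== original /var/named/zh888.com"; zone_lint "$ZONE_ORIGINAL" zh888.com
echo "== corrected";                     zone_lint "$ZONE_FIXED" zh888.com
# On the server:  check_zone_file zh888.com /var/named/zh888.com
```

named-checkzone accepts both versions, since a relative MX target is syntactically valid; only a query (dig MX zh888.com @127.0.0.1) or a lint like this one shows that the exchanger ends up being mail.zh888.com.zh888.com.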
[root@zh888 openwebmail]# tail -F /var/log/maillog   // watch the mail log
Apr 2 00:01:11 zh888 postfix/smtpd[32742]: disconnect from zh888.com[192.168.40.40]
Apr 2 00:01:11 zh888 postfix/local[32746]: 09B69808DD: to=<zh888@zh888.com>, relay=local, delay=0.09, delays=0.06/0.01/0/0.02, dsn=2.0.0, status=sent (delivered to mailbox)
Apr 2 00:01:11 zh888 postfix/qmgr[32570]: 09B69808DD: removed
Apr 2 00:13:49 zh888 postfix/smtpd[32767]: connect from zh888.com[192.168.40.40]
Apr 2 00:13:49 zh888 postfix/smtpd[32767]: 52DA9808DD: client=zh888.com[192.168.40.40]
Apr 2 00:13:49 zh888 postfix/cleanup[303]: 52DA9808DD: message-id=<20120401161336.M87645@zh888.com>
Apr 2 00:13:49 zh888 postfix/qmgr[32570]: 52DA9808DD: from=<foxmail@zh888.com>, size=762, nrcpt=1 (queue active)
Apr 2 00:13:49 zh888 postfix/smtpd[32767]: disconnect from zh888.com[192.168.40.40]
Apr 2 00:13:49 zh888 postfix/local[304]: 52DA9808DD: to=<zh888@zh888.com>, relay=local, delay=0.09, delays=0.06/0.01/0/0.02, dsn=2.0.0, status=sent (delivered to mailbox)
Apr 2 00:13:49 zh888 postfix/qmgr[32570]: 52DA9808DD: removed
Problems encountered
zh888 postfix/local[2393]: E7D5281967: to=<test@zh888.com>, relay=local, delay=0.11, delays=0.02/0.05/0/0.04, dsn=4.3.0, status=deferred (temporary failure. Command output: local: fatal: execvp /usr/bin/procmail: No such file or directory )
procmail is not installed, so /usr/bin/procmail does not exist; either install procmail or, as done in main.cf above, remove mailbox_command and let Postfix deliver to /var/spool/mail itself.
Apr 2 00:15:53 zh888 dovecot: pop3-login: Disconnected (tried to use disabled plaintext auth): rip=192.168.40.41, lip=192.168.40.40
Worked around by adding disable_plaintext_auth = no to dovecot.conf. That removes a protection rather than fixing the cause: the client was sending its password over the unencrypted port 110. The better fix is to keep disable_plaintext_auth = yes and point the client at POP3S/IMAPS (995/993) or STARTTLS, with ssl = yes or ssl = required on the server.
Apr 5 22:21:49 zh888 dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<zh888@zh888.com>, method=PLAIN, rip=192.168.40.41, lip=192.168.40.40
Apr 5 22:21:49 zh888 dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<zh888@zh888.com>, method=PLAIN, rip=192.168.40.41, lip=192.168.40.40
Apr 5 22:21:49 zh888 dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<zh888@zh888.com>, method=PLAIN, rip=192.168.40.41, lip=192.168.40.40
Testing with Foxmail works, but when receiving, although it reports completion, nothing is actually downloaded, and I don't know why. But why does it disconnect with an auth error? Where exactly is the problem: can Foxmail simply not be used here, or did I get something wrong in dovecot.conf? I hope readers will offer their valuable advice. I also searched the Internet; some say this problem appears when installing from RPM packages and does not occur when compiling from the tar.gz, but that is not certain either.
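The imap-login lines above are also what a password-guessing run against Dovecot looks like, only with many more of them, and since this server accepts PLAIN without TLS from the whole LAN, the log is the only place such an attempt shows up. The following is an added example by the editor, not part of the original post: it aggregates the "auth failed" disconnects per remote IP (the rip= field) from Dovecot log lines of exactly the form shown, counting the N in "N attempts", and lists the sources at or above a threshold. The log lines embedded in the script are constructed for the example; on the server the same functions take the output of grep dovecot /var/log/maillog.

```bash
#!/usr/bin/env bash
# Added example (editor's, not from the original post): count Dovecot authentication
# failures per remote IP and flag sources at or above a threshold.

# Constructed sample in the format Dovecot 2.0 writes to /var/log/maillog. The last line is
# a Postfix SASL failure and is deliberately not counted: Postfix logs those differently.
SAMPLE_LOG='Apr  5 22:21:49 zh888 dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<zh888@zh888.com>, method=PLAIN, rip=192.168.40.41, lip=192.168.40.40
Apr  5 22:21:51 zh888 dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<zh888@zh888.com>, method=PLAIN, rip=192.168.40.41, lip=192.168.40.40
Apr  5 22:22:03 zh888 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<admin>, method=PLAIN, rip=192.168.40.41, lip=192.168.40.40
Apr  5 22:22:10 zh888 dovecot: imap-login: Login: user=<zh888>, method=PLAIN, rip=192.168.40.42, lip=192.168.40.40
Apr  5 22:23:00 zh888 dovecot: pop3-login: Disconnected (tried to use disabled plaintext auth): rip=192.168.40.43, lip=192.168.40.40
Apr  5 22:23:05 zh888 dovecot: imap-login: Disconnected (auth failed, 2 attempts): user=<root>, method=PLAIN, rip=10.0.0.9, lip=192.168.40.40
Apr  5 22:23:07 zh888 postfix/smtpd[401]: warning: unknown[10.0.0.9]: SASL PLAIN authentication failed'

# failed_auth_by_ip <log-text>: "<rip> <failures>" per source, most failures first.
# "auth failed, N attempts" counts as N: Dovecot logs once per connection, at disconnect,
# with the number of passwords tried on that connection.
failed_auth_by_ip() {
  printf '%s\n' "$1" | awk '
    /dovecot: (imap|pop3)-login: Disconnected \(auth failed/ {
      n = 1
      if (match($0, /auth failed, [0-9]+ attempts/)) { split(substr($0, RSTART, RLENGTH), f, " "); n = f[3] }
      if (match($0, /rip=[0-9.]+/)) { ip = substr($0, RSTART + 4, RLENGTH - 4); fails[ip] += n }
    }
    END { for (ip in fails) printf "%s %d\n", ip, fails[ip] }' | sort -k2,2nr -k1,1
}

# suspicious_ips <log-text> <threshold>: sources with at least <threshold> failures.
suspicious_ips() {
  failed_auth_by_ip "$1" | awk -v t="$2" '$2 >= t { print $1 }'
}

echo "failures per source:";             failed_auth_by_ip "$SAMPLE_LOG"
echo "sources with 3 or more failures:"; suspicious_ips "$SAMPLE_LOG" 3
# On the server:  suspicious_ips "$(grep dovecot /var/log/maillog)" 10
```

The output of suspicious_ips is a plain list of addresses, which is the shape an iptables rule or a fail2ban-style action wants; the threshold belongs to the environment, since a single misconfigured client (the zh888@zh888.com login above) produces a handful of failures from one LAN address while a guessing run produces hundreds.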
SASL authentication failures usually come down to one of the following:
Permissions: this matters most when authenticating against system accounts. If Postfix's smtpd verifies passwords in-process (pwcheck_method: auxprop with a shadow-based lookup), the postfix user needs read access to /etc/shadow, which means adding it to the root group and making the file group-readable; that is dangerous, and this way of authenticating system users is not recommended. With pwcheck_method: saslauthd, as configured on this page, the password check is done by saslauthd (running as root) over the /var/run/saslauthd/mux socket, so Postfix needs no access to /etc/shadow, only to the socket. If saslauthd uses PAM (MECH=pam, with pam_mysql, pam_ldap and the like), the PAM service file /etc/pam.d/smtp must exist and be readable, otherwise authentication fails in just the same way.
Configuration: with pam_ldap or pam_mysql, make sure the contents of /usr/lib/sasl/smtpd.conf or /usr/lib/sasl2/smtpd.conf are right. For Cyrus SASL 2 that is pwcheck_method: saslauthd with saslauthd started as MECH=pam; pwcheck_method: pam is a SASL 1.x setting that SASL 2 does not understand. /etc/ldap.conf (pam_ldap) and the pam_mysql configuration file must also have the right permissions and correct contents, or authentication fails as well.
Linking: Postfix was linked against the wrong SASL library when it was built. This is most visible with Cyrus SASL 2.x: the cyrus-sasl 2.0.x packages of some Linux distributions are really a bundle of 1.5.x and 2.0.x, so if Postfix was linked against SASL 1.x while smtpd.conf lives under /usr/lib/sasl2, authentication can never succeed. ldd /usr/libexec/postfix/smtpd | grep sasl shows which library the daemon actually loads.
rndc problem with BIND on CentOS 6: the /etc/rndc.key file cannot be found? My system is CentOS 6 and bind was installed from RPM. I generated /etc/rndc.key with rndc-confgen -a, then wrote rndc-confgen > /etc/rndc.conf, appended the end of rndc.conf to named.conf with tail -13 /etc/rndc.conf >> /etc/named.conf, removed the relevant comment markers in named.conf, and named-checkconf reported no problems.
This article is reposted from zh888's 51CTO blog, original link: http://blog.51cto.com/zh888/826715; to repost it, please contact the original author.