- 浏览: 114255 次
- 性别:
- 来自: 山东
文章分类
最新评论
-
ly5188:
大虾,例子少了些东西,
javax.mail.Messagin ...
支持邮件群发,多附件发送的javaMail代码 -
DepthJava:
请问楼主,你的就能全部解析?
目前还没找到完全解析的方法,很多 ...
javamail接收邮件的bean,可以正确的解析中文(转)(一)
作者:田逸(sery@163.com) from http://www.51cto.com/art/200710/57530.htm
配置一个postfix邮件系统,远比我先前的想象复杂。这次共配置2个postfix系统,花了不少精力,其间也经历不少麻烦,还好,最后都做成了!在配置过程中,参考了《postfix权威指南》和网上其他人写的文章,但在实际的配置中,完全按照这些文档还是不易顺利完成。现在此行文披露我做这个事情的全部过程,希望对大家的工作有所帮助。
◆运行环境
操作系统是centos 5,其下载地址为www.centos.org,它是redhat as 5最佳的替代品(原因:开源且免费下载);postfix使用的版本是postfix-2.2.10.tar.gz,postfix(www.postfix.org)当前的稳定版本是2.4,由于2.4不支持SASL,所以我选了老一点的版本。其他所需的软件在下表列出:
名称 用途 下载地址
Apache (httpd-2.2.0) Web方式管理邮件 www.apache.org
Php (php-5.2.3) Php 解释器,与apache一起使用 www.php.org
Mysql (mysql-5.0.41) 用数据库存储用户信息 www.mysql.com
Postfixadmin(postfix-2.1.0) 邮件帐号后台web管理工具 http://sourceforge.net/projects/postfixadmin/
SASL(cyrus-sasl-2.1.21.tar.gz) 验证方法 http://ftp.andrew.cmu.edu/pub/cyrus-mail/
Authlib(courier-authlib-0.59.3.tar.bz2) 与SASL一起做验证 http://www.courier-mta.org/download.php
Postfix 邮件系统主程序 http://www.postfix.org
Courier-imap (courier-imap-4.1.3.tar.bz2) Pop3及IMAP服务 http://www.courier-mta.org/
Perl (perl-5.8.8) 解释器 http://www.cpan.org
Maildrop (maildrop-2.0.4.tar.bz2) 邮件投递代理,直观的讲就是把收到的邮件转发到用户的邮箱目录 http://www.courier-mta.org/
Clamav (clamav-0.91.2.tar.gz) 杀毒软件 http://www.clamav.org/
amavisd-new(amavisd-new-2.5.2.tar.gz) 扫描邮件病毒 http://www.ijs.si/software/amavisd
Spamassassin(SpamAssassin 3.2.3) 防垃圾邮件 http://spamassassin.apache.org/
Pcre (pcre-7.2.tar.bz2) 安装Imap需要– Perl兼容正则表达式 http://www.pcre.org
Extmail (extmail-1.0.1.tar.gz) webmail http://www.extmail.org
◆准备工作
1、下载所需的软件:照上面给出的地址找到下载URL,然后用wget下载。由于服务器一般不安装 xwindow这样的桌面环境,那怎样知道下载文件的url呢?用windows呢,通过securecrt这样的ssh工具连接和管理远程linux服务器,这样就很容易办到了。在实际的工作中,我习惯把文件下载到/root目录,原因是普通用户看不见我下载的东西。
图 1
2、清理系统:不管你喜不喜欢,安装系统时sendmail这个邮件服务软件已经安装上去了,可是一山不容二虎,既然我们选定了功能强大的postfix,那么sendmail就一边歇着吧。运行命令 rpm -e -nodeps sendmail 就达到这个目的了。第2个需要卸载的软件是SASL,为什么要卸载它呢?因为系统自带的版本不太容易与authlib正常配合,所以需要把它删除掉。第3 个要删除的是perl.本打算用系统自带的perl,可是在执行命令 perl -MCPAN -e shell时居然出现”segment fault”,导致很多功能不能使用,看来也只好删了重装一个。下面总结一下这个过程:
1、SASL
(1)列出包
rpm -qa | grep sasl
cyrus-sasl-2.1.19-5.EL4
cyrus-sasl-gssapi-2.1.19-5.EL4
cyrus-sasl-devel-2.1.19-5.EL4
cyrus-sasl-ntlm-2.1.19-5.EL4
cyrus-sasl-md5-2.1.19-5.EL4
cyrus-sasl-sql-2.1.19-5.EL4
cyrus-sasl-plain-2.1.19-5.EL4
(2)删除包
rpm –e –nodeps cyrus-sasl-2.1.19-5.EL4 cyrus-sasl-gssapi-2.1.19-5.EL4 cyrus-sasl-devel-2.1.19-5.EL4 //把上面查查来的全部列在这后面全卸载掉。nodeps前面是两”-“!
然后进目录/usr/lib查一下 ls –al /usr/lib | grep sasl 应该没有目录sasl及sasl2了。
2、Perl
(1)列出包
rpm -qa | grep perl
perl-DateManip-5.42a-3
perl-XML-Encoding-1.01-26
perl-LDAP-0.31-5
perl-XML-LibXML-Common-0.13-7
groff-perl-1.18.1.1-3
openssl-perl-0.9.7a-43.1
…………(省略若干)
perl-suidperl-5.8.5-12.1.1
(2)删除包
rpm –e –nodeps perl-DateManip-5.42a-3 //照上面的例子删除所以的包。由于包太多,用一个//rpm命令后面带的参数太长,建议一个一个收拾。
执行完删除命令后,再运行命令perl –v,如果出现“-bash: perl: command not found”则表明已经把perl清理掉了。
3、创建邮件系统运行时所需的用户和组:创建用户和组绝不仅仅是为了练习userad和groupadd这两个命令,因为安全方面的原因,一些软件不能以root用户来运行,甚至在安装过程中,如果没有为该软件预先创建用户,安装将不能进行下去,因此,我们在这里先创建这些运行postfix系统所需的用户和组。对centos或redhat等发行版而言,用命令useradd创建用户时也就创建了一个同名的组,而另外一些linux发行版(如debian)或unix(如solaris 10),创建用户时并不会同时创建同名的组,这需要手动执行命令单独创建所需的组。下面我用表格的方式列出postfix系统所需要创建的用户及组的情况:
用户名 组名 作用 备注
mysql Mysql 数据库mysql运行用户
vmail Vmail Postfix虚拟邮件帐号所使用的用户及组 uid,gid:1001,1001
postfix Postfix Postfix主程序使用的帐号和组
Postdrop Postfix setgid_group setgid_group=postdrop
amavis Amavis 邮件扫描
clamav Clamav 病毒扫描
这里有2个值得注意的地方,它们是vmail用户、组及postdrop组。在postfix邮件系统中,有好几个程序是以vmail来运行的(这些情况将在后面逐个说明);postdrop这个组,我看了很多人写的文档,无一例外的都有创建这个组的操作,但没有任何人说明这个组是干什么用的,给人很突兀的感觉,因此我在这里特别把它列出来了-它的作用是setgid_group-在postfix的主配置文件main.cf里标明了的。
[root@mail ~]# grep postdrop /etc/postfix/main.cf
setgid_group = postdrop
◆安装apache,mysql和php
1、apache
tar zxvf httpd-2.2.0.tar.gz
cd httpd-2.2.0
./configure -prefix=/usr/local/apache -enable-so //选项prefix,enanle前面是两个”-”
make
make install
上述步骤执行完毕后,将生成目录/usr/local/apache,进入这个目录检查一下,看相关的文件和目录是否存在?下图是一个正确安装apache后的目录结构:
图 2
执行命令 /usr/local/apache/bin/httpd -l检查编译进来的模块有哪些。最主要的是mod_so模块。即下面最后一个mod_so.c。这样做的目的是为了以模块方式加载php.现在我们先不忙着配置apache,等到后面再做这个工作。
2、mysql
tar zxvf mysql-5.0.41.tar.gz
cd mysql-5.0.41
./configure -prefix=/usr/local/mysql
make,make install //安装完成
useradd mysql
cp support-files/my-medium.cnf /etc/my.cnf
cd /usr/local/mysql
/usr/local/mysql/bin/mysql_install_db –user=mysql //初始化数据库
chown -R root .
chown -R mysql var
chgrp -R mysql .
3、php
cd //进/roor目录
tar zxvf php-5.2.3.tar.gz
cd php-5.2.3
./configure -prefix=/usr/local/php -with-apxs2=/usr/local/apache/bin/apxs -with-mysql=/usr/local/mysql //如果不先安装mysql,这一步将不能进行下去
make;make install
cp php.ini-dist /usr/local/php/lib/php.ini
在配置过程中,除了指定安装目录外,还有-with-apxs2和-with-mysql这两个选项。-with-apxs2的作用是与 apache的工具apxs配合,产生模块文件到目录/usr/local/apache/modules/,同时在apache的配置文件中写入一行 “LoadModule php5_module modules/libphp5.so”;
[root@myest modules]# ll
total 12212
-rw-r–r– 1 root root 8873 Jul 30 14:55 httpd.exp
-rwxr-xr-x 1 root root 12473318 Jul 31 09:29 libphp5.so
选项-with-mysql的作用非常重要,如果不加这个,以后在使用web管理工具postfixadmin时将出现不能连接数据库的错误。接着我们需要把php与apache整合在一起,这个过程很简单,由于在安装php时已经完成了一部分工作,接下来只要在apache的配置文件 httpd.conf加上”AddType application/x-httpd-php .php”这么一行就行了(注意:.php前面有一个空格)。在目录/usr/local/apache/htdocs下创建一个最简单的php测试文件,其内容为:
vi test.php
phpinfo();
?>
检查一下apache配置文件是否正确(/usr/local/apache/bin/apachectl -t),输出”Syntax OK”后就可以启动apache服务(/usr/local/apache/bin/apachectl start)。在别的机器的浏览器输入我们配置的这个服务器的url,正常的话,将得到类似下图的页面:
图 3
上面几个软件的安装相对来说还是比较容易操作的,这里我全是用GNU源码定制安装,这相对于2进制包的安装方式而已,有几个好处:①软件的相互依赖性较小(安装过rpm包的人对这个应该有深刻的认识)。②跨平台。这样的安装方式适用各种unix/linux系统。③维护方便。使用了选项- prefix指定安装目录,所有的文件目录都集中在这个安装目录里,维护起来非常方便。因此,在这里强烈推荐大家适用GNU源码方式安装。
◆安装和配置SASL、Authlib
最好先安装courier-authlib。为什么呢?因为后面配置 SASL验证smtp时需要authlib的socket路径。
1、安装和配置courier-authlib
1)安装
tar jxvf courier-authlib-0.59.3.tar.bz2
cd courier-authlib-0.59.3
./configure –with-redhat –with-authmysql=yes –with-mailuser=vmail\ –with-mailgroup=vmail –with-mysql-libs=/usr/local/mysql/lib/mysql\ –with-mysql-includes=/usr/local/mysql/include/mysql\
–prifix=/usr/local/authlib –without-stdheaderdir
make
make install
make install-configure
一般情况下,anthlib的安装应该是容易完成的。安装完成后,我们先找出配置文件中authdaemonvar的设置,这个值是干什么用的呢?它是后面SASL验证SMTP所必须的,因此需要先把它找出来,以便后面的配置能够准确无误。关于这个问题的教训,在配置sasl的时候再做说明。在我的安装中,authdaemonvar的设置如下:
[root@mail ~]# grep “authdaemonvar” /usr/local/authlib/etc/authlib/authdaemonrc
##NAME: authdaemonvar:2
# authdaemonvar is here, but is not used directly by authdaemond. It’s
authdaemonvar=/usr/local/authlib/var/spool/authdaemon
(2)配置authlib.在目录/usr/local/authlib/etc/authlib中,修改文件authdaemonrc及authmysqlrc。
vi /usr/local/authlib/etc/authlib/authdaemonrc
authmodulelist=”authmysql”
authmodulelistorig=”authmysql”
DEBUG_LOGIN=2
修改上面3项,其他的项保持不便。这个修改前2行表示用mysql认证模块;把DEBUG_LOGIN的值有默认的“0”改成“2”的用意是运行postfix时有更多的信息输出,通过生成的日志以帮助排错。
vi /usr/local/authlib/etc/authlib/authmysqlrc
MYSQL_SERVER localhost
MYSQL_USERNAME postfix
MYSQL_PASSWORD postfix
MYSQL_DATABASE postfix
MYSQL_SOCKET /tmp/mysql.sock
MYSQL_USER_TABLE mailbox
#MYSQL_CRYPT_PWFIELD password
MYSQL_CLEAR_PWFIELD password
DEFAULT_DOMAIN sery.com
MYSQL_UID_FIELD ‘1001′
MYSQL_GID_FIELD ‘1001′
MYSQL_LOGIN_FIELD username
MYSQL_HOME_FIELD ‘/var/mailbox/’
MYSQL_NAME_FIELD name
MYSQL_MAILDIR_FIELD maildir
MYSQL_QUOTA_FIELD concat(quota,’S’)
MYSQL_WHERE_CLAUSE active=’1′
照上面的格式修改,这是比较容易出错的地方,要特别小心。我曾经把MYSQL_USER_TABLE mailbox这一项的mailbox写成mailbov导致sasl验证一直没法通过!特别注意MYSQL_UID_FIELD和MYSQL_GID_FIELD字段的值,这里是‘1001’,也可以是其它的,但一定要与vmail用户及组相一致(id vmail可以得出这2者的值)
2、安装和配置SASL.
(1)安装
tar zxvf cyrus-sasl-2.1.21.tar.gz
cd cyrus-sasl-2.1.21
./configure –disable-anon -enable-plain –enable-login –enable-sql –with-mysql=/usr/local/mysql –with-mysql-includes=/usr/local/mysql/include/mysql –with-mysql-libs=/usr/local/mysql/lib/mysql –with-authdaemond
make
make install
如果在编译过程(make)出现错误,如“client.c:64: error: static declaration of ‘global_callbacks’ follows non-static declaration saslint.h:112…”,需要加一个补丁程序,然后再执行编译过程。
用vi在当前位置创建补丁文件,起名为sasl.patch,其内容包括:
— cyrus-sasl-2.1.20/lib/client.c~ 2003-11-11 11:26:06.000000000 -0500
+++ cyrus-sasl-2.1.20/lib/client.c 2005-05-31 22:34:14.000000000 -0400
@@ -61,7 +61,7 @@
static cmech_list_t *cmechlist; /* global var which holds the list */
-static sasl_global_callbacks_t global_callbacks;
+sasl_global_callbacks_t global_callbacks;
static int _sasl_client_active = 0;
ln -s /usr/local/lib/sasl2 /usr/lib/sasl2 //sasl的安装目录是/usr/local/lib/sasl
echo “/usr/local/lib” >> /etc/ld.so.conf //指定动态连接库的位置
ldconfig //共享动态链接库生效
(2) 配置
创建文件 /usr/local/lib/sasl2/smtpd.conf,并加入如下内容:
pwcheck_method: authdaemond
mech_list: PLAIN LOGIN
log_level: 3
authdaemond_path: /usr/local/authlib/var/spool/authdaemon/socket
最后一行authdaemond_paeth的设置来自anthlib 的配置文件authlibdaemonrc,千万不要把这个弄错了,我当初的smtp验证一直通不过就是由于这个原因。通过查看进程也可以知道这个路径(前提是authlib正常运行了),如下图所示:
图 4
Sasl2需要使用文件/usr/local/authlib/var/spool/authdaemon/socket,但默认情况下,其属性是744,需要把它加上执行权限,以便文件属组(主)而外的其它用户可以执行。运行命令
chmod +x /usr/local/authlib/var/spool/authdaemon
即可,如果不这样处理,smtp验证无一例外会失败的。那么这里所说的其它用户是什么用户呢?答:postfix。
◆安装和配置postfixadmin
Postfixadmin是postfix邮件系统的web管理工具,有了这个工具,管理和维护用户帐号就方便多了。假如不用工具,就需要手动修改数据库,谁愿意这样做?安装postfixadmin比较简单,解压包postfix-2.2.11.tar.gz,然后把它移动到某个目录下,其过程如下:
cd /root
tar zxvf postfixadmin-2.2.11.tar.gz
mv postfixadmin-2.2.11 /var/www/postfixadmin
现在postfixadmin的目录是/var/www/postfixadmin,为了能够让它按照我们的意愿工作,需要用命令 chown -R vmail:vmail /var/www/postfixadmin 更改属主。这样,postfixadmin的安装就算完成了。接着我们来配置它,这个过程要复杂一点,我在这里分几步进行。
(1)修改相关的配置文件。Postfixadmin第一个需要修改配置文件是config.inc.php, 但事实上却没有这个文件,不要紧,把config.inc.php.sample搬过来就是了(cp config.inc.php.sample config.ini.php),再来看一下目录结构:
[root@mailserv2 postfixadmin]# pwd
/mail/www/postfixadmin
[root@mailserv2 postfixadmin]ll
total 236
drwxr-xr-x 2 vmail vmail 4096 Sep 16 16:06 ADDITIONS
drwxr-xr-x 2 vmail vmail 4096 Sep 16 19:31 admin
-rw-r–r– 1 vmail vmail 1195 Sep 16 16:06 BACKUP_MX.TXT
-rw-r–r– 1 vmail vmail 10155 Sep 16 16:06 CHANGELOG.TXT
-rw-r—– 1 vmail vmail 4700 Sep 16 16:14 config.inc.php
-rw-r–r– 1 vmail vmail 4694 Sep 16 16:06 config.inc.php.sample
-rw-r—– 1 vmail vmail 3774 Sep 16 16:06 create-alias.php
-rw-r—– 1 vmail vmail 7379 Sep 16 19:24 create-mailbox.php
-rw-r–r– 1 vmail vmail 4910 Sep 16 16:06 DATABASE_MYSQL.TXT
-rw-r–r– 1 vmail vmail 4955 Sep 16 16:06 DATABASE_PGSQL.TXT
-rw-r—– 1 vmail vmail 2497 Sep 16 19:30 delete.php
-rw-r—– 1 vmail vmail 1727 Sep 16 16:06 edit-active.php
-rw-r—– 1 vmail vmail 3013 Sep 16 16:06 edit-alias.php
-rw-r—– 1 vmail vmail 4026 Sep 16 16:06 edit-mailbox.php
-rw-r—– 1 vmail vmail 25031 Sep 16 16:06 functions.inc.php
drwxr-xr-x 2 vmail vmail 4096 Sep 16 16:06 images
-rw-r—– 1 vmail vmail 3994 Sep 16 16:06 index.php
-rw-r–r– 1 vmail vmail 2655 Sep 16 16:06 INSTALL.TXT
drwxr-xr-x 2 vmail vmail 4096 Sep 16 16:06 languages
-rw-r–r– 1 vmail vmail 1651 Sep 16 16:06 LANGUAGE.TXT
-rw-r–r– 1 vmail vmail 5375 Sep 16 16:06 LICENSE.TXT
-rw-r—– 1 vmail vmail 1743 Sep 16 16:06 login.php
-rw-r—– 1 vmail vmail 494 Sep 16 16:06 logout.php
-rw-r—– 1 vmail vmail 869 Sep 16 16:06 main.php
-rw-r–r– 1 vmail vmail 981 Sep 16 16:06 motd-admin.txt.orig
-rw-r–r– 1 vmail vmail 262 Sep 16 16:06 motd.txt
-rw-r–r– 1 vmail vmail 262 Sep 16 16:06 motd-users.txt
-rw-r—– 1 vmail vmail 4827 Sep 16 16:06 overview.php
-rw-r—– 1 vmail vmail 2314 Sep 16 16:06 password.php
-rwxr-xr-x 1 vmail vmail 392 Sep 16 16:08 postfix_chmod.sh
-rw-r—– 1 vmail vmail 3233 Sep 16 16:06 search.php
-rw-r—– 1 vmail vmail 2119 Sep 16 16:06 sendmail.php
-rw-r—– 1 vmail vmail 5506 Sep 16 16:06 setup.php
-rw-r—– 1 vmail vmail 4204 Sep 16 16:06 stylesheet.css
-rw-r–r– 1 vmail vmail 456 Sep 16 16:06 TABLE_BACKUP_MX.TXT
-rw-r–r– 1 vmail vmail 3737 Sep 16 16:06 TABLE_CHANGES.TXT
drwxr-xr-x 2 vmail vmail 4096 Sep 16 16:06 templates
-rw-r–r– 1 vmail vmail 2303 Sep 16 16:06 UPGRADE.TXT
drwxr-xr-x 2 vmail vmail 4096 Sep 16 16:06 users
-rw-r—– 1 vmail vmail 1949 Sep 16 16:06 variables.inc.php
-rw-r—– 1 vmail vmail 1965 Sep 16 16:06 viewlog.php
drwxr-xr-x 2 vmail vmail 4096 Sep 16 16:06 VIRTUAL_VACATION
在上面的目录输出中,我将要处理的文件或目录用了粗字体来标识了,先从config.ini.php动手吧。
[root@mailserv2 postfixadmin]# more config.inc.php
//
// Postfix Admin
// by Mischa Peters
// Copyright (c) 2002 – 2005 High5!
// License Info: http://www.postfixadmin.com/?file=LICENSE.TXT
//
// File: config.inc.php
//
if (ereg (”config.inc.php”, $_SERVER['PHP_SELF']))
{
header (”Location: login.php”);
exit;
}
// Postfix Admin Path
// Set the location to your Postfix Admin installation here.
$CONF['postfix_admin_url'] = ”;
$CONF['postfix_admin_path'] = ”;
// Language config
// Language files are located in ‘./languages’.
$CONF['default_language'] = ‘cn’;
// Database Config
// mysql = MySQL 3.23 and 4.0
// mysqli = MySQL 4.1
// pgsql = PostgreSQL
$CONF['database_type'] = ‘mysql’;
$CONF['database_host'] = ‘localhost’;
$CONF['database_user'] = ‘postfixadmin’;
$CONF['database_password'] = ‘postfixadmin’;
$CONF['database_name'] = ‘postfix’;
$CONF['database_prefix'] = ”;
…………………………省略若干……………………………………….
// Mailboxes
// If you want to store the mailboxes per domain set this to ‘YES’.
// Example: /usr/local/virtual/domain.tld/username@domain.tld
$CONF['domain_path'] = ‘YES’;
// If you don’t want to have the domain in your mailbox set this to ‘NO’.
// Example: /usr/local/virtual/domain.tld/username
$CONF['domain_in_mailbox'] = ‘NO’;
…………………………省略若干……………………………………….
// Default Domain Values
// Specify your default values below. Quota in MB.
$CONF['aliases'] = ‘1000′;
$CONF['mailboxes'] = ‘1000′;
$CONF['maxquota'] = ‘1000′;
…………………………省略若干……………………………………….
// Quota
// When you want to enforce quota for your mailbox users set this to ‘YES’.
$CONF['quota'] = ‘NO’;
// You can either use ‘1024000′ or ‘1048576′
$CONF['quota_multiplier'] = ‘1024000′;
…………………………省略若干……………………………………….
?>
被改动过的内容用红色粗体标记出来了,这些值可根据实际情况作修改。下一个需要修改的文件是create-mailbox.php:
[root@mailserv2 postfixadmin]# more create-mailbox.php
//
// Postfix Admin
// by Mischa Peters
// Copyright (c) 2002 – 2005 High5!
// License Info: http://www.postfixadmin.com/?file=LICENSE.TXT
……………………………………省略若干…………………………………….
$tQuota = $CONF['maxquota'];
system(”sudo /usr/sbin/maildirmake.sh $fDomain “.$_POST['fUsername']);
if ($fMail == “on”)
……………………………………省略若干…………………………………….
?>
红色字体那行是需要插入的,它的位置在210行,不要把位置放错了,因为文件中有2行是”$tQuota = $CONF['maxquota'];”一定要把它放在第209行的那个”$tQuota = $CONF['maxquota'];”的后面才会有作用。在这里,很有必要解释一下插入这行的作用–在php脚本中执行系统的shell脚本–直接的后果就是创建用户的邮箱目录,这与执行在linux下执行命令行sudo /usr/sbin/maildirmake.sh sery.com sey相当。接下来我们修改文件delete.php:
[root@mailserv2 postfixadmin]# vi delete.php
……………………………………….省略很多………………………………
require (”./variables.inc.php”);
require (”./config.inc.php”);
require (”./functions.inc.php”);
include (”./languages/” . check_language () . “.lang”);
$SESSID_USERNAME = check_session();
……………………………………….省略很多……………………………… $result = db_query (”SELECT * FROM mailbox WHERE username=’$fDelete’ AND domain=’$fDomain’”);
$userarray=explode(”@”,$fDelete);
$user=$userarray[0];
$domain=$userarray[1];
system(”sudo /usr/sbin/maildirdel.sh $domain $user”);
……………………………………….省略很多………………………………
?>
红色字体标示的那4行是需要插入的,位置也是至关重要的,不能弄错。到了这一步,还是没有完成,还需要进目录admin里修改2个同名文件 admin/create-mailbox.php和admin/delete.php,修改的方法是一样的,只是插入位置的行号不同(如 admin/create-mail在200行的位置插入),见下面的截图:
图 5
这里有一个疑惑:为什么在不同的目录下有相同的文件呢?这是出于安全方面的原因。Postfixadmin把管理员分成2种:超级邮件系统管理员和一般邮件系统管理员,在admin目录里的是超级管理员的目录,而普通的邮件系统管理员在/mail/www/postfixadmin这个目录。在上述过程中,我们使用了2个shell脚本/usr/sbin/maildirdel.sh及/usr/sbin/maildirmake.sh,这些脚本的内容和作用将在后面安装配置maildrop时一并给出。
(2) 在mysql中创建postfix所需的数据库。
[root@mailserv2 ~] # cd /var/www/postfixadmin
[root@mailserv2 ~] # mysql -u root < DATABASE_MYSQL.TXT
(3) 测试postfixadmin。先修改apache的配置文件/usr/local/apache/conf/httpd.conf,加入如下内容:
Alias /postfixadmin /var/www/postfixadmin
<Directory /var/www/postfixadmin>
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
<Directory “/var/www/postfixadmin/admin”>
AuthType Basic
Options None
AllowOverride None
Order allow,deny
Allow from all
AuthName “sery.mail Access”
AuthUserFile /usr/local/apache/conf/htpasswd
Require valid-user
</Directory>
保存后重起apache服务(/usr/local/apache/bin/apachectl restart),然后在别的机器的浏览器输入邮件服务器的url如:http://mail.sery.com/postfixadmin
图 6
点击链接 setup,如果出现的都是ok,则表明postfixadmin配置正确。
图 7
默认情况下,很有可能没有安装pcre(Perl Compatible Regular Expressions)这个软件包。这个包是必须的,如果没有这个包,安装courier-maildrop将不能正常进行,关于pcre的安装,我们把它放到maildrop安装这一部分。
◆Postfix安装和配置
这是邮件系统的核心部分,因此安装和配置是比较复杂的,特别是做配置时要格外小心,有时还需要反复修改,反复测试。
(1)安装postfix.
[root@mailserv2 ~]# cd
[root@mailserv2 ~]# tar zxvf postfix-2.2.11.tar.gz
[root@mailserv2 ~]# cd postfix-2.2.11
[root@mailserv2 postfix-2.2.11]# make -f Makefile.init makefiles ‘CCARGS=-DHAS_MYSQL -I/usr/local/mysql/include/mysql -DUSE_SASL_AUTH -I/usr/local/include/sasl’ ‘AUXLIBS=-L/usr/local/mysql/lib/mysql -lmysqlclient -lz -lm -L/usr/local/lib -lsasl2′
如果没有意外,make这一步很快就执行完了,接下来就是安装,使用的命令是:
[root@mailserv2 postfix-2.2.11]# make install
程序先自动执行一阵子,然后会进入交互状态,等待用户的输入,一般情况下,一路回车即可完成所有的安装。
(2)配置postfix。Postfix有本身有2个需要修改的配置文件/etc/postfix/main.cf和/etc/postfix/master.cf,因为我们要用mysql虚拟帐号,因此需要手动加一些配置文件,下面挨个来做这些配置。
①main.cf。这个文件有很多行注释,察看起来不是很方便,先用命令 [root@mailserv2 postfix]# sed -n ‘/^#/!p’ /etc/postfix/main.cf > /etc/postfix/main.cf.new 去掉注释行并生成新文件/etc/postfix/main.cf.new,然后再把它覆盖到 /etc/postfix/main.cf (cp /etc/postfix/main.cf.new /etc/postfix/main.cf)。修改后的文件如下所示:
[root@mailserv2 postfix]# more main.cf
config_directory = /etc/postfix
readme_directory = no
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
html_directory = no
setgid_group = postdrop
command_directory = /usr/sbin
manpage_directory = /usr/local/man
daemon_directory = /usr/libexec/postfix
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
queue_directory = /var/spool/postfix
mail_owner = postfix
###########################################################
content_filter = smtp-amavis:[127.0.0.1]:10024
max_use = 10
#=====================BASE=========================
myhostname = mail2.sery.com
mydomain = mail.sery.com
myorigin = $mydomain
mydestination = $myhostname localhost localhost.$mydomain
mynetworks = 127.0.0.0/8 220.94.159.0/24
inet_interfaces = all
#=====================Vritual Mailbox settings======================
virtual_mailbox_base = /var/mailbox
virtual_mailbox_maps = mysql:/etc/postfix/mysql/mysql_virtual_mailbox_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql/mysql_virtual_domains_maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql/mysql_virtual_alias_maps.cf
virtual_uid_maps = static:1001
virtual_gid_maps = static:1001
virtual_transport = maildrop
maildrop_destination_recipient_limit = 1
maildrop_destination_concurrency_limit = 1
#====================QUOTA========================
message_size_limit = 14336000
virtual_mailbox_limit = 20971520
virtual_create_maildirsize = yes
virtual_mailbox_extended = yes
virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql/mysql_virtual_mailbox_limit_maps.cf
virtual_mailbox_limit_override = yes
virtual_maildir_limit_message = Sorry, the user’s maildir has overdrawn his diskspace quota, please try again later.
virtual_overquota_bounce = yes
#====================SASL========================
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_unknown_sender_domain,
reject_non_fqdn_sender,reject_non_fqdn_recipient,
reject_unknown_recipient_domain,reject_unauth_pipelining,
reject_unauth_destination,
permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sasl_application_name = smtpd
smtpd_banner=$myhostname ESMTP “Version not Available”
alias_maps = hash:/etc/aliases
unknown_local_recipient_reject_code = 450
上述配置中,需要特别注意的是mydomain和myhostname,这2个项的值不要设置成一样,否则postfix将不能正确启动。第2个要注意的地方是 virtual_uid_maps及virtual_gid_maps的值,它是vmail用户的uid和vmail组的gid,与前面的文件 /usr/local/authlib/etc/authlib/authmysqlrc的 “MYSQL_UID_FIELD””MYSQL_GID_FIELD”一定要保持一致,本案的uid和gid都是1001.任何情况下,通过执行
root@mailserv2 postfix]# id vmail
uid=1001(vmail) gid=1001(vmail) groups=1001(vmail)
察看uid和gid。”content_filter = smtp-amavis:[127.0.0.1]:10024″这一行是防病毒和反垃圾邮件用的,稍后再做说明。
②创建目录/etc/postfix/mysql,然后手动创建四个配置文件:mysql_virtual_alias_maps.cf, mysql_virtual_domains_maps.cf,mysql_virtual_mailbox_limit_maps.cf, mysql_virtual_mailbox_maps.cf。这4个文件的内容分别如下:
[root@mailserv2 mysql]# more mysql_virtual_alias_maps.cf
user = postfix
password = postfix
hosts = localhost
dbname = postfix
table = alias
select_field = goto
where_field = address
[root@mailserv2 mysql]# more mysql_virtual_domains_maps.cf
user = postfix
password = postfix
hosts = localhost
dbname = postfix
table = domain
select_field = description
where_field = domain
[root@mailserv2 mysql]# more mysql_virtual_mailbox_limit_maps.cf
user = postfix
password = postfix
hosts = localhost
dbname = postfix
table = mailbox
select_field = quota
where_field = username
[root@mailserv2 mysql]# more mysql_virtual_mailbox_maps.cf
user = postfix
password = postfix
hosts = localhost
dbname = postfix
table = mailbox
select_field = maildir
where_field = username
另外一个配置文件是/etc/postfix/master.cf,由于需要修改的地方不是很多,可以先在这里把它配置好。
[root@mailserv2 postfix]# more master.cf
#
# Postfix master process configuration file. For details on the format
# of the file, see the Postfix master(5) manual page.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - n - - smtpd
#submission inet n - n - - smtpd
# -o smtpd_etrn_restrictions=reject
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps inet n - n - - smtpd
# -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission inet n - n - - smtpd
# -o smtpd_etrn_restrictions=reject
# -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628 inet n - n - - qmqpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - n - - smtp
-o fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/local/maildrop/bin/maildrop -d ${recipient}
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
old-cyrus unix - n n - - pipe
flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
cyrus unix - n n - - pipe
user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender – $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#############################################################################
# antispam #
#############################################################################
smtp-amavis unix – - n – 2 smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o disable_dns_lookups=yes
localhost:10025 inet n – n – - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o mynetworks=127.0.0.0/8
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o strict_rfc821_envelopes=yes
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
这个配置文件,”flags=DRhu user=vmail:vmail argv=/usr/local/maildrop/bin/maildrop -d ${recipient}”是修改过的,flags前面必须有2个空格,这点值得注意。至于”argv= /usr/local/maildrop/bin/maildrop”则是maildrop安装的路径及maildrop二进制执行文件的位置,当我们安装maildrop文件时,一定要和这个位置相一致。文件从注释框 “antispam”后的一部分内容,是过滤垃圾邮件用的。
到这里,postfix的配置文件基本上算配好了,但是其它相依赖的软件还没有安装和配置好,因此不能运行和测试postfix,等所有的相关软件安装和配置正确后再进行这个步骤。
◆Corurier-imap安装配置
Postfix只是实现邮件系统的smtp功能,pop3或imap则需要另外的软件来实现,这个软件就是courier-imap(当然也有别的软件可以选择)。
(1)安装courier-imap
[root@mailserv2 ~]# cd
[root@mailserv2 ~]# tar jxvf courier-imap-4.1.3.tar.bz2
[root@mailserv2 ~]# cd courier-imap-4.1.3
[root@mailserv2courier-imap-4.1.3]#./configure –prefix=/usr/local/imap –with-redhat
–disable-root-check –enable-unicode=utf-8,iso-8859-1,gb2312,gbk,gb18030
–with-trashquota –with-dirsync –with-mysql-libs=/usr/local/mysql/lib/mysql –with-mysql-includes=/usr/local/mysql/include/mysql/ –with-authmysql –with-authmysql=yes
[root@mailserv2 courier-imap-4.1.3]# make
[root@mailserv2 courier-imap-4.1.3]# make install
[root@mailserv2 courier-imap-4.1.3]# make install-configure
(2)修改配置文件/usr/local/imap/etc/pop3d及/usr/local/imap/etc/imapd。把/usr/local/imap/etc/pop3d 文件的行”POP3DSTART=NO”改成”POP3DSTART=YES”,再依照这个形式把文件 /usr/local/imap/etc/imapd的行”IMAPDSTART=NO”改成”IMAPDSTART=YES”即可。
(3)复制文件 courier-imap.sysvinit到目录/usr/local/imap/sbin,以便于启动imap的守护进程。
[root@mailserv2 courier-imap-4.1.3]# cp courier-imap.sysvinit /usr/local/imap/sbin/imapd
(4)测试imap服务。
[root@mailserv2 courier-imap-4.1.3]# /usr/local/imap/sbin/imapd start
Starting Courier-IMAP server: imap pop3
◆安装courier-maildrop
Maiidrop的作用是本地投递,即把收到的邮件移动到相应的用户目录。在前面配置postfix的时候,我们已经把与maildrop相关的东西写进文件/etc/postfix/master.cf了,因此这里就不再叙述。前面的步骤我们也提到过pcre 这个软件,它是安装maildrop所必须的,所以需要先安装这个软件(如果系统不存在这个软件的话)。
[root@mailserv2 courier-imap-4.1.3]# cd
[root@mailserv2 courier-imap-4.1.3]# tar jxvf pcre-7.2.tar.bz2
[root@mailserv2 courier-imap-4.1.3]# cd pcre-7.2
[root@mailserv2 courier-imap-4.1.3]# ./configure
[root@mailserv2 courier-imap-4.1.3]# make
[root@mailserv2 courier-imap-4.1.3]# make install
//安装pcre应该是非常容易的事情,片刻之间就可搞定,接下来安装maildrop.在执行配置过程中,需要很多选项,不要疏漏。
[root@mailserv2 pcre-7.2]# cd
[root@mailserv2 pcre-7.2]# tar jxvf maildrop-2.0.4.tar.bz2
[root@mailserv2 pcre-7.2]# cd maildrop-2.0.4
[root@mailserv2 maildrop-2.0.4]# ./configure –prefix=/usr/local/maildrop –enable-
sendmail=/usr/sbin/sendmail –enable-trusted-users=’root vmail’ –enable-syslog=1
–enable-maildirquota –enable-maildrop-uid=1001 –enable-maildrop-gid=1001 –with
-trashquota –with-dirsync
[root@mailserv2 maildrop-2.0.4]# make
[root@mailserv2 maildrop-2.0.4]# make install
[root@mailserv2 maildrop-2.0.4]# cp /usr/local/maildrop/bin/maildrop /usr/bin
下面的命令简单验证maildrop
[root@mailserv2 ~]# maildrop –v
maildrop 2.0.4 Copyright 1998-2005 Double Precision, Inc.
GDBM extensions enabled.
Courier Authentication Library extension enabled.
Maildir quota extension enabled.
This program is distributed under the terms of the GNU General Public
License. See COPYING for additional information.
输出内容一定要有”Courier Authentication Library extension enabled”这一行。如果没有这个输出,那是非常不幸的事情了,返回去挨个排错吧。那么这个”Courier Authentication Library extension enabled”是怎么一回事呢?这表明maildrop已经和前面我们安装配置的SASL和courier-authlib紧密结合在一起了。
知道maildrop把邮件移动到哪个用户目录还是非常有必要的,这个操作就是maildrop的日志记录。这里我们创建一个新文件/etc/maildroprc,这个文件就2行内容:
[root@mailserv2 mailbox]# more /etc/maildroprc
logfile “/var/mailbox/maildrop.log”
to “$HOME/$DEFAULT”
我们来看一个正常运行的postfix邮件系统的maildrop日志,就会对maildrop有更清楚的认识。
[root@mailserv2 mailbox]# tail maildrop.log
Date: Sat Oct 6 12:45:20 2007
From: “Saundra Y. Echols” <saundra@MS13.HINET.NET>
Subj: No girls laugh at me now, haha, i laugh at them
File: /mail/mailbox//sery.com/magazine/ (3355)
上面的日志表明收到一封来自Saundra@ms13.hinet.net的信,maildrop把邮件移动到目录/mail/mailbox/sery.com/magazine。
很可惜maidrop没有创建和删除邮件用户目录的能力,在配置postfixadmin时,我们提到需要使用2个shell脚本 /usr/sbin/maildirdel.sh及/usr/sbin/maildirmake.sh,这2个脚本的作用就是用来弥补maildrop不能创建/删除目录这个缺陷的。
[root@mailserv2 ~]# more /usr/sbin/maildirmake.sh
#!/bin/bash
set -e
if [ ! -d /var/mailbox/$1 ]
then
mkdir /var/mailbox/$1
fi
chown -R vmail:vmail /var/mailbox/$1
cd “/var/mailbox/$1″
/usr/local/imap/bin/maildirmake $2
mkdir /var/mailbox/$1/$2/Maildir
chown -R vmail:vmail /var/mailbox/$1/$2
[root@mailserv2 ~]# more /usr/sbin/maildirdel.sh
#!/bin/bash
rm -rf /mail/mailbox/$1/$2
这2个脚本由web调用,而web(apache)的执行用户为vmail,出于安全考虑,我们给vmail用户的权限非常有限,为了保证这2个 shell脚本能正常执行,需要使用sudo这个工具来完成这个任务。尽管可以使用vi这样的编辑器来修改/etc/sudoers这个配置文件,但还是不及visudo可靠,因为visudo可以对修改的内容做语法检查,如果更改不正确,保存文件是会给出提示。把行”vmail ALL = NOPASSWD: /usr/sbin/maildirmake.sh , /usr/sbin/maildirdel.sh”追加到文件末尾即可!
有的时候,在postfixadmin里创建新的邮件帐号,帐号倒是创建成功了,却并没有在指定的位置生成相应的虚拟用户目录,从网上收集的信息来看,这个问题似乎很普遍,我本人也被这个问题困扰过–以vmail 用户手动执行sudo /usr/sbin/maildirdel.sh就能创建目录,用web方式就是不行-实验多次才找出原因,原来是/etc/sudoers里需要把 “Defaults requiretty”这行注释掉。有人可能要问,你怎么知道要这样做呢?答:我是通过看apache日志知道要这样干的。
◆邮件病毒检查和垃圾邮件过滤
抗病毒使用软件是clamav,安装时一定要用当前的最新版本。垃圾邮件过滤可使用一个名为SpamAssassin的perl模块。通过采用amavisd-new这个容器,可以把clamav和SpamAssassin整合起来。
(1)安装配置clamav.
[root@mailserv2 ~]# useradd clamav
[root@mailserv2 ~]# cd
[root@mailserv2 ~]# cd clamav-0.91.2
[root@mailserv2 ~]# ./configure –prefix=/usr/local/clamav –with-dbdir=/usr/local/share/clamav –disable-zlib-vcheck
[root@mailserv2 ~]# make
[root@mailserv2 ~]# make install
Clamav有2个配置文件,一个主配置文件/usr/local/clamav/etc/clamd.conf,一个病毒更新配置文件/usr/local/clamav/etc/ freshclam.conf。现把修改好的配置文件列于下面:
[root@mailserv2 ~]# more /usr/local/clamav/etc/freshclam.conf | sed -n ‘/^#/!p’
DatabaseDirectory /usr/local/share/clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose yes
LogSyslog yes
LogFacility LOG_MAIL
DatabaseOwner amavis
DatabaseMirror db.CN.clamav.net
DatabaseMirror database.clamav.net
[root@mailserv2 ~]# more /usr/local/clamav/etc/clamd.conf | sed -n ‘/^#/!p’
LogFile /var/log/clamav/clamd.log
LogSyslog yes
LogVerbose yes
PidFile /var/run/clamav/clamd.pid
DatabaseDirectory /usr/local/share/clamav
LocalSocket /var/run/clamav/clamd.socket
StreamMaxLength 20M
User amavis
ScanMail yes
ScanArchive yes
这2个文件有很多注释,我用sed把它过滤掉了。Clamd.conf中,有”User amavis”这样一行。为什么不用默认的用户clamav而使用amavis呢?这样做的目的是为了与amavis-new结合在一起。既然没有这个用户,就手动创建一个(useradd amavis)。接下来需要手动创建一些目录并赋予相应的权限,用来记录日志等用途;我把它作成一个shell脚本,直接执行即可,脚本的内容如下所示:
[root@mailserv2 ~]# more /root/clamav.sh
#!/bin/bash
# create directory for clamav
mkdir /var/log/clamav
chmod -R 744 /var/log/clamav
chown -R amavis:amavis /var/log/clamav
chown -R amavis.amavis /usr/local/share/clamav
mkdir /var/run/clamav
chmod 700 /var/run/clamav
chown amavis.amavis /var/run/clamav
脚本执行成功后,再执行 [root@mailserv2 ~]# /usr/local/clamav/bin/freshclam 手动更新病毒库。
(2)安装和配置avamvis-new。解压包amavisd-new-2.5.2.tar.gz,然后把它移动到相关的位置。这里还是用一个脚本来做这个事情,脚本的内容如下:
[root@mailserv2 ~]# more /root/amavis.sh
#!/bin/bash
cd /root
tar amavisd-new-2.5.2.tar.gz
cd amavisd-new-2.5.2
mkdir -p /var/amavis /var/amavis/tmp /var/amavis/var /var/amavis/db
chown -R amavis:amavis /var/amavis
chmod -R 750 /var/amavis
cp amavisd /usr/local/sbin/
chown root /usr/local/sbin/amavisd
chmod 755 /usr/local/sbin/amavisd
cp amavisd.conf /etc/
chown root /etc/amavisd.conf
chmod 644 /etc/amavisd.conf
mkdir /var/virusmails
chown amavis:amavis /var/virusmails
chmod 750 /var/virusmails
执行完脚本后别忘记检查一下是否都按我们的意愿工作,如/usr/local/sbin目录是否有文件amavisd。
Amavisd的配置文件/etc/amavisd.conf比较复杂,需要修改的内容如下:
$max_servers=8;
$daemon_user = ‘amavis’;
$daemon_group = ‘amavis’;
$mydomain = ’sery.com’;
$db_home = “$MYHOME/db”;
$inet_socket_port = 10024;
$sa_tag_level_deflt = -100;
$sa_tag2_level_deflt = 6.3;
$sa_kill_level_deflt = $sa_tag2_level_deflt;
$virus_admin = “virusalert@$mydomain“;
$sa_spam_subject_tag = ‘***SPAM*** ‘;
$notify_method = $forward_method;
$forward_method = ’smtp:127.0.0.1:10025′;
$final_virus_destiny = D_DISCARD;
$final_banned_destiny = D_DISCARD;
$final_spam_destiny = D_PASS;
['ClamAV-clamd',
&ask_daemon, ["CONTSCAN {}n", "/var/run/clamav/clamd"],
qr/bOK$/, qr/bFOUND$/,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
上述修改确认无误后,执行 [root@mailserv2 ~]# /usr/local/sbin/amavisd debug 测试amavis。一般而言,测试皆不能正常进行,因为所需要的很多perl模块很可能没有被安装。还好,报错信息给出了所需的模块。这时你需要到www.cpan.org下载相关的模块,然后安装;也可能遇到包依赖,再下载依赖的包,安装这个依赖,再反回来安装先前那个包,如此反复,很是烦人,极考验人的耐性。等到 /usr/local/sbin/amavisd debug 输出没有错误方才完成。有另外一种方法,即运行 [root@mailserv2 ~]# perl MCPAN -e shell ,然后执行 cpan> install Time::HiRes 这样的命令挨个安装缺少的perl模块。根据我的经验,这样干很耗时,并且有的模块用这种方法安装还不灵,所以还不如在网站下载模块安装有效。下面给出一个perl模块的安装实例:
[root@mailserv2 ~]# cd
[root@mailserv2 ~]# tar zxvf BerkeleyDB-0.32.tar.gz
[root@mailserv2 ~]# cd BerkeleyDB-0.32
[root@mailserv2 ~]# perl Makefile.PL
[root@mailserv2 ~]# make
[root@mailserv2 ~]# make install
◆Webmail安装配置
可供postfix选择的webmail不是很丰富,通过比较,我选择extmail作为postfix的webmail客户端工具,本来 extmail也包括像postfixadmin这样的web管理工具(extman),因为前面我们已经用了postfixadmin, 这里我只用extmail。
下载ExtMail-Solution-Linux-0.1.tar.gz后解压,然后把它移动到目录/var/www/extsuite/extmail。在apache的配置文件httpd.conf末尾追加下面的内容以便用户可以通过web方式访问extmail:
DirectoryIndex index.html index.php index.cgi
ScriptAlias /extmail/cgi/ /mail/www/extsuite/extmail/cgi/
<Directory “/mail/www/extsuite/extmail/cgi”>
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
Alias /extmail /mail/www/extsuite/extmail/html
<Directory /mail/www/extsuite/extmail/html>
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
保存文件,重启apache服务即可在浏览器输入邮件服务器的url访问了。
图 8
如果少了相应的perl模块,web页面会给出提示,按照提示把perl模块安装上去就正常了。到这里,extmail的配置还没有完呢,至少还有 2个文件需要修改,这2个文件是webmail.cf和 /var/www/extsuite/extmail/html/default/index.html.前一个是extmail的配置文件,后一个是页面文件显示方式。
webmail.cf的内容:更改过的内容用斜体红色字体显示
[root@mailserv2 extmail]# more webmail.cf
# sys_config, the config file and webmail programe root
SYS_CONFIG = /var/www/extsuite/extmail/
# sys_langdir, the i18n dir
SYS_LANGDIR = /var/www/extsuite/extmail/lang
# sys_templdir, the template dir
SYS_TEMPLDIR = /var/www/extsuite/extmail/html
# sys_warn, show system warning or not, default to yes
SYS_SHOW_WARN = 0
# sys_permit_noquota, permit an account without qouta?
SYS_PERMIT_NOQUOTA = 1
# sys_sess_dir, the session dir
SYS_SESS_DIR = /tmp/
# sys_log_on = 1 | 0 – enable logging or not
SYS_LOG_ON = 1
# sys_log_type = file|syslog|nsyslog, syslog will save login
# or error info into mail.*, nsyslog is a replacement to syslog
# that will send log message to network syslogd
SYS_LOG_TYPE = syslog
# sys_log_file – path to log file, if sys_log_type = file
SYS_LOG_FILE = /var/log/extmail.log
# sys_sess_timeout, session timeout, default 3 hours (3h) format:
# number+(s|m|h|d|M|y); or only number, the 0 means that the
# session will last for 0 seconds, but if you specify the
# sys_sess_cookie_only = 1 then it means the session will expire
# after you close your browser SYS_SESS_TIMEOUT = 0
# sys_sess_cookie_only = 0|1 use cookie only or include cgi “sid”
# parameter ? if set to true(1), the session will be expired after
# sys_sess_timeout if there is no any active request from browser
SYS_SESS_COOKIE_ONLY = 1
# sys_user_psize, user default page_size
SYS_USER_PSIZE = 10
# sys_user_tsize, user mail subject truncate size, valid type:
# auto => full text
# screen1 => 800×600
# screen2 => 1024×768
# screen3 => 1280×1024
SYS_USER_SCREEN = auto
# sys_user_lang, user default language
SYS_USER_LANG = en_US
# sys_user_template, user default template
SYS_USER_TEMPLATE = default
# sys_user_charset, user default charset
SYS_USER_CHARSET = utf-8
# sys_user_trylocal, user default outgoing encoding mechanism
SYS_USER_TRYLOCAL = 1
# sys_user_timezone, user default timezone
SYS_USER_TIMEZONE = +0800
# sys_user_* default parameters
SYS_USER_CCSENT = 0
SYS_USER_SHOW_HTML = 1
SYS_USER_COMPOSE_HTML = 1
SYS_USER_CONV_LINK =1
SYS_USER_ADDR2ABOOK = 1
# sys_min_pass_len, minimal password length, default 2
SYS_MIN_PASS_LEN = 2
# sys_mfilter_on, default is off
SYS_MFILTER_ON = 1
# sys_netdisk_on, default is off
SYS_NETDISK_ON = 0
# sys_debug_on, default is off
SYS_DEBUG_ON = 0
# sys auth type, mysql/ldap/authlib
SYS_AUTH_TYPE = mysql
# maildir_base, the base dir of user maildir, use absolute path
# if not set.
SYS_MAILDIR_BASE = /var/mailbox
# sys_auth_schema, vpopmail1/vpopmail2/virtual
# vpopmail1 => all user accounts in one table
# vpopmail2 => accounts in per domain table
SYS_AUTH_SCHEMA = virtual
# crypt_type, the default encrypt type of password, possible type
# currently is crypt|cleartext|plain|md5|md5crypt|plain-md5|ldap-md5|sha|sha1
SYS_CRYPT_TYPE = md5crypt
# if mysql, all relate parameters should prefix as SYS_MYSQL
SYS_MYSQL_USER = postfix
SYS_MYSQL_PASS = postfix
SYS_MYSQL_DB = postfix
SYS_MYSQL_HOST = localhost
SYS_MYSQL_SOCKET = /tmp/mysql.sock
# table name
SYS_MYSQL_TABLE = mailbox
SYS_MYSQL_ATTR_USERNAME = username
SYS_MYSQL_ATTR_DOMAIN = domain
SYS_MYSQL_ATTR_PASSWD = password
# sys_mysql_attr_clearpw – attribute to save clear password, useful for
# postmaster withdraw the original passwd if the end user forgot, but
# we highly recommend that you don’t enable it for security reason
# SYS_MYSQL_ATTR_CLEARPW = clearpwd
SYS_MYSQL_ATTR_QUOTA = quota
SYS_MYSQL_ATTR_NDQUOTA = netdiskquota
SYS_MYSQL_ATTR_HOME = homedir
SYS_MYSQL_ATTR_MAILDIR = maildir
# service enable/disable attributes
# comment them out if you don’t want their function
SYS_MYSQL_ATTR_DISABLEWEBMAIL = disablewebmail
SYS_MYSQL_ATTR_DISABLENETDISK = disablenetdisk
SYS_MYSQL_ATTR_ACTIVE = active
# if ldap, all relate parameters should prefix as SYS_LDAP
SYS_LDAP_BASE = o=extmailAccount,dc=example.com
SYS_LDAP_RDN = cn=Manager,dc=example.com
SYS_LDAP_PASS = secret
SYS_LDAP_HOST = localhost
# ldif attributes
SYS_LDAP_ATTR_USERNAME = mail
SYS_LDAP_ATTR_DOMAIN = virtualDomain
SYS_LDAP_ATTR_PASSWD = userPassword
# sys_ldap_attr_clearpw – attribute to save clear password, useful for
# postmaster withdraw the original passwd if the end user forgot, but
# we highly recommend that you don’t enable it for security reason
# SYS_LDAP_ATTR_CLEARPW = clearPassword
SYS_LDAP_ATTR_QUOTA = mailQuota
SYS_LDAP_ATTR_NDQUOTA = netdiskQuota
SYS_LDAP_ATTR_HOME = homeDirectory
SYS_LDAP_ATTR_MAILDIR = mailMessageStore
# service enable/disable attributes
# comment them out if you don’t want their function
SYS_LDAP_ATTR_DISABLEWEBMAIL = disablewebmail
SYS_LDAP_ATTR_DISABLENETDISK = disablenetdisk
SYS_LDAP_ATTR_ACTIVE = active
# if authlib, all relate parameters should prefix as AUTHLIB
SYS_AUTHLIB_SOCKET = /usr/local/authlib/var/spool/authdaemon/socket
# Global Abook support
# sys_g_abook_type, global abook type, valid is ldap|file, currently
# only support ldap, file module is under development SYS_G_ABOOK_TYPE = file
# if ldap, all relate parameters should prefix as SYS_G_ABOOK_LDAP
SYS_G_ABOOK_LDAP_HOST = localhost
SYS_G_ABOOK_LDAP_BASE = ou=AddressBook,dc=example.com
SYS_G_ABOOK_LDAP_ROOTDN = cn=Manager,dc=example.com
SYS_G_ABOOK_LDAP_ROOTPW = secret
SYS_G_ABOOK_LDAP_FILTER = objectClass=OfficePerson
# if file, all relate parameters should prefix as SYS_G_ABOOK_FILE
SYS_G_ABOOK_FILE_PATH = /mail/www/extsuite/extmail/globabook.cf
SYS_G_ABOOK_FILE_LOCK = 1
SYS_G_ABOOK_FILE_CONVERT = 0
SYS_G_ABOOK_FILE_CHARSET = utf-8
在文件/var/www/extsuite/extmail/html/default/index.html 加入下面的标识,可以得到不同
<TR>
<TD><%domain%></TD>
<TD><select name=”domain” size=”1″ class=”input_select”></option><option value=”mail.sery.com”>mail.sery.com</option>
<optionvalue=”sery.com”>sery.com</option></select><!–<INPUT TYPE=”text” class=”input_n” NAME=”domain”>–></TD>
</TR>
邮件域的下拉列表,从而方便用户的使用。
图 9
到这里,postfix的安装配置算是完成了。我们来逐个检查这些服务的正确性,简单的方法就是启动每一个服务,根据服务的运行来掌握各个服务是否正常。为了方便所有服务随开机自动启动,我把它们都加在了文件/etc/rc.local里,这些内容包括:
################ normal services ############################
/usr/local/apache/bin/apachectl start
/usr/local/mysql/bin/mysqld_safe –user=mysql&
/usr/local/authlib/sbin/authdaemond start
############## postfix relatively ###########################
postfix start
/usr/local/imap/sbin/imapd start
################ antivirus and antispam #####################
/usr/bin/spamd –daemonize –pidfile /var/run/spamd.pid
/usr/local/sbin/amavisd start
/usr/local/clamav/sbin/clamd
病毒库和垃圾邮件的列表则放在crontab里:
[root@mailserv2 extmail]# crontab -l
0 0 1 * * root wget -N -P /usr/share/spamassassin www.ccert.edu.cn/spam/sa/Chinese_rules.cf;kill -HUP `cat /var/run/spamd.pid`
00 00 * * * /usr/local/clamav/bin/freshclam
待所有的服务都正常后,用postfixadmin创建邮件域和用户。创建完毕,通过查看postfix日志/var/log/maillog了解操作是否成功;同时通过查看目录/var/mailbox里是否生成与创建的邮件帐户同名的目录。
◆邮件系统的备份
在系统崩溃以后,没有提前备份将使你无限懊悔。一次没有成功的在线内核升级引起的系统崩溃(在我没来得及备份时发生),为恢复崩溃邮件系统,曾让我精疲力竭。所以做好备份是一个好主意。当然我们不能天天手动去执行这个备份任务,用脚本吧!下面是我的一个postfix的备份脚本,供大家参考:
[root@mailserv2 virusalert]# more /usr/local/bin/data_backup.sh
#!/bin/bash
BackupPath=/var/data_bk
Mysql_bk_dir=$BackupPath/mysqlbk
Mail_bk_dir=$BackupPath/mailbk
LogFile=$BackupPath/backuplog
MailBoxDir=/var/mailbox
####################################################################
# define mysql variables #
####################################################################
NewFile=”$Mysql_bk_dir”/postfix$(date +%Y%m%d).tgz
DumpFile=”$Mysql_bk_dir”/postfix$(date +%Y%m%d).sql
OldFile=”$Mysql_bk_dir”/postfix$(date +%Y%m%d –date=’5 days ago’).tgz
DbUser=root
DbPasswd=husb^R
DbName=postfix
####################################################################
# mysql backup proccess #
####################################################################
echo “——————————————-” >> $LogFile
echo $(date +”%y-%m-%d %H:%M:%S”) >> $LogFile
echo “————————–” >> $LogFile
#Delete Old File
if [ -f $OldFile ]
then
rm -f $OldFile >> $LogFile 2>&1
echo “[$OldFile]Delete Old File Success!” >> $LogFile
else
echo “[$OldFile]No Old Backup File!” >> $LogFile
fi
if [ -f $NewFile ]
then
echo “[$NewFile]The Backup File is exists,Can’t Backup!” >> $LogFile
else
cd $Mysql_bk_dir
/usr/local/mysql/bin/mysqldump -u $DbUser -p$DbPasswd –opt $DbName > $DumpFile
tar czf $NewFile postfix$(date +%Y%m%d).sql >> $LogFile 2>&1
echo “[$NewFile]Backup Success!” >> $LogFile
rm -rf $DumpFile
fi
######################################################################
# backup mail’s user directories and files #
######################################################################
MailFileBk=$Mail_bk_dir/mail$(date +%Y%m%d).tgz
OldMailFileBk=$Mail_bk_dir/mail$(date +%Y%m%d –date=’14 days ago’).tgz
if [ -f $OldMailFileBk ]
then
rm -rf $OldMailFileBk
fi
if [ -f $MailFileBk ]
then
echo “[$MailFileBk]The Backup File is exists,Can’t Backup!” >> $LogFile
else
cd /mail
tar czf $MailFileBk mailbox >> $LogFile 2>&1
fi
echo “——————————————-” >> $LogFile
这个脚本对postfix数据库和用户的邮件做了备份。因为磁盘空间始终是有限的,因此是一边备份一边删除就的备份。如果条件允许,建议进行异地备份。手动执行一下这个脚本,看它是否按我们的意愿工作了,如果一些如愿,则把它放入crontab里让它每晚自动进行。
[root@mailserv2 ~]# crontab -l
0 0 1 * * root wget -N -P /usr/share/spamassassin www.ccert.edu.cn/spam/sa/Chinese_rules.cf;kill -HUP `cat /var/run/spamd.pid`
00 01 * * * /usr/local/bin/data_backup.sh
00 00 * * * /usr/local/clamav/bin/freshclam
◆系统加固及安全
1、内核优化:用脚本实现
[root@mailserv2 ~]# more /usr/local/bin/kernel_optimize
#!/bin/bash
#kernel optimize optimize ,create by 2007-7-29
#enable broadcast echo protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#disble source routed packets
#for f in /proc/sys/net/ipv4/conf/*/accept_source_rout; do
# echo 0 > $f
#done
#enable tcp syn cookie protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#disable icmp redirect acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
#don’t send redirect messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $f
done
#drop spoofed packets
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
#log packets with impossible addresses
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $f
done
2、防火墙策略:在配置postfix连接mysql数据库时,用户名postfix,密码postfix,类似的情形还有好几处呢。如果某人在别的机器用mysql客户端连接邮件服务器的mysql数据库,不费吹灰之力就可以把邮件帐号全删了,这肯定会激起用户的愤怒!赶快把这个漏洞堵上,下面是我的防火墙策略脚本:
[root@mailserv2 ~]# more /usr/local/bin/firewall
#!/bin/bash
#this is a common firewall created by 2007-7-29
#define some variable
IPT=/sbin/iptables
CONNECTION_TRACKING=”1″
INTERNET=”eth0″
CLASS_A=”10.0.0.0/8″
CLASS_B=”172.16.0.0/12″
CLASS_C=”192.168.0.0/16″
CLASS_D_MULTICAST=”224.0.0.0/4″
CLASS_E_RESERVED_NET=”240.0.0.0/5″
BROADCAST_SRC=”0.0.0.0″
BROADCAST_DEST=”255.255.255.255″
IPADDR=220. 94.58.245
LOOPBACK_INTERFACE=”lo”
#Remove any existing rules
$IPT -F
$IPT -X
#setting default firewall policy
$IPT –policy OUTPUT ACCEPT
$IPT –policy FORWARD DROP
$IPT -P INPUT DROP
#stop firewall
if [ "$1" = "stop" ]
then
echo “Filewall completely stopped!no firewall running!”
exit 0
fi
#setting for loopback interface
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# Stealth Scans and TCP State Flags
# All of the bits are cleared
$IPT -A INPUT -p tcp –tcp-flags ALL NONE -j DROP
# SYN and FIN are both set
$IPT -A INPUT -p tcp –tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN and RST are both set
$IPT -A INPUT -p tcp –tcp-flags SYN,RST SYN,RST -j DROP
# FIN and RST are both set
$IPT -A INPUT -p tcp –tcp-flags FIN,RST FIN,RST -j DROP
# FIN is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp –tcp-flags ACK,FIN FIN -j DROP
# PSH is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp –tcp-flags ACK,PSH PSH -j DROP
# URG is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp –tcp-flags ACK,URG URG -j DROP
# Using Connection State to By-pass Rule Checking
if [ "$CONNECTION_TRACKING" = "1" ]; then
$IPT -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -m state –state INVALID -j DROP
$IPT -A OUTPUT -m state –state INVALID -j DROP
fi
##################################################################
# Source Address Spoofing and Other Bad Addresses
# Refuse spoofed packets pretending to be from
# the external interface.s IP address
$IPT -A INPUT -i $INTERNET -s $IPADDR -j DROP
# Refuse packets claiming to be from a Class A private network
$IPT -A INPUT -i $INTERNET -s $CLASS_A -j DROP
# Refuse packets claiming to be from a Class B private network
$IPT -A INPUT -i $INTERNET -s $CLASS_B -j DROP
# Refuse packets claiming to be from a Class C private network
$IPT -A INPUT -i $INTERNET -s $CLASS_C -j DROP
$IPT -A INPUT -i $INTERNET -s 0.0.0.0/8 -j DROP
$IPT -A INPUT -i $INTERNET -s 169.254.0.0/16 -j DROP
$IPT -A INPUT -i $INTERNET -s 192.0.2.0/24 -j DROP
###################################################################
#setting access rules
#enable ssh connect
$IPT -A INPUT -i $INTERNET -p tcp –dport 22 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp –dport 25 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp –dport 80 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp –dport 110 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp –dport 143 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp –dport 783 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp -s 127.0.0.1 –dport 3306 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp –dport 5666 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp –dport 10024 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp –dport 10025 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p udp –dport 123 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p icmp -j ACCEPT
“$IPT -A INPUT -i $INTERNET -p tcp -s 127.0.0.1 –dport 3306 -j ACCEPT”这条规则是阻止外部机器连接mysql数据库。端口5666是nagios监控所用。把内核优化和防火墙脚本加在文件/etc/rc.local中,实现开机即启。[root@mailserv2 ~]# more /etc/rc.local
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don’t
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local
################ normal services ############################
/usr/local/apache/bin/apachectl start
/usr/local/mysql/bin/mysqld_safe –user=mysql&
/usr/local/authlib/sbin/authdaemond start
############## postfix relatively ###########################
postfix start
/usr/local/imap/sbin/imapd start
################ antivirus and antispam #####################
/usr/bin/spamd –daemonize –pidfile /var/run/spamd.pid
/usr/local/sbin/amavisd start
/usr/local/clamav/sbin/clamd
############### system optimize #############################
/usr/local/bin/kernel_optimize
/usr/local/bin/firewall
################### NRPE nagios remote plugin execute $$$$$$$$$
/usr/local/nrpe/bin/nrpe -c /usr/local/nrpe/etc/nrpe.cfg -d
◆关于多邮件域和用户限额
Postfix支持多邮件域,当我们用postfixadmin创建多个邮件域的时候,别忘记在DNS服务器上做好主机记录解析和MX解析。多邮件域的情形是多个mx记录指向同一个主机ip地址。
默认情况下,postfix 数据库的mailbox表的字段”quota”值是”0″,它表示用户的油箱大小是100M,假如我们要把用户的邮箱大小设置成500M,则只需连接数据库postfix更改mailbox表”quota”字段的值为”524288000″。
mysql> use postfix;
mysql> update mailbox set quota=’524288000′;
Query OK, 1 row affected (0.03 sec)
Rows matched: 191 Changed: 1 Warnings: 0
图 10
所有的工作都做完以后,重启linux。检查进程看与postfix相关的守护进程是否在运行,然后在用foxmail来收发邮件,再也 webmail(extmail)方式收发。尽管postfix涉及很多方面的内容,但在大部分情况下,通过日志文件/var/log/maillog可以得出一些非常有用的信息,从排除故障这个角度讲,postfix的日志文件将会为排除故障提供很好的帮助。
[root@mailserv2 ~]# ps auxww //部分进程快照
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
vmail 1481 0.0 1.2 12644 6568 ? S Oct03 0:00 /usr/local/apache/bin/httpd -k start
postfix 1622 0.0 0.2 4000 1276 ? S Oct02 0:08 anvil -l -t unix -u
vmail 1843 0.0 1.2 12644 6568 ? S Oct03 0:00 /usr/local/apache/bin/httpd -k start
root 1972 0.0 0.1 1688 620 ? Ss Sep20 2:41 syslogd -m 0
root 1975 0.0 0.0 1644 400 ? Ss Sep20 0:01 klogd -x
root 1994 0.0 0.1 5424 984 ? Ss Sep20 0:22 /usr/sbin/sshd
ntp 2012 0.0 0.9 4672 4672 ? SLs Sep20 0:00 ntpd -u ntp:ntp -p /var/run/ntpd.pid -g
root 2027 0.0 0.2 5224 1104 ? Ss Sep20 0:00 crond
root 2042 0.0 0.0 2200 424 ? Ss Sep20 0:00 /usr/sbin/atd
root 2050 0.0 1.3 12644 7016 ? Ss Sep20 0:00 /usr/local/apache/bin/httpd -k start
root 2056 0.0 0.0 1628 400 ? S Sep20 0:18 /usr/local/authlib/sbin/courierlogger -pid=/usr/local/authlib/var/spool/authdaemon/pid -start /usr/local/authlib/libexec/courier-authlib/authdaemond
root 2067 0.0 0.1 2732 848 ? S Sep20 0:00 /usr/local/authlib/libexec/courier-authlib/authdaemond
root 2075 0.0 0.1 2776 1008 ? S Sep20 0:10 /usr/local/authlib/libexec/courier-authlib/authdaemond
root 2076 0.0 0.1 2776 1008 ? S Sep20 0:11 /usr/local/authlib/libexec/courier-authlib/authdaemond
root 2077 0.0 0.1 2776 1008 ? S Sep20 0:10 /usr/local/authlib/libexec/courier-authlib/authdaemond
root 2078 0.0 0.1 2776 1008 ? S Sep20 0:10 /usr/local/authlib/libexec/courier-authlib/authdaemond
root 2079 0.0 0.1 2776 1008 ? S Sep20 0:10 /usr/local/authlib/libexec/courier-authlib/authdaemond
root 2143 0.0 0.2 3972 1244 ? Ss Sep20 4:57 /usr/libexec/postfix/master
postfix 2146 0.0 0.2 4040 1308 ? S Sep20 1:44 qmgr -l -t fifo -u
root 2153 0.0 0.0 1624 404 ? S Sep20 0:00 /usr/local/authlib/sbin/courierlogger -pid=/var/run/imapd.pid -start -name=imapd /usr/local/imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 143 /usr/local/imap/sbin/imaplogin /usr/local/imap/bin/imapd Maildir
root 2154 0.0 0.1 1728 536 ? S Sep20 0:00 /usr/local/imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 143 /usr/local/imap/sbin/imaplogin /usr/local/imap/bin/imapd Maildir
root 2159 0.0 0.0 1628 404 ? S Sep20 0:03 /usr/local/authlib/sbin/courierlogger -pid=/var/run/pop3d.pid -start -name=pop3d /usr/local/imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 110 /usr/local/imap/sbin/pop3login /usr/local/imap/bin/pop3d Maildir
root 2160 0.0 0.1 1728 536 ? S Sep20 0:03 /usr/local/imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 110 /usr/local/imap/sbin/pop3login /usr/local/imap/bin/pop3d Maildir
amavis 2169 0.0 17.2 113196 89072 ? Ss Sep20 7:00 /usr/local/clamav/sbin/clamd
root 2251 0.0 0.0 1624 440 tty1 Ss+ Sep20 0:00 /sbin/mingetty tty1
root 2252 0.0 0.0 1624 436 tty2 Ss+ Sep20 0:00 /sbin/mingetty tty2
root 2253 0.0 0.0 1624 440 tty3 Ss+ Sep20 0:00 /sbin/mingetty tty3
root 2254 0.0 0.0 1624 440 tty4 Ss+ Sep20 0:00 /sbin/mingetty tty4
root 2255 0.0 0.0 1624 440 tty5 Ss+ Sep20 0:00 /sbin/mingetty tty5
root 2256 0.0 0.0 1628 444 tty6 Ss+ Sep20 0:00 /sbin/mingetty tty6
root 3626 0.0 0.2 4440 1104 ? S Sep20 0:00 /bin/sh /usr/local/mysql/bin/mysqld_safe –user=mysql
mysql 3644 0.0 4.1 133256 21460 ? Sl Sep20 8:33 /usr/local/mysql/libexec/mysqld –basedir=/usr/local/mysql –datadir=/usr/local/mysql/var –user=mysql –pid-file=/usr/local/mysql/var/mailserv2.pid –skip-locking
root 12456 0.0 0.4 8272 2504 ? Ss 20:13 0:00 sshd: root@pts/2
root 12458 0.0 0.2 4624 1456 pts/2 Ss+ 20:13 0:00 -bash
amavis 12624 0.0 9.7 59064 50236 ? Ss 20:21 0:01 amavisd (master)
postfix 14269 0.0 0.2 4132 1460 ? S 22:07 0:00 trivial-rewrite -n rewrite -t unix -u
amavis 14518 0.0 10.6 63740 54748 ? S 22:18 0:05 amavisd (ch18-avail)
amavis 14875 0.0 10.4 62724 53768 ? S 22:43 0:04 amavisd (ch11-avail)
amavis 14883 0.1 10.3 62592 53452 ? S 22:44 0:04 amavisd (ch14-avail)
root 14890 0.0 0.4 8276 2512 ? Ss 22:45 0:00 sshd: root@pts/1
root 14892 0.0 0.2 4616 1444 pts/1 Ss 22:45 0:00 -bash
amavis 15160 0.0 10.2 61812 52728 ? S 22:59 0:02 amavisd (ch5-avail)
amavis 15164 0.1 10.3 62464 53488 ? S 22:59 0:04 amavisd (ch13-avail)
amavis 15211 0.1 10.3 62020 53060 ? S 23:03 0:04 amavisd (ch13-avail)
amavis 15292 0.0 10.2 61700 52648 ? S 23:08 0:02 amavisd (ch7-avail)
amavis 15383 0.1 10.2 62124 52964 ? S 23:12 0:03 amavisd (ch8-avail)
postfix 15762 0.0 0.4 4520 2300 ? S 23:40 0:00 smtpd -n smtp -t inet -u
postfix 15865 0.0 0.2 4004 1156 ? S 23:47 0:00 pickup -l -t fifo -u
root 15941 0.0 0.1 4220 940 pts/1 R+ 23:55 0:00 ps auxww
nagios 18752 0.0 0.1 4836 944 ? Ss Sep22 0:05 ../bin/nrpe -c nrpe.cfg -d
vmail 24853 0.0 1.2 12644 6664 ? S Oct04 0:00 /usr/local/apache/bin/httpd -k start
vmail 24854 0.0 1.2 12644 6596 ? S Oct04 0:00 /usr/local/apache/bin/httpd -k start
vmail 24884 0.0 1.2 12644 6568 ? S Oct04 0:00 /usr/local/apache/bin/httpd -k start
vmail 24885 0.0 1.3 12780 6696 ? S Oct04 0:00 /usr/local/apache/bin/httpd -k start
vmail 24886 0.0 1.2 12644 6568 ? S Oct04 0:00 /usr/local/apache/bin/httpd -k start
vmail 24967 0.0 1.2 12644 6596 ? S Oct04 0:00 /usr/local/apache/bin/httpd -k start
vmail 24970 0.0 1.2 12644 6552 ? S Oct04 0:00 /usr/local/apache/bin/httpd -k start
vmail 28305 0.0 1.3 12788 6724 ? S Oct02 0:00 /usr/local/apache/bin/httpd -k start
root 29390 0.0 5.5 33232 28576 ? Ss Oct01 0:00 /usr/bin/spamd –daemonize –pidfile /var/run/spamd.pid
root 29392 0.0 5.2 33232 27068 ? S Oct01 0:00 spamd child
root 29393 0.0 5.2 33232 26988 ? S Oct01 0:00 spamd child
配置一个postfix邮件系统,远比我先前的想象复杂。这次共配置2个postfix系统,花了不少精力,其间也经历不少麻烦,还好,最后都做成了!在配置过程中,参考了《postfix权威指南》和网上其他人写的文章,但在实际的配置中,完全按照这些文档还是不易顺利完成。现在此行文披露我做这个事情的全部过程,希望对大家的工作有所帮助。
◆运行环境
操作系统是centos 5,其下载地址为www.centos.org,它是redhat as 5最佳的替代品(原因:开源且免费下载);postfix使用的版本是postfix-2.2.10.tar.gz,postfix(www.postfix.org)当前的稳定版本是2.4,由于2.4不支持SASL,所以我选了老一点的版本。其他所需的软件在下表列出:
名称 用途 下载地址
Apache (httpd-2.2.0) Web方式管理邮件 www.apache.org
Php (php-5.2.3) Php 解释器,与apache一起使用 www.php.org
Mysql (mysql-5.0.41) 用数据库存储用户信息 www.mysql.com
Postfixadmin(postfix-2.1.0) 邮件帐号后台web管理工具 http://sourceforge.net/projects/postfixadmin/
SASL(cyrus-sasl-2.1.21.tar.gz) 验证方法 http://ftp.andrew.cmu.edu/pub/cyrus-mail/
Authlib(courier-authlib-0.59.3.tar.bz2) 与SASL一起做验证 http://www.courier-mta.org/download.php
Postfix 邮件系统主程序 http://www.postfix.org
Courier-imap (courier-imap-4.1.3.tar.bz2) Pop3及IMAP服务 http://www.courier-mta.org/
Perl (perl-5.8.8) 解释器 http://www.cpan.org
Maildrop (maildrop-2.0.4.tar.bz2) 邮件投递代理,直观的讲就是把收到的邮件转发到用户的邮箱目录 http://www.courier-mta.org/
Clamav (clamav-0.91.2.tar.gz) 杀毒软件 http://www.clamav.org/
amavisd-new(amavisd-new-2.5.2.tar.gz) 扫描邮件病毒 http://www.ijs.si/software/amavisd
Spamassassin(SpamAssassin 3.2.3) 防垃圾邮件 http://spamassassin.apache.org/
Pcre (pcre-7.2.tar.bz2) 安装Imap需要– Perl兼容正则表达式 http://www.pcre.org
Extmail (extmail-1.0.1.tar.gz) webmail http://www.extmail.org
◆准备工作
1、下载所需的软件:照上面给出的地址找到下载URL,然后用wget下载。由于服务器一般不安装 xwindow这样的桌面环境,那怎样知道下载文件的url呢?用windows呢,通过securecrt这样的ssh工具连接和管理远程linux服务器,这样就很容易办到了。在实际的工作中,我习惯把文件下载到/root目录,原因是普通用户看不见我下载的东西。
图 1
2、清理系统:不管你喜不喜欢,安装系统时sendmail这个邮件服务软件已经安装上去了,可是一山不容二虎,既然我们选定了功能强大的postfix,那么sendmail就一边歇着吧。运行命令 rpm -e -nodeps sendmail 就达到这个目的了。第2个需要卸载的软件是SASL,为什么要卸载它呢?因为系统自带的版本不太容易与authlib正常配合,所以需要把它删除掉。第3 个要删除的是perl.本打算用系统自带的perl,可是在执行命令 perl -MCPAN -e shell时居然出现”segment fault”,导致很多功能不能使用,看来也只好删了重装一个。下面总结一下这个过程:
1、SASL
(1)列出包
rpm -qa | grep sasl
cyrus-sasl-2.1.19-5.EL4
cyrus-sasl-gssapi-2.1.19-5.EL4
cyrus-sasl-devel-2.1.19-5.EL4
cyrus-sasl-ntlm-2.1.19-5.EL4
cyrus-sasl-md5-2.1.19-5.EL4
cyrus-sasl-sql-2.1.19-5.EL4
cyrus-sasl-plain-2.1.19-5.EL4
(2)删除包
rpm –e –nodeps cyrus-sasl-2.1.19-5.EL4 cyrus-sasl-gssapi-2.1.19-5.EL4 cyrus-sasl-devel-2.1.19-5.EL4 //把上面查查来的全部列在这后面全卸载掉。nodeps前面是两”-“!
然后进目录/usr/lib查一下 ls –al /usr/lib | grep sasl 应该没有目录sasl及sasl2了。
2、Perl
(1)列出包
rpm -qa | grep perl
perl-DateManip-5.42a-3
perl-XML-Encoding-1.01-26
perl-LDAP-0.31-5
perl-XML-LibXML-Common-0.13-7
groff-perl-1.18.1.1-3
openssl-perl-0.9.7a-43.1
…………(省略若干)
perl-suidperl-5.8.5-12.1.1
(2)删除包
rpm –e –nodeps perl-DateManip-5.42a-3 //照上面的例子删除所以的包。由于包太多,用一个//rpm命令后面带的参数太长,建议一个一个收拾。
执行完删除命令后,再运行命令perl –v,如果出现“-bash: perl: command not found”则表明已经把perl清理掉了。
3、创建邮件系统运行时所需的用户和组:创建用户和组绝不仅仅是为了练习userad和groupadd这两个命令,因为安全方面的原因,一些软件不能以root用户来运行,甚至在安装过程中,如果没有为该软件预先创建用户,安装将不能进行下去,因此,我们在这里先创建这些运行postfix系统所需的用户和组。对centos或redhat等发行版而言,用命令useradd创建用户时也就创建了一个同名的组,而另外一些linux发行版(如debian)或unix(如solaris 10),创建用户时并不会同时创建同名的组,这需要手动执行命令单独创建所需的组。下面我用表格的方式列出postfix系统所需要创建的用户及组的情况:
用户名 组名 作用 备注
mysql Mysql 数据库mysql运行用户
vmail Vmail Postfix虚拟邮件帐号所使用的用户及组 uid,gid:1001,1001
postfix Postfix Postfix主程序使用的帐号和组
Postdrop Postfix setgid_group setgid_group=postdrop
amavis Amavis 邮件扫描
clamav Clamav 病毒扫描
这里有2个值得注意的地方,它们是vmail用户、组及postdrop组。在postfix邮件系统中,有好几个程序是以vmail来运行的(这些情况将在后面逐个说明);postdrop这个组,我看了很多人写的文档,无一例外的都有创建这个组的操作,但没有任何人说明这个组是干什么用的,给人很突兀的感觉,因此我在这里特别把它列出来了-它的作用是setgid_group-在postfix的主配置文件main.cf里标明了的。
[root@mail ~]# grep postdrop /etc/postfix/main.cf
setgid_group = postdrop
◆安装apache,mysql和php
1、apache
tar zxvf httpd-2.2.0.tar.gz
cd httpd-2.2.0
./configure -prefix=/usr/local/apache -enable-so //选项prefix,enanle前面是两个”-”
make
make install
上述步骤执行完毕后,将生成目录/usr/local/apache,进入这个目录检查一下,看相关的文件和目录是否存在?下图是一个正确安装apache后的目录结构:
图 2
执行命令 /usr/local/apache/bin/httpd -l检查编译进来的模块有哪些。最主要的是mod_so模块。即下面最后一个mod_so.c。这样做的目的是为了以模块方式加载php.现在我们先不忙着配置apache,等到后面再做这个工作。
2、mysql
tar zxvf mysql-5.0.41.tar.gz
cd mysql-5.0.41
./configure -prefix=/usr/local/mysql
make,make install //安装完成
useradd mysql
cp support-files/my-medium.cnf /etc/my.cnf
cd /usr/local/mysql
/usr/local/mysql/bin/mysql_install_db –user=mysql //初始化数据库
chown -R root .
chown -R mysql var
chgrp -R mysql .
3、php
cd //进/roor目录
tar zxvf php-5.2.3.tar.gz
cd php-5.2.3
./configure -prefix=/usr/local/php -with-apxs2=/usr/local/apache/bin/apxs -with-mysql=/usr/local/mysql //如果不先安装mysql,这一步将不能进行下去
make;make install
cp php.ini-dist /usr/local/php/lib/php.ini
在配置过程中,除了指定安装目录外,还有-with-apxs2和-with-mysql这两个选项。-with-apxs2的作用是与 apache的工具apxs配合,产生模块文件到目录/usr/local/apache/modules/,同时在apache的配置文件中写入一行 “LoadModule php5_module modules/libphp5.so”;
[root@myest modules]# ll
total 12212
-rw-r–r– 1 root root 8873 Jul 30 14:55 httpd.exp
-rwxr-xr-x 1 root root 12473318 Jul 31 09:29 libphp5.so
选项-with-mysql的作用非常重要,如果不加这个,以后在使用web管理工具postfixadmin时将出现不能连接数据库的错误。接着我们需要把php与apache整合在一起,这个过程很简单,由于在安装php时已经完成了一部分工作,接下来只要在apache的配置文件 httpd.conf加上”AddType application/x-httpd-php .php”这么一行就行了(注意:.php前面有一个空格)。在目录/usr/local/apache/htdocs下创建一个最简单的php测试文件,其内容为:
vi test.php
phpinfo();
?>
检查一下apache配置文件是否正确(/usr/local/apache/bin/apachectl -t),输出”Syntax OK”后就可以启动apache服务(/usr/local/apache/bin/apachectl start)。在别的机器的浏览器输入我们配置的这个服务器的url,正常的话,将得到类似下图的页面:
图 3
上面几个软件的安装相对来说还是比较容易操作的,这里我全是用GNU源码定制安装,这相对于2进制包的安装方式而已,有几个好处:①软件的相互依赖性较小(安装过rpm包的人对这个应该有深刻的认识)。②跨平台。这样的安装方式适用各种unix/linux系统。③维护方便。使用了选项- prefix指定安装目录,所有的文件目录都集中在这个安装目录里,维护起来非常方便。因此,在这里强烈推荐大家适用GNU源码方式安装。
◆安装和配置SASL、Authlib
最好先安装courier-authlib。为什么呢?因为后面配置 SASL验证smtp时需要authlib的socket路径。
1、安装和配置courier-authlib
1)安装
tar jxvf courier-authlib-0.59.3.tar.bz2
cd courier-authlib-0.59.3
./configure –with-redhat –with-authmysql=yes –with-mailuser=vmail\ –with-mailgroup=vmail –with-mysql-libs=/usr/local/mysql/lib/mysql\ –with-mysql-includes=/usr/local/mysql/include/mysql\
–prifix=/usr/local/authlib –without-stdheaderdir
make
make install
make install-configure
一般情况下,anthlib的安装应该是容易完成的。安装完成后,我们先找出配置文件中authdaemonvar的设置,这个值是干什么用的呢?它是后面SASL验证SMTP所必须的,因此需要先把它找出来,以便后面的配置能够准确无误。关于这个问题的教训,在配置sasl的时候再做说明。在我的安装中,authdaemonvar的设置如下:
[root@mail ~]# grep “authdaemonvar” /usr/local/authlib/etc/authlib/authdaemonrc
##NAME: authdaemonvar:2
# authdaemonvar is here, but is not used directly by authdaemond. It’s
authdaemonvar=/usr/local/authlib/var/spool/authdaemon
(2)配置authlib.在目录/usr/local/authlib/etc/authlib中,修改文件authdaemonrc及authmysqlrc。
vi /usr/local/authlib/etc/authlib/authdaemonrc
authmodulelist=”authmysql”
authmodulelistorig=”authmysql”
DEBUG_LOGIN=2
修改上面3项,其他的项保持不便。这个修改前2行表示用mysql认证模块;把DEBUG_LOGIN的值有默认的“0”改成“2”的用意是运行postfix时有更多的信息输出,通过生成的日志以帮助排错。
vi /usr/local/authlib/etc/authlib/authmysqlrc
MYSQL_SERVER localhost
MYSQL_USERNAME postfix
MYSQL_PASSWORD postfix
MYSQL_DATABASE postfix
MYSQL_SOCKET /tmp/mysql.sock
MYSQL_USER_TABLE mailbox
#MYSQL_CRYPT_PWFIELD password
MYSQL_CLEAR_PWFIELD password
DEFAULT_DOMAIN sery.com
MYSQL_UID_FIELD ‘1001′
MYSQL_GID_FIELD ‘1001′
MYSQL_LOGIN_FIELD username
MYSQL_HOME_FIELD ‘/var/mailbox/’
MYSQL_NAME_FIELD name
MYSQL_MAILDIR_FIELD maildir
MYSQL_QUOTA_FIELD concat(quota,’S’)
MYSQL_WHERE_CLAUSE active=’1′
照上面的格式修改,这是比较容易出错的地方,要特别小心。我曾经把MYSQL_USER_TABLE mailbox这一项的mailbox写成mailbov导致sasl验证一直没法通过!特别注意MYSQL_UID_FIELD和MYSQL_GID_FIELD字段的值,这里是‘1001’,也可以是其它的,但一定要与vmail用户及组相一致(id vmail可以得出这2者的值)
2、安装和配置SASL.
(1)安装
tar zxvf cyrus-sasl-2.1.21.tar.gz
cd cyrus-sasl-2.1.21
./configure –disable-anon -enable-plain –enable-login –enable-sql –with-mysql=/usr/local/mysql –with-mysql-includes=/usr/local/mysql/include/mysql –with-mysql-libs=/usr/local/mysql/lib/mysql –with-authdaemond
make
make install
如果在编译过程(make)出现错误,如“client.c:64: error: static declaration of ‘global_callbacks’ follows non-static declaration saslint.h:112…”,需要加一个补丁程序,然后再执行编译过程。
用vi在当前位置创建补丁文件,起名为sasl.patch,其内容包括:
— cyrus-sasl-2.1.20/lib/client.c~ 2003-11-11 11:26:06.000000000 -0500
+++ cyrus-sasl-2.1.20/lib/client.c 2005-05-31 22:34:14.000000000 -0400
@@ -61,7 +61,7 @@
static cmech_list_t *cmechlist; /* global var which holds the list */
-static sasl_global_callbacks_t global_callbacks;
+sasl_global_callbacks_t global_callbacks;
static int _sasl_client_active = 0;
ln -s /usr/local/lib/sasl2 /usr/lib/sasl2 //sasl的安装目录是/usr/local/lib/sasl
echo “/usr/local/lib” >> /etc/ld.so.conf //指定动态连接库的位置
ldconfig //共享动态链接库生效
(2) 配置
创建文件 /usr/local/lib/sasl2/smtpd.conf,并加入如下内容:
pwcheck_method: authdaemond
mech_list: PLAIN LOGIN
log_level: 3
authdaemond_path: /usr/local/authlib/var/spool/authdaemon/socket
最后一行authdaemond_paeth的设置来自anthlib 的配置文件authlibdaemonrc,千万不要把这个弄错了,我当初的smtp验证一直通不过就是由于这个原因。通过查看进程也可以知道这个路径(前提是authlib正常运行了),如下图所示:
图 4
Sasl2需要使用文件/usr/local/authlib/var/spool/authdaemon/socket,但默认情况下,其属性是744,需要把它加上执行权限,以便文件属组(主)而外的其它用户可以执行。运行命令
chmod +x /usr/local/authlib/var/spool/authdaemon
即可,如果不这样处理,smtp验证无一例外会失败的。那么这里所说的其它用户是什么用户呢?答:postfix。
◆安装和配置postfixadmin
Postfixadmin是postfix邮件系统的web管理工具,有了这个工具,管理和维护用户帐号就方便多了。假如不用工具,就需要手动修改数据库,谁愿意这样做?安装postfixadmin比较简单,解压包postfix-2.2.11.tar.gz,然后把它移动到某个目录下,其过程如下:
cd /root
tar zxvf postfixadmin-2.2.11.tar.gz
mv postfixadmin-2.2.11 /var/www/postfixadmin
现在postfixadmin的目录是/var/www/postfixadmin,为了能够让它按照我们的意愿工作,需要用命令 chown -R vmail:vmail /var/www/postfixadmin 更改属主。这样,postfixadmin的安装就算完成了。接着我们来配置它,这个过程要复杂一点,我在这里分几步进行。
(1)修改相关的配置文件。Postfixadmin第一个需要修改配置文件是config.inc.php, 但事实上却没有这个文件,不要紧,把config.inc.php.sample搬过来就是了(cp config.inc.php.sample config.ini.php),再来看一下目录结构:
[root@mailserv2 postfixadmin]# pwd
/mail/www/postfixadmin
[root@mailserv2 postfixadmin]ll
total 236
drwxr-xr-x 2 vmail vmail 4096 Sep 16 16:06 ADDITIONS
drwxr-xr-x 2 vmail vmail 4096 Sep 16 19:31 admin
-rw-r–r– 1 vmail vmail 1195 Sep 16 16:06 BACKUP_MX.TXT
-rw-r–r– 1 vmail vmail 10155 Sep 16 16:06 CHANGELOG.TXT
-rw-r—– 1 vmail vmail 4700 Sep 16 16:14 config.inc.php
-rw-r–r– 1 vmail vmail 4694 Sep 16 16:06 config.inc.php.sample
-rw-r—– 1 vmail vmail 3774 Sep 16 16:06 create-alias.php
-rw-r—– 1 vmail vmail 7379 Sep 16 19:24 create-mailbox.php
-rw-r–r– 1 vmail vmail 4910 Sep 16 16:06 DATABASE_MYSQL.TXT
-rw-r–r– 1 vmail vmail 4955 Sep 16 16:06 DATABASE_PGSQL.TXT
-rw-r—– 1 vmail vmail 2497 Sep 16 19:30 delete.php
-rw-r—– 1 vmail vmail 1727 Sep 16 16:06 edit-active.php
-rw-r—– 1 vmail vmail 3013 Sep 16 16:06 edit-alias.php
-rw-r—– 1 vmail vmail 4026 Sep 16 16:06 edit-mailbox.php
-rw-r—– 1 vmail vmail 25031 Sep 16 16:06 functions.inc.php
drwxr-xr-x 2 vmail vmail 4096 Sep 16 16:06 images
-rw-r—– 1 vmail vmail 3994 Sep 16 16:06 index.php
-rw-r–r– 1 vmail vmail 2655 Sep 16 16:06 INSTALL.TXT
drwxr-xr-x 2 vmail vmail 4096 Sep 16 16:06 languages
-rw-r–r– 1 vmail vmail 1651 Sep 16 16:06 LANGUAGE.TXT
-rw-r–r– 1 vmail vmail 5375 Sep 16 16:06 LICENSE.TXT
-rw-r—– 1 vmail vmail 1743 Sep 16 16:06 login.php
-rw-r—– 1 vmail vmail 494 Sep 16 16:06 logout.php
-rw-r—– 1 vmail vmail 869 Sep 16 16:06 main.php
-rw-r–r– 1 vmail vmail 981 Sep 16 16:06 motd-admin.txt.orig
-rw-r–r– 1 vmail vmail 262 Sep 16 16:06 motd.txt
-rw-r–r– 1 vmail vmail 262 Sep 16 16:06 motd-users.txt
-rw-r—– 1 vmail vmail 4827 Sep 16 16:06 overview.php
-rw-r—– 1 vmail vmail 2314 Sep 16 16:06 password.php
-rwxr-xr-x 1 vmail vmail 392 Sep 16 16:08 postfix_chmod.sh
-rw-r—– 1 vmail vmail 3233 Sep 16 16:06 search.php
-rw-r—– 1 vmail vmail 2119 Sep 16 16:06 sendmail.php
-rw-r—– 1 vmail vmail 5506 Sep 16 16:06 setup.php
-rw-r—– 1 vmail vmail 4204 Sep 16 16:06 stylesheet.css
-rw-r–r– 1 vmail vmail 456 Sep 16 16:06 TABLE_BACKUP_MX.TXT
-rw-r–r– 1 vmail vmail 3737 Sep 16 16:06 TABLE_CHANGES.TXT
drwxr-xr-x 2 vmail vmail 4096 Sep 16 16:06 templates
-rw-r–r– 1 vmail vmail 2303 Sep 16 16:06 UPGRADE.TXT
drwxr-xr-x 2 vmail vmail 4096 Sep 16 16:06 users
-rw-r—– 1 vmail vmail 1949 Sep 16 16:06 variables.inc.php
-rw-r—– 1 vmail vmail 1965 Sep 16 16:06 viewlog.php
drwxr-xr-x 2 vmail vmail 4096 Sep 16 16:06 VIRTUAL_VACATION
在上面的目录输出中,我将要处理的文件或目录用了粗字体来标识了,先从config.ini.php动手吧。
[root@mailserv2 postfixadmin]# more config.inc.php
//
// Postfix Admin
// by Mischa Peters
// Copyright (c) 2002 – 2005 High5!
// License Info: http://www.postfixadmin.com/?file=LICENSE.TXT
//
// File: config.inc.php
//
if (ereg (”config.inc.php”, $_SERVER['PHP_SELF']))
{
header (”Location: login.php”);
exit;
}
// Postfix Admin Path
// Set the location to your Postfix Admin installation here.
$CONF['postfix_admin_url'] = ”;
$CONF['postfix_admin_path'] = ”;
// Language config
// Language files are located in ‘./languages’.
$CONF['default_language'] = ‘cn’;
// Database Config
// mysql = MySQL 3.23 and 4.0
// mysqli = MySQL 4.1
// pgsql = PostgreSQL
$CONF['database_type'] = ‘mysql’;
$CONF['database_host'] = ‘localhost’;
$CONF['database_user'] = ‘postfixadmin’;
$CONF['database_password'] = ‘postfixadmin’;
$CONF['database_name'] = ‘postfix’;
$CONF['database_prefix'] = ”;
…………………………省略若干……………………………………….
// Mailboxes
// If you want to store the mailboxes per domain set this to ‘YES’.
// Example: /usr/local/virtual/domain.tld/username@domain.tld
$CONF['domain_path'] = ‘YES’;
// If you don’t want to have the domain in your mailbox set this to ‘NO’.
// Example: /usr/local/virtual/domain.tld/username
$CONF['domain_in_mailbox'] = ‘NO’;
…………………………省略若干……………………………………….
// Default Domain Values
// Specify your default values below. Quota in MB.
$CONF['aliases'] = ‘1000′;
$CONF['mailboxes'] = ‘1000′;
$CONF['maxquota'] = ‘1000′;
…………………………省略若干……………………………………….
// Quota
// When you want to enforce quota for your mailbox users set this to ‘YES’.
$CONF['quota'] = ‘NO’;
// You can either use ‘1024000′ or ‘1048576′
$CONF['quota_multiplier'] = ‘1024000′;
…………………………省略若干……………………………………….
?>
被改动过的内容用红色粗体标记出来了,这些值可根据实际情况作修改。下一个需要修改的文件是create-mailbox.php:
[root@mailserv2 postfixadmin]# more create-mailbox.php
//
// Postfix Admin
// by Mischa Peters
// Copyright (c) 2002 – 2005 High5!
// License Info: http://www.postfixadmin.com/?file=LICENSE.TXT
……………………………………省略若干…………………………………….
$tQuota = $CONF['maxquota'];
system(”sudo /usr/sbin/maildirmake.sh $fDomain “.$_POST['fUsername']);
if ($fMail == “on”)
……………………………………省略若干…………………………………….
?>
红色字体那行是需要插入的,它的位置在210行,不要把位置放错了,因为文件中有2行是”$tQuota = $CONF['maxquota'];”一定要把它放在第209行的那个”$tQuota = $CONF['maxquota'];”的后面才会有作用。在这里,很有必要解释一下插入这行的作用–在php脚本中执行系统的shell脚本–直接的后果就是创建用户的邮箱目录,这与执行在linux下执行命令行sudo /usr/sbin/maildirmake.sh sery.com sey相当。接下来我们修改文件delete.php:
[root@mailserv2 postfixadmin]# vi delete.php
……………………………………….省略很多………………………………
require (”./variables.inc.php”);
require (”./config.inc.php”);
require (”./functions.inc.php”);
include (”./languages/” . check_language () . “.lang”);
$SESSID_USERNAME = check_session();
……………………………………….省略很多……………………………… $result = db_query (”SELECT * FROM mailbox WHERE username=’$fDelete’ AND domain=’$fDomain’”);
$userarray=explode(”@”,$fDelete);
$user=$userarray[0];
$domain=$userarray[1];
system(”sudo /usr/sbin/maildirdel.sh $domain $user”);
……………………………………….省略很多………………………………
?>
红色字体标示的那4行是需要插入的,位置也是至关重要的,不能弄错。到了这一步,还是没有完成,还需要进目录admin里修改2个同名文件 admin/create-mailbox.php和admin/delete.php,修改的方法是一样的,只是插入位置的行号不同(如 admin/create-mail在200行的位置插入),见下面的截图:
图 5
这里有一个疑惑:为什么在不同的目录下有相同的文件呢?这是出于安全方面的原因。Postfixadmin把管理员分成2种:超级邮件系统管理员和一般邮件系统管理员,在admin目录里的是超级管理员的目录,而普通的邮件系统管理员在/mail/www/postfixadmin这个目录。在上述过程中,我们使用了2个shell脚本/usr/sbin/maildirdel.sh及/usr/sbin/maildirmake.sh,这些脚本的内容和作用将在后面安装配置maildrop时一并给出。
(2) 在mysql中创建postfix所需的数据库。
[root@mailserv2 ~] # cd /var/www/postfixadmin
[root@mailserv2 ~] # mysql -u root < DATABASE_MYSQL.TXT
(3) 测试postfixadmin。先修改apache的配置文件/usr/local/apache/conf/httpd.conf,加入如下内容:
Alias /postfixadmin /var/www/postfixadmin
<Directory /var/www/postfixadmin>
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
<Directory “/var/www/postfixadmin/admin”>
AuthType Basic
Options None
AllowOverride None
Order allow,deny
Allow from all
AuthName “sery.mail Access”
AuthUserFile /usr/local/apache/conf/htpasswd
Require valid-user
</Directory>
保存后重起apache服务(/usr/local/apache/bin/apachectl restart),然后在别的机器的浏览器输入邮件服务器的url如:http://mail.sery.com/postfixadmin
图 6
点击链接 setup,如果出现的都是ok,则表明postfixadmin配置正确。
图 7
默认情况下,很有可能没有安装pcre(Perl Compatible Regular Expressions)这个软件包。这个包是必须的,如果没有这个包,安装courier-maildrop将不能正常进行,关于pcre的安装,我们把它放到maildrop安装这一部分。
◆Postfix安装和配置
这是邮件系统的核心部分,因此安装和配置是比较复杂的,特别是做配置时要格外小心,有时还需要反复修改,反复测试。
(1)安装postfix.
[root@mailserv2 ~]# cd
[root@mailserv2 ~]# tar zxvf postfix-2.2.11.tar.gz
[root@mailserv2 ~]# cd postfix-2.2.11
[root@mailserv2 postfix-2.2.11]# make -f Makefile.init makefiles ‘CCARGS=-DHAS_MYSQL -I/usr/local/mysql/include/mysql -DUSE_SASL_AUTH -I/usr/local/include/sasl’ ‘AUXLIBS=-L/usr/local/mysql/lib/mysql -lmysqlclient -lz -lm -L/usr/local/lib -lsasl2′
如果没有意外,make这一步很快就执行完了,接下来就是安装,使用的命令是:
[root@mailserv2 postfix-2.2.11]# make install
程序先自动执行一阵子,然后会进入交互状态,等待用户的输入,一般情况下,一路回车即可完成所有的安装。
(2)配置postfix。Postfix有本身有2个需要修改的配置文件/etc/postfix/main.cf和/etc/postfix/master.cf,因为我们要用mysql虚拟帐号,因此需要手动加一些配置文件,下面挨个来做这些配置。
①main.cf。这个文件有很多行注释,察看起来不是很方便,先用命令 [root@mailserv2 postfix]# sed -n ‘/^#/!p’ /etc/postfix/main.cf > /etc/postfix/main.cf.new 去掉注释行并生成新文件/etc/postfix/main.cf.new,然后再把它覆盖到 /etc/postfix/main.cf (cp /etc/postfix/main.cf.new /etc/postfix/main.cf)。修改后的文件如下所示:
[root@mailserv2 postfix]# more main.cf
config_directory = /etc/postfix
readme_directory = no
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
html_directory = no
setgid_group = postdrop
command_directory = /usr/sbin
manpage_directory = /usr/local/man
daemon_directory = /usr/libexec/postfix
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
queue_directory = /var/spool/postfix
mail_owner = postfix
###########################################################
content_filter = smtp-amavis:[127.0.0.1]:10024
max_use = 10
#=====================BASE=========================
myhostname = mail2.sery.com
mydomain = mail.sery.com
myorigin = $mydomain
mydestination = $myhostname localhost localhost.$mydomain
mynetworks = 127.0.0.0/8 220.94.159.0/24
inet_interfaces = all
#=====================Vritual Mailbox settings======================
virtual_mailbox_base = /var/mailbox
virtual_mailbox_maps = mysql:/etc/postfix/mysql/mysql_virtual_mailbox_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql/mysql_virtual_domains_maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql/mysql_virtual_alias_maps.cf
virtual_uid_maps = static:1001
virtual_gid_maps = static:1001
virtual_transport = maildrop
maildrop_destination_recipient_limit = 1
maildrop_destination_concurrency_limit = 1
#====================QUOTA========================
message_size_limit = 14336000
virtual_mailbox_limit = 20971520
virtual_create_maildirsize = yes
virtual_mailbox_extended = yes
virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql/mysql_virtual_mailbox_limit_maps.cf
virtual_mailbox_limit_override = yes
virtual_maildir_limit_message = Sorry, the user’s maildir has overdrawn his diskspace quota, please try again later.
virtual_overquota_bounce = yes
#====================SASL========================
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_unknown_sender_domain,
reject_non_fqdn_sender,reject_non_fqdn_recipient,
reject_unknown_recipient_domain,reject_unauth_pipelining,
reject_unauth_destination,
permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sasl_application_name = smtpd
smtpd_banner=$myhostname ESMTP “Version not Available”
alias_maps = hash:/etc/aliases
unknown_local_recipient_reject_code = 450
上述配置中,需要特别注意的是mydomain和myhostname,这2个项的值不要设置成一样,否则postfix将不能正确启动。第2个要注意的地方是 virtual_uid_maps及virtual_gid_maps的值,它是vmail用户的uid和vmail组的gid,与前面的文件 /usr/local/authlib/etc/authlib/authmysqlrc的 “MYSQL_UID_FIELD””MYSQL_GID_FIELD”一定要保持一致,本案的uid和gid都是1001.任何情况下,通过执行
root@mailserv2 postfix]# id vmail
uid=1001(vmail) gid=1001(vmail) groups=1001(vmail)
察看uid和gid。”content_filter = smtp-amavis:[127.0.0.1]:10024″这一行是防病毒和反垃圾邮件用的,稍后再做说明。
②创建目录/etc/postfix/mysql,然后手动创建四个配置文件:mysql_virtual_alias_maps.cf, mysql_virtual_domains_maps.cf,mysql_virtual_mailbox_limit_maps.cf, mysql_virtual_mailbox_maps.cf。这4个文件的内容分别如下:
[root@mailserv2 mysql]# more mysql_virtual_alias_maps.cf
user = postfix
password = postfix
hosts = localhost
dbname = postfix
table = alias
select_field = goto
where_field = address
[root@mailserv2 mysql]# more mysql_virtual_domains_maps.cf
user = postfix
password = postfix
hosts = localhost
dbname = postfix
table = domain
select_field = description
where_field = domain
[root@mailserv2 mysql]# more mysql_virtual_mailbox_limit_maps.cf
user = postfix
password = postfix
hosts = localhost
dbname = postfix
table = mailbox
select_field = quota
where_field = username
[root@mailserv2 mysql]# more mysql_virtual_mailbox_maps.cf
user = postfix
password = postfix
hosts = localhost
dbname = postfix
table = mailbox
select_field = maildir
where_field = username
另外一个配置文件是/etc/postfix/master.cf,由于需要修改的地方不是很多,可以先在这里把它配置好。
[root@mailserv2 postfix]# more master.cf
#
# Postfix master process configuration file. For details on the format
# of the file, see the Postfix master(5) manual page.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - n - - smtpd
#submission inet n - n - - smtpd
# -o smtpd_etrn_restrictions=reject
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps inet n - n - - smtpd
# -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission inet n - n - - smtpd
# -o smtpd_etrn_restrictions=reject
# -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628 inet n - n - - qmqpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - n - - smtp
-o fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/local/maildrop/bin/maildrop -d ${recipient}
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
old-cyrus unix - n n - - pipe
flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
cyrus unix - n n - - pipe
user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender – $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#############################################################################
# antispam #
#############################################################################
smtp-amavis unix – - n – 2 smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o disable_dns_lookups=yes
localhost:10025 inet n – n – - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o mynetworks=127.0.0.0/8
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o strict_rfc821_envelopes=yes
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
这个配置文件,”flags=DRhu user=vmail:vmail argv=/usr/local/maildrop/bin/maildrop -d ${recipient}”是修改过的,flags前面必须有2个空格,这点值得注意。至于”argv= /usr/local/maildrop/bin/maildrop”则是maildrop安装的路径及maildrop二进制执行文件的位置,当我们安装maildrop文件时,一定要和这个位置相一致。文件从注释框 “antispam”后的一部分内容,是过滤垃圾邮件用的。
到这里,postfix的配置文件基本上算配好了,但是其它相依赖的软件还没有安装和配置好,因此不能运行和测试postfix,等所有的相关软件安装和配置正确后再进行这个步骤。
◆Corurier-imap安装配置
Postfix只是实现邮件系统的smtp功能,pop3或imap则需要另外的软件来实现,这个软件就是courier-imap(当然也有别的软件可以选择)。
(1)安装courier-imap
[root@mailserv2 ~]# cd
[root@mailserv2 ~]# tar jxvf courier-imap-4.1.3.tar.bz2
[root@mailserv2 ~]# cd courier-imap-4.1.3
[root@mailserv2courier-imap-4.1.3]#./configure –prefix=/usr/local/imap –with-redhat
–disable-root-check –enable-unicode=utf-8,iso-8859-1,gb2312,gbk,gb18030
–with-trashquota –with-dirsync –with-mysql-libs=/usr/local/mysql/lib/mysql –with-mysql-includes=/usr/local/mysql/include/mysql/ –with-authmysql –with-authmysql=yes
[root@mailserv2 courier-imap-4.1.3]# make
[root@mailserv2 courier-imap-4.1.3]# make install
[root@mailserv2 courier-imap-4.1.3]# make install-configure
(2)修改配置文件/usr/local/imap/etc/pop3d及/usr/local/imap/etc/imapd。把/usr/local/imap/etc/pop3d 文件的行”POP3DSTART=NO”改成”POP3DSTART=YES”,再依照这个形式把文件 /usr/local/imap/etc/imapd的行”IMAPDSTART=NO”改成”IMAPDSTART=YES”即可。
(3)复制文件 courier-imap.sysvinit到目录/usr/local/imap/sbin,以便于启动imap的守护进程。
[root@mailserv2 courier-imap-4.1.3]# cp courier-imap.sysvinit /usr/local/imap/sbin/imapd
(4)测试imap服务。
[root@mailserv2 courier-imap-4.1.3]# /usr/local/imap/sbin/imapd start
Starting Courier-IMAP server: imap pop3
◆安装courier-maildrop
Maiidrop的作用是本地投递,即把收到的邮件移动到相应的用户目录。在前面配置postfix的时候,我们已经把与maildrop相关的东西写进文件/etc/postfix/master.cf了,因此这里就不再叙述。前面的步骤我们也提到过pcre 这个软件,它是安装maildrop所必须的,所以需要先安装这个软件(如果系统不存在这个软件的话)。
[root@mailserv2 courier-imap-4.1.3]# cd
[root@mailserv2 courier-imap-4.1.3]# tar jxvf pcre-7.2.tar.bz2
[root@mailserv2 courier-imap-4.1.3]# cd pcre-7.2
[root@mailserv2 courier-imap-4.1.3]# ./configure
[root@mailserv2 courier-imap-4.1.3]# make
[root@mailserv2 courier-imap-4.1.3]# make install
//安装pcre应该是非常容易的事情,片刻之间就可搞定,接下来安装maildrop.在执行配置过程中,需要很多选项,不要疏漏。
[root@mailserv2 pcre-7.2]# cd
[root@mailserv2 pcre-7.2]# tar jxvf maildrop-2.0.4.tar.bz2
[root@mailserv2 pcre-7.2]# cd maildrop-2.0.4
[root@mailserv2 maildrop-2.0.4]# ./configure –prefix=/usr/local/maildrop –enable-
sendmail=/usr/sbin/sendmail –enable-trusted-users=’root vmail’ –enable-syslog=1
–enable-maildirquota –enable-maildrop-uid=1001 –enable-maildrop-gid=1001 –with
-trashquota –with-dirsync
[root@mailserv2 maildrop-2.0.4]# make
[root@mailserv2 maildrop-2.0.4]# make install
[root@mailserv2 maildrop-2.0.4]# cp /usr/local/maildrop/bin/maildrop /usr/bin
下面的命令简单验证maildrop
[root@mailserv2 ~]# maildrop –v
maildrop 2.0.4 Copyright 1998-2005 Double Precision, Inc.
GDBM extensions enabled.
Courier Authentication Library extension enabled.
Maildir quota extension enabled.
This program is distributed under the terms of the GNU General Public
License. See COPYING for additional information.
输出内容一定要有”Courier Authentication Library extension enabled”这一行。如果没有这个输出,那是非常不幸的事情了,返回去挨个排错吧。那么这个”Courier Authentication Library extension enabled”是怎么一回事呢?这表明maildrop已经和前面我们安装配置的SASL和courier-authlib紧密结合在一起了。
知道maildrop把邮件移动到哪个用户目录还是非常有必要的,这个操作就是maildrop的日志记录。这里我们创建一个新文件/etc/maildroprc,这个文件就2行内容:
[root@mailserv2 mailbox]# more /etc/maildroprc
logfile “/var/mailbox/maildrop.log”
to “$HOME/$DEFAULT”
我们来看一个正常运行的postfix邮件系统的maildrop日志,就会对maildrop有更清楚的认识。
[root@mailserv2 mailbox]# tail maildrop.log
Date: Sat Oct 6 12:45:20 2007
From: “Saundra Y. Echols” <saundra@MS13.HINET.NET>
Subj: No girls laugh at me now, haha, i laugh at them
File: /mail/mailbox//sery.com/magazine/ (3355)
上面的日志表明收到一封来自Saundra@ms13.hinet.net的信,maildrop把邮件移动到目录/mail/mailbox/sery.com/magazine。
很可惜maidrop没有创建和删除邮件用户目录的能力,在配置postfixadmin时,我们提到需要使用2个shell脚本 /usr/sbin/maildirdel.sh及/usr/sbin/maildirmake.sh,这2个脚本的作用就是用来弥补maildrop不能创建/删除目录这个缺陷的。
[root@mailserv2 ~]# more /usr/sbin/maildirmake.sh
#!/bin/bash
set -e
if [ ! -d /var/mailbox/$1 ]
then
mkdir /var/mailbox/$1
fi
chown -R vmail:vmail /var/mailbox/$1
cd “/var/mailbox/$1″
/usr/local/imap/bin/maildirmake $2
mkdir /var/mailbox/$1/$2/Maildir
chown -R vmail:vmail /var/mailbox/$1/$2
[root@mailserv2 ~]# more /usr/sbin/maildirdel.sh
#!/bin/bash
rm -rf /mail/mailbox/$1/$2
这2个脚本由web调用,而web(apache)的执行用户为vmail,出于安全考虑,我们给vmail用户的权限非常有限,为了保证这2个 shell脚本能正常执行,需要使用sudo这个工具来完成这个任务。尽管可以使用vi这样的编辑器来修改/etc/sudoers这个配置文件,但还是不及visudo可靠,因为visudo可以对修改的内容做语法检查,如果更改不正确,保存文件是会给出提示。把行”vmail ALL = NOPASSWD: /usr/sbin/maildirmake.sh , /usr/sbin/maildirdel.sh”追加到文件末尾即可!
有的时候,在postfixadmin里创建新的邮件帐号,帐号倒是创建成功了,却并没有在指定的位置生成相应的虚拟用户目录,从网上收集的信息来看,这个问题似乎很普遍,我本人也被这个问题困扰过–以vmail 用户手动执行sudo /usr/sbin/maildirdel.sh就能创建目录,用web方式就是不行-实验多次才找出原因,原来是/etc/sudoers里需要把 “Defaults requiretty”这行注释掉。有人可能要问,你怎么知道要这样做呢?答:我是通过看apache日志知道要这样干的。
◆邮件病毒检查和垃圾邮件过滤
抗病毒使用软件是clamav,安装时一定要用当前的最新版本。垃圾邮件过滤可使用一个名为SpamAssassin的perl模块。通过采用amavisd-new这个容器,可以把clamav和SpamAssassin整合起来。
(1)安装配置clamav.
[root@mailserv2 ~]# useradd clamav
[root@mailserv2 ~]# cd
[root@mailserv2 ~]# cd clamav-0.91.2
[root@mailserv2 ~]# ./configure –prefix=/usr/local/clamav –with-dbdir=/usr/local/share/clamav –disable-zlib-vcheck
[root@mailserv2 ~]# make
[root@mailserv2 ~]# make install
Clamav有2个配置文件,一个主配置文件/usr/local/clamav/etc/clamd.conf,一个病毒更新配置文件/usr/local/clamav/etc/ freshclam.conf。现把修改好的配置文件列于下面:
[root@mailserv2 ~]# more /usr/local/clamav/etc/freshclam.conf | sed -n ‘/^#/!p’
DatabaseDirectory /usr/local/share/clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose yes
LogSyslog yes
LogFacility LOG_MAIL
DatabaseOwner amavis
DatabaseMirror db.CN.clamav.net
DatabaseMirror database.clamav.net
[root@mailserv2 ~]# more /usr/local/clamav/etc/clamd.conf | sed -n ‘/^#/!p’
LogFile /var/log/clamav/clamd.log
LogSyslog yes
LogVerbose yes
PidFile /var/run/clamav/clamd.pid
DatabaseDirectory /usr/local/share/clamav
LocalSocket /var/run/clamav/clamd.socket
StreamMaxLength 20M
User amavis
ScanMail yes
ScanArchive yes
这2个文件有很多注释,我用sed把它过滤掉了。Clamd.conf中,有”User amavis”这样一行。为什么不用默认的用户clamav而使用amavis呢?这样做的目的是为了与amavis-new结合在一起。既然没有这个用户,就手动创建一个(useradd amavis)。接下来需要手动创建一些目录并赋予相应的权限,用来记录日志等用途;我把它作成一个shell脚本,直接执行即可,脚本的内容如下所示:
[root@mailserv2 ~]# more /root/clamav.sh
#!/bin/bash
# create directory for clamav
mkdir /var/log/clamav
chmod -R 744 /var/log/clamav
chown -R amavis:amavis /var/log/clamav
chown -R amavis.amavis /usr/local/share/clamav
mkdir /var/run/clamav
chmod 700 /var/run/clamav
chown amavis.amavis /var/run/clamav
脚本执行成功后,再执行 [root@mailserv2 ~]# /usr/local/clamav/bin/freshclam 手动更新病毒库。
(2)安装和配置avamvis-new。解压包amavisd-new-2.5.2.tar.gz,然后把它移动到相关的位置。这里还是用一个脚本来做这个事情,脚本的内容如下:
[root@mailserv2 ~]# more /root/amavis.sh
#!/bin/bash
cd /root
tar amavisd-new-2.5.2.tar.gz
cd amavisd-new-2.5.2
mkdir -p /var/amavis /var/amavis/tmp /var/amavis/var /var/amavis/db
chown -R amavis:amavis /var/amavis
chmod -R 750 /var/amavis
cp amavisd /usr/local/sbin/
chown root /usr/local/sbin/amavisd
chmod 755 /usr/local/sbin/amavisd
cp amavisd.conf /etc/
chown root /etc/amavisd.conf
chmod 644 /etc/amavisd.conf
mkdir /var/virusmails
chown amavis:amavis /var/virusmails
chmod 750 /var/virusmails
执行完脚本后别忘记检查一下是否都按我们的意愿工作,如/usr/local/sbin目录是否有文件amavisd。
Amavisd的配置文件/etc/amavisd.conf比较复杂,需要修改的内容如下:
$max_servers=8;
$daemon_user = ‘amavis’;
$daemon_group = ‘amavis’;
$mydomain = ’sery.com’;
$db_home = “$MYHOME/db”;
$inet_socket_port = 10024;
$sa_tag_level_deflt = -100;
$sa_tag2_level_deflt = 6.3;
$sa_kill_level_deflt = $sa_tag2_level_deflt;
$virus_admin = “virusalert@$mydomain“;
$sa_spam_subject_tag = ‘***SPAM*** ‘;
$notify_method = $forward_method;
$forward_method = ’smtp:127.0.0.1:10025′;
$final_virus_destiny = D_DISCARD;
$final_banned_destiny = D_DISCARD;
$final_spam_destiny = D_PASS;
['ClamAV-clamd',
&ask_daemon, ["CONTSCAN {}n", "/var/run/clamav/clamd"],
qr/bOK$/, qr/bFOUND$/,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
上述修改确认无误后,执行 [root@mailserv2 ~]# /usr/local/sbin/amavisd debug 测试amavis。一般而言,测试皆不能正常进行,因为所需要的很多perl模块很可能没有被安装。还好,报错信息给出了所需的模块。这时你需要到www.cpan.org下载相关的模块,然后安装;也可能遇到包依赖,再下载依赖的包,安装这个依赖,再反回来安装先前那个包,如此反复,很是烦人,极考验人的耐性。等到 /usr/local/sbin/amavisd debug 输出没有错误方才完成。有另外一种方法,即运行 [root@mailserv2 ~]# perl MCPAN -e shell ,然后执行 cpan> install Time::HiRes 这样的命令挨个安装缺少的perl模块。根据我的经验,这样干很耗时,并且有的模块用这种方法安装还不灵,所以还不如在网站下载模块安装有效。下面给出一个perl模块的安装实例:
[root@mailserv2 ~]# cd
[root@mailserv2 ~]# tar zxvf BerkeleyDB-0.32.tar.gz
[root@mailserv2 ~]# cd BerkeleyDB-0.32
[root@mailserv2 ~]# perl Makefile.PL
[root@mailserv2 ~]# make
[root@mailserv2 ~]# make install
◆Webmail安装配置
可供postfix选择的webmail不是很丰富,通过比较,我选择extmail作为postfix的webmail客户端工具,本来 extmail也包括像postfixadmin这样的web管理工具(extman),因为前面我们已经用了postfixadmin, 这里我只用extmail。
下载ExtMail-Solution-Linux-0.1.tar.gz后解压,然后把它移动到目录/var/www/extsuite/extmail。在apache的配置文件httpd.conf末尾追加下面的内容以便用户可以通过web方式访问extmail:
DirectoryIndex index.html index.php index.cgi
ScriptAlias /extmail/cgi/ /mail/www/extsuite/extmail/cgi/
<Directory “/mail/www/extsuite/extmail/cgi”>
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
Alias /extmail /mail/www/extsuite/extmail/html
<Directory /mail/www/extsuite/extmail/html>
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
保存文件,重启apache服务即可在浏览器输入邮件服务器的url访问了。
图 8
如果少了相应的perl模块,web页面会给出提示,按照提示把perl模块安装上去就正常了。到这里,extmail的配置还没有完呢,至少还有 2个文件需要修改,这2个文件是webmail.cf和 /var/www/extsuite/extmail/html/default/index.html.前一个是extmail的配置文件,后一个是页面文件显示方式。
webmail.cf的内容:更改过的内容用斜体红色字体显示
[root@mailserv2 extmail]# more webmail.cf
# sys_config, the config file and webmail programe root
SYS_CONFIG = /var/www/extsuite/extmail/
# sys_langdir, the i18n dir
SYS_LANGDIR = /var/www/extsuite/extmail/lang
# sys_templdir, the template dir
SYS_TEMPLDIR = /var/www/extsuite/extmail/html
# sys_warn, show system warning or not, default to yes
SYS_SHOW_WARN = 0
# sys_permit_noquota, permit an account without qouta?
SYS_PERMIT_NOQUOTA = 1
# sys_sess_dir, the session dir
SYS_SESS_DIR = /tmp/
# sys_log_on = 1 | 0 – enable logging or not
SYS_LOG_ON = 1
# sys_log_type = file|syslog|nsyslog, syslog will save login
# or error info into mail.*, nsyslog is a replacement to syslog
# that will send log message to network syslogd
SYS_LOG_TYPE = syslog
# sys_log_file – path to log file, if sys_log_type = file
SYS_LOG_FILE = /var/log/extmail.log
# sys_sess_timeout, session timeout, default 3 hours (3h) format:
# number+(s|m|h|d|M|y); or only number, the 0 means that the
# session will last for 0 seconds, but if you specify the
# sys_sess_cookie_only = 1 then it means the session will expire
# after you close your browser SYS_SESS_TIMEOUT = 0
# sys_sess_cookie_only = 0|1 use cookie only or include cgi “sid”
# parameter ? if set to true(1), the session will be expired after
# sys_sess_timeout if there is no any active request from browser
SYS_SESS_COOKIE_ONLY = 1
# sys_user_psize, user default page_size
SYS_USER_PSIZE = 10
# sys_user_tsize, user mail subject truncate size, valid type:
# auto => full text
# screen1 => 800×600
# screen2 => 1024×768
# screen3 => 1280×1024
SYS_USER_SCREEN = auto
# sys_user_lang, user default language
SYS_USER_LANG = en_US
# sys_user_template, user default template
SYS_USER_TEMPLATE = default
# sys_user_charset, user default charset
SYS_USER_CHARSET = utf-8
# sys_user_trylocal, user default outgoing encoding mechanism
SYS_USER_TRYLOCAL = 1
# sys_user_timezone, user default timezone
SYS_USER_TIMEZONE = +0800
# sys_user_* default parameters
SYS_USER_CCSENT = 0
SYS_USER_SHOW_HTML = 1
SYS_USER_COMPOSE_HTML = 1
SYS_USER_CONV_LINK =1
SYS_USER_ADDR2ABOOK = 1
# sys_min_pass_len, minimal password length, default 2
SYS_MIN_PASS_LEN = 2
# sys_mfilter_on, default is off
SYS_MFILTER_ON = 1
# sys_netdisk_on, default is off
SYS_NETDISK_ON = 0
# sys_debug_on, default is off
SYS_DEBUG_ON = 0
# sys auth type, mysql/ldap/authlib
SYS_AUTH_TYPE = mysql
# maildir_base, the base dir of user maildir, use absolute path
# if not set.
SYS_MAILDIR_BASE = /var/mailbox
# sys_auth_schema, vpopmail1/vpopmail2/virtual
# vpopmail1 => all user accounts in one table
# vpopmail2 => accounts in per domain table
SYS_AUTH_SCHEMA = virtual
# crypt_type, the default encrypt type of password, possible type
# currently is crypt|cleartext|plain|md5|md5crypt|plain-md5|ldap-md5|sha|sha1
SYS_CRYPT_TYPE = md5crypt
# if mysql, all relate parameters should prefix as SYS_MYSQL
SYS_MYSQL_USER = postfix
SYS_MYSQL_PASS = postfix
SYS_MYSQL_DB = postfix
SYS_MYSQL_HOST = localhost
SYS_MYSQL_SOCKET = /tmp/mysql.sock
# table name
SYS_MYSQL_TABLE = mailbox
SYS_MYSQL_ATTR_USERNAME = username
SYS_MYSQL_ATTR_DOMAIN = domain
SYS_MYSQL_ATTR_PASSWD = password
# sys_mysql_attr_clearpw – attribute to save clear password, useful for
# postmaster withdraw the original passwd if the end user forgot, but
# we highly recommend that you don’t enable it for security reason
# SYS_MYSQL_ATTR_CLEARPW = clearpwd
SYS_MYSQL_ATTR_QUOTA = quota
SYS_MYSQL_ATTR_NDQUOTA = netdiskquota
SYS_MYSQL_ATTR_HOME = homedir
SYS_MYSQL_ATTR_MAILDIR = maildir
# service enable/disable attributes
# comment them out if you don’t want their function
SYS_MYSQL_ATTR_DISABLEWEBMAIL = disablewebmail
SYS_MYSQL_ATTR_DISABLENETDISK = disablenetdisk
SYS_MYSQL_ATTR_ACTIVE = active
# if ldap, all relate parameters should prefix as SYS_LDAP
SYS_LDAP_BASE = o=extmailAccount,dc=example.com
SYS_LDAP_RDN = cn=Manager,dc=example.com
SYS_LDAP_PASS = secret
SYS_LDAP_HOST = localhost
# ldif attributes
SYS_LDAP_ATTR_USERNAME = mail
SYS_LDAP_ATTR_DOMAIN = virtualDomain
SYS_LDAP_ATTR_PASSWD = userPassword
# sys_ldap_attr_clearpw – attribute to save clear password, useful for
# postmaster withdraw the original passwd if the end user forgot, but
# we highly recommend that you don’t enable it for security reason
# SYS_LDAP_ATTR_CLEARPW = clearPassword
SYS_LDAP_ATTR_QUOTA = mailQuota
SYS_LDAP_ATTR_NDQUOTA = netdiskQuota
SYS_LDAP_ATTR_HOME = homeDirectory
SYS_LDAP_ATTR_MAILDIR = mailMessageStore
# service enable/disable attributes
# comment them out if you don’t want their function
SYS_LDAP_ATTR_DISABLEWEBMAIL = disablewebmail
SYS_LDAP_ATTR_DISABLENETDISK = disablenetdisk
SYS_LDAP_ATTR_ACTIVE = active
# if authlib, all relate parameters should prefix as AUTHLIB
SYS_AUTHLIB_SOCKET = /usr/local/authlib/var/spool/authdaemon/socket
# Global Abook support
# sys_g_abook_type, global abook type, valid is ldap|file, currently
# only support ldap, file module is under development SYS_G_ABOOK_TYPE = file
# if ldap, all relate parameters should prefix as SYS_G_ABOOK_LDAP
SYS_G_ABOOK_LDAP_HOST = localhost
SYS_G_ABOOK_LDAP_BASE = ou=AddressBook,dc=example.com
SYS_G_ABOOK_LDAP_ROOTDN = cn=Manager,dc=example.com
SYS_G_ABOOK_LDAP_ROOTPW = secret
SYS_G_ABOOK_LDAP_FILTER = objectClass=OfficePerson
# if file, all relate parameters should prefix as SYS_G_ABOOK_FILE
SYS_G_ABOOK_FILE_PATH = /mail/www/extsuite/extmail/globabook.cf
SYS_G_ABOOK_FILE_LOCK = 1
SYS_G_ABOOK_FILE_CONVERT = 0
SYS_G_ABOOK_FILE_CHARSET = utf-8
在文件/var/www/extsuite/extmail/html/default/index.html 加入下面的标识,可以得到不同
<TR>
<TD><%domain%></TD>
<TD><select name=”domain” size=”1″ class=”input_select”></option><option value=”mail.sery.com”>mail.sery.com</option>
<optionvalue=”sery.com”>sery.com</option></select><!–<INPUT TYPE=”text” class=”input_n” NAME=”domain”>–></TD>
</TR>
邮件域的下拉列表,从而方便用户的使用。
图 9
到这里,postfix的安装配置算是完成了。我们来逐个检查这些服务的正确性,简单的方法就是启动每一个服务,根据服务的运行来掌握各个服务是否正常。为了方便所有服务随开机自动启动,我把它们都加在了文件/etc/rc.local里,这些内容包括:
################ normal services ############################
/usr/local/apache/bin/apachectl start
/usr/local/mysql/bin/mysqld_safe –user=mysql&
/usr/local/authlib/sbin/authdaemond start
############## postfix relatively ###########################
postfix start
/usr/local/imap/sbin/imapd start
################ antivirus and antispam #####################
/usr/bin/spamd –daemonize –pidfile /var/run/spamd.pid
/usr/local/sbin/amavisd start
/usr/local/clamav/sbin/clamd
病毒库和垃圾邮件的列表则放在crontab里:
[root@mailserv2 extmail]# crontab -l
0 0 1 * * root wget -N -P /usr/share/spamassassin www.ccert.edu.cn/spam/sa/Chinese_rules.cf;kill -HUP `cat /var/run/spamd.pid`
00 00 * * * /usr/local/clamav/bin/freshclam
待所有的服务都正常后,用postfixadmin创建邮件域和用户。创建完毕,通过查看postfix日志/var/log/maillog了解操作是否成功;同时通过查看目录/var/mailbox里是否生成与创建的邮件帐户同名的目录。
◆邮件系统的备份
在系统崩溃以后,没有提前备份将使你无限懊悔。一次没有成功的在线内核升级引起的系统崩溃(在我没来得及备份时发生),为恢复崩溃邮件系统,曾让我精疲力竭。所以做好备份是一个好主意。当然我们不能天天手动去执行这个备份任务,用脚本吧!下面是我的一个postfix的备份脚本,供大家参考:
[root@mailserv2 virusalert]# more /usr/local/bin/data_backup.sh
#!/bin/bash
BackupPath=/var/data_bk
Mysql_bk_dir=$BackupPath/mysqlbk
Mail_bk_dir=$BackupPath/mailbk
LogFile=$BackupPath/backuplog
MailBoxDir=/var/mailbox
####################################################################
# define mysql variables #
####################################################################
NewFile=”$Mysql_bk_dir”/postfix$(date +%Y%m%d).tgz
DumpFile=”$Mysql_bk_dir”/postfix$(date +%Y%m%d).sql
OldFile=”$Mysql_bk_dir”/postfix$(date +%Y%m%d –date=’5 days ago’).tgz
DbUser=root
DbPasswd=husb^R
DbName=postfix
####################################################################
# mysql backup proccess #
####################################################################
echo “——————————————-” >> $LogFile
echo $(date +”%y-%m-%d %H:%M:%S”) >> $LogFile
echo “————————–” >> $LogFile
#Delete Old File
if [ -f $OldFile ]
then
rm -f $OldFile >> $LogFile 2>&1
echo “[$OldFile]Delete Old File Success!” >> $LogFile
else
echo “[$OldFile]No Old Backup File!” >> $LogFile
fi
if [ -f $NewFile ]
then
echo “[$NewFile]The Backup File is exists,Can’t Backup!” >> $LogFile
else
cd $Mysql_bk_dir
/usr/local/mysql/bin/mysqldump -u $DbUser -p$DbPasswd –opt $DbName > $DumpFile
tar czf $NewFile postfix$(date +%Y%m%d).sql >> $LogFile 2>&1
echo “[$NewFile]Backup Success!” >> $LogFile
rm -rf $DumpFile
fi
######################################################################
# backup mail’s user directories and files #
######################################################################
MailFileBk=$Mail_bk_dir/mail$(date +%Y%m%d).tgz
OldMailFileBk=$Mail_bk_dir/mail$(date +%Y%m%d –date=’14 days ago’).tgz
if [ -f $OldMailFileBk ]
then
rm -rf $OldMailFileBk
fi
if [ -f $MailFileBk ]
then
echo “[$MailFileBk]The Backup File is exists,Can’t Backup!” >> $LogFile
else
cd /mail
tar czf $MailFileBk mailbox >> $LogFile 2>&1
fi
echo “——————————————-” >> $LogFile
这个脚本对postfix数据库和用户的邮件做了备份。因为磁盘空间始终是有限的,因此是一边备份一边删除就的备份。如果条件允许,建议进行异地备份。手动执行一下这个脚本,看它是否按我们的意愿工作了,如果一些如愿,则把它放入crontab里让它每晚自动进行。
[root@mailserv2 ~]# crontab -l
0 0 1 * * root wget -N -P /usr/share/spamassassin www.ccert.edu.cn/spam/sa/Chinese_rules.cf;kill -HUP `cat /var/run/spamd.pid`
00 01 * * * /usr/local/bin/data_backup.sh
00 00 * * * /usr/local/clamav/bin/freshclam
◆系统加固及安全
1、内核优化:用脚本实现
[root@mailserv2 ~]# more /usr/local/bin/kernel_optimize
#!/bin/bash
#kernel optimize optimize ,create by 2007-7-29
#enable broadcast echo protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#disble source routed packets
#for f in /proc/sys/net/ipv4/conf/*/accept_source_rout; do
# echo 0 > $f
#done
#enable tcp syn cookie protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#disable icmp redirect acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
#don’t send redirect messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $f
done
#drop spoofed packets
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
#log packets with impossible addresses
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $f
done
2、防火墙策略:在配置postfix连接mysql数据库时,用户名postfix,密码postfix,类似的情形还有好几处呢。如果某人在别的机器用mysql客户端连接邮件服务器的mysql数据库,不费吹灰之力就可以把邮件帐号全删了,这肯定会激起用户的愤怒!赶快把这个漏洞堵上,下面是我的防火墙策略脚本:
[root@mailserv2 ~]# more /usr/local/bin/firewall
#!/bin/bash
#this is a common firewall created by 2007-7-29
#define some variable
IPT=/sbin/iptables
CONNECTION_TRACKING=”1″
INTERNET=”eth0″
CLASS_A=”10.0.0.0/8″
CLASS_B=”172.16.0.0/12″
CLASS_C=”192.168.0.0/16″
CLASS_D_MULTICAST=”224.0.0.0/4″
CLASS_E_RESERVED_NET=”240.0.0.0/5″
BROADCAST_SRC=”0.0.0.0″
BROADCAST_DEST=”255.255.255.255″
IPADDR=220. 94.58.245
LOOPBACK_INTERFACE=”lo”
#Remove any existing rules
$IPT -F
$IPT -X
#setting default firewall policy
$IPT –policy OUTPUT ACCEPT
$IPT –policy FORWARD DROP
$IPT -P INPUT DROP
#stop firewall
if [ "$1" = "stop" ]
then
echo “Filewall completely stopped!no firewall running!”
exit 0
fi
#setting for loopback interface
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# Stealth Scans and TCP State Flags
# All of the bits are cleared
$IPT -A INPUT -p tcp –tcp-flags ALL NONE -j DROP
# SYN and FIN are both set
$IPT -A INPUT -p tcp –tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN and RST are both set
$IPT -A INPUT -p tcp –tcp-flags SYN,RST SYN,RST -j DROP
# FIN and RST are both set
$IPT -A INPUT -p tcp –tcp-flags FIN,RST FIN,RST -j DROP
# FIN is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp –tcp-flags ACK,FIN FIN -j DROP
# PSH is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp –tcp-flags ACK,PSH PSH -j DROP
# URG is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp –tcp-flags ACK,URG URG -j DROP
# Using Connection State to By-pass Rule Checking
if [ "$CONNECTION_TRACKING" = "1" ]; then
$IPT -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -m state –state INVALID -j DROP
$IPT -A OUTPUT -m state –state INVALID -j DROP
fi
##################################################################
# Source Address Spoofing and Other Bad Addresses
# Refuse spoofed packets pretending to be from
# the external interface.s IP address
$IPT -A INPUT -i $INTERNET -s $IPADDR -j DROP
# Refuse packets claiming to be from a Class A private network
$IPT -A INPUT -i $INTERNET -s $CLASS_A -j DROP
# Refuse packets claiming to be from a Class B private network
$IPT -A INPUT -i $INTERNET -s $CLASS_B -j DROP
# Refuse packets claiming to be from a Class C private network
$IPT -A INPUT -i $INTERNET -s $CLASS_C -j DROP
$IPT -A INPUT -i $INTERNET -s 0.0.0.0/8 -j DROP
$IPT -A INPUT -i $INTERNET -s 169.254.0.0/16 -j DROP
$IPT -A INPUT -i $INTERNET -s 192.0.2.0/24 -j DROP
###################################################################
#setting access rules
#enable ssh connect
$IPT -A INPUT -i $INTERNET -p tcp –dport 22 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp –dport 25 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp –dport 80 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp –dport 110 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp –dport 143 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp –dport 783 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp -s 127.0.0.1 –dport 3306 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp –dport 5666 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp –dport 10024 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp –dport 10025 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p udp –dport 123 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p icmp -j ACCEPT
“$IPT -A INPUT -i $INTERNET -p tcp -s 127.0.0.1 –dport 3306 -j ACCEPT”这条规则是阻止外部机器连接mysql数据库。端口5666是nagios监控所用。把内核优化和防火墙脚本加在文件/etc/rc.local中,实现开机即启。[root@mailserv2 ~]# more /etc/rc.local
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don’t
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local
################ normal services ############################
/usr/local/apache/bin/apachectl start
/usr/local/mysql/bin/mysqld_safe –user=mysql&
/usr/local/authlib/sbin/authdaemond start
############## postfix relatively ###########################
postfix start
/usr/local/imap/sbin/imapd start
################ antivirus and antispam #####################
/usr/bin/spamd –daemonize –pidfile /var/run/spamd.pid
/usr/local/sbin/amavisd start
/usr/local/clamav/sbin/clamd
############### system optimize #############################
/usr/local/bin/kernel_optimize
/usr/local/bin/firewall
################### NRPE nagios remote plugin execute $$$$$$$$$
/usr/local/nrpe/bin/nrpe -c /usr/local/nrpe/etc/nrpe.cfg -d
◆关于多邮件域和用户限额
Postfix支持多邮件域,当我们用postfixadmin创建多个邮件域的时候,别忘记在DNS服务器上做好主机记录解析和MX解析。多邮件域的情形是多个mx记录指向同一个主机ip地址。
默认情况下,postfix 数据库的mailbox表的字段”quota”值是”0″,它表示用户的油箱大小是100M,假如我们要把用户的邮箱大小设置成500M,则只需连接数据库postfix更改mailbox表”quota”字段的值为”524288000″。
mysql> use postfix;
mysql> update mailbox set quota=’524288000′;
Query OK, 1 row affected (0.03 sec)
Rows matched: 191 Changed: 1 Warnings: 0
图 10
所有的工作都做完以后,重启linux。检查进程看与postfix相关的守护进程是否在运行,然后在用foxmail来收发邮件,再也 webmail(extmail)方式收发。尽管postfix涉及很多方面的内容,但在大部分情况下,通过日志文件/var/log/maillog可以得出一些非常有用的信息,从排除故障这个角度讲,postfix的日志文件将会为排除故障提供很好的帮助。
[root@mailserv2 ~]# ps auxww //部分进程快照
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
vmail 1481 0.0 1.2 12644 6568 ? S Oct03 0:00 /usr/local/apache/bin/httpd -k start
postfix 1622 0.0 0.2 4000 1276 ? S Oct02 0:08 anvil -l -t unix -u
vmail 1843 0.0 1.2 12644 6568 ? S Oct03 0:00 /usr/local/apache/bin/httpd -k start
root 1972 0.0 0.1 1688 620 ? Ss Sep20 2:41 syslogd -m 0
root 1975 0.0 0.0 1644 400 ? Ss Sep20 0:01 klogd -x
root 1994 0.0 0.1 5424 984 ? Ss Sep20 0:22 /usr/sbin/sshd
ntp 2012 0.0 0.9 4672 4672 ? SLs Sep20 0:00 ntpd -u ntp:ntp -p /var/run/ntpd.pid -g
root 2027 0.0 0.2 5224 1104 ? Ss Sep20 0:00 crond
root 2042 0.0 0.0 2200 424 ? Ss Sep20 0:00 /usr/sbin/atd
root 2050 0.0 1.3 12644 7016 ? Ss Sep20 0:00 /usr/local/apache/bin/httpd -k start
root 2056 0.0 0.0 1628 400 ? S Sep20 0:18 /usr/local/authlib/sbin/courierlogger -pid=/usr/local/authlib/var/spool/authdaemon/pid -start /usr/local/authlib/libexec/courier-authlib/authdaemond
root 2067 0.0 0.1 2732 848 ? S Sep20 0:00 /usr/local/authlib/libexec/courier-authlib/authdaemond
root 2075 0.0 0.1 2776 1008 ? S Sep20 0:10 /usr/local/authlib/libexec/courier-authlib/authdaemond
root 2076 0.0 0.1 2776 1008 ? S Sep20 0:11 /usr/local/authlib/libexec/courier-authlib/authdaemond
root 2077 0.0 0.1 2776 1008 ? S Sep20 0:10 /usr/local/authlib/libexec/courier-authlib/authdaemond
root 2078 0.0 0.1 2776 1008 ? S Sep20 0:10 /usr/local/authlib/libexec/courier-authlib/authdaemond
root 2079 0.0 0.1 2776 1008 ? S Sep20 0:10 /usr/local/authlib/libexec/courier-authlib/authdaemond
root 2143 0.0 0.2 3972 1244 ? Ss Sep20 4:57 /usr/libexec/postfix/master
postfix 2146 0.0 0.2 4040 1308 ? S Sep20 1:44 qmgr -l -t fifo -u
root 2153 0.0 0.0 1624 404 ? S Sep20 0:00 /usr/local/authlib/sbin/courierlogger -pid=/var/run/imapd.pid -start -name=imapd /usr/local/imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 143 /usr/local/imap/sbin/imaplogin /usr/local/imap/bin/imapd Maildir
root 2154 0.0 0.1 1728 536 ? S Sep20 0:00 /usr/local/imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 143 /usr/local/imap/sbin/imaplogin /usr/local/imap/bin/imapd Maildir
root 2159 0.0 0.0 1628 404 ? S Sep20 0:03 /usr/local/authlib/sbin/courierlogger -pid=/var/run/pop3d.pid -start -name=pop3d /usr/local/imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 110 /usr/local/imap/sbin/pop3login /usr/local/imap/bin/pop3d Maildir
root 2160 0.0 0.1 1728 536 ? S Sep20 0:03 /usr/local/imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 110 /usr/local/imap/sbin/pop3login /usr/local/imap/bin/pop3d Maildir
amavis 2169 0.0 17.2 113196 89072 ? Ss Sep20 7:00 /usr/local/clamav/sbin/clamd
root 2251 0.0 0.0 1624 440 tty1 Ss+ Sep20 0:00 /sbin/mingetty tty1
root 2252 0.0 0.0 1624 436 tty2 Ss+ Sep20 0:00 /sbin/mingetty tty2
root 2253 0.0 0.0 1624 440 tty3 Ss+ Sep20 0:00 /sbin/mingetty tty3
root 2254 0.0 0.0 1624 440 tty4 Ss+ Sep20 0:00 /sbin/mingetty tty4
root 2255 0.0 0.0 1624 440 tty5 Ss+ Sep20 0:00 /sbin/mingetty tty5
root 2256 0.0 0.0 1628 444 tty6 Ss+ Sep20 0:00 /sbin/mingetty tty6
root 3626 0.0 0.2 4440 1104 ? S Sep20 0:00 /bin/sh /usr/local/mysql/bin/mysqld_safe –user=mysql
mysql 3644 0.0 4.1 133256 21460 ? Sl Sep20 8:33 /usr/local/mysql/libexec/mysqld –basedir=/usr/local/mysql –datadir=/usr/local/mysql/var –user=mysql –pid-file=/usr/local/mysql/var/mailserv2.pid –skip-locking
root 12456 0.0 0.4 8272 2504 ? Ss 20:13 0:00 sshd: root@pts/2
root 12458 0.0 0.2 4624 1456 pts/2 Ss+ 20:13 0:00 -bash
amavis 12624 0.0 9.7 59064 50236 ? Ss 20:21 0:01 amavisd (master)
postfix 14269 0.0 0.2 4132 1460 ? S 22:07 0:00 trivial-rewrite -n rewrite -t unix -u
amavis 14518 0.0 10.6 63740 54748 ? S 22:18 0:05 amavisd (ch18-avail)
amavis 14875 0.0 10.4 62724 53768 ? S 22:43 0:04 amavisd (ch11-avail)
amavis 14883 0.1 10.3 62592 53452 ? S 22:44 0:04 amavisd (ch14-avail)
root 14890 0.0 0.4 8276 2512 ? Ss 22:45 0:00 sshd: root@pts/1
root 14892 0.0 0.2 4616 1444 pts/1 Ss 22:45 0:00 -bash
amavis 15160 0.0 10.2 61812 52728 ? S 22:59 0:02 amavisd (ch5-avail)
amavis 15164 0.1 10.3 62464 53488 ? S 22:59 0:04 amavisd (ch13-avail)
amavis 15211 0.1 10.3 62020 53060 ? S 23:03 0:04 amavisd (ch13-avail)
amavis 15292 0.0 10.2 61700 52648 ? S 23:08 0:02 amavisd (ch7-avail)
amavis 15383 0.1 10.2 62124 52964 ? S 23:12 0:03 amavisd (ch8-avail)
postfix 15762 0.0 0.4 4520 2300 ? S 23:40 0:00 smtpd -n smtp -t inet -u
postfix 15865 0.0 0.2 4004 1156 ? S 23:47 0:00 pickup -l -t fifo -u
root 15941 0.0 0.1 4220 940 pts/1 R+ 23:55 0:00 ps auxww
nagios 18752 0.0 0.1 4836 944 ? Ss Sep22 0:05 ../bin/nrpe -c nrpe.cfg -d
vmail 24853 0.0 1.2 12644 6664 ? S Oct04 0:00 /usr/local/apache/bin/httpd -k start
vmail 24854 0.0 1.2 12644 6596 ? S Oct04 0:00 /usr/local/apache/bin/httpd -k start
vmail 24884 0.0 1.2 12644 6568 ? S Oct04 0:00 /usr/local/apache/bin/httpd -k start
vmail 24885 0.0 1.3 12780 6696 ? S Oct04 0:00 /usr/local/apache/bin/httpd -k start
vmail 24886 0.0 1.2 12644 6568 ? S Oct04 0:00 /usr/local/apache/bin/httpd -k start
vmail 24967 0.0 1.2 12644 6596 ? S Oct04 0:00 /usr/local/apache/bin/httpd -k start
vmail 24970 0.0 1.2 12644 6552 ? S Oct04 0:00 /usr/local/apache/bin/httpd -k start
vmail 28305 0.0 1.3 12788 6724 ? S Oct02 0:00 /usr/local/apache/bin/httpd -k start
root 29390 0.0 5.5 33232 28576 ? Ss Oct01 0:00 /usr/bin/spamd –daemonize –pidfile /var/run/spamd.pid
root 29392 0.0 5.2 33232 27068 ? S Oct01 0:00 spamd child
root 29393 0.0 5.2 33232 26988 ? S Oct01 0:00 spamd child
发表评论
-
用SSL对邮件加密的支持 Postfix+SSL配置
2012-05-18 14:51 5371在postfix启用配置SSL,启用加密传输,如下是配置过程, ... -
如何打开.dat格式文档文件:邮件中的winmail.dat附件是什么
2011-11-07 16:37 12927严格来说.DAT 并不是一 ... -
配置extmail过程详解
2011-09-08 18:18 1690Step1、安装apache+mysql+php,配置dns ... -
postfix sasl身份验证
2011-09-07 14:57 1230基本的smtp协议没有验证 ... -
邮件系统的选型与架构
2011-08-08 17:31 1277本文通过剖析邮件系统组成、各部分选型、系统架构分析及系统安全设 ...
相关推荐
**Postfix** 是一个强大的MTA(邮件传输代理),负责接收、发送和转发电子邮件。在配置Postfix时,我们需要设置邮件路由、域名、权限以及安全策略。安装Postfix后,我们还需要进行必要的配置,例如指定邮件主机名、...
Postfix电子邮件服务器是一种开源的邮件传输代理(MTA),广泛应用于Linux和Unix操作系统中。该实验旨在实现Postfix电子邮件服务器的基本环境配置,并提高其防垃圾邮件能力、防电子邮件包含病毒及保护Postfix的安全...
构建Postfix高级邮件系统,一份很详细的技术文档 随着公司经营业务的不断发展,员工数量逐渐增多,同时根据产品开发需要,...现需要对有的Postfix电子邮件系统进行改造,一遍支持更多用户、提高用户检索和管理效率...
根据给定的文件信息,接下来详细介绍关于Postfix电子邮件服务器的知识点,包括安装、配置以及相关技术概念。 ### Postfix邮件服务器概念 Postfix是一个开源的邮件传输代理(MTA),用于接收和发送邮件。它被设计为...
"postfix电子邮件服务器配置" 通过阅读提供的文件,我们可以了解到 postfix 电子邮件服务器的配置过程,包括 DNS 服务器的配置、Postfix 的安装和配置、Dovecot 和 Cyrus-SASL 的角色、OpenWebMail 和 SquirrelMail...
Postfix支持SMTP协议,负责接收、发送和转发电子邮件。 搭建Postfix邮件系统的第一步是安装必要的软件包。在CentOS上,你可以通过执行以下命令来安装Postfix: ```bash sudo yum install postfix ``` 安装完成后...
Mailbox是用户的电子邮件存放位置,通常是位于服务器上的一个文件或目录。在Linux环境中,默认的邮箱路径为`/var/spool/mail/用户名`。 #### 二、邮件传输协议 为了更好地理解和使用邮件系统,还需要了解几种关键...
通过这些步骤,我们可以构建一个功能强大、安全的邮件系统,提供可靠的服务,并保护用户免受电子邮件威胁。这个过程不仅涉及技术实施,也包括了持续的监控和维护,以确保系统的稳定性和安全性。
postfix邮件系统原理postfix邮件系统原理postfix邮件系统原理
Postfix邮件系统是一款开源、高性能、安全且易于管理的邮件传输代理软件,广泛应用于各种规模的企业和组织。它由Wietse Venema在1998年开发,旨在替代Sendmail,提供更快、更安全、更灵活的服务。Postfix的设计理念...
Postfix+ExtMail邮件系统是一种功能齐全的免费电子邮件系统解决方案,核心组件包括Postfix、Amavisd-new、ClamAV、ExtMail、ExtMan、Courier系列软件。该系统可以提供完整的邮件解决方案,包括邮件传输代理、邮件...
Postfix邮件服务器是一种广泛使用的开源邮件传输代理,用于发送和接收电子邮件。它提供了在Linux系统中设置邮件服务器的功能,支持25端口的SMTP服务(发送邮件)和110端口的POP3服务(接收邮件)。在描述中提到,要...
Postfix邮件系统是一种广泛使用的开源邮件传输代理,它在Linux和Unix系统中被用来处理电子邮件的接收、发送和路由。Postfix的设计目标是提供高效、安全和可管理的邮件服务,同时保持简单和灵活的配置。以下是关于...