Postfix + Dovecot + MySQL mail server on CentOS, with TLS: self-hosted, encrypted, with debugging
This article was last updated 407 days ago; the information in it may have evolved or changed since. All rights to this original article are reserved. Reposting is allowed with prior notice and consent, provided a link to the original is kept in a visible place; any disregard of copyright will be met with a DMCA complaint to the search engines.

Webmaster's rant

I searched Baidu and Google for all kinds of tutorials, and every one of them had some flaw; at any rate I never once succeeded by following them. Either IMAP would not connect, or TLS went wrong. Today, working from the official configuration files and the debug logs, I finally got it working, so I am writing this article to record the process.
Of course there are also very good introductions out there, for example:

Environment preparation

A domain whose A record (or CNAME) and MX record point at the host
A CentOS machine with MySQL installed (the lnmp.org one-click script is recommended, ideally installing phpMyAdmin along with it)
If you know how, create a separate MySQL user for the mail database. If not, using root directly also works
The commands in the next step are entered at the MySQL prompt

mysql> CREATE DATABASE mailserver;
mysql> USE mailserver;
mysql> CREATE TABLE `virtual_domains` (
  `id` int(11) NOT NULL auto_increment,
  `name` varchar(50) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB;
mysql> CREATE TABLE `virtual_users` (
  `id` int(11) NOT NULL auto_increment,
  `domain_id` int(11) NOT NULL,
  `password` varchar(106) NOT NULL,
  `email` varchar(100) NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `email` (`email`),
  FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE
) ENGINE=InnoDB;
mysql> CREATE TABLE `virtual_aliases` (
  `id` int(11) NOT NULL auto_increment,
  `domain_id` int(11) NOT NULL,
  `source` varchar(100) NOT NULL,
  `destination` varchar(100) NOT NULL,
  PRIMARY KEY (`id`),
  FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE
) ENGINE=InnoDB;

Good. Next, insert a few test rows; remember to replace the domain, email address and password with your own

mysql> INSERT INTO `virtual_domains`
  (`id` ,`name`)
VALUES
  ('1', 'example.com');
mysql> INSERT INTO `virtual_users`
  (`id`, `domain_id`, `password` , `email`)
VALUES
  ('1', '1', ENCRYPT('password', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16))), '[email protected]');

Installing Postfix + Dovecot

shell> yum install postfix dovecot dovecot-mysql

Postfix has two main configuration files: /etc/postfix/main.cf and /etc/postfix/master.cf
Backing up before editing is a good habit

First, create the files that connect Postfix to MySQL

Create /etc/postfix/mysql-virtual-mailbox-domains.cf

user = <MySQL username>
password = <MySQL password>
hosts = 127.0.0.1
dbname = mailserver
query = SELECT 1 FROM virtual_domains WHERE name='%s'

Create /etc/postfix/mysql-virtual-mailbox-maps.cf

user = <MySQL username>
password = <MySQL password>
hosts = 127.0.0.1
dbname = mailserver
query = SELECT 1 FROM virtual_users WHERE email='%s'

Create /etc/postfix/mysql-virtual-alias-maps.cf

user = <MySQL username>
password = <MySQL password>
hosts = 127.0.0.1
dbname = mailserver
query = SELECT destination FROM virtual_aliases WHERE source='%s'

Check that the lookups work

shell> postmap -q example.com mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
1
shell> postmap -q [email protected] mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
1

If your output matches mine, congratulations: the connection files are configured correctly

Configuring Postfix

Aaaah, we finally made it here
First, here is my finished version for reference


Now open /etc/postfix/main.cf in your editor and edit it along with me
Find myhostname = and fill in your hostname (the one your DNS records point at; it must match the output of hostnamectl, and if it does not, change the system hostname)

myorigin = your domain
inet_interfaces = all
mynetworks = 127.0.0.0/8 [::1]/128 (do not use 0.0.0.0/0 here: combined with permit_mynetworks in the restrictions below it would turn the server into an open relay)
mydestination = localhost (checking domains against the database is more general)

Next come the lines to append (if your configuration file already contains a parameter, modify it instead of appending a duplicate)

#User add
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem (check that this file exists)
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem (check that this file exists)
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
#Enabling SMTP for authenticated users, and handing off authentication to Dovecot
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
# Restrictions
smtpd_helo_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_invalid_helo_hostname,
        reject_non_fqdn_helo_hostname
smtpd_recipient_restrictions =
        reject_unauthenticated_sender_login_mismatch,
        reject_invalid_hostname,
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_recipient,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_unlisted_recipient,
        reject_unauth_destination
smtpd_sender_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        reject_sender_login_mismatch,
        reject_authenticated_sender_login_mismatch,
        reject_unauthenticated_sender_login_mismatch,
        reject_non_fqdn_recipient,
        reject_invalid_hostname
smtpd_relay_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        defer_unauth_destination
#Handing off local delivery to Dovecot's LMTP, and telling it where to store mail
virtual_transport = lmtp:unix:/var/spool/postfix/private/dovecot-lmtp
#Virtual domains, users, and aliases
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
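The order of the restriction lists above matters, and a permissive mynetworks undoes them: permit_mynetworks is evaluated first in smtpd_relay_restrictions, so any address covered by mynetworks may relay without authenticating. The checker below is an added example, not code from the original post; it parses a main.cf fragment constructed from the parameters above (with mynetworks = 0.0.0.0/0 as the weak value beside a loopback-only fix) and flags the open-relay combination and a SASL-without-TLS mismatch.

```python
import re

# Constructed sample: the relevant parameters from this post's main.cf, with mynetworks = 0.0.0.0/0.
SAMPLE_MAIN_CF = """\
mynetworks = 0.0.0.0/0
smtpd_tls_auth_only = yes
smtpd_sasl_auth_enable = yes
smtpd_relay_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        defer_unauth_destination
"""
# Same fragment with the safe value: only loopback is trusted, everyone else must pass SASL.
FIXED_MAIN_CF = SAMPLE_MAIN_CF.replace("0.0.0.0/0", "127.0.0.0/8 [::1]/128")

def parse_main_cf(text):
    """Parse main.cf syntax: 'key = value', continuation lines start with
    whitespace, '#' lines and blank lines are ignored."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key is not None:
            params[key] += " " + raw.strip()  # continuation of the previous value
            continue
        key, _, value = raw.partition("=")
        key = key.strip()
        params[key] = value.strip()
    return params

def restriction_list(params, name):
    """Postfix lists are separated by commas and/or whitespace; order is kept."""
    return [t for t in re.split(r"[,\s]+", params.get(name, "")) if t]

def open_relay_findings(params):
    """Findings that let unauthenticated clients relay, plus the TLS/SASL mismatch; empty means OK."""
    findings = []
    nets = params.get("mynetworks", "").replace("[", "").replace("]", "").split()
    world = [n for n in nets if n in ("0.0.0.0/0", "::/0", "0.0.0.0/0.0.0.0")]
    relay = restriction_list(params, "smtpd_relay_restrictions")
    # Restrictions run in order: permit_mynetworks before the unauth_destination check means "trusted" clients relay anywhere.
    stops = [relay.index(r) for r in ("reject_unauth_destination", "defer_unauth_destination") if r in relay]
    if world and "permit_mynetworks" in relay and (not stops or relay.index("permit_mynetworks") < min(stops)):
        findings.append("mynetworks covers every address and permit_mynetworks precedes "
                        "the unauth_destination check in smtpd_relay_restrictions: open relay")
    if params.get("smtpd_sasl_auth_enable") == "yes" and params.get("smtpd_tls_auth_only") != "yes":
        findings.append("SASL is enabled without smtpd_tls_auth_only = yes: clients may send credentials in clear")
    return findings
```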

Finally done... I won't tell you how long I spent on this file
Now open /etc/postfix/master.cf in your editor and edit it along with me

Er, I didn't back up what this one originally looked like; just make yours match the following

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#smtp      inet  n       -       n       -       1       postscreen
#smtpd     pass  -       -       n       -       -       smtpd
#dnsblog   unix  -       -       n       -       0       dnsblog
#tlsproxy  unix  -       -       n       -       0       tlsproxy
submission inet n       -       n       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

Everything further down does not need to be touched; leave it as is
Restart the service

shell> service postfix restart

Configuring Dovecot

The configuration files are all under /etc/dovecot; backing up before editing is a good habit

Uncomment the following lines in /etc/dovecot/dovecot.conf

protocols = imap pop3 lmtp
!include_try /usr/share/dovecot/protocols.d/*.protocol (ignore this one if it is not present)

Edit /etc/dovecot/conf.d/10-mail.conf

mail_location = maildir:/var/mail/vhosts/%d/%n (where received mail will be stored)
mail_privileged_group = mail

Create the directory and set its ownership

shell> mkdir -p /var/mail/vhosts/mydomain.com
shell> groupadd -g 5000 vmail
shell> useradd -g vmail -u 5000 vmail -d /var/mail
shell> chown -R vmail:vmail /var/mail

Edit /etc/dovecot/conf.d/10-auth.conf

disable_plaintext_auth = yes
auth_mechanisms = plain login
#!include auth-system.conf.ext
!include auth-sql.conf.ext

Edit /etc/dovecot/conf.d/auth-sql.conf.ext

passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}

Edit /etc/dovecot/dovecot-sql.conf.ext

If this file exists, edit it; if not, paste the following in and adjust it

driver = mysql
connect = host=127.0.0.1 dbname=mailserver user=<MySQL username> password=<MySQL password>
default_pass_scheme = SHA512-CRYPT
password_query = SELECT email as user, password FROM virtual_users WHERE email='%u';
user_query = SELECT ('5000') as 'uid',('5000') as 'gid'

Set the directory permissions

shell> chown -R vmail:dovecot /etc/dovecot
shell> chmod -R o-rwx /etc/dovecot

Edit /etc/dovecot/conf.d/10-master.conf

Set the ports to 0 to disable the unencrypted (non-SSL) IMAP and POP3 listeners

service imap-login {
  inet_listener imap {
    port = 0
  }
  ...
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  ...
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
service auth {
  # auth_socket_path points to this userdb socket by default. It's typically
  # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
  # full permissions to this socket are able to get a list of all usernames and
  # get the results of everyone's userdb lookups.
  #
  # The default 0666 mode allows anyone to connect to the socket, but the
  # userdb lookups will succeed only if the userdb returns an "uid" field that
  # matches the caller process's UID. Also if caller's uid or gid matches the
  # socket's uid or gid the lookup succeeds. Anything else causes a failure.
  #
  # To give the caller full permissions to lookup all users, set the mode to
  # something else than 0666 and Dovecot lets the kernel enforce the
  # permissions (e.g. 0777 allows everyone full permissions).
  unix_listener auth-userdb {
    mode = 0666
    user = vmail
    #group = postfix
  }
  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
  # Auth process is run as this user.
  #user = $default_internal_user
}
service auth-worker {
    # Auth worker process is run as root by default, so that it can access
    # /etc/shadow. If this isn't necessary, the user should be changed to
    # $default_internal_user.
    user = vmail
}

Edit /etc/dovecot/conf.d/10-ssl.conf

ssl = required
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem

Restart the Dovecot service

shell> service dovecot restart

Connection testing and debugging

All logs are written to /var/log/maillog

Dovecot debugging

Append the following to /etc/dovecot/dovecot.conf

mail_debug = yes
auth_verbose = yes
auth_debug = yes
auth_debug_passwords = yes
auth_verbose_passwords = yes

Postfix debugging

Edit /etc/postfix/main.cf

debug_peer_list = <your domain>
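Once the debug options above are on, maillog records every authentication attempt, and a pass over it shows which clients keep failing. The script below is an added example rather than code from the original post: it reads constructed maillog lines in the format Postfix smtpd and Dovecot imap-login/pop3-login produce, counts failed logins per client address, and flags any successful login without the TLS marker that ssl = required should guarantee.

```python
import re
from collections import Counter, defaultdict

# Constructed maillog lines (addresses, users and pids are made up) in the
# format Postfix smtpd and Dovecot imap-login/pop3-login write to /var/log/maillog.
SAMPLE_MAILLOG = """\
Mar  3 10:01:12 mail postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 10:01:15 mail postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Mar  3 10:01:20 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin@example.com>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2, TLS
Mar  3 10:02:02 mail dovecot: imap-login: Login: user=<user@example.com>, method=PLAIN, rip=198.51.100.9, lip=198.51.100.2, mpid=2210, TLS
Mar  3 10:02:40 mail postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 10:03:00 mail postfix/smtps/smtpd[2104]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 10:04:10 mail dovecot: pop3-login: Login: user=<user@example.com>, method=PLAIN, rip=192.0.2.5, lip=198.51.100.2, mpid=2215
"""

# Postfix: "postfix/smtpd[pid]: warning: host[ip]: SASL <mech> authentication failed: ..."
POSTFIX_FAIL = re.compile(
    r"postfix/(?:\S+/)?smtpd\[\d+\]: warning: \S+\[(?P<ip>[^\]]+)\]: SASL \w+ authentication failed")
# Dovecot: "imap-login: Disconnected (auth failed, N attempts ...): user=<u>, ..., rip=ip, ..."
DOVECOT_FAIL = re.compile(
    r"dovecot: (?:imap|pop3)-login: Disconnected \(auth failed, (?P<n>\d+) attempts"
    r".*?user=<(?P<user>[^>]*)>.*?rip=(?P<ip>[0-9a-f.:]+)")
# Dovecot: "imap-login: Login: user=<u>, ..., rip=ip, ..., TLS" (the TLS marker is absent on plaintext sessions)
DOVECOT_OK = re.compile(
    r"dovecot: (?:imap|pop3)-login: Login: user=<(?P<user>[^>]*)>.*?rip=(?P<ip>[0-9a-f.:]+)(?P<tls>.*\bTLS\b)?")

def summarize(log_text):
    """Count failed logins per client IP (Postfix SASL and Dovecot), collect the
    usernames each IP tried, and list successful logins that lack the TLS marker."""
    failures, users_tried, plaintext_logins = Counter(), defaultdict(set), []
    for line in log_text.splitlines():
        if m := POSTFIX_FAIL.search(line):
            failures[m["ip"]] += 1
        elif m := DOVECOT_FAIL.search(line):
            failures[m["ip"]] += int(m["n"])
            users_tried[m["ip"]].add(m["user"])
        elif (m := DOVECOT_OK.search(line)) and not m["tls"]:
            plaintext_logins.append((m["user"], m["ip"]))
    return {"failures": dict(failures),
            "users_tried": {ip: sorted(u) for ip, u in users_tried.items()},
            "plaintext_logins": plaintext_logins}

def noisy_clients(summary, threshold=3):
    """Client IPs with at least `threshold` failed logins, most failures first."""
    ranked = sorted(summary["failures"].items(), key=lambda kv: -kv[1])
    return [ip for ip, n in ranked if n >= threshold]
```

With auth_debug_passwords and auth_verbose_passwords enabled, maillog also contains the attempted passwords, so treat the file as sensitive and switch those options off once the fault is found.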

半亩方塘, all rights reserved. Unless otherwise noted, all content is original. This site is licensed under the CC BY-NC-SA 3.0 CN Anti-996 license.