2014-08-18 10:20:38
来 源
中存储网
Postfix
整个邮件解决方案由如下软件组成:功能模块 内容 备注操作系统(OS)安装时的注意事项1,磁盘分区由于是邮件系统,相关的日志和queue都会保存在var分区内,因此var分区要有足够的空间。以一块硬盘73G/内存3G的服务器为例。

整个邮件解决方案由如下软件组成:

功能模块 内容 备注 


操作系统(OS) FreeBSD FreeBSD是一个优秀的unix操作系统,基于宽松的BSD协议 


邮件传输代理(MTA) Postfix 使用2.4.x,ports中的postfix已经是最新的2.4版 


数据库/目录服务 mysql 5.0可选MySQL或其他mysql ,本文以mysql 5.0为蓝本 


邮件投递代理(MDA) maildrop 2.0.x 支持过滤和强大功能 


Web帐户管理后台 ExtMan-0.2.3 支持无限域名、无限用户 


POP3 服务器 Courier-IMAP 支持pop3/pop3s/imap/imaps,功能强大,可根据需要选择 


WebMail 系统 ExtMail-1.0.3 支持多语言、全部模板化,功能基本齐全 


防病毒软件(Anti-Virus) ClamAV 0.92 最热门的开源杀毒软件 


内容过滤器 Amavisd-new 2.5.x Content-Filter软件,支持与clamav/sa的挂接 


内容级别的反垃圾邮件工具 SpamAssassin 著名的SA,可以支持大量规则,但速度较慢 


SMTP认证库 Cyrus SASL 2.1x 标准的SASL实现库,可以支持Courier authlib 


其他数据认证库 Courier Authlib 0.60 authlib是maildrop, courier-imap等服务的关键部件 


日志分析及显示 mailgraph_ext 在ExtMan中已经包含了 


Web 服务器 Apache 2.2.x 最新版的apache服务器,默认支持ssl模块 


maillist软件 Mailman2.1.x 功能强大的邮件列表软件,支持基于web的管理 


操作系统安装


操作系统的安装建议参考FreeBSD Handbook,在此仅给出链接,以避免不必要的重复劳动: 


英文版


http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/install.html 


中文版


http://cnsnap.cn.freebsd.org/doc/zh_CN.GB2312/books/handbook/install.html 


安装时的注意事项


1,磁盘分区


由于是邮件系统,相关的日志和queue都会保存在var分区内,因此var分区要有足够的空间。以一块硬盘73G/内存3G的服务器为例,可做如下分区: 


/  512m


swap 4096m 


/var 5g


/tmp 512m


/usr 8g(尽量保证有10G左右)


/home 50g(剩下所有的空间)


2,软件包的选择 


我们的邮件系统是要对外服务的,所以尽可能少的选择软件包,安装时建议选择Minimal,然后进入Custom选择doc,info,man,src即可。 


配置


1,编辑/etc/rc.conf确保有如下内容: 


sshd_enable="YES"


named_enable="YES"


sendmail_enable="NONE"


编辑/etc/resolv.conf确保第一条nameserver记录是127.0.0.1,这样本地DNS缓存才有效,类似如下: 


domain  xxxxx.cn


nameserver      127.0.0.1


nameserver      202.106.0.20


然后执行如下命令: 


/etc/rc.d/named start 


2,根据硬件的配置重新编译内核,编译内核的办法参考FreeBSD Handbook,这里只给出链接: 


英文版


http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html 


中文版


http://cnsnap.cn.freebsd.org/doc/zh_CN.GB2312/books/handbook/kernelconfig.html 


编译后系统的性能将得到较大的提升. 


更新ports


根据你的情况执行 


cvsup -gL2 /usr/share/examples/cvsup/ports-supfile -h cvsup.freebsdchina.org 


或者 


portsnap fetch && portsnap update 


下载配置包


基本假定


整个系统的安装全过程都要求以root身份执行。并能够访问Internet。


安装前的准备


增加一个存储邮件的帐号和组(vmail)


执行如下命令 


pw group add vmail -g 1000


pw user add vmail -u 1000 -g 1000 -s /sbin/nologin -d /dev/null


给test用户创建路径


需要一个测试帐号[email]test@xxxxx.cn[/email],需要准备该账号的路径。 


mkdir -p /home/domains/xxxxx.cn/test/Maildir/new


mkdir -p /home/domains/xxxxx.cn/test/Maildir/cur


mkdir -p /home/domains/xxxxx.cn/test/Maildir/tmp


chown -R vmail:vmail /home/domains/


chmod -R 700 /home/domains/


ExtMan的安装


由于在安装过程中要使用ExtMan里面带的文件,因此在此先安装ExtMan。安装时根据个人需要选择MySQL或者mysql支持。 


cd /usr/ports/mail/extman/ && make install clean


安装时选择mysql


安装mysql


cd /usr/ports/databases/mysql50-server/ && make WITH_CHARSET=gbk WITH_XCHARSET=all WITH_PROC_SCOPE_PTH=yes BUILD_OPTIMIZED=yes BUILD_STATIC=yes SKIP_DNS_CHECK=yes WITHOUT_INNODB=yes install clean


编辑/etc/rc.conf


ee /etc/rc.conf


mysql_enable="YES"


复制 MySQL  配置文件


cp /usr/local/share/mysql/my-small.cnf /usr/local/etc/my.cnf


ee /usr/local/etc/my.cnf  


在[mysqld]组中加入下面的内容,部分内容看来如下


[mysqld]


bind_address=127.0.0.1


将mysql端口绑定到127.0.0.1主要因为该服务器只为本站提供服务,为了增加安全性,所以这样做。


启动 mysql-server


/usr/local/bin/mysql_install_db --user=mysql


cp /usr/local/etc/rc.d/mysql-server /usr/local/etc/rc.d/mysql.sh


/usr/local/etc/rc.d/mysql-server start


修改root用户的密码


/usr/local/bin/mysqladmin -u root -p password 


Enter password:


安装 openssl


cd /usr/ports/security/openssl/ && make install clean


安装配置文件


cp /usr/local/openssl/openssl.cnf.sample /usr/local/openssl/openssl.cnf


安装配置courier-imap POP3/IMAP


Courier-IMAP是一个提供POP3、IMAP服务的程序,能够很方便的配置使其支持加密协议POP3s、IMAPs。并良好的支持Maildir。 


Courier-imap的安装


安装时选择(如果你使用MySQL认证,则选择AUTH_MYSQL): 


OPENSSL


TRASHQUOTA


AUTH_MYSQL


cd /usr/ports/mail/courier-imap/ && make install clean


安装时选择 TRASHQUOTA  AUTH_MYSQL


Authlib的配置


mv /usr/local/etc/authlib/authdaemonrc /usr/local/etc/authlib/authdaemonrc.bak


编辑/usr/local/etc/authlib/authdaemonrc文件,内容类似如下: 


authmodulelist="authmysql"


authmodulelistorig="authmysql"


version="authdaemond.mysql"


daemons=5


authdaemonvar=/var/run/authdaemond


subsystem=mail


DEBUG_LOGIN=0


DEFAULTOPTIONS="wbnodsn=1"


LOGGEROPTS=""


增加/var/run/authdaemond的执行权限,在FreeBSD系统下,其他用户默认没有执行权限 


chmod +x /var/run/authdaemond 


mv /usr/local/etc/authlib/authmysqlrc /usr/local/etc/authlib/authmysqlrc.bak


编辑/usr/local/etc/authlib/authmysqlrc文件,内容类似如下: 


MYSQL_SERVER          localhost


MYSQL_USERNAME   extmail


MYSQL_PASSWORD   extmail


MYSQL_PORT          0


MYSQL_OPT          0


MYSQL_DATABASE   extmail


MYSQL_SELECT_CLAUSE         SELECT username,password,"",uidnumber,gidnumber,


CONCAT('/home/domains/',homedir),        


CONCAT('/home/domains/',maildir),        


quota,        


name        


FROM mailbox        


WHERE username = '$(local_part)@$(domain)'


配置支持POP3s


拷贝一份配置文件 


cp /usr/local/etc/courier-imap/pop3d.cnf.dist /usr/local/etc/courier-imap/pop3d.cnf 


编辑/usr/local/etc/courier-imap/pop3d.cnf文件,类似如下: 


RANDFILE = /usr/local/share/courier-imap/pop3d.rand


[ req ]


default_bits = 1024


encrypt_key = yes


distinguished_name = req_dn


x509_extensions = cert_type


prompt = no


[ req_dn ]


C=CN


ST=BJ


L=Bei Jing


O=Extmail


OU=Extmail


CN=xxxxx.cn


emailAddress=ppabc@qq.com


[ cert_type ]


nsCertType = server


执行如下命令产生供POP3s使用的证书 


/usr/local/sbin/mkpop3dcert 


配置支持IMAPs


拷贝一份配置文件 


cp /usr/local/etc/courier-imap/imapd.cnf.dist /usr/local/etc/courier-imap/imapd.cnf 


编辑/usr/local/etc/courier-imap/imapd.cnf文件,类似如下: 


RANDFILE = /usr/local/share/courier-imap/imapd.rand


[ req ]


default_bits = 1024


encrypt_key = yes


distinguished_name = req_dn


x509_extensions = cert_type


prompt = no


[ req_dn ]


C=CN


ST=BJ


L=Bei Jing


O=Extmail


OU=Extmail


CN=xxxxx.cn


emailAddress=ppabc@qq.com


[ cert_type ]


nsCertType = server


执行如下命令产生供IMAP使用的证书 


/usr/local/sbin/mkimapdcert 


配置自动启动


编辑/etc/rc.conf文件,添加如下行: 


courier_authdaemond_enable="YES"


courier_imap_pop3d_enable="YES"


courier_imap_imapd_enable="YES"


courier_imap_pop3d_ssl_enable="YES"


courier_imap_imapd_ssl_enable="YES"


这5行的作用分别是在开机时:启动authdaemond,启动pop3d,启动imapd,启动pop3d-ssl,启动imapd-ssl。也可以使用命令行来控制这些进程的启动或者停止。 


/usr/local/etc/rc.d/courier-authdaemond start/stop


/usr/local/etc/rc.d/courier-imap-pop3d start/stop


/usr/local/etc/rc.d/courier-imap-imapd start/stop


/usr/local/etc/rc.d/courier-imap-pop3d-ssl start/stop


/usr/local/etc/rc.d/courier-imap-imapd-ssl start/stop


Postfix的安装和配置-MTA


MTA在邮件系统中处于非常重要的位置,他负责接收其他人给你发的信,并且负责把你的信转发到目的地。选择一个靠谱的MTA对建立邮件来说意义重大,因此我们使用Postfix!! :-)。另外MTA部分在邮件系统中的开发难度是最高的,起到的作用也是最大的,因此我们也常拿MTA的名字来称呼自己的邮件系统,比如:我常说我的邮件系统是Postfix。 


安装postfix


安装时选择(如果你使用MySQL验证,可以选择MYSQL): 


PCRE


SASL2


TLS


MYSQL


VDA


TEST


cd /usr/ports/mail/postfix/ && make install clean


安装时选择PCRE SASL2 TLS MYSQL VDA TEST


配置postfix


编辑/etc/rc.conf,增加如下一行 


postfix_enable="YES" 


编辑/etc/aliases,确保有如下一行 


postfix: root 


替换掉系统带的sendmail程序 


mv /usr/sbin/sendmail /usr/sbin/sendmail.bak


cp /usr/local/sbin/sendmail /usr/sbin/sendmail


编辑/etc/periodic.conf,加入如下内容,禁掉sendmail的自动维护。 


daily_clean_hoststat_enable="NO"


daily_status_mail_rejects_enable="NO"


daily_status_include_submit_mailq="NO"


daily_submit_queuerun="NO"


执行如下命令 


/usr/local/sbin/postalias /etc/aliases


chown postfix:postfix /etc/opiekeys


/usr/local/sbin/postconf -e 'mydomain = xxxxx.cn'


/usr/local/sbin/postconf -e 'myhostname = mail.xxxxx.cn'


/usr/local/sbin/postconf -e 'myorigin = $mydomain'


/usr/local/sbin/postconf -e 'virtual_mailbox_base = /home/domains'


/usr/local/sbin/postconf -e 'virtual_uid_maps=static:1000'


/usr/local/sbin/postconf -e 'virtual_gid_maps=static:1000'


执行如下命令对查询表进行配置 


cp /usr/local/www/extman/docs/mysql_virtual_* /usr/local/etc/postfix/


/usr/local/sbin/postconf -e 'virtual_alias_maps = $alias_maps, mysql:/usr/local/etc/postfix/mysql_virtual_alias_maps.cf'


/usr/local/sbin/postconf -e 'virtual_mailbox_maps = mysql:/usr/local/etc/postfix/mysql_virtual_mailbox_maps.cf'


/usr/local/sbin/postconf -e 'virtual_mailbox_domains = mysql:/usr/local/etc/postfix/mysql_virtual_domains_maps.cf'


SMTP认证设置


编辑/usr/local/lib/sasl2/smtpd.conf 


pwcheck_method:authdaemond


log_level:3


mech_list:PLAIN LOGIN


authdaemond_path:/var/run/authdaemond/socket


对postfix做如下配置使支持smtp认证 


/usr/local/sbin/postconf -e 'smtpd_sasl_auth_enable=yes'


/usr/local/sbin/postconf -e 'broken_sasl_auth_clients = yes'


/usr/local/sbin/postconf -e 'smtpd_sasl_local_domain = $myhostname'


postfix反垃圾设置


此处的反垃圾邮件只是在MTA级的一些预防垃圾邮件的设置,可根据实际情况以及自己的需要进行调整。 


/usr/local/sbin/postconf -e 'smtpd_helo_required=yes'


/usr/local/sbin/postconf -e 'smtpd_delay_reject=yes'


/usr/local/sbin/postconf -e 'disable_vrfy_command=yes'


/usr/local/sbin/postconf -e 'smtpd_client_restrictions = check_client_access hash:/usr/local/etc/postfix/client_access'


/usr/local/sbin/postconf -e 'smtpd_helo_restrictions=reject_invalid_hostname,check_helo_access hash:/usr/local/etc/postfix/helo_access'


/usr/local/sbin/postconf -e 'smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain, check_sender_access hash:/usr/local/etc/postfix/sender_access'


/usr/local/sbin/postconf -e 'smtpd_recipient_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_recipient, reject_unknown_recipient_domain'


/usr/local/sbin/postconf -e 'smtpd_data_restrictions=reject_unauth_pipelining'


/usr/local/sbin/postconf -e 'header_checks = regexp:/usr/local/etc/postfix/head_checks'


/usr/local/sbin/postconf -e 'body_checks = regexp:/usr/local/etc/postfix/body_checks'


touch /usr/local/etc/postfix/head_checks


touch /usr/local/etc/postfix/body_checks


touch /usr/local/etc/postfix/client_access


touch /usr/local/etc/postfix/sender_access


touch /usr/local/etc/postfix/helo_access


/usr/local/sbin/postmap /usr/local/etc/postfix/head_checks


/usr/local/sbin/postmap /usr/local/etc/postfix/body_checks


/usr/local/sbin/postmap /usr/local/etc/postfix/client_access


/usr/local/sbin/postmap /usr/local/etc/postfix/sender_access


/usr/local/sbin/postmap /usr/local/etc/postfix/helo_access


TLS设置


生成证书,在这里默认私钥的访问密码为123qwe98,请根据自己的情况决定,以后可能会用得到。 


mkdir -p /usr/local/etc/postfix/certs/CA


cd /usr/local/etc/postfix/certs/CA


mkdir certs crl newcerts private


echo "01" > serial


touch index.txt


cp /usr/local/openssl/openssl.cnf        .


编辑openssl.cnf,确认dir参数的值是/usr/local/etc/postfix/certs/CA。然后继续执行如下命令,并根据情况输入信息。输入信息类似如下: 


Country Name (2 letter code) [AU]:CN


State or Province Name (full name) [Some-State]:BJ


Locality Name (eg, city) []:Bei Jing


Organization Name (eg, company) [Internet Widgits Pty Ltd]:Extmail


Organizational Unit Name (eg, section) []:extmail


Common Name (eg, YOUR name) []:xxxxx.cn


Email Address []:ppabc@qq.com


命令如下: 


openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 3650 -config openssl.cnf 


openssl req -nodes -new -x509 -keyout mykey.pem -out myreq.pem -days 3650 -config openssl.cnf


openssl x509 -x509toreq -in myreq.pem -signkey mykey.pem -out tmp.pem


openssl ca -config openssl.cnf -policy policy_anything -out mycert.pem -infiles tmp.pem


rm tmp.pem


cp cacert.pem /usr/local/etc/postfix/certs/


cp mycert.pem /usr/local/etc/postfix/certs/


cp mykey.pem /usr/local/etc/postfix/certs/


cd /usr/local/etc/postfix/certs/


chown root:wheel cacert.pem mycert.pem


chown root:postfix mykey.pem


chmod 755 cacert.pem


chmod 644 mycert.pem


chmod 440 mykey.pem


ln -s cacert.pem `openssl x509 -noout -hash < cacert.pem `.0


配置postfix支持TLS 


/usr/local/sbin/postconf -e 'smtpd_use_tls=yes'


/usr/local/sbin/postconf -e 'smtpd_tls_auth_only=no'


/usr/local/sbin/postconf -e 'smtp_tls_CAfile = /usr/local/etc/postfix/certs/cacert.pem'


/usr/local/sbin/postconf -e 'smtp_tls_cert_file = /usr/local/etc/postfix/certs/mycert.pem'


/usr/local/sbin/postconf -e 'smtp_tls_key_file = /usr/local/etc/postfix/certs/mykey.pem'


/usr/local/sbin/postconf -e 'smtpd_tls_CAfile=/usr/local/etc/postfix/certs/cacert.pem'


/usr/local/sbin/postconf -e 'smtpd_tls_cert_file=/usr/local/etc/postfix/certs/mycert.pem'


/usr/local/sbin/postconf -e 'smtpd_tls_key_file=/usr/local/etc/postfix/certs/mykey.pem'


/usr/local/sbin/postconf -e 'smtpd_tls_received_header=yes'


/usr/local/sbin/postconf -e 'smtpd_tls_loglevel=3'


/usr/local/sbin/postconf -e 'smtpd_starttls_timeout=60s'


/usr/local/etc/postfix/master.cf


配置master.cf,添加如下信息 


smtps     inet  n       -       n       -       -       smtpd


  -o smtpd_tls_wrappermode=yes


  -o smtpd_sasl_auth_enable=yes


  -o smtpd_client_restrictions=permit_sasl_authenticated,reject


Maildrop的安装和配置-MDA


MDA-邮件分发代理。他从MTA那儿拿到信,然后存入您的邮箱里面。MDA在投递邮件到您的目录里面时,会先对邮件进行一些过滤,过滤规则会根据您的配置文件来进行。1,进行全局过滤设置,读取/etc/maildroprc(Linux)或者/usr/local/etc/maildroprc(BSD),根据配置该配置文件执行相应的操作,影响到所有用户;2,根据每个用户的配置进行过滤,读取$HOME/.mailfilter,根据每个用户的设置进行相应的操作,仅影响单个用户。基于这样的特点,WEBMAIL通过编辑$HOME/.mailfilter可以实现一些特色化的东西,比如:黑白名单、SPAM自动转入垃圾邮件夹、SMS提醒等等。 


安装maildrop


cd /usr/ports/mail/maildrop/ && make WITH_AUTHLIB=yes install clean


安装时选择mysql


 


修改master.cf


修改master.cf的maildrop,类似修改为: 


#maildrop  unix  -       n       n       -       -       pipe


#  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}


maildrop  unix  -       n       n       -       -       pipe


  flags=DRhu user=vmail:vmail argv=/usr/local/bin/maildrop -w 90 -d ${recipient}


/usr/local/etc/postfix/main.cf


修改main.cf


/usr/local/sbin/postconf -e 'virtual_transport=maildrop:'


/usr/local/sbin/postconf -e 'maildrop_destination_concurrency_limit=1'


/usr/local/sbin/postconf -e 'maildrop_destination_recipient_limit=1'


编辑文件/usr/local/etc/maildroprc


确保是如下内容: 


logfile "/home/domains/maildrop.log"


#logfile "/var/log/maildrop.log"


TEST="/bin/test -f"


#


# Check for custom user .mailfilter file


#


CUSTOM_FILTER="$HOME/.mailfilter"


`$TEST $CUSTOM_FILTER && exit 1 || exit 0`


if ( $RETURNCODE == 0 )


{


        to "$HOME/Maildir"


}


安装配置Apache


安装apache


添加了这两个参数的意思是,支持suexec模块,改变suexec_docroot的路径。但在本文中并没有在虚拟主机中使用suexec,在此编译进去是为了方便测试,以及方便以后可能会使用到的朋友。其他选项使用默认的即可。 


cd /usr/ports/www/apache22/ && make WITH_SUEXEC=yes SUEXEC_DOCROOT=/usr/local/www WITH_MPM=worker WITHOUT_IPV6=yes WITH_THREADS=yes install clean


使用默认的即可


配置/etc/rc.conf


添加如下一行 


apache22_enable="YES" 


修改apache的配置文件/usr/local/etc/apache22/httpd.conf,使apache运行时的权限为vmail:vmail 


User vmail


Group vmail


虚拟主机配置


编辑/usr/local/etc/apache22/Includes/extmail.conf 


NameVirtualHost *:80


<VirtualHost *:80>


    ServerName mail.xxxxx.cn


    DocumentRoot /usr/local/www/extmail/html/


    ScriptAlias /extmail/cgi /usr/local/www/extmail/cgi/


    Alias /extmail /usr/local/www/extmail/html/


    ScriptAlias /extman/cgi "/usr/local/www/extman/cgi/"


    Alias /extman "/usr/local/www/extman/html/"


    <Location "/extman/cgi">


        SetHandler cgi-script


        Options +ExecCGI


        AllowOverride All


    </Location>


    <Directory "/usr/local/www">


        AllowOverride None


        Options None


        Order allow,deny


        Allow from all


    </Directory>


#    SuexecUserGroup vmail vmail


</VirtualHost>


配置支持https


复制一份证书到apache的目录 


mkdir /usr/local/etc/apache22/certs/


cp /usr/local/etc/postfix/certs/*.pem /usr/local/etc/apache22/certs/


编辑文件/usr/local/etc/apache22/Includes/extmail-ssl.conf,内容如下 


Listen 443


AddType application/x-x509-ca-cert .crt


AddType application/x-pkcs7-crl    .crl


SSLPassPhraseDialog  builtin


SSLSessionCache        shmcb:/var/run/ssl_scache(512000)


SSLSessionCacheTimeout  300


SSLMutex  file:/var/run/ssl_mutex


<VirtualHost _default_:443>


DocumentRoot "/usr/local/www/extmail/html"


ServerName mail.xxxxx.cn:443


ScriptAlias /extmail/cgi /usr/local/www/extmail/cgi/


Alias /extmail /usr/local/www/extmail/html/


ScriptAlias /extman/cgi "/usr/local/www/extman/cgi/"


Alias /extman "/usr/local/www/extman/html/"


ServerAdmin [email]ppabc@qq.com[/email]


ErrorLog /var/log/httpd-error.log


TransferLog /var/log/httpd-access.log


SSLEngine on


SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL


#SSLCertificateFile /usr/local/etc/apache22/server.crt


#SSLCertificateKeyFile /usr/local/etc/apache22/server.key


SSLCertificateFile /usr/local/etc/apache22/certs/mycert.pem


SSLCertificateKeyFile /usr/local/etc/apache22/certs/mykey.pem


<FilesMatch ".(cgi|shtml|phtml|php)$">


    SSLOptions +StdEnvVars


</FilesMatch>


<Directory "/usr/local/www/apache22/cgi-bin">


    SSLOptions +StdEnvVars


</Directory>


BrowserMatch ".*MSIE.*"


         nokeepalive ssl-unclean-shutdown


         downgrade-1.0 force-response-1.0


CustomLog /var/log/httpd-ssl_request.log


          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b"


#SuexecUserGroup vmail vmail


</VirtualHost>


重起一下apache 


/usr/local/etc/rc.d/apache22.sh restart 


安装配置Extmail


Extmail 是一个以perl语言编写,面向大容量/ISP级应用,免费的高性能Webmail软件。完整的支持Maildir++, 多字符、多语言支持,支持模版技术、方便的为自己定制界面等等。


[ 本帖最后由 ppabc 于 2008-5-31 10:18 编辑 ]


 ppabc 回复于:2008-05-31 10:13:52
安装extmail


安装不需要选择MySQL,mysql,因为在安装ExtMan的时候已经把这些包装上了。 


cd /usr/ports/mail/extmail && make install clean


安装不需要选择MySQL


复制一份配置文件 


cp /usr/local/www/extmail/webmail.cf.default /usr/local/www/extmail/webmail.cf 


编辑/usr/local/www/extmail/webmail.cf,修改对应的参数如下 


SYS_CONFIG = /usr/local/www/extmail/        


SYS_LANGDIR = /usr/local/www/extmail/lang        


SYS_TEMPLDIR = /usr/local/www/extmail/html


SYS_SESS_DIR = /var/tmp/extmail/ 


SYS_LOG_TYPE = file


SYS_USER_LANG = zh_CN


SYS_USER_CHARSET = utf-8


SYS_AUTH_TYPE = mysql


SYS_MAILDIR_BASE = /home/domains


SYS_mysql_BASE = dc=xxxxx.cn


SYS_mysql_RDN = cn=Manager,dc=xxxxx.cn


SYS_mysql_PASS = secret


SYS_mysql_HOST = mysql.xxxxx.cn


SYS_mysql_ATTR_USERNAME = mail


SYS_mysql_ATTR_DOMAIN = virtualDomain


SYS_mysql_ATTR_PASSWD = userPassword


SYS_mysql_ATTR_QUOTA = mailQuota


SYS_mysql_ATTR_NDQUOTA = netdiskQuota


SYS_mysql_ATTR_HOME = homeDirectory


SYS_mysql_ATTR_MAILDIR = mailMessageStore


执行如下命令 


mkdir /var/tmp/extmail


chown vmail:vmail /var/tmp/extmail/


chmod 777 /var/tmp/extmail


touch /var/log/extmail.log


chown vmail:vmail /var/log/extmail.log


chown -R vmail:vmail /usr/local/www/extmail/


配置ExtMan


ExtMan是一个基于Web的邮件帐号管理系统。可以通过他来管理邮件帐号、管理员帐号和域名等,默认的超级用户是 [email]root@xxxxx.cn[/email],密码是extmail*123* ExtMan还集成了mailgraph,可以ExtMan内看到整个邮件系统的相关状态流量图。使用ExtMan来管理您的邮件系统将使工作变得更加轻松。之前我们已经安装了ExtMan,在此直接配置webman.cf即可。 


配置extman


编辑/usr/local/www/extman/webman.cf,修改对应的参数如下 


SYS_CONFIG = /usr/local/www/extman/


SYS_LANGDIR = /usr/local/www/extman/lang


SYS_TEMPLDIR = /usr/local/www/extman/html


SYS_MAILDIR_BASE = /home/domains


SYS_SESS_DIR = /var/tmp/extman/


SYS_PSIZE = 50


SYS_LANG = zh_CN


SYS_DEFAULT_MAXQUOTA = 10000


SYS_DEFAULT_MAXALIAS = 10000


SYS_DEFAULT_MAXUSERS = 1000


SYS_DEFAULT_MAXNDQUOTA = 100


SYS_BACKEND_TYPE = mysql


SYS_mysql_BASE = dc=xxxxx.cn


SYS_mysql_RDN = cn=Manager,dc=xxxxx.cn


SYS_mysql_PASS = secret


SYS_mysql_HOST = localhost


SYS_mysql_ATTR_USERNAME = mail


SYS_mysql_ATTR_PASSWD = userPassword


其他设置


执行如下命令 


mkdir /var/lib


mkdir /var/tmp/extman/


chown –R vmail:vmail /var/tmp/extman/


chmod 777 /var/tmp/extman/


chmod 755 /usr/local/www/extman/webman.cf


unlink /usr/local/www/extman/libs/HTML/KTemplate.pm


cp /usr/local/www/extmail/libs/HTML/KTemplate.pm /usr/local/www/extman/libs/HTML/


配置图形日志


安装依赖软件 


cd /usr/ports/databases/rrdtool && make install clean


cd /usr/ports/devel/p5-File-Tail && make install clean


cd /usr/ports/devel/p5-Time-HiRes && make install clean


安装mailgraph_ext 


cp -Rfp /usr/local/www/extman/addon/mailgraph_ext/ /usr/local/mailgraph_ext


/usr/local/mailgraph_ext/mailgraph-init start


/usr/local/mailgraph_ext/qmonitor-init start


测试基本系统


到目前为止,一个基本的邮件系统已经安装完成,他支持了smtp,pop3,imap,webmail。并且支持对应的SSL加密smtps,pop3s,imaps,https。 


测试pop3


telnet localhost 110


Trying 127.0.0.1...


Connected to localhost.localdomain (127.0.0.1).


Escape character is '^]'.


+OK Hello there.


user [email]test@xxxxx.cn[/email]


+OK Password required.


pass test


+OK logged in.


list


+OK POP3 clients that break here, they violate STD53.


.


quit


+OK Bye-bye.


Connection closed by foreign host.


测试smtp认证


通过以下命令获得[email]test@xxxxx.cn[/email]的用户名及密码的BASE64编码: 


perl -e 'use MIME::Base64; print encode_base64("test@xxxxx.cn")'


dGVzdEBleHRtYWlsLm9yZw==


perl -e 'use MIME::Base64; print encode_base64("test")'


dGVzdA==


然后本机测试,其过程如下 


telnet localhost 25


Trying 127.0.0.1...


Connected to localhost.localdomain (127.0.0.1).


Escape character is '^]'.


220 mail.xxxxx.cn ESMTP Postfix - by xxxxx.cn


ehlo demo.domain.tld


250-mail.xxxxx.cn


250-PIPELINING


250-SIZE 10240000


250-VRFY


250-ETRN


250-AUTH LOGIN PLAIN


250-AUTH=LOGIN PLAIN


250-ENHANCEDSTATUSCODES


250-8BITMIME


250 DSN


auth login


334 VXNlcm5hbWU6


dGVzdEBleHRtYWlsLm9yZw==


334 UGFzc3dvcmQ6


dGVzdA==


235 2.0.0 Authentication successful


quit


221 2.0.0 Bye


最后出现235 Authentication Successful 表明认证成功了。 


测试smtps


mail# telnet localhost 25


Trying ::1...


Trying 127.0.0.1...


Connected to localhost.localhostadmin.


Escape character is '^]'.


220 mail.xxxxx.cn ESMTP Postfix


ehlo localhost


250-mail.xxxxx.cn


250-PIPELINING


250-SIZE 10240000


250-ETRN


250-STARTTLS


250-AUTH LOGIN PLAIN


250-AUTH=LOGIN PLAIN


250-ENHANCEDSTATUSCODES


250-8BITMIME


250 DSN


STARTTLS


220 2.0.0 Ready to start TLS


^]


telnet> q


Connection closed.


测试pop3s/imaps


telnet连接本机的993,995端口出现如下提示: 


telnet localhost 993


Trying ::1...


telnet: connect to address ::1: Connection refused


Trying 127.0.0.1...


Connected to localhost.localhostadmin.


Escape character is '^]'.


^]


telnet> q


Connection closed.


telnet localhost 995


Trying ::1...


telnet: connect to address ::1: Connection refused


Trying 127.0.0.1...


Connected to localhost.localhostadmin.


Escape character is '^]'.


^]


telnet> q


Connection closed.


也可以在OutLook中如下设置进行测试 


 


测试webmail/extman


你能通过如下链接登陆webmail 


http://mail.xxxxx.cn


https://mail.xxxxx.cn


http://mail.xxxxx.cn/extman


https://mail.xxxxx.cn/extman


内容/病毒过虑


安装amavisd-new


amavisd-new是一个类似Mailscanner的解信的程序,他可以调用外部的杀毒/反垃圾来对邮件进行过滤,很方便的实现病毒过滤,内容过滤。amavisd和mailscanner的不同在于,他使用SMTP协议通信,处理完后再回传给Postfix,整个过程不会对Postfix造成任何结构上的影响。Mailscanner必须监视Postfix的Hold队列,采用比较暴力的做法。 


cd /usr/ports/security/amavisd-new && make install clean


安装时选择 BDB MILTER SPAMASSASSIN FILE RAR UNRAR ARJ LHA ARC CAB RPM ZOO UNZOO LZOP FREEZE P7ZIP


修改/etc/rc.conf增加如下一行,系统启动时自动运行amavisd 


amavisd_enable="YES"


配置amavisd.conf


修改/usr/local/etc/amavisd.conf文件中对应的选项,如下 


$max_servers = 10;


$sa_spam_subject_tag = '[SPAM] ';


$mydomain = 'mail.xxxxx.cn';


$myhostname = 'mail.xxxxx.cn';


@local_domains_maps = qw(.);


$sa_tag_level_deflt  = undef;


$sa_tag2_level_deflt = 5.0;


$sa_kill_level_deflt = 5.0;


$final_virus_destiny      = D_DISCARD;


$final_banned_destiny     = D_DISCARD;


$final_spam_destiny       = D_DISCARD;


$virus_admin               = "postmaster@$mydomain";


$mailfrom_notify_admin     = "postmaster@$mydomain";


$mailfrom_notify_recip     = "postmaster@$mydomain";


$mailfrom_notify_spamadmin = "postmaster@$mydomain";


@whitelist_sender_maps = read_hash("$MYHOME/white.lst");


@blacklist_sender_maps = read_hash("$MYHOME/black.lst");


$spam_quarantine_to = "spam@$mydomain";


$virus_quarantine_to = "virus@$mydomain";


$banned_quarantine_to = "spam@$mydomain";


$hdrfrom_notify_admin = "Content Filter ";


执行如下操作 


touch /var/amavis/white.txt


touch /var/amavis/black.txt


chown –R vscan:vscan /var/amavis/


配置postfix对amavisd-new的支持


修改/usr/local/etc/postfix/master.cf,增加如下内容 


smtp-amavis  unix    -    -    n    -    4    smtp


        -o smtp_data_done_timeout=1200


        -o smtp_send_xforward_command=yes


        -o disable_dns_lookups=yes


127.0.0.1:10025 inet    n    -    n    -    -    smtpd


        -o content_filter=


        -o local_recipient_maps=


        -o relay_recipient_maps=


        -o smtpd_restriction_classes=


        -o smtpd_helo_restrictions=


        -o smtpd_sender_restrictions=


        -o smtpd_recipient_restrictions=permit_mynetworks,reject


        -o mynetworks=127.0.0.0/8


        -o strict_rfc821_envelopes=yes


        -o smtpd_error_sleep_time=0


        -o smtpd_soft_error_limit=1001


        -o smtpd_hard_error_limit=1000


        -o receive_override_options=


修改content_filter ,receive_override_options这两项,禁止地址展开/影射,否则遇到别名时会产生冗余邮件。但是打开这一项receive_override_options后会和邮件列表程序相冲突,导致邮件列表的aliases不能打开。:(所以如果使用了邮件列表,则不要设置receive_override_options这一项。 


/usr/local/sbin/postconf -e 'content_filter = smtp-amavis:[localhost]:10024'


/usr/local/sbin/postconf -e 'receive_override_options = no_address_mappings'


配置clamav


Clamav是一个比较好的杀毒程序,他被amavisd调用,可以查杀所有常见的病毒,在邮件系统中我们用它来对邮件进行查毒, 


cd /usr/ports/security/clamav && make install clean


安装时选择 ARC ARJ LHA UNZOO UNRAR


修改配置文件


编辑/usr/local/etc/clamd.conf 


User vscan


编辑/usr/local/etc/freshclam.conf 


DatabaseOwner vscan


修改/etc/rc.conf增加两行 


clamav_clamd_enable="YES"


clamav_freshclam_enable="YES"


修改/usr/local/etc/amavisd.conf,增加如下内容,使amavis-new对clamav的支持 


['ClamAV-clamd',


   &ask_daemon, ["CONTSCAN {}n", "/var/run/clamav/clamd"],


   qr/bOK$/, qr/bFOUND$/,


   qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],


修改权限设置


chown -R vscan:vscan /var/run/clamav/


chown -R vscan:vscan /var/log/clamav/


chown -R vscan:vscan /var/db/clamav/


启动clamav。clamav有2个daemon需要启动,一个是用来查病毒的clamd,另外一个是用来更新病毒库的freshclam,他们分别通过如下脚本启动。 


/usr/local/etc/rc.d/clamav-clamd start


/usr/local/etc/rc.d/clamav-freshclam start


配置Spamassassin


开源软件中最好的内容过滤程序,做内容过滤的必选。 


配置


cp /usr/local/etc/mail/spamassassin/local.cf.sample /usr/local/etc/mail/spamassassin/local.cf 


修改/usr/local/etc/mail/spamassassin/local.cf 


report_safe             1


use_bayes               0


auto_learn              0


bayes_auto_expire       1


skip_rbl_checks         1


use_razor2              0


use_dcc                 0


use_pyzor               0


dns_available           no


lock_method             flock


使用Chinese_rules.cf


fetch得到这个规则后可以看到,他从2006年10月2日以来,都没有再更新过了,因此是否仍然使用该规则取决于您自己。如果仍然想继续使用,按照如下的操作即可。 


-rw-r--r-- 1 root wheel 55342 Oct 2 2006 Chinese_rules.cf 


编辑脚本/var/cron/sa.sh 


#!/bin/sh


cd /tmp/


fetch -q http://www.ccert.edu.cn/spam/sa/Chinese_rules.cf


mv Chinese_rules.cf /usr/local/share/spamassassin/


/usr/local/etc/rc.d/amavisd forcerestart > /dev/null


增加执行权限 


chmod +x /var/cron/sa.sh 


编辑/etc/crontab,增加一行如下,每周6执行一次 


0 0 * * 6 root /var/cron/sa.sh 


测试杀毒/内容过滤


测试杀毒。在做该测试之前,你需要确保你的clamd,amavisd,postfix都正常启动。可以通过如下脚本来启动他们。 


/usr/local/etc/rc.d/clamav-clamd restart


/usr/local/etc/rc.d/amavisd restart


/usr/local/etc/rc.d/postfix restart


telnet localhost 25


Trying 127.0.0.1...


Connected to localhost.localdomain (127.0.0.1).


Escape character is '^]'.


220 mail.xxxxx.cn ESMTP Postfix - by xxxxx.cn


helo localhost


250 mail.xxxxx.cn


mail from:<[email]ppabc@qq.com[/email]>


250 2.1.0 Ok


rcpt to:<[email]test@xxxxx.cn[/email]>


250 2.1.5 Ok


data


354 End data with .


X5O!P%@AP[4PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


.


250 2.0.0 Ok: queued as BC24E85260


quit


221 2.0.0 Bye


Connection closed by foreign host.


maillog中出现类似如下日志则说明clamav和amavid-new正常工作 


Aug 3 15:42:41 mail amavis[730]: (00730-01) Blocked INFECTED (Eicar-Test-Signature), LOCAL [127.0.0.1] [127.0.0.1] -> , quarantine: virus-4JnxM33M2NNc, Message-ID: <[email]20060803074227.7F9581701D@mail.xxxxx.cn[/email]>, mail_id: 4JnxM33M2NNc, Hits: -, 212 ms 


安装邮件列表软件mailman


Mailman是一个比较好的邮件列表程序,功能非常强大,提供完美的Web端,权限可以分散管理,多个开源组织都在使用。 


安装mailman


cd /usr/ports/mail/mailman && make MAIL_GID=mailman CGI_GID=vmail install clean


安装时选择: POSTFIX   CHINESE


在此使用mailman做为MAIL_GID是为了避免在后期的维护中使用check_perms -f修复权限的时候,mailman会自动默认修改为mailman这个用户来转发邮件。而使用 CGI_GID=vmail作为mailman的CGI执行权限是为了跟extmail/extman执行cgi时的权限一致。 


配置/etc/rc.conf


增加一行 


mailman_enable="YES" 


配置postfix支持


touch /usr/local/mailman/data/aliases


touch /usr/local/mailman/data/virtual-mailman


/usr/local/sbin/postconf -e 'recipient_delimiter=+'


/usr/local/sbin/postconf -e 'alias_maps=hash:/etc/aliases, hash:/usr/local/mailman/data/aliases'


postalias /usr/local/mailman/data/aliases


/usr/local/sbin/postconf -e 'virtual_alias_maps = mysql:/usr/local/etc/postfix/mysql_virtual_alias_maps.cf, hash:/usr/local/mailman/data/virtual-mailman'


postalias /usr/local/mailman/data/aliases


postmap /usr/local/mailman/data/virtual-mailman


/usr/local/sbin/postconf -e 'default_privs = mailman'


postfix reload


配置mailman


cd /usr/local/mailman


/usr/local/mailman/bin/genaliases


chown -R vmail:mailman /usr/local/mailman/data/aliases*


chown -R vmail:mailman /usr/local/mailman/data/virtual-mailman*


chmod 664 /usr/local/mailman/data/aliases*


chmod 664 /usr/local/mailman/data/virtual-mailman*


cp -Rfp icons/ cgi-bin/icons


cp /usr/local/www/icons/powerlogo.gif cgi-bin/icons/


修改管理员密码,在这里我默认为123qwe98 


bin/mmsitepass 


编辑/usr/local/mailman/Mailman/mm_cfg.py,增加如下内容 


MTA = 'Postfix'


POSTFIX_STYLE_VIRTUAL_DOMAINS = ['lists.xxxxx.cn']


add_virtualhost('lists.xxxxx.cn','lists.xxxxx.cn')


DEFAULT_EMAIL_HOST = 'lists.xxxxx.cn'


DEFAULT_URL_HOST = 'lists.xxxxx.cn'


DEFAULT_SERVER_LANGUAGE = 'zh_CN'


创建一个邮件列表mailman


mailman列表为必须创建的,管理员邮箱使用[email]root@xxxxx.cn[/email],密码使用12345678 


bin/newlist mailman 


配置apache支持mailman


在文件/usr/local/etc/apache22/Includes/extmail.conf中添加如下内容。 


<VirtualHost *:80>


    ServerName lists.xxxxx.cn


    DocumentRoot /usr/local/mailman/cgi-bin/


    ScriptAlias /mailman "/usr/local/mailman/cgi-bin/"


    Alias /pipermail /usr/local/mailman/archives/public/ 


    <Directory "/usr/local/mailman/archives/public/">


        AddDefaultCharset Off


    </Directory>


    <Directory "/usr/local/mailman">


        Options FollowSymLinks ExecCGI


        AllowOverride None


        Order allow,deny


        Allow from all


    </Directory>


</VirtualHost>


重启APACHE


/usr/local/sbin/apachectl restart


解压extman


tar xzf extman-0.24.tar.gz


进入 docs  目录,导入 msyql  数据


cd /usr/local/www/extman/docs


cd extman-0.2.4/docs/


/usr/local/bin/mysql -uroot -p <extmail.sql 


Enter password:


/usr/local/bin/mysql -uroot -p < init.sql 


Enter password:


默认密码[email]root@extmail.org[/email]  extmail*123*


默认数据库位置/var/db/mysql/extmail


测试以及通过web使用mailman


你能通过如下链接管理和查看相关信息,使用密码12345678登陆mailman系统。也可以通过系统管理密码123qwe98创建新的邮件列表。 


http://lists.xxxxx.cn/mailman/admin/mailman


http://lists.xxxxx.cn/mailman/listinfo/mailman


http://lists.xxxxx.cn/mailman/create


更强大的功能在登陆列表的web管理界面后你能看到,比如调整显示界面为中文等等。 


附加信息


以下是补充的ExtMail Solution有关文档,提供了一些维护方法以及技巧等。 


只使用pop3


如果你的邮件服务器只打算使用pop3功能不打算使用更多,你可以如下这么做:修改/etc/rc.conf,注释掉pop3s,imap,imaps对应的启动选项 


courier_imap_pop3d_enable="YES"


#courier_imap_imapd_enable="YES"


#courier_imap_pop3d_ssl_enable="YES"


#courier_imap_imapd_ssl_enable="YES"


然后停止正在运行中的pop3s,imap,imaps进程 


/usr/local/etc/rc.d/courier-imap-imapd-ssl.sh forcestop


/usr/local/etc/rc.d/courier-imap-imapd.sh forcestop


/usr/local/etc/rc.d/courier-imap-pop3d-ssl.sh forcestop


/usr/local/etc/rc.d/courier-imap-imapd-ssl forcestop


/usr/local/etc/rc.d/courier-imap-imapd forcestop


/usr/local/etc/rc.d/courier-imap-pop3d-ssl forcestop


只使用smtp


修改/usr/local/etc/postfix/master.cf,注释掉对应的smtps选项 


#smtps     inet  n       -       n       -       -       smtpd


#  -o smtpd_tls_wrappermode=yes


#  -o smtpd_sasl_auth_enable=yes


#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject


然后重新加载以下postfix 


postfix reload 


只使用https


有时候为了安全,我们可能只能使用https,那么在用户连http://mail.xxxxx.cn的时候,就要自动重定向到https://mail.xxxxx.cn 做起来很简单,修改我们虚拟主机配置文件(extmail.conf),在虚拟主机配置内添加如下一条指令即可 


Redirect / https://mail.xxxxx.cn/ 


注意:一定不能添加到ssl的配置文件中,也就是extmail-ssl.conf中,这样会造成重定向的循环。 


postfix日常维护


启动postfix 


postfix start 开始 postfix


postfix stop 停止 postfix 


postfix reload  重新读取postfix配置文件


postfix flush 立即投递队列中所有邮件(慎用) 


postqueue -p  查看队列邮件 


mailq


postqueue -p |tail 


postsuper -d queue_id  删掉邮件队列


postcat 查看队列里邮件内容


postsuper -d ALL hold/deffered... 删除某个队列里所有邮件


修复队列以及任何权限错误 


postfix check


查看邮件系统日志 


tail -f /var/log/maillog

声明: 此文观点不代表本站立场;转载须要保留原文链接;版权疑问请联系我们。