2016年12月4日 星期日

CentOS 7 安裝 ExtMail

參考資料: http://linuxu.blog.51cto.com/9471357/1641436
參考資料: http://www.cloudchinese.com/News/detail/id/51.html
運作流程:
e-mail --> [postifx (*:25)] -->[amavisd-new (127.0.0.1:10024)]
-->[SpamAssassine過濾垃圾郵件,ClamAV掃毒]
-->[postfix (127.0.0.1:10025)] -->[delivery agent (local/smtp/...)]

yum install -y http://dev.mysql.com/get/mysql-community-release-el7-5.noarch.rpm

yum install -y http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

yum install nginx vi gcc gcc-c++ openssl openssl-devel db4-devel ntpdate mysql mysql-devel mysql-server bzip2 php-mysql cyrus-sasl-md5 perl-GD perl-DBD-MySQL perl-GD perl-CPAN perl-CGI perl-CGI-Session cyrus-sasl-lib cyrus-sasl-plain cyrus-sasl cyrus-sasl-devel libtool-ltdl-devel telnet mailx libicu-devel -y

CentOS 套件安裝 :
yum grouplist
yum groupinstall 'Development Tools'
yum install -y pcre-devel perl-rrdtool amavisd-new perl-Time-HiRes perl-devel

RPM 安裝的 postfix 可能不支援 MySQL 認證,一併刪除 Postfix 帳號及群組:

yum remove postfix -y

userdel postfix

groupdel postdrop

新增自訂的 Postfix 帳號及群組:

groupadd -g 2525 postfix

useradd -g postfix -u 2525 -s /sbin/nologin -M postfix

groupadd -g 2526 postdrop

useradd -g postdrop -u 2526 -s /sbin/nologin -M postdrop

下載 postfix tar 檔安裝:
wget ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-3.1.1.tar.gz

tar xf postfix-3.1.1.tar.gz

cd postfix-3.1.1

make makefiles 'CCARGS=-DHAS_MYSQL -I/usr/include/mysql -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/include/sasl -DUSE_TLS ' 'AUXLIBS=-L/usr/lib64/mysql -lmysqlclient -lz -lrt -lm -L/usr/lib64/sasl2 -lsasl2 -lssl -lcrypto'

make && make install

make install 的時候會有個交互式的界面,自定義一些目錄,這裡只更改第二項臨時文件目錄
tempdir: [/root/postfix-3.1.1]

安裝後變更各資料夾的擁有者:
chown -R postfix:postdrop /var/spool/postfix

chown -R postfix:postdrop /var/lib/postfix/

chown root /var/spool/postfix

chown -R root /var/spool/postfix/pid

修改 Postfix main.cf 設定檔:
vi /etc/postfix/main.cf

myhostname = vmail.example.com //設置主機名

mydomain = example.com //指定域名

myorigin = $mydomain //指明發件人所在的域名

inet_interfaces = //all指定postfix系統監聽的網絡接口

#mydestination = $myhostname, localhost.$mydomain, localhost,$mydomain
#relay_domains = $mydestination //指定允許中轉郵件的域名
//指定postfix接收郵件時收件人的域名 [使用虛擬域需要禁用]

mynetworks_style = host //指定信任網段類型

mynetworks = 192.168.0.0/16, 127.0.0.0/8 //指定信任的客戶端

alias_maps = hash:/etc/aliases //設置郵件的別名


chmod +x /etc/rc.d/rc.local (加入啟動項目,須賦予執行的權限)
vi /etc/rc.local

/usr/sbin/postfix start
/usr/sbin/saslauthd -m /run/saslauthd -a pam
/var/www/extsuite/extmail/dispatch-init start
/var/www/extsuite/extman/daemon/cmdserver -v -d

安裝 dovecot:
yum install -y dovecot dovecot-mysql

cd /etc/dovecot/

vi dovecot.conf

protocols = imap pop3

!include conf.d/*.conf

listen = *

base_dir = /var/run/dovecot/


cd conf.d/

vi 10-auth.conf

disable_plaintext_auth = no

vi 10-mail.conf

mail_location = maildir:~/Maildir

mail_location = maildir:/var/mailbox/%d/%n/Maildir

mail_privileged_group = mail

vi 10-ssl.conf

ssl = no


vi 10-logging.conf

log_path = /var/log/dovecot.log

info_log_path = /var/log/dovecot.info

log_timestamp = "%Y-%m-%d %H:%M:%S "

cp auth-sql.conf.ext auth-sql.conf

vi auth-sql.conf

passdb { driver = sql # Path for SQL configuration file, see example-config/dovecot-sql.conf.ext

args = /etc/dovecot/dovecot-sql.conf

}

userdb { driver = sql

args =/etc/dovecot/dovecot-sql.conf

}

vi /etc/dovecot/dovecot-sql.conf

driver = mysql

connect = host=localhost dbname=extmail user=extmail password=extmail

default_pass_scheme = CRYPT

password_query = SELECT username AS user,password AS password FROM mailbox WHERE username = '%u'

user_query = SELECT maildir, uidnumber AS uid, gidnumber AS gid FROM mailbox WHERE username = '%u'

systemctl enable dovecot.service

systemctl start dovecot.service


安裝courier-unicode

wget https://sourceforge.net/projects/courier/files/courier-unicode/1.2/courier-unicode-1.2.tar.bz2

tar xf courier-unicode-1.2.tar.bz2

cd courier-unicode-1.2

./configure

make && make install

安裝courier-authlib

wget https://sourceforge.net/projects/courier/files/authlib/0.66.2/courier-authlib-0.66.2.tar.bz2

tar xf courier-authlib-0.66.2.tar.bz2

cd courier-authlib-0.66.2

./configure \

--prefix=/usr/local/courier-authlib \

--sysconfdir=/etc \

--without-authpam \

--without-authshadow \

--without-authvchkpw \

--without-authpgsql \

--with-authmysql \

--with-mysql-libs=/usr/lib64/mysql \

--with-mysql-includes=/usr/include/mysql \

--with-redhat \

--with-authmysqlrc=/etc/authmysqlrc \

--with-authdaemonrc=/etc/authdaemonrc\

--with-mailuser=postfix

make && makeinstall

chmod 755 /usr/local/courier-authlib/var/spool/authdaemon

cp /etc/authdaemonrc.dist /etc/authdaemonrc

cp /etc/authmysqlrc.dist /etc/authmysqlrc

vi /etc/authdaemonrc

authmodulelist="authmysql"

authmodulelistorig="authmysql"

vi /etc/authmysqlrc

MYSQL_SERVER localhost

MYSQL_USERNAME extmail

MYSQL_PASSWORD extmail

MYSQL_SOCKET /var/lib/mysql/mysql.sock

MYSQL_PORT 3306

MYSQL_DATABASE extmail

MYSQL_USER_TABLE mailbox

MYSQL_CRYPT_PWFIELD password

DEFAULT_DOMAIN example.com

MYSQL_UID_FIELD '2525'
#MYSQL_UID_FIELD '2000' ( maildrop 安裝完後修改 )
MYSQL_GID_FIELD '2525'
#MYSQL_GID_FIELD '2000'( maildrop 安裝完後修改 )

MYSQL_LOGIN_FIELD username

MYSQL_HOME_FIELD concat('/var/mailbox/',homedir)

MYSQL_NAME_FIELD name

MYSQL_MAILDIR_FIELD concat('/var/mailbox/',maildir)


courier-authlib添加服務啟動腳本及其他:

cp courier-authlib.sysvinit /etc/init.d/courier-authlib

chmod +x /etc/init.d/courier-authlib

chkconfig –add courier-authlib

chkconfig courier-authlib on

echo "/usr/local/courier-authlib/lib/courier-authlib" >> /etc/ld.so.conf.d/courier-authlib.conf

ldconfig

systemctl enable courier-authlib

systemctl start courier-authlib


vi /usr/lib64/sasl2/smtpd.conf //文件不存在,要自己建立

pwcheck_method: authdaemond

log_level: 3

mech_list: PLAIN LOGIN

authdaemond_path:/usr/local/courier-authlib/var/spool/authdaemon/socket

vi /etc/postfix/main.cf
##一般 postfix SMTP 設定##
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = ''
二選一:
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_unknown_sender_domain,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        reject_unauth_pipelining,
        reject_unauth_destination

broken_sasl_auth_clients=yes
smtpd_client_restrictions = permit_sasl_authenticated
smtpd_sasl_security_options = noanonymous

##postfix支持虛擬用戶## (沒用到虛擬主機,不須要以下設定)
virtual_mailbox_base = /var/mailbox
//這裡的設定檔需在後面extman裡複製過來
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_alias_domains =
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_uid_maps = static:2000 (依建立 ExtMail vmail 帳號 id 修改)
virtual_gid_maps = static:2000(依建立 ExtMail vmail 帳號 id 修改)
virtual_transport = maildrop (安裝 maildrop 套件後修改)


安裝extmail:

extmail和extman可通過這兩個鏈接下載

http://7xivyw.com1.z0.glb.clouddn.com/extmail-1.2.tar.gz

http://7xivyw.com1.z0.glb.clouddn.com/extman-1.1.tar.gz

mkdir -p /var/www/extsuite

tar xf extmail-1.2.tar.gz -C /var/www/extsuite/

mv /var/www/extsuite/extmail-1.2/ /var/www/extsuite/extmail

cd /var/www/extsuite/extmail

cp webmail.cf.default webmail.cf

vi webmail.cf

SYS_SESS_DIR = /tmp/extmail

SYS_UPLOAD_TMPDIR = /tmp/extmail/upload

SYS_USER_LANG = zh_TW

SYS_MIN_PASS_LEN = 8

SYS_MAILDIR_BASE = /var/mailbox

SYS_MYSQL_USER = extmail

SYS_MYSQL_PASS = extmail

SYS_MYSQL_DB = extmail

SYS_MYSQL_HOST = localhost

SYS_MYSQL_SOCKET = /var/lib/mysql/mysql.sock

SYS_MYSQL_TABLE = mailbox

SYS_MYSQL_ATTR_USERNAME = username

SYS_MYSQL_ATTR_DOMAIN = domain

SYS_MYSQL_ATTR_PASSWD =password

SYS_AUTHLIB_SOCKET = /usr/local/courier-authlib/var/spool/authdaemon/socket

建立臨時文件目錄與session目錄

mkdir -p /tmp/extmail/upload

chown -R postfix.postfix /tmp/extmail/

安裝extman:

tar xf extman-1.1.tar.gz -C /var/www/extsuite/

cd /var/www/extsuite/

mv extman-1.1/ extman

cd extman/

cp webman.cf.default webman.cf

vi webman.cf

SYS_MAILDIR_BASE = /var/mailbox
SYS_DEFAULT_UID = 2000
SYS_DEFAULT_GID = 2000

chown -R postfix.postfix /var/www/extsuite/extman/cgi/

chown -R postfix.postfix /var/www/extsuite/extmail/cgi/

vi docs/extmail.sql

:% s/TYPE/ENGINE/g

vi /etc/my.cnf

#sql_mode=NO_ENGINE_SUBSTITUTION,STRICT_TRANS_TABLES
//將這行註釋掉,重啟mysql,這裡需要注意的是,等資料庫導入成功後,這行是不可以去掉注釋的,不然mysql就啟動不起來了。

導入資料庫
mysql -uroot < docs/extmail.sql
mysql -uroot < docs/init.sql

建立資料庫使用者帳號 extmail 並授予權限,這裡直接在授權任何權限給任意位址

mysql> GRANT ALL ON extmail.* to extmail@'%' identified by 'extmail';
mysql> FLUSH PRIVILEGES;

將 vmail 帳號 ID update 到資庫內:
[root@Mail ~]# mysql -u root -p
mysql> use extmail;
mysql> update mailbox set uidnumber='2000';
mysql> update mailbox set gidnumber='2000';
mysql> flush privileges;


cd /var/www/extsuite/extman/docs/

cp mysql_virtual_* /etc/postfix/

mkdir /tmp/extman

chown -R postfix.postfix /tmp/extman/

啟動postfix、dovecot、saslauthd

確認服務有正常啟動:
ss -tnluo | grep :25

ps aux | grep dovecot

ps aux | grep saslauthd


測試運作:

/usr/local/courier-authlib/sbin/authtest -s login postmaster@extmail.org extmail

Authentication succeeded. //顯示這個表示成功,測試時使用的是postmaster@extmail.org,因為我們導入的資料庫init.sql裡面內建了這個postmaster@extmail.org。
Authenticated: postmaster@extmail.org (uid 2525, gid 2525)
Home Directory: /var/mailbox/extmail.org/postmaster //這裡需要注意/var/mailbox這個目錄現在我們還沒有建立,後面web連線的時候如果沒有會出現錯誤
Maildir: /var/mailbox/extmail.org/postmaster/Maildir/
Quota: (none)
Encrypted Password: $1$phz1mRrj$3ok6BjeaoJYWDBsEPZb5C0
Cleartext Password: extmail
Options: (none)

mkdir /var/mailbox

chown -R postfix.postfix /var/mailbox/


測試smtp發信:

printf "postmaster@extmail.org" | openssl base64

cG9zdG1hc3RlckBleHRtYWlsLm9yZw==

printf "extmail" | openssl base64

ZXh0bWFpbA==

telnet localhost 25


啟動 nginx web 連線:

vi /var/www/extsuite/extmail/dispatch-init

SU_UID=postfix

SU_GID=postfix

啟動ExtMail、ExtMan服務:

/var/www/extsuite/extmail/dispatch-init start

/var/www/extsuite/extman/daemon/cmdserver -v -d

添加 nginx 虛擬主機:

vi /etc/nginx/conf.d/extmail.conf

server {

listen 8080;

server_name mail.everyoo.com;

index index.html index.htm index.php index.cgi;

root /var/www/extsuite/extmail/html/;

location /extmail/cgi/ {

fastcgi_pass 127.0.0.1:8888;

fastcgi_index index.cgi;

fastcgi_param SCRIPT_FILENAME /var/www/extsuite/extmail/cgi/$fastcgi_script_name;

include fcgi.conf;

}

location /extmail/ {

alias /var/www/extsuite/extmail/html/;

}

location /extman/cgi/ {

fastcgi_pass 127.0.0.1:8888;

fastcgi_index index.cgi;

fastcgi_param SCRIPT_FILENAME /var/www/extsuite/extman/cgi/$fastcgi_script_name;

include fcgi.conf;

}

location /extman/ {

alias /var/www/extsuite/extman/html/;

}

access_log /var/log/extmail_access.log;

}


生成fcgi.conf

vi /etc/nginx/fcgi.conf

fastcgi_param GATEWAY_INTERFACE CGI/1.1;

fastcgi_param SERVER_SOFTWARE nginx;

fastcgi_param QUERY_STRING $query_string;

fastcgi_param REQUEST_METHOD $request_method;

fastcgi_param CONTENT_TYPE $content_type;

fastcgi_param CONTENT_LENGTH $content_length;

fastcgi_param SCRIPT_NAME $fastcgi_script_name;

fastcgi_param REQUEST_URI $request_uri;

fastcgi_param DOCUMENT_ROOT $document_root;

fastcgi_param SERVER_PROTOCOL $server_protocol;

fastcgi_param REMOTE_ADDR $remote_addr;

fastcgi_param REMOTE_PORT $remote_port;

fastcgi_param SERVER_ADDR $server_addr;

fastcgi_param SERVER_PORT $server_port;

fastcgi_param SERVER_NAME $server_name;

systemctl enable nginx.service

systemctl start nginx.service


安裝 Unix-Syslog 套件:
wget http://www.cpan.org/authors/id/M/MH/MHARNISCH/Unix-Syslog-1.1.tar.gz

tar xf Unix-Syslog-1.1.tar.gz

cd Unix-Syslog-1.1

perl Makefile.PL

make && make install

extman預設的登入帳號為 root@extmail.org 密碼為 extmail*123*,首次使用需要先增一個網域及管理員帳號(可進 MySQL 新增修改帳號類型),新增之後再刪除內建的 extmail.org 網域。


安裝clamav、clamd、amavisd

yum –y install amavisd-new spamassassin

yum install epel-release

yum install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd

修改 clamd.conf

cp /usr/share/clamav/template/clamd.conf /etc/clamd.d/clamd.conf

sed -i ‘/^Example/d’ /etc/clamd.d/clamd.conf

User clamscan
#User amavis ( Amavisd-new 安裝後修改 )

LocalSocket /tmp/clamd.socket

#TCPSocket 3310
須註釋掉此行行


修改 freshclam.conf

cp /etc/freshclam.conf /etc/freshclam.conf.bak

sed -i ‘/^Example/d’ /etc/freshclam.conf

Create a new file /usr/lib/systemd/system/clam-freshclam.service

# Run the freshclam as daemon
[Unit]
Description = freshclam scanner
After = network.target

[Service]
Type = forking
ExecStart = /usr/bin/freshclam -d -c 4
Restart = on-failure
PrivateTmp = true

[Install]
WantedBy=multi-user.target

開機啟動:
systemctl enable clam-freshclam.service
systemctl start clam-freshclam.service
systemctl status clam-freshclam.service

修改 ClamAV 設定:
mv /usr/lib/systemd/system/clamd@.service /usr/lib/systemd/system/clamd.service

vi /usr/lib/systemd/system/clamd@scan.service

.include /lib/systemd/system/clamd@.service (刪除 @ 符號)

修改 /usr/lib/systemd/system/clamd.service

vi /usr/lib/systemd/system/clamd.service

[Unit]
Description = clamd scanner daemon
After = syslog.target nss-lookup.target network.target

[Service]
Type = simple
ExecStart = /usr/sbin/clamd -c /etc/clamd.d/clamd.conf --foreground=yes
Restart = on-failure
PrivateTmp = true

[Install]
WantedBy=multi-user.target


vi /etc/rc.local

add:
mkdir -p /var/run/clamd.service
chown clamscan.clamscan /var/run/clamd.service
cd /usr/lib/systemd/system
systemctl enable clamd.service
systemctl start clamd.service
#systemctl enable clamd@scan.service (會與 clamd.service 衝突,messages log 一直出現 clamd.sock 被位用)
#systemctl start clamd@scan.service


修改 local.cf 配置文件

vi /etc/mail/spamassassin/local.cf

required_hits 5

report_safe 0

rewrite_header Subject [SPAM]

use_bayes 1

bayes_auto_learn 1

skip_rbl_checks 0

use_razor2 1

use_pyzor 0


安裝其他垃圾信件程式與spamassassin協同作業

先安裝razor2、pyzor、razor-agents與perl-Razor-Agent

yum install pyzor

yum install perl-Razor-Agent

安裝 razor-agents-2.84

tar -vxf razor-agents-2.84.tar.bz2

cd razor-agents-2.84

perl Makefile.PL

make

make test

make install

DCC 必須在 amavisd-new 完成後再執行安裝DCC
下載最新版DCC http://www.rhyolite.com/dcc/source/dcc.tar.Z

tar xzvf dcc.tar.Z

cd dcc-1.3.152

./configure --with-uid=amavis

//amavis帳號在amavisd-new才會建立完成

make

make install

chown -R amavis:amavis /var/dcc

//amavis群組與帳號在amavisd-new才會建立完成

ln -s /var/dcc/libexec/dccifd /usr/local/bin/dccifd

檔案下載位址:

pyzor http://sourceforge.net/apps/trac/pyzor/

razor http://razor.sourceforge.net/

dcc http://www.rhyolite.com/dcc/

/etc/mail/spamassassin/v310.pre 確認檔案中下列功能沒註解掉

loadplugin Mail::SpamAssassin::Plugin::DCC
loadplugin Mail::SpamAssassin::Plugin::Pyzor
loadplugin Mail::SpamAssassin::Plugin::Razor2
loadplugin Mail::SpamAssassin::Plugin::AWL

loadplugin Mail::SpamAssassin::Plugin::TextCat

測試spamassassin

spamassassin -t -D razor2 < /usr/share/doc/spamassassin-3.4.0/sample-spam.txt

spamassassin -t -D pyzor < /usr/share/doc/spamassassin-3.4.0/sample-spam.txt


修改master.cf配置文件

vi /etc/postfix/master.cf

amavisfeed unix - - n - 5 smtp # maxproc欄內的數值 5 必須要與/etc/amavisd.conf內的$max_servers設定一致。

-o smtp_data_done_timeout=1200

-o smtp_send_xforward_command=yes

-o smtp_tls_note_starttls_offer=no

-o disable_dns_lookups=yes

-o max_use=20

另在加入一個localhost(127.0.0.1)的tcp 10025端口/etc/amavisd.conf的預設值)上監聽的smtp服務.

127.0.0.1:10025 inet n - n - - smtpd

-o content_filter=

-o smtpd_delay_reject=no

-o smtpd_client_restrictions=permit_mynetworks,reject

-o smtpd_helo_restrictions=

-o smtpd_sender_restrictions=

-o smtpd_recipient_restrictions=permit_mynetworks,reject

-o smtpd_data_restrictions=reject_unauth_pipelining

-o smtpd_end_of_data_restrictions=

-o smtpd_restriction_classes=

-o mynetworks=127.0.0.0/8

-o smtpd_error_sleep_time=0

-o smtpd_soft_error_limit=1001

-o smtpd_hard_error_limit=1000

-o smtpd_client_connection_count_limit=0

-o smtpd_client_connection_rate_limit=0

-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings

-o local_header_rewrite_clients=

-o smtpd_milters=

-o local_recipient_maps=

policy unix - n n - 0 spawn

user=nobody argv=/usr/libexec/postfix/postfix-policyd-spf-perl #SPF

maildrop unix - n n - - pipe

flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient} #maildrop


修改main.cf配置文件

#filter mail
content_filter=amavisfeed:[127.0.0.1]:10024
smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_unknown_sender_domain,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        reject_unauth_pipelining,
        reject_unauth_destination


重啟reload 服務即可,或者重啟postfix也是可以的.

修改amavisd.conf配置文件

(1).去除以下 # 來停止檢查病毒域垃圾郵件 (由於下面數行預設是被注釋掉的,因此病毒及垃圾郵件在預設中默認是被啟動的)

12 @bypass_virus_checks_maps = (1); # controls running of anti-virus code

13 @bypass_spam_checks_maps = (1); # controls running of anti-spam code

14 $bypass_decode_parts = 1; # controls running of decoders&dearchivers

(2) 接着可以看到下面幾行

16 $max_servers = 5; # num of pre-forked children (2..30 is common), -m

17 $daemon_user = 'amavis'; # (no default; customary: vscan or amavis), -u

18 $daemon_group = 'amavis'; # (no default; customary: vscan or amavis), -g

20 $mydomain = 'example.com';

58 $inet_socket_port = 10024; # listen on this local TCP port(s)

154 $notify_method = $forward_method ;

155 $forward_method = 'smtp:[127.0.0.1]:10025'; # set to undef with milter!
$max_servers 設定同步執行的Amavisd-new進程數量,而且必須與/etc/postfix/master.cf內的amavisfeed服務的maxproc中相符合

(3)以下是必須修改選項

20 $mydomain = 'example.com'; # a convenient default for other settings

22 $MYHOME = '/var/amavis'; # a convenient default for other settings, -H

33 $helpers_home = "$MYHOME/var"; # working directory for SpamAssassin, -S

34 $lock_file = "$MYHOME/var/amavisd.lock"; # -L

35 $pid_file = "$MYHOME/var/amavisd.pid"; # -P

152 $myhostname = 'vmail.example.com'; # must be a fully-qualified domain name!

(4)下面是SpamAssassin設定來替換預設的SpamAssassin設置

94 $sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level

95 $sa_tag2_level_deflt = 6.2; # add 'spam detected' headers at that level

96 $sa_kill_level_deflt = 6.9; # triggers spam evasive actions (e.g. blocks mail)

97 $sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent

98 $sa_crediblefrom_dsn_cutoff_level = 18; # likewise, but for a likely valid From

99 # $sa_quarantine_cutoff_level = 25; # spam level beyond which quarantine is off

100 $penpals_bonus_score = 8; # (no effect without a @storage_sql_dsn database)

101 $penpals_threshold_high = $sa_kill_level_deflt; # don't waste time on hi spam

102 $bounce_killer_score = 100; # spam score points to add for joe-jobbed bounces

104 $sa_mail_body_size_limit = 400*1024; # don't waste time on SA if mail is larger

105 $sa_local_tests_only = 0; # only tests which do not require internet access?

預設值不需要修改但了解它的意義,可以方便設置垃圾郵件:

$sa_tag_level_deflt 指定Amavisd-new由哪一個級別開始修改 X-Spam-Flag、X-Spam-Score、X-Spam-Status等垃圾郵件資訊標頭,假如你想為所有郵件加入資訊標頭,請把此值設為 -999

$sa_tag2_level_deflt 指定由哪一個級別開始在垃圾郵件的標頭上標記它們

$sa_kill_level_deflt 指定Amavisd-new由哪一個級別開始攔截和扣留郵件。這個用途很大,因為SpamAssassin在預設情況下不會這樣做

$sa_dsn_cutoff_level 指定由哪一個級別開始寄件失敗通告不會被發送給寄件人。由於多數垃圾郵件寄件者的地址都是偽造的,不為明顯的垃圾郵件發送寄件失敗通告是最合理的,要不然你只會加劇反向散寄的問題

$sa_quarantine_cutoff_level 指定哪一個級別開始不必扣留垃圾郵件。這個選項預設是被注釋掉的,意思是所有郵件都會被扣留

(5)下面是發送通告的郵件地址(默認是管理員郵箱,接收垃圾郵件通告的郵箱)

118 $virus_admin = "postmaster\@$mydomain"; # notifications recip.

121 $mailfrom_notify_admin = "postmaster\@$mydomain"; # notifications sender

122 $mailfrom_notify_recip = "postmaster\@$mydomain"; # notifications sender

123 $mailfrom_notify_spamadmin = "postmaster\@$mydomain"; # notifications sender

(6) 設置ClamAV的部分
381 - 385 行
### http://www.clamav.net/

['ClamAV-clamd',
\&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamd.amavisd/clamd.sock"],
qr/\bOK$/m, qr/\bFOUND$/m,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],


安裝maildrop

useradd -u 2000 vmail

ln -sv /usr/local/courier-authlib/bin/courierauthconfig /usr/bin

ln -sv /usr/local/courier-authlib/include/* /usr/include

wget https://sourceforge.net/projects/courier/files/maildrop/2.8.4/maildrop-2.8.4.tar.bz2

tar xf maildrop-2.8.4.tar.bz2

cd maildrop-2.8.4

./configure --enable-sendmail=/usr/sbin/sendmail --enable-trusted-users='root vmail' --enable-syslog=1 --enable-maildrop-uid=2000 --enable-maildrop-gid=2000 && make && make install

vi /etc/ld.so.conf.d/courier-unicode.conf

/usr/local/lib

ldconfig -v

maildrop -v

修改相應文件的權限

chmod 700 /var/mailbox/ -R

chown vmail /tmp/extma* -R

chmod 777 /tmp/extma*

chgrp postdrop /var/spool/postfix/maildrop/

chown vmail.vmail -R /tmp/viewlog/

/usr/sbin/postfix restart

mysql -u root -p

mysql> use extmail;

mysql> update mailbox set uidnumber='2000';

mysql> update mailbox set gidnumber='2000';

mysql> flush privileges;


額外套件:
使用Opendkim為Postfix郵件服務器添加DKIM簽名

DKIM就是一種防垃圾郵件的機制!網域密鑰DomainKeys(DK)和域名密鑰標識郵件技朮(DKIM)是使用密碼的email驗證系統,它能用於防止網絡詐騙,而且,因為大多數的垃圾郵件都包含欺騙性的地址,DK/DKIM能從很大程度上減少垃圾郵件,盡管它們不是專門設計用於反垃圾郵件的工具。DK/DKIM還能用於確保收到郵件的完整性,或確保郵件在發件人服務器被發出直到到達接收者服務器的過程中,沒有被更改過。

DK/DKIM密碼驗證系統,收件人服務器能確信到達的郵件是來自發件人的并且沒有人用任何方式改變過郵件信息。為了確保郵件的有效性和完整性,DKIM使用一個公共和密碼的keypairs系統,一個加密的公鑰被發布到發送服務器的DNS記錄,然後每個發出的郵件都被服務器用相應的私鑰進行了簽名。對於收到的郵件,當收件服務器發現它是一個被做了DKIM簽名的郵件時,它將從發件服務器的DNS記錄中找回公鑰,然後將期與郵件中的簽名比對來確定郵件的合法性。如果收到的郵件不能通過驗證,那麼收件服務器就知道其包含了偽造的地址或曾被篡改

安裝配置Opendkim

wget -P /tmp http://mirror.pnl.gov/epel/7/x86_64/epel-release-7-7.noarch.rpm

rpm -Uvh /tmp/epel-release-7-7.noarch.rpm

yum -y install opendkim

opendkim-genkey -d example.com -s default

mv default.private /etc/opendkim/keys/

chown opendkim.opendkim /etc/opendkim/keys/default.private

cat default.txt

default._domainkey IN TXT ( "v=DKIM1; k=rsa; "

"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCuoxOw56mF5JBKD5GhQdf5KYuilyTOUgn9nrOCHbMosdjZ1lrJsN/ww+YANyI68dUhX2L6Z2Gk2bzclM74xdSq+KyjdNv4AhAabBeyV7wEu7s5Pl/9owdaLIpVEx4CFJKV+PbjASwn2lBiZmQ+OqM2Goa7s/p8Nd0M5ASQkNHOrwIDAQAB" ) ; ----- DKIM key default for example.com

這樣就為網域 example.com 生成了一對用於DKIM簽名的公鑰和私鑰,把私鑰放到了opendkim默認的存儲密鑰文件的目錄下.

上面default.txt裡面的內容是公鑰文件,需要把上面的內容在DNS服務器上新建一個TXT類型的記錄存儲起來.名字就是default._domainkey內容是Default是剛才生成密鑰的時候-S參數後面的名字,也就是一個selector,可以建立多個selector,不同域名使用不同的selector來做簽名的.

修改Opendkim的配置文件
[root@Mail ~]# cat /etc/opendkim/KeyTable

# OPENDKIM KEY TABLE

# To use this file, uncomment the #KeyTable option in /etc/opendkim.conf,

# then uncomment the following line and replace example.com with your domain

# name, then restart OpenDKIM. Additional keys may be added on separate lines.

default._domainkey.example.com example.com:default:/etc/opendkim/keys/default.private

寫在文件的末端即可

vi /etc/opendkim/SigningTable

*@example.com default._domainkey.example.com

配置opendkim.conf文件

vi /etc/opendkim.conf

     Mode sv
     Syslog yes
     Socket inet:8891@localhost
     KeyFile /etc/opendkim/keys/default.private

Domain example.com最後一行添加就行

修改完以上配置文件啟動opendkim及postfix服務

/etc/init.d/opendkim start

/usr/sbin/postfix restart

chkconfig opendkim on


給Postfix發送出的郵件做SPF簽名

SPF是Sender Policy Framework的縮寫,也是一種反垃圾郵件的策略。主要是用來通過IP地址來驗證發送郵件的用戶是否合法的一種手段,這個IP地址指的是MTA郵件服務器的IP地址,因為一般的郵件服務器發送郵件都是需要驗證的,而如果用戶通過了郵件服務器的驗證,并且發送出的郵件確實是MTA服務器的IP地址,那麼用戶的身份也就得到了驗證。在Linux中,發件人的地址是可以偽造的,但是如果用了SPF,雖然偽造了發件人,但是發出去郵件的地址,是沒有辦法進行偽造的.

為Postfix來增加SPF簽名

yum -y install perl-CPAN

rpm -q perl-CPAN

perl –MCPAN –e shell

執行完這個命令會有一個提示直接按Y

cpan[1]> install Mail::SPF

然後下載一個 script,來做SPF簽名,這個 script 叫 postfix-policyd-spf-perl,可以在http://www.openspf.org/blobs/ 下載到.

wget http://www.openspf.org/blobs/postfix-policyd-spf-perl-2.007.tar.gz

tar zxvf postfix-policyd-spf-perl-2.007.tar.gz

cd postfix-policyd-spf-perl-2.007

cp postfix-policyd-spf-perl /usr/libexec/postfix/

安裝postfix的時候,指定的postfixlibexec目錄是/usr/libexec/postfix/,這裡要根據自己的配置來確定放到哪個目錄.
vi /etc/postfix/main.cf
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_unknown_sender_domain,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    reject_unauth_destination,
    reject_sender_login_mismatch,
    check_policy_service unix:private/policy,
    reject_authenticated_sender_login_mismatch




/var/log/message 錯誤訊息1:
Cannot add dependency job for unit clamd@amavisd.service, ignoring: Unit clamd@amavisd.service failed to load: No such file or directory.
Cannot add dependency job for unit postfix.service, ignoring: Unit postfix.service failed to load: No such file or directory.
原因:
因利用 tar 檔安裝,在 /usr/lib/systemd/system/amavisd.service 裡有連結上面兩個起動檔,但無此兩檔案,造成啟動錯誤。
/usr/lib/systemd/system/amavisd.service 裡面內容:
修改 Wants=clamd@amavisd.service     --> Wants=clamd.service
Wants=postfix.service

新增postfix.service
[Unit]
Description=Postfix Mail Transport Agent
After=syslog.target network.target
Conflicts=sendmail.service exim.service

[Service]
Type=forking
PIDFile=/var/spool/postfix/pid/master.pid
EnvironmentFile=-/etc/sysconfig/network
ExecStartPre=-/usr/libexec/postfix/aliasesdb #看message log 如果還有錯訊息刪除
ExecStartPre=-/usr/libexec/postfix/chroot-update   #看message log 如果還有錯訊息刪除
ExecStart=/usr/sbin/postfix start
ExecReload=/usr/sbin/postfix reload
ExecStop=/usr/sbin/postfix stop

[Install]
WantedBy=multi-user.target

ln -sf /usr/lib/systemd/system/postfix.service /etc/systemd/system/multi-user.target.wants/postfix.service

/var/log/message 錯誤訊息2:
postfix/smtpd[xxxx]: sql_select option missing
postfix/smtpd[xxxx]: auxpropfunc error no mechanism available

vi /usr/lib64/sasl2/smtpd.conf
新增:
allow_plaintext: true
auxprop_plugin: mysql
sql_hostnames: localhost
sql_user: extmail
sql_passwd: extmail
sql_database: extmail
sql_select: select password from mailbox where username='%u'

如還有錯誤訊息:
#systemctl status slapd.service

auxpropfunc error invalid parameter supplied

ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied

#systemctl status cyrus-imapd.service

ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied

auxpropfunc error invalid parameter supplied

解決方式:
查看是否有安裝
rpm -qa cyrus-sasl-ldap

or
rpm -qa cyrus-sasl-sql

它是不需要的 RPM:

rpm -e cyrus-sasl-ldap

rpm -e cyrus-sasl-sql (錯誤訊依舊再移除左側套件)


安裝 Fail2Ban:
rpm -Uvh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-7.noarch.rpm

yum install fail2ban

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
依照需求 啟用 policy (postfix, ssh, apache, named)
例:
cd /etc/fail2ban/jail.d/
vi sshd.local
     [ssh-iptables]

     enabled = true

     filter = sshd

     action = iptables[name=SSH, port=ssh, protocol=tcp]

     logpath = /var/log/secure

     maxretry = 3

     findtime  = 10800
     bantime = 3600

vi postfix.local
     [postfix-iptables]
     enabled  = true
     filter   = postfix
     action   = iptables[name=Postfix, port=smtp, protocol=tcp]
     logpath  = /var/log/maillog
     maxretry = 3
     findtime  = 10800
     bantime  = 7200

vi named.local
     [named-refused-udp]
     enabled  = false
     filter   = named-refused
     action   = iptables-multiport[name=named, port="domain,953", protocol=udp]
     logpath  = /var/named/chroot/var/log/named/security.log
     maxretry = 3
     findtime  = 10800
     bantime  = 3600

vi dovecot.local
     [dovecot-iptables]
     #pop3(110),pop3s(995),imap(143),imaps(993)
     enabled  = true
     filter       = dovecot
     action     = iptables-multiport[name=Dovecot, port="pop3,imap", protocol=tcp]
     #logpath  = /var/log/maillog
     logpath   = /var/log/secure
     maxretry = 3
     findtime  = 10800
     bantime  = 3600

測試過濾功能是否正常:
fail2ban-regex /var/log/secure /etc/fail2ban/jail.d/sshd.local
fail2ban-regex /var/log/maillog /etc/fail2ban/jail.d/postfix.local
fail2ban-regex /var/named/chroot/var/log/named/security.log /etc/fail2ban/jail.d/named-refused.local
fail2ban-regex /var/log/secure /etc/fail2ban/jail.d/dovecot.local

沒有留言:

張貼留言

OCS Inventory 匯出資料到 Google 試算表(依電腦設備類型)

OCS Inventory 匯出到 Google 試算表的程式是從網路上其他高手分享出來( 參考資料出處 ),並依個人需求調整。 如要取用請注意,因程式是用 python 寫的,程式段落可能會移位導致無法正常運作。 下列程式調整SELECT電腦 設備類型 為Noteboo...