Centos X64 version 6.9 installs postfix2.6.6+dovecot+openwebmail

2025-04-06 Update, from SLTechnology News&Howtos (Shulou.com), Servers section

Test completion date: 2017.06.07

The attachment is a configuration file that can be used directly.

Authentication uses the account and password files that ship with the system (passwd/shadow), so MySQL does not need to be installed; the method is simple.

Testing showed that CentOS 6.5 / 6.9 x64 stores passwords with SHA-512 hashing.

Note: do not set up a mail server on an ADSL line with a dynamic IP; it will be treated as a spam source. A VPS with a fixed IP address, such as Alibaba Cloud or Tencent Cloud, is recommended.

Uninstall sendmail first

[root@ser ~]# yum remove sendmail
[root@ser ~]# chkconfig sendmail off

Second, install postfix, dovecot and cyrus-sasl

[root@ser ~]# yum -y install epel-release
[root@ser ~]# yum -y install postfix perl
[root@ser ~]# yum -y install dovecot dovecot-devel dovecot-mysql pam-devel
[root@ser ~]# yum -y install cyrus-sasl cyrus-sasl-plain cyrus-sasl-md5 cyrus-sasl-lib

View the postfix version

[root@host]# rpm -qa | grep postfix
postfix-2.6.6-8.el6.x86_64

Postfix configuration file

[root@ser ~]# vi /etc/postfix/main.cf
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = mail.dongying.com
mydomain = dongying.com
myorigin = $mydomain
inet_interfaces = all
inet_protocols = ipv4
mydestination = $myhostname, localhost.$mydomain, $mydomain, dongying.com
unknown_local_recipient_reject_code = 550
mynetworks = 127.0.0.0/8, 120.25.162.161/32, 192.168.88.0/24
smtpd_banner = "Version not Available"
relay_domains = $mydomain
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, mail.$mydomain
disable_vrfy_command = yes
broken_sasl_auth_clients = yes
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
smtpd_reject_unlisted_sender = no
smtpd_data_restrictions = reject_unauth_pipelining
header_checks = pcre:/etc/postfix/header_checks
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 10
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_delay_reject = yes
smtpd_client_restrictions = permit_sasl_authenticated
smtpd_sasl_path = smtpd
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sender_restrictions = permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unauthenticated_sender_login_mismatch,
    reject_rhsbl_sender dbl.spamhaus.org,
    reject_rhsbl_client dbl.spamhaus.org,
    permit
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_invalid_hostname, reject_non_fqdn_sender,
    reject_non_fqdn_recipient, reject_non_fqdn_hostname,
    reject_unknown_sender_domain,
    reject_unauth_pipelining, reject_unauth_destination,
    check_client_access hash:/etc/postfix/client_checks,
    check_sender_access hash:/etc/postfix/sender_checks,
    reject_rbl_client cblless.anti-spam.org.cn,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client dyna.spamrats.com,
    reject_rbl_client auth.spamrats.com,
    reject_rbl_client cbl.abuseat.org,
    check_policy_service unix:private/policy-spf, permit
message_size_limit = 41943040
mailbox_size_limit = 500000000

The main.cf parameters are described as follows:

First, the following four lines carry your company's domain name and IP information; change them to match your actual addresses.

myhostname = mail.dongying.com
mydomain = dongying.com
mydestination = $myhostname, localhost.$mydomain, $mydomain, dongying.com
mynetworks = 127.0.0.0/8, 120.25.162.161/32, 192.168.88.0/24

Second, the following six lines are anti-spam rules that query DNS blocklist zones (including the Anti-Spam Alliance's cblless.anti-spam.org.cn); the author tested them and found them to be valid domain names, so they must be added.

reject_rbl_client cblless.anti-spam.org.cn
reject_rbl_client zen.spamhaus.org
reject_rbl_client bl.spamcop.net
reject_rbl_client dyna.spamrats.com
reject_rbl_client auth.spamrats.com
reject_rbl_client cbl.abuseat.org

Third, denial-of-service protection. The following three parameters:

smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 10

Postfix keeps a count of the errors each client has caused. For suspicious clients it deliberately slows its responses, and the more errors a client accumulates, the longer the delay. The behaviour is set by these parameters: the initial delay is smtpd_error_sleep_time (default 1 second); once a client has exceeded smtpd_soft_error_limit errors, postfix delays by a further second for every additional error; once the count exceeds smtpd_hard_error_limit, postfix gives up on the client and disconnects it.

Fourth, blacklist and whitelist configuration, to reduce the number of important customers' e-mails classified as spam. The following two parameters:

check_client_access hash:/etc/postfix/client_checks
check_sender_access hash:/etc/postfix/sender_checks

Postfix has two different restrictions for implementing white- and blacklists: client_checks blocks by client IP address, IP range or hostname, and sender_checks blocks by the sender's e-mail address (the envelope From). It is recommended to add the mail domains and addresses of frequent customers to the sender_checks file. OK allows, REJECT denies.

Whenever either file changes, remember to run postmap so that postfix can find the entries.

[root@postfix]# postmap /etc/postfix/client_checks
[root@postfix]# postmap /etc/postfix/sender_checks
[root@postfix]# cat sender_checks
gmail.com          OK
example.com        REJECT env. From addr any@example.com rejected
.example.com       REJECT env. From addr any@sub.example.com rejected
user@example.com   REJECT We don't want your email
[root@postfix]# cat client_checks
61.145.211.19      OK
.example.com       REJECT No spammers, from your subdomain
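To see how Postfix will actually consult the two map files above, here is an added Python simulation (example code written for this page, not part of the original post or of Postfix) of the access(5) lookup order used by check_sender_access and check_client_access. It runs on constructed copies of the sender_checks and client_checks entries shown above and assumes the documented lookup order: user@domain, then the domain and its parent domains, then user@ for senders; the hostname walk followed by the IPv4 address and its shorter prefixes for clients. The parent_matches_subdomains flag models whether smtpd_access_maps is listed in parent_domain_matches_subdomains (it is in the Postfix default), which decides whether a plain example.com key or the .example.com key is the one that matches subdomains.

```python
"""Simulate Postfix access(5) lookups for check_sender_access / check_client_access.

Added example for this page; the lookup order follows the access(5) manual:
a plain 'example.com' key also matches subdomains when smtpd_access_maps is in
parent_domain_matches_subdomains (the default), while the '.example.com' form
matches subdomains only when it is NOT listed there.
"""

# Constructed copies of the two map files shown on the page.
SENDER_CHECKS_TEXT = """
gmail.com           OK
example.com         REJECT env. From addr any@example.com rejected
.example.com        REJECT env. From addr any@sub.example.com rejected
user@example.com    REJECT We don't want your email
"""
CLIENT_CHECKS_TEXT = """
61.145.211.19   OK
.example.com    REJECT No spammers, from your subdomain
"""


def parse_access_map(text):
    """Parse 'key action [text]' lines of an access(5) file into a dict.
    hash: tables fold keys to lower case, so we do the same."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            table[parts[0].lower()] = parts[1].strip()
    return table


def domain_keys(domain, parent_matches_subdomains=True):
    """Keys tried for a domain: the name itself, then each parent domain
    (down to the top-level domain), as 'parent' or '.parent' per the flag."""
    labels = domain.lower().strip(".").split(".")
    keys = [".".join(labels)]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches_subdomains else "." + parent)
    return keys


def sender_keys(address, parent_matches_subdomains=True):
    """user@domain, the domain walk, then user@ (address extensions ignored)."""
    local, _, domain = address.lower().partition("@")
    return [address.lower()] + domain_keys(domain, parent_matches_subdomains) + [local + "@"]


def client_keys(hostname, ipv4, parent_matches_subdomains=True):
    """Client hostname walk (skipped when the reverse lookup gave 'unknown'),
    then the IPv4 address and its prefixes: a.b.c.d, a.b.c, a.b, a."""
    keys = []
    if hostname and hostname.lower() != "unknown":
        keys += domain_keys(hostname, parent_matches_subdomains)
    octets = ipv4.split(".")
    keys += [".".join(octets[:n]) for n in range(len(octets), 0, -1)]
    return keys


def lookup(table, keys):
    """First matching key wins, like a hash: map lookup; no entry means the
    restriction is skipped (DUNNO) and evaluation moves to the next one."""
    for key in keys:
        if key in table:
            return key, table[key]
    return None, "DUNNO"


def check_sender(address, parent_matches_subdomains=True):
    return lookup(parse_access_map(SENDER_CHECKS_TEXT),
                  sender_keys(address, parent_matches_subdomains))


def check_client(hostname, ipv4, parent_matches_subdomains=True):
    return lookup(parse_access_map(CLIENT_CHECKS_TEXT),
                  client_keys(hostname, ipv4, parent_matches_subdomains))


if __name__ == "__main__":
    for addr in ("user@example.com", "any@sub.example.com", "bob@gmail.com", "x@other.org"):
        print("%-22s -> %s" % (addr, check_sender(addr)))
    for host, ip in (("mx.example.com", "203.0.113.7"), ("unknown", "61.145.211.19")):
        print("%-16s %-14s -> %s" % (host, ip, check_client(host, ip)))
        print("%-16s %-14s -> %s (smtpd_access_maps not in parent_domain_matches_subdomains)"
              % (host, ip, check_client(host, ip, False)))
```

Run as a script it prints the matching key and action for a few addresses. The notable result is that with the default parent_domain_matches_subdomains the .example.com entries in both files never match: a sub-domain sender is caught by the plain example.com entry instead, and the client_checks .example.com line only takes effect if smtpd_access_maps is removed from parent_domain_matches_subdomains.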

Fifth, SPF anti-spam verification.

check_policy_service unix:private/policy-spf

For SPF verification of a given domain to work, you need to add a TXT record for the domain at your DNS provider's management console.

Sixth, check the mail headers and filter mail with specified content.

header_checks = pcre:/etc/postfix/header_checks

Mail header check. Messages whose Received-SPF header shows softfail are rejected outright.

[root@postfix]# cat /etc/postfix/header_checks
/Received-SPF: softfail/ REJECT

Seventh, mailbox size and attachment settings.

message_size_limit = 41943040
mailbox_size_limit = 500000000

mailbox_size_limit limits the size of the user's mail directory, i.e. the mail that can be kept on the server, to 500 MB; message_size_limit limits the size of a single message to 41943040 bytes = 41943040 / 1024 / 1024 = 40 MB.

The attached main.cf already includes the SPF anti-spam verification and can be used directly.

Generate the /etc/postfix/aliases alias database to resolve the warning "NIS domain name not set - NIS lookups disabled":

[root@postfix]# touch /etc/postfix/aliases
[root@postfix]# postalias /etc/postfix/aliases

Then the following two lines can be added to main.cf:

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases

=

Then make the following configuration.

Postfix: configure SPF to prevent sender spoofing

http://www.haiyun.me/archives/postfix-spf-spoof.html (reference article)

First, go to the "Domain Management Center" of your public DNS provider and add a TXT record with the value v=spf1 mx -all.

At the same time, configure the MX and other records so that mail can be sent and received; set the five items marked with red boxes in the figure below.

[root@postfix]# yum install perl-Mail-SPF perl-Sys-Hostname-Long
[root@postfix]# wget https://launchpad.net/postfix-policyd-spf-perl/trunk/release2.010/+download/postfix-policyd-spf-perl-2.010.tar.gz
[root@postfix]# tar zxvf postfix-policyd-spf-perl-2.010.tar.gz
[root@postfix]# mv postfix-policyd-spf-perl-2.010/postfix-policyd-spf-perl /usr/sbin/
[root@postfix]# chmod +x /usr/sbin/postfix-policyd-spf-perl

Enable the postfix-policyd-spf-perl service:

[root@postfix]# vi /etc/postfix/master.cf
# spf check
policy-spf  unix  -       n       n       -       -       spawn
  user=nobody argv=/usr/sbin/postfix-policyd-spf-perl

Edit the Postfix main configuration file to add the SPF filtering rule:

[root@postfix]# vi /etc/postfix/main.cf
smtpd_recipient_restrictions =
    permit_mynetworks,
    ...
    check_policy_service unix:private/policy-spf, permit

View the mail log

[root@postfix]# tail -f /var/log/maillog

# A correct record looks like the following; "Received-SPF: pass" (shown in red in the original) indicates success.
Jun 7 17:25:56 host-cn postfix/smtpd[12947]: connect from smtpbg331.qq.com[14.17.43.223]
Jun 7 17:26:04 host-cn postfix/policy-spf[12952]: Policy action=PREPEND Received-SPF: pass (qq.com: Sender is authorized to use '3700488@qq.com' in 'mfrom' identity (mechanism 'include:spf.mail.qq.com' matched)) receiver=unknown; identity=mailfrom; envelope-from="3700488@qq.com"; helo=smtpbg331.qq.com; client-ip=14.17.43.223
Jun 7 17:26:04 host-cn postfix/smtpd[12947]: 05CBEC0E16: client=smtpbg331.qq.com[14.17.43.223]
Jun 7 17:26:04 host-cn postfix/cleanup[12955]: 05CBEC0E16: message-id=
Jun 7 17:26:04 host-cn postfix/qmgr[12946]: 05CBEC0E16: from=, size=2286, nrcpt=1 (queue active)
Jun 7 17:26:04 host-cn postfix/smtpd[12947]: disconnect from smtpbg331.qq.com[14.17.43.223]
Jun 7 17:26:04 host-cn postfix/local[12956]: 05CBEC0E16: to=, relay=local, delay=7.6, delays=7.6/0.01/0/0.01, dsn=2.0.0, status=sent (delivered to mailbox)
Jun 7 17:26:04 host-cn postfix/qmgr[12946]: 05CBEC0E16: removed

# The following is an error record:
postfix/policy-spf[15857]: Policy action=PREPEND Received-SPF: softfail (www.haiyun.me: Sender is not authorized by default

Add postfix to the root group

[root@postfix]# usermod -G root postfix

(This makes the postfix account a member of the root group, which widens the files it can read; the stock CentOS postfix package runs without it.)

Check the configuration file again with the command /usr/sbin/postconf -n

Set postfix as the MTA

[root@postfix]# alternatives --set mta /usr/sbin/sendmail.postfix

To view the current MTA:

[root@postfix]# alternatives --display mta

Set Postfix to start at boot

[root@postfix]# chkconfig --add postfix
[root@postfix]# chkconfig postfix on
[root@postfix]# chkconfig saslauthd on

Check whether the authentication packages are installed

[root@postfix]# rpm -qa | grep cyrus
cyrus-sasl-lib-2.1.23-15.el6_6.2.x86_64
cyrus-sasl-md5-2.1.23-15.el6_6.2.x86_64
cyrus-sasl-devel-2.1.23-15.el6_6.2.x86_64
cyrus-sasl-2.1.23-15.el6_6.2.x86_64
cyrus-sasl-plain-2.1.23-15.el6_6.2.x86_64

Configure the authentication mechanism; the file should contain the following three lines

[root@postfix]# vi /etc/sasl2/smtpd.conf
log_level: 3
pwcheck_method: saslauthd
mech_list: plain login

[root@postfix]# vi /etc/sysconfig/saslauthd    (the file should contain the following two lines)
MECH=shadow
FLAGS=

Restart the authentication service

[root@postfix]# service saslauthd start

Add a mail user account

[root@postfix]# groupadd mail                           # create the mail group (on CentOS it already exists with GID 12, as the id output below shows, so groupadd reports that)
[root@postfix]# useradd -g mail -s /sbin/nologin evan   # create user evan in group mail, with no SSH login
[root@postfix]# passwd evan                             # set evan's password

For the new mailbox user to have the right permissions under /var/spool/mail, you also need to:

[root@postfix]# usermod -g mail evan                    # set evan's primary group to mail

View the users in the mail group

[root@host-cn ~]# groups mail
mail : jack evan

Check which group a user belongs to

[root@host-cn postfix]# id evan
uid=504(evan) gid=12(mail) groups=12(mail)
[root@host-cn postfix]# groups evan
evan : mail

If a user was created without restricting its login, and you now need to remove its login rights, use the following:

vi /etc/passwd

Find the line for the user you want to modify, for example username:x:502:502::/home/username:/bin/bash, and change it to:

username:x:502:502::/home/username:/sbin/nologin

Verify that the password works, using the following format, for example:

[root@postfix]# testsaslauthd -u evan -p miserp007
0: OK "Success."

If the above result is displayed, the verification succeeded.

Start the postfix service

[root@postfix]# service postfix start

=

II. Installation and configuration of dovecot

[root@postfix]# yum install -y dovecot dovecot-devel dovecot-mysql pam-devel

View the version

[root@postfix]# dovecot --version
2.0.9

Only the dovecot.conf file needs to be configured, using ordinary system authentication, with SSL turned off. Note that with ssl = no and disable_plaintext_auth = no, POP3/IMAP passwords cross the network in clear text, so enable SSL if clients reach the server over an untrusted network.

[root@dovecot]# vi /etc/dovecot/dovecot.conf
listen = *
protocols = pop3 imap
default_login_user = postfix
default_internal_user = postfix
disable_plaintext_auth = no
ssl = no
mail_privileged_group = mail
mail_location = mbox:~/mail:INBOX=/var/mail/%u
userdb {
  driver = passwd
  args = blocking=no
}
passdb {
  driver = shadow
}

Rename the conf.d directory so that the configuration files in it are not used

[root@dovecot]# cd /etc/dovecot/
[root@dovecot]# mv conf.d conf.d.bak

Check the PAM authentication file; by default it does not need to be changed

[root@dovecot]# vi /etc/pam.d/dovecot
auth     required   pam_nologin.so
auth     include    password-auth
account  include    password-auth
session  include    password-auth

Start dovecot and set it to start at boot

[root@dovecot]# service dovecot start
[root@dovecot]# chkconfig dovecot on
[root@dovecot]# chkconfig --add dovecot

Test whether you can log in to dovecot normally

[root@dovecot]# telnet localhost 110
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK Dovecot ready.
user evan                 <- type the login user name by hand
+OK
pass miserp007            <- type the user's password by hand
+OK Logged in.            <- you are logged in
quit                      <- log out
+OK Logging out.

View the mail log

[root@dovecot]# tail -f /var/log/maillog

=

Third, install openwebmail

Create the openwebmail installation source

[root@dovecot]# vi /etc/yum.repos.d/openwebmail.repo
[openwebmail]
## Thomas Chung
## 2008.05.29
name=Openwebmail for Fedora or Enterprise Linux
baseurl=http://openwebmail.org/openwebmail/download/redhat/rpm/release/
enabled=1
gpgcheck=1
gpgkey=http://openwebmail.org/openwebmail/download/redhat/rpm/release/RPM-GPG-KEY-openwebmail
#metadata_expire=0

[root@dovecot]# yum install openwebmail

When the installation completes, it prompts you to run openwebmail-tool.pl --init

[root@dovecot]# cd /var/www/cgi-bin/openwebmail/

Change the contents of dbm.conf and save

[root@openwebmail]# vi /var/www/cgi-bin/openwebmail/etc/dbm.conf
dbm_ext          .db
dbmopen_ext      .db
dbmopen_haslock  no

[root@openwebmail]# cd /var/www/cgi-bin/openwebmail/

Perform the initialization

[root@openwebmail]# ./openwebmail-tool.pl --init
Send the site report? (y/n)    Answer y

This completes the installation.

Modify the openwebmail language options

[root@openwebmail]# cd /var/www/cgi-bin/openwebmail/etc
[root@etc]# vi openwebmail.conf
domainnames       dongying.com                 (changed from auto to your company's domain name, here dongying.com)
default_language  auto                         (changed from en to auto)
default_iconset   Cool3D.Chinese.Simplified

[root@etc]# cd /var/www/cgi-bin/openwebmail/etc/defaults
[root@defaults]# vi openwebmail.conf
domainnames       dongying.com
smtpserver        127.0.0.1

Make Open WebMail the default web page of the server

[root@defaults]# cd /var/www/cgi-bin/openwebmail
[root@openwebmail]# vi index.html

Install apache and modify its configuration file

[root@openwebmail]# yum install httpd
[root@openwebmail]# vi /etc/httpd/conf/httpd.conf
ServerName mail.dongying.com:82
Listen 82
DocumentRoot "/var/www/cgi-bin/openwebmail"
AddHandler cgi-script .cgi .pl

Install the character-encoding module

[root@openwebmail]# wget ftp://ftp.devil-linux.org/pub/devel/sources/1.4/perl-ext/MIME-Base64-3.09.tar.gz
[root@]# tar -xzvf MIME-Base64-3.09.tar.gz
[root@]# cd MIME-Base64-3.09
[root@MIME-Base64-3.09]# perl Makefile.PL
Checking if your kit is complete...
Looks good
Writing Makefile for MIME::Base64
[root@MIME-Base64-3.09]# make
[root@openwebmail]# service httpd restart

Add to auto start

[root@openwebmail]# chkconfig httpd on

Disable the firewall, or open the designated ports 25, 82, 110 and 143

[root@openwebmail]# service iptables stop
[root@openwebmail]# vi /etc/sysconfig/iptables
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 82 -j ACCEPT
[root@openwebmail]# service iptables restart

Then you can open it directly in the browser:

http://mail.dongying.com:82

=

Back up the maillog file regularly and delete backups older than 15 days, so that the maillog does not grow too large and waste disk space

[root@postfix]# vi /etc/postfix/clearmaillog
#!/bin/sh
# clear maillog and back it up, by evanli
rq=`date +%Y-%m-%d`
service postfix stop
service dovecot stop
mv /var/log/maillog /var/log/maillog-$rq.bak
service rsyslog restart
service postfix start
service dovecot start
find /var/log -mtime +15 -name "mail*.bak" -exec rm -f {} \;

The generated backup log file is named like maillog-2017-06-08.bak

Make it executable

[root@postfix]# chmod +x clearmaillog

Install the scheduler and the time-synchronization tool

[root@postfix]# yum install crontabs ntpdate

Disable the ntpd service that comes with the system

[root@postfix]# service ntpd stop
[root@postfix]# chkconfig ntpd off

Add the following two lines (shown in red in the original) to the end of the file

[root@host-cn postfix]# vi /etc/crontab
55 23 * * 0 root /etc/postfix/clearmaillog
0 */1 * * * root /usr/sbin/ntpdate 0.pool.ntp.org > /dev/null 2>&1

At 23:55 every Sunday night, back up the maillog and remove old backups.
Synchronize the system time every hour.

Restart the scheduling service

[root@postfix]# /sbin/service crond restart

=

Mail log analysis tool pflogsumm

1. pflogsumm functions:

Statistics of messages received, delivered, forwarded, delayed, bounced, rejected, held, discarded
Statistics of senders and recipients
Statistics of sending and receiving hosts / domain names
Counts of SMTPD connections
...

2. Installation

# yum install postfix-pflogsumm

3. Usage

Summarize today's information:

# pflogsumm -d today /var/log/maillog

Summarize yesterday's information:

# pflogsumm -d yesterday /var/log/maillog

4. Use a scheduled task to generate the day's report

The mail system log statistics report for the day is sent to the administrator's mailbox at 23:53 every evening. Add the following line to the end of the file:

[root@postfix]# vi /etc/crontab
53 23 * * * root /usr/sbin/pflogsumm -d today /var/log/maillog 2>&1 | mail -s "daily mail stats" evan@dongying.com

More ways to use pflogsumm:

# man pflogsumm

Finally, when using Outlook 2013 or Foxmail to receive mail, be sure to tick "My outgoing server (SMTP) requires authentication". In addition, the user name must be set as shown in the figure below.

Attachment: http://down.51cto.com/data/2366734
