Chapter 16 Mail Services (2)

2019-07-12 15:02:04

16.3 Mail relaying

Besides relaying mail within its own domain, Postfix can also relay between different domains. This example demonstrates relaying mail between two SMTP servers. The requirement is that mailbox users in the two domains rzz.com and jll.com can send mail to each other.

First, start a Linux virtual machine with IP address 192.168.10.11, DNS pointing to 192.168.10.1, and the firewall and SELinux disabled. It will act as the SMTP and POP3 server for the jll.com domain. As with the previous server, install and configure postfix and dovecot, configure support for jll.com mail in the configuration files, and create two system users, user3 and user4, to use as mailbox accounts. Finally start the postfix and dovecot services and verify that user3 and user4 can send mail to each other.

Next, configure the DNS server: create a jll.com zone and add an MX record pointing to mail.jll.com together with an A record for mail.jll.com (as in the earlier DNS screenshot).

Finally, enable relaying. The configuration is very simple: on 192.168.10.10, edit the postfix configuration file:

vi /etc/postfix/main.cf ---there are two relevant settings; either one is enough

relay_domains = $mydestination, jll.com

relayhost = [mail.jll.com] ---format: [hostname/ip]:port; the port may be omitted (the parameter is spelled relayhost, with no underscore)

Note: relay_domains specifies the destination domains that relaying is allowed to, and several may be listed. Once jll.com is added, the rzz.com server can send mail to jll.com, and this works even without setting relayhost. If we append domains such as 163.com or yahoo.com, then as long as the domain this host is responsible for (rzz.com) is properly registered on the public Internet, mail can be sent to public mailboxes as well. relayhost specifies which SMTP server mail is handed to, but only a single value is allowed: multiple servers cannot be separated with commas and only one relayhost line may appear, so it is rather restrictive. Its advantage is that once relayhost is set, no MX lookup is done at the DNS server; mail is delivered directly to the target SMTP server, which is somewhat faster.

After configuring, just restart the service:

systemctl restart postfix

Then, on the jll.com SMTP server, configure relaying to rzz.com in its configuration file. After restarting the service, users in the two domains can send mail to each other.

16.4 Postfix and Dovecot with SSL authentication and MySQL

As you can imagine, the setup above has big weaknesses in user management and system security. Every mailbox account is a system user, so as users grow the system accounts become bloated, and the mailbox password is the same as the system login password, which is obviously a serious security risk. The best solution is to store user information in database software and use SSL for encrypted transport and authentication, so that mailbox accounts are isolated from system users. This needs quite a few supporting configuration items, which the rest of this section demonstrates step by step.

16.4.1 Installing and configuring the MySQL database

Here we do not use the MariaDB shipped on the installation disc but MySQL directly. First download mysql-5.7.20-1.el7.x86_64.rpm-bundle.tar, then unpack it:

mkdir /mnt/mysql

tar -xvf mysql-5.7.20-1.el7.x86_64.rpm-bundle.tar -C /mnt/mysql

createrepo -v /mnt/mysql

Then configure two yum repositories, this /mnt/mysql repository and the system disc repository, and install:

yum -y install mysql

yum -y install mysql-server ---the two packages sometimes have to be installed separately

Note: during installation the package shown should be mysql, not mariadb; if mariadb is shown, first remove mariadb and mariadb-server and then specify the repository with the --enablerepo parameter. Then start the mysql service:

systemctl restart mysqld

systemctl enable mysqld

Next, log in to MySQL. Right after installation you must look up the randomly generated default password:

grep 'temporary password' /var/log/mysqld.log ---find the password in the log

As shown in the figure: the string after root@localhost: is the random password

mysql -uroot -p ---log in to MySQL as root and enter the random password

Then change the root password inside MySQL; the root password must be longer than 8 characters and consist of upper- and lower-case letters, symbols and digits:

SQL> alter user 'root'@'localhost' identified by 'Rzz-123456';

Note: the string after by is the new password.

With the initial configuration done, create the user, database and tables for the mailbox accounts:

mysql -uroot -pRzz-123456

SQL> create database mailDB; ---create the mail database

SQL> create user mailUser@'localhost' identified by 'Rzz-123456';

---create the database user mailUser with login password Rzz-123456

SQL> grant all on mailDB.* to mailUser@'localhost' identified by 'Rzz-123456'; ---grant the user rights on the mailDB database

SQL> flush privileges; ---reload the privilege tables

SQL> exit; ---quit

mysql -umailUser -pRzz-123456 ---log in as the new user

SQL> use mailDB; ---switch to the mail database

SQL> CREATE TABLE `mail_domains` (

`id` int(11) NOT NULL auto_increment,

`name` varchar(50) NOT NULL,

PRIMARY KEY (`id`))

ENGINE=InnoDB DEFAULT CHARSET=utf8; ---create the domain table

SQL> CREATE TABLE `mail_users` (

`id` int(11) NOT NULL auto_increment,

`domain_id` int(11) NOT NULL,

`password` varchar(106) NOT NULL,

`email` varchar(100) NOT NULL,

PRIMARY KEY (`id`),

UNIQUE KEY `email` (`email`),

FOREIGN KEY (domain_id) REFERENCES mail_domains(id) ON DELETE CASCADE)

ENGINE=InnoDB DEFAULT CHARSET=utf8; ---create the user table (the foreign key must reference mail_domains, the domain table created above)

SQL> CREATE TABLE `mail_aliases` (

`id` int(11) NOT NULL auto_increment,

`domain_id` int(11) NOT NULL,

`source` varchar(100) NOT NULL,

`destination` varchar(100) NOT NULL,

PRIMARY KEY (`id`),

FOREIGN KEY (domain_id) REFERENCES mail_domains(id) ON DELETE CASCADE)

ENGINE=InnoDB DEFAULT CHARSET=utf8; ---create the alias table

SQL> insert into mail_domains(id,name) values(1,'mail.rzz.com'); ---insert data

SQL> insert into mail_domains(id,name) values(2,'rzz.com');

SQL> insert into mail_users(id,domain_id,password,email) values(1,2,ENCRYPT('123123'),'zhangsan@rzz.com');

---insert the mailbox zhangsan@rzz.com with password 123123, stored hashed

SQL> insert into mail_users(id,domain_id,password,email) values(2,2,ENCRYPT('123123'),'lisi@rzz.com');

---insert the mailbox lisi@rzz.com with password 123123, stored hashed

SQL> insert into mail_aliases(id,domain_id,source,destination) values(1,2,'all@rzz.com','zhangsan@rzz.com'); ---insert aliases

SQL> insert into mail_aliases(id,domain_id,source,destination) values(2,2,'all@rzz.com','lisi@rzz.com');

Then check the inserted rows:

SQL> select * from mail_domains;

SQL> select * from mail_users;

SQL> select * from mail_aliases;

That completes the database configuration.

16.4.2 Postfix configuration

Edit the postfix configuration file:

vi /etc/postfix/main.cf

Copy the following content into the configuration file. It enables SSL authentication and specifies the key file and certificate file.

smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem

smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem

smtpd_use_tls = yes

smtpd_tls_auth_only = yes

smtpd_sasl_type = dovecot

smtpd_sasl_path = private/auth

smtpd_sasl_auth_enable = yes

smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination

virtual_transport = dovecot

virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf

virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf

virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf, mysql:/etc/postfix/mysql-virtual-email2email.cf

Then create the map files that Postfix uses to look up the virtual users in MySQL:

vim /etc/postfix/mysql-virtual-mailbox-domains.cf ---create the virtual domain map

user = mailUser

password = Rzz-123456 ---the MySQL password of mailUser set above, not the mailbox password

hosts = 127.0.0.1

dbname = mailDB

query = SELECT 1 FROM mail_domains WHERE name='%s'

vim /etc/postfix/mysql-virtual-mailbox-maps.cf ---create the virtual mailbox map

user = mailUser

password = Rzz-123456

hosts = 127.0.0.1

dbname = mailDB

query = SELECT 1 FROM mail_users WHERE email='%s'

vim /etc/postfix/mysql-virtual-alias-maps.cf ---create the alias map

user = mailUser

password = Rzz-123456

hosts = 127.0.0.1

dbname = mailDB

query = SELECT destination FROM mail_aliases WHERE source='%s'

As you can see, each map file contains the MySQL account, password and database name, so they should be readable only by root and the postfix group (for example chmod 640 and chgrp postfix). Once they are created, restart the service:

systemctl restart postfix

Then test the MySQL lookups:

postmap -q rzz.com mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf

The result should be: 1

postmap -q lisi@rzz.com mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf

The result should be: 1

postmap -q all@rzz.com mysql:/etc/postfix/mysql-virtual-alias-maps.cf

The result should be: zhangsan@rzz.com lisi@rzz.com
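The following added example (not code from the original post) rebuilds the mailDB schema from 16.4.1 in an in-memory SQLite database and emulates the three `postmap -q` lookups above by taking the `query =` line of each map file and substituting the lookup key where Postfix puts `%s`; it also shows what `ON DELETE CASCADE` does to the users and aliases of a deleted domain. The password column holds a constructed `<hash>` placeholder, and Postfix joins multiple result rows with commas.

```python
import re
import sqlite3

# Constructed stand-in for the page's mailDB schema, run in SQLite so it works offline.
# Both FOREIGN KEYs reference mail_domains (the page's text names a non-existent virtual_domains).
SCHEMA = """
CREATE TABLE mail_domains (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE mail_users (
    id INTEGER PRIMARY KEY, domain_id INTEGER NOT NULL,
    password TEXT NOT NULL, email TEXT NOT NULL UNIQUE,
    FOREIGN KEY (domain_id) REFERENCES mail_domains(id) ON DELETE CASCADE);
CREATE TABLE mail_aliases (
    id INTEGER PRIMARY KEY, domain_id INTEGER NOT NULL,
    source TEXT NOT NULL, destination TEXT NOT NULL,
    FOREIGN KEY (domain_id) REFERENCES mail_domains(id) ON DELETE CASCADE);
INSERT INTO mail_domains VALUES (1, 'mail.rzz.com'), (2, 'rzz.com');
INSERT INTO mail_users VALUES (1, 2, '<hash>', 'zhangsan@rzz.com'),
                              (2, 2, '<hash>', 'lisi@rzz.com');
INSERT INTO mail_aliases VALUES (1, 2, 'all@rzz.com', 'zhangsan@rzz.com'),
                                (2, 2, 'all@rzz.com', 'lisi@rzz.com');
"""

# The query lines of the page's three /etc/postfix/mysql-virtual-*.cf map files.
MAP_FILES = {
    "mysql-virtual-mailbox-domains.cf": "query = SELECT 1 FROM mail_domains WHERE name='%s'",
    "mysql-virtual-mailbox-maps.cf": "query = SELECT 1 FROM mail_users WHERE email='%s'",
    "mysql-virtual-alias-maps.cf": "query = SELECT destination FROM mail_aliases WHERE source='%s'",
}

def build_db():
    """Fresh in-memory database with foreign-key enforcement switched on."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn

def postmap_query(conn, map_file, key):
    """Emulate `postmap -q KEY mysql:MAP_FILE`: take the file's query line, put the lookup
    key where Postfix substitutes %s, and join all result rows with commas (None = not found)."""
    query = re.search(r"^query\s*=\s*(.+)$", MAP_FILES[map_file], re.M).group(1)
    rows = conn.execute(query.replace("'%s'", "?"), (key,)).fetchall()  # bound, not spliced
    return ",".join(str(r[0]) for r in rows) or None

def delete_domain(conn, name):
    """Delete a domain; ON DELETE CASCADE removes its users and aliases. Returns counts left."""
    conn.execute("DELETE FROM mail_domains WHERE name = ?", (name,))
    users = conn.execute("SELECT COUNT(*) FROM mail_users").fetchone()[0]
    aliases = conn.execute("SELECT COUNT(*) FROM mail_aliases").fetchone()[0]
    return users, aliases
```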

Next, edit the master.cf configuration file:

vi /etc/postfix/master.cf ---change its contents as follows:

submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
#628      inet  n       -       n       -       -       qmqpd
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}

Restart the service again:

systemctl restart postfix

lsof -i:25

lsof -i:465 ---check the ports; smtps is now listening

This completes the Postfix configuration. Next, configure Dovecot.

16.4.3 Dovecot configuration

The Dovecot configuration requires editing several files under /etc/dovecot/conf.d/; we go through them one by one.

First create the system user and group that will own the mail:

groupadd -g 5000 vmail
useradd -g vmail -u 5000 vmail

Set the access permissions on the configuration directory:

chown -R vmail:dovecot /etc/dovecot
chmod -R o-rwx /etc/dovecot

Then edit the relevant configuration files:
vi /etc/dovecot/conf.d/10-mail.conf ---configure 10-mail.conf
mail_location = maildir:/home/vmail/%d/%n/Maildir ---directory where each user's mail is stored
mail_privileged_group = mail

vim /etc/dovecot/conf.d/10-auth.conf ---configure 10-auth.conf
auth_mechanisms = plain login
#!include auth-system.conf.ext
!include auth-sql.conf.ext ---comment out the system-user line and enable MySQL authentication

vi /etc/dovecot/conf.d/auth-sql.conf.ext ---configure auth-sql.conf.ext
# Authentication for SQL users. Included from 10-auth.conf.
#
# <doc/wiki/AuthDatabase.SQL.txt>
passdb {
  driver = sql
  # Path for SQL configuration file, see example-config/dovecot-sql.conf.ext
  args = /etc/dovecot/dovecot-sql.conf.ext ---verify passwords using this file
}
# "prefetch" user database means that the passdb already provided the
# needed information and there's no need to do a separate userdb lookup.
# <doc/wiki/UserDatabase.Prefetch.txt>
#userdb {
#  driver = prefetch
#}
userdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext ---look up users using this file
}
# If you don't have any user-specific settings, you can avoid the user_query
# by using userdb static instead of userdb sql, for example:
# <doc/wiki/UserDatabase.Static.txt>
#userdb {
  #driver = static
  #args = uid=vmail gid=vmail home=/var/vmail/%u
#}

vim /etc/dovecot/dovecot-sql.conf.ext ---edit the SQL connection file
driver = mysql
connect = host=127.0.0.1 dbname=mailDB user=mailUser password=Rzz-123456 ---the user is mailUser, as created in MySQL above
default_pass_scheme = CRYPT
password_query = SELECT email AS user, password FROM mail_users WHERE email='%u'
user_query = SELECT '5000' AS uid, '5000' AS gid
vim /etc/dovecot/conf.d/10-master.conf ---configure 10-master.conf
#default_process_limit = 100
#default_client_limit = 1000
# Default VSZ (virtual memory size) limit for service processes. This is mainly
# intended to catch and kill processes that leak memory before they eat up
# everything.
#default_vsz_limit = 256M
# Login user is internally used by login processes. This is the most untrusted
# user in Dovecot system. It shouldn't have access to anything at all.
#default_login_user = dovenull
# Internal user is used by unprivileged processes. It should be separate from
# login user, so that login processes can't disturb other processes.
#default_internal_user = dovecot
service imap-login {
  inet_listener imap {
    port = 0                 ## disable the non-SSL port (commenting the line out would leave the default 143 open)
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  # Number of connections to handle before starting a new process. Typically
  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
  # is faster. <doc/wiki/LoginProcess.txt>
  #service_count = 1
  # Number of processes to always keep waiting for more connections.
  #process_min_avail = 0
  # If you set service_count=0, you probably need to grow this.
  #vsz_limit = $default_vsz_limit
}
service pop3-login {
  inet_listener pop3 {
    port = 0                 ## disable the non-SSL port
  }
  inet_listener pop3s {
    port = 995
    ssl = yes                ## enable SSL
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
  # Create inet listener only if you can't use the above UNIX socket
  #inet_listener lmtp {
    # Avoid making LMTP visible for the entire internet
    #address =
    #port =
  #}
}
service imap {
  # Most of the memory goes to mmap()ing files. You may need to increase this
  # limit if you have huge mailboxes.
  #vsz_limit = $default_vsz_limit
  # Max. number of IMAP processes (connections)
  #process_limit = 1024
}
service pop3 {
  # Max. number of POP3 processes (connections)
  #process_limit = 1024
}
service auth {
  # auth_socket_path points to this userdb socket by default. It's typically
  # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
  # full permissions to this socket are able to get a list of all usernames and
  # get the results of everyone's userdb lookups.
  #
  # The default 0666 mode allows anyone to connect to the socket, but the
  # userdb lookups will succeed only if the userdb returns an "uid" field that
  # matches the caller process's UID. Also if caller's uid or gid matches the
  # socket's uid or gid the lookup succeeds. Anything else causes a failure.
  #
  # To give the caller full permissions to lookup all users, set the mode to
  # something else than 0666 and Dovecot lets the kernel enforce the
  # permissions (e.g. 0777 allows everyone full permissions).
  unix_listener auth-userdb {
    mode = 0666
    user = vmail
    #group =
  }
  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
  # Auth process is run as this user.
  #user = $default_internal_user
  user = dovecot
}
service auth-worker {
  # Auth worker process is run as root by default, so that it can access
  # /etc/shadow. If this isn't necessary, the user should be changed to
  # $default_internal_user.
  #user = root
  user = vmail
}
service dict {
  # If dict proxy is used, mail processes should have access to its socket.
  # For example: mode=0660, group=vmail and global mail_access_groups=vmail
  unix_listener dict {
    #mode = 0600
    #user =
    #group =
  }
}

With the above configuration done, restart the dovecot service:

systemctl restart dovecot

lsof -i:995 ---check the POP3S port

lsof -i:993 ---check the IMAPS port

At this point the Postfix and Dovecot SSL authentication with MySQL configuration is complete. You can create the two accounts zhangsan@rzz.com and lisi@rzz.com in Foxmail, tick the SSL connection option in the settings (as shown below), and send test mail between them; they can also exchange mail with mailbox users in the jll.com domain.