Mail Server Part 1: Postfix+Dovecot+SASL+Procmail
The system used is CentOS 5.1
Complete mail server series: Postfix+Dovecot+SASL+Procmail+Postgrey+Mailscanner+Spamassassin+ClamAV+Mailscanner-mrtg+MailWatch+Openwebmail+MySPAM
I. Remove sendmail and install Postfix
/etc/init.d/sendmail stop
yum install postfix
rpm -e sendmail
chkconfig --add postfix
/etc/init.d/postfix start
II. Install cyrus-sasl
yum install cyrus-sasl
1. Enable saslauthd at boot and start it
chkconfig saslauthd on
service saslauthd start
2. Edit the SASL configuration
vim /usr/lib/sasl2/smtpd.conf
pwcheck_method: saslauthd
#mech_list: PLAIN LOGIN
III. Install Procmail
yum install procmail
1. Configure Procmail
vim /etc/procmailrc
LOGFILE=/var/log/procmail/procmail.log
(set the remaining directives as needed)
2. Create the log file
mkdir /var/log/procmail
touch /var/log/procmail/procmail.log
chmod 644 /var/log/procmail/procmail.log
3. Configure logrotate
vim /etc/logrotate.d/procmail
/var/log/procmail/procmail.log {
monthly
size=10M
rotate 5
nocompress
}
IV. Install dovecot (POP3 and IMAP)
yum install dovecot
1. Edit the dovecot configuration
vim /etc/dovecot.conf
Enable POP3
protocols = pop3
Enable plaintext authentication
disable_plaintext_auth = no
Disguise the greeting message
login_greeting = Microsoft Exchange 2000 POP3 server version 6.0.6603.0 (ex.roc.corp) ready.
2. Start dovecot
chkconfig dovecot on
service dovecot start
3. Change permissions on the mail spool
chmod a+rwxt /var/mail
V. Configure Postfix
vim /etc/postfix/main.cf
1. Listen on all interfaces
#inet_interfaces = localhost
inet_interfaces = all
mail_owner = postfix
2. Set the hostname and domain
mynetworks = 192.168.0.0/24, 127.0.0.0/8
mynetworks_style = host
myhostname = mail.domain.com
mydomain = domain.com
3. Hand local delivery to procmail
mailbox_command = /usr/bin/procmail
4. Enable SASL
Example:
#SMTP sasl Auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_application_name = smtpd
#Enable SMTP authentication
smtpd_sasl_auth_enable = yes
#Compatibility with older, non-standard clients
broken_sasl_auth_clients = yes
#Permit SASL-authenticated clients
smtpd_client_restrictions = permit_sasl_authenticated
#Disallow anonymous mechanisms
smtpd_sasl_security_options = noanonymous
#Local SASL realm
smtpd_sasl_local_domain = $myhostname
#Reject senders whose domain does not resolve
smtpd_sender_restrictions = reject_unknown_sender_domain
#Reject hosts on dynamic IP addresses
smtpd_client_restrictions = check_client_access regexp:/etc/postfix/access
Writing restriction lists
Each restriction line must begin with whitespace (a continuation line), and the last item takes no trailing ",".
5. Restrict by client IP/domain
Example:
smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_client_access hash:/etc/postfix/access,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client xbl.spamhaus.org,
    reject_rbl_client dsbl.dnsbl.net.au
Item descriptions:
#Allow the internal network without further checks
permit_mynetworks,
#SASL-authenticated clients
permit_sasl_authenticated,
#Reject when the client's reverse DNS lookup fails
reject_unknown_client,
#Reject clients listed in the access table
check_client_access hash:/etc/postfix/access,
(first create /etc/postfix/access, rejecting clients on dynamic IP ranges:
dynamic.apol.com.tw REJECT We can't allow dynamic IP to relay!
dynamic.giga.net.tw REJECT We can't allow dynamic IP to relay!
dynamic.hinet.net REJECT We can't allow dynamic IP to relay!
dynamic.seed.net.tw REJECT We can't allow dynamic IP to relay!
dynamic.tfn.net.tw REJECT We can't allow dynamic IP to relay!
dynamic.ttn.net REJECT We can't allow dynamic IP to relay!
dynamic.lsc.net.tw REJECT We can't allow dynamic IP to relay!
then build the DB with postmap hash:/etc/postfix/access)
#Use a regular expression to reject hosts with "dynamic" in their name
check_client_access regexp:/etc/postfix/access_re
(first create /etc/postfix/access_re with the content
/dynamic/ REJECT )
#Use DNS block lists (DNSBL)
reject_rbl_client cbl.abuseat.org,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client xbl.spamhaus.org,
reject_rbl_client dsbl.dnsbl.net.au,
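As an added illustration, not part of the original post or of Postfix itself, the following Python simulates the lookup order Postfix documents for check_client_access: the hash: table with the dynamic-IP entries above, and the regexp: table with the /dynamic/ pattern. The table contents and client names are constructed for the example.

```python
import re

# Constructed tables with the same content as the /etc/postfix/access and
# /etc/postfix/access_re files described above (two of the hash entries shown).
ACCESS_HASH = {
    "dynamic.hinet.net": "REJECT We can't allow dynamic IP to relay!",
    "dynamic.seed.net.tw": "REJECT We can't allow dynamic IP to relay!",
}
ACCESS_REGEXP = [(re.compile(r"dynamic", re.I), "REJECT")]


def hash_lookup(table, hostname, ip):
    """Lookup order from access(5): the client hostname, then each parent domain (bare
    form, because smtpd_access_maps is in the default parent_domain_matches_subdomains),
    then the client IP, then ever-shorter network prefixes. A hostname of 'unknown'
    (failed reverse DNS) is never looked up, so only the IP keys can match such a client."""
    keys = []
    if hostname and hostname != "unknown":
        labels = hostname.lower().rstrip(".").split(".")
        keys += [".".join(labels[i:]) for i in range(len(labels))]
    octets = ip.split(".")
    keys += [".".join(octets[:n]) for n in range(len(octets), 0, -1)]
    for key in keys:
        if key in table:
            return key, table[key]
    return None


def regexp_lookup(table, hostname, ip):
    """regexp: tables match each pattern against the keys instead of looking them up;
    Postfix compiles the patterns case-insensitively by default, hence re.I above."""
    for key in ([hostname] if hostname != "unknown" else []) + [ip]:
        for pattern, action in table:
            if pattern.search(key):
                return key, action
    return None


def client_access(hostname, ip):
    """Evaluate both tables in the order the restriction list above uses: hash, then regexp."""
    return hash_lookup(ACCESS_HASH, hostname, ip) or regexp_lookup(ACCESS_REGEXP, hostname, ip)
```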
6. Require HELO before mail is accepted
smtpd_helo_required = yes
7. Verify the HELO name
Example:
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_invalid_hostname,
    check_helo_access hash:/etc/postfix/fake_helo
#Reject malformed/unknown HELO hostnames
reject_invalid_hostname,
#reject_non_fqdn_hostname,
#reject_unknown_hostname,
#Reject outside hosts whose HELO claims our own domain
check_helo_access hash:/etc/postfix/fake_helo
(to reject outside hosts whose HELO claims our own domain,
first create /etc/postfix/fake_helo
with the content example.com REJECT
and build the DB with postmap hash:/etc/postfix/fake_helo)
#Reject immediately rather than delaying the rejection
smtpd_delay_reject = no
8. Restrict by MAIL FROM
Example:
smtpd_sender_restrictions =
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain
#Reject mail from outside that claims to originate internally
#check_sender_access hash:/etc/postfix/fake_from,
(create /etc/postfix/fake_from
with the content example.com REJECT
then run postmap hash:/etc/postfix/fake_from)
#Reject malformed and unknown sender domains
reject_non_fqdn_sender
9. Restrict by recipient
Example:
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_policy_service unix:/var/spool/postfix/postgrey/socket,
    permit_auth_destination,
    reject_unauth_destination
#Some advertising mail uses an edm@ address as the sender
header_checks = regexp:/etc/postfix/hc
(create the file /etc/postfix/hc
with the content /^From:.*edm@/ REJECT
to filter advertising mail whose sender is an edm@ address with a regular expression)
10. Disguise the banner shown when connecting to Postfix
smtpd_banner = Welcome to Microsoft Exchange 2003
11. Queue retention time
#Outgoing mail
maximal_queue_lifetime = 5d
#Bounces
bounce_queue_lifetime = 5d
12. Maximum size per message
message_size_limit = 512000000
13. Mailbox size limit per account (0 = unlimited)
mailbox_size_limit = 0
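A small added check, not code from the original post: it parses a main.cf fragment using the continuation-line rule from item 5, reports parameters defined more than once (in the SASL block above smtpd_client_restrictions and several other parameters appear twice, and Postfix honours only the last definition), and confirms the recipient restrictions keep the reject_unauth_destination guard against open relay. The sample fragment is constructed.

```python
import re

# Constructed sample modelled on the SASL block above: smtpd_client_restrictions is
# defined twice, and the recipient list uses the whitespace continuation syntax.
SAMPLE_MAIN_CF = """\
# SMTP sasl Auth
smtpd_sasl_auth_enable = yes
smtpd_client_restrictions = permit_sasl_authenticated
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_client_restrictions = check_client_access regexp:/etc/postfix/access_re
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""


def parse_main_cf(text):
    """Return (params, duplicates): params maps a parameter to every value given for it in
    file order; duplicates lists parameters that were defined more than once."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":  # continuation line: belongs to the previous parameter
            if current is not None:
                params[current][-1] = (params[current][-1] + " " + raw.strip()).strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if not m:
            continue
        current = m.group(1)
        params.setdefault(current, []).append(m.group(2).strip())
    return params, [name for name, values in params.items() if len(values) > 1]


def effective_value(params, name):
    """The value Postfix actually uses: the last definition wins."""
    return params[name][-1] if name in params else None


def restriction_list(params, name):
    """Split a comma-separated restriction list; an argument stays with its restriction."""
    value = effective_value(params, name) or ""
    return [item.strip() for item in value.split(",") if item.strip()]


def has_relay_guard(params):
    """True when smtpd_recipient_restrictions contains a reject/defer_unauth_destination
    item, so clients outside mynetworks that did not authenticate cannot relay."""
    items = restriction_list(params, "smtpd_recipient_restrictions")
    return any(i.split()[0] in ("reject_unauth_destination", "defer_unauth_destination") for i in items)
```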
--------------------------------------------------------------------
SASL test
1. Start saslauthd and reload Postfix
/etc/rc.d/init.d/saslauthd start
service postfix reload
2. Test
testsaslauthd -u user -p 'password'
0: OK "Success." --> success
3. Related configuration file
/etc/sysconfig/saslauthd
the key setting is MECH=shadow
4. SASL mechanisms available
saslauthd -v
saslauthd 2.1.19
authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap
5. TELNET test
telnet mail.domain.com 25
EHLO test.com
250-mail.domain.com
250-PIPELINING
250-SIZE 512000000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
Lines six and seven show the authentication mechanisms currently offered
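An added example, not from the original post, that parses the EHLO reply above and reports the mechanisms from those two lines, the SIZE limit, and whether STARTTLS is offered (without it, PLAIN and LOGIN credentials cross the network in clear). check_live runs the same check against your own server with the standard smtplib module; the HELO name test.com is the one used in the telnet test above.

```python
import re
import smtplib

# Constructed sample: the EHLO reply shown in the telnet test above.
SAMPLE_EHLO = """\
250-mail.domain.com
250-PIPELINING
250-SIZE 512000000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""


def parse_ehlo(reply):
    """Return {KEYWORD: [args]} from an EHLO reply. The '250-'/'250 ' prefix is optional so
    that smtplib's stripped reply text parses the same way as a raw telnet transcript."""
    caps = {}
    for line in reply.splitlines():
        line = re.sub(r"^\d{3}[- ]", "", line).strip()
        if not line:
            continue
        # 'AUTH=PLAIN LOGIN' is the pre-RFC form emitted for broken_sasl_auth_clients = yes
        parts = line.replace("AUTH=", "AUTH ", 1).split()
        caps.setdefault(parts[0].upper(), []).extend(parts[1:])
    return caps


def auth_report(caps):
    """What an unauthenticated client learns from EHLO, plus the clear-text exposure check."""
    mechs = sorted(set(caps.get("AUTH", [])))
    return {
        "mechanisms": mechs,
        "size_limit": int(caps["SIZE"][0]) if caps.get("SIZE") else None,
        "starttls": "STARTTLS" in caps,
        "plaintext_auth_exposed": bool(mechs) and "STARTTLS" not in caps,
    }


def check_live(host, helo_name="test.com", port=25):
    """Run the same report against a real server (your own) using the standard library."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        code, msg = smtp.ehlo(helo_name)
        if code != 250:
            raise RuntimeError(f"EHLO rejected: {code} {msg!r}")
        return auth_report(parse_ehlo(msg.decode("utf-8", "replace")))
```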
---------------------------------------------------------------------
POSTFIX test
1. Check that it is running
service postfix restart
netstat -tupln | grep :25
postfix should be listening on port 25
2. Check the postfix configuration
#postconf
Show the default values
#postconf -d
3. Send mail via telnet
The sequence a client follows to deliver a message to the server is:
HELO / EHLO domain name
MAIL FROM: sender e-mail address
RCPT TO: recipient e-mail address
DATA message body, terminated by a line containing only "."
QUIT finish sending and disconnect