26 марта 2017

Настройка почтового сервера (Postfix, Dovecot, MariaDB/MySQL) в CentOS/RHEL

Установка PostfixAdmin

Скачаем архив с PostfixAdmin, распакуем и разложим его содержимое по разным папкам:

$ wget http://sourceforge.net/projects/postfixadmin/files/latest/download?source=files -O postfixadmin.tar.gz
$ tar zxvf postfixadmin.tar.gz --no-same-owner --no-same-permissions --directory=/usr/share
$ rm -f postfixadmin.tar.gz
$ ln -s /usr/share/postfixadmin-2.92 /usr/share/postfixadmin
$ chcon -u system_u /usr/share/postfixadmin* -R
$ mkdir /usr/share/doc/postfixadmin-2.92
$ chcon -u system_u /usr/share/doc/postfixadmin-2.92
$ mv /usr/share/postfixadmin/{ADDITIONS,DOCUMENTS,VIRTUAL_VACATION} /usr/share/doc/postfixadmin-2.92
$ rm -rf /usr/share/postfixadmin/debian
$ chcon -t httpd_sys_rw_content_t /usr/share/postfixadmin/templates_c
$ chown root:apache /usr/share/postfixadmin/templates_c
$ chmod g+w /usr/share/postfixadmin/templates_c
$ mkdir /etc/postfixadmin
$ touch /etc/postfixadmin/config.local.php
$ chown root:apache /etc/postfixadmin/config.local.php
$ chmod 0640 /etc/postfixadmin/config.local.php
$ chcon -u system_u /etc/postfixadmin -R
$ chcon -t httpd_sys_content_t /etc/postfixadmin/config.local.php
$ ln -s /etc/postfixadmin/config.local.php /usr/share/postfixadmin/
$ chcon -u system_u /usr/share/postfixadmin/config.local.php -R

$ wget http://sourceforge.net/projects/postfixadmin/files/latest/download?source=files -O postfixadmin.tar.gz

$ tar zxvf postfixadmin.tar.gz --no-same-owner --no-same-permissions --directory=/usr/share

$ rm -f postfixadmin.tar.gz

$ ln -s /usr/share/postfixadmin-2.92 /usr/share/postfixadmin

$ chcon -u system_u /usr/share/postfixadmin* -R

$ mkdir /usr/share/doc/postfixadmin-2.92

$ chcon -u system_u /usr/share/doc/postfixadmin-2.92

$ mv /usr/share/postfixadmin/{ADDITIONS,DOCUMENTS,VIRTUAL_VACATION} /usr/share/doc/postfixadmin-2.92

$ rm -rf /usr/share/postfixadmin/debian

$ chcon -t httpd_sys_rw_content_t /usr/share/postfixadmin/templates_c

$ chown root:apache /usr/share/postfixadmin/templates_c

$ chmod g+w /usr/share/postfixadmin/templates_c

$ mkdir /etc/postfixadmin

$ touch /etc/postfixadmin/config.local.php

$ chown root:apache /etc/postfixadmin/config.local.php

$ chmod 0640 /etc/postfixadmin/config.local.php

$ chcon -u system_u /etc/postfixadmin -R

$ chcon -t httpd_sys_content_t /etc/postfixadmin/config.local.php

$ ln -s /etc/postfixadmin/config.local.php /usr/share/postfixadmin/

$ chcon -u system_u /usr/share/postfixadmin/config.local.php -R

Теперь создадим в MySQL базу данных, в которой будет храниться информация о почтовых пользователях:

$ mysql -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 10
Server version: 5.5.40-MariaDB MariaDB Server
 
Copyright (c) 2000, 2014, Oracle, Monty Program Ab and others.
 
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
 
MariaDB [(none)]> CREATE DATABASE `%VMailDB%` DEFAULT CHARACTER SET utf8;
Query OK, 1 row affected (0.00 sec)
 
MariaDB [(none)]> CREATE USER '%VMailUser%'@'localhost' IDENTIFIED BY '%VMailPassWord%';
Query OK, 0 rows affected (0.03 sec)
 
MariaDB [(none)]> GRANT ALL PRIVILEGES ON `%VMailDB%`.* TO '%VMailUser%'@'localhost';
Query OK, 0 rows affected (0.03 sec)
 
MariaDB [(none)]> \q
Bye

$ mysql -u root -p

Enter password:

Welcome to the MariaDB monitor. Commands end with ; or \g.

Your MariaDB connection id is 10

Server version: 5.5.40-MariaDB MariaDB Server

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> CREATE DATABASE `%VMailDB%` DEFAULT CHARACTER SET utf8;

Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> CREATE USER '%VMailUser%'@'localhost' IDENTIFIED BY '%VMailPassWord%';

Query OK, 0 rows affected (0.03 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON `%VMailDB%`.* TO '%VMailUser%'@'localhost';

Query OK, 0 rows affected (0.03 sec)

MariaDB [(none)]> \q

Bye

Условимся, что здесь и далее вместо %VMailDB%, %VMailUser% и %VMailPassWord% нужно вписывать название базы данных, имя пользователя и пароль. Никаких процентов!

Пропишем данные о созданной базе в конфигурационный файл PostfixAdmin и сделаем несколько дополнительных настроек:

$ nano -w /etc/postfixadmin/config.local.php
<?php
$CONF['configured'] = true;
$CONF['setup_password'] = 'changeme';
$CONF['default_language'] = 'en';
$CONF['database_type'] = 'mysqli';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = '%VMailUser%';
$CONF['database_password'] = '%VMailPassWord%';
$CONF['database_name'] = '%VMailDB%';
$CONF['admin_email'] = 'postmaster@example.com';
$CONF['page_size'] = '50';
$CONF['default_aliases'] = array (
    'MAILER-DAEMON' => 'postmaster@example.com',
    'abuse' => 'postmaster@example.com',
    'postmaster' => 'hostmaster@example.com',
    'webmaster' => 'hostmaster@example.com',
    'hostmaster' => 'root@example.com',
    'root' => 'admin@example.com'
);
$CONF['domain_path'] = 'YES';
$CONF['domain_in_mailbox'] = 'NO';
$CONF['transport'] = 'YES';
$CONF['transport_options'] = array (
    'dovecot',  // for virtual accounts
    'virtual',  // for virtual accounts
    'local',    // for system accounts
    'relay'     // for backup mx
);
$CONF['transport_default'] = 'dovecot';
$CONF['vacation'] = 'NO';
$CONF['vacation_control'] = 'NO';
$CONF['vacation_control_admin'] = 'NO';
$CONF['backup'] = 'YES';
$CONF['sendmail'] = 'YES';
$CONF['logging'] = 'YES';
$CONF['fetchmail'] = 'YES';
$CONF['fetchmail_extra_options'] = 'YES';
$CONF['footer_text'] = 'Return to mail.example.com';
$CONF['footer_link'] = 'http://mail.example.com';
$CONF['used_quotas'] = 'YES';
$CONF['new_quota_table'] = 'YES';

$ nano -w /etc/postfixadmin/config.local.php

<?php

$CONF['configured'] = true;

$CONF['setup_password'] = 'changeme';

$CONF['default_language'] = 'en';

$CONF['database_type'] = 'mysqli';

$CONF['database_host'] = 'localhost';

$CONF['database_user'] = '%VMailUser%';

$CONF['database_password'] = '%VMailPassWord%';

$CONF['database_name'] = '%VMailDB%';

$CONF['admin_email'] = 'postmaster@example.com';

$CONF['page_size'] = '50';

$CONF['default_aliases'] = array (

'MAILER-DAEMON' => 'postmaster@example.com',

'abuse' => 'postmaster@example.com',

'postmaster' => 'hostmaster@example.com',

'webmaster' => 'hostmaster@example.com',

'hostmaster' => 'root@example.com',

'root' => 'admin@example.com'

);

$CONF['domain_path'] = 'YES';

$CONF['domain_in_mailbox'] = 'NO';

$CONF['transport'] = 'YES';

$CONF['transport_options'] = array (

'dovecot', // for virtual accounts

'virtual', // for virtual accounts

'local', // for system accounts

'relay' // for backup mx

);

$CONF['transport_default'] = 'dovecot';

$CONF['vacation'] = 'NO';

$CONF['vacation_control'] = 'NO';

$CONF['vacation_control_admin'] = 'NO';

$CONF['backup'] = 'YES';

$CONF['sendmail'] = 'YES';

$CONF['logging'] = 'YES';

$CONF['fetchmail'] = 'YES';

$CONF['fetchmail_extra_options'] = 'YES';

$CONF['footer_text'] = 'Return to mail.example.com';

$CONF['footer_link'] = 'http://mail.example.com';

$CONF['used_quotas'] = 'YES';

$CONF['new_quota_table'] = 'YES';

Подключим PostfixAdmin к веб-серверу Apache:

$ nano -w /etc/httpd/conf.d/postfixadmin.conf
# postfixadmin - Web based Management tool created for Postfix.
# 
# Allows only localhost by default
#
# But allowing postfixadmin to anyone other than localhost should be considered
# dangerous unless properly secured by SSL
 
Alias /postfixadmin /usr/share/postfixadmin
 
<Directory /usr/share/postfixadmin/>
   AddDefaultCharset UTF-8
 
   <IfModule mod_authz_core.c>
     # Apache 2.4
     <RequireAny>
       Require ip 127.0.0.1
       Require ip ::1
       Require ip 192.168.0.0/16
     </RequireAny>
   </IfModule>
   <IfModule !mod_authz_core.c>
     # Apache 2.2
     Order Deny,Allow
     Deny from All
     Allow from 127.0.0.1
     Allow from ::1
     Allow from 192.168.0.0/16
   </IfModule>
</Directory>
$ chcon -u system_u /etc/httpd/conf.d/postfixadmin.conf
$ systemctl reload httpd.service

$ nano -w /etc/httpd/conf.d/postfixadmin.conf

# postfixadmin - Web based Management tool created for Postfix.

# Allows only localhost by default

# But allowing postfixadmin to anyone other than localhost should be considered

# dangerous unless properly secured by SSL

Alias /postfixadmin /usr/share/postfixadmin

AddDefaultCharset UTF-8

# Apache 2.4

Require ip 127.0.0.1

Require ip ::1

Require ip 192.168.0.0/16

</RequireAny>

</IfModule>

# Apache 2.2

Order Deny,Allow

Deny from All

Allow from 127.0.0.1

Allow from ::1

Allow from 192.168.0.0/16

</IfModule>

</Directory>

$ chcon -u system_u /etc/httpd/conf.d/postfixadmin.conf

$ systemctl reload httpd.service

Открываем в браузере ссылку https://mail.example.com/postfixadmin/setup.php
Проверьте везде ли написано OK в требованиях. Далее задайте пароль для изменения настроек и получившийся хэш сохраните в файл /etc/postfixadmin/config.local.php

$ nano -w /etc/postfixadmin/config.local.php
$CONF['setup_password'] = 'd2aec49ec9b65d5e606ea7ddcdb78d3a:831aa5735816eb6480232a93e859a1de84aec174';

1 2	$ nano -w /etc/postfixadmin/config.local.php $CONF['setup_password'] = 'd2aec49ec9b65d5e606ea7ddcdb78d3a:831aa5735816eb6480232a93e859a1de84aec174';

Теперь опять открываем в браузере ссылку https://mail.example.com/postfixadmin/setup.php, вводим пароль и создаём учётную запись администратора.

Учётная запись администратора создана, открываем PostfixAdmin по адресу https://mail.example.com/postfixadmin/ и вводим данные администратора. Наша задача для начала создать домен и почтовые ящики пользователей.
Для того чтобы создать домен выбираем в меню «Domain List» и там пункт «New Domain». Заполняем форму (в поле «Transport» необходимо выбрать «dovecot») и нажимаем на кнопку «Add Domain».
После создания домена – создадим пользователей и алиасы. Для этого выбираем в меню «Virtual List» и там пункт «Add Mailbox». Заполняем форму и нажимаем на кнопку «Add Mailbox». По умолчанию для домена создаётся ряд системных алиасов, почта с которых в итоге редиректится на адрес admin@example.com. Нужно теперь создать редирект с имени admin@example.com на адрес администратора. Для этого выбираем в меню «Virtual List» и там пункт «Add Alias». Вводим admin в поле «Alias», в поле «To» вводим полный адрес для редиректа и нажимаем на кнопку «Add Alias».
Теперь открываем список созданных почтовых ящиков и алиасов, выбрав пункт «Virtual List» в меню «Virtual List». Если всё в порядке – приступаем к дальнейшей настройке почтовой системы.

Исправление работы PostfixAdmin с русскими символами

Для начала исправим кодировку в таблицах MySQL:

$ echo "ALTER DATABASE `%VMailDB%` CHARACTER SET utf8;" >temp.txt
$ echo "ALTER TABLE `%VMailDB%`.`quota` DROP PRIMARY KEY, ADD PRIMARY KEY (`username`) COMMENT '';" >>temp.txt
$ mysql -u root -p --database=%VMailDB% -B -N -e "SHOW TABLES" | awk '{print "SET foreign_key_checks = 0; ALTER TABLE", $1, "CONVERT TO CHARACTER SET utf8 COLLATE utf8_general_ci; SET foreign_key_checks = 1; "}' >>temp.txt
$ mysql -u root -p --database=%VMailDB% <temp.txt
$ rm -f temp.txt

$ echo "ALTER DATABASE `%VMailDB%` CHARACTER SET utf8;" >temp.txt

$ echo "ALTER TABLE `%VMailDB%`.`quota` DROP PRIMARY KEY, ADD PRIMARY KEY (`username`) COMMENT '';" >>temp.txt

$ mysql -u root -p --database=%VMailDB% -B -N -e "SHOW TABLES" | awk '{print "SET foreign_key_checks = 0; ALTER TABLE", $1, "CONVERT TO CHARACTER SET utf8 COLLATE utf8_general_ci; SET foreign_key_checks = 1; "}' >>temp.txt

$ mysql -u root -p --database=%VMailDB% <temp.txt

$ rm -f temp.txt

А теперь исправим php-скрипты PostfixAdmin для правильной работы с кодировкой utf-8:
Исправить нужно все вызовы функции htmlentities в каталогах /usr/share/postfixadmin и /usr/share/postfixadmin/templates, нужно добавить 2 аргумента |, ENT_QUOTES, ‘UTF-8’|.

Исправление бага с сохранением extra-опций для fetchmail

В файле fetchmail.php дважды выполняется функция escape_string, поэтому слеши сохраняются в MySQL.

$ nano -w /usr/share/postfixadmin/fetchmail.php
#               $formvars[$key]= escape_string( function_exists($func) ?$func($val) :$val);
                $formvars[$key]= function_exists($func) ?$func($val) :$val;

$ nano -w /usr/share/postfixadmin/fetchmail.php

# $formvars[$key]= escape_string( function_exists($func) ?$func($val) :$val);

$formvars[$key]= function_exists($func) ?$func($val) :$val;

Установка postfix

Для начала определимся где будут физически находиться почтовые ящики пользователей. Если планируется их оставить в дефолтной папке – пропускаем этот пункт. У меня почта физически лежит на специальном разделе, который примонтирован в /srv. Для того чтобы сделать так же – монтируем раздел и выполняем следующее:

$ mv /var/spool/mail/ /srv/
$ ln -s /srv/mail/ /var/spool/mail
$ chcon -u system_u -t mail_spool_t /var/spool/mail -R

$ mv /var/spool/mail/ /srv/

$ ln -s /srv/mail/ /var/spool/mail

$ chcon -u system_u -t mail_spool_t /var/spool/mail -R

В CentOS 7 по умолчанию устанавливается postfix, а в предыдущих версиях CentOS нужно было выполнить команду:

$ yum -y install postfix && yum -y remove sendmail

1	$ yum -y install postfix && yum -y remove sendmail

Отредактируем основной конфигурационный файл postfix:

$ nano -w /etc/postfix/main.cf
myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain
inet_interfaces = all
inet_protocols = ipv4
mynetworks_style = host
mynetworks = $config_directory/mynetworks
smtpd_banner = $myhostname ESMTP $mail_name
 
# ---------------------- VIRTUAL DOMAINS START ----------------------
virtual_alias_maps              = proxy:mysql:$config_directory/sql/virtual_alias_maps.cf
virtual_mailbox_domains         = proxy:mysql:$config_directory/sql/virtual_domains_maps.cf
virtual_mailbox_maps            = proxy:mysql:$config_directory/sql/virtual_mailbox_maps.cf
#virtual_mailbox_limit_maps     = proxy:mysql:$config_directory/sql/virtual_mailbox_limit_maps.cf
virtual_mailbox_base            = /var/spool/mail
virtual_uid_maps                = static:8
virtual_gid_maps                = static:12
mailbox_size_limit              = 104857600
message_size_limit              = 104857600
relay_domains                   = proxy:mysql:$config_directory/sql/relay_domains.cf
relay_recipient_maps            = proxy:mysql:$config_directory/sql/relay_recipient_maps.cf
transport_maps                  = proxy:mysql:$config_directory/sql/transport_maps.cf
#transport_maps                 = hash:$config_directory/transport
#virtual_transport              = dovecot
dovecot_destination_recipient_limit = 1
# ----------------------- VIRTUAL DOMAINS END -----------------------
 
# ------------------------- SASL PART START -------------------------
broken_sasl_auth_clients        = yes
smtpd_helo_required             = yes
smtpd_client_restrictions       = permit_sasl_authenticated
smtpd_sender_restrictions       = permit_sasl_authenticated
smtpd_sasl_auth_enable          = yes
smtpd_sasl_security_options     = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type                 = dovecot
# Can be an absolute path, or relative to $queue_directory
smtpd_sasl_path                 = private/auth
# -------------------------- SASL PART END --------------------------
 
# -------------------------- TLS PART START -------------------------
smtpd_use_tls                   = yes
smtpd_tls_auth_only             = yes
smtpd_tls_CAfile                = /etc/pki/tls/certs/sub.class2.server.ca.pem
smtpd_tls_cert_file             = /etc/pki/tls/certs/mail.example.com.crt
smtpd_tls_key_file              = /etc/pki/tls/private/mail.example.com.key
smtpd_tls_mandatory_protocols   = !SSLv2,!SSLv3
smtpd_tls_received_header       = yes
smtpd_tls_loglevel              = 1
tls_random_source               = dev:/dev/urandom
# --------------------------- TLS PART END --------------------------
 
# ------------------ SMTPD RESTRICTIONS PART START ------------------
disable_vrfy_command            = yes
non_fqdn_reject_code            = 450
invalid_hostname_reject_code    = 450
maps_rbl_reject_code            = 450
unverified_sender_reject_code   = 550
#header_checks                  = pcre:$config_directory/header_checks
#body_checks                    = pcre:$config_directory/body_checks
#warning: the restrictions reject_unknown_(sender|recipient)_domain
#will trigger if your DNS becomes unavailable
smtpd_recipient_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        reject_unauth_destination
        reject_invalid_helo_hostname
        warn_if_reject reject_non_fqdn_helo_hostname
        warn_if_reject reject_unknown_helo_hostname
        warn_if_reject reject_unknown_client
        reject_non_fqdn_sender
        reject_non_fqdn_recipient
        reject_unknown_sender_domain
        reject_unknown_recipient_domain
        check_client_access hash:$config_directory/rbl_override
        reject_rbl_client zen.spamhaus.org
        reject_rbl_client bl.spamcop.net
        reject_rbl_client dnsbl.sorbs.net=127.0.0.2
        reject_rbl_client dnsbl.sorbs.net=127.0.0.3
        reject_rbl_client dnsbl.sorbs.net=127.0.0.4
        reject_rbl_client dnsbl.sorbs.net=127.0.0.5
        reject_rbl_client dnsbl.sorbs.net=127.0.0.7
        reject_rbl_client dnsbl.sorbs.net=127.0.0.9
        reject_rbl_client dnsbl.sorbs.net=127.0.0.11
        reject_rbl_client dnsbl.sorbs.net=127.0.0.12
        permit
 
smtpd_data_restrictions =
        permit_mynetworks,
        reject_unauth_pipelining,
        reject_multi_recipient_bounce,
        permit
# ------------------- SMTPD RESTRICTIONS PART END --------------------

$ nano -w /etc/postfix/main.cf

myhostname = mail.example.com

mydomain = example.com

myorigin = $mydomain

inet_interfaces = all

inet_protocols = ipv4

mynetworks_style = host

mynetworks = $config_directory/mynetworks

smtpd_banner = $myhostname ESMTP $mail_name

# ---------------------- VIRTUAL DOMAINS START ----------------------

virtual_alias_maps = proxy:mysql:$config_directory/sql/virtual_alias_maps.cf

virtual_mailbox_domains = proxy:mysql:$config_directory/sql/virtual_domains_maps.cf

virtual_mailbox_maps = proxy:mysql:$config_directory/sql/virtual_mailbox_maps.cf

#virtual_mailbox_limit_maps = proxy:mysql:$config_directory/sql/virtual_mailbox_limit_maps.cf

virtual_mailbox_base = /var/spool/mail

virtual_uid_maps = static:8

virtual_gid_maps = static:12

mailbox_size_limit = 104857600

message_size_limit = 104857600

relay_domains = proxy:mysql:$config_directory/sql/relay_domains.cf

relay_recipient_maps = proxy:mysql:$config_directory/sql/relay_recipient_maps.cf

transport_maps = proxy:mysql:$config_directory/sql/transport_maps.cf

#transport_maps = hash:$config_directory/transport

#virtual_transport = dovecot

dovecot_destination_recipient_limit = 1

# ----------------------- VIRTUAL DOMAINS END -----------------------

# ------------------------- SASL PART START -------------------------

broken_sasl_auth_clients = yes

smtpd_helo_required = yes

smtpd_client_restrictions = permit_sasl_authenticated

smtpd_sender_restrictions = permit_sasl_authenticated

smtpd_sasl_auth_enable = yes

smtpd_sasl_security_options = noanonymous

smtpd_sasl_tls_security_options = $smtpd_sasl_security_options

smtpd_sasl_type = dovecot

# Can be an absolute path, or relative to $queue_directory

smtpd_sasl_path = private/auth

# -------------------------- SASL PART END --------------------------

# -------------------------- TLS PART START -------------------------

smtpd_use_tls = yes

smtpd_tls_auth_only = yes

smtpd_tls_CAfile = /etc/pki/tls/certs/sub.class2.server.ca.pem

smtpd_tls_cert_file = /etc/pki/tls/certs/mail.example.com.crt

smtpd_tls_key_file = /etc/pki/tls/private/mail.example.com.key

smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3

smtpd_tls_received_header = yes

smtpd_tls_loglevel = 1

tls_random_source = dev:/dev/urandom

# --------------------------- TLS PART END --------------------------

# ------------------ SMTPD RESTRICTIONS PART START ------------------

disable_vrfy_command = yes

non_fqdn_reject_code = 450

invalid_hostname_reject_code = 450

maps_rbl_reject_code = 450

unverified_sender_reject_code = 550

#header_checks = pcre:$config_directory/header_checks

#body_checks = pcre:$config_directory/body_checks

#warning: the restrictions reject_unknown_(sender|recipient)_domain

#will trigger if your DNS becomes unavailable

smtpd_recipient_restrictions =

permit_mynetworks

permit_sasl_authenticated

reject_unauth_destination

reject_invalid_helo_hostname

warn_if_reject reject_non_fqdn_helo_hostname

warn_if_reject reject_unknown_helo_hostname

warn_if_reject reject_unknown_client

reject_non_fqdn_sender

reject_non_fqdn_recipient

reject_unknown_sender_domain

reject_unknown_recipient_domain

check_client_access hash:$config_directory/rbl_override

reject_rbl_client zen.spamhaus.org

reject_rbl_client bl.spamcop.net

reject_rbl_client dnsbl.sorbs.net=127.0.0.2

reject_rbl_client dnsbl.sorbs.net=127.0.0.3

reject_rbl_client dnsbl.sorbs.net=127.0.0.4

reject_rbl_client dnsbl.sorbs.net=127.0.0.5

reject_rbl_client dnsbl.sorbs.net=127.0.0.7

reject_rbl_client dnsbl.sorbs.net=127.0.0.9

reject_rbl_client dnsbl.sorbs.net=127.0.0.11

reject_rbl_client dnsbl.sorbs.net=127.0.0.12

permit

smtpd_data_restrictions =

permit_mynetworks,

reject_unauth_pipelining,

reject_multi_recipient_bounce,

permit

# ------------------- SMTPD RESTRICTIONS PART END --------------------

Блок «VIRTUAL DOMAINS» отвечает за наши обслуживаемые домены и пользователей, которые мы заводили в PostfixAdmin. Блок «SASL» нужен для авторизации пользователей на SMTP, для того чтобы можно было отправлять почту через наш сервер. В блоке «TLS» прописываем наши SSL-сертификаты, для того чтобы всё общение с почтовым сервером проходило в зашифрованном виде. А блок «SMTPD RESTRICTIONS» нужен для того чтобы отсечь львиную долю спама.

Создадим список исключений из RBL-списка. Для того чтобы иметь возможность получать почту с этих серверов даже если они по какой-то причине попадут в RBL-список.

$ nano -w /etc/postfix/rbl_override
mail.example.com        OK
1.2.3.4                 OK
mail.example.org        OK
2.3.4.5                 OK
$ postmap /etc/postfix/rbl_override
$ chcon -u system_u /etc/postfix/rbl_override*

$ nano -w /etc/postfix/rbl_override

mail.example.com OK

1.2.3.4 OK

mail.example.org OK

2.3.4.5 OK

$ postmap /etc/postfix/rbl_override

$ chcon -u system_u /etc/postfix/rbl_override*

Создадим список хостов, которые смогут без авторизации отправлять почту через наш почтовый сервис (очень опасная штука, на моей памяти реально такое понадобилось только для одного блейд-центра, который не умел авторизовываться, всё остальное железо спокойно авторизуется на smtp и без проблем отправляет почту).

$ nano -w /etc/postfix/mynetworks
# localhost
127.0.0.0/8
# sw01.example.com
192.168.255.123/32
$ chcon -u system_u /etc/postfix/mynetworks

$ nano -w /etc/postfix/mynetworks

# localhost

127.0.0.0/8

# sw01.example.com

192.168.255.123/32

$ chcon -u system_u /etc/postfix/mynetworks

Настроим dovecot в качестве почтового транспорта:

$ nano -w /etc/postfix/master.cf
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=mail:mail argv=/usr/libexec/dovecot/deliver -d ${recipient}

$ nano -w /etc/postfix/master.cf

smtps inet n - n - - smtpd

-o syslog_name=postfix/smtps

-o smtpd_tls_wrappermode=yes

-o smtpd_sasl_auth_enable=yes

-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

# -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# -o milter_macro_daemon_name=ORIGINATING

dovecot unix - n n - - pipe

flags=DRhu user=mail:mail argv=/usr/libexec/dovecot/deliver -d ${recipient}

Создадим дополнительные конфигурационные файлы с данными для подключения к SQL-таблицам с данными о наших доменах и пользователях:

$ mkdir /etc/postfix/sql
 
$ nano -w /etc/postfix/sql/virtual_alias_maps.cf
hosts           = localhost
dbname          = %VMailDB%
user            = %VMailUser%
password        = %VMailPassWord%
table           = alias
select_field    = goto
where_field     = address
additional_conditions = AND active = '1'
 
$ nano -w /etc/postfix/sql/virtual_domains_maps.cf
hosts           = localhost
dbname          = %VMailDB%
user            = %VMailUser%
password        = %VMailPassWord%
table           = domain
select_field    = description
where_field     = domain
additional_conditions = AND backupmx = '0' AND active = '1'
 
$ nano -w /etc/postfix/sql/virtual_mailbox_maps.cf
hosts           = localhost
dbname          = %VMailDB%
user            = %VMailUser%
password        = %VMailPassWord%
table           = mailbox
select_field    = maildir
where_field     = username
additional_conditions = AND active = '1'
 
$ nano -w /etc/postfix/sql/virtual_mailbox_limit_maps.cf
hosts           = localhost
dbname          = %VMailDB%
user            = %VMailUser%
password        = %VMailPassWord%
table           = mailbox
select_field    = quota
where_field     = username
additional_conditions = AND active = '1'
 
$ nano -w /etc/postfix/sql/relay_domains.cf
hosts           = localhost
dbname          = %VMailDB%
user            = %VMailUser%
password        = %VMailPassWord%
table           = domain
select_field    = domain
where_field     = domain
additional_conditions = AND backupmx = '1' AND active = '1'
 
$ nano -w /etc/postfix/sql/relay_recipient_maps.cf
hosts           = localhost
dbname          = %VMailDB%
user            = %VMailUser%
password        = %VMailPassWord%
table           = alias
select_field    = goto
where_field     = address
additional_conditions = AND active = '1'
 
$ nano -w /etc/postfix/sql/transport_maps.cf
hosts           = localhost
dbname          = %VMailDB%
user            = %VMailUser%
password        = %VMailPassWord%
table           = domain
select_field    = transport
where_field     = domain
additional_conditions = AND active = '1'
 
$ chown root:postfix /etc/postfix/sql/ -R
$ chcon -u system_u /etc/postfix/sql -R
$ chmod 0640 /etc/postfix/sql/*.cf
$ chmod 0750 /etc/postfix/sql/
$ newaliases

$ mkdir /etc/postfix/sql

$ nano -w /etc/postfix/sql/virtual_alias_maps.cf

hosts = localhost

dbname = %VMailDB%

user = %VMailUser%

password = %VMailPassWord%

table = alias

select_field = goto

where_field = address

additional_conditions = AND active = '1'

$ nano -w /etc/postfix/sql/virtual_domains_maps.cf

hosts = localhost

dbname = %VMailDB%

user = %VMailUser%

password = %VMailPassWord%

table = domain

select_field = description

where_field = domain

additional_conditions = AND backupmx = '0' AND active = '1'

$ nano -w /etc/postfix/sql/virtual_mailbox_maps.cf

hosts = localhost

dbname = %VMailDB%

user = %VMailUser%

password = %VMailPassWord%

table = mailbox

select_field = maildir

where_field = username

additional_conditions = AND active = '1'

$ nano -w /etc/postfix/sql/virtual_mailbox_limit_maps.cf

hosts = localhost

dbname = %VMailDB%

user = %VMailUser%

password = %VMailPassWord%

table = mailbox

select_field = quota

where_field = username

additional_conditions = AND active = '1'

$ nano -w /etc/postfix/sql/relay_domains.cf

hosts = localhost

dbname = %VMailDB%

user = %VMailUser%

password = %VMailPassWord%

table = domain

select_field = domain

where_field = domain

additional_conditions = AND backupmx = '1' AND active = '1'

$ nano -w /etc/postfix/sql/relay_recipient_maps.cf

hosts = localhost

dbname = %VMailDB%

user = %VMailUser%

password = %VMailPassWord%

table = alias

select_field = goto

where_field = address

additional_conditions = AND active = '1'

$ nano -w /etc/postfix/sql/transport_maps.cf

hosts = localhost

dbname = %VMailDB%

user = %VMailUser%

password = %VMailPassWord%

table = domain

select_field = transport

where_field = domain

additional_conditions = AND active = '1'

$ chown root:postfix /etc/postfix/sql/ -R

$ chcon -u system_u /etc/postfix/sql -R

$ chmod 0640 /etc/postfix/sql/*.cf

$ chmod 0750 /etc/postfix/sql/

$ newaliases

Postfix настроен, но запускать его не будем, пока не настроим dovecot.

Установка dovecot

Установим сервер dovecot и сопутствующие плагины для работы с базой MySQL и для работы с Sieve-фильтрами:

$ yum -y install dovecot dovecot-mysql dovecot-pigeonhole
 
$ nano -w /etc/dovecot/dovecot.conf
protocols = imap
 
$ nano -w /etc/dovecot/conf.d/10-auth.conf
#!include auth-system.conf.ext
!include auth-sql.conf.ext
 
$ nano -w /etc/dovecot/conf.d/10-mail.conf
mail_location = maildir:/var/spool/mail/%d/%n
mail_privileged_group = mail
mail_access_groups = mail
mmap_disable = yes
first_valid_uid = 8
first_valid_gid = 12
 
$ nano -w /etc/dovecot/conf.d/10-master.conf
service auth {
  unix_listener auth-userdb {
    mode = 0600
    user = mail
    group = mail
  }
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
 
$ nano -w /etc/dovecot/conf.d/10-ssl.conf
ssl = yes
ssl_cert = </etc/pki/tls/certs/mail.example.com.crt
ssl_key = </etc/pki/tls/private/mail.example.com.key
ssl_ca = </etc/pki/tls/certs/sub.class2.server.ca.pem
ssl_protocols = !SSLv2 !SSLv3
 
$ nano -w /etc/dovecot/conf.d/15-lda.conf
postmaster_address = postmaster@example.com
hostname = mail.example.com
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
protocol lda {
  mail_plugins = sieve
}
 
$ nano -w /etc/dovecot/conf.d/20-managesieve.conf
protocols = $protocols sieve
 
$ nano -w /etc/dovecot/conf.d/90-sieve.conf
plugin {
  sieve = /var/spool/mail/%Ld/%Ln.sieve/.dovecot.sieve
  sieve_dir = /var/spool/mail/%Ld/%Ln.sieve/
  sieve_extensions = +notify +imapflags
}
 
$ nano -w /etc/dovecot/dovecot-sql.conf.ext
driver = mysql
connect = host=localhost dbname=%VMailDB% user=%VMailUser% password=%VMailPassWord%
user_query = \
  SELECT CONCAT("/var/spool/mail/", domain) AS home, 8 AS uid, 12 AS gid, \
    'maildir:/var/spool/mail/%d/%n' AS mail, CONCAT("dirsize:storage=", quota) AS quota \
  FROM mailbox WHERE username = '%u' AND active = '1'
password_query = \
  SELECT username AS user, password, \
    CONCAT("/var/spool/mail/", domain) AS userdb_home, 8 AS userdb_uid, 12 AS userdb_gid \
  FROM mailbox WHERE username = '%u' AND active='1'
iterate_query = SELECT username AS user FROM mailbox WHERE active='1'
$ chcon -u system_u /etc/dovecot/dovecot-sql.conf.ext
$ chmod 0600 /etc/dovecot/dovecot-sql.conf.ext

$ yum -y install dovecot dovecot-mysql dovecot-pigeonhole

$ nano -w /etc/dovecot/dovecot.conf

protocols = imap

$ nano -w /etc/dovecot/conf.d/10-auth.conf

#!include auth-system.conf.ext

!include auth-sql.conf.ext

$ nano -w /etc/dovecot/conf.d/10-mail.conf

mail_location = maildir:/var/spool/mail/%d/%n

mail_privileged_group = mail

mail_access_groups = mail

mmap_disable = yes

first_valid_uid = 8

first_valid_gid = 12

$ nano -w /etc/dovecot/conf.d/10-master.conf

service auth {

unix_listener auth-userdb {

mode = 0600

user = mail

group = mail

}

unix_listener /var/spool/postfix/private/auth {

mode = 0660

user = postfix

group = postfix

}

$ nano -w /etc/dovecot/conf.d/10-ssl.conf

ssl = yes

ssl_cert = </etc/pki/tls/certs/mail.example.com.crt

ssl_key = </etc/pki/tls/private/mail.example.com.key

ssl_ca = </etc/pki/tls/certs/sub.class2.server.ca.pem

ssl_protocols = !SSLv2 !SSLv3

$ nano -w /etc/dovecot/conf.d/15-lda.conf

postmaster_address = postmaster@example.com

hostname = mail.example.com

lda_mailbox_autocreate = yes

lda_mailbox_autosubscribe = yes

protocol lda {

mail_plugins = sieve

}

$ nano -w /etc/dovecot/conf.d/20-managesieve.conf

protocols = $protocols sieve

$ nano -w /etc/dovecot/conf.d/90-sieve.conf

plugin {

sieve = /var/spool/mail/%Ld/%Ln.sieve/.dovecot.sieve

sieve_dir = /var/spool/mail/%Ld/%Ln.sieve/

sieve_extensions = +notify +imapflags

}

$ nano -w /etc/dovecot/dovecot-sql.conf.ext

driver = mysql

connect = host=localhost dbname=%VMailDB% user=%VMailUser% password=%VMailPassWord%

user_query = \

SELECT CONCAT("/var/spool/mail/", domain) AS home, 8 AS uid, 12 AS gid, \

'maildir:/var/spool/mail/%d/%n' AS mail, CONCAT("dirsize:storage=", quota) AS quota \

FROM mailbox WHERE username = '%u' AND active = '1'

password_query = \

SELECT username AS user, password, \

CONCAT("/var/spool/mail/", domain) AS userdb_home, 8 AS userdb_uid, 12 AS userdb_gid \

FROM mailbox WHERE username = '%u' AND active='1'

iterate_query = SELECT username AS user FROM mailbox WHERE active='1'

$ chcon -u system_u /etc/dovecot/dovecot-sql.conf.ext

$ chmod 0600 /etc/dovecot/dovecot-sql.conf.ext

Запуск сервисов

Запустим dovecot и postfix и добавим их в автозагрузку:

$ systemctl enable dovecot
$ systemctl start dovecot
$ systemctl status dovecot
dovecot.service - Dovecot IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled)
   Active: active (running) since Wed 2014-11-26 15:58:44 MSK; 3min 41s ago
 Main PID: 20380 (dovecot)
   CGroup: /system.slice/dovecot.service
           ├─20380 /usr/sbin/dovecot -F
           ├─20384 dovecot/anvil
           ├─20385 dovecot/log
           └─20387 dovecot/config
 
Nov 26 15:58:44 example.com systemd[1]: Started Dovecot IMAP/POP3 email server.
Nov 26 15:58:44 example.com dovecot[20380]: master: Dovecot v2.2.10 starting up for imap, sieve (core dumps disabled)
 
$ systemctl enable postfix
$ systemctl restart postfix
$ systemctl status postfix
postfix.service - Postfix Mail Transport Agent
   Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled)
   Active: active (running) since Wed 2014-11-26 16:01:53 MSK; 1s ago
  Process: 20542 ExecStop=/usr/sbin/postfix stop (code=exited, status=0/SUCCESS)
  Process: 20558 ExecStart=/usr/sbin/postfix start (code=exited, status=0/SUCCESS)
  Process: 20555 ExecStartPre=/usr/libexec/postfix/chroot-update (code=exited, status=0/SUCCESS)
  Process: 20552 ExecStartPre=/usr/libexec/postfix/aliasesdb (code=exited, status=0/SUCCESS)
 Main PID: 20630 (master)
   CGroup: /system.slice/postfix.service
           ├─20630 /usr/libexec/postfix/master -w
           ├─20631 pickup -l -t unix -u
           ├─20632 qmgr -l -t unix -u
           └─20633 proxymap -t unix -u
 
Nov 26 16:01:52 example.com systemd[1]: Starting Postfix Mail Transport Agent...
Nov 26 16:01:53 example.com postfix/postfix-script[20628]: starting the Postfix mail system
Nov 26 16:01:53 example.com postfix/master[20630]: daemon started -- version 2.10.1, configuration /etc/postfix
Nov 26 16:01:53 example.com systemd[1]: Started Postfix Mail Transport Agent.

$ systemctl enable dovecot

$ systemctl start dovecot

$ systemctl status dovecot

dovecot.service - Dovecot IMAP/POP3 email server

Loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled)

Active: active (running) since Wed 2014-11-26 15:58:44 MSK; 3min 41s ago

Main PID: 20380 (dovecot)

CGroup: /system.slice/dovecot.service

├─20380 /usr/sbin/dovecot -F

├─20384 dovecot/anvil

├─20385 dovecot/log

└─20387 dovecot/config

Nov 26 15:58:44 example.com systemd[1]: Started Dovecot IMAP/POP3 email server.

Nov 26 15:58:44 example.com dovecot[20380]: master: Dovecot v2.2.10 starting up for imap, sieve (core dumps disabled)

$ systemctl enable postfix

$ systemctl restart postfix

$ systemctl status postfix

postfix.service - Postfix Mail Transport Agent

Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled)

Active: active (running) since Wed 2014-11-26 16:01:53 MSK; 1s ago

Process: 20542 ExecStop=/usr/sbin/postfix stop (code=exited, status=0/SUCCESS)

Process: 20558 ExecStart=/usr/sbin/postfix start (code=exited, status=0/SUCCESS)

Process: 20555 ExecStartPre=/usr/libexec/postfix/chroot-update (code=exited, status=0/SUCCESS)

Process: 20552 ExecStartPre=/usr/libexec/postfix/aliasesdb (code=exited, status=0/SUCCESS)

Main PID: 20630 (master)

CGroup: /system.slice/postfix.service

├─20630 /usr/libexec/postfix/master -w

├─20631 pickup -l -t unix -u

├─20632 qmgr -l -t unix -u

└─20633 proxymap -t unix -u

Nov 26 16:01:52 example.com systemd[1]: Starting Postfix Mail Transport Agent...

Nov 26 16:01:53 example.com postfix/postfix-script[20628]: starting the Postfix mail system

Nov 26 16:01:53 example.com postfix/master[20630]: daemon started -- version 2.10.1, configuration /etc/postfix

Nov 26 16:01:53 example.com systemd[1]: Started Postfix Mail Transport Agent.

Проверка работоспособности SMTP

Теперь проверим, принимает ли postfix почту для нашего домена:

$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.example.com ESMTP Postfix
EHLO localhost
250-mail.example.com
250-PIPELINING
250-SIZE 104857600
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM: wakko@example.org
250 2.1.0 Ok
RCPT TO: admin@example.com
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Hi, Admin!
 
It's only test and nothing else.
.
250 2.0.0 Ok: queued as 43A7A209ED22
QUIT
221 2.0.0 Bye
Connection closed by foreign host.

$ telnet localhost 25

Trying 127.0.0.1...

Connected to localhost.

Escape character is '^]'.

220 mail.example.com ESMTP Postfix

EHLO localhost

250-mail.example.com

250-PIPELINING

250-SIZE 104857600

250-ETRN

250-STARTTLS

250-ENHANCEDSTATUSCODES

250-8BITMIME

250 DSN

MAIL FROM: wakko@example.org

250 2.1.0 Ok

RCPT TO: admin@example.com

250 2.1.5 Ok

DATA

354 End data with <CR><LF>.<CR><LF>

Hi, Admin!

It's only test and nothing else.

250 2.0.0 Ok: queued as 43A7A209ED22

QUIT

221 2.0.0 Bye

Connection closed by foreign host.

А таким образом проверим подключение через TLS и авторизацию:

$ echo -ne "\0test@example.com\0testpassword" | base64
AHRlc3RAZXhhbXBsZS5jb20AdGVzdHBhc3N3b3Jk
$ openssl s_client -starttls smtp -connect localhost:25 -crlf -ign_eof
CONNECTED(00000003)
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
verify return:1
depth=0 C = RU, CN = mail.example.com, emailAddress = hostmaster@example.com
verify return:1
---
Certificate chain
 0 s:/C=RU/CN=mail.example.com/emailAddress=hostmaster@example.com
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=RU/CN=mail.example.com/emailAddress=hostmaster@example.com
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 2450 bytes and written 410 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: ...
    Session-ID-ctx:
    Master-Key: ...
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 3600 (seconds)
    TLS session ticket:
    0000 - ...
 
    Start Time: 1417022108
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
250 DSN
EHLO localhost
250-mail.example.com
250-PIPELINING
250-SIZE 104857600
250-ETRN
250-AUTH PLAIN
250-AUTH=PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN AHRlc3RAZXhhbXBsZS5jb20AdGVzdHBhc3N3b3Jk
235 2.7.0 Authentication successful
MAIL FROM: test@example.com
250 2.1.0 Ok
RCPT TO: test@example.org
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
It's only test message.
.
250 2.0.0 Ok: queued as 8078F20A8F43
QUIT
221 2.0.0 Bye
closed

$ echo -ne "\0test@example.com\0testpassword" | base64

AHRlc3RAZXhhbXBsZS5jb20AdGVzdHBhc3N3b3Jk

$ openssl s_client -starttls smtp -connect localhost:25 -crlf -ign_eof

CONNECTED(00000003)

depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority

verify return:1

depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA

verify return:1

depth=0 C = RU, CN = mail.example.com, emailAddress = hostmaster@example.com

verify return:1

---

Certificate chain

0 s:/C=RU/CN=mail.example.com/emailAddress=hostmaster@example.com

i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA

---

Server certificate

-----BEGIN CERTIFICATE-----

...

-----END CERTIFICATE-----

subject=/C=RU/CN=mail.example.com/emailAddress=hostmaster@example.com

issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA

---

No client certificate CA names sent

Server Temp Key: ECDH, prime256v1, 256 bits

---

SSL handshake has read 2450 bytes and written 410 bytes

---

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

SSL-Session:

Protocol : TLSv1.2

Cipher : ECDHE-RSA-AES256-GCM-SHA384

Session-ID: ...

Session-ID-ctx:

Master-Key: ...

Key-Arg : None

Krb5 Principal: None

PSK identity: None

PSK identity hint: None

TLS session ticket lifetime hint: 3600 (seconds)

TLS session ticket:

0000 - ...

Start Time: 1417022108

Timeout : 300 (sec)

Verify return code: 0 (ok)

---

250 DSN

EHLO localhost

250-mail.example.com

250-PIPELINING

250-SIZE 104857600

250-ETRN

250-AUTH PLAIN

250-AUTH=PLAIN

250-ENHANCEDSTATUSCODES

250-8BITMIME

250 DSN

AUTH PLAIN AHRlc3RAZXhhbXBsZS5jb20AdGVzdHBhc3N3b3Jk

235 2.7.0 Authentication successful

MAIL FROM: test@example.com

250 2.1.0 Ok

RCPT TO: test@example.org

250 2.1.5 Ok

DATA

354 End data with <CR><LF>.<CR><LF>

It's only test message.

250 2.0.0 Ok: queued as 8078F20A8F43

QUIT

221 2.0.0 Bye

closed

Настройка firewall

Проверив что postfix функционирует и готов к принятию почты – открываем его во внешний мир:

$ firewall-cmd --permanent --zone=public --add-service=smtp
$ firewall-cmd --permanent --zone=public --add-service=imaps
$ firewall-cmd --permanent --zone=public --add-port=465/tcp
$ firewall-cmd --permanent --zone=public --add-port=4190/tcp
$ firewall-cmd --reload

$ firewall-cmd --permanent --zone=public --add-service=smtp

$ firewall-cmd --permanent --zone=public --add-service=imaps

$ firewall-cmd --permanent --zone=public --add-port=465/tcp

$ firewall-cmd --permanent --zone=public --add-port=4190/tcp

$ firewall-cmd --reload

Настройка FetchMail

Прежде всего установим необходимые пакеты:

$ yum -y install fetchmail perl-LockFile-Simple perl-Sys-Syslog

1	$ yum -y install fetchmail perl-LockFile-Simple perl-Sys-Syslog

Теперь создадим конфигурационный файл для fetchmail:

$ nano -w /etc/postfixadmin/fetchmail.conf
$db_type = "mysql";
$db_host="localhost";
$db_name="%VMailDB%";
$db_username="%VMailUser%";
$db_password="%VMailPassWord%";
 
$ chcon -u system_u /etc/postfixadmin/fetchmail.conf
$ chown root:postfix /etc/postfixadmin/fetchmail.conf
$ chmod 0640 /etc/postfixadmin/fetchmail.conf

$ nano -w /etc/postfixadmin/fetchmail.conf

$db_type = "mysql";

$db_host="localhost";

$db_name="%VMailDB%";

$db_username="%VMailUser%";

$db_password="%VMailPassWord%";

$ chcon -u system_u /etc/postfixadmin/fetchmail.conf

$ chown root:postfix /etc/postfixadmin/fetchmail.conf

$ chmod 0640 /etc/postfixadmin/fetchmail.conf

Затем подготовим скрипт, который будет запускаться сервисом cron в определённое время и забирать для нас почту:

$ cp /usr/share/doc/postfixadmin-*/ADDITIONS/fetchmail.pl /usr/libexec/postfix/
$ chmod 0755 /usr/libexec/postfix/fetchmail.pl
$ sed -i 's/\/etc\/mail\/postfixadmin/\/etc\/postfixadmin/g' /usr/libexec/postfix/fetchmail.pl
$ sed -i 's/-f \$filename -i/-s -f \$filename --pidfile/g' /usr/libexec/postfix/fetchmail.pl
$ nano -w /usr/libexec/postfix/fetchmail.pl
        $mda =~ s/\${mailbox}/${mailbox}/;
#       syslog("info","fetch ${src_user}@${src_server} for ${mailbox}");
 
$ chcon -u system_u /usr/libexec/postfix/fetchmail.pl
$ mkdir /var/run/fetchmail
$ chcon -u system_u /var/run/fetchmail
$ chown postfix:mail /var/run/fetchmail
$ chmod 0775 /var/run/fetchmail

$ cp /usr/share/doc/postfixadmin-*/ADDITIONS/fetchmail.pl /usr/libexec/postfix/

$ chmod 0755 /usr/libexec/postfix/fetchmail.pl

$ sed -i 's/\/etc\/mail\/postfixadmin/\/etc\/postfixadmin/g' /usr/libexec/postfix/fetchmail.pl

$ sed -i 's/-f \$filename -i/-s -f \$filename --pidfile/g' /usr/libexec/postfix/fetchmail.pl

$ nano -w /usr/libexec/postfix/fetchmail.pl

$mda =~ s/\${mailbox}/${mailbox}/;

# syslog("info","fetch ${src_user}@${src_server} for ${mailbox}");

$ chcon -u system_u /usr/libexec/postfix/fetchmail.pl

$ mkdir /var/run/fetchmail

$ chcon -u system_u /var/run/fetchmail

$ chown postfix:mail /var/run/fetchmail

$ chmod 0775 /var/run/fetchmail

Добавим выполнение этого скрипта в cron:

$ crontab -u postfix -e
MAILTO=root
*/1 * * * *     /usr/libexec/postfix/fetchmail.pl

$ crontab -u postfix -e

MAILTO=root

*/1 * * * * /usr/libexec/postfix/fetchmail.pl

Теперь нам необходимо залогиниться в наш PostfixAdmin и прописать почтовые учётные записи, с которых будет собираться почта. Для этого откроем веб-интерфейс PostfixAdmin и выберем в меню «Fetch Email» пункт «New Entry». Выбираем Mailbox, куда будет складываться почта, вводим имя удалённого сервера, имя пользователя и пароль, так же выбираем протокол по которому будет забираться почта (IMAP/POP3). Если на той стороне IMAP-сервер с несколькими папками, то для каждой папки нужно будет создать отдельную запись для сбора почты, и в каждой записи в поле «Folder» – указать свою папку. Если сбор почты осуществляется используя SSL-шифрование, то необходимо отметить галочкой пункт «SSL active», так же желательно заполнить поле «SSL fingerpring (md5)», для того чтобы Fetchmail не ругался на SSL-сертификат. После этого сохраняем запись нажав на кнопку «Save Changes».
А для получения fingerprint нужно выполнить следующую команду:

$ echo "QUIT" | openssl s_client -connect mail.example.org:993 -showcerts | sed -ne '/BEGIN/,/END/p' >/tmp/temp.crt
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
verify return:1
depth=0 description = 907535-Ri93n22WJHt0psNK, CN = mail.example.org, emailAddress = postmaster@example.org
verify return:1
notAfter=Oct 13 05:50:16 2015 GMT
verify return:1
depth=0 description = 907535-Ri93n22WJHt0psNK, CN = mail.example.org, emailAddress = postmaster@example.org
notAfter=Oct 13 05:50:16 2015 GMT
verify return:1
DONE
$ openssl x509 -in /tmp/temp.crt -fingerprint -noout -md5 | sed "s/MD5 Fingerprint=//"
4F:80:51:CD:B5:1C:6A:37:74:3A:46:4B:E1:02:A7:BC
$ rm -f /tmp/temp.crt

$ echo "QUIT" | openssl s_client -connect mail.example.org:993 -showcerts | sed -ne '/BEGIN/,/END/p' >/tmp/temp.crt

depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority

verify return:1

depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA

verify return:1

depth=0 description = 907535-Ri93n22WJHt0psNK, CN = mail.example.org, emailAddress = postmaster@example.org

verify return:1

notAfter=Oct 13 05:50:16 2015 GMT

verify return:1

depth=0 description = 907535-Ri93n22WJHt0psNK, CN = mail.example.org, emailAddress = postmaster@example.org

notAfter=Oct 13 05:50:16 2015 GMT

verify return:1

DONE

$ openssl x509 -in /tmp/temp.crt -fingerprint -noout -md5 | sed "s/MD5 Fingerprint=//"

4F:80:51:CD:B5:1C:6A:37:74:3A:46:4B:E1:02:A7:BC

$ rm -f /tmp/temp.crt

Метки: dovecot, postfix

Опубликовано 26.03.2017 от evgeniyalf в категории "Linux