documents/mail-doc/mail搭建公司邮箱/公司邮箱搭建.md
root c36b8e25f2 Add configuration to prevent SYN flood attacks
Modified:      mail搭建公司邮箱/公司邮箱搭建.md
Signed-off-by: root <root@localhost.fisher>
2018-11-26 14:28:01 +08:00

1 Purpose

Replace the old server with a new one. The new server must provide the following:

1.1 Set up a DNS server

  1. Name resolution for the company's web sites

1.2 TLS for the company web sites

  1. Serve the company web sites over SSL/TLS

1.3 Functions of the mail server

  1. Send and receive mail

  2. Spam filtering and virus scanning

  3. Webmail

  4. Per-user mailbox quotas, attachment size limits and self-service password changes

  5. Web-based management of mail users

2 Mail, DNS and web server

2.1 Install the operating system

Download the Debian 8.8.0 installation image

wget http://ftp.cae.tntech.edu/debian-cd/dvd/debian-8.8.0-amd64-DVD-1.iso

The image is fetched from a plain-HTTP mirror. Verify it against the SHA256SUMS and SHA256SUMS.sign files that Debian publishes next to every image (sha256sum -c SHA256SUMS, gpg --verify SHA256SUMS.sign) before installing from it.

2.1.1 Partition layout

/		50G
swap	15G
/var	1T

2.1.2 Network plan

Hostname: mail.linx-info.com
User: rocky	Password: rocky
eth1: inet 172.17.201.8/16 brd 172.17.255.255
eth3: inet 172.31.255.3/24 brd 172.31.255.255

The install-time account above and the database passwords used later in this document are recorded in clear text and reused across services; change them once the migration is finished.

2.2 Software used

2.2.1 Packages installed from the package repositories

  1. DNS: bind9
named -v
BIND 9.9.5-9+deb8u15-Debian (Extended Support Version)
  2. Web: nginx and php
nginx -v
nginx version: nginx/1.12.2

php7.0 -v
PHP 7.0.27-1~dotdeb+8.1 (cli) ( NTS )
  3. Database: mysql
mysqld --version
mysqld  Ver 5.5.59-0+deb8u1 for debian-linux-gnu on x86_64 ((Debian))
  4. Mail: postfix and dovecot
postconf -d | grep mail_version
mail_version = 2.11.3
milter_macro_v = $mail_name $mail_version

dovecot --version
2.2.13
  5. Spam filtering: spamassassin
spamassassin --version
SpamAssassin version 3.4.0
  running on Perl version 5.20.2
  6. Virus scanning: clamav
freshclam --version
ClamAV 0.99.3/24373/Thu Mar  8 09:11:49 2018

2.2.2 Software downloaded from the projects' web sites

  1. Mail server administration: postfixadmin
http://nchc.dl.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin-3.0/postfixadmin-3.0.tar.gz
postfixadmin-3.0
  2. Webmail: roundcube
https://github.com/roundcube/roundcubemail/releases/download/1.3.3/roundcubemail-1.3.3-complete.tar.gz
roundcubemail-1.3.3

Neither archive is verified by the package manager; compare each one with the checksum or signature the project publishes for that release before unpacking it.

3 Network and package-source configuration on the new server

The operating system is Debian 8.8.0

3.1 Network configuration

vi /etc/network/interfaces

source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback
auto eth3
iface eth3 inet static
        address 172.31.255.3
        netmask 255.255.255.0
auto eth1
iface eth1 inet static
        address 172.17.201.8
        netmask 255.255.0.0
        gateway 172.17.0.254

Restart networking

/etc/init.d/networking restart

3.2 Change the package sources and refresh the package list

3.2.1 Edit the package sources

Replace the contents of /etc/apt/sources.list with the following

deb http://mirrors.163.com/debian/ jessie main non-free contrib
deb http://mirrors.163.com/debian/ jessie-updates main non-free contrib
deb http://mirrors.163.com/debian/ jessie-backports main non-free contrib
deb-src http://mirrors.163.com/debian/ jessie main non-free contrib
deb-src http://mirrors.163.com/debian/ jessie-updates main non-free contrib
deb-src http://mirrors.163.com/debian/ jessie-backports main non-free contrib
deb http://mirrors.163.com/debian-security/ jessie/updates main non-free contrib
deb-src http://mirrors.163.com/debian-security/ jessie/updates main non-free contrib
deb http://packages.dotdeb.org jessie all
deb-src http://packages.dotdeb.org jessie all

3.3 Refresh the package list and upgrade the system

aptitude update

If this fails with "the following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9AA38DCD55BE302B", import the missing key in one of two ways:

Option 1:
gpg --keyserver pgpkeys.mit.edu --recv-key 9AA38DCD55BE302B
gpg -a --export  9AA38DCD55BE302B | sudo apt-key add -
Option 2:
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 9D6D8F6BC857C906

A key imported with apt-key becomes a trusted signer for every repository on the host, and a keyserver hands back whatever key carries the requested ID. Before importing, compare the full fingerprint (gpg --fingerprint <keyid>) with the one the repository owner publishes. The third-party dotdeb repository added above extends the same trust to its maintainers, which is a supply-chain decision worth recording.

aptitude update

aptitude upgrade

4 Install and configure the DNS service

bind9 must resolve the company's web sites, reproduce every zone the old machine served, and take over the rd.in.linx zone

4.1 Install bind9

aptitude install bind9 -y

4.2 Edit the bind9 configuration

4.2.1 Restore the bind9 configuration and zone files

Copy the zone files and the bind9 service configuration from the old machine into the corresponding paths

tar xf bind-cfg.tar.gz
cp etc/bind/* /etc/bind
cp var/cache/bind/* /var/cache/bind

While doing so, review /etc/bind/named.conf.options in the copied configuration: this server answers on 172.17.201.8, so allow-recursion and allow-transfer should be restricted to the internal networks rather than left at their defaults.

4.2.2 Add the rd.in.linx zone to the configuration

Append the following to /etc/bind/named.conf.local

zone "rd.in.linx" IN{
	type master;
	file "rd.in.linx.zone";
};

4.2.3 Create the rd.in.linx.zone zone file

Create /var/cache/bind/rd.in.linx.zone

$ORIGIN  rd.in.linx.
; rd.in.linx forward zone, migrated from the old server.
; Increase the serial on every change, or secondaries will not pick the change up.
;
$TTL    86400
@       IN      SOA     rd.in.linx. root.rd.in.linx. (
						1				; Serial
						604800			; Refresh
						86400			; Retry
						2419200         ; Expire
						86400 )			; Negative Cache TTL
;
@       IN      NS      rd.in.linx.
rd.in.linx.     IN A 172.31.255.3
dns             IN A 172.31.255.3
cloud           IN A 172.31.255.3
;gitlab         IN      A       172.17.150.10
;gitlab         IN      A       172.16.6.190
gitlab          IN      A       172.17.201.11
gitlab-rd2              IN      A       172.16.0.248
gitlab-mirrorcd         IN      A       172.16.0.249
gitlab-ci       IN      A       172.17.150.10
ibarn           IN      A       172.17.150.30
;erp            IN      A       172.17.150.20
erp             IN      A       172.17.201.9
gitlab-runner1  IN      A       172.17.150.31
gitlab-runner2  IN      A       172.17.150.32
gitlab-runner3  IN      A       172.17.150.33
gitlab-runner4  IN      A       172.17.150.34
gitlab-runner5  IN      A       172.17.150.35
wanna-build     IN      A       172.17.150.39
buildd          IN      A       172.17.150.40
bz              IN      A       172.17.0.251 ;dev2 bugzilla
ftp             IN      A       172.17.234.234 ;dev1 bugzilla
bugzilla        IN      A       172.16.0.4 ;dev1 bugzilla
rd-server       IN      A       172.16.0.4 ;dev1 rd-server
gitweb          IN      A       172.16.0.4 ;dev1 gitweb-server
cgit            IN      A       172.16.0.4 ;dev1 cgit-server
trac            IN      A       172.16.0.4 ;dev1 trac-server
testlink        IN      A       172.16.0.4 ;dev1 testlink-server
blog            IN      A       172.16.0.4 ;dev1 blog
ntp1            IN      A       172.31.255.8 ;ntp1
ntp2            IN      A       172.31.255.9 ;ntp2
tslog           IN      A       172.16.0.234 ;tslog.rd.in.linx
mirrors         IN      A       172.16.0.234 ;mirror.rd.in.linx
isoimage        IN      A       172.16.0.234 ;isoimage.rd.in.linx
gitblog         IN      A       172.17.150.22
qa              IN      A       172.17.150.22
oduser-doc              IN      A       172.17.150.22
oddev-doc               IN      A       172.17.150.22
search          IN      A       172.17.150.21
www             IN      A       172.17.150.21
42.builder      IN      A       172.16.0.250 ;4.2.builder
proxy           IN      A       172.16.0.250
pic             IN      A       172.17.150.17; pictures of linx
autotest        IN      A       172.19.135.254
linx-info       IN      A       172.31.255.3
exam            IN      A       172.17.150.24
yy              IN      A       172.16.3.17
  1. Point the resolver at the new server

vi /etc/resolv.conf

nameserver 172.17.201.8
  2. Check the configuration, restart bind9 and look at its status

Before restarting, validate the configuration and the new zone; both tools ship with bind9 and report the syntax errors that would otherwise only show up in the service log:

named-checkconf
named-checkzone rd.in.linx /var/cache/bind/rd.in.linx.zone

Then restart the service and check its status to confirm it came up without configuration errors

/etc/init.d/bind9 restart
/etc/init.d/bind9 status

bind9 started correctly if the status looks like this

● bind9.service - BIND Domain Name Server
	Loaded: loaded (/lib/systemd/system/bind9.service; enabled)
  Drop-In: /run/systemd/generator/bind9.service.d
			└─50-insserv.conf-$named.conf
	Active: active (running) since 四 2018-03-15 11:37:59 CST; 2min 3s ago
		Docs: man:named(8)
Main PID: 471 (named)
	CGroup: /system.slice/bind9.service
			└─471 /usr/sbin/named -f -u bind
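Before handing the migrated zone to named-checkzone, it helps to lint it for the things a syntax check does not catch. The following Python script is an added example, not part of this document or of BIND: it parses a constructed excerpt of the rd.in.linx zone above (handling $ORIGIN, $TTL, '@', relative names and the multi-line SOA), then flags a serial that is not in YYYYMMDDnn form, an in-zone NS without a glue A record, and any A record outside the RFC 1918 ranges, which an internal zone should not publish. The record-type list, the sample data and the RFC 1918 policy are assumptions of the example.

```python
import ipaddress
import re

# Constructed excerpt of the rd.in.linx zone shown above; test input for this
# example, not the full zone file from the page.
SAMPLE_ZONE = """\
$ORIGIN  rd.in.linx.
$TTL    86400
@       IN      SOA     rd.in.linx. root.rd.in.linx. (
                        1               ; Serial
                        604800          ; Refresh
                        86400           ; Retry
                        2419200         ; Expire
                        86400 )         ; Negative Cache TTL
;
@       IN      NS      rd.in.linx.
rd.in.linx.     IN A 172.31.255.3
dns             IN A 172.31.255.3
;gitlab         IN      A       172.17.150.10
gitlab          IN      A       172.17.201.11
bz              IN      A       172.17.0.251 ;dev2 bugzilla
42.builder      IN      A       172.16.0.250 ;4.2.builder
www             IN      A       172.17.150.21
"""

RRTYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "MX", "TXT", "PTR", "SRV"}
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _logical_lines(text):
    """Strip ';' comments and join parenthesised multi-line records (the SOA)."""
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            out.append(" ".join(buf))  # the first line's leading whitespace is kept
            buf = []
    return out


def _fqdn(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Parse master-file text into (owner, ttl, type, rdata) tuples.

    Handles $ORIGIN, $TTL, '@', relative names, an omitted owner (inherits the
    previous one) and the optional TTL and class fields.
    """
    records, origin, default_ttl, last_owner = [], None, None, None
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        owner = last_owner if line[0].isspace() else _fqdn(tokens.pop(0), origin)
        last_owner = owner
        ttl = default_ttl
        if tokens and tokens[0].isdigit():
            ttl = int(tokens.pop(0))
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        if rtype not in RRTYPES:
            raise ValueError(f"{owner}: unknown record type {rtype!r}")
        records.append((owner, ttl, rtype, tokens))
    return records


def lint_zone(records):
    """Return problems worth fixing before loading an internal zone into BIND."""
    issues = []
    apex = next(o for o, _, t, _ in records if t == "SOA")
    a_owners = {o for o, _, t, _ in records if t == "A"}
    for owner, _, rtype, rdata in records:
        if rtype == "SOA" and not re.fullmatch(r"\d{10}", rdata[2]):
            issues.append(f"{owner}: SOA serial {rdata[2]} is not YYYYMMDDnn; "
                          "secondaries only transfer the zone when it increases")
        elif rtype == "NS":
            target = _fqdn(rdata[0], apex)
            if target.endswith(apex) and target not in a_owners:
                issues.append(f"{owner}: NS {target} is in-zone but has no A record (no glue)")
        elif rtype == "A":
            addr = ipaddress.ip_address(rdata[0])
            if not any(addr in net for net in PRIVATE_NETS):
                issues.append(f"{owner}: A {addr} is outside the RFC 1918 ranges; "
                              "an internal zone should not publish it")
    return issues


if __name__ == "__main__":
    for issue in lint_zone(parse_zone(SAMPLE_ZONE)):
        print(issue)
```

Run against the excerpt it reports only the serial of 1; append a record such as ext IN A 8.8.8.8 and it flags the public address as well. named-checkzone remains the authority on syntax; this catches policy mistakes that load fine.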

4.3 Test the DNS server

Test resolution with dig (the output should look like the following)

Note the AUTHORITY section of the first three answers: the NS record for linx-info.com shows up as `ns.`/`ns`, i.e. a bare name rather than a host inside the zone. It is inherited from the copied zone file and should be corrected to the real name server's host name; a zone whose NS record does not resolve still answers direct queries, which is why these tests pass regardless.

dig www.linx-info.com @172.17.201.8
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.linx-info.com.		IN	A
;; ANSWER SECTION:
www.linx-info.com.	604800	IN	A	172.31.255.3
;; AUTHORITY SECTION:
linx-info.com.		604800	IN	NS	ns.

dig mail.linx-info.com @172.17.201.8
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mail.linx-info.com.		IN	A
;; ANSWER SECTION:
mail.linx-info.com.	604800	IN	A	172.31.255.3
;; AUTHORITY SECTION:
linx-info.com.		604800	IN	NS	ns

dig odoo.linx-info.com @172.17.201.8
;; QUESTION SECTION:
;odoo.linx-info.com.		IN	A
;; ANSWER SECTION:
odoo.linx-info.com.	604800	IN	A	172.31.255.3
;; AUTHORITY SECTION:
linx-info.com.		604800	IN	NS	ns

dig erp.rd.in.linx
;; QUESTION SECTION:
;erp.rd.in.linx.			IN	A
;; ANSWER SECTION:
erp.rd.in.linx.		86400	IN	A	172.17.201.9
;; AUTHORITY SECTION:
rd.in.linx.		86400	IN	NS	rd.in.linx.
;; ADDITIONAL SECTION:
rd.in.linx.		86400	IN	A	172.31.255.3

5 Install and configure the web service

Install and configure the web server and enable SSL/TLS with a certificate

If Apache is already installed, stop it first so that nginx can bind ports 80 and 443

5.1 Install the nginx web server

/etc/init.d/apache2 stop
/etc/init.d/apache2 status
aptitude -y install nginx

5.2 Generate and install certificates

5.2.1 Edit the openssl configuration

cd /etc/ssl
mkdir CA newcerts
cd CA
touch index.txt serial
cd /etc/ssl
vi openssl.cnf
Change the [CA_default] section as follows
dir		= /etc/ssl		# CA directory
certs		= $dir/certs		# certificates issued to others
crl_dir		= $dir/crl		# certificate revocation lists; the directory is optional
database	= $dir/CA/index.txt	    # index of issued certificates; must be created by hand
new_certs_dir	= $dir/newcerts	 # where newly issued certificates are stored; must be created by hand

certificate	= $dir/certs/cacert.pem		
serial= $dir/CA/serial	 # serial number file; every certificate gets a serial, so create the file and write the starting number into it
crlnumber= $dir/crlnumber
crl= $dir/crl.pem
private_key= $dir/private/cakey.pem
RANDFILE= $dir/private/.rand
x509_extensions	= usr_cert

name_opt	= ca_default		
cert_opt	= ca_default		

default_days	= 365			
default_crl_days= 30		
default_md	= default		
preserve	= no
Relax the CA policy so that requests from other hosts, whose country, state and organisation need not match the CA's, can still be signed (only commonName is required)
# For the CA policy
[ policy_match ]
countryName		= optional
stateOrProvinceName	= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional


[ req_distinguished_name ]
countryName			= Country Name (2 letter code)
countryName_default		= CN  # country of the certificate subject
countryName_min			= 2
countryName_max			= 2

stateOrProvinceName		= State or Province Name (full name)
stateOrProvinceName_default	= Beijing    # state or province of the subject

localityName			= Locality Name (eg, city)
localityName_default		= Beijing    # city of the subject

0.organizationName		= Organization Name (eg, company)
0.organizationName_default	= Linx Technology Co.,Ltd.    # organisation of the subject

5.2.2 How to generate certificates

The old machine's certificates are reused, so this step is skipped; it is kept here as the reference procedure for issuing new ones

  1. Generate the CA's root certificate
Generate the CA's own private key (1024-bit RSA is too weak for current browser and CA policy; use at least 2048 bits)
openssl genrsa 2048 >private/cakey.pem
Restrict the key file's permissions to protect the CA private key
chmod 600 private/*
Create the CA's self-signed certificate from its private key (without -days the certificate is valid for only 30 days; -sha256 avoids a SHA-1 signature)
openssl req -new -key private/cakey.pem -x509 -days 3650 -sha256 -out  certs/cacert.pem
The cacert.pem produced here is the CA root certificate; it is what clients must import to trust the server certificates signed below
  2. Generate the web server's certificate
Generate the server's private key
openssl genrsa 2048 >private/apache2.key
Restrict the key file's permissions to protect the server private key
chmod 600 private/*
Create a certificate signing request (CSR) with the server's private key
openssl req -new -key private/apache2.key -out newcerts/apache2.csr
Have the CA sign the request
Submit apache2.csr to the CA; the CA signs it and produces the certificate
openssl  ca  -in  newcerts/apache2.csr  -out  newcerts/apache2.crt
The apache2.crt produced here is the web server's certificate. Browsers match a certificate to the host name through subjectAltName, so include the DNS names it will serve (www.linx-info.com, mail.linx-info.com, ...) as subjectAltName entries when the request is created or signed.

5.2.3 Install the certificates

Because the old machine's certificates are reused, no new certificate is generated; copy the certificates from the old server to the new one

cd new-mail
cp ssl-cert-snakeoil.pem /etc/ssl/certs/ssl-cert-snakeoil.pem
cp ssl-cert-snakeoil.key /etc/ssl/private/ssl-cert-snakeoil.key
cp mail.crt /etc/ssl/newcerts/
cp mail.key /etc/ssl/private/
cp 配置文件存档/CA/etc/ssl/certs/apache2.crt /etc/ssl/certs/
cp 配置文件存档/CA/etc/ssl/private/apache2.key /etc/ssl/private/
cp www.linx-info.com /etc/ssl/certs/ -r
chown root:root /etc/ssl/private/* /etc/ssl/certs/www.linx-info.com/privkey.pem
chmod 600 /etc/ssl/private/* /etc/ssl/certs/www.linx-info.com/privkey.pem

Only the private keys need restricting: nginx, Postfix and Dovecot all read their key files as root at startup, so 0600 root:root is enough. Do not chmod -R 600 /etc/ssl/certs: that directory is the system CA trust store (the ca-certificates symlinks), every TLS client on the host, from PHP and amavis to the Postfix SMTP client, must be able to read it, and removing the execute bit on the directory stops unprivileged processes traversing it at all. Note that www.linx-info.com/privkey.pem is a private key living under /etc/ssl/certs; the chmod above protects it, but /etc/ssl/private (with the nginx path in 5.3.2 updated to match) is its proper home.

5.3 Configure nginx

5.3.1 Virtual host for the mail administration site

Create /etc/nginx/sites-available/postfixadmin.linx-info.com

server {
		listen 80;
		server_name postfixadmin.linx-info.com;
		return 301 https://$server_name$request_uri;
}

server {
		listen          443 ssl;
		server_name     postfixadmin.linx-info.com;
		root            /var/www/postfixadmin-3.0;
		index           index.php;
		charset         utf-8;

		ssl_certificate           /etc/ssl/certs/ssl-cert-snakeoil.pem;
		ssl_certificate_key       /etc/ssl/private/ssl-cert-snakeoil.key;
		ssl_protocols             TLSv1.2;
		ssl_ciphers               HIGH:!aNULL:!MD5;
		ssl_prefer_server_ciphers on;
		ssl_session_cache         shared:SSL:10m;
		ssl_session_timeout       10m;
		ssl_ecdh_curve            secp521r1;

		location / {
				try_files $uri $uri/ /index.php;
		}

		location ~* \.php$ {
				# only hand real files to php-fpm; a URI such as /x.jpg/foo.php
				# must get a 404 here rather than let php-fpm guess which file to run
				try_files $uri =404;
				fastcgi_split_path_info ^(.+\.php)(/.+)$;
				include       fastcgi_params;
				fastcgi_pass  unix:/run/php/php7.0-fpm.sock;
				fastcgi_index index.php;
				fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
				fastcgi_buffer_size 16k;
				fastcgi_buffers 4 16k;
		}
}

Two points apply to this host and to the other TLS hosts below. The snakeoil certificate is the self-signed one Debian generates at install time, so every browser will warn about it; sign a certificate with the CA from 5.2 (or use the mail.crt one) rather than teaching users to click through warnings. And ssl_ecdh_curve secp521r1 restricts ECDHE to the P-521 curve, which Chrome/BoringSSL do not offer: such clients either fall back to a non-forward-secret RSA key exchange (still allowed by HIGH:!aNULL:!MD5) or fail the handshake. prime256v1:secp384r1 is the interoperable choice.

5.3.2 Reverse-proxy configuration for the odoo site

Create /etc/nginx/sites-enabled/odoo.linx-info.com

The port 80 and port 10000 servers below proxy odoo over plain HTTP (the redirect to HTTPS is commented out), and the PHP location inside the 443 server is a leftover from the postfixadmin host with no effect, since odoo is proxied rather than served from a document root.

server {
		listen 80;
		server_name odoo.linx-info.com;
#        return 301 https://$server_name$request_uri;
		location / {
				proxy_next_upstream error timeout invalid_header http_500 http_503 http_404;
				proxy_pass  http://erp.rd.in.linx:8069/  ;
				proxy_set_header Host odoo.linx-info.com;
				proxy_set_header X-Real-IP $remote_addr;
				proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
		}
		access_log /var/log/nginx/odoo.linx-info.com.80.log;
}
server {
		listen 10000;
		server_name odoo.linx-info.com;
#        return 301 https://$server_name$request_uri;
		location / {
				proxy_next_upstream error timeout invalid_header http_500 http_503 http_404;
				proxy_pass  http://erp.rd.in.linx:8069/  ;
				proxy_set_header Host odoo.linx-info.com;
				proxy_set_header X-Real-IP $remote_addr;
				proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
		}
		access_log /var/log/nginx/odoo.linx-info.com.10000.log;
}
server {
		listen          443 ssl;
		server_name     odoo.linx-info.com;
#ssl_certificate           /etc/ssl/certs/ssl-cert-snakeoil.pem;
#ssl_certificate_key       /etc/ssl/private/ssl-cert-snakeoil.key;
		ssl_certificate           /etc/ssl/certs/www.linx-info.com/cert.pem;
		ssl_certificate_key       /etc/ssl/certs/www.linx-info.com/privkey.pem;
		ssl_protocols             TLSv1.2;
		ssl_ciphers               HIGH:!aNULL:!MD5;
		ssl_prefer_server_ciphers on;
		ssl_session_cache         shared:SSL:10m;
		ssl_session_timeout       10m;
		ssl_ecdh_curve            secp521r1;

		location / {
				proxy_pass  http://erp.rd.in.linx:8069/;
		}
		location ~* \.php$ {
				fastcgi_split_path_info ^(.+\.php)(/.+)$;
				include       fastcgi_params;
				fastcgi_pass  unix:/run/php/php7.0-fpm.sock;
				fastcgi_index index.php;
				include fastcgi_params;
				fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
				fastcgi_buffer_size 16k;
				fastcgi_buffers 4 16k;
		}
		access_log /var/log/nginx/odoo.linx-info.com.443.log;
}

5.3.3 Reverse-proxy configuration for the company web site

Create /etc/nginx/sites-enabled/www.linx-info.com

Note that the port 443 server below sends HTTPS visitors back to plain HTTP (the rewrite to http://www.linx-info.com), the opposite of what the postfixadmin and mail hosts do. Keep this only if the site is deliberately served without TLS; otherwise proxy the site from the 443 server and redirect port 80 to HTTPS instead. ssl on is also the pre-1.15 syntax; listen 443 ssl, as in the other hosts, is the current form.

server {
		listen 80;
		server_name www.linx-info.com;
#        return 301 https://$server_name$request_uri;
		location / {
				proxy_next_upstream error timeout invalid_header http_500 http_503 http_404;
				proxy_pass  http://172.31.255.4/  ;
				proxy_set_header Host www.linx-info.com;
				proxy_set_header X-Real-IP $remote_addr;
				proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
		}
		access_log  /var/log/nginx/www.linx-info.com.log;

}
server {
		listen *:443;
		ssl on;
		server_name www.linx-info.com;
		rewrite ^(.*) http://www.linx-info.com$1 permanent;
#ssl_certificate           /etc/ssl/certs/ssl-cert-snakeoil.pem;
#ssl_certificate_key       /etc/ssl/private/ssl-cert-snakeoil.key;
		ssl_certificate           /etc/ssl/certs/apache2.crt;
		ssl_certificate_key       /etc/ssl/private/apache2.key;
}

5.3.4 Virtual host for the webmail site

Create /etc/nginx/sites-enabled/mail.linx-info.com

server {
		listen 80;
		server_name mail.linx-info.com;
		return 301 https://$server_name$request_uri;
}

server {
		listen          443 ssl;
		server_name     mail.linx-info.com;
		root            /var/www/webmail;
		index           index.php;
		charset         utf-8;
#ssl_certificate           /etc/ssl/certs/ssl-cert-snakeoil.pem;
#ssl_certificate_key       /etc/ssl/private/ssl-cert-snakeoil.key;
		ssl_certificate           /etc/ssl/newcerts/mail.crt;
		ssl_certificate_key       /etc/ssl/private/mail.key;
		ssl_protocols             TLSv1.2 TLSv1 TLSv1.1;
#        ssl_ciphers               "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4";
		ssl_ciphers               HIGH:!aNULL:!MD5;
		ssl_prefer_server_ciphers on;
		ssl_session_cache         shared:SSL:10m;
		ssl_session_timeout       10m;
		ssl_ecdh_curve            secp521r1;

		location / {
				try_files $uri $uri/ /index.php;
				client_max_body_size 30m;
		}

		# roundcube's config, temp and logs directories hold the database password,
		# uploaded attachments and logs; its .htaccess files protect them under Apache only
		location ~ ^/(config|temp|logs)/ {
				deny all;
		}

		location ~* \.php$ {
				try_files $uri =404;
				fastcgi_split_path_info ^(.+\.php)(/.+)$;
				include       fastcgi_params;
				fastcgi_pass  unix:/run/php/php7.0-fpm.sock;
				fastcgi_index index.php;
				fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
				fastcgi_buffer_size 16k;
				fastcgi_buffers 4 16k;
				client_max_body_size 100m;
		}
		access_log /var/log/nginx/mail.linx-info.com.log;
}

Unlike the postfixadmin host, this one still accepts TLSv1 and TLSv1.1, presumably for old mail clients; both are deprecated and the commented-out cipher list above is the stricter, forward-secret-only alternative to HIGH:!aNULL:!MD5. Attachments are uploaded through PHP, so the 100m limit in the PHP location is the one that applies to them.
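The four server blocks above end up with different TLS settings: postfixadmin allows only TLSv1.2, mail also allows TLSv1 and TLSv1.1, www uses `ssl on` and redirects HTTPS visitors to HTTP, and every host pins secp521r1. The following Python script is an added example, not part of this document or of nginx: it parses nginx's directive syntax and audits every TLS-terminating server block for exactly those findings, with a weak sample (a constructed reduction of the mail and www hosts) beside a fixed one. The cipher list, curves and HSTS header in FIXED_CONF are assumed settings, nginx's default ssl_protocols is assumed to be the 1.12 value (TLSv1 TLSv1.1 TLSv1.2), and the audit checks only what it names.

```python
import re

# Constructed reduction of the mail.linx-info.com and www.linx-info.com server
# blocks above, keeping the TLS-relevant directives; test input for this example.
WEAK_CONF = """
server {
    listen 443 ssl;
    server_name mail.linx-info.com;
    ssl_certificate     /etc/ssl/newcerts/mail.crt;
    ssl_certificate_key /etc/ssl/private/mail.key;
    ssl_protocols       TLSv1.2 TLSv1 TLSv1.1;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ssl_ecdh_curve      secp521r1;
    location / { try_files $uri $uri/ /index.php; }
}
server {
    listen *:443;
    ssl on;
    server_name www.linx-info.com;
    rewrite ^(.*) http://www.linx-info.com$1 permanent;
    #ssl_certificate    /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate     /etc/ssl/certs/apache2.crt;
    ssl_certificate_key /etc/ssl/private/apache2.key;
}
"""

# The same two hosts with the findings fixed (assumed settings, not from the page).
FIXED_CONF = """
server {
    listen 443 ssl;
    server_name mail.linx-info.com;
    ssl_certificate     /etc/ssl/newcerts/mail.crt;
    ssl_certificate_key /etc/ssl/private/mail.key;
    ssl_protocols       TLSv1.2;
    ssl_ciphers         "EECDH+AESGCM:EDH+AESGCM:!aNULL:!MD5:!3DES:!RC4";
    ssl_ecdh_curve      prime256v1:secp384r1;
    add_header          Strict-Transport-Security "max-age=31536000" always;
}
server {
    listen 443 ssl;
    server_name www.linx-info.com;
    ssl_certificate     /etc/ssl/certs/apache2.crt;
    ssl_certificate_key /etc/ssl/private/apache2.key;
    ssl_protocols       TLSv1.2;
    ssl_ecdh_curve      prime256v1:secp384r1;
    location / { proxy_pass http://172.31.255.4/; }
}
"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
NGINX_DEFAULT_PROTOCOLS = ["TLSv1", "TLSv1.1", "TLSv1.2"]  # what nginx 1.12 uses when unset
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};#]+|#[^\n]*')


def parse_nginx(text):
    """Parse nginx's directive syntax into (name, args, children) triples;
    children is None for simple 'name args;' directives, a list for blocks."""
    tokens = [t for t in TOKEN.findall(text) if not t.startswith("#")]
    pos = 0

    def block():
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] != "}":
            name = tokens[pos]
            pos += 1
            args = []
            while tokens[pos] not in ("{", ";"):
                args.append(tokens[pos])
                pos += 1
            if tokens[pos] == ";":
                pos += 1
                items.append((name, args, None))
            else:
                pos += 1
                items.append((name, args, block()))
                pos += 1  # consume the matching '}'
        return items

    return block()


def audit_tls_servers(tree):
    """Flag weak or contradictory TLS settings in every server block that terminates TLS."""
    findings = []
    for name, _, children in tree:
        if name != "server" or children is None:
            continue
        directives = {}
        for dname, args, _ in children:
            directives.setdefault(dname, []).append(args)
        host = directives.get("server_name", [["(no server_name)"]])[0][0]
        listens = [arg for args in directives.get("listen", []) for arg in args]
        if "ssl" not in listens and directives.get("ssl") != [["on"]]:
            continue  # plain-HTTP server, nothing to audit here
        if "ssl" in directives:
            findings.append(f"{host}: 'ssl on' is deprecated; use 'listen 443 ssl'")
        for proto in directives.get("ssl_protocols", [NGINX_DEFAULT_PROTOCOLS])[0]:
            if proto in WEAK_PROTOCOLS:
                findings.append(f"{host}: ssl_protocols allows {proto}")
        if directives.get("ssl_ecdh_curve", [[""]])[0][0] == "secp521r1":
            findings.append(f"{host}: ssl_ecdh_curve secp521r1 is not offered by Chrome/BoringSSL; "
                            "such clients fall back to non-PFS RSA key exchange or fail")
        for key in ("ssl_certificate", "ssl_certificate_key"):
            if key not in directives:
                findings.append(f"{host}: {key} is missing")
        for dname, args, _ in children:
            if dname in ("return", "rewrite") and any(a.startswith("http://") for a in args):
                findings.append(f"{host}: HTTPS server redirects visitors to plaintext HTTP ({' '.join(args)})")
    return findings


if __name__ == "__main__":
    for finding in audit_tls_servers(parse_nginx(WEAK_CONF)):
        print(finding)
    print("fixed config findings:", audit_tls_servers(parse_nginx(FIXED_CONF)))
```

The www host draws findings for its unset ssl_protocols as well, because an absent directive means nginx's default, not "nothing"; that is why the audit fills in the default instead of skipping the check.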

5.3.5 Create the symlink

Only the postfixadmin host was written to sites-available; enable it with a symlink (the other hosts above were created directly in sites-enabled)

ln -s /etc/nginx/sites-available/postfixadmin.linx-info.com /etc/nginx/sites-enabled/postfixadmin.linx-info.com

5.3.6 Test the configuration, restart nginx and check the service status

  1. Check the service status to see whether the nginx configuration has errors
journalctl -xn

nginx -t

service nginx restart

/etc/init.d/nginx status

nginx started correctly if the status looks like this

● nginx.service - A high performance web server and a reverse proxy server
	Loaded: loaded (/lib/systemd/system/nginx.service; enabled)
  Drop-In: /etc/systemd/system/nginx.service.d
			└─override.conf
	Active: active (running) since 四 2018-03-15 11:48:09 CST; 3s ago
	  Docs: man:nginx(8)
   Process: 1755 ExecStartPost=/bin/sleep 0.1 (code=exited, status=0/SUCCESS)
   Process: 1751 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
   Process: 1750 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
  Main PID: 1754 (nginx)
    CGroup: /system.slice/nginx.service
			├─1754 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
			└─1756 nginx: worker process

Open www.linx-info.com and odoo.linx-info.com in a browser to confirm that the company sites load

  2. Note

Problem

debian systemd[1]: Failed to read PID from file /run/nginx.pid: Invalid argument

Workaround (systemd reads the PID file before nginx has finished writing it; the drop-in delays the check):

mkdir -p /etc/systemd/system/nginx.service.d
printf "[Service]\nExecStartPost=/bin/sleep 0.1\n" > /etc/systemd/system/nginx.service.d/override.conf
systemctl daemon-reload
systemctl restart nginx.service

6 Configure the mail server

6.1 Install the mail-related packages

6.1.1 Install the MySQL database

aptitude install mysql-server -y
When prompted, set the MySQL root password; this document uses rocky123

6.1.2 Install the mail transfer agent

aptitude install -y postfix postfix-mysql
  1. Select "Internet Site" and confirm.

  2. Replace the default "debian" with linx-info.com and confirm.

6.1.3 Install the IMAP and POP3 server

aptitude install -y dovecot-core dovecot-imapd dovecot-lmtpd dovecot-mysql

6.1.4 Install PHP and its extensions

aptitude install -y  php7.0-imap php7.0-mysql php7.0-mcrypt php7.0-intl php-apc php5-memcache php-curl php7.0-gd php-xml-parser php-imap php-mbstring php-fpm php-mysqlnd

(php5-memcache targets PHP 5 and is not used by PHP 7.0; leaving it out avoids pulling in a second PHP stack.)

6.1.5 Install the spam filter

aptitude install -y spamassassin

6.1.6 Install the virus scanner and the amavis content filter

aptitude install -y amavisd-new clamav-daemon clamsmtp zoo unzip bzip2 libnet-ph-perl libnet-snpp-perl libnet-telnet-perl nomarch lzop pax

6.2 Create the database for the mail services

Create a new MySQL database

Database name: postfixdb

Administrative user: root

Password: rocky123

Grant the postfix user access to it.

Run the following commands

mysql -uroot -p              (password: rocky123)
create database postfixdb;    create the database
grant all on postfixdb.* to 'postfix'@'localhost' identified by 'rocky123';   grant privileges
exit
mysql -upostfix -p           (password: rocky123)
show databases;
exit

The same postfix account is later used by postfixadmin (which needs to write), by Postfix's lookup tables and by Dovecot (which only need SELECT). A separate read-only account for the latter two limits what a compromised Postfix or Dovecot process can do to the user database.

6.3 Create the mailbox owner account

6.3.1 Create the account

Create a system account vmail in group mail, with home directory /var/vmail, no login shell, and the comment Virtual MailDir Handler. Its uid 150 and the mail group's gid 8 are hard-coded in the Dovecot SQL queries below.

useradd -r -u 150 -g mail -m -d /var/vmail -s /usr/sbin/nologin -c "Virtual MailDir Handler" vmail

(On Debian the nologin shell is /usr/sbin/nologin; /sbin/nologin is the Red Hat path and does not exist here.)

6.4 Configure dovecot

6.4.1 Edit the database configuration file

Replace the whole contents of /etc/dovecot/dovecot-sql.conf.ext with the following

default_pass_scheme has to match the hash format postfixadmin writes into the mailbox table ($CONF['encrypt'], md5crypt by default in 3.0). MD5-CRYPT is fast to brute-force; switching both sides to SHA512-CRYPT (in postfixadmin: dovecot:SHA512-CRYPT, which needs doveadm pw runnable by the web server user) is the better choice, and existing passwords are re-hashed the next time they are changed.

driver = mysql
connect = host=127.0.0.1 user=postfix password=rocky123 dbname=postfixdb
default_pass_scheme = MD5-CRYPT
password_query = \
 SELECT username as user, password, '/var/vmail/%d/%n' as userdb_home, \
 'maildir:/var/vmail/%d/%n' as userdb_mail, 150 as userdb_uid, 8 as userdb_gid \
 FROM mailbox WHERE username = '%u' AND active = '1'
user_query = \
 SELECT '/var/vmail/%d/%n' as home, 'maildir:/var/vmail/%d/%n' as mail, \
 150 AS uid, 8 AS gid, concat('dirsize:storage=', quota) AS quota \
 FROM mailbox WHERE username = '%u' AND active = '1'

6.4.2 Edit the authentication configuration file

Edit /etc/dovecot/conf.d/10-auth.conf: find the auth_mechanisms line and set it as below (auth_mechanisms = plain login), then find the auth-system.conf.ext, auth-sql.conf.ext and auth-ldap.conf.ext includes and change them to match the following. plain and login send the password in clear; Dovecot's default disable_plaintext_auth = yes only allows them on TLS connections, so leave that default in place.

auth_mechanisms = plain login

#!include auth-system.conf.ext
!include auth-sql.conf.ext
#!include auth-ldap.conf.ext

6.4.3 Edit the mail storage configuration file

Edit /etc/dovecot/conf.d/10-mail.conf: find mail_location, mail_uid, mail_gid, mail_access_groups, first_valid_uid and last_valid_uid and set them as below, so that mail is stored in the maildir tree owned by vmail

mail_location = maildir:/var/vmail/%d/%n

mail_uid = vmail
mail_gid = mail

mail_access_groups = mail

first_valid_uid = 150
last_valid_uid = 150

6.4.4 Edit the SSL certificate path configuration

Edit /etc/dovecot/conf.d/10-ssl.conf: find ssl, ssl_cert and ssl_key and set them as below to enable TLS in dovecot. dovecot.pem is the self-signed certificate from 6.4.5, which IMAP clients will warn about; pointing ssl_cert and ssl_key at mail.crt and mail.key (the certificate the webmail host uses) is the better choice once those are in place.

ssl = yes

ssl_cert = </etc/dovecot/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.pem

6.4.5 Create and install the dovecot certificate

  1. Check whether /etc/dovecot/dovecot.pem already exists (the Debian package generates a self-signed one at install time). If it does, nothing needs to be generated; if not, build one with the script from the dovecot source and copy the resulting files into place (replace version with the actual version string of the downloaded source)
apt-get source dovecot
tar xf dovecot_version.orig.tar.gz
cd dovecot-version
cd doc
sh mkcert.sh
cp /etc/ssl/private/dovecot.pem /etc/dovecot/private/
cp /etc/ssl/certs/dovecot.pem /etc/dovecot/

6.4.6 Edit the dovecot master configuration

Edit /etc/dovecot/conf.d/10-master.conf: find the lmtp, auth and auth-worker services and set the socket paths, modes and users as follows, so that Postfix can reach the LMTP and SASL sockets from inside its chroot

service lmtp {
		unix_listener /var/spool/postfix/private/dovecot-lmtp {
				mode = 0600
				user = postfix
				group = postfix
		}
}

service auth {
	unix_listener /var/spool/postfix/private/auth {
		mode = 0666
		user = postfix
		group = postfix
	}
	unix_listener auth-userdb {
		mode = 0600
		user = vmail
		#group = vmail
	}
	user = dovecot
}

service auth-worker {
	user = vmail
}

6.4.7 Edit the dovecot LDA configuration

Edit /etc/dovecot/conf.d/15-lda.conf: find postmaster_address and set it to postmaster@mail.linx-info.com

postmaster_address = postmaster@mail.linx-info.com

6.4.8 Adjust ownership of the dovecot configuration

Give dovecot and the mailbox owner access to the configuration they read (auth runs as dovecot and auth-worker as vmail, and both read dovecot-sql.conf.ext), and hide it from everyone else

chown -R vmail:dovecot /etc/dovecot
chmod -R o-rwx /etc/dovecot
# the TLS key is read by the config process as root at startup; the
# mail-storage user must not be able to read it
chown -R root:root /etc/dovecot/private

6.4.9 Start the service

systemctl enable dovecot
systemctl restart dovecot
/etc/init.d/dovecot  status

dovecot started correctly if the status looks like this

● dovecot.service - Dovecot IMAP/POP3 email server
	Loaded: loaded (/lib/systemd/system/dovecot.service; enabled)
	Active: active (running) since 四 2018-03-15 11:38:03 CST; 14min ago
  Main PID: 494 (dovecot)
	CGroup: /system.slice/dovecot.service
			├─494 /usr/sbin/dovecot -F
			├─564 dovecot/anvil
			├─565 dovecot/log
			└─588 dovecot/config

6.5 Configure postfix

6.5.1 Check that MySQL listens on 127.0.0.1 only

  1. Check the MySQL bind address
cat /etc/mysql/my.cnf | grep bind-address
bind-address        = 127.0.0.1
  2. If it is missing, add the following to /etc/mysql/my.cnf
bind-address        = 127.0.0.1

6.5.2 Postfix lookup tables backed by MySQL

Each of the files below contains the database password and must not be world-readable. Postfix's lookup daemons run as the postfix user, so after creating them run chown root:postfix /etc/postfix/mysql_*.cf and chmod 640 /etc/postfix/mysql_*.cf.

  1. Virtual domain alias map

Create /etc/postfix/mysql_virtual_alias_domainaliases_maps.cf

user = postfix
password = rocky123
hosts = 127.0.0.1
dbname = postfixdb
query = SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' AND alias.address=concat('%u', '@', alias_domain.target_domain) AND alias.active = 1
  2. Virtual alias map

Create /etc/postfix/mysql_virtual_alias_maps.cf

user = postfix
password = rocky123
hosts = 127.0.0.1
dbname = postfixdb
table = alias
select_field = goto
where_field = address
additional_conditions = and active = '1'
  3. Virtual domain map

Create /etc/postfix/mysql_virtual_domains_maps.cf

user = postfix
password = rocky123
hosts = 127.0.0.1
dbname = postfixdb
table = domain
select_field = domain
where_field = domain
additional_conditions = and backupmx = '0' and active = '1'
  4. Virtual mailbox domain-alias map

Create /etc/postfix/mysql_virtual_mailbox_domainaliases_maps.cf

user = postfix
password = rocky123
hosts = 127.0.0.1
dbname = postfixdb
query = SELECT maildir FROM mailbox, alias_domain
  WHERE alias_domain.alias_domain='%d'
  AND mailbox.username=concat('%u', '@', alias_domain.target_domain )
  AND mailbox.active = 1
  5. Virtual mailbox map

Create /etc/postfix/mysql_virtual_mailbox_maps.cf

user = postfix
password = rocky123
hosts = 127.0.0.1
dbname = postfixdb
table = mailbox
select_field = CONCAT(domain, '/', local_part)
where_field = username
additional_conditions = and active = '1'

6.5.3 Create the Postfix header_checks table

Create /etc/postfix/header_checks

These rules strip headers that reveal the sending client (mail software, internal IP address, the Received: chain). Note that the main.cf in 6.5.4 does not reference this file, so as written the table is inactive. When enabling it, keep in mind that header_checks set in main.cf runs in the cleanup stage for every message, inbound mail from the Internet included, and would then delete the Received: headers that are the only record of where a message really came from, which hampers abuse handling and loop detection. The usual arrangement is to apply it to authenticated submissions only: define a second cleanup service in master.cf with -o header_checks=regexp:/etc/postfix/header_checks and point the submission and smtps services at it with -o cleanup_service_name=<that service>.

/^Received:/                 IGNORE
/^User-Agent:/               IGNORE
/^X-Mailer:/                 IGNORE
/^X-Originating-IP:/         IGNORE
/^x-cr-[a-z]*:/              IGNORE
/^Thread-Index:/             IGNORE
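To see what this table does to a message, the following Python script is an added example, not from this page or from Postfix: it parses a regexp: table with the default case-insensitive matching and the !, i, m and x options described in regexp_table(5), applies it to the logical headers of a constructed inbound message the way cleanup(8) does (first matching rule decides; folded continuation lines belong to their header), and returns the remaining message plus a log of what was dropped. Only the IGNORE, REJECT, DUNNO and OK actions are modelled; the sample message, its hosts and addresses are made up.

```python
import re

# The header_checks table from this page.
HEADER_CHECKS = """\
/^Received:/                 IGNORE
/^User-Agent:/               IGNORE
/^X-Mailer:/                 IGNORE
/^X-Originating-IP:/         IGNORE
/^x-cr-[a-z]*:/              IGNORE
/^Thread-Index:/             IGNORE
"""

# Constructed inbound message: two Received: headers (folded), a client
# fingerprint header and an X-CR header, followed by a body.
SAMPLE_MESSAGE = """\
Received: from mx.example.org (mx.example.org [203.0.113.7])
\tby mail.linx-info.com (Postfix) with ESMTPS id 4F1A2B3
\tfor <alice@linx-info.com>; Mon, 26 Nov 2018 14:28:01 +0800 (CST)
Received: from [192.0.2.25] (unknown [192.0.2.25])
\tby mx.example.org with ESMTP
From: Bob <bob@example.org>
To: alice@linx-info.com
Subject: Quarterly numbers
X-Mailer: Microsoft Outlook 16.0
X-CR-HashedPuzzle: AAAAA
Date: Mon, 26 Nov 2018 14:27:40 +0800
Message-ID: <20181126062740.GA1234@example.org>

Please find the figures attached.
"""

RULE = re.compile(r"^(!?)/((?:\\/|[^/])*)/([imx]*)\s+(\S+)(?:\s+(.*))?$")


def parse_regexp_table(text):
    """Parse a Postfix regexp: table. Matching is case-insensitive unless the 'i'
    flag toggles it, 'm' makes ^/$ match at line boundaries, 'x' enables extended
    syntax, and a leading '!' negates the match, as in regexp_table(5)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        negate, pattern, flags, action, arg = m.groups()
        re_flags = 0 if "i" in flags else re.IGNORECASE
        if "m" in flags:
            re_flags |= re.MULTILINE
        if "x" in flags:
            re_flags |= re.VERBOSE
        rules.append((negate == "!", re.compile(pattern, re_flags), action.upper(), arg or ""))
    return rules


def apply_header_checks(rules, message):
    """Model of what cleanup(8) does with header_checks: each logical header, with
    its folded continuation lines, is tested against the rules in order and the
    first match decides. Returns (message_after_checks, log); log lists
    (action, header-name) for every rule hit. REJECT aborts the whole message,
    which is reported as (None, log)."""
    head, sep, body = message.partition("\n\n")
    headers = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\n" + line  # continuation line of the previous header
        else:
            headers.append(line)
    kept, log = [], []
    for header in headers:
        decision = "DUNNO"
        for negate, rx, action, _arg in rules:
            if bool(rx.search(header)) != negate:
                decision = action
                break
        name = header.split(":", 1)[0]
        if decision == "IGNORE":
            log.append(("IGNORE", name))
            continue
        if decision == "REJECT":
            log.append(("REJECT", name))
            return None, log
        kept.append(header)
    return "\n".join(kept) + sep + body, log


if __name__ == "__main__":
    out, log = apply_header_checks(parse_regexp_table(HEADER_CHECKS), SAMPLE_MESSAGE)
    print(log)
    print(out)
```

Both Received: headers disappear along with X-Mailer and the X-CR header (the latter through the default case-insensitive match on ^x-cr-), which is exactly the loss of trace information the caveat above is about when the table is applied to inbound mail.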

6.5.4 Connect dovecot to postfix

  1. Edit /etc/postfix/main.cf

Open /etc/postfix/main.cf with vi, find the line # TLS parameters, and replace it and everything after it with the following

Notes on the values: smtpd_use_tls = yes is the obsolete spelling of smtpd_tls_security_level = may, so STARTTLS is offered but not required on port 25; smtpd_tls_auth_only = yes ensures AUTH is only offered once TLS is up; and because the snakeoil certificate used for smtpd is self-signed, sending MTAs will still encrypt but cannot verify this server.

# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mail.linx-info.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost
relayhost =
mynetworks = 127.0.0.0/8 127.0.0.1 172.17.201.0/24 172.16.0.0/24 172.31.255.0/24 172.16.3.0/24
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf, mysql:/etc/postfix/mysql_virtual_mailbox_domainaliases_maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf, mysql:/etc/postfix/mysql_virtual_alias_domainaliases_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
smtpd_tls_auth_only = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, permit
inet_protocols = ipv4
virtual_transport = lmtp:unix:private/dovecot-lmtp
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings
message_size_limit = 102400000

6.5.5 Enable the services Postfix needs

Edit /etc/postfix/master.cf and enable the submission, smtps and amavis entries as in the following excerpt

(The listener on 127.0.0.1:10025 through which amavis hands scanned mail back to Postfix, visible in the status output in the next section, also lives in master.cf but is not shown in this excerpt.)

smtp      inet  n       -       -       -       -       smtpd
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
amavis unix - - - - 2 smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes

6.5.6 Restart the services and check their status

service postfix restart
service postfix status
service dovecot restart
service dovecot status

postfix started correctly if the status looks like this

● postfix.service - LSB: Postfix Mail Transport Agent
	Loaded: loaded (/etc/init.d/postfix)
   Drop-In: /run/systemd/generator/postfix.service.d
			└─50-postfix-$mail-transport-agent.conf
    Active: active (running) since 四 2018-03-15 11:38:20 CST; 16min ago
   Process: 1440 ExecReload=/etc/init.d/postfix reload (code=exited, status=0/SUCCESS)
   Process: 1163 ExecStart=/etc/init.d/postfix start (code=exited, status=0/SUCCESS)
    CGroup: /system.slice/postfix.service
			├─1378 /usr/lib/postfix/master
			├─1452 pickup -l -t unix -u -c
			├─1453 qmgr -l -t unix -u
			├─2082 trivial-rewrite -n rewrite -t unix -u -c
			├─2090 smtpd -n 127.0.0.1:10025 -t inet -u -o content_filter= -o receive_override_options=no_unknown_re...
			├─2091 proxymap -t unix -u
			└─2092 tlsmgr -l -t unix -u -c

6.6 Install and configure the web-based mail administration software

6.6.1 Download the package

wget http://nchc.dl.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin-3.0/postfixadmin-3.0.tar.gz

6.6.2 Unpack it into place

tar xf postfixadmin-3.0.tar.gz -C /var/www

6.6.3 Connect postfixadmin to the database

Edit /var/www/postfixadmin-3.0/config.inc.php: find configured, database_type, database_host, database_user, database_password, database_name, domain_path and domain_in_mailbox and set them as follows

$CONF['configured'] = true;

$CONF['database_type'] = 'mysqli';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'postfix';              
$CONF['database_password'] = 'rocky123';         
$CONF['database_name'] = 'postfixdb';            

$CONF['domain_path'] = 'NO';
$CONF['domain_in_mailbox'] = 'YES';

6.6.4 Set directory permissions

Postfixadmin only needs its templates_c directory to be writable by the PHP-FPM user (www-data on Debian); the rest of the tree can stay read-only. Do not run chmod 777 -R /var: that would make the MySQL data files, the Postfix queue, the mail store and the logs writable by every account on the host.

chown -R root:www-data /var/www/postfixadmin-3.0
chmod -R u=rwX,g=rX,o= /var/www/postfixadmin-3.0
chown www-data:www-data /var/www/postfixadmin-3.0/templates_c
/etc/init.d/nginx restart

6.6.5 Create the postfixadmin administrator

Open https://postfixadmin.linx-info.com/setup.php

The browser warns because the certificate is self-signed; in Firefox click "I understand the risks" and then "Add exception"

Test postfixadmin

You should see something like this:

Testing database connection - OK - mysqli://mysqli://postfix:xxxxx@localhost/postfixdb

Choose a setup password

Enter the password (rocky123) in the "Setup password" box. A message similar to the following appears:

(screenshot: setup-ps.png)

If you want to use the password you entered as setup password, edit config.inc.php or config.local.php and set

$CONF['setup_password'] = '6441d5a80679a5409ee4c25f3deaeaed:e121e1e5814823cb3276cffd615f2d47d84d8faa';

Put setup_password into the configuration file

Copy the `$CONF['setup_password'] = '6441d5a80679a5409ee4c25f3deaeaed:e121e1e5814823cb3276cffd615f2d47d84d8faa'` line into `/var/www/postfixadmin-3.0/config.inc.php` at the matching position (search config.inc.php for "setup_password"). The value is a salted hash of the password just typed, so every installation gets its own; do not reuse the one printed here.

Create the administrator account

Enter rocky123 in the setup password: field  
Enter admin@linx-info.com in the admin: field  
Enter rocky123 in the password: field  
Enter rocky123 in the password (again): field  
Click the add admin button

Once the administrator exists, setup.php is no longer needed. Block it in the nginx host (a location = /setup.php { deny all; } block) or remove the file, since anyone who learns the setup password can create further administrators through it.

6.7 Configure the spam filter

6.7.1 Add the spam-filter user

adduser spamd --disabled-login

6.7.2 Edit the spamassassin configuration

Replace the contents of /etc/default/spamassassin with the following to enable spamassassin

ENABLED=1
OPTIONS="--create-prefs --max-children 5 -d 127.0.0.1 --username spamd --helper-home-dir /home/spamd/ -s /home/spamd/spamd.log"
PIDFILE="/home/spamd/spamd.pid"
CRON=1

6.7.3 Hook spamassassin into postfix

Edit /etc/postfix/master.cf

Find the line smtp inet n - - - - smtpd and add the following directly below it

    -o content_filter=spamassassin
spamassassin unix  -       n       n       -       -       pipe
   user=nobody argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

With this in place, mail arriving on port 25 is piped through spamc and re-injected via sendmail, after which the content_filter = amavis setting from main.cf (6.5.4) sends it through amavis as well, whose 15-content_filter_mode (6.8.3) runs SpamAssassin a second time. Scanning twice costs CPU and can double-tag subjects; pick one path, normally amavis alone, since it also performs the virus scan.

6.7.4 Start the services

systemctl enable spamassassin
systemctl restart spamassassin
systemctl restart postfix
/etc/init.d/spamassassin status

spamassassin started correctly if the status looks like this

● spamassassin.service - Perl-based spam filter using text analysis
	Loaded: loaded (/lib/systemd/system/spamassassin.service; enabled)
	Active: active (running) since 四 2018-03-15 11:38:17 CST; 21min ago
   Process: 2046 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
   Process: 509 ExecStart=/usr/sbin/spamd -d --pidfile=/var/run/spamassassin.pid $OPTIONS (code=exited, status=0/SUCCESS)
  Main PID: 2070 (/usr/sbin/spamd)
    CGroup: /system.slice/spamassassin.service
			├─2070 /usr/sbin/spamd -d --pidfile=/var/run/spamassassin.pid --create-prefs --max-children 5 -d 127.0....
			├─2086 spamd child
			└─2087 spamd child

6.8 Configure the virus scanner

6.8.1 Update the virus database

/etc/init.d/clamav-freshclam stop
freshclam

(Start clamav-freshclam again afterwards, or the signatures will not be updated automatically.)

6.8.2 Edit the clamsmtp configuration

Edit /etc/clamsmtpd.conf: find Header: and uncomment it, find User: and change the user, as in the following. Nothing in this document routes mail through clamsmtpd (amavis calls clamd directly), so these settings only matter if clamsmtp is wired into master.cf separately.

Header: X-AV-Checked: ClamAV using ClamSMTP
User: clamav

6.8.3 Edit the content-filter mode configuration

Replace the contents of /etc/amavis/conf.d/15-content_filter_mode with the following (uncommenting the two @bypass_*_checks_maps assignments is what turns virus and spam checking on, despite the wording of the stock comments)

use strict;
# You can modify this file to re-enable SPAM checking through spamassassin
# and to re-enable antivirus checking.
#
# Default antivirus checking mode
# Please note, that anti-virus checking is DISABLED by
# default.
# If You wish to enable it, please uncomment the following lines:
@bypass_virus_checks_maps = (
				   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
#
# Default SPAM checking mode
# Please note, that anti-spam checking is DISABLED by
# default.
# If You wish to enable it, please uncomment the following lines:
@bypass_spam_checks_maps = (
				   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
1;  # ensure a defined return

6.8.4 Editing the amavis Debian defaults

Edit /etc/amavis/conf.d/20-debian_defaults, using the following as a reference:

[...]
$QUARANTINEDIR = "$MYHOME/virusmails";
$quarantine_subdir_levels = 1; # enable quarantine dir hashing

$log_recip_templ = undef;    # disable by-recipient level-0 log entries
$DO_SYSLOG = 1;              # log via syslogd (preferred)
$syslog_ident = 'amavis';    # syslog ident tag, prepended to all messages
$syslog_facility = 'mail';
$syslog_priority = 'debug';  # switch to info to drop debug output, etc

$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1

$inet_socket_port = 10024;   # default listening socket

$sa_spam_subject_tag = '***SPAM*** ';
$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.31; # triggers spam evasive actions
$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent

[...]
$final_virus_destiny      = D_DISCARD;  # (data not lost, see virus quarantine)
$final_banned_destiny     = D_BOUNCE;   # D_REJECT when front-end MTA
$final_spam_destiny       = D_BOUNCE;
$final_bad_header_destiny = D_PASS;     # False-positive prone (for spam)
[...]

6.8.5 Editing the user configuration file

Edit /etc/amavis/conf.d/50-user and replace its contents with the following:

use strict;

#
# Place your configuration directives here.  They will override those in
# earlier files.
#
# See /usr/share/doc/amavisd-new/ for documentation and examples of
# the directives you can use in this file
#

$pax='pax';
#------------ Do not modify anything below this line -------------
1;  # ensure a defined return

6.8.6 Editing the node_id configuration file

Edit /etc/amavis/conf.d/05-node_id and replace its contents with the following:

use strict;

# $myhostname is used by amavisd-new for node identification, and it is
# important to get it right (e.g. for ESMTP EHLO, loop detection, and so on).

chomp($myhostname = `hostname --fqdn`);

# To manually set $myhostname, edit the following line with the correct Fully
# Qualified Domain Name (FQDN) and remove the # at the beginning of the line.
#
$myhostname = "mail.linx-info.com";

1;  # ensure a defined return

6.8.7 Hooking the antivirus into Postfix

Edit /etc/postfix/master.cf.

Append the following at the end of the file:

scan      unix  -       -       n       -       16      smtp
    -o smtp_send_xforward_command=yes
    -o smtp_enforce_tls=no
127.0.0.1:10025 inet  n -       n       -       16      smtpd
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks_style=host
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8

6.8.8 Adding the user and restarting the services

adduser clamav amavis
/etc/init.d/amavis restart
/etc/init.d/clamav-daemon restart
/etc/init.d/clamav-freshclam restart
postconf -e 'content_filter = amavis:[127.0.0.1]:10024'
postconf -e 'receive_override_options = no_address_mappings'

6.9 Creating the domain and users in Postfixadmin

Open https://postfixadmin.linx-info.com/ in a browser and log in with the administrator account.

6.9.1 Creating the domain

In Domain List, click Add Domain and fill in the form:

Domain: linx-info.com
Description: linx
Aliases: 0
Mailboxes: 0

[Screenshot: adding the domain]

6.9.2 Creating a mailbox user

In Virtual List, click Add Mailbox and fill in the form:

Username: test
Password: rocky123
Name: test
Quota: 2000

[Screenshot: adding a mailbox user]

6.9.3 Changing the number of mailbox users shown per page

vi /var/www/postfixadmin-3.0/config.inc.php
$CONF['page_size'] = '1000';

Open postfixadmin.linx-info.com/upgrade.php in a browser for the change to take effect.

6.10 Installing and configuring the Roundcube webmail

6.10.1 Downloading roundcubemail

cd /var/www/
wget https://github.com/roundcube/roundcubemail/releases/download/1.3.3/roundcubemail-1.3.3-complete.tar.gz
tar xf roundcubemail-1.3.3-complete.tar.gz
mv roundcubemail-1.3.3 webmail
chown -R www-data webmail
/etc/init.d/nginx restart

6.10.2 Running the Roundcube installer in a browser

  1. Open mail.linx-info.com/installer/index.php in a browser.
  • Checking PHP version must be OK

[Screenshot: PHP version check]

  • Checking databases: mysql must be OK

[Screenshot: database check]

  • General configuration

[Screenshot: webmail general configuration]

  • MySQL credentials and roundcubemail logging

[Screenshot: webmail database configuration]

  • IMAP settings

[Screenshot: webmail IMAP settings]

  • SMTP settings

[Screenshot: webmail SMTP settings]

  • Display and user preference settings

[Screenshot: webmail display and user preference settings]

  • Plugins: tick passwd (the password plugin)

[Screenshot: webmail display and user preference settings]

  • Click Continue to proceed to the test page

[Screenshot: webmail configuration complete]

  • Click the Initialize database button

[Screenshot: webmail database check]

[Screenshot: webmail SMTP and IMAP check]

  • Fill in the fields as in the screenshot and click Send test mail; OK after the refresh means the test passed

  • Enter the password rocky123 as in the screenshot and click Check login; OK after the refresh means the test passed

6.10.3 Configuring the password plugin

Regular users can only change their own password after the password plugin has been configured.

cd /var/www/webmail/plugins/password/
cp config.inc.php.dist config.inc.php

vi config.inc.php

Find password_db_dsn and password_query and change them as follows:

$config['password_db_dsn'] = 'mysql://postfix:rocky123@localhost/postfixdb';
// The SQL query used to change the password.
// The query can contain the following macros that will be expanded as follows:
// %p is replaced with the plaintext new password
// %c is replaced with the crypt version of the new password, MD5 if available
// otherwise DES. More hash function can be enabled using the password_crypt_hash
// configuration parameter.
// %D is replaced with the dovecotpw-crypted version of the new password
// %o is replaced with the password before the change
// %n is replaced with the hashed version of the new password
// %q is replaced with the hashed password before the change
// %h is replaced with the imap host (from the session info)
// %u is replaced with the username (from the session info)
// %l is replaced with the local part of the username
// (in case the username is an email address)
// %d is replaced with the domain part of the username
// (in case the username is an email address)
// Escaping of macros is handled by this module.
// Default: "SELECT update_passwd(%c, %u)"
$config['password_query'] = 'UPDATE mailbox SET password=%c WHERE username=%u';

6.11 Testing the mail server

6.11.1 Testing through the webmail

  1. Open https://mail.linx-info.com in a browser and log in.

Account: test@linx-info.com  Password: rocky123

  2. Internal test

Send and receive with test@linx-info.com as the recipient.

If mail goes both ways normally, it works.

  3. External test

Send a test message with XXXXXXX@qq.com as the recipient.

Then send from XXXXXXX@qq.com to test@linx-info.com to test receiving.

If mail goes both ways normally, it works.

  4. Password change test

[Screenshot: changing the password in the webmail]

6.11.2 Testing with Thunderbird

  1. Configure the mailbox in Thunderbird

Click Local Folders on the left; under Create a new account click Email, then click Skip this and use my existing email.

[Screenshot: creating the mail account in Thunderbird]

Enter the name, email address and password, click Continue, then click Manual config.

[Screenshot: Thunderbird account settings]

Click Confirm Security Exception, then Done.

[Screenshot: confirming the security exception]

  2. Internal test

Send and receive with test@linx-info.com as the recipient, confirming the security exception when prompted.

[Screenshot: confirming the security exception]

If mail goes both ways normally, it works.

  3. External test

Send a test message with XXXXXXX@qq.com as the recipient.

Then send from XXXXXXX@qq.com to test@linx-info.com to test receiving.

If mail goes both ways normally, it works.

6.12 Migrating the user database and mail data

6.12.1 Adding users in bulk

First ssh into the old machine and collect the mailbox users from the mail directory:

cd /var/vmail/
ls > user.lst
vi user.lst
(delete the line containing user.lst itself)

Copy user.lst to the new machine and run the script:

cd /var/www/postfixadmin-3.0/scripts/
vi mail.list.sh
#!/bin/bash
# Create one mailbox per local part listed in $1; the mailbox
# address is the local part followed by @linx-info.com.
for list in $(cat "$1")
do
	echo "$list"@linx-info.com
	#./postfixadmin-cli mailbox delete "$list@linx-info.com"
	./postfixadmin-cli mailbox add "$list"@linx-info.com --password rocky123 --password2 rocky123 --quota 1000 --name "$list"
	#./postfixadmin-cli mailbox update "$list"@linx-info.com --password rocky123 --password2 rocky123 --quota 2000 --name "$list"
	echo $?	# exit status of the add command
	sleep 8
done

bash mail.list.sh user.lst

6.12.2 Migrating the database passwords

  1. Change the password scheme

Edit /etc/dovecot/dovecot-sql.conf.ext:

default_pass_scheme = CRYPT

Edit /var/www/postfixadmin-3.0/config.inc.php:

$CONF['encrypt'] = 'mysql_encrypt';

  2. Update the passwords in the database

ssh into the machine at 172.31.255.3 and export the users and password hashes from the old database:

mysql -u mail_admin -procky -e "use mail;select * from users;" |awk '{print $1 "\t" $2}'  >user-pass.lst

Write the password update script:

vi change_dbpasswd.sh
#!/bin/bash
# Read "user<TAB>password-hash" lines from $1 and copy each hash into the
# new postfixdb.mailbox table. The hashes stay in the format produced by
# MySQL ENCRYPT(), which Dovecot verifies with the CRYPT scheme set above.
IFS=$'\n'
for list in $(cat "$1")
do
	user=$(echo "$list" |awk '{ print $1 }')
	passwd=$(echo "$list" |awk '{ print $2 }')
	#       mysql -uroot -procky123 -e "show databases;use postfixdb;show tables;select * from mailbox where username=\"test@linx-info.com\""
	mysql -uroot -procky123 -e "use postfixdb;update mailbox set password=\"$passwd\"  where username=\"$user\""
done

Run the script to update the passwords (with bash, because IFS=$'\n' is bash syntax that sh does not understand):

bash change_dbpasswd.sh user-pass.lst

6.12.3 Adding a group mailing address

A group mailing address is implemented as an alias.

Open https://postfixadmin.linx-info.com in a browser (account admin@linx-info.com, password rocky123) and log in.

In Virtual List, click Add Alias and fill in the form as shown below: in the To field enter the users from user.lst in 6.12.1, then click the Add Alias button.

[Screenshot: creating the group mailing alias]

6.12.4 Synchronising the mail data

The synchronisation is run several times because the data set is large: the bulk of the data is copied first and only the changes are brought across afterwards, so that the old and new machines end up identical while the downtime stays short.

  1. Initial sync
rsync -aqH root@172.31.255.3:/var/vmail/linx-info.com /var/vmail/
  2. Follow-up sync
rsync -auq root@172.31.255.3:/var/vmail/linx-info.com /var/vmail/

6.13 Antivirus and spam-filter tests

6.13.1 Antivirus test

wget https://secure.eicar.org/eicar.com.txt

Send the downloaded eicar.com.txt as an attachment and check whether it arrives; in principle the recipient must not receive it.

The following entry in the log means the antivirus test passed:

tail -f /var/log/clamav/clamav.log
...
/var/lib/amavis/tmp/amavis-20180227T101259-25737-XQpYuk9H/parts/p002: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
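
Rather than reading the log by eye, the FOUND line can be parsed and the test result checked programmatically. The following Python is an added example, not part of the original document; the log lines in it are constructed to match the clamav.log format shown above.

```python
"""Added example (not part of the original document): confirm the EICAR
test of section 6.13.1 from log lines rather than by eye. It parses the
'<path>: <signature>(<md5>:<size>) FOUND' detections written by ClamAV
and checks that the expected test signature was hit. The log lines below
are constructed from the format shown on this page."""
import re

# path, signature name, md5 of the scanned object, its size, verdict
FOUND_RE = re.compile(
    r"^(?P<path>\S+): (?P<sig>[\w.\-]+)\((?P<md5>[0-9a-f]{32}):(?P<size>\d+)\) FOUND$")

def parse_detection(line):
    """Return a dict for a FOUND line, or None for anything else."""
    m = FOUND_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["size"] = int(d["size"])
    # amavis unpacks each MIME part under .../amavis-<stamp>/parts/pNNN;
    # the directory name identifies the scanned message
    d["amavis_job"] = d["path"].split("/")[-3] if "/parts/" in d["path"] else None
    return d

def eicar_test_passed(log_lines, signature="Eicar-Test-Signature"):
    """True when at least one FOUND entry names the EICAR test signature."""
    return any(d and d["sig"] == signature for d in map(parse_detection, log_lines))

SAMPLE_LOG = [  # constructed sample, shaped like the page's clamav.log excerpt
    "Thu Mar  8 09:11:49 2018 -> SelfCheck: Database status OK.",
    "/var/lib/amavis/tmp/amavis-20180227T101259-25737-XQpYuk9H/parts/p002: "
    "Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND",
    "/var/lib/amavis/tmp/amavis-20180227T101300-25738-AbCdEfGh/parts/p001: OK",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        d = parse_detection(line)
        if d:
            print(f"{d['amavis_job']}: {d['sig']} in part {d['path'].rsplit('/', 1)[-1]}")
    print("EICAR test passed" if eicar_test_passed(SAMPLE_LOG) else "no detection")
```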

6.13.2 Spam test

wget http://spamassassin.apache.org/gtube/gtube.txt

Send the downloaded gtube.txt as an attachment and check whether it arrives; in principle the recipient must not receive it, and the sender receives a notification from the mail server saying the message was "considered unsolicited bulk email". That means the spam-filter test passed.

6.14 Adjusting the attachment size limit

6.14.1 Changing the message size settings in Postfix

  1. Postfix is the mail transfer agent (MTA), so its configuration has to be changed for it to accept messages with large attachments.

To allow attachments of 100MB, set message_size_limit and mailbox_size_limit as follows:

postconf -e message_size_limit='104857600'
postconf -e mailbox_size_limit='104857600'
  2. Then restart Postfix for the change to take effect:
/etc/init.d/postfix restart

Note:

104857600 is 100 (MB) x 1024 (KB per MB) x 1024 (bytes per KB). Mail clients (Outlook, Thunderbird, etc.) re-encode the message before sending, so the message ends up larger than 100MB; it is therefore advisable to set the limits above to 110MB or 120MB instead.

If mailbox_size_limit is smaller than message_size_limit, the Postfix log shows this error: fatal: main.cf configuration error: mailbox_size_limit is smaller than message_size_limit. With both values set, clients can send mail normally.

6.14.2 Changing the attachment upload size in the Roundcube webmail

  1. When the Roundcube webmail is used, two more places need changing:

Change the PHP settings to allow large uploads

In the PHP configuration files /etc/php/7.0/cli/php.ini and /etc/php/7.0/fpm/php.ini, change the three parameters memory_limit, upload_max_filesize and post_max_size:

memory_limit = 200M
upload_max_filesize = 100M
post_max_size = 100M
  2. Change the Roundcube webmail settings to allow large uploads

Edit the .htaccess file in the roundcube directory:

php_value    memory_limit   200M
php_value    upload_max_filesize    100M
php_value    post_max_size  100M
  3. Restart php-fpm for the changes to take effect.
/etc/init.d/php7.0-fpm restart

6.14.3 Limiting the upload size in Nginx

  1. In /etc/nginx/nginx.conf find the client_max_body_size parameter and change it as needed (or set it in the site configuration /etc/nginx/sites-enabled/mail.linx-info.com):
http {
		...
		client_max_body_size 100m;
		...
}
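
The settings of this section are spread across Postfix, PHP and Nginx and only work when they agree with each other. The following Python check is an added example (not part of the original document): it normalises the values this section configures to bytes and applies the rules stated above, including the base64 headroom behind the 110-120MB suggestion.

```python
"""Added example (not part of the original document): cross-check the
attachment-size settings of section 6.14 against each other. Postfix wants
bytes, PHP and Nginx take K/M/G suffixes; everything is normalised to bytes
and the page's rules are applied: message_size_limit must leave room for
the client's base64 re-encoding (about 4/3), mailbox_size_limit must not be
smaller than message_size_limit, PHP needs upload_max_filesize <=
post_max_size <= memory_limit, and Nginx must accept the PHP post size."""
import math

UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}

def to_bytes(value):
    """'100M', '200m', '100m' or '104857600' -> integer byte count."""
    s = str(value).strip().lower().rstrip("b")
    num, suffix = (s[:-1], s[-1]) if s and s[-1] in "kmg" else (s, "")
    return int(num) * UNITS[suffix]

def recommended_message_size_limit(attachment_mb, overhead=4 / 3):
    """Bytes a message needs so that an attachment of attachment_mb still
    fits after the mail client has base64-encoded it."""
    return math.ceil(attachment_mb * 1024 * 1024 * overhead)

def check_limits(postfix, php, nginx, attachment_mb):
    """Return a list of problems; an empty list means the settings agree."""
    problems = []
    msg, box = to_bytes(postfix["message_size_limit"]), to_bytes(postfix["mailbox_size_limit"])
    if box and box < msg:  # 0 means unlimited in Postfix
        problems.append("mailbox_size_limit is smaller than message_size_limit")
    need = recommended_message_size_limit(attachment_mb)
    if msg < need:
        problems.append(f"message_size_limit {msg} < {need} needed for {attachment_mb} MB attachments")
    up, post, mem = (to_bytes(php[k]) for k in ("upload_max_filesize", "post_max_size", "memory_limit"))
    if not up <= post <= mem:
        problems.append("PHP: upload_max_filesize <= post_max_size <= memory_limit violated")
    if to_bytes(nginx["client_max_body_size"]) < post:
        problems.append("nginx client_max_body_size is below PHP post_max_size")
    return problems

# The values this page configures: 100 MB everywhere, PHP memory_limit 200M.
PAGE_POSTFIX = {"message_size_limit": "104857600", "mailbox_size_limit": "104857600"}
PAGE_PHP = {"memory_limit": "200M", "upload_max_filesize": "100M", "post_max_size": "100M"}
PAGE_NGINX = {"client_max_body_size": "100m"}

if __name__ == "__main__":
    for p in check_limits(PAGE_POSTFIX, PAGE_PHP, PAGE_NGINX, attachment_mb=100):
        print("WARN:", p)  # reports the base64 headroom problem the note above warns about
```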

7 Mail server maintenance (the first method is recommended)

7.1 Method one:

Open https://postfixadmin.linx-info.com in a browser.

Account admin@linx-info.com, password rocky123

Log in to manage the mailbox users.

7.1.1. Creating a user (for a new colleague joining)

Under Virtual List click Add Mailbox, then fill in the new colleague's details as required.

[Screenshot: adding a mailbox user]

7.1.2. Modifying a user

In Virtual List, find the mailbox account to modify under Mailboxes and click Edit.

[Screenshot: editing or deleting a mailbox account]

7.1.3. Deleting a user (for a colleague leaving)

In Virtual List, find the mailbox account to delete under Mailboxes and click Delete.

[Screenshot: editing or deleting a mailbox account]

7.2 Method two: (suited to bulk operations)

7.2.1. Creating a user (for a new colleague joining)

cd /var/www/postfixadmin-3.0/scripts/
./postfixadmin-cli mailbox add new@linx-info.com --password rocky123 --password2 rocky123 --quota 2000 --name new (new is the user's local part; the argument after --name is the display name)

7.2.2. Modifying a user

./postfixadmin-cli mailbox update list@linx-info.com --password rocky123 --password2 rocky123 --quota 2000 --name list (changes the password, quota and display name of the given user)

7.2.3. Deleting a user (for a colleague leaving)

./postfixadmin-cli mailbox delete "libai@linx-info.com" (deletes the user's mailbox)
# Also remove the departed colleague from the alias members.

7.3 Managing the group mailing address

7.3.1 Managing the alias all@linx-info.com

The group mailing address is managed by adding addresses to, or removing them from, the alias all@linx-info.com.

Open https://postfixadmin.linx-info.com in a browser (account admin@linx-info.com, password rocky123) and log in.

In Virtual List, under Aliases, the row for all@linx-info.com has an Edit link; use it to add or remove the corresponding mailboxes.

[Screenshot: managing the group mailing alias]

8 Issue log

8.1 Confirming the security exception

  1. Because the certificate has expired, the server's own certificate is used for now, so a security exception has to be confirmed when connecting; this applies to both the outgoing and the incoming mail service.

  2. To test, send a message to yourself: the security exception dialog appears on both sending and receiving, click Confirm each time, then check that mail is sent and received normally.

  3. For some users the dialog does not appear automatically; restart the client and then repeat steps 1 and 2.

8.2 Existing folders not shown in the mail client

  1. For some users the subfolders of the inbox are not shown and have to be subscribed to.

  2. Folders can be managed through the webmail: log in at mail.linx-info.com.

  3. Click Settings at the top right, then Folders on the left.

  4. In the folder list, select the folders to be shown.

  5. Alternatively, look for the corresponding function in the mail client itself.

8.3 Business department cannot send to external addresses

  1. Mail sent by the business department from Outlook to external addresses was bounced.

  2. Checked the basic configuration and found no problem.

  3. Set up a virtual machine to test the software environment.

  4. Sending worked there, so the suspicion fell on configuration, specifically something network related.

  5. Sending to external addresses failed (all subnets that need to relay must be added to mynetworks):

vi /etc/postfix/main.cf
mynetworks = 127.0.0.0/8 127.0.0.1 172.17.201.0/24 172.16.0.0/24 172.31.255.0/24 172.16.3.0/24
  6. The old mail server had mynetworks = 127.0.0.0/8,172.16.0.0/24 (it is unclear why mail was not bounced there).
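
Every address inside mynetworks relays through this server without authenticating, so the list above is worth checking before it is widened further. The following Python is an added example (not part of the original document): it parses the mynetworks value from this section and evaluates client addresses the way permit_mynetworks does, flagging public ranges and redundant entries. The client addresses it tests are constructed.

```python
"""Added example (not part of the original document): evaluate Postfix's
mynetworks the way permit_mynetworks does. Every client inside one of
these ranges may relay to external domains without SMTP authentication,
so the list from section 8.3 should contain only networks that are trusted.
The mynetworks value is the one from this page; the client addresses in
the demo are constructed."""
import ipaddress

PAGE_MYNETWORKS = "127.0.0.0/8 127.0.0.1 172.17.201.0/24 172.16.0.0/24 172.31.255.0/24 172.16.3.0/24"

def parse_mynetworks(value):
    """Split a main.cf mynetworks value (space or comma separated) into networks.
    A bare address such as 127.0.0.1 becomes a /32, as Postfix treats it."""
    return [ipaddress.ip_network(tok, strict=False)
            for tok in value.replace(",", " ").split()]

def relay_allowed(client_ip, networks):
    """True when permit_mynetworks would let client_ip relay."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in networks)

def audit_mynetworks(value):
    """Flag entries that are not loopback or RFC 1918 (they would grant relay
    rights to Internet hosts) and entries made redundant by a wider one."""
    nets = parse_mynetworks(value)
    findings = []
    for net in nets:
        if not (net.is_private or net.is_loopback):
            findings.append(f"{net}: public range in mynetworks (open relay risk)")
        if any(other != net and net.subnet_of(other) for other in nets):
            findings.append(f"{net}: already covered by a wider entry")
    return findings

if __name__ == "__main__":
    nets = parse_mynetworks(PAGE_MYNETWORKS)
    # constructed clients: one inside 172.17.201.0/24, one inside 172.16.3.0/24,
    # one Internet host (TEST-NET-3 documentation range)
    for ip in ("172.17.201.50", "172.16.3.20", "203.0.113.5"):
        print(ip, "relay allowed" if relay_allowed(ip, nets) else "needs SMTP AUTH")
    for f in audit_mynetworks(PAGE_MYNETWORKS):
        print("NOTE:", f)
```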

8.4 Automatic mail from the Chengdu GitLab stopped working

  1. Investigation found that the corresponding mailbox did not exist on the mail server.

  2. Chengdu reported that it worked again after restarting their router.

8.5 Network failure caused by SYN flooding

  1. Edit /etc/sysctl.conf:
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_syn_retries = 2

  2. Apply the configuration:
sysctl -p

9 Reference links

http://www.javashuo.com/content/p-5123204.html
https://bbs.aliyun.com/read/300051.html
https://www.rosehosting.com/blog/setup-and-configure-a-mail-server-with-postfixadmin/

10 Archive

Document archive

Configuration and software package archive