SMTP-->SMTPS
ESMTP
POP3郵局協議
IMAP4互聯網郵件訪問協議
SASL簡單認證安全層
MDA郵件投遞代理
procmail,maildrop
MUA郵件用戶代理
mutt,mail
[email protected] --> c.com(MX)-->[email protected]
Mail Relay郵件中繼
MTA:sendmail qmail postfix exim
Postfix:模塊化設計, master (/etc/postfix/master.cf)
(/etc/postfix/main.cf)
postconf
-d
-n
-A客戶端支持的SASL插件類型
-e 參數=值
-m
-a服務器端支持的SASL插件類型
SMTP:
helo
mail from
rcpt to
data
.
quit
MX:mail.mylinux.com
爲postfix提供SysV服務腳本/etc/rc.d/init.d/postfix,
#!/bin/bash
#
# postfix Postfix Mail Transfer Agent
#
# chkconfig: 2345 80 30
# description: Postfix is a Mail Transport Agent, which is the program \
# that moves mail from one machine to another.
# processname: master
# pidfile: /var/spool/postfix/pid/master.pid
# config: /etc/postfix/main.cf
# config: /etc/postfix/master.cf
# Source function library.
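# Source function library (provides success, failure, status).
. /etc/rc.d/init.d/functions
# Source networking configuration (sets NETWORKING).
. /etc/sysconfig/network
# Check that networking is up. The expansion is quoted so that an unset or
# empty NETWORKING evaluates to a plain false instead of producing a
# "[: =: unary operator expected" error on stderr at every boot.
[ "$NETWORKING" = "no" ] && exit 3
# Refuse to run, with distinct exit codes, when the binary, the configuration
# directory or the spool directory is missing.
[ -x /usr/sbin/postfix ] || exit 4
[ -d /etc/postfix ] || exit 5
[ -d /var/spool/postfix ] || exit 6
# RETVAL is set by start/stop/reload below and returned to the caller.
RETVAL=0
prog="postfix"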
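start() {
  # Start daemons: rebuild the alias database, then bring up the master
  # process. Postfix's own output is discarded; the status line is printed
  # by success()/failure() from /etc/rc.d/init.d/functions.
  echo -n $"Starting postfix: "
  # Best effort: a failing newaliases does not block the start.
  /usr/bin/newaliases >/dev/null 2>&1
  # if/else instead of "cmd && success || failure": the latter also runs
  # failure() whenever success() itself returns non-zero.
  if /usr/sbin/postfix start >/dev/null 2>&1; then
    success
  else
    failure $"$prog start"
  fi
  RETVAL=$?
  # The subsys lock file is what the condrestart arm checks for.
  [ "$RETVAL" -eq 0 ] && touch /var/lock/subsys/postfix
  echo
  return $RETVAL
}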
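stop() {
  # Stop daemons and, on success, drop the subsys lock file.
  echo -n $"Shutting down postfix: "
  # if/else instead of "cmd && success || failure": the latter also runs
  # failure() whenever success() itself returns non-zero.
  if /usr/sbin/postfix stop >/dev/null 2>&1; then
    success
  else
    failure $"$prog stop"
  fi
  RETVAL=$?
  [ "$RETVAL" -eq 0 ] && rm -f /var/lock/subsys/postfix
  echo
  return $RETVAL
}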
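reload() {
  # Ask the running master to re-read its configuration; the lock file is
  # left untouched because the service keeps running.
  echo -n $"Reloading postfix: "
  # if/else instead of "cmd && success || failure": the latter also runs
  # failure() whenever success() itself returns non-zero.
  if /usr/sbin/postfix reload >/dev/null 2>&1; then
    success
  else
    failure $"$prog reload"
  fi
  RETVAL=$?
  echo
  return $RETVAL
}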
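abort() {
  # Abort the mail system immediately; returns the status of
  # success()/failure(), which report the outcome of "postfix abort".
  if /usr/sbin/postfix abort >/dev/null 2>&1; then
    success
  else
    failure $"$prog abort"
  fi
  return $?
}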
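flush() {
  # Flush the mail queue; returns the status of success()/failure(),
  # which report the outcome of "postfix flush".
  if /usr/sbin/postfix flush >/dev/null 2>&1; then
    success
  else
    failure $"$prog flush"
  fi
  return $?
}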
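check() {
  # Run Postfix's own configuration/permission check; returns the status of
  # success()/failure(), which report the outcome of "postfix check".
  if /usr/sbin/postfix check >/dev/null 2>&1; then
    success
  else
    failure $"$prog check"
  fi
  return $?
}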
restart() {
  # Cycle the service: stop, then start. The return status is start()'s;
  # a failed stop does not prevent the start attempt.
  stop; start
}
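# See how we were called. Each arm runs one action; the script's exit status
# is that action's status (see the final exit).
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    # Call the restart() helper so this arm and condrestart behave the same.
    restart
    ;;
  reload)
    reload
    ;;
  abort)
    abort
    ;;
  flush)
    flush
    ;;
  check)
    check
    ;;
  status)
    status master
    ;;
  condrestart)
    # Only restart when the subsys lock says the service was running;
    # otherwise do nothing and succeed.
    [ -f /var/lock/subsys/postfix ] && restart || :
    ;;
  *)
    echo $"Usage: $0 {start|stop|restart|reload|abort|flush|check|status|condrestart}"
    exit 1
esac
# Propagate the status of whichever action ran.
exit $?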
# END
vim /etc/init.d/postfix
chmod +x /etc/init.d/postfix
chkconfig --add postfix
service postfix restart
[root@localhost ~]# vim /etc/postfix/main.cf
修改以下幾項需要的配置
指定運行postfix郵件系統時主機的主機名,即postfix系統要接收哪個域名的郵件:
myhostname = mail.mylinux.com
指明發件人所在的域名,即做發件地址僞裝:
myorigin = mylinux.com
參數指定域名,默認情況下,postfix將myhostname的第一部分刪除而作爲mydomain的值
mydomain = mylinux.com
指定運行postfix接收郵件時收件人的域名,即postfix系統要接收哪個域名的郵件
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
指定所在網絡的網絡地址,postfix系統根據其值來區別用戶是遠程的還是本地的,如果是本地網絡用戶則允許訪問
mynetworks = 192.168.1.0/24, 127.0.0.0/8
監聽的端口$myhostname 表示監聽本機IP的25號端口,localhost表示127.0.0.1的25號端口
inet_interfaces = $myhostname, localhost
[root@localhost ~]# hostname mail.mylinux.com
[root@localhost ~]# vim /etc/sysconfig/network 永久修改主機名
HOSTNAME=mail.mylinux.com
查看是否安裝過DNS服務器
[root@localhost ~]# rpm -qa |grep bind
ypbind-1.20.4-30.el6.x86_64
rpcbind-0.2.0-11.el6.x86_64
bind-libs-9.8.2-0.17.rc1.el6_4.6.x86_64
samba-winbind-clients-3.6.9-164.el6.x86_64
bind-utils-9.8.2-0.17.rc1.el6_4.6.x86_64
samba-winbind-3.6.9-164.el6.x86_64
[root@localhost ~]# yum remove bind-libs
[root@localhost ~]# yum install bind
[root@localhost ~]# yum install bind-utils
[root@localhost ~]# vim /etc/named.conf
options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; };
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
[root@localhost ~]# service named start
Starting named: [ OK ]
[root@localhost ~]# vim /etc/named.rfc1912.zones
定義一個正向區域
zone "mylinux.com" IN {
type master;
file "mylinux.com.zone";
allow-update { none; };
allow-transfer { none; };
};
定義一個反向區域
zone "1.168.192.in-addr.arpa" IN {
type master;
file "192.168.1.zone";
allow-update { none; };
allow-transfer { none; };
};
[root@mail ~]# named-checkconf /etc/named.conf 檢查語法
[root@mail ~]# cd /var/named/
[root@mail named]# vim mylinux.com.zone
$TTL 600
@ IN SOA ns.mylinux.com. admin.mylinux.com. (
2016080801
2H
10M
3D
1D
)
@ IN NS ns
@ IN MX 10 mail
ns IN A 192.168.1.50
mail IN A 192.168.1.50
[root@mail named]# cp mylinux.com.zone 192.168.1.zone
[root@mail named]# vim 192.168.1.zone
$TTL 600
@ IN SOA ns.mylinux.com. admin.mylinux.com. (
2016080801
2H
10M
3D
1D
)
@ IN NS ns.mylinux.com.
50 IN PTR mail.mylinux.com.
50 IN PTR ns.mylinux.com.
[root@mail named]# chown root.named 192.168.1.zone mylinux.com.zone
[root@mail named]# chmod 640 mylinux.com.zone 192.168.1.zone
檢查語法
[root@mail named]# named-checkzone "mylinux.com" mylinux.com.zone
zone mylinux.com/IN: loaded serial 2016080801
OK
[root@mail named]# named-checkzone "1.168.192.in-addr.arpa" 192.168.1.zone
zone 1.168.192.in-addr.arpa/IN: loaded serial 2016080801
OK
[root@mail named]# service named restart
Stopping named: . [ OK ]
Starting named: [ OK ]
[root@mail named]#
[root@mail named]# chkconfig named on
[root@mail named]# dig -t MX mylinux.com @192.168.1.50
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -t MX mylinux.com @192.168.1.50
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8645
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; QUESTION SECTION:
;mylinux.com. IN MX
;; ANSWER SECTION:
mylinux.com. 600 IN MX 10 mail.mylinux.com.
;; AUTHORITY SECTION:
mylinux.com. 600 IN NS ns.mylinux.com.
;; ADDITIONAL SECTION:
mail.mylinux.com. 600 IN A 192.168.1.50
ns.mylinux.com. 600 IN A 192.168.1.50
;; Query time: 1 msec
;; SERVER: 192.168.1.50#53(192.168.1.50)
;; WHEN: Mon Aug 8 13:25:36 2016
;; MSG SIZE rcvd: 99
[root@mail named]# dig -t A mail.mylinux.com @192.168.1.50
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -t A mail.mylinux.com @192.168.1.50
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15877
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;mail.mylinux.com. IN A
;; ANSWER SECTION:
mail.mylinux.com. 600 IN A 192.168.1.50
;; AUTHORITY SECTION:
mylinux.com. 600 IN NS ns.mylinux.com.
;; ADDITIONAL SECTION:
ns.mylinux.com. 600 IN A 192.168.1.50
;; Query time: 1 msec
;; SERVER: 192.168.1.50#53(192.168.1.50)
;; WHEN: Mon Aug 8 13:26:34 2016
;; MSG SIZE rcvd: 83
[root@mail named]# dig -x 192.168.1.50 @192.168.1.50
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -x 192.168.1.50 @192.168.1.50
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38905
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;50.1.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
50.1.168.192.in-addr.arpa. 600 IN PTR ns.mylinux.com.
50.1.168.192.in-addr.arpa. 600 IN PTR mail.mylinux.com.
;; AUTHORITY SECTION:
1.168.192.in-addr.arpa. 600 IN NS ns.mylinux.com.
;; ADDITIONAL SECTION:
ns.mylinux.com. 600 IN A 192.168.1.50
;; Query time: 0 msec
;; SERVER: 192.168.1.50#53(192.168.1.50)
;; WHEN: Mon Aug 8 13:27:42 2016
;; MSG SIZE rcvd: 120
[root@mail named]# cd /etc/postfix
[root@mail postfix]# service postfix start
[root@mail postfix]# tail /var/log/maillog
[root@mail postfix]# vim /etc/resolv.conf
nameserver 192.168.1.50
MRA:
cyrus-imap,dovecot
dovecot 依賴mysql客戶端
[root@mail etc]# yum install dovecot 接收郵件的服務器
pop3:110/tcp
imap4:143/tcp
以明文方式工作。
dovecot服務器支持4種協議pop3,imap4,pops,imaps
配置文件:/etc/dovecot.conf
有SASL認證能力,
郵箱格式:
mbox,一個文件存儲所有郵件;
maildir:一個文件存儲一封郵件,所有郵件存儲在一個目錄中;
[root@mail yum.repos.d]# vim /etc/dovecot/dovecot.conf
protocols = imap pop3 啓用,只保留2個明文的協議
[root@mail yum.repos.d]# service dovecot start
Starting Dovecot Imap: [ OK ]
telnet mail.mylinux.com 110
USER openstack 收件人
PASS openstack 密碼
LIST 列出郵件
RETR 1 選擇第一封郵件
postfix + SASL 用戶認證
1.啓用sasl,啓動sasl服務
/etc/init.d/saslauthd 服務腳本
/etc/sysconfig/saslauthd 配置文件
[root@mail yum.repos.d]# saslauthd -v 顯示當前服務器支持哪些認證
saslauthd 2.1.23
authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap
[root@mail yum.repos.d]# vim /etc/sysconfig/saslauthd
MECH=shadow 表示支持的認證
[root@mail yum.repos.d]# service saslauthd start
[root@mail yum.repos.d]# chkconfig saslauthd on
[root@mail yum.repos.d]# testsaslauthd -u admin -p admin 用戶認證 -u用戶名 -p密碼
[root@mail yum.repos.d]# postconf -a 查看服務器支持哪些認證
cyrus 表示支持Cyrus SASL
dovecot
smtp:
限制 只允許哪些用戶連接
connection: smtpd_client_restrictions = check_client_access hash:/etc/postfix/access
只允許哪些用戶發送helo
helo: smtpd_helo_restrictions = check_helo_access mysql:/etc/postfix/mysql_user
只允許哪些用戶發送
mail from: smtpd_sender_restrictions =
只允許發送給哪些用戶
rcpt to: smtpd_recipient_restrictions =
限制data
data: smtpd_data_restrictions =
#vi /etc/postfix/main.cf
添加以下內容:
############################CYRUS-SASL############################
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_invalid_hostname,reject_non_fqdn_hostname,reject_unknown_sender_domain,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unauth_pipelining,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sasl_path = smtpd
smtpd_banner = Welcome to our $myhostname ESMTP,Warning: Version not Available!
#vim /usr/lib/sasl2/smtpd.conf
添加如下內容:
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
讓postfix重新加載配置文件
#/usr/sbin/postfix reload
# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 Welcome to our mail.magedu.com ESMTP,Warning: Version not Available!
ehlo mail.magedu.com
250-mail.magedu.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN (請確保您的輸出中有類似的這兩行)
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
查找表:
/etc/postfix/access 訪問控制文件 -->hash格式 --> /etc/postfix/access.db
[email protected] reject 來自這個區域的郵件拒絕
microsoft.com ok 接收
[root@mail mail]# postconf -m 查看
btree
cidr
environ
hash
ldap
mysql
nis
pcre
proxy
regexp
static
unix
實現示例
這裏以禁止192.168.1.33這臺主機通過工作在192.168.1.51上的postfix服務發送郵件爲例演示說明其實現過程。訪問表使用hash的格式。
(1)首先,編輯/etc/postfix/access文件,以之做爲客戶端檢查的控制文件,在裏面定義如下一行:
172.16.100.200 REJECT
(2)將此文件轉換爲hash格式
# postmap /etc/postfix/access
(3)配置postfix使用此文件對客戶端進行檢查
編輯/etc/postfix/main.cf文件,添加如下參數:
smtpd_client_restrictions = check_client_access hash:/etc/postfix/access
(4)讓postfix重新載入配置文件即可進行發信控制的效果測試了。
實現示例
這裏以禁止通過本服務器向microsoft.com域發送郵件爲例演示其實現過程。訪問表使用hash的格式。
(1)首先,建立/etc/postfix/denydstdomains文件(文件名任取),在裏面定義如下一行:
microsoft.com REJECT
(2)將此文件轉換爲hash格式
# postmap /etc/postfix/denydstdomains
(3)配置postfix使用此文件對客戶端進行檢查
編輯/etc/postfix/main.cf文件,添加如下參數:
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/denydstdomains,
(4)讓postfix重新載入配置文件即可進行發信控制的效果測試了。
拒絕發給誰
----------------------------------------------------------------
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/denydstdomains, reject_unauth_destination,permit_mynetworks
-------------------------------------------------------------------------
檢查表格式的說明
hash類的檢查表都使用類似如下的格式:
pattern action
檢查表文件中,空白行、僅包含空白字符的行和以#開頭的行都會被忽略。以空白字符開頭後跟其它非空白字符的行會被認爲是前一行的延續,是一行的組成部分。
(1)關於pattern
其pattern通常有兩類地址:郵件地址和主機名稱/地址。
郵件地址的pattern格式如下:
user@domain 用於匹配指定郵件地址;
domain.tld 用於匹配以此域名作爲郵件地址中的域名部分的所有郵件地址;
user@ 用於匹配以此作爲郵件地址中的用戶名部分的所有郵件地址;
主機名稱/地址的pattern格式如下:
domain.tld 用於匹配指定域及其子域內的所有主機;
.domain.tld 用於匹配指定域的子域內的所有主機;
net.work.addr.ess
net.work.addr
net.work
net 用於匹配特定的IP地址或網絡內的所有主機;
network/mask CIDR格式,匹配指定網絡內的所有主機;
關於action
接受類的動作:
OK 接受其pattern匹配的郵件地址或主機名稱/地址;
全部由數字組成的action 隱式表示OK;
拒絕類的動作(部分):
4NN text
5NN text
其中4NN類表示過一會兒重試;5NN類表示嚴重錯誤,將停止重試郵件發送;421和521對於postfix來說有特殊意義,儘量不要自定義這兩個代碼;
REJECT optional text... 拒絕;text爲可選信息;
DEFER optional text... 拒絕;text爲可選信息;
郵件別名。
[root@mail mail]# vim /etc/aliases
# Person who should get root's mail
#root: marc
a: haddop
b: haddop
[root@mail mail]# newaliases 重讀別名
開啓SASL後:
[root@mail mail]# echo -n "admin" |openssl base64
YWRtaW4=
[root@mail mail]# telnet 192.168.1.51 25
Trying 192.168.1.51...
Connected to 192.168.1.51.
Escape character is '^]'.
220 Welcome to our mail.mylinux.com ESMTP,Warning: Version not Available!
ehlo mail.mylinux.com
250-mail.mylinux.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
auth login
334 VXNlcm5hbWU6
YWRtaW4=
334 UGFzc3dvcmQ6
YWRtaW4=
235 2.7.0 Authentication successful
mail from:[email protected]
250 2.1.0 Ok
rcpt to:[email protected]
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
hello
.
250 2.0.0 Ok: queued as 50821BFCB1
quit
221 2.0.0 Bye