Bind openLDAP Postfix dovecot-sa

    Author: Zal哥哥 | Source: published on 2021-01-04 20:48, 0 reads

    Installing a mailserver is a quite complex matter because several components are involved. Since there are many different operational scenarios, there are many different possible configurations, thus lots of different howtos around the internet. In this howto I’m going to describe the basic configuration of a mail server which has the following characteristics:

    • Everything runs on CentOS 6.7
    • All software packages are taken from the repository (no compiling necessary)
    • The server is directly connected to the internet using a static IP address
    • Users don’t have system accounts on the Unix machine
    • User accounts are virtual accounts stored in an LDAP
    • Users with a valid LDAP account can …
      • Send and receive mail via POP3/IMAP
      • Send and receive mail via Web Interface

    Spam and virus protection (amavis, clamav, spamassassin) is not covered by this howto.

    Graphical overview of the set-up:

    [image: graphical overview of the set-up]

    These are the necessary components:

    • Postfix as MTA (Mail Transfer Agent) –> This is the SMTP server. It accepts incoming mail (after a successful LDAP lookup of the recipient address) and passes it to Dovecot. It forwards outgoing mail (after the user successfully authenticated) to the next responsible SMTP server.
    • Dovecot as LDA (Local Delivery Agent) –> This is the POP3 and IMAP server. It accepts incoming mail from Postfix and stores it in virtual mailboxes. It is connected to the LDAP for user authentication and lookups.
    • Cyrus SASL –> Provides authentication for the SMTP server (since users are only allowed to send mail after they authenticated). User and password verification is done via LDAP.
    • LDAP –> This is the directory service that stores the (virtual) user accounts for the mail server. It uses the postfix-book schema. [UPDATE 2017-11-17: The original postfix-book schema seems to be no longer available, but there is one on Github]
    • Roundcube –> This is a web interface that lets users access their mail via web browser instead of a mail client (Mail User Agent). In addition to a webserver (e.g. Apache) Roundcube requires a database to store user settings (e.g. MySQL).

    As for this howto, everything is running on a single machine. In real life (especially when you have to deal with a lot of users), it might be better to have dedicated machines for certain services. If you use dedicated machines, however, you have to make sure that the communication between these is secure!

    Basic Prerequisites

    1. Connectivity

    The server must be connected to the internet and should be accessible through the following ports:

    • 25 (SMTP)
    • 80 (HTTP)
    • 110 (POP3)
    • 143 (IMAP)
    • 443 (HTTPS)

    If you have any firewalls, don’t forget to open the necessary ports.

    2. System Time

    The server should have an accurate system time, e.g. by using NTP.

    3. Hostname

    The server needs a fully-qualified hostname (e.g. mail.example.com), because otherwise foreign mail servers might not accept mails from it. This can be checked with the following command: hostname -f

    The hostname can be configured in the following config files:

    • /etc/hostname
    • /etc/hosts

    4. DNS Resolution

    The server must be configured to use a working DNS server. Traditionally, DNS servers have to be added to /etc/resolv.conf, but on Ubuntu these are configured via the Network Manager, preferably through the GUI, or by manually editing the config file in /etc/NetworkManager/system-connections.

    5. DNS Records

    The hostname needs to be resolvable in both directions (hostname –> ip & ip –> hostname), so your provider needs to set the following DNS Records for you:

    • A Record (forward lookup, resolves a hostname to an IPv4 address)
    • AAAA Record (forward lookup, resolves a hostname to an IPv6 address)
    • PTR Record (reverse lookup, resolves an IP address to a hostname)
    • MX Record (provides the hostname of a domain’s mail server)

    This can be checked with the following commands:

    dig mail.example.com A +short # should return your server's IPv4 address
    dig mail.example.com AAAA +short # should return your server's IPv6 address, if configured
    dig -x <ip address> +short # should return your fully-qualified hostname
    dig example.com MX +short # should return your mail server's fully-qualified hostname

    6. Logging

    For troubleshooting it is important that the logging service is working. This is rsyslogd by default, the configuration can be found in /etc/rsyslog.d. By default, mail-related log will go to /var/log/mail.log.

    Reference link: http://acidx.net/wordpress/2014/06/installing-a-mailserver-with-postfix-dovecot-sasl-ldap-roundcube/

    Install DNS

    sudo yum install -y bind bind-chroot bind-utils

    sudo service named start

    sudo tail -n 100 /var/log/messages

    sudo vim /etc/named.rfc1912.zones

    ...
    zone "tst.com" IN {
            type master;
            file "named.tst.com";
            allow-update { none; };
    };
    zone "ttt.com" IN {
            type master;
            file "named.ttt.com";
            allow-update { none; };
    };

    sudo cp /var/named/named.localhost /var/named/named.tst.com

    sudo ls -al /var/named

    sudo vim /var/named/named.tst.com

    $TTL 1D
    @       IN SOA  @ rname.invalid. (
                                            0       ; serial
                                            1D      ; refresh
                                            1H      ; retry
                                            1W      ; expire
                                            3H )    ; minimum
            NS      @
            A       10.20.0.30
            AAAA    ::1
            MX      10 exchange1.tst.com.
    exchange1.tst.com. A 10.20.0.30
    

    sudo cp /var/named/named.tst.com /var/named/named.ttt.com

    sudo chown root.named /var/named/named.tst.com

    sudo chown root.named /var/named/named.ttt.com

    sudo vim /etc/resolv.conf

    # Generated by NetworkManager
    search tst.com
    nameserver 127.0.0.1
    nameserver 10.10.0.28

    sudo service named restart

    dig -t mx ttt.com

    dig -t mx tst.com

    Notes on the DNS configuration

    Add the domain's A record and the reverse-lookup configuration

    sudo vim named.rfc1912.zones

    zone "webdev06.ttt.com." IN {
      type master;
      file "webdev06.ttt.com.zone";
      allow-update { none; };
    }; 
    
    zone "0.20.10.in-addr.arpa" IN {
      type master;
      file "0.20.10.zone";
      allow-update { none; };
    }; 
    

    Create the new zone files under /var/named

    cp -a named.localhost webdev06.ttt.com.zone
    cp -a named.localhost 0.20.10.zone

    vim webdev06.ttt.com.zone

    ; names on the right-hand side end in "." so that BIND does not append the zone origin
    @        NS    webdev06.sstparts.com.
    ns       A     10.3.0.6
    mail     A     10.3.0.6
    @        MX    10   webdev06.sstparts.com.
    

    If the mail server does not have several domains, the MX priority can be anything (there is only one anyway); the highest priority is 1 and the lowest 50. When the higher-priority record cannot be resolved, the lower-priority one is tried.

    vim 0.20.10.zone

    @        NS    webdev06.sstparts.com.
    6        PTR   webdev06.sstparts.com.
    

    After configuring the A and MX records, add a TXT record as the SPF (Sender Policy Framework) record. The SPF record syntax is documented at http://www.openspf.org/SPF_Record_Syntax.
    The meaning here: apart from the hosts in my A and MX records, any other host sending mail for this domain is forging it.
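    The policy just described (only the domain's A and MX hosts may send) is the record `v=spf1 a mx -all`. As an added example that is not part of the original post, the following Python evaluates a sender IP against such a record over constructed zone data modelled on the records above (the hostnames and 10.3.0.6 come from the post; the DNS tables are built inline instead of being queried). It also handles ip4 and the other qualifiers, so it goes slightly beyond the single record on this page.

```python
"""Minimal SPF evaluator (RFC 7208 subset) over an in-memory zone.

Added example, not part of the original post or of BIND. It implements only
the mechanisms the post's record needs (a, mx, ip4, all) and resolves them
against constructed A/MX/TXT tables modelled on the post's zone, so it runs
offline; a real check would query DNS for the same records.
"""
import ipaddress

# Constructed zone data, modelled on the records in the post (not live DNS).
ZONE = {
    "A": {
        "webdev06.ttt.com": ["10.3.0.6"],
        "mail.webdev06.ttt.com": ["10.3.0.6"],
        "webdev06.sstparts.com": ["10.3.0.6"],
    },
    "MX": {
        "webdev06.ttt.com": [(10, "webdev06.sstparts.com")],
    },
    "TXT": {
        # "only my A and MX hosts may send for this domain; anything else is forged"
        "webdev06.ttt.com": ["v=spf1 a mx -all"],
    },
}

# Qualifier prefix -> SPF result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain, zone):
    """Return the domain's single v=spf1 TXT record, or None if absent or ambiguous."""
    found = [t for t in zone["TXT"].get(domain, []) if t.lower().startswith("v=spf1 ")]
    return found[0] if len(found) == 1 else None


def a_hosts(domain, zone):
    """IPv4 addresses of the domain's A records."""
    return {ipaddress.ip_address(ip) for ip in zone["A"].get(domain, [])}


def mx_hosts(domain, zone):
    """IPv4 addresses of every host named in the domain's MX records."""
    ips = set()
    for _priority, host in zone["MX"].get(domain, []):
        ips |= a_hosts(host, zone)
    return ips


def check_spf(domain, sender_ip, zone=ZONE):
    """Evaluate sender_ip against domain's SPF record.

    Returns an RFC 7208 result name: none, pass, fail, softfail, neutral,
    or permerror for mechanisms this subset does not implement.
    """
    record = spf_record(domain, zone)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"                       # default qualifier is "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "a":
            matched = ip in a_hosts(arg or domain, zone)
        elif name == "mx":
            matched = ip in mx_hosts(arg or domain, zone)
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"                # include, exists, ptr, ... not handled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                          # no mechanism matched (RFC 7208 section 4.7)
```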

    Start the named process

    sudo chkconfig named on
    sudo service named start

    Test

    dig -t mx webdev06.ttt.com

    Configure OpenLDAP

    First install OpenLDAP and phpLDAPadmin; see the OpenLdap article

    To be able to create mailbox accounts, make the following changes

    sudo vim /usr/local/etc/openldap/slapd.conf

    include         /usr/local/etc/openldap/schema/core.schema
    include         /usr/local/etc/openldap/schema/cosine.schema
    include         /usr/local/etc/openldap/schema/nis.schema
    include         /usr/local/etc/openldap/schema/inetorgperson.schema
    
    ...
    
    database        mdb
    maxsize         1073741824
    suffix          "dc=webdev06,dc=sstparts,dc=com"
    rootdn          "cn=Manager,dc=webdev06,dc=sstparts,dc=com"
    # Cleartext passwords, especially for the rootdn, should
    # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
    # Use of strong authentication encouraged.
    rootpw          {SSHA}e8yXV//3JJQv+SJpgN5UArhb1QGQ79EG
    # The database directory MUST exist prior to running slapd AND
    # should only be accessible by the slapd and slap tools.
    # Mode 700 recommended.
    directory       /usr/local/var/openldap-data
    # Indices to maintain
    index   objectClass     eq
    
    loglevel -1
    
    password-hash   {SSHA}
    

    Note: the include lines pull in the related schemas; only then can mailbox accounts with objectClass=inetOrgPerson be added through phpLDAPadmin's 'Courier Mail: Account' template.

    The Postfix-related schema can be found at: https://github.com/variablenix/ldap-mail-schema

    Configure Postfix

    First install Postfix; see the Postfix article

    sudo yum install -y postfix postfix-ldap

    Postfix divides domains into the following classes:

    Canonical domains: the hostnames and IP addresses of the machine running Postfix, or the host's parent domain, are called canonical domains.
    Canonical domains are implemented in Postfix as local_domain.

    Hosted domains: a domain that is a final destination but is not a canonical domain is called a hosted domain.
    Hosted domains are implemented in Postfix as virtual_alias_domain or virtual_mailbox_domain.

    Relay domains: a domain that is not the final destination and whose mail is forwarded is called a relay domain.
    Relay domains are implemented in Postfix as relay_domain.

    Create a vmail directory under /usr/local to hold the Maildir-format mailboxes

    sudo mkdir /usr/local/vmail
    sudo chmod 700 /usr/local/vmail

    Because virtual users are used as mail accounts, create one system account to map them to, so that all mail is collected in this system user's home directory

    sudo groupadd --gid 5000 vmail
    sudo useradd -s /sbin/nologin --group vmail --gid 5000 --uid 5000 --home-dir /usr/local/vmail vmail

    sudo vim /etc/postfix/main.cf

    ###############################
    # basic
    ###############################
    
    myhostname = webdev06.ttt.com
    mydomain = webdev06.ttt.com
    myorigin = $mydomain
    mydestination =
    #mynetworks = 10.20.0.0/24 127.0.0.1/8
    mynetworks_style = host
    debug_peer_level = 1024
    inet_interfaces = all
    # mail_spool_directory = /var/spool/mail
    home_mailbox = Maildir/
    smtpd_banner = Welcome using Postfix Esmtp Service
    
    ###############################
    # sasl auth & smtp auth
    ###############################
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_local_domain = $myhostname
    smtpd_sasl_security_options = noanonymous
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    message_size_limit = 157286400
    mailbox_size_limit = 314572800
    
    ###############################
    # virtual for using ldap accounts
    ###############################
    
    virtual_transport = dovecot
    dovecot_destination_recipient_limit = 1
    virtual_mailbox_domains = hash:/etc/postfix/virtual_domains
    virtual_mailbox_base = /usr/local/vmail
    virtual_alias_maps = proxy:ldap:/etc/postfix/ldap_virtual_aliases.cf
    virtual_uid_maps = static:5000
    virtual_gid_maps = static:5000
    virtual_mailbox_limit = 314572800
    

    Note: mydestination must stay empty, otherwise Postfix's own LDA is used to deliver the mail; here Dovecot is the LDA for the virtual domains.

    Because virtual_transport is set to dovecot, i.e. Dovecot delivers to the virtual mailboxes, a dovecot service definition must be appended to the end of master.cf

    sudo vim /etc/postfix/master.cf

    dovecot   unix  -       n       n       -       -       pipe
      flags=ODRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -e -f ${sender} -d ${recipient}
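    The two notes above state two requirements: mydestination must not overlap the virtual domains, and the transport named by virtual_transport must exist as a master.cf service. The following is an added Python example, not code from the post or from Postfix, that checks both; the sample main.cf, master.cf and virtual_domains text is constructed from the values on this page, and the parser covers only the plain `key = value` and indented continuation-line forms used here.

```python
"""Consistency checks for the Postfix virtual-domain setup described above.

Added example, not the post's or Postfix's own code. It parses main.cf and
master.cf text for the simple cases (key = value, indented continuation
lines, '#' comments, one level of $parameter expansion) and checks that no
domain is in both mydestination and virtual_mailbox_domains and that the
virtual_transport has a unix service in master.cf. Sample inputs are
constructed from the values in the post.
"""
import re

# Constructed sample inputs (values taken from the post's configuration).
MAIN_CF = """\
myhostname = webdev06.ttt.com
mydomain = webdev06.ttt.com
myorigin = $mydomain
mydestination =
# mynetworks = 10.20.0.0/24 127.0.0.1/8
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
virtual_mailbox_domains = hash:/etc/postfix/virtual_domains
virtual_mailbox_base = /usr/local/vmail
"""

MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
dovecot   unix  -       n       n       -       -       pipe
  flags=ODRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -e -f ${sender} -d ${recipient}
"""

VIRTUAL_DOMAINS = "webdev06.ttt.com   OK\n"


def parse_main_cf(text):
    """Return {parameter: value}; indented lines continue the previous value."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        key, sep, value = raw.partition("=")
        if sep:
            current = key.strip()
            params[current] = value.strip()
    return params


def expand(value, params):
    """Expand $name / ${name} references one level, as postconf -n would show them."""
    return re.sub(r"\$\{?(\w+)\}?", lambda m: params.get(m.group(1), ""), value)


def parse_master_cf(text):
    """Return the set of (service, type) pairs defined in master.cf."""
    services = set()
    for raw in text.splitlines():
        # Skip blanks, comments and indented "-o ..." / argv continuation lines.
        if not raw.strip() or raw.lstrip().startswith("#") or raw[0] in " \t":
            continue
        fields = raw.split()
        if len(fields) >= 8:  # name type private unpriv chroot wakeup maxproc command
            services.add((fields[0], fields[1]))
    return services


def domain_list(value):
    """Split a Postfix list on commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def check_virtual_setup(main_cf, master_cf, virtual_domains):
    """Return a list of problems; an empty list means the setup is consistent.

    virtual_domains is the text of the hash: table named in
    virtual_mailbox_domains ('domain OK' per line, as in the post).
    """
    params = parse_main_cf(main_cf)
    problems = []
    mydest = set(domain_list(expand(params.get("mydestination", ""), params)))
    virtual = set()
    for item in domain_list(expand(params.get("virtual_mailbox_domains", ""), params)):
        if item.startswith("hash:"):
            virtual |= {ln.split()[0] for ln in virtual_domains.splitlines() if ln.split()}
        else:
            virtual.add(item)
    for dom in sorted(mydest & virtual):
        problems.append(f"{dom} is listed in BOTH mydestination and virtual_mailbox_domains")
    transport = params.get("virtual_transport", "virtual").split(":")[0]
    unix_services = {name for name, kind in parse_master_cf(master_cf) if kind == "unix"}
    if transport not in unix_services:
        problems.append(f"virtual_transport '{transport}' has no '{transport} unix ...' entry in master.cf")
    return problems
```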
    

    sudo vim /etc/postfix/virtual_domains

    webdev06.ttt.com   OK
    

    sudo vim /etc/postfix/ldap_virtual_aliases.cf

    bind = yes
    bind_dn = cn=Manager,dc=webdev06,dc=ttt,dc=com
    bind_pw = asdf
    server_host = 127.0.0.1
    search_base = dc=webdev06,dc=ttt,dc=com
    query_filter = (&(|(objectClass=inetOrgPerson)(objectClass=posixGroup))(cn=%s))
    result_attribute = memberUid,alias
    result_format = %s

    Test:

    postmap -q ddd@webdev06.ttt.com ldap:/etc/postfix/ldap_virtual_aliases.cf

    If everything is correct it returns: ddd@webdev06.ttt.com

    Restart Postfix

    sudo service postfix restart

    Configure Postfix TLS

    With the current configuration, the mail server only offers plaintext (and login) authentication. This is good, because all clients support this and the passwords can be stored encrypted in the LDAP. Other authentication methods would require storing the passwords in plaintext. To make the authentication process secure (and not have the passwords transferred in plaintext) the session needs to be encrypted: this is done with TLS.

    1. Certificate Files & Permissions

    Save your certificate and key files in /etc/postfix/certs (see main.cf for filenames). Also save the Diffie-Hellman files (for perfect forward secrecy) in this folder. These can be created as follows:

    openssl dhparam -2 -out dh_512.pem 512

    openssl dhparam -2 -out dh_1024.pem 1024

    Set the permissions to:

    chown -R root:root /etc/postfix/certs/

    chmod -R 600 /etc/postfix/certs/

    2. Activate TLS

    sudo vim /etc/postfix/main.cf

    smtpd_use_tls = yes
    smtpd_tls_security_level = may
    smtpd_tls_auth_only = yes
    smtpd_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
    smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
    smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
    tls_random_source = dev:/dev/urandom
    smtpd_tls_loglevel = 2
    smtpd_client_new_tls_session_rate_limit = 10
    smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_session_cache
    smtpd_tls_exclude_ciphers = EXP
        ECH-RSA-DES-CBC-SHA
        ADH-DES-CBC-SHA
        DES-CBC-SHA
        SEED-SHA
    smtpd_tls_dh512_param_file = ${config_directory}/certs/dh_512.pem
    smtpd_tls_dh1024_param_file = ${config_directory}/certs/dh_1024.pem
    

    Note: /etc/ssl/certs/ca-bundle.crt is the system's own CA bundle; smtpd_tls_cert_file and smtpd_tls_key_file borrow Dovecot's certificate files

    sudo vim /etc/postfix/master.cf

    submission inet n       -       n       -       -       smtpd
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o milter_macro_daemon_name=ORIGINATING
    smtps     inet  n       -       n       -       -       smtpd
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
    

    Note: keep -o smtpd_client_restrictions=permit_sasl_authenticated,reject commented out, otherwise an error like the following may appear:
    Client host rejected: Access denied

    3. TLS Test

    With the following command you can connect to the server using STARTTLS:

    openssl s_client -CAfile certs/example-cacert.pem -starttls smtp -connect localhost:25

    Then you can talk to the server like in a Telnet session, but do not type a capital “R” since this will trigger a Renegotiation. If you want to send a mail, use “rcpt to:” instead of “RCPT TO:”.

    This also works from external hosts (just change the -connect value to your mail server name). The -CAfile parameter is optional and can be omitted for a quick test.

    This can be tested through Foxmail's account settings: port 465, tick Secure Connection; if mail can be sent normally, it works.
    The log then shows:

    sudo tail -n 50 /var/log/maillog

    Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: initializing the server-side TLS engine
    Apr 18 16:10:17 webdev06 postfix/tlsmgr[10219]: warning: request to update table btree:/etc/postfix/smtpd_session_cache in non-postfix directory /etc/postfix
    Apr 18 16:10:17 webdev06 postfix/tlsmgr[10219]: warning: redirecting the request to postfix-owned data_directory /var/lib/postfix
    Apr 18 16:10:17 webdev06 postfix/tlsmgr[10219]: open smtpd TLS cache btree:/var/lib/postfix/smtpd_session_cache
    Apr 18 16:10:17 webdev06 postfix/tlsmgr[10219]: tlsmgr_cache_run_event: start TLS smtpd session cache cleanup
    Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: connect from unknown[10.3.1.62]
    Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: setting up TLS connection from unknown[10.3.1.62]
    Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: unknown[10.3.1.62]: TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!EXP:!ECH-RSA-DES-CBC-SHA:!ADH-DES-CBC-SHA:!DES-CBC-SHA:!SEED-SHA"
    Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: SSL_accept:before/accept initialization
    Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: SSL_accept:SSLv3 read client hello B
    Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: SSL_accept:SSLv3 write server hello A
    Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: SSL_accept:SSLv3 write certificate A
    Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: SSL_accept:SSLv3 write key exchange A
    Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: SSL_accept:SSLv3 write server done A
    Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: SSL_accept:SSLv3 flush data
    Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: SSL_accept:SSLv3 read client key exchange A
    Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: SSL_accept:SSLv3 read finished A
    Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: SSL_accept:SSLv3 write change cipher spec A
    Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: SSL_accept:SSLv3 write finished A
    Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: SSL_accept:SSLv3 flush data
    Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: unknown[10.3.1.62]: save session D61301D600CA2B2CA8572CAA30604180F5AD4803703CED14B5DA7F2318C7D206&s=smtps to smtpd cache
    Apr 18 16:10:17 webdev06 postfix/tlsmgr[10219]: put smtpd session id=D61301D600CA2B2CA8572CAA30604180F5AD4803703CED14B5DA7F2318C7D206&s=smtps [data 153 bytes]
    Apr 18 16:10:17 webdev06 postfix/tlsmgr[10219]: write smtpd TLS cache entry D61301D600CA2B2CA8572CAA30604180F5AD4803703CED14B5DA7F2318C7D206&s=smtps: time=1524039017 [data 153 bytes]
    Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: Anonymous TLS connection established from unknown[10.3.1.62]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
    

    Configure Postfix SMTP account authentication

    SMTP authentication, put simply, requires an account name and password before a client may log in to the SMTP server, which leaves spammers no opening.
    SMTP authentication is added so that users are spared spam.

    SASL (Simple Authentication and Security Layer) is the authentication framework described in RFC 2222; it is a method of providing authentication support for connection-based protocols. With SASL authentication, the application-layer protocol obtains access authorisation from the server by inserting the relevant authentication commands, and at the same time the two sides can negotiate whether (or not) to use additional protection for the protocol exchange. SASL has several implementations; on Linux the one usually used is Cyrus SASL, software from Carnegie Mellon University (CMU) in the US.

    Check which SASL implementations Postfix supports:

    # postconf -a
    cyrus
    dovecot
    

    So the current Postfix version supports two SASL implementations: Cyrus SASL and Dovecot SASL.

    Configure cyrus-sasl to authenticate against LDAP

    saslauthd is the Cyrus SASL daemon. Check how the running saslauthd was started:

    # ps awx|grep sasl
    3244 ?        Ss     0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a shadow sasldb
    ...
    

    Two parameters are involved here:

    -m sets saslauthd's working directory. -a sets saslauthd's authentication mechanism.

    Above, saslauthd's working directory is /var/run/saslauthd and the authentication mechanism is shadow.

    saslauthd's runtime parameters can be configured by editing /etc/sysconfig/saslauthd:

    sudo vim /etc/sysconfig/saslauthd

    SOCKETDIR=/var/run/saslauthd
    MECH=ldap
    FLAGS=

    This config file has a few common parameters: SOCKETDIR sets the working directory (the socket path saslauthd listens on), i.e. the path otherwise given with -m.

    saslauthd normally communicates with other processes over UNIX domain sockets, so make sure the Postfix SMTP server has read and execute permission on saslauthd's working directory:

    ls -ld /var/run/saslauthd/

    drwxr-xr-x 2 root root 4096 7月 28 18:02 /var/run/saslauthd/

    Here is an example Cyrus SASL configuration:

    log_level: 3
    pwcheck_method: saslauthd
    mech_list: plain login

    pwcheck_method can be set to saslauthd or auxprop.

    saslauthd is the most basic verification method. If it is chosen, mech_list can only contain plain and login, and both of these mechanisms send the credentials unencrypted, so TLS should be used to protect them.

    Use testsaslauthd to test saslauthd authentication:

    testsaslauthd -u bailing -p 123456
    0: NO "authentication failed"
    testsaslauthd -u bailing -p MYCORRECTPWD
    0: OK "Success."

    If auxprop (Auxiliary Property Plugins) is chosen instead, another option is needed: auxprop_plugin. Cyrus SASL supports plugins that extend libsasl; see http://www.berlinix.com/net/postfix.php for details.

    Edit /etc/saslauthd.conf. If the saslauthd.conf file does not exist, create it. The saslauthd.conf file usually resides in the /etc folder.
    If you specify a different file path, see the -O option of saslauthd.

    sudo vim /etc/saslauthd.conf

    ldap_servers: ldap://localhost
    ldap_bind_dn: cn=Manager,dc=webdev06,dc=sstparts,dc=com
    ldap_bind_pw: asdf
    ldap_timeout: 10
    ldap_time_limit: 10
    ldap_scope: sub
    ldap_search_base: dc=webdev06,dc=sstparts,dc=com
    ldap_auth_method: bind
    ldap_filter: (cn=%u)
    ldap_debug: 0
    ldap_verbose: off
    ldap_ssl: no
    ldap_starttls: no
    ldap_referrals: yes

    Start saslauthd
    sudo service saslauthd restart
    sudo chkconfig saslauthd on

    Test:

    testsaslauthd -u lzhang -p asdfgh

    0: OK "Success."

    OK, authenticating against LDAP with cyrus-sasl works.

    Note: because the saslauthd method is unencrypted, authentication will not succeed if the password in LDAP is not stored in clear format.
    For this reason the second method, dovecot-sasl, is recommended.

    Configure Postfix for cyrus-SASL

    sudo vim /etc/postfix/main.cf

    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_local_domain = $myhostname
    smtpd_sasl_security_options = noanonymous
    smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_invalid_hostname,
        reject_unauth_pipelining

    Configure dovecot-sasl to authenticate against LDAP

    Since version 2.3, Postfix supports SMTP AUTH through Dovecot SASL as introduced in the Dovecot 1.0 series. If using Postfix obtained from a binary (such as a .rpm or .deb file), you can check if Postfix was compiled with support for Dovecot SASL by running the command:

    postconf -a

    Console output:

    cyrus
    dovecot

    Once you have verified that your installation of Postfix supports Dovecot SASL, it's very simple to configure:

    Add or change the following lines in Postfix's main.cf to enable dovecot-sasl

    sudo vim /etc/postfix/main.cf

    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination
    

    If Postfix and Dovecot are running on separate servers, you can also authenticate via TCP. For Dovecot set up an inet_listener:

    service auth {
      inet_listener {
        port = 12345
      }
    }

    And configure Postfix to use it:

    smtpd_sasl_path = inet:dovecot.example.com:12345
    smtpd_sasl_type = dovecot

    That completes the dovecot-sasl authentication configuration. Continue below with the regular Dovecot configuration, i.e. account authentication, IMAP and POP.

    Configure Dovecot

    sudo vim /etc/dovecot/conf.d/10-master.conf

     service auth {
     ...
       unix_listener /var/spool/postfix/private/auth {
         mode = 0660
         # Assuming the default Postfix user and group
         user = postfix
         group = postfix        
       }
       ...
     }
    

    Outlook Express and Windows Mail work only with the LOGIN mechanism, not the standard PLAIN:

    auth_mechanisms = plain login

    sudo vim /etc/dovecot/conf.d/10-auth.conf

    !include auth-ldap.conf.ext
    

    Create dovecot-ldap.conf.ext under /etc/dovecot. This file configures Dovecot's account authentication; it is the file referenced by userdb and passdb in /etc/dovecot/conf.d/auth-ldap.conf.ext, and it covers Postfix's SMTP authentication as well as IMAP and POP authentication.

    sudo vim /etc/dovecot/dovecot-ldap.conf.ext

    hosts = localhost
    dn = cn=Manager,dc=webdev06,dc=sstparts,dc=com
    dnpass = asdf
    ldap_version = 3
    base = dc=webdev06,dc=sstparts,dc=com
    scope = subtree
    user_attrs = mailStorageDirectory=mail
    user_filter = (&(objectClass=inetOrgPerson)(mail=%u))
    pass_attrs = mail=user,userPassword=password
    pass_filter = (&(objectClass=inetOrgPerson)(mail=%u))
    default_pass_scheme = CRYPT
    

    Note: the mail=user setting makes the mail address the user name (and the value of %u) when looking up the account, so that Maildir mailboxes are created under /usr/local/vmail in full-domain form. In phpLDAPadmin the password of the lzhang account must also be stored CRYPT-hashed.
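    The CRYPT requirement in the note above follows from how Dovecot picks a password scheme: the {SCHEME} prefix on userPassword if there is one, otherwise default_pass_scheme. The following added Python example (not the post's, OpenLDAP's or Dovecot's code) shows that selection and verifies {SSHA} values of the kind used for rootpw in slapd.conf above; the salt and passwords in it are constructed, and CRYPT is reported as unsupported rather than implemented.

```python
"""Which scheme does an LDAP userPassword value use, and does a password verify?

Added example, not the post's, OpenLDAP's or Dovecot's own code. The post
stores slapd's rootpw as {SSHA}, sets Dovecot's default_pass_scheme = CRYPT
and notes that saslauthd wants cleartext. This block shows how the {SCHEME}
prefix on userPassword decides which verifier applies, and implements the
{SSHA} check as OpenLDAP defines it: base64(sha1(password + salt) + salt).
CRYPT is deliberately not implemented here and is reported as unsupported.
"""
import base64
import hashlib
import hmac
import re

# {SCHEME} prefix followed by the scheme-specific payload.
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)


def scheme_of(user_password, default_pass_scheme):
    """Scheme Dovecot applies: the {PREFIX} if present, else default_pass_scheme.

    A value without a prefix is read as default_pass_scheme, which is why a
    cleartext password in LDAP does not verify under CRYPT unless it is stored
    as {CLEARTEXT}... or default_pass_scheme is changed to match.
    """
    m = SCHEME_RE.match(user_password)
    return m.group(1).upper() if m else default_pass_scheme.upper()


def make_ssha(password, salt):
    """Build a {SSHA} value as slappasswd -h {SSHA} does (salt passed in for reproducibility)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_ssha(password, user_password):
    """True iff password matches a well-formed {SSHA} value; False otherwise."""
    m = SCHEME_RE.match(user_password)
    if not m or m.group(1).upper() != "SSHA":
        return False
    try:
        raw = base64.b64decode(m.group(2), validate=True)
    except ValueError:                       # binascii.Error is a ValueError
        return False
    if len(raw) <= 20:                       # 20-byte SHA-1 digest must be followed by a salt
        return False
    digest, salt = raw[:20], raw[20:]
    expected = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(digest, expected)   # constant-time comparison


def verify(password, user_password, default_pass_scheme="CRYPT"):
    """Verify against the effective scheme.

    Returns True/False for the schemes implemented here ({SSHA}, {CLEARTEXT},
    {PLAIN}) and None when the effective scheme (e.g. CRYPT) has no verifier
    in this example, so a caller can tell "wrong password" from "cannot check".
    """
    scheme = scheme_of(user_password, default_pass_scheme)
    if scheme == "SSHA":
        return verify_ssha(password, user_password)
    if scheme in ("CLEARTEXT", "PLAIN"):
        m = SCHEME_RE.match(user_password)
        stored = m.group(2) if m else user_password
        return hmac.compare_digest(stored.encode(), password.encode())
    return None
```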

    sudo vim /etc/dovecot/conf.d/10-mail.conf

    mail_location = maildir:/usr/local/vmail/%u/Maildir
    ...
    mail_uid = 5000
    mail_gid = 5000
    

    Activate logging in /etc/dovecot/conf.d/10-logging.conf:

    log_path = syslog

    syslog_facility = mail
    auth_debug = yes

    Restart the Dovecot service

    sudo service dovecot restart

    Test by logging in over IMAP

    [lzhang@webdev06 dovecot]$ telnet localhost 143

    Trying ::1...

    Connected to localhost.

    Escape character is '^]'.

    * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

    a login lzhang@webdev06.sstparts.com asdfgh

    a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS] Logged in

    The output above means the login succeeded

    If an error occurs, use the log to diagnose it

    sudo tail -n 500 /var/log/maillog

    Outlook or Postfix can also be used to verify

    maillog:

    Apr 18 10:29:11 webdev06 dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011lip=::1#011rip=::1#011lport=143#011rport=56299#011resp=<hidden>
    Apr 18 10:29:11 webdev06 dovecot: auth: Debug: ldap(lzhang@webdev06.sstparts.com,::1): pass search: base=dc=webdev06,dc=sstparts,dc=com scope=subtree filter=(&(objectClass=inetOrgPerson)(mail=lzhang@webdev06.sstparts.com)) fields=mail,userPassword
    Apr 18 10:29:11 webdev06 dovecot: auth: Debug: ldap(lzhang@webdev06.sstparts.com,::1): result: userPassword(password)=<hidden> mail(user)=lzhang@webdev06.sstparts.com
    Apr 18 10:29:11 webdev06 dovecot: auth: Debug: client out: OK#0111#011user=lzhang@webdev06.sstparts.com
    Apr 18 10:29:11 webdev06 dovecot: auth: Debug: master in: REQUEST#0114013686785#01129815#0111#01127e51606ab079738bd43fffbaeb4fe36
    Apr 18 10:29:11 webdev06 dovecot: auth: Debug: ldap(lzhang@webdev06.sstparts.com,::1): user search: base=dc=webdev06,dc=sstparts,dc=com scope=subtree filter=(&(objectClass=inetOrgPerson)(mail=lzhang@webdev06.sstparts.com)) fields=mailStorageDirectory
    Apr 18 10:29:11 webdev06 dovecot: auth: Debug: ldap(lzhang@webdev06.sstparts.com,::1): no fields returned by the server
    Apr 18 10:29:11 webdev06 dovecot: auth: Debug: master out: USER#0114013686785#011lzhang@webdev06.sstparts.com
    Apr 18 10:29:11 webdev06 dovecot: imap-login: Login: user=<lzhang@webdev06.sstparts.com>, method=PLAIN, rip=::1, lip=::1, mpid=29831, secured
    

    Reference links:

    https://wiki.dovecot.org/HowTo/DovecotOpenLdap

    https://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL

    https://www.vennedey.net/resources/2-LDAP-managed-mail-server-with-Postfix-and-Dovecot-for-multiple-domains

    Configure Roundcube

    Roundcube Webmail is a browser-based, multilingual IMAP client whose interface looks like a desktop application.

    It offers all the features an e-mail client should have, including MIME support, an address book, folder operations, message search and spell checking. Roundcube Webmail is developed in PHP + Ajax and needs a MySQL database to store its data. The user interface is designed with XHTML + CSS2.

    Open source and free

    First download it from the official site: https://roundcube.net/download/

    After downloading, extract it; the resulting directory contains INSTALL and README files. Read them before installing, especially INSTALL, to see whether anything differs for your PHP and MySQL versions.

    1. Decompress and put this folder somewhere inside your document root

    wget https://github.com/roundcube/roundcubemail/releases/download/1.1.10/roundcubemail-1.1.10.tar.gz

    tar -xzvf roundcubemail-1.1.10.tar.gz

    sudo mv roundcubemail-1.1.10 /usr/local/roundcube

    cd /usr/local/roundcube

    more INSTALL

    2. Install dependencies using composer:

    • get composer from https://getcomposer.org/download/

    • rename the composer.json-dist file into composer.json

    • if you want to use LDAP address books, enable the LDAP libraries in your composer.json file by moving the items from "suggest" to the "require" section (remove the explanation texts after the version!).

    • run php composer.phar install --no-dev

    3. Make sure that the following directories (and the files within) are writable by the webserver

    • /temp

    • /logs

    4. Create a new database and a database user for Roundcube (see DATABASE SETUP)

    • MySQL

    Setting up the mysql database can be done by creating an empty database, importing the table layout and granting the proper permissions to the roundcube user. Here is an example of that procedure:

    mysql

    CREATE DATABASE roundcubemail /*!40101 CHARACTER SET utf8 COLLATE utf8_general_ci */;
    GRANT ALL PRIVILEGES ON roundcubemail.* TO roundcube@localhost IDENTIFIED BY 'password';
    

    quit

    mysql -u root -p roundcubemail < SQL/mysql.initial.sql

    Note 1: 'password' is the master password for the roundcube user. It is strongly recommended you replace this with a more secure password. Please keep in mind: You need to specify this password later in 'config/db.inc.php'.

    5. update some configs

    cp config/config.inc.php.sample config/config.inc.php

    sudo vim config/config.inc.php

    then add one line after the sentence '$config = array();'

    $config['enable_installer'] = true;

    and update the db name and password, like:

    $config['db_dsnw'] = 'mysql://roundcube:pass@localhost/roundcubemail';

    6. Point your browser to http://url-to-roundcube/installer/

    7. Follow the instructions of the install script (or see MANUAL CONFIGURATION)

    There will be some problems after you view the web install page, e.g. PHP 5.3.3 should be upgraded to a version above 5.3.7; I upgraded to 5.6.35

    sudo yum remove php55w.x86_64 php55w-cli.x86_64 php55w-common.x86_64 php55w-gd.x86_64 php55w-ldap.x86_64 php55w-mbstring.x86_64 php55w-mcrypt.x86_64 php55w-mysql.x86_64 php55w-pdo.x86_64 php55w-xml.x86_64

    yum list installed | grep php

    sudo rpm -Uvh http://mirror.webtatic.com/yum/el6/latest.rpm

    sudo yum install php56w.x86_64 php56w-cli.x86_64 php56w-common.x86_64 php56w-gd.x86_64 php56w-ldap.x86_64 php56w-mbstring.x86_64 php56w-mysql.x86_64 php56w-pdo.x86_64 php56w-odbc.x86_64

    yum list installed | grep php

    php -v

    sudo service httpd restart

    Reference link: https://blog.csdn.net/na_beginning/article/details/53414122

    sudo yum install php56w-xml.x86_64

    sudo yum install php56w-pecl-memcache.x86_64

    sudo yum install php56w-pear

    sudo pear install Net_SMTP --alldeps

    sudo pear install Mail_Mime

    sudo pear install channel://pear.php.net/Net_IDNA2-0.2.0

    sudo pear install Auth_SASL

    sudo yum install phpldapadmin.noarch

    yum list installed | grep php

    php56w.x86_64 5.6.35-1.w6 @webtatic
    php56w-cli.x86_64 5.6.35-1.w6 @webtatic
    php56w-common.x86_64 5.6.35-1.w6 @webtatic
    php56w-gd.x86_64 5.6.35-1.w6 @webtatic
    php56w-ldap.x86_64 5.6.35-1.w6 @webtatic
    php56w-mbstring.x86_64 5.6.35-1.w6 @webtatic
    php56w-mysql.x86_64 5.6.35-1.w6 @webtatic
    php56w-odbc.x86_64 5.6.35-1.w6 @webtatic
    php56w-pdo.x86_64 5.6.35-1.w6 @webtatic
    php56w-pear.noarch 1:1.10.4-1.w6 @webtatic
    php56w-pecl-memcache.x86_64
    php56w-process.x86_64 5.6.35-1.w6 @webtatic
    php56w-xml.x86_64 5.6.35-1.w6 @webtatic
    phpldapadmin.noarch 1.2.3-10.el6 @epel

    sudo vim config/config.inc.php

    //$config['enable_installer'] = true;

    mv installer installer_done

    Reference link:

    http://acidx.net/wordpress/2014/06/installing-a-mailserver-with-postfix-dovecot-sasl-ldap-roundcube/


    Article link: https://www.haomeiwen.com/subject/kvmxwktx.html