网络服务搭建篇 其五
本系列(本季?)的最后一篇
前文:
FTP服务器搭建
WEB服务器搭建
DNS服务器搭建
DHCP服务器搭建
环境
云服务器
- IP:173.254.200.106
- 系统:Ubuntu 18.04 x86_64
- 状态:已配置好并能够以root用户登录
域名
- mail.linzyjx.com
- 能够管理该域名的各类DNS记录
SSL证书
- 域名对应的SSL证书
- 能够在Let's Encrypt上免费申请三个月的证书,到期后可再申请
目标
- 搭建一个邮件服务器,能够在公网正常收发邮件
- 支持SMTP、IMAP、POP3协议
- 支持SSL/TLS加密的上述协议
- 方便的账户管理系统
名词及概念解释
MX记录
当别的服务器要向你的域名下的邮件地址发送邮件时,发送方会先从DNS中查询相应域名的MX记录,以便确定应该和哪个mail服务器取得联系。MX记录的值可以直接是一个IP地址(类似A记录),也可以是另一个域名(类似CNAME记录,FQDN)。当一个域名下有多个MX记录时,MX优先级越小的越优先选用(类比传输开销)。
SMTP的发送方认证机制
SMTP在设计之初没有考虑到对发送方进行身份验证,随着Internet的快速发展,伪造发送方的虚假邮件和垃圾邮件也开始变得泛滥。此时由于SMTP已经被大范围地使用了,大规模修改协议被认为不现实。所以现在mail服务器使用一系列简单、灵活、轻量级的、可升级的源端认证协议来补充SMTP的认证功能。
SPF
发件人测试框架(Sender Policy Framework, SPF)能够允许哪些邮件服务器代表我们的域来发送电子邮件。管理员在DNS的对应域中设置一条TXT记录,解析值如v=spf1 a mx -all着代表我们只允许域名下的A记录和MX记录对应的主机作为邮件服务器。
DMARC
DMARC是基于SPF和DKIM协议的认证方式,它为邮件收发方之间提供数据反馈机制。
它规定了接收方在邮件验证失败后应采取的措施(拒收、标记为垃圾、不作处理)以及如何将该邮件记录如何发送给发送端管理员(邮件地址)。
要使用DMARC,我们只要在DNS中添加TXT记录,主机名为_dmarc,解析值为v=DMARC1;p=reject;rua=i@linzyjx.com。这样我们就告知了接收方,当邮件验证失败时应该拒收该邮件,并将该邮件记录发送给管理员i@linzyjx.com。
DKIM
域名密钥识别邮件(DomainKeys Identified Mail, DKIM)为邮件提供了一种认证机制,使用电子签名验证邮件来源以及邮件内容是否被篡改。
要在Linux服务器上使用DKIM,我们需要在服务器上安装opendkim,并使用其生成一个密钥对;再将opendkim和postfix关联。将最后将生成的公钥设置为DNS TXT记录,主机名为default._domainkey。
PTR
PTR是反向解析记录。邮件接收方能使用PTR记录验证发件服务器是否在发送方的域下。
服务商一般提供rDNS的功能,管理员只要把对应主机的将PTR记录值修改成邮件服务器的主机名即可。
PostfixAdmin
PostfixAdmin是一款基于Postfix的虚拟域,用户和别名管理器。它使用PHP语言编写,使用Web界面。它通过连接到和Postfix关联的SQL数据库来对账户等信息进行修改。
Postfix
Postfix是一种广泛使用的开源的邮件传输代理(MTA),能够提供发送和接收电子邮件的服务。
Dovecot
Dovecot是一个IMAP/POP3服务器,它通过和Postfix进行连接来处理本地传递和身份验证。
配置DNS记录
设置MX记录
如下图所示,在服务商的管理面板上添加MX记录和A记录
设置SPF记录
如下图,在DNS记录中添加一个TXT记录,主机记录为空或@。
这里使用v=spf1 a mx -all,代表允许域名的A记录和MX记录书法邮件。all是结束标志,-代表只允许设置的记录通过。
设置DMARC记录
添加TXT解析,主机名为_dmarc,解析值为v=DMARC1;p=reject;rua=i@linzyjx.com
设置PTR记录
在IPS提供的控制面板中修改对应主机的rDNS(PTR)记录
使用dig反查服务器IP我们能查到PTR信息
设置DKIM
要配置DKIM,我们需要先在服务器上安装OpenDKIM
sudo apt install opendkim opendkim-tools -y使用以下命令生成DKIM key并添加到OpenDKIM的key列表
export domain=linzyjx.com
mkdir -p /etc/opendkim/keys//$domain
cd /etc/opendkim/keys//$domain
opendkim-genkey -d $domain -s default
chown -R opendkim:opendkim /etc/opendkim/keys//$domain
echo "default._domainkey.$domain $domain:default:/etc/opendkim/keys/$domain/default.private" >> /etc/opendkim/KeyTable
echo "*@$domain default._domainkey.$domain" >> /etc/opendkim/SigningTable生成后打开/etc/opendkim/keys/linzyjx.com/default.txt,这就是DKIM key,需要将里面的内容添加到DNS。主机TXT记录为default._domainkey,记录为文本中括号内的值。这个值类似这样:
"v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmfb4k+0Qy2zgeHEJHh2R7tvJHTk5rkppsfpFLs1I9xPEw+WIfCMsJbjLPmxiTR3TcivG2Hp/1DY4hqYEIMevirKZOAI9RDAaeiPGicItVBD3+F1hWhd+4uKkXoUVwBMwMv1I+/ngHzWoe6feTZT4dY8Bz9hyJMK139EWb9U6QJBMamRwTFEIENuq7vyT/cqricI5o7lGaPJvMaNH9LzJhXm0luAt0EBwq6rwQuSk0sELhBRZNsFLC8UQoht5u9vixyXE7CeF53eZcoWzDvbA7jEclks9eiDgj475BxyHvVQyIbZ4E89aKzxSz+kGj0zrHqZB332NmdR5XnBFa16KcwIDAQAB"
安装并配置PostfixAdmin
设置主机名
使用配置工具修改主机名
sudo hostnamectl set-hostname mail.linzyjx.com修改hosts,将改主机名解析到本地环回
使用hostnamectl命令查看,可以发现hostname信息已经修改
创建系统用户
我们使用虚拟用户配置邮件服务器,所以我们需要一个系统用户来承载相关服务的功能。该用户会成为所有邮箱的拥有者,虚拟用户会通过Postfix等服务取得该系统用户所属的文件。
使用以下命令创建一个名为vmail的新组和用户,并该用户的主目录设置为/var/mail/vmail
sudo groupadd -g 5000 vmail
sudo useradd -u 5000 -g vmail -s /usr/sbin/nologin -d /var/mail/vmail -m vmail所有的虚拟邮件都将存储在/var/mail/vmail中
安装Nginx,PHP和MySQL
PostfixAdmin 是一个基于PHP的应用程序。为了能够访问 PostfixAdmin的Web 界面,我们需要安装 Web 服务器和 PHP。
sudo apt install nginx mysql-server php7.2-fpm php7.2-cli php7.2-imap php7.2-json php7.2-mysql php7.2-opcache php7.2-mbstring php7.2-readline安装完成后,使用mysql_secure_installation命令来进行数据库的初始化配置。
修改/etc/mysql/mysql.conf.d/mysqld.cnf文件设置默认编码,在[mysqld]下添加
collation_server = utf8_general_ci
character_set_server = utf8下载并安装PostfixAdmin
3.1是当前PostfixAdmin的最新稳定版本
使用wget下载安装文件
VERSION=3.1
wget -q https://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin-${VERSION}/postfixadmin-${VERSION}.tar.gz下载完成后,解压文件:
tar xzf postfixadmin-${VERSION}.tar.gz将 PostfixAdmin 源文件移动到 /usr/share/nginx/html 目录和创建 templates_c 目录(smarty cache):
sudo mv postfixadmin-${VERSION}/ /usr/share/nginx/html
rm -f postfixadmin-${VERSION}.tar.gz
mkdir /usr/share/nginx/html/postfixadmin/templates_c注意,nginx默认文档目录可能会根据系统配置和软件版本配置不同而不同。
Nginx 和 PHP-FPM 都在用户 www-data 下运行, 因此我们需要更改 /usr/share/nginx/html/postfixadmin 的用户所有权:
sudo chown -R www-data: /usr/share/nginx/html/postfixadmin初始化数据库
PostfixAdmin 使用 MySQL 数据库来存储有关用户,域和应用程序配置的信息。
登录MySQL shell:
sudo mysql -u root使用以下命令创建新的 MySQL 用户和数据库:
CREATE DATABASE postfixadmin;
GRANT ALL ON postfixadmin.* TO 'postfixadmin'@'localhost' IDENTIFIED BY 'DzTn%WxYhWIt';
FLUSH PRIVILEGES;我们创建一个文件名为 config.local.php 覆盖默认应用程序配置文件,而不是编辑默认的 Postfix Admin 配置:
sudo nano /usr/share/nginx/html/postfixadmin/config.local.php粘贴以下代码,并保存文件:
<?php
$CONF['configured'] = true;
$CONF['database_type'] = 'mysqli';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'postfixadmin';
$CONF['database_password'] = 'DzTn%WxYhWIt';
$CONF['database_name'] = 'postfixadmin';
$CONF['default_aliases'] = array (
'abuse' => 'abuse@linzyjx.com',
'hostmaster' => 'hostmaster@linzyjx.com',
'postmaster' => 'postmaster@linzyjx.com',
'webmaster' => 'webmaster@linzyjx.com'
);
$CONF['fetchmail'] = 'NO';
$CONF['show_footer_text'] = 'NO';
$CONF['quota'] = 'YES';
$CONF['domain_quota'] = 'YES';
$CONF['quota_multiplier'] = '1024000';
$CONF['used_quotas'] = 'YES';
$CONF['new_quota_table'] = 'YES';
$CONF['aliases'] = '0';
$CONF['mailboxes'] = '0';
$CONF['maxquota'] = '0';
$CONF['domain_quota_default'] = '0';
?>上面的配置,定义了数据库类型和登录凭据。此外,我们还指定了默认别名,禁用 fetchmail 和启用配额。
接下来,使用PostfixAdmin的工具初始化数据库结构
sudo -u www-data php /usr/share/nginx/html/postfixadmin/upgrade.php之后,我们就能够使用postfixadmin-cli工具创建PostfixAdmin的超级管理员账户了。这个账户具有所有管理权限,并能修改任何域和PostfixAdmin的设置:
bash /usr/share/nginx/html/postfixadmin/scripts/postfixadmin-cli admin add superadmin@linzyjx.com --superadmin 1 --active 1 --password 3qA4YWtLUrnV --password2 3qA4YWtLUrnV输出如下图(当时配置路径稍微有点不对):
安装Let’s Encrypt SSL 证书
使用SSL证书让我们能够使用HTTPS访问管理界面,并能够启用Dovecot和Postfix的SSL/TLS加密。
我们以及准备好了一套证书,其路径在/etc/letsencrypt/live/mail.linzyjx.com下
fullchain.pem包括了包括了cert.pem和chain.pem的内容privkey.pem是证书私钥chain.pem包含浏览器需要的所有证书但不包括服务端证书,比如根证书和中间证书
添加SSL相关配置,编辑/etc/nginx/snippets/ssl.conf
#/etc/nginx/snippets/ssl.conf
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared50m;
ssl_session_tickets off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305ECDHE-ECDSA-AES128-GCM-SHA256ECDHE-ECDSA-AES256-GCM-SHA384DHE-RSA-AES128-GCM-SHA256ECDHE-ECDSA-AES128-SHA256ECDHE-ECDSA-AES128-SHAECDHE-RSA-AES128-SHAECDHE-ECDSA-AES256-SHADHE-RSA-AES128-SHA256DHE-RSA-AES256-SHA256ECDHE-ECDSA-DES-CBC3-SHAEDH-RSA-DES-CBC3-SHAAES256-GCM-SHA384AES256-SHA256AES256-SHA!DSS';
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 30s;
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;这是一个推荐配置,支持 OCSP Stapling , HTTP Strict Transport Security(HSTS)并强制执行少数以安全为中心的 HTTP 请求头。部分配置可能不受支持,请根据实际情况进行裁剪。
新建并编辑/etc/nginx/sites-available/mail.linzyjx.com.conf
#/etc/nginx/sites-available/mail.linzyjx.com.conf
server {
listen 443 ssl http2;
server_name www.mail.linzyjx.com;
ssl_certificate /etc/letsencrypt/live/mail.linzyjx.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mail.linzyjx.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/mail.linzyjx.com/chain.pem;
include /etc/nginx/snippets/ssl.conf;
include /etc/nginx/snippets/letsencrypt.conf;
return 301 https://mail.linzyjx.com$request_uri;
}
server {
listen 443 ssl http2;
server_name mail.linzyjx.com;
ssl_certificate /etc/letsencrypt/live/mail.linzyjx.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mail.linzyjx.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/mail.linzyjx.com/chain.pem;
include /etc/nginx/snippets/ssl.conf;
include /etc/nginx/snippets/letsencrypt.conf;
# . . . other code
location / {
try_files $uri $uri/ /index.php;
}
location /postfixadmin {
index index.php;
try_files $uri $uri/ /postfixadmin/index.php;
}
location ~* \.php$ {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {return 404;}
fastcgi_pass unix:/run/php/php7.2-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
}通过创建软连接把sites-available中的配置链接到sites-enabled来在Nginx来激活配置:
sudo ln -s /etc/nginx/sites-available/mail.linzyjx.com.conf /etc/nginx/sites-enabled/mail.linzyjx.com.conf重新加载 Nginx 配置以使更改生效:
sudo service nginx restart此时,我们就能在浏览器中访问https://mail.linzyjx.com/postfixadmin/来访问控制面板了
安装并配置Postfix和Dovecot
安装
我们使用Dovecot的源来安装Dovecot
使用以下命令添加源并安装:
wget -O- https://repo.dovecot.org/DOVECOT-REPO-GPG | sudo apt-key add -
echo "deb https://repo.dovecot.org/ce-2.3-latest/ubuntu/$(lsb_release -cs) $(lsb_release -cs) main" | sudo tee -a /etc/apt/sources.list.d/dovecot.list
sudo apt update
sudo debconf-set-selections <<< "postfix postfix/mailname string $(hostname -f)"
sudo debconf-set-selections <<< "postfix postfix/main_mailer_type string 'Internet Site'"
sudo apt install postfix postfix-mysql dovecot-imapd dovecot-lmtpd dovecot-pop3d dovecot-mysql配置Postfix
我们将设置 Postfix 以使用虚拟邮箱和域。
首先创建Postfix的SQL配置文件,该配置集会定义postfix如何访问我们在PostfixAdmin配置时所创建的数据库。
sudo mkdir -p /etc/postfix/sql分别创建并编辑下面代码块中的配置文件,具体各文件的路径见注释:
#/etc/postfix/sql/mysql_virtual_domains_maps.cf
user = postfixadmin
password = DzTn%WxYhWIt
hosts = 127.0.0.1
dbname = postfixadmin
query = SELECT domain FROM domain WHERE domain='%s' AND active = '1'
#/etc/postfix/sql/mysql_virtual_alias_maps.cf
user = postfixadmin
password = DzTn%WxYhWIt
hosts = 127.0.0.1
dbname = postfixadmin
query = SELECT goto FROM alias WHERE address='%s' AND active = '1'
#/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf
user = postfixadmin
password = DzTn%WxYhWIt
hosts = 127.0.0.1
dbname = postfixadmin
query = SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' and alias.address = CONCAT('%u', '@', alias_domain.target_domain) AND alias.active = 1 AND alias_domain.active='1'
#/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf
user = postfixadmin
password = DzTn%WxYhWIt
hosts = 127.0.0.1
dbname = postfixadmin
query = SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' and alias.address = CONCAT('@', alias_domain.target_domain) AND alias.active = 1 AND alias_domain.active='1'
#/etc/postfix/sql/mysql_virtual_mailbox_maps.cf
user = postfixadmin
password = DzTn%WxYhWIt
hosts = 127.0.0.1
dbname = postfixadmin
query = SELECT maildir FROM mailbox WHERE username='%s' AND active = '1'
#/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf
user = postfixadmin
password = DzTn%WxYhWIt
hosts = 127.0.0.1
dbname = postfixadmin
query = SELECT maildir FROM mailbox,alias_domain WHERE alias_domain.alias_domain = '%d' and mailbox.username = CONCAT('%u', '@', alias_domain.target_domain) AND mailbox.active = 1 AND alias_domain.active='1'创建SQL配置文件后,更新 postfix 的主配置文件以包含有关存储在 MySQL 数据库中的虚拟域,用户和别名的信息。并设置Postfix的其它配置:
# 数据库连接配置
sudo postconf -e "virtual_mailbox_domains = mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf"
sudo postconf -e "virtual_alias_maps = mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf, mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf, mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf"
sudo postconf -e "virtual_mailbox_maps = mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf, mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf"
# 将Dovecot 的 LMTP 服务设置为默认邮件传递传输
sudo postconf -e "virtual_transport = lmtp:unix:private/dovecot-lmtp"
# 使用SSL证书设置TLS参数
sudo postconf -e 'smtp_tls_security_level = may'
sudo postconf -e 'smtpd_tls_security_level = may'
sudo postconf -e 'smtp_tls_note_starttls_offer = yes'
sudo postconf -e 'smtpd_tls_loglevel = 1'
sudo postconf -e 'smtpd_tls_received_header = yes'
sudo postconf -e 'smtpd_tls_cert_file = /etc/letsencrypt/live/mail.linzyjx.com/fullchain.pem'
sudo postconf -e 'smtpd_tls_key_file = /etc/letsencrypt/live/mail.linzyjx.com/privkey.pem'
# 配置经过身份验证的 SMTP 设置并将身份验证移交给 Dovecot
sudo postconf -e 'smtpd_sasl_type = dovecot'
sudo postconf -e 'smtpd_sasl_path = private/auth'
sudo postconf -e 'smtpd_sasl_local_domain ='
sudo postconf -e 'smtpd_sasl_security_options = noanonymous'
sudo postconf -e 'broken_sasl_auth_clients = yes'
sudo postconf -e 'smtpd_sasl_auth_enable = yes'
sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'此外,我们还需要编辑Postfix的主配置文件,启用submission端口(587)和smtps端口(465)
编辑/erc/postfix/master.cf并取消注释(没用的项编辑)以下行:
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - y - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING重启服务使更改生效
sudo service postfix restart配置Dovecot
编辑/etc/dovecot/dovecot-sql.conf.ext,它定义了Dovecot如何访问数据库文件查找信息:
#/etc/dovecot/dovecot-sql.conf.ext
driver = mysql
connect = host=127.0.0.1 dbname=postfixadmin user=postfixadmin password=DzTn%WxYhWIt
default_pass_scheme = MD5-CRYPT
iterate_query = SELECT username AS user FROM mailbox
user_query = SELECT CONCAT('/var/mail/vmail/',maildir) AS home, \
CONCAT('maildir:/var/mail/vmail/',maildir) AS mail, \
5000 AS uid, 5000 AS gid, CONCAT('*:bytes=',quota) AS quota_rule \
FROM mailbox WHERE username = '%u' AND active = 1
password_query = SELECT username AS user,password FROM mailbox \
WHERE username = '%u' AND active='1'编辑以下配置文件所提到的内容:
# 设置系统用户信息
# /etc/dovecot/conf.d/10-mail.conf
...
mail_location = maildir:/var/mail/vmail/%d/%n
...
mail_uid = vmail
mail_gid = vmail
...
first_valid_uid = 5000
last_valid_uid = 5000
...
mail_privileged_group = vmail
...
mail_plugins = quota
...# 身份验证选项
# /etc/dovecot/conf.d/10-auth.conf
...
disable_plaintext_auth = yes
...
auth_mechanisms = plain login
...
#!include auth-system.conf.ext
!include auth-sql.conf.ext
...# 主服务配置文件
# /etc/dovecot/conf.d/10-master.conf
...
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
mode = 0600
user = postfix
group = postfix
}
...
}
...
service auth {
...
unix_listener auth-userdb {
mode = 0600
user = vmail
group = vmail
}
...
unix_listener /var/spool/postfix/private/auth {
mode = 0666
user = postfix
group = postfix
}
...
}
...
service auth-worker {
user = vmail
}
...
service dict {
unix_listener dict {
mode = 0660
user = vmail
group = vmail
}
}
...# 启用SSL/TLS以及进行相应配置
# 注意修改SSL证书的路径
# /etc/dovecot/conf.d/10-ssl.conf
...
ssl = yes
...
ssl_cert = </etc/letsencrypt/live/mail.linzyjx.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.linzyjx.com/privkey.pem
ssl_dh = </etc/ssl/certs/dhparam.pem
...
ssl_cipher_list = EECDH+AES:EDH+AES+aRSA
...
ssl_prefer_server_ciphers = yes
...# imap配置,激活imap_quota插件
# /etc/dovecot/conf.d/20-imap.conf
...
protocol imap {
...
mail_plugins = $mail_plugins imap_quota
...
}
...# lmtp配置,定义默认邮箱
# /etc/dovecot/conf.d/20-lmtp.conf
...
protocol lmtp {
postmaster_address = postmaster@linzyjx.com
mail_plugins = $mail_plugins
}
...# 邮箱设置
# /etc/dovecot/conf.d/15-mailboxes.conf
...
mailbox Drafts {
special_use = \Drafts
}
mailbox Spam {
special_use = \Junk
auto = subscribe
}
mailbox Junk {
special_use = \Junk
}
...# 默认配额设置
# /etc/dovecot/conf.d/90-quota.conf
plugin {
quota = dict:User quota::proxy::sqlquota
quota_rule = *:storage=5GB
quota_rule2 = Trash:storage=+100M
quota_grace = 10%%
quota_exceeded_message = Quota exceeded, please contact your system administrator.
quota_warning = storage=100%% quota-warning 100 %u
quota_warning2 = storage=95%% quota-warning 95 %u
quota_warning3 = storage=90%% quota-warning 90 %u
quota_warning4 = storage=85%% quota-warning 85 %u
}
service quota-warning {
executable = script /usr/local/bin/quota-warning.sh
user = vmail
unix_listener quota-warning {
group = vmail
mode = 0660
user = vmail
}
}
dict {
sqlquota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
}# 定义Dovecot访问SQL配额字典的方法
# /etc/dovecot/dovecot-dict-sql.conf.ext
...
connect = host=127.0.0.1 dbname=postfixadmin user=postfixadmin password=DzTn%WxYhWIt
...
map {
pattern = priv/quota/storage
table = quota2
username_field = username
value_field = bytes
}
map {
pattern = priv/quota/messages
table = quota2
username_field = username
value_field = messages
}
...
# map {
# pattern = shared/expire/$user/$mailbox
# table = expires
# value_field = expire_stamp
#
# fields {
# username = $user
# mailbox = $mailbox
# }
# }
...注意使用正确的MySQL账户凭据
创建以下Shell脚本,如歌配额超出限制,则向用户发送电子邮件
# /usr/local/bin/quota-warning.sh
#!/bin/sh
PERCENT=$1
USER=$2
cat << EOF | /usr/lib/dovecot/dovecot-lda -d $USER -o "plugin/quota=dict:User quota::noenforcing:proxy::sqlquota"
From: postmaster@linzyjx.com
Subject: Quota warning
Your mailbox is now $PERCENT% full.
EOF赋予脚本执行权限:
sudo chmod +x /usr/local/bin/quota-warning.sh重启Dovecot服务使更改生效
sudo service dovecot restart配置opemDKIM
在文章开头我们提到了opendkim,在发送邮件时,Postfix需要使用DKIM的密钥进行签名。故我们需要在Postfix中对opendkim进行额外配置。
编辑/etc/opendkim.conf,取消注释并编辑以下信息
# /etc/opendkim.conf
...
Domain linzyjx.com
KeyFile /etc/opendkim/keys/linzyjx.com/default.private
Selector default
...记得修改成你自己的证书路径
编辑//etc/default/opendkim取消编辑并修改以下项:
...
SOCKET=inet:8891@localhost
...编辑/etc/postfix/main.cf,在配置末尾追加:
# opendkim setup
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = inet:127.0.0.1:8891
milter_default_action = accept重启所有服务
service postfix restart
service dovecot restart
service opendkim restart