Building a mail server on Postfix and Dovecot

I recently helped Fei Ge set up a Linux mail server; after a day of tinkering it finally worked. I'm writing it down here for future reference. Since time was short, I still don't fully understand many of the parameters and features ;-(.

1. Server environment

Operating system: CentOS 7.1
Stack: apache php mariadb
Software: postfix dovecot roundcubemail postfixadmin
Other: add an A record and an MX record for the mail server at your domain registrar; here it is mail.freesign.net
Also apply for a certificate. The free application page on the Chinese-language site is very hard to find, presumably on purpose. Not long ago certificates were issued for 3 years; now they are only valid for one year.
There are plenty of guides for setting up a LAMP stack online, so I won't repeat that here. Enabling HTTPS in Apache is recommended, because postfixadmin and roundcubemail are accessed through the browser, and this makes them considerably safer.
Add the dedicated mail user vmail:vmail
groupadd -g 5000 vmail
useradd -g vmail -u 5000 vmail -d /home/vmail -m

2. Mail server setup

2.1 Setting up the database

Create a dedicated mail database. The mail server involves several pieces of software, and they all work by reading and writing this database.

 user@localhost  ~  mysql -u user -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 3857
Server version: 5.5.44-MariaDB MariaDB Server

Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>
MariaDB [(none)]> create database postfix;
MariaDB [(none)]> CREATE USER 'postfix'@'localhost' IDENTIFIED BY 'postfixadmin';
MariaDB [(none)]> CREATE USER 'postfix'@'localhost.localdomain' IDENTIFIED BY 'postfixadmin';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON `postfix` . * TO 'postfix'@'localhost';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON `postfix` . * TO 'postfix'@'localhost.localdomain';
MariaDB [(none)]> FLUSH PRIVILEGES;

(The output of the database commands has been omitted.)

2.2 Installing roundcubemail and postfixadmin

postfixadmin is not packaged in the repositories, so it has to be installed from a source download. roundcubemail is packaged in EPEL and can be installed directly with yum.

user@localhost  ~  sudo yum install roundcubemail
user@localhost  ~  cd /usr/share
user@localhost  /usr/share  sudo wget wget http://jaist.dl.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin-2.93/postfixadmin-2.93.tar.gz
user@localhost  /usr/share  sudo tar xzvf postfixadmin-2.93.tar.gz
user@localhost  /usr/share  sudo mv postfixadmin-2.93 postfixadmin

postfixadmin is unpacked into /usr/share; this step simply copies what roundcubemail does. Installing roundcubemail creates a virtual host configuration in /etc/httpd/conf.d/roundcubemail.conf; set its aliases and directories as follows:

Alias /roundcubemail /usr/share/roundcubemail
Alias /mail /usr/share/roundcubemail
Alias /postfixadmin /usr/share/postfixadmin

<Directory /usr/share/roundcubemail/>
Options none
AllowOverride Limit
Require all granted
</Directory>

<Directory /usr/share/postfixadmin/>
Options none
AllowOverride Limit
Require all granted
</Directory>

<Directory /usr/share/roundcubemail/installer>
Options none
AllowOverride Limit
Require all granted
</Directory>

Remember to restart Apache.

postfixadmin is a management front end for postfix; the mail server's domains and user accounts are managed here. After unpacking, edit config.inc.php (officially it is recommended to create config.local.php instead, which makes later upgrades easier). The most important settings are the database-related ones (the important changes are listed below):

$CONF['configured'] = true;
$CONF['setup_password'] = 'abc123def';
$CONF['default_language'] = 'cn';
$CONF['database_type'] = 'mysqli';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'postfix';
$CONF['database_password'] = 'postfixadmin';
$CONF['database_name'] = 'postfix';
$CONF['admin_email'] = 'yourmailaddress@126.com';
$CONF['encrypt'] = 'dovecot:CRAM-MD5';
$CONF['dovecotpw'] = "/usr/bin/doveadm pw";

Pitfalls: (1) setup_password must meet the password-complexity requirements and cannot be set arbitrarily: first set it in plaintext, then generate the hashed password on the setup page, and only after replacing abc123def with that hash can you add an administrator; (2) encrypt must be changed and must match the settings in the other components later on; (3) on CentOS 7 doveadm is packaged in /usr/bin, so the path here has to be updated; (4) the templates_c directory must be owned by apache.
(The contents of postfixadmin's DOCUMENTS directory are a good reference.)

Then open https://mail.freesign.net/postfixadmin/setup.php to run the installer: the first step generates the hashed setup_password; after replacing the plaintext password in the config file, it lets you create an administrator account. Once that account is created and you have verified you can log in, don't do anything else yet, because much is still unconfigured and creating domains would be pointless.
The admin and regular user login pages are:
https://mail.freesign.net/postfixadmin/login.php
https://mail.freesign.net/postfixadmin/users/login.php

2.3 Installing postfix and dovecot

postfix and dovecot are the two most important and most complex parts of this article (which is why people say a mail server is a pit; it is nothing like the relatively painless httpd or ftp servers). The postfix configuration files live in /etc/postfix/, and the dovecot configuration files mainly in /etc/dovecot/.

2.3.1 postfix configuration

Important parameters in main.cf

myhostname = mail.freesign.net
mydomain = freesign.net

inet_interfaces = all
inet_protocols = ipv4
mydestination = localhost.localdomain, localhost
mynetworks = 127.0.0.0/8
# The parameters above are deliberately strict

virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
# Root directory for mail storage
virtual_mailbox_base = /aaa/maildata/

# uid and gid of vmail:vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps

# smtps: encrypted submission settings
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
smtpd_use_tls = yes
smtpd_tls_auth_only = yes

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_application_name = smtpd
# Continuation lines must be indented in main.cf
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination

# User quotas; can be tuned later
message_size_limit = 20480000
virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf

maximal_queue_lifetime = 1d
bounce_queue_lifetime = 1d

In master.cf, add the dovecot delivery service and enable the smtps and submission services so that SSL- and TLS-encrypted sending is supported:

submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
smtps      inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

dovecot    unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/dovecot-lda -f ${sender} -d ${recipient}

The configuration above also needs several mysql_xxx.cf map files, which are used to query the database that postfixadmin populates. Their contents are essentially the same as those listed in reference 2. One of them, mysql_virtual_mailbox_maps.cf, was left out there; its contents are:

user = postfix
# Must be the database password set for the postfix user in section 2.1
password = postfixadmin
hosts = localhost
dbname = postfix
query = SELECT maildir FROM mailbox WHERE username='%s' AND active = '1'

2.3.2 dovecot configuration

The dovecot configuration is even worse: it used to be a single conf file, but it is now split across the individual files in the conf.d directory, which makes it harder to copy from others. dovecot is mainly used for retrieving mail and supports the pop3/imap/lmtp protocols.
Main contents of dovecot.conf

protocols = imap pop3
listen = *

passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}

userdb {
  driver = static
  args = uid=5000 gid=5000 home=/aaa/maildata/%d/%n allow_all_users=yes
}

The contents of dovecot-sql.conf.ext are shown below. Note the password hashing scheme: it must match the setting made earlier in postfixadmin.

driver = mysql
connect = host=localhost dbname=postfix user=postfix password=postfixadmin
# Must match $CONF['encrypt'] = 'dovecot:CRAM-MD5' in postfixadmin
default_pass_scheme = CRAM-MD5
# Home directories share the base directory used by virtual_mailbox_base and mail_location
user_query = SELECT CONCAT('/aaa/maildata/', maildir) AS home, 5000 AS uid, 5000 AS gid, CONCAT('*:bytes=', quota) AS quota_rule FROM mailbox WHERE username = '%u' AND active='1'
password_query = SELECT username AS user, password, CONCAT('/aaa/maildata/', maildir) AS userdb_home, 5000 AS userdb_uid, 5000 AS userdb_gid, CONCAT('*:bytes=', quota) AS userdb_quota_rule FROM mailbox WHERE username = '%u' AND active='1'
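The same database credentials and the same password scheme appear in three files in three different syntaxes (postfixadmin's PHP config, the Postfix mysql map, and dovecot-sql.conf.ext), and pitfall (2) above is exactly a mismatch between them. The following checker is an added example written for this article, not code from the page or from any of these projects; it parses constructed snippets in those three formats and reports any value that differs between them (the map password is deliberately wrong, as in the original snippet).

```python
import re

# Constructed snippets in the three formats this page uses (not the author's files);
# the Postfix map password is deliberately wrong, as on the page.
POSTFIXADMIN_CONF = """
$CONF['database_user'] = 'postfix';
$CONF['database_password'] = 'postfixadmin';
$CONF['database_name'] = 'postfix';
$CONF['encrypt'] = 'dovecot:CRAM-MD5';
"""
POSTFIX_MAP = "user = postfix\npassword = postpasswd\nhosts = localhost\ndbname = postfix\n"
DOVECOT_SQL = """
driver = mysql
connect = host=localhost dbname=postfix user=postfix password=postfixadmin
default_pass_scheme = CRAM-MD5
"""

def parse_php_conf(text):
    """$CONF['key'] = 'value';  ->  {key: value}"""
    return dict(re.findall(r'''\$CONF\['(\w+)'\]\s*=\s*['"]([^'"]*)['"]''', text))

def parse_kv(text):
    """Postfix/Dovecot 'key = value' lines -> {key: value}; '#' comments ignored."""
    out = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0]
        if '=' in line:
            key, value = line.split('=', 1)
            out[key.strip()] = value.strip()
    return out

def check_consistency(pfa_text, map_text, sql_text):
    """Return human-readable mismatches between postfixadmin, Postfix and Dovecot."""
    pfa, pmap, dsql = parse_php_conf(pfa_text), parse_kv(map_text), parse_kv(sql_text)
    # Dovecot packs the DB credentials into a single 'connect' string.
    conn = dict(item.split('=', 1) for item in dsql.get('connect', '').split())
    triples = {
        'database user': (pfa.get('database_user'), pmap.get('user'), conn.get('user')),
        'database password': (pfa.get('database_password'), pmap.get('password'), conn.get('password')),
        'database name': (pfa.get('database_name'), pmap.get('dbname'), conn.get('dbname')),
    }
    problems = [f"{name} differs: postfixadmin={a!r} postfix={b!r} dovecot={c!r}"
                for name, (a, b, c) in triples.items() if len({a, b, c}) != 1]
    # postfixadmin stores hashes as 'dovecot:SCHEME'; Dovecot must verify with that SCHEME.
    scheme = pfa.get('encrypt', '').split(':', 1)[-1].upper()
    if scheme != dsql.get('default_pass_scheme', '').upper():
        problems.append(f"password scheme differs: postfixadmin={scheme!r} "
                        f"dovecot={dsql.get('default_pass_scheme')!r}")
    return problems
```

Run it against your real files (read them with open().read()) before restarting the services; an empty list means the three components agree.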

The most important dovecot settings are listed below:

#10-mail.conf
mail_location = maildir:/aaa/maildata/%d/%n/Maildir
#10-auth.conf
disable_plaintext_auth = no
auth_mechanisms = plain login cram-md5
#10-master.conf
service imap-login {
  inet_listener imap {
    # Turn off unencrypted access. Only port = 0 disables the listener;
    # commenting out "port = 143" leaves the default port 143 open.
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service auth {
  unix_listener auth-userdb {
    mode = 0666
    user = vmail
    group = vmail
  }

  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
  }
}
#10-ssl.conf
ssl = yes
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
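Because a Dovecot inet_listener that has no port line keeps its built-in default, commenting out port = 143 does not close cleartext IMAP. The checker below is an added example written for this article (not code from the page or from Dovecot): it parses a constructed 10-master.conf excerpt with Dovecot's block syntax and lists the listeners that still accept unencrypted connections; the default-port table is assumed from Dovecot's stock configuration.

```python
# Dovecot's built-in default ports for the named inet_listeners in the stock
# 10-master.conf; a listener block with no 'port =' line keeps its default.
DEFAULT_PORTS = {'imap': 143, 'imaps': 993, 'pop3': 110, 'pop3s': 995}

# Constructed 10-master.conf excerpt (not the author's file). Commenting out
# 'port = 143' does not disable the listener; 'port = 0' does.
MASTER_CONF_AS_WRITTEN = """
service imap-login {
  inet_listener imap {
    #port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
"""
MASTER_CONF_FIXED = MASTER_CONF_AS_WRITTEN.replace('#port = 143', 'port = 0')

def parse_blocks(text):
    """Minimal parser for Dovecot's 'name { key = value ... }' nesting.
    Returns {'service x/inet_listener y': {key: value}} for every block."""
    blocks, path = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.endswith('{'):
            path.append(line[:-1].strip())
            blocks['/'.join(path)] = {}
        elif line == '}':
            path.pop()
        elif '=' in line:
            key, value = (part.strip() for part in line.split('=', 1))
            blocks['/'.join(path)][key] = value
    return blocks

def cleartext_listeners(text):
    """Return (block path, port) for inet_listeners that still accept
    unencrypted connections: port not 0 and no 'ssl = yes' on the listener."""
    found = []
    for path, settings in parse_blocks(text).items():
        last = path.rsplit('/', 1)[-1]
        if not last.startswith('inet_listener '):
            continue
        name = last.split(None, 1)[1]
        port = int(settings.get('port', DEFAULT_PORTS.get(name, 0)))
        if port != 0 and settings.get('ssl') != 'yes':
            found.append((path, port))
    return found
```

After applying the fix, confirm it from the outside as well with doveadm or a port scan of your own host: port 143 should no longer accept connections.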

2.4 roundcubemail settings

roundcubemail is a web login interface for mail. The first installation step is again to open https://mail.freesign.net/webmail/installer. After the checks in step (1) pass, move on to the next step; step (2) generates a configuration file from the settings you enter, which we copy to /etc/roundcubemail/config.inc.php; step (3) then tests and verifies that configuration.
The important settings in /etc/roundcubemail/config.inc.php are:

// Database access
$config['db_dsnw'] = 'mysql://postfix:postfixadmin@localhost/postfix';
// IMAP: the host name must match the certificate, i.e. mail.freesign.net here
$config['default_host'] = 'ssl://mail.freesign.net/';
$config['default_port'] = 993;
// SMTP
$config['smtp_server'] = 'tls://mail.freesign.net';
// SMTP port: 587 is the STARTTLS submission service defined in master.cf
$config['smtp_port'] = 587;
$config['smtp_user'] = '%u';
$config['smtp_pass'] = '%p';

$config['plugins'] = array('archive', 'attachment_reminder', 'help');
$config['sent_mbox'] = 'Sent';
$config['trash_mbox'] = 'Trash';
$config['drafts_mbox'] = 'Drafts';
$config['junk_mbox'] = 'Junk';

3. Verification and testing

3.1 Creating a mail account

Open https://mail.freesign.net/postfixadmin/, first add the domain mail.freesign.net, then add the account nicol under that domain; this registers the mailbox nicol@mail.freesign.net.

3.2 Verification from the web and from a phone

On the web, open https://mail.freesign.net/mail/
[Screenshot: web client test]

On the phone, using an SSL-encrypted connection, the test was OK
[Screenshot: mail client connection]

Sigh, the mail server really is the hardest server to set up!

End of article.

References