Tags: common Postfix configuration
SMTP --> SMTPS
ESMTP
POP3: Post Office Protocol
IMAP4: Internet Message Access Protocol
SASL: Simple Authentication and Security Layer
MDA: Mail Delivery Agent
procmail, maildrop
MUA: Mail User Agent
mutt, mail
tom@a.org --> c.com (MX) --> jerry@b.net
Mail Relay
MTA: sendmail, qmail, postfix, exim
Postfix: modular design; the master daemon (/etc/postfix/master.cf)
main configuration (/etc/postfix/main.cf)
postconf options:
-d    show the default values of the parameters
-n    show only the parameters that differ from their defaults
-A    SASL plug-in types supported on the client side
-e parameter=value    set a parameter in main.cf
-m    list the supported lookup table types
-a    SASL plug-in types supported on the server side
SMTP session commands:
helo
mail from
rcpt to
data
.
quit
MX: mail.mylinux.com
Provide a SysV service script for Postfix at /etc/rc.d/init.d/postfix:
#!/bin/bash
#
# postfix Postfix Mail Transfer Agent
#
# chkconfig: 2345 80 30
# description: Postfix is a Mail Transport Agent, which is the program \
# that moves mail from one machine to another.
# processname: master
# pidfile: /var/spool/postfix/pid/master.pid
# config: /etc/postfix/main.cf
# config: /etc/postfix/master.cf
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up.
[ "$NETWORKING" = "no" ] && exit 3
[ -x /usr/sbin/postfix ] || exit 4
[ -d /etc/postfix ] || exit 5
[ -d /var/spool/postfix ] || exit 6
RETVAL=0
prog="postfix"
start() {
# Start daemons.
echo -n $"Starting postfix: "
/usr/bin/newaliases >/dev/null 2>&1
/usr/sbin/postfix start 2>/dev/null 1>&2 && success || failure $"$prog start"
RETVAL=$?
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/postfix
echo
return $RETVAL
}
stop() {
# Stop daemons.
echo -n $"Shutting down postfix: "
/usr/sbin/postfix stop 2>/dev/null 1>&2 && success || failure $"$prog stop"
RETVAL=$?
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/postfix
echo
return $RETVAL
}
reload() {
echo -n $"Reloading postfix: "
/usr/sbin/postfix reload 2>/dev/null 1>&2 && success || failure $"$prog reload"
RETVAL=$?
echo
return $RETVAL
}
abort() {
/usr/sbin/postfix abort 2>/dev/null 1>&2 && success || failure $"$prog abort"
return $?
}
flush() {
/usr/sbin/postfix flush 2>/dev/null 1>&2 && success || failure $"$prog flush"
return $?
}
check() {
/usr/sbin/postfix check 2>/dev/null 1>&2 && success || failure $"$prog check"
return $?
}
restart() {
stop
start
}
# See how we were called.
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
stop
start
;;
reload)
reload
;;
abort)
abort
;;
flush)
flush
;;
check)
check
;;
status)
status master
;;
condrestart)
[ -f /var/lock/subsys/postfix ] && restart || :
;;
*)
echo $"Usage: $0 {start|stop|restart|reload|abort|flush|check|status|condrestart}"
exit 1
esac
exit $?
# END
vim /etc/init.d/postfix
chmod +x /etc/init.d/postfix
chkconfig --add postfix
service postfix restart
[root@localhost ~]# vim /etc/postfix/main.cf
Change the following settings as needed:
The hostname of the machine running the Postfix mail system, i.e. which domain's mail this Postfix system receives:
myhostname = mail.mylinux.com
The domain that appears in the sender address of locally posted mail (sender address masquerading):
myorigin = mylinux.com
The local domain name; by default Postfix strips the first label of myhostname and uses the remainder as mydomain:
mydomain = mylinux.com
The recipient domains Postfix accepts mail for, i.e. which domains' mail this system receives:
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
The address ranges of the local network; Postfix uses them to tell remote clients from local ones, and local network clients are allowed to relay:
mynetworks = 192.168.1.0/24, 127.0.0.0/8
Interfaces to listen on: $myhostname means port 25 on this host's IP address, localhost means port 25 on 127.0.0.1:
inet_interfaces = $myhostname, localhost
[root@localhost ~]# hostname mail.mylinux.com
[root@localhost ~]# vim /etc/sysconfig/network    (make the hostname change permanent)
HOSTNAME=mail.mylinux.com
Check whether a DNS server is already installed:
[root@localhost ~]# rpm -qa |grep bind
ypbind-1.20.4-30.el6.x86_64
rpcbind-0.2.0-11.el6.x86_64
bind-libs-9.8.2-0.17.rc1.el6_4.6.x86_64
samba-winbind-clients-3.6.9-164.el6.x86_64
bind-utils-9.8.2-0.17.rc1.el6_4.6.x86_64
samba-winbind-3.6.9-164.el6.x86_64
[root@localhost ~]# yum remove bind-libs
[root@localhost ~]# yum install bind
[root@localhost ~]# yum install bind-utils
[root@localhost ~]# vim /etc/named.conf
options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; };
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
[root@localhost ~]# service named start
Starting named: [ OK ]
[root@localhost ~]# vim /etc/named.rfc1912.zones
Define a forward zone:
zone "mylinux.com" IN {
type master;
file "mylinux.com.zone";
allow-update { none; };
allow-transfer { none; };
};
Define a reverse zone:
zone "1.168.192.in-addr.arpa" IN {
type master;
file "192.168.1.zone";
allow-update { none; };
allow-transfer { none; };
};
[root@mail ~]# named-checkconf /etc/named.conf    check the syntax
[root@mail ~]# cd /var/named/
[root@mail named]# vim mylinux.com.zone
$TTL 600
@       IN SOA  ns.mylinux.com. admin.mylinux.com. (
                2016080801
                2H
                10M
                3D
                1D
                )
        IN NS   ns
        IN MX   10 mail
ns      IN A    192.168.1.50
mail    IN A    192.168.1.50
[root@mail named]# cp mylinux.com.zone 192.168.1.zone
[root@mail named]# vim 192.168.1.zone
$TTL 600
@       IN SOA  ns.mylinux.com. admin.mylinux.com. (
                2016080801
                2H
                10M
                3D
                1D
                )
        IN NS   ns.mylinux.com.
50      IN PTR  mail.mylinux.com.
50      IN PTR  ns.mylinux.com.
[root@mail named]# chown root.named 192.168.1.zone mylinux.com.zone
[root@mail named]# chmod 640 mylinux.com.zone 192.168.1.zone
Check the syntax:
[root@mail named]# named-checkzone "mylinux.com" mylinux.com.zone
zone mylinux.com/IN: loaded serial 2016080801
OK
[root@mail named]# named-checkzone "1.168.192.in-addr.arpa" 192.168.1.zone
zone 1.168.192.in-addr.arpa/IN: loaded serial 2016080801
OK
[root@mail named]# service named restart
Stopping named: . [ OK ]
Starting named: [ OK ]
[root@mail named]#
[root@mail named]# chkconfig named on
[root@mail named]# dig -t MX mylinux.com @192.168.1.50
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -t MX mylinux.com @192.168.1.50
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8645
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; QUESTION SECTION:
;mylinux.com.                   IN      MX
;; ANSWER SECTION:
mylinux.com.            600     IN      MX      10 mail.mylinux.com.
;; AUTHORITY SECTION:
mylinux.com.            600     IN      NS      ns.mylinux.com.
;; ADDITIONAL SECTION:
mail.mylinux.com.       600     IN      A       192.168.1.50
ns.mylinux.com.         600     IN      A       192.168.1.50
;; Query time: 1 msec
;; SERVER: 192.168.1.50#53(192.168.1.50)
;; WHEN: Mon Aug 8 13:25:36 2016
;; MSG SIZE rcvd: 99
[root@mail named]# dig -t A mail.mylinux.com @192.168.1.50
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -t A mail.mylinux.com @192.168.1.50
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15877
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;mail.mylinux.com.              IN      A
;; ANSWER SECTION:
mail.mylinux.com.       600     IN      A       192.168.1.50
;; AUTHORITY SECTION:
mylinux.com.            600     IN      NS      ns.mylinux.com.
;; ADDITIONAL SECTION:
ns.mylinux.com.         600     IN      A       192.168.1.50
;; Query time: 1 msec
;; SERVER: 192.168.1.50#53(192.168.1.50)
;; WHEN: Mon Aug 8 13:26:34 2016
;; MSG SIZE rcvd: 83
[root@mail named]# dig -x 192.168.1.50 @192.168.1.50
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -x 192.168.1.50 @192.168.1.50
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38905
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;50.1.168.192.in-addr.arpa.     IN      PTR
;; ANSWER SECTION:
50.1.168.192.in-addr.arpa. 600  IN      PTR     ns.mylinux.com.
50.1.168.192.in-addr.arpa. 600  IN      PTR     mail.mylinux.com.
;; AUTHORITY SECTION:
1.168.192.in-addr.arpa. 600     IN      NS      ns.mylinux.com.
;; ADDITIONAL SECTION:
ns.mylinux.com.         600     IN      A       192.168.1.50
;; Query time: 0 msec
;; SERVER: 192.168.1.50#53(192.168.1.50)
;; WHEN: Mon Aug 8 13:27:42 2016
;; MSG SIZE rcvd: 120
[root@mail named]# cd /etc/postfix
[root@mail postfix]# service postfix start
[root@mail postfix]# tail /var/log/maillog
[root@mail postfix]# vim /etc/resolv.conf
nameserver 192.168.1.50
MRA (Mail Retrieval Agent):
cyrus-imap, dovecot
dovecot depends on the MySQL client libraries
[root@mail etc]# yum install dovecot    (the server that users retrieve mail from)
pop3: 110/tcp
imap4: 143/tcp
Both work in plaintext.
The dovecot server supports four protocols: pop3, imap4, pop3s, imaps
Configuration file: /etc/dovecot.conf
It has SASL authentication capability.
Mailbox formats:
mbox: one file stores all messages;
maildir: one file per message, all messages stored in one directory;
[root@mail yum.repos.d]# vim /etc/dovecot/dovecot.conf
protocols = imap pop3    enable only these two plaintext protocols
[root@mail yum.repos.d]# service dovecot start
Starting Dovecot Imap: [ OK ]
telnet mail.mylinux.com 110
USER openstack    mailbox user (the recipient)
PASS openstack    password
LIST              list the messages
RETR 1            retrieve the first message
postfix + SASL user authentication
1. Enable SASL and start the SASL service
/etc/init.d/saslauthd        service script
/etc/sysconfig/saslauthd     configuration file
[root@mail yum.repos.d]# saslauthd -v    show which authentication mechanisms this server supports
saslauthd 2.1.23
authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap
[root@mail yum.repos.d]# vim /etc/sysconfig/saslauthd
MECH=shadow    the authentication mechanism to use
[root@mail yum.repos.d]# service saslauthd start
[root@mail yum.repos.d]# chkconfig saslauthd on
[root@mail yum.repos.d]# testsaslauthd -u admin -p admin    test user authentication; -u user name, -p password
[root@mail yum.repos.d]# postconf -a    show which SASL server types Postfix supports
cyrus    means ssl is supported
dovecot
smtpd restrictions:
Restrict which clients may connect
connection: smtpd_client_restrictions = check_client_access hash:/etc/postfix/access
Restrict which clients may issue helo
helo: smtpd_helo_restrictions = check_helo_access mysql:/etc/postfix/mysql_user
Restrict which senders may send
mail from: smtpd_sender_restrictions =
Restrict which recipients may be sent to
rcpt to: smtpd_recipient_restrictions =
Restrict the data stage
data: smtpd_data_restrictions =
#vi /etc/postfix/main.cf
Add the following:
############################CYRUS-SASL############################
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_invalid_hostname,reject_non_fqdn_hostname,reject_unknown_sender_domain,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unauth_pipelining,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sasl_application_name = smtpd
smtpd_banner = Welcome to our $myhostname ESMTP,Warning: Version not Available!
#vim /usr/lib/sasl2/smtpd.conf
Add the following:
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
Have Postfix reload its configuration:
#/usr/sbin/postfix reload
# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 Welcome to our mail.magedu.com ESMTP,Warning: Version not Available!
ehlo mail.magedu.com
250-mail.magedu.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN    (make sure your output contains two lines like these)
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
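The smtpd_recipient_restrictions list added to main.cf above is walked in order, and the position of reject_unauth_destination is what stops the server from relaying for strangers. The following is an added Python model (not from the original post and not Postfix code) of that walk for the named restrictions this page uses; mynetworks and mydestination are the page's values, while the client 203.0.113.5 and the recipient addresses are constructed test data.

```python
import ipaddress

# Values taken from this page's main.cf; 203.0.113.5 and the recipient addresses
# used in the checks below are constructed test data.
MYNETWORKS = ["192.168.1.0/24", "127.0.0.0/8"]
MYDESTINATION = {"mail.mylinux.com", "localhost.mylinux.com", "localhost", "mylinux.com"}
# The subset of the page's smtpd_recipient_restrictions modelled here, in the page's order.
PAGE_RESTRICTIONS = [
    "permit_mynetworks", "permit_sasl_authenticated",
    "reject_non_fqdn_recipient", "reject_unauth_destination",
]

def in_mynetworks(client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net) for net in MYNETWORKS)

def evaluate(restrictions, client_ip, sasl_user, recipient):
    """Walk the list the way smtpd does: the first restriction that yields PERMIT or
    REJECT decides, anything else falls through; exhausting the list permits.
    Returns (verdict, deciding_restriction)."""
    domain = recipient.rpartition("@")[2]
    for name in restrictions:
        if name == "permit_mynetworks" and in_mynetworks(client_ip):
            return "PERMIT", name
        if name == "permit_sasl_authenticated" and sasl_user:
            return "PERMIT", name
        if name == "reject_non_fqdn_recipient" and "." not in domain:
            return "REJECT", name
        if name == "reject_unauth_destination" and domain not in MYDESTINATION:
            return "REJECT", name
    return "PERMIT", "end-of-list"

def is_open_relay(restrictions):
    """True when an unknown, unauthenticated client may relay to a foreign domain."""
    verdict, _ = evaluate(restrictions, "203.0.113.5", None, "hell@qq.com")
    return verdict == "PERMIT"

if __name__ == "__main__":
    print("page list is an open relay:", is_open_relay(PAGE_RESTRICTIONS))                  # False
    print("without reject_unauth_destination:", is_open_relay(PAGE_RESTRICTIONS[:2]))        # True
```

Swapping the order so that reject_unauth_destination comes before permit_mynetworks makes the model reject relaying even from the local network, which mirrors the order sensitivity of the real restriction lists.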
Lookup tables:
/etc/postfix/access    access control file --> hash format --> /etc/postfix/access.db
a@net.com reject       reject mail from this address
microsoft.com ok       accept
[root@mail mail]# postconf -m    list the supported lookup table types
btree
cidr
environ
hash
ldap
mysql
nis
pcre
proxy
regexp
static
unix
Implementation example
Here we demonstrate blocking the host 192.168.1.33 from sending mail through the Postfix service running on 192.168.1.51. The access table uses the hash format.
(1) First, edit /etc/postfix/access, the control file used for the client check, and define the following line in it:
172.16.100.200 REJECT
(2) Convert this file into hash format:
# postmap /etc/postfix/access
(3) Configure Postfix to check clients against this file
Edit /etc/postfix/main.cf and add the following parameter:
smtpd_client_restrictions = check_client_access hash:/etc/postfix/access
(4) Have Postfix reload its configuration, then test the effect of the sending restriction.
Implementation example
Here we demonstrate blocking mail sent through this server to the microsoft.com domain. The access table uses the hash format.
(1) First, create the file /etc/postfix/denydstdomains (any file name will do) and define the following line in it:
microsoft.com REJECT
(2) Convert this file into hash format:
# postmap /etc/postfix/denydstdomains
(3) Configure Postfix to check clients against this file
Edit /etc/postfix/main.cf and add the following parameter:
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/denydstdomains,
(4) Have Postfix reload its configuration, then test the effect of the sending restriction.
Rejecting by recipient (who may not be sent to)
----------------------------------------------------------------
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/denydstdomains, reject_unauth_destination,permit_mynetworks
-------------------------------------------------------------------------
Description of the lookup table format
hash-type lookup tables all use a format like the following:
pattern action
In a table file, blank lines, lines containing only whitespace, and lines beginning with # are ignored. A line that starts with whitespace followed by non-whitespace characters is treated as a continuation of the previous line and forms part of it.
(1) About the pattern
Patterns usually fall into two kinds of address: e-mail addresses and host names/addresses.
E-mail address patterns take the following forms:
user@domain    matches the specified e-mail address;
domain.tld     matches all e-mail addresses whose domain part is this domain;
user@          matches all e-mail addresses whose user part is this user;
Host name/address patterns take the following forms:
domain.tld     matches all hosts in the specified domain and its subdomains;
.domain.tld    matches all hosts in subdomains of the specified domain;
net.work.addr.ess
net.work.addr
net.work
net            matches a specific IP address or all hosts within the network;
network/mask   CIDR notation; matches all hosts in the specified network;
About the action
Accepting actions:
OK             accept the e-mail addresses or host names/addresses matched by the pattern;
an action made up entirely of digits implicitly means OK;
Rejecting actions (partial list):
4NN text
5NN text
where 4NN codes mean "try again later" and 5NN codes mean a permanent error, after which delivery of the message is no longer retried; 421 and 521 have special meaning to Postfix, so avoid defining these two codes yourself;
REJECT optional text...    reject; the text is optional;
DEFER optional text...     reject with a temporary failure; the text is optional;
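The pattern rules above and the two access-table examples before them become easier to reason about when the lookup order is written out. Here is an added Python model (not from the original post and not Postfix code) of how a hash: access map is consulted for an e-mail address, a host name, or an IPv4 address; the table entries are the ones shown on this page, and the network/mask form is left out.

```python
import ipaddress

# Access table entries reproduced from this page; keys and actions are compared
# case-insensitively, as the mixed case in the page's own examples suggests.
ACCESS_TABLE = {
    "a@net.com": "reject",
    "microsoft.com": "ok",
    "172.16.100.200": "REJECT",
}

def normalise_action(action):
    """An action made up entirely of digits implies OK; otherwise upper-case it."""
    action = action.strip()
    return "OK" if action.isdigit() else action.upper()

def address_keys(addr):
    """Lookup order for an e-mail address: user@domain, then domain, then user@."""
    user, _, domain = addr.partition("@")
    return [addr, domain, user + "@"]

def host_keys(host):
    """Lookup order for a host name: the full name, then each parent domain as
    'domain.tld' (domain and subdomains) and '.domain.tld' (subdomains only)."""
    labels = host.split(".")
    keys = [host]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys += [parent, "." + parent]
    return keys

def ip_keys(ip):
    """Lookup order for an IPv4 address: net.work.addr.ess, net.work.addr, net.work, net."""
    octets = ip.split(".")
    return [".".join(octets[:n]) for n in range(4, 0, -1)]

def lookup_access(table, key, kind):
    """Return the first matching action, or None when nothing in the table applies.
    kind is 'address' for MAIL FROM / RCPT TO values and 'host' for client names or IPs."""
    if kind == "address":
        candidates = address_keys(key)
    else:
        try:
            ipaddress.IPv4Address(key)      # raises ValueError for a host name
            candidates = ip_keys(key)
        except ValueError:
            candidates = host_keys(key)
    lowered = {k.lower(): v for k, v in table.items()}
    for cand in candidates:
        if cand.lower() in lowered:
            return normalise_action(lowered[cand.lower()])
    return None
```

With the page's table, lookup_access(ACCESS_TABLE, "smtp.microsoft.com", "host") returns "OK" through the parent-domain walk, while "172.16.100.201" returns None because only the exact address, not its network, is listed.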
Mail aliases.
[root@mail mail]# vim /etc/aliases
# Person who should get root's mail
#root: marc
a: haddop
b: haddop
[root@mail mail]# newaliases    reread the aliases
After enabling SASL authentication:
[root@mail mail]# echo -n "admin" |openssl base64
YWRtaW4=
[root@mail mail]# telnet 192.168.1.51 25
Trying 192.168.1.51...
Connected to 192.168.1.51.
Escape character is '^]'.
220 Welcome to our mail.mylinux.com ESMTP,Warning: Version not Available!
ehlo mail.mylinux.com
250-mail.mylinux.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
auth login
334 VXNlcm5hbWU6
YWRtaW4=
334 UGFzc3dvcmQ6
YWRtaW4=
235 2.7.0 Authentication successful
mail from:root@mylinux.com
250 2.1.0 Ok
rcpt to:hell@qq.com
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
hello
.
250 2.0.0 Ok: queued as 50821BFCB1
quit
221 2.0.0 Bye
This post is from the "运维成长路" blog; reproduction is not permitted.
Original URL: http://coolcl.blog.51cto.com/4514424/1836571