Linux Postfix mail service deployment

One. Background knowledge for mail deployment

1. The relationship between a mail server and DNS

  • The role of the MX and A records for a mail server
    Mail is addressed as "account@domain". Before the sending host can hand a message to the other side's mail server, the domain part of the address must be resolved through DNS.
    MX stands for Mail eXchanger. When a message is to be sent out, the mail host first looks up the MX records of the destination domain (note that a domain may publish several MX hosts) and tries delivery to the MX host with the highest priority (the lowest MX preference value) first. If delivery to every MX host fails, it tries the A record of the destination domain; only when that fails as well is the message returned to the sender with an error.
  • The role of reverse DNS resolution for a mail server
    When a mail server receives mail, it first performs a reverse lookup on the source IP. If the reverse lookup does not yield a registered host name, the message is classified as spam.
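The MX selection just described, as an added example that is not part of the original post: the function orders a domain's MX hosts by preference the way an MTA tries them, and falls back to the domain's own A record when no MX record exists. Its input is "preference host" lines in the format printed by `dig +short MX DOMAIN`; the records in the demo are constructed and no real DNS query is made.

```sh
#!/bin/sh
# Added example (not from the original post): order MX hosts the way an MTA
# tries them, lowest preference number first, and fall back to the domain's
# own A record when the domain publishes no MX at all. Input lines look like
# the output of "dig +short MX DOMAIN": "10 mx1.example.jet."
# The records fed in below are constructed for the demo.

# mx_delivery_order DOMAIN  (MX records on stdin) : print hosts in try order
mx_delivery_order() {
  # numeric sort on the preference, keep the host, drop the trailing dot
  order=$(sort -n | awk 'NF >= 2 { print $2 }' | sed 's/\.$//')
  if [ -z "$order" ]; then
    echo "$1"      # no MX record: deliver to the A record of the domain itself
  else
    echo "$order"
  fi
}

# Demo with constructed records: two MX hosts, lower preference tried first
printf '20 mx2.example.jet.\n10 mx1.example.jet.\n' | mx_delivery_order example.jet
# Demo with no MX records: the domain's A record is the only target
printf '' | mx_delivery_order nomx.example.jet
```

On a live host the same function can be fed with `dig +short MX "$domain" | mx_delivery_order "$domain"`; the constructed input above only stands in for that query.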

2. Components needed for mail transfer

  • MTA (Mail Transfer Agent): the server component that sends and relays mail; sending and relaying use the SMTP protocol.
  • MRA (Mail Retrieval Agent): the server component from which users retrieve their mail, using the POP3 or IMAP protocol.
  • MDA (Mail Delivery Agent): a small program hooked in under the MTA that analyses the headers or content of mail the MTA has received, for example to filter spam or send automatic replies.
  • Mailbox: the file that holds a given account's incoming mail; on Linux the default mailbox is /var/spool/mail/<account>.
  • MUA (Mail User Agent): users can log in to the mail server and send mail directly, or send and receive mail through an MUA; common MUAs are Outlook, Foxmail and so on.

3. The importance of relay control and authentication

If your MTA is configured badly enough to become an open relay and is actually connected to the Internet, the many idle port scanners on the Internet will discover within a short time that your MTA relays for anyone, and the senders of illegal advertising and pornographic spam will use your open-relay MTA to send their mail. So the open relay function must be closed, and relaying should be permitted only to authorized clients:

  • Predefine the IP addresses or network segments of particular clients, for example permit the internal LAN 192.168.1.0/24 to relay;
  • If the client's IP is not fixed (for example a dynamic IP obtained by dial-up), handle it with an authentication mechanism;
  • Set up an MUA on top of the MTA, for example a web-interface MUA such as OpenWebMail.

Two. Setting up an MTA server based on Postfix

1. Introduction to the Postfix software architecture

  • /etc/postfix/main.cf
    This is the main Postfix configuration file; almost all parameters are set in it. The default file is itself a complete description of the available settings, so you can refer to its contents when setting up your own Postfix MTA. Whenever you modify this file, remember to restart Postfix!
  • /etc/postfix/master.cf
    Specifies the operating parameters of each Postfix program, so it is also a very important configuration file. The default file is fine as it is, however, and you usually do not need to change it.
  • /etc/postfix/access (processed with postmap)
    Here you can specify which source or destination addresses are allowed to relay or are rejected outright. The file only takes effect when it is referenced from /etc/postfix/main.cf, and after editing it you must convert it into a database file with postmap!
  • /etc/aliases (processed with postalias or newaliases)
    Used for e-mail aliases; it can also define mail groups!
  • /usr/sbin/postconf (view the Postfix settings)
    This command lists your current Postfix settings in detail, including the system defaults, so the output is quite large! If you have modified certain parameters in main.cf and want to list only the non-default settings, use "postconf -n".
  • /usr/sbin/postfix (main daemon command)
    [root@www ~]# postfix check  <== check that the Postfix files and their permissions are correct
    [root@www ~]# postfix start  <== start Postfix
    [root@www ~]# postfix stop   <== stop Postfix
    [root@www ~]# postfix flush  <== force delivery of the mail currently in the queue!
    [root@www ~]# postfix reload <== re-read the configuration file, i.e. /etc/postfix/main.cf
  • /usr/sbin/postalias
    Builds the alias database. The MTA prefers database-format files for read performance, so the ASCII file has to be rebuilt as a database. In Postfix this command mainly converts /etc/aliases into /etc/aliases.db. Usage:
    [root@www ~]# postalias hash:/etc/aliases
    "hash" is the database format; /etc/aliases.db is then updated automatically.
  • /usr/sbin/postcat
    Mainly used to inspect the contents of a message in the queue. Queued messages are stored in a format meant for the MTA, not as text a human can read directly, so postcat is needed to view them. Suppose the queue directory /var/spool/postfix contains a file deferred/abcfile; you can inspect its contents like this:
    [root@www ~]# postcat /var/spool/postfix/deferred/abcfile
  • /usr/sbin/postmap
    Usage is similar to postalias, but this command is mainly used to convert the access file into a database:
    [root@www ~]# postmap hash:/etc/postfix/access
  • /usr/sbin/postqueue
    Output similar to mailq; for example, enter "postqueue -p" to view the queue.

2. Syntax of the main Postfix configuration file

  • "#" marks a comment;
  • Every setting is written like a variable assignment, such as myhostname = www.centos.jet. Put a space on both sides of the equals sign, and the first character of the line must not be blank, i.e. "my..." starts in the first column;
  • "$" expands a variable: with the setting above, myorigin = $myhostname is equivalent to myorigin = www.centos.jet;
  • If a variable takes two or more values, separate them with spaces; a comma followed by a space is recommended. For example mydestination = $myhostname, $mydomain, linux.centos.jet means mydestination covers those three values;
  • A setting may span several lines: end the first line with a comma and begin the next line with whitespace, and that line continues the data of the first (hence the earlier point that a new setting must never begin with a blank);
  • If the same item is set more than once, the value that appears last wins!
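The syntax rules above, turned into a small resolver as an added example (this is not code from the original post, and on a real host `postconf -n` already does this job): it reads a main.cf-style file, ignores comments, joins continuation lines, lets a later assignment override an earlier one, and expands `$name` references. The sample file it writes is constructed from the settings used in this post.

```sh
#!/bin/sh
# Added example (not from the original post): compute the effective value of
# a main.cf parameter following the syntax rules of section 2: '#' comments,
# "name = value" with the name in column 1, $name references to other
# parameters, continuation lines that start with whitespace, and "the last
# setting wins". write_sample_main_cf writes a constructed sample; on a real
# host you would point main_cf_value at /etc/postfix/main.cf.

write_sample_main_cf() {
  cat > "$1" <<'EOF'
# constructed sample built from the settings used in this post
myhostname = www.centos.jet
mydomain = centos.jet
myorigin = $myhostname
mydestination = $myhostname, $mydomain,
    linux.centos.jet
inet_interfaces = localhost
inet_interfaces = all
EOF
}

# main_cf_value FILE PARAMETER : print the expanded value (nothing if unset)
main_cf_value() {
  awk -v want="$2" '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    # Expand $name references recursively; the depth guard stops a = $a loops.
    function expand(s, depth,   pre, ref, rest, rep, out) {
      if (depth > 10) return s
      out = ""
      while (match(s, /\$[A-Za-z_][A-Za-z0-9_]*/)) {
        pre  = substr(s, 1, RSTART - 1)
        ref  = substr(s, RSTART + 1, RLENGTH - 1)
        rest = substr(s, RSTART + RLENGTH)
        rep  = (ref in val) ? expand(val[ref], depth + 1) : ""
        out  = out pre rep
        s    = rest
      }
      return out s
    }
    # a line starting with whitespace continues the previous parameter
    /^[ \t]+[^ \t#]/ { if (last != "") val[last] = val[last] " " trim($0); next }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
    {
      eq = index($0, "=")
      if (eq == 0) next
      name = trim(substr($0, 1, eq - 1))
      val[name] = trim(substr($0, eq + 1))     # a later line overrides an earlier one
      last = name
    }
    END { if (want in val) print expand(val[want], 0) }
  ' "$1"
}

sample=$(mktemp)
write_sample_main_cf "$sample"
for p in myhostname myorigin mydestination inet_interfaces; do
  printf '%s = %s\n' "$p" "$(main_cf_value "$sample" "$p")"
done
rm -f "$sample"
```

Running it shows mydestination resolving to `www.centos.jet, centos.jet, linux.centos.jet` and inet_interfaces to `all`, the second of the two assignments: exactly the two rules that most often bite when a main.cf has grown by copy and paste.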

3. Configuring Postfix as an MTA: the main settings

  • myhostname: the host name, as an FQDN
    This sets your host name, and many of the other parameters refer to it, so it must be set correctly, as the complete host name. In this exercise it should be set to: myhostname = www.centos.jet. There is also a related setting, mydomain, which by default takes the part of $myhostname after the first "."; with the setting above, the default mydomain is centos.jet! You can also set it yourself.

  • myorigin: the "source host" shown on outgoing mail
    This sets the domain used in the "mail from" address in the header; mail sent out by this MTA carries this value! If a locally submitted message does not specify a Mail from address, this value is used. By default it is based on $myhostname, for example: myorigin = $myhostname

  • inet_interfaces: the interfaces Postfix listens on (very important)
    By default Postfix listens only on the loopback interface lo (127.0.0.1). If you want it reachable from the whole Internet, open the external interface or all interfaces; the common setting is: inet_interfaces = all. Because a repeated setting takes the value that appears last, it is best to keep only one inet_interfaces line!

  • inet_protocols: the IP protocols Postfix listens on
    By default Postfix on CentOS listens on both IPv4 and IPv6. If your network is IPv4-only, specify inet_protocols = ipv4 directly and you will no longer see ::1 addresses appearing!

  • mydestination: the host names for which this host accepts mail (very important)

    • This setting is very important! Your host has several names, so which of them may the other side write as the domain of an address that you will accept? This is where they are specified: of your many host names, only those listed here are accepted as the domain part of an e-mail address. The usual form is: mydestination = $myhostname, $mydomain
    • If you want to move this list to an external file, you can write: mydestination = /etc/postfix/local-host-names and put the accepted host names in local-host-names. In general we do not recommend creating a separate local-host-names file; write the names directly into main.cf! Pay special attention: if your DNS has an MX record, the host name the MX points to must be listed in mydestination, otherwise errors are likely! This setting is where local users most commonly make mistakes!
  • mynetworks_style: how the "trusted network segment" is determined
    Specifies which clients are trusted because they are "in the same network as this host". Keep the default, since we set the trusted clients explicitly in mynetworks.

  • mynetworks: the trusted clients (very important)
    This is the setting most relevant to whether your MTA can be used as a relay! For example, to permit this machine and the internal IP range, set: mynetworks = 127.0.0.0/8, 192.168.100.0/24. If you also want to control relaying per client through /etc/postfix/access, rewrite the above as: mynetworks = 127.0.0.0/8, 192.168.100.0/24, hash:/etc/postfix/access. Then, once you have created access and converted it into a database, the clients it lists can relay!

  • relay_domains: the downstream MTA hosts this MTA relays for

    • Whereas mynetworks is about "trusted clients", relay_domains is about "downstream MTA servers". For example, if this host is the MX host for www.niki.centos.jet, then relay_domains must be set so that this host forwards mail for the whole niki.centos.jet domain. By default this setting is $mydestination.
    • Note that "by default Postfix does not forward mail for an MX host". That is: if you have two hosts, an upstream MTAup and a downstream MTAdown, and MTAdown's MX host is MTAup, then because the DNS MX record determines the delivery direction, every message addressed to MTAdown goes through MTAup first! If MTAup does not grant MTAdown relay permission at this point, every message addressed to MTAdown is bounced by MTAup, and MTAdown receives no mail at all.
    • Think this through carefully: if your company has downstream mail servers, as large companies do, and MX records are set up accordingly, then relay_domains is very important and the upstream MTA host must enable it. Generally speaking, unless your MTA is the MX host of an organization, this setting can be left alone. It can also be set if you want to help your clients forward mail to a particular MTA host of an organization. Otherwise keep the default value.
  • alias_maps: mail aliases
    Sets up mail aliases; just point it at the correct file. This setting can be left at its default.
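The relay decision that the relay section (One.3) and the mynetworks setting describe, as an added example that is not part of the original post: given the mynetworks list from this post's configuration, the functions decide whether a connecting client address is trusted the way permit_mynetworks would treat it. The client addresses in the demo are constructed; the access-table part of the real decision is not modelled here.

```sh
#!/bin/sh
# Added example (not from the original post): check whether a client's IPv4
# address falls inside the trusted mynetworks list, which is the test
# permit_mynetworks applies before allowing a client to relay. MYNETWORKS is
# the value from this post's main.cf; the client addresses tried at the bottom
# are constructed.

MYNETWORKS="127.0.0.0/8, 192.168.100.0/24"

# Dotted quad -> 32-bit integer, e.g. 192.168.100.7 -> 3232261127
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDRESS NETWORK[/BITS] : true when ADDRESS lies in the network.
# A network given without /BITS is a single host, i.e. /32.
in_cidr() {
  ip=$(ip2int "$1")
  netaddr=$(ip2int "${2%/*}")
  case "$2" in
    */*) bits=${2#*/} ;;
    *)   bits=32 ;;
  esac
  mask=$(( bits == 0 ? 0 : (0xffffffff << (32 - bits)) & 0xffffffff ))
  [ $(( ip & mask )) -eq $(( netaddr & mask )) ]
}

# relay_allowed ADDRESS : true when the address matches any mynetworks entry
relay_allowed() {
  for n in $(printf '%s' "$MYNETWORKS" | tr ',' ' '); do
    if in_cidr "$1" "$n"; then return 0; fi
  done
  return 1
}

# Demo: two trusted clients, one outside the LAN, one on the wrong /24
for client in 192.168.100.7 127.0.0.1 10.1.30.50 192.168.101.20; do
  if relay_allowed "$client"; then
    echo "$client: trusted by mynetworks, may relay"
  else
    echo "$client: not trusted; relaying needs authentication or an access entry"
  fi
done
```

The point of the last two demo addresses is the one the post makes about open relays: anything not covered by mynetworks (or by an OK entry in the access map) must not be able to relay, so a dial-up user with a changing address has to authenticate instead of being added to the list.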

4. Configuring the MTA to receive mail

An example MTA configuration

# Before configuring, make sure the iptables rules are in place and SELinux has been disabled; on CentOS 7, firewalld must be disabled as well.
iptables -A INPUT -p TCP -i $EXTIF --dport 25 --sport 1024:65534 -j ACCEPT

[root@www ~]# vim /etc/postfix/main.cf
myhostname = www.centos.jet
myorigin = $myhostname
inet_interfaces = all
inet_protocols = ipv4
mydestination = $myhostname, $mydomain
mynetworks = 127.0.0.0/8, 192.168.100.0/24, hash:/etc/postfix/access
relay_domains = $mydestination
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
# Leave the other settings at their defaults for now!

# Build the access and alias database files
[root@www ~]# postmap hash:/etc/postfix/access
[root@www ~]# postalias hash:/etc/aliases
# Check the configuration file for syntax errors
[root@www ~]# /etc/init.d/postfix check   <== no output means no problems.

# Start Postfix and check the port number
[root@www ~]# /etc/init.d/postfix restart

Suppose you want to add a filtering mechanism to the MTA

[root@www ~]# vim /etc/postfix/access
10.1.30.50      OK
.edu.com        OK
av.com          REJECT
192.168.2.      REJECT
# OK means accept, REJECT means refuse.

[root@www ~]# postmap hash:/etc/postfix/access
[root@www ~]# ls -l /etc/postfix/access*
# Postfix does not need to be restarted; regenerating the database file is enough for the change to take effect.

Alias configuration (configured by root)

# Purpose: deliver a copy of mail addressed to these system accounts to root.
[root@www ~]# vim /etc/aliases
mailer-daemon:  postmaster
postmaster:     root
bin:            root
daemon:         root
# The left side is the system account, i.e. the alias being defined; the right side is the root account, which actually receives the mail.
# If your MTA has a real account named dmtsai and this user also wants to receive mail under the name dermintsai, do this:
[root@www ~]# vim /etc/aliases
dermintsai:     dmtsai
# The left side is the extra name you define; the right side is the account that actually receives the mail!

[root@www ~]# postalias hash:/etc/aliases
# Mail for root is delivered to both root and dmtsai:
[root@www ~]# vim /etc/aliases
root:           root,dmtsai
[root@www ~]# postalias hash:/etc/aliases
# Create a mail group
[root@www ~]# vim /etc/aliases
student2011:    std001,std002,std003,std004...
[root@www ~]# postalias hash:/etc/aliases
# Besides real users on this host, an alias can also point to an e-mail address on an external host!
# For example, to deliver mail for the non-existent local user dermintsai to dmtsai and also forward it to [email protected], do this:
[root@www ~]# vim /etc/aliases
dermintsai:     dmtsai,[email protected]
[root@www ~]# postalias hash:/etc/aliases
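To see where mail for a name really ends up once these entries are in place, here is an alias resolver as an added example (not code from the original post): it follows alias chains, treats an alias that lists itself, as `root: root,dmtsai` does, as delivery to that user's own mailbox rather than a loop, and stops on any other loop. The aliases file it writes is constructed from the entries above, with `user@external.example` standing in for the external address.

```sh
#!/bin/sh
# Added example (not from the original post): expand a recipient through an
# aliases(5) table the way local delivery does, so the effect of the entries
# in this section can be checked. Rules implemented:
#   - chains are followed: mailer-daemon -> postmaster -> root
#   - an alias that lists itself ("root: root,dmtsai") delivers to that
#     user's own mailbox instead of recursing
#   - a name with no alias entry is a final mailbox or external address
#   - any other loop (a: b / b: a) is detected and skipped
# The sample file is constructed; user@external.example is a placeholder.

write_sample_aliases() {
  cat > "$1" <<'EOF'
# constructed /etc/aliases sample based on the entries in this post
mailer-daemon:  postmaster
postmaster:     root
bin:            root
root:           root,dmtsai
dermintsai:     dmtsai,user@external.example
student2011:    std001,std002,std003
EOF
}

# expand_alias FILE RECIPIENT : print one final destination per line
expand_alias() {
  awk -v start="$2" '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    function deliver(name,   n, parts, i, r) {
      if (!(name in alias)) {                  # real mailbox or external address
        if (!(name in seen)) { seen[name] = 1; print name }
        return
      }
      n = split(alias[name], parts, ",")
      for (i = 1; i <= n; i++) {
        r = trim(parts[i])
        if (r == name) {                       # alias names itself: its own mailbox
          if (!(r in seen)) { seen[r] = 1; print r }
        } else if (!(r in visiting)) {         # visiting[] guards against loops
          visiting[r] = 1; deliver(r); delete visiting[r]
        }
      }
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
    {
      c = index($0, ":")
      if (c == 0) next
      alias[trim(substr($0, 1, c - 1))] = trim(substr($0, c + 1))
    }
    END { visiting[start] = 1; deliver(start) }
  ' "$1"
}

sample=$(mktemp)
write_sample_aliases "$sample"
for rcpt in mailer-daemon root dermintsai student2011 dmtsai; do
  printf '%s -> %s\n' "$rcpt" "$(expand_alias "$sample" "$rcpt" | tr '\n' ' ')"
done
rm -f "$sample"
```

Running it shows that mailer-daemon, postmaster and root all end up in the mailboxes of root and dmtsai, which is exactly why the `root: root,dmtsai` entry matters: without root listing itself, root's own copy would disappear.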

Personal mail redirection (ordinary user): ~/.forward

# An ordinary user wants a copy of their own mail delivered to jet and to [email protected] as well.
[dmtsai@www ~]$ vim .forward
# Note: I am now the ordinary user dmtsai, working in his home directory!
dmtsai
jet
[email protected]
[dmtsai@www ~]$ chmod 644 .forward
# The user's home directory containing this file must not be writable by group or other.
# The .forward file itself must not be writable by group or other.

6. MTA maintenance commands

[root@www ~]# postqueue -p   # view the MTA mail queue
[root@www ~]# cd /var/spool/postfix/maildrop
[root@www maildrop]# postcat 5CFBB21DB  <== this file name is the Queue ID
[root@www ~]# /etc/init.d/postfix restart
[root@www ~]# postfix flush

Three. Postfix MRA server settings

1. Unencrypted MRA setup

[root@www ~]# yum install dovecot
[root@www ~]# vim /etc/dovecot/dovecot.conf
# Find the following line (around line 25), copy it and add a new line with this content:
#protocols = imap pop3 lmtp
protocols = imap pop3
[root@www ~]# vim /etc/dovecot/conf.d/10-ssl.conf
ssl = no   <== change line 6 to this!
[root@www ~]# /etc/init.d/dovecot start
[root@www ~]# chkconfig dovecot on
[root@www ~]# netstat -tlnp | grep dovecot
Proto Recv-Q Send-Q Local Address   Foreign Address   State    PID/Program name
tcp        0      0 :::110          :::*              LISTEN   14343/dovecot
tcp        0      0 :::143          :::*              LISTEN   14343/dovecot

2. Encrypted MRA setup

# 1. Create the certificate: build the required pem certificate file in the system-provided /etc/pki/tls/certs/ directory (the ssl_cert and ssl_key settings in step 3 reference it under /etc/pki/dovecot/, so the file must end up where those settings point):
[root@www ~]# cd /etc/pki/tls/certs/
[root@www certs]# make vbirddovecot.pem
....(earlier output omitted)....
Country Name (2 letter code) [XX]:China
State or Province Name (full name) []:China
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:mail.centos.jet
Email Address []:[email protected]

# 2. To avoid SELinux problems, disable SELinux, and configure the iptables rules
iptables -A INPUT -p TCP -i $EXTIF --dport 993  --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i $EXTIF --dport 995  --sport 1024:65534 -j ACCEPT

# 3. Now edit the Dovecot configuration: only pop3s and imaps, no plaintext transmission!
[root@www certs]# vim /etc/dovecot/conf.d/10-auth.conf
disable_plaintext_auth = yes  <== change line 9 to this and uncomment it!
[root@www certs]# vim /etc/dovecot/conf.d/10-ssl.conf
ssl = required                                <== change line 6 to this
ssl_cert = </etc/pki/dovecot/vbirddovecot.pem <== lines 12 and 13 become this
ssl_key =  </etc/pki/dovecot/vbirddovecot.pem

[root@www certs]# vim /etc/dovecot/conf.d/10-master.conf
  inet_listener imap {
    port = 0     <== change line 15 to this
  }
  inet_listener pop3 {
    port = 0     <== change line 36 to this
  }

# 4. Set the extra mail_location value! This is important; otherwise retrieving mail over the network fails:
[root@www certs]# vim /etc/dovecot/conf.d/10-mail.conf
mail_location = mbox:~/mail:INBOX=/var/mail/%u <== change line 30 to this

# 5. Restart Dovecot and observe how the ports change:
[root@www certs]# /etc/init.d/dovecot restart
[root@www certs]# netstat -tlnp | grep dovecot
Proto Recv-Q Send-Q Local Address  Foreign Address   State    PID/Program name
tcp        0      0 :::993         :::*              LISTEN   14527/dovecot
tcp        0      0 :::995         :::*              LISTEN   14527/dovecot

Source: www.cnblogs.com/wangzengyi/p/12551520.html