Eric's Hexo Space

[Notes] CentOS LAMP Postfix Postfixadmin Virtual Mail Multi Domain SASL TLS SSL Dovecot MySQL

This post was published 696 days ago; its content may be out of date. If in doubt, contact the author.

CentOS LAMP Postfix Postfixadmin Virtual Mail Multi Domain SASL TLS SSL Dovecot MySQL installation steps, collected in one place

System basics


Check that the hostname is set correctly; if hostname -f does not return the expected result, edit /etc/hosts.

##### Install the small tools that will be needed

yum install epel-release ; yum list > yum.txt
yum install ftp traceroute telnet vim joe lynx bind-utils wget openssl ntpdate mail

##### Set the time zone
cp /usr/share/zoneinfo/Asia/Taipei /etc/localtime
ntpdate time.stdtime.gov.tw

Add to crontab (run every 10 minutes)

*/10 * * * * ntpdate time.stdtime.gov.tw > /dev/null 2>&1

Or install the ntp service directly

yum install -y ntp

vim /etc/ntp.conf

Add

restrict 192.168.10.0 mask 255.255.255.0

server  time.stdtime.gov.tw     iburst
server  192.168.10.243  iburst

service ntpd restart

 

##### Disable SELinux

vim /etc/sysconfig/selinux

SELINUX=disabled

##### Stop the firewall service; turn it back on when needed #####

service iptables stop

chkconfig --level 235 iptables off

#### Reboot the system so the SELinux change takes effect

reboot


LAMP

## MYSQL 5 ##
yum install mysql mysql-server
chkconfig --levels 235 mysqld on
/etc/init.d/mysqld start
/usr/bin/mysql_secure_installation

## APACHE 2 ##
yum install httpd
chkconfig --levels 235 httpd on

## Edit the ServerName parameter in httpd.conf ##
vim /etc/httpd/conf/httpd.conf
ServerName localhost:80
service httpd start
check http://ip_address

## PHP ##
yum install php php-gd php-mbstring php-mysql mod_ssl php-imap -y

## Add a PHP file in /var/www/html to check that PHP works ##
vim /var/www/html/1.php
<?php
phpinfo();
?>
lynx localhost/1.php

 

########## Enable HTTPS ######

yum install -y openssl mod_ssl

service httpd restart

Apache supposedly ships two certificate files by default, under /etc/pki/tls/certs and /etc/pki/tls/private, named localhost.crt and localhost.key, so the Apache config would just be pointed at those two files.

Correction

There is no such pre-made certificate, so you still have to create one yourself

openssl genrsa -out ms.abc.com.key 1024
openssl req -new -key ms.abc.com.key -out ms.abc.com.csr
openssl x509 -req -days 3650 -in ms.abc.com.csr -signkey ms.abc.com.key -out ms.abc.com.crt

mv ms.abc.com.crt /etc/pki/tls/certs/

mv ms.abc.com.key /etc/pki/tls/private/

vim /etc/httpd/conf.d/ssl.conf

Find the SSLCertificateFile and SSLCertificateKeyFile parameters

and set them to the paths of the certificate and key

SSLCertificateFile /etc/pki/tls/certs/ms.abc.com.crt

SSLCertificateKeyFile /etc/pki/tls/private/ms.abc.com.key

Restart Apache

service httpd restart

Open the https page to test

https://ip_address

At first you should get a certificate error page; this is because our certificate is self-signed rather than issued by a third-party CA. Never mind, as long as it works~

Otherwise you would have to pay for one..


##date.timezone
vim /etc/php.ini
date.timezone = Asia/Taipei
service httpd restart

## LAMP DONE


POSTFIX

## POSTFIX / DOVECOT ##

Cyrus

yum -y install cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 cyrus-sasl-plain

##### Generate SSL Sign Key #####

openssl genrsa -des3 -out ms.abc.com.key 2048
chmod 600 ms.abc.com.key
openssl req -new -key ms.abc.com.key -out ms.abc.com.csr
openssl x509 -req -days 3650 -in ms.abc.com.csr -signkey ms.abc.com.key -out ms.abc.com.crt
openssl rsa -in ms.abc.com.key -out ms.abc.com.key.nopass
mv -f ms.abc.com.key.nopass ms.abc.com.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
chmod 600 ms.abc.com.key
chmod 600 cakey.pem
mkdir /etc/ssl/private
mv ms.abc.com.key /etc/ssl/private/
mv ms.abc.com.crt /etc/ssl/certs/
mv cakey.pem /etc/ssl/private/
mv cacert.pem /etc/ssl/certs/
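The steps above create the key and certificate by hand. The script below is an added example (not from the original post) that does the same in one function and then checks, before anything is moved under /etc/ssl, that the key and certificate actually belong together and that the certificate is not about to expire. It assumes the openssl command-line tool is installed; the host name and output directory in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): create a self-signed key/cert pair
# and verify it before installing it. Assumes the openssl CLI is available.
set -eu

# make_selfsigned <hostname> <outdir> [days]
# Writes <outdir>/<hostname>.key (unencrypted, 0600) and <outdir>/<hostname>.crt.
make_selfsigned() {
    host=$1; outdir=$2; days=${3:-3650}
    mkdir -p "$outdir"
    umask 077                       # key and cert are created readable by owner only
    # the post strips the passphrase again anyway, so generate the key without one
    openssl genrsa -out "$outdir/$host.key" 2048 2>/dev/null
    # req config file: works on old and new OpenSSL alike (no -addext needed)
    cat > "$outdir/$host.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = $host
[v3_req]
subjectAltName = DNS:$host
EOF
    openssl req -new -x509 -days "$days" -key "$outdir/$host.key" \
        -out "$outdir/$host.crt" -config "$outdir/$host.cnf" 2>/dev/null
}

# keypair_matches <key> <cert>: true if the cert carries the public key of <key>
keypair_matches() {
    # both files must parse, otherwise hashing empty input would "match"
    openssl pkey -in "$1" -noout 2>/dev/null || return 1
    openssl x509 -in "$2" -noout 2>/dev/null || return 1
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
    [ "$k" = "$c" ]
}

# cert_valid_for <cert> <days>: true if the cert does not expire within <days>
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# usage: sh mkcert.sh ms.abc.com /tmp/certs   (then mv into /etc/ssl as above)
if [ -n "${1:-}" ]; then
    make_selfsigned "$1" "${2:-.}"
    keypair_matches "${2:-.}/$1.key" "${2:-.}/$1.crt" && echo "key and cert match"
    cert_valid_for "${2:-.}/$1.crt" 30 && echo "valid for at least 30 more days"
fi
```

The key is written with umask 077, so the chmod 600 step is not needed afterwards; the same keypair_matches check is worth running against whatever ends up in smtpd_tls_key_file and smtpd_tls_cert_file, since Postfix logs a warning and serves no TLS at all when the two do not match.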

##### Add TLS Settings to /etc/postfix/main.cf #####

postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/ssl/private/ms.abc.com.key'
postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/ms.abc.com.crt'
postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'
postconf -e 'myhostname = ms.abc.com'
postconf -e 'mydomain = abc.com'

##### /etc/postfix/main.cf should look like this #####

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailbox_command =
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = abc.com
myhostname = ms.abc.com
mynetworks = 127.0.0.0/8
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination


##### POSTFIX CONFIG #####
postconf -e 'inet_interfaces = all'
postconf -e 'mynetworks = 127.0.0.0/8'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'mailbox_command ='

######### SASL ##############
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_path = private/auth'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'smtpd_sasl_type = dovecot'

##### TLS , check the cert file location #####

smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/ssl/certs/ms.abc.com.crt
smtpd_tls_key_file = /etc/ssl/private/ms.abc.com.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom

### Virtual Mail ###

##### Create cf files #####

vim /etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf

user = postfixadmin
password = postfixadmin
hosts = localhost
dbname = mail
query = SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' and alias.address = CONCAT('@', alias_domain.target_domain) AND alias.active = 1 AND alias_domain.active='1'


vim /etc/postfix/sql/mysql_virtual_alias_domain_maps.cf

user = postfixadmin
password = postfixadmin
hosts = localhost
dbname = mail
query = SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' and alias.address = CONCAT('%u', '@', alias_domain.target_domain) AND alias.active = 1 AND alias_domain.active='1'


vim /etc/postfix/sql/mysql_virtual_domains_maps.cf

user = postfixadmin
password = postfixadmin
hosts = localhost
dbname = mail
query = SELECT domain FROM domain WHERE domain='%s' AND active = '1'


vim /etc/postfix/sql/mysql_virtual_mailbox_maps.cf

user = postfixadmin
password = postfixadmin
hosts = localhost
dbname = mail
query = SELECT maildir FROM mailbox WHERE username='%s' AND active = '1'


vim /etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf

user = postfixadmin
password = postfixadmin
hosts = localhost
dbname = mail
query = SELECT maildir FROM mailbox,alias_domain WHERE alias_domain.alias_domain = '%d' and mailbox.username = CONCAT('%u', '@', alias_domain.target_domain) AND mailbox.active = 1 AND alias_domain.active='1'


vim /etc/postfix/sql/mysql_virtual_alias_maps.cf

user = postfixadmin
password = postfixadmin
hosts = localhost
dbname = mail
query = SELECT goto FROM alias WHERE address='%s' AND active = '1'

#expansion_limit = 100


vim /etc/postfix/sql/mysql_virtual_mailbox_limit_maps.cf

user = postfixadmin
password = postfixadmin
hosts = localhost
dbname = mail
query = SELECT quota FROM mailbox WHERE username='%s' AND active = '1'
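Every one of these .cf files carries the database password in clear text, and a plain vim edit usually leaves them world-readable (0644). The script below is an added example, not part of the original post: it checks a directory of Postfix MySQL map files for that, and for the keys each file needs (user, password, hosts, dbname, query). Instead of touching /etc/postfix/sql it builds two constructed sample files in a temporary directory; on a real server, run check_sql_maps /etc/postfix/sql.

```shell
#!/bin/sh
# Added example (not from the original post): find Postfix MySQL map files that
# leak the DB password to every local user, or that are missing required keys.
set -eu

# cf_missing_keys <file>: prints each required key that the file lacks
cf_missing_keys() {
    for k in user password hosts dbname query; do
        grep -Eq "^[[:space:]]*${k}[[:space:]]*=" "$1" || echo "$k"
    done
}

# world_readable <file>: true if "other" has read permission.
# Column 8 of "ls -l" is the other-read bit on both GNU and BSD userland.
world_readable() {
    bit=$(ls -l "$1" | cut -c8)
    [ "$bit" = "r" ]
}

# check_sql_maps <dir>: prints "<file>: <problem>" per finding; empty output = clean
check_sql_maps() {
    for f in "$1"/*.cf; do
        [ -f "$f" ] || continue
        if world_readable "$f"; then
            echo "$f: world-readable (holds the DB password; chgrp postfix + chmod 640)"
        fi
        for k in $(cf_missing_keys "$f"); do
            echo "$f: missing key '$k'"
        done
    done
    return 0
}

# make_sample_maps <dir>: two constructed files, one left 0644 as a plain vim
# edit would, one without a password line. Not copies of any real server's files.
make_sample_maps() {
    mkdir -p "$1"
    cat > "$1/mysql_virtual_mailbox_maps.cf" <<'EOF'
user = postfixadmin
password = postfixadmin
hosts = localhost
dbname = mail
query = SELECT maildir FROM mailbox WHERE username='%s' AND active = '1'
EOF
    chmod 644 "$1/mysql_virtual_mailbox_maps.cf"
    cat > "$1/mysql_virtual_domains_maps.cf" <<'EOF'
user = postfixadmin
hosts = localhost
dbname = mail
query = SELECT domain FROM domain WHERE domain='%s' AND active = '1'
EOF
    chmod 640 "$1/mysql_virtual_domains_maps.cf"
}

# usage on a real box: check_sql_maps /etc/postfix/sql
```

Postfix reads these maps through proxy:mysql, i.e. via the proxymap daemon, so root:postfix 0640 is enough for the mail system itself; no other local account needs to read them.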


postconf -e 'virtual_alias_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf'
postconf -e 'virtual_gid_maps = static:5000'
postconf -e 'virtual_mailbox_base = /home/vmail'
postconf -e 'virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf'
postconf -e 'virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf'
postconf -e 'virtual_transport = virtual'
postconf -e 'virtual_uid_maps = static:5000'

Others

postconf -e 'unknown_local_recipient_reject_code = 550'


##### add vmail user/group for virtual mail; the uid must be the same as in main.cf #####

groupadd -g 5000 vmail
useradd -g vmail -u 5000 vmail -d /home/vmail
chown vmail:vmail /home/vmail
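Two things in the Postfix settings above are worth checking mechanically rather than by eye: the TLS/SASL values (smtpd_tls_auth_only = no together with smtpd_sasl_security_options = noanonymous lets a client authenticate before STARTTLS, i.e. send its password in clear), and that the vmail uid/gid just created really match virtual_uid_maps / virtual_gid_maps. The script below is an added example, not part of the original post; it parses a main.cf-style file with awk and runs against a constructed sample built from the values on this page. On a real server point it at /etc/postfix/main.cf and pass $(id -u vmail) and $(id -g vmail).

```shell
#!/bin/sh
# Added example (not from the original post): audit the main.cf settings that
# decide whether SMTP AUTH can happen in clear, and check the vmail uid/gid maps.
set -eu

# maincf_get <file> <param>: value of "param = value" (last occurrence wins, as in Postfix)
maincf_get() {
    awk -v p="$2" '
        BEGIN { re = "^[ \t]*" p "[ \t]*$" }
        /^[ \t]*#/ { next }                      # comment line
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            if (key ~ re) {
                val = substr($0, index($0, "=") + 1)
                sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
                last = val
            }
        }
        END { print last }' "$1"
}

# audit_auth <main.cf>: one finding per line; empty output means nothing found
audit_auth() {
    f=$1
    if [ "$(maincf_get "$f" smtpd_tls_auth_only)" != "yes" ]; then
        echo "smtpd_tls_auth_only is not 'yes': AUTH is offered before STARTTLS, so a client may send its password in clear"
    fi
    case "$(maincf_get "$f" smtpd_sasl_security_options)" in
        *noplaintext*) ;;
        *) echo "smtpd_sasl_security_options lacks noplaintext: PLAIN/LOGIN allowed on non-TLS sessions (add it here; keep only noanonymous in smtpd_sasl_tls_security_options)" ;;
    esac
    if [ "$(maincf_get "$f" smtpd_use_tls)" != "yes" ] && [ -z "$(maincf_get "$f" smtpd_tls_security_level)" ]; then
        echo "STARTTLS not offered: set smtpd_tls_security_level = may (or smtpd_use_tls = yes on old Postfix)"
    fi
    case "$(maincf_get "$f" smtpd_recipient_restrictions)" in
        *reject_unauth_destination*|*defer_unauth_destination*) ;;
        *) echo "smtpd_recipient_restrictions lacks reject_unauth_destination: relaying is not limited to authenticated/local clients" ;;
    esac
    return 0
}

# vmail_ids_ok <main.cf> <uid> <gid>: true if the static maps name exactly these ids
vmail_ids_ok() {
    [ "$(maincf_get "$1" virtual_uid_maps)" = "static:$2" ] &&
    [ "$(maincf_get "$1" virtual_gid_maps)" = "static:$3" ]
}

# write_sample_maincf <path>: constructed excerpt using the values from this page
write_sample_maincf() {
    cat > "$1" <<'EOF'
# constructed main.cf excerpt (sample only)
smtpd_use_tls = yes
smtpd_tls_auth_only = no
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
mynetworks = 127.0.0.0/8
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
EOF
}

# usage on a real box:
#   audit_auth /etc/postfix/main.cf
#   vmail_ids_ok /etc/postfix/main.cf "$(id -u vmail)" "$(id -g vmail)" || echo "uid/gid mismatch"
```

Against the sample the audit reports two findings, both coming from the values the post sets: smtpd_tls_auth_only = no and the missing noplaintext. The Dovecot side has the matching switch (disable_plaintext_auth in 10-auth.conf), so the same question has to be asked there.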


############### MYSQL ###############

mysql -u root -p
create database mail;
create user 'postfixadmin'@'localhost' identified by 'postfixadmin';
grant all privileges on mail.* to 'postfixadmin'@'localhost';
flush privileges;
quit


#########Postfixadmin ###################

wget http://nchc.dl.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin-2.93/postfixadmin-2.93.tar.gz
tar zxvf postfixadmin-2.93.tar.gz
mv postfixadmin-2.93 postfixadmin
mv postfixadmin /var/www/html/
cd /var/www/html/postfixadmin
vim config.inc.php
$CONF['configured'] = false;  --> $CONF['configured'] = true;
$CONF['database_type'] = 'mysqli';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'postfix';  --> $CONF['database_user'] = 'postfixadmin';
$CONF['database_password'] = 'postfixadmin';
$CONF['database_name'] = 'postfix'; --> $CONF['database_name'] = 'mail';

open http://ip_address/postfixadmin/setup.php
Error: Smarty template compile directory templates_c is not writable.
Please make it writable.
If you are using SELinux or AppArmor, you might need to adjust their setup to allow write access.

chmod a+rw -R /var/www/html/postfixadmin/templates_c
open http://ip_address/postfixadmin/setup.php

change the setup password (two digits, two letters; will fix later) and the new password hash will be generated

vim /var/www/html/postfixadmin/config.inc.php
Replace
$CONF['setup_password'] = 'changeme';
with
$CONF['setup_password'] = '0287c360cbc407f4e18e520651a1c1b8:3a8a82f252f00a8593c0bfc9fa006a98deee2b32';

create a new mail master

go http://ip_address/postfixadmin/login.php using the account last step

change the password limitation

vim /var/www/html/postfixadmin/config.inc.php

$CONF['password_validation'] = array(
#    '/regular expression/' => '$PALANG key (optional: + parameter)',
    '/.{5}/'                => 'password_too_short 5',      # minimum length 5 characters
#   '/([a-zA-Z].*){3}/'     => 'password_no_characters 3',  # must contain at least 3 characters -->
    '/([a-zA-Z].*){0}/'     => 'password_no_characters 3',  # must contain at least 0 characters -->
#   '/([0-9].*){2}/'        => 'password_no_digits 2',      # must contain at least 2 digits  -->
    '/([0-9].*){0}/'        => 'password_no_digits 2',      # must contain at least 0 digits  -->
);


##### create a new virtual domain and virtual user, then check that the records exist #####

mysql -u root -p
use mail;
show tables;
select * from domain;
select * from alias;
exit

In /var/log/maillog there should be a welcome message from postmaster to the account you just created:

Jan 13 13:37:25 mssop postfix/qmgr[2396]: 632D740A18: from=<[email protected]>, size=489, nrcpt=1 (queue active)
Jan 13 13:37:25 mssop postfix/smtpd[2965]: disconnect from localhost[::1]
Jan 13 13:37:25 mssop postfix/virtual[2975]: 632D740A18: to=<[email protected]>, relay=virtual, delay=0.16, delays=0.06/0.1/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
Jan 13 13:37:25 mssop postfix/qmgr[2396]: 632D740A18: removed
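Rather than reading the log by eye, the awk script below (an added example, not from the original post) collects sender, recipient and final delivery status per queue id and lists every queue id whose status is not sent, which is the quick way to spot bounces and deferrals after a change like this one. The sample log lines it writes are constructed after the ones above, with placeholder addresses and a made-up deferred delivery; the field positions are those of the standard Postfix syslog format.

```shell
#!/bin/sh
# Added example (not from the original post): per-queue-id delivery summary
# from a Postfix maillog, plus a list of queue ids that did not end in "sent".
set -eu

# queue_summary <logfile>: prints "QUEUEID sender recipient status", one line per queue id
queue_summary() {
    awk '
        # qmgr line "<ID>: from=<addr>, size=..." gives the sender; $6 is "<ID>:"
        $0 ~ /postfix\/qmgr\[[0-9]+\]: [0-9A-Za-z]+: from=</ {
            id = $6; sub(/:$/, "", id)
            m = $0; sub(/.*from=</, "", m); sub(/>.*/, "", m)
            from[id] = m
        }
        # delivery agent line "<ID>: to=<addr>, ... status=sent (...)"
        $0 ~ /: [0-9A-Za-z]+: to=</ && /status=/ {
            id = $6; sub(/:$/, "", id)
            t = $0; sub(/.*to=</, "", t); sub(/>.*/, "", t)
            s = $0; sub(/.*status=/, "", s); sub(/ .*/, "", s)
            to[id] = t; status[id] = s
        }
        END {
            for (id in status)
                printf "%s %s %s %s\n", id, (id in from ? from[id] : "?"), to[id], status[id]
        }' "$1" | sort
}

# undelivered <logfile>: queue ids whose last recorded status is not "sent"
undelivered() {
    queue_summary "$1" | awk '$4 != "sent" { print $1 }'
}

# sample_maillog <path>: constructed lines modelled on the ones in the post
# (placeholder addresses; the second message is a made-up deferred delivery)
sample_maillog() {
    cat > "$1" <<'EOF'
Jan 13 13:37:25 mssop postfix/qmgr[2396]: 632D740A18: from=<postmaster@abc.example>, size=489, nrcpt=1 (queue active)
Jan 13 13:37:25 mssop postfix/smtpd[2965]: disconnect from localhost[::1]
Jan 13 13:37:25 mssop postfix/virtual[2975]: 632D740A18: to=<user@abc.example>, relay=virtual, delay=0.16, delays=0.06/0.1/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
Jan 13 13:37:25 mssop postfix/qmgr[2396]: 632D740A18: removed
Jan 13 13:40:02 mssop postfix/qmgr[2396]: 7A1B2C3D4E: from=<user@abc.example>, size=512, nrcpt=1 (queue active)
Jan 13 13:40:32 mssop postfix/smtp[3001]: 7A1B2C3D4E: to=<someone@example.net>, relay=none, delay=30, delays=0.05/0.02/30/0, dsn=4.4.1, status=deferred (connect to example.net[192.0.2.10]:25: Connection timed out)
EOF
}

# usage on a real box: queue_summary /var/log/maillog; undelivered /var/log/maillog
```

A message with several recipients produces one to= line per recipient, so for those the summary keeps the last recipient seen; extend the key to id plus recipient if you need every delivery attempt listed.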


##### Dovecot Config #####

vim /etc/dovecot/conf.d/10-ssl.conf

ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem

vim /etc/dovecot/conf.d/10-auth.conf

disable_plaintext_auth = no
auth_mechanisms = plain login
!include auth-sql.conf.ext

vim /etc/dovecot/conf.d/10-mail.conf

mail_location = maildir:/home/vmail/%d/%n
mail_privileged_group = mail
mbox_write_locks = fcntl

vim /etc/dovecot/conf.d/10-master.conf

service imap-login {
  inet_listener imap {
  }
  inet_listener imaps {
  }
}

service pop3-login {
  inet_listener pop3 {
  }
  inet_listener pop3s {
  }
}

service lmtp {
  unix_listener lmtp {
  }
}

service imap {
}

service pop3 {
}

service auth {
  unix_listener auth-userdb {
  }

  # socket Postfix uses for SASL; the path matches smtpd_sasl_path = private/auth
  # (relative to the Postfix queue directory) set in main.cf above
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
}

service auth-worker {
}

service dict {
  unix_listener dict {
  }
}

vim  /etc/dovecot/conf.d/auth-sql.conf.ext

passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}

userdb {
  driver = static
  args = uid=vmail gid=vmail home=/home/vmail/%u
}

##### Create the dovecot-sql.conf.ext file for dovecot-mysql support #####

vim  /etc/dovecot/dovecot-sql.conf.ext

driver = mysql
connect = host=127.0.0.1 dbname=mail user=postfixadmin password=postfixadmin
default_pass_scheme = MD5-CRYPT
password_query = SELECT username AS user,password FROM mailbox WHERE username = '%u' AND active='1'
# three alternative user_query lines; Dovecot keeps the last one defined, so leave only the one you want
# (with the static userdb in auth-sql.conf.ext above, user_query is not consulted at all)
user_query = SELECT maildir, 5000 AS uid, 5000 AS gid FROM mailbox WHERE username = '%u' AND active='1'
user_query = SELECT CONCAT('/home/vmail/', maildir) AS home, 5000 AS uid, 5000 AS gid, CONCAT('*:bytes=', quota) AS quota_rule FROM mailbox WHERE username = '%u' AND active='1'
user_query = SELECT maildir, 5000 AS uid, 5000 AS gid, CONCAT('dict:storage=',floor(quota/1000),' proxy::quota') as quota FROM mailbox WHERE username = '%u' AND active='1'


##### install roundcubemail #####

yum install roundcubemail
vim /etc/httpd/conf.d/roundcubemail.conf

Comment out the first two Directory sections for the install

Alias /roundcubemail /usr/share/roundcubemail
change to
Alias /mail    /usr/share/roundcubemail

<Directory /usr/share/roundcubemail/>
    <IfModule mod_authz_core.c>
        # Apache 2.4
        #Require local
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        #Order Deny,Allow
        #Deny from all
        #Allow from 127.0.0.1
        #Allow from ::1
    </IfModule>
</Directory>

# Define who can access the installer
# keep this secured once configured
<Directory /usr/share/roundcubemail/installer/>
    <IfModule mod_authz_core.c>
        # Apache 2.4
        #Require local
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        #Order Deny,Allow
        #Deny from all
        #Allow from 127.0.0.1
        #Allow from ::1
    </IfModule>
</Directory>

create a database for roundcubemail

mysql -u root -p
create database rcmail;
create user 'rcmail'@'localhost' identified by 'rcmailpassword';
grant all privileges on rcmail.* to 'rcmail'@'localhost';
flush privileges;

service httpd reload

open http://ip_address/mail/installer/
check for errors; if there are none, click Next; if there are, fix them!
after Next, fill in the database settings with the database you created in the last step
set the SMTP server to localhost and check "Use the current IMAP username and password for SMTP authentication"
language: zh_TW (not sure if this works or not)
press create config file
copy the file to /etc/roundcubemail/config.inc.php
press continue
check for errors
initialize database
test SMTP
with the first account/password you created in the postfixadmin section

test IMAP

mv /usr/share/roundcubemail/installer /usr/share/roundcubemail/installer.bak

login to roundcubemail
open https://ip_address/mail/
login with the account/password you created in the postfixadmin section
like [email protected]
and there's one mail waiting for you ~

Congrats! Everything works fine now! (it should be.....)
