Eric's Hexo Space

[Notes] Some settings for iRedMail + Postfix Admin + Dovecot

This article was published 587 days ago; its content may be out of date. If in doubt, please contact the author.

/etc/dovecot/dovecot.conf

Key points:

```
disable_plaintext_auth = no

mail_location = maildir:/var/vmail/%d/%n:INDEX=/var/vmail/%d/%n/indexes
```

```
#ssl_dh_parameters_length = 2048
#ssl_prefer_server_ciphers = yes

# IP ranges specified by login_trusted_networks setting are assumed to be secure.
#login_trusted_networks = 127.0.0.1

# With disable_plaintext_auth=yes AND ssl=required, STARTTLS is mandatory.
# Set disable_plaintext_auth=no AND ssl=yes to allow plain password transmitted
# insecurely.
disable_plaintext_auth = no

# Allow plain text password per IP address/net
#remote 192.168.0.0/24 {
#    disable_plaintext_auth = no
#}

# Mail location and mailbox format.
#mail_location = maildir:%Lh/Maildir/:INDEX=%Lh/Maildir/
mail_location = maildir:/var/vmail/%d/%n:INDEX=/var/vmail/%d/%n/indexes

# Authentication related settings.
# Append this domain name if client gives empty realm.
auth_default_realm = abc.org

# Authentication mechanisms.
auth_mechanisms = PLAIN LOGIN

# Limits the number of users that can be logging in at the same time.
# Default is 100. This can be overridden by process_limit = in
# service [protocol] block.
# e.g.
# protocol imap-login {
#     process_limit = 500
# }
#default_process_limit = 100

service auth {
    unix_listener /var/spool/postfix/private/dovecot-auth {
        user = postfix
        group = postfix
        mode = 0666
    }

    unix_listener auth-master {
        user = vmail
        group = vmail
        mode = 0666
    }

    unix_listener auth-userdb {
        user = vmail
        group = vmail
        mode = 0660
    }
}

# LMTP server (Local Mail Transfer Protocol).
# Reference: http://wiki2.dovecot.org/LMTP
service lmtp {
    user = vmail

    # For higher volume sites, it may be desirable to increase the number of
    # active listener processes. A range of 5 to 20 is probably good for most
    # sites.
    process_min_avail = 5

    # Logging.
    # Require 'info_log_path =' in 'protocol lmtp { }' block.
    executable = lmtp -L

    # Listening on socket file and TCP
    unix_listener /var/spool/postfix/private/dovecot-lmtp {
        user = postfix
        group = postfix
        mode = 0600
    }

    inet_listener lmtp {
        # Listen on localhost (ipv4)
        address = 127.0.0.1
        port = 24
    }
}

# Virtual mail accounts.
userdb {
    args = /etc/dovecot/dovecot-mysql.conf
    driver = sql
}

passdb {
    args = /etc/dovecot/dovecot-mysql.conf
    driver = sql
}

# Master user.
# Master users are able to log in as other users. It's also possible to
# directly log in as any user using a master password, although this isn't
# recommended.
# Reference: http://wiki2.dovecot.org/Authentication/MasterUsers
auth_master_user_separator = *
passdb {
    driver = passwd-file
    args = /etc/dovecot/dovecot-master-users
    master = yes
}

plugin {
    auth_socket_path = /var/run/dovecot/auth-master

    # Quota configuration.
    # Reference: http://wiki2.dovecot.org/Quota/Configuration
    quota = dict:user::proxy::quotadict
    quota_rule = *:storage=1G
    #quota_rule2 = *:messages=0
    #quota_rule3 = Trash:storage=1G
    #quota_rule4 = Junk:ignore

    # Quota warning.
    #
    # If user suddenly receives a huge mail and the quota jumps from
    # 85% to 95%, only the 95% script is executed.
    #
    # Only the command for the first exceeded limit is executed, so configure
    # the highest limit first.
    quota_warning = storage=100%% quota-warning 100 %u
    quota_warning2 = storage=95%% quota-warning 95 %u
    quota_warning3 = storage=90%% quota-warning 90 %u
    quota_warning4 = storage=85%% quota-warning 85 %u

    # allow user to become max 10% (or 50 MB) over quota
    quota_grace = 10%%
    #quota_grace = 50 M

    # Custom Quota Exceeded Message.
    # You can specify the message directly or read the message from a file.
    #quota_exceeded_message = Quota exceeded, please try again later.
    #quota_exceeded_message = </path/to/quota_exceeded_message.txt

    # Plugin: autocreate. Create and subscribe to default IMAP folders.
    autocreate = INBOX
    autocreate2 = Sent
    autocreate3 = Trash
    autocreate4 = Drafts
    autocreate5 = Junk
    autosubscribe = INBOX
    autosubscribe2 = Sent
    autosubscribe3 = Trash
    autosubscribe4 = Drafts
    autosubscribe5 = Junk

    # Plugin: expire.
    #expire = Trash 7 Trash/* 7 Junk 30
    #expire_dict = proxy::expire

    # ACL and share folder
    acl = vfile
    acl_shared_dict = proxy::acl

    # By default Dovecot doesn't allow using the IMAP "anyone" or
    # "authenticated" identifier, because it would be an easy way to spam
    # other users in the system. If you wish to allow it,
    #acl_anyone = allow

    # Pigeonhole managesieve service.
    # Reference: http://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration
    # Per-user sieve settings.
    sieve_dir = %Lh/sieve
    sieve = %Lh/sieve/dovecot.sieve

    # Global sieve settings.
    sieve_global_dir = /var/vmail/sieve
    # Note: if user has personal sieve script, global sieve rules defined in
    # sieve_default will be ignored. Please use sieve_before or
    # sieve_after instead.
    #sieve_default =
    sieve_before = /var/vmail/sieve/dovecot.sieve
    #sieve_after =

    # The maximum number of redirect actions that can be performed during a
    # single script execution.
    # The meaning of 0 differs based on your version. For pigeonhole-0.3.0 and
    # beyond this means that redirect is prohibited. For older versions,
    # however, this means that the number of redirects is unlimited.
    #sieve_max_redirects = 4
}

service quota-warning {
    executable = script /usr/local/bin/dovecot-quota-warning.sh
    unix_listener quota-warning {
        user = vmail
        group = vmail
        mode = 0660
    }
}

service dict {
    unix_listener dict {
        mode = 0660
        user = vmail
        group = vmail
    }
}

dict {
    #expire = db:/var/lib/dovecot/expire/expire.db
    quotadict = mysql:/etc/dovecot/dovecot-used-quota.conf
    acl = mysql:/etc/dovecot/dovecot-share-folder.conf
}

protocol lda {
    # Reference: http://wiki2.dovecot.org/LDA
    mail_plugins = $mail_plugins sieve autocreate
    auth_socket_path = /var/run/dovecot/auth-master
    log_path = /var/log/dovecot-sieve.log
    lda_mailbox_autocreate = yes
    lda_mailbox_autosubscribe = yes
    postmaster_address = root
}

protocol lmtp {
    # Log file
    info_log_path = /var/log/dovecot-lmtp.log

    # Plugins
    mail_plugins = quota sieve
    postmaster_address = postmaster
    lmtp_save_to_detail_mailbox = yes
    recipient_delimiter = +
}

protocol imap {
    mail_plugins = $mail_plugins imap_quota autocreate imap_acl
    imap_client_workarounds = tb-extra-mailbox-sep

    # Maximum number of IMAP connections allowed for a user from each IP address.
    # NOTE: The username is compared case-sensitively.
    # Default is 10.
    # Increase it to avoid issue like below:
    # "Maximum number of concurrent IMAP connections exceeded"
    mail_max_userip_connections = 30
}

protocol pop3 {
    mail_plugins = $mail_plugins
    pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
    pop3_uidl_format = %08Xu%08Xv

    # Maximum number of IMAP connections allowed for a user from each IP address.
    # NOTE: The username is compared case-sensitively.
    # Default is 10.
    mail_max_userip_connections = 30
}

# Login processes. Refer to Dovecot wiki for more details:
# http://wiki2.dovecot.org/LoginProcess
service imap-login {
    #inet_listener imap {
    #    port = 143
    #}
    #inet_listener imaps {
    #    port = 993
    #    ssl = yes
    #}

    service_count = 1

    # To avoid startup latency for new client connections, set process_min_avail
    # to higher than zero. That many idling processes are always kept around
    # waiting for new connections.
    #process_min_avail = 0

    # number of simultaneous IMAP connections
    process_limit = 500

    # vsz_limit should be fine at its default 64MB value
}

service pop3-login {
    #inet_listener pop3 {
    #    port = 110
    #}
    #inet_listener pop3s {
    #    port = 995
    #    ssl = yes
    #}

    service_count = 1

    # number of simultaneous POP3 connections
    #process_limit = 500
}

service managesieve-login {
    inet_listener sieve {
        # Listen on localhost (ipv4)
        address = 127.0.0.1
        port = 4190
    }
}

namespace {
    type = private
    separator = /
    prefix =
    #location defaults to mail_location.
    inbox = yes
}

namespace {
    type = shared
    separator = /
    prefix = Shared/%%u/
    location = maildir:%%Lh/Maildir/:INDEX=%%Lh/Maildir/Shared/%%u
    # this namespace should handle its own subscriptions or not.
    subscriptions = yes
    list = children
}

# Public mailboxes.
# Refer to Dovecot wiki page for more details:
# http://wiki2.dovecot.org/SharedMailboxes/Public
#namespace {
#    type = public
#    separator = /
#    prefix = Public/
#
#    # CONTROL=: Mark this public folder as read-only mailbox
#    # INDEX=: Per-user \Seen flag
#    location = maildir:/var/vmail/public/:CONTROL=~/Maildir/public:INDEX=~/Maildir/public
#
#    # Allow users to subscribe to the public folders.
#    subscriptions = yes
```

 

/etc/dovecot/dovecot-mysql.conf

The lines starting with # are the settings iRedMail generated automatically.

After commenting them out, add the last few lines, changing them to your own database, account and password, and make sure the uid is the same as the one in Postfix's main.cf.

```
#driver = mysql
#default_pass_scheme = CRYPT
#connect = host=127.0.0.1 dbname=vmail user=vmail password=NP5eaW3VSRogGT5bx0qaHMm7CKemRY

# Required by 'doveadm mailbox ...'.
#iterate_query = SELECT username AS user FROM mailbox

#password_query = SELECT password, allow_nets FROM mailbox WHERE username='%u' AND enable%Ls%Lc=1 AND active=1

#user_query = SELECT \
#    '%u' AS master_user, \
#    CONCAT(mailbox.storagebasedirectory, '/', mailbox.storagenode, '/', mailbox.maildir) AS home, \
#    CONCAT(':bytes=', mailbox.quota*1048576) AS quota_rule \
#FROM mailbox,domain \
#WHERE mailbox.username='%u' \
#    AND mailbox.domain='%d' \
#    AND mailbox.enable%Ls%Lc=1 \
#    AND mailbox.domain=domain.domain \
#    AND domain.backupmx=0 \
#    AND domain.active=1 \
#    AND mailbox.active=1

driver = mysql
connect = host=127.0.0.1 dbname=postfix user=postfix password=postfixadmin
default_pass_scheme = MD5-CRYPT
user_query = SELECT '/var/vmail/%d/%n' as home, 2000 AS uid, 2000 AS gid FROM mailbox WHERE username = '%u'
password_query = SELECT password FROM mailbox WHERE username = '%u'
```
 

 

postfix main.cf

Key point: the uid settings must match; both are 2000.

In principle, just add the PostfixAdmin settings after the existing proxy:mysql entries.

Then comment out, for now, the entries that only iRedMail has and Postfix Admin does not, such as the part below:

```
#
# Lookup virtual mail accounts
#
#transport_maps =
#    proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf
#    proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf

#sender_dependent_relayhost_maps =
#    proxy:mysql:/etc/postfix/mysql/sender_dependent_relayhost_maps.cf

# Lookup table with the SASL login names that own the sender (MAIL FROM) addresses.
#smtpd_sender_login_maps =
#    proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
```

 

The rest of the settings are as follows:

```
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
allow_percent_hack = no
biff = no
body_checks = pcre:/etc/postfix/body_checks.pcre
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
disable_vrfy_command = yes
enable_original_recipient = no
header_checks = pcre:/etc/postfix/header_checks
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = ipv4
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3
lmtp_tls_protocols = !SSLv2 !SSLv3
mail_owner = postfix
mailbox_command = /usr/libexec/dovecot/deliver
mailq_path = /usr/bin/mailq.postfix
message_size_limit = 15728640
mydestination = $myhostname, localhost, localhost.localdomain
mydomain = iredmail.cowbay.org
myhostname = iredmail.cowbay.org
mynetworks = 127.0.0.1
myorigin = iredmail.cowbay.org
newaliases_path = /usr/bin/newaliases.postfix
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions $sender_dependent_relayhost_maps
queue_directory = /var/spool/postfix
recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf
recipient_delimiter = +
relay_domains = $mydestination proxy:mysql:/etc/postfix/mysql/relay_domains.cf
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_CAfile = $smtpd_tls_CAfile
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2 !SSLv3
smtp_tls_security_level = may
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:7777
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated reject_non_fqdn_helo_hostname reject_invalid_helo_hostname check_helo_access pcre:/etc/postfix/helo_access.pcre
smtpd_recipient_restrictions = reject_unknown_recipient_domain reject_non_fqdn_recipient reject_unlisted_recipient check_policy_service inet:127.0.0.1:7777 permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_unknown_sender_domain reject_non_fqdn_sender reject_unlisted_sender permit_mynetworks permit_sasl_authenticated check_sender_access pcre:/etc/postfix/sender_access.pcre
smtpd_tls_CAfile = /etc/pki/tls/certs/iRedMail.crt
smtpd_tls_cert_file = /etc/pki/tls/certs/iRedMail.crt
smtpd_tls_dh1024_param_file = /etc/pki/tls/dh2048_param.pem
smtpd_tls_dh512_param_file = /etc/pki/tls/dh512_param.pem
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_key_file = /etc/pki/tls/private/iRedMail.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtpd_tls_protocols = !SSLv2 !SSLv3
swap_bangpath = no
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf proxy:mysql:/etc/postfix/mysql/catchall_maps.cf proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf
virtual_minimum_uid = 2000
virtual_transport = virtual
virtual_uid_maps = static:2000
```
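The two "key points" of this note, that the uid/gid Dovecot's `user_query` returns must equal Postfix's `virtual_uid_maps`/`virtual_gid_maps` (and sit at or above `virtual_minimum_uid`), and that both daemons must point at the same mail store under `/var/vmail`, are easy to break when hand-merging the PostfixAdmin lines into an iRedMail install. The script below is an added example, not code from the note or from iRedMail/PostfixAdmin: it parses small constructed copies of the three files (the database password is a placeholder) and reports every mismatch. It also flags the combination the dovecot.conf comment itself warns about, `disable_plaintext_auth = no` without `ssl = required`; when `ssl` is absent it assumes Dovecot's default of `yes`.

```python
# Added example: cross-check dovecot.conf, dovecot-mysql.conf and Postfix main.cf
# for the consistency points the note calls out. Not part of the original post.
import re

# Constructed samples mirroring the settings shown in the note (password is a placeholder).
DOVECOT_CONF = """\
disable_plaintext_auth = no
ssl = yes
mail_location = maildir:/var/vmail/%d/%n:INDEX=/var/vmail/%d/%n/indexes
service auth {
    unix_listener /var/spool/postfix/private/dovecot-auth {
        user = postfix
        group = postfix
        mode = 0666
    }
}
"""

DOVECOT_MYSQL_CONF = """\
driver = mysql
connect = host=127.0.0.1 dbname=postfix user=postfix password=EXAMPLE_PLACEHOLDER
default_pass_scheme = MD5-CRYPT
user_query = SELECT '/var/vmail/%d/%n' as home, 2000 AS uid, 2000 AS gid FROM mailbox WHERE username = '%u'
password_query = SELECT password FROM mailbox WHERE username = '%u'
"""

POSTFIX_MAIN_CF = """\
virtual_mailbox_base = /var/vmail
virtual_minimum_uid = 2000
virtual_uid_maps = static:2000
virtual_gid_maps = static:2000
"""


def parse_dovecot(text):
    """Minimal parser for Dovecot's 'key = value' and 'name { ... }' syntax.
    Blocks become nested dicts stored under their header line."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            block = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip()
    return root


def parse_flat(text):
    """'key = value' parser for dovecot-mysql.conf and main.cf (no blocks)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def ids_from_user_query(query):
    """Pull the constant home/uid/gid that a PostfixAdmin-style user_query returns."""
    home = re.search(r"'([^']*)'\s+as\s+home", query, re.I)
    uid = re.search(r"(\d+)\s+as\s+uid\b", query, re.I)
    gid = re.search(r"(\d+)\s+as\s+gid\b", query, re.I)
    return (home.group(1) if home else None,
            int(uid.group(1)) if uid else None,
            int(gid.group(1)) if gid else None)


def audit(dovecot_text, dovecot_mysql_text, main_cf_text):
    """Return a list of human-readable findings; an empty list means consistent."""
    findings = []
    dc = parse_dovecot(dovecot_text)
    pf = parse_flat(main_cf_text)
    home, uid, gid = ids_from_user_query(parse_flat(dovecot_mysql_text).get("user_query", ""))

    # 1. Postfix writes mailboxes as a static uid/gid; Dovecot must read them as the same ids.
    if pf.get("virtual_uid_maps") != f"static:{uid}":
        findings.append(f"uid mismatch: Dovecot user_query returns uid {uid}, "
                        f"Postfix virtual_uid_maps = {pf.get('virtual_uid_maps')}")
    if pf.get("virtual_gid_maps") != f"static:{gid}":
        findings.append(f"gid mismatch: Dovecot user_query returns gid {gid}, "
                        f"Postfix virtual_gid_maps = {pf.get('virtual_gid_maps')}")
    # Postfix refuses to deliver as a uid below virtual_minimum_uid (its default is 100).
    if uid is not None and uid < int(pf.get("virtual_minimum_uid", "100")):
        findings.append(f"uid {uid} is below virtual_minimum_uid")

    # 2. Both daemons must point at the same mail store.
    base = pf.get("virtual_mailbox_base", "")
    parts = dc.get("mail_location", "").split(":", 2)   # e.g. maildir:/path:INDEX=...
    loc_path = parts[1] if len(parts) > 1 else ""
    if home is None or not home.startswith(base) or not loc_path.startswith(base):
        findings.append(f"mail store mismatch: virtual_mailbox_base={base}, "
                        f"user_query home={home}, mail_location path={loc_path}")

    # 3. The comment in the note's dovecot.conf: plaintext auth without ssl=required
    #    lets passwords cross the wire in the clear on non-TLS sessions.
    if dc.get("disable_plaintext_auth", "yes") == "no" and dc.get("ssl", "yes") != "required":
        findings.append("plaintext auth allowed while ssl is not 'required'")
    return findings


if __name__ == "__main__":
    for finding in audit(DOVECOT_CONF, DOVECOT_MYSQL_CONF, POSTFIX_MAIN_CF):
        print("FINDING:", finding)
```

Run against the samples it reports only the plaintext-auth finding, which is exactly the state of the note's configuration; change `virtual_uid_maps` to `static:1000` and the uid mismatch appears. On a real host, feed it the output of `doveconf -n`, the contents of `/etc/dovecot/dovecot-mysql.conf` and `postconf -n` instead of the embedded strings.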