配置 Postfix

创建域邮件存储目录

mkdir /var/mail/example.net
chown postfix /var/mail/example.net
		

配置 Postfix + TLS + LDAP

  1. 基本配置

    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    
    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    
    myhostname = mail.example.net
    mydomain = example.net
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    #mydestination = debian, example.net, localhost.localdomain, localhost
    mydestination = $myhostname, $mydomain, $transport_maps
    #relayhost = ISP SMTP
    #LAN -> WAN
    mynetworks = 127.0.0.0/8
    mailbox_command = procmail -a "$EXTENSION"
    mailbox_size_limit = 0
    recipient_delimiter = +
    #================== BASE ===================
    debug_peer_level = 2
    smtpd_tls_loglevel=2
    disable_vrfy_command = yes
    local_recipient_maps =
    
    transport_maps = hash:/etc/postfix/transport
    
    #=================== LDAP ====================
    local_transport = virtual
    virtual_transport = virtual
    virtual_mailbox_base = /var/mail
    virtual_alias_maps = ldap:aliases
    #virtual_alias_domains = ldap:aliases
    virtual_mailbox_maps = ldap:mailbox
    #virtual_mailbox_domains = ldap:mailbox
    virtual_uid_maps = static:105
    virtual_gid_maps = static:109
    #virtual_minimum_uid = 500
    
    virtual_mailbox_limit = 0
    virtual_maildir_limit_message = "The user you're trying to reach is over quota."
    virtual_mailbox_limit_maps = ldap:quota
    virtual_mailbox_limit_override = yes
    virtual_mailbox_limit_inbox = yes
    #virtual_mailbox_size_limit = 1024000000
    virtual_maildir_extended = yes
    virtual_create_maildirsize = yes
    				
  2. transport

    建议使用hash表 [1]

    debian:/etc/postfix# vi transport
    example.net     virtual:
    debian:/etc/postfix# postmap transport
    			

    这里我使用了virtual方式投递,其它投递方式还有maildrop:,local:

    当然,为了方便管理有时需要使用ldap,配置的方法是:

    ## Transport
    
    transport_server_host = localhost
    transport_search_base = ou=postfix,dc=example,dc=net
    transport_query_filter = (%s) (objectClass=postfixVirtualDomain))
    transport_result_attribute = transport
    #or transport_result_attribute = o
    transport_scope = one
    transport_cache = yes
    transport_bind = yes
    transport_bind_dn = cn=admin,dc=example,dc=net
    transport_bind_pw = chen
    
    transport_maps = ldap:transport
    mydestination = domaine.tld, host.domain.tld, \
    localhost, $transport_maps
    			
  3. virtual_alias_maps[2]

    # ldap:aliases, ldapsource here tell postfix the information while search
    # Alias instead of using hash file for lookup :-)
    aliases_server_host = localhost
    aliases_server_port = 389
    aliases_bind = yes
    aliases_bind_dn = cn=admin,dc=example,dc=net
    aliases_bind_pw = chen
    aliases_search_base = ou=postfix,dc=example,dc=net
    aliases_query_filter = ((objectClass=postfixAccount)(mail=%s))(accountStatus=true))
    aliases_result_attribute = maildrop
    aliases_bind = yes
    aliases_cache = no
    aliases_version=3
    aliases_debuglevel=0
    				
  4. virtual_mailbox_maps

    # ldap:accounts, ldapsource here tell postfix about VirtualAccount infor-
    # mation while doing Account ldap lookup
    mailbox_server_host = localhost
    mailbox_server_port = 389
    mailbox_bind = yes
    mailbox_bind_dn = cn=admin,dc=example,dc=net
    mailbox_bind_pw = chen
    mailbox_search_base = ou=postfix,dc=example,dc=net
    mailbox_query_filter = ((mail=%s)(objectClass=postfixAccount))(|(AccountStatus=true)(accountStatus=enable)))
    mailbox_result_attribute = mailbox
    mailbox_version=3
    mailbox_debuglevel=0
    				
  5. virtual_mailbox_limit_maps

    quota_server_host = localhost
    quota_bind = yes
    quota_bind_dn = cn=admin,dc=example,dc=net
    quota_bind_pw = chen
    quota_search_base = ou=postfix,dc=example,dc=net
    quota_query_filter = ((objectClass=postfixAccount)(mail=%s))(AccountStatus=TRUE))
    quota_result_attribute = quota
    quota_cache = yes
    quota_version=3
    quota_debuglevel=0
    				
  6. sasl

    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    broken_sasl_auth_clients = yes
    smtpd_recipient_restrictions = permit_sasl_authenticated permit_auth_destination reject
    #smtpd_sasl_local_domain = $mydomain
    #smtpd_sasl_local_domain = $myhostname
    smtpd_sasl_local_domain =
    smtpd_client_restrictions = permit_sasl_authenticated
    #smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unknown_recipient_domain,reject_non_fqdn_recipient,check_relay_domains
    				
  7. TLS/SSL

    #TLS
    smtp_use_tls = yes
    smtpd_use_tls = yes
    #smtpd_tls_auth_only = yes
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_key_file = $config_directory/ssl/post.pem
    smtpd_tls_cert_file = $config_directory/ssl/post.pem
    smtpd_tls_CAfile = $config_directory/ssl/post.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    				

    生成证书 [3]

  8. smtp-amavis

    content_filter = smtp-amavis:[127.0.0.1]:10024

Example 4. master.cf

debian:/etc/postfix# cat master.cf
#
# Postfix master process configuration file.  Each logical line 
# describes how a Postfix daemon program should be run. 
#
# A logical line starts with non-whitespace, non-comment text.
# Empty lines and whitespace-only lines are ignored, as are comment 
# lines whose first non-whitespace character is a `#'.  
# A line that starts with whitespace continues a logical line.
#
# The fields that make up each line are described below. A "-" field
# value requests that a default value be used for that field.
#
# Service: any name that is valid for the specified transport type
# (the next field).  With INET transports, a service is specified as
# host:port.  The host part (and colon) may be omitted. Either host
# or port may be given in symbolic form or in numeric form. Examples
# for the SMTP server:  localhost:smtp receives mail via the loopback
# interface only; 10025 receives mail on port 10025.
#
# Transport type: "inet" for Internet sockets, "unix" for UNIX-domain
# sockets, "fifo" for named pipes.
#
# Private: whether or not access is restricted to the mail system.
# Default is private service.  Internet (inet) sockets can't be private.
#
# Unprivileged: whether the service runs with root privileges or as
# the owner of the Postfix system (the owner name is controlled by the
# mail_owner configuration variable in the main.cf file). Only the
# pipe, virtual and local delivery daemons require privileges.
#
# Chroot: whether or not the service runs chrooted to the mail queue
# directory (pathname is controlled by the queue_directory configuration
# variable in the main.cf file). Presently, all Postfix daemons can run
# chrooted, except for the pipe, virtual and local delivery daemons.
# The proxymap server can run chrooted, but doing so defeats most of
# the purpose of having that service in the first place.
# The files in the examples/chroot-setup subdirectory describe how
# to set up a Postfix chroot environment for your type of machine.
#
# Wakeup time: automatically wake up the named service after the
# specified number of seconds. A ? at the end of the wakeup time
# field requests that wake up events be sent only to services that
# are actually being used.  Specify 0 for no wakeup. Presently, only
# the pickup, queue manager and flush daemons need a wakeup timer.
#
# Max procs: the maximum number of processes that may execute this
# service simultaneously. Default is to use a globally configurable
# limit (the default_process_limit configuration parameter in main.cf).
# Specify 0 for no process count limit.
#
# Command + args: the command to be executed. The command name is
# relative to the Postfix program directory (pathname is controlled by
# the daemon_directory configuration variable). Adding one or more
# -v options turns on verbose logging for that service; adding a -D
# option enables symbolic debugging (see the debugger_command variable
# in the main.cf configuration file). See individual command man pages
# for specific command-line options, if any.
#
# General main.cf options can be overridden for specific services.
# To override one or more main.cf options, specify them as arguments
# below, preceding each option by "-o".  There must be no whitespace
# in the option itself (separate multiple values for an option by
# commas).
#
# In order to use the "uucp" message tranport below, set up entries
# in the transport table.
#
# In order to use the "cyrus" message transport below, configure it
# in main.cf as the mailbox_transport.
#
# SPECIFY ONLY PROGRAMS THAT ARE WRITTEN TO RUN AS POSTFIX DAEMONS.
# ALL DAEMONS SPECIFIED HERE MUST SPEAK A POSTFIX-INTERNAL PROTOCOL.
#
# DO NOT SHARE THE POSTFIX QUEUE BETWEEN MULTIPLE POSTFIX INSTANCES.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
#submission inet n      -       -       -       -       smtpd
#	-o smtpd_etrn_restrictions=reject
#628      inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       -       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
#
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# maildrop. See the Postfix MAILDROP_README file for details.
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -d -t$nexthop -f$sender $recipient
scalemail-backend unix	-	n	n	-	2	pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}

# only used by postfix-tls
#tlsmgr	  fifo	-	-	n	300	1	tlsmgr
#smtps	  inet	n	-	n	-	-	smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#587	  inet	n	-	n	-	-	smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes

smtp-amavis unix -   -   y    -    2  smtp
    -o smtp_data_done_timeout=1200s
    -o smtp_never_send_ehlo=yes
    -o disable_dns_lookups=yes

127.0.0.1:10025 inet n  -  y    -   -  smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8

			

Example 5. main.cf

debian:/etc/postfix# cat main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

myhostname = mail.example.net
mydomain = example.net
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
#mydestination = debian, example.net, localhost.localdomain, localhost
mydestination = $myhostname, $mydomain, $transport_maps
#relayhost = ISP SMTP
#LAN -> WAN
mynetworks = 127.0.0.0/8
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
#================== BASE ===================
debug_peer_level = 2
smtpd_tls_loglevel=2
disable_vrfy_command = yes
local_recipient_maps =

transport_maps = hash:/etc/postfix/transport

#=================== LDAP ====================
local_transport = virtual
virtual_transport = virtual
virtual_mailbox_base = /var/mail
virtual_alias_maps = ldap:aliases
#virtual_alias_domains = ldap:aliases
virtual_mailbox_maps = ldap:mailbox
#virtual_mailbox_domains = ldap:mailbox
virtual_uid_maps = static:105
virtual_gid_maps = static:109
#virtual_minimum_uid = 500

virtual_mailbox_limit = 0
virtual_maildir_limit_message = "The user you're trying to reach is over quota."
virtual_mailbox_limit_maps = ldap:quota
virtual_mailbox_limit_override = yes
virtual_mailbox_limit_inbox = yes
#virtual_mailbox_size_limit = 1024000000 
virtual_maildir_extended = yes
virtual_create_maildirsize = yes



# ldap:aliases, ldapsource here tell postfix the information while search
# Alias instead of using hash file for lookup :-)
aliases_server_host = localhost
aliases_server_port = 389
aliases_bind = yes
aliases_bind_dn = cn=admin,dc=example,dc=net
aliases_bind_pw = chen
aliases_search_base = ou=postfix,dc=example,dc=net 
aliases_query_filter = ((objectClass=postfixAccount)(mail=%s))(accountStatus=true))
#aliases_result_attribute = maildrop
aliases_result_attribute = maildrop
aliases_bind = yes
aliases_cache = no
aliases_version=3
aliases_debuglevel=0

# ldap:accounts, ldapsource here tell postfix about VirtualAccount infor-
# mation while doing Account ldap lookup
mailbox_server_host = localhost
mailbox_server_port = 389
mailbox_bind = yes
mailbox_bind_dn = cn=admin,dc=example,dc=net
mailbox_bind_pw = chen
mailbox_search_base = ou=postfix,dc=example,dc=net
mailbox_query_filter = ((mail=%s)(objectClass=postfixAccount))(|(AccountStatus=true)(accountStatus=enable)))
#mailbox_query_filter = (mail=%s)
mailbox_result_attribute = mailbox
mailbox_version=3
mailbox_debuglevel=0


quota_server_host = localhost
quota_bind = yes
quota_bind_dn = cn=admin,dc=example,dc=net
quota_bind_pw = chen
quota_search_base = ou=postfix,dc=example,dc=net
quota_query_filter = ((objectClass=postfixAccount)(mail=%s))(AccountStatus=TRUE))
quota_result_attribute = quota
quota_cache = yes
quota_version=3
quota_debuglevel=0


#====== SASL ================
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated permit_auth_destination reject
#smtpd_sasl_local_domain = $mydomain
#smtpd_sasl_local_domain = $myhostname
smtpd_sasl_local_domain =
smtpd_client_restrictions = permit_sasl_authenticated
#smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unknown_recipient_domain,reject_non_fqdn_recipient,check_relay_domains

#unknown_local_recipient_reject_code = 450

#smtp_use_tls = yes
#smtpd_use_tls = yes 
##smtpd_tls_auth_only = yes
#smtpd_tls_loglevel = 3
#smtpd_tls_received_header = yes
#smtpd_tls_session_cache_timeout = 600s
#smtp_tls_note_starttls_offer = yes 
#smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
#smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
#smtpd_tls_CAfile = /etc/postfix/ssl/smtpd.pem

# tls config
#smtp_use_tls = yes
#smtpd_use_tls = yes 
#smtp_tls_note_starttls_offer = yes 
#smtpd_tls_key_file = /etc/postfix/ssl/smtpd.pem
#smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.pem
#smtpd_tls_CAfile = /etc/postfix/ssl/smtpd.pem
#smtpd_tls_loglevel = 1
#smtpd_tls_received_header = yes
#smtpd_tls_session_cache_timeout = 3600s
#tls_random_source = dev:/dev/urandom

#TLS
smtp_use_tls = yes
smtpd_use_tls = yes
#smtpd_tls_auth_only = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = $config_directory/ssl/post.pem
smtpd_tls_cert_file = $config_directory/ssl/post.pem
smtpd_tls_CAfile = $config_directory/ssl/post.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
content_filter = smtp-amavis:[127.0.0.1]:10024
#mime_header_checks = pcre:/etc/postfix/body_checks

			

Notes

[1]

hzqbbc 刚做的postfix+ldap/hash本地投递测试结果 ( 2003年1月18日15:56 ) 
  
1.测试平台 
PIII 933 x 2 + 512M + SCSI 18G 
Postfix 2.0.0.1 + openldap 2.0.11(默认安装) + virtual 投递 

2.采用hash作为lookukp tables时,速度大概都有5000多封信/分钟。哈哈~~87.5封/秒最高.这个时候采用的是只测试信头,
100个并发连接.postfix将default_process_limit = 500 简单的调整了性能.其中对syslogd采用了异步写优化(在设置的
目录前加-号) 

3.采用ldap测试时,基本都有2500-2800,再简化了lookup的方式,transport_maps采用固定文本,而只有
virtual_mailbox_maps才用ldap.速度提高到3200-3500左右。测试地址为固定的1-10个 

4.灌了50万个ldap 用户数据进去。进行500,1000,2000地址的并发测试(postal)结果发现用户地址多少和测试的性能关系
不太大,以下是2000地址的结果: 
time,msg/m,KB,error,connection,SSL 
10:26,3779,1516,2,1930,0 
10:27,3889,1556,0,1953,0 
10:28,3987,1592,0,1997,0 
10:29,4174,1667,0,2067,0 
10:30,4308,1720,0,2166,0 
10:31,4039,1613,0,1986,0 
10:32,2660,1061,0,1338,0 
10:33,2436,972,0,1216,0 

可以发现速度还是很快的。这里只测试信头,采用50个并发连接,每个连接只发2-3封信。感觉还是不错的。不过最后两行速度
发现不行,我检查了/var/spool/postfix,发现incoming忽然提高了,因此估计是cleanup不能那么快清理incoming目录。
可能是ldap反应速度开始慢了。 

小结:性能优化 
 关闭ldap的log使之=0 
 使syslog里的maillog等需要频繁操作的log成为async写,也就是加一个“-”号在目录前 
 调整postfix的default_process_limit > 150 
 最好使/var/spool/postfix目录为async属性。。chattr... 
			

[2]

virtual_maps已经不再使用,新的参数是virtual_alias_maps

[3]
debian:/etc/postfix# mkdir ssl
debian:/etc/postfix# vi etc/postfix/ssl/postfix.cnf
RANDFILE = /etc/postfix/ssl/post.rand

[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
C=CN
ST=GD
L=GD
O=9812.net
OU=9812
CN=Neo Chen
[email protected]

[ cert_type ]
nsCertType = server


debian:/etc/postfix# vi /etc/postfix/ssl/postfix.cnf
debian:/etc/postfix# dd if=/dev/urandom of=/etc/postfix/ssl/post.rand count=1 >& /dev/null

debian:/etc/postfix/ssl# openssl req -new -x509 -days 365 -nodes -config /etc/postfix/ssl/postfix.cnf \
> -out /etc/postfix/ssl/post.pem -keyout /etc/postfix/ssl/post.pem
Generating a 1024 bit RSA private key
..............................................++++++
..................................................................................................++++++
writing new private key to '/etc/postfix/ssl/post.pem'
-----
debian:/etc/postfix/ssl# openssl gendh -rand /etc/postfix/ssl/post.rand 512 >> /etc/postfix/ssl/post.pem
1024 semi-random bytes loaded
Generating DH parameters, 512 bit long safe prime, generator 2
This is going to take a long time
.......................+............+...............................................+...............+.................................+..........+...............+................+......+.....................................+......................+............+.........+..........................+.......................................+.................+.....................................................+.....+.....+.....................+..................................+..+..............................+....+............................................................................+.........+...+...+...+.................................+........+..............................+.+..................+.....................................................................................................................+........................................................................++*++*++*++*++*++*
debian:/etc/postfix/ssl# openssl x509 -subject -dates -fingerprint -noout -in /etc/postfix/ssl/post.pem
subject= /C=CN/ST=GD/L=GD/O=9812.net/OU=9812/CN=Neo Chen/[email protected]
notBefore=Sep 18 19:36:59 2004 GMT
notAfter=Sep 18 19:36:59 2005 GMT
MD5 Fingerprint=4E:54:5E:45:3F:B9:71:58:BB:E3:8B:62:C0:E8:20:15
debian:/etc/postfix/ssl#