创建域邮件存储目录
mkdir /var/mail/example.net chown postfix /var/mail/example.net |
配置 Postfix + TLS + LDAP
基本配置
# See /usr/share/postfix/main.cf.dist for a commented, more complete version smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) biff = no # appending .domain is the MUA's job. append_dot_mydomain = no # Uncomment the next line to generate "delayed mail" warnings #delay_warning_time = 4h myhostname = mail.example.net mydomain = example.net alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases #mydestination = debian, example.net, localhost.localdomain, localhost mydestination = $myhostname, $mydomain, $transport_maps #relayhost = ISP SMTP #LAN -> WAN mynetworks = 127.0.0.0/8 mailbox_command = procmail -a "$EXTENSION" mailbox_size_limit = 0 recipient_delimiter = + #================== BASE =================== debug_peer_level = 2 smtpd_tls_loglevel=2 disable_vrfy_command = yes local_recipient_maps = transport_maps = hash:/etc/postfix/transport #=================== LDAP ==================== local_transport = virtual virtual_transport = virtual virtual_mailbox_base = /var/mail virtual_alias_maps = ldap:aliases #virtual_alias_domains = ldap:aliases virtual_mailbox_maps = ldap:mailbox #virtual_mailbox_domains = ldap:mailbox virtual_uid_maps = static:105 virtual_gid_maps = static:109 #virtual_minimum_uid = 500 virtual_mailbox_limit = 0 virtual_maildir_limit_message = "The user you're trying to reach is over quota." virtual_mailbox_limit_maps = ldap:quota virtual_mailbox_limit_override = yes virtual_mailbox_limit_inbox = yes #virtual_mailbox_size_limit = 1024000000 virtual_maildir_extended = yes virtual_create_maildirsize = yes |
transport
建议使用hash表 [1]
debian:/etc/postfix# vi transport example.net virtual: debian:/etc/postfix# postmap transport |
这里我使用了virtual方式投递,其它投递方式还有maildrop:,local:
当然,为了方便管理有时需要使用ldap,配置的方法是:
## Transport transport_server_host = localhost transport_search_base = ou=postfix,dc=example,dc=net transport_query_filter = (%s) (objectClass=postfixVirtualDomain)) transport_result_attribute = transport #or transport_result_attribute = o transport_scope = one transport_cache = yes transport_bind = yes transport_bind_dn = cn=admin,dc=example,dc=net transport_bind_pw = chen transport_maps = ldap:transport mydestination = domaine.tld, host.domain.tld, \ localhost, $transport_maps |
virtual_alias_maps[2]
# ldap:aliases, ldapsource here tell postfix the information while search # Alias instead of using hash file for lookup :-) aliases_server_host = localhost aliases_server_port = 389 aliases_bind = yes aliases_bind_dn = cn=admin,dc=example,dc=net aliases_bind_pw = chen aliases_search_base = ou=postfix,dc=example,dc=net aliases_query_filter = ((objectClass=postfixAccount)(mail=%s))(accountStatus=true)) aliases_result_attribute = maildrop aliases_bind = yes aliases_cache = no aliases_version=3 aliases_debuglevel=0 |
virtual_mailbox_maps
# ldap:accounts, ldapsource here tell postfix about VirtualAccount infor- # mation while doing Account ldap lookup mailbox_server_host = localhost mailbox_server_port = 389 mailbox_bind = yes mailbox_bind_dn = cn=admin,dc=example,dc=net mailbox_bind_pw = chen mailbox_search_base = ou=postfix,dc=example,dc=net mailbox_query_filter = ((mail=%s)(objectClass=postfixAccount))(|(AccountStatus=true)(accountStatus=enable))) mailbox_result_attribute = mailbox mailbox_version=3 mailbox_debuglevel=0 |
virtual_mailbox_limit_maps
quota_server_host = localhost quota_bind = yes quota_bind_dn = cn=admin,dc=example,dc=net quota_bind_pw = chen quota_search_base = ou=postfix,dc=example,dc=net quota_query_filter = ((objectClass=postfixAccount)(mail=%s))(AccountStatus=TRUE)) quota_result_attribute = quota quota_cache = yes quota_version=3 quota_debuglevel=0 |
sasl
smtpd_sasl_auth_enable = yes smtpd_sasl_security_options = noanonymous broken_sasl_auth_clients = yes smtpd_recipient_restrictions = permit_sasl_authenticated permit_auth_destination reject #smtpd_sasl_local_domain = $mydomain #smtpd_sasl_local_domain = $myhostname smtpd_sasl_local_domain = smtpd_client_restrictions = permit_sasl_authenticated #smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unknown_recipient_domain,reject_non_fqdn_recipient,check_relay_domains |
TLS/SSL
#TLS smtp_use_tls = yes smtpd_use_tls = yes #smtpd_tls_auth_only = yes smtp_tls_note_starttls_offer = yes smtpd_tls_key_file = $config_directory/ssl/post.pem smtpd_tls_cert_file = $config_directory/ssl/post.pem smtpd_tls_CAfile = $config_directory/ssl/post.pem smtpd_tls_loglevel = 1 smtpd_tls_received_header = yes smtpd_tls_session_cache_timeout = 3600s tls_random_source = dev:/dev/urandom |
生成证书 [3]
smtp-amavis
content_filter = smtp-amavis:[127.0.0.1]:10024
Example 4. master.cf
debian:/etc/postfix# cat master.cf # # Postfix master process configuration file. Each logical line # describes how a Postfix daemon program should be run. # # A logical line starts with non-whitespace, non-comment text. # Empty lines and whitespace-only lines are ignored, as are comment # lines whose first non-whitespace character is a `#'. # A line that starts with whitespace continues a logical line. # # The fields that make up each line are described below. A "-" field # value requests that a default value be used for that field. # # Service: any name that is valid for the specified transport type # (the next field). With INET transports, a service is specified as # host:port. The host part (and colon) may be omitted. Either host # or port may be given in symbolic form or in numeric form. Examples # for the SMTP server: localhost:smtp receives mail via the loopback # interface only; 10025 receives mail on port 10025. # # Transport type: "inet" for Internet sockets, "unix" for UNIX-domain # sockets, "fifo" for named pipes. # # Private: whether or not access is restricted to the mail system. # Default is private service. Internet (inet) sockets can't be private. # # Unprivileged: whether the service runs with root privileges or as # the owner of the Postfix system (the owner name is controlled by the # mail_owner configuration variable in the main.cf file). Only the # pipe, virtual and local delivery daemons require privileges. # # Chroot: whether or not the service runs chrooted to the mail queue # directory (pathname is controlled by the queue_directory configuration # variable in the main.cf file). Presently, all Postfix daemons can run # chrooted, except for the pipe, virtual and local delivery daemons. # The proxymap server can run chrooted, but doing so defeats most of # the purpose of having that service in the first place. # The files in the examples/chroot-setup subdirectory describe how # to set up a Postfix chroot environment for your type of machine. # # Wakeup time: automatically wake up the named service after the # specified number of seconds. A ? at the end of the wakeup time # field requests that wake up events be sent only to services that # are actually being used. Specify 0 for no wakeup. Presently, only # the pickup, queue manager and flush daemons need a wakeup timer. # # Max procs: the maximum number of processes that may execute this # service simultaneously. Default is to use a globally configurable # limit (the default_process_limit configuration parameter in main.cf). # Specify 0 for no process count limit. # # Command + args: the command to be executed. The command name is # relative to the Postfix program directory (pathname is controlled by # the daemon_directory configuration variable). Adding one or more # -v options turns on verbose logging for that service; adding a -D # option enables symbolic debugging (see the debugger_command variable # in the main.cf configuration file). See individual command man pages # for specific command-line options, if any. # # General main.cf options can be overridden for specific services. # To override one or more main.cf options, specify them as arguments # below, preceding each option by "-o". There must be no whitespace # in the option itself (separate multiple values for an option by # commas). # # In order to use the "uucp" message tranport below, set up entries # in the transport table. # # In order to use the "cyrus" message transport below, configure it # in main.cf as the mailbox_transport. # # SPECIFY ONLY PROGRAMS THAT ARE WRITTEN TO RUN AS POSTFIX DAEMONS. # ALL DAEMONS SPECIFIED HERE MUST SPEAK A POSTFIX-INTERNAL PROTOCOL. # # DO NOT SHARE THE POSTFIX QUEUE BETWEEN MULTIPLE POSTFIX INSTANCES. # # ========================================================================== # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) # ========================================================================== smtp inet n - - - - smtpd #submission inet n - - - - smtpd # -o smtpd_etrn_restrictions=reject #628 inet n - - - - qmqpd pickup fifo n - - 60 1 pickup cleanup unix n - - - 0 cleanup qmgr fifo n - - 300 1 qmgr #qmgr fifo n - - 300 1 oqmgr rewrite unix - - - - - trivial-rewrite bounce unix - - - - 0 bounce defer unix - - - - 0 bounce trace unix - - - - 0 bounce verify unix - - - - 1 verify flush unix n - - 1000? 0 flush proxymap unix - - n - - proxymap smtp unix - - - - - smtp relay unix - - - - - smtp # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 showq unix n - - - - showq error unix - - - - - error local unix - n n - - local virtual unix - n n - - virtual lmtp unix - - n - - lmtp anvil unix - - n - 1 anvil # # Interfaces to non-Postfix software. Be sure to examine the manual # pages of the non-Postfix software to find out what options it wants. # # maildrop. See the Postfix MAILDROP_README file for details. # maildrop unix - n n - - pipe flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} uucp unix - n n - - pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) ifmail unix - n n - - pipe flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) bsmtp unix - n n - - pipe flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -d -t$nexthop -f$sender $recipient scalemail-backend unix - n n - 2 pipe flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} # only used by postfix-tls #tlsmgr fifo - - n 300 1 tlsmgr #smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes #587 inet n - n - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes smtp-amavis unix - - y - 2 smtp -o smtp_data_done_timeout=1200s -o smtp_never_send_ehlo=yes -o disable_dns_lookups=yes 127.0.0.1:10025 inet n - y - - smtpd -o content_filter= -o local_recipient_maps= -o smtpd_helo_restrictions= -o smtpd_client_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8 |
Example 5. main.cf
debian:/etc/postfix# cat main.cf # See /usr/share/postfix/main.cf.dist for a commented, more complete version smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) biff = no # appending .domain is the MUA's job. append_dot_mydomain = no # Uncomment the next line to generate "delayed mail" warnings #delay_warning_time = 4h myhostname = mail.example.net mydomain = example.net alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases #mydestination = debian, example.net, localhost.localdomain, localhost mydestination = $myhostname, $mydomain, $transport_maps #relayhost = ISP SMTP #LAN -> WAN mynetworks = 127.0.0.0/8 mailbox_command = procmail -a "$EXTENSION" mailbox_size_limit = 0 recipient_delimiter = + #================== BASE =================== debug_peer_level = 2 smtpd_tls_loglevel=2 disable_vrfy_command = yes local_recipient_maps = transport_maps = hash:/etc/postfix/transport #=================== LDAP ==================== local_transport = virtual virtual_transport = virtual virtual_mailbox_base = /var/mail virtual_alias_maps = ldap:aliases #virtual_alias_domains = ldap:aliases virtual_mailbox_maps = ldap:mailbox #virtual_mailbox_domains = ldap:mailbox virtual_uid_maps = static:105 virtual_gid_maps = static:109 #virtual_minimum_uid = 500 virtual_mailbox_limit = 0 virtual_maildir_limit_message = "The user you're trying to reach is over quota." virtual_mailbox_limit_maps = ldap:quota virtual_mailbox_limit_override = yes virtual_mailbox_limit_inbox = yes #virtual_mailbox_size_limit = 1024000000 virtual_maildir_extended = yes virtual_create_maildirsize = yes # ldap:aliases, ldapsource here tell postfix the information while search # Alias instead of using hash file for lookup :-) aliases_server_host = localhost aliases_server_port = 389 aliases_bind = yes aliases_bind_dn = cn=admin,dc=example,dc=net aliases_bind_pw = chen aliases_search_base = ou=postfix,dc=example,dc=net aliases_query_filter = ((objectClass=postfixAccount)(mail=%s))(accountStatus=true)) #aliases_result_attribute = maildrop aliases_result_attribute = maildrop aliases_bind = yes aliases_cache = no aliases_version=3 aliases_debuglevel=0 # ldap:accounts, ldapsource here tell postfix about VirtualAccount infor- # mation while doing Account ldap lookup mailbox_server_host = localhost mailbox_server_port = 389 mailbox_bind = yes mailbox_bind_dn = cn=admin,dc=example,dc=net mailbox_bind_pw = chen mailbox_search_base = ou=postfix,dc=example,dc=net mailbox_query_filter = ((mail=%s)(objectClass=postfixAccount))(|(AccountStatus=true)(accountStatus=enable))) #mailbox_query_filter = (mail=%s) mailbox_result_attribute = mailbox mailbox_version=3 mailbox_debuglevel=0 quota_server_host = localhost quota_bind = yes quota_bind_dn = cn=admin,dc=example,dc=net quota_bind_pw = chen quota_search_base = ou=postfix,dc=example,dc=net quota_query_filter = ((objectClass=postfixAccount)(mail=%s))(AccountStatus=TRUE)) quota_result_attribute = quota quota_cache = yes quota_version=3 quota_debuglevel=0 #====== SASL ================ smtpd_sasl_auth_enable = yes smtpd_sasl_security_options = noanonymous broken_sasl_auth_clients = yes smtpd_recipient_restrictions = permit_sasl_authenticated permit_auth_destination reject #smtpd_sasl_local_domain = $mydomain #smtpd_sasl_local_domain = $myhostname smtpd_sasl_local_domain = smtpd_client_restrictions = permit_sasl_authenticated #smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unknown_recipient_domain,reject_non_fqdn_recipient,check_relay_domains #unknown_local_recipient_reject_code = 450 #smtp_use_tls = yes #smtpd_use_tls = yes ##smtpd_tls_auth_only = yes #smtpd_tls_loglevel = 3 #smtpd_tls_received_header = yes #smtpd_tls_session_cache_timeout = 600s #smtp_tls_note_starttls_offer = yes #smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key #smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt #smtpd_tls_CAfile = /etc/postfix/ssl/smtpd.pem # tls config #smtp_use_tls = yes #smtpd_use_tls = yes #smtp_tls_note_starttls_offer = yes #smtpd_tls_key_file = /etc/postfix/ssl/smtpd.pem #smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.pem #smtpd_tls_CAfile = /etc/postfix/ssl/smtpd.pem #smtpd_tls_loglevel = 1 #smtpd_tls_received_header = yes #smtpd_tls_session_cache_timeout = 3600s #tls_random_source = dev:/dev/urandom #TLS smtp_use_tls = yes smtpd_use_tls = yes #smtpd_tls_auth_only = yes smtp_tls_note_starttls_offer = yes smtpd_tls_key_file = $config_directory/ssl/post.pem smtpd_tls_cert_file = $config_directory/ssl/post.pem smtpd_tls_CAfile = $config_directory/ssl/post.pem smtpd_tls_loglevel = 1 smtpd_tls_received_header = yes smtpd_tls_session_cache_timeout = 3600s tls_random_source = dev:/dev/urandom content_filter = smtp-amavis:[127.0.0.1]:10024 #mime_header_checks = pcre:/etc/postfix/body_checks |
[1] |
| |
[2] | virtual_maps已经不再使用,新的参数是virtual_alias_maps | |
[3] |
|