Connecting to an external SMTP server on an SSL-encrypted port (e.g. Alibaba Cloud Enterprise Mail on port 465)

Cloud user "就这种感觉" reported that a configuration that used to work could no longer connect to an external SMTP server (usually on port 25) from inside an ECS instance, so sending mail failed.

Cause: Alibaba Cloud probably filters outbound connections to TCP port 25 on newly provisioned ECS instances to curb mail abuse.

Solution: besides port 25, most mail providers now also offer other secure, encrypted submission ports; Alibaba Cloud Enterprise Mail, for example, offers port 465. Try changing the configured outbound port from the default 25 to another port that accepts mail.

Environment: Debian 8

Goal: from the system, use the mailx command to connect to the Alibaba Cloud Enterprise Mail server, log in with an enterprise mailbox account (sales@vfutai.xxx) and send a test message to a Tencent mailbox address (dongshan3@xxxx).

Steps:

1. Install heirloom-mailx to replace the default bsd-mailx. Debian uses bsd-mailx by default, but bsd-mailx has no SMTP-related settings.
apt-get install heirloom-mailx

2. Create the mailx configuration file ~/.mailrc with the following content:

# Use implicit TLS (SMTPS) on port 465 instead of plain port 25
set smtp="smtps://smtp.mxhichina.com:465"
set smtp-auth=login
set smtp-auth-user="sales@vfutai.xxx"
set smtp-auth-password="Ni_De_Mi_Ma"
# Skips certificate verification: the connection is still encrypted, but the
# server's identity is not checked. Use ssl-verify=strict once the system CA
# bundle validates the server certificate.
set ssl-verify=ignore

Replace the login user and password values with your own.

3. Send a test message:
echo message4 | mail -v -r "sales@vfutai.xxx" -s "This is the subject" dongshan3@foxmail.xxx
Replace the sender, recipient and subject with your own.

4. After running the command, it reports that the message was sent, and the message arrives in the recipient's mailbox.
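
As an added example (not part of the original post), the same test send done from Python with smtplib over implicit TLS on port 465, but with the server certificate verified instead of skipped as `set ssl-verify=ignore` does; the account, password and recipient are placeholders you must replace.

```python
import smtplib
import ssl
from email.message import EmailMessage
from email.utils import make_msgid

# Server and port as in the post's .mailrc. The account values are
# placeholders (an assumption of this example); replace them before running.
SMTP_HOST = "smtp.mxhichina.com"
SMTP_PORT = 465
SMTP_USER = "sales@vfutai.xxx"
SMTP_PASSWORD = "REPLACE_WITH_YOUR_PASSWORD"


def build_tls_context(cafile=None):
    """Client TLS context that verifies the server certificate and hostname.
    This is what 'set ssl-verify=ignore' switches off: with verification,
    a wrong or forged certificate aborts the connection before the login
    credentials are sent."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_verifies(ctx):
    """True when the context enforces certificate and hostname verification."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def build_message(sender, recipient, subject, body):
    """Assemble the test message. From must be the authenticated account,
    otherwise most providers reject the submission."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg["Message-ID"] = make_msgid(domain=sender.split("@", 1)[1])
    msg.set_content(body)
    return msg


def send_test_mail(recipient, subject="This is the subject", body="message4",
                   host=SMTP_HOST, port=SMTP_PORT, user=SMTP_USER,
                   password=SMTP_PASSWORD):
    """Connect with implicit TLS (SMTPS on 465, no STARTTLS step), log in and
    send. Returns the Message-ID so the send can be matched in the logs."""
    msg = build_message(user, recipient, subject, body)
    with smtplib.SMTP_SSL(host, port, context=build_tls_context(), timeout=30) as smtp:
        smtp.login(user, password)
        smtp.send_message(msg)
    return msg["Message-ID"]


if __name__ == "__main__":
    print(send_test_mail("dongshan3@foxmail.xxx"))
```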

References:

Running a script automatically at boot on CentOS 7 with systemd

Cloud user "yongzhang" wanted CentOS 7 to add an IPv6 tunnel address automatically at boot; this post was written following examples found online.

Environment: CentOS 7 64-bit
Goal: run a script automatically after boot that adds an IPv6 tunnel address to the system

Steps:

1. This assumes you have already enabled IPv6 addresses for your Alibaba Cloud system

2. Create the systemd unit file:
vi /etc/systemd/system/enable-ipv6.service

With the following content:

[Unit]
Description=Add the IPv6 tunnel address at boot
After=network.target

[Service]
# The script runs once and exits; oneshot makes systemd wait for it to finish
Type=oneshot
ExecStart=/usr/local/bin/enable-ipv6.sh

[Install]
WantedBy=default.target

3. Create the script that configures the IPv6 tunnel address:
vi /usr/local/bin/enable-ipv6.sh
With the following content:

#!/bin/bash
# Load the IPv6 module (a no-op when IPv6 is built into the kernel)
modprobe ipv6
# Create a 6in4 (SIT) tunnel: 'remote' is the tunnel endpoint,
# 'local' is this instance's public IPv4 address
ip tunnel add he-ipv6 mode sit remote 216.218.221.6 local 121.43.110.72 ttl 255
ip link set he-ipv6 up
# This side's IPv6 address on the tunnel
ip addr add 2001:470:18:401::2/64 dev he-ipv6
# Send all IPv6 traffic through the tunnel
ip route add ::/0 dev he-ipv6
# Print the resulting IPv6 addresses (ends up in the journal)
ip -f inet6 addr

4. Set the permissions on the two files above (the script must be executable):
chmod 744 /usr/local/bin/enable-ipv6.sh
chmod 664 /etc/systemd/system/enable-ipv6.service

5. Enable the newly created service (here enable-ipv6.service) so that it runs automatically at boot:
systemctl daemon-reload
systemctl enable enable-ipv6.service

6. Reboot the system and check that the script ran automatically

References:

  1. https://linuxconfig.org/how-to-automatically-execute-shell-script-at-startup-boot-on-systemd-linux
  2. https://www.centos.org/forums/viewtopic.php?t=48140

Upgrading the Gentoo Linux kernel (from 3.x to 4.x)

Cloud user "uudiin" wanted to upgrade the Gentoo kernel, because the Gentoo system in the public images is rather old by now.

Alibaba Cloud officially advises against users upgrading the system version or replacing the kernel themselves. This post is only a test.

Environment: Gentoo 13 64-bit.

Steps:

1. Check the current kernel version, 3.12.21-gentoo-r1 here:
uname -r

2. Add the DNS server 208.67.222.222 as a fallback in case Alibaba Cloud's internal DNS resolution fails in some situations:
vi /etc/resolv.conf

3. Sync the portage tree:
emerge --sync
emerge --oneshot portage

4. Install the new kernel sources:
emerge --ask sys-kernel/gentoo-sources

5. Update eselect:
emerge eselect

6. Install screen, which is needed later because compiling the new kernel takes a long time:
emerge app-misc/screen

7. Start screen:
screen

8. List the available kernels:
eselect kernel list

9. Select the new kernel as appropriate, item 2 in this example:
eselect kernel set 2

10. Install the kernel build tool genkernel:
emerge genkernel

11. Configure the new kernel. The test machine in this example runs on the Xen virtualisation platform, so the Xen drivers must be selected; if your ECS instance runs on KVM, you will probably need to select the KVM guest drivers instead:
genkernel --menuconfig --bootloader=grub all


12. Regenerate the grub boot menu:
grub2-mkconfig -o /boot/grub/grub.cfg

13. After rebooting, check that the system is running the new kernel, 4.4.26-gentoo:
reboot

14. If portage complains that its version is too old to install newer packages, try upgrading portage first and then updating. In this example some packages may need to be removed before updating:

emerge -cav dev-util/systemtap
emerge -cav app-portage/gentoolkit
emerge -cav dev-lang/python-exec
emerge portage
emerge -auvDN @world

A possible problem: a system running the new kernel can still be used over a remote login, but the Alibaba Cloud "management terminal" seems not to work.

References:

Installing a simple mail system on Debian 8: postfix, mysql, dovecot, postfixadmin and roundcube

In the previous post, iRedMail was used to set up a mail server quickly; here we try a manual installation. The procedure mainly follows a tutorial from abroad.

Environment: Debian 8 64-bit; the numeric GID of the mail group is 8. Assume postfixadmin will be reached at https://yun.anqun.org/postfixadmin and roundcube at https://yun.anqun.org/webmail.

Steps:

1. Change the ECS instance's hostname:
hostname yun.anqun.org

2. Change the name in /etc/hostname, in this example:
yun

3. Change the fully qualified hostname in /etc/hosts, in this example:
127.0.0.1 yun.anqun.org yun localhost localhost.localdomain

4. Update the package lists
apt-get update

5. Install the nginx + php5 + mariadb web stack: https://bbs.aliyun.com/read/288162.html

6. Assuming a certificate for yun.anqun.org has already been obtained, configure nginx for HTTPS access

6. Install the required packages:
apt-get install postfix postfix-mysql dovecot-core dovecot-imapd dovecot-lmtpd dovecot-mysql php5-imap php5-mysql php5-mcrypt php5-intl php-apc php5-memcache php5-curl php5-gd php-xml-parser

7. Create a new MySQL database postfdb with user postuser and password aqtest46, and grant it the necessary privileges, for use by postfixadmin:
create database postfdb;
grant all on postfdb.* to 'postuser'@'localhost' identified by 'aqtest46';

8. Download the postfixadmin package:
wget http://nchc.dl.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin-3.0/postfixadmin-3.0.tar.gz

9. Unpack postfixadmin into /var/www/html/postfixadmin and create the config.local.php configuration file containing the MySQL connection details:

<?php
$CONF['database_type'] = 'mysqli';
$CONF['database_user'] = 'postuser';
$CONF['database_password'] = 'aqtest46';
$CONF['database_name'] = 'postfdb';
$CONF['configured'] = true;
$CONF['domain_path'] = 'NO';
$CONF['domain_in_mailbox'] = 'YES';
?>

10. During setup you will be asked to set a setup password and then to create a mail administrator account

11. Create a system user vmail (UID 150, in group mail, home directory /var/vmail) that owns all the virtual mailboxes
useradd -r -u 150 -g mail -d /var/vmail -s /sbin/nologin -c "Virtual MailDir Handler" vmail

12. Create the directory and set suitable permissions
mkdir -p /var/vmail
chown vmail:mail /var/vmail
chmod 770 /var/vmail

13. Start configuring dovecot. Edit the database configuration file /etc/dovecot/dovecot-sql.conf.ext as follows:

# Database driver: mysql, pgsql, sqlite
driver = mysql
# Database Connection:
#   connect = host=192.168.1.1 dbname=users
#   connect = host=sql.example.com dbname=virtual user=virtual password=blarg
#   connect = /etc/dovecot/authdb.sqlite
#
connect = host=127.0.0.1 dbname=postfdb user=postuser password=aqtest46
# Default password scheme.
#
# List of supported schemes is in
# http://wiki2.dovecot.org/Authentication/PasswordSchemes
#
# Weak but common encryption scheme:
default_pass_scheme = MD5-CRYPT
#
# Comment the above out and uncomment below
# for stronger encryption:
#default_pass_scheme = SHA256-CRYPT
# Define the query to obtain a user password.
password_query = \
  SELECT username as user, password, '/var/vmail/%d/%n' as userdb_home, \
  'maildir:/var/vmail/%d/%n' as userdb_mail, 150 as userdb_uid, 8 as userdb_gid \
  FROM mailbox WHERE username = '%u' AND active = '1'
# Define the query to obtain user information.
user_query = \
  SELECT '/var/vmail/%d/%n' as home, 'maildir:/var/vmail/%d/%n' as mail, \
  150 AS uid, 8 AS gid, concat('dirsize:storage=', quota) AS quota \
  FROM mailbox WHERE username = '%u' AND active = '1'

14. Edit the authentication configuration file /etc/dovecot/conf.d/10-auth.conf as follows:

# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
disable_plaintext_auth = yes
# Space separated list of wanted authentication mechanisms:
#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
#   gss-spnego
# NOTE: See also disable_plaintext_auth setting.
auth_mechanisms = plain login
##
## Password and user databases
##
#
# Password database is used to verify user's password (and nothing more).
# You can have multiple passdbs and userdbs. This is useful if you want to
# allow both system users (/etc/passwd) and virtual users to login without
# duplicating the system users into virtual database.
#
# <doc/wiki/PasswordDatabase.txt>
#
# User database specifies where mails are located and what user/group IDs
# own them. For single-UID configuration use "static" userdb.
#
# <doc/wiki/UserDatabase.txt>
# Use the SQL database configuration rather than any of the others.
!include auth-sql.conf.ext

15. Edit the mail configuration file /etc/dovecot/conf.d/10-mail.conf as follows:

# Location for users' mailboxes. The default is empty, which means that Dovecot
# tries to find the mailboxes automatically. This won't work if the user
# doesn't yet have any mail, so you should explicitly tell Dovecot the full
# location.
#
# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u)
# isn't enough. You'll also need to tell Dovecot where the other mailboxes are
# kept. This is called the "root mail directory", and it must be the first
# path given in the mail_location setting.
#
# There are a few special variables you can use, eg.:
#
#   %u - username
#   %n - user part in user@domain, same as %u if there's no domain
#   %d - domain part in user@domain, empty if there's no domain
#   %h - home directory
#
# See doc/wiki/Variables.txt for full list. Some examples:
#
#   mail_location = maildir:~/Maildir
#   mail_location = mbox:~/mail:INBOX=/var/mail/%u
#   mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
#
# <doc/wiki/MailLocation.txt>
#
mail_location = maildir:/var/vmail/%d/%n
# System user and group used to access mails. If you use multiple, userdb
# can override these by returning uid or gid fields. You can use either numbers
# or names. <doc/wiki/UserIds.txt>
mail_uid = vmail
mail_gid = mail
# Valid UID range for users, defaults to 500 and above. This is mostly
# to make sure that users can't log in as daemons or other system users.
# Note that denying root logins is hardcoded to dovecot binary and can't
# be done even if first_valid_uid is set to 0.
#
# Use the vmail user uid here.
first_valid_uid = 150
last_valid_uid = 150
# If you need to set multiple mailbox locations or want to change default
# namespace settings, you can do it by defining namespace sections.
#
# You can have private, shared and public namespaces. Private namespaces
# are for user's personal mails. Shared namespaces are for accessing other
# users' mailboxes that have been shared. Public namespaces are for shared
# mailboxes that are managed by sysadmin. If you create any shared or public
# namespaces you'll typically want to enable ACL plugin also, otherwise all
# users can access all the shared mailboxes, assuming they have permissions
# on filesystem level to do so.
namespace inbox {
  # Namespace type: private, shared or public
  #type = private
  # Hierarchy separator to use. You should use the same separator for all
  # namespaces or some clients get confused. '/' is usually a good one.
  # The default however depends on the underlying mail storage format.
  #separator =
  # Prefix required to access this namespace. This needs to be different for
  # all namespaces. For example "Public/".
  #prefix =
  # Physical location of the mailbox. This is in same format as
  # mail_location, which is also the default for it.
  #location =
  # There can be only one INBOX, and this setting defines which namespace
  # has it.
  inbox = yes
  # If namespace is hidden, it's not advertised to clients via NAMESPACE
  # extension. You'll most likely also want to set list=no. This is mostly
  # useful when converting from another server with different namespaces which
  # you want to deprecate but still keep working. For example you can create
  # hidden namespaces with prefixes "~/mail/", "~%u/mail/" and "mail/".
  #hidden = no
  # Show the mailboxes under this namespace with LIST command. This makes the
  # namespace visible for clients that don't support NAMESPACE extension.
  # "children" value lists child mailboxes, but hides the namespace prefix.
  #list = yes
  # Namespace handles its own subscriptions. If set to "no", the parent
  # namespace handles them (empty prefix should always have this as "yes")
  #subscriptions = yes
}

16. Set the SSL certificate paths in /etc/dovecot/conf.d/10-ssl.conf as follows:

ssl = yes
ssl_cert = </etc/ssl/certs/yun_anqun_org.pem
ssl_key = </etc/ssl/private/yun_anqun_org.key

17. Edit /etc/dovecot/conf.d/10-master.conf, changing the users and groups as follows:

#default_process_limit = 100
#default_client_limit = 1000
# Default VSZ (virtual memory size) limit for service processes. This is mainly
# intended to catch and kill processes that leak memory before they eat up
# everything.
#default_vsz_limit = 256M
# Login user is internally used by login processes. This is the most untrusted
# user in Dovecot system. It shouldn't have access to anything at all.
#default_login_user = dovenull
# Internal user is used by unprivileged processes. It should be separate from
# login user, so that login processes can't disturb other processes.
#default_internal_user = dovecot
service imap-login {
  inet_listener imap {
    #port = 143
  }
  inet_listener imaps {
    #port = 993
    #ssl = yes
  }
  # Number of connections to handle before starting a new process. Typically
  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
  # is faster. <doc/wiki/LoginProcess.txt>
  #service_count = 1
  # Number of processes to always keep waiting for more connections.
  #process_min_avail = 0
  # If you set service_count=0, you probably need to grow this.
  #vsz_limit = $default_vsz_limit
}
service pop3-login {
  inet_listener pop3 {
    #port = 110
  }
  inet_listener pop3s {
    #port = 995
    #ssl = yes
  }
}
service lmtp {
  unix_listener lmtp {
    #mode = 0666
  }
  # Create inet listener only if you can't use the above UNIX socket
  #inet_listener lmtp {
    # Avoid making LMTP visible for the entire internet
    #address =
    #port =
  #}
}
service imap {
  # Most of the memory goes to mmap()ing files. You may need to increase this
  # limit if you have huge mailboxes.
  #vsz_limit = $default_vsz_limit
  # Max. number of IMAP processes (connections)
  #process_limit = 1024
}
service pop3 {
  # Max. number of POP3 processes (connections)
  #process_limit = 1024
}
service auth {
  # auth_socket_path points to this userdb socket by default. It's typically
  # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
  # full permissions to this socket are able to get a list of all usernames and
  # get the results of everyone's userdb lookups.
  #
  # The default 0666 mode allows anyone to connect to the socket, but the
  # userdb lookups will succeed only if the userdb returns an "uid" field that
  # matches the caller process's UID. Also if caller's uid or gid matches the
  # socket's uid or gid the lookup succeeds. Anything else causes a failure.
  #
  # To give the caller full permissions to lookup all users, set the mode to
  # something else than 0666 and Dovecot lets the kernel enforce the
  # permissions (e.g. 0777 allows everyone full permissions).
  unix_listener auth-userdb {
    mode = 0666
    user = vmail
    group = mail
  }
  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
  # Auth process is run as this user.
  #user = $default_internal_user
}
service auth-worker {
  # Auth worker process is run as root by default, so that it can access
  # /etc/shadow. If this isn't necessary, the user should be changed to
  # $default_internal_user.
  #user = root
}
service dict {
  # If dict proxy is used, mail processes should have access to its socket.
  # For example: mode=0660, group=vmail and global mail_access_groups=vmail
  unix_listener dict {
    #mode = 0600
    #user =
    #group =
  }
}

18. Change the permissions so that dovecot and the mail user can read the configuration files
chown -R vmail:dovecot /etc/dovecot
chmod -R o-rwx /etc/dovecot

20. Start configuring postfix. Check that MySQL listens on 127.0.0.1:
grep bind-address /etc/mysql/my.cnf

21. Create the configuration file /etc/postfix/mysql_virtual_alias_domainaliases_maps.cf with the following content:

user = postuser
password = aqtest46
hosts = 127.0.0.1
dbname = postfdb
query = SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' AND alias.address=concat('%u', '@', alias_domain.target_domain) AND alias.active = 1

22. Create the configuration file /etc/postfix/mysql_virtual_alias_maps.cf with the following content:

user = postuser
password = aqtest46
hosts = 127.0.0.1
dbname = postfdb
table = alias
select_field = goto
where_field = address
additional_conditions = and active = '1'

23. Create the configuration file /etc/postfix/mysql_virtual_domains_maps.cf with the following content:

user = postuser
password = aqtest46
hosts = 127.0.0.1
dbname = postfdb
table = domain
select_field = domain
where_field = domain
additional_conditions = and backupmx = '0' and active = '1'

24. Create the configuration file /etc/postfix/mysql_virtual_mailbox_domainaliases_maps.cf with the following content:

user = postuser
password = aqtest46
hosts = 127.0.0.1
dbname = postfdb
query = SELECT maildir FROM mailbox, alias_domain
  WHERE alias_domain.alias_domain = '%d'
  AND mailbox.username=concat('%u', '@', alias_domain.target_domain )
  AND mailbox.active = 1

25. Create the configuration file /etc/postfix/mysql_virtual_mailbox_maps.cf with the following content:

user = postuser
password = aqtest46
hosts = 127.0.0.1
dbname = postfdb
table = mailbox
select_field = CONCAT(domain, '/', local_part)
where_field = username
additional_conditions = and active = '1'

26. Create the configuration file /etc/postfix/header_checks with the following content:

/^Received:/                 IGNORE
/^User-Agent:/               IGNORE
/^X-Mailer:/                 IGNORE
/^X-Originating-IP:/         IGNORE
/^x-cr-[a-z]*:/              IGNORE
/^Thread-Index:/             IGNORE
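
As an added example (not part of the original post), this Python script parses the header_checks table above in Postfix regexp(5) syntax and applies it to a constructed set of message headers, so you can see which lines cleanup(8) would drop; the sample headers are an assumption, the rules are the post's own.

```python
import re

# The header_checks table from the post, embedded here as a constructed sample.
HEADER_CHECKS = """\
/^Received:/                 IGNORE
/^User-Agent:/               IGNORE
/^X-Mailer:/                 IGNORE
/^X-Originating-IP:/         IGNORE
/^x-cr-[a-z]*:/              IGNORE
/^Thread-Index:/             IGNORE
"""

# Constructed header lines of one message, as cleanup(8) would see them.
SAMPLE_HEADERS = [
    "Received: from client.example (203.0.113.7) by yun.anqun.org",
    "received: from mua.example by client.example",
    "From: sales@vfutai.xxx",
    "To: dongshan3@foxmail.xxx",
    "Subject: This is the subject",
    "X-Mailer: Thunderbird",
    "X-CR-Hashed: abc",
    "Thread-Index: AQH=",
    "Message-ID: <1@vfutai.xxx>",
]

# One rule per line: /pattern/flags action. Flags are optional.
_RULE = re.compile(r"^/(?P<pat>(?:\\.|[^/])*)/(?P<flags>[imx]*)\s+(?P<action>\S.*)$")


def parse_regexp_table(text):
    """Parse a Postfix regexp(5) table into [(compiled pattern, action)].
    Postfix matches case-insensitively by default; the 'i' flag toggles that
    off (the 'm' and 'x' flags are rarely used in header_checks)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _RULE.match(line)
        if not m:
            raise ValueError(f"cannot parse rule: {line!r}")
        flags = 0 if "i" in m["flags"] else re.IGNORECASE
        if "x" in m["flags"]:
            flags |= re.VERBOSE
        rules.append((re.compile(m["pat"], flags), m["action"].strip()))
    return rules


def apply_header_checks(headers, rules):
    """Apply the table the way cleanup(8) does: the first matching rule wins,
    IGNORE silently deletes that header line. Returns (kept headers,
    [(header, action)] for every matched header). Actions other than IGNORE
    (WARN, REJECT, ...) are reported but the header is left in place."""
    kept, matched = [], []
    for header in headers:
        for pattern, action in rules:
            if pattern.search(header):
                matched.append((header, action))
                if action.upper() != "IGNORE":
                    kept.append(header)
                break
        else:
            kept.append(header)
    return kept, matched


if __name__ == "__main__":
    kept, matched = apply_header_checks(SAMPLE_HEADERS, parse_regexp_table(HEADER_CHECKS))
    for header, action in matched:
        print(f"{action:8} {header}")
    print("kept:", kept)
```

Note that header_checks runs in cleanup(8) for every message, inbound mail included, so IGNORE on Received: also removes the trace headers needed to investigate abuse reports or mail loops; Postfix lets you confine such rules to the submission service by giving it its own cleanup service (-o cleanup_service_name) with a separate header_checks table.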

27. Edit the configuration file /etc/postfix/main.cf as follows:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# The first text sent to a connecting process.
smtpd_banner = $myhostname ESMTP $mail_name
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
readme_directory = no
# SASL parameters
# ---------------------------------
# Use Dovecot to authenticate.
smtpd_sasl_type = dovecot
# Referring to /var/spool/postfix/private/auth
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
smtpd_sasl_authenticated_header = yes
# TLS parameters
# ---------------------------------
# Replace this with your SSL certificate path if you are using one.
smtpd_tls_cert_file=/etc/ssl/certs/yun_anqun_org.pem
smtpd_tls_key_file=/etc/ssl/private/yun_anqun_org.key
# The snakeoil self-signed certificate has no need for a CA file. But
# if you are using your own SSL certificate, then you probably have
# a CA certificate bundle from your provider. The path to that goes
# here.
#smtpd_tls_CAfile=/path/to/ca/file
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# Note that forcing use of TLS is going to cause breakage - most mail servers
# don't offer it and so delivery will fail, both incoming and outgoing. This is
# unfortunate given what various governmental agencies are up to these days.
# These are Postfix 2.2 only.
#
# Enable (but don't force) use of TLS on incoming smtp connections.
smtpd_use_tls = yes
smtpd_enforce_tls = no
# Enable (but don't force) use of TLS on outgoing smtp connections.
smtp_use_tls = yes
smtp_enforce_tls = no
# These are Postfix 2.3 and later.
#
# Enable (but don't force) all incoming smtp connections to use TLS.
smtpd_tls_security_level = may
# Enable (but don't force) all outgoing smtp connections to use TLS.
smtp_tls_security_level = may
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
# SMTPD parameters
# ---------------------------------
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
# will it be a permanent error or temporary
unknown_local_recipient_reject_code = 450
# how long to keep message on queue before return as failed.
# some have 3 days, I have 16 days as I am backup server for some people
# whom go on holiday with their server switched off.
maximal_queue_lifetime = 7d
# max and min time in seconds between retries if connection failed
minimal_backoff_time = 1000s
maximal_backoff_time = 8000s
# how long to wait when servers connect before receiving rest of data
smtp_helo_timeout = 60s
# how many address can be used in one message.
# effective stopper to mass spammers, accidental copy in whole address list
# but may restrict intentional mail shots.
smtpd_recipient_limit = 16
# how many error before back off.
smtpd_soft_error_limit = 3
# how many max errors before blocking it.
smtpd_hard_error_limit = 12
# This next set are important for determining who can send mail and relay mail
# to other servers. It is very important to get this right - accidentally producing
# an open relay that allows unauthenticated sending of mail is a Very Bad Thing.
#
# You are encouraged to read up on what exactly each of these options accomplish.
# Requirements for the HELO statement
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit
# Requirements for the sender details
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
# Requirements for the connecting server
# This is primarily the RBL (Realtime Blacklist) Filtering
smtpd_client_restrictions = reject_rbl_client b.barracudacentral.org, reject_rbl_client zen.spamhaus.org
# Requirement for the recipient address. A "check_policy_service
# inet:127.0.0.1:10023" entry here would enable Postgrey; it is not used in this setup.
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, permit
smtpd_data_restrictions = reject_unauth_pipelining
# This is a new option as of Postfix 2.10+, and is required in addition to
# smtpd_recipient_restrictions for things to work properly in this setup.
smtpd_relay_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, permit
# require proper helo at connections
smtpd_helo_required = yes
# waste spammers time before rejecting them
smtpd_delay_reject = yes
disable_vrfy_command = yes
# General host and delivery info
# ----------------------------------
myhostname = yun.anqun.org
myorigin = /etc/hostname
# Some people see issues when setting mydestination explicitly to the server
# subdomain, while leaving it empty generally doesn't hurt. So it is left empty here.
# mydestination = mail.example.com, localhost
mydestination =
# If you have a separate web server that sends outgoing mail through this
# mailserver, you may want to add its IP address to the space-delimited list in
# mynetworks, e.g. as 111.222.333.444/32.
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
mynetworks_style = host
# This specifies where the virtual mailbox folders will be located.
virtual_mailbox_base = /var/vmail
# This is for the mailbox location for each user. The domainaliases
# map allows us to make use of Postfix Admin's domain alias feature.
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf, mysql:/etc/postfix/mysql_virtual_mailbox_domainaliases_maps.cf
# and their user id
virtual_uid_maps = static:150
# and group id
virtual_gid_maps = static:8
# This is for aliases. The domainaliases map allows us to make
# use of Postfix Admin's domain alias feature.
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf, mysql:/etc/postfix/mysql_virtual_alias_domainaliases_maps.cf
# This is for domain lookups.
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
# Integration with other packages
# ---------------------------------------
# Tell postfix to hand off mail to the definition for dovecot in master.cf
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
# Use amavis for virus and spam scanning
# content_filter = amavis:[127.0.0.1]:10024
# Header manipulation
# --------------------------------------
# Getting rid of unwanted headers. See: https://posluns.com/guides/header-removal/
header_checks = regexp:/etc/postfix/header_checks
# getting rid of x-original-to
enable_original_recipient = no
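
The comment above the restriction lists warns about accidentally creating an open relay. As an added example that is not part of the original post, this Python script parses a main.cf excerpt (with continuation lines) and checks that no untrusted permit precedes reject_unauth_destination in the operative restriction list; the embedded sample and the small set of permits treated as safe are this example's assumptions.

```python
import re

# Constructed excerpt of the post's main.cf, limited to the lines the check reads.
MAIN_CF = """\
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated,
    reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, permit
# Postfix 2.10+ evaluates this list as well before accepting a relay recipient.
smtpd_relay_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated,
    reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, permit
smtpd_delay_reject = yes
"""

# Permits that may safely precede reject_unauth_destination: each one only
# applies to clients the operator deliberately trusts.
SAFE_PERMITS = {"permit_mynetworks", "permit_sasl_authenticated",
                "permit_tls_clientcerts", "permit_tls_all_clientcerts"}
RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination"}


def parse_main_cf(text):
    """Parse main.cf into {parameter: value}. A line that starts with
    whitespace continues the previous value, as postconf(5) specifies."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:
            params[last] += " " + raw.strip()
            continue
        key, _, value = raw.partition("=")
        last = key.strip()
        params[last] = value.strip()
    return params


def split_restrictions(value):
    """Restriction lists are separated by commas and/or whitespace."""
    return [t for t in re.split(r"[\s,]+", value) if t]


def relay_findings(params):
    """Return the relay-policy problems found; an empty list means the
    restriction list cannot turn this server into an open relay."""
    findings = []
    if "smtpd_relay_restrictions" in params:
        name = "smtpd_relay_restrictions"
    else:
        # Before Postfix 2.10 this list is the only relay guard.
        name = "smtpd_recipient_restrictions"
        findings.append("smtpd_relay_restrictions not set: set it explicitly on Postfix 2.10+")
    value = params.get(name)
    if value is None:
        findings.append(f"{name} not set: open relay")
        return findings
    tokens = split_restrictions(value)
    guard_at = next((i for i, t in enumerate(tokens) if t in RELAY_GUARDS), None)
    if guard_at is None:
        findings.append(f"{name}: no reject_unauth_destination, open relay")
    else:
        for t in tokens[:guard_at]:
            if (t == "permit" or t.startswith("permit_")) and t not in SAFE_PERMITS:
                findings.append(f"{name}: '{t}' appears before {tokens[guard_at]}, "
                                "untrusted clients can relay")
    for net in params.get("mynetworks", "").split():
        if net.endswith("/0"):
            findings.append(f"mynetworks contains {net}: permit_mynetworks trusts every client")
    return findings


if __name__ == "__main__":
    for finding in relay_findings(parse_main_cf(MAIN_CF)) or ["relay policy OK"]:
        print(finding)
```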

28. Edit the configuration file /etc/postfix/master.cf as follows:

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
# SMTP on port 25, unencrypted.
smtp      inet  n       -       -       -       -       smtpd
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
# SMTP with TLS on port 587.
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_enforce_tls=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
  -o smtpd_sasl_tls_security_options=noanonymous
# SMTP over SSL on port 465.
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
  -o smtpd_sasl_security_options=noanonymous,noplaintext
  -o smtpd_sasl_tls_security_options=noanonymous
#628       inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
  -o content_filter=
  -o receive_override_options=no_header_body_checks
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
# The next two entries integrate with Amavis for anti-virus/spam checks.
amavis      unix    -       -       -       -       3       smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20
127.0.0.1:10025 inet    n       -       -       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
# Integration with Dovecot - hand mail over to it for local delivery, and
# run the process under the vmail user and mail group.
dovecot      unix   -        n      n       -       -   pipe
  flags=DRhu user=vmail:mail argv=/usr/lib/dovecot/dovecot-lda -d $(recipient)

29. Restart the services:
service postfix restart
service dovecot restart

30. If errors occur, check /var/log/mail.log and /var/log/mail.err

31. Download roundcubemail-1.2.2-complete.tar.gz and unpack it into /var/www/html/webmail

32. Set the ownership of the program directory
chown -R www-data:www-data /var/www/html/webmail

33. Create a new database roundcubemail with user roundcube and password aqtest87, and grant suitable privileges:

CREATE DATABASE roundcubemail;
GRANT ALL PRIVILEGES ON roundcubemail.* TO roundcube@localhost IDENTIFIED BY 'aqtest87';
FLUSH PRIVILEGES;

34. Open https://yun.anqun.org/webmail/installer in a browser to start the installation

References:

Installing the iRedMail mail system on Debian 8

Written at the request of a cloud user.

Environment: Debian 8 64-bit, iRedMail-0.9.5-1; system hostname yun.anqun.org; mail domain portal.anqun.org.

Steps:

1. Change the ECS instance's hostname:
hostname yun.anqun.org

2. Change the name in /etc/hostname, in this example: yun

3. Change the fully qualified hostname in /etc/hosts, in this example:
127.0.0.1 yun.anqun.org yun localhost localhost.localdomain

4. Install sudo:
apt-get install sudo

5. Download the current iRedMail package. If it cannot be downloaded from within China (the file is hosted on Amazon), download it through a proxy and upload it:
wget https://bitbucket.org/zhb/iredmail/downloads/iRedMail-0.9.5-1.tar.bz2

6. Unpack the package:
tar xjf iRedMail-0.9.5-1.tar.bz2

7. Change into the package directory:
cd /root/iRedMail-0.9.5-1

8. Set a domestic installation mirror and start the installer:
IREDMAIL_MIRROR='http://173.254.22.21' bash iRedMail.sh

9. iRedMail installer welcome screen

10. Set the mail storage directory; the default /var/vmail can be kept

11. Choose the web server; the default, nginx, can be kept

12. Choose the database that stores the mail accounts; MariaDB can be selected

13. Enter the first mail domain, which must be different from the hostname, portal.anqun.org in this example

14. Set the mail administrator password; in this example the default administrator account is postmaster@portal.anqun.org

15. Choose the other components to install; the defaults can be kept: iRedAdmin (similar to postfixadmin, manages the mail domains through a web browser), Roundcubemail (lets mailbox users send and receive mail in a browser) and Fail2ban

16. Confirm the components and features to be installed

17. You are asked whether to enable the firewall

18. The iRedMail installation finishes and shows the login details. Then reboot the system

19. Because iRedMail installs a self-signed certificate by default, browsers show a warning. Here a free domain certificate is requested from Alibaba Cloud

19. In the Cloud Shield (云盾) console, fill in the CA certificate details, submitting the domain (yun.anqun.org) and personal information

20. If the domain uses Alibaba Cloud DNS, the CNAME record for verification is created automatically

21. Once the certificate has been issued, download the version for nginx from the CA certificate console and upload it to a suitable path, e.g. the certificate to /etc/ssl/certs/yun_anqun_org.pem and the private key to /etc/ssl/private/yun_anqun_org.key. Edit the site configuration file (/etc/nginx/conf.d/00-default.conf) and replace the certificate paths in it:

ssl_certificate /etc/ssl/certs/iRedMail.crt;
ssl_certificate_key /etc/ssl/private/iRedMail.key;


22. Run the following commands so that smtpd also uses the certificate:
postconf -e smtpd_use_tls='yes'
postconf -e smtpd_tls_cert_file='/etc/ssl/certs/yun_anqun_org.pem'
postconf -e smtpd_tls_key_file='/etc/ssl/private/yun_anqun_org.key'

23. Update the certificate settings in the dovecot configuration file /etc/dovecot/dovecot.conf:
ssl_cert = </etc/ssl/certs/yun_anqun_org.pem
ssl_key = </etc/ssl/private/yun_anqun_org.key

24. Restart the postfix and dovecot services:
systemctl restart dovecot.service
systemctl restart postfix.service

25. iRedAdmin login page

26. iRedAdmin admin interface

27. Adding a new mail user in the iRedAdmin admin interface

28. roundcube login page

29. roundcube main interface

30. Thunderbird mail client configuration

31. The mail client can receive mail

32. Mail client sending settings

References: