
Installing an enterprise-grade, full-featured mail server on CentOS 5.3

I recently set up a full-featured mail server for a company. Its main components are:

  • Postfix
  • MailScanner
  • Spamassassin
  • ClamAV
  • Saslauthd
  • Cyrus-Imapd
  • SquirrelMail

In the spirit of "a good memory is no match for a written note", I am recording the installation and configuration steps here for future reference.

Installing the operating system

The server is a Dell 2950. Dell's bundled installation boot disc has no CentOS option, so the machine was booted and installed directly from the CentOS 5.3 installation disc.
The installation itself is straightforward: essentially the defaults, with the basic server profile selected.

Installing and configuring the DNS server

The DNS server acts as a local caching resolver, speeding up DNS lookups.

yum install bind

Because BIND runs chrooted by default, the configuration files live under /var/named/chroot/etc. The main additions to named.conf are the root servers and the zones that are resolved locally, as follows:

/*      
Serving the following zones locally will prevent any queries
for these zones leaving your network and going to the root
name servers.  This has two significant advantages:
1. Faster local resolution for your users
2. No spurious traffic will be sent from your network to the roots
*/
// RFC 1912
zone "localhost"        { type master; file "master/localhost-forward.db"; };
zone "127.in-addr.arpa" { type master; file "master/localhost-reverse.db"; };
zone "255.in-addr.arpa" { type master; file "master/empty.db"; };
// RFC 1912-style zone for IPv6 localhost address
zone "0.ip6.arpa"       { type master; file "master/localhost-reverse.db"; };
// "This" Network (RFCs 1912 and 3330)
zone "0.in-addr.arpa"           { type master; file "master/empty.db"; };
// Private Use Networks (RFC 1918)
zone "10.in-addr.arpa"          { type master; file "master/empty.db"; };
zone "16.172.in-addr.arpa"      { type master; file "master/empty.db"; };
zone "17.172.in-addr.arpa"      { type master; file "master/empty.db"; };
zone "18.172.in-addr.arpa"      { type master; file "master/empty.db"; };
zone "19.172.in-addr.arpa"      { type master; file "master/empty.db"; };
zone "20.172.in-addr.arpa"      { type master; file "master/empty.db"; };
zone "21.172.in-addr.arpa"      { type master; file "master/empty.db"; };
zone "22.172.in-addr.arpa"      { type master; file "master/empty.db"; };
zone "23.172.in-addr.arpa"      { type master; file "master/empty.db"; };
zone "24.172.in-addr.arpa"      { type master; file "master/empty.db"; };
zone "25.172.in-addr.arpa"      { type master; file "master/empty.db"; };
zone "26.172.in-addr.arpa"      { type master; file "master/empty.db"; };
zone "27.172.in-addr.arpa"      { type master; file "master/empty.db"; };
zone "28.172.in-addr.arpa"      { type master; file "master/empty.db"; };
zone "29.172.in-addr.arpa"      { type master; file "master/empty.db"; };
zone "30.172.in-addr.arpa"      { type master; file "master/empty.db"; };
zone "31.172.in-addr.arpa"      { type master; file "master/empty.db"; };
zone "168.192.in-addr.arpa"     { type master; file "master/empty.db"; };
// Link-local/APIPA (RFCs 3330 and 3927)
zone "254.169.in-addr.arpa"     { type master; file "master/empty.db"; };
// TEST-NET for Documentation (RFC 3330)
zone "2.0.192.in-addr.arpa"     { type master; file "master/empty.db"; };
// Router Benchmark Testing (RFC 3330)
zone "18.198.in-addr.arpa"      { type master; file "master/empty.db"; };
zone "19.198.in-addr.arpa"      { type master; file "master/empty.db"; };
// IANA Reserved - Old Class E Space
zone "240.in-addr.arpa"         { type master; file "master/empty.db"; };
zone "241.in-addr.arpa"         { type master; file "master/empty.db"; };
zone "242.in-addr.arpa"         { type master; file "master/empty.db"; };
zone "243.in-addr.arpa"         { type master; file "master/empty.db"; };
zone "244.in-addr.arpa"         { type master; file "master/empty.db"; };
zone "245.in-addr.arpa"         { type master; file "master/empty.db"; };
zone "246.in-addr.arpa"         { type master; file "master/empty.db"; };
zone "247.in-addr.arpa"         { type master; file "master/empty.db"; };
zone "248.in-addr.arpa"         { type master; file "master/empty.db"; };
zone "249.in-addr.arpa"         { type master; file "master/empty.db"; };
zone "250.in-addr.arpa"         { type master; file "master/empty.db"; };
zone "251.in-addr.arpa"         { type master; file "master/empty.db"; };
zone "252.in-addr.arpa"         { type master; file "master/empty.db"; };
zone "253.in-addr.arpa"         { type master; file "master/empty.db"; };
zone "254.in-addr.arpa"         { type master; file "master/empty.db"; };
// IPv6 Unassigned Addresses (RFC 4291)
zone "1.ip6.arpa"               { type master; file "master/empty.db"; };
zone "3.ip6.arpa"               { type master; file "master/empty.db"; };
zone "4.ip6.arpa"               { type master; file "master/empty.db"; };
zone "5.ip6.arpa"               { type master; file "master/empty.db"; };
zone "6.ip6.arpa"               { type master; file "master/empty.db"; };
zone "7.ip6.arpa"               { type master; file "master/empty.db"; };
zone "8.ip6.arpa"               { type master; file "master/empty.db"; };
zone "9.ip6.arpa"               { type master; file "master/empty.db"; };
zone "a.ip6.arpa"               { type master; file "master/empty.db"; };
zone "b.ip6.arpa"               { type master; file "master/empty.db"; };
zone "c.ip6.arpa"               { type master; file "master/empty.db"; };
zone "d.ip6.arpa"               { type master; file "master/empty.db"; };
zone "e.ip6.arpa"               { type master; file "master/empty.db"; };
zone "0.f.ip6.arpa"             { type master; file "master/empty.db"; };
zone "1.f.ip6.arpa"             { type master; file "master/empty.db"; };
zone "2.f.ip6.arpa"             { type master; file "master/empty.db"; };
zone "3.f.ip6.arpa"             { type master; file "master/empty.db"; };
zone "4.f.ip6.arpa"             { type master; file "master/empty.db"; };
zone "5.f.ip6.arpa"             { type master; file "master/empty.db"; };
zone "6.f.ip6.arpa"             { type master; file "master/empty.db"; };
zone "7.f.ip6.arpa"             { type master; file "master/empty.db"; };
zone "8.f.ip6.arpa"             { type master; file "master/empty.db"; };
zone "9.f.ip6.arpa"             { type master; file "master/empty.db"; };
zone "a.f.ip6.arpa"             { type master; file "master/empty.db"; };
zone "b.f.ip6.arpa"             { type master; file "master/empty.db"; };
zone "0.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
zone "1.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
zone "2.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
zone "3.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
zone "4.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
zone "5.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
zone "6.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
zone "7.e.f.ip6.arpa"           { type master; file "master/empty.db"; };

Add the following to /etc/resolv.conf so that the local DNS server is the first resolver queried.

nameserver 127.0.0.1
search localhost
Make sure these lines appear at the very beginning of resolv.conf.

Installing and configuring LDAP

A yum install is all it takes.

yum install openldap-servers
yum install openldap-clients

Edit /etc/openldap/slapd.conf:

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/slapd.acl
index nisMapName,nisMapEntry eq,pres,sub
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uid,memberUid eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
rootdn "cn=Manager,dc=localhost,dc=localdomain,dc=com"
rootpw secret
suffix "dc=localhost,dc=localdomain,dc=com"

Installing OpenSSL

OpenSSL provides the encrypted channels for SMTP, IMAP and POP3. Installation is trivial: just yum install.

yum install openssl

The certificate for the SMTP server can be generated with the following commands:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Installing the Cyrus SASL authentication software

The SMTP server naturally needs authentication. Authentication is done through the SASL library, and SASL in turn verifies user identities against the saslauthd daemon.

yum install cyrus-sasl
yum install cyrus-sasl-plain
yum install cyrus-sasl-lib

The saslauthd configuration file is /etc/saslauthd.conf; it mainly needs the LDAP server details, as follows:

ldap_servers: ldap://localhost/
ldap_bind_dn: cn=Manager,dc=localhost,dc=localdomain,dc=com
ldap_bind_pw: secret
ldap_search_base: dc=localhost,dc=localdomain,dc=com

Installing and configuring Postfix

Postfix is the core of the whole system, but installing it is easy: a plain yum install is enough.

yum install postfix

To build from source instead, compile with OpenLDAP, SASL2, VDA, TLS, PCRE and BDB support.

The configuration file is /etc/postfix/main.cf. A configuration with SASL authentication and TLS tunnelling enabled looks like this:

queue_directory = /var/spool/postfix
command_directory = /sbin
daemon_directory = /libexec/postfix
data_directory = /var/db/postfix
mail_owner = postfix
myhostname = mail1.localhost.localdomain.com
mydomain = localdomain.com
myorigin = $mydomain
mydestination = $myhostname, $mydomain
unknown_local_recipient_reject_code = 550
mynetworks_style = subnet
smtpd_banner = $myhostname ESMTP $mail_name
debug_peer_level = 3
debugger_command =
    PATH=/bin:/usr/bin:/bin:/usr/X11R6/bin
    xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /sbin/sendmail
newaliases_path = /bin/newaliases
mailq_path = /bin/mailq
setgid_group = maildrop
html_directory = no
manpage_directory = /man
sample_directory = /etc/postfix
readme_directory = no
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks
    permit_sasl_authenticated
    reject
smtpd_client_restrictions = permit_sasl_authenticated
    reject_unauth_destination
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
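
Since Postfix treats a whitespace-led line as a continuation of the previous parameter, and a misspelled restriction keyword is only noticed at run time, the following added example (not Postfix code and not part of the original post) parses a main.cf the way Postfix reads it and lints the settings this setup depends on. The excerpt it checks is constructed from the main.cf above with two defects planted in it (the restriction name permit_mynetwork instead of permit_mynetworks, and plaintext AUTH left allowed without TLS); the set of known restriction keywords is a partial list of real Postfix keywords.

```python
# Added example (not Postfix code): read main.cf as Postfix does and lint it.

# Constructed excerpt modelled on the article's main.cf, with two planted defects:
# a misspelled restriction name and plaintext SASL AUTH allowed without TLS.
SAMPLE_MAIN_CF = """\
myhostname = mail1.localhost.localdomain.com
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_mynetwork
    permit_sasl_authenticated
    reject
smtpd_tls_auth_only = no
smtpd_use_tls = yes
"""

# Real Postfix restriction keywords (partial list, enough for this excerpt).
KNOWN_RESTRICTIONS = {
    "permit", "reject", "permit_mynetworks", "permit_sasl_authenticated",
    "reject_unauth_destination", "reject_non_fqdn_recipient",
    "reject_unknown_recipient_domain", "check_client_access", "check_recipient_access",
}

def parse_main_cf(text):
    """Return {parameter: value}; a whitespace-led line continues the previous value."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and current is not None:
            params[current] += " " + line.strip()
            continue
        key, _, value = line.partition("=")
        current = key.strip()
        params[current] = value.strip()
    return params

def lint(params):
    """Return findings as strings; an empty list means the excerpt passes."""
    findings = []
    words = params.get("smtpd_recipient_restrictions", "").split()
    for word in words:
        if word.split(":")[0] not in KNOWN_RESTRICTIONS:  # strip check_*_access:type:table
            findings.append(f"unknown restriction {word!r}: Postfix warns and defers mail")
    if not {"reject", "reject_unauth_destination"} & set(words):
        findings.append("smtpd_recipient_restrictions never blocks relaying (open relay risk)")
    if params.get("smtpd_sasl_auth_enable") == "yes":
        opts = params.get("smtpd_sasl_security_options", "").replace(",", " ").split()
        if params.get("smtpd_tls_auth_only") != "yes" and "noplaintext" not in opts:
            findings.append("smtpd_tls_auth_only != yes without noplaintext: AUTH may be cleartext")
    return findings
```

Running lint(parse_main_cf(SAMPLE_MAIN_CF)) reports the misspelled restriction and the cleartext AUTH exposure; with permit_mynetworks and smtpd_tls_auth_only = yes the excerpt passes cleanly.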

Because Postfix calls the SASL2 library for user authentication, the SASL2 configuration must be changed so that it uses saslauthd. The file is /usr/lib64/sasl2/smtpd.conf:

pwcheck_method: saslauthd
mech_list: login plain

Installing and configuring Cyrus IMAPd

This is what handles mail retrieval; it supports POP3, IMAP, POP3S and IMAPS.

yum install cyrus-imapd

The configuration file is /etc/imapd.conf; the main parameters to set are:

configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail.postfix
hashimapspool: true
sasl_pwcheck_method: saslauthd
sasl_ldap_servers: localhost
sasl_ldap_bind_dn: cn=Manager,dc=localhost,dc=localdomain,dc=com
sasl_ldap_bind_pw: secret
sasl_mech_list: PLAIN
tls_ca_file: /etc/pki/cyrus-imapd/server.pem
tls_cert_file: /etc/pki/cyrus-imapd/server.pem
tls_key_file: /etc/pki/cyrus-imapd/server.pem
autocreatequota: -1
createonpost: yes
allowanonymouslogin: no
altnamespace: no
servername: mail.localhost.localdomain.com

The certificate file used here can be generated the same way as the SMTP certificate, except that key and certificate must be concatenated (cat) into a single file.

IMAP likewise uses saslauthd to authenticate clients, and an encrypted channel has been added, so clients can transfer mail over an encrypted connection, keeping message contents confidential.

Installing Apache and PHP

Apache provides the HTTP service and PHP is the most popular web programming language; both can be installed with yum.

yum install httpd
yum install php
yum install php-mbstring
yum install php-ldap
yum install php-common

The Apache configuration can be left essentially untouched; if anything, change only ServerName. The file is /etc/httpd/conf/httpd.conf:

ServerName mail.localhost.localdomain.com

The PHP configuration can also be left alone; if anything, change only upload_max_filesize. The file is /etc/php.ini:

upload_max_filesize = 10M

Installing SquirrelMail

SquirrelMail works well with an IMAP mail server. The bundled version is rather old, so download the latest release from the official site and extract it straight into /usr/share/. Remember to extract the all_locales and decode packages as well, so that Simplified Chinese mail displays correctly under a Traditional Chinese interface.

tar xzvf squirrelmail-1.4.17.tar.gz -C /usr/share
tar xzvf all_locales-1.4.13-20071220.tar.gz -C /usr/share/squirrelmail-1.4.17
tar xzvf change_ldappass-2.2-1.4.0.tar.gz -C /usr/share/squirrelmail-1.4.17/plugins/
tar xzvf squirrelmail-decode-1.2.tar.gz
cd squirrelmail-decode-1.2
./install

Starting from the default configuration, the main changes are:

$squirrelmail_default_language = 'zh_CN';
$default_charset = 'UTF-8';

These two settings add support for multiple language encodings.

A plugin, change_ldappass, was also added; it lets users change their own passwords on the LDAP server. Its configuration is in config.php in the plugin's directory; add the following to enable LDAP password changes:

$ldap_server = '127.0.0.1';
$ldap_user_field = 'uid';
$ldap_base_dn = 'dc=localhost,dc=localdomain,dc=com';
$ldap_password_field = 'userPassword';
$query_dn = 'cn=Manager,dc=localhost,dc=localdomain,dc=com';
$query_pw = 'secret';

Mail filtering

The mail filtering stack is SpamAssassin + ClamAV + MailScanner. Installation and configuration:

Installing ClamAV

The bundled ClamAV is rather old; uninstall it, download the latest version from the official site and install that.

rpm -ivh clamav-0.95.1-2.el5.rf.x86_64.rpm
rpm -ivh clamav-db-0.95.1-2.el5.rf.x86_64.rpm
rpm -ivh clamd-0.95.1-2.el5.rf.x86_64.rpm

The configuration files need no changes.

Installing SpamAssassin

A single yum install is enough.

yum install spamassassin

Installing MailScanner

MailScanner must be downloaded from the official site; after extracting it, simply run install.sh.

tar xzvf MailScanner-4.75.11-1.rpm.tar.gz
cd MailScanner-4.75.11-1
./install.sh

After installation the configuration file is /etc/MailScanner/MailScanner.conf. The main parameters to change:

%org-name% = localdomain
%org-long-name% = localhost.localdomain
MTA = postfix
Sendmail = /usr/sbin/sendmail.postfix
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
Quarantine User = postfix
Quarantine Group = postfix
Virus Scanners = clamd

MailScanner watches Postfix's hold queue, so incoming mail must first be placed on hold for MailScanner to filter it. That requires one change to the Postfix configuration file main.cf:

header_checks = regexp:/etc/postfix/header_checks

You also need to create /etc/postfix/header_checks with the following as its first line:

/^Received:/    HOLD

Adjusting the operating system

With all the required software installed, the operating system must be adjusted so that every service starts automatically at boot. The chkconfig command does this:

chkconfig MailScanner on
chkconfig clamd on
chkconfig cyrus-imapd on
chkconfig httpd on
chkconfig ldap on
chkconfig named on
chkconfig postfix off
chkconfig saslauthd on
chkconfig sendmail off
chkconfig spamassassin on

MailScanner starts Postfix itself, so Postfix does not need to be started at boot. Since Postfix is used, Sendmail must be disabled as well.

If the system misbehaves in inexplicable ways, SELinux may be the cause; disabling it settles that once and for all. The configuration file is /etc/selinux/config:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=disabled

After a reboot, everything should work.

posted on 2009-05-06 17:09 by Scripts, category: Email
