Setting up an encrypted (HTTPS) web site on CentOS7/RHEL7
Advanced configuration goal:
Run both an encrypted and an unencrypted site on the same web host. Notes: for the basic web site setup, see the first article; for web virtual host setup, see the second article.
Advanced configuration procedure (1): install the encryption module that Apache needs:
# yum -y install mod_ssl openssl
Generate a self-signed certificate.
## Generate the private key
# openssl genrsa -out ca.key 2048
## Generate the CSR
# openssl req -new -key ca.key -out ca.csr
## Generate the self-signed certificate (valid for 365 days)
# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
## Copy the files to the correct locations
# cp ca.crt /etc/pki/tls/certs
# cp ca.key /etc/pki/tls/private/ca.key
# cp ca.csr /etc/pki/tls/private/ca.csr
The private key must remain readable by root only (mode 0600); the certificate and the CSR contain no secrets. Despite the file names, ca.key/ca.crt are a server key and certificate, not a CA.
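The script below is an added example, not part of the original article. It follows the same key, CSR and self-signed certificate sequence, but also keeps the private key at mode 0600 from the moment it is written, adds a subjectAltName (browsers no longer accept a bare CN, even for self-signed certificates) and verifies afterwards that the certificate really belongs to the key. The directory, organisation and host name are assumptions; `-extfile` works with the OpenSSL 1.0.2 shipped in CentOS 7 as well as with current releases.

```shell
#!/bin/sh
# Added example (not from the original article).  Follows the article's
# key -> CSR -> self-signed certificate sequence, but additionally:
#   1. creates the private key with mode 0600 (umask 077 in a subshell),
#   2. adds a subjectAltName, which browsers require even for self-signed
#      certificates (the CN alone is no longer enough),
#   3. checks afterwards that the certificate's public key really belongs
#      to the private key.
# Assumptions: openssl is installed; directory, O= and host name are examples.
set -e

# make_selfsigned DIR HOSTNAME DAYS
make_selfsigned() {
    dir=$1 host=$2 days=$3
    mkdir -p "$dir"
    # subshell so the restrictive umask does not leak into the caller
    ( umask 077 && openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null )
    openssl req -new -key "$dir/ca.key" -out "$dir/ca.csr" \
        -subj "/C=TW/O=Example/CN=$host" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$host" > "$dir/san.ext"
    openssl x509 -req -days "$days" -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/san.ext" -out "$dir/ca.crt" 2>/dev/null
    chmod 644 "$dir/ca.crt"   # the certificate is public; only the key is secret
}

# cert_matches_key DIR -> true if the public key in ca.crt equals the one
# derived from ca.key (a mismatch is a classic "httpd will not start" cause)
cert_matches_key() {
    a=$(openssl x509 -in "$1/ca.crt" -noout -pubkey)
    b=$(openssl pkey -in "$1/ca.key" -pubout)
    [ "$a" = "$b" ]
}

# key_is_private DIR -> true if ca.key has no group/other permission bits
key_is_private() {
    [ "$(ls -l "$1/ca.key" | cut -c5-10)" = "------" ]
}

# cert_has_san DIR HOSTNAME -> true if the certificate carries DNS:HOSTNAME
cert_has_san() {
    openssl x509 -in "$1/ca.crt" -noout -text | grep -q "DNS:$2"
}

# Usage (the article then copies ca.crt to /etc/pki/tls/certs and ca.key to
# /etc/pki/tls/private and points ssl.conf at them):
#   make_selfsigned /tmp/selfsigned www.example.com 365
#   cert_matches_key /tmp/selfsigned && key_is_private /tmp/selfsigned \
#     && cert_has_san /tmp/selfsigned www.example.com && echo "certificate OK"
```

Run the three checks again after copying the files into /etc/pki/tls: a key copied with `cp` keeps its mode, but a key recreated by hand or restored from a backup often does not.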
Installing and configuring an E-mail Server on CentOS7 (4)
Notes:
Advanced configuration procedure:
Additionally install the dovecot-mysql package:
# yum -y install dovecot-mysql
Verify that postfix can talk to mysql and to dovecot: mysql must appear in the list of supported lookup table types, and dovecot in the list of SASL server plugin types:
# postconf -m
# postconf -a
Create the single real (system) user that owns every virtual mailbox, and the directory that holds the mail:
# mkdir -p /var/www/mailbox/vmail
# groupadd -g 5000 vmail
# useradd -g 5000 -u 5000 -s /sbin/nologin -d /var/www/mailbox/vmail vmail
# chown -R vmail:vmail /var/www/mailbox/
# chmod -R 700 /var/www/mailbox/
All mailboxes are read and written as uid/gid 5000; no per-user system accounts are created.
Edit the basic settings in /etc/postfix/main.cf:
# vim /etc/postfix/main.cf
# change the following setting:
mynetworks_style = host
##mynetworks = 127.0.0.0/8, 192.168.100.0/24 <== this line can be commented out
# append the following settings:
## Virtual MailBox #####
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/www/mailbox/vmail
In MySQL, create the tables domain, mailbox, alias and quota2:
# mysql -u root -p
MySQL(none)> create database MailBox;
MySQL(none)> use MailBox;
MySQL(MailBox)> CREATE TABLE domain (
    domain varchar(255) NOT NULL default '',
    description varchar(255) NOT NULL default '',
    aliases int(10) NOT NULL default '0',
    mailboxes int(10) NOT NULL default '0',
    maxquota int(10) NOT NULL default '0',
    transport varchar(255) default NULL,
    backupmx tinyint(1) NOT NULL default '0',
    created datetime NOT NULL default '0000-00-00 00:00:00',
    modified datetime NOT NULL default '0000-00-00 00:00:00',
    active tinyint(1) NOT NULL default '1',
    PRIMARY KEY (domain),
    KEY domain (domain)
) ENGINE=MyISAM COMMENT='Virtual Domains';
MySQL(MailBox)> CREATE TABLE mailbox (
    username varchar(255) NOT NULL default '',
    password varchar(255) NOT NULL default '',
    name varchar(255) NOT NULL default '',
    maildir varchar(255) NOT NULL default '',
    quota int(10) NOT NULL default '0',
    domain varchar(255) NOT NULL default '',
    created datetime NOT NULL default '0000-00-00 00:00:00',
    modified datetime NOT NULL default '0000-00-00 00:00:00',
    active tinyint(1) NOT NULL default '1',
    PRIMARY KEY (username),
    KEY username (username)
) ENGINE=MyISAM COMMENT='Virtual Mailboxes';
MySQL(MailBox)> CREATE TABLE alias (
    address varchar(255) NOT NULL default '',
    goto text NOT NULL,
    domain varchar(255) NOT NULL default '',
    created datetime NOT NULL default '0000-00-00 00:00:00',
    modified datetime NOT NULL default '0000-00-00 00:00:00',
    active tinyint(1) NOT NULL default '1',
    PRIMARY KEY (address),
    KEY address (address)
) ENGINE=MyISAM COMMENT='Virtual Aliases';
MySQL(MailBox)> CREATE TABLE IF NOT EXISTS `quota2` (
    username varchar(100) NOT NULL,
    bytes bigint(20) NOT NULL default '0',
    messages int(11) NOT NULL default '0',
    PRIMARY KEY (`username`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
The '0000-00-00 00:00:00' defaults are accepted by the MariaDB 5.5 that CentOS 7 ships; MySQL 5.7 and later reject them under the default strict sql_mode (NO_ZERO_DATE).
In MySQL, create a user and grant privileges:
MySQL(MailBox)> use mysql;
MySQL(mysql)> CREATE USER 'mailbox'@'localhost' IDENTIFIED BY 'mailbox@123';
MySQL(mysql)> GRANT ALL PRIVILEGES ON MailBox.* TO 'mailbox'@'localhost';
'mailbox@123' is a placeholder: choose a strong password, since it is written in clear text into several postfix and dovecot configuration files below. ALL PRIVILEGES is also more than needed: the Postfix lookups and the Dovecot user/password queries only SELECT from domain, mailbox and alias, and only the Dovecot quota dict needs INSERT, UPDATE and DELETE on quota2.
Connect postfix to mysql:
# vim /etc/postfix/mysql_virtual_alias_maps.cf
user = mailbox
password = mailbox@123
hosts = localhost
dbname = MailBox
query = SELECT goto from alias WHERE address = '%s' AND active = '1'
# vim /etc/postfix/mysql_virtual_domains_maps.cf
user = mailbox
password = mailbox@123
hosts = localhost
dbname = MailBox
query = SELECT domain FROM domain WHERE domain = '%s' AND backupmx = '0' AND active = '1'
# vim /etc/postfix/mysql_virtual_mailbox_maps.cf
user = mailbox
password = mailbox@123
hosts = localhost
dbname = MailBox
query = SELECT maildir FROM mailbox WHERE username = '%s' AND active = '1'
These files contain the database password, so make them readable only by root and the postfix group (owner root:postfix, mode 0640). The %s placeholder is SQL-quoted by Postfix before it is substituted, so a crafted recipient address cannot change the query.
Set the mailbox size limit:
# vim /etc/postfix/main.cf
# append the following lines
virtual_create_maildirsize = yes
virtual_maildir_extended = yes
virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
virtual_mailbox_limit_override = yes
virtual_maildir_limit_message = "The user you are trying to reach is over quota."
virtual_overquota_bounce = yes
Note: these six parameters belong to the Postfix VDA (Virtual Delivery Agent) patch, not to stock Postfix; the unpatched CentOS 7 postfix package only logs them as unused parameters. Once virtual_transport is switched to dovecot later in this article, delivery and quota enforcement are done by dovecot-lda and the Dovecot quota plugin anyway.
Set the contents of the corresponding file /etc/postfix/mysql_virtual_mailbox_limit_maps.cf:
user = mailbox
password = mailbox@123
hosts = localhost
dbname = MailBox
table = mailbox
select_field = quota
where_field = username
additional_conditions = and active = '1'
Edit /etc/dovecot/dovecot.conf:
# vim /etc/dovecot/dovecot.conf
protocols = imap pop3 lmtp
Edit /etc/dovecot/conf.d/10-auth.conf:
# vim /etc/dovecot/conf.d/10-auth.conf
disable_plaintext_auth = no
Note: "no" lets clients send passwords in clear text over unencrypted connections. The safer setting is "yes": Dovecot then accepts PLAIN/LOGIN only over TLS, or from the local host, which it treats as secure, so the telnet test at the end of this article still works.
Edit /etc/dovecot/conf.d/10-mail.conf:
# vim /etc/dovecot/conf.d/10-mail.conf
mail_location = Maildir:/var/www/mailbox/vmail/%d/%n
namespace {
  type = private
  separator = .
  prefix = INBOX.
  inbox = yes
  hidden = no
}
Set up quota for pop3 and imap:
# vim /etc/dovecot/conf.d/10-mail.conf
mail_plugins = $mail_plugins quota
# vim /etc/dovecot/conf.d/20-imap.conf   (inside the protocol imap { } block)
mail_plugins = $mail_plugins imap_quota
# vim /etc/dovecot/conf.d/20-pop3.conf   (inside the protocol pop3 { } block)
pop3_uidl_format = %08Xu%08Xv
mail_plugins = $mail_plugins quota
# vim /etc/dovecot/conf.d/15-lda.conf
postmaster_address = postmaster@localhost
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
protocol lda {
  mail_plugins = $mail_plugins quota
}
# vim /etc/dovecot/conf.d/90-quota.conf
dict {
  quotadict = mysql:/etc/dovecot/dovecot-dict-quota.conf
}
plugin {
  quota = dict:user::proxy::quotadict
}
# vim /etc/dovecot/dovecot-dict-quota.conf
connect = host=localhost dbname=MailBox user=mailbox password=mailbox@123
map {
  pattern = priv/quota/storage
  table = quota2
  username_field = username
  value_field = bytes
}
map {
  pattern = priv/quota/messages
  table = quota2
  username_field = username
  value_field = messages
}
Add the cram-md5 mechanism:
# vim /etc/dovecot/conf.d/10-auth.conf
#auth default {
auth_mechanisms = plain login cram-md5
#}
Note: CRAM-MD5 can only be offered when Dovecot can obtain the clear-text password (PLAIN scheme) or a hash stored in the CRAM-MD5 scheme; it cannot be combined with one-way hashes such as SHA512-CRYPT.
Set the dovecot account database:
# vim /etc/dovecot/conf.d/10-auth.conf
!include auth-sql.conf.ext
# vim /etc/dovecot/conf.d/auth-sql.conf.ext
### uncomment
userdb {
  driver = prefetch
}
Make the real, single user vmail the owner of the auth and dict sockets (dovecot-lda runs as vmail and must reach them):
# vim /etc/dovecot/conf.d/10-master.conf
### uncomment
service auth {
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
    group = vmail
  }
}
service dict {
  unix_listener dict {
    mode = 0600
    user = vmail
    group = vmail
  }
}
Write the dovecot-to-mysql configuration file:
# vim /etc/dovecot/dovecot-sql.conf.ext
driver = mysql
connect = host=localhost dbname=MailBox user=mailbox password=mailbox@123
#default_pass_scheme = CRAM-MD5
default_pass_scheme = PLAIN
user_query = SELECT CONCAT('/var/www/mailbox/vmail/',domain,'/',name) AS home, 5000 AS uid, \
  5000 AS gid, CONCAT('*:bytes=', quota) as quota_rule FROM mailbox WHERE username = '%u' AND active='1'
password_query = SELECT username AS user, password, CONCAT('/var/www/mailbox/vmail/',domain,'/',name) \
  AS userdb_home, 5000 AS userdb_uid, 5000 AS userdb_gid, CONCAT('*:bytes=', quota) as userdb_quota_rule \
  FROM mailbox WHERE username = '%u' AND active='1'
Notes: with default_pass_scheme = PLAIN the mailbox.password column holds clear-text passwords, so anyone who can read the table (or this file, which also carries the database password and should be mode 0600, owner root) gets every account. The home directory is built from the mailbox.name column, while mail_location above uses %d/%n (the local part of the address); the two only agree if name holds the local part.
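The following shell script is an added example and not part of the original article. It replaces the clear-text PLAIN scheme with salted SHA512-CRYPT hashes in the mailbox.password column and shows the check Dovecot performs against such a hash: the hash is recomputed with the salt taken from the stored value and compared, nothing is ever "decrypted". It uses `openssl passwd -6` (OpenSSL 1.1.1 or later) as a stand-in for `doveadm pw -s SHA512-CRYPT -p PASSWORD`, which on CentOS 7 produces the same crypt(3) `$6$salt$hash` format; the UPDATE statement it prints is an assumed way of writing the value into the article's mailbox table.

```shell
#!/bin/sh
# Added example (not from the original article).  The article keeps
# default_pass_scheme = PLAIN, i.e. mailbox.password holds clear text.
# This script produces a salted SHA512-CRYPT value to store instead, and
# verify_password shows the check Dovecot performs for that scheme.
# Assumptions: "openssl passwd -6" (OpenSSL >= 1.1.1) stands in for
# "doveadm pw -s SHA512-CRYPT -p PASSWORD" (same $6$salt$hash format); the
# SQL printed by sql_set_password is an assumed way to update the article's
# mailbox table.
set -e

# hash_password PASSWORD -> value to store, with the scheme prefix that lets
# Dovecot pick the right algorithm regardless of default_pass_scheme
hash_password() {
    printf '{SHA512-CRYPT}%s\n' "$(printf '%s\n' "$1" | openssl passwd -6 -stdin)"
}

# verify_password PASSWORD STORED -> true if PASSWORD matches STORED.
# Like Dovecot, re-run the hash with the salt taken from the stored value
# and compare the results; the stored hash is never reversed.
verify_password() {
    case "$2" in
        '{SHA512-CRYPT}$6$'*) ;;
        *) return 1 ;;                       # not a SHA512-CRYPT value
    esac
    crypted=$(printf '%s' "$2" | sed 's/^{SHA512-CRYPT}//')
    salt=$(printf '%s' "$crypted" | cut -d'$' -f3)    # $6$<salt>$<hash>
    recomputed=$(printf '%s\n' "$1" | openssl passwd -6 -salt "$salt" -stdin)
    [ "$recomputed" = "$crypted" ]
}

# sql_set_password USERNAME PASSWORD -> UPDATE statement for the mailbox table
sql_set_password() {
    printf "UPDATE mailbox SET password='%s' WHERE username='%s';\n" \
        "$(hash_password "$2")" "$1"
}

# Usage:
#   sql_set_password test@example.com 'mailbox@123' | mysql -u mailbox -p MailBox
# Because each stored value carries its {SHA512-CRYPT} prefix, rows can be
# migrated one at a time while default_pass_scheme is still PLAIN; once every
# row is hashed, set default_pass_scheme = SHA512-CRYPT in dovecot-sql.conf.ext.
```

Hashed storage means the cram-md5 mechanism added earlier can no longer be offered (it needs the clear-text password on the server side); with PLAIN and LOGIN restricted to TLS by disable_plaintext_auth = yes, that is the usual trade-off.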
Hand delivery from postfix to dovecot:
# vim /etc/postfix/main.cf
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
# vim /etc/postfix/master.cf
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/dovecot-lda -f ${sender} -d ${recipient}
Restart dovecot and check for errors:
# systemctl restart dovecot
Set up SASL so that postfix can use smtp-auth:
# vim /etc/dovecot/conf.d/10-master.conf
unix_listener /var/spool/postfix/private/auth {
  mode = 0666
  user = postfix
  group = postfix
}
(This listener goes inside the service auth { } block. Because the socket is owned by postfix:postfix, mode 0660 is sufficient.)
Edit /etc/postfix/main.cf:
# vim /etc/postfix/main.cf
## append the following items:
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl2_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain =
Notes: dovecot_destination_recipient_limit was already added in the previous step and only needs to appear once. smtpd_sasl2_auth_enable is not a Postfix parameter (postfix logs it as an unused parameter) and can be dropped. With only "noanonymous", the plain-text mechanisms are offered on unencrypted connections as well; add "noplaintext" here and keep "noanonymous" in smtpd_sasl_tls_security_options, or set smtpd_tls_auth_only = yes, once TLS is configured on Postfix.
## change the following item so that SASL-authenticated clients (checked against MySQL through Dovecot) may relay:
smtpd_recipient_restrictions = permit_sasl_authenticated, ... (rest omitted)
Restart the Postfix and dovecot services:
# systemctl restart postfix
# systemctl restart dovecot
Configure SELinux:
# yum install setroubleshoot*
# grep dovecot /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Note: audit2allow turns every matching denial in the log into an allow rule, so read the generated mypol.te before loading it. Most of the denials here stem from keeping the mailboxes under /var/www, which the default policy labels as web content (httpd_sys_content_t); a dedicated directory with a suitable file context needs far fewer exceptions.
Test:
# systemctl restart postfix
# postmap -q test@example.com mysql:/etc/postfix/mysql_virtual_alias_maps.cf
Check and verify:
# mail -s "first test" test@example.com
(then type the following body:)
Hello World.
.
(the line containing only a single dot must be typed; it ends the message)
# mailq
# less /var/log/maillog
# postmap -q test@example.com mysql:/etc/postfix/mysql_virtual_alias_maps.cf
How to check imap:
# telnet localhost imap
a1 LOGIN <username> <password>
a2 LIST "" "*"
a3 EXAMINE INBOX
a4 FETCH 1 BODY[]
a5 LOGOUT
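The article tests IMAP but not the SMTP AUTH that the smtpd_sasl_* settings enable. The script below is an added example, not from the original article: it builds the credentials exactly as a mail client sends them (AUTH PLAIN is one base64 string of NUL, user, NUL, password; AUTH LOGIN is two separate base64 replies) and prints a complete client-side session to paste into an `openssl s_client -starttls smtp` connection, so the password is not sent in the clear. The account, password and host name are assumptions, and it presumes Postfix already has TLS enabled (smtpd_tls_security_level = may and a certificate, which this page does not show); without TLS the same lines work over plain telnet but then expose the password.

```shell
#!/bin/sh
# Added example (not from the original article): exercise the SMTP AUTH that
# the smtpd_sasl_* settings enable.  AUTH PLAIN sends base64(NUL user NUL pass)
# in one line; AUTH LOGIN sends base64(user) and base64(pass) as two replies.
# Account, password and host below are assumptions for illustration.
set -e

# auth_plain_token USER PASSWORD -> the single base64 argument for "AUTH PLAIN"
auth_plain_token() {
    printf '\0%s\0%s' "$1" "$2" | base64 | tr -d '\n'
}

# auth_login_token STRING -> base64 of one AUTH LOGIN reply (user or password)
auth_login_token() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# smtp_auth_session USER PASSWORD FROM TO -> the client side of a test session;
# paste it line by line into:
#   openssl s_client -starttls smtp -crlf -connect mail.example.com:25
smtp_auth_session() {
    printf 'EHLO test.client\n'
    printf 'AUTH PLAIN %s\n' "$(auth_plain_token "$1" "$2")"
    printf 'MAIL FROM:<%s>\n' "$3"
    printf 'RCPT TO:<%s>\n' "$4"
    printf 'DATA\n'
    printf 'Subject: smtp auth test\n\nHello World.\n.\n'   # "." alone ends DATA
    printf 'QUIT\n'
}

# Usage (assumed account and host):
#   smtp_auth_session test@example.com 'mailbox@123' test@example.com test@example.com
# Expected server replies: "235 2.7.0 Authentication successful" after the AUTH
# line and "250 2.0.0 Ok: queued as ..." after the final ".".  A "530 5.7.0 Must
# issue a STARTTLS command first" means smtpd_tls_auth_only is on (good) and you
# forgot -starttls; a "535 5.7.8" means Dovecot rejected the credentials, so
# check the password_query and the private/auth socket permissions.
```

Repeat the test without `-starttls` (plain `telnet mail.example.com 25`): if the server still advertises AUTH in its EHLO reply, plain-text authentication is reachable over an unencrypted session and the smtpd_sasl_security_options / smtpd_tls_auth_only notes above apply.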
Supplementary note: resolving the SELinux problems:
# grep imap /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
# grep dovecot-lda /var/log/audit/audit.log | audit2allow -M lda
# semodule -i lda.pp
(Re-using the module name mypol replaces the module loaded earlier; as before, review each generated .te file before running semodule -i.)