2016年5月9日 星期一

05/09/2016 pt4

在 CentOS7/RHEL7 上設定 Web 連線加密站台
進階設定目標: 

在同一 Web 主機上,設置加密與不加密兩類網站!
注意事項: 
基本 Web 站台設定,請參考這一篇文章!
Web 虛擬主機設定,請參考第二篇文章!

進階設定流程(一):
安裝 Apache 所需要的加密模組:
#yum -y install mod_ssl openssl
產生一張自我簽署的憑證
## 產生私鑰
#openssl genrsa -out ca.key 2048

## 產生 CSR
#openssl req -new -key ca.key -out ca.csr

## 產生自我簽署的憑證 (以 ca.key 對 ca.csr 簽署,輸出 ca.crt)
#openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

## 複製檔案至正確位置
#cp ca.crt /etc/pki/tls/certs
#cp ca.key /etc/pki/tls/private/ca.key
#cp ca.csr /etc/pki/tls/private/ca.csr

05/09/2016 pt3

在 CentOS7上安裝設定 E-mail Server(四)


注意事項: 
進階設定流程: 
追加安裝 dovecot-mysql 套件:

#yum -y install dovecot-mysql
驗證 postfix 是否支援 mysql 查詢表 (postconf -m) 以及 dovecot SASL 驗證外掛 (postconf -a):
#postconf -m
#postconf -a

建立一個真實使用者以及放置郵件目錄:
#mkdir -p /var/www/mailbox/vmail
#groupadd -g 5000 vmail
#useradd -g 5000 -u 5000 -s /sbin/nologin -d /var/www/mailbox/vmail vmail
#chown -R vmail:vmail /var/www/mailbox/
#chmod -R 700 /var/www/mailbox/

修改 /etc/postfix/main.cf 基本設定:
#vim /etc/postfix/main.cf
#修改下列設定:
mynetworks_style = host
##mynetworks = 127.0.0.0/8, 192.168.100.0/24 <== 可註解該行

#追加下列設定:
## Virtual MailBox #####
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/www/mailbox/vmail

在 MySQL 中,建立資料表 domain, mailbox, alias, quota2:
#mysql -u root -p
MySQL(none)>create database MailBox;
MySQL(none)>use MailBox;
MySQL(MailBox)>CREATE TABLE domain (
>domain varchar(255) NOT NULL default '',
>description varchar(255) NOT NULL default '',
>aliases int(10) NOT NULL default '0',
>mailboxes int(10) NOT NULL default '0',
>maxquota int(10) NOT NULL default '0',
>transport varchar(255) default NULL,
>backupmx tinyint(1) NOT NULL default '0',
>created datetime NOT NULL default '0000-00-00 00:00:00',
>modified datetime NOT NULL default '0000-00-00 00:00:00',
>active tinyint(1) NOT NULL default '1',
>PRIMARY KEY (domain),
>KEY domain (domain)
>)ENGINE=MyISAM COMMENT='Virtual Domains';

MySQL(MailBox)>CREATE TABLE mailbox (
>username varchar(255) NOT NULL default '',
>password varchar(255) NOT NULL default '',
>name varchar(255) NOT NULL default '',
>maildir varchar(255) NOT NULL default '',
>quota int(10) NOT NULL default '0',
>domain varchar(255) NOT NULL default '',
>created datetime NOT NULL default '0000-00-00 00:00:00',
>modified datetime NOT NULL default '0000-00-00 00:00:00',
>active tinyint(1) NOT NULL default '1',
>PRIMARY KEY (username),
>KEY username (username)
>)ENGINE=MyISAM COMMENT='Virtual Mailboxes';

MySQL(MailBox)>CREATE TABLE alias (
>address varchar(255) NOT NULL default '',
>goto text NOT NULL,
>domain varchar(255) NOT NULL default '',
>created datetime NOT NULL default '0000-00-00 00:00:00',
>modified datetime NOT NULL default '0000-00-00 00:00:00',
>active tinyint(1) NOT NULL default '1',
>PRIMARY KEY (address),
>KEY address (address)
>)ENGINE=MyISAM COMMENT='Virtual Aliases';

MySQL(MailBox)>CREATE TABLE IF NOT EXISTS `quota2` (
>username varchar(100) NOT NULL,
>bytes bigint(20) NOT NULL default '0',
>messages int(11) NOT NULL default '0',
>PRIMARY KEY (`username`)
>)ENGINE=MyISAM DEFAULT CHARSET=latin1;

在 MySQL 中,新增使用者,並且授權:
MySQL(MailBox)>use mysql;
>CREATE USER 'mailbox'@'localhost' IDENTIFIED BY 'mailbox@123';
>GRANT ALL PRIVILEGES ON MailBox.* TO 'mailbox'@'localhost';

將 postfix 連上 mysql :
#vim /etc/postfix/mysql_virtual_alias_maps.cf
user = mailbox
password = mailbox@123
hosts = localhost
dbname = MailBox
query = SELECT goto from alias WHERE address = '%s' AND active = '1'

#vim /etc/postfix/mysql_virtual_domains_maps.cf
user = mailbox
password = mailbox@123
hosts = localhost
dbname = MailBox
query = SELECT domain FROM domain WHERE domain = '%s' AND backupmx = '0' AND active = '1'

#vim /etc/postfix/mysql_virtual_mailbox_maps.cf
user = mailbox
password = mailbox@123
hosts = localhost
dbname = MailBox
query = SELECT maildir FROM mailbox WHERE username = '%s' AND active = '1'

設定 mailbox 大小:
# vim /etc/postfix/main.cf
#追加下列幾行
virtual_create_maildirsize = yes
virtual_maildir_extended = yes
virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
virtual_mailbox_limit_override = yes
virtual_maildir_limit_message = "The user you are trying to reach is over quota."
virtual_overquota_bounce = yes

設定相對應檔案內容/etc/postfix/mysql_virtual_mailbox_limit_maps.cf:
user = mailbox
password = mailbox@123
hosts = localhost
dbname = MailBox
table = mailbox
select_field = quota
where_field = username
additional_conditions = and active = '1'

修改 /etc/dovecot/dovecot.conf 檔案內容:
# vim /etc/dovecot/dovecot.conf
protocols = imap pop3 lmtp

修改 /etc/dovecot/conf.d/10-auth.conf 檔案內容 (disable_plaintext_auth = no 會允許未加密連線上的明文驗證,建議僅在測試或已有 SSL/TLS 時使用):
# vim /etc/dovecot/conf.d/10-auth.conf
disable_plaintext_auth = no

修改 /etc/dovecot/conf.d/10-mail.conf 檔案內容:
# vim /etc/dovecot/conf.d/10-mail.conf
mail_location = Maildir:/var/www/mailbox/vmail/%d/%n
namespace {
type = private
separator = .
prefix = INBOX.
inbox = yes
hidden = no
}

設定 pop3 以及 imap 的 quota :
#vim /etc/dovecot/conf.d/10-mail.conf
mail_plugins = $mail_plugins quota

#vim /etc/dovecot/conf.d/20-imap.conf
mail_plugins = $mail_plugins imap_quota

#vim /etc/dovecot/conf.d/20-pop3.conf
pop3_uidl_format = %08Xu%08Xv
mail_plugins = $mail_plugins quota

#vim /etc/dovecot/conf.d/15-lda.conf
postmaster_address = postmaster@localhost
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
protocol lda {
mail_plugins = $mail_plugins quota
}

#vim /etc/dovecot/conf.d/90-quota.conf
dict {
quotadict = mysql:/etc/dovecot/dovecot-dict-quota.conf
}
plugin {
quota = dict:user::proxy::quotadict
}

#vim /etc/dovecot/dovecot-dict-quota.conf
connect = host=localhost dbname=MailBox user=mailbox password=mailbox@123
map {
pattern = priv/quota/storage
table = quota2
username_field = username
value_field = bytes
}
map {
pattern = priv/quota/messages
table = quota2
username_field = username
value_field = messages
}

追加 cram-md5 驗證機制:
#vim /etc/dovecot/conf.d/10-auth.conf
#auth default {
auth_mechanisms = plain login cram-md5
#}

設定 dovecot 帳密資料庫:
# vim /etc/dovecot/conf.d/10-auth.conf
!include auth-sql.conf.ext
# vim /etc/dovecot/conf.d/auth-sql.conf.ext
###反註解
userdb {
driver = prefetch
}

設定真實的唯一使用者 vmail:
#vim /etc/dovecot/conf.d/10-master.conf
###反註解
service auth {
unix_listener auth-userdb {
mode = 0600
user = vmail
group = vmail
}
}
service dict {
unix_listener dict {
mode = 0600
user = vmail
group = vmail
}
}

編寫 dovecot 對 mysql 的設定檔 (default_pass_scheme = PLAIN 表示 mailbox 資料表中的 password 欄位為明文密碼):
# vim /etc/dovecot/dovecot-sql.conf.ext
driver = mysql
connect = host=localhost dbname=MailBox user=mailbox password=mailbox@123
#default_pass_scheme = CRAM-MD5
default_pass_scheme = PLAIN
user_query = SELECT CONCAT('/var/www/mailbox/vmail/',domain,'/',name) AS home,5000 AS uid, \
5000 AS gid, CONCAT('*:bytes=', quota) as quota_rule FROM mailbox WHERE username = '%u' AND active='1'
password_query = SELECT username AS user, password, CONCAT('/var/www/mailbox/vmail/',domain,'/',name) \
AS userdb_home, 5000 AS userdb_uid, 5000 AS userdb_gid,CONCAT('*:bytes=', quota) as userdb_quota_rule \
FROM mailbox WHERE username = '%u' AND active='1'

設定 dovecot 連進 postfix:
#vim /etc/postfix/main.cf
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
# vim /etc/postfix/master.cf
dovecot unix - n n - - pipe flags=DRhu user=vmail:vmail \
argv=/usr/libexec/dovecot/dovecot-lda -f ${sender} -d ${recipient}

重啟 dovecot 服務,測試是否有錯誤:
#systemctl restart dovecot
設定 SASL 讓 postfix 可以使用 smtp-auth:
#vim /etc/dovecot/conf.d/10-master.conf
unix_listener /var/spool/postfix/private/auth {
mode = 0666
user = postfix
group = postfix
}

修改 /etc/postfix/main.cf 檔案內容:
#vim /etc/postfix/main.cf
##追加下列項目:
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl2_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain =

##修改下列項目,加入mysql 驗證機制:
smtpd_recipient_restrictions =
permit_sasl_authenticated,
:
: (以下省略)

重新啟動 Postfix、dovecot 服務:
#systemctl restart postfix
#systemctl restart dovecot

設定 SELinux (audit2allow 會依 audit.log 自動產生規則,載入 mypol.pp 之前請先檢視 mypol.te,確認只放行必要的存取):
# yum install setroubleshoot*
# grep dovecot /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

測試:
#systemctl restart postfix
#postmap -q test@example.com mysql:/etc/postfix/mysql_virtual_alias_maps.cf

檢查與驗證:
#mail -s "first test" test@example.com
(接著輸入下列內容:)
Hello World
.
(以上的小黑點一定要打)
#mailq
#less /var/log/maillog
#postmap -q test@example.com mysql:/etc/postfix/mysql_virtual_alias_maps.cf

imap 的查驗方式:
#telnet localhost imap
a1 LOGIN 使用者帳號 使用者密碼
a2 LIST "" "*"
a3 EXAMINE INBOX
a4 FETCH 1 BODY[]
a5 LOGOUT


補充說明: 
解決一下 SELinux 的問題:
#grep imap /var/log/audit/audit.log | audit2allow -M mypol
#semodule -i mypol.pp
#grep dovecot-lda /var/log/audit/audit.log | audit2allow -M lda
#semodule -i lda.pp