[筆記] CentOS LAMP Postfix Postfixadmin Virtual Mail Multi Domain SASL TLS SSL Dovecot MySQL
CentOS LAMP Postfix Postfixadmin Virtual Mail Multi Domain SASL TLS SSL Dovecot MySQL 安裝步驟整理
系統基礎
檢查 hostname 是否有設定正確,hostname -f 如果跑不出正確結果,編輯 /etc/hosts 內容
#####安裝會用到的小工具
yum install epel-release ; yum list > yum.txt
yum install ftp traceroute telnet vim joe lynx bind-utils wget openssl ntpdate mail
#####修改時區
cp /usr/share/zoneinfo/Asia/Taipei /etc/localtime
ntpdate time.stdtime.gov.tw
加入 crontab
*/10 * * * * ntpdate time.stdtime.gov.tw > /dev/null 2>&1
或者是直接安裝 ntp 服務
yum install -y ntp
vim /etc/ntp.conf
加入
restrict 192.168.10.0 mask 255.255.255.0
server time.stdtime.gov.tw iburst
server 192.168.10.243 iburst
service ntpd restart
#####關閉 SELINUX（簡化安裝用的作法；正式環境建議改用 permissive 模式排查問題,而不是直接關閉）
vim /etc/sysconfig/selinux
SELINUX=disabled
##### 關閉防火牆服務（僅為了方便安裝測試；正式環境應保留防火牆,只開放實際用到的服務埠） #####
service iptables stop
chkconfig --level 235 iptables off
####系統重開機 套用關閉SELINUX
reboot
LAMP
## MYSQL 5 ##
yum install mysql mysql-server
chkconfig --levels 235 mysqld on
/etc/init.d/mysqld start
/usr/bin/mysql_secure_installation
## APACHE 2 ##
yum install httpd
chkconfig --levels 235 httpd on
##修改 httpd.conf 裡面的 ServerName 參數 ##
vim /etc/httpd/conf/httpd.conf
ServerName localhost:80
service httpd start
check http://ip_address
## PHP ## yum install php php-gd php-mbstring php-mysql mod_ssl php-imap -y
##add a php file in /var/www/html to check if php works
##新增一個 PHP 檔案 看看 php 是否可以正常運作（測試完記得把 1.php 刪掉,phpinfo 會把主機設定全部列出來）
vim /var/www/html/1.php
<?php phpinfo(); ?>
lynx localhost/1.php
########## Enable HTTPS ######
yum install -y openssl mod_ssl
service httpd restart
apache 預設就幫我們做好了兩個憑證,位置在/etc/pki/tls/certs & /etc/pki/tls/private 底下
檔名分別叫做 localhost.crt / localhost.key
所以修改apache設定去抓這兩個檔案
修正
沒有預設做好憑證這回事,所以還是要自己做憑證出來
# 1024 bit 的 RSA 金鑰已經偏弱,後面 Postfix 章節用的是 2048,這裡建議比照
openssl genrsa -out ms.abc.com.key 1024
openssl req -new -key ms.abc.com.key -out ms.abc.com.csr
openssl x509 -req -days 3650 -in ms.abc.com.csr -signkey ms.abc.com.key -out ms.abc.com.crt
mv ms.abc.com.crt /etc/pki/tls/certs/
mv ms.abc.com.key /etc/pki/tls/private/
vim /etc/httpd/conf.d/ssl.conf
找到 SSLCertificateFile 、 SSLCertificateKeyFile 這兩個參數
加入預設憑證的路徑
SSLCertificateFile /etc/pki/tls/certs/ms.abc.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/ms.abc.com.key
重啟 apache
service httpd restart
開啟 https 頁面測試看看
一開始應該會出現錯誤憑證的畫面,這是因為我們的憑證是自己簽的,而不是透過第三方機構發的。不過無所謂,可以用就好~
不然還要花錢去申請..
##date.timezone
vim /etc/php.ini
date.timezone = Asia/Taipei
service httpd restart
## LAMP DONE
POSTFIX
## POSTFIX / DOVECOT ##
Cyrus
yum -y install cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 cyrus-sasl-plain
#######################################################
Generate SSL Sign Key
#######################################################
openssl genrsa -des3 -out ms.abc.com.key 2048
chmod 600 ms.abc.com.key
openssl req -new -key ms.abc.com.key -out ms.abc.com.csr
openssl x509 -req -days 3650 -in ms.abc.com.csr -signkey ms.abc.com.key -out ms.abc.com.crt
openssl rsa -in ms.abc.com.key -out ms.abc.com.key.nopass
mv -f ms.abc.com.key.nopass ms.abc.com.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
chmod 600 ms.abc.com.key
chmod 600 cakey.pem
mkdir /etc/ssl/private
mv ms.abc.com.key /etc/ssl/private/
mv ms.abc.com.crt /etc/ssl/certs/
mv cakey.pem /etc/ssl/private/
mv cacert.pem /etc/ssl/certs/
#######################################################
Add TLS Settings to /etc/postfix/main.cf
#######################################################
# smtpd_tls_auth_only = no 代表 SASL 認證也可以在未加密的連線上進行;確認 TLS 可用後建議改成 yes
postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/ssl/private/ms.abc.com.key'
postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/ms.abc.com.crt'
postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'
postconf -e 'myhostname = ms.abc.com'
postconf -e 'mydomain = abc.com'
#######################################################
/etc/postfix/main.cf should be like this
#######################################################
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailbox_command =
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = abc.com
myhostname = ms.abc.com
mynetworks = 127.0.0.0/8
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
##### POSTFIX CONFIG #####
postconf -e 'inet_interfaces = all'
postconf -e 'mynetworks = 127.0.0.0/8'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'mailbox_command ='
#########SASL##############
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_path = private/auth'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'smtpd_sasl_type = dovecot'
##### TLS , check the cert file location #####
# 注意:前面 postconf 設的 CAfile 是 /etc/ssl/certs/cacert.pem,這裡寫的是 /etc/postfix/ssl/cacert.pem,兩者要以實際 mv 過去的路徑為準
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/ssl/certs/ms.abc.com.crt
smtpd_tls_key_file = /etc/ssl/private/ms.abc.com.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
### Virtual Mail ###
#######################################################################################
Create cf files
（這些 .cf 檔裡面有資料庫密碼,建議設成 root:postfix 擁有、權限 640,不要讓其他使用者讀得到）
#######################################################################################
vim /etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf
user = postfixadmin
password = postfixadmin
hosts = localhost
dbname = mail
query = SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' and alias.address = CONCAT('@', alias_domain.target_domain) AND alias.active = 1 AND alias_domain.active='1'
vim /etc/postfix/sql/mysql_virtual_alias_domain_maps.cf
user = postfixadmin
password = postfixadmin
hosts = localhost
dbname = mail
query = SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' and alias.address = CONCAT('%u', '@', alias_domain.target_domain) AND alias.active = 1 AND alias_domain.active='1'
vim /etc/postfix/sql/mysql_virtual_domains_maps.cf
user = postfixadmin
password = postfixadmin
hosts = localhost
dbname = mail
query = SELECT domain FROM domain WHERE domain='%s' AND active = '1'
vim /etc/postfix/sql/mysql_virtual_mailbox_maps.cf
user = postfixadmin
password = postfixadmin
hosts = localhost
dbname = mail
query = SELECT maildir FROM mailbox WHERE username='%s' AND active = '1'
vim /etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf
user = postfixadmin
password = postfixadmin
hosts = localhost
dbname = mail
query = SELECT maildir FROM mailbox,alias_domain WHERE alias_domain.alias_domain = '%d' and mailbox.username = CONCAT('%u', '@', alias_domain.target_domain) AND mailbox.active = 1 AND alias_domain.active='1'
vim /etc/postfix/sql/mysql_virtual_alias_maps.cf
user = postfixadmin
password = postfixadmin
hosts = localhost
dbname = mail
query = SELECT goto FROM alias WHERE address='%s' AND active = '1'
#expansion_limit = 100
vim /etc/postfix/sql/mysql_virtual_mailbox_limit_maps.cf
user = postfixadmin
password = postfixadmin
hosts = localhost
dbname = mail
query = SELECT quota FROM mailbox WHERE username='%s' AND active = '1'
postconf -e 'virtual_alias_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf'
postconf -e 'virtual_gid_maps = static:5000'
postconf -e 'virtual_mailbox_base = /home/vmail'
postconf -e 'virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf'
postconf -e 'virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf'
postconf -e 'virtual_transport = virtual'
postconf -e 'virtual_uid_maps = static:5000'
Others
postconf -e 'unknown_local_recipient_reject_code = 550'
#######################################################################################
add vmail user/group for virtual mail
the uid/gid must match virtual_uid_maps / virtual_gid_maps (5000) in main.cf
#######################################################################################
groupadd -g 5000 vmail
useradd -g vmail -u 5000 vmail -d /home/vmail
chown vmail:vmail /home/vmail
############### MYSQL ###############
mysql -u root -p
create database mail;
create user 'postfixadmin'@'localhost' identified by 'postfixadmin';
grant all privileges on mail.* to 'postfixadmin'@'localhost';
flush privileges;
quit
#########Postfixadmin ###################
wget http://nchc.dl.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin-2.93/postfixadmin-2.93.tar.gz
tar zxvf postfixadmin-2.93.tar.gz
mv postfixadmin-2.93 postfixadmin
mv postfixadmin /var/www/html/
cd /var/www/html/postfixadmin
vim config.inc.php
$CONF['configured'] = false; -> $CONF['configured'] = true;
$CONF['database_type'] = 'mysqli';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'postfix'; -> $CONF['database_user'] = 'postfixadmin';
$CONF['database_password'] = 'postfixadmin';
$CONF['database_name'] = 'postfix'; -> $CONF['database_name'] = 'mail';
open http://ip_address/postfixadmin/setup.php Error: Smarty template compile directory templates_c is not writable. Please make it writable. If you are using SELinux or AppArmor, you might need to adjust their setup to allow write access.
chmod a+rw -R /var/www/html/postfixadmin/templates_c
（a+rw 會讓系統上所有帳號都能寫入這個目錄;其實只要 httpd 的執行身分可寫就夠了,CentOS 預設是 apache 使用者）
open http://ip_address/postfixadmin/setup.php
change the setup password (it must contain at least two digits and two letters; this rule is relaxed later) and the new password hash will be generated
vim /var/www/html/postfixadmin/config.inc.php
Replace $CONF['setup_password'] = 'changeme'; with $CONF['setup_password'] = '0287c360cbc407f4e18e520651a1c1b8:3a8a82f252f00a8593c0bfc9fa006a98deee2b32';
create a new mail master
go to http://ip_address/postfixadmin/login.php and log in with the account created in the last step
change the password limitation (relaxed here for testing only; keep the default rules on a production server)
vim /var/www/html/postfixadmin/config.inc.php
$CONF['password_validation'] = array(
# '/regular expression/' => '$PALANG key (optional: + parameter)',
'/.{5}/' => 'password_too_short 5', # minimum length 5 characters
#'/([a-zA-Z].){3}/' => 'password_no_characters 3', # must contain at least 3 characters
-> '/([a-zA-Z].){0}/' => 'password_no_characters 3', # must contain at least 0 characters
#'/([0-9].){2}/' => 'password_no_digits 2', # must contain at least 2 digits
-> '/([0-9].){0}/' => 'password_no_digits 2', # must contain at least 0 digits
);
######################################################
create a new virtual domain and virtual user
check if the records exist
######################################################
mysql -u root -p
use mail;
show tables;
select * from domain;
select * from alias;
exit
in /var/log/maillog there should be a welcome message from postmaster to the account you just created
Jan 13 13:37:25 mssop postfix/qmgr[2396]: 632D740A18: from=<postmaster@abc.com.tw>, size=489, nrcpt=1 (queue active)
Jan 13 13:37:25 mssop postfix/smtpd[2965]: disconnect from localhost[::1]
Jan 13 13:37:25 mssop postfix/virtual[2975]: 632D740A18: to=<mc@abc-taf.com>, relay=virtual, delay=0.16, delays=0.06/0.1/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
Jan 13 13:37:25 mssop postfix/qmgr[2396]: 632D740A18: removed
#######################################################
###### Dovecot Config ########
#######################################################
vim /etc/dovecot/conf.d/10-ssl.conf
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
vim /etc/dovecot/conf.d/10-auth.conf
# disable_plaintext_auth = no 允許在沒有 TLS 的連線上送明文密碼;10-ssl.conf 的憑證確認可用後建議改回 yes
disable_plaintext_auth = no
auth_mechanisms = plain login
!include auth-sql.conf.ext
vim /etc/dovecot/conf.d/10-mail.conf
mail_location = maildir:/home/vmail/%d/%n
mail_privileged_group = mail
mbox_write_locks = fcntl
vim /etc/dovecot/conf.d/10-master.conf
service imap-login { inet_listener imap { } inet_listener imaps { } }
service pop3-login { inet_listener pop3 { } inet_listener pop3s { } }
service lmtp { unix_listener lmtp { }
}
service imap {
}
service pop3 { }
service auth {
unix_listener auth-userdb {
}
unix_listener /var/spool/postfix/private/auth {
# 這個 socket 只有 postfix 需要存取;user/group 已經設成 postfix,mode 用 0660 就夠了,不必開到 0666
mode = 0666
user = postfix
group = postfix
}
}
service auth-worker { }
service dict { unix_listener dict { } }
vim /etc/dovecot/conf.d/auth-sql.conf.ext
passdb { driver = sql args = /etc/dovecot/dovecot-sql.conf.ext }
userdb { driver = static args = uid=vmail gid=vmail home=/home/vmail/%u }
###########################################################################
Create the dovecot-sql.conf.ext file so dovecot can authenticate against MySQL
###########################################################################
vim /etc/dovecot/dovecot-sql.conf.ext
driver = mysql
connect = host=127.0.0.1 dbname=mail user=postfixadmin password=postfixadmin
default_pass_scheme = MD5-CRYPT
password_query = SELECT username AS user,password FROM mailbox WHERE username = '%u' AND active='1'
# 下面列了三種 user_query 的寫法,檔案裡請只保留一個,其餘註解掉
user_query = SELECT maildir, 5000 AS uid, 5000 AS gid FROM mailbox WHERE username = '%u' AND active='1'
user_query = SELECT CONCAT('/home/vmail/', maildir) AS home, 5000 AS uid, 5000 AS gid, CONCAT('*:bytes=', quota) AS quota_rule FROM mailbox WHERE username = '%u' AND active='1'
user_query = SELECT maildir, 5000 AS uid, 5000 AS gid, CONCAT('dict:storage=',floor(quota/1000),' proxy::quota') as quota FROM mailbox WHERE username = '%u' AND active='1'
############################################################################
########## install roundcubemail #################################
############################################################################
yum install roundcubemail
vim /etc/httpd/conf.d/roundcubemail.conf
Comment out the two Directory access rules below for the install (as shown; they otherwise only allow access from localhost)
Alias /roundcubemail /usr/share/roundcubemail
change to
Alias /mail /usr/share/roundcubemail
<Directory /usr/share/roundcubemail/> <IfModule mod_authz_core.c>
Apache 2.4
#Require local </IfModule> <IfModule !mod_authz_core.c>
Apache 2.2
#Order Deny,Allow #Deny from all #Allow from 127.0.0.1 #Allow from ::1 </IfModule> </Directory>
Define who can access the installer
keep this secured once configured
<Directory /usr/share/roundcubemail/installer/> <IfModule mod_authz_core.c>
Apache 2.4
#Require local </IfModule> <IfModule !mod_authz_core.c>
Apache 2.2
#Order Deny,Allow #Deny from all #Allow from 127.0.0.1 #Allow from ::1 </IfModule> </Directory>
create a database for roundcubemail
mysql -u root -p
create database rcmail;
create user 'rcmail'@'localhost' identified by 'rcmailpassword';
grant all privileges on rcmail.* to 'rcmail'@'localhost';
flush privileges;
service httpd reload
open http://ip_address/mail/installer/
check if there are any errors; if not, press Next, if so, fix them first
after Next, fill in the database settings with the database you created in the last step
set the SMTP server to localhost and check "Use the current IMAP username and password for SMTP authentication"
language: zh_TW (not sure if this works or not)
press "create config file"
copy the file to /etc/roundcubemail/config.inc.php
press continue and check if there are any errors
initialize the database
test SMTP with the first account/password you created in the postfixadmin section
test IMAP
mv /usr/share/roundcubemail/installer /usr/share/roundcubemail/installer.bak
login to roundcubemail: open https://ip_address/mail/ and log in with the account/password you created in the postfixadmin section (in the form username@domain.name); there's one mail waiting for you ~
Congrats! Everything works fine now! (it should be ...)