CentOS配置邮件服务器(postfix+dovecot)

在Linode机器、阿里云主机，CentOS 6.8 x86_64与CentOS 7.6 x86_64上成功实现。

# 简介
使用的软件：
1. cyrus-sasl
Simple Authentication Security Layer
简单认证安全层, 主要用于SMTP认证。
其在OS中的守护进程为saslauthd
1. postfix
**作为发送服务器**
postfix是一个为了改良sendmail而产生的邮件服务器，配置简单方便。
1. dovecot
**作为接收服务器**
dovecot是一个开源的IMAP和POP3邮件服务器。
```
POP/IMAP是MUA从邮件服务器中读取邮件时使用的协议。
POP3是从邮件服务器中下载邮件存起来
IMAP则是将邮件留在服务器端直接对邮件进行管理、操作。
```
1. postfixadmin
postfixadmin是一个基于web的postfix管理工具，可以直接管理将数据存储在MYSQL或PostgreSQL数据库的postfix。
postfix的邮件用户和虚拟域名的管理都是通过postfixadmin来进行的。

**注意！在本文中用domain.com代替域名，用example@domain.com表示邮件地址！**
# 环境配置
### 域名解析
**不支持IPV6的主机请忽略AAAA记录，但如果支持一定要添加，不然GMAIL会拒收**

| 主机记录     |     记录类型  |     记录内容  |
| ------------ | ------------ | ------------ |
|  mail | A  | 主机IPv4地址  |
| mail|AAAA|主机IPv6地址|
|  @ | MX  | mail.domain.com  |
|  @ | TXT  | v=spf1 a -all  |
|  imap | CNAME  | mail.domain.com  |
|smtp|CNAME|mail.domain.com|
|mailadmin|A|主机IPv4地址|
|mailadmin|AAAA|主机IPv6地址|
|_dmarc|TXT|v=DMARC1; p=none|

**并不是最终配置，等一会生成DKIM后仍需要添加一条TXT**
### DNS反向解析
简单来说DNS反向解析就是可以使用IP地址反查到域名。
具体服务商具体操作不一样，以linode为例：
在服务器页面中点击上方""Remote Access""
在Public IPs下方可以看到""Reserve DNS""
点进去，域名添加""mail.domain.com"",点击旁边确认
Linode会根据域名解析记录自动查找对应的解析记录，并出现提示是否将该IP反向解析到该域名，点选“YES”
**注意：该步骤中如果该机器有IPv6地址且mail.domain.com的AAAA记录指向了该IPv6地址的话会一同出现是否反向解析。一定要选YES不然GMAIL会拒收**
### web环境安装配置
这里使用LNMP一键安装包：[LNMP1.5正式版](https://www.lnmp.org/notice/lnmp-v-15.html ""LNMP1.5正式版"")
安装好后还需要手动编译添加imap扩展
（当然yum安装的pong友们就可以直接yum -y install php-imap)
进入下载lnmp1.5的目录

```bash
#安装依赖
yum -y install libc-client-devel
#进入src,解压php源码
cd src
tar -jxvf php-5.6.36.tar.bz2
cd php-5.6.36
cd ext
cd imap
/usr/local/php/bin/phpize
#configure
./configure --with-php-config=/usr/local/php/bin/php-config --with-kerberos --with-imap-ssl --with-libdir=lib64
#make and make install
make && make install
#修改php.ini
vi /usr/local/php/etc/php.ini
#在其中添加   extension = "imap.so"
#重启php-fpm
lnmp php-fpm restart
```

### MYSQL配置
```bash
yum -y install mysql-devel
```
安装完成后务必确保设置正确，如不确定请使用：
```bash
mysql_secure_installation
```
然后：
```sql
#登录MYSQL
mysql -uroot -p'密码'

--创建数据库postfix
CREATE database postfix default character set utf8 collate utf8_bin;
--创建postfix用户，设置密码及赋予postfix库权限
GRANT ALL on postfix.* to 'postfix'@'localhost' identified by '密码在这里设置';
--刷新
flush privileges;
```
### 主机名修改
```bash
vi /etc/sysconfig/network
#修改HOSTNAME=mail.domain.com
#然后重启机器
reboot
```
### 创建用户
我们需要创建一个不能登录系统的用户来管理邮件
```bash
groupadd -g 5000 vmail
useradd -g vmail -u 5000 -s /sbin/nologin vmail
```
### 生成SSL证书、配置postfixadmin/mail.domain.com
使用lnmp自带Let's Encrypt来生成证书。（若无lnmp可以自己使用acme.sh的standalone模式生成）
```bash
#配置mail.domain.com
#添加虚拟主机
lnmp vhost add
#主域名输入mail.domain.com
#副域名输入imap.domain.com smtp.domain.com
#不需要rewrite及pathinfo
#选择使用SSL
#使用自带Let's Encrypt创建SSL证书

#配置postfixadmin同上，只不过不需要副域名，且postfixadmin不需要自己的数据库。
```

# 软件安装及配置
### cyrus-sasl
```bash
yum -y install cyrus-sasl

#查询版本
saslauthd -v
```
本文使用2.1.23版本进行配置
```bash
vi /etc/sysconfig/saslauthd
#修改：
MECH=shadow

vi /etc/sasl2/smtpd.conf
#若CentOS 7:
vim /usr/lib64/sas12/smtpd.conf   #64位系统
vim /usr/lib/sas12/smtpd.conf     #32位系统
#修改为：
pwcheck_method: saslauthd
mech_list: plain login
log_level: 3
saslauthd_path:/var/run/saslauthd/mux

#重启sasl
service saslauthd restart
#测试sasl
testsaslauthd -u root -p '密码'
#出现0: OK Success.即配置成功。
```
### postfix
```bash
yum -y install postfix
#查看版本
postconf -d | grep mail_version
#mail_verion = 2.6.6
#本文使用2.6.6进行配置
vi /etc/postfix/main.cf
```
修改：
```
myhostname = mail.domain.com
mydomain = domain.com
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost
local_recipient_maps =
```
在其中增加： **注意替换证书地址**
```
#验证设置
smtpd_sasl_type = dovecot
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_application_name = smtpd
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,reject_unknown_sender_domain
smtpd_sasl_security_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_client_restrictions = permit_sasl_authenticated
smtpd_sasl_security_options = noanonymous
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
#虚拟设置
virtual_mailbox_base = /home/vmail/
virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
virtual_alias_maps =
   proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf,
   proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf,
   proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf
virtual_mailbox_maps =
   proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf,
   proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
#SSL(注意将证书地址替换！)
smtpd_use_tls= yes
smtpd_tls_cert_file = fullchain.cer
smtpd_tls_key_file = xxxx.key
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_loglevel = 0
smtpd_tls_auth_only = yes
```

```bash
#修改master.cf
vi /etc/postfix/master.cf
#修改（注意，第二行开头的两个空格不能少)
smtps       inet   n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
#添加（注意，第二行开头的两个空格不能少）
dovecot   unix  -       n       n       -       -       pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/dovecot-lda -f ${sender} -d ${recipient}
```

数据库连接：
本例中：数据库用户名:postfix
密码:postfix
主机:localhost
数据库:postfix
**自行替换！**
```bash
mkdir /etc/postfix/sql/

vim /etc/postfix/sql/mysql_virtual_alias_maps.cf
user = postfix
password = postfix
hosts = localhost
dbname = postfix
query = SELECT goto FROM alias WHERE address='%s' AND active = '1'

vim /etc/postfix/sql/mysql_virtual_alias_domain_maps.cf
user = postfix
password = postfix
hosts = localhost
dbname = postfix
query = SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' and alias.address = CONCAT('%u', '@', alias_domain.target_domain) AND alias.active = 1 AND alias_domain.active='1'

vim /etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf
user = postfix
password = postfix
hosts = localhost
dbname = postfix
query = SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' and alias.address = CONCAT('@', alias_domain.target_domain) AND alias.active = 1 AND alias_domain.active='1'

vim /etc/postfix/sql/mysql_virtual_domains_maps.cf
user = postfix
password = postfix
hosts = localhost
dbname = postfix
query = SELECT domain FROM domain WHERE domain='%s' AND active = '1'

vim /etc/postfix/sql/mysql_virtual_mailbox_maps.cf
user = postfix
password = postfix
hosts = localhost
dbname = postfix
query = SELECT maildir FROM mailbox WHERE username='%s' AND active = '1'

vim /etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf
user = postfix
password = postfix
hosts = localhost
dbname = postfix
query = SELECT maildir FROM mailbox,alias_domain WHERE alias_domain.alias_domain = '%d' and mailbox.username = CONCAT('%u','@',alias_domain.target_domain) AND mailbox.active = 1 AND alias_domain.active='1'

vim /etc/postfix/sql/mysql_virtual_mailbox_limit_maps.cf
user = postfix
password = postfix
hosts = localhost
dbname = postfix
query = SELECT quota FROM mailbox WHERE username='%s' AND active = '1'
```

### dovecot
安装：
```bash
yum -y install dovecot dovecot-devel dovecot-mysql pam-devel
```
配置：
```bash
vi /etc/dovecot/dovecot.conf
#修改或增加
protocols = imap
listen = *
!include conf.d/*.conf
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}

userdb {
  driver = static
  args = uid=5000 gid=5000 home=/home/vmail/%d/%n
}

vi /etc/dovecot/conf.d/10-auth.conf
#修改
disable_plaintext_auth = no
auth_mechanisms = plain login cram-md5
!include auth-system.conf.ext

vi /etc/dovecot/conf.d/10-ssl.conf
#修改
ssl = yes
#SSL证书（记得保留<)
ssl_cert = <xxx.crt
ssl_key = <xxx.pem

vim /etc/dovecot/conf.d/10-master.conf

service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
	ssl = yes
  }
}
service auth {
   unix_listener auth-userdb {
    mode = 0600
    user = vmail
    group = vmail
  }
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
  }
}

vim /etc/dovecot/conf.d/15-lda.conf
#修改
postmaster_address = postmaster@example.com

vim /etc/dovecot/dovecot-sql.conf.ext
#MYSQL相关，注意修改信息！
driver = mysql
connect = host=localhost dbname=postfix user=postfix password=postfix
default_pass_scheme = MD5-CRYPT
password_query = SELECT username AS user,password FROM mailbox WHERE username = '%u' AND active='1'
user_query = SELECT maildir, 5000 AS uid, 5000 AS gid, CONCAT('dict:storage=',floor(quota/1000),' proxy::quota') as quota FROM mailbox WHERE username = '%u' AND active='1'

```

**未完待续**