Chapter 16 Mail Services (2)
16.3 Mail relaying
Besides relaying mail within its own domain, Postfix can also relay between different domains. This example demonstrates relaying mail between two SMTP servers. The requirement is that mailbox users in the rzz.com and jll.com domains can send mail to each other.
First, start a Linux virtual machine with IP address 192.168.10.11 and DNS pointing at 192.168.10.1, with the firewall and SELinux turned off; it will act as the SMTP and POP3 server for the jll.com domain. As with the previous server, install and configure postfix and dovecot, enable mail delivery for jll.com in the configuration files, and create two system users, user3 and user4, to use as mailbox accounts. Finally start the postfix and dovecot services and verify that user3 and user4 can send mail to each other.
Next, configure the DNS server: create the jll.com zone and add an MX record pointing to mail.jll.com plus an A record for mail.jll.com (as in the earlier DNS screenshots).
Finally, enable relaying. The configuration is actually very simple: on 192.168.10.10, edit the postfix configuration file:
vi /etc/postfix/main.cf ---two settings are involved; either one is sufficient
relay_domains = $mydestination, jll.com
relayhost = [mail.jll.com] ---format: [hostname/ip]:port; the port may be omitted
Note: relay_domains lists the destination domains this server is allowed to relay to, and several may be given. Once jll.com is added, the rzz.com server can send mail to jll.com; this works even without setting relayhost. If domains such as 163.com or yahoo.com are appended, then, as long as the domain this host serves (rzz.com) is properly registered on the public internet, it can send mail to public mailboxes as well. relayhost specifies which SMTP server mail is handed to; its format allows only a single server (not a comma-separated list) and only one relayhost line may appear, so it is rather limited. Its advantage is that once relayhost is set, no DNS MX lookup is performed and mail is sent directly to the target SMTP server, so relaying is somewhat faster.
After configuring, simply restart the service:
systemctl restart postfix
Then, on the jll.com SMTP server, add the corresponding setting in its configuration file to allow relaying to rzz.com. After restarting the service, users in the two domains can exchange mail.
16.4 postfix + dovecot + SSL authentication + MySQL
As you can imagine, the setup above has a serious weakness concerning the number of users and system security. Every mailbox account is a system user, so as the number of users grows the system accounts become bloated, and the mailbox password is the same as the system login password, which is obviously a major security risk. The best solution is to store the user information in a database and use SSL for encrypted transport and authentication, so that mailbox accounts are separated from system users. This requires quite a few supporting configuration items; the concrete steps are demonstrated below.
16.4.1 Installing and configuring the MySQL database
Here we do not use the MariaDB shipped on the installation disc but MySQL directly. First download mysql-5.7.20-1.el7.x86_64.rpm-bundle.tar, then unpack it:
mkdir /mnt/mysql
tar -xvf mysql-5.7.20-1.el7.x86_64.rpm-bundle.tar -C /mnt/mysql
createrepo -v /mnt/mysql
Then configure two yum repositories, this /mnt/mysql repository and the system installation disc, and install:
yum -y install mysql
yum -y install mysql-server ---the two packages sometimes have to be installed separately
Note: during installation the package shown should be mysql, not mariadb. If mariadb appears, first remove mariadb and mariadb-server, then specify the repository with the --enablerepo parameter. Then start the mysql service:
systemctl restart mysqld
systemctl enable mysqld
Then we need to log in to mysql, but right after installation we must first look up the randomly generated default password:
grep 'temporary password' /var/log/mysqld.log ---search the log
As shown in the figure: the text after root@localhost: is the random password
mysql -uroot -p ---log in to mysql as root and enter the random password
Then change the root password inside mysql; the root password must be longer than 8 characters and contain upper- and lower-case letters, symbols and digits:
SQL>alter user 'root'@'localhost' identified by 'Rzz-123456';
Note: the text after by is the new password being set.
With the initial configuration done, create the user, database and tables for the mailbox accounts:
mysql -uroot -pRzz-123456
SQL>create database mailDB; ---create the mail database
SQL>create user mailUser@'localhost' identified by 'Rzz-123456';
---create the database user mailUser with login password Rzz-123456
SQL>grant all on mailDB.* to mailUser@'localhost' identified by 'Rzz-123456'; ---grant the user privileges on the mailDB database
SQL>flush privileges; ---reload the privilege tables
SQL>exit; ---quit
mysql -umailUser -pRzz-123456 ---log in as the new user
SQL> use mailDB; ---switch to the mail database
SQL> CREATE TABLE `mail_domains` (
`id` int(11) NOT NULL auto_increment,
`name` varchar(50) NOT NULL,
PRIMARY KEY (`id`))
ENGINE=InnoDB DEFAULT CHARSET=utf8; ---create the domain table
SQL> CREATE TABLE `mail_users` (
`id` int(11) NOT NULL auto_increment,
`domain_id` int(11) NOT NULL,
`password` varchar(106) NOT NULL,
`email` varchar(100) NOT NULL,
PRIMARY KEY (`id`),
UNIQUE KEY `email` (`email`),
FOREIGN KEY (domain_id) REFERENCES mail_domains(id) ON DELETE CASCADE)
ENGINE=InnoDB DEFAULT CHARSET=utf8; ---create the user table (the foreign key must point at the mail_domains table created above)
SQL> CREATE TABLE `mail_aliases` (
`id` int(11) NOT NULL auto_increment,
`domain_id` int(11) NOT NULL,
`source` varchar(100) NOT NULL,
`destination` varchar(100) NOT NULL,
PRIMARY KEY (`id`),
FOREIGN KEY (domain_id) REFERENCES mail_domains(id) ON DELETE CASCADE)
ENGINE=InnoDB DEFAULT CHARSET=utf8; ---create the alias table
SQL> insert into mail_domains(id,name)
values(1,'mail.rzz.com'); ---insert data
SQL> insert into mail_domains(id,name) values(2,'rzz.com');
SQL> insert into mail_users(id,domain_id,password,email)
values(1,2,ENCRYPT('123123'),'zhangsan@rzz.com');
---insert the mailbox zhangsan@rzz.com with password 123123, stored in hashed (ENCRYPT) form
SQL> insert into mail_users(id,domain_id,password,email)
values (2,2,ENCRYPT('123123'),'lisi@rzz.com');
---insert the mailbox lisi@rzz.com with password 123123, stored in hashed (ENCRYPT) form
SQL> insert into mail_aliases(id,domain_id,source,destination)
values (1,2,'all@rzz.com','zhangsan@rzz.com'); ---insert an alias
SQL> insert into mail_aliases(id,domain_id,source,destination)
values (2,2,'all@rzz.com','lisi@rzz.com');
Then check the inserted rows:
SQL> select * from mail_domains;
SQL> select * from mail_users;
SQL> select * from mail_aliases;
Good, the database configuration is complete at this point.
16.4.2 Postfix configuration
Edit the postfix configuration file:
vi /etc/postfix/main.cf
Copy the following content and insert it into the configuration file to enable SSL authentication and specify the key file and certificate file.
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
virtual_transport = dovecot
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
Next create the lookup files that connect to mysql for the virtual users (each one must log in with the mailUser account and the password set above):
vim /etc/postfix/mysql-virtual-mailbox-domains.cf ---virtual domain lookup
user = mailUser
password = Rzz-123456
hosts = 127.0.0.1
dbname = mailDB
query = SELECT 1 FROM mail_domains WHERE name='%s'
vim /etc/postfix/mysql-virtual-mailbox-maps.cf ---virtual mailbox lookup
user = mailUser
password = Rzz-123456
hosts = 127.0.0.1
dbname = mailDB
query = SELECT 1 FROM mail_users WHERE email='%s'
vim /etc/postfix/mysql-virtual-alias-maps.cf ---alias-to-mailbox lookup
user = mailUser
password = Rzz-123456
hosts = 127.0.0.1
dbname = mailDB
query = SELECT destination FROM mail_aliases WHERE source='%s'
As you can see, each lookup file specifies the account, password and database name used to log in to mysql. Once they are created, restart the service:
systemctl restart postfix
Then test the mysql lookups:
postmap -q rzz.com mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
The result should be: 1
postmap -q lisi@rzz.com mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
The result should be: 1
postmap -q all@rzz.com mysql:/etc/postfix/mysql-virtual-alias-maps.cf
The result should be: zhangsan@rzz.com lisi@rzz.com
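To see what these three lookups return before Postfix is involved, here is an added Python example (not part of the original tutorial) that parses map files in the format above and runs their queries against an in-memory SQLite copy of the 16.4.1 schema; the map texts and rows are constructed here, and the key is bound as a parameter in place of the escaping Postfix performs on %s.

```python
import sqlite3

# Constructed copies of the three Postfix mysql: map files from 16.4.2.
MAP_FILES = {
    "domains": "user = mailUser\npassword = Rzz-123456\nhosts = 127.0.0.1\ndbname = mailDB\n"
               "query = SELECT 1 FROM mail_domains WHERE name='%s'\n",
    "mailbox": "user = mailUser\npassword = Rzz-123456\nhosts = 127.0.0.1\ndbname = mailDB\n"
               "query = SELECT 1 FROM mail_users WHERE email='%s'\n",
    "alias":   "user = mailUser\npassword = Rzz-123456\nhosts = 127.0.0.1\ndbname = mailDB\n"
               "query = SELECT destination FROM mail_aliases WHERE source='%s'\n",
}

def parse_map(text):
    """Parse the 'key = value' lines of a Postfix mysql: map file into a dict."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")   # split at the first '=' only
        cfg[key.strip()] = value.strip()
    return cfg

def build_db():
    """In-memory SQLite stand-in for mailDB with the tutorial's tables and rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE mail_domains (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE mail_users   (id INTEGER PRIMARY KEY, domain_id INTEGER NOT NULL,
                                   password TEXT NOT NULL, email TEXT NOT NULL UNIQUE);
        CREATE TABLE mail_aliases (id INTEGER PRIMARY KEY, domain_id INTEGER NOT NULL,
                                   source TEXT NOT NULL, destination TEXT NOT NULL);
        INSERT INTO mail_domains VALUES (1, 'mail.rzz.com'), (2, 'rzz.com');
        INSERT INTO mail_users   VALUES (1, 2, '<crypt-hash>', 'zhangsan@rzz.com'),
                                        (2, 2, '<crypt-hash>', 'lisi@rzz.com');
        INSERT INTO mail_aliases VALUES (1, 2, 'all@rzz.com', 'zhangsan@rzz.com'),
                                        (2, 2, 'all@rzz.com', 'lisi@rzz.com');
    """)
    return db

def lookup(db, cfg, key):
    """Mimic 'postmap -q KEY mysql:file'. The key is bound where Postfix expands
    the escaped %s, so a key such as "x' OR '1'='1" just matches nothing.
    Multi-row results are joined with commas as Postfix does; None = not found."""
    sql = cfg["query"].replace("'%s'", "?")
    rows = db.execute(sql, (key,)).fetchall()
    return ",".join(str(r[0]) for r in rows) if rows else None
```

Run the same three keys the postmap tests above use; a domain that is not in mail_domains (jll.com) returns nothing, which is exactly why relaying to it needs the relay_domains setting from 16.3.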
Next modify the master.cf configuration file:
vi /etc/postfix/master.cf ---change its contents as follows:
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       n       -       -       qmqpd
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}
Restart the service once more
systemctl restart postfix
lsof -i:25
lsof -i:465 ---check the ports; smtps is now listening
Postfix configuration is now complete; next configure dovecot.
16.4.3 Dovecot configuration
Configuring dovecot means editing several files under /etc/dovecot/conf.d/; we go through them one by one.
First create the system user and group that will own the mail
groupadd -g 5000 vmail
useradd -g vmail -u 5000 vmail
Set the directory permissions
chown -R vmail:dovecot /etc/dovecot
chmod -R o-rwx /etc/dovecot
Then edit the relevant configuration files
vi /etc/dovecot/conf.d/10-mail.conf ---configure 10-mail.conf
mail_location = maildir:/home/vmail/%d/%n/Maildir ---path where user mail is stored
mail_privileged_group = mail
vim /etc/dovecot/conf.d/10-auth.conf
auth_mechanisms = plain login
#!include auth-system.conf.ext
!include auth-sql.conf.ext ---comment out the system-user line and enable MySQL authentication
vi /etc/dovecot/conf.d/auth-sql.conf.ext ---configure auth-sql.conf.ext
# Authentication for SQL users. Included from 10-auth.conf.
#
# <doc/wiki/AuthDatabase.SQL.txt>
passdb {
  driver = sql
  # Path for SQL configuration file, see example-config/dovecot-sql.conf.ext
  args = /etc/dovecot/dovecot-sql.conf.ext ---password lookups use the file given here
}
# "prefetch" user database means that the passdb already provided the
# needed information and there's no need to do a separate userdb lookup.
# <doc/wiki/UserDatabase.Prefetch.txt>
#userdb {
#  driver = prefetch
#}
userdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext ---user lookups use the file given here
}
# If you don't have any user-specific settings, you can avoid the user_query
# by using userdb static instead of userdb sql, for example:
# <doc/wiki/UserDatabase.Static.txt>
#userdb {
#  driver = static
#  args = uid=vmail gid=vmail home=/var/vmail/%u
#}
vim /etc/dovecot/dovecot-sql.conf.ext ---edit the SQL connection file
driver = mysql
connect = host=127.0.0.1 dbname=mailDB user=mailUser password=Rzz-123456
default_pass_scheme = CRYPT
password_query = SELECT email AS user, password FROM mail_users WHERE email='%u';
user_query = SELECT '5000' AS uid, '5000' AS gid
vim /etc/dovecot/conf.d/10-master.conf ---configure 10-master.conf
#default_process_limit = 100
#default_client_limit = 1000
# Default VSZ (virtual memory size) limit for service processes. This is mainly
# intended to catch and kill processes that leak memory before they eat up
# everything.
#default_vsz_limit = 256M
# Login user is internally used by login processes. This is the most untrusted
# user in Dovecot system. It shouldn't have access to anything at all.
#default_login_user = dovenull
# Internal user is used by unprivileged processes. It should be separate from
# login user, so that login processes can't disturb other processes.
#default_internal_user = dovecot
service imap-login {
  inet_listener imap {
    port = 0 ##disable the non-SSL port
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  # Number of connections to handle before starting a new process. Typically
  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
  # is faster. <doc/wiki/LoginProcess.txt>
  #service_count = 1
  # Number of processes to always keep waiting for more connections.
  #process_min_avail = 0
  # If you set service_count=0, you probably need to grow this.
  #vsz_limit = $default_vsz_limit
}
service pop3-login {
  inet_listener pop3 {
    port = 0 ##disable the non-SSL port
  }
  inet_listener pop3s {
    port = 995
    ssl = yes ##enable SSL
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
  # Create inet listener only if you can't use the above UNIX socket
  #inet_listener lmtp {
    # Avoid making LMTP visible for the entire internet
    #address =
    #port =
  #}
}
service imap {
  # Most of the memory goes to mmap()ing files. You may need to increase this
  # limit if you have huge mailboxes.
  #vsz_limit = $default_vsz_limit
  # Max. number of IMAP processes (connections)
  #process_limit = 1024
}
service pop3 {
  # Max. number of POP3 processes (connections)
  #process_limit = 1024
}
service auth {
  # auth_socket_path points to this userdb socket by default. It's typically
  # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
  # full permissions to this socket are able to get a list of all usernames and
  # get the results of everyone's userdb lookups.
  #
  # The default 0666 mode allows anyone to connect to the socket, but the
  # userdb lookups will succeed only if the userdb returns an "uid" field that
  # matches the caller process's UID. Also if caller's uid or gid matches the
  # socket's uid or gid the lookup succeeds. Anything else causes a failure.
  #
  # To give the caller full permissions to lookup all users, set the mode to
  # something else than 0666 and Dovecot lets the kernel enforce the
  # permissions (e.g. 0777 allows everyone full permissions).
  unix_listener auth-userdb {
    mode = 0666
    user = vmail
    #group =
  }
  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
  # Auth process is run as this user.
  #user = $default_internal_user
  user = dovecot
}
service auth-worker {
  # Auth worker process is run as root by default, so that it can access
  # /etc/shadow. If this isn't necessary, the user should be changed to
  # $default_internal_user.
  #user = root
  user = vmail
}
service dict {
  # If dict proxy is used, mail processes should have access to its socket.
  # For example: mode=0660, group=vmail and global mail_access_groups=vmail
  unix_listener dict {
    #mode = 0600
    #user =
    #group =
  }
}
Once the above is configured, restart the dovecot service
systemctl restart dovecot
lsof -i:995 ---check the pop3s port
lsof -i:993 ---check the imaps port
At this point our postfix + dovecot + SSL authentication + MySQL setup is complete. You can create the two accounts zhangsan@rzz.com and lisi@rzz.com in Foxmail, ticking the SSL connection option in the settings (as shown below), then test by sending mail between them; they can also exchange mail with mailbox users in the jll.com domain.