在 CentOS 7 上搭建属于自己的邮件系统
跟朋友整了一堆活,总得要留下邮箱收集民意~由于项目的敏感性,我们需要一个属于自己的email服务器,于是便开始搭建了。
所需工具:域名,可以PTR的公网IP机器,二级域名证书
原理:
先安装环境:
yum -y install epel-release yum update yum -y install dovecot dovecot-mysql opendkim postfix pypolicyd-spf wget
mysql的话自行安装,如果已经配置好宝塔之类的可以忽略的
进入mysql命令行界面:
mysql -u root -p
然后创建数据库,添加用户,给予用户操作权限
CREATE USER 'mail_sys'@'localhost' IDENTIFIED BY 'mail_sys'; CREATE DATABASE mail_sys; GRANT SELECT ON mail_sys.* TO 'mail_sys'@'localhost' IDENTIFIED BY 'mail_sys'; FLUSH PRIVILEGES; USE mail_sys; CREATE TABLE `domains` ( `id` int(20) NOT NULL auto_increment, `name` varchar(100) NOT NULL, PRIMARY KEY (`id`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8; CREATE TABLE `users` ( `id` int(20) NOT NULL auto_increment, `domain_id` int(20) NOT NULL, `password` varchar(200) NOT NULL, `email` varchar(200) NOT NULL, PRIMARY KEY (`id`), UNIQUE KEY `email` (`email`), FOREIGN KEY (domain_id) REFERENCES domains(id) ON DELETE CASCADE ) ENGINE=InnoDB DEFAULT CHARSET=utf8; CREATE TABLE `aliases` ( `id` int(20) NOT NULL auto_increment, `domain_id` int(20) NOT NULL, `source` varchar(200) NOT NULL, `destination` varchar(200) NOT NULL, PRIMARY KEY (`id`), FOREIGN KEY (domain_id) REFERENCES domains(id) ON DELETE CASCADE ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
添加域名:
INSERT INTO `mail_sys`.`domains` (`id` ,`name`)
VALUES ('<域名索引号>', '<域名>');添加用户:
INSERT INTO `mail_sys`.`users`
(`id`, `domain_id`, `password` , `email`) VALUES
('<用户索引号>', '<域名索引号>', ENCRYPT('<密码>', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16))), '<邮箱地址>');设置邮件专用用户:
groupadd -g 2000 mail_sys useradd -g mail_sys -u 2000 mail_sys -d /var/spool/mail -s /sbin/nologin chown -R mail_sys:mail_sys /var/spool/mail
接下来配置postfix,首先先配置main.cf
cat > /etc/postfix/main.cf << EOF
请按实际情况以及注释提示修改以下内容,完成后去除 # 号和后面的注释,然后粘贴到命令行窗口中按回车即可
mydomain = example.com # 您的域名,需要修改
myhostname = mail.example.com # 您的域名前面加上 mail. 需要修改
mydestination = localhost
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_protocols = all
inet_interfaces = all
smtp_address_preference = ipv4
smtpd_banner = ESMTP
biff = no
append_dot_mydomain = no
readme_directory = no
virtual_transport = lmtp:unix:private/dovecot-lmtp
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
virtual_mailbox_domains = mysql:/etc/postfix/mysql_mailbox_domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox_maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql_alias_maps.cf
smtpd_sender_login_maps = mysql:/etc/postfix/mysql_mailbox_maps.cf, mysql:/etc/postfix/mysql_alias_maps.cf
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain, reject_sender_login_mismatch
smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_sasl_authenticated, reject_unauth_destination, check_policy_service unix:private/policyd-spf
virtual_uid_maps = static:2000
virtual_gid_maps = static:2000
message_size_limit = 102400000
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_tls_cert_file=/etc/pki/tls/certs/cert.pem # mail.example.com 证书文件位置,需要修改
smtpd_tls_key_file=/etc/pki/tls/private/key.pem # mail.example.com 证书私钥文件位置,需要修改
smtpd_tls_session_cache_database = btree:\${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:\${data_directory}/smtp_scache
smtpd_tls_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_ciphers = high
smtpd_tls_ciphers = high
smtpd_tls_mandatory_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_mandatory_ciphers = high
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
tls_preempt_cipherlist = yes
smtpd_tls_received_header = yes
policyd-spf_time_limit = 3600
EOF修改master.cf,执行以下命令:
cat > /etc/postfix/master.cf << EOF
以下内容直接粘贴到命令行窗口中按回车即可。
smtp inet n - n - - smtpd submission inet n - n - - smtpd -o smtpd_tls_security_level=encrypt smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes pickup unix n - n 60 1 pickup cleanup unix n - n - 0 cleanup qmgr unix n - n 300 1 qmgr tlsmgr unix - - n 1000? 1 tlsmgr rewrite unix - - n - - trivial-rewrite bounce unix - - n - 0 bounce defer unix - - n - 0 bounce trace unix - - n - 0 bounce verify unix - - n - 1 verify flush unix n - n 1000? 0 flush proxymap unix - - n - - proxymap proxywrite unix - - n - 1 proxymap smtp unix - - n - - smtp relay unix - - n - - smtp -o smtp_helo_timeout=120 -o smtp_connect_timeout=120 showq unix n - n - - showq error unix - - n - - error retry unix - - n - - error discard unix - - n - - discard local unix - n n - - local virtual unix - n n - - virtual lmtp unix - - n - - lmtp anvil unix - - n - 1 anvil scache unix - - n - 1 scache policyd-spf unix - n n - 0 spawn user=mail_sys argv=/usr/libexec/postfix/policyd-spf EOF
开始对接mysql,执行下面的命令:
cat > /etc/postfix/mysql_mailbox_domains.cf << EOF
以下内容直接粘贴到命令行窗口中按回车即可。
user = mail_sys password = mail_sys hosts = localhost dbname = mail_sys query = SELECT 1 FROM domains WHERE name='%s' EOF
执行以下命令:
cat > /etc/postfix/mysql_mailbox_maps.cf << EOF
以下内容直接粘贴到命令行窗口中按回车即可。
user = mail_sys password = mail_sys hosts = localhost dbname = mail_sys query = SELECT email FROM users WHERE email='%s' EOF
执行下面的命令:
cat > /etc/postfix/mysql_alias_maps.cf << EOF以下内容直接粘贴到命令行窗口中按回车即可。
user = mail_sys
password = mail_sys
hosts = localhost
dbname = mail_sys
query = SELECT destination FROM aliases WHERE source='%s'
EOF接下来配置dovecot
执行以下命令:
cat > /etc/dovecot/dovecot.conf << EOF以下内容直接粘贴到命令行窗口中按回车即可。
protocols = imap lmtp
dict {
}
!include conf.d/*.conf
!include_try local.conf
EOF执行以下命令:
cat > /etc/dovecot/conf.d/10-mail.conf << EOF以下内容直接粘贴到命令行窗口中按回车即可。
namespace inbox {
inbox = yes
}
first_valid_uid = 1000
mbox_write_locks = fcntl
mail_location = maildir:/var/spool/mail/%d/%n
mail_privileged_group = mail
EOF修改 conf.d/15-mailboxes.conf
执行以下命令:
cat > /etc/dovecot/conf.d/15-mailboxes.conf << EOF以下内容直接粘贴到命令行窗口中按回车即可。
namespace inbox {
mailbox Drafts {
auto = create
special_use = \Drafts
}
mailbox Trash {
auto = create
special_use = \Trash
}
mailbox Sent {
auto = create
special_use = \Sent
}
}
EOF执行以下命令:
cat > /etc/dovecot/conf.d/10-auth.conf << EOF以下内容直接粘贴到命令行窗口中按回车即可。
auth_mechanisms = plain login
!include auth-sql.conf.ext
EOF执行以下命令:
cat > /etc/dovecot/conf.d/auth-sql.conf.ext << EOF以下内容直接粘贴到命令行窗口中按回车即可。
passdb {
driver = sql
args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
driver = static
args = uid=mail_sys gid=mail_sys home=/var/spool/mail/%d/%n
}
EOF执行以下命令:
cat > /etc/dovecot/dovecot-sql.conf.ext << EOF以下内容直接粘贴到命令行窗口中按回车即可。
driver = mysql
connect = host=localhost dbname=mail_sys user=mail_sys password=mail_sys
default_pass_scheme = SHA512-CRYPT
password_query = SELECT email as user, password FROM users WHERE email='%u';
EOF执行以下命令:
cat > /etc/dovecot/conf.d/10-ssl.conf << EOF请按实际情况以及注释提示修改以下内容,完成后去除 # 号和后面的注释,然后粘贴到命令行窗口中按回车即可。
ssl = required
ssl_cert = </etc/pki/tls/certs/cert.pem # mail.example.com 证书文件位置,需要修改
ssl_key = </etc/pki/tls/private/key.pem # mail.example.com 证书私钥文件位置,需要修改
ssl_protocols = TLSv1.2 TLSv1.1 !TLSv1 !SSLv2 !SSLv3
ssl_cipher_list = ALL:!MD5:!DES:!ADH:!RC4:!PSD:!SRP:!3DES:!eNULL:!aNULL
EOF执行以下命令:
cat > /etc/dovecot/conf.d/10-master.conf << EOF以下内容直接粘贴到命令行窗口中按回车即可。
service imap-login {
inet_listener imap {
port = 143
}
inet_listener imaps {
port = 993
ssl = yes
}
}执行以下命令:
cat > /etc/dovecot/conf.d/15-lda.conf << EOF以下内容直接粘贴到命令行窗口中按回车即可。
postmaster_address = postmaster@%d
protocol lda {
}
EOF配置opendkim:
执行以下命令:
postmaster_address = postmaster@%d
protocol lda {
}
EOF请按实际情况以及注释提示修改以下内容,完成后去除 # 号和后面的注释,然后粘贴到命令行窗口中按回车即可。
Syslog yes
UMask 002
OversignHeaders From
Socket inet:8891@127.0.0.1
Domain example.com # 您的域名,需要修改
KeyFile /etc/opendkim/keys/mail.private
Selector mail
RequireSafeKeys no
EOF接下来生成私钥,下面的 example.com 请替换成您的域名。
opendkim-genkey -D /etc/opendkim/keys/ -d example.com -s mail && \
chown -R opendkim:opendkim /etc/opendkim/keys/配置发件增加dkim签名,
执行以下命令:
cat >> /etc/postfix/main.cf << EOF以下内容直接粘贴到命令行窗口中按回车即可。
milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = inet:127.0.0.1:8891
EOF最后启动所有服务,并开启开机自启:
systemctl start postfix dovecot opendkim
systemctl enabled postfix dovecot opendkim开始配置解析:
A记录:在域名控制面板中添加一条记录,主机记录填 @ ,记录类型选 A 记录值填 1.1.1.1 ,其他保持默认,保存即可。再添加一条记录,主机记录填 mail ,记录类型选 A ,记录值填 1.1.1.1,其他保持默认,保存即可。
MX记录:在域名控制面板中添加一条记录,主机记录填 @ ,记录类型选 MX ,记录值填 mail.example.com,其他保持默认;
SPF记录:在域名控制面板中添加一条记录,主机记录填 @ ,记录类型选 TXT ,记录值填 v=spf1 mx -all,其他保持默认,保存即可。
DMRAC记录:在域名控制面板中添加一条记录,主机记录填 _dmarc ,记录类型选 TXT ,记录值填 v=DMARC1; p=reject,其他保持默认,保存即可。
DKIM记录:
执行以下命令:
cat /etc/opendkim/keys/mail.txt把括号内的值复制出来,去掉所有引号并整理成一行,形如:
在域名控制面板中添加一条记录,主机记录填 mail._domainkey ,记录类型选 TXT ,记录值填刚刚复制的一行
去outlook或者foxmail里测试即可
如果被拒信大概率是因为IP的PTR记录不对
