☆postfix安装
在安装Postfix前,需要关闭sendmail服务和开机时的自启动,使用如下命令:
#service sendmail stop
#chkconfig sendmail off
在上下载需要的postfix的rpm安装包,或在RHEL5的安装光盘中找到需要安装的rpm包,然后进行安装:
#rpm -ivh postfix-2.3.3-2.i386.rpm (第三张光盘)
☆postfix收取邮件
为了安全的原因,sendmail和postfix的缺省的配置允许发邮件但是不允许从网络上接收邮件(缺省的它们只接受从回环接口上的连接)。
修改/etc/postfix/main.cf
找到并注释如下行
inet_interfaces = localhost
取消注释该行:
inet_interfaces = all
☆Postfix启动和校验
运行
#service sendmail start
#/etc/init.d/postfix start
使用图形工具
#system-switch-mail
使得postfix成为活跃的MTA。
也可以使用如下的命令行:
#alternatives -set mta /usr/sbin/sendmail.postfix
重新启动命令如下:
#service postfix restart
确定hostname命令正确的返回您的主机名称。确保DNS配置正确应该是您的FQDN。
如果sendmail返回您的主机名称为localhost,您可能错误配置了/etc/hosts文件。检查您的/etc/hosts文件,删除所有的但记住留下localhost的指向,然后再试一遍。如果/etc/hosts文件是正确的,那么检查一下在/etc/sysconfig/netwoek中的HOSTNAME的定义。当这些值都正确的时候,启动postfix服务。
确定postfix在启动的时候没有错误
Red Hat Linux的安装使用提供的syslog工具来记录所有的信息到文件/var/log/maillog中去。检查此文件中的最后查找任何错误信息。
试图向root@server1发送简单的邮件并且检查/var/log/maillog的记录文件
#mail -s `echo $USER` root@panda < /etc/redhat-release
应该如下所示:
Jul 26 20:55:10 localhost postfix/pickup[4902]: 717AB335FE: uid=0 from=
Jul 26 20:55:10 localhost postfix/cleanup[4943]: 717AB335FE: message-id=<20060726125510.717AB335FE@panda.com>
Jul 26 20:55:10 localhost postfix/qmgr[4903]: 717AB335FE: from=, size=314, nrcpt=1 (queue active)
Jul 26 20:55:10 localhost postfix/local[4945]: 717AB335FE: to=, relay=local, delay=0, status=sent (delivered to mailbox)
Jul 26 20:55:10 localhost postfix/qmgr[4903]: 717AB335FE: removed
☆Postfix的别名
在postfix决定消息的接受者的目的地的之前,其先试图在别名中查找。
postfix的主要的别名配置文件是/etc/aliases。为了优化查找,postfix为其别名记录建立了一个哈希表别名数据库/etc/aliases.db(和sendmail类似).该文件通过newaliases命令产生。
下列命令将增加用户student(如果不存在的话)
useradd student
在/etc/aliases 行加入如下的行:
注意:注释root别名的那一行为postfix
me: student
wizards: root, me
methere: panda@panda.com
现在运行
newaliases
更新数据库
尝试发送邮件给您定义的收件人:
echo "hello there" | mail -s "hello" me
echo "hello there" | mail -s "hello" wizards
echo "hello there" | mail -s "hello" methere
是否所有的位于wizards的收件人都受到了邮件?
要确认/etc/mail/access中打开权限
☆postfix允许转发
缺省的postfix允许在子网上的任何人通过您的机器进行转发。但是并不是在每一个环境中都安全的。例如,您的机器和其他机器在一起,如果您的本地子网里有一台机器被其他人控制,那么其他的机器都会有麻烦。
让您的伙伴扮演恶意的垃圾邮件的发送者,该人能够通过telnet到您的机器上的postfix的25号断口,进行垃圾邮件发送地址的欺骗,在panda键入如下命令:
[root@panda mail]# telnet panda 25
Trying 127.0.0.1...
Connected to panda.com (127.0.0.1).
Escape character is '^]'.
220 panda.com ESMTP Postfix
helo root.panda.com
250 panda.com
mail from:panda@panda.com
250 Ok
rcpt to: root@panda.com
250 Ok
data
354 End data with .
Subject: Faked
this was faked!
250 Ok: queued as 9DB2733601
quit
221 Bye
Connection closed by foreign host.
垃圾邮件现在送到您的机器上了。下一步,看看您的伙伴能不能从您的机器转发给第三台机器:
由于您的机器已经被配置成为允许混杂转发,垃圾邮件可以通过您的机器进行邮件转发。
注意/var/log/maillog的变化
☆postfix不允许转发
编辑文件/etc/postfix/main.cf取消转发。
查找并且取消注释下面的行,
mynetworks_style = host
并且重新启动postfix
让您的伙伴再从stationY转发垃圾邮件。您的postfix还是一个转发器么?任何一个转发的都会产生如下的消息:
554 : Recipient address rejected: Relay access denied
☆postfix选择性的转发
对于特定的主机,域或者网络,编辑/etc/postfix/main.cf并且重新启动postfix。对于特定的主机允许通过您的机器进行转发,找到并且取消注释该行:
mynetworks_style = host
然后添加新行来允许转发的主机和网络,在这里允许station1和本地转发
mynetworks = 192.168.152.128, 127.0.0.0/8
☆postfix接收和转发的条件
(1)默认情况下,postfix接收符合以下条件的邮件:
目的地为$inet interfaces的邮件;
目的地为$mydestination的邮件;
目的地为$virtual_alias_maps的邮件。
(2)默认情况下,postfix转发符合以下条件的邮件:
来自客户端IP地址符合$mynetworks的邮件;
来自客户端主机名称符合relay_domains及其子域的邮件;
目的地为$relay_domains及其子域的邮件。
☆主配置文件main.cf
修改/etc/postfix/main.cf的配置:
myhostname = mail.cngnu.org
指定运行postfix服务的邮件主机的主机名称(FQDN名)
mydomain = cngnu.org
指定运行postfix服务的邮件主机的域名称
myorigin = $mydomain
设置由本台邮件主机寄出的每封邮件的邮件头中mail from的地址
inet interfaces = all
默认情况下,inet interfaces参数的值被设置为localhost,这表明只能在本地邮件主机上寄信。如果邮件主机上有多个网络接口,而又不想使全部的网络接口都开放Postfix服务,就可以用主机名指定需要开放的网络接口。不过,通常是将所有的网络接口都开放,以便接收从任何网络接口来的邮件,即将inet interfaces参数的值设置为“all”。
mydestination = $mydomain,$myhostname
只有当发来的邮件的收件人地址与该参数值相匹配时,Postfix才会将该邮件接收下来。例如,这里将该参数值设置为$mydomain,$myhosname,表明无论来信的收件人地址是xxx@cngnu.org(其中,XXX表示某用户的邮件账户名),还是xxx@mail.cngnu.org,Postfix都会接收这些邮件。
mynetworks_style = host
mynetworks = 127.0.0.0/8,192.168.1.0/24
设置可转发(Relay)哪些网络的邮件.可以使用mynetworks参数来设置。可将该参数值设置为所信任的某台主机的IP地址,也可设置为所信任的某个IP子网或多个IP子网(用“,”或者“”分隔)。这里,将mynetworks参数值设置为192.168.16.0/24,则表示这台邮件主机只转发子网192.168.16.0/24中的客户端所发来的邮件,而拒绝为其他子网转发邮件。
relay_domains = gdvcp.net
mynetworks参数是针对邮件来源的IP来设置的,而relay_domains参数则是针对邮件来源的域名或主机名来设置的。例如,将该参数值设置为gdvcp.net,则表示任何由域gdvcp.net发来的邮件都会被认为是信任的,Postfix会自动对这些邮件进行转发。
virtual_alias_domains = dzxx.cn,panda.com
用来指定虚拟别名域的名称
virtual_maps = hash:/etc/postfix/virtual #,mysql:/etc/postfix/virtual.mysql
含有虚拟别名域定义的文件路径。
alias_maps = hash:/etc/aliases
指定含有用户别名定义的文件路径
alias_database = hash:/etc/aliases
指定别名表数据库文件路径。
home_mailbox = Maildir/
mailbox_transport = cyrus
fallback_transport = cyrus
smtpd_sasl_auth_enable = yes
指定是否要启用SASL作为SMTP认证方式。默认不启用,这里必须将它启用,所以要将该参数值设置为“yes”。
smtpd_sasl_local_domain = ''
如果采用Cyrus-SASL V2版进行认证,那么这里不作设置。
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
表示通过收件人地址对客户端发来的邮件进行过滤。通常有以下几种限制规则。
permit_mynetworks:表示只要是收件人地址位于mynetworks参数中指定的网段就可以被转发邮件
permit_sasl_authenticated:表示允许转发通过SASL认证的邮件。
reject_unauth_destination:表示拒绝转发含未信任的目标地址的邮件。
broken_sasl_auth_clients = yes
表示是否兼容非标准的SMTP认证。有一些Microsoft的SMTP客户端(如Outlook Express 4.x)采用非标准的SMTP认证协议,只需将该参数设置为"yes"就可解决这类不兼容问题。
smtpd_client_restrictions = permit_sasl_authenticated
表示限制可以向postfix发起SMTP连接的客户端。如果要禁止未经过认证的客户端向postfix发起SMTP连接,则可将该参数值设置为permit_sasl_authenticated
smtpd_sasl_security_options = noanonymous
用来限制某些登录的方式。如果将该参数值设置为noanonymous,则表示禁止采用匿名登录方式。
permit_mynetworks,
permit_sasl_authenticated,
check_recipient_access mysql:/etc/postfix/filter.mysql,
reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_unknown_sender_domain,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
reject_unauth_pipelining,
reject_unauth_destination,
permit
如果希望支持更多的虚拟域,可以在mydestination参数后面加上你所要支持的域即可。
通过virtual和virtual.mysql为系统提供了邮箱本地查询表。
☆virtual
/etc/postfix/virtual
虚拟别名 实际名
@dzxx.cn @gdvcp.net
admin@panda.com lbt
st123@panda.com st123001,st123002,st123003
daliu@panda.com lbt,liu6812@163.com
☆master.cf
由postfix运行的守护程序
☆pcre_table
地址改写的或邮件路由的perl表达式
☆postfix-files
postfix文件和权限
☆postfix-script
管理postfix,类似start,stop
☆regexp_table
从postfix查找账号的表
用postconf -m来检查
☆relocated
用户转移到新位置,用这里来重定向
☆transport
指定一个传输协议
☆postconf
postconf
测试配置文件
postconf -n
看当前配置文件的路径
☆重启postfix
修改main.cf和virtual,aliases后
postmap /etc/postfix/virtual
生成etc/postfix/virtual.db
postalias /etc/aliases
生成/etc/aliases.db
postfix reload
重载main.cf
☆SMTP认证的配置
如果任何人都可以通过一台邮件服务器来转发邮件,会有什么后果呢?很可能这台邮件服务器就成为了各类广告与垃圾信件的集结地或中转站,网络带宽也会很快被耗尽。为了避免这种情况的出现,MTA默认不会对外开放转发功能,而仅对本机(1ocalhost)开放转发功能。但是,在实际应用中,必须在MTA主配置文件中通过设置mynetworks、relay domains参数来开放一些所信任的网段或网域,否则该邮件服务器几乎没有什么用途。在开放了这些所信任的网段或网域后,还可以通过设置SMTP认证,对要求转发邮件的客户端进行用户身份(用户账户名与密码)验证。只有通过了验证,才能接收该用户寄来的邮件并帮助转发。
目前,比较常用的SMTP认证机制是通过Cyrus-SASI.。包来实现的。
☆Cyrus-SASL
是Cyrus Simple Authentication and Security Layer的简写,它最大的功能是为应用程序提供了认证函数库。应用程序可以通过函数库所提供的功能定义认证方式,并让SASL。通过与邮件服务器主机的沟通从而提供认证的功能。
☆Cyrus-SASL安装
rpm -qa | grep sasl
☆Cyrus-SASL启动
运行saslauthd守护进程
service saslauthd restart
☆Cyrus-SASL认证机制
默认情况下,Cyrus-SASL V2版使用saslauthd这个守护进程进行密码认证,而密码认证的方法有多种,使用下面的命令可查看当前系统中的Cyrus-SASL V2所支持的密码验证机制。
[root@panda mail]# saslauthd -v
saslauthd 2.1.19
authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap
☆saslauthd配置
配置saslauthd使用shadow认证方案:
/etc/sysconfig/saslauthd
MECH=shadow
配置saslauthd使用PAM认证方案(非默认,需要配置pam,否则测试失败):
/etc/sysconfig/saslauthd
MECH=pam
命令行方式启动验证方案:
saslauthd -a shadow
用shadow的用户和密码进行验证
☆测试Cyrus-SASL
ps aux | grep saslauthd
service saslauthd restart
testsaslauthd -u userid -p password
[root@panda ~]# testsaslauthd -u student -p '111111'
0: OK "Success."
如果出现以上信息,就说明saslauthd正常运行了。表示认证功能有效
服务器启动后,可以用telnet连接服务器。
# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 test.tigerhead ESMTP Sendmail 8.12.10/8.12.10; Tue, 30 Mar 2004 14:50:14 +0800
ehlo test (!!!!!!!!注意命令是ehlo)你输入的命令,按回车结束。
250-test.tigerhead Hello LOCALHOST.localdomain [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN #就表明SMTP认证成功
250-DELIVERBY
250 HELP
以250-开头的为服务器的响应信息。注意倒数第三行,这就是成功配置smtp验证的显示。
输入quit离开。
☆Cyrus-SASL配置MTA
postfix中
更改main.cf中的配置
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
建立/usr/lib/sasl2/smtpd.conf
设置Postfix使用SASL的saslauthd认证守护进程来支持smtp auth认证,并只打开了plain和login认证模块:
[root@mail root]# echo pwcheck_method:saslauthd > /usr/lib/sasl2/smtpd.conf
[root@mail root]# echo mech_list: plain login >> /usr/lib/sasl2/smtpd.conf
sendmail中
更改/etc/mail/sendmail.mc
去掉下面俩行的注释
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
如果sendmail没办法收信,就把
DAEMON_OPTIONS(`Port=587, Name=MSA, M=Ea')dnl 改为
DAEMON_OPTIONS(`Port=25, Name=MSA')dnl (这一句不能和DAEMON_OPTIONS(`Port=25, Name=MTA')dnl
同时存在)
建立/usr/lib/sasl2/Sendmail.conf
当sendmail要使用SMTP认证时,必须创建一个SASL的配置文件来把MTA程序定义成一个SASL应用。配置文件名为Sendmail.conf(注意是大写的S),位于/usr/lib/sasl2目录中,也就是/usr/local/sasl2/lib/sasl2这个目录,记得上面新建的链接了吗?在该文件中你定义你希望使用的认证数据库方法,以下这个例子使用saslauthd来验证认证请求。
# echo 'pwcheck_method: saslauthd' > /usr/lib/sasl2/Sendmail.conf(注意大小写)
如果是pwcheck_method: pam的话是直接调用 pam认证
如果是pwcheck_method: saslauth的话要启用 saslauth -a pam ,让saslauth调用pam认证
将这个文件复制成smtpd.conf,即cp Sendmail.conf smtpd.conf,这个文件也要在/usr/lib/sasl2/目录下
在/etc/pam.d/目录下参照其它文件建立一个“smtp”文件(postfix的是smtp.postfix),内容如下:
#%PAM-1.0
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
☆dovecot配置
postfix服务只是一个MTA(邮件传输代理),它只提供SMTP服务,也就是只提供邮件的转发及本地的分发功能。要实现邮件的异地接收,还必须安装POP或IMAP服务。
dovecot提供了这些服务:POP3,POP3S,IMAP,IMAPS
编辑/etc/dovecot.conf文件
在protocols = 一行,加入你需要的的服务
缺省的ports:
imap: 143
imaps: 993
pop3: 110
pop3s: 995
ssl_cert_file 和 ssl_key_file,可以看到dovecot是拿什么文件来做ssl认证的,可以自己创建新的pem文件。
将disable_plaintext_auth 配置为no(非缺省)
将auth_mechanisms配置为plain(缺省的)
将auth_userdb配置为passwd
也就是说缺省为所有local user 都能登录。
将auth_passdb设置为shadow
或者将auth_passdb设置为pam
增加对pop3配置文件。(缺省没有,要自己建立)
/etc/pam.d/pop3文件内容如:
代码:
auth required /lib/security/pam_stack.so service=system-auth
auth required pam_unix.so
auth required pam_listfile.so item=user sense=deny file=/etc/security/dovecot.deny onerr=fail
account required /lib/security/pam_stack.so service=system-auth
#account required pam_access.so
account required pam_unix.so
用了pam_listfile.so模块,当然也可以用pam_access.so模块来限定。
☆dovecot.conf
## Dovecot 1.0 configuration file
# Default values are shown after each value, it's not required to uncomment
# any of the lines. Exception to this are paths, they're just examples
# with real defaults being based on configure options. The paths listed here
# are for configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
# --with-ssldir=/usr/share/ssl
# 运行时存储数据的目录
#base_dir = /var/run/dovecot/
# 加入你需要的的服务:
# imap imaps pop3 pop3s
#protocols = imap imaps
# 监听的IP或者主机地址.
# It's not currently possible to specify multiple addresses.
# "*" 是指定监听所有IPv4的interfaces.
# "[::]" 监听所有IPv6的interfaces,可能会监听所有的IPv4的interfaces但是这个取决于操作系统
# 指定端口的格式是:"host:port".
imap_listen = [::]
pop3_listen = [::]
# 监听SSL连接的IP或主机地址.
# Defaults to above non-SSL equilevants if not specified.
#imaps_listen =
#pop3s_listen =
# 禁用SSL/TLS支持.
#ssl_disable = no
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, 要保证在dovecot-openssl.cnf中更新域
#ssl_cert_file = /usr/share/ssl/certs/dovecot.pem
#ssl_key_file = /usr/share/ssl/private/dovecot.pem
# SSL parameter file. Master process generates this file for login processes.
# It contains Diffie Hellman and RSA parameters.
#ssl_parameters_file = /var/run/dovecot/ssl-parameters.dat
# How often to regenerate the SSL parameters file. Generation is quite CPU
# intensive operation. The value is in hours, 0 disables regeneration
# entirely.
#ssl_parameters_regenerate = 24
# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that 127.*.*.* and
# IPv6 ::1 addresses are considered secure, this setting has no effect if
# you connect from those addresses.
#disable_plaintext_auth = yes
# Use this logfile instead of syslog(). /dev/stderr can be used if you want to
# use stderr for logging (ONLY /dev/stderr - otherwise it is closed).
#log_path =
# For informational messages, use this logfile instead of the default
#info_log_path =
# Prefix for each line written to log file. % codes are in strftime(3)
# format.
#log_timestamp = "%b %d %H:%M:%S "
##
## Login processes
##
# Directory where authentication process places authentication UNIX sockets
# which login needs to be able to connect to. The sockets are created when
# running as root, so you don't have to worry about permissions. Note that
# everything in this directory is deleted when Dovecot is started.
login_dir = /var/run/dovecot-login
# chroot login process to the login_dir. Only reason not to do this is if you
# wish to run the whole Dovecot without roots.
#login_chroot = yes
##
## IMAP login process
##
login = imap
# Executable location.
#login_executable = /usr/libexec/dovecot/imap-login
# User to use for the login process. Create a completely new user for this,
# and don't use it anywhere else. The user must also belong to a group where
# only it has access, it's used to control access for authentication process.
#login_user = dovecot
# Set max. process size in megabytes. If you don't use
# login_process_per_connection you might need to grow this.
#login_process_size = 32
# Should each login be processed in it's own process (yes), or should one
# login process be allowed to process multiple connections (no)? Yes is more
# secure, espcially with SSL/TLS enabled. No is faster since there's no need
# to create processes all the time.
#login_process_per_connection = yes
# Number of login processes to create. If login_process_per_user is
# yes, this is the number of extra processes waiting for users to log in.
#login_processes_count = 3
# Maximum number of extra login processes to create. The extra process count
# usually stays at login_processes_count, but when multiple users start logging
# in at the same time more extra processes are created. To prevent fork-bombing
# we check only once in a second if new processes should be created - if all
# of them are used at the time, we double their amount until limit set by this
# setting is reached. This setting is used only if login_process_per_use is yes.
#login_max_processes_count = 128
# Maximum number of connections allowed in login state. When this limit is
# reached, the oldest connections are dropped. If login_process_per_user
# is no, this is a per-process value, so the absolute maximum number of users
# logging in actually login_processes_count * max_logging_users.
#login_max_logging_users = 256
##
## POP3 login process
##
# Settings default to same as above, so you don't have to set anything
# unless you want to override them.
login = pop3
# Exception to above rule being the executable location.
#login_executable = /usr/libexec/dovecot/pop3-login
##
## Mail processes
##
# Maximum number of running mail processes. When this limit is reached,
# new users aren't allowed to log in.
#max_mail_processes = 1024
# Show more verbose process titles (in ps). Currently shows user name and
# IP address. Useful for seeing who are actually using the IMAP processes
# (eg. shared mailboxes or if same uid is used for multiple accounts).
#verbose_proctitle = no
# Show protocol level SSL errors.
#verbose_ssl = no
# Valid UID range for users, defaults to 500 and above. This is mostly
# to make sure that users can't log in as daemons or other system users.
# Note that denying root logins is hardcoded to dovecot binary and can't
# be done even if first_valid_uid is set to 0.
#first_valid_uid = 500
#last_valid_uid = 0
# Valid GID range for users, defaults to non-root/wheel. Users having
# non-valid GID as primary group ID aren't allowed to log in. If user
# belongs to supplementary groups with non-valid GIDs, those groups are
# not set.
#first_valid_gid = 1
#last_valid_gid = 0
# Grant access to these extra groups for mail processes. Typical use would be
# to give "mail" group write access to /var/mail to be able to create dotlocks.
#mail_extra_groups =
# ':' separated list of directories under which chrooting is allowed for mail
# processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too).
# This setting doesn't affect login_chroot or auth_chroot variables.
# WARNING: Never add directories here which local users can modify, that
# may lead to root exploit. Usually this should be done only if you don't
# allow shell access for users. See doc/configuration.txt for more information.
#valid_chroot_dirs =
# Default chroot directory for mail processes. This can be overridden by
# giving /./ in user's home directory (eg. /home/./user chroots into /home).
#mail_chroot =
# Default MAIL environment to use when it's not set. By leaving this empty
# dovecot tries to do some automatic detection as described in
# doc/mail-storages.txt. There's a few special variables you can use:
# %u - username
# %n - user part in user@domain, same as %u if there's no domain
# %d - domain part in user@domain, empty if user there's no domain
# %h - home directory
# You can also limit a width of string by giving the number of max. characters
# after the '%' character. For example %1u gives the first character of
# username. Some examples:
# default_mail_env = maildir:/var/mail/%1u/%u/Maildir
# default_mail_env = mbox:~/mail/:INBOX=/var/mail/%u
# default_mail_env = mbox:/var/mail/%d/%n/:INDEX=/var/indexes/%d/%n
#default_mail_env =
# Space-separated list of fields to cache for all mails. Currently these
# fields are allowed followed by a list of commands they speed up:
## Envelope - FETCH ENVELOPE and SEARCH FROM, TO, CC, BCC, SUBJECT,
# SENTBEFORE, SENTON, SENTSINCE, HEADER MESSAGE-ID,
# HEADER IN-REPLY-TO
# Body - FETCH BODY
# Bodystructure - FETCH BODY, BODYSTRUCTURE
# MessagePart - FETCH BODY[1.2.3] (ie. body parts), RFC822.SIZE,
# SEARCH SMALLER, LARGER, also speeds up BODY/BODYSTRUCTURE
# generation. This is always set with mbox mailboxes, and
# also default with Maildir.
# Different IMAP clients work in different ways, that's why Dovecot by default
# only caches MessagePart which speeds up most operations. Whenever client
# does something where caching could be used, the field is automatically marked
# to be cached later. For example after FETCH BODY the BODY will be cached
# for all new messages. Normally you should leave this alone, unless you know
# what most of your IMAP clients are. Caching more fields than needed makes
# the index files larger and generate useless I/O.
# With maildir there's one extra optimization - if nothing is cached, indexing
# the maildir becomes much faster since it's not opening any of the mail files.
# This could be useful if your IMAP clients access only new mails.
#mail_cache_fields = MessagePart
# Space-separated list of fields that Dovecot should never set to be cached.
# Useful if you want to save disk space at the cost of more I/O when the fields
# needed.
#mail_never_cache_fields =
# Workarounds for various client bugs:
# oe6-fetch-no-newmail:
# Never send EXISTS/RECENT when replying to FETCH command. Outlook Express
# seems to think they are FETCH replies and gives user "Message no longer
# in server" error. Note that OE6 still breaks even with this workaround
# if synchronization is set to "Headers Only".
# outlook-idle:
# Outlook and Outlook Express never abort IDLE command, so if no mail
# arrives in half a hour, Dovecot closes the connection. This is still
# fine, except Outlook doesn't connect back so you don't see if new mail
# arrives.
# outlook-pop3-no-nuls:
# Outlook and Outlook Express hang if mails contain NUL characters.
# This setting replaces them with 0x80 character.
#client_workarounds =
# Dovecot can notify client of new mail in selected mailbox soon after it's
# received. This setting specifies the minimum interval in seconds between
# new mail notifications to client - internally they may be checked more or
# less often. Setting this to 0 disables the checking.
# NOTE: Evolution client breaks with this option when it's trying to APPEND.
#mailbox_check_interval = 0
# Like mailbox_check_interval, but used for IDLE command.
#mailbox_idle_check_interval = 30
# Allow full filesystem access to clients. There's no access checks other than
# what the operating system does for the active UID/GID. It works with both
# maildir and mboxes, allowing you to prefix mailboxes names with eg. /path/
# or ~user/.
#mail_full_filesystem_access = no
# Maximum allowed length for custom flag name. It's only forced when trying
# to create new flags.
#mail_max_flag_length = 50
# Save mails with CR+LF instead of plain LF. This makes sending those mails
# take less CPU, especially with sendfile() syscall with Linux and FreeBSD.
# But it also creates a bit more disk I/O which may just make it slower.
#mail_save_crlf = no
# Use mmap() instead of read() to read mail files. read() seems to be a bit
# faster with my Linux/x86 and it's better with NFS, so that's the default.
#mail_read_mmaped = no
# By default LIST command returns all entries in maildir beginning with dot.
# Enabling this option makes Dovecot return only entries which are directories.
# This is done by stat()ing each entry, so it causes more disk I/O.
# (For systems setting struct dirent->d_type, this check is free and it's
# done always regardless of this setting)
#maildir_stat_dirs = no
# Copy mail to another folders using hard links. This is much faster than
# actually copying the file. This is problematic only if something modifies
# the mail in one folder but doesn't want it modified in the others. I don't
# know any MUA which would modify mail files directly. IMAP protocol also
# requires that the mails don't change, so it would be problematic in any case.
# If you care about performance, enable it.
#maildir_copy_with_hardlinks = no
# Check if mails' content has been changed by external programs. This slows
# down things as extra stat() needs to be called for each file. If changes are
# noticed, the message is treated as a new message, since IMAP protocol
# specifies that existing messages are immutable.
#maildir_check_content_changes = no
# Which locking methods to use for locking mbox. There's three available:
# dotlock: Create .lock file. This is the oldest and most NFS-safe
# solution. If you want to use /var/mail/ like directory, the users
# will need write access to that directory.
# fcntl : Use this if possible. Works with NFS too if lockd is used.
# flock : May not exist in all systems. Doesn't work with NFS.
# You can use both fcntl and flock too; if you do the order they're declared
# with is important to avoid deadlocks if other MTAs/MUAs are using both fcntl
# and flock. Some operating systems don't allow using both of them
# simultaneously, eg. BSDs. If dotlock is used, it's always created first.
mbox_locks = fcntl
# Should we create dotlock file even when we want only a read-lock? Setting
# this to yes hurts the performance when the mailbox is accessed simultaneously
# by multiple processes, but it's needed for reliable reading if no other
# locking methods are available.
#mbox_read_dotlock = no
# Maximum time in seconds to wait for lock (all of them) before aborting.
#mbox_lock_timeout = 300
# If dotlock exists but the mailbox isn't modified in any way, override the
# lock file after this many seconds.
#mbox_dotlock_change_timeout = 30
# umask to use for mail files and directories
#umask = 0077
# Drop all privileges before exec()ing the mail process. This is mostly
# meant for debugging, otherwise you don't get core dumps. Note that setting
# this to yes means that log file is opened as the logged in user, which
# might not work. It could also be a small security risk if you use single UID
# for multiple users, as the users could ptrace() each others processes then.
#mail_drop_priv_before_exec = no
##
## IMAP process
##
# Executable location
#imap_executable = /usr/libexec/dovecot/imap
# Set max. process size in megabytes. Most of the memory goes to mmap()ing
# files, so it shouldn't harm much even if this limit is set pretty high.
#imap_process_size = 256
# Support for dynamically loadable modules.
#imap_use_modules = no
#imap_modules = /usr/lib/dovecot/imap
##
## POP3 process
##
# Executable location
#pop3_executable = /usr/libexec/dovecot/pop3
# Set max. process size in megabytes. Most of the memory goes to mmap()ing
# files, so it shouldn't harm much even if this limit is set pretty high.
#pop3_process_size = 256
# Support for dynamically loadable modules.
#pop3_use_modules = no
#pop3_modules = /usr/lib/dovecot/pop3
##
## Authentication processes
##
# An Authentication process is a child process used by Dovecot that
# handles the authentication steps. The steps cover an authentication
# mechanism (auth_mechanisms, how the client authenticates in the IMAP or
# POP3 protocol), which password database should be queried (auth_passdb),
# and which user database should be queried (auth_userdb, to obtain
# UID, GID, and location of the user's mailbox/home directory).
# You can have multiple processes, though a typical configuration will
# have only one. Each time "auth = xx" is seen, a new process
# definition is started. The point of multiple processes is to be able
# to set stricter permissions. (See auth_user below.)
# Just remember that only one Authentication process is asked for the
# password, so you can't have different passwords accessible through
# different process definitions (unless they have different
# auth_mechanisms, and you're ok with having different password for
# each mechanisms).
# Authentication process name.
auth = default
# Specifies how the client authenticates in the IMAP protocol.
# Space separated list of permitted authentication mechanisms:
# anonymous plain digest-md5 cram-md5
# anonymous - No authentication required.
# plain - The password is sent as plain text. All IMAP/POP3 clients
# support this, and the password can be encrypted by Dovecot to match
# any of the encryption schemes used in password databases.
# digest-md5 and cram-md5 - both encrypt the password so it is more
# secure in transit, but are not well supported by clients, and
# require that the password database use a matching encryption
# scheme (or be in plaintext).
# See auth.txt for more details.
# If you are using SSL there is less benefit to digest-md5 and
# cram-md5 as the communication is already encrypted.
auth_mechanisms = plain
# Space separated list of realms for SASL authentication mechanisms that need
# them. You can leave it empty if you don't want to support multiple realms.
# Many clients simply use the first one listed here, so keep the default realm
# first.
#auth_realms =
# Default realm/domain to use if none was specified. This is used for both
# SASL realms and appending @domain to username in plaintext logins.
#auth_default_realm =
# Where user database is kept:
# passwd: /etc/passwd or similiar, using getpwnam()
# passwd-file : passwd-like file with specified location
# static uid= gid= home=: static settings
# vpopmail: vpopmail library
# ldap : LDAP, see doc/dovecot-ldap.conf
# pgsql : a PostgreSQL database, see doc/dovecot-pgsql.conf
auth_userdb = passwd
# Where password database is kept:
# passwd: /etc/passwd or similiar, using getpwnam()
# shadow: /etc/shadow or similiar, using getspnam()
# pam [ | *]: PAM authentication
# passwd-file : passwd-like file with specified location
# vpopmail: vpopmail authentication
# ldap : LDAP, see doc/dovecot-ldap.conf
# pgsql : a PostgreSQL database, see doc/dovecot-pgsql.conf
#auth_passdb = pgsql /usr/local/etc/dovecot-pgsql.conf
auth_passdb = pam
#auth_executable = /usr/libexec/dovecot/dovecot-auth
# Set max. process size in megabytes.
#auth_process_size = 256
# User to use for the process. This user needs access to only user and
# password databases, nothing else. Only shadow and pam authentication
# requires roots, so use something else if possible. Note that passwd
# authentication with BSDs internally accesses shadow files, which also
# requires roots.
auth_user = root
# Directory where to chroot the process. Most authentication backends don't
# work if this is set, and there's no point chrooting if auth_user is root.
#auth_chroot =
# Number of authentication processes to create
#auth_count = 1
# List of allowed characters in username. If the user-given username contains
# a character not listed in here, the login automatically fails. This is just
# an extra check to make sure user can't exploit any potential quote escaping
# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
# set this value to empty.
#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
# Username to use for users logging in with ANONYMOUS SASL mechanism
#auth_anonymous_username = anonymous
# More verbose logging. Useful for figuring out why authentication isn't
# working.
#auth_verbose = no
# Even more verbose logging for debugging purposes. Shows for example SQL
# queries.
#auth_debug = no
# digest-md5 authentication process. It requires special MD5 passwords which
# /etc/shadow and PAM doesn't support, so we never need roots to handle it.
# Note that the passwd-file is opened before chrooting and dropping root
# privileges, so it may be 0600-root owned file.
#auth = digest_md5
#auth_mechanisms = digest-md5
#auth_realms =
#auth_userdb = passwd-file /etc/passwd.imap
#auth_passdb = passwd-file /etc/passwd.imap
#auth_user = imapauth
#auth_chroot =
# if you plan to use only passwd-file, you don't need the two auth processes,
# simply set "auth_methods = plain digest-md5"
☆Mail测试
[root@mail root]# mail virtualuser@cngnu.org
Subject: test by me
this is a test.
CC:
[root@mail root]# mailq
Mail queue is empty
[root@mail root]# tail /var/log/maillog
使用mailq来查看邮件队列是否有错误,并查看/var/log/mail/*是否有错误信息。如果一切正常,说明信件已经发送到tester了。
☆测试pop/imap
测试收信,先测试POP3:
telnet panda 110
然后输入:
user username
+OK
pass password (注意是pass)
如果LOGIN成功,会有提示。
+OK Logged in.
list
+OK 2 messages:
1 849
2 823
这样的返回信息说明已经一切正常,可以提供服务了。
STAT
+OK 2 1672
TOP 1
+OK
Return-Path:
Received: from panda ([192.168.152.1])
by panda.panda.com (8.13.1/8.13.1) with SMTP id k7KJE2DZ004002
for ; Mon, 21 Aug 2006 03:14:02 +0800
Date: Mon, 21 Aug 2006 03:14:02 +0800
From: student@panda.panda.com
Message-Id: <200608201914.k7KJE2DZ004002@panda.panda.com>
To:
Subject: =?utf-8?B?TWljcm9zb2Z0IE9mZmljZSBPdXRsb29rIOa1i+ivlea2iOaBrw==?=
MIME-Version: 1.0
Content-Type: text/plain;
charset="utf-8"
Content-Transfer-Encoding: 8bit
X-IMAPbase: 1154223507 6
Status: O
X-UID: 5
Content-Length: 120
X-Keywords:
DELE 1
+OK Marked to be deleted.
QUIT
+OK Sayonara
Connection closed by foreign host.
再测试IMAP:
imtest -m login -a panda@panda.panda.com localhost
C: C01 CAPABILITY
S: * OK mail.cngnu.org Cyrus IMAP4 v2.1.16 server ready
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE
S: C01 OK Completed
Password:
C: L01 LOGIN virtualuser {6}
+ go ahead
C:
L01 OK User logged in
Authenticated.
Security strength factor: 0
. select inbox
* FLAGS (\Answered \Flagged \Draft \Deleted \Seen)
* OK [PERMANENTFLAGS (\Answered \Flagged \Draft \Deleted \Seen \*)]
* 1 EXISTS
* 1 RECENT
* OK [UIDVALIDITY 1021736432]
* OK [UIDNEXT 3]
. OK [READ-WRITE] Completed
. fetch 1:1 (FLAGS BODY[HEADER.FIELDS (DATE FROM)])
* 1 FETCH (FLAGS (\Seen) BODY[HEADER.FIELDS (DATE FROM)] {68}
Date: Mon, 20 May 2002 09:26:09 +0800 (CST)
From: wxy@cngnu.org
)
. OK Completed
. logout
* BYE LOGOUT received
. OK Completed
☆procmail
邮件分拣
Linux的sendmail使用procmail作为信件的最终投递代理。这个程序有一些非常有用的 ,对于我们来说,最重要的功能是信件的自动过滤和分拣功能。
信件分拣大概是用户最希望的功能,它按照邮件的文件头(发信地址,收信地址等等 )甚至邮件的正文进行归类,并且可以自动存放在各个文件中或者转发给别的用户账号 。马上我们会看到,用procmail配置自动分拣是一件非常容易的事情。
通常的sendmail配置中已经使用了procmail作为邮件最终投递代理,如果你的sendmail已经改乱了,可以使用FEATURE(local_procmail)设置这个功能。
procmail主要依靠用户宿主目录下面的.procmailrc中的信息来处理邮件.如果这个配 制文件不存在,则procmail只是简单的将邮件保存到用户的信箱中.
一般来说,.procmailrc文件由配置行和行为规则组成,规则的一般格式是
0 选项
[零个或多个条件,每个一行]
[动作命令] [动作命令]
0表示开始一条规则,后面可以加上一些单字符的选项,选项主要有下面的一些:
H 搜索匹配邮件头部
B 搜索匹配整个邮件
D 匹配时区分大小写
A 如果前面最近的一个没有A或a选项的规则执行,执行本规则
a 如果上面一条规则执行,则本规则执行
E 同A相反,前面最近的没有E或e选项的规则没有执行,则执行本规则
e 同a相反
h 通过管道传送邮件首部(缺省)
b 通过管道传送邮件主体(缺省)
c 复制一个邮件
I 忽略所有写操作中的错误
r 原始模式,即procmail不对mail进行任何模式的处理
条件用一个*号开始,后面跟上正则表达式
动作命令就是procmail在规则成功之后使用的命令,一般的命令有下面一些:
{}
开始一个语句段,表示把一组命令集合成一个动作。如果你要嵌套处理规则,(例如 ,对于来自test的邮件,区分是含有computer字符串还是含有physics字符串)那么必须 使用语句段把子规则括起来。
!
转发信件给某个用户
|
启用管道将邮件传送给后面的程序,例如|auto-reply表示启动auto-reply程序并且将 邮件内容作为标准输入传递给它。
任意文件名
将邮件存入某个文件。如果文件已经存在,就添加在文件的末尾。
对于熟悉perl或C语言的的用户,很容易用procmail的管道功能做出邮件的自动回复程序,这里不再介绍了,想进一步了解procmail的用户可以用
☆使用POP客户端
所有的现在的邮件用户代理(MUA),例如netscape,elm,Outlook,pine和mutt都是使用POP的,可以被用作POP的客户端。每一个的配置都有所不同。同样有一个流行字符界面的的POP客户端叫做fetchmail。fetchmail是高度的可配置的,可以查询多个邮箱,可以作为守护进程运行,这样使得其每五分钟查询用户的邮箱。fetchmail在主机上递送邮件到邮件传送代理(MTA),例如sendmail。我们将勾画出以后如何安装fetchmail和使用其来查询我们装过的POP服务器。
注意到有很多选项可以影响fetchmail的行为。建立一个~/.fetchmailrc文件如下所示:
~student/.fetchmailrc
poll stationX.exmaple.com with protocol pop3: user studentXX there is user studentXX here password "password"
由于密码存储在该文件中,因此fetchmail将会拒绝运行除非您把该文件的属性设定为对于仅仅文件的所有者只读。注意还可以使用chown改变由root创建的文件的所有者为studentXX。
chmod 600 ~student/.fetchmailrc
chown student.student ~student/.fetchmailrc
尝试使用studentXX登陆到POP3邮箱
echo "hello student" | mail -s "Hola" student
su - student
fetchmail -v
exit
fetchmail能不能接收到student的POP邮件?将递送student的邮件到哪里?比从本地获取POP邮件有意义么?
让您的伙伴在另外一台机器上建立相同的~/.fetchmailrc文件(或者配置其它诸如mozilla的MTA)试图从您的服务器上进行收信。
☆fetchmail
许多用户有多个邮件账户,有些在你的管理范围之内,有些在别的服务器上面。管理 所有这些邮件是非常恶心的事情。另外,也许你的系统仅仅是一个拨号代理(参考第八 章),不可能始终接在internet上面。你需要的是在系统连接到internet的时候发出电 子邮件,同时自动去接收电子邮件。在国内,典型的做法是每人申请一个本地电子邮件 账户和一个免费电子邮件账号,问题就是,如何从另外的ISP提供的电子邮件账号哪里自 动地接收邮件?
当然你可以让你的用户自己解决这个问题,不过这种僵硬的方法不见得合适。一般我 们采用另外的办法,就是fetchmail,它是一个自动的邮件接力程序,可以让它从远程的 pop3账号处取得邮件,然后扔进用户的本地邮箱。(关于pop3的情况参考下一节)
可以直接用命令行调用fetchmail:
$ fetchmail -p [协议] -u [用户名] [服务器]
fetchmail得到的信息将直接投入localhost机器,账号是你启动fetchmail时使用的账 号。
$ fetchmail -p POP3 -u yuanban mail.asnc.edu.cn
Enter password for yuanban@mail.asnc.edu.cn:
使用pop3协议从mail.asnc.edu.cn取得yuanban的信件。fetchmail要求你输入yuanba n的密码,然后进行验证,成功的话会出现下面的信息:
1 message for yuanban at mail.asnc.edu.cn (551840 octets).
reading message 1 of 1 (551840 octets) ................................... .....d
表示已经完成了一封信件的转交。
对于更复杂的情况,建议你使用fetchmail的配置文件,即用户宿主目录下面的.fetc hmailrc。这个文件的详细资料可以参考fetchmail的文档,这里只用一个简单地例子来 介绍它。我们看一个简单的.fetchmailrc范例:
set syslog
set postmaster "isee"
poll 202.96.44.11 with proto POP3 and options
envelope Delivered-To:
user "mere" there with password "xxxxxxx" is isee@snail.home here
no keep
user "isee" there with password "yyyyyyy" is isee@snail.home here
no keep
这个范例相当简单。fetchmail在读取配置文件的时候会忽略所有的"there","here", "and","with","has","wants","options"之类的单词。
第一行set syslog程序定义fetchmail的记录文件使用系统记录功能。set postmaste r设置的是出错时的管理员账号,接下来的poll行定义了fetchmail使用的协议为POP3, 连接的服务器是202.96.44.11。
envelope Delivered-To:这个选项比较有趣,它在信封上加上一个Delivered-To说明 ,这主要是为了让fetchmail可以把信件投递到一些使用qmail(见下面)的系统中。
接下来是fetchmail的主体部分,一个user的行定义了一个接力方法,现在的定义是取 得202.96.44.11服务器上mere账号的信件,取信的口令是xxxxxxx,然后投递到isee@sn ail.home,同样,isee的信件也被自动投递到isee@snail.home。no-keep选项表示不在 原始服务器上保留邮件。
下面是配置fetchmail的一些常用选项:
set logfile 制定log文件
set syslog 使用系统log文件
via 指定DNS机器名来取代poll中的机器明
proto 指定协议
port 指定端口
timeout 指定超时时间
interface 指定网络界面
user 指定远程用户
is 将本地用户和远程用户联系起来
to 同is
pass 口令
preconnect 连接开始前执行的外部命令
postconnect 连接结束后执行的外部命令
keep 在服务器上保留邮件备份
no keep 不保留邮件备份
在配置了.fetchmailrc之后,只要直接执行fetchmail就可以实现自动的信件投递了。 实际上,你甚至可能使用fetchmail作为一个daemon程序来实现自动的邮件转交,或是设 置fetchmail让它支持qmail的虚拟域。
在fetchmail的发行版本中还提供了一个图形化的fetchmail配置程序,称为fetchmail conf。如果你对fetchmail的语法感到困难,只要使用这个程序就可以进行配置。启动这 个程序的方法很简单,直接在xterm下面执行fetchmailconf &:
图7.1 配置fetchmail
选择configure fetchmail出现:
图7.2 配置fetchmail(2)
只要选择Novice Configuration,然后出现服务器设置选单:
图7.3 配置fetchmail(3)
在New Server中加入你准备收信的服务器,然后回车,服务器名字就会出现在列表框 中,双击服务器名字,编辑关于服务器的设置:
图7.4 配置fetchmail(4)
设置服务器的类型和服务器上的账户名字,双击账户名字并且输入对应的密码以及和 本地账户之间的对应关系,OK退出就可以了
☆squirrelmail
rpm -q squirrelmail
squirrelmail的主配置文件为/etc/squirrelmail/config.php
更改这个配置用/usr/share/squirrelmail/config/conf.pl
更方便