查看“PostfixVirtualMailBoxClamSmtpHowto”的源代码

== Postfix 虚拟邮箱和病毒过滤指南 ==
原文出处：

原文作者：

授权许可：

* [http://creativecommons.org/licenses/by-sa/2.0/ 创作共用协议Attribution-ShareAlike 2.0]
* [http://www.gnu.org/copyleft/fdl.html GNU自由文档许可证]
翻译人员：Hades Enduos

校正人员：

贡献人员：

适用版本：

文章状态：[[等待翻译]]

----




=== Introduction（介绍） ===
In this setup you will be  running a small to medium sized email server with Postfix virtual mailboxes for Separate domains and non-Linux Accounts. I do not intend teach you basic stuff with Postfix here. If you are new to Postfix please work on my PostfixBasicSetupHowto to understand basics and proceed with this howto. Also I will tell you howto integrate with ClamSMTP, an SMTP filter for Postfix and other mail servers that checks for viruses using the ClamAV anti-virus software. It aims to be lightweight, reliable, and simple and easy to configure.

在这个教程中你将学习不使用Linux帐号、利用不同的域名来运行起一个中小型的Postfix虚拟邮件服务器。这不是一篇基础的Postfix教程，如果你是个新手，烦请先阅读学习并理解[[PostfixBasicSetupHowto|如何设置一个基础的Postfix邮件服务器]]。

=== Example Setup（配置说明） ===
In this howto I assume that your are going to host mails for two example domains. Namely '''domain1.com''' and '''domain2.com'''. Be ready to replace these with your actual domains.

在这个教程里我假设你将使用domain1.com和domain2.com这两个虚拟域名来运行邮件服务器。如果你愿意，可以使用真实的域名来代替domain1.com和domain2.com。

=== Install Postfix（安装Postfix） ===
'''To install postfix(安装Postfix)'''

Install the <code><nowiki>postfix</nowiki></code> package.

安装Postfix套件

Install <code><nowiki>mailx</nowiki></code> package for use as command line '''mail''' utility program.

=== Setting Postfix Support for Maildir-style Mailboxes（为Postfix设置Maildir格式的邮箱） ===
Maildir is a format for an e-mail spool that does not require file locking to maintain message integrity because the messages are kept in separate files with unique names. A Maildir is a directory (often named Maildir) with three subdirectories named tmp, new, and cur. The subdirectories should all reside on the same filesystem.

Please find out more about Maildir [http://en.wikipedia.org/wiki/Maildir here]

[http://en.wikipedia.org/wiki/Maildir 请在这里寻找更多关于Maildir格式的说明]

<pre><nowiki>
sudo  vi /etc/postfix/main.cf
</nowiki></pre>
Add the following code segment:

在配置文件中添加以下代码：

<pre><nowiki>
home_mailbox = Maildir/
</nowiki></pre>
Remove the Line <code><nowiki> mailbox_command = procmail -a "$EXTENSION"</nowiki></code>. We are not going to use it.

将mailbox_command = procmail<code><nowiki> -a "$EXTENSION"这一行删除。我们不需要使用它。</nowiki></code>

'''Restart Postfix''' to make changes effect.

重启Postfix激活配置。

<pre><nowiki>
sudo  /etc/init.d/postfix restart
</nowiki></pre>
=== Postfix virtual Mailboxes for Separate Domains and Non-Linux Accounts ===
As a system hosts more and more domains and users, it becomes less desirable to give every user their own Linux system account.

With the Postfix virtual mailbox delivery agent, every recipient address can have its own virtual mailbox. Unlike virtual alias domains, virtual mailbox domains do not need the translation from each recipient addresses into a different address, and owners of a virtual mailbox address do not need to have a Linux system account.

The Postfix virtual mailbox delivery agent looks up the user mailbox pathname, uid and gid via separate tables that are searched with the recipient's mail address. '''Maildir''' style delivery is turned on by terminating the mailbox pathname with "/".

Look at the following figure and it will be our directory structure for mailboxes.

attachment:VhostsDomains.png

I suggest you to transfer all domains into virtual mailboxes. Even if you have setup  postfix with one domain , we will make that domain a virtual domain. Actually you do not need to do this ,but doing this way you will have well organized mail system , and no need to avoid this. Having Postfix host one real domain and the rest virtual means that you will always need to configure Postfix twice: once for each type of domain.

To do that, let's change our <code><nowiki>myhostname</nowiki></code> line in main.cf to read:

<pre><nowiki>
myhostname = localhost
</nowiki></pre>
==== Create Virtual Mailbox Owner ====
In our setup all virtual mailboxes are owned by a fixed uid and gid 5000. If this is not what you want, specify lookup tables that are searched by the recipient's mail address.

'''To create virtual mailbox group:'''

<pre><nowiki>
sudo groupadd -g 5000 vmail
</nowiki></pre>
'''To create virtual mailbox owner:'''

<pre><nowiki>
sudo useradd -m -u 5000 -g 5000 -s /bin/bash vmail
</nowiki></pre>
Open <code><nowiki>main.cf</nowiki></code>

<pre><nowiki>
sudo vi /etc/postfix/main.cf
</nowiki></pre>
==== Setup Postfix to Use Virtual Mailboxes ====（设置Postfix以使用虚拟邮箱）

Then add the following code segment to <code><nowiki>main.cf</nowiki></code>
<br>将下面的代码段添加到 <code><nowiki>main.cf</nowiki></code> 文件中

<pre><nowiki>
virtual_mailbox_domains = /etc/postfix/vhosts
virtual_mailbox_base = /home/vmail
virtual_mailbox_maps = hash:/etc/postfix/vmaps
virtual_minimum_uid = 1000
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
</nowiki></pre>
In the first line, we're using a text file called vhosts. You can actually name this anything you want. Inside this text file will be a simple one-column list of all the domains you are hosting. For example, add your all domains there.
<br>在第一行，我们使用了一个名为“vhosts”的文本文件。你也可以用其他的你想要的名字。在这个文本文件中有一个单栏的列表，其中列出了所有的你所管理的域名。

<pre><nowiki>
sudo vi /etc/postfix/vhosts
</nowiki></pre>
Add the the following codes:
<br>加入以下代码：

<pre><nowiki>
domain1.com
domain2.com
</nowiki></pre>
This is my example use your own domains here.
<br>这里是一个例子，请在这里使用你自己的域名。

The next line <code><nowiki>virtual_mailbox_base</nowiki></code> specifies the base directory where we shall store all of our mail. Again, you can choose anything you want. In our case it will be our <code><nowiki>'''vmail'''</nowiki></code> owners's home directory <code><nowiki>/home/vmail</nowiki></code>
<br>下一行<code><nowiki>virtual_mailbox_base</nowiki></code> 指明了我们存放所有邮件的基础目录。同样的，这里你也可以选择其他你想要的目录。在我们这个例子中，这个目录是<code><nowiki>'''vmail'''</nowiki></code> 所有者的主目录<code><nowiki>/home/vmail</nowiki></code>


The third line points to a text file I called <code><nowiki>'''vmaps'''</nowiki></code>. This is a two column text file. The first column specifies a virtual email address. The second column specifies that persons mailbox location. Just like with real domain hosting, if you specify a '''/''' at the end of the location, it becomes Maildir format. If not, it is mbox. Any way in this howto we use '''Maildir''' format.
<br>第三行指向了一个名为 <code><nowiki>'''vmaps'''</nowiki></code>的文本文件。在这个文件中有两列。第一列指定了虚拟邮件地址。第二列指定了个人邮箱的位置。正如真实的域名主机一样，如果你在路径的最后写上了'''/''' ，那么这个将是Maildir格式。如果没有写这个'''/''' ，那么这个是mbox。在我们这个帮助文档中，我们使用 '''Maildir''' 格式。

Setup this file as in this example:
<br>编辑这个 <code><nowiki>vmaps</nowiki></code> 文件：

<pre><nowiki>
sudo vi /etc/postfix/vmaps
</nowiki></pre>
Format of this file should look like:
<br>文件的格式应该如下：

<pre><nowiki>
info@domain1.com  domain1.com/info/
sales@domain1.com  domain1.com/sales/
info@domain2.com  domain2.com/info/
sales@domain2.com  domain2.com/sales/
</nowiki></pre>
Convert vmaps into a hash file by running:
<br>将 vmaps 转化到 hash 文件：

<pre><nowiki>
sudo postmap /etc/postfix/vmaps
</nowiki></pre>
Remember to execute the above command every time when you add new map.
<br>每一次添加新的映射后请记住再次运行上面的命令。

Restart Postfix to make changes effect.
<br>重启 Postfix 以使更改生效。

<pre><nowiki>
sudo  /etc/init.d/postfix restart
</nowiki></pre>
My example config look like the following
<br>这个例子的配置应该如下：

<pre><nowiki>
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
myhostname = localhost
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = $myhostname
mynetworks = 127.0.0.0/8, 10.0.0.0/24
mailbox_size_limit = 0
home_mailbox = Maildir/
virtual_mailbox_domains = /etc/postfix/vhosts
virtual_mailbox_base = /home/vmail
virtual_mailbox_maps = hash:/etc/postfix/vmaps
virtual_minimum_uid = 1000
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
recipient_delimiter = +
inet_interfaces = all
</nowiki></pre>

==== Test Virtual Mailbox Setup（测试虚拟邮箱的配置） ====
Remember that the directory structure for a particular user is create when you send     he gets his firs mail.

Send a mail for info@domain1.com

In a terminal you can type:

<pre><nowiki>
mail info@domain1.com
</nowiki></pre>
Check the mailbox

<pre><nowiki>
cd /home/vmail/domain1/info/new
ls
</nowiki></pre>
You see a mail file there. If so,  Cheers!!!, you have done it.

=== Setup Non-Linux Accounts ===
Now it's time to work on the non-unix accounts.

There are several popular techniques to do this using services such as OpenLDAP or MySQL and mixing that with Courier IMAP. We won't be using any of those. Instead, we're going to be using something much more simple: plain text files.

In order to do this, we'll be using Dovecot. If you've never heard of it, you will now. '''Dovecot''' is extremely lightweight, flexible, and from what the author says, secure.

Remember the following command will install '''Dovecot''' but removes '''Courier IMAP/POP3''' which if you have installed already them. Take it easy ,let's continue to install it.

==== Install Dovecot IMAP/POP3 server（安装Dovecot IMAP/POP3服务器） ====
Install the following packages: <code><nowiki>dovecot-common dovecot-imapd dovecot-pop3d需要安装的包：dovecot-common dovecot-imapd dovecot-pop3d</nowiki></code>

==== Configure Dovecot（配置Dovecot） ====
You need to setup the '''dovecot''' to work with our setup. If your are following my steps , the best is to backup your original dovecot config file and create a one for you getting a copy of my file which I will list here.

Let's backup original config file:

<pre><nowiki>
sudo mv /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.orig
</nowiki></pre>
Create a new config file and copy my config file into it:

<pre><nowiki>
sudo vi /etc/dovecot/dovecot.conf
</nowiki></pre>
Copy the following code segment and save the file:

<pre><nowiki>
base_dir = /var/run/dovecot/
protocols = imap pop3
log_path = /var/log/dovecot
info_log_path = /var/log/dovecot.info
login_dir = /var/run/dovecot/login
login_chroot = yes
login = imap
login_executable = /usr/lib/dovecot/imap-login
login_user = dovecot
login = pop3
login_executable = /usr/lib/dovecot/pop3-login
valid_chroot_dirs = /var/spool/vmail
default_mail_env = maildir:/home/vmail/%d/%n
imap_executable = /usr/lib/dovecot/imap
pop3_executable = /usr/lib/dovecot/pop3
auth = default
disable_plaintext_auth = no
auth_mechanisms = plain digest-md5
auth_userdb = passwd-file /etc/dovecot/users
auth_passdb = passwd-file /etc/dovecot/passwd
auth_executable = /usr/lib/dovecot/dovecot-auth
auth_user = root
auth_verbose = yes
</nowiki></pre>
----
* '''Note:'''  If you are using/testing with Dapper Drake (Ubuntu 6.04), please use [https://wiki.ubuntu.com/DovecotDapperConf Dovecot config file for Dapper ]
----
* Most of the above config lines are pretty self-explanatory . Few of them I need to explain for your understanding.
* The line '''"default_mail_env = maildir:/home/vmail/%d/%n"''' is particularly important. In our virtual hosting set up, the way we distinguish one user from another is to have them log in with their full email address. For example, when the email account is '''" info@domain1.com "''',  Dovecot does some guessing on its end with your user name. If it just sees something like '''"info"''', it set's a variable called '''"%n"'''to '''"info"'''. If it sees '''" info@domain1.com "''', it will split it up and set '''"%d"''' to '''domain1.com''' and '''"%n"''' to '''"info"'''. Going off of that, if we replace the variables in this line , we get something like: '''maildir:/home/vmail/domain1.com/info'''
* The lines '''"auth_userdb == passwd-file /etc/dovecot/users"''' and  '''"auth_passdb == passwd-file /etc/dovecot/passwd"''' are similar /etc/passwd and /etc/shadow file.
'''The format of these files goes like this:'''

::

<pre><nowiki>
/etc/dovecot/users:
info@domain1.com::5000:5000::/home/vmail/domain1.com/:/bin/false::
</nowiki></pre>
<pre><nowiki>
/etc/dovecot/passwd:
info@domain1.com:$1$G/FqlOG5$Vj0xmc9fKY.UVr8OWr/7C1
</nowiki></pre>
The 5000:5000 corresponds to the '''uid''' and '''gid''' of the "virtual" called '''vmail''' who owns all the mailboxes in the system . The home directory includes everything but the word before the @ in the email address.

==== Create Dovecot Users（创建Dovecot用户） ====
There are no commands like '''useradd''' and '''passwd''' to add users and passwords for our mail system. I will provide small and quick solution with a bash script. Drawback of my system is that it can not delete users, but you can delete them manually opening the files with '''vi''' like ASCII text editor.

===== Script to Add Users =====
Create file:

<pre><nowiki>
sudo vi /usr/sbin/adddovecotuser
</nowiki></pre>
Add the following code segment and save the file:

<pre><nowiki>
#!/bin/bash
echo "$1" > /tmp/user
user=`cat /tmp/user | cut -f1 -d "@"`
domain=`cat /tmp/user | cut -f2 -d "@"`
echo "$user@$domain::5000:5000::/home/vmail/$domain/:/bin/false::" >> /etc/dovecot/users
# Create the needed Maildir directories
/usr/bin/maildirmake.dovecot /home/vmail/$domain/$user 5000:5000
# To add user to Postfix virtual map file and relode Postfix
echo $1  $domain/$user/ >> /etc/postfix/vmaps
postmap /etc/postfix/vmaps
postfix reload
</nowiki></pre>
Make the file executable:

<pre><nowiki>
sudo chmod +x /usr/sbin/adddovecotuser
</nowiki></pre>
Add a user like this:

<pre><nowiki>
sudo adddovecotuser info@domain1.com
</nowiki></pre>
===== Script to Set Passwords =====
First, make sure you have 'mkpasswd' installed:

<pre><nowiki>
which mkpasswd
</nowiki></pre>
This is not installed by default, and since mkpasswd comes with the 'whois' package,  you may have to install this first:

<pre><nowiki>
sudo apt-get install whois
</nowiki></pre>
Create file:

<pre><nowiki>
sudo vi /usr/sbin/mkdovecotpasswd
</nowiki></pre>
Add the following code segment and save the file:

<pre><nowiki>
#!/bin/bash
mkpasswd --hash=md5 $2  > /tmp/hash
echo "$1:`cat /tmp/hash`" >> /etc/dovecot/passwd
</nowiki></pre>
Make the file executable:

<pre><nowiki>
sudo chmod +x /usr/sbin/mkdovecotpasswd
</nowiki></pre>
Add a user like this:

<pre><nowiki>
sudo mkdovecotpasswd info@domain1.com password
</nowiki></pre>
Replace '''password''' with a good password

Restart Dovecot to make changes effect

Let's remove world readable permission from password file for security:

<pre><nowiki>
sudo chmod 640 /etc/dovecot/passwd
</nowiki></pre>
To start Devecot for the first time

<pre><nowiki>
sudo /etc/init.d/dovecot start
</nowiki></pre>
=== Testing Your Setup（测试你的配置） ===
Let's test our system before going production

==== Testing Dovecot POP3 Server（测试Dovecot POP3服务器） ====
Type in a terminal 在控制台输入

<pre><nowiki>
telnet mail.domain1.com 110
</nowiki></pre>
An output like the following will display in your terminal

<pre><nowiki>
Trying 69.60.109.217...
Connected to mail.domain1.com.
Escape character is '^]'.
+OK dovecot ready.
</nowiki></pre>
Type the following code segment in the prompt provided by the Dovecot POP3 server

<pre><nowiki>
user info@domain1.com
pass password
quit
</nowiki></pre>
Final output should be something like this

<pre><nowiki>
Trying 69.60.109.217...
Connected to mail.domain1.com.
Escape character is '^]'.
+OK dovecot ready.
user info@domain1.com
+OK
pass password
+OK Logged in.
quit
+OK Logging out.
</nowiki></pre>
==== Testing Dovecot IMAP Server（测试Dovecot IMAP服务器） ====
Type in a terminal 在控制台输入

<pre><nowiki>
telnet mail.domain1.com 143
</nowiki></pre>
An output like the following will display in your terminal

<pre><nowiki>
Trying 69.60.109.217...
Connected to mail.domain1.com.
Escape character is '^]'.
+OK dovecot ready.
</nowiki></pre>
Type the following code segment in the prompt provided by the Dovecot IMAP server.

<pre><nowiki>
a login info@domain1.com password
a logout
</nowiki></pre>
Final output should be something like this

<pre><nowiki>
Trying 69.60.109.217...
Connected to mail.domain1.com.
Escape character is '^]'.
+OK dovecot ready.
a login info@domain1.com password
a OK Logged in.
a logout
* BYE Logging out
a OK Logout completed.
</nowiki></pre>
=== ClamSMTP SMTP Virus Filter ===
ClamSMTP is an SMTP filter that allows you to check for viruses using the ClamAV anti-virus software. It accepts SMTP connections and forwards the SMTP commands and responses to another SMTP server. The 'DATA' email body is intercepted and scanned before forwarding.

ClamSMTP aims to be lightweight, reliable, and simple rather than have a myriad of options. It's written in C without major dependencies.

ClamSMTP can also be used as a transparent proxy to filter an entire network's SMTP traffic at the router.

==== Installing ClamAV（安装ClamAV） ====
We need ClamAV daemon to work with ClamSMTP. Let's install ClamAV first, with the following packages: <code><nowiki>clamav-daemon clamav</nowiki></code>

==== Installing ClamSMTP（安装ClamSMTP） ====
You need to install the <code><nowiki>clamsmtp</nowiki></code> package.

==== Setting Postfix to use ClamSMTP ====
Postfix supports filtering mail through a filter that acts like an SMTP server. Put the following lines in your Postfix main.cf file:

Open the file:

<pre><nowiki>
sudo vi /etc/postfix/main.cf
</nowiki></pre>
If you have doubt where to add the codes look at my example [https://wiki.ubuntu.com/PostfixClamSmtpMainCf main.cf] file

Add the codes:

<pre><nowiki>
content_filter = scan:127.0.0.1:10026
receive_override_options = no_address_mappings
</nowiki></pre>
The '''content_filter''' tells Postfix to send all mail through the service called 'scan' on '''port 10026'''. We'll set up clamsmtpd to listen on this port later.

Next we add the following to the Postfix master.cf file:

Open the file:

<pre><nowiki>
sudo vi /etc/postfix/master.cf
</nowiki></pre>
If you have doubt where to add the codes look at my example [https://wiki.ubuntu.com/PostfixClamSmtpMasterCf master.cf] file

Add the codes:

<pre><nowiki>
# AV scan filter (used by content_filter)
scan      unix  -       -       n       -       16      smtp
-o smtp_send_xforward_command=yes
# For injecting mail back into postfix from the filter
127.0.0.1:10025 inet  n -       n       -       16      smtpd
-o content_filter=
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks_style=host
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
</nowiki></pre>
Make sure there's no spaces around the equal signs or commas in the text you added. Best way is to copy and my codes here.

The first 2 lines create the '''scan''' service. The rest set up a service for accepting mail back into postfix. All the options prevent a mail loop as well as relax address checking and the like, since that's already been done.

Make sure to run it as the same user as you run clamd or they'll have problems accessing each other's temporary files. You can use the the following accomplish  that.

<pre><nowiki>
sudo adduser clamsmtp clamav
</nowiki></pre>
Restart Postfix, ClamSMTP, and ClamAV Daemon to make your changes effect:

<pre><nowiki>
sudo /etc/init.d/postfix restart
sudo /etc/init.d/clamsmtp restart
sudo /etc/init.d/clamav-daemon restart
</nowiki></pre>
=== Test ClamSMTP for outgoing mail ===
We need to test the our outgoing mail for viruses. Best way is to download '''eicar''' test virus and attach to a mail and send. Let's do it.

Download eicar to you home directory:

<pre><nowiki>
wget http://eicar.org/download/eicar_com.zip
</nowiki></pre>
Send this file as an attachment to ''' info@domain1.com '''

Then check your '''mail.log''' file:

<pre><nowiki>
tail /var/log/mail.log
</nowiki></pre>
You should see something like in your log file.

<pre><nowiki>
Mar  8 17:12:02 localhost clamsmtpd: 100004: from=info@domain1.com, to=info@domain1.com, status=VIRUS:Eicar-Test-Signature
Mar  8 17:12:02 localhost postfix/smtp[15634]: 4A6C852110: to=<info@domain1.com>, relay=127.0.0.1[127.0.0.1], delay=0, status=sent (250 Virus Detected; Discarded Email)
</nowiki></pre>
=== Test ClamSMTP for incoming Mail from the Internet ===
If you have an actual production mail server you can check your mail server for virus provided by [http://www.webmail.us/testvirus webmail.us]. They are sending you harmless test mails with the EICAR virus test signature. Also you can use [http://www.gfi.com/emailsecuritytest/ GFI Security Labs ] for further testing.

=== Final thoughts ===
As I said in the beginning this setup is for a small/medium scale company which has few  hundred of mail accounts. This doesn't mean that  this system is poorly performing. This   setup can handle thousands of account with out any performance issue. What I say is here that we need  something more manageable like MySQL/PostgreSQL backend for users, web-based virtual domain management, password modifications by users, etc in a extensible,  scalable and robust manner.

Hope I have done something for you and Ubuntu.

Yet another howto by: ChinthakaDeshapriya.

----
* [[category:CategoryDocumentation]]