UbuntuHelp:Postfix
来自Ubuntu中文
目录
Introduction
Postfix is a Mail Transfer Agent
(MTA) which is the default MTA for Ubuntu. It is in Ubuntu's main repository, which means that it receives security updates. This guide explains how to install and configure postfix and set it up as an SMTP server using a secure connection.
Installation
In order to install Postfix with SMTP-AUTH and TLS do the following steps:
apt-get install postfix libsasl2 sasl2-bin libsasl2-modules libdb3-util procmail
Configuration
Run:
dpkg-reconfigure postfix
Insert the following details when asked (replacing server1.example.com with your domain name if you have one):
- Internet Site
- NONE
- server1.example.com
- server1.example.com, localhost.example.com, localhost
- No
- 127.0.0.0/8
- Yes
- 0
- +
- all
Then run the following commands:
postconf -e 'smtpd_sasl_local_domain =' postconf -e 'smtpd_sasl_auth_enable = yes' postconf -e 'smtpd_sasl_security_options = noanonymous' postconf -e 'broken_sasl_auth_clients = yes' postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination' postconf -e 'inet_interfaces = all' echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf mkdir /etc/postfix/ssl cd /etc/postfix/ssl/ openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024 chmod 600 smtpd.key openssl req -new -key smtpd.key -out smtpd.csr openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt openssl rsa -in smtpd.key -out smtpd.key.unencrypted mv -f smtpd.key.unencrypted smtpd.key openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650 postconf -e 'smtpd_tls_auth_only = no' postconf -e 'smtp_use_tls = yes' postconf -e 'smtpd_use_tls = yes' postconf -e 'smtp_tls_note_starttls_offer = yes' postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key' postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt' postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem' postconf -e 'smtpd_tls_loglevel = 1' postconf -e 'smtpd_tls_received_header = yes' postconf -e 'smtpd_tls_session_cache_timeout = 3600s' postconf -e 'tls_random_source = dev:/dev/urandom' postconf -e 'myhostname = server1.example.com'
The file /etc/postfix/main.cf should now look like this:
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu) biff = no append_dot_mydomain = no myhostname = server1.example.com alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases myorigin = /etc/mailname mydestination = server1.example.com, localhost.example.com, localhost relayhost = mynetworks = 127.0.0.0/8 mailbox_command = procmail -a "$EXTENSION" mailbox_size_limit = 0 recipient_delimiter = + inet_interfaces = all smtpd_sasl_local_domain = smtpd_sasl_auth_enable = yes smtpd_sasl_security_options = noanonymous broken_sasl_auth_clients = yes smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject _unauth_destination smtpd_tls_auth_only = no smtp_use_tls = yes smtpd_use_tls = yes smtp_tls_note_starttls_offer = yes smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem smtpd_tls_loglevel = 1 smtpd_tls_received_header = yes smtpd_tls_session_cache_timeout = 3600s tls_random_source = dev:/dev/urandomRestart the postfix daemon like this:
/etc/init.d/postfix reload
Authentication
Authentication will be done by saslauthd.
We have to change a few things to make it work properly. Because Postfix runs chrooted in /var/spool/postfix we have change a couple paths to live in the false root. (ie. /var/run/saslauthd becomes /var/spool/postfix/var/run/saslauthd):
First we edit /etc/default/saslauthd in order to activate saslauthd. Remove # in front of START=yes and add the PWDIR, PARAMS, and PIDFILE lines:
START=yes PWDIR="/var/spool/postfix/var/run/saslauthd" PARAMS="-m ${PWDIR}" PIDFILE="${PWDIR}/saslauthd.pid" MECHANISMS="pam"
Note: If you prefer, you can use "shadow" instead of "pam". This will use MD5 hashed password transfer and is perfectly secure. The username and password needed to authenticate will be those of the users on the system you are using on the server.
Next, we update the dpkg "state" of /var/spool/portfix/var/run/saslauthd. The saslauthd init script uses this setting to create the missing directory with the appropriate permissions and ownership:
dpkg-statoverride --force --update --add root sasl 755 /var/spool/postfix/var/run/saslauthd
Finally, start saslauthd:
/etc/init.d/saslauthd start
Testing
To see if SMTP-AUTH and TLS work properly now run the following command:
telnet localhost 25
After you have established the connection to your postfix mail server type
ehlo localhost
If you see the lines
250-STARTTLS 250-AUTH
among others, everything is working.
Type quit
to return to the system's shell.
Other Postfix Guides
These guides will teach your howto setup Postfix mail servers from basic to advanced.
Postfix Basic Setup
Postfix Basic Setup Howto will teach you the concepts of Posfix and how you can get Postfix basics setup up and running. If you are new to Postfix it is recomended to follow this guide first.
Postfix Virtual Mailbox and Antivirus Filtering
Postfix Virtual MailBox ClamSmtp Howto will teach you howto setup a Virtual mailboxes using non-linux accounts where each user will authenticate using their e-mail address with Dovecot POP3/IMAP server and ClamSMTP Antivirus to filter both incoming and out going mails for known viruses.
Postfix Setup For Sender Policy Framework (SPF) Checking
Postfix SPF will show you how to add SPF checking to reject mail from unauthorized sources to your existing Postfix setup.
Postfix Complete Solution
Postfix Complete Virtual Mail System Howto will help you if you are managing a large number of virtual domains at an ISP level service provider or in a large corporation where you mange few hundred or thousand mail domains. This guide is appropriate if you are looking a complete solution with:
- Web based system administration
- Unlimited number of domains
- Virtual mail users without the need for shell accounts
- Domain specific user names
- Mailbox quotas
- Web access to email accounts
- Web base interface to change user passwords
- IMAP and POP3 support
- Auto responders
- SMTP Authentication for secure relaying
- SSL for transport layer security
- Strong SPAM filtering
- Anti-Virus filtering
- Log Analysis