Debian Sarge Mail System Configuration: The Complete Guide

This article is an original work and is still being improved, so reposting it is not permitted; linking to it is welcome.


  • Software list
  • Operating system installation
  • Installing Postfix, Courier, MySQL and phpMyAdmin
  • Creating the MySQL database for Postfix/Courier and Extmail
  • Configuring basic Postfix parameters
  • Configuring Postfix virtual accounts
  • Configuring Courier Server
  • Regenerating the SSL certificates for Courier Server
  • Configuring Postfix SASL authentication
  • Configuring Postfix TLS
  • Configuring Amavisd-new, SpamAssassin and ClamAV
  • Installing Razor, Pyzor and DCC and configuring SpamAssassin
  • Adding filter rules to SpamAssassin
  • Building maildrop with MySQL user support
  • Configuring maildrop mail sorting
  • Configuring extmail and extman
  • Configuring graphical logs in extman
  • Installing Spam Locker anti-spam
  • Firewall configuration
  • References

 

Software list


  • Operating system: Debian Sarge 3.1 R4
  • SMTP server: Postfix 2.1.5
  • POP3/IMAP server: Courier Mail Server
  • Web server: Apache2
  • Web mail: Extmail
  • Web mail administration: Extman
  • Database server: MySQL 4.0.24
  • Filter interface: amavisd-new 20030616p10-5
  • Anti-virus: clamav
  • Spam detection: spamassassin
  • Collaborative network spam filtering: pyzor razor dcc
  • Anti-spam: Spam Locker
  • Mail sorting: maildrop 1.5.3

 

Operating system installation

Choose English for the system installation; it makes later configuration in text mode easier. When partitioning, the /var partition holds the WebMail site and the mail itself and uses the xfs file system; the other partitions use ext3. The final partitions and their usage are as follows:

Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/cciss/c0d0p2      9614148     92880   9032892   2% /
tmpfs                   518040         0    518040   0% /dev/shm
/dev/cciss/c0d0p1        90297     11037     74443  13% /boot
/dev/cciss/c0d0p5      9614116     32884   9092860   1% /home
/dev/cciss/c0d0p6      9614116    295744   8830000   4% /usr
/dev/cciss/c0d0p7    253783288    638008 253145280   1% /var
tmpfs                   518040         8    518032   1% /tmp

After the system is installed, set up the apt sources:

deb http://debian.ujn.edu.cn/debian/ sarge main contrib non-free
deb http://debian.ujn.edu.cn/debian-security/ sarge/updates main contrib non-free
deb http://ftp2.de.debian.org/debian-volatile/ sarge/volatile main
deb-src http://debian.ujn.edu.cn/debian/ sarge main contrib non-free

Of these, http://ftp2.de.debian.org/debian-volatile/ is not an official source, but it carries the latest clamav package, and only that version of clamav is able to update.

When selecting software during the basic configuration, remove packages that are not needed, such as the exim4 series, at, ppp, pppconfig, pppoe, pppoeconfig, nvi and ed, and install the necessary ones such as vim and ssh.

After installation, install debfoster; it helps keep the system clean. For how to use debfoster, see: Study notes: debfoster & deborphan


Installing Postfix, Courier, MySQL and phpMyAdmin

The install command is:

  1. apt-get install postfix postfix-mysql mysql-client mysql-server courier-authdaemon courier-authmysql courier-pop courier-pop-ssl courier-imap courier-imap-ssl postfix-tls libsasl2 libsasl2-modules openssl phpmyadmin

Then answer the following questions:

Enable suExec? <– Yes
Create directories for web-based administration ? <– No
General type of configuration? <– Internet site
Where should mail for root go? <– NONE
Mail name? <– email.ujn.edu.cn
Other destinations to accept mail for? (blank for none) <– email.ujn.edu.cn, localhost, localhost.localdomain
Force synchronous updates on mail queue? <– No
SSL certificate required <– Ok
Install Hints <– Ok
Which web server would you like to reconfigure automatically? <– apache, apache2
Do you want me to restart apache now? <– Yes

apache supports only IPv4 while apache2 also supports IPv6, so choose apache2.

Then run debfoster and keep all of the packages above.

Creating the MySQL database for Postfix/Courier and Extmail

mail.sql
-- phpMyAdmin SQL Dump
-- version 2.6.2-Debian-3sarge1
-- http://www.phpmyadmin.net
--
-- Host: localhost
-- Generation time: 21 Dec 2006, 01:23
-- Server version: 4.0.24
-- PHP version: 4.3.10-16
--
-- Database: `mail`
--

CREATE DATABASE `mail`;
USE `mail`;

-- --------------------------------------------------------

--
-- Table structure for table `alias`
--

CREATE TABLE `alias` (
  `address` varchar(255) NOT NULL default '',
  `goto` text NOT NULL,
  `domain` varchar(255) NOT NULL default '',
  `createdate` datetime NOT NULL default '0000-00-00 00:00:00',
  `expiredate` datetime NOT NULL default '0000-00-00 00:00:00',
  `active` tinyint(1) unsigned NOT NULL default '1',
  PRIMARY KEY  (`address`)
) TYPE=MyISAM COMMENT='ExtMail - Virtual Aliases';

-- --------------------------------------------------------

--
-- Table structure for table `domain`
--

CREATE TABLE `domain` (
  `domain` varchar(255) NOT NULL default '',
  `description` varchar(255) NOT NULL default '',
  `maxalias` int(10) unsigned NOT NULL default '0',
  `maxusers` int(10) unsigned NOT NULL default '0',
  `maxquota` varchar(20) NOT NULL default '0',
  `maxnetdiskquota` varchar(20) NOT NULL default '0',
  `transport` varchar(255) default NULL,
  `createdate` datetime NOT NULL default '0000-00-00 00:00:00',
  `expiredate` datetime NOT NULL default '0000-00-00 00:00:00',
  `active` tinyint(1) unsigned NOT NULL default '1',
  PRIMARY KEY  (`domain`)
) TYPE=MyISAM COMMENT='ExtMail - Virtual Domains';

-- --------------------------------------------------------

--
-- Table structure for table `domain_manager`
--

CREATE TABLE `domain_manager` (
  `username` varchar(255) NOT NULL default '',
  `domain` varchar(255) NOT NULL default '',
  `createdate` datetime NOT NULL default '0000-00-00 00:00:00',
  `active` tinyint(1) unsigned NOT NULL default '1',
  KEY `username` (`username`)
) TYPE=MyISAM COMMENT='Ext/Webman - Domain Admins';

-- --------------------------------------------------------

--
-- Table structure for table `mailbox`
--

CREATE TABLE `mailbox` (
  `username` varchar(255) NOT NULL default '',
  `uid` varchar(255) NOT NULL default '',
  `password` varchar(255) NOT NULL default '',
  `name` varchar(255) NOT NULL default '',
  `mailhost` varchar(255) NOT NULL default '',
  `maildir` varchar(255) NOT NULL default '',
  `homedir` varchar(255) NOT NULL default '',
  `quota` varchar(20) NOT NULL default '0',
  `netdiskquota` varchar(20) NOT NULL default '0',
  `domain` varchar(255) NOT NULL default '',
  `uidnumber` int(6) NOT NULL default '1000',
  `gidnumber` int(6) NOT NULL default '1000',
  `createdate` datetime NOT NULL default '0000-00-00 00:00:00',
  `expiredate` datetime NOT NULL default '0000-00-00 00:00:00',
  `active` smallint(1) NOT NULL default '1',
  `disablesmtpd` smallint(1) default NULL,
  `disablesmtp` smallint(1) default NULL,
  `disablewebmail` smallint(1) default NULL,
  `disablenetdisk` smallint(1) default NULL,
  `disableimap` smallint(1) default NULL,
  `disablepop3` smallint(1) default NULL,
  PRIMARY KEY  (`username`)
) TYPE=MyISAM COMMENT='ExtMail - Virtual Mailboxes';

-- --------------------------------------------------------

--
-- Table structure for table `manager`
--

CREATE TABLE `manager` (
  `username` varchar(255) NOT NULL default '',
  `password` varchar(255) NOT NULL default '',
  `type` varchar(64) NOT NULL default 'postmaster',
  `uid` varchar(255) NOT NULL default '',
  `name` varchar(255) NOT NULL default '',
  `createdate` datetime NOT NULL default '0000-00-00 00:00:00',
  `expiredate` datetime NOT NULL default '0000-00-00 00:00:00',
  `active` tinyint(1) unsigned NOT NULL default '1',
  PRIMARY KEY  (`username`)
) TYPE=MyISAM COMMENT='Ext/Webman - Admin Accounts';

GRANT SELECT, INSERT, UPDATE, DELETE ON mail.* TO 'mail_admin'@'localhost' IDENTIFIED BY 'mail_admin_password';
GRANT SELECT, INSERT, UPDATE, DELETE ON mail.* TO 'mail_admin'@'localhost.localdomain' IDENTIFIED BY 'mail_admin_password';
FLUSH PRIVILEGES;

INSERT INTO `manager` VALUES ('root','41BrVsy8feOIk','admin','root','Super User','0000-00-00 00:00:00','0000-00-00 00:00:00',1);

All of the above can also be done in phpmyadmin.


Configuring basic Postfix parameters

The default /etc/postfix/main.cf looks like this:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
 
# appending .domain is the MUA's job.
append_dot_mydomain = no
 
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
 
myhostname = email.ujn.edu.cn
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = email.ujn.edu.cn, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.1
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

You can add:

append_dot_mydomain = no
append_at_myorigin = no

This stops the server from automatically completing incomplete sender addresses, which helps to some extent against spam.

Add:

smtpd_helo_required = yes

This requires the client to send a HELO/EHLO command before the SMTP dialogue proper can begin.

Add:

smtpd_noop_commands = vrfy, expn

When a client sends the vrfy or expn command, Postfix then does nothing but still returns 250 OK. This prevents outsiders from using vrfy and expn to probe whether recipient addresses are valid. In fact Postfix does not support the expn command anyway.

Add:

allow_percent_hack = no

The percent hack dates from the early days before DNS was widespread; DNS and mail routing are reliable now, so this feature does not need to be enabled.

Add:

ignore_mx_lookup_error = yes

When Postfix queries the DNS server for an MX record and gets no response, it retries after a while. Setting ignore_mx_lookup_error to yes makes Postfix query the A record directly right after the first failure, which speeds up delivery to destination servers that have no MX record.

Add:

message_size_limit = 31457280

This allows a maximum message size of 30 MB; adjust the number to your situation.

Configuring Postfix virtual accounts

On Debian, Postfix runs chrooted. That is more secure, but access to local resources is restricted: in particular, it can talk to the database only over TCP, not through a Unix socket. You therefore need to make sure the MySQL configuration file /etc/mysql/my.cnf contains the following line:

bind-address            = 127.0.0.1

Restart the MySQL service after changing it.

Next, create four text files that Postfix uses to read from MySQL.

mysql_virtual_alias_maps.cf
user = mail_admin
password = mail_admin_password
dbname = mail
table = alias
select_field = goto
where_field = address
additional_conditions = AND active = 1
hosts = 127.0.0.1

mysql_virtual_domains_maps.cf
user = mail_admin
password = mail_admin_password
dbname = mail
table = domain
select_field = description
where_field = domain
additional_conditions = AND active = 1
hosts = 127.0.0.1

mysql_virtual_mailbox_maps.cf
user = mail_admin
password = mail_admin_password
dbname = mail
table = mailbox
select_field = maildir
where_field = username
additional_conditions = AND active = 1
hosts = 127.0.0.1

mysql_virtual_sender_maps.cf
user = mail_admin
password = mail_admin_password
dbname = mail
table = mailbox
select_field = username
where_field = username
additional_conditions = AND active = 1
hosts = 127.0.0.1

These files are created as root. Then change their permissions so that other users have no access, group members can read them, and they belong to the postfix group:

  1. chmod o= /etc/postfix/mysql_virtual_*.cf
  2. chgrp postfix /etc/postfix/mysql_virtual_*.cf

Then create the vmail user and group, with home directory /var/vmail; this is where all mail will be stored from now on. For security, the user is not allowed to log in.

  1. groupadd -g 5000 vmail
  2. useradd -g vmail -u 5000 vmail -d /var/vmail -s /bin/false -m

Then append the following to /etc/postfix/main.cf to configure the virtual accounts:

# virtual config
virtual_alias_domains =
virtual_alias_maps =
    proxy:mysql:/etc/postfix/mysql_virtual_sender_maps.cf,
    proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_mailbox_base = /var/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $smtpd_sender_login_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks

In the options above, virtual_alias_domains is left empty because it interferes with catch-all alias addresses; putting all virtual domains in virtual_mailbox_domains is enough.
virtual_alias_maps maps not only virtual aliases to virtual mailboxes but also every virtual mailbox to itself; this prevents a catch-all alias from disabling all the virtual mailboxes in the same domain.
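All four map files above use the table/select_field/where_field form. The following Python example is added here and is not code from the guide or from Postfix: it renders the SELECT that such a file expands to for one lookup key (with the quote escaping that keeps a stray quote in an address from changing the query) and checks a map file against the permission rule given above. The map file text is a constructed copy of mysql_virtual_mailbox_maps.cf; the demo compares the group against the group the temporary file actually received, since a postfix group may not exist where this runs.

```python
import grp
import os
import stat
import tempfile

# Constructed copy of the mysql_virtual_mailbox_maps.cf file shown above.
VIRTUAL_MAILBOX_MAPS = """\
user = mail_admin
password = mail_admin_password
dbname = mail
table = mailbox
select_field = maildir
where_field = username
additional_conditions = AND active = 1
hosts = 127.0.0.1
"""


def parse_map(text):
    """Parse the 'key = value' lines of a Postfix mysql: table file."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def escape_key(key):
    """Mimic the escaping Postfix applies to the lookup key before it is
    substituted into the query, so that a quote inside a recipient address
    cannot change the meaning of the SELECT."""
    return key.replace("\\", "\\\\").replace("'", "\\'")


def legacy_query(cfg, lookup_key):
    """Render the SELECT that the table/select_field/where_field form expands
    to for one lookup key, as documented in mysql_table(5)."""
    sql = "SELECT %s FROM %s WHERE %s = '%s'" % (
        cfg["select_field"], cfg["table"], cfg["where_field"], escape_key(lookup_key))
    if cfg.get("additional_conditions"):
        sql += " " + cfg["additional_conditions"]
    return sql


def _group_name(gid):
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def map_file_problems(path, group="postfix"):
    """Check one map file against the rule in the text: the file holds the
    MySQL password, so 'others' must have no permission bits, and it must
    belong to the group the Postfix daemons run with."""
    st = os.stat(path)
    problems = []
    if st.st_mode & stat.S_IRWXO:
        problems.append("others can access it (mode %04o)" % stat.S_IMODE(st.st_mode))
    gname = _group_name(st.st_gid)
    if gname != group:
        problems.append("group is %s, expected %s" % (gname, group))
    return problems


def permission_demo():
    """Write the constructed map file to a temporary directory and check it
    twice: with the 0644 mode a root-created file typically gets, and after
    the equivalent of 'chmod o='. The expected group is whatever group the
    file received, because a 'postfix' group may not exist on this machine."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "mysql_virtual_mailbox_maps.cf")
        with open(path, "w") as f:
            f.write(VIRTUAL_MAILBOX_MAPS)
        my_group = _group_name(os.stat(path).st_gid)
        os.chmod(path, 0o644)
        before = map_file_problems(path, group=my_group)
        os.chmod(path, 0o640)   # what 'chmod o= /etc/postfix/mysql_virtual_*.cf' does
        after = map_file_problems(path, group=my_group)
    return before, after


if __name__ == "__main__":
    print(legacy_query(parse_map(VIRTUAL_MAILBOX_MAPS), "alice@email.ujn.edu.cn"))
    print(permission_demo())
```

On the real server, map_file_problems("/etc/postfix/mysql_virtual_mailbox_maps.cf") with the default group checks exactly what the two commands above were meant to achieve.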

Configuring Courier Server

First edit /etc/courier/authdaemonrc and set authmodulelist to authmysql:

authmodulelist="authmysql"

No other values need to be changed.

Edit /etc/courier/authmysqlrc; its main content should be as follows:

MYSQL_SERVER            127.0.0.1
MYSQL_USERNAME          mail_admin
MYSQL_PASSWORD          mail_admin_password
MYSQL_PORT              3306
MYSQL_OPT               0
MYSQL_DATABASE          mail
MYSQL_USER_TABLE        mailbox
MYSQL_CRYPT_PWFIELD     password
DEFAULT_DOMAIN          domain
MYSQL_UID_FIELD         uidnumber
MYSQL_GID_FIELD         gidnumber
MYSQL_LOGIN_FIELD       username
MYSQL_HOME_FIELD        homedir
MYSQL_NAME_FIELD        name
MYSQL_MAILDIR_FIELD     maildir
MYSQL_QUOTA_FIELD       quota
MYSQL_SELECT_CLAUSE     SELECT username,password,domain,                \
                        uidnumber,gidnumber,                            \
                        CONCAT('/var/vmail/',homedir),                  \
                        CONCAT('/var/vmail/',maildir),                  \
                        quota,                                          \
                        name                                            \
                        FROM mailbox                                    \
                        WHERE username = '$(local_part)@$(domain)'      \
                        AND active = 1

Then restart Courier Server:

  1. /etc/init.d/courier-authdaemon restart
  2. /etc/init.d/courier-imap restart
  3. /etc/init.d/courier-imap-ssl restart
  4. /etc/init.d/courier-pop restart
  5. /etc/init.d/courier-pop-ssl restart

Regenerating the SSL certificates for Courier Server

If the default Courier Server SSL certificate does not suit you, you can generate your own. For example, change /etc/courier/imapd.cnf to the following:

imapd.cnf
RANDFILE = /usr/lib/courier/imapd.rand
 
[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
 
[ req_dn ]
C=CN
ST=ShanDong
L=Jinan
O=University of Jinan
OU=Network Center
CN=email.ujn.edu.cn
emailAddress=webmaster@ujn.cn
 
 
[ cert_type ]
nsCertType = server

Then delete /etc/courier/imapd.pem and run /usr/lib/courier/mkimapdcert to generate the new certificate:

  1. rm /etc/courier/imapd.pem
  2. /usr/lib/courier/mkimapdcert

A new pop3d.pem can be generated the same way, except that the command to run is /usr/lib/courier/mkpop3dcert.

Once generated, restart the two services:

  1. /etc/init.d/courier-imap-ssl restart
  2. /etc/init.d/courier-pop-ssl restart

Configuring Postfix SASL authentication

The simplest way to configure Postfix SASL authentication is to use authdaemond, which lets Postfix share one authentication method with Courier Server. But again because Postfix runs chrooted, the path of the authdaemond socket needs some changes.

Create the directory /var/spool/postfix/var/run/courier/authdaemon/:

  1. mkdir -p /var/spool/postfix/var/run/courier/authdaemon

Then edit /etc/init.d/courier-authdaemon and find:

echo -n "Starting Courier authdaemon: "
                ${libexecdir}/authlib/authdaemond start
                echo "done."

and change it to:

echo -n "Starting Courier authdaemon: "
                ${libexecdir}/authlib/authdaemond start
                sleep 1
                ln -f /var/run/courier/authdaemon/socket /var/spool/postfix/var/run/courier/authdaemon/socket
                echo "done."

echo -n "Stopping Courier authdaemon: "
                ${libexecdir}/authlib/authdaemond stop
                echo "done."

and change it to:

echo -n "Stopping Courier authdaemon: "
                rm /var/spool/postfix/var/run/courier/authdaemon/socket
                ${libexecdir}/authlib/authdaemond stop
                echo "done."

Restart the authdaemon service:

  1. /etc/init.d/courier-authdaemon restart

Next, create the directory sasl under /etc/postfix, then create the file /etc/postfix/sasl/smtpd.conf:

smtpd.conf
pwcheck_method: authdaemond
mech_list: plain login digest-md5 cram-md5
allow_plaintext: true
authdaemond_path: /var/run/courier/authdaemon/socket

Finally, add the following to /etc/postfix/main.cf:

# smtpd auth config
smtpd_sasl_security_options = noanonymous
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes

local_recipient_maps = $alias_maps $virtual_mailbox_maps

smtpd_sender_login_maps =
    proxy:mysql:/etc/postfix/mysql_virtual_sender_maps.cf,
    proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf

smtpd_reject_unlisted_sender = yes

smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_sender_login_mismatch,
    permit_sasl_authenticated,
    reject_unknown_sender_domain,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_invalid_hostname,
    check_recipient_maps

With this configuration, mail from the local domain to any address (including local addresses) must be authenticated, and the authenticated user must be the same as the sender; mail from any non-local address to a local address needs no authentication; and mail from a non-local address to a non-local address is rejected outright.

In addition, it rejects SMTP clients that present an incomplete hostname, an incomplete sender or an incomplete recipient; clients with an unknown sender domain or an unknown recipient domain; clients whose recipient address contains a sender-specified delivery route; clients that break the pipelining rules; and clients that give an invalid hostname in the HELO command.
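The three cases described above follow from the order of the restriction list, since the first rule that says permit or reject wins. The Python model below is added here and is not code from the guide or from Postfix: each restriction is reduced to its essential check over constructed stand-ins for the MySQL tables (MYNETWORKS, LOCAL_DOMAINS, MAILBOXES, SENDER_OWNER and RESOLVABLE are all assumptions), and evaluate() returns the first verdict together with the rule that produced it.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the MySQL tables this guide queries.
MYNETWORKS = {"127.0.0.1"}
LOCAL_DOMAINS = {"email.ujn.edu.cn"}                              # virtual_mailbox_domains
MAILBOXES = {"alice@email.ujn.edu.cn", "bob@email.ujn.edu.cn"}    # virtual_mailbox_maps
# smtpd_sender_login_maps: mysql_virtual_sender_maps.cf maps every mailbox to
# itself, so each local address has exactly one SASL login allowed to use it.
SENDER_OWNER = {m: m for m in MAILBOXES}
RESOLVABLE = LOCAL_DOMAINS | {"example.org", "example.net"}       # domains with DNS records


@dataclass
class Session:
    client_ip: str
    helo: str
    sender: str                     # MAIL FROM; "" is the null sender of bounces
    recipient: str                  # RCPT TO
    sasl_user: Optional[str] = None
    pipelined_early: bool = False   # client sent commands before it was allowed to


def domain(addr):
    return addr.rpartition("@")[2]


def is_fqdn(name):
    return "." in name.strip(".")


def permit_mynetworks(s):
    return "PERMIT" if s.client_ip in MYNETWORKS else None


def reject_sender_login_mismatch(s):
    owner = SENDER_OWNER.get(s.sender)
    if owner is not None and s.sasl_user != owner:
        return "REJECT"   # a local address used without being logged in as its owner
    if s.sasl_user is not None and owner != s.sasl_user:
        return "REJECT"   # logged in, but using an address that login does not own
    return None


def permit_sasl_authenticated(s):
    return "PERMIT" if s.sasl_user else None


def reject_unknown_sender_domain(s):
    return "REJECT" if s.sender and domain(s.sender) not in RESOLVABLE else None


def reject_non_fqdn_hostname(s):
    return None if is_fqdn(s.helo) else "REJECT"


def reject_non_fqdn_sender(s):
    return "REJECT" if s.sender and not is_fqdn(domain(s.sender)) else None


def reject_non_fqdn_recipient(s):
    return None if is_fqdn(domain(s.recipient)) else "REJECT"


def reject_unknown_recipient_domain(s):
    return "REJECT" if domain(s.recipient) not in RESOLVABLE else None


def reject_unauth_destination(s):
    # the anti-relay rule: unauthenticated mail may only go to our own domains
    return None if domain(s.recipient) in LOCAL_DOMAINS else "REJECT"


def reject_unauth_pipelining(s):
    return "REJECT" if s.pipelined_early else None


def reject_invalid_hostname(s):
    ok = s.helo and all(c.isalnum() or c in ".-" for c in s.helo)
    return None if ok else "REJECT"


def check_recipient_maps(s):
    if domain(s.recipient) in LOCAL_DOMAINS and s.recipient not in MAILBOXES:
        return "REJECT"   # our domain, but no such mailbox
    return None


RESTRICTIONS = [
    permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated,
    reject_unknown_sender_domain, reject_non_fqdn_hostname, reject_non_fqdn_sender,
    reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination,
    reject_unauth_pipelining, reject_invalid_hostname, check_recipient_maps,
]


def evaluate(session):
    """Walk the list in order; the first PERMIT or REJECT wins, as in smtpd(8).
    Falling off the end of the list is an implicit permit."""
    for rule in RESTRICTIONS:
        verdict = rule(session)
        if verdict:
            return verdict, rule.__name__
    return "PERMIT", "end_of_list"
```

Because reject_sender_login_mismatch comes before permit_sasl_authenticated, a logged-in user cannot put a different local mailbox in MAIL FROM, which is what keeps one account from impersonating another inside the domain.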

Finally, restart the Postfix service:

  1. /etc/init.d/postfix restart

Configuring Postfix TLS

Generating the certificates for this part is rather tedious; see section 1.3 of http://www.tribulaciones.org/docs/postfix-sasl-tls-howto.html. It is not described in detail here for now.

Configuring Amavisd-new, SpamAssassin and ClamAV

  1. apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip unarj unrar bzip2 rar lha arc lzop


Virus database update method: <-- daemon
Local database mirror site: <-- db.cn.clamav.net
HTTP proxy information (leave blank for none): <-- configure according to your situation
Should clamd be notified after updates? <-- Yes

Edit /etc/amavis/amavisd.conf, paying particular attention to the following:

# @bypass_virus_checks_acl = qw( . );  # uncomment to DISABLE anti-virus code
# @bypass_spam_checks_acl  = qw( . );  # uncomment to DISABLE anti-spam code
 
$final_virus_destiny      = D_DISCARD; # (defaults to D_BOUNCE)
$final_banned_destiny     = D_REJECT;  # (defaults to D_BOUNCE)
$final_spam_destiny       = D_PASS;    # (defaults to D_REJECT)
$final_bad_header_destiny = D_PASS;    # (defaults to D_PASS), D_BOUNCE suggested

and comment out the configuration of every anti-virus scanner other than clamav.

Then add the clamav user to the amavis group and restart both services:

  1. adduser clamav amavis
  2. /etc/init.d/amavis restart
  3. /etc/init.d/clamav-daemon restart

Then edit /etc/postfix/main.cf and add:

# amavis config
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings

Edit /etc/postfix/master.cf and add:

amavis    unix  -       -       -       -       2       smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
127.0.0.1:10025 inet n  -       -       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_bind_address=127.0.0.1

Restart Postfix:

  1. /etc/init.d/postfix restart
  2. postfix check

Installing Razor, Pyzor and DCC and configuring SpamAssassin

Razor, Pyzor and DCC are collaborative network spam filters that SpamAssassin can call. Install them first:

  1. apt-get install razor pyzor dcc-client

Then edit the SpamAssassin configuration file /etc/spamassassin/local.cf so that it calls them:

local.cf
# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
###########################################################################
#
# rewrite_header Subject *****SPAM*****
# report_safe 1
# trusted_networks 212.17.35.
# lock_method flock
 
# dcc
use_dcc 1
dcc_path /usr/bin/dccproc
dcc_add_header 1
dcc_dccifd_path /usr/sbin/dccifd
 
# pyzor
use_pyzor 1
pyzor_path /usr/bin/pyzor
pyzor_add_header 1
 
# razor
use_razor2 1
razor_config /etc/razor/razor-agent.conf
 
# bayes
use_bayes 1
use_bayes_rules 1
bayes_auto_learn 1
 
#whitelist
whitelist_from *@*.edu.cn *@ujn.cn *@ujn.org.cn
 
# ---------------------------------------------------------------------------
# URL: http://www.anti-spam.org.cn/
# CBL-
header RCVD_IN_CBLLESS eval:check_rbl('cblless', 'cblless.anti-spam.org.cn.', '127.0.8.5')
describe RCVD_IN_CBLLESS Received via a relay in cblless.anti-spam.org.cn
tflags RCVD_IN_CBLLESS net
score RCVD_IN_CBLLESS 3.5
 
# CML
header RCVD_IN_CML eval:check_rbl('cml', 'cml.anti-spam.org.cn.', '127.0.8.1')
describe RCVD_IN_CML Received via a white list relay in cml.anti-spam.org.cn
tflags RCVD_IN_CML net nice
score RCVD_IN_CML -20.0

In the whitelist section above you can list your local virtual domains, or any domains you consider safe, so that mail within your domains is not filtered. The RBLs below it come from http://www.anti-spam.org.cn/. Configuring them here, rather than directly in Postfix, avoids non-spam mail from those addresses being rejected outright.
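To make concrete what the two check_rbl rules above do with a message, here is an added Python example (not code from the guide or from SpamAssassin): it builds the reversed-octet query name for each zone, pulls the relay addresses out of Received: headers, skips hops inside a constructed trusted_networks list, and adds the rule scores so that a listed relay only contributes 3.5 points while a CML-listed one subtracts 20. The headers, the trusted networks and the FAKE_DNS answers are all constructed; a real run would query DNS.

```python
import ipaddress
import re

# The two rules from local.cf above: (name, zone, expected answer, score).
RULES = [
    ("RCVD_IN_CBLLESS", "cblless.anti-spam.org.cn.", "127.0.8.5", 3.5),
    ("RCVD_IN_CML", "cml.anti-spam.org.cn.", "127.0.8.1", -20.0),
]

# Constructed: the answers the two zones would give; a real run asks DNS.
FAKE_DNS = {
    "5.113.0.203.cblless.anti-spam.org.cn": "127.0.8.5",   # 203.0.113.5 is listed in CBL-
    "10.2.0.192.cml.anti-spam.org.cn": "127.0.8.1",        # 192.0.2.10 is on the CML white list
}

# Constructed: our own relays, as the commented trusted_networks line would declare.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8")]

# Constructed Received: headers of two messages as they reach SpamAssassin
# through amavisd-new; the first hop is the local re-injection on 127.0.0.1.
LISTED_RELAY = """\
Received: from email.ujn.edu.cn (localhost [127.0.0.1])
        by email.ujn.edu.cn (Postfix) with ESMTP id AAAA0001
Received: from mx.example.org (mx.example.org [203.0.113.5])
        by email.ujn.edu.cn (Postfix) with ESMTP id AAAA0002
Received: from desk.example.org (desk.example.org [203.0.113.7])
        by mx.example.org with SMTP
Subject: hello
"""
WHITELISTED_RELAY = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
        by email.ujn.edu.cn (Postfix) with ESMTP id AAAA0003
Subject: hello
"""


def rbl_query_name(ip, zone):
    """check_rbl reverses the octets and appends the zone:
    203.0.113.5 with cblless.anti-spam.org.cn. -> 5.113.0.203.cblless.anti-spam.org.cn"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")


def untrusted_relays(headers):
    """Relay IPs from Received: headers that are outside our trusted networks;
    these are the hops the RBL rules are evaluated on."""
    ips = []
    for line in headers.splitlines():
        if not line.startswith("Received:"):
            continue
        for m in re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", line):
            addr = ipaddress.IPv4Address(m)
            if not any(addr in net for net in TRUSTED_NETWORKS):
                ips.append(str(addr))
    return ips


def rbl_score(headers, resolve=FAKE_DNS.get):
    """Apply both rules to every untrusted relay and sum their scores.
    Returns (total, [(rule, ip), ...])."""
    total, hits = 0.0, []
    for ip in untrusted_relays(headers):
        for name, zone, expected, points in RULES:
            if resolve(rbl_query_name(ip, zone)) == expected:
                hits.append((name, ip))
                total += points
    return total, hits
```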

Then restart Amavisd-new:

  1. /etc/init.d/amavis restart

Note that it is not spamassassin that is restarted here, because spamassassin has already been configured to be called by Amavisd-new.

Adding filter rules to SpamAssassin

Next we need to download some filter rules. Create /usr/local/sbin/sa_rules_update.sh:

sa_rules_update.sh
#!/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# export http_proxy=http://your.proxy.server
 
cd /etc/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/71_sare_redirect_pre3.0.0.cf -O 71_sare_redirect_pre3.0.0.cf &> /dev/null
cd /etc/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_bayes_poison_nxm.cf -O 70_sare_bayes_poison_nxm.cf &> /dev/null
cd /etc/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_html.cf -O 70_sare_html.cf &> /dev/null
cd /etc/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_html4.cf -O 70_sare_html4.cf &> /dev/null
cd /etc/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_html_x30.cf -O 70_sare_html_x30.cf &> /dev/null
cd /etc/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_header0.cf -O 70_sare_header0.cf &> /dev/null
cd /etc/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_header3.cf -O 70_sare_header3.cf &> /dev/null
cd /etc/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_header_x30.cf -O 70_sare_header_x30.cf &> /dev/null
cd /etc/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_specific.cf -O 70_sare_specific.cf &> /dev/null
cd /etc/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_adult.cf -O 70_sare_adult.cf &> /dev/null
cd /etc/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/72_sare_bml_post25x.cf -O 72_sare_bml_post25x.cf &> /dev/null
cd /etc/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/99_sare_fraud_post25x.cf -O 99_sare_fraud_post25x.cf &> /dev/null
cd /etc/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_spoof.cf -O 70_sare_spoof.cf &> /dev/null
cd /etc/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_random.cf -O 70_sare_random.cf &> /dev/null
cd /etc/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_oem.cf -O 70_sare_oem.cf &> /dev/null
cd /etc/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_genlsubj0.cf -O 70_sare_genlsubj0.cf &> /dev/null
cd /etc/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_genlsubj3.cf -O 70_sare_genlsubj3.cf &> /dev/null
cd /etc/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_genlsubj_x30.cf -O 70_sare_genlsubj_x30.cf &> /dev/null
cd /etc/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_unsub.cf -O 70_sare_unsub.cf &> /dev/null
cd /etc/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_uri.cf -O 70_sare_uri.cf &> /dev/null
cd /etc/spamassassin/ &> /dev/null && /usr/bin/wget http://mywebpages.comcast.net/mkettler/sa/antidrug.cf -O antidrug.cf &> /dev/null
cd /etc/spamassassin/ &> /dev/null && /usr/bin/wget http://www.timj.co.uk/linux/bogus-virus-warnings.cf -O bogus-virus-warnings.cf &> /dev/null
cd /etc/spamassassin/ &> /dev/null && /usr/bin/wget http://www.yackley.org/sa-rules/evilnumbers.cf -O evilnumbers.cf &> /dev/null
cd /etc/spamassassin/ &> /dev/null && /usr/bin/wget http://www.stearns.org/sa-blacklist/random.current.cf -O random.current.cf &> /dev/null
cd /etc/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/88_FVGT_body.cf -O 88_FVGT_body.cf &> /dev/null
cd /etc/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/88_FVGT_rawbody.cf -O 88_FVGT_rawbody.cf &> /dev/null
cd /etc/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/88_FVGT_subject.cf -O 88_FVGT_subject.cf &> /dev/null
cd /etc/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/88_FVGT_headers.cf -O 88_FVGT_headers.cf &> /dev/null
cd /etc/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/88_FVGT_uri.cf -O 88_FVGT_uri.cf &> /dev/null
cd /etc/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/99_FVGT_Tripwire.cf -O 99_FVGT_Tripwire.cf &> /dev/null
cd /etc/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/99_FVGT_meta.cf -O 99_FVGT_meta.cf &> /dev/null
cd /etc/spamassassin/ &> /dev/null && /usr/bin/wget http://www.nospamtoday.com/download/mime_validate.cf -O mime_validate.cf &> /dev/null
cd /etc/spamassassin/ &> /dev/null && /usr/bin/wget http://www.ccert.edu.cn/spam/sa/Chinese_rules.cf -O Chinese_rules.cf &> /dev/null
/etc/init.d/amavis restart &> /dev/null
exit 0

Then run it:

  1. chmod 755 /usr/local/sbin/sa_rules_update.sh
  2. /usr/local/sbin/sa_rules_update.sh

You can also add it to cron so that it runs automatically every day; for example, run crontab -e and create the following job:

10 4 * * * /usr/local/sbin/sa_rules_update.sh &> /dev/null

The filter rules are then downloaded and updated automatically at 04:10 every morning.

Building maildrop with MySQL user support

All of the software above can be installed with apt-get. The software below is a little more involved, but fortunately there is not much of it: maildrop is one piece, and the rest is extmail and extman. maildrop first.

maildrop in Debian sarge is version 1.5.3, but the default deb package does not include MySQL authentication. We can solve this by rebuilding it.

First run debfoster and keep everything installed above. The packages installed below will be removed again as soon as we are done with them: they are only build tools, of no use to the server, and are used just once at build time.

Now install the build tools. Start with the MySQL development library; it is installed first because it exists in several versions, and otherwise you would have to choose one later.

  1. apt-get install libmysqlclient12-dev

Then install the other tools needed to build maildrop:

  1. apt-get build-dep maildrop
  2. apt-get install fakeroot

Now go to /usr/src and download the maildrop source package:

  1. cd /usr/src
  2. apt-get source maildrop
  3. cd maildrop-1.5.3

Edit debian/rules to change the build rules. Find:

--sysconfdir=/etc \
       --enable-use-dotlock=1 --enable-use-flock=1 \
       --enable-sendmail=/usr/sbin/sendmail --enable-maildirquota

and change it to:

--sysconfdir=/etc \
       --enable-use-dotlock=1 --enable-use-flock=1 \
       --enable-sendmail=/usr/sbin/sendmail --enable-maildirquota \
       --enable-syslog=1 --enable-maildropmysql \
       --with-mysqlconfig=/etc/maildropmysql.config --without-db \
       --enable-maildrop-uid=5000 --enable-maildrop-gid=5000 \
       --enable-trusted-users="root postfix vmail"

Then build the new deb package:

  1. dpkg-buildpackage -rfakeroot -uc -b
  2. cd ..
  3. ls

If you then see that maildrop_1.5.3-1.1sarge1_i386.deb has been produced, the build succeeded.

Do not install it yet. First run debfoster and uninstall every package that was installed above for building maildrop, without exception; libmysqlclient12-dev does not need to be kept either.

After uninstalling them, you can install our maildrop_1.5.3-1.1sarge1_i386.deb:

  1. dpkg -i maildrop_1.5.3-1.1sarge1_i386.deb

Here is the prebuilt package: maildrop_1.5.3-1.1sarge1_i386.deb; it can be downloaded and installed directly.

Configuring maildrop mail sorting

Create /etc/maildropmysql.config:

maildropmysql.config
hostname 127.0.0.1
port 3306
database mail
dbuser mail_admin
dbpw mail_admin_password
dbtable mailbox
default_uidnumber 5000
default_gidnumber 5000
uidnumber_field uidnumber
gidnumber_field gidnumber
uid_field username
homedirectory_field concat('/var/vmail/',homedir,'/')
maildir_field concat('/var/vmail/',maildir)
quota_field quota
mailstatus_field active

Edit /etc/maildroprc to write a maildrop log and to sort spam for all domains:

maildroprc
# Global maildrop filter file

# Uncomment this line to make maildrop default to ~/Maildir for
# delivery- this is where courier-imap (amongst others) will look.
#DEFAULT="$HOME/Maildir"

logfile "/var/log/maildrop.log"

#*spam2junk
if (/^X-Spam-Flag:.*YES/)
{
  # .Junk is a Maildir folder (a directory), so test for it with -d
  `test -d "$HOME/Maildir/.Junk" && exit 1 || exit 0`

  if ( $RETURNCODE == 0 )
  {
    `maildirmake -f Junk "$HOME/Maildir"`
  }

  to "$HOME/Maildir/.Junk/"
}
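The spam2junk rule above is a small delivery policy: test the header block, create the Junk folder on first use, deliver there. The Python example below is added here and is not code from the guide or from maildrop; it reimplements that rule against a throw-away home directory, with the same header regex, a maildirmake equivalent that writes the maildirfolder marker Courier-IMAP expects, and the tmp/ then new/ rename that Maildir delivery requires. The two messages are constructed, as amavisd-new/SpamAssassin would tag them.

```python
import itertools
import os
import re
import socket
import tempfile
import time

# Constructed messages as amavisd-new hands them to maildrop: one tagged by
# SpamAssassin, one not.
SPAM_MSG = b"""From: seller@example.org
To: alice@email.ujn.edu.cn
Subject: cheap watches
X-Spam-Flag: YES
X-Spam-Status: Yes, score=12.3 required=5.0

buy now
"""
HAM_MSG = b"""From: bob@email.ujn.edu.cn
To: alice@email.ujn.edu.cn
Subject: lunch
X-Spam-Status: No, score=-1.2 required=5.0

noon?
"""

_seq = itertools.count(1)


def is_spam_flagged(raw):
    """The maildroprc test /^X-Spam-Flag:.*YES/, applied to the header block
    only, so the same text in a message body does not trigger it."""
    headers = raw.split(b"\n\n", 1)[0]
    return re.search(rb"^X-Spam-Flag:.*YES", headers, re.M) is not None


def maildirmake(maildir, folder=None):
    """Create a Maildir, or with folder given a .folder below it as
    'maildirmake -f' does: tmp/new/cur plus the 'maildirfolder' marker
    that tells Courier-IMAP the directory is a subfolder."""
    base = maildir if folder is None else os.path.join(maildir, "." + folder)
    for sub in ("tmp", "new", "cur"):
        os.makedirs(os.path.join(base, sub), mode=0o700, exist_ok=True)
    if folder is not None:
        open(os.path.join(base, "maildirfolder"), "a").close()
    return base


def deliver(maildir, raw):
    """Maildir delivery: write under a unique name in tmp/, then rename into
    new/, so a reader never sees a partially written message."""
    name = "%d.%d_%d.%s" % (int(time.time()), os.getpid(), next(_seq), socket.gethostname())
    tmp = os.path.join(maildir, "tmp", name)
    new = os.path.join(maildir, "new", name)
    with open(tmp, "wb") as f:
        f.write(raw)
    os.rename(tmp, new)
    return new


def spam2junk(home, raw):
    """The rule from maildroprc: flagged mail goes to $HOME/Maildir/.Junk,
    which is created on first use; everything else goes to the inbox."""
    inbox = maildirmake(os.path.join(home, "Maildir"))
    if is_spam_flagged(raw):
        junk = os.path.join(inbox, ".Junk")
        if not os.path.isdir(junk):          # the existence check in maildroprc
            maildirmake(inbox, "Junk")       # maildirmake -f Junk "$HOME/Maildir"
        return deliver(junk, raw)
    return deliver(inbox, raw)


def demo():
    """Deliver both constructed messages into a temporary home directory and
    report where each landed and whether the subfolder marker exists."""
    with tempfile.TemporaryDirectory() as home:
        spam_path = spam2junk(home, SPAM_MSG)
        ham_path = spam2junk(home, HAM_MSG)
        where = lambda p: os.path.relpath(os.path.dirname(p), home)
        marker = os.path.isfile(os.path.join(home, "Maildir", ".Junk", "maildirfolder"))
        return where(spam_path), where(ham_path), marker
```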

Create /etc/logrotate.d/maildrop:

maildrop
/var/log/maildrop.log {
        daily
        notifempty
        missingok
        rotate 5
        compress
        create 600 vmail vmail
        sharedscripts
}

Edit /etc/postfix/main.cf and add:

# maildrop config
virtual_transport = maildrop
maildrop_destination_recipient_limit = 1
maildrop_destination_concurrency_limit = 2

Edit /etc/postfix/master.cf and change

maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}

to

maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -w 90 -d ${recipient}

Create /etc/quotawarnmsg, containing the text of the warning mail sent when a mailbox exceeds its quota.

Configuring extmail and extman

First install the required perl libraries:

  1. apt-get install libarchive-tar-perl libarchive-zip-perl libcompress-zlib-perl libconvert-binhex-perl libconvert-tnef-perl libconvert-uulib-perl libdbd-mysql-perl libdbi-perl libdigest-hmac-perl libdigest-nilsimsa-perl libdigest-sha1-perl libfile-tail-perl libhtml-parser-perl libhtml-tagset-perl libio-multiplex-perl libio-string-perl libio-stringy-perl libio-zlib-perl liblocale-gettext-perl libmailtools-perl libmime-perl libnet-daemon-perl libnet-dns-perl libnet-perl libnet-server-perl libtext-charwidth-perl libtext-iconv-perl libtext-wrapi18n-perl libtimedate-perl libunix-syslog-perl liburi-perl perl-modules perl-suid

Then download extmail, extman and their patches, unpack them and apply the patches; for these steps see the release notes on the official extmail website.

Put extmail and extman, under those two names, into /var/www/cgi-bin/. Then change their owner:

  1. chown vmail.vmail /var/www/cgi-bin/* -R

Create webmail.cf under extmail:

webmail.cf
# sys_config, the config file and webmail programe root
SYS_CONFIG = /var/www/cgi-bin/extmail/
 
# sys_langdir, the i18n dir
SYS_LANGDIR = /var/www/cgi-bin/extmail/lang
 
# sys_templdir, the template dir
SYS_TEMPLDIR = /var/www/cgi-bin/extmail/html
 
# sys_warn, show system warning or not, default to yes
SYS_SHOW_WARN = 0
 
# sys_permit_noquota, permit an account without qouta?
SYS_PERMIT_NOQUOTA = 1
 
# sys_sess_dir, the session dir
SYS_SESS_DIR = /tmp/
 
# sys_sess_timeout, session timeout, default 3 hours (3h) format:
# number+(s|m|h|d|M|y); or only number, the 0 means that the
# session will last for 0 seconds, but if you specify the
# sys_sess_cookie_only = 1 then it means the session will expire
# after you close your browser :)
SYS_SESS_TIMEOUT = 0
 
# sys_sess_cookie_only = 0|1 use cookie only or include cgi "sid"
# parameter ? if set to true(1), the session will be expired after
# sys_sess_timeout if there is no any active request from browser
SYS_SESS_COOKIE_ONLY = 1
 
# sys_user_psize, user default page_size
SYS_USER_PSIZE = 10
 
# sys_user_tsize, user mail subject truncate size, valid type:
# auto    => full text
# screen1 => 800x600
# screen2 => 1024x768
# screen3 => 1280x1024
SYS_USER_SCREEN = auto
 
# sys_user_lang, user default language
SYS_USER_LANG = en_US
 
# sys_user_template, user default template
SYS_USER_TEMPLATE = default
 
# sys_user_charset, user default charset
SYS_USER_CHARSET = utf-8
 
# sys_user_trylocal, user default outgoing encoding mechanism
SYS_USER_TRYLOCAL = 1
 
# sys_user_timezone, user default timezone
SYS_USER_TIMEZONE = +0800
 
# sys_user_* default parameters
SYS_USER_CCSENT = 1
SYS_USER_SHOW_HTML = 1
SYS_USER_COMPOSE_HTML = 1
SYS_USER_CONV_LINK =1
SYS_USER_ADDR2ABOOK = 1
 
# sys_min_pass_len, minimal password length, default 2
SYS_MIN_PASS_LEN = 2
 
# sys_mfilter_on, default is off
SYS_MFILTER_ON = 1
 
# sys_netdisk_on, default is off
SYS_NETDISK_ON = 1
 
# sys_debug_on, default is off
SYS_DEBUG_ON = 1
 
# sys auth type, mysql/ldap/authlib
SYS_AUTH_TYPE = mysql
 
# maildir_base, the base dir of user maildir, use absolute path
# if not set.
SYS_MAILDIR_BASE = /var/vmail
 
# sys_auth_schema, vpopmail1/vpopmail2/virtual
# vpopmail1 => all user accounts in one table
# vpopmail2 => accounts in per domain table
SYS_AUTH_SCHEMA = virtual
 
# crypt_type, the default encrypt type of password, possible type
# currently is crypt|cleartext|plain|md5|plain-md5|ldap-md5|sha|sha1
SYS_CRYPT_TYPE = crypt
 
# if mysql, all relate parameters should prefix as SYS_MYSQL
SYS_MYSQL_USER = mail_admin
SYS_MYSQL_PASS = mail_admin_password
SYS_MYSQL_DB = mail
SYS_MYSQL_HOST = 127.0.0.1
SYS_MYSQL_SOCKET = /var/lib/mysql/mysql.sock
# table name
SYS_MYSQL_TABLE = mailbox
SYS_MYSQL_ATTR_USERNAME = username
SYS_MYSQL_ATTR_DOMAIN = domain
SYS_MYSQL_ATTR_PASSWD = password
SYS_MYSQL_ATTR_QUOTA = quota
SYS_MYSQL_ATTR_NDQUOTA = netdiskquota
SYS_MYSQL_ATTR_HOME = homedir
SYS_MYSQL_ATTR_MAILDIR = maildir
# service enable/disable attributes
# comment them out if you don't want their function
SYS_MYSQL_ATTR_DISABLEWEBMAIL = disablewebmail
SYS_MYSQL_ATTR_DISABLENETDISK = disablenetdisk
 
# if ldap, all relate parameters should prefix as SYS_LDAP
SYS_LDAP_BASE = o=extmailAccount,dc=example.com
SYS_LDAP_RDN = cn=Manager,dc=example.com
SYS_LDAP_PASS = secret
SYS_LDAP_HOST = localhost
# ldif attributes
SYS_LDAP_ATTR_USERNAME = mail
SYS_LDAP_ATTR_DOMAIN = virtualDomain
SYS_LDAP_ATTR_PASSWD = userPassword
SYS_LDAP_ATTR_QUOTA = mailQuota
SYS_LDAP_ATTR_NDQUOTA = netdiskQuota
SYS_LDAP_ATTR_HOME = homeDirectory
SYS_LDAP_ATTR_MAILDIR = mailMessageStore
# service enable/disable attributes
# comment them out if you don't want their function
SYS_LDAP_ATTR_DISABLEWEBMAIL = disablewebmail
SYS_LDAP_ATTR_DISABLENETDISK = disablenetdisk
 
# if authlib, all relate parameters should prefix as AUTHLIB
SYS_AUTHLIB_SOCKET = /var/spool/authdaemon/socket
 
# Global Abook support
# sys_g_abook_type, global abook type, valid is ldap|file, currently
# only support ldap, file module is under development :-)
SYS_G_ABOOK_TYPE = file
 
# if ldap, all relate parameters should prefix as SYS_G_ABOOK_LDAP
SYS_G_ABOOK_LDAP_HOST = localhost
SYS_G_ABOOK_LDAP_BASE = ou=AddressBook,dc=example.com
SYS_G_ABOOK_LDAP_ROOTDN = cn=Manager,dc=example.com
SYS_G_ABOOK_LDAP_ROOTPW = secret
SYS_G_ABOOK_LDAP_FILTER = objectClass=OfficePerson
 
# if file, all relate parameters should prefix as SYS_G_ABOOK_FILE
SYS_G_ABOOK_FILE_PATH = /var/www/cgi-bin/extmail/globabook.cf
SYS_G_ABOOK_FILE_LOCK = 1
SYS_G_ABOOK_FILE_CONVERT = 0
SYS_G_ABOOK_FILE_CHARSET = utf-8

Create webman.cf under the extman directory:

webman.cf
# sys_config, the config file and webman program root
SYS_CONFIG = /var/www/cgi-bin/extman/
 
# sys_langdir, the i18n dir
SYS_LANGDIR = /var/www/cgi-bin/extman/lang
 
# sys_templdir, the template dir
SYS_TEMPLDIR = /var/www/cgi-bin/extman/html
 
# maildir_base, the base dir of user maildir, use absolute path
# if not set.
SYS_MAILDIR_BASE = /var/vmail
 
# sys_warn, show system warning or not, default to yes
SYS_SHOW_WARN = 0
 
# sys_sess_dir, the session dir
SYS_SESS_DIR = /var/tmp/extman/
 
# sys_sess_timeout, session timeout in seconds, default 6 hours
SYS_SESS_TIMEOUT = 21600
 
# sys_user_psize, user default page_size
SYS_PSIZE = 10
 
# sys_user_lang, user default language
SYS_LANG = zh_CN
 
# sys_template_name, the template name
SYS_TEMPLATE_NAME = default
 
# web management related restrictions
# sys_default_expire, valid value: ?y ?m ?d
SYS_DEFAULT_EXPIRE = 10m
 
# sys_default_services, valid value: smtpd, smtp, webmail, netdisk,
# imap and pop3, concatenate with "," as multiple values, eg: webmail,smtpauth
SYS_DEFAULT_SERVICES = webmail,smtpd,smtp,pop3,imap,netdisk
 
# XXX FIXME
# experimental feature, per domain transport/routing capability
# same config style as SYS_USER_ROUTING_LIST
# SYS_DOMAIN_ROUTING_LIST = lmtp:mx1.extmail.org,lmtp:mx2.extmail.org
 
# XXX FIXME
# experimental feature, per user routing capability
# please specify routing info, concatenate with "," as multiple list
# members, eg: smtp:mx1.abc.com,smtp:mx2.abc.com
# SYS_USER_ROUTING_LIST = smtp:[192.168.2.130],smtp:[192.168.2.128]
 
# sys_min_uid, the minimal uid
SYS_MIN_UID = 500
 
# sys_min_gid, the minimal gid
SYS_MIN_GID = 100
 
# sys_default_uid, if not set, webman will ignore it
SYS_DEFAULT_UID = 5000
 
# sys_default_gid, if not set, webman will ignore it
SYS_DEFAULT_GID = 5000
 
# sys_quota_multiplier, in bytes, default to 1 MB
SYS_QUOTA_MULTIPLIER = 1048576
 
# sys_quota_type, valid type: vda|courier
SYS_QUOTA_TYPE = courier
 
# maxquota, alias, users and netdisk quota for domain
SYS_DEFAULT_MAXQUOTA = 10
SYS_DEFAULT_MAXALIAS = 0
SYS_DEFAULT_MAXUSERS = 0
SYS_DEFAULT_MAXNDQUOTA = 10
 
# sys_backend_type mysql|ldap
SYS_BACKEND_TYPE = mysql
 
# sys_crypt_type: crypt|clear|md5|sha
SYS_CRYPT_TYPE = crypt
 
# if mysql, all relate parameters should prefix as SYS_MYSQL
SYS_MYSQL_USER = mail_admin
SYS_MYSQL_PASS = mail_admin_password
SYS_MYSQL_DB = mail
SYS_MYSQL_HOST = 127.0.0.1
SYS_MYSQL_SOCKET = /var/lib/mysql/mysql.sock
# table name
SYS_MYSQL_TABLE = manager
SYS_MYSQL_ATTR_USERNAME = username
SYS_MYSQL_ATTR_PASSWD = password
 
# if ldap, all relate parameters should prefix as SYS_LDAP
#SYS_LDAP_BASE = dc=extmail.org
#SYS_LDAP_RDN = cn=Manager,dc=extmail.org
#SYS_LDAP_PASS = secret
#SYS_LDAP_HOST = localhost
# ldif attributes
#SYS_LDAP_ATTR_USERNAME = mail
#SYS_LDAP_ATTR_PASSWD = userPassword
 
# sys_rrd_datadir, the full path of rrd data
SYS_RRD_DATADIR = /var/lib
 
# sys_rrd_tmpdir, the temp dir for graph
SYS_RRD_TMPDIR = /var/tmp/viewlog
 
# sys_rrd_queue_on, yes|no, show queue or not
SYS_RRD_QUEUE_ON = yes

Create /etc/apache2/conf.d/extmail.conf:

extmail.conf
DocumentRoot /var/www/cgi-bin/extmail/html/
 
Alias /extman/cgi/ /var/www/cgi-bin/extman/cgi/
Alias /extman/ /var/www/cgi-bin/extman/html/
 
<Location "/extman/cgi">
    SetHandler cgi-script
    Options +ExecCGI
    AllowOverride All
</Location>
 
Alias /extmail/cgi/ /var/www/cgi-bin/extmail/cgi/
Alias /extmail /var/www/cgi-bin/extmail/html/
 
<Location "/extmail/cgi">
    SetHandler cgi-script
    Options +ExecCGI
    AllowOverride All
</Location>

Edit /etc/apache2/apache2.conf and change:

User www-data
Group www-data

to

User vmail
Group vmail

Restart apache2:

/etc/init.d/apache2 restart

You can now log in to the mailbox administration interface from a browser; the administrator username and password are both root. At this point the whole configuration is complete.

Configuring the graphical logs in extman

First, edit /var/www/cgi-bin/extman/addon/mailgraph_ext/mailgraph-init and change:

MAIL_LOG=/var/log/maillog

to

MAIL_LOG=/var/log/mail.log

Then copy the files (the destination of the cp is the directory itself, not a glob):

mkdir /usr/local/mailgraph_ext
cp /var/www/cgi-bin/extman/addon/mailgraph_ext/* /usr/local/mailgraph_ext/
cp /var/www/cgi-bin/extman/addon/mailgraph_ext/mailgraph-init /etc/init.d/mailgraph
update-rc.d mailgraph start 20 2 3 4 5 . stop 20 0 1 6 .
cp /var/www/cgi-bin/extman/addon/mailgraph_ext/qmonitor-init /etc/init.d/qmonitor
update-rc.d qmonitor start 20 2 3 4 5 . stop 20 0 1 6 .

Start the services:

/etc/init.d/mailgraph start
/etc/init.d/qmonitor start

Installing Spam Locker for anti-spam filtering

Installing Spam Locker on Debian is fairly simple: most of the Perl packages it needs were already installed above, so installing one more, libnet-ip-perl, is enough:

apt-get install libnet-ip-perl

Then download slockd-0.2beta1.tar.gz, unpack it and move it under /usr/local:

tar zxvf slockd-0.2beta1.tar.gz
mv slockd-0.2beta1 /usr/local/slockd

Then edit /usr/local/slockd/config/main.cf and remove the comment markers in front of the two lines

setsid          1
log_file        /var/log/slockd.log

so that both take effect.

Copy /usr/local/slockd/slockd-init into the /etc/init.d directory, then create the start/stop links for the service:

cp /usr/local/slockd/slockd-init /etc/init.d/slockd
update-rc.d slockd start 19 2 3 4 5 . stop 21 0 1 6 .

Create /etc/logrotate.d/slockd:

slockd
/var/log/slockd.log {
        daily
        notifempty
        missingok
        rotate 5
        compress
        create 644 root root
        sharedscripts
}

Then edit /usr/local/slockd/config/whitelist and add your whitelist entries. After that, start the slockd service:

/etc/init.d/slockd start

Edit /etc/postfix/main.cf and, in

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unknown_sender_domain,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_invalid_hostname,
    check_recipient_maps

replace

check_recipient_maps

with

check_policy_service inet:127.0.0.1:10030

That is all. Then reload Postfix:

/etc/init.d/postfix reload
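The check_policy_service line above makes Postfix consult a policy server over a small line-based protocol: Postfix sends name=value attributes ending in an empty line, and the server answers with one action= line and an empty line. The following is an added Python example of such a server (not slockd's own code; the whitelist entries and the "defer clients without reverse DNS" policy are constructed for illustration); it listens on the same 127.0.0.1:10030 that main.cf points at, so it stands in for slockd rather than running beside it.

```python
import socketserver

# Constructed whitelist in the spirit of /usr/local/slockd/config/whitelist:
# client address prefixes and sender domains that skip further checks.
WHITELIST_CLIENTS = ("192.168.2.", "127.0.0.1")
WHITELIST_SENDERS = {"example.org"}

def parse_request(text: str) -> dict:
    """Postfix sends 'name=value' lines; an empty line ends the request."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def decide(attrs: dict) -> str:
    """Illustrative policy: whitelisted peers pass (DUNNO lets later
    restrictions decide), clients with no reverse DNS are told to retry."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    client = attrs.get("client_address", "")
    sender_domain = attrs.get("sender", "").rpartition("@")[2].lower()
    if client.startswith(WHITELIST_CLIENTS) or sender_domain in WHITELIST_SENDERS:
        return "DUNNO"
    if attrs.get("client_name", "unknown") == "unknown":
        return "DEFER_IF_PERMIT Service temporarily unavailable, please retry later"
    return "DUNNO"

def format_response(action: str) -> str:
    """Reply is a single 'action=' line followed by an empty line."""
    return f"action={action}\n\n"

class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        while True:              # Postfix may send several requests per connection
            lines = []
            for raw in self.rfile:
                line = raw.decode("utf-8", "replace").rstrip("\r\n")
                if not line:
                    break
                lines.append(line)
            else:
                return           # peer closed the connection
            reply = format_response(decide(parse_request("\n".join(lines))))
            self.wfile.write(reply.encode())
            self.wfile.flush()

def serve(host="127.0.0.1", port=10030):
    """Listen where main.cf's check_policy_service inet:127.0.0.1:10030 points."""
    with socketserver.ThreadingTCPServer((host, port), PolicyHandler) as srv:
        srv.serve_forever()
```

Run serve() as an unprivileged user and watch mail.log: each RCPT command from a client without a PTR record is answered 450 and the sending MTA retries.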

Firewall configuration

A firewall is essential for keeping the server secure. Run the following as root:

iptables -F
iptables -N FIREWALL
iptables -F FIREWALL
iptables -A INPUT -j FIREWALL
iptables -A FORWARD -j FIREWALL
iptables -A FIREWALL -p tcp -m tcp --dport 993 --syn -j ACCEPT
iptables -A FIREWALL -p tcp -m tcp --dport 995 --syn -j ACCEPT
iptables -A FIREWALL -p tcp -m tcp --dport 110 --syn -j ACCEPT
iptables -A FIREWALL -p tcp -m tcp --dport 143 --syn -j ACCEPT
iptables -A FIREWALL -p tcp -m tcp --dport 80 --syn -j ACCEPT
iptables -A FIREWALL -p tcp -m tcp --dport 443 --syn -j ACCEPT
iptables -A FIREWALL -p tcp -m tcp --dport 465 --syn -j ACCEPT
iptables -A FIREWALL -p tcp -m tcp --dport 22 --syn -j ACCEPT
iptables -A FIREWALL -p tcp -m tcp --dport 25 --syn -j ACCEPT
iptables -A FIREWALL -i lo -j ACCEPT
iptables -A FIREWALL -p udp -m udp --sport 53 -j ACCEPT
iptables -A FIREWALL -p udp -m udp --dport 161 -j ACCEPT
iptables -A FIREWALL -p udp -m udp --sport 6277 -j ACCEPT
iptables -A FIREWALL -p udp -m udp --sport 24441 -j ACCEPT
iptables -A FIREWALL -p tcp -m tcp --syn -j REJECT
iptables -A FIREWALL -p udp -m udp -j REJECT
iptables-save > /etc/firewall-rules
iptables-restore < /etc/firewall-rules

My settings here are relatively loose: port 22 is open to all IPs for ease of administration. Port 161 is the SNMP port, which I open for remote monitoring, so it is optional. Ports 6277 and 24441 are the ports that Razor/Pyzor/DCC/SA need to reach.

Run

iptables -L

to see the rules you have set; if something is wrong, clear them with iptables -F and set them again.

To apply the rules at boot, edit /etc/network/interfaces and add the following after iface lo inet loopback:

pre-up iptables-restore < /etc/firewall-rules
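To see what this ruleset actually permits, here is an added Python model of the FIREWALL chain (example code, not part of the original post); the rules are transcribed in order from the script above and the packets are constructed. Because the script never changes the INPUT policy, anything the chain does not match returns to INPUT's iptables default of ACCEPT, which the model makes visible for non-SYN TCP segments and for UDP keyed only on source port.

```python
from dataclasses import dataclass

@dataclass
class Pkt:
    """A constructed inbound packet, reduced to the fields the rules test."""
    proto: str            # "tcp" or "udp"
    dport: int = 0
    sport: int = 0
    syn: bool = False     # TCP SYN set, ACK/RST/FIN clear (iptables --syn)
    iface: str = "eth0"   # incoming interface

def tcp_syn_to(port):
    return lambda p: p.proto == "tcp" and p.syn and p.dport == port

def udp_from(port):
    return lambda p: p.proto == "udp" and p.sport == port

# (match, verdict) pairs in the order the script appends them to FIREWALL
RULES = [
    *[(tcp_syn_to(port), "ACCEPT") for port in (993, 995, 110, 143, 80, 443, 465, 22, 25)],
    (lambda p: p.iface == "lo", "ACCEPT"),
    (udp_from(53), "ACCEPT"),                                   # DNS replies
    (lambda p: p.proto == "udp" and p.dport == 161, "ACCEPT"),  # SNMP
    (udp_from(6277), "ACCEPT"),
    (udp_from(24441), "ACCEPT"),
    (lambda p: p.proto == "tcp" and p.syn, "REJECT"),
    (lambda p: p.proto == "udp", "REJECT"),
]

def verdict(p: Pkt) -> str:
    """First matching rule wins. A packet matching nothing returns from the
    user chain to INPUT, whose policy the script leaves at the default ACCEPT."""
    for match, action in RULES:
        if match(p):
            return action
    return "ACCEPT (INPUT policy)"

if __name__ == "__main__":
    samples = (Pkt("tcp", dport=25, syn=True), Pkt("tcp", dport=3306, syn=True),
               Pkt("tcp", dport=3306), Pkt("udp", dport=3306, sport=6277))
    for p in samples:
        print(p, "->", verdict(p))
```

The two fall-through cases are why a stateless --syn filter is usually paired with a conntrack rule (ESTABLISHED,RELATED) plus a DROP policy, and why the UDP source-port accepts are better restricted to the addresses of the Razor/Pyzor/DCC servers.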

References
