Salut à tous. Je reviens de mon périple, j'ai nommé l'épisode Serveur de mail ^^.
Alors pour commencer quel sera l'architecture :
- Liaison Dovecot / Postfix avec authentification PAM & SASL:
- Filtrage SIeve activé et utilisable (Sous Thunderbird comme sous Roundcube)
- Sécurisé au moyen de SSL aussi bien pour Postfix que pour Dovecot
- Unification Postfix / Dovecot : L'authentification se fait à l'aide de Dovecot ainsi que la livraison des mail (MDA)
En résumé les protocoles disponibles : POP, POP SSL, SMTP SMTP SSL, IMAP IMAP SSL
Par contre je ne me suis pas encore attélé à la partie SPAM (Mais qui reste relativement simple)
pour commencer, le /etc/postfix/main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file=/etc/postfix/smtp.crt
smtpd_tls_key_file=/etc/postfix/smtp.key
smtp_tls_CAfile = /etc/postfix/ca.crt
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_sasl_password_maps = hash:/etc/postfix/relay_passwd
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = domain.lan
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = serveur.domain.lan
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = serveur.domain.lan, localhost.domain.lan, localhost, domain.lan
relayhost = [smtp.mailoo.org]:225
mynetworks = 127.0.0.0/8, 192.168.100.200, 192.168.200.200
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = 127.0.0.1, 192.168.100.200, 192.168.200.200
inet_protocols = ipv4
mailbox_command = /usr/lib/dovecot/deliver
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
# Wait until the RCPT TO command before evaluating restrictions
smtpd_delay_reject = yes
# Basics Restrictions
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
# Requirements for the connecting server
smtpd_client_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_rbl_client bl.spamcop.net,
reject_rbl_client dnsbl.njabl.org,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client sbl-xbl.spamhaus.org,
reject_rbl_client list.dsbl.org,
permit
# Requirements for the HELO statement
smtpd_helo_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_non_fqdn_hostname,
reject_invalid_hostname,
permit
# Requirements for the sender address
smtpd_sender_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
permit
# Requirement for the recipient address
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
reject_unauth_destination,
permit
Avec cette conf on est sécurisé contre l'open relay (Serveur Relai SMTP ouvert => Gros facteur de spam)
Ensuite /etc/postfix/master.cf avec les bonnes options
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - - - - smtpd
submission inet n - - - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
#628 inet n - - - - qmqpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - - 300 1 oqmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - - - - smtp
-o smtp_fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}
# Dovecot LDA
dovecot unix - n n - - pipe
flags=DRhu user=vmail:mail argv=/usr/lib/dovecot/deliver -d $recipient
Passon à la partie dovecot :
## Fichier Configuration - Serveur POP (SSL) / IMAP (SSL) Dovecot
base_dir = /var/run/dovecot/
protocols = imap pop imaps pops managesieve lda
protocol imap {
listen = 192.168.100.200:143
ssl_listen = 192.168.100.200:993
login_executable = /usr/lib/dovecot/imap-login
mail_executable = /usr/lib/dovecot/imap
mail_plugin_dir = /usr/lib/dovecot/imap
imap_logout_format = bytes ( in=%i : out=%o )
}
protocol pop3 {
listen = *:110
ssl_listen = *:995
pop3_enable_last = no
login_executable = /usr/lib/dovecot/pop3-login
mail_executable = /usr/lib/dovecot/pop3
mail_plugin_dir = /usr/lib/dovecot/pop3
pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s
}
protocol managesieve {
listen = *:2000
login_executable = /usr/lib/dovecot/managesieve-login
mail_executable = /usr/lib/dovecot/managesieve
managesieve_max_line_length = 65536
managesieve_logout_format = bytes ( in=%i : out=%o )
}
protocol lda {
postmaster_address = postmaster@domain.lan
auth_socket_path = /var/run/dovecot/auth-master
hostname = server.domain.com
log_path = /var/log/dovecot-lda-errors.log
info_log_path = /var/log/dovecot-lda-info.log
mail_plugins = sieve
mail_plugin_dir = /usr/lib/dovecot/modules/lda
}
plugin {
sieve=~/.dovecot.sieve
sieve_dir=~/.Sieve
}
disable_plaintext_auth = no
shutdown_clients = yes
auth default {
mechanisms = plain login
passdb pam {
args = failure_show_msg=yes
}
userdb passwd {
args =
}
socket listen {
master {
path = /var/run/dovecot/auth-master
mode = 0666
}
client {
path = /var/spool/postfix/private/auth
mode = 0666
user = postfix
group = postfix
}
}
}
##
## Logging
##
log_path = /var/log/dovecot/dovecot.log
info_log_path = /var/log/dovecot/dovecot-info.log
log_timestamp = "%Y-%m-%d %H:%M:%S "
syslog_facility = mail
##
## SSL settings
##
ssl = yes
ssl_cert_file = /root/pki/certificats/serveur/imap.crt
ssl_key_file = /root/pki/certificats/serveur/imap.key
ssl_ca_file = /root/pki/CA/ca.crt
ssl_verify_client_cert = no
ssl_cipher_list = ALL:!LOW:!SSLv2
verbose_ssl = yes
mail_location = maildir:~/.Maildir
Concernant le dossier de logs voici les droits à avoir (Postfix inscrit les logs dans les fichiers logs de Dovecot vu que Dovecot est le MDA)
- Chmod 755 sur /var/log/dovecot
- Chmod 777 sur /var/log/dovecot/dovecot.log
- Chmod 777 sur /var/log/dovecot/dovecot-info.log
Postfix dois faire partis du groupe dovecot
Concernant les droits de /var/log/dovecot je sais ça peux se discuter mais c'est le seul moyens que j'ai trouvé pour le moment et qui colle à la config.
Ensuite, pour le reste, il faut mettre les adresses mails dans /etc/aliases afin de faire la jonction compte utilisateur local - compte mail :
/etc/aliases
root: utilisateur_local
info: utilisateur_local
Vous pouvez également relayer les messages sur d'autres serveur smtp suivant l'adresse d'envoi utilisée en utilisant la syntaxe suivante dans un fichier relay_passwd (cf paramètre postfix dans main.cf "smtp_sasl_password_maps")
[smtp.serveur.org]:"port" utilisateur@serveur.org:Mot de passe
Voili voilou comme premier jets. j'ajouterais par la suite la partie fetchmail (pour récupérer vos mail depuis d'autres boites mails pop externes) ainsi que Roundcube et SpamAssassin.
N'hésitez pas à mettre vos remarques et contribuez également si vous avez des idées.
Dernière modification par mecanotox (06-09-2012 20:15:56)
Debian
Debian-France
Debian-Facile
Debian-fr.org
Forum-Debian.fr
Debian ?
Communautés
