CentOS7 安裝 iRedMail Mail Server

• 安裝環境 : CentOS Linux release 7.5.1804 (Core)

  cat /etc/redhat-release

• iRedMail 0.9.8
• IP : 172.21.20.253
• DN : iredmail.ichiayi.com
• hostname : iredmail

• 關閉 selinux

  vi /etc/selinux/config

  :
  SELINUX=disabled

• 設定 /etc/sysconfig/network

  HOSTNAME=iredmail.ichiayi.com

• 設定 /etc/hosts

  127.0.0.1   iredmail.ichiayi.com iredmail localhost localhost.localdomain

• 設定 /etc/hostname

  iredmail.ichiayi.com

• 重新開機

  sync;sync;sync;reboot

su - root
yum install wget bzip2
cd /root/
wget https://bitbucket.org/zhb/iredmail/downloads/iRedMail-0.9.9.tar.bz2
tar xjf iRedMail-0.9.9.tar.bz2
cd /root/iRedMail-0.9.9/
bash iRedMail.sh

• 安裝完成最後更新完成掃毒病毒碼 daily.cld 之後, 要重新開機所有服務才能正常啟動

  sync;sync;sync;reboot

• DNS : MX / DKIM / SPF 設定 / DMARC
• 重新產生 DKIM key
  • 參考 - https://docs.iredmail.org/sign.dkim.signature.for.new.domain.html 操作語法

    amavisd -c /etc/amavisd/amavisd.conf genrsa /var/lib/dkim/mail3.ichiayi.com.pem
    chown amavis:amavis /var/lib/dkim/mail3.ichiayi.com.pem
    chmod 0400 /var/lib/dkim/mail.ichiayi.com.pem
    vi /etc/amavisd/amavisd.conf

    :
    # Add dkim_key here.
    dkim_key('mail3.ichiayi.com', 'dkim', '/var/lib/dkim/mail3.ichiayi.com.pem');
    :
    @dkim_signature_options_bysender_maps = ({
    :
        # catch-all (one dkim key for all domains)
        '.' => {d => 'mail3.ichiayi.com',
    :

    systemctl restart amavisd 

    至 DNS 設定 DKIM Public Key

    amavisd -c /etc/amavisd/amavisd.conf showkeys

    Exp. dkim._domainkey.mail3.ichiayi.com

    dkim._domainkey.mail3.ichiayi.com.     3600 TXT (
      "v=DKIM1; p="
      "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCrXC0tedP//DPy+CcC72g8lNw"
      "8H9igOIphFtrvNKknJPKlKaxLP8cy41rWI91WHFS0jxPyJh39kzP7ueukUMDUE0d"
      "veNPGOfYh32sdn5xNSYKg3l1HTj7wLIKsedN0E4aWbsBVwqAkgU3JJky7JzCc98R"
      "G4wj6UPgbQVBKxtgNwIDAQAB")

• IP 反查設定 → 找 ISP 協助
• 設定 aliases domain 的方式 - https://docs.iredmail.org/sql.add.alias.domain.html SQL 語法

  INSERT INTO alias_domain (alias_domain, target_domain) VALUES ('alias-1.com', 'example.com');

• 設定 aliases - mail list (虛擬信箱轉寄實際信箱) 的方式 - https://docs.iredmail.org/user.alias.address.html SQL 語法

  INSERT INTO forwardings (address, forwarding, DOMAIN, dest_domain, is_alias, active)
  	VALUES ('[email protected]', '[email protected]', 'ichiayi.com', 'ichiayi.com', 1, 1);

• 設定 aliases - mail forwarding (收信轉寄給其他信箱) 的方式 - https://docs.iredmail.org/sql.user.mail.forwarding.html SQL 語法

  INSERT INTO forwardings (address, forwarding, DOMAIN, dest_domain, is_forwarding, active)
  	VALUES ('[email protected]', '[email protected]', 'ichiayi.com', 'ichiayi.com', 1, 1);

• 設定多個 domain 的 DKIM - https://docs.iredmail.org/sign.dkim.signature.for.new.domain.html
• 設定預設 domain 的處理方式 - 主要是修改 dovecot.conf 內的 auth_default_realm

  vi /etc/dovecot/dovecot.conf

  :
  auth_default_realm = mail.ichiayi.com
  :

• 解決 outlook 寄信無法使用 STARTTLS(port:587) 需要設定提供 SMTPS(port:465) - https://docs.iredmail.org/enable.smtps.html
• 調整限制附件大小設定
  • 參考 - https://docs.iredmail.org/change.mail.attachment.size.html
  • Exp. 20M ⇒ 20*1024*1024=20971520 因為 MIME 的編碼特性, 所以要再 * 1.5 會比較接近 ⇒ 20971520 * 1.5= 31457280

    postconf -e message_size_limit=31457280
    systemctl restart postfix

• 自動刪除 Trash 的信件方式
  • 參考 - https://forum.iredmail.org/topic10062-iredmail-support-auto-delete-emails-in-users-trash.html
  • 建立清除信件命令

    /root/dovecot_expunge.sh

    #!/bin/bash
    #
    DOVEADM="/usr/bin/doveadm";
     
    $DOVEADM expunge -A mailbox Trash savedbefore 3d
    $DOVEADM expunge -A mailbox Junk  savedbefore 30d

  • 執行命令

    chmod a+x /root/dovecot_expunge.sh

  • 設定 crontab 設定

    /etc/crontab

    :
    # delete iRedMail emails in Trash older than 3 days and in Junk older than 30 days.
    30 3 * * * root /root/dovecot_expunge.sh > /tmp/dovecot_expunge.log

  • 重新啟動 crond

    service crond restart

• 特定 SMTP 認證帳號寄信可以不需要檢查 From 與 SMTP 認證帳號相同設定方式
  • 出現的錯誤訊息類似:

    SMTPRecipientsRefused: {'xxx@xxx': (554, '5.7.1 <xxx@xxx>: Recipient address rejected: Sender is not same as SMTP authenticate username')}

  • 參考 - https://docs.iredmail.org/errors.html#recipient-address-rejected-sender-is-not-same-as-smtp-authenticate-username
  • 修改 /opt/iredapd/settings.py 最後加入以下設定 Exp. 增加 SMTP 的 [email protected] 認證就不需要檢查 From 是否一致

    :
    # https://docs.iredmail.org/errors.html#recipient-address-rejected-sender-is-not-same-as-smtp-authenticate-username
    ALLOWED_LOGIN_MISMATCH_SENDERS = ['[email protected]']
    

  • 重新啟動 iredapd 服務

    systemctl restart iredapd

• 關閉 ClamAV 防毒軟體的作法 (2019/5/27 寄信附件含 PDF 會出現 Win.Exploit.CVE_2019_0903-6966169-0 誤判問題)
  • 參考 - https://forum.iredmail.org/topic3149-iredmail-support-disable-clamav-and-turn-off.html
  • 修改 /etc/amavisd/amavisd.conf @bypass_virus_checks_maps 由 0 改成 1 關閉掃毒功能

    :
    # controls running of anti-virus/spam code: 0 -> enabled, 1 -> disabled.
    @bypass_virus_checks_maps = (1);
    :

    重新啟動 amavisd 服務

    systemctl restart amavisd

• 除修改 /etc/hosts 之外還有其他服務設定檔都要一起修改
• 參考 - https://docs.iredmail.org/change.server.hostname.html
  • /etc/hosts
  • /etc/sysconfig/network
  • /var/spool/postfix/etc/hosts
  • /etc/postfix/main.cf
  • /etc/amavisd/amavisd.conf

• 設定 SSL 憑證 : https://docs.iredmail.org/use.a.bought.ssl.certificate.html
  • 取得免費的 LetsEncrypt ssl 憑證 參考 - 申請設定 Let's Encrypt 免費 SSL 憑證(CentOS + Apache/Nginx)
    • Exp. 取得的憑證存放在 /etc/letsencrypt/live/mail.ichiayi.com/
  • 設定 Postfix (SMTP server) 執行命令

    postconf -e smtpd_tls_cert_file='/etc/letsencrypt/live/mail.ichiayi.com/cert.pem'
    postconf -e smtpd_tls_key_file='/etc/letsencrypt/live/mail.ichiayi.com/privkey.pem'
    postconf -e smtpd_tls_CAfile='/etc/letsencrypt/live/mail.ichiayi.com/fullchain.pem'
    systemctl restart postfix 

  • 設定 Dovecot (POP3/IMAP server) 參考設定內容

    /etc/dovecot/dovecot.conf

    ssl = required
    ssl_cert = </etc/letsencrypt/live/mail.ichiayi.com/cert.pem
    ssl_key = </etc/letsencrypt/live/mail.ichiayi.com/privkey.pem
    ssl_ca = </etc/letsencrypt/live/mail.ichiayi.com/fullchain.pem

    執行命令

    systemctl restart dovecot

  • 設定 WebMail(nginx) 參考執行命令

    cd /etc/pki/tls/
    mv cert.pem cert.pem.old
    ln -s /etc/letsencrypt/live/mail.ichiayi.com/fullchain.pem cert.pem
    cd certs/
    mv iRedMail.crt iRedMail.crt.old
    ln -s /etc/letsencrypt/live/mail.ichiayi.com/cert.pem iRedMail.crt
    cd ../private/
    mv iRedMail.key iRedMail.key.old
    ln -s /etc/letsencrypt/live/mail.ichiayi.com/privkey.pem iRedMail.key
    service nginx restart

  • 確認設定的 SSL 憑證有正式運作
    • IMAP 執行命令

      openssl s_client -showcerts -connect mail.ichiayi.com:993

    • POP3 執行命令

      openssl s_client -showcerts -connect mail.ichiayi.com:995

    • SMTP 執行命令

      openssl s_client -showcerts -connect mail.ichiayi.com:587 -starttls smtp

    • Web 執行命令

      openssl s_client -showcerts -connect mail.ichiayi.com:443

• 設定 greylisting 白名單的方式 - https://docs.iredmail.org/manage.iredapd.html#greylisting
  1. iredapd.greylisting_whitelist 資料表先增加白名單網域 Exp. ik2.com SQL 語法

     INSERT INTO iredapd.greylisting_whitelist_domains (DOMAIN) VALUES ('ik2.com');

  2. 執行spf_to_greylist_whitelists.py 讓白名單生效 執行命令

     /opt/iredapd/tools/spf_to_greylist_whitelists.py

• 設定 spam 白名單與黑名單
  • 參考網址 - https://docs.iredmail.org/amavisd.wblist.html
  1. 新增白名單: Exp. 來自 [email protected] 加入白名單 執行命令

     python /opt/iredapd/tools/wblist_admin.py --add --whitelist [email protected]

  2. 新增黑名單: Exp. 來自 [email protected] 加入黑名單 執行命令

     python /opt/iredapd/tools/wblist_admin.py --add --blacklist [email protected]

  3. 顯示目前設定的白名單與黑名單 執行命令

     python /opt/iredapd/tools/wblist_admin.py --list --whitelist
     python /opt/iredapd/tools/wblist_admin.py --list --blacklist

• fail2ban 的白名單設定
  • 參考 - https://www.ichiayi.com/wiki/tech/fail2ban_unban
  • 參考 - https://forum.iredmail.org/topic10045-iredmail-support-solved-fail2ban-problems.html
  • 將要列入的 IP 寫在 /etc/fail2ban/jail.local 內的 ignoreip = 後面 看範例.

    :
    maxretry    = 5
    ignoreip    = 127.0.0.1 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 60.248.245.172/32

  • 重新載入設定 執行命令

    service fail2ban reload

• 是透過新舊 Mail Server 的 imap 協定來將舊 Mail Server 內的信件移轉至新 Mail Server 內
• 安裝 imapsync

  yum install imapsync

• 假設要移轉 jonathan 的信件, 要知道新舊主機 jonathan 的密碼, 將密碼寫入 /root/sync_info/jonathan 檔案內, 然後執行以下的語法

  imapsync --host1 mail.ichiayi.com --user1 jonathan --passfile1 /root/sync_info/jonathan --host2 192.168.11.236 --user2 jonathan --passfile2 /root/sync_info/jonathan

• 參考 - https://docs.iredmail.org/iredmail.releases.html
• Exp. 目前版本是 0.9.8 預計更新到最新版 0.9.9 → 參考 https://docs.iredmail.org/upgrade.iredmail.0.9.8-0.9.9.html

1. Upgrade iRedAPD → 5.0.2 - https://docs.iredmail.org/upgrade.iredapd.html

   su - root
   mkdir -p 0.9.9
   cd 0.9.9
   wget -O iRedAPD-5.0.2.tar.gz https://github.com/iredmail/iRedAPD/archive/5.0.2.tar.gz
   tar zxf iRedAPD-5.0.2.tar.gz
   cd iRedAPD-5.0.2/tools/
   bash upgrade_iredapd.sh

   查看更新紀錄

   tail -500 /var/log/iredapd/iredapd.log

2. Upgrade iRedAdmin → 1.3 - https://docs.iredmail.org/migrate.or.upgrade.iredadmin.html

   cd /root/0.9.9
   wget https://dl.iredmail.org/yum/misc/iRedAdmin-1.3.tar.gz
   tar zxvf iRedAdmin-1.3.tar.gz
   cd iRedAdmin-1.3/tools/
   bash upgrade_iredadmin.sh

3. Upgrade mlmmjadmin → 3.1.2 - https://docs.iredmail.org/upgrade.mlmmjadmin.html

   cd /root/0.9.9
   wget https://github.com/iredmail/mlmmjadmin/archive/3.1.2.tar.gz
   tar zxf 3.1.2.tar.gz
   cd mlmmjadmin-3.1.2/tools/
   bash upgrade_mlmmjadmin.sh

4. Upgrade Roundcube webmail → 1.4.11 - https://github.com/roundcube/roundcubemail/wiki/Upgrade

   cd /root/0.9.9
   wget https://github.com/roundcube/roundcubemail/releases/download/1.4.11/roundcubemail-1.4.11-complete.tar.gz
   tar xf roundcubemail-*.tar.gz
   cd roundcubemail-*
   bin/installto.sh /var/www/roundcubemail

   如果無法執行 /bin/installto.sh 可能要檢查 /etc/php.ini 內是否關閉 system 的命令使用

5. Upgrade netdata → 1.12.0 - https://docs.iredmail.org/upgrade.netdata.html

   wget https://github.com/netdata/netdata/releases/download/v1.12.0/netdata-v1.12.0.gz.run
   chmod +x netdata-*.gz.run
   ./netdata-*.gz.run --accept

6. Fix improper Nginx config files for Roundcube

   vi /etc/nginx/templates/roundcube.tmpl

   :
   location ~ ^/mail/(bin|config|installer|logs|SQL|temp|vendor)($|/.*) { deny all; }
   :
   location ~ ^/mail/(CHANGELOG|composer.json|INSTALL|jsdeps.json|LICENSE|README|UPGRADING)($|.*) { deny all; }
   :
   location ~ ^/mail/plugins/.*/config.inc.php.* { deny all; }
   :
   location ~ ^/mail/plugins/enigma/home($|/.*) { deny all; }
   :

   vi /etc/nginx/templates/roundcube-subdomain.tmpl

   :
   location ~ ^/(bin|config|installer|logs|SQL|temp|vendor)/.* { deny all; }
   :
   location ~ ^/(CHANGELOG|composer.json|INSTALL|jsdeps.json|LICENSE|README|UPGRADING)$ { deny all; }
   :
   location ~ ^/plugins/.*/config.inc.php.* { deny all; }
   :
   location ~ ^/plugins/enigma/home($|/.*) { deny all; }
   :

7. Improve mlmmj script used for appending footer text

   cd /usr/bin/
   wget -O mlmmj-amime-receive https://raw.githubusercontent.com/iredmail/iRedMail/master/samples/mlmmj/mlmmj-amime-receive
   chown mlmmj:mlmmj mlmmj-amime-receive
   chmod 0550 mlmmj-amime-receive

8. Fix address mapping issue for mlmmj mailing list

   vi /etc/amavisd/amavisd.conf

   :
   $policy_bank{'MLMMJ'} = {
       ...
       forward_method => 'smtp:[127.0.0.1]:10028',
   };
   :

   vi /etc/postfix/master.cf

   :
   127.0.0.1:10028 inet n  -   n   -   -  smtpd
       -o syslog_name=postfix/10028
       -o content_filter=
       -o mynetworks_style=host
       -o mynetworks=127.0.0.1
       -o local_recipient_maps=
       -o relay_recipient_maps=
       -o strict_rfc821_envelopes=yes
       -o smtp_tls_security_level=none
       -o smtpd_tls_security_level=none
       -o smtpd_restriction_classes=
       -o smtpd_delay_reject=no
       -o smtpd_client_restrictions=permit_mynetworks,reject
       -o smtpd_helo_restrictions=
       -o smtpd_sender_restrictions=
       -o smtpd_recipient_restrictions=permit_mynetworks,reject
       -o smtpd_end_of_data_restrictions=
       -o smtpd_error_sleep_time=0
       -o smtpd_soft_error_limit=1001
       -o smtpd_hard_error_limit=1000
       -o smtpd_client_connection_count_limit=0
       -o smtpd_client_connection_rate_limit=0
       -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
   

   systemctl restart postfix 
   systemctl restart amavisd 

9. Fixed: SOGo backup script ¹⁾

   cd /var/vmail/backup/
   wget -O backup_sogo.sh https://raw.githubusercontent.com/iredmail/iRedMail/master/tools/backup_sogo.sh
   chown root backup_sogo.sh
   chmod 0400 backup_sogo.sh

10. MySQL/MariaDB special
    1. SQL structure changes in vmail database

       cd /root/0.9.9
       wget -O iredmail.mysql https://raw.githubusercontent.com/iredmail/iRedMail/master/update/0.9.9/iredmail.mysql
       mysql vmail < iredmail.mysql

    2. Dovecot: read mailbox format from SQL

       vi /etc/dovecot/dovecot-mysql.conf

       :
       user_query = SELECT \
                   ...
                   LOWER(CONCAT(mailbox.storagebasedirectory, '/', mailbox.storagenode, '/', mailbox.maildir)) AS home, \
                   CONCAT(mailbox.mailboxformat, ':~/', mailbox.mailboxfolder, '/') AS mail, \
                   ...
       :

       systemctl restart dovecot

11. 更新 /etc/iredmail-release 內容為 0.9.9

    vi /etc/iredmail-release

    0.9.9
    #0.9.8 MARIADB edition.
    :

• 如要移除請參考 - https://forum.iredmail.org/topic15606-how-to-removeuninstall-netdata.html
• 關閉的語法

  systemctl stop netdata
  systemctl disable netdata

• 參考 - https://forum.iredmail.org/topic2699-iredmail-support-how-to-remove-or-disable-spf-andor-dkim.html
• 關閉的語法

  vi /etc/mail/spamassassin/init.pre

  :
  #loadplugin Mail::SpamAssassin::Plugin::SPF
  :

  systemctl restart amavisd

• 2020/08 之後開始出現這問題, 快速解決方式是將 amavisd 服務啟動

  systemctl start amavisd
  systemctl enable amavisd

• 可以直接透過資料庫加上一位現有的信箱用戶當管理者 Exp. [email protected]
• 登入 iRedMail 的資料庫

  mysql -u root -p
  USE vmail;
  select isadmin,isglobaladmin from mailbox where username = '[email protected]';
  UPDATE mailbox SET isadmin=1, isglobaladmin=1 WHERE  username = '[email protected]';
  INSERT INTO domain_admins (username, domain) VALUES ('[email protected]', 'ALL');

• 看詳細過程

  mysql -u root -p
  MariaDB [(none)]> USE vmail;
  Reading table information for completion of table and column names
  You can turn off this feature to get a quicker startup with -A
  
  Database changed
  MariaDB [vmail]> select isadmin,isglobaladmin from mailbox where username = '[email protected]';
  +---------+---------------+
  | isadmin | isglobaladmin |
  +---------+---------------+
  |       0 |             0 |
  +---------+---------------+
  1 row in set (0.00 sec)
  
  MariaDB [vmail]> UPDATE mailbox SET isadmin=1, isglobaladmin=1 WHERE  username = '[email protected]';
  Query OK, 1 row affected (0.00 sec)
  Rows matched: 1  Changed: 1  Warnings: 0
  
  MariaDB [vmail]>  INSERT INTO domain_admins (username, domain) VALUES ('[email protected]', 'ALL');
  Query OK, 1 row affected (0.00 sec)
  MariaDB [vmail]> exit
  Bye

• 使用這位帳號密碼登入 iRedAdmin 就可以進行 Web 的管理

• https://docs.iredmail.org/install.iredmail.on.rhel.html
• https://www.iredmail.org/download.html
• https://www.digitalocean.com/community/questions/setting-up-iredmail-with-digital-ocean
• https://serverfault.com/questions/853102/nginx-could-not-build-map-hash-you-should-increase-map-hash-bucket-size-64
• https://www.howtoforge.com/community/threads/postfix-554-relay-access-denied.55720/
• https://www.howtoforge.com/postfix-do-not-list-domain-example.com-in-both-mydestination-and-virtual_mailbox_domains#error-postfix-do-not-list-domain-examplecom-in-both-mydestination-and-virtualmailboxdomains
• http://blog.xuite.net/tolarku/blog/233356505-DNS+%E8%A8%AD%E5%AE%9A+spf+%E8%A8%98%E9%8C%84+-+Sender+Policy+Framework
• https://forum.iredmail.org/topic4097-iredmail-support-change-default-login-domain.html
• https://support.plesk.com/hc/en-us/articles/213961665-How-to-verify-that-SSL-for-IMAP-POP3-SMTP-works-and-the-proper-certificate-is-installed-using-Linux
• https://forum.iredmail.org/topic11159-iredmail-support-how-to-reset-the-postmaster-password-for-iredadmin.html