tech:iredmail [2020/04/30 10:10] – [相關設定與驗證測試] jonathan_tsai | tech:iredmail [2020/09/23 20:22] – [關閉 SPF 的方式] jonathan_tsai | ||
行 1: | 行 1: | ||
+ | ====== CentOS7 安裝 iRedMail Mail Server ====== | ||
+ | * 安裝環境 : ++CentOS Linux release 7.5.1804 (Core) |<code sh>cat / | ||
+ | * iRedMail 0.9.8 | ||
+ | * IP : 172.21.20.253 | ||
+ | * DN : iredmail.ichiayi.com | ||
+ | * hostname : iredmail | ||
+ | ===== 環境準備 ===== | ||
+ | * 關閉 selinux <code sh> | ||
+ | vi / | ||
+ | : | ||
+ | SELINUX=disabled | ||
+ | </ | ||
+ | * 設定 / | ||
+ | HOSTNAME=iredmail.ichiayi.com | ||
+ | </ | ||
+ | * 設定 /etc/hosts < | ||
+ | 127.0.0.1 | ||
+ | </ | ||
+ | * 設定 / | ||
+ | iredmail.ichiayi.com | ||
+ | </ | ||
+ | * 重新開機< | ||
+ | sync; | ||
+ | </ | ||
+ | |||
+ | ===== 下載安裝 iRedMail ===== | ||
+ | <code sh> | ||
+ | su - root | ||
+ | yum install wget bzip2 | ||
+ | cd /root/ | ||
+ | wget https:// | ||
+ | tar xjf iRedMail-0.9.9.tar.bz2 | ||
+ | cd / | ||
+ | bash iRedMail.sh | ||
+ | </ | ||
+ | |||
+ | * 安裝完成最後更新完成掃毒病毒碼 daily.cld 之後, 要重新開機所有服務才能正常啟動< | ||
+ | sync; | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | * 如果執行安裝時一直出現 /etc/hosts 的設定錯誤, | ||
+ | * 如果是安裝在中國機房, | ||
+ | IREDMAIL_EPEL_MIRROR=' | ||
+ | IREDMAIL_MIRROR=' | ||
+ | </ | ||
+ | * 安裝完成後重要資訊會產生在 / | ||
+ | </ | ||
+ | |||
+ | ===== 相關設定與驗證測試 ===== | ||
+ | * DNS : MX / DKIM / [[http:// | ||
+ | * 重新產生 DKIM key | ||
+ | * 參考 - https:// | ||
+ | amavisd -c / | ||
+ | chown amavis: | ||
+ | chmod 0400 / | ||
+ | vi / | ||
+ | </ | ||
+ | : | ||
+ | # Add dkim_key here. | ||
+ | dkim_key(' | ||
+ | : | ||
+ | @dkim_signature_options_bysender_maps = ({ | ||
+ | : | ||
+ | # catch-all (one dkim key for all domains) | ||
+ | ' | ||
+ | : | ||
+ | </ | ||
+ | systemctl restart amavisd | ||
+ | </ | ||
+ | amavisd -c / | ||
+ | </ | ||
+ | dkim._domainkey.mail3.ichiayi.com. | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | </ | ||
+ | |||
+ | ++ | ||
+ | * IP 反查設定 -> 找 ISP 協助 | ||
+ | * 設定 aliases domain 的方式 - https:// | ||
+ | INSERT INTO alias_domain (alias_domain, | ||
+ | </ | ||
+ | * 設定 aliases - mail list (虛擬信箱轉寄實際信箱) 的方式 - https:// | ||
+ | INSERT INTO forwardings (address, forwarding, domain, dest_domain, | ||
+ | VALUES (' | ||
+ | </ | ||
+ | * 設定 aliases - mail forwarding (收信轉寄給其他信箱) 的方式 - https:// | ||
+ | INSERT INTO forwardings (address, forwarding, domain, dest_domain, | ||
+ | VALUES (' | ||
+ | </ | ||
+ | * 設定多個 domain 的 DKIM - https:// | ||
+ | * 設定預設 domain 的處理方式 - ++主要是修改 dovecot.conf 內的 auth_default_realm |<code |h vi / | ||
+ | : | ||
+ | auth_default_realm = mail.ichiayi.com | ||
+ | : | ||
+ | </ | ||
+ | * 解決 outlook 寄信無法使用 STARTTLS(port: | ||
+ | * 調整限制附件大小設定 | ||
+ | * 參考 - https:// | ||
+ | * Exp. 20M => 20*1024*1024=20971520 因為 MIME 的編碼特性, | ||
+ | postconf -e message_size_limit=31457280 | ||
+ | systemctl restart postfix | ||
+ | </ | ||
+ | * 自動刪除 Trash 的信件方式 | ||
+ | * 參考 - https:// | ||
+ | * ++建立清除信件命令|< | ||
+ | #!/bin/bash | ||
+ | # | ||
+ | DOVEADM="/ | ||
+ | |||
+ | $DOVEADM expunge -A mailbox Trash savedbefore 3d | ||
+ | $DOVEADM expunge -A mailbox Junk savedbefore 30d | ||
+ | </ | ||
+ | * ++執行命令|< | ||
+ | chmod a+x / | ||
+ | </ | ||
+ | * ++設定 crontab 設定|< | ||
+ | : | ||
+ | # delete iRedMail emails in Trash older than 3 days and in Junk older than 30 days. | ||
+ | 30 3 * * * root / | ||
+ | </ | ||
+ | * ++重新啟動 crond |<code sh> | ||
+ | service crond restart | ||
+ | </ | ||
+ | * 特定 SMTP 認證帳號寄信可以不需要檢查 From 與 SMTP 認證帳號相同設定方式 | ||
+ | * 出現的錯誤訊息類似:< | ||
+ | SMTPRecipientsRefused: | ||
+ | </ | ||
+ | * 參考 - https:// | ||
+ | * 修改 / | ||
+ | : | ||
+ | # https:// | ||
+ | ALLOWED_LOGIN_MISMATCH_SENDERS = [' | ||
+ | |||
+ | </ | ||
+ | * 重新啟動 iredapd 服務 <code sh> | ||
+ | * 關閉 ClamAV 防毒軟體的作法 (2019/5/27 寄信附件含 PDF 會出現 | ||
+ | * 參考 - https:// | ||
+ | * 修改 / | ||
+ | : | ||
+ | # controls running of anti-virus/ | ||
+ | @bypass_virus_checks_maps = (1); | ||
+ | : | ||
+ | </ | ||
+ | systemctl restart amavisd | ||
+ | </ | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | ==== 修改主機名稱的處理方式 ==== | ||
+ | * 除修改 /etc/hosts 之外還有其他服務設定檔都要一起修改 | ||
+ | * 參考 - https:// | ||
+ | * /etc/hosts | ||
+ | * / | ||
+ | * / | ||
+ | * / | ||
+ | * / | ||
+ | |||
+ | ==== SSL 憑證設定 ==== | ||
+ | * 設定 SSL 憑證 : https:// | ||
+ | * 取得免費的 LetsEncrypt ssl 憑證 參考 - [[tech/ | ||
+ | * Exp. 取得的憑證存放在 / | ||
+ | * 設定 Postfix (SMTP server) ++執行命令|< | ||
+ | postconf -e smtpd_tls_cert_file='/ | ||
+ | postconf -e smtpd_tls_key_file='/ | ||
+ | postconf -e smtpd_tls_CAfile='/ | ||
+ | systemctl restart postfix | ||
+ | </ | ||
+ | * 設定 Dovecot (POP3/IMAP server) ++參考設定內容|< | ||
+ | ssl = required | ||
+ | ssl_cert = </ | ||
+ | ssl_key = </ | ||
+ | ssl_ca = </ | ||
+ | </ | ||
+ | systemctl restart dovecot | ||
+ | </ | ||
+ | * 設定 WebMail(nginx) ++參考執行命令|< | ||
+ | cd / | ||
+ | mv cert.pem cert.pem.old | ||
+ | ln -s / | ||
+ | cd certs/ | ||
+ | mv iRedMail.crt iRedMail.crt.old | ||
+ | ln -s / | ||
+ | cd ../private/ | ||
+ | mv iRedMail.key iRedMail.key.old | ||
+ | ln -s / | ||
+ | service nginx restart | ||
+ | </ | ||
+ | * 確認設定的 SSL 憑證有正式運作 | ||
+ | * IMAP ++執行命令|< | ||
+ | openssl s_client -showcerts -connect mail.ichiayi.com: | ||
+ | </ | ||
+ | * POP3 ++執行命令|< | ||
+ | openssl s_client -showcerts -connect mail.ichiayi.com: | ||
+ | </ | ||
+ | * SMTP ++執行命令|< | ||
+ | openssl s_client -showcerts -connect mail.ichiayi.com: | ||
+ | </ | ||
+ | * Web ++執行命令|< | ||
+ | openssl s_client -showcerts -connect mail.ichiayi.com: | ||
+ | </ | ||
+ | |||
+ | |||
+ | < | ||
+ | * 如果 SSL 憑證與 Mail Server 在不同主機上, | ||
+ | * Exp. SSL 憑證存在 192.168.11.234 主機上, 可在 Mail Server ++執行以下的同步語法: | ||
+ | rm -rf / | ||
+ | mv / | ||
+ | rsync -zavl [email protected]:/ | ||
+ | |||
+ | rm -rf / | ||
+ | mv / | ||
+ | rsync -zavl [email protected]:/ | ||
+ | |||
+ | systemctl restart postfix | ||
+ | systemctl restart dovecot | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | ==== 白名單與黑名單設定 ==== | ||
+ | * 設定 greylisting 白名單的方式 - https:// | ||
+ | - iredapd.greylisting_whitelist 資料表先增加白名單網域 Exp. ik2.com ++SQL 語法|< | ||
+ | insert into iredapd.greylisting_whitelist_domains (domain) values (' | ||
+ | </ | ||
+ | - 執行spf_to_greylist_whitelists.py 讓白名單生效 ++執行命令|< | ||
+ | / | ||
+ | </ | ||
+ | * 設定 spam 白名單與黑名單 | ||
+ | * 參考網址 - https:// | ||
+ | - 新增白名單: | ||
+ | python / | ||
+ | </ | ||
+ | - 新增黑名單: | ||
+ | python / | ||
+ | </ | ||
+ | - 顯示目前設定的白名單與黑名單 ++執行命令|< | ||
+ | python / | ||
+ | python / | ||
+ | </ | ||
+ | * fail2ban 的白名單設定 | ||
+ | * 參考 - https:// | ||
+ | * 參考 - https:// | ||
+ | * 將要列入的 IP 寫在 / | ||
+ | : | ||
+ | maxretry | ||
+ | ignoreip | ||
+ | </ | ||
+ | * 重新載入設定 ++執行命令|< | ||
+ | |||
+ | ===== 郵件移轉 (imapsync) ===== | ||
+ | * 是透過新舊 Mail Server 的 imap 協定來將舊 Mail Server 內的信件移轉至新 Mail Server 內 | ||
+ | * 安裝 imapsync <code sh> | ||
+ | yum install imapsync | ||
+ | </ | ||
+ | * 假設要移轉 jonathan 的信件, 要知道新舊主機 jonathan 的密碼, 將密碼寫入 / | ||
+ | imapsync --host1 mail.ichiayi.com --user1 jonathan --passfile1 / | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | * 執行後, 會在執行目錄底下產生 LOG_imapsync 目錄, 裡面會有執行過程的紀錄檔案 Exp. 2018_09_07_11_35_30_testalbert.txt | ||
+ | * 記錄檔內出現 Err 的項目表示同步時出現異常的信件匣, | ||
+ | Err 1/2: Could not create folder [from Albert/& | ||
+ | : | ||
+ | </ | ||
+ | </ | ||
+ | ===== 更新版本程序 ===== | ||
+ | * 參考 - https:// | ||
+ | * Exp. 目前版本是 0.9.8 預計更新到最新版 0.9.9 -> 參考 https:// | ||
+ | - Upgrade iRedAPD -> 2.4 - https:// | ||
+ | su - root | ||
+ | mkdir -p 0.9.9 | ||
+ | cd 0.9.9 | ||
+ | wget https:// | ||
+ | tar xjf iRedAPD-2.4.tar.bz2 | ||
+ | cd iRedAPD-2.4/ | ||
+ | bash upgrade_iredapd.sh | ||
+ | </ | ||
+ | : | ||
+ | 2019-02-16 23:43:34 INFO Starting iRedAPD (version: 2.4, backend: mysql), listening on 127.0.0.1: | ||
+ | 2019-02-16 23:43:34 INFO Log rotate type: time, interval: W6, backup copies: 12. | ||
+ | 2019-02-16 23:43:34 INFO Loading plugin (priority: 100): reject_null_sender | ||
+ | 2019-02-16 23:43:34 INFO Loading plugin (priority: 99): wblist_rdns | ||
+ | 2019-02-16 23:43:34 INFO Loading plugin (priority: 90): reject_sender_login_mismatch | ||
+ | 2019-02-16 23:43:34 INFO Loading plugin (priority: 80): greylisting | ||
+ | 2019-02-16 23:43:34 INFO Loading plugin (priority: 60): throttle | ||
+ | 2019-02-16 23:43:34 INFO Loading plugin (priority: 50): sql_alias_access_policy | ||
+ | 2019-02-16 23:43:34 INFO Loading plugin (priority: 40): amavisd_wblist | ||
+ | : | ||
+ | </ | ||
+ | - Upgrade iRedAdmin -> 0.9.4 - https:// | ||
+ | wget https:// | ||
+ | tar xjf iRedAdmin-0.9.4.tar.bz2 | ||
+ | cd iRedAdmin-0.9.4/ | ||
+ | bash upgrade_iredadmin.sh | ||
+ | </ | ||
+ | - Upgrade mlmmjadmin -> 2.1 - https:// | ||
+ | wget https:// | ||
+ | tar zxf 2.1.tar.gz | ||
+ | cd mlmmjadmin-2.1/ | ||
+ | bash upgrade_mlmmjadmin.sh | ||
+ | </ | ||
+ | - Upgrade Roundcube webmail -> 1.3.8 - https:// | ||
+ | wget https:// | ||
+ | tar xf roundcubemail-*.tar.gz | ||
+ | cd roundcubemail-* | ||
+ | bin/ | ||
+ | </ | ||
+ | - Upgrade netdata -> 1.12.0 - https:// | ||
+ | wget https:// | ||
+ | chmod +x netdata-*.gz.run | ||
+ | ./ | ||
+ | </ | ||
+ | - Fix improper Nginx config files for Roundcube <code sh> | ||
+ | vi / | ||
+ | : | ||
+ | location ~ ^/ | ||
+ | : | ||
+ | location ~ ^/ | ||
+ | : | ||
+ | location ~ ^/ | ||
+ | : | ||
+ | location ~ ^/ | ||
+ | : | ||
+ | </ | ||
+ | vi / | ||
+ | : | ||
+ | location ~ ^/ | ||
+ | : | ||
+ | location ~ ^/ | ||
+ | : | ||
+ | location ~ ^/ | ||
+ | : | ||
+ | location ~ ^/ | ||
+ | : | ||
+ | </ | ||
+ | - Improve mlmmj script used for appending footer text< | ||
+ | cd /usr/bin/ | ||
+ | wget -O mlmmj-amime-receive https:// | ||
+ | chown mlmmj:mlmmj mlmmj-amime-receive | ||
+ | chmod 0550 mlmmj-amime-receive | ||
+ | </ | ||
+ | - Fix address mapping issue for mlmmj mailing list< | ||
+ | vi / | ||
+ | : | ||
+ | $policy_bank{' | ||
+ | ... | ||
+ | forward_method => ' | ||
+ | }; | ||
+ | : | ||
+ | </ | ||
+ | : | ||
+ | 127.0.0.1: | ||
+ | -o syslog_name=postfix/ | ||
+ | -o content_filter= | ||
+ | -o mynetworks_style=host | ||
+ | -o mynetworks=127.0.0.1 | ||
+ | -o local_recipient_maps= | ||
+ | -o relay_recipient_maps= | ||
+ | -o strict_rfc821_envelopes=yes | ||
+ | -o smtp_tls_security_level=none | ||
+ | -o smtpd_tls_security_level=none | ||
+ | -o smtpd_restriction_classes= | ||
+ | -o smtpd_delay_reject=no | ||
+ | -o smtpd_client_restrictions=permit_mynetworks, | ||
+ | -o smtpd_helo_restrictions= | ||
+ | -o smtpd_sender_restrictions= | ||
+ | -o smtpd_recipient_restrictions=permit_mynetworks, | ||
+ | -o smtpd_end_of_data_restrictions= | ||
+ | -o smtpd_error_sleep_time=0 | ||
+ | -o smtpd_soft_error_limit=1001 | ||
+ | -o smtpd_hard_error_limit=1000 | ||
+ | -o smtpd_client_connection_count_limit=0 | ||
+ | -o smtpd_client_connection_rate_limit=0 | ||
+ | -o receive_override_options=no_header_body_checks, | ||
+ | |||
+ | </ | ||
+ | systemctl restart postfix | ||
+ | systemctl restart amavisd | ||
+ | </ | ||
+ | - Fixed: SOGo backup script ((如果安裝時有更改目錄 Exp. / | ||
+ | cd / | ||
+ | wget -O backup_sogo.sh https:// | ||
+ | chown root backup_sogo.sh | ||
+ | chmod 0400 backup_sogo.sh | ||
+ | </ | ||
+ | - MySQL/ | ||
+ | - SQL structure changes in vmail database <code sh> | ||
+ | wget -O iredmail.mysql https:// | ||
+ | mysql vmail < iredmail.mysql | ||
+ | </ | ||
+ | - Dovecot: read mailbox format from SQL<code sh> | ||
+ | vi / | ||
+ | : | ||
+ | user_query = SELECT \ | ||
+ | ... | ||
+ | LOWER(CONCAT(mailbox.storagebasedirectory, | ||
+ | CONCAT(mailbox.mailboxformat, | ||
+ | ... | ||
+ | : | ||
+ | </ | ||
+ | systemctl restart dovecot | ||
+ | </ | ||
+ | - 更新 / | ||
+ | vi / | ||
+ | 0.9.9 | ||
+ | #0.9.8 MARIADB edition. | ||
+ | : | ||
+ | </ | ||
+ | ===== 其他議題 ===== | ||
+ | ==== 關閉 netdata ==== | ||
+ | * 如要移除請參考 - https:// | ||
+ | * 關閉的語法 <code sh> | ||
+ | systemctl stop netdata | ||
+ | systemctl disable netdata | ||
+ | </ | ||
+ | |||
+ | ==== 關閉 SPF 的方式 ==== | ||
+ | * 參考 - https:// | ||
+ | * 關閉的語法 <code sh> | ||
+ | vi / | ||
+ | </ | ||
+ | : | ||
+ | #loadplugin Mail:: | ||
+ | : | ||
+ | </ | ||
+ | systemctl restart amavisd | ||
+ | </ | ||
+ | |||
+ | ==== 出現 postfix/ | ||
+ | * 2020/08 之後開始出現這問題, | ||
+ | systemctl start amavisd | ||
+ | systemctl enable amavisd | ||
+ | </ | ||
+ | |||
+ | |||
+ | ===== 備份與還原 ===== | ||
+ | ===== 參考網址 ===== | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * http:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | |||
+ | {{tag> |
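Review bot: The amavisd workaround `@bypass_virus_checks_maps = (1);` under 關閉 ClamAV 防毒軟體的作法 turns virus scanning off for every message, not only the PDF attachments that produced the false positive, and the snippet does not say so or show how to revert it. A comment on that line, `# NOTE: disables AV scanning for ALL mail; remove this line once the PDF false positive is resolved`, would stop the runbook from being copied as a permanent setting. The same trade-off applies to `SELINUX=disabled` in 環境準備 and to the commented-out `#loadplugin Mail::` line under 關閉 SPF 的方式, each of which removes a filtering or containment layer without a note on the risk. By contrast, the `chmod 0400` on the regenerated DKIM key and `ssl = required` for Dovecot are the right hardening steps and could be called out as such.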