The Perfect Office Server with Mandriva Directory Server on Debian Etch

7 SSL for Mail

First prepare a configuration file with the required information.

vi /etc/ssl/mail.cnf

Add the following content:

[ req ]
default_bits            = 2048
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
prompt                  = no
string_mask             = nombstr
x509_extensions         = server_cert

[ req_distinguished_name ]
countryName             = DE
stateOrProvinceName     = Niedersachsen
localityName            = Lueneburg
organizationName        = Projektfarm GmbH
organizationalUnitName  = IT
commonName              = server1.example.com
emailAddress            = [email protected]

[ server_cert ]
basicConstraints        = critical, CA:FALSE
subjectKeyIdentifier    = hash
keyUsage                = digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth, clientAuth
nsCertType              = server
nsComment               = "mailserver"

Now create the SSL certificate ...

openssl req -x509 -new -config /etc/ssl/mail.cnf -out /etc/ssl/certs/mail.pem -keyout /etc/ssl/private/mail.key -days 365 -nodes -batch

... and adjust the permissions on the key so that only root can read it.

chmod 600 /etc/ssl/private/mail.key

8 SASL Configuration

Postfix will use SASL to authenticate users against the LDAP server.

mkdir -p /var/spool/postfix/var/run/saslauthd/

Adjust the default settings.

vi /etc/default/saslauthd

It should look like this:

START=yes
MECHANISMS="ldap"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

vi /etc/saslauthd.conf

It should look like this:

ldap_servers: ldap://127.0.0.1
ldap_search_base: ou=Users,dc=example,dc=com
ldap_filter: (&(objectClass=mailAccount)(mail=%u@%r)(mailenable=OK))

vi /etc/postfix/sasl/smtpd.conf

It should look like this:

pwcheck_method: saslauthd
mech_list: plain login

Add Postfix to the sasl group ...

adduser postfix sasl

... and restart SASL.

/etc/init.d/saslauthd restart

9 Postfix Configuration

9.1 Example Configuration

For this setup I chose the configuration without virtual domains; I may add the steps required for a virtual domain setup in the near future. First copy the example configuration files into the postfix directory. They are the basis for the configuration that follows.

cp /usr/share/doc/python-mmc-base/contrib/postfix/no-virtual-domain/* /etc/postfix/

9.2 Main Configuration

First adjust the main configuration file.

vi /etc/postfix/main.cf

Edit the file so that it matches your domain and add some restriction and authentication settings; the content should look like this:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = yes
append_at_myorigin = yes
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
myhostname = server1.example.com
mydomain = example.com
alias_maps = ldap:/etc/postfix/ldap-aliases.cf,  hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = server1.example.com,example.com,localhost.localdomain,localhost
mail_destination_recipient_limit = 1
mailbox_command = /usr/lib/dovecot/deliver -d "$USER"@"$DOMAIN"
relayhost =
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
# Use Maildir
home_mailbox = Maildir/
# Wait until the RCPT TO command before evaluating restrictions
smtpd_delay_reject = yes
# Basics Restrictions
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
# Requirements for the connecting server
smtpd_client_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_rbl_client bl.spamcop.net,
   reject_rbl_client dnsbl.njabl.org,
   reject_rbl_client cbl.abuseat.org,
   reject_rbl_client sbl-xbl.spamhaus.org,
   reject_rbl_client list.dsbl.org,
   permit
# Requirements for the HELO statement
smtpd_helo_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_non_fqdn_hostname,
   reject_invalid_hostname,
   permit
# Requirements for the sender address
smtpd_sender_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_non_fqdn_sender,
   reject_unknown_sender_domain,
   permit
# Requirement for the recipient address
smtpd_recipient_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_non_fqdn_recipient,
   reject_unknown_recipient_domain,
   reject_unauth_destination,
   permit
# Enable SASL authentication for the smtpd daemon
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
# Fix for outlook
broken_sasl_auth_clients = yes
# Reject anonymous connections
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
# SSL/TLS
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_cert_file = /etc/ssl/certs/mail.pem
smtpd_tls_key_file = /etc/ssl/private/mail.key
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
# Amavis
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings
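The restriction lists in the main.cf above are evaluated in a fixed way: within one list the first restriction that returns a PERMIT or REJECT decides and everything else (DUNNO) falls through, and because smtpd_delay_reject = yes is set, the client, helo, sender and recipient lists are all walked at RCPT TO, one after another, where a PERMIT only ends the current list and does not skip the lists that follow. The following Python model is an added example, not part of the original tutorial and not Postfix code; it replays the lists from this main.cf against a few constructed SMTP sessions. The DNSBL hit and the set of resolvable domains are constructed stand-ins for the real DNS lookups so that the model runs offline.

```python
"""Offline model of Postfix smtpd restriction-list evaluation (added example).

Mirrors the lists from the main.cf above.  Network-dependent checks (DNSBL,
DNS) are replaced by constructed lookup tables so the model runs anywhere.
"""
import ipaddress

MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]               # from main.cf
MYDESTINATION = {"server1.example.com", "example.com",          # from main.cf
                 "localhost.localdomain", "localhost"}
RBL_LISTED_IPS = {"203.0.113.7"}                                 # constructed DNSBL hit
RESOLVABLE_DOMAINS = {"example.com", "server1.example.com",      # constructed DNS data
                      "example.net", "mx.example.net"}


def session(client_ip, helo, sender, recipient, sasl_user=None):
    """One SMTP session as seen at RCPT TO time."""
    return {"client_ip": client_ip, "helo": helo, "sender": sender,
            "recipient": recipient, "sasl_user": sasl_user}


def _domain(address):
    return address.rpartition("@")[2].lower()


# Each restriction returns PERMIT, REJECT or DUNNO ("no opinion").
def permit_mynetworks(s):
    ip = ipaddress.ip_address(s["client_ip"])
    return "PERMIT" if any(ip in net for net in MYNETWORKS) else "DUNNO"

def permit_sasl_authenticated(s):
    return "PERMIT" if s["sasl_user"] else "DUNNO"

def reject_rbl_client(s):
    return "REJECT" if s["client_ip"] in RBL_LISTED_IPS else "DUNNO"

def reject_non_fqdn_hostname(s):
    return "DUNNO" if "." in s["helo"] else "REJECT"

def reject_non_fqdn_sender(s):
    return "DUNNO" if "." in _domain(s["sender"]) else "REJECT"

def reject_unknown_sender_domain(s):
    return "DUNNO" if _domain(s["sender"]) in RESOLVABLE_DOMAINS else "REJECT"

def reject_non_fqdn_recipient(s):
    return "DUNNO" if "." in _domain(s["recipient"]) else "REJECT"

def reject_unknown_recipient_domain(s):
    return "DUNNO" if _domain(s["recipient"]) in RESOLVABLE_DOMAINS else "REJECT"

def reject_unauth_destination(s):
    # Relay control: accept only mail for domains this host is final destination for.
    return "DUNNO" if _domain(s["recipient"]) in MYDESTINATION else "REJECT"

def permit(s):
    return "PERMIT"


# The four lists exactly as ordered in main.cf (DNSBL entries collapsed into one check).
CLIENT = [permit_mynetworks, permit_sasl_authenticated, reject_rbl_client, permit]
HELO = [permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_hostname, permit]
SENDER = [permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender,
          reject_unknown_sender_domain, permit]
RECIPIENT = [permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient,
             reject_unknown_recipient_domain, reject_unauth_destination, permit]


def evaluate_list(restrictions, s):
    """First PERMIT or REJECT wins; a list that runs out of entries permits."""
    for check in restrictions:
        verdict = check(s)
        if verdict != "DUNNO":
            return verdict, check.__name__
    return "PERMIT", "end-of-list"


def rcpt_to_verdict(s):
    """With smtpd_delay_reject = yes all four lists are checked at RCPT TO.
    A REJECT anywhere stops; a PERMIT only finishes the list it came from."""
    for name, lst in (("client", CLIENT), ("helo", HELO),
                      ("sender", SENDER), ("recipient", RECIPIENT)):
        verdict, rule = evaluate_list(lst, s)
        if verdict == "REJECT":
            return "REJECT", f"{name}:{rule}"
    return "PERMIT", "all lists passed"


if __name__ == "__main__":
    cases = {
        "outside host delivering to us": session("198.51.100.9", "mx.example.net",
                                                 "bob@example.net", "alice@example.com"),
        "outside host trying to relay": session("198.51.100.9", "mx.example.net",
                                                "bob@example.net", "carol@example.net"),
        "authenticated user relaying": session("198.51.100.9", "laptop.example.com",
                                               "alice@example.com", "carol@example.net", "alice"),
        "DNSBL-listed client": session("203.0.113.7", "mx.example.net",
                                       "bob@example.net", "alice@example.com"),
    }
    for label, s in cases.items():
        print(f"{label:32s} -> {rcpt_to_verdict(s)}")
```

Two things the model makes visible that are easy to miss when reading the lists: an authenticated client is permitted by permit_sasl_authenticated before reject_rbl_client is ever consulted, so the DNSBL checks only apply to unauthenticated peers, and reject_unauth_destination is the only entry that stops an outside host from relaying through this server, so its position after the permit_* entries is exactly what lets local and authenticated users relay while everyone else is limited to $mydestination.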

9.3 LDAP Aliases Configuration

Now you need to edit the aliases configuration.

vi /etc/postfix/ldap-aliases.cf

Edit the file so that it matches your domain; it should look like this:

server_host = 127.0.0.1
search_base = ou=Users,dc=example,dc=com
query_filter = (&(objectClass=mailAccount)(mailalias=%s)(mailenable=OK))
result_attribute = maildrop
version = 3

9.4 Master Configuration

The master configuration is the last part of the Postfix configuration.

vi /etc/postfix/master.cf

Add the following lines:

# SMTPS
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

# Dovecot
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=dovecot:mail argv=/usr/lib/dovecot/deliver -d $recipient

# Mail to Amavis
amavis    unix  -       -       -       -       10      smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20

# Mail from Amavis
127.0.0.1:10025 inet n  -       -       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

Restart Postfix:

/etc/init.d/postfix restart

10 Dovecot

Dovecot provides the mail server with POP3 (SSL/TLS), IMAP (SSL/TLS) and quota support.

10.1 Main Configuration

echo "" > /etc/dovecot/dovecot.conf
vi /etc/dovecot/dovecot.conf

The content should look like this:

protocols = imap imaps pop3 pop3s
listen = 0.0.0.0
login_greeting = example.com mailserver ready.
mail_location = maildir:~/Maildir
disable_plaintext_auth = no

ssl_cert_file = /etc/ssl/certs/mail.pem
ssl_key_file = /etc/ssl/private/mail.key

log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot.log

# IMAP configuration

protocol imap {
    mail_plugins = quota imap_quota
}

# POP3 configuration

protocol pop3 {
    pop3_uidl_format = %08Xu%08Xv
    mail_plugins = quota
}

# LDA configuration

protocol lda {
    postmaster_address = postmaster
    auth_socket_path = /var/run/dovecot/auth-master
    mail_plugins = quota
}

# LDAP authentication

auth default {
    mechanisms = plain login

    passdb ldap {
        args = /etc/dovecot/dovecot-ldap.conf
    }

    userdb ldap {
        args = /etc/dovecot/dovecot-ldap.conf
    }

    socket listen {
        master {
            path = /var/run/dovecot/auth-master
            mode = 0660
            user = dovecot
            group = mail
        }

        client {
            path = /var/spool/postfix/private/auth
            mode = 0660
            user = postfix
            group = postfix
        }
    }
}

10.2 LDAP Configuration

echo "" > /etc/dovecot/dovecot-ldap.conf
vi /etc/dovecot/dovecot-ldap.conf

The content should look like this:

hosts = 127.0.0.1
auth_bind = yes
ldap_version = 3
base = dc=example,dc=com
scope = subtree
user_attrs = homeDirectory=home,uidNumber=uid,mailbox=mail,mailuserquota=quota=maildir:storage
user_filter = (&(objectClass=mailAccount)(mail=%u)(mailenable=OK))
pass_attrs = mail=user,userPassword=password
pass_filter = (&(objectClass=mailAccount)(mail=%u)(mailenable=OK))
default_pass_scheme = CRYPT
user_global_gid = mail
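Both the saslauthd filter from section 8 and the Dovecot pass_filter and user_filter above splice the login name into an LDAP search filter through the %u (and, for saslauthd, %r) placeholders. Dovecot escapes the substituted value before building the filter, so a login containing one of the filter metacharacters of RFC 4515 (backslash, asterisk and parentheses) can only ever match a literal mail attribute value. The following Python model is an added example, not code from the tutorial, Dovecot or saslauthd; it makes that escaping step explicit for the two filter templates copied from the page. The split of a login into %u and %r parts is an assumption of the model (local part and domain), not a description of how saslauthd handles its -r option internally.

```python
"""Added example: rendering the LDAP filter templates from saslauthd.conf and
dovecot-ldap.conf with RFC 4515 escaping of the substituted login name."""
import re

# Filter templates copied verbatim from the configuration files above.
SASLAUTHD_FILTER = "(&(objectClass=mailAccount)(mail=%u@%r)(mailenable=OK))"
DOVECOT_FILTER = "(&(objectClass=mailAccount)(mail=%u)(mailenable=OK))"

# RFC 4515 section 3: these characters must appear as backslash + two hex digits.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape a value so it can only match literally inside a filter assertion."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, **values: str) -> str:
    """Fill %u, %r, ... in a single pass, escaping every substituted value.

    Single-pass substitution matters: replacing %r first and %u afterwards
    would re-scan text that came from the realm value.
    """
    def repl(match):
        key = match.group(1)
        if key not in values:
            raise KeyError(f"no value supplied for %{key}")
        return ldap_filter_escape(values[key])
    return re.sub(r"%([A-Za-z])", repl, template)


def split_login(login: str):
    """Assumed split of 'user@realm' into the %u and %r parts used by the
    mail=%u@%r filter; realm is empty when the login carries none."""
    user, _sep, realm = login.partition("@")
    return user, realm


def saslauthd_filter_for(login: str) -> str:
    user, realm = split_login(login)
    return render_filter(SASLAUTHD_FILTER, u=user, r=realm)


def dovecot_filter_for(login: str) -> str:
    # Dovecot's %u is the complete login name as typed by the client.
    return render_filter(DOVECOT_FILTER, u=login)


if __name__ == "__main__":
    for login in ("alice@example.com", "al*ice@example.com"):
        print("saslauthd:", saslauthd_filter_for(login))
        print("dovecot:  ", dovecot_filter_for(login))
```

For the ordinary login alice@example.com both templates produce the filter you would write by hand; for al*ice@example.com the asterisk is emitted as \2a, so the search still asks for one exact mail value instead of turning into a substring match. The (mailenable=OK) clause stays part of the filter in every case, which is what keeps a disabled account from authenticating even when its userPassword is still valid.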

10.3 Deliver

Next, adjust the permissions of Dovecot's deliver; Dovecot will use the uid and gid permissions when it stores messages in the Maildirs.

dpkg-statoverride --update --add root dovecot 4755 /usr/lib/dovecot/deliver

Then restart Dovecot.

/etc/init.d/dovecot restart

11 Amavisd

Postfix hands incoming mail to Amavis. Amavis in turn passes it on to SpamAssassin and ClamAV. Once the mail has been checked, it is sent back to Postfix. Configure Amavis as follows.

vi /etc/amavis/conf.d/15-content_filter_mode

It should look like this:

use strict;
@bypass_virus_checks_maps = (
   %bypass_virus_checks, @bypass_virus_checks_acl, $bypass_virus_checks_re);
@bypass_spam_checks_maps = (
   %bypass_spam_checks, @bypass_spam_checks_acl, $bypass_spam_checks_re);
1;

vi /etc/amavis/conf.d/50-user

It should look like this:

use strict;
$pax='pax';
1;

Then add the user clamav to the amavis group and restart amavis & ClamAV.

adduser clamav amavis
/etc/init.d/amavis restart
/etc/init.d/clamav-daemon restart
/etc/init.d/clamav-freshclam restart
