Mail server on Debian 9, full installation: dbmail & postgresql & postfix & stunnel & postgrey & spamassassin

From support.qbpro.ru
Revision as of 00:42, 1 November 2017

Installation order:

  • System: Debian Stretch (9)
  • The sources.list that was used (in 2017 "stable" and "stretch" named the same release, so the stable entries duplicate the stretch ones and only make apt warn about duplicate sources; the list is reproduced as it was used):
deb http://mirror.mephi.ru/debian/ stretch main
deb-src http://mirror.mephi.ru/debian/ stretch main

deb http://security.debian.org/debian-security stretch/updates main
deb-src http://security.debian.org/debian-security stretch/updates main 

# stretch-updates, previously known as 'volatile'
deb http://mirror.mephi.ru/debian/ stretch-updates main
deb-src http://mirror.mephi.ru/debian/ stretch-updates main

###### Debian Main Repos
deb http://deb.debian.org/debian/ stable main contrib non-free
deb-src http://deb.debian.org/debian/ stable main contrib non-free

deb http://deb.debian.org/debian/ stable-updates main contrib non-free
deb-src http://deb.debian.org/debian/ stable-updates main contrib non-free

deb http://deb.debian.org/debian-security stable/updates main contrib non-free
deb-src http://deb.debian.org/debian-security stable/updates main contrib non-free

deb http://ftp.debian.org/debian stretch-backports main contrib non-free
deb-src http://ftp.debian.org/debian stretch-backports main contrib non-free

1. Install the required packages:

apt-get install pkg-config libglib2.0-dev libgmime-2.6-dev libmhash-dev libevent-dev libssl1.0-dev libzdb-dev \
  autoconf automake libtool autotools-dev dpkg-dev fakeroot

2. Download the sources from dbmail.org (the download is plain HTTP, so compare the tarball against the checksum or signature the project publishes before building anything from it):

wget -c -t 0 -T 8 http://www.dbmail.org/download/3.1/dbmail-3.1.17.tar.gz

3. Unpack and compile (the version numbers below follow the tarball downloaded above; the original article mixed 3.0.2, 3.1.17 and 3.2.3 in these commands):

cp dbmail-3.1.17.tar.gz /usr/local/src/dbmail_3.1.17.orig.tar.gz
cd /usr/local/src
tar -xf dbmail_3.1.17.orig.tar.gz

Prepare the package for building:

cd /usr/local/src/dbmail-3.1.17
./configure --with-pgsql --prefix=/usr
dpkg-source --commit

give the patch a name, something like pgsql.commit

cd /usr/local/src/
dpkg-source -b dbmail-3.1.17
cd /usr/local/src/dbmail-3.1.17
dpkg-buildpackage -d
  • once the package has been built, copy it to your own archive and install it (the version string in the .deb file name comes from debian/changelog inside the tarball, so check it with ls before installing):
dpkg -i /usr/local/src/dbmail_3.1.17-*_amd64.deb
  • edit the configuration file:
editor /etc/dbmail/dbmail.conf
  • an example of a working configuration file (the [SECTION] headers did not survive the wiki rendering and are restored here, since dbmail reads the file by section):
[DBMAIL]
# (c) 2000-2006 IC&S, The Netherlands 
# Configuration file for DBMAIL 

# Database settings
# database connection URI

#dburi                = sqlite:///var/tmp/dbmail.db

# Supported drivers are sql, ldap.
authdriver           = sql

# following fields are now DEPRECATED!
driver               = postgresql
# the host value used in the original article did not survive rendering
# (the newer, single-line form is the dburi setting above)
host                 =
sqlport              = 5432
#sqlsocket            =              
user                 = dbmail
# the same password must be used by Postfix and SASL for the dbmail role;
# it is stored here in the clear, so keep this file readable by root and
# the mail group only (e.g. chown root:mail, chmod 640)
pass                 = dbmailpass
db                   = mailbasename

# Number of database connections per threaded daemon
# This also determines the size of the worker threadpool
# Do NOT increase this without proper consideration. A
# very large database/worker pool will not only increase
# the connection pressure on the database, but will more
# significantly cause unnecessary context-switching in 
# your CPUs.
#max_db_connections   = 10

# Table prefix. Defaults to "dbmail_" if not specified.
table_prefix         = dbmail_   

# encoding must match the database/table encoding.
# i.e. latin1, utf8
encoding             = utf8

# messages with unknown encoding will be assumed to have 
# default_msg_encoding
# i.e. iso8859-1, utf8
default_msg_encoding = utf8

# Postmaster's email address for use in bounce messages.
#postmaster           = DBMAIL-MAILER       

# Sendmail executable for forwards, replies, notifies, vacations.
# You may use pipes (|) in this command, for example:
# dos2unix|/usr/sbin/sendmail  works well with Qmail.
# You may use quotes (") for executables with unusual names.
sendmail              = /usr/sbin/sendmail     

# The following items can be overridden in the service-specific sections.

# Logging via stderr/log file and syslog
# Logging is broken up into 8 logging levels and each level can be individually turned on or off.
# The Stderr/log file logs all entries to stderr or the log file.
# Syslog logging uses the facility mail and the logging level of the event for logging.
# Syslog can then be configured to log data according to the levels.
# Set the log level to the sum of the values next to the levels you want to record.
#   1 = Emergency 
#   2 = Alert
#   4 = Critical
#   8 = Error
#  16 = Warning
#  32 = Notice
#  64 = Info
# 128 = Debug
# 256 = Database -> Logs at debug level
# Examples:   0 = Nothing
#            31 = Emergency + Alert + Critical + Error + Warning
#           511 = Everything
file_logging_levels       = 7
syslog_logging_levels     = 31

# Generate a log entry for database queries for the log level at number of seconds of query execution time.
query_time_info       = 10
query_time_notice     = 20
query_time_warning    = 30

# Throw an exception if the query takes longer than query_timeout seconds
query_timeout         = 300 

# Root privs are used to open a port, then privs
# are dropped down to the user/group specified here.
effective_user        = dbmail
effective_group       = mail

# The IPv4 and/or IPv6 addresses the services will bind to.
# Use * for all local interfaces.
# Use 127.0.0.1 for localhost only.
# Separate multiple entries with spaces ( ) or commas (,).
# (the addresses on the lines below did not survive the wiki rendering and are
# restored from the dbmail template; the comment on each line says what it is)
bindip                = 0.0.0.0         # IPv4 only - all IP's
#bindip                = ::             # IPv4 and IPv6 - all IP's (linux)
#bindip                = ::             # IPv6 only - all IP's (BSD)
#bindip                = 0.0.0.0,::     # IPv4 and IPv6 - all IP's (BSD)

# The maximum length of the queue of pending connections. See
# listen(2) for more information
# backlog              = 128

# Idle time allowed before a connection is shut off.
timeout               = 300             

# Idle time allowed before a connection is shut off if you have not logged in yet.
login_timeout         = 60

# If yes, resolves IP addresses to DNS names when logging.
resolve_ip            = yes

# If yes, keep statistics in the authlog table for connecting users
authlog               = no

# logfile for stdout messages
logfile               = /var/log/dbmail.log        

# logfile for stderr messages
errorlog              = /var/log/dbmail.err        

# directory for storing PID files
pid_directory         = /var/run/dbmail

# directory for locating libraries (normally has a sane default compiled-in)
library_directory       = /usr/lib/dbmail

# SSL/TLS certificates
# A file containing a list of CAs in PEM format
tls_cafile            =

# A file containing a PEM format certificate
tls_cert              =

# A file containing a PEM format RSA or DSA key
tls_key               =

# A cipher list string in the format given in ciphers(1)
tls_ciphers           =

# hashing algorithm. You can select your favorite hash type
# for generating unique ids for message parts. 
# for valid values check mhash(3) but minus the MHASH_ prefix.
# if you ever change this value run 'dbmail-util --rehash' to 
# update the hash for all mimeparts.
# examples: MD5, SHA1, SHA256, SHA512, TIGER, WHIRLPOOL
# hash_algorithm = SHA1

# header_cache tuning
# set header_cache_readonly to 'yes' to prevent new
# unknown header-names from being cached.
# header_cache_readonly = yes

[LMTP]
# the address used in the original article did not survive rendering; 127.0.0.1
# (the template default) keeps LMTP off the network, which means Postfix on the
# same host must deliver to [127.0.0.1]:24 in mailbox_transport
bindip                = 127.0.0.1
port                  = 24                 
#tls_port              =

[POP]
port                  = 110
#tls_port              = 995

# You can set an alternate banner to display when connecting to the service
# banner = DBMAIL pop3 server ready to rock

# If yes, allows SMTP access from the host IP connecting by POP3.
# This requires additional configuration of your MTA
pop_before_smtp       = no      

[HTTP]
port                  = 41380
# the httpd daemon provides full access to all users, mailboxes
# and messages. Be very careful with this one!
# loopback only; the address used in the original article did not survive
# rendering and 127.0.0.1 is the template default
bindip                = 127.0.0.1
# admin:secret is the template value: change it before this daemon is ever enabled
admin                 = admin:secret

# You can set an alternate banner to display when connecting to the service
# banner = imap 4r1 server (dbmail 2.3.x)

[IMAP]
# Port to bind to.
port                  = 143                
##tls_port              = 993

# IMAP prefers a longer timeout than other services.
timeout               = 4000            

# If yes, allows SMTP access from the host IP connecting by IMAP.
# This requires additional configuration of your MTA
imap_before_smtp      = no

# during IDLE, how many seconds between checking the mailbox
# status (default: 30)
# idle_timeout          = 30

# during IDLE, how often should the server send an '* OK' still
# here message (default: 10)
# the time between such a message is idle_timeout * idle_interval
# seconds
# idle_interval         = 10

# If TLS is enabled, login before starttls is normally
# not allowed. Use login_disabled=no to change this
# login_disabled        = yes

# Provide a CAPABILITY to override the default

# max message size. You can specify the maximum message size
# accepted by the IMAP daemon during APPEND commands.
# Supported formats:
#  decimal: 1000000    
#  octal:   03777777
#  hex:     0xfffff
# max_message_size      =

[SIEVE]
# Port to bind to.
port                  = 2000               
tls_port              =

[LDAP]
port                  = 389
version               = 3
hostname              = ldap
base_dn               = ou=People,dc=mydomain,dc=com

# If your LDAP library supports ldap_initialize(), then you can use the
# alternative LDAP server DSN like following.
# URI                = ldap://
# URI                = ldapi://%2fvar%2frun%2fopenldap%2fldapi/

# Leave blank for anonymous bind.
# example: cn=admin,dc=mydomain,dc=com     
bind_dn               = 

# Leave blank for anonymous bind.
bind_pw               = 
scope                 = SubTree

# AD users may want to set this to 'no' to disable
# ldap referrals if you are seeing 'Operations errors' 
# in your logs
referrals             = yes

user_objectclass      = top,account,dbmailUser
forw_objectclass      = top,account,dbmailForwardingAddress
cn_string             = uid
field_passwd          = userPassword
field_uid             = uid
field_nid             = uidNumber
min_nid               = 10000
max_nid               = 15000
field_cid             = gidNumber
min_cid               = 10000
max_cid               = 15000

# a comma-separated list of attributes to match when searching
# for users or forwards that match a delivery address. A match
# on any of them is a hit.
field_mail            = mail

# field that holds the mail-quota size for a user.
field_quota           = mailQuota

# field that holds the forwarding address. 
field_fwdtarget       = mailForwardingAddress

# override the query string used to search for users 
# or forwards with a delivery address.
# query_string          = (mail=%s)

[DELIVERY]
# Run Sieve scripts as messages are delivered.
SIEVE                 = yes               

# Use 'user+mailbox@domain' format to deliver to a mailbox.
SUBADDRESS            = yes          

# Turn on/off the Sieve Vacation extension.
SIEVE_VACATION        = yes      

# Turn on/off the Sieve Notify extension
SIEVE_NOTIFY          = yes

# Turn on/off additional Sieve debugging.
SIEVE_DEBUG           = no          

# Use the auto_notify table to send email notifications.
AUTO_NOTIFY           = no
# Use the auto_reply table to send away messages.
AUTO_REPLY            = no


# Defaults to POSTMASTER from the DBMAIL section.

# If you set this to 'yes' dbmail will check for duplicate
# messages in the relevant mailbox during delivery using 
# the Message-ID header
suppress_duplicates     = no

# Soft or hard bounce on over-quota delivery
quota_failure           = hard

# end of configuration file

  • edit the defaults file, /etc/default/dbmail (the START_* lines did not survive the wiki rendering; the variable names below are those of the Debian package's template, so compare them with the copy the package installed; lmtpd must be enabled, because Postfix delivers over LMTP):
# debian specific configuration for dbmail

# work-around for linux/epoll bug in libevent
export EVENT_NOEPOLL=yes

# comment out to disable the pop3 server
START_POP3D=true

# comment out to disable the imapd server
START_IMAPD=true

# uncomment to enable the lmtpd server
START_LMTPD=true

# uncomment to enable the timsieved server
#START_SIEVE=true

# comment out to enable the stunnel SSL wrapper
#START_STUNNEL=true

# specify the filename for the pem file as 
# it resides in /etc/ssl/certs
#PEMFILE=dbmail.pem
  • restart the service:
systemctl restart dbmail
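Once the daemons are up, the settings worth re-checking are exactly the ones the listing above flags as dangerous: the database password sitting in a readable file, the HTTP daemon's template credentials, and which addresses [HTTP] and [LMTP] bind to. The following POSIX shell audit is an added example and is not part of dbmail or of the original article; it assumes GNU stat and awk, and the configuration it writes for its own demonstration is constructed, not a real server's file. The path /etc/dbmail/dbmail.conf is the one the article uses.

```shell
#!/bin/sh
# Added example: audit the security-relevant settings of a dbmail.conf.
# Not part of dbmail or of the original article. Needs POSIX sh, awk and
# GNU stat (assumption). Usage: audit_dbmail_conf /etc/dbmail/dbmail.conf

# Emit "SECTION<TAB>key<TAB>value" for every key of an INI-style file.
# Section names are upper-cased; a trailing "# comment" after a value is
# removed because the dbmail template puts comments after several values
# (so a value that itself contains '#' is not handled).
ini_triples() {
    awk '
        /^[ \t]*[#;]/ { next }                          # comment line
        /^[ \t]*\[/ {                                   # [SECTION]
            sub(/^[ \t]*\[/, ""); sub(/\].*$/, "")
            section = toupper($0); next
        }
        index($0, "=") > 0 {
            line = $0
            sub(/[ \t]*#.*$/, "", line)                 # trailing comment
            n = index(line, "=")
            key = substr(line, 1, n - 1); val = substr(line, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key != "") print section "\t" key "\t" val
        }' "$1"
}

# Print the value of one key in one section (empty if absent).
ini_get() {   # file SECTION key
    ini_triples "$1" | awk -F '\t' -v s="$2" -v k="$3" '$1 == s && $2 == k { print $3; exit }'
}

# 0 if "other" cannot read the file. Every file that carries the database
# password (dbmail.conf, the Postfix pgsql map, the SASL config) must pass.
not_world_readable() {
    case $(stat -c '%a' "$1") in
        *[4567]) return 1 ;;
        *)       return 0 ;;
    esac
}

# Run all checks; prints one FAIL line per finding, returns 1 if any failed.
audit_dbmail_conf() {
    conf=$1; rc=0
    not_world_readable "$conf" || { echo "FAIL: $conf is world-readable"; rc=1; }
    if [ "$(ini_get "$conf" HTTP admin)" = "admin:secret" ]; then
        echo "FAIL: [HTTP] admin still has the template value admin:secret"; rc=1
    fi
    for sec in HTTP LMTP; do
        ip=$(ini_get "$conf" "$sec" bindip)
        case $ip in
            127.0.0.1|::1|localhost) ;;
            *) echo "FAIL: [$sec] bindip='$ip' is not the loopback address"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample (not a real configuration): the template values this
# page starts from ("no") or a hardened variant ("yes").
write_sample_conf() {   # path hardened(yes|no)
    if [ "$2" = yes ]; then admin='ops:correct-horse-battery'; ip=127.0.0.1; mode=640
    else admin='admin:secret'; ip=0.0.0.0; mode=644; fi
    cat > "$1" <<EOF
[DBMAIL]
driver               = postgresql
pass                 = dbmailpass
[LMTP]
bindip                = $ip
port                  = 24
[HTTP]
port                  = 41380
bindip                = $ip        # full access to every mailbox
admin                 = $admin
[IMAP]
port                  = 143
EOF
    chmod "$mode" "$1"
}

# Stand-alone demonstration on the constructed sample (run with --demo);
# real use is: audit_dbmail_conf /etc/dbmail/dbmail.conf
if [ "$1" = "--demo" ]; then
    tmp=$(mktemp); write_sample_conf "$tmp" no
    audit_dbmail_conf "$tmp" || echo "(the findings above are expected for the template values)"
    rm -f "$tmp"
fi
```

The parser is deliberately section-aware: a `bindip` in [DBMAIL] is the default for every service, but the two daemons that must never face the network are the ones whose own section is checked.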
  • Brief explanation:

DBMail's daemons fall into two groups:

1. Those that deliver messages from the MTA into the store.
2. Those that deliver messages from the store to the MUA.

  • The first group:

dbmail-lmtpd is a UNIX daemon that accepts client connections over a UNIX socket or a TCP socket and receives messages over LMTP. For each incoming message the MTA only opens a client socket; the required number of workers and database connections is created in advance.
So this variant gives the best performance under heavy load, but under light load it uses more system resources than necessary.

  • The second group:

dbmail-pop3d, the POP3 access daemon.
dbmail-imapd, the IMAP access daemon.

  • DBMail also ships the following helper utilities:

dbmail-users, the tool for managing users and their aliases.
dbmail-util, the tool for cleaning, optimising and checking the consistency of the database.

  • That completes the dbmail installation; the next step is installing PostgreSQL and preparing it for use.

4. PostgreSQL setup

Once PostgreSQL is installed and running, create the dbmail role and the mail database:

  • create the role for the mail database (it needs neither superuser nor CREATEDB rights; createuser -P prompts for the password, which must be the one given as pass = in dbmail.conf)
createuser -U postgres -P dbmail
  • create the database (the name must match db = in dbmail.conf, which the article sets to mailbasename)
createdb -U postgres --owner dbmail mailbasename
  • dbmail ships the schema; load it (in the 3.1.17 source tree it is sql/postgresql/create_tables.pgsql; the original article pointed at a dbmail-2.2.10 documentation path that does not exist for the package built above):
psql -U dbmail -d mailbasename < /usr/local/src/dbmail-3.1.17/sql/postgresql/create_tables.pgsql
  • this schema has no table for virtual domains, so create one (the original article used a type dtype without ever defining it and omitted the closing parenthesis of CREATE TABLE; the CREATE TYPE below is an assumption that lists only the one value the article uses, and the default_with_oids setting is dropped because it is obsolete):

CREATE TYPE public.dtype AS ENUM ('LOCAL');
ALTER TYPE public.dtype OWNER TO dbmail; 

CREATE TABLE dbmail_domains ( 
 uid integer NOT NULL PRIMARY KEY, 
 domain character varying(128) NOT NULL UNIQUE, 
 type dtype NOT NULL 
);
ALTER TABLE dbmail_domains OWNER TO dbmail;

INSERT INTO dbmail_domains (uid, domain, type) VALUES (1, 'example.com', 'LOCAL');

The database is ready.

  • add the database maintenance run to /etc/crontab
0 3 * * * root /usr/sbin/dbmail-util -cturpd -l 24h -qq
  • check that dbmail can work with the database:
dbmail-util -av

If there are errors, fix them, not forgetting to re-check the configuration file.
If everything is fine, proceed to the Postfix setup.

5. Postfix setup

apt-get install postfix postfix-pgsql postfix-sqlite procmail libsasl2-2 libsasl2-modules libsasl2-modules-db libsasl2-modules-sql sqlite3
  • make the necessary changes to the configuration files; a working example of main.cf:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mymail.home.local
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, mymail.ru, mymail.home.local, localhost.home.local, localhost
relayhost = 
#mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
# the value used in the original article did not survive rendering; list only
# the networks allowed to relay without authentication (the commented loopback
# default above is the minimum)
mynetworks =
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
############################## - recipient lookups in PostgreSQL
# proxy: makes the chrooted smtpd(8) ask proxymap(8) instead of opening the
# database itself; local_recipient_maps is in proxy_read_maps by default
local_recipient_maps = proxy:pgsql:/etc/postfix/dbmail-mailboxes.cf $alias_maps
# deliver to dbmail-lmtpd on the loopback, port 24 ([LMTP] in dbmail.conf);
# the bare "dbmail-lmtp:" of the original article leaves Postfix to derive a
# next-hop host name, which only works if that name resolves to where the daemon listens
mailbox_transport = dbmail-lmtp:[127.0.0.1]:24

#################### - SASL authentication; the SASL setup itself is described below
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = 
# never advertise AUTH on a cleartext connection: the mechanism list includes PLAIN and LOGIN
smtpd_tls_auth_only = yes
############################### - our certificate, generated as described below
# smtp_use_tls / smtpd_use_tls are obsolete since Postfix 2.3; the
# *_tls_security_level parameters replace them ("may" = opportunistic STARTTLS)
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes 
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.pem
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.pem
smtpd_tls_CAfile = /etc/postfix/ssl/smtpd.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
  • make the necessary changes to the configuration files; a working example of master.cf (the only change from the Debian default is the dbmail-lmtp entry at the end; if mail clients submit through this server, prefer uncommenting the submission block, port 587 with smtpd_tls_security_level=encrypt, over authenticated submission on port 25):
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
# Do not forget to execute "postfix reload" after editing this file.
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       y       -       -       smtpd
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
#submission inet n       -       y       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       y       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       y       -       -       qmqpd
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
# ====================================================================
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
# ====================================================================
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
# ====================================================================
# Old example of delivery via Cyrus.
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
# ====================================================================
# See the Postfix UUCP_README file for configuration details.
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
# Other external delivery methods.
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
dbmail-lmtp     unix    -       -       n       -       -       lmtp
        -o disable_dns_lookups=yes

  • create the PostgreSQL lookup file for Postfix, /etc/postfix/dbmail-mailboxes.cf (it contains the role password, so chown root:postfix and chmod 640):
user = dbmail
# the password given to createuser for the dbmail role
password = userpass
# the value used in the original article did not survive rendering; see
# pgsql_table(5) for the syntax. If smtpd(8) does the lookup from its chroot,
# a Unix socket under /var/run is not reachable and a TCP host is needed
hosts =
dbname = mailbasename
table = dbmail_aliases
select_field = alias
where_field = alias

  • create the SASL configuration directory inside the Postfix configuration tree (this is where Debian's Postfix looks for smtpd.conf):
mkdir -p /etc/postfix/sasl
  • create /etc/postfix/sasl/smtpd.conf with the following content (it also holds the role password: chown root:postfix, chmod 640; smtpd(8) runs as the postfix user and reads this file itself):
editor /etc/postfix/sasl/smtpd.conf
pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: digest-md5 cram-md5 login plain
sql_engine: pgsql
# if smtpd(8) runs chrooted (the Debian default) the Unix socket is not reachable;
# add a TCP host, e.g. "sql_hostnames: 127.0.0.1" (assumes PostgreSQL listens on the loopback)
sql_user: dbmail
sql_passwd: userpass
sql_database: mailbasename
sql_statement: select passwd from dbmail_users where userid='%u@%r'
# turn off in production: it logs every lookup to the mail log
sql_verbose: yes
  • note that an auxprop plugin hands the stored secret to libsasl, which compares it itself: DIGEST-MD5 and CRAM-MD5 cannot work with a hashed passwd column, and PLAIN/LOGIN compare against whatever is stored. The accounts therefore carry cleartext passwords in dbmail_users (dbmail's default unless an account was created with one of dbmail-users' hashed password types), which is one more reason to keep AUTH behind TLS and the database off the network.
  • generate our own TLS certificate (self-signed, valid for 10 years; mail clients will warn about it unless a CA-issued certificate is used instead). The private key and the certificate end up in the same file, so make it readable by root only (chmod 600 smtpd.pem); smtpd(8) loads it as root before dropping privileges:
mkdir -p /etc/postfix/ssl
cd /etc/postfix/ssl
openssl req -new -x509 -nodes -out smtpd.pem -keyout smtpd.pem -days 3650
  • restart postfix:
systemctl restart postfix

(or, on a system without systemd: /etc/init.d/postfix restart)
  • check that postfix is running and offers STARTTLS; the banner alone says nothing about TLS, so after connecting send "EHLO <your host name>" and look for a 250-STARTTLS line in the reply:
telnet mymail.ru 25
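The telnet check above stops at the banner. The following is an added example, not from the original article, of what to look at once EHLO has been sent: a shell function that grades a captured EHLO response, plus two live probes with nc and openssl. The host name mymail.ru is the one the article tests with; the availability of nc and openssl on the probing machine is an assumption, and the EHLO transcripts embedded for the offline demonstration are constructed rather than captured from a real server.

```shell
#!/bin/sh
# Added example, not from the original article: inspect what a Postfix smtpd
# advertises on the cleartext side of port 25. Two things matter for the
# configuration above: 250-STARTTLS must be offered, and 250-AUTH must NOT be
# offered before STARTTLS (otherwise LOGIN/PLAIN credentials can cross the
# wire in the clear; smtpd_tls_auth_only = yes prevents that).

# Return 0 when the EHLO response passes both checks; explain on stdout otherwise.
check_ehlo_response() {   # "<multi-line EHLO response>"
    resp=$(printf '%s\n' "$1" | tr -d '\r'); rc=0
    if ! printf '%s\n' "$resp" | grep -qi '^250[- ]STARTTLS'; then
        echo "FAIL: STARTTLS is not offered (check smtpd_tls_security_level and the certificate paths)"; rc=1
    fi
    if printf '%s\n' "$resp" | grep -qi '^250[- ]AUTH'; then
        echo "FAIL: AUTH is offered on the cleartext connection (set smtpd_tls_auth_only = yes)"; rc=1
    fi
    return $rc
}

# Live probe (needs network; not exercised offline): EHLO over plain TCP.
# nc on the probing machine is an assumption.
ehlo_probe() {   # host [port]
    printf 'EHLO probe.example\r\nQUIT\r\n' | nc -w 5 "$1" "${2:-25}"
}

# Live STARTTLS handshake; for the self-signed smtpd.pem from the article the
# verify line will report a self-signed certificate, which is expected here.
starttls_probe() {   # host [port]
    openssl s_client -starttls smtp -connect "$1:${2:-25}" </dev/null 2>/dev/null \
        | grep -E '^(Protocol|Cipher|Verify return code)'
}

# Constructed EHLO transcripts (no live server involved): AUTH enabled without
# smtpd_tls_auth_only, the hardened form, and a server without TLS at all.
EHLO_AUTH_IN_CLEAR='220 mymail.home.local ESMTP Postfix (Debian/GNU)
250-mymail.home.local
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-AUTH=DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN'
EHLO_HARDENED='220 mymail.home.local ESMTP Postfix (Debian/GNU)
250-mymail.home.local
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN'
EHLO_NO_TLS='220 mymail.home.local ESMTP Postfix (Debian/GNU)
250-mymail.home.local
250-PIPELINING
250 8BITMIME'

# Stand-alone demonstration on the constructed transcripts (run with --demo).
if [ "$1" = "--demo" ]; then
    for t in "$EHLO_AUTH_IN_CLEAR" "$EHLO_HARDENED" "$EHLO_NO_TLS"; do
        check_ehlo_response "$t" && echo "OK: STARTTLS offered, no cleartext AUTH"
        echo "--"
    done
fi
```

To grade the live server, feed the probe into the check: check_ehlo_response "$(ehlo_probe mymail.ru)". The second AUTH line (250-AUTH=...) is what broken_sasl_auth_clients = yes adds for old clients; it is caught by the same pattern.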
