«Stream» and «Mail server on Debian 9, full installation: dbmail & postgresql & postfix & stunnel & postgrey & spamassassin»: difference between pages

Material from support.qbpro.ru
=API for Stream Consumers=
'''A guide for quickly deploying your own mail server.'''<br>
Streams can be either Readable, Writable, or both (Duplex).
* ''This article appeared here because I ran into the problem of migrating a mail server that lived on an ordinary file system.''
''First of all, the mail was organized on software that was already obsolete, and moving it to a new platform without losses had become practically impossible.
Keeping mail in a database, on the other hand, gives huge advantages when upgrading, accessing the information, and also restoring it. In my case the database lives on another host, which makes maintaining it much easier, while all of the mail configuration files themselves can easily be reproduced on a new host if a mail server ever has to be built from scratch.''<br>


All streams are EventEmitters, but they also have other custom methods and properties depending on whether they are Readable, Writable, or Duplex.
=='''1. dbmail installation procedure'''==
* '''''System: Debian Stretch {9}'''''
* The sources.list that was used
#
deb http://mirror.mephi.ru/debian/ stretch main
deb-src http://mirror.mephi.ru/debian/ stretch main
deb http://security.debian.org/debian-security stretch/updates main
deb-src http://security.debian.org/debian-security stretch/updates main
# stretch-updates, previously known as 'volatile'
deb http://mirror.mephi.ru/debian/ stretch-updates main
deb-src http://mirror.mephi.ru/debian/ stretch-updates main
###### Debian Main Repos
deb http://deb.debian.org/debian/ stable main contrib non-free
deb-src http://deb.debian.org/debian/ stable main contrib non-free
deb http://deb.debian.org/debian/ stable-updates main contrib non-free
deb-src http://deb.debian.org/debian/ stable-updates main contrib non-free
deb http://deb.debian.org/debian-security stable/updates main contrib non-free
deb-src http://deb.debian.org/debian-security stable/updates main contrib non-free
deb http://ftp.debian.org/debian stretch-backports main contrib non-free
deb-src http://ftp.debian.org/debian stretch-backports main contrib non-free
1.1 ''Install the required packages:''
apt-get install pkg-config libglib2.0-dev libgmime-2.6-dev libmhash-dev libevent-dev libssl-dev libzdb-dev \
autoconf automake libtool autotools-dev dpkg-dev fakeroot debhelper dh-make libldap2-dev libsieve2-dev asciidoc \
libcrypto++6 libcrypto++-utils libcrypto++-dev xmlto xmltoman libarchive-tools lrzip binutils-multiarch \
arch-test libpgf-dev libsasl2-modules-db libsasl2-modules curl libcroco3 libsasl2-2 procmail libsasl2-modules-sql \
libpcre32-3 zlib1g-dev libpcrecpp0v5


If a stream is both Readable and Writable, then it implements all of the methods and events below. So, a Duplex or Transform stream is fully described by this API, though their implementation may be somewhat different.
1.2 ''Download the sources from [http://www.dbmail.org/index.php?page=download dbmail.org]:''
wget -c -t 0 -T 8 http://www.dbmail.org/download/3.1/dbmail-3.1.17.tar.gz


It is not necessary to implement Stream interfaces in order to consume streams in your programs. If you are implementing streaming interfaces in your own program, please also refer to API for Stream Implementors below.
1.3 ''Unpack and compile:''
cp dbmail-3.1.17.tar.gz /usr/local/src
tar -xf /usr/local/src/dbmail-3.1.17.tar.gz -C /usr/local/src
cp dbmail-3.1.17.tar.gz /usr/local/src/dbmail_3.1.7.orig.tar.gz
* '''[!]''' - ''I don't know, maybe it just turned out this way for me, but when you apply the commits the version that shows up is exactly'' '''3.1.7'''!!
* '''[!]''' - ''that is why everything we unpack and create here carries the version'' - 3.1.7 ...


Almost all Node programs, no matter how simple, use Streams in some way. Here is an example of using Streams in a Node program:
''Prepare the package for building:''
cd /usr/local/src/dbmail-3.1.7
./configure --prefix=/usr
 
dpkg-source --commit
give it a name, something like: '''pgsql.commit'''<br>
exit with '''ESC'''<br>
it should look like this:<br>
...
dpkg-source: инфо: локальные изменения были записаны в новую заплату: dbmail-3.1.7/debian/patches/pgsql.commit


  <nowiki>var http = require('http');
next:
  cd /usr/local/src/
dpkg-source -b dbmail-3.1.7


var server = http.createServer(function (req, res) {
cd /usr/local/src/dbmail-3.1.7
  // req is an http.IncomingMessage, which is a Readable Stream
dpkg-buildpackage -d
  // res is an http.ServerResponse, which is a Writable Stream


  var body = '';
* '''[!]''' - if you get a message like:
  // we want to get the data as utf8 strings
...
  // If you don't set an encoding, then you'll get Buffer objects
debian/rules:138: *** missing separator (did you mean TAB instead of 8 spaces?).  Останов.
  req.setEncoding('utf8');
dpkg-buildpackage: ошибка: debian/rules clean возвратил код ошибки 2


  // Readable streams emit 'data' events once a listener is added
* '''[!]''' - then you need to fix the error in the file '''dbmail-3.1.7/debian/rules'''
  req.on('data', function (chunk) {
line 138:
     body += chunk;
'''''........make -f debian/rules binary-common $* DH_OPTIONS=-p$*'''''
  })
      ^^^
     8 spaces here!! - there should be 2 tabs instead, which is what causes the error...


  // the end event tells you that you have entire body
* after the package has been built, it should look like this:
  req.on('end', function () {
# ls -n /usr/local/src
    try {
итого 3668
      var data = JSON.parse(body);
drwxrwxr-x 13 0  0    4096 ноя  2 00:19 dbmail-3.1.7
    } catch (er) {
-rw-r--r--  1 0 50    7597 ноя  2 00:19 dbmail_3.1.7-1_amd64.buildinfo
      // uh oh! bad json!
-rw-r--r--  1 0 50    1957 ноя  2 00:19 dbmail_3.1.7-1_amd64.changes
      res.statusCode = 400;
-rw-r--r--  1 0 50  349256 ноя  2 00:19 dbmail_3.1.7-1_amd64.deb
      return res.end('error: ' + er.message);
  -rw-r--r--  1 0 50  148008 ноя  2 00:14 dbmail_3.1.7-1.debian.tar.xz
    }
-rw-r--r--  1 0 50    1045 ноя  2 00:14 dbmail_3.1.7-1.dsc
-rw-r--r--  1 0  0 2391054 июл 27  2014 dbmail_3.1.7.orig.tar.gz
-rw-r--r--  1 0 50  838508 ноя  2 00:19 dbmail-dbgsym_3.1.7-1_amd64.deb


    // write back something interesting to the user:
* copy it to your own archive and install the package.
    res.write(typeof data);
dpkg -i dbmail_3.1.7-1_amd64.deb
    res.end();
  })
})


server.listen(1337);
* edit the configuration file:
editor /etc/dbmail/dbmail.conf


// $ curl localhost:1337 -d '{}'
* example of a working configuration file:
// object
// $ curl localhost:1337 -d '"foo"'
// string
// $ curl localhost:1337 -d 'not json'
// error: Unexpected token o</nowiki>
==Class: stream.Readable==
The Readable stream interface is the abstraction for a source of data that you are reading from. In other words, data comes out of a Readable stream.


A Readable stream will not start emitting data until you indicate that you are ready to receive it.
# (c) 2000-2006 IC&S, The Netherlands
#
# Configuration file for DBMAIL
[DBMAIL]
#
# Database settings
#
# database connection URI
'''#dburi                = sqlite:///var/tmp/dbmail.db'''
#
# Supported drivers are sql, ldap.
#
'''authdriver          = sql'''
#
#
# following fields are now DEPRECATED!
'''driver              = postgresql'''
'''host                = 10.0.5.2'''
'''sqlport              = 5432'''
'''#sqlsocket            ='''             
'''user                = dbmail'''
'''pass                = dbmailpass'''
'''db                  = mailbasename'''
#
# Number of database connections per threaded daemon
# This also determines the size of the worker threadpool
#
# Do NOT increase this without proper consideration. A
# very large database/worker pool will not only increase
# the connection pressure on the database, but will more
# significantly cause unnecessary context-switching in
# your CPUs.
#
#max_db_connections  = 10
#
# Table prefix. Defaults to "dbmail_" if not specified.
#
'''table_prefix        = dbmail_''' 
#
# encoding must match the database/table encoding.
# i.e. latin1, utf8
encoding            = utf8
#
# messages with unknown encoding will be assumed to have
# default_msg_encoding
# i.e. iso8859-1, utf8
default_msg_encoding = utf8
#
# Postmaster's email address for use in bounce messages.
#
#postmaster          = DBMAIL-MAILER     
#
# Sendmail executable for forwards, replies, notifies, vacations.
# You may use pipes (|) in this command, for example:
# dos2unix|/usr/sbin/sendmail  works well with Qmail.
# You may use quotes (") for executables with unusual names.
#
sendmail              = /usr/sbin/sendmail   
#
#
# The following items can be overridden in the service-specific sections.
#
#
#
# Logging via stderr/log file and syslog
#
# Logging is broken up into 8 logging levels and each level can be indivually turned on or off.
# The Stderr/log file logs all entries to stderr or the log file.
# Syslog logging uses the facility mail and the logging level of the event for logging.
# Syslog can then be configured to log data according to the levels.
#
# Set the log level to the sum of the values next to the levels you want to record.
#  1 = Emergency
#  2 = Alert
#  4 = Critical
#  8 = Error
#  16 = Warning
#  32 = Notice
#  64 = Info
# 128 = Debug
# 256 = Database -> Logs at debug level
#
# Examples:  0 = Nothing
#            31 = Emergency + Alert + Critical + Error + Warning
#          511 = Everything
#
file_logging_levels      = 7
#
syslog_logging_levels    = 31
#
# Generate a log entry for database queries for the log level at number of seconds of query execution time.
#
query_time_info      = 10
query_time_notice    = 20
query_time_warning    = 30
#
# Throw an exception is the query takes longer than query_timeout seconds
query_timeout        = 300
#
# Root privs are used to open a port, then privs
# are dropped down to the user/group specified here.
#
'''effective_user        = dbmail'''
'''effective_group      = mail'''
#
# The IPv4 and/or IPv6 addresses the services will bind to.
# Use * for all local interfaces.
# Use 127.0.0.1 for localhost only.
# Separate multiple entries with spaces ( ) or commas (,).
#
'''bindip                = 0.0.0.0        # IPv4 only - all IP's'''
#bindip                = ::            # IPv4 and IPv6 - all IP's (linux)
#bindip                = ::            # IPv6 only - all IP's (BSD)
#bindip                = 0.0.0.0,::    # IPv4 and IPv6 - all IP's (BSD)
#
# The maximum length of the queue of pending connections. See
# listen(2) for more information
#
# backlog              = 128
#
# Idle time allowed before a connection is shut off.
#
timeout              = 300           
#
# Idle time allowed before a connection is shut off if you have not logged in yet.
#
login_timeout        = 60
#
# If yes, resolves IP addresses to DNS names when logging.
#
resolve_ip            = yes
#
# If yes, keep statistics in the authlog table for connecting users
#
authlog              = no
#
# logfile for stdout messages
#
logfile              = /var/log/dbmail.log       
#
# logfile for stderr messages
#
errorlog              = /var/log/dbmail.err       
#
# directory for storing PID files
#
pid_directory        = /var/run/dbmail
#
# directory for locating libraries (normally has a sane default compiled-in)
#
library_directory      = /usr/lib/dbmail
#
# SSL/TLS certificates
#
# A file containing a list of CAs in PEM format
tls_cafile            =
# A file containing a PEM format certificate
tls_cert              =
# A file containing a PEM format RSA or DSA key
tls_key              =
# A cipher list string in the format given in ciphers(1)
tls_ciphers          =
# hashing algorithm. You can select your favorite hash type
# for generating unique ids for message parts.
#
# for valid values check mhash(3) but minus the MHASH_ prefix.
# if you ever change this value run 'dbmail-util --rehash' to
# update the hash for all mimeparts.
#
# examples: MD5, SHA1, SHA256, SHA512, TIGER, WHIRLPOOL
#
# hash_algorithm = SHA1
# header_cache tuning
#
# set header_cache_readonly to 'yes' to prevent new
# unknown header-names from being cached.
#
# header_cache_readonly = yes
[LMTP]
'''bindip = 127.0.0.1'''
port                  = 24               
#tls_port              =
[POP]
port                  = 110
#tls_port              = 995
# You can set an alternate banner to display when connecting to the service
# banner = DBMAIL pop3 server ready to rock
#
# If yes, allows SMTP access from the host IP connecting by POP3.
# This requires addition configuration of your MTA
#
pop_before_smtp      = no     
[HTTP]
port                  = 41380
#
# the httpd daemon provides full access to all users, mailboxes
# and messages. Be very careful with this one!
'''bindip                = 127.0.0.1'''
admin                = admin:secret
[IMAP]
# You can set an alternate banner to display when connecting to the service
# banner = imap 4r1 server (dbmail 2.3.x)
#
# Port to bind to.
#
port                  = 143               
##tls_port              = 993
#
# IMAP prefers a longer timeout than other services.
#
timeout              = 4000           
#
# If yes, allows SMTP access from the host IP connecting by IMAP.
# This requires addition configuration of your MTA
#
imap_before_smtp      = no
#
# during IDLE, how many seconds between checking the mailbox
# status (default: 30)
#
# idle_timeout          = 30
# during IDLE, how often should the server send an '* OK' still
# here message (default: 10)
#
# the time between such a message is idle_timeout * idle_interval
# seconds
#
# idle_interval        = 10
#
# If TLS is enabled, login before starttls is normally
# not allowed. Use login_disabled=no to change this
#
# login_disabled        = yes
#
# Provide a CAPABILITY to override the default
#
# capability  = IMAP4 IMAP4rev1 AUTH=LOGIN ACL RIGHTS=texk NAMESPACE CHILDREN SORT QUOTA THREAD=ORDEREDSUBJECT UNSELECT IDLE
# max message size. You can specify the maximum message size
# accepted by the IMAP daemon during APPEND commands.
#
# Supported formats:
#  decimal: 1000000   
#  octal:  03777777
#  hex:    0xfffff
#
# max_message_size      =
[SIEVE]
#
# Port to bind to.
#
port                  = 2000             
tls_port              =
[LDAP]
port                  = 389
version              = 3
hostname              = ldap
base_dn              = ou=People,dc=mydomain,dc=com
#
# If your LDAP library supports ldap_initialize(), then you can use the
# alternative LDAP server DSN like following.
#
# URI                = ldap://127.0.0.1:389
# URI                = ldapi://%2fvar%2frun%2fopenldap%2fldapi/
#
# Leave blank for anonymous bind.
# example: cn=admin,dc=mydomain,dc=com   
#
bind_dn              =
#
# Leave blank for anonymous bind.
#
bind_pw              =
scope                = SubTree
# AD users may want to set this to 'no' to disable
# ldap referrals if you are seeing 'Operations errors'
# in your logs
#
referrals            = yes
user_objectclass      = top,account,dbmailUser
forw_objectclass      = top,account,dbmailForwardingAddress
cn_string            = uid
field_passwd          = userPassword
field_uid            = uid
field_nid            = uidNumber
min_nid              = 10000
max_nid              = 15000
field_cid            = gidNumber
min_cid              = 10000
max_cid              = 15000
# a comma-separated list of attributes to match when searching
# for users or forwards that match a delivery address. A match
# on any of them is a hit.
field_mail            = mail
# field that holds the mail-quota size for a user.
field_quota          = mailQuota
# field that holds the forwarding address.
field_fwdtarget      = mailForwardingAddress
# override the query string used to search for users
# or forwards with a delivery address.
# query_string          = (mail=%s)
[DELIVERY]
#
# Run Sieve scripts as messages are delivered.
#
SIEVE                = yes             
#
# Use 'user+mailbox@domain' format to deliver to a mailbox.
#
SUBADDRESS            = yes         
#
# Turn on/off the Sieve Vacation extension.
#
SIEVE_VACATION        = yes     
#
# Turn on/off the Sieve Notify extension
#
SIEVE_NOTIFY          = yes
#
# Turn on/off additional Sieve debugging.
#
SIEVE_DEBUG          = no         
# Use the auto_notify table to send email notifications.
#
AUTO_NOTIFY          = no
 
#
# Use the auto_reply table to send away messages.
#
AUTO_REPLY            = no
#
# Defaults to "NEW MAIL NOTIFICATION"
#
#AUTO_NOTIFY_SUBJECT        =   
#
# Defaults to POSTMASTER from the DBMAIL section.
#
#AUTO_NOTIFY_SENDER        = 
# If you set this to 'yes' dbmail will check for duplicate
# messages in the relevant mailbox during delivery using
# the Message-ID header
#
suppress_duplicates    = no
#
# Soft or hard bounce on over-quota delivery
#
quota_failure          = hard
# end of configuration file
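Added example, not part of the article or of DBMail: a small Python checker that parses dbmail.conf in the layout shown above (sections, key = value, `#` comments), applies the [DBMAIL]-to-service inheritance the file's own comments describe, decodes the logging bitmask, and flags the settings a reviewer would question. The sample config is constructed from the article's values; the function names and finding texts are this example's own.

```python
import re

# Constructed sample: a subset of the article's dbmail.conf, values unchanged.
SAMPLE_CONF = """\
[DBMAIL]
authdriver          = sql
driver              = postgresql
host                = 10.0.5.2
user                = dbmail
pass                = dbmailpass
db                  = mailbasename
file_logging_levels      = 7
syslog_logging_levels    = 31
bindip                = 0.0.0.0        # IPv4 only - all IP's
tls_cert              =
tls_key               =
[LMTP]
bindip = 127.0.0.1
port                  = 24
[POP]
port                  = 110
[HTTP]
port                  = 41380
bindip                = 127.0.0.1
admin                = admin:secret
[IMAP]
port                  = 143
"""

# Bit values documented in the file's own logging comments.
LOG_LEVELS = {1: 'Emergency', 2: 'Alert', 4: 'Critical', 8: 'Error', 16: 'Warning',
              32: 'Notice', 64: 'Info', 128: 'Debug', 256: 'Database'}


def parse_dbmail_conf(text):
    """Return {SECTION: {key: value}}.  A '#' at line start is a comment; a '#'
    preceded by whitespace ends the value, so 'pass = a#b' survives intact.
    That rule is this example's assumption, chosen to match the article's
    advice that '#' may appear in the database password."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        line = re.sub(r'\s+#.*$', '', line)
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            section = m.group(1).upper()
            conf.setdefault(section, {})
        elif '=' in line and section is not None:
            key, _, value = line.partition('=')
            conf[section][key.strip().lower()] = value.strip()
    return conf


def effective(conf, section, key, default=''):
    """Service sections override [DBMAIL]; anything unset falls back to it."""
    return conf.get(section, {}).get(key, conf.get('DBMAIL', {}).get(key, default))


def decode_log_levels(value):
    """Expand the bitmask into level names, e.g. '7' -> Emergency, Alert, Critical."""
    n = int(value)
    return [name for bit, name in LOG_LEVELS.items() if n & bit]


def audit(conf):
    """Return human-readable findings; the wording is this example's own."""
    findings = []
    # The [HTTP] daemon gives full access to every mailbox (see its comment).
    if effective(conf, 'HTTP', 'bindip') not in ('127.0.0.1', '::1'):
        findings.append('HTTP: bindip is not loopback')
    if effective(conf, 'HTTP', 'admin') == 'admin:secret':
        findings.append('HTTP: admin credentials are still the sample admin:secret')
    # POP/IMAP inherit bindip 0.0.0.0 from [DBMAIL]; with no tls_cert, logins are plaintext.
    for svc in ('POP', 'IMAP'):
        if effective(conf, svc, 'bindip') in ('0.0.0.0', '*', '::') and not effective(conf, svc, 'tls_cert'):
            findings.append('%s: listens on all interfaces with no tls_cert' % svc)
    # Error-level events should reach at least one of the two log sinks.
    sinks = [decode_log_levels(effective(conf, 'DBMAIL', k, '0'))
             for k in ('file_logging_levels', 'syslog_logging_levels')]
    if not any('Error' in s for s in sinks):
        findings.append('DBMAIL: neither log sink records Error events')
    return findings


if __name__ == '__main__':
    for finding in audit(parse_dbmail_conf(SAMPLE_CONF)):
        print(finding)
```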


Readable streams have two "modes": a flowing mode and a non-flowing mode. When in flowing mode, data is read from the underlying system and provided to your program as fast as possible. In non-flowing mode, you must explicitly call stream.read() to get chunks of data out.
* edit the defaults file - /etc/default/dbmail


Examples of readable streams include:
# debian specific configuration for dbmail
# work-around for linux/epoll bug in libevent
export EVENT_NOEPOLL=yes
# comment out to disable the pop3 server
'''START_POP3D=true'''
# comment out to disable the imapd server
'''START_IMAPD=true'''
# uncomment to enable the lmtpd server
'''START_LMTPD=true'''
# uncomment to enable the timsieved server
#START_SIEVE=true
# comment out to enable the stunnel SSL wrapper
'''START_SSL=true'''
# specify the filename for the pem file as
# it resides in /etc/ssl/certs
'''PEMFILE="/etc/ssl/certs/dbmail.pem"'''


http responses, on the client
* create a certificate for dbmail:
http requests, on the server
cd /etc/ssl/certs
fs read streams
openssl req -new -x509 -nodes -out dbmail.pem -keyout smtpd.pem -days 3650
zlib streams
crypto streams
* restart the service:
tcp sockets
systemctl restart dbmail
child process stdout and stderr
process.stdin
===Event: 'readable'===


When a chunk of data can be read from the stream, it will emit a 'readable' event.
* A brief explanation of the daemons:
1. Those that deliver messages from the MTA into the store.<br>
2. Those that deliver messages from the store to the MUA.<br>


In some cases, listening for a 'readable' event will cause some data to be read into the internal buffer from the underlying system, if it hadn't already.
* The first group includes:<br>
'''dbmail-lmtpd''' – a UNIX daemon that accepts client connections over a UNIX socket or a TCP socket. Messages are received over the LMTP protocol. For each incoming message the MTA only opens a client socket; the required number of processes and database connections is created in advance.<br>
This variant therefore gives the best performance under high load, but under low load it consumes more system resources than necessary.<br>


var readable = getReadableStreamSomehow();
* The second group includes:<br>
readable.on('readable', function() {
'''dbmail-pop3d''' – daemon for access over the POP3 protocol.<br>
  // there is some data to read now
'''dbmail-imapd''' – daemon for access over the IMAP protocol.<br>
})
Once the internal buffer is drained, a readable event will fire again when more data is available.


===Event: 'data'===
* Besides these, DBMail includes the following helper utilities:<br>
'''dbmail-users''' – tool for managing users and their aliases.<br>
'''dbmail-util''' – tool for cleaning, optimizing and checking the integrity of the database.<br>


chunk Buffer | String The chunk of data.
* The '''dbmail''' installation is done for now; the next step is installing '''postgresql''' and configuring it for the work ahead.
If you attach a data event listener, then it will switch the stream into flowing mode, and data will be passed to your handler as soon as it is available.


If you just want to get all the data out of the stream as fast as possible, this is the best way to do so.


var readable = getReadableStreamSomehow();
=='''2. [[Настройка PostgreSQL|Configuring PostgreSQL]]'''==
readable.on('data', function(chunk) {
  console.log('got %d bytes of data', chunk.length);
})
===Event: 'end'===


This event fires when no more data will be provided.
2.1. Once the '''postgresql''' database is configured, create the user '''dbmail''' and the database '''dbmail'''<br>
* Create the user for working with the mail database
createuser -U postgres -P dbmail


Note that the end event will not fire unless the data is completely consumed. This can be done by switching into flowing mode, or by calling read() repeatedly until you get to the end.
* '''[!]''' - Never use special characters in the password other than #! (authentication may fail)


var readable = getReadableStreamSomehow();
* Create the database
readable.on('data', function(chunk) {
createdb -U postgres --owner dbmail dbmail
  console.log('got %d bytes of data', chunk.length);
})
readable.on('end', function() {
  console.log('there will be no more data.');
});
===Event: 'close'===


Emitted when the underlying resource (for example, the backing file descriptor) has been closed. Not all streams will emit this.
* '''dbmail''' ships with database templates; unpack and load them:
bunzip2 /usr/share/doc/dbmail-2.2.10/create_tables.pgsql.bz2
psql -U dbmail -d dbmail < /usr/share/doc/dbmail-2.2.10/create_tables.pgsql


===Event: 'error'===
or like this:
zcat /usr/share/doc/dbmail/examples/create_tables.pgsql.gz|psql -h 127.0.0.1 dbmail dbmailadmin


Emitted if there was an error receiving data.
or like this:
psql -U dbmail -h localhost maildb < create_tables.pgsql


===readable.read([size])===


size Number Optional argument to specify how much data to read.
* This dump has no table for virtual domains, so let's create it:
Return String | Buffer | null
  CREATE TYPE dtype AS ENUM (
The read() method pulls some data out of the internal buffer and returns it. If there is no data available, then it will return null.
  'LOCAL',
  'VIRTUAL',
  'RELAY'
);
ALTER TYPE public.dtype OWNER TO dbmail;
SET default_with_oids = true;
CREATE TABLE dbmail_domains (
  uid integer NOT NULL,
  domain character varying(128) NOT NULL,
  type dtype NOT NULL
);
INSERT INTO dbmail_domains (uid, domain, type) VALUES (1, 'example.com', 'LOCAL');


If you pass in a size argument, then it will return that many bytes. If size bytes are not available, then it will return null.
'''The database is ready.'''


If you do not specify a size argument, then it will return all the data in the internal buffer.
* add database maintenance to /etc/crontab
...
0 3 * * * root /usr/sbin/dbmail-util -cturpd -l 24h -qq
...


This method should only be called in non-flowing mode. In flowing-mode, this method is called automatically until the internal buffer is drained.
* check that '''dbmail''' works with the database:


  <nowiki>var readable = getReadableStreamSomehow();
  dbmail-util -av
readable.on('readable', function() {
  var chunk;
  while (null !== (chunk = readable.read())) {
    console.log('got %d bytes of data', chunk.length);
  }
});</nowiki>
===readable.setEncoding(encoding)===


encoding String The encoding to use.
if there are errors, fix them, remembering to check the configuration file...<br>
Call this function to cause the stream to return strings of the specified encoding instead of Buffer objects. For example, if you do readable.setEncoding('utf8'), then the output data will be interpreted as UTF-8 data, and returned as strings. If you do readable.setEncoding('hex'), then the data will be encoded in hexadecimal string format.
.. if everything is fine, move on to configuring '''postfix'''


This properly handles multi-byte characters that would otherwise be potentially mangled if you simply pulled the Buffers directly and called buf.toString(encoding) on them. If you want to read the data as strings, always use this method.
=='''3. Configuring Postfix'''==


  <nowiki>var readable = getReadableStreamSomehow();
apt-get install postfix postfix-pgsql postfix-sqlite procmail libsasl2-2 libsasl2-modules libsasl2-modules-db \
readable.setEncoding('utf8');
libsasl2-modules-sql sqlite3 mutt postfix-pcre postfix-ldap postfix-lmdb sasl2-bin ufw
readable.on('data', function(chunk) {
  assert.equal(typeof chunk, 'string');
  console.log('got %d characters of string data', chunk.length);
})</nowiki>
===readable.resume()===


This method will cause the readable stream to resume emitting data events.
* make the necessary changes to the configuration files - example of a working '''main.cf''':


This method will switch the stream into flowing-mode. If you do not want to consume the data from a stream, but you do want to get to its end event, you can call readable.resume() to open the flow of data.
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2
# TLS parameters
'''#smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem'''
'''#smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key'''
'''smtpd_tls_cert_file=/etc/postfix/ssl/smtpd.pem'''
'''smtpd_tls_key_file=/etc/postfix/ssl/smtpd.key'''
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
'''smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination'''
'''myhostname = mymail.home.local'''
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
'''mydestination = $myhostname, mymail.ru, mymail.home.local, localhost.home.local, localhost'''
relayhost =
'''#mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128'''
'''######################### the second IP is the host where the postgresql database lives'''
'''mynetworks = 127.0.0.0/8 10.0.5.2'''
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
'''############################## - specify how postgresql is used'''
'''local_recipient_maps = pgsql:/etc/postfix/dbmail-mailboxes.cf $alias_maps'''
'''mailbox_transport = dbmail-lmtp:127.0.0.1:24'''
'''#################### - enable authentication via sasl; its installation is described further down in this article.'''
'''broken_sasl_auth_clients = yes'''
'''smtpd_sasl_auth_enable = yes'''
'''smtpd_sasl_local_domain ='''
'''############################### - use our certificate, created as described further down.'''
'''smtpd_tls_auth_only = no'''
'''smtpd_tls_loglevel = 1'''
'''smtpd_tls_received_header = yes'''
'''smtpd_tls_session_cache_timeout = 3600s'''
'''tls_random_source = dev:/dev/urandom'''
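Added example, not from the article or from Postfix: a Python checker for the main.cf above that parses Postfix's name = value syntax (including continuation lines) and flags the relay, SASL and LMTP settings a reviewer would question. The sample values are the article's own; the function names and finding texts belong to this example.

```python
import re

# Constructed sample: the relay, TLS, SASL and transport lines from the article's main.cf.
SAMPLE_MAIN_CF = """\
# TLS parameters
smtpd_tls_cert_file=/etc/postfix/ssl/smtpd.pem
smtpd_tls_key_file=/etc/postfix/ssl/smtpd.key
smtpd_use_tls=yes
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mymail.home.local
mydestination = $myhostname, mymail.ru, mymail.home.local,
    localhost.home.local, localhost
mynetworks = 127.0.0.0/8 10.0.5.2
local_recipient_maps = pgsql:/etc/postfix/dbmail-mailboxes.cf $alias_maps
mailbox_transport = dbmail-lmtp:127.0.0.1:24
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = no
"""

# Entries that only cover the local host (the commented-out Debian default plus bare loopback).
LOOPBACK_NETS = {'127.0.0.0/8', '[::ffff:127.0.0.0]/104', '[::1]/128', '127.0.0.1', '[::1]'}


def parse_main_cf(text):
    """Postfix main.cf: 'name = value'; a line starting with whitespace continues
    the previous value; '#' is a comment only at the start of a line."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0] in ' \t' and last is not None:
            params[last] += ' ' + raw.strip()
            continue
        key, _, value = raw.partition('=')
        last = key.strip()
        params[last] = value.strip()
    return params


def split_list(value):
    """Postfix lists are separated by whitespace and/or commas."""
    return [v for v in re.split(r'[\s,]+', value) if v]


def audit_main_cf(p):
    findings = []
    # permit_mynetworks in smtpd_relay_restrictions lets every mynetworks entry relay
    # without authenticating, so the database host added there is a trusted relay client.
    extra = [n for n in split_list(p.get('mynetworks', '')) if n not in LOOPBACK_NETS]
    if extra and 'permit_mynetworks' in split_list(p.get('smtpd_relay_restrictions', '')):
        findings.append('unauthenticated relay allowed from: ' + ', '.join(extra))
    # Postfix defaults smtpd_tls_auth_only to no, so AUTH is offered before STARTTLS.
    if p.get('smtpd_sasl_auth_enable') == 'yes' and p.get('smtpd_tls_auth_only', 'no') != 'yes':
        findings.append('smtpd_tls_auth_only is not yes: SASL passwords may cross the wire in clear')
    if 'snakeoil' in p.get('smtpd_tls_cert_file', ''):
        findings.append('smtpd_tls_cert_file still points at the Debian snakeoil certificate')
    # LMTP delivery to dbmail-lmtpd is unauthenticated; the target should stay on loopback.
    m = re.match(r'[\w-]+:(\[?[^:\]]+\]?):\d+$', p.get('mailbox_transport', ''))
    if m and m.group(1) not in ('127.0.0.1', '[::1]', 'localhost'):
        findings.append('mailbox_transport LMTP target %s is not loopback' % m.group(1))
    return findings


if __name__ == '__main__':
    for finding in audit_main_cf(parse_main_cf(SAMPLE_MAIN_CF)):
        print(finding)
```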


  <nowiki>var readable = getReadableStreamSomehow();
 
readable.resume();
* make the necessary changes to the configuration files - example of a working '''master.cf''':
readable.on('end', function(chunk) {
#
   console.log('got to the end, but did not read anything');
# Postfix master process configuration file.  For details on the format
})</nowiki>
# of the file, see the master(5) manual page (command: "man 5 master" or
===readable.pause()===
# on-line: http://www.postfix.org/master.5.html).
  #
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#              (yes)  (yes)  (no)    (never) (100)
# ==========================================================================
smtp      inet  n      -      y      -      -      smtpd
#smtp      inet  n      -      y      -      1      postscreen
#smtpd    pass  -      -      y      -      -      smtpd
#dnsblog  unix  -      -      y      -      0      dnsblog
#tlsproxy  unix  -      -      y      -      0      tlsproxy
#submission inet n      -      y      -      -      smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps    inet  n      -      y      -      -      smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628      inet  n      -      y      -      -      qmqpd
pickup    unix  n      -      y      60      1      pickup
cleanup  unix  n      -      y      -      0      cleanup
qmgr      unix  n      -      n      300    1      qmgr
#qmgr    unix  n      -      n      300    1      oqmgr
tlsmgr    unix  -      -      y      1000?  1      tlsmgr
rewrite  unix  -      -      y      -      -      trivial-rewrite
bounce    unix  -      -      y      -      0      bounce
defer    unix  -      -      y      -      0      bounce
trace    unix  -      -      y      -      0      bounce
verify    unix  -      -      y      -      1      verify
flush    unix  n      -      y      1000?  0      flush
proxymap  unix  -      -      n      -      -      proxymap
proxywrite unix -      -      n      -      1      proxymap
smtp      unix  -      -      y      -      -      smtp
relay    unix  -      -      y      -      -      smtp
#      -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq    unix  n      -      y      -      -      showq
error    unix  -      -      y      -      -      error
retry    unix  -      -      y      -      -      error
discard  unix  -      -      y      -      -      discard
local    unix  -      n      n      -      -      local
virtual  unix  -      n      n      -      -      virtual
lmtp      unix  -      -      y      -      -      lmtp
anvil    unix  -      -      y      -      1      anvil
scache    unix  -      -      y      -      1      scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -      n      n      -      -      pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus    unix  -      n      n      -      -      pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -      n      n      -      -      pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -      n      n      -      -      pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -      n      n      -      -      pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp    unix  -      n      n      -      -      pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -      n      n      -      2      pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman  unix  -      n      n      -      -      pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
'''######'''
'''dbmail-lmtp    unix    -      -      n      -      -      lmtp'''
        '''-o disable_dns_lookups=yes'''
* create the PostgreSQL database connection settings file '''dbmail-mailboxes.cf''':
user = dbmail
password = userpass
hosts = 10.0.5.2
dbname = mailbasename
table = dbmail_aliases
select_field = alias
where_field = alias

* Since the mail server is not intended to act as a relay, '''SMTP''' access is allowed only with authentication, and for that we use '''SASL'''.
* in the postfix configuration directory, create the '''sasl''' settings directory:
mkdir -p /etc/postfix/sasl

* create the configuration file '''smtpd.conf''':
echo > /etc/postfix/sasl/smtpd.conf

* enter the file contents:
edit /etc/postfix/sasl/smtpd.conf

pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: digest-md5 cram-md5 login plain
sql_engine: pgsql
sql_user: dbmail
sql_passwd: userpass
sql_hostnames: 10.0.5.2
sql_database: mailbasename
sql_statement: select passwd from dbmail_users where userid='%u@%r'
sql_verbose: yes

This method will cause a stream in flowing-mode to stop emitting data events. Any data that becomes available will remain in the internal buffer.

This method is only relevant in flowing mode. When called on a non-flowing stream, it will switch into flowing mode, but remain paused.

<nowiki>var readable = getReadableStreamSomehow();
readable.on('data', function(chunk) {
  console.log('got %d bytes of data', chunk.length);
  readable.pause();
  console.log('there will be no more data for 1 second');
  setTimeout(function() {
    console.log('now data will start flowing again');
    readable.resume();
  }, 1000);
})</nowiki>
===readable.pipe(destination, [options])===

destination Writable Stream The destination for writing data
options Object Pipe options
end Boolean End the writer when the reader ends. Default = true
This method pulls all the data out of a readable stream, and writes it to the supplied destination, automatically managing the flow so that the destination is not overwhelmed by a fast readable stream.

Multiple destinations can be piped to safely.
* generate our own TLS certificate:
mkdir -p /etc/postfix/ssl
cd /etc/postfix/ssl
openssl req -new -x509 -days 3650 -nodes -out smtpd.pem -keyout smtpd.key

* restart '''postfix''':
  systemctl restart postfix
or
/etc/init.d/postfix restart

<nowiki>var readable = getReadableStreamSomehow();
var writable = fs.createWriteStream('file.txt');
// All the data from readable goes into 'file.txt'
readable.pipe(writable);</nowiki>
This function returns the destination stream, so you can set up pipe chains like so:


<nowiki>var r = fs.createReadStream('file.txt');
var z = zlib.createGzip();
var w = fs.createWriteStream('file.txt.gz');
r.pipe(z).pipe(w);</nowiki>
For example, emulating the Unix cat command:

<nowiki>process.stdin.pipe(process.stdout);</nowiki>

* check that '''postfix''' works:
  # telnet mymail.ru 25
Trying mymail.ru...
Connected to mymail.ru.
Escape character is '^]'.
220 mx.kscom.ru ESMTP Postfix
EHLO example.com
250-mx.kscom.ru
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
QUIT
221 2.0.0 Bye
Connection closed by foreign host.
- 250-STARTTLS must be present
- everything works..
=='''4. Настройка Stunnel'''==
* This package lets you set up an encrypted connection for mail as well as for other programs.<br>
* What follows describes how to create an encrypted login to the mail server.<br>

* Install the package:
apt-get install stunnel4

* in the /etc/stunnel directory, create a script for generating the certificate right away, so that if it is needed again you don't have to remember how it's done...
echo > /etc/stunnel/create-sert
editor /etc/stunnel/create-sert

By default end() is called on the destination when the source stream emits end, so that destination is no longer writable. Pass { end: false } as options to keep the destination stream open.

This keeps writer open so that "Goodbye" can be written at the end.

<nowiki>reader.pipe(writer, { end: false });
reader.on('end', function() {
  writer.end('Goodbye\n');
});</nowiki>
Note that process.stderr and process.stdout are never closed until the process exits, regardless of the specified options.


===readable.unpipe([destination])===
destination Writable Stream Optional specific stream to unpipe
This method will remove the hooks set up for a previous pipe() call.

If the destination is not specified, then all pipes are removed.

If the destination is specified, but no pipe is set up for it, then this is a no-op.

<nowiki>var readable = getReadableStreamSomehow();
var writable = fs.createWriteStream('file.txt');
// All the data from readable goes into 'file.txt',
// but only for the first second
readable.pipe(writable);
setTimeout(function() {
  console.log('stop writing to file.txt');
  readable.unpipe(writable);
  console.log('manually close the file stream');
  writable.end();
}, 1000);</nowiki>
* enter the contents:
#!/bin/sh
# the system's SSL certificate directory
cd /etc/ssl/certs
# certificate file name, at your discretion...
PEMFILE="servername.mymail.ru.pem"
# generate the certificate (the key and the certificate go into the same PEM file)
openssl req -new -x509 -nodes -days 3650 -out $PEMFILE -keyout $PEMFILE
chmod 600 $PEMFILE
[ -e temp_file ] && rm -f temp_file
dd if=/dev/urandom of=temp_file count=2
# append DH parameters; note that 512-bit DH is far below the current minimum of 2048 bits
openssl dhparam -rand temp_file 512 >> $PEMFILE
ln -sf $PEMFILE `openssl x509 -noout -hash < $PEMFILE`.0

* make it executable, for root only:
chmod 0700 /etc/stunnel/create-sert

* run the script and answer the questions..
/etc/stunnel/create-sert

* create the directory that will hold the .pid file
mkdir -p /var/run/stunnel4/

* copy the sample to serve as the stunnel4 configuration file
cp /usr/share/doc/stunnel4/examples/stunnel.conf-sample /etc/stunnel/stunnel.conf

* bring it to the following form (a working example):
; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2015
; Some options used here may be inadequate for your particular configuration
; This sample file does *not* represent stunnel.conf defaults
; Please consult the manual for detailed description of available options
; **************************************************************************
; * Global options                                                        *
; **************************************************************************
; It is recommended to drop root privileges if stunnel is started by root
;setuid = stunnel4
;setgid = stunnel4
; PID file is created inside the chroot jail (if enabled)
pid = /var/run/stunnel4/stunnel.pid
; Debugging stuff (may be useful for troubleshooting)
;foreground = yes
;debug = info
output = /var/log/stunnel.log
; Enable FIPS 140-2 mode if needed for compliance
;fips = yes
fips = no
; **************************************************************************
; * Service defaults may also be specified in individual service sections  *
; **************************************************************************
; Enable support for the insecure SSLv3 protocol
options = -NO_SSLv3
sslVersion = TLSv1.2
; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE
; **************************************************************************
; * Include all configuration file fragments from the specified folder    *
; **************************************************************************
;include = /etc/stunnel/conf.d
; **************************************************************************
; * Service definitions (remove all services for inetd mode)               *
; **************************************************************************
; ***************************************** Example TLS client mode services
; The following examples use /etc/ssl/certs, which is the common location
; of a hashed directory containing trusted CA certificates. This is not
; a hardcoded path of the stunnel package, as it is not related to the
; stunnel configuration in /etc/stunnel/.
;[mymail-pop3]
;client = yes
;accept = 127.0.0.1:110
;connect = pop3.mymail.ru:995
;verifyChain = yes
;CApath = @sysconfdir/ssl/certs
;checkHost = pop3s.mymail.ru
;OCSPaia = yes
;[mymail-imap]
;client = yes
;accept = 127.0.0.1:143
;connect = imap.mymail.ru:993
;verifyChain = yes
;CApath = @sysconfdir/ssl/certs
;checkHost = imaps.mymail.ru
;OCSPaia = yes
;[mymail-smtp]
;client = yes
;accept = 127.0.0.1:25
;connect = smtp.mymail.ru:465
;verifyChain = yes
;CApath = @sysconfdir/ssl/certs
;checkHost = smtps.mymail.ru
;OCSPaia = yes
; ***************************************** Example TLS server mode services
[pop3s]
accept  = 995
connect = 110
cert = /etc/ssl/certs/servername.mymail.ru.pem
[imaps]
accept  = 993
connect = 143
cert = /etc/ssl/certs/servername.mymail.ru.pem
[smtps]
accept  = 465
connect = 25
cert = /etc/ssl/certs/servername.mymail.ru.pem
; TLS front-end to a web server
;[https]
;accept  = 443
;connect = 80
;cert = /etc/stunnel/stunnel.pem
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
; Microsoft implementations do not use TLS close-notify alert and thus they
; are vulnerable to truncation attacks
;TIMEOUTclose = 0
; Remote shell protected with PSK-authenticated TLS
; Create "/etc/stunnel/secrets.txt" containing IDENTITY:KEY pairs
;[shell]
;accept = 1337
;exec = /bin/sh
;execArgs = sh -i
;ciphers = PSK
;PSKsecrets = /etc/stunnel/secrets.txt
; Non-standard MySQL-over-TLS encapsulation connecting the Unix socket
;[mysql]
;cert = /etc/stunnel/stunnel.pem
;accept = 3307
;connect = /run/mysqld/mysqld.sock
; vim:ft=dosini
===readable.unshift(chunk)===


chunk Buffer | String Chunk of data to unshift onto the read queue
This is useful in certain cases where a stream is being consumed by a parser, which needs to "un-consume" some data that it has optimistically pulled out of the source, so that the stream can be passed on to some other party.

If you find that you must often call stream.unshift(chunk) in your programs, consider implementing a Transform stream instead. (See API for Stream Implementors, below.)

<nowiki>// Pull off a header delimited by \n\n
// use unshift() if we get too much
// Call the callback with (error, header, stream)
var StringDecoder = require('string_decoder').StringDecoder;
function parseHeader(stream, callback) {
  stream.on('error', callback);
  stream.on('readable', onReadable);
  var decoder = new StringDecoder('utf8');
  var header = '';
  function onReadable() {
    var chunk;
    while (null !== (chunk = stream.read())) {
      var str = decoder.write(chunk);
      if (str.match(/\n\n/)) {
        // found the header boundary
        var split = str.split(/\n\n/);
        header += split.shift();
        var remaining = split.join('\n\n');
        var buf = Buffer.from(remaining, 'utf8');
        if (buf.length)
          stream.unshift(buf);
        stream.removeListener('error', callback);
        stream.removeListener('readable', onReadable);
        // now the body of the message can be read from the stream.
        callback(null, header, stream);
        // stop reading here, otherwise the loop would consume the body
        return;
      } else {
        // still reading the header.
        header += str;
      }
    }
  }
}</nowiki>
* adjust the default startup configuration file:
# /etc/default/stunnel
# Julien LEMOINE <speedblue@debian.org>
# September 2003
# Change to one to enable stunnel automatic startup
ENABLED=1
FILES="/etc/stunnel/*.conf"
OPTIONS=""
# Change to one to enable ppp restart scripts
PPP_RESTART=0
# Change to enable the setting of limits on the stunnel instances
# For example, to set a large limit on file descriptors (to enable
# more simultaneous client connections), set RLIMITS="-n 4096"
# More than one resource limit may be modified at the same time,
# e.g. RLIMITS="-n 4096 -d unlimited"
RLIMITS=""

* restart stunnel
/etc/init.d/stunnel4 restart

* after that, check that the ports we need are listening:
  nmap -v mymail.ru
...
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
110/tcp open  pop3
143/tcp open  imap
465/tcp open  smtps
993/tcp open  imaps
995/tcp open  pop3s
===readable.wrap(stream)===


stream Stream An "old style" readable stream
Versions of Node prior to v0.10 had streams that did not implement the entire Streams API as it is today. (See "Compatibility" below for more information.)

If you are using an older Node library that emits 'data' events and has a pause() method that is advisory only, then you can use the wrap() method to create a Readable stream that uses the old stream as its data source.

* check mail access over '''SSL\TLS''' (encrypted password) on ports '''465, 993, 995'''
* if everything is fine, I recommend closing the plain ports ('''110, 143''') with '''iptables''',
* and leaving only '''25''' open (some servers require exactly that port to deliver mail to you)
=='''5. Установка антиспама Spamassassin'''==


* install the package:
aptitude install spamassassin

* enable startup by default in /etc/default/spamassassin
...
ENABLED=1
...

* Bring the antispam configuration file /etc/spamassassin/local.cf to the following:
# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
# Only a small subset of options are listed below
#
###########################################################################
#  Add *****SPAM***** to the Subject header of spam e-mails
#
rewrite_header Subject *****SPAM*****
#  Save spam messages as a message/rfc822 MIME attachment instead of
#  modifying the original message (0: off, 2: use text/plain instead)
#
report_safe 0
#  Set which networks or hosts are considered 'trusted' by your mail
#  server (i.e. not spammers)
#
# trusted_networks 212.17.35.
trusted_networks 10.0.5.
#  Set file-locking method (flock is not safe over NFS, but is faster)
#
# lock_method flock
#   Set the threshold at which a message is considered spam (default: 5.0)
#
required_score 5.0
#  Use Bayesian classifier (default: 1)
#
use_bayes 1
#  Bayesian classifier auto-learning (default: 1)
#
bayes_auto_learn 1
#  Set headers which may provide inappropriate cues to the Bayesian
#  classifier
#
bayes_ignore_header X-Bogosity
bayes_ignore_header X-Spam-Flag
bayes_ignore_header X-Spam-Status
#  Whether to decode non- UTF-8 and non-ASCII textual parts and recode
#  them to UTF-8 before the text is given over to rules processing.
#
# normalize_charset 1
#  Some shortcircuiting, if the plugin is enabled
#
ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
#
#  default: strongly-whitelisted mails are *really* whitelisted now, if the
#  shortcircuiting plugin is active, causing early exit to save CPU load.
#  Uncomment to turn this on
#
# shortcircuit USER_IN_WHITELIST      on
# shortcircuit USER_IN_DEF_WHITELIST  on
# shortcircuit USER_IN_ALL_SPAM_TO    on
# shortcircuit SUBJECT_IN_WHITELIST    on
#  the opposite; blacklisted mails can also save CPU
#
# shortcircuit USER_IN_BLACKLIST      on
# shortcircuit USER_IN_BLACKLIST_TO    on
# shortcircuit SUBJECT_IN_BLACKLIST    on
#  if you have taken the time to correctly specify your "trusted_networks",
#  this is another good way to save CPU
#
# shortcircuit ALL_TRUSTED            on
#  and a well-trained bayes DB can save running rules, too
#
# shortcircuit BAYES_99                spam
# shortcircuit BAYES_00                ham
whitelist_from @mymail.ru
endif # Mail::SpamAssassin::Plugin::Shortcircuit

* Start spamassassin:
/etc/init.d/spamassassin start

* Edit the postfix file /etc/postfix/master.cf
- The line:
..
smtp      inet  n      -      -      -      -      smtpd
..
- replace with:
..
smtp      inet  n      -      -      -      -      smtpd -o content_filter=spamassassin
..
- Before:
..
dbmail-lmtp    unix    -      -      n      -      -      lmtp
        -o disable_dns_lookups=yes
..
- add:
..
spamassassin unix  -       n       n       -       -       pipe
  user=debian-spamd argv=/usr/bin/spamc -s 5120000 -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
..

* Restart '''postfix''':
/etc/init.d/postfix restart

You will very rarely ever need to call this function, but it exists as a convenience for interacting with old Node programs and libraries.

For example:

<nowiki>var OldReader = require('./old-api-module.js').OldReader;
var oreader = new OldReader;
var Readable = require('stream').Readable;
var myReader = new Readable().wrap(oreader);

myReader.on('readable', function() {
  myReader.read(); // etc.
});</nowiki>
===Class: stream.Writable===
The Writable stream interface is an abstraction for a destination that you are writing data to.

Examples of writable streams include:
* http requests, on the client
* http responses, on the server
* fs write streams
* zlib streams
* crypto streams
* tcp sockets
* child process stdin
* process.stdout, process.stderr
===writable.write(chunk, [encoding], [callback])===

chunk String | Buffer The data to write
encoding String The encoding, if chunk is a String
callback Function Callback for when this chunk of data is flushed
Returns: Boolean True if the data was handled completely.
This method writes some data to the underlying system, and calls the supplied callback once the data has been fully handled.

The return value indicates if you should continue writing right now. If the data had to be buffered internally, then it will return false. Otherwise, it will return true.

This return value is strictly advisory. You MAY continue to write, even if it returns false. However, writes will be buffered in memory, so it is best not to do this excessively. Instead, wait for the drain event before writing more data.


===Event: 'drain'===
If a writable.write(chunk) call returns false, then the drain event will indicate when it is appropriate to begin writing more data to the stream.

<nowiki>// Write the data to the supplied writable stream 1MM times.
// Be attentive to back-pressure.
function writeOneMillionTimes(writer, data, encoding, callback) {
  var i = 1000000;
  write();
  function write() {
    var ok = true;
    do {
      i -= 1;
      if (i === 0) {
        // last time!
        writer.write(data, encoding, callback);
      } else {
        // see if we should continue, or wait
        // don't pass the callback, because we're not done yet.
        ok = writer.write(data, encoding);
      }
    } while (i > 0 && ok);
    if (i > 0) {
      // had to stop early!
      // write some more once it drains
      writer.once('drain', write);
    }
  }
}</nowiki>
===writable.end([chunk], [encoding], [callback])===

chunk String | Buffer Optional data to write
encoding String The encoding, if chunk is a String
callback Function Optional callback for when the stream is finished
Call this method when no more data will be written to the stream. If supplied, the callback is attached as a listener on the finish event.

Calling write() after calling end() will raise an error.

<nowiki>// write 'hello, ' and then end with 'world!'
http.createServer(function (req, res) {
  res.write('hello, ');
  res.end('world!');
  // writing more now is not allowed!
});</nowiki>
===Event: 'finish'===

When the end() method has been called, and all data has been flushed to the underlying system, this event is emitted.

<nowiki>var writer = getWritableStreamSomehow();
for (var i = 0; i < 100; i ++) {
  writer.write('hello, #' + i + '!\n');
}
writer.end('this is the end\n');
writer.on('finish', function() {
  console.error('all writes are now complete.');
});</nowiki>

* Check that mail works; everything should be working...

<hr>
Sources:
<hr>
* [https://www.opennet.ru/docs/RUS/dbmail_postfix/ A mail server based on a relational DBMS]
* [http://library.mobrien.com/dbmailadministrator/ The DbMail Administrator (DBMA) GUI configurator, written in Perl]
* [https://habrahabr.ru/post/37195/ Setting up exim+postgresql+dbmail+spamassassin...]
* [https://www.opennet.ru/docs/RUS/dbmail/#dbmail_fs Building a mail system based on exim, dbmail, amavisd-new and postgresql]
* [https://habrahabr.ru/post/211078/ A mail server storing its data in PostgreSQL]
* [https://www.opennet.ru/base/net/exim_intro.txt.html Exim (exim mail mta virtual spam virus clamav freebsd imap postgresql)]
* [http://www.linuxcenter.ru/lib/articles/soft/ezh_mailsystem.phtml?style=print Building a mail system based on exim, dbmail, amavisd-new and postgresql]
* [https://www.lissyara.su/archive/exim+dbmail/ Exim and dbmail]
* [https://vovanys.com/linux/pochtovyj-server-pod-ubuntu-server-svyazka-dbmail-postfix-sasl-spamassassin-clamav/ A mail server on Ubuntu Server: DBmail + Postfix + sasl + spamassassin + clamav]
* [http://samag.ru/archive/article/608 A mail server based on a relational DBMS (revised)]
* [http://www.wertup.ru/ubuntu/mail-server Mail server: DBmail + Postfix + sasl + spamassassin + clamav + DBMA + Roundcube webmail]
* [https://www.lissyara.su/articles/freebsd/mail/postfix+dbmail/ Mail system: Postfix + DBMail + SASL2 + TLS + DSpam + ClamAV + RoundCubeWebMail]
* [http://www.dbmail.org/dokuwiki/doku.php/stunnel How to set up and use encrypted connections with DBmail]
* [https://notessysadmin.com/postfix-perenapravlenie-pochty Postfix: forwarding mail]
* [https://toster.ru/q/53106 Postfix: forwarding all incoming mail to another mailbox]
===Event: 'pipe'===
 
src Readable Stream source stream that is piping to this writable
This is emitted whenever the pipe() method is called on a readable stream, adding this writable to its set of destinations.
 
<nowiki>var writer = getWritableStreamSomehow();
var reader = getReadableStreamSomehow();
writer.on('pipe', function(src) {
  console.error('something is piping into the writer');
  assert.equal(src, reader);
});
reader.pipe(writer);</nowiki>
===Event: 'unpipe'===
 
src Readable Stream The source stream that unpiped this writable
This is emitted whenever the unpipe() method is called on a readable stream, removing this writable from its set of destinations.
 
<nowiki>var writer = getWritableStreamSomehow();
var reader = getReadableStreamSomehow();
writer.on('unpipe', function(src) {
  console.error('something has stopped piping into the writer');
  assert.equal(src, reader);
});
reader.pipe(writer);
reader.unpipe(writer);</nowiki>
===Class: stream.Duplex===
Duplex streams are streams that implement both the Readable and Writable interfaces. See above for usage.
 
Examples of Duplex streams include:

* tcp sockets
* zlib streams
* crypto streams
===Class: stream.Transform===
Transform streams are Duplex streams where the output is in some way computed from the input. They implement both the Readable and Writable interfaces. See above for usage.
 
Examples of Transform streams include:

* zlib streams
* crypto streams
=API for Stream Implementors=
To implement any sort of stream, the pattern is the same:

# Extend the appropriate parent class in your own subclass. (The util.inherits method is particularly helpful for this.)
# Call the appropriate parent class constructor in your constructor, to be sure that the internal mechanisms are set up properly.
# Implement one or more specific methods, as detailed below.

The class to extend and the method(s) to implement depend on the sort of stream class you are writing:

{| class="wikitable"
! Use-case !! Class !! Method(s) to implement
|-
| Reading only || Readable || _read
|-
| Writing only || Writable || _write
|-
| Reading and writing || Duplex || _read, _write
|-
| Operate on written data, then read the result || Transform || _transform, _flush
|}
In your implementation code, it is very important to never call the methods described in API for Stream Consumers above. Otherwise, you can potentially cause adverse side effects in programs that consume your streaming interfaces.
 
==Class: stream.Readable==
stream.Readable is an abstract class designed to be extended with an underlying implementation of the _read(size) method.
 
Please see above under API for Stream Consumers for how to consume streams in your programs. What follows is an explanation of how to implement Readable streams in your programs.
 
===Example: A Counting Stream===
 
This is a basic example of a Readable stream. It emits the numerals from 1 to 1,000,000 in ascending order, and then ends.
 
<nowiki>var Readable = require('stream').Readable;
var util = require('util');
util.inherits(Counter, Readable);

function Counter(opt) {
  Readable.call(this, opt);
  this._max = 1000000;
  this._index = 1;
}

Counter.prototype._read = function() {
  var i = this._index++;
  if (i > this._max)
    this.push(null);
  else {
    var str = '' + i;
    // Buffer.from replaces the deprecated new Buffer(string, encoding)
    var buf = Buffer.from(str, 'ascii');
    this.push(buf);
  }
};</nowiki>
===Example: SimpleProtocol v1 (Sub-optimal)===
 
This is similar to the parseHeader function described above, but implemented as a custom stream. Also, note that this implementation does not convert the incoming data to a string.
 
However, this would be better implemented as a Transform stream. See below for a better implementation.
 
<nowiki>// A parser for a simple data protocol.
// The "header" is a JSON object, followed by 2 \n characters, and
// then a message body.
//
// NOTE: This can be done more simply as a Transform stream!
// Using Readable directly for this is sub-optimal. See the
// alternative example below under the Transform section.

var Readable = require('stream').Readable;
var util = require('util');

util.inherits(SimpleProtocol, Readable);

function SimpleProtocol(source, options) {
  if (!(this instanceof SimpleProtocol))
    return new SimpleProtocol(source, options);

  Readable.call(this, options);
  this._inBody = false;
  this._sawFirstCr = false;

  // source is a readable stream, such as a socket or file
  this._source = source;

  var self = this;
  source.on('end', function() {
    self.push(null);
  });

  // give it a kick whenever the source is readable
  // read(0) will not consume any bytes
  source.on('readable', function() {
    self.read(0);
  });

  this._rawHeader = [];
  this.header = null;
}

SimpleProtocol.prototype._read = function(n) {
  if (!this._inBody) {
    var chunk = this._source.read();

    // if the source doesn't have data, we don't have data yet.
    if (chunk === null)
      return this.push('');

    // check if the chunk has a \n\n
    var split = -1;
    for (var i = 0; i < chunk.length; i++) {
      if (chunk[i] === 10) { // '\n'
        if (this._sawFirstCr) {
          split = i;
          break;
        } else {
          this._sawFirstCr = true;
        }
      } else {
        this._sawFirstCr = false;
      }
    }

    if (split === -1) {
      // still waiting for the \n\n
      // stash the chunk, and try again.
      this._rawHeader.push(chunk);
      this.push('');
    } else {
      this._inBody = true;
      var h = chunk.slice(0, split);
      this._rawHeader.push(h);
      var header = Buffer.concat(this._rawHeader).toString();
      try {
        this.header = JSON.parse(header);
      } catch (er) {
        this.emit('error', new Error('invalid simple protocol data'));
        return;
      }
      // now, because we got some extra data, unshift the rest
      // back into the read queue so that our consumer will see it.
      var b = chunk.slice(split);
      this.unshift(b);

      // and let them know that we are done parsing the header.
      this.emit('header', this.header);
    }
  } else {
    // from there on, just provide the data to our consumer.
    // careful not to push(null), since that would indicate EOF.
    var chunk = this._source.read();
    if (chunk) this.push(chunk);
  }
};

// Usage:
// var parser = new SimpleProtocol(source);
// Now parser is a readable stream that will emit 'header'
// with the parsed header data.</nowiki>
===new stream.Readable([options])===
 
options Object
highWaterMark Number The maximum number of bytes to store in the internal buffer before ceasing to read from the underlying resource. Default=16kb
encoding String If specified, then buffers will be decoded to strings using the specified encoding. Default=null
objectMode Boolean Whether this stream should behave as a stream of objects. Meaning that stream.read(n) returns a single value instead of a Buffer of size n
In classes that extend the Readable class, make sure to call the Readable constructor so that the buffering settings can be properly initialized.
 
===readable._read(size)===
 
size Number Number of bytes to read asynchronously
Note: Implement this function, but do NOT call it directly.
 
This function should NOT be called directly. It should be implemented by child classes, and only called by the internal Readable class methods.
 
All Readable stream implementations must provide a _read method to fetch data from the underlying resource.
 
This method is prefixed with an underscore because it is internal to the class that defines it, and should not be called directly by user programs. However, you are expected to override this method in your own extension classes.
 
When data is available, put it into the read queue by calling readable.push(chunk). If push returns false, then you should stop reading. When _read is called again, you should start pushing more data.
 
The size argument is advisory. Implementations where a "read" is a single call that returns data can use this to know how much data to fetch. Implementations where that is not relevant, such as TCP or TLS, may ignore this argument, and simply provide data whenever it becomes available. There is no need, for example to "wait" until size bytes are available before calling stream.push(chunk).
 
===readable.push(chunk, [encoding])===
 
chunk Buffer | null | String Chunk of data to push into the read queue
encoding String Encoding of String chunks. Must be a valid Buffer encoding, such as 'utf8' or 'ascii'
return Boolean Whether or not more pushes should be performed
Note: This function should be called by Readable implementors, NOT by consumers of Readable streams.
 
The _read() function will not be called again until at least one push(chunk) call is made.
 
The Readable class works by putting data into a read queue to be pulled out later by calling the read() method when the 'readable' event fires.
 
The push() method will explicitly insert some data into the read queue. If it is called with null then it will signal the end of the data (EOF).
 
This API is designed to be as flexible as possible. For example, you may be wrapping a lower-level source which has some sort of pause/resume mechanism, and a data callback. In those cases, you could wrap the low-level source object by doing something like this:
 
// source is an object with readStop() and readStart() methods,
// and an `ondata` member that gets called when it has data, and
// an `onend` member that gets called when the data is over.
var util = require('util');
var Readable = require('stream').Readable;

util.inherits(SourceWrapper, Readable);
 
function SourceWrapper(options) {
  Readable.call(this, options);
 
  this._source = getLowlevelSourceObject();
  var self = this;
 
  // Every time there's data, we push it into the internal buffer.
  this._source.ondata = function(chunk) {
    // if push() returns false, then we need to stop reading from source
    if (!self.push(chunk))
      self._source.readStop();
  };
 
  // When the source ends, we push the EOF-signalling `null` chunk
  this._source.onend = function() {
    self.push(null);
  };
}
 
// _read will be called when the stream wants to pull more data in
// the advisory size argument is ignored in this case.
SourceWrapper.prototype._read = function(size) {
  this._source.readStart();
};
==Class: stream.Writable==
stream.Writable is an abstract class designed to be extended with an underlying implementation of the _write(chunk, encoding, callback) method.
 
Please see above under API for Stream Consumers for how to consume writable streams in your programs. What follows is an explanation of how to implement Writable streams in your programs.
 
===new stream.Writable([options])===
 
options Object
highWaterMark Number Buffer level when write() starts returning false. Default=16kb
decodeStrings Boolean Whether or not to decode strings into Buffers before passing them to _write(). Default=true
In classes that extend the Writable class, make sure to call the constructor so that the buffering settings can be properly initialized.
 
===writable._write(chunk, encoding, callback)===
 
chunk Buffer | String The chunk to be written. Will always be a buffer unless the decodeStrings option was set to false.
encoding String If the chunk is a string, then this is the encoding type. Ignore if chunk is a Buffer. Note that chunk will always be a Buffer unless the decodeStrings option is explicitly set to false.
callback Function Call this function (optionally with an error argument) when you are done processing the supplied chunk.
All Writable stream implementations must provide a _write() method to send data to the underlying resource.
 
Note: This function MUST NOT be called directly. It should be implemented by child classes, and called by the internal Writable class methods only.
 
Call the callback using the standard callback(error) pattern to signal that the write completed successfully or with an error.
 
If the decodeStrings flag is set in the constructor options, then chunk may be a string rather than a Buffer, and encoding will indicate the sort of string that it is. This is to support implementations that have an optimized handling for certain string data encodings. If you do not explicitly set the decodeStrings option to false, then you can safely ignore the encoding argument, and assume that chunk will always be a Buffer.
 
This method is prefixed with an underscore because it is internal to the class that defines it, and should not be called directly by user programs. However, you are expected to override this method in your own extension classes.
 
==Class: stream.Duplex==
A "duplex" stream is one that is both Readable and Writable, such as a TCP socket connection.
 
Note that stream.Duplex is an abstract class designed to be extended with an underlying implementation of the _read(size) and _write(chunk, encoding, callback) methods as you would with a Readable or Writable stream class.
 
Since JavaScript doesn't have multiple prototypal inheritance, this class prototypally inherits from Readable, and then parasitically from Writable. It is thus up to the user to implement both the low-level _read(n) method as well as the low-level _write(chunk, encoding, callback) method on extension duplex classes.
 
===new stream.Duplex(options)===
 
options Object Passed to both Writable and Readable constructors. Also has the following fields:
allowHalfOpen Boolean Default=true. If set to false, then the stream will automatically end the readable side when the writable side ends and vice versa.
In classes that extend the Duplex class, make sure to call the constructor so that the buffering settings can be properly initialized.
 
==Class: stream.Transform==
A "transform" stream is a duplex stream where the output is causally connected in some way to the input, such as a zlib stream or a crypto stream.
 
There is no requirement that the output be the same size as the input, the same number of chunks, or arrive at the same time. For example, a Hash stream will only ever have a single chunk of output which is provided when the input is ended. A zlib stream will produce output that is either much smaller or much larger than its input.
 
Rather than implement the _read() and _write() methods, Transform classes must implement the _transform() method, and may optionally also implement the _flush() method. (See below.)
 
===new stream.Transform([options])===
 
options Object Passed to both Writable and Readable constructors.
In classes that extend the Transform class, make sure to call the constructor so that the buffering settings can be properly initialized.
 
===transform._transform(chunk, encoding, callback)===
 
chunk Buffer | String The chunk to be transformed. Will always be a buffer unless the decodeStrings option was set to false.
encoding String If the chunk is a string, then this is the encoding type. (Ignore if chunk is a Buffer.)
callback Function Call this function (optionally with an error argument) when you are done processing the supplied chunk.
Note: This function MUST NOT be called directly. It should be implemented by child classes, and called by the internal Transform class methods only.
 
All Transform stream implementations must provide a _transform method to accept input and produce output.
 
_transform should do whatever has to be done in this specific Transform class, to handle the bytes being written, and pass them off to the readable portion of the interface. Do asynchronous I/O, process things, and so on.
 
Call transform.push(outputChunk) 0 or more times to generate output from this input chunk, depending on how much data you want to output as a result of this chunk.
 
Call the callback function only when the current chunk is completely consumed. Note that there may or may not be output as a result of any particular input chunk.
 
This method is prefixed with an underscore because it is internal to the class that defines it, and should not be called directly by user programs. However, you are expected to override this method in your own extension classes.
 
===transform._flush(callback)===
 
callback Function Call this function (optionally with an error argument) when you are done flushing any remaining data.
Note: This function MUST NOT be called directly. It MAY be implemented by child classes, and if so, will be called by the internal Transform class methods only.
 
In some cases, your transform operation may need to emit a bit more data at the end of the stream. For example, a Zlib compression stream will store up some internal state so that it can optimally compress the output. At the end, however, it needs to do the best it can with what is left, so that the data will be complete.
 
In those cases, you can implement a _flush method, which will be called at the very end, after all the written data is consumed, but before emitting end to signal the end of the readable side. Just like with _transform, call transform.push(chunk) zero or more times, as appropriate, and call callback when the flush operation is complete.
 
This method is prefixed with an underscore because it is internal to the class that defines it, and should not be called directly by user programs. However, you are expected to override this method in your own extension classes.
 
===Example: SimpleProtocol parser v2===
 
The example above of a simple protocol parser can be implemented simply by using the higher level Transform stream class, similar to the parseHeader and SimpleProtocol v1 examples above.
 
In this example, rather than providing the input as an argument, it would be piped into the parser, which is a more idiomatic Node stream approach.
 
var util = require('util');
var Transform = require('stream').Transform;
util.inherits(SimpleProtocol, Transform);
 
function SimpleProtocol(options) {
  if (!(this instanceof SimpleProtocol))
    return new SimpleProtocol(options);
 
  Transform.call(this, options);
  this._inBody = false;
  this._sawFirstCr = false;
  this._rawHeader = [];
  this.header = null;
}
 
SimpleProtocol.prototype._transform = function(chunk, encoding, done) {
  if (!this._inBody) {
    // check if the chunk has a \n\n
    var split = -1;
    for (var i = 0; i < chunk.length; i++) {
      if (chunk[i] === 10) { // '\n'
        if (this._sawFirstCr) {
          split = i;
          break;
        } else {
          this._sawFirstCr = true;
        }
      } else {
        this._sawFirstCr = false;
      }
    }
 
    if (split === -1) {
      // still waiting for the \n\n
      // stash the chunk, and try again.
      this._rawHeader.push(chunk);
    } else {
      this._inBody = true;
      var h = chunk.slice(0, split);
      this._rawHeader.push(h);
      var header = Buffer.concat(this._rawHeader).toString();
      try {
        this.header = JSON.parse(header);
      } catch (er) {
        // report the failure through the callback; emitting 'error' and
        // returning early would leave the pending write's callback uncalled
        return done(new Error('invalid simple protocol data'));
      }
      // and let them know that we are done parsing the header.
      this.emit('header', this.header);
 
      // now, because we got some extra data, emit this first.
      this.push(chunk.slice(split));
    }
  } else {
    // from there on, just provide the data to our consumer as-is.
    this.push(chunk);
  }
  done();
};
 
// Usage:
// var parser = new SimpleProtocol();
// source.pipe(parser)
// Now parser is a readable stream that will emit 'header'
// with the parsed header data.
==Class: stream.PassThrough==
This is a trivial implementation of a Transform stream that simply passes the input bytes across to the output. Its purpose is mainly for examples and testing, but there are occasionally use cases where it can come in handy as a building block for novel sorts of streams.
 
==Streams: Under the Hood==
===Buffering===
Both Writable and Readable streams will buffer data on an internal object called _writableState.buffer or _readableState.buffer, respectively.
 
The amount of data that will potentially be buffered depends on the highWaterMark option which is passed into the constructor.
 
Buffering in Readable streams happens when the implementation calls stream.push(chunk). If the consumer of the Stream does not call stream.read(), then the data will sit in the internal queue until it is consumed.
 
Buffering in Writable streams happens when the user calls stream.write(chunk) repeatedly, even when write() returns false.
 
The purpose of streams, especially with the pipe() method, is to limit the buffering of data to acceptable levels, so that sources and destinations of varying speed will not overwhelm the available memory.
 
===stream.read(0)===
There are some cases where you want to trigger a refresh of the underlying readable stream mechanisms, without actually consuming any data. In that case, you can call stream.read(0), which will always return null.
 
If the internal read buffer is below the highWaterMark, and the stream is not currently reading, then calling read(0) will trigger a low-level _read call.
 
There is almost never a need to do this. However, you will see some cases in Node's internals where this is done, particularly in the Readable stream class internals.
 
===stream.push('')===
Pushing a zero-byte string or Buffer (when not in Object mode) has an interesting side effect. Because it is a call to stream.push(), it will end the reading process. However, it does not add any data to the readable buffer, so there's nothing for a user to consume.
 
Very rarely, there are cases where you have no data to provide now, but the consumer of your stream (or, perhaps, another bit of your own code) will know when to check again, by calling stream.read(0). In those cases, you may call stream.push('').
 
So far, the only use case for this functionality is in the tls.CryptoStream class, which is deprecated in Node v0.12. If you find that you have to use stream.push(''), please consider another approach, because it almost certainly indicates that something is horribly wrong.
 
===Compatibility with Older Node Versions===
In versions of Node prior to v0.10, the Readable stream interface was simpler, but also less powerful and less useful.
 
Rather than waiting for you to call the read() method, 'data' events would start emitting immediately. If you needed to do some I/O to decide how to handle data, then you had to store the chunks in some kind of buffer so that they would not be lost.
The pause() method was advisory, rather than guaranteed. This meant that you still had to be prepared to receive 'data' events even when the stream was in a paused state.
In Node v0.10, the Readable class described below was added. For backwards compatibility with older Node programs, Readable streams switch into "flowing mode" when a 'data' event handler is added, or when the pause() or resume() methods are called. The effect is that, even if you are not using the new read() method and 'readable' event, you no longer have to worry about losing 'data' chunks.
 
Most programs will continue to function normally. However, this introduces an edge case in the following conditions:
 
No 'data' event handler is added.
The pause() and resume() methods are never called.
For example, consider the following code:
 
// WARNING!  BROKEN!
var net = require('net');
net.createServer(function(socket) {
 
  // we add an 'end' method, but never consume the data
  socket.on('end', function() {
    // It will never get here.
    socket.end('I got your message (but didnt read it)\n');
  });
 
}).listen(1337);
In versions of node prior to v0.10, the incoming message data would be simply discarded. However, in Node v0.10 and beyond, the socket will remain paused forever.
 
The workaround in this situation is to call the resume() method to trigger "old mode" behavior:
 
// Workaround
var net = require('net');
net.createServer(function(socket) {
 
  socket.on('end', function() {
    socket.end('I got your message (but didnt read it)\n');
  });
 
  // start the flow of data, discarding it.
  socket.resume();
 
}).listen(1337);
In addition to new Readable streams switching into flowing-mode, pre-v0.10 style streams can be wrapped in a Readable class using the wrap() method.
 
===Object Mode===
Normally, Streams operate on Strings and Buffers exclusively.
 
Streams that are in object mode can emit generic JavaScript values other than Buffers and Strings.
 
A Readable stream in object mode will always return a single item from a call to stream.read(size), regardless of what the size argument is.
 
A Writable stream in object mode will always ignore the encoding argument to stream.write(data, encoding).
 
The special value null still retains its special value for object mode streams. That is, for object mode readable streams, null as a return value from stream.read() indicates that there is no more data, and stream.push(null) will signal the end of stream data (EOF).
 
No streams in Node core are object mode streams. This pattern is only used by userland streaming libraries.
 
You should set objectMode in your stream child class constructor on the options object. Setting objectMode mid-stream is not safe.
 
===State Objects===
Readable streams have a member object called _readableState. Writable streams have a member object called _writableState. Duplex streams have both.
 
These objects should generally not be modified in child classes. However, if you have a Duplex or Transform stream that should be in objectMode on the readable side, and not in objectMode on the writable side, then you may do this in the constructor by setting the flag explicitly on the appropriate state object.
 
var util = require('util');
var StringDecoder = require('string_decoder').StringDecoder;
var Transform = require('stream').Transform;
util.inherits(JSONParseStream, Transform);
 
// Gets \n-delimited JSON string data, and emits the parsed objects
function JSONParseStream(options) {
  if (!(this instanceof JSONParseStream))
    return new JSONParseStream(options);
 
  Transform.call(this, options);
  this._writableState.objectMode = false;
  this._readableState.objectMode = true;
  this._buffer = '';
  this._decoder = new StringDecoder('utf8');
}
 
JSONParseStream.prototype._transform = function(chunk, encoding, cb) {
  this._buffer += this._decoder.write(chunk);
  // split on newlines
  var lines = this._buffer.split(/\r?\n/);
  // keep the last partial line buffered
  this._buffer = lines.pop();
  for (var l = 0; l < lines.length; l++) {
    var line = lines[l];
    try {
      var obj = JSON.parse(line);
    } catch (er) {
      // report through the callback so the pending write does not hang
      return cb(er);
    }
    // push the parsed object out to the readable consumer
    this.push(obj);
  }
  cb();
};
 
JSONParseStream.prototype._flush = function(cb) {
  // Just handle any leftover
  var rem = this._buffer.trim();
  if (rem) {
    try {
      var obj = JSON.parse(rem);
    } catch (er) {
      return cb(er);
    }
    // push the parsed object out to the readable consumer
    this.push(obj);
  }
  cb();
};
The state objects contain other useful information for debugging the state of streams in your programs. It is safe to look at them, but beyond setting option flags in the constructor, it is not safe to modify them.
 

Revision as of 01:48, 19 February 2018

A guide to quickly deploying your own mail server.

  • This article came about because I ran into the problem of migrating a mail server that kept its mail on an ordinary file system.

The main issue was that the mail had been set up on software that was already obsolete, and moving it to a new platform without losses had become practically impossible. Storing mail in a database, on the other hand, gives huge advantages for upgrades, for access to the information, and for recovery. In my case the database lives on a separate host, which makes it much easier to maintain, and all of the mail system's own configuration files can easily be reproduced on a new host if the mail server ever needs to be built again from scratch.

==1. dbmail installation procedure==

  • System: Debian Stretch {9}
  • The sources.list used:
# 
deb http://mirror.mephi.ru/debian/ stretch main
deb-src http://mirror.mephi.ru/debian/ stretch main

deb http://security.debian.org/debian-security stretch/updates main
deb-src http://security.debian.org/debian-security stretch/updates main 

# stretch-updates, previously known as 'volatile'
deb http://mirror.mephi.ru/debian/ stretch-updates main
deb-src http://mirror.mephi.ru/debian/ stretch-updates main

###### Debian Main Repos
deb http://deb.debian.org/debian/ stable main contrib non-free
deb-src http://deb.debian.org/debian/ stable main contrib non-free

deb http://deb.debian.org/debian/ stable-updates main contrib non-free
deb-src http://deb.debian.org/debian/ stable-updates main contrib non-free

deb http://deb.debian.org/debian-security stable/updates main contrib non-free
deb-src http://deb.debian.org/debian-security stable/updates main contrib non-free

deb http://ftp.debian.org/debian stretch-backports main contrib non-free
deb-src http://ftp.debian.org/debian stretch-backports main contrib non-free

===1.1 Install the required packages:===

apt-get install pkg-config libglib2.0-dev libgmime-2.6-dev libmhash-dev libevent-dev libssl-dev libzdb-dev \
autoconf automake libtool autotools-dev dpkg-dev fakeroot debhelper dh-make libldap2-dev libsieve2-dev asciidoc \
libcrypto++6 libcrypto++-utils libcrypto++-dev xmlto xmltoman libarchive-tools lrzip binutils-multiarch \
arch-test libpgf-dev libsasl2-modules-db libsasl2-modules curl libcroco3 libsasl2-2 procmail libsasl2-modules-sql \
libpcre32-3 zlib1g-dev libpcrecpp0v5

===1.2 Download the sources from dbmail.org:===

wget -c -t 0 -T 8 http://www.dbmail.org/download/3.1/dbmail-3.1.17.tar.gz

===1.3 Unpack and compile:===

cp dbmail-3.1.17.tar.gz /usr/local/src
cd /usr/local/src
tar -xf dbmail-3.1.17.tar.gz        # unpacks into /usr/local/src/dbmail-3.1.7, see the notes below
cp dbmail-3.1.17.tar.gz dbmail_3.1.7.orig.tar.gz
  • [!] - I don't know, maybe it just turned out this way for me, but when you apply the commits, the version that shows up is exactly 3.1.7!!
  • [!] - that is why everything we unpack and create here carries version 3.1.7 ...

Prepare the package for building:

cd /usr/local/src/dbmail-3.1.7
./configure --prefix=/usr
 
dpkg-source --commit

give it a name, something like: pgsql.commit
exit with ESC
it should look like this:

...
dpkg-source: инфо: локальные изменения были записаны в новую заплату: dbmail-3.1.7/debian/patches/pgsql.commit

next:

cd /usr/local/src/
dpkg-source -b dbmail-3.1.7
cd /usr/local/src/dbmail-3.1.7
dpkg-buildpackage -d
  • [!] - if you get a message like this:
...
debian/rules:138: *** missing separator (did you mean TAB instead of 8 spaces?).  Останов.
dpkg-buildpackage: ошибка: debian/rules clean возвратил код ошибки 2
  • [!] - then the error must be fixed in the file dbmail-3.1.7/debian/rules
line 138:
........make -f debian/rules binary-common $* DH_OPTIONS=-p$*
     ^^^
   there are 8 spaces here!! - but there should be 2 tabs, and that is what causes the error...
  • once the package has been built, it should look like this:
# ls -n /usr/local/src
итого 3668
drwxrwxr-x 13 0  0    4096 ноя  2 00:19 dbmail-3.1.7
-rw-r--r--  1 0 50    7597 ноя  2 00:19 dbmail_3.1.7-1_amd64.buildinfo
-rw-r--r--  1 0 50    1957 ноя  2 00:19 dbmail_3.1.7-1_amd64.changes
-rw-r--r--  1 0 50  349256 ноя  2 00:19 dbmail_3.1.7-1_amd64.deb
-rw-r--r--  1 0 50  148008 ноя  2 00:14 dbmail_3.1.7-1.debian.tar.xz
-rw-r--r--  1 0 50    1045 ноя  2 00:14 dbmail_3.1.7-1.dsc
-rw-r--r--  1 0  0 2391054 июл 27  2014 dbmail_3.1.7.orig.tar.gz
-rw-r--r--  1 0 50  838508 ноя  2 00:19 dbmail-dbgsym_3.1.7-1_amd64.deb
  • copy it to your own archive and install the package.
dpkg -i dbmail_3.1.7-1_amd64.deb
  • edit the configuration file:
editor /etc/dbmail/dbmail.conf
  • example of a working configuration file:
# (c) 2000-2006 IC&S, The Netherlands 
#
# Configuration file for DBMAIL 

[DBMAIL] 
# 
# Database settings
#
# database connection URI

#dburi                = sqlite:///var/tmp/dbmail.db

# 
# Supported drivers are sql, ldap.
#
authdriver           = sql

# 
# 
# following fields are now DEPRECATED!
driver               = postgresql
host                 = 10.0.5.2
sqlport              = 5432
#sqlsocket            =              
user                 = dbmail
pass                 = dbmailpass
db                   = mailbasename

#
# Number of database connections per threaded daemon
# This also determines the size of the worker threadpool
#
# Do NOT increase this without proper consideration. A
# very large database/worker pool will not only increase
# the connection pressure on the database, but will more
# significantly cause unnecessary context-switching in 
# your CPUs.
#
#max_db_connections   = 10

# 
# Table prefix. Defaults to "dbmail_" if not specified.
#
table_prefix         = dbmail_   

# 
# encoding must match the database/table encoding.
# i.e. latin1, utf8
encoding             = utf8

#
# messages with unknown encoding will be assumed to have 
# default_msg_encoding
# i.e. iso8859-1, utf8
default_msg_encoding = utf8

# 
# Postmaster's email address for use in bounce messages.
#
#postmaster           = DBMAIL-MAILER       

# 
# Sendmail executable for forwards, replies, notifies, vacations.
# You may use pipes (|) in this command, for example:
# dos2unix|/usr/sbin/sendmail  works well with Qmail.
# You may use quotes (") for executables with unusual names.
#
sendmail              = /usr/sbin/sendmail     

#
#
# The following items can be overridden in the service-specific sections.
#
#

#
# Logging via stderr/log file and syslog
#
# Logging is broken up into 8 logging levels and each level can be individually turned on or off.
# The Stderr/log file logs all entries to stderr or the log file.
# Syslog logging uses the facility mail and the logging level of the event for logging.
# Syslog can then be configured to log data according to the levels.
#
# Set the log level to the sum of the values next to the levels you want to record.
#   1 = Emergency 
#   2 = Alert
#   4 = Critical
#   8 = Error
#  16 = Warning
#  32 = Notice
#  64 = Info
# 128 = Debug
# 256 = Database -> Logs at debug level
#
# Examples:   0 = Nothing
#            31 = Emergency + Alert + Critical + Error + Warning
#           511 = Everything
#
file_logging_levels       = 7
#
syslog_logging_levels     = 31

#
# Generate a log entry for database queries for the log level at number of seconds of query execution time.
#
query_time_info       = 10
query_time_notice     = 20
query_time_warning    = 30

#
# Throw an exception if the query takes longer than query_timeout seconds
query_timeout         = 300 

# 
# Root privs are used to open a port, then privs
# are dropped down to the user/group specified here.
#
effective_user        = dbmail
effective_group       = mail

# 
# The IPv4 and/or IPv6 addresses the services will bind to.
# Use * for all local interfaces.
# Use 127.0.0.1 for localhost only.
# Separate multiple entries with spaces ( ) or commas (,).
#
bindip                = 0.0.0.0         # IPv4 only - all IP's
#bindip                = ::             # IPv4 and IPv6 - all IP's (linux)
#bindip                = ::             # IPv6 only - all IP's (BSD)
#bindip                = 0.0.0.0,::     # IPv4 and IPv6 - all IP's (BSD)


#
# The maximum length of the queue of pending connections. See
# listen(2) for more information
#
# backlog              = 128

# 
# Idle time allowed before a connection is shut off.
#
timeout               = 300             

# 
# Idle time allowed before a connection is shut off if you have not logged in yet.
#
login_timeout         = 60

# 
# If yes, resolves IP addresses to DNS names when logging.
#
resolve_ip            = yes

#
# If yes, keep statistics in the authlog table for connecting users
#
authlog               = no

# 
# logfile for stdout messages
#
logfile               = /var/log/dbmail.log        

# 
# logfile for stderr messages
#
errorlog              = /var/log/dbmail.err        

# 
# directory for storing PID files
#
pid_directory         = /var/run/dbmail

#
# directory for locating libraries (normally has a sane default compiled-in)
#
library_directory       = /usr/lib/dbmail

#
# SSL/TLS certificates
#
# A file containing a list of CAs in PEM format
tls_cafile            =

# A file containing a PEM format certificate
tls_cert              =

# A file containing a PEM format RSA or DSA key
tls_key               =

# A cipher list string in the format given in ciphers(1)
tls_ciphers           =


# hashing algorithm. You can select your favorite hash type
# for generating unique ids for message parts. 
#
# for valid values check mhash(3) but minus the MHASH_ prefix.
#  
# if you ever change this value run 'dbmail-util --rehash' to 
# update the hash for all mimeparts.
#
# examples: MD5, SHA1, SHA256, SHA512, TIGER, WHIRLPOOL
#
# hash_algorithm = SHA1


# header_cache tuning
#
# set header_cache_readonly to 'yes' to prevent new
# unknown header-names from being cached.
#
# header_cache_readonly = yes



[LMTP]
bindip = 127.0.0.1
port                  = 24                 
#tls_port              =


[POP]
port                  = 110
#tls_port              = 995

# You can set an alternate banner to display when connecting to the service
# banner = DBMAIL pop3 server ready to rock

# 
# If yes, allows SMTP access from the host IP connecting by POP3.
# This requires additional configuration of your MTA
#
pop_before_smtp       = no      

[HTTP]
port                  = 41380
#
# the httpd daemon provides full access to all users, mailboxes
# and messages. Be very careful with this one!
bindip                = 127.0.0.1
admin                 = admin:secret

[IMAP]
# You can set an alternate banner to display when connecting to the service
# banner = imap 4r1 server (dbmail 2.3.x)

# 
# Port to bind to.
#
port                  = 143                
##tls_port              = 993

# 
# IMAP prefers a longer timeout than other services.
#
timeout               = 4000            

# 
# If yes, allows SMTP access from the host IP connecting by IMAP.
# This requires additional configuration of your MTA
#
imap_before_smtp      = no

#
# during IDLE, how many seconds between checking the mailbox
# status (default: 30)
#
# idle_timeout          = 30

# during IDLE, how often should the server send an '* OK' still
# here message (default: 10)
#
# the time between such a message is idle_timeout * idle_interval
# seconds
#
# idle_interval         = 10

#
# If TLS is enabled, login before starttls is normally
# not allowed. Use login_disabled=no to change this
#
# login_disabled        = yes

#
# Provide a CAPABILITY to override the default
#
# capability   = IMAP4 IMAP4rev1 AUTH=LOGIN ACL RIGHTS=texk NAMESPACE CHILDREN SORT QUOTA THREAD=ORDEREDSUBJECT UNSELECT IDLE

# max message size. You can specify the maximum message size
# accepted by the IMAP daemon during APPEND commands.
#
# Supported formats:
#  decimal: 1000000    
#  octal:   03777777
#  hex:     0xfffff
#
# max_message_size      =


[SIEVE]
# 
# Port to bind to.
#
port                  = 2000               
tls_port              =


[LDAP]
port                  = 389
version               = 3
hostname              = ldap
base_dn               = ou=People,dc=mydomain,dc=com

# 
# If your LDAP library supports ldap_initialize(), then you can use the
# alternative LDAP server DSN like following.
#
# URI                = ldap://127.0.0.1:389
# URI                = ldapi://%2fvar%2frun%2fopenldap%2fldapi/

# 
# Leave blank for anonymous bind.
# example: cn=admin,dc=mydomain,dc=com     
#
bind_dn               = 

# 
# Leave blank for anonymous bind.
#
bind_pw               = 
scope                 = SubTree

# AD users may want to set this to 'no' to disable
# ldap referrals if you are seeing 'Operations errors' 
# in your logs
#
referrals             = yes

user_objectclass      = top,account,dbmailUser
forw_objectclass      = top,account,dbmailForwardingAddress
cn_string             = uid
field_passwd          = userPassword
field_uid             = uid
field_nid             = uidNumber
min_nid               = 10000
max_nid               = 15000
field_cid             = gidNumber
min_cid               = 10000
max_cid               = 15000

# a comma-separated list of attributes to match when searching
# for users or forwards that match a delivery address. A match
# on any of them is a hit.
field_mail            = mail

# field that holds the mail-quota size for a user.
field_quota           = mailQuota

# field that holds the forwarding address. 
field_fwdtarget       = mailForwardingAddress

# override the query string used to search for users 
# or forwards with a delivery address.
# query_string          = (mail=%s)

[DELIVERY]
# 
# Run Sieve scripts as messages are delivered.
#
SIEVE                 = yes               

# 
# Use 'user+mailbox@domain' format to deliver to a mailbox.
#
SUBADDRESS            = yes          

# 
# Turn on/off the Sieve Vacation extension.
#
SIEVE_VACATION        = yes      

# 
# Turn on/off the Sieve Notify extension
#
SIEVE_NOTIFY          = yes

# 
# Turn on/off additional Sieve debugging.
#
SIEVE_DEBUG           = no          


# Use the auto_notify table to send email notifications.
#
AUTO_NOTIFY           = no
 
# 
# Use the auto_reply table to send away messages.
#
AUTO_REPLY            = no

# 
# Defaults to "NEW MAIL NOTIFICATION"
#
#AUTO_NOTIFY_SUBJECT        =    

# 
# Defaults to POSTMASTER from the DBMAIL section.
#
#AUTO_NOTIFY_SENDER        =   


# If you set this to 'yes' dbmail will check for duplicate
# messages in the relevant mailbox during delivery using 
# the Message-ID header
#
suppress_duplicates     = no

#
# Soft or hard bounce on over-quota delivery
#
quota_failure           = hard


# end of configuration file

  • edit the defaults file - /etc/default/dbmail
# debian specific configuration for dbmail

# work-around for linux/epoll bug in libevent
export EVENT_NOEPOLL=yes

# comment out to disable the pop3 server
START_POP3D=true

# comment out to disable the imapd server
START_IMAPD=true

# uncomment to enable the lmtpd server
START_LMTPD=true

# uncomment to enable the timsieved server
#START_SIEVE=true

# comment out to enable the stunnel SSL wrapper
START_SSL=true

# specify the filename for the pem file as 
# it resides in /etc/ssl/certs
PEMFILE="/etc/ssl/certs/dbmail.pem"
  • create a certificate for dbmail:
cd /etc/ssl/certs
openssl req -new -x509 -nodes -out dbmail.pem -keyout smtpd.pem -days 3650
  • restart the service:
systemctl restart dbmail
  • A brief explanation - DBMail's daemons fall into two groups:
1. Those that deliver messages from the MTA into the store.
2. Those that deliver messages from the store to the MUA.
  • The first group includes:

dbmail-lmtpd - a UNIX daemon that accepts client connections over a UNIX socket or a TCP socket. Mail is received over the LMTP protocol. For every incoming message the MTA only opens a client socket; the required number of processes and database connections is created in advance.
This variant therefore gives the best performance under high load, but under low load it consumes more system resources than necessary.

  • The second group includes:

dbmail-pop3d - the daemon for POP3 access.
dbmail-imapd - the daemon for IMAP access.

  • In addition, DBMail ships the following helper utilities:

dbmail-users - the tool for managing users and their aliases.
dbmail-util - the tool for cleaning, optimising and checking the integrity of the database.

  • That completes the dbmail installation; the next step is installing PostgreSQL and configuring it for the work ahead.


2. Configuring PostgreSQL

2.1. Once PostgreSQL itself is set up, create the dbmail user and the dbmail database

  • Create the user that will work with the mail database
createuser -U postgres -P dbmail
  • [!] - Never use special characters in the password other than #! (authentication may fail)
  • Create the database
createdb -U postgres --owner dbmail dbmail
  • dbmail ships with a ready-made schema; unpack and load it:
bunzip2 /usr/share/doc/dbmail-2.2.10/create_tables.pgsql.bz2
psql -U dbmail -d dbmail < /usr/share/doc/dbmail-2.2.10/create_tables.pgsql

or like this:

zcat /usr/share/doc/dbmail/examples/create_tables.pgsql.gz|psql -h 127.0.0.1 dbmail dbmailadmin

or like this:

psql -U dbmail -h localhost maildb < create_tables.pgsql


  • This dump has no table for virtual domains, so create it:
CREATE TYPE dtype AS ENUM (
    'LOCAL',
    'VIRTUAL',
    'RELAY'
);

ALTER TYPE public.dtype OWNER TO dbmail;

SET default_with_oids = true;

CREATE TABLE dbmail_domains (
    uid integer NOT NULL,
    domain character varying(128) NOT NULL,
    type dtype NOT NULL
);

INSERT INTO dbmail_domains (uid, domain, type) VALUES (1, 'example.com', 'LOCAL');

The database is ready.

  • add database maintenance to /etc/crontab
...
0 3 * * * root /usr/sbin/dbmail-util -cturpd -l 24h -qq
...
  • check that dbmail can work with the database:
dbmail-util -av

if there are errors, fix them, not forgetting to check the configuration file...
.. if everything is OK, move on to configuring postfix

3. Configuring Postfix

apt-get install postfix postfix-pgsql postfix-sqlite procmail libsasl2-2 libsasl2-modules libsasl2-modules-db \
libsasl2-modules-sql sqlite3 mutt postfix-pcre postfix-ldap postfix-lmdb sasl2-bin ufw
  • make the necessary changes to the configuration files - example of a working main.cf:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
#smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
#smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_cert_file=/etc/postfix/ssl/smtpd.pem
smtpd_tls_key_file=/etc/postfix/ssl/smtpd.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mymail.home.local
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, mymail.ru, mymail.home.local, localhost.home.local, localhost
relayhost = 
#mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
######################### the second IP is the host where the PostgreSQL database lives
mynetworks = 127.0.0.0/8 10.0.5.2
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
############################## - specify how PostgreSQL is used
local_recipient_maps = pgsql:/etc/postfix/dbmail-mailboxes.cf $alias_maps
mailbox_transport = dbmail-lmtp:127.0.0.1:24

#################### - enable SASL authentication; its setup is described later in the article.
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = 
############################### - enable our certificate, created as described later.
smtpd_tls_auth_only = no
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom


  • make the necessary changes to the configuration files - example of a working master.cf:
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       y       -       -       smtpd
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
#submission inet n       -       y       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       y       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       y       -       -       qmqpd
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
######
dbmail-lmtp     unix    -       -       n       -       -       lmtp
        -o disable_dns_lookups=yes

  • create the PostgreSQL connection settings file - dbmail-mailboxes.cf:
user = dbmail
password = userpass
hosts = 10.0.5.2
dbname = mailbasename
table = dbmail_aliases
select_field = alias
where_field = alias
  • Since the mail server is not intended to act as a relay, SMTP access is allowed only with authentication, and SASL is used for that.
  • create the SASL settings directory inside the postfix configuration directory:
mkdir -p /etc/postfix/sasl
  • create the configuration file - smtpd.conf:
echo > /etc/postfix/sasl/smtpd.conf
  • put in the following content:
edit /etc/postfix/sasl/smtpd.conf
pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: digest-md5 cram-md5 login plain
sql_engine: pgsql
sql_user: dbmail
sql_passwd: userpass
sql_hostnames: 10.0.5.2
sql_database: mailbasename
sql_statement: select passwd from dbmail_users where userid='%u@%r'
sql_verbose: yes
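Both dbmail-mailboxes.cf and sasl/smtpd.conf above carry the database password in clear text, and the PEM files created in this article carry private keys. The following script is an added example, not part of the original article, that checks none of those files is readable by "other"; the Postfix PGSQL_README asks for the map file to be readable by root and the postfix group only (mode 640, owner root, group postfix). The file list is taken from this article; /etc/dbmail/dbmail.conf is the Debian package's location and is an assumption here.

```shell
#!/bin/sh
# Added example (not from the original article): verify that credential-
# bearing files of this mail setup are not world-readable.
# Uses GNU stat from coreutils (present on Debian).

# check_secret_perms FILE
#   returns 0 if FILE exists and its "other" permission bits are all zero,
#   1 otherwise; prints a one-line verdict either way.
check_secret_perms() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "MISSING        $f"
        return 1
    fi
    mode=$(stat -c '%a' "$f")            # e.g. 640, 600, 4640
    case "$mode" in
        *0) echo "ok             $f (mode $mode, owner $(stat -c '%U:%G' "$f"))"
            return 0 ;;
        *)  echo "WORLD-READABLE $f (mode $mode); fix with: chmod o= $f"
            return 1 ;;
    esac
}

# check_mail_secrets [FILE...]
#   runs the check over the files of this article (or the ones given);
#   exit status is non-zero if any of them is exposed or missing.
check_mail_secrets() {
    [ $# -gt 0 ] || set -- \
        /etc/postfix/dbmail-mailboxes.cf \
        /etc/postfix/sasl/smtpd.conf \
        /etc/dbmail/dbmail.conf \
        /etc/postfix/ssl/smtpd.key \
        /etc/ssl/certs/dbmail.pem \
        /etc/ssl/certs/servername.mymail.ru.pem
    rc=0
    for f in "$@"; do
        check_secret_perms "$f" || rc=1
    done
    return $rc
}

# usage: sh check_secrets.sh --run            (the article's files)
#        sh check_secrets.sh --run /some/file (specific files)
if [ "${1:-}" = "--run" ]; then
    shift
    check_mail_secrets "$@"
fi
```

Run it after creating the files and again after any package upgrade; a 644 created by a careless `echo >` is exactly what the first check of the list catches.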
  • generate our own TLS certificate:
mkdir -p /etc/postfix/ssl
cd /etc/postfix/ssl
openssl req -new -x509 -days 3650 -nodes -out smtpd.pem -keyout smtpd.key
  • restart postfix:
systemctl restart postfix

or

/etc/init.d/postfix restart
  • check that postfix works:
# telnet mymail.ru 25
Trying mymail.ru...
Connected to mymail.ru.
Escape character is '^]'.
220 mx.kscom.ru ESMTP Postfix
EHLO example.com
250-mx.kscom.ru
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
QUIT
221 2.0.0 Bye
Connection closed by foreign host.

- there must be a 250-STARTTLS line - everything works..
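The telnet session above only checks by eye. The script below is an added example, not part of the original article, that parses an EHLO reply and checks two things: that STARTTLS is advertised, and that AUTH is not advertised on the still-unencrypted session. The second point matters because the main.cf above sets smtpd_tls_auth_only = no, so a client may send a PLAIN or LOGIN password before STARTTLS; Postfix's smtpd_tls_auth_only = yes makes it announce AUTH only after TLS is up. The hostname check.example and the use of nc (netcat-openbsd on Debian) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): check an SMTP server's EHLO
# capabilities for STARTTLS and for AUTH offered in clear.

# check_ehlo_caps
#   reads SMTP reply lines on stdin ("250-CAP" or "250 CAP", CRLF or LF)
#   returns 0 when STARTTLS is offered and AUTH is not, 1 otherwise
check_ehlo_caps() {
    cr=$(printf '\r')
    starttls=0
    auth=''
    while IFS= read -r line; do
        line=${line%"$cr"}                   # strip CR from CRLF lines
        case "$line" in
            250?*) cap=${line#250?} ;;       # drop the "250-" / "250 " prefix
            *)     continue ;;               # banner, 221 Bye, etc.
        esac
        case "$cap" in
            STARTTLS) starttls=1 ;;
            "AUTH "*) auth=${cap#"AUTH "} ;; # mechanisms offered in clear
        esac
    done
    rc=0
    if [ "$starttls" -eq 1 ]; then
        echo "ok   STARTTLS advertised"
    else
        echo "FAIL STARTTLS not advertised (check smtpd_use_tls and the cert/key paths)"
        rc=1
    fi
    if [ -n "$auth" ]; then
        echo "FAIL AUTH ($auth) offered before STARTTLS; set smtpd_tls_auth_only = yes"
        rc=1
    else
        echo "ok   no AUTH on the cleartext session"
    fi
    return $rc
}

# smtp_ehlo_probe HOST [PORT]
#   talks to a live server (assumes nc; -w 5 bounds the wait in seconds)
#   and feeds the reply to check_ehlo_caps
smtp_ehlo_probe() {
    printf 'EHLO check.example\r\nQUIT\r\n' | nc -w 5 "$1" "${2:-25}" | check_ehlo_caps
}

# usage: sh ehlo_check.sh mymail.ru [25]
if [ $# -gt 0 ]; then
    smtp_ehlo_probe "$@"
fi
```

To confirm that the handshake itself succeeds, and to see which certificate is served, follow up with `openssl s_client -starttls smtp -connect mymail.ru:25`.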

4. Configuring Stunnel

  • This package lets you set up an encrypted connection for mail as well as for other programs.
  • What follows describes how to create an encrypted entry point to the mail server.
  • Install the package:
apt-get install stunnel4
  • in /etc/stunnel - create a certificate generation script right away, so that if it is needed again you don't have to remember how it's done...
echo > /etc/stunnel/create-sert
editor /etc/stunnel/create-sert
  • put in the following content:
#!/bin/sh
# the system's SSL certificate directory
cd /etc/ssl/certs
# certificate name, at your discretion...
PEMFILE="servername.mymail.ru.pem"
# generate the certificate; when -out and -keyout name the same file,
# openssl req appends the certificate after the private key
openssl req -new -x509 -nodes -days 3650 -out $PEMFILE -keyout $PEMFILE
chmod 600 $PEMFILE
[ -e temp_file ] && rm -f temp_file
dd if=/dev/urandom of=temp_file count=2
# DH parameters are appended to the same file; note that 512-bit DH is
# rejected by current TLS clients, 2048 bits is the usual minimum today
openssl dhparam -rand temp_file 512 >> $PEMFILE
ln -sf $PEMFILE `openssl x509 -noout -hash < $PEMFILE`.0
 
  • make it executable - for root only:
chmod 0700 /etc/stunnel/create-sert
  • run the script and answer the questions..
/etc/stunnel/create-sert
  • create the directory that will hold the .pid file
mkdir -p /var/run/stunnel4/
  • copy the sample to serve as the future stunnel4 configuration file
cp /usr/share/doc/stunnel4/examples/stunnel.conf-sample /etc/stunnel/stunnel.conf
  • bring it to this form (working example):
; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2015
; Some options used here may be inadequate for your particular configuration
; This sample file does *not* represent stunnel.conf defaults
; Please consult the manual for detailed description of available options

; **************************************************************************
; * Global options                                                         *
; **************************************************************************

; It is recommended to drop root privileges if stunnel is started by root
;setuid = stunnel4
;setgid = stunnel4

; PID file is created inside the chroot jail (if enabled)
pid = /var/run/stunnel4/stunnel.pid

; Debugging stuff (may be useful for troubleshooting)
;foreground = yes
;debug = info
output = /var/log/stunnel.log

; Enable FIPS 140-2 mode if needed for compliance
;fips = yes
fips = no
; **************************************************************************
; * Service defaults may also be specified in individual service sections  *
; **************************************************************************

; Enable support for the insecure SSLv3 protocol
options = -NO_SSLv3
sslVersion = TLSv1.2

; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE

; **************************************************************************
; * Include all configuration file fragments from the specified folder     *
; **************************************************************************

;include = /etc/stunnel/conf.d

; **************************************************************************
; * Service definitions (remove all services for inetd mode)               *
; **************************************************************************

; ***************************************** Example TLS client mode services

; The following examples use /etc/ssl/certs, which is the common location
; of a hashed directory containing trusted CA certificates.  This is not
; a hardcoded path of the stunnel package, as it is not related to the
; stunnel configuration in /etc/stunnel/.

;[mymail-pop3]
;client = yes
;accept = 127.0.0.1:110
;connect = pop3.mymail.ru:995
;verifyChain = yes
;CApath = @sysconfdir/ssl/certs
;checkHost = pop3s.mymail.ru
;OCSPaia = yes

;[mymail-imap]
;client = yes
;accept = 127.0.0.1:143
;connect = imap.mymail.ru:993
;verifyChain = yes
;CApath = @sysconfdir/ssl/certs
;checkHost = imaps.mymail.ru
;OCSPaia = yes

;[mymail-smtp]
;client = yes
;accept = 127.0.0.1:25
;connect = smtp.mymail.ru:465
;verifyChain = yes
;CApath = @sysconfdir/ssl/certs
;checkHost = smtps.mymail.ru
;OCSPaia = yes

; ***************************************** Example TLS server mode services

[pop3s]
accept  = 995
connect = 110
cert = /etc/ssl/certs/servername.mymail.ru.pem

[imaps]
accept  = 993
connect = 143
cert = /etc/ssl/certs/servername.mymail.ru.pem

[smtps]
accept  = 465
connect = 25
cert = /etc/ssl/certs/servername.mymail.ru.pem

; TLS front-end to a web server
;[https]
;accept  = 443
;connect = 80
;cert = /etc/stunnel/stunnel.pem
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
; Microsoft implementations do not use TLS close-notify alert and thus they
; are vulnerable to truncation attacks
;TIMEOUTclose = 0

; Remote shell protected with PSK-authenticated TLS
; Create "/etc/stunnel/secrets.txt" containing IDENTITY:KEY pairs
;[shell]
;accept = 1337
;exec = /bin/sh
;execArgs = sh -i
;ciphers = PSK
;PSKsecrets = /etc/stunnel/secrets.txt

; Non-standard MySQL-over-TLS encapsulation connecting the Unix socket
;[mysql]
;cert = /etc/stunnel/stunnel.pem
;accept = 3307
;connect = /run/mysqld/mysqld.sock

; vim:ft=dosini
  • adjust the default startup configuration file:
# /etc/default/stunnel
# Julien LEMOINE <speedblue@debian.org>
# September 2003

# Change to one to enable stunnel automatic startup
ENABLED=1
FILES="/etc/stunnel/*.conf"
OPTIONS=""

# Change to one to enable ppp restart scripts
PPP_RESTART=0

# Change to enable the setting of limits on the stunnel instances
# For example, to set a large limit on file descriptors (to enable
# more simultaneous client connections), set RLIMITS="-n 4096"
# More than one resource limit may be modified at the same time,
# e.g. RLIMITS="-n 4096 -d unlimited"
RLIMITS=""
  • restart stunnel
/etc/init.d/stunnel4 restart
  • after that, check that the ports we need are present:
nmap -v mymail.ru
...
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
110/tcp open  pop3
143/tcp open  imap
465/tcp open  smtps
993/tcp open  imaps
995/tcp open  pop3s 
  • check mail access over SSL/TLS - the password travels encrypted on ports 465, 993 and 995
  • if all is well, I recommend closing the plain ports (110, 143) with iptables,
  • and leaving only 25 open (some servers require exactly that port in order to deliver mail to you)
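The recommendation above has one trap: stunnel's `connect = 110` and `connect = 143` go to the local POP3/IMAP daemons over loopback, so a rule that drops 110/143 must come after a rule that accepts loopback traffic, or the wrapped ports stop working too. The script below is an added example, not part of the original article, that generates an iptables-restore rule set in that order for the ports seen in the nmap output (22 is kept on the assumption that the box is managed over SSH) and can self-check the ordering without touching the kernel.

```shell
#!/bin/sh
# Added example (not from the original article): iptables rule set that keeps
# SMTP and the stunnel-wrapped ports reachable and hides plaintext POP3/IMAP.

# mail_fw_rules [PORT...]
#   prints an iptables-restore rule set for the filter table on stdout;
#   PORT... are the TCP ports to accept from the network (default: the
#   public ports of this article plus SSH)
mail_fw_rules() {
    if [ $# -gt 0 ]; then public_tcp=$*; else public_tcp="22 25 465 993 995"; fi
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# stunnel forwards 995->110 and 993->143 over loopback, so loopback is
# accepted before anything that drops 110/143
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
EOF
    for p in $public_tcp; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # the INPUT policy is DROP anyway; explicit rules make the intent visible
    # in `iptables -L -n` and survive someone later changing the policy
    printf '%s\n' "-A INPUT -p tcp --dport 110 -j DROP"
    printf '%s\n' "-A INPUT -p tcp --dport 143 -j DROP"
    printf 'COMMIT\n'
}

# mail_fw_check [PORT...]
#   sanity check on the generated text: the loopback accept must precede
#   the drop for 110, otherwise stunnel's pop3s/imaps forwarding breaks
mail_fw_check() {
    rules=$(mail_fw_rules "$@")
    lo=$(printf '%s\n' "$rules" | grep -n -- '-i lo -j ACCEPT' | cut -d: -f1)
    drop=$(printf '%s\n' "$rules" | grep -n -- '--dport 110 -j DROP' | cut -d: -f1)
    [ -n "$lo" ] && [ -n "$drop" ] && [ "$lo" -lt "$drop" ]
}

# mail_fw_apply [PORT...]
#   loads the rule set atomically (root only); run mail_fw_check first
mail_fw_apply() {
    mail_fw_check "$@" && mail_fw_rules "$@" | iptables-restore
}

# usage: sh mail_fw.sh --show      (print the rules)
#        sh mail_fw.sh --apply     (load them, as root)
case "${1:-}" in
    --show)  mail_fw_rules ;;
    --apply) mail_fw_apply ;;
esac
```

Since main.cf has `inet_protocols = all`, the same rule set needs loading through ip6tables-restore as well, and on Debian 9 the iptables-persistent package is the usual way to keep both across reboots.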

5. Installing the Spamassassin anti-spam filter

  • install the package:
aptitude install spamassassin
  • default startup in /etc/default/spamassassin
...
ENABLED=1
...
  • Bring the anti-spam configuration file /etc/spamassassin/local.cf to this:
# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
# Only a small subset of options are listed below
#
###########################################################################

#   Add *****SPAM***** to the Subject header of spam e-mails
#
rewrite_header Subject *****SPAM*****


#   Save spam messages as a message/rfc822 MIME attachment instead of
#   modifying the original message (0: off, 2: use text/plain instead)
#
report_safe 0


#   Set which networks or hosts are considered 'trusted' by your mail
#   server (i.e. not spammers)
#
# trusted_networks 212.17.35.
trusted_networks 10.0.5.


#   Set file-locking method (flock is not safe over NFS, but is faster)
#
# lock_method flock


#   Set the threshold at which a message is considered spam (default: 5.0)
#
required_score 5.0


#   Use Bayesian classifier (default: 1)
#
use_bayes 1


#   Bayesian classifier auto-learning (default: 1)
#
bayes_auto_learn 1


#   Set headers which may provide inappropriate cues to the Bayesian
#   classifier
#
bayes_ignore_header X-Bogosity
bayes_ignore_header X-Spam-Flag
bayes_ignore_header X-Spam-Status


#   Whether to decode non- UTF-8 and non-ASCII textual parts and recode
#   them to UTF-8 before the text is given over to rules processing.
#
# normalize_charset 1

#   Some shortcircuiting, if the plugin is enabled
# 
ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
#
#   default: strongly-whitelisted mails are *really* whitelisted now, if the
#   shortcircuiting plugin is active, causing early exit to save CPU load.
#   Uncomment to turn this on
#
# shortcircuit USER_IN_WHITELIST       on
# shortcircuit USER_IN_DEF_WHITELIST   on
# shortcircuit USER_IN_ALL_SPAM_TO     on
# shortcircuit SUBJECT_IN_WHITELIST    on

#   the opposite; blacklisted mails can also save CPU
#
# shortcircuit USER_IN_BLACKLIST       on
# shortcircuit USER_IN_BLACKLIST_TO    on
# shortcircuit SUBJECT_IN_BLACKLIST    on

#   if you have taken the time to correctly specify your "trusted_networks",
#   this is another good way to save CPU
#
# shortcircuit ALL_TRUSTED             on

#   and a well-trained bayes DB can save running rules, too
#
# shortcircuit BAYES_99                spam
# shortcircuit BAYES_00                ham
#   whitelist_from takes a glob, so the pattern needs the leading "*";
#   note that From: is trivially forged, so this also whitelists spam that
#   spoofs your own domain - whitelist_from_rcvd (address plus the relay it
#   must arrive from) is the safer form
whitelist_from *@mymail.ru

endif # Mail::SpamAssassin::Plugin::Shortcircuit

  • Start spamassassin:
/etc/init.d/spamassassin start 
  • Edit the postfix file /etc/postfix/master.cf

- The line:

..
smtp      inet  n       -       -       -       -       smtpd
..

- Replace with:

..
smtp      inet  n       -       -       -       -       smtpd -o content_filter=spamassassin
..

- Before:

..
dbmail-lmtp     unix    -       -       n       -       -       lmtp
        -o disable_dns_lookups=yes
..

- Add:

..
spamassassin unix   -   n   n   -   -   pipe
  user=debian-spamd argv=/usr/bin/spamc -s 5120000 -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
..
  • Restart postfix:
/etc/init.d/postfix restart
  • Check that mail works; everything should be working...



Sources: