Postfix 电子邮件系统精要(二)
时间:2009-04-21 来源:gron
◆Corurier-imap安装配置
Postfix只是实现邮件系统的smtp功能,pop3或imap则需要另外的软件来实现,这个软件就是courier-imap(当然也有别的软件可以选择)。
(1)安装courier-imap
(2)修改配置文件/usr/local/imap/etc/pop3d及/usr/local/imap/etc/imapd。把/usr/local/imap/etc/pop3d 文件的行"POP3DSTART=NO"改成"POP3DSTART=YES",再依照这个形式把文件 /usr/local/imap/etc/imapd的行"IMAPDSTART=NO"改成"IMAPDSTART=YES"即可。
(3)复制文件 courier-imap.sysvinit到目录/usr/local/imap/sbin,以便于启动imap的守护进程。
[root@mailserv2 courier-imap-4.1.3]# cp courier-imap.sysvinit /usr/local/imap/sbin/imapd
(4)测试imap服务。
[root@mailserv2 courier-imap-4.1.3]# /usr/local/imap/sbin/imapd start
Starting Courier-IMAP server: imap pop3 ◆安装courier-maildrop Maiidrop的作用是本地投递,即把收到的邮件移动到相应的用户目录。在前面配置postfix的时候,我们已经把与maildrop相关的东西写进文件/etc/postfix/master.cf了,因此这里就不再叙述。前面的步骤我们也提到过pcre 这个软件,它是安装maildrop所必须的,所以需要先安装这个软件(如果系统不存在这个软件的话)。
下面的命令简单验证maildrop
输出内容一定要有"Courier Authentication Library extension enabled"这一行。如果没有这个输出,那是非常不幸的事情了,返回去挨个排错吧。那么这个"Courier Authentication Library extension enabled"是怎么一回事呢?这表明maildrop已经和前面我们安装配置的SASL和courier-authlib紧密结合在一起了。
知道maildrop把邮件移动到哪个用户目录还是非常有必要的,这个操作就是maildrop的日志记录。这里我们创建一个新文件/etc/maildroprc,这个文件就2行内容:
我们来看一个正常运行的postfix邮件系统的maildrop日志,就会对maildrop有更清楚的认识。
上面的日志表明收到一封来自[email protected]的信,maildrop把邮件移动到目录/mail/mailbox/sery.com/magazine。
很可惜maidrop没有创建和删除邮件用户目录的能力,在配置postfixadmin时,我们提到需要使用2个shell脚本 /usr/sbin/maildirdel.sh及/usr/sbin/maildirmake.sh,这2个脚本的作用就是用来弥补maildrop不能创建/删除目录这个缺陷的。
这2个脚本由web调用,而web(apache)的执行用户为vmail,出于安全考虑,我们给vmail用户的权限非常有限,为了保证这2个 shell脚本能正常执行,需要使用sudo这个工具来完成这个任务。尽管可以使用vi这样的编辑器来修改/etc/sudoers这个配置文件,但还是不及visudo可靠,因为visudo可以对修改的内容做语法检查,如果更改不正确,保存文件是会给出提示。把行"vmail ALL = NOPASSWD: /usr/sbin/maildirmake.sh , /usr/sbin/maildirdel.sh"追加到文件末尾即可!
有的时候,在postfixadmin里创建新的邮件帐号,帐号倒是创建成功了,却并没有在指定的位置生成相应的虚拟用户目录,从网上收集的信息来看,这个问题似乎很普遍,我本人也被这个问题困扰过--以vmail 用户手动执行sudo /usr/sbin/maildirdel.sh就能创建目录,用web方式就是不行-实验多次才找出原因,原来是/etc/sudoers里需要把 "Defaults requiretty"这行注释掉。有人可能要问,你怎么知道要这样做呢?答:我是通过看apache日志知道要这样干的。
◆邮件病毒检查和垃圾邮件过滤
抗病毒使用软件是clamav,安装时一定要用当前的最新版本。垃圾邮件过滤可使用一个名为SpamAssassin的perl模块。通过采用amavisd-new这个容器,可以把clamav和SpamAssassin整合起来。
(1)安装配置clamav.
Clamav有2个配置文件,一个主配置文件/usr/local/clamav/etc/clamd.conf,一个病毒更新配置文件/usr/local/clamav/etc/ freshclam.conf。现把修改好的配置文件列于下面:
这2个文件有很多注释,我用sed把它过滤掉了。Clamd.conf中,有"User amavis"这样一行。为什么不用默认的用户clamav而使用amavis呢?这样做的目的是为了与amavis-new结合在一起。既然没有这个用户,就手动创建一个(useradd amavis)。接下来需要手动创建一些目录并赋予相应的权限,用来记录日志等用途;我把它作成一个shell脚本,直接执行即可,脚本的内容如下所示:
脚本执行成功后,再执行 [root@mailserv2 ~]# /usr/local/clamav/bin/freshclam 手动更新病毒库。
(2)安装和配置avamvis-new。解压包amavisd-new-2.5.2.tar.gz,然后把它移动到相关的位置。这里还是用一个脚本来做这个事情,脚本的内容如下:
执行完脚本后别忘记检查一下是否都按我们的意愿工作,如/usr/local/sbin目录是否有文件amavisd。
Amavisd的配置文件/etc/amavisd.conf比较复杂,需要修改的内容如下:
上述修改确认无误后,执行 [root@mailserv2 ~]# /usr/local/sbin/amavisd debug 测试amavis。一般而言,测试皆不能正常进行,因为所需要的很多perl模块很可能没有被安装。还好,报错信息给出了所需的模块。这时你需要到www.cpan.org下载相关的模块,然后安装;也可能遇到包依赖,再下载依赖的包,安装这个依赖,再反回来安装先前那个包,如此反复,很是烦人,极考验人的耐性。等到 /usr/local/sbin/amavisd debug 输出没有错误方才完成。有另外一种方法,即运行 [root@mailserv2 ~]# perl MCPAN -e shell ,然后执行 cpan> install Time::HiRes 这样的命令挨个安装缺少的perl模块。根据我的经验,这样干很耗时,并且有的模块用这种方法安装还不灵,所以还不如在网站下载模块安装有效。下面给出一个perl模块的安装实例:
修正:用cpan 加模块名(如 cpan Compress::Zlib),比较省事.
解决"Can't locate Crypt/OpenSSL/RSA.pm in @IN"报错的方法:cpan Crypt::OpenSSL::RSA即可.其它的perl模块可如法炮制.
◆Webmail安装配置
可供postfix选择的webmail不是很丰富,通过比较,我选择extmail作为postfix的webmail客户端工具,本来 extmail也包括像postfixadmin这样的web管理工具(extman),因为前面我们已经用了postfixadmin, 这里我只用extmail。
下载ExtMail-Solution-Linux-0.1.tar.gz后解压,然后把它移动到目录/var/www/extsuite/extmail。在apache的配置文件httpd.conf末尾追加下面的内容以便用户可以通过web方式访问extmail:
保存文件,重启apache服务即可在浏览器输入邮件服务器的url访问了。
如果少了相应的perl模块,web页面会给出提示,按照提示把perl模块安装上去就正常了。到这里,extmail的配置还没有完呢,至少还有 2个文件需要修改,这2个文件是webmail.cf和 /var/www/extsuite/extmail/html/default/index.html.前一个是extmail的配置文件,后一个是页面文件显示方式。
webmail.cf的内容:更改过的内容用斜体红色字体显示
在文件/var/www/extsuite/extmail/html/default/index.html 加入下面的标识,可以得到不同
邮件域的下拉列表,从而方便用户的使用。
到这里,postfix的安装配置算是完成了。我们来逐个检查这些服务的正确性,简单的方法就是启动每一个服务,根据服务的运行来掌握各个服务是否正常。为了方便所有服务随开机自动启动,我把它们都加在了文件/etc/rc.local里,这些内容包括:
病毒库和垃圾邮件的列表则放在crontab里:
待所有的服务都正常后,用postfixadmin创建邮件域和用户。创建完毕,通过查看postfix日志/var/log/maillog了解操作是否成功;同时通过查看目录/var/mailbox里是否生成与创建的邮件帐户同名的目录。
◆邮件系统的备份
在系统崩溃以后,没有提前备份将使你无限懊悔。一次没有成功的在线内核升级引起的系统崩溃(在我没来得及备份时发生),为恢复崩溃邮件系统,曾让我精疲力竭。所以做好备份是一个好主意。当然我们不能天天手动去执行这个备份任务,用脚本吧!下面是我的一个postfix的备份脚本,供大家参考:
这个脚本对postfix数据库和用户的邮件做了备份。因为磁盘空间始终是有限的,因此是一边备份一边删除就的备份。如果条件允许,建议进行异地备份。手动执行一下这个脚本,看它是否按我们的意愿工作了,如果一些如愿,则把它放入crontab里让它每晚自动进行。
◆系统加固及安全
1、内核优化:用脚本实现
2、防火墙策略:在配置postfix连接mysql数据库时,用户名postfix,密码postfix,类似的情形还有好几处呢。如果某人在别的机器用mysql客户端连接邮件服务器的mysql数据库,不费吹灰之力就可以把邮件帐号全删了,这肯定会激起用户的愤怒!赶快把这个漏洞堵上,下面是我的防火墙策略脚本:
|
[root@mailserv2 ~]# cd
[root@mailserv2 ~]# tar jxvf courier-imap-4.1.3.tar.bz2
[root@mailserv2 ~]# cd courier-imap-4.1.3
[[email protected]]#./configure --prefix=/usr/local/imap --with-redhat
--disable-root-check --enable-unicode=utf-8,iso-8859-1,gb2312,gbk,gb18030
--with-trashquota --with-dirsync --with-mysql-libs=/usr/local/mysql/lib/mysql --with-mysql-includes=/usr/local/mysql/include/mysql/ --with-authmysql --with-authmysql=yes
[root@mailserv2 courier-imap-4.1.3]# make
[root@mailserv2 courier-imap-4.1.3]# make install
[root@mailserv2 courier-imap-4.1.3]# make install-configure
|
Starting Courier-IMAP server: imap pop3 ◆安装courier-maildrop Maiidrop的作用是本地投递,即把收到的邮件移动到相应的用户目录。在前面配置postfix的时候,我们已经把与maildrop相关的东西写进文件/etc/postfix/master.cf了,因此这里就不再叙述。前面的步骤我们也提到过pcre 这个软件,它是安装maildrop所必须的,所以需要先安装这个软件(如果系统不存在这个软件的话)。
|
[root@mailserv2 courier-imap-4.1.3]# cd
[root@mailserv2 courier-imap-4.1.3]# tar jxvf pcre-7.2.tar.bz2
[root@mailserv2 courier-imap-4.1.3]# cd pcre-7.2
[root@mailserv2 courier-imap-4.1.3]# ./configure
[root@mailserv2 courier-imap-4.1.3]# make
[root@mailserv2 courier-imap-4.1.3]# make install
//安装pcre应该是非常容易的事情,片刻之间就可搞定,接下来安装maildrop.在执行配置过程中,需要很多选项,不要疏漏。
[root@mailserv2 pcre-7.2]# cd
[root@mailserv2 pcre-7.2]# tar jxvf maildrop-2.0.4.tar.bz2
[root@mailserv2 pcre-7.2]# cd maildrop-2.0.4
[root@mailserv2 maildrop-2.0.4]# ./configure --prefix=/usr/local/maildrop --enable-
sendmail=/usr/sbin/sendmail --enable-trusted-users='root vmail' --enable-syslog=1
--enable-maildirquota --enable-maildrop-uid=1001 --enable-maildrop-gid=1001 --with
-trashquota --with-dirsync
[root@mailserv2 maildrop-2.0.4]# make
[root@mailserv2 maildrop-2.0.4]# make install
[root@mailserv2 maildrop-2.0.4]# cp /usr/local/maildrop/bin/maildrop /usr/bin
|
|
[root@mailserv2 ~]# maildrop –v
maildrop 2.0.4 Copyright 1998-2005 Double Precision, Inc.
GDBM extensions enabled.
Courier Authentication Library extension enabled.
Maildir quota extension enabled.
This program is distributed under the terms of the GNU General Public
License. See COPYING for additional information.
|
|
[root@mailserv2 mailbox]# more /etc/maildroprc
logfile "/var/mailbox/maildrop.log"
to "$HOME/$DEFAULT"
|
|
[root@mailserv2 mailbox]# tail maildrop.log
Date: Sat Oct 6 12:45:20 2007
From: "Saundra Y. Echols" <[email protected]>
Subj: No girls laugh at me now, haha, i laugh at them
File: /mail/mailbox//sery.com/magazine/ (3355)
|
|
[root@mailserv2 ~]# more /usr/sbin/maildirmake.sh
#!/bin/bash
set -e
if [ ! -d /var/mailbox/$1 ]
then
mkdir /var/mailbox/$1
fi
chown -R vmail:vmail /var/mailbox/$1
cd "/var/mailbox/$1"
/usr/local/imap/bin/maildirmake $2
mkdir /var/mailbox/$1/$2/Maildir
chown -R vmail:vmail /var/mailbox/$1/$2
[root@mailserv2 ~]# more /usr/sbin/maildirdel.sh
#!/bin/bash
rm -rf /var/mailbox/$1/$2
|
|
[root@mailserv2 ~]# useradd clamav [root@mailserv2 ~]# cd [root@mailserv2 ~]# cd clamav-0.91.2 [root@mailserv2 ~]# ./configure --prefix=/usr/local/clamav --with-dbdir=/usr/local/share/clamav --disable-zlib-vcheck [root@mailserv2 ~]# make [root@mailserv2 ~]# make install |
|
[root@mailserv2 ~]# more /usr/local/clamav/etc/freshclam.conf | sed -n '/^#/!p'
DatabaseDirectory /usr/local/share/clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose yes
LogSyslog yes
LogFacility LOG_MAIL
DatabaseOwner amavis
DatabaseMirror db.CN.clamav.net
DatabaseMirror database.clamav.net
[root@mailserv2 ~]# more /usr/local/clamav/etc/clamd.conf | sed -n '/^#/!p'
LogFile /var/log/clamav/clamd.log
LogSyslog yes
LogVerbose yes
PidFile /var/run/clamav/clamd.pid
DatabaseDirectory /usr/local/share/clamav
LocalSocket /var/run/clamav/clamd.socket
StreamMaxLength 20M
User amavis
ScanMail yes
ScanArchive yes
|
|
[root@mailserv2 ~]# more /root/clamav.sh
#!/bin/bash
# create directory for clamav
mkdir /var/log/clamav chmod -R 744 /var/log/clamav chown -R amavis:amavis /var/log/clamav chown -R amavis.amavis /usr/local/share/clamav mkdir /var/run/clamav chmod 700 /var/run/clamav chown amavis.amavis /var/run/clamav |
|
[root@mailserv2 ~]# more /root/amavis.sh
#!/bin/bash
cd /root
tar amavisd-new-2.5.2.tar.gz
cd amavisd-new-2.5.2
mkdir -p /var/amavis /var/amavis/tmp /var/amavis/var /var/amavis/db chown -R amavis:amavis /var/amavis chmod -R 750 /var/amavis cp amavisd /usr/local/sbin/ chown root /usr/local/sbin/amavisd chmod 755 /usr/local/sbin/amavisd cp amavisd.conf /etc/ chown root /etc/amavisd.conf chmod 644 /etc/amavisd.conf
mkdir /var/virusmails chown amavis:amavis /var/virusmails chmod 750 /var/virusmails |
|
$max_servers=8; $daemon_user = 'amavis'; $daemon_group = 'amavis'; $mydomain = 'sery.com'; $db_home = "$MYHOME/db"; $inet_socket_port = 10024; $sa_tag_level_deflt = -100; $sa_tag2_level_deflt = 6.3; $sa_kill_level_deflt = $sa_tag2_level_deflt; $virus_admin = "virusalert@$mydomain"; $sa_spam_subject_tag = '***SPAM*** '; $notify_method = $forward_method; $forward_method = 'smtp:127.0.0.1:10025'; $final_virus_destiny = D_DISCARD; $final_banned_destiny = D_DISCARD; $final_spam_destiny = D_PASS; ['ClamAV-clamd', &ask_daemon, ["CONTSCAN {}n", "/var/run/clamav/clamd.socket"], qr/bOK$/, qr/bFOUND$/, qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ], |
|
[root@mailserv2 ~]# cd
[root@mailserv2 ~]# tar zxvf BerkeleyDB-0.32.tar.gz
[root@mailserv2 ~]# cd BerkeleyDB-0.32
[root@mailserv2 ~]# perl Makefile.PL
[root@mailserv2 ~]# make
[root@mailserv2 ~]# make install
|
|
DirectoryIndex index.html index.php index.cgi
ScriptAlias /extmail/cgi/ /var/www/extsuite/extmail/cgi/
<Directory "/var/www/extsuite/extmail/cgi">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
Alias /extmail /var/www/extsuite/extmail/html
<Directory /var/www/extsuite/extmail/html>
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
|
|
| 图 8 |
|
[root@mailserv2 extmail]# more webmail.cf
# sys_config, the config file and webmail programe root
SYS_CONFIG = /var/www/extsuite/extmail/
# sys_langdir, the i18n dir
SYS_LANGDIR = /var/www/extsuite/extmail/lang
# sys_templdir, the template dir
SYS_TEMPLDIR = /var/www/extsuite/extmail/html
# sys_warn, show system warning or not, default to yes
SYS_SHOW_WARN = 0
# sys_permit_noquota, permit an account without qouta?
SYS_PERMIT_NOQUOTA = 1
# sys_sess_dir, the session dir
SYS_SESS_DIR = /tmp/
# sys_log_on = 1 | 0 - enable logging or not
SYS_LOG_ON = 1
# sys_log_type = file|syslog|nsyslog, syslog will save login
# or error info into mail.*, nsyslog is a replacement to syslog
# that will send log message to network syslogd
SYS_LOG_TYPE = syslog
# sys_log_file - path to log file, if sys_log_type = file
SYS_LOG_FILE = /var/log/extmail.log
# sys_sess_timeout, session timeout, default 3 hours (3h) format:
# number+(s|m|h|d|M|y); or only number, the 0 means that the
# session will last for 0 seconds, but if you specify the
# sys_sess_cookie_only = 1 then it means the session will expire
# after you close your browser :)
SYS_SESS_TIMEOUT = 0
# sys_sess_cookie_only = 0|1 use cookie only or include cgi "sid"
# parameter ? if set to true(1), the session will be expired after
# sys_sess_timeout if there is no any active request from browser
SYS_SESS_COOKIE_ONLY = 1
# sys_user_psize, user default page_size
SYS_USER_PSIZE = 10
# sys_user_tsize, user mail subject truncate size, valid type:
# auto => full text
# screen1 => 800x600
# screen2 => 1024x768
# screen3 => 1280x1024
SYS_USER_SCREEN = auto
# sys_user_lang, user default language
SYS_USER_LANG = en_US
# sys_user_template, user default template
SYS_USER_TEMPLATE = default
# sys_user_charset, user default charset
SYS_USER_CHARSET = utf-8
# sys_user_trylocal, user default outgoing encoding mechanism
SYS_USER_TRYLOCAL = 1
# sys_user_timezone, user default timezone
SYS_USER_TIMEZONE = +0800
# sys_user_* default parameters
SYS_USER_CCSENT = 0
SYS_USER_SHOW_HTML = 1
SYS_USER_COMPOSE_HTML = 1
SYS_USER_CONV_LINK =1
SYS_USER_ADDR2ABOOK = 1
# sys_min_pass_len, minimal password length, default 2
SYS_MIN_PASS_LEN = 2
# sys_mfilter_on, default is off
SYS_MFILTER_ON = 1
# sys_netdisk_on, default is off
SYS_NETDISK_ON = 0
# sys_debug_on, default is off
SYS_DEBUG_ON = 0
# sys auth type, mysql/ldap/authlib
SYS_AUTH_TYPE = mysql
# maildir_base, the base dir of user maildir, use absolute path
# if not set.
SYS_MAILDIR_BASE = /var/mailbox
# sys_auth_schema, vpopmail1/vpopmail2/virtual
# vpopmail1 => all user accounts in one table
# vpopmail2 => accounts in per domain table
SYS_AUTH_SCHEMA = virtual
# crypt_type, the default encrypt type of password, possible type
# currently is crypt|cleartext|plain|md5|md5crypt|plain-md5|ldap-md5|sha|sha1
SYS_CRYPT_TYPE = md5crypt
# if mysql, all relate parameters should prefix as SYS_MYSQL
SYS_MYSQL_USER = postfix
SYS_MYSQL_PASS = postfix
SYS_MYSQL_DB = postfix
SYS_MYSQL_HOST = localhost
SYS_MYSQL_SOCKET = /tmp/mysql.sock
# table name
SYS_MYSQL_TABLE = mailbox
SYS_MYSQL_ATTR_USERNAME = username
SYS_MYSQL_ATTR_DOMAIN = domain
SYS_MYSQL_ATTR_PASSWD = password
# sys_mysql_attr_clearpw - attribute to save clear password, useful for
# postmaster withdraw the original passwd if the end user forgot, but
# we highly recommend that you don't enable it for security reason
# SYS_MYSQL_ATTR_CLEARPW = clearpwd
SYS_MYSQL_ATTR_QUOTA = quota
SYS_MYSQL_ATTR_NDQUOTA = netdiskquota
SYS_MYSQL_ATTR_HOME = homedir
SYS_MYSQL_ATTR_MAILDIR = maildir
# service enable/disable attributes
# comment them out if you don't want their function
SYS_MYSQL_ATTR_DISABLEWEBMAIL = disablewebmail
SYS_MYSQL_ATTR_DISABLENETDISK = disablenetdisk
SYS_MYSQL_ATTR_ACTIVE = active
# if ldap, all relate parameters should prefix as SYS_LDAP
SYS_LDAP_BASE = o=extmailAccount,dc=example.com
SYS_LDAP_RDN = cn=Manager,dc=example.com
SYS_LDAP_PASS = secret
SYS_LDAP_HOST = localhost
# ldif attributes
SYS_LDAP_ATTR_USERNAME = mail
SYS_LDAP_ATTR_DOMAIN = virtualDomain
SYS_LDAP_ATTR_PASSWD = userPassword
# sys_ldap_attr_clearpw - attribute to save clear password, useful for
# postmaster withdraw the original passwd if the end user forgot, but
# we highly recommend that you don't enable it for security reason
# SYS_LDAP_ATTR_CLEARPW = clearPassword
SYS_LDAP_ATTR_QUOTA = mailQuota
SYS_LDAP_ATTR_NDQUOTA = netdiskQuota
SYS_LDAP_ATTR_HOME = homeDirectory
SYS_LDAP_ATTR_MAILDIR = mailMessageStore
# service enable/disable attributes
# comment them out if you don't want their function
SYS_LDAP_ATTR_DISABLEWEBMAIL = disablewebmail
SYS_LDAP_ATTR_DISABLENETDISK = disablenetdisk
SYS_LDAP_ATTR_ACTIVE = active
# if authlib, all relate parameters should prefix as AUTHLIB
SYS_AUTHLIB_SOCKET = /usr/local/authlib/var/spool/authdaemon/socket
# Global Abook support
# sys_g_abook_type, global abook type, valid is ldap|file, currently
# only support ldap, file module is under development :-)
SYS_G_ABOOK_TYPE = file
# if ldap, all relate parameters should prefix as SYS_G_ABOOK_LDAP
SYS_G_ABOOK_LDAP_HOST = localhost
SYS_G_ABOOK_LDAP_BASE = ou=AddressBook,dc=example.com
SYS_G_ABOOK_LDAP_ROOTDN = cn=Manager,dc=example.com
SYS_G_ABOOK_LDAP_ROOTPW = secret
SYS_G_ABOOK_LDAP_FILTER = objectClass=OfficePerson
# if file, all relate parameters should prefix as SYS_G_ABOOK_FILE
SYS_G_ABOOK_FILE_PATH = /var/www/extsuite/extmail/globabook.cf
SYS_G_ABOOK_FILE_LOCK = 1
SYS_G_ABOOK_FILE_CONVERT = 0
SYS_G_ABOOK_FILE_CHARSET = utf-8
|
|
<TR>
<TD><%domain%></TD>
<TD><select name="domain" size="1" class="input_select"></option><option value="mail.sery.com">mail.sery.com</option>
<optionvalue="sery.com">sery.com</option></select><!--<INPUT TYPE="text" class="input_n" NAME="domain">--></TD>
</TR>
|
|
| 图 9 |
|
################ normal services ############################
/usr/local/apache/bin/apachectl start
/usr/local/mysql/bin/mysqld_safe --user=mysql&
/usr/local/authlib/sbin/authdaemond start
############## postfix relatively ###########################
postfix start
/usr/local/imap/sbin/imapd start
################ antivirus and antispam #####################
/usr/bin/spamd --daemonize --pidfile /var/run/spamd.pid
/usr/local/sbin/amavisd start
/usr/local/clamav/sbin/clamd
|
|
[root@mailserv2 extmail]# crontab -l
0 0 1 * * root wget -N -P /usr/share/spamassassin www.ccert.edu.cn/spam/sa/Chinese_rules.cf;kill -HUP `cat /var/run/spamd.pid`
00 00 * * * /usr/local/clamav/bin/freshclam
|
|
[root@mailserv2 virusalert]# more /usr/local/bin/data_backup.sh
#!/bin/bash
BackupPath=/var/data_bk
Mysql_bk_dir=$BackupPath/mysqlbk
Mail_bk_dir=$BackupPath/mailbk
LogFile=$BackupPath/backuplog
MailBoxDir=/var/mailbox
####################################################################
# define mysql variables #
####################################################################
NewFile="$Mysql_bk_dir"/postfix$(date +%Y%m%d).tgz
DumpFile="$Mysql_bk_dir"/postfix$(date +%Y%m%d).sql
OldFile="$Mysql_bk_dir"/postfix$(date +%Y%m%d --date='5 days ago').tgz
DbUser=root
DbPasswd=husb^R
DbName=postfix
####################################################################
# mysql backup proccess #
####################################################################
echo "-------------------------------------------" >> $LogFile
echo $(date +"%y-%m-%d %H:%M:%S") >> $LogFile
echo "--------------------------" >> $LogFile
#Delete Old File
if [ -f $OldFile ]
then
rm -f $OldFile >> $LogFile 2>&1
echo "[$OldFile]Delete Old File Success!" >> $LogFile
else
echo "[$OldFile]No Old Backup File!" >> $LogFile
fi
if [ -f $NewFile ]
then
echo "[$NewFile]The Backup File is exists,Can't Backup!" >> $LogFile
else
cd $Mysql_bk_dir
/usr/local/mysql/bin/mysqldump -u $DbUser -p$DbPasswd --opt $DbName > $DumpFile
tar czf $NewFile postfix$(date +%Y%m%d).sql >> $LogFile 2>&1
echo "[$NewFile]Backup Success!" >> $LogFile
rm -rf $DumpFile
fi
######################################################################
# backup mail's user directories and files #
######################################################################
MailFileBk=$Mail_bk_dir/mail$(date +%Y%m%d).tgz
OldMailFileBk=$Mail_bk_dir/mail$(date +%Y%m%d --date='14 days ago').tgz
if [ -f $OldMailFileBk ]
then
rm -rf $OldMailFileBk
fi
if [ -f $MailFileBk ]
then
echo "[$MailFileBk]The Backup File is exists,Can't Backup!" >> $LogFile
else
cd /mail
tar czf $MailFileBk mailbox >> $LogFile 2>&1
fi
echo "-------------------------------------------" >> $LogFile
|
|
[root@mailserv2 ~]# crontab -l
0 0 1 * * root wget -N -P /usr/share/spamassassin www.ccert.edu.cn/spam/sa/Chinese_rules.cf;kill -HUP `cat /var/run/spamd.pid`
00 01 * * * /usr/local/bin/data_backup.sh
00 00 * * * /usr/local/clamav/bin/freshclam
|
|
[root@mailserv2 ~]# more /usr/local/bin/kernel_optimize
#!/bin/bash
#kernel optimize optimize ,create by 2007-7-29
#enable broadcast echo protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#disble source routed packets
#for f in /proc/sys/net/ipv4/conf/*/accept_source_rout; do
# echo 0 > $f
#done
#enable tcp syn cookie protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#disable icmp redirect acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
#don't send redirect messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $f
done
#drop spoofed packets
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
#log packets with impossible addresses
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $f
done
|
|
[root@mailserv2 ~]# more /usr/local/bin/firewall
#!/bin/bash
#this is a common firewall created by 2007-7-29
#define some variable
IPT=/sbin/iptables
CONNECTION_TRACKING="1"
INTERNET="eth0"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"
IPADDR=220. 94.58.245
LOOPBACK_INTERFACE="lo"
#Remove any existing rules
$IPT -F
$IPT -X
#setting default firewall policy
$IPT --policy OUTPUT ACCEPT
$IPT --policy FORWARD DROP
$IPT -P INPUT DROP
#stop firewall
if [ "$1" = "stop" ]
then
echo "Filewall completely stopped!no firewall running!"
exit 0
fi
#setting for loopback interface
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# Stealth Scans and TCP State Flags
# All of the bits are cleared
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# SYN and FIN are both set
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN and RST are both set
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# FIN and RST are both set
$IPT -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# FIN is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
# PSH is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
# URG is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
# Using Connection State to By-pass Rule Checking
if [ "$CONNECTION_TRACKING" = "1" ]; then
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A OUTPUT -m state --state INVALID -j DROP
fi
##################################################################
# Source Address Spoofing and Other Bad Addresses
# Refuse spoofed packets pretending to be from
# the external interface.s IP address
$IPT -A INPUT -i $INTERNET -s $IPADDR -j DROP
# Refuse packets claiming to be from a Class A private network
$IPT -A INPUT -i $INTERNET -s $CLASS_A -j DROP
# Refuse packets claiming to be from a Class B private network
$IPT -A INPUT -i $INTERNET -s $CLASS_B -j DROP
# Refuse packets claiming to be from a Class C private network
$IPT -A INPUT -i $INTERNET -s $CLASS_C -j DROP
$IPT -A INPUT -i $INTERNET -s 0.0.0.0/8 -j DROP
$IPT -A INPUT -i $INTERNET -s 169.254.0.0/16 -j DROP
$IPT -A INPUT -i $INTERNET -s 192.0.2.0/24 -j DROP
###################################################################
#setting access rules
#enable ssh connect
$IPT -A INPUT -i $INTERNET -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp --dport 25 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp --dport 110 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp --dport 143 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp --dport 783 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp -s 127.0.0.1 --dport 3306 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp --dport 5666 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp --dport 10024 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp --dport 10025 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p udp --dport 123 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p icmp -j ACCEPT
|
“$IPT -A INPUT -i $INTERNET -p tcp -s 127.0.0.1 --dport 3306 -j ACCEPT”这条规则是阻止外部机器连接mysql数据库。端口5666是nagios监控所用。把内核优化和防火墙脚本加在文件/etc/rc.local中,实现开机即启。
◆关于多邮件域和用户限额
Postfix支持多邮件域,当我们用postfixadmin创建多个邮件域的时候,别忘记在DNS服务器上做好主机记录解析和MX解析。多邮件域的情形是多个mx记录指向同一个主机ip地址。
默认情况下,postfix 数据库的mailbox表的字段"quota"值是"0",它表示用户的油箱大小是100M,假如我们要把用户的邮箱大小设置成500M,则只需连接数据库postfix更改mailbox表"quota"字段的值为"524288000"。
所有的工作都做完以后,重启linux。检查进程看与postfix相关的守护进程是否在运行,然后在用foxmail来收发邮件,再也 webmail(extmail)方式收发。尽管postfix涉及很多方面的内容,但在大部分情况下,通过日志文件/var/log/maillog可以得出一些非常有用的信息,从排除故障这个角度讲,postfix的日志文件将会为排除故障提供很好的帮助。
|
[root@mailserv2 ~]# more /etc/rc.local
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local
################ normal services ############################
/usr/local/apache/bin/apachectl start
/usr/local/mysql/bin/mysqld_safe --user=mysql&
/usr/local/authlib/sbin/authdaemond start
############## postfix relatively ###########################
postfix start
/usr/local/imap/sbin/imapd start
################ antivirus and antispam #####################
/usr/bin/spamd --daemonize --pidfile /var/run/spamd.pid
/usr/local/sbin/amavisd start
/usr/local/clamav/sbin/clamd
############### system optimize #############################
/usr/local/bin/kernel_optimize
/usr/local/bin/firewall
################### NRPE nagios remote plugin execute $$$$$$$$$
/usr/local/nrpe/bin/nrpe -c /usr/local/nrpe/etc/nrpe.cfg -d
|
|
mysql> use postfix;
mysql> update mailbox set quota='524288000';
Query OK, 1 row affected (0.03 sec)
Rows matched: 191 Changed: 1 Warnings: 0
|
|
| 图 10 |
|
[root@mailserv2 ~]# ps auxww //部分进程快照
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
vmail 1481 0.0 1.2 12644 6568 ? S Oct03 0:00 /usr/local/apache/bin/httpd -k start
postfix 1622 0.0 0.2 4000 1276 ? S Oct02 0:08 anvil -l -t unix -u
vmail 1843 0.0 1.2 12644 6568 ? S Oct03 0:00 /usr/local/apache/bin/httpd -k start
root 1972 0.0 0.1 1688 620 ? Ss Sep20 2:41 syslogd -m 0
root 1975 0.0 0.0 1644 400 ? Ss Sep20 0:01 klogd -x
root 1994 0.0 0.1 5424 984 ? Ss Sep20 0:22 /usr/sbin/sshd
ntp 2012 0.0 0.9 4672 4672 ? SLs Sep20 0:00 ntpd -u ntp:ntp -p /var/run/ntpd.pid -g
root 2027 0.0 0.2 5224 1104 ? Ss Sep20 0:00 crond
root 2042 0.0 0.0 2200 424 ? Ss Sep20 0:00 /usr/sbin/atd
root 2050 0.0 1.3 12644 7016 ? Ss Sep20 0:00 /usr/local/apache/bin/httpd -k start
root 2056 0.0 0.0 1628 400 ? S Sep20 0:18 /usr/local/authlib/sbin/courierlogger -pid=/usr/local/authlib/var/spool/authdaemon/pid -start /usr/local/authlib/libexec/courier-authlib/authdaemond
root 2067 0.0 0.1 2732 848 ? S Sep20 0:00 /usr/local/authlib/libexec/courier-authlib/authdaemond
root 2075 0.0 0.1 2776 1008 ? S Sep20 0:10 /usr/local/authlib/libexec/courier-authlib/authdaemond
root 2076 0.0 0.1 2776 1008 ? S Sep20 0:11 /usr/local/authlib/libexec/courier-authlib/authdaemond
root 2077 0.0 0.1 2776 1008 ? S Sep20 0:10 /usr/local/authlib/libexec/courier-authlib/authdaemond
root 2078 0.0 0.1 2776 1008 ? S Sep20 0:10 /usr/local/authlib/libexec/courier-authlib/authdaemond
root 2079 0.0 0.1 2776 1008 ? S Sep20 0:10 /usr/local/authlib/libexec/courier-authlib/authdaemond
root 2143 0.0 0.2 3972 1244 ? Ss Sep20 4:57 /usr/libexec/postfix/master
postfix 2146 0.0 0.2 4040 1308 ? S Sep20 1:44 qmgr -l -t fifo -u
root 2153 0.0 0.0 1624 404 ? S Sep20 0:00 /usr/local/authlib/sbin/courierlogger -pid=/var/run/imapd.pid -start -name=imapd /usr/local/imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 143 /usr/local/imap/sbin/imaplogin /usr/local/imap/bin/imapd Maildir
root 2154 0.0 0.1 1728 536 ? S Sep20 0:00 /usr/local/imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 143 /usr/local/imap/sbin/imaplogin /usr/local/imap/bin/imapd Maildir
root 2159 0.0 0.0 1628 404 ? S Sep20 0:03 /usr/local/authlib/sbin/courierlogger -pid=/var/run/pop3d.pid -start -name=pop3d /usr/local/imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 110 /usr/local/imap/sbin/pop3login /usr/local/imap/bin/pop3d Maildir
root 2160 0.0 0.1 1728 536 ? S Sep20 0:03 /usr/local/imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 110 /usr/local/imap/sbin/pop3login /usr/local/imap/bin/pop3d Maildir
amavis 2169 0.0 17.2 113196 89072 ? Ss Sep20 7:00 /usr/local/clamav/sbin/clamd
root 2251 0.0 0.0 1624 440 tty1 Ss+ Sep20 0:00 /sbin/mingetty tty1
root 2252 0.0 0.0 1624 436 tty2 Ss+ Sep20 0:00 /sbin/mingetty tty2
root 2253 0.0 0.0 1624 440 tty3 Ss+ Sep20 0:00 /sbin/mingetty tty3
root 2254 0.0 0.0 1624 440 tty4 Ss+ Sep20 0:00 /sbin/mingetty tty4
root 2255 0.0 0.0 1624 440 tty5 Ss+ Sep20 0:00 /sbin/mingetty tty5
root 2256 0.0 0.0 1628 444 tty6 Ss+ Sep20 0:00 /sbin/mingetty tty6
root 3626 0.0 0.2 4440 1104 ? S Sep20 0:00 /bin/sh /usr/local/mysql/bin/mysqld_safe --user=mysql
mysql 3644 0.0 4.1 133256 21460 ? Sl Sep20 8:33 /usr/local/mysql/libexec/mysqld --basedir=/usr/local/mysql --datadir=/usr/local/mysql/var --user=mysql --pid-file=/usr/local/mysql/var/mailserv2.pid --skip-locking
root 12456 0.0 0.4 8272 2504 ? Ss 20:13 0:00 sshd: root@pts/2
root 12458 0.0 0.2 4624 1456 pts/2 Ss+ 20:13 0:00 -bash
amavis 12624 0.0 9.7 59064 50236 ? Ss 20:21 0:01 amavisd (master)
postfix 14269 0.0 0.2 4132 1460 ? S 22:07 0:00 trivial-rewrite -n rewrite -t unix -u
amavis 14518 0.0 10.6 63740 54748 ? S 22:18 0:05 amavisd (ch18-avail)
amavis 14875 0.0 10.4 62724 53768 ? S 22:43 0:04 amavisd (ch11-avail)
amavis 14883 0.1 10.3 62592 53452 ? S 22:44 0:04 amavisd (ch14-avail)
root 14890 0.0 0.4 8276 2512 ? Ss 22:45 0:00 sshd: root@pts/1
root 14892 0.0 0.2 4616 1444 pts/1 Ss 22:45 0:00 -bash
amavis 15160 0.0 10.2 61812 52728 ? S 22:59 0:02 amavisd (ch5-avail)
amavis 15164 0.1 10.3 62464 53488 ? S 22:59 0:04 amavisd (ch13-avail)
amavis 15211 0.1 10.3 62020 53060 ? S 23:03 0:04 amavisd (ch13-avail)
amavis 15292 0.0 10.2 61700 52648 ? S 23:08 0:02 amavisd (ch7-avail)
amavis 15383 0.1 10.2 62124 52964 ? S 23:12 0:03 amavisd (ch8-avail)
postfix 15762 0.0 0.4 4520 2300 ? S 23:40 0:00 smtpd -n smtp -t inet -u
postfix 15865 0.0 0.2 4004 1156 ? S 23:47 0:00 pickup -l -t fifo -u
root 15941 0.0 0.1 4220 940 pts/1 R+ 23:55 0:00 ps auxww
nagios 18752 0.0 0.1 4836 944 ? Ss Sep22 0:05 ../bin/nrpe -c nrpe.cfg -d
vmail 24853 0.0 1.2 12644 6664 ? S Oct04 0:00 /usr/local/apache/bin/httpd -k start
vmail 24854 0.0 1.2 12644 6596 ? S Oct04 0:00 /usr/local/apache/bin/httpd -k start
vmail 24884 0.0 1.2 12644 6568 ? S Oct04 0:00 /usr/local/apache/bin/httpd -k start
vmail 24885 0.0 1.3 12780 6696 ? S Oct04 0:00 /usr/local/apache/bin/httpd -k start
vmail 24886 0.0 1.2 12644 6568 ? S Oct04 0:00 /usr/local/apache/bin/httpd -k start
vmail 24967 0.0 1.2 12644 6596 ? S Oct04 0:00 /usr/local/apache/bin/httpd -k start
vmail 24970 0.0 1.2 12644 6552 ? S Oct04 0:00 /usr/local/apache/bin/httpd -k start
vmail 28305 0.0 1.3 12788 6724 ? S Oct02 0:00 /usr/local/apache/bin/httpd -k start
root 29390 0.0 5.5 33232 28576 ? Ss Oct01 0:00 /usr/bin/spamd --daemonize --pidfile /var/run/spamd.pid
root 29392 0.0 5.2 33232 27068 ? S Oct01 0:00 spamd child
root 29393 0.0 5.2 33232 26988 ? S Oct01 0:00 spamd child
|
本文出自 “sery” 博客,转载请与作者联系!
相关阅读 更多 +
