Linux Admin Concise Tutorial

Set Up Postfix MTA and IMAP/POP3

To send email from our CentOS 7 server, we need to set up and configure a modern Mail Transfer Agent (MTA). The MTA is the daemon responsible for sending outbound mail for system users or corporate Internet domains via SMTP.

It is worth noting that this tutorial only covers setting up the daemon for local use. We do not go into the advanced configuration needed to run an MTA for business operations; that is a combination of many skills, including but not limited to DNS, obtaining a static routable IP address that is not blacklisted, and configuring advanced security and service settings. In short, this tutorial is meant to familiarize you with the basic configuration. Do not use it for the MTA configuration of an Internet-facing host.

With its combined focus on security and ease of administration, we have chosen Postfix as the MTA for this tutorial. The default MTA installed in older versions of CentOS is Sendmail, and Sendmail is a great MTA. However, in the author's humble opinion, Postfix hits a sweet spot on the following points an MTA should address. In the most current version of CentOS, Postfix has superseded Sendmail as the default MTA.

Postfix is a widely used and well documented MTA. It is actively maintained and developed. It is designed to require minimal configuration (this is just email) and to be efficient with system resources (again, this is just email).

Step 1 − Install Postfix from the YUM package manager.

[root@centos]# yum -y install postfix

Step 2 − Configure the Postfix config file.

The Postfix configuration file is located at: /etc/postfix/main.cf

In a simple Postfix configuration, the following must be configured for a specific host: hostname, domain, origin, inet_interfaces, and destination.

Configure the hostname − The hostname is the fully qualified domain name of the Postfix host. In the OpenLDAP chapter, we named the CentOS box centos on the domain vmnet.local. Let's stick with that for this chapter.

# The myhostname parameter specifies the internet hostname of this
# mail system. The default is to use the fully-qualified domain name
# from gethostname(). $myhostname is used as a default value for many
# other configuration parameters.
#
myhostname = centos.vmnet.local

Configure the domain − As stated above, the domain we will be using in this tutorial is vmnet.local.

# The mydomain parameter specifies the local internet domain name.
# The default is to use $myhostname minus the first component.
# $mydomain is used as a default value for many other configuration
# parameters.
#
mydomain = vmnet.local

Configure the origin − For a single-server, single-domain setup, we just need to uncomment the following section and leave the default Postfix variables.

# SENDING MAIL
#
# The myorigin parameter specifies the domain that locally-posted
# mail appears to come from. The default is to append $myhostname,
# which is fine for small sites.  If you run a domain with multiple
# machines, you should (1) change this to $mydomain and (2) set up
# a domain-wide alias database that aliases each user to
# user@that.users.mailhost.
#
# For the sake of consistency between sender and recipient addresses,
# myorigin also specifies the default domain name that is appended
# to recipient addresses that have no @domain part.
#
# Postfix keeps the last assignment of a parameter, so leaving both lines
# uncommented would make myorigin = $mydomain anyway; keep only the one you mean.
#myorigin = $myhostname
myorigin = $mydomain

Configure the network interfaces − We will leave Postfix listening on our single network interface and on all protocols and IP addresses associated with that interface. This is done by simply leaving the default settings enabled for Postfix.

# The inet_interfaces parameter specifies the network interface
# addresses that this mail system receives mail on.  By default,
# the software claims all active interfaces on the machine. The
# parameter also controls delivery of mail to user@[ip.address].
#
# See also the proxy_interfaces parameter, for network addresses that
# are forwarded to us via a proxy or network address translator.
#
# Note: you need to stop/start Postfix when this parameter changes.
#
#inet_interfaces = all
#inet_interfaces = $myhostname
#inet_interfaces = $myhostname, localhost
#inet_interfaces = localhost
# Enable IPv4, and IPv6 if supported
inet_protocols = all

Step 3 − Configure SASL support for Postfix.

Without SASL authentication support, Postfix will only allow local users to send email, and it will give a relaying denied error when users send email outside the local domain.

Note − SASL, or Simple Application Security Layer Framework, is a framework designed to support different authentication techniques across different application-layer protocols. Instead of leaving authentication mechanisms up to the application-layer protocol, SASL developers (and consumers) leverage existing authentication protocols for higher-level protocols that may not have convenient or more secure authentication (when speaking of access to secured services) built in.

Install the cyrus-sasl* package

[root@centos]# yum -y install cyrus-sasl
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: repos.forethought.net
 * extras: repos.dfw.quadranet.com
 * updates: mirrors.tummy.com
Package cyrus-sasl-2.1.26-20.el7_2.x86_64 already installed and latest version
Nothing to do

Configure /etc/postfix/main.cf for SASL auth

# Let the SMTP server offer AUTH, and accept mail for relay only from our own
# networks or from authenticated clients. Note the smtpd_ prefix throughout:
# smtp_sasl_type and smtp_sasl_path are the SMTP *client* parameters and would
# configure outbound authentication instead of inbound.
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
    permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_security_options = noanonymous
# Use Dovecot as the SASL backend. The path is relative to the Postfix queue
# directory (/var/spool/postfix); Dovecot must be set up to create that socket.
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
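Added example, not part of the tutorial: a small POSIX shell linter for the main.cf settings from Steps 2 and 3. It parses Postfix's logical lines (a `key = value` line plus any indented continuation lines, with the last assignment of a key winning) and reports the mistakes that are easy to make in this file: a key assigned twice (as `myorigin` is when both default lines are uncommented), a misspelled parameter name, which Postfix ignores, and a server-side `smtpd_` option mistyped as its client-side `smtp_` namesake, which Postfix accepts silently because that parameter also exists. The two main.cf samples, the temp-file handling and the `KNOWN_KEYS` list are constructed for this example; the list is a small subset of postconf(5), not the full parameter set.

```shell
#!/bin/sh
# Constructed sample: carries a duplicate key and the three typos the
# linter is meant to catch (not a file from the tutorial).
SAMPLE_MAIN_CF=$(mktemp)
cat > "$SAMPLE_MAIN_CF" <<'EOF'
myhostname = centos.vmnet.local
mydomain = vmnet.local
myorigin = $myhostname
myorigin = $mydomain
inet_protocols = all
smtpd_sasl_auth_enable = yes
smptd_recipient_restrictions =
    permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_security_options = noanonymous
smtp_sasl_type = dovecot
smtp_sasl_path = private/auth/etc
EOF

# Constructed sample: the same settings, corrected.
FIXED_MAIN_CF=$(mktemp)
cat > "$FIXED_MAIN_CF" <<'EOF'
myhostname = centos.vmnet.local
mydomain = vmnet.local
myorigin = $mydomain
inet_protocols = all
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
    permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
EOF
trap 'rm -f "$SAMPLE_MAIN_CF" "$FIXED_MAIN_CF"' EXIT

# Parameters this linter knows (assumed subset of postconf(5)). smtp_sasl_type
# and smtp_sasl_path are real, but they configure the SMTP client.
KNOWN_KEYS="myhostname mydomain myorigin inet_interfaces inet_protocols mydestination smtpd_sasl_auth_enable smtpd_sasl_security_options smtpd_sasl_type smtpd_sasl_path smtpd_recipient_restrictions smtpd_relay_restrictions smtp_sasl_type smtp_sasl_path"

# main_cf_keys FILE: one key per assignment line (comments and continuations skipped)
main_cf_keys() {
  sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]*=.*/\1/p' "$1"
}

# main_cf_get FILE KEY: effective value, continuation lines joined, last assignment wins
main_cf_get() {
  awk -v key="$2" '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {
      cur = trim(substr($0, 1, index($0, "=") - 1))
      if (cur == key) val = trim(substr($0, index($0, "=") + 1))
      next
    }
    /^[ \t]+[^ \t#]/ { if (cur == key) val = trim(val " " trim($0)); next }
    { cur = "" }
    END { print val }' "$1"
}

known_key() { case " $KNOWN_KEYS " in *" $1 "*) return 0 ;; esac; return 1; }

# lint_main_cf FILE: print one finding per line; return 1 if anything was found
lint_main_cf() {
  f=$1; findings=0
  for k in $(main_cf_keys "$f" | sort | uniq -d); do
    echo "duplicate assignment: $k (Postfix keeps the last one: $(main_cf_get "$f" "$k"))"
    findings=1
  done
  for k in $(main_cf_keys "$f" | sort -u); do
    known_key "$k" || { echo "unknown parameter: $k (ignored; Postfix logs 'unused parameter')"; findings=1; }
  done
  if [ "$(main_cf_get "$f" smtpd_sasl_auth_enable)" = yes ]; then
    for k in smtpd_sasl_type smtpd_sasl_path; do
      [ -n "$(main_cf_get "$f" "$k")" ] ||
        { echo "missing: $k (smtp_${k#smtpd_} would configure the SMTP client instead)"; findings=1; }
    done
    case "$(main_cf_get "$f" smtpd_sasl_security_options)" in
      *noanonymous*) ;;
      *) echo "smtpd_sasl_security_options lacks noanonymous"; findings=1 ;;
    esac
  fi
  # Relay control: either restriction list must name an unauth_destination rule.
  case "$(main_cf_get "$f" smtpd_recipient_restrictions) $(main_cf_get "$f" smtpd_relay_restrictions)" in
    *unauth_destination*) ;;
    *) echo "no reject/defer_unauth_destination rule in smtpd_recipient_restrictions or smtpd_relay_restrictions"; findings=1 ;;
  esac
  return $findings
}

# Walk-through (guarded with "if" so a finding does not abort the script)
if lint_main_cf "$SAMPLE_MAIN_CF"; then echo "sample: clean"; else echo "sample: see findings above"; fi
if lint_main_cf "$FIXED_MAIN_CF"; then echo "fixed: clean"; fi
```

To lint the real file, run `lint_main_cf /etc/postfix/main.cf`; on the host itself, `postconf -n` remains the authoritative view of the effective non-default settings.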

Step 4 − Configure FirewallD to allow incoming SMTP services.

[root@centos]# firewall-cmd --permanent --add-service=smtp
success

[root@centos]# firewall-cmd --reload
success

[root@centos]#

Now let's check to make sure our CentOS host is allowing and responding to requests on port 25 (SMTP).

Nmap scan report for 172.16.223.132
Host is up (0.00035s latency).
Not shown: 993 filtered ports
PORT    STATE  SERVICE
20/tcp  closed ftp-data
21/tcp  open   ftp
22/tcp  open   ssh
25/tcp  open   smtp
80/tcp  open   http
389/tcp open   ldap
443/tcp open   https
MAC Address: 00:0C:29:BE:DF:5F (VMware)

As you can see, SMTP is listening and the daemon is responding to requests from our internal LAN.

Install Dovecot IMAP and POP3 Server

Dovecot is a secure IMAP and POP3 server designed to handle the incoming mail needs of smaller to larger organizations. Due to its prolific use with CentOS, we will use Dovecot as our example of installing and configuring an incoming mail server for CentOS and as the MTA's SASL provider.

As noted previously, we will not be configuring MX records in DNS or creating the security rules that would allow our services to handle mail for a domain. Hence, simply setting these services up on an Internet-facing host may leave room for security holes, for example without SPF records.

Step 1 − Install Dovecot.

[root@centos]# yum -y install dovecot

Step 2 − Configure Dovecot.

The main configuration file for Dovecot is located at: /etc/dovecot.conf. We will first back up the main configuration file. It is good practice to always back up configuration files before making edits. This way, if (for example) line breaks get destroyed by a text editor, years of changes are not lost; reverting is as easy as copying the current backup back into production.

Enable protocols and the daemon service for Dovecot

# Protocols we want to be serving.
# (Dovecot 2.x, as shipped with CentOS 7, treats the legacy names "imaps" and
# "pop3s" as imap/pop3 and warns about them; its native form is
# "protocols = imap pop3", with the SSL listeners on 993/995 enabled under
# service imap-login / pop3-login in conf.d/10-master.conf.)
protocols = imap imaps pop3 pop3s

Now, we need to start the Dovecot daemon and enable it to listen on startup −

[root@localhost]# systemctl start dovecot
[root@localhost]# systemctl enable dovecot

Let's make sure Dovecot is listening locally on the specified ports for IMAP, POP3, IMAP secured, and POP3 secured.

[root@localhost]# netstat -antup | grep dovecot
tcp        0      0 0.0.0.0:110     0.0.0.0:*     LISTEN      4368/dovecot
tcp        0      0 0.0.0.0:143     0.0.0.0:*     LISTEN      4368/dovecot
tcp        0      0 0.0.0.0:993     0.0.0.0:*     LISTEN      4368/dovecot
tcp        0      0 0.0.0.0:995     0.0.0.0:*     LISTEN      4368/dovecot
tcp6       0      0 :::110          :::*          LISTEN      4368/dovecot
tcp6       0      0 :::143          :::*          LISTEN      4368/dovecot
tcp6       0      0 :::993          :::*          LISTEN      4368/dovecot
tcp6       0      0 :::995          :::*          LISTEN      4368/dovecot

[root@localhost]#

As seen, Dovecot is listening on the specified ports for both IPv4 and IPv6.

Protocol   Port
POP3       110
POP3s      995
IMAP       143
IMAPs      993
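Added example, not part of the tutorial: a POSIX shell check that turns the netstat inspection above into something repeatable. It reads `netstat -antup`-style lines on stdin, keeps the LISTEN sockets owned by a dovecot process, and reports any (address family, port) pair from the table that is not there, so an IPv6-only or IPv4-only listener is caught rather than eyeballed. The netstat lines below are constructed to mirror the tutorial's listing (plus Postfix's master on port 25, which the filter must ignore); the column layout assumed is netstat's, not that of `ss`.

```shell
#!/bin/sh
# Constructed netstat -antup output (not captured from a real host).
NETSTAT_SAMPLE='tcp        0      0 0.0.0.0:110     0.0.0.0:*     LISTEN      4368/dovecot
tcp        0      0 0.0.0.0:143     0.0.0.0:*     LISTEN      4368/dovecot
tcp        0      0 0.0.0.0:993     0.0.0.0:*     LISTEN      4368/dovecot
tcp        0      0 0.0.0.0:995     0.0.0.0:*     LISTEN      4368/dovecot
tcp6       0      0 :::110          :::*          LISTEN      4368/dovecot
tcp6       0      0 :::143          :::*          LISTEN      4368/dovecot
tcp6       0      0 :::993          :::*          LISTEN      4368/dovecot
tcp6       0      0 :::995          :::*          LISTEN      4368/dovecot
tcp        0      0 0.0.0.0:25      0.0.0.0:*     LISTEN      1201/master'

# port:service pairs, as in the table above
EXPECTED="110:pop3 143:imap 993:imaps 995:pop3s"

# dovecot_listeners: read netstat lines on stdin; print "proto port" for every
# LISTEN socket whose owning process is dovecot (column 7 is "pid/name")
dovecot_listeners() {
  awk '$6 == "LISTEN" && $7 ~ /\/dovecot$/ {
         n = split($4, a, ":"); print $1, a[n] }'
}

# check_dovecot_ports: read netstat lines on stdin; print one line per missing
# (family, port) pair and return 1 if anything is missing
check_dovecot_ports() {
  listeners=$(dovecot_listeners)
  rc=0
  for proto in tcp tcp6; do
    for entry in $EXPECTED; do
      port=${entry%%:*}; name=${entry#*:}
      printf '%s\n' "$listeners" | grep -qx "$proto $port" ||
        { echo "missing: $name ($proto port $port)"; rc=1; }
    done
  done
  return $rc
}

# plaintext_listeners: the dovecot listeners on the un-encrypted ports (110, 143)
plaintext_listeners() {
  dovecot_listeners | awk '$2 == 110 || $2 == 143 { print }'
}

# Walk-through: the full sample passes; dropping the tcp6 lines reports four gaps
printf '%s\n' "$NETSTAT_SAMPLE" | check_dovecot_ports && echo "all expected listeners present"
printf '%s\n' "$NETSTAT_SAMPLE" | grep -v '^tcp6' | check_dovecot_ports || echo "IPv6 listeners missing"
```

On the host, `netstat -antup | check_dovecot_ports` runs the same check live. `plaintext_listeners` is there as a reminder that 110 and 143 carry POP3 and IMAP without TLS; Dovecot's default `disable_plaintext_auth = yes` refuses password logins on those ports unless the connection is from localhost or has been upgraded to TLS, so clients on the LAN should be pointed at 993/995.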

Now, we need to make some firewall rules.

[root@localhost]# firewall-cmd --permanent --add-port=110/tcp
success

[root@localhost]# firewall-cmd --permanent --add-port=143/tcp
success

[root@localhost]# firewall-cmd --permanent --add-port=995/tcp
success

[root@localhost]# firewall-cmd --permanent --add-port=993/tcp
success

[root@localhost]# firewall-cmd --reload
success

[root@localhost]#

Our incoming mail server is accepting requests for POP3, POP3s, IMAP, and IMAPs from hosts on the LAN.

Port Scanning host: 192.168.1.143

   Open TCP Port:   21          ftp
   Open TCP Port:   22          ssh
   Open TCP Port:   25          smtp
   Open TCP Port:   80          http
   Open TCP Port:   110         pop3
   Open TCP Port:   143         imap
   Open TCP Port:   443         https
   Open TCP Port:   993         imaps
   Open TCP Port:   995         pop3s