CentOS 7 postfix dovecot Openwebmail for 加密的 IMAP SMTP

 

CentOS 7：172.20.0.104

Windows 10：172.20.0.102

先設定 DNS Server

主要設定檔 /var/named/chroot/etc/named.conf

zone “vclass.local" {         type master;         file “vclass.local.zone"; }; zone “0.20.172.IN-ADDR.ARPA" {         type master;         file “172.20.0.zone"; };

正解 /var/named/chroot/var/named/vclass.local.zone

$TTL 86400 @ IN  SOA station.vclass.local. root.station.vclass.local. (                 2017101101      ;serial number                 1H              ;refresh slave                 5M              ;retry refresh                 1W              ;expire zone                 5M              ;cache time-to-live for negative answers ) @                               IN  NS          station.vclass.local. vclass.local.                   IN  MX   10 station.vclass.local. @                                       IN  A           172.20.0.104 station.vclass.local.                   IN  A           172.20.0.104 http://www.vclass.local.                       IN  A           172.20.0.104 mail                                    IN  A           172.20.0.104

反解 /var/named/chroot/var/named/172.20.0.zone

$TTL 86400 @ IN SOA station.vclass.local. root.station.vclass.local. (                 2017101101      ;serial number                 1H              ;refresh slave                 5M              ;retry refresh                 1W              ;expire zone                 5M              ;cache time-to-live for negative answers ) @                               IN  NS          station.vclass.local. 104.0.20.172.IN-ADDR.ARPA.      IN  PTR         station.vclass.local.

確認名稱解析都正常

從 Windows 10 解析也都正常

安裝套件 dovecot, postfix

yum install dovecot postfix

修改設定檔

/etc/dovecot/conf.d/10-mail.conf

mail_location = mbox:~/mail:INBOX=/var/mail/%u

/etc/dovecot/conf.d/10-auth.conf

disable_plaintext_auth = no【禁用純文字認證】

/etc/dovecot/dovecot.conf

protocols = pop3 imap【啟動 POP IMAP】

/etc/dovecot/conf.d/10-master.conf

service imap-login {   inet_listener imap {   }   inet_listener imaps {   } } service pop3-login {   inet_listener pop3 {   }   inet_listener pop3s {   } } service lmtp {   unix_listener lmtp {   } } service imap { } service pop3 { } service auth {   unix_listener auth-userdb {   }   unix_listener /var/spool/postfix/private/auth {     mode = 0660     user = postfix     group = postfix   } } service auth-worker { } service dict {   unix_listener dict {   } }

 

重新產生 dovecot 憑證

先準備產生憑證的設定檔

/etc/pki/dovecot/dovecot-openssl.cnf

[ req ] default_bits = 1024 encrypt_key = yes distinguished_name = req_dn x509_extensions = cert_type prompt = no [ req_dn ] C=TW ST=TAIWAN L=Taipei #O=Dovecot OU=IMAP server CN=mail.vclass.local emailAddress=alice@vclass.local [ cert_type ] nsCertType = server

產生 dovecot 憑證

openssl req -new -x509 -nodes -config /etc/pki/dovecot/dovecot-openssl.cnf -out /etc/pki/dovecot/certs/dovecot.pem -keyout /etc/pki/dovecot/private/dovecot.pem -days 3650

chown root:root /etc/pki/dovecot/certs/dovecot.pem /etc/pki/dovecot/private/dovecot.pem

chmod 0600 /etc/pki/dovecot/certs/dovecot.pem /etc/pki/dovecot/private/dovecot.pem

openssl x509 -subject -fingerprint -noout -in /etc/pki/dovecot/certs/dovecot.pem

啟動 dovecot

systemctl start dovecot

systemctl enable dovecot

再來換成 postfix

/etc/postfix/main.cf

 

postconf -e “inet_interfaces = all" postconf -e “myorigin = vclass.local" postconf -e “mydestination = $myhostname, localhost.$mydomain, localhost, vclass.local, mail.vclass.local" postconf -e “mynetworks = 172.20.0.0/24″ postconf -e “smtpd_sasl_auth_enable = yes" # 不開放匿名寄信，for security # postconf -e “smtpd_sasl_security_options = noanonymous" postconf -e “smtpd_sasl_type = dovecot" postconf -e “smtpd_sasl_path = private/auth" postconf -e “smtpd_recipient_restrictions =  permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination" postconf -e “smtpd_tls_security_level = may" postconf -e “smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem" postconf -e “smtpd_tls_key_file = /etc/pki/tls/private/postfix.pem"

 

/etc/postfix/master.cf

submission inet n       –       n       –       –       smtpd

重新產生 postfix 憑證

先準備產生憑證的設定檔

/etc/pki/tls/postfix-openssl.cnf

[ req ] default_bits = 1024 encrypt_key = yes distinguished_name = req_dn x509_extensions = cert_type prompt = no [ req_dn ] C=TW ST=Taiwan L=Taipei #O=Dovecot OU=SMTP server CN=mail.vclass.local emailAddress=alice@vclass.local [ cert_type ] nsCertType = server

產生 postfix 憑證

openssl req -new -x509 -nodes -config /etc/pki/tls/postfix-openssl.cnf -out /etc/pki/tls/certs/postfix.pem -keyout /etc/pki/tls/private/postfix.pem -days 3650

chown root:root /etc/pki/tls/certs/postfix.pem /etc/pki/tls/private/postfix.pem

chmod 0600 /etc/pki/tls/certs/postfix.pem /etc/pki/tls/private/postfix.pem

openssl x509 -subject -fingerprint -noout -in /etc/pki/tls/certs/postfix.pem

重啟服務

systemctl restart postfix

systemctl enable postfix

systemctl start saslauthd

systemctl enable saslauthd

開啟 firewall

firewall-cmd –permanent –add-service=smtp

firewall-cmd –permanent –add-port=587/tcp

firewall-cmd –permanent –add-port=993/tcp

firewall-cmd –permanent –add-port=995/tcp

firewall-cmd –reload

建立測試用的使用者

useradd alice

echo password | passwd alice –stdin

usermod -aG mail alice

useradd bob

echo password | passwd bob –stdin

usermod -aG mail bob &>/dev/null

最後，如果有需要透過 WWW 分享 certificate 的話…

yum -y install httpd

cp /etc/pki/dovecot/certs/dovecot.pem /var/www/html/

chmod 444 /var/www/html/dovecot.pem

systemctl start httpd

systemctl enable httpd

firewall-cmd –permanent –add-service=http

firewall-cmd –reload

先在 Mail Server，使用指令驗證

切換成 alice，以 mutt 登入 imaps

mutt -f imaps://mail.vclass.local

確認登入的帳號為 alice

輸入密碼【password】

成功登入

驗證 postfix

telnet 172.20.0.104 25

打聲招呼

ehlo mail.vclass.local

另外開個視窗，產生 base64 encode

perl -MMIME::Base64 -e ‘print encode_base64(“\000alice\000password“);’

驗證 SMTP Auth

AUTH PLAIN AGFsaWNlAHBhc3N3b3Jk

驗證加密的 SMTP

openssl s_client -starttls smtp -crlf -connect mail.vclass.local:25

Windows 10 內建的郵件

Outlook的設定

最後來安裝 Openwebmail

參考文件：https://openwebmail.org/openwebmail/download/centos/el7/00.README.txt

下載 repo

cd /etc/yum.repos.d/

wget ftp://openwebmail.org/pub/openwebmail/el7/openwebmail-el7.repo

檔案 /etc/yum.repos.d/openwebmail-el7.repo

[openwebmail-el7] name=Open WebMail for EL7 baseurl=ftp://openwebmail.org/pub/openwebmail/el7 enabled=1 gpgcheck=1 gpgkey=ftp://openwebmail.org/pub/openwebmail/RPM-GPG-KEY-openwebmail

直接使用 yum 安裝

yum install openwebmail

初始化

openwebmail-tool –init

修復權限的問題

openwebmail-tool –fix

安裝 mod_ssl，走 https 加密連線

yum install mod_ssl

systemctl restart httpd

firewall-cmd –permanent –add-service=https

firewall-cmd –reload

強制進入加密連線，準備的轉址的首頁 /var/www/html/index.html

<html> <head> <meta http-equiv="refresh" content="0; url=https://mail.vclass.local/cgi-bin/openwebmail/openwebmail.pl"> </head> </html>

Browser 只需要輸入簡單的網址

自動轉向到 Openwebmail 的加密連線

大功告成！

廣告