Build a complete email system (postfix + dovecot + clamAV + Spamassassin + amavisd-new)

Source: Internet
Author: User

======================================

Related Software:

1. Send email --- postfix

2. Identity authentication --- sasl2

3. Receive email --- dovecot

4. Anti-virus for email --- clamAV

5. Anti-spam --- spamassassin

6. Drives the virus and spam scanners on behalf of postfix --- amavisd-new

======================================

Open issues still to be addressed:

1. group email permission settings

2. user mailbox quota limit

======================================

Complete email system architecture

We know that a complete mail system should provide the following functions:

Basic functions: sending and receiving email

Security functions: identity authentication, anti-virus and anti-spam checks for sent and received email

The complete email system architecture flowchart is as follows:

Installation and configuration of related software

1. Install postfix together with the module that lets it query MySQL:
# aptitude install postfix-mysql

2. Check that postfix supports MySQL lookup tables (mysql must appear in the list):
# postconf -m
btree
cidr
environ
hash
internal
mysql
nis
proxy
regexp
sdbm
static
tcp
unix

3. Show the SASL server implementations postfix supports:
# postconf -a
cyrus
dovecot
4. Install Cyrus SASL authentication:
# aptitude install sasl2-bin libsasl2-modules-sql

5. Modify /etc/default/saslauthd:
START=no ==> START=yes

6. Restart saslauthd and check that it works:
# /etc/init.d/saslauthd restart
# testsaslauthd -u {username} -p {password}
If the following output appears, saslauthd is running and can perform authentication; otherwise check the username and password and try again:
0: OK "Success."

Note: {username} and {password} are the usernames and passwords used to log on to linux.

7. Enable SASL authentication in postfix
Edit /etc/postfix/main.cf and append the following lines:
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous

8. Modify /etc/postfix/master.cf so that these postfix services do not run chrooted (the fifth column, "chroot", changes from "-" to "n"):
smtp      inet  n       -       -       -       -       smtpd
rewrite   unix  -       -       -       -       -       trivial-rewrite
cleanup   unix  n       -       -       -       0       cleanup
==========>>>>>>>
smtp      inet  n       -       n       -       -       smtpd
rewrite   unix  -       -       n       -       -       trivial-rewrite
cleanup   unix  n       -       n       -       0       cleanup

The reason for this setting: without it, a chrooted trivial-rewrite cannot reach the MySQL socket, the following errors are logged every time a mail is sent, and the mail never goes out:

postfix/trivial-rewrite[10698]: warning: connect to mysql server localhost: Can't connect to local MySQL server through socket '/var/run/mysqld.sock'
postfix/trivial-rewrite[10698]: fatal: mysql:/etc/postfix/mysql_virtual_alias_maps.cf(0,lock|fold_fix): table lookup problem
postfix/smtpd[10394]: warning: problem talking to service rewrite: Success
postfix/master[10386]: warning: process /usr/lib/postfix/trivial-rewrite pid 10698 exit status 1
postfix/smtpd[10697]: warning: problem talking to service rewrite: Connection reset by peer
postfix/master[10386]: warning: /usr/lib/postfix/trivial-rewrite: bad command startup -- throttling

9. Install MySQL, create the database and table, and insert a test user:
# aptitude install mysql-client mysql-server
# mysql -u root -p
Enter password:
mysql> create database mail;
mysql> create table mail.users (id int(8) primary key auto_increment, username varchar(50), password varchar(50), domain varchar(50), quota int(10), maildir varchar(200));
mysql> insert into mail.users (username, password, domain, maildir, quota) values ('test', 'test', 'tiddy.com', 'tiddy.com/test/', 16000);
mysql> commit;

10. Tell Cyrus SASL how postfix should verify credentials (it can use pam/shadow/SQL/ldap; here SQL): create the file /etc/postfix/sasl/smtpd.conf with the following content:
pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
sql_engine: mysql
sql_hostnames: 127.0.0.1
sql_user: root
sql_passwd: tiddy
sql_database: mail
sql_select: SELECT password FROM users WHERE username = '%u'

11. Install telnet and test SMTP authentication against postfix:
# aptitude install telnet
# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.tiddy.com ESMTP Postfix (Debian/GNU)
auth login
334 VXNlcm5hbWU6
dGVzdA==
334 UGFzc3dvcmQ6
dGVzdA==
235 2.7.0 Authentication successful
mail from: <user1@tiddy.com>
250 2.1.0 OK
rcpt to: <tiddy@126.com>
250 2.1.5 OK
data
354 End data with <CR><LF>.<CR><LF>
Subject: alskdjlasd
lasdjflasdf
.
250 2.0.0 OK: queued as 4c1fb1_e6

Postfix SASL authentication against MySQL succeeded.

Note: the two dGVzdA== lines are the BASE64-encoded user name (test) and password (test) typed by the client.
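The AUTH LOGIN exchange above in code, as an added example that is not part of the original article: it encodes the client replies and decodes the server challenges with Python's base64 module (no mail server is needed; the server lines are simulated from the fixed prompts), and it also builds the single-token form used by AUTH PLAIN, which the mech_list above enables as well. Decoding the whole dialogue shows what anyone watching an unencrypted port-25 session sees, which is why the plaintext mechanisms should only be offered over TLS. The user name and password "test" are the page's values; everything else is constructed here.

```python
import base64
import binascii

# Challenges the server sent in the telnet session above (values from the page).
USERNAME_CHALLENGE = "VXNlcm5hbWU6"
PASSWORD_CHALLENGE = "UGFzc3dvcmQ6"


def decode_challenge(token: str) -> str:
    """Decode the token of a '334 <token>' server challenge into the prompt it carries."""
    return base64.b64decode(token, validate=True).decode("utf-8")


def encode_credential(value: str) -> str:
    """Encode one AUTH LOGIN reply (user name or password) as the client must send it."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def auth_login_dialogue(username: str, password: str) -> list:
    """(client line, server line) pairs of an AUTH LOGIN exchange.

    The server side is simulated with the fixed prompts a SASL server sends, so
    this runs without a mail server; it is a constructed transcript, not a capture."""
    return [
        ("AUTH LOGIN", "334 " + encode_credential("Username:")),
        (encode_credential(username), "334 " + encode_credential("Password:")),
        (encode_credential(password), "235 2.7.0 Authentication successful"),
    ]


def auth_plain_token(username: str, password: str, authzid: str = "") -> str:
    """AUTH PLAIN sends authzid, authcid and password NUL-separated in one base64 token."""
    return base64.b64encode(f"{authzid}\0{username}\0{password}".encode("utf-8")).decode("ascii")


def readable_dialogue(username: str, password: str) -> list:
    """The same exchange with every base64 token decoded: base64 is an encoding,
    not encryption, so the credentials are readable to anyone on the path."""
    out = []
    for client, server in auth_login_dialogue(username, password):
        code, _, token = server.partition(" ")
        server_text = f"{code} {decode_challenge(token)}" if code == "334" else server
        try:
            client_text = decode_challenge(client)
        except (binascii.Error, ValueError):
            client_text = client          # the "AUTH LOGIN" command itself is not base64
        out.append((client_text, server_text))
    return out


if __name__ == "__main__":
    for client, server in auth_login_dialogue("test", "test"):
        print("C:", client)
        print("S:", server)
    print(readable_dialogue("test", "test"))
    print("AUTH PLAIN token:", auth_plain_token("test", "test"))
```

The decoded transcript is the reason for combining smtpd_sasl_security_options with TLS in production: "noanonymous" alone still lets PLAIN and LOGIN travel in the clear.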

12. Install the POP3 server dovecot:
# aptitude install dovecot-pop3d

13. Create the virtual mail user (so that one system account owns the mail storage directory):
# groupadd -g 5000 vmail
# useradd -u 5000 -g 5000 vmail -d /var/vmail -m

14. Configure dovecot
Modify /etc/dovecot.conf:
1) Remove the comment sign (#) in front of:
base_dir = /var/run/dovecot
2) Protocols served by dovecot:
protocols = pop3 pop3s
3) Address dovecot listens on (*: all interfaces):
listen = *
4) Allow plaintext password authentication (POP3 clients here authenticate with plaintext passwords):
disable_plaintext_auth = no
5) Log file:
log_path = /var/log/dovecot.log
6) Debug/info log file:
info_log_path = /var/log/dovecot.info
7) Prefix of every log line:
log_timestamp = "%Y-%m-%d %H:%M:%S "
8) Where dovecot finds a user's mail when a POP3 client fetches it (%d = domain, %n = user name without the domain):
mail_location = maildir:/var/vmail/%d/%n/
9) Whether to enable debugging (useful while testing; best disabled once in production):
mail_debug = yes

10) dovecot POP3 authentication:

auth default {
  # authentication mechanisms
  mechanisms = plain login
  # password lookup during authentication (via SQL)
  passdb sql {
    # path of the SQL configuration file
    args = /etc/dovecot/dovecot-sql.conf
  }
  # user lookup during authentication (via SQL)
  userdb sql {
    # path of the SQL configuration file
    args = /etc/dovecot/dovecot-sql.conf
  }
  # listener socket through which postfix asks dovecot to authenticate SMTP clients
  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}

15. Modify /etc/dovecot/dovecot-sql.conf
1) Database driver:
driver = mysql
2) Database connection information:
connect = host=localhost dbname=mail user=root password=tiddy
3) Password scheme used in the database (PLAIN: stored in clear text, not hashed):
default_pass_scheme = PLAIN
4) Database queries (%n = user name without the domain):
password_query = SELECT username, domain, password FROM users WHERE username = '%n'
user_query = SELECT maildir, 5000 AS uid, 5000 AS gid FROM users WHERE username = '%n'

16. Modify /etc/postfix/main.cf again (NOTE: some of these lines already exist or were added in step 7; do not add them a second time)
######################## Basic configuration ##########################
myhostname = postfixsvr
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = tiddy.com
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
# The virtual domains listed in virtual_mailbox_domains decide which domains postfix accepts mail for, so these two are commented out.
# relay_domains = tiddy.com
# mydestination = tiddy.com

##################### Enable SASL auth ########################

# Make postfix use SASL authentication.
smtpd_sasl_auth_enable = yes

# Support SASL authentication by non-standard e-mail clients.
broken_sasl_auth_clients = yes

# Do not allow the ANONYMOUS mechanism.
smtpd_sasl_security_options = noanonymous

# Recipient restrictions (allow authenticated users and clients on the local networks defined by mynetworks, reject everyone else)
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject

# Client restrictions (allow authenticated clients and clients on the local networks defined by mynetworks, reject everyone else)
smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, reject
# SASL implementation
smtpd_sasl_type = dovecot

# SASL socket path, relative to the postfix queue directory (must match the socket listen path in the dovecot configuration file /etc/dovecot.conf)
smtpd_sasl_path = private/auth

############################## Virtual mailbox #####################################

# Root path of the virtual mailboxes
virtual_mailbox_base = /var/vmail

# Virtual mailbox mapping table
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf

# Virtual domains
virtual_mailbox_domains = tiddy.com

# Virtual alias mapping table (a user's mailbox aliases; contact groups are defined here too, since a group is just another kind of alias)
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf

# uid/gid that own the virtual mailboxes
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000

########################### Mail delivery agent #################################
virtual_transport = virtual

########################## Mailbox capacity limit ################################
# Maximum size of one mail. The postfix default is 10 MB, but that covers the mail body plus the
# encoded attachments; base64 encoding grows an attachment by about 35%, so the limit is set to 14 MB.
message_size_limit = 14336000
# Set to yes when Courier maildir++ quotas are used; the default is no.
virtual_maildir_extended = yes
virtual_create_maildirsize = yes

# Default mailbox size limit
virtual_mailbox_limit = 16000000
# Whether per-user limits may override the default mailbox size limit.
virtual_mailbox_limit_override = yes

# no: the limit applies to the whole maildir; yes: only to the inbox. The default is no.
virtual_mailbox_limit_inbox = no

# Per-user limits
virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf

# Message returned for an over-quota mailbox when 'virtual_maildir_limit_message_maps' is not set
virtual_maildir_limit_message = Sorry, overquota

# yes: reject over-quota mail with a 5xx error; no: return a 4xx error, so the sending side keeps the mail queued and retries
virtual_overquota_bounce = yes

# Whether the trash folder counts towards the quota. Requires virtual_trash_name. The default is no.
virtual_trash_count = no
# Name of the trash folder. The default is .Trash.
virtual_trash_name = ".Trash"
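An added example (not part of the article) that checks the reasoning behind message_size_limit = 14336000 with Python's standard email library: it builds a real MIME message carrying a binary attachment of a given size, measures what postfix will compare against the limit, and reports the overhead. The arithmetic in predicted_size is the same 4-for-3 expansion plus one line break per 76 characters; its fixed header allowance is an assumption of this example, not a postfix value, and the addresses are the page's test domain.

```python
import os
from email.message import EmailMessage

MESSAGE_SIZE_LIMIT = 14336000   # message_size_limit from the main.cf above


def build_message(attachment: bytes) -> bytes:
    """Build a MIME message the way a mail client would: a short text body plus one
    binary attachment, which the email library base64-encodes in 76-character lines."""
    msg = EmailMessage()
    msg["From"] = "test@tiddy.com"
    msg["To"] = "user1@tiddy.com"
    msg["Subject"] = "attachment size check (constructed example)"
    msg.set_content("See attachment.")
    msg.add_attachment(attachment, maintype="application", subtype="octet-stream",
                       filename="blob.bin")
    return msg.as_bytes()


def encoded_size(raw_bytes: int) -> int:
    """Size of the message postfix sees for an attachment of raw_bytes bytes."""
    return len(build_message(os.urandom(raw_bytes)))


def overhead_ratio(raw_bytes: int) -> float:
    """How much larger the message is than the raw attachment (the page's 'about 35%')."""
    return encoded_size(raw_bytes) / raw_bytes


def fits(raw_bytes: int, limit: int = MESSAGE_SIZE_LIMIT) -> bool:
    """Would a message carrying a raw_bytes attachment pass message_size_limit?"""
    return encoded_size(raw_bytes) <= limit


def predicted_size(raw_bytes: int, fixed_overhead: int = 700) -> int:
    """The arithmetic behind the figure: base64 turns every 3 bytes into 4 characters
    (+33.3%) and every 76 characters get a line break (+1.3%). fixed_overhead stands
    for headers and MIME boundaries and is an assumed value for this example."""
    chars = -(-raw_bytes // 3) * 4        # ceil(raw / 3) * 4
    lines = -(-chars // 76)               # ceil(chars / 76) line breaks
    return chars + lines + fixed_overhead


if __name__ == "__main__":
    one_mib = 2 ** 20
    print("overhead for a 1 MiB attachment: %.3f" % overhead_ratio(one_mib))
    print("predicted / measured:", predicted_size(one_mib), encoded_size(one_mib))
    for mib in (10, 11):
        print("%d MiB attachment fits under the limit: %s" % (mib, fits(mib * one_mib)))
```

A 10 MiB attachment still passes the 14 MB limit while an 11 MiB one does not; the measured overhead lands just over 35%, matching the comment in main.cf.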

17. Create the related files

(1) Create /etc/postfix/mysql_virtual_mailbox_maps.cf with the following content (it only defines the database query; the meaning of each line is not explained in detail):

user = root
password = tiddy
hosts = localhost
dbname = mail
table = users
select_field = maildir
where_field = username

(2) Create /etc/postfix/mysql_virtual_alias_maps.cf with the following content (likewise it only defines the database query):

user = root
password = tiddy
hosts = localhost
dbname = mail
table = alias
select_field = goto
where_field = address

18. Database structure

Database name: mail

Table users (id int(8) primary key auto_increment, username varchar(50), password varchar(50), domain varchar(50), quota int(10), maildir varchar(200))

Table alias (id int(8) primary key auto_increment, address varchar(100), goto varchar(5000), isgroup int(2))

Note:

(1) Whether the mail storage path in the maildir field of the users table ends with '/' decides the storage format: with a trailing '/' the mail is stored as a maildir, without it the mail is stored in a single mailbox file.

(2) The goto field of the alias table holds the target mailbox to which mail addressed to the alias is actually forwarded. For group forwarding, the goto field may hold several email addresses, separated by semicolons.
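To make steps 9, 15, 17 and 18 concrete, here is an added example (not code from the article) that loads the page's two tables into an in-memory SQLite database as a stand-in for MySQL (an assumption made so it runs offline) and performs the same lookups postfix and dovecot will: a mysql_*.cf map file becomes SELECT select_field FROM table WHERE where_field = key, dovecot's password_query and user_query run with %n substituted, mail_location is expanded, and note (1)'s trailing-slash rule is applied. The users row for "test" is the page's own INSERT; the other rows are constructed. One caveat for the alias table: postfix's virtual(5) documentation describes multiple addresses in a lookup result as comma-separated, so check the separator stored in goto against your postfix version before relying on semicolons.

```python
import sqlite3

# The page's two tables, translated from MySQL DDL to SQLite
# (int(8) auto_increment becomes INTEGER PRIMARY KEY AUTOINCREMENT).
SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    username VARCHAR(50), password VARCHAR(50), domain VARCHAR(50),
    quota INTEGER, maildir VARCHAR(200));
CREATE TABLE alias (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    address VARCHAR(100), goto VARCHAR(5000), isgroup INTEGER);
"""

# Sample rows: the first users row is the page's INSERT, the rest are constructed.
USERS = [
    ("test", "test", "tiddy.com", "tiddy.com/test/", 16000),
    ("user1", "secret1", "tiddy.com", "tiddy.com/user1", 16000),   # no trailing '/'
]
ALIASES = [
    ("postmaster@tiddy.com", "test@tiddy.com", 0),
]

# Columns each map file may name; validated before interpolation because they come
# from configuration, while the lookup key is always a bound parameter.
COLUMNS = {
    "users": {"username", "password", "domain", "quota", "maildir"},
    "alias": {"address", "goto", "isgroup"},
}


def build_db() -> sqlite3.Connection:
    """Create the in-memory database and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users (username, password, domain, maildir, quota) "
                     "VALUES (?, ?, ?, ?, ?)", USERS)
    conn.executemany("INSERT INTO alias (address, goto, isgroup) VALUES (?, ?, ?)", ALIASES)
    conn.commit()
    return conn


def postfix_map_lookup(conn, table, select_field, where_field, key) -> list:
    """Emulate a mysql:/etc/postfix/*.cf map: SELECT select_field FROM table WHERE where_field = key."""
    if table not in COLUMNS or {select_field, where_field} - COLUMNS[table]:
        raise ValueError("map file names an unknown table or column")
    rows = conn.execute(f"SELECT {select_field} FROM {table} WHERE {where_field} = ?",
                        (key,)).fetchall()
    return [row[0] for row in rows]


def dovecot_vars(login: str) -> dict:
    """Dovecot substitutions used on the page: %u full login, %n local part, %d domain."""
    local, _, domain = login.partition("@")
    return {"%u": login, "%n": local, "%d": domain}


def dovecot_password_query(conn, login):
    """password_query from dovecot-sql.conf with %n substituted."""
    return conn.execute("SELECT username, domain, password FROM users WHERE username = ?",
                        (dovecot_vars(login)["%n"],)).fetchone()


def dovecot_user_query(conn, login):
    """user_query from dovecot-sql.conf: maildir plus the fixed vmail uid/gid 5000."""
    row = conn.execute("SELECT maildir, 5000 AS uid, 5000 AS gid FROM users WHERE username = ?",
                       (dovecot_vars(login)["%n"],)).fetchone()
    return None if row is None else {"maildir": row[0], "uid": row[1], "gid": row[2]}


def expand_mail_location(template: str, login: str) -> str:
    """Expand mail_location = maildir:/var/vmail/%d/%n/ for one login name."""
    for var, value in dovecot_vars(login).items():
        template = template.replace(var, value)
    return template


def delivery_format(maildir_value: str) -> str:
    """Note (1): a trailing '/' selects maildir delivery, otherwise a single mailbox file."""
    return "maildir" if maildir_value.endswith("/") else "mailbox"


if __name__ == "__main__":
    db = build_db()
    print(postfix_map_lookup(db, "users", "maildir", "username", "test"))
    print(postfix_map_lookup(db, "alias", "goto", "address", "postmaster@tiddy.com"))
    print(dovecot_user_query(db, "test@tiddy.com"))
    print(expand_mail_location("maildir:/var/vmail/%d/%n/", "test@tiddy.com"))
```

Running it shows that the virtual_mailbox_maps lookup, dovecot's user_query and the expanded mail_location all resolve to the same directory, /var/vmail/tiddy.com/test/, which is what makes postfix delivery and dovecot retrieval agree.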

------------------------------------------------------------------- Installation and configuration of the basic email system ends here ---------------------------------------------------------------------------------

----------------------------------------------------------------- The following improves the basic email system with anti-virus and anti-spam processing ---------------------------------------------------------------------------------

1. Install the anti-virus software (ClamAV), SpamAssassin and the packages they depend on:
# apt-get install libnet-dns-perl pyzor razor arj bzip2 cabextract cpio file gzip lha nomarch pax rar unrar unzip zip
# apt-get install amavisd-new spamassassin clamav-daemon

2. Modify user permissions (amavis and clamav are added to each other's group):
# usermod -a -G clamav amavis
# usermod -a -G amavis clamav

3. Modify the spamassassin configuration file /etc/default/spamassassin:
ENABLED=0 ==> ENABLED=1
CRON=0 ==> CRON=1

4. Start spamassassin:
# /etc/init.d/spamassassin start

5. Modify the amavis configuration file /etc/amavis/conf.d/15-content_filter_mode
Uncomment the following lines (purpose: enable virus and spam checking):
@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

6. Modify the postfix configuration file /etc/postfix/main.cf: comment out mydestination and add the following:
# Hand mail received by postfix to the amavis program for scanning

content_filter = smtp-amavis:[127.0.0.1]:10024

7. Edit /etc/postfix/master.cf and append the following at the end of the file (note: each -o line must start with at least two spaces, which tells postfix that it continues the line above):
smtp-amavis unix -      -       -       -       2       smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20

127.0.0.1:10025 inet n  -       -       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

8. In /etc/postfix/master.cf, add the following two lines directly under the pickup line (note: each -o line must start with at least two spaces, which tells postfix that it continues the line above):
  -o content_filter=
  -o receive_override_options=no_header_body_checks
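An added example (not from the article) that parses a master.cf in the shape steps 7 and 8 produce and audits the amavis hand-off for the mistakes that matter most: forgetting "-o content_filter=" on the 127.0.0.1:10025 re-injection listener (every scanned mail would be sent to amavis again, a mail loop), leaving mynetworks or the client/recipient restrictions loose on that unfiltered port (it would accept mail from anything that can reach it), and omitting the pickup override. The master.cf text below is constructed from the page's lines plus Debian's default pickup entry; the audit rules and the helper that removes an option to show a failing audit are this example's own.

```python
import re

# master.cf excerpt mirroring steps 7 and 8 (constructed for this example; the pickup
# entry itself is Debian's default, only its -o lines come from the page).
MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
pickup    fifo  n       -       -       60      1       pickup
  -o content_filter=
  -o receive_override_options=no_header_body_checks
smtp-amavis unix -      -       -       -       2       smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20
127.0.0.1:10025 inet n  -       -       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
"""

FIELDS = ("type", "private", "unpriv", "chroot", "wakeup", "maxproc")
OPTION_RE = re.compile(r"^\s+-o\s+([A-Za-z0-9_]+)=(.*)$")


def parse_master_cf(text: str) -> dict:
    """Parse master.cf into {service: {columns..., 'command': str, 'options': {name: value}}}.
    A line starting with whitespace continues the previous service entry."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any service entry: %r" % raw)
            m = OPTION_RE.match(raw)
            if not m:
                raise ValueError("unparsable continuation line: %r" % raw)
            current["options"][m.group(1)] = m.group(2).strip()
            continue
        parts = raw.split()
        if len(parts) < 8:
            raise ValueError("a service entry needs 8 columns: %r" % raw)
        current = dict(zip(FIELDS, parts[1:7]))
        current["command"] = " ".join(parts[7:])
        current["options"] = {}
        services[parts[0]] = current
    return services


def audit_content_filter(services: dict, content_filter="smtp-amavis:[127.0.0.1]:10024",
                         reinject="127.0.0.1:10025") -> list:
    """Return the problems found with the amavis hand-off; an empty list means the
    loop-prevention and relay settings from the page are all present."""
    findings = []
    transport = content_filter.split(":", 1)[0]
    filt = services.get(transport)
    if filt is None:
        findings.append(f"main.cf content_filter names transport '{transport}' but master.cf does not define it")
    elif filt["command"].split()[0] != "smtp":
        findings.append(f"'{transport}' must be an smtp client to reach amavis")
    svc = services.get(reinject)
    if svc is None:
        findings.append(f"no '{reinject}' listener: amavis has nowhere to hand scanned mail back")
    else:
        opts = svc["options"]
        if opts.get("content_filter") != "":
            findings.append(f"'{reinject}' must set '-o content_filter=' (empty); otherwise scanned mail goes to amavis again, a mail loop")
        if opts.get("mynetworks") != "127.0.0.0/8":
            findings.append(f"'{reinject}' should set '-o mynetworks=127.0.0.0/8' so only local amavis is trusted")
        for name in ("smtpd_client_restrictions", "smtpd_recipient_restrictions"):
            if opts.get(name, "").replace(" ", "") != "permit_mynetworks,reject":
                findings.append(f"'{reinject}' {name} should be permit_mynetworks,reject so the unfiltered port cannot relay for others")
    pickup = services.get("pickup")
    if pickup is not None and pickup["options"].get("content_filter") != "":
        findings.append("pickup should set '-o content_filter=' so locally submitted mail is not filtered again")
    return findings


def drop_option(text: str, service: str, option: str) -> str:
    """master.cf text with one '-o option=...' line removed from a service (to show a failing audit)."""
    out, in_service = [], False
    for line in text.splitlines():
        if line and line[0] not in " \t":
            in_service = line.split()[0] == service
        if in_service and re.match(rf"^\s+-o\s+{re.escape(option)}=", line):
            continue
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("page config:", audit_content_filter(parse_master_cf(MASTER_CF)))
    broken = drop_option(MASTER_CF, "127.0.0.1:10025", "content_filter")
    print("without content_filter= on 10025:", audit_content_filter(parse_master_cf(broken)))
```

The same parser can be pointed at the live file (open("/etc/postfix/master.cf").read()) after the edits, which is a quicker check than waiting for the queue to fill with looping mail.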

9. Restart postfix:
# /etc/init.d/postfix reload

10. Modify /etc/amavis/conf.d/20-debian_defaults

For the meaning of the following parameters, see my other article "introduction, installation and configuration of amavisd-new in the mail system".
$final_spam_destiny = D_BOUNCE ==> $final_spam_destiny = D_DISCARD
$QUARANTINEDIR = "/data/virusmails";

11. Modify /etc/amavis/conf.d/05-node_id (if it is not set as shown below, errors are written to /var/log/mail.err when some of the mail-system services start, and they fail to start properly):
$myhostname = "mail.tiddy.com";

12. Modify /etc/amavis/conf.d/50-user and add the following (note: these lines cannot simply be appended at the end of the file; they must go above its closing "1;" line):

# Where spam and virus mail is quarantined (the name spam-quarantine refers to the $QUARANTINEDIR variable set in /etc/amavis/conf.d/20-debian_defaults,
# so this setting stores spam and virus mail under /data/virusmails)
$spam_quarantine_to = "spam-quarantine";
$virus_quarantine_to = "spam-quarantine";
# Black/white list settings
@whitelist_sender_maps = read_hash("/etc/amavis/whitelist");
@blacklist_sender_maps = read_hash("/etc/amavis/blacklist");

13. Create the blacklist and whitelist files in the /etc/amavis directory:
# touch /etc/amavis/whitelist
# touch /etc/amavis/blacklist

14. Restart all services

# /etc/init.d/clamav-daemon restart

# /etc/init.d/clamav-freshclam restart

# /etc/init.d/spamassassin restart

# /etc/init.d/amavis restart

# /etc/init.d/postfix restart

# /etc/init.d/dovecot restart
