Detailed steps for configuring a mail server on a CentOS system

Source: Internet
Author: User
Tags: imap, openssl, socket, vps, dovecot, mx record, ssl certificate, self signed certificate
After reading articles on the Internet about configuring a mail server, and after being burned by one of them, I found an article that describes the mail server configuration in detail.
I can see that the author is very patient, so I have reposted it here for reference; thanks to the original author for such an informative article.

Original link and copyright information: Noisy Guy >> Finally, the mail server was perfectly built with sendmail, dovecot, saslauthd, dkim-milter [1]
Original content
One day I happened to look at the processes on my VPS and found a sendmail there, as if I had seen it somewhere before... Later it suddenly occurred to me that CentOS must ship with it. Since I don't like letting it go to waste, I decided to set up a mail server. But this road was really hard: it got me stuck in an inexplicable place for a whole night, and in the end I got through by brute force. My poor VPS, I have almost squeezed you dry.

Let me describe the process of my tinkering, written from memory; I hope it is useful to you. I consulted a lot of material, but none of it was comprehensive, so what I am doing here is summarising it all in one place: one-stop service.

First, confirm that the necessary software is installed

rpm -qa | grep sendmail #mail server
rpm -qa | grep dovecot #imap pop3 server
rpm -qa | grep cyrus #sasl authentication support
If all of the above return something, congratulations, you can skip this step. If not, just follow along.

#Install whichever package is missing; if a newer version is already installed, you can skip it

yum install sendmail sendmail-cf
yum install dovecot
yum install cyrus-sasl
yum install cyrus-sasl-md5
yum install cyrus-sasl-plain
yum install cyrus-sasl-lib
Now we can configure sendmail. If you did not compile it yourself, there will be a sendmail.mc file in /etc/mail/. You can compile this file with m4 to produce sendmail.cf instead of editing sendmail.cf by hand; otherwise you will have to consult the sendmail.cf documentation. It makes no difference which way you go.

Open sendmail.mc

vi /etc/mail/sendmail.mc
Then modify the items below. Note: in an m4 file the opening quote is the backtick (the key next to "1") and the closing quote is an ordinary single quote. Copy the lines carefully, because web pages tend to convert these quote characters.

#First delete the dnl in front of these two lines, that is, uncomment them

dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
#To

TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
#Then change the address the SMTP daemon listens on; here I want the SMTP server to be usable for sending mail from anywhere

DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
#To (0.0.0.0 means listen on every interface, so the server is reachable from the public Internet)

DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA')dnl
Then generate the configuration, that is, just use this template to generate sendmail.cf

m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

#***************************
#If you see: sendmail.mc:10: m4: cannot open `/usr/share/sendmail-cf/m4/cf.m4': No such file or directory
#it means sendmail-cf needs to be installed:
#yum install sendmail-cf
#***************************
In fact, you can send mail now, but only send: you cannot receive anything. And even if you use this server to send, no mailbox provider will dare to accept your mail, because it will be treated as spam.

Now set up dovecot. This is what serves the mail, so that when you log in with a mail client it automatically downloads the mail to your machine.

vi /etc/dovecot/dovecot.conf
#Remove the comment character in front of the following line

#protocols = imap imaps pop3 pop3s
#To

protocols = imap pop3 lmtp
Then add the domain name to local-host-names

vi /etc/mail/local-host-names
#Then add your domain name(s), one per line. For example, if your VPS serves several domains, add each of them; I only have one here, so I just add
noisyguy.com
Then change the authentication method. I used saslauthd to authenticate; I heard this is the more secure option. First edit /usr/lib/sasl2/Sendmail.conf; if it does not exist, create it yourself. Note that this file name begins with a capital letter.

vi /usr/lib/sasl2/Sendmail.conf
#Add the line

pwcheck_method: saslauthd
Then edit /usr/lib/sasl2/smtpd.conf.rpmsave; likewise, create it if it does not exist

vi /usr/lib/sasl2/smtpd.conf.rpmsave
#Change the content to the following

log_level: 3
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
Then edit /etc/sysconfig/saslauthd

vi /etc/sysconfig/saslauthd

# Directory in which to place saslauthd's listening socket, pid file, and so
# on. This directory must already exist.
SOCKETDIR=/var/run/saslauthd
# Mechanism to use when checking passwords. Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled with the ability to use.
MECH=shadow #Change this line to shadow
# Additional flags to pass to saslauthd on the command line. See saslauthd(8)
# for the list of accepted flags.
FLAGS=
That is basically it. Now set the above services to start at boot and restart them.

#Enable at boot

chkconfig sendmail on
chkconfig dovecot on
chkconfig saslauthd on
#Restart

service sendmail restart
service dovecot restart
service saslauthd restart
Now you can add an account. Don't use the support account. I created that one at the very beginning, but I never received anything when I sent it mail. Looking at the logs, I found that it was all intercepted by the root account. I studied it for a whole night and still didn't understand it, nor did I know where to change it. In the end I could only believe that root is support's wife and that all of support's mail is read by root. After creating a separate account everything worked, and tears came to my eyes!

groupadd mailuser #Add a group
adduser -g mailuser -s /sbin/nologin testmail #Add a nologin account; pick a name that is not already an alias in /etc/aliases (support, for example, is aliased to postmaster there)
passwd testmail #Set the password
OK, now test whether testmail can be authenticated by saslauthd

testsaslauthd -u testmail -p password #password is the account's password
#If it returns OK "Success." it worked
Now test if SMTP is started

[root@mail]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 centos5 ESMTP Sendmail 8.13.8/8.13.8; Apri, 25 Tue 2012 06:21:29 +0800
helo localhost
250 centos5 Hello localhost.localdomain [127.0.0.1], pleased to meet you
mail from: <testmail@noisyguy.com>
250 2.1.0 <testmail@noisyguy.com>... Sender ok
rcpt to: <xxx@163.com>
250 2.1.5 <xxx@163.com>... Recipient ok
data
354 Enter mail, end with "." on a line by itself
From: alin
To: alin
Subject: Hello
test
.
250 2.0.0 o45MLTcH005157 Message accepted for delivery
quit
221 2.0.0 centos5 closing connection
Connection closed by foreign host.
#The lines without a three-digit reply code are the ones you type (to test outgoing mail, put a real external address in rcpt to). If there is no problem, the mail arrives at xxx@163.com
Next, set up your DNS: add a mail.noisyguy.com host name and then add an MX record.

Now add an account for SMTP

saslpasswd2 -u noisyguy.com -c testmail
#Then enter a password when prompted
However, you cannot use a client to log in to the mailbox yet, but you can use a client to send mail. Try it: put your server's address in the SMTP settings, use testmail@noisyguy.com as the user name with the password you just set with saslpasswd2, and do not enable SSL, because we have not added a certificate for SMTP yet.

To receive mail, we need to set up dovecot so that your IMAP account can be logged into from any IP. Edit /etc/dovecot/dovecot.conf

vi /etc/dovecot/dovecot.conf
#Find login_trusted_networks and change it to the following. Caution: this setting lists networks (normally proxies) that are allowed to pass on the real client IP; it is not an access list of who may log in, and 0.0.0.0/0 lets any client override the IP that gets logged

login_trusted_networks = 0.0.0.0/0
Then modify /etc/dovecot/conf.d/10-mail.conf

vi /etc/dovecot/conf.d/10-mail.conf
#Find mail_location to set the path of the mailbox

mail_location = mbox:~/mail:INBOX=/var/mail/%u
#Then find mail_privileged_group and give dovecot the group that owns the mailbox directory. Look at /var/mail to see which group owns it; mine is mail, so change it like this

mail_privileged_group = mail
Basically that is it. Now send an email to testmail@noisyguy.com and see whether the client receives it. Remember, the account name of the receiving mailbox is testmail, i.e. the Linux account. If there is a problem, look at the /var/log/maillog log, which describes in detail what went wrong.

If everything is OK, congratulations: you have your own business mailbox and no longer have to put up with the advertisements that come along when you send mail from other people's mailboxes. But we also want it to be even more perfect: get an SSL certificate, so that I don't have to worry about the national treasure reading my mail, nor about my password leaking, nor about 007. Mail without SSL is transmitted entirely in plain text; with SSL encryption you get the high-end treatment that bank websites have.

First let's get the IMAP certificate; this is for receiving, so that you can enable SSL on the receiving side as well. Dovecot has a script for generating certificates; let's use it, otherwise we would have to buy one. First download the script from the dovecot website. It is best to download it into /etc/pki/dovecot, because the script uses the dovecot-openssl.cnf file in that directory

cd /etc/pki/dovecot
wget http://dovecot.org/doc/mkcert.sh
Before running the script, modify it to set the path where the certificate is generated

vi mkcert.sh
#Find SSLDIR= and change it to

SSLDIR=${SSLDIR-/etc/pki/dovecot/keys}
Then rename the original test certificates, which are under /etc/pki/dovecot/keys/, one under certs/ and one under private/. Then modify dovecot-openssl.cnf to put your own information in.

[req]
default_bits = 1024                    # the script's default; 2048 is the size to use for a new key today
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
#No need to change the above; the defaults are fine

[req_dn]
# country (2 letter code)
C=FI                                   # two-letter country code; for China write CN

# State or Province Name (full name)
ST=                                    # your province

# Locality Name (eg. City)
L=Helsinki                             # your city

# Organization (eg. Company)
O=Dovecot                              # your company

# Organizational Unit Name (eg. Section)
OU=IMAP server                         # what this certificate is used for

# Common Name (*.example.com is also possible)
CN=imap.example.com                    # your mail server address, e.g. my mail.noisyguy.com

# E-mail contact
emailAddress=postmaster@example.com    # your e-mail

[cert_type]
nsCertType = server
After changing it, run mkcert.sh

/etc/pki/dovecot/mkcert.sh
Then you can see the generated certificate under /etc/pki/dovecot/keys/certs and the key under /etc/pki/dovecot/keys/private. OK, now set up dovecot to use the certificate: open /etc/dovecot/dovecot.conf and change mainly these items

ssl = yes #Enable SSL
# Preferred permissions: root:root 0444. Point this at the certificate mkcert.sh wrote under the SSLDIR set above, i.e. /etc/pki/dovecot/keys/certs/dovecot.pem
ssl_cert = </etc/ssl/certs/dovecot.pem
# Preferred permissions: root:root 0400. Likewise the key, /etc/pki/dovecot/keys/private/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
That is enough; you don't need the other advanced options unless you really run a mail server for an enterprise. If you do, go to dovecot's official website. Restart dovecot and then test whether it works

service dovecot restart

openssl s_client -connect mail.noisyguy.com:imaps

#If the following output appears, it means success
CONNECTED(00000003)
depth=2 /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/CN=mail.example.com
   i:/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
 1 s:/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
 2 s:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIE1DCCArygAwIBAgIDAMBPMA0GCSqGSIb3DQEBBAUAMFQxFDASBgNVBAoTC0NB
Y2VydCBJbmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5vcmcxHDAaBgNV
BAMTE0NBY2VydCBDbGFzcyAzIFJvb3QwHhcNMTAxMjIwMTM1NDQ1WhcNMTIxMjE5
MTM1NDQ1WjAmMSQwIgYDjksadnjkasndjksandjksandjksandj5YXJlYS5vcmcw
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3jOX3FC8wVqnb2r65Sfvk
cYUpJhlbhCfqPdN41c3WS0y1Jwwum1q4oMAJvdRnD5TMff1+fqTFy3lS1sYxIXiD
kBRo478eNqzXHMpBOqbvKjYp/UZgWUNA9ebI1nQtwd7rnjmm/GrtyItjahCsgzDS
qPAie+mXYzuT49ZoG+Glg7/R/jDcLMcJY0d5eJ7kufB1RLhvRitZD4FEbJVehqhY
aevf5bLk1BNFhzRBfLXmv6u/kfvWf2HjGAf0aFhaQyiAldDgnZrvaZOFjkToJk27
p9MguvwGmbciao0DmMjcJhQ0smclFwy8Kj98Tz+nTkfAlU8jJdb1J/tIatJdpSRh
AgMBAAGjgdwwgdkwDAYDVR0TAQH/BAIwADA0BgNVHSUELTArBggrBgEFBQcDAgYI
KwYBBQUHAwEGCWCGSAGG+EIEAQYKKwYBBAGCNwoDAzALBgNVHQ8EBAMCBaAwMwYI
KwYBBQUHAQEEJzAlMCMGCCsGAQUFBzABhadodHRwOi8vb2NzcC5jYWNlcnQub3Jn
LzBRBgNVknsadkjasnjdksandjksandjsnNlY3VyaXR5YXJlYS5vcmegKQYIKwYB
BQUHCAWgHQwbbWFpbC5qb2ludC5zZWN1cml0eWFyZWEub3JnMA0GCSqGSIb3DQEB
BQUAA4ICAQAX8ceObvUZNKYTlNQ/cv0BiA1XweRsVNca1ILACNLdVPR9mvf+aXCh
ODkHaZAmGngj1DfD4fJsTbaydGWSPeVH91Qi9F+Pi6szhsxylI83NKbuXihcenuG
twnte8aIb5FelVHttLQPSKRR62E8YmDWk3KYivuFAuZqDaGnWc5yeneTBpsGter/
4awqsgymBK2YEg1HIWMPaRBvwzCVN/yUyWhFH9Nj11f/xgZE87VXrjLHWT/73i2Z
S4uIZ2KHQUYuxMGldgpXm+QxFM8DGA6z1T1oPCVfW85cezlfr8QVvX6SXZrAUNL0
3D5YPzQuevW+5CrqnGA+F5ff4mBMl8R8Sg0+0LoLqt5PbpGyTt9vS1INZCdfvtIA
/d7Ae7Xp9W8FVRqd7tvNMIy3ZA0/wNMDUczkhC/YtvHfMELpjtMJAGF15OtO7Vik
V+FZnBP1Yd7760dtEmd6bF8vjcXCvDdxwGtcAehAUpIgAWvkHHOt8+H56tkFENAP
/ZpJ+Wr+K3lxkkG+BN1bucxMuAdVyTpFyZfKDHRXIO/5e0hpPOaTO+obD3kifzdh
yy7KmdKvDclHTiPuonJBzEXeM3JQBjcDHbMSyA6+38yBcso27h9VqCQJB2cZmSlW
ArS/9wt2X21KgeuGHlTZ/8z9gXAjQKXhDYECWWd6LkWl98ZDBihslQ==
-----END CERTIFICATE-----
subject=/CN=mail.example.com
issuer=/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
---
No client certificate CA names sent
---
SSL handshake has read 5497 bytes and written 293 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol: TLSv1
    Cipher: DHE-RSA-AES256-SHA
    Session-ID: 114A22BE4625B33F6893124ACF640AE0628B48B5039E90B3B9A20ADF7FA691F3
    Session-ID-ctx:
    Master-Key: B8A55EC91A060575CFB29503FBF7160C2DC8BCBFE02D20A7F704882F72D8D00272D8D002CE5CCC4B94A492F43ED8F
    Key-Arg: None
    TLS session ticket:
    0000 - 86 c7 46 63 a5 b6 48 74-16 d8 e0 a7 e2 64 e8 89   ..Fc..Ht.....d..
    0010 - 97 90 59 4b 57 f3 e2 b3-e2 d2 88 90 a8 aa b4 44   ..YKW..........D
    0020 - ea 24 08 5e b4 14 7f e1-2a 1a 1c 40 ca 85 e7 41   .$.^....*..@...A
    0030 - 9d 0d a8 4c f7 e3 db 1e-ef da 53 9c fe 43 cc 62   ...L......S..C.b
    0040 - 79 b6 ad ea 9d cf ca b2-37 41 b7 0f ea 7d 59 e8   y.......7A...}Y.
    0050 - 10 01 a0 eb dc c2 63 66-56 54 6a e8 3a 4b 93 49   ......cfVTj.:K.I
    0060 - 77 da e4 4b 21 e8 30 7e-bf 10 91 3a 2c f9 59 80   w..K!.0~...:,.Y.
    0070 - 01 1f 36 0b 92 85 67 55-c8 86 1d 44 b1 6f 0d ae   ..6...gU...D.o..
    0080 - 15 36 b6 49 3a ef 94 9a-ef 6d 27 f0 80 20 43 09   .6.I:....m'.. C.
    0090 - be 70 c5 30 15 3b 93 c6-c1 4c e9 7f 5c 34 98 dd   .p.0.;...L..\4..

    Compression: 1 (zlib compression)
    Start Time: 1292857721
    Timeout: 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
+OK Dovecot ready.
With that, you can set up SSL login on the client side.
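The "Preferred permissions" notes in the dovecot.conf snippet above are easy to get wrong after copying a key around. As an added example (not code from the original post), the following Python check reads the ssl_cert and ssl_key lines from a Dovecot configuration, confirms that both files exist, and flags a private key that group or others can read or a certificate that is group/world writable. The file names and contents created in demo() are constructed placeholders, not real certificates.

```python
"""Check the TLS file settings in a Dovecot config: do ssl_cert/ssl_key point
at files that exist, and is the private key readable only by its owner?"""
import os
import re
import stat
import tempfile

# Dovecot reads a file when the value starts with '<', e.g. ssl_key = </path/to/key
SSL_FILE_RE = re.compile(r"^\s*(ssl_cert|ssl_key)\s*=\s*<(\S+)", re.M)


def ssl_files(conf_text):
    """Return {'ssl_cert': path, 'ssl_key': path} for the settings present."""
    return {key: path for key, path in SSL_FILE_RE.findall(conf_text)}


def check_ssl_files(conf_text):
    """Return a list of findings; an empty list means both files look right."""
    findings = []
    files = ssl_files(conf_text)
    for key in ("ssl_cert", "ssl_key"):
        path = files.get(key)
        if path is None:
            findings.append(f"{key} is not set")
            continue
        if not os.path.isfile(path):
            findings.append(f"{key} points at {path}, which does not exist")
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{key} file {path} is group/world writable (mode {mode:04o})")
        if key == "ssl_key" and mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"private key {path} is readable by group/others "
                            f"(mode {mode:04o}); use 0400")
    return findings


def demo():
    """Run the check in a scratch directory: sloppy key mode, then the recommended 0400,
    then a config whose certificate path does not exist."""
    with tempfile.TemporaryDirectory() as tmp:
        cert = os.path.join(tmp, "dovecot.pem")   # hypothetical file names
        key = os.path.join(tmp, "dovecot.key")
        for path in (cert, key):
            with open(path, "w") as fh:
                fh.write("-----BEGIN PLACEHOLDER-----\n")  # constructed, not real key material
        conf = f"ssl = yes\nssl_cert = <{cert}\nssl_key = <{key}\n"
        os.chmod(cert, 0o444)
        os.chmod(key, 0o644)          # the mistake: key readable by everyone
        sloppy = check_ssl_files(conf)
        os.chmod(key, 0o400)          # the permission the page recommends
        fixed = check_ssl_files(conf)
        missing = check_ssl_files("ssl = yes\nssl_cert = </nonexistent/cert.pem\n")
    return sloppy, fixed, missing


if __name__ == "__main__":
    for label, result in zip(("sloppy", "fixed", "missing"), demo()):
        print(label, result or "no findings")
```

To use it on a real server, pass the contents of /etc/dovecot/dovecot.conf (or conf.d/10-ssl.conf on Dovecot 2) to check_ssl_files() as root, since the key is supposed to be unreadable to anyone else.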

Now let's set up SMTP with SSL for sending

We will again sign the certificate ourselves; who told me I have no money to buy a real one.

cd /etc/pki/tls/certs
make sendmail.pem
After entering the above command you will be asked for some information, which is the same as in the previous step. Then configure the /etc/mail/sendmail.mc file

vi /etc/mail/sendmail.mc
#Then find this line and delete the leading dnl

dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
#Then find the following lines, put your certificate path in, and remember to delete the dnl

dnl define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
dnl define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
dnl define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
dnl define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
#Regenerate sendmail.cf and restart sendmail

m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
service sendmail restart
Let's test whether it is successful

telnet localhost 25
EHLO localhost
#If you see

250-STARTTLS
#Congratulations, you succeeded
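The EHLO test above only shows that STARTTLS is offered. As an added example (not part of the original post), this Python script goes one step further: it records the EHLO features before and after STARTTLS and flags a server that offers PLAIN or LOGIN on the unencrypted connection, which is what the sendmail.mc above does, since confAUTH_MECHANISMS lists LOGIN and PLAIN with no restriction. The host name given to audit_smtp_server() is the caller's assumption; assess_auth_offer() is a pure policy function that runs offline on constructed feature dicts.

```python
"""Audit the SMTP AUTH offer of a mail server: STARTTLS must be advertised,
and the plaintext mechanisms PLAIN/LOGIN should appear only in the EHLO
response given after STARTTLS."""
import smtplib
import ssl

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def _mechs(features):
    """AUTH mechanisms from an smtplib esmtp_features dict (keys are lower-case)."""
    return set(features.get("auth", "").upper().split())


def assess_auth_offer(before_tls, after_tls):
    """Policy check on the EHLO feature dicts seen before and after STARTTLS."""
    findings = []
    if "starttls" not in before_tls:
        findings.append("STARTTLS not advertised")
    if _mechs(before_tls) & PLAINTEXT_MECHS:
        findings.append("PLAIN/LOGIN offered before STARTTLS: a client may send "
                        "the password in the clear")
    if not _mechs(after_tls):
        findings.append("no AUTH offered after STARTTLS: clients cannot log in over TLS")
    return findings


def audit_smtp_server(host, port=25, cafile=None, timeout=10):
    """Connect to a live server (host is the caller's assumption), EHLO, STARTTLS,
    EHLO again, and return the findings. cafile may be the self-signed
    sendmail.pem itself, since a self-signed certificate is its own CA."""
    ctx = ssl.create_default_context(cafile=cafile)
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        before = dict(smtp.esmtp_features)
        if not smtp.has_extn("starttls"):
            return assess_auth_offer(before, {})
        smtp.starttls(context=ctx)
        smtp.ehlo()  # the feature list must be re-read after the TLS handshake
        after = dict(smtp.esmtp_features)
    return assess_auth_offer(before, after)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    for line in audit_smtp_server(host) or ["no findings"]:
        print(line)
```

On the sendmail side, the setting that makes this check pass is the `p` flag of confAUTH_OPTIONS, `define(`confAUTH_OPTIONS', `A p')dnl` in sendmail.mc, which withholds PLAIN and LOGIN until a security layer (here STARTTLS) is active; regenerate sendmail.cf with m4 afterwards as above.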
It seems everything is finished here: send, close, all normal. However, if the other party's mailbox is a big-name one like Gmail, is your mail treated as spam? Everything seemed normal before, but after enabling SSL authentication this is what happened. Could it be that I used a self-signed certificate? Who told me to have no money! Who told me to have no money! Who decided this thing should cost money!

However, I have a way: set up DKIM to add a digital signature to the mail our server sends. If you can add an SPF record to your domain name, you don't need to read further, because adding an SPF record easily solves this problem.

First we install dkim-milter

rpm -ivh http://dl.fedoraproject.org/pub/epel/5/i386/dkim-milter-2.8.3-8.el5.i386.rpm
After installation you can run it from anywhere, but it is best to run the following command in a directory you are familiar with

dkim-genkey -r -d noisyguy.com
#Replace noisyguy.com with your domain name
It generates a default.private and a default.txt file in the current directory. default.txt is the public key part; open it and you will see the following

default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2ubSRHUKzL4ucfzuMKEHyy6rx/WlrZB5SKYKrCsSJWUpQstNqjcaLntaQtmKEnDgDr5rMvklaByf8vE5guqZerZ8UWeBx5joIwuohjkapgM/R6lFmI9VUj8N/c5O9AxQAOQLgnDNPl5OQamUuOp9c5W0jLbYd/hrymPYBSKEi0wIDAQAB" ; ----- DKIM default for noisyguy.com
Now add a TXT record in your domain's DNS: the name is default._domainkey and the value is the string of gibberish in double quotes above. Next, configure dkim-milter: open /etc/mail/dkim-milter/dkim-filter.conf and modify the following items.

#The domain name
Domain noisyguy.com
#Where the private key is saved
KeyFile /etc/mail/dkim/keys/default.private
#If KeyList is set, this item is ignored; if there is only one key, comment out KeyList
#The selector name this machine signs with, e.g. mail1. Verifiers look up <selector>._domainkey.<domain>, so it must be the name of the TXT record you published (the key generated above was published as default._domainkey)
Selector mail1
#The socket sendmail connects to; it must be the same path as S= in the INPUT_MAIL_FILTER line in sendmail.mc
Socket local:/var/run/dkim-milter/dkim.sock
Next, we configure sendmail and open /etc/mail/sendmail.mc

vi /etc/mail/sendmail.mc
#Then add the following two lines (the S= socket must be the same path as the Socket line in dkim-filter.conf)

INPUT_MAIL_FILTER(`dkim-milter', `S=local:/var/run/dkim-milter/dkim-milter.sock')dnl
define(`confMILTER_MACROS_ENVFROM', `i, {auth_type}, {auth_authen}, {auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr}')dnl
#Regenerate sendmail.cf

m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
Then start dkim-milter and restart sendmail

service dkim-milter start
service sendmail restart
At this point everything is really finished. Try sending a few mails; they should no longer be treated as junk, and you can see the DKIM signature in the mail headers

DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=noisyguy.com;
	s=default; t=1335321913;
	bh=vhGcrWEOzdLzyNBO5N2CRkI2e6xSCoIb8v7XqSpD+Rc=;
	h=From:Content-Type:Content-Transfer-Encoding:Subject:Date:
	 Message-Id:To:Mime-Version;
	b=LPFwdhKTx2UNdRFaSruV35Dl3StNqSu9/BRdyje/wJvt6mK9HjXYdLdNXfncTJPtR
	 daYtSoes7nQyHBHacpEvNBaErdb+8Y7eUNp6ZN/w9qFS5UT1JKK/UWnjG7FkAB2nmr
	 m0i1Swt5wHjFS1xzijmegXx+bDJt65//atKyxYAE=
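As an added example (not code from the original post), the following Python script runs the consistency checks a DKIM rollout needs: it parses the default.txt record that dkim-genkey produced (the page's key, with extraction whitespace removed, embedded as a constructed sample), reads the RSA modulus size out of the p= value with a minimal DER walk, and cross-checks the DKIM-Signature header above against it. On this page's own values it points out two things: the key is 1024 bits where RFC 8301 recommends 2048, and the Selector mail1 in dkim-filter.conf does not match the default._domainkey record that was published (the header shows the milter signing with s=default, and verifiers query <s>._domainkey.<d>, so the lookup only works while the two agree). SELECTOR_IN_CONF and the sample data are assumptions taken from the page; the script checks structure only and does not verify the signature, which would need the canonicalised message.

```python
"""Sanity checks on a DKIM deployment: the selector record from default.txt,
the Selector in dkim-filter.conf, and a DKIM-Signature header the milter produced."""
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # id-rsaEncryption
RECOMMENDED_BITS = 2048  # RFC 8301: signers SHOULD use 2048-bit RSA keys

# Constructed samples: the page's record, header and Selector value.
DEFAULT_TXT = (
    'default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; '
    'p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2ubSRHUKzL4ucfzuMKEHyy6rx/'
    'WlrZB5SKYKrCsSJWUpQstNqjcaLntaQtmKEnDgDr5rMvklaByf8vE5guqZerZ8UWeBx5joIwuohjkapgM/'
    'R6lFmI9VUj8N/c5O9AxQAOQLgnDNPl5OQamUuOp9c5W0jLbYd/hrymPYBSKEi0wIDAQAB" '
    '; ----- DKIM default for noisyguy.com'
)
SIGNATURE_HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=noisyguy.com;\n"
    "\ts=default; t=1335321913;\n"
    "\tbh=vhGcrWEOzdLzyNBO5N2CRkI2e6xSCoIb8v7XqSpD+Rc=;\n"
    "\th=From:Content-Type:Content-Transfer-Encoding:Subject:Date:\n"
    "\t Message-Id:To:Mime-Version;\n"
    "\tb=LPFwdhKTx2UNdRFaSruV35Dl3StNqSu9/BRdyje/wJvt6mK9HjXYdLdNXfncTJPtR\n"
    "\t daYtSoes7nQyHBHacpEvNBaErdb+8Y7eUNp6ZN/w9qFS5UT1JKK/UWnjG7FkAB2nmr\n"
    "\t m0i1Swt5wHjFS1xzijmegXx+bDJt65//atKyxYAE="
)
SELECTOR_IN_CONF = "mail1"  # the Selector line the page puts in dkim-filter.conf


def parse_tags(text):
    """Split a DKIM tag=value list; whitespace inside values is line folding and is dropped."""
    tags = {}
    for item in text.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def _tlv(buf, pos):
    """Read one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def rsa_modulus_bits(spki):
    """Modulus size of a DER SubjectPublicKeyInfo carrying an RSA key."""
    tag, pos, end = _tlv(spki, 0)                   # SubjectPublicKeyInfo SEQUENCE
    if tag != 0x30 or end != len(spki):
        raise ValueError("not a DER SEQUENCE")
    _, alg_start, alg_end = _tlv(spki, pos)         # AlgorithmIdentifier SEQUENCE
    _, oid_start, oid_end = _tlv(spki, alg_start)   # algorithm OID
    if spki[oid_start:oid_end] != RSA_OID:
        raise ValueError("not an RSA key")
    _, bits_start, _ = _tlv(spki, alg_end)          # BIT STRING; first byte = unused bits
    _, key_start, _ = _tlv(spki, bits_start + 1)    # RSAPublicKey SEQUENCE
    tag, n_start, n_end = _tlv(spki, key_start)     # modulus INTEGER
    if tag != 0x02:
        raise ValueError("modulus missing")
    return int.from_bytes(spki[n_start:n_end], "big").bit_length()


def check_dkim_record(zone_line):
    """Check the record dkim-genkey wrote to default.txt; returns name, key size, problems."""
    m = re.match(r'^(\S+)\s+IN\s+TXT\s+"([^"]*)"', zone_line)
    if not m:
        raise ValueError("not a TXT record line")
    name, tags = m.group(1), parse_tags(m.group(2))
    problems, bits = [], None
    if tags.get("v") != "DKIM1":
        problems.append("v= tag missing or not DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("unsupported key type k=" + tags["k"])
    if not tags.get("p"):
        problems.append("empty p= tag (key revoked)")
    else:
        bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
        if bits < RECOMMENDED_BITS:
            problems.append(f"{bits}-bit key, below the recommended {RECOMMENDED_BITS}")
    return {"name": name, "bits": bits, "problems": problems}


def signature_tags(header):
    """Tags of a DKIM-Signature header (the field name before the first colon is dropped)."""
    return parse_tags(header.split(":", 1)[1])


def check_signature(header, record, domain, selector_in_conf):
    """Cross-check a produced signature against the published record and the milter config."""
    tags = signature_tags(header)
    lookup = f"{tags['s']}._domainkey.{tags['d']}"  # what a verifier will query in DNS
    problems = []
    if lookup != f"{record['name']}.{domain}":
        problems.append(f"verifiers query {lookup} but the record is {record['name']}.{domain}")
    if tags["s"] != selector_in_conf:
        problems.append(f"dkim-filter.conf Selector {selector_in_conf!r} differs from signed s={tags['s']}")
    if record["bits"] and len(base64.b64decode(tags["b"])) * 8 != record["bits"]:
        problems.append("b= length does not match the published key size")
    if tags.get("a") == "rsa-sha256" and len(base64.b64decode(tags["bh"])) != 32:
        problems.append("bh= is not a SHA-256 digest")
    return problems


if __name__ == "__main__":
    record = check_dkim_record(DEFAULT_TXT)
    print(record)
    print(check_signature(SIGNATURE_HEADER, record, "noisyguy.com", SELECTOR_IN_CONF))
```

To run it against your own domain, paste the line from default.txt into DEFAULT_TXT, a DKIM-Signature header from a sent message into SIGNATURE_HEADER, and the Selector value from dkim-filter.conf into SELECTOR_IN_CONF; an empty list from check_signature() means the three agree.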
Is everything perfect?

