I. Principles of mail service
The mail service is one of the most commonly used services in daily life. In older releases the default MTA was sendmail; in releases after CentOS 6 the default is postfix. Before configuring postfix you also need MX records, set up through a third-party DNS or an internal DNS. Before going further, we should clarify three concepts: MTA, MUA and MDA.
Let's take a look at an email sending diagram:
MUA (Mail User Agent) --- unless you can use telnet-like software to log on to the mail server directly and send a letter by hand, you must use a MUA to hand your email to the mail server. Common MUAs include Foxmail, Outlook, Thunderbird and KMail.
MTA (Mail Transfer Agent) --- if a server can send mail on behalf of a user, it is an MTA. An MTA provides two functions: 1. receiving mail through SMTP (Simple Mail Transfer Protocol); 2. forwarding mail. The postfix and sendmail mentioned in this article are MTA software.
MDA (Mail Delivery Agent) --- a small program under the MTA. Its main function is to analyse the header or content of mail received by the MTA and then decide the mail's destination according to the relevant policies. The forwarding function mentioned above is implemented by the MDA; it is also used for mail filtering and auto-reply. Besides the MDA built into sendmail and postfix, there are third-party MDA tools such as procmail and mailhandler + SpamAssassin.
According to the preceding flow chart, the steps by which a MUA sends an email to a mail account are as follows:
1. Have an account and password on an MTA. Generally you can apply for a mailbox online, for example at 163, Sina or 139;
2. Use the MUA to write an email and send it to the MTA;
3. If the destination is the local MTA, the MDA delivers the mail to the mailbox; if the destination is another MTA, the mail is relayed;
4. The recipient's MTA server receives the email.
In addition, we also need to know about the MRA (Mail Retrieval Agent) --- mail retrieval agent. The SMTP protocol provided by the MTA handles sending and receiving, but "receiving" only means that the message is stored in the mailbox of the corresponding account on the server. Not every user can log on to the server to read their mail; the MRA solves this problem: through POP3 or IMAP, client software logs on to the server, fetches the mailbox contents and reads them locally. MRA is not the focus of this section; I will discuss it later.
II. Common configuration files and commands
1. Configuration file
The main postfix configuration files are in the /etc/postfix directory:
# rpm -qc postfix
/etc/pam.d/smtp.postfix
/etc/postfix/access
/etc/postfix/canonical
/etc/postfix/generic
/etc/postfix/header_checks
/etc/postfix/main.cf
/etc/postfix/master.cf
/etc/postfix/relocated
/etc/postfix/transport
/etc/postfix/virtual
/etc/sasl2/smtpd.conf
Here we select several major files for annotation.
main.cf --- the main postfix configuration file; almost all configuration is done here. Restart postfix after modifying it;
master.cf --- specifies the running parameters of the postfix programs; generally no change is needed;
access --- external table used to allow relaying for, or reject, a given source or destination (IP, hostname or address). For this file to take effect it must be enabled in /etc/postfix/main.cf, and after editing it the database must be generated with postmap;
virtual --- virtual alias domain table, which must be enabled in main.cf;
header_checks --- mainly used to filter mail header content with regular-expression matching rules; body filtering can be set up the same way with a copy of this file;
There is also /etc/aliases, which holds mail aliases and contact-group settings. It is not part of the postfix package but of the setup package; postalias or newaliases is still needed to generate its database file.
2. postfix commands
/usr/sbin/postconf --- lists the current postfix configuration; default values are shown as well. To list only the non-default values (those changed by hand), use postconf -n.
/usr/sbin/postfix --- the main postfix program. Common uses:
# postfix check <= check that the files and permissions postfix needs are correct
# postfix start <= start postfix
# postfix stop <= stop postfix
# postfix flush <= force delivery of the mail currently in the queue
# postfix reload <= re-read the configuration file, i.e. /etc/postfix/main.cf
/usr/sbin/postalias --- alias database generation command; it builds /etc/aliases.db from /etc/aliases:
# postalias hash:/etc/aliases
/usr/sbin/postcat --- shows the content of a message in the mail queue, for example:
# postcat /var/spool/postfix/maildrop/F36DDC08FF
/usr/sbin/postmap --- like postalias, but used to turn the access file into a database file:
# postmap hash:/etc/postfix/access
/usr/sbin/postqueue --- commonly used as postqueue -p; its output is similar to mailq.
3. Set up the postfix service
Suppose we have two servers on the LAN: one is the DNS server and the other the postfix mail server:
DNS server: 192.168.0.109
Mail Server: 192.168.0.110
1. DNS configuration
Add the following to the domain configuration in the unbound.conf file on the DNS server:
local-data: "361way.com. IN MX 5 mail.361way.com"
local-data: "mail.361way.com. IN A 192.168.0.110"
For details of the DNS configuration, see RH254 summary (1), setting up the unbound DNS server.
2. postfix configuration
Set the host name in /etc/hostname to mail.361way.com, point the local DNS resolver at 192.168.0.109, and verify that pinging mail.361way.com and looking up the MX record both resolve to 192.168.0.110.
Modify the following parts of /etc/postfix/main.cf:
# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases   <= mail alias table
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_interfaces = all   <= listening interfaces; the default is localhost (127.0.0.1), all listens on every interface
inet_protocols = all   <= if there is no IPv6 address this can be set to ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, $mydomain, localhost   <= host names for which mail is accepted locally
mydomain = 361way.com   <= domain part of the From address in the header; only this name may be used as the host part of the address
myhostname = mail.361way.com   <= host name
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
unknown_local_recipient_reject_code = 550
3. Firewall configuration
[root@mail ~]# firewall-cmd --permanent --add-service=smtp
success
[root@mail ~]# firewall-cmd --add-service=smtp
success
4. Mail test
Create two new users, testa and testb. Switch to testa and run the following test:
[testa@mail ~]$ echo 'test page' | mail -s 'first mail' testb@361way.com
Switch to the testb user and run the mail command to view the message:
[testb@mail ~]$ mail
Heirloom Mail version 12.5 7/5/10.  Type ? for help.
"/var/spool/mail/testb": 1 message 1 new
>N  1 testa@361way.com      Tue Sep  1  18/556   "first mail"
& 1
Message  1:
From testa@361way.com  Tue Sep  1 21:22:48 2015
Return-Path: <testa@361way.com>
X-Original-To: testb@361way.com
Delivered-To: testb@361way.com
Date: Tue, 01 Sep 2015 21:22:48 +0800
To: testb@361way.com
Subject: first mail
User-Agent: Heirloom mailx 12.5 7/5/10
Content-Type: text/plain; charset=us-ascii
From: testa@361way.com
Status: R

test page

&
IV. postfix email filtering
Email filtering is a broad concept. It covers filtering by IP address, domain name and email address, and filtering of mail content (header, body and MIME attachments). The lookup tables can also be divided into regexp (standard regular expression) tables, pcre (Perl-compatible regular expression) tables and CIDR tables.
1. Source filtering
The biggest advantage of configuring through this file is that postfix does not need to be restarted: as soon as the database has been regenerated, the change takes effect. The other options are described in the comments in the file.
The rule format is: the key (an IP address, partial IP, hostname or email address) followed by the action postfix takes for it, for example OK or REJECT.
[root@mail ~]# vim /etc/postfix/access
115.28.174.118   OK
.com             OK
av.com           REJECT
192.168.2.       REJECT
# OK means accept, REJECT means reject
[root@mail ~]# postmap hash:/etc/postfix/access
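To see which line of an access table postfix would actually apply to a given client or sender, it helps to model the lookup order from access(5): for a hostname the exact name is tried first and then each parent domain; for an IP address the full address and then the address with its least significant octets stripped; for a sender address user@domain, then the domain keys, then user@. The following Python script is an added example, not postfix code; it loads a constructed copy of the table above (plus one user@ entry) and answers that question offline. One caveat it makes visible: whether the parent-domain keys carry a leading dot depends on the parent_domain_matches_subdomains setting. With the default (smtpd_access_maps listed), av.com also matches its subdomains and the .com line is never consulted; only with smtpd_access_maps removed from that setting is the leading-dot form looked up.

```python
"""Model of the lookup order postfix applies to an access(5) table.

Added example, not postfix code.  The table below is a constructed copy of
the page's /etc/postfix/access plus one user@ entry."""

ACCESS_TABLE = """\
# Constructed sample: the page's entries plus one user@ entry
115.28.174.118   OK
.com             OK
av.com           REJECT
192.168.2.       REJECT
spammer@         REJECT no mail from this user
"""


def parse_access_table(text):
    """Map lower-cased lookup key -> action text (e.g. 'REJECT some reason')."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("access line needs a key and an action: " + line)
        key = parts[0].lower()
        # access(5) writes partial networks as "192.168.2" (no trailing dot);
        # normalise the page's "192.168.2." spelling to that form
        if key.endswith(".") and len(key) > 1:
            key = key[:-1]
        rules[key] = parts[1].strip()
    return rules


def ipv4_keys(address):
    """1.2.3.4, then 1.2.3, 1.2, 1 (least significant octets stripped)."""
    octets = address.split(".")
    return [".".join(octets[:n]) for n in range(len(octets), 0, -1)]


def domain_keys(name, dot_form=False):
    """Exact name, then each parent domain.  With smtpd_access_maps in
    parent_domain_matches_subdomains (the default) the parent keys have no
    leading dot; otherwise only the '.parent.tld' form is looked up."""
    labels = name.lower().split(".")
    keys = [name.lower()]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append("." + parent if dot_form else parent)
    return keys


def email_keys(address, dot_form=False):
    """user@domain, then the domain keys, then user@ ."""
    local, _, domain = address.lower().partition("@")
    return [address.lower()] + domain_keys(domain, dot_form) + [local + "@"]


def lookup(rules, keys):
    """(matched_key, action) for the first key present in the table, else None."""
    for key in keys:
        if key in rules:
            return key, rules[key]
    return None


def check_client(rules, client_name, client_address, dot_form=False):
    """check_client_access order: hostname and its parents, then the address."""
    return (lookup(rules, domain_keys(client_name, dot_form))
            or lookup(rules, ipv4_keys(client_address)))


def check_sender(rules, sender, dot_form=False):
    """check_sender_access order for a MAIL FROM address."""
    return lookup(rules, email_keys(sender, dot_form))


if __name__ == "__main__":
    table = parse_access_table(ACCESS_TABLE)
    for host, ip in [("mx.av.com", "1.2.3.4"), ("unknown", "192.168.2.77")]:
        print(host, ip, "->", check_client(table, host, ip))
    print("mx.av.com, leading-dot keys ->",
          check_client(table, "mx.av.com", "1.2.3.4", dot_form=True))
    print("SPAMMER@example.net ->", check_sender(table, "SPAMMER@example.net"))
```

The two calls for mx.av.com show the practical effect of the setting: under the default the host is rejected by the av.com line, while with leading-dot keys the .com OK line wins instead, so a table written in one style silently changes meaning under the other.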
2. Mail header filtering
2.1 /etc/postfix/main.cf
# For details, see "man header_checks"
header_checks = regexp:/etc/postfix/header_checks
2.2 Add the following rule to the /etc/postfix/header_checks file:
/^Subject:.*lottery.*/ REJECT Bye, spam mail!
This means that every mail whose Subject contains "lottery" is rejected, and the rejection reason returned automatically is "Bye, spam mail!".
2.3 Verify with the testa user by sending an email whose subject contains the keyword lottery:
[testa@mail ~]$ echo 'Hi, money' | mail -s 'lottery mail' testb@361way.com
After execution, switch to testb and run mail to confirm that the email was not received. Switching back to testa, you will find the following bounce message:
[testa@mail ~]$ mail
"/var/spool/mail/testa": 1 message 1 new
>N  1 Mail Delivery System  Tue Sep  1  69/2166  "Undelivered Mail Returned to Sender"
& 1
Message  1:
From MAILER-DAEMON  Tue Sep  1 22:34:47 2015
Return-Path: <>
X-Original-To: testa@361way.com
Delivered-To: testa@361way.com
Date: Tue,  1 Sep 2015 22:34:47 +0800 (CST)
From: MAILER-DAEMON@361way.com (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: testa@361way.com
Auto-Submitted: auto-replied
Content-Type: multipart/report; report-type=delivery-status;
        boundary="8B5D988435.1441118087/mail.361way.com"
Status: R

Part 1:
Content-Description: Notification
Content-Type: text/plain; charset=us-ascii

This is the mail system at host mail.361way.com.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

<testb@361way.com>: Bye, spam mail!

Part 2:
Content-Description: Delivery report
Content-Type: message/delivery-status

Part 3:
Content-Description: Undelivered Message Headers
Content-Type: text/rfc822-headers

Return-Path: <testa@361way.com>
Received: by mail.361way.com (Postfix, from userid 1000)
        id 8B5D988435; Tue,  1 Sep 2015 22:34:47 +0800 (CST)
Date: Tue, 01 Sep 2015 22:34:47 +0800
To: testb@361way.com
Subject: lottery mail
User-Agent: Heirloom mailx 12.5 7/5/10
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20150901143447.8B5D988435@mail.361way.com>
From: testa@361way.com

& exit
Note: after each modification of the header_checks file the postfix service has to be restarted for the change to take effect, which is inconvenient. You can also run the following command to have it take effect temporarily:
# postmap -q - regexp:/etc/postfix/header_checks < /etc/postfix/header_checks
or
# postmap -q - pcre:/etc/postfix/header_checks < /etc/postfix/header_checks
depending on the regular-expression type used.
3. Mail content filtering
Add the following line to main.cf:
body_checks = regexp:/etc/postfix/body_checks
Add the following to the /etc/postfix/body_checks file:
/I love you/ REJECT Bye, love spam mail!
/I love you/ REJECT 'Fuck your love'
Note that body matching is case-insensitive, which differs from header matching. If the mail body contains the above string it is rejected; no * is needed before or after the string. Send a test mail as testa:
[testa@mail ~]$ echo 'testb, I love you!' | mail -s 'love mail' testb@361way.com
Poor testa: the mail is rejected by the mail server.
4. Emails with attachments
Add the following line to main.cf:
mime_header_checks = pcre:/etc/postfix/mime_header_checks
Add the following to the /etc/postfix/mime_header_checks file:
# cat mime_header_checks
/\.exe|\.doc|\.bat$/ REJECT 'Not allow attach'
Attachments with these suffixes can no longer be sent. Test with mailx or mutt:
echo 'testb, send you a file' | mailx -s 'Attach mail' -a /tmp/file.doc testb@361way.com
mutt testb@361way.com -s "361way document" -a /tmp/test.doc
echo "test attachment" | mutt testb@361way.com -s "361way script" -a /tmp/test.exe
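The header, body and MIME-header rules in sections 2, 3 and 4 all use the regexp_table(5) format, /pattern/flags action, and share the same evaluation rules: each logical header line (or each body line) is looked up separately, the first matching rule wins, and matching is case-insensitive unless the i flag toggles it. The Python script below is an added example, not postfix code; it parses the three tables from this page and runs constructed messages through them the way cleanup(8) would, so rules can be checked before a reload. It also shows one property of the attachment pattern above: in \.exe|\.doc|\.bat$ the $ anchor binds only to the .bat alternative, and because MUAs send the filename in quotes (filename="test.bat"), that alternative never matches a quoted name, while the unanchored .exe and .doc alternatives do. Routing of headers to tables (MIME headers to mime_header_checks wherever they appear, other primary headers to header_checks, nested message headers skipped) follows header_checks(5).

```python
"""Toy evaluator for postfix header_checks, body_checks and mime_header_checks.

Added example, not postfix code.  It parses the page's three tables in
regexp_table(5) syntax and runs constructed messages through them the way
cleanup(8) does: one logical header (or body line) at a time, first match
wins, case-insensitive unless the 'i' flag toggles it."""
import email
import re

HEADER_CHECKS = "/^Subject:.*lottery.*/ REJECT Bye, spam mail!\n"
BODY_CHECKS = "/I love you/ REJECT Bye, love spam mail!\n"
MIME_HEADER_CHECKS = r"/\.exe|\.doc|\.bat$/ REJECT 'Not allow attach'" + "\n"

# /pattern/flags action   (a leading ! negates the match)
RULE_RE = re.compile(r"^(!?)/(.+?)/([imx]*)(?:\s+(.*))?$")


def compile_table(text):
    """Parse regexp_table(5) lines into (negated, compiled_regex, action)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError("bad regexp_table line: " + line)
        negate, pattern, flags, action = m.groups()
        re_flags = 0 if "i" in flags else re.IGNORECASE  # 'i' toggles the default
        if "m" in flags:
            re_flags |= re.MULTILINE
        if "x" in flags:
            re_flags |= re.VERBOSE
        rules.append((negate == "!", re.compile(pattern, re_flags), (action or "DUNNO").strip()))
    return rules


def lookup(rules, text):
    """Action of the first rule that matches (or, if negated, does not match)."""
    for negated, rx, action in rules:
        if bool(rx.search(text)) != negated:
            return action
    return None


TABLES = {
    "header_checks": compile_table(HEADER_CHECKS),
    "body_checks": compile_table(BODY_CHECKS),
    "mime_header_checks": compile_table(MIME_HEADER_CHECKS),
}


def is_mime_header(name):
    name = name.lower()
    return name.startswith("content-") or name == "mime-version"


def inspect(raw_message, tables=TABLES):
    """[(table, text, action), ...] in the order cleanup(8) meets them; the
    first entry decides the message's fate.  Non-MIME headers of attached
    messages (nested_header_checks) are not modelled and are skipped."""
    hits = []
    msg = email.message_from_string(raw_message)
    for part in msg.walk():
        for name, value in part.items():
            line = "%s: %s" % (name, value.replace("\n", " "))  # unfold
            if is_mime_header(name):
                table = "mime_header_checks"
            elif part is msg:
                table = "header_checks"
            else:
                continue
            action = lookup(tables[table], line)
            if action:
                hits.append((table, line, action))
        if not part.is_multipart():  # body lines of every leaf part
            for line in str(part.get_payload()).splitlines():
                action = lookup(tables["body_checks"], line)
                if action:
                    hits.append(("body_checks", line, action))
    return hits


# Constructed test messages (not captured from the page's server).
LOTTERY_WITH_DOC = """\
From: testa@361way.com
To: testb@361way.com
Subject: lottery mail
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Hi, money
--b1
Content-Type: application/msword; name="file.doc"
Content-Disposition: attachment; filename="file.doc"
Content-Transfer-Encoding: base64

ZGF0YQ==
--b1--
"""
LOVE_MAIL = "From: testa@361way.com\nTo: testb@361way.com\nSubject: love mail\n\ntestb, I LOVE YOU!\n"
# filename is quoted, so the $ that binds only to the .bat alternative never matches
BAT_MAIL = ("From: testa@361way.com\nTo: testb@361way.com\nSubject: 361way script\n"
            'Content-Type: application/octet-stream; name="test.bat"\n'
            'Content-Disposition: attachment; filename="test.bat"\n\nZGF0YQ==\n')
CLEAN_MAIL = "From: testa@361way.com\nTo: testb@361way.com\nSubject: first mail\n\ntest page\n"
```

Calling inspect(LOTTERY_WITH_DOC) returns the Subject hit first, followed by the two MIME-header hits for file.doc; inspect(LOVE_MAIL) shows the upper-case body line still matching the lower-case body rule; inspect(BAT_MAIL) returns nothing, which is the anchoring problem described above, fixed by writing the pattern as /\.(exe|doc|bat)"?$/ or simply dropping the $.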
5. CIDR filtering
CIDR filtering is mainly used to filter by IP range; it can specify allowed and disallowed CIDR blocks. A simple example:
# vim /etc/postfix/main.cf, add the following line:
smtpd_client_restrictions = cidr:/etc/postfix/client.cidr
# vim /etc/postfix/client.cidr, add the following configuration:
# Spam IP groups
220.163.0.0/16   DISCARD spam
218.62.0.0/16    DISCARD spam
# restart for the change to take effect
# postmap -q - cidr:/etc/postfix/client.cidr < /etc/postfix/client.cidr
or
# postfix reload
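A cidr_table(5) is searched top to bottom and the first network that contains the client address wins, so rule order matters: an exception for a single host has to come before the wider block that would otherwise discard it, and a rule that sits below a wider network covering it can never match. The following Python script is an added example, not postfix code; it loads a constructed client.cidr built from the two networks above plus one host exception, performs the lookup with the standard ipaddress module, and flags such shadowed rules. Like postmap, it refuses a network written with host bits set instead of silently correcting it (here that is a ValueError; the exact postmap behaviour is a warning and is not modelled).

```python
"""Model of a cidr_table(5) lookup as used by smtpd_client_restrictions.

Added example, not postfix code.  Loads a constructed client.cidr with the
page's two networks, applies the first-match-wins lookup, and flags rules
that an earlier, wider rule makes unreachable."""
import ipaddress

CLIENT_CIDR = """\
# Constructed sample client.cidr; first match wins, so the single host
# that must stay reachable is listed before the /16 that discards it
220.163.1.1       OK
220.163.0.0/16    DISCARD spam
218.62.0.0/16     DISCARD spam
"""


def parse_cidr_table(text):
    """Return [(network, action), ...] in file order.

    A key without /prefix is a single host.  A network with host bits set
    raises ValueError (strict=True) rather than being silently rewritten."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, action = line.split(None, 1)  # ValueError if the action is missing
        rules.append((ipaddress.ip_network(key, strict=True), action.strip()))
    return rules


def lookup(rules, client_ip):
    """Action of the first rule whose network contains client_ip, else None."""
    address = ipaddress.ip_address(client_ip)
    for network, action in rules:
        if address.version == network.version and address in network:
            return action
    return None


def shadowed_rules(rules):
    """(rule, earlier_rule) pairs where the earlier network covers the later
    one entirely, so the later rule can never match."""
    found = []
    for i, (network, _) in enumerate(rules):
        for earlier, _ in rules[:i]:
            if network.version == earlier.version and network.subnet_of(earlier):
                found.append((str(network), str(earlier)))
                break
    return found


if __name__ == "__main__":
    rules = parse_cidr_table(CLIENT_CIDR)
    for ip in ("220.163.1.1", "220.163.7.8", "218.62.9.9", "8.8.8.8"):
        print(ip, "->", lookup(rules, ip))
    # the same two lines in the wrong order: the host exception is dead
    print("shadowed:", shadowed_rules(parse_cidr_table(
        "220.163.0.0/16 DISCARD spam\n220.163.1.1 OK\n")))
```

Running shadowed_rules over a table before installing it catches the ordering mistake that the page's postmap -q check does not report, because a lookup of each line's key only tells you what the table returns, not whether a later line is reachable.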
6. Summary
In addition, nested_header_checks can be used to filter mail. For more details see the header_checks, pcre_table, regexp_table and cidr_table man pages. Due to space limitations this section is only a general overview; after finishing this article I will write a separate article with a short summary.
5. Email alias
The main file used for mail aliases is /etc/aliases. It has two columns: on the left the name mail is addressed to, on the right the user(s) who actually receive it. For example:
# vim /etc/aliases
root: root, www   <= mail to root is delivered to both the root and www accounts
dev: dev01, dev02, dev03, dev04...   <= an example of a group alias
test: test, test@163.com   <= an external mailbox can also be given as a target
# postalias hash:/etc/aliases   <= generate the database
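Alias expansion is recursive: a right-hand name that is itself an alias is expanded again, a name containing @ leaves local delivery, and anything else is a local mailbox. The Python script below is an added example, not postfix code; it expands a recipient through a constructed aliases file made of the entries above plus a chain and a deliberate loop, separating local mailboxes from remote addresses and reporting loops. Two points are modelled as assumptions about local(8) behaviour rather than taken from the page: an alias that names itself (root: root, www) delivers to that owner's mailbox, which is how the page's entry keeps a copy for root, and a cycle that does not pass through the alias itself is a forwarding loop. The check_targets helper is a pre-flight check worth running before postalias: a right-hand name that is neither an alias nor an existing account makes mail to that alias bounce as an unknown user.

```python
"""Model of /etc/aliases expansion as done by the postfix local(8) agent.

Added example, not postfix code.  Names lower-cased on both sides, the
self-reference rule and the loop rule are modelling assumptions."""

ALIASES = """\
# Constructed sample /etc/aliases: the page's entries plus a chain and a loop
root: root, www
dev:  dev01, dev02, dev03, dev04
test: test, test@163.com
ops:  dev, admin@example.org
ping: pong
pong: ping
"""


def parse_aliases(text):
    """Map alias name -> list of targets, in file order."""
    aliases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, targets = line.partition(":")
        aliases[name.strip().lower()] = [t.strip() for t in targets.split(",") if t.strip()]
    return aliases


def expand(aliases, recipient):
    """Return (local_mailboxes, remote_addresses, loops) for one recipient."""
    local, remote, loops = set(), set(), []

    def walk(target, chain):
        if "@" in target:                  # not a local name: handed to the transport
            remote.add(target.lower())
            return
        name = target.lower()
        if name not in aliases:            # plain account: deliver to its mailbox
            local.add(name)
            return
        if name in chain:
            if chain[-1] == name:          # alias naming itself: the owner's mailbox
                local.add(name)
            else:                          # a -> b -> a: forwarding loop
                loops.append(chain + [name])
            return
        for nxt in aliases[name]:
            walk(nxt, chain + [name])

    walk(recipient, [])
    return sorted(local), sorted(remote), loops


def check_targets(aliases, known_users):
    """Local targets that are neither an alias nor an existing account; mail
    to them bounces as an unknown user (code 550 in the page's main.cf)."""
    missing = set()
    for targets in aliases.values():
        for t in targets:
            name = t.lower()
            if "@" not in name and name not in aliases and name not in known_users:
                missing.add(name)
    return sorted(missing)


if __name__ == "__main__":
    table = parse_aliases(ALIASES)
    for who in ("root", "test", "ops", "ping", "alice"):
        print(who, "->", expand(table, who))
    print("undeliverable targets:",
          check_targets(table, {"root", "www", "test", "dev01", "dev02", "dev03"}))
```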