Building a mail server
Set up a private mail server that is properly authenticated, can exchange mail with NetEase, Tencent and other providers, and receives mail in a compliant way.
It can serve as a normal mailbox, be used for phishing, and so on.
Preparation
- Server: a Tencent Cloud host
- Domain: an Alibaba Cloud domain (Jeromeyoung.com is used as the example)
Mail protocols:
Type | Server | Server address | Non-SSL port | SSL port |
---|---|---|---|---|
Outgoing server | SMTP | smtp.qq.com | 25 | 465/587 |
Incoming server | POP | pop.qq.com | 110 | 995 |
Incoming server | IMAP | imap.qq.com | 143 | 993 |
Test connectivity
telnet smtp.qq.com 25
- Tencent Cloud allows traffic on port 25; Alibaba Cloud does not.
Configure DNS records
Configure DKIM
Log in to the host server
apt-get install opendkim opendkim-tools
mkdir -p /var/run/opendkim
mkdir /etc/opendkim
chown -R opendkim:opendkim /var/run/opendkim
mkdir -p /etc/opendkim/keys/jeromeyoung.com  # use your own domain here
Edit the configuration file
Log in to the host server and configure /etc/opendkim.conf:
Syslog yes
UMask 002
Domain jeromeyoung.com
Canonicalization relaxed/relaxed
Mode sv
OversignHeaders From
TrustAnchorFile /usr/share/dns/root.key
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
LogWhy Yes
PidFile /var/run/opendkim/opendkim.pid
SigningTable refile:/etc/opendkim/SigningTable
Socket inet:8891@127.0.0.1
SyslogSuccess Yes
TemporaryDirectory /var/tmp
Generate the DKIM signing key with OpenDKIM
opendkim-genkey -D /etc/opendkim/keys/jeromeyoung.com/ -d jeromeyoung.com -s default
echo "default._domainkey.jeromeyoung.com jeromeyoung.com:default:/etc/opendkim/keys/jeromeyoung.com/default.private">/etc/opendkim/KeyTable
echo "*@jeromeyoung.com default._domainkey.jeromeyoung.com" > /etc/opendkim/SigningTable
echo "127.0.0.1">/etc/opendkim/TrustedHosts
echo "jeromeyoung.com">>/etc/opendkim/TrustedHosts
echo "mail.jeromeyoung.com">>/etc/opendkim/TrustedHosts
Configure opendkim
vim /etc/default/opendkim
Change the socket line so that it matches the Socket setting in opendkim.conf, from
SOCKET="local:/var/run/opendkim/opendkim.sock"
to
SOCKET="inet:8891@127.0.0.1"
Change the owner and group of the key directory:
chown -R opendkim:opendkim /etc/opendkim/keys/jeromeyoung.com
Start the service
systemctl restart opendkim.service
DNS still needs to be configured:
add the contents of /etc/opendkim/keys/jeromeyoung.com/default.txt
to the domain's DNS records (copy the highlighted part):
cat /etc/opendkim/keys/jeromeyoung.com/default.txt
Configure the DMARC record:
v=DMARC1;p=quarantine;rua=mailto:admin@jeromeyoung.com
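As an added example that is not part of the original post: a small Python helper that turns the multi-line default.txt written by opendkim-genkey into the single host/value pair a DNS console expects, and sanity-checks the DKIM and DMARC records before they are published. The default.txt sample and its key body are constructed placeholders, not a real key.

```python
import re

# Constructed sample of opendkim-genkey's default.txt; the key body is a placeholder, not a real key
SAMPLE_DEFAULT_TXT = (
    'default._domainkey\tIN\tTXT\t( "v=DKIM1; h=sha256; k=rsa; "\n'
    '\t  "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAplaceholder"\n'
    '\t  "KeyBodyConstructedForThisExample" )  ; ----- DKIM key default for jeromeyoung.com\n'
)
SAMPLE_DMARC = "v=DMARC1;p=quarantine;rua=mailto:admin@jeromeyoung.com"

def dkim_record_from_default_txt(text):
    # DNS panels want one host name and one value, not zone-file syntax with split quoted strings
    host = text.split()[0]
    value = "".join(re.findall(r'"([^"]*)"', text))
    return host, value

def parse_tags(value):
    # Both DKIM and DMARC records are ';'-separated tag=value lists
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, _, v = part.partition("=")
            tags[k.strip()] = v.strip()
    return tags

def check_dkim(value):
    tags, problems = parse_tags(value), []
    if tags.get("v") != "DKIM1":
        problems.append("missing v=DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("unexpected key type " + tags["k"])
    if not tags.get("p"):
        problems.append("empty p= tag (the selector would revoke signing)")
    return problems

def check_dmarc(value):
    tags, problems = parse_tags(value), []
    if not value.strip().startswith("v=DMARC1"):
        problems.append("record must begin with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    if "rua" in tags and not tags["rua"].startswith("mailto:"):
        problems.append("rua= must be a mailto: URI")
    return problems
```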
Enable TLS for the mail server
This is the old method; it used to work but no longer does.
Request a certificate through FreeSSL, https://freessl.cn/
First register an account, then enter the domain mail.jeromeyoung.com and click to create a free SSL certificate.
Install Certbot, which is used to obtain the TLS certificate for the mail server:
apt-get install certbot
certbot certonly --manual -d mail.jeromeyoung.com --server https://acme.freessl.cn/v2/DV90/directory/pxf4xxxxx
Running the certbot install here is apparently blocked by Tencent Cloud, so we skip the automated install and proceed as follows:
New method:
Go to https://www.51ssl.com/ to request the certificate; the link in the top-right corner of the https://freessl.cn/ console jumps straight there.
Fill in the request, then add the DNS record for domain validation and wait for it to propagate; this is just slow, anywhere from a few minutes to a few hours.
Once validation completes, download the domain's key and pem files
and place both files in the /etc/letsencrypt/live/mail.jeromeyoung.com directory on the mail server.
Finally, use openssl to convert the crt and key files to pem format; the certificate is then ready (51ssl also lets you download the pem directly):
key to pem:
openssl rsa -in private.key -out private.pem
crt to pem:
openssl x509 -in full_chain.crt -out full_chain.pem
systemctl status dovecot.service
Check the service status afterwards; if nothing shows in red, the certificate is fine.
Install Postfix
debconf-set-selections <<< "postfix postfix/mailname string mail.jeromeyoung.com"
debconf-set-selections <<< "postfix postfix/main_mailer_type string 'Internet Site'"
apt-get install --assume-yes postfix
After installation, configure it:
vim /etc/postfix/main.cf
myhostname = mail.jeromeyoung.com
mydomain = jeromeyoung.com
myorigin = $mydomain
smtp_helo_name = $myhostname
mydestination = $myhostname, localhost.$mydomain, $mydomain
smtpd_banner = mail.$mydomain ESMTP
home_mailbox = Maildir/
mynetworks = 0.0.0.0 82.156.22.229 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
biff = no
append_dot_mydomain = no
readme_directory = no
smtpd_tls_cert_file=/etc/letsencrypt/live/mail.jeromeyoung.com/full_chain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.jeromeyoung.com/private.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = inet:127.0.0.1:8891
milter_protocol = 2
milter_default_action = accept
disable_vrfy_command = yes
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
relayhost=
mailbox_size_limit=0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
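As an added example that is not from the original post: a Python audit that parses a main.cf in the format above and flags the settings that would turn a server like this one into an open relay or an unsigned, cleartext sender. Both configuration samples are constructed for the example; the first mirrors the values shown above.

```python
import re

# Constructed excerpt in the shape of the main.cf above (values from this tutorial, not a live host)
GOOD_MAIN_CF = """\
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
smtpd_tls_security_level = may
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_milters = inet:127.0.0.1:8891
disable_vrfy_command = yes
"""
# Constructed weak variant: trusts every client and never rejects relaying to foreign domains
WEAK_MAIN_CF = """\
mynetworks = 0.0.0.0/0
smtpd_tls_security_level = none
smtpd_relay_restrictions = permit_mynetworks permit
"""
DEFAULT_RELAY = "permit_mynetworks permit_sasl_authenticated defer_unauth_destination"  # Postfix default

def parse_main_cf(text):  # 'key = value' lines; a line starting with whitespace continues the previous value
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and key:
            params[key] += " " + raw.strip()
        else:
            key, _, value = (s.strip() for s in raw.partition("="))
            params[key] = value
    return params

def split_list(value):
    return [x for x in re.split(r"[,\s]+", value) if x]

def audit_main_cf(text):
    p, findings = parse_main_cf(text), []
    for net in split_list(p.get("mynetworks", "")):
        if net.endswith("/0"):
            findings.append(f"mynetworks: {net} makes permit_mynetworks trust every client")
    relay = split_list(p.get("smtpd_relay_restrictions", DEFAULT_RELAY))
    rcpt = split_list(p.get("smtpd_recipient_restrictions", ""))
    if not any(r.endswith("_unauth_destination") for r in relay + rcpt):
        findings.append("open relay: no reject/defer_unauth_destination in either restriction list")
    if p.get("smtpd_tls_security_level", "none") == "none":
        findings.append("smtpd_tls_security_level: STARTTLS not offered, logins cross the wire in clear")
    if "smtpd_milters" not in p:
        findings.append("smtpd_milters: no OpenDKIM milter, outbound mail leaves unsigned")
    if p.get("disable_vrfy_command") != "yes":
        findings.append("disable_vrfy_command: VRFY still allows address enumeration")
    return findings
```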
Configure /etc/postfix/master.cf (vim /etc/postfix/master.cf):
smtp inet n - y - - smtpd
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - y - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}
Install Dovecot:
apt-get install dovecot-core dovecot-imapd dovecot-pop3d
After installation, configure it.
Configure /etc/dovecot/conf.d/10-master.conf:
service imap-login {
inet_listener imap {
}
inet_listener imaps {
}
}
service pop3-login {
inet_listener pop3 {
}
inet_listener pop3s {
}
}
service lmtp {
unix_listener lmtp {
}
}
service imap {
}
service pop3 {
}
service auth {
unix_listener auth-userdb {
}
unix_listener /var/spool/postfix/private/auth {
mode = 0666
user = postfix
group = postfix
}
}
service auth-worker {
}
service dict {
unix_listener dict {
}
}
Configure /etc/dovecot/conf.d/10-auth.conf:
auth_mechanisms = plain login
!include auth-system.conf.ext
Configure /etc/dovecot/conf.d/10-mail.conf:
mail_location = maildir:~/Maildir
namespace inbox {
inbox = yes
}
mail_privileged_group = mail
Configure /etc/dovecot/conf.d/20-pop3.conf:
pop3_uidl_format = %08Xu%08Xv
protocol pop3 {
}
Configure /etc/dovecot/conf.d/10-ssl.conf:
ssl = yes
ssl_cert = </etc/letsencrypt/live/mail.jeromeyoung.com/full_chain.pem
ssl_key = </etc/letsencrypt/live/mail.jeromeyoung.com/private.pem
Create the mailbox user account:
useradd -m admin -s /sbin/nologin  # the nologin shell means this account cannot log in to the server; mail is sent here as a spoofed admin, so create the admin user
passwd admin
Start all services:
systemctl restart dovecot.service
systemctl restart postfix.service
systemctl restart opendkim.service
Connect to the server with Foxmail
Choose "other mailbox" for the login, and after entering click manual setup:
Add the account; the password is the one set when the account was created. Once configured, click Create:
Mail test
Note
Once configured, the server can be used indefinitely; only when the certificate expires do you need to request a new one, complete the DNS validation again, and replace the contents of the /etc/letsencrypt/live/mail.jeromeyoung.com directory.