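Postfix is the default Mail Transfer Agent (MTA) in Ubuntu. It attempts to be fast, easy to administer, and secure. It is compatible with the MTA sendmail. This section explains how to install and configure postfix. It also explains how to set it up as an SMTP server using a secure connection (for sending emails securely).
To install postfix with SMTP-AUTH and Transport Layer Security (TLS), run the following command: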
sudo apt-get install postfix
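Simply press return when the installation process asks questions; the configuration is described in detail below.
To configure postfix, run the following command: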
sudo dpkg-reconfigure postfix
The user interface will be displayed. On each screen, select the following values:
Ok
Internet Site
NONE
mail.example.com
mail.example.com, localhost.localdomain, localhost
No
127.0.0.0/8
Yes
0
+
all
Replace mail.example.com with your mail server hostname.
Now is a good time to decide which mailbox format you want to use. By default Postfix will use mbox for the mailbox format.
Rather than editing the configuration file directly, you can use the postconf command to configure all postfix parameters. The configuration parameters will be stored in the /etc/postfix/main.cf file. Later, if you wish to re-configure a particular parameter, you can either run the command or change it manually in the file.
To configure the mailbox format for Maildir:
sudo postconf -e 'home_mailbox = Maildir/'
This will place new mail in /home/username/Maildir so you'll need to configure your Mail Delivery Agent to use the same path.
The next steps are to configure postfix to use SASL for SMTP AUTH.
Configure Postfix to do SMTP AUTH using SASL (saslauthd):
sudo postconf -e 'smtpd_sasl_local_domain ='
sudo postconf -e 'smtpd_sasl_auth_enable = yes'
sudo postconf -e 'smtpd_sasl_security_options = noanonymous'
sudo postconf -e 'broken_sasl_auth_clients = yes'
sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
sudo postconf -e 'inet_interfaces = all'
Open the /etc/postfix/sasl/smtpd.conf file and add the following lines to the end of the file:
pwcheck_method: saslauthd
mech_list: plain login
Next, configure the digital certificate for TLS. When asked questions, follow the instructions and answer appropriately.
# 2048-bit key: 1024-bit RSA is no longer considered adequate
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 2048
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 365 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
sudo mv smtpd.key /etc/ssl/private/
sudo mv smtpd.crt /etc/ssl/certs/
sudo mv cakey.pem /etc/ssl/private/
sudo mv cacert.pem /etc/ssl/certs/
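You can get the digital certificate from a certificate authority. Alternatively, you can create the certificate yourself. Refer to the "Creating a Self-Signed Certificate" subsection for more details.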
Configure Postfix to do TLS encryption for both incoming and outgoing mail:
sudo postconf -e 'smtpd_tls_auth_only = no'
sudo postconf -e 'smtp_use_tls = yes'
sudo postconf -e 'smtpd_use_tls = yes'
sudo postconf -e 'smtp_tls_note_starttls_offer = yes'
sudo postconf -e 'smtpd_tls_key_file = /etc/ssl/private/smtpd.key'
sudo postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt'
sudo postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'
sudo postconf -e 'smtpd_tls_loglevel = 1'
sudo postconf -e 'smtpd_tls_received_header = yes'
sudo postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
sudo postconf -e 'tls_random_source = dev:/dev/urandom'
sudo postconf -e 'myhostname = mail.example.com'
Turn off the chroot operation for the SMTP server. Locate the following line in the /etc/postfix/master.cf file:
smtp inet n - - - - smtpd
and modify it as follows:
smtp inet n - n - - smtpd
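After you run all the commands, SMTP AUTH is configured for postfix. The self-signed certificate is created for TLS and configured with postfix.
Now, the file /etc/postfix/main.cf should look like this.
The postfix initial configuration is complete. Run the following command to start the postfix daemon: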
sudo /etc/init.d/postfix start
Now postfix is installed, configured and running successfully. Postfix supports SMTP AUTH as defined in RFC2554. It is based on SASL. In any case, SASL authentication must be set up before you can use SMTP.
The libsasl2-2, sasl2-bin and libsasl2-modules packages are necessary to enable SMTP AUTH using SASL. You can install these packages if you have not installed them already.
sudo apt-get install libsasl2-2 sasl2-bin
A few changes are necessary to make it work properly. Because Postfix runs chrooted in /var/spool/postfix, SASL needs to be configured to run in the false root (/var/run/saslauthd becomes /var/spool/postfix/var/run/saslauthd):
sudo mkdir -p /var/spool/postfix/var/run/saslauthd
sudo rm -rf /var/run/saslauthd
To activate saslauthd, edit the file /etc/default/saslauthd, and change or add the START variable. In order to configure saslauthd to run in the false root, add the PWDIR, PIDFILE and PARAMS variables. Finally, configure the MECHANISMS variable to your liking. The file should look like this:
# This needs to be uncommented before saslauthd will be run
# automatically
START=yes
PWDIR="/var/spool/postfix/var/run/saslauthd"
PARAMS="-m ${PWDIR}"
PIDFILE="${PWDIR}/saslauthd.pid"
# You must specify the authentication mechanisms you wish to use.
# This defaults to "pam" for PAM support, but may also include
# "shadow" or "sasldb", like this:
# MECHANISMS="pam shadow"
MECHANISMS="pam"
If you prefer, you can use shadow instead of pam. This will use MD5-hashed password transfer and is more secure. The username and password needed to authenticate will be those of the users on the system you are using on the server.
Next, update the dpkg "state" of /var/spool/postfix/var/run/saslauthd. The saslauthd init script uses this setting to create the missing directory with the appropriate permissions and ownership:
sudo dpkg-statoverride --force --update --add root sasl 755 /var/spool/postfix/var/run/saslauthd
SMTP AUTH configuration is complete. Now it is time to start and test the setup. You can run the following command to start the SASL daemon:
sudo /etc/init.d/saslauthd start
To see if SMTP-AUTH and TLS work properly, run the following command:
telnet mail.example.com 25
After you have established the connection to the postfix mail server, type:
ehlo mail.example.com
If you see the following lines among others, then everything is working. Type quit to exit.
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME
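The EHLO check above can be scripted. The following is an added example, not part of the original guide: it parses the 250 lines of a reply and reports whether STARTTLS is offered and whether AUTH is announced before TLS. With this guide's smtpd_tls_auth_only = no and mech_list: plain login, the expected reply also means a client that authenticates without STARTTLS sends its password unencrypted. The function names and the "cleartext"/"tls" phase argument are chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original guide. check_ehlo and its PHASE
# argument ("cleartext" or "tls") are names chosen for this illustration.
# It reads the 250 lines of an EHLO reply on stdin and prints findings.
check_ehlo() {
    phase=$1
    tr -d '\r' | awk -v phase="$phase" '
        # Capability lines: "250-KEYWORD args" (more follow) or "250 KEYWORD args" (last).
        /^250[- ]/ {
            n = split(substr($0, 5), f, /[ =]+/)
            key = toupper(f[1])
            if (key == "STARTTLS") starttls = 1
            if (key == "AUTH")      # matches "AUTH x y" and the legacy "AUTH=x y" form
                for (i = 2; i <= n; i++)
                    if (f[i] != "") mech[toupper(f[i])] = 1
        }
        END {
            for (m in mech) have_auth = 1
            # PLAIN and LOGIN send the password merely base64-encoded.
            plain = (("PLAIN" in mech) || ("LOGIN" in mech))
            if (phase == "cleartext") {
                print (starttls ? "OK starttls-offered" : "FAIL starttls-missing")
                if (!have_auth) print "OK auth-withheld-until-tls"
                else if (plain) print "WARN plaintext-auth-before-tls"
                else            print "INFO auth-before-tls"
            } else {
                print (have_auth ? "OK auth-offered-over-tls" : "FAIL auth-missing")
            }
        }'
}

# The reply this guide expects on port 25 (smtpd_tls_auth_only = no).
page_reply() {
    printf '%s\r\n' '250-STARTTLS' '250-AUTH LOGIN PLAIN' \
        '250-AUTH=LOGIN PLAIN' '250 8BITMIME'
}

# Constructed sample: a server that announces AUTH only after STARTTLS
# (smtpd_tls_auth_only = yes).
hardened_reply() {
    printf '%s\r\n' '250-mail.example.com' '250-STARTTLS' '250 8BITMIME'
}

echo "guide's expected reply:"; page_reply | check_ehlo cleartext
echo "AUTH-after-TLS server:";  hardened_reply | check_ehlo cleartext
```

To use it on a real server, paste the 250 lines from the telnet session into the function's standard input.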