
Building a Postfix Mail System with OpenLDAP

Source: 华佗小知识

I. System environment and the software (with download locations) used in this article

1. System environment

Linux distribution: CentOS release 5.2 (Final)
Kernel version: 2.6.18-92.el5

II. Remove sendmail

# killall sendmail
# rpm -e --nodeps sendmail

III. Define the unofficial (DAG) yum repository

# vi /etc/yum.repos.d/dag.repo

[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag
gpgcheck=1
enabled=1
gpgkey=http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt

IV. Installation

1. Add the system users and groups:

# groupadd postfix
# useradd -g postfix -M -s /bin/false postfix
# groupadd postdrop
# groupadd vmail -g 1000
# useradd -u 1000 -g 1000 -M -s /sbin/nologin -d /dev/null vmail

2. Install Apache and PHP (skip this step if they were already installed with the system):

# yum -y install httpd php php-mysql php-gd php-imap php-mbstring php-ldap

3. Install the dependency packages:

# yum -y install perl-Unix-Syslog perl-GD \
    perl-Digest-SHA1 perl-Digest-HMAC perl-Net-IP \
    perl-Net-DNS perl-Time-HiRes perl-HTML-Tagset \
    perl-HTML-Parser perl-libwww-perl perl-IO-stringy \
    perl-IO-Multiplex perl-Net-SSLeay-1.30 perl-IO-Socket-SSL \
    perl-Net-Server perl-TimeDate perl-MailTools \
    perl-MIME-Base perl-Convert-BinHex perl-MIME-tools \
    perl-Convert-TNEF perl-Convert-UUlib \
    perl-Compress-Zlib perl-Archive-Zip perl-IO-Zlib \
    perl-Archive-Tar arc-5.21o zoo-2.10 unarj

4. Add the LDAP server host records:

These two records are what the LDAP clients use to look up the LDAP server; they are referenced in the client configuration file (ldap.conf). You can of course use any other names. If all of the software is installed on the same server the IP address can be 127.0.0.1; here I use the real address.

# echo "192.168.254.162 ldap.test.com" >> /etc/hosts
# echo "192.168.254.162 ldap-master.test.com" >> /etc/hosts

5. Install OpenLDAP:

There are two ways to install it. The first is to keep the copy installed with the system; if you think that version is too old, upgrade it through yum. The other is to build from source. Here I upgraded through yum. If you build from source, pay attention to the paths when the later components are installed.

# yum install openldap*

6. Configure OpenLDAP:

Configuring LDAP requires the schema file shipped with extman, so first copy extman's LDAP schema file into place:

# tar zxf extman-1.1.tar.gz
# cd extman-1.1/docs
# cp ./extmail.schema /etc/openldap/schema/
# vi /etc/openldap/slapd.conf

Change the following entries:

include /etc/openldap/schema/extmail.schema
suffix "dc=otnet.org"
rootdn "cn=Manager,dc=otnet.org"
rootpw {MD5}7tjNxADf1OyF3/cKFwBmtw==

Note: a cleartext password here may cause errors during initialisation, so a hashed password is recommended.

The value after rootpw is generated with slappasswd, which uses the SSHA hashing scheme by default. The -h option makes slappasswd use a different scheme, for example:

# slappasswd -h {MD5}
New password:
Re-enter new password:
{MD5}7tjNxADf1OyF3/cKFwBmtw==

7. Configure the LDAP client file:

This file lets clients find the right server when they run queries or other operations; without it you may get errors such as the LDAP server not being found.

# vi /etc/openldap/ldap.conf

HOST 127.0.0.1
BASE dc=otnet.org
URI ldap://mail.otnet.org ldap://mail.otnet.org:3
SIZELIMIT 12
TIMELIMIT 15
DEREF never

8. Start LDAP:

# service ldap start
# cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

9. Edit and import the initialisation file:

# vi extman-1.1/docs/init.ldif    # extman's initialisation file: replace every extmail.org with otnet.org
# ldapadd -x -D "cn=Manager,dc=otnet.org" -W -f extman/docs/init.ldif
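The rootpw value from step 6 and the userPassword attribute that authldaprc later reads are RFC 2307 style "{scheme}base64" strings. The following Python, added here as an example and not part of the tutorial or of the OpenLDAP/extman projects, builds and verifies the {SSHA} (slappasswd default) and {MD5} forms so the effect of the salt is visible; the password strings are constructed.

```python
import base64
import hashlib
import hmac
import os

# Added example (not from the tutorial): RFC 2307 style password values as
# stored in slapd's rootpw and in the userPassword attribute that authldaprc
# reads (LDAP_CRYPTPW userPassword).
#   {SSHA} = base64( sha1(password + salt) + salt )   <- slappasswd default
#   {MD5}  = base64( md5(password) )                  <- slappasswd -h {MD5}


def make_ssha(password, salt=None):
    """Build an {SSHA} value; a random 4-byte salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def make_md5(password):
    """Build an unsalted {MD5} value, the scheme the tutorial's rootpw uses."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def verify(stored, password):
    """Check a candidate password against a stored {SSHA} or {MD5} value."""
    scheme, _, b64 = stored.partition("}")
    raw = base64.b64decode(b64)
    if scheme == "{SSHA":
        digest, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes, the rest is salt
        candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
        return hmac.compare_digest(candidate, digest)
    if scheme == "{MD5":
        return hmac.compare_digest(hashlib.md5(password.encode("utf-8")).digest(), raw)
    raise ValueError("unsupported password scheme: " + scheme + "}")


if __name__ == "__main__":
    # Constructed sample password: two SSHA values for it differ because of the
    # salt, while the MD5 values are identical and so can be matched from a table.
    pw = "s3cret-example"
    print(make_ssha(pw), make_ssha(pw))
    print(make_md5(pw), make_md5(pw))
    print(verify(make_ssha(pw), pw), verify(make_md5(pw), "wrong"))
```

These hashed forms are only for storing in rootpw/userPassword; a bind password such as LDAP_BINDPW in authldaprc or SYS_LDAP_PASS in webmail.cf is sent to the server and has to be the cleartext secret.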

10. Configure Apache

Edit httpd.conf:

# vi /etc/httpd/conf/httpd.conf

Append after the last line:

NameVirtualHost *:80
Include conf/vhost_*.conf

Edit vhost_extmail.conf:

# vi /etc/httpd/conf/vhost_extmail.conf

It defines the virtual host:

# VirtualHost for ExtMail Solution
<VirtualHost *:80>
ServerName mail.otnet.org
DocumentRoot /var/www/extsuite/extmail/html/
ScriptAlias /extmail/cgi/ /var/www/extsuite/extmail/cgi/
Alias /extmail /var/www/extsuite/extmail/html/
ScriptAlias /extman/cgi/ /var/www/extsuite/extman/cgi/
Alias /extman /var/www/extsuite/extman/html/
Alias /phpldapadmin /var/www/extsuite/phpldapadmin/htdocs/
# Suexec config
SuexecUserGroup vmail vmail
</VirtualHost>

Set Apache to start at boot:

# chkconfig httpd on

11. Install ExtMail

Create /var/www/extsuite and copy the source into it:

# mkdir /var/www/extsuite
# tar zxf extmail-1.2.tar.gz
# cp -r extmail-1.2 /var/www/extsuite/extmail
# cd /var/www/extsuite/extmail
# cp webmail.cf.default webmail.cf
# vi webmail.cf

The main changes are:

SYS_MYSQL_USER = extmail
SYS_MYSQL_PASS = extmail
SYS_MYSQL_DB = extmail
SYS_AUTH_TYPE = ldap
SYS_SPAM_REPORT_ON = 1
SYS_DEBUG_ON = 0
SYS_LDAP_PASS = ffffff
SYS_LDAP_BASE = o=extmailAccount,dc=otnet.org
SYS_LDAP_RDN = cn=Manager,dc=otnet.org
SYS_G_ABOOK_LDAP_BASE = ou=AddressBook,dc=otnet.org
SYS_G_ABOOK_LDAP_ROOTDN = cn=Manager,dc=otnet.org
SYS_SESS_DIR = /var/www/extsuite/extmail/tmp
SYS_UPLOAD_TMPDIR = /var/www/extsuite/extmail/tmp
SYS_AUTHLIB_SOCKET = /usr/local/courier-authlib/var/spool/authdaemon/socket

Update the permissions on the cgi directory. SuEXEC requires that extmail's cgi directory be owned by vmail:vmail:

# chown -R vmail:vmail /var/www/extsuite/extmail/cgi/
# mkdir /var/www/extsuite/extmail/tmp
# chown -R vmail:vmail /var/www/extsuite/extmail/tmp

12. Install ExtMan

# cp -r extman-1.1 /var/www/extsuite/extman
# cp /var/www/extsuite/extman/webman.cf.default /var/www/extsuite/extman/webman.cf
# vi /var/www/extsuite/extman/webman.cf

SYS_SESS_DIR = /var/www/extsuite/extman/tmp
SYS_BACKEND_TYPE = ldap
SYS_LDAP_BASE = dc=otnet.org
SYS_LDAP_RDN = cn=Manager,dc=otnet.org
SYS_LDAP_PASS = ffffff
SYS_GROUPMAIL_SENDER = postmaster@otnet.org

Update the permissions on the cgi directory. SuEXEC requires that extman's cgi directory be owned by vmail:vmail:

# chown -R vmail:vmail /var/www/extsuite/extman/cgi/

Link the base library to ExtMail:

# mkdir /var/www/extsuite/extman/tmp
# chown -R vmail:vmail /var/www/extsuite/extman/tmp

Create the Maildir for the postmaster@otnet.org account imported a moment ago (the source text says "into MySQL", but in this setup it was imported into LDAP in step 9) with the following commands:

# cd /var/www/extsuite/extman/tools
# ./maildirmake.pl /home/domains/otnet.org/postmaster/Maildir
# chown -R vmail:vmail /home/domains

Set up the configuration files for the virtual domains and virtual users:

# cd /var/www/extsuite/extman/docs
# cp ldap_virtual_alias_maps.cf /etc/postfix/
# cp ldap_virtual_domains_maps.cf /etc/postfix/
# cp ldap_virtual_mailbox_maps.cf /etc/postfix/
# cp ldap_virtual_sender_maps.cf /etc/postfix/
# vi /etc/postfix/ldap_virtual_alias_maps.cf

Change extmail.org to otnet.org in this file, and do the same in the other three. Taking this file as the example:

search_base = o=extmailAlias,dc=otnet.org

13. Install BerkeleyDB:

# tar zxf db-5.1.19.NC.tar.gz
# cd db-5.1.19.NC
# ./dist/configure --prefix=/usr/local/BerkeleyDB
# make
# make install
# mv /usr/include/db4 /usr/include/db4.off
# rm -rf /usr/include/db_cxx.h
# rm -rf /usr/include/db.h
# rm -rf /usr/include/db_185.h
# ln -sv /usr/local/BerkeleyDB/include /usr/include/db4
# ln -sv /usr/local/BerkeleyDB/include/db.h /usr/include/db.h
# ln -sv /usr/local/BerkeleyDB/include/db_cxx.h /usr/include/db_cxx.h
# echo "/usr/local/BerkeleyDB/lib" >> /etc/ld.so.conf
# ldconfig

14. Install Courier Authlib:

# wget http://nchc.dl.sourceforge.net/project/courier/authlib/0.63.0/courier-authlib-0.63.0.tar.bz2
# tar jxf courier-authlib-0.63.0.tar.bz2
# cd courier-authlib-0.63.0
# ./configure \
    --prefix=/usr/local/courier-authlib \
    --sysconfdir=/etc \
    --with-authldaprc=/etc/authlib/authldaprc \
    --with-mailuser=vmail \
    --with-mailgroup=vmail \
    --without-stdheaderdir \
    --without-authuserdb \
    --without-authpam \
    --without-authmysql \
    --without-authpwd \
    --without-authshadow \
    --without-authvchkpw \
    --without-authpgsql \
    --without-authcustom \
    --with-redhat
# make
# make install
# make install-configure
# echo "/usr/local/courier-authlib/lib/courier-authlib" >> /etc/ld.so.conf
# ldconfig
# cp courier-authlib.sysvinit /etc/init.d/courier-authlib
# chmod 755 /etc/init.d/courier-authlib
# chkconfig --add courier-authlib
# chkconfig --level 2345 courier-authlib on
# service courier-authlib start
# chmod +x /usr/local/courier-authlib/var/spool/authdaemon/

15. Set up the authdaemonrc configuration file:

# vi /etc/authlib/authdaemonrc

authmodulelist="authldap"
authmodulelistorig="authldap"
authdaemonvar=/usr/local/courier-authlib/var/spool/authdaemon
DEFAULTOPTIONS="wbnodsn=1"

16. Configure authldaprc:

# vi /etc/authlib/authldaprc

Clear the file and enter the following:

LDAP_URI ldap://127.0.0.1:3
LDAP_PROTOCOL_VERSION 3
LDAP_BASEDN o=extmailAccount,dc=otnet.org
LDAP_BINDDN cn=Manager,dc=otnet.org
LDAP_BINDPW {MD5}7tjNxADf1OyF3/cKFwBmtw==
LDAP_TIMEOUT 5
LDAP_MAIL mail
LDAP_FILTER (&(objectClass=extmailUser)(active=1))
LDAP_HOMEDIR homeDirectory
LDAP_MAILROOT /home/domains
LDAP_MAILDIR mailmessageStore
LDAP_MAILDIRQUOTA quota
LDAP_CRYPTPW userPassword
LDAP_UID uidNumber
LDAP_GID gidNumber
LDAP_AUXOPTIONS disablesmtpd=disablesmtpd,disablesmtp=disablesmtp,disablewebmail=disablewebmail,disablenetdisk=disablenetdisk,disableimap=disableimap,disablepop3=disablepop3
LDAP_DEREF never
LDAP_TLS 0
LDAP_DOMAIN otnet.org

17. Install cyrus-sasl

# mv /usr/lib/sasl2 /usr/lib/sasl2.OFF
# wget ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.23.tar.gz
# tar zxf cyrus-sasl-2.1.23.tar.gz
# cd cyrus-sasl-2.1.23
# ./configure --prefix=/usr --sysconfdir=/etc \
    --disable-anon --enable-plain --enable-login \
    --enable-ldapdb --with-ldap \
    --with-authdaemond=/usr/local/courier-authlib/var/spool/authdaemon/socket
# make
# make install

18. Configure the SASL file

# vi /usr/lib/sasl2/smtpd.conf

Make sure its contents are:

pwcheck_method: authdaemond
log_level: 3
mech_list: PLAIN LOGIN
authdaemond_path: /usr/local/courier-authlib/var/spool/authdaemon/socket

19. Install Postfix:

# wget http://www.postfix.cn/source/official/postfix-2.6.8.tar.gz
# tar zxf postfix-2.6.8.tar.gz
# cd postfix-2.6.8
# make tidy
# make makefiles CCARGS="-DHAS_LDAP -I/usr/include -DUSE_SASL_AUTH -DUSE_CYRUS_SASL \
    -I/usr/include/sasl -I/usr/local/BerkeleyDB/include -DUSE_TLS \
    -I/usr/include/openssl" \
    AUXLIBS="-L/usr/lib -lldap -llber -L/usr/lib -lsasl2 \
    -L/usr/local/BerkeleyDB/lib -L/usr/lib -lssl -lcrypto"
# make
# make install

Enter the paths at the following prompts (the value in [] is the default; anything after the "]" is what was typed):

install_root: [/]
tempdir: [/opt/postfix-2.6.8] /tmp
config_directory: [/etc/postfix]
command_directory: [/usr/sbin]
daemon_directory: [/usr/libexec/postfix]
data_directory: [/var/lib/postfix]
html_directory: [no]
mail_owner: [postfix]
mailq_path: [/usr/bin/mailq]
manpage_directory: [/usr/local/man]
newaliases_path: [/usr/bin/newaliases]
queue_directory: [/var/spool/postfix]
readme_directory: [no]
sendmail_path: [/usr/sbin/sendmail]
setgid_group: [postdrop]

# newaliases

20. Install maildrop

Link the courier-authlib header and library files into /usr (the maildrop build looks for them there):

# ln -s /usr/local/courier-authlib/bin/courierauthconfig /usr/bin/courierauthconfig
# ln -s /usr/local/courier-authlib/include/* /usr/include

maildrop needs pcre, so install pcre first:

# wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.10.tar.bz2
# tar jxf pcre-8.10.tar.bz2
# cd pcre-8.10
# ./configure
# make
# make check
# make install

# wget http://nchc.dl.sourceforge.net/project/courier/maildrop/2.5.2/maildrop-2.5.2.tar.bz2
# tar jxf maildrop-2.5.2.tar.bz2
# cd maildrop-2.5.2
# ./configure \
    --enable-sendmail=/usr/sbin/sendmail \
    --enable-trusted-users='root vmail' \
    --enable-syslog=1 --enable-maildirquota \
    --enable-maildrop-uid=1000 \
    --enable-maildrop-gid=1000 \
    --with-trashquota --with-dirsync
# make
# make install

Configure master.cf. For Postfix to deliver through maildrop, edit /etc/postfix/master.cf, comment out the existing maildrop entry and replace it with:

maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/local/bin/maildrop -w 90 -d ${user}@${nexthop} ${recipient} ${user} ${extension} ${nexthop}

21. Configure maildrop's log file

# vi /etc/maildroprc

logfile "/var/log/maildrop.log"
TEST="/bin/test -f"
#
# Check for custom user .mailfilter file
#
CUSTOM_FILTER="$HOME/.mailfilter"
`$TEST $CUSTOM_FILTER && exit 1 || exit 0`
if ( $RETURNCODE == 0 )
{
    to "$HOME/Maildir"
}

# touch /var/log/maildrop.log
# chown vmail.vmail /var/log/maildrop.log

Test that maildrop was built with authlib support:

# maildrop -v

Check that the output looks like this:

maildrop 2.5.2 Copyright 1998-2005 Double Precision, Inc.
GDBM/DB extensions enabled.
Courier Authentication Library extension enabled.
Maildir quota extension are now always enabled.

This program is distributed under the terms of the GNU General Public
License. See COPYING for additional information.

22. Install Courier-IMAP

# wget http://ncu.dl.sourceforge.net/project/courier/imap/4.8.1/courier-imap-4.8.1.tar.bz2
# tar jxf courier-imap-4.8.1.tar.bz2
# cd courier-imap-4.8.1
# ./configure \
    --prefix=/usr/local/courier-imap \
    --sysconfdir=/etc \
    --with-redhat \
    --enable-unicode \
    --disable-root-check \
    --with-trashquota \
    --without-ipv6 \
    CPPFLAGS='-I/usr/local/courier-authlib/include' \
    LDFLAGS='-L/usr/local/courier-authlib/lib/courier-authlib' \
    COURIERAUTHCONFIG='/usr/local/courier-authlib/bin/courierauthconfig'
# make
# make install
# make install-configure

Configure Courier-IMAP to provide POP3 service to users:

# vi /etc/pop3d
POP3DSTART=YES

# vi /etc/pop3d-ssl
POP3DSSLSTART=YES

# vi /etc/pop3d.cnf
#default_md = sha1        (comment out this line)

And IMAP service:

# vi /etc/imapd
IMAPDSTART=yes

# vi /etc/imapd-ssl
IMAPDSSLSTART=YES

# vi /etc/imapd.cnf
#default_md = sha1        (comment out this line)

# cp courier-imap.sysvinit /etc/rc.d/init.d/courier-imapd
# chmod 755 /etc/rc.d/init.d/courier-imapd
# chkconfig --add courier-imapd
# chkconfig --level 2345 courier-imapd on

Then restart courier-imap:

# service courier-imapd start

23. Set up main.cf:

# postconf -n > /etc/postfix/main2.cf
# mv /etc/postfix/main.cf /etc/postfix/main.cf.old
# mv /etc/postfix/main2.cf /etc/postfix/main.cf
# vi /etc/postfix/main.cf

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
# hostname
mynetworks = 127.0.0.1
myhostname = mail.otnet.org
mydomain = otnet.org
mydestination = $mynetworks, $myhostname
# banner
mail_name = Postfix - by otnet.org
smtpd_banner = $myhostname ESMTP $mail_name
# response immediately
smtpd_error_sleep_time = 0s
unknown_local_recipient_reject_code = 550
# extmail config here
virtual_mailbox_base = /home/domains
virtual_alias_maps = ldap:/etc/postfix/ldap_virtual_alias_maps.cf
virtual_mailbox_domains = ldap:/etc/postfix/ldap_virtual_domains_maps.cf
virtual_mailbox_maps = ldap:/etc/postfix/ldap_virtual_mailbox_maps.cf
virtual_transport = maildrop:
# smtpd related config
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_invalid_hostname
# SMTP sender login matching config
smtpd_sender_restrictions =
    permit_mynetworks,
    reject_sender_login_mismatch,
    reject_authenticated_sender_login_mismatch,
    reject_unauthenticated_sender_login_mismatch
smtpd_sender_login_maps = ldap:/etc/postfix/ldap_virtual_sender_maps.cf,
    ldap:/etc/postfix/ldap_virtual_alias_maps.cf
# SMTP AUTH config here
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous
# Message and return code control
message_size_limit = 10485760
mailbox_size_limit = 10485760
show_user_unknown_table_name = no
# Queue lifetime control
bounce_queue_lifetime = 1d
maximal_queue_lifetime = 1d
# maildrop setting
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1

24. Set up master.cf:

# vi /etc/postfix/master.cf

Change the following entry:

smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
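To see what the smtpd_recipient_restrictions list in main.cf above does to a session, here is a small first-match evaluator, added as an example and not part of the tutorial or of Postfix: it walks the list in the order given for a few constructed SMTP sessions (client address, SASL state, HELO name, sender, recipient). Only restrictions whose inputs are in the session are modelled; reject_unauth_pipelining depends on protocol timing and is treated as DUNNO, and the HELO syntax check is a simplification of Postfix's.

```python
# Added example (not from the tutorial or from Postfix): a simplified first-match
# walk over the smtpd_recipient_restrictions list in main.cf. Postfix stops at the
# first restriction that answers OK or REJECT; one that does not apply answers
# DUNNO and the next is tried; falling off the end of the list means permit.

MYNETWORKS = {"127.0.0.1"}                       # mynetworks
LOCAL_DOMAINS = {"mail.otnet.org", "otnet.org"}  # mydestination + LDAP virtual domains

RESTRICTIONS = [
    "permit_mynetworks", "permit_sasl_authenticated",
    "reject_non_fqdn_hostname", "reject_non_fqdn_sender", "reject_non_fqdn_recipient",
    "reject_unauth_destination",
    "reject_unauth_pipelining",   # needs protocol timing, so always DUNNO here
    "reject_invalid_hostname",
]

def _is_fqdn(name):
    return "." in name.strip(".")

def _valid_hostname(name):
    # Simplified HELO syntax check: dot-separated labels of letters, digits, hyphens.
    return all(lbl and lbl.replace("-", "").isalnum() for lbl in name.split("."))

def evaluate(session, restrictions=RESTRICTIONS):
    """Return (verdict, deciding restriction) for one RCPT TO in this session."""
    helo = session["helo"]
    sender_dom = session["sender"].rpartition("@")[2]
    rcpt_dom = session["recipient"].rpartition("@")[2]
    checks = {   # restriction -> (verdict if it applies, does it apply?)
        "permit_mynetworks": ("OK", session["client_ip"] in MYNETWORKS),
        "permit_sasl_authenticated": ("OK", session["sasl"]),
        "reject_non_fqdn_hostname": ("REJECT", not _is_fqdn(helo)),
        "reject_non_fqdn_sender": ("REJECT", bool(session["sender"]) and not _is_fqdn(sender_dom)),
        "reject_non_fqdn_recipient": ("REJECT", not _is_fqdn(rcpt_dom)),
        "reject_unauth_destination": ("REJECT", rcpt_dom not in LOCAL_DOMAINS),
        "reject_invalid_hostname": ("REJECT", not _valid_hostname(helo)),
    }
    for name in restrictions:
        verdict, applies = checks.get(name, ("DUNNO", False))
        if applies:
            return verdict, name
    return "OK", "end-of-list"

def _s(ip, sasl, helo, sender, rcpt):
    return dict(client_ip=ip, sasl=sasl, helo=helo, sender=sender, recipient=rcpt)

SESSIONS = {  # constructed; 203.0.113.0/24 is the documentation address range
    "outside relay attempt":       _s("203.0.113.5", False, "mx.example.net", "a@example.net", "b@example.org"),
    "authenticated user relaying": _s("203.0.113.5", True, "pc.example.net", "u@otnet.org", "b@example.org"),
    "inbound to local domain":     _s("203.0.113.5", False, "mx.example.net", "a@example.net", "postmaster@otnet.org"),
    "bare HELO from outside":      _s("203.0.113.5", False, "localhost", "a@example.net", "postmaster@otnet.org"),
}
```

Calling evaluate() on each SESSIONS entry shows the relay attempt stopping at reject_unauth_destination, the SASL user passing at permit_sasl_authenticated and inbound local mail running off the end of the list; moving reject_unauth_destination ahead of permit_sasl_authenticated would turn the authenticated relay into a REJECT, which is why the order in main.cf matters.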

V. Postfix startup script

# vi /etc/init.d/postfix

#!/bin/sh
#
# postfix      Postfix Mail Transfer Agent
#
# chkconfig: 2345 80 30
# description: Postfix is a Mail Transport Agent, which is the program \
#              that moves mail from one machine to another.
# processname: master
# pidfile: /var/spool/postfix/pid/master.pid
# config: /etc/postfix/main.cf
# config: /etc/postfix/master.cf
#
# $Revision: 2.2 $
#
# Written by Package Author: Simon J Mudd
# 25/02/99: Mostly s/sendmail/postfix/g by John A. Martin
# 23/11/00: Changes & suggestions by Ajay Ramaswamy
# 20/01/01: Changes to fall in line with RedHat 7.0 style
# 23/02/01: Fix a few untidy problems with help from Daniel Roesen.

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0

[ -x /usr/sbin/postfix ] || exit 0
[ -d /etc/postfix ] || exit 0
[ -d /var/spool/postfix ] || exit 0

RETVAL=0

start() {
    # Start daemons.
    echo -n "Starting postfix: "
    /usr/sbin/postfix start 2>/dev/null 1>&2 && success || failure
    RETVAL=$?
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/postfix
    echo
    return $RETVAL
}

stop() {
    # Stop daemons.
    echo -n "Shutting down postfix: "
    /usr/sbin/postfix stop 2>/dev/null 1>&2 && success || failure
    RETVAL=$?
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/postfix
    echo
    return $RETVAL
}

reload() {
    echo -n "Reloading postfix: "
    /usr/sbin/postfix reload 2>/dev/null 1>&2 && success || failure
    RETVAL=$?
    echo
    return $RETVAL
}

restart() {
    stop
    start
}

abort() {
    /usr/sbin/postfix abort 2>/dev/null 1>&2 && success || failure
    return $?
}

flush() {
    /usr/sbin/postfix flush 2>/dev/null 1>&2 && success || failure
    return $?
}

check() {
    /usr/sbin/postfix check 2>/dev/null 1>&2 && success || failure
    return $?
}

# See how we were called.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    restart
    ;;
  reload)
    reload
    ;;
  abort)
    abort
    ;;
  flush)
    flush
    ;;
  check)
    check
    ;;
  status)
    status master
    ;;
  condrestart)
    # don't use /var/lock/subsys/postfix, check for postfix running directly
    daemon_directory=$(postconf -h daemon_directory)
    $daemon_directory/master -t 2>/dev/null && : || restart
    ;;
  *)
    echo "Usage: postfix {start|stop|restart|reload|abort|flush|check|status|condrestart}"
    exit 1
esac

exit $?

# chmod +x /etc/init.d/postfix

Add it to the boot startup:

# chkconfig --add postfix
# chkconfig postfix on
