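I have some problems in my configuration and cannot get a fully functional mail server that uses only ports 993 and 465 with CRAM-MD5 authentication. If anyone is looking for such a complete configuration, please help me and others to get the correct config file structure for an Ubuntu server for future use. I have a hard time understanding the right combination of parameters to get the right result. Every time you write some useful configuration, I will update and write the correct working configuration. Hopefully this will help others too, because it is not easy to figure out how to set the right parameters for so many different things =(
By the way, please help me to create a relatively secure configuration and tell me if I need to change some chmod or chown security settings.
Thanks, I hope this file will help a lot of users in the future.
The main problems are as follows:
Problem 1: connect to IMAPS via Outlook without sending a plain password
1st: I create a CRAM-MD5 hash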
doveadm pw -s CRAM-MD5
THE SECRET PASSWORD
output: {CRAM-MD5}aaaabbbbcccccddddeeeeffffggggghhhhiiiiijjjjjkkkkklllllmmmmmnnnnn
which I use under: /etc/dovecot/users
2nd: if I connect over openssl s_client -connect localhost:993 it works, but not over Outlook, and only as plain password
openssl s_client -connect localhost:993
A login office@MY_DOMAIN.COM "THE SECRET PASSWORD"
output: A OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABL ....]
How can I solve that without plain passwords in the cfgs and login?
Problem 2: cannot connect successfully via openssl s_client -connect localhost:465
1st:
openssl s_client -connect localhost:465
AUTH CRAM-MD5
output: NEEDED_CHALLANGE_BASE64_HASH_VALUE_FOR_PASSWORD
2nd:
apt install sasl2-bin
gen-auth CRAM-MD5
Username: office@MY_DOMAIN.COM
password: THE SECRET PASSWORD
challange: NEEDED_CHALLANGE_BASE64_HASH_VALUE_FOR_PASSWORD
output: BASE64_HAHS_VALUE_FOR_LOGIN
3rd:
openssl s_client -connect localhost:465
AUTH CRAM-MD5
BASE64_HAHS_VALUE_FOR_LOGIN
output: 535 5.7.8 Error: authentication failed: ...
output-mail.log: warning: localhost[127.0.0.1]: SASL CRAM-MD5 authentication failed: ...
What am I doing wrong?
Problem 3: openssl s_client -connect localhost:993 errors, which I do not have on ports 465 and 443. I want to use the same Apache SSL for the mail server. Mail server == webserver
Conclusion:
error 1: Can't use SSL_get_servername
I know. That's because I am logged in as localhost and not over MY_DOMAIN.COM
error 2: verify error:num=20:unable to get local issuer certificate
also if I try with
openssl s_client -CAfile /var/www/security/SSL/MY_DOMAIN.ca-bundle -crlf -connect localhost:993
output:
verify error:num=2:unable to get issuer certificate
SSL handshake has read 2063 bytes and written 373 bytes
Verification error: unable to get issuer certificate
Full but shortened output: openssl s_client -connect localhost:993
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = MY_DOMAIN.COM
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = MY_DOMAIN.COM
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = MY_DOMAIN.COM
verify return:1
---
Certificate chain
0 s:CN = MY_DOMAIN.COM
i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: May 7 00:00:00 2023 GMT; NotAfter: Aug 15 23:59:59 2023 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=CN = MY_DOMAIN.COM
issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2063 bytes and written 373 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID:
...
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID:
...
Start Time: 1684318538
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
Postfix
# folder: /etc/postfix/
[root:root - rights:655] main.cf
biff = no
append_dot_mydomain = no
readme_directory = no
compatibility_level = 3.6
mydomain = MY_DOMAIN.COM
myhostname = web-p3.$mydomain
smtpd_banner = $myhostname ESMTP $mail_name
myorigin = $mydomain
mydestination = $myhostname, mail.$mydomain, web-p3.$mydomain, localhost.$mydomain, localhost
# old settings
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
relayhost =
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
# Virtual domain settings
virtual_mailbox_domains = $mydomain
#virtual_mailbox_domains = hash:/etc/postfix/virtual_domains
#virtual_mailbox_base = /home/vmail
#virtual_mailbox_maps = hash:/etc/postfix/virtual-mailbox
#virtual_alias_domains =
#virtual_alias_maps = hash:/etc/postfix/virtual_aliases
virtual_transport = lmtp:unix:private/dovecot-lmtp
# SSL settings
smtpd_use_tls = yes
smtpd_tls_key_file = /var/www/ssl/MY_DOMAIN.pem
smtpd_tls_cert_file = /var/www/ssl/MY_DOMAIN.crt
smtpd_tls_CAfile = /var/www/ssl/MY_DOMAIN.ca-bundle
smtpd_tls_auth_only = yes
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = encrypt
smtp_tls_security_level = encrypt
smtp_tls_wrappermode = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtp_sasl_password_maps = static:office@$mydomain:999999999-000000000000-9999999
#smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
#smtpd_sasl_path = /var/run/dovecot/auth-client
smtpd_sasl_path = private/auth
#smtpd_sasl_path = smtpd
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous,noplaintext
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = login
[root:root - rights:644] master.cf
smtps inet n - y - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination
-o smtpd_tls_security_level=encrypt
-o smtpd_tls_auth_only=yes
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
-o syslog_name=postfix/$service_name
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
postlog unix-dgram n - n - 1 postlogd
maildrop unix - n n - - pipe
flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
[root:root - rights:644] virtual-mailbox
office@MY_DOMAIN.COM MY_DOMAIN.COM/office/Maildir/
Original files! No changes
[root:root - rights:644] main.cf.proto
[root:root - rights:644] master.cf.proto
Dovecot
# folder: /etc/dovecot/
[root:root - rights:644] dovecot.conf
!include_try /usr/share/dovecot/protocols.d/*.protocol
protocols = imap lmtp
listen = *, ::
dict {}
!include conf.d/*.conf
!include_try local.conf
[root:dovecot - rights:640] dovecot-dict-auth.conf.ext
default_pass_scheme = CRAM-MD5
#default_pass_scheme = MD5
iterate_prefix = userdb/
key passdb {
key = passdb/%u
format = json
}
key userdb {
key = userdb/%u
format = json
}
key quota {
key = userdb/%u/quota
default_value = 100M
}
passdb_objects = passdb
userdb_objects = userdb
userdb_fields {
quota_rule = *:storage=%{dict:quota}
mail = maildir:%{dict:userdb.home}/Maildir
}
[root:dovecot - rights:640] dovecot-dict-sql.conf.ext
map {
pattern = priv/quota/storage
table = quota
username_field = username
value_field = bytes
}
map {
pattern = priv/quota/messages
table = quota
username_field = username
value_field = messages
}
map {
pattern = shared/expire/$user/$mailbox
table = expires
value_field = expire_stamp
fields {
username = $user
mailbox = $mailbox
}
}
[root:root - rights:644] users
office@MY_DOMAIN.COM:{CRAM-MD5}aaaabbbbcccccddddeeeeffffggggghhhhiiiiijjjjjkkkkklllllmmmmmnnnnn
[root:dovecot - rights:640] dovecot-sql.conf.ext
# empty
# folder: /etc/dovecot/conf.d/
[root:root - rights:644] 10-auth.conf
disable_plaintext_auth = yes
auth_username_format = %Lu
auth_master_user_separator = *
auth_mechanisms = cram-md5 plain login
#!include auth-system.conf.ext
!include auth-passwdfile.conf.ext
!include auth-static.conf.ext
[root:root - rights:644] 10-director.conf
service director {
unix_listener login/director {}
fifo_listener login/proxy-notify {}
unix_listener director-userdb {}
inet_listener {}
}
service imap-login {}
service pop3-login {}
service submission-login {}
protocol lmtp {}
[root:root - rights:644] 10-logging.conf
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot-info.log
plugin {}
[root:root - rights:644] 10-mail.conf
mail_location = maildir:/var/mail/vhosts/%d/%n
namespace inbox {
inbox = yes
}
mail_privileged_group = mail
protocol !indexer-worker {}
mail_uid = vmail
mail_gid = vmail
mbox_write_locks = fcntl
[root:root - rights:644] 10-master.conf
service imap-login {
inet_listener imap {}
inet_listener imaps {
port = 993
ssl = yes
}
}
service pop3-login {
inet_listener pop3 {}
inet_listener pop3s {}
}
service submission-login {
inet_listener submission {}
}
service lmtp {
unix_listener lmtp {}
}
service imap {}
service pop3 {}
service submission {}
service auth {
unix_listener auth-userdb {}
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
}
service auth-worker {}
service dict {
unix_listener dict {}
}
[root:root - rights:644] 10-ssl.conf
ssl = yes
ssl_cert = </var/www/ssl/MY_DOMAIN.crt
ssl_key = </var/www/ssl/MY_DOMAIN.pem
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = </usr/share/dovecot/dh.pem
[root:root - rights:644] 10-tcpwrapper.conf
#empty
[root:root - rights:644] 15-lda.conf
protocol lda {}
[root:root - rights:644] 15-mailboxes.conf
namespace inbox {
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Trash {
special_use = \Trash
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
}
[root:root - rights:644] 20-imap.conf
protocol imap {}
[root:root - rights:644] 20-lmtp.conf
protocol lmtp {
mail_plugins = $mail_plugins sieve
}
plugin {
sieve = /var/vmail/%d/%n/.sieve
sieve_dir = /var/vmail/%d/%n/sieve
sieve_global_dir = /var/vmail/sieve/global/
}
[root:root - rights:644] 90-acl.conf
plugin {}
plugin {}
[root:root - rights:644] 90-plugin.conf
plugin {}
[root:root - rights:644] 90-quota.conf
plugin {}
plugin {}
plugin {}
plugin {}
[root:root - rights:644] auth-checkpassword.conf.ext
passdb {
driver = checkpassword
args = /usr/bin/checkpassword
}
userdb {
driver = prefetch
}
[root:root - rights:644] auth-deny.conf.ext
passdb {
driver = passwd-file
deny = yes
args = /etc/dovecot/deny-users
}
[root:root - rights:644] auth-dict.conf.ext
passdb {
driver = dict
args = /etc/dovecot/dovecot-dict-auth.conf.ext
}
userdb {
driver = dict
args = /etc/dovecot/dovecot-dict-auth.conf.ext
}
[root:root - rights:644] auth-master.conf.ext
passdb {
driver = passwd-file
master = yes
args = /etc/dovecot/master-users
pass = yes
}
[root:root - rights:644] auth-passwdfile.conf.ext
passdb {
driver = passwd-file
args = scheme=CRAM-MD5 username_format=%u /etc/dovecot/users
}
userdb {
driver = static
args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
}
[root:root - rights:644] auth-sql.conf.ext
passdb {
driver = sql
args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
driver = sql
args = /etc/dovecot/dovecot-sql.conf.ext
}
[root:root - rights:644] auth-static.conf.ext
# empty
[root:root - rights:644] auth-system.conf.ext
userdb {
driver = passwd
}
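
Added example (not part of the original post): the CRAM-MD5 exchange from Problem 2, computed per RFC 2195 with Python's standard library instead of gen-auth. The account and first challenge are the RFC 2195 sample vector, the second challenge is constructed, and the function names are assumptions of this example. It shows that a response verifies only against the challenge it was computed for, so a response computed for one AUTH CRAM-MD5 challenge is rejected when sent against the challenge of a new connection.

```python
import base64
import hashlib
import hmac

# RFC 2195 sample vector (not a real account).
RFC_USER = "tim"
RFC_PASSWORD = "tanstaaftanstaaf"
RFC_CHALLENGE_B64 = "PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+"
# Constructed second challenge, standing in for what a new connection would issue.
OTHER_CHALLENGE_B64 = base64.b64encode(b"<1111.1@mail.example>").decode()


def cram_md5_response(username: str, password: str, challenge_b64: str) -> str:
    """Client side: base64("<user> <hex HMAC-MD5(password, challenge)>")."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def verify_cram_md5(username: str, password: str,
                    challenge_b64: str, response_b64: str) -> bool:
    """Server side: recompute the digest for the challenge issued on THIS
    connection and compare in constant time."""
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    user, _, digest = decoded.rpartition(" ")
    expected = hmac.new(password.encode(), base64.b64decode(challenge_b64),
                        hashlib.md5).hexdigest()
    return user == username and hmac.compare_digest(digest.encode(),
                                                    expected.encode())


def demo() -> dict:
    response = cram_md5_response(RFC_USER, RFC_PASSWORD, RFC_CHALLENGE_B64)
    return {
        "response": response,
        # Same connection, same challenge: accepted.
        "same_challenge": verify_cram_md5(RFC_USER, RFC_PASSWORD,
                                          RFC_CHALLENGE_B64, response),
        # Old response replayed against a new challenge: rejected.
        "new_challenge": verify_cram_md5(RFC_USER, RFC_PASSWORD,
                                         OTHER_CHALLENGE_B64, response),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```
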