====== Installing the iRedMail Mail Server on CentOS 7 ======

  * Environment:
    * ++CentOS Linux release 7.5.1804 (Core) |cat /etc/redhat-release++
    * iRedMail 0.9.8 at the time of writing; the download step below fetches 0.9.9, so use whichever version you extract consistently in the paths that follow
    * IP: 172.21.20.253
    * DN: iredmail.ichiayi.com
    * hostname: iredmail

===== Preparing the environment =====

  * Disable SELinux (the iRedMail installer requires SELinux to be disabled or permissive; this removes a layer of host hardening, so keep the rest of the host locked down)
<code bash>
vi /etc/selinux/config
</code>
<code>
SELINUX=disabled
</code>
  * Set /etc/sysconfig/network
<code>
HOSTNAME=iredmail.ichiayi.com
</code>
  * Set /etc/hosts (the FQDN must be the first name after the address so that hostname -f returns it)
<code>
127.0.0.1 iredmail.ichiayi.com iredmail localhost localhost.localdomain
</code>
  * Set /etc/hostname
<code>
iredmail.ichiayi.com
</code>
  * Reboot
<code bash>
sync;sync;sync;reboot
</code>

===== Downloading and installing iRedMail =====

<code bash>
su - root
yum install wget bzip2
cd /root/
wget https://bitbucket.org/zhb/iredmail/downloads/iRedMail-0.9.9.tar.bz2
tar xjf iRedMail-0.9.9.tar.bz2
cd /root/iRedMail-0.9.9/
bash iRedMail.sh
</code>
  * When the installer has finished and the ClamAV signature file daily.cld has been updated, reboot so that every service starts cleanly
<code bash>
sync;sync;sync;reboot
</code>
  * If the installer keeps complaining about the /etc/hosts configuration, first check that hostname -f prints the host name in full FQDN form, e.g. iredmail.ichiayi.com
  * If the server is hosted in mainland China, iredmail.org is blocked by the GFW, so start the installer with these mirror variables instead
<code bash>
IREDMAIL_EPEL_MIRROR='http://mirrors.aliyun.com/epel' IREDMAIL_MIRROR='https://dl.iredmail.org' bash iRedMail.sh
</code>
  * After installation the important details (admin passwords, URLs) are written to /root/iRedMail-0.9.9/iRedMail.tips (the directory name follows the version you extracted); the file holds passwords in clear text, so keep it root-only and delete it once the details are stored safely

===== Related settings and verification =====

  * DNS: MX / DKIM / [[http://blog.xuite.net/tolarku/blog/233356505-DNS+%E8%A8%AD%E5%AE%9A+spf+%E8%A8%98%E9%8C%84+-+Sender+Policy+Framework|SPF settings]] / [[https://support.google.com/a/answer/2466563?hl=zh-Hant|DMARC]]
  * Regenerating the DKIM key
    * Reference: https://docs.iredmail.org/sign.dkim.signature.for.new.domain.html
++ Commands |
<code bash>
amavisd -c /etc/amavisd/amavisd.conf genrsa /var/lib/dkim/mail3.ichiayi.com.pem
chown amavis:amavis /var/lib/dkim/mail3.ichiayi.com.pem
chmod 0400 /var/lib/dkim/mail3.ichiayi.com.pem
vi /etc/amavisd/amavisd.conf
</code>
The sample record below is a 1024-bit key; for a new key pass 2048 as an extra argument after the file name. Add to amavisd.conf:
<code perl>
# Add dkim_key here.
dkim_key('mail3.ichiayi.com', 'dkim', '/var/lib/dkim/mail3.ichiayi.com.pem');
...
@dkim_signature_options_bysender_maps = ({
    # catch-all (one dkim key for all domains)
    '.' => {d => 'mail3.ichiayi.com',
...
</code>
<code bash>
systemctl restart amavisd
</code>
Then publish the DKIM public key in DNS; print it with
<code bash>
amavisd -c /etc/amavisd/amavisd.conf showkeys
</code>
Example output:
<code>
dkim._domainkey.mail3.ichiayi.com
dkim._domainkey.mail3.ichiayi.com. 3600 TXT (
  "v=DKIM1; p="
  "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCrXC0tedP//DPy+CcC72g8lNw"
  "8H9igOIphFtrvNKknJPKlKaxLP8cy41rWI91WHFS0jxPyJh39kzP7ueukUMDUE0d"
  "veNPGOfYh32sdn5xNSYKg3l1HTj7wLIKsedN0E4aWbsBVwqAkgU3JJky7JzCc98R"
  "G4wj6UPgbQVBKxtgNwIDAQAB")
</code>
++
  * Reverse DNS (PTR) for the IP: ask the ISP to set it
  * Adding an alias domain: https://docs.iredmail.org/sql.add.alias.domain.html
++ SQL |
<code sql>
INSERT INTO alias_domain (alias_domain, target_domain) VALUES ('alias-1.com', 'example.com');
</code>
++
  * Aliases as a mail list (a virtual address delivered to real mailboxes): https://docs.iredmail.org/user.alias.address.html
++ SQL |
<code sql>
INSERT INTO forwardings (address, forwarding, domain, dest_domain, is_alias, active)
VALUES ('infotech@ichiayi.com', 'tech1@ichiayi.com', 'ichiayi.com', 'ichiayi.com', 1, 1);
</code>
++
  * Mail forwarding (mail received by a mailbox is also sent on to another address): https://docs.iredmail.org/sql.user.mail.forwarding.html
++ SQL |
<code sql>
INSERT INTO forwardings (address, forwarding, domain, dest_domain, is_forwarding, active)
VALUES ('jonathan@ichiayi.com', 'jonathan-forward1@ichiayi.com', 'ichiayi.com', 'ichiayi.com', 1, 1);
</code>
++
  * DKIM for several domains: https://docs.iredmail.org/sign.dkim.signature.for.new.domain.html
  * Setting the default login domain (users can then log in without the @domain part)
++ Mainly auth_default_realm in dovecot.conf |
<code>
auth_default_realm = mail.ichiayi.com
</code>
++
  * Outlook cannot send over STARTTLS on port 587, so also provide SMTPS on port 465: https://docs.iredmail.org/enable.smtps.html
  * Adjusting the attachment size limit
    * Reference: https://docs.iredmail.org/change.mail.attachment.size.html
    * Example: 20 MB => 20*1024*1024 = 20971520; MIME (base64) encoding inflates attachments by roughly a third, so multiply by 1.5 to land near the intended limit => 20971520 * 1.5 = 31457280
<code bash>
postconf -e message_size_limit=31457280
systemctl restart postfix
</code>
    * Webmail uploads are limited separately by upload_max_filesize and post_max_size in /etc/php.ini (covered in the reference above), so raise those as well
  * Automatically deleting mail in Trash
    * Reference: https://forum.iredmail.org/topic10062-iredmail-support-auto-delete-emails-in-users-trash.html
    * ++ Create the purge script /root/dovecot_expunge.sh |
<code bash>
#!/bin/bash
# Purge every user's Trash after 3 days and Junk after 30 days.
DOVEADM="/usr/bin/doveadm"
$DOVEADM expunge -A mailbox Trash savedbefore 3d
$DOVEADM expunge -A mailbox Junk savedbefore 30d
</code>
++
    * ++ Make it executable |
<code bash>
chmod a+x /root/dovecot_expunge.sh
</code>
++
    * ++ crontab entry (system crontab format with a user field, i.e. /etc/crontab or a file under /etc/cron.d/, not crontab -e) |
<code>
# delete iRedMail emails in Trash older than 3 days and in Junk older than 30 days.
30 3 * * * root /root/dovecot_expunge.sh > /tmp/dovecot_expunge.log
</code>
++
    * ++ Restart crond |
<code bash>
service crond restart
</code>
++
  * Letting a specific SMTP-authenticated account send with a From address that differs from its login
    * The error looks like: SMTPRecipientsRefused: {'xxx@xxx': (554, '5.7.1 : Recipient address rejected: Sender is not same as SMTP authenticate username')}
    * Reference: https://docs.iredmail.org/errors.html#recipient-address-rejected-sender-is-not-same-as-smtp-authenticate-username
    * Append the following to /opt/iredapd/settings.py
++ Example: sysop@ichiayi.com may authenticate and send with any From |
<code python>
# https://docs.iredmail.org/errors.html#recipient-address-rejected-sender-is-not-same-as-smtp-authenticate-username
ALLOWED_LOGIN_MISMATCH_SENDERS = ['sysop@ichiayi.com']
</code>
++
    * Keep this list as short as possible: a listed account can put any sender address on its mail, so if its password leaks the attacker can impersonate every user of the domain
    * Restart the iRedAPD service
<code bash>
systemctl restart iredapd
</code>
  * Turning off the ClamAV virus scanner (on 2019/5/27 mail with PDF attachments was being wrongly flagged as Win.Exploit.CVE_2019_0903-6966169-0)
    * Reference: https://forum.iredmail.org/topic3149-iredmail-support-disable-clamav-and-turn-off.html
    * Edit /etc/amavisd/amavisd.conf
++ Change @bypass_virus_checks_maps from 0 to 1 to disable scanning |
The comment above the setting documents the values:
<code perl>
# controls running of anti-virus/spam code: 0 -> enabled, 1 -> disabled.
</code>
<code perl>
@bypass_virus_checks_maps = (1);
</code>
Restart amavisd
<code bash>
systemctl restart amavisd
</code>
++
    * This switches virus scanning off for all mail. A narrower fix for a false positive is to refresh the signatures with freshclam or to list the offending signature name in a local .ign2 file, and to turn scanning back on afterwards

==== Changing the host name ====

  * Besides /etc/hosts, the host name is written into several service configuration files, which all have to be changed together
  * Reference: https://docs.iredmail.org/change.server.hostname.html
  * /etc/hosts
  * /etc/sysconfig/network
  * /var/spool/postfix/etc/hosts
  * /etc/postfix/main.cf
  * /etc/amavisd/amavisd.conf

==== SSL certificate setup ====

  * Installing a purchased certificate: https://docs.iredmail.org/use.a.bought.ssl.certificate.html
  * Obtaining a free Let's Encrypt certificate: see [[tech/ssl_letsencrypt]]
  * Example: the certificate files are in /etc/letsencrypt/live/mail.ichiayi.com/
  * Postfix (SMTP server)
++ Commands |
<code bash>
postconf -e smtpd_tls_cert_file='/etc/letsencrypt/live/mail.ichiayi.com/cert.pem'
postconf -e smtpd_tls_key_file='/etc/letsencrypt/live/mail.ichiayi.com/privkey.pem'
postconf -e smtpd_tls_CAfile='/etc/letsencrypt/live/mail.ichiayi.com/fullchain.pem'
systemctl restart postfix
</code>
++
    * Postfix can complete the chain from smtpd_tls_CAfile, but its documentation recommends keeping the whole chain in the certificate file, i.e. pointing smtpd_tls_cert_file at fullchain.pem
  * Dovecot (POP3/IMAP server); the leading < makes Dovecot read the file
++ Settings |
<code>
ssl = required
ssl_cert = </etc/letsencrypt/live/mail.ichiayi.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.ichiayi.com/privkey.pem
</code>
++
++ Command |
<code bash>
systemctl restart dovecot
</code>
++
  * Webmail (nginx)
++ Commands |
<code bash>
cd /etc/pki/tls/certs/
mv iRedMail.crt iRedMail.crt.old
ln -s /etc/letsencrypt/live/mail.ichiayi.com/fullchain.pem iRedMail.crt
cd ../private/
mv iRedMail.key iRedMail.key.old
ln -s /etc/letsencrypt/live/mail.ichiayi.com/privkey.pem iRedMail.key
service nginx restart
</code>
++
    * iRedMail.crt is linked to fullchain.pem (as iRedMail's own Let's Encrypt guide does) because nginx sends exactly what ssl_certificate points to; with cert.pem alone, clients that do not already hold the intermediate CA fail verification. Do not replace /etc/pki/tls/cert.pem: on CentOS it is the system CA bundle used by every OpenSSL client on the host (Postfix outbound TLS, curl, yum), and swapping it for the Let's Encrypt chain leaves the host trusting only that chain
  * Confirm that the new certificate is actually being served
    * IMAP
++ Command |
<code bash>
openssl s_client -showcerts -connect mail.ichiayi.com:993
</code>
++
    * POP3
++ Command |
<code bash>
openssl s_client -showcerts -connect mail.ichiayi.com:995
</code>
++
    * SMTP
++ Command |
<code bash>
openssl s_client -showcerts -connect mail.ichiayi.com:587 -starttls smtp
</code>
++
    * Web
++ Command |
<code bash>
openssl s_client -showcerts -connect mail.ichiayi.com:443
</code>
++
    * In each output check the subject of the first certificate, that the intermediate follows it, and that the Verify return code line reports 0 (ok) (pass -CAfile /etc/pki/tls/cert.pem if s_client does not pick up the system store, and -servername mail.ichiayi.com if nginx serves several names)
  * If the certificate is issued on a different host from the mail server, rsync it over after each renewal
    * Example: the certificate lives on 192.168.11.234; run the following on the mail server
++ Sync commands |
<code bash>
rm -rf /etc/letsencrypt/archive/mail.ichiayi.com.old
mv /etc/letsencrypt/archive/mail.ichiayi.com /etc/letsencrypt/archive/mail.ichiayi.com.old
rsync -zavl root@192.168.11.234:/etc/letsencrypt/archive/mail.ichiayi.com/ /etc/letsencrypt/archive/mail.ichiayi.com/
rm -rf /etc/letsencrypt/live/mail.ichiayi.com.old
mv /etc/letsencrypt/live/mail.ichiayi.com /etc/letsencrypt/live/mail.ichiayi.com.old
rsync -zavl root@192.168.11.234:/etc/letsencrypt/live/mail.ichiayi.com/ /etc/letsencrypt/live/mail.ichiayi.com/
systemctl restart postfix
systemctl restart dovecot
systemctl restart nginx
</code>
++
    * live/ only holds symlinks into archive/, which is why archive/ is synced first and -l keeps the links; nginx has to be restarted as well because its iRedMail.crt and iRedMail.key links resolve into live/. The private key crosses the network as root over SSH, so use a dedicated key pair for this job rather than a root password, and remove the .old copies once the new certificate is confirmed working

==== Whitelists and blacklists ====

  * Greylisting whitelist: https://docs.iredmail.org/manage.iredapd.html#greylisting
    - First add the domain to the iredapd.greylisting_whitelist_domains table, e.g. ik2.com
++ SQL |
<code sql>
INSERT INTO iredapd.greylisting_whitelist_domains (domain) VALUES ('ik2.com');
</code>
++
    - Run spf_to_greylist_whitelists.py, which resolves the listed domains' SPF (and MX/A) records and writes the resulting addresses into the greylisting whitelist, so that the entry takes effect
++ Command |
<code bash>
/opt/iredapd/tools/spf_to_greylist_whitelists.py
</code>
++
  * Spam whitelist and blacklist
    * Reference: https://docs.iredmail.org/amavisd.wblist.html
    - Add a whitelist entry, e.g. mail from service@ichiayi.com
++ Command |
<code bash>
python /opt/iredapd/tools/wblist_admin.py --add --whitelist service@ichiayi.com
</code>
++
    - Add a blacklist entry, e.g.
      mail from ad@ichiayi.com
++ Command |
<code bash>
python /opt/iredapd/tools/wblist_admin.py --add --blacklist ad@ichiayi.com
</code>
++
    - Show the current whitelist and blacklist
++ Commands |
<code bash>
python /opt/iredapd/tools/wblist_admin.py --list --whitelist
python /opt/iredapd/tools/wblist_admin.py --list --blacklist
</code>
++
    * A whitelisted sender address is trusted for anything that claims to come from it, so it only holds up if forged mail for that address is already rejected by SPF/DKIM checks
  * fail2ban whitelist
    * Reference: https://www.ichiayi.com/wiki/tech/fail2ban_unban
    * Reference: https://forum.iredmail.org/topic10045-iredmail-support-solved-fail2ban-problems.html
    * List the addresses to exempt after ignoreip = in /etc/fail2ban/jail.local
++ Example |
<code ini>
maxretry = 5
ignoreip = 127.0.0.1 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 60.248.245.172/32
</code>
++
    * Exempting every RFC 1918 range means a compromised internal host can brute-force logins without ever being banned; list only the networks that need it
    * Reload the configuration
++ Command |
<code bash>
service fail2ban reload
</code>
++

===== Mail migration (imapsync) =====

  * imapsync copies mail from the old server to the new one over IMAP, so both must be reachable from where it runs
  * Install imapsync
<code bash>
yum install imapsync
</code>
  * To migrate jonathan's mail you need jonathan's password on both the old and the new host; write it to /root/sync_info/jonathan (chmod 0600, it is a clear-text password) and run
<code bash>
imapsync --host1 mail.ichiayi.com --user1 jonathan --passfile1 /root/sync_info/jonathan --host2 192.168.11.236 --user2 jonathan --passfile2 /root/sync_info/jonathan
</code>
  * The run creates a LOG_imapsync directory under the working directory with a log of each run, e.g. 2018_09_07_11_35_30_testalbert.txt
  * Lines marked Err in the log are folders that could not be synced and need separate handling, e.g.
<code>
Err 1/2: Could not create folder [from Albert/&ZbBbomI2--Data/INDIA/ABC.] from [from Albert/&ZbBbomI2--Data/INDIA/ABC.]: 38252 NO [CANNOT] Character not allowed in mailbox name: '.' (0.001 + 0.000 secs).
</code>
    * Here the new server's Dovecot rejects the name because it uses '.' as the Maildir folder separator; rename the folder on the old server, or let imapsync rewrite destination folder names with its --regextrans2 option

===== Upgrade procedure =====

  * Reference: https://docs.iredmail.org/iredmail.releases.html
  * Example:
    * The current version is 0.9.8 and the target is the latest release 0.9.9: follow https://docs.iredmail.org/upgrade.iredmail.0.9.8-0.9.9.html. Take a backup of the vmail database and of /etc before starting, since several steps below change schema and configuration files
    - Upgrade iRedAPD to 5.0.2 (https://docs.iredmail.org/upgrade.iredapd.html)
<code bash>
su - root
mkdir -p 0.9.9
cd 0.9.9
wget -O iRedAPD-5.0.2.tar.gz https://github.com/iredmail/iRedAPD/archive/5.0.2.tar.gz
tar zxf iRedAPD-5.0.2.tar.gz
cd iRedAPD-5.0.2/tools/
bash upgrade_iredapd.sh
</code>
      Check the upgrade log:
<code bash>
tail -500 /var/log/iredapd/iredapd.log
</code>
    - Upgrade iRedAdmin to 1.3 (https://docs.iredmail.org/migrate.or.upgrade.iredadmin.html)
<code bash>
cd /root/0.9.9
wget https://dl.iredmail.org/yum/misc/iRedAdmin-1.3.tar.gz
tar zxvf iRedAdmin-1.3.tar.gz
cd iRedAdmin-1.3/tools/
bash upgrade_iredadmin.sh
</code>
    - Upgrade mlmmjadmin to 3.1.2 (https://docs.iredmail.org/upgrade.mlmmjadmin.html)
<code bash>
cd /root/0.9.9
wget https://github.com/iredmail/mlmmjadmin/archive/3.1.2.tar.gz
tar zxf 3.1.2.tar.gz
cd mlmmjadmin-3.1.2/tools/
bash upgrade_mlmmjadmin.sh
</code>
    - Upgrade Roundcube webmail to 1.4.11 (https://github.com/roundcube/roundcubemail/wiki/Upgrade)
<code bash>
cd /root/0.9.9
wget https://github.com/roundcube/roundcubemail/releases/download/1.4.11/roundcubemail-1.4.11-complete.tar.gz
tar xf roundcubemail-*.tar.gz
cd roundcubemail-*
bin/installto.sh /var/www/roundcubemail
</code>
      If bin/installto.sh refuses to run, check whether /etc/php.ini lists system in disable_functions; the installer needs it
    - Upgrade netdata to 1.12.0 (https://docs.iredmail.org/upgrade.netdata.html); compare the download with the checksum published on the release page before executing it
<code bash>
wget https://github.com/netdata/netdata/releases/download/v1.12.0/netdata-v1.12.0.gz.run
chmod +x netdata-*.gz.run
./netdata-*.gz.run --accept
</code>
    - Fix the improper nginx config files for Roundcube. Edit /etc/nginx/templates/roundcube.tmpl and add the deny rules (... marks unchanged lines of the file)
<code nginx>
...
location ~ ^/mail/(bin|config|installer|logs|SQL|temp|vendor)($|/.*) { deny all; }
...
location ~ ^/mail/(CHANGELOG|composer.json|INSTALL|jsdeps.json|LICENSE|README|UPGRADING)($|.*) { deny all; }
...
location ~ ^/mail/plugins/.*/config.inc.php.* { deny all; }
...
location ~ ^/mail/plugins/enigma/home($|/.*) { deny all; }
...
</code>
      Then edit /etc/nginx/templates/roundcube-subdomain.tmpl with the same rules without the /mail prefix
<code nginx>
...
location ~ ^/(bin|config|installer|logs|SQL|temp|vendor)/.* { deny all; }
...
location ~ ^/(CHANGELOG|composer.json|INSTALL|jsdeps.json|LICENSE|README|UPGRADING)$ { deny all; }
...
location ~ ^/plugins/.*/config.inc.php.* { deny all; }
...
location ~ ^/plugins/enigma/home($|/.*) { deny all; }
...
</code>
      These rules stop Roundcube's configuration, logs, SQL schema, vendor tree and plugin config files from being served to browsers
    - Improve the mlmmj script used for appending footer text
<code bash>
cd /usr/bin/
wget -O mlmmj-amime-receive https://raw.githubusercontent.com/iredmail/iRedMail/master/samples/mlmmj/mlmmj-amime-receive
chown mlmmj:mlmmj mlmmj-amime-receive
chmod 0550 mlmmj-amime-receive
</code>
    - Fix the address mapping issue for mlmmj mailing lists. In /etc/amavisd/amavisd.conf set the forward method of the MLMMJ policy bank
<code perl>
$policy_bank{'MLMMJ'} = {
    ...
    forward_method => 'smtp:[127.0.0.1]:10028',
};
</code>
      and add the matching listener to /etc/postfix/master.cf
<code>
127.0.0.1:10028 inet n - n - - smtpd
    -o syslog_name=postfix/10028
    -o content_filter=
    -o mynetworks_style=host
    -o mynetworks=127.0.0.1
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o strict_rfc821_envelopes=yes
    -o smtp_tls_security_level=none
    -o smtpd_tls_security_level=none
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_end_of_data_restrictions=
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
</code>
<code bash>
systemctl restart postfix
systemctl restart amavisd
</code>
      The listener is bound to 127.0.0.1 and accepts clients only from mynetworks (localhost), so it is not reachable as an open re-injection port from outside
    - Fixed: SOGo backup script ((if the backup directory was changed at install time, e.g.
/maildata/backup, run these in that directory instead))
<code bash>
cd /var/vmail/backup/
wget -O backup_sogo.sh https://raw.githubusercontent.com/iredmail/iRedMail/master/tools/backup_sogo.sh
chown root backup_sogo.sh
chmod 0400 backup_sogo.sh
</code>
    - MySQL/MariaDB only: SQL structure changes in the vmail database (dump the database first so the change can be rolled back)
<code bash>
cd /root/0.9.9
wget -O iredmail.mysql https://raw.githubusercontent.com/iredmail/iRedMail/master/update/0.9.9/iredmail.mysql
mysql vmail < iredmail.mysql
</code>
    - Dovecot: read the mailbox format from SQL. Edit /etc/dovecot/dovecot-mysql.conf so that user_query builds the home and mail values from the new columns
<code sql>
user_query = SELECT \
    ...
    LOWER(CONCAT(mailbox.storagebasedirectory, '/', mailbox.storagenode, '/', mailbox.maildir)) AS home, \
    CONCAT(mailbox.mailboxformat, ':~/', mailbox.mailboxfolder, '/') AS mail, \
    ...
</code>
<code bash>
systemctl restart dovecot
</code>
    - Update /etc/iredmail-release to 0.9.9 (the old line can stay as a comment)
<code>
0.9.9 MARIADB edition.
#0.9.8 MARIADB edition.
</code>

===== Other topics =====

==== Disabling netdata ====

  * To remove it completely see https://forum.iredmail.org/topic15606-how-to-removeuninstall-netdata.html
  * To just stop it
<code bash>
systemctl stop netdata
systemctl disable netdata
</code>

==== Disabling SPF checks ====

  * Reference: https://forum.iredmail.org/topic2699-iredmail-support-how-to-remove-or-disable-spf-andor-dkim.html
  * Comment out the SPF plugin in /etc/mail/spamassassin/init.pre and restart amavisd (this removes the SpamAssassin SPF score, so forged sender domains are no longer penalised)
<code>
#loadplugin Mail::SpamAssassin::Plugin::SPF
</code>
<code bash>
systemctl restart amavisd
</code>

==== postfix/amavis/smtp[6831]: connect to 127.0.0.1[127.0.0.1]:10024: Connection refused ====

  * This started appearing from 2020/08; the quick fix is to start amavisd and make sure it is enabled at boot
<code bash>
systemctl start amavisd
systemctl enable amavisd
</code>

==== Recovering a forgotten iRedAdmin administrator password ====

  * An existing mailbox user can be made an administrator directly in the database, e.g.
jonathan@ichiayi.com
  * Log in to the iRedMail database
<code bash>
mysql -u root -p
</code>
<code sql>
USE vmail;
SELECT isadmin, isglobaladmin FROM mailbox WHERE username = 'jonathan@ichiayi.com';
UPDATE mailbox SET isadmin=1, isglobaladmin=1 WHERE username = 'jonathan@ichiayi.com';
INSERT INTO domain_admins (username, domain) VALUES ('jonathan@ichiayi.com', 'ALL');
</code>
  * The full session
<code>
mysql -u root -p
MariaDB [(none)]> USE vmail;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [vmail]> select isadmin,isglobaladmin from mailbox where username = 'jonathan@ichiayi.com';
+---------+---------------+
| isadmin | isglobaladmin |
+---------+---------------+
|       0 |             0 |
+---------+---------------+
1 row in set (0.00 sec)

MariaDB [vmail]> UPDATE mailbox SET isadmin=1, isglobaladmin=1 WHERE username = 'jonathan@ichiayi.com';
Query OK, 1 row affected (0.00 sec)
Rows matched: 1  Changed: 1  Warnings: 0

MariaDB [vmail]> INSERT INTO domain_admins (username, domain) VALUES ('jonathan@ichiayi.com', 'ALL');
Query OK, 1 row affected (0.00 sec)

MariaDB [vmail]> exit
Bye
</code>
  * Log in to iRedAdmin with that user's mailbox password to manage the server through the web interface
  * The account is now a global admin of every domain, with the same reach as the original postmaster account; reset the real administrator's password straight away and then revert the flags and the domain_admins row

===== Backup and restore =====

===== References =====

  * https://docs.iredmail.org/install.iredmail.on.rhel.html
  * https://www.iredmail.org/download.html
  * https://www.digitalocean.com/community/questions/setting-up-iredmail-with-digital-ocean
  * https://serverfault.com/questions/853102/nginx-could-not-build-map-hash-you-should-increase-map-hash-bucket-size-64
  * https://www.howtoforge.com/community/threads/postfix-554-relay-access-denied.55720/
  * https://www.howtoforge.com/postfix-do-not-list-domain-example.com-in-both-mydestination-and-virtual_mailbox_domains#error-postfix-do-not-list-domain-examplecom-in-both-mydestination-and-virtualmailboxdomains
  * http://blog.xuite.net/tolarku/blog/233356505-DNS+%E8%A8%AD%E5%AE%9A+spf+%E8%A8%98%E9%8C%84+-+Sender+Policy+Framework
  * https://forum.iredmail.org/topic4097-iredmail-support-change-default-login-domain.html
  * https://support.plesk.com/hc/en-us/articles/213961665-How-to-verify-that-SSL-for-IMAP-POP3-SMTP-works-and-the-proper-certificate-is-installed-using-Linux
  * https://forum.iredmail.org/topic11159-iredmail-support-how-to-reset-the-postmaster-password-for-iredadmin.html

{{tag>mail}}
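Added example for the DKIM publication step in the "Related settings and verification" section: the `amavisd showkeys` output has to be pasted into DNS as a TXT record, and the most common failure is a key that was re-wrapped or truncated by the DNS provider. This script is not iRedMail's own tooling and not part of the original page; it assumes GNU grep/sed/tr and, for the live check only, `dig` from bind-utils. The sample record used below is the one printed earlier on this page.

```bash
#!/usr/bin/env bash
# Added example, not iRedMail tooling: join the TXT record printed by
# `amavisd showkeys` into one value and compare it with what DNS serves.
# Assumptions: GNU grep/sed/tr; `dig` (bind-utils) for the live check.
set -eu

# Join the quoted fragments of one showkeys-style record (stdin) into a single
# TXT value such as 'v=DKIM1; p=MIGf...'. Values longer than 255 bytes are
# always split into such fragments, by amavisd and by DNS servers alike, so the
# joined form is what must be compared. Feed it a single record, not the whole
# showkeys output, or several keys would be glued together.
dkim_txt_from_showkeys() {
    grep -o '"[^"]*"' | sed 's/"//g' | tr -d '\n'
    printf '\n'
}

# Print the base64 public key (the p= tag) of a TXT value read from stdin.
# Whitespace is dropped first because providers re-wrap the value arbitrarily.
dkim_pubkey() {
    tr -d ' \t' | tr ';' '\n' | sed -n 's|^p=\([A-Za-z0-9+/=]*\).*|\1|p'
}

# Exit 0 when two TXT values carry the same non-empty public key.
dkim_same_key() {
    local a b
    a=$(printf '%s' "$1" | dkim_pubkey)
    b=$(printf '%s' "$2" | dkim_pubkey)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Live check against DNS. Usage:
#   dkim_check_dns dkim mail3.ichiayi.com \
#     "$(amavisd -c /etc/amavisd/amavisd.conf showkeys | dkim_txt_from_showkeys)"
dkim_check_dns() {
    local selector=$1 domain=$2 local_txt=$3 dns_txt
    # dig prints the fragments quoted on one line; the quotes are dropped here.
    dns_txt=$(dig +short TXT "${selector}._domainkey.${domain}" | tr -d '"')
    if dkim_same_key "$local_txt" "$dns_txt"; then
        echo "OK: ${selector}._domainkey.${domain} serves the local public key"
    else
        echo "MISMATCH: ${selector}._domainkey.${domain} differs from the local key or is missing" >&2
        return 1
    fi
}
```

Comparing only the p= value, with whitespace removed, is deliberate: some providers add `k=rsa` or reorder tags, and a plain string comparison of the record would then report a false mismatch even though signatures verify.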
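Added example for the certificate sync step in the "SSL certificate setup" section: the page's rsync commands copy the Let's Encrypt directory and restart Postfix, Dovecot and nginx unconditionally, so a half-copied directory, a renewal that silently failed, or a key that belongs to a different certificate takes every TLS listener down at once. This script is not part of iRedMail or of the page's original commands; it assumes the openssl CLI, certbot's live-directory layout (fullchain.pem, privkey.pem) and the service names used on this page.

```bash
#!/usr/bin/env bash
# Added example, not part of iRedMail or of the page's rsync commands.
# Sanity-check a freshly synced Let's Encrypt live directory before the TLS
# services are restarted on it. Assumptions: the openssl CLI; certbot's layout
# (fullchain.pem = leaf + intermediates, privkey.pem); service names as on this page.
set -eu

# 0 if the private key belongs to the first (leaf) certificate in $1, else 1.
key_matches_cert() {
    local cert=$1 key=$2 cert_pub key_pub
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# 0 if the leaf certificate in $1 is still valid $2 seconds from now.
cert_valid_for() {
    local cert=$1 seconds=${2:-0}
    openssl x509 -in "$cert" -noout -checkend "$seconds" >/dev/null
}

# 0 if the leaf in fullchain.pem verifies against the system CA store using the
# intermediates shipped in the same file, i.e. what a mail client will see.
chain_verifies() {
    local fullchain=$1
    openssl verify -untrusted "$fullchain" "$fullchain" >/dev/null 2>&1
}

# Run all checks on a live directory and restart the TLS services only if they pass.
# Usage: deploy_if_sane /etc/letsencrypt/live/mail.ichiayi.com
deploy_if_sane() {
    local live=$1
    key_matches_cert "$live/fullchain.pem" "$live/privkey.pem" \
        || { echo "refusing to deploy: privkey.pem does not match fullchain.pem" >&2; return 1; }
    cert_valid_for "$live/fullchain.pem" $((7 * 86400)) \
        || { echo "refusing to deploy: certificate expires within 7 days (renewal failed?)" >&2; return 1; }
    chain_verifies "$live/fullchain.pem" \
        || { echo "refusing to deploy: chain in fullchain.pem does not verify" >&2; return 1; }
    systemctl restart postfix dovecot nginx
}
```

Run `deploy_if_sane` in place of the three `systemctl restart` lines after the rsync. Note that `chain_verifies` needs the host's CA bundle to be intact, which is one more reason not to replace /etc/pki/tls/cert.pem as discussed above.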
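Added example for the "Mail migration (imapsync)" section: the page shows a single-user command and one failing folder. This script, which is not part of imapsync or of the page, migrates a list of users with per-user password files, rewrites the folder name that Dovecot rejects, and pulls the failed folders out of the logs. It assumes imapsync is installed as above, that /root/sync_info/<user> holds that user's password (the same on both servers, as in the page's example), the page's host names, and imapsync's default LOG_imapsync/ log directory; the `--regextrans2` option is imapsync's own.

```bash
#!/usr/bin/env bash
# Added example, not part of imapsync or of this page's one-line command.
# Migrate a list of users with per-user password files and report the folders
# that could not be created on the destination. Assumptions: imapsync installed;
# /root/sync_info/<user> holds that user's password (same on both servers, as in
# the page's example); hosts as on the page; LOG_imapsync/ is imapsync's default.
set -eu

HOST1=mail.ichiayi.com      # old server
HOST2=192.168.11.236        # new server
PASSDIR=/root/sync_info

# Folder names imapsync could not create on host2, one per line, deduplicated.
# Input: an imapsync log file. Output: e.g. "from Albert/&ZbBbomI2--Data/INDIA/ABC."
imapsync_failed_folders() {
    { grep -o 'Could not create folder \[[^]]*\]' "$1" || true; } \
        | sed 's/^Could not create folder \[\(.*\)\]$/\1/' | LC_ALL=C sort -u
}

# Dovecot's Maildir layout uses '.' as the folder separator, which is why a
# folder such as "ABC." is refused. --regextrans2 rewrites destination folder
# names with a Perl substitution; here only a trailing dot is replaced, so the
# folder hierarchy itself is left alone.
sync_user() {
    local user=$1 passfile="$PASSDIR/$1"
    [ -f "$passfile" ] || { echo "missing $passfile" >&2; return 1; }
    chmod 0600 "$passfile"   # the file holds a clear-text password
    imapsync --host1 "$HOST1" --user1 "$user" --passfile1 "$passfile" \
             --host2 "$HOST2" --user2 "$user" --passfile2 "$passfile" \
             --regextrans2 's/\.$/_/'
}

# Sync every user named in a file (one per line), then list folders that failed.
sync_all() {
    local users=$1 user log
    while read -r user; do
        [ -n "$user" ] || continue
        sync_user "$user" || echo "imapsync exited non-zero for $user" >&2
    done < "$users"
    for log in LOG_imapsync/*.txt; do
        [ -f "$log" ] || continue
        imapsync_failed_folders "$log" | sed "s|^|$log: |"
    done
}
```

Folders still listed after a run with the rewrite in place have other illegal characters in their names and need to be renamed on the old server before re-running imapsync; re-runs are safe because imapsync skips messages that already exist on host2.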