Bind openLDAP Postfix dovecot-sasl Dovecot Roundcube

Installing a mailserver is a quite complex matter because several components are involved. Since there are many different operational scenarios, there are many different possible configurations, thus lots of different howtos around the internet. In this howto I’m going to describe the basic configuration of a mail server which has the following characteristics:

  • Everything runs on CentOS 6.7
  • All software packages are taken from the repository (no compiling necessary)
  • The server is directly connected to the internet using a static IP address
  • Users don’t have system accounts on the Unix machine
  • User accounts are virtual accounts stored in an LDAP
  • Users with a valid LDAP account can …
    • Send and receive mail via POP3/IMAP
    • Send and receive mail via Web Interface

Spam and virus protection (amavis, clamav, spamassassin) is not covered by this howto.

Graphical overview of the set-up:

[figure: graphical overview of the set-up; image not included in this copy]

These are the necessary components:

  • Postfix as MTA (Mail Transfer Agent) –> This is the SMTP server. It accepts incoming mail (after a successful LDAP lookup of the recipient address) and passes it to Dovecot. It forwards outgoing mail (after the user successfully authenticated) to the next responsible SMTP server.
  • Dovecot as LDA (Local Delivery Agent) –> This is the POP3 and IMAP server. It accepts incoming mail from Postfix and stores it in virtual mailboxes. It is connected to the LDAP for user authentication and lookups.
  • Cyrus SASL –> Provides authentication for the SMTP server (since users are only allowed to send mail after they authenticated). User and password verification is done via LDAP.
  • LDAP –> This is the directory service that stores the (virtual) user accounts for the mail server. It uses the postfix-book schema. [UPDATE 2017-11-17: The original postfix-book schema seems to be no longer available, but there is one on GitHub]
  • Roundcube –> This is a web interface that lets users access their mail via web browser instead of a mail client (Mail User Agent). In addition to a webserver (e.g. Apache) Roundcube requires a database to store user settings (e.g. MySQL).

For this howto, everything runs on a single machine. In real life (especially when you have to deal with a lot of users), it may be better to have dedicated machines for certain services. If you use dedicated machines, however, you have to make sure that the communication between them is secure!

Basic Prerequisites

1. Connectivity

The server must be connected to the internet and should be accessible through the following ports:

  • 25 (SMTP)
  • 80 (HTTP)
  • 110 (POP3)
  • 143 (IMAP)
  • 443 (HTTPS)

If you have any firewalls, don’t forget to open the necessary ports.

2. System Time

The server should have an accurate system time, e.g. by using NTP.

3. Hostname

The server needs a fully-qualified hostname (e.g. mail.example.com), because otherwise foreign mail servers might not accept mail from it. This can be checked with the following command: hostname -f

The hostname can be configured in the following config files:

  • /etc/hostname
  • /etc/hosts

4. DNS Resolution

The server must be configured to use a working DNS server. Traditionally, DNS servers are added to /etc/resolv.conf, but on Ubuntu they are configured via NetworkManager, preferably through the GUI, or by manually editing the config file in /etc/NetworkManager/system-connections.

5. DNS Records

The hostname needs to be resolvable in both directions (hostname –> ip & ip –> hostname), so your provider needs to set the following DNS Records for you:

  • A Record (forward lookup, resolves a hostname to an IPv4 address)
  • AAAA Record (forward lookup, resolves a hostname to an IPv6 address)
  • PTR Record (reverse lookup, resolves an IP address to a hostname)
  • MX Record (provides the hostname of a domain’s mail server)

This can be checked with the following commands:

dig mail.example.com A +short # should return your server's IPv4 address
dig mail.example.com AAAA +short # should return your server's IPv6 address, if configured
dig -x <ip address> +short # should return your fully-qualified hostname
dig example.com MX +short # should return your mail server's fully-qualified hostname

6. Logging

For troubleshooting it is important that the logging service is working. By default this is rsyslogd, whose configuration can be found in /etc/rsyslog.d. By default, mail-related log messages go to /var/log/mail.log.

refer link: http://acidx.net/wordpress/2014/06/installing-a-mailserver-with-postfix-dovecot-sasl-ldap-roundcube/

Install DNS

sudo yum install -y bind bind-chroot bind-utils

sudo service named start

sudo tail -n 100 /var/log/messages

sudo vim /etc/named.rfc1912.zones

...

zone "tst.com" IN {
        type master;
        file "named.tst.com";
        allow-update { none; };
};

zone "ttt.com" IN {
        type master;
        file "named.ttt.com";
        allow-update { none; };
};

sudo cp /var/named/named.localhost /var/named/named.tst.com

sudo ls -al /var/named

sudo vim /var/named/named.tst.com

$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       10.20.0.30
        AAAA    ::1
        MX      10 exchange1.tst.com.
exchange1.tst.com.      A       10.20.0.30

sudo cp /var/named/named.tst.com /var/named/named.ttt.com

sudo chown root.named /var/named/named.tst.com

sudo chown root.named /var/named/named.ttt.com

sudo vim /etc/resolv.conf

# Generated by NetworkManager
search tst.com
nameserver 127.0.0.1
nameserver 10.10.0.28

sudo service named restart

dig -t mx ttt.com

dig -t mx tst.com

Notes on the DNS configuration

Add the domain's A record and the reverse-lookup (PTR) configuration

sudo vim /etc/named.rfc1912.zones

zone "webdev06.ttt.com." IN {
  type master;
  file "webdev06.ttt.com.zone";
  allow-update { none; };
}; 

zone "0.20.10.in-addr.arpa" IN {
  type master;
  file "0.20.10.zone";
  allow-update { none; };
}; 

Create the new zone files under /var/named

cp -a named.localhost webdev06.ttt.com.zone
cp -a named.localhost 0.20.10.zone

vim webdev06.ttt.com.zone

; names outside this zone must end with a dot, otherwise BIND appends the zone origin
@       NS      webdev06.sstparts.com.
ns      A       10.3.0.6
mail    A       10.3.0.6
@       MX 10   webdev06.sstparts.com.

If the mail server does not have more than one MX host, the MX preference can be anything (there is only one anyway); the highest is 1 and the lowest 50. When the higher-preference host cannot be resolved, the lower-preference one is tried.

vim 0.20.10.zone

@       NS      webdev06.sstparts.com.
6       PTR     webdev06.sstparts.com.

After configuring the A and MX records, add a TXT record as an SPF (Sender Policy Framework) record. The SPF record syntax can be looked up at http://www.openspf.org/SPF_Record_Syntax.
The meaning is: apart from my A and MX records, if any other host sends mail for this domain, that mail is forged.
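The record the text describes, "v=spf1 a mx -all", can be evaluated without a live DNS server. The following is an added example, not code from the original post: it evaluates an SPF record against a constructed copy of this page's zone data (names and addresses taken from the zone files above) and also handles the ip4 mechanism and the ~ (softfail) qualifier, which the text does not mention.

```python
import ipaddress
from typing import Dict

# Constructed stand-in for the zone data above (no live DNS lookups are made).
ZONE: Dict[str, Dict[str, list]] = {
    "webdev06.ttt.com": {"A": ["10.3.0.6"], "MX": [(10, "webdev06.sstparts.com")]},
    "webdev06.sstparts.com": {"A": ["10.3.0.6"]},
    "other.example": {"A": ["192.0.2.10"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name: str, rtype: str) -> list:
    """Return the records of one type for a name (empty list if none)."""
    return ZONE.get(name.rstrip("."), {}).get(rtype, [])


def check_spf(domain: str, sender_ip: str, record: str) -> str:
    """Evaluate an SPF TXT record for mail from sender_ip claiming domain.

    Handles the a, mx, ip4 and all mechanisms with the +, -, ~ and ? qualifiers
    and returns "pass", "fail", "softfail", "neutral" or "none" (not an SPF record).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech == "a":
            # sender must be one of the domain's own A addresses
            matched = sender_ip in lookup(arg or domain, "A")
        elif mech == "mx":
            # sender must be an A address of one of the domain's MX hosts
            matched = any(sender_ip in lookup(mx_host, "A")
                          for _, mx_host in lookup(arg or domain, "MX"))
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and there was no "all" term


# The record the text describes: only the domain's A and MX hosts may send mail.
SPF_RECORD = "v=spf1 a mx -all"

if __name__ == "__main__":
    for src in ("10.3.0.6", "192.0.2.10"):
        print(src, check_spf("webdev06.ttt.com", src, SPF_RECORD))
```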

Start the named process

sudo chkconfig named on
sudo service named start

Test

dig -t mx webdev06.ttt.com

Configure OpenLDAP

First install OpenLDAP and phpLDAPadmin; refer to OpenLdap

To be able to create mailbox accounts, the following changes are needed

sudo vim /usr/local/etc/openldap/slapd.conf

include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema

...

database        mdb
maxsize         1073741824
suffix          "dc=webdev06,dc=sstparts,dc=com"
rootdn          "cn=Manager,dc=webdev06,dc=sstparts,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          {SSHA}e8yXV//3JJQv+SJpgN5UArhb1QGQ79EG
# The database directory MUST exist prior to running slapd AND 
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /usr/local/var/openldap-data
# Indices to maintain
index   objectClass     eq

loglevel -1

password-hash   {SSHA}

Note: the include lines pull in the related schemas; they are needed so that phpLDAPadmin can add mailbox accounts with objectClass=inetOrgPerson through the template 'Courier Mail: Account'.

For the Postfix-related schema, see: https://github.com/variablenix/ldap-mail-schema

Configure Postfix

First install Postfix; refer to Postfix

sudo yum install -y postfix postfix-ldap

Postfix divides domains into the following classes:

canonical domains: the hostnames and IP addresses of the machine running Postfix, or the host's parent domain, are called canonical domains.
Canonical domains are implemented in Postfix as local_domain.

hosted domains: domains for which the server is the final destination but which are not canonical domains are called hosted domains.
Hosted domains are implemented in Postfix as virtual_alias_domain or virtual_mailbox_domain.

relay domains: domains for which the server is not the final destination and has to forward the mail are called relay domains.
Relay domains are implemented in Postfix as relay_domain.

Create a vmail directory under /usr/local to hold the Maildir-format mailboxes

sudo mkdir /usr/local/vmail
sudo chmod 700 /usr/local/vmail

Because virtual users are used as mail accounts, create one system account for them to map to, so that all mail is collected under this system user's home directory

sudo groupadd --gid 5000 vmail
sudo useradd -s /sbin/nologin --group vmail --gid 5000 --uid 5000 --home-dir /usr/local/vmail vmail

sudo vim /etc/postfix/main.cf

###############################
# basic
###############################

myhostname = webdev06.ttt.com
mydomain = webdev06.ttt.com
myorigin = $mydomain
mydestination =
#mynetworks = 10.20.0.0/24 127.0.0.1/8
mynetworks_style = host
debug_peer_level = 1024
inet_interfaces = all
# mail_spool_directory = /var/spool/mail
home_mailbox = Maildir/
smtpd_banner = Welcome using Postfix Esmtp Service

###############################
# sasl auth & smtp auth
###############################
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
message_size_limit = 157286400
mailbox_size_limit = 314572800

###############################
# virtual for using ldap accounts
###############################

virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
virtual_mailbox_domains = hash:/etc/postfix/virtual_domains
virtual_mailbox_base = /usr/local/vmail
virtual_alias_maps = proxy:ldap:/etc/postfix/ldap_virtual_aliases.cf
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_mailbox_limit = 314572800

Note: mydestination must be kept empty; otherwise Postfix's own LDA would be used to deliver the mail. Here Dovecot is the LDA for the virtual domain.

Because virtual_transport is set to dovecot here, i.e. Dovecot delivers to the virtual mailboxes, the dovecot service definition has to be appended at the end of master.cf

sudo vim /etc/postfix/master.cf

dovecot   unix  -       n       n       -       -       pipe
  flags=ODRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -e -f ${sender} -d ${recipient}

sudo vim /etc/postfix/virtual_domains

webdev06.ttt.com   OK

sudo vim /etc/postfix/ldap_virtual_aliases.cf

bind = yes
bind_dn = cn=Manager,dc=webdev06,dc=ttt,dc=com
bind_pw = asdf
server_host = 127.0.0.1
search_base = dc=webdev06,dc=ttt,dc=com
query_filter = (&(|(objectClass=inetOrgPerson)(objectClass=posixGroup))(cn=%s))
result_attribute = memberUid,alias
result_format = %s

Test:

postmap -q ddd@webdev06.ttt.com ldap:/etc/postfix/ldap_virtual_aliases.cf

If it is correct, it returns: ddd@webdev06.ttt.com

Restart Postfix

sudo service postfix restart

Configure Postfix TLS

With the current configuration, the mail server only offers plaintext (and login) authentication. This is good, because all clients support these mechanisms and the passwords can be stored encrypted in the LDAP. Other authentication methods would require storing the passwords in plaintext. To make the authentication process secure (and not have the passwords transferred in plaintext) the session needs to be encrypted; this is done with TLS.

1. Certificate Files & Permissions

Save your certificate and key files in /etc/postfix/certs (see main.cf for filenames). Also save the Diffie-Hellman files (for perfect forward secrecy) in this folder. These can be created as follows:

openssl dhparam -2 -out dh_512.pem 512

openssl dhparam -2 -out dh_1024.pem 1024

Set the permissions to:

chown -R root:root /etc/postfix/certs/

chmod -R 600 /etc/postfix/certs/

2. Activate TLS

sudo vim /etc/postfix/main.cf

smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
tls_random_source = dev:/dev/urandom
smtpd_tls_loglevel = 2
smtpd_client_new_tls_session_rate_limit = 10
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_session_cache
smtpd_tls_exclude_ciphers = EXP
    ECH-RSA-DES-CBC-SHA
    ADH-DES-CBC-SHA
    DES-CBC-SHA
    SEED-SHA
smtpd_tls_dh512_param_file = ${config_directory}/certs/dh_512.pem
smtpd_tls_dh1024_param_file = ${config_directory}/certs/dh_1024.pem

Note: /etc/ssl/certs/ca-bundle.crt here is the system's own file; smtpd_tls_cert_file and smtpd_tls_key_file reuse Dovecot's certificate files

sudo vim /etc/postfix/master.cf

submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

Note: the line -o smtpd_client_restrictions=permit_sasl_authenticated,reject needs to stay commented out, otherwise an error like the following may appear:
Client host rejected: Access denied

3. TLS Test

With the following command you can connect to the server using STARTTLS:

openssl s_client -CAfile certs/example-cacert.pem -starttls smtp -connect localhost:25

Then you can talk to the server like in a Telnet session, but do not type a capital “R” since this will trigger a Renegotiation. If you want to send a mail, use “rcpt to:” instead of “RCPT TO:”.

This also works from external hosts (just change the -connect value to your mail server name). The -CAfile parameter is optional and can be omitted for a quick test.

You can also test through a Foxmail account set up with port 465 and "Secure Connection" ticked; if mail can be sent normally, it works.
Looking at the log afterwards you can see:

sudo tail -n 50 /var/log/maillog

Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: initializing the server-side TLS engine
Apr 18 16:10:17 webdev06 postfix/tlsmgr[10219]: warning: request to update table btree:/etc/postfix/smtpd_session_cache in non-postfix directory /etc/postfix
Apr 18 16:10:17 webdev06 postfix/tlsmgr[10219]: warning: redirecting the request to postfix-owned data_directory /var/lib/postfix
Apr 18 16:10:17 webdev06 postfix/tlsmgr[10219]: open smtpd TLS cache btree:/var/lib/postfix/smtpd_session_cache
Apr 18 16:10:17 webdev06 postfix/tlsmgr[10219]: tlsmgr_cache_run_event: start TLS smtpd session cache cleanup
Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: connect from unknown[10.3.1.62]
Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: setting up TLS connection from unknown[10.3.1.62]
Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: unknown[10.3.1.62]: TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!EXP:!ECH-RSA-DES-CBC-SHA:!ADH-DES-CBC-SHA:!DES-CBC-SHA:!SEED-SHA"
Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: SSL_accept:before/accept initialization
Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: SSL_accept:SSLv3 read client hello B
Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: SSL_accept:SSLv3 write server hello A
Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: SSL_accept:SSLv3 write certificate A
Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: SSL_accept:SSLv3 write key exchange A
Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: SSL_accept:SSLv3 write server done A
Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: SSL_accept:SSLv3 flush data
Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: SSL_accept:SSLv3 read client key exchange A
Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: SSL_accept:SSLv3 read finished A
Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: SSL_accept:SSLv3 write change cipher spec A
Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: SSL_accept:SSLv3 write finished A
Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: SSL_accept:SSLv3 flush data
Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: unknown[10.3.1.62]: save session D61301D600CA2B2CA8572CAA30604180F5AD4803703CED14B5DA7F2318C7D206&s=smtps to smtpd cache
Apr 18 16:10:17 webdev06 postfix/tlsmgr[10219]: put smtpd session id=D61301D600CA2B2CA8572CAA30604180F5AD4803703CED14B5DA7F2318C7D206&s=smtps [data 153 bytes]
Apr 18 16:10:17 webdev06 postfix/tlsmgr[10219]: write smtpd TLS cache entry D61301D600CA2B2CA8572CAA30604180F5AD4803703CED14B5DA7F2318C7D206&s=smtps: time=1524039017 [data 153 bytes]
Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: Anonymous TLS connection established from unknown[10.3.1.62]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)

Configure Postfix SMTP account authentication

SMTP authentication, put simply, means that an account name and password must be supplied before logging in to the SMTP server, which leaves spam senders no opening.
The purpose of adding SMTP authentication is to protect users from being flooded with spam.

SASL (Simple Authentication and Security Layer) is an authentication framework described in RFC 2222; it is a way of adding authentication support to connection-based protocols. With SASL authentication, the application-layer protocol obtains access authorization from the server by inserting the relevant authentication commands, and the two sides can also negotiate whether or not to use additional protection for the rest of the protocol exchange. There are several SASL implementations; on Linux the one usually used is Cyrus SASL, software from Carnegie Mellon University (CMU) in the USA.

Check which SASL implementations Postfix supports:

# postconf -a
cyrus
dovecot

So the current Postfix version supports two SASL implementations: Cyrus SASL and Dovecot SASL.

Configure cyrus-sasl to authenticate against LDAP

saslauthd is the Cyrus SASL daemon. Check the mode in which the running saslauthd was started:

# ps awx|grep sasl
3244 ?        Ss     0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a shadow sasldb
...

Two parameters are involved here:

-m sets saslauthd's working directory. -a sets saslauthd's authentication mechanism.

Above, saslauthd's working directory is /var/run/saslauthd and the authentication mechanism is shadow.

saslauthd's runtime parameters can be configured by editing /etc/sysconfig/saslauthd:

sudo vim /etc/sysconfig/saslauthd

SOCKETDIR=/var/run/saslauthd
MECH=ldap
FLAGS=

This config file contains a few common parameters: SOCKETDIR sets the working directory (the socket path saslauthd listens on), i.e. the path set with -m.

saslauthd normally talks to other processes over UNIX domain sockets, so make sure the Postfix SMTP server has read and execute permission on saslauthd's working directory:

ls -ld /var/run/saslauthd/

drwxr-xr-x 2 root root 4096 7月 28 18:02 /var/run/saslauthd/

Here is a sample Cyrus SASL configuration:

log_level: 3
pwcheck_method: saslauthd
mech_list: plain login

pwcheck_method can be set to saslauthd or auxprop.

saslauthd is the most basic verification method. If pwcheck_method is set to saslauthd, mech_list can only be plain and login, and both of these mechanisms (plain and login) send the credentials unencrypted, so TLS should be used to protect them.

Use testsaslauthd to test the saslauthd authentication mechanism:

testsaslauthd -u bailing -p 123456
0: NO "authentication failed"
testsaslauthd -u bailing -p MYCORRECTPWD
0: OK "Success."

If it is set to auxprop (Auxiliary Property Plugins) instead, another option is needed: auxprop_plugin. Cyrus SASL supports extending libsasl with plugins; for details see: http://www.berlinix.com/net/postfix.php

Edit /etc/saslauthd.conf. If the saslauthd.conf file does not exist, create it. The saslauthd.conf file usually resides in the /etc folder. If specifying a different file path, see the -O option of saslauthd.

sudo vim /etc/saslauthd.conf

ldap_servers: ldap://localhost
ldap_bind_dn: cn=Manager,dc=webdev06,dc=sstparts,dc=com
ldap_bind_pw: asdf
ldap_timeout: 10
ldap_time_limit: 10
ldap_scope: sub
ldap_search_base: dc=webdev06,dc=sstparts,dc=com
ldap_auth_method: bind
ldap_filter: (cn=%u)
ldap_debug: 0
ldap_verbose: off
ldap_ssl: no
ldap_starttls: no
ldap_referrals: yes

Start saslauthd
sudo service saslauthd restart
sudo chkconfig saslauthd on

Test:

testsaslauthd -u lzhang -p asdfgh

0: OK "Success."

OK, the cyrus-sasl LDAP authentication test succeeded.

Note: because saslauthd's verification method is unencrypted, if the password in LDAP is not stored in clear format, verification will not succeed.
For this reason the second method, dovecot-sasl, is recommended for authentication.

Configure Postfix for cyrus-SASL

sudo vim /etc/postfix/main.cf

smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
# reject_unauth_destination is required so that the server does not relay for unauthenticated clients
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_hostname,
    reject_unauth_pipelining,
    reject_unauth_destination

Configure dovecot-sasl to authenticate against LDAP

Since version 2.3, Postfix supports SMTP AUTH through Dovecot SASL as introduced in the Dovecot 1.0 series. If using Postfix obtained from a binary (such as a .rpm or .deb file), you can check if Postfix was compiled with support for Dovecot SASL by running the command:

postconf -a

Console output:

cyrus
dovecot

Once you have verified that your installation of Postfix supports Dovecot SASL, it's very simple to configure:

Add or change the following lines in the Postfix config file main.cf to enable dovecot-sasl

sudo vim /etc/postfix/main.cf

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

If Postfix and Dovecot are running on separate servers, you can also authenticate via TCP. For Dovecot set up an inet_listener:

service auth {
  inet_listener {
    port = 12345
  }
}

And configure Postfix to use it:

smtpd_sasl_path = inet:dovecot.example.com:12345
smtpd_sasl_type = dovecot

That completes the dovecot-sasl authentication configuration; the regular Dovecot configuration below still has to be done, i.e. account authentication, IMAP and POP.

Configure Dovecot

sudo vim /etc/dovecot/conf.d/10-master.conf

 service auth {
 ...
   unix_listener /var/spool/postfix/private/auth {
     mode = 0660
     # Assuming the default Postfix user and group
     user = postfix
     group = postfix        
   }
   ...
 }

Outlook Express and Windows Mail work only with the LOGIN mechanism, not the standard PLAIN:

auth_mechanisms = plain login

sudo vim /etc/dovecot/conf.d/10-auth.conf

!include auth-ldap.conf.ext

Create dovecot-ldap.conf.ext in the /etc/dovecot directory. This file configures Dovecot's account authentication; it is the file referenced by userdb and passdb in /etc/dovecot/conf.d/auth-ldap.conf.ext, so it covers Postfix's SMTP authentication as well as IMAP and POP authentication.

sudo vim /etc/dovecot/dovecot-ldap.conf.ext

hosts = localhost
dn = cn=Manager,dc=webdev06,dc=sstparts,dc=com
dnpass = asdf
ldap_version = 3
base = dc=webdev06,dc=sstparts,dc=com
scope = subtree
user_attrs = mailStorageDirectory=mail
user_filter = (&(objectClass=inetOrgPerson)(mail=%u))
pass_attrs = mail=user,userPassword=password
pass_filter = (&(objectClass=inetOrgPerson)(mail=%u))
default_pass_scheme = CRYPT

Note: the mail=user setting makes the e-mail address the user name used to look up the user's information and the value of %u; this is what allows the Maildir-format mailbox to be created under /usr/local/vmail with the full domain in its name. In phpLDAPadmin the password of the lzhang account must also be CRYPT-hashed.
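To show how the {SSHA} scheme selected by password-hash in slapd.conf above and the scheme prefix that Dovecot checks before falling back to default_pass_scheme fit together, here is an added example (not code from the original post, OpenLDAP or Dovecot): it produces an OpenLDAP-style userPassword value for a constructed password and verifies candidates against it, reading an unprefixed value according to a default scheme the way Dovecot does. CRYPT itself is not implemented in it.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional, Tuple


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style {SSHA} userPassword value.

    Layout: "{SSHA}" + base64(sha1(password + salt) + salt); this is the
    scheme chosen by "password-hash {SSHA}" in slapd.conf above.
    """
    if salt is None:
        salt = os.urandom(4)  # slappasswd also uses a short random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def make_sha(password: str) -> str:
    """Unsalted {SHA} value, shown only for contrast with {SSHA}."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def split_scheme(stored: str, default_scheme: str) -> Tuple[str, str]:
    """Return (scheme, payload) for a userPassword value.

    Like Dovecot, a leading {SCHEME} prefix wins; a value without one is
    read with the configured default_pass_scheme.
    """
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].upper(), stored[end + 1:]
    return default_scheme.upper(), stored


def verify_password(stored: str, candidate: str, default_scheme: str = "CRYPT") -> bool:
    """Check candidate against a stored userPassword value.

    Supports SSHA, SHA and PLAIN. CRYPT (the scheme Dovecot is told to
    assume above) needs the platform crypt(3) and is not implemented here,
    so such values are rejected rather than guessed at.
    """
    scheme, payload = split_scheme(stored, default_scheme)
    if scheme == "PLAIN":
        return hmac.compare_digest(payload.encode("utf-8"), candidate.encode("utf-8"))
    if scheme == "SHA":
        return hmac.compare_digest(make_sha(candidate), "{SHA}" + payload)
    if scheme == "SSHA":
        try:
            # the salt is whatever follows the 20-byte SHA-1 digest
            salt = base64.b64decode(payload, validate=True)[20:]
        except (binascii.Error, ValueError):
            return False
        return hmac.compare_digest(make_ssha(candidate, salt), "{SSHA}" + payload)
    return False


if __name__ == "__main__":
    value = make_ssha("constructed-example-password")
    print(value, verify_password(value, "constructed-example-password"))
```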

sudo vim /etc/dovecot/conf.d/10-mail.conf

mail_location = maildir:/usr/local/vmail/%u/Maildir
...
mail_uid = 5000
mail_gid = 5000

Activate logging in /etc/dovecot/conf.d/10-logging.conf:

log_path = syslog
syslog_facility = mail
auth_debug = yes

Restart the dovecot service

sudo service dovecot restart

Test by logging in over IMAP

[lzhang@webdev06 dovecot]$ telnet localhost 143
Trying ::1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
a login lzhang@webdev06.sstparts.com asdfgh
a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS] Logged in

If the above output appears, the login succeeded.

If an error occurs, use the log to diagnose it:

sudo tail -n 500 /var/log/maillog

You can also verify with Outlook or Postfix.

maillog:

Apr 18 10:29:11 webdev06 dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011lip=::1#011rip=::1#011lport=143#011rport=56299#011resp=<hidden>
Apr 18 10:29:11 webdev06 dovecot: auth: Debug: ldap(lzhang@webdev06.sstparts.com,::1): pass search: base=dc=webdev06,dc=sstparts,dc=com scope=subtree filter=(&(objectClass=inetOrgPerson)(mail=lzhang@webdev06.sstparts.com)) fields=mail,userPassword
Apr 18 10:29:11 webdev06 dovecot: auth: Debug: ldap(lzhang@webdev06.sstparts.com,::1): result: userPassword(password)=<hidden> mail(user)=lzhang@webdev06.sstparts.com
Apr 18 10:29:11 webdev06 dovecot: auth: Debug: client out: OK#0111#011user=lzhang@webdev06.sstparts.com
Apr 18 10:29:11 webdev06 dovecot: auth: Debug: master in: REQUEST#0114013686785#01129815#0111#01127e51606ab079738bd43fffbaeb4fe36
Apr 18 10:29:11 webdev06 dovecot: auth: Debug: ldap(lzhang@webdev06.sstparts.com,::1): user search: base=dc=webdev06,dc=sstparts,dc=com scope=subtree filter=(&(objectClass=inetOrgPerson)(mail=lzhang@webdev06.sstparts.com)) fields=mailStorageDirectory
Apr 18 10:29:11 webdev06 dovecot: auth: Debug: ldap(lzhang@webdev06.sstparts.com,::1): no fields returned by the server
Apr 18 10:29:11 webdev06 dovecot: auth: Debug: master out: USER#0114013686785#011lzhang@webdev06.sstparts.com
Apr 18 10:29:11 webdev06 dovecot: imap-login: Login: user=<lzhang@webdev06.sstparts.com>, method=PLAIN, rip=::1, lip=::1, mpid=29831, secured
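Two of the log excerpts above, the Postfix smtpd TLS handshake and the Dovecot imap-login line, carry the details a defender would want to check routinely. The following added example (not from the original post) audits constructed maillog lines modelled on them: it extracts the negotiated TLS version and cipher, and the IMAP login method together with whether the login was marked "secured", and flags an outdated TLS version or a plaintext login that was not protected.

```python
import re

# Constructed sample lines, modelled on the Postfix and Dovecot excerpts above.
SAMPLE_LOG = """\
Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: connect from unknown[10.3.1.62]
Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: Anonymous TLS connection established from unknown[10.3.1.62]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Apr 18 16:12:02 webdev06 postfix/smtpd[10230]: Anonymous TLS connection established from unknown[10.3.1.70]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr 18 10:29:11 webdev06 dovecot: imap-login: Login: user=<lzhang@webdev06.sstparts.com>, method=PLAIN, rip=::1, lip=::1, mpid=29831, secured
Apr 18 10:31:45 webdev06 dovecot: imap-login: Login: user=<lzhang@webdev06.sstparts.com>, method=PLAIN, rip=10.3.1.62, lip=10.3.0.6, mpid=29840
"""

# Postfix smtpd: "<Anonymous|Trusted|...> TLS connection established from <peer>: <proto> with cipher <name> (...)"
TLS_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?:Anonymous|Untrusted|Trusted|Verified) TLS connection "
    r"established from (?P<peer>\S+): (?P<proto>(?:TLS|SSL)v[\d.]+) with cipher (?P<cipher>\S+)"
)
# Dovecot imap-login: "... method=<mech>, rip=<ip>, lip=<ip>, mpid=<n>[, secured]"
LOGIN_RE = re.compile(
    r"dovecot: imap-login: Login: user=<(?P<user>[^>]*)>, method=(?P<method>[\w-]+), "
    r"rip=(?P<rip>[^,]+), lip=(?P<lip>[^,]+), mpid=\d+(?P<secured>, secured)?"
)

ACCEPTABLE_TLS = {"TLSv1.2", "TLSv1.3"}
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def audit_maillog(text):
    """Scan maillog text; return (line_no, kind, detail, finding) per matched line.

    kind is "tls" or "login"; finding is "" when nothing needs attention.
    """
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = TLS_RE.search(line)
        if m:
            proto, cipher = m.group("proto"), m.group("cipher")
            finding = ""
            if proto not in ACCEPTABLE_TLS:
                finding = "outdated protocol " + proto
            elif not cipher.startswith(("ECDHE-", "DHE-")):
                finding = "cipher without forward secrecy"
            results.append((lineno, "tls", f"{m.group('peer')} {proto} {cipher}", finding))
            continue
        m = LOGIN_RE.search(line)
        if m:
            finding = ""
            # Dovecot tags TLS and localhost connections "secured"; a PLAIN/LOGIN
            # login without that tag sent the password in the clear over the network.
            if m.group("method").upper() in PLAINTEXT_MECHS and not m.group("secured"):
                finding = "plaintext credentials on an unprotected connection"
            detail = f"{m.group('user')} {m.group('method')} from {m.group('rip')}"
            results.append((lineno, "login", detail, finding))
    return results


def problems(text):
    """Only the audit entries that carry a finding."""
    return [entry for entry in audit_maillog(text) if entry[3]]


if __name__ == "__main__":
    for lineno, kind, detail, finding in audit_maillog(SAMPLE_LOG):
        print(f"line {lineno}: {kind} {detail} -> {finding or 'ok'}")
```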

refer links:

https://wiki.dovecot.org/HowTo/DovecotOpenLdap

https://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL

https://www.vennedey.net/resources/2-LDAP-managed-mail-server-with-Postfix-and-Dovecot-for-multiple-domains

Configure Roundcube

RoundCube Webmail is a browser-based, multilingual IMAP client whose user interface looks like a desktop application.

It provides all the functions an e-mail client should have, including MIME support, an address book, folder manipulation, message search and spell checking. RoundCube Webmail is developed in PHP+Ajax and needs a MySQL database to store its data. The user interface is designed with XHTML+CSS2.

Open source and free.

First download it from the official site: https://roundcube.net/download/

After downloading, extract it; the resulting directory contains INSTALL and README files. Read them before installing, especially the INSTALL file, to check whether your PHP and MySQL differ from what it expects.

1. Decompress and put this folder somewhere inside your document root

wget https://github.com/roundcube/roundcubemail/releases/download/1.1.10/roundcubemail-1.1.10.tar.gz

tar -xzvf roundcubemail-1.1.10.tar.gz

sudo mv roundcubemail-1.1.10 /usr/local/roundcube

cd /usr/local/roundcube

more INSTALL

2. Install dependencies using composer:

  • get composer from https://getcomposer.org/download/
  • rename the composer.json-dist file into composer.json
  • if you want to use LDAP address books, enable the LDAP libraries in your composer.json file by moving the items from "suggest" to the "require" section (remove the explanation texts after the version!).
  • run php composer.phar install --no-dev

3. Make sure that the following directories (and the files within) are writable by the webserver

  • /temp
  • /logs

4. Create a new database and a database user for Roundcube (see DATABASE SETUP)

  • MySQL

Setting up the mysql database can be done by creating an empty database, importing the table layout and granting the proper permissions to the roundcube user. Here is an example of that procedure:

mysql
CREATE DATABASE roundcubemail /*!40101 CHARACTER SET utf8 COLLATE utf8_general_ci */;
GRANT ALL PRIVILEGES ON roundcubemail.* TO roundcube@localhost IDENTIFIED BY 'password';
quit

mysql -u root -p roundcubemail < SQL/mysql.initial.sql

Note 1: 'password' is the master password for the roundcube user. It is strongly recommended you replace this with a more secure password. Please keep in mind: You need to specify this password later in 'config/db.inc.php'.

5. update some configs

cp config/config.inc.php.sample config/config.inc.php

sudo vim config/config.inc.php

then add one line after the sentence '$config = array();'

$config['enable_installer'] = true;

and update the db name and password, like:

$config['db_dsnw'] = 'mysql://roundcube:pass@localhost/roundcubemail';

6. Point your browser to http://url-to-roundcube/installer/

7. Follow the instructions of the install script (or see MANUAL CONFIGURATION)

There will be some problems after you view the web install page, like PHP 5.3.3 needing to be upgraded to a version newer than 5.3.7; I upgraded to 5.6.35

sudo yum remove php55w.x86_64 php55w-cli.x86_64 php55w-common.x86_64 php55w-gd.x86_64 php55w-ldap.x86_64 php55w-mbstring.x86_64 php55w-mcrypt.x86_64 php55w-mysql.x86_64 php55w-pdo.x86_64 php55w-xml.x86_64

yum list installed | grep php

sudo rpm -Uvh http://mirror.webtatic.com/yum/el6/latest.rpm

sudo yum install php56w.x86_64 php56w-cli.x86_64 php56w-common.x86_64 php56w-gd.x86_64 php56w-ldap.x86_64 php56w-mbstring.x86_64 php56w-mysql.x86_64 php56w-pdo.x86_64 php56w-odbc.x86_64

yum list installed | grep php

php -v

sudo service httpd restart

refer link: https://blog.csdn.net/na_beginning/article/details/53414122

sudo yum install php56w-xml.x86_64

sudo yum install php56w-pecl-memcache.x86_64

sudo yum install php56w-pear

sudo pear install Net_SMTP --alldeps

sudo pear install Mail_Mime

sudo pear install channel://pear.php.net/Net_IDNA2-0.2.0

sudo pear install Auth_SASL

sudo yum install phpldapadmin.noarch

yum list installed | grep php

php56w.x86_64 5.6.35-1.w6 @webtatic
php56w-cli.x86_64 5.6.35-1.w6 @webtatic
php56w-common.x86_64 5.6.35-1.w6 @webtatic
php56w-gd.x86_64 5.6.35-1.w6 @webtatic
php56w-ldap.x86_64 5.6.35-1.w6 @webtatic
php56w-mbstring.x86_64 5.6.35-1.w6 @webtatic
php56w-mysql.x86_64 5.6.35-1.w6 @webtatic
php56w-odbc.x86_64 5.6.35-1.w6 @webtatic
php56w-pdo.x86_64 5.6.35-1.w6 @webtatic
php56w-pear.noarch 1:1.10.4-1.w6 @webtatic
php56w-pecl-memcache.x86_64
php56w-process.x86_64 5.6.35-1.w6 @webtatic
php56w-xml.x86_64 5.6.35-1.w6 @webtatic
phpldapadmin.noarch 1.2.3-10.el6 @epel

sudo vim config/config.inc.php

//$config['enable_installer'] = true;

mv installer installer_done

refer link:

http://acidx.net/wordpress/2014/06/installing-a-mailserver-with-postfix-dovecot-sasl-ldap-roundcube/
