Differences
Below are the differences between two revisions of the page.
tuto:fusiondirectory:postfix [02/09/2013 18:23] dani [Configuration in FusionDirectory] |
tuto:fusiondirectory:postfix [07/09/2013 14:08] (current version) dani |
---|---|---|---|
Ligne 1: | Ligne 1: | ||
====== Gestion de serveurs postfix ====== | ====== Gestion de serveurs postfix ====== | ||
- | Postfix est un MTA très souple, qui peut être utilisé de beaucoup de façon différente. Il peut utiliser les données d'un annuaire LDAP pour beaucoup de choses. Dans cet exemple, nous allons configurer deux serveurs postfix: | + | Postfix est un MTA très souple, qui peut être utilisé de beaucoup de façons différentes. Il peut utiliser les données d'un annuaire LDAP pour beaucoup de choses. Dans cet exemple, nous allons configurer deux serveurs postfix: |
* Le premier sera installé sur un serveur nommé **proxy**. Il sera chargé d' | * Le premier sera installé sur un serveur nommé **proxy**. Il sera chargé d' | ||
Ligne 73: | Ligne 73: | ||
* Configurer le service postfix, en y déclarant notamment les domaines que vous gérez en internes | * Configurer le service postfix, en y déclarant notamment les domaines que vous gérez en internes | ||
{{: | {{: | ||
+ | |||
+ | <note important> | ||
+ | * Local Networks | ||
+ | * Max mail header size | ||
+ | * Max mailbox size | ||
+ | * Max message size | ||
+ | * Relay host | ||
+ | * Restrictions for sender | ||
+ | * Restriction for recipient | ||
+ | * Transport (en cours de correction, voir https:// | ||
+ | </ | ||
===== Configuration du proxy ===== | ===== Configuration du proxy ===== | ||
- | La p | + | Le serveur frontal (le proxy donc) va faire plusieurs choses |
+ | |||
+ | * Vérifier que les mails qu'il reçoit sont bien à destination d'un des domaines gérés par le serveur interne (cette info sera récupérée de façon dynamique dans l' | ||
+ | * Vérifier que l' | ||
+ | * Appliquer des filtres de bases (pas de relais pour n' | ||
+ | * Gérer l' | ||
+ | * Passer les mails à une moulinette Antivirus (clamav) et anti-spam (spamassassin) via amavis | ||
+ | * Pour finir, si le mail à passé toutes ces étapes, il va le transmettre au serveur interne qui gère la boite du destinataire | ||
+ | |||
+ | <note tip>Il est possible de gérer plusieurs serveurs de mails distincts en interne. le postfix frontal va demander à l' | ||
+ | |||
+ | ==== Installation des composants ==== | ||
+ | |||
+ | <code bash> | ||
+ | yum install amavisd-new postfix cyrus-sasl-ldap cyrus-sasl-ldap saslauthd | ||
+ | </ | ||
+ | |||
+ | <note important> | ||
+ | |||
+ | ==== Configuration de postfix ==== | ||
+ | |||
+ | * / | ||
+ | <code ini> | ||
+ | [...] | ||
+ | amavisfeed unix - | ||
+ | -o lmtp_data_done_timeout=1200 | ||
+ | -o lmtp_send_xforward_command=yes | ||
+ | -o disable_dns_lookups=yes | ||
+ | -o max_use=20 | ||
+ | 127.0.0.1: | ||
+ | -o content_filter= | ||
+ | -o smtpd_delay_reject=no | ||
+ | -o smtpd_client_restrictions=permit_mynetworks, | ||
+ | -o smtpd_helo_restrictions= | ||
+ | -o smtpd_sender_restrictions= | ||
+ | -o smtpd_recipient_restrictions=permit_mynetworks, | ||
+ | -o smtpd_data_restrictions=reject_unauth_pipelining | ||
+ | -o smtpd_end_of_data_restrictions= | ||
+ | -o smtpd_restriction_classes= | ||
+ | -o mynetworks=127.0.0.0/ | ||
+ | -o smtpd_error_sleep_time=0 | ||
+ | -o smtpd_soft_error_limit=1001 | ||
+ | -o smtpd_hard_error_limit=1000 | ||
+ | -o smtpd_client_connection_count_limit=0 | ||
+ | -o smtpd_client_connection_rate_limit=0 | ||
+ | -o receive_override_options=no_header_body_checks, | ||
+ | [...] | ||
+ | </ | ||
+ | * / | ||
+ | <code ini> | ||
+ | queue_directory = / | ||
+ | command_directory = /usr/sbin | ||
+ | daemon_directory = / | ||
+ | data_directory = / | ||
+ | |||
+ | mail_owner = postfix | ||
+ | myhostname = proxy.firewall-services.com | ||
+ | mydomain = proxy.firewall-services.com | ||
+ | mydestination = | ||
+ | mynetworks = 10.10.0.0/ | ||
+ | |||
+ | transport_maps = ldap:/ | ||
+ | |||
+ | relay_recipient_maps = ldap:/ | ||
+ | relay_domains = ldap:/ | ||
+ | |||
+ | recipient_delimiter = + | ||
+ | |||
+ | smtpd_tls_cert_file = / | ||
+ | smtpd_tls_key_file = / | ||
+ | smtpd_tls_security_level = may | ||
+ | |||
+ | smtpd_sasl_path = smtpd | ||
+ | smtpd_sasl_auth_enable = yes | ||
+ | smtpd_sasl_security_options = noanonymous | ||
+ | smtpd_sasl_tls_security_options = noanonymous | ||
+ | smtpd_tls_auth_only = yes | ||
+ | |||
+ | smtpd_recipient_restrictions = | ||
+ | permit_mynetworks, | ||
+ | permit_sasl_authenticated, | ||
+ | reject_invalid_hostname, | ||
+ | reject_non_fqdn_hostname, | ||
+ | reject_non_fqdn_sender, | ||
+ | reject_non_fqdn_recipient, | ||
+ | reject_unknown_sender_domain, | ||
+ | reject_unverified_recipient, | ||
+ | reject_unauth_destination, | ||
+ | reject_unauth_pipelining, | ||
+ | reject_rbl_client zen.spamhaus.org, | ||
+ | reject_rbl_client psbl.surriel.com, | ||
+ | reject_rbl_client dnsbl.sorbs.net, | ||
+ | reject_rbl_client bl.spamcop.net, | ||
+ | reject_rbl_client cbl.abuseat.org, | ||
+ | reject_rbl_client b.barracudacentral.org, | ||
+ | reject_rbl_client dnsbl-1.uceprotect.net | ||
+ | |||
+ | content_filter = amavisfeed: | ||
+ | </ | ||
+ | |||
+ | * / | ||
+ | <code ini> | ||
+ | server_host = ldap:// | ||
+ | bind = yes | ||
+ | bind_dn = cn=mail, | ||
+ | bind_pw = dsa_p@ssw0rd | ||
+ | version = 3 | ||
+ | start_tls = yes | ||
+ | search_base = dc=firewall-services, | ||
+ | query_filter = (& | ||
+ | result_attribute = gosaMailServer | ||
+ | result_format = smtp:[%s] | ||
+ | </ | ||
+ | |||
+ | * / | ||
+ | <code ini> | ||
+ | server_host = ldap:// | ||
+ | bind = yes | ||
+ | bind_dn = cn=mail, | ||
+ | bind_pw = dsa_p@ssw0rd | ||
+ | version = 3 | ||
+ | start_tls = yes | ||
+ | search_base = dc=firewall-services, | ||
+ | query_filter = (& | ||
+ | result_attribute = postfixMyDomain, | ||
+ | </ | ||
+ | |||
+ | * / | ||
+ | <code ini> | ||
+ | server_host = ldap:// | ||
+ | bind = yes | ||
+ | bind_dn = cn=mail, | ||
+ | bind_pw = dsa_p@ssw0rd | ||
+ | version = 3 | ||
+ | start_tls = yes | ||
+ | search_base = dc=firewall-services, | ||
+ | query_filter = (& | ||
+ | result_attribute = gosaMailServer, | ||
+ | </ | ||
+ | |||
+ | <note important> | ||
+ | < | ||
+ | chown :postfix / | ||
+ | chmod 640 / | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | ==== Configuration de l' | ||
+ | Postfix va utiliser le démon saslauthd pour authentifier les utilisateurs. Ce démon saslauthd vérifiera les identifications sur l' | ||
+ | * / | ||
+ | <code ini> | ||
+ | # Directory in which to place saslauthd' | ||
+ | # on. This directory must already exist. | ||
+ | SOCKETDIR=/ | ||
+ | |||
+ | # Mechanism to use when checking passwords. | ||
+ | # of which mechanism your installation was compiled with the ablity to use. | ||
+ | MECH=ldap | ||
+ | |||
+ | # Options sent to the saslauthd. If the MECH is other than " | ||
+ | DAEMONOPTS=" | ||
+ | |||
+ | # Additional flags to pass to saslauthd on the command line. See saslauthd(8) | ||
+ | # for the list of accepted flags. | ||
+ | FLAGS=" | ||
+ | </ | ||
+ | |||
+ | * / | ||
+ | <code ini> | ||
+ | ldap_servers: | ||
+ | ldap_search_base: | ||
+ | ldap_filter: | ||
+ | ldap_bind_dn: | ||
+ | ldap_bind_pw: | ||
+ | ldap_start_tls: | ||
+ | ldap_auth_method: | ||
+ | ldap_version: | ||
+ | </ | ||
+ | |||
+ | On peut maintenant démarrer les services saslauthd et postfix | ||
+ | ===== Configuration du serveur interne ===== | ||
+ | |||
+ | ==== Installation des composants ==== | ||
+ | On va utiliser dovecot pour la remise des mails dans la boite finale des utilisateurs (via son service LMTP), on l' | ||
+ | |||
+ | <code bash> | ||
+ | yum install postfix dovecot | ||
+ | </ | ||
+ | |||
+ | ==== Configuration de postfix ==== | ||
+ | |||
+ | * / | ||
+ | |||
+ | <code ini> | ||
+ | queue_directory = / | ||
+ | command_directory = /usr/sbin | ||
+ | daemon_directory = / | ||
+ | data_directory = / | ||
+ | |||
+ | mail_owner = postfix | ||
+ | myhostname = mail.firewall-services.com | ||
+ | mydomain = mail.firewall-services.com | ||
+ | mydestination = localhost | ||
+ | mynetworks = 10.10.0.0/ | ||
+ | |||
+ | recipient_delimiter = + | ||
+ | |||
+ | transport_maps = hash:/ | ||
+ | |||
+ | local_recipient_maps = $alias_maps | ||
+ | alias_maps = hash:/ | ||
+ | alias_database = hash:/ | ||
+ | |||
+ | virtual_mailbox_domains = ldap:/ | ||
+ | virtual_alias_maps = ldap:/ | ||
+ | |||
+ | </ | ||
+ | |||
+ | * / | ||
+ | <code ini> | ||
+ | mail.firewall-services.com | ||
+ | </ | ||
+ | <note tip> | ||
+ | |||
+ | * / | ||
+ | <code ini> | ||
+ | server_host = ldap:// | ||
+ | bind = yes | ||
+ | bind_dn = cn=mail, | ||
+ | bind_pw = dsa_p@ssw0rd | ||
+ | version = 3 | ||
+ | start_tls = yes | ||
+ | search_base = cn=mail, | ||
+ | query_filter = (& | ||
+ | result_attribute = fdTransportTableRule | ||
+ | </ | ||
+ | |||
+ | * / | ||
+ | <code ini> | ||
+ | server_host = ldap:// | ||
+ | bind = yes | ||
+ | bind_dn = cn=mail, | ||
+ | bind_pw = dsa_p@ssw0rd | ||
+ | version = 3 | ||
+ | start_tls = yes | ||
+ | search_base = dc=firewall-services, | ||
+ | query_filter = (& | ||
+ | result_attribute = uid, | ||
+ | </ | ||
+ | |||
+ | * / | ||
+ | <code ini> | ||
+ | server_host = ldap:// | ||
+ | bind = yes | ||
+ | bind_dn = cn=mail, | ||
+ | bind_pw = dsa_p@ssw0rd | ||
+ | version = 3 | ||
+ | start_tls = yes | ||
+ | search_base = dc=firewall-services, | ||
+ | ldap_groupmembers_attribute_type = dn | ||
+ | query_filter = (& | ||
+ | result_attribute = uid, | ||
+ | special_result_attribute = member | ||
+ | </ | ||
+ | |||
+ | * / | ||
+ | <code ini> | ||
+ | server_host = ldap:// | ||
+ | bind = yes | ||
+ | bind_dn = cn=mail, | ||
+ | bind_pw = dsa_p@ssw0rd | ||
+ | timeout = 5 | ||
+ | version = 3 | ||
+ | start_tls = yes | ||
+ | search_base = dc=firewall-services, | ||
+ | query_filter = (& | ||
+ | result_attribute = gosaMailAlternateAddress, | ||
+ | </ | ||
+ | |||
+ | * / | ||
+ | <code ini> | ||
+ | server_host = ldap:// | ||
+ | bind = yes | ||
+ | bind_dn = cn=mail, | ||
+ | bind_pw = dsa_p@ssw0rd | ||
+ | version = 3 | ||
+ | start_tls = yes | ||
+ | search_base = cn=mail, | ||
+ | query_filter = (& | ||
+ | result_attribute = postfixMyDomain, | ||
+ | </ | ||
+ | |||
+ | |||
+ | <note important> | ||
+ | < | ||
+ | chown :postfix / | ||
+ | chmod 640 / | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | Voilà, la partie postfix est terminée, après avoir configuré [[dovecot|dovecot]] vous pourrez tester votre nouvelle installation |
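Review bot: in the proxy's main.cf, `smtpd_recipient_restrictions` places `reject_unverified_recipient` before `reject_unauth_destination`, so the frontal Postfix will send a recipient-verification probe toward the internal server for any recipient it is offered, including domains it does not relay for, before it has decided whether it is an authorized relay for that destination; put `reject_unauth_destination` ahead of `reject_unverified_recipient` so that probes are only generated for recipients in `relay_domains` and the proxy cannot be used as an address-verification oracle for other domains. Two smaller points in the same region: every `ldap:/` map file for both servers carries the bind DN `cn=mail,...` with `bind_pw = dsa_p@ssw0rd` in clear text, and `/etc/saslauthd.conf` carries its own `ldap_bind_pw:` line, while the `chown :postfix` / `chmod 640` note shows the commands for a single path only, so it should state that the same ownership and mode apply to each LDAP map file and to the saslauthd configuration (which is read by a different user than postfix). Lastly, the install command lists `cyrus-sasl-ldap` twice; one occurrence is enough.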