Differences
Below are the differences between two revisions of the page.
tuto:fusiondirectory:postfix [02/09/2013 18:59] dani
tuto:fusiondirectory:postfix [07/09/2013 14:08] (current version) dani
Ligne 1: | Ligne 1: | ||
====== Gestion de serveurs postfix ====== | ====== Gestion de serveurs postfix ====== | ||
- | Postfix est un MTA très souple, qui peut être utilisé de beaucoup de façon différente. Il peut utiliser les données d'un annuaire LDAP pour beaucoup de choses. Dans cet exemple, nous allons configurer deux serveurs postfix: | + | Postfix est un MTA très souple, qui peut être utilisé de beaucoup de façons différentes. Il peut utiliser les données d'un annuaire LDAP pour beaucoup de choses. Dans cet exemple, nous allons configurer deux serveurs postfix: |
* Le premier sera installé sur un serveur nommé **proxy**. Il sera chargé d' | * Le premier sera installé sur un serveur nommé **proxy**. Il sera chargé d' | ||
Ligne 74: | Ligne 74: | ||
{{: | {{: | ||
+ | <note important> | ||
+ | * Local Networks | ||
+ | * Max mail header size | ||
+ | * Max mailbox size | ||
+ | * Max message size | ||
+ | * Relay host | ||
+ | * Restrictions for sender | ||
+ | * Restriction for recipient | ||
+ | * Transport (en cours de correction, voir https:// | ||
+ | </ | ||
===== Configuration du proxy ===== | ===== Configuration du proxy ===== | ||
Le serveur frontal (le proxy donc) va faire plusieurs choses | Le serveur frontal (le proxy donc) va faire plusieurs choses | ||
- | * Vérifier que les mails qu'il reçoit sont bien à destination d'un des domaines gérés par le serveur | + | * Vérifier que les mails qu'il reçoit sont bien à destination d'un des domaines gérés par le serveur |
- | * Vérifier que l' | + | * Vérifier que l' |
* Appliquer des filtres de bases (pas de relais pour n' | * Appliquer des filtres de bases (pas de relais pour n' | ||
* Gérer l' | * Gérer l' | ||
Ligne 90: | Ligne 100: | ||
<code bash> | <code bash> | ||
- | yum install amavisd-new postfix | + | yum install amavisd-new postfix |
</ | </ | ||
Ligne 97: | Ligne 107: | ||
==== Configuration de postfix ==== | ==== Configuration de postfix ==== | ||
+ | * / | ||
+ | <code ini> | ||
+ | [...] | ||
+ | amavisfeed unix - | ||
+ | -o lmtp_data_done_timeout=1200 | ||
+ | -o lmtp_send_xforward_command=yes | ||
+ | -o disable_dns_lookups=yes | ||
+ | -o max_use=20 | ||
+ | 127.0.0.1: | ||
+ | -o content_filter= | ||
+ | -o smtpd_delay_reject=no | ||
+ | -o smtpd_client_restrictions=permit_mynetworks, | ||
+ | -o smtpd_helo_restrictions= | ||
+ | -o smtpd_sender_restrictions= | ||
+ | -o smtpd_recipient_restrictions=permit_mynetworks, | ||
+ | -o smtpd_data_restrictions=reject_unauth_pipelining | ||
+ | -o smtpd_end_of_data_restrictions= | ||
+ | -o smtpd_restriction_classes= | ||
+ | -o mynetworks=127.0.0.0/ | ||
+ | -o smtpd_error_sleep_time=0 | ||
+ | -o smtpd_soft_error_limit=1001 | ||
+ | -o smtpd_hard_error_limit=1000 | ||
+ | -o smtpd_client_connection_count_limit=0 | ||
+ | -o smtpd_client_connection_rate_limit=0 | ||
+ | -o receive_override_options=no_header_body_checks, | ||
+ | [...] | ||
+ | </ | ||
* / | * / | ||
<code ini> | <code ini> | ||
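Review bot: in the 127.0.0.1:10025 re-injection listener, smtpd_client_restrictions and smtpd_recipient_restrictions are shown ending at "permit_mynetworks," and the mynetworks override is shown as "127.0.0.0/" with no prefix length; confirm that each list terminates in "reject" (i.e. permit_mynetworks,reject) and that the loopback network carries its mask, otherwise any local process able to reach port 10025 obtains a relay path that skips the filter chain. The empty "-o content_filter=" on that listener is what stops mail from being handed back to amavisfeed in a loop, so it must stay. Emptying smtpd_helo_restrictions and smtpd_sender_restrictions is acceptable only because the service is bound to 127.0.0.1; this block must not be reused for a listener on a routable address.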
Ligne 135: | Ligne 172: | ||
reject_non_fqdn_recipient, | reject_non_fqdn_recipient, | ||
reject_unknown_sender_domain, | reject_unknown_sender_domain, | ||
- | | + | |
reject_unauth_destination, | reject_unauth_destination, | ||
reject_unauth_pipelining, | reject_unauth_pipelining, | ||
Ligne 185: | Ligne 222: | ||
start_tls = yes | start_tls = yes | ||
search_base = dc=firewall-services, | search_base = dc=firewall-services, | ||
- | query_filter = (& | + | query_filter = (&(|(objectClass=gosaMailAccount)(objectClass=mailAliasRedirection)(objectClass=mailAliasDistribution))(|(mail=%s)(gosaMailAlternateAddress=%s))) |
- | result_attribute = gosaMailServer | + | result_attribute = gosaMailServer, |
</ | </ | ||
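Review bot: the widened query_filter now matches mailAliasRedirection and mailAliasDistribution objects as well as gosaMailAccount, but those alias objects do not necessarily carry gosaMailServer; the trailing comma after "gosaMailServer," suggests a second result attribute was added for them, which is needed because an entry that matches but returns no attribute value is treated by Postfix as "not found" and the message is routed by the default transport instead of failing closed. The "%s" in (mail=%s) and (gosaMailAlternateAddress=%s) is fine from an LDAP-injection standpoint: Postfix's ldap table applies RFC 4515 quoting to the lookup key before substituting it into the filter.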
Ligne 195: | Ligne 232: | ||
</ | </ | ||
</ | </ | ||
+ | |||
+ | ==== Configuration de l' | ||
+ | Postfix va utiliser le démon saslauthd pour authentifier les utilisateurs. Ce démon saslauthd vérifiera les identifications sur l' | ||
+ | * / | ||
+ | <code ini> | ||
+ | # Directory in which to place saslauthd' | ||
+ | # on. This directory must already exist. | ||
+ | SOCKETDIR=/ | ||
+ | |||
+ | # Mechanism to use when checking passwords. | ||
+ | # of which mechanism your installation was compiled with the ablity to use. | ||
+ | MECH=ldap | ||
+ | |||
+ | # Options sent to the saslauthd. If the MECH is other than " | ||
+ | DAEMONOPTS=" | ||
+ | |||
+ | # Additional flags to pass to saslauthd on the command line. See saslauthd(8) | ||
+ | # for the list of accepted flags. | ||
+ | FLAGS=" | ||
+ | </ | ||
+ | |||
+ | * / | ||
+ | <code ini> | ||
+ | ldap_servers: | ||
+ | ldap_search_base: | ||
+ | ldap_filter: | ||
+ | ldap_bind_dn: | ||
+ | ldap_bind_pw: | ||
+ | ldap_start_tls: | ||
+ | ldap_auth_method: | ||
+ | ldap_version: | ||
+ | </ | ||
+ | |||
+ | On peut maintenant démarrer les services saslauthd et postfix | ||
+ | ===== Configuration du serveur interne ===== | ||
+ | |||
+ | ==== Installation des composants ==== | ||
+ | On va utiliser dovecot pour la remise des mails dans la boite finale des utilisateurs (via son service LMTP), on l' | ||
+ | |||
+ | <code bash> | ||
+ | yum install postfix dovecot | ||
+ | </ | ||
+ | |||
+ | ==== Configuration de postfix ==== | ||
+ | |||
+ | * / | ||
+ | |||
+ | <code ini> | ||
+ | queue_directory = / | ||
+ | command_directory = /usr/sbin | ||
+ | daemon_directory = / | ||
+ | data_directory = / | ||
+ | |||
+ | mail_owner = postfix | ||
+ | myhostname = mail.firewall-services.com | ||
+ | mydomain = mail.firewall-services.com | ||
+ | mydestination = localhost | ||
+ | mynetworks = 10.10.0.0/ | ||
+ | |||
+ | recipient_delimiter = + | ||
+ | |||
+ | transport_maps = hash:/ | ||
+ | |||
+ | local_recipient_maps = $alias_maps | ||
+ | alias_maps = hash:/ | ||
+ | alias_database = hash:/ | ||
+ | |||
+ | virtual_mailbox_domains = ldap:/ | ||
+ | virtual_alias_maps = ldap:/ | ||
+ | |||
+ | </ | ||
+ | |||
+ | * / | ||
+ | <code ini> | ||
+ | mail.firewall-services.com | ||
+ | </ | ||
+ | <note tip> | ||
+ | |||
+ | * / | ||
+ | <code ini> | ||
+ | server_host = ldap:// | ||
+ | bind = yes | ||
+ | bind_dn = cn=mail, | ||
+ | bind_pw = dsa_p@ssw0rd | ||
+ | version = 3 | ||
+ | start_tls = yes | ||
+ | search_base = cn=mail, | ||
+ | query_filter = (& | ||
+ | result_attribute = fdTransportTableRule | ||
+ | </ | ||
+ | |||
+ | * / | ||
+ | <code ini> | ||
+ | server_host = ldap:// | ||
+ | bind = yes | ||
+ | bind_dn = cn=mail, | ||
+ | bind_pw = dsa_p@ssw0rd | ||
+ | version = 3 | ||
+ | start_tls = yes | ||
+ | search_base = dc=firewall-services, | ||
+ | query_filter = (& | ||
+ | result_attribute = uid, | ||
+ | </ | ||
+ | |||
+ | * / | ||
+ | <code ini> | ||
+ | server_host = ldap:// | ||
+ | bind = yes | ||
+ | bind_dn = cn=mail, | ||
+ | bind_pw = dsa_p@ssw0rd | ||
+ | version = 3 | ||
+ | start_tls = yes | ||
+ | search_base = dc=firewall-services, | ||
+ | ldap_groupmembers_attribute_type = dn | ||
+ | query_filter = (& | ||
+ | result_attribute = uid, | ||
+ | special_result_attribute = member | ||
+ | </ | ||
+ | |||
+ | * / | ||
+ | <code ini> | ||
+ | server_host = ldap:// | ||
+ | bind = yes | ||
+ | bind_dn = cn=mail, | ||
+ | bind_pw = dsa_p@ssw0rd | ||
+ | timeout = 5 | ||
+ | version = 3 | ||
+ | start_tls = yes | ||
+ | search_base = dc=firewall-services, | ||
+ | query_filter = (& | ||
+ | result_attribute = gosaMailAlternateAddress, | ||
+ | </ | ||
+ | |||
+ | * / | ||
+ | <code ini> | ||
+ | server_host = ldap:// | ||
+ | bind = yes | ||
+ | bind_dn = cn=mail, | ||
+ | bind_pw = dsa_p@ssw0rd | ||
+ | version = 3 | ||
+ | start_tls = yes | ||
+ | search_base = cn=mail, | ||
+ | query_filter = (& | ||
+ | result_attribute = postfixMyDomain, | ||
+ | </ | ||
+ | |||
+ | |||
+ | <note important> | ||
+ | < | ||
+ | chown :postfix / | ||
+ | chmod 640 / | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | Voilà, la partie postfix est terminée, après avoir configuré [[dovecot|dovecot]] vous pourrez tester votre nouvelle installation |
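Review bot: every Postfix LDAP map in this hunk sets start_tls = yes but none sets tls_ca_cert_file or tls_require_cert = yes; with Postfix's default tls_require_cert = no the directory's certificate is not verified, so the bind password is protected against passive sniffing only, not against a spoofed LDAP server. The saslauthd configuration has the same gap: ldap_start_tls should be paired with ldap_tls_check_peer and ldap_tls_cacert_file. On the credential itself, the same bind_pw = dsa_p@ssw0rd is repeated verbatim in six map files (plus ldap_bind_pw in /etc/saslauthd.conf); the final note's chown :postfix / chmod 640 covers the Postfix maps, but /etc/saslauthd.conf holds the same secret and should be restricted as well, and since this is a published tutorial the literal value should be replaced by a placeholder so readers do not deploy it. Separately, main.cf sets mydomain = mail.firewall-services.com, identical to myhostname; Postfix normally derives mydomain by stripping the first label of myhostname, so the intended value is probably firewall-services.com (or the line can be dropped to take the default).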