教你搭建反垃圾邮件系统

一、邮件系统的安装
1、软件包安装
Postfix+Courier-IMAP+Cyrus-SASL+PAM_MySQL+MySQL这种安装方式简单易行，在Debian下的安装更加方便：
# apt-get install courier-pop postfix-mysql postfix-tls courier-authdaemon\
courier-authmysql libpam-mysql libsasl7 libsasl-modules-plain courier-imap
如果你的系统本身没有mysql，那么在上面的列表里还要加上mysql-server。apt在安装过程中会有简单的提示，要求填上系统的域名等信息。
2、postfix的配置
修改main.cf：
添加：
home_mailbox = Maildir/
告诉postfix使用Maildir方式
mydestination = $myhostname, $transport_maps
告诉postfix发送$myhostname(本机)和$transport_maps(transport表里的域名)的邮件。
alias_maps = mysql:/etc/postfix/mysql-aliases.cf
relocated_maps = mysql:/etc/postfix/mysql-relocated.cf
transport_maps = mysql:/etc/postfix/mysql-transport.cf
virtual_maps = mysql:/etc/postfix/mysql-virtual.cf
告诉postfix从哪里找这些表。
local_recipient_maps = $alias_maps $virtual_mailbox_maps unix:passwd.byname
postfix传递给本地收件人的几种方法。
virtual_mailbox_base = /home/vmail
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-maps.cf
virtual_uid_maps = mysql:/etc/postfix/mysql-virtual-uid.cf
virtual_gid_maps = mysql:/etc/postfix/mysql-virtual-gid.cf
虚拟用户的信息。
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
启用sasl，必须验证才能发信。
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unknown_recipient_
domain,reject_non_fqdn_recipient,check_relay_domains
发信限制。
还可以加上一些其他的参数：
disable_vrfy_command = yes
将vrfy功能关掉。
3、与MySQL结合的配置及数据表结构
注意：配置mysql相关部分要写127.0.0.1而不要写localhost，如果使用localhost，postfix会尝试socket连接。debian的postfix使用socket连接好像有问题。mysql不能使用skip-networking选项，要使用--bind-address=127.0.0.1让它监听在127.0.0.1。(非常感谢Martin List-Petersen指点)
还有要注意的是如果是自己编译的mysql，建议在启动的时候加上--socket=/var/run/mysqld/mysqld.sock参数，因为pam-mysql又需要使用这个socket。如果你的apache+php是自己编译的话，php又需要重新编译，配置的时候需要加上--with-mysql-sock=/var/run/mysqld/mysqld.sock参数。
是不是比较烦?这不过是个开始。
MySQL的数据表：
CREATE TABLE alias (
id int(11) unsigned NOT NULL auto_increment,
alias varchar(128) NOT NULL default '',
destination varchar(128) NOT NULL default '',
PRIMARY KEY (id)
) TYPE=MyISAM;
CREATE TABLE relocated (
id int(11) unsigned NOT NULL auto_increment,
email varchar(128) NOT NULL default '',
destination varchar(128) NOT NULL default '',
PRIMARY KEY (id)
) TYPE=MyISAM;
CREATE TABLE transport (
id int(11) unsigned NOT NULL auto_increment,
domain varchar(128) NOT NULL default '',
destination varchar(128) NOT NULL default '',
PRIMARY KEY (id),
UNIQUE KEY domain (domain)
) TYPE=MyISAM;
CREATE TABLE users (
id int(11) unsigned NOT NULL auto_increment,
email varchar(128) NOT NULL default '',
clear varchar(128) NOT NULL default '',
name tinytext NOT NULL,
uid int(11) unsigned NOT NULL default '1011',
gid int(11) unsigned NOT NULL default '1011',
homedir tinytext NOT NULL,
maildir tinytext NOT NULL,
quota tinytext NOT NULL,
postfix enum('Y','N') NOT NULL default 'Y',
PRIMARY KEY (id),
UNIQUE KEY email (email)
) TYPE=MyISAM;
CREATE TABLE virtual (
id int(11) unsigned NOT NULL auto_increment,
email varchar(128) NOT NULL default '',
destination varchar(128) NOT NULL default '',
PRIMARY KEY (id)
) TYPE=MyISAM;
/etc/postfix目录下各mysql配置文件：
mysql-aliases.cf
user = mysql-postfix-user
password = mysql-postfix-pass
dbname = postfix
table = alias
select_field = destination
where_field = alias
hosts = 127.0.0.1
mysql-relocated.cf
user = mysql-postfix-user
password = mysql-postfix-pass
dbname = postfix
table = relocated
select_field = destination
where_field = email
hosts = 127.0.0.1
mysql-transport.cf
user = mysql-postfix-user
password = mysql-postfix-pass
dbname = postfix
table = transport
select_field = destination
where_field = domain
hosts = 127.0.0.1
　TLS支持
通过修改/usr/lib/ssl/misc/CA.pll脚本实现，以下修改后CA1.pl和未修改CA.pl之间的对比：
*** CA.pl
--- CA1.pl
***************
*** 59,69 ****
} elsif (/^-newcert$/) {
# create a certificate
! system ("$REQ -new -x509 -keyout newreq.pem -out newreq.pem $DAYS");
$RET=$?;
print "Certificate (and private key) is in newreq.pem\n"
} elsif (/^-newreq$/) {
# create a certificate request
! system ("$REQ -new -keyout newreq.pem -out newreq.pem $DAYS");
$RET=$?;
print "Request (and private key) is in newreq.pem\n";
} elsif (/^-newca$/) {
--- 59,69 ----
} elsif (/^-newcert$/) {
# create a certificate
! system ("$REQ -new -x509 -nodes -keyout newreq.pem -out newreq.pem $DAYS");
$RET=$?;
print "Certificate (and private key) is in newreq.pem\n"
} elsif (/^-newreq$/) {
# create a certificate request
! system ("$REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS");
$RET=$?;
print "Request (and private key) is in newreq.pem\n";
} elsif (/^-newca$/) {
现在就可以使用修改的CA1.pl来签发证书：
# cd /usr/local/ssl/misc
# ./CA1.pl -newca
# ./CA1.pl -newreq
# ./CA1.pl -sign
# cp demoCA/cacert.pem /etc/postfix/CAcert.pem
# cp newcert.pem /etc/postfix/cert.pem
# cp newreq.pem /etc/postfix/key.pem
修改main.cf，添加：
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_key_file = /etc/postfix/privkey.pem
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
tls_daemon_random_source = dev:/dev/urandom
重起postfix后就可以看到250-STARTTLS
很多邮件客户端对TLS的支持并不是非常好，建议使用stunnel来实现相应的smtp和pop3加密。
# apt-get install stunnel
证书：
# openssl req -new -x509 -days 365 -nodes -config /etc/ssl/openssl.cnf -out stunnel.pem -keyout stunnel.pem
# openssl gendh 512 >> stunnel.pem
服务端：
# stunnel -d 60025 -r 25 -s nobody -g nogroup
# stunnel -d 60110 -r 110 -s nobody -g nogroup
如果使用-n pop3等参数就只能用邮件客户端收信。
客户端：
建一个stunnel.conf文件：
client = yes
[pop3]
accept = 127.0.0.1:110
connect = 192.168.7.144:60110
[smtp]
accept = 127.0.0.1:25
connect = 192.168.7.144:60025
然后启动stunnel.exe，在邮件客户端的smtp和pop3的服务器都填127.0.0.1就可以了，这样从你到邮件服务器端的数据传输就让stunnel给你加密了。
4、测试用户
# mkdir -p /home/vmail/test.org/san/
# chown -R nobody.nogroup /home/vmail
# chmod -R 700 /home/vmail
mysql> use postfix
mysql> insert into transport set domain='test.org', destination='
virtual:';
mysql> insert into users set email='san@test.org',clear='test',name='',uid='65534',gid='65534',
homedir='home/vmail',maildir='test.org/san/';
然后就可以使用客户端收发邮件，记得用户名是email地址。
mysql-virtual.cf
user = mysql-postfix-user
password = mysql-postfix-pass
dbname = postfix
table = virtual
select_field = destination
where_field = email
hosts = 127.0.0.1
mysql-virtual-maps.cf
user = mysql-postfix-user
password = mysql-postfix-pass
dbname = postfix
table = users
select_field = maildir
where_field = email
additional_conditions = and postfix = 'y'
hosts = 127.0.0.1
mysql-virtual-uid.cf
user = mysql-postfix-user
password = mysql-postfix-pass
dbname = postfix
table = users
select_field = uid
where_field = email
additional_conditions = and postfix = 'y'
hosts = 127.0.0.1
mysql-virtual-gid.cf
user = mysql-postfix-user
password = mysql-postfix-pass
dbname = postfix
table = users
select_field = gid
where_field = email
additional_conditions = and postfix = 'y'
hosts = 127.0.0.1
修改Courier相关设置，/etc/courier/imapd:
AUTHMODULES="authdaemon"
IMAP_CAPABILITY="IMAP4rev1 CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT
THREAD=REFERENCES SORT AUTH=CRAM-MD5 AUTH=CRAM-SHA1 IDLE"
修改/etc/courier/pop3d
AUTHMODULES="authdaemon"
POP3AUTH="LOGIN CRAM-MD5 CRAM-SHA1"
修改/etc/courier/authdaemonrc
authmodulelist="authmysql authpam"
使用mysql验证和pam验证。
修改/etc/courier/authmysqlrc
MYSQL_SERVER 127.0.0.1
MYSQL_USERNAME mysql-postfix-user
MYSQL_PASSWORD mysql-postfix-pass
#MYSQL_SOCKET /var/run/mysql/mysql.sock
MYSQL_PORT 0
MYSQL_OPT 0
MYSQL_DATABASE postfix
MYSQL_USER_TABLE users
MYSQL_LOGIN_FIELD email
MYSQL_CLEAR_PWFIELD clear
MYSQL_UID_FIELD uid
MYSQL_GID_FIELD gid
MYSQL_HOME_FIELD homedir
MYSQL_MAILDIR_FIELD maildir
SASL library
创建/etc/postfix/sasl/smtpd.conf：
pwcheck_method: PAM
PAM-MySQL
创建/etc/pam.d/smtp：
auth optional pam_mysql.so host=localhost db=postfix user=
mysql-postfix-user passwd=mysql-postfix-pass table=users
usercolumn=email passwdcolumn=clear crypt=n
account required pam_mysql.so host=localhost db=postfix user=mysql-postfix-user passwd=mysql-postfix-pass usercolumn=email passwdcolumn=clear crypt=n

责任编辑 赵毅 zhaoyi#51cto.com TEL:（010）68476636-8001