6. Reverse-proxying the email server
What is a proxy, and what is a reverse proxy?
A proxy hides the client: the client reaches the Internet through the proxy server.
A reverse proxy hides the server: the real server exposes its services to the Internet through the proxy server.
Client <---> VPS (reverse proxy) <---> backend server (real email server host)
Here we use the second kind, the reverse proxy. Its benefits are:
1. It improves the security of the backend host that runs the real email server.
2. You can replace the VPS at any time at minimal cost: the VPS only relays traffic and stores no data itself.
We already covered this in section 2. You can build an email reverse proxy with HAProxy; see:
https://www.linuxbabe.com/mail-server/smtp-imap-proxy-with-haproxy-debian-ubuntu-centos
We do not use that approach here. We use stunnel instead, because stunnel provides encryption, is more lightweight and is easy to deploy. As a general-purpose encrypted tunnel it can also serve other purposes, such as encrypted DNS queries. The one drawback compared with HAProxy is that stunnel has to be deployed on both machines, the VPS and your email host. Since it is small and simple to configure, that is not much trouble.
1. stunnel configuration on the VPS:
/opt/stunnel5.6/etc/stunnel/stunnel.conf:
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
sslVersion = TLSv1.2
pid = /opt/stunnel5.6/var/run/stunnel.pid
output=/opt/stunnel5.6/var/log/stunnel5/dns.log
[smtp-client-25]
accept = 25
client=yes
connect=your_real_email_srv_ip:1026
protocol=smtp
verifyChain = yes
CAfile=/opt/stunnel5.6/etc/stunnel/dns.crt
[smtp-client-2525]
accept = 2525
client=yes
connect=your_real_email_srv_ip:1026
verifyChain = yes
CAfile=/opt/stunnel5.6/etc/stunnel/dns.crt
[smtp-client-465]
accept = 465
client=yes
connect=your_real_email_srv_ip:1466
verifyChain = yes
CAfile=/opt/stunnel5.6/etc/stunnel/dns.crt
[smtp-client-587]
accept = 587
client=yes
connect=your_real_email_srv_ip:1588
verifyChain = yes
CAfile=/opt/stunnel5.6/etc/stunnel/dns.crt
;;;;;;;;;;;;;;;;;;
[imap-client-143]
accept = 143
client=yes
connect=your_real_email_srv_ip:1144
verifyChain = yes
CAfile=/opt/stunnel5.6/etc/stunnel/dns.crt
[imap-client-993]
accept = 993
client=yes
connect=your_real_email_srv_ip:1994
verifyChain = yes
CAfile=/opt/stunnel5.6/etc/stunnel/dns.crt
;;;;;;;;;;;;;;;;;;
[pop3-client-110]
accept = 110
client=yes
connect=your_real_email_srv_ip:1996
verifyChain = yes
CAfile=/opt/stunnel5.6/etc/stunnel/dns.crt
[pop3-client-995]
accept = 995
client=yes
connect=your_real_email_srv_ip:1996
verifyChain = yes
CAfile=/opt/stunnel5.6/etc/stunnel/dns.crt
;run "sudo iptables -I INPUT 1 -p tcp --dport 6143 -j ACCEPT" on your vps
[dns]
accept=12000
connect=8.8.8.8:53
cert = /opt/stunnel5.6/etc/stunnel/dns.crt
key = /opt/stunnel5.6/etc/stunnel/dns.key
requireCert = yes
Start it with: sudo stunnel -c /opt/stunnel5.6/etc/stunnel5.6/stunnel.conf
The trailing [dns] section can be deleted; I include it only to show how stunnel can also be used for encrypted DNS queries. Replace your_real_email_srv_ip with the real public IP address or domain name of your email host.
2. stunnel configuration on the real email server host:
/etc/stunnel5.6/stunnel.conf:
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
sslVersion = TLSv1.2
include = /etc/stunnel/conf.d
;https://www.stunnel.org/static/stunnel.html
delay = yes
pid = /var/run/stunnel.pid
output=/var/log/stunnel5/dns.log
;25,2525~1026~4144
[smtp-wrap]
accept=1026
connect= 4144
cert = /home/lixing/etc/stunnel/dns.crt
key = /home/lixing/etc/stunnel/dns.key
;465~1466~4148
[smtps-wrap-ssl]
accept = 1466
connect= 4148
cert = /home/lixing/etc/stunnel/dns.crt
key = /home/lixing/etc/stunnel/dns.key
;587~1588~4149
[smtps-wrap]
accept = 1588
connect= 0.0.0.0:4149
cert = /home/lixing/etc/stunnel/dns.crt
key = /home/lixing/etc/stunnel/dns.key
;143~1144~4147
[imap-wrap]
accept = 1144
connect= 0.0.0.0:4147
cert = /home/lixing/etc/stunnel/dns.crt
key = /home/lixing/etc/stunnel/dns.key
;993~1994~4150
[imaps-wrap]
accept = 1994
connect= 4150
cert = /home/lixing/etc/stunnel/dns.crt
key = /home/lixing/etc/stunnel/dns.key
;110,995~1996~4151
[pop3-wrap]
accept = 1996
connect= 4151
cert = /home/lixing/etc/stunnel/dns.crt
key = /home/lixing/etc/stunnel/dns.key
[tashan-dns]
client = yes
accept = 0.0.0.0:53
connect = your_vps_ip:12000
CAfile = /home/lixing/etc/stunnel/dns.crt
cert = /home/lixing/etc/stunnel/dns.crt
key = /home/lixing/etc/stunnel/dns.key
verifyChain = yes
Start it with: stunnel -c /etc/stunnel5.6/stunnel.conf
3. Ports
In section 2 we changed Postfix's default ports as follows.
#4144 ~ 25 smtp
#4149 ~ 587 smtp over tls
#4148 ~ 465 smtp over ssl, will not be used.
You can check this with:
[root@otherhill postfix-3.6.2]# ss -lnpt | grep master
LISTEN 4 100 *:4144 *:* users:(("master",961,13))
LISTEN 0 100 :::4144 :::* users:(("master",961,14))
LISTEN 0 100 *:4148 *:* users:(("master",961,22))
LISTEN 0 100 :::4148 :::* users:(("master",961,23))
LISTEN 0 100 *:4149 *:* users:(("master",961,18))
LISTEN 0 100 :::4149 :::* users:(("master",961,19))
In section 3 we changed Dovecot's default ports as follows.
#4146 ~ 110 pop3
#4151 ~ 995 pop3s
#4147 ~ 143 imap
#4150 ~ 993 imaps
You can check this with:
[root@otherhill postfix-3.6.2]# ss -lnpt | grep dovecot
LISTEN 0 100 :::4146 :::* users:(("dovecot",29819,23))
LISTEN 0 100 *:4146 *:* users:(("dovecot",29819,22))
LISTEN 0 100 :::4147 :::* users:(("dovecot",29819,40))
LISTEN 0 100 *:4147 *:* users:(("dovecot",29819,39))
LISTEN 0 100 :::4150 :::* users:(("dovecot",29819,42))
LISTEN 0 100 *:4150 *:* users:(("dovecot",29819,41))
LISTEN 0 100 :::4151 :::* users:(("dovecot",29819,25))
LISTEN 0 100 *:4151 *:* users:(("dovecot",29819,24))
All of these port changes serve the email reverse proxy.
On the real email server host you need to tell the firewall to open the following ports:
iptables -I INPUT 1 -p tcp --dport 1026 -j ACCEPT
iptables -I INPUT 1 -p tcp --dport 1466 -j ACCEPT
iptables -I INPUT 1 -p tcp --dport 1588 -j ACCEPT
iptables -I INPUT 1 -p tcp --dport 1144 -j ACCEPT
iptables -I INPUT 1 -p tcp --dport 1994 -j ACCEPT
iptables -I INPUT 1 -p tcp --dport 1996 -j ACCEPT
Not the same ports as the ones listed just before, right? Correct: these open ports are there so the firewall lets stunnel's traffic through.
Port mapping overview:
vps    remote-stunnel                        local-stunnel    my-house
25     25   <-> myhouse.otherhill.com:1026   1026 <-> 4144    4144
2525   2525 <-> myhouse.otherhill.com:1026   1026 <-> 4144    4144
465    465  <-> myhouse.otherhill.com:1466   1466 <-> 4148    4148
587    587  <-> myhouse.otherhill.com:1588   1588 <-> 4149    4149
143    143  <-> myhouse.otherhill.com:1144   1144 <-> 4147    4147
993    993  <-> myhouse.otherhill.com:1994   1994 <-> 4150    4150
995    995  <-> myhouse.otherhill.com:1996   1996 <-> 4151    4151
Likewise, on your remote VPS you need to tell the firewall to allow the following ports (--dport takes a single port or range, so a comma-separated list needs the multiport match):
iptables -I INPUT 1 -p tcp -m multiport --dports 25,2525,465,587,143,993,995 -j ACCEPT
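The overview above is easy to get wrong by hand, because a single public port passes through two stunnel hops before it reaches Postfix or Dovecot, and the far end must speak the same wire format (cleartext or immediate TLS) that a client on the public port expects. The following script is an added example, not part of the original post: it takes constructed copies of this section's two stunnel.conf files (trimmed to their accept/connect lines, with the your_real_email_srv_ip placeholder kept), the Postfix/Dovecot port table from sections 2 and 3, and the protocol each standard public port implies, then traces every chain and reports OK, MISMATCH or UNKNOWN. The service and expectation tables are my own annotation of the page's port numbers.

```shell
#!/bin/sh
# Added example, not from the original post: follow every public port on the VPS through
# both stunnel hops to the Postfix/Dovecot port it finally reaches, and flag chains whose
# far end expects a different wire format (cleartext vs. immediate TLS) than a client
# connecting to the public port will send. The configs are constructed copies of this
# section's two stunnel.conf files, trimmed to their accept/connect lines.

VPS_CONF='[smtp-client-25]
accept = 25
connect=your_real_email_srv_ip:1026
[smtp-client-2525]
accept = 2525
connect=your_real_email_srv_ip:1026
[smtp-client-465]
accept = 465
connect=your_real_email_srv_ip:1466
[smtp-client-587]
accept = 587
connect=your_real_email_srv_ip:1588
[imap-client-143]
accept = 143
connect=your_real_email_srv_ip:1144
[imap-client-993]
accept = 993
connect=your_real_email_srv_ip:1994
[pop3-client-110]
accept = 110
connect=your_real_email_srv_ip:1996
[pop3-client-995]
accept = 995
connect=your_real_email_srv_ip:1996'

HOME_CONF='[smtp-wrap]
accept=1026
connect= 4144
[smtps-wrap-ssl]
accept = 1466
connect= 4148
[smtps-wrap]
accept = 1588
connect= 0.0.0.0:4149
[imap-wrap]
accept = 1144
connect= 0.0.0.0:4147
[imaps-wrap]
accept = 1994
connect= 4150
[pop3-wrap]
accept = 1996
connect= 4151'

# Postfix/Dovecot listeners from sections 2 and 3, as "port service-wireformat".
# plain = the session starts in cleartext (a STARTTLS upgrade, where offered, is
# negotiated end to end through the tunnel); tls = the port wants a TLS hello first.
SERVICES='4144 smtp-plain
4149 submission-plain
4148 smtps-tls
4146 pop3-plain
4151 pop3s-tls
4147 imap-plain
4150 imaps-tls'

# What a client on each public port sends first.
EXPECT='25 plain
2525 plain
465 tls
587 plain
143 plain
993 tls
110 plain
995 tls'

# connect_port CONFIG PORT: print the connect port of the section whose accept is PORT
connect_port() {
  printf '%s\n' "$1" | awk -v p="$2" '
    /^\[/ { hit = 0 }
    /^accept[ \t]*=/ { v = $0; sub(/^accept[ \t]*=[ \t]*/, "", v); sub(/^.*:/, "", v); if (v == p) hit = 1 }
    hit && /^connect[ \t]*=/ { v = $0; sub(/^connect[ \t]*=[ \t]*/, "", v); sub(/^.*:/, "", v); print v; exit }'
}

# check_chain PUBLIC_PORT: print "25 -> 1026 -> 4144 (smtp-plain): OK" or MISMATCH/UNKNOWN
check_chain() {
  mid=$(connect_port "$VPS_CONF" "$1")
  back=$(connect_port "$HOME_CONF" "$mid")
  svc=$(printf '%s\n' "$SERVICES" | awk -v p="$back" '$1 == p { print $2 }')
  want=$(printf '%s\n' "$EXPECT" | awk -v p="$1" '$1 == p { print $2 }')
  case "$svc" in
    "")        status=UNKNOWN ;;   # chain does not end on a known service port
    *-"$want") status=OK ;;        # both ends agree on cleartext vs. TLS
    *)         status=MISMATCH ;;  # e.g. a cleartext client delivered to an implicit-TLS port
  esac
  printf '%s -> %s -> %s (%s): %s\n' "$1" "$mid" "$back" "$svc" "$status"
}

for port in 25 2525 465 587 143 993 110 995; do check_chain "$port"; done
```

Run as-is it prints one line per public port. Seven chains come out OK; the [pop3-client-110] section is reported as a MISMATCH, because it reuses the 1996 wrap and therefore delivers cleartext POP3 clients to Dovecot's pop3s port 4151 rather than to the pop3 port 4146, which also explains why 110 is absent from the overview table. When you add or renumber a port, paste the real config files into the two variables and rerun the script before touching the firewall rules.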
4. Generating the certificate files
How the dns.crt and dns.key files used above are generated:
Our stunnel is built against /home/lixing/ohui/3rdparty_src/sys/openssl-1.1.1l,
so we need that version of openssl to generate the PEM certificate. openssl-1.1.1 supports TLS 1.3, which offers better security.
cd /home/lixing/ohui/3rdparty_src/sys/openssl-1.1.1l/dist/home/lixing/openssl-1.1.1/bin
export LD_LIBRARY_PATH=/home/lixing/ohui/3rdparty_src/sys/openssl-1.1.1l/dist/home/lixing/openssl-1.1.1/lib
export LD_LIBRARY_PATH=/home/lixing/unstable_libs/ssl-1.1.1k/lib
export PATH=/home/lixing/unstable_libs/ssl-1.1.1k/bin:$PATH
https://kb.isc.org/docs/aa-01386
openssl genrsa -out dns.key 2048
openssl req -new -key dns.key -out dns.req
openssl req -new -key dns.key -days 3650 -out ca.crt -x509 -extensions v3_ca
openssl x509 -req -in dns.req -days 3650 -out dns.crt -CA ca.crt -CAkey dns.key -CAcreateserial
The above produces a self-signed certificate for the TLS connection between the stunnel server and client. The stunnel endpoint whose configuration carries verifyChain = yes and CAfile validates the peer's certificate against that file, so no third-party certificate authority is needed.
Careful readers will have noticed that we use two sets of TLS certificates in total: in sections 2 and 4, Postfix and Dovecot use a different set.
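The commands above are interactive and reuse dns.key as the CA key. The script below is an added example, not from the original post: it builds the same pair of files non-interactively with a separate CA key, and then checks the result the way the stunnel side with verifyChain = yes will. Because the CA gets its own key here, CAfile on both machines must point at ca.crt rather than dns.crt; the subject names and the ./stunnel-pki directory are placeholders I chose.

```shell
#!/bin/sh
# Added example, not from the original post: generate the private CA and the stunnel
# certificate that the two stunnel.conf files refer to as dns.crt / dns.key, then verify
# the result the way the stunnel side with verifyChain = yes will. Unlike the commands
# above, the CA gets its own key (ca.key) instead of reusing dns.key, so CAfile on both
# machines must then point at ca.crt. Subject names are placeholders; runs without prompts.
set -eu

# gen_stunnel_pki DIR: writes DIR/ca.key DIR/ca.crt DIR/dns.key DIR/dns.req DIR/dns.crt
gen_stunnel_pki() {
  dir="$1"
  mkdir -p "$dir"
  # 1. CA key and a self-signed CA certificate; this is the trust anchor for CAfile
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$dir/ca.key" -days 3650 \
    -subj "/CN=stunnel private CA" -out "$dir/ca.crt"
  # 2. The tunnel's own key and a signing request (CN is a placeholder for the backend host)
  openssl genrsa -out "$dir/dns.key" 2048 2>/dev/null
  openssl req -new -key "$dir/dns.key" -subj "/CN=your_real_email_srv_ip" -out "$dir/dns.req"
  # 3. Issue dns.crt from the request with the CA key, valid ten years like the post's commands
  openssl x509 -req -in "$dir/dns.req" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 3650 -out "$dir/dns.crt" 2>/dev/null
}

# verify_chain CAFILE CERT: succeed only if CERT chains to a trust anchor in CAFILE,
# which is the check stunnel performs on the peer when verifyChain = yes
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_fingerprint CERT: SHA-256 fingerprint, to confirm the copy on the VPS matches the one at home
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Usage:
#   gen_stunnel_pki ./stunnel-pki
#   verify_chain ./stunnel-pki/ca.crt ./stunnel-pki/dns.crt && echo "chain ok"
#   verify_chain ./stunnel-pki/dns.crt ./stunnel-pki/dns.crt || echo "dns.crt alone is not a trust anchor"
```

The second verify_chain call in the usage block fails on purpose: with a separate CA key, dns.crt is no longer self-signed, so a CAfile that contains only dns.crt cannot anchor the chain and the stunnel client would refuse the connection. Copy ca.crt (never ca.key) to the VPS, point CAfile at it, and compare cert_fingerprint output on both machines after copying.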
/opt/tsMail/etc/postfix/main.cf:
...
smtpd_tls_CAfile= /opt/ssl/otherhill.com/chain.pem
smtpd_tls_cert_file=/opt/ssl/otherhill.com/fullchain.pem
smtpd_tls_key_file=/opt/ssl/otherhill.com/privkey.pem
...
/opt/tsMail/etc/dovecot/conf.d/10-ssl.conf
...
ssl = required
ssl_cert = </opt/ssl/otherhill.com/fullchain.pem
ssl_key = </opt/ssl/otherhill.com/privkey.pem
...
That set was obtained from Let's Encrypt, which provides free certification for *.otherhill.com. This way, when a third-party email client connects to our smtp.otherhill.com or imaps.otherhill.com, TLS encryption can be enabled.
For how to apply for a Let's Encrypt certificate, see our earlier article:
Script for obtaining a free Let's Encrypt SSL certificate
TLS encryption only protects data while it travels over the network. When an email moves from one domain to a different domain, the receiving mail server still gets your message in plaintext, much as postal workers can read a letter once it arrives at the post office.
So do not send or receive important data through ordinary email. Use an end-to-end encrypted chat tool such as Delta Chat, or an S/MIME setup, to solve that problem.