
Building your own email system with Postfix + Dovecot + MySQL

By admin • 2022-01-01 13:15:44 • 730 views
Permanent link: https://i.otherhill.com/static/df4575916ac111ec87ea2089845721cb.html

6. Reverse-proxying the email server

What is a proxy, and what is a reverse proxy?
A (forward) proxy hides the client: the client reaches the Internet through the proxy server.
A reverse proxy hides the server side: the real server exposes its services to the Internet through the proxy server.
client <---> VPS (reverse proxy) <---> backend server (real email server host)

Here we use the second kind, the reverse proxy. Its benefits are:
1. The real email server host behind it is better protected.
2. You can swap the VPS at any time at minimal cost; the VPS only relays traffic and stores no data itself.
We already covered this in section 2. You can use HAProxy as the email reverse proxy; see more: https://www.linuxbabe.com/mail-server/smtp-imap-proxy-with-haproxy-debian-ubuntu-centos
We do not take that route, though; we use stunnel instead, because stunnel encrypts the link, is lighter, and is easier to deploy. As a general-purpose encrypted tunnel it has other uses as well, such as encrypted DNS lookups. Compared with HAProxy, the only drawback is that stunnel has to be deployed on both machines, the VPS and your email host. Since it is small and simple to configure, that is not much trouble.

1. stunnel configuration on the VPS:

/opt/stunnel5.6/etc/stunnel/stunnel.conf:
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1

sslVersion = TLSv1.2
pid = /opt/stunnel5.6/var/run/stunnel.pid
output=/opt/stunnel5.6/var/log/stunnel5/dns.log


[smtp-client-25]
accept = 25
client=yes
connect=your_real_email_srv_ip:1026
protocol=smtp
verifyChain = yes
CAfile=/opt/stunnel5.6/etc/stunnel/dns.crt

[smtp-client-2525]
accept = 2525
client=yes
connect=your_real_email_srv_ip:1026
verifyChain = yes
CAfile=/opt/stunnel5.6/etc/stunnel/dns.crt

[smtp-client-465]
accept = 465
client=yes
connect=your_real_email_srv_ip:1466
verifyChain = yes
CAfile=/opt/stunnel5.6/etc/stunnel/dns.crt

[smtp-client-587]
accept = 587
client=yes
connect=your_real_email_srv_ip:1588
verifyChain = yes
CAfile=/opt/stunnel5.6/etc/stunnel/dns.crt

;;;;;;;;;;;;;;;;;;
[imap-client-143]
accept = 143
client=yes
connect=your_real_email_srv_ip:1144
verifyChain = yes
CAfile=/opt/stunnel5.6/etc/stunnel/dns.crt

[imap-client-993]
accept = 993
client=yes
connect=your_real_email_srv_ip:1994
verifyChain = yes
CAfile=/opt/stunnel5.6/etc/stunnel/dns.crt

;;;;;;;;;;;;;;;;;;
[pop3-client-110]
accept = 110
client=yes
connect=your_real_email_srv_ip:1996
verifyChain = yes
CAfile=/opt/stunnel5.6/etc/stunnel/dns.crt

[pop3-client-995]
accept = 995
client=yes
connect=your_real_email_srv_ip:1996
verifyChain = yes
CAfile=/opt/stunnel5.6/etc/stunnel/dns.crt

;run "sudo iptables -I INPUT 1 -p tcp --dport 12000 -j ACCEPT" on your vps (12000 is the accept port of this section)
[dns]
accept=12000
connect=8.8.8.8:53
cert = /opt/stunnel5.6/etc/stunnel/dns.crt
key = /opt/stunnel5.6/etc/stunnel/dns.key
requireCert = yes

Run it with: sudo stunnel -c /opt/stunnel5.6/etc/stunnel/stunnel.conf
The trailing [dns] section can be deleted; I left it in only to show how stunnel can also carry encrypted DNS queries. Replace your_real_email_srv_ip with the public IP or domain name of your real email host.


2. stunnel configuration on the real email server host:

/etc/stunnel5.6/stunnel.conf:
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1

sslVersion = TLSv1.2

include = /etc/stunnel/conf.d

;https://www.stunnel.org/static/stunnel.html
delay = yes
pid = /var/run/stunnel.pid
output=/var/log/stunnel5/dns.log

;25,2525~1026~4144
[smtp-wrap]
accept=1026
connect= 4144
cert = /home/lixing/etc/stunnel/dns.crt
key  = /home/lixing/etc/stunnel/dns.key

;465~1466~4148
[smtps-wrap-ssl]
accept = 1466
connect= 4148
cert = /home/lixing/etc/stunnel/dns.crt
key  = /home/lixing/etc/stunnel/dns.key

;587~1588~4149
[smtps-wrap]
accept = 1588
connect= 0.0.0.0:4149
cert = /home/lixing/etc/stunnel/dns.crt
key  = /home/lixing/etc/stunnel/dns.key


;143~1144~4147
[imap-wrap]
accept = 1144
connect= 0.0.0.0:4147
cert = /home/lixing/etc/stunnel/dns.crt
key  = /home/lixing/etc/stunnel/dns.key

;993~1994~4150
[imaps-wrap]
accept = 1994
connect= 4150
cert = /home/lixing/etc/stunnel/dns.crt
key  = /home/lixing/etc/stunnel/dns.key


;110,995~1996~4151
[pop3-wrap]
accept = 1996
connect= 4151
cert = /home/lixing/etc/stunnel/dns.crt
key  = /home/lixing/etc/stunnel/dns.key

[tashan-dns]
client = yes
accept = 0.0.0.0:53
connect = your_vps_ip:12000
CAfile = /home/lixing/etc/stunnel/dns.crt
cert   = /home/lixing/etc/stunnel/dns.crt
key    = /home/lixing/etc/stunnel/dns.key
verifyChain = yes

stunnel -c /etc/stunnel5.6/stunnel.conf

3. Ports

In section 2 we changed Postfix's default protocol ports as follows.
#4144 ~ 25   smtp
#4149 ~ 587  smtp over tls
#4148 ~ 465  smtp over ssl, will not be used.
You can check with:
[root@otherhill postfix-3.6.2]# ss -lnpt | grep master
LISTEN     4      100                       *:4144                     *:*      users:(("master",961,13))
LISTEN     0      100                      :::4144                    :::*      users:(("master",961,14))
LISTEN     0      100                       *:4148                     *:*      users:(("master",961,22))
LISTEN     0      100                      :::4148                    :::*      users:(("master",961,23))
LISTEN     0      100                       *:4149                     *:*      users:(("master",961,18))
LISTEN     0      100                      :::4149                    :::*      users:(("master",961,19))

In section 3 we changed Dovecot's default protocol ports as follows.
#4146 ~ 110  pop3
#4151 ~ 995  pop3s

#4147 ~ 143  imap
#4150 ~ 993  imaps
You can check with:
[root@otherhill postfix-3.6.2]# ss -lnpt | grep dovecot
LISTEN     0      100                      :::4146                    :::*      users:(("dovecot",29819,23))   
LISTEN     0      100                       *:4146                     *:*      users:(("dovecot",29819,22))
LISTEN     0      100                      :::4147                    :::*      users:(("dovecot",29819,40))
LISTEN     0      100                       *:4147                     *:*      users:(("dovecot",29819,39))
LISTEN     0      100                      :::4150                    :::*      users:(("dovecot",29819,42))
LISTEN     0      100                       *:4150                     *:*      users:(("dovecot",29819,41))
LISTEN     0      100                      :::4151                    :::*      users:(("dovecot",29819,25))
LISTEN     0      100                       *:4151                     *:*      users:(("dovecot",29819,24))

All of these port changes serve the email reverse proxy.
On the real email server host you need to tell the firewall to open the following ports:
iptables -I INPUT 1 -p tcp --dport 1026 -j ACCEPT
iptables -I INPUT 1 -p tcp --dport 1466 -j ACCEPT
iptables -I INPUT 1 -p tcp --dport 1588 -j ACCEPT
iptables -I INPUT 1 -p tcp --dport 1144 -j ACCEPT
iptables -I INPUT 1 -p tcp --dport 1994 -j ACCEPT
iptables -I INPUT 1 -p tcp --dport 1996 -j ACCEPT
Different from the ports listed just above, right? Correct. These open ports let the firewall pass the stunnel traffic.
Port mapping overview:
vps    remote-stunnel                        local-stunnel   my-house
25     25   <-> myhouse.otherhill.com:1026   1026 <-> 4144   4144
2525   2525 <-> myhouse.otherhill.com:1026   1026 <-> 4144   4144
465    465  <-> myhouse.otherhill.com:1466   1466 <-> 4148   4148
587    587  <-> myhouse.otherhill.com:1588   1588 <-> 4149   4149
143    143  <-> myhouse.otherhill.com:1144   1144 <-> 4147   4147
993    993  <-> myhouse.otherhill.com:1994   1994 <-> 4150   4150
995    995  <-> myhouse.otherhill.com:1996   1996 <-> 4151   4151

Likewise, on your remote VPS you need to tell the firewall to pass the following ports (a plain --dport does not take a list; use the multiport match):
iptables -I INPUT 1 -p tcp -m multiport --dports 25,2525,465,587,143,993,995 -j ACCEPT
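The mapping overview and the two iptables lists above can be derived mechanically from the two stunnel.conf files. The following Python is an added example, not code from the original post: it reads constructed excerpts of the two configs shown above (host names and port numbers as on the page), pairs each VPS client section with the server section on the home host that accepts its tunnel port, and exposes the accept ports each host's firewall has to pass.

```python
import re
# Constructed excerpts of the two stunnel.conf files shown above (values as on the page).
VPS_CONF = """
[smtp-client-25]
accept = 25
client=yes
connect=myhouse.otherhill.com:1026
[imap-client-993]
accept = 993
client=yes
connect=myhouse.otherhill.com:1994
[dns]   ; server-mode section: terminates TLS for the DNS tunnel, not part of the mail chain
accept=12000
connect=8.8.8.8:53
"""
HOME_CONF = """
[smtp-wrap]
accept=1026
connect= 4144
[imaps-wrap]
accept = 1994
connect= 4150
"""

def parse_services(conf):
    """Minimal stunnel.conf reader: [section] headers, key = value lines, ';' comments."""
    services, current = {}, None
    for raw in conf.splitlines():
        line = raw.split(";", 1)[0].strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = services.setdefault(m.group(1), {})
        elif line and current is not None:  # skip blanks and global options before any section
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return services

def port_of(endpoint):  # 'host:1026', '0.0.0.0:4147' or a bare '4144' (= localhost) -> port
    return int(endpoint.rsplit(":", 1)[-1])

def servers(conf):
    """accept port -> connect port for server-mode (TLS-terminating) sections; these accept
    ports are the ones the host's firewall must open."""
    return {port_of(s["accept"]): port_of(s["connect"])
            for s in parse_services(conf).values() if s.get("client") != "yes"}

def chain(vps_conf, home_conf):
    """(public VPS port, tunnel port, Postfix/Dovecot port) per client section; None if no home match."""
    home = servers(home_conf)
    return sorted((port_of(s["accept"]), port_of(s["connect"]), home.get(port_of(s["connect"])))
                  for s in parse_services(vps_conf).values() if s.get("client") == "yes")
```

A None in the third column means the VPS forwards to a tunnel port that no section on the home host accepts, which is exactly the mismatch the overview table is meant to rule out.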


4. Generating the certificate files

Generating the dns.crt and dns.key files used above:
Our stunnel is built against /home/lixing/ohui/3rdparty_src/sys/openssl-1.1.1l,
so we need to generate the PEM certificates with that version of openssl; openssl 1.1.1 supports TLS 1.3 and offers better security.
cd /home/lixing/ohui/3rdparty_src/sys/openssl-1.1.1l/dist/home/lixing/openssl-1.1.1/bin
export LD_LIBRARY_PATH=/home/lixing/ohui/3rdparty_src/sys/openssl-1.1.1l/dist/home/lixing/openssl-1.1.1/lib

export LD_LIBRARY_PATH=/home/lixing/unstable_libs/ssl-1.1.1k/lib
export PATH=/home/lixing/unstable_libs/ssl-1.1.1k/bin:$PATH

https://kb.isc.org/docs/aa-01386

openssl genrsa -out dns.key 2048

openssl req -new -key dns.key -out dns.req
openssl req -new -key dns.key -days 3650 -out ca.crt -x509 -extensions v3_ca
openssl x509 -req -in dns.req -days 3650 -out dns.crt -CA ca.crt -CAkey dns.key -CAcreateserial

The above is a self-signed certificate, used for the SSL connection between the stunnel server and the stunnel client. The stunnel server validates the certificate according to verifyChain = yes and CAfile in the configuration, so no third-party certificate authority is needed.
Attentive readers will have noticed that we use two sets of SSL certificates in total: in sections 2 and 4 above, Postfix and Dovecot use a different set.
/opt/tsMail/etc/postfix/main.cf: 
...
smtpd_tls_CAfile= /opt/ssl/otherhill.com/chain.pem
smtpd_tls_cert_file=/opt/ssl/otherhill.com/fullchain.pem
smtpd_tls_key_file=/opt/ssl/otherhill.com/privkey.pem
...

/opt/tsMail/etc/dovecot/conf.d/10-ssl.conf
...
ssl = required
ssl_cert = </opt/ssl/otherhill.com/fullchain.pem
ssl_key = </opt/ssl/otherhill.com/privkey.pem
...
That set comes from Let's Encrypt, which provides free validation and certification for our *.otherhill.com. This way, when third-party email clients connect to our smtp.otherhill.com and imaps.otherhill.com, SSL encryption can be enabled.
For applying for a Let's Encrypt certificate, see our earlier article: Script for obtaining a free Let's Encrypt SSL certificate

SSL encryption only protects the data while it is in transit over the network. When a message travels from one domain to a different one, the receiving mail server still gets your message in plaintext, just as postal workers can read a letter once it reaches the post office.
So do not send or receive sensitive data over ordinary email; use an end-to-end encrypted chat tool such as Delta Chat, or the S/MIME mechanism, to solve this problem.

 
