Domain-account-authenticated mail system (Postfix) configuration document
I. Network environment:
Subnets: 192.168.0.0/24 (servers), 192.168.1.0/24 (workstations)
Domain name: csctek.com.cn
Domain controllers: Windows 2003 Server, IP addresses 192.168.0.5 and 192.168.0.6
Workstation: Windows XP SP2, IP address 192.168.1.136
Mail server: www2 (hostname), Debian GNU/Linux 4.0, IP address 192.168.0.8
II. Purpose:
Use the Linux server above as the mail server and proxy server, with Windows 2003 domain accounts and passwords used for authentication when accessing files, sending and receiving mail, and so on (no domain user accounts need to be created in Debian or Samba).
III. How the mail server works
Postfix provides SMTP, Dovecot provides POP3, and saslauthd performs SMTP authentication. The flow is roughly: Postfix and Dovecot hand the credentials to saslauthd, saslauthd hands them to PAM, and PAM contacts AD through Samba and winbind.
IV. Install the required software
Install the packages with apt-get install; the remaining dependencies are pulled in automatically during installation.
apt-get install samba winbind krb5-config postfix dovecot-common dovecot-imapd dovecot-pop3d squirrelmail openssh-server libsasl2-modules libsasl2 sasl2-bin
V. Edit the configuration files for joining the domain
1. krb5.conf configuration
#cp /etc/krb5.conf /etc/krb5.conf.bak
#vim /etc/krb5.conf
[libdefaults]
clockskew = 300
[realms]
CSCTEK.COM.CN = {
kdc = OA.csctek.com.cn
default_domain = csctek.com.cn
admin_server = OA.csctek.com.cn
}
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
[domain_realm]
.csctek.com.cn = CSCTEK.COM.CN
csctek.com.cn = CSCTEK.COM.CN
2. nsswitch.conf configuration
# cp /etc/nsswitch.conf /etc/nsswitch.conf.bak
# vim /etc/nsswitch.conf
Change
passwd: compat
group: compat
to
passwd: compat winbind
group: compat winbind
3. smb.conf configuration
#vim /etc/samba/smb.conf
[global]
workgroup = CSCTEK
netbios name = PROXY
server string = PROXY (Samba Server)
load printers = no
log file = /var/log/samba/log.%m
max log size = 500
realm = CSCTEK.COM.CN
security = ads
auth methods = winbind
winbind separator = /
encrypt passwords = yes
winbind cache time = 15
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
local master = no
os level = 233
domain master = no
preferred master = no
domain logons = no
wins server = 192.168.0.5
dns proxy = no
ldap ssl = no
Note: change template shell = /bin/bash to template shell = /bin/false. This way only local accounts can log in over SSH; SSH logins with domain accounts are refused.
4. NTP client configuration
Write a synchronisation script that runs once a day:
ntpdate ntp.csctek.com.cn
5. Restart the samba and winbind services
#/etc/init.d/samba restart
#/etc/init.d/winbind restart
6. Join the domain
net ads join -S csctek.com.cn -U Administrator
If the error ads_connect: Preauthentication failed appears, edit /etc/samba/smb.conf and change security = domain to security = ads.
wbinfo -t
If this prints checking the trust secret via RPC calls succeeded, the host trust has been established.
Running wbinfo -u lists the users in Debian and the users in the Windows 2003 domain.
Running wbinfo -g lists the groups in Debian and the groups in the Windows 2003 domain.
VI. Mail configuration files
1. Postfix configuration
1) main.cf configuration
#vim /etc/postfix/main.cf
www2:/usr/share/postfix# diff /etc/postfix/main.cf main.cf.debian
< queue_directory = /var/spool/postfix
< command_directory = /usr/sbin
< #daemon_directory = /usr/libexec/postfix
< mail_owner = postfix
< myhostname = www2.csctek.com.cn
< mydomain = csctek.com.cn
< myorigin = $mydomain
< inet_interfaces = all
< mydestination = csctek.com.cn, www2.csctek.com.cn, localhost, localhost.localdomain, localhost
---
> # See /usr/share/postfix/main.cf.dist for a commented, more complete version
> # Debian specific: Specifying a file name will cause the first
> # line of that file to be used as the name. The Debian default
> # is /etc/mailname.
> #myorigin = /etc/mailname
< unknown_local_recipient_reject_code = 550
< mynetworks_style = subnet
< mynetworks = 192.168.0.0/24,127.0.0.0/8,192.168.1.0/24,192.168.0.3
< relay_domains = $mydestination
< alias_maps = hash:/etc/aliases
< alias_database = hash:/etc/aliases
< mail_spool_directory = /var/mail/
< debug_peer_level = 2
< debugger_command =
< smtpd_sasl_auth_enable = yes
< smtpd_sasl_security_options = noanonymous
< smtpd_sasl_local_domain = $mydomain
---
> # appending .domain is the MUA's job.
< smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
< home_mailbox =Maildir/
< command_directory = /usr/sbin
< debug_peer_level = 2
< mail_owner = postfix
---
> # Uncomment the next line to generate "delayed mail" warnings
> #delay_warning_time = 4h
Run newaliases to generate aliases.db.
#touch /etc/mailname
Add csctek.com.cn to this file (the domain part of addresses such as test@csctek.com.cn).
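As an added illustration (not part of the original document), the following Python walks the smtpd_recipient_restrictions list from the main.cf above, using its mynetworks and mydestination values, for a few constructed client scenarios; it shows that any client inside mynetworks (the workstation subnet included) relays without SASL authentication, so the domain-account check only takes effect for clients outside those networks.

```python
import ipaddress

# Values copied from the main.cf diff above; the explicit mynetworks list
# overrides mynetworks_style = subnet.
MYNETWORKS = ["192.168.0.0/24", "127.0.0.0/8", "192.168.1.0/24", "192.168.0.3"]
MYDESTINATION = {"csctek.com.cn", "www2.csctek.com.cn", "localhost", "localhost.localdomain"}
RELAY_DOMAINS = MYDESTINATION  # relay_domains = $mydestination
RESTRICTIONS = ["permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination"]


def in_mynetworks(client_ip):
    """True if the client address falls inside any mynetworks entry."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in MYNETWORKS)


def evaluate(client_ip, sasl_username, rcpt_to):
    """Return (action, deciding restriction) for one RCPT TO command.
    Restrictions run in order: the first PERMIT or REJECT decides, a DUNNO
    moves on, and an exhausted list permits (Postfix's end-of-list default)."""
    rcpt_domain = rcpt_to.rsplit("@", 1)[-1].lower()
    for name in RESTRICTIONS:
        if name == "permit_mynetworks" and in_mynetworks(client_ip):
            return "PERMIT", name
        if name == "permit_sasl_authenticated" and sasl_username:
            return "PERMIT", name
        if name == "reject_unauth_destination" and rcpt_domain not in (MYDESTINATION | RELAY_DOMAINS):
            return "REJECT", name
    return "PERMIT", "end of list"


if __name__ == "__main__":
    # Constructed scenarios: the XP workstation from the network table relays
    # outbound mail with no AUTH because 192.168.1.0/24 is in mynetworks; an
    # outside client relays only after SASL (domain-account) authentication,
    # and an unauthenticated outside client can only deliver to mydestination.
    for args in [("192.168.1.136", None, "someone@example.org"),
                 ("10.0.0.7", "alice", "someone@example.org"),
                 ("10.0.0.7", None, "someone@example.org"),
                 ("10.0.0.7", None, "test@csctek.com.cn")]:
        print(args, "->", evaluate(*args))
```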
2) master.cf configuration
vim /etc/postfix/master.cf
Find the line
smtp inet n - - - - smtpd
and change it to
smtp inet n - n - - smtpd
(the fifth field is the chroot column; n runs smtpd outside the chroot)
3) smtpd.conf configuration
log_level: 2
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
2. Dovecot configuration
See the configuration folder.
3. PAM and SASL configuration
Edit /etc/pam.d/common-auth, common-account and common-session:
vim /etc/pam.d/common-auth
auth sufficient pam_winbind.so krb5_auth krb5_ccache_type=FILE
auth sufficient pam_unix.so use_first_pass nullok_secure
auth required pam_deny.so
vim /etc/pam.d/common-account
account sufficient pam_winbind.so use_first_pass cached_login
account required pam_unix.so
vim /etc/pam.d/common-session
session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
Remove /var/run/saslauthd:
rm -R /var/run/saslauthd
Create /var/spool/postfix/var/run/saslauthd (under the Postfix queue directory):
mkdir -p /var/spool/postfix/var/run/saslauthd
Create the symlink and set the group ownership:
ln -s /var/spool/postfix/var/run/saslauthd/ /var/run/saslauthd
chgrp sasl /var/spool/postfix/var/run/saslauthd
Add postfix to the sasl group:
adduser postfix sasl
vim /etc/default/saslauthd
START=yes
MECHANISMS="pam"
Restart saslauthd:
/etc/init.d/saslauthd restart
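As an added example (not from the document), this Python models the Linux-PAM control-flag rules for the common-auth and common-account stacks above and runs the same two phases saslauthd's PAM backend uses (pam_authenticate, then pam_acct_mgmt) for a domain user, a local user and an unknown user. The user tables and passwords are constructed stand-ins for winbind and the local shadow file; no real PAM module is called.

```python
# Constructed stand-ins for what winbind (AD) and the local shadow file
# would answer; no real PAM modules are called.
DOMAIN_USERS = {"alice": "Winter2008"}
LOCAL_USERS = {"root": "localpw"}

# (control flag, module) pairs copied from the stacks above, options omitted.
COMMON_AUTH = [("sufficient", "pam_winbind.so"),
               ("sufficient", "pam_unix.so"),  # use_first_pass: reuses the password winbind collected
               ("required", "pam_deny.so")]
COMMON_ACCOUNT = [("sufficient", "pam_winbind.so"),
                  ("required", "pam_unix.so")]


def module_result(phase, module, user, password):
    """Simulated outcome of one module: True on success, False on failure."""
    if module == "pam_winbind.so":
        return user in DOMAIN_USERS if phase == "account" else DOMAIN_USERS.get(user) == password
    if module == "pam_unix.so":
        return user in LOCAL_USERS if phase == "account" else LOCAL_USERS.get(user) == password
    return False  # pam_deny.so always fails


def run_stack(phase, stack, user, password):
    """Apply Linux-PAM control flags. sufficient: success ends the stack at
    once unless a required module already failed; failure is ignored.
    required: failure is remembered but the rest of the stack still runs.
    Returns (result, deciding module)."""
    required_failed = None
    succeeded = None
    for control, module in stack:
        ok = module_result(phase, module, user, password)
        if ok and control == "sufficient" and required_failed is None:
            return "success", module
        if ok:
            succeeded = succeeded or module
        elif control == "required" and required_failed is None:
            required_failed = module
    if required_failed:
        return "fail", required_failed
    return ("success", succeeded) if succeeded else ("fail", "no module succeeded")


def authenticate(user, password):
    """saslauthd's PAM backend calls pam_authenticate and then pam_acct_mgmt;
    both stacks must succeed. Returns (result, 'phase:module')."""
    for phase, stack in (("auth", COMMON_AUTH), ("account", COMMON_ACCOUNT)):
        result, module = run_stack(phase, stack, user, password)
        if result != "success":
            return "fail", f"{phase}:{module}"
    return "success", f"account:{module}"
```

A wrong password never reaches a winbind or unix decision: both sufficient modules are skipped and pam_deny.so at the end of common-auth gives the final fail.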
4. SquirrelMail configuration
# squirrelmail-configure
1) The main menu is shown below; item 2 is the main one to configure.
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages
Item 2, after configuration:
1. Domain : csctek.com.cn
2. Invert Time : false
3. Sendmail or SMTP : SMTP
A. Update IMAP Settings : localhost:143 (other)
B. Update SMTP Settings : localhost:25
To have SquirrelMail display Chinese, configure item 10, Languages:
1. Default Language : zh_CN
2. Default Charset : GB2312
3. Enable lossy encoding : false
2) Edit the Apache2 configuration
#cd /etc/apache2/sites-enabled
#touch squirrelmail   # create the file
Add the configuration shown in the configuration folder, then restart apache2; the SquirrelMail interface should now appear in Chinese.
#/etc/init.d/apache2 restart
If the interface is not in Chinese, run dpkg-reconfigure locales to reconfigure the locales and install the Chinese locale.