메그넘

 SPF 레코드는 발송한 메일 서버의 IP와 DNS에 설정되어 있는 TXT의 IP값이 다를 경우에 수신 측에서 메일을 차단하는 방법으로

 메일을 발송하는 서버의 IP와 도메인이 서로 일치하는지 인증을 하며, 인증 방법으로 SPF 레코드(TXT값)을 확인합니다.

 PTR 레코드(Reverse Domain) 정책은 도메인이 아닌 IP를 질의하여 도메인을 확인하는 정책으로, 수신측에서 메일 발송 서버의 IP를 조회하여

 도메인이 등록된 PTR 레코드(Pointer) 값과 일치하면 정상 메일로 보고 메일을 수신하겠다는 역방향 질의 방식입니다. Reverse Domain의 일치

 여부를 확인할 때 PTR 레코드를 조회하기 때문에 PTR 레코드와 Reverse Domain은 같은 의미로 통용됩니다.

 SPF 레코드 등록과 또 다른 점은 DNS가 아닌 ISP 업체(KT, LG, SK 등)에 등록을 해야 한다는 것입니다. 따라서 자체적으로 메일 시스템을 구축한

 경우가 아니라면 메일 서비스를 제공하는 있는 업체에 연락하셔서 등록 요청을 하면 됩니다.

 ISP 업체마다 등록 방법이 다르지만, KT같은 경우에는 "KTDMS 고객문의 게시판"을 통해 등록 요청을 하고 있고, 사이트에 접속하여 신청자 정보,

 리버스(Reverse) IP 등록 시 입력사항, 작업 요청사항 등을 내용으로 남기게 되어 있습니다.

 화이트 도메인은 회원에 공지 등 정상적으로 발송하는 대량 e-메일이 스팸 메일로 간주되어 RBL에 등록되는 것을 방지하기 위해, 사전에 등록된

 개인이나 사업자에 한하여 국내 주요 포탈사이트로의 e-메일 전송을 보장해 주는 제도입니다.  단, 화이트 도메인으로 등록되었다 하더라도 이후  

 모니터링을 통해 스팸 메일 발송 사실이 확인되면, 즉각 차단 조치되며 화이트 리스트에서도 삭제될 수 있습니다. 

 패키지

버전 및 항목 

Nginx

 Package

nginx-mod-mail-1.12.2-2.el7.x86_64

nginx-mod-http-image-filter-1.12.2-2.el7.x86_64

php72u-fpm-nginx-7.2.9-1.ius.centos7.noarch

nginx-filesystem-1.12.2-2.el7.noarch

nginx-mod-http-geoip-1.12.2-2.el7.x86_64

nginx-mod-http-xslt-filter-1.12.2-2.el7.x86_64

nginx-1.12.2-2.el7.x86_64

nginx-all-modules-1.12.2-2.el7.noarch

python2-certbot-nginx-0.26.1-1.el7.noarch

nginx-mod-http-perl-1.12.2-2.el7.x86_64

nginx-mod-stream-1.12.2-2.el7.x86_64

 configure

 1. /etc/nginx/conf.d/web1.conf

server {

        ## Configuration ##################################################

listen 80;

        client_max_body_size    2048M;

        server_name     U.domain.com;

        root    /home/webmaster/web1/html;

        access_log      /home/webmaster/web1/logs/access.log;

        location / {

                index  index.html  index.htm  index.php;

        }

        error_page      403 404 500 502 503 504 /error.html;

        location = /error.html {

        }

        location ~ \.php$ {

                fastcgi_pass   php-fpm;

                fastcgi_index  index.php;

                fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;

                include        fastcgi_params;

        }

}

2. /etc/nginx/conf.d/php-fpm.conf

# PHP-FPM FastCGI server

# network or unix domain socket configuration

upstream php-fpm {

        #server 127.0.0.1:9000;

        server unix:/run/php-fpm/www.sock;

}

PHP-FPM

 Package

php72u-xml-7.2.9-1.ius.centos7.x86_64

php72u-fpm-nginx-7.2.9-1.ius.centos7.noarch

php72u-mbstring-7.2.9-1.ius.centos7.x86_64

php72u-imap-7.2.9-1.ius.centos7.x86_64

php72u-fpm-7.2.9-1.ius.centos7.x86_64

php72u-json-7.2.9-1.ius.centos7.x86_64

php72u-pdo-7.2.9-1.ius.centos7.x86_64

php72u-opcache-7.2.9-1.ius.centos7.x86_64

php72u-common-7.2.9-1.ius.centos7.x86_64

php72u-gd-7.2.9-1.ius.centos7.x86_64

php72u-intl-7.2.9-1.ius.centos7.x86_64

php72u-mysqlnd-7.2.9-1.ius.centos7.x86_64

php72u-pecl-apcu-5.1.11-1.ius.centos7.x86_64

 configure

1. /etc/php.ini      --->  메일서비스를 위해 세팅된 내용으로 disable_funcions 기능을 제한하지 않았음.

[PHP]

engine = On

zlib.output_compression = Off

zend.enable_gc = On

file_uploads = On

upload_tmp_dir = /tmp

upload_max_filesize = 3072M

max_file_uploads = 20

allow_url_include = Off

[CLI Server]

pcre.jit=0

pdo_mysql.default_socket=

ibase.allow_persistent = 1

[PostgreSQL]

session.use_cookies = 1

[mbstring]

[Tidy]

 Postfix

 Package

postfix32u-mysql-3.2.5-2.ius.centos7.x86_64

postfix32u-sqlite-3.2.5-2.ius.centos7.x86_64

postfix32u-debuginfo-3.2.5-2.ius.centos7.x86_64

postfix32u-3.2.5-2.ius.centos7.x86_64

postfix32u-cdb-3.2.5-2.ius.centos7.x86_64

postfix32u-perl-scripts-3.2.5-2.ius.centos7.x86_64

postfix32u-pcre-3.2.5-2.ius.centos7.x86_64

postfix32u-ldap-3.2.5-2.ius.centos7.x86_64

postfix32u-pgsql-3.2.5-2.ius.centos7.x86_64

 configure

1. /etc/postfix/main.cf

# --------------------

# INSTALL-TIME CONFIGURATION INFORMATION

#

# location of the Postfix queue. Default is /var/spool/postfix.

queue_directory = /var/spool/postfix

# location of all postXXX commands. Default is /usr/sbin.

command_directory = /usr/sbin

# location of all Postfix daemon programs (i.e. programs listed in the

# master.cf file). This directory must be owned by root.

# Default is /usr/libexec/postfix

daemon_directory = /usr/libexec/postfix

# location of Postfix-writable data files (caches, random numbers).

# This directory must be owned by the mail_owner account (see below).

# Default is /var/lib/postfix.

data_directory = /var/lib/postfix

# owner of the Postfix queue and of most Postfix daemon processes.

# Specify the name of a user account THAT DOES NOT SHARE ITS USER OR GROUP ID

# WITH OTHER ACCOUNTS AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM.

# In particular, don't specify nobody or daemon. PLEASE USE A DEDICATED USER.

# Default is postfix.

mail_owner = postfix

# The following parameters are used when installing a new Postfix version.

#

# sendmail_path: The full pathname of the Postfix sendmail command.

# This is the Sendmail-compatible mail posting interface.

#

sendmail_path = /usr/sbin/sendmail.postfix

# newaliases_path: The full pathname of the Postfix newaliases command.

# This is the Sendmail-compatible command to build alias databases.

#

newaliases_path = /usr/bin/newaliases.postfix

# full pathname of the Postfix mailq command.  This is the Sendmail-compatible

# mail queue listing command.

mailq_path = /usr/bin/mailq.postfix

# group for mail submission and queue management commands.

# This must be a group name with a numerical group ID that is not shared with

# other accounts, not even with the Postfix account.

setgid_group = postdrop

# external command that is executed when a Postfix daemon program is run with

# the -D option.

#

# Use "command .. & sleep 5" so that the debugger can attach before

# the process marches on. If you use an X-based debugger, be sure to

# set up your XAUTHORITY environment variable before starting Postfix.

#

debugger_command =

    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin

    ddd $daemon_directory/$process_name $process_id & sleep 5

debug_peer_level = 2

# --------------------

# CUSTOM SETTINGS

#

# SMTP server response code when recipient or domain not found.

unknown_local_recipient_reject_code = 550

# Do not notify local user.

biff = no

# Disable the rewriting of "site!user" into "user@site".

swap_bangpath = no

# Disable the rewriting of the form "user%domain" to "user@domain".

allow_percent_hack = no

# Allow recipient address start with '-'.

allow_min_user = no

# Disable the SMTP VRFY command. This stops some techniques used to

# harvest email addresses.

disable_vrfy_command = yes

# Enable both IPv4 and/or IPv6: ipv4, ipv6, all.

inet_protocols = all

# Enable all network interfaces.

inet_interfaces = all

#

# TLS settings.

#

# SSL key, certificate, CA

#

smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem

smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem

#smtpd_tls_CAfile = /etc/pki/tls/certs/iRedMail.crt

#smtpd_tls_CApath = /etc/pki/tls/certs

#

# Disable SSLv2, SSLv3

#

smtpd_tls_protocols = !SSLv2 !SSLv3

smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3

smtp_tls_protocols = !SSLv2 !SSLv3

smtp_tls_mandatory_protocols = !SSLv2 !SSLv3

lmtp_tls_protocols = !SSLv2 !SSLv3

lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3

#

# Fix 'The Logjam Attack'.

#

smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA

smtpd_tls_dh512_param_file = /etc/pki/tls/dh512_param.pem

smtpd_tls_dh1024_param_file = /etc/pki/tls/dh2048_param.pem

tls_random_source = dev:/dev/urandom

# Log only a summary message on TLS handshake completion — no logging of client

# certificate trust-chain verification errors if client certificate

# verification is not required. With Postfix 2.8 and earlier, log the summary

# message, peer certificate summary information and unconditionally log

# trust-chain verification errors.

smtp_tls_loglevel = 1

smtpd_tls_loglevel = 1

# Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do

# not require that clients use TLS encryption.

smtpd_tls_security_level = may

# Produce `Received:` message headers that include information about the

# protocol and cipher used, as well as the remote SMTP client CommonName and

# client certificate issuer CommonName.

# This is disabled by default, as the information may be modified in transit

# through other mail servers. Only information that was recorded by the final

# destination can be trusted.

#smtpd_tls_received_header = yes

# Opportunistic TLS, used when Postfix sends email to remote SMTP server.

# Use TLS if this is supported by the remote SMTP server, otherwise use

# plaintext.

# References:

#   - http://www.postfix.org/TLS_README.html#client_tls_may

#   - http://www.postfix.org/postconf.5.html#smtp_tls_security_level

smtp_tls_security_level = may

# Use the same CA file as smtpd.

smtp_tls_CApath = /etc/pki/tls/certs

smtp_tls_CAfile = $smtpd_tls_CAfile

smtp_tls_note_starttls_offer = yes

# Enable long, non-repeating, queue IDs (queue file names).

# The benefit of non-repeating names is simpler logfile analysis and easier

# queue migration (there is no need to run "postsuper" to change queue file

# names that don't match their message file inode number).

#enable_long_queue_ids = yes

# Reject unlisted sender and recipient

smtpd_reject_unlisted_recipient = yes

smtpd_reject_unlisted_sender = yes

# Header and body checks with PCRE table

#header_checks = pcre:/etc/postfix/header_checks

#body_checks = pcre:/etc/postfix/body_checks.pcre

# A mechanism to transform commands from remote SMTP clients.

# This is a last-resort tool to work around client commands that break

# interoperability with the Postfix SMTP server. Other uses involve fault

# injection to test Postfix's handling of invalid commands.

# Requires Postfix-2.7+.

#smtpd_command_filter = pcre:/etc/postfix/command_filter.pcre

# HELO restriction

smtpd_helo_required = yes

smtpd_helo_restrictions =

    permit_mynetworks

    permit_sasl_authenticated

    check_helo_access pcre:/etc/postfix/helo_access.pcre

    reject_non_fqdn_helo_hostname

    reject_unknown_helo_hostname

# Sender restrictions

smtpd_sender_restrictions =

    #reject_unknown_sender_domain

    reject_non_fqdn_sender

    reject_unlisted_sender

    permit_mynetworks

    permit_sasl_authenticated

    check_sender_access pcre:/etc/postfix/sender_access.pcre

# Recipient restrictions

smtpd_recipient_restrictions =

    reject_non_fqdn_recipient

    reject_unlisted_recipient

    #check_policy_service inet:127.0.0.1:7777

    permit_mynetworks

    permit_sasl_authenticated

    reject_unauth_destination

# END-OF-MESSAGE restrictions

# smtpd_end_of_data_restrictions =

    # check_policy_service inet:127.0.0.1:7777

# Data restrictions

smtpd_data_restrictions = reject_unauth_pipelining

proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions $sender_dependent_relayhost_maps

# Avoid duplicate recipient messages. Default is 'yes'.

enable_original_recipient = no

# Virtual support.

virtual_minimum_uid = 2000

virtual_uid_maps = static:2000

virtual_gid_maps = static:2000

virtual_mailbox_base = /Disk1/vmail

# Do not set virtual_alias_domains.

virtual_alias_domains =

#

# Enable SASL authentication on port 25 and force TLS-encrypted SASL authentication.

# WARNING: NOT RECOMMENDED to enable smtp auth on port 25, all end users should

#          be forced to submit email through port 587 instead.

#

smtpd_sasl_auth_enable = yes

smtpd_sasl_security_options = noanonymous

smtpd_tls_auth_only = no

# hostname

myhostname = smtp.mailu.kr

myorigin = smtp.mailu.kr

mydomain = smtp.mailu.kr

# trusted SMTP clients which are allowed to relay mail through Postfix.

#

# Note: additional IP addresses/networks listed in mynetworks should be listed

#       in iRedAPD setting 'MYNETWORKS' (in `/opt/iredapd/settings.py`) too.

#       for example:

#

#       MYNETWORKS = ['xx.xx.xx.xx', 'xx.xx.xx.0/24', ...]

#

mynetworks = 127.0.0.1 [::1]

# Accepted local emails

mydestination = $myhostname, localhost, localhost.localdomain

alias_maps = hash:/etc/postfix/aliases

alias_database = hash:/etc/postfix/aliases

# Default message_size_limit.

message_size_limit = 524288000

mailbox_size_limit = 629145600

# The set of characters that can separate a user name from its extension

# (example: user+foo), or a .forward file name from its extension (example:

# .forward+foo).

# Postfix 2.11 and later supports multiple characters.

recipient_delimiter = +

# The time after which the sender receives a copy of the message headers of

# mail that is still queued. Default setting is disabled (0h) by Postfix.

#delay_warning_time = 1h

#

# Lookup virtual mail accounts

#

transport_maps =

    proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf

    proxy:mysql:/etc/postfix/mysql/transport_maps_maillist.cf

    proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf

sender_dependent_relayhost_maps =

    proxy:mysql:/etc/postfix/mysql/sender_dependent_relayhost_maps.cf

# Lookup table with the SASL login names that own the sender (MAIL FROM) addresses.

smtpd_sender_login_maps =

    proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf

virtual_mailbox_domains =

    proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf

relay_domains =

    $mydestination

    proxy:mysql:/etc/postfix/mysql/relay_domains.cf

virtual_mailbox_maps =

    proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf

virtual_alias_maps =

    proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf

    proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf

    proxy:mysql:/etc/postfix/mysql/catchall_maps.cf

    proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf

sender_bcc_maps =

    proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf

    proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf

recipient_bcc_maps =

    proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf

    proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf

#

# Postscreen

#

postscreen_greet_action = drop

postscreen_blacklist_action = drop

postscreen_dnsbl_action = drop

postscreen_dnsbl_threshold = 2

postscreen_dnsbl_sites =

    zen.spamhaus.org=127.0.0.[2..11]*3

    b.barracudacentral.org=127.0.0.2*2

postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply

postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr

# Require Postfix-2.11+

#postscreen_dnsbl_whitelist_threshold = -2

#

# Dovecot SASL support.

#

smtpd_sasl_type = dovecot

smtpd_sasl_path = private/dovecot-auth

virtual_transport = dovecot

dovecot_destination_recipient_limit = 1

#

# mlmmj - mailing list manager

#

#mlmmj_destination_recipient_limit = 1

#

# Amavisd + SpamAssassin + ClamAV

#

#content_filter = smtp-amavis:[127.0.0.1]:10024

# Concurrency per recipient limit.

#smtp-amavis_destination_recipient_limit = 1

meta_directory = /etc/postfix

sample_directory = /usr/share/doc/postfix32u-3.2.5/samples

readme_directory = /usr/share/doc/postfix32u-3.2.5/README_FILES

manpage_directory = /usr/share/man

html_directory = no

shlib_directory = /usr/lib64/postfix

2. /etc/master.cf

#

# Postfix master process configuration file.  For details on the format

# of the file, see the master(5) manual page (command: "man 5 master").

#

# Do not forget to execute "postfix reload" after editing this file.

#

# ==========================================================================

# service type  private unpriv  chroot  wakeup  maxproc command + args

#               (yes)   (yes)   (yes)   (never) (100)

# ==========================================================================

#smtp      inet  n       -       -       -       -       smtpd

smtp      inet  n       -       n       -       1       postscreen

smtpd     pass  -       -       n       -       -       smtpd

dnsblog   unix  -       -       n       -       0       dnsblog

tlsproxy  unix  -       -       n       -       0       tlsproxy

#submission inet n       -       n       -       -       smtpd

#  -o syslog_name=postfix/submission

#  -o smtpd_tls_security_level=encrypt

#  -o smtpd_sasl_auth_enable=yes

#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

#  -o milter_macro_daemon_name=ORIGINATING

#  -o smtpd_reject_unlisted_recipient=no

#  -o smtpd_client_restrictions=$mua_client_restrictions

#  -o smtpd_helo_restrictions=$mua_helo_restrictions

#  -o smtpd_sender_restrictions=$mua_sender_restrictions

#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

#  -o milter_macro_daemon_name=ORIGINATING

#smtps     inet  n       -       n       -       -       smtpd

#  -o syslog_name=postfix/smtps

#  -o smtpd_tls_wrappermode=yes

#  -o smtpd_sasl_auth_enable=yes

#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

#  -o milter_macro_daemon_name=ORIGINATING

#  -o smtpd_reject_unlisted_recipient=no

#  -o smtpd_client_restrictions=$mua_client_restrictions

#  -o smtpd_helo_restrictions=$mua_helo_restrictions

#  -o smtpd_sender_restrictions=$mua_sender_restrictions

#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

#  -o milter_macro_daemon_name=ORIGINATING

#628       inet  n       -       n       -       -       qmqpd

pickup    unix  n       -       n       60      1       pickup

cleanup   unix  n       -       n       -       0       cleanup

qmgr      unix  n       -       n       300     1       qmgr

#qmgr     unix  n       -       n       300     1       oqmgr

tlsmgr    unix  -       -       n       1000?   1       tlsmgr

rewrite   unix  -       -       n       -       -       trivial-rewrite

bounce    unix  -       -       n       -       0       bounce

defer     unix  -       -       n       -       0       bounce

trace     unix  -       -       n       -       0       bounce

verify    unix  -       -       n       -       1       verify

flush     unix  n       -       n       1000?   0       flush

proxymap  unix  -       -       n       -       -       proxymap

proxywrite unix -       -       n       -       1       proxymap

smtp      unix  -       -       n       -       -       smtp

relay     unix  -       -       n       -       -       smtp

#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5

showq     unix  n       -       n       -       -       showq

error     unix  -       -       n       -       -       error

retry     unix  -       -       n       -       -       error

discard   unix  -       -       n       -       -       discard

local     unix  -       n       n       -       -       local

virtual   unix  -       n       n       -       -       virtual

lmtp      unix  -       -       n       -       -       lmtp

anvil     unix  -       -       n       -       1       anvil

scache    unix  -       -       n       -       1       scache

#

# ====================================================================

# Interfaces to non-Postfix software. Be sure to examine the manual

# pages of the non-Postfix software to find out what options it wants.

#

# Many of the following services use the Postfix pipe(8) delivery

# agent.  See the pipe(8) man page for information about ${recipient}

# and other message envelope options.

# ====================================================================

#

# maildrop. See the Postfix MAILDROP_README file for details.

# Also specify in main.cf: maildrop_destination_recipient_limit=1

#

#maildrop  unix  -       n       n       -       -       pipe

#  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}

#

# ====================================================================

#

# Recent Cyrus versions can use the existing "lmtp" master.cf entry.

#

# Specify in cyrus.conf:

#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4

#

# Specify in main.cf one or more of the following:

#  mailbox_transport = lmtp:inet:localhost

#  virtual_transport = lmtp:inet:localhost

#

# ====================================================================

#

# Cyrus 2.1.5 (Amos Gouaux)

# Also specify in main.cf: cyrus_destination_recipient_limit=1

#

#cyrus     unix  -       n       n       -       -       pipe

#  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}

#

# ====================================================================

#

# Old example of delivery via Cyrus.

#

#old-cyrus unix  -       n       n       -       -       pipe

#  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}

#

# ====================================================================

#

# See the Postfix UUCP_README file for configuration details.

#

#uucp      unix  -       n       n       -       -       pipe

#  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)

#

# ====================================================================

#

# Other external delivery methods.

#

#ifmail    unix  -       n       n       -       -       pipe

#  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)

#

#bsmtp     unix  -       n       n       -       -       pipe

#  flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient

#

#scalemail-backend unix -       n       n       -       2       pipe

#  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store

#  ${nexthop} ${user} ${extension}

#

#mailman   unix  -       n       n       -       -       pipe

#  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py

#  ${nexthop} ${user}

# Submission, port 587, force TLS connection.

submission inet n       -       n       -       -       smtpd

  -o syslog_name=postfix/submission

  -o smtpd_tls_security_level=encrypt

  -o smtpd_sasl_auth_enable=yes

  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

  #-o content_filter=smtp-amavis:[127.0.0.1]:10026

# Use dovecot's `deliver` program as LDA.

dovecot unix    -       n       n       -       -      pipe

    flags=DRh user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${user}@${domain} -m ${extension}

# mlmmj - mailing list manager

# ${nexthop} is '%d/%u' in transport ('mlmmj:%d/%u')

#mlmmj   unix  -       n       n       -       -       pipe

#    flags=ORhu user=mlmmj:mlmmj argv=/usr/bin/mlmmj-amime-receive -L /var/vmail/mlmmj/${nexthop}

# Amavisd integration.

#smtp-amavis unix -  -   n   -   1  smtp

#    -o syslog_name=postfix/amavis

#    -o smtp_data_done_timeout=1200

#    -o smtp_send_xforward_command=yes

#    -o disable_dns_lookups=yes

#    -o max_use=20

127.0.0.1:10025 inet n  -   n   -   -  smtpd

    -o syslog_name=postfix/10025

    -o content_filter=

    -o mynetworks_style=host

    -o mynetworks=127.0.0.0/8

    -o local_recipient_maps=

    -o relay_recipient_maps=

    -o strict_rfc821_envelopes=yes

    -o smtp_tls_security_level=none

    -o smtpd_tls_security_level=none

    -o smtpd_restriction_classes=

    -o smtpd_delay_reject=no

    -o smtpd_client_restrictions=permit_mynetworks,reject

    -o smtpd_helo_restrictions=

    -o smtpd_sender_restrictions=

    -o smtpd_recipient_restrictions=permit_mynetworks,reject

    -o smtpd_end_of_data_restrictions=

    -o smtpd_error_sleep_time=0

    -o smtpd_soft_error_limit=1001

    -o smtpd_hard_error_limit=1000

    -o smtpd_client_connection_count_limit=0

    -o smtpd_client_connection_rate_limit=0

    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings

3. /etc/postfix/body_checks.pcre

4. /etc/postfix/helo_access.pcre

#---------------------------------------------------------------------

# This file is part of iRedMail, which is an open source mail server

# solution for Red Hat(R) Enterprise Linux, CentOS, Debian and Ubuntu.

#

# iRedMail is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# iRedMail is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with iRedMail.  If not, see <http://www.gnu.org/licenses/>.

#---------------------------------------------------------------------

#

# Sample Postfix check_helo_access rule. It should be located at:

#   /etc/postfix/check_helo_access.pcre

#

# Shipped within iRedMail project:

#   * http://www.iredmail.org/

# Prepend HELO hostname of sender server

#/(.*)/ PREPEND X-Original-Helo: $1 (iRedMail: http://www.iredmail.org/)

# No one will use these in helo command.

/^(localhost)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/^(localhost.localdomain)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(\.local)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

# Reject who use IP address as helo.

# Correct:      [xxx.xxx.xxx.xxx]

# Incorrect:    xxx.xxx.xxx.xxx

/^([0-9\.]+)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server sent non RFC compliant HELO identity (${1})

#

# This is the real HELO identify of these ISPs:

#   sohu.com    websmtp.sohu.com relay2nd.mail.sohu.com

#   126.com     m15-78.126.com

#   163.com     m31-189.vip.163.com m13-49.163.com

#   sina.com    mail2-209.sinamail.sina.com.cn

#   gmail.com   xx-out-NNNN.google.com

/^(126\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})

/^(163\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})

/^(163\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})

/^(sohu\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})

/^(gmail\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})

/^(google\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})

/^(yahoo\.com\.cn)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})

/^(yahoo\.co\.jp)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})

#

# Spammers.

#

/^(728154EA470B4AA\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(taj-co\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(CF8D3DB045C1455\.net)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(dsgsfdg\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(se\.nit7-ngbo\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(mail\.goo\.ne\.jp)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(n-ong_an\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(meqail\.teamefs-ine5tl\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(zzg\.jhf-sp\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(din_glo-ng\.net)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(fda-cnc\.ie\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(yrtaj-yrco\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(m\.am\.biz\.cn)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(xr_haig\.roup\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(hjn\.cn)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(we_blf\.com\.cn)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(netvigator\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(mysam\.biz)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(mail\.teams-intl\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(seningbo\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(nblf\.com\.cn)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(kdn\.ktguide\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(zzsp\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(nblongan\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(dpu\.cn)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(nbalton\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(cncie\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(xinhaigroup\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(wz\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/(\.zj\.cn)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/(\.kornet)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(dsldevice\.lan)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/^(system\.mail)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/^(speedtouch\.lan)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/^(dsldevice\.lan)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

#

# Reject adsl spammers.

#

# match word `adsl` with word boundary `\b`.

/(\badsl\b)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})

# bypass "[IP_ADDRESS]"

/^\[(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]$/ DUNNO

# bypass some HELOs which contains IP address

/^o\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\.outbound-mail\.sendgrid\.net$/ DUNNO

# reject HELO which contains IP address

/(\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3})/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})

/(\d{1,3}\.ip\.-\d{1,3}-\d{1,3}-\d{1,3}\.eu)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})

/(pppoe)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})

/(dsl\.brasiltelecom\.net\.br)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})

/(dsl\.optinet\.hr)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})

/(dsl\.telesp\.net\.br)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})

/(dialup)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})

/(dhcp)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})

/(static-pool-[\d\.-]*\.flagman\.zp\.ua)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})

/(speedy\.com\.ar)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})

/(speedyterra\.com\.br)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})

/(static\.sbb\.rs)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})

/(static\.vsnl\.net\.in)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})

/(advance\.com\.ar)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(airtelbroadband\.in)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(bb\.netvision\.net\.il)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(broadband3\.iol\.cz)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(cable\.net\.co)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(catv\.broadband\.hu)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(chello\.nl)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(chello\.sk)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(client\.mchsi\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(comunitel\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(coprosys\.cz)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(dclient\.hispeed\.ch)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(dip0\.t-ipconnect\.de)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(domain\.invalid)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(dyn\.centurytel\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(embarqhsd\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(emcali\.net\.co)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(epm\.net\.co)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(eutelia\.it)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(fibertel\.com\.ar)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(freedom2surf\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(hgcbroadband\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(HINET-IP\.hinet\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(infonet\.by)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(is74\.ru)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(kievnet\.com\.ua)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(metrotel\.net\.co)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(nw\.nuvox\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(pldt\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(pool\.invitel\.hu)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(pool\.ukrtel\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(pools\.arcor-ip\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(pppoe\.avangarddsl\.ru)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(retail\.telecomitalia\.it)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(revip2\.asianet\.co\.th)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(tim\.ro)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(tsi\.tychy\.pl)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(ttnet\.net\.tr)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(tttmaxnet\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(user\.veloxzone\.com\.br)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(utk\.ru)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(veloxzone\.com\.br)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(virtua\.com\.br)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(wanamaroc\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(wbt\.ru)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(wireless\.iaw\.on\.ca)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(business\.telecomitalia\.it)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(cotas\.com\.bo)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(marunouchi\.tokyo\.ocn\.ne\.jp)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(amedex\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(aageneva\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/^ylmf-pc/ REJECT ACCESS DENIED

5. /etc/postfix/postscreen_access.cidr

# Rules are evaluated in the order as specified.

#1.2.3.4 permit

#2.3.4.5 reject

# Permit local clients

127.0.0.0/8 permit

6. /etc/postfix/postscreen_dnsbl_reply

7. /etc/postfix/sender_access.pcre

8. /etc/postfix/mysql/catchall_maps.cf

hosts       = 127.0.0.1:3306

user        = vmail 

password    = rladudrl

dbname      = vmail

query       = SELECT forwardings.forwarding FROM forwardings,domain WHERE forwardings.address='%d' AND '%u' NOT LIKE '%%+%%' AND forwardings.address=domain.domain AND forwardings.active=1 AND domain.active=1 AND domain.backupmx=0

9. /etc/postfix/mysql/domain_alias_catchall_maps.cf

hosts       = 127.0.0.1:3306

user        = vmail 

password    = rladudrl

dbname      = vmail

query       = SELECT forwardings.forwarding FROM forwardings,alias_domain,domain WHERE alias_domain.alias_domain='%d' AND forwardings.address=alias_domain.target_domain AND alias_domain.target_domain=domain.domain AND forwardings.active=1 AND alias_domain.active=1

10. /etc/postfix/mysql/domain_alias_maps.cf

hosts       = 127.0.0.1:3306

user        = vmail 

password    = rladudrl

dbname      = vmail

query       = SELECT forwardings.forwarding FROM forwardings,alias_domain,domain WHERE alias_domain.alias_domain='%d' AND forwardings.address=alias_domain.target_domain AND alias_domain.target_domain=domain.domain AND forwardings.active=1 AND alias_domain.active=1

11. /etc/postfix/mysql/recipient_bcc_maps_domain.cf

hosts       = 127.0.0.1:3306

user        = vmail

password    = rladudrl 

dbname      = vmail

query       = SELECT bcc_address FROM recipient_bcc_domain WHERE domain='%d' AND active=1

12. /etc/postfix/mysql/recipient_bbs_maps_user.cf

hosts       = 127.0.0.1:3306

user        = vmail 

password    = rladudrl

dbname      = vmail

query       = SELECT recipient_bcc_user.bcc_address FROM recipient_bcc_user,domain WHERE recipient_bcc_user.username='%s' AND recipient_bcc_user.domain='%d' AND recipient_bcc_user.domain=domain.domain AND domain.backupmx=0 AND domain.active=1 AND recipient_bcc_user.active=1

13. /etc/postfix/mysql/relay_domains.cf

hosts       = 127.0.0.1:3306

user        = vmail

password    = rladudrl 

dbname      = vmail

query       = (SELECT domain

                 FROM domain

                WHERE domain='%s'

                      AND backupmx=1

                      AND active=1

                LIMIT 1)

                UNION

              (SELECT alias_domain.target_domain

                 FROM alias_domain, domain

                WHERE alias_domain.alias_domain='%s'

                      AND alias_domain.target_domain=domain.domain

                      AND domain.backupmx=1

                      AND domain.active=1

                LIMIT 1)

14. /etc/postfix/mysql/sender_bcc_maps_domain.cf

hosts       = 127.0.0.1:3306

user        = vmail

password    = rladudrl

dbname      = vmail

query       = SELECT bcc_address FROM sender_bcc_domain WHERE domain='%d' AND active=1

15. /etc/postfix/mysql/sender_bcc_maps_user.cf

hosts       = 127.0.0.1:3306

user        = vmail 

password    = rladudrl

dbname      = vmail

query       = SELECT sender_bcc_user.bcc_address FROM sender_bcc_user,domain WHERE sender_bcc_user.username='%s' AND sender_bcc_user.domain='%d' AND sender_bcc_user.domain=domain.domain AND domain.backupmx=0 AND domain.active=1 AND sender_bcc_user.active=1

16. /etc/postfix/mysql/sender_dependent_relayhost_maps.cf

hosts       = 127.0.0.1:3306

user        = vmail

password    = rladudrl 

dbname      = vmail

# '%s' will be replaced by the envelope sender address or @domain.

query       = SELECT relayhost FROM sender_relayhost WHERE account='%s' LIMIT 1

17. /etc/postfix/mysql/sender_login_maps.cf

hosts       = 127.0.0.1:3306

user        = vmail

password    = rladudrl 

dbname      = vmail

query       = SELECT mailbox.username FROM mailbox,domain WHERE mailbox.username='%s' AND mailbox.domain='%d' AND mailbox.domain=domain.domain AND mailbox.enablesmtp=1 AND mailbox.active=1 AND domain.backupmx=0 AND domain.active=1

18. /etc/postfix/mysql/transport_maps_domain.cf

hosts       = 127.0.0.1:3306

user        = vmail 

password    = rladudrl

dbname      = vmail

query       = SELECT transport FROM domain WHERE domain='%s' AND active=1

19. /etc/postfix/mysql/transport_maps_maillist.cf

hosts       = 127.0.0.1:3306

user        = vmail

password    = rladudrl

dbname      = vmail

query       = SELECT maillists.transport FROM maillists,domain WHERE maillists.address='%s' AND maillists.active=1 AND maillists.domain = domain.domain AND domain.active=1

20. /etc/postfix/mysql/transport_maps_user.cf

hosts       = 127.0.0.1:3306

user        = vmail

password    = rladudrl 

dbname      = vmail

query       = SELECT mailbox.transport FROM mailbox,domain WHERE mailbox.username='%s' AND mailbox.domain='%d' AND mailbox.domain=domain.domain AND mailbox.transport<>'' AND mailbox.active=1 AND mailbox.enabledeliver=1 AND domain.backupmx=0 AND domain.active=1

21. /etc/postfix/mysql/virtual_alias_maps.cf

hosts       = 127.0.0.1:3306

user        = vmail

password    = rladudrl 

dbname      = vmail

query       = SELECT forwardings.forwarding FROM forwardings,domain WHERE forwardings.address='%s' AND forwardings.domain=domain.domain AND forwardings.active=1 AND domain.backupmx=0 AND domain.active=1

22. /etc/postfix/mysql/virtual_mailbox_domains.cf

hosts       = 127.0.0.1:3306

user        = vmail

password    = rladudrl 

dbname      = vmail

query       = SELECT domain FROM domain WHERE domain='%s' AND backupmx=0 AND active=1 UNION SELECT alias_domain.alias_domain FROM alias_domain,domain WHERE alias_domain.alias_domain='%s' AND alias_domain.active=1 AND alias_domain.target_domain=domain.domain AND domain.active=1 AND domain.backupmx=0

23. /etc/postfix/mysql/virtual_mailbox_maps.cf

hosts       = 127.0.0.1:3306

user        = vmail

password    = rladudrl 

dbname      = vmail

query       = SELECT CONCAT(mailbox.storagenode, '/', mailbox.maildir, '/Maildir/') FROM mailbox,domain WHERE mailbox.username='%s' AND mailbox.active=1 AND mailbox.enabledeliver=1 AND domain.domain = mailbox.domain AND domain.active=1

 Dovecot

 Package

dovecot22u-devel-2.2.35-1.ius.centos7.x86_64
dovecot22u-mysql-2.2.35-1.ius.centos7.x86_64
dovecot22u-pigeonhole-2.2.35-1.ius.centos7.x86_64
dovecot22u-2.2.35-1.ius.centos7.x86_64

 configure

1. /etc/dovecot/dovecot-master-users

2. /etc/dovecot/dovecot-mysql.conf

driver = mysql

default_pass_scheme = SHA512-CRYPT

connect = host=127.0.0.1 port=3306 dbname=vmail user=vmail password=*********

# Required by doveadm tools which require to list all mail users.

iterate_query = SELECT username AS user FROM mailbox

password_query = SELECT mailbox.password, mailbox.allow_nets \

        FROM mailbox,domain \

       WHERE mailbox.username='%u' \

             AND mailbox.`enable%Ls%Lc`=1 \

             AND mailbox.active=1 \

             AND mailbox.domain=domain.domain \

             AND domain.backupmx=0 \

             AND domain.active=1

user_query = SELECT \

            '%u' AS master_user, \

            CONCAT(mailbox.storagebasedirectory, '/', mailbox.storagenode, '/', mailbox.maildir) AS home, \

            CONCAT('*:bytes=', mailbox.quota*1048576) AS quota_rule \

        FROM mailbox,domain \

       WHERE mailbox.username='%u' \

             AND mailbox.`enable%Ls%Lc`=1 \

             AND mailbox.active=1 \

             AND mailbox.domain=domain.domain \

             AND domain.backupmx=0 \

             AND domain.active=1

3. /etc/dovecot/dovecot-share-folder.conf

connect = host=127.0.0.1 port=3306 dbname=vmail user=vmail password=********

map {

    pattern = shared/shared-boxes/user/$to/$from

    table = share_folder

    value_field = dummy

    fields {

        from_user = $from

        to_user = $to

    }

}

# To share mailbox to anyone, please uncomment 'acl_anyone = allow' in

# dovecot.conf

map {

    pattern = shared/shared-boxes/anyone/$from

    table = anyone_shares

    value_field = dummy

    fields {

        from_user = $from

    }

}

4. /etc/dovecot/dovecot-used-quota.conf

connect = host=127.0.0.1 port=3306 dbname=vmail user=vmail password=**********

map {

    pattern = priv/quota/storage

    table = used_quota

    username_field = username

    value_field = bytes

}

map {

    pattern = priv/quota/messages

    table = used_quota

    username_field = username

    value_field = messages

}

5. /etc/dovecot/dovecot.conf

# More details about Dovecot settings:

#   - http://wiki2.dovecot.org/

#   - http://wiki2.dovecot.org/Variables

# Listen addresses.

#   - '*' means all available IPv4 addresses.

#   - '[::]' means all available IPv6 addresses.

# Listen on all available addresses by default

listen = * [::]

#base_dir = /var/run/dovecot

mail_plugins = quota mailbox_alias acl mail_log notify stats

# Enabled mail protocols.

protocols = pop3 imap sieve lmtp

# User/group who owns the message files:

mail_uid = 2000

mail_gid = 2000

# Assign uid to virtual users.

first_valid_uid = 2000

last_valid_uid = 2000

# Logging. Reference: http://wiki2.dovecot.org/Logging

#

# Use syslog

#syslog_facility = local5

# Log file path if we use internal log system

log_path = /var/log/dovecot/dovecot.log

# Debug

#mail_debug = yes

#auth_verbose = yes

#auth_debug = yes

#auth_debug_passwords = yes

# Possible values: no, plain, sha1.

#auth_verbose_passwords = no

# SSL: Global settings.

# Refer to wiki site for per protocol, ip, server name SSL settings:

# http://wiki2.dovecot.org/SSL/DovecotConfiguration

ssl_protocols = !SSLv2 !SSLv3

ssl = required

verbose_ssl = no

#ssl_ca = </path/to/ca

ssl_cert = </etc/pki/dovecot/certs/dovecot.pem

ssl_key = </etc/pki/dovecot/private/dovecot.pem

# Fix 'The Logjam Attack'

ssl_cipher_list = ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5

# Dovecot 2.2.6 or greater:

# Specify the wanted DH parameters length

ssl_dh_parameters_length = 2048

ssl_prefer_server_ciphers = yes

# With disable_plaintext_auth=yes AND ssl=required, STARTTLS is mandatory.

# Set disable_plaintext_auth=no AND ssl=yes to allow plain password transmitted

# insecurely.

disable_plaintext_auth = yes

# Allow plain text password per IP address/net

#remote 192.168.0.0/24 {

#   disable_plaintext_auth = no

#}

# Mail location and mailbox format.

mail_location = maildir:%Lh/Maildir/:INDEX=%Lh/Maildir/

# Authentication related settings.

# Append this domain name if client gives empty realm.

#auth_default_realm = weschool.kr

# Authentication mechanisms.

auth_mechanisms = PLAIN LOGIN

# Limits the number of users that can be logging in at the same time.

# Default is 100. This can be overridden by `process_limit =` in

# `service [protocol]` block.

# e.g.

#       protocol imap-login {

#           ...

#           process_limit = 500

#       }

#default_process_limit = 100

# Mail delivery log format

deliver_log_format = from=%{from}, envelope_sender=%{from_envelope}, subject=%{subject}, msgid=%m, size=%{size}, %$

service auth {

    unix_listener /var/spool/postfix/private/dovecot-auth {

        user = postfix

        group = postfix

        mode = 0666

    }

    unix_listener auth-master {

        user = vmail

        group = vmail

        mode = 0666

    }

    unix_listener auth-userdb {

        user = vmail

        group = vmail

        mode = 0660

    }

}

# LMTP server (Local Mail Transfer Protocol).

# Reference: http://wiki2.dovecot.org/LMTP

service lmtp {

    user = vmail

    # For higher volume sites, it may be desirable to increase the number of

    # active listener processes. A range of 5 to 20 is probably good for most

    # sites.

    process_min_avail = 5

    # Logging.

    # Require 'log_path =' in 'protocol lmtp {}' block.

    executable = lmtp -L

    # Listening on socket file and TCP

    unix_listener /var/spool/postfix/private/dovecot-lmtp {

        user = postfix

        group = postfix

        mode = 0600

    }

    inet_listener lmtp {

        # Listen on localhost (ipv4)

        address = 127.0.0.1

        port = 24

    }

}

# Virtual mail accounts.

userdb {

    args = /etc/dovecot/dovecot-mysql.conf

    driver = sql

}

passdb {

    args = /etc/dovecot/dovecot-mysql.conf

    driver = sql

}

# Master user.

# Master users are able to log in as other users. It's also possible to

# directly log in as any user using a master password, although this isn't

# recommended.

# Reference: http://wiki2.dovecot.org/Authentication/MasterUsers

auth_master_user_separator = *

passdb {

    driver = passwd-file

    args = /etc/dovecot/dovecot-master-users

    master = yes

}

plugin {

    # Quota configuration.

    # Reference: http://wiki2.dovecot.org/Quota/Configuration

    quota = dict:user::proxy::quotadict

    # Set default quota rule if no quota returned from SQL/LDAP query.

    #quota_rule = *:storage=1G

    #quota_rule2 = *:messages=0

    #quota_rule3 = Trash:storage=1G

    #quota_rule4 = Junk:ignore

    # Quota warning.

    #

    # If user suddenly receives a huge mail and the quota jumps from

    # 85% to 95%, only the 95% script is executed.

    #

    # Only the command for the first exceeded limit is executed, so configure

    # the highest limit first.

    quota_warning = storage=100%% quota-warning 100 %u

    quota_warning2 = storage=95%% quota-warning 95 %u

    quota_warning3 = storage=90%% quota-warning 90 %u

    quota_warning4 = storage=85%% quota-warning 85 %u

    # allow user to become max 10% (or 50 MB) over quota

    quota_grace = 10%%

    #quota_grace = 50 M

    # Custom Quota Exceeded Message.

    # You can specify the message directly or read the message from a file.

    #quota_exceeded_message = Quota exceeded, please try again later.

    #quota_exceeded_message = </path/to/quota_exceeded_message.txt

    # Plugin: expire.

    #expire = Trash 7 Trash/* 7 Junk 30

    #expire_dict = proxy::expire

    # ACL and share folder

    acl = vfile

    acl_shared_dict = proxy::acl

    # By default Dovecot doesn't allow using the IMAP "anyone" or

    # "authenticated" identifier, because it would be an easy way to spam

    # other users in the system. If you wish to allow it,

    #acl_anyone = allow

    # Pigeonhole managesieve service.

    # Reference: http://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration

    # Per-user sieve settings.

    sieve_dir = %Lh/sieve

    sieve = %Lh/sieve/dovecot.sieve

    # Global sieve settings.

    sieve_global_dir = /var/vmail/sieve

    # Note: if user has personal sieve script, global sieve rules defined in

    #       sieve_default will be ignored. Please use sieve_before or

    #       sieve_after instead.

    #sieve_default =

    sieve_before = /var/vmail/sieve/dovecot.sieve

    #sieve_after =

    # The maximum number of redirect actions that can be performed during a

    # single script execution.

    # The meaning of 0 differs based on your version. For pigeonhole-0.3.0 and

    # beyond this means that redirect is prohibited. For older versions,

    # however, this means that the number of redirects is unlimited.

    sieve_max_redirects = 30

    # Reference: http://wiki2.dovecot.org/Plugins/MailboxAlias

    mailbox_alias_old = Sent

    mailbox_alias_new = Sent Messages

    mailbox_alias_old2 = Sent

    mailbox_alias_new2 = Sent Items

        # Events to log. `autoexpunge` is included in `expunge`

    # Defined in https://github.com/dovecot/core/blob/master/src/plugins/mail-log/mail-log-plugin.c

    mail_log_events = delete undelete expunge mailbox_delete mailbox_rename

    mail_log_fields = uid box msgid size from subject

    # stats

    #

    # how often to session statistics (must be set)

    stats_refresh = 30 secs

    # track per-IMAP command statistics (optional)

    stats_track_cmds = yes

}

service stats {

    fifo_listener stats-mail {

        user = vmail

        mode = 0644

    }

    inet_listener {

        address = 127.0.0.1

        port = 24242

    }

}

service quota-warning {

    executable = script /usr/local/bin/dovecot-quota-warning.sh

    unix_listener quota-warning {

        user = vmail

        group = vmail

        mode = 0660

    }

}

service dict {

    unix_listener dict {

        mode = 0660

        user = vmail

        group = vmail

    }

}

dict {

    #expire = db:/var/lib/dovecot/expire/expire.db

    quotadict = mysql:/etc/dovecot/dovecot-used-quota.conf

    acl = mysql:/etc/dovecot/dovecot-share-folder.conf

}

protocol lda {

    # Reference: http://wiki2.dovecot.org/LDA

    mail_plugins = $mail_plugins sieve

    lda_mailbox_autocreate = yes

    lda_mailbox_autosubscribe = yes

    postmaster_address = root

    # Log file path if we use internal log system

    #log_path = /var/log/dovecot/sieve.log

}

protocol lmtp {

    # Log file path if we use internal log system

    #log_path = /var/log/dovecot/lmtp.log

    # Plugins

    mail_plugins = quota sieve

    postmaster_address = postmaster

    # Address extension delivery

    lmtp_save_to_detail_mailbox = yes

    recipient_delimiter = +

}

protocol imap {

    mail_plugins = $mail_plugins imap_quota imap_acl imap_stats

    imap_client_workarounds = tb-extra-mailbox-sep

    # Maximum number of IMAP connections allowed for a user from each IP address.

    # NOTE: The username is compared case-sensitively.

    # Default is 10.

    # Increase it to avoid issue like below:

    # "Maximum number of concurrent IMAP connections exceeded"

    mail_max_userip_connections = 30

}

protocol pop3 {

    mail_plugins = $mail_plugins

    pop3_client_workarounds = outlook-no-nuls oe-ns-eoh

    pop3_uidl_format = %08Xu%08Xv

    # Maximum number of IMAP connections allowed for a user from each IP address.

    # NOTE: The username is compared case-sensitively.

    # Default is 10.

    mail_max_userip_connections = 30

    # POP3 logout format string:

    #  %i - total number of bytes read from client

    #  %o - total number of bytes sent to client

    #  %t - number of TOP commands

    #  %p - number of bytes sent to client as a result of TOP command

    #  %r - number of RETR commands

    #  %b - number of bytes sent to client as a result of RETR command

    #  %d - number of deleted messages

    #  %m - number of messages (before deletion)

    #  %s - mailbox size in bytes (before deletion)

    # Default format doesn't have 'in=%i, out=%o'.

    #pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s, in=%i, out=%o

}

# Login processes. Refer to Dovecot wiki for more details:

# http://wiki2.dovecot.org/LoginProcess

service imap-login {

    #inet_listener imap {

    #    port = 143

    #}

    #inet_listener imaps {

    #    port = 993

    #    ssl = yes

    #}

    service_count = 1

    # To avoid startup latency for new client connections, set process_min_avail

    # to higher than zero. That many idling processes are always kept around

    # waiting for new connections.

    #process_min_avail = 0

    # number of simultaneous IMAP connections

    process_limit = 500

    # vsz_limit should be fine at its default 64MB value

    #vsz_limit = 64M

}

service pop3-login {

    #inet_listener pop3 {

    #    port = 110

    #}

    #inet_listener pop3s {

    #    port = 995

    #    ssl = yes

    #}

    service_count = 1

    # number of simultaneous POP3 connections

    #process_limit = 500

}

service managesieve-login {

    inet_listener sieve {

        # Listen on localhost (ipv4)

        address = 127.0.0.1

        port = 4190

    }

}

namespace {

    type = private

    separator = /

    prefix =

    inbox = yes

    # Refer to document for more details about alias mailbox:

    # http://wiki2.dovecot.org/MailboxSettings

    #

    # Sent

    mailbox Sent {

        auto = subscribe

        special_use = \Sent

    }

    mailbox "Sent Messages" {

        auto = no

        special_use = \Sent

    }

    mailbox "Sent Items" {

        auto = no

        special_use = \Sent

    }

    mailbox Drafts {

        auto = subscribe

        special_use = \Drafts

    }

        # Trash

    mailbox Trash {

        auto = subscribe

        special_use = \Trash

    }

    mailbox "Deleted Messages" {

        auto = no

        special_use = \Trash

    }

    # Junk

    mailbox Junk {

        auto = subscribe

        special_use = \Junk

    }

    mailbox Spam {

        auto = no

        special_use = \Junk

    }

    mailbox "Junk E-mail" {

        auto = no

        special_use = \Junk

    }

    # Archive

    mailbox Archive {

        auto = no

        special_use = \Archive

    }

    mailbox Archives {

        auto = no

        special_use = \Archive

    }

}

namespace {

    type = shared

    separator = /

    prefix = Shared/%%u/

    location = maildir:%%Lh/Maildir/:INDEX=%%Lh/Maildir/Shared/%%Ld/%%Ln

    # this namespace should handle its own subscriptions or not.

    subscriptions = yes

    list = children

}

# Public mailboxes.

# Refer to Dovecot wiki page for more details:

# http://wiki2.dovecot.org/SharedMailboxes/Public

#namespace {

#    type = public

#    separator = /

#    prefix = Public/

#    location = maildir:/var/vmail/public:CONTROL=%Lh/Maildir/public:INDEXPVT=%Lh/Maildir/public

#

#    # Allow users to subscribe to the public folders.

#    subscriptions = yes

#}

!include_try /etc/dovecot/iredmail/*.conf

 MariaDB

 Package

mariadb101u-embedded-devel-10.1.32-1.ius.centos7.x86_6
mariadb101u-server-galera-10.1.32-1.ius.centos7.x86_64
mariadb101u-10.1.32-1.ius.centos7.x86_64
mariadb101u-config-10.1.32-1.ius.centos7.x86_64

mariadb101u-libs-10.1.32-1.ius.centos7.x86_64

mariadb101u-devel-10.1.32-1.ius.centos7.x86_64

mariadb101u-test-10.1.32-1.ius.centos7.x86_64

 configure

1. /etc/my.cnf  

#

# This group is read both both by the client and the server

# use it for options that affect everything

#

[client-server]

#

# This group is read by the server

#

[mysqld]

 bind-address            = 0.0.0.0

 port                    = 3306

 collation-server        = utf8mb4_general_ci

 character-set-server    = utf8mb4

 skip-character-set-client-handshake

 max_allowed_packet      = 32M

 slow_query_log

 long_query_time         = 2

# 모든 쿼리 로그를 남깁니다.

 general_log = 1

 general_log_file = /var/log/mariadb/mysql_query.log

 expire_logs_days = 2

 max_binlog_size = 10M

# Disabling symbolic-links is recommended to prevent assorted security risks

 symbolic-links=0

#ssl-ca =

#ssl-cert = /etc/pki/tls/certs/iRedMail.crt

#ssl-key = /etc/pki/tls/private/iRedMail.key

#ssl-cipher = ALL

[client]

default-character-set=utf8

#

# include all files from the config directory

#

 !includedir /etc/my.cnf.d

 Roundcube

&

Gnuboard
&
wmail

 Package

      gnuboard5.3.1.4.tar.gz

      Roundcube Webmail 1.3.5

      wmail 1.1

 * 기본판(liroo.net 모델 ==> 

web3.vol1.egg

web3.vol2.egg

web3.vol3.egg

web3.vol4.egg

 configure

1. gnuboard configuration

/data/dbconfig.php   ---> DB 접속 정보 설정.

2. Roundcube configuration

[html/rmail/config/config.inc.php]

<?php

// SQL DATABASE

$config['db_dsnw'] = 'mysqli://DB_ID:DB_PW@127.0.0.1:3306/web1';

$config['db_prefix'] = 'lr_';

// LOGGING

$config['log_driver'] = 'syslog';

$config['syslog_facility'] = LOG_MAIL;

// IMAP

$config['default_host'] = '127.0.0.1';

$config['default_port'] = 143;

$config['imap_auth_type'] = 'LOGIN';

$config['imap_delimiter'] = '/';

// Required if you're running PHP 5.6 or later

$config['imap_conn_options'] = array(

    'ssl' => array(

        'verify_peer'  => false,

        'verify_peer_name' => false,

    ),

);

// SMTP

$config['smtp_server'] = 'tls://127.0.0.1';

$config['smtp_port'] = 587;

$config['smtp_user'] = '%u';

$config['smtp_pass'] = '%p';

$config['smtp_auth_type'] = 'LOGIN';

// Required if you're running PHP 5.6 or later

$config['smtp_conn_options'] = array(

    'ssl' => array(

        'verify_peer'      => false,

        'verify_peer_name' => false,

    ),

);

// Use user's identity as envelope sender for 'return receipt' responses,

// otherwise it will be rejected by iRedAPD plugin `reject_null_sender`.

$config['mdn_use_from'] = true;

// SYSTEM

$config['force_https'] = false;

$config['login_autocomplete'] = 2;

$config['ip_check'] = true;

$config['des_key'] = 'GyxjqQ7kaD5dqsq7HAB3Ab0g';

$config['cipher_method'] = 'AES-256-CBC';

$config['useragent'] = 'Narae Webmail'; // Hide version number

$config['username_domain'] = 'weschool.kr';

//$config['mime_types'] = '/etc/mime.types';

// USER INTERFACE

$config['create_default_folders'] = true;

$config['quota_zero_as_unlimited'] = true;

// USER PREFERENCES

$config['default_charset'] = 'UTF-8';

//$config['addressbook_sort_col'] = 'name';

$config['draft_autosave'] = 60;

$config['default_list_mode'] = 'threads';

$config['autoexpand_threads'] = 2;

$config['check_all_folders'] = true;

$config['default_font_size'] = '12pt';

$config['message_show_email'] = true;

$config['layout'] = 'widescreen';   // three columns

//$config['skip_deleted'] = true;

// PLUGINS

$config['plugins'] = array('managesieve', 'password', 'enigma', 'large_attachments');

//max mail attach file size

$config['max_attach_size'] = 31457280;

//logout url

$config['logout_url'] = '/bbs/logout.php';

[/html/rmail/plugins/large_attachments/config.inc.php]

<?php

//file upload directory

$config['large_upload_path']= '/data/webmaster/web1/data/upload/';

$config['large_extensions']= [];

$config['large_multiselect'] = false;

?>

3. wmail configuration

[/data/webmaster/web1/data/db.conf]

db=mysql

host=localhost

port=

dbname=DB

user=DB_user

passwd=DB_pw

[/data/webmaster/web1/data/vmail.conf]

db=mysql

host=localhost

port=

dbname=vmail

user=vmail_DB_user

passwd=vmail_DB_pw

 Certbot

 Package

python2-certbot-0.26.1-2.el7.noarch
certbot-0.26.1-2.el7.noarch
python2-certbot-nginx-0.26.1-1.el7.noarch

 configure

/etc/letsencrypt