Running a mail service for two domains (e.g. a.com & b.com) with Postfix

If you want the mail arriving at each of the two domains to be read from a single mail account, you can do it with the virtual_alias_domains and virtual_alias_maps settings.

There are two ways to configure this: edit Postfix's configuration files (main.cf & virtual), or back the lookups with a DB.


[Method 1] - Editing the configuration files

● Edit /etc/postfix/main.cf

virtual_mailbox_domains = a.com
virtual_alias_maps = hash:/etc/postfix/virtual

● Edit /etc/postfix/virtual

# I want @a.com to have two incoming aliases
@a.com   @b.com

With this setting, all mail arriving for a.com is delivered to the account of the same name in the b.com domain.
This method is simple and can be used right away, but Postfix has to be restarted after every configuration change.

If there are several forwarded domains, extend the list: virtual_mailbox_domains = a.com domain1 domain2

and add one @domain line per domain to /etc/postfix/virtual.



[Method 2] - Backing the lookups with a DB

● Edit /etc/postfix/main.cf

virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf

● /etc/postfix/mysql/virtual_mailbox_domains.cf

hosts       = 127.0.0.1:3306
user        = <DB account>
password    = <DB password>
dbname      = <DB name>

query       = SELECT domain FROM domain WHERE domain='%s' AND backupmx=0 AND active=1 UNION SELECT alias_domain.alias_domain FROM alias_domain,domain WHERE alias_domain.alias_domain='%s' AND alias_domain.active=1 AND alias_domain.target_domain=domain.domain AND domain.active=1 AND domain.backupmx=0

● /etc/postfix/mysql/virtual_alias_maps.cf

hosts       = 127.0.0.1:3306
user        = <DB account>
password    = <DB password>
dbname      = <DB name>

query       = SELECT forwardings.forwarding FROM forwardings,domain WHERE forwardings.address='%s' AND forwardings.domain=domain.domain AND forwardings.active=1 AND domain.backupmx=0 AND domain.active=1

● DB (vmail) - TABLES

[domain]
columns: domain / description / disclaimer / aliases / mailboxes / maillists / maxquota / quota / transport / backupmx / settings / created / modified / expired / active

a.com / (empty) / (empty) / 0 / 0 / 0 / 0 / 0 / dovecot / 0 / default_user_quota:1024; / 2018-04-30 11:19:10 / 1970-01-01 01:01:01 / 9999-12-31 00:00:00 / 1
b.com / (empty) / (empty) / 0 / 0 / 0 / 0 / 0 / dovecot / 0 / (empty) / 1970-01-01 01:01:01 / 1970-01-01 01:01:01 / 9999-12-31 00:00:00 / 1

[alias_domain]
columns: alias_domain / target_domain / created / modified / active

a.com / b.com / 1970-01-01 01:01:01 / 1970-01-01 01:01:01 / 1

[forwardings]
columns: address / forwarding / domain / dest_domain / is_maillist / is_list / is_forwarding / is_alias / active

@a.com / @b.com / a.com / b.com / 0 / 0 / 0 / 0 / 1
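As an added example (not code from the original page), the following Python emulates how Postfix resolves a recipient through both variants above: the hash:/etc/postfix/virtual file of Method 1 and the vmail tables behind the Method 2 queries, applying the lookup order of virtual(5). The domains are the page's a.com/b.com; the in-memory rows are constructed copies of the tables shown.

```python
"""Emulation of the Postfix virtual_alias_maps lookups described on this page.

virtual(5) rules applied here: try "user@domain" first, then "@domain"; when a
result has the form "@otherdomain", the original local part is kept.
"""

# Method 1: the /etc/postfix/virtual contents from the page. In a live setup the
# file is compiled with "postmap /etc/postfix/virtual" before Postfix reads it.
VIRTUAL_FILE = """
# I want @a.com to have two incoming aliases
@a.com   @b.com
"""

# Method 2: constructed in-memory copies of the vmail rows shown on the page,
# trimmed to the columns the two .cf queries actually reference.
DOMAIN = [
    {"domain": "a.com", "backupmx": 0, "active": 1},
    {"domain": "b.com", "backupmx": 0, "active": 1},
]
ALIAS_DOMAIN = [{"alias_domain": "a.com", "target_domain": "b.com", "active": 1}]
FORWARDINGS = [{"address": "@a.com", "forwarding": "@b.com", "domain": "a.com", "active": 1}]


def parse_virtual_file(text):
    """Parse the virtual(5) text format: '#' comment lines, blank lines, 'key value'."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("virtual(5) entries need a key and a value: %r" % line)
        table[parts[0].lower()] = parts[1].strip()
    return table


HASH_TABLE = parse_virtual_file(VIRTUAL_FILE)


def hash_lookup(key):
    """Method 1: lookup in the hash: table (Postfix folds lookup keys to lower case)."""
    return HASH_TABLE.get(key.lower())


def _primary_domain(domain):
    """A 'domain' row that is active and not a backup MX (the WHERE clause both queries share)."""
    return any(d["domain"] == domain and d["active"] == 1 and d["backupmx"] == 0 for d in DOMAIN)


def is_virtual_mailbox_domain(domain):
    """virtual_mailbox_domains.cf: UNION of a primary domain and an active
    alias_domain whose target is a primary domain."""
    if _primary_domain(domain):
        return True
    return any(a["alias_domain"] == domain and a["active"] == 1 and _primary_domain(a["target_domain"])
               for a in ALIAS_DOMAIN)


def db_lookup(key):
    """virtual_alias_maps.cf: an active forwardings row joined with a primary domain."""
    for f in FORWARDINGS:
        if f["address"] == key and f["active"] == 1 and _primary_domain(f["domain"]):
            return f["forwarding"]
    return None


def resolve_recipient(address, lookup, max_depth=1000):
    """Expand one recipient the way virtual(5) does, using `lookup` as the alias table.

    Only single-address results are handled (Postfix also accepts comma-separated
    lists); max_depth mirrors virtual_alias_recursion_limit.
    """
    current = address
    for _ in range(max_depth):
        local, _, domain = current.rpartition("@")
        result = lookup(current)             # 1. "user@domain"
        if result is None:
            result = lookup("@" + domain)    # 2. "@domain" catch-all entry
        if result is None:
            return current                   # no alias applies: deliver as-is
        if result.startswith("@"):
            result = local + result          # "@b.com" -> "user@b.com"
        if result == current:
            return current
        current = result
    raise RuntimeError("alias expansion exceeded %d steps for %s" % (max_depth, address))
```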

Moves data from a given server to the local host or to another server.

[Format]  rsync  options  source(local or remote)  destination(local or remote)

                  --->  Connecting from a remote host requires settings in /etc/rsyncd.conf,
                           but local access needs no extra configuration.

[ Tasks on the source server ]

    1. Start rsyncd.......... enable it in ntsysv and restart xinetd.

    2. Configure /etc/rsyncd.conf.

        ex) rsyncd.conf

               [opt]
               path = /opt
               comment = opt backup
               uid = root
               gid = root
               use chroot = yes
               # read only / write only take yes or no
               read only = yes
               write only = no
               hosts allow = 210.95.24.75,218.150.162.5
               max connections = 3
               timeout = 600

[ Tasks on the backup server ]

     1. Register a script in cron so that it runs periodically.

           ex) /etc/cron.daily/rsync_opt.sh

                 #!/bin/sh
                 # Pull the "opt" module from the source server into /BACKUP and log the result.
                 LOG=/etc/cron.daily/log/rsync_opt.log
                 echo "rsync start" > "$LOG"
                 # -a archive, -v verbose, -z compress; --delete removes files that no longer exist at the source
                 rsync -avz --delete 10.10.10.1::opt/ /BACKUP
                 if [ $? -eq 0 ]; then
                        echo "opt backup OK" >> "$LOG"
                 else
                        echo "opt backup FAILED" >> "$LOG"
                 fi
                 echo "rsync end" >> "$LOG"

[ Checking rsyncd.conf ]

       1. How to check the list of modules on the server in order to receive its data from a remote host

                rsync -avz --delete 10.10.10.1::

           Entering this shows the list of modules registered in that server's rsyncd.conf.
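As an added example (not code from the original page), this Python parses rsyncd.conf module definitions and reports which settings leave an exported directory reachable, readable or writable more widely than intended; RSYNCD_CONF is a constructed copy of the [opt] module above and WEAK_CONF a constructed variant with the protections removed.

```python
"""Audit of rsyncd.conf modules: which keys control who can read or write 'path'."""

# Constructed copy of the page's [opt] module (note "timeout = 600" with '=').
RSYNCD_CONF = """
[opt]
    path = /opt
    comment = opt backup
    uid = root
    gid = root
    use chroot = yes
    read only = yes
    write only = no
    hosts allow = 210.95.24.75,218.150.162.5
    max connections = 3
    timeout = 600
"""

# Constructed weakened variant: global uid/gid, no hosts allow, writable, no chroot.
WEAK_CONF = """
uid = root
gid = root
[opt]
    path = /opt
    use chroot = no
    read only = no
"""

TRUE_VALUES = ("yes", "true", "1")


def parse_rsyncd_conf(text):
    """Return {module: {key: value}}; keys before any [module] go under None."""
    modules = {None: {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            modules[section] = {}
            continue
        key, sep, value = line.partition("=")
        if not sep:
            # rsyncd.conf requires "key = value"; a line like "timeout 600" is malformed
            raise ValueError("malformed rsyncd.conf line: %r" % raw)
        modules[section][key.strip().lower()] = value.strip()
    return modules


def audit_module(settings):
    """Findings for one module; absent keys take the rsync daemon defaults."""
    findings = []
    if "hosts allow" not in settings:
        findings.append("no 'hosts allow': any source address may connect")
    if "auth users" not in settings:
        findings.append("no 'auth users': clients are not authenticated")
    if settings.get("read only", "yes").lower() not in TRUE_VALUES:
        findings.append("read only disabled: remote clients can modify %s" % settings.get("path", "?"))
    if settings.get("use chroot", "yes").lower() not in TRUE_VALUES:
        findings.append("use chroot disabled: symlinks inside the module can point outside 'path'")
    if settings.get("uid", "nobody") == "root":
        findings.append("uid = root: the daemon's file access is not limited by its uid")
    return findings


def audit_rsyncd_conf(text):
    """Audit every module; module keys override global ones, as rsync applies them."""
    modules = parse_rsyncd_conf(text)
    report = {}
    for name, settings in modules.items():
        if name is None:
            continue
        merged = dict(modules[None])
        merged.update(settings)
        report[name] = audit_module(merged)
    return report
```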

 

 

 

 

 

[ Options ]  =================================================================

1.   [ --exclude=???  ]

     ex1) rsync    -av    --exclude=*03*.jpg   127.0.0.1::colt357/tmp/*    ./
     ex2) rsync    -av    --exclude "*03*.jpg"   127.0.0.1::colt357/tmp/*    ./

          --> Among the entries in colt357/tmp, files whose names match *03*.jpg are excluded.


[Option descriptions]

  -v, --verbose        print detailed output
  -q, --quiet          print no error or other messages at all
  -a, --archive        archive mode (preserves permissions, ownership and location as-is)
  -r, --recursive      recurse into all subdirectories
  -z, --compress       compress data during transfer
  --delete             delete files at the destination that do not exist at the source
  --exclude=pattern    exclude files or directories matching the pattern from the sync
  --include=pattern    include files or directories matching the pattern in the sync

"Registering SPF records, PTR records and a White Domain to keep mail from being blocked as spam"

Several things must be set up in DNS before mail can be received for a particular domain.

Some, like the MX (Mail Exchanger) record, must be registered or mail cannot be received at all; others are not required for sending and receiving to work, but should be registered in addition so that delivery is reliable.

For reliable delivery without bounced mail you must register an SPF record and a PTR record, and also register a White Domain with KISA (Korea Internet & Security Agency).


Terms and how they relate

1.  SPF (Sender Policy Framework) record

 An SPF record is a mechanism by which the receiving side blocks a message when the IP of the mail server that sent it differs from the IP values published in the domain's DNS TXT record. It verifies that the sending server's IP and its domain belong together, and the SPF record (the TXT value) is what is checked to do so.


2. PTR record (or Reverse DNS)

 The PTR record (Reverse Domain) policy queries an IP rather than a domain name in order to find the domain: the receiving side looks up the sending server's IP in reverse and, if the result matches the PTR (Pointer) record registered for the domain, treats the message as legitimate and accepts it. Because the PTR record is what gets queried when checking the Reverse Domain, the terms PTR record and Reverse Domain are used interchangeably.

 Another difference from SPF registration is that the record is registered with the ISP (KT, LG, SK and so on), not in your own DNS. So unless you built the mail system yourself, contact the company that provides your mail service and ask them to register it.

 The procedure differs per ISP; KT, for example, takes requests through the "KTDMS customer inquiry board", where you enter the applicant's details, the information required for reverse IP registration and the work you are requesting.


3. White Domain

 White Domain is a scheme that guarantees e-mail delivery to the major domestic (Korean) portal sites for individuals or businesses registered in advance, so that legitimately sent bulk e-mail such as member notices is not treated as spam and listed on an RBL. Even after registration as a White Domain, however, if monitoring later confirms that spam is being sent, the domain is blocked immediately and may be removed from the whitelist.

To register a White Domain, an SPF record must already be registered in DNS.

To avoid being listed on an RBL, proceed in this order: register the SPF record in DNS > register the White Domain > register the PTR record.
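As an added example (not part of the original post), the following Python runs the two checks described above, SPF record evaluation and the PTR match, against a constructed in-memory DNS zone with hypothetical names (example.kr, mail.example.kr, _spf.relay.example) and documentation-range IPs, so it works offline; a real receiver would query DNS instead.

```python
"""Offline SPF evaluation and forward-confirmed PTR check against a constructed zone.

The SPF part follows RFC 7208 for the common mechanisms (ip4, ip6, a, mx,
include, all); modifiers such as redirect= are skipped.
"""
import ipaddress

# Constructed zone: (name, record type) -> list of answers. Hypothetical names.
ZONE = {
    ("example.kr", "TXT"): ["v=spf1 ip4:203.0.113.10 ip4:203.0.113.0/28 mx include:_spf.relay.example -all"],
    ("_spf.relay.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
    ("example.kr", "MX"): ["mx2.example.kr"],
    ("mx2.example.kr", "A"): ["203.0.113.25"],
    ("mail.example.kr", "A"): ["203.0.113.10"],
    # PTR for 203.0.113.10 names a host whose A record contains the IP again
    ("10.113.0.203.in-addr.arpa", "PTR"): ["mail.example.kr"],
    # PTR that claims to be mail.example.kr but is not confirmed by the forward lookup
    ("77.2.0.192.in-addr.arpa", "PTR"): ["mail.example.kr"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def dns(name, rtype):
    """Stand-in resolver: answers from the constructed zone, empty list if no record."""
    return ZONE.get((name.lower(), rtype), [])


def check_spf(domain, client_ip, depth=0):
    """Return the RFC 7208 result (pass/fail/softfail/neutral/none/permerror)
    of evaluating domain's SPF record for the connecting client_ip."""
    if depth > 10:                         # recursion guard in the spirit of the 10-term limit
        return "permerror"
    records = [r for r in dns(domain, "TXT") if r.lower().split(" ", 1)[0] == "v=spf1"]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"                 # a domain may publish exactly one SPF record
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        if "=" in term:
            continue                       # modifier (redirect=, exp=): not handled here
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech, _, arg = term.lstrip("+-~?").lower().partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # a mismatched address family never matches (ip4 term vs an IPv6 client)
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in dns(arg or domain, "A")
        elif mech == "mx":
            matched = any(str(ip) in dns(mx, "A") for mx in dns(arg or domain, "MX"))
        elif mech == "include":
            matched = check_spf(arg, client_ip, depth + 1) == "pass"
        else:
            return "permerror"             # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                       # nothing matched and no "all" term


def check_ptr(client_ip):
    """Forward-confirmed reverse DNS: return the PTR name whose A record leads
    back to client_ip, or None. Without the forward step, whoever controls the
    reverse zone for an IP could make it claim any hostname."""
    for name in dns(ipaddress.ip_address(client_ip).reverse_pointer, "PTR"):
        if client_ip in dns(name, "A"):
            return name
    return None
```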






[Verification]
[Per-document settings]

Each document can be configured individually with a meta tag at the top of the document.

     <meta name="robots" content="index,follow" />

With this, robots collect (index) the document.

Conversely,

     <meta name="robots" content="noindex,nofollow" />

with this setting they cannot collect it.


[Site-wide settings]

To apply a policy to the whole site, declare it in a robots.txt placed in the HTML root of the web service folder.

1. Block all crawlers

User-agent: *
Disallow: /

2. Allow all crawlers

User-agent: *
Allow: /

3. Block Googlebot (Googlebot, Googlebot-Image, Googlebot-Mobile)

User-agent: Googlebot
Disallow: /

User-agent: Googlebot-Image
Disallow: /

User-agent: Googlebot-Mobile
Disallow: /

4. Block the Naver bot

User-agent: Yeti
Disallow: /


The base environment is Nginx, PHP and MariaDB; configure the connection to Oracle 10g using pdo-oci and oci8.


1. First download the instantclient packages from the Oracle site and install them.

   ( http://www.oracle.com/technetwork/indexes/downloads/index.html#database )

   oracle-instantclient11.2-basic-11.2.0.4.0-1.x86_64.rpm
   oracle-instantclient11.2-devel-11.2.0.4.0-1.x86_64.rpm
   oracle-instantclient11.2-sqlplus-11.2.0.4.0-1.x86_64.rpm


2. Download and compile oci8.

  ( wget http://pecl.php.net/get/oci8-1.4.9.tgz  or  http://pecl.php.net/package/oci8  )

   pecl download oci8-1.4.9

tar xvzf oci8-1.4.9.tgz
cd oci8-1.4.9
phpize
./configure --with-oci8=shared,instantclient,/usr/lib/oracle/11.2/client64/lib
ln -s /usr/include/oracle/11.2/client64/ /usr/lib/oracle/11.2/client64/lib/include
make all install


3. Install the pdo_oci driver

  (attachment: pdo_oci_php7.1.tar)

  Or install it from an rpm  --> needs verification.

  Extract pdo_oci_php7.tar and compile:

tar xvf pdo_oci_php7.tar
cd pdo_oci
phpize
./configure --with-pdo-oci=instantclient,/usr,11.2
make
make install

vim /etc/php.d/pdo_oci.ini

extension=pdo_oci.so


4. Wire PHP to OCI

   echo 'extension=oci8.so' > /etc/php.d/oci8.ini

systemctl restart nginx
systemctl restart php-fpm


5. PHP.ini settings

   [oci8]
   ; oci8.statement_cache_size int
   ; Enables statement caching and sets how many statements to cache. Set the option to 0
   ; to disable statement caching.
   ;  -- Statement caching removes the need to send the statement text to the database and
   ;  -- to send the statement's metadata back to PHP again. This improves overall system
   ;  -- performance for applications that reuse statements while a connection stays open.

oci8.statement_cache_size = 0

--> Statement caching disabled.


6. Link the Oracle instantclient lib and add it to the environment file (/etc/profile)

  [root@localhost ]# ln  -s  /usr/lib/oracle/11.2/client64   /usr/lib/oracle/11.2/client

   --> This fixes the lib error raised when running sqlplus.
     e.g. ./sqlplus: error while loading shared libraries: libsqlplus.so: cannot open shared object file: No such file or directory

  [root@localhost ]# vim  /etc/profile
   # Add the Oracle libraries
   export LD_LIBRARY_PATH=/usr/lib/oracle/11.2/client64/lib
   alias sqlplus='/usr/lib/oracle/11.2/client64/bin/sqlplus'


7. Verification

  1.  [root@localhost tmp]# php -r "oci_connect();"
      PHP Warning:  oci_connect() expects at least 2 parameters, 0 given in Command line code on line 1
      PHP Stack trace:
      PHP   1. {main}() Command line code:0
      PHP   2. oci_connect() Command line code:1

     → It says oci_connect is being used incorrectly, which means PHP and the OCI module are linked.

 2. [root@localhost tmp]# sqlplus  <DB account>/<DB password>@<oracle server>:1521/<DB name>
     SQL*Plus: Release 11.2.0.4.0 Production on Wed Jan 16 18:03:03 2019
     Copyright (c) 1982, 2013, Oracle.  All rights reserved.

     Connected to:
     Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
     With the Partitioning and Real Application Clusters options

    SQL>

1. Service environment and versions.


    [Installed packages]  -->  default paths; document root (/home/webmaster/web1/html), vmail (/Disk1/vmail)

 Package / Version and items

Nginx

 Package

nginx-mod-mail-1.12.2-2.el7.x86_64
nginx-mod-http-image-filter-1.12.2-2.el7.x86_64
php72u-fpm-nginx-7.2.9-1.ius.centos7.noarch
nginx-filesystem-1.12.2-2.el7.noarch
nginx-mod-http-geoip-1.12.2-2.el7.x86_64
nginx-mod-http-xslt-filter-1.12.2-2.el7.x86_64
nginx-1.12.2-2.el7.x86_64
nginx-all-modules-1.12.2-2.el7.noarch
python2-certbot-nginx-0.26.1-1.el7.noarch
nginx-mod-http-perl-1.12.2-2.el7.x86_64
nginx-mod-stream-1.12.2-2.el7.x86_64

 configure

 1. /etc/nginx/conf.d/web1.conf

server {
        ## Configuration ##################################################
        listen 80;
        client_max_body_size    2048M;
        server_name     U.domain.com;
        root    /home/webmaster/web1/html;

        access_log      /home/webmaster/web1/logs/access.log;

        location / {
                index  index.html  index.htm  index.php;
        }

        error_page      403 404 500 502 503 504 /error.html;
        location = /error.html {
        }

        location ~ \.php$ {
                fastcgi_pass   php-fpm;
                fastcgi_index  index.php;
                fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
                include        fastcgi_params;
        }
}


2. /etc/nginx/conf.d/php-fpm.conf

# PHP-FPM FastCGI server
# network or unix domain socket configuration

upstream php-fpm {
        #server 127.0.0.1:9000;
        server unix:/run/php-fpm/www.sock;
}



PHP-FPM

 Package

php72u-xml-7.2.9-1.ius.centos7.x86_64
php72u-fpm-nginx-7.2.9-1.ius.centos7.noarch
php72u-mbstring-7.2.9-1.ius.centos7.x86_64
php72u-imap-7.2.9-1.ius.centos7.x86_64
php72u-fpm-7.2.9-1.ius.centos7.x86_64
php72u-json-7.2.9-1.ius.centos7.x86_64
php72u-pdo-7.2.9-1.ius.centos7.x86_64
php72u-opcache-7.2.9-1.ius.centos7.x86_64
php72u-common-7.2.9-1.ius.centos7.x86_64
php72u-gd-7.2.9-1.ius.centos7.x86_64
php72u-intl-7.2.9-1.ius.centos7.x86_64
php72u-mysqlnd-7.2.9-1.ius.centos7.x86_64
php72u-pecl-apcu-5.1.11-1.ius.centos7.x86_64

 configure

1. /etc/php.ini      --->  configured for the mail service; the disable_functions restriction was not applied.


[PHP]

engine = On

short_open_tag = Off
precision = 14
output_buffering = 4096

zlib.output_compression = Off

implicit_flush = Off
unserialize_callback_func =
serialize_precision = -1
disable_functions =
disable_classes =

zend.enable_gc = On

expose_php = On
max_execution_time = 30
max_input_time = 3600
memory_limit = 5120M
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
display_errors = Off
display_startup_errors = Off
log_errors = On
log_errors_max_len = 1024
ignore_repeated_errors = Off
ignore_repeated_source = Off
report_memleaks = On
track_errors = Off
html_errors = On
variables_order = "GPCS"
request_order = "GP"
register_argc_argv = Off
auto_globals_jit = On
post_max_size = 4096M
auto_prepend_file =
auto_append_file =
default_mimetype = "text/html"
default_charset = "UTF-8"
doc_root =
user_dir =
enable_dl = Off

file_uploads = On

upload_tmp_dir = /tmp

upload_max_filesize = 3072M

max_file_uploads = 20

allow_url_fopen = On

allow_url_include = Off

default_socket_timeout = 60

[CLI Server]

cli_server.color = On
[Date]
date.timezone = Asia/Seoul;
[filter]
[iconv]
[intl]
[sqlite3]
[Pcre]

pcre.jit=0

[Pdo]
[Pdo_mysql]
pdo_mysql.cache_size = 2000

pdo_mysql.default_socket=

[Phar]
[mail function]
sendmail_path = /usr/sbin/sendmail -t -i
mail.add_x_header = On
[ODBC]
odbc.allow_persistent = On
odbc.check_persistent = On
odbc.max_persistent = -1
odbc.max_links = -1
odbc.defaultlrl = 4096
odbc.defaultbinmode = 1
[Interbase]

ibase.allow_persistent = 1

ibase.max_persistent = -1
ibase.max_links = -1
ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
ibase.dateformat = "%Y-%m-%d"
ibase.timeformat = "%H:%M:%S"
[MySQLi]
mysqli.max_persistent = -1
mysqli.allow_persistent = On
mysqli.max_links = -1
mysqli.cache_size = 2000
mysqli.default_port = 3306
mysqli.default_socket =
mysqli.default_host =
mysqli.default_user =
mysqli.default_pw =
mysqli.reconnect = Off
[mysqlnd]
mysqlnd.collect_statistics = On
mysqlnd.collect_memory_statistics = Off

[PostgreSQL]

pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off
pgsql.max_persistent = -1
pgsql.max_links = -1
pgsql.ignore_notice = 0
pgsql.log_notice = 0
[bcmath]
bcmath.scale = 0
[browscap]
[Session]
session.save_handler = files
session.use_strict_mode = 0

session.use_cookies = 1

session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly =
session.serialize_handler = php
session.gc_probability = 1
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.referer_check =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.sid_length = 26
session.trans_sid_tags = "a=href,area=href,frame=src,form="
session.sid_bits_per_character = 5
[Assertion]
zend.assertions = -1

[mbstring]

[gd]
[exif]

[Tidy]

tidy.clean_output = Off
[soap]
soap.wsdl_cache_enabled=1
soap.wsdl_cache_dir="/tmp"
soap.wsdl_cache_ttl=86400
soap.wsdl_cache_limit = 5
[sysvshm]
[ldap]
ldap.max_links = -1
[dba]
[curl]
[openssl]


2. /etc/php-fpm.d/www.conf   --->  service settings

;listen = 127.0.0.1:9000
listen = /run/php-fpm/www.sock
listen.acl_users = nginx


 Postfix

 Package

postfix32u-mysql-3.2.5-2.ius.centos7.x86_64
postfix32u-sqlite-3.2.5-2.ius.centos7.x86_64
postfix32u-debuginfo-3.2.5-2.ius.centos7.x86_64
postfix32u-3.2.5-2.ius.centos7.x86_64
postfix32u-cdb-3.2.5-2.ius.centos7.x86_64
postfix32u-perl-scripts-3.2.5-2.ius.centos7.x86_64
postfix32u-pcre-3.2.5-2.ius.centos7.x86_64
postfix32u-ldap-3.2.5-2.ius.centos7.x86_64
postfix32u-pgsql-3.2.5-2.ius.centos7.x86_64

 configure

1. /etc/postfix/main.cf



# --------------------
# INSTALL-TIME CONFIGURATION INFORMATION
#
# location of the Postfix queue. Default is /var/spool/postfix.
queue_directory = /var/spool/postfix

# location of all postXXX commands. Default is /usr/sbin.
command_directory = /usr/sbin

# location of all Postfix daemon programs (i.e. programs listed in the
# master.cf file). This directory must be owned by root.
# Default is /usr/libexec/postfix
daemon_directory = /usr/libexec/postfix

# location of Postfix-writable data files (caches, random numbers).
# This directory must be owned by the mail_owner account (see below).
# Default is /var/lib/postfix.
data_directory = /var/lib/postfix

# owner of the Postfix queue and of most Postfix daemon processes.
# Specify the name of a user account THAT DOES NOT SHARE ITS USER OR GROUP ID
# WITH OTHER ACCOUNTS AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM.
# In particular, don't specify nobody or daemon. PLEASE USE A DEDICATED USER.
# Default is postfix.
mail_owner = postfix

# The following parameters are used when installing a new Postfix version.
#
# sendmail_path: The full pathname of the Postfix sendmail command.
# This is the Sendmail-compatible mail posting interface.
#
sendmail_path = /usr/sbin/sendmail.postfix

# newaliases_path: The full pathname of the Postfix newaliases command.
# This is the Sendmail-compatible command to build alias databases.
#
newaliases_path = /usr/bin/newaliases.postfix

# full pathname of the Postfix mailq command.  This is the Sendmail-compatible
# mail queue listing command.
mailq_path = /usr/bin/mailq.postfix

# group for mail submission and queue management commands.
# This must be a group name with a numerical group ID that is not shared with
# other accounts, not even with the Postfix account.
setgid_group = postdrop

# external command that is executed when a Postfix daemon program is run with
# the -D option.
#
# Use "command .. & sleep 5" so that the debugger can attach before
# the process marches on. If you use an X-based debugger, be sure to
# set up your XAUTHORITY environment variable before starting Postfix.
#
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5

debug_peer_level = 2

# --------------------
# CUSTOM SETTINGS
#

# SMTP server response code when recipient or domain not found.
unknown_local_recipient_reject_code = 550

# Do not notify local user.
biff = no

# Disable the rewriting of "site!user" into "user@site".
swap_bangpath = no

# Disable the rewriting of the form "user%domain" to "user@domain".
allow_percent_hack = no

# Allow recipient address start with '-'.
allow_min_user = no

# Disable the SMTP VRFY command. This stops some techniques used to
# harvest email addresses.
disable_vrfy_command = yes

# Enable both IPv4 and/or IPv6: ipv4, ipv6, all.
inet_protocols = all

# Enable all network interfaces.
inet_interfaces = all

#
# TLS settings.
#
# SSL key, certificate, CA
#
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
#smtpd_tls_CAfile = /etc/pki/tls/certs/iRedMail.crt
#smtpd_tls_CApath = /etc/pki/tls/certs

#
# Disable SSLv2, SSLv3
#
smtpd_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_protocols = !SSLv2 !SSLv3
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
lmtp_tls_protocols = !SSLv2 !SSLv3
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3

#
# Fix 'The Logjam Attack'.
#
# (cipher name corrected: EDH-RSA-DES-CBC3-SHA; a misspelled name excludes nothing)
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_dh512_param_file = /etc/pki/tls/dh512_param.pem
smtpd_tls_dh1024_param_file = /etc/pki/tls/dh2048_param.pem

tls_random_source = dev:/dev/urandom

# Log only a summary message on TLS handshake completion — no logging of client
# certificate trust-chain verification errors if client certificate
# verification is not required. With Postfix 2.8 and earlier, log the summary
# message, peer certificate summary information and unconditionally log
# trust-chain verification errors.
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1

# Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do
# not require that clients use TLS encryption.
smtpd_tls_security_level = may

# Produce `Received:` message headers that include information about the
# protocol and cipher used, as well as the remote SMTP client CommonName and
# client certificate issuer CommonName.
# This is disabled by default, as the information may be modified in transit
# through other mail servers. Only information that was recorded by the final
# destination can be trusted.
#smtpd_tls_received_header = yes

# Opportunistic TLS, used when Postfix sends email to remote SMTP server.
# Use TLS if this is supported by the remote SMTP server, otherwise use
# plaintext.
# References:
#   - http://www.postfix.org/TLS_README.html#client_tls_may
#   - http://www.postfix.org/postconf.5.html#smtp_tls_security_level
smtp_tls_security_level = may

# Use the same CA file as smtpd.
smtp_tls_CApath = /etc/pki/tls/certs
smtp_tls_CAfile = $smtpd_tls_CAfile
smtp_tls_note_starttls_offer = yes

# Enable long, non-repeating, queue IDs (queue file names).
# The benefit of non-repeating names is simpler logfile analysis and easier
# queue migration (there is no need to run "postsuper" to change queue file
# names that don't match their message file inode number).
#enable_long_queue_ids = yes

# Reject unlisted sender and recipient
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes

# Header and body checks with PCRE table
#header_checks = pcre:/etc/postfix/header_checks
#body_checks = pcre:/etc/postfix/body_checks.pcre

# A mechanism to transform commands from remote SMTP clients.
# This is a last-resort tool to work around client commands that break
# interoperability with the Postfix SMTP server. Other uses involve fault
# injection to test Postfix's handling of invalid commands.
# Requires Postfix-2.7+.
#smtpd_command_filter = pcre:/etc/postfix/command_filter.pcre

# HELO restriction
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    check_helo_access pcre:/etc/postfix/helo_access.pcre
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname

# Sender restrictions
smtpd_sender_restrictions =
    #reject_unknown_sender_domain
    reject_non_fqdn_sender
    reject_unlisted_sender
    permit_mynetworks
    permit_sasl_authenticated
    check_sender_access pcre:/etc/postfix/sender_access.pcre

# Recipient restrictions
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient
    reject_unlisted_recipient
    #check_policy_service inet:127.0.0.1:7777
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination

# END-OF-MESSAGE restrictions
# smtpd_end_of_data_restrictions =
    # check_policy_service inet:127.0.0.1:7777

# Data restrictions
smtpd_data_restrictions = reject_unauth_pipelining

proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions $sender_dependent_relayhost_maps

# Avoid duplicate recipient messages. Default is 'yes'.
enable_original_recipient = no

# Virtual support.
virtual_minimum_uid = 2000
virtual_uid_maps = static:2000
virtual_gid_maps = static:2000
virtual_mailbox_base = /Disk1/vmail

# Do not set virtual_alias_domains.
virtual_alias_domains =

#
# Enable SASL authentication on port 25 and force TLS-encrypted SASL authentication.
# WARNING: NOT RECOMMENDED to enable smtp auth on port 25, all end users should
#          be forced to submit email through port 587 instead.
#
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = no

# hostname
myhostname = smtp.mailu.kr
myorigin = smtp.mailu.kr
mydomain = smtp.mailu.kr

# trusted SMTP clients which are allowed to relay mail through Postfix.
#
# Note: additional IP addresses/networks listed in mynetworks should be listed
#       in iRedAPD setting 'MYNETWORKS' (in `/opt/iredapd/settings.py`) too.
#       for example:
#
#       MYNETWORKS = ['xx.xx.xx.xx', 'xx.xx.xx.0/24', ...]
#
mynetworks = 127.0.0.1 [::1]

# Accepted local emails
mydestination = $myhostname, localhost, localhost.localdomain

alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases

# Default message_size_limit.
message_size_limit = 524288000
mailbox_size_limit = 629145600

# The set of characters that can separate a user name from its extension
# (example: user+foo), or a .forward file name from its extension (example:
# .forward+foo).
# Postfix 2.11 and later supports multiple characters.
recipient_delimiter = +

# The time after which the sender receives a copy of the message headers of
# mail that is still queued. Default setting is disabled (0h) by Postfix.
#delay_warning_time = 1h
#
# Lookup virtual mail accounts
#
transport_maps =
    proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf
    proxy:mysql:/etc/postfix/mysql/transport_maps_maillist.cf
    proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf

sender_dependent_relayhost_maps =
    proxy:mysql:/etc/postfix/mysql/sender_dependent_relayhost_maps.cf

# Lookup table with the SASL login names that own the sender (MAIL FROM) addresses.
smtpd_sender_login_maps =
    proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf

virtual_mailbox_domains =
    proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf

relay_domains =
    $mydestination
    proxy:mysql:/etc/postfix/mysql/relay_domains.cf

virtual_mailbox_maps =
    proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf

virtual_alias_maps =
    proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf
    proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf
    proxy:mysql:/etc/postfix/mysql/catchall_maps.cf
    proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf

sender_bcc_maps =
    proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf
    proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf

recipient_bcc_maps =
    proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf
    proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf

#
# Postscreen
#
postscreen_greet_action = drop
postscreen_blacklist_action = drop
postscreen_dnsbl_action = drop
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_sites =
    zen.spamhaus.org=127.0.0.[2..11]*3
    b.barracudacentral.org=127.0.0.2*2

postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr

# Require Postfix-2.11+
#postscreen_dnsbl_whitelist_threshold = -2
#
# Dovecot SASL support.
#
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

#
# mlmmj - mailing list manager
#
#mlmmj_destination_recipient_limit = 1

#
# Amavisd + SpamAssassin + ClamAV
#
#content_filter = smtp-amavis:[127.0.0.1]:10024

# Concurrency per recipient limit.
#smtp-amavis_destination_recipient_limit = 1
meta_directory = /etc/postfix
sample_directory = /usr/share/doc/postfix32u-3.2.5/samples
readme_directory = /usr/share/doc/postfix32u-3.2.5/README_FILES
manpage_directory = /usr/share/man
html_directory = no
shlib_directory = /usr/lib64/postfix



2. /etc/postfix/master.cf

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
#smtp      inet  n       -       -       -       -       smtpd
smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy
#submission inet n       -       n       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       n       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       n       -       -       qmqpd
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
#maildrop  unix  -       n       n       -       -       pipe
#  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
#
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
#uucp      unix  -       n       n       -       -       pipe
#  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# ====================================================================
#
# Other external delivery methods.
#
#ifmail    unix  -       n       n       -       -       pipe
#  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#
#bsmtp     unix  -       n       n       -       -       pipe
#  flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#
#scalemail-backend unix -       n       n       -       2       pipe

#  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store

#  ${nexthop} ${user} ${extension}

#

#mailman   unix  -       n       n       -       -       pipe

#  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py

#  ${nexthop} ${user}

# Submission, port 587, force TLS connection.

submission inet n       -       n       -       -       smtpd

  -o syslog_name=postfix/submission

  -o smtpd_tls_security_level=encrypt

  -o smtpd_sasl_auth_enable=yes

  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

  #-o content_filter=smtp-amavis:[127.0.0.1]:10026


# Use dovecot's `deliver` program as LDA.

dovecot unix    -       n       n       -       -      pipe

    flags=DRh user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${user}@${domain} -m ${extension}


# mlmmj - mailing list manager

# ${nexthop} is '%d/%u' in transport ('mlmmj:%d/%u')

#mlmmj   unix  -       n       n       -       -       pipe

#    flags=ORhu user=mlmmj:mlmmj argv=/usr/bin/mlmmj-amime-receive -L /var/vmail/mlmmj/${nexthop}


# Amavisd integration.

#smtp-amavis unix -  -   n   -   1  smtp

#    -o syslog_name=postfix/amavis

#    -o smtp_data_done_timeout=1200

#    -o smtp_send_xforward_command=yes

#    -o disable_dns_lookups=yes

#    -o max_use=20


127.0.0.1:10025 inet n  -   n   -   -  smtpd

    -o syslog_name=postfix/10025

    -o content_filter=

    -o mynetworks_style=host

    -o mynetworks=127.0.0.0/8

    -o local_recipient_maps=

    -o relay_recipient_maps=

    -o strict_rfc821_envelopes=yes

    -o smtp_tls_security_level=none

    -o smtpd_tls_security_level=none

    -o smtpd_restriction_classes=

    -o smtpd_delay_reject=no

    -o smtpd_client_restrictions=permit_mynetworks,reject

    -o smtpd_helo_restrictions=

    -o smtpd_sender_restrictions=

    -o smtpd_recipient_restrictions=permit_mynetworks,reject

    -o smtpd_end_of_data_restrictions=

    -o smtpd_error_sleep_time=0

    -o smtpd_soft_error_limit=1001

    -o smtpd_hard_error_limit=1000

    -o smtpd_client_connection_count_limit=0

    -o smtpd_client_connection_rate_limit=0

    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings



3. /etc/postfix/body_checks.pcre


4. /etc/postfix/helo_access.pcre

  

#---------------------------------------------------------------------

# This file is part of iRedMail, which is an open source mail server

# solution for Red Hat(R) Enterprise Linux, CentOS, Debian and Ubuntu.

#

# iRedMail is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# iRedMail is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with iRedMail.  If not, see <http://www.gnu.org/licenses/>.

#---------------------------------------------------------------------


#

# Sample Postfix check_helo_access rule. It should be located at:

#   /etc/postfix/check_helo_access.pcre

#

# Shipped within iRedMail project:

#   * http://www.iredmail.org/


# Prepend HELO hostname of sender server

#/(.*)/ PREPEND X-Original-Helo: $1 (iRedMail: http://www.iredmail.org/)


# No one will use these in helo command.

/^(localhost)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/^(localhost.localdomain)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(\.local)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})


# Reject who use IP address as helo.

# Correct:      [xxx.xxx.xxx.xxx]

# Incorrect:    xxx.xxx.xxx.xxx

/^([0-9\.]+)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server sent non RFC compliant HELO identity (${1})


#

# This is the real HELO identify of these ISPs:

#   sohu.com    websmtp.sohu.com relay2nd.mail.sohu.com

#   126.com     m15-78.126.com

#   163.com     m31-189.vip.163.com m13-49.163.com

#   sina.com    mail2-209.sinamail.sina.com.cn

#   gmail.com   xx-out-NNNN.google.com

/^(126\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})

/^(163\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})

/^(163\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})

/^(sohu\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})

/^(gmail\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})

/^(google\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})

/^(yahoo\.com\.cn)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})

/^(yahoo\.co\.jp)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})

#

# Spammers.

#

/^(728154EA470B4AA\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(taj-co\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(CF8D3DB045C1455\.net)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(dsgsfdg\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(se\.nit7-ngbo\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(mail\.goo\.ne\.jp)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(n-ong_an\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(meqail\.teamefs-ine5tl\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(zzg\.jhf-sp\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(din_glo-ng\.net)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(fda-cnc\.ie\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(yrtaj-yrco\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(m\.am\.biz\.cn)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(xr_haig\.roup\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(hjn\.cn)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(we_blf\.com\.cn)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(netvigator\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(mysam\.biz)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(mail\.teams-intl\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(seningbo\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(nblf\.com\.cn)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(kdn\.ktguide\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(zzsp\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(nblongan\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(dpu\.cn)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(nbalton\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(cncie\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(xinhaigroup\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/^(wz\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/(\.zj\.cn)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})

/(\.kornet)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})


/^(dsldevice\.lan)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/^(system\.mail)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/^(speedtouch\.lan)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/^(dsldevice\.lan)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})


#

# Reject adsl spammers.

#

# match word `adsl` with word boundary `\b`.

/(\badsl\b)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})


# bypass "[IP_ADDRESS]"

/^\[(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]$/ DUNNO


# bypass some HELOs which contains IP address

/^o\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\.outbound-mail\.sendgrid\.net$/ DUNNO

# reject HELO which contains IP address

/(\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3})/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})

/(\d{1,3}\.ip\.-\d{1,3}-\d{1,3}-\d{1,3}\.eu)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})

/(pppoe)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})

/(dsl\.brasiltelecom\.net\.br)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})

/(dsl\.optinet\.hr)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})

/(dsl\.telesp\.net\.br)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})

/(dialup)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})

/(dhcp)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})

/(static-pool-[\d\.-]*\.flagman\.zp\.ua)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})


/(speedy\.com\.ar)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})

/(speedyterra\.com\.br)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})

/(static\.sbb\.rs)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})

/(static\.vsnl\.net\.in)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})


/(advance\.com\.ar)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(airtelbroadband\.in)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(bb\.netvision\.net\.il)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(broadband3\.iol\.cz)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(cable\.net\.co)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(catv\.broadband\.hu)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(chello\.nl)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(chello\.sk)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(client\.mchsi\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(comunitel\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(coprosys\.cz)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(dclient\.hispeed\.ch)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(dip0\.t-ipconnect\.de)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(domain\.invalid)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(dyn\.centurytel\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(embarqhsd\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(emcali\.net\.co)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(epm\.net\.co)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(eutelia\.it)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(fibertel\.com\.ar)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(freedom2surf\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(hgcbroadband\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(HINET-IP\.hinet\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(infonet\.by)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(is74\.ru)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(kievnet\.com\.ua)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(metrotel\.net\.co)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(nw\.nuvox\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(pldt\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(pool\.invitel\.hu)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(pool\.ukrtel\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(pools\.arcor-ip\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(pppoe\.avangarddsl\.ru)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(retail\.telecomitalia\.it)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(revip2\.asianet\.co\.th)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(tim\.ro)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(tsi\.tychy\.pl)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(ttnet\.net\.tr)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(tttmaxnet\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(user\.veloxzone\.com\.br)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(utk\.ru)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(veloxzone\.com\.br)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(virtua\.com\.br)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(wanamaroc\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(wbt\.ru)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(wireless\.iaw\.on\.ca)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(business\.telecomitalia\.it)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(cotas\.com\.bo)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(marunouchi\.tokyo\.ocn\.ne\.jp)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(amedex\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/(aageneva\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

/^ylmf-pc/ REJECT ACCESS DENIED
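The rules above are consulted first match wins, matching is case-insensitive unless a pattern carries the `i` flag, and `${1}` in the action text is replaced by the captured group. The following added example (not part of this page or of iRedMail) parses a constructed subset of those rules in pcre_table(5) format and runs sample HELO names through them, which makes visible why the two DUNNO bypass lines must sit before the generic "contains an IP address" rule.

```python
"""Offline check of check_helo_access.pcre style rules.

Added example, not the page's or iRedMail's code. It parses pcre_table(5)
lines ('/pattern/flags result', optional leading '!'), evaluates them first
match wins as smtpd's check_helo_access does, and expands $1 / ${1} / $(1)
in the result text. RULES_TEXT is a constructed subset of the page's rules,
kept in the page's order.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

RULES_TEXT = r"""
# No one will use these in helo command.
/^(localhost)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
/(\.local)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
/^([0-9\.]+)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server sent non RFC compliant HELO identity (${1})
/^(gmail\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})
/(\badsl\b)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
# bypass "[IP_ADDRESS]" and one known sender before the generic IP rule
/^\[(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]$/ DUNNO
/^o\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\.outbound-mail\.sendgrid\.net$/ DUNNO
/(\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3})/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
/(HINET-IP\.hinet\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
/^ylmf-pc/ REJECT ACCESS DENIED
"""


class Rule(NamedTuple):
    negate: bool
    regex: re.Pattern
    result: str
    source: str  # original line, kept for reporting


# '!' optional, '/pattern/' with backslash escapes allowed, flags, result.
RULE_LINE = re.compile(r"^(!?)/((?:\\.|[^/])*)/([A-Za-z]*)\s+(.*)$")


def parse_pcre_table(text: str) -> List[Rule]:
    """Parse pcre_table(5) lines; blank lines and '#' comments are skipped.
    Flags follow the man page: matching is case-insensitive by default and
    'i' toggles that; 'm', 's' and 'x' map onto the corresponding re flags."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable pcre_table line: {raw!r}")
        negate, pattern, flags, result = m.groups()
        re_flags = 0 if "i" in flags else re.IGNORECASE
        if "m" in flags:
            re_flags |= re.MULTILINE
        if "s" in flags:
            re_flags |= re.DOTALL
        if "x" in flags:
            re_flags |= re.VERBOSE
        rules.append(Rule(negate == "!", re.compile(pattern, re_flags), result.strip(), line))
    return rules


def expand_result(result: str, match: Optional[re.Match]) -> str:
    """Replace $1, ${1} and $(1) in the action text with captured groups;
    a reference to a group that does not exist expands to nothing."""
    def sub(m: re.Match) -> str:
        idx = int(next(g for g in m.groups() if g is not None))
        if match is None or idx < 1 or idx > match.re.groups:
            return ""
        return match.group(idx) or ""
    return re.sub(r"\$\{(\d+)\}|\$\((\d+)\)|\$(\d+)", sub, result)


def check_helo(helo: str, rules: List[Rule]) -> Tuple[Optional[str], str, Optional[int]]:
    """First-match evaluation of a HELO name against the parsed rules.
    Returns (action, expanded text, index of the matching rule); action is
    None when no rule matches, in which case smtpd simply moves on to the
    next restriction. A DUNNO result also stops the table lookup."""
    for i, rule in enumerate(rules):
        m = rule.regex.search(helo)  # patterns are not anchored implicitly
        if bool(m) == rule.negate:
            continue
        action, _, text = rule.result.partition(" ")
        return action.upper(), expand_result(text, None if rule.negate else m), i
    return None, "", None


if __name__ == "__main__":
    parsed = parse_pcre_table(RULES_TEXT)
    for name in ["localhost", "1.2.3.4", "[1.2.3.4]",
                 "o1-2-3-4.outbound-mail.sendgrid.net",
                 "host-10-0-0-1.example.net", "GMAIL.COM", "mail.example.com"]:
        print(f"{name:40} -> {check_helo(name, parsed)}")
```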



5. /etc/postfix/postscreen_access.cidr


# Rules are evaluated in the order as specified.

#1.2.3.4 permit

#2.3.4.5 reject


# Permit local clients

127.0.0.0/8 permit



6. /etc/postfix/postscreen_dnsbl_reply


7. /etc/postfix/sender_access.pcre


8. /etc/postfix/mysql/catchall_maps.cf


hosts       = 127.0.0.1:3306

user        = vmail 

password    = rladudrl

dbname      = vmail

query       = SELECT forwardings.forwarding FROM forwardings,domain WHERE forwardings.address='%d' AND '%u' NOT LIKE '%%+%%' AND forwardings.address=domain.domain AND forwardings.active=1 AND domain.active=1 AND domain.backupmx=0



9. /etc/postfix/mysql/domain_alias_catchall_maps.cf


hosts       = 127.0.0.1:3306

user        = vmail 

password    = rladudrl

dbname      = vmail

query       = SELECT forwardings.forwarding FROM forwardings,alias_domain,domain WHERE alias_domain.alias_domain='%d' AND forwardings.address=alias_domain.target_domain AND alias_domain.target_domain=domain.domain AND forwardings.active=1 AND alias_domain.active=1



10. /etc/postfix/mysql/domain_alias_maps.cf


hosts       = 127.0.0.1:3306

user        = vmail 

password    = rladudrl

dbname      = vmail

query       = SELECT forwardings.forwarding FROM forwardings,alias_domain,domain WHERE alias_domain.alias_domain='%d' AND forwardings.address=alias_domain.target_domain AND alias_domain.target_domain=domain.domain AND forwardings.active=1 AND alias_domain.active=1


11. /etc/postfix/mysql/recipient_bcc_maps_domain.cf


hosts       = 127.0.0.1:3306

user        = vmail

password    = rladudrl 

dbname      = vmail

query       = SELECT bcc_address FROM recipient_bcc_domain WHERE domain='%d' AND active=1



12. /etc/postfix/mysql/recipient_bcc_maps_user.cf


hosts       = 127.0.0.1:3306

user        = vmail 

password    = rladudrl

dbname      = vmail

query       = SELECT recipient_bcc_user.bcc_address FROM recipient_bcc_user,domain WHERE recipient_bcc_user.username='%s' AND recipient_bcc_user.domain='%d' AND recipient_bcc_user.domain=domain.domain AND domain.backupmx=0 AND domain.active=1 AND recipient_bcc_user.active=1



13. /etc/postfix/mysql/relay_domains.cf


hosts       = 127.0.0.1:3306

user        = vmail

password    = rladudrl 

dbname      = vmail

query       = (SELECT domain

                 FROM domain

                WHERE domain='%s'

                      AND backupmx=1

                      AND active=1

                LIMIT 1)

                UNION

              (SELECT alias_domain.target_domain

                 FROM alias_domain, domain

                WHERE alias_domain.alias_domain='%s'

                      AND alias_domain.target_domain=domain.domain

                      AND domain.backupmx=1

                      AND domain.active=1

                LIMIT 1)


14. /etc/postfix/mysql/sender_bcc_maps_domain.cf


hosts       = 127.0.0.1:3306

user        = vmail

password    = rladudrl

dbname      = vmail

query       = SELECT bcc_address FROM sender_bcc_domain WHERE domain='%d' AND active=1


15. /etc/postfix/mysql/sender_bcc_maps_user.cf


hosts       = 127.0.0.1:3306

user        = vmail 

password    = rladudrl

dbname      = vmail

query       = SELECT sender_bcc_user.bcc_address FROM sender_bcc_user,domain WHERE sender_bcc_user.username='%s' AND sender_bcc_user.domain='%d' AND sender_bcc_user.domain=domain.domain AND domain.backupmx=0 AND domain.active=1 AND sender_bcc_user.active=1


16. /etc/postfix/mysql/sender_dependent_relayhost_maps.cf


hosts       = 127.0.0.1:3306

user        = vmail

password    = rladudrl 

dbname      = vmail

# '%s' will be replaced by the envelope sender address or @domain.

query       = SELECT relayhost FROM sender_relayhost WHERE account='%s' LIMIT 1



17. /etc/postfix/mysql/sender_login_maps.cf


hosts       = 127.0.0.1:3306

user        = vmail

password    = rladudrl 

dbname      = vmail

query       = SELECT mailbox.username FROM mailbox,domain WHERE mailbox.username='%s' AND mailbox.domain='%d' AND mailbox.domain=domain.domain AND mailbox.enablesmtp=1 AND mailbox.active=1 AND domain.backupmx=0 AND domain.active=1



18. /etc/postfix/mysql/transport_maps_domain.cf


hosts       = 127.0.0.1:3306

user        = vmail 

password    = rladudrl

dbname      = vmail

query       = SELECT transport FROM domain WHERE domain='%s' AND active=1


19. /etc/postfix/mysql/transport_maps_maillist.cf


hosts       = 127.0.0.1:3306

user        = vmail

password    = rladudrl

dbname      = vmail

query       = SELECT maillists.transport FROM maillists,domain WHERE maillists.address='%s' AND maillists.active=1 AND maillists.domain = domain.domain AND domain.active=1



20. /etc/postfix/mysql/transport_maps_user.cf


hosts       = 127.0.0.1:3306

user        = vmail

password    = rladudrl 

dbname      = vmail

query       = SELECT mailbox.transport FROM mailbox,domain WHERE mailbox.username='%s' AND mailbox.domain='%d' AND mailbox.domain=domain.domain AND mailbox.transport<>'' AND mailbox.active=1 AND mailbox.enabledeliver=1 AND domain.backupmx=0 AND domain.active=1


21. /etc/postfix/mysql/virtual_alias_maps.cf


hosts       = 127.0.0.1:3306

user        = vmail

password    = rladudrl 

dbname      = vmail

query       = SELECT forwardings.forwarding FROM forwardings,domain WHERE forwardings.address='%s' AND forwardings.domain=domain.domain AND forwardings.active=1 AND domain.backupmx=0 AND domain.active=1


22. /etc/postfix/mysql/virtual_mailbox_domains.cf


hosts       = 127.0.0.1:3306

user        = vmail

password    = rladudrl 

dbname      = vmail

query       = SELECT domain FROM domain WHERE domain='%s' AND backupmx=0 AND active=1 UNION SELECT alias_domain.alias_domain FROM alias_domain,domain WHERE alias_domain.alias_domain='%s' AND alias_domain.active=1 AND alias_domain.target_domain=domain.domain AND domain.active=1 AND domain.backupmx=0


23. /etc/postfix/mysql/virtual_mailbox_maps.cf


hosts       = 127.0.0.1:3306

user        = vmail

password    = rladudrl 

dbname      = vmail

query       = SELECT CONCAT(mailbox.storagenode, '/', mailbox.maildir, '/Maildir/') FROM mailbox,domain WHERE mailbox.username='%s' AND mailbox.active=1 AND mailbox.enabledeliver=1 AND domain.domain = mailbox.domain AND domain.active=1
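Every map file in sections 8 to 23 relies on the same substitution convention from mysql_table(5): `%s` is the whole lookup key, `%u` its local part, `%d` its domain part and `%%` a literal `%`. The following added example (not the page's or iRedMail's code) implements that expansion in Python, renders the catch-all query of section 8 for a few keys, and runs the result against a throwaway SQLite copy of the two tables it touches; the table rows are constructed and SQLite only stands in for MySQL here.

```python
"""Render and run the catch-all query from /etc/postfix/mysql/catchall_maps.cf.

Added example, not the page's or iRedMail's code. expand_query() applies the
%s / %u / %d / %% rules of Postfix's mysql_table(5); the quoting mimics what
the MySQL client's escaping routine does to quotes and backslashes. The
sample rows and SQLite database are constructed for the demonstration.
"""
import sqlite3
from typing import List, Optional

# The query from section 8, verbatim.
CATCHALL_QUERY = (
    "SELECT forwardings.forwarding FROM forwardings,domain "
    "WHERE forwardings.address='%d' AND '%u' NOT LIKE '%%+%%' "
    "AND forwardings.address=domain.domain AND forwardings.active=1 "
    "AND domain.active=1 AND domain.backupmx=0"
)


def sql_quote(value: str) -> str:
    """Postfix escapes every substituted value before it enters the query;
    backslash and single quote are the characters that matter (MySQL style)."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def expand_query(template: str, key: str) -> Optional[str]:
    """Expand one mysql_table(5) query for one lookup key.

    %s -> whole key, %u -> local part (the whole key when there is no '@'),
    %d -> domain part, %% -> literal '%'. As in Postfix, %d with a key that
    has no domain part suppresses the query entirely (returns None).
    """
    user, at, domain = key.rpartition("@")  # Postfix splits at the last '@'
    out = []
    i = 0
    while i < len(template):
        if template[i] != "%":
            out.append(template[i])
            i += 1
            continue
        spec = template[i + 1:i + 2]
        i += 2
        if spec == "%":
            out.append("%")
        elif spec == "s":
            out.append(sql_quote(key))
        elif spec == "u":
            out.append(sql_quote(user if at else key))
        elif spec == "d":
            if not at:
                return None
            out.append(sql_quote(domain))
        else:
            raise ValueError(f"unsupported expansion %{spec}")
    return "".join(out)


def make_demo_db() -> sqlite3.Connection:
    """Constructed minimal copy of the vmail `domain` and `forwardings` tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE domain (domain TEXT, active INTEGER, backupmx INTEGER);
        CREATE TABLE forwardings (address TEXT, forwarding TEXT, domain TEXT, active INTEGER);
        INSERT INTO domain VALUES ('a.com', 1, 0), ('old.example', 0, 0);
        -- a catch-all row: its address is the bare domain, not user@domain
        INSERT INTO forwardings VALUES ('a.com', 'catchall@a.com', 'a.com', 1);
        INSERT INTO forwardings VALUES ('old.example', 'someone@a.com', 'old.example', 1);
    """)
    return db


def catchall_lookup(db: sqlite3.Connection, key: str) -> List[str]:
    """What Postfix would get back for this key: [] when no row matches or
    the query was suppressed."""
    sql = expand_query(CATCHALL_QUERY, key)
    if sql is None:
        return []
    return [row[0] for row in db.execute(sql)]


if __name__ == "__main__":
    demo = make_demo_db()
    for k in ["nobody@a.com", "nobody+tag@a.com", "nobody@old.example", "postmaster"]:
        print(f"{k:22} -> {expand_query(CATCHALL_QUERY, k)}")
        print(f"{'':22}    rows: {catchall_lookup(demo, k)}")
```

Plus-addressed keys never reach the catch-all because `'%u' NOT LIKE '%%+%%'` becomes `'nobody+tag' NOT LIKE '%+%'`, which is false for them.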



Dovecot

Package

dovecot22u-devel-2.2.35-1.ius.centos7.x86_64
dovecot22u-mysql-2.2.35-1.ius.centos7.x86_64
dovecot22u-pigeonhole-2.2.35-1.ius.centos7.x86_64
dovecot22u-2.2.35-1.ius.centos7.x86_64

configure


1. /etc/dovecot/dovecot-master-users



2. /etc/dovecot/dovecot-mysql.conf


driver = mysql

default_pass_scheme = SHA512-CRYPT

connect = host=127.0.0.1 port=3306 dbname=vmail user=vmail password=*********


# Required by doveadm tools which require to list all mail users.

iterate_query = SELECT username AS user FROM mailbox


password_query = SELECT mailbox.password, mailbox.allow_nets \

        FROM mailbox,domain \

       WHERE mailbox.username='%u' \

             AND mailbox.`enable%Ls%Lc`=1 \

             AND mailbox.active=1 \

             AND mailbox.domain=domain.domain \

             AND domain.backupmx=0 \

             AND domain.active=1


user_query = SELECT \

            '%u' AS master_user, \

            CONCAT(mailbox.storagebasedirectory, '/', mailbox.storagenode, '/', mailbox.maildir) AS home, \

            CONCAT('*:bytes=', mailbox.quota*1048576) AS quota_rule \

        FROM mailbox,domain \

       WHERE mailbox.username='%u' \

             AND mailbox.`enable%Ls%Lc`=1 \

             AND mailbox.active=1 \

             AND mailbox.domain=domain.domain \

             AND domain.backupmx=0 \

             AND domain.active=1



3. /etc/dovecot/dovecot-share-folder.conf


connect = host=127.0.0.1 port=3306 dbname=vmail user=vmail password=********

map {

    pattern = shared/shared-boxes/user/$to/$from

    table = share_folder

    value_field = dummy


    fields {

        from_user = $from

        to_user = $to

    }

}


# To share mailbox to anyone, please uncomment 'acl_anyone = allow' in

# dovecot.conf

map {

    pattern = shared/shared-boxes/anyone/$from

    table = anyone_shares

    value_field = dummy

    fields {

        from_user = $from

    }

}



4. /etc/dovecot/dovecot-used-quota.conf


connect = host=127.0.0.1 port=3306 dbname=vmail user=vmail password=**********

map {

    pattern = priv/quota/storage

    table = used_quota

    username_field = username

    value_field = bytes

}

map {

    pattern = priv/quota/messages

    table = used_quota

    username_field = username

    value_field = messages

}



5. /etc/dovecot/dovecot.conf


# More details about Dovecot settings:

#   - http://wiki2.dovecot.org/

#   - http://wiki2.dovecot.org/Variables


# Listen addresses.

#   - '*' means all available IPv4 addresses.

#   - '[::]' means all available IPv6 addresses.

# Listen on all available addresses by default

listen = * [::]


#base_dir = /var/run/dovecot

mail_plugins = quota mailbox_alias acl mail_log notify stats


# Enabled mail protocols.

protocols = pop3 imap sieve lmtp


# User/group who owns the message files:

mail_uid = 2000

mail_gid = 2000


# Assign uid to virtual users.

first_valid_uid = 2000

last_valid_uid = 2000


# Logging. Reference: http://wiki2.dovecot.org/Logging

#

# Use syslog

#syslog_facility = local5

# Log file path if we use internal log system

log_path = /var/log/dovecot/dovecot.log


# Debug

#mail_debug = yes

#auth_verbose = yes

#auth_debug = yes

#auth_debug_passwords = yes

# Possible values: no, plain, sha1.

#auth_verbose_passwords = no


# SSL: Global settings.

# Refer to wiki site for per protocol, ip, server name SSL settings:

# http://wiki2.dovecot.org/SSL/DovecotConfiguration

ssl_protocols = !SSLv2 !SSLv3

ssl = required

verbose_ssl = no

#ssl_ca = </path/to/ca

ssl_cert = </etc/pki/dovecot/certs/dovecot.pem

ssl_key = </etc/pki/dovecot/private/dovecot.pem


# Fix 'The Logjam Attack'

ssl_cipher_list = ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5

# Dovecot 2.2.6 or greater:

# Specify the wanted DH parameters length

ssl_dh_parameters_length = 2048

ssl_prefer_server_ciphers = yes


# With disable_plaintext_auth=yes AND ssl=required, STARTTLS is mandatory.

# Set disable_plaintext_auth=no AND ssl=yes to allow plain password transmitted

# insecurely.

disable_plaintext_auth = yes


# Allow plain text password per IP address/net

#remote 192.168.0.0/24 {

#   disable_plaintext_auth = no

#}


# Mail location and mailbox format.

mail_location = maildir:%Lh/Maildir/:INDEX=%Lh/Maildir/


# Authentication related settings.

# Append this domain name if client gives empty realm.

#auth_default_realm = weschool.kr


# Authentication mechanisms.

auth_mechanisms = PLAIN LOGIN


# Limits the number of users that can be logging in at the same time.

# Default is 100. This can be overridden by `process_limit =` in

# `service [protocol]` block.

# e.g.

#       protocol imap-login {

#           ...

#           process_limit = 500

#       }

#default_process_limit = 100


# Mail delivery log format

deliver_log_format = from=%{from}, envelope_sender=%{from_envelope}, subject=%{subject}, msgid=%m, size=%{size}, %$


service auth {

    unix_listener /var/spool/postfix/private/dovecot-auth {

        user = postfix

        group = postfix

        mode = 0666

    }

    unix_listener auth-master {

        user = vmail

        group = vmail

        mode = 0666

    }

    unix_listener auth-userdb {

        user = vmail

        group = vmail

        mode = 0660

    }

}


# LMTP server (Local Mail Transfer Protocol).

# Reference: http://wiki2.dovecot.org/LMTP

service lmtp {

    user = vmail


    # For higher volume sites, it may be desirable to increase the number of

    # active listener processes. A range of 5 to 20 is probably good for most

    # sites.

    process_min_avail = 5


    # Logging.

    # Require 'log_path =' in 'protocol lmtp {}' block.

    executable = lmtp -L


    # Listening on socket file and TCP

    unix_listener /var/spool/postfix/private/dovecot-lmtp {

        user = postfix

        group = postfix

        mode = 0600

    }


    inet_listener lmtp {

        # Listen on localhost (ipv4)

        address = 127.0.0.1

        port = 24

    }

}


# Virtual mail accounts.

userdb {

    args = /etc/dovecot/dovecot-mysql.conf

    driver = sql

}

passdb {

    args = /etc/dovecot/dovecot-mysql.conf

    driver = sql

}


# Master user.

# Master users are able to log in as other users. It's also possible to

# directly log in as any user using a master password, although this isn't

# recommended.

# Reference: http://wiki2.dovecot.org/Authentication/MasterUsers

auth_master_user_separator = *

passdb {

    driver = passwd-file

    args = /etc/dovecot/dovecot-master-users

    master = yes

}


plugin {

    # Quota configuration.

    # Reference: http://wiki2.dovecot.org/Quota/Configuration

    quota = dict:user::proxy::quotadict


    # Set default quota rule if no quota returned from SQL/LDAP query.

    #quota_rule = *:storage=1G

    #quota_rule2 = *:messages=0

    #quota_rule3 = Trash:storage=1G

    #quota_rule4 = Junk:ignore


    # Quota warning.

    #

    # If user suddenly receives a huge mail and the quota jumps from

    # 85% to 95%, only the 95% script is executed.

    #

    # Only the command for the first exceeded limit is executed, so configure

    # the highest limit first.

    quota_warning = storage=100%% quota-warning 100 %u

    quota_warning2 = storage=95%% quota-warning 95 %u

    quota_warning3 = storage=90%% quota-warning 90 %u

    quota_warning4 = storage=85%% quota-warning 85 %u


    # allow user to become max 10% (or 50 MB) over quota

    quota_grace = 10%%

    #quota_grace = 50 M


    # Custom Quota Exceeded Message.

    # You can specify the message directly or read the message from a file.

    #quota_exceeded_message = Quota exceeded, please try again later.

    #quota_exceeded_message = </path/to/quota_exceeded_message.txt


    # Plugin: expire.

    #expire = Trash 7 Trash/* 7 Junk 30

    #expire_dict = proxy::expire


    # ACL and share folder

    acl = vfile

    acl_shared_dict = proxy::acl


    # By default Dovecot doesn't allow using the IMAP "anyone" or

    # "authenticated" identifier, because it would be an easy way to spam

    # other users in the system. If you wish to allow it,

    #acl_anyone = allow


    # Pigeonhole managesieve service.

    # Reference: http://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration

    # Per-user sieve settings.

    sieve_dir = %Lh/sieve

    sieve = %Lh/sieve/dovecot.sieve


    # Global sieve settings.

    sieve_global_dir = /var/vmail/sieve

    # Note: if user has personal sieve script, global sieve rules defined in

    #       sieve_default will be ignored. Please use sieve_before or

    #       sieve_after instead.

    #sieve_default =


    sieve_before = /var/vmail/sieve/dovecot.sieve

    #sieve_after =


    # The maximum number of redirect actions that can be performed during a

    # single script execution.

    # The meaning of 0 differs based on your version. For pigeonhole-0.3.0 and

    # beyond this means that redirect is prohibited. For older versions,

    # however, this means that the number of redirects is unlimited.

    sieve_max_redirects = 30


    # Reference: http://wiki2.dovecot.org/Plugins/MailboxAlias

    mailbox_alias_old = Sent

    mailbox_alias_new = Sent Messages

    mailbox_alias_old2 = Sent

    mailbox_alias_new2 = Sent Items


    # Events to log. `autoexpunge` is included in `expunge`

    # Defined in https://github.com/dovecot/core/blob/master/src/plugins/mail-log/mail-log-plugin.c

    mail_log_events = delete undelete expunge mailbox_delete mailbox_rename

    mail_log_fields = uid box msgid size from subject


    # stats

    #

    # how often to refresh session statistics (must be set)

    stats_refresh = 30 secs

    # track per-IMAP command statistics (optional)

    stats_track_cmds = yes

}
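The ordering rule stated in the quota_warning comments above (only the first crossed limit runs its command, so list the highest limit first), as an added example that is not part of this page's configuration and not Dovecot code. The rule lists are constructed from the plugin {} block above; the second list is the same rules in the wrong, ascending order.

```python
# Added example: simulates which quota_warning command Dovecot runs for a
# storage jump, to show why the limits must be listed highest first. Not
# Dovecot code; the rule lists are constructed from the dovecot.conf above.

# (limit in percent, command) in configuration order, as in the plugin {} block.
WARNINGS_HIGHEST_FIRST = [
    (100, "quota-warning 100"),
    (95, "quota-warning 95"),
    (90, "quota-warning 90"),
    (85, "quota-warning 85"),
]

# The same rules in the wrong (ascending) order.
WARNINGS_LOWEST_FIRST = list(reversed(WARNINGS_HIGHEST_FIRST))


def fired_warning(rules, old_pct, new_pct):
    """Return the command Dovecot would execute when storage usage moves from
    old_pct to new_pct, or None if no limit was crossed.

    Dovecot walks the quota_warning rules in configuration order and executes
    only the first rule whose limit was crossed by the change (usage was below
    the limit before and at or above it afterwards)."""
    for limit, command in rules:
        if old_pct < limit <= new_pct:
            return command
    return None


def missed_warnings(rules, old_pct, new_pct):
    """Limits crossed by the same change whose command never runs because an
    earlier rule already matched."""
    fired = fired_warning(rules, old_pct, new_pct)
    return [limit for limit, command in rules
            if old_pct < limit <= new_pct and command != fired]


if __name__ == "__main__":
    # A large delivery pushes usage from 85% to 95% (the case the comment describes).
    print(fired_warning(WARNINGS_HIGHEST_FIRST, 85, 95))   # quota-warning 95
    print(fired_warning(WARNINGS_LOWEST_FIRST, 85, 95))    # quota-warning 90
    print(missed_warnings(WARNINGS_LOWEST_FIRST, 85, 95))  # [95]
```

With the ascending order the 90% script runs for a jump to 95%, so the user is told they are at 90% when they are already at 95%; with the order used in the configuration above the 95% script runs, which is the behaviour the comment describes.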


service stats {

    fifo_listener stats-mail {

        user = vmail

        mode = 0644

    }


    inet_listener {

        address = 127.0.0.1

        port = 24242

    }

}


service quota-warning {

    executable = script /usr/local/bin/dovecot-quota-warning.sh

    unix_listener quota-warning {

        user = vmail

        group = vmail

        mode = 0660

    }

}


service dict {

    unix_listener dict {

        mode = 0660

        user = vmail

        group = vmail

    }

}


dict {

    #expire = db:/var/lib/dovecot/expire/expire.db

    quotadict = mysql:/etc/dovecot/dovecot-used-quota.conf

    acl = mysql:/etc/dovecot/dovecot-share-folder.conf

}


protocol lda {

    # Reference: http://wiki2.dovecot.org/LDA

    mail_plugins = $mail_plugins sieve

    lda_mailbox_autocreate = yes

    lda_mailbox_autosubscribe = yes

    postmaster_address = root


    # Log file path if we use internal log system

    #log_path = /var/log/dovecot/sieve.log

}


protocol lmtp {

    # Log file path if we use internal log system

    #log_path = /var/log/dovecot/lmtp.log


    # Plugins

    mail_plugins = quota sieve

    postmaster_address = postmaster


    # Address extension delivery

    lmtp_save_to_detail_mailbox = yes

    recipient_delimiter = +

}


protocol imap {

    mail_plugins = $mail_plugins imap_quota imap_acl imap_stats

    imap_client_workarounds = tb-extra-mailbox-sep


    # Maximum number of IMAP connections allowed for a user from each IP address.

    # NOTE: The username is compared case-sensitively.

    # Default is 10.

    # Increase it to avoid issue like below:

    # "Maximum number of concurrent IMAP connections exceeded"

    mail_max_userip_connections = 30

}


protocol pop3 {

    mail_plugins = $mail_plugins

    pop3_client_workarounds = outlook-no-nuls oe-ns-eoh

    pop3_uidl_format = %08Xu%08Xv


    # Maximum number of POP3 connections allowed for a user from each IP address.

    # NOTE: The username is compared case-sensitively.

    # Default is 10.

    mail_max_userip_connections = 30


    # POP3 logout format string:

    #  %i - total number of bytes read from client

    #  %o - total number of bytes sent to client

    #  %t - number of TOP commands

    #  %p - number of bytes sent to client as a result of TOP command

    #  %r - number of RETR commands

    #  %b - number of bytes sent to client as a result of RETR command

    #  %d - number of deleted messages

    #  %m - number of messages (before deletion)

    #  %s - mailbox size in bytes (before deletion)

    # Default format doesn't have 'in=%i, out=%o'.

    #pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s, in=%i, out=%o

}


# Login processes. Refer to Dovecot wiki for more details:

# http://wiki2.dovecot.org/LoginProcess

service imap-login {

    #inet_listener imap {

    #    port = 143

    #}

    #inet_listener imaps {

    #    port = 993

    #    ssl = yes

    #}


    service_count = 1


    # To avoid startup latency for new client connections, set process_min_avail

    # to higher than zero. That many idling processes are always kept around

    # waiting for new connections.

    #process_min_avail = 0


    # number of simultaneous IMAP connections

    process_limit = 500


    # vsz_limit should be fine at its default 64MB value

    #vsz_limit = 64M

}


service pop3-login {

    #inet_listener pop3 {

    #    port = 110

    #}

    #inet_listener pop3s {

    #    port = 995

    #    ssl = yes

    #}


    service_count = 1


    # number of simultaneous POP3 connections

    #process_limit = 500

}


service managesieve-login {

    inet_listener sieve {

        # Listen on localhost (ipv4)

        address = 127.0.0.1

        port = 4190

    }

}


namespace {

    type = private

    separator = /

    prefix =

    inbox = yes


    # Refer to document for more details about alias mailbox:

    # http://wiki2.dovecot.org/MailboxSettings

    #

    # Sent

    mailbox Sent {

        auto = subscribe

        special_use = \Sent

    }

    mailbox "Sent Messages" {

        auto = no

        special_use = \Sent

    }

    mailbox "Sent Items" {

        auto = no

        special_use = \Sent

    }


    mailbox Drafts {

        auto = subscribe

        special_use = \Drafts

    }


    # Trash

    mailbox Trash {

        auto = subscribe

        special_use = \Trash

    }


    mailbox "Deleted Messages" {

        auto = no

        special_use = \Trash

    }


    # Junk

    mailbox Junk {

        auto = subscribe

        special_use = \Junk

    }

    mailbox Spam {

        auto = no

        special_use = \Junk

    }

    mailbox "Junk E-mail" {

        auto = no

        special_use = \Junk

    }


    # Archive

    mailbox Archive {

        auto = no

        special_use = \Archive

    }

    mailbox Archives {

        auto = no

        special_use = \Archive

    }

}


namespace {

    type = shared

    separator = /

    prefix = Shared/%%u/

    location = maildir:%%Lh/Maildir/:INDEX=%%Lh/Maildir/Shared/%%Ld/%%Ln


    # this namespace should handle its own subscriptions or not.

    subscriptions = yes

    list = children

}

 

# Public mailboxes.

# Refer to Dovecot wiki page for more details:

# http://wiki2.dovecot.org/SharedMailboxes/Public

#namespace {

#    type = public

#    separator = /

#    prefix = Public/

#    location = maildir:/var/vmail/public:CONTROL=%Lh/Maildir/public:INDEXPVT=%Lh/Maildir/public

#

#    # Allow users to subscribe to the public folders.

#    subscriptions = yes

#}


!include_try /etc/dovecot/iredmail/*.conf


 MariaDB

 Package

mariadb101u-embedded-devel-10.1.32-1.ius.centos7.x86_6
mariadb101u-server-galera-10.1.32-1.ius.centos7.x86_64
mariadb101u-10.1.32-1.ius.centos7.x86_64
mariadb101u-config-10.1.32-1.ius.centos7.x86_64

mariadb101u-libs-10.1.32-1.ius.centos7.x86_64

mariadb101u-errmsg-10.1.32-1.ius.centos7.x86_64
mariadb101u-server-10.1.32-1.ius.centos7.x86_64

mariadb101u-devel-10.1.32-1.ius.centos7.x86_64

mariadb101u-test-10.1.32-1.ius.centos7.x86_64

mariadb101u-server-utils-10.1.32-1.ius.centos7.x86_64
mariadb101u-oqgraph-engine-10.1.32-1.ius.centos7.x86_64
mariadb101u-debuginfo-10.1.32-1.ius.centos7.x86_64
mariadb101u-bench-10.1.32-1.ius.centos7.x86_64
mariadb101u-connect-engine-10.1.32-1.ius.centos7.x86_64
mariadb101u-common-10.1.32-1.ius.centos7.x86_64
mariadb101u-embedded-10.1.32-1.ius.centos7.x86_64

 configure

 


1. /etc/my.cnf  


#

# This group is read both both by the client and the server

# use it for options that affect everything

#

[client-server]


#

# This group is read by the server

#

[mysqld]

 bind-address            = 0.0.0.0

 port                    = 3306

 collation-server        = utf8mb4_general_ci

 character-set-server    = utf8mb4

 skip-character-set-client-handshake

 max_allowed_packet      = 32M

 slow_query_log

 long_query_time         = 2



# Log every query.

 general_log = 1

 general_log_file = /var/log/mariadb/mysql_query.log

 expire_logs_days = 2

 max_binlog_size = 10M



# Disabling symbolic-links is recommended to prevent assorted security risks

 symbolic-links=0


#ssl-ca =

#ssl-cert = /etc/pki/tls/certs/iRedMail.crt

#ssl-key = /etc/pki/tls/private/iRedMail.key

#ssl-cipher = ALL



[client]

default-character-set=utf8



#

# include all files from the config directory

#

 !includedir /etc/my.cnf.d



 Roundcube & Gnuboard & wmail

 Package

 

      gnuboard5.3.1.4.tar.gz

      Roundcube Webmail 1.3.5

      wmail 1.1


 * Base edition (liroo.net model) ==>

web3.vol1.egg

web3.vol2.egg

web3.vol3.egg

web3.vol4.egg



 configure

1. gnuboard configuration


/data/dbconfig.php   ---> DB connection settings.


2. Roundcube configuration


[html/rmail/config/config.inc.php]


<?php


// SQL DATABASE

$config['db_dsnw'] = 'mysqli://DB_ID:DB_PW@127.0.0.1:3306/web1';

$config['db_prefix'] = 'lr_';


// LOGGING

$config['log_driver'] = 'syslog';

$config['syslog_facility'] = LOG_MAIL;


// IMAP

$config['default_host'] = '127.0.0.1';

$config['default_port'] = 143;

$config['imap_auth_type'] = 'LOGIN';

$config['imap_delimiter'] = '/';

// Required if you're running PHP 5.6 or later

$config['imap_conn_options'] = array(

    'ssl' => array(

        'verify_peer'  => false,

        'verify_peer_name' => false,

    ),

);


// SMTP

$config['smtp_server'] = 'tls://127.0.0.1';

$config['smtp_port'] = 587;

$config['smtp_user'] = '%u';

$config['smtp_pass'] = '%p';

$config['smtp_auth_type'] = 'LOGIN';

// Required if you're running PHP 5.6 or later

$config['smtp_conn_options'] = array(

    'ssl' => array(

        'verify_peer'      => false,

        'verify_peer_name' => false,

    ),

);


// Use user's identity as envelope sender for 'return receipt' responses,

// otherwise it will be rejected by iRedAPD plugin `reject_null_sender`.

$config['mdn_use_from'] = true;


// SYSTEM

$config['force_https'] = false;

$config['login_autocomplete'] = 2;

$config['ip_check'] = true;

$config['des_key'] = 'GyxjqQ7kaD5dqsq7HAB3Ab0g';

$config['cipher_method'] = 'AES-256-CBC';

$config['useragent'] = 'Narae Webmail'; // Hide version number

$config['username_domain'] = 'weschool.kr';

//$config['mime_types'] = '/etc/mime.types';


// USER INTERFACE

$config['create_default_folders'] = true;

$config['quota_zero_as_unlimited'] = true;


// USER PREFERENCES

$config['default_charset'] = 'UTF-8';

//$config['addressbook_sort_col'] = 'name';

$config['draft_autosave'] = 60;

$config['default_list_mode'] = 'threads';

$config['autoexpand_threads'] = 2;

$config['check_all_folders'] = true;

$config['default_font_size'] = '12pt';

$config['message_show_email'] = true;

$config['layout'] = 'widescreen';   // three columns

//$config['skip_deleted'] = true;


// PLUGINS

$config['plugins'] = array('managesieve', 'password', 'enigma', 'large_attachments');


//max mail attach file size

$config['max_attach_size'] = 31457280;


//logout url

$config['logout_url'] = '/bbs/logout.php';


[/html/rmail/plugins/large_attachments/config.inc.php]


<?php


//file upload directory

$config['large_upload_path']= '/data/webmaster/web1/data/upload/';

$config['large_extensions']= [];

$config['large_multiselect'] = false;


?>


3. wmail configuration


[/data/webmaster/web1/data/db.conf]


db=mysql

host=localhost

port=

dbname=DB

user=DB_user

passwd=DB_pw



[/data/webmaster/web1/data/vmail.conf]


db=mysql

host=localhost

port=

dbname=vmail

user=vmail_DB_user

passwd=vmail_DB_pw


 Certbot

 Package

python2-certbot-0.26.1-2.el7.noarch
certbot-0.26.1-2.el7.noarch
python2-certbot-nginx-0.26.1-1.el7.noarch

 configure

/etc/letsencrypt





2. DB initialization


1) DB setup


[Create databases]

 ○  vmail - records mail accounts, feature settings and related information      vmail.sql



admin, alias, alias_domain, anyone_shares, deleted_mailboxes, domain, domain_admins, forwardings, mailbox, maillists, recipient_bcc_domain, recipient_bcc_user, sender_bcc_domain, sender_bcc_user, sender_relayhost, share_folder, used_quota


CREATE TABLE `admin` (

  `username` varchar(255) NOT NULL DEFAULT '',

  `password` varchar(255) NOT NULL DEFAULT '',

  `name` varchar(255) NOT NULL DEFAULT '',

  `language` varchar(5) NOT NULL DEFAULT '',

  `passwordlastchange` datetime NOT NULL DEFAULT '1970-01-01 01:01:01',

  `settings` text,

  `created` datetime NOT NULL DEFAULT '1970-01-01 01:01:01',

  `modified` datetime NOT NULL DEFAULT '1970-01-01 01:01:01',

  `expired` datetime NOT NULL DEFAULT '9999-12-31 00:00:00',

  `active` tinyint(1) NOT NULL DEFAULT '1',

  PRIMARY KEY (`username`),

  KEY `passwordlastchange` (`passwordlastchange`),

  KEY `expired` (`expired`),

  KEY `active` (`active`)

) ENGINE=InnoDB DEFAULT CHARSET=utf8;


CREATE TABLE `alias` (

  `address` varchar(255) NOT NULL DEFAULT '',

  `name` varchar(255) NOT NULL DEFAULT '',

  `accesspolicy` varchar(30) NOT NULL DEFAULT '',

  `domain` varchar(255) NOT NULL DEFAULT '',

  `created` datetime NOT NULL DEFAULT '1970-01-01 01:01:01',

  `modified` datetime NOT NULL DEFAULT '1970-01-01 01:01:01',

  `expired` datetime NOT NULL DEFAULT '9999-12-31 00:00:00',

  `active` tinyint(1) NOT NULL DEFAULT '1',

  PRIMARY KEY (`address`),

  KEY `domain` (`domain`),

  KEY `expired` (`expired`),

  KEY `active` (`active`)

) ENGINE=InnoDB DEFAULT CHARSET=utf8;


CREATE TABLE `alias_domain` (

  `alias_domain` varchar(255) NOT NULL,

  `target_domain` varchar(255) NOT NULL,

  `created` datetime NOT NULL DEFAULT '1970-01-01 01:01:01',

  `modified` datetime NOT NULL DEFAULT '1970-01-01 01:01:01',

  `active` tinyint(1) NOT NULL DEFAULT '1',

  PRIMARY KEY (`alias_domain`),

  KEY `target_domain` (`target_domain`),

  KEY `active` (`active`)

) ENGINE=InnoDB DEFAULT CHARSET=utf8;


CREATE TABLE `anyone_shares` (

  `from_user` varchar(255) NOT NULL,

  `dummy` char(1) DEFAULT '1',

  PRIMARY KEY (`from_user`)

) ENGINE=InnoDB DEFAULT CHARSET=utf8;


CREATE TABLE `deleted_mailboxes` (

  `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT,

  `timestamp` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,

  `username` varchar(255) NOT NULL DEFAULT '',

  `domain` varchar(255) NOT NULL DEFAULT '',

  `maildir` varchar(255) NOT NULL DEFAULT '',

  `admin` varchar(255) NOT NULL DEFAULT '',

  `delete_date` date DEFAULT NULL,

  KEY `id` (`id`),

  KEY `timestamp` (`timestamp`),

  KEY `username` (`username`),

  KEY `domain` (`domain`),

  KEY `admin` (`admin`),

  KEY `delete_date` (`delete_date`)

) ENGINE=InnoDB DEFAULT CHARSET=utf8;


CREATE TABLE `domain` (

  `domain` varchar(255) NOT NULL DEFAULT '',

  `description` text,

  `disclaimer` text,

  `aliases` int(10) NOT NULL DEFAULT '0',

  `mailboxes` int(10) NOT NULL DEFAULT '0',

  `maillists` int(10) NOT NULL DEFAULT '0',

  `maxquota` bigint(20) NOT NULL DEFAULT '0',

  `quota` bigint(20) NOT NULL DEFAULT '0',

  `transport` varchar(255) NOT NULL DEFAULT 'dovecot',

  `backupmx` tinyint(1) NOT NULL DEFAULT '0',

  `settings` text,

  `created` datetime NOT NULL DEFAULT '1970-01-01 01:01:01',

  `modified` datetime NOT NULL DEFAULT '1970-01-01 01:01:01',

  `expired` datetime NOT NULL DEFAULT '9999-12-31 00:00:00',

  `active` tinyint(1) NOT NULL DEFAULT '1',

  PRIMARY KEY (`domain`),

  KEY `backupmx` (`backupmx`),

  KEY `expired` (`expired`),

  KEY `active` (`active`)

) ENGINE=InnoDB DEFAULT CHARSET=utf8;


CREATE TABLE `domain_admins` (

  `username` varchar(255) CHARACTER SET ascii NOT NULL DEFAULT '',

  `domain` varchar(255) CHARACTER SET ascii NOT NULL DEFAULT '',

  `created` datetime NOT NULL DEFAULT '1970-01-01 01:01:01',

  `modified` datetime NOT NULL DEFAULT '1970-01-01 01:01:01',

  `expired` datetime NOT NULL DEFAULT '9999-12-31 00:00:00',

  `active` tinyint(1) NOT NULL DEFAULT '1',

  PRIMARY KEY (`username`,`domain`),

  KEY `username` (`username`),

  KEY `domain` (`domain`),

  KEY `active` (`active`)

) ENGINE=InnoDB DEFAULT CHARSET=utf8;


CREATE TABLE `forwardings` (

  `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT,

  `address` varchar(255) NOT NULL DEFAULT '',

  `forwarding` varchar(255) NOT NULL DEFAULT '',

  `domain` varchar(255) NOT NULL DEFAULT '',

  `dest_domain` varchar(255) NOT NULL DEFAULT '',

  `is_maillist` tinyint(1) NOT NULL DEFAULT '0',

  `is_list` tinyint(1) NOT NULL DEFAULT '0',

  `is_forwarding` tinyint(1) NOT NULL DEFAULT '0',

  `is_alias` tinyint(1) NOT NULL DEFAULT '0',

  `active` tinyint(1) NOT NULL DEFAULT '1',

  PRIMARY KEY (`id`),

  UNIQUE KEY `address` (`address`,`forwarding`),

  KEY `domain` (`domain`),

  KEY `dest_domain` (`dest_domain`),

  KEY `is_maillist` (`is_maillist`),

  KEY `is_list` (`is_list`),

  KEY `is_alias` (`is_alias`)

) ENGINE=InnoDB DEFAULT CHARSET=utf8;


CREATE TABLE `mailbox` (

  `username` varchar(255) NOT NULL DEFAULT '',

  `password` varchar(255) NOT NULL DEFAULT '',

  `name` varchar(255) NOT NULL DEFAULT '',

  `language` varchar(5) NOT NULL DEFAULT '',

  `storagebasedirectory` varchar(255) NOT NULL DEFAULT '/var/vmail',

  `storagenode` varchar(255) NOT NULL DEFAULT 'vmail1',

  `maildir` varchar(255) NOT NULL DEFAULT '',

  `quota` bigint(20) NOT NULL DEFAULT '0',

  `domain` varchar(255) NOT NULL DEFAULT '',

  `transport` varchar(255) NOT NULL DEFAULT '',

  `department` varchar(255) NOT NULL DEFAULT '',

  `rank` varchar(255) NOT NULL DEFAULT 'normal',

  `employeeid` varchar(255) DEFAULT '',

  `isadmin` tinyint(1) NOT NULL DEFAULT '0',

  `isglobaladmin` tinyint(1) NOT NULL DEFAULT '0',

  `enablesmtp` tinyint(1) NOT NULL DEFAULT '1',

  `enablesmtpsecured` tinyint(1) NOT NULL DEFAULT '1',

  `enablepop3` tinyint(1) NOT NULL DEFAULT '1',

  `enablepop3secured` tinyint(1) NOT NULL DEFAULT '1',

  `enableimap` tinyint(1) NOT NULL DEFAULT '1',

  `enableimapsecured` tinyint(1) NOT NULL DEFAULT '1',

  `enabledeliver` tinyint(1) NOT NULL DEFAULT '1',

  `enablelda` tinyint(1) NOT NULL DEFAULT '1',

  `enablemanagesieve` tinyint(1) NOT NULL DEFAULT '1',

  `enablemanagesievesecured` tinyint(1) NOT NULL DEFAULT '1',

  `enablesieve` tinyint(1) NOT NULL DEFAULT '1',

  `enablesievesecured` tinyint(1) NOT NULL DEFAULT '1',

  `enableinternal` tinyint(1) NOT NULL DEFAULT '1',

  `enabledoveadm` tinyint(1) NOT NULL DEFAULT '1',

  `enablelib-storage` tinyint(1) NOT NULL DEFAULT '1',

  `enableindexer-worker` tinyint(1) NOT NULL DEFAULT '1',

  `enablelmtp` tinyint(1) NOT NULL DEFAULT '1',

  `enabledsync` tinyint(1) NOT NULL DEFAULT '1',

  `enablesogo` tinyint(1) NOT NULL DEFAULT '1',

  `allow_nets` text,

  `lastlogindate` datetime NOT NULL DEFAULT '1970-01-01 01:01:01',

  `lastloginipv4` int(4) unsigned NOT NULL DEFAULT '0',

  `lastloginprotocol` char(255) NOT NULL DEFAULT '',

  `disclaimer` text,

  `allowedsenders` text,

  `rejectedsenders` text,

  `allowedrecipients` text,

  `rejectedrecipients` text,

  `settings` text,

  `passwordlastchange` datetime NOT NULL DEFAULT '1970-01-01 01:01:01',

  `created` datetime NOT NULL DEFAULT '1970-01-01 01:01:01',

  `modified` datetime NOT NULL DEFAULT '1970-01-01 01:01:01',

  `expired` datetime NOT NULL DEFAULT '9999-12-31 00:00:00',

  `active` tinyint(1) NOT NULL DEFAULT '1',

  PRIMARY KEY (`username`),

  KEY `domain` (`domain`),

  KEY `department` (`department`),

  KEY `employeeid` (`employeeid`),

  KEY `isadmin` (`isadmin`),

  KEY `isglobaladmin` (`isglobaladmin`),

  KEY `enablesmtp` (`enablesmtp`),

  KEY `enablesmtpsecured` (`enablesmtpsecured`),

  KEY `enablepop3` (`enablepop3`),

  KEY `enablepop3secured` (`enablepop3secured`),

  KEY `enableimap` (`enableimap`),

  KEY `enableimapsecured` (`enableimapsecured`),

  KEY `enabledeliver` (`enabledeliver`),

  KEY `enablelda` (`enablelda`),

  KEY `enablemanagesieve` (`enablemanagesieve`),

  KEY `enablemanagesievesecured` (`enablemanagesievesecured`),

  KEY `enablesieve` (`enablesieve`),

  KEY `enablesievesecured` (`enablesievesecured`),

  KEY `enablelmtp` (`enablelmtp`),

  KEY `enableinternal` (`enableinternal`),

  KEY `enabledoveadm` (`enabledoveadm`),

  KEY `enablelib-storage` (`enablelib-storage`),

  KEY `enableindexer-worker` (`enableindexer-worker`),

  KEY `enabledsync` (`enabledsync`),

  KEY `enablesogo` (`enablesogo`),

  KEY `passwordlastchange` (`passwordlastchange`),

  KEY `expired` (`expired`),

  KEY `active` (`active`)

) ENGINE=InnoDB DEFAULT CHARSET=utf8;


CREATE TABLE `maillists` (

  `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT,

  `address` varchar(255) NOT NULL DEFAULT '',

  `domain` varchar(255) NOT NULL DEFAULT '',

  `transport` varchar(255) NOT NULL DEFAULT '',

  `accesspolicy` varchar(30) NOT NULL DEFAULT '',

  `maxmsgsize` bigint(20) NOT NULL DEFAULT '0',

  `name` varchar(255) NOT NULL DEFAULT '',

  `description` text,

  `mlid` varchar(36) NOT NULL DEFAULT '',

  `is_newsletter` tinyint(1) NOT NULL DEFAULT '0',

  `settings` text,

  `created` datetime NOT NULL DEFAULT '1970-01-01 01:01:01',

  `modified` datetime NOT NULL DEFAULT '1970-01-01 01:01:01',

  `expired` datetime NOT NULL DEFAULT '9999-12-31 00:00:00',

  `active` tinyint(1) NOT NULL DEFAULT '1',

  PRIMARY KEY (`id`),

  UNIQUE KEY `address` (`address`),

  UNIQUE KEY `mlid` (`mlid`),

  KEY `is_newsletter` (`is_newsletter`),

  KEY `domain` (`domain`),

  KEY `active` (`active`)

) ENGINE=InnoDB DEFAULT CHARSET=utf8;


CREATE TABLE `recipient_bcc_domain` (

  `domain` varchar(255) NOT NULL DEFAULT '',

  `bcc_address` varchar(255) NOT NULL DEFAULT '',

  `created` datetime NOT NULL DEFAULT '1970-01-01 01:01:01',

  `modified` datetime NOT NULL DEFAULT '1970-01-01 01:01:01',

  `expired` datetime NOT NULL DEFAULT '9999-12-31 00:00:00',

  `active` tinyint(1) NOT NULL DEFAULT '1',

  PRIMARY KEY (`domain`),

  KEY `bcc_address` (`bcc_address`),

  KEY `expired` (`expired`),

  KEY `active` (`active`)

) ENGINE=InnoDB DEFAULT CHARSET=utf8;


CREATE TABLE `recipient_bcc_user` (

  `username` varchar(255) NOT NULL DEFAULT '',

  `bcc_address` varchar(255) NOT NULL DEFAULT '',

  `domain` varchar(255) NOT NULL DEFAULT '',

  `created` datetime NOT NULL DEFAULT '1970-01-01 01:01:01',

  `modified` datetime NOT NULL DEFAULT '1970-01-01 01:01:01',

  `expired` datetime NOT NULL DEFAULT '9999-12-31 00:00:00',

  `active` tinyint(1) NOT NULL DEFAULT '1',

  PRIMARY KEY (`username`),

  KEY `bcc_address` (`bcc_address`),

  KEY `expired` (`expired`),

  KEY `active` (`active`)

) ENGINE=InnoDB DEFAULT CHARSET=utf8;


CREATE TABLE `sender_bcc_domain` (

  `domain` varchar(255) NOT NULL DEFAULT '',

  `bcc_address` varchar(255) NOT NULL DEFAULT '',

  `created` datetime NOT NULL DEFAULT '1970-01-01 01:01:01',

  `modified` datetime NOT NULL DEFAULT '1970-01-01 01:01:01',

  `expired` datetime NOT NULL DEFAULT '9999-12-31 00:00:00',

  `active` tinyint(1) NOT NULL DEFAULT '1',

  PRIMARY KEY (`domain`),

  KEY `bcc_address` (`bcc_address`),

  KEY `expired` (`expired`),

  KEY `active` (`active`)

) ENGINE=InnoDB DEFAULT CHARSET=utf8;


CREATE TABLE `sender_bcc_user` (

  `username` varchar(255) NOT NULL DEFAULT '',

  `bcc_address` varchar(255) NOT NULL DEFAULT '',

  `domain` varchar(255) NOT NULL DEFAULT '',

  `created` datetime NOT NULL DEFAULT '1970-01-01 01:01:01',

  `modified` datetime NOT NULL DEFAULT '1970-01-01 01:01:01',

  `expired` datetime NOT NULL DEFAULT '9999-12-31 00:00:00',

  `active` tinyint(1) NOT NULL DEFAULT '1',

  PRIMARY KEY (`username`),

  KEY `bcc_address` (`bcc_address`),

  KEY `domain` (`domain`),

  KEY `expired` (`expired`),

  KEY `active` (`active`)

) ENGINE=InnoDB DEFAULT CHARSET=utf8;


CREATE TABLE `sender_relayhost` (

  `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT,

  `account` varchar(255) NOT NULL DEFAULT '',

  `relayhost` varchar(255) NOT NULL DEFAULT '',

  PRIMARY KEY (`id`),

  UNIQUE KEY `account` (`account`)

) ENGINE=InnoDB DEFAULT CHARSET=utf8;


CREATE TABLE `share_folder` (

  `from_user` varchar(255) CHARACTER SET ascii NOT NULL,

  `to_user` varchar(255) CHARACTER SET ascii NOT NULL,

  `dummy` char(1) DEFAULT NULL,

  PRIMARY KEY (`from_user`,`to_user`),

  KEY `from_user` (`from_user`),

  KEY `to_user` (`to_user`)

) ENGINE=InnoDB DEFAULT CHARSET=utf8;


CREATE TABLE `used_quota` (

  `username` varchar(255) NOT NULL,

  `bytes` bigint(20) NOT NULL DEFAULT '0',

  `messages` bigint(20) NOT NULL DEFAULT '0',

  `domain` varchar(255) NOT NULL DEFAULT '',

  PRIMARY KEY (`username`),

  KEY `domain` (`domain`)

) ENGINE=InnoDB DEFAULT CHARSET=utf8;


CREATE TRIGGER `used_quota_before_insert` BEFORE INSERT ON `used_quota` FOR EACH ROW BEGIN

        SET NEW.domain = SUBSTRING_INDEX(NEW.username, '@', -1);

    END;



 ○  web1 - records Gnuboard and Roundcube information


g5_auth, g5_autosave, g5_board, g5_board_file, g5_board_good, g5_board_new, g5_cert_history, g5_config, g5_content, g5_faq, g5_faq_master, g5_group, g5_group_member, g5_login, g5_mail, g5_member, g5_member_social_profiles, g5_memo, g5_menu, g5_new_win, g5_point, g5_poll, g5_poll_etc, g5_popular, g5_qa_config, g5_qa_content, g5_scrap, g5_uniqid, g5_visit, g5_visit_sum, g5_write_free, g5_write_gallery, g5_write_notice, g5_write_qa, 


lr_cache, lr_cache_index, lr_cache_messages, lr_cache_shared, lr_cache_thread, lr_contactgroupmembers, lr_contactgroups, lr_contacts, lr_dictionary, lr_identities, lr_searches, lr_session, lr_system, lr_users, rmail_manage




[Create DB users]

  ○  vmail - create the vmail DB user.

  ○  web1_user - create the web1 DB user.


  



3. Login (access)

[Domain registration]

 - All login functions, including the administrator's, work only after the information has been registered in the rmail_manage table of web1.


    (example)

    no / type / domain   / base_dir     / quota_limit / etc / wdate
    1  /      / mailu.kr / /Disk1/vamil / 1024        /     / 1529571229

 




The Squid server configuration file is located as follows.

RPM install                ---> /etc/squid/squid.conf
Install from source        ---> /usr/local/squid/etc/squid.conf

squid.conf is quite complex, but in practice, just as with Apache, a proxy
server can be brought up with only a few basic settings.

1. http_port 3128
  : Specifies the service port of the Squid proxy server. The default is port 3128.

2. cache_mem 8 MB
   maximum_object_size 4096 KB
  : Sets the memory cache size used by the Squid server. The default is 8 MB.
   maximum_object_size limits the size of an object that may be stored in the
   disk cache. The default is 4 MB.

3. cache_dir /var/spool/squid 1000 16 256
    cache_access_log /var/log/squid/access.log
    cache_log /var/log/squid/cache.log
    cache_store_log /var/log/squid/store.log
  : Specifies the size of the on-disk cache and the cache log files.
   cache_dir specifies the path and size of the cache and the number of
   first- and second-level subdirectories. In the example the cache lives in
   /var/spool/squid and may grow to 1000 MB; 16 and 256 are the numbers of
   first- and second-level subdirectories.

4. debug_options ALL,1
  : Enables Squid's debugging output so that it is written to the log file.

5. acl all src 0.0.0.0/0.0.0.0
  : ACL stands for Access Control List. It defines the set of clients that may
   reach the proxy server and must be used together with http_access.
   The `all` category uses the src option to name the networks that belong to it.
   0.0.0.0/0.0.0.0 puts every network in the category, so every network may
   reach the proxy server.

6. http_access allow all
  : http_access decides whether a client is allowed or denied access to the
   proxy server and is used together with acl.

   http_access is followed by allow or deny and then the name of one of the acls.
   ex1) acl all src 0.0.0.0/0.0.0.0
        http_access allow all
       (Defines every network as the `all` category and allows all networks
        to connect to the proxy server.)
   ex2) acl dumca src 211.58.64.0/255.255.255.0
        acl all src 0.0.0.0/0.0.0.0
        http_access allow dumca
        http_access deny all
       (Defines the class C network 211.58.64.0 as the `dumca` category,
        allows it to connect in http_access, and denies every other network.)

7. cache_mgr dumca
   cache_effective_user squid
   cache_effective_group squid
  : Specifies the cache server's administrator account and the user and group
    under which Squid runs.
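Because http_access rules are evaluated top to bottom and the first match wins, the order in ex2 matters. The following added Python example (not part of the original notes) parses the acl/http_access lines into a tiny evaluator so the policy can be checked against client addresses before squid is restarted; the two squid.conf fragments are constructed for the example.

```python
import ipaddress

# Constructed squid.conf fragments (example data, not the page's own file).
# ORDERED_CONF mirrors ex2 above; MISORDERED_CONF puts "deny all" first.
ORDERED_CONF = """
acl dumca src 211.58.64.0/255.255.255.0
acl all src 0.0.0.0/0.0.0.0
http_access allow dumca
http_access deny all
"""
MISORDERED_CONF = """
acl dumca src 211.58.64.0/255.255.255.0
acl all src 0.0.0.0/0.0.0.0
http_access deny all
http_access allow dumca
"""

def parse_squid_acl(conf):
    """Collect 'acl NAME src NET...' definitions and the ordered list of
    'http_access allow|deny NAME' rules from a squid.conf fragment."""
    acls, rules = {}, []
    for line in conf.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "acl" and len(parts) >= 4 and parts[2] == "src":
            # Squid accepts both prefix (/24) and dotted-mask (/255.255.255.0) forms.
            nets = [ipaddress.ip_network(p, strict=False) for p in parts[3:]]
            acls.setdefault(parts[1], []).extend(nets)
        elif parts[0] == "http_access" and len(parts) == 3:
            rules.append((parts[1], parts[2]))
    return acls, rules

def http_access_decision(conf, client_ip):
    """Walk http_access rules top to bottom: the first rule whose acl matches
    the client decides. If no rule matches, Squid applies the opposite of the
    last rule's action; this function reproduces that documented behaviour."""
    acls, rules = parse_squid_acl(conf)
    ip = ipaddress.ip_address(client_ip)
    for action, name in rules:
        if any(ip in net for net in acls.get(name, [])):
            return action
    if rules:
        return "deny" if rules[-1][0] == "allow" else "allow"
    return "deny"
```

With ORDERED_CONF a client in 211.58.64.0/24 is allowed and everyone else denied; with MISORDERED_CONF the same client is denied because `deny all` matches first.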

Mail Server Registration System - SPF (Sender Policy Framework)


SPF is an international standard authentication technique: the IP addresses of the sending mail servers are registered in DNS, and the receiving mail server checks whether the sender information matches the actual mail server before treating the message as legitimate.


It was conceived from the observation that most spammers forge or alter the sender address or delivery path to hide their identity. (* For details, see http://www.kisarbl.or.kr, operated by the Korea Internet & Security Agency.)



Use the nslookup command to check whether an SPF record is registered on the DNS server.


# nslookup

# server 1.2.3.4
(enter the DNS server name or DNS IP)

Default Server:
Address: 1.2.3.4

# set type=txt (specify the DNS record type)

# kisarbl.or.kr (enter the domain to query)
Server:
Address: 1.2.3.4

Non-authoritative answer:
kisarbl.or.kr   text = "v=spf1 ip4:10.0.0.4 ~all"   (the registered SPF record)
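The receiving side evaluates the record above left to right and stops at the first matching mechanism, so `~all` at the end turns every unlisted sender into a softfail. The added Python example below (not part of the original notes) implements that evaluation for the ip4/ip6 and all mechanisms; the TXT record is constructed to match the nslookup answer shown above, and mechanisms that need DNS lookups (a, mx, include) are left out so it runs offline.

```python
import ipaddress

# Constructed TXT record modelled on the nslookup answer above (example data).
SPF_RECORD = "v=spf1 ip4:10.0.0.4 ~all"

# SPF qualifiers and the results they produce when their mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(record, sender_ip):
    """Minimal SPF check for ip4/ip6 mechanisms and 'all'.
    Returns pass/fail/softfail/neutral, or 'none' if the TXT record is not SPF.
    With no matching mechanism and no 'all', the result is neutral."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                 # an unqualified mechanism means '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # 'ip4:10.0.0.4' has no prefix length, so it is a single /32 host.
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # a, mx, include, exists and redirect need DNS and are not handled here.
    return "neutral"
```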

Samba is a program created to share files, CD-ROMs, printers and the like between heterogeneous systems.
SMB is a protocol developed by Microsoft and Intel to share resources such as disks and printers on other systems. SMB uses the NetBIOS protocol over TCP/IP.

The Samba server consists of two main processes, smbd and nmbd.
Most of the work is done by smbd, which works as long as TCP port 445 is open. However, to let Windows users connect by computer name, nmbd is needed as well. nmbd uses three ports (tcp:139, udp:137,138).

When using Samba, TCP ports 139 and 445 and UDP ports 137 and 138 must be open, and this must also be reflected in the firewall configuration.

1. Installing the Samba server

~]#  yum  -y  install  samba  samba-common  samba-client

2. Starting and stopping Samba
The Samba server is a long-running server program; smb is managed by systemd and controlled with systemctl. There are two units, smb and nmb, and smb alone is enough to provide the service.

~]# systemctl  enable  smb  nmb
~]# systemctl  start  smb  nmb

3. Samba user accounts
Samba users are system users; the smbpasswd -a command makes an account usable for Samba logins.

~]#  useradd  ID
~]#  passwd   ID     ----->   create the Linux user
~]#  smbpasswd  -a   ID    ----->   apply the account to Samba
New SMB password:
Retype new SMB password:
Added user ID.

4. Samba configuration
The Samba configuration file is /etc/samba/smb.conf.

[root@localhost samba]# more smb.conf
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.

[global]
  # Global settings section; options placed here apply to every Samba share.

workgroup = SAMBA
  # Match the Windows workgroup, or set it to the NT domain name.

server string = Samba Server Version %v
  # Similar to the Windows computer description; shown next to the share name.
  # %h = host name, %L = NetBIOS name, %v = Samba version


interfaces = lo eth0 192.168.1.2/24  192.168.2.2/24
  # For a Samba server attached to two networks; browsing and service work on both.

hosts allow = 127.   192.168.1.   192.168.2.
  # Host names or IP addresses that are allowed to connect

log file = /var/log/samba/log.%m
  # Create a separate log file for each host that connects
max log size = 50

security = user
  # Only accounts on this server may be used.
  # user   = share access only for users authenticated with an account and password on the Samba server
  # share  = every share is accessible without authentication
  # server = share access only for users authenticated by another host (an NT password server)

passdb backend = tdbsam
  # Password authentication backend.
  # tdbsam    = Samba's built-in TDB SAM format
  # ldapsam   = uses LDAP (requires the LDAP libraries)
  # smbpasswd = smbpasswd text file format

printing = cups
printcap name = cups
load printers = yes
  # Load the printers defined by 'printcap name' instead of configuring printers separately in Samba.
cups options = raw





[homes]
  # Each user can reach their own home directory through their account.
comment = Home Directories
  # Description of the share
valid users = %S, %D%w%S
browseable = No
  # Whether this share is listed; with yes, every PC on the network can see it even without access rights.
read only = No
  # Shown as 'writable' in some versions. Read/write permission.
inherit acls = Yes
create mask = 0664
  # Permissions of created files
directory mask = 0755
  # Permissions of created directories


[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = root
create mask = 0664
directory mask = 0775


# Setting up a shared folder for several users
# The share name is set inside "[ ]". With "[share]", Windows clients connect to
# "\\server\share".

[share]
comment = shared Files
path = /data/samba/share
  # Where the files are stored; create this directory after finishing the configuration.
browseable = yes
  # Whether the share appears in the browse list
read only = no
create mask = 0664
directory mask = 0755
guest ok = yes
  # Allows anonymous (guest) access. If you enable this, read only = yes is recommended.




# Option notes
# valid users  -->  users or groups allowed to access the share; several users are separated by spaces.
#                   A group is written as @groupname.
# write list   -->  users or groups allowed to write to the share; several users are separated by spaces.
#                   A group is written as @groupname.
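The comment on `guest ok` above recommends `read only = yes` whenever anonymous access is enabled. The added Python example below (not Samba's code, nor part of the original notes) reads an smb.conf fragment and flags that combination, plus a missing `hosts allow`, before `testparm` is run; the sample configuration is constructed from the [share] section above.

```python
# Constructed smb.conf fragment modelled on the [share] section above (example data).
SAMPLE_SMB_CONF = """[global]
security = user
hosts allow = 127. 192.168.1. 192.168.2.

[share]
path = /data/samba/share
browseable = yes
read only = no
guest ok = yes
"""

def parse_smb_conf(text):
    """Minimal smb.conf reader: [section] headers, 'key = value' pairs, whole-line '#'/';' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()   # section names are case-insensitive
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

def is_true(value):
    return value.strip().lower() in ("yes", "true", "1")

def is_writable(share):
    # 'writable'/'writeable' invert 'read only'; a share is read only by default.
    for key in ("writable", "writeable"):
        if key in share:
            return is_true(share[key])
    return not is_true(share.get("read only", "yes"))

def audit_smb_conf(sections):
    """Return (section, message) findings to review before running testparm and starting smb."""
    findings = []
    glob = sections.get("global", {})
    if "hosts allow" not in glob:
        findings.append(("global", "no 'hosts allow': every reachable host may connect"))
    for name, share in sections.items():
        if name in ("global", "printers", "print$"):
            continue
        if is_true(share.get("guest ok", "no")) and is_writable(share):
            findings.append((name, "guest ok = yes on a writable share; use read only = yes for anonymous access"))
    return findings
```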


5. Firewall configuration
Samba uses TCP ports 139 and 445.

(Reference)  Samba server port numbers
netbios-ns         137/udp                       # NETBIOS Name Service
netbios-dgm        138/udp                       # NETBIOS Datagram Service
netbios-ssn        139/tcp                       # NETBIOS session service
microsoft-ds       445/tcp


6. Samba server clients
You can connect from Windows and Linux as follows.

   1) Connecting from Windows

Start → Run, enter \\IP (or host name), then log in with the user ID and password.

   2) Connecting from Linux

In a GUI Linux environment, open the file browser and under "Browse Network" enter the address in the form
smb://computer-name/share-name

   3) Connecting with MC (Midnight Commander)

Type mc at the command line to start it, press F9, and choose "SMB link" from the menu.

  4) Connecting to an SMB server with smbclient
The smbclient command shipped with Samba connects to an SMB server.
Once connected it behaves like ftp; the help command lists the available commands.
Files can be downloaded and uploaded with commands such as get and put.

~]# smbclient   //computer-name/share-name  -U  username
Enter user_id's  password :  password
smb: \> ls

   5) Mounting SMB on Linux

~]# mount   -t   cifs    //ip/share-name     /smb_dir    -o  user=username,password=password


CentOS 7 NFS (Network File System)

With NFS, remote resources (disks, DVD-ROMs and so on) can be mounted and used as if they were local. Because ownership, permissions and the other attributes used on Linux and Unix are fully preserved, it is used in many areas such as storage sharing.
NFS has evolved continuously. The current version is NFS v4.1, and CentOS 7 supports v3, v4 and v4.1. v3 provided many features; v4 was designed with the complex Internet environment in mind, does not use variable ports, and gives far more consideration to security. Up to v3, data was transferred over UDP, which is efficient on highly reliable networks but unsuitable for the Internet. v4 uses only TCP, so more reliable transfer is possible. v4.1 provides pNFS, which separates the metadata server from the data servers so that large volumes of data can be stored in a distributed way for cloud computing environments. CentOS 7 can use any of these NFS versions. NFS relies on RPC (Remote Procedure Calls); commands such as mount and read are delivered over RPC. The NFS client receives a file handle from the NFS server and accesses files through that handle.

[Main services]

Service   | Description
nfs       | Main NFS service; runs when an RPC call arrives
nfslock   | Daemon needed when an NFS client locks files on the server
rpcbind   | Daemon that assigns ports in response to RPC requests (the former portmap role)

[Related programs]

Program      | Description                                                                  | NFS v4
rpc.mountd   | Receives mount requests from NFS clients, validates them and performs the mount | not needed
rpc.nfsd     | The NFS program itself                                                       | needed
rpc.lockd    | Locks files at the client's request; implements NLM (Network Lock Manager)  | not needed
rpc.statd    | Reports NFS status; implements NSM (Network Status Monitor)                  | not needed
rpc.rquotad  | Daemon that provides user quota information                                  | needed
rpc.idmapd   | Daemon that provides NFSv4 name mapping                                      | needed
NFS operation



The NFS server works using RPC (Remote Procedure Calls). For an NFS client to mount a directory on the NFS server, the following steps take place.

1. The NFS client connects to rpcbind on the NFS server and issues a get_port RPC request; the NFS server
    returns the mount port number to the NFS client.

2. The NFS client connects to rpc.mountd on that mount port and issues an RPC mount request.
    The NFS server verifies the client, consults the /etc/exports file, and returns the file handle of the
    file system to the NFS client. The NFS client mounts that file handle.

Once the mount is complete, reading a file proceeds by reading the attributes of the mounted top-level directory, locating the subdirectory, reading its attributes, and finally finding and reading the file. Every step uses RPC, and in this phase the client talks to rpc.nfsd.

To obtain NFS status and quota information, rpc.statd and rpc.rquotad are used.

NOTE.
 For NFS to work smoothly, all UDP and TCP ports must be opened for the NFS client's IP address.

NFSv4 operation

Unlike earlier versions, NFSv4 uses only TCP port 2049. It does not need the help of rpcbind, and programs such as nfslockd and nfsstatd are not required either. With NFSv4, only port 2049 needs to be opened in the firewall instead of all ports.

Installing the NFS server

This guide is based on CentOS 7.

# yum  -y  install nfs-utils

Starting and stopping the NFS server
# systemctl  start  nfs-server
# systemctl  restart  nfs-server
# systemctl  stop  nfs-server

The systemctl commands above start, restart and stop nfs-server. The NFS server is controlled in this way.

NOTE.
NFS has several versions, and the commonly used NFSv3 relies on rpcbind. Therefore, to use NFS you must start not only the nfs-server service above but also the rpcbind service for it to work properly.
The rpcbind service must also be started on the NFS client for an NFS mount to succeed. With NFSv4 the server does not need rpcbind, but the rpcbind service must still be running on the client for it to work properly.

# systemctl  enable  rpcbind
# systemctl  start  rpcbind
# systemctl  stop  rpcbind


NFS server configuration

The following configuration is required to use the NFS server.
The NFS server's configuration file, /etc/exports, is written as follows. On a first setup the /etc/exports file will not exist yet.

# vim   /etc/exports

/home/vmail         192.168.0.11(rw,sync,no_root_squash)

This shares the "/home/vmail" directory, allows access from the NFS client 192.168.0.11, and uses the following options.

*  rw  :  allow read / write
* sync :  synchronize write operations on request
* no_root_squash : treat the remote root user as local root
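The exports(5) syntax has a well-known pitfall: a space between the client and the option list (for example `192.168.0.0/24 (rw)`) exports read-write to every host, with the client then getting only the defaults. The added Python example below (not part of the original notes or of nfs-utils) parses /etc/exports the way exportfs reads it and reports that case together with `no_root_squash` exports for review; the exports content is constructed, with the first line taken from the example above.

```python
# Constructed /etc/exports content (example data): the first entry is the
# page's own example; the second shows the space-before-options pitfall.
EXPORTS = """
# shared mail storage
/home/vmail         192.168.0.11(rw,sync,no_root_squash)
/srv/backup         192.168.0.0/24 (rw)
"""

def parse_exports(text):
    """Return (path, client, options) tuples the way exportfs reads them.
    A token that is only '(opts)' applies to every host ('*'), so
    'host (rw)' silently exports read-write to the world."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if not rest:
            entries.append((path, "*", []))   # no client at all: everyone, default options
        for token in rest.split():
            if token.startswith("("):
                client, opts = "*", token[1:-1]
            else:
                client, _, opts = token.partition("(")
                opts = opts.rstrip(")")
            entries.append((path, client, [o for o in opts.split(",") if o]))
    return entries

def audit_exports(entries):
    """Findings a defender wants to see before running 'exportfs -ra'."""
    findings = []
    for path, client, opts in entries:
        if client == "*":
            findings.append((path, "exported to every host (check for a space before the option list)"))
            if "rw" in opts:
                findings.append((path, "world-writable export"))
        if "no_root_squash" in opts:
            findings.append((path, f"no_root_squash for {client}: remote root is root on the server"))
    return findings
```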
NFS client
1. NFS mount

The NFS client connects to the NFS server. The rpcbind service must also be running on the NFS client for the NFS mount to succeed. The NFS client mounts as follows.

( The client's mount directory must be an existing directory.)

# mount  -t  nfs  NFS-server:target-DIR   mount-DIR

     

