Setting up a Zimbra enterprise mail server on CentOS

Setting up a Zimbra enterprise mail server on CentOS 7

When I set up Zabbix earlier, the script-based method I had used for mail alerts stopped working, so I decided to build my own mail system to test alert delivery. Weighing ease of use, deployment effort and the amount of deployment material available online, I chose Zimbra, an open-source enterprise mail suite.

Environment and prerequisites

Before building a mail server you need the following:

1. Mail server software; here the open-source edition of Zimbra
2. Usable server hardware
3. An ISP public egress whose ports have been cleared for use (including, but not limited to, 80, 443 and 25)
4. An ICP-registered domain and a purchased certificate for it

Configuration items needed to complete the build:

1. Service mappings on the public egress that do not conflict with anything else
2. Zimbra depends on DNS, so a DNS service has to be deployed on the server
3. Handling the errors that occur when sending mail within the domain
4. The domain's A, MX, TXT and SPF records
5. Handling trust for outbound mail, i.e. bounces caused by anti-spam alliances classifying the mail as spam

Environment

OS: CentOS Linux release 7.9.2009 (Core)
Zimbra version: Zimbra 8.8.12_GA_3844

Disable the postfix service that ships with CentOS

systemctl disable postfix
systemctl stop postfix
yum remove postfix

Update the system and install the dependencies

yum update
# "ntp" is the NTP daemon package; Zimbra's own guide lists it as "ntpl", which is not a package
yum install libidn gmp perl perl-core ntp nmap sudo sysstat sqlite libaio libstdc++ wget unzip

Change the hostname

hostnamectl set-hostname mail.ywmy.xyz  # use your own domain here; this is an example
vim /etc/hosts
# add the hostname
192.168.10.71 mail.ywmy.xyz mail # example

Reboot the server after changing the hostname.

Disable SELinux

vim /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
# set this value
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

Install Zimbra

Download the package

The open-source edition of Zimbra can be downloaded after registering on the official site. Download link: [zimbra download][1]

cd /tmp
wget https://files.zimbra.com/downloads/8.8.12_GA/zcs-8.8.12_GA_3794.RHEL7_64.20190329045002.tgz

Install the Zimbra package

# unpack the archive
tar -xzvf zcs-8.8.12_GA_3794.RHEL7_64.20190329045002.tgz
# run the installer
cd zcs-8.8.12_GA_3794.RHEL7_64.20190329045002
./install.sh

The installer script drives the installation and prompts for each setting. Zimbra consists roughly of the components listed below; the installer's output looks like this:

[root@mail zcs-8.8.12_GA_3794.RHEL7_64.20190329045002]# ./install.sh 

Operations logged to /tmp/install.log.3PNassAP
Checking for existing installation...
zimbra-drive...NOT FOUND
zimbra-imapd...NOT FOUND
zimbra-patch...FOUND zimbra-patch-8.8.12.1568982480
zimbra-mta-patch...FOUND zimbra-mta-patch-8.8.12.1552427139
zimbra-proxy-patch...FOUND zimbra-proxy-patch-8.8.12.1554984827
zimbra-license-tools...NOT FOUND
zimbra-license-extension...NOT FOUND
zimbra-network-store...NOT FOUND
zimbra-network-modules-ng...NOT FOUND
zimbra-chat...FOUND zimbra-chat-2.0.3.1559648872-1
zimbra-talk...NOT FOUND
zimbra-ldap...FOUND zimbra-ldap-8.8.12_GA_3794
zimbra-logger...FOUND zimbra-logger-8.8.12_GA_3794
zimbra-mta...FOUND zimbra-mta-8.8.12_GA_3794
zimbra-dnscache...FOUND zimbra-dnscache-8.8.12_GA_3794
zimbra-snmp...FOUND zimbra-snmp-8.8.12_GA_3794
zimbra-store...FOUND zimbra-store-8.8.12_GA_3794
zimbra-apache...FOUND zimbra-apache-8.8.12_GA_3794
zimbra-spell...FOUND zimbra-spell-8.8.12_GA_3794
zimbra-convertd...NOT FOUND
zimbra-memcached...FOUND zimbra-memcached-1.4.37-2
zimbra-proxy...FOUND zimbra-proxy-8.8.12_GA_3794
zimbra-archiving...NOT FOUND
zimbra-core...FOUND zimbra-core-8.8.12_GA_3794
ZCS upgrade from 8.8.12 to 8.8.12 will be performed.
Validating ldap configuration
LDAP validation succeeded. Continuing.


----------------------------------------------------------------------
PLEASE READ THIS AGREEMENT CAREFULLY BEFORE USING THE SOFTWARE.
SYNACOR, INC. ("SYNACOR") WILL ONLY LICENSE THIS SOFTWARE TO YOU IF YOU
FIRST ACCEPT THE TERMS OF THIS AGREEMENT. BY DOWNLOADING OR INSTALLING
THE SOFTWARE, OR USING THE PRODUCT, YOU ARE CONSENTING TO BE BOUND BY
THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS
AGREEMENT, THEN DO NOT DOWNLOAD, INSTALL OR USE THE PRODUCT.

License Terms for this Zimbra Collaboration Suite Software:
https://www.zimbra.com/license/zimbra-public-eula-2-6.html
----------------------------------------------------------------------



Do you agree with the terms of the software license agreement? [N]

The output above is what the installer prints when run again on a host that already has Zimbra: components already installed show FOUND, the others show NOT FOUND. In my own setup I installed zimbra-drive as a test, but the Open Drive page would not load afterwards, so for the real install I left that component out; every other component was installed with its defaults.

After accepting the licence, the installer sets up the Zimbra package repository and then automatically configures the repo and users, downloads the components and installs them. During this process the domain name is also configured, roughly as follows:
DNS ERROR resolving MX for mail.ywmy.xyz
It is suggested that the domain name have an MX record configured in DNS
Change domain name? [Yes]
Create domain: [mail.ywmy.xyz] ywmy.xyz
MX: mail.ywmy.xyz

Interface: 192.168.10.71
Interface: ::1

done.
Checking for port conflicts

Once the domain is configured, the installer produces the installation and component configuration summary, roughly as follows:
Main menu

1) Common Configuration:
2) zimbra-ldap: Enabled
3) zimbra-logger: Enabled
4) zimbra-mta: Enabled
5) zimbra-dnscache: Enabled
6) zimbra-snmp: Enabled
7) zimbra-store: Enabled
+Create Admin User: yes
+Admin user to create: admin@ywmy.xyz
******* +Admin Password UNSET
+Anti-virus quarantine user: virus-quarantine.rvwrscjel4@ywmy.xyz
+Enable automated spam training: yes
+Spam training user: spam.i6zgq_xfb@ywmy.xyz
+Non-spam(Ham) training user: ham.kctdkkb_i@ywmy.xyz
+SMTP host: mail.ywmy.xyz
+Web server HTTP port: 8080
+Web server HTTPS port: 8443
+Web server mode: https
+IMAP server port: 7143
+IMAP server SSL port: 7993
+POP server port: 7110
+POP server SSL port: 7995
+Use spell check server: yes
+Spell server URL: https://mail.ywmy.xyz:7780/
+Enable version update checks: TRUE
+Enable version update notifications: TRUE
+Version update notification email: admin@ywmy.xyz
+Version update source email: admin@ywmy.xyz
+Install mailstore (service webapp): yes
+Install UI (zimbra,zimbraAdmin webapps): yes

8) zimbra-spell: Enabled
9) zimbra-proxy: Enabled
10) zimbra-imapd: Enabled
11) Default Class of Service Configuration:
s) Save config to file
x) Expand menu
q) Quit

Address unconfigured (**) items (? - help) 7

As shown above, the admin login password is unset by default. Choose 7, then 4, set the admin password, press r to return to the previous menu, and finally press a to confirm. Zimbra then configures each component's settings, roughly as follows:
Main menu

1) Common Configuration:
2) zimbra-ldap: Enabled
3) zimbra-logger: Enabled
4) zimbra-mta: Enabled
5) zimbra-dnscache: Enabled
6) zimbra-snmp: Enabled
7) zimbra-store: Enabled
8) zimbra-spell: Enabled
9) zimbra-proxy: Enabled
10) zimbra-imapd: Enabled
11) Default Class of Service Configuration:
s) Save config to file
x) Expand menu
q) Quit

*** CONFIGURATION COMPLETE - press 'a' to apply
Select from menu, or press 'a' to apply config (? - help) a

When automatic configuration completes, installation proceeds automatically, roughly as follows:
Notify Zimbra of your installation? [Yes]
Notifying Zimbra of installation via http://www.zimbra.com/cgi-bin/notify.cgi?VER=8.8.15_GA_3869_RHEL7_64&MAIL=admin@freedom.local

Notification complete

Checking if the NG started running...done.
Setting up zimbra crontab...done.


Moving /tmp/zmsetup.20191230-135538.log to /opt/zimbra/log


Configuration complete - press return to exit

Check the Zimbra service status
su - zimbra
[zimbra@mail root]$ zmcontrol status
Host mail.ywmy.xyz
amavis Running
antispam Running
antivirus Running
dnscache Running
ldap Running
logger Running
mailbox Running
memcached Running
mta Running
opendkim Running
proxy Running
service webapp Running
snmp Running
spell Running
stats Running
zimbra webapp Running
zimbraAdmin webapp Running
zimlet webapp Running
zmconfigd Running

# restart the Zimbra services
[zimbra@mail root]$ zmcontrol restart

At this point Zimbra is installed. What remains is opening the ports Zimbra's programs use and mapping them on the egress.

Firewall, port mapping and login test

Firewall configuration

Referring to the ports configured during the Zimbra install above, allow the corresponding ports in firewalld on CentOS:

firewall-cmd --permanent --add-port={25,80,110,143,443,465,587,993,995,5222,5223,9071,7071,7025}/tcp
# alternatively add services instead of ports; this form is recommended
firewall-cmd --permanent --add-service={pop3,pop3s,imap,imaps,smtp,smtps,https}
firewall-cmd --complete-reload

Correspondingly, the egress device (firewall or router) needs the matching ports configured.
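The port list above also opens 7071 (the admin console) and 7025 (LMTP between the MTA and the mailstore, the port that appears in the queue error later in this post) to wherever the firewall zone reaches, so it is worth comparing what firewalld allows with what is actually listening. The shell snippet below is an added check, not from the original post or from Zimbra: it takes the firewalld port list from the command above and an `ss -ltn` snapshot (constructed sample data here; on a real host pass `"$(ss -ltn)"` instead) and reports wildcard listeners that were not opened and opened ports that nothing listens on.

```shell
#!/bin/sh
# Added example: reconcile firewalld's opened ports with live listeners.
# OPENED_PORTS is the list from the post's firewall-cmd command.
OPENED_PORTS="25 80 110 143 443 465 587 993 995 5222 5223 9071 7071 7025"

# Constructed sample of `ss -ltn` output, shaped like a single-server Zimbra host.
SAMPLE_SS_OUTPUT='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:25          0.0.0.0:*
LISTEN  0       128     0.0.0.0:443         0.0.0.0:*
LISTEN  0       128     0.0.0.0:7025        0.0.0.0:*
LISTEN  0       128     0.0.0.0:7071        0.0.0.0:*
LISTEN  0       128     0.0.0.0:8443        0.0.0.0:*
LISTEN  0       128     127.0.0.1:7780      0.0.0.0:*
LISTEN  0       128     0.0.0.0:389         0.0.0.0:*'

# Print the ports from an ss snapshot that listen on all interfaces
# (0.0.0.0, *, [::] or ::), one per line, sorted and de-duplicated.
wildcard_listeners() {
    # $1: ss -ltn output
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" {
            n = split($4, parts, ":"); port = parts[n]
            host = substr($4, 1, length($4) - length(port) - 1)
            if (host == "0.0.0.0" || host == "*" || host == "[::]" || host == "::") print port
        }' | sort -n | uniq
}

# Print the ports of list $1 that do not appear in list $2 (both whitespace-separated).
ports_missing_from() {
    for p in $1; do
        found=0
        for q in $2; do [ "$p" = "$q" ] && found=1; done
        [ $found -eq 0 ] && printf '%s\n' "$p"
    done
    return 0
}

# Listening on all interfaces but not opened in firewalld: only the firewall
# stands in front of these, so each one deserves a deliberate decision.
not_opened() { ports_missing_from "$(wildcard_listeners "$1" | tr '\n' ' ')" "$OPENED_PORTS"; }

# Opened in firewalld but nothing listens: a stale rule that can be tightened.
not_listening() { ports_missing_from "$OPENED_PORTS" "$(wildcard_listeners "$1" | tr '\n' ' ')"; }

echo "Wildcard listeners not opened in firewalld:"; not_opened "$SAMPLE_SS_OUTPUT"
echo "Opened in firewalld but not listening:"; not_listening "$SAMPLE_SS_OUTPUT"
```

In the constructed sample, 389 and 8443 listen without a firewall rule, and most of the mail-client ports in the rule have no listener because the proxy has not been started; on a real host the second list tells you which of the opened ports can be dropped.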

Login test

Open the mail server's login page from the internal network:

For this deployment: https://192.168.10.71

[screenshot: zimbra-login_page]

Log in with the credentials set during installation.

[screenshot: zimbra-login_page_admin]

Administrator login page: the admin port is shown in the configuration summary echoed during installation and defaults to 7071. For this deployment: https://192.168.10.71:7071

[screenshot: zimbra-admin_console_login]

Correspondingly, once the server is mapped to a public IP, replace the internal IP with the public IP to open the login page.

DNS, A record and MX record configuration

Zimbra depends on DNS, so a local DNS service has to be deployed on the Zimbra server. The domain's A and MX records are added in the domain registrar's DNS console; this example uses Alibaba Cloud.

DNS configuration

To run DNS on CentOS, install bind.

yum install bind bind-utils

Configure the named service.
vim /etc/named.conf

[root@mail ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
listen-on port 53 { 127.0.0.1; 192.168.10.71; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { localhost; 192.168.10.71; };

/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;

dnssec-enable yes;
dnssec-validation yes;

/* Path to ISC DLV key */
bindkeys-file "/etc/named.root.key";

managed-keys-directory "/var/named/dynamic";

pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};

logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};

zone "." IN {
type hint;
file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

# zone block to add

zone "ywmy.xyz" {
type master;
file "ywmy.xyz.zone";
};

The configuration above is generated when bind is installed. The items to pay attention to are:

  • listen-on port 53 { 127.0.0.1; 192.168.10.71; }; # add the Zimbra server's IP
  • allow-query { localhost; 192.168.10.71; };
  • add the zone block shown under the comment at the end of the configuration above

Finally, create the zone file for the domain.

cd /var/named/
vim ywmy.xyz.zone
# contents:
[root@mail named]# cat ywmy.xyz.zone
;
; BIND data file for local loopback interface
;
$TTL 86400
@ IN SOA ns1.ywmy.xyz. root.ywmy.xyz. (
2021051001 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL

;
; name servers - NS records

@ IN NS ns1.ywmy.xyz.
@ MX 10 mail.ywmy.xyz.

; name servers - A records

ns1 IN A 192.168.10.71
mail IN A 192.168.10.71
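The installer's "DNS ERROR resolving MX" message earlier is exactly what this zone file has to prevent: the MX target has to resolve. BIND's own syntax check is `named-checkzone ywmy.xyz /var/named/ywmy.xyz.zone`, but it does not tell you whether the MX target has an address. The awk-based check below is an added example, not part of the post or of BIND: it reads a zone file in the format shown above, expands relative owner names with the zone origin, and reports any MX or NS target that has no A record in the zone. The sample zone is the one above, embedded as constructed data.

```shell
#!/bin/sh
# Added example: verify that every MX and NS target in a zone file has an A record.
# SAMPLE_ZONE is the post's ywmy.xyz.zone, embedded here as constructed input.
SAMPLE_ZONE='$TTL 86400
@ IN SOA ns1.ywmy.xyz. root.ywmy.xyz. (
2021051001 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
@ IN NS ns1.ywmy.xyz.
@ MX 10 mail.ywmy.xyz.
ns1 IN A 192.168.10.71
mail IN A 192.168.10.71'

# $1: zone origin (e.g. ywmy.xyz), $2: zone file text.
# Prints "OK", or one line per MX/NS target without an A record; exit 1 in that case.
check_mx_targets() {
    printf '%s\n' "$2" | awk -v origin="$1" '
        # Expand a name the way BIND does: "@" is the origin, a trailing dot is absolute,
        # anything else is relative to the origin.
        function fqdn(name) {
            if (name == "@") return origin "."
            if (name ~ /\.$/) return name
            return name "." origin "."
        }
        { sub(/;.*/, "") }                       # strip comments
        NF == 0 { next }                         # skip blank lines
        /^[[:space:]]/  { owner = last_owner }   # indented line: owner inherited
        !/^[[:space:]]/ { owner = $1; last_owner = $1 }
        {
            # the type keyword may be preceded by owner, TTL and class in any order BIND allows
            for (i = 1; i <= NF; i++) if ($i == "A" || $i == "MX" || $i == "NS") break
            if (i > NF) next
            if ($i == "A")  a[fqdn(owner)] = 1
            if ($i == "MX") mx[fqdn($(i + 2))] = 1   # MX <priority> <target>
            if ($i == "NS") ns[fqdn($(i + 1))] = 1   # NS <target>
        }
        END {
            bad = 0
            for (t in mx) if (!(t in a)) { print "MX target without A record: " t; bad = 1 }
            for (t in ns) if (!(t in a)) { print "NS target without A record: " t; bad = 1 }
            if (!bad) print "OK"
            exit bad
        }'
}

check_mx_targets ywmy.xyz "$SAMPLE_ZONE"
```

Run it against the real file with `check_mx_targets ywmy.xyz "$(cat /var/named/ywmy.xyz.zone)"`; a zone that lists the MX record but forgets the `mail IN A` line is reported rather than accepted, which is the mistake the installer's DNS error points at.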

Start the local DNS service

systemctl start named
systemctl enable named

Domain configuration

Log in to the domain registrar's console; in this example the domain is hosted at Alibaba Cloud. Configure the mail-related A record and MX record:

Host record   Type   Value
mail          A      the mail server's public IP (1.2.3.4)
@             MX     mail.ywmy.xyz, priority 10

With these records in place, the deployed service can be reached by domain name.

Configuring Zimbra for sending mail

Dealing with sending problems

After creating a mailbox user, you will find that the Talk service in the mailbox works, but mail sent within the domain is never received and the back-end queue keeps growing.

The queue message looks roughly like this:

delivery temporarily suspended: connect to example.com[192.168.10.71]:7025: Connection refused

Solution:

zmprov ms mail.ywmy.xyz zimbraMtaLmtpHostLookup native  # replace the hostname with the one your Zimbra server uses
zmprov mcf zimbraMtaLmtpHostLookup native # on a single-server deployment, always set the Global Config as well
zmmtactl restart

With this configured, mail is delivered normally.

At this point access by domain name, in-domain mail and Talk all work, but mail sent to third-party providers bounces. This is probably related to the providers' anti-spam alliances, and the SPF-related TXT records still have to be configured in the registrar's DNS.

Next comes the DKIM-related configuration.

DKIM, SPF and DMARC settings

In this step we add the DKIM public signature that Zimbra generates to the domain's TXT records. TXT records are commonly used for SPF, for anti-spam purposes.

Set up DKIM

This is done with a command-line tool. Log in to the server and switch to the zimbra account:

su - zimbra
cd libexec/ # absolute path /opt/zimbra/libexec/
# list the options zmdkimkeyutil supports
./zmdkimkeyutil -?
# output:
[zimbra@mail libexec]$ ./zmdkimkeyutil ?
Usage: ./zmdkimkeyutil [-a [-b]] [-q] [-r] [-s selector] [-S] [-u [-b]] [-d domain]
-a: Add new key pair and selector for domain
-b: Optional parameter specifying the number of bits for the new key.
Only works with -a and -u. Default when not specified is 2048 bits.
-d domain: Domain to use
-h: Show this usage block
-q: Query DKIM information for domain
-r: Remove DKIM keys for domain
-s: Use custom selector string instead of random UUID
-S: Generate keys with subdomain data. This must be used if you want to sign both example.com and sub.example.com separately.
Only works with -a and -u. Default is not to set this flag.
-u: Update keys for domain
One of [a, q, r, or u] must be supplied
For -q, search can be either by selector or domain
For all other usage patterns, domain is required

In short: exactly one of -a (add key pair and selector), -q (query), -r (remove) or -u (update) is required; -b (key size, default 2048 bits) and -S (sign subdomains separately) only apply with -a and -u; -s sets a custom selector instead of a random UUID; -d is required for everything except -q, which can search by selector or domain.

Run zmdkimkeyutil

# generate:
./zmdkimkeyutil -a -d ywmy.xyz -s ywmydkim
# query:
[zimbra@mail libexec]$ ./zmdkimkeyutil -q -d ywmy.xyz
DKIM Domain:
ywmy.xyz

DKIM Selector:
9149A4A6-6A3F-11ED-ADC9-44E3D876BA8B

DKIM Private Key:
-----BEGIN RSA PRIVATE KEY-----
MI..............................................................
#
# many characters omitted
#
...................................................T8A==
-----END RSA PRIVATE KEY-----

DKIM Public signature:
9149A4A6-6A3F-11ED-ADC9-44E3D876BA8B._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MIIB.............................lots of characters.................................................................................Vhi8p1dwBWWvkDcp"
"S1.....................................lots of characters...........................QAB" ) ; ----- DKIM key 9149A4A6-6A3F-11ED-ADC9-44E3D876BA8B for ywmy.xyz

DKIM Identity:
ywmy.xyz
# update:
./zmdkimkeyutil -u -d ywmy.xyz

With that done, the DKIM public signature generated above can be added to the domain's DNS.

The part to configure is everything from v=DKIM1; onward; it must contain no spaces and no quotation marks.

Reference example:
[screenshot: DKIM_Public_signature]
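Copying the record by hand out of the zmdkimkeyutil output is where stray quotes and spaces creep in. The shell functions below are an added example, not from the post or from Zimbra's tools: they take the `zmdkimkeyutil -q` output, pull the selector and the quoted TXT strings out of the DKIM Public signature block, join them into the single unquoted value the registrar's console expects, and check that v=DKIM1, k=rsa and a well-formed base64 p= tag are present. The sample output is constructed with a short fake p= value, not real key material.

```shell
#!/bin/sh
# Added example: turn zmdkimkeyutil's BIND-style TXT record into the single
# value a DNS console wants, and sanity-check it before publishing.
# Constructed sample of `zmdkimkeyutil -q -d ywmy.xyz`; the key is a fake placeholder.
SAMPLE_DKIM_OUTPUT='DKIM Domain:
ywmy.xyz

DKIM Selector:
ywmydkim

DKIM Public signature:
ywmydkim._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"
"0123456789abcdefQAB=" ) ; ----- DKIM key ywmydkim for ywmy.xyz

DKIM Identity:
ywmy.xyz'

# Print the selector: the owner name on the line after "DKIM Public signature:",
# with "._domainkey" and anything after it removed.
dkim_selector() {
    printf '%s\n' "$1" | awk '
        /^DKIM Public signature:/ { getline; sub(/\._domainkey.*/, "", $1); print $1; exit }'
}

# Join every quoted string of the TXT record into one value with no quotes
# and no whitespace (the form the post says the registrar console needs).
dkim_txt_value() {
    printf '%s\n' "$1" | awk '
        /^DKIM Public signature:/ { grab = 1; next }
        grab && /^[[:space:]]*$/ { exit }          # block ends at the blank line
        grab {
            line = $0
            while (match(line, /"[^"]*"/)) {      # collect each "..." fragment
                out = out substr(line, RSTART + 1, RLENGTH - 2)
                line = substr(line, RSTART + RLENGTH)
            }
        }
        END { gsub(/[[:space:]]/, "", out); print out }'
}

# Check the joined value: v=DKIM1 first, k=rsa present (as zmdkimkeyutil emits it),
# and p= made only of base64 characters with a length that is a multiple of 4.
dkim_txt_check() {
    value=$1
    case "$value" in "v=DKIM1;"*) ;; *) echo "missing v=DKIM1"; return 1 ;; esac
    case "$value" in *";k=rsa;"*) ;; *) echo "missing k=rsa"; return 1 ;; esac
    p=$(printf '%s' "$value" | sed -n 's/.*;p=//p')
    p=${p%%;*}
    printf '%s' "$p" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' || { echo "p is not base64"; return 1; }
    [ $(( ${#p} % 4 )) -eq 0 ] || { echo "p length not a multiple of 4"; return 1; }
    echo "OK"
}

echo "host record: $(dkim_selector "$SAMPLE_DKIM_OUTPUT")._domainkey"
echo "TXT value:   $(dkim_txt_value "$SAMPLE_DKIM_OUTPUT")"
dkim_txt_check "$(dkim_txt_value "$SAMPLE_DKIM_OUTPUT")"
```

On the server, feed it the live output with `dkim_txt_value "$(/opt/zimbra/libexec/zmdkimkeyutil -q -d ywmy.xyz)"`; the host record at the registrar is `<selector>._domainkey` and the record value is the printed string.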

Done. With this, the anti-spam configuration is complete and the problem of other mail providers rejecting our mail is resolved.

You can run a sending test, for example to a QQ Mail (Foxmail) address, and reply back to verify. Verified as follows:

[screenshot: send mail test ok]

That completes the Zimbra mail deployment. One thing is still missing: the HTTPS certificate. Zimbra uses a self-signed certificate by default, which protects the transport but does not resolve the browser's certificate trust warning. I will cover importing an Alibaba Cloud certificate into Zimbra in a later update.


Setting up a Zimbra enterprise mail server on CentOS
https://ywmy.xyz/2022/11/21/centos-搭建zimbra企业邮箱/
Author: ian
Published: 21 November 2022