Background: as the number of online applications at my company grows (wordpress, next cloud, SuitCRM, iFair and so on), more and more of them ask for an e-mail address or require an account to be bound to a mailbox. Since we would rather not keep that much data with third-party providers, we decided to build a private mail server inside the company LAN and expose it through the company domain by tunnelling.
0. Server environment used
0.1 VPS with a fixed public IP
Debian 12 minimal install, frps 0.53.2, nginx. The domains assumed throughout are www.abctest.com and mail.abctest.com.
This VPS also hosts the company's official website, a static single-page HTML5 + CSS site served with our own SSL certificate at https://www.abctest.com.
0.2 iRedMail server on the LAN
Debian 12 minimal install, frpc 0.53.2
1. Building the mail server
1.1 Assumed domain: abctest.com; mail server hostname: mail.abctest.com
The server is a Debian 12 minimal install. The mail stack is iRedMail, which ships an interactive installer; the official installation guide covers the steps. During installation we chose PostgreSQL as the backend (database password assumed to be Abctest888), entered abctest.com when asked for the first mail domain, and set the password of the domain administrator postmaster@abctest.com, also assumed to be Abctest888. Both values are placeholders: on a real install give the PostgreSQL superuser and the postmaster account two different strong passwords, since the postmaster account is the one that will later be reachable from the Internet through iRedAdmin and webmail.
1.2 Logging in after installation
Assume the mail server's LAN IP is 192.168.1.250.
Administrator login:
* iRedMail Admin: https://192.168.1.250/iredadmin
Admin account: postmaster@abctest.com, password: Abctest888
Regular user login:
* Roundcube webmail: https://mail.abctest.com ## default web GUI
* SOGo groupware: https://mail.abctest.com/SOGo/ ## SOGo login GUI
1.3 Viewing the overall server configuration after installation
1.3.1 Basic configuration
The installer leaves its answers, including every generated database password and API token, in the config file shown below. Keep it readable by root only (chmod 600) and redact it before pasting it anywhere; the values below are shown only to illustrate the file's layout.
cat iRedMail-1.6.8/config
export STORAGE_BASE_DIR='/var/vmail'
export WEB_SERVER='NGINX'
export BACKEND_ORIG='PGSQL'
export BACKEND='PGSQL'
export VMAIL_DB_BIND_PASSWD='s9SmJbOlKpPzm5T8j5qDrxobekuDbpvL'
export VMAIL_DB_ADMIN_PASSWD='IhSdIIPzbzSSXUK0BfMM5rKmtri0qPsk'
export MLMMJADMIN_API_AUTH_TOKEN='qBQyzRCwHEOvRAYlhja5tAaXhhmBXQh4'
export NETDATA_DB_PASSWD='yx0nFXuiWJs7D26xeVCwZw4RAdjEtnCA'
export PGSQL_ROOT_PASSWD='Abctest888'
export FIRST_DOMAIN='abctest.com'
export DOMAIN_ADMIN_PASSWD_PLAIN='Abctest888'
export USE_IREDADMIN='YES'
export USE_ROUNDCUBE='YES'
export USE_SOGO='YES'
export USE_NETDATA='YES'
export USE_FAIL2BAN='YES'
export AMAVISD_DB_PASSWD='tPpwOzq33oVMISgktgS3f55IeRTWjKKz'
export IREDADMIN_DB_PASSWD='EVIH8ZTsCDv3jbowtmSMEd94LLDAkVtW'
export RCM_DB_PASSWD='y9lMIKGYsjtwE07MTIsZU1EzTbGIDZyT'
export SOGO_DB_PASSWD='21NHY4yp1Yjw1qkeF4mZ2EBzBlzKW5JM'
export SOGO_SIEVE_MASTER_PASSWD='QfnTNbkQmfSn965EnGiyNzysGO3shnou'
export IREDAPD_DB_PASSWD='7QcVfbX0QTSi0Lprxisefp1YIOtdmYxn'
export FAIL2BAN_DB_PASSWD='9D4j3twgaQTS06ioSluhPeXHPnELI2kI'
#EOF
1.3.2 Mail server information after installation
cat iRedMail-1.6.8/iRedMail.tips
Admin of domain abctest.com:
* Account: postmaster@abctest.com
* Password: Abctest888
You can login to iRedAdmin with this account, login name is full email address.
First mail user:
* Username: postmaster@abctest.com
* Password: Abctest888
* SMTP/IMAP auth type: login
* Connection security: STARTTLS or SSL/TLS
You can login to webmail with this account, login name is full email address.
* Enabled services: rsyslog postfix postgresql nginx php8.2-fpm dovecot clamav-daemon amavis clamav-freshclam sogo memcached fail2ban cron nftables
SSL cert keys (size: 4096):
- /etc/ssl/certs/iRedMail.crt
- /etc/ssl/private/iRedMail.key
Mail Storage:
- Mailboxes: /var/vmail/vmail1
- Mailbox indexes:
- Global sieve filters: /var/vmail/sieve
- Backup scripts and backup copies: /var/vmail/backup
PostgreSQL:
* Admin user: postgres, Password: Abctest888
* Bind account (read-only):
- Name: vmail, Password: s9SmJbOlKpPzm5T8j5qDrxobekuDbpvL
* Vmail admin account (read-write):
- Name: vmailadmin, Password: IhSdIIPsacSSXUK0BfMM5rKrtmi0qPsk
* Database stored in: /var/lib/postgresql/15/main
* RC script: /etc/init.d/postgresql
* Config files:
* /etc/postgresql/15/main/postgresql.conf
* /etc/postgresql/15/main/pg_hba.conf
* Log file: /var/log/postgresql/
* See also:
- /root/iRedMail-1.6.8/runtime/pgsql_init.pgsql
- /var/lib/postgresql/.pgpass
SQL commands used to initialize database and import mail accounts:
- /root/iRedMail-1.6.8/runtime/*.sql
Postfix:
* Configuration files:
- /etc/postfix
- /etc/postfix/aliases
- /etc/postfix/main.cf
- /etc/postfix/master.cf
* SQL/LDAP lookup config files:
- /etc/postfix/pgsql
Dovecot:
* Configuration files:
- /etc/dovecot/dovecot.conf
- /etc/dovecot/dovecot-ldap.conf (For OpenLDAP backend)
- /etc/dovecot/dovecot-mysql.conf (For MySQL backend)
- /etc/dovecot/dovecot-pgsql.conf (For PostgreSQL backend)
- /etc/dovecot/dovecot-used-quota.conf (For real-time quota usage)
- /etc/dovecot/dovecot-share-folder.conf (For IMAP sharing folder)
* Syslog config file:
- /etc/rsyslog.d/1-iredmail-dovecot.conf (present if rsyslog >= 8.x)
* RC script: /etc/init.d/dovecot
* Log files:
- /var/log/dovecot/dovecot.log
- /var/log/dovecot/sieve.log
- /var/log/dovecot/lmtp.log
- /var/log/dovecot/lda.log (present if rsyslog >= 8.x)
- /var/log/dovecot/imap.log (present if rsyslog >= 8.x)
- /var/log/dovecot/pop3.log (present if rsyslog >= 8.x)
- /var/log/dovecot/sieve.log (present if rsyslog >= 8.x)
* See also:
- /var/vmail/sieve/dovecot.sieve
- Logrotate config file: /etc/logrotate.d/dovecot
Nginx:
* Configuration files:
- /etc/nginx/nginx.conf
- /etc/nginx/sites-available/00-default.conf
- /etc/nginx/sites-available/00-default-ssl.conf
* Directories:
- /etc/nginx
- /var/www/html
* See also:
- /var/www/html/index.html
php-fpm:
* Configuration files: /etc/php/8.2/fpm/pool.d/www.conf
PHP:
* PHP config file for Nginx:
* Disabled functions: posix_uname,eval,pcntl_wexitstatus,posix_getpwuid,xmlrpc_entity_decode,pcntl_wifstopped,pcntl_wifexited,pcntl_wifsignaled,phpAds_XmlRpc,pcntl_strerror,ftp_exec,pcntl_wtermsig,mysql_pconnect,proc_nice,pcntl_sigtimedwait,posix_kill,pcntl_sigprocmask,fput,phpinfo,system,phpAds_remoteInfo,ftp_login,inject_code,posix_mkfifo,highlight_file,escapeshellcmd,show_source,pcntl_wifcontinued,fp,pcntl_alarm,pcntl_wait,ini_alter,posix_setpgid,parse_ini_file,ftp_raw,pcntl_waitpid,pcntl_getpriority,ftp_connect,pcntl_signal_dispatch,pcntl_wstopsig,ini_restore,ftp_put,passthru,proc_terminate,posix_setsid,pcntl_signal,pcntl_setpriority,phpAds_xmlrpcEncode,pcntl_exec,ftp_nb_fput,ftp_get,phpAds_xmlrpcDecode,pcntl_sigwaitinfo,shell_exec,pcntl_get_last_error,ftp_rawlist,pcntl_fork,posix_setuid
ClamAV:
* Configuration files:
- /etc/clamav/clamd.conf
- /etc/clamav/freshclam.conf
- /etc/logrotate.d/clamav
* RC scripts:
+ /etc/init.d/clamav-daemon
+ /etc/init.d/clamav-freshclam
Amavisd-new:
* Configuration files:
- /etc/amavis/conf.d/50-user
- /etc/postfix/master.cf
- /etc/postfix/main.cf
* RC script:
- /etc/init.d/amavis
* SQL Database:
- Database name: amavisd
- Database user: amavisd
- Database password: tPpwOzq33oVMISgktgS3f55IeRTWjKKz
DNS record for DKIM support:
; key#1 2048 bits, s=dkim, d=abctest.com, /var/lib/dkim/abctest.com.pem
dkim._domainkey.abctest.com. 3600 TXT (
"v=DKIM1; p="
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs9BKQ0Q821NN1IC8FbzC"
"3Uq1XGF/10xypU6LUZpNudmvqApCAQDXcyvMIiYwFhejtMdeLbk+qbywuiHGRs3Y"
"OlJ/fGTTgIUL8qx3IfxEjtvvsU90fi94721+1kCKy7SyFHXgkyjlRTUXkUnF3HplIV6"
"TWlXBp9GvpSXW5ZNfBG3zFM2NZTt3A8psKbHs6FQyZ6Z7fMi+cKEktRrg2e4P2kx"
"wfJ25W+FGTVI//H1AsE3ZfjV+RQj1rjB2d5Vpls1SZCA3Q6nqc5lDufPxnmviC9F"
"VvjN3K9XcF9beSCV3oTgQUz6PRNuli7/5TMkTUP/DqigodyQqubARdMFPDNn3+pX"
"JQIDAQAB")
SpamAssassin:
* Configuration files and rules:
- /etc/mail/spamassassin
- /etc/mail/spamassassin/local.cf
iRedAPD - Postfix Policy Server:
* Version: 5.3.3
* Listen address: 127.0.0.1, port: 7777
* SQL database account:
- Database name: iredapd
- Username: iredapd
- Password: 7QcVfbX0QTSi9Lprxisekl1YIOtdmYvz
* Configuration file:
- /opt/iredapd/settings.py
* Related files:
- /opt/iRedAPD-5.3.3
- /opt/iredapd (symbolic link to /opt/iRedAPD-5.3.3)
iRedAdmin - official web-based admin panel:
* Version: 2.5
* Root directory: /opt/www/iRedAdmin-2.5
* Config file: /opt/www/iRedAdmin-2.5/settings.py
* Web access:
- URL: https://mail.abctest.com/iredadmin/
- Username: postmaster@abctest.com
- Password: Abctest888
* SQL database:
- Database name: iredadmin
- Username: iredadmin
- Password: EVIH8ZTsCDa9jbowtmSMEd63LLDAkVtW
Roundcube webmail: /opt/www/roundcubemail-1.6.5
* Config file: /opt/www/roundcubemail-1.6.5/config
* Web access:
- URL: http://mail.abctest.com/mail/ (will be redirected to https:// site)
- URL: https://mail.abctest.com/mail/ (secure connection)
- Username: postmaster@abctest.com
- Password: Abctest888
* SQL database account:
- Database name: roundcubemail
- Username: roundcube
- Password: y5lMIKGYsjtwE07MTIsZU2EzTbGIDZyT
* Cron job:
- Command: "crontab -l -u root"
SOGo Groupware:
* Web access: httpS://mail.abctest.com/SOGo/
* Main config file: /etc/sogo/sogo.conf
* Nginx template file: /etc/nginx/templates/sogo.tmpl
* Database:
- Database name: sogo
- Database user: sogo
- Database password: 75NHY4yp1Yjw1qkeF3mZ2EBzBlzKW0JM
* SOGo sieve account (Warning: it's a Dovecot Master User):
- file: /etc/sogo/sieve.cred
- username: sogo_sieve_master@not-exist.com
- password: QfnTNbkQmfSn371EnGiyNzysGO8shnou
* See also:
- cron job of system user: sogo
netdata (monitor):
- Config files:
- All config files: /opt/netdata/etc/netdata
- Main config file: /opt/netdata/etc/netdata/netdata.conf
- Modified modular config files:
- /opt/netdata/etc/netdata/go.d
- /opt/netdata/etc/netdata/python.d
- HTTP auth file (if you need a new account to access netdata, please
update this file with command like 'htpasswd' or edit manually):
- /etc/nginx/netdata.users
- Log directory: /opt/netdata/var/log/netdata
- SQL:
- Username: netdata
- Password: yx4nFXuiWJs9D38xeVCwZw1RAdjEtnCA
- NOTE: No database required by netdata.
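A check worth running right after reading the listing above: every file it points at as holding a password or private key should be readable only by its owner. The script below is an added example for this post, not part of iRedMail; its file list is copied from the tips output above, and it reports any file whose group or world permission bits are set, with a chmod hint. Run it as root on the mail server with `sh secret-perms.sh check` (the script name is my choice); the top-level call is guarded so the functions can also be sourced and pointed at other paths.

```shell
#!/bin/sh
# Added example for this post (not iRedMail's own tooling): report credential files
# that are readable beyond their owner. Paths come from the iRedMail.tips output above;
# /root/iRedMail-1.6.8 is where the tips say the installer directory lives.

# Files which, per the tips output, hold plaintext passwords, tokens or private keys.
SECRET_FILES='/root/iRedMail-1.6.8/config
/root/iRedMail-1.6.8/iRedMail.tips
/var/lib/postgresql/.pgpass
/etc/sogo/sieve.cred
/opt/iredapd/settings.py
/opt/www/iRedAdmin-2.5/settings.py
/etc/nginx/netdata.users
/etc/ssl/private/iRedMail.key
/var/lib/dkim/abctest.com.pem'

# perm_bits FILE -> the six group/other permission characters from ls -l, e.g. "r--r--"
perm_bits() {
    ls -ld "$1" | cut -c5-10
}

# is_private FILE -> 0 when neither group nor other has any access bit set, else 1
is_private() {
    case "$(perm_bits "$1")" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# check_secret_files [FILE...] -> one line per file (ABSENT / ok / EXPOSED);
# returns 1 if any existing file is readable beyond its owner. Defaults to SECRET_FILES.
check_secret_files() {
    if [ $# -eq 0 ]; then
        set -- $SECRET_FILES
    fi
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "ABSENT  $f"
            continue
        fi
        if is_private "$f"; then
            echo "ok      $(ls -ld "$f")"
        else
            echo "EXPOSED $(ls -ld "$f")   # fix: chmod 600 '$f'"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh secret-perms.sh check   (run as root on the mail server)
if [ "${1:-}" = "check" ]; then
    check_secret_files
fi
```

An ABSENT line is expected for any component you did not install (for example SOGo or netdata); an EXPOSED line means every local account on the host can read that credential.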
1.4 Admin login page and regular user login page
2. Configuring frp
See my two earlier articles:
Using frp's new toml-format configuration file (frpc toml settings) - CSDN blog
Using frps to tunnel a locally hosted self-signed HTTPS service (frp SSL configuration) - CSDN blog
Assume the host our domain resolves to is also the frps server, i.e. www.abctest.com.
2.1 frps.toml configuration
cat /etc/frp/frps.toml
bindPort = 7777        # control port that frpc dials; unrelated to iRedAPD's 127.0.0.1:7777 on the mail server
vhostHTTPSPort = 443   # frps answers 443 on the VPS and routes by SNI to the "https" proxies registered by frpc
vhostHTTPPort = 8080   # plain-HTTP vhost port; 80 on the VPS is used by nginx
As written, this frps accepts any client: there is no auth.token, so anything that can reach port 7777 on the VPS can register its own proxies and bind ports there. At minimum set auth.method = "token" with a shared auth.token on both sides and limit the ports a client may claim with allowPorts.
2.2 frpc.toml configuration
This file publishes the ports the mail service needs. The mail protocols (SMTP, submission, POP3, IMAP and their TLS variants) are plain tcp proxies; webmail is an https proxy that frps routes by hostname. One consequence of tunnelling this way is that Postfix and Dovecot see every connection as coming from frpc on 127.0.0.1 rather than from the real client, so the source address in the mail logs is meaningless and the fail2ban instance iRedMail installs only ever sees loopback, which it ignores by default. frp can pass the real address with the PROXY protocol (transport.proxyProtocolVersion on a proxy), but Postfix and Dovecot must then be configured to expect it on those ports, otherwise they reject the connections.
cat /etc/frp/frpc.toml
serverAddr = "www.abctest.com"
serverPort = 7777

[[proxies]]
name = "ssh-250"          # ssh to the mail server (sshd listens on 33250)
type = "tcp"
localIP = "127.0.0.1"
localPort = 33250
remotePort = 33250

[[proxies]]
name = "web-250"          # webmail and iRedAdmin; TLS passes through untouched to the LAN nginx
type = "https"
localPort = 443
customDomains = ["mail.abctest.com"]

[[proxies]]
name = "smtp-250"         # inbound mail from other MTAs
type = "tcp"
localPort = 25
remotePort = 25

[[proxies]]
name = "submission-250"   # authenticated submission from mail clients (STARTTLS)
type = "tcp"
localPort = 587
remotePort = 587

[[proxies]]
name = "pop3-250"
type = "tcp"
localPort = 110
remotePort = 110

[[proxies]]
name = "pop3s-250"
type = "tcp"
localPort = 995
remotePort = 995

[[proxies]]
name = "imap-250"
type = "tcp"
localPort = 143
remotePort = 143

[[proxies]]
name = "imaps-250"
type = "tcp"
localPort = 993
remotePort = 993
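The frps.toml in 2.1 and the frpc.toml in 2.2 work, but frps will accept any client that reaches port 7777 and let it claim any remotePort. The script below is an added example for this post, not part of frp: it audits a frps.toml for the hardening keys (auth.method/auth.token, transport.tls.force and allowPorts, all frp 0.53 toml names), then renders a matching frps/frpc pair that share one random token, restrict the VPS to exactly the ports from 2.2 plus the ssh port, and require TLS on the control channel. Hostnames and ports are the post's placeholders; `sh frp-harden.sh demo` (the file name is my choice) audits the original, renders the pair into a temporary directory and audits the result.

```shell
#!/bin/sh
# Added example for this post (not frp's own tooling): audit a frps.toml for the
# hardening keys the configuration in section 2.1 lacks, then render a hardened
# frps/frpc pair sharing one generated token. Assumes frp 0.53.x toml key names.

# Keys an Internet-facing frps.toml should carry. Without auth.token any frpc that
# reaches bindPort can register proxies; allowPorts limits which remotePorts it may claim.
REQUIRED_FRPS_KEYS='auth.method auth.token transport.tls.force allowPorts'

# audit_frps FILE -> prints "MISSING <key>" per absent key; returns 1 if any is absent.
audit_frps() {
    rc=0
    for key in $REQUIRED_FRPS_KEYS; do
        pat=$(printf '%s' "$key" | sed 's/\./\\./g')
        if ! grep -q "^[[:space:]]*$pat[[:space:]]*=" "$1"; then
            echo "MISSING $key"
            rc=1
        fi
    done
    return $rc
}

# gen_token -> 48 hex characters (24 bytes) from the kernel RNG.
gen_token() {
    od -An -N24 -tx1 /dev/urandom | tr -d ' \n'
}

# Ports the mail server publishes (section 2.2) plus the tunnelled ssh port, as name:port.
TCP_PROXIES='ssh:33250 smtp:25 submission:587 pop3:110 pop3s:995 imap:143 imaps:993'

# render_frps TOKEN -> hardened frps.toml on stdout.
render_frps() {
    cat <<EOF
bindPort = 7777
vhostHTTPSPort = 443
vhostHTTPPort = 8080

# shared secret; frpc must present the same token
auth.method = "token"
auth.token = "$1"
# refuse clients that do not speak TLS on the control channel
transport.tls.force = true
# the only remotePorts a client may claim
allowPorts = [
EOF
    for spec in $TCP_PROXIES; do
        echo "  { single = ${spec#*:} },"
    done
    echo "]"
}

# render_frpc TOKEN -> matching frpc.toml carrying the proxies from section 2.2.
render_frpc() {
    cat <<EOF
serverAddr = "www.abctest.com"
serverPort = 7777
auth.method = "token"
auth.token = "$1"
transport.tls.enable = true

[[proxies]]
name = "web-250"
type = "https"
localPort = 443
customDomains = ["mail.abctest.com"]
EOF
    for spec in $TCP_PROXIES; do
        cat <<EOF

[[proxies]]
name = "${spec%%:*}-250"
type = "tcp"
localPort = ${spec#*:}
remotePort = ${spec#*:}
EOF
    done
}

# Usage: sh frp-harden.sh demo   (audits the section 2.1 file, renders and re-audits)
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    printf 'bindPort = 7777\nvhostHTTPSPort = 443\nvhostHTTPPort = 8080\n' > "$dir/frps.orig.toml"
    echo "== audit of the frps.toml from section 2.1"
    audit_frps "$dir/frps.orig.toml" || true
    tok=$(gen_token)
    render_frps "$tok" > "$dir/frps.toml"
    render_frpc "$tok" > "$dir/frpc.toml"
    echo "== audit after hardening"
    audit_frps "$dir/frps.toml" && echo "all keys present; files rendered into $dir"
fi
```

Copy the rendered frps.toml to the VPS and frpc.toml to the mail server, keeping both files root-only since they now carry the shared token; a client presenting the wrong token is refused at connect time, and one presenting the right token still cannot bind anything outside allowPorts.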
3. Forwarding mail.abctest.com on the VPS nginx
Because the public VPS runs frps as well as the company website, ports 80 and 443 there are already taken. To make https://mail.abctest.com work, nginx only has to send plain-HTTP requests for that name to https, where frps (vhostHTTPSPort = 443) routes them by SNI to the LAN server; that takes one extra nginx virtual host (a server block, not a virtual machine), shown below.
cat /etc/nginx/conf.d/mail.conf
server {
    listen 80;
    listen [::]:80;
    server_name mail.abctest.com;
    # 443 for this name is answered by frps, not by this nginx, so a redirect is all that is needed;
    # proxying from here to 127.0.0.1:443 would be wrong (plain HTTP into a TLS port) and is not required.
    return 301 https://mail.abctest.com$request_uri;
}
nginx settings on the LAN iRedMail server
Add mail.abctest.com to the server_name directive in both /etc/nginx/sites-enabled/00-default-ssl.conf and /etc/nginx/sites-enabled/00-default.conf; nothing else changes, because TLS is still terminated on the LAN server with the certificate from the install. That certificate is the self-signed /etc/ssl/certs/iRedMail.crt, so browsers and mail clients will warn until it is replaced by one from a CA they trust. Bear in mind as well that the https proxy now carries this whole virtual host to the Internet, including the /iredadmin/ admin panel listed in the tips above; if administration is only needed from the LAN, restrict that location in the LAN nginx before going live.
Run nginx -t on the VPS and on the local iRedMail server, then restart (or reload) nginx on both.
Test the connection.
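"Test the connection" deserves more than a browser visit: each tunnelled port should answer with TLS, present the expected certificate rather than the website's, not negotiate an obsolete protocol, and 443 must be probed with SNI or frps will not route to the LAN server at all. The script below is an added example for this post (not from iRedMail or frp). It probes every port from 2.2 with openssl s_client and grades the text output; because grading is separate from probing, it is exercised here on constructed samples that abbreviate real s_client output, not on captures from the author's server. Run `sh mailprobe.sh probe` (the file name is my choice; set MAIL_HOST to override the placeholder) from outside the LAN. Expect WARN with an untrusted-chain note on every port for as long as the self-signed iRedMail.crt from the install is in use.

```shell
#!/bin/sh
# Added example for this post (not from iRedMail or frp): probe each published port with
# openssl s_client and grade what comes back. Assumes OpenSSL 1.1.1/3.x output wording;
# mail.abctest.com is the post's placeholder hostname.

MAIL_HOST=${MAIL_HOST:-mail.abctest.com}

# probe_tls HOST PORT [smtp|imap|pop3] -> raw s_client output; STARTTLS when a protocol is given.
# -servername matters on 443: frps chooses the tunnel by SNI, so without it the LAN server is never reached.
probe_tls() {
    if [ -n "${3:-}" ]; then
        openssl s_client -connect "$1:$2" -servername "$1" -starttls "$3" </dev/null 2>&1
    else
        openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>&1
    fi
}

# grade_tls OUTPUT EXPECTED_NAME -> "PASS|WARN|FAIL <proto> verify=<code> subject=<dn> [notes]"
# returns 0 for PASS, 2 for WARN, 1 for FAIL (no TLS session at all).
grade_tls() {
    out=$1; want=$2; notes=""; rc=0
    proto=$(printf '%s\n' "$out" | sed -n 's/^.*Protocol[^:]*: *\(TLSv[0-9.]*\).*/\1/p' | head -n 1)
    code=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: *\([0-9]*\).*/\1/p' | head -n 1)
    subject=$(printf '%s\n' "$out" | sed -n 's/^subject=//p' | head -n 1)
    if [ -z "$proto" ]; then
        echo "FAIL no TLS session (port closed, not tunnelled, or STARTTLS not offered)"
        return 1
    fi
    case "$proto" in
        TLSv1|TLSv1.1) rc=2; notes="$notes obsolete-protocol" ;;
    esac
    if [ "$code" != "0" ]; then
        rc=2; notes="$notes untrusted-chain(verify=$code)"   # 18 = self-signed leaf, the install default
    fi
    case "$subject" in
        *"$want"*) ;;
        *) rc=2; notes="$notes name-mismatch(expected $want)" ;;   # e.g. SNI misrouted to the www site
    esac
    if [ $rc -eq 0 ]; then v=PASS; else v=WARN; fi
    echo "$v $proto verify=$code subject=$subject$notes"
    return $rc
}

# Constructed samples, abbreviated from what s_client prints; not captures from a real server.
SAMPLE_OK='CONNECTED(00000003)
depth=0 CN = mail.abctest.com
verify return:1
---
subject=CN = mail.abctest.com
issuer=CN = Example CA
---
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Verify return code: 0 (ok)
---'
SAMPLE_SELF_SIGNED='CONNECTED(00000003)
depth=0 CN = mail.abctest.com
verify error:num=18:self-signed certificate
---
subject=CN = mail.abctest.com
issuer=CN = mail.abctest.com
---
SSL-Session:
    Protocol  : TLSv1.3
    Verify return code: 18 (self-signed certificate)
---'
SAMPLE_WRONG_SNI='CONNECTED(00000003)
subject=CN = www.abctest.com
issuer=CN = Example CA
---
SSL-Session:
    Protocol  : TLSv1.2
    Verify return code: 0 (ok)
---'
SAMPLE_REFUSED='connect: Connection refused
connect:errno=111'

# Usage: sh mailprobe.sh probe   (from outside the LAN; needs network access to the VPS)
if [ "${1:-}" = "probe" ]; then
    for spec in 25:smtp 587:smtp 110:pop3 995: 143:imap 993: 443:; do
        port=${spec%%:*}; st=${spec#*:}
        printf '%-4s ' "$port"
        grade_tls "$(probe_tls "$MAIL_HOST" "$port" "$st")" "$MAIL_HOST" || true
    done
fi
```

A FAIL on 25 or 587 usually means the tcp proxy is not registered on frps or STARTTLS is not offered; a name-mismatch on 443 means frps handed the connection to a different vhost, which is exactly the case the SNI check exists for.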