iRedMail new version installation notes

Published 2023-05-25 09:15:17

1. Official documentation: download page

2. Installation guide:

Installation documentation for Ubuntu

3. Obtain a certificate first:

Related documentation
After installing acme.sh, run the command below as root. iRedMail points Nginx, Postfix and Dovecot at the same /etc/ssl/certs/iRedMail.crt and /etc/ssl/private/iRedMail.key, so a --reloadcmd that only reloads Nginx leaves SMTP and IMAP serving the old certificate after each renewal; add a Postfix reload and a Dovecot reload to the same reloadcmd.

/home/mailsvr/.acme.sh/acme.sh --install-cert -d m.cwbio.com.cn \
        --key-file       /etc/ssl/private/iRedMail.key  \
        --fullchain-file /etc/ssl/certs/iRedMail.crt \
        --reloadcmd     "service nginx force-reload"

Run crontab -e to confirm that acme.sh added its daily cron job; it renews the certificate when it comes due and then runs the reloadcmd:

30 0 * * * "/home/mailsvr/.acme.sh"/acme.sh --cron --home "/home/mailsvr/.acme.sh" > /dev/null

4. Configure DNS records

# amavisd-new showkeys
; key#1 2048 bits, s=dkim, d=cwbio.com.cn, /var/lib/dkim/cwbio.com.cn.pem
dkim._domainkey.cwbio.com.cn.   3600 TXT (
  "v=DKIM1; p="
  "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw4ecsxak39VxIFU9Q73P"
  "tCWJpGloZ2V26aPDOfUNB9+liAmZNRpZbrty4+XVLprTeWVgW1moBVT6QqYInhXH"
  "hBPKG8p6HUGJxdmsPZscN0HTWWtLigO1JaIa22uXm4rQdLxvQYtqIjUC29N1W8Ig"
  "u7rYh4sf7a+U4HUzHFUxxphJb7iqqBsM7OElXdhmD4AA+nej1kFZcj1jiG98LnJl"
  "RBxsgIJvUaT6dcbZzntncZovync003MzihotLrjj4E+FisdHQTa7pI7bh1ooeAKQ"
  "yQQzz7bM/qtEMAvbM7pm+4tzPNDeL+mkqPcd0MEF9PhNIZC7j9l5ysbGjKJ3EiAc"
  "7wIDAQAB")

Once the record is published, check that it resolves:

# nslookup -type=txt dkim._domainkey.cwbio.com.cn
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
dkim._domainkey.cwbio.com.cn    text = "v=DKIM1;....

The finished DNS configuration (screenshot omitted).
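The comparison above is done by eye; the script below does it mechanically. It is an added example, not code from the page, amavisd-new or iRedMail: it takes the showkeys output quoted above (the public key only, nothing secret), renders it as the quoted strings of at most 255 octets that a TXT record requires (a 2048-bit key always spans two), parses a record the way a resolver prints it, compares the p= values, and reads the modulus size out of the DER SubjectPublicKeyInfo so a truncated paste into the DNS console is caught before any mail is signed. It uses only the Python standard library.

```python
"""Cross-check amavisd-new's DKIM key against the published TXT record.

Added example, not code from the page, amavisd-new or iRedMail. It parses
`amavisd-new showkeys` output, renders it as the <=255-octet quoted strings
a TXT record needs, parses a record the way a resolver returns it, compares
the p= values, and reads the modulus size out of the DER public key.
"""
import base64
import re

# Copied from the showkeys output above (a public key, nothing secret).
SHOWKEYS = '''\
; key#1 2048 bits, s=dkim, d=cwbio.com.cn, /var/lib/dkim/cwbio.com.cn.pem
dkim._domainkey.cwbio.com.cn.   3600 TXT (
  "v=DKIM1; p="
  "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw4ecsxak39VxIFU9Q73P"
  "tCWJpGloZ2V26aPDOfUNB9+liAmZNRpZbrty4+XVLprTeWVgW1moBVT6QqYInhXH"
  "hBPKG8p6HUGJxdmsPZscN0HTWWtLigO1JaIa22uXm4rQdLxvQYtqIjUC29N1W8Ig"
  "u7rYh4sf7a+U4HUzHFUxxphJb7iqqBsM7OElXdhmD4AA+nej1kFZcj1jiG98LnJl"
  "RBxsgIJvUaT6dcbZzntncZovync003MzihotLrjj4E+FisdHQTa7pI7bh1ooeAKQ"
  "yQQzz7bM/qtEMAvbM7pm+4tzPNDeL+mkqPcd0MEF9PhNIZC7j9l5ysbGjKJ3EiAc"
  "7wIDAQAB")'''

QUOTED = re.compile(r'"([^"]*)"')


def parse_txt(record):
    """Parse DKIM tag=value pairs from a TXT record.

    Accepts a bare string or the several quoted strings a resolver prints
    for long records; the strings are concatenated before parsing, which is
    how a DKIM verifier treats them (RFC 6376 section 3.6.2.2).
    """
    if '"' in record:
        record = "".join(QUOTED.findall(record))
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def parse_showkeys(text):
    """Return (owner name without trailing dot, tag dict) from showkeys output."""
    owner = re.search(r"^(\S+\._domainkey\.\S+?)\.?\s+\d+\s+TXT", text, re.M).group(1)
    return owner, parse_txt(text)


def to_txt_strings(tags):
    """Render tags as quoted strings of at most 255 octets (the TXT string limit)."""
    flat = "; ".join(f"{k}={v}" for k, v in tags.items())
    return " ".join(f'"{flat[i:i + 255]}"' for i in range(0, len(flat), 255))


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(p_value):
    """Modulus size of the RSA key in a DKIM p= tag (base64 SubjectPublicKeyInfo)."""
    der = base64.b64decode(p_value, validate=True)
    _, spki, _ = _tlv(der, 0)              # SubjectPublicKeyInfo SEQUENCE
    _, _, pos = _tlv(spki, 0)              # AlgorithmIdentifier, skipped
    tag, bits, _ = _tlv(spki, pos)         # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("expected BIT STRING in SubjectPublicKeyInfo")
    _, rsa, _ = _tlv(bits[1:], 0)          # drop unused-bits octet, open SEQUENCE
    _, modulus, _ = _tlv(rsa, 0)           # first INTEGER is the modulus
    return int.from_bytes(modulus, "big").bit_length()


def dkim_record_matches(showkeys_text, published_record):
    """True when DNS carries exactly the key amavisd-new signs with."""
    _, local = parse_showkeys(showkeys_text)
    remote = parse_txt(published_record)
    return remote.get("v") == "DKIM1" and remote.get("p") == local.get("p")
```

The quoted-string output of dig +short TXT dkim._domainkey.cwbio.com.cn can be handed to parse_txt unchanged; a DNS console that only accepts one string of 255 characters will silently truncate the key, which rsa_modulus_bits turns into an immediate decode error instead of a DKIM failure discovered days later.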

5. Set the correct time zone if it is wrong

sudo timedatectl set-timezone Asia/Shanghai

6. Set firewall rules if the server cannot be reached. Besides the mail ports, the rules below open SSH (22) and the BT panel (33147) to every source address; restrict those two to management addresses where possible. (The ufw list in section 13 opens 23022 for SSH instead of 22; open whichever port sshd actually listens on.)

vi /etc/nftables.conf
        # ssh
        tcp dport 22 accept

        # http, https
        tcp dport 80 accept
        tcp dport 443 accept

        # smtp, submission, smtps
        tcp dport 25 accept
        tcp dport 587 accept
        tcp dport 465 accept

        # pop3, pop3s
        # tcp dport 110 accept
        tcp dport 995 accept

        # imap, imaps
        # tcp dport 143 accept
        tcp dport 993 accept
        
        # bt panel
        tcp dport 33147 accept

7. Add trusted domains for inbound mail to avoid rejections

Recipient address rejected: Intentional policy rejection

This message is produced by the iRedAPD policy service that Postfix consults at check_policy_service inet:127.0.0.1:7777 (greylisting), not by the Postfix restrictions themselves, so the greylisting whitelist in section 8 is the proper fix. If the DNS-based checks also have to be relaxed (for example because legitimate senders use HELO names or sender domains that do not resolve), comment out the three lines marked below in /etc/postfix/main.cf.

Do not comment out reject_unauth_destination. It is what stops Postfix from relaying mail for domains this server does not host; with it gone from smtpd_recipient_restrictions and no smtpd_relay_restrictions containing it, the server becomes an open relay. Postfix 2.10 and later ship a default smtpd_relay_restrictions with defer_unauth_destination, but confirm that with postconf smtpd_relay_restrictions rather than assume it. Removing reject_unlisted_recipient only moves the unknown-recipient check: as long as smtpd_reject_unlisted_recipient is yes (the default), Postfix still rejects mail for non-existent mailboxes at the end of the restriction list.

# HELO restriction
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    check_helo_access pcre:/etc/postfix/helo_access.pcre
    reject_non_fqdn_helo_hostname
#    reject_unknown_helo_hostname

# Sender restrictions
smtpd_sender_restrictions =
    reject_non_fqdn_sender
    reject_unlisted_sender
    permit_mynetworks
    permit_sasl_authenticated
    check_sender_access pcre:/etc/postfix/sender_access.pcre
#    reject_unknown_sender_domain

# Recipient restrictions
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient
#    reject_unlisted_recipient
    check_policy_service inet:127.0.0.1:7777
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_policy_service inet:127.0.0.1:12340
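A small lint for the restriction block above, added here as an example; it is not code from the page, iRedMail or Postfix. It parses main.cf text with Postfix's line rules (indented continuation lines, # comments) and reports whether relaying for foreign domains is still blocked and which anti-spam checks have been switched off. RELAXED is the listing with all four lines commented out; HARDENED keeps every check and adds an explicit smtpd_relay_restrictions, which is an assumed value for illustration, not a setting iRedMail is known to ship.

```python
"""Relay-safety lint for a Postfix main.cf restriction block.

Added example; not code from the page, iRedMail or Postfix. Parses main.cf
text (continuation lines, comments) and reports whether relaying for
foreign domains is still blocked and which anti-spam checks are off.
"""

RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination"}
ANTISPAM_CHECKS = {
    "smtpd_helo_restrictions": ("reject_non_fqdn_helo_hostname", "reject_unknown_helo_hostname"),
    "smtpd_sender_restrictions": ("reject_non_fqdn_sender", "reject_unknown_sender_domain"),
    "smtpd_recipient_restrictions": ("reject_non_fqdn_recipient", "reject_unlisted_recipient"),
}

# Constructed sample: the listing above with all four lines commented out.
RELAXED = """\
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    check_helo_access pcre:/etc/postfix/helo_access.pcre
    reject_non_fqdn_helo_hostname
#    reject_unknown_helo_hostname
smtpd_sender_restrictions =
    reject_non_fqdn_sender
    reject_unlisted_sender
    permit_mynetworks
    permit_sasl_authenticated
    check_sender_access pcre:/etc/postfix/sender_access.pcre
#    reject_unknown_sender_domain
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient
#    reject_unlisted_recipient
    check_policy_service inet:127.0.0.1:7777
    permit_mynetworks
    permit_sasl_authenticated
#    reject_unauth_destination
    check_policy_service inet:127.0.0.1:12340
"""

# Constructed sample: every check kept, plus an explicit relay guard
# (assumed value for illustration, not a setting iRedMail is known to ship).
HARDENED = RELAXED.replace("\n#    ", "\n    ") + (
    "smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated "
    "reject_unauth_destination\n")


def parse_main_cf(text):
    """Return {parameter: [tokens]} using Postfix's line rules: a logical line
    starts in column 1 as "name = value", a line starting with whitespace
    continues the previous value, and a line whose first non-blank character
    is '#' is a comment."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current].extend(raw.split())
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.split()
    return params


def lint(text):
    """Return findings as strings; an empty list means nothing to flag."""
    p = parse_main_cf(text)
    findings = []
    recip = set(p.get("smtpd_recipient_restrictions", ()))
    relay = p.get("smtpd_relay_restrictions")
    if relay is None and not recip & RELAY_GUARDS:
        findings.append("relay guard: reject_unauth_destination missing from "
                        "smtpd_recipient_restrictions and smtpd_relay_restrictions "
                        "unset; only the Postfix >= 2.10 default blocks relaying")
    elif relay is not None and not (set(relay) | recip) & RELAY_GUARDS:
        findings.append("OPEN RELAY: no reject_unauth_destination in either "
                        "smtpd_relay_restrictions or smtpd_recipient_restrictions")
    for param, checks in ANTISPAM_CHECKS.items():
        present = set(p.get(param, ()))
        findings.extend(f"{param}: {c} is disabled" for c in checks if c not in present)
    return findings
```

Run lint over the output of postconf -n (which prints every parameter on a single line, so the parser's continuation handling is simply unused) after each edit to main.cf; any "OPEN RELAY" finding means the change must be reverted before the next postfix reload.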

8. Mail not received because the sender was not whitelisted (Intended policy rejection, please try again later)

Related documentation

Note that --submit writes the resulting whitelist into the database:
# cd /opt/iredapd/tools/
# python3 spf_to_greylist_whitelists.py --submit 126.com 163.com qq.com foxmail.com cwbiosciences.com genetronhealth.com bjchp.gov.cn cwbiotech.cn cwbio.cn genewill.cn genewill.com cwbio.com.cn
Update 2024-03-29, further domains whitelisted:
> aol.com
> bjchp.gov.cn
> cloudfiltering.com
> constantcontact.com
> craigslist.org
> fbmta.com
> fishbowl.com
> gmx.com
> ivydx.com
> kdfpy.com
> microsoft.com
> outlook.com
> tumblr.com
> yahoo.com
> yandex.ru
> zendesk.com
> zoho.com
Check the result:
# python3 greylisting_admin.py --list-whitelist-domains

Disable globally (not recommended):

## To disable greylisting globally, run the command below:

python3 /opt/iredapd/tools/greylisting_admin.py --disable --from '@.'
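What spf_to_greylist_whitelists.py does for each domain is resolve its SPF record and whitelist the networks it names. The block below is an added example of that expansion, not the iRedAPD tool itself: a constructed in-memory zone (documentation prefixes, not the real SPF records of any domain) stands in for DNS so the rules that matter (only pass-qualified ip4/ip6 terms count, include: and redirect= recurse, the 10-lookup budget of RFC 7208 section 4.6.4, include loops) can be run and tested offline. Mechanisms that need live DNS (a, mx, ptr, exists) are counted against the budget but not expanded.

```python
"""Expand a sender domain's SPF record into networks for a greylisting whitelist.

Added example; not spf_to_greylist_whitelists.py, which does this against
live DNS. A constructed in-memory zone stands in for DNS so the expansion
rules (ip4/ip6, include:, redirect=, the 10-lookup budget of RFC 7208
section 4.6.4, include loops) can be exercised offline.
"""
import ipaddress

MAX_LOOKUPS = 10   # RFC 7208: more than 10 DNS-querying terms is a permerror

# Constructed zone; documentation prefixes, not the real SPF of any domain.
ZONE = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 "
                        "include:_spf.loop.example ~all",
    "_spf.loop.example": "v=spf1 include:_spf.loop.example ?all",   # includes itself
}


def expand_spf(domain, zone=ZONE):
    """Return (networks, lookups_used, warnings) for domain's SPF record.

    Only '+' (pass) terms name hosts allowed to send, so only those are
    collected; a/mx/ptr/exists need live DNS and are counted, not expanded.
    """
    networks, warnings, seen = [], [], set()
    lookups = 0

    def walk(name):
        nonlocal lookups
        if name in seen:
            warnings.append(f"{name}: include loop, skipped")
            return
        seen.add(name)
        record = zone.get(name)
        if record is None or not record.lower().startswith("v=spf1"):
            warnings.append(f"{name}: no SPF record")
            return
        for term in record.split()[1:]:
            qualifier = term[0] if term[0] in "+-~?" else "+"
            mech = term.lstrip("+-~?").lower()
            if mech == "all" or qualifier != "+":
                continue                        # never whitelist a catch-all or a non-pass term
            if mech.startswith(("ip4:", "ip6:")):
                networks.append(ipaddress.ip_network(mech[4:], strict=False))
            elif mech.startswith(("include:", "redirect=")):
                lookups += 1
                if lookups > MAX_LOOKUPS:
                    warnings.append(f"{name}: DNS lookup limit exceeded, stopping")
                    return
                walk(mech[8:] if mech.startswith("include:") else mech[9:])
            elif mech.split(":")[0].split("/")[0] in ("a", "mx", "ptr", "exists"):
                lookups += 1
                warnings.append(f"{name}: '{mech}' needs live DNS, not expanded")
            else:
                warnings.append(f"{name}: unknown term '{term}'")

    walk(domain)
    return networks, lookups, warnings


def whitelist_entries(networks):
    """Collapse overlapping prefixes, IPv4 first then IPv6, as strings to submit."""
    v4 = ipaddress.collapse_addresses([n for n in networks if n.version == 4])
    v6 = ipaddress.collapse_addresses([n for n in networks if n.version == 6])
    return [str(n) for n in v4] + [str(n) for n in v6]
```

A record whose expansion stops on the lookup limit or warns about a loop is broken on the sender's side as well (verifiers return permerror for it), so the warnings are worth reporting back to that domain rather than silently whitelisting whatever was collected before the cut-off.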

Mail not received because the DNSBL service is enabled

Dec 14 14:16:26 cwbio postfix/dnsblog[2236394]: addr 111.207.252.179 listed by domain zen.spamhaus.org as 127.0.0.4
Dec 14 14:16:32 cwbio postfix/postscreen[2236392]: DNSBL rank 3 for [111.207.252.179]:60942
Dec 14 14:16:32 cwbio postfix/postscreen[2236392]: DISCONNECT [111.207.252.179]:60942

Add the IP to the postscreen whitelist, e.g. 111.207.252.179. A permit entry in postscreen_access.cidr exempts that client from every postscreen test (pregreet, DNSBL, pipelining), so list only hosts you actually trust.
Edit the configuration file:
vi /etc/postfix/postscreen_access.cidr

111.207.252.179 permit

After editing, restart Postfix (service postfix restart); the log then shows the client being whitelisted:

Dec 14 15:12:27 cwbio postfix/postscreen[2241707]: WHITELISTED [111.207.252.179]:39382

9. RoundCube upgrade guide: changing the logo and product_name

Set product_name. The file shown is defaults.inc.php; putting the same line in config/config.inc.php instead is safer, since each Roundcube release replaces defaults.inc.php and the change would be lost on the next upgrade.

# vi www/roundcubemail-1.6.1/config/defaults.inc.php
$config['product_name'] = '<product name, e.g. 康为>';

Change the logo (the grep output below shows where the elastic skin references it):
#cp logo.png /opt/www/roundcubemail/skins/elastic/images/logo.png
/opt/www/roundcubemail/skins/elastic/templates/login.html:6:   <roundcube:object name="logo" src="/images/logo.png" id="logo" alt="Logo" />
/opt/www/roundcubemail/skins/elastic/templates/includes/menu.html:4:           <roundcube:object name="logo" src="/images/logo.png" id="logo" alt="Logo" />
/opt/www/roundcubemail/skins/elastic/watermark.html:9:  background: url(images/logo.png) center no-repeat #fff;

10. Change the iRedAdmin branding

vi /opt/www/iRedAdmin-2.3/libs/default_settings.py 
BRAND_LOGO = "logo.png"
# Product name, short description.
BRAND_NAME = "康为世纪"
BRAND_DESC = "Mail admin panel"

www/iRedAdmin-2.3/static/logo.png 

11. Add a global address book

GitHub: https://github.com/johndoh/roundcube-globaladdressbook
Copy the extracted folder into the plugins directory of the Roundcube installation:
# mv roundcube-globaladdressbook-2.1/ /opt/www/roundcubemail/plugins/globaladdressbook
# cd /opt/www/roundcubemail/plugins/globaladdressbook
# cp  config.inc.php.dist  config.inc.php
$config['globaladdressbooks']['global'] = [
    // the name of the address book displayed to the user
    'name' => '康为世纪 address book',
    // eg. to create one global address book per domain: global_addressbook@%d
    'user' => 'postmaster@%d',
    // default user permissions
    // 0 - global address book is read only
    // 1 - users can add, edit and delete contacts (full permissions)
    // 2 - users can add but not edit or delete contacts
    // 3 - users can add and edit but not delete contacts
    'perms' => 2,

    // always copy contacts from the global address book to another address book, never move
    'force_copy' => true,

    // allow groups in global address book
    'groups' => false,

    // global address book admin user
    // admin user(s) can always add/edit/delete entries, overrides readonly
    // either a single username, or an array of usernames, see README for more info
    'admin' => 'postmaster@cwbio.com.cn',

    // show addresses from the global address book in the auto complete menu when composing an email
    'autocomplete' => true,

    // check globaladdressbook for known senders when displaying remote inline images
    'check_safe' => true,

    // address book visibility
    // null for visible to all or an array of usernames, see README for more info
    'visibility' => null,
];

// activate GlobalAddressbook for selected mail hosts only. If this is not set all mail hosts are allowed.
// example: $config['globaladdressbook_allowed_hosts'] = ['mail1.domain.tld', 'mail2.domain.tld'];
$config['globaladdressbook_allowed_hosts'] = null;

## Edit the Roundcube config file and add the plugin:
# vi /opt/www/roundcubemail/config/config.inc.php
$config['plugins'] = array('managesieve', 'password', 'zipdownload', 'globaladdressbook');

## Finally restart PHP-FPM for the change to take effect
# service php8.1-fpm restart   (or: systemctl restart php8.1-fpm)

12. Roundcube password complexity settings

# vi /opt/www/roundcubemail/plugins/password/config.inc.php
$config['password_minimum_length'] = 8;
// Note: Password strength is scored from 1 (weak) to 5 (strong).
$config['password_minimum_score'] = 3;

13. Firewall rules with ufw (not compatible with the nftables setup above; results in wrongly blocked connections). Note that this list opens 23022 rather than 22 for SSH and omits 80/443, which section 6 allows; whichever firewall is used must open the ports actually in service.

# ufw enable
# ufw allow 23022/tcp
# ufw allow 25/tcp
# ufw allow 587/tcp
# ufw allow 465/tcp
# ufw allow 993/tcp
# ufw allow 995/tcp
# ufw allow 33147/tcp

Checking for fail2ban bans and removing them:

fail2ban-client status
Status
|- Number of jail:      7
`- Jail list:   dovecot, nginx-http-auth, postfix, pregreet, roundcube, sogo, sshd
List the jails, then query each one:
fail2ban-client get dovecot banned
fail2ban-client get nginx-http-auth banned
fail2ban-client get postfix banned
fail2ban-client get pregreet banned
fail2ban-client get roundcube banned
fail2ban-client get sogo banned

If an address is banned, unban it:
 fail2ban-client set dovecot unbanip 111.207.252.179

To whitelist it permanently, edit the configuration file and append the address (e.g. 111.207.252.179) to ignoreip, space-separated:

vi /etc/fail2ban/jail.local 
...
ignoreip    = 127.0.0.1 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 111.207.252.179

Then restart fail2ban: systemctl restart fail2ban
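The DNSBL section above and this fail2ban section whitelist the same address in two different formats. The block below is an added example, not code from the page, Postfix or fail2ban: it pulls the clients that postscreen scored against a DNSBL out of mail.log lines (the three lines quoted above plus one constructed line for a second client), evaluates each against a postscreen_access.cidr table with postscreen's first-match semantics and against a fail2ban ignoreip list, and reports which clients are still covered by neither. The allowlists are constructed samples in the two formats edited on this page; only the standard library is used.

```python
"""Reconcile postscreen DNSBL hits with postscreen_access.cidr and fail2ban ignoreip.

Added example; not code from the page, Postfix or fail2ban. It extracts the
clients postscreen scored against a DNSBL from mail.log lines, checks each
against a postscreen_access.cidr table (first match wins, as postscreen
applies it) and a fail2ban ignoreip list, and reports the gaps.
"""
import ipaddress
import re

# The three lines from the page above plus one constructed line for a second client.
LOG = """\
Dec 14 14:16:26 cwbio postfix/dnsblog[2236394]: addr 111.207.252.179 listed by domain zen.spamhaus.org as 127.0.0.4
Dec 14 14:16:32 cwbio postfix/postscreen[2236392]: DNSBL rank 3 for [111.207.252.179]:60942
Dec 14 14:16:32 cwbio postfix/postscreen[2236392]: DISCONNECT [111.207.252.179]:60942
Dec 14 14:20:01 cwbio postfix/postscreen[2236392]: DNSBL rank 2 for [198.51.100.7]:41022
"""

# Constructed allowlists in the two formats the page edits.
CIDR = """\
# /etc/postfix/postscreen_access.cidr: first matching entry wins
111.207.252.179  permit
192.0.2.0/24     reject
"""
IGNOREIP = "127.0.0.1 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 111.207.252.179"

# The line postscreen writes when a client's DNSBL rank reaches its threshold.
RANK_LINE = re.compile(r"postfix/postscreen\[\d+\]: DNSBL rank (\d+) for \[([0-9A-Fa-f.:]+)\]:\d+")


def dnsbl_hits(log):
    """Map client IP -> DNSBL rank for every 'DNSBL rank' line in the log."""
    return {m.group(2): int(m.group(1)) for m in RANK_LINE.finditer(log)}


def parse_postscreen_cidr(text):
    """Parse a postscreen_access.cidr table into [(network, action)] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # '#' starts a comment
        if line:
            pattern, action = line.split(None, 1)
            rules.append((ipaddress.ip_network(pattern, strict=False), action.strip().lower()))
    return rules


def _matches(ip, net):
    addr = ipaddress.ip_address(ip)
    return addr.version == net.version and addr in net


def postscreen_action(ip, rules):
    """Action of the first matching entry (how postscreen reads the table), else None."""
    for net, action in rules:
        if _matches(ip, net):
            return action
    return None


def in_ignoreip(ip, ignoreip):
    """True when ip is inside any entry of a space-separated fail2ban ignoreip."""
    return any(_matches(ip, ipaddress.ip_network(e, strict=False)) for e in ignoreip.split())


def allowlist_gaps(log, cidr_text, ignoreip):
    """For each DNSBL hit, the allowlists that still do not cover it."""
    rules = parse_postscreen_cidr(cidr_text)
    gaps = {}
    for ip in dnsbl_hits(log):
        missing = []
        if postscreen_action(ip, rules) != "permit":
            missing.append("postscreen_access.cidr")
        if not in_ignoreip(ip, ignoreip):
            missing.append("fail2ban ignoreip")
        if missing:
            gaps[ip] = missing
    return gaps
```

Because postscreen stops at the first matching entry, a broad reject entry placed above a host's permit line silently wins; keep the most specific entries at the top of postscreen_access.cidr and re-run allowlist_gaps against the current log before concluding that a sender is still being blocked by the DNSBL rather than by the table itself.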
