1、设置页面超时时间
[root@mail ~]# vi /var/www/extsuite/extmail/webmail.cf SYS_SESS_TIMEOUT = 30m SYS_SESS_COOKIE_ONLY = 1
30分钟不操作将断开页面连接;多域环境可以对各域分别设置。
也可设置为当用户关闭浏览器时超时:
SYS_SESS_TIMEOUT = 0 SYS_SESS_COOKIE_ONLY = 1
2、限制邮件大小
[root@mail ~]# vi /var/www/extsuite/extmail/webmail.cf SYS_MESSAGE_SIZE_LIMIT = 20971520
邮件20M,包括附件,针对WEB发送的邮件;
多域环境可以对各域分别设置。
3、限制附件和邮箱大小
[root@mail ~]# vi /etc/postfix/main.cf message_size_limit = 10485760 mailbox_size_limit = 2097152000
附件10M,邮箱2G。
4、限制最大收件人数
[root@mail ~]# vi /etc/postfix/main.cf smtpd_recipient_limit = 100 [root@mail ~]# service postfix reload
5、限制最大连接数
超过连接数限制时maillog日志报错:
mail imapd: Maximum connection limit reached for <IPADDRESS> DISCONNECTED
[root@mail ~]# vi /usr/lib/courier-imap/etc/pop3d # Maximum number of POP3 servers started MAXDAEMONS=100 # Maximum number of connections to accept from the same IP address MAXPERIP=10 [root@mail ~]# /usr/lib/courier-imap/libexec/pop3d.rc stop [root@mail ~]# /usr/lib/courier-imap/libexec/pop3d.rc start
[root@mail ~]# vi /usr/lib/courier-imap/etc/imapd # IMAP服务进程启动的最大数目 MAXDAEMONS=100 # 接受来自同一个IP地址的最大连接数 MAXPERIP=10 [root@mail ~]# /usr/lib/courier-imap/libexec/imapd.rc stop [root@mail ~]# /usr/lib/courier-imap/libexec/imapd.rc start
6、设置邮箱容量90%提醒(maildrop)
(1)前提条件:
编译安装maildrop时添加了--enable-maildirquota
(2)配置postfix:(配置maildrop时已添加,-w 90表示容量达到90%时警告)
[root@mail ~]# vi /etc/postfix/master.cf maildrop unix - n n - - pipe flags=DRhu user=vmail argv=/usr/local/bin/maildrop -w 90 -d ${user}@${nexthop} ${recipient} ${user} ${extension} {nexthop}
(3)查看警告邮件模板路径:
[root@mail ~]# cat /usr/local/src/maildrop-2.7.2/libs/maildir/quotawarnmsg.h #define QUOTAWARNMSG "/usr/local/etc/quotawarnmsg"
(4)复制警告邮件模板(复制到上面的路径):
[root@mail ~]# cp /usr/local/src/maildrop-2.7.2/libs/maildir/quotawarnmsg /usr/local/etc/ [root@mail ~]# chmod 755 /usr/local/etc/quotawarnmsg
(5)设置警告邮件模板:
[root@mail ~]# vi /usr/local/etc/quotawarnmsg X-Comment: Rename/Copy this file to quotawarnmsg, and make appropriate changes X-Comment: See deliverquota man page for more information From: Mail Delivery System <[email protected]> Reply-To: [email protected] To: Valued Customer:; Subject: Mail quota warning Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 7bit Your mailbox on the server is now more than 90% full. So that you can continue to receive mail you need to remove some messages from your mailbox.
(6)如果想使用中文发件人名称和中文主题可按以下方法:
[root@mail ~]# perl -e 'use MIME::Base64; print encode_base64("系统管理员")'; 57O757uf566h55CG5ZGY [root@mail ~]# perl -e 'use MIME::Base64; print encode_base64("邮箱配额警告")'; 6YKu566x6YWN6aKd6K2m5ZGK [root@mail ~]# vi /usr/local/etc/quotawarnmsg From: "=?UTF-8?B?57O757uf566h55CG5ZGY?="<[email protected]> Subject: =?UTF-8?B?6YKu566x6YWN6aKd6K2m5ZGK?= Content-Type: text/plain; charset=Unicode(UTF-8) Content-Transfer-Encoding: 8bit 您的邮箱空间已使用90%,如果您想正常使用,请从您的邮箱清除一些邮件,或与管理员联系。 Your mailbox on the server is now more than 90% full. So that you can continue to receive mail you need to remove some messages from your mailbox.
(7)测试:
[email protected]邮箱账号默认空间大小为5M:
使用[email protected]给test发送4M的附件,test将会收到警告邮件:
说明:在WEB端显示邮件内容正常,而FOXMAIL客户端收到的邮件内容显示乱码,转换编码格式为UTF-8后显示正常,因此最好把英文内容也写在模板里。
关于Postfix本身的访问限制,前面的博文已经讲述过,参考:
http://ywzhou.blog.51cto.com/2785388/1590342
7、postfix黑白名单
参考文件:/etc/postfix/access
(1)添加访问表限制:
[root@mail ~]# vi /etc/postfix/main.cf smtpd_recipient_restrictions = #注意:找到相应的位置,添加到最后,前一条后面加上逗号(下同) #限制收件人地址 check_recipient_access hash:/etc/postfix/recipient_access smtpd_sender_restrictions = #限制发件人地址 check_sender_access hash:/etc/postfix/sender_access smtpd_client_restrictions = #限制客户端IP地址 check_client_access hash:/etc/postfix/client_access
(2)创建访问表
[root@mail ~]# vi /etc/postfix/recipient_access [email protected] REJECT [root@mail ~]# vi /etc/postfix/sender_access [email protected] REJECT marketing@ REJECT abc.example.com REJECT [root@mail ~]# vi /etc/postfix/client_access 10.188.1.172 REJECT "ip 172 is user ywzhou" 192.168.1 REJECT extmail.org REJECT
这里拒绝了收件人[email protected],一会测试下
(3)转化为数据库格式
[root@mail ~]# postmap /etc/postfix/recipient_access [root@mail ~]# postmap /etc/postfix/sender_access [root@mail ~]# postmap /etc/postfix/client_access
将生成db文件,只要访问表有修改都要重新转化生成db文件。
(4)检查配置并重新加载
[root@mail ~]# postfix check [root@mail ~]# postfix reload
(5)测试收件人访问表限制
由于本地域不进行过滤,因此使用外域邮箱测试
使用[email protected]给[email protected]发封邮件
查看日志:
[root@mail ~]# tailf /var/log/maillog Dec 26 16:00:15 mail postfix/smtpd[30685]: Anonymous TLS connection established from unknown[10.188.1.86]: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits) Dec 26 16:00:15 mail postfix/smtpd[30685]: NOQUEUE: filter: RCPT from unknown[10.188.1.86]: <unknown[10.188.1.86]>: Client host triggers FILTER lmtp:[127.0.0.1]:10028; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mail.eplantstore.com> Dec 26 16:00:15 mail postfix/smtpd[30685]: NOQUEUE: reject: RCPT from unknown[10.188.1.86]: 554 5.7.1 <[email protected]>: Recipient address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mail.eplantstore.com> Dec 26 16:00:15 mail postfix/smtpd[30685]: disconnect from unknown[10.188.1.86]
发件人会收到一封系统说明:
结论:可以看到邮件拒绝了:Recipient address rejected: Access denied
(6)测试客户端访问表限制
客户端访问表中设置的我的电脑10.188.1.172并不被限制;
因为对服务器来说,对方邮件服务器才是客户端IP(日志中可以看到);
因此在客户端访问表中添加eplantstore.com邮件服务器的IP。
[root@mail ~]# vi /etc/postfix/client_access 10.188.1.86 REJECT [root@mail ~]# postmap /etc/postfix/client_access
使用[email protected]给[email protected]发封邮件
查看日志:
[root@mail ~]# tailf /var/log/maillog Dec 26 16:48:31 mail postfix/smtpd[30953]: NOQUEUE: reject: RCPT from unknown[10.188.1.86]: 554 5.7.1 <unknown[10.188.1.86]>: Client host rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mail.eplantstore.com>
结论:可以看到客户端主机被拒绝了,客户端检查要先于收件人检查。
8、限制用户给群组邮箱发邮件
流程:邮件通过SMTPD进来、发件人过滤、检查其收件人是groups中的群组地址[email protected]、
该地址调用类group_limit_rsb、该类调用访问表rsb、检查发件人在该表中设为了OK则通过、没有则拒绝
(1)添加访问表限制:
[root@mail ~]# vi /etc/postfix/main.cf smtpd_sender_restrictions = #这里和前面不同,是在“发件人”限制中添加“收件人”访问表 check_recipient_access hash:/etc/postfix/group_limit/groups #定义“检查收件方”的类,一个群组账号对应一个 smtpd_restriction_classes = group_limit_rsb, group_limit_cwb, group_limit_all #为类添加发件人访问表 group_limit_rsb = check_sender_access hash:/etc/postfix/group_limit/rsb, reject group_limit_cwb = check_sender_access hash:/etc/postfix/group_limit/cwb, reject group_limit_all = check_sender_access hash:/etc/postfix/group_limit/all, reject #给类添加规则,检查发件人访问表,其他拒绝
(2)创建访问表
[root@mail ~]# mkdir /etc/postfix/group_limit
群组账号列表,及其调用的类:
[root@mail ~]# vi /etc/posftix/group_limit/groups [email protected] group_limit_rsb [email protected] group_limit_cwb [email protected] group_limit_all
设置类调用的访问表:
[root@mail ~]# vi /etc/postfix/group_limit/rsb [email protected] OK [root@mail ~]# vi /etc/postfix/group_limit/cwb [email protected] OK [root@mail ~]# vi /etc/postfix/group_limit/all yourmail.com OK
(3)转化为hash数据库格式
[root@mail ~]# postmap /etc/postfix/group_limit/group_limit [root@mail ~]# postmap /etc/postfix/group_limit/rsb [root@mail ~]# postmap /etc/postfix/group_limit/cwb [root@mail ~]# postmap /etc/postfix/group_limit/all
将生成db文件,只要访问表有修改都要重新转化生成db文件。
(4)检查配置并重新加载
[root@mail ~]# postfix check [root@mail ~]# postfix reload
问题:
用Extmail WEB发的话任意用户都可以对别名群发
因为webmail发送是通过管道呼叫/usr/sbin/sendmail 发送email,不受这个限制
必须让webmail使用smtp的方式发送才能实现这个限制
9、限制用户只能内部收发邮件
过程:外网发邮件给test01~03 => 收件人过滤 => 检查其发件人调用local_senders_in访问表
=> 该表中设置了01和02调用local_limit_in类 => 该类调用local_domains访问表检查发件人
=> 表中没有外网发件人的域名,因此拒绝01和02,但03正常;
同理01~03发邮件给外网 => local_senders_out限制了01和03只能发给local_domains中的域
=> 因此拒绝01和03,02不受限制。
(1)添加访问表限制:
[root@mail ~]# vi /etc/postfix/main.cf smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/group_limit/local_senders_in check_recipient_access hash:/etc/postfix/group_limit/local_senders_out smtpd_restriction_classes = local_limit_in, local_limit_out local_limit_in = check_sender_access hash:/etc/postfix/group_limit/local_domains, reject local_limit_out = check_recipient_access hash:/etc/postfix/group_limit/local_domains, reject
(2)创建访问表
[root@mail ~]# vi /etc/posftix/group_limit/local_senders_in [email protected] local_limit_in [email protected] local_limit_in [root@mail ~]# vi /etc/posftix/group_limit/local_senders_out [email protected] local_limit_out [email protected] local_limit_out [root@mail ~]# vi /etc/postfix/group_limit/local_domains yourmail.com OK seconed.cn OK
(3)转化为hash数据库格式
[root@mail ~]# postmap /etc/postfix/group_limit/local_domains [root@mail ~]# postmap /etc/postfix/group_limit/local_senders_in [root@mail ~]# postmap /etc/postfix/group_limit/local_senders_out
将生成db文件,只要访问表有修改都要重新转化生成db文件。
(4)检查配置并重新加载
[root@mail ~]# postfix check [root@mail ~]# postfix reload
10、amavisd限制
说明:由于main.cf中注释掉了amavisd的10024过滤器,因此邮件不经过amavisd的黑白名单,这里就不列出了。
[root@mail ~]# vi /etc/amavisd.conf #对本地发出的邮件不进行内容过滤 $policy_bank{'MYNETS'} = { # mail originating from @mynetworks originating => 1, # is true in MYNETS by default, but let's make it explicit os_fingerprint_method => undef, # don't query p0f for internal clients allow_disclaimers => 1, # enables disclaimer insertion if available #添加以下三行参数,不进行检查 bypass_spam_checks_maps => [1], bypass_banned_checks_maps => [1], bypass_header_checks_maps => [1], }; # 启用自动学习白名单 $sa_auto_whitelist = 1; #限制附件格式 $banned_filename_re = new_RE( qr'_\.(exe-ms|dll)$', qr'\.[_./]*[A-Za-z][_./*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i, qr'.\.(exe|vbs|pif|scr|cpl)$'i, #如需放行指定格式的附件,删除字段即可,比如bat。 [root@mail ~]# service amavisd restart