• unbound和mail服务的部署和简单应用


    1、服务的介绍
    Unbound是一个缓存DNS解析器（参见 unbound 官网）。

           它使用内置的根区域（"."）权威名称服务器列表，即所谓的根提示（root hints）。
           收到 DNS 查询时，它会向根名称服务器询问答案，几乎在所有情况下都会收到
           指向顶级域（TLD）权威名称服务器的委派，然后再向该名称服务器询问答案。
           它以递归方式进行，直到找到答案或确定没有答案（NXDOMAIN）。
           出于性能和效率的原因，答案会被缓存一段时间（答案的生存时间，即 TTL），
           此后对同一名称的第二次查询将直接从缓存中回答。Unbound 也可以进行
           DNSSEC 验证。
            相传他的开发者是一位牙医,不知是否为真。
    

    postfix这是Wietse Venema开发的邮件服务器

    postfix是Wietse Venema想要为使用最广泛的sendmail提供替代品的一个尝试。在Internet世界中,大部分的电子邮件都是通过sendmail来投递的,大约有100万用户使用sendmail,每天投递上亿封邮件。这真是一个让人吃惊的数字。Postfix试图更快、更容易管理、更安全,同时还与sendmail保持足够的兼容性。
    来自百度文献
    

    2、环境介绍

    server端:
    [root@100 ~]# cat /etc/redhat-release 
    Red Hat Enterprise Linux Server release 7.1 (Maipo)
    [root@100 ~]# hostname
    100.hzy.com
    [root@100 ~]# ip a |grep inet
        inet 127.0.0.1/8 scope host lo
        inet6 ::1/128 scope host 
        inet 192.168.137.100/24 brd 192.168.137.255 scope global eno16777736
        inet6 fe80::20c:29ff:feac:5681/64 scope link 
    client端:
    [root@200 ~]# cat /etc/redhat-release 
    Red Hat Enterprise Linux Server release 7.1 (Maipo)
    [root@200 ~]# hostname
    200.hzy.com
    [root@200 ~]# ip a |grep inet
        inet 127.0.0.1/8 scope host lo
        inet6 ::1/128 scope host 
        inet 192.168.137.200/24 brd 192.168.137.255 scope global eno16777736
        inet6 fe80::20c:29ff:febb:c0b0/64 scope link 
    

    3、安装和部署unbound服务

    安装
    yum install -y unbound
    [root@100 ~]# rpm -ql unbound |grep etc
    /etc/sysconfig/unbound
    /etc/tmpfiles.d/unbound.conf
    /etc/unbound/conf.d
    /etc/unbound/conf.d/example.com.conf
    /etc/unbound/keys.d
    /etc/unbound/keys.d/example.com.key
    /etc/unbound/local.d
    /etc/unbound/local.d/block-example.com.conf
    /etc/unbound/unbound.conf 
    
    找到unbound.conf修改其配置
    server:
    	verbosity: 1
    	statistics-interval: 0
    	statistics-cumulative: no
    	extended-statistics: yes
    	
    	num-threads: 2 #线程数
    	interface: 0.0.0.0 #监听本机所有接口的 IP
    	interface-automatic: no #自动选择端口
    	port: 53 #在 53 端口响应查询
    
    	access-control: 0.0.0.0/0 allow #响应来自所有网段的查询（0.0.0.0/0 意味着对任意来源开放递归查询，建议只允许内网网段）
    	chroot: "" #虚拟目录
    
    	username: "unbound" #运行服务的系统用户，安装时默认创建
    
    	directory: "/etc/unbound" #配置文件所在的目录
    
    	log-time-ascii: yes #日志使用可读（ASCII）格式的时间戳
    
    	pidfile: "/var/run/unbound/unbound.pid" #服务的 pid 文件路径
    
    	harden-glue: yes   #
    
    	harden-dnssec-stripped: yes
    
    	harden-below-nxdomain: yes
    
    	harden-referral-path: yes
    
    	use-caps-for-id: no
    
    	unwanted-reply-threshold: 10000000
    
    	prefetch: yes
    
    	prefetch-key: yes
    
    	rrset-roundrobin: yes
    	minimal-responses: yes
    
    	dlv-anchor-file: "/etc/unbound/dlv.isc.org.key"
    
    	trusted-keys-file: /etc/unbound/keys.d/*.key
    	auto-trust-anchor-file: "/var/lib/unbound/root.key"
    
    	val-clean-additional: yes
    
    	val-permissive-mode: no
    
    	val-log-level: 1
    
    
    	include: /etc/unbound/local.d/*.conf #读取的解析文件路径
    
    remote-control: #远程控制（unbound-control）相关设置
    	control-enable: yes
    
    	server-key-file: "/etc/unbound/unbound_server.key"
    
    	server-cert-file: "/etc/unbound/unbound_server.pem"
    
    	control-key-file: "/etc/unbound/unbound_control.key"
    
    	control-cert-file: "/etc/unbound/unbound_control.pem"
    
    # Stub and Forward zones
    
    include: /etc/unbound/conf.d/*.conf
    
    它的解析文件放在 include 指定的 /etc/unbound/local.d/*.conf 目录中
    [root@100 ~]# cat /etc/unbound/local.d/aa.conf 
    local-zone: "hzy.com." static  #设置静态的域
    ##这一行是 dns 的默认参数设置，可以不写
    local-data: "hzy.com. NS 100.hzy.com." #指定这个域里的dns服务器
    local-data: "hzy.com. MX 5 100.hzy.com." #指定这个域里的mail服务器
    local-data: "mail.hzy.com. IN A 192.168.137.100"
    local-data: "200.hzy.com. IN A 192.168.137.200"  
    local-data: "www.hzy.com. IN A 192.168.137.200"
    local-data: "ftp.hzy.com. IN A 192.168.137.200"
    local-data-ptr: "192.168.137.200 200.hzy.com"
    local-data-ptr: "192.168.137.200 www.hzy.com"
    
    [root@100 ~]# firewall-cmd --add-port=53/tcp --permanent
    [root@100 ~]# firewall-cmd --reload 
    
    测试
    [root@200 ~]# nslookup mail.hzy.com
    Server:		192.168.137.100
    Address:	192.168.137.100#53
    
    Name:	mail.hzy.com
    Address: 192.168.137.100
    
    [root@200 ~]# nslookup www.hzy.com
    Server:		192.168.137.100
    Address:	192.168.137.100#53
    
    Name:	www.hzy.com
    Address: 192.168.137.200
    

    4、配置postfix服务并使用dovecot收件服务测试

    安装
    [root@100 ~]# yum install -y dovecot postfix
    ##在 redhat 系统中 postfix 默认已安装
    编辑/etc/postfix/main.cf
    [root@100 ~]# grep -v "#" /etc/postfix/main.cf |grep -v "^$"
    queue_directory = /var/spool/postfix
    command_directory = /usr/sbin
    daemon_directory = /usr/libexec/postfix
    data_directory = /var/lib/postfix
    mail_owner = postfix
    myhostname = 100.hzy.com
    mydomain = hzy.com
    myorigin = hzy.com
    inet_interfaces = all
    inet_protocols = all
    mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
    unknown_local_recipient_reject_code = 550
    mynetworks = 0.0.0.0/0
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    home_mailbox = Maildir/
    smtpd_banner = $myhostname ESMTP $mail_name
    debug_peer_level = 2
    debugger_command =
    	 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    	 ddd $daemon_directory/$process_name $process_id & sleep 5
    sendmail_path = /usr/sbin/sendmail.postfix
    newaliases_path = /usr/bin/newaliases.postfix
    mailq_path = /usr/bin/mailq.postfix
    setgid_group = postdrop
    html_directory = no
    manpage_directory = /usr/share/man
    sample_directory = /usr/share/doc/postfix-2.10.1/samples
    readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
    message_size_limit = 10485760 
    mailbox_size_limit = 1073741824 
    smtpd_sasl_type = dovecot 
    smtpd_sasl_path = private/auth 
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous 
    smtpd_sasl_local_domain = $myhostname 
    smtpd_recipient_restrictions = permit_mynetworks,permit_auth_destination,permit_sasl_authenticated,reject 
    参数
    
    作用
    
    myhostname
    
    邮局系统的主机名
    
    mydomain
    
    邮局系统的域名
    
    myorigin
    
    从本机发出邮件的域名名称
    
    inet_interfaces
    
    监听的网卡接口
    
    mydestination
    
    可接收邮件的主机名或域名
    
    mynetworks
    
    设置允许哪些主机通过本机转发邮件（此处为 0.0.0.0/0，即任意主机都可以中继，生产环境应限制为内网网段）
    
    relay_domains
    
    设置可转发哪些网域的邮件
    具体参数设置参考的是 [centos7搭建postfix邮件服务器](https://www.cnblogs.com/operationhome/p/9056870.html)
    
    编辑/etc/dovecot/dovecot.conf
    将监听地址改成 *（监听所有接口）
    [root@100 ~]# grep -v '#' /etc/dovecot/dovecot.conf |grep -v "^$"
    listen = *
    dict {
    }
    !include conf.d/*.conf
    !include_try local.conf
    
    编辑/etc/dovecot/conf.d/10-auth.conf
    [root@100 ~]# grep -v '#' /etc/dovecot/conf.d/10-auth.conf |grep -v "^$"
    disable_plaintext_auth = no ##允许明文认证（未启用 SSL 时，账号密码会以明文在网络中传输）
    auth_mechanisms = plain login 
    !include auth-system.conf.ext
    
    编辑/etc/dovecot/conf.d/10-mail.conf
    找到并修改mail_location = maildir:~/Maildir
    
    编辑/etc/dovecot/conf.d/10-master.conf
    89  # unix_listener auth-userdb {
     90     #mode = 0666
     91     #user = 
     92     #group = 
     93 #  }
     94 unix_listener /var/spool/postfix/private/auth {
     95 mode = 0666
     96 user = postfix
     97 group = postfix
     98 }
    
    编辑/etc/dovecot/conf.d/10-ssl.conf 
    因为没有设置ssl加密,所以ssl的值修改为 ssl = no
    [root@100 ~]# systemctl enable dovecot
    ln -s '/usr/lib/systemd/system/dovecot.service' '/etc/systemd/system/multi-user.target.wants/dovecot.service'
    [root@100 ~]# systemctl start dovecot.service 
    

    5、使用Foxmail测试

    使用系统用户：建议使用无法登录 shell 的系统用户
    [root@100 ~]# id bob
    uid=1001(bob) gid=1001(bob) 组=1001(bob)
    [root@100 ~]# id goudan
    uid=1002(goudan) gid=1002(goudan) 组=1002(goudan)
    

