2015-03-25 22:15:51 +08:00
权威指南:构建个人私有云,拿回你的数据隐私的控制权!
2015-02-13 10:44:32 +08:00
================================================================================
2015-03-25 22:15:51 +08:00
8年里40000多次搜索! ? ( ) , , !
2015-02-13 10:44:32 +08:00
2015-03-25 22:15:51 +08:00
## 很多非常私人的信息不受自己控制地存储在世界范围内的服务器上 ##
2015-02-13 10:44:32 +08:00
2015-03-25 22:15:51 +08:00
比如说你也像我一样从2006年到2013年都是Gmail用户, , , , , ,
2015-02-13 10:44:32 +08:00
2015-03-25 22:15:51 +08:00
从统计数据来看, , , , : , , , , ? , , ,
2015-02-13 10:44:32 +08:00
2015-03-25 22:15:51 +08:00
你是否还会非常小心地同步自己的联系人信息, , ? , , ,
2015-02-13 10:44:32 +08:00
2015-03-25 22:15:51 +08:00
## 这种泄漏自己私人信息的日常爱好会以一种甚至没人能够预测的方式影响你的生活 ##
2015-02-13 10:44:32 +08:00
2015-03-25 22:15:51 +08:00
总结一下, , , ( ) , , , ,
2015-02-13 10:44:32 +08:00
不敢想象把这些深度的个人信息交给完全陌生的人, , , , ? , ( )
2015-03-25 22:15:51 +08:00
有这么多的高质量信息, , : , , ( ) ( , ? ) , , , , ( ) ? , , , , ? , , , ? , , ?
2015-02-13 10:44:32 +08:00
我们大多数人把自己的个人数据托付给这些公司的一个原因就是它们提供免费服务。但是真的免费吗? :
2015-03-25 22:15:51 +08:00
我写的最多的是Google, , ( ) :
2015-02-13 10:44:32 +08:00
2015-03-25 22:15:51 +08:00
## 只要5小时,
2015-02-13 10:44:32 +08:00
2015-03-25 22:15:51 +08:00
但是事实并不是一定必须这样的。你可以生活在21世纪, , , : ,
2015-02-13 10:44:32 +08:00
这也是这篇文章的意义所在。仅仅5个小时内, , ,
2015-03-25 22:15:51 +08:00
为自己做这件事情已经是迈出很大一步了。但是, , ,
2015-02-13 10:44:32 +08:00
2015-03-25 22:15:51 +08:00
我们将构建的系统能够:
2015-02-13 10:44:32 +08:00
- **支持任意数目的域名和用户**。这样就能轻易地和你的家人朋友共享这台服务器,所以他们也能掌控自己的个人数据,并且还能和你一起分摊服务费用。和你一起共享服务器的人可以使用他们自己的域名或者共享你的。
2015-03-25 22:15:51 +08:00
- **允许你从任意网络发送和接收电子邮件**,需要成功登录服务器之后。这样,你可以通过任意的邮件地址、任意设备(台式机、手机、平板)、任意网络(家里、公司、公共网络、...)来发送电子邮件。
2015-02-13 10:44:32 +08:00
- **在发送和接收邮件的时候加密网络数据**,这样,你不信任的人不能钓出你的密码,也不能看到你的私人邮件。
2015-03-25 22:15:51 +08:00
- **提供最先进的反垃圾邮件技术**,结合了已知垃圾邮件黑名单、自动灰名单、和自适应垃圾邮件过滤。如果邮件被误判了只需要简单地把它拖入或拖出垃圾目录就可以重新调校垃圾邮件过滤器。而且,服务器还会为基于社区的反垃圾邮件努力做出贡献。
- **一段时间里只需要几分钟的维护**, , , , ‘ ’ ( )
2015-02-13 10:44:32 +08:00
要完成这篇文章里的工作, , , , ( , )
下面是我们将要做的事情的概述。
- [申请一个虚拟私人服务器,一个域名,并把它们配置好][11]
- [设置postfix和dovecot来收发电子邮件][12]
- [阻止垃圾邮件进入你的收件箱][13]
- [确保你发出的邮件能通过垃圾邮件过滤器][14]
- [使用Owncloud提供日历, ,
- [在云上同步你的设备][16]
2015-03-25 22:15:51 +08:00
## 这篇文章是受之前工作的启发并以之为基础 ##
2015-02-13 10:44:32 +08:00
本文很大程度参考了两篇文章,由[Xavier Claude][17]和[Drew Crawford][18]写的关于架设私有邮件服务器的介绍。
本文覆盖了Xavier和Drew的文章里所描述的所有功能, : ( , ) , ( ) , ( ) , ,
和Xavier和Drew的成果比起来, :
- 根据我自己按Drew文章操作的经验以及原文的大量回复, ,
- 低维护: , : , , ( , )
- 我增加了webmail。
- 我增加了设定云服务器的部分,不仅能收发邮件还能管理文件,地址本/联系人(邮件地址,电话号码,生日,等等等),日程表和图片,供所有设备访问使用。
2015-03-25 22:15:51 +08:00
## 申请一个虚拟私人服务器,一个域名,并把它们配置好 ##
2015-02-13 10:44:32 +08:00
让我们从设置基础设施开始:我们的虚拟私人主机和我们的域名。
我用过[1984.is][19]和[Linode][20]提供的虚拟私人主机( ) , , , , ( ) , ,
2015-03-25 22:15:51 +08:00
最好是在服务器上创建一个文件用来保存后面要用到的各种密码(用户账号、邮件账号、云帐号、数据库帐号)。当然最好是加密一下(可以用[GnuPG][24]),这样就算用来设定服务器的电脑被偷了或被入侵了,你的服务器就不会那么容易被攻击。
2015-02-13 10:44:32 +08:00
关于注册域名,我已经使用[grandi][25]的服务超过10年了, , , , ( ) , ,
最后, ( ) , , , ,
在服务器上, , ,
adduser roudy
2015-03-25 22:15:51 +08:00
然后,在文件**/etc/ssh/sshd\_config**中设置
2015-02-13 10:44:32 +08:00
PermitRootLogin no
然后重启ssh服务
service ssh reload
然后,我们要修改服务器的主机名。编辑文件**/etc/hostname**,只有一行就是自己的主机名,我们这个例子中是
cloud
2015-03-25 22:15:51 +08:00
然后,
2015-02-13 10:44:32 +08:00
reboot
我们将更新系统并移除不必要的服务以降低远程攻击的风险。
apt-get update
apt-get dist-upgrade
service exim4 stop
apt-get remove exim4 rpcbind
apt-get autoremove
apt-get install vim
2015-03-25 22:15:51 +08:00
我喜欢使用vim远程编辑配置文件。打开vim 的自动语法高亮会很有帮助。添加下面这一行到**~/.vimrc**文件中。
2015-02-13 10:44:32 +08:00
syn on
2015-03-25 22:15:51 +08:00
## 设置postfix和dovecot来收发电子邮件 ##
2015-02-13 10:44:32 +08:00
apt-get install postfix postfix-mysql dovecot-core dovecot-imapd dovecot-mysql mysql-server dovecot-lmtpd postgrey
2015-03-25 22:15:51 +08:00
在[Postfix][27]的配置菜单里,选择`Internet Site`,设置这个系统的邮件名称为**jhausse.net**。
2015-02-13 10:44:32 +08:00
现在开始添加一个数据库用于保存主机上管理的域名列表,和每个域名下的用户列表(同时也包括他们各自的密码),以及邮件别名列表(用于从一个地址往另一个地址转发邮件)。
mysqladmin -p create mailserver
mysql -p mailserver
mysql> GRANT SELECT ON mailserver.* TO 'mailuser'@'localhost' IDENTIFIED BY 'mailuserpass';
mysql> FLUSH PRIVILEGES;
mysql> CREATE TABLE `virtual_domains` (
`id` int(11) NOT NULL auto_increment,
`name` varchar(50) NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
mysql> CREATE TABLE `virtual_users` (
`id` int(11) NOT NULL auto_increment,
`domain_id` int(11) NOT NULL,
`password` varchar(106) NOT NULL,
`email` varchar(100) NOT NULL,
PRIMARY KEY (`id`),
UNIQUE KEY `email` (`email`),
FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
mysql> CREATE TABLE `virtual_aliases` (
`id` int(11) NOT NULL auto_increment,
`domain_id` int(11) NOT NULL,
`source` varchar(100) NOT NULL,
`destination` varchar(100) NOT NULL,
PRIMARY KEY (`id`),
FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
2015-03-25 22:15:51 +08:00
这里我们为**jhausse.net**域名提供邮件服务。如果还需要加入其他域名, ( ) ,
2015-02-13 10:44:32 +08:00
mysql> INSERT INTO virtual_domains (`name`) VALUES ('jhausse.net');
mysql> INSERT INTO virtual_domains (`name`) VALUES ('otherdomain.net');
mysql> INSERT INTO virtual_aliases (`domain_id`, `source` , `destination` ) VALUES ('1', 'postmaster', 'roudy@jhausse.net');
mysql> INSERT INTO virtual_aliases (`domain_id`, `source` , `destination` ) VALUES ('2', 'postmaster', 'roudy@jhausse.net');
2015-03-25 22:15:51 +08:00
现在已经添加了一个本地邮件账号**roudy@jhausse.net**。首先,为它生成一个密码的哈希串:
2015-02-13 10:44:32 +08:00
doveadm pw -s SHA512-CRYPT
然后把哈希值加入到数据库中
mysql> INSERT INTO `mailserver` .`virtual_users` (`domain_id`, `password` , `email` ) VALUES ('1', '$6$YOURPASSWORDHASH', 'roudy@jhausse.net');
2015-03-25 22:15:51 +08:00
现在我们的域名、别名和用户列表都设置好了, ( , )
2015-02-13 10:44:32 +08:00
myhostname = cloud.jhausse.net
myorigin = /etc/mailname
mydestination = localhost.localdomain, localhost
mynetworks_style = host
# We disable relaying in the general case
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
# Requirements on servers that contact us: we verify the client is not a
# known spammer (reject_rbl_client) and use a graylist mechanism
# (postgrey) to help reducing spam (check_policy_service)
smtpd_client_restrictions = permit_mynetworks, reject_rbl_client zen.spamhaus.org, check_policy_service inet:127.0.0.1:10023
disable_vrfy_command = yes
inet_interfaces = all
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
readme_directory = no
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/cloud.crt
smtpd_tls_key_file=/etc/ssl/private/cloud.key
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtp_tls_security_level=may
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# Delivery
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
message_size_limit = 50000000
recipient_delimiter = +
# The next lines are useful to set up a backup MX for myfriendsdomain.org
# relay_domains = myfriendsdomain.org
# relay_recipient_maps =
# Virtual domains
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
local_recipient_maps = $virtual_mailbox_maps
现在我们要让postfix知道如何从我们设定的数据库里找出需要接收邮件的域名。建立一个新文件**/etc/postfix/mysql-virtual-mailbox-domains.cf**并添加以下内容:
user = mailuser
password = mailuserpass
hosts = 127.0.0.1
dbname = mailserver
query = SELECT 1 FROM virtual_domains WHERE name='%s'
我们可以让postfix判断给定的电子邮件账号是否存在,
user = mailuser
password = mailuserpass
hosts = 127.0.0.1
dbname = mailserver
query = SELECT 1 FROM virtual_users WHERE email='%s'
最后,
user = mailuser
password = mailuserpass
hosts = 127.0.0.1
dbname = mailserver
query = SELECT virtual_aliases.destination as destination FROM virtual_aliases, virtual_domains WHERE virtual_aliases.source='%u' AND virtual_aliases.domain_id = virtual_domains.id AND virtual_domains.name='%d'
在配置好这些后,
postmap -q jhausse.net mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
postmap -q roudy@jhausse.net mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
postmap -q postmaster@jhausse.net mysql:/etc/postfix/mysql-virtual-alias-maps.cf
postmap -q bob@jhausse.net mysql:/etc/postfix/mysql-virtual-alias-maps.cf
如果一切都正常配置了的话, ,
2015-03-25 22:15:51 +08:00
现在, ( , )
2015-02-13 10:44:32 +08:00
# Enable installed protocol
# !include_try /usr/share/dovecot/protocols.d/*.protocol
protocols = imap lmtp
这样将只打开imap( ) ( )
mail_location = maildir:/var/mail/%d/%n
[...]
mail_privileged_group = mail
[...]
first_valid_uid = 0
2015-03-25 22:15:51 +08:00
这样邮件将被保存到目录 /var/mail/domainname/username 下。注意下这几个选项散布在配置文件的不同位置,有时已经在那里写好了:我们只需要取消注释即可。文件里的其他设定选项,可以维持原样。在本文后面还有很多文件需要用同样的方式更新设置。在文件**/etc/dovecot/conf.d/10-auth.conf**里,设置以下参数:
2015-02-13 10:44:32 +08:00
disable_plaintext_auth = yes
auth_mechanisms = plain
#!include auth-system.conf.ext
!include auth-sql.conf.ext
在文件**/etc/dovecot/conf.d/auth-sql.conf.ext**里,设置以下参数:
passdb {
driver = sql
args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
driver = static
args = uid=mail gid=mail home=/var/mail/%d/%n
}
这是告诉dovecot用户的邮件保存在目录/var/mail/domainname/username下,
driver = mysql
connect = host=localhost dbname=mailserver user=mailuser password=mailuserpass
default_pass_scheme = SHA512-CRYPT
password_query = SELECT email as user, password FROM virtual_users WHERE email='%u';
我们现在修改一下配置文件的权限
chown -R mail:dovecot /etc/dovecot
chmod -R o-rwx /etc/dovecot
基本差不多了!只是还需要再多编辑几个文件。在文件**/etc/dovecot/conf.d/10-master.conf**里,设置以下参数:
service imap-login {
inet_listener imap {
#port = 143
port = 0
}
inet_listener imaps {
port = 993
ssl = yes
}
}
service pop3-login {
inet_listener pop3 {
#port = 110
port = 0
}
inet_listener pop3s {
#port = 995
#ssl = yes
port = 0
}
}
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
mode = 0666
group = postfix
user = postfix
}
user = mail
}
service auth {
unix_listener auth-userdb {
mode = 0600
user = mail
#group =
}
# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
mode = 0666
user = postfix
group = postfix
}
# Auth process is run as this user.
#user = $default_internal_user
user = dovecot
}
service auth-worker {
user = mail
}
注意下我们把除了imaps之外所有服务的端口都设置成了0, ,
postmaster_address = postmaster@jhausse.net
最后但很重要的一点, , :
openssl req -new -newkey rsa:4096 -x509 -days 365 -nodes -out "/etc/ssl/certs/cloud.crt" -keyout "/etc/ssl/private/cloud.key"
请确保你指定了服务器的完全限定域名( ) , :
Common Name (e.g. server FQDN or YOUR name) []:cloud.jhausse.net
如果没有的话, :
ssl = required
ssl_cert = < /etc/ssl/certs/cloud.crt
ssl_key = < /etc/ssl/private/cloud.key
就这些了! !
service dovecot restart
service postfix restart
在服务器上,尝试发送邮件给本地用户:
telnet localhost 25
2015-03-25 22:15:51 +08:00
2015-02-13 10:44:32 +08:00
EHLO cloud.jhausse.net
MAIL FROM:youremail@domain.com
2015-03-25 22:15:51 +08:00
RCPT TO:roudy@jhausse.net
2015-02-13 10:44:32 +08:00
data
Subject: Hallo!
This is a test, to check if cloud.jhausse.net is ready to be an MX!
Cheers, Roudy
.
QUIT
服务器应该接受我们的邮件并返回类似消息:
250 2.0.0 Ok: queued as 58D54101DB
如果一切正常的话,检查一下**/var/log/mail.log**里的日志。应该有类似下面的一行:
Nov 14 07:57:06 cloud dovecot: lmtp(4375, roudy@jhausse.net): ... saved mail to INBOX
到这里一切都正常吗? , , ( ) :
openssl s_client -connect cloud.jhausse.net:25 -starttls smtp
EHLO cloud.jhausse.net
MAIL FROM:roudy@jhausse.net
rcpt to:bob@gmail.com
服务器应该有这样的响应:
554 5.7.1 < bob @ gmail . com > : Relay access denied
2015-03-25 22:15:51 +08:00
这个没问题: , ,
2015-02-13 10:44:32 +08:00
554 5.7.1 Service unavailable; Client host [87.68.61.119] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=87.68.61.119
2015-03-25 22:15:51 +08:00
意思是你正尝试从一个被标记成垃圾邮件发送者的IP地址连接服务器。我在通过普通的因特网服务提供商( ) , , , , , , , , , , ( : , :
2015-02-13 10:44:32 +08:00
现在, , :
openssl s_client -connect cloud.jhausse.net:25 -starttls smtp
EHLO cloud.jhausse.net
MAIL FROM:youremail@domain.com
2015-03-25 22:15:51 +08:00
RCPT TO:roudy@jhausse.net
2015-02-13 10:44:32 +08:00
服务器应该有这样的响应
Client host rejected: Greylisted, see http://postgrey.schweikert.ch/help/jhausse.net.html
这意味着[postgrey][28]工作正常。postgrey做的是用临时错误拒绝未知发送者的邮件。邮件的技术规则是要求邮件服务器尝试重新发送邮件。在5分钟后, , , , ,
之后,
openssl s_client -crlf -connect cloud.jhausse.net:993
1 login roudy@jhausse.net "mypassword"
2 LIST "" "*"
3 SELECT INBOX
4 UID fetch 1:1 (UID RFC822.SIZE FLAGS BODY.PEEK[])
5 LOGOUT
2015-03-25 22:15:51 +08:00
这里,你应该把*mypassword*替换为你自己为这个邮件账号设定的密码。如果能正常工作, , ( ) , , , , , ,
2015-02-13 10:44:32 +08:00
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_sasl_security_options=noanonymous
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_non_fqdn_recipient,reject_unauth_destination
2015-03-25 22:15:51 +08:00
然后重启postfix服务:
2015-02-13 10:44:32 +08:00
service postfix reload
现在, , :
openssl s_client -connect cloud.jhausse.net:587 -starttls smtp
EHLO cloud.jhausse.net
2015-03-25 22:15:51 +08:00
注意一下服务器建议的'250-AUTH PLAIN'功能,
2015-02-13 10:44:32 +08:00
MAIL FROM:asdf@jkl.net
rcpt to:bob@gmail.com
554 5.7.1 < bob @ gmail . com > : Relay access denied
QUIT
这个没问题, , , :
echo -ne '\000roudy@jhausse.net\000mypassword'|base64
然后让我们尝试再次通过服务器发送邮件:
openssl s_client -connect cloud.jhausse.net:587 -starttls smtp
EHLO cloud.jhausse.net
AUTH PLAIN DGplYW5AMTk4NGNsb3VQLm5ldAA4bmFmNGNvNG5jOA==
MAIL FROM:asdf@jkl.net
rcpt to:bob@gmail.com
现在postfix应该能正常接收。最后完成这个测试, , :
telnet cloud.jhausse.net 25
EHLO cloud.jhausse.net
MAIL FROM:youremail@domain.com
rcpt to:postmaster@jhausse.net
data
Subject: Virtual alias test
Dear postmaster,
Long time no hear! I hope your MX is working smoothly and securely.
Yours sincerely, Roudy
.
QUIT
让我们检查一下邮件是否被正常送到正确的收件箱了:
openssl s_client -crlf -connect cloud.jhausse.net:993
1 login roudy@jhausse.net "mypassword"
2 LIST "" "*"
3 SELECT INBOX
* 2 EXISTS
* 2 RECENT
4 LOGOUT
到这里,我们已经拥有一个能正常工作的邮箱服务器了,能收发邮件。我们可以配置自己的设备来使用它。
PS: ,
2015-03-25 22:15:51 +08:00
## 阻止垃圾邮件进入你的收件箱 ##
2015-02-13 10:44:32 +08:00
2015-03-25 22:15:51 +08:00
为了过滤垃圾邮件, ( ) ( ) ,
2015-02-13 10:44:32 +08:00
apt-get install dspam dovecot-antispam postfix-pcre dovecot-sieve
2015-03-25 22:15:51 +08:00
dovecot-antispam是一个安装包, , ,
2015-02-13 10:44:32 +08:00
在配置文件**/etc/dspam/dspam.conf**里,为以下参数设置相应的值:
TrustedDeliveryAgent "/usr/sbin/sendmail"
UntrustedDeliveryAgent "/usr/lib/dovecot/deliver -d %u"
Tokenizer osb
IgnoreHeader X-Spam-Status
IgnoreHeader X-Spam-Scanned
IgnoreHeader X-Virus-Scanner-Result
IgnoreHeader X-Virus-Scanned
IgnoreHeader X-DKIM
IgnoreHeader DKIM-Signature
IgnoreHeader DomainKey-Signature
IgnoreHeader X-Google-Dkim-Signature
ParseToHeaders on
ChangeModeOnParse off
ChangeUserOnParse full
ServerPID /var/run/dspam/dspam.pid
ServerDomainSocketPath "/var/run/dspam/dspam.sock"
ClientHost /var/run/dspam/dspam.sock
然后,在配置文件**/etc/dspam/default.prefs**里,把以下参数改为:
spamAction=deliver # { quarantine | tag | deliver } -> default:quarantine
signatureLocation=headers # { message | headers } -> default:message
showFactors=on
现在我们需要把dspam连接到postfix和dovecot上,
dspam unix - n n - 10 pipe
flags=Ru user=dspam argv=/usr/bin/dspam --deliver=innocent,spam --user $recipient -i -f $sender -- $recipient
dovecot unix - n n - - pipe
flags=DRhu user=mail:mail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}
2015-03-25 22:15:51 +08:00
现在我们将告诉postfix通过dspam来过滤所有提交给服务器端口25( ) , ( ) ,
2015-02-13 10:44:32 +08:00
smtpd_client_restrictions = permit_mynetworks, reject_rbl_client zen.spamhaus.org, check_policy_service inet:127.0.0.1:10023, check_client_access pcre:/etc/postfix/dspam_filter_access
在文件末尾,还需要增加:
# For DSPAM, only scan one mail at a time
dspam_destination_recipient_limit = 1
2015-03-25 22:15:51 +08:00
现在我们需要指定我们定义的过滤器。基本上, ( )
2015-02-13 10:44:32 +08:00
/./ FILTER dspam:unix:/run/dspam/dspam.sock
2015-03-25 22:15:51 +08:00
这是postfix部分的配置。现在让我们为dovecot设置垃圾过滤。在文件**/etc/dovecot/conf.d/20-imap.conf**里,修改**imap mail\_plugin**插件参数为下面的方式:
2015-02-13 10:44:32 +08:00
mail_plugins = $mail_plugins antispam
并为lmtp增加一个部分:
protocol lmtp {
# Space separated list of plugins to load (default is global mail_plugins).
mail_plugins = $mail_plugins sieve
}
我们现在设置dovecot-antispam插件。编辑文件**/etc/dovecot/conf.d/90-plugin.conf**并把以下内容添加到插件部分:
plugin {
...
# Antispam (DSPAM)
antispam_backend = dspam
antispam_allow_append_to_spam = YES
antispam_spam = Junk;Spam
antispam_trash = Trash;trash
antispam_signature = X-DSPAM-Signature
antispam_signature_missing = error
antispam_dspam_binary = /usr/bin/dspam
antispam_dspam_args = --user;%u;--deliver=;--source=error
antispam_dspam_spam = --class=spam
antispam_dspam_notspam = --class=innocent
antispam_dspam_result_header = X-DSPAM-Result
}
然后在文件**/etc/dovecot/conf.d/90-sieve.conf**里指定默认的sieve脚本, :
sieve_default = /etc/dovecot/default.sieve
2015-03-25 22:15:51 +08:00
什么是sieve以及为什么我们需要为所有用户设置一个默认脚本? , ; ,
2015-02-13 10:44:32 +08:00
require ["regex", "fileinto", "imap4flags"];
# Catch mail tagged as Spam, except Spam retrained and delivered to the mailbox
if allof (header :regex "X-DSPAM-Result" "^(Spam|Virus|Bl[ao]cklisted)$",
not header :contains "X-DSPAM-Reclassified" "Innocent") {
# Mark as read
# setflag "\\Seen";
# Move into the Junk folder
fileinto "Junk";
# Stop processing here
stop;
}
现在我们需要编译这个脚本好让dovecot能运行它。我们也需要给它合适的权限。
cd /etc/dovecot
sievec .
chown mail.dovecot default.siev*
chmod 0640 default.sieve
chmod 0750 default.svbin
2015-03-25 22:15:51 +08:00
最后, :
2015-02-13 10:44:32 +08:00
chmod 0644 /etc/postfix/dynamicmaps.cf /etc/postfix/main.cf
就这些!
service dovecot restart
service postfix restart
然后通过从远程主机(比如我们用来设定服务器的电脑)连接服务器来测试一下反垃圾邮件:
openssl s_client -connect cloud.jhausse.net:25 -starttls smtp
EHLO cloud.jhausse.net
MAIL FROM:youremail@domain.com
rcpt to:roudy@jhausse.net
DATA
Subject: DSPAM test
Hi Roudy, how'd you like to eat some ham tonight? Yours, J
.
QUIT
让我们检查一下邮件是否已经送到:
openssl s_client -crlf -connect cloud.jhausse.net:993
1 login roudy@jhausse.net "mypassword"
2 LIST "" "*"
3 SELECT INBOX
4 UID fetch 3:3 (UID RFC822.SIZE FLAGS BODY.PEEK[])
这个应该返回SPAM为邮件增加了一组标记的数据, :
X-DSPAM-Result: Innocent
X-DSPAM-Processed: Sun Oct 5 16:25:48 2014
X-DSPAM-Confidence: 1.0000
X-DSPAM-Probability: 0.0023
X-DSPAM-Signature: 5431710c178911166011737
X-DSPAM-Factors: 27,
Received*Postfix+with, 0.40000,
Received*with+#+id, 0.40000,
like+#+#+#+ham, 0.40000,
some+#+tonight, 0.40000,
Received*certificate+requested, 0.40000,
Received*client+certificate, 0.40000,
Received*for+roudy, 0.40000,
Received*Sun+#+#+#+16, 0.40000,
Received*Sun+#+Oct, 0.40000,
Received*roudy+#+#+#+Oct, 0.40000,
eat+some, 0.40000,
Received*5+#+#+16, 0.40000,
Received*cloud.jhausse.net+#+#+#+id, 0.40000,
Roudy+#+#+#+to, 0.40000,
Received*Oct+#+16, 0.40000,
to+#+#+ham, 0.40000,
Received*No+#+#+requested, 0.40000,
Received*jhausse.net+#+#+Oct, 0.40000,
Received*256+256, 0.40000,
like+#+#+some, 0.40000,
Received*ESMTPS+id, 0.40000,
how'd+#+#+to, 0.40000,
tonight+Yours, 0.40000,
Received*with+cipher, 0.40000
5 LOGOUT
很好!你现在已经为你服务器上的用户配置好自适应垃圾邮件过滤。当然,每个用户将需要在开始的几周里培训过滤器。要标记一则信息为垃圾,只需要在你的任意设备(电脑,平板,手机)上将它移动到叫“垃圾箱”或“废纸篓”的目录里。否则它将被标记为有用。
2015-03-25 22:15:51 +08:00
## 确保你发出的邮件能通过垃圾邮件过滤器 ##
2015-02-13 10:44:32 +08:00
这个部分我们的目标是让我们的邮件服务器能尽量干净地出现在世界上,并让垃圾邮件发送者们更难以我们的名义发邮件。作为附加效果,这也有助于让我们的邮件能通过其他邮件服务器的垃圾邮件过滤器。
2015-03-25 22:15:51 +08:00
### 发送者策略框架( )
2015-02-13 10:44:32 +08:00
发送者策略框架( ) , , , :
jhausse.net. 300 IN TXT v=spf1 mx mx:cloud.jhausse.net -all
2015-03-25 22:15:51 +08:00
### 反向PTR ###
2015-02-13 10:44:32 +08:00
我们[之前][32]在本文里讨论过这个问题, ,
2015-03-25 22:15:51 +08:00
### OpenDKIM ###
2015-02-13 10:44:32 +08:00
当我们激活[OpenDKIM][33]后, , , :
apt-get install opendkim opendkim-tools
然后按如下方式编辑**/etc/opendkim.conf**文件的配置:
##
## opendkim.conf -- configuration file for OpenDKIM filter
##
Canonicalization relaxed/relaxed
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
LogWhy Yes
MinimumKeyBits 1024
Mode sv
PidFile /var/run/opendkim/opendkim.pid
SigningTable refile:/etc/opendkim/SigningTable
Socket inet:8891@localhost
Syslog Yes
SyslogSuccess Yes
TemporaryDirectory /var/tmp
UMask 022
UserID opendkim:opendkim
2015-03-25 22:15:51 +08:00
我们还需要几个额外的文件,需保存在目录**/etc/opendkim**里:
2015-02-13 10:44:32 +08:00
mkdir -pv /etc/opendkim/
cd /etc/opendkim/
让我们建立新文件**/etc/opendkim/TrustedHosts**并写入以下内容
127.0.0.1
建立新文件**/etc/opendkim/KeyTable**并写入以下内容
cloudkey jhausse.net:mail:/etc/opendkim/mail.private
这会告诉OpenDKIM我们希望使用一个名叫'cloudkey'的加密密钥,它的内容在文件/etc/opendkim/mail.private里。我们建立另一个名叫**/etc/opendkim/SigningTable**的文件然后写入下面这一行:
*@jhausse.net cloudkey
这会告诉OpenDKIM每封从jhausse.net域发出的邮件都应该用'cloudkey'密钥签名。如果我们还有其他域希望也能签名,我们也可以在这里添加。
下一步是生成密钥并修改OpenDKIM配置文件的权限。
opendkim-genkey -r -s mail [-t]
chown -Rv opendkim:opendkim /etc/opendkim
chmod 0600 /etc/opendkim/*
chmod 0700 /etc/opendkim
一开始,最好使用-t开关, , ( ) :
cat mail.txt
2015-03-25 22:15:51 +08:00
然后把它作为一个TXT记录添加到区域文件里,
2015-02-13 10:44:32 +08:00
mail._domainkey.cloud1984.net. 300 IN TXT v=DKIM1; k=rsa; p=MIGfMA0GCSqG...
最后, , :
# Now for OpenDKIM: we'll sign all outgoing emails
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
2015-03-25 22:15:51 +08:00
然后重启相关服务:
2015-02-13 10:44:32 +08:00
service postfix reload
service opendkim restart
2015-03-25 22:15:51 +08:00
现在让我们测试一下是否能找到我们的OpenDKIM公钥并和私钥匹配:
2015-02-13 10:44:32 +08:00
opendkim-testkey -d jhausse.net -s mail -k mail.private -vvv
2015-03-25 22:15:51 +08:00
这个应该返回:
2015-02-13 10:44:32 +08:00
opendkim-testkey: key OK
这个你可能需要等一会直到域名服务器重新加载该区域( , )
2015-03-25 22:15:51 +08:00
如果这个没问题, ,
2015-02-13 10:44:32 +08:00
mail -s CloudCheck ihAdmTBmUH@www.brandonchecketts.com
在Brandon的网页上, , , , ! !
2015-03-25 22:15:51 +08:00
## 使用Owncloud提供日历, ,
2015-02-13 10:44:32 +08:00
2015-03-25 22:15:51 +08:00
既然我们已经拥有了一流的邮件服务器,让我们再为它增加在云上保存通讯录,日程表和文件的能力。这些是[Owncloud][35]所提供的非常赞的服务。在这个弄好后,我们还会设置一个网页邮件,这样就算你没带任何电子设备出去旅行时,或者说在你的手机或笔记本没电的情况下,也可以通过网吧来检查邮件。
2015-02-13 10:44:32 +08:00
安装Owncloud非常直观, , , , :
echo 'deb http://download.opensuse.org/repositories/isv:/ownCloud:/community/Debian_7.0/ /' >> /etc/apt/sources.list.d/owncloud.list
wget http://download.opensuse.org/repositories/isv:ownCloud:community/Debian_6.0/Release.key
apt-key add - < Release.key
apt-get update
apt-get install apache2 owncloud roundcube
2015-03-25 22:15:51 +08:00
在有提示的时候,选择**dbconfig**并设置**roundcube**使用**mysql**。然后, , , :
2015-02-13 10:44:32 +08:00
$rcmail_config['default_host'] = 'ssl://localhost';
$rcmail_config['default_port'] = 993;
2015-03-25 22:15:51 +08:00
现在我们来配置一下apache2网页服务器增加SSL支持, :
2015-02-13 10:44:32 +08:00
a2enmod ssl
然后编辑文件**/etc/apache2/ports.conf**并设定以下参数:
2015-03-25 22:15:51 +08:00
NameVirtualHost *:80
Listen 80
ServerName www.jhausse.net
2015-02-13 10:44:32 +08:00
< IfModule mod_ssl . c >
# If you add NameVirtualHost *:443 here, you will also have to change
# the VirtualHost statement in /etc/apache2/sites-available/default-ssl
# to < VirtualHost * :443 >
# Server Name Indication for SSL named virtual hosts is currently not
# supported by MSIE on Windows XP.
NameVirtualHost *:443
Listen 443
< / IfModule >
< IfModule mod_gnutls . c >
Listen 443
< / IfModule >
我们将在目录**/var/www**下为服务器加密连接**https://www.jhausse.net**设定一个默认网站。编辑文件**/etc/apache2/sites-available/default-ssl**:
< VirtualHost _default_ :443 >
ServerAdmin webmaster@localhost
DocumentRoot /var/www
ServerName www.jhausse.net
[...]
< Directory / var / www / owncloud >
Deny from all
< / Directory >
[...]
SSLCertificateFile /etc/ssl/certs/cloud.crt
SSLCertificateKeyFile /etc/ssl/private/cloud.key
[...]
< / VirtualHost >
然后让我们同时也在目录**/var/www**下设定一个非加密连接**http://www.jhausse.net**的默认网站。编辑文件**/etc/apache2/sites-available/default**:
< VirtualHost _default_ :443 >
DocumentRoot /var/www
ServerName www.jhausse.net
[...]
< Directory / var / www / owncloud >
Deny from all
< / Directory >
< / VirtualHost >
这样的话,我们通过把文件放到/var/www目录下让www.jhausse.net使用它们提供网站服务。名叫'Deny from all'的指令可以阻止通过www.jhausse.net访问Owncloud:
现在我们将设定网页邮件( ) ,
< IfModule mod_ssl . c >
< VirtualHost * :443 >
ServerAdmin webmaster@localhost
DocumentRoot /var/lib/roundcube
# The host name under which you'd like to access the webmail
ServerName webmail.jhausse.net
< Directory / >
Options FollowSymLinks
AllowOverride None
< / Directory >
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# do not allow unsecured connections
# SSLRequireSSL
SSLCipherSuite HIGH:MEDIUM
# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
SSLCertificateFile /etc/ssl/certs/cloud.crt
SSLCertificateKeyFile /etc/ssl/private/cloud.key
# Those aliases do not work properly with several hosts on your apache server
# Uncomment them to use it or adapt them to your configuration
Alias /program/js/tiny_mce/ /usr/share/tinymce/www/
# Access to tinymce files
< Directory " / usr / share / tinymce / www / " >
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order allow,deny
allow from all
< / Directory >
< Directory / var / lib / roundcube / >
Options +FollowSymLinks
# This is needed to parse /var/lib/roundcube/.htaccess. See its
# content before setting AllowOverride to None.
AllowOverride All
order allow,deny
allow from all
< / Directory >
# Protecting basic directories:
< Directory / var / lib / roundcube / config >
Options -FollowSymLinks
AllowOverride None
< / Directory >
< Directory / var / lib / roundcube / temp >
Options -FollowSymLinks
AllowOverride None
Order allow,deny
Deny from all
< / Directory >
< Directory / var / lib / roundcube / logs >
Options -FollowSymLinks
AllowOverride None
Order allow,deny
Deny from all
< / Directory >
< FilesMatch " \.( cgi | shtml | phtml | php )$" >
SSLOptions +StdEnvVars
< / FilesMatch >
< Directory / usr / lib / cgi-bin >
SSLOptions +StdEnvVars
< / Directory >
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
< / VirtualHost >
< / IfModule >
然后在你的DNS服务商那里声明一下服务器, :
webmail.jhausse.net. 300 IN CNAME cloud.jhausse.net.
现在让我激活这三个网站
a2ensite default default-ssl roundcube
service apache2 restart
2015-03-25 22:15:51 +08:00
关于网页邮件,可以通过网址**https://webmail.jhausse.net**来访问, ( ) , ,
2015-02-13 10:44:32 +08:00
2015-03-25 22:15:51 +08:00
最后但很重要的是,我们将通过把以下内容写入到**/etc/apache2/sites-available/owncloud**来为Owncloud创建一个虚拟主机。
2015-02-13 10:44:32 +08:00
< IfModule mod_ssl . c >
< VirtualHost * :443 >
ServerAdmin webmaster@localhost
DocumentRoot /var/www/owncloud
ServerName cloud.jhausse.net
< Directory / >
Options FollowSymLinks
AllowOverride None
< / Directory >
< Directory / var / www / owncloud >
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
< / Directory >
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
< Directory " / usr / lib / cgi-bin " >
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
< / Directory >
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# do not allow unsecured connections
# SSLRequireSSL
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /etc/ssl/certs/cloud.crt
SSLCertificateKeyFile /etc/ssl/private/cloud.key
< FilesMatch " \.( cgi | shtml | phtml | php )$" >
SSLOptions +StdEnvVars
< / FilesMatch >
< Directory / usr / lib / cgi-bin >
SSLOptions +StdEnvVars
< / Directory >
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
< / VirtualHost >
< / IfModule >
然后通过执行以下命令激活Owncloud
a2ensite owncloud
service apache2 reload
之后通过在浏览器里打开链接**https://cloud.jhausse.net/**配置一下Owncloud。
就这些了! , , , , ! !
2015-03-25 22:15:51 +08:00
## 在云上同步你的设备 ##
2015-02-13 10:44:32 +08:00
2015-03-25 22:15:51 +08:00
要同步你的邮件, : , ,
2015-02-13 10:44:32 +08:00
在Owncloud的文档里描述了如何与云端同步你的日程表和联系人。在Android系统中, ,
对于文件, , ,
2015-03-25 22:15:51 +08:00
## 最后一点提示 ##
2015-02-13 10:44:32 +08:00
在上线后的前几个星期里,最好每天检查一下日志**/var/log/syslog**和**/var/log/mail.log**以保证一切都在顺利运行。在你邀请其他人(朋友,家人,等等)加入你的服务器之前这很重要。他们信任你能很好地架设个人服务器维护他们的数据,但是如果服务器突然崩溃会让他们很失望。
2015-03-25 22:15:51 +08:00
要添加另一个邮件用户,只要在数据库**mailserver**的**virtual\_users**表中增加一行。
2015-02-13 10:44:32 +08:00
2015-03-25 22:15:51 +08:00
要添加一个域名,只要在**virtual_domains**表中增加一行。然后更新**/etc/opendkim/SigningTable**为发出的邮件签名, ,
2015-02-13 10:44:32 +08:00
Owncloud有自己的用户数据库,
2015-03-25 22:15:51 +08:00
最后, , ? , ( ) , ? , ,
2015-02-13 10:44:32 +08:00
--------------------------------------------------------------------------------
via: https://www.howtoforge.com/tutorial/build-your-own-cloud-on-debian-wheezy/
2015-03-25 22:15:51 +08:00
作者:[Roudy Jhausse][a]
2015-02-13 10:44:32 +08:00
译者:[zpl1025](https://github.com/zpl1025)
2015-03-25 22:15:51 +08:00
校对:[wxy](https://github.com/wxy)
2015-02-13 10:44:32 +08:00
本文由 [LCTT ](https://github.com/LCTT/TranslateProject ) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出
[a]:aboutlinux@free.fr
[1]:https://history.google.com/history/
[2]:http://research.google.com/workatgoogle.html
[3]:http://www.attac.org/
[4]:http://www.nytimes.com/2012/02/19/magazine/shopping-habits.html?pagewanted=all
[5]:http://vimeo.com/ondemand/termsandconditions
[6]:http://www.techtimes.com/articles/21670/20141208/sony-pictures-hack-nightmare-week-celebs-data-leak-and-threatening-emails-to-employees.htm
[7]:http://blog.backupify.com/2012/07/25/what-is-my-gmail-account-really-worth/
[8]:http://adage.com/article/digital/worth-facebook-google/293042/
[9]:http://vimeo.com/ondemand/termsandconditions
[10]:https://prism-break.org/en/
[11]:https://www.howtoforge.com/tutorial/build-your-own-cloud-on-debian-wheezy/#VPS
[12]:https://www.howtoforge.com/tutorial/build-your-own-cloud-on-debian-wheezy/#mail
[13]:https://www.howtoforge.com/tutorial/build-your-own-cloud-on-debian-wheezy/#dspam
[14]:https://www.howtoforge.com/tutorial/build-your-own-cloud-on-debian-wheezy/#SPF
[15]:https://www.howtoforge.com/tutorial/build-your-own-cloud-on-debian-wheezy/#owncloud
[16]:https://www.howtoforge.com/tutorial/build-your-own-cloud-on-debian-wheezy/#sync
[17]:http://linuxfr.org/news/heberger-son-courriel
[18]:http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/
[19]:http://www.1984.is/
[20]:http://www.linode.com/
[21]:http://www.greenpeace.org/international/Global/international/publications/climate/2012/iCoal/HowCleanisYourCloud.pdf
[22]:http://www.1984.is/about/
[23]:http://www.fsf.org/
[24]:https://www.gnupg.org/
[25]:http://www.gandi.net/
[26]:http://www.codinghorror.com/blog/2010/04/so-youd-like-to-send-some-email-through-code.html
[27]:http://www.postfix.org/
[28]:http://postgrey.schweikert.ch/
[29]:https://www.howtoforge.com/tutorial/build-your-own-cloud-on-debian-wheezy/#testPort25
[30]:http://dspam.sourceforge.net/
[31]:http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/
[32]:https://www.howtoforge.com/tutorial/build-your-own-cloud-on-debian-wheezy/#PTR
[33]:http://opendkim.org/opendkim-README
[34]:http://www.brandonchecketts.com/emailtest.php
[35]:http://owncloud.org/
[36]:http://owncloud.org/install/
[37]:https://code.google.com/p/k9mail/
[38]:http://doc.owncloud.org/server/7.0/user_manual/files/files.html
