Install/iRedAPD/MySQL/zh CN

From iRedMail

Introduction and features

  • iRedAPD is a Postfix policy daemon developed by the iRedMail team; it implements advanced access control during the SMTP session.
  • Both OpenLDAP and MySQL backends are supported.
  • Plugins are supported.

Available Plugins

Plugin name                  Description                                Backend
ldap_maillist_access_policy  Used to restrict access to a mail list     OpenLDAP
sql_alias_access_policy      Used to restrict access to an alias        MySQL

Requirements

  • Python >= 2.4: the core programming language.
  • Python-MySQLdb: the Python database interface for MySQL.
  • web.py >= 0.3.0: a compact web framework.
  • DBUtils: a pool of database connections, which keeps database access fast under heavy load.
  • iRedMail: every iRedMail release is supported.

Modify the MySQL table

The sql_alias_access_policy plugin needs two extra columns in the vmail.alias table, to store the access policy and the moderators' email addresses.

Terminal:
mysql> USE vmail;
mysql> ALTER TABLE alias ADD COLUMN accesspolicy VARCHAR(30) NOT NULL DEFAULT '';
mysql> ALTER TABLE alias ADD COLUMN moderators TEXT NOT NULL DEFAULT '';

Install the required Python modules

  • RHEL/CentOS:
Terminal:
# yum install MySQL-python python-setuptools
# easy_install web.py DBUtils
  • Debian/Ubuntu:
Terminal:
$ sudo apt-get install python-setuptools python-mysqldb
$ sudo easy_install web.py DBUtils
  • FreeBSD:
Terminal:
# cd /usr/ports/databases/py-MySQLdb
# make install clean

# cd /usr/ports/www/webpy/
# make install clean

# cd /usr/ports/databases/py-dbutils/
# make install clean

Download and configure iRedAPD

  • Download iRedAPD from the download page.
  • Extract iRedAPD into /opt/, set file permissions and create a symbolic link.
Terminal:
# tar xjf iRedAPD-x.y.z.tar.bz2 -C /opt/
# ln -s /opt/iRedAPD-x.y.z /opt/iredapd
# chmod +x /opt/iredapd/src/iredapd.py
  • Copy the init script to /etc/init.d/ (Linux) or /usr/local/etc/rc.d/ (FreeBSD):
Terminal:
# cp /opt/iredapd/rc_scripts/iredapd /etc/init.d/iredapd
# chmod +x /etc/init.d/iredapd
  • Copy the sample configuration file:
Terminal:
# cp /opt/iredapd/etc/iredapd.ini.sample /opt/iredapd/etc/iredapd.ini
  • Edit /opt/iredapd/etc/iredapd.ini:
File: /opt/iredapd/etc/iredapd.ini
[general]
# Listen address and port.
listen_addr     = 127.0.0.1
listen_port     = 7777

# Background/daemon mode: yes, no.
run_as_daemon   = yes

# Path to pid file.
pid_file        = /var/run/iredapd.pid

# Log type: file.
log_type        = file
log_file        = /var/log/iredapd.log

# Log level: info, warning, error, debug.
# 'info' is recommended for product use.
log_level       = info

# Backend: ldap, mysql.
backend         = mysql

[mysql]
# For MySQL backend only.
server      = 127.0.0.1
db          = vmail
user        = vmail
password    = Psaf68wsuVctYSbj4PJzRqmFsE0rlQ
alias_table = alias

# Enabled plugins.
plugins = sql_alias_access_policy
  • Start iRedAPD.
Terminal:
# /etc/init.d/iredapd start
  • Make iRedAPD start at boot.
    • RHEL/CentOS:
Terminal:
# chkconfig --level 345 iredapd on
    • Debian/Ubuntu:
Terminal:
$ sudo update-rc.d iredapd defaults
    • FreeBSD: add the following line to /etc/rc.conf:
File: /etc/rc.conf
iredapd_enable='YES'

Configure Postfix

  • Add check_policy_service to smtpd_recipient_restrictions in /etc/postfix/main.cf, before the permit_* entries. The check_policy_service line is the one to insert; main.cf does not accept comments on the same line as a value, so do not put an annotation next to it.
File: /etc/postfix/main.cf
smtpd_recipient_restrictions =
    ...
    check_policy_service inet:127.0.0.1:7777,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    ...
  • Restart Postfix so the change takes effect.
Terminal:
# /etc/init.d/postfix restart

Rotate the log file automatically with logrotate

Add a logrotate configuration file for iRedAPD's log file:

File: /etc/logrotate.d/iredapd
/var/log/iredapd.log {
    compress
    daily
    rotate 30
    missingok

    # iRedAPD writes this file itself (log_type = file), so copy it and
    # truncate it in place; reloading syslog would not make the daemon
    # reopen its log file.
    copytruncate

    # Use bzip2 for compression.
    compresscmd /bin/bzip2
    uncompresscmd /bin/bunzip2
    compressoptions -9
    compressext .bz2
}

Available access policies

Five policies can be set on a mail alias:

Policy                       Description                                                        Value of column 'accesspolicy'
Unrestricted                 Everyone can send mail to this address.                            public
Domain users only            Only users under the same domain can send mail to this address.   domain
Members only                 Only members of the alias can send mail to this address.           membersOnly
Moderators only              Only moderators can send mail to this address.                     moderatorsOnly
Members and moderators only  Only members and moderators can send mail to this address.         membersAndModeratorsOnly

Note: the accesspolicy value is case-insensitive.
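How the five values are enforced, as an added example that is not iRedAPD's own code: a Python 3 model of the decision the sql_alias_access_policy plugin makes from the 'goto', 'accesspolicy' and 'moderators' columns, fed with a Postfix policy request of the kind check_policy_service sends at RCPT TO. The alias rows, the addresses and the 'REJECT Not authorized' text are constructed for the example; iRedAPD itself targets Python 2.4 and reads the real vmail database, which this model does not touch. Because the check_policy_service entry sits before permit_mynetworks and permit_sasl_authenticated in the main.cf snippet above, the daemon is consulted for every recipient, local and authenticated senders included.

```python
"""
Added example (not iRedAPD's own code): a Python 3 model of the decision the
sql_alias_access_policy plugin makes from the 'accesspolicy' and 'moderators'
columns. Nothing here touches MySQL; the alias rows are constructed sample data.
"""

# Constructed rows from vmail.alias: address -> (goto, accesspolicy, moderators).
# 'goto' holds the alias members; it and 'moderators' are comma-separated lists.
SAMPLE_ALIASES = {
    "all@example.com":      ("", "public", ""),
    "internal@example.com": ("", "domain", ""),
    "staff@example.com":    ("alice@example.com,bob@example.com", "membersOnly", ""),
    "support@example.com":  ("alice@example.com", "moderatorsOnly", "carol@example.com"),
    # Mixed case on purpose: the accesspolicy value is case-insensitive.
    "team@example.com":     ("alice@example.com", "MembersAndModeratorsOnly", "carol@example.com"),
}

REJECT = "REJECT Not authorized"   # constructed reply text
DUNNO = "DUNNO"                    # "no opinion": Postfix moves on to the next restriction


def split_addresses(value):
    """Split a comma-separated column value into a set of lowercased addresses."""
    return {a.strip().lower() for a in value.split(",") if a.strip()}


def domain_of(address):
    """Return the part after the last '@'; '' for an empty (bounce) sender."""
    return address.rpartition("@")[2]


def check_alias_access(sender, recipient, aliases=SAMPLE_ALIASES):
    """Return the policy action for one sender/recipient pair.

    The plugin only ever rejects: when the recipient is not a restricted alias
    it answers DUNNO so the remaining smtpd_recipient_restrictions decide.
    """
    sender = sender.strip().lower()
    recipient = recipient.strip().lower()
    row = aliases.get(recipient)
    if row is None:
        return DUNNO                       # not an alias: nothing to enforce
    goto, accesspolicy, moderators = row
    policy = accesspolicy.strip().lower()  # column value is case-insensitive
    members = split_addresses(goto)
    mods = split_addresses(moderators)

    if policy in ("", "public"):
        return DUNNO
    if policy == "domain":
        # An empty sender (a bounce) has no domain and is rejected here.
        return DUNNO if domain_of(sender) == domain_of(recipient) else REJECT
    allowed_by_policy = {
        "membersonly": members,
        "moderatorsonly": mods,
        "membersandmoderatorsonly": members | mods,
    }
    if policy not in allowed_by_policy:
        # Assumption of this example: an unrecognised value is treated like
        # 'public' rather than blocking all mail to the alias.
        return DUNNO
    return DUNNO if sender in allowed_by_policy[policy] else REJECT


def parse_policy_request(raw):
    """Parse one Postfix policy request: 'key=value' lines ended by a blank line."""
    attrs = {}
    for line in raw.split("\n"):
        if not line:
            break
        key, _, value = line.partition("=")
        attrs[key] = value
    return attrs


def policy_action(raw_request, aliases=SAMPLE_ALIASES):
    """Turn a raw policy request into the 'action=...' reply Postfix expects."""
    attrs = parse_policy_request(raw_request)
    action = check_alias_access(attrs.get("sender", ""), attrs.get("recipient", ""), aliases)
    return "action=%s\n\n" % action


if __name__ == "__main__":
    # Constructed request, in the shape Postfix sends to check_policy_service.
    request = ("request=smtpd_access_policy\n"
               "protocol_state=RCPT\n"
               "sender=mallory@other.example\n"
               "recipient=staff@example.com\n\n")
    print(policy_action(request), end="")
```

Running the file directly prints the reply for a constructed request from an outside sender to the members-only alias; the domain policy compares the sender's domain with the alias's domain only, so a forged envelope sender in the same domain passes it, which is why the stricter member and moderator policies exist.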

Troubleshooting & Debug

If iRedAPD does not work as expected, set log_level = debug in /opt/iredapd/etc/iredapd.ini, restart iredapd and watch the log file /var/log/iredapd.log; then post to the iRedMail forum with the log output attached.
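Before turning up log_level it is worth confirming that the daemon actually answers on listen_addr/listen_port. The following is an added test client (Python 3, not part of iRedAPD) that sends one smtpd_access_policy request over TCP, the way Postfix does, and returns the action from the reply. So that it runs offline, the block also starts a stub policy server on a free loopback port which always answers the action it is given; the stub is a stand-in for iRedAPD, not the daemon itself, and the client_address value is a constructed sample. Point query_policy_daemon at ('127.0.0.1', 7777) to query the real daemon configured above.

```python
"""
Added example (not iRedAPD's own code): a Python 3 test client for the
Postfix policy protocol, plus an offline stub server that answers in place
of iRedAPD so the block can run without the daemon.
"""
import socket
import threading

DEFAULT_ADDR = ("127.0.0.1", 7777)   # listen_addr / listen_port from iredapd.ini


def build_request(sender, recipient, client_address="192.0.2.10"):
    """Build one smtpd_access_policy request framed as Postfix sends it."""
    attrs = [
        ("request", "smtpd_access_policy"),
        ("protocol_state", "RCPT"),
        ("protocol_name", "ESMTP"),
        ("client_address", client_address),   # constructed sample value
        ("sender", sender),
        ("recipient", recipient),
    ]
    # Each attribute is 'key=value' on its own line; an empty line ends the request.
    return "".join("%s=%s\n" % kv for kv in attrs) + "\n"


def read_until_blank_line(conn):
    """Read one complete protocol message (terminated by an empty line)."""
    buf = b""
    while b"\n\n" not in buf:
        chunk = conn.recv(4096)
        if not chunk:           # peer closed before finishing the message
            break
        buf += chunk
    return buf.decode("utf-8", "replace")


def query_policy_daemon(sender, recipient, addr=DEFAULT_ADDR, timeout=5.0):
    """Send one request and return the 'action' value, or None if the reply is malformed."""
    with socket.create_connection(addr, timeout=timeout) as conn:
        conn.sendall(build_request(sender, recipient).encode("utf-8"))
        reply = read_until_blank_line(conn)
    for line in reply.split("\n"):
        if line.startswith("action="):
            return line[len("action="):]
    return None


def start_stub_server(action="DUNNO"):
    """Start a one-shot stub policy server on a free loopback port; return its (host, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve_once():
        conn, _ = srv.accept()
        with conn:
            read_until_blank_line(conn)   # consume the request, then answer
            conn.sendall(("action=%s\n\n" % action).encode("utf-8"))
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return srv.getsockname()


if __name__ == "__main__":
    addr = start_stub_server()
    print(query_policy_daemon("alice@example.com", "staff@example.com", addr))
```

Against the real daemon, DUNNO for an unrestricted pair and a REJECT for a sender the alias policy excludes show that Postfix and iRedAPD agree on the protocol; a connection error means nothing is listening where main.cf's check_policy_service entry points, and a None result means the reply was not a well-formed action line, which is what the debug log should then explain.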
