增加 **csrfmiddlewaretoken:$("[name=csrfmiddlewaretoken]").val()** ```js $.ajax({ url: "/some_page", type: "post", dataType: "json", data: { csrfmiddlewaretoken:$("[name=csrfmiddlewaretoken]").val(), username: $('#uname').val(), password: $('#passwd').val(), geetest_challenge: validate.geetest_challenge, geetest_validate: validate.geetest_validate, geetest_seccode: validate.geetest_seccode }, success: function (data) { if (data && (data.status === "success")) { $(document.body).html('<h1>登录成功</h1>'); } else { $(document.body).html('<h1>登录失败</h1>'); } } }); }); ```

### OpenVPN服务器 #### 开启epel-release ```bash yum install epel-release -y ``` #### 安装openvpn、easy-rsa和iptables-services ```bash yum install openvpn easy-rsa iptables-services -y ``` #### 配置easy-rsa ```bash cd /etc/openvpn/ cp -r /usr/share/easy-rsa /etc/openvpn/ ``` ```bash cd /etc/openvpn/easy-rsa/3/ vim vars ``` ``` set_var EASYRSA "$PWD" set_var EASYRSA_PKI "$EASYRSA/pki" set_var EASYRSA_DN "cn_only" set_var EASYRSA_REQ_COUNTRY "ID" set_var EASYRSA_REQ_PROVINCE "GuangDong" set_var EASYRSA_REQ_CITY "guangzhou" set_var EASYRSA_REQ_ORG "test CERTIFICATE AUTHORITY" set_var EASYRSA_REQ_EMAIL "sheyinsong@untes.co" set_var EASYRSA_REQ_OU "SHEYINSONG EASY CA" set_var EASYRSA_KEY_SIZE 2048 set_var EASYRSA_ALGO rsa set_var EASYRSA_CA_EXPIRE 7500 set_var EASYRSA_CERT_EXPIRE 3650 set_var EASYRSA_NS_SUPPORT "no" set_var EASYRSA_NS_COMMENT "SHEYINSONG CERTIFICATE AUTHORITY" set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types" set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-1.0.cnf" set_var EASYRSA_DIGEST "sha256" ``` ```bash chmod +x vars ``` #### 创建CA ```bash cd /etc/openvpn/easy-rsa/3/ ./easyrsa init-pki ./easyrsa build-ca #提示输入CA私钥的密码 ``` #### 创建OpenVPN服务器的证书和私钥 ```bash ./easyrsa gen-req openvpn-server nopass ``` #### CA签名OpenVPN服务器证书 ```bash ./easyrsa sign-req server openvpn-server ``` #### 验证签名的证书 ```bash openssl verify -CAfile pki/ca.crt pki/issued/openvpn-server.crt ``` #### 创建OpenVPN客户端的证书和私钥 ```bash cd /etc/openvpn/easy-rsa/3/ ./easyrsa gen-req client01 nopass ``` #### CA签名OpenVPN客户端证书 ```bash ./easyrsa sign-req client client01 ``` #### 验证签名的证书 ```bash openssl verify -CAfile pki/ca.crt pki/issued/client01.crt ``` #### 创建DH Key ```bash ./easyrsa gen-dh ``` #### 创建CRL key ```bash ./easyrsa gen-crl ``` #### 销毁拨号客户端(`注意:销毁客户端私钥,需要销毁才执行`) ```bash ./easyrsa revoke client01 ``` #### 拷贝证书和私钥到openvpn的目录 ```bash cp pki/ca.crt /etc/openvpn/server/ cp pki/issued/openvpn-server.crt /etc/openvpn/server/ cp pki/private/openvpn-server.key /etc/openvpn/server/ ``` ```bash cp pki/ca.crt /etc/openvpn/client/ cp pki/issued/client01.crt /etc/openvpn/client/ cp pki/private/client01.key /etc/openvpn/client/ ``` ```bash cp pki/dh.pem /etc/openvpn/server/ cp pki/crl.pem /etc/openvpn/server/ ``` #### 配置OpenVPN服务器 ```bash vim /etc/openvpn/server.conf ``` ``` # OpenVPN Port, Protocol and the Tun port 1194 proto udp dev tun # OpenVPN Server Certificate - CA, server key and certificate ca /etc/openvpn/server/ca.crt cert /etc/openvpn/server/openvpn-server.crt key /etc/openvpn/server/openvpn-server.key #DH and CRL key dh /etc/openvpn/server/dh.pem crl-verify /etc/openvpn/server/crl.pem # Network Configuration - Internal network # Redirect all Connection through OpenVPN Server server 10.10.1.0 255.255.255.0 push "redirect-gateway def1" # Using the DNS from https://dns.watch push "dhcp-option DNS 114.114.114.114" push "dhcp-option DNS 8.8.8.8" #Enable multiple client to connect with same Certificate key duplicate-cn # TLS Security cipher AES-256-CBC tls-version-min 1.2 tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 auth SHA512 auth-nocache # Other Configuration keepalive 20 60 persist-key persist-tun comp-lzo yes daemon # OpenVPN Log log-append /var/log/openvpn.log verb 3 ``` #### 开启路由转发功能 ```bash echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf sysctl -p ``` #### iptables防火墙配置 ```bash iptables -A INPUT -p udp --dport=1194 -j ACCEPT #开放openvpn端口 internet_dev=$(ip route get 84.200.69.80 | awk 'NR==1 {print $(NF-2)}') #获取访问外网的网卡名 iptables -t nat -A POSTROUTING -s 10.10.1.0/24 -o $internet_dev -j MASQUERADE #enp0s3为局域网通信的网卡接口，这里会把拨号成功的客户端对访问公网的流量进行IP伪装，修改成enp0s3的接口IP，然后经由内网网关传到路由器，再次通过路由器的NAT转换成路由器的公网ip. ``` iptables允许拨号网段的流量转发(`针对FORWARD默认拒绝的情况`) ```bash iptables -A FORWARD -s 10.10.1.0/24 -j ACCEPT iptables -A FORWARD -d 10.10.1.0/24 -j ACCEPT ``` #### firewalled防火墙配置 ```bash firewall-cmd --permanent --add-service=openvpn #开放openvpn服务端口 firewall-cmd --permanent --zone=trusted --add-interface=tun0 #把tun0加入trusted firewall-cmd --permanent --zone=trusted --add-masquerade #trusted开启masquerade internet_dev=$(ip route get 84.200.69.80 | awk 'NR==1 {print $(NF-2)}') firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.10.1.0/24 -o $internet_dev -j MASQUERADE firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -s 10.10.1.0/24 -j ACCEPT firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -d 10.10.1.0/24 -j ACCEPT firewall-cmd --reload ``` #### 启动OpenVPN服务器 ```bash systemctl start openvpn@server systemctl enable openvpn@server ``` #### 创建openVPN客户端的配置 ```bash vim /etc/openvpn/client/client01.ovpn ``` ``` client dev tun proto udp remote xx.xx.xx.xx 1194 #xx.xx.xx.xx配置为OpenVPN服务器所在网络的路由器公网IP，该地址为路由器的公网IP地址.端口可以自行修改,同路由器映射端口匹配即可 ca ca.crt cert client01.crt key client01.key cipher AES-256-CBC auth SHA512 auth-nocache tls-version-min 1.2 tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 resolv-retry infinite compress lzo nobind persist-key persist-tun mute-replay-warnings verb 3 ``` #### 打包OpenVPN客户端配置 ```bash cd /etc/openvpn/ tar -czvf client01.tar.gz client/* scp root@xx.xx.xx.xx:/etc/openvpn/client01.tar.gz . ``` &nbsp; ### 配置路由器 ```bash 路由器添加端口映射:公网ip地址:1194---->OpenVPN的内网IP地址:1194 ``` &nbsp; ### OpenVPN客户端 #### 开启epel-release ```bash yum install epel-release -y ``` #### 安装OpenVPN ```bash yum install openvpn -y ``` #### 解压OpenVPN的配置 ```bash cd /etc/openvpn/ tar xvf client01.tar.gz ``` #### 拨号OpenVPN服务器 ```bash openvpn --config /etc/openvpn/client/client01.ovpn ``` ```bash Wed Jun 19 09:11:16 2019 OpenVPN 2.4.7 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019 Wed Jun 19 09:11:16 2019 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06 Wed Jun 19 09:11:16 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. Wed Jun 19 09:11:16 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:1194 Wed Jun 19 09:11:16 2019 Socket Buffers: R=[212992->212992] S=[212992->212992] Wed Jun 19 09:11:16 2019 UDP link local: (not bound) Wed Jun 19 09:11:16 2019 UDP link remote: [AF_INET]xx.xx.xx.xx:1194 Wed Jun 19 09:11:16 2019 TLS: Initial packet from [AF_INET]xx.xx.xx.xx:1194, sid=a82ea46b b556e79b Wed Jun 19 09:11:16 2019 VERIFY OK: depth=1, CN=Easy-RSA CA Wed Jun 19 09:11:16 2019 VERIFY OK: depth=0, CN=openvpn-server Wed Jun 19 09:11:16 2019 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA Wed Jun 19 09:11:16 2019 [openvpn-server] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1194 Wed Jun 19 09:11:17 2019 SENT CONTROL [openvpn-server]: 'PUSH_REQUEST' (status=1) Wed Jun 19 09:11:17 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 114.114.114.114,dhcp-option DNS 8.8.8.8,route 10.10.1.1,topology net30,ping 20,ping-restart 60,ifconfig 10.10.1.6 10.10.1.5,peer-id 0,cipher AES-256-GCM' Wed Jun 19 09:11:17 2019 OPTIONS IMPORT: timers and/or timeouts modified Wed Jun 19 09:11:17 2019 OPTIONS IMPORT: --ifconfig/up options modified Wed Jun 19 09:11:17 2019 OPTIONS IMPORT: route options modified Wed Jun 19 09:11:17 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified Wed Jun 19 09:11:17 2019 OPTIONS IMPORT: peer-id set Wed Jun 19 09:11:17 2019 OPTIONS IMPORT: adjusting link_mtu to 1625 Wed Jun 19 09:11:17 2019 OPTIONS IMPORT: data channel crypto options modified Wed Jun 19 09:11:17 2019 Data Channel: using negotiated cipher 'AES-256-GCM' Wed Jun 19 09:11:17 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Wed Jun 19 09:11:17 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Wed Jun 19 09:11:17 2019 ROUTE_GATEWAY 172.19.239.253/255.255.240.0 IFACE=eth0 HWADDR=00:16:3e:02:88:cd Wed Jun 19 09:11:17 2019 TUN/TAP device tun0 opened Wed Jun 19 09:11:17 2019 TUN/TAP TX queue length set to 100 Wed Jun 19 09:11:17 2019 /sbin/ip link set dev tun0 up mtu 1500 Wed Jun 19 09:11:17 2019 /sbin/ip addr add dev tun0 local 10.10.1.6 peer 10.10.1.5 Wed Jun 19 09:11:17 2019 /sbin/ip route add xx.xx.xx.xx/32 via 172.19.239.253 Wed Jun 19 09:11:17 2019 /sbin/ip route add 0.0.0.0/1 via 10.10.1.5 Wed Jun 19 09:11:17 2019 /sbin/ip route add 128.0.0.0/1 via 10.10.1.5 Wed Jun 19 09:11:17 2019 /sbin/ip route add 10.10.1.1/32 via 10.10.1.5 Wed Jun 19 09:11:17 2019 Initialization Sequence Completed ``` #### 验证openVPN客户端拨号是否成功(`成功则显示为OpenVPN的所在网络的公网ip`) ```bash curl ifconfig.io ``` 参考: https://www.howtoforge.com/tutorial/how-to-install-openvpn-server-and-client-with-easy-rsa-3-on-centos-7/ https://www.howtoforge.com/tutorial/how-to-install-openvpn-on-centos-7/ #### `报错: VERIFY ERROR: depth=0, error=CRL has expired: CN=client` #### 解决方法: ```bash grep crl /etc/openvpn/server.conf #注销crl-verify ``` ``` #crl-verify /etc/openvpn/server/crl.pem ``` ```bash systemctl restart openvpn@server ```

安装django-smtp-ssl ```bash $ pip install django-smtp-ssl ``` 修改settings.py的 ```py EMAIL_BACKEND = 'django_smtp_ssl.SSLEmailBackend' EMAIL_HOST = 'mail.example.com' EMAIL_PORT = 465 ```

## 这里介绍两种加密方法:Roundcubemail自带的PGP插件加密和第三方插件Mailvelope加密 ### 一、Roundcubemail自带的PGP插件加密 #### 配置发件人的签名信息  　　 #### 配置PGP密钥对  　　 #### 设置PGP私钥密码  　　 #### 生成了密钥对  　　 #### 设置加密选项  　　 #### 发送公钥给test01   　　 #### test01收到公钥并添加到公钥(test01的密钥对的生成跟前面的test02操作一样)  　　 #### test02\@unotes.co的公钥已经添加成功  　　 #### test01使用test02的公钥加密发送邮件给test02(只有拥有该公钥所对应的私钥的用户才能解密)   　　 #### test01需输入密码，对该邮件进行签名  　　 #### test02收到了test01的加密邮件  #### 如果test02使用了没有私钥的客户端foxmail打开,是看不到加密邮件的真实内容  　　 ### 二、第三方插件Mailvelope加密 浏览器需要安装Mailvelope扩展插件  **firefox:** `https://download.mailvelope.com/releases/latest/mailvelope.firefox.xpi` **chrome:** `https://chrome.google.com/webstore/detail/kajibbejlbohfaggdiogboambcijhkke` 　　 　　 #### 安装扩展完成，之后浏览器上会有个小锁图标 　　 　　 #### 这里测试chrome登录test01的邮箱，火狐登录test02的邮箱 #### 激活当前域名的开启Mailvelope   　　 #### 添加成功后，发送邮件页面会多一个加密图标  　　 #### 导入双方的公私钥 #### chrome的Mailvelope导入test01的私钥以及test02的公钥   　　 #### firefox的Mailvelope导入test02的私钥以及test01的公钥  　　 #### 测试test01给test02发送一份通过Mailvelope加密的邮件  　　 #### test02收到加密的邮件，通过私钥自动解密  　　 #### 如果test02使用了没有私钥的客户端foxmail打开,是看不到加密邮件的真实内容 

### Roundcubemail介绍 　　*RoundCube Webmail是一个基于浏览器，支持多国语言的IMAP客户端，操作界面看起像一个桌面应用程序 　　它提供一个e-mail客户端应该具备的所有功能包括MIME支持,地址薄，文件夹操作，信息搜索和拼写检查。RoundCube Webmail采用PHP+Ajax开发并且需要MySQL数据库来存储数据。 用户界面采用XHTML+CSS2设计。* 　　 ### 安装LAMP 参考[邮件服务器之postfix+dovecot+postfixadmin+TLS](https://ynotes.cn/blog/article_detail/143)中的`LAMP`部分 　　　　　 　　 ### 安装Roundcubemail(1.3.7版本) 下载地址: `https://roundcube.net/` ```bash $ wget https://github.com/roundcube/roundcubemail/releases/download/1.3.7/roundcubemail-1.3.7-complete.tar.gz $ tar -xf roundcubemail-1.3.7-complete.tar.gz -C /var/www/html/ $ cd /var/www/html/ $ mv roundcubemail-1.3.7 webmail ``` ### 浏览器访问`http://roundcube_server_ip/webmail/installer/`   上面提示时区没有配置 ```bash $ vim /etc/php.ini ``` ``` date.timezone = Asia/Shanghai ```        　　 　　 　　 ### 配置插件 ```bash $ vim /var/www/html/webmail/config/config.inc.php ``` ``` $config['smtp_user'] = '%u'; $config['smtp_pass'] = '%p'; $config['product_name'] = 'unotes.co Webmail'; $config['plugins'] = array('attachment_reminder', 'autologon', 'emoticons', 'enigma', 'filesystem_attachments', 'markasjunk', 'newmail_notifier', 'password', 'show_additional_headers', 'userinfo', 'virtuser_file','virtuser_query', 'zipdownload'); $config['password_dovecotpw'] = '/usr/bin/doveadm pw'; $config['password_dovecotpw_method'] = 'CRAM-MD5'; $config['password_dovecotpw_with_method'] = false; $config['password_force_new_user'] = true; $config['password_driver'] = 'sql'; //下面配置postfix库的访问账号 $config['password_db_dsn'] = 'mysql://username:password@localhost/postfix'; ``` 　　 ### 添加automatic_addressbook插件(自动补全已发送过的邮件地址) #### 安装插件 ```bash $ cd /var/www/html/webmail/plugins $ wget https://github.com/sblaisot/automatic_addressbook/archive/master.zip $ tar xvf master.zip $ rm master.zip $ mv automatic_addressbook-master automatic_addressbook $ chown -R apache.apache automatic_addressbook ``` #### 添加插件相关的表 ```bash mysql>use roundcubemail; mysql>source automatic_addressbook/SQL/mysql.initial.sql; ``` #### 修改config配置 ```bash $ vim /var/www/html/webmail/config/config.inc.php ``` ``` $config['plugins'] = array('attachment_reminder', 'autologon', 'emoticons', 'enigma', 'automatic_addressbook', 'filesystem_attachments', 'markasjunk', 'newmail_notifier', 'password', 'show_additional_headers', 'userinfo', 'virtuser_file','virtuser_query', 'zipdownload'); ``` #### 重启服务 ```bash $ /etc/init.d/httpd restart ``` 　　 ### 登录webmail `http://mail.unotes.co/webmail`  　　 ### 配置SSL 增加ssl.conf ```bash /etc/httpd/conf.d/ssl.conf ``` ``` <VirtualHost *:80> ServerName mail.unotes.co RewriteEngine on RewriteCond %{SERVER_PORT} !^443$ RewriteRule ^/?(.*)$ https://%{SERVER_NAME}/$1 [L,R] </VirtualHost> ``` ``` LoadModule ssl_module modules/mod_ssl.so Listen 443 SSLPassPhraseDialog builtin SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000) SSLSessionCacheTimeout 300 SSLMutex default SSLRandomSeed startup file:/dev/urandom 256 SSLRandomSeed connect builtin SSLCryptoDevice builtin <VirtualHost _default_:443> DocumentRoot "/var/www/html" ServerName mail.unotes.co SSLEngine on SSLCertificateFile /etc/httpd/conf/ssl/mail.unotes.co.crt SSLCertificateKeyFile /etc/httpd/conf/ssl/mail.unotes.co.key SSLCertificateChainFile /etc/httpd/conf/ssl/ca.crt ErrorLog logs/ssl_error_log TransferLog logs/ssl_access_log LogLevel warn SSLProtocol all -SSLv2 SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES <Files ~ "\.(cgi|shtml|phtml|php3?)$"> SSLOptions +StdEnvVars </Files> <Directory "/var/www/cgi-bin"> SSLOptions +StdEnvVars </Directory> SetEnvIf User-Agent ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 CustomLog logs/ssl_request_log \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" </VirtualHost> ``` 重定向80->443 ```bash $ vim /etc/httpd/conf/httpd.conf ``` 拷贝证书到/etc/httpd/conf/ssl ```bash $ cp /etc/postfix/ssl/* /etc/httpd/conf/ssl ``` 重启服务 ```bash $ /etc/init.d/httpd restart ``` 访问 `https://mail.unotes.co/webmail/` 

### 邮件服务器(mail.unotes.co)收到 test01\@unotes.co 发送给 test.redhat\@gmail.com 邮件的日志 ```bash $ tail -f /var/log/maillog ``` **`收到客户端x.x.196.255的连接请求`** ```bash Aug 19 05:49:42 mail postfix/smtps/smtpd[10057]: connect from unknown[x.x.196.255] ``` **`用户test01@unotes.co通过sasl认证登录成功`** ```bash Aug 19 05:49:43 mail postfix/smtps/smtpd[10057]: EA8FF222F6: client=unknown[x.x.196.255], sasl_method=LOGIN, sasl_username=test01@unotes.co ``` **`postfix cleanup清理邮件，处理好的邮件，会被传入收件队列(Incoming Queue)`** ```bash Aug 19 05:49:44 mail postfix/cleanup[10064]: EA8FF222F6: message-id=<2018081917494313210561@unotes.co> ``` **`opendkim会检查发送邮件的DKIM签名是否通过`** ```bash Aug 19 05:49:44 mail opendkim[10046]: EA8FF222F6: DKIM-Signature field added (s=default, d=unotes.co) ``` **`qmgr把邮件放入active队列`** ```bash Aug 19 05:49:44 mail postfix/qmgr[7739]: EA8FF222F6: from=<test01@unotes.co>, size=1725, nrcpt=1 (queue active) ``` **`邮件服务器和gmail的smtp发起建立TLS的连接的请求`** ```bash Aug 19 05:49:44 mail postfix/smtp[10065]: setting up TLS connection to gmail-smtp-in.l.google.com[74.125.197.26]:25 ``` **`邮件服务器和gmail的smtp的TLS连接建立成功`** ```bash Aug 19 05:49:44 mail postfix/smtp[10065]: Trusted TLS connection established to gmail-smtp-in.l.google.com[74.125.197.26]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits) ``` **`邮件服务器发送邮件给gmail的smtp服务器`** ```bash Aug 19 05:49:45 mail postfix/smtp[10065]: EA8FF222F6: to=<test.redhat@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.197.26]:25, delay=1.8, delays=0.74/0.03/0.19/0.82, dsn=2.0.0, status=sent (250 2.0.0 OK 1534672190 g10-v6si7304311pfd.86 - gsmtp) ``` **`qmgr把邮件移除`** ```bash Aug 19 05:49:45 mail postfix/qmgr[7739]: EA8FF222F6: removed ``` **`客户端x.x.196.255断开连接`** ```bash Aug 19 05:49:49 mail postfix/smtps/smtpd[10057]: disconnect from unknown[x.x.196.255] ``` ### 邮件服务器(mail.unotes.co)收到 test.redhat\@gmail.com 发送给 test01\@unotes.co 邮件的日志 **`gmail客户端请求连接邮件服务器`** ```bash Aug 19 06:09:14 mail postfix/smtpd[10077]: connect from mail-wr1-f42.google.com[209.85.221.42] ``` **`postgrey灰名单校验通过，客户端在whitelist中`** ```bash Aug 19 06:09:15 mail postgrey[9433]: action=pass, reason=client whitelist, client_name=mail-wr1-f42.google.com, client_address=209.85.221.42, sender=test.redhat@gmail.com, recipient=test01@unotes.co Aug 19 06:09:15 mail postgrey[9433]: cleaning up old logs... Aug 19 06:09:15 mail postgrey[9433]: cleaning up old entries... Aug 19 06:09:15 mail postgrey[9433]: cleaning main database finished. before: 4, after: 4 Aug 19 06:09:15 mail postgrey[9433]: cleaning clients database finished. before: 4, after: 4 ``` **`postfix cleanup清理邮件`** ```bash Aug 19 06:09:15 mail postfix/smtpd[10077]: 974C6222F6: client=mail-wr1-f42.google.com[209.85.221.42] Aug 19 06:09:15 mail postfix/cleanup[10083]: 974C6222F6: message-id=<CAOmnsz0oWbDCvGsjo3Q2sLoyCWeFPqsyZFdin1thTvC2NmWA5w@mail.gmail.com> ``` **`opendkim检查客户端的smtp服务器的DKIM签名成功`** ```bash Aug 19 06:09:15 mail opendkim[10046]: 974C6222F6: mail-wr1-f42.google.com [209.85.221.42] not internal Aug 19 06:09:15 mail opendkim[10046]: 974C6222F6: not authenticated Aug 19 06:09:15 mail opendkim[10046]: 974C6222F6: DKIM verification successful ``` **`qmgr把邮件放入active队列`** ```bash Aug 19 06:09:15 mail postfix/qmgr[7739]: 974C6222F6: from=<test.redhat@gmail.com>, size=9907, nrcpt=1 (queue active) Aug 19 06:09:16 mail postfix/smtpd[10077]: disconnect from mail-wr1-f42.google.com[209.85.221.42] Aug 19 06:09:16 mail postfix/smtpd[10088]: connect from unknown[127.0.0.1] Aug 19 06:09:17 mail postfix/smtpd[10088]: 01373222F7: client=unknown[127.0.0.1] Aug 19 06:09:17 mail postfix/cleanup[10083]: 01373222F7: message-id=<CAOmnsz0oWbDCvGsjo3Q2sLoyCWeFPqsyZFdin1thTvC2NmWA5w@mail.gmail.com> ``` **`opendkim检查客户端的发件人的DKIM签名不匹配(正常,因为我们没有把test.redhat@gmail.com添加到/etc/opendkim/SigningTable)，smtp服务器的DKIM签名成功`** ```bash Aug 19 06:09:17 mail opendkim[10046]: 01373222F7: no signing table match for 'test.redhat@gmail.com' Aug 19 06:09:17 mail opendkim[10046]: 01373222F7: DKIM verification successful ``` **`qmgr再次把邮件放入active队列`** ```bash Aug 19 06:09:17 mail postfix/qmgr[7739]: 01373222F7: from=<test.redhat@gmail.com>, size=10498, nrcpt=1 (queue active) ``` **`amavis检测通过`** ```bash Aug 19 06:09:17 mail amavis[9854]: (09854-01) Passed CLEAN {RelayedInbound}, [209.85.221.42] [209.85.221.42] <test.redhat@gmail.com> -> <test01@codemax.cn>, Message-ID: <CAOmnsz0oWbDCvGsjo3Q2sLoyCWeFPqsyZFdin1thTvC2NmWA5w@mail.gmail.com>, mail_id: rLrGCzYXUKtd, Hits: -0.099, size: 10066, queued_as: 01373222F7, dkim_sd=20161025:gmail.com, 1077 ms ``` **`smtp把邮件发送给amavis`** ```bash Aug 19 06:09:17 mail postfix/smtp[10084]: 974C6222F6: to=<test01@codemax.cn>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.5, delays=0.42/0.04/0.02/1.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 01373222F7) ``` **`qmgr把邮件移除`** ```bash Aug 19 06:09:17 mail postfix/qmgr[7739]: 974C6222F6: removed ``` **`把邮件中继给dovecot`** ```bash Aug 19 06:09:17 mail postfix/pipe[10090]: 01373222F7: to=<test01@codemax.cn>, relay=dovecot, delay=0.32, delays=0.06/0.01/0/0.25, dsn=2.0.0, status=sent (delivered via dovecot service) ``` **`qmgr把邮件移除`** ```bash Aug 19 06:09:17 mail postfix/qmgr[7739]: 01373222F7: removed ```