Building a mail system (postfix openldap dovecot amavisd extmail) test environment with FreeBSD 6.2 + jail
1. Preface
Copyright of this article belongs to the author freshegg. Anyone reprinting it in full or in part must include the following information:
Version: 0.2
Author: freshegg
jail on FreeBSD is great fun and postfix rewards tinkering, so what happens if the two are combined? I found the idea interesting, which led to the hands-on work below ^_^
jail is in fact a security framework provided by FreeBSD. jail and chroot are entirely different implementations that serve a similar purpose. jail was developed to make up for the shortcomings of chroot (a chrooted process can still affect processes outside the chroot, can use raw sockets, and so on) and so achieve stronger security. Inside a jail every process carries an additional identifier, the jail ID, so what a process may do is decided not only by its UID and GID but also by its JID.
There are two kinds of jail: thin jails and fat jails. A thin jail is like a chroot, but more secure. A fat jail is like a virtual OS: you can administer it as if it were a separate host, although in reality you have only installed a subset of the FreeBSD OS on the same machine. This article uses fat jails only.
Because a jail isolates so well, it also makes a good test environment. When there is no spare test server and you do not want to mess up the base OS, a jail is the place to play. Below, the base OS is referred to as the host; the prompt "host# " means a command run on the host and "jail# " one run inside the jail.
Deploying services in thin jails is a good choice, but how do you install software into each thin jail? You can combine a fat jail with the ports system to create a builder jail. This article demonstrates that method.
This article uses FreeBSD Release 6.2 with the mini installation.
The MTA is postfix with OpenLDAP as the backend; dovecot provides SASL, pop3, imap and the MDA (LDA);
content filtering uses amavisd, SpamAssassin and clamav; webmail is extmail (fastcgi) with extman,
plus the SMTP-signature-based spam locker; and of course a self-made SSL CA with its certificates provides smtps, https, pop3s and imaps.
2. Setting up the jail (mail server) environment
2.1 Change the services on the host so that they do not listen on all IPs, to avoid interfering with the services in the jail.
host# vi /etc/ssh/sshd_config
Change it to listen on one specific IP only:
ListenAddress 172.18.2.9
host# /etc/rc.d/sshd restart
2.2 Fetch the ports tree
host# csup -L 2 -h cvsup.freebsdchina.org /usr/share/examples/cvsup/ports-supfile
2.3 Fetch the distfiles on the host in advance
host# vi /etc/make.conf
Add:
MASTER_SITE_OVERRIDE?= \
http://ports.hshh.org/${DIST_SUBDIR}/ \
ftp://ftp.freebsdchina.org/pub/FreeBSD/ports/distfiles/${DIST_SUBDIR}/ \
ftp://ftp.freebsd.org.cn/pub/FreeBSD/ports/distfiles/${DIST_SUBDIR}/
host# cd /usr/ports/net/openldap23-server/
host# make config
Select SASL
TCP_WRAPPERS
BDB
DYNAMIC_BACKENDS
SLURPD
host# make fetch-recursive
host# cd /usr/ports/mail/dovecot
host# make config
Select KQUEUE
SSL
POP3
LDA
LDAP
host# make fetch-recursive
host# cd /usr/ports/mail/postfix/
host# make config
Select PCRE
DOVECOT
TLS
OPENLDAP
VDA
TEST
host# make fetch-recursive
host# cd /usr/ports/security/amavisd-new
host# make config-recursive
Select BDB
LDAP
MILTER
SPAMASSASSIN
RAR
UNRAR
ARJ
LHA
ARC
CAB
RPM
ZOO
UNZOO
LZOP
FREEZE
Options for p5-Mail-SpamAssassin:
Select AS_ROOT
DOMAINKEYS
SSL
GNUPG
RAZOR
SPF_QUERY
RELAY_COUNTRY
TOOLS
host# make fetch-recursive
host# cd /usr/ports/security/clamav
host# make config
Select MILTER
CURL
LIBUNRAR
host# make fetch-recursive
host# cd /usr/ports/www/apache22
host# make fetch-recursive
host# cd /usr/ports/databases/p5-DBD-LDAP
host# make fetch-recursive
host# cd /usr/ports/www/mod_fastcgi
host# make fetch-recursive
host# cd /usr/ports/www/p5-FastCGI
host# make fetch-recursive
host# cd /usr/ports/security/cyrus-sasl2
host# make fetch-recursive
host# cd /usr/ports/converters/p5-MIME-Base64/
host# make fetch-recursive
host# cd /usr/ports/net/rrdtool
host# make fetch-recursive
host# cd /usr/ports/devel/p5-File-Tail
host# make fetch-recursive
host# cd /usr/ports/devel/p5-Time-HiRes
host# make fetch-recursive
2.4 Download the latest src and rebuild the system to update it
host# csup -L 2 -h cvsup.freebsdchina.org /usr/share/examples/cvsup/standard-supfile
host# cd /usr/src
host# make buildworld
host# make buildkernel KERNCONF=YOURKER
host# make installkernel KERNCONF=YOURKER
host# reboot
host# cd /usr/src
host# mergemaster -p
host# make installworld
host# mergemaster -Ui
host# reboot
2.5 Create the jail
host# make installworld DESTDIR=/data/jail
host# make distribution DESTDIR=/data/jail
host# cp /etc/master.passwd /data/jail/etc/
host# vi /data/jail/etc/master.passwd
Change the user name to jfreshegg (uid 1001)
host# mkdir -p /data/jail/home/jfreshegg
host# chown 1001:1001 /data/jail/home/jfreshegg
host# pwd_mkdb -d /data/jail/etc /data/jail/etc/master.passwd
host# vi /data/jail/etc/rc.conf
Add sshd_enable="YES"
host# vi /etc/rc.conf
The existing NIC line is ifconfig_fxp0="inet 172.18.2.9 netmask 255.255.0.0"
Add:
######jail configure########
ifconfig_fxp0_alias0="inet 172.18.2.11/24"
jail_enable="YES"
jail_list="jailtest"
jail_jailtest_devfs_enable="YES"
jail_jailtest_devfs_ruleset="devfsrules_jail"
jail_jailtest_exec="/bin/sh /etc/rc"
jail_jailtest_hostname="jail.fresh.egg"
jail_jailtest_ip="172.18.2.11"
jail_jailtest_rootdir="/data/jail"
Bring up the interface alias
host# /etc/rc.d/netif restart
Share the ports tree between the jail and the host
host# mkdir -p /data/jail/usr/ports
host# vi /etc/fstab
Add:
/usr/ports /data/jail/usr/ports nullfs ro 0 0
host# mount_nullfs -o ro /usr/ports /data/jail/usr/ports
Start the jail:
host# /etc/rc.d/jail start
The first start of the jail takes longer because sshd has to generate its host keys.
Once the jail is up you can ssh in and play,
but wait a moment: two important things still have to be set up on the host ^_^
2.6 Configure bind
Today's mail servers, both in normal operation and for anti-spam, depend heavily on DNS, so a local caching nameserver greatly improves mail server performance. While at it I also set up the zone fresh.egg here; since this is a test, a domain name that does not currently exist was chosen.
host# cd /etc/namedb
host# sh make-localhost
host# vi /etc/namedb/named.conf
Change:
listen-on { 127.0.0.1; 172.18.2.9; };
Add:
zone "fresh.egg" {
type master;
file "master/fresh.egg";
};
zone "18.172.in-addr.arpa" {
type master;
file "master/18.172.in-addr.arpa";
};
host# vi /etc/namedb/master/fresh.egg
$TTL 3600 ; 1 hour
@ IN SOA test.fresh.egg. root.fresh.egg. (
2007020401 ; Serial
10800 ; Refresh
3600 ; Retry
604800 ; Expire
86400 ; Minimum TTL
)
; DNS Servers
@ IN NS test.fresh.egg.
; MX Records
@ IN MX 10 jail.fresh.egg.
localhost IN A 127.0.0.1
test IN A 172.18.2.9
jail IN A 172.18.2.11
client IN A 172.18.0.2
ldap IN CNAME jail.fresh.egg.
ldap-master IN CNAME jail.fresh.egg.
host# vi /etc/namedb/master/18.172.in-addr.arpa
$TTL 3600 ; 1 hour
@ IN SOA test.fresh.egg. root.fresh.egg. (
2007020401 ; Serial
10800 ; Refresh
3600 ; Retry
604800 ; Expire
86400 ; Minimum TTL
)
; DNS Servers
@ IN NS test.fresh.egg.
9.2 IN PTR test.fresh.egg.
11.2 IN PTR jail.fresh.egg.
2.0 IN PTR client.fresh.egg.
host# vi /etc/rc.conf
Add
named_enable="YES"
Start bind
host# /etc/rc.d/named start
Then
host# tail /var/log/messages
to see whether anything looks wrong, and then, from another machine,
dig @172.18.2.9 ldap.fresh.egg
to test that it resolves correctly.
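As an added example that is not part of the original article, a shell check that the forward zone fresh.egg and the reverse zone 18.172.in-addr.arpa above agree: every A record in 172.18/16 needs a matching PTR, which matters for a mail server because receiving MTAs and spam scoring look up the MX host's reverse name. The zone contents are constructed inline from the article's files and the function names are mine.

```sh
#!/bin/sh
# Added example, not from the article: cross-check the forward zone fresh.egg
# against the reverse zone 18.172.in-addr.arpa from section 2.6. Every A
# record in 172.18/16 needs a matching PTR, and no PTR should point at a
# host the forward zone does not know. Zone text is constructed from the
# article's files; function names are mine.

FWD_ZONE=$(cat <<'EOF'
$TTL 3600 ; 1 hour
@ IN SOA test.fresh.egg. root.fresh.egg. (
2007020401 ; Serial
86400 ; Minimum TTL
)
@ IN NS test.fresh.egg.
@ IN MX 10 jail.fresh.egg.
localhost IN A 127.0.0.1
test IN A 172.18.2.9
jail IN A 172.18.2.11
client IN A 172.18.0.2
ldap IN CNAME jail.fresh.egg.
ldap-master IN CNAME jail.fresh.egg.
EOF
)
REV_ZONE=$(cat <<'EOF'
$TTL 3600 ; 1 hour
@ IN NS test.fresh.egg.
9.2 IN PTR test.fresh.egg.
11.2 IN PTR jail.fresh.egg.
2.0 IN PTR client.fresh.egg.
EOF
)

# expected_ptrs FWD ORIGIN NET: the PTR records the /16 reverse zone for NET
# must carry for each A record (loopback excluded), printed as
# "<octet4>.<octet3> IN PTR <host>.<origin>." and sorted.
expected_ptrs() {
    printf '%s\n' "$1" | awk -v origin="$2" -v net="$3" '
        $2 == "IN" && $3 == "A" && $4 != "127.0.0.1" {
            split($4, o, ".")
            if ((o[1] "." o[2]) == net)
                printf "%s.%s IN PTR %s.%s.\n", o[4], o[3], $1, origin
        }' | sort
}

# actual_ptrs REV: the PTR records present in the reverse zone, sorted.
actual_ptrs() {
    printf '%s\n' "$1" | awk '$3 == "PTR" { print $1, $2, $3, $4 }' | sort
}

# check_reverse FWD REV ORIGIN NET: "ok" when the zones agree, otherwise one
# line per PTR that is missing from, or stray in, the reverse zone.
check_reverse() {
    want=$(expected_ptrs "$1" "$3" "$4")
    have=$(actual_ptrs "$2")
    report=$(
        printf '%s\n' "$want" | while read -r rec; do
            [ -n "$rec" ] || continue
            printf '%s\n' "$have" | grep -Fxq -- "$rec" || echo "missing PTR: $rec"
        done
        printf '%s\n' "$have" | while read -r rec; do
            [ -n "$rec" ] || continue
            printf '%s\n' "$want" | grep -Fxq -- "$rec" || echo "stray PTR: $rec"
        done
    )
    if [ -z "$report" ]; then echo ok; else printf '%s\n' "$report"; fi
}

# On the host: check_reverse "$(cat /etc/namedb/master/fresh.egg)" \
#   "$(cat /etc/namedb/master/18.172.in-addr.arpa)" fresh.egg 172.18
check_reverse "$FWD_ZONE" "$REV_ZONE" fresh.egg 172.18
```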
2.7 Use the pf firewall to close the ports that must be blocked: 389 783 10024 10025 10030 (in a host environment these would be bound to the loopback address).
host# vi /etc/rc.conf
Add:
pf_enable="YES"
pf_rules="/etc/pf.conf"
host# vi /etc/pf.conf
if="fxp0"
host_addr="172.18.2.9"
jail_addr="172.18.2.11"
scrub in all
pass quick on lo0 all
block in quick on $if from { $host_addr, $jail_addr } to any
block in quick proto { tcp, udp } from any to $jail_addr port { 389, 783, 10024, 10025, 10030 }
######## other block rules ########
pass in all
pass out all
Start pf
host# /etc/rc.d/pf start
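Sections 2.1 and 2.7 together say: no host daemon may bind every address, and whatever the jail listens on beyond its public services must be blocked by pf. As an added example that is not from the article, a shell audit over a sockstat -4l listing (on FreeBSD 6 the host sees the jail's sockets too) that flags wildcard listeners and generates the block rule from what the jail really binds; the listing, the public-port list and the function names are mine.

```sh
#!/bin/sh
# Added example, not from the article: audit a sockstat(1) listing for the two
# host-side rules of sections 2.1 and 2.7. Run on the host, `sockstat -4l`
# also shows the jail's sockets (one kernel), so one listing covers both.
# The listing and the public-port list are constructed; function names are mine.

SOCKSTAT=$(cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       512   3  tcp4   172.18.2.9:22         *:*
bind     named      433   20 tcp4   *:53                  *:*
bind     named      433   21 udp4   *:53                  *:*
root     sshd       1301  3  tcp4   172.18.2.11:22        *:*
ldap     slapd      1340  6  tcp4   172.18.2.11:389       *:*
root     spamd      1402  5  tcp4   172.18.2.11:783       *:*
vscan    amavisd    1410  5  tcp4   172.18.2.11:10024     *:*
root     master     1450  12 tcp4   172.18.2.11:25        *:*
root     master     1450  13 tcp4   172.18.2.11:10025     *:*
root     slockd     1470  3  tcp4   172.18.2.11:10030     *:*
dovecot  dovecot    1480  4  tcp4   172.18.2.11:110       *:*
EOF
)

# Ports the jail is meant to serve to the network; anything else it listens
# on is internal and must be blocked by pf (the article: 389 783 10024 10025 10030).
PUBLIC_PORTS="22 25 80 110 143 443 465 993 995"

# wildcard_listeners LISTING: "<command> <port>" for every socket bound to
# *:port. A host daemon bound that way also answers on the jail's alias IP
# and collides with the jail's own service on that port (section 2.1).
wildcard_listeners() {
    printf '%s\n' "$1" |
        awk 'NR > 1 && $6 ~ /^\*:/ { split($6, a, ":"); print $2, a[2] }' | sort -u
}

# jail_internal_ports LISTING JAIL_IP PUBLIC: ports bound on JAIL_IP that are
# not in the PUBLIC list, numerically sorted, duplicates removed.
jail_internal_ports() {
    printf '%s\n' "$1" | awk -v ip="$2" -v pub=" $3 " '
        NR > 1 { split($6, a, ":")
                 if (a[1] == ip && index(pub, " " a[2] " ") == 0) print a[2] }' | sort -n | uniq
}

# pf_block_rule LISTING JAIL_IP PUBLIC: the section 2.7 block rule generated
# from what the jail really listens on, so the port list cannot drift.
pf_block_rule() {
    ports=$(jail_internal_ports "$1" "$2" "$3" |
        awk '{ printf "%s%s", (NR > 1 ? ", " : ""), $1 } END { print "" }')
    printf 'block in quick proto { tcp, udp } from any to %s port { %s }\n' "$2" "$ports"
}

wildcard_listeners "$SOCKSTAT"
pf_block_rule "$SOCKSTAT" 172.18.2.11 "$PUBLIC_PORTS"
```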
3. Installing software from ports and building packages
3.1 Environment setup
Now enter the jail. First run
jail# tzsetup
to set the correct time zone.
jail# vi /etc/resolv.conf
nameserver 172.18.2.9
jail# mkdir -p /tmp/WRKDIR
jail# mkdir -p /pkg/All/
jail# vi /etc/make.conf
WRKDIRPREFIX= /tmp/WRKDIR
PKGREPOSITORY=/pkg
PACKAGES=/pkg
FORCE_PACKAGE=yes
Add an account and group for storing mail (vmail)
jail# pw group add vmail -g 1000
jail# pw user add vmail -u 1000 -g 1000 -s /sbin/nologin -d /dev/null
3.2 make
For the Options choices that appear during the installs below, refer to the description in 2.3.
Install OpenLDAP
jail# cd /usr/ports/net/openldap23-server/
jail# make install
jail# make package-recursive
jail# make clean
Install dovecot
jail# cd /usr/ports/mail/dovecot
jail# make install
jail# make package-recursive
jail# make clean
Install postfix:
jail# cd /usr/ports/mail/postfix/
jail# make install
When the prompt appears:
Would you like to activate Postfix in /etc/mail/mailer.conf [n]?
answer y
jail# make package-recursive
jail# make clean
Install the content filtering software:
jail# cd /usr/ports/security/amavisd-new
jail# make install
jail# make package-recursive
jail# make clean
jail# cd /usr/ports/security/clamav
jail# make install
jail# make package-recursive
jail# make clean
Install apache
jail# cd /usr/ports/www/apache22/
jail# make WITH_SUEXEC=yes SUEXEC_UIDMIN=1000 SUEXEC_GIDMIN=1000 SUEXEC_DOCROOT=/usr/local/www
jail# make install
jail# make package-recursive
jail# make clean
jail# cd /usr/ports/databases/p5-DBD-LDAP
jail# make install
jail# make package-recursive
jail# make clean
jail# cd /usr/ports/www/mod_fastcgi
jail# make install
jail# make package-recursive
jail# make clean
jail# cd /usr/ports/www/p5-FastCGI
jail# make install
jail# make package-recursive
jail# make clean
jail# cd /usr/ports/net/rrdtool
jail# make install
jail# make package-recursive
jail# make clean
jail# cd /usr/ports/devel/p5-File-Tail
jail# make install
jail# make package-recursive
jail# make clean
4. Mail server configuration
4.1 Download the extmail software
Download the latest extmail components from http://www.extmail.org/cgi-bin/download.cgi;
this document uses extmail-1.0.0.tar.gz, extman-0.2beta3.tar.gz and slockd-0.2beta1.tar.gz,
all placed under ~/extmailsoft/
jail# cd extmailsoft/
jail# tar -xvf extman-0.2beta3.tar.gz
jail# tar -xvf extmail-1.0.0.tar.gz
jail# mv extman-0.2beta3 extman
jail# mv extmail-1.0.0 extmail
4.2 Configure openldap
Relative paths in the following steps are relative to ~/extmailsoft/
jail# cp extman/docs/extmail.schema /usr/local/etc/openldap/schema/
jail# vi /usr/local/etc/openldap/slapd.conf
Add at the top:
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/extmail.schema
Add at the end:
index mail,active,virtualDomain,mailLocalAddress eq,pres
Change the following 2 lines to:
suffix "dc=extmail.org"
rootdn "cn=Manager,dc=extmail.org"
jail# vi /usr/local/etc/openldap/ldap.conf
BASE dc=extmail.org
URI ldap://ldap.fresh.egg ldap://ldap-master.fresh.egg:389
SIZELIMIT 12
TIMELIMIT 15
DEREF never
jail# vi /etc/rc.conf.local
Add
slapd_enable="YES"
Start openldap
jail# /usr/local/etc/rc.d/slapd start
Create the directory for the test user
A test account test@extmail.org is needed, so its directory must be prepared.
jail# mkdir -p /var/domains/extmail.org/test/Maildir/new
jail# mkdir -p /var/domains/extmail.org/test/Maildir/cur
jail# mkdir -p /var/domains/extmail.org/test/Maildir/tmp
jail# chown -R vmail:vmail /var/domains/
jail# chmod -R 700 /var/domains/
Initialise LDAP
jail# ldapadd -x -D 'cn=Manager,dc=extmail.org' -w secret -f extman/docs/init.ldif
4.3 Configure dovecot:
jail# cp /usr/local/etc/dovecot-example.conf /usr/local/etc/dovecot.conf
jail# cp /usr/local/share/dovecot/dovecot-ldap.conf /usr/local/etc/dovecot-ldap.conf
jail# vi /usr/local/etc/dovecot.conf
Comment out:
#passdb pam {
#}
#userdb passwd {
#}
plus the other edits; the result is:
jail# grep -v '^ *#' /usr/local/etc/dovecot.conf | grep -v '^$'
protocols = imap pop3
disable_plaintext_auth = no
ssl_disable = yes
ssl_parameters_regenerate = 0
login_process_size = 64
default_mail_env = maildir:/var/domains/%d/%n/Maildir
mail_extra_groups = mail
verbose_proctitle = yes
first_valid_gid = 1000
last_valid_gid = 1000
protocol imap {
imap_client_workarounds = delay-newmail outlook-idle netscape-eoh tb-extra-mailbox-sep
}
protocol pop3 {
pop3_uidl_format = %08Xu%08Xv
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}
protocol lda {
postmaster_address = postmaster@fresh.egg
sendmail_path = /usr/local/sbin/sendmail
}
auth default {
mechanisms = plain
passdb ldap {
args = /usr/local/etc/dovecot-ldap.conf
}
userdb ldap {
args = /usr/local/etc/dovecot-ldap.conf
}
user = root
socket listen {
master {
path = /var/run/dovecot/auth-master
mode = 0600
user = vmail
group = vmail
}
client {
path = /var/run/dovecot/auth-client
mode = 0660
user = postfix
group = postfix
}
}
}
dict {
}
plugin {
}
jail# vi /usr/local/etc/dovecot-ldap.conf
Result:
jail# grep -v '^ *#' /usr/local/etc/dovecot-ldap.conf | grep -v '^$'
hosts = localhost
dn = cn=Manager,dc=extmail.org
dnpass = secret
ldap_version = 3
base = o=extmailAccount,dc=extmail.org
deref = never
scope = subtree
user_attrs = mail,homeDirectory,,,uidNumber,gidNumber
user_filter = (&(objectClass=extmailUser)(mail=%u)(active=1))
pass_attrs = mail,userPassword
pass_filter = (&(objectClass=extmailUser)(mail=%u)(active=1))
default_pass_scheme = CRYPT
user_global_uid = vmail
user_global_gid = vmail
Start dovecot:
jail# echo 'dovecot_enable="YES"' >> /etc/rc.conf.local
jail# /usr/local/etc/rc.d/dovecot start
4.4 Configure postfix:
jail# vi /etc/rc.conf
Add:
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
jail# vi /etc/periodic.conf
daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"
jail# vi /etc/aliases
Add:
postfix: root
jail# /usr/local/bin/newaliases
jail# chown postfix:postfix /etc/opiekeys
jail# mv /usr/local/etc/postfix/main.cf /usr/local/etc/postfix/main.cf.orig
jail# vi /usr/local/etc/postfix/main.cf
#########basic configure##############
myhostname = jail.fresh.egg
mydomain = fresh.egg
mydestination =
    $myhostname,
    localhost
myorigin = $mydomain
mynetworks = 127.0.0.0/8
smtpd_banner = fresh.egg ESMTP Mail System
message_size_limit = 14680064
daemon_directory = /usr/local/libexec/postfix
command_directory = /usr/local/sbin
mailq_path = /usr/local/bin/mailq
newaliases_path = /usr/local/bin/newaliases
sendmail_path = /usr/local/sbin/sendmail
##########lda configure#####################
dovecot_destination_recipient_limit = 1
virtual_transport = dovecot
#########amavisd-new############
content_filter=smtp-amavis:[127.0.0.1]:10024
###########SASL authentication##############
smtpd_sasl_type = dovecot
smtpd_sasl_path = /var/run/dovecot/auth-client
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
######restrictions and authentication ##########
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_invalid_hostname
###########virtual domain recipient mailbox configure###############
virtual_mailbox_base = /var/domains
virtual_uid_maps=static:1000
virtual_gid_maps=static:1000
virtual_alias_maps = $alias_maps, ldap:/usr/local/etc/postfix/ldap_virtual_alias_maps.cf
virtual_mailbox_maps = ldap:/usr/local/etc/postfix/ldap_virtual_mailbox_maps.cf
virtual_mailbox_domains = ldap:/usr/local/etc/postfix/ldap_virtual_domains_maps.cf
jail# cp extman/docs/ldap_virtual_domains_maps.cf /usr/local/etc/postfix/ldap_virtual_domains_maps.cf
jail# cp extman/docs/ldap_virtual_alias_maps.cf /usr/local/etc/postfix/ldap_virtual_alias_maps.cf
jail# cp extman/docs/ldap_virtual_mailbox_maps.cf /usr/local/etc/postfix/ldap_virtual_mailbox_maps.cf
jail# vi /usr/local/etc/postfix/master.cf
Comment out maildrop and add the dovecot LDA
#maildrop unix - n n - - pipe
#  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
# Dovecot LDA
dovecot unix - n n - - pipe
  flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver -d ${recipient}
Add at the end:
# This section contains the configuration
# necessary for Postfix to use amavisd-new
# as a message content filter.
smtp-amavis unix - - y - 2 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
jail# vi /usr/local/etc/amavisd.conf
Change the corresponding options in /usr/local/etc/amavisd.conf as follows
$max_servers = 10;
$sa_spam_subject_tag = '[SPAM] ';
$mydomain = 'fresh.egg';
$myhostname = 'jail.fresh.egg';
@local_domains_maps = qw(.);
$sa_tag_level_deflt = undef;
$sa_tag2_level_deflt = 5.0;
$sa_kill_level_deflt = 5.0;
$final_virus_destiny = D_DISCARD;
$final_banned_destiny = D_DISCARD;
$final_spam_destiny = D_DISCARD;
$virus_admin = "postmaster\@$mydomain";
$mailfrom_notify_admin = "postmaster\@$mydomain";
$mailfrom_notify_recip = "postmaster\@$mydomain";
$mailfrom_notify_spamadmin = "postmaster\@$mydomain";
@whitelist_sender_maps = read_hash("$MYHOME/white.lst");
@blacklist_sender_maps = read_hash("$MYHOME/black.lst");
$spam_quarantine_to = "spam\@$mydomain";
$virus_quarantine_to = "virus\@$mydomain";
$banned_quarantine_to = "spam\@$mydomain";
$hdrfrom_notify_admin = "Content Filter ";
['ClamAV-clamd',
\&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
qr/\bOK$/, qr/\bFOUND$/,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
jail# touch /var/amavis/white.lst
jail# touch /var/amavis/black.lst
jail# chown -R vscan:vscan /var/amavis/
jail# vi /usr/local/etc/clamd.conf
User vscan
jail# vi /usr/local/etc/freshclam.conf
DatabaseOwner vscan
jail# chown -R vscan:vscan /var/run/clamav/
jail# chown -R vscan:vscan /var/log/clamav/
jail# chown -R vscan:vscan /var/db/clamav/
Configure SpamAssassin
jail# cp /usr/local/etc/mail/spamassassin/local.cf.sample /usr/local/etc/mail/spamassassin/local.cf
jail# vi /usr/local/etc/mail/spamassassin/local.cf
Change /usr/local/etc/mail/spamassassin/local.cf:
report_safe 1
use_bayes 0
auto_learn 0
bayes_auto_expire 1
skip_rbl_checks 1
use_razor2 0
use_dcc 0
use_pyzor 0
dns_available no
lock_method flock
Use Chinese_rules.cf
Create the script /var/cron/sa.sh
#!/bin/sh
cd /tmp/
fetch -q http://www.ccert.edu.cn/spam/sa/Chinese_rules.cf
mv Chinese_rules.cf /usr/local/share/spamassassin/
/usr/local/etc/rc.d/amavisd forcerestart > /dev/null
Make it executable
jail# chmod +x /var/cron/sa.sh
jail# vi /etc/crontab
Edit /etc/crontab and add the following line, which runs the script once a week, on Saturday
0 0 * * 6 root /var/cron/sa.sh
4.5 Jail-specific settings
The settings above are the method for a host environment, but the jail is bound to a specific IP (here 172.18.2.11), which means that 10024, 10025 and the others are on 172.18.2.11, so the jail-specific settings below are made:
jail# vi /usr/local/etc/postfix/main.cf
Change:
#content_filter=smtp-amavis:[127.0.0.1]:10024
content_filter=smtp-amavis:[172.18.2.11]:10024
#mynetworks = 127.0.0.0/8
mynetworks = 172.18.2.11/32
jail# vi /usr/local/etc/postfix/master.cf
Change 127.0.0.1:10025 inet n - n - - smtpd to:
172.18.2.11:10025 inet n - n - - smtpd
and on that re-injection path change the option
-o mynetworks=127.0.0.0/8
to:
-o mynetworks=172.18.2.11/32
jail# vi /usr/local/etc/amavisd.conf
Add:
@inet_acl = qw(172.18.2.11);
$forward_method = 'smtp:[172.18.2.11]:10025';
Set up and start clamav, spamd, amavisd and postfix
jail# vi /etc/rc.conf.local
Add
postfix_enable="YES"
amavisd_enable="YES"
spamd_enable="YES"
clamav_clamd_enable="YES"
clamav_freshclam_enable="YES"
jail# /usr/local/etc/rc.d/clamav-clamd start
jail# /usr/local/etc/rc.d/clamav-freshclam start
jail# /usr/local/etc/rc.d/sa-spamd start
jail# /usr/local/etc/rc.d/amavisd start
jail# /usr/local/etc/rc.d/postfix start
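The three edits of section 4.5 only work when main.cf, master.cf and amavisd.conf all name the jail IP and the re-injection listener keeps content_filter empty (otherwise re-injected mail goes back to amavisd and loops). As an added example that is not from the article, a shell check over those three files; the configuration fragments are constructed from the article's settings and the function names are mine.

```sh
#!/bin/sh
# Added example, not from the article: check that the three files edited in
# section 4.5 agree on the amavisd filter path. A jail bound to one IP has all
# its sockets on that IP (172.18.2.11), so main.cf, master.cf and amavisd.conf
# must name it, and the re-injection listener must clear content_filter or
# mail loops through amavisd for ever. Fragments below are constructed from
# the article's configuration; the function names are mine.

MAIN_CF=$(cat <<'EOF'
myhostname = jail.fresh.egg
#content_filter=smtp-amavis:[127.0.0.1]:10024
content_filter=smtp-amavis:[172.18.2.11]:10024
mynetworks = 172.18.2.11/32
EOF
)
MASTER_CF=$(cat <<'EOF'
smtp inet n - n - - smtpd
smtp-amavis unix - - y - 2 smtp
  -o smtp_data_done_timeout=1200
  -o disable_dns_lookups=yes
172.18.2.11:10025 inet n - n - - smtpd
  -o content_filter=
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o mynetworks=172.18.2.11/32
EOF
)
AMAVISD_CONF=$(cat <<'EOF'
$mydomain = 'fresh.egg';
@inet_acl = qw(172.18.2.11);
$forward_method = 'smtp:[172.18.2.11]:10025';
EOF
)

# main_cf_value CONF KEY: value of KEY in main.cf syntax; comments skipped,
# whitespace around "=" ignored, last definition wins.
main_cf_value() {
    printf '%s\n' "$1" | awk -v k="$2" '
        /^[ \t]*#/ || index($0, "=") == 0 { next }
        { key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key)
          if (key == k) { v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v) } }
        END { print v }'
}

# amavis_value CONF VAR: the scalar or single qw() element assigned to VAR,
# e.g. amavis_value "$AMAVISD_CONF" '@inet_acl' gives 172.18.2.11
amavis_value() {
    printf '%s\n' "$1" | awk -v name="$2" -v q="'" '
        $1 == name && $2 == "=" { s = $3; sub(/^qw\(/, "", s); sub(/\).*$/, "", s)
                                  gsub("[;\"" q "]", "", s); print s }'
}

# master_option MASTER SERVICE OPTION: value of "-o OPTION=..." under the
# master.cf entry SERVICE; "<unset>" if absent, "<no entry>" if SERVICE is.
master_option() {
    printf '%s\n' "$1" | awk -v svc="$2" -v opt="$3" '
        $2 == "inet" || $2 == "unix" || $2 == "fifo" { inblk = ($1 == svc); seen += inblk; next }
        inblk && $1 == "-o" && index($2, opt "=") == 1 { found = 1; print substr($2, length(opt) + 2) }
        END { if (!seen) print "<no entry>"; else if (!found) print "<unset>" }'
}

# ip_of / port_of TRANSPORT: the parts of "smtp:[IP]:PORT".
ip_of()   { printf '%s\n' "$1" | sed 's/.*\[\([^]]*\)\].*/\1/'; }
port_of() { printf '%s\n' "$1" | sed 's/.*\]://'; }

# check_filter_path MAIN MASTER AMAVISD: "ok", or one line per inconsistency.
check_filter_path() {
    cf_ip=$(ip_of "$(main_cf_value "$1" content_filter)")
    fwd=$(amavis_value "$3" '$forward_method')
    svc="$(ip_of "$fwd"):$(port_of "$fwd")"
    acl=$(amavis_value "$3" '@inet_acl')
    report=""
    [ "$acl" = "$cf_ip" ] || report="$report
amavisd @inet_acl ($acl) does not admit Postfix connecting from $cf_ip"
    case "$(master_option "$2" "$svc" content_filter)" in
        "") ;;
        "<no entry>") report="$report
master.cf has no inet entry $svc for \$forward_method to deliver to" ;;
        *) report="$report
master.cf entry $svc must set -o content_filter= (empty) or mail loops through amavisd" ;;
    esac
    case "$(master_option "$2" "$svc" mynetworks)" in
        *"$(ip_of "$fwd")"*) ;;
        *) report="$report
master.cf entry $svc does not list $(ip_of "$fwd") in -o mynetworks=, so re-injection is rejected" ;;
    esac
    if [ -z "$report" ]; then echo ok; else printf '%s\n' "${report#?}"; fi
}

check_filter_path "$MAIN_CF" "$MASTER_CF" "$AMAVISD_CONF"
```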
4.6 Testing
Now test:
jail# telnet localhost 25
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 fresh.egg ESMTP Mail System
ehlo demo.domain.tld
250-jail.fresh.egg
250-PIPELINING
250-SIZE 14680064
250-VRFY
250-ETRN
250-AUTH PLAIN
250-AUTH=PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
auth login
334 VXNlcm5hbWU6
dGVzdEBleHRtYWlsLm9yZw==
334 UGFzc3dvcmQ6
dGVzdA==
235 2.0.0 Authentication successful
mail from: <test@extmail.org>
250 2.1.0 Ok
rcpt to: <test@extmail.org>
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
the first test
.
250 2.0.0 Ok: queued as A81863A1E3
quit
221 2.0.0 Bye
Connection closed by foreign host.
jail# telnet localhost 110
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK Dovecot ready.
user test@extmail.org
+OK
pass test
+OK Logged in.
list
+OK 2 messages:
1 1020
.
retr 1
quit
+OK Logging out.
Connection closed by foreign host.
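The AUTH LOGIN exchange in the SMTP test above carries the user name and password as base64 tokens, not encrypted, which is why section 5 adds TLS (note that this configuration keeps disable_plaintext_auth = no in dovecot and smtpd_tls_auth_only = no in postfix, so AUTH stays possible on an unencrypted connection). As an added example that is not part of the article, a shell helper that decodes the dialogue and a check that flags authentication issued before STARTTLS; the transcript is constructed from the test above and the function names are mine.

```sh
#!/bin/sh
# Added example, not from the article: replay the section 4.6 SMTP session and
# show why AUTH LOGIN on a plain connection counts as a plaintext credential:
# the 334 challenges and the client's replies are only base64 tokens. The
# transcript is constructed from the article's telnet test; function names
# are mine. b64 uses base64(1) -d (GNU coreutils, FreeBSD 8 and later);
# FreeBSD 6 ships b64decode(1) instead.

SESSION=$(cat <<'EOF'
220 fresh.egg ESMTP Mail System
ehlo demo.domain.tld
250-jail.fresh.egg
250-AUTH PLAIN
250 DSN
auth login
334 VXNlcm5hbWU6
dGVzdEBleHRtYWlsLm9yZw==
334 UGFzc3dvcmQ6
dGVzdA==
235 2.0.0 Authentication successful
mail from: <test@extmail.org>
250 2.1.0 Ok
EOF
)

b64() { printf '%s' "$1" | base64 -d; }

# auth_login_credentials SESSION: one "<prompt>=<reply>" line per 334 step of
# the AUTH LOGIN dialogue, both sides decoded.
auth_login_credentials() {
    printf '%s\n' "$1" | awk '
        tolower($0) == "auth login" { in_auth = 1; next }
        in_auth && $1 == "334"      { prompt = $2; want = 1; next }
        in_auth && want             { print prompt, $1; want = 0; next }
        in_auth && $1 == "235"      { exit }' |
    while read -r prompt reply; do
        printf '%s=%s\n' "$(b64 "$prompt")" "$(b64 "$reply")"
    done
}

# plaintext_auth SESSION: "yes" when AUTH was issued before any successful
# STARTTLS ("220 2.0.0 Ready to start TLS"), "no" when it followed one, and
# "none" when the session never authenticated. This is the condition that
# smtpd_tls_auth_only = yes (section 5.4) makes Postfix refuse.
plaintext_auth() {
    printf '%s\n' "$1" | awk '
        $1 == "220" && $2 == "2.0.0" && /start TLS/ { tls = 1 }
        tolower($1) == "auth" { print (tls ? "no" : "yes"); done = 1; exit }
        END { if (!done) print "none" }'
}

auth_login_credentials "$SESSION"
plaintext_auth "$SESSION"
```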
Test the virus scanning:
jail# telnet localhost 25
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 fresh.egg ESMTP Mail System
mail from: test@extmail.org
250 2.1.0 Ok
rcpt to: test@extmail.org
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
.
250 2.0.0 Ok: queued as 4B5BF3A1FC
quit
jail# tail -40 /var/log/maillog
The following message in the log indicates success:
Blocked INFECTED (Eicar-Test-Signature)
4.7 Configure the webmail:
Edit apache's configuration file /usr/local/etc/apache22/httpd.conf so that apache runs as vmail:vmail
jail# vi /usr/local/etc/apache22/httpd.conf
User vmail
Group vmail
Uncomment the following line
#LoadModule fastcgi_module libexec/apache22/mod_fastcgi.so
and add:
<IfModule mod_fastcgi.c>
FastCgiIpcDir /var/lib/fcgi
</IfModule>
jail# mkdir -p /var/lib/fcgi/dynamic
jail# chmod -R 777 /var/lib/fcgi
jail# chmod o+rx /var/lib
Virtual host configuration
Edit /usr/local/etc/apache22/Includes/extmail.conf
jail# vi /usr/local/etc/apache22/Includes/extmail.conf
<VirtualHost *:80>
ServerName jail.fresh.egg
DocumentRoot /usr/local/www/extmail/html/
ScriptAlias /extmail/cgi /usr/local/www/extmail/dispatch.fcgi/
Alias /extmail /usr/local/www/extmail/html/
ScriptAlias /extman/cgi "/usr/local/www/extman/cgi/"
Alias /extman "/usr/local/www/extman/html/"
<Location "/extmail/cgi">
SetHandler fastcgi-script
</Location>
<Location "/extman/cgi">
SetHandler cgi-script
Options +ExecCGI
</Location>
<Directory "/usr/local/www">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
# SuexecUserGroup vmail vmail
</VirtualHost>
Install and configure ExtMan:
jail# cp -Rf extman /usr/local/www/extman/
jail# vi /usr/local/www/extman/webman.cf
jail# grep -v '^ *#' /usr/local/www/extman/webman.cf | grep -v '^$'
SYS_CONFIG = /usr/local/www/extman/
SYS_LANGDIR = /usr/local/www/extman/lang
SYS_TEMPLDIR = /usr/local/www/extman/html
SYS_MAILDIR_BASE = /var/domains
SYS_SHOW_WARN = 0
SYS_SESS_DIR = /var/tmp/extman/
SYS_SESS_TIMEOUT = 21600
SYS_PSIZE = 50
SYS_LANG = zh_CN
SYS_TEMPLATE_NAME = default
SYS_DEFAULT_EXPIRE = 10m
SYS_DEFAULT_SERVICES = webmail,smtpd,smtp,pop3,netdisk
SYS_MIN_UID = 500
SYS_MIN_GID = 100
SYS_DEFAULT_UID = 1000
SYS_DEFAULT_GID = 1000
SYS_QUOTA_MULTIPLIER = 1048576
SYS_QUOTA_TYPE = courier
SYS_DEFAULT_MAXQUOTA = 10000
SYS_DEFAULT_MAXALIAS = 10000
SYS_DEFAULT_MAXUSERS = 1000
SYS_DEFAULT_MAXNDQUOTA = 100
SYS_BACKEND_TYPE = ldap
SYS_CRYPT_TYPE = crypt
SYS_MYSQL_USER = webman
SYS_MYSQL_PASS = webman
SYS_MYSQL_DB = extmail
SYS_MYSQL_HOST = localhost
SYS_MYSQL_SOCKET = /var/lib/mysql/mysql.sock
SYS_MYSQL_TABLE = manager
SYS_MYSQL_ATTR_USERNAME = username
SYS_MYSQL_ATTR_PASSWD = password
SYS_LDAP_BASE = dc=extmail.org
SYS_LDAP_RDN = cn=Manager,dc=extmail.org
SYS_LDAP_PASS = secret
SYS_LDAP_HOST = localhost
SYS_LDAP_ATTR_USERNAME = mail
SYS_LDAP_ATTR_PASSWD = userPassword
SYS_RRD_DATADIR = /var/lib
SYS_RRD_TMPDIR = /tmp/viewlog
SYS_RRD_QUEUE_ON = yes
jail# mkdir /var/tmp/extman/
jail# chown -R vmail:vmail /var/tmp/extman/
jail# chmod 700 /var/tmp/extman/
jail# chgrp vmail /usr/local/www/extman/webman.cf
jail# chmod 640 /usr/local/www/extman/webman.cf
jail# cp extmail/libs/Ext/CGI.pm /usr/local/www/extman/libs/Ext/
jail# cp extmail/libs/Ext/Config.pm /usr/local/www/extman/libs/Ext/
jail# cp extmail/libs/Ext/Lang.pm /usr/local/www/extman/libs/Ext/
jail# cp extmail/libs/Ext/Session.pm /usr/local/www/extman/libs/Ext/
jail# cp extmail/libs/Ext/Utils.pm /usr/local/www/extman/libs/Ext/
jail# cp extmail/libs/Ext/RFC822.pm /usr/local/www/extman/libs/Ext/
Install and configure Extmail
jail# cp -Rf extmail /usr/local/www/extmail/
jail# cp /usr/local/www/extmail/webmail.cf.default /usr/local/www/extmail/webmail.cf
jail# vi /usr/local/www/extmail/webmail.cf
jail# grep -v '^ *#' /usr/local/www/extmail/webmail.cf | grep -v '^$'
SYS_CONFIG = /usr/local/www/extmail/
SYS_LANGDIR = /usr/local/www/extmail/lang
SYS_TEMPLDIR = /usr/local/www/extmail/html
SYS_SHOW_WARN = 0
SYS_PERMIT_NOQUOTA = 1
SYS_SESS_DIR = /var/tmp/extmail/
SYS_SESS_TIMEOUT = 0
SYS_SESS_COOKIE_ONLY = 1
SYS_USER_PSIZE = 10
SYS_USER_SCREEN = auto
SYS_USER_LANG = zh_CN
SYS_USER_TEMPLATE = default
SYS_USER_CHARSET = utf-8
SYS_USER_TRYLOCAL = 1
SYS_USER_TIMEZONE = +0800
SYS_USER_CCSENT = 1
SYS_USER_SHOW_HTML = 1
SYS_USER_COMPOSE_HTML = 1
SYS_USER_CONV_LINK =1
SYS_USER_ADDR2ABOOK = 1
SYS_MIN_PASS_LEN = 2
SYS_MFILTER_ON = 1
SYS_NETDISK_ON = 1
SYS_DEBUG_ON = 1
SYS_AUTH_TYPE = ldap
SYS_MAILDIR_BASE = /var/domains
SYS_AUTH_SCHEMA = virtual
SYS_CRYPT_TYPE = crypt
SYS_MYSQL_USER = db_user
SYS_MYSQL_PASS = db_pass
SYS_MYSQL_DB = extmail
SYS_MYSQL_HOST = localhost
SYS_MYSQL_SOCKET = /var/lib/mysql/mysql.sock
SYS_MYSQL_TABLE = mailbox
SYS_MYSQL_ATTR_USERNAME = username
SYS_MYSQL_ATTR_DOMAIN = domain
SYS_MYSQL_ATTR_PASSWD = password
SYS_MYSQL_ATTR_QUOTA = quota
SYS_MYSQL_ATTR_NDQUOTA = netdiskquota
SYS_MYSQL_ATTR_HOME = homedir
SYS_MYSQL_ATTR_MAILDIR = maildir
SYS_MYSQL_ATTR_DISABLEWEBMAIL = disablewebmail
SYS_MYSQL_ATTR_DISABLENETDISK = disablenetdisk
SYS_MYSQL_ATTR_ACTIVE = active
SYS_LDAP_BASE = o=extmailAccount,dc=extmail.org
SYS_LDAP_RDN = cn=Manager,dc=extmail.org
SYS_LDAP_PASS = secret
SYS_LDAP_HOST = localhost
SYS_LDAP_ATTR_USERNAME = mail
SYS_LDAP_ATTR_DOMAIN = virtualDomain
SYS_LDAP_ATTR_PASSWD = userPassword
SYS_LDAP_ATTR_QUOTA = mailQuota
SYS_LDAP_ATTR_NDQUOTA = netdiskQuota
SYS_LDAP_ATTR_HOME = homeDirectory
SYS_LDAP_ATTR_MAILDIR = mailMessageStore
SYS_LDAP_ATTR_DISABLEWEBMAIL = disablewebmail
SYS_LDAP_ATTR_DISABLENETDISK = disablenetdisk
SYS_LDAP_ATTR_ACTIVE = active
SYS_AUTHLIB_SOCKET = /var/run/dovecot/auth-client
SYS_G_ABOOK_TYPE = file
SYS_G_ABOOK_LDAP_HOST = localhost
SYS_G_ABOOK_LDAP_BASE = ou=AddressBook,dc=example.com
SYS_G_ABOOK_LDAP_ROOTDN = cn=Manager,dc=example.com
SYS_G_ABOOK_LDAP_ROOTPW = secret
SYS_G_ABOOK_LDAP_FILTER = objectClass=OfficePerson
SYS_G_ABOOK_FILE_PATH = /var/www/extsuite/extmail/globabook.cf
SYS_G_ABOOK_FILE_LOCK = 1
SYS_G_ABOOK_FILE_CONVERT = 0
SYS_G_ABOOK_FILE_CHARSET = utf-8
jail# mkdir /var/tmp/extmail
jail# chown vmail:vmail /var/tmp/extmail/
jail# chmod 700 /var/tmp/extmail
jail# vi /etc/rc.conf.local
Add:
apache22_enable="YES"
jail# /usr/local/etc/rc.d/apache22 start
4.8 Install slockd
jail# pkg_info | grep Digest-HMAC
p5-Digest-HMAC-1.01 Perl5 interface to HMAC Message-Digest Algorithms
jail# pkg_info | grep Digest-MD5
p5-Digest-MD5-2.36 Perl5 interface to the MD5 algorithm
jail# pkg_info | grep Digest-SHA1
p5-Digest-SHA1-2.11 Perl interface to the SHA-1 Algorithm
jail# pkg_info | grep Net-IP
p5-Net-IP-1.25 Perl extension for manipulating IPv4/IPv6 addresses
jail# pkg_info | grep Net-DNS
p5-Net-DNS-0.59 Perl5 interface to the DNS resolver, and dynamic updates
This shows that the ports slockd needs were already installed earlier as dependencies.
jail# tar -xvf slockd-0.2beta1.tar.gz
jail# mv slockd-0.2beta1 slockd
jail# cp -Rf slockd /usr/local/slockd
jail# vi /usr/local/slockd/config/main.cf
Uncomment the following 2 lines
#log_file /var/log/slockd.log
# setsid 1
jail# vi /usr/local/etc/postfix/main.cf
Add
check_policy_service inet:172.18.2.11:10030
to smtpd_recipient_restrictions:
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_invalid_hostname,
    check_policy_service inet:172.18.2.11:10030
Write the rc.d script
jail# vi /usr/local/etc/rc.d/slockd
#!/bin/sh
#
# FreeBSD rc.d script /usr/local/etc/rc.d/slockd, v0.1 2007/01/16 author:freshegg
#
# PROVIDE: slockd
# REQUIRE: NETWORKING
# BEFORE: postfix
# KEYWORD: shutdown
. /etc/rc.subr
name="slockd"
rcvar=`set_rcvar`
command="/usr/local/${name}/${name}"
pidfile="/var/run/${name}.pid"
required_files="/usr/local/${name}/config/main.cf"
load_rc_config $name
eval "${rcvar}=\${${rcvar}:-'NO'}"
start_precmd="${name}_prestart"
stop_postcmd="${name}_poststop"
slockd_prestart()
{
cd /usr/local/${name}
}
slockd_poststop()
{
rm -f $pidfile
}
run_rc_command "$1"
jail# chmod +x /usr/local/etc/rc.d/slockd
jail# vi /etc/rc.conf.local
Add:
slockd_enable="YES"
jail# /usr/local/etc/rc.d/slockd start
jail# /usr/local/etc/rc.d/postfix reload
Test:
jail# perl policy_sig -h 172.18.2.11 -p 10030 --helo FOOBAR \
? --ip 192.168.0.1 --from test@foo.com --to test@bar.com
jail# tail /var/log/slockd.log
The following in the log indicates success
[504 <FOOBAR>: rejected, see http://bl.extmail.org/cgi/why?fqdn ,from=<test@foo.com> to=<test@bar.com>
helo=<FOOBAR> client=<192.168.0.1>]
5. SSL configuration:
Now for the final part, the SSL setup. The extmail and extman configured above, as well as SMTP authentication and transport, pop3 and imap, all work in plaintext, and in today's network environment setting up SSL is essential.
The benefit of making your own SSL Root CA is of course that it costs nothing. Besides, using a single Root CA has obvious advantages for managing and distributing SSL keys.
5.1 Set up the OpenSSL environment
jail# mkdir -p /etc/ssl/private
jail# chmod og-rwx /etc/ssl/private
jail# mkdir -p /etc/ssl/certs
jail# mkdir -p /etc/ssl/crl
jail# mkdir -p /etc/ssl/newcerts
jail# echo 'setenv OPENSSL_CONF "/etc/ssl/openssl.cnf"' >> ~/.cshrc
jail# setenv OPENSSL_CONF "/etc/ssl/openssl.cnf"
jail# openssl rand -out /etc/ssl/private/.rand 1024
5.2 Create the top-level certificate authority (Root CA)
Create the RSA private key:
jail# openssl genrsa -des3 -out /etc/ssl/private/myrootca.key.pem 2048
Generating RSA private key, 2048 bit long modulus
......................................+++
..................+++
e is 65537 (0x10001)
Enter pass phrase for /etc/ssl/private/myrootca.key.pem:
Verifying - Enter pass phrase for /etc/ssl/private/myrootca.key.pem:
jail# chmod og-rwx /etc/ssl/private/myrootca.key.pem
Fill in the certificate request:
jail# openssl req -new -key /etc/ssl/private/myrootca.key.pem -out /tmp/myrootca.req.pem
Enter pass phrase for /etc/ssl/private/myrootca.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:cq
Locality Name (eg, city) []:cq
Organization Name (eg, company) [Internet Widgits Pty Ltd]:fresh.egg
Organizational Unit Name (eg, section) []:fresh.egg
Common Name (eg, YOUR name) []:fresh.egg
Email Address []:postmaster@fresh.egg
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
The top-level CA signs its own certificate
jail# openssl x509 -req -days 7305 -sha1 \
? -extfile /etc/ssl/openssl.cnf -extensions v3_ca \
? -signkey /etc/ssl/private/myrootca.key.pem \
? -in /tmp/myrootca.req.pem -out /etc/ssl/certs/myrootca.crt.pem
Signature ok
subject=/C=CN/ST=cq/L=cq/O=fresh.egg/OU=fresh.egg/CN=fresh.egg/emailAddress=postmaster@fresh.egg
Getting Private key
Enter pass phrase for /etc/ssl/private/myrootca.key.pem:
Delete the certificate request
jail# rm -f /tmp/myrootca.req.pem
jail# vi /usr/local/bin/c_rehash
The code is downloaded from the FreeBSD CVS tree (http://www.freebsd.org/cgi/cvsweb.cgi/ports/mail/courier/scripts/c_rehash)
jail# chmod 0555 /usr/local/bin/c_rehash
jail# rehash
jail# c_rehash /etc/ssl/certs
Doing /etc/ssl/certs
myrootca.crt.pem => 92a07e1f.0
5.3 Create the server certificate:
Create the RSA private key:
jail# openssl genrsa -out /etc/ssl/private/fresh.egg.key.pem 2048
Generating RSA private key, 2048 bit long modulus
...............................................................+++
.........................+++
e is 65537 (0x10001)
jail# chmod og-rwx /etc/ssl/private/fresh.egg.key.pem
Fill in the certificate request:
jail# openssl req -new -key /etc/ssl/private/fresh.egg.key.pem -out /tmp/fresh.egg.req.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:cq
Locality Name (eg, city) []:cq
Organization Name (eg, company) [Internet Widgits Pty Ltd]:fresh.egg
Organizational Unit Name (eg, section) []:fresh.egg
Common Name (eg, YOUR name) []:jail.fresh.egg
Email Address []:postmaster@fresh.egg
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Issue the certificate:
jail# openssl x509 -req -days 3650 -sha1 \
? -extfile /etc/ssl/openssl.cnf -extensions v3_req \
? -CA /etc/ssl/certs/myrootca.crt.pem -CAkey /etc/ssl/private/myrootca.key.pem \
? -CAserial /etc/ssl/myrootca.srl -CAcreateserial \
? -in /tmp/fresh.egg.req.pem -out /etc/ssl/certs/fresh.egg.crt.pem
Signature ok
subject=/C=CN/ST=cq/L=cq/O=fresh.egg/OU=fresh.egg/CN=jail.fresh.egg/emailAddress=postmaster@fresh.egg
Getting CA Private Key
Enter pass phrase for /etc/ssl/private/myrootca.key.pem:
Delete the certificate request:
jail# rm -f /tmp/fresh.egg.req.pem
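Sections 5.2 and 5.3 as one non-interactive function followed by the chain check a client performs, as an added example that is not from the article. It assumes a scratch directory argument laid out like /etc/ssl and the CA passphrase rootca-test; it signs with SHA-256 rather than the article's -sha1 (current OpenSSL rejects SHA-1 certificate signatures at its default security level), adds a subjectAltName because modern clients match that instead of the CN, and carries its own minimal openssl.cnf in place of the v3_ca and v3_req sections the article takes from /etc/ssl/openssl.cnf.

```sh
#!/bin/sh
# Added example, not from the article: sections 5.2 and 5.3 as one
# non-interactive function, followed by a chain check. Assumptions: DIR is a
# scratch directory laid out like /etc/ssl, the CA passphrase is rootca-test,
# signatures use SHA-256 (the article's -sha1 is rejected by current OpenSSL
# at its default security level) and the server cert gets a subjectAltName.

# make_pki DIR: build the Root CA and the jail.fresh.egg server certificate
# under DIR; prints "ok" when `openssl verify` accepts the server certificate
# against the CA and its CN is jail.fresh.egg, otherwise a short diagnosis.
make_pki() {
    dir=$1
    pass=pass:rootca-test
    mkdir -p "$dir/private" "$dir/certs" && chmod 700 "$dir/private"
    # Minimal stand-in for the v3_ca / v3_req sections of /etc/ssl/openssl.cnf
    # that the article references with -extfile/-extensions.
    cat > "$dir/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_req ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:jail.fresh.egg
EOF
    ca_key=$dir/private/myrootca.key.pem
    ca_crt=$dir/certs/myrootca.crt.pem
    # 5.2: encrypted CA key, request, self-signed for 7305 days with v3_ca.
    openssl genrsa -des3 -passout "$pass" -out "$ca_key" 2048 2>/dev/null
    openssl req -new -config "$dir/openssl.cnf" -key "$ca_key" -passin "$pass" \
        -subj "/C=CN/ST=cq/L=cq/O=fresh.egg/OU=fresh.egg/CN=fresh.egg/emailAddress=postmaster@fresh.egg" \
        -out "$dir/myrootca.req.pem"
    openssl x509 -req -days 7305 -sha256 -extfile "$dir/openssl.cnf" -extensions v3_ca \
        -signkey "$ca_key" -passin "$pass" -in "$dir/myrootca.req.pem" -out "$ca_crt" 2>/dev/null
    # 5.3: unencrypted server key (daemons must start unattended), request,
    # signed by the CA for 3650 days with v3_req.
    srv_key=$dir/private/fresh.egg.key.pem
    srv_crt=$dir/certs/fresh.egg.crt.pem
    openssl genrsa -out "$srv_key" 2048 2>/dev/null
    openssl req -new -config "$dir/openssl.cnf" -key "$srv_key" \
        -subj "/C=CN/ST=cq/L=cq/O=fresh.egg/OU=fresh.egg/CN=jail.fresh.egg/emailAddress=postmaster@fresh.egg" \
        -out "$dir/fresh.egg.req.pem"
    openssl x509 -req -days 3650 -sha256 -extfile "$dir/openssl.cnf" -extensions v3_req \
        -CA "$ca_crt" -CAkey "$ca_key" -passin "$pass" -CAserial "$dir/myrootca.srl" -CAcreateserial \
        -in "$dir/fresh.egg.req.pem" -out "$srv_crt" 2>/dev/null
    rm -f "$dir/myrootca.req.pem" "$dir/fresh.egg.req.pem"
    chmod og-rwx "$ca_key" "$srv_key"
    # What a client does: validate the chain, then match the name it expects.
    if ! openssl verify -CAfile "$ca_crt" "$srv_crt" >/dev/null 2>&1; then
        echo "chain verification failed"
    elif ! openssl x509 -noout -subject -in "$srv_crt" | grep -q 'CN *= *jail\.fresh\.egg'; then
        echo "unexpected subject"
    else
        echo ok
    fi
}

# Usage on the jail, as root: make_pki /etc/ssl  (same layout as the article)
```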
5.4 Edit /usr/local/etc/postfix/main.cf so that postfix supports smtps (TLS):
Add:
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
smtpd_tls_key_file = /etc/ssl/private/fresh.egg.key.pem
smtpd_tls_cert_file = /etc/ssl/certs/fresh.egg.crt.pem
smtpd_tls_CAfile = /etc/ssl/certs/myrootca.crt.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
Note: smtpd_tls_security_level = may is the parameter recommended from Postfix 2.3 onward;
the old smtpd_use_tls = yes may be deprecated at some point in the future (but not yet).
5.5 Edit /usr/local/etc/dovecot.conf to configure pop3s and imaps
jail# vi /usr/local/etc/dovecot.conf
protocols = imap pop3 pop3s imaps
ssl_disable = no
ssl_cert_file = /etc/ssl/certs/fresh.egg.crt.pem
ssl_key_file = /etc/ssl/private/fresh.egg.key.pem
5.6 Set up apache SSL support:
jail# vi /usr/local/etc/apache22/Includes/extmail-ssl.conf
jail# cat /usr/local/etc/apache22/Includes/extmail-ssl.conf
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/run/ssl_scache(512000)
SSLSessionCacheTimeout 300
SSLMutex file:/var/run/ssl_mutex
<VirtualHost _default_:443>
DocumentRoot "/usr/local/www/extmail/html"
ServerName jail.fresh.egg:443
ScriptAlias /extmail/cgi /usr/local/www/extmail/dispatch.fcgi/
Alias /extmail /usr/local/www/extmail/html/
ScriptAlias /extman/cgi "/usr/local/www/extman/cgi/"
Alias /extman "/usr/local/www/extman/html/"
<Location "/extmail/cgi">
SetHandler fastcgi-script
</Location>
ServerAdmin postmaster@fresh.egg
ErrorLog /var/log/httpd-error.log
TransferLog /var/log/httpd-access.log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/ssl/certs/fresh.egg.crt.pem
SSLCertificateKeyFile /etc/ssl/private/fresh.egg.key.pem
<Directory "/usr/local/www">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/usr/local/www/extmail/dispatch.fcgi">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog /var/log/httpd-ssl_request.log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
#SuexecUserGroup vmail vmail
</VirtualHost>
Restart the services:
jail# /usr/local/etc/rc.d/dovecot restart
jail# /usr/local/etc/rc.d/apache22 restart
jail# /usr/local/etc/rc.d/postfix restart
5.7 SSL client setup
If you do not want to see the warning on SSL connections,
download myrootca.crt.pem to the client via sftp, then in Firefox go to Tools => Options => Advanced => View Certificates => Authorities => Import and import the myrootca.crt.pem you just downloaded.
Windows has a shared certificate store. Once the home-made CA is added there, IE, Outlook Express and Outlook can all use it. For details see the article "How to make SSL X.509 certificates?" by 依玛猫 (imacat).
6. Afterword
The steps above were carried out in a fat jail; for production use, a thin jail should be used instead.
A thin jail is one that provides only the environment the jailed service needs in order to run, with everything else removed.
References:
[url]http://blog.gslin.org/archives/2005/12/31/279/[/url] FreeBSD 6.0 and jail, by Gea-Suan Lin
[url]http://www.imacat.idv.tw/tech/sslcerts.html[/url] How to make SSL X.509 certificates?, by 依玛猫 (imacat)
The various extmail README and INSTALL documents, by hzqbbc
[url]http://www.extmail.org/docs/extmail_solution_freebsd/[/url] ExtMail Solution for FreeBSD, by chifeng
[url]http://cnsnap.cn.freebsd.org/doc/zh_CN.GB2312/books/handbook/[/url] The FreeBSD Documentation Project, FreeBSD Handbook
[url]http://wiki.dovecot.org/FrontPage?action=show&redirect=%E9%A6%96%E9%A1%B5[/url] Dovecot Wiki
[url]http://www.postfix.org/documentation.html[/url] Postfix Documentation
The Book of Postfix, by Ralf Hildebrandt and Patrick Koetter, No Starch Press
Finally, have fun everyone ^_^

Nice article, I suggest 何老大 feature it.

老MAN is really something, respect!

Props to the OP.... FreeBSD's jail really is nice, I use it for a relay server. :P

[quote][b]Quoting netkey's post of 2007-02-11 22:55:[/b]
Nice article, I suggest 何老大 feature it.[/quote]