Debian 上用iRedMail和Pure-FTPd的虚拟邮件/FTP主机
iRedMail是一个能让你在两分钟之内快速部署一个全功能邮件解决方案的shell脚本。从0.5版本开始,它已经支持CentOS 5.x,Debian 5.x,Ubuntu 8.04和Ubuntu 9.04(包括i386和x86_64)。iRedMail支持OpenLDAP和MySQL作为存储虚拟域和用户的后端。
iRedMail的OpenLDAP后端允许你集成各种各样的应用。本指南告诉你在Debian Lenny上怎样将pure-ftpd集成到iRedMail的ldap后端。密码将存储在ldap中并且你可以通过webmail来改变它们。
本教程基于Debian 5.01,因此我建议大家安装一个最小化的Debian 5.01,在其上安装iredmail 0.51并选择OpenLDAP作为其后端。在继续本教程之前,你可以参看下述教程:
- iRedMail: Mail Server With LDAP, Postfix, RoundCube/SquirrelMail, Dovecot, ClamAV, SpamAssassin, Amavisd (Debian 5.0.1)
- iRedMail: Build A Full-Featured Mail Server With LDAP, Postfix, RoundCube, Dovecot, ClamAV,SpamAssassin, DKIM, SPF On CentOS 5.x
1 安装Pure-FTPd:apt-get install pure-ftpd-ldap
2 将PureFTPd配置成一个独立运行的服务器
现在你必须将PureFTPd配置成一个独立运行的守护进程(原本由inetd控制)。为了达到这个目的,我们打开/etc/default/pure-ftpd-common并且将参数STANDALONE_OR_INETD的值修改成standalone。
vi /etc/default/pure-ftpd-common
#STANDALONE_OR_INETD=inetd STANDALONE_OR_INETD=standalone #修改成standalone |
然后我们修改/etc/inetd.conf并且将ftp行注释掉:
#ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/pure-ftpd-wrapper |
再然后我们重启inetd和PureFTPd:
/etc/init.d/openbsd-inetd restart
/etc/init.d/pure-ftpd-ldap restart
3 /etc/pure-ftpd/conf/中的基本设置
创建只包括一个简单的yes字符串的/etc/pure-ftpd/conf/ChrootEveryone文件
echo “yes” > /etc/pure-ftpd/conf/ChrootEveryone
这个设置使得PureFTPd的每个虚拟用户chroot到自己的主目录,因此他将无法浏览主目录以外的目录和文件。
另外再创建一个/etc/pure-ftpd/conf/CreateHomeDir文件,也只是简单包含一个叫yes的字符串:
echo “yes” > /etc/pure-ftpd/conf/CreateHomeDir
这将使得用户登录并且主目录尚不存在时,PureFTPd自动创建该用户的主目录。
最后,创建/etc/pure-ftpd/conf/DontResolve,依旧只包含一个yes:
echo “yes” > /etc/pure-ftpd/conf/DontResolve
这将使得PureFTPd不在查找主机名称,可以显著提高连接速度以及降低带宽消耗。
4 查找 cn=vmail密码
Vmail密码是安装iredmail时随机创建的。你可以在etc/postfix/ldap_virtual_mailbox_domains.cf中找到它:
cat /etc/postfix/ldap_virtual_mailbox_domains.cf
bind_dn = cn=vmail,dc=example,dc=com bind_pw = kZ6uB29mViWKWI9lOH3cGnF7z3Dw3B #cn=vmail 密码 |
5 配置LDAP设定
vi /etc/pure-ftpd/db/ldap.conf
LDAPServer localhost LDAPPort 389 LDAPBaseDN o=domains,dc=example,dc=com LDAPBindDN cn=vmail,dc=example,dc=com LDAPBindPW kZ6uB29mViWKWI9lOH3cGnF7z3Dw3B #cn=vmail 密码 LDAPDefaultUID 1000 # <- UID of 'vmail' user. LDAPDefaultGID 1000 # <- GID of 'vmail' user. LDAPFilter (&(objectClass=PureFTPdUser)(mail=\L)(FTPStatus=enabled)) LDAPHomeDir FTPHomeDir # <- This is new attribute, we will add it LDAPVersion 3 |
6 获取模板
有两种办法来得到pureftpd模板,你只需要选择其中一种。
- 下载iredmail修改过的模板。
- 获取pure-ftpd自带的模板并且修改之。
6.1 下载iredmail修改过的模板:
wget http://iredmail.googlecode.com/svn/trunk/extra/pureftpd.schema -P /etc/ldap/schema/
6.2 获取pure-ftpd-1.0.24自带的模板:
cd /tmp/
wget http://download.pureftpd.org/pub/pure-ftpd/releases/pure-ftpd-1.0.24.tar.bz2
tar xjf pure-ftpd-1.0.24.tar.bz2
cp pure-ftpd-1.0.24/pureftpd.schema /etc/ldap/schema/
修改/etc/ldap/schema/pureftpd.schema:
我们需要在objectclass定义之前增加一个或多个FTPHomeDir属性,用来存储用户的FTP目录。
vi /etc/ldap/schema/pureftpd.schema
attributetype ( 1.3.6.1.4.1.6981.11.3.9 NAME 'FTPgid'
DESC 'System uid (overrides gidNumber if present)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# 增加新属性FTPHomeDir.
attributetype ( 1.3.6.1.4.1.6981.11.3.10 NAME 'FTPHomeDir'
DESC 'FTP directory'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
## New Pure-FTPd object type
objectclass ( 1.3.6.1.4.1.6981.11.2.3 NAME 'PureFTPdUser'
DESC 'PureFTPd user with optional quota, throttling and ratio'
SUP top AUXILIARY
MAY ( FTPStatus $ FTPQuotaFiles $ FTPQuotaMBytes $ FTPUploadRatio $
FTPDownloadRatio $ FTPUploadBandwidth $ FTPDownloadBandwidth $
FTPuid $ FTPgid $ FTPHomeDir ) ) # <-- Add $ FTPHomeDir
|
7 修改/etc/ldap/slapd.conf
vi /etc/ldap/slapd.conf
在iredmail.schema之后包含pureftpd.schema:
include /etc/ldap/schema/iredmail.schema include /etc/ldap/schema/pureftpd.schema # <-- 增加这一行. |
为pureftpd.schema中定义的属性增加索引:
# Default index. # index objectClass eq,pres index ou,cn,mail,surname,givenname,telephoneNumber eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub # <-- 增加以下内容 #Index for FTP attrs. index FTPQuotaFiles,FTPQuotaMBytes eq,pres index FTPUploadRatio,FTPDownloadRatio eq,pres index FTPUploadBandwidth,FTPDownloadBandwidth eq,pres index FTPStatus,FTPuid,FTPgid,FTPHomeDir eq,pres |
8 创建FTP主目录
所有FTP数据都保存在/home/ftp/目录。创建/home/ftp/,所有者必须是root用户。
mkdir /home/ftp/
ls -dl /home/ftp
drwxr-xr-x 2 root root 4096 Oct 3 16:53 /home/ftp
9 重启OpenLDAP服务让pureftpd.schema工作:
/etc/init.d/slapd restart
/etc/init.d/pure-ftpd-ldap restart
确保pure-ftpd处于运行态:
# netstat -ntlp | grep pure-ftpd
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 12548/pure-ftpd (SE
tcp6 0 0 :::21 :::* LISTEN 12548/pure-ftpd (SE
10 增加LDAP属性及取值
10.1 为已有的邮件用户增加LDAP属性及取值
用phpLDAPadmin或者其他工具来增加已有邮件用户的LDAP示例属性以及对应的取值。
| 属性名 |
取值 |
| objectClass | PureFTPdUser |
| FTPStatus | enabled |
| FTPQuotaFiles | 50 |
| FTPQuotaMBytes | 10 |
| FTPDownloadBandwidth | 50 |
| FTPUploadBandwidth | 50 |
| FTPDownloadRatio | 5 |
| FTPUploadRatio | 1 |
| FTPHomeDir | /home/ftp/example.com/username/ |
登陆phpLDAPadmin:
查找已有的邮件用户www@example.com:
为www@example.com增加对象类:
选择PureFTPdUser这个对象类:
结果如下:
增加PureFTPdUser属性:
所有关于PureFTPdUser的属性:
开启FTP状态:
根据下表增加所有的PureFTP属性:
10.2 为新用户增加LDAP属性和取值
你可以使用iredmail工具快速创建包含PureFTP属性和取值的新用户
cd iRedMail-0.5.1/tools
vi create_mail_user_OpenLDAP.sh
LDAP_SUFFIX="dc=example,dc=com" # <- Change the LDAP suffix BINDPW='passwd' # <- The user cn=manager,dc=example,dc=com password PUREFTPD_INTEGRATION='YES' # <- Change form NO to YES,enable the pureftp inteegration |
运行该脚本来创建user1和user2用户。默认密码和用户名相同。
bash create_mail_user_OpenLDAP.sh example.com user1 user2
adding new entry “ou=Users,domainName=example.com,o=domains,dc=example,dc=com”
ldapadd: Already exists (68)
adding new entry “ou=Groups,domainName=example.com,o=domains,dc=example,dc=com”
ldapadd: Already exists (68)
adding new entry “ou=Aliases,domainName=example.com,o=domains,dc=example,dc=com”
ldapadd: Already exists (68)
adding new entry “mail=user1@example.com,ou=Users,domainName=example.com,o=domains,dc=example,dc=com”
adding new entry “mail=user2@example.com,ou=Users,domainName=example.com,o=domains,dc=example,dc=com”
11 配置iptables
默认情况下20和21端口没有打开。如果你用ftp客户端进行测试则需要打开它们。
vi /etc/default/iptables
# http/https, smtp/smtps, pop3/pop3s, imap/imaps, ssh -A INPUT -p tcp -m multiport --dport 80,443,25,465,110,995,143,993,587,465,22,20,21 -j ACCEPT # <-- 增加 20 21 |
重启iptables服务:
/etc/init.d/iptables restart
12 测试
你可以使用Windows的FTP客户端或者linux的ftp客户端lftp来测试。
lftp localhost
lftp localhost:~> debug 4
lftp localhost:~> login user1@example.com user1 # <– 输入用户名和密码
lftp user1@example.com@localhost:~> ls
—- Connecting to localhost (127.0.0.1) port 21
<— 220———- Welcome to Pure-FTPd [privsep] [TLS] ———-
<— 220-You are user number 1 of 50 allowed.
<— 220-Local time is now 16:25. Server port: 21.
<— 220-IPv6 connections are also welcome on this server.
<— 220 You will be disconnected after 15 minutes of inactivity.
<— 211-Extensions supported:
<— EPRT
<— IDLE
<— MDTM
<— SIZE
<— REST STREAM
<— MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
<— MLSD
<— ESTP
<— PASV
<— EPSV
<— SPSV
<— ESTA
<— AUTH TLS
<— PBSZ
<— PROT
<— UTF8
<— 211 End.
<— 500 This security scheme is not implemented
<— 200 OK, UTF-8 enabled
<— 200 MLST OPTS type;size;sizd;modify;UNIX.mode;UNIX.uid;UNIX.gid;unique;
<— 331 User user1@example.com OK. Password required
<— 230-Your bandwidth usage is restricted
<— 230-User user1@example.com has group access to: vmail
<— 230-You must respect a 1:5 (UL/DL) ratio
<— 230-OK. Current restricted directory is /
<— 230-0 files used (0%) – authorized: 50 files
<— 230 0 Kbytes used (0%) – authorized: 10240 Kb
<— 257 “/” is your current location
<— 227 Entering Passive Mode (127,0,0,1,32,58)
<— 150 Accepted data connection
<— 226-Options: -l
<— 226 0 matches total
13 故障处理
在pure-ftpd中启用详细信息登陆:
echo “yes” > /etc/pure-ftpd/conf/VerboseLog
vi /etc/rsyslog.conf
ftp.* -/var/log/pure-ftpd/pureftpd.log # <-- 增加条目 |
创建pureftpd.log文件:
touch /var/log/pure-ftpd/pureftpd.log
启用ldap日志:
vi /etc/ldap/slapd.conf
loglevel 256 # <-- 将0改成256 |
重启pure-ftpd,syslog和openldap:
/etc/init.d/pure-ftpd-ldap restart
/etc/init.d/rsyslog restart
/etc/init.d/slapd restart
监控/var/log/pureftpd.log和/var/log/openldap.log用于故障处理:
tail -0f /var/log/openldap.log
mail:~# tail -0f /var/log/openldap.log
Nov 11 17:42:09 mail slapd[16124]: warning: /etc/hosts.deny, line 0: missing newline or line too long
Nov 11 17:42:09 mail slapd[16124]: conn=5 fd=14 ACCEPT from IP=127.0.0.1:46247 (IP=0.0.0.0:389)
Nov 11 17:42:09 mail slapd[16124]: conn=5 op=0 BIND dn=”cn=vmail,dc=example,dc=com” method=128
Nov 11 17:42:09 mail slapd[16124]: conn=5 op=0 BIND dn=”cn=vmail,dc=example,dc=com” mech=SIMPLE ssf=0
Nov 11 17:42:09 mail slapd[16124]: conn=5 op=0 RESULT tag=97 err=0 text=
Nov 11 17:42:09 mail slapd[16124]: conn=5 op=1 SRCH base=”o=domains,dc=example,dc=com” scope=2
deref=0 filter=”(&(objectClass=PureFTPdUser)(mail=user1@example.com)(FTPStatus=enabled))”
Nov 11 17:42:09 mail slapd[16124]: conn=5 op=1 SRCH attr=FTPHomeDir uidNumber
FTPuid gidNumber FTPgid userPassword loginShell FTPStatus FTPQuotaFiles
FTPQuotaMBytes FTPDownloadRatio FTPUploadRatio FTPDownloadBandwidth FTPUploadBandwidth
Nov 11 17:42:09 mail slapd[16124]: conn=5 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Nov 11 17:42:09 mail slapd[16124]: conn=5 op=2 UNBIND
Nov 11 17:42:09 mail slapd[16124]: conn=5 fd=14 closed
tail -0f /var/log/pure-ftpd/pureftpd.log
mail:~# tail -0f /var/log/pure-ftpd/pureftpd.log
Nov 11 17:39:37 mail pure-ftpd: (?@123.114.254.226) [INFO] New connection from 123.114.254.226
Nov 11 17:39:37 mail pure-ftpd: (?@123.114.254.226) [DEBUG] Command [user] [user1@example.com]
Nov 11 17:39:38 mail pure-ftpd: (?@123.114.254.226) [DEBUG] Command [pass] [<*>]
Nov 11 17:39:38 mail pure-ftpd: (?@123.114.254.226) [INFO] user1@example.com is now logged in
Nov 11 17:39:38 mail pure-ftpd: (user1@example.com@123.114.254.226) [DEBUG] Command [syst] []
Nov 11 17:39:39 mail pure-ftpd: (user1@example.com@123.114.254.226) [DEBUG] Command [feat] []
Nov 11 17:39:39 mail pure-ftpd: (user1@example.com@123.114.254.226) [DEBUG] Command [pwd] []
Nov 11 17:39:39 mail pure-ftpd: (user1@example.com@123.114.254.226) [DEBUG] Command [type] [A]
Nov 11 17:39:40 mail pure-ftpd: (user1@example.com@123.114.254.226) [DEBUG] Command [port] [123,114,254,226,17,57]
Nov 11 17:39:40 mail pure-ftpd: (user1@example.com@123.114.254.226) [DEBUG] Command [list] [-a]
Nov 11 17:39:48 mail pure-ftpd: (user1@example.com@123.114.254.226) [DEBUG] Command [type] [I]
Nov 11 17:39:49 mail pure-ftpd: (user1@example.com@123.114.254.226) [DEBUG] Command [port] [123,114,254,226,17,60]
Nov 11 17:39:49 mail pure-ftpd: (user1@example.com@123.114.254.226) [DEBUG] Command [stor] [test.pdf]
Nov 11 17:39:51 mail pure-ftpd: (user1@example.com@123.114.254.226) [NOTICE]
/home/ftp/example.com/u/us/use/user1-2009.11.11.17.22.26/ftp//chenshake.pdf uploaded (14317 bytes, 9.45KB/sec)
Nov 11 17:39:51 mail pure-ftpd: (user1@example.com@123.114.254.226) [DEBUG] Command [type] [A]
Nov 11 17:39:52 mail pure-ftpd: (user1@example.com@123.114.254.226) [DEBUG] Command [port] [123,114,254,226,17,61]
Nov 11 17:39:53 mail pure-ftpd: (user1@example.com@123.114.254.226) [DEBUG] Command [list] [-a]
Nov 11 17:40:24 mail pure-ftpd: (user1@example.com@123.114.254.226) [DEBUG] Command [pwd] []
Nov 11 17:40:34 mail pure-ftpd: (user1@example.com@123.114.254.226) [INFO] Logout.
14 相关链接
- 讨论论坛: http://www.iredmail.org/forum/
- 项目主页: http://code.google.com/p/iredmail/
- /etc/pure-ftpd/db/ldap.conf 示例文件: click here
via:http://www.linuxeden.com/html/sysadmin/20091203/69356.html