ArchWiki - User contributions feed for user Timeline.menu (retrieved 2024-03-29T06:22:26Z, MediaWiki 1.41.0)
Page: List of applications (简体中文)/Multimedia (简体中文), revision of 2021-07-16T03:09:36Z by Timeline.menu; edit summary: /* 矢量图处理 - CAD */ (the CAD subsection)
Diff: https://wiki.archlinux.org/index.php?title=List_of_applications_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)/Multimedia_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)&diff=688181
<div><noinclude><br />
[[Category:Applications (简体中文)]]<br />
[[Category:Multimedia (简体中文)]]<br />
[[en:List of applications/Multimedia]]<br />
[[es:List of applications (Español)/Multimedia]]<br />
[[it:List of applications (Italiano)/Multimedia]]<br />
[[ja:アプリケーション一覧/マルチメディア]]<br />
[[pt:List of applications (Português)/Multimedia]]<br />
[[zh-hant:List of applications (正體中文)/Multimedia]]<br />
{{List of applications navigation (简体中文)}}<br />
{{translateme (简体中文)}}<br />
</noinclude><br />
== Multimedia ==<br />
<br />
=== Codecs ===<br />
<br />
See the main article: [[Codecs]].<br />
<br />
=== Images ===<br />
<br />
==== Image viewers ====<br />
<br />
See also [[Wikipedia:Comparison of image viewers]].<br />
<br />
===== Console =====<br />
<br />
* {{App|fbi|Image viewer for the linux framebuffer console.|https://www.kraxel.org/blog/linux/fbida/|{{Pkg|fbida}}}}<br />
* {{App|fbv|Framebuffer image viewer.|http://s-tech.elsat.net.pl/fbv/|{{Pkg|fbv}}}}<br />
* {{App|fim|Customizable and scriptable framebuffer image viewer based on fbi.|https://www.autistici.org/dezperado/|{{AUR|fim}}}}<br />
* {{App|jfbview|Framebuffer PDF and image viewer based on Imlib2. Features include Vim-like controls, rotation and zoom, zoom-to-fit, and fast multi-threaded rendering.|https://github.com/jichu4n/jfbview|{{AUR|jfbview}}}}<br />
<br />
===== Graphical =====<br />
<br />
* {{App|[[Wikipedia:Eye_of_GNOME|Eye of GNOME]]|Image viewing and cataloging program, which is a part of the GNOME desktop environment.|https://projects.gnome.org/eog/|{{Pkg|eog}}}}<br />
* {{App|Eye of MATE|Simple graphics viewer for the MATE desktop.|https://github.com/mate-desktop/eom|{{Pkg|eom}}}}<br />
* {{App|[[Feh]]|Lightweight image viewer using imlib2.|https://feh.finalrewind.org/|{{Pkg|feh}}}}<br />
* {{App|meh|Small, simple and very fast image viewer using raw Xlib.|https://www.johnhawthorn.com/meh/|{{AUR|meh}}{{Broken package link (简体中文)|package not found}}}}<br />
* {{App|GalaPix|OpenGL-based image viewer that can display a whole collection of images at once and generate thumbnails.|https://code.google.com/p/galapix/|{{AUR|galapix}}}}<br />
* {{App|[[Wikipedia:Geeqie|Geeqie]]|Image browser and viewer (fork of GQview) that adds additional functionality such as support for RAW files.|http://geeqie.sourceforge.net/|{{Pkg|geeqie}}}}<br />
* {{App|Gimmage|Gtkmm image viewer.|http://gimmage.berlios.de/|{{AUR|gimmage}}}}<br />
* {{App|GPicView|Simple and fast image viewer for X, which is part of the [[LXDE]] desktop.|http://lxde.sourceforge.net/gpicview/|{{Pkg|gpicview}}}}<br />
* {{App|[[Wikipedia:GQview|GQview]]|Image browser that features single click access to view images and move around the directory tree|http://gqview.sourceforge.net/|{{AUR|gqview-devel}}}}<br />
* {{App|[[Wikipedia:GThumb|gThumb]]|Image viewer for the GNOME desktop.|https://live.gnome.org/gthumb|{{Pkg|gthumb}}}}<br />
* {{App|[[Wikipedia:Gwenview|Gwenview]]|Fast and easy to use image viewer for the KDE desktop.|https://apps.kde.org/gwenview/|{{Pkg|gwenview}}}}<br />
* {{App|Mirage|PyGTK image viewer featuring support for crop and resize, custom actions and a thumbnail panel.|http://mirageiv.berlios.de|{{AUR|mirage}}}}<br />
* {{App|nomacs|Free (GPLv3) Qt image viewer for many operating systems. It is feature-rich but starts fast and can be configured to show additional widgets or only the image.|https://www.nomacs.org/|{{Pkg|nomacs}}}}<br />
* {{App|Phototonic|Fast and functional image viewer and organizer (Qt).| https://github.com/oferkv/phototonic|{{Pkg|phototonic}}}}<br />
* {{App|PhotoQt|Fast and highly configurable image viewer with a simple and nice interface.|https://photoqt.org/|{{AUR|photoqt}}}}<br />
* {{App|[[Wikipedia:Picasa|Picasa]]|Image organizer and viewer from Google that has editing capabilities and integration with the photo-sharing website.|http://picasa.google.com/}}<br />
* {{App|Quick Image Viewer|Very small and fast image viewer based on GTK+ and imlib2.|http://spiegl.de/qiv/|{{Pkg|qiv}}}}<br />
* {{App|Ristretto|Fast and lightweight image viewer for the Xfce desktop.|https://goodies.xfce.org/projects/applications/ristretto|{{Pkg|ristretto}}}}<br />
* {{App|Shotwell|A digital photo organizer designed for the GNOME desktop environment|https://wiki.gnome.org/Apps/Shotwell|{{Pkg|shotwell}}}}<br />
* {{App|[[Simple Viewer GL]]|Simple image viewer using OpenGL, it has few dependencies.|{{AUR|simpleviewergl-git}}{{Broken package link (简体中文)|package not found}}|{{AUR|simpleviewergl-git}}{{Broken package link (简体中文)|package not found}}}}<br />
* {{App|SXIV|Simple X image viewer; works well with tiling window managers, uses imlib2.|https://github.com/muennich/sxiv|{{Pkg|sxiv}}}}<br />
* {{App|[[Wikipedia:Viewnior|Viewnior]]|Minimalistic GTK+ image viewer featuring support for flipping, rotating, animations and configurable mouse actions.|https://siyanpanayotov.com/project/viewnior|{{Pkg|viewnior}}}}<br />
* {{App|Xloadimage|Classic X image viewer.|https://web.archive.org/web/19981207030422/http://world.std.com/~jimf/xloadimage.html|{{Pkg|xloadimage}}}}<br />
* {{App|XnView MP|Efficient image viewer, browser and converter.|https://www.xnview.com/en/index.html|{{AUR|xnviewmp}}}}<br />
* {{App|[[Wikipedia:Xv_(software)|xv]]|Shareware program written by John Bradley to display and modify digital images under the X Window System.|http://www.trilon.com/xv/|{{AUR|xv}}}}<br />
<br />
<!-- Broken links, need to be turned into App Templates.<br />
* [[Background Setter]]<br />
* [[eog]]<br />
* [[GQview]]<br />
* [[gThumb]]<br />
* [[Quick Image Viewer]]<br />
* [[XnView]]<br />
* [[xv]]<br />
* [[Picasa]]<br />
--><br />
<br />
==== Graphics and image manipulation ====<br />
<br />
===== Raster graphics editors =====<br />
<br />
* {{App|[[Wikipedia:GIMP|GIMP]]|GIMP stands for [[GNU]] Image Manipulation Program. Started in the mid 1990s, GIMP is an image editing suite comparable to Adobe Photoshop. The Arch Linux repositories carry a large number of GIMP plugins and helper tools; search for them with:<br />
 pacman -Ss gimp<br />
Many more packages are available in the [[Arch User Repository]]. You may also be interested in [[CMYK support in The GIMP]].|https://www.gimp.org/|{{Pkg|gimp}}}}<br />
* {{App|KolourPaint|Free, fast image editor for KDE, similar to Microsoft Paint before Windows 7 but with additional features such as transparency support.|http://kolourpaint.org|{{Pkg|kdegraphics-kolourpaint}}{{Broken package link (简体中文)|package not found}}}}<br />
* {{App|mtPaint|Image editor aimed at creating indexed-colour palette images and pixel art.|http://mtpaint.sourceforge.net/|{{Pkg|mtpaint}}}}<br />
* {{App|darktable|Complete photography workflow application that excels at RAW processing.|https://www.darktable.org/|{{Pkg|darktable}}}}<br />
* {{App|MyPaint|Free painting tool for digital painters.|http://mypaint.intilinux.com|{{Pkg|mypaint}}}}<br />
* {{App|Krita (Swedish for "crayon")|Digital painting and design application built on the KDE platform and the KOffice libraries.|https://krita.org/|{{Pkg|calligra-krita}}{{Broken package link (简体中文)|package not found}}}}<br />
* {{App|Nathive|"The usable image editor": a GNOME-based image editor with a gentle learning curve and a focus on usability.|http://www.nathive.org/|{{AUR|nathive}}{{Broken package link (简体中文)|package not found}}}}<br />
* {{App|[[Wikipedia:ImageMagick|ImageMagick]]|Command-line image manipulation program, known for accurate conversion between more than 100 formats. Its API makes it easy to use from scripts, and it serves as the back end for many other programs, for example generating the image thumbnails for MediaWiki.|https://www.imagemagick.org/script/index.php|{{Pkg|imagemagick}}}}<br />
* {{App|[[Wikipedia:GraphicsMagick|GraphicsMagick]]|Forked from the ImageMagick code base in 2002, inheriting its API and command-line stability. It adds multi-core CPU support for better performance, which is why large sites such as Flickr and Etsy use it.|http://www.graphicsmagick.org/|{{Pkg|graphicsmagick}}}}<br />
* {{App|[[Wikipedia:Shotwell_(software)|Shotwell]]|Photo manager with basic image editing functions such as rotation, cropping, colour correction and red-eye removal. It can import photos directly from digital cameras and export them to social media sites.|http://yorba.org/shotwell/|{{Pkg|shotwell}}}}<br />
* {{App|[[Wikipedia:digiKam|digiKam]]|KDE-based image/photo manager. Thanks to its plugin architecture it ships a large number of image processing functions, and claims more of them than many other image processing tools, including import and processing of RAW images.|https://www.digikam.org/|{{Pkg|digikam}}}}<br />
<br />
===== Vector graphics and diagrams =====<br />
<br />
See also [[Wikipedia:Comparison of vector graphics editors]].<br />
<br />
* {{App|[[Wikipedia:Asymptote_(vector_graphics_language)|Asymptote]]|Descriptive vector graphics language (like PGF/TikZ and MetaPost) with C-like syntax and LaTeX support.|http://asymptote.sourceforge.net|{{Pkg|asymptote}}}}<br />
* {{App|Dia|GTK+-based diagram editor.|https://live.gnome.org/Dia|{{Pkg|dia}}}}<br />
* {{App|[[Wikipedia:Graphviz|Graphviz]]|Draws graphs described in the declarative DOT language.|https://www.graphviz.org|{{Pkg|graphviz}}}}<br />
* {{App|Gravit|Professional vector graphics design tool.|https://gravit.io/|{{AUR|gravit-git}}{{Broken package link (简体中文)|package not found}}}}<br />
* {{App|[[Wikipedia:Inkscape|Inkscape]]|Open source vector graphics editor with capabilities similar to Illustrator, CorelDraw and Xara X, using the W3C standard Scalable Vector Graphics (SVG) format. Inkscape supports many advanced SVG features (markers, clones, alpha blending, etc.) and has a carefully designed, workflow-oriented interface. It makes it easy to edit nodes, perform complex path operations, trace bitmaps and much more. Its developers follow a community-oriented development process and aim to maintain a growing community of users and developers.|https://inkscape.org/|{{Pkg|inkscape}}}}<br />
* {{App|Mockingbot|Chinese name 墨刀; a collaborative prototyping tool.|http://mockingbot.com/|{{AUR|mockingbot}}}}<br />
* {{App|[[Wikipedia:Karbon (software)|Karbon]]|Vector graphics design tool, part of the Calligra suite.|https://www.calligra-suite.org/karbon/|{{Pkg|calligra}}}}<br />
* {{App|Pencil Project|Open source prototyping tool.|https://pencil.evolus.vn/|{{AUR|pencil}}}}<br />
* {{App|qasm2circ|Quantum circuit diagram generator for LaTeX.|https://www.media.mit.edu/quanta/qasm2circ/|{{AUR|qasm2circ}}}}<br />
* {{App|[[Wikipedia:SK1_(program)|sK1]]|Alternative to Adobe Illustrator and similar drawing software.|https://sk1project.net/|{{AUR|sk1}}}}<br />
* {{App|[[Wikipedia:yEd|yEd]]|General-purpose diagramming program for flowcharts, network diagrams, UML diagrams, BPMN diagrams, mind maps, organization charts and entity-relationship diagrams.|https://www.yworks.com/en/products_yed_about.html|{{AUR|yed}}}}<br />
<br />
===== CAD =====<br />
<br />
See also [[Wikipedia:List of computer-aided design editors]].<br />
<br />
* {{App|[[Wikipedia:BRL-CAD|BRL-CAD]]|Constructive solid geometry (CSG) solid modeling computer-aided design (CAD) system that includes an interactive geometry editor, ray tracing support for graphics rendering and geometric analysis, computer network distributed framebuffer support, scripting, image-processing and signal-processing tools.|https://brlcad.org/|{{AUR|brlcad}}}}<br />
* {{App|DraftSight|Professional-grade free CAD software that lets professional CAD users, students and educators create, edit and view DWG files. DraftSight is available for Windows® and Mac®; Dassault Systèmes has dropped Linux support, so the source package must be downloaded manually before installing.|http://www.3ds.com/cn/products/draftsight/download-draftsight|{{AUR|Draftsight}}}}<br />
* {{App|[[Wikipedia:FreeCAD|FreeCAD]]|CAD/CAE program, based on OpenCascade, Qt and Python with features such as macro recording, workbenches and the ability to run as server.|https://sourceforge.net/projects/free-cad/|{{Pkg|freecad}}}}<br />
* {{App|LeoCAD|CAD program for creating virtual LEGO models. It has an easy to use interface and currently includes over 6000 different pieces created by the LDraw community.|http://leocad.org|{{Pkg|leocad}}}}<br />
* {{App|[[Wikipedia:LibreCAD|LibreCAD]]|Powerful 2D CAD application based on Qt. It has been forked from QCad Community Edition.|https://www.librecad.org/|{{Pkg|librecad}}}}<br />
* {{App|[[Wikipedia:OpenSCAD|OpenSCAD]]|Open source 2D/3D CAD using programmers approach.|https://www.openscad.org|{{Pkg|openscad}} {{AUR|openscad-git}}}}<br />
* {{App|[[Wikipedia:QCad|QCAD]]|Powerful 2D CAD application that began in 1999. QCAD uses the DXF standard file format and also supports HPGL.|https://www.qcad.org/|{{Pkg|qcad}}}}<br />
* {{App|[[Wikipedia:VariCAD|VariCAD]]|3D/2D CAD and mechanical engineering application which provides support for parameters and geometric constraints, tools for shells, pipelines, sheet metal unbending and crash tests, assembly support, mechanical part and symbol libraries, calculations, bills of materials, and more.|https://www.varicad.com/en/home/|{{AUR|varicad}}{{Broken package link (简体中文)|package not found}}}}<br />
<br />
===== 3D modeling and rendering =====<br />
<br />
See also [[Wikipedia:Comparison of 3D computer graphics software]].<br />
* {{App|[[Wikipedia:Art_of_Illusion|Art of Illusion]]|3D modeling and rendering studio written in Java.|http://www.artofillusion.org/|{{AUR|aoi}}}}<br />
* {{App|[[Wikipedia:MakeHuman|MakeHuman™]]|Parametrical modeling program for creating human bodies.|http://www.makehuman.org/|{{AUR|makehuman}}}}<br />
* {{App|[[Wikipedia:POV-Ray|POV-Ray]]|Script-based raytracer for creating 3D graphics.|https://www.povray.org/|{{Pkg|povray}}}}<br />
* {{App|[[Wikipedia:Wings3d|Wings 3D]]|Advanced subdivision modeler that is both powerful and easy to use.|http://www.wings3d.com/|{{Pkg|wings3d}}}}<br />
* {{App|Blender|All-round 3D graphics creation suite. Its features include 3D modeling, material design, 3D animation, compositing and much more, and a large number of add-ons and tools that extend it are available in the [[Arch User Repository]].<br />
See also:<br />
**[https://www.blender.org/ Blender homepage]<br />
**[https://wiki.blender.org/index.php/Main_Page Blender Wiki]<br />
**[https://en.wikibooks.org/wiki/Blender_3D Blender walkthrough on wikibooks]|https://www.blender.org/|{{Pkg|blender}}}}<br />
<br />
==== Screenshots ====<br />
<br />
See also: [[Taking a screenshot]].<br />
<br />
=== Audio ===<br />
<br />
==== Sound systems ====<br />
<br />
See also [[Wikipedia:Sound server]].<br />
<br />
See the main article: [[Sound system]].<br />
<br />
* {{App|wineasio|Provides an ASIO to JACK driver for ''wine''. ASIO is the most common Windows low-latency driver, so is commonly used in audio workstation programs.|https://sourceforge.net/projects/wineasio/|{{AUR|wineasio}}}}<br />
<br />
==== Audio players ====<br />
<br />
See also [[Wikipedia:Comparison of audio player software]].<br />
<br />
===== Music player daemons and clients =====<br />
<br />
* {{App|[[Music Player Daemon]]|Lightweight, scalable music player with a client/server architecture; MPD runs as a daemon in the background and manages the playlist and the music database.|https://mpd.wikia.com/wiki/Music_Player_Daemon_Wiki|{{Pkg|mpd}}}}<br />
* [[Music_Player_Daemon#Clients|List of MPD clients]]<br />
* {{App|[[Wikipedia:XMMS2|XMMS2]]|Complete rewrite of the popular music player.|https://xmms2.org|{{Pkg|xmms2}}}}<br />
<br />
===== Console =====<br />
<br />
* {{App|[[cmus]]|Very feature-rich ncurses-based music player.|https://cmus.github.io/|{{Pkg|cmus}}}}<br />
* {{App|Cplay|Curses front-end for various audio players (ogg123, mpg123, mpg321, splay, madplay, and mikmod, xmp, and sox).|https://directory.fsf.org/wiki/Cplay|{{AUR|cplay}}}}<br />
* {{App|Herrie|Minimalistic console-based music player with native AudioScrobbler support.|https://herrie.info/|{{AUR|herrie}}}}<br />
* {{App|[[MOC]]|Ncurses console audio player with support for the MP3, OGG, and WAV formats.|https://moc.daper.net/|{{Pkg|moc}}}}<br />
* {{App|MPFC|Gstreamer-based audio player with curses interface.|https://code.google.com/p/mpfc/|{{AUR|mpfc}}}}<br />
* {{App|[[Wikipedia:Mpg123|mpg123]]|Fast free MP3 console audio player for Linux, FreeBSD, Solaris, HP-UX and nearly all other UNIX systems (also decodes MP1 and MP2 files).|https://www.mpg123.org/|{{Pkg|mpg123}}}}<br />
* {{App|[[pianobar]]|Console-based frontend for Pandora.|https://6xq.net/projects/pianobar/|{{Pkg|pianobar}}}}<br />
* {{App|PyTone|Advanced music jukebox with a console interface.|https://www.luga.de/pytone/|{{AUR|pytone}}{{Broken package link (简体中文)|package not found}}}}<br />
* {{App|shell-fm|Console-based player for the streams provided by [https://www.last.fm/ last.fm].|https://github.com/jkramer/shell-fm/|{{AUR|shell-fm}}{{Broken package link (简体中文)|package not found}}}}<br />
* {{App|[[Wikipedia:VLC_media_player|VLC]]|Highly portable multimedia player with ncurses interface module, and multimedia framework capable of reading most audio and video formats as well as DVDs, Audio CDs, VCDs, and various streaming protocols.|https://www.videolan.org/vlc/|{{Pkg|vlc}}}}<br />
* {{App|whistle|a curses-based commandline audio player.|https://github.com/ap0calypse/whistle/|{{AUR|whistle-git}}}}<br />
<br />
===== Graphical =====<br />
<br />
* {{App|[[Amarok]]|Mature Qt-based player known for its plethora of features.|https://amarok.kde.org/|{{AUR|amarok}}}}<br />
* {{App|[[Wikipedia:aTunes|aTunes]]|Audio player written in Java.|http://www.atunes.org/|{{AUR|atunes}}{{Broken package link (简体中文)|package not found}}}}<br />
* {{App|[[Audacious]]|[[Wikipedia:Winamp|Winamp]] clone like Beep and old XMMS versions.|https://audacious-media-player.org/|{{Pkg|audacious}}}}<br />
* {{App|[[Wikipedia:Banshee (media player)|Banshee]]|[[Wikipedia:iTunes|iTunes]] clone, built with GTK+ and [[Mono]], feature-rich and more actively developed.|http://banshee.fm/|{{AUR|banshee}}}}<br />
* {{App|[[Wikipedia:Clementine_(software)|Clementine]]|Amarok 1.4 clone, ported to Qt 4.|https://www.clementine-player.org/|{{Pkg|clementine}}}}<br />
* {{App|Cuberok|Music player and collection manager with a lightweight interface.|https://code.google.com/p/cuberok/|{{AUR|cuberok}}{{Broken package link (简体中文)|package not found}}}}<br />
* {{App|DeaDBeeF|Light and fast music player with many features, no GNOME or KDE dependencies, supports console-only, as well as a GTK+ GUI, comes with many plugins, and has a metadata editor.|http://deadbeef.sourceforge.net/|{{AUR|deadbeef}}}}<br />
* {{App|[[Exaile]]|GTK+ clone of Amarok.|https://www.exaile.org/|{{AUR|exaile}}}}<br />
* {{App|gmusicbrowser|Open-source jukebox for large collections of MP3/OGG/FLAC files.|https://gmusicbrowser.org/|{{AUR|gmusicbrowser}}}}<br />
* {{App|GNOME Music|Music is the new GNOME music playing application. It aims to combine an elegant and immersive browsing experience with simple and straightforward controls.|https://wiki.gnome.org/Apps/Music|{{Pkg|gnome-music}}}}<br />
* {{App|Goggles Music Manager|Music collection manager and player that automatically categorizes your music, supports gapless playback, features easy tag editing, and internet radio support. Uses the [[Wikipedia:Fox toolkit|Fox toolkit]].|https://gogglesmm.github.io/|{{Pkg|gogglesmm}}}}<br />
* {{App|Guayadeque|Full featured media player that can easily manage large collections and uses the GStreamer media framework.|http://guayadeque.org/|{{AUR|guayadeque}}}}<br />
* {{App|[[Wikipedia:JuK|JuK]]|JuK is an audio jukebox application, supporting collections of MP3, Ogg Vorbis, and FLAC audio files.|https://www.kde.org/applications/multimedia/juk/|{{Pkg|kdemultimedia-juk}}{{Broken package link (简体中文)|package not found}}}}<br />
* {{App|Listen|Listen is a Music player and management for GNOME written in python.|https://launchpad.net/listen|{{AUR|listen}}{{Broken package link (简体中文)|package not found}}}}<br />
* {{App|LXMusic|A minimalist xmms2-based music player.|https://wiki.lxde.org/en/LXMusic|{{Pkg|lxmusic}}}}<br />
* {{App|Miam-player|Cross-platform open source music player.|http://miam-player.org/|{{AUR|miam-player}}{{Broken package link (简体中文)|package not found}}}}<br />
* {{App|[[Wikipedia:Nightingale (software)|Nightingale]]|Open source clone of iTunes-based on [[Wikipedia:Songbird (software)|Songbird]], that uses Mozilla technologies and the GStreamer framework.|https://getnightingale.com/|{{AUR|nightingale}}{{Broken package link (简体中文)|package not found}}}}<br />
* {{App|Noise|Simple, fast, and good looking music player.|https://launchpad.net/noise|{{Pkg|noise}}{{Broken package link (简体中文)|package not found}}}}<br />
* {{App|Nuvola Player|Integrated Google Music, Grooveshark, 8tracks and Hype Machine player.|http://nuvolaplayer.fenryxo.cz/|{{AUR|nuvolaplayer}}{{Broken package link (简体中文)|package not found}}}}<br />
* {{App|Potamus|Lightweight, intuitive GTK+ audio player with an emphasis on high audio quality.|https://offog.org/code/potamus.html|{{AUR|potamus}}{{Broken package link (简体中文)|package not found}}}}<br />
* {{App|Pragha|GTK+ music manager. (fork of the Consonance Music Manager)|https://pragha-music-player.github.io/|{{Pkg|pragha}}}}<br />
* {{App|Qmmp|Qt-based multimedia player with a user interface that is similar to Winamp or XMMS.|https://qmmp.ylsoftware.com/|{{Pkg|qmmp}}}}<br />
* {{App|[[Wikipedia:Quod Libet (software)|Quod Libet]]|Audio player written with PyGTK and GStreamer with support for regular expressions in playlists.|https://code.google.com/p/quodlibet/|{{Pkg|quodlibet}}}}<br />
* {{App|[[Wikipedia:Rhythmbox|Rhythmbox]]|GTK+ clone of iTunes, used by default in GNOME.|https://projects.gnome.org/rhythmbox/|{{Pkg|rhythmbox}}}}<br />
* {{App|[[Spotify]]|Proprietary music streaming service. It supports local playback and streaming from Spotify's vast library (requires a free account).|https://www.spotify.com/|{{AUR|spotify}}}}<br />
* {{App|[[SpotCommander]]|A remote control for Spotify, optimized for mobile devices. It works on any device with a modern browser, and it's free and open source.|https://web.archive.org/web/20200121132702/http://olejon.github.io/spotcommander/|{{AUR|spotcommander}}{{Broken package link (简体中文)|package not found}}}}<br />
* {{App|Tomahawk|Music player application written in C++/Qt. It decouples the name of the song from the source it was shared from - and fulfills the request using all of your available sources.|https://web.archive.org/web/20200412172053/http://www.tomahawk-player.org/|{{AUR|tomahawk}}{{Broken package link (简体中文)|package not found}}}}<br />
* {{App|[[Wikipedia:VLC_media_player|VLC]]|Highly portable multimedia player and multimedia framework capable of reading most audio and video formats as well as DVDs, Audio CDs, VCDs, and various streaming protocols.|https://www.videolan.org/vlc/|{{Pkg|vlc}}}}<br />
* {{App|[[wikipedia:XMMS|XMMS]]|Skinnable GTK+ standalone media player similar to Winamp.|http://legacy.xmms2.org/|{{AUR|xmms}}{{Broken package link (简体中文)|package not found}}}}<br />
<br />
==== Volume managers ====<br />
<br />
* {{App|GVolWheel|An audio mixer which lets you control the volume through a tray icon.|https://sourceforge.net/projects/gvolwheel/|{{AUR|gvolwheel}}}}<br />
* {{App|GVTray|A master volume mixer for the system tray.|https://code.google.com/p/gtk-tray-utils/|{{AUR|gvtray}}{{Broken package link (简体中文)|package not found}}}}<br />
* {{App|pa-applet|PulseAudio system tray applet with volume bar.|https://github.com/fernandotcl/pa-applet|{{AUR|pa-applet-git}}}}<br />
* {{App|PNMixer|A fork of Obmixer. It has many new features such as ALSA channel selection, connect/disconnect detection, shortcuts, etc.|https://github.com/nicklan/pnmixer/wiki|{{AUR|pnmixer}}}}<br />
* {{App|Volctl|Per-application volume control for GNU/Linux desktops.|https://buzz.github.io/volctl/|{{AUR|volctl}}}}<br />
* {{App|Volnoti|Lightweight volume notification daemon for GNU/Linux and other POSIX operating systems.|https://github.com/davidbrazdil/volnoti|{{AUR|volnoti}}}}<br />
* {{App|Volti|A GTK application for controlling audio volume from system tray with an internal mixer and support for multimedia keys that uses only ALSA.|https://code.google.com/p/volti/|{{AUR|volti}}}}<br />
* {{App|VolumeIcon|Another volume control for your system tray with channel selection, themes and an external mixer.|http://softwarebakery.com/maato/volumeicon.html{{Dead link (简体中文)|2021|05|17|status=404}}|{{Pkg|volumeicon}}}}<br />
* {{App|VolWheel|A little application which lets you control the sound volume easily through a tray icon you can scroll on.|https://oliwer.net/b/volwheel.html|{{AUR|volwheel}}}}<br />
<br />
==== CD ripping ====<br />
<br />
See [[Optical disc drive#CD]].<br />
<br />
==== Visualization ====<br />
<br />
* {{App|[[Wikipedia:MilkDrop|ProjectM]]|Music visualizer which uses 3D accelerated iterative image-based rendering.|http://projectm.sourceforge.net/|{{Pkg|projectm}}}}<br />
* {{App|[[Wikipedia:VSXu|VSXu]]|Free to use program that lets you create and perform real-time audio visual presets.|https://www.vsxu.com/|{{AUR|vsxu}}}}<br />
<br />
==== Audio tag editors ====<br />
<br />
* {{App|Audio Tag Tool|Tool to edit tags in MP3 and Ogg Vorbis files.|http://tagtool.sourceforge.net/|{{AUR|tagtool}}}}<br />
* {{App|Cowbell|Elegant music organizer that supports many audio formats including MP3, Ogg/FLAC, and MusePack.|http://more-cowbell.org/|{{AUR|cowbell}}{{Broken package link (简体中文)|package not found}}}}<br />
* {{App|[[Wikipedia:EasyTag|EasyTag]]|Utility for viewing, editing and writing ID3 tags of your MP3 files.|http://easytag.sourceforge.net/|{{Pkg|easytag}}}}<br />
* {{App|[[Wikipedia:Ex Falso (software)|Ex Falso]]|Cross-platform free and open source audio tag editor and library organizer.|https://code.google.com/p/quodlibet/|{{Pkg|exfalso}}{{Broken package link (简体中文)|package not found}}}}<br />
* {{App|ID3 Mass Tagger|Command-line utility to edit ID3 1.x and 2.x tags.|https://squell.github.io/id3/|{{AUR|id3}}}}<br />
* {{App|Kid3|MP3, Ogg/Vorbis, FLAC, MPC, MP4/AAC, MP2, Speex, TrueAudio, WavPack, WMA, WAV and AIFF files tag editor.|http://kid3.sourceforge.net/|{{Pkg|kid3}}}}<br />
* {{App|MP3Info|MP3 technical info viewer and ID3 1.x tag editor.|https://ibiblio.org/mp3info/|{{Pkg|mp3info}}}}<br />
* {{App|[[Wikipedia:MusicBrainz Picard|MusicBrainz Picard]]|Cross-platform audio tag editor written in Python (the official MusicBrainz tagger).|https://musicbrainz.org/doc/MusicBrainz_Picard|{{Pkg|picard}}}}<br />
* {{App|[[Wikipedia:Puddletag|Puddletag]]|Replacement for the famous MP3tag for Windows.|http://puddletag.sourceforge.net/|{{AUR|puddletag}}}}<br />
* {{App|taffy|Simple command-line tag editor for many audio formats.|https://github.com/jangler/taffy|{{AUR|taffy}}}}<br />
* {{App|Qoobar|Universal QT-based audio tagger (specialized for classical music)|http://qoobar.sourceforge.net/en/index.htm|{{AUR|qoobar}}}}<br />
<br />
==== Audio editors ====<br />
<br />
* {{App|[[Wikipedia:Ardour (software)|Ardour]]|Multichannel hard disk recorder and digital audio workstation.|https://ardour.org/|{{Pkg|ardour}}}}<br />
* {{App|[[Wikipedia:Audacity (audio editor)|Audacity]]|Program that lets you manipulate digital audio waveforms.|http://audacity.sourceforge.net/|{{Pkg|audacity}}}}<br />
* {{App|GNOME Sound Recorder|The Sound Recorder application enables you to record and play .flac, .ogg (OGG audio, or .oga), and .wav sound files.|https://git.gnome.org/browse/gnome-sound-recorder|{{Pkg|gnome-sound-recorder}}}}<br />
* {{App|[[Wikipedia:Jokosher|Jokosher]]|Non-linear multi-track digital audio editor that is being developed in Python, using the GTK+ interface and GStreamer as an audio back-end.|https://launchpad.net/jokosher/|{{AUR|jokosher}}}}<br />
* {{App|KWave|Sound editor for KDE.|http://kwave.sourceforge.net/|{{Pkg|kwave}}}}<br />
* {{App|[[LMMS]]|The Linux MultiMedia Studio. Free cross-platform software which allows you to produce music with your computer.|http://lmms.sourceforge.net/|{{Pkg|lmms}}}}<br />
* {{App|[[Wikipedia:Qtractor|Qtractor]]|Qt-based hard disk recorder and digital audio workstation application that aims to provide digital audio workstation software simple enough for the average home user, and yet powerful enough for the professional user.|http://qtractor.sourceforge.net/qtractor-index.html|{{Pkg|qtractor}}}}<br />
* {{App|[[Wikipedia:Rosegarden|Rosegarden]]|Digital audio workstation program developed with ALSA and Qt that acts as an audio and MIDI sequencer, scorewriter and musical composition and editing tool.|https://www.rosegardenmusic.com/|{{Pkg|rosegarden}}}}<br />
* {{App|XCFA|Tool to extract the contents of audio CDs and convert them to various formats.|http://www.xcfa.tuxfamily.org/|{{AUR|xcfa}}{{Broken package link (简体中文)|package not found}}}}<br />
<br />
=== Mobile phone managers ===<br />
<br />
* {{App|GNOME Phone Manager|Control your mobile phone from your GNOME desktop.|https://wiki.gnome.org/Attic/PhoneManager|{{AUR|gnome-phone-manager}}}}<br />
* {{App|KDE Connect|A project that aims to communicate all your devices.|https://community.kde.org/KDEConnect|{{Pkg|kdeconnect}}}}<br />
* {{App|Moto4Lin|File manager and seem editor for Motorola P2K phones (like C380/C650).|https://sourceforge.net/projects/moto4lin/|{{AUR|moto4lin}}{{Broken package link (简体中文)|package not found}}}}<br />
<br />
=== Video ===<br />
<br />
==== Video players ====<br />
<br />
See also [[Wikipedia:Comparison of video player software]].<br />
<br />
===== Console =====<br />
<br />
* {{App|[[MPlayer]]|Video player that supports a complete and versatile array of video and audio formats.|http://www.mplayerhq.hu/design7/news.html|{{Pkg|mplayer}} (see also the very similar fork {{AUR|mplayer2}})}}<br />
* {{App|[[mpv]]|Movie player based on MPlayer and mplayer2.|https://mpv.io|{{Pkg|mpv}} {{AUR|mpv-git}}}}<br />
* {{App|[[Wikipedia:xine|xine-ui]]|Free multimedia player.|https://www.xine-project.org|{{Pkg|xine-ui}}}}<br />
* {{App|[[Wikipedia:VLC media player|VLC ncurses]]|Command-line version of the famous video player that can play smoothly high definition videos in the TTY.|https://www.videolan.org/vlc/|{{AUR|vlc-nogui}}{{Broken package link (简体中文)|package not found}}}}<br />
<br />
===== Graphical =====<br />
<br />
See also: [[MPlayer#Frontends.2FGUIs|MPlayer frontends]], [[mpv]].<br />
<br />
* {{App|bomi|Powerful and easy to use multimedia player (mpv backend) (Qt 5).|https://bomi-player.github.io/|{{AUR|bomi}}{{Broken package link (简体中文)|package not found}} (previously {{AUR|cmplayer}}{{Broken package link (简体中文)|package not found}}), {{AUR|bomi-git}}}}<br />
* {{App|[[Wikipedia:Kdemultimedia#Dragon Player|Dragon Player]]|Simple video player for KDE. Part of the {{Grp|kdemultimedia}}{{Broken package link (简体中文)|package not found}} group.|https://www.kde.org/applications/multimedia/dragonplayer/|{{Pkg|kdemultimedia-dragonplayer}}{{Broken package link (简体中文)|package not found}}}}<br />
* {{App|[[Wikipedia:Kaffeine|Kaffeine]]|Very versatile KDE media player that, by default, utilizes Xine as its backend and has excellent support of digital TV (DVB).|https://apps.kde.org/kaffeine/|{{Pkg|kaffeine}}}}<br />
* {{App|Parole|Modern media player based on the GStreamer framework.|https://goodies.xfce.org/projects/applications/parole/|{{Pkg|parole}}}}<br />
* {{App|Rage|Video and audio player written with the Enlightenment Foundation Libraries, with some extra bells and whistles.|https://www.enlightenment.org/p.php?p=about/rage|{{AUR|rage}}}}<br />
* {{App|Snappy|Powerful media player with a minimalistic interface.|https://wiki.gnome.org/Apps/Snappy|{{Pkg|snappy-player}}}}<br />
* {{App|[[Wikipedia:Totem (software)|Totem]]|Media player (audio and video) for the GNOME desktop that uses GStreamer. Part of {{Grp|gnome}}|https://projects.gnome.org/totem/|{{Pkg|totem}}}}<br />
* {{App|[[Wikipedia:VLC media player|VLC media player]]|Middleweight video player with support for a wide variety of audio and video formats.|https://www.videolan.org/vlc/|{{Pkg|vlc}}}}<br />
* {{App|Whaaw! Media Player|Lightweight GStreamer-based audio and video player that can serve as a good alternative to Totem for those who do not like all of those GNOME dependencies.|https://web.archive.org/web/20170327065711/http://home.gna.org/whaawmp/|{{AUR|whaawmp}}}}<br />
* {{App|Xnoise|GTK+ and GStreamer-based media player for both audio and video with "a slick GUI, great speed and lots of features." (development ceased)|http://www.xnoise-media-player.com/|{{Pkg|xnoise}}}}<br />
<br />
==== DVD ripping ====<br />
<br />
See [[Optical disc drive#DVD-Video]].<br />
<br />
==== Video editors ====<br />
<br />
See also [[Wikipedia:Comparison of video editing software]].<br />
<br />
===== Console =====<br />
<br />
* {{App|[[Wikipedia:Avidemux|Avidemux]]|Free video editor designed for simple cutting, filtering and encoding tasks.|http://fixounet.free.fr/avidemux/|{{Pkg|avidemux-cli}}}}<br />
* {{App|[[Wikipedia:HandBrake|HandBrake-CLI]]|Simple yet powerful video transcoder ideal for batch mkv/x264 ripping.|https://handbrake.fr/|{{Pkg|handbrake-cli}}}}<br />
<br />
===== Graphical =====<br />
<br />
* {{App|[[Wikipedia:Avidemux|Avidemux]]|Free video editor designed for simple cutting, filtering and encoding tasks.|http://fixounet.free.fr/avidemux/|{{Pkg|avidemux-gtk}}{{Broken package link (简体中文)|replaced by {{Pkg|avidemux-qt}}}} {{Pkg|avidemux-qt}}}}<br />
* {{App|[[Wikipedia:Cinelerra|Cinelerra (Community Version)]]|Professional-grade video editing and compositing environment.|http://cinelerra-cv.wikidot.com/|{{AUR|cinelerra-cv}}}}<br />
* {{App|[[Wikipedia:HandBrake|HandBrake]]|Simple yet powerful video transcoder ideal for batch mkv/x264 ripping. GTK+ version.|https://handbrake.fr/|{{Pkg|handbrake}}}}<br />
* {{App|[[Wikipedia:Kdenlive|Kdenlive]]|Non-linear video editor, aimed mainly at professional use.|https://kdenlive.org/|{{Pkg|kdenlive}}}}<br />
* {{App|[[Wikipedia:Lightworks|Lightworks]]|Professional-grade non-linear video editor with broad codec support.|https://www.lwks.com/|{{AUR|lwks}}{{Broken package link (简体中文)|package not found}}}}<br />
* {{App|[[Wikipedia:LiVES|LiVES]]|VJ (live performance) platform.|http://lives.sourceforge.net/|{{AUR|lives}}}}<br />
* {{App|Open Movie Editor|Easy-to-learn tool for making movies.|http://www.openmovieeditor.org/|{{AUR|openmovieeditor}}{{Broken package link (简体中文)|package not found}}}}<br />
* {{App|[[Wikipedia:OpenShot_Video_Editor|OpenShot]]|Non-linear video editor based on the MLT framework.|http://www.openshotvideo.com/|{{Pkg|openshot}}}}<br />
* {{App|[[Wikipedia:Pitivi|PiTiVi]]|Video editor for GNOME.|https://www.pitivi.org/|{{Pkg|pitivi}}}}<br />
* {{App|Transmageddon|Simple transcoder written in Python; converts between any codecs supported by GStreamer.|http://www.linuxrising.org/|{{Pkg|transmageddon}}}}<br />
<br />
==== Screencast ====<br />
<br />
See also [[Wikipedia:Comparison of screencasting software]].<br />
<br />
Screencast utilities allow you to create a video of your desktop or individual windows.<br />
<br />
* {{App|byzanz|Simple screencast tool that produces GIF animations.|https://blogs.gnome.org/otte/2009/08/30/byzanz-0-2-0/|{{AUR|byzanz-git}}}}<br />
* {{App|glc|Screencast tool that can capture the sound and video from OpenGL applications, such as games, where regular X11 screencast tools produce choppy results.|https://github.com/nullkey/glc{{Dead link (简体中文)|2020|08|02|status=404}}|{{AUR|glc}}{{Broken package link (简体中文)|package not found}}}}<br />
* {{App|Istanbul|Simple desktop session recorder that produces ogg videos.|https://wiki.gnome.org/Projects/Istanbul|{{AUR|istanbul}}{{Broken package link (简体中文)|package not found}}}}<br />
* {{App|Kazam|Screencasting program with design in mind.|https://launchpad.net/kazam|{{AUR|kazam-bzr}}{{Broken package link (简体中文)|package not found}}}}<br />
* {{App|[[Wikipedia:RecordMyDesktop|RecordMyDesktop]]|An easy to use utility that records your desktop into the ogg format with a CLI, Qt or GTK+ interface.|http://recordmydesktop.sourceforge.net/|{{Pkg|recordmydesktop}} {{AUR|gtk-recordmydesktop}} {{AUR|qt-recordmydesktop}}}}<br />
* {{App|simplescreenrecorder|A feature-rich screen recorder written in C++/Qt4 that supports X11 and OpenGL.|https://www.maartenbaert.be/simplescreenrecorder/|{{Pkg|simplescreenrecorder}}}}<br />
* {{App|vokoscreen|Simple screencast tool, GUI ffmpeg.|https://linuxecke.volkoh.de/vokoscreen/vokoscreen.html|{{Pkg|vokoscreen}}}}<br />
* {{App|[[Wikipedia:XVidCap|XVidCap]]|Application used for recording a screencast or digital recording of an X Window System screen output with an audio narration.|http://xvidcap.sourceforge.net/|{{AUR|xvidcap}}}}<br />
<br />
=== Optical media burning ===<br />
<br />
See [[Optical disc drive#Burning CD/DVD/BD with a GUI]].<br />
<br />
=== Podcasts ===<br />
<br />
See [[List of applications/Internet#Podcast_clients|Podcast clients]].<br />
<br />
=== Collection managers ===<br />
<br />
* {{App|[[Beets]]|Music library organizer, tagger and more.|http://beets.radbox.org/|{{Pkg|beets}}}}<br />
* {{App|Demlo|Batch music tagger, encoder, renamer and more.|https://ambrevar.bitbucket.org/demlo/|{{AUR|demlo}}}}<br />
* {{App|[[Wikipedia:GCstar|GCstar]]|GNOME application for organizing various collections (board games, comic books, movies, stamps, etc.).|http://www.gcstar.org/|{{AUR|gcstar}}}}<br />
* {{App|[[Wikipedia:Tellico|Tellico]]|KDE application for organizing various collections (books, video, music, coins, etc.).|https://tellico-project.org/|{{Pkg|tellico}}}}<br />
* {{App|[[Kodi]]|Application for organizing various collections and automatically retrieving info about them (video, music, photos).|https://kodi.tv/|{{Pkg|kodi}}{{Broken package link (简体中文)|replaced by {{Pkg|kodi-gbm}}}}}}<br />
<br />
=== Lyrics fetchers ===<br />
<br />
* {{App|clyrics|An extensible lyrics fetcher, with daemon support for cmus and mocp.|http://beets.radbox.org/|{{AUR|clyrics}}}}</div>Timeline.menuhttps://wiki.archlinux.org/index.php?title=BIND&diff=650597BIND2021-02-03T03:39:32Z<p>Timeline.menu: /* It should be start named-chroot.service, not restart named.service. Moreover, daemon-reload is needed before this can be done. */</p>
<hr />
<div>[[Category:Domain Name System]]<br />
[[de:BIND]]<br />
[[es:BIND]]<br />
[[fr:BIND]]<br />
[[ja:BIND]]<br />
[[zh-hans:BIND]]<br />
{{Related articles start}}<br />
{{Related|Domain name resolution}}<br />
{{Related articles end}}<br />
{{Style|Numerous style and content issues.}}<br />
[https://www.isc.org/downloads/bind/ BIND] (or named) is the most widely used Domain Name System (DNS) server.<br />
<br />
{{Note|The organization developing BIND is serving security notices to paying customers up to four days before Linux distributions or the general public.[https://kb.isc.org/article/AA-00861/0/ISC-Software-Defect-and-Security-Vulnerability-Disclosure-Policy.html]}}<br />
<br />
== Installation ==<br />
<br />
[[Install]] the {{Pkg|bind}} package.<br />
<br />
[[Start/enable]] the {{ic|named.service}} systemd unit.<br />
<br />
To use the DNS server locally, use the {{ic|127.0.0.1}} nameserver (meaning clients like Firefox resolve via 127.0.0.1), see [[Domain name resolution]].<br />
This does however require you to [[#Allow recursion]]; note that a firewall might also block queries from outside to your local named.<br />
<br />
== Configuration ==<br />
<br />
BIND is configured in {{ic|/etc/named.conf}}. The available options are documented in {{man|5|named.conf}}.<br />
<br />
[[Reload]] the {{ic|named.service}} unit to apply configuration changes.<br />
<br />
===Restrict access to localhost===<br />
<br />
BIND by default listens on port 53 of all interfaces and IP addresses. To only allow connections from localhost, add the following line to the options section in {{ic|/etc/named.conf}}:<br />
listen-on { 127.0.0.1; };<br />
<br />
=== Set up DNS forwarding ===<br />
<br />
To make BIND forward DNS queries to another DNS server add the forwarders clause to the options section.<br />
<br />
Example to make BIND forward to the Google DNS servers:<br />
<br />
forwarders { 8.8.8.8; 8.8.4.4; };<br />
<br />
== A configuration template for running a domain ==<br />
<br />
The following sets up a simple home nameserver, using ''domain.tld'' as the domain that is served world-wide, in the same way this wiki's ''archlinux.org'' domain is.<br />
<br />
A more elaborate example is [http://www.howtoforge.com/two_in_one_dns_bind9_views DNS server with BIND9], while [http://www.brennan.id.au/08-Domain_Name_System_BIND.html#yourdomain this shows] how to set up internal network name resolution.<br />
<br />
=== Creating a zonefile ===<br />
<br />
Create {{ic|/var/named/domain.tld.zone}}.<br />
<br />
$TTL 7200<br />
; domain.tld<br />
@ IN SOA ns01.domain.tld. postmaster.domain.tld. (<br />
2018111111 ; Serial<br />
28800 ; Refresh<br />
1800 ; Retry<br />
604800 ; Expire - 1 week<br />
86400 ) ; Negative Cache TTL<br />
@ IN NS ns01<br />
@ IN NS ns02<br />
ns01 IN A 0.0.0.0<br />
ns02 IN A 0.0.0.0<br />
localhost IN A 127.0.0.1<br />
@ IN MX 10 mail<br />
imap IN CNAME mail<br />
smtp IN CNAME mail<br />
@ IN A 0.0.0.0<br />
www IN A 0.0.0.0<br />
mail IN A 0.0.0.0<br />
@ IN TXT "v=spf1 mx"<br />
<br />
$TTL defines the default time-to-live in seconds for all record types. Here it is 2 hours.<br />
<br />
Serial must be '''incremented''' manually before restarting named every time you change a resource record for the zone. Otherwise slaves will not re-transfer the zone: they only do it if the serial is '''greater''' than that of the last time they transferred the zone.<br />
<br />
=== Configuring master server ===<br />
<br />
Add your zone to {{ic|/etc/named.conf}}:<br />
zone "domain.tld" IN {<br />
type master;<br />
file "domain.tld.zone";<br />
allow-update { none; };<br />
notify no;<br />
};<br />
<br />
[[Reload]] the {{ic|named.service}} unit to apply the configuration change.<br />
<br />
== Allow recursion ==<br />
<br />
If you are running your own DNS server, you might as well use it for all DNS lookups, or even locally serve the root-zone yourself following [[RFC:7706]]. The former will require the ability to do ''recursive'' lookups. In order to prevent [https://www.us-cert.gov/ncas/alerts/TA13-088A DNS Amplification Attacks], recursion is turned off by default for most resolvers. The default Arch {{ic|/etc/named.conf}} file allows for recursion only on the loopback interface:<br />
<br />
allow-recursion { 127.0.0.1; };<br />
<br />
{{Accuracy|LAN networking is not recursive.}}<br />
<br />
If you want to provide name service for your local network, e.g. 192.168.0.0/24, you must add the appropriate range of IP addresses to {{ic|/etc/named.conf}}:<br />
<br />
allow-recursion { 192.168.0.0/24; 127.0.0.1; };<br />
<br />
== Configuring BIND to serve DNSSEC signed zones ==<br />
<br />
To enable DNSSEC support, add {{ic|dnssec-enable yes;}} to the {{ic|options}} block of {{ic|/etc/named.conf}}.<br />
Also check that {{ic|edns}} is not disabled.<br />
<br />
On master DNS server:<br />
* generate KSK and ZSK keys:<br />
<br />
$ dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE example.com<br />
$ dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE example.com<br />
<br />
* change zone configuration:<br />
<br />
zone "example.com" {<br />
type master;<br />
allow-transfer { ... };<br />
auto-dnssec maintain;<br />
inline-signing yes;<br />
key-directory "master/";<br />
file "master/example.com.zone";<br />
};<br />
<br />
BIND will now sign the zone automatically. (This example assumes that all required files are in {{ic|/var/named/master/}}.)<br />
<br />
Then pass the DS records (from the {{ic|dsset-example.com.}} file) to the parent zone owner, probably via your registrar's website. This links the parent zone to your KSK.<br />
<br />
The KSK (and the corresponding DS records) should be changed rarely, because changing it needs manual intervention; the ZSK can be changed more often, because it is usually shorter, which makes signature checking faster.<br />
<br />
You can schedule the expiration of the old ZSK and generate a new one with:<br />
<br />
$ dnssec-settime -I +172800 -D +345600 Kexample.com.+000+111111.key<br />
$ dnssec-keygen -S Kexample.com.+000+111111.key -i 152800<br />
<br />
BIND will automatically switch to the new ZSK at the appropriate time.<br />
<br />
=== See also ===<br />
<br />
* [http://www.dnssec.net/practical-documents DNSSEC]<br />
* [http://www.cymru.com/Documents/secure-bind-template.html a BIND configuration template]<br />
* [http://www.bind9.net/manuals man bind]<br />
* [http://www.bind9.net/BIND-FAQ bind FAQ]<br />
<br />
External mechanisms such as OpenDNSSEC, which provide fully automatic key rollover, are also available.<br />
<br />
== Automatically listen on new interfaces ==<br />
<br />
By default BIND scans for new interfaces, and stops listening on interfaces which no longer exist, every hour. You can tune this interval by adding the<br />
interface-interval <rescan-timeout-in-minutes>;<br />
parameter to the {{ic|named.conf}} options section. The maximum value is 28 days (40320 minutes). <br><br />
You can disable this feature by setting the value to 0.<br />
<br />
Then restart the service.<br />
<br />
== Running BIND in a chrooted environment ==<br />
<br />
Running in a [[chroot]] environment is not required but improves security.<br />
<br />
=== Creating the Jail House ===<br />
To do this, we first need to create a place to keep the jail (we shall use {{ic|/srv/named}}) and then put the required files into it.<br />
<br />
mkdir -p /srv/named/{dev,etc,usr/lib/engines,var/{run,log,named}}<br />
# Copy over required system files<br />
cp -av /etc/{localtime,named.conf} /srv/named/etc/<br />
cp -av /usr/lib/engines-1.1/* /srv/named/usr/lib/engines/<br />
cp -av /var/named/* /srv/named/var/named/.<br />
# Set up required dev nodes<br />
mknod /srv/named/dev/null c 1 3<br />
mknod /srv/named/dev/random c 1 8<br />
# Set Ownership of the files<br />
chown -R named:named /srv/named<br />
<br />
This should create the required file system for the jail.<br />
<br />
=== Service File ===<br />
<br />
Next we need to create a new service file that forces BIND into the chroot:<br />
<br />
cp -av /usr/lib/systemd/system/named.service /etc/systemd/system/named-chroot.service<br />
<br />
We need to edit how the service starts BIND:<br />
<br />
{{hc|/etc/systemd/system/named-chroot.service|<nowiki><br />
ExecStart=/usr/bin/named -4 -f -u named -t "/srv/named"<br />
</nowiki>}}<br />
<br />
Now reload systemd with {{ic|systemctl daemon-reload}} and start {{ic|named-chroot.service}}.<br />
<br />
== See also ==<br />
* [https://www.isc.org/downloads/bind/doc/ BIND 9 Administrator Reference Manual]<br />
* [http://www.reedmedia.net/books/bind-dns/ BIND 9 DNS Administration Reference Book]<br />
* [http://shop.oreilly.com/product/9780596100575.do DNS and BIND by Liu and Albitz]<br />
* [http://www.netwidget.net/books/apress/dns/intro.html Pro DNS and BIND] with [http://www.zytrax.com/books/dns/ abbreviated version online]<br />
* [http://www.isc.org/ Internet Systems Consortium, Inc. (ISC)]<br />
* [https://cira.ca/domain-name-system-dns-glossary DNS Glossary]{{Dead link|2020|03|28|status=404}}<br />
* [https://lists.archlinux.org/pipermail/arch-dev-public/2013-March/024588.html Archived mailing list discussion on BIND's future]<br />
* [https://www.heise.de/netze/rfc/rfcs/rfc7706.shtml#page-9 root zone transfer made simple - serve root@home]: copy the {{ic|/etc/named.conf}}, restart BIND and enjoy!</div>Timeline.menuhttps://wiki.archlinux.org/index.php?title=BIND_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)&diff=650596BIND (简体中文)2021-02-03T03:32:15Z<p>Timeline.menu: /* Fixed /usr/lib/engines/ not existing; fixed /var/named/* failing to be copied */</p>
<hr />
<div>[[Category:Domain Name System (简体中文)]]<br />
[[de:BIND]]<br />
[[en:BIND]]<br />
[[es:BIND]]<br />
[[fr:BIND]]<br />
[[ja:BIND]]<br />
{{Related articles start}}<br />
{{Related|DNSCrypt}}<br />
{{Related|dnsmasq}}<br />
{{Related|Pdnsd}}<br />
{{Related|Unbound}}<br />
{{Related|PowerDNS}}<br />
{{Related articles end}}<br />
{{TranslationStatus (简体中文)|BIND|2017-08-07|474888}}<br />
<br />
The Berkeley Internet Name Daemon ([https://www.isc.org/downloads/bind/ BIND]) is a reference implementation of the DNS protocol.<br />
<br />
{{Note|After discovering a security vulnerability, the organization developing BIND notifies paying customers first, and only notifies Linux distributions and the general public four days later.[https://kb.isc.org/article/AA-00861/0/ISC-Software-Defect-and-Security-Vulnerability-Disclosure-Policy.html]}}<br />
<br />
== Installation ==<br />
<br />
[[Pacman (简体中文)|Install]] the {{Pkg|bind}} package.<br />
<br />
To use BIND as the system's DNS resolver, edit [[resolv.conf]] and put {{ic|nameserver 127.0.0.1}} first.<br />
<br />
[[Start/enable]] {{ic|named.service}}.<br />
<br />
== Configuration ==<br />
<br />
BIND's configuration file is {{ic|/etc/named.conf}}. The {{ic|named.conf}} man page describes all the options.<br />
<br />
[[Reload]] the {{ic|named.service}} unit to apply configuration changes.<br />
<br />
=== Restrict access to localhost ===<br />
To only allow access from the local machine, edit {{ic|/etc/named.conf}} and add this line to the '''options''' section.<br />
listen-on { 127.0.0.1; };<br />
<br />
=== DNS forwarding ===<br />
<br />
To forward DNS queries to an upstream DNS server (for example your ISP's servers, or a well-known service such as Google or OpenNIC), add the following to the options section of the configuration file.<br />
<br />
forwarders { 8.8.8.8; 8.8.4.4; };<br />
<br />
Do not forget to restart {{ic|named.service}}.<br />
<br />
== Authoritative DNS server ==<br />
<br />
The following is a simple tutorial for setting up an authoritative zone. In this example our authoritative domain is "domain.tld".<br />
<br />
For a more thorough tutorial, see [http://www.howtoforge.com/two_in_one_dns_bind9_views Two-in-one DNS server with BIND9].<br />
<br />
=== 1. Create a zone file ===<br />
<br />
# nano /var/named/domain.tld.zone<br />
<br />
$TTL 7200<br />
; domain.tld<br />
@ IN SOA ns01.domain.tld. postmaster.domain.tld. (<br />
2007011601 ; Serial<br />
28800 ; Refresh<br />
1800 ; Retry<br />
604800 ; Expire - 1 week<br />
86400 ) ; Minimum<br />
@ IN NS ns01<br />
@ IN NS ns02<br />
ns01 IN A 0.0.0.0<br />
ns02 IN A 0.0.0.0<br />
localhost IN A 127.0.0.1<br />
@ IN MX 10 mail<br />
imap IN CNAME mail<br />
smtp IN CNAME mail<br />
@ IN A 0.0.0.0<br />
www IN A 0.0.0.0<br />
mail IN A 0.0.0.0<br />
@ IN TXT "v=spf1 mx"<br />
<br />
$TTL defines the default TTL (time-to-live) in seconds. In this example the default TTL is 2 hours.<br />
<br />
Every time you modify the zone file, increment the Serial and then restart '''named'''. Slave servers only request a transfer of the zone when the new Serial is greater than the serial of the zone they last transferred.<br />
<br />
=== 2. Configure the master server ===<br />
<br />
Add your zone to {{ic|/etc/named.conf}}:<br />
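As an added example (not code from the wiki page), the following Python script does the serial bump that this section and the "Creating a zonefile" section of the English article above both require: it reads the SOA serial from a zone file in the parenthesised layout shown, rewrites it with a strictly greater value, and uses the YYYYMMDDnn convention when the old serial already follows it. The sample zone is constructed to match the layout above.

```python
import re
from datetime import date

# Constructed sample zone, following the layout of the domain.tld.zone file above.
SAMPLE_ZONE = """$TTL 7200
; domain.tld
@ IN SOA ns01.domain.tld. postmaster.domain.tld. (
        2018111111 ; Serial
        28800      ; Refresh
        1800       ; Retry
        604800     ; Expire - 1 week
        86400 )    ; Negative Cache TTL
@ IN NS ns01
ns01 IN A 0.0.0.0
"""

# Matches "SOA <mname> <rname> (" and captures the serial that follows it.
SOA_SERIAL_RE = re.compile(r"(\bSOA\s+\S+\s+\S+\s*\(\s*)(\d+)")

SERIAL_MAX = 2**32  # SOA serials are 32-bit unsigned integers (RFC 1982)


def read_serial(zone_text):
    """Return the current SOA serial of a zone in the parenthesised layout."""
    m = SOA_SERIAL_RE.search(zone_text)
    if not m:
        raise ValueError("no SOA record with a parenthesised serial found")
    return int(m.group(2))


def next_serial(old, today_ymd=None):
    """Return a serial strictly greater than old.

    Uses the YYYYMMDDnn convention: the first change on a day yields
    YYYYMMDD00, further changes on the same day increment the counter.
    If the old serial is already past today's value, fall back to old + 1
    so slaves still see a greater serial and re-transfer the zone.
    """
    if today_ymd is None:
        today_ymd = int(date.today().strftime("%Y%m%d"))
    candidate = today_ymd * 100
    new = candidate if old < candidate else old + 1
    if new >= SERIAL_MAX:
        raise ValueError("serial would overflow 32 bits")
    return new


def bump_serial(zone_text, today_ymd=None):
    """Rewrite the zone's serial; returns (new_zone_text, old_serial, new_serial)."""
    old = read_serial(zone_text)
    new = next_serial(old, today_ymd)
    # Replace only the serial digits so layout and comments stay untouched.
    new_text = SOA_SERIAL_RE.sub(lambda m: m.group(1) + str(new), zone_text, count=1)
    return new_text, old, new


if __name__ == "__main__":
    text, old, new = bump_serial(SAMPLE_ZONE)
    print(f"serial {old} -> {new}")
    print(text)
```

Run it over the real file and reload named afterwards; a serial that is not greater than the previous one is the usual reason slaves keep serving stale data.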
zone "domain.tld" IN {<br />
type master;<br />
file "domain.tld.zone";<br />
allow-update { none; };<br />
notify no;<br />
};<br />
<br />
[[Reload]] {{ic|named.service}}.<br />
<br />
=== 3. Make it the default DNS server ===<br />
<br />
If you are already running your own DNS server, you may consider using it to handle DNS queries as well. The server must support '''recursive''' queries. To prevent [https://www.us-cert.gov/ncas/alerts/TA13-088A DNS amplification attacks], many DNS resolvers disable recursion by default. Arch's default {{ic|/etc/named.conf}} allows recursion only from the local host address:<br />
allow-recursion { 127.0.0.1; };<br />
<br />
The [[resolv.conf]] configuration file must contain the 127.0.0.1 address in order to use your DNS server. See [[Resolv.conf#Preserve DNS settings]]{{Broken section link (简体中文)}} for ways to make sure this file is not overwritten.<br />
<br />
If you want to provide DNS service for your local network (for example the 192.168.0 range), you must add the corresponding IP range to {{ic|/etc/named.conf}}:<br />
allow-recursion { 192.168.0.0/24; 127.0.0.1; };<br />
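The "Allow recursion" section of the English article above and this section make the same point: recursion must stay limited to loopback and your own ranges, or the server becomes an open resolver usable for amplification. As an added example (not code from the wiki page), this Python checker reads the {{ic|allow-recursion}} and {{ic|listen-on}} lists out of a named.conf options block and reports when recursion is granted beyond loopback and private ranges. It assumes BIND's documented default of {{ic|localnets; localhost;}} when {{ic|allow-recursion}} is unset; the configuration fragments are constructed.

```python
import ipaddress
import re

# Constructed named.conf fragments, modelled on the options discussed above.
SAFE_CONF = """
options {
    listen-on { 127.0.0.1; };
    allow-recursion { 192.168.0.0/24; 127.0.0.1; };
};
"""

OPEN_RESOLVER_CONF = """
options {
    listen-on { any; };
    recursion yes;
    allow-recursion { any; };
};
"""

BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}


def address_list(conf, name):
    """Return the entries of `name { a; b; };`, or None if the clause is absent."""
    m = re.search(r"(?<![\w-])%s\s*\{([^}]*)\}\s*;" % re.escape(name), conf)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def is_local_range(entry):
    """True for loopback and RFC 1918 style non-global ranges."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False  # not an address: an ACL name such as "any"
    return net.is_loopback or net.is_private


def audit_recursion(conf):
    """Return findings about who may use this named as a recursive resolver.

    An empty list means recursion is either disabled or limited to loopback
    and private ranges, which is what the article recommends.
    """
    if re.search(r"(?<![\w-])recursion\s+no\s*;", conf):
        return []  # recursion disabled outright: nothing to amplify with
    findings = []
    rec = address_list(conf, "allow-recursion")
    if rec is None:
        # Assumed default when the clause is unset (see lead-in).
        rec = ["localnets", "localhost"]
    for entry in rec:
        if entry == "any":
            findings.append("allow-recursion { any; } makes this an open resolver "
                            "usable for DNS amplification")
        elif entry in BUILTIN_ACLS:
            continue
        elif not is_local_range(entry):
            findings.append(f"allow-recursion grants recursion to public range {entry}")
    listen = address_list(conf, "listen-on")
    if findings and (listen is None or "any" in listen):
        # Listening on all interfaces is BIND's default; it only matters once
        # recursion is already granted beyond local ranges.
        findings.append("listen-on covers all interfaces, so only a firewall "
                        "stands between the Internet and recursion")
    return findings


if __name__ == "__main__":
    for label, conf in (("safe", SAFE_CONF), ("open", OPEN_RESOLVER_CONF)):
        print(label, audit_recursion(conf) or ["ok"])
```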
<br />
== Configuring DNSSEC ==<br />
<br />
* http://www.dnssec.net/practical-documents<br />
** http://www.cymru.com/Documents/secure-bind-template.html '''(configuration template!)'''<br />
** http://www.bind9.net/manuals<br />
** http://www.bind9.net/BIND-FAQ<br />
* http://blog.techscrawl.com/2009/01/13/enabling-dnssec-on-bind/<br />
* Or use an external mechanism such as OpenDNSSEC (fully automatic key rollover)<br />
<br />
== Automatically listen on new interfaces ==<br />
<br />
BIND scans for new network interfaces, and stops listening on interfaces that no longer exist, every few hours. If you want to change this interval, add the following entry to {{ic|/etc/named.conf}}:<br />
interface-interval <scan-interval>;<br />
<br />
The maximum interval is 28 days (40320 minutes).<br />
<br />
To disable this feature, set the value to '''0'''.<br />
<br />
Finally, restart the service.<br />
<br />
== Running BIND in a chroot environment ==<br />
<br />
Running in a [[chroot]] environment improves security.<br />
<br />
=== Creating the jail house ===<br />
First we need to create a jail. We can use {{ic|/srv/named}} and put the relevant files inside it.<br />
<br />
mkdir -p /srv/named/{dev,etc,usr/lib/engines,var/{run,log,named}}<br />
# Copy over required system files<br />
cp -av /etc/{localtime,named.conf} /srv/named/etc/<br />
cp -av /usr/lib/engines-1.1/* /srv/named/usr/lib/engines/<br />
cp -dfprv /var/named /srv/named/var/<br />
# Set up required dev nodes<br />
mknod /srv/named/dev/null c 1 3<br />
mknod /srv/named/dev/random c 1 8<br />
# Set Ownership of the files<br />
chown -R named:named /srv/named<br />
<br />
These steps set up the jail's file system.<br />
<br />
=== Service file ===<br />
<br />
Next we need to create a service file to force BIND to start inside the chroot environment.<br />
<br />
cp -av /usr/lib/systemd/system/named.service /etc/systemd/system/named-chroot.service<br />
<br />
We need to change how the service starts BIND.<br />
<br />
{{hc|/etc/systemd/system/named-chroot.service|<nowiki><br />
ExecStart=/usr/bin/named -4 -f -u named -t "/srv/named"<br />
</nowiki>}}<br />
<br />
Finally, reload systemd with {{ic|systemctl daemon-reload}}, then start {{ic|named-chroot.service}}.<br />
<br />
== See also ==<br />
* [https://www.isc.org/downloads/bind/doc/ BIND 9 Administrator Reference Manual]<br />
* [http://www.reedmedia.net/books/bind-dns/ BIND 9 DNS Administration Reference Book]<br />
* [http://shop.oreilly.com/product/9780596100575.do DNS and BIND by Cricket Liu and Paul Albitz]<br />
* [http://www.netwidget.net/books/apress/dns/intro.html Pro DNS and BIND]<br />
* [http://www.isc.org/ Internet Systems Consortium, Inc. (ISC)]<br />
* [http://www.menandmice.com/knowledgehub/dnsglossary DNS Glossary]{{Dead link (简体中文)|2020|08|02|status=404}}<br />
* [https://lists.archlinux.org/pipermail/arch-dev-public/2013-March/024588.html Archived mailing list discussion on BIND's future]</div>Timeline.menuhttps://wiki.archlinux.org/index.php?title=Postfix_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)&diff=607300Postfix (简体中文)2020-04-23T03:17:18Z<p>Timeline.menu: /* Secure SMTP (sending) */</p>
<hr />
<div>[[Category:Mail server (简体中文)]]<br />
[[en:Postfix]]<br />
[[es:Postfix]]<br />
[[ja:Postfix]]<br />
{{Related articles start}}<br />
{{Related|Postfix with SASL}}<br />
{{Related|Virtual user mail system}}<br />
{{Related|OpenDMARC}}<br />
{{Related|OpenDKIM}}<br />
{{Related articles end}}<br />
{{TranslationStatus (简体中文)|Postfix|2018-12-06|558391}}<br />
[[Wikipedia:Postfix (software)|Postfix]] is a [[mail transfer agent]]. According to its [http://www.postfix.org/ official website], it:<br />
:attempts to be fast, easy to administer, and secure, while at the same time being sendmail compatible enough to not upset existing users. Thus, the outside has a sendmail-ish flavor, but the inside is completely different.<br />
<br />
This article builds on [[Mail server]]. Its goal is to set up Postfix and explain what the basic configuration files do. Setup instructions are given for two delivery methods: local system users and virtual users.<br />
== Installation ==<br />
<br />
[[Install]] the {{Pkg|postfix}} package.<br />
<br />
== Configuration ==<br />
<br />
Follow the developers' [http://www.postfix.org/BASIC_CONFIGURATION_README.html Postfix Basic Configuration] guide. The default configuration files are in {{ic|/etc/postfix}}. Two of them are particularly important:<br />
<br />
* {{ic|master.cf}}, which defines which Postfix services are enabled and how clients connect to them; see {{man|5|master}}<br />
* {{ic|main.cf}}, the main configuration file; see {{man|5|postconf}}<br />
<br />
After changing the configuration, [[reload]] {{ic|postfix.service}}.<br />
<br />
=== Aliases ===<br />
<br />
See the man page {{man|5|aliases|pkg=postfix}}.<br />
<br />
The aliases file is {{ic|/etc/postfix/aliases}}. You can specify aliases (sometimes also called forwarders) in this file.<br />
<br />
You should map all mail sent to "root" to another account, because reading mail as root is not a good idea.<br />
<br />
Uncomment the following line and replace {{ic|you}} with the real account you want to use.<br />
root: you<br />
<br />
Once you have finished editing {{ic|/etc/postfix/aliases}}, run the following postalias command:<br />
postalias /etc/postfix/aliases<br />
For later changes you can use:<br />
newaliases<br />
<br />
{{Tip|Alternatively, you can create the file {{ic|~/.forward}} for the root user, i.e. {{ic|/root/.forward}}, and specify the user to forward root's mail to, for example ''user@localhost''.<br />
<br />
{{hc|/root/.forward|<br />
user@localhost<br />
}}<br />
<br />
}}<br />
<br />
=== Local mail ===<br />
<br />
To deliver mail only to local system users (i.e. users present in {{ic|/etc/passwd}}), update the following lines in {{ic|/etc/postfix/main.cf}} (uncomment, change or add them):<br />
<br />
myhostname = localhost<br />
mydomain = localdomain<br />
mydestination = $myhostname, localhost.$mydomain, $mydomain<br />
inet_interfaces = $myhostname, localhost<br />
mynetworks_style = host<br />
default_transport = error: outside mail is not deliverable<br />
<br />
All other settings stay unchanged. After this configuration you may also want to set up some [[#Aliases]] and then proceed to [[#Starting Postfix]].<br />
<br />
=== Virtual mail ===<br />
Virtual mail accounts are not stored in the local system's {{ic|/etc/passwd}} file; a database can be used to store the user accounts.<br />
<br />
See [[Virtual user mail system with Postfix, Dovecot and Roundcube (简体中文)]] for a detailed description of how to set this up.<br />
<br />
=== Check configuration ===<br />
<br />
Run {{ic|postfix check}} to check the configuration. It reports everything you may have written incorrectly in the configuration files.<br />
<br />
Run {{ic|postconf}} to view the complete configuration, and {{ic|postconf -n}} to view only what differs from the defaults.<br />
<br />
== Starting Postfix ==<br />
<br />
{{Note|Even if you have not set up any [[#Aliases]], you need to run {{ic|newaliases}} at least once for Postfix to work properly.}}<br />
[[Start/enable]] {{ic|postfix.service}}.<br />
<br />
== TLS ==<br />
<br />
{{Warning|If you deploy [[Wikipedia:TLS|TLS]], be sure to follow [https://weakdh.org/sysadmin.html weakdh.org's guide] to prevent FREAK/Logjam. Since mid-2015, the default settings have been safe against [[Wikipedia:POODLE|POODLE]]. For more information see [[Server-side TLS]].}}<br />
<br />
You need to [[obtain a certificate]].<br />
<br />
For more information, see [http://www.postfix.org/TLS_README.html Postfix TLS Support].<br />
<br />
=== Secure SMTP (sending) ===<br />
<br />
By default, Postfix/sendmail will not send email encrypted to other SMTP servers. To use TLS when available, add the following line to {{ic|main.cf}}:<br />
{{hc|/etc/postfix/main.cf|2=<br />
smtp_tls_security_level = may<br />
}}<br />
<br />
To require TLS (in which case delivery fails if the remote server does not support it), simply change {{ic|may}} to {{ic|encrypt}}. Note that if this mail service is public-facing (as opposed to an internal corporate service not exposed to the public Internet), doing so violates [[RFC:2487]], so consider it carefully.<br />
<br />
=== Secure SMTP (receiving) ===<br />
<br />
{{Out of date|Port 465 has been reinstated for SMTPS by [[RFC:8314]].}}<br />
<br />
By default, Postfix will not accept secure mail. <br />
<br />
To enable STARTTLS over SMTP (port 587, the proper way of securing SMTP), add the following lines to {{ic|main.cf}}<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
smtpd_tls_security_level = may<br />
smtpd_tls_cert_file = '''/path/to/cert.pem'''<br />
smtpd_tls_key_file = '''/path/to/key.pem'''<br />
}}<br />
<br />
In {{ic|master.cf}}, find and uncomment the following lines to enable the service on that port with the correct settings:<br />
<br />
{{hc|/etc/postfix/master.cf|2=<br />
submission inet n - n - - smtpd<br />
-o syslog_name=postfix/submission<br />
-o smtpd_tls_security_level=encrypt<br />
-o smtpd_sasl_auth_enable=yes<br />
-o smtpd_tls_auth_only=yes<br />
-o smtpd_reject_unlisted_recipient=no<br />
# -o smtpd_client_restrictions=$mua_client_restrictions<br />
# -o smtpd_helo_restrictions=$mua_helo_restrictions<br />
# -o smtpd_sender_restrictions=$mua_sender_restrictions<br />
-o smtpd_recipient_restrictions=<br />
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject<br />
-o milter_macro_daemon_name=ORIGINATING<br />
}}<br />
The {{ic|smtpd_*_restrictions}} options remain commented because {{ic|$mua_*_restrictions}} are not defined in main.cf by default. If you do decide to set any of {{ic|$mua_*_restrictions}}, uncomment those lines too.<br />
<br />
If you need support for the deprecated SMTPS port 465, also follow the next section.<br />
<br />
==== SMTPS (port 465) ====<br />
<br />
The deprecated method of securing SMTP is using the '''wrapper mode''' which uses the system service '''smtps''' as a non-standard service and runs on port 465.<br />
<br />
To enable it, uncomment the following lines in {{ic|master.cf}}:<br />
<br />
{{hc|/etc/postfix/master.cf|<nowiki><br />
smtps inet n - n - - smtpd<br />
-o syslog_name=postfix/smtps<br />
-o smtpd_tls_wrappermode=yes<br />
-o smtpd_sasl_auth_enable=yes<br />
-o smtpd_reject_unlisted_recipient=no<br />
# -o smtpd_client_restrictions=$mua_client_restrictions<br />
# -o smtpd_helo_restrictions=$mua_helo_restrictions<br />
# -o smtpd_sender_restrictions=$mua_sender_restrictions<br />
-o smtpd_recipient_restrictions=<br />
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject<br />
-o milter_macro_daemon_name=ORIGINATING<br />
</nowiki>}}<br />
<br />
The rationale surrounding the {{ic|$smtpd_*_restrictions}} lines is the same as above.<br />
<br />
After this, verify that these lines are in {{ic|/etc/services}}:<br />
smtps 465/tcp # Secure SMTP<br />
smtps 465/udp # Secure SMTP<br />
<br />
If they are not there, go ahead and add them (replace the other listing for port 465). Otherwise Postfix will not start and you will get the following error:<br />
<br />
''postfix/master[5309]: fatal: 0.0.0.0:smtps: Servname not supported for ai_socktype''<br />
<br />
== Tips and tricks ==<br />
<br />
=== Blacklist incoming emails ===<br />
<br />
Manually blacklisting incoming emails by sender address can easily be done with Postfix. <br />
<br />
Create and open {{ic|/etc/postfix/blacklist_incoming}} file and append sender email address:<br />
<br />
user@example.com REJECT<br />
<br />
Then use the {{ic|postmap}} command to create a database:<br />
<br />
# postmap hash:blacklist_incoming<br />
<br />
Add the following code before the first permit rule in {{ic|main.cf}}:<br />
<br />
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/blacklist_incoming<br />
<br />
Finally [[restart]] {{ic|postfix.service}}.<br />
<br />
===Hide the sender's IP and user agent in the Received header===<br />
This is mostly a privacy concern: if you send an email with Thunderbird, the Received header will contain your LAN and WAN IP and information about the email client you used.<br />
(Original source: [http://askubuntu.com/questions/78163/when-sending-email-with-postfix-how-can-i-hide-the-senders-ip-and-username-in AskUbuntu])<br />
What we want to do is remove the Received header from outgoing emails. This can be done with the following steps:<br />
<br />
Add the following line to {{ic|main.cf}}:<br />
<br />
smtp_header_checks = regexp:/etc/postfix/smtp_header_checks<br />
<br />
Create {{ic|/etc/postfix/smtp_header_checks}} with this content:<br />
<br />
/^Received: .*/ IGNORE<br />
/^User-Agent: .*/ IGNORE<br />
<br />
Finally, [[restart]] {{ic|postfix.service}}.<br />
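To see what the two rules above actually do to a message, here is an added Python example (not code from the wiki page or from Postfix) that parses a header_checks table in regexp_table syntax and applies it to a set of constructed, already unfolded outgoing headers the way smtp_header_checks does: the first matching rule decides each header, and matching is case-insensitive unless the {{ic|i}} flag toggles it off. Only the {{ic|IGNORE}} and {{ic|REPLACE}} actions are modelled; any other action keeps the header.

```python
import re

# Constructed header_checks table in Postfix regexp_table(5) syntax; the two
# rules are the ones shown above.
HEADER_CHECKS_TABLE = """
# strip hop and client information from outgoing mail
/^Received: .*/ IGNORE
/^User-Agent: .*/ IGNORE
"""

# Constructed outgoing headers, already unfolded as Postfix presents them to
# header_checks (not a real capture).
SAMPLE_HEADERS = [
    "Received: from [192.0.2.10] (host.example.net [198.51.100.7]) by mail.example.org",
    "User-Agent: Mozilla Thunderbird",
    "From: alice@example.org",
    "To: bob@example.com",
    "Subject: hello",
]

# /pattern/flags ACTION [argument]
RULE_RE = re.compile(r"^/(.*)/([A-Za-z]*)\s+(\S+)(?:\s+(.*))?$")


def parse_header_checks(table):
    """Parse regexp_table lines into (compiled_regex, ACTION, argument) tuples."""
    rules = []
    for raw in table.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax: {line}")
        pattern, flags, action, arg = m.groups()
        # Postfix regexp tables match case-insensitively unless the "i" flag
        # toggles that off; "m" and "x" map onto the usual regex flags.
        case_insensitive = True
        reflags = 0
        for f in flags:
            if f == "i":
                case_insensitive = not case_insensitive
            elif f == "m":
                reflags |= re.MULTILINE
            elif f == "x":
                reflags |= re.VERBOSE
        if case_insensitive:
            reflags |= re.IGNORECASE
        rules.append((re.compile(pattern, reflags), action.upper(), arg or ""))
    return rules


def apply_header_checks(headers, rules):
    """Apply the rules as smtp_header_checks does: the first matching rule
    decides each header. Returns (kept_headers, log_lines)."""
    kept, log = [], []
    for header in headers:
        for regex, action, arg in rules:
            if not regex.search(header):
                continue
            name = header.split(":", 1)[0]
            if action == "IGNORE":
                log.append(f"ignored {name} header")
            elif action == "REPLACE":
                kept.append(arg)
                log.append(f"replaced {name} header")
            else:  # OK, DUNNO and anything else not modelled: keep the header
                kept.append(header)
            break
        else:
            kept.append(header)
    return kept, log


if __name__ == "__main__":
    kept, log = apply_header_checks(SAMPLE_HEADERS, parse_header_checks(HEADER_CHECKS_TABLE))
    print("\n".join(kept))
    print(log)
```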
<br />
=== Postfix in a chroot jail ===<br />
Postfix is not put in a chroot jail by default. The Postfix documentation [http://www.postfix.org/BASIC_CONFIGURATION_README.html#chroot_setup] provides details about how to accomplish such a jail. The steps are outlined below and are based on the chroot-setup script provided in the Postfix source code.<br />
<br />
First, go into the {{ic|master.cf}} file in the directory {{ic|/etc/postfix}} and change all the chroot entries to 'yes' (y) except for the services {{ic|qmgr}}, {{ic|proxymap}}, {{ic|proxywrite}}, {{ic|local}}, and {{ic|virtual}}.<br />
<br />
Second, define a variable and a helper function that will be used later to copy files into the chroot jail (see the last step):<br />
CP="cp -p"<br />
<br />
cond_copy() {<br />
# find files as per pattern in $1<br />
# if any, copy to directory $2<br />
dir=`dirname "$1"`<br />
pat=`basename "$1"`<br />
lr=`find "$dir" -maxdepth 1 -name "$pat"`<br />
if test ! -d "$2" ; then exit 1 ; fi<br />
if test "x$lr" != "x" ; then $CP $1 "$2" ; fi<br />
}<br />
<br />
Next, make the new directories for the jail:<br />
set -e<br />
umask 022<br />
<br />
POSTFIX_DIR=${POSTFIX_DIR-/var/spool/postfix}<br />
cd ${POSTFIX_DIR}<br />
<br />
mkdir -p etc lib usr/lib/zoneinfo<br />
test -d /lib64 && mkdir -p lib64<br />
<br />
Find the localtime file:<br />
lt=/etc/localtime<br />
if test ! -f $lt ; then lt=/usr/lib/zoneinfo/localtime ; fi<br />
if test ! -f $lt ; then lt=/usr/share/zoneinfo/localtime ; fi<br />
if test ! -f $lt ; then echo "cannot find localtime" ; exit 1 ; fi<br />
rm -f etc/localtime<br />
<br />
Copy localtime and some other system files into the chroot's etc:<br />
$CP -f $lt /etc/services /etc/resolv.conf /etc/nsswitch.conf etc<br />
$CP -f /etc/host.conf /etc/hosts /etc/passwd etc<br />
ln -s -f /etc/localtime usr/lib/zoneinfo<br />
<br />
Copy the required libraries into the chroot using the previously created function {{ic|cond_copy}}:<br />
cond_copy '/usr/lib/libnss_*.so*' lib<br />
cond_copy '/usr/lib/libresolv.so*' lib<br />
cond_copy '/usr/lib/libdb.so*' lib<br />
<br />
And don't forget to reload Postfix.<br />
<br />
<br />
=== DANE (DNSSEC) ===<br />
==== Resource Record ====<br />
<br />
{{warning|This is not a trivial section. Make sure you know what you are doing, and read [https://dane.sys4.de/common_mistakes Common Mistakes] first.}}<br />
<br />
[[DANE]] supports several types of records, however not all of them are suitable in Postfix.<br />
<br />
Certificate usage 0 is unsupported, 1 is mapped to 3, and 2 is optional, so it is recommended to publish a "3" record.<br />
More on [[DANE#Resource Record|Resource Records]].<br />
<br />
==== Configuration ====<br />
<br />
{{Expansion|What does ''tempfail'' mean?}}<br />
<br />
Opportunistic DANE is configured this way:<br />
{{hc|/etc/postfix/main.cf|<nowiki><br />
smtpd_use_tls = yes<br />
smtp_dns_support_level = dnssec<br />
smtp_tls_security_level = dane<br />
</nowiki>}}<br />
{{hc|/etc/postfix/master.cf|<nowiki><br />
dane unix - - n - - smtp<br />
-o smtp_dns_support_level=dnssec<br />
-o smtp_tls_security_level=dane<br />
</nowiki>}}<br />
<br />
To use per-domain policies, e.g. opportunistic DANE for example.org and mandatory DANE for example.com,<br />
use something like this:<br />
{{hc|/etc/postfix/main.cf|<nowiki><br />
indexed = ${default_database_type}:${config_directory}/<br />
<br />
# Per-destination TLS policy<br />
#<br />
smtp_tls_policy_maps = ${indexed}tls_policy<br />
<br />
# default_transport = smtp, but some destinations are special:<br />
#<br />
transport_maps = ${indexed}transport<br />
</nowiki>}}<br />
<br />
{{hc|transport|<br />
example.com dane<br />
example.org dane<br />
}}<br />
<br />
{{hc|tls_policy|<br />
example.com dane-only<br />
}}<br />
<br />
{{Note|For global mandatory DANE, change {{ic|smtp_tls_security_level}} to {{ic|dane-only}}. Be aware that this makes Postfix tempfail (respond with a {{ic|4.X.X}} error code) on all deliveries that do not use DANE at all!}}<br />
<br />
Full documentation is found [http://www.postfix.org/TLS_README.html#client_tls_dane here].<br />
<br />
== Extras ==<br />
<br />
* {{App|[[PostfixAdmin]]|A web-based administrative interface for Postfix.|http://postfixadmin.sourceforge.net/|{{Pkg|postfixadmin}}}}<br />
<br />
=== Postgrey ===<br />
<br />
{{Style|See [[Help:Style]]}}<br />
<br />
[http://postgrey.schweikert.ch/ Postgrey] can be used to enable [[Wikipedia:Greylisting|greylisting]] for a Postfix mail server.<br />
<br />
==== Installation ====<br />
<br />
[[Install]] the {{Pkg|postgrey}} package. To get it running quickly edit the Postfix configuration file and add these lines:<br />
{{hc|/etc/postfix/main.cf|<nowiki><br />
smtpd_recipient_restrictions =<br />
check_policy_service inet:127.0.0.1:10030<br />
</nowiki>}}<br />
<br />
Then [[start/enable]] the {{ic|postgrey}} service. Afterwards, reload the {{ic|postfix}} service. Now greylisting should be enabled.<br />
<br />
==== Configuration ====<br />
<br />
Configuration is done via editing the {{ic|postgrey.service}} file. First copy it over to edit it.<br />
<br />
# cp /usr/lib/systemd/system/postgrey.service /etc/systemd/system/<br />
<br />
==== Whitelisting ====<br />
To add automatic whitelisting (successful deliveries are whitelisted and don't have to wait any more), you could add the {{ic|<nowiki>--auto-whitelist-clients=N</nowiki>}} option and replace {{ic|N}} by a suitably small number (or leave it at its default of 5).<br />
<br />
The preferred method, however, is a drop-in override rather than a copied unit file:<br />
<br />
{{hc|/etc/systemd/system/postgrey.service.d/override.conf|2=<br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/postgrey --inet=127.0.0.1:10030 \<br />
--pidfile=/run/postgrey/postgrey.pid \<br />
--group=postgrey --user=postgrey \<br />
--daemonize \<br />
--greylist-text="Greylisted for %%s seconds" \<br />
--auto-whitelist-clients<br />
}}<br />
<br />
To add your own list of whitelisted clients in addition to the default ones, create the file {{ic|/etc/postfix/whitelist_clients.local}} and enter one host or domain per line, then restart {{ic|postgrey.service}} so the changes take effect.<br />
<br />
==== Troubleshooting ====<br />
<br />
If you specify {{ic|1=--unix=/path/to/socket}} and the socket file is not created ensure you have removed the default {{ic|1=--inet=127.0.0.1:10030}} from the service file. <br />
<br />
For a full documentation of possible options see {{ic|perldoc postgrey}}.<br />
<br />
=== SpamAssassin ===<br />
<br />
This section describes how to integrate [[SpamAssassin]].<br />
<br />
==== SpamAssassin stand-alone generic setup ====<br />
<br />
{{Note|If you want to combine SpamAssassin and Dovecot Mail Filtering, ignore the next two lines and continue further down instead.}}<br />
<br />
Edit {{ic|/etc/postfix/master.cf}} and add the content filter under smtp.<br />
{{bc|1=<br />
smtp inet n - n - - smtpd<br />
-o content_filter=spamassassin<br />
}}<br />
<br />
Also add the following service entry for SpamAssassin<br />
{{bc|1=<br />
spamassassin unix - n n - - pipe<br />
flags=R user=spamd argv=/usr/bin/vendor_perl/spamc -e /usr/bin/sendmail -oi -f ${sender} ${recipient}<br />
}}<br />
<br />
Now you can [[start]] and [[enable]] {{ic|spamassassin.service}}.<br />
<br />
==== SpamAssassin combined with Dovecot LDA / Sieve (Mailfiltering) ====<br />
Set up LDA and the Sieve-Plugin as described in [[Dovecot#Sieve]]. But ignore the last line {{ic|mailbox_command... }}.<br />
<br />
Instead add a pipe in {{ic|/etc/postfix/master.cf}}:<br />
dovecot unix - n n - - pipe<br />
flags=DRhu user=vmail:vmail argv=/usr/bin/vendor_perl/spamc -u spamd -e /usr/lib/dovecot/dovecot-lda -f ${sender} -d ${recipient}<br />
<br />
And activate it in {{ic|/etc/postfix/main.cf}}:<br />
virtual_transport = dovecot<br />
<br />
==== SpamAssassin combined with Dovecot LMTP / Sieve ====<br />
Set up the LMTP and Sieve as described in [[Dovecot#Sieve]].<br />
<br />
Edit {{ic|/etc/dovecot/conf.d/90-plugins.conf}} and add:<br />
<br />
sieve_before = /etc/dovecot/sieve.before.d/<br />
sieve_extensions = +vnd.dovecot.filter<br />
sieve_plugins = sieve_extprograms<br />
sieve_filter_bin_dir = /etc/dovecot/sieve-filter<br />
# The default of 10s is often too short for the long-running spamassassin scans<br />
sieve_filter_exec_timeout = 120s<br />
<br />
Create the directory and put spamassassin in it as a binary that can be run by dovecot:<br />
<br />
# mkdir /etc/dovecot/sieve-filter<br />
# ln -s /usr/bin/vendor_perl/spamc /etc/dovecot/sieve-filter/spamc<br />
<br />
Create a new file, {{ic|/etc/dovecot/sieve.before.d/spamassassin.sieve}} which contains:<br />
<br />
require [ "vnd.dovecot.filter" ];<br />
filter "spamc" [ "-d", "127.0.0.1", "--no-safe-fallback" ];<br />
<br />
Compile the sieve rules {{ic|spamassassin.svbin}}:<br />
<br />
# cd /etc/dovecot/sieve.before.d<br />
# sievec spamassassin.sieve<br />
<br />
Finally, [[restart]] {{ic|dovecot.service}}.<br />
<br />
===Rule-based mail processing===<br />
With policy services one can easily fine-tune how Postfix handles mail delivery.<br />
{{Pkg|postfwd}} and {{AUR|policyd}} provide services to do so.<br />
This allows you, for example, to implement time-aware grey- and blacklisting of senders and recipients as well as [[SPF]] policy checking.<br />
<br />
Policy services are standalone services and connected to Postfix like this:<br />
{{hc|/etc/postfix/main.cf|<nowiki><br />
smtpd_recipient_restrictions =<br />
...<br />
check_policy_service unix:/run/policyd.sock<br />
check_policy_service inet:127.0.0.1:10040<br />
</nowiki>}}<br />
Placing policy services at the end of the restriction list reduces load, as only mail that passed the earlier restrictions is processed. Be sure to place them before the first permit statement to catch all incoming messages.<br />
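As an added example that is not Postgrey's, postfwd's or Postfix's own code, serving both the Postgrey section above and the policy-service wiring described here: a minimal Postfix policy server that implements greylisting with the auto-whitelist behaviour Postgrey's {{ic|--auto-whitelist-clients}} option provides. It assumes the Postfix policy delegation protocol (attribute lines of the form {{ic|1=name=value}} ended by an empty line, answered with {{ic|1=action=...}} and an empty line) and listens on the {{ic|127.0.0.1:10040}} address from the {{ic|main.cf}} fragment above; the sample request is constructed, not captured.<br />

```python
# Added example, not Postgrey's, postfwd's or Postfix's own code: a minimal
# Postfix policy-delegation responder implementing greylisting with an
# auto-whitelist, the behaviour described in the Postgrey section above.
import socketserver
import time
from typing import Callable, Dict, Set, Tuple

GREYLIST_DELAY = 300       # seconds a new (client, sender, recipient) triplet must wait
AUTO_WHITELIST_AFTER = 5   # successful deliveries before a client skips greylisting

# Constructed sample request in the format Postfix sends (not a real capture).
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.10\n"
    "sender=alice@example.org\n"
    "recipient=bob@example.com\n"
    "\n"
)


def parse_policy_request(raw: str) -> Dict[str, str]:
    """Parse the 'name=value' attribute lines Postfix sends; an empty line ends them."""
    attrs: Dict[str, str] = {}
    for line in raw.splitlines():
        if line == "":
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


class GreylistPolicy:
    """Greylisting decisions kept in memory (Postgrey persists its state on disk)."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.first_seen: Dict[Tuple[str, str, str], float] = {}
        self.passes: Dict[str, int] = {}
        self.whitelisted: Set[str] = set()

    def decide(self, attrs: Dict[str, str]) -> str:
        if attrs.get("request") != "smtpd_access_policy":
            return "DUNNO"  # not an SMTP access request; let later restrictions decide
        client = attrs.get("client_address", "")
        if client in self.whitelisted:
            return "DUNNO"
        triplet = (client, attrs.get("sender", "").lower(), attrs.get("recipient", "").lower())
        now = self.clock()
        first = self.first_seen.setdefault(triplet, now)
        remaining = GREYLIST_DELAY - (now - first)
        if remaining > 0:
            # DEFER_IF_PERMIT yields a 4xx tempfail only if nothing later rejects the mail
            return f"DEFER_IF_PERMIT Greylisted for {int(remaining)} seconds"
        self.passes[client] = self.passes.get(client, 0) + 1
        if self.passes[client] >= AUTO_WHITELIST_AFTER:
            self.whitelisted.add(client)
        return "DUNNO"


def format_response(action: str) -> str:
    """Postfix expects 'action=<value>' followed by an empty line."""
    return f"action={action}\n\n"


class PolicyHandler(socketserver.StreamRequestHandler):
    """One connection per Postfix smtpd process; requests may arrive back to back."""
    policy = GreylistPolicy()

    def handle(self) -> None:
        buf = ""
        while True:
            line = self.rfile.readline().decode("utf-8", "replace")
            if not line:
                return  # Postfix closed the connection
            if line in ("\n", "\r\n"):
                action = self.policy.decide(parse_policy_request(buf))
                self.wfile.write(format_response(action).encode())
                buf = ""
            else:
                buf += line


def serve(host: str = "127.0.0.1", port: int = 10040) -> None:
    """Listen where main.cf's 'check_policy_service inet:127.0.0.1:10040' points."""
    with socketserver.ThreadingTCPServer((host, port), PolicyHandler) as server:
        server.serve_forever()


if __name__ == "__main__":
    serve()
```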
<br />
=== Sender Policy Framework ===<br />
<br />
To use the [[Sender Policy Framework]] with Postfix, [[install]] {{AUR|python-postfix-policyd-spf}}.<br />
<br />
Edit {{ic|/etc/python-policyd-spf/policyd-spf.conf}} to your needs. An extensively commented version can be found at {{ic|/etc/python-policyd-spf/policyd-spf.conf.commented}}.<br />
Pay some extra attention to the HELO check policy, as standard settings strictly reject HELO failures.<br />
<br />
In the main.cf add a timeout for the policyd:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
policy-spf_time_limit = 3600s<br />
}}<br />
<br />
Then add a transport<br />
<br />
{{hc|/etc/postfix/master.cf|2=<br />
policy-spf unix - n n - 0 spawn<br />
user=nobody argv=/usr/bin/policyd-spf<br />
}}<br />
<br />
Lastly, add the policyd to {{ic|smtpd_recipient_restrictions}}. To minimize load, put it at the end of the restrictions, but above any {{ic|reject_rbl_client}} DNSBL line:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
smtpd_recipient_restrictions=<br />
...<br />
permit_sasl_authenticated<br />
permit_mynetworks<br />
reject_unauth_destination<br />
check_policy_service unix:private/policy-spf<br />
}}<br />
<br />
You can test your setup with the following:<br />
<br />
{{hc|/etc/python-policyd-spf/policyd-spf.conf|2=<br />
defaultSeedOnly = 0<br />
}}<br />
<br />
=== Sender Rewriting Scheme ===<br />
<br />
To use the [[Sender Rewriting Scheme]] with Postfix, [[install]] {{AUR|postsrsd}} and adjust the settings:<br />
<br />
{{hc|/etc/postsrsd/postsrsd|2=<br />
SRS_DOMAIN=yourdomain.tld<br />
SRS_EXCLUDE_DOMAINS=yourotherdomain.tld,yet.anotherdomain.tld<br />
SRS_SEPARATOR==<br />
SRS_SECRET=/etc/postsrsd/postsrsd.secret<br />
SRS_FORWARD_PORT=10001<br />
SRS_REVERSE_PORT=10002<br />
RUN_AS=postsrsd<br />
CHROOT=/usr/lib/postsrsd<br />
}}<br />
<br />
Enable and start the daemon, making sure it runs after reboot as well.<br />
Then configure Postfix accordingly by tweaking the following lines:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
sender_canonical_maps = tcp:localhost:10001<br />
sender_canonical_classes = envelope_sender<br />
recipient_canonical_maps = tcp:localhost:10002<br />
recipient_canonical_classes= envelope_recipient,header_recipient<br />
}}<br />
<br />
Restart Postfix and start forwarding mail.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Warning: "database /etc/postfix/*.db is older than source file .." ===<br />
<br />
If you get one or both warnings with {{ic|journalctl}}<br />
<br />
warning: database /etc/postfix/virtual.db is older than source file /etc/postfix/virtual<br />
warning: database /etc/postfix/transport.db is older than source file /etc/postfix/transport<br />
<br />
then you can fix it by using these commands depending on the messages you get<br />
<br />
postmap /etc/postfix/transport<br />
postmap /etc/postfix/virtual<br />
<br />
and restart {{ic|postfix.service}}<br />
<br />
== See also ==<br />
<br />
* [http://www.postfix.org/documentation.html Official documentation]<br />
* [https://help.ubuntu.com/community/Postfix Postfix Ubuntu documentation]<br />
* [http://linox.be/index.php/2005/07/13/44/ Out of Office] for Squirrelmail {{Dead link|2017|08|23}}</div>
Timeline.menu https://wiki.archlinux.org/index.php?title=Awesome&diff=584477 Awesome 2019-10-06T05:40:48Z<p>Timeline.menu: /* Added the "rule" code ,Point out where the toggle code is placed */</p>
<hr />
<div>{{Lowercase title}}<br />
[[Category:Dynamic WMs]]<br />
[[Category:Tiling WMs]]<br />
[[cs:Awesome]]<br />
[[es:Awesome]]<br />
[[fr:Awesome3]]<br />
[[it:Awesome]]<br />
[[ja:Awesome]]<br />
[[ko:Awesome]]<br />
[[ru:Awesome]]<br />
[[sv:Awesome]]<br />
[[zh-hans:Awesome]]<br />
{{Related articles start}}<br />
{{Related|Window manager}}<br />
{{Related|Comparison of tiling window managers}}<br />
{{Related|Desktop environment}}<br />
{{Related|Display manager}}<br />
{{Related|File manager functionality}}<br />
{{Related|Xdg-menu}}<br />
{{Related articles end}}<br />
From the [https://awesomewm.org/ awesome website]:<br />
<br />
:[[Wikipedia:awesome (window manager)|awesome]] is a highly configurable, next generation framework [[window manager]] for [[Xorg]]. It is very fast and extensible [..]. It is primarily targeted at power users, developers and any people dealing with every day computing tasks and who want to have fine-grained control on its graphical environment.<br />
<br />
== Installation ==<br />
<br />
[[Install]] the {{pkg|awesome}} package. The development version is {{AUR|awesome-git}}, which is considered unstable and may have a different configuration API.<br />
<br />
== Starting ==<br />
<br />
Run {{ic|awesome}} with [[xinit]]. To use the included [[xsession]] file, see [[Display manager]].<br />
<br />
=== KDM ===<br />
<br />
Create as root:<br />
<br />
{{hc|/usr/share/apps/kdm/sessions/awesome.desktop|2=<br />
[Desktop Entry]<br />
Name=Awesome<br />
Comment=Tiling Window Manager<br />
Type=Application<br />
Exec=/usr/bin/awesome<br />
TryExec=/usr/bin/awesome<br />
}}<br />
<br />
=== With GNOME ===<br />
<br />
You can set up [[GNOME]] to use awesome as the visual interface, but have GNOME work in the background. See [http://awesome.naquadah.org/wiki/Quickly_Setting_up_Awesome_with_Gnome awesome wiki]{{Dead link|2018|4|11}} for details.<br />
<br />
=== XFCE ===<br />
<br />
See [[Xfce#Use a different window manager]].<br />
<br />
== Configuration ==<br />
<br />
The lua based configuration file is at {{Ic|~/.config/awesome/rc.lua}}.<br />
<br />
=== Creating the configuration file ===<br />
<br />
First, run the following to create the directory needed in the next step:<br />
<br />
$ mkdir -p ~/.config/awesome/<br />
<br />
Whenever compiled, awesome will attempt to use whatever custom settings are contained in ~/.config/awesome/rc.lua. This file is not created by default, so we must copy the template file first:<br />
<br />
$ cp /etc/xdg/awesome/rc.lua ~/.config/awesome/<br />
<br />
The API for the configuration often changes when awesome updates, so repeat the command above when awesome behaves strangely after an update, or when you want to modify the configuration.<br />
<br />
For more information about configuring awesome, check out the [https://awesomewm.org/apidoc/documentation/90-FAQ.md.html#Configuration configuration section at awesome docs]<br />
<br />
==== Examples ====<br />
<br />
{{Note|The API for awesome configuration changes regularly, so you will likely have to modify any file you download.}}<br />
<br />
Some good examples of rc.lua would be as follows:<br />
<br />
* [https://github.com/setkeh/Awesome Setkeh's Awesome Configuration]<br />
* [http://awesome.naquadah.org/wiki/User_Configuration_Files Collection of user configurations on the awesome homepage]{{Dead link|2018|4|11}}<br />
* [https://github.com/copycat-killer/awesome-copycats User configuration that supports different themes, including a status bar]<br />
<br />
=== Extensions ===<br />
<br />
Several extensions are available for awesome:<br />
<br />
{| class="wikitable"<br />
! style="font-weight: bold;" | Extension<br />
! style="font-weight: bold;" | Functionality<br />
! style="font-weight: bold;" | Version<br />
|-<br />
|<br />
* [https://github.com/guotsuan/awesome-revelation Revelation]<br />
| Bring up a view of all opened clients<br />
| Awesome 3.5+<br />
|-<br />
|<br />
* [https://github.com/bioe007/awesome-shifty Shifty]<br />
| Dynamic tagging<br />
| Awesome 3.5<br />
|-<br />
|<br />
* [https://awesomewm.org/apidoc/libraries/naughty.html Naughty]<br />
| Pop-up notifications<br />
| Awesome 3.5+<br />
|-<br />
| <br />
* [https://github.com/vicious-widgets/vicious Vicious]<br />
* [https://github.com/hoelzro/obvious Obvious]<br />
* [https://code.google.com/archive/p/bashets/ Bashets]<br />
| Additional [https://awesomewm.org/recipes/ widgets]<br />
| Awesome 3.5<br />
|-<br />
|}<br />
<br />
=== Autostart ===<br />
<br />
To autorun programs, create a shell script via <br />
$ touch ~/.config/awesome/autorun.sh<br />
and make it executable by <br />
$ chmod +x ~/.config/awesome/autorun.sh<br />
Open {{ic|autorun.sh}} in an editor and insert the following:<br />
{{hc|head=.config/awesome/autorun.sh|output=<br />
#!/usr/bin/env bash<br />
<br />
function run {<br />
  if ! pgrep -f "$1" ; then<br />
    "$@" &<br />
  fi<br />
}<br />
}}<br />
<br />
To add programs to autostart, simply append {{ic|run program [some arguments]}} to {{ic|autorun.sh}}. The {{ic|run}} function checks whether there already is an instance of {{ic|program}} running and only runs {{ic|program}} if there is none. You can check your {{ic|autorun.sh}} by running it:<br />
<br />
$ ~/.config/awesome/autorun.sh<br />
<br />
If everything is fine, add the following line to your {{ic|rc.lua}}:<br />
<br />
{{hc|head=.config/awesome/rc.lua|output=<br />
...<br />
awful.spawn.with_shell("~/.config/awesome/autorun.sh")<br />
...<br />
}}<br />
<br />
=== Changing keyboard layout===<br />
There are multiple ways to configure keyboard layouts. In the default config, awesome already has the layout widget activated, but it will not show up until there is more than one layout to choose from. To set multiple layouts temporarily, run<br />
<br />
$ setxkbmap -layout "us,de"<br />
<br />
The awesome keyboard widget should appear, clicking on it should toggle the layout. If you want a keycombo to change the layout, you may append {{ic|-option "grp:alt_shift_toggle"}}. This for example will let you change the layout by pressing {{ic|Shift+Alt}}. So the complete command would be:<br />
<br />
$ setxkbmap -layout "us,de" -option "grp:alt_shift_toggle"<br />
<br />
Or you can use awesome itself to switch (from version 4). Add the following lines to the key bindings section of {{ic|rc.lua}}:<br />
<br />
awful.key({ "Shift" }, "Alt_L", function () mykeyboardlayout.next_layout() end),<br />
awful.key({ "Mod1" }, "Shift_L", function () mykeyboardlayout.next_layout() end),<br />
<br />
This requires you to set up the keyboard layouts you want to be able to switch between either by the setxkbmap command or in X configuration files.<br />
<br />
Once you've found the appropriate command to setup your layouts, add it to [[#Autostart]].<br />
<br />
Alternatively, see [[Keyboard configuration in Xorg]].<br />
<br />
=== Theming ===<br />
<br />
[https://awesomewm.org/apidoc/libraries/beautiful.html Beautiful] is a Lua library that lets you theme awesome from an external file, which makes it easy to dynamically change all of awesome's colours and the wallpaper without touching your {{ic|rc.lua}}.<br />
<br />
The default theme is at {{ic|/usr/share/awesome/themes/default}}. Copy it to {{ic|~/.config/awesome/themes/default}} and change {{ic|theme_path}} in {{ic|rc.lua}}. <br />
<br />
beautiful.init(awful.util.getdir("config") .. "/themes/default/theme.lua")<br />
<br />
See also [https://awesomewm.org/apidoc/libraries/beautiful.html] for additional theming options. To add a useless gap for example, add<br />
<br />
beautiful.useless_gap = 5<br />
<br />
At the bottom of the theming section in your {{ic|rc.lua}}.<br />
<br />
==== Wallpaper ====<br />
<br />
Beautiful can handle your wallpaper, thus you do not need to set it up in your {{ic|.xinitrc}} or {{ic|.xsession}} files. This allows you to have a specific wallpaper for each theme.<br />
<br />
With version 3.5, awesome no longer provides an awsetbg command; instead it has a gears module. You can set your wallpaper inside {{ic|theme.lua}} with<br />
<br />
theme.wallpaper = "~/.config/awesome/themes/awesome-wallpaper.png" <br />
<br />
To load the wallpaper, make sure your {{ic|rc.lua}} contains<br />
<br />
beautiful.init("~/.config/awesome/themes/default/theme.lua")<br />
for s = 1, screen.count() do<br />
gears.wallpaper.maximized(beautiful.wallpaper, s, true)<br />
end<br />
<br />
For a random background image, add [https://gist.github.com/anonymous/37f3b1c58d6616cab756] to {{ic|rc.lua}} (v3.5+). To automatically fetch images from a given directory use [https://gist.github.com/anonymous/9072154f03247ab6e28c] instead.<br />
<br />
To simply specify the wallpaper in your {{ic|rc.lua}}, add the following line to the theming section:<br />
<br />
beautiful.wallpaper = awful.util.get_configuration_dir() .. "path/to/wallpaper.png"<br />
<br />
The optional {{ic|awful.util.get_configuration_dir()}} simply returns the path to your {{ic|rc.lua}}.<br />
<br />
== Tips and tricks ==<br />
<br />
=== Hide / show wibox ===<br />
<br />
For awesome 4.0:<br />
<br />
awful.key({ modkey }, "b",<br />
    function ()<br />
        local myscreen = awful.screen.focused()<br />
        myscreen.mywibox.visible = not myscreen.mywibox.visible<br />
    end,<br />
    {description = "toggle statusbar"}<br />
),<br />
<br />
=== Screenshot ===<br />
<br />
See [[Extra keyboard keys]] to ensure the {{ic|PrtSc}} button is assigned correctly. Then install a [[Taking a screenshot|screen capturing program]] such as [[Taking a screenshot#scrot|scrot]].<br />
<br />
Add to the {{ic|globalkeys}} array:<br />
<br />
awful.key({ }, "Print", function () awful.util.spawn("scrot -e 'mv $f ~/screenshots/ 2>/dev/null'", false) end),<br />
<br />
This function saves screenshots inside {{ic|~/screenshots/}}, edit as needed.<br />
<br />
=== Removing window gaps ===<br />
<br />
As of awesome 3.4, it is possible to remove the small gaps between windows; in the ''awful.rules.rules'' table there is a ''properties'' section, add to it <br />
<br />
size_hints_honor = false<br />
<br />
=== Transparency ===<br />
<br />
See [[composite manager]].<br />
<br />
In awesome 3.5, window transparency can be set dynamically using signals. For example, {{ic|rc.lua}} could contain the following:<br />
<br />
client.connect_signal("focus", function(c)<br />
c.border_color = beautiful.border_focus<br />
c.opacity = 1<br />
end)<br />
client.connect_signal("unfocus", function(c)<br />
c.border_color = beautiful.border_normal<br />
c.opacity = 0.7<br />
end)<br />
<br />
==== Conky ====<br />
{{Merge|Conky}}<br />
<br />
If using conky, you must set it to create its own window instead of using the desktop. To do so, edit {{ic|~/.conkyrc}} to contain<br />
<br />
own_window yes<br />
own_window_transparent yes<br />
own_window_type desktop<br />
<br />
Otherwise strange behavior may be observed, such as all windows becoming fully transparent. Note also that since conky will be creating a transparent window on your desktop, any actions defined in awesome's {{ic|rc.lua}} for the desktop will not work where conky is.<br />
<br />
==== wiboxes ====<br />
<br />
As of Awesome 3.1, there is built-in pseudo-transparency for wiboxes. To enable it, append 2 hexadecimal digits to the colors in your theme file ({{ic|~/.config/awesome/themes/default}}, which is usually a copy of {{ic|/usr/share/awesome/themes/default}}), as shown here:<br />
<br />
theme.bg_normal = "#000000AA"<br />
<br />
where "AA" is the transparency value.<br />
<br />
To change transparency for the actual selected window by pressing {{ic|Modkey + PgUp/PgDown}} you can also use {{Pkg|transset-df}} and the following modification to your {{ic|rc.lua}}:<br />
<br />
globalkeys = awful.util.table.join(<br />
-- your keybindings<br />
[...]<br />
awful.key({ modkey }, "Next", function (c)<br />
awful.util.spawn("transset-df --actual --inc 0.1")<br />
end),<br />
awful.key({ modkey }, "Prior", function (c)<br />
awful.util.spawn("transset-df --actual --dec 0.1")<br />
end),<br />
-- Your other key bindings<br />
[...]<br />
)<br />
<br />
==== ImageMagick ====<br />
<br />
{{Merge|Composite manager}}<br />
<br />
You may have problems if you set your wallpaper with imagemagick's ''display'' command. It does not work well with xcompmgr. Please note that awsetbg may be using ''display'' if it does not have any other options. Installing habak, feh, hsetroot or whatever should fix the problem (''grep -A 1 wpsetters /usr/bin/awsetbg'' to see your options).<br />
<br />
=== Passing content to widgets with awesome-client ===<br />
<br />
You can easily send text to an awesome widget. Just create a new widget:<br />
<br />
mywidget = widget({ type = "textbox", name = "mywidget" })<br />
mywidget.text = "initial text"<br />
<br />
To update the text from an external source, use awesome-client:<br />
<br />
echo -e 'mywidget.text = "new text"' | awesome-client<br />
<br />
Do not forget to add the widget to your wibox.<br />
<br />
=== Using a different panel with awesome ===<br />
<br />
If you like awesome's lightweightness and functionality but do not like the way its default panel looks, you can install a different panel, for example {{Pkg|xfce4-panel}}.<br />
<br />
Then add it to the [[#Autostart|autorun section]] of your {{ic|rc.lua}}. You may also comment out the section which creates wiboxes for each screen (starting from {{ic|1=mywibox[s] = awful.wibox({ position = "top", screen = s })}}) but it is not necessary. Do not forget to check your {{ic|rc.lua}} for errors by typing:<br />
<br />
$ awesome -k rc.lua<br />
<br />
You should also change your {{ic|''modkey''+R}} keybinding to start some other application launcher instead of awesome's built-in one. See [[List of applications#Application launchers]] for examples. Do not forget to add:<br />
<br />
{{bc|<nowiki><br />
{ rule = { instance = "$yourapplicationlauncher" },<br />
  properties = { floating = true } },<br />
</nowiki>}}<br />
<br />
to your {{ic|rc.lua}}.<br />
<br />
=== Application directories in menubar ===<br />
<br />
{{Pkg|awesome}} includes [https://awesomewm.org/apidoc/libraries/menubar.html menubar]. By default, pressing {{ic|''Mod''+p}} will open a dmenu-like applications menu at the top of the screen. However, this menu only searches for {{ic|.desktop}} files in {{ic|/usr/share/applications}} and {{ic|/usr/local/share/applications}}. <br />
<br />
To change this, add the following line to {{ic|rc.lua}}, ideally, under ''Menubar configuration'':<br />
<br />
app_folders = { "/usr/share/applications/", "~/.local/share/applications/" }<br />
<br />
Note that the {{ic|.desktop}} files are re-read each time awesome starts, thereby slowing down the startup. If you prefer other means of launching programs, the menubar can be disabled in {{ic|rc.lua}} by removing {{ic|local menubar &#61; require("menubar")}} and other references to the {{ic|menubar}} variable.<br />
<br />
=== Pop-up menus ===<br />
<br />
{{Style|Duplicate section?}}<br />
<br />
There is a simple menu by default in awesome 3, simplifying custom menus. [https://awesomewm.org/apidoc/libraries/awful.menu.html] If you want a freedesktop.org menu, you could take a look at ''[https://github.com/copycat-killer/awesome-freedesktop awesome-freedesktop]''.<br />
<br />
=== Applications menu ===<br />
<br />
If you prefer to see a more traditional applications menu when you click on the Awesome icon, or right-click on an empty area of the desktop, you can follow the instructions in [[Xdg-menu#Awesome]]. However this menu is not updated when you add or remove programs. So, be sure to run the command to update your menu. It may look something like:<br />
<br />
xdg_menu --format awesome --root-menu /etc/xdg/menus/arch-applications.menu >~/.config/awesome/archmenu.lua<br />
<br />
=== Titlebars ===<br />
<br />
Titlebars can be enabled by setting the {{ic|titlebars_enabled}} property to true in the rules section of the configuration file:<br />
<br />
{ rule_any = { type = { "normal", "dialog" } },<br />
  properties = { titlebars_enabled = true }<br />
},<br />
<br />
<br />
However, you may want to toggle the titlebar on or off. You can do this by adding something like the following to your key bindings, in the {{ic|clientkeys}} table of the key bindings section (do not put it at the very end of the {{ic|clientkeys}} table):<br />
<br />
-- working toggle titlebar<br />
awful.key({ modkey, "Control" }, "t", function (c) awful.titlebar.toggle(c) end, <br />
{description = "Show/Hide Titlebars", group="client"}),<br />
<br />
<br />
Then you may want to initially hide the titlebars. To do that just add this immediately after the title bar is created:<br />
<br />
awful.titlebar.hide(c)<br />
<br />
=== Battery notification ===<br />
<br />
See [http://bpdp.blogspot.be/2013/06/battery-warning-notification-for.html this blog post] for a simple battery notification to add to {{ic|rc.lua}}. Note that it needs ''naughty'' for the notifications (installed by default in version 3.5). Other examples are available at [https://awesomewm.org/recipes/ awesome wiki].<br />
<br />
4/10/2018: The above mentioned wiki no longer exists. [https://www.reddit.com/r/awesomewm/comments/5k9vob/what_happened_to_the_wiki/ (Reddit comment: What happened to the wiki?)]<br />
<br />
From the linked Reddit comment:<br />
<br />
'''Workaround:'''<br />
<br />
For those still interested in its content: [https://github.com/gutierri/awesomewm-wiki-dump/tree/master/markdown https://github.com/gutierri/awesomewm-wiki-dump/tree/master/markdown] has a partial markdown conversion of the old wiki (and the raw dump in xml format too).<br />
<br />
[https://github.com/gutierri/awesomewm-wiki-dump/blob/master/markdown/Acpitools-based_battery_widget.md Here] is the only Battery widget from the partial wiki. It is based on [[ACPI_modules|ACPI]] and written for version 3.5. I am not reproducing it here because there may be additional steps to get it working.<br />
<br />
<br />
'''NOTE: This partial wiki only covers versions up to 3.x'''<br />
<br />
=== Media Controls ===<br />
<br />
It is possible to control both volume and media playback via a combination of amixer (available via the {{pkg|alsa-utils}} package) and {{Pkg|playerctl}}. The following can be added to the relevant key binding section of your rc.lua configuration file:<br />
<br />
-- Volume Keys<br />
awful.key({}, "XF86AudioLowerVolume", function ()<br />
awful.util.spawn("amixer -q -D pulse sset Master 5%-", false)<br />
end),<br />
awful.key({}, "XF86AudioRaiseVolume", function ()<br />
awful.util.spawn("amixer -q -D pulse sset Master 5%+", false)<br />
end),<br />
awful.key({}, "XF86AudioMute", function ()<br />
awful.util.spawn("amixer -D pulse set Master 1+ toggle", false)<br />
end),<br />
-- Media Keys<br />
awful.key({}, "XF86AudioPlay", function()<br />
awful.util.spawn("playerctl play-pause", false)<br />
end),<br />
awful.key({}, "XF86AudioNext", function()<br />
awful.util.spawn("playerctl next", false)<br />
end),<br />
awful.key({}, "XF86AudioPrev", function()<br />
awful.util.spawn("playerctl previous", false)<br />
end),<br />
<br />
=== Steam Keyboard ===<br />
<br />
The on-screen Steam Keyboard that can be activated by the [[Steam Controller]] appears to freeze after typing one character. This is because the client that is supposed to receive the input has to be focused to receive it, and the keyboard waits until this input is successfully sent. Manually focusing another client sends the input to that client and unfreezes the keyboard again until the next character is entered.<br />
<br />
The trick to getting the keyboard to work correctly is to prevent it ever receiving focus. Add the following signal to your config (or merge with an existing client focus signal):<br />
<br />
client.connect_signal("focus", function(c)<br />
if awful.rules.match(c, { name = "^Steam Keyboard$" }) then<br />
awful.client.focus.history.previous()<br />
end<br />
end)<br />
<br />
This will return the focus to the last client whenever the keyboard receives focus. As the input to the keyboard is handled by the [[Steam]] client and as such doesn't need focus, inputting text will now work correctly.<br />
<br />
==Troubleshooting==<br />
<br />
=== Debugging rc.lua ===<br />
<br />
{{Pkg|xorg-server-xephyr}} allows you to run X nested in another X's client window. This allows you to debug rc.lua without breaking your current desktop. Start by copying rc.lua to a new file (e.g. rc.lua.new) and modify it as needed. Then run a new instance of awesome in Xephyr, supplying rc.lua.new as the configuration file like this:<br />
<br />
$ Xephyr :1 -ac -br -noreset -screen 1152x720 &<br />
$ DISPLAY=:1.0 awesome -c ~/.config/awesome/rc.lua.new<br />
<br />
The advantage of this approach is that if you introduce bugs you do not break your current awesome desktop, potentially crashing X apps and losing work. Once you are happy with the new configuration, copy rc.lua.new to rc.lua and restart awesome.<br />
<br />
==== awmtt ====<br />
<br />
{{AUR|awmtt}} (Awesome WM Testing Tool) is an easy to use wrapper script around Xephyr. By default, it will use ~/.config/awesome/rc.lua.test. If it cannot find that test file, it will use your actual rc.lua. You can also specify the location of the configuration file you want to test:<br />
<br />
$ awmtt start -C ~/.config/awesome/rc.lua.new<br />
<br />
When you are done testing, close the window with:<br />
<br />
$ awmtt stop<br />
<br />
Or immediately see the changes you are doing to the configuration file by issuing:<br />
<br />
$ awmtt restart<br />
<br />
=== Log Files ===<br />
<br />
If you are using [[LightDM]], awesome will log errors to {{ic|$HOME/.xsession-errors}}. If you use {{ic|.xinitrc}} to start awesome, the entry "Where are logs, error messages or something?" in [https://awesomewm.org/apidoc/documentation/90-FAQ.md.html the FAQ] may be a helpful resource.<br />
<br />
=== Mod4 key ===<br />
<br />
{{Merge|Configuring_keyboard_layouts_in_X}}<br />
<br />
Awesome recommends remapping {{ic|mod4}}, which by default should be the '''Win key'''. If for some reason it is not mapped to {{ic|mod4}}, use [[xmodmap]] to find out what is. To change the mapping, use {{ic|xev}} to find the keycode and name of the key to be mapped. Then add something like the following to {{ic|~/.xinitrc}}:<br />
<br />
xmodmap -e "keycode 115 = Super_L" -e "add mod4 = Super_L"<br />
exec awesome<br />
<br />
The problem in this case is that some xorg installations recognize keycode 115, but incorrectly as the 'Select' key. The above command explicitly remaps keycode 115 to the correct 'Super_L' key.<br />
<br />
To remap {{ic|mod4}} with {{ic|setxkbmap}} (which conflicts with {{ic|xmodmap}}), see:<br />
<br />
tail -50 /usr/share/X11/xkb/rules/evdev<br />
<br />
To set the caps lock key as {{ic|mod4}} add the following to {{ic|~/.xinitrc}}:<br />
<br />
setxkbmap -option caps:hyper<br />
<br />
==== Mod4 key vs. IBM ThinkPad users ====<br />
<br />
{{Style|Duplicate section}}<br />
<br />
IBM ThinkPads, IBM Model M's and Chromebooks do not come equipped with a Windows key (although Lenovo have changed this tradition on their ThinkPads). As of writing, the Alt key is not used in command combinations by the default rc.lua (refer to the Awesome wiki for a table of commands), which allows it to be used as a replacement for the Super/Mod4/Win key. To do this, edit your rc.lua and replace:<br />
<br />
modkey = "Mod4"<br />
<br />
by:<br />
<br />
modkey = "Mod1"<br />
<br />
Note: Awesome does have a few commands that make use of Mod4 plus a single letter. Changing Mod4 to Mod1/Alt could cause overlaps for some key combinations. The small number of instances where this happens can be changed in the rc.lua file.<br />
<br />
If you have a Chromebook or do not want to change the Awesome defaults, you might prefer to remap a key. For instance, the caps lock key is rather useless (for me); adding the following to ~/.Xmodmap<br />
<br />
clear lock<br />
add mod4 = Caps_Lock<br />
<br />
and run {{ic|xmodmap ~/.Xmodmap}} to (re)load the file.<br />
This will change the caps lock key into the mod4 key and works nicely with the standard awesome settings. In addition, if needed, it provides the mod4 key to other X-programs as well.<br />
<br />
Recent updates of xorg-related packages break the remapping above; the second line can be replaced by (tested on a DasKeyboard and an IBM Model M with xorg-server 1.14.5-2):<br />
<br />
keysym Caps_Lock = Super_L Caps_Lock<br />
<br />
=== Fix Java (GUI appears gray only) ===<br />
<br />
{{Merge|Java}}<br />
<br />
See [http://awesome.naquadah.org/wiki/Problems_with_Java awesome wiki]{{Dead link|2018|4|11}} and [https://bbs.archlinux.org/viewtopic.php?pid=450870].<br />
<br />
=== Eclipse: cannot resize/move main window ===<br />
<br />
If you get stuck and cannot move or resize the main window (using mod4 + left/right mouse button), edit {{ic|workbench.xml}}, set fullscreen/maximized to false (if set) and reduce the width and height to values smaller than your single-screen desktop area.<br />
<br />
{{ic|workbench.xml}} can be found in {{ic|''eclipse_workspace''/.metadata/.plugins/org.eclipse.ui.workbench/}}. Edit the line:<br />
<br />
<window height&#61;"xx" maximized&#61;"true" width&#61;"xx" x&#61;"xx" y&#61;"xx"<br />
<br />
=== Netbeans: code-prediction appears on wrong screen ===<br />
<br />
If you have two displays and use code-prediction (Ctrl + Space) in Netbeans, the code-predictions might appear on the wrong screen.<br />
This fixed it for me:<br />
{{hc|head=.config/awesome/rc.lua|output=<br />
awful.rules.rules = {<br />
...<br />
{<br />
rule_any = { -- Fix Netbeans; rule_any matches when any listed class or name matches<br />
class = {<br />
"sun-awt-X11-XWindowPeer", "NetBeans IDE 8.2"<br />
},<br />
name = {<br />
"win1"<br />
}<br />
}, properties = { screen = 1 } -- even with screen 1 here, this still works on the second screen, too (don't know why).<br />
},<br />
...<br />
<br />
}<br />
}}<br />
<br />
=== IntelliJ: menus appear on incorrect position, some windows don't open ===<br />
<br />
See [https://github.com/awesomeWM/awesome/issues/2204 GitHub issue #2204].<br />
<br />
This fixed it for me:<br />
{{hc|head=.config/awesome/rc.lua|output=<br />
clientbuttons_jetbrains = gears.table.join(<br />
awful.button({ modkey }, 1, awful.mouse.client.move),<br />
awful.button({ modkey }, 3, awful.mouse.client.resize)<br />
)<br />
<br />
...<br />
<br />
awful.rules.rules = {<br />
...<br />
{<br />
rule = {<br />
class = "jetbrains-.*",<br />
}, properties = { focus = true, buttons = clientbuttons_jetbrains }<br />
},<br />
{<br />
rule = {<br />
class = "jetbrains-.*",<br />
name = "win.*"<br />
}, properties = { titlebars_enabled = false, focusable = false, focus = true, floating = true, placement = awful.placement.restore }<br />
},<br />
...<br />
}<br />
}}<br />
<br />
=== scrot: Cannot take a mouse selected screenshot with keyboard shortcuts===<br />
<br />
When using [[w:Scrot|scrot]], you may have problems assigning a keyboard shortcut to the mouse selection option ({{ic|scrot -s}}). To fix it, add the following line to your {{ic|rc.lua}}:<br />
<br />
awful.key( { modkey, }, <shortcut>, nil, function () awful.spawn("scrot -s") end)<br />
<br />
Note that {{ic|nil}} is passed to the {{ic|press}} argument of {{ic|awful.key}}. Instead, the callback function is passed as fourth argument, which is the argument named {{ic|release}}.<br />
<br />
=== YouTube: fullscreen appears in background ===<br />
<br />
If YouTube videos appear underneath your web browser when in fullscreen mode, or underneath the panel with the controls hidden, add this to {{ic|rc.lua}}:<br />
<br />
{ rule = { instance = "plugin-container" },<br />
properties = { floating = true } },<br />
<br />
With Chromium add<br />
<br />
{ rule = { instance = "exe" },<br />
properties = { floating = true } },<br />
<br />
or:<br />
<br />
{ rule = { role = "_NET_WM_STATE_FULLSCREEN" },<br />
properties = { floating = true } },<br />
<br />
See [https://bbs.archlinux.org/viewtopic.php?pid=1085494#p1085494].<br />
<br />
=== Prevent the mouse scroll wheel from changing tags ===<br />
In your rc.lua, change the Mouse Bindings section to the following:<br />
-- {{{ Mouse bindings<br />
root.buttons(awful.util.table.join(<br />
awful.button({ }, 3, function () mymainmenu:toggle() end)))<br />
-- }}}<br />
<br />
=== Starting console clients on specific tags ===<br />
<br />
{{Accuracy|Useless without reasoning, probably related to instance names}}<br />
<br />
It does not work when the console application is invoked from a GTK terminal (e.g. LXTerminal). [[URxvt]] is known to work.<br />
<br />
=== Duplicate menu-entries generated by Xdg-menu ===<br />
<br />
Xdg-menu will generate duplicate entries if you copy desktop files from /usr/share/applications to ~/.local/share/applications, even though the intent is usually just to override the originals, for example to use a different theme for a specific application. One solution is to filter the generated output through awk to remove entries whose name is identical to the previous entry.<br />
<br />
xdg_menu --format awesome --root-menu /etc/xdg/menus/arch-applications.menu | awk -F, '{if (a!=$1) print $0; a=$1}' >~/.config/awesome/archmenu.lua<br />
<br />
=== Some shortcuts not working in Xfce4: overlapping keys ===<br />
Check your<br />
$ xfce4-keyboard-settings<br />
<br />
for overlapping keys like "Super L" or key combinations that should be handled by Awesome.<br />
<br />
== See also ==<br />
<br />
* https://awesomewm.org/apidoc/documentation/90-FAQ.md.html - FAQ<br />
* http://www.lua.org/pil/ - Programming in Lua (first edition)<br />
* https://awesomewm.org/ - The official awesome website<br />
* https://bbs.archlinux.org/viewtopic.php?id=88926 - share your awesome!</div>Timeline.menuhttps://wiki.archlinux.org/index.php?title=Awesome_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)&diff=584476Awesome (简体中文)2019-10-06T05:32:12Z<p>Timeline.menu: /* Added the rule code and explained where to place the toggle code */</p>
<hr />
<div>{{Lowercase title}}<br />
[[Category:Dynamic WMs (简体中文)]]<br />
[[cs:Awesome]]<br />
[[en:Awesome]]<br />
[[es:Awesome]]<br />
[[fr:Awesome3]]<br />
[[it:Awesome]]<br />
[[ja:Awesome]]<br />
[[ko:Awesome]]<br />
[[ru:Awesome]]<br />
[[sv:Awesome]]<br />
{{TranslationStatus (简体中文)|Awesome|2014-8-12|329002}}<br />
<br />
<br />
From the [[Wikipedia:awesome (window manager)|awesome]] website:<br />
<br />
''[http://awesome.naquadah.org/ Awesome] is a highly configurable, next-generation window manager for X. It is very fast, extensible and released under the GPLv2.''<br />
<br />
''It is primarily aimed at power users, developers and anyone who wants fine-grained control over their graphical environment.''<br />
<br />
This article covers installing, using, configuring and customizing the awesome window manager.<br />
<br />
==Installation==<br />
<br />
[[pacman (简体中文)|Install]] the {{Pkg|awesome}} package from the [[官方软件仓库|official repositories]].<br />
<br />
If you are interested in the unstable development version, install {{AUR|awesome-git}} from the [[AUR]]. Note, however, that it is an unstable development build and its configuration file syntax differs.<br />
<br />
==Using Awesome==<br />
<br />
===Without a display manager===<br />
<br />
To run awesome without a display manager, add '''{{Ic|exec awesome}}''' to your startup script (e.g. ~/.xinitrc). See [[xinitrc]] for details.<br />
<br />
You can also start Awesome as a preset user without logging in manually at all; see [[Start X at login]].<br />
<br />
=== With a display manager ===<br />
To start awesome from a display manager, see [[Display manager (简体中文)|here]].<br />
<br />
==== GDM, LightDM and other managers that use /usr/share/xsessions/ ====<br />
<br />
Awesome automatically installs a session file for these display managers; nothing else is needed to select Awesome at login.<br />
<br />
==== KDM ====<br />
<br />
Create as root:<br />
{{hc|/usr/share/apps/kdm/sessions/awesome.desktop|2=<br />
[Desktop Entry]<br />
Name=Awesome<br />
Comment=Tiling Window Manager<br />
Type=Application<br />
Exec=/usr/bin/awesome<br />
TryExec=/usr/bin/awesome<br />
}}<br />
<br />
==Configuration==<br />
Awesome's default configuration is already quite good, but sooner or later you will want to make some changes. The configuration file is a Lua script: {{ic|~/.config/awesome/rc.lua}}.<br />
<br />
===Creating the configuration file===<br />
Create the directory that holds the configuration file:<br />
$ mkdir -p ~/.config/awesome/<br />
<br />
Awesome automatically uses everything in ~/.config/awesome/rc.lua. This file is not created automatically, so first copy the template:<br />
$ cp /etc/xdg/awesome/rc.lua ~/.config/awesome<br />
<br />
The configuration file syntax changes between Awesome versions, so if you run into problems after an upgrade, repeat the steps above or edit the configuration file by hand.<br />
<br />
For more information on configuring Awesome, see the [http://awesome.naquadah.org/wiki/Awesome_3_configuration configuration section of the Awesome wiki].<br />
<br />
===More configuration resources===<br />
{{Note|The Awesome configuration syntax changes from time to time, so you may have to adapt downloaded configuration files by hand.}}<br />
<br />
Some good rc.lua examples can be found at the following sites:<br />
<br />
* http://git.sysphere.org/awesome-configs/tree/ - Adrian C's (anrxc) Awesome 3.4 configuration.<br />
* http://pastebin.com/f6e4b064e - Darthlukan's Awesome 3.4 configuration.<br />
* http://www.calmar.ws/dotfiles/dotfiledir/dot_awesomerc.lua<br />
* http://oxmoz.no-ip.org/awesome/rc.lua<br />
* http://www.ugolnik.info/downloads/awesome/rc.lua (screen) - Awesome 3 configuration with small titlebars and a statusbar.<br />
* http://github.com/wolgri/wolgri.config/tree/master/.config/awesome/rc.lua<br />
* http://github.com/bash/dotfiles/blob/master/.config/awesome/rc.lua<br />
* http://github.com/nblock/config/blob/master/.config/awesome/rc.lua<br />
* https://github.com/setkeh/Awesome-3.5 - [[User:Setkeh|Setkeh]]'s Awesome 3.5 configuration.<br />
* http://awesome.naquadah.org/wiki/User_Configuration_Files - Collection of user configurations on the awesome homepage.<br />
<br />
=== Debugging rc.lua ===<br />
<br />
==== Using Xephyr ====<br />
<br />
This method lets you test rc.lua without breaking your current desktop. First copy rc.lua to a new file, rc.lua.new, and make your changes there. Then run the new rc.lua in [[Xephyr (简体中文)|Xephyr]], which nests a new X server inside a window of your running X session ([http://www.dante4d.cz/pub/screenie/2009-08-01-025216_1920x1200_scrot.png screenshot]). You can test your new rc.lua like this:<br />
<br />
$ Xephyr -ac -br -noreset -screen 1152x720 :1 &<br />
$ DISPLAY=:1.0 awesome -c ~/.config/awesome/rc.lua.new<br />
<br />
The big advantage of this approach is that if you break rc.lua.new, you do not wreck your current Awesome desktop (which could also crash X and lose any unsaved work). Once you are happy with the new configuration, replace rc.lua with rc.lua.new and restart Awesome.<br />
<br />
==== Using awmtt ====<br />
<br />
{{AUR|awmtt}} (Awesome WM Testing Tool) is an easy to use script built around Xephyr. By default it tests {{ic|~/.config/awesome/rc.lua.test}}. If that file does not exist, it tests the rc.lua currently in use. You can also specify the path of the configuration file to test:<br />
<br />
$ awmtt start -C ~/.config/awesome/rc.lua.new<br />
<br />
When you are done testing, close the window with:<br />
<br />
$ awmtt stop<br />
<br />
Or see the changes to the configuration file immediately with:<br />
$ awmtt restart<br />
<br />
=== Changing the keyboard layout ===<br />
<br />
If you need a different keyboard layout [qwerty -> dvorak], there are two ways.<br />
* The first is to change the Awesome configuration as described [http://awesome.naquadah.org/wiki/Change_keyboard_maps#Display.2Fchange_keyboard_map here] on the Awesome wiki<br />
* The second is to change the keyboard layout in the [[Keyboard_configuration_in_Xorg#Using_X_configuration_files|xorg settings]]<br />
<br />
==Themes==<br />
<br />
[http://awesome.naquadah.org/wiki/Beautiful Beautiful] lets you change the wallpaper and color theme dynamically without touching {{ic|rc.lua}}.<br />
<br />
The default theme file is in {{ic|/usr/share/awesome/themes/default}}. Copy it to {{ic|~/.config/awesome/themes/default}} and then adjust the {{ic|theme_path}} in {{ic|rc.lua}}:<br />
beautiful.init(awful.util.getdir("config") .. "/themes/default/theme.lua")<br />
<br />
See [http://awesome.naquadah.org/wiki/Beautiful here] for more details.<br />
<br />
Some sample [http://awesome.naquadah.org/wiki/Beautiful_themes themes].<br />
<br />
===Setting the wallpaper===<br />
<br />
Beautiful can set the wallpaper, so you do not have to set it yourself in {{ic|.xinitrc}} or {{ic|.xsession}}. This lets you pair each theme with its own wallpaper.<br />
<br />
====version >= 3.5====<br />
<br />
Awesome 3.5 no longer ships the awsetbg command, but provides a module called gears instead. You can set your wallpaper in {{ic|theme.lua}} with the following line.<br />
<br />
theme.wallpaper = "~/.config/awesome/themes/awesome-wallpaper.png" <br />
<br />
To load the wallpaper, make sure your {{ic|rc.lua}} contains the following code:<br />
<br />
beautiful.init("~/.config/awesome/themes/default/theme.lua")<br />
for s = 1, screen.count() do<br />
gears.wallpaper.maximized(beautiful.wallpaper, s, true)<br />
end<br />
<br />
====Random wallpaper====<br />
Add the following code to your {{ic|rc.lua}} (for awesome >= 3.5):<br />
{{bc|1=<br />
-- configuration - edit to your liking<br />
wp_index = 1<br />
wp_timeout = 10<br />
wp_path = "/path/to/wallpapers/"<br />
wp_files = { "01.jpg", "02.jpg", "03.jpg" }<br />
<br />
-- setup the timer<br />
wp_timer = timer { timeout = wp_timeout }<br />
wp_timer:connect_signal("timeout", function()<br />
<br />
-- set wallpaper to current index for all screens<br />
for s = 1, screen.count() do<br />
gears.wallpaper.maximized(wp_path .. wp_files[wp_index], s, true)<br />
end<br />
<br />
-- stop the timer (we don't need multiple instances running at the same time)<br />
wp_timer:stop()<br />
<br />
-- get next random index<br />
wp_index = math.random( 1, #wp_files)<br />
<br />
--restart the timer<br />
wp_timer.timeout = wp_timeout<br />
wp_timer:start()<br />
end)<br />
<br />
-- initial start when rc.lua is first run<br />
wp_timer:start()<br />
}}<br />
<br />
To pick up images automatically from a given directory, add the following code to your {{ic|rc.lua}} (for awesome >= 3.5):<br />
{{bc|1=<br />
-- {{{ Function definitions<br />
<br />
-- scan directory, and optionally filter outputs<br />
function scandir(directory, filter)<br />
local i, t, popen = 0, {}, io.popen<br />
if not filter then<br />
filter = function(s) return true end<br />
end<br />
-- the directory name is spliced into a shell command, so it must not contain double quotes<br />
for filename in popen('ls -a "'..directory..'"'):lines() do<br />
if filter(filename) then<br />
i = i + 1<br />
t[i] = filename<br />
end<br />
end<br />
return t<br />
end<br />
<br />
-- }}}<br />
<br />
-- configuration - edit to your liking<br />
wp_index = 1<br />
wp_timeout = 10<br />
wp_path = "/path/to/wallpapers/"<br />
wp_filter = function(s) return string.match(s,"%.png$") or string.match(s,"%.jpg$") end<br />
wp_files = scandir(wp_path, wp_filter)<br />
<br />
-- setup the timer<br />
wp_timer = timer { timeout = wp_timeout }<br />
wp_timer:connect_signal("timeout", function()<br />
<br />
-- set wallpaper to current index for all screens<br />
for s = 1, screen.count() do<br />
gears.wallpaper.maximized(wp_path .. wp_files[wp_index], s, true)<br />
end<br />
<br />
-- stop the timer (we don't need multiple instances running at the same time)<br />
wp_timer:stop()<br />
<br />
-- get next random index<br />
wp_index = math.random( 1, #wp_files)<br />
<br />
--restart the timer<br />
wp_timer.timeout = wp_timeout<br />
wp_timer:start()<br />
end)<br />
<br />
-- initial start when rc.lua is first run<br />
wp_timer:start()<br />
}}<br />
<br />
To rotate wallpapers randomly, comment out the {{ic|wallpaper_cmd}} line and add the following to your {{ic|.xinitrc}} (for awesome <= 3.4):<br />
{{bc|<br />
while true;<br />
do<br />
awsetbg -r <path/to/the/directory/of/your/wallpapers><br />
sleep 15m<br />
done &<br />
}}<br />
<br />
==Tips and tricks==<br />
If you have a trick of your own to share, feel free to add it.<br />
<br />
===Using awesome as the GNOME window manager===<br />
GNOME has the advantage of working out of the box, and you can keep using GNOME while replacing its window manager with awesome. If you use GNOME 3, install the {{AUR|awesome-gnome}} package and select "Awesome GNOME" when logging in with GDM. See the [http://awesome.naquadah.org/wiki/Quickly_Setting_up_Awesome_with_Gnome awesome wiki] for details.<br />
<br />
===Compiz-like tiled desktop overview===<br />
<br />
Revelation shows all your open clients; left-clicking a client jumps to the first tag it is on and focuses it. Pressing Enter jumps to the currently focused client and pressing Esc exits. See [http://awesome.naquadah.org/wiki/Revelation] for more.<br />
<br />
===Show/hide the wibox in awesome 3===<br />
<br />
To hide/show the default statusbar on the current screen with Modkey-b (the default behaviour in Awesome 2.3), add the following to the globalkeys variable in rc.lua:<br />
<br />
awful.key({ modkey }, "b", function ()<br />
mywibox[mouse.screen].visible = not mywibox[mouse.screen].visible<br />
end),<br />
<br />
===Screenshots===<br />
<br />
To take screenshots with the PrtScn key in awesome you need an external screenshot tool. Scrot, from the Arch repositories, is a simple tool that does the job.<br />
<br />
Just run:<br />
# pacman -S scrot<br />
<br />
Install the optional dependencies too if you find them useful.<br />
<br />
Next you need the key name of the PrtScr key. If you are not sure, it is usually "Print".<br />
<br />
Run in a terminal:<br />
# xev<br />
<br />
then press the PrtScr key; output similar to the following will appear:<br />
KeyPress event ....<br />
root 0x25c, subw 0x0, ...<br />
state 0x0, keycode 107 (keysym 0xff61, '''Print'''), same_screen YES,<br />
....<br />
<br />
As expected, the key name is "Print".<br />
<br />
Now on to configuring awesome!<br />
<br />
Add the following to the global key table in the configuration file (anywhere in it) and save:<br />
<br />
Lua code:<br />
<br />
awful.key({ }, "Print", function () awful.util.spawn("scrot -e 'mv $f ~/screenshots/ 2>/dev/null'") end),<br />
<br />
Here ~/screenshots/ can be changed to wherever you want screenshots saved.<br />
<br />
===Dynamic tagging===<br />
<br />
[http://awesome.naquadah.org/wiki/Eminent Eminent] is a small Lua library that extends awful and provides simple, fast, wmii-like dynamic tagging. Unlike shifty, eminent does not aim to provide a complete tagging system; instead it tries to make dynamic tagging as simple as possible. Apart from requiring the eminent library, you do not need to change anything in rc.lua; eminent takes care of everything.<br />
<br />
[http://awesome.naquadah.org/wiki/Shifty Shifty] is an Awesome 3 extension that implements dynamic tagging. It also provides a configuration system that gives you full control of your desktop by setting a few variables and key bindings!<br />
<br />
===Space Invaders===<br />
[http://awesome.naquadah.org/wiki/Space_Invaders Space Invaders] is a demo that shows off the endless possibilities of the Awesome Lua API.<br />
<br />
Note that it has no longer been included in the Awesome package since version 3.4-rc1.<br />
<br />
===Naughty popup notifications===<br />
See the [http://awesome.naquadah.org/wiki/Naughty naughty page on the Awesome wiki].<br />
<br />
===Popup menu===<br />
This is the default simple menu of awesome 3, and it looks easy to customize. If you are using awesome 2.x, however, see ''[http://awesome.naquadah.org/wiki/Awful.menu awful.menu]''.<br />
<br />
If you want a freedesktop.org menu, see ''[https://github.com/terceiro/awesome-freedesktop awesome-freedesktop]''.<br />
<br />
A sample awesome 3 menu configuration:<br />
{{bc|1=<br />
myawesomemenu = {<br />
{ "lock", "xscreensaver-command -activate" },<br />
{ "manual", terminal .. " -e man awesome" },<br />
{ "edit config", editor_cmd .. " " .. awful.util.getdir("config") .. "/rc.lua" },<br />
{ "restart", awesome.restart },<br />
{ "quit", awesome.quit }<br />
}<br />
<br />
mycommons = {<br />
{ "pidgin", "pidgin" },<br />
{ "OpenOffice", "soffice-dev" },<br />
{ "Graphic", "gimp" }<br />
}<br />
<br />
mymainmenu = awful.menu.new({ items = { <br />
{ "terminal", terminal },<br />
{ "icecat", "icecat" },<br />
{ "Editor", "gvim" },<br />
{ "File Manager", "pcmanfm" },<br />
{ "VirtualBox", "VirtualBox" },<br />
{ "Common App", mycommons, beautiful.awesome_icon },<br />
{ "awesome", myawesomemenu, beautiful.awesome_icon }<br />
}<br />
})<br />
}}<br />
<br />
===More widgets for Awesome===<br />
''Widgets in awesome are objects you can add to any widget box (statusbars and titlebars). They provide various information about your system and let you see that information directly in your window manager. Widgets are simple and very flexible.'' -- from [http://awesome.naquadah.org/wiki/Widgets_in_awesome Awesome Wiki: Widgets].<br />
<br />
A widely used widget library is '''Wicked''' (compatible only with Awesome '''before 3.4'''), which provides additional widgets such as an MPD widget, CPU usage, memory usage and so on. See [http://awesome.naquadah.org/wiki/Wicked Wicked] for details.<br />
<br />
In Awesome 3.4, Wicked is replaced by '''[http://awesome.naquadah.org/wiki/Vicious Vicious]''', '''[http://awesome.naquadah.org/wiki/Obvious Obvious]''' and '''[http://awesome.naquadah.org/wiki/Bashets Bashets]'''. If you choose vicious, you should also read the [http://git.sysphere.org/vicious/tree/README vicious documentation].<br />
<br />
===Transparency===<br />
{{out of date|Awesome 3.5 has been released and the add_signal API has been renamed to connect_signal}}<br />
Awesome has support for true transparency through xcompmgr. Note that you'll probably want the git version of xcompmgr, which is [https://aur.archlinux.org/packages.php?ID=16554 available in AUR]. <br />
<br />
Add this to your ~/.xinitrc:<br />
xcompmgr &<br />
See ''man xcompmgr'' or [[xcompmgr]] for more options.<br />
<br />
In awesome 3.4, window transparency can be set dynamically using signals. For example, your rc.lua could contain the following:<br />
<br />
client.add_signal("focus", function(c)<br />
c.border_color = beautiful.border_focus<br />
c.opacity = 1<br />
end)<br />
client.add_signal("unfocus", function(c)<br />
c.border_color = beautiful.border_normal<br />
c.opacity = 0.7<br />
end)<br />
'''If you get error messages about add_signal, use connect_signal instead.'''<br />
<br />
Note that if you are using conky, you must set it to create its own window instead of using the desktop. To do so, edit ~/.conkyrc to contain:<br />
<br />
own_window yes<br />
own_window_transparent yes<br />
own_window_type desktop<br />
<br />
Otherwise strange behavior may be observed, such as all windows becoming fully transparent. Note also that since conky will be creating a transparent window on your desktop, any actions defined in awesome's rc.lua for the desktop will not work where conky is.<br />
<br />
As of Awesome 3.1, there is built-in pseudo-transparency for wiboxes. To enable it, append 2 hexadecimal digits to the colors in your theme file (~/.config/awesome/themes/default, which is usually a copy of /usr/share/awesome/themes/default), like shown here:<br />
<br />
bg_normal = #000000AA<br />
<br />
where "AA" is the transparency value.<br />
<br />
To change the transparency of the currently selected window by pressing Modkey + PageUp/PageDown you can also use transset-df, available from the community package repository, with the following modification to your rc.lua:<br />
<br />
globalkeys = awful.util.table.join(<br />
-- your keybindings<br />
[...]<br />
awful.key({ modkey }, "Next", function (c)<br />
awful.util.spawn("transset-df --actual --inc 0.1")<br />
end),<br />
awful.key({ modkey }, "Prior", function (c)<br />
awful.util.spawn("transset-df --actual --dec 0.1")<br />
end),<br />
-- Your other key bindings<br />
[...]<br />
)<br />
<br />
==== ImageMagick ====<br />
If you set your wallpaper with ImageMagick's ''display'' command, you may find that xcompmgr does not work well. Note that awsetbg may fall back to ''display'' if it has no other option. Installing habak, feh, hsetroot or another such package should fix the problem.<br />
(Run ''grep -A 1 wpsetters /usr/bin/awsetbg'' to see which options you have.)<br />
<br />
===Autostarting applications===<br />
''See also [https://awesome.naquadah.org/wiki/Autostart Autostart on the Awesome wiki].''<br />
<br />
Awesome does not run the applications that Freedesktop desktops such as GNOME or KDE mark for autostart. It does, however, provide some functions for launching programs (besides {{Ic|os.execute}} from the Lua standard library). To run the same autostart applications as GNOME or KDE, install {{AUR|dex-git}} from the [[AUR]] and add the following to your rc.lua:<br />
<br />
os.execute"dex -a -e Awesome"<br />
<br />
If you only want a list of programs to run when Awesome starts, create a list of the commands and loop over it:<br />
<br />
do<br />
local cmds = <br />
{ <br />
"swiftfox",<br />
"mutt",<br />
"consonance",<br />
"linux-fetion",<br />
"weechat-curses",<br />
--and so on...<br />
}<br />
<br />
for _,i in pairs(cmds) do<br />
awful.util.spawn(i)<br />
end<br />
end<br />
<br />
(You could also call {{Ic|os.execute}} with the command name and a trailing '{{Ic|&}}', but calling spawn is preferable.)<br />
<br />
To run a program only if it is not already running, start it only when {{Ic|pgrep}} finds no process with the same name.<br />
function run_once(prg)<br />
awful.util.spawn_with_shell("pgrep -u $USER -x " .. prg .. " || (" .. prg .. ")")<br />
end<br />
<br />
So, for example, to run {{Ic|parcellite}} only if it is not already running:<br />
<br />
run_once("parcellite")<br />
<br />
===Passing information to text widgets with awesome-client===<br />
<br />
Just create a new widget; passing information to it is then easy.<br />
{{bc|<nowiki><br />
mywidget = widget({ type = "textbox", name = "mywidget" })<br />
mywidget.text = "initial text"<br />
</nowiki>}}<br />
<br />
Update "initial text" from outside with awesome-client:<br />
<br />
{{bc|<nowiki> <br />
echo -e 'mywidget.text = "new text"' | awesome-client<br />
</nowiki>}}<br />
Do not forget to add the widget to the wibox.<br />
<br />
===Using a different panel===<br />
<br />
If you like awesome's lightweight yet powerful features but not the look of the default panel, you can install another one, for example xfce4-panel:<br />
{{bc|<br />
sudo pacman -S xfce4-panel<br />
}}<br />
<br />
You may of course prefer something else. Then add it to the autostart section of your rc.lua (see the wiki for how to write that). You can comment out the part of the configuration that creates a wibox for each screen (it starts with "mywibox[s] = awful.wibox({ position = "top", screen = s })"), since it is no longer needed. After checking that the configuration file has no errors, run:<br />
{{bc|<br />
awesome -k rc.lua<br />
}}<br />
You also need to change the "modkey+R" key binding to use something like xfrun4 or bashrun instead of awesome's built-in launcher. See the launcher section of the [[Openbox_Themes_and_Apps#Application_launchers|Openbox]]{{Broken section link}} article for reference. Do not forget to add<br />
{{bc|<nowiki><br />
{ rule = { instance = "$yourapplicationlauncher" },<br />
properties = { floating = true } },<br />
</nowiki>}}<br />
to your rc.lua configuration file.<br />
<br />
===Fix Java (GUI appears gray only)===<br />
Guide taken from [https://bbs.archlinux.org/viewtopic.php?pid=450870].<br />
#Install {{Pkg|wmname}} from community<br />
#Run the following command or add it to your {{ic|.xinitrc}}: {{bc|wmname LG3D}}<br />
<br />
{{Note|<br />
If you use a non-reparenting window manager and Java 6, you should uncomment the corresponding line in {{Ic|/etc/profile.d/openjdk6.sh}}<br />
<br />
If you use a non-reparenting window manager and Java 7, you should uncomment the corresponding line in <br />
{{Ic|/etc/profile.d/jre.sh}} <br />
}}<br />
<br />
{{Note|<br />
As of Java 1.7 and Awesome 3.5 (as installed by the awesome-git package) the fixes described above may cause undesirable behaviour related to menus not receiving proper focus. Awesome is now, apparently, a reparenting window manager as of [http://git.naquadah.org/?p&#61;awesome.git;a&#61;commit;h&#61;102063dbbdfb0bc9f43268d98f7dcb5269547395 this commit]. <br />
<br />
If you are experiencing problems having applied the 'wmname' and '_JAVA_AWT_WM_NONREPARENTING' fixes against a recent Java and Awesome, try removing both fixes.<br />
}}<br />
<br />
===Prevent Nautilus from displaying the desktop (Gnome3)===<br />
Run dconf-editor. Navigate to org->gnome->desktop->background and uncheck "draw-background" as well as "show-desktop-icons" for good measure. That's it!<br />
<br />
Another option is moving /usr/bin/nautilus to a new location and replacing it with a script that runs 'nautilus --no-desktop', passing along any arguments it receives.<br />
<br />
#!/bin/sh<br />
/usr/bin/nautilus-real --no-desktop "$@"<br />
<br />
===Transitioning away from Gnome3===<br />
Run 'gnome-session-properties' and remove programs that you won't be needing anymore (e.g Bluetooth Manager, Login Sounds, etc).<br />
<br />
If you'd like to get rid of GDM, make sure that your rc.conf DAEMONS list includes "dbus" (and "cupsd" if you have a printer). It's advisable to get a different login manager (like [[SLiM]]), but you can do things manually if you wish. That entails setting up your [[Udev|.xinitrc properly]] and installing something like devmon ([https://aur.archlinux.org/packages.php?ID=45842 AUR]).<br />
<br />
If you want to keep a few convenient systray applets and your GTK theme, append this to your rc.lua:<br />
function start_daemon(dae)<br />
daeCheck = os.execute("ps -eF | grep -v grep | grep -w " .. dae)<br />
if (daeCheck ~= 0) then<br />
os.execute(dae .. " &")<br />
end<br />
end<br />
<br />
procs = {"gnome-settings-daemon", "nm-applet", "kupfer", "gnome-sound-applet", "gnome-power-manager"}<br />
for k = 1, #procs do<br />
start_daemon(procs[k])<br />
end<br />
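<br />
The following is an added example, not code from the wiki page or from awesome itself, that serves both the run_once function in the autostart section above and the start_daemon loop just shown: it hands pgrep only the executable's basename (quoted for the shell, and cut to the 15 characters the kernel keeps as the process name), so arguments in the command string are never parsed as pgrep options, and it leaves the "is it running" test to the shell instead of relying on the return value of os.execute, which differs between Lua 5.1 and 5.2. It assumes awesome 4.x, where awful.spawn.with_shell exists; on 3.5 the same call is awful.util.spawn_with_shell.<br />

```lua
-- Added example, not part of the wiki page or of awesome.
-- Assumes awesome 4.x (awful.spawn.with_shell); on 3.5 use
-- awful.util.spawn_with_shell instead.
local awful = require("awful")

-- Quote a string so that /bin/sh treats it as one literal word.
local function sh_quote(s)
    return "'" .. (s:gsub("'", "'\\''")) .. "'"
end

-- Basename of the first word of a command line, e.g.
-- "/usr/bin/nm-applet --sm-disable" -> "nm-applet".
local function exe_name(cmd)
    local first = cmd:match("^%s*(%S+)") or ""
    return first:match("([^/]+)$") or first
end

-- Name pgrep -x can actually match: the kernel stores only the first
-- 15 characters of a process name (/proc/<pid>/comm), so a longer name
-- such as "gnome-settings-daemon" would never match and be relaunched
-- on every start.
local function comm_name(cmd)
    return exe_name(cmd):sub(1, 15)
end

-- Start cmd unless this user already has a process with that name.
-- Only the quoted process name reaches pgrep; cmd itself is still run
-- through the shell, as with the wiki's run_once, so keep the list of
-- commands in rc.lua under your own control.
local function run_once(cmd)
    local name = comm_name(cmd)
    if name == "" then return end
    awful.spawn.with_shell(
        "pgrep -u \"$USER\" -x " .. sh_quote(name) .. " >/dev/null || " .. cmd)
end

-- Same list as the start_daemon section above, plus one entry with an
-- argument, which the original pgrep -x line could not handle.
local procs = {
    "gnome-settings-daemon",
    "nm-applet",
    "kupfer",
    "gnome-sound-applet",
    "gnome-power-manager",
    "parcellite -n",
}
for _, p in ipairs(procs) do
    run_once(p)
end
```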
<br />
===Prevent the mouse scroll wheel from changing tags===<br />
In your rc.lua, change the Mouse Bindings section to the following:<br />
-- {{{ Mouse bindings<br />
root.buttons(awful.util.table.join(<br />
awful.button({ }, 3, function () mymainmenu:toggle() end)))<br />
-- }}}<br />
<br />
===Application directories in the menubar===<br />
<br />
The Awesome package in [community] ships with a [http://awesome.naquadah.org/wiki/Menubar/3.5 menubar] (by default, modkey+p opens a dmenu-like application menu at the top of the screen). It only searches for .desktop files in<br />
{{ic|/usr/share/applications}} and {{ic|/usr/local/share/applications}} (the latter probably does not exist on most Arch systems). To change this, add the following line to your {{ic|rc.lua}} (ideally in the "Menubar configuration" section):<br />
<br />
app_folders = { "/usr/share/applications/", "~/.local/share/applications/" }<br />
<br />
{{Note|The {{ic|.desktop}} files are re-read every time Awesome starts, so a large number of them slows down startup. If you prefer another way of launching programs, you can disable the menubar by removing {{ic|local menubar &#61; require("menubar")}} and the other variables that refer to {{ic|menubar}} from {{ic|rc.lua}}.}}<br />
<br />
===Application menu===<br />
<br />
If you want a more traditional application menu when clicking the Awesome icon or right-clicking an empty area of the desktop, follow the instructions in [[Xdg-menu#Awesome]]. The menu is not updated when programs are installed or removed, so make sure to regenerate it with a command like:<br />
xdg_menu --format awesome --root-menu /etc/xdg/menus/arch-applications.menu >~/.config/awesome/archmenu.lua<br />
<br />
===Titlebars===<br />
<br />
You can easily enable titlebars by setting {{ic|titlebars_enabled}} to true in a rule in the configuration file.<br />
<br />
{ rule_any = {type = { "normal", "dialog" }<br />
}, properties = { titlebars_enabled = true }<br />
},<br />
<br />
<br />
<br />
To toggle the titlebar, add the following code to the middle of the {{ic|clientkeys}} section of the key bindings in the configuration file (since it ends with a comma, do not put it last in {{ic|clientkeys}}), then press {{ic|modkey + Ctrl + t}} to toggle.<br />
<br />
<br />
-- working toggle titlebar<br />
awful.key({ modkey, "Control" }, "t", function (c) awful.titlebar.toggle(c) end, <br />
{description = "Show/Hide Titlebars", group="client"}),<br />
<br />
<br />
To hide titlebars by default, add the following line after the titlebar is created in the configuration file (i.e. just before the closing bracket matching awful.titlebar(c) : setup {):<br />
<br />
awful.titlebar.hide(c)<br />
<br />
This overrides the rule configuration above.<br />
<br />
===Start xor jump===<br />
<br />
There is an extension called ''Run or raise'', which makes it possible to configure a key to start a program if no instance exists, else jump to it. This is very useful for some programs: browsers, irc clients, music players, etc. The instructions are very well laid out at http://awesome.naquadah.org/wiki/Run_or_raise, the modular approach is advisable.<br />
<br />
===Battery notification===<br />
If you want to add a simple battery notification you can add following lines to your rc.lua. <br />
These lines originate from a [http://bpdp.blogspot.be/2013/06/battery-warning-notification-for.html blogpost]. Note that you need naughty for the notifications (installed by default in version 3.5).<br />
<br />
{{hc|rc.lua|<br />
<nowiki><br />
-- battery warning<br />
local function trim(s)<br />
return s:find'^%s*$' and '' or s:match'^%s*(.*%S)'<br />
end<br />
<br />
local function bat_notification()<br />
local f_capacity = assert(io.open("/sys/class/power_supply/BAT0/capacity", "r"))<br />
local f_status = assert(io.open("/sys/class/power_supply/BAT0/status", "r"))<br />
local bat_capacity = tonumber(f_capacity:read("*all"))<br />
local bat_status = trim(f_status:read("*all"))<br />
-- close the handles, otherwise every timer tick leaks two file descriptors<br />
f_capacity:close()<br />
f_status:close()<br />
<br />
if (bat_capacity <= 10 and bat_status == "Discharging") then<br />
naughty.notify({ title = "Battery Warning"<br />
, text = "Battery low! " .. bat_capacity .."%" .. " left!"<br />
, fg="#ffffff"<br />
, bg="#C91C1C"<br />
, timeout = 15<br />
, position = "bottom_right"<br />
})<br />
end<br />
end<br />
<br />
battimer = timer({timeout = 60})<br />
battimer:connect_signal("timeout", bat_notification)<br />
battimer:start()<br />
<br />
-- end here for battery warning<br />
</nowiki><br />
}}<br />
<br />
==Troubleshooting==<br />
{{Translateme}}<br />
<br />
=== Mouse Cursor Missing ===<br />
<br />
If you can log in to awesome but the mouse cursor vanishes while mouse actions still work, you can try this:<br />
<br />
gsettings set org.gnome.settings-daemon.plugins.cursor active false<br />
<br />
===Grey Java GUIs===<br />
<br />
Some Java applications may render only grey, empty windows. This is related to non-reparenting.<br />
<br />
A fix might be uncommenting the last line in /etc/profile.d/jre.sh or setting this manually:<br />
<br />
export _JAVA_AWT_WM_NONREPARENTING=1<br />
<br />
other Methods could be found here: http://awesome.naquadah.org/wiki/Problems_with_Java<br />
<br />
===LibreOffice===<br />
If you encounter UI problems with LibreOffice, install libreoffice-gnome.<br />
<br />
===Mod4 key===<br />
<br />
The Mod4 key is the '''Win key''' by default. If, for some reason, it is not mapped by default, you can check the keycode of your Mod4 key with<br />
<br />
$ xev<br />
<br />
It should be 115 for the left one. Then add this to your ~/.xinitrc:<br />
<br />
xmodmap -e "keycode 115 = Super_L" -e "add mod4 = Super_L"<br />
exec awesome<br />
<br />
The problem in this case is that some xorg installations recognize keycode 115, but incorrectly as the 'Select' key. The command above explicitly remaps keycode 115 to the correct 'Super_L' keysym.<br />
<br />
====Mod4 key vs. IBM ThinkPad users====<br />
<br />
IBM ThinkPads do not come with a Windows key (although Lenovo has since changed this tradition on its ThinkPads). As of writing, the Alt key is not used in key combinations by the default rc.lua (refer to the Awesome wiki for a table of commands), which allows it to be used as a replacement for the Super/Mod4/Win key. To do this, edit your rc.lua and replace:<br />
<br />
modkey = "Mod4"<br />
<br />
with:<br />
<br />
modkey = "Mod1"<br />
<br />
Note: Awesome does have a few commands that use Mod4 plus a single letter. Changing Mod4 to Mod1/Alt could cause overlaps with some key combinations. The few instances where this happens can be changed in rc.lua.<br />
<br />
If you would rather not change the awesome defaults, you can remap a key instead. For instance, the Caps Lock key is rather useless (for me); adding the following to ~/.Xmodmap <br />
<br />
clear lock <br />
add mod4 = Caps_Lock<br />
<br />
and [[Xmodmap#Custom table|(re)loading]] the file<br />
turns the Caps Lock key into the Mod4 key, which works nicely with the standard awesome settings. In addition, it provides the Mod4 key to other X programs as well.<br />
<br />
Not confirmed, but if recent updates of xorg-related packages break the remapping above, the second line can be replaced with (tested on a DasKeyboard with no left Super key):<br />
<br />
keysym Caps_Lock = Super_L Caps_Lock<br />
<br />
===Eclipse: cannot resize/move main window===<br />
If you get stuck and cannot move or resize the main window (using Mod4 + left/right mouse button), edit workbench.xml, set fullscreen/maximized to false (if set) and reduce the width and height to numbers smaller than your single-screen desktop area.<br />
{{Note|workbench.xml can be found in: <eclipse_workspace>/.metadata/.plugins/org.eclipse.ui.workbench/ and the line to edit is <window height&#61;"xx" maximized&#61;"true" width&#61;"xx" x&#61;"xx" y&#61;"xx">.}}<br />
<br />
===YouTube: fullscreen appears in background===<br />
If YouTube videos appear underneath your web browser when in fullscreen mode, add this to your rc.lua [https://bbs.archlinux.org/viewtopic.php?pid=1085494#p1085494]:<br />
<br />
{ rule = { instance = "plugin-container" },<br />
properties = { floating = true } },<br />
<br />
With Chromium add<br />
<br />
{ rule = { instance = "exe" },<br />
properties = { floating = true } },<br />
<br />
===Starting console clients on specific tags===<br />
Starting a console client on a specific tag does not work when the console application is invoked from a GTK terminal (e.g. LXTerminal). [[URxvt]] is known to work. <br />
<br />
===Redirecting console output to a file===<br />
Some GUI applications are very verbose when launched from a terminal. As a consequence, when started from awesome, they write everything to the TTY from which awesome was started, which tends to get messy. To get rid of the garbage output you have to redirect it. However, the {{ic|awful.util.spawn}} function does not go through a shell and therefore does not handle pipes and redirections, as stated in the [http://awesome.naquadah.org/wiki/FAQ#How_to_execute_a_shell_command.3F official FAQ]; use {{ic|awful.util.spawn_with_shell}} instead.<br />
<br />
As an example, let us redirect the [[Luakit]] output to a temporary file:<br />
<br />
awful.key({ modkey, }, "w", function () awful.util.spawn_with_shell("luakit 2>>/tmp/luakit.log") end),<br />
<br />
==External Links==<br />
* http://awesome.naquadah.org/wiki/FAQ - FAQ<br />
* http://www.lua.org/pil/ - Programming in Lua (first edition)<br />
* http://awesome.naquadah.org/ - The official awesome website<br />
* http://awesome.naquadah.org/wiki/Main_Page - the awesome wiki<br />
* http://www.penguinsightings.org/desktop/awesome/ - A review<br />
* http://compsoc.tardis.ed.ac.uk/wiki/AwesomeWM_guide - Awesome guide<br />
* https://bbs.archlinux.org/viewtopic.php?id=88926 - share your awesome!</div>Timeline.menuhttps://wiki.archlinux.org/index.php?title=Unbound_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)&diff=576050Unbound (简体中文)2019-06-20T14:01:17Z<p>Timeline.menu: /* 手动指定DNS服务器 */</p>
<hr />
<div>[[Category:Domain Name System (简体中文)]]<br />
[[en:Unbound]]<br />
[[ja:Unbound]]<br />
{{Related articles start}}<br />
{{Related|Domain name resolution}}<br />
{{Related articles end}}<br />
<br />
[https://unbound.net/ Unbound] is a validating, recursive and caching DNS resolver. According to [[Wikipedia:Unbound (DNS Server)|Wikipedia]]:<br />
:Unbound has supplanted the Berkeley Internet Name Domain ([[BIND]]) as the default, base-system name server in several open source projects, where it is perceived as smaller, more modern, and more secure for most applications.<br />
<br />
{{TranslationStatus (简体中文)|Unbound|2019-03-24|397940}}<br />
== Installation ==<br />
<br />
Install the {{Pkg|unbound}} package.<br />
In addition, {{Pkg|expat}} is required to validate queries with [[DNSSEC]].<br />
<br />
== Configuration ==<br />
<br />
The default configuration already lives in {{ic|/etc/unbound/unbound.conf}}. In addition, {{ic|/etc/unbound/unbound.conf.example}} lists the other available settings, with example values given as comments. The following sections focus on settings that differ from the default configuration file. See {{man|5|unbound.conf}} for details.<br />
<br />
Unless stated otherwise, the options listed in this section go in the {{ic|server}} section of the configuration file, like this:<br />
<br />
{{hc|/etc/unbound/unbound.conf|<br />
server:<br />
...<br />
''setting'': ''value''<br />
...<br />
}}<br />
<br />
{{Note|Make sure {{ic|do-daemonize: no}} is set in your configuration file, otherwise {{ic|unbound.service}} fails to start.}}<br />
<br />
=== Local DNS server ===<br />
<br />
If you want to use ''unbound'' as your local DNS server, set the nameservers in [[resolv.conf]] to the loopback addresses {{ic|::1}} and {{ic|127.0.0.1}}. You may want to [[Domain name resolution (简体中文)#给/etc/resolv.conf添加写保护|write-protect]] that configuration.<br />
<br />
{{Tip|An easy way to do this is to install [[openresolv]] and uncomment the line containing {{ic|1=name_servers="::1 127.0.0.1"}} in {{ic|/etc/resolvconf.conf}}. Then run {{ic|resolvconf -u}} to regenerate {{ic|/etc/resolv.conf}}.}}<br />
<br />
To learn how to test the settings, see [[Domain name resolution#Lookup utilities]].<br />
<br />
After making the [[resolv.conf]] change persistent, double-check that the server actually in use is {{ic|::1}} or {{ic|127.0.0.1}}.<br />
<br />
You may also want to configure ''unbound'' to [[#Forwarding queries|forward queries]] to DNS servers of your choice; without a forward zone it resolves recursively from the root servers on its own.<br />
<br />
=== Access control ===<br />
<br />
You can specify, by IP address, the interfaces on which queries are answered. By default only ''localhost'' is listened on.<br />
<br />
To listen on all IPv4 interfaces, use the following (add {{ic|interface: ::0}} for IPv6 as well):<br />
<br />
interface: 0.0.0.0<br />
<br />
To control, by IP address, which systems may use the server, use the {{ic|access-control}} option:<br />
<br />
access-control: ''subnet'' ''action''<br />
<br />
For example:<br />
<br />
access-control: 192.168.1.0/24 allow<br />
<br />
''action'' is one of {{ic|deny}} (drop the message), {{ic|refuse}} (polite error reply), {{ic|allow}} (recursive queries ok), or {{ic|allow_snoop}} (recursive and nonrecursive queries ok). By default everything except localhost is refused. When several netblocks match a client, the most specific one wins, so the order of the statements does not matter. Note that {{ic|allow_snoop}} permits cache snooping (nonrecursive queries that reveal what the cache currently holds), so reserve it for trusted hosts.<br />
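<br />
As an added illustration (it is not part of this page nor unbound's own code), the following Python script evaluates a handful of constructed {{ic|access-control}} rules the way unbound does: the most specific netblock wins, with unbound's implicit defaults (localhost allowed, everything else refused) as the least specific entries. It shows why a client in {{ic|192.168.2.0/24}} is still refused although {{ic|192.168.0.0/16}} is mentioned, and why a single {{ic|allow_snoop}} host should be a deliberate choice. The rule set and client addresses are constructed for the example.<br />
<br />
```python
import ipaddress

# Constructed rule set in unbound.conf syntax (example input, not the page's own config)
ACCESS_CONTROL = """
access-control: 192.168.1.0/24 allow
access-control: 192.168.1.53/32 allow_snoop   # one monitoring host may snoop the cache
access-control: 192.168.0.0/16 refuse
access-control: 10.0.0.0/8 deny
"""

ACTIONS = {"deny", "refuse", "allow", "allow_snoop"}

# unbound's implicit defaults: localhost is allowed, everything else is refused
DEFAULT_RULES = [
    (ipaddress.ip_network("0.0.0.0/0"), "refuse"),
    (ipaddress.ip_network("::/0"), "refuse"),
    (ipaddress.ip_network("127.0.0.0/8"), "allow"),
    (ipaddress.ip_network("::1/128"), "allow"),
]


def parse_access_control(text):
    """Parse 'access-control: <netblock> <action>' lines into (network, action) pairs."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("access-control:"):
            continue
        fields = line[len("access-control:"):].split()
        if len(fields) != 2 or fields[1] not in ACTIONS:
            raise ValueError(f"malformed rule: {raw.strip()!r}")
        # strict=False tolerates host bits such as 192.168.1.1/24
        rules.append((ipaddress.ip_network(fields[0], strict=False), fields[1]))
    return rules


def action_for(client_ip, rules):
    """Action unbound applies to a client: the most specific matching netblock wins,
    with the implicit defaults acting as the least specific entries."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for net, action in DEFAULT_RULES + rules:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    # unreachable while the /0 defaults are present; an unmatched client is denied
    return best[1] if best else "deny"


def recursion_allowed(action):
    """Only allow and allow_snoop let the client use the cache and recurse."""
    return action in ("allow", "allow_snoop")


if __name__ == "__main__":
    rules = parse_access_control(ACCESS_CONTROL)
    for client in ("127.0.0.1", "::1", "192.168.1.10", "192.168.1.53",
                   "192.168.2.10", "10.1.2.3", "203.0.113.5"):
        print(f"{client:>14} -> {action_for(client, rules)}")
```
<br />
Run it before exposing {{ic|interface: 0.0.0.0}} on a multi-homed box and compare the output against the clients you actually intend to serve; anything that prints {{ic|allow}} for an address you do not control is an open resolver in the making.<br />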
<br />
=== Forwarding using DNS over TLS ===<br />
<br />
To use this feature, set the {{ic|tls-cert-bundle}} option to the root CA bundle of the local system, so that unbound can authenticate the TLS forwarders, and specify one or more servers that support DNS over TLS.<br />
<br />
For each server, give the port to connect to after {{ic|@}} and the server's hostname after {{ic|#}}. Although it looks like a comment, the hash name sets the TLS authentication name, which also works for stub-zones and with the {{ic|unbound-control forward}} command. Without that name unbound still encrypts the connection but does not verify whose certificate it is talking to, which gives no protection against an active attacker. There must be no space between the {{ic|@}} and {{ic|#}} parts.<br />
<br />
{{hc|/etc/unbound/unbound.conf|<br />
...<br />
server:<br />
...<br />
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt<br />
...<br />
forward-zone:<br />
name: "."<br />
forward-tls-upstream: yes<br />
forward-addr: 1.1.1.1@853#cloudflare-dns.com<br />
}}<br />
<br />
=== Root hints ===<br />
<br />
To resolve a hostname that is not cached, the resolver has to start at the root of the server tree and ask a root server where to find the top-level domain of the target name. Unbound has root hints built in, but it is recommended to supply a root hints file so the built-in list does not go stale.<br />
<br />
First, tell ''unbound'' to use the {{ic|root.hints}} file:<br />
<br />
root-hints: root.hints<br />
<br />
Then place the ''root hints'' file in the ''unbound'' configuration directory. The easiest way is to run:<br />
<br />
{{bc|<nowiki># curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache</nowiki>}}<br />
<br />
It is recommended to update {{ic|root.hints}} every six months to keep the root server list current. You can do this manually or with [[Systemd/Timers]]; see [[#Root hints with a systemd timer]].<br />
<br />
=== DNSSEC validation ===<br />
<br />
{{Out of date|1=DNSSEC is enabled by default. [https://git.archlinux.org/svntogit/community.git/commit/trunk/conf?h=packages/unbound&id=79f1ebebd72b53d3b597f6dc48b84f3d76dd9a0c].}}<br />
<br />
To use [[DNSSEC]] validation, tell ''unbound'' where the root trust anchor file is by adding the following to the {{ic|server:}} section:<br />
<br />
{{hc|/etc/unbound/unbound.conf|<br />
trust-anchor-file: trusted-key.key}}<br />
<br />
{{ic|/etc/unbound/trusted-key.key}} is a copy of {{ic|/etc/trusted-key.key}}, which is provided by the dependency {{Pkg|dnssec-anchors}}, whose [[PKGBUILD]] generates {{ic|/etc/trusted-key.key}} as described in {{man|8|unbound-anchor}}.<br />
<br />
If the general [[#Forwarding queries|forwarding]] points at DNS servers that do not support DNSSEC, make sure those servers are commented out, otherwise DNS queries will fail. DNSSEC validation only succeeds when the queried DNS server supports it.<br />
<br />
{{Note|With DNSSEC, DNS lookup times increase noticeably until the records are cached.}}<br />
<br />
==== Testing DNSSEC ====<br />
<br />
To test whether DNSSEC is working, after [[starting]] {{ic|unbound.service}}:<br />
<br />
$ unbound-host -C /etc/unbound/unbound.conf -v sigok.verteiltesysteme.net<br />
<br />
The answer should be an IP address marked {{ic|(secure)}}.<br />
<br />
$ unbound-host -C /etc/unbound/unbound.conf -v sigfail.verteiltesysteme.net<br />
<br />
This answer should contain {{ic|(BOGUS (security failure))}}.<br />
<br />
Alternatively, test with ''drill'':<br />
<br />
$ drill sigok.verteiltesysteme.net<br />
$ drill sigfail.verteiltesysteme.net<br />
<br />
The first command should return an {{ic|rcode}} of {{ic|NOERROR}}, the second an {{ic|rcode}} of {{ic|SERVFAIL}}.<br />
<br />
=== Forwarding queries ===<br />
<br />
If you only want to forward queries to an external DNS server, skip to [[#Forwarding all remaining requests]].<br />
<br />
==== Allowing DNS for a local network ====<br />
<br />
===== Using openresolv =====<br />
<br />
If your network manager supports [[openresolv]], you can configure it to hand the local DNS servers to unbound for name lookups.<br />
[https://roy.marples.name/projects/openresolv/config]<br />
<br />
{{hc|/etc/resolvconf.conf|2=<br />
...<br />
private_interfaces="*"<br />
<br />
# Write out unbound configuration file<br />
unbound_conf=/etc/unbound/resolvconf.conf<br />
}}<br />
<br />
Run {{ic|resolvconf -u}} to generate the file.<br />
<br />
Configure unbound to read the file generated by openresolv and to allow answers containing [[Wikipedia:Private network|private IP address ranges]]:<br />
{{hc|/etc/unbound/unbound.conf|<br />
include: "/etc/unbound/resolvconf.conf"<br />
...<br />
server:<br />
...<br />
private-domain: "intranet"<br />
private-domain: "internal"<br />
private-domain: "private"<br />
private-domain: "corp"<br />
private-domain: "home"<br />
private-domain: "lan"<br />
<br />
unblock-lan-zones: yes<br />
insecure-lan-zones: yes<br />
...<br />
}}<br />
<br />
You may also want to disable DNSSEC validation for the private DNS namespaces [https://tools.ietf.org/html/rfc6762#appendix-G]:<br />
<br />
{{hc|/etc/unbound/unbound.conf|<br />
<br />
...<br />
server:<br />
...<br />
domain-insecure: "intranet"<br />
domain-insecure: "internal"<br />
domain-insecure: "private"<br />
domain-insecure: "corp"<br />
domain-insecure: "home"<br />
domain-insecure: "lan"<br />
...<br />
}}<br />
<br />
===== Specifying DNS servers manually =====<br />
<br />
If your local network uses private address ranges and its names are answered by a local DNS server, declare those ranges with {{ic|private-address}} so that answers for public names can never point into your network:<br />
private-address: ''local subnet/netmask''<br />
<br />
For example:<br />
private-address: 10.0.0.0/24<br />
<br />
{{Note|Listing private addresses this way protects against DNS rebinding attacks: any A or AAAA record inside a listed range is stripped from answers unless the name is under a {{ic|private-domain}}. For full coverage, list the RFC 1918, link-local and ULA networks (10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 fd00::/8 fe80::/10). Future versions of unbound may enable this by default.}}<br />
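<br />
The following added Python example (not from this page and not unbound code) mimics what {{ic|private-address}} together with {{ic|private-domain}} does to an answer: records inside the private ranges are dropped for public names, so an attacker-controlled name cannot be pointed at your router, while names under {{ic|lan}}, {{ic|home}} and similar private zones keep their private answers. The ranges, zone names and answers are constructed for the example; real unbound can additionally let the validator mark such answers bogus, which is not modelled here.<br />
<br />
```python
import ipaddress

# Ranges a typical private-address configuration lists (RFC 1918, link-local, ULA);
# constructed for the example, adjust to your own network
PRIVATE_ADDRESS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fd00::/8", "fe80::/10")]

# Zones whose answers may legitimately contain private addresses (private-domain)
PRIVATE_DOMAIN = ("lan", "home", "corp", "internal")


def in_private_domain(name, private_domains=PRIVATE_DOMAIN):
    """True if name is one of the private-domain zones or lies under one of them."""
    labels = name.rstrip(".").lower().split(".")
    for zone in private_domains:
        zone_labels = zone.rstrip(".").lower().split(".")
        if labels[-len(zone_labels):] == zone_labels:
            return True
    return False


def filter_answer(name, addresses, private_address=PRIVATE_ADDRESS,
                  private_domains=PRIVATE_DOMAIN):
    """Return (kept, dropped) address records for an answer to `name`.

    A public name resolving into your own private ranges is the classic DNS
    rebinding attack, so such records are removed unless the name sits under a
    private-domain zone."""
    if in_private_domain(name, private_domains):
        return list(addresses), []
    kept, dropped = [], []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in private_address):
            dropped.append(addr)
        else:
            kept.append(addr)
    return kept, dropped


if __name__ == "__main__":
    # Constructed answers: an attacker-controlled public name pointing at a LAN router,
    # and a legitimate LAN name resolving to the same router
    print(filter_answer("rebind.attacker.example", ["203.0.113.7", "192.168.1.1"]))
    print(filter_answer("router.lan", ["192.168.1.1"]))
```
<br />
The practical consequence for your configuration: every {{ic|private-address}} range you add must be matched by a {{ic|private-domain}} entry for the zones that legitimately live there, otherwise your own LAN names stop resolving.<br />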
<br />
====== Including a local DNS server ======<br />
<br />
To include a local DNS server for forwarding and for reverse lookups of local addresses, a group of settings like the following is needed (replace 10.0.0.1 with the address of the server that provides DNS on your local network; the reverse zone is forwarded to that same server):<br />
local-zone: "10.in-addr.arpa." transparent<br />
The line above is essential for reverse lookups to work.<br />
forward-zone:<br />
name: "mynetwork.com."<br />
forward-addr: 10.0.0.1<br />
forward-zone:<br />
name: "10.in-addr.arpa."<br />
forward-addr: 10.0.0.1<br />
{{Note|The difference between a forward zone and a stub zone is that a stub zone only works when it points directly at an authoritative DNS server. If a [[BIND]] server provides authoritative DNS, a stub zone works for the queries sent to it; but if you point at an ''unbound'' server that itself forwards internal queries to yet another DNS server, defining it as a stub zone on this machine will not work. In that case you must define it as a forward zone as above, because a forward zone can chain to other DNS servers, i.e. it may point at a recursive DNS server. The distinction matters because misusing a stub zone yields no informative error messages.}}<br />
<br />
You can set up forward and reverse lookups for localhost with the following configuration:<br />
<br />
local-zone: "localhost." static<br />
local-data: "localhost. 10800 IN NS localhost."<br />
local-data: "localhost. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"<br />
local-data: "localhost. 10800 IN A 127.0.0.1"<br />
local-zone: "127.in-addr.arpa." static<br />
local-data: "127.in-addr.arpa. 10800 IN NS localhost."<br />
local-data: "127.in-addr.arpa. 10800 IN SOA localhost. nobody.invalid. 2 3600 1200 604800 10800"<br />
local-data: "1.0.0.127.in-addr.arpa. 10800 IN PTR localhost."<br />
<br />
==== Forwarding all remaining requests ====<br />
<br />
===== Using openresolv =====<br />
<br />
If your network manager supports [[openresolv]], you can configure it to hand the upstream DNS servers to unbound.<br />
[https://roy.marples.name/projects/openresolv/config]<br />
<br />
{{hc|/etc/resolvconf.conf|2=<br />
...<br />
# Write out unbound configuration file<br />
unbound_conf=/etc/unbound/resolvconf.conf<br />
}}<br />
<br />
Run {{ic|resolvconf -u}} to generate the file.<br />
<br />
Finally, configure unbound to read the file generated by openresolv:<br />
include: "/etc/unbound/resolvconf.conf"<br />
<br />
===== Specifying DNS servers manually =====<br />
<br />
To have the default forward zone, which covers everything outside the local machine and the local network, use specific servers, add a forward zone named {{ic|.}} to the configuration. In this example all queries are forwarded to Google's DNS servers:<br />
<br />
forward-zone:<br />
name: "."<br />
forward-addr: 8.8.8.8<br />
forward-addr: 8.8.4.4<br />
<br />
== Usage ==<br />
<br />
=== Starting unbound ===<br />
<br />
[[Start/enable]] the {{ic|unbound.service}} systemd service.<br />
<br />
=== Controlling unbound remotely ===<br />
<br />
''unbound'' ships with the {{ic|unbound-control}} utility, which can be used to control an unbound server remotely. It is similar to the [[Pdnsd#pdnsd-ctl|pdnsd-ctl]] command of {{Pkg|pdnsd}}.<br />
<br />
==== Configuring unbound-control ====<br />
<br />
Before you can use it, do the following:<br />
<br />
1) First, run:<br />
<br />
# unbound-control-setup<br />
<br />
to generate a self-signed certificate and private key for both the server and the client. The generated files are placed in {{ic|/etc/unbound}}.<br />
<br />
2) Then put the following into {{ic|/etc/unbound/unbound.conf}}. {{ic|control-enable: yes}} is mandatory; the rest can be adjusted as needed. Keep {{ic|control-interface}} on loopback unless you really need remote access, because on any other address the only thing guarding the control channel is the client certificate generated above.<br />
<br />
remote-control:<br />
# Enable remote control with unbound-control(8) here.<br />
# Configured with the keys and certificates generated by unbound-control-setup.<br />
control-enable: yes<br />
# Which address to listen on.<br />
# give 0.0.0.0 and ::0 to listen to all interfaces.<br />
control-interface: 127.0.0.1<br />
# Port for remote control.<br />
control-port: 8953<br />
# unbound server key file.<br />
server-key-file: "/etc/unbound/unbound_server.key"<br />
# unbound server certificate file.<br />
server-cert-file: "/etc/unbound/unbound_server.pem"<br />
# unbound-control key file.<br />
control-key-file: "/etc/unbound/unbound_control.key"<br />
# unbound-control certificate file.<br />
control-cert-file: "/etc/unbound/unbound_control.pem"<br />
<br />
==== Using unbound-control ====<br />
<br />
Some of the commands available with ''unbound-control'':<br />
<br />
* Show statistics without resetting them<br />
# unbound-control stats_noreset<br />
<br />
* Dump the cache to stdout<br />
# unbound-control dump_cache<br />
<br />
* Flush the cache and reload the configuration<br />
# unbound-control reload<br />
<br />
See {{man|8|unbound-control}} for the full list of operations ''unbound-control'' supports.<br />
<br />
== Tips and tricks ==<br />
<br />
=== Domain blacklisting ===<br />
<br />
Open the [https://pgl.yoyo.org/adservers/serverlist.php?hostformat=unbound&showintro=0&startdate%5Bday%5D=&startdate%5Bmonth%5D=&startdate%5Byear%5D=&mimetype=plaintext adservers] page, save its content to {{ic|/etc/unbound/adservers}}, then include it from the unbound configuration file:<br />
<br />
{{hc|/etc/unbound/unbound.conf|<br />
server:<br />
...<br />
include: /etc/unbound/adservers<br />
}}<br />
<br />
{{Tip|<br />
* To return an OK status when these hosts are queried, you can change the default 127.0.0.1 redirect to a server you control that returns an empty 204 response, see [http://www.shadowandy.net/2014/04/adblocking-nginx-serving-1-pixel-gif-204-content.htm]<br />
* To convert a hosts file in another format to the unbound format, run: {{bc|$ grep '^0\.0\.0\.0' ''hostsfile'' {{!}} awk '{print "local-zone: \""$2"\" always_nxdomain"}' > /etc/unbound/adservers}}<br />
}}<br />
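<br />
As an added example that is not from this page, the following Python version of the conversion in the tip above accepts blocklists written against {{ic|0.0.0.0}}, {{ic|127.0.0.1}} or {{ic|::1}}, drops duplicates and entries with invalid host syntax, and refuses to emit a rule for {{ic|localhost}}: a stock hosts file starts with {{ic|127.0.0.1 localhost}}, and converting that line blindly makes unbound answer NXDOMAIN for localhost. The sample hosts lines are constructed.<br />
<br />
```python
import re

# Constructed hosts-file excerpt (not a real blocklist)
HOSTS_SAMPLE = """\
# sample blocklist
127.0.0.1  localhost
::1        localhost ip6-localhost
0.0.0.0    ads.example.com   # tracker
0.0.0.0    ads.example.com
127.0.0.1  tracker.example.net
0.0.0.0    not_a_valid-host..name
0.0.0.0    www.example.org
"""

# Addresses that blocklists use as a sink; any other address is a real mapping
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1", "::"}
# Names a hosts file maps to loopback for legitimate reasons; never turn these into NXDOMAIN
NEVER_BLOCK = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback",
               "local", "broadcasthost"}
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def valid_hostname(name):
    """RFC 1123 host syntax check; unbound would reject a malformed local-zone anyway."""
    if not name or len(name) > 253:
        return False
    return all(LABEL.match(label) for label in name.split("."))


def hosts_to_unbound(text):
    """Turn a hosts-style blocklist into 'local-zone: "<name>" always_nxdomain' lines."""
    seen, lines = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] not in SINK_ADDRESSES:
            continue                      # a real address mapping, not a block entry
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name in NEVER_BLOCK or name in seen or not valid_hostname(name):
                continue
            seen.add(name)
            lines.append(f'local-zone: "{name}" always_nxdomain')
    return lines


if __name__ == "__main__":
    print("\n".join(hosts_to_unbound(HOSTS_SAMPLE)))
```
<br />
After regenerating {{ic|/etc/unbound/adservers}} this way, run {{ic|unbound-checkconf}} before reloading; a single malformed line in an included file keeps the whole resolver from starting.<br />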
<br />
=== Adding an authoritative DNS server ===<br />
<br />
{{Accuracy|Running two DNS servers at once is not necessarily more secure than running one server that provides all functions.}}<br />
<br />
For users who want to run two DNS servers on one machine (one validating, recursive, caching server and one authoritative server), the [[NSD]] wiki page may help; it provides an example configuration. One server answers only authoritative DNS requests while the other provides validating, recursive and caching DNS, which is considered more secure than one server doing everything. Many users already run Bind as their DNS server, and help with moving from Bind alone to Bind and NSD working together is given on the [[NSD]] page.<br />
<br />
=== WAN facing DNS ===<br />
<br />
It is possible to let DNS requests from outside the local network reach a specific machine on the LAN by changing the configuration file and the interface (address) the server listens on. This is useful for public web and mail servers. The technique, used with bind for years, also works with unbound, provided port forwarding on the firewall machine is configured correctly so that these requests reach the right machine. Be careful what you expose: a resolver that answers recursive queries for the whole Internet is an open resolver that can be abused for amplification attacks, so only publish authoritative data this way, or restrict recursion with {{ic|access-control}} to the clients that need it.<br />
<br />
=== Root hints with a systemd timer ===<br />
<br />
Here is an example systemd service and timer that updates {{ic|root.hints}} monthly, using the same method as in [[#Root hints]]:<br />
<br />
{{hc|1=/etc/systemd/system/roothints.service|2=<br />
[Unit]<br />
Description=Update root hints for unbound<br />
After=network.target<br />
<br />
[Service]<br />
ExecStart=/usr/bin/curl -o /etc/unbound/root.hints <nowiki>https://www.internic.net/domain/named.cache</nowiki><br />
}}<br />
<br />
{{hc|1=/etc/systemd/system/roothints.timer|2=<br />
[Unit]<br />
Description=Run root.hints monthly<br />
<br />
[Timer]<br />
OnCalendar=monthly<br />
Persistent=true<br />
<br />
[Install]<br />
WantedBy=timers.target}}<br />
<br />
Finally, [[Start/enable]] the {{ic|roothints.timer}} systemd timer.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Issues with num-threads ===<br />
<br />
The {{ic|unbound.conf}} man page says:<br />
<br />
outgoing-range: <number><br />
Number of ports to open. This number of file descriptors can be opened per thread.<br />
<br />
Some people online suggest setting {{ic|num-threads}} to the number of CPU cores. The example configuration file {{ic|unbound.conf.example}} says only this about the option:<br />
<br />
# number of threads to create. 1 disables threading.<br />
# num-threads: 1<br />
<br />
However, raising {{ic|num-threads}} above {{ic|1}} will make ''unbound'' log a warning at startup about exceeding the number of file descriptors. In practice, for most users running unbound on a small network or a single machine, trying to gain performance by setting {{ic|num-threads}} above {{ic|1}} is futile. If you insist, see the [http://www.unbound.net/documentation/howto_optimise.html official documentation]. The following rule of thumb should help:<br />
<br />
:''Set {{ic|num-threads}} equal to the number of CPU cores on the system. E.g. for 4 CPUs with 2 cores each, use 8.''<br />
<br />
Set {{ic|outgoing-range}} as large as possible; see the link above for how to get past the {{ic|1024}} total limit. This lets unbound serve more clients at once. Per thread, use {{ic|950}} with 1 core, {{ic|450}} with 2 cores and {{ic|200}} with 4 cores. {{ic|num-queries-per-thread}} is best set to half of {{ic|outgoing-range}}.<br />
<br />
Because {{ic|outgoing-range}} is limited, and {{ic|num-queries-per-thread}} with it, it is best to compile with {{Pkg|libevent}} so the {{ic|1024}} limit no longer applies. If you run a high-load DNS server that needs this, you have to build unbound from source rather than installing {{Pkg|unbound}}.<br />
<br />
== See also ==<br />
<br />
* [https://fedoraproject.org/wiki/Changes/Default_Local_DNS_Resolver Fedora change to Unbound]<br />
* [https://github.com/jodrell/unbound-block-hosts/ Block hosts that contain advertisements]</div>Timeline.menuhttps://wiki.archlinux.org/index.php?title=Postfix_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)&diff=565985Postfix (简体中文)2019-02-07T08:03:29Z<p>Timeline.menu: 添加了以后漏翻的一句</p>
<hr />
<div>[[Category:Mail server (简体中文)]]<br />
[[en:Postfix]]<br />
[[ja:Postfix]]<br />
{{Related articles start}}<br />
{{Related|Postfix with SASL}}<br />
{{Related|Virtual user mail system}}<br />
{{Related|OpenDMARC}}<br />
{{Related|OpenDKIM}}<br />
{{Related articles end}}<br />
{{TranslationStatus (简体中文)|Postfix|2018-12-06|558391}}<br />
[[Wikipedia:Postfix (software)|Postfix]] is a [[mail transfer agent]]. According to its [http://www.postfix.org/ official website], it:<br />
:attempts to be fast, easy to administer, and secure, while at the same time being sendmail compatible enough to not upset existing users. Thus, the outside has a sendmail-ish flavor, but the inside is completely different.<br />
<br />
This article builds on [[Mail server]]. Its goal is to set up Postfix and explain what the basic configuration files do. Setup instructions are given for two delivery methods: local system users and virtual users. <br />
== Installation ==<br />
<br />
[[Install]] the {{Pkg|postfix}} package.<br />
<br />
== Configuration ==<br />
<br />
Refer to the developers' [http://www.postfix.org/BASIC_CONFIGURATION_README.html Postfix Basic Configuration]. The default configuration files are in {{ic|/etc/postfix}}. Two of them are particularly important:<br />
<br />
* {{ic|master.cf}}, which defines which Postfix services are enabled and how clients connect to them; see {{man|5|master}}<br />
* {{ic|main.cf}}, the main configuration file; see {{man|5|postconf}}<br />
<br />
After changing the configuration files, [[reload]] the main service {{ic|postfix.service}}.<br />
<br />
=== Aliases ===<br />
<br />
See the online man page: {{man|5|aliases|url=https://jlk.fjfi.cvut.cz/arch/manpages/man/postfix/aliases.5.en}}.<br />
<br />
The aliases file is {{ic|/etc/postfix/aliases}}. You can specify aliases (sometimes called forwarders) in this file.<br />
<br />
You should map all mail for ''root'' to another account, because reading mail as root is not a good idea.<br />
<br />
Uncomment the following line and replace {{ic|you}} with the real account you want to use.<br />
root: you<br />
<br />
Once you have edited {{ic|/etc/postfix/aliases}}, run the postalias command:<br />
postalias /etc/postfix/aliases<br />
For later changes you can use:<br />
newaliases<br />
<br />
{{Tip|Alternatively, create a {{ic|~/.forward}} file for the root user, i.e. {{ic|/root/.forward}}, naming the user to whom root's mail should be forwarded, e.g. ''user@localhost''.<br />
<br />
{{hc|/root/.forward|<br />
user@localhost<br />
}}<br />
<br />
}}<br />
<br />
=== Local mail ===<br />
<br />
To deliver mail only to local system users (those listed in {{ic|/etc/passwd}}), update the following lines in {{ic|/etc/postfix/main.cf}} (uncomment, change or add them):<br />
<br />
myhostname = localhost<br />
mydomain = localdomain<br />
mydestination = $myhostname, localhost.$mydomain, $mydomain<br />
inet_interfaces = $myhostname, localhost<br />
mynetworks_style = host<br />
default_transport = error: outside mail is not deliverable<br />
<br />
Leave all other settings unchanged. Once this is done you may want to set up some [[#Aliases]], then [[#Start Postfix]].<br />
<br />
=== Virtual mail ===<br />
Virtual mail accounts are not stored in the local system's {{ic|/etc/passwd}}; a database can be used to store them instead.<br />
<br />
See [[Virtual user mail system with Postfix, Dovecot and Roundcube (简体中文)]] for a detailed guide on setting this up.<br />
<br />
=== Check configuration ===<br />
<br />
Run {{ic|postfix check}} to check the configuration. It reports anything you may have got wrong in the configuration files. <br />
<br />
Run {{ic|postconf}} to see all settings, and {{ic|postconf -n}} to see only those that differ from the defaults.<br />
<br />
== Start Postfix ==<br />
<br />
{{Note|Even if you have not set up any [[#Aliases]], you need to run {{ic|newaliases}} at least once for Postfix to work.}}<br />
[[Start/enable]] {{ic|postfix.service}}.<br />
<br />
== TLS ==<br />
<br />
{{Warning|If you deploy [[Wikipedia:TLS|TLS]], be sure to follow [https://weakdh.org/sysadmin.html weakdh.org's guide] to prevent FREAK/Logjam. Since mid-2015, the default settings have been safe against [[Wikipedia:POODLE|POODLE]]. For more information see [[Server-side TLS]].}}<br />
<br />
You need to [[obtain a certificate]].<br />
<br />
For more information, see [http://www.postfix.org/TLS_README.html Postfix TLS Support].<br />
<br />
=== Secure SMTP (sending) ===<br />
<br />
By default, Postfix/sendmail will not send email encrypted to other SMTP servers. To use TLS when available, add the following line to {{ic|main.cf}}:<br />
{{hc|/etc/postfix/main.cf|2=<br />
smtp_tls_security_level = may<br />
}}<br />
<br />
To ''enforce'' TLS (and fail when the remote server does not support it), change {{ic|may}} to {{ic|encrypt}}. Note, however, that this violates [[RFC:2487]] if the SMTP server is publicly referenced. Also note that {{ic|encrypt}} only guarantees encryption, not the identity of the peer; for protection against an active attacker use {{ic|secure}} or {{ic|dane}} (see [[#DANE (DNSSEC)]]).<br />
<br />
=== Secure SMTP (receiving) ===<br />
<br />
{{Out of date|Port 465 has been reinstated for SMTPS by [[RFC:8314]].}}<br />
<br />
By default, Postfix will not accept secure mail. <br />
<br />
To enable STARTTLS over SMTP (port 587, the proper way of securing SMTP), add the following lines to {{ic|main.cf}}<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
smtpd_tls_security_level = may<br />
smtpd_tls_cert_file = '''/path/to/cert.pem'''<br />
smtpd_tls_key_file = '''/path/to/key.pem'''<br />
}}<br />
<br />
In {{ic|master.cf}}, find and uncomment the following lines to enable the service on that port with the correct settings:<br />
<br />
{{hc|/etc/postfix/master.cf|2=<br />
submission inet n - n - - smtpd<br />
  -o syslog_name=postfix/submission<br />
  -o smtpd_tls_security_level=encrypt<br />
  -o smtpd_sasl_auth_enable=yes<br />
  -o smtpd_tls_auth_only=yes<br />
  -o smtpd_reject_unlisted_recipient=no<br />
#  -o smtpd_client_restrictions=$mua_client_restrictions<br />
#  -o smtpd_helo_restrictions=$mua_helo_restrictions<br />
#  -o smtpd_sender_restrictions=$mua_sender_restrictions<br />
  -o smtpd_recipient_restrictions=<br />
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject<br />
  -o milter_macro_daemon_name=ORIGINATING<br />
}}<br />
The {{ic|smtpd_*_restrictions}} options remain commented because {{ic|$mua_*_restrictions}} are not defined in main.cf by default. If you do decide to set any of {{ic|$mua_*_restrictions}}, uncomment those lines too.<br />
<br />
If you need support for the deprecated SMTPS port 465, also follow the next section.<br />
<br />
==== SMTPS (port 465) ====<br />
<br />
The deprecated method of securing SMTP is using the '''wrapper mode''' which uses the system service '''smtps''' as a non-standard service and runs on port 465.<br />
<br />
To enable it, uncomment the following lines in {{ic|master.cf}}:<br />
<br />
{{hc|/etc/postfix/master.cf|<nowiki><br />
smtps inet n - n - - smtpd<br />
  -o syslog_name=postfix/smtps<br />
  -o smtpd_tls_wrappermode=yes<br />
  -o smtpd_sasl_auth_enable=yes<br />
  -o smtpd_reject_unlisted_recipient=no<br />
#  -o smtpd_client_restrictions=$mua_client_restrictions<br />
#  -o smtpd_helo_restrictions=$mua_helo_restrictions<br />
#  -o smtpd_sender_restrictions=$mua_sender_restrictions<br />
  -o smtpd_recipient_restrictions=<br />
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject<br />
  -o milter_macro_daemon_name=ORIGINATING<br />
</nowiki>}}<br />
<br />
The rationale surrounding the {{ic|$smtpd_*_restrictions}} lines is the same as above.<br />
<br />
After this, verify that these lines are in {{ic|/etc/services}}:<br />
smtps 465/tcp # Secure SMTP<br />
smtps 465/udp # Secure SMTP<br />
<br />
If they are not there, go ahead and add them (replace the other listing for port 465). Otherwise Postfix will not start and you will get the following error:<br />
<br />
''postfix/master[5309]: fatal: 0.0.0.0:smtps: Servname not supported for ai_socktype''<br />
<br />
== Tips and tricks ==<br />
<br />
=== Blacklist incoming emails ===<br />
<br />
Manually blacklisting incoming emails by sender address can easily be done with Postfix. <br />
<br />
Create {{ic|/etc/postfix/blacklist_incoming}} and add one sender address per line, followed by the action:<br />
<br />
user@example.com REJECT<br />
<br />
Then use the {{ic|postmap}} command to build the lookup database (the path must match the one used in {{ic|main.cf}} below):<br />
<br />
# postmap hash:/etc/postfix/blacklist_incoming<br />
<br />
Add the lookup to {{ic|smtpd_recipient_restrictions}} in {{ic|main.cf}}, before the first permit rule. If the parameter already lists other restrictions, insert it into that list instead of replacing them:<br />
<br />
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/blacklist_incoming<br />
<br />
Finally [[restart]] {{ic|postfix.service}}.<br />
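<br />
The reject above matches more than the exact address. The following added Python function (not Postfix code) reproduces the access(5) lookup order that {{ic|check_sender_access}} uses, applied to a constructed table: the full address first, then the domain and (with Postfix's default {{ic|parent_domain_matches_subdomains}}) its parent domains, then the bare {{ic|user@}} local part. This is what makes a {{ic|spammer.example REJECT}} entry also block {{ic|x@mail.spammer.example}}. The table contents and sender addresses are constructed for the example.<br />
<br />
```python
# Constructed access table (contents of /etc/postfix/blacklist_incoming for the example)
BLACKLIST = """\
# sender                action (text after the action is the reply message)
user@example.com        REJECT
spammer.example         REJECT
noreply@                REJECT  no-reply senders are not accepted here
"""


def parse_access_table(text):
    """Parse 'key action [text]' lines the way postmap reads them (keys are case-insensitive)."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, action = line.split(None, 1)
        table[key.lower()] = action.split()[0].upper()
    return table


def sender_access(sender, table, parent_domain_matches_subdomains=True):
    """Look up a sender as smtpd's check_sender_access does, returning (matched_key, action).

    Order per access(5): user@domain, then domain.tld and each parent domain
    (subdomains match the plain domain key when parent_domain_matches_subdomains
    includes smtpd_access_maps, the default; otherwise only '.domain.tld' keys
    match subdomains), then user@ for the bare local part."""
    sender = sender.lower()
    local, _, domain = sender.rpartition("@")
    candidates = [sender]
    labels = domain.split(".") if domain else []
    for i in range(len(labels)):
        parent = ".".join(labels[i:])
        if i == 0 or parent_domain_matches_subdomains:
            candidates.append(parent)
        else:
            candidates.append("." + parent)   # explicit subdomain form
    candidates.append(local + "@")
    for key in candidates:
        if key in table:
            return key, table[key]
    return None, "DUNNO"                       # no entry: fall through to the next restriction


if __name__ == "__main__":
    table = parse_access_table(BLACKLIST)
    for sender in ("user@example.com", "other@example.com",
                   "x@mail.spammer.example", "noreply@anything.example"):
        print(f"{sender:>26} -> {sender_access(sender, table)}")
```
<br />
Because the domain form is this broad, review every line you add without a local part: one careless {{ic|example.com REJECT}} rejects every sender under that domain.<br />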
<br />
===Hide the sender's IP and user agent in the Received header===<br />
This is mostly a privacy concern: when you send an email with Thunderbird, the Received header will contain your LAN and WAN IP and details about the email client you used.<br />
(Original source: [http://askubuntu.com/questions/78163/when-sending-email-with-postfix-how-can-i-hide-the-senders-ip-and-username-in AskUbuntu])<br />
What we want is to remove the Received header from outgoing emails. This can be done with the following steps:<br />
<br />
Add the following line to {{ic|main.cf}}:<br />
<br />
smtp_header_checks = regexp:/etc/postfix/smtp_header_checks<br />
<br />
Create {{ic|/etc/postfix/smtp_header_checks}} with this content:<br />
<br />
/^Received: .*/ IGNORE<br />
/^User-Agent: .*/ IGNORE<br />
<br />
Finally, [[restart]] {{ic|postfix.service}}. Note that {{ic|smtp_header_checks}} applies to every message the Postfix SMTP client delivers, so if this host also relays mail from elsewhere, the Received headers of those relayed messages (the trail used for loop detection and abuse tracing) are stripped as well.<br />
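<br />
To see what the two rules actually remove, here is an added Python model (not Postfix code) of a {{ic|regexp:}} header_checks table applied to a constructed outgoing message. It unfolds continuation lines first, as Postfix does before matching, so the multi-line {{ic|Received:}} header carrying the LAN and WAN addresses disappears as a whole, and like Postfix it matches case-insensitively and stops at the first matching rule. The message is constructed for the example.<br />
<br />
```python
import re

# The two rules from /etc/postfix/smtp_header_checks as (pattern, action);
# regexp: tables are case-insensitive unless a flag says otherwise
SMTP_HEADER_CHECKS = [
    (re.compile(r"^Received: .*", re.IGNORECASE), "IGNORE"),
    (re.compile(r"^User-Agent: .*", re.IGNORECASE), "IGNORE"),
]

# Constructed outgoing message (not a real capture); the Received header is folded
MESSAGE = """\
Received: from [192.168.1.23] (cpe-203-0-113-9.example.net [203.0.113.9])
\tby mail.example.org (Postfix) with ESMTPSA id 4ABC123
\tfor <bob@example.com>; Mon, 1 Jan 2024 10:00:00 +0000 (UTC)
From: alice@example.org
To: bob@example.com
Subject: hello
User-Agent: Mozilla Thunderbird
Message-ID: <20240101100000.4ABC123@mail.example.org>

body text
"""


def unfold_headers(raw):
    """Split a message into (logical header lines, body).

    Postfix matches header_checks against the unfolded header, so continuation
    lines (starting with space or tab) are joined to the header they belong to."""
    head, _, body = raw.partition("\n\n")
    headers = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\n" + line
        else:
            headers.append(line)
    return headers, body


def apply_header_checks(raw, rules=SMTP_HEADER_CHECKS):
    """Return (rewritten message, names of removed headers) after applying IGNORE rules."""
    headers, body = unfold_headers(raw)
    kept, removed = [], []
    for header in headers:
        action = None
        for pattern, rule_action in rules:
            if pattern.match(header):          # first matching rule wins, as in Postfix
                action = rule_action
                break
        if action == "IGNORE":
            removed.append(header.split(":", 1)[0])
        else:
            kept.append(header)
    return "\n".join(kept) + "\n\n" + body, removed


if __name__ == "__main__":
    message, removed = apply_header_checks(MESSAGE)
    print("removed:", removed)
    print(message)
```
<br />
If you only want to hide your own client's hop, a narrower pattern anchored on your submission host (for example {{ic|/^Received: from .* by mail\.example\.org .*with ESMTPSA/}}) keeps the relay trail of other mail intact; test any such pattern against a real message with {{ic|postmap -q - regexp:/etc/postfix/smtp_header_checks < header.txt}} before deploying it.<br />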
<br />
=== Postfix in a chroot jail ===<br />
Postfix is not put in a chroot jail by default. The Postfix documentation [http://www.postfix.org/BASIC_CONFIGURATION_README.html#chroot_setup] provides details about how to accomplish such a jail. The steps are outlined below and are based on the chroot-setup script provided in the Postfix source code.<br />
<br />
First, go into the {{ic|master.cf}} file in the directory {{ic|/etc/postfix}} and change all the chroot entries to 'yes' (y), except for the services {{ic|qmgr}}, {{ic|proxymap}}, {{ic|proxywrite}}, {{ic|local}}, and {{ic|virtual}}.<br />
<br />
Second, create two functions that will help us later with copying files over into the chroot jail (see last step)<br />
CP="cp -p"<br />
<br />
cond_copy() {<br />
# find files as per pattern in $1<br />
# if any, copy to directory $2<br />
dir=`dirname "$1"`<br />
pat=`basename "$1"`<br />
lr=`find "$dir" -maxdepth 1 -name "$pat"`<br />
if test ! -d "$2" ; then exit 1 ; fi<br />
if test "x$lr" != "x" ; then $CP $1 "$2" ; fi<br />
}<br />
<br />
Next, make the new directories for the jail:<br />
set -e<br />
umask 022<br />
<br />
POSTFIX_DIR=${POSTFIX_DIR-/var/spool/postfix}<br />
cd ${POSTFIX_DIR}<br />
<br />
mkdir -p etc lib usr/lib/zoneinfo<br />
test -d /lib64 && mkdir -p lib64<br />
<br />
Find the localtime file<br />
lt=/etc/localtime<br />
if test ! -f $lt ; then lt=/usr/lib/zoneinfo/localtime ; fi<br />
if test ! -f $lt ; then lt=/usr/share/zoneinfo/localtime ; fi<br />
if test ! -f $lt ; then echo "cannot find localtime" ; exit 1 ; fi<br />
rm -f etc/localtime<br />
<br />
Copy localtime and some other system files into the chroot's etc<br />
$CP -f $lt /etc/services /etc/resolv.conf /etc/nsswitch.conf etc<br />
$CP -f /etc/host.conf /etc/hosts /etc/passwd etc<br />
ln -s -f /etc/localtime usr/lib/zoneinfo<br />
<br />
Copy required libraries into the chroot using the previously created function {{ic|cond_copy}}<br />
cond_copy '/usr/lib/libnss_*.so*' lib<br />
cond_copy '/usr/lib/libresolv.so*' lib<br />
cond_copy '/usr/lib/libdb.so*' lib<br />
<br />
And don't forget to reload Postfix.<br />
<br />
<br />
=== DANE (DNSSEC) ===<br />
==== Resource Record ====<br />
<br />
{{warning|This is not a trivial section. Make sure you know what you are doing, and read [https://dane.sys4.de/common_mistakes Common Mistakes] first.}}<br />
<br />
[[DANE]] supports several types of records, but not all of them are suitable for Postfix.<br />
<br />
Certificate usage 0 is unsupported, 1 is mapped to 3 and 2 is optional, so it is recommended to publish a "3" record.<br />
More on [[DANE#Resource Record|Resource Records]].<br />
<br />
==== Configuration ====<br />
<br />
{{Expansion|What does ''tempfail'' mean?}}<br />
<br />
Opportunistic DANE is configured this way:<br />
{{hc|/etc/postfix/main.cf|<nowiki><br />
smtpd_use_tls = yes<br />
smtp_dns_support_level = dnssec<br />
smtp_tls_security_level = dane<br />
</nowiki>}}<br />
{{hc|/etc/postfix/master.cf|<nowiki><br />
dane unix - - n - - smtp<br />
  -o smtp_dns_support_level=dnssec<br />
  -o smtp_tls_security_level=dane<br />
</nowiki>}}<br />
<br />
To use per-domain policies, e.g. opportunistic DANE for example.org and mandatory DANE for example.com,<br />
use something like this:<br />
{{hc|/etc/postfix/main.cf|<nowiki><br />
indexed = ${default_database_type}:${config_directory}/<br />
<br />
# Per-destination TLS policy<br />
#<br />
smtp_tls_policy_maps = ${indexed}tls_policy<br />
<br />
# default_transport = smtp, but some destinations are special:<br />
#<br />
transport_maps = ${indexed}transport<br />
</nowiki>}}<br />
<br />
{{hc|transport|<br />
example.com dane<br />
example.org dane<br />
}}<br />
<br />
{{hc|tls_policy|<br />
example.com dane-only<br />
}}<br />
<br />
{{Note|For global mandatory DANE, change {{ic|smtp_tls_security_level}} to {{ic|dane-only}}. Be aware that this makes Postfix tempfail (respond with a {{ic|4.X.X}} error code) on all deliveries that do not use DANE at all!}}<br />
<br />
Full documentation is found [http://www.postfix.org/TLS_README.html#client_tls_dane here].<br />
<br />
== Extras ==<br />
<br />
* {{App|[[PostfixAdmin]]|A web-based administrative interface for Postfix.|http://postfixadmin.sourceforge.net/|{{Pkg|postfixadmin}}}}<br />
<br />
=== Postgrey ===<br />
<br />
{{Style|See [[Help:Style]]}}<br />
<br />
[http://postgrey.schweikert.ch/ Postgrey] can be used to enable [[Wikipedia:Greylisting|greylisting]] for a Postfix mail server.<br />
<br />
==== Installation ====<br />
<br />
[[Install]] the {{Pkg|postgrey}} package. To get it running quickly, add the policy lookup to {{ic|smtpd_recipient_restrictions}} in the Postfix configuration. It belongs after {{ic|reject_unauth_destination}}, so that relay attempts are rejected instead of greylisted, and before any catch-all permit:<br />
{{hc|/etc/postfix/main.cf|<nowiki><br />
smtpd_recipient_restrictions =<br />
 ...<br />
 check_policy_service inet:127.0.0.1:10030<br />
</nowiki>}}<br />
<br />
Then [[start/enable]] {{ic|postgrey.service}} and [[reload]] {{ic|postfix.service}}. Greylisting is now active.<br />
<br />
==== Configuration ====<br />
<br />
Postgrey is configured through the command-line options of the daemon. Do not edit the packaged {{ic|postgrey.service}} in place or copy it to {{ic|/etc/systemd/system/}}; create a drop-in override instead (see [[systemd#Editing provided units]]), for example with {{ic|systemctl edit postgrey.service}}, and redefine {{ic|ExecStart}} with the options you need.<br />
<br />
==== Whitelisting ====<br />
To enable automatic whitelisting (a client whose deliveries have passed greylisting N times is no longer delayed), add the {{ic|<nowiki>--auto-whitelist-clients=N</nowiki>}} option and replace {{ic|N}} by a suitably small number, or omit the value to keep its default of 5:<br />
<br />
{{hc|/etc/systemd/system/postgrey.service.d/override.conf|<nowiki><br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/postgrey --inet=127.0.0.1:10030 \<br />
--pidfile=/run/postgrey/postgrey.pid \<br />
--group=postgrey --user=postgrey \<br />
--daemonize \<br />
--greylist-text="Greylisted for %%s seconds" \<br />
--auto-whitelist-clients<br />
</nowiki>}}<br />
<br />
The empty {{ic|1=ExecStart=}} clears the packaged command line before the new one is set, and {{ic|%%}} is how a literal {{ic|%}} is written in a unit file. Run {{ic|systemctl daemon-reload}} and restart {{ic|postgrey.service}} afterwards.<br />
<br />
To add your own list of whitelisted clients in addition to the default ones, create the file {{ic|/etc/postfix/whitelist_clients.local}} and enter one host or domain per line, then restart {{ic|postgrey.service}} so the changes take effect.<br />
<br />
==== Troubleshooting ====<br />
<br />
If you specify {{ic|1=--unix=/path/to/socket}} and the socket file is not created ensure you have removed the default {{ic|1=--inet=127.0.0.1:10030}} from the service file. <br />
<br />
For a full documentation of possible options see {{ic|perldoc postgrey}}.<br />
<br />
=== SpamAssassin ===<br />
<br />
This section describes how to integrate [[SpamAssassin]].<br />
<br />
==== SpamAssassin stand-alone generic setup ====<br />
<br />
{{Note|If you want to combine SpamAssassin with Dovecot mail filtering, skip this stand-alone setup and continue with one of the Dovecot sections below.}}<br />
<br />
Edit {{ic|/etc/postfix/master.cf}} and add the {{ic|content_filter}} option to the {{ic|smtp}} service entry:<br />
{{bc|1=<br />
smtp inet n - n - - smtpd<br />
-o content_filter=spamassassin<br />
}}<br />
<br />
Also add the following service entry, which hands each message to {{ic|spamc}} and re-injects it through {{ic|sendmail}}. Re-injected mail enters via {{ic|pickup}}, which has no {{ic|content_filter}} set, so it is not filtered a second time:<br />
{{bc|1=<br />
spamassassin unix - n n - - pipe<br />
flags=R user=spamd argv=/usr/bin/vendor_perl/spamc -e /usr/bin/sendmail -oi -f ${sender} ${recipient}<br />
}}<br />
<br />
Now you can [[start]] and [[enable]] {{ic|spamassassin.service}}.<br />
<br />
==== SpamAssassin combined with Dovecot LDA / Sieve (mail filtering) ====<br />
Set up the LDA and the Sieve plugin as described in [[Dovecot#Sieve]], but skip the final {{ic|mailbox_command}} line of that section.<br />
<br />
Instead, add a pipe transport to {{ic|/etc/postfix/master.cf}}:<br />
dovecot unix - n n - - pipe<br />
flags=DRhu user=vmail:vmail argv=/usr/bin/vendor_perl/spamc -u spamd -e /usr/lib/dovecot/dovecot-lda -f ${sender} -d ${recipient}<br />
<br />
And activate it in {{ic|/etc/postfix/main.cf}}:<br />
virtual_transport = dovecot<br />
<br />
==== SpamAssassin combined with Dovecot LMTP / Sieve ====<br />
Set up the LMTP and Sieve as described in [[Dovecot#Sieve]].<br />
<br />
Edit {{ic|/etc/dovecot/conf.d/90-plugins.conf}} and add:<br />
<br />
sieve_before = /etc/dovecot/sieve.before.d/<br />
sieve_extensions = +vnd.dovecot.filter<br />
sieve_plugins = sieve_extprograms<br />
sieve_filter_bin_dir = /etc/dovecot/sieve-filter<br />
# SpamAssassin scans can take a while; the default timeout is 10s<br />
sieve_filter_exec_timeout = 120s<br />
<br />
Create the directory and symlink the {{ic|spamc}} binary into it, so that Dovecot is allowed to execute it:<br />
<br />
# mkdir /etc/dovecot/sieve-filter<br />
# ln -s /usr/bin/vendor_perl/spamc /etc/dovecot/sieve-filter/spamc<br />
<br />
Create a new file, {{ic|/etc/dovecot/sieve.before.d/spamassassin.sieve}} which contains:<br />
<br />
require [ "vnd.dovecot.filter" ];<br />
filter "spamc" [ "-d", "127.0.0.1", "--no-safe-fallback" ];<br />
<br />
Compile the script into {{ic|spamassassin.svbin}}:<br />
<br />
# cd /etc/dovecot/sieve.before.d<br />
# sievec spamassassin.sieve<br />
<br />
Finally, [[restart]] {{ic|dovecot.service}}.<br />
<br />
===Rule-based mail processing===<br />
Policy services let you fine-tune how Postfix accepts mail. {{Pkg|postfwd}} and {{AUR|policyd}} provide such services, which allow you, for example, to implement time-aware grey- and blacklisting of senders and recipients as well as [[SPF]] policy checks.<br />
<br />
Policy services are standalone services and connected to Postfix like this:<br />
{{hc|/etc/postfix/main.cf|<nowiki><br />
smtpd_recipient_restrictions =<br />
...<br />
check_policy_service unix:/run/policyd.sock<br />
check_policy_service inet:127.0.0.1:10040<br />
</nowiki>}}<br />
Restrictions are evaluated in order and the first permit or reject that matches wins. Placing a policy service late in the list reduces its load, because mail that an earlier restriction rejects never reaches it; place it before any unconditional permit, or that permit short-circuits the check for all messages.<br />
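Postgrey and the policy services in this section all speak the same protocol: Postfix sends attribute=value lines ending with an empty line, the service replies with an {{ic|1=action=}} line, and that action is spliced into the restriction list at the position of {{ic|check_policy_service}}. The Python code below is an added example, neither Postgrey's nor any other project's code: it parses that protocol and implements greylisting on the (client, sender, recipient) triplet with Postgrey's defaults (300 s delay, clients keyed by their /24, auto-whitelisting after 5 passes) plus a client-name whitelist like {{ic|whitelist_clients.local}}. The request it processes is constructed.<br />

```python
"""Minimal Postfix policy service logic with greylisting.

Added example, not Postgrey's or Postfix's code. Parses the policy protocol
(attribute=value lines, blank-line terminator, 'action=...' reply) and makes a
greylisting decision on the (client, sender, recipient) triplet. Defaults follow
Postgrey: 300 s delay, clients keyed by /24, auto-whitelist after 5 passes.
The request below is constructed for the demonstration.
"""
import ipaddress
import time

DEFAULT_DELAY = 300            # seconds a new triplet is deferred
AUTO_WHITELIST_AFTER = 5       # passes before a client skips greylisting


def parse_policy_request(raw):
    """Parse one policy request; the empty line ends it."""
    attrs = {}
    for line in raw.split("\n"):
        if line == "":
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def format_policy_response(action):
    """A reply is a single action line followed by an empty line."""
    return f"action={action}\n\n"


def client_key(address):
    """Key IPv4 clients by their /24 so that retries from a sibling address in a
    sending farm still match the triplet; IPv6 clients are keyed by address."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        return str(ipaddress.ip_network(f"{address}/24", strict=False))
    return str(ip)


class Greylister:
    def __init__(self, delay=DEFAULT_DELAY, auto_whitelist_after=AUTO_WHITELIST_AFTER,
                 whitelist_clients=()):
        self.delay = delay
        self.auto_whitelist_after = auto_whitelist_after
        self.whitelist_clients = tuple(whitelist_clients)   # host or domain names
        self.triplets = {}        # (client key, sender, recipient) -> first seen
        self.client_passes = {}   # client key -> successful passes so far

    def is_whitelisted(self, attrs, key):
        name = attrs.get("client_name", "")
        if any(name == w or name.endswith("." + w) for w in self.whitelist_clients):
            return True
        return self.client_passes.get(key, 0) >= self.auto_whitelist_after

    def decide(self, attrs, now=None):
        """Return the policy action for one request."""
        now = time.time() if now is None else now
        if attrs.get("request") != "smtpd_access_policy":
            return "DUNNO"                     # not an access policy query: no opinion
        key = client_key(attrs["client_address"])
        if self.is_whitelisted(attrs, key):
            return "DUNNO"
        triplet = (key, attrs.get("sender", "").lower(), attrs.get("recipient", "").lower())
        first_seen = self.triplets.setdefault(triplet, now)
        remaining = self.delay - (now - first_seen)
        if remaining > 0:
            # DEFER_IF_PERMIT: only defer if a later restriction would have permitted,
            # so mail that is rejected anyway is not greylisted first.
            return f"DEFER_IF_PERMIT Greylisted, try again in {int(remaining)} seconds"
        self.client_passes[key] = self.client_passes.get(key, 0) + 1
        return "DUNNO"

    def handle(self, raw, now=None):
        """Full round trip: raw request text in, raw response text out."""
        return format_policy_response(self.decide(parse_policy_request(raw), now=now))


# Constructed request, in the shape Postfix sends at the RCPT stage.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "protocol_name=ESMTP\n"
    "client_address=192.0.2.10\n"
    "client_name=mail.example.net\n"
    "sender=alice@example.net\n"
    "recipient=bob@example.org\n"
    "\n"
)

if __name__ == "__main__":
    g = Greylister()
    print(g.handle(SAMPLE_REQUEST, now=1000), end="")   # deferred: first contact
    print(g.handle(SAMPLE_REQUEST, now=1300), end="")   # passes after the delay
```

It answers {{ic|DEFER_IF_PERMIT}} rather than {{ic|DEFER}} so that a sender whom a later restriction would reject anyway is not greylisted first, which is also why the lookup belongs after {{ic|reject_unauth_destination}}. To turn it into a daemon, wrap {{ic|Greylister.handle()}} in a socket server listening on the address given to {{ic|check_policy_service}}.<br />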
<br />
=== Sender Policy Framework ===<br />
<br />
To use the [[Sender Policy Framework]] with Postfix, [[install]] {{AUR|python-postfix-policyd-spf}}.<br />
<br />
Edit {{ic|/etc/python-policyd-spf/policyd-spf.conf}} to your needs. An extensively commented version can be found at {{ic|/etc/python-policyd-spf/policyd-spf.conf.commented}}.<br />
Pay extra attention to the HELO check policy, as the default settings reject on HELO failures.<br />
<br />
In {{ic|main.cf}}, set a time limit for the policy service process ({{ic|spawn}} terminates the process after this long and starts a fresh one on the next request):<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
policy-spf_time_limit = 3600s<br />
}}<br />
<br />
Then add the policy service to {{ic|master.cf}}, spawned on demand as the unprivileged {{ic|nobody}} user:<br />
<br />
{{hc|/etc/postfix/master.cf|2=<br />
policy-spf unix - n n - 0 spawn<br />
user=nobody argv=/usr/bin/policyd-spf<br />
}}<br />
<br />
Lastly, add the service to {{ic|smtpd_recipient_restrictions}}. To keep its load down, put it near the end of the list, after the cheap rejections, but before any {{ic|reject_rbl_client}} DNSBL lookups:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
smtpd_recipient_restrictions=<br />
...<br />
permit_sasl_authenticated<br />
permit_mynetworks<br />
reject_unauth_destination<br />
check_policy_service unix:private/policy-spf<br />
}}<br />
<br />
You can test your setup with the following setting; check its exact meaning in {{ic|policyd-spf.conf.commented}}, then watch the mail log and the {{ic|Received-SPF}} headers before relying on rejections:<br />
<br />
{{hc|/etc/python-policyd-spf/policyd-spf.conf|2=<br />
defaultSeedOnly = 0<br />
}}<br />
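policyd-spf evaluates the SPF record of the HELO name and of the MAIL FROM domain against the client IP and returns one of the policy actions described above. The Python code below is an added example, not policyd-spf's code: it implements that evaluation for the common mechanisms ({{ic|ip4}}, {{ic|ip6}}, {{ic|a}}, {{ic|mx}}, {{ic|include}}, {{ic|all}}) and the {{ic|redirect}} modifier over a constructed stand-in for DNS, then shows how a failing HELO or MAIL FROM check becomes a {{ic|REJECT}} while everything else is recorded in a {{ic|Received-SPF}} header. The reject-on-fail policy and all domains, records and addresses are this example's assumptions.<br />

```python
"""SPF evaluation (RFC 7208 subset) as an SPF policy daemon does it.

Added example, not policyd-spf's code. Supports ip4, ip6, a, mx, include, all and
the redirect= modifier; ptr and exists are omitted. DNS is replaced by a
constructed StaticResolver so the example runs offline.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DEPTH = 10                 # RFC 7208 limits include/redirect recursion


class StaticResolver:
    """Constructed stand-in for DNS: TXT (SPF), A/AAAA and MX data per name."""

    def __init__(self, txt=None, a=None, mx=None):
        self.txt = {k.lower(): v for k, v in (txt or {}).items()}
        self.a = {k.lower(): v for k, v in (a or {}).items()}
        self.mx = {k.lower(): v for k, v in (mx or {}).items()}


def _ip_in(ip, addresses, cidr):
    """True if ip falls in any of the addresses, optionally widened to /cidr."""
    for addr in addresses:
        net = ipaddress.ip_network(f"{addr}/{cidr}" if cidr else addr, strict=False)
        if net.version == ip.version and ip in net:
            return True
    return False


def evaluate_spf(domain, client_ip, resolver, depth=0):
    """Return pass, fail, softfail, neutral, none or permerror for client_ip."""
    if depth > MAX_DEPTH:
        return "permerror"
    record = resolver.txt.get(domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    redirect = None
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term:                               # modifier (redirect=, exp=)
            key, _, value = term.partition("=")
            if key.lower() == "redirect":
                redirect = value
            continue
        name, _, arg = term.partition(":")
        name = name.lower()
        target, _, cidr = arg.partition("/")
        target = (target or domain).lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = net.version == ip.version and ip in net
        elif name == "a":
            matched = _ip_in(ip, resolver.a.get(target, []), cidr)
        elif name == "mx":
            matched = any(_ip_in(ip, resolver.a.get(h.lower(), []), cidr)
                          for h in resolver.mx.get(target, []))
        elif name == "include":
            sub = evaluate_spf(target, client_ip, resolver, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"             # include of a domain without SPF is an error
            matched = sub == "pass"
        else:
            return "permerror"                 # ptr/exists/unknown: not handled here
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:
        result = evaluate_spf(redirect, client_ip, resolver, depth + 1)
        return "permerror" if result == "none" else result
    return "neutral"                            # nothing matched and no 'all' term


def spf_policy_action(client_ip, helo, mail_from, resolver, reject_on=("fail",)):
    """Map the HELO and MAIL FROM results to a Postfix policy action.
    reject_on is this example's policy; policyd-spf reads its own from its config."""
    helo_result = evaluate_spf(helo, client_ip, resolver)
    sender_domain = mail_from.rpartition("@")[2] or helo   # null sender: use HELO identity
    mail_result = evaluate_spf(sender_domain, client_ip, resolver)
    if mail_result in reject_on:
        return f"REJECT SPF {mail_result} for {mail_from} from {client_ip}"
    if helo_result in reject_on:
        return f"REJECT SPF {helo_result} for HELO {helo} from {client_ip}"
    return f"PREPEND Received-SPF: {mail_result} (helo={helo_result}; client-ip={client_ip})"


# Constructed zone data for the demonstration.
SAMPLE_RESOLVER = StaticResolver(
    txt={
        "example.org": "v=spf1 mx ip4:192.0.2.0/24 include:_spf.example.net -all",
        "_spf.example.net": "v=spf1 ip6:2001:db8:1::/48 ~all",
        "mail.example.org": "v=spf1 a -all",
        "legacy.example.org": "v=spf1 redirect=example.org",
    },
    a={"mail.example.org": ["192.0.2.25"], "mx2.example.org": ["198.51.100.7"]},
    mx={"example.org": ["mail.example.org", "mx2.example.org"]},
)

if __name__ == "__main__":
    print(spf_policy_action("192.0.2.25", "mail.example.org", "alice@example.org", SAMPLE_RESOLVER))
    print(spf_policy_action("203.0.113.9", "mail.example.org", "alice@example.org", SAMPLE_RESOLVER))
```

A real daemon resolves {{ic|txt}}, {{ic|a}} and {{ic|mx}} through DNS and must also enforce the lookup limit and handle {{ic|temperror}}, which is where {{ic|TempError_Defer}} in the policyd-spf configuration comes in.<br />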
<br />
=== Sender Rewriting Scheme ===<br />
<br />
To use the [[Sender Rewriting Scheme]] with Postfix, [[install]] {{AUR|postsrsd}} and adjust the settings:<br />
<br />
{{hc|/etc/postsrsd/postsrsd|2=<br />
SRS_DOMAIN=yourdomain.tld<br />
SRS_EXCLUDE_DOMAINS=yourotherdomain.tld,yet.anotherdomain.tld<br />
SRS_SEPARATOR==<br />
SRS_SECRET=/etc/postsrsd/postsrsd.secret<br />
SRS_FORWARD_PORT=10001<br />
SRS_REVERSE_PORT=10002<br />
RUN_AS=postsrsd<br />
CHROOT=/usr/lib/postsrsd<br />
}}<br />
<br />
Keep {{ic|/etc/postsrsd/postsrsd.secret}} readable only by root and the {{ic|postsrsd}} user: the hash inside every rewritten address is derived from it, and it is what stops a third party from forging SRS addresses that your server would accept and relay bounces for. [[Start/enable]] {{ic|postsrsd.service}}.<br />
Then hook the two ports into Postfix's canonical address mappings:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
sender_canonical_maps = tcp:localhost:10001<br />
sender_canonical_classes = envelope_sender<br />
recipient_canonical_maps = tcp:localhost:10002<br />
recipient_canonical_classes= envelope_recipient,header_recipient<br />
}}<br />
<br />
Finally, [[restart]] {{ic|postfix.service}}. Forwarded mail now leaves with an SRS envelope sender under {{ic|SRS_DOMAIN}}, so forwarding no longer fails SPF checks at the destination, and bounces to those addresses are mapped back to the original sender.<br />
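postsrsd answers Postfix's {{ic|tcp_table}} lookups on the two ports above: the forward port turns the original envelope sender into an SRS0 address under {{ic|SRS_DOMAIN}}, and the reverse port turns such an address back into the original sender when a bounce arrives. The HMAC embedded in the address is what lets your server tell its own SRS addresses from forged ones. The Python code below is an added example, not postsrsd's code: it implements SRS0 forward rewriting, reverse rewriting with hash and timestamp checks, and the {{ic|tcp_table}} reply format. The hash input, the 21-day maximum age and the secret are this example's choices and are not guaranteed to match postsrsd's encoding.<br />

```python
"""Sender Rewriting Scheme (SRS0) forward and reverse rewriting.

Added example, not postsrsd's code. Address layout:
    SRS0=HHHH=TT=original-domain=original-local@forwarder-domain
HHHH is a truncated HMAC over timestamp, domain and local part; TT encodes the
day the address was created. The hash input and the 21-day maximum age are this
example's choices and may not match postsrsd's exact encoding.
"""
import base64
import hashlib
import hmac
import time

BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
HASH_LEN = 4
MAX_AGE_DAYS = 21


def _today():
    return int(time.time() // 86400)


def _timestamp(days):
    """Two base32 characters encoding the day number modulo 1024."""
    ts = days % 1024
    return BASE32[(ts >> 5) & 31] + BASE32[ts & 31]


def _timestamp_days(ts):
    return (BASE32.index(ts[0]) << 5) | BASE32.index(ts[1])


def _hash(secret, *fields):
    """Truncated base64 HMAC-SHA1 over the lower-cased fields."""
    mac = hmac.new(secret, "".join(fields).lower().encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()[:HASH_LEN]


def srs_forward(sender, forwarder_domain, secret, days=None, sep="="):
    """Rewrite an envelope sender so that bounces come back to the forwarder.
    Chained forwards (SRS1) are not handled; an SRS0 address is wrapped again."""
    local, _, domain = sender.rpartition("@")
    if not domain:
        raise ValueError("sender has no domain")
    if domain.lower() == forwarder_domain.lower():
        return sender                        # local senders need no rewriting
    ts = _timestamp(_today() if days is None else days)
    h = _hash(secret, ts, domain, local)
    return f"SRS0{sep}{h}{sep}{ts}{sep}{domain}{sep}{local}@{forwarder_domain}"


def srs_reverse(address, secret, days=None, sep="=", max_age_days=MAX_AGE_DAYS):
    """Recover the original sender; refuse forged or stale addresses."""
    local = address.rpartition("@")[0]
    parts = local.split(sep, 4)
    if len(parts) != 5 or parts[0] != "SRS0":
        raise ValueError("not an SRS0 address")
    _, h, ts, domain, orig_local = parts
    if len(ts) != 2 or ts[0] not in BASE32 or ts[1] not in BASE32:
        raise ValueError("bad SRS timestamp")
    expected = _hash(secret, ts, domain, orig_local)
    if not hmac.compare_digest(h.encode(), expected.encode()):
        raise ValueError("bad SRS hash")     # forged or wrong secret: do not relay the bounce
    age = ((_today() if days is None else days) - _timestamp_days(ts)) % 1024
    if age > max_age_days:
        raise ValueError("SRS address expired")
    return f"{orig_local}@{domain}"


def tcp_table_reply(request, forwarder_domain, secret, reverse=False):
    """Answer one tcp_table(5) query ('get key') like postsrsd's two ports do.
    200 = rewritten value, 500 = leave the address as it is, 400 = error.
    Postfix %XX-encodes unusual key characters; plain addresses need no decoding."""
    verb, _, key = request.rstrip("\n").partition(" ")
    if verb != "get" or not key:
        return "400 unsupported request\n"
    try:
        result = (srs_reverse(key, secret) if reverse
                  else srs_forward(key, forwarder_domain, secret))
    except ValueError as exc:
        return f"500 {exc}\n"
    return f"200 {result}\n"


if __name__ == "__main__":
    secret = b"constructed-example-secret"
    rewritten = srs_forward("alice@example.net", "forwarder.example", secret)
    print(rewritten)
    print(srs_reverse(rewritten, secret))    # alice@example.net
```

Rejecting a bad hash is the security property that matters: without it anyone could send a message to an address of the form {{ic|1=SRS0=xxxx=xx=victim.example=user@yourdomain}} and use your server to relay it to the victim. The timestamp check bounds how long a captured address stays usable, which is why postsrsd keeps several secrets and rotates them rather than changing the secret abruptly.<br />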
<br />
== Troubleshooting ==<br />
<br />
=== Warning: "database /etc/postfix/*.db is older than source file .." ===<br />
<br />
If {{ic|journalctl}} shows one or both of these warnings<br />
<br />
warning: database /etc/postfix/virtual.db is older than source file /etc/postfix/virtual<br />
warning: database /etc/postfix/transport.db is older than source file /etc/postfix/transport<br />
<br />
then a lookup table was edited without being recompiled, and Postfix keeps using the stale {{ic|.db}} file. Rebuild the tables named in the messages<br />
<br />
postmap /etc/postfix/transport<br />
postmap /etc/postfix/virtual<br />
<br />
and [[restart]] {{ic|postfix.service}}.<br />
<br />
== See also ==<br />
<br />
* [http://www.postfix.org/documentation.html Official documentation]<br />
* [https://help.ubuntu.com/community/Postfix Postfix Ubuntu documentation]<br />
* [http://linox.be/index.php/2005/07/13/44/ Out of Office] for Squirrelmail {{Dead link|2017|08|23}}</div>Timeline.menuhttps://wiki.archlinux.org/index.php?title=Postfix_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)&diff=563373Postfix (简体中文)2019-01-15T10:27:21Z<p>Timeline.menu: fixed a typo</p>
<hr />
<div>[[Category:Mail server (简体中文)]]<br />
[[en:Postfix]]<br />
[[ja:Postfix]]<br />
{{Related articles start}}<br />
{{Related|Postfix with SASL}}<br />
{{Related|Virtual user mail system}}<br />
{{Related|OpenDMARC}}<br />
{{Related|OpenDKIM}}<br />
{{Related articles end}}<br />
{{TranslationStatus (简体中文)|Postfix|2018-12-06|558391}}<br />
[[Wikipedia:Postfix (software)|Postfix]] is a [[mail transfer agent]]. According to its [http://www.postfix.org/ official website], it:<br />
:attempts to be fast, easy to administer, and secure, while at the same time being sendmail compatible enough to not upset existing users. Thus, the outside has a sendmail-ish flavor, but the inside is completely different.<br />
<br />
This article builds on [[Mail server]]. Its goal is to set up Postfix and explain the function of the basic configuration files. Setup instructions are given for two delivery modes: local system users and virtual users.<br />
== Installation ==<br />
<br />
[[Install]] the {{Pkg|postfix}} package.<br />
<br />
== Configuration ==<br />
<br />
Refer to the developers' [http://www.postfix.org/BASIC_CONFIGURATION_README.html Postfix Basic Configuration]. The default configuration files are in {{ic|/etc/postfix}}. Two of them are particularly important:<br />
<br />
* {{ic|master.cf}}, defines which Postfix services are enabled and how clients connect to them, see {{man|5|master}}<br />
* {{ic|main.cf}}, the main configuration file, see {{man|5|postconf}}<br />
<br />
After changing the configuration, [[reload]] {{ic|postfix.service}}.<br />
<br />
=== Aliases ===<br />
<br />
See the online man page {{man|5|aliases|url=https://jlk.fjfi.cvut.cz/arch/manpages/man/postfix/aliases.5.en}}.<br />
<br />
Aliases (sometimes called forwarders) are defined in {{ic|/etc/postfix/aliases}}.<br />
<br />
You should map all mail addressed to ''root'' to another account, since reading mail as root is not a good idea.<br />
<br />
Uncomment the following line and replace {{ic|you}} with the account you actually use:<br />
root: you<br />
<br />
Once you have edited {{ic|/etc/postfix/aliases}}, run:<br />
postalias /etc/postfix/aliases<br />
For later changes you can use:<br />
newaliases<br />
<br />
{{Tip|Alternatively, create a {{ic|~/.forward}} file for the root user, i.e. {{ic|/root/.forward}}, naming the user root's mail should be forwarded to, e.g. ''user@localhost''.<br />
<br />
{{hc|/root/.forward|<br />
user@localhost<br />
}}<br />
<br />
}}<br />
<br />
=== Local mail ===<br />
<br />
To deliver mail only to local system users (those listed in {{ic|/etc/passwd}}), update the following lines in {{ic|/etc/postfix/main.cf}} (uncomment, change or add them):<br />
<br />
myhostname = localhost<br />
mydomain = localdomain<br />
mydestination = $myhostname, localhost.$mydomain, $mydomain<br />
inet_interfaces = $myhostname, localhost<br />
mynetworks_style = host<br />
default_transport = error: outside mail is not deliverable<br />
<br />
Leave all other settings unchanged. Restricting {{ic|inet_interfaces}} to localhost keeps the server off the network, and the {{ic|error:}} transport makes any attempt to send outside mail fail immediately instead of queueing. After this you may want to configure some [[#Aliases]], then [[#Start Postfix]].<br />
<br />
=== Virtual mail ===<br />
With virtual mail, accounts are not stored in the system's {{ic|/etc/passwd}}; a database can be used to store them instead.<br />
<br />
See [[Virtual user mail system with Postfix, Dovecot and Roundcube (简体中文)]] for a detailed setup guide.<br />
<br />
=== Check configuration ===<br />
<br />
Run {{ic|postfix check}} to verify the configuration. It reports anything you may have written incorrectly in the configuration files.<br />
<br />
Run {{ic|postconf}} to display all settings, or {{ic|postconf -n}} to show only those that differ from the defaults.<br />
<br />
== Start Postfix ==<br />
<br />
{{Note|Even if you did not set up any [[#Aliases]], you must run {{ic|newaliases}} at least once for Postfix to work properly.}}<br />
[[Start/enable]] {{ic|postfix.service}}.<br />
<br />
== TLS ==<br />
<br />
{{Warning|If you deploy [[Wikipedia:TLS|TLS]], be sure to follow [https://weakdh.org/sysadmin.html weakdh.org's guide] to prevent FREAK/Logjam. Since mid-2015, the default settings have been safe against [[Wikipedia:POODLE|POODLE]]. For more information see [[Server-side TLS]].}}<br />
<br />
You need to [[obtain a certificate]].<br />
<br />
For more information, see [http://www.postfix.org/TLS_README.html Postfix TLS Support].<br />
<br />
=== Secure SMTP (sending) ===<br />
<br />
By default, the Postfix SMTP client sends mail to other servers in plain text. To use TLS whenever the remote server offers it (opportunistic TLS), add the following line to {{ic|main.cf}}:<br />
{{hc|/etc/postfix/main.cf|2=<br />
smtp_tls_security_level = may<br />
}}<br />
<br />
To ''enforce'' TLS (and fail when the remote server does not support it), change {{ic|may}} to {{ic|encrypt}}. Note, however, that this violates [[RFC:2487]] if the SMTP server is publicly referenced. Neither {{ic|may}} nor {{ic|encrypt}} verifies the remote certificate, so they protect against passive eavesdropping only; to enforce TLS or certificate verification for selected destinations, use a per-destination {{ic|smtp_tls_policy_maps}} table as described in [http://www.postfix.org/TLS_README.html Postfix TLS Support].<br />
<br />
=== Secure SMTP (receiving) ===<br />
<br />
{{Out of date|Port 465 has been reinstated for SMTPS by [[RFC:8314]].}}<br />
<br />
By default, the Postfix SMTP server does not offer TLS.<br />
<br />
To offer STARTTLS on the server side (on port 25 for incoming mail and on the submission port 587 for your own users), add the following lines to {{ic|main.cf}}:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
smtpd_tls_security_level = may<br />
smtpd_tls_cert_file = '''/path/to/cert.pem'''<br />
smtpd_tls_key_file = '''/path/to/key.pem'''<br />
}}<br />
<br />
In {{ic|master.cf}}, find and uncomment the following lines to enable the service on that port with the correct settings:<br />
<br />
{{hc|/etc/postfix/master.cf|2=<br />
submission inet n - n - - smtpd<br />
-o syslog_name=postfix/submission<br />
-o smtpd_tls_security_level=encrypt<br />
-o smtpd_sasl_auth_enable=yes<br />
-o smtpd_tls_auth_only=yes<br />
-o smtpd_reject_unlisted_recipient=no<br />
# -o smtpd_client_restrictions=$mua_client_restrictions<br />
# -o smtpd_helo_restrictions=$mua_helo_restrictions<br />
# -o smtpd_sender_restrictions=$mua_sender_restrictions<br />
-o smtpd_recipient_restrictions=<br />
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject<br />
-o milter_macro_daemon_name=ORIGINATING<br />
}}<br />
The {{ic|smtpd_*_restrictions}} options remain commented because {{ic|$mua_*_restrictions}} are not defined in main.cf by default. If you do decide to set any of {{ic|$mua_*_restrictions}}, uncomment those lines too.<br />
<br />
If you also want to accept implicit TLS on port 465 (SMTPS), follow the next section.<br />
<br />
==== SMTPS (port 465) ====<br />
<br />
In ''wrapper mode'' the TLS handshake takes place immediately on connect instead of after a STARTTLS command, so no plaintext is exchanged at all. It uses the {{ic|smtps}} service on port 465, which was long considered deprecated but was reinstated by [[RFC:8314]] as the recommended way for mail clients to submit mail.<br />
<br />
To enable it, uncomment the following lines in {{ic|master.cf}}:<br />
<br />
{{hc|/etc/postfix/master.cf|<nowiki><br />
smtps inet n - n - - smtpd<br />
-o syslog_name=postfix/smtps<br />
-o smtpd_tls_wrappermode=yes<br />
-o smtpd_sasl_auth_enable=yes<br />
-o smtpd_reject_unlisted_recipient=no<br />
# -o smtpd_client_restrictions=$mua_client_restrictions<br />
# -o smtpd_helo_restrictions=$mua_helo_restrictions<br />
# -o smtpd_sender_restrictions=$mua_sender_restrictions<br />
-o smtpd_recipient_restrictions=<br />
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject<br />
-o milter_macro_daemon_name=ORIGINATING<br />
</nowiki>}}<br />
<br />
The rationale surrounding the {{ic|$smtpd_*_restrictions}} lines is the same as above.<br />
<br />
After this, verify that port 465 is defined in {{ic|/etc/services}}:<br />
smtps 465/tcp # Secure SMTP<br />
smtps 465/udp # Secure SMTP<br />
<br />
If the lines are missing, add them (replacing any other entry for port 465). Recent versions of the file may list the port under the name {{ic|submissions}}, the name assigned by [[RFC:8314]]; in that case you can instead use that name for the service in {{ic|master.cf}}. If the service name Postfix looks up does not resolve, Postfix will not start and logs:<br />
<br />
''postfix/master[5309]: fatal: 0.0.0.0:smtps: Servname not supported for ai_socktype''<br />
<br />
== Tips and tricks ==<br />
<br />
=== Blacklist incoming emails ===<br />
<br />
Manually blacklisting incoming mail by sender address is easy with Postfix. Keep in mind, though, that the envelope sender is chosen by the sending client and is trivially forged, so such a list only stops senders who do not bother to evade it; it is no substitute for DNSBLs, SPF checks or greylisting.<br />
<br />
Create {{ic|/etc/postfix/blacklist_incoming}} with one sender address per line, followed by the action:<br />
<br />
user@example.com REJECT<br />
<br />
Then build the lookup table with {{ic|postmap}}:<br />
<br />
# postmap hash:/etc/postfix/blacklist_incoming<br />
<br />
Add a {{ic|check_sender_access}} lookup to {{ic|smtpd_recipient_restrictions}} in {{ic|main.cf}}, before the first permit rule, so that blacklisted senders are rejected regardless of what follows (if you already have a restriction list, prepend the lookup to it):<br />
<br />
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/blacklist_incoming<br />
<br />
Finally [[restart]] {{ic|postfix.service}}.<br />
<br />
===Hide the sender's IP and user agent in the Received header===<br />
This is mostly a privacy concern: when you send mail from a client such as Thunderbird through your server, the Received header that Postfix adds records your LAN or WAN IP address, and the User-Agent header reveals which client you use.<br />
(Original source: [http://askubuntu.com/questions/78163/when-sending-email-with-postfix-how-can-i-hide-the-senders-ip-and-username-in AskUbuntu])<br />
The goal is to strip these headers from outgoing mail. Note that {{ic|smtp_header_checks}} is applied to every message the Postfix SMTP client delivers, not only to mail submitted by your own users, so the rules below also drop the Received headers of relayed mail, which makes loops and abuse harder to trace. Proceed as follows:<br />
<br />
Add the following line to {{ic|main.cf}}:<br />
<br />
smtp_header_checks = regexp:/etc/postfix/smtp_header_checks<br />
<br />
Create {{ic|/etc/postfix/smtp_header_checks}} with this content:<br />
<br />
/^Received: .*/ IGNORE<br />
/^User-Agent: .*/ IGNORE<br />
<br />
Finally, [[restart]] {{ic|postfix.service}}.<br />
<br />
=== Postfix in a chroot jail ===<br />
Postfix is not put in a chroot jail by default. The Postfix documentation [http://www.postfix.org/BASIC_CONFIGURATION_README.html#chroot_setup] explains how to set one up. The steps are outlined below and are based on the chroot-setup script shipped with the Postfix source code.<br />
<br />
First, open {{ic|/etc/postfix/master.cf}} and change the chroot column to {{ic|y}} for all services except {{ic|qmgr}}, {{ic|proxymap}}, {{ic|proxywrite}}, {{ic|local}} and {{ic|virtual}}; {{ic|pipe}}-based services, which must run external commands, cannot be chrooted either.<br />
<br />
Second, define a helper that copies files matching a pattern into the jail (used in the last step). The snippets below are meant to be run together as one script: {{ic|set -e}} and {{ic|exit}} would otherwise terminate an interactive shell.<br />
CP="cp -p"<br />
<br />
cond_copy() {<br />
# find files as per pattern in $1<br />
# if any, copy to directory $2<br />
dir=`dirname "$1"`<br />
pat=`basename "$1"`<br />
lr=`find "$dir" -maxdepth 1 -name "$pat"`<br />
if test ! -d "$2" ; then exit 1 ; fi<br />
if test "x$lr" != "x" ; then $CP $1 "$2" ; fi<br />
}<br />
<br />
Next, make the new directories for the jail:<br />
set -e<br />
umask 022<br />
<br />
POSTFIX_DIR=${POSTFIX_DIR-/var/spool/postfix}<br />
cd ${POSTFIX_DIR}<br />
<br />
mkdir -p etc lib usr/lib/zoneinfo<br />
test -d /lib64 && mkdir -p lib64<br />
<br />
Find the localtime file<br />
lt=/etc/localtime<br />
if test ! -f $lt ; then lt=/usr/lib/zoneinfo/localtime ; fi<br />
if test ! -f $lt ; then lt=/usr/share/zoneinfo/localtime ; fi<br />
if test ! -f $lt ; then echo "cannot find localtime" ; exit 1 ; fi<br />
rm -f etc/localtime<br />
<br />
Copy localtime and some other system files into the chroot's etc<br />
$CP -f $lt /etc/services /etc/resolv.conf /etc/nsswitch.conf etc<br />
$CP -f /etc/host.conf /etc/hosts /etc/passwd etc<br />
ln -s -f /etc/localtime usr/lib/zoneinfo<br />
<br />
Copy required libraries into the chroot using the previously created function {{ic|cond_copy}}<br />
cond_copy '/usr/lib/libnss_*.so*' lib<br />
cond_copy '/usr/lib/libresolv.so*' lib<br />
cond_copy '/usr/lib/libdb.so*' lib<br />
<br />
Finally, [[reload]] {{ic|postfix.service}}.<br />
<br />
<br />
</div>Timeline.menuhttps://wiki.archlinux.org/index.php?title=Virtual_user_mail_system_with_Postfix,_Dovecot_and_Roundcube_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)&diff=563372Virtual user mail system with Postfix, Dovecot and Roundcube (简体中文)2019-01-15T10:14:07Z<p>Timeline.menu: finished translating section 2.3</p>
<hr />
<div>[[Category:Mail server (简体中文)]]<br />
[[en:Virtual user mail system with Postfix, Dovecot and Roundcube]]<br />
[[ja:仮想ユーザーメールシステム]]<br />
{{Related articles start}}<br />
{{Related|Courier MTA}}<br />
{{Related|OpenDKIM}}<br />
{{Related|Postfix}}<br />
{{Related|SOGo}}<br />
{{Related articles end}}<br />
{{Merge|Postfix|This article overlaps with [[Postfix]], [[Dovecot]] and [[Roundcube]], e.g. in some of the configuration snippets.}}<br />
<br />
This article describes how to set up a mail system using virtual users, that is, senders and recipients that are not Linux system users (they do not exist in {{ic|/etc/passwd}}).<br />
<br />
In short, [[Postfix (简体中文)|Postfix]] provides mail transport, [[Dovecot]] provides IMAP access, [[Roundcube]] serves as the web front end, and [[PostfixAdmin]] is the administration interface that ties the system together.<br />
<br />
The solution presented here lets you use current security mechanisms: you will be able to send mail via SMTP and SMTPS and receive it via POP3, POP3S, IMAP and IMAPS. Thanks to PostfixAdmin, configuration is easy, and users can log in with Roundcube.<br />
<br />
== Installation ==<br />
Before you start, you need a working [[MySQL (简体中文)|MySQL]] and [[Postfix (简体中文)|Postfix]] installation, set up as described on the linked pages.<br />
<br />
[[Install]] the {{Pkg|dovecot}} and {{Pkg|roundcubemail}} packages.<br />
<br />
== Configuration ==<br />
=== User ===<br />
For security reasons, create a new user to store the mail:<br />
# groupadd -g 5000 vmail<br />
# useradd -u 5000 -g vmail -s /usr/bin/nologin -d /home/vmail -m vmail<br />
A gid and uid of 5000 is used for both so that they do not conflict with regular users. All your mail will be stored in {{ic|/home/vmail}}. You can also change the home directory to one of your own choosing, such as {{ic|/var/mail/vmail}}, but note that every configuration below must then be adjusted accordingly.<br />
<br />
=== Database ===<br />
You need to create an empty database and a corresponding user. In this article, the user ''postfix_user'' has read/write access to the database ''postfix_db'', and its password is set to ''hunter2''. You have to create the database and the user yourself and grant them the appropriate permissions. The commands are listed below:<br />
<br />
{{hc|$ mysql -u root -p|<br />
CREATE DATABASE postfix_db;<br />
GRANT ALL ON postfix_db.* TO 'postfix_user'@'localhost' IDENTIFIED BY 'hunter2';<br />
FLUSH PRIVILEGES;<br />
}}<br />
<br />
{{Note|The steps for installing MySQL are not listed here; if needed, see [[MySQL (简体中文)|MySQL]].}}<br />
<br />
Now you can go to PostfixAdmin's setup page, let PostfixAdmin create the required tables, and create the users there.<br />
<br />
==== Using PostfixAdmin ====<br />
<br />
See [[PostfixAdmin]].<br />
<br />
=== SSL certificate ===<br />
You will need an SSL certificate to encrypt mail communications (SMTPS/IMAPS/POP3S). If you do not have one, create one:<br />
# cd /etc/ssl/private/<br />
# openssl req -new -x509 -nodes -newkey rsa:4096 -keyout vmail.key -out vmail.crt -days 1460 #days are optional<br />
# chmod 400 vmail.key<br />
# chmod 444 vmail.crt<br />
<br />
Alternatively, create a free trusted certificate with [[Let's Encrypt]]. The private key will be generated in {{ic|/etc/letsencrypt/live/''yourdomain''/privkey.pem}} and the certificate in {{ic|/etc/letsencrypt/live/''yourdomain''/fullchain.pem}}. Either change the configuration accordingly, or symlink the keys into {{ic|/etc/ssl/private}}:<br />
# ln -s /etc/letsencrypt/live/''yourdomain''/privkey.pem /etc/ssl/private/vmail.key<br />
# ln -s /etc/letsencrypt/live/''yourdomain''/fullchain.pem /etc/ssl/private/vmail.crt<br />
<br />
=== Postfix ===<br />
<br />
Before you copy & paste the configuration below, check whether {{ic|relay_domains}} has already been set. If you leave more than one definition active, you will receive warnings at runtime.<br />
<br />
{{Warning|{{ic|<nowiki>relay_domains</nowiki>}} can be dangerous. You usually do not want Postfix to forward mail of strangers. {{ic|<nowiki>$mydestination</nowiki>}} is a sane default value. Double check its value before running postfix! See http://www.postfix.org/BASIC_CONFIGURATION_README.html#relay_to}} <br />
<br />
Also follow [[Postfix#Secure SMTP (receiving)]] pointing to the files you created in [[#SSL certificate]].<br />
<br />
==== Setting up Postfix ====<br />
<br />
To {{ic|/etc/postfix/main.cf}} append:<br />
relay_domains = $mydestination<br />
virtual_alias_maps = proxy:mysql:/etc/postfix/virtual_alias_maps.cf<br />
virtual_mailbox_domains = proxy:mysql:/etc/postfix/virtual_mailbox_domains.cf<br />
virtual_mailbox_maps = proxy:mysql:/etc/postfix/virtual_mailbox_maps.cf<br />
virtual_mailbox_base = /home/vmail<br />
virtual_mailbox_limit = 512000000<br />
virtual_minimum_uid = 5000<br />
virtual_transport = virtual<br />
virtual_uid_maps = static:5000<br />
virtual_gid_maps = static:5000<br />
local_transport = virtual<br />
local_recipient_maps = $virtual_mailbox_maps<br />
transport_maps = hash:/etc/postfix/transport<br />
<br />
smtpd_sasl_auth_enable = yes<br />
smtpd_sasl_type = dovecot<br />
smtpd_sasl_path = /var/run/dovecot/auth-client<br />
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination<br />
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination<br />
smtpd_sasl_security_options = noanonymous<br />
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options<br />
smtpd_tls_security_level = may<br />
smtpd_tls_auth_only = yes<br />
smtpd_tls_received_header = yes<br />
smtpd_tls_cert_file = /etc/ssl/private/vmail.crt<br />
smtpd_tls_key_file = /etc/ssl/private/vmail.key<br />
smtpd_sasl_local_domain = $mydomain<br />
broken_sasl_auth_clients = yes<br />
smtpd_tls_loglevel = 1<br />
smtp_tls_security_level = may<br />
smtp_tls_loglevel = 1<br />
<br />
* In the configuration above {{ic|virtual_mailbox_domains}} is a list of the domains that you want to receive mail for. This CANNOT contain the domain that is set in {{ic|mydestination}}. That is why we left {{ic|mydestination}} to be localhost only.<br />
<br />
* {{ic|virtual_mailbox_maps}} will contain the information of virtual users and their mailbox locations. We are using a hash file to store the more permanent maps, and these will then override the forwards in the MySQL database.<br />
<br />
* {{ic|virtual_mailbox_base}} is the base directory where the virtual mailboxes will be stored.<br />
<br />
The {{ic|virtual_uid_maps}} and {{ic|virtual_gid_maps}} are the real system user IDs that the virtual mails will be owned by. This is for storage purposes. <br />
<br />
{{note|Since we will be using a web interface (Roundcube), and do not want people accessing this by any other means, we will be creating this account later without providing any login access.}}<br />
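The settings above are where an open relay or a plaintext login would be introduced, so here is an added example (not from the wiki article) of a small audit script: it parses main.cf, expands {{ic|$variable}} references the way Postfix does, and flags {{ic|relay_domains}} wider than {{ic|$mydestination}}, a missing {{ic|reject_unauth_destination}}, and SASL allowed outside TLS. The sample configuration embedded in it is constructed from the fragment above plus a localhost-only {{ic|mydestination}}.

```python
"""Audit the security-relevant settings in a Postfix main.cf.

Added example, not from the wiki article: it parses main.cf's
"key = value" format, expands $variable references the way Postfix
does, and flags the conditions the article warns about: relay_domains
wider than $mydestination (open relay), missing reject_unauth_destination,
and SASL logins allowed outside TLS.
"""
import re

# Constructed sample: the article's main.cf fragment, plus the
# localhost-only mydestination the article assumes.
SAMPLE_MAIN_CF = """\
# comment lines and blank lines are ignored
mydestination = localhost
relay_domains = $mydestination
virtual_mailbox_domains = proxy:mysql:/etc/postfix/virtual_mailbox_domains.cf
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
"""

_VAR_REF = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


def parse_main_cf(text):
    """Return {name: raw value}; a later assignment overrides an earlier one.

    A line that starts with whitespace continues the previous value,
    exactly as in Postfix's main.cf syntax.
    """
    settings = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            settings[current] += " " + raw.strip()
            continue
        if "=" not in raw:
            continue  # not an assignment; Postfix itself would warn here
        name, _, value = raw.partition("=")
        current = name.strip()
        settings[current] = value.strip()
    return settings


def resolve(settings, name, _depth=0):
    """Expand $name and ${name} references; an unset name expands to ''."""
    value = settings.get(name, "")
    if _depth > 10:  # guard against a reference cycle such as a = $a
        return value
    return _VAR_REF.sub(lambda m: resolve(settings, m.group(1), _depth + 1), value)


def split_list(value):
    """Postfix list values are separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def audit(settings):
    """Return the list of findings; an empty list means all checks passed."""
    findings = []
    relay = set(split_list(resolve(settings, "relay_domains")))
    if relay - set(split_list(resolve(settings, "mydestination"))):
        findings.append("relay_domains lists domains outside $mydestination")

    # Postfix needs reject_unauth_destination in at least one of these two.
    restrictions = set()
    for name in ("smtpd_relay_restrictions", "smtpd_recipient_restrictions"):
        restrictions.update(split_list(resolve(settings, name)))
    if not restrictions & {"reject_unauth_destination", "defer_unauth_destination"}:
        findings.append("no reject_unauth_destination in smtpd_relay_restrictions "
                        "or smtpd_recipient_restrictions")

    # SASL credentials must only travel inside TLS and never anonymously.
    if resolve(settings, "smtpd_sasl_auth_enable") == "yes":
        if resolve(settings, "smtpd_tls_auth_only") != "yes":
            findings.append("SASL enabled but smtpd_tls_auth_only is not yes")
        if resolve(settings, "smtpd_tls_security_level") not in ("may", "encrypt"):
            findings.append("SASL enabled but smtpd_tls_security_level offers no TLS")
        if "noanonymous" not in split_list(resolve(settings, "smtpd_sasl_security_options")):
            findings.append("smtpd_sasl_security_options lacks noanonymous")
    return findings


if __name__ == "__main__":
    for line in audit(parse_main_cf(SAMPLE_MAIN_CF)) or ["no findings"]:
        print(line)
```

Run it against the real file with `audit(parse_main_cf(open("/etc/postfix/main.cf").read()))`; it does not evaluate lookup tables or the `postconf` defaults, so an unset {{ic|mydestination}} expands to empty rather than to Postfix's built-in default.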
<br />
==== Create the file structure ====<br />
<br />
Those new additional settings reference a lot of files that do not even exist yet. We will create them with the following steps.<br />
<br />
If you were setting up your database with PostfixAdmin and created the database schema through PostfixAdmin, you can create the following files. Do not forget to change the password:<br />
<br />
{{hc|/etc/postfix/virtual_alias_maps.cf|<nowiki><br />
user = postfix_user<br />
password = hunter2<br />
hosts = localhost<br />
dbname = postfix_db<br />
table = alias<br />
select_field = goto<br />
where_field = address<br />
</nowiki>}}<br />
<br />
{{hc|/etc/postfix/virtual_mailbox_domains.cf|<nowiki><br />
user = postfix_user<br />
password = hunter2<br />
hosts = localhost<br />
dbname = postfix_db<br />
table = domain<br />
select_field = domain<br />
where_field = domain<br />
</nowiki>}}<br />
<br />
{{hc|/etc/postfix/virtual_mailbox_maps.cf|<nowiki><br />
user = postfix_user<br />
password = hunter2<br />
hosts = localhost<br />
dbname = postfix_db<br />
table = mailbox<br />
select_field = maildir<br />
where_field = username<br />
</nowiki>}}<br />
<br />
For alias domains functionality adjust the following files:<br />
<br />
{{hc|/etc/postfix/main.cf|<nowiki><br />
virtual_alias_maps = proxy:mysql:/etc/postfix/virtual_alias_maps.cf,proxy:mysql:/etc/postfix/virtual_alias_domains_maps.cf<br />
virtual_alias_domains = proxy:mysql:/etc/postfix/virtual_alias_domains.cf<br />
</nowiki>}}<br />
<br />
{{hc|/etc/postfix/virtual_alias_domains_maps.cf|<nowiki><br />
user = postfix_user<br />
password = hunter2<br />
hosts = localhost<br />
dbname = postfix_db<br />
query = SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' and alias.address = CONCAT('%u', '@', alias_domain.target_domain) AND alias.active = 1 AND alias_domain.active='1'<br />
</nowiki>}}<br />
<br />
{{hc|/etc/postfix/virtual_alias_domains.cf|<nowiki><br />
user = postfix_user<br />
password = hunter2<br />
hosts = localhost<br />
dbname = postfix_db<br />
query = SELECT alias_domain FROM alias_domain WHERE alias_domain='%s' AND active = '1'<br />
</nowiki>}}<br />
<br />
{{Note | For setups without using PostfixAdmin, create the following files.}}<br />
<br />
{{hc|/etc/postfix/virtual_alias_maps.cf|<nowiki><br />
user = postfix_user<br />
password = hunter2<br />
hosts = localhost<br />
dbname = postfix_db<br />
table = domains<br />
select_field = virtual<br />
where_field = domain<br />
</nowiki>}}<br />
<br />
{{hc|/etc/postfix/virtual_mailbox_domains.cf|<nowiki><br />
user = postfix_user<br />
password = hunter2<br />
hosts = localhost<br />
dbname = postfix_db<br />
table = forwardings<br />
select_field = destination<br />
where_field = source<br />
</nowiki>}}<br />
<br />
{{hc|/etc/postfix/virtual_mailbox_maps.cf|<nowiki><br />
user = postfix_user<br />
password = hunter2<br />
hosts = localhost<br />
dbname = postfix_db<br />
table = users<br />
select_field = concat(domain,'/',email,'/')<br />
where_field = email<br />
</nowiki>}}<br />
<br />
Run ''postmap'' on ''transport'' to generate its db:<br />
# postmap /etc/postfix/transport<br />
<br />
=== Dovecot ===<br />
<br />
Instead of using the provided Dovecot example config file, we'll create our own {{ic|/etc/dovecot/dovecot.conf}}. Please note that the user and group here might be vmail '''instead of postfix'''!<br />
<br />
{{hc|/etc/dovecot/dovecot.conf|<nowiki><br />
protocols = imap pop3<br />
auth_mechanisms = plain<br />
passdb {<br />
driver = sql<br />
args = /etc/dovecot/dovecot-sql.conf<br />
}<br />
userdb {<br />
driver = sql<br />
args = /etc/dovecot/dovecot-sql.conf<br />
}<br />
<br />
service auth {<br />
unix_listener auth-client {<br />
group = postfix<br />
mode = 0660<br />
user = postfix<br />
}<br />
user = root<br />
}<br />
<br />
mail_home = /home/vmail/%d/%n<br />
mail_location = maildir:~<br />
<br />
ssl_cert = </etc/ssl/private/vmail.crt<br />
ssl_key = </etc/ssl/private/vmail.key<br />
</nowiki>}}<br />
<br />
{{note|If you instead want to modify {{ic|dovecot.conf.sample}}, beware that the default configuration file imports the content of {{ic|conf.d/*.conf}}. Those files call other files that aren't present in our configuration.}}<br />
<br />
Now we create {{ic|/etc/dovecot/dovecot-sql.conf}}, which we just referenced in the config above. Use the following contents and check that everything is set according to your system's configuration.<br />
<br />
If you used PostfixAdmin, then you add the following:<br />
<br />
{{hc|/etc/dovecot/dovecot-sql.conf|<nowiki><br />
driver = mysql<br />
connect = host=localhost dbname=postfix_db user=postfix_user password=hunter2<br />
# It is highly recommended to not use deprecated MD5-CRYPT. Read more at http://wiki2.dovecot.org/Authentication/PasswordSchemes<br />
default_pass_scheme = SHA512-CRYPT<br />
# Get the mailbox<br />
user_query = SELECT '/home/vmail/%d/%n' as home, 'maildir:/home/vmail/%d/%n' as mail, 5000 AS uid, 5000 AS gid, concat('dirsize:storage=', quota) AS quota FROM mailbox WHERE username = '%u' AND active = '1'<br />
# Get the password<br />
password_query = SELECT username as user, password, '/home/vmail/%d/%n' as userdb_home, 'maildir:/home/vmail/%d/%n' as userdb_mail, 5000 as userdb_uid, 5000 as userdb_gid FROM mailbox WHERE username = '%u' AND active = '1'<br />
# If using client certificates for authentication, comment the above and uncomment the following<br />
#password_query = SELECT null AS password, '%u' AS user<br />
</nowiki>}}<br />
<br />
Without having used PostfixAdmin you can use:<br />
<br />
{{hc|/etc/dovecot/dovecot-sql.conf|<nowiki><br />
driver = mysql<br />
connect = host=localhost dbname=postfix_db user=postfix_user password=hunter2<br />
# It is highly recommended to not use deprecated MD5-CRYPT. Read more at http://wiki2.dovecot.org/Authentication/PasswordSchemes<br />
default_pass_scheme = SHA512-CRYPT<br />
# Get the mailbox<br />
user_query = SELECT '/home/vmail/%d/%n' as home, 'maildir:/home/vmail/%d/%n' as mail, 5000 AS uid, 5000 AS gid, concat('dirsize:storage=', quota) AS quota FROM users WHERE email = '%u'<br />
# Get the password<br />
password_query = SELECT email as user, password, '/home/vmail/%d/%n' as userdb_home, 'maildir:/home/vmail/%d/%n' as userdb_mail, 5000 as userdb_uid, 5000 as userdb_gid FROM users WHERE email = '%u'<br />
# If using client certificates for authentication, comment the above and uncomment the following<br />
#password_query = SELECT null AS password, '%u' AS user<br />
</nowiki>}}<br />
<br />
{{Tip|Visit http://wiki2.dovecot.org/Variables to learn more about Dovecot variables.}}<br />
<br />
==== DH parameters ====<br />
<br />
Since Dovecot v2.3 you are required to provide {{ic|1=ssl_dh = </path/to/dh.pem}} yourself.<br />
<br />
To generate a new DH parameters file (this takes a long time):<br />
<br />
# openssl dhparam -out /etc/dovecot/dh.pem 4096<br />
<br />
then add the file to {{ic|/etc/dovecot/dovecot.conf}}<br />
<br />
ssl_dh = </etc/dovecot/dh.pem<br />
<br />
=== PostfixAdmin ===<br />
See [[PostfixAdmin]].<br />
<br />
Note: To match the configuration in this article, {{ic|config.inc.php}} should contain the following.<br />
<br />
# /etc/webapps/postfixadmin/config.inc.php<br />
...<br />
$CONF['domain_path'] = 'YES';<br />
$CONF['domain_in_mailbox'] = 'NO';<br />
...<br />
<br />
=== Roundcube ===<br />
<br />
Make sure that both {{ic|1=extension=pdo_mysql}} and {{ic|1=extension=iconv}} are uncommented in your {{ic|php.ini}} file. Also check the {{ic|.htaccess}} for access restrictions. Assuming that localhost is your current host, navigate a browser to {{ic|http://localhost/roundcube/installer/}} and follow the instructions. <br />
<br />
Roundcube needs a separate database to work. You should not use the same database for Roundcube and PostfixAdmin. Create a second database {{ic|roundcube_db}} and a new user named {{ic|roundcube_user}}.<br />
<br />
While running the installer ...<br />
<br />
* For the address of the IMAP host, use {{ic|ssl://localhost/}} or {{ic|tls://localhost/}} and not just {{ic|localhost}}. <br />
* Use port {{ic|993}}. Likewise with SMTP. <br />
* For the address of the SMTP host, use {{ic|tls://localhost/}} and port {{ic|587}} if you used the proper TLS mode. <br />
: (use {{ic|ssl://localhost/}} with port {{ic|465}} if you used the wrapper mode)<br />
* See [[#Postfix]] for an explanation on that.<br />
<br />
The post-install process is similar to any other web app such as [[PhpMyAdmin]] or PostfixAdmin. The configuration file is {{ic|/etc/webapps/roundcubemail/config/config.inc.php}}, which overrides {{ic|default.inc.php}}.<br />
<br />
==== Apache configuration ====<br />
<br />
If you are using Apache, copy the example configuration file to your webserver configuration directory.<br />
<br />
# cp /etc/webapps/roundcubemail/apache.conf /etc/httpd/conf/extra/httpd-roundcubemail.conf<br />
<br />
Add the following line in<br />
<br />
{{hc|/etc/httpd/conf/httpd.conf|<nowiki><br />
Include conf/extra/httpd-roundcubemail.conf<br />
</nowiki>}}<br />
<br />
==== Roundcube: Change Password Plugin ====<br />
<br />
To let users change their passwords from within Roundcube, do the following:<br />
<br />
Enable the password plugin by adding this line to<br />
<br />
{{hc|/etc/webapps/roundcubemail/config/config.inc.php|<nowiki><br />
$config['plugins'] = array('password');<br />
</nowiki>}}<br />
<br />
Configure the password plugin and make sure you alter the settings accordingly:<br />
<br />
{{hc|/usr/share/webapps/roundcubemail/plugins/password/config.inc.php|<nowiki><br />
$config['password_driver'] = 'sql';<br />
$config['password_db_dsn'] = 'mysql://<postfix_database_user>:<password>@localhost/<postfix_database_name>';<br />
// for dovecot salted passwords only<br />
// $config['password_dovecotpw'] = 'doveadm pw';<br />
// $config['password_dovecotpw_method'] = 'SHA512-CRYPT';<br />
// $config['password_dovecotpw_with_method'] = true;<br />
$config['password_query'] = 'UPDATE mailbox SET password=%c WHERE username=%u';<br />
</nowiki>}}<br />
<br />
== Fire it up ==<br />
All necessary daemons should be started in order to test the configuration. [[Start]] both {{ic|postfix}} and {{ic|dovecot}}.<br />
<br />
Now, for testing purposes, create a domain and a mail account in PostfixAdmin. Try to log in to this account using Roundcube, then send yourself a mail.<br />
<br />
== Testing ==<br />
<br />
{{Style|Needs some cleanup. There are probably more general ways to write this.}}<br />
<br />
Now let's see whether Postfix is going to deliver mail for our test user.<br />
{{bc|<br />
nc servername 25<br />
helo testmail.org<br />
mail from:<test@testmail.org><br />
rcpt to:<cactus@virtualdomain.tld><br />
data<br />
This is a test email.<br />
.<br />
quit<br />
}}<br />
<br />
=== Error response ===<br />
<br />
451 4.3.0 <lisi@test.com>:Temporary lookup failure<br />
You may have entered the wrong user/password for MySQL, or the MySQL socket is not where Postfix expects it.<br />
<br />
This error also occurs if you neglect to run newaliases at least once before starting Postfix. MySQL is not required for local-only use of Postfix.<br />
<br />
550 5.1.1 <email@spam.me>: Recipient address rejected: User unknown in virtual mailbox table.<br />
Double-check the contents of mysql_virtual_mailboxes.cf and the {{ic|mydestination}} setting in main.cf.<br />
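The manual {{ic|nc}} session and the two error responses above, as an added example that is not part of the original article: a Python client that performs the same HELO/MAIL FROM/RCPT TO exchange against a server of your choosing, then sends RSET and QUIT instead of DATA so nothing is queued, and translates the RCPT TO reply code into the hint given above. The stand-in server bundled with it, the hint wording and the {{ic|tempfail.test}} domain are constructed for the self-test only.

```python
"""Probe whether Postfix will accept mail for a virtual recipient.

Added example, not part of the wiki article: it performs the SMTP
exchange the article does by hand with nc (HELO, MAIL FROM, RCPT TO)
but sends RSET and QUIT instead of DATA, so nothing is queued, and it
maps the reply codes from the "Error response" section to the hints
given there. The stand-in server below is constructed for the
self-test only; point probe_recipient() at the real server to use it.
"""
import smtplib
import socketserver
import threading

# Hints for the two reply codes the article's "Error response" section explains.
HINTS = {
    451: "temporary lookup failure: check the MySQL user/password and socket "
         "path, and that newaliases was run before starting postfix",
    550: "recipient rejected: check virtual_mailbox_maps.cf and mydestination in main.cf",
}


def probe_recipient(host, port, sender, recipient, helo="testmail.org"):
    """Return (code, hint) for RCPT TO; 250 means the recipient is accepted."""
    with smtplib.SMTP(host, port, local_hostname="localhost", timeout=10) as smtp:
        smtp.helo(helo)
        code, message = smtp.mail(sender)
        if code != 250:
            return code, "MAIL FROM rejected: " + message.decode(errors="replace")
        code, message = smtp.rcpt(recipient)
        smtp.rset()  # abandon the envelope instead of sending DATA
        return code, HINTS.get(code, message.decode(errors="replace"))


class _StandInHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for Postfix: it knows one mailbox and answers
    with the reply lines quoted in the article."""
    KNOWN = {"cactus@virtualdomain.tld"}

    def handle(self):
        self.wfile.write(b"220 stand-in ESMTP\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            command = line.decode(errors="replace").strip()
            verb = command.split(":", 1)[0].split(" ", 1)[0].upper()
            if verb == "QUIT":
                self.wfile.write(b"221 Bye\r\n")
                return
            if verb == "RCPT":
                address = command.split(":", 1)[1].strip().strip("<>").lower()
                if address in self.KNOWN:
                    self.wfile.write(b"250 2.1.5 Ok\r\n")
                elif address.endswith("@tempfail.test"):  # simulates a broken MySQL lookup
                    self.wfile.write(b"451 4.3.0 <%s>: Temporary lookup failure\r\n" % address.encode())
                else:
                    self.wfile.write(b"550 5.1.1 <%s>: Recipient address rejected: "
                                     b"User unknown in virtual mailbox table\r\n" % address.encode())
                continue
            self.wfile.write(b"250 Ok\r\n")  # HELO, MAIL FROM, RSET


def start_stand_in():
    """Start the stand-in on an ephemeral localhost port; returns (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _StandInHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_stand_in()
    try:
        for rcpt in ("cactus@virtualdomain.tld", "nobody@virtualdomain.tld"):
            print(rcpt, probe_recipient("127.0.0.1", port, "test@testmail.org", rcpt))
    finally:
        server.shutdown()
```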
<br />
=== See that you have received an email ===<br />
<br />
Now type {{ic|$ find /home/vmailer}}.<br />
<br />
You should see something like the following:<br />
{{bc|<br />
/home/vmailer/virtualdomain.tld/cactus@virtualdomain.tld<br />
/home/vmailer/virtualdomain.tld/cactus@virtualdomain.tld/tmp<br />
/home/vmailer/virtualdomain.tld/cactus@virtualdomain.tld/cur<br />
/home/vmailer/virtualdomain.tld/cactus@virtualdomain.tld/new<br />
/home/vmailer/virtualdomain.tld/cactus@virtualdomain.tld/new/1102974226.2704_0.bonk.testmail.org<br />
}}<br />
The last entry is the important one: it is an actual email, so if you see it, delivery is working.<br />
<br />
== Optional Items ==<br />
Although these items are not required, they definitely make your setup more complete.<br />
<br />
=== Quota ===<br />
To enable mailbox quota support by dovecot, do the following: <br />
*First add the following lines to /etc/dovecot/dovecot.conf<br />
dict {<br />
quotadict = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext<br />
}<br />
service dict {<br />
unix_listener dict {<br />
group = vmail<br />
mode = 0660<br />
user = vmail<br />
}<br />
user = root<br />
}<br />
service quota-warning {<br />
executable = script /usr/local/bin/quota-warning.sh<br />
user = vmail<br />
unix_listener quota-warning {<br />
group = vmail<br />
mode = 0660<br />
user = vmail<br />
}<br />
} <br />
mail_plugins=quota<br />
protocol pop3 {<br />
mail_plugins = quota<br />
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh<br />
pop3_uidl_format = %08Xu%08Xv<br />
}<br />
protocol lda {<br />
mail_plugins = quota<br />
postmaster_address = postmaster@yourdomain.com<br />
}<br />
protocol imap {<br />
mail_plugins = $mail_plugins imap_quota<br />
mail_plugin_dir = /usr/lib/dovecot/modules<br />
}<br />
plugin {<br />
quota = dict:User quota::proxy::quotadict<br />
quota_rule2 = Trash:storage=+10%%<br />
quota_warning = storage=100%% quota-warning +100 %u<br />
quota_warning2 = storage=95%% quota-warning +95 %u<br />
quota_warning3 = storage=80%% quota-warning +80 %u<br />
quota_warning4 = -storage=100%% quota-warning -100 %u # user is no longer over quota<br />
}<br />
<br />
*Create a new file /etc/dovecot/dovecot-dict-sql.conf.ext with the following code:<br />
connect = host=localhost dbname=yourdb user=youruser password=yourpassword<br />
map {<br />
pattern = priv/quota/storage<br />
table = quota2<br />
username_field = username<br />
value_field = bytes<br />
}<br />
map {<br />
pattern = priv/quota/messages<br />
table = quota2<br />
username_field = username<br />
value_field = messages<br />
}<br />
*Create a warning script /usr/local/bin/quota-warning.sh and make sure it is executable. This warning script works with postfix lmtp configuration as well.<br />
<pre>#!/bin/sh<br />
# Called by Dovecot's quota_warning* settings as: quota-warning.sh <boundary> <user><br />
BOUNDARY="$1"<br />
USER="$2"<br />
MSG=""<br />
# POSIX sh has no [[ ]]; single brackets work under /bin/sh as declared above<br />
if [ "$BOUNDARY" = "+100" ]; then<br />
MSG="Your mailbox is now overfull (>100%). In order for your account to continue functioning properly, you need to remove some emails NOW."<br />
elif [ "$BOUNDARY" = "+95" ]; then<br />
MSG="Your mailbox is now over 95% full. Please remove some emails ASAP."<br />
elif [ "$BOUNDARY" = "+80" ]; then<br />
MSG="Your mailbox is now over 80% full. Please consider removing some emails to save space."<br />
elif [ "$BOUNDARY" = "-100" ]; then<br />
MSG="Your mailbox is now back to normal (<100%)."<br />
fi<br />
<br />
# Deliver the warning with dovecot-lda; "noenforcing" lets it in even though the mailbox is over quota<br />
cat << EOF | /usr/lib/dovecot/dovecot-lda -d "$USER" -o "plugin/quota=maildir:User quota:noenforcing"<br />
From: postmaster@yourdomain.com<br />
Subject: Email Account Quota Warning<br />
<br />
Dear User,<br />
<br />
$MSG<br />
<br />
Best regards,<br />
Your Mail System<br />
EOF<br />
</pre><br />
<br />
*Edit the user_query line and add iterate_query in dovecot-sql.conf as follows:<br />
user_query = SELECT '/home/vmail/%d/%n' as home, 'maildir:/home/vmail/%d/%n' as mail, 5000 AS uid, 5000 AS gid, concat('*:bytes=', quota) AS quota_rule FROM mailbox WHERE username = '%u' AND active = '1'<br />
iterate_query = SELECT username AS user FROM mailbox<br />
*Set up LDA as described above under SpamAssassin. If you're not using SpamAssassin, the pipe should look like this in /etc/postfix/master.cf :<br />
dovecot unix - n n - - pipe<br />
flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}<br />
As above activate it in Postfix main.cf<br />
virtual_transport = dovecot<br />
*You can set up quota per each mailbox in postfixadmin. Make sure the relevant lines in config.inc.php look like this:<br />
$CONF['quota'] = 'YES';<br />
$CONF['quota_multiplier'] = '1024000';<br />
<br />
Restart the postfix and dovecot services. If all went well, you should be able to list all users' quota and usage with this command:<br />
doveadm quota get -A<br />
You should be able to see the quota in roundcube too.<br />
<br />
=== Autocreate and autosubscribe folders in Dovecot ===<br />
<br />
To automatically create the "usual" mail hierarchy, modify your {{ic|/etc/dovecot/dovecot.conf}} as follows, editing to your specific needs.<br />
<br />
{{bc|1=<br />
namespace inbox {<br />
type = private<br />
separator = /<br />
prefix =<br />
inbox = yes<br />
}<br />
namespace inbox {<br />
mailbox Drafts {<br />
auto = subscribe<br />
special_use = \Drafts<br />
}<br />
mailbox Junk {<br />
auto = subscribe<br />
special_use = \Junk<br />
}<br />
mailbox Trash {<br />
auto = subscribe<br />
special_use = \Trash<br />
}<br />
mailbox Sent {<br />
auto = subscribe<br />
special_use = \Sent<br />
}<br />
}<br />
}}<br />
<br />
=== Dovecot public folder and global ACLs ===<br />
<br />
In this section we enable IMAP namespace public folders combined with global and per-folder [[ACL]]s.<br />
<br />
First, add the following lines to {{ic|/etc/dovecot/dovecot.conf}}:<br />
<br />
{{bc|1=<br />
### ACLs<br />
mail_plugins = acl<br />
protocol imap {<br />
mail_plugins = $mail_plugins imap_acl<br />
}<br />
plugin {<br />
acl = vfile<br />
# With global ACL files in /etc/dovecot/dovecot-acls file (v2.2.11+):<br />
acl = vfile:/etc/dovecot/dovecot-acl<br />
}<br />
<br />
### Public Mailboxes<br />
namespace {<br />
type = public<br />
separator = /<br />
prefix = public/<br />
location = maildir:/home/vmail/public:INDEXPVT=~/public<br />
subscriptions = no<br />
list = children<br />
}<br />
}}<br />
<br />
Create the root directory {{ic|/home/vmail/public}} and the folders you want to publicly share, for example (the period is required!) {{ic|/home/vmail/public/.example-1}}.<br />
<br />
Change the ownership of all files in the root directory:<br />
<br />
# chown -R vmail:vmail /home/vmail/public<br />
<br />
Finally, create and modify your global ACL file to allow users access to these folders:<br />
<br />
{{hc|/etc/dovecot/dovecot-acl|2=<br />
public/* user=admin@example.com lrwstipekxa<br />
}}<br />
<br />
In the above example, user {{ic|admin@example.com}} has access to, and can do anything to, all the public folders. Edit to fit your specific needs.<br />
<br />
{{Note|<br />
* {{ic|lrwstipekxa}} are the permissions being granted. Visit the Dovecot wiki for further details.<br />
* Make sure the user subscribes to the folders in the client they are using.<br />
}}<br />
<br />
=== Fighting Spam ===<br />
<br />
As an alternative to SpamAssassin, consider {{AUR|rspamd}}. Out of the box it delivers a large reduction in spam, provides greylisting and more, and includes a web UI. See also [https://thomas-leister.de/en/mailserver-debian-stretch/].<br />
<br />
== Sidenotes ==<br />
<br />
=== Alternative vmail folder structure ===<br />
<br />
Instead of having a directory structure like {{ic|/home/vmail/example.com/user@example.com}} you can have cleaner subdirectories (without the additional domain name) by replacing {{ic|select_field}} and {{ic|where_field}} with:<br />
{{bc|1=query = SELECT CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',SUBSTRING_INDEX(email,'@',1),'/') FROM users WHERE email='%s'}}<br />
<br />
== Troubleshooting ==<br />
<br />
=== IMAP/POP3 client failing to receive mails ===<br />
<br />
If your client reports such errors, look into {{ic|/var/log/mail.log}} or use {{ic|journalctl -xn --unit postfix.service}} to find out more.<br />
<br />
Note that the Maildir {{ic|/home/vmail/mail@domain.tld}} is only created once at least one email has been delivered; before that there is no need for the directory, so its absence alone is not an error.<br />
<br />
=== Roundcube not able to delete emails or view any 'standard' folders ===<br />
<br />
Ensure that the Roundcube config.inc.php file contains the following:<br />
<br />
{{bc|1=<br />
$rcmail_config['default_imap_folders'] = array('INBOX', 'Drafts', 'Sent', 'Junk', 'Trash');<br />
$rcmail_config['create_default_folders'] = true;<br />
$rcmail_config['protect_default_folders'] = true;<br />
}}<br />
<br />
=== LMTP / Sieve ===<br />
<br />
Is LMTP not connecting to Sieve? Ensure that your server is not routing the messages locally. This can be set in {{ic|/etc/postfix/main.cf}}:<br />
<br />
{{bc|1=<br />
mydestination = <br />
}}<br />
<br />
=== Are your emails sent to gmail users ending up in their junk/spam folders? ===<br />
<br />
Gmail (and most other large email providers) will send your emails straight to your recipients' junk/spam folder if you have not implemented SPF, DKIM and DMARC policies. (Hint: Rspamd, via the link above, shows you how to set this up and will DKIM-sign your emails.)<br />
<br />
== See also ==<br />
<br />
* [[Gentoo:Complete Virtual Mail Server]]</div>Timeline.menuhttps://wiki.archlinux.org/index.php?title=Virtual_user_mail_system_with_Postfix,_Dovecot_and_Roundcube_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)&diff=558354Virtual user mail system with Postfix, Dovecot and Roundcube (简体中文)2018-12-05T09:02:59Z<p>Timeline.menu: 译完 “安装”之前的,算是“前言”部份</p>
<hr />
<div>[[Category:Mail server]]<br />
[[en:Virtual user mail system with Postfix, Dovecot and Roundcube]]<br />
[[ja:仮想ユーザーメールシステム]]<br />
{{Related articles start}}<br />
{{Related|Courier MTA}}<br />
{{Related|OpenDKIM}}<br />
{{Related|Postfix}}<br />
{{Related|SOGo}}<br />
{{Related articles end}}<br />
{{Merge|Postfix|This article has content overlapping with [[Postfix]], [[Dovecot]] and [[Roundcube]], such as some configuration snippets.}}<br />
<br />
This article explains how to set up a mail system that uses virtual users, i.e. the senders and recipients of the mail system are not Linux system users (they do not exist in {{ic|/etc/passwd}}).<br />
<br />
In brief, this article uses [[Postfix (简体中文)|Postfix]] to send mail, [[Dovecot]] to provide IMAP access, [[Roundcube]] as the web front end, and [[PostfixAdmin]] as the administration interface for the whole system.<br />
<br />
The solution described here lets you use current best-practice security mechanisms: you will be able to send mail over SMTP and SMTPS and receive it over POP3, POP3S, IMAP and IMAPS. In addition, thanks to PostfixAdmin, configuration is easy and users will be able to log in with Roundcube.<br />
<br />
== Installation ==<br />
Before you start, you must have both a working MySQL server as described in [[MySQL]] and a working Postfix server as described in [[Postfix]].<br />
<br />
[[Install]] the {{Pkg|dovecot}} and {{Pkg|roundcubemail}} packages.<br />
<br />
== Configuration ==<br />
=== User ===<br />
For security reasons, a new user should be created to store the mails:<br />
# groupadd -g 5000 vmail<br />
# useradd -u 5000 -g vmail -s /usr/bin/nologin -d /home/vmail -m vmail<br />
A gid and uid of 5000 is used in both cases so that we do not run into conflicts with regular users. All your mail will then be stored in {{ic|/home/vmail}}. You could change the home directory to something like {{ic|/var/mail/vmail}} but be careful to change this in any configuration below as well.<br />
<br />
=== Database ===<br />
You will need to create an empty database and corresponding user. In this article, the user ''postfix_user'' will have read/write access to the database ''postfix_db'' using ''hunter2'' as password. You are expected to create the database and user yourself, and give the user permission to use the database, as shown in the following code.<br />
<br />
{{hc|$ mysql -u root -p|<br />
CREATE DATABASE postfix_db;<br />
GRANT ALL ON postfix_db.* TO 'postfix_user'@'localhost' IDENTIFIED BY 'hunter2';<br />
FLUSH PRIVILEGES;<br />
}}<br />
<br />
{{Expansion|Further manual database installation is missing. So far, the only way to follow this article is by installing PostfixAdmin with Apache, MySQL and PHP.}}<br />
<br />
Now you can go to the PostfixAdmin's setup page, let PostfixAdmin create the needed tables and create the users in there.<br />
<br />
==== PostfixAdmin ====<br />
<br />
See [[PostfixAdmin]].<br />
<br />
=== SSL certificate ===<br />
You will need a SSL certificate for all encrypted mail communications (SMTPS/IMAPS/POP3S). If you do not have one, create one:<br />
# cd /etc/ssl/private/<br />
# openssl req -new -x509 -nodes -newkey rsa:4096 -keyout vmail.key -out vmail.crt -days 1460 #days are optional<br />
# chmod 400 vmail.key<br />
# chmod 444 vmail.crt<br />
<br />
Alternatively, create a free trusted certificate using [[Let's Encrypt]]. The private key will be in {{ic|/etc/letsencrypt/live/''yourdomain''/privkey.pem}}, the certificate in {{ic|/etc/letsencrypt/live/''yourdomain''/fullchain.pem}}. Either change the configuration accordingly, or symlink the keys to {{ic|/etc/ssl/private}}:<br />
# ln -s /etc/letsencrypt/live/''yourdomain''/privkey.pem /etc/ssl/private/vmail.key<br />
# ln -s /etc/letsencrypt/live/''yourdomain''/fullchain.pem /etc/ssl/private/vmail.crt<br />
<br />
=== Postfix ===<br />
<br />
Before you copy & paste the configuration below, check whether {{ic|relay_domains}} has already been set. If you leave more than one definition active, you will receive warnings at runtime.<br />
<br />
{{Warning|{{ic|<nowiki>relay_domains</nowiki>}} can be dangerous. You usually do not want Postfix to forward mail of strangers. {{ic|<nowiki>$mydestination</nowiki>}} is a sane default value. Double check its value before running postfix! See http://www.postfix.org/BASIC_CONFIGURATION_README.html#relay_to}} <br />
<br />
Also follow [[Postfix#Secure SMTP (receiving)]] pointing to the files you created in [[#SSL certificate]].<br />
<br />
==== Setting up Postfix ====<br />
<br />
To {{ic|/etc/postfix/main.cf}} append:<br />
relay_domains = $mydestination<br />
virtual_alias_maps = proxy:mysql:/etc/postfix/virtual_alias_maps.cf<br />
virtual_mailbox_domains = proxy:mysql:/etc/postfix/virtual_mailbox_domains.cf<br />
virtual_mailbox_maps = proxy:mysql:/etc/postfix/virtual_mailbox_maps.cf<br />
virtual_mailbox_base = /home/vmail<br />
virtual_mailbox_limit = 512000000<br />
virtual_minimum_uid = 5000<br />
virtual_transport = virtual<br />
virtual_uid_maps = static:5000<br />
virtual_gid_maps = static:5000<br />
local_transport = virtual<br />
local_recipient_maps = $virtual_mailbox_maps<br />
transport_maps = hash:/etc/postfix/transport<br />
<br />
smtpd_sasl_auth_enable = yes<br />
smtpd_sasl_type = dovecot<br />
smtpd_sasl_path = /var/run/dovecot/auth-client<br />
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination<br />
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination<br />
smtpd_sasl_security_options = noanonymous<br />
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options<br />
smtpd_tls_security_level = may<br />
smtpd_tls_auth_only = yes<br />
smtpd_tls_received_header = yes<br />
smtpd_tls_cert_file = /etc/ssl/private/vmail.crt<br />
smtpd_tls_key_file = /etc/ssl/private/vmail.key<br />
smtpd_sasl_local_domain = $mydomain<br />
broken_sasl_auth_clients = yes<br />
smtpd_tls_loglevel = 1<br />
smtp_tls_security_level = may<br />
smtp_tls_loglevel = 1<br />
<br />
* In the configuration above {{ic|virtual_mailbox_domains}} lists the domains you want to receive mail for. It must NOT contain a domain that is also listed in {{ic|mydestination}}; that is why {{ic|mydestination}} was left at localhost only.<br />
<br />
* {{ic|virtual_mailbox_maps}} maps each virtual user to the location of their mailbox. The more permanent maps are kept in a hash file, and these override the forwards stored in the MySQL database.<br />
<br />
* {{ic|virtual_mailbox_base}} is the base directory under which the virtual mailboxes are stored.<br />
<br />
* {{ic|virtual_uid_maps}} and {{ic|virtual_gid_maps}} give the real system UID and GID that own the virtual mailboxes on disk. They exist for storage purposes only.<br />
<br />
{{note|Since the web interface (Roundcube) will be the only way to access mail, this account is created later without any login access.}}<br />
<br />
==== Create the file structure ====<br />
<br />
Those new additional settings reference a lot of files that do not even exist yet. We will create them with the following steps.<br />
<br />
If you were setting up your database with PostfixAdmin and created the database schema through PostfixAdmin, you can create the following files. Do not forget to change the password:<br />
<br />
{{hc|/etc/postfix/virtual_alias_maps.cf|<nowiki><br />
user = postfix_user<br />
password = hunter2<br />
hosts = localhost<br />
dbname = postfix_db<br />
table = alias<br />
select_field = goto<br />
where_field = address<br />
</nowiki>}}<br />
<br />
{{hc|/etc/postfix/virtual_mailbox_domains.cf|<nowiki><br />
user = postfix_user<br />
password = hunter2<br />
hosts = localhost<br />
dbname = postfix_db<br />
table = domain<br />
select_field = domain<br />
where_field = domain<br />
</nowiki>}}<br />
<br />
{{hc|/etc/postfix/virtual_mailbox_maps.cf|<nowiki><br />
user = postfix_user<br />
password = hunter2<br />
hosts = localhost<br />
dbname = postfix_db<br />
table = mailbox<br />
select_field = maildir<br />
where_field = username<br />
</nowiki>}}<br />
<br />
For alias domains functionality adjust the following files:<br />
<br />
{{hc|/etc/postfix/main.cf|<nowiki><br />
virtual_alias_maps = proxy:mysql:/etc/postfix/virtual_alias_maps.cf,proxy:mysql:/etc/postfix/virtual_alias_domains_maps.cf<br />
virtual_alias_domains = proxy:mysql:/etc/postfix/virtual_alias_domains.cf<br />
</nowiki>}}<br />
<br />
{{hc|/etc/postfix/virtual_alias_domains_maps.cf|<nowiki><br />
user = postfix_user<br />
password = hunter2<br />
hosts = localhost<br />
dbname = postfix_db<br />
query = SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' and alias.address = CONCAT('%u', '@', alias_domain.target_domain) AND alias.active = 1 AND alias_domain.active='1'<br />
</nowiki>}}<br />
<br />
{{hc|/etc/postfix/virtual_alias_domains.cf|<nowiki><br />
user = postfix_user<br />
password = hunter2<br />
hosts = localhost<br />
dbname = postfix_db<br />
query = SELECT alias_domain FROM alias_domain WHERE alias_domain='%s' AND active = '1'<br />
</nowiki>}}<br />
<br />
{{Note | For setups without using PostfixAdmin, create the following files.}}<br />
<br />
{{hc|/etc/postfix/virtual_alias_maps.cf|<nowiki><br />
user = postfix_user<br />
password = hunter2<br />
hosts = localhost<br />
dbname = postfix_db<br />
table = domains<br />
select_field = virtual<br />
where_field = domain<br />
</nowiki>}}<br />
<br />
{{hc|/etc/postfix/virtual_mailbox_domains.cf|<nowiki><br />
user = postfix_user<br />
password = hunter2<br />
hosts = localhost<br />
dbname = postfix_db<br />
table = forwardings<br />
select_field = destination<br />
where_field = source<br />
</nowiki>}}<br />
<br />
{{hc|/etc/postfix/virtual_mailbox_maps.cf|<nowiki><br />
user = postfix_user<br />
password = hunter2<br />
hosts = localhost<br />
dbname = postfix_db<br />
table = users<br />
select_field = concat(domain,'/',email,'/')<br />
where_field = email<br />
</nowiki>}}<br />
<br />
Run ''postmap'' on ''transport'' to generate its db:<br />
# postmap /etc/postfix/transport<br />
<br />
=== Dovecot ===<br />
<br />
Instead of using the provided Dovecot example configuration, we will create our own {{ic|/etc/dovecot/dovecot.conf}}. The {{ic|auth-client}} socket below is read by Postfix's {{ic|smtpd}}, so it must be owned by the user Postfix runs as ('''postfix'''); sockets consumed by Dovecot's own processes, such as the dict listener in the quota section further down, belong to '''vmail''' instead.<br />
<br />
{{hc|/etc/dovecot/dovecot.conf|<nowiki><br />
protocols = imap pop3<br />
auth_mechanisms = plain<br />
passdb {<br />
driver = sql<br />
args = /etc/dovecot/dovecot-sql.conf<br />
}<br />
userdb {<br />
driver = sql<br />
args = /etc/dovecot/dovecot-sql.conf<br />
}<br />
<br />
service auth {<br />
unix_listener auth-client {<br />
group = postfix<br />
mode = 0660<br />
user = postfix<br />
}<br />
user = root<br />
}<br />
<br />
mail_home = /home/vmail/%d/%n<br />
mail_location = maildir:~<br />
<br />
ssl_cert = </etc/ssl/private/vmail.crt<br />
ssl_key = </etc/ssl/private/vmail.key<br />
</nowiki>}}<br />
<br />
{{note|If you instead want to modify {{ic|dovecot.conf.sample}}, beware that the default configuration file imports the content of {{ic|conf.d/*.conf}}. Those files call other files that aren't present in our configuration.}}<br />
<br />
Now we create {{ic|/etc/dovecot/dovecot-sql.conf}}, which we just referenced in the config above. Use the following contents and check if everything is set accordingly to your system's configuration.<br />
<br />
If you used PostfixAdmin, then you add the following:<br />
<br />
{{hc|/etc/dovecot/dovecot-sql.conf|<nowiki><br />
driver = mysql<br />
connect = host=localhost dbname=postfix_db user=postfix_user password=hunter2<br />
# It is highly recommended to not use deprecated MD5-CRYPT. Read more at http://wiki2.dovecot.org/Authentication/PasswordSchemes<br />
default_pass_scheme = SHA512-CRYPT<br />
# Get the mailbox<br />
user_query = SELECT '/home/vmail/%d/%n' as home, 'maildir:/home/vmail/%d/%n' as mail, 5000 AS uid, 5000 AS gid, concat('dirsize:storage=', quota) AS quota FROM mailbox WHERE username = '%u' AND active = '1'<br />
# Get the password<br />
password_query = SELECT username as user, password, '/home/vmail/%d/%n' as userdb_home, 'maildir:/home/vmail/%d/%n' as userdb_mail, 5000 as userdb_uid, 5000 as userdb_gid FROM mailbox WHERE username = '%u' AND active = '1'<br />
# If using client certificates for authentication, comment the above and uncomment the following<br />
#password_query = SELECT null AS password, '%u' AS user<br />
</nowiki>}}<br />
<br />
Without having used PostfixAdmin you can use:<br />
<br />
{{hc|/etc/dovecot/dovecot-sql.conf|<nowiki><br />
driver = mysql<br />
connect = host=localhost dbname=postfix_db user=postfix_user password=hunter2<br />
# It is highly recommended to not use deprecated MD5-CRYPT. Read more at http://wiki2.dovecot.org/Authentication/PasswordSchemes<br />
default_pass_scheme = SHA512-CRYPT<br />
# Get the mailbox<br />
user_query = SELECT '/home/vmail/%d/%n' as home, 'maildir:/home/vmail/%d/%n' as mail, 5000 AS uid, 5000 AS gid, concat('dirsize:storage=', quota) AS quota FROM users WHERE email = '%u'<br />
# Get the password<br />
password_query = SELECT email as user, password, '/home/vmail/%d/%n' as userdb_home, 'maildir:/home/vmail/%d/%n' as userdb_mail, 5000 as userdb_uid, 5000 as userdb_gid FROM users WHERE email = '%u'<br />
# If using client certificates for authentication, comment the above and uncomment the following<br />
#password_query = SELECT null AS password, '%u' AS user<br />
</nowiki>}}<br />
<br />
{{Tip|Visit http://wiki2.dovecot.org/Variables to learn more about Dovecot variables.}}<br />
<br />
==== DH parameters ====<br />
<br />
Since Dovecot 2.3 you are required to provide the DH parameters yourself with {{ic|1=ssl_dh = </path/to/dh.pem}}.<br />
<br />
To generate a new DH parameters file (this can take a long time):<br />
<br />
# openssl dhparam -out /etc/dovecot/dh.pem 4096<br />
<br />
then add the file to {{ic|/etc/dovecot/dovecot.conf}}<br />
<br />
ssl_dh = </etc/dovecot/dh.pem<br />
<br />
=== PostfixAdmin ===<br />
See [[PostfixAdmin]].<br />
<br />
{{Note|To match the configuration in this article, {{ic|config.inc.php}} should contain the following.}}<br />
<br />
{{hc|/etc/webapps/postfixadmin/config.inc.php|<nowiki><br />
...<br />
$CONF['domain_path'] = 'YES';<br />
$CONF['domain_in_mailbox'] = 'NO';<br />
...<br />
</nowiki>}}<br />
<br />
=== Roundcube ===<br />
<br />
Make sure that both {{ic|1=extension=pdo_mysql}} and {{ic|1=extension=iconv}} are uncommented in your {{ic|php.ini}} file. Also check the {{ic|.htaccess}} for access restrictions. Assuming that localhost is your current host, navigate a browser to {{ic|http://localhost/roundcube/installer/}} and follow the instructions. <br />
<br />
Roundcube needs a separate database to work. You should not use the same database for Roundcube and PostfixAdmin. Create a second database {{ic|roundcube_db}} and a new user named {{ic|roundcube_user}}.<br />
<br />
While running the installer ...<br />
<br />
* For the IMAP host, use {{ic|ssl://localhost/}} with port {{ic|993}} (IMAPS) or {{ic|tls://localhost/}} with port {{ic|143}} (STARTTLS), not just {{ic|localhost}}.<br />
* For the SMTP host, use {{ic|tls://localhost/}} with port {{ic|587}} if you enabled the STARTTLS submission service.<br />
: (use {{ic|ssl://localhost/}} with port {{ic|465}} if you enabled the wrapper mode)<br />
* See [[#Postfix]] for an explanation of the two modes.<br />
<br />
The post-install process is similar to that of any other web application such as [[PhpMyAdmin]] or PostfixAdmin. The configuration file is {{ic|/etc/webapps/roundcubemail/config/config.inc.php}}, which overrides {{ic|default.inc.php}}.<br />
<br />
==== Apache configuration ====<br />
<br />
If you are using Apache, copy the example configuration file to your webserver configuration directory.<br />
<br />
# cp /etc/webapps/roundcubemail/apache.conf /etc/httpd/conf/extra/httpd-roundcubemail.conf<br />
<br />
Add the following line in<br />
<br />
{{hc|/etc/httpd/conf/httpd.conf|<nowiki><br />
Include conf/extra/httpd-roundcubemail.conf<br />
</nowiki>}}<br />
<br />
==== Roundcube: Change Password Plugin ====<br />
<br />
To let users change their passwords from within Roundcube, do the following:<br />
<br />
Enable the password plugin by adding this line to<br />
<br />
{{hc|/etc/webapps/roundcubemail/config/config.inc.php|<nowiki><br />
$config['plugins'] = array('password');<br />
</nowiki>}}<br />
<br />
Configure the password plugin and make sure you alter the settings accordingly. The hash Roundcube writes must use the scheme Dovecot expects ({{ic|SHA512-CRYPT}} above); check the plugin's {{ic|config.inc.php.dist}} for the option that selects the hashing method in your Roundcube version. Since this file contains the database password, keep it readable only by the web server user:<br />
<br />
{{hc|/usr/share/webapps/roundcubemail/plugins/password/config.inc.php|<nowiki><br />
$config['password_driver'] = 'sql';<br />
$config['password_db_dsn'] = 'mysql://<postfix_database_user>:<password>@localhost/<postfix_database_name>';<br />
// for dovecot salted passwords only<br />
// $config['password_dovecotpw'] = 'doveadm pw';<br />
// $config['password_dovecotpw_method'] = 'SHA512-CRYPT';<br />
// $config['password_dovecotpw_with_method'] = true;<br />
$config['password_query'] = 'UPDATE mailbox SET password=%c WHERE username=%u';<br />
</nowiki>}}<br />
<br />
== Fire it up ==<br />
All necessary daemons should be started in order to test the configuration. [[Start]] both {{ic|postfix}} and {{ic|dovecot}}.<br />
<br />
Now for testing purposes, create a domain and mail account in PostfixAdmin. Try to login to this account using Roundcube. Now send yourself a mail.<br />
<br />
== Testing ==<br />
<br />
{{Style|Needs some cleanup. There are probably more general ways to write this.}}<br />
<br />
Now let's check whether Postfix delivers mail for our test user. Talk to the server by hand (everything after the {{ic|nc}} line is typed by you):<br />
{{bc|<br />
nc servername 25<br />
helo testmail.org<br />
mail from:<test@testmail.org><br />
rcpt to:<cactus@virtualdomain.tld><br />
data<br />
This is a test email.<br />
.<br />
quit<br />
}}<br />
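To test the restrictions above from the network side, the following added example (not from the original page, and not Postfix or Dovecot code) plays the same EHLO/MAIL/RCPT dialog as the {{ic|nc}} session, but for a recipient in a foreign domain and without authenticating. A hardened server must answer the RCPT with a 5xx reply (Postfix answers {{ic|554 5.7.1 ... Relay access denied}} because of {{ic|reject_unauth_destination}}) and must not list AUTH in its plaintext EHLO reply ({{ic|1=smtpd_tls_auth_only = yes}}). Host, port and the probe addresses are assumptions; {{ic|probe_host}} talks to a real server, but nothing is delivered because DATA is never sent.<br />

```python
"""Probe an SMTP port the way an outsider would: is AUTH offered in plaintext,
and will the server relay for an unauthenticated client? Added example, not part
of the original page; host, port and addresses are assumptions.
"""
import smtplib
import sys
from dataclasses import dataclass


@dataclass
class RelayProbeResult:
    auth_in_plaintext: bool   # AUTH advertised in the plaintext EHLO reply?
    rcpt_code: int            # SMTP reply code to RCPT TO for the foreign recipient
    rcpt_message: str

    @property
    def open_relay(self) -> bool:
        # A 2xx reply to a foreign RCPT TO without authentication means the
        # server would accept and relay the message.
        return 200 <= self.rcpt_code < 300

    @property
    def hardened(self) -> bool:
        return not self.auth_in_plaintext and not self.open_relay


def probe_relay(smtp, mail_from: str, rcpt_to: str) -> RelayProbeResult:
    """Run EHLO / MAIL FROM / RCPT TO / QUIT over a connected smtplib.SMTP-like object.

    DATA is never sent, so nothing is delivered even if the server is misconfigured.
    """
    code, _ = smtp.ehlo("probe.example")
    if code != 250:
        raise RuntimeError(f"EHLO rejected with {code}")
    auth_in_plaintext = smtp.has_extn("auth")
    code, _ = smtp.mail(mail_from)
    if code != 250:
        raise RuntimeError(f"MAIL FROM rejected with {code}")
    code, message = smtp.rcpt(rcpt_to)
    try:
        smtp.quit()
    except smtplib.SMTPException:
        pass  # some servers drop the connection right after refusing a relay
    return RelayProbeResult(auth_in_plaintext, code, message.decode("ascii", "replace"))


def probe_host(host: str, port: int = 25,
               mail_from: str = "probe@example.org",
               rcpt_to: str = "someone@example.net") -> RelayProbeResult:
    """Connect to a real server (host/port are assumptions) and run the probe."""
    smtp = smtplib.SMTP(host, port, timeout=15)
    try:
        return probe_relay(smtp, mail_from, rcpt_to)
    finally:
        smtp.close()


if __name__ == "__main__":
    # usage: python probe.py mail.example.com 25
    result = probe_host(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 25)
    print(f"AUTH offered before STARTTLS: {result.auth_in_plaintext}")
    print(f"RCPT TO foreign domain: {result.rcpt_code} {result.rcpt_message}")
    print("hardened" if result.hardened else "MISCONFIGURED: fix main.cf before going live")
```

Run it against port 25 and port 587 separately: on 587 the submission service enforces STARTTLS, so AUTH must still be absent from the plaintext EHLO, and on both ports the foreign RCPT must be refused.<br />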
<br />
=== Error response ===<br />
<br />
 451 4.3.0 <lisi@test.com>: Temporary lookup failure<br />
Postfix could not query MySQL. Check the user/password in the {{ic|/etc/postfix/*.cf}} files and whether the MySQL socket is where Postfix expects it.<br />
<br />
This error also occurs if you never ran {{ic|newaliases}} before starting Postfix. MySQL is not required for local-only use of Postfix.<br />
<br />
 550 5.1.1 <email@spam.me>: Recipient address rejected: User unknown in virtual mailbox table.<br />
Double check the content of {{ic|/etc/postfix/virtual_mailbox_maps.cf}} (its lookup must return a row for the recipient) and make sure the recipient's domain is listed in {{ic|virtual_mailbox_domains}} and not in {{ic|mydestination}} in {{ic|main.cf}}.<br />
<br />
=== See that you have received an email ===<br />
<br />
Now type {{ic|$ find /home/vmail}}.<br />
<br />
You should see something like the following (with PostfixAdmin and the {{ic|config.inc.php}} settings above, the mailbox directory is named {{ic|cactus}} instead of {{ic|cactus@virtualdomain.tld}}):<br />
{{bc|<br />
/home/vmail/virtualdomain.tld/cactus@virtualdomain.tld<br />
/home/vmail/virtualdomain.tld/cactus@virtualdomain.tld/tmp<br />
/home/vmail/virtualdomain.tld/cactus@virtualdomain.tld/cur<br />
/home/vmail/virtualdomain.tld/cactus@virtualdomain.tld/new<br />
/home/vmail/virtualdomain.tld/cactus@virtualdomain.tld/new/1102974226.2704_0.bonk.testmail.org<br />
}}<br />
The key is the last entry. That file is an actual email; if you see it, delivery is working.<br />
<br />
== Optional Items ==<br />
These items are not required, but they round out the setup.<br />
<br />
=== Quota ===<br />
To enable mailbox quota support by dovecot, do the following: <br />
*First add the following lines to /etc/dovecot/dovecot.conf<br />
dict {<br />
quotadict = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext<br />
}<br />
service dict {<br />
unix_listener dict {<br />
group = vmail<br />
mode = 0660<br />
user = vmail<br />
}<br />
user = root<br />
}<br />
service quota-warning {<br />
executable = script /usr/local/bin/quota-warning.sh<br />
user = vmail<br />
unix_listener quota-warning {<br />
group = vmail<br />
mode = 0660<br />
user = vmail<br />
}<br />
} <br />
mail_plugins=quota<br />
protocol pop3 {<br />
mail_plugins = quota<br />
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh<br />
pop3_uidl_format = %08Xu%08Xv<br />
}<br />
protocol lda {<br />
mail_plugins = quota<br />
postmaster_address = postmaster@yourdomain.com<br />
}<br />
protocol imap {<br />
mail_plugins = $mail_plugins imap_quota<br />
mail_plugin_dir = /usr/lib/dovecot/modules<br />
}<br />
plugin {<br />
quota = dict:User quota::proxy::quotadict<br />
quota_rule2 = Trash:storage=+10%%<br />
quota_warning = storage=100%% quota-warning +100 %u<br />
quota_warning2 = storage=95%% quota-warning +95 %u<br />
quota_warning3 = storage=80%% quota-warning +80 %u<br />
quota_warning4 = -storage=100%% quota-warning -100 %u # user is no longer over quota<br />
}<br />
<br />
*Create a new file /etc/dovecot/dovecot-dict-sql.conf.ext with the following code:<br />
connect = host=localhost dbname=yourdb user=youruser password=yourpassword<br />
map {<br />
pattern = priv/quota/storage<br />
table = quota2<br />
username_field = username<br />
value_field = bytes<br />
}<br />
map {<br />
pattern = priv/quota/messages<br />
table = quota2<br />
username_field = username<br />
value_field = messages<br />
}<br />
*Create a warning script /usr/local/bin/quota-warning.sh and make sure it is executable. This warning script works with postfix lmtp configuration as well.<br />
<pre>#!/bin/sh<br />
# Called by Dovecot's quota-warning service with the crossed boundary (e.g. +95) and the user.<br />
BOUNDARY="$1"<br />
USER="$2"<br />
MSG=""<br />
case "$BOUNDARY" in<br />
    +100) MSG="Your mailbox is now overfull (>100%). In order for your account to continue functioning properly, you need to remove some emails NOW." ;;<br />
    +95)  MSG="Your mailbox is now over 95% full. Please remove some emails ASAP." ;;<br />
    +80)  MSG="Your mailbox is now over 80% full. Please consider removing some emails to save space." ;;<br />
    -100) MSG="Your mailbox is now back to normal (<100%)." ;;<br />
    *)    exit 0 ;;   # unknown boundary: do not send an empty warning<br />
esac<br />
<br />
# Deliver with quota enforcement disabled, otherwise an over-quota user could never receive the warning.<br />
cat << EOF | /usr/lib/dovecot/dovecot-lda -d "$USER" -o "plugin/quota=maildir:User quota:noenforcing"<br />
From: postmaster@yourdomain.com<br />
Subject: Email Account Quota Warning<br />
<br />
Dear User,<br />
<br />
$MSG<br />
<br />
Best regards,<br />
Your Mail System<br />
EOF<br />
</pre><br />
<br />
*Edit the {{ic|user_query}} line and add an {{ic|iterate_query}} in {{ic|dovecot-sql.conf}} as follows:<br />
user_query = SELECT '/home/vmail/%d/%n' as home, 'maildir:/home/vmail/%d/%n' as mail, 5000 AS uid, 5000 AS gid, concat('*:bytes=', quota) AS quota_rule FROM mailbox WHERE username = '%u' AND active = '1'<br />
iterate_query = SELECT username AS user FROM mailbox<br />
*Set up LDA as described above under SpamAssassin. If you are not using SpamAssassin, the pipe service in {{ic|/etc/postfix/master.cf}} should look like this (the second line must start with whitespace, as it continues the first):<br />
 dovecot   unix  -       n       n       -       -       pipe<br />
   flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}<br />
As above, activate it in Postfix {{ic|main.cf}}:<br />
 virtual_transport = dovecot<br />
*You can set up quota per each mailbox in postfixadmin. Make sure the relevant lines in config.inc.php look like this:<br />
$CONF['quota'] = 'YES';<br />
$CONF['quota_multiplier'] = '1024000';<br />
<br />
Restart postfix and dovecot services. If things go well, you should be able to list all users' quota and usage by the this command:<br />
doveadm quota get -A<br />
You should be able to see the quota in roundcube too.<br />
<br />
=== Autocreate and autosubscribe folders in Dovecot ===<br />
<br />
To automatically create the "usual" mail hierarchy, modify your {{ic|/etc/dovecot/dovecot.conf}} as follows, editing to your specific needs.<br />
<br />
{{bc|1=<br />
namespace inbox {<br />
type = private<br />
separator = /<br />
prefix =<br />
inbox = yes<br />
}<br />
namespace inbox {<br />
mailbox Drafts {<br />
auto = subscribe<br />
special_use = \Drafts<br />
}<br />
mailbox Junk {<br />
auto = subscribe<br />
special_use = \Junk<br />
}<br />
mailbox Trash {<br />
auto = subscribe<br />
special_use = \Trash<br />
}<br />
mailbox Sent {<br />
auto = subscribe<br />
special_use = \Sent<br />
}<br />
}<br />
}}<br />
<br />
=== Dovecot public folder and global ACLs ===<br />
<br />
In this section we enable IMAP namespace public folders combined with global and per-folder [[ACL]]s.<br />
<br />
First, add the following lines to {{ic|/etc/dovecot/dovecot.conf}}:<br />
<br />
{{bc|1=<br />
### ACLs<br />
mail_plugins = acl<br />
protocol imap {<br />
mail_plugins = $mail_plugins imap_acl<br />
}<br />
plugin {<br />
acl = vfile<br />
# With global ACL files in /etc/dovecot/dovecot-acls file (v2.2.11+):<br />
acl = vfile:/etc/dovecot/dovecot-acl<br />
}<br />
<br />
### Public Mailboxes<br />
namespace {<br />
type = public<br />
separator = /<br />
prefix = public/<br />
location = maildir:/home/vmail/public:INDEXPVT=~/public<br />
subscriptions = no<br />
list = children<br />
}<br />
}}<br />
<br />
Create the root directory {{ic|/home/vmail/public}} and the folders you want to publicly share, for example (the period is required!) {{ic|/home/vmail/public/.example-1}}.<br />
<br />
Change the ownership of all files in the root directory:<br />
<br />
 # chown -R vmail:vmail /home/vmail/public<br />
<br />
Finally, create and modify your global ACL file to allow users access to these folders:<br />
<br />
{{hc|/etc/dovecot/dovecot-acl|2=<br />
public/* user=admin@example.com lrwstipekxa<br />
}}<br />
<br />
In the above example, user {{ic|admin@example.com}} has access to, and can do anything to, all the public folders. Edit to fit your specific needs.<br />
<br />
{{Note|<br />
* {{ic|lrwstipekxa}} are the permissions being granted. Visit the Dovecot wiki for further details.<br />
* Make sure the user subscribes to the folders in the client they are using.<br />
}}<br />
<br />
=== Fighting Spam ===<br />
<br />
As an alternative to SpamAssassin, consider {{AUR|rspamd}}. Out of the box, it delivers an amazing amount of spam reduction, greylisting, etc and includes a nifty webui. See also [https://thomas-leister.de/en/mailserver-debian-stretch/].<br />
<br />
== Sidenotes ==<br />
<br />
=== Alternative vmail folder structure ===<br />
<br />
Instead of having a directory structure like {{ic|/home/vmail/example.com/user@example.com}} you can have cleaner subdirectories (without the additional domain name) by replacing {{ic|select_field}} and {{ic|where_field}} with:<br />
{{bc|1=query = SELECT CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',SUBSTRING_INDEX(email,'@',1),'/') FROM users WHERE email='%s'}}<br />
<br />
== Troubleshooting ==<br />
<br />
=== IMAP/POP3 client failing to receive mails ===<br />
<br />
If you get errors of this kind, look into {{ic|/var/log/mail.log}} or use {{ic|journalctl -xn --unit postfix.service}} to find out more.<br />
<br />
The Maildir {{ic|/home/vmail/mail@domain.tld}} is only created when the first message is delivered to it; until then the directory does not exist, so a client that connects before any mail has arrived will fail to open the mailbox.<br />
<br />
=== Roundcube not able to delete emails or view any 'standard' folders ===<br />
<br />
Ensure that the Roundcube {{ic|config.inc.php}} file contains the following ({{ic|$config}} replaces {{ic|$rcmail_config}} in current Roundcube releases):<br />
<br />
{{bc|1=<br />
$rcmail_config['default_imap_folders'] = array('INBOX', 'Drafts', 'Sent', 'Junk', 'Trash');<br />
$rcmail_config['create_default_folders'] = true;<br />
$rcmail_config['protect_default_folders'] = true;<br />
}}<br />
<br />
=== LMTP / Sieve ===<br />
<br />
Is LMTP not connecting to sieve? Ensure that your server is not routing the messages locally. This can be set in {{ic| /etc/postfix/main.cf}}:<br />
<br />
{{bc|1=<br />
mydestination = <br />
}}<br />
<br />
=== Are your emails sent to gmail users ending up in their junk/spam folders? ===<br />
<br />
Google gmail (and most other large email providers) will send your emails straight into your recipients junk / spam folder if you have not implemented SPF / DKIM / DMARC policies. (Hint: Rspamd, via the link above, shows you how to set this up, and will DKIM sign your emails.)<br />
<br />
== See also ==<br />
<br />
* [[Gentoo:Complete Virtual Mail Server]]</div>
Timeline.menu: https://wiki.archlinux.org/index.php?title=Postfix_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)&diff=558344 Postfix (简体中文) 2018-12-05T04:29:40Z<p>Timeline.menu: translated up to "Start"</p>
<hr />
<div>[[Category:Mail server (简体中文)]]<br />
[[en:Postfix]]<br />
[[ja:Postfix]]<br />
{{Related articles start}}<br />
{{Related|Postfix with SASL}}<br />
{{Related|Virtual user mail system}}<br />
{{Related|OpenDMARC}}<br />
{{Related|OpenDKIM}}<br />
{{Related articles end}}<br />
[[Wikipedia:Postfix (software)|Postfix]] is a [[mail transfer agent]]. According to its [http://www.postfix.org/ official website], it:<br />
:attempts to be fast, easy to administer, and secure, while at the same time being sendmail compatible enough to not upset existing users. Thus, the outside has a sendmail-ish flavor, but the inside is completely different.<br />
<br />
This article builds on [[Mail server]]. Its goal is to set up Postfix and explain what the basic configuration files do. Two delivery setups are described: local system users and virtual users.<br />
<br />
== Installation ==<br />
<br />
[[Install]] the {{Pkg|postfix}} package.<br />
<br />
== Configuration ==<br />
<br />
Refer to the upstream [http://www.postfix.org/BASIC_CONFIGURATION_README.html Postfix Basic Configuration] guide. The default configuration files live in {{ic|/etc/postfix}}. Two of them are particularly important:<br />
<br />
* {{ic|master.cf}}, defines which Postfix services are enabled and how clients connect to them, see {{man|5|master}}<br />
* {{ic|main.cf}}, the main configuration file, see {{man|5|postconf}}<br />
<br />
After changing the configuration, [[reload]] {{ic|postfix.service}} for the changes to take effect.<br />
<br />
=== Aliases ===<br />
<br />
See {{man|5|aliases|url=https://jlk.fjfi.cvut.cz/arch/manpages/man/postfix/aliases.5.en}}.<br />
<br />
The aliases file is {{ic|/etc/postfix/aliases}}. Aliases (sometimes called forwarders) are specified in it.<br />
<br />
Map all mail addressed to root to another account, because reading mail as root is not a good idea.<br />
<br />
Uncomment the following line and replace {{ic|you}} with the real account you want to use:<br />
 root: you<br />
<br />
Once you have edited {{ic|/etc/postfix/aliases}}, run postalias:<br />
 postalias /etc/postfix/aliases<br />
For later changes you can use:<br />
 newaliases<br />
<br />
{{Tip|Alternatively, create a {{ic|~/.forward}} file for root, i.e. {{ic|/root/.forward}}, and put in it the user to whom root's mail should be forwarded, e.g. ''user@localhost''.<br />
<br />
{{hc|/root/.forward|<br />
user@localhost<br />
}}<br />
<br />
}}<br />
<br />
=== Local mail ===<br />
<br />
To deliver mail only to local system users (those present in {{ic|/etc/passwd}}), update the following lines in {{ic|/etc/postfix/main.cf}} (uncomment, change or add them):<br />
<br />
 myhostname = localhost<br />
 mydomain = localdomain<br />
 mydestination = $myhostname, localhost.$mydomain, $mydomain<br />
 inet_interfaces = $myhostname, localhost<br />
 mynetworks_style = host<br />
 default_transport = error: outside mail is not deliverable<br />
<br />
Leave all other settings unchanged. After this you may want to configure some [[#Aliases]] and then [[#Start Postfix]].<br />
<br />
=== Virtual mail ===<br />
Virtual mail accounts are not stored in the local system's {{ic|/etc/passwd}}; a database can hold the user accounts instead.<br />
<br />
See [[Virtual user mail system with Postfix, Dovecot and Roundcube]] for a detailed description of how to set this up.<br />
<br />
=== Check configuration ===<br />
<br />
Run {{ic|postfix check}} to validate the configuration. It reports anything you may have misspelled in the configuration files.<br />
<br />
{{ic|postconf}} prints the whole configuration; {{ic|postconf -n}} prints only the settings that differ from the defaults.<br />
<br />
== Start Postfix ==<br />
<br />
{{Note|Even if you did not set up any [[#Aliases]], {{ic|newaliases}} must be run at least once before Postfix will work.}}<br />
[[Start/enable]] {{ic|postfix.service}}.<br />
<br />
== TLS ==<br />
<br />
{{Warning|If you deploy [[Wikipedia:TLS|TLS]], be sure to follow [https://weakdh.org/sysadmin.html weakdh.org's guide] to prevent FREAK/Logjam. Since mid-2015, the default settings have been safe against [[Wikipedia:POODLE|POODLE]]. For more information see [[Server-side TLS]].}}<br />
<br />
You need to [[obtain a certificate]].<br />
<br />
For more information, see [http://www.postfix.org/TLS_README.html Postfix TLS Support].<br />
<br />
=== Secure SMTP (sending) ===<br />
<br />
By default, Postfix/sendmail will not send email encrypted to other SMTP servers. To use TLS when available, add the following line to {{ic|main.cf}}:<br />
{{hc|/etc/postfix/main.cf|2=<br />
smtp_tls_security_level = may<br />
}}<br />
<br />
To ''enforce'' TLS (and fail when the remote server does not support it), change {{ic|may}} to {{ic|encrypt}}. Note, however, that this violates [[RFC:2487]] if the SMTP server is publicly referenced.<br />
<br />
=== Secure SMTP (receiving) ===<br />
<br />
{{Out of date|Port 465 has been reinstated for SMTPS by [[RFC:8314]].}}<br />
<br />
By default, Postfix does not offer TLS to connecting clients.<br />
<br />
To enable STARTTLS over SMTP (port 587, the proper way of securing SMTP), add the following lines to {{ic|main.cf}}<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
smtpd_tls_security_level = may<br />
smtpd_tls_cert_file = '''/path/to/cert.pem'''<br />
smtpd_tls_key_file = '''/path/to/key.pem'''<br />
}}<br />
<br />
In {{ic|master.cf}}, find and uncomment the following lines to enable the service on that port with the correct settings. The {{ic|-o}} lines must stay indented, because they continue the {{ic|submission}} entry:<br />
<br />
{{hc|/etc/postfix/master.cf|2=<br />
submission inet n       -       n       -       -       smtpd<br />
  -o syslog_name=postfix/submission<br />
  -o smtpd_tls_security_level=encrypt<br />
  -o smtpd_sasl_auth_enable=yes<br />
  -o smtpd_tls_auth_only=yes<br />
  -o smtpd_reject_unlisted_recipient=no<br />
#  -o smtpd_client_restrictions=$mua_client_restrictions<br />
#  -o smtpd_helo_restrictions=$mua_helo_restrictions<br />
#  -o smtpd_sender_restrictions=$mua_sender_restrictions<br />
  -o smtpd_recipient_restrictions=<br />
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject<br />
  -o milter_macro_daemon_name=ORIGINATING<br />
}}<br />
The {{ic|smtpd_*_restrictions}} options remain commented because {{ic|$mua_*_restrictions}} are not defined in main.cf by default. If you do decide to set any of {{ic|$mua_*_restrictions}}, uncomment those lines too.<br />
<br />
If you need support for the deprecated SMTPS port 465, also follow the next section.<br />
<br />
==== SMTPS (port 465) ====<br />
<br />
The deprecated method of securing SMTP is using the '''wrapper mode''' which uses the system service '''smtps''' as a non-standard service and runs on port 465.<br />
<br />
To enable it, uncomment the following lines in {{ic|master.cf}}:<br />
<br />
{{hc|/etc/postfix/master.cf|<nowiki><br />
smtps     inet  n       -       n       -       -       smtpd<br />
  -o syslog_name=postfix/smtps<br />
  -o smtpd_tls_wrappermode=yes<br />
  -o smtpd_sasl_auth_enable=yes<br />
  -o smtpd_reject_unlisted_recipient=no<br />
#  -o smtpd_client_restrictions=$mua_client_restrictions<br />
#  -o smtpd_helo_restrictions=$mua_helo_restrictions<br />
#  -o smtpd_sender_restrictions=$mua_sender_restrictions<br />
  -o smtpd_recipient_restrictions=<br />
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject<br />
  -o milter_macro_daemon_name=ORIGINATING<br />
</nowiki>}}<br />
<br />
The rationale surrounding the {{ic|$smtpd_*_restrictions}} lines is the same as above.<br />
<br />
After this, verify that these lines are in {{ic|/etc/services}}:<br />
smtps 465/tcp # Secure SMTP<br />
smtps 465/udp # Secure SMTP<br />
<br />
If they are not there, go ahead and add them (replace the other listing for port 465). Otherwise Postfix will not start and you will get the following error:<br />
<br />
''postfix/master[5309]: fatal: 0.0.0.0:smtps: Servname not supported for ai_socktype''<br />
<br />
== Tips and tricks ==<br />
<br />
=== Blacklist incoming emails ===<br />
<br />
Manually blacklisting incoming emails by sender address can easily be done with Postfix. <br />
<br />
Create {{ic|/etc/postfix/blacklist_incoming}} and add one line per sender address to reject:<br />
<br />
 user@example.com REJECT<br />
<br />
Then use {{ic|postmap}} to build the lookup database next to it:<br />
<br />
 # postmap hash:/etc/postfix/blacklist_incoming<br />
<br />
Put a {{ic|check_sender_access}} lookup in front of the first permit rule of {{ic|smtpd_recipient_restrictions}} in {{ic|main.cf}}; for example, if your list is currently {{ic|permit_mynetworks, reject_unauth_destination}}:<br />
<br />
 smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/blacklist_incoming, permit_mynetworks, reject_unauth_destination<br />
<br />
Keep in mind that the envelope sender is trivially forged, so this only stops mail that claims to come from exactly that address; it is not a substitute for spam filtering.<br />
<br />
Finally [[restart]] {{ic|postfix.service}}.<br />
<br />
===Hide the sender's IP and user agent in the Received header===<br />
This is mostly a privacy concern: when you send a message with a client such as Thunderbird, the Received header that Postfix adds contains your LAN and WAN IP addresses, and the User-Agent header reveals which client you used.<br />
(Original source: [http://askubuntu.com/questions/78163/when-sending-email-with-postfix-how-can-i-hide-the-senders-ip-and-username-in AskUbuntu])<br />
The goal is to remove these headers from outgoing emails. Note that {{ic|smtp_header_checks}} acts on everything the Postfix SMTP client sends out, so it also strips the Received trail from mail this server merely forwards, which makes delivery problems and mail loops harder to trace. The change is done in the following steps:<br />
<br />
Add the following line to {{ic|main.cf}}:<br />
<br />
smtp_header_checks = regexp:/etc/postfix/smtp_header_checks<br />
<br />
Create {{ic|/etc/postfix/smtp_header_checks}} with this content:<br />
<br />
/^Received: .*/ IGNORE<br />
/^User-Agent: .*/ IGNORE<br />
<br />
Finally, [[restart]] {{ic|postfix.service}}.<br />
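To see what the two IGNORE rules do to a message before restarting Postfix, the following added example (not from the original page and not Postfix code) applies the same regexp table to a constructed outgoing message. Like Postfix, it matches each pattern against a logical header, i.e. a header line together with its folded continuation lines, so a multi-line Received: header is dropped as a whole. Only the IGNORE action is modelled; the sample message and its addresses are made up.<br />

```python
"""Emulate Postfix header_checks IGNORE rules on a constructed message.
Added example, not part of the original page and not Postfix code; it models
only the IGNORE action and logical-header (folded line) matching.
"""
import re

# The same rules as /etc/postfix/smtp_header_checks, as (pattern, action) pairs.
SMTP_HEADER_CHECKS = [
    (r"^Received: .*", "IGNORE"),
    (r"^User-Agent: .*", "IGNORE"),
]

# Constructed outgoing message: the folded Received: header carries the client's
# LAN and WAN addresses (documentation-range IPs) that the rules are meant to strip.
SAMPLE_MESSAGE = (
    "Received: from [192.168.1.23] (dyn-7.example.net [198.51.100.7])\n"
    "\tby mail.example.com (Postfix) with ESMTPSA id 4ABCD\n"
    "\tfor <bob@example.org>; Mon, 1 Jan 2024 10:00:00 +0000\n"
    "From: alice@example.com\n"
    "To: bob@example.org\n"
    "User-Agent: Mozilla Thunderbird\n"
    "Subject: hello\n"
    "\n"
    "body text\n"
)


def split_logical_headers(raw: str) -> tuple[list[str], str]:
    """Split a message into logical header lines and the body.

    Lines starting with whitespace continue the previous header and stay attached to it.
    """
    head, _, body = raw.partition("\n\n")
    headers: list[str] = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\n" + line
        else:
            headers.append(line)
    return headers, body


def apply_header_checks(raw: str, rules=SMTP_HEADER_CHECKS) -> str:
    """Return the message with every header removed whose first matching rule is IGNORE.

    Postfix regexp tables match case-insensitively by default, hence re.IGNORECASE;
    re.DOTALL lets '.*' extend over the continuation lines of a folded header.
    """
    compiled = [(re.compile(pat, re.IGNORECASE | re.DOTALL), act) for pat, act in rules]
    headers, body = split_logical_headers(raw)
    kept = []
    for header in headers:
        action = next((act for rx, act in compiled if rx.match(header)), None)
        if action != "IGNORE":
            kept.append(header)
    return "\n".join(kept) + "\n\n" + body


if __name__ == "__main__":
    print(apply_header_checks(SAMPLE_MESSAGE))
```

Postfix itself reports the same decision in the mail log as a {{ic|header IGNORE}} line for each stripped header, which is the place to look after the restart if you are unsure the table is being applied.<br />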
<br />
=== Postfix in a chroot jail ===<br />
Postfix is not put in a chroot jail by default. The Postfix documentation [http://www.postfix.org/BASIC_CONFIGURATION_README.html#chroot_setup] provides details about how to accomplish such a jail. The steps are outlined below and are based on the chroot-setup script provided in the Postfix source code.<br />
<br />
First, go into the {{ic|master.cf}} file in the directory {{ic|/etc/postfix}} and change all the chroot entries to 'yes' (y) except for the services {{ic|qmgr}}, {{ic|proxymap}}, {{ic|proxywrite}}, {{ic|local}}, and {{ic|virtual}}<br />
<br />
Second, define a small helper that copies files matching a pattern into a directory of the jail (used in the last step):<br />
CP="cp -p"<br />
<br />
cond_copy() {<br />
# find files as per pattern in $1<br />
# if any, copy to directory $2<br />
dir=`dirname "$1"`<br />
pat=`basename "$1"`<br />
lr=`find "$dir" -maxdepth 1 -name "$pat"`<br />
if test ! -d "$2" ; then exit 1 ; fi<br />
if test "x$lr" != "x" ; then $CP $1 "$2" ; fi<br />
}<br />
<br />
Next, make the new directories for the jail:<br />
set -e<br />
umask 022<br />
<br />
POSTFIX_DIR=${POSTFIX_DIR-/var/spool/postfix}<br />
cd ${POSTFIX_DIR}<br />
<br />
mkdir -p etc lib usr/lib/zoneinfo<br />
test -d /lib64 && mkdir -p lib64<br />
<br />
Find the localtime file<br />
lt=/etc/localtime<br />
if test ! -f $lt ; then lt=/usr/lib/zoneinfo/localtime ; fi<br />
if test ! -f $lt ; then lt=/usr/share/zoneinfo/localtime ; fi<br />
if test ! -f $lt ; then echo "cannot find localtime" ; exit 1 ; fi<br />
rm -f etc/localtime<br />
<br />
Copy localtime and some other system files into the chroot's etc<br />
$CP -f $lt /etc/services /etc/resolv.conf /etc/nsswitch.conf etc<br />
$CP -f /etc/host.conf /etc/hosts /etc/passwd etc<br />
ln -s -f /etc/localtime usr/lib/zoneinfo<br />
<br />
Copy required libraries into the chroot using the previously created function {{ic|cond_copy}}<br />
cond_copy '/usr/lib/libnss_*.so*' lib<br />
cond_copy '/usr/lib/libresolv.so*' lib<br />
cond_copy '/usr/lib/libdb.so*' lib<br />
<br />
And don't forget to reload Postfix.<br />
<br />
<br />
=== DANE (DNSSEC) ===<br />
==== Resource Record ====<br />
<br />
{{warning|This is not a trivial section. Make sure you understand what you are doing, and read [https://dane.sys4.de/common_mistakes Common Mistakes] first.}}<br />
<br />
[[DANE]] supports several types of TLSA records, but not all of them are usable with Postfix.<br />
<br />
The Postfix SMTP client ignores certificate usage 0 (PKIX-TA), treats usage 1 (PKIX-EE) as usage 3, and supports usage 2 (DANE-TA) only when the server sends the trust-anchor certificate in its chain. Publish a usage 3 record, normally {{ic|3 1 1}} (DANE-EE, SubjectPublicKeyInfo, SHA-256), and publish the record for a new key before the key goes live, not after.<br />
More on [[DANE#Resource Record|Resource Records]].<br />
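To see what a usable record looks like, here is an added example (not Postfix code) that builds the TLSA RDATA from DER bytes, emits the zone line for the MX host, and reports how the Postfix SMTP client will treat a given usage value. The sample SubjectPublicKeyInfo is a constructed placeholder (the DER header of an Ed25519 key followed by 32 arbitrary bytes) so the code runs offline; on a real server the bytes come from {{ic|openssl x509 -in cert.pem -noout -pubkey {{!}} openssl pkey -pubin -outform DER}}.<br />

```python
"""Build TLSA records for Postfix DANE and classify published ones.

Added example for this section, not Postfix code.  Input is DER: the whole
certificate for selector 0, or the SubjectPublicKeyInfo for selector 1.
SAMPLE_SPKI is a constructed placeholder (Ed25519 SPKI header + 32 arbitrary
bytes); in practice obtain the bytes with
  openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER
"""
import hashlib

# How the Postfix SMTP client handles each certificate usage (TLS_README, DANE
# section): PKIX-TA(0) is ignored, PKIX-EE(1) is handled like DANE-EE(3), and
# DANE-TA(2) only works when the server includes the TA certificate in its chain.
USAGE_HANDLING = {
    0: "unusable: PKIX-TA records are ignored by the Postfix SMTP client",
    1: "treated as 3: PKIX-EE is handled as DANE-EE",
    2: "DANE-TA: trust anchor; the server must send the TA certificate in its chain",
    3: "DANE-EE: end-entity match, the recommended usage",
}
SELECTORS = {0: "full certificate", 1: "SubjectPublicKeyInfo"}
MATCHING = {1: hashlib.sha256, 2: hashlib.sha512}   # matching type -> digest


def tlsa_rdata(der: bytes, usage: int = 3, selector: int = 1, matching: int = 1) -> str:
    """RDATA for one TLSA record; the default is the recommended "3 1 1"."""
    if usage not in USAGE_HANDLING or selector not in SELECTORS or matching not in MATCHING:
        raise ValueError("unsupported TLSA usage, selector or matching type")
    return f"{usage} {selector} {matching} {MATCHING[matching](der).hexdigest()}"


def tlsa_record(mx_host: str, der: bytes, port: int = 25, **params) -> str:
    """Zone-file line.  The owner name is the MX host (the name the TLS
    connection is made to), not the mail domain, and its zone must be DNSSEC-signed."""
    return f"_{port}._tcp.{mx_host.rstrip('.')}. IN TLSA {tlsa_rdata(der, **params)}"


def classify(rdata: str) -> str:
    """Sanity-check a published RDATA string and say what Postfix will do with it."""
    usage, selector, matching, digest = rdata.split()
    usage, selector, matching = int(usage), int(selector), int(matching)
    if selector not in SELECTORS or matching not in MATCHING:
        raise ValueError("unknown selector or matching type")
    expected = MATCHING[matching]().digest_size * 2
    if len(digest) != expected or any(c not in "0123456789abcdefABCDEF" for c in digest):
        raise ValueError(f"digest must be {expected} hex characters for matching type {matching}")
    return USAGE_HANDLING.get(usage, "unknown usage")


# Constructed placeholder key: DER prefix of an Ed25519 SubjectPublicKeyInfo
# (SEQUENCE, AlgorithmIdentifier id-Ed25519, BIT STRING) followed by 32 bytes.
SAMPLE_SPKI = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))

if __name__ == "__main__":
    print(tlsa_record("mail.example.com", SAMPLE_SPKI))
    print(classify("1 1 1 " + "ab" * 32))
```

A {{ic|3 1 1}} record pins the public key rather than the certificate, so renewing the certificate with the same key (as {{ic|certbot --reuse-key}} does) needs no DNS change; a key rollover does, and the new record must have been published for at least the old record's TTL before the new key is used.<br />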
<br />
==== Configuration ====<br />
<br />
{{Expansion|What does ''tempfail'' mean?}}<br />
<br />
Opportunistic DANE for all outgoing mail is configured in {{ic|main.cf}}; the obsolete {{ic|smtpd_use_tls}} spelling is replaced by its equivalent {{ic|smtpd_tls_security_level}}:<br />
{{hc|/etc/postfix/main.cf|<nowiki><br />
smtpd_tls_security_level = may<br />
smtp_dns_support_level = dnssec<br />
smtp_tls_security_level = dane<br />
</nowiki>}}<br />
<br />
{{Note|DANE is only as trustworthy as the DNSSEC validation behind it. {{ic|1=smtp_dns_support_level = dnssec}} needs a validating resolver whose answers reach Postfix unmodified, in practice one running on the same host and listed first in {{ic|/etc/resolv.conf}}, because Postfix relies on the AD bit set by that resolver.}}<br />
<br />
Alternatively, leave the global settings at their defaults and define a dedicated {{ic|dane}} transport in {{ic|master.cf}} that is selected per destination (see below):<br />
{{hc|/etc/postfix/master.cf|<nowiki><br />
dane unix - - n - - smtp<br />
-o smtp_dns_support_level=dnssec<br />
-o smtp_tls_security_level=dane<br />
</nowiki>}}<br />
<br />
To use per-domain policies, e.g. opportunistic DANE for example.org and mandatory DANE for example.com, use something like the following, and run {{ic|postmap}} on both lookup tables afterwards:<br />
{{hc|/etc/postfix/main.cf|<nowiki><br />
indexed = ${default_database_type}:${config_directory}/<br />
<br />
# Per-destination TLS policy<br />
#<br />
smtp_tls_policy_maps = ${indexed}tls_policy<br />
<br />
# default_transport = smtp, but some destinations are special:<br />
#<br />
transport_maps = ${indexed}transport<br />
</nowiki>}}<br />
<br />
{{hc|transport|<br />
example.com dane<br />
example.org dane<br />
}}<br />
<br />
{{hc|tls_policy|<br />
example.com dane-only<br />
}}<br />
<br />
{{Note|For global mandatory DANE, set {{ic|smtp_tls_security_level}} to {{ic|dane-only}}. Be aware that Postfix then tempfails (defers with a {{ic|4.X.X}} temporary error, so the mail stays queued and is retried) every delivery to a destination that publishes no usable TLSA records or whose DNS is not DNSSEC-signed!}}<br />
<br />
Full documentation is found [http://www.postfix.org/TLS_README.html#client_tls_dane here].<br />
<br />
== Extras ==<br />
<br />
* {{App|[[PostfixAdmin]]|A web-based administrative interface for Postfix.|http://postfixadmin.sourceforge.net/|{{Pkg|postfixadmin}}}}<br />
<br />
=== Postgrey ===<br />
<br />
{{Style|See [[Help:Style]]}}<br />
<br />
[http://postgrey.schweikert.ch/ Postgrey] can be used to enable [[Wikipedia:Greylisting|greylisting]] for a Postfix mail server.<br />
<br />
==== Installation ====<br />
<br />
[[Install]] the {{Pkg|postgrey}} package. To get it running quickly, add the policy service to the Postfix configuration; if you already have a restriction list, place it after {{ic|reject_unauth_destination}} so that only mail you would accept anyway is greylisted:<br />
{{hc|/etc/postfix/main.cf|<nowiki><br />
smtpd_recipient_restrictions =<br />
check_policy_service inet:127.0.0.1:10030<br />
</nowiki>}}<br />
<br />
Then [[start/enable]] the {{ic|postgrey}} service. Afterwards, reload the {{ic|postfix}} service. Now greylisting should be enabled.<br />
<br />
==== Configuration ====<br />
<br />
Configuration is done by overriding {{ic|ExecStart}} of {{ic|postgrey.service}} with a [[systemd#Drop-in files|drop-in file]] rather than copying the whole unit to {{ic|/etc/systemd/system/}}, so that updates to the packaged unit still apply. The first, empty {{ic|1=ExecStart=}} clears the packaged command line; {{ic|%%}} is how a literal {{ic|%}} is written in unit files:<br />
<br />
{{hc|/etc/systemd/system/postgrey.service.d/override.conf|2=<br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/postgrey --inet=127.0.0.1:10030 \<br />
--pidfile=/run/postgrey/postgrey.pid \<br />
--group=postgrey --user=postgrey \<br />
--daemonize \<br />
--greylist-text="Greylisted for %%s seconds" \<br />
--auto-whitelist-clients<br />
}}<br />
<br />
Afterwards run {{ic|systemctl daemon-reload}} and [[restart]] {{ic|postgrey.service}}.<br />
<br />
==== Whitelisting ====<br />
To enable automatic whitelisting (clients that have completed deliveries are whitelisted and do not have to wait again), add the {{ic|<nowiki>--auto-whitelist-clients=N</nowiki>}} option as in the override above, where {{ic|N}} is the number of successful deliveries required; when {{ic|N}} is omitted the default of 5 is used.<br />
<br />
To add your own list of whitelisted clients in addition to the default ones, create the file {{ic|/etc/postfix/whitelist_clients.local}} and enter one host or domain per line, then restart {{ic|postgrey.service}} so the changes take effect.<br />
<br />
==== Troubleshooting ====<br />
<br />
If you specify {{ic|1=--unix=/path/to/socket}} and the socket file is not created ensure you have removed the default {{ic|1=--inet=127.0.0.1:10030}} from the service file. <br />
<br />
For a full documentation of possible options see {{ic|perldoc postgrey}}.<br />
<br />
=== SpamAssassin ===<br />
<br />
This section describes how to integrate [[SpamAssassin]].<br />
<br />
==== SpamAssassin stand-alone generic setup ====<br />
<br />
{{Note|If you want to combine SpamAssassin with Dovecot mail filtering, skip this subsection and continue with one of the Dovecot variants below.}}<br />
<br />
Edit {{ic|/etc/postfix/master.cf}} and add the content filter under smtp.<br />
{{bc|1=<br />
smtp inet n - n - - smtpd<br />
-o content_filter=spamassassin<br />
}}<br />
<br />
Also add the following service entry for SpamAssassin<br />
{{bc|1=<br />
spamassassin unix - n n - - pipe<br />
flags=R user=spamd argv=/usr/bin/vendor_perl/spamc -e /usr/bin/sendmail -oi -f ${sender} ${recipient}<br />
}}<br />
<br />
Now [[start/enable]] {{ic|spamassassin.service}}.<br />
<br />
==== SpamAssassin combined with Dovecot LDA / Sieve (Mailfiltering) ====<br />
Set up LDA and the Sieve plugin as described in [[Dovecot#Sieve]], but skip its last step, the {{ic|mailbox_command}} line.<br />
<br />
Instead add a pipe service in {{ic|/etc/postfix/master.cf}}:<br />
{{hc|/etc/postfix/master.cf|2=<br />
dovecot unix - n n - - pipe<br />
flags=DRhu user=vmail:vmail argv=/usr/bin/vendor_perl/spamc -u spamd -e /usr/lib/dovecot/dovecot-lda -f ${sender} -d ${recipient}<br />
}}<br />
<br />
And activate it in {{ic|/etc/postfix/main.cf}}:<br />
{{hc|/etc/postfix/main.cf|2=<br />
virtual_transport = dovecot<br />
}}<br />
<br />
==== SpamAssassin combined with Dovecot LMTP / Sieve ====<br />
Set up the LMTP and Sieve as described in [[Dovecot#Sieve]].<br />
<br />
Edit {{ic|/etc/dovecot/conf.d/90-plugins.conf}} and add the following inside the existing {{ic|plugin}} section. Dovecot does not allow comments at the end of a setting line, so the comment has to sit on its own line:<br />
<br />
{{hc|/etc/dovecot/conf.d/90-plugins.conf|2=<br />
sieve_before = /etc/dovecot/sieve.before.d/<br />
sieve_extensions = +vnd.dovecot.filter<br />
sieve_plugins = sieve_extprograms<br />
sieve_filter_bin_dir = /etc/dovecot/sieve-filter<br />
# raised from the default of 10s: a SpamAssassin scan often takes longer<br />
sieve_filter_exec_timeout = 120s<br />
}}<br />
<br />
Create the directory and make {{ic|spamc}} available in it as a binary that Dovecot is allowed to run:<br />
<br />
# mkdir /etc/dovecot/sieve-filter<br />
# ln -s /usr/bin/vendor_perl/spamc /etc/dovecot/sieve-filter/spamc<br />
<br />
Create a new file, {{ic|/etc/dovecot/sieve.before.d/spamassassin.sieve}} which contains:<br />
<br />
require [ "vnd.dovecot.filter" ];<br />
filter "spamc" [ "-d", "127.0.0.1", "--no-safe-fallback" ];<br />
<br />
Compile the sieve rules {{ic|spamassassin.svbin}}:<br />
<br />
# cd /etc/dovecot/sieve.before.d<br />
# sievec spamassassin.sieve<br />
<br />
Finally, [[restart]] {{ic|dovecot.service}}.<br />
<br />
===Rule-based mail processing===<br />
Policy services let you fine-tune how Postfix accepts mail.<br />
{{Pkg|postfwd}} and {{AUR|policyd}} provide such services.<br />
They allow you to implement, for example, time-aware grey- and blacklisting of senders and recipients as well as [[SPF]] policy checking.<br />
<br />
Policy services are standalone services and connected to Postfix like this:<br />
{{hc|/etc/postfix/main.cf|<nowiki><br />
smtpd_recipient_restrictions =<br />
...<br />
check_policy_service unix:/run/policyd.sock<br />
check_policy_service inet:127.0.0.1:10040<br />
</nowiki>}}<br />
Placing policy services at the end of the restriction list reduces load, since only mail that passes the earlier, cheaper checks reaches them. Put them after {{ic|reject_unauth_destination}}, so that a policy server can never permit relaying, and before any trailing permit statement, so that all accepted incoming mail is evaluated.<br />
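The delegation protocol these services speak is simple enough to implement directly, which is also the quickest way to see what a tool like postfwd does with each request. The following is an added example, not code from Postfix, postfwd or policyd: a small policy server that parses the attribute/value block Postfix sends, applies a blocked-sender-domain rule and a time-aware greylist, and answers with a Postfix action. The rules, domain names and sample request are constructed for illustration; the listen address matches the {{ic|inet:127.0.0.1:10040}} entry above.<br />

```python
"""Minimal Postfix policy delegation server (SMTPD_POLICY_README protocol).

Added example for this section, not postfwd, policyd or Postfix code.
Postfix writes one request per check_policy_service lookup as "name=value"
lines terminated by an empty line and expects "action=<verdict>" followed by
an empty line; one connection may carry many requests.  The rules, the
blocked domain list and SAMPLE_REQUEST are constructed for illustration and
are not a recommended production policy.
"""
import socketserver
from datetime import datetime, time

BLOCKED_SENDER_DOMAINS = {"spam.example"}   # constructed sample data
TRUSTED_CLIENTS = {"127.0.0.1", "::1"}


def parse_request(raw: str) -> dict:
    """Attribute/value block -> dict.  Stops at the first empty line."""
    attrs = {}
    for line in raw.splitlines():
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs: dict, now: datetime = None) -> str:
    """Return the action for one request.

    Anything that is not an smtpd_access_policy request, and anything the rules
    have no opinion on, gets DUNNO so the remaining smtpd_recipient_restrictions
    decide.  A policy server should never fail open into PERMIT.
    """
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    if attrs.get("client_address") in TRUSTED_CLIENTS:
        return "DUNNO"
    sender = attrs.get("sender", "").lower()
    sender_domain = sender.rpartition("@")[2]
    if sender_domain in BLOCKED_SENDER_DOMAINS:
        return "REJECT sender domain is blocked by local policy"
    # Time-aware greylisting: outside office hours defer unknown senders with a
    # temporary error.  DEFER_IF_PERMIT does not mask a REJECT from a later rule.
    now = now or datetime.now()
    if not time(8, 0) <= now.time() <= time(18, 0):
        return "DEFER_IF_PERMIT greylisted outside office hours, try again later"
    return "DUNNO"


def respond(raw: str, now: datetime = None) -> str:
    """Full request text -> response text exactly as written back to Postfix."""
    return f"action={decide(parse_request(raw), now)}\n\n"


class PolicyHandler(socketserver.StreamRequestHandler):
    """Serve requests until the Postfix smtpd process closes the connection."""

    def handle(self):
        while True:
            lines = []
            for line in self.rfile:
                text = line.decode("utf-8", "replace").rstrip("\r\n")
                if text == "":
                    break
                lines.append(text)
            else:
                return  # EOF before a complete request: nothing to answer
            self.wfile.write(respond("\n".join(lines) + "\n").encode())
            self.wfile.flush()


# Constructed sample request, in the shape Postfix sends at the RCPT stage
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "protocol_name=ESMTP\n"
    "client_address=203.0.113.7\n"
    "client_name=mx.spam.example\n"
    "helo_name=mx.spam.example\n"
    "sender=offer@spam.example\n"
    "recipient=user@example.org\n"
    "\n"
)

if __name__ == "__main__":
    # Listen where main.cf points: check_policy_service inet:127.0.0.1:10040
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler) as server:
        server.serve_forever()
```

Run the file directly to serve on 127.0.0.1:10040. As with any policy server, answer {{ic|DUNNO}} for everything unexpected, so that a bug in the rules cannot turn into a {{ic|PERMIT}} that bypasses the remaining restrictions, and keep {{ic|reject_unauth_destination}} ahead of the {{ic|check_policy_service}} entry.<br />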
<br />
=== Sender Policy Framework ===<br />
<br />
To use the [[Sender Policy Framework]] with Postfix, [[install]] {{AUR|python-postfix-policyd-spf}}.<br />
<br />
Edit {{ic|/etc/python-policyd-spf/policyd-spf.conf}} to your needs. An extensively commented version can be found at {{ic|/etc/python-policyd-spf/policyd-spf.conf.commented}}.<br />
Pay extra attention to the HELO check policy: with the default settings, HELO failures are rejected outright.<br />
<br />
In {{ic|main.cf}}, raise the time limit for the spawned policy daemon so that it is not killed after the default {{ic|command_time_limit}} while an SMTP session is still using it:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
policy-spf_time_limit = 3600s<br />
}}<br />
<br />
Then add a transport<br />
<br />
{{hc|/etc/postfix/master.cf|2=<br />
policy-spf unix - n n - 0 spawn<br />
user=nobody argv=/usr/bin/policyd-spf<br />
}}<br />
<br />
Lastly you need to add the policyd to the {{ic|smtpd_recipient_restrictions}}. To minimize load put it to the end of the restrictions but above any {{ic|reject_rbl_client}} DNSBL line:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
smtpd_recipient_restrictions=<br />
...<br />
permit_sasl_authenticated<br />
permit_mynetworks<br />
reject_unauth_destination<br />
check_policy_service unix:private/policy-spf<br />
}}<br />
<br />
By default ({{ic|1=defaultSeedOnly = 1}}) the policy server runs in test mode: it logs its verdicts and prepends a {{ic|Received-SPF}} header but never rejects or defers mail. Run with that setting first and check the logs; once the results look right, enable enforcement:<br />
<br />
{{hc|/etc/python-policyd-spf/policyd-spf.conf|2=<br />
defaultSeedOnly = 0<br />
}}<br />
<br />
=== Sender Rewriting Scheme ===<br />
<br />
To use the [[Sender Rewriting Scheme]] with Postfix, [[install]] {{AUR|postsrsd}} and adjust the settings:<br />
<br />
{{hc|/etc/postsrsd/postsrsd|2=<br />
SRS_DOMAIN=yourdomain.tld<br />
SRS_EXCLUDE_DOMAINS=yourotherdomain.tld,yet.anotherdomain.tld<br />
SRS_SEPARATOR==<br />
SRS_SECRET=/etc/postsrsd/postsrsd.secret<br />
SRS_FORWARD_PORT=10001<br />
SRS_REVERSE_PORT=10002<br />
RUN_AS=postsrsd<br />
CHROOT=/usr/lib/postsrsd<br />
}}<br />
<br />
[[Start/enable]] {{ic|postsrsd.service}}. Protect the secret file: anyone who can read it can forge SRS addresses that this server will accept as genuine bounces.<br />
Then configure Postfix to call the forward port for envelope senders and the reverse port for recipients:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
sender_canonical_maps = tcp:localhost:10001<br />
sender_canonical_classes = envelope_sender<br />
recipient_canonical_maps = tcp:localhost:10002<br />
recipient_canonical_classes= envelope_recipient,header_recipient<br />
}}<br />
<br />
Restart Postfix and start forwarding mail.<br />
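What postsrsd does on the two ports, as an added example (not postsrsd code and not wire-compatible with it): the forward port rewrites the envelope sender of a forwarded message into an SRS0 address at {{ic|SRS_DOMAIN}} that carries an HMAC and a timestamp, and the reverse port maps a bounce to such an address back to the original sender only if the HMAC verifies and the address has not expired. The HMAC input order, base32 timestamp and four-character hash follow the published SRS scheme as assumed here; the secret, dates and addresses are constructed, and the SRS1 case (re-forwarding an already rewritten address) is not handled.<br />

```python
"""SRS0 forward and reverse rewriting, the job postsrsd does on the two ports above.

Added example for this section, not postsrsd code.  The hash input order
(timestamp, lowercased host, local part), the base32 timestamp and the
4-character base64 HMAC prefix follow the published SRS scheme as assumed
here; SECRET is a constructed value, not /etc/postsrsd/postsrsd.secret.
"""
import base64
import hashlib
import hmac
from datetime import date

SRS_DOMAIN = "yourdomain.tld"             # SRS_DOMAIN from /etc/postsrsd/postsrsd
SEP = "="                                 # SRS_SEPARATOR
SECRET = b"constructed example secret"    # whoever holds this can forge bounce addresses
BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"  # SRS timestamp alphabet
HASH_CHARS = 4
MAX_AGE_DAYS = 21
EPOCH = date(1970, 1, 1)
SAMPLE_DAY = date(2024, 3, 29)            # fixed dates so results are reproducible
LATER_DAY = date(2024, 6, 1)


def timestamp(day: date) -> str:
    """Two base32 characters encoding days-since-epoch modulo 1024."""
    days = (day - EPOCH).days
    return BASE32[(days >> 5) & 31] + BASE32[days & 31]


def _mac(ts: str, host: str, local: str) -> str:
    digest = hmac.new(SECRET, (ts + host.lower() + local).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()[:HASH_CHARS]


def forward(sender: str, day: date) -> str:
    """user@example.org -> SRS0=HHHH=TT=example.org=user@yourdomain.tld

    The null sender (bounces), addresses without a domain and senders already
    in SRS_DOMAIN are returned unchanged, as postsrsd leaves them alone too.
    """
    if sender in ("", "<>") or "@" not in sender:
        return sender
    local, _, host = sender.rpartition("@")
    if host.lower() == SRS_DOMAIN:
        return sender
    ts = timestamp(day)
    return f"SRS0{SEP}{_mac(ts, host, local)}{SEP}{ts}{SEP}{host}{SEP}{local}@{SRS_DOMAIN}"


def reverse(address: str, today: date) -> str:
    """Authenticate an SRS0 address and return the original sender, or raise ValueError."""
    local, _, domain = address.rpartition("@")
    prefix = "SRS0" + SEP
    if domain.lower() != SRS_DOMAIN or not local.startswith(prefix):
        raise ValueError("not an SRS0 address of this domain")
    try:
        mac, ts, host, orig_local = local[len(prefix):].split(SEP, 3)
    except ValueError:
        raise ValueError("malformed SRS0 address")
    if len(ts) != 2 or any(c not in BASE32 for c in ts):
        raise ValueError("bad timestamp")
    # Constant-time comparison: the hash is the only thing stopping a forger
    if not hmac.compare_digest(mac.encode(), _mac(ts, host, orig_local).encode()):
        raise ValueError("bad hash: forged address or wrong secret")
    ts_days = (BASE32.index(ts[0]) << 5) | BASE32.index(ts[1])
    age = ((today - EPOCH).days - ts_days) % 1024
    if age > MAX_AGE_DAYS:
        raise ValueError("SRS address expired")
    return f"{orig_local}@{host}"


def is_valid(address: str, today: date) -> bool:
    """True if reverse() would accept the address today."""
    try:
        reverse(address, today)
        return True
    except ValueError:
        return False
```

The reverse check is what makes SRS safe to deploy: without the HMAC and the expiry, anyone could craft an SRS0 address that makes your server relay a "bounce" into an arbitrary mailbox, which is why {{ic|SRS_SECRET}} deserves the same care as a password.<br />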
<br />
== Troubleshooting ==<br />
<br />
=== Warning: "database /etc/postfix/*.db is older than source file .." ===<br />
<br />
If you get one or both warnings with {{ic|journalctl}}<br />
<br />
warning: database /etc/postfix/virtual.db is older than source file /etc/postfix/virtual<br />
warning: database /etc/postfix/transport.db is older than source file /etc/postfix/transport<br />
<br />
then you can fix it by using these commands depending on the messages you get<br />
<br />
postmap /etc/postfix/transport<br />
postmap /etc/postfix/virtual<br />
<br />
and restart {{ic|postfix.service}}<br />
<br />
== See also ==<br />
<br />
* [http://www.postfix.org/documentation.html Official documentation]<br />
* [https://help.ubuntu.com/community/Postfix Postfix Ubuntu documentation]<br />
* [http://linox.be/index.php/2005/07/13/44/ Out of Office] for Squirrelmail {{Dead link|2017|08|23}}</div>
https://wiki.archlinux.org/index.php?title=Virtual_user_mail_system_with_Postfix,_Dovecot_and_Roundcube&diff=558342 Virtual user mail system with Postfix, Dovecot and Roundcube 2018-12-05T02:37:20Z
<p>Timeline.menu: add language zh-hans</p>
<hr />
<div>[[Category:Mail server]]<br />
[[ja:仮想ユーザーメールシステム]]<br />
[[zh-hans:Virtual user mail system with Postfix, Dovecot and Roundcube]]<br />
{{Related articles start}}<br />
{{Related|Courier MTA}}<br />
{{Related|OpenDKIM}}<br />
{{Related|Postfix}}<br />
{{Related|SOGo}}<br />
{{Related articles end}}<br />
{{Merge|Postfix|Article duplicates [[Postfix]], [[Dovecot]] and [[Roundcube]] and mainly consists of config snippets intended to be copy'n'pasted.}}<br />
<br />
This article describes how to set up a virtual user mail system, i.e. where the senders and recipients do not correspond to the Linux system users.<br />
<br />
Roughly, the components used in this article are [[Postfix]] as the mail server, [[Dovecot]] as the IMAP server, [[Roundcube]] as the webmail interface and PostfixAdmin as the administration interface to manage it all.<br />
<br />
The resulting setup accepts mail submission over SMTP with STARTTLS and over SMTPS, serves mailboxes over POP3, POP3S, IMAP and IMAPS, and offers SMTP authentication only over TLS. Administration is done through PostfixAdmin, and users log in through Roundcube.<br />
<br />
== Installation ==<br />
Before you start, you must have both a working MySQL server as described in [[MySQL]] and a working Postfix server as described in [[Postfix]].<br />
<br />
[[Install]] the {{Pkg|dovecot}} and {{Pkg|roundcubemail}} packages.<br />
<br />
== Configuration ==<br />
=== User ===<br />
For security reasons, a new user should be created to store the mails:<br />
# groupadd -g 5000 vmail<br />
# useradd -u 5000 -g vmail -s /usr/bin/nologin -d /home/vmail -m vmail<br />
A gid and uid of 5000 are used so that they do not collide with regular users. All mail will then be stored under {{ic|/home/vmail}}. You could change the home directory to something like {{ic|/var/mail/vmail}}, but be careful to change it in every configuration snippet below as well.<br />
<br />
=== Database ===<br />
You will need to create an empty database and a corresponding user. In this article the user ''postfix_user'' has full access to the database ''postfix_db'' with the password ''hunter2''; replace the password with one of your own. Create the user first and then grant it access (the older {{ic|GRANT ... IDENTIFIED BY}} shorthand is no longer accepted by MySQL 8):<br />
<br />
{{hc|$ mysql -u root -p|<br />
CREATE DATABASE postfix_db;<br />
CREATE USER 'postfix_user'@'localhost' IDENTIFIED BY 'hunter2';<br />
GRANT ALL ON postfix_db.* TO 'postfix_user'@'localhost';<br />
FLUSH PRIVILEGES;<br />
}}<br />
<br />
{{Expansion|Further manual database installation is missing. So far, the only way to follow this article is by installing PostfixAdmin with Apache, MySQL and PHP.}}<br />
<br />
Now you can go to the PostfixAdmin's setup page, let PostfixAdmin create the needed tables and create the users in there.<br />
<br />
==== PostfixAdmin ====<br />
<br />
See [[PostfixAdmin]].<br />
<br />
=== SSL certificate ===<br />
You will need a TLS certificate for all encrypted mail connections (SMTPS/IMAPS/POP3S). If you do not have one, create a self-signed certificate; mail clients will have to trust it explicitly, so for anything public prefer the Let's Encrypt alternative below:<br />
# cd /etc/ssl/private/<br />
# openssl req -new -x509 -nodes -newkey rsa:4096 -keyout vmail.key -out vmail.crt -days 1460 #days are optional<br />
# chmod 400 vmail.key<br />
# chmod 444 vmail.crt<br />
<br />
Alternatively, create a free trusted certificate using [[Let's Encrypt]]. The private key will be in {{ic|/etc/letsencrypt/live/''yourdomain''/privkey.pem}}, the certificate in {{ic|/etc/letsencrypt/live/''yourdomain''/fullchain.pem}}. Either change the configuration accordingly, or symlink the keys to {{ic|/etc/ssl/private}}:<br />
# ln -s /etc/letsencrypt/live/''yourdomain''/privkey.pem /etc/ssl/private/vmail.key<br />
# ln -s /etc/letsencrypt/live/''yourdomain''/fullchain.pem /etc/ssl/private/vmail.crt<br />
<br />
=== Postfix ===<br />
<br />
Before you copy and paste the configuration below, check whether {{ic|relay_domains}} has already been set. If it is set more than once, you will receive warnings at runtime.<br />
<br />
{{Warning|{{ic|<nowiki>relay_domains</nowiki>}} can be dangerous. You usually do not want Postfix to forward mail of strangers. {{ic|<nowiki>$mydestination</nowiki>}} is a sane default value. Double check its value before running postfix! See http://www.postfix.org/BASIC_CONFIGURATION_README.html#relay_to}} <br />
<br />
Also follow [[Postfix#Secure SMTP (receiving)]] pointing to the files you created in [[#SSL certificate]].<br />
<br />
==== Setting up Postfix ====<br />
<br />
To {{ic|/etc/postfix/main.cf}} append:<br />
relay_domains = $mydestination<br />
virtual_alias_maps = proxy:mysql:/etc/postfix/virtual_alias_maps.cf<br />
virtual_mailbox_domains = proxy:mysql:/etc/postfix/virtual_mailbox_domains.cf<br />
virtual_mailbox_maps = proxy:mysql:/etc/postfix/virtual_mailbox_maps.cf<br />
virtual_mailbox_base = /home/vmail<br />
virtual_mailbox_limit = 512000000<br />
virtual_minimum_uid = 5000<br />
virtual_transport = virtual<br />
virtual_uid_maps = static:5000<br />
virtual_gid_maps = static:5000<br />
local_transport = virtual<br />
local_recipient_maps = $virtual_mailbox_maps<br />
transport_maps = hash:/etc/postfix/transport<br />
<br />
smtpd_sasl_auth_enable = yes<br />
smtpd_sasl_type = dovecot<br />
smtpd_sasl_path = /var/run/dovecot/auth-client<br />
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination<br />
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination<br />
smtpd_sasl_security_options = noanonymous<br />
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options<br />
smtpd_tls_security_level = may<br />
smtpd_tls_auth_only = yes<br />
smtpd_tls_received_header = yes<br />
smtpd_tls_cert_file = /etc/ssl/private/vmail.crt<br />
smtpd_tls_key_file = /etc/ssl/private/vmail.key<br />
smtpd_sasl_local_domain = $mydomain<br />
broken_sasl_auth_clients = yes<br />
smtpd_tls_loglevel = 1<br />
smtp_tls_security_level = may<br />
smtp_tls_loglevel = 1<br />
<br />
* In the configuration above {{ic|virtual_mailbox_domains}} lists the domains you want to receive mail for. This list must not overlap with {{ic|mydestination}}, which is why {{ic|mydestination}} is left at localhost only.<br />
<br />
* {{ic|virtual_mailbox_maps}} maps each virtual user to the location of its mailbox. The one lookup table here that is a plain hash file is {{ic|transport_maps}}; entries in it override the delivery transport for the listed destinations.<br />
<br />
* {{ic|virtual_mailbox_base}} is the base directory under which the virtual mailboxes are stored.<br />
<br />
{{ic|virtual_uid_maps}} and {{ic|virtual_gid_maps}} give the real system user and group that own the stored mail; they only matter for storage.<br />
<br />
{{note|Mail is reached only through Dovecot (IMAP/POP3) and the Roundcube web interface. The {{ic|vmail}} account that owns the mailboxes was created above without a login shell, so it cannot be used to access the system by any other means.}}<br />
<br />
==== Create the file structure ====<br />
<br />
Those new additional settings reference a lot of files that do not even exist yet. We will create them with the following steps.<br />
<br />
If you were setting up your database with PostfixAdmin and created the database schema through PostfixAdmin, you can create the following files. Do not forget to change the password:<br />
<br />
{{hc|/etc/postfix/virtual_alias_maps.cf|<nowiki><br />
user = postfix_user<br />
password = hunter2<br />
hosts = localhost<br />
dbname = postfix_db<br />
table = alias<br />
select_field = goto<br />
where_field = address<br />
</nowiki>}}<br />
<br />
{{hc|/etc/postfix/virtual_mailbox_domains.cf|<nowiki><br />
user = postfix_user<br />
password = hunter2<br />
hosts = localhost<br />
dbname = postfix_db<br />
table = domain<br />
select_field = domain<br />
where_field = domain<br />
</nowiki>}}<br />
<br />
{{hc|/etc/postfix/virtual_mailbox_maps.cf|<nowiki><br />
user = postfix_user<br />
password = hunter2<br />
hosts = localhost<br />
dbname = postfix_db<br />
table = mailbox<br />
select_field = maildir<br />
where_field = username<br />
</nowiki>}}<br />
<br />
For alias domains functionality adjust the following files:<br />
<br />
{{hc|/etc/postfix/main.cf|<nowiki><br />
virtual_alias_maps = proxy:mysql:/etc/postfix/virtual_alias_maps.cf,proxy:mysql:/etc/postfix/virtual_alias_domains_maps.cf<br />
virtual_alias_domains = proxy:mysql:/etc/postfix/virtual_alias_domains.cf<br />
</nowiki>}}<br />
<br />
{{hc|/etc/postfix/virtual_alias_domains_maps.cf|<nowiki><br />
user = postfix_user<br />
password = hunter2<br />
hosts = localhost<br />
dbname = postfix_db<br />
query = SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' and alias.address = CONCAT('%u', '@', alias_domain.target_domain) AND alias.active = 1 AND alias_domain.active='1'<br />
</nowiki>}}<br />
<br />
{{hc|/etc/postfix/virtual_alias_domains.cf|<nowiki><br />
user = postfix_user<br />
password = hunter2<br />
hosts = localhost<br />
dbname = postfix_db<br />
query = SELECT alias_domain FROM alias_domain WHERE alias_domain='%s' AND active = '1'<br />
</nowiki>}}<br />
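To check that the two alias-domain queries above resolve addresses the way you expect before Postfix uses them, here is an added example (not Postfix or PostfixAdmin code) that runs the exact query strings from the two files against an in-memory SQLite copy of the {{ic|alias}} and {{ic|alias_domain}} tables, emulating the {{ic|%s}}, {{ic|%u}} and {{ic|%d}} expansion described in mysql_table(5). Table rows and domain names are constructed, and the quote-doubling used for escaping only approximates what Postfix does with the MySQL client library.<br />

```python
"""Dry run of the PostfixAdmin alias-domain lookups configured above.

Added example, not Postfix or PostfixAdmin code.  It expands %s, %u and %d as
mysql_table(5) describes and runs the two exact query strings from
virtual_alias_domains.cf and virtual_alias_domains_maps.cf against an
in-memory SQLite copy of the tables, so the chain
  recipient -> is its domain an alias domain? -> where does user@target go?
can be checked before Postfix relies on it.  Rows and domains are constructed;
Postfix escapes the key with the MySQL client library, approximated here by
doubling quotes and backslashes.
"""
import sqlite3

# Query strings exactly as written in the two .cf files above
ALIAS_DOMAINS_QUERY = (
    "SELECT alias_domain FROM alias_domain WHERE alias_domain='%s' AND active = '1'"
)
ALIAS_DOMAINS_MAPS_QUERY = (
    "SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' "
    "and alias.address = CONCAT('%u', '@', alias_domain.target_domain) "
    "AND alias.active = 1 AND alias_domain.active='1'"
)


def _escape(value: str) -> str:
    return value.replace("\\", "\\\\").replace("'", "''")


def expand(query: str, key: str):
    """mysql_table(5) expansion: %s is the whole key, %u/%d its local/domain part.

    Returns None when the query needs %u or %d but the key has no @, because
    Postfix then skips the query instead of running it with empty parts.
    """
    local, at, domain = key.partition("@")
    if not at and ("%u" in query or "%d" in query):
        return None
    return (query.replace("%s", _escape(key))
                 .replace("%u", _escape(local))
                 .replace("%d", _escape(domain)))


def open_sample_db() -> sqlite3.Connection:
    """Constructed PostfixAdmin-style tables: alias.example is an active alias
    domain of target.example, old.example a disabled one."""
    conn = sqlite3.connect(":memory:")
    # MySQL's CONCAT() does not exist in SQLite; provide the 3-argument form the query uses
    conn.create_function("CONCAT", 3, lambda a, b, c: a + b + c)
    conn.executescript("""
        CREATE TABLE alias_domain (alias_domain TEXT, target_domain TEXT, active INTEGER);
        CREATE TABLE alias (address TEXT, goto TEXT, active INTEGER);
        INSERT INTO alias_domain VALUES ('alias.example', 'target.example', 1);
        INSERT INTO alias_domain VALUES ('old.example', 'target.example', 0);
        INSERT INTO alias VALUES ('info@target.example', 'bob@target.example', 1);
        INSERT INTO alias VALUES ('sales@target.example', 'carol@target.example', 0);
    """)
    return conn


def lookup(conn: sqlite3.Connection, query: str, key: str) -> list:
    """One Postfix table lookup: the first column of every matching row."""
    sql = expand(query, key)
    if sql is None:
        return []
    return [row[0] for row in conn.execute(sql)]


def resolve(conn: sqlite3.Connection, address: str):
    """What Postfix does with a recipient in a virtual alias domain: None if the
    domain is not an alias domain, otherwise the goto addresses for user@target."""
    domain = address.rpartition("@")[2]
    if not lookup(conn, ALIAS_DOMAINS_QUERY, domain):
        return None
    return lookup(conn, ALIAS_DOMAINS_MAPS_QUERY, address)


if __name__ == "__main__":
    db = open_sample_db()
    for addr in ("info@alias.example", "sales@alias.example", "info@target.example"):
        print(addr, "->", resolve(db, addr))
```

Disabled rows ({{ic|1=active = 0}}) are the usual surprise: an alias that exists in PostfixAdmin but is switched off resolves to nothing, and Postfix then rejects the recipient as unknown rather than reporting why.<br />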
<br />
{{Note | For setups without using PostfixAdmin, create the following files.}}<br />
<br />
{{hc|/etc/postfix/virtual_alias_maps.cf|<nowiki><br />
user = postfix_user<br />
password = hunter2<br />
hosts = localhost<br />
dbname = postfix_db<br />
table = domains<br />
select_field = virtual<br />
where_field = domain<br />
</nowiki>}}<br />
<br />
{{hc|/etc/postfix/virtual_mailbox_domains.cf|<nowiki><br />
user = postfix_user<br />
password = hunter2<br />
hosts = localhost<br />
dbname = postfix_db<br />
table = forwardings<br />
select_field = destination<br />
where_field = source<br />
</nowiki>}}<br />
<br />
{{hc|/etc/postfix/virtual_mailbox_maps.cf|<nowiki><br />
user = postfix_user<br />
password = hunter2<br />
hosts = localhost<br />
dbname = postfix_db<br />
table = users<br />
select_field = concat(domain,'/',email,'/')<br />
where_field = email<br />
</nowiki>}}<br />
<br />
{{ic|transport_maps}} references {{ic|/etc/postfix/transport}}; create it (it may stay empty) and run ''postmap'' on it to generate the database:<br />
# postmap /etc/postfix/transport<br />
<br />
=== Dovecot ===<br />
<br />
Instead of using the provided Dovecot example configuration, create your own {{ic|/etc/dovecot/dovecot.conf}}. Note that the {{ic|auth-client}} socket below is owned by the {{ic|postfix}} user, because it is Postfix's smtpd that connects to it for SASL authentication; the mail itself is owned by {{ic|vmail}}.<br />
<br />
{{hc|/etc/dovecot/dovecot.conf|<nowiki><br />
protocols = imap pop3<br />
auth_mechanisms = plain<br />
passdb {<br />
driver = sql<br />
args = /etc/dovecot/dovecot-sql.conf<br />
}<br />
userdb {<br />
driver = sql<br />
args = /etc/dovecot/dovecot-sql.conf<br />
}<br />
<br />
service auth {<br />
unix_listener auth-client {<br />
group = postfix<br />
mode = 0660<br />
user = postfix<br />
}<br />
user = root<br />
}<br />
<br />
mail_home = /home/vmail/%d/%n<br />
mail_location = maildir:~<br />
<br />
ssl_cert = </etc/ssl/private/vmail.crt<br />
ssl_key = </etc/ssl/private/vmail.key<br />
</nowiki>}}<br />
<br />
{{note|If you instead want to modify {{ic|dovecot.conf.sample}}, beware that the default configuration file imports the content of {{ic|conf.d/*.conf}}. Those files call other files that aren't present in our configuration.}}<br />
<br />
Now we create {{ic|/etc/dovecot/dovecot-sql.conf}}, which we just referenced in the config above. Use the following contents and check if everything is set accordingly to your system's configuration.<br />
<br />
If you used PostfixAdmin, then you add the following:<br />
<br />
{{hc|/etc/dovecot/dovecot-sql.conf|<nowiki><br />
driver = mysql<br />
connect = host=localhost dbname=postfix_db user=postfix_user password=hunter2<br />
# It is highly recommended to not use deprecated MD5-CRYPT. Read more at http://wiki2.dovecot.org/Authentication/PasswordSchemes<br />
default_pass_scheme = SHA512-CRYPT<br />
# Get the mailbox<br />
user_query = SELECT '/home/vmail/%d/%n' as home, 'maildir:/home/vmail/%d/%n' as mail, 5000 AS uid, 5000 AS gid, concat('dirsize:storage=', quota) AS quota FROM mailbox WHERE username = '%u' AND active = '1'<br />
# Get the password<br />
password_query = SELECT username as user, password, '/home/vmail/%d/%n' as userdb_home, 'maildir:/home/vmail/%d/%n' as userdb_mail, 5000 as userdb_uid, 5000 as userdb_gid FROM mailbox WHERE username = '%u' AND active = '1'<br />
# If using client certificates for authentication, comment the above and uncomment the following<br />
#password_query = SELECT null AS password, '%u' AS user<br />
</nowiki>}}<br />
<br />
Without having used PostfixAdmin you can use:<br />
<br />
{{hc|/etc/dovecot/dovecot-sql.conf|<nowiki><br />
driver = mysql<br />
connect = host=localhost dbname=postfix_db user=postfix_user password=hunter2<br />
# It is highly recommended to not use deprecated MD5-CRYPT. Read more at http://wiki2.dovecot.org/Authentication/PasswordSchemes<br />
default_pass_scheme = SHA512-CRYPT<br />
# Get the mailbox<br />
user_query = SELECT '/home/vmail/%d/%n' as home, 'maildir:/home/vmail/%d/%n' as mail, 5000 AS uid, 5000 AS gid, concat('dirsize:storage=', quota) AS quota FROM users WHERE email = '%u'<br />
# Get the password<br />
password_query = SELECT email as user, password, '/home/vmail/%d/%n' as userdb_home, 'maildir:/home/vmail/%d/%n' as userdb_mail, 5000 as userdb_uid, 5000 as userdb_gid FROM users WHERE email = '%u'<br />
# If using client certificates for authentication, comment the above and uncomment the following<br />
#password_query = SELECT null AS password, '%u' AS user<br />
</nowiki>}}<br />
<br />
{{Tip|Visit http://wiki2.dovecot.org/Variables to learn more about Dovecot variables.}}<br />
<br />
==== DH parameters ====<br />
<br />
With v2.3 you are required to provide {{ic|1=ssl_dh = </path/to/dh.pem}} yourself.<br />
<br />
To generate a new DH parameters file (this can take a long time):<br />
<br />
# openssl dhparam -out /etc/dovecot/dh.pem 4096<br />
<br />
then add the file to {{ic|/etc/dovecot/dovecot.conf}}<br />
<br />
ssl_dh = </etc/dovecot/dh.pem<br />
<br />
=== PostfixAdmin ===<br />
See [[PostfixAdmin]].<br />
<br />
To match the configuration in this article, {{ic|config.inc.php}} should contain the following:<br />
<br />
{{hc|/etc/webapps/postfixadmin/config.inc.php|2=<br />
...<br />
$CONF['domain_path'] = 'YES';<br />
$CONF['domain_in_mailbox'] = 'NO';<br />
...<br />
}}<br />
<br />
=== Roundcube ===<br />
<br />
Make sure that both {{ic|1=extension=pdo_mysql}} and {{ic|1=extension=iconv}} are uncommented in your {{ic|php.ini}} file. Also check the {{ic|.htaccess}} for access restrictions. Assuming that localhost is your current host, navigate a browser to {{ic|http://localhost/roundcube/installer/}} and follow the instructions. <br />
<br />
Roundcube needs a separate database to work. You should not use the same database for Roundcube and PostfixAdmin. Create a second database {{ic|roundcube_db}} and a new user named {{ic|roundcube_user}}.<br />
<br />
While running the installer:<br />
<br />
* For the IMAP host, use {{ic|ssl://localhost/}} with port {{ic|993}} (IMAPS) or {{ic|tls://localhost/}} with port {{ic|143}} (STARTTLS), rather than a bare {{ic|localhost}}.<br />
* For the SMTP host, use {{ic|tls://localhost/}} with port {{ic|587}} if you enabled the submission service with STARTTLS, or {{ic|ssl://localhost/}} with port {{ic|465}} if you enabled the SMTPS wrapper-mode service.<br />
* See [[#Postfix]] for an explanation of these modes.<br />
<br />
The post install process is similar to any other webapp like [[PhpMyAdmin]] or PostFixAdmin. The configuration file is in {{ic|/etc/webapps/roundcubemail/config/config.inc.php}} which works as an override over {{ic|default.inc.php}}.<br />
<br />
==== Apache configuration ====<br />
<br />
If you are using Apache, copy the example configuration file to your webserver configuration directory.<br />
<br />
# cp /etc/webapps/roundcubemail/apache.conf /etc/httpd/conf/extra/httpd-roundcubemail.conf<br />
<br />
Add the following line in<br />
<br />
{{hc|/etc/httpd/conf/httpd.conf|<nowiki><br />
Include conf/extra/httpd-roundcubemail.conf<br />
</nowiki>}}<br />
<br />
==== Roundcube: Change Password Plugin ====<br />
<br />
To let users change their passwords from within Roundcube, do the following:<br />
<br />
Enable the password plugin by adding this line to<br />
<br />
{{hc|/etc/webapps/roundcubemail/config/config.inc.php|<nowiki><br />
$config['plugins'] = array('password');<br />
</nowiki>}}<br />
<br />
Configure the password plugin and make sure you alter the settings accordingly. With the {{ic|sql}} driver, {{ic|%c}} inserts a {{ic|crypt()}} hash of the new password; set {{ic|password_crypt_hash}} to {{ic|sha512}} so that the stored hash is the SHA512-CRYPT form that Dovecot's {{ic|default_pass_scheme}} above expects. Otherwise the plugin's default MD5-based crypt hash is written and logins fail after a password change:<br />
<br />
{{hc|/usr/share/webapps/roundcubemail/plugins/password/config.inc.php|<nowiki><br />
$config['password_driver'] = 'sql';<br />
$config['password_db_dsn'] = 'mysql://<postfix_database_user>:<password>@localhost/<postfix_database_name>';<br />
// hash algorithm used for %c; must match Dovecot's default_pass_scheme = SHA512-CRYPT<br />
$config['password_crypt_hash'] = 'sha512';<br />
// alternatively let doveadm pw compute the hash (then use %D instead of %c in the query)<br />
// $config['password_dovecotpw'] = 'doveadm pw';<br />
// $config['password_dovecotpw_method'] = 'SHA512-CRYPT';<br />
// $config['password_dovecotpw_with_method'] = true;<br />
$config['password_query'] = 'UPDATE mailbox SET password=%c WHERE username=%u';<br />
</nowiki>}}<br />
<br />
== Fire it up ==<br />
All necessary daemons must be running to test the configuration: [[start]] {{ic|postfix.service}} and {{ic|dovecot.service}}.<br />
<br />
Now for testing purposes, create a domain and mail account in PostfixAdmin. Try to login to this account using Roundcube. Now send yourself a mail.<br />
<br />
== Testing ==<br />
<br />
{{Style|Needs some cleanup. There are probably more general ways to write this.}}<br />
<br />
Now lets see if Postfix is going to deliver mail for our test user.<br />
{{bc|<br />
nc servername 25<br />
helo testmail.org<br />
mail from:<test@testmail.org><br />
rcpt to:<cactus@virtualdomain.tld><br />
data<br />
This is a test email.<br />
.<br />
quit<br />
}}<br />
<br />
=== Error response ===<br />
<br />
{{bc|<nowiki>451 4.3.0 <lisi@test.com>: Temporary lookup failure</nowiki>}}<br />
This usually means the MySQL user name or password in the {{ic|.cf}} files is wrong, or the MySQL socket is not where Postfix expects it. The same error occurs if you have never run {{ic|newaliases}} before starting Postfix. MySQL is not required for local-only use of Postfix.<br />
<br />
{{bc|<nowiki>550 5.1.1 <email@spam.me>: Recipient address rejected: User unknown in virtual mailbox table.</nowiki>}}<br />
Double check the contents of {{ic|virtual_mailbox_maps.cf}}, the {{ic|mailbox}} table it queries, and the value of {{ic|mydestination}} in {{ic|main.cf}}.<br />
<br />
=== See that you have received an email ===<br />
<br />
Now run {{ic|# find /home/vmail}}.<br />
<br />
You should see something like the following:<br />
{{bc|<br />
/home/vmail/virtualdomain.tld/cactus@virtualdomain.tld<br />
/home/vmail/virtualdomain.tld/cactus@virtualdomain.tld/tmp<br />
/home/vmail/virtualdomain.tld/cactus@virtualdomain.tld/cur<br />
/home/vmail/virtualdomain.tld/cactus@virtualdomain.tld/new<br />
/home/vmail/virtualdomain.tld/cactus@virtualdomain.tld/new/1102974226.2704_0.bonk.testmail.org<br />
}}<br />
The key is the last entry: a file in the Maildir {{ic|new}} directory is an actual email, and if you see it, delivery is working. With the PostfixAdmin settings above ({{ic|1=domain_in_mailbox = 'NO'}}) the mailbox directory is named after the local part only, i.e. {{ic|/home/vmail/virtualdomain.tld/cactus}}.<br />
<br />
== Optional Items ==<br />
Although these items are not required, they definitely add more completeness to your setup<br />
<br />
=== Quota ===<br />
To enable mailbox quota support by dovecot, do the following: <br />
*First add the following lines to /etc/dovecot/dovecot.conf<br />
dict {<br />
quotadict = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext<br />
}<br />
service dict {<br />
unix_listener dict {<br />
group = vmail<br />
mode = 0660<br />
user = vmail<br />
}<br />
user = root<br />
}<br />
service quota-warning {<br />
executable = script /usr/local/bin/quota-warning.sh<br />
user = vmail<br />
unix_listener quota-warning {<br />
group = vmail<br />
mode = 0660<br />
user = vmail<br />
}<br />
} <br />
mail_plugins=quota<br />
protocol pop3 {<br />
mail_plugins = quota<br />
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh<br />
pop3_uidl_format = %08Xu%08Xv<br />
}<br />
protocol lda {<br />
mail_plugins = quota<br />
postmaster_address = postmaster@yourdomain.com<br />
}<br />
protocol imap {<br />
mail_plugins = $mail_plugins imap_quota<br />
mail_plugin_dir = /usr/lib/dovecot/modules<br />
}<br />
plugin {<br />
quota = dict:User quota::proxy::quotadict<br />
quota_rule2 = Trash:storage=+10%%<br />
quota_warning = storage=100%% quota-warning +100 %u<br />
quota_warning2 = storage=95%% quota-warning +95 %u<br />
quota_warning3 = storage=80%% quota-warning +80 %u<br />
quota_warning4 = -storage=100%% quota-warning -100 %u # user is no longer over quota<br />
}<br />
<br />
*Create a new file /etc/dovecot/dovecot-dict-sql.conf.ext with the following code:<br />
connect = host=localhost dbname=yourdb user=youruser password=yourpassword<br />
map {<br />
pattern = priv/quota/storage<br />
table = quota2<br />
username_field = username<br />
value_field = bytes<br />
}<br />
map {<br />
pattern = priv/quota/messages<br />
table = quota2<br />
username_field = username<br />
value_field = messages<br />
}<br />
*Create a warning script /usr/local/bin/quota-warning.sh and make sure it is executable. This warning script works with postfix lmtp configuration as well.<br />
<pre>#!/bin/sh<br />
# Called by Dovecot's quota-warning service as: quota-warning.sh BOUNDARY USER<br />
BOUNDARY="$1"<br />
USER="$2"<br />
MSG=""<br />
# POSIX test brackets so the script also works when /bin/sh is not bash<br />
if [ "$BOUNDARY" = "+100" ]; then<br />
MSG="Your mailbox is now overfull (>100%). In order for your account to continue functioning properly, you need to remove some emails NOW."<br />
elif [ "$BOUNDARY" = "+95" ]; then<br />
MSG="Your mailbox is now over 95% full. Please remove some emails ASAP."<br />
elif [ "$BOUNDARY" = "+80" ]; then<br />
MSG="Your mailbox is now over 80% full. Please consider removing some emails to save space."<br />
elif [ "$BOUNDARY" = "-100" ]; then<br />
MSG="Your mailbox is now back to normal (<100%)."<br />
fi<br />
<br />
# Deliver the warning with quota enforcement disabled; otherwise the warning<br />
# itself would be rejected for a mailbox that is already over quota.<br />
cat << EOF | /usr/lib/dovecot/dovecot-lda -d "$USER" -o "plugin/quota=maildir:User quota:noenforcing"<br />
From: postmaster@yourdomain.com<br />
Subject: Email Account Quota Warning<br />
<br />
Dear User,<br />
<br />
$MSG<br />
<br />
Best regards,<br />
Your Mail System<br />
EOF<br />
</pre><br />
<br />
*Edit the user_query line and add iterate_query in dovecot-sql.conf as follows:<br />
user_query = SELECT '/home/vmail/%d/%n' as home, 'maildir:/home/vmail/%d/%n' as mail, 5000 AS uid, 5000 AS gid, concat('*:bytes=', quota) AS quota_rule FROM mailbox WHERE username = '%u' AND active = '1'<br />
iterate_query = SELECT username AS user FROM mailbox<br />
*Set up LDA as described above under SpamAssassin. If you are not using SpamAssassin, the pipe should look like this in /etc/postfix/master.cf:<br />
dovecot unix - n n - - pipe<br />
flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}<br />
As above activate it in Postfix main.cf<br />
virtual_transport = dovecot<br />
*You can set up a quota for each mailbox in postfixadmin. Make sure the relevant lines in config.inc.php look like this:<br />
$CONF['quota'] = 'YES';<br />
$CONF['quota_multiplier'] = '1024000';<br />
<br />
Restart the postfix and dovecot services. If things go well, you should be able to list all users' quota and usage with this command:<br />
doveadm quota get -A<br />
You should be able to see the quota in roundcube too.<br />
<br />
=== Autocreate and autosubscribe folders in Dovecot ===<br />
<br />
To automatically create the "usual" mail hierarchy, modify your {{ic|/etc/dovecot/dovecot.conf}} as follows, editing to your specific needs.<br />
<br />
{{bc|1=<br />
namespace inbox {<br />
type = private<br />
separator = /<br />
prefix =<br />
inbox = yes<br />
}<br />
namespace inbox {<br />
mailbox Drafts {<br />
auto = subscribe<br />
special_use = \Drafts<br />
}<br />
mailbox Junk {<br />
auto = subscribe<br />
special_use = \Junk<br />
}<br />
mailbox Trash {<br />
auto = subscribe<br />
special_use = \Trash<br />
}<br />
mailbox Sent {<br />
auto = subscribe<br />
special_use = \Sent<br />
}<br />
}<br />
}}<br />
<br />
=== Dovecot public folder and global ACLs ===<br />
<br />
In this section we enable IMAP namespace public folders combined with global and per-folder [[ACL]]s.<br />
<br />
First, add the following lines to {{ic|/etc/dovecot/dovecot.conf}}:<br />
<br />
{{bc|1=<br />
### ACLs<br />
mail_plugins = acl<br />
protocol imap {<br />
mail_plugins = $mail_plugins imap_acl<br />
}<br />
plugin {<br />
acl = vfile<br />
# With a global ACL file /etc/dovecot/dovecot-acl (v2.2.11+):<br />
acl = vfile:/etc/dovecot/dovecot-acl<br />
}<br />
<br />
### Public Mailboxes<br />
namespace {<br />
type = public<br />
separator = /<br />
prefix = public/<br />
location = maildir:/home/vmail/public:INDEXPVT=~/public<br />
subscriptions = no<br />
list = children<br />
}<br />
}}<br />
<br />
Create the root directory {{ic|/home/vmail/public}} and the folders you want to publicly share, for example (the period is required!) {{ic|/home/vmail/public/.example-1}}.<br />
<br />
Change the ownership of all files in the root directory:<br />
<br />
$ chown -R vmail:vmail /home/vmail/public<br />
<br />
Finally, create and modify your global ACL file to allow users access to these folders:<br />
<br />
{{hc|/etc/dovecot/dovecot-acl|2=<br />
public/* user=admin@example.com lrwstipekxa<br />
}}<br />
<br />
In the above example, user {{ic|admin@example.com}} has access to, and can do anything to, all the public folders. Edit to fit your specific needs.<br />
<br />
{{Note|<br />
* {{ic|lrwstipekxa}} are the permissions being granted. Visit the Dovecot wiki for further details.<br />
* Make sure the user subscribes to the folders in the client they are using.<br />
}}<br />
<br />
=== Fighting Spam ===<br />
<br />
As an alternative to SpamAssassin, consider {{AUR|rspamd}}. Out of the box it delivers a large amount of spam reduction, greylisting, etc., and includes a web UI. See also [https://thomas-leister.de/en/mailserver-debian-stretch/].<br />
<br />
== Sidenotes ==<br />
<br />
=== Alternative vmail folder structure ===<br />
<br />
Instead of having a directory structure like {{ic|/home/vmail/example.com/user@example.com}} you can have cleaner subdirectories (without the additional domain name) by replacing {{ic|select_field}} and {{ic|where_field}} with:<br />
{{bc|1=query = SELECT CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',SUBSTRING_INDEX(email,'@',1),'/') FROM users WHERE email='%s'}}<br />
<br />
== Troubleshooting ==<br />
<br />
=== IMAP/POP3 client failing to receive mails ===<br />
<br />
If your IMAP/POP3 client fails to receive mail, look into {{ic|/var/log/mail.log}} or use {{ic|journalctl -xn --unit postfix.service}} to find out more.<br />
<br />
Note that the Maildir {{ic|/home/vmail/mail@domain.tld}} is only created once at least one email has been delivered to it; until then there is no need for the directory to exist, so its absence alone is not an error.<br />
<br />
=== Roundcube not able to delete emails or view any 'standard' folders ===<br />
<br />
Ensure that the Roundcube config.inc.php file contains the following:<br />
<br />
{{bc|1=<br />
$rcmail_config['default_imap_folders'] = array('INBOX', 'Drafts', 'Sent', 'Junk', 'Trash');<br />
$rcmail_config['create_default_folders'] = true;<br />
$rcmail_config['protect_default_folders'] = true;<br />
}}<br />
<br />
=== LMTP / Sieve ===<br />
<br />
Is LMTP not connecting to sieve? Ensure that your server is not routing the messages locally. This can be set in {{ic| /etc/postfix/main.cf}}:<br />
<br />
{{bc|1=<br />
mydestination = <br />
}}<br />
<br />
=== Are your emails sent to gmail users ending up in their junk/spam folders? ===<br />
<br />
Google Gmail (and most other large email providers) will send your emails straight into your recipients' junk/spam folder if you have not implemented SPF/DKIM/DMARC policies. (Hint: Rspamd, via the link above, shows you how to set this up, and will DKIM-sign your emails.)<br />
<br />
== See also ==<br />
<br />
* [[Gentoo:Complete Virtual Mail Server]]</div>Timeline.menuhttps://wiki.archlinux.org/index.php?title=Postfix_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)&diff=557812Postfix (简体中文)2018-11-30T06:25:19Z<p>Timeline.menu: Translation unfinished, part 2; will translate more later when there is time</p>
<hr />
<div>[[Category:Mail server]]<br />
[[en:Postfix]]<br />
[[ja:Postfix]]<br />
{{Related articles start}}<br />
{{Related|Postfix with SASL}}<br />
{{Related|Virtual user mail system}}<br />
{{Related|OpenDMARC}}<br />
{{Related|OpenDKIM}}<br />
{{Related articles end}}<br />
[[Wikipedia:Postfix (software)|Postfix]] is a [[mail transfer agent]] (English). According to its [http://www.postfix.org/ official website], it:<br />
:attempts to be fast, easy to administer, and secure, while at the same time being sendmail compatible enough to not upset existing users. Thus, the outside has a sendmail-ish flavor, but the inside is completely different.<br />
<br />
:Fast, easy to administer and secure, while being compatible enough with [[Sendmail (简体中文)]] not to upset existing users. Thus, from the outside it has a sendmail-ish flavor, but the inside is completely different.<br />
<br />
This article builds upon [[Mail server]] (English). Its goal is to set up Postfix and explain what the basic configuration files do. Setup instructions are given for two delivery methods: local system users and virtual users.<br />
== Installation ==<br />
<br />
[[Install]] (English) the {{Pkg|postfix}} package.<br />
<br />
== Configuration ==<br />
<br />
See the developers' [http://www.postfix.org/BASIC_CONFIGURATION_README.html Postfix Basic Configuration] (English). By default the configuration files are in {{ic|/etc/postfix}}. The two most important files are:<br />
<br />
* {{ic|master.cf}}, defines which Postfix services are enabled and how clients connect to them, see {{man|5|master}}<br />
* {{ic|main.cf}}, the main configuration file, see {{man|5|postconf}} (English)<br />
<br />
After changing the configuration files, [[reload]] (English) the main service ({{ic|postfix.service}}) for the changes to take effect.<br />
<br />
=== Aliases ===<br />
<br />
See the online man page {{man|5|aliases|url=https://jlk.fjfi.cvut.cz/arch/manpages/man/postfix/aliases.5.en}} (English).<br />
<br />
The alias configuration file is {{ic|/etc/postfix/aliases}}. You can specify aliases (sometimes also called forwarders) in this file.<br />
<br />
You need to map all mail addressed to ''root'' to another account, because reading mail as root is not a good idea.<br />
<br />
Uncomment the following line, and replace {{ic|you}} with the real account you want to use.<br />
root: you<br />
<br />
Once you have finished editing {{ic|/etc/postfix/aliases}}, you need to run the following postalias command:<br />
postalias /etc/postfix/aliases<br />
For later changes you can use:<br />
newaliases<br />
<br />
{{提示|Alternatively, you can create the file {{ic|~/.forward}} for the root user, e.g. {{ic|/root/.forward}}. Specify the user to whom root's mail should be forwarded, e.g. ''user@localhost''.<br />
<br />
{{hc|/root/.forward|<br />
user@localhost<br />
}}<br />
<br />
}}<br />
<br />
=== Local mail ===<br />
<br />
To only deliver mail to local system users (that are in {{ic|/etc/passwd}}) update {{ic|/etc/postfix/main.cf}} to reflect the following configuration. Uncomment, change, or add the following lines:<br />
<br />
myhostname = localhost<br />
mydomain = localdomain<br />
mydestination = $myhostname, localhost.$mydomain, $mydomain<br />
inet_interfaces = $myhostname, localhost<br />
mynetworks_style = host<br />
default_transport = error: outside mail is not deliverable<br />
<br />
All other settings may remain unchanged. After setting up the above configuration file, you may wish to set up some [[#Aliases]] and then [[#Start Postfix]].<br />
<br />
=== Virtual mail ===<br />
Virtual mail is mail that does not map to a user account ({{ic|/etc/passwd}}).<br />
<br />
See [[Virtual user mail system with Postfix, Dovecot and Roundcube]] for a comprehensive guide how to set it up.<br />
<br />
=== Check configuration ===<br />
<br />
Run the {{ic|postfix check}} command. It reports anything you might have done wrong in a configuration file.<br />
<br />
To see all of your configs, type {{ic|postconf}}. To see how you differ from the defaults, try {{ic|postconf -n}}.<br />
<br />
== Start Postfix ==<br />
<br />
{{Note|You must run {{ic|newaliases}} at least once for Postfix to run, even if you did not set up any [[#Aliases]].}}<br />
<br />
[[Start/enable]] the {{ic|postfix.service}}.<br />
<br />
== TLS ==<br />
<br />
{{Warning|If you deploy [[Wikipedia:TLS|TLS]], be sure to follow [https://weakdh.org/sysadmin.html weakdh.org's guide] to prevent FREAK/Logjam. Since mid-2015, the default settings have been safe against [[Wikipedia:POODLE|POODLE]]. For more information see [[Server-side TLS]].}}<br />
<br />
You need to [[obtain a certificate]].<br />
<br />
For more information, see [http://www.postfix.org/TLS_README.html Postfix TLS Support].<br />
<br />
=== Secure SMTP (sending) ===<br />
<br />
By default, Postfix/sendmail will not send email encrypted to other SMTP servers. To use TLS when available, add the following line to {{ic|main.cf}}:<br />
{{hc|/etc/postfix/main.cf|2=<br />
smtp_tls_security_level = may<br />
}}<br />
<br />
To ''enforce'' TLS (and fail when the remote server does not support it), change {{ic|may}} to {{ic|encrypt}}. Note, however, that this violates [[RFC:2487]] if the SMTP server is publicly referenced.<br />
<br />
=== Secure SMTP (receiving) ===<br />
<br />
{{Out of date|Port 465 has been reinstated for SMTPS by [[RFC:8314]].}}<br />
<br />
By default, Postfix will not accept secure mail. <br />
<br />
To enable STARTTLS over SMTP (port 587, the proper way of securing SMTP), add the following lines to {{ic|main.cf}}:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
smtpd_tls_security_level = may<br />
smtpd_tls_cert_file = '''/path/to/cert.pem'''<br />
smtpd_tls_key_file = '''/path/to/key.pem'''<br />
}}<br />
<br />
In {{ic|master.cf}}, find and uncomment the following lines to enable the service on that port with the correct settings:<br />
<br />
{{hc|/etc/postfix/master.cf|2=<br />
submission inet n - n - - smtpd<br />
-o syslog_name=postfix/submission<br />
-o smtpd_tls_security_level=encrypt<br />
-o smtpd_sasl_auth_enable=yes<br />
-o smtpd_tls_auth_only=yes<br />
-o smtpd_reject_unlisted_recipient=no<br />
# -o smtpd_client_restrictions=$mua_client_restrictions<br />
# -o smtpd_helo_restrictions=$mua_helo_restrictions<br />
# -o smtpd_sender_restrictions=$mua_sender_restrictions<br />
-o smtpd_recipient_restrictions=<br />
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject<br />
-o milter_macro_daemon_name=ORIGINATING<br />
}}<br />
The {{ic|smtpd_*_restrictions}} options remain commented because {{ic|$mua_*_restrictions}} are not defined in main.cf by default. If you do decide to set any of {{ic|$mua_*_restrictions}}, uncomment those lines too.<br />
<br />
If you need support for the deprecated SMTPS port 465, also follow the next section.<br />
<br />
==== SMTPS (port 465) ====<br />
<br />
The deprecated method of securing SMTP is using the '''wrapper mode''' which uses the system service '''smtps''' as a non-standard service and runs on port 465.<br />
<br />
To enable it, uncomment the following lines in {{ic|master.cf}}:<br />
<br />
{{hc|/etc/postfix/master.cf|<nowiki><br />
smtps inet n - n - - smtpd<br />
-o syslog_name=postfix/smtps<br />
-o smtpd_tls_wrappermode=yes<br />
-o smtpd_sasl_auth_enable=yes<br />
-o smtpd_reject_unlisted_recipient=no<br />
# -o smtpd_client_restrictions=$mua_client_restrictions<br />
# -o smtpd_helo_restrictions=$mua_helo_restrictions<br />
# -o smtpd_sender_restrictions=$mua_sender_restrictions<br />
-o smtpd_recipient_restrictions=<br />
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject<br />
-o milter_macro_daemon_name=ORIGINATING<br />
</nowiki>}}<br />
<br />
The rationale surrounding the {{ic|$smtpd_*_restrictions}} lines is the same as above.<br />
<br />
After this, verify that these lines are in {{ic|/etc/services}}:<br />
smtps 465/tcp # Secure SMTP<br />
smtps 465/udp # Secure SMTP<br />
<br />
If they are not there, go ahead and add them (replace the other listing for port 465). Otherwise Postfix will not start and you will get the following error:<br />
<br />
''postfix/master[5309]: fatal: 0.0.0.0:smtps: Servname not supported for ai_socktype''<br />
<br />
== Tips and tricks ==<br />
<br />
=== Blacklist incoming emails ===<br />
<br />
Manually blacklisting incoming emails by sender address can easily be done with Postfix. <br />
<br />
Create and open {{ic|/etc/postfix/blacklist_incoming}} file and append sender email address:<br />
<br />
user@example.com REJECT<br />
<br />
Then use the {{ic|postmap}} command to create a database:<br />
<br />
# postmap hash:blacklist_incoming<br />
<br />
Add the following code before the first permit rule in {{ic|main.cf}}:<br />
<br />
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/blacklist_incoming<br />
<br />
Finally [[restart]] {{ic|postfix.service}}.<br />
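Added example (not from this page or from Postfix): a Python emulation of how Postfix resolves a {{ic|check_sender_access}} lookup against an indexed access(5) table such as {{ic|blacklist_incoming}}, so you can predict which envelope senders a table will reject before reloading. The sample table is constructed; the lookup order and the {{ic|parent_domain_matches_subdomains}} behaviour follow the access(5) manual page.<br />

```python
"""Emulation of Postfix access(5) lookups for check_sender_access.
Added example, not ArchWiki or Postfix code; SAMPLE_TABLE is constructed
in the same 'key action' format as /etc/postfix/blacklist_incoming."""

SAMPLE_TABLE = """\
# sender address patterns, one per line (constructed sample)
user@example.com        REJECT
spammer.example         REJECT Not wanted here
bulk@                   DISCARD
"""


def parse_access_table(text):
    """Parse 'key action...' lines into a dict. Keys are folded to lower case,
    as postmap(1) does by default when building the hash: table."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        table[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return table


def access_lookup(table, address, parent_matches_subdomains=True):
    """Return the action for an email address, or None if nothing matches.

    Lookup order follows access(5): the full user@domain, then the domain and
    its parent domains, then user@. With parent_matches_subdomains=True (the
    Postfix default, where smtpd_access_maps is listed in
    parent_domain_matches_subdomains) a 'domain.tld' key also matches mail
    from sub.domain.tld; with False only explicit '.domain.tld' keys do."""
    address = address.lower()
    if address in table:
        return table[address]
    user, sep, domain = address.rpartition("@")
    if not sep:
        return None
    labels = domain.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        # exact domain always matches; parent domains only in the default mode
        if (i == 0 or parent_matches_subdomains) and candidate in table:
            return table[candidate]
        # legacy '.parent.tld' keys are honoured only in the non-default mode
        if i > 0 and not parent_matches_subdomains and "." + candidate in table:
            return table["." + candidate]
    if user + "@" in table:
        return table[user + "@"]
    return None


if __name__ == "__main__":
    table = parse_access_table(SAMPLE_TABLE)
    for sender in ("user@example.com", "x@mail.spammer.example",
                   "bulk@anywhere.org", "alice@example.com"):
        print("%-28s -> %s" % (sender, access_lookup(table, sender)))
```

Keep in mind that the envelope sender is chosen by the remote client, so a sender blacklist only stops addresses you have already seen; for broader coverage combine it with DNSBL checks ({{ic|reject_rbl_client}}) or a policy service as described under Extras.<br />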
<br />
===Hide the sender's IP and user agent in the Received header===<br />
This is mostly a privacy concern: when you send an email from a client such as Thunderbird, the Received header will contain your LAN and WAN IP addresses and information about the email client you used.<br />
(Original source: [http://askubuntu.com/questions/78163/when-sending-email-with-postfix-how-can-i-hide-the-senders-ip-and-username-in AskUbuntu])<br />
The goal is to remove the Received header from outgoing emails. This can be done with the following steps:<br />
<br />
Add the following line to {{ic|main.cf}}:<br />
<br />
smtp_header_checks = regexp:/etc/postfix/smtp_header_checks<br />
<br />
Create {{ic|/etc/postfix/smtp_header_checks}} with this content:<br />
<br />
/^Received: .*/ IGNORE<br />
/^User-Agent: .*/ IGNORE<br />
<br />
Finally, [[restart]] {{ic|postfix.service}}.<br />
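To see exactly what the two rules above remove, here is an added example (not from this page or from Postfix) that applies a regexp header_checks(5) table to a raw message in Python. The outgoing message and the additional REJECT rule are constructed to show the two most common actions side by side.<br />

```python
"""Apply a Postfix regexp header_checks(5) table to a raw message.
Added example, not Postfix code; SAMPLE_MESSAGE and the REJECT rule are
constructed, the two IGNORE rules are the ones from smtp_header_checks."""
import re

SAMPLE_TABLE = r"""
/^Received: .*/        IGNORE
/^User-Agent: .*/      IGNORE
/^Subject: .*invoice attached.*/   REJECT constructed test rule
"""

# Constructed outgoing message as Postfix would hand it to the smtp client;
# the Received header carries the submitting client's address, the thing the
# section wants to hide.
SAMPLE_MESSAGE = (
    "Received: from [192.0.2.10] (desktop.lan [192.0.2.10])\r\n"
    "\tby mail.example.org (Postfix) with ESMTPSA id CONSTRUCTED\r\n"
    "User-Agent: Mozilla Thunderbird\r\n"
    "From: alice@example.org\r\n"
    "To: bob@example.net\r\n"
    "Subject: hello\r\n"
    "\r\n"
    "body text\r\n"
)

RULE_RE = re.compile(r"^/(.*)/([A-Za-z]*)\s+(\S+)(?:\s+(.*))?$")


def parse_regexp_table(text):
    """Parse '/pattern/flags action [text]' lines. As in regexp_table(5),
    matching is case-insensitive unless the 'i' flag toggles it."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("bad regexp table line: %r" % line)
        pattern, flags, action, arg = m.groups()
        re_flags = 0 if "i" in flags else re.IGNORECASE
        rules.append((re.compile(pattern, re_flags), action.upper(), arg or ""))
    return rules


def logical_headers(header_block):
    """Unfold continuation lines: Postfix matches each logical header as one unit."""
    headers = []
    for line in header_block.split("\r\n"):
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\r\n" + line
        else:
            headers.append(line)
    return headers


def apply_header_checks(rules, message):
    """Return (verdict, message). verdict is 'ok' or 'REJECT <text>'.
    The first matching rule wins; IGNORE drops the logical header, REJECT
    stops processing, any other action (e.g. WARN) keeps the header."""
    head, sep, body = message.partition("\r\n\r\n")
    kept = []
    for header in logical_headers(head):
        action, arg = "", ""
        for rx, act, text in rules:
            if rx.search(header):
                action, arg = act, text
                break
        if action == "REJECT":
            return "REJECT " + arg, message
        if action != "IGNORE":
            kept.append(header)
    return "ok", "\r\n".join(kept) + sep + body


if __name__ == "__main__":
    verdict, out = apply_header_checks(parse_regexp_table(SAMPLE_TABLE), SAMPLE_MESSAGE)
    print(verdict)
    print(out)
```

{{ic|smtp_header_checks}} is applied only by the Postfix SMTP client, i.e. to mail leaving the server, so inbound mail keeps its Received trail. Note that the rule strips every Received header, not just the one added for the submitting client; since Postfix counts Received headers for {{ic|hopcount_limit}} loop detection, loop detection downstream is weakened for the mail you send, which is the trade-off of this privacy measure.<br />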
<br />
=== Postfix in a chroot jail ===<br />
Postfix is not put in a chroot jail by default. The Postfix documentation [http://www.postfix.org/BASIC_CONFIGURATION_README.html#chroot_setup] provides details about how to accomplish such a jail. The steps are outlined below and are based on the chroot-setup script provided in the Postfix source code.<br />
<br />
First, go into the {{ic|master.cf}} file in the directory {{ic|/etc/postfix}} and change all the chroot entries to 'yes' (y) except for the services {{ic|qmgr}}, {{ic|proxymap}}, {{ic|proxywrite}}, {{ic|local}}, and {{ic|virtual}}<br />
<br />
Second, define a helper variable and function that will later copy files into the chroot jail (see the last step):<br />
CP="cp -p"<br />
<br />
cond_copy() {<br />
# find files as per pattern in $1<br />
# if any, copy to directory $2<br />
dir=`dirname "$1"`<br />
pat=`basename "$1"`<br />
lr=`find "$dir" -maxdepth 1 -name "$pat"`<br />
if test ! -d "$2" ; then exit 1 ; fi<br />
if test "x$lr" != "x" ; then $CP $1 "$2" ; fi<br />
}<br />
<br />
Next, make the new directories for the jail:<br />
set -e<br />
umask 022<br />
<br />
POSTFIX_DIR=${POSTFIX_DIR-/var/spool/postfix}<br />
cd ${POSTFIX_DIR}<br />
<br />
mkdir -p etc lib usr/lib/zoneinfo<br />
test -d /lib64 && mkdir -p lib64<br />
<br />
Find the localtime file<br />
lt=/etc/localtime<br />
if test ! -f $lt ; then lt=/usr/lib/zoneinfo/localtime ; fi<br />
if test ! -f $lt ; then lt=/usr/share/zoneinfo/localtime ; fi<br />
if test ! -f $lt ; then echo "cannot find localtime" ; exit 1 ; fi<br />
rm -f etc/localtime<br />
<br />
Copy localtime and some other system files into the chroot's etc<br />
$CP -f $lt /etc/services /etc/resolv.conf /etc/nsswitch.conf etc<br />
$CP -f /etc/host.conf /etc/hosts /etc/passwd etc<br />
ln -s -f /etc/localtime usr/lib/zoneinfo<br />
<br />
Copy required libraries into the chroot using the previously created function {{ic|cond_copy}}<br />
cond_copy '/usr/lib/libnss_*.so*' lib<br />
cond_copy '/usr/lib/libresolv.so*' lib<br />
cond_copy '/usr/lib/libdb.so*' lib<br />
<br />
And don't forget to reload Postfix.<br />
<br />
<br />
=== DANE (DNSSEC) ===<br />
==== Resource Record ====<br />
<br />
{{warning|This is not a trivial section. Make sure you know what you are doing, and read [https://dane.sys4.de/common_mistakes Common Mistakes] first.}}<br />
<br />
[[DANE]] supports several types of records, however not all of them are suitable in Postfix.<br />
<br />
Certificate usage 0 is unsupported, 1 is mapped to 3 and 2 is optional, thus it is recommended to publish a "3" record.<br />
More on [[DANE#Resource Record|Resource Records]].<br />
<br />
==== Configuration ====<br />
<br />
{{Expansion|What does ''tempfail'' mean?}}<br />
<br />
Opportunistic DANE is configured this way:<br />
{{hc|/etc/postfix/main.cf|<nowiki><br />
smtpd_use_tls = yes<br />
smtp_dns_support_level = dnssec<br />
smtp_tls_security_level = dane<br />
</nowiki>}}<br />
{{hc|/etc/postfix/master.cf|<nowiki><br />
dane unix - - n - - smtp<br />
-o smtp_dns_support_level=dnssec<br />
-o smtp_tls_security_level=dane<br />
</nowiki>}}<br />
<br />
To use per-domain policies, e.g. opportunistic DANE for example.org and mandatory DANE for example.com, use something like this:<br />
{{hc|/etc/postfix/main.cf|<nowiki><br />
indexed = ${default_database_type}:${config_directory}/<br />
<br />
# Per-destination TLS policy<br />
#<br />
smtp_tls_policy_maps = ${indexed}tls_policy<br />
<br />
# default_transport = smtp, but some destinations are special:<br />
#<br />
transport_maps = ${indexed}transport<br />
</nowiki>}}<br />
<br />
{{hc|transport|<br />
example.com dane<br />
example.org dane<br />
}}<br />
<br />
{{hc|tls_policy|<br />
example.com dane-only<br />
}}<br />
<br />
{{Note|For global mandatory DANE, change {{ic|smtp_tls_security_level}} to {{ic|dane-only}}. Be aware that this makes Postfix tempfail (respond with a {{ic|4.X.X}} error code) on all deliveries that do not use DANE at all!}}<br />
<br />
Full documentation is found [http://www.postfix.org/TLS_README.html#client_tls_dane here].<br />
<br />
== Extras ==<br />
<br />
* {{App|[[PostfixAdmin]]|A web-based administrative interface for Postfix.|http://postfixadmin.sourceforge.net/|{{Pkg|postfixadmin}}}}<br />
<br />
=== Postgrey ===<br />
<br />
{{Style|See [[Help:Style]]}}<br />
<br />
[http://postgrey.schweikert.ch/ Postgrey] can be used to enable [[Wikipedia:Greylisting|greylisting]] for a Postfix mail server.<br />
<br />
==== Installation ====<br />
<br />
[[Install]] the {{Pkg|postgrey}} package. To get it running quickly edit the Postfix configuration file and add these lines:<br />
{{hc|/etc/postfix/main.cf|<nowiki><br />
smtpd_recipient_restrictions =<br />
check_policy_service inet:127.0.0.1:10030<br />
</nowiki>}}<br />
<br />
Then [[start/enable]] the {{ic|postgrey}} service. Afterwards, reload the {{ic|postfix}} service. Now greylisting should be enabled.<br />
<br />
==== Configuration ====<br />
<br />
Configuration is done via editing the {{ic|postgrey.service}} file. First copy it over to edit it.<br />
<br />
# cp /usr/lib/systemd/system/postgrey.service /etc/systemd/system/<br />
<br />
==== Whitelisting ====<br />
To add automatic whitelisting (successful deliveries are whitelisted and don't have to wait any more), you could add the {{ic|<nowiki>--auto-whitelist-clients=N</nowiki>}} option and replace {{ic|N}} by a suitably small number (or leave it at its default of 5).<br />
<br />
The preferred method is a systemd drop-in override, which leaves the packaged unit file untouched:<br />
<br />
{{hc|/etc/systemd/system/postgrey.service.d/override.conf|2=<br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/postgrey --inet=127.0.0.1:10030 \<br />
--pidfile=/run/postgrey/postgrey.pid \<br />
--group=postgrey --user=postgrey \<br />
--daemonize \<br />
--greylist-text="Greylisted for %%s seconds" \<br />
--auto-whitelist-clients<br />
}}<br />
<br />
To add your own list of whitelisted clients in addition to the default ones, create the file {{ic|/etc/postfix/whitelist_clients.local}} and enter one host or domain per line, then restart {{ic|postgrey.service}} so the changes take effect.<br />
<br />
==== Troubleshooting ====<br />
<br />
If you specify {{ic|1=--unix=/path/to/socket}} and the socket file is not created ensure you have removed the default {{ic|1=--inet=127.0.0.1:10030}} from the service file. <br />
<br />
For a full documentation of possible options see {{ic|perldoc postgrey}}.<br />
<br />
=== SpamAssassin ===<br />
<br />
This section describes how to integrate [[SpamAssassin]].<br />
<br />
==== SpamAssassin stand-alone generic setup ====<br />
<br />
{{Note|If you want to combine SpamAssassin with Dovecot mail filtering, skip the two {{ic|master.cf}} steps below and continue with one of the combined sections further down instead.}}<br />
<br />
Edit {{ic|/etc/postfix/master.cf}} and add the content filter under smtp.<br />
{{bc|1=<br />
smtp inet n - n - - smtpd<br />
-o content_filter=spamassassin<br />
}}<br />
<br />
Also add the following service entry for SpamAssassin<br />
{{bc|1=<br />
spamassassin unix - n n - - pipe<br />
flags=R user=spamd argv=/usr/bin/vendor_perl/spamc -e /usr/bin/sendmail -oi -f ${sender} ${recipient}<br />
}}<br />
<br />
Now you can [[start]] and [[enable]] {{ic|spamassassin.service}}.<br />
<br />
==== SpamAssassin combined with Dovecot LDA / Sieve (Mailfiltering) ====<br />
Set up LDA and the Sieve-Plugin as described in [[Dovecot#Sieve]]. But ignore the last line {{ic|mailbox_command... }}.<br />
<br />
Instead add a pipe in {{ic|/etc/postfix/master.cf}}:<br />
dovecot unix - n n - - pipe<br />
flags=DRhu user=vmail:vmail argv=/usr/bin/vendor_perl/spamc -u spamd -e /usr/lib/dovecot/dovecot-lda -f ${sender} -d ${recipient}<br />
<br />
And activate it in {{ic|/etc/postfix/main.cf}}:<br />
virtual_transport = dovecot<br />
<br />
==== SpamAssassin combined with Dovecot LMTP / Sieve ====<br />
Set up the LMTP and Sieve as described in [[Dovecot#Sieve]].<br />
<br />
Edit {{ic|/etc/dovecot/conf.d/90-plugins.conf}} and add:<br />
<br />
sieve_before = /etc/dovecot/sieve.before.d/<br />
sieve_extensions = +vnd.dovecot.filter<br />
sieve_plugins = sieve_extprograms<br />
sieve_filter_bin_dir = /etc/dovecot/sieve-filter<br />
sieve_filter_exec_timeout = 120s #this is often needed for the long running spamassassin scans, default is otherwise 10s<br />
<br />
Create the directory and put the spamc binary in it so that Dovecot can run it:<br />
<br />
# mkdir /etc/dovecot/sieve-filter<br />
# ln -s /usr/bin/vendor_perl/spamc /etc/dovecot/sieve-filter/spamc<br />
<br />
Create a new file, {{ic|/etc/dovecot/sieve.before.d/spamassassin.sieve}} which contains:<br />
<br />
require [ "vnd.dovecot.filter" ];<br />
filter "spamc" [ "-d", "127.0.0.1", "--no-safe-fallback" ];<br />
<br />
Compile the sieve script to {{ic|spamassassin.svbin}}:<br />
<br />
# cd /etc/dovecot/sieve.before.d<br />
# sievec spamassassin.sieve<br />
<br />
Finally, [[restart]] {{ic|dovecot.service}}.<br />
<br />
===Rule-based mail processing===<br />
With policy services one can easily fine-tune how Postfix delivers mail.<br />
{{Pkg|postfwd}} and {{AUR|policyd}} provide services to do so.<br />
This allows you to e.g. implement time-aware grey- and blacklisting of senders and recipients as well as [[SPF]] policy checking.<br />
<br />
Policy services are standalone services and connected to Postfix like this:<br />
{{hc|/etc/postfix/main.cf|<nowiki><br />
smtpd_recipient_restrictions =<br />
...<br />
check_policy_service unix:/run/policyd.sock<br />
check_policy_service inet:127.0.0.1:10040<br />
</nowiki>}}<br />
Placing policy services at the end of the queue reduces load, as only legitimate mails are processed. Be sure to place it before the first permit statement to catch all incoming messages.<br />
<br />
=== Sender Policy Framework ===<br />
<br />
To use the [[Sender Policy Framework]] with Postfix, [[install]] {{AUR|python-postfix-policyd-spf}}.<br />
<br />
Edit {{ic|/etc/python-policyd-spf/policyd-spf.conf}} to your needs. An extensively commented version can be found at {{ic|/etc/python-policyd-spf/policyd-spf.conf.commented}}.<br />
Pay some extra attention to the HELO check policy, as standard settings strictly reject HELO failures.<br />
<br />
In the main.cf add a timeout for the policyd:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
policy-spf_time_limit = 3600s<br />
}}<br />
<br />
Then add a transport<br />
<br />
{{hc|/etc/postfix/master.cf|2=<br />
policy-spf unix - n n - 0 spawn<br />
user=nobody argv=/usr/bin/policyd-spf<br />
}}<br />
<br />
Lastly you need to add the policyd to the {{ic|smtpd_recipient_restrictions}}. To minimize load put it to the end of the restrictions but above any {{ic|reject_rbl_client}} DNSBL line:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
smtpd_recipient_restrictions=<br />
...<br />
permit_sasl_authenticated<br />
permit_mynetworks<br />
reject_unauth_destination<br />
check_policy_service unix:private/policy-spf<br />
}}<br />
<br />
You can test your setup with the following:<br />
<br />
{{hc|/etc/python-policyd-spf/policyd-spf.conf|2=<br />
defaultSeedOnly = 0<br />
}}<br />
<br />
=== Sender Rewriting Scheme ===<br />
<br />
To use the [[Sender Rewriting Scheme]] with Postfix, [[install]] {{AUR|postsrsd}} and adjust the settings:<br />
<br />
{{hc|/etc/postsrsd/postsrsd|2=<br />
SRS_DOMAIN=yourdomain.tld<br />
SRS_EXCLUDE_DOMAINS=yourotherdomain.tld,yet.anotherdomain.tld<br />
SRS_SEPARATOR==<br />
SRS_SECRET=/etc/postsrsd/postsrsd.secret<br />
SRS_FORWARD_PORT=10001<br />
SRS_REVERSE_PORT=10002<br />
RUN_AS=postsrsd<br />
CHROOT=/usr/lib/postsrsd<br />
}}<br />
<br />
Enable and start the daemon, making sure it runs after reboot as well.<br />
Then configure Postfix accordingly by tweaking the following lines:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
sender_canonical_maps = tcp:localhost:10001<br />
sender_canonical_classes = envelope_sender<br />
recipient_canonical_maps = tcp:localhost:10002<br />
recipient_canonical_classes= envelope_recipient,header_recipient<br />
}}<br />
<br />
Restart Postfix and start forwarding mail.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Warning: "database /etc/postfix/*.db is older than source file .." ===<br />
<br />
If you get one or both warnings with {{ic|journalctl}}<br />
<br />
warning: database /etc/postfix/virtual.db is older than source file /etc/postfix/virtual<br />
warning: database /etc/postfix/transport.db is older than source file /etc/postfix/transport<br />
<br />
then you can fix it by using these commands depending on the messages you get<br />
<br />
postmap /etc/postfix/transport<br />
postmap /etc/postfix/virtual<br />
<br />
and restart {{ic|postfix.service}}<br />
<br />
== See also ==<br />
<br />
* [http://www.postfix.org/documentation.html Official documentation]<br />
* [https://help.ubuntu.com/community/Postfix Postfix Ubuntu documentation]<br />
* [http://linox.be/index.php/2005/07/13/44/ Out of Office] for Squirrelmail {{Dead link|2017|08|23}}</div>Timeline.menuhttps://wiki.archlinux.org/index.php?title=Postfix&diff=557803Postfix2018-11-30T05:55:58Z<p>Timeline.menu: Add Simplified Chinese</p>
<hr />
<div>[[Category:Mail server]]<br />
[[ja:Postfix]]<br />
[[zh-hans:Postfix]]<br />
{{Related articles start}}<br />
{{Related|Postfix with SASL}}<br />
{{Related|Virtual user mail system}}<br />
{{Related|OpenDMARC}}<br />
{{Related|OpenDKIM}}<br />
{{Related articles end}}<br />
[[Wikipedia:Postfix (software)|Postfix]] is a [[mail transfer agent]] that according to [http://www.postfix.org/ its website]:<br />
:attempts to be fast, easy to administer, and secure, while at the same time being sendmail compatible enough to not upset existing users. Thus, the outside has a sendmail-ish flavor, but the inside is completely different.<br />
<br />
This article builds upon [[Mail server]]. The goal of this article is to setup Postfix and explain what the basic configuration files do. There are instructions for setting up local system user-only delivery and a link to a guide for virtual user delivery. <br />
<br />
== Installation ==<br />
<br />
[[Install]] the {{Pkg|postfix}} package.<br />
<br />
== Configuration ==<br />
<br />
See [http://www.postfix.org/BASIC_CONFIGURATION_README.html Postfix Basic Configuration]. Configuration files are in {{ic|/etc/postfix}} by default. The two most important files are:<br />
<br />
* {{ic|master.cf}}, defines which Postfix services are enabled and how clients connect to them, see {{man|5|master}}<br />
* {{ic|main.cf}}, the main configuration file, see {{man|5|postconf}}<br />
<br />
Configuration changes need a {{ic|postfix.service}} [[reload]] in order to take effect.<br />
<br />
=== Aliases ===<br />
<br />
See {{man|5|aliases|url=https://jlk.fjfi.cvut.cz/arch/manpages/man/postfix/aliases.5.en}}.<br />
<br />
You can specify aliases (also known as forwarders) in {{ic|/etc/postfix/aliases}}.<br />
<br />
You need to map all mail addressed to ''root'' to another account since it is not a good idea to read mail as root. <br />
<br />
Uncomment the following line, and change {{ic|you}} to a real account.<br />
root: you<br />
<br />
Once you have finished editing {{ic|/etc/postfix/aliases}} you must run the postalias command:<br />
postalias /etc/postfix/aliases<br />
For later changes you can use:<br />
newaliases<br />
<br />
{{Tip|Alternatively you can create the file {{ic|~/.forward}}, e.g. {{ic|/root/.forward}} for root. Specify the user to whom root mail should be forwarded, e.g. ''user@localhost''.<br />
<br />
{{hc|/root/.forward|<br />
user@localhost<br />
}}<br />
<br />
}}<br />
<br />
=== Local mail ===<br />
<br />
To only deliver mail to local system users (that are in {{ic|/etc/passwd}}) update {{ic|/etc/postfix/main.cf}} to reflect the following configuration. Uncomment, change, or add the following lines:<br />
<br />
myhostname = localhost<br />
mydomain = localdomain<br />
mydestination = $myhostname, localhost.$mydomain, $mydomain<br />
inet_interfaces = $myhostname, localhost<br />
mynetworks_style = host<br />
default_transport = error: outside mail is not deliverable<br />
<br />
All other settings may remain unchanged. After setting up the above configuration file, you may wish to set up some [[#Aliases]] and then [[#Start Postfix]].<br />
<br />
=== Virtual mail ===<br />
Virtual mail is mail that does not map to a user account ({{ic|/etc/passwd}}).<br />
<br />
See [[Virtual user mail system with Postfix, Dovecot and Roundcube]] for a comprehensive guide on how to set it up.<br />
<br />
=== Check configuration ===<br />
<br />
Run the {{ic|postfix check}} command. It reports anything that is wrong in the configuration files.<br />
<br />
To see the full configuration, run {{ic|postconf}}. To see only the settings that differ from the defaults, run {{ic|postconf -n}}.<br />
<br />
== Start Postfix ==<br />
<br />
{{Note|You must run {{ic|newaliases}} at least once for Postfix to run, even if you did not set up any [[#Aliases]].}}<br />
<br />
[[Start/enable]] the {{ic|postfix.service}}.<br />
<br />
== TLS ==<br />
<br />
{{Warning|If you deploy [[Wikipedia:TLS|TLS]], be sure to follow [https://weakdh.org/sysadmin.html weakdh.org's guide] to prevent FREAK/Logjam. Since mid-2015, the default settings have been safe against [[Wikipedia:POODLE|POODLE]]. For more information see [[Server-side TLS]].}}<br />
<br />
You need to [[obtain a certificate]].<br />
<br />
For more information, see [http://www.postfix.org/TLS_README.html Postfix TLS Support].<br />
<br />
=== Secure SMTP (sending) ===<br />
<br />
By default, Postfix will not use TLS when sending mail to other SMTP servers. To use TLS whenever the remote server supports it, add the following line to {{ic|main.cf}}:<br />
{{hc|/etc/postfix/main.cf|2=<br />
smtp_tls_security_level = may<br />
}}<br />
<br />
To ''enforce'' TLS (and fail when the remote server does not support it), change {{ic|may}} to {{ic|encrypt}}. Note, however, that this violates [[RFC:2487]] if the SMTP server is publicly referenced.<br />
<br />
=== Secure SMTP (receiving) ===<br />
<br />
{{Out of date|Port 465 has been reinstated for SMTPS by [[RFC:8314]].}}<br />
<br />
By default, Postfix does not offer TLS to clients that connect to it.<br />
<br />
To enable STARTTLS over SMTP (port 587, the proper way of securing SMTP), add the following lines to {{ic|main.cf}}:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
smtpd_tls_security_level = may<br />
smtpd_tls_cert_file = '''/path/to/cert.pem'''<br />
smtpd_tls_key_file = '''/path/to/key.pem'''<br />
}}<br />
<br />
In {{ic|master.cf}}, find and uncomment the following lines to enable the service on that port with the correct settings:<br />
<br />
{{hc|/etc/postfix/master.cf|2=<br />
submission inet n - n - - smtpd<br />
-o syslog_name=postfix/submission<br />
-o smtpd_tls_security_level=encrypt<br />
-o smtpd_sasl_auth_enable=yes<br />
-o smtpd_tls_auth_only=yes<br />
-o smtpd_reject_unlisted_recipient=no<br />
# -o smtpd_client_restrictions=$mua_client_restrictions<br />
# -o smtpd_helo_restrictions=$mua_helo_restrictions<br />
# -o smtpd_sender_restrictions=$mua_sender_restrictions<br />
-o smtpd_recipient_restrictions=<br />
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject<br />
-o milter_macro_daemon_name=ORIGINATING<br />
}}<br />
The {{ic|smtpd_*_restrictions}} options remain commented because {{ic|$mua_*_restrictions}} are not defined in main.cf by default. If you do decide to set any of {{ic|$mua_*_restrictions}}, uncomment those lines too.<br />
<br />
If you need support for the deprecated SMTPS port 465, also follow the next section.<br />
<br />
==== SMTPS (port 465) ====<br />
<br />
The deprecated method of securing SMTP is '''wrapper mode''', in which the non-standard '''smtps''' service listens on port 465 and wraps the whole connection in TLS.<br />
<br />
To enable it, uncomment the following lines in {{ic|master.cf}}:<br />
<br />
{{hc|/etc/postfix/master.cf|<nowiki><br />
smtps inet n - n - - smtpd<br />
-o syslog_name=postfix/smtps<br />
-o smtpd_tls_wrappermode=yes<br />
-o smtpd_sasl_auth_enable=yes<br />
-o smtpd_reject_unlisted_recipient=no<br />
# -o smtpd_client_restrictions=$mua_client_restrictions<br />
# -o smtpd_helo_restrictions=$mua_helo_restrictions<br />
# -o smtpd_sender_restrictions=$mua_sender_restrictions<br />
-o smtpd_recipient_restrictions=<br />
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject<br />
-o milter_macro_daemon_name=ORIGINATING<br />
</nowiki>}}<br />
<br />
The rationale surrounding the {{ic|$smtpd_*_restrictions}} lines is the same as above.<br />
<br />
After this, verify that these lines are in {{ic|/etc/services}}:<br />
smtps 465/tcp # Secure SMTP<br />
smtps 465/udp # Secure SMTP<br />
<br />
If they are not there, go ahead and add them (replace the other listing for port 465). Otherwise Postfix will not start and you will get the following error:<br />
<br />
''postfix/master[5309]: fatal: 0.0.0.0:smtps: Servname not supported for ai_socktype''<br />
<br />
== Tips and tricks ==<br />
<br />
=== Blacklist incoming emails ===<br />
<br />
Manually blacklisting incoming emails by sender address is straightforward with Postfix.<br />
<br />
Create the file {{ic|/etc/postfix/blacklist_incoming}} and add the sender address to reject, one per line, each followed by the action:<br />
<br />
user@example.com REJECT<br />
<br />
Then use the {{ic|postmap}} command to create a database:<br />
<br />
# postmap hash:/etc/postfix/blacklist_incoming<br />
<br />
Add the following code before the first permit rule in {{ic|main.cf}}:<br />
<br />
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/blacklist_incoming<br />
<br />
Finally [[restart]] {{ic|postfix.service}}.<br />
<br />
===Hide the sender's IP and user agent in the Received header===<br />
This is mostly a privacy concern: if you send an email from a client such as Thunderbird, the Received header will contain your LAN and WAN IP addresses and information about the email client you used.<br />
(Original source: [http://askubuntu.com/questions/78163/when-sending-email-with-postfix-how-can-i-hide-the-senders-ip-and-username-in AskUbuntu])<br />
The goal is to remove the Received header from outgoing emails, which is done with the following steps:<br />
<br />
Add the following line to {{ic|main.cf}}:<br />
<br />
smtp_header_checks = regexp:/etc/postfix/smtp_header_checks<br />
<br />
Create {{ic|/etc/postfix/smtp_header_checks}} with this content:<br />
<br />
/^Received: .*/ IGNORE<br />
/^User-Agent: .*/ IGNORE<br />
<br />
Finally, [[restart]] {{ic|postfix.service}}.<br />
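<br />
As an added example (not Postfix code and not from the original page), the following Python applies a {{ic|regexp:}} table with the two rules above to a constructed outgoing message, so you can see which logical headers {{ic|IGNORE}} removes before enabling the check on a live server. The message, its addresses and its hostnames are constructed.<br />

```python
"""Emulate a Postfix regexp: header_checks table (added example, not Postfix code).

Rules are '/pattern/flags action'; a leading '!' negates the match; the first
matching rule wins; matching is case-insensitive by default and the 'i' flag
toggles that off (regexp_table(5)).  Only IGNORE (drop the header) is modelled;
any other action leaves the header in place.
"""
import re
from typing import List, Tuple

# Same content as /etc/postfix/smtp_header_checks above (constructed copy).
SMTP_HEADER_CHECKS = """
# strip hop and client information from outgoing mail
/^Received: .*/ IGNORE
/^User-Agent: .*/ IGNORE
"""

# Constructed outgoing message; the Received line was added by a submission server.
SAMPLE_MESSAGE = (
    "Received: from [192.0.2.15] (cpe-198-51-100-7.example.net [198.51.100.7])\n"
    "\tby mail.example.org (Postfix) with ESMTPSA id 4ABC123\n"
    "\tfor <alice@example.net>; Fri, 30 Nov 2018 05:55:58 +0000 (UTC)\n"
    "From: Bob <bob@example.org>\n"
    "To: alice@example.net\n"
    "Subject: hello\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Thunderbird/60.3.0\n"
    "Message-ID: <constructed-id@example.org>\n"
    "\n"
    "body text\n"
)

Rule = Tuple[re.Pattern, bool, str]

RULE_RE = re.compile(r"^/(.*)/([imx]*)\s+(\S.*)$")


def parse_table(text: str) -> List[Rule]:
    """Compile the rules of a regexp: table, keeping their order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        negate = line.startswith("!")
        m = RULE_RE.match(line[1:] if negate else line)
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        pattern, flags, action = m.groups()
        re_flags = 0 if "i" in flags else re.IGNORECASE  # 'i' toggles the default
        rules.append((re.compile(pattern, re_flags), negate, action.strip()))
    return rules


def unfold_headers(message: str) -> List[str]:
    """Split the header section into logical headers (folded lines rejoined),
    which is the unit Postfix matches header_checks patterns against."""
    headers = []
    for line in message.split("\n"):
        if line == "":
            break  # blank line ends the header section
        if line[0] in " \t" and headers:
            headers[-1] += "\n" + line  # continuation of the previous header
        else:
            headers.append(line)
    return headers


def apply_header_checks(rules: List[Rule], headers: List[str]) -> List[str]:
    """Return the headers that survive; the first matching rule decides each header."""
    kept = []
    for header in headers:
        action = None
        for pattern, negate, act in rules:
            if bool(pattern.search(header)) != negate:
                action = act
                break
        if action is None or action.upper() != "IGNORE":
            kept.append(header)
    return kept


def header_names(headers: List[str]) -> List[str]:
    return [h.split(":", 1)[0] for h in headers]


def check_outgoing(message: str = SAMPLE_MESSAGE, table: str = SMTP_HEADER_CHECKS) -> List[str]:
    """Names of the headers that would leave the server after smtp_header_checks."""
    return header_names(apply_header_checks(parse_table(table), unfold_headers(message)))


if __name__ == "__main__":
    print("headers kept:", check_outgoing())
```

Note that {{ic|smtp_header_checks}} applies to every message the Postfix SMTP client sends, so these rules also remove Received headers added by upstream hops, which hampers tracing and loop detection; running a table through this emulation shows exactly what would be lost.<br />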
<br />
=== Postfix in a chroot jail ===<br />
Postfix is not put in a chroot jail by default. The Postfix documentation [http://www.postfix.org/BASIC_CONFIGURATION_README.html#chroot_setup] provides details about how to accomplish such a jail. The steps are outlined below and are based on the chroot-setup script provided in the Postfix source code.<br />
<br />
First, go into the {{ic|master.cf}} file in {{ic|/etc/postfix}} and change all the chroot entries to 'yes' (y), except for the services {{ic|qmgr}}, {{ic|proxymap}}, {{ic|proxywrite}}, {{ic|local}}, and {{ic|virtual}}.<br />
<br />
Second, define a variable and a helper function that will be used later to copy files into the chroot jail (see the last step):<br />
{{bc|<nowiki><br />
CP="cp -p"<br />
<br />
cond_copy() {<br />
    # find files as per pattern in $1<br />
    # if any, copy to directory $2<br />
    dir=`dirname "$1"`<br />
    pat=`basename "$1"`<br />
    lr=`find "$dir" -maxdepth 1 -name "$pat"`<br />
    if test ! -d "$2" ; then exit 1 ; fi<br />
    if test "x$lr" != "x" ; then $CP $1 "$2" ; fi<br />
}<br />
</nowiki>}}<br />
<br />
Next, make the new directories for the jail:<br />
{{bc|<nowiki><br />
set -e<br />
umask 022<br />
<br />
POSTFIX_DIR=${POSTFIX_DIR-/var/spool/postfix}<br />
cd ${POSTFIX_DIR}<br />
<br />
mkdir -p etc lib usr/lib/zoneinfo<br />
test -d /lib64 && mkdir -p lib64<br />
</nowiki>}}<br />
<br />
Find the localtime file:<br />
{{bc|<nowiki><br />
lt=/etc/localtime<br />
if test ! -f $lt ; then lt=/usr/lib/zoneinfo/localtime ; fi<br />
if test ! -f $lt ; then lt=/usr/share/zoneinfo/localtime ; fi<br />
if test ! -f $lt ; then echo "cannot find localtime" ; exit 1 ; fi<br />
rm -f etc/localtime<br />
</nowiki>}}<br />
<br />
Copy localtime and some other system files into the chroot's {{ic|etc}}:<br />
{{bc|<nowiki><br />
$CP -f $lt /etc/services /etc/resolv.conf /etc/nsswitch.conf etc<br />
$CP -f /etc/host.conf /etc/hosts /etc/passwd etc<br />
ln -s -f /etc/localtime usr/lib/zoneinfo<br />
</nowiki>}}<br />
<br />
Copy the required libraries into the chroot using the previously defined {{ic|cond_copy}} function:<br />
{{bc|<nowiki><br />
cond_copy '/usr/lib/libnss_*.so*' lib<br />
cond_copy '/usr/lib/libresolv.so*' lib<br />
cond_copy '/usr/lib/libdb.so*' lib<br />
</nowiki>}}<br />
<br />
And do not forget to reload Postfix.<br />
<br />
<br />
=== DANE (DNSSEC) ===<br />
==== Resource Record ====<br />
<br />
{{warning|This is not a trivial section. Make sure you know what you are doing, and read [https://dane.sys4.de/common_mistakes Common Mistakes] first.}}<br />
<br />
[[DANE]] supports several types of records, however not all of them are suitable in Postfix.<br />
<br />
Certificate usage 0 is unsupported, usage 1 is mapped to 3, and usage 2 is optional; it is therefore recommended to publish a "3" record.<br />
More on [[DANE#Resource Record|Resource Records]].<br />
<br />
==== Configuration ====<br />
<br />
{{Expansion|What does ''tempfail'' mean?}}<br />
<br />
Opportunistic DANE is configured this way:<br />
{{hc|/etc/postfix/main.cf|<nowiki><br />
smtpd_use_tls = yes<br />
smtp_dns_support_level = dnssec<br />
smtp_tls_security_level = dane<br />
</nowiki>}}<br />
{{hc|/etc/postfix/master.cf|<nowiki><br />
dane unix - - n - - smtp<br />
-o smtp_dns_support_level=dnssec<br />
-o smtp_tls_security_level=dane<br />
</nowiki>}}<br />
<br />
To use per-domain policies, e.g. opportunistic DANE for example.org and mandatory DANE for example.com,<br />
use something like this:<br />
{{hc|/etc/postfix/main.cf|<nowiki><br />
indexed = ${default_database_type}:${config_directory}/<br />
<br />
# Per-destination TLS policy<br />
#<br />
smtp_tls_policy_maps = ${indexed}tls_policy<br />
<br />
# default_transport = smtp, but some destinations are special:<br />
#<br />
transport_maps = ${indexed}transport<br />
</nowiki>}}<br />
<br />
{{hc|transport|<br />
example.com dane<br />
example.org dane<br />
}}<br />
<br />
{{hc|tls_policy|<br />
example.com dane-only<br />
}}<br />
<br />
{{Note|For global mandatory DANE, change {{ic|smtp_tls_security_level}} to {{ic|dane-only}}. Be aware that this makes Postfix tempfail (respond with a {{ic|4.X.X}} error code) on all deliveries that do not use DANE at all!}}<br />
<br />
Full documentation is found [http://www.postfix.org/TLS_README.html#client_tls_dane here].<br />
<br />
== Extras ==<br />
<br />
* {{App|[[PostfixAdmin]]|A web-based administrative interface for Postfix.|http://postfixadmin.sourceforge.net/|{{Pkg|postfixadmin}}}}<br />
<br />
=== Postgrey ===<br />
<br />
{{Style|See [[Help:Style]]}}<br />
<br />
[http://postgrey.schweikert.ch/ Postgrey] can be used to enable [[Wikipedia:Greylisting|greylisting]] for a Postfix mail server.<br />
<br />
==== Installation ====<br />
<br />
[[Install]] the {{Pkg|postgrey}} package. To get it running quickly, edit the Postfix configuration file and add these lines:<br />
{{hc|/etc/postfix/main.cf|<nowiki><br />
smtpd_recipient_restrictions =<br />
check_policy_service inet:127.0.0.1:10030<br />
</nowiki>}}<br />
<br />
Then [[start/enable]] the {{ic|postgrey}} service. Afterwards, reload the {{ic|postfix}} service. Now greylisting should be enabled.<br />
<br />
==== Configuration ====<br />
<br />
Configuration is done by editing the {{ic|postgrey.service}} unit. First copy it to {{ic|/etc/systemd/system/}} so that your edits are not overwritten by package updates:<br />
<br />
# cp /usr/lib/systemd/system/postgrey.service /etc/systemd/system/<br />
<br />
==== Whitelisting ====<br />
To add automatic whitelisting (clients whose deliveries succeed are whitelisted and do not have to wait any more), add the {{ic|<nowiki>--auto-whitelist-clients=N</nowiki>}} option and replace {{ic|N}} with a suitably small number (or leave it at its default of 5).<br />
<br />
The preferred way to do this is a drop-in override for the unit:<br />
<br />
{{hc|/etc/systemd/system/postgrey.service.d/override.conf|<nowiki><br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/postgrey --inet=127.0.0.1:10030 \<br />
    --pidfile=/run/postgrey/postgrey.pid \<br />
    --group=postgrey --user=postgrey \<br />
    --daemonize \<br />
    --greylist-text="Greylisted for %%s seconds" \<br />
    --auto-whitelist-clients<br />
</nowiki>}}<br />
<br />
To add your own list of whitelisted clients in addition to the default ones, create the file {{ic|/etc/postfix/whitelist_clients.local}} and enter one host or domain per line, then restart {{ic|postgrey.service}} so the changes take effect.<br />
<br />
==== Troubleshooting ====<br />
<br />
If you specify {{ic|1=--unix=/path/to/socket}} and the socket file is not created, ensure you have removed the default {{ic|1=--inet=127.0.0.1:10030}} from the service file.<br />
<br />
For a full documentation of possible options see {{ic|perldoc postgrey}}.<br />
<br />
=== SpamAssassin ===<br />
<br />
This section describes how to integrate [[SpamAssassin]].<br />
<br />
==== SpamAssassin stand-alone generic setup ====<br />
<br />
{{Note|If you want to combine SpamAssassin and Dovecot Mail Filtering, ignore the next two lines and continue further down instead.}}<br />
<br />
Edit {{ic|/etc/postfix/master.cf}} and add the content filter to the {{ic|smtp}} service:<br />
{{bc|1=<br />
smtp inet n - n - - smtpd<br />
-o content_filter=spamassassin<br />
}}<br />
<br />
Also add the following service entry for SpamAssassin:<br />
{{bc|1=<br />
spamassassin unix - n n - - pipe<br />
flags=R user=spamd argv=/usr/bin/vendor_perl/spamc -e /usr/bin/sendmail -oi -f ${sender} ${recipient}<br />
}}<br />
<br />
Now you can [[start]] and [[enable]] {{ic|spamassassin.service}}.<br />
<br />
==== SpamAssassin combined with Dovecot LDA / Sieve (Mailfiltering) ====<br />
Set up LDA and the Sieve plugin as described in [[Dovecot#Sieve]], but ignore the last line, {{ic|mailbox_command ...}}.<br />
<br />
Instead add a pipe in {{ic|/etc/postfix/master.cf}}:<br />
dovecot unix - n n - - pipe<br />
flags=DRhu user=vmail:vmail argv=/usr/bin/vendor_perl/spamc -u spamd -e /usr/lib/dovecot/dovecot-lda -f ${sender} -d ${recipient}<br />
<br />
And activate it in {{ic|/etc/postfix/main.cf}}:<br />
virtual_transport = dovecot<br />
<br />
==== SpamAssassin combined with Dovecot LMTP / Sieve ====<br />
Set up the LMTP and Sieve as described in [[Dovecot#Sieve]].<br />
<br />
Edit {{ic|/etc/dovecot/conf.d/90-plugins.conf}} and add:<br />
<br />
sieve_before = /etc/dovecot/sieve.before.d/<br />
sieve_extensions = +vnd.dovecot.filter<br />
sieve_plugins = sieve_extprograms<br />
sieve_filter_bin_dir = /etc/dovecot/sieve-filter<br />
# 120s is often needed for the long-running SpamAssassin scans; the default is 10s<br />
sieve_filter_exec_timeout = 120s<br />
<br />
Create the directory and link the spamc binary into it so that Dovecot can run it:<br />
<br />
# mkdir /etc/dovecot/sieve-filter<br />
# ln -s /usr/bin/vendor_perl/spamc /etc/dovecot/sieve-filter/spamc<br />
<br />
Create a new file, {{ic|/etc/dovecot/sieve.before.d/spamassassin.sieve}} which contains:<br />
<br />
require [ "vnd.dovecot.filter" ];<br />
filter "spamc" [ "-d", "127.0.0.1", "--no-safe-fallback" ];<br />
<br />
Compile the sieve rules {{ic|spamassassin.svbin}}:<br />
<br />
# cd /etc/dovecot/sieve.before.d<br />
# sievec spamassassin.sieve<br />
<br />
Finally, [[restart]] {{ic|dovecot.service}}.<br />
<br />
===Rule-based mail processing===<br />
Policy services let you fine-tune how Postfix handles mail delivery.<br />
{{Pkg|postfwd}} and {{AUR|policyd}} provide such services.<br />
This lets you, for example, implement time-aware grey- and blacklisting of senders and recipients as well as [[SPF]] policy checking.<br />
<br />
Policy services are standalone daemons that Postfix consults via {{ic|check_policy_service}}, like this:<br />
{{hc|/etc/postfix/main.cf|<nowiki><br />
smtpd_recipient_restrictions =<br />
...<br />
check_policy_service unix:/run/policyd.sock<br />
check_policy_service inet:127.0.0.1:10040<br />
</nowiki>}}<br />
Placing policy services at the end of the restriction list reduces load, as only mail that has passed the earlier checks reaches them. Be sure to place them before the first permit statement so that all incoming messages are checked.<br />
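<br />
As an added example that is not part of this page and not code from postfwd, policyd or Postgrey, the following Python implements the server side of the policy delegation protocol behind {{ic|check_policy_service}}: it parses one request, applies a sender access list like the one in [[#Blacklist incoming emails]] together with a triplet greylist of the kind Postgrey keeps, and answers on the port used in the snippet above. The request attributes, the blacklisted address and the delay are constructed; the attribute names and action directives are the ones Postfix defines.<br />

```python
"""Minimal Postfix SMTPD policy service (added example; not postfwd, policyd or Postgrey code).

Postfix sends one request per check_policy_service lookup as 'name=value' lines
terminated by an empty line and expects 'action=<directive>' plus an empty line
back (SMTPD_POLICY_README).  The directives used here, DUNNO, REJECT and
DEFER_IF_PERMIT, are the standard access(5) actions.
"""
import socketserver
import time

# Constructed sender access list, the same shape as /etc/postfix/blacklist_incoming.
BLACKLIST = {"user@example.com": "REJECT"}

# Constructed request of the kind Postfix sends at the RCPT stage.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "protocol_name=ESMTP\n"
    "client_address=192.0.2.10\n"
    "client_name=mail.example.org\n"
    "helo_name=mail.example.org\n"
    "sender=bob@example.org\n"
    "recipient=alice@example.net\n"
    "\n"
)


def parse_request(raw: str) -> dict:
    """Parse 'name=value' lines up to the terminating empty line."""
    attrs = {}
    for line in raw.split("\n"):
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def format_response(action: str) -> str:
    """Wire format of a policy reply: one action line and an empty line."""
    return f"action={action}\n\n"


class Greylister:
    """Greylist on the (client_address, sender, recipient) triplet, as Postgrey does.

    The first delivery attempt for an unknown triplet is deferred; a retry after
    `delay` seconds is accepted.  `clock` is injectable so the logic is testable.
    """

    def __init__(self, delay: int = 300, clock=time.time):
        self.delay = delay
        self.clock = clock
        self.seen = {}  # triplet -> timestamp of the first attempt

    def check(self, client: str, sender: str, recipient: str) -> str:
        key = (client, sender.lower(), recipient.lower())
        now = self.clock()
        first = self.seen.setdefault(key, now)
        elapsed = now - first
        if elapsed < self.delay:
            # DEFER_IF_PERMIT lets a later REJECT in the restriction list still win.
            return f"DEFER_IF_PERMIT Greylisted for {int(self.delay - elapsed)} seconds"
        return "DUNNO"


def decide(attrs: dict, greylister: Greylister, blacklist: dict = BLACKLIST) -> str:
    """Return the action directive for one parsed request."""
    if attrs.get("request") != "smtpd_access_policy" or attrs.get("protocol_state") != "RCPT":
        return "DUNNO"  # other request types or states: let Postfix decide
    sender = attrs.get("sender", "").lower()
    if sender in blacklist:
        return f"{blacklist[sender]} sender blacklisted"
    if attrs.get("sasl_username"):
        return "DUNNO"  # authenticated submissions are not greylisted
    return greylister.check(attrs.get("client_address", ""), sender,
                            attrs.get("recipient", ""))


class PolicyHandler(socketserver.StreamRequestHandler):
    """Serve many requests per connection; Postfix keeps policy connections open."""
    greylister = Greylister()

    def handle(self):
        while True:
            lines = []
            for raw in self.rfile:
                line = raw.decode("utf-8", "replace").rstrip("\r\n")
                if line == "":
                    break  # empty line ends one request
                lines.append(line)
            if not lines:
                return  # peer closed the connection
            attrs = parse_request("\n".join(lines) + "\n\n")
            self.wfile.write(format_response(decide(attrs, self.greylister)).encode())
            self.wfile.flush()


if __name__ == "__main__":
    # Matches the 'check_policy_service inet:127.0.0.1:10040' line above.
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler) as srv:
        srv.serve_forever()
```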
<br />
=== Sender Policy Framework ===<br />
<br />
To use the [[Sender Policy Framework]] with Postfix, [[install]] {{AUR|python-postfix-policyd-spf}}.<br />
<br />
Edit {{ic|/etc/python-policyd-spf/policyd-spf.conf}} to your needs. An extensively commented version can be found at {{ic|/etc/python-policyd-spf/policyd-spf.conf.commented}}.<br />
Pay extra attention to the HELO check policy, as the default settings strictly reject HELO failures.<br />
<br />
In {{ic|main.cf}}, add a time limit for the policy daemon:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
policy-spf_time_limit = 3600s<br />
}}<br />
<br />
Then add a service entry for it in {{ic|master.cf}}:<br />
<br />
{{hc|/etc/postfix/master.cf|2=<br />
policy-spf unix - n n - 0 spawn<br />
user=nobody argv=/usr/bin/policyd-spf<br />
}}<br />
<br />
Lastly, add the policy daemon to {{ic|smtpd_recipient_restrictions}}. To minimize load, put it at the end of the restrictions, but above any {{ic|reject_rbl_client}} DNSBL line:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
smtpd_recipient_restrictions=<br />
...<br />
permit_sasl_authenticated<br />
permit_mynetworks<br />
reject_unauth_destination<br />
check_policy_service unix:private/policy-spf<br />
}}<br />
<br />
You can test your setup with the following:<br />
<br />
{{hc|/etc/python-policyd-spf/policyd-spf.conf|2=<br />
defaultSeedOnly = 0<br />
}}<br />
<br />
=== Sender Rewriting Scheme ===<br />
<br />
To use the [[Sender Rewriting Scheme]] with Postfix, [[install]] {{AUR|postsrsd}} and adjust the settings:<br />
<br />
{{hc|/etc/postsrsd/postsrsd|2=<br />
SRS_DOMAIN=yourdomain.tld<br />
SRS_EXCLUDE_DOMAINS=yourotherdomain.tld,yet.anotherdomain.tld<br />
SRS_SEPARATOR==<br />
SRS_SECRET=/etc/postsrsd/postsrsd.secret<br />
SRS_FORWARD_PORT=10001<br />
SRS_REVERSE_PORT=10002<br />
RUN_AS=postsrsd<br />
CHROOT=/usr/lib/postsrsd<br />
}}<br />
<br />
[[Start/enable]] the postsrsd daemon so that it also runs after a reboot.<br />
Then configure Postfix accordingly by setting the following lines:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
sender_canonical_maps = tcp:localhost:10001<br />
sender_canonical_classes = envelope_sender<br />
recipient_canonical_maps = tcp:localhost:10002<br />
recipient_canonical_classes= envelope_recipient,header_recipient<br />
}}<br />
<br />
Restart Postfix and start forwarding mail.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Warning: "database /etc/postfix/*.db is older than source file .." ===<br />
<br />
If you get one or both warnings with {{ic|journalctl}}<br />
<br />
warning: database /etc/postfix/virtual.db is older than source file /etc/postfix/virtual<br />
warning: database /etc/postfix/transport.db is older than source file /etc/postfix/transport<br />
<br />
then rebuild the database named in the warning with the matching command:<br />
<br />
postmap /etc/postfix/transport<br />
postmap /etc/postfix/virtual<br />
<br />
and then restart {{ic|postfix.service}}.<br />
<br />
== See also ==<br />
<br />
* [http://www.postfix.org/documentation.html Official documentation]<br />
* [https://help.ubuntu.com/community/Postfix Postfix Ubuntu documentation]<br />
* [http://linox.be/index.php/2005/07/13/44/ Out of Office] for Squirrelmail {{Dead link|2017|08|23}}</div>Timeline.menuhttps://wiki.archlinux.org/index.php?title=Postfix_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)&diff=557802Postfix (简体中文)2018-11-30T03:34:45Z<p>Timeline.menu: Translation unfinished</p>
<hr />
<div>[[Category:Mail server]]<br />
[[en:Postfix]]<br />
[[ja:Postfix]]<br />
{{Related articles start}}<br />
{{Related|Postfix with SASL}}<br />
{{Related|Virtual user mail system}}<br />
{{Related|OpenDMARC}}<br />
{{Related|OpenDKIM}}<br />
{{Related articles end}}<br />
[[Wikipedia:Postfix (software)|Postfix]] is a mail transfer agent (see [[mail transfer agent]] (English)). According to its [http://www.postfix.org/ official website], it:<br />
:attempts to be fast, easy to administer, and secure, while at the same time being sendmail compatible enough to not upset existing users. Thus, the outside has a sendmail-ish flavor, but the inside is completely different.<br />
<br />
:is fast, easy to administer and secure, while remaining compatible enough with [[Sendmail (简体中文)]] not to disrupt existing users. Thus, from the outside it has a sendmail-ish flavor, but the inside is completely different.<br />
<br />
This article builds upon [[Mail server]] (English). The goal of this article is to set up Postfix and explain what the basic configuration files do. It contains setup instructions for two delivery modes: local system users and virtual users.<br />
<br />
== Installation ==<br />
<br />
[[Install]] (English) the {{Pkg|postfix}} package.<br />
<br />
== Configuration ==<br />
<br />
Refer to the developer's [http://www.postfix.org/BASIC_CONFIGURATION_README.html Postfix Basic Configuration] (English). The configuration files are located in {{ic|/etc/postfix}} by default. The two most important files are:<br />
<br />
* {{ic|master.cf}}, defines which Postfix services are enabled and how clients connect to them, see {{man|5|master}}<br />
* {{ic|main.cf}}, the main configuration file, see {{man|5|postconf}}<br />
<br />
Configuration changes need a {{ic|postfix.service}} [[reload]] in order to take effect.<br />
<br />
=== Aliases ===<br />
<br />
See {{man|5|aliases|url=https://jlk.fjfi.cvut.cz/arch/manpages/man/postfix/aliases.5.en}}.<br />
<br />
You can specify aliases (also known as forwarders) in {{ic|/etc/postfix/aliases}}.<br />
<br />
You need to map all mail addressed to ''root'' to another account since it is not a good idea to read mail as root. <br />
<br />
Uncomment the following line, and change {{ic|you}} to a real account.<br />
root: you<br />
<br />
Once you have finished editing {{ic|/etc/postfix/aliases}} you must run the postalias command:<br />
postalias /etc/postfix/aliases<br />
For later changes you can use:<br />
newaliases<br />
<br />
{{Tip|Alternatively you can create the file {{ic|~/.forward}}, e.g. {{ic|/root/.forward}} for root. Specify the user to whom root mail should be forwarded, e.g. ''user@localhost''.<br />
<br />
{{hc|/root/.forward|<br />
user@localhost<br />
}}<br />
<br />
}}<br />
<br />
=== Local mail ===<br />
<br />
To only deliver mail to local system users (that are in {{ic|/etc/passwd}}) update {{ic|/etc/postfix/main.cf}} to reflect the following configuration. Uncomment, change, or add the following lines:<br />
<br />
myhostname = localhost<br />
mydomain = localdomain<br />
mydestination = $myhostname, localhost.$mydomain, $mydomain<br />
inet_interfaces = $myhostname, localhost<br />
mynetworks_style = host<br />
default_transport = error: outside mail is not deliverable<br />
<br />
All other settings may remain unchanged. After setting up the above configuration file, you may wish to set up some [[#Aliases]] and then [[#Start Postfix]].<br />
<br />
=== Virtual mail ===<br />
Virtual mail is mail that does not map to a user account ({{ic|/etc/passwd}}).<br />
<br />
See [[Virtual user mail system with Postfix, Dovecot and Roundcube]] for a comprehensive guide how to set it up.<br />
<br />
=== Check configuration ===<br />
<br />
Run the {{ic|postfix check}} command. It should output anything that you might have done wrong in a config file. <br />
<br />
To see all of your configs, type {{ic|postconf}}. To see how you differ from the defaults, try {{ic|postconf -n}}.<br />
<br />
== Start Postfix ==<br />
<br />
{{Note|You must run {{ic|newaliases}} at least once for Postfix to run, even if you did not set up any [[#Aliases]].}}<br />
<br />
[[Start/enable]] the {{ic|postfix.service}}.<br />
<br />
== TLS ==<br />
<br />
{{Warning|If you deploy [[Wikipedia:TLS|TLS]], be sure to follow [https://weakdh.org/sysadmin.html weakdh.org's guide] to prevent FREAK/Logjam. Since mid-2015, the default settings have been safe against [[Wikipedia:POODLE|POODLE]]. For more information see [[Server-side TLS]].}}<br />
<br />
You need to [[obtain a certificate]].<br />
<br />
For more information, see [http://www.postfix.org/TLS_README.html Postfix TLS Support].<br />
<br />
=== Secure SMTP (sending) ===<br />
<br />
By default, Postfix/sendmail will not send email encrypted to other SMTP servers. To use TLS when available, add the following line to {{ic|main.cf}}:<br />
{{hc|/etc/postfix/main.cf|2=<br />
smtp_tls_security_level = may<br />
}}<br />
<br />
To ''enforce'' TLS (and fail when the remote server does not support it), change {{ic|may}} to {{ic|encrypt}}. Note, however, that this violates [[RFC:2487]] if the SMTP server is publicly referenced.<br />
<br />
=== Secure SMTP (receiving) ===<br />
<br />
{{Out of date|Port 465 has been reinstated for SMTPS by [[RFC:8314]].}}<br />
<br />
By default, Postfix will not accept secure mail. <br />
<br />
To enable STARTTLS over SMTP (port 587, the proper way of securing SMTP), add the following lines to {{ic|main.cf}}<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
smtpd_tls_security_level = may<br />
smtpd_tls_cert_file = '''/path/to/cert.pem'''<br />
smtpd_tls_key_file = '''/path/to/key.pem'''<br />
}}<br />
<br />
In {{ic|master.cf}}, find and uncomment the following lines to enable the service on that port with the correct settings:<br />
<br />
{{hc|/etc/postfix/master.cf|2=<br />
submission inet n - n - - smtpd<br />
-o syslog_name=postfix/submission<br />
-o smtpd_tls_security_level=encrypt<br />
-o smtpd_sasl_auth_enable=yes<br />
-o smtpd_tls_auth_only=yes<br />
-o smtpd_reject_unlisted_recipient=no<br />
# -o smtpd_client_restrictions=$mua_client_restrictions<br />
# -o smtpd_helo_restrictions=$mua_helo_restrictions<br />
# -o smtpd_sender_restrictions=$mua_sender_restrictions<br />
-o smtpd_recipient_restrictions=<br />
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject<br />
-o milter_macro_daemon_name=ORIGINATING<br />
}}<br />
The {{ic|smtpd_*_restrictions}} options remain commented because {{ic|$mua_*_restrictions}} are not defined in main.cf by default. If you do decide to set any of {{ic|$mua_*_restrictions}}, uncomment those lines too.<br />
<br />
If you need support for the deprecated SMTPS port 465, also follow the next section.<br />
<br />
==== SMTPS (port 465) ====<br />
<br />
The deprecated method of securing SMTP is using the '''wrapper mode''' which uses the system service '''smtps''' as a non-standard service and runs on port 465.<br />
<br />
To enable it, uncomment the following lines in {{ic|master.cf}}:<br />
<br />
{{hc|/etc/postfix/master.cf|<nowiki><br />
smtps inet n - n - - smtpd<br />
-o syslog_name=postfix/smtps<br />
-o smtpd_tls_wrappermode=yes<br />
-o smtpd_sasl_auth_enable=yes<br />
-o smtpd_reject_unlisted_recipient=no<br />
# -o smtpd_client_restrictions=$mua_client_restrictions<br />
# -o smtpd_helo_restrictions=$mua_helo_restrictions<br />
# -o smtpd_sender_restrictions=$mua_sender_restrictions<br />
-o smtpd_recipient_restrictions=<br />
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject<br />
-o milter_macro_daemon_name=ORIGINATING<br />
</nowiki>}}<br />
<br />
The rationale surrounding the {{ic|$smtpd_*_restrictions}} lines is the same as above.<br />
<br />
After this, verify that these lines are in {{ic|/etc/services}}:<br />
smtps 465/tcp # Secure SMTP<br />
smtps 465/udp # Secure SMTP<br />
<br />
If they are not there, go ahead and add them (replace the other listing for port 465). Otherwise Postfix will not start and you will get the following error:<br />
<br />
''postfix/master[5309]: fatal: 0.0.0.0:smtps: Servname not supported for ai_socktype''<br />
<br />
== Tips and tricks ==<br />
<br />
=== Blacklist incoming emails ===<br />
<br />
Manually blacklisting incoming emails by sender address can easily be done with Postfix. <br />
<br />
Create and open {{ic|/etc/postfix/blacklist_incoming}} file and append sender email address:<br />
<br />
user@example.com REJECT<br />
<br />
Then use the {{ic|postmap}} command to create a database:<br />
<br />
# postmap hash:blacklist_incoming<br />
<br />
Add the following code before the first permit rule in {{ic|main.cf}}:<br />
<br />
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/blacklist_incoming<br />
<br />
Finally [[restart]] {{ic|postfix.service}}.<br />
<br />
===Hide the sender's IP and user agent in the Received header===<br />
This is a privacy concern mostly, if you use Thunderbird and send an email. The received header will contain your LAN and WAN IP and info about the email client you used.<br />
(Original source: [http://askubuntu.com/questions/78163/when-sending-email-with-postfix-how-can-i-hide-the-senders-ip-and-username-in AskUbuntu])<br />
What we want to do is remove the Received header from outgoing emails. This can be done by the following steps:<br />
<br />
Add the following line to {{ic|main.cf}}:<br />
<br />
smtp_header_checks = regexp:/etc/postfix/smtp_header_checks<br />
<br />
Create {{ic|/etc/postfix/smtp_header_checks}} with this content:<br />
<br />
/^Received: .*/ IGNORE<br />
/^User-Agent: .*/ IGNORE<br />
<br />
Finally, [[restart]] {{ic|postfix.service}}.<br />
<br />
=== Postfix in a chroot jail ===<br />
Postfix is not put in a chroot jail by default. The Postfix documentation [http://www.postfix.org/BASIC_CONFIGURATION_README.html#chroot_setup] provides details about how to accomplish such a jail. The steps are outlined below and are based on the chroot-setup script provided in the Postfix source code.<br />
<br />
First, go into the {{ic|master.cf}} file in the directory {{ic|/etc/postfix}} and change all the chroot entries to 'yes' (y), except for the services {{ic|qmgr}}, {{ic|proxymap}}, {{ic|proxywrite}}, {{ic|local}} and {{ic|virtual}}.<br />
<br />
Second, create two helpers that will be used later to copy files into the chroot jail (see the last step):<br />
{{bc|<nowiki><br />
CP="cp -p"<br />
<br />
cond_copy() {<br />
    # find files matching the pattern in $1;<br />
    # if there are any, copy them to directory $2<br />
    dir=`dirname "$1"`<br />
    pat=`basename "$1"`<br />
    lr=`find "$dir" -maxdepth 1 -name "$pat"`<br />
    if test ! -d "$2" ; then exit 1 ; fi<br />
    # $1 is deliberately unquoted so that the shell expands the pattern<br />
    if test "x$lr" != "x" ; then $CP $1 "$2" ; fi<br />
}<br />
</nowiki>}}<br />
<br />
Next, make the new directories for the jail:<br />
{{bc|<nowiki><br />
set -e<br />
umask 022<br />
<br />
POSTFIX_DIR=${POSTFIX_DIR-/var/spool/postfix}<br />
cd ${POSTFIX_DIR}<br />
<br />
mkdir -p etc lib usr/lib/zoneinfo<br />
test -d /lib64 && mkdir -p lib64<br />
</nowiki>}}<br />
<br />
Find the localtime file:<br />
{{bc|<nowiki><br />
lt=/etc/localtime<br />
if test ! -f $lt ; then lt=/usr/lib/zoneinfo/localtime ; fi<br />
if test ! -f $lt ; then lt=/usr/share/zoneinfo/localtime ; fi<br />
if test ! -f $lt ; then echo "cannot find localtime" ; exit 1 ; fi<br />
rm -f etc/localtime<br />
</nowiki>}}<br />
<br />
Copy localtime and some other system files into the chroot's {{ic|etc}}:<br />
{{bc|<nowiki><br />
$CP -f $lt /etc/services /etc/resolv.conf /etc/nsswitch.conf etc<br />
$CP -f /etc/host.conf /etc/hosts /etc/passwd etc<br />
ln -s -f /etc/localtime usr/lib/zoneinfo<br />
</nowiki>}}<br />
<br />
Copy the required libraries into the chroot using the previously created function {{ic|cond_copy}}:<br />
{{bc|<nowiki><br />
cond_copy '/usr/lib/libnss_*.so*' lib<br />
cond_copy '/usr/lib/libresolv.so*' lib<br />
cond_copy '/usr/lib/libdb.so*' lib<br />
</nowiki>}}<br />
<br />
Finally, do not forget to reload Postfix.<br />
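As an added example (not from the Postfix chroot-setup script or the ArchWiki page), the following POSIX shell helpers cover the two steps above that are easy to get wrong: rewriting the chroot column of {{ic|master.cf}} for every service except the five exempt ones, and listing which of the copied files are still missing from a jail directory; the sample {{ic|master.cf}} fragment is constructed.<br />

```shell
#!/bin/sh
# Added example, not from the Postfix chroot-setup script or the ArchWiki page.
# set_master_cf_chroot rewrites master.cf on stdin, setting the chroot column to
# "y" for every service except the ones the text lists; missing_chroot_files
# lists which of the files the copy steps provide are absent from a jail.
# master.cf columns: service type private unpriv chroot wakeup maxproc command

# Services that must keep chroot = n (same list as in the text)
NO_CHROOT='qmgr proxymap proxywrite local virtual'

# set_master_cf_chroot: filter stdin -> stdout. Comment lines, blank lines and
# indented "-o" continuation lines pass through untouched; the whitespace of
# rewritten lines is normalised to single spaces, which Postfix accepts.
set_master_cf_chroot() {
    awk -v keep="$NO_CHROOT" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) excl[k[i]] = 1 }
        /^[ \t]/ || /^#/ || /^[ \t]*$/ { print; next }
        NF >= 8 && !($1 in excl) { $5 = "y" }
        { print }
    '
}

# missing_chroot_files JAIL_DIR: print the jail-relative paths from the copy
# steps above that do not exist under JAIL_DIR; exit status 1 if any is missing.
missing_chroot_files() {
    jail=$1
    rc=0
    for f in etc/localtime etc/services etc/resolv.conf etc/nsswitch.conf \
             etc/host.conf etc/hosts etc/passwd; do
        [ -e "$jail/$f" ] || { printf '%s\n' "$f"; rc=1; }
    done
    # the NSS modules are copied by glob; at least one must be present
    set -- "$jail"/lib/libnss_*.so*
    [ -e "$1" ] || { printf '%s\n' 'lib/libnss_*.so*'; rc=1; }
    return $rc
}

# Constructed sample master.cf fragment for demonstration
SAMPLE_MASTER_CF='# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=spamassassin
qmgr      unix  n       -       n       300     1       qmgr
local     unix  -       n       n       -       -       local
smtp      unix  -       -       n       -       -       smtp'

printf '%s\n' "$SAMPLE_MASTER_CF" | set_master_cf_chroot
```

After editing the real file, {{ic|postfix check}} validates the configuration before you reload.<br />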
<br />
<br />
=== DANE (DNSSEC) ===<br />
==== Resource Record ====<br />
<br />
{{warning|This is not a trivial section. Make sure you know what you are doing, and read [https://dane.sys4.de/common_mistakes Common Mistakes] first.}}<br />
<br />
[[DANE]] supports several types of records; however, not all of them are usable with Postfix.<br />
<br />
Certificate usage 0 is unsupported, 1 is mapped to 3 and 2 is optional, thus it is recommended to publish a "3" record.<br />
More on [[DANE#Resource Record|Resource Records]].<br />
<br />
==== Configuration ====<br />
<br />
{{Expansion|What does ''tempfail'' mean?}}<br />
<br />
Opportunistic DANE is configured this way:<br />
{{hc|/etc/postfix/main.cf|<nowiki><br />
smtpd_use_tls = yes<br />
smtp_dns_support_level = dnssec<br />
smtp_tls_security_level = dane<br />
</nowiki>}}<br />
{{hc|/etc/postfix/master.cf|<nowiki><br />
dane unix - - n - - smtp<br />
-o smtp_dns_support_level=dnssec<br />
-o smtp_tls_security_level=dane<br />
</nowiki>}}<br />
<br />
To use per-domain policies, e.g. opportunistic DANE for example.org and mandatory DANE for example.com,<br />
use something like this:<br />
{{hc|/etc/postfix/main.cf|<nowiki><br />
indexed = ${default_database_type}:${config_directory}/<br />
<br />
# Per-destination TLS policy<br />
#<br />
smtp_tls_policy_maps = ${indexed}tls_policy<br />
<br />
# default_transport = smtp, but some destinations are special:<br />
#<br />
transport_maps = ${indexed}transport<br />
</nowiki>}}<br />
<br />
{{hc|transport|<br />
example.com dane<br />
example.org dane<br />
}}<br />
<br />
{{hc|tls_policy|<br />
example.com dane-only<br />
}}<br />
<br />
{{Note|For global mandatory DANE, change {{ic|smtp_tls_security_level}} to {{ic|dane-only}}. Be aware that this makes Postfix tempfail (respond with a {{ic|4.X.X}} error code) on all deliveries that do not use DANE at all!}}<br />
<br />
Full documentation is found [http://www.postfix.org/TLS_README.html#client_tls_dane here].<br />
<br />
== Extras ==<br />
<br />
* {{App|[[PostfixAdmin]]|A web-based administrative interface for Postfix.|http://postfixadmin.sourceforge.net/|{{Pkg|postfixadmin}}}}<br />
<br />
=== Postgrey ===<br />
<br />
{{Style|See [[Help:Style]]}}<br />
<br />
[http://postgrey.schweikert.ch/ Postgrey] can be used to enable [[Wikipedia:Greylisting|greylisting]] for a Postfix mail server.<br />
<br />
==== Installation ====<br />
<br />
[[Install]] the {{Pkg|postgrey}} package. To get it running quickly edit the Postfix configuration file and add these lines:<br />
{{hc|/etc/postfix/main.cf|<nowiki><br />
smtpd_recipient_restrictions =<br />
check_policy_service inet:127.0.0.1:10030<br />
</nowiki>}}<br />
<br />
Then [[start/enable]] the {{ic|postgrey}} service. Afterwards, reload the {{ic|postfix}} service. Now greylisting should be enabled.<br />
<br />
==== Configuration ====<br />
<br />
Configuration is done by changing the options passed to {{ic|postgrey}} in {{ic|postgrey.service}}. One way is to copy the unit file and edit the copy:<br />
<br />
# cp /usr/lib/systemd/system/postgrey.service /etc/systemd/system/<br />
<br />
==== Whitelisting ====<br />
To add automatic whitelisting (clients with successful deliveries are whitelisted and do not have to wait any more), add the {{ic|<nowiki>--auto-whitelist-clients=N</nowiki>}} option and replace {{ic|N}} with a suitably small number (or leave it at its default of 5).<br />
<br />
The preferred method, however, is an override of the unit rather than a copy:<br />
<br />
{{hc|/etc/systemd/system/postgrey.service.d/override.conf|<nowiki><br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/postgrey --inet=127.0.0.1:10030 \<br />
    --pidfile=/run/postgrey/postgrey.pid \<br />
    --group=postgrey --user=postgrey \<br />
    --daemonize \<br />
    --greylist-text="Greylisted for %%s seconds" \<br />
    --auto-whitelist-clients<br />
</nowiki>}}<br />
<br />
To add your own list of whitelisted clients in addition to the default ones, create the file {{ic|/etc/postfix/whitelist_clients.local}} and enter one host or domain per line, then restart {{ic|postgrey.service}} so the changes take effect.<br />
<br />
==== Troubleshooting ====<br />
<br />
If you specify {{ic|1=--unix=/path/to/socket}} and the socket file is not created ensure you have removed the default {{ic|1=--inet=127.0.0.1:10030}} from the service file. <br />
<br />
For a full documentation of possible options see {{ic|perldoc postgrey}}.<br />
<br />
=== SpamAssassin ===<br />
<br />
This section describes how to integrate [[SpamAssassin]].<br />
<br />
==== SpamAssassin stand-alone generic setup ====<br />
<br />
{{Note|If you want to combine SpamAssassin with Dovecot mail filtering, skip this generic setup and continue with one of the Dovecot subsections below instead.}}<br />
<br />
Edit {{ic|/etc/postfix/master.cf}} and add the content filter under smtp.<br />
{{bc|1=<br />
smtp inet n - n - - smtpd<br />
-o content_filter=spamassassin<br />
}}<br />
<br />
Also add the following service entry for SpamAssassin<br />
{{bc|1=<br />
spamassassin unix - n n - - pipe<br />
flags=R user=spamd argv=/usr/bin/vendor_perl/spamc -e /usr/bin/sendmail -oi -f ${sender} ${recipient}<br />
}}<br />
<br />
Now you can [[start]] and [[enable]] {{ic|spamassassin.service}}.<br />
<br />
==== SpamAssassin combined with Dovecot LDA / Sieve (Mailfiltering) ====<br />
Set up LDA and the Sieve plugin as described in [[Dovecot#Sieve]], but skip the last line ({{ic|mailbox_command...}}).<br />
<br />
Instead add a pipe in {{ic|/etc/postfix/master.cf}}:<br />
dovecot unix - n n - - pipe<br />
flags=DRhu user=vmail:vmail argv=/usr/bin/vendor_perl/spamc -u spamd -e /usr/lib/dovecot/dovecot-lda -f ${sender} -d ${recipient}<br />
<br />
And activate it in {{ic|/etc/postfix/main.cf}}:<br />
virtual_transport = dovecot<br />
<br />
==== SpamAssassin combined with Dovecot LMTP / Sieve ====<br />
Set up the LMTP and Sieve as described in [[Dovecot#Sieve]].<br />
<br />
Edit {{ic|/etc/dovecot/conf.d/90-plugins.conf}} and add:<br />
<br />
sieve_before = /etc/dovecot/sieve.before.d/<br />
sieve_extensions = +vnd.dovecot.filter<br />
sieve_plugins = sieve_extprograms<br />
sieve_filter_bin_dir = /etc/dovecot/sieve-filter<br />
# a longer timeout is often needed for long-running SpamAssassin scans; the default is 10s<br />
sieve_filter_exec_timeout = 120s<br />
<br />
Create the directory and place spamassassin in it as a binary that Dovecot can run:<br />
<br />
# mkdir /etc/dovecot/sieve-filter<br />
# ln -s /usr/bin/vendor_perl/spamc /etc/dovecot/sieve-filter/spamc<br />
<br />
Create a new file, {{ic|/etc/dovecot/sieve.before.d/spamassassin.sieve}} which contains:<br />
<br />
require [ "vnd.dovecot.filter" ];<br />
filter "spamc" [ "-d", "127.0.0.1", "--no-safe-fallback" ];<br />
<br />
Compile the sieve rules {{ic|spamassassin.svbin}}:<br />
<br />
# cd /etc/dovecot/sieve.before.d<br />
# sievec spamassassin.sieve<br />
<br />
Finally, [[restart]] {{ic|dovecot.service}}.<br />
<br />
===Rule-based mail processing===<br />
Policy services make it easy to fine-tune how Postfix handles mail delivery.<br />
{{Pkg|postfwd}} and {{AUR|policyd}} provide such services.<br />
This allows you to, for example, implement time-aware grey- and blacklisting of senders and recipients as well as [[SPF]] policy checking.<br />
<br />
Policy services are standalone services and connected to Postfix like this:<br />
{{hc|/etc/postfix/main.cf|<nowiki><br />
smtpd_recipient_restrictions =<br />
...<br />
check_policy_service unix:/run/policyd.sock<br />
check_policy_service inet:127.0.0.1:10040<br />
</nowiki>}}<br />
Placing policy services at the end of the queue reduces load, as only legitimate mails are processed. Be sure to place it before the first permit statement to catch all incoming messages.<br />
<br />
=== Sender Policy Framework ===<br />
<br />
To use the [[Sender Policy Framework]] with Postfix, [[install]] {{AUR|python-postfix-policyd-spf}}.<br />
<br />
Edit {{ic|/etc/python-policyd-spf/policyd-spf.conf}} to your needs. An extensively commented version can be found at {{ic|/etc/python-policyd-spf/policyd-spf.conf.commented}}.<br />
Pay some extra attention to the HELO check policy, as standard settings strictly reject HELO failures.<br />
<br />
In the main.cf add a timeout for the policyd:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
policy-spf_time_limit = 3600s<br />
}}<br />
<br />
Then add a transport<br />
<br />
{{hc|/etc/postfix/master.cf|2=<br />
policy-spf unix - n n - 0 spawn<br />
user=nobody argv=/usr/bin/policyd-spf<br />
}}<br />
<br />
Lastly you need to add the policyd to the {{ic|smtpd_recipient_restrictions}}. To minimize load put it to the end of the restrictions but above any {{ic|reject_rbl_client}} DNSBL line:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
smtpd_recipient_restrictions=<br />
...<br />
permit_sasl_authenticated<br />
permit_mynetworks<br />
reject_unauth_destination<br />
check_policy_service unix:private/policy-spf<br />
}}<br />
<br />
You can test your setup with the following setting:<br />
<br />
{{hc|/etc/python-policyd-spf/policyd-spf.conf|2=<br />
defaultSeedOnly = 0<br />
}}<br />
<br />
=== Sender Rewriting Scheme ===<br />
<br />
To use the [[Sender Rewriting Scheme]] with Postfix, [[install]] {{AUR|postsrsd}} and adjust the settings:<br />
<br />
{{hc|/etc/postsrsd/postsrsd|2=<br />
SRS_DOMAIN=yourdomain.tld<br />
SRS_EXCLUDE_DOMAINS=yourotherdomain.tld,yet.anotherdomain.tld<br />
SRS_SEPARATOR==<br />
SRS_SECRET=/etc/postsrsd/postsrsd.secret<br />
SRS_FORWARD_PORT=10001<br />
SRS_REVERSE_PORT=10002<br />
RUN_AS=postsrsd<br />
CHROOT=/usr/lib/postsrsd<br />
}}<br />
<br />
Enable and start the daemon, making sure it runs after reboot as well.<br />
Then configure Postfix accordingly by tweaking the following lines:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
sender_canonical_maps = tcp:localhost:10001<br />
sender_canonical_classes = envelope_sender<br />
recipient_canonical_maps = tcp:localhost:10002<br />
recipient_canonical_classes= envelope_recipient,header_recipient<br />
}}<br />
<br />
Restart Postfix and start forwarding mail.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Warning: "database /etc/postfix/*.db is older than source file .." ===<br />
<br />
If you see one or both of these warnings in {{ic|journalctl}}:<br />
<br />
warning: database /etc/postfix/virtual.db is older than source file /etc/postfix/virtual<br />
warning: database /etc/postfix/transport.db is older than source file /etc/postfix/transport<br />
<br />
then fix them with the commands matching the messages you get:<br />
<br />
postmap /etc/postfix/transport<br />
postmap /etc/postfix/virtual<br />
<br />
and restart {{ic|postfix.service}}.<br />
<br />
== See also ==<br />
<br />
* [http://www.postfix.org/documentation.html Official documentation]<br />
* [https://help.ubuntu.com/community/Postfix Postfix Ubuntu documentation]<br />
* [http://linox.be/index.php/2005/07/13/44/ Out of Office] for Squirrelmail {{Dead link|2017|08|23}}</div><br />
<br />
Timeline.menu: https://wiki.archlinux.org/index.php?title=Samba_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)&diff=556695<br />
Samba (简体中文), 2018-11-23T04:49:51Z<br />
<p>Timeline.menu: /* Server configuration */ fix the failure to start caused by logging</p><br />
<hr />
<div>[[Category:Networking (简体中文)]]<br />
[[cs:Samba]]<br />
[[da:Samba]]<br />
[[de:Samba]]<br />
[[en:Samba]]<br />
[[es:Samba]]<br />
[[fr:Samba]]<br />
[[it:Samba]]<br />
[[ja:Samba]]<br />
[[ru:Samba]]<br />
[[sr:Samba]]<br />
[[zh-hant:Samba]]<br />
{{Related articles start (简体中文)}}<br />
{{Related|NFS}}<br />
{{Related|Samba/Active Directory domain controller}}<br />
{{Related|Active Directory Integration}}<br />
{{Related articles end}}<br />
'''Samba''' is a re-implementation of the [[wikipedia:Server_Message_Block|SMB/CIFS]] networking protocol. Complementing [[NFS (简体中文)|NFS]], it makes file and printer sharing between Linux and Windows systems easier. Some users say that Samba is simple to configure and intuitive to operate; however, many new users run into problems because of its complexity and unintuitive mechanisms. New users are strongly advised to follow the instructions below carefully.<br />
<br />
== Server configuration ==<br />
<br />
To share files with Samba, additionally [[Pacman|install]] the {{Pkg|samba}} package.<br />
<br />
The configuration file of the Samba server is {{ic|/etc/samba/smb.conf}}; smbd will not start without it.<br />
<br />
You can get the default configuration file from [https://git.samba.org/samba.git/?p=samba.git;a=blob_plain;f=examples/smb.conf.default;hb=HEAD here]:<br />
# wget "https://git.samba.org/samba.git/?p=samba.git;a=blob_plain;f=examples/smb.conf.default;hb=HEAD" -O /etc/samba/smb.conf<br />
<br />
{{Note|<br />
* The default configuration file downloaded above sets the {{ic|log file}} to a location that cannot be written to, which causes an error. Solve it in one of the following ways:<br />
** Put the log file in a writable path: {{ic|1=log file = /var/log/samba/%m.log}}<br />
** Log to a non-file backend: {{ic|1=logging = syslog}} together with {{ic|1=syslog only = yes}}, or {{ic|1=logging = systemd}}<br />
* If needed, the {{ic|workgroup}} specified in the {{ic|[global]}} section must match the name of the Windows workgroup (the default is {{ic|WORKGROUP}}).<br />
}}<br />
<br />
===Creating a share===<br />
<br />
Edit {{ic|/etc/samba/smb.conf}} and scroll to the '''Share Definitions''' section. The default configuration file creates a share of the home directory for every user, but the following settings are required before users can log in:<br />
<br />
{{hc|/etc/samba/smb.conf|2=<br />
...<br />
[homes]<br />
comment = Home Directories<br />
browseable = no<br />
writable = yes<br />
valid users = %S<br />
}}<br />
<br />
The default configuration file also shares printers and contains some useful example configurations. More available options can be looked up in {{man|5|smb.conf}}; an online version is [http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html here].<br />
<br />
{{Tip|To share with Windows, set the Windows workgroup currently in use in {{ic|smb.conf}} (the default workgroup is {{ic|WORKGROUP}}).}}<br />
<br />
=== Starting the service ===<br />
{{Note|As of {{Pkg|samba}} 4.8.0-1, the {{ic|smbd.service}} and {{ic|nmbd.service}} units were renamed to {{ic|smb.service}} and {{ic|nmb.service}}.}}<br />
<br />
For basic file sharing over SMB, [[Systemd#Using units|start/enable]] the {{ic|smb.service}} and {{ic|nmb.service}} services. See the man pages of [http://www.samba.org/samba/docs/man/manpages-3/smbd.8.html smbd] and [http://www.samba.org/samba/docs/man/manpages-3/nmbd.8.html nmbd] for more information.<br />
{{ic|nmbd.service}} is not always required.<br />
<br />
{{Tip|Instead of starting the service at boot, you can enable {{ic|smbd.socket}} and disable {{ic|smbd.service}}. The daemon is then started when the first connection request arrives.}}<br />
<br />
===Creating a usershare path===<br />
<br />
{{Note|This is optional; skip it if you do not need it.}}<br />
<br />
"Usershare" lets users without root privileges add, modify and delete their own shared folders.<br />
<br />
The following creates the usershares directory under {{ic|/var/lib/samba}}:<br />
<br />
# mkdir -p /var/lib/samba/usershare<br />
<br />
The following creates the sambashare group:<br />
<br />
# groupadd sambashare<br />
<br />
The following changes the ownership of the directory just created: the owner becomes root and the group becomes sambashare:<br />
<br />
# chown root:sambashare /var/lib/samba/usershare<br />
<br />
The following gives users in the sambashare group permission to read, write and execute the contents of this directory:<br />
<br />
# chmod 1770 /var/lib/samba/usershare<br />
<br />
Set the following variables in the {{ic|smb.conf}} configuration file:<br />
<br />
{{hc|/etc/samba/smb.conf|2=<br />
...<br />
[global]<br />
usershare path = /var/lib/samba/usershare<br />
usershare max shares = 100<br />
usershare allow guests = yes<br />
usershare owner only = yes<br />
...<br />
}}<br />
<br />
Add the user to the ''sambashare'' group, replacing {{ic|''your_username''}} with the actual user name:<br />
<br />
# usermod -a -G sambashare ''your_username''<br />
<br />
Restart the {{ic|smbd.service}} and {{ic|nmbd.service}} services.<br />
<br />
Log out and log back in; you should now be able to configure your Samba shares with a GUI program. For example, in [[Thunar]] you can right-click any folder to share it on the local network. If you want to share a path inside your home directory, the contents of the home directory must be listable by other users.<br />
<br />
===Adding a user===<br />
<br />
Samba needs a Linux account to work; use an existing account or [[Users and groups#User management|create a new user]].<br />
<br />
Although the user name can be shared with the Linux system, Samba uses its own password management. Replace {{ic|samba_user}} below with the chosen Samba user:<br />
<br />
# smbpasswd -a ''samba_user''<br />
<br />
Depending on the [https://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#SERVERROLE server role], existing [[File permissions and attributes|file permissions and attributes]] may need to be changed.<br />
<br />
To let a newly created user access only the Samba file server, disable the other login options:<br />
* Disable the shell: {{ic|usermod --shell /usr/bin/nologin --lock username}}<br />
* Disable SSH logins: {{ic|/etc/ssh/sshd_config}}, option {{ic|AllowUsers}}<br />
<br />
See [[Security]].<br />
<br />
===Changing a Samba user's password===<br />
<br />
Use {{ic|smbpasswd}} to change a Samba user's password:<br />
<br />
# smbpasswd ''samba_user''<br />
<br />
===Port setup===<br />
<br />
If you use a [[firewall]], you need to open the ports used by Samba, usually 137-139 and 445. For the full list, see [https://wiki.samba.org/index.php/Samba_port_usage Samba port usage].<br />
<br />
=== Validating the configuration ===<br />
{{ic|testparm}} checks smb.conf for errors:<br />
# testparm -s<br />
<br />
== Client configuration ==<br />
<br />
If you do not need to browse public shares, you can install the lightweight {{Pkg|cifs-utils}} package and mount shares with the {{ic|/usr/bin/mount.cifs}} command.<br />
<br />
For an ftp-like command line interface, install the {{Pkg|smbclient}} package. See {{man|1|smbclient}} for common commands.<br />
<br />
[[desktop environment|Desktop environments]] may provide a graphical interface; see [[#File manager configuration]].<br />
<br />
{{Note|After installing {{Pkg|cifs-utils}} or {{Pkg|smbclient}}, load the {{ic|cifs}} [[kernel module|kernel module]] or reboot to avoid mount failures.}}<br />
<br />
=== Listing available shares ===<br />
The following command lists the shares available on a server:<br />
<br />
$ smbclient -L ''hostname'' -U%<br />
<br />
''smbtree'' shows a tree of the shared directories; using it on a network with many computers is not recommended. It can be used to check whether share names are visible.<br />
<br />
$ smbtree -b -N<br />
<br />
{{ic|-b}} ({{ic|--broadcast}}) uses broadcast mode and {{ic|-N}} ({{ic|--no-pass}}) does not ask for a password.<br />
<br />
=== WINS host names ===<br />
<br />
{{pkg|smbclient}} provides a driver for resolving host names via WINS. To enable it, add "wins" to the "hosts" line of /etc/nsswitch.conf.<br />
<br />
=== Manual mounting ===<br />
<br />
Create a mount point for the share:<br />
<br />
# mkdir /mnt/''mountpoint''<br />
<br />
Mount with {{ic|mount.cifs}}, i.e. with {{ic|cifs}} as the file system {{ic|type}}; not all of the options listed below are required:<br />
{{bc|1=<br />
# mount -t cifs //''SERVER''/''sharename'' /mnt/''mountpoint'' -o user=''username'',password=''password'',uid=''username'',gid=''group'',workgroup=''workgroup'',ip=''serverip'',iocharset=''utf8''<br />
}}<br />
<br />
To allow users to mount at directories they can access, use the {{ic|users}} mount option.<br />
<br />
{{Note|<br />
* Note the trailing '''s'''; other file systems generally use ''user''.<br />
* When using the {{ic|uid}} and {{ic|gid}} mount options, pay attention to the [[File permissions and attributes|file permissions]], otherwise I/O errors will occur.<br />
}}<br />
<br />
''SERVER''<br />
: The server name.<br />
<br />
''sharename''<br />
: The shared directory.<br />
<br />
''mountpoint''<br />
: The local mount point.<br />
<br />
{{ic|<nowiki>-o [options]</nowiki>}}<br />
: See {{man|8|mount.cifs}} for details.<br />
<br />
{{Note|<br />
* Do not add a trailing {{ic|/}}; {{ic|//''SERVER''/''sharename'''''/'''}} does not work.<br />
* If mounting is unstable, with hangs or dropped connections, try a different SMB protocol version with {{ic|1=vers=}}. For example, use {{ic|1=vers=2.0}} to mount from Vista.<br />
* If shutdown times out on a machine with cifs mounts, see [[WPA supplicant#Problem with mounted network shares (cifs) and shutdown]].<br />
}}<br />
<br />
===== Storing share passwords =====<br />
<br />
Storing the password in a file that everyone can read is not recommended; a safer way is to create a credentials file:<br />
{{hc|/path/to/credentials/share|2=<br />
username=''myuser''<br />
password=''mypass''<br />
}}<br />
<br />
Replace {{ic|<nowiki>username=myuser,password=mypass</nowiki>}} with {{ic|<nowiki>credentials=/path/to/credentials/share</nowiki>}}.<br />
<br />
Change the permissions of the credentials file:<br />
# chmod 600 /path/to/credentials/share<br />
<br />
=== Automatic mounting ===<br />
{{Note|You may need to [[enable]] {{ic|systemd-networkd-wait-online.service}} or {{ic|NetworkManager-wait-online.service}} (depending on your setup) so that the mount works properly at boot.}}<br />
<br />
==== As mount entry ====<br />
<br />
This is a simple example of a {{ic|cifs}} [[fstab|mount entry]] that requires authentication:<br />
{{hc|/etc/fstab|2=<br />
//''SERVER''/''sharename'' /mnt/''mountpoint'' cifs username=''myuser'',password=''mypass'' 0 0<br />
}}<br />
<br />
{{Note|Space in sharename should be replaced by {{ic|\040}} (ASCII code for space in octal). For example, {{ic|//''SERVER''/share name}} on the command line should be {{ic|//''SERVER''/share\040name}} in {{ic|/etc/fstab}}.}}<br />
<br />
To speed up the service on boot, add the {{ic|1=x-systemd.automount}} option to the entry:<br />
{{hc|/etc/fstab|2=<br />
//''SERVER''/''SHARENAME'' /mnt/''mountpoint'' cifs credentials=''/path/to/smbcredentials/share'',x-systemd.automount 0 0<br />
}}<br />
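As an added example covering both the credentials-file advice and the fstab entries above (this is not code from the ArchWiki page), the following POSIX shell helpers create a credentials file that is never world-readable and audit fstab-format text for cifs entries that still carry the password inline or point at a credentials file that is missing or too open; all paths, user names and passwords are constructed.<br />

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: helpers for the credentials-file
# advice above and the fstab entries that use it. write_cifs_credentials creates
# a credentials file that is never world-readable, not even briefly, and
# audit_fstab_cifs reports cifs entries in fstab-format text that still carry the
# password inline or point at a credentials file that is missing or too open.
# All paths, names and passwords below are constructed.

# write_cifs_credentials FILE USERNAME PASSWORD [DOMAIN]
write_cifs_credentials() {
    file=$1; user=$2; pass=$3; dom=$4
    # umask 077 in a subshell so the file is created with mode 600 from the start
    (
        umask 077
        {
            printf 'username=%s\n' "$user"
            printf 'password=%s\n' "$pass"
            [ -n "$dom" ] && printf 'domain=%s\n' "$dom"
            :
        } > "$file"
    ) || return 1
    chmod 600 "$file"   # also tightens a file that already existed
}

# file_mode FILE: permission string as shown by ls, e.g. -rw-------
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# audit_fstab_cifs FSTAB_TEXT: print one "MOUNTPOINT: problem" line per finding.
# Returns 0 when nothing was found, 1 otherwise.
audit_fstab_cifs() {
    findings=$(printf '%s\n' "$1" | awk '
        /^[ \t]*(#|$)/ { next }
        $3 == "cifs" {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) {
                if (opt[i] ~ /^(password|pass)=/)
                    print $2 ": password stored inline in fstab"
                else if (opt[i] ~ /^credentials=/)
                    print $2 ": credentials file " substr(opt[i], 13)
            }
        }' | while IFS= read -r line; do
            case $line in
                *": credentials file "*)
                    mp=${line%%:*}
                    cred=${line##*: credentials file }
                    if [ ! -e "$cred" ]; then
                        printf '%s: credentials file %s is missing\n' "$mp" "$cred"
                    elif [ "$(file_mode "$cred")" != "-rw-------" ]; then
                        printf '%s: credentials file %s is not mode 600\n' "$mp" "$cred"
                    fi ;;
                *) printf '%s\n' "$line" ;;
            esac
        done)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Demonstration on a constructed fstab fragment: the first entry exposes the
# password to every local user who can read /etc/fstab
SAMPLE_FSTAB='//server/share1 /mnt/a cifs username=u,password=secret 0 0
//server/share2 /mnt/b cifs credentials=/etc/samba/creds/share2,x-systemd.automount 0 0'
audit_fstab_cifs "$SAMPLE_FSTAB" || echo "fstab needs attention"
```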
<br />
==== As systemd unit ====<br />
Create a new {{ic|.mount}} file inside {{ic|/etc/systemd/system}}, e.g. {{ic|mnt-myshare.mount}}.<br />
<br />
{{ic|1=Requires=}} replace (if needed) with your [[:Category:Network_configuration|Network configuration]].<br />
<br />
{{ic|1=What=}} path to share<br />
<br />
{{ic|1=Where=}} path to mount the share<br />
<br />
{{ic|1=Options=}} share mounting options<br />
<br />
{{hc|/etc/systemd/system/mnt-myshare.mount|<nowiki><br />
[Unit]<br />
Description=Mount Share at boot<br />
Requires=systemd-networkd.service<br />
After=network-online.target<br />
Wants=network-online.target<br />
<br />
[Mount]<br />
What=//server/share<br />
Where=/mnt/myshare<br />
Options=credentials=/etc/samba/creds/myshare,iocharset=utf8,rw,x-systemd.automount<br />
Type=cifs<br />
TimeoutSec=30<br />
<br />
[Install]<br />
WantedBy=multi-user.target<br />
</nowiki>}}<br />
<br />
To use {{ic|mnt-myshare.mount}}, [[start]] the unit and [[enable]] it to run on system boot.<br />
<br />
==== smbnetfs ====<br />
<br />
{{Note|1=smbnetfs needs an intact Samba server setup.<br />
See above on how to do that.}}<br />
<br />
First, check if you can see all the shares you are interested in mounting:<br />
$ smbtree -U ''remote_user''<br />
<br />
If that does not work, find and modify the following line<br />
in {{ic|/etc/samba/smb.conf}} accordingly:<br />
<br />
domain master = auto<br />
<br />
Now [[restart]] {{ic|smbd.service}} and {{ic|nmbd.service}}.<br />
<br />
If everything works as expected, [[pacman#Installing specific packages|install]] {{Pkg|smbnetfs}} from the official repositories.<br />
<br />
Then, add the following line to {{ic|/etc/fuse.conf}}:<br />
<br />
user_allow_other<br />
<br />
Now copy the directory {{ic|/etc/smbnetfs/.smb}} to your home directory:<br />
<br />
$ cp -a /etc/smbnetfs/.smb ~<br />
<br />
Then create a link to {{ic|smb.conf}}:<br />
<br />
$ ln -sf /etc/samba/smb.conf ~/.smb/smb.conf<br />
<br />
If a username and a password are required to access some of the shared folders, edit {{ic|~/.smb/smbnetfs.auth}}<br />
to include one or more entries like this:<br />
<br />
{{hc|~/.smb/smbnetfs.auth|<br />
auth "hostname" "username" "password"<br />
}}<br />
<br />
It is also possible to add entries for specific hosts to be mounted by smbnetfs, if necessary.<br />
More details can be found in {{ic|~/.smb/smbnetfs.conf}}.<br />
<br />
If you are using [[Dolphin]] or [[GNOME Files]], you may want to add the following to {{ic|~/.smb/smbnetfs.conf}} to avoid "Disk full" errors, as smbnetfs by default reports 0 bytes of free space:<br />
{{hc|~/.smb/smbnetfs.conf|<br />
free_space_size 1073741824<br />
}}<br />
<br />
When you are done with the configuration, you need to run<br />
$ chmod 600 ~/.smb/smbnetfs.*<br />
Otherwise, smbnetfs complains about 'insecure config file permissions'.<br />
<br />
Finally, to mount your Samba network neighbourhood to a directory of your choice, call<br />
$ smbnetfs ''mount_point''<br />
<br />
===== Daemon =====<br />
<br />
The Arch Linux package also provides an additional system-wide operation mode for smbnetfs. To enable it, make the modifications described above in the directory {{ic|/etc/smbnetfs/.smb}}.<br />
<br />
Then, you can start and/or enable the {{ic|smbnetfs}} [[daemon]] as usual. The system-wide mount point is at {{ic|/mnt/smbnet/}}.<br />
<br />
==== autofs ====<br />
<br />
See [[Autofs]] for information about the kernel-based Linux automounter.<br />
<br />
=== File manager configuration ===<br />
<br />
==== GNOME Files, Nemo, Caja, Thunar and PCManFM ====<br />
<br />
In order to access samba shares through GNOME Files, Nemo, Caja, Thunar or PCManFM, install the {{Pkg|gvfs-smb}} package, available in the [[official repositories]].<br />
<br />
Press {{ic|Ctrl+l}} and enter {{ic|smb://''servername''/''share''}} in the location bar to access your share.<br />
<br />
The mounted share is likely to be present at {{ic|/run/user/''your_UID''/gvfs}} or {{ic|~/.gvfs}} in the filesystem.<br />
<br />
==== KDE ====<br />
<br />
KDE has built-in support for browsing Samba shares, so no additional packages are needed. However, for a GUI in the KDE System Settings, install the {{Pkg|kdenetwork-filesharing}} package from the official repositories.<br />
<br />
If when navigating with Dolphin you get a "Time Out" Error, you should uncomment and edit this line in smb.conf:{{bc|1=name resolve order = lmhosts bcast host wins}}<br />
as shown in this [http://ubuntuforums.org/showthread.php?t=1605499 page].<br />
<br />
==== Other graphical environments ====<br />
<br />
There are a number of useful programs, but they may need to have packages created for them. This can be done with the Arch package build system. The good thing about these others is that they do not require a particular environment to be installed to support them, and so they bring along less baggage.<br />
<br />
* {{Pkg|pyneighborhood}} is available in the official repositories.<br />
* LinNeighborhood, RUmba and the xffm-samba plugin for Xffm are not available in the official repositories or the AUR. As they are not officially (or even unofficially) supported, they may be obsolete and may not work at all.<br />
<br />
== Tips and tricks ==<br />
=== Block certain file extensions on Samba share ===<br />
{{Note|Setting this parameter will affect the performance of Samba, as it will be forced to check all files and directories for a match as they are scanned.}}<br />
Samba offers an option to block files with certain patterns, like file extensions. This option can be used to prevent dissemination of viruses or to dissuade users from wasting space with certain files. More information about this option can be found in {{man|5|smb.conf}}.<br />
<br />
{{hc|/etc/samba/smb.conf|2=<br />
...<br />
[myshare]<br />
comment = Private<br />
path = /mnt/data<br />
read only = no<br />
veto files = /*.exe/*.com/*.dll/*.bat/*.vbs/*.tmp/*.mp3/*.avi/*.mp4/*.wmv/*.wma/<br />
}}<br />
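As an added example (not from the ArchWiki page or from Samba), the following POSIX shell helpers implement the {{ic|veto files}} list syntax (entries separated by {{ic|/}}, shell wildcards allowed) so you can see which existing files a list would hide before enabling it on a share; it assumes case-insensitive matching, which is a simplification of Samba's own {{ic|case sensitive}} handling, and the sample directory contents are constructed.<br />

```shell
#!/bin/sh
# Added example, not from the ArchWiki page or Samba: a pure-shell check of the
# "veto files" syntax (entries separated by "/", shell wildcards * and ? allowed),
# so an admin can see which existing files a pattern list would hide from clients
# before enabling it on a share. Matching is case-insensitive here, an assumption
# chosen to mirror what Windows clients expect; Samba's own behaviour follows the
# share's "case sensitive" setting (see smb.conf(5)).

# Same list as in the smb.conf fragment above
VETO='/*.exe/*.com/*.dll/*.bat/*.vbs/*.tmp/*.mp3/*.avi/*.mp4/*.wmv/*.wma/'

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# is_vetoed NAME VETO_LIST: exit 0 when NAME matches any entry, 1 otherwise.
is_vetoed() {
    name=$(lower "$1")
    list=${2#/}; list=${list%/}        # drop the leading and trailing slash
    old_ifs=$IFS
    IFS=/
    set -f                             # no filename generation while splitting
    set -- $list
    set +f
    IFS=$old_ifs
    for pat in "$@"; do
        [ -n "$pat" ] || continue
        pat=$(lower "$pat")
        # an unquoted expansion in a case pattern is matched as a shell pattern
        case $name in $pat) return 0 ;; esac
    done
    return 1
}

# list_vetoed DIR VETO_LIST: print the names of entries directly under DIR
# (files and directories alike, as Samba hides both) that the list would hide.
list_vetoed() {
    dir=$1; list=$2
    for p in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$p" ] || continue
        base=${p##*/}
        is_vetoed "$base" "$list" && printf '%s\n' "$base"
    done | sort
}

# Demonstration
is_vetoed setup.exe "$VETO" && echo "setup.exe would be hidden"
is_vetoed report.pdf "$VETO" || echo "report.pdf stays visible"
```

Run {{ic|list_vetoed /mnt/data "$VETO"}} against the real share path to preview what clients will no longer see.<br />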
<br />
=== Discovering network shares ===<br />
If nothing is known about other systems on the local network, and automated tools such as [[#smbnetfs|smbnetfs]] are not available, the following methods allow one to manually probe for Samba shares.<br />
<br />
1. First, install {{Pkg|nmap}} and {{Pkg|smbclient}} using [[pacman]]:<br />
# pacman -S nmap smbclient<br />
<br />
2. {{ic|nmap}} checks which ports are open:<br />
# nmap -p 139 -sT "192.168.1.*"<br />
<br />
In this case, a scan on the 192.168.1.* IP address range and port 139 has been performed, resulting in:<br />
{{hc<br />
|$ nmap -sT "192.168.1.*"<br />
|Starting nmap 3.78 ( http://www.insecure.org/nmap/ ) at 2005-02-15 11:45 PHT<br />
Interesting ports on 192.168.1.1:<br />
(The 1661 ports scanned but not shown below are in state: closed)<br />
PORT STATE SERVICE<br />
'''139/tcp open netbios-ssn'''<br />
5000/tcp open UPnP<br />
<br />
Interesting ports on 192.168.1.5:<br />
(The 1662 ports scanned but not shown below are in state: closed)<br />
PORT STATE SERVICE<br />
6000/tcp open X11<br />
<br />
Nmap run completed -- 256 IP addresses (2 hosts up) scanned in 7.255 seconds<br />
}}<br />
<br />
The first result is another system; the second happens to be the client from where this scan was performed.<br />
<br />
3. Now that systems with port 139 open are revealed, use {{ic|nmblookup}} to check for NetBIOS names: <br />
{{hc<br />
|$ nmblookup -A 192.168.1.1<br />
|Looking up status of 192.168.1.1<br />
PUTER <00> - B <ACTIVE><br />
HOMENET <00> - <GROUP> B <ACTIVE><br />
PUTER <03> - B <ACTIVE><br />
'''PUTER <20> - B <ACTIVE>'''<br />
HOMENET <1e> - <GROUP> B <ACTIVE><br />
USERNAME <03> - B <ACTIVE><br />
HOMENET <1d> - B <ACTIVE><br />
MSBROWSE <01> - <GROUP> B <ACTIVE><br />
}}<br />
<br />
Regardless of the output, look for '''<20>''', which shows the host with open services.<br />
<br />
4. Use {{ic|smbclient}} to list which services are shared on ''PUTER''. If prompted for a password, pressing enter should still display the list:<br />
{{hc<br />
|$ smbclient -L \\PUTER<br />
|<nowiki><br />
Sharename Type Comment<br />
--------- ---- -------<br />
MY_MUSIC Disk<br />
SHAREDDOCS Disk<br />
PRINTER$ Disk<br />
PRINTER Printer<br />
IPC$ IPC Remote Inter Process Communication<br />
<br />
Server Comment<br />
--------- -------<br />
PUTER<br />
<br />
Workgroup Master<br />
--------- -------<br />
HOMENET PUTER<br />
</nowiki>}}<br />
<br />
=== Remote control of Windows computer ===<br />
Samba offers a set of tools for communication with Windows. These can be handy if access to a Windows computer through remote desktop is not an option, as shown by some examples.<br />
<br />
Send shutdown command with a comment:<br />
<br />
$ net rpc shutdown -C "comment" -I IPADDRESS -U USERNAME%PASSWORD<br />
For a forced shutdown, replace {{ic|-C "comment"}} with a single {{ic|-f}}. For a restart, add {{ic|-r}}, followed by {{ic|-C}} or {{ic|-f}}.<br />
<br />
Stop and start services:<br />
<br />
$ net rpc service stop SERVICENAME -I IPADDRESS -U USERNAME%PASSWORD<br />
<br />
To see all possible net rpc commands:<br />
<br />
$ net rpc<br />
<br />
===Share files without a username and password===<br />
Edit {{ic|/etc/samba/smb.conf}} and add the following line:<br />
{{bc|<nowiki>map to guest = Bad User</nowiki>}}<br />
<br />
After this line:<br />
{{bc|<nowiki>security = user</nowiki>}}<br />
<br />
To restrict the shares to a specific interface, replace:<br />
{{bc|<nowiki>; interfaces = 192.168.12.2/24 192.168.13.2/24</nowiki>}}<br />
<br />
with:<br />
<br />
{{bc|<nowiki><br />
interfaces = lo eth0<br />
bind interfaces only = true</nowiki>}}<br />
<br />
Optionally, change the account used to access the shares by editing the following line:<br />
{{bc|<nowiki>; guest account = nobody</nowiki>}}<br />
<br />
For example:<br />
{{bc|<nowiki> guest account = pcguest</nowiki>}}<br />
<br />
And create the account with something like:<br />
{{bc|<nowiki># useradd -c "Guest User" -d /dev/null -s /bin/false pcguest</nowiki>}}<br />
<br />
Then set an empty password for the user pcguest.<br />
<br />
The last step is to create the share definition (for write access set {{ic|1=writable = yes}}):<br />
<br />
{{bc|<nowiki><br />
[Public Share]<br />
path = /path/to/public/share<br />
available = yes<br />
browsable = yes<br />
public = yes<br />
writable = no<br />
</nowiki>}}<br />
<br />
{{note|Make sure the guest also has permission to access /path, /path/to and /path/to/public, as explained in [http://unix.stackexchange.com/questions/13858/do-the-parent-directorys-permissions-matter-when-accessing-a-subdirectory this answer].}}<br />
<br />
==== Sample Passwordless Configuration ====<br />
This is the configuration I use with samba 4 for easy passwordless filesharing with family on a home network. Change any options needed to suit your network (workgroup and interface). I'm restricting it to the static IP I have on my ethernet interface, just delete that line if you do not care which interface is used.<br />
{{hc|/etc/samba/smb.conf|<nowiki><br />
[global]<br />
<br />
workgroup = WORKGROUP<br />
<br />
server string = Media Server<br />
<br />
security = user<br />
map to guest = Bad User<br />
<br />
log file = /var/log/samba/%m.log<br />
<br />
max log size = 50<br />
<br />
<br />
interfaces = 192.168.2.194/24<br />
<br />
<br />
dns proxy = no <br />
<br />
<br />
[media]<br />
path = /shares<br />
public = yes<br />
only guest = yes<br />
writable = yes<br />
<br />
[storage]<br />
path = /media/storage<br />
public = yes<br />
only guest = yes<br />
writable = yes<br />
</nowiki>}}<br />
<br />
=== Build Samba without CUPS ===<br />
<br />
Just build without cups installed. From the [https://wiki.samba.org/index.php/Samba_as_a_print_server Samba Wiki]:<br />
<blockquote>Samba has built-in support [for CUPS] and defaults to CUPS if the development package (aka header files and libraries) could be found at compile time.</blockquote><br />
<br />
Of course, modifications to the PKGBUILD will also be necessary: libcups will have to be removed from the depends and makedepends arrays and other references to cups and printing will need to be deleted. In the case of the 4.1.9-1 PKGBUILD, 'other references' includes lines 169, 170 and 236:<br />
{{bc|<br />
mkdir -p ${pkgdir}/usr/lib/cups/backend<br />
ln -sf /usr/bin/smbspool ${pkgdir}/usr/lib/cups/backend/smb<br />
install -d -m1777 ${pkgdir}/var/spool/samba<br />
}}<br />
<br />
== Troubleshooting ==<br />
<br />
=== Failed to start Samba SMB/CIFS server ===<br />
<br />
Check if the permissions are set correctly for {{ic|/var/cache/samba/}} and restart the {{ic|smbd.service}} or {{ic|smbd.socket}}:<br />
# chmod 0755 /var/cache/samba/msg<br />
<br />
=== Unable to overwrite files, permissions errors ===<br />
Possible solutions:<br />
*Append the mount option {{ic|nodfs}} to the {{ic|/etc/fstab}} [[#Add_Share_to_.2Fetc.2Ffstab|entry]]{{Broken section link}}.<br />
*Add {{ic|<nowiki>msdfs root = no</nowiki>}} to the {{ic|[global]}} section of the server's {{ic|/etc/samba/smb.conf}}.<br />
<br />
=== Windows clients keep asking for password even if Samba shares are created with guest permissions ===<br />
Set {{ic|map to guest}} inside the {{ic|global}} section of {{ic|/etc/samba/smb.conf}}:<br />
map to guest = Bad User<br />
<br />
=== Windows 7 connectivity problems - mount error(12): cannot allocate memory ===<br />
<br />
A known Windows 7 bug that causes "mount error(12): cannot allocate memory" on an otherwise perfect cifs share on the Linux end can be fixed by setting a few registry keys on the Windows box as follows:<br />
<br />
*{{ic|HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\LargeSystemCache}} (set to {{ic|1}})<br />
*{{ic|HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\Size}} (set to {{ic|3}})<br />
<br />
Alternatively, start Command Prompt in Admin Mode and execute the following:<br />
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d 1 /f<br />
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "Size" /t REG_DWORD /d 3 /f<br />
<br />
Do one of the following for the settings to take effect:<br />
* Restart Windows<br />
* Restart the Server service via services.msc<br />
* From the Command Prompt run: 'net stop lanmanserver' and 'net start lanmanserver' - The server may automatically restart after stopping it.<br />
<br />
{{Note|Googling will reveal another tweak recommending users to add a key modifying the "IRPStackSize" size. This is incorrect for fixing this issue under Windows 7. Do not attempt it.}}<br />
<br />
[http://alan.lamielle.net/2009/09/03/windows-7-nonpaged-pool-srv-error-2017 Original article].<br />
<br />
=== Trouble accessing a password-protected share from Windows ===<br />
<br />
{{Note|This needs to be added to the '''local smb.conf''', not to the server's smb.conf}}<br />
<br />
For trouble accessing a password-protected share from Windows, try adding this to {{ic|/etc/samba/smb.conf}}. Both options re-enable the legacy LANMAN and NTLMv1 client authentication that Samba disables by default because it is cryptographically weak, so treat this as a last resort for servers that accept nothing newer:[http://blogs.computerworld.com/networking_nightmare_ii_adding_linux]<br />
<br />
[global]<br />
# lanman fix<br />
client lanman auth = yes<br />
client ntlmv2 auth = no<br />
<br />
=== Getting a dialog box up takes a long time ===<br />
<br />
I had a problem that it took ~30 seconds to get a password dialog box up when trying to connect from both Windows XP/Windows 7. Analyzing the error.log on the server I saw:<br />
<br />
[2009/11/11 06:20:12, 0] printing/print_cups.c:cups_connect(103)<br />
Unable to connect to CUPS server localhost:631 - Interrupted system call<br />
<br />
This keeps samba from asking cups and also from complaining about /etc/printcap missing:<br />
<br />
printing = bsd<br />
printcap name = /dev/null<br />
<br />
=== Error: Failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL ===<br />
<br />
If you are a home user and using samba purely for file sharing from a server or NAS, you are probably not interested in sharing printers through it. If so, you can prevent this error from occurring by adding the following lines to your {{ic|/etc/samba/smb.conf}}:<br />
{{bc|<nowiki><br />
load printers = No<br />
printing = bsd<br />
printcap name = /dev/null<br />
disable spoolss = Yes<br />
</nowiki>}}<br />
[[Restart]] the samba service, {{ic|smbd.service}}, and then check your logs:<br />
{{bc|cat /var/log/samba/smbd.log}}<br />
and the error should no longer appear.<br />
<br />
=== Sharing a folder fails ===<br />
<br />
This happens when sharing a folder from ''Dolphin'' (file manager): everything seems fine at first, but after restarting ''Dolphin'' the share icon is gone from the shared folder, and the terminal (''Konsole'') shows output like this:<br />
<br />
‘net usershare’ returned error 255: net usershare: usershares are currently disabled<br />
<br />
To fix it, enable usershare as described in [[#Creating usershare path]]{{Broken section link}}.<br />
<br />
=== "Browsing" network fails with "Failed to retrieve share list from server" ===<br />
If you are using a firewall (iptables) because you do not trust the local (school, university, hotel) network, this may be the cause: when smbclient browses the local network, it sends a broadcast request to UDP port 137. The servers on the network reply to your client, but because the source address of the reply differs from the destination address iptables saw when the request went out, iptables does not recognize the reply as "ESTABLISHED" or "RELATED" and drops the packet. A possible solution is to add:{{bc|<br />
iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns<br />
}}<br />
to your iptables setup.<br />
<br />
=== You are not the owner of the folder ===<br />
<br />
Simply try to reboot the system.<br />
<br />
=== protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE ===<br />
<br />
The client probably does not have access to the shares. Make sure the client's IP address is included in the {{ic|1=hosts allow =}} line of {{ic|/etc/samba/smb.conf}}.<br />
<br />
=== Connection to SERVER failed: (Error NT_STATUS_UNSUCCESSFUL) ===<br />
<br />
You are probably passing the wrong server name to {{ic|smbclient}}. To find out the server name, run {{ic|hostnamectl}} on the server and look at the "Transient hostname" line.<br />
<br />
=== Connection to SERVER failed: (Error NT_STATUS_CONNECTION_REFUSED) ===<br />
<br />
Make sure that the server has started. The shared directories should exist and be accessible.<br />
<br />
== See also ==<br />
<br />
* [http://www.samba.org/samba/docs/SambaIntro.html Samba: An Introduction]<br />
* [http://www.samba.org/ Official Samba site]</div>Timeline.menuhttps://wiki.archlinux.org/index.php?title=Samba_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)&diff=556694Samba (简体中文)2018-11-23T04:49:03Z<p>Timeline.menu: /* Server configuration */ Fix the startup failure caused by the logging setting</p><br />
<hr />
<div>[[Category:Networking (简体中文)]]<br />
[[cs:Samba]]<br />
[[da:Samba]]<br />
[[de:Samba]]<br />
[[en:Samba]]<br />
[[es:Samba]]<br />
[[fr:Samba]]<br />
[[it:Samba]]<br />
[[ja:Samba]]<br />
[[ru:Samba]]<br />
[[sr:Samba]]<br />
[[zh-hant:Samba]]<br />
{{Related articles start (简体中文)}}<br />
{{Related|NFS}}<br />
{{Related|Samba/Active Directory domain controller}}<br />
{{Related|Active Directory Integration}}<br />
{{Related articles end}}<br />
'''Samba''' is a re-implementation of the [[wikipedia:Server_Message_Block|SMB/CIFS]] networking protocol. It complements [[NFS (简体中文)|NFS]] and makes file and printer sharing between Linux and Windows systems easier. Some users say Samba is simple to configure and intuitive to operate; however, many new users run into problems because of its complexity and non-intuitive mechanisms. New users are strongly encouraged to follow the instructions below carefully.<br />
<br />
== Server configuration ==<br />
<br />
To share files via Samba, additionally [[Pacman|install]] the {{Pkg|samba}} package.<br />
<br />
The configuration file of the Samba service is {{ic|/etc/samba/smb.conf}}; smbd cannot start without it.<br />
<br />
The default configuration file can be obtained from [https://git.samba.org/samba.git/?p=samba.git;a=blob_plain;f=examples/smb.conf.default;hb=HEAD here]:<br />
# wget "https://git.samba.org/samba.git/?p=samba.git;a=blob_plain;f=examples/smb.conf.default;hb=HEAD" -O /etc/samba/smb.conf<br />
<br />
{{Note|<br />
* The default configuration file downloaded above sets {{ic|log file}} to a location that is not writable, which causes an error. Either of the following fixes it:<br />
** Put the log file in a writable path: {{ic|1=log file = /var/log/samba/%m.log}}<br />
** Log to a non-file backend: {{ic|1=logging = syslog}} together with {{ic|1=syslog only = yes}}, or use {{ic|1=logging = systemd}}<br />
* If needed, the {{ic|workgroup}} specified in the {{ic|[global]}} section must match the name of the Windows workgroup (the default is {{ic|WORKGROUP}}).<br />
}}<br />
<br />
=== Create a share ===<br />
<br />
Edit {{ic|/etc/samba/smb.conf}} and scroll to the '''Share Definitions''' section. The default configuration file creates a share of every user's home directory, but the following configuration is required before users can log in:<br />
<br />
{{hc|/etc/samba/smb.conf|2=<br />
...<br />
[homes]<br />
comment = Home Directories<br />
browseable = no<br />
writable = yes<br />
valid users = %S<br />
}}<br />
<br />
The default configuration file also shares printers and contains some useful example configurations. The available options are documented in {{man|5|smb.conf}}; an online version is available [http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html here].<br />
<br />
{{Tip|If sharing to Windows, set the Windows workgroup currently in use in {{ic|smb.conf}} (the default workgroup is {{ic|WORKGROUP}}).}}<br />
<br />
=== Start the service ===<br />
{{Note|In {{Pkg|samba}} 4.8.0-1, the {{ic|smbd.service}} and {{ic|nmbd.service}} units were renamed to {{ic|smb.service}} and {{ic|nmb.service}}.}}<br />
<br />
For basic file sharing over SMB, [[Systemd#Using units|start/enable]] {{ic|smb.service}} and {{ic|nmb.service}}. See the man pages of [http://www.samba.org/samba/docs/man/manpages-3/smbd.8.html smbd] and [http://www.samba.org/samba/docs/man/manpages-3/nmbd.8.html nmbd] for more information.<br />
{{ic|nmbd.service}} is not always required.<br />
<br />
{{Tip|Instead of starting the service at boot, you can enable {{ic|smbd.socket}} and disable {{ic|smbd.service}}; the daemon is then started on the first incoming connection request.}}<br />
<br />
=== Create a usershare path ===<br />
<br />
{{Note|This is optional and can be skipped if not needed.}}<br />
<br />
"Usershare" allows users without root privileges to add, modify and delete shares of their own folders.<br />
<br />
The following creates the usershares directory under {{ic|/var/lib/samba}}:<br />
<br />
# mkdir -p /var/lib/samba/usershare<br />
<br />
Create the sambashare group:<br />
<br />
# groupadd sambashare<br />
<br />
Change the ownership of the directory just created: owner to root, group to sambashare:<br />
<br />
# chown root:sambashare /var/lib/samba/usershare<br />
<br />
Allow members of the sambashare group to read, write and execute the contents of this directory:<br />
<br />
# chmod 1770 /var/lib/samba/usershare<br />
<br />
Modify the following variables in the {{ic|smb.conf}} configuration file:<br />
<br />
{{hc|/etc/samba/smb.conf|2=<br />
...<br />
[global]<br />
usershare path = /var/lib/samba/usershare<br />
usershare max shares = 100<br />
usershare allow guests = yes<br />
usershare owner only = yes<br />
...<br />
}}<br />
<br />
Add the user to the ''sambashare'' group, replacing {{ic|''your_username''}} with the actual user name:<br />
<br />
# usermod -a -G sambashare ''your_username''<br />
<br />
Restart {{ic|smbd.service}} and {{ic|nmbd.service}}.<br />
<br />
Log out and back in; you should now be able to configure your Samba shares with a GUI program. For example, in [[Thunar]] you can right-click any folder to share it on the local network. To share a path inside your home directory, the contents of the home directory must be listable by other users.<br />
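A quick self-check ties the steps above together before logging out. The snippet below is an added example, not code from the Samba project: {{ic|smbconf_get}} reads one key from one section of an {{ic|smb.conf}}-style file with awk, skipping {{ic|#}} and {{ic|;}} comment lines and matching section and key names case-insensitively with whitespace around the equals sign ignored, as Samba's own parser does; {{ic|dir_mode_string}} then reports the mode of the directory the configuration points at, which should read {{ic|drwxrwx--T}} for the {{ic|1770}} set above. The configuration text and the directory are constructed in a temporary location; the {{ic|root:sambashare}} ownership is not checked because reproducing it requires root.<br />

```shell
#!/bin/sh
# Added example (not Samba code): read one key from one [section] of an
# smb.conf-style file. Section and key names are matched case-insensitively,
# whitespace around "=" is ignored and lines starting with # or ; are
# skipped, mirroring how Samba itself reads the file.
# Usage: smbconf_get SECTION KEY FILE
smbconf_get() {
    awk -v want_sec="$1" -v want_key="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ {
            s = $0
            sub(/^[ \t]*\[/, "", s)
            sub(/].*$/, "", s)
            sec = tolower(s)
            next
        }
        index($0, "=") > 0 && sec == tolower(want_sec) {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(want_key)) { print v; exit }
        }
    ' "$3"
}

# The first ten characters of `ls -ld`, e.g. "drwxrwx--T" for mode 1770
# (group can write, others have no access, sticky bit set).
dir_mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Constructed configuration and directory; prints "<mode> <max shares>
# <allow guests>" so the result can be compared against what the
# procedure above expects: "drwxrwx--T 100 yes".
demo_usershare_check() {
    root=$(mktemp -d)
    cat > "$root/smb.conf" <<EOF
# constructed sample, not a real configuration
[global]
   workgroup = WORKGROUP
   ; usershare path = /srv/old/location
   Usershare Path = $root/usershare
   usershare max shares = 100
   usershare allow guests = yes
   usershare owner only = yes

[homes]
   browseable = no
EOF
    path=$(smbconf_get global "usershare path" "$root/smb.conf")
    mkdir -p "$path"
    chmod 1770 "$path"
    printf '%s %s %s\n' "$(dir_mode_string "$path")" \
        "$(smbconf_get global "usershare max shares" "$root/smb.conf")" \
        "$(smbconf_get global "usershare allow guests" "$root/smb.conf")"
    rm -rf "$root"
}

demo_usershare_check
```

On a real system, point {{ic|smbconf_get}} at {{ic|/etc/samba/smb.conf}} and pass the returned path to {{ic|dir_mode_string}}; anything other than {{ic|drwxrwx--T}} means the {{ic|chmod 1770}} step was missed, and {{ic|ls -ld}} on the same path also shows whether the owner and group are {{ic|root}} and {{ic|sambashare}}.<br />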
<br />
=== Add a user ===<br />
<br />
Samba requires a Linux account to work - use an existing account or [[Users and groups#User management|create a new user]].<br />
<br />
Although the user name can be shared with the Linux system, Samba uses its own password management. Replace {{ic|samba_user}} below with the chosen Samba user:<br />
<br />
# smbpasswd -a ''samba_user''<br />
<br />
Depending on the [https://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#SERVERROLE server role], it may be necessary to modify existing [[File permissions and attributes|file permissions and attributes]].<br />
<br />
To give a newly created user access to the Samba remote file server only, disable the other login options:<br />
* Disable the shell - {{ic|usermod --shell /usr/bin/nologin --lock username}}<br />
* Disable SSH logins - {{ic|/etc/ssh/sshd_config}}, option {{ic|AllowUsers}}<br />
<br />
See also [[Security]].<br />
<br />
=== Change a Samba user's password ===<br />
<br />
Use {{ic|smbpasswd}} to change a Samba user's password:<br />
<br />
# smbpasswd ''samba_user''<br />
<br />
=== Port configuration ===<br />
<br />
If you use a [[firewall]], the ports Samba uses must be opened, usually 137-139 and 445. See [https://wiki.samba.org/index.php/Samba_port_usage Samba port usage] for the complete list.<br />
<br />
=== Validate the configuration ===<br />
{{ic|testparm}} checks {{ic|smb.conf}} for errors:<br />
# testparm -s<br />
<br />
== Client configuration ==<br />
<br />
If you do not need to browse for public shares, install the lightweight {{Pkg|cifs-utils}} package and mount shares with {{ic|/usr/bin/mount.cifs}}.<br />
<br />
For an ftp-like command line interface, install the {{Pkg|smbclient}} package. See {{man|1|smbclient}} for common commands.<br />
<br />
[[desktop environment|Desktop environments]] may provide a graphical interface; see [[#File manager configuration]].<br />
<br />
{{Note|After installing {{Pkg|cifs-utils}} or {{Pkg|smbclient}}, load the {{ic|cifs}} [[kernel module]] or reboot to avoid mount failures.}}<br />
<br />
=== List available shares ===<br />
The following command lists the shares available on a server:<br />
<br />
$ smbclient -L ''hostname'' -U%<br />
<br />
''smbtree'' shows a tree of the shared directories; it is not recommended on networks with many computers. It can be used to check whether a share name is available.<br />
<br />
$ smbtree -b -N<br />
<br />
{{ic|-b}} ({{ic|--broadcast}}) uses broadcast mode and {{ic|-N}} ({{ic|--no-pass}}) does not prompt for a password.<br />
<br />
=== WINS host names ===<br />
<br />
{{pkg|smbclient}} provides a driver that resolves host names via WINS. To enable it, add "wins" to the "hosts" line of /etc/nsswitch.conf.<br />
<br />
=== Manual mounting ===<br />
<br />
Create a mount point for the share:<br />
<br />
# mkdir /mnt/''mountpoint''<br />
<br />
Use {{ic|mount.cifs}} as the mount {{ic|type}}; not all of the options listed below are required:<br />
{{bc|1=<br />
# mount -t cifs //''SERVER''/''sharename'' /mnt/''mountpoint'' -o user=''username'',password=''password'',uid=''username'',gid=''group'',workgroup=''workgroup'',ip=''serverip'',iocharset=''utf8''<br />
}}<br />
<br />
To allow users to mount into a directory they have access to, use the {{ic|users}} mount option.<br />
<br />
{{Note|<br />
* Note the trailing '''s'''; other file systems generally use ''user''.<br />
* When using the {{ic|uid}} and {{ic|gid}} mount options, pay attention to [[File permissions and attributes|file permissions]], otherwise I/O errors occur.<br />
}}<br />
<br />
''SERVER''<br />
: The server name.<br />
<br />
''sharename''<br />
: The shared directory.<br />
<br />
''mountpoint''<br />
: The local mount point.<br />
<br />
{{ic|<nowiki>-o [options]</nowiki>}}<br />
: See {{man|8|mount.cifs}} for details.<br />
<br />
{{Note|<br />
* Do not add a trailing {{ic|/}}. {{ic|//''SERVER''/''sharename'''''/'''}} does not work.<br />
* If the mount is unstable, with hangs and disconnects, try a different SMB protocol version with {{ic|1=vers=}}. For example, use {{ic|1=vers=2.0}} to mount from Vista.<br />
* If shutdown times out with a cifs share mounted, see [[WPA supplicant#Problem with mounted network shares (cifs) and shutdown]].<br />
}}<br />
<br />
===== Storing share passwords =====<br />
<br />
Storing passwords in a world-readable file is not recommended; a more secure way is to create a credentials file:<br />
{{hc|/path/to/credentials/share|2=<br />
username=''myuser''<br />
password=''mypass''<br />
}}<br />
<br />
Replace {{ic|<nowiki>username=myuser,password=mypass</nowiki>}} with {{ic|<nowiki>credentials=/path/to/credentials/share</nowiki>}}.<br />
<br />
Change the permissions of the credentials file:<br />
# chmod 600 /path/to/credentials/share<br />
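The two-step sequence above (create the file, then {{ic|chmod 600}}) briefly leaves the credentials readable by everyone under the usual {{ic|022}} umask, and redirecting into a file that already exists keeps its old mode. The following POSIX shell helper is an added example, not part of cifs-utils or Samba: it writes a {{ic|mount.cifs}} credentials file under {{ic|umask 077}} so the file is owner-only from the moment it exists, adds an optional {{ic|1=domain=}} line, and provides a check that returns {{ic|ok}} only for a regular file with mode {{ic|0600}}. The user name, password and temporary directory are constructed for the demo.<br />

```shell
#!/bin/sh
# Added example (not from cifs-utils or Samba): create a mount.cifs
# credentials file that is owner-only from the moment it exists.
# "Create, then chmod 600" leaves the file at the umask default (often
# 0644) between the two commands; setting umask 077 in a subshell before
# writing closes that window without changing the caller's umask.
# Usage: write_credentials FILE USERNAME PASSWORD [DOMAIN]
write_credentials() {
    (
        umask 077
        rm -f "$1"              # a pre-existing file would keep its old mode
        printf 'username=%s\npassword=%s\n' "$2" "$3" > "$1"
        if [ -n "${4:-}" ]; then
            printf 'domain=%s\n' "$4" >> "$1"
        fi
    )
}

# Prints "ok" for a regular file readable and writable by its owner only,
# otherwise the permission string ls reports, so callers can refuse to
# pass a leaky file to mount -o credentials=...
credentials_mode() {
    mode=$(ls -ld "$1" | cut -c1-10)
    if [ "$mode" = "-rw-------" ]; then
        echo ok
    else
        echo "$mode"
    fi
}

# Demo with constructed values in a temporary directory: one file written
# the safe way, one created the "leaky" way at 0644 for comparison.
demo_credentials() {
    root=$(mktemp -d)
    write_credentials "$root/share" myuser 'p@ss word' WORKGROUP
    safe=$(credentials_mode "$root/share")
    lines=$(wc -l < "$root/share" | tr -d ' ')
    : > "$root/leaky"
    chmod 0644 "$root/leaky"
    leaky=$(credentials_mode "$root/leaky")
    rm -rf "$root"
    echo "$safe $lines $leaky"
}

demo_credentials
```

The same check is worth running on any credentials file referenced from {{ic|/etc/fstab}} or a {{ic|.mount}} unit, since {{ic|mount.cifs}} itself does not refuse a world-readable file.<br />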
<br />
=== Automatic mounting ===<br />
{{Note|You may need to [[enable]] {{ic|systemd-networkd-wait-online.service}} or {{ic|NetworkManager-wait-online.service}} (depending on your setup) so that the share mounts properly at boot.}}<br />
<br />
==== As mount entry ====<br />
<br />
This is a simple example of a {{ic|cifs}} [[fstab|mount entry]] that requires authentication:<br />
{{hc|/etc/fstab|2=<br />
//''SERVER''/''sharename'' /mnt/''mountpoint'' cifs username=''myuser'',password=''mypass'' 0 0<br />
}}<br />
<br />
{{Note|Space in sharename should be replaced by {{ic|\040}} (ASCII code for space in octal). For example, {{ic|//''SERVER''/share name}} on the command line should be {{ic|//''SERVER''/share\040name}} in {{ic|/etc/fstab}}.}}<br />
<br />
To speed up the service on boot, add the {{ic|1=x-systemd.automount}} option to the entry:<br />
{{hc|/etc/fstab|2=<br />
//''SERVER''/''SHARENAME'' /mnt/''mountpoint'' cifs credentials=''/path/to/smbcredentials/share'',x-systemd.automount 0 0<br />
}}<br />
<br />
==== As systemd unit ====<br />
Create a new {{ic|.mount}} file inside {{ic|/etc/systemd/system}}, e.g. {{ic|mnt-myshare.mount}}.<br />
<br />
* {{ic|1=Requires=}}: replace (if needed) with the unit of your [[:Category:Network_configuration|network configuration]]<br />
* {{ic|1=What=}}: path to the share<br />
* {{ic|1=Where=}}: path where the share is mounted<br />
* {{ic|1=Options=}}: mount options for the share<br />
<br />
{{hc|/etc/systemd/system/mnt-myshare.mount|<nowiki><br />
[Unit]<br />
Description=Mount Share at boot<br />
Requires=systemd-networkd.service<br />
After=network-online.target<br />
Wants=network-online.target<br />
<br />
[Mount]<br />
What=//server/share<br />
Where=/mnt/myshare<br />
Options=credentials=/etc/samba/creds/myshare,iocharset=utf8,rw,x-systemd.automount<br />
Type=cifs<br />
TimeoutSec=30<br />
<br />
[Install]<br />
WantedBy=multi-user.target<br />
</nowiki>}}<br />
<br />
To use {{ic|mnt-myshare.mount}}, [[start]] the unit and [[enable]] it to run on system boot.<br />
<br />
==== smbnetfs ====<br />
<br />
{{Note|1=smbnetfs needs an intact Samba server setup.<br />
See above on how to do that.}}<br />
<br />
First, check if you can see all the shares you are interested in mounting:<br />
$ smbtree -U ''remote_user''<br />
<br />
If that does not work, find and modify the following line<br />
in {{ic|/etc/samba/smb.conf}} accordingly:<br />
<br />
domain master = auto<br />
<br />
Now [[restart]] {{ic|smbd.service}} and {{ic|nmbd.service}}.<br />
<br />
If everything works as expected, [[pacman#Installing specific packages|install]] {{Pkg|smbnetfs}} from the official repositories.<br />
<br />
Then, add the following line to {{ic|/etc/fuse.conf}}:<br />
<br />
user_allow_other<br />
<br />
Now copy the directory {{ic|/etc/smbnetfs/.smb}} to your home directory:<br />
<br />
$ cp -a /etc/smbnetfs/.smb ~<br />
<br />
Then create a link to {{ic|smb.conf}}:<br />
<br />
$ ln -sf /etc/samba/smb.conf ~/.smb/smb.conf<br />
<br />
If a username and a password are required to access some of the shared folders, edit {{ic|~/.smb/smbnetfs.auth}}<br />
to include one or more entries like this:<br />
<br />
{{hc|~/.smb/smbnetfs.auth|<br />
auth "hostname" "username" "password"<br />
}}<br />
<br />
It is also possible to add entries for specific hosts to be mounted by smbnetfs, if necessary.<br />
More details can be found in {{ic|~/.smb/smbnetfs.conf}}.<br />
<br />
If you are using the [[Dolphin]] or [[GNOME Files]], you may want to add the following to {{ic|~/.smb/smbnetfs.conf}} to avoid "Disk full" errors as smbnetfs by default will report 0 bytes of free space:<br />
{{hc|~/.smb/smbnetfs.conf|<br />
free_space_size 1073741824<br />
}}<br />
<br />
When you are done with the configuration, you need to run<br />
$ chmod 600 ~/.smb/smbnetfs.*<br />
Otherwise, smbnetfs complains about 'insecure config file permissions'.<br />
<br />
Finally, to mount your Samba network neighbourhood to a directory of your choice, call<br />
$ smbnetfs ''mount_point''<br />
<br />
===== Daemon =====<br />
<br />
The Arch Linux package also provides an additional system-wide operation mode for smbnetfs. To enable it, make the modifications described above in the directory {{ic|/etc/smbnetfs/.smb}} instead.<br />
<br />
Then, you can start and/or enable the {{ic|smbnetfs}} [[daemon]] as usual. The system-wide mount point is at {{ic|/mnt/smbnet/}}.<br />
<br />
==== autofs ====<br />
<br />
See [[Autofs]] for information on the kernel-based Linux automounter.<br />
<br />
=== File manager configuration ===<br />
<br />
==== GNOME Files, Nemo, Caja, Thunar and PCManFM ====<br />
<br />
In order to access samba shares through GNOME Files, Nemo, Caja, Thunar or PCManFM, install the {{Pkg|gvfs-smb}} package, available in the [[official repositories]].<br />
<br />
Press {{ic|Ctrl+l}} and enter {{ic|smb://''servername''/''share''}} in the location bar to access your share.<br />
<br />
The mounted share is likely to be present at {{ic|/run/user/''your_UID''/gvfs}} or {{ic|~/.gvfs}} in the filesystem.<br />
<br />
==== KDE ====<br />
<br />
KDE has built-in support for browsing Samba shares, so no additional packages are needed. However, for a GUI in the KDE System Settings, install the {{Pkg|kdenetwork-filesharing}} package from the official repositories.<br />
<br />
If when navigating with Dolphin you get a "Time Out" Error, you should uncomment and edit this line in smb.conf:{{bc|1=name resolve order = lmhosts bcast host wins}}<br />
as shown in this [http://ubuntuforums.org/showthread.php?t=1605499 page].<br />
<br />
==== Other graphical environments ====<br />
<br />
There are a number of useful programs, but they may need to have packages created for them. This can be done with the Arch package build system. The good thing about these others is that they do not require a particular environment to be installed to support them, and so they bring along less baggage.<br />
<br />
* {{Pkg|pyneighborhood}} is available in the official repositories.<br />
* LinNeighborhood, RUmba and the xffm-samba plugin for Xffm are not available in the official repositories or the AUR. As they are not officially (or even unofficially) supported, they may be obsolete and may not work at all.<br />
<br />
== Tips and tricks ==<br />
=== Block certain file extensions on Samba share ===<br />
{{Note|Setting this parameter will affect the performance of Samba, as it will be forced to check all files and directories for a match as they are scanned.}}<br />
Samba offers an option to block files with certain patterns, like file extensions. This option can be used to prevent dissemination of viruses or to dissuade users from wasting space with certain files. More information about this option can be found in {{man|5|smb.conf}}.<br />
<br />
{{hc|/etc/samba/smb.conf|2=<br />
...<br />
[myshare]<br />
comment = Private<br />
path = /mnt/data<br />
read only = no<br />
veto files = /*.exe/*.com/*.dll/*.bat/*.vbs/*.tmp/*.mp3/*.avi/*.mp4/*.wmv/*.wma/<br />
}}<br />
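To see what the pattern list above actually hides, here is an added example (not Samba code) that applies a {{ic|veto files}} value to file names the way the option is described in {{man|5|smb.conf}}: the value is split on {{ic|/}} into shell-style patterns and only the file's name component is compared, never its directory. Matching is done case-insensitively here, which is what Windows clients see under the default {{ic|1=case sensitive = auto}}; that default is an assumption about your share. The sample file names are constructed.<br />

```shell
#!/bin/sh
# Added example (not Samba code): apply a "veto files" value to a file
# name. The value is a list of shell-style patterns separated by "/",
# which is why it starts and ends with "/". Only the name component is
# compared, never the directory part. Matching is case-insensitive here,
# which is what Windows clients get under the default "case sensitive =
# auto"; adjust if your share is case sensitive.

VETO_LIST='/*.exe/*.com/*.dll/*.bat/*.vbs/*.tmp/*.mp3/*.avi/*.mp4/*.wmv/*.wma/'

# Usage: veto_match NAME [LIST]  -> prints "veto" or "allow"
veto_match() {
    name=$(printf '%s' "${1##*/}" | tr '[:upper:]' '[:lower:]')
    list=$(printf '%s' "${2:-$VETO_LIST}" | tr '[:upper:]' '[:lower:]')
    oldifs=$IFS
    IFS=/
    set -f                      # patterns must not expand against the cwd
    set -- $list
    set +f
    IFS=$oldifs
    for pat in "$@"; do
        [ -n "$pat" ] || continue   # empty fields from the leading/trailing "/"
        case $name in
            $pat) echo veto; return 0 ;;
        esac
    done
    echo allow
}

# Count how many of a few constructed names the default list would hide.
demo_veto() {
    hidden=0
    for f in Setup.EXE music/track01.mp3 README.txt report.docx cache-01.TMP; do
        if [ "$(veto_match "$f")" = veto ]; then
            hidden=$((hidden + 1))
        fi
    done
    echo "$hidden"
}

demo_veto
```

Feeding a proposed list to {{ic|veto_match}} with a handful of real file names from the share is a cheap way to confirm it blocks what you intend and nothing more before paying the per-directory scanning cost the note above warns about.<br />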
<br />
=== Discovering network shares ===<br />
If nothing is known about other systems on the local network, and automated tools such as [[#smbnetfs|smbnetfs]] are not available, the following methods allow one to manually probe for Samba shares.<br />
<br />
1. First, install {{Pkg|nmap}} and {{Pkg|smbclient}} using [[pacman]]:<br />
# pacman -S nmap smbclient<br />
<br />
2. {{ic|nmap}} checks which ports are open:<br />
# nmap -p 139 -sT "192.168.1.*"<br />
<br />
In this case, a scan on the 192.168.1.* IP address range and port 139 has been performed, resulting in:<br />
{{hc<br />
|$ nmap -sT "192.168.1.*"<br />
|Starting nmap 3.78 ( http://www.insecure.org/nmap/ ) at 2005-02-15 11:45 PHT<br />
Interesting ports on 192.168.1.1:<br />
(The 1661 ports scanned but not shown below are in state: closed)<br />
PORT STATE SERVICE<br />
'''139/tcp open netbios-ssn'''<br />
5000/tcp open UPnP<br />
<br />
Interesting ports on 192.168.1.5:<br />
(The 1662 ports scanned but not shown below are in state: closed)<br />
PORT STATE SERVICE<br />
6000/tcp open X11<br />
<br />
Nmap run completed -- 256 IP addresses (2 hosts up) scanned in 7.255 seconds<br />
}}<br />
<br />
The first result is another system; the second happens to be the client from where this scan was performed.<br />
<br />
3. Now that systems with port 139 open are revealed, use {{ic|nmblookup}} to check for NetBIOS names: <br />
{{hc<br />
|$ nmblookup -A 192.168.1.1<br />
|Looking up status of 192.168.1.1<br />
PUTER <00> - B <ACTIVE><br />
HOMENET <00> - <GROUP> B <ACTIVE><br />
PUTER <03> - B <ACTIVE><br />
'''PUTER <20> - B <ACTIVE>'''<br />
HOMENET <1e> - <GROUP> B <ACTIVE><br />
USERNAME <03> - B <ACTIVE><br />
HOMENET <1d> - B <ACTIVE><br />
MSBROWSE <01> - <GROUP> B <ACTIVE><br />
}}<br />
<br />
Regardless of the output, look for '''<20>''', which shows the host with open services.<br />
<br />
4. Use {{ic|smbclient}} to list which services are shared on ''PUTER''. If prompted for a password, pressing enter should still display the list:<br />
{{hc<br />
|$ smbclient -L \\PUTER<br />
|<nowiki><br />
Sharename Type Comment<br />
--------- ---- -------<br />
MY_MUSIC Disk<br />
SHAREDDOCS Disk<br />
PRINTER$ Disk<br />
PRINTER Printer<br />
IPC$ IPC Remote Inter Process Communication<br />
<br />
Server Comment<br />
--------- -------<br />
PUTER<br />
<br />
Workgroup Master<br />
--------- -------<br />
HOMENET PUTER<br />
</nowiki>}}<br />
<br />
=== Remote control of Windows computer ===<br />
Samba offers a set of tools for communicating with Windows. These can be handy if access to a Windows computer through remote desktop is not an option, as the following examples show.<br />
<br />
Send shutdown command with a comment:<br />
<br />
$ net rpc shutdown -C "comment" -I IPADDRESS -U USERNAME%PASSWORD<br />
For a forced shutdown, replace {{ic|-C "comment"}} with a single {{ic|-f}}. For a restart, add {{ic|-r}}, followed by {{ic|-C}} or {{ic|-f}}.<br />
<br />
Stop and start services:<br />
<br />
$ net rpc service stop SERVICENAME -I IPADDRESS -U USERNAME%PASSWORD<br />
<br />
To see all possible net rpc command:<br />
<br />
$ net rpc<br />
<br />
===Share files without a username and password===<br />
Edit {{ic|/etc/samba/smb.conf}} and add the following line:<br />
{{bc|<nowiki>map to guest = Bad User</nowiki>}}<br />
<br />
After this line:<br />
{{bc|<nowiki>security = user</nowiki>}}<br />
<br />
Restrict the shares data to a specific interface replace:<br />
{{bc|<nowiki>; interfaces = 192.168.12.2/24 192.168.13.2/24</nowiki>}}<br />
<br />
with:<br />
<br />
{{bc|<nowiki><br />
interfaces = lo eth0<br />
bind interfaces only = true</nowiki>}}<br />
<br />
Optionally edit the account that access the shares, edit the following line:<br />
{{bc|<nowiki>; guest account = nobody</nowiki>}}<br />
<br />
For example:<br />
{{bc|<nowiki> guest account = pcguest</nowiki>}}<br />
<br />
And do something in the likes of:<br />
{{bc|<nowiki># useradd -c "Guest User" -d /dev/null -s /bin/false pcguest</nowiki>}}<br />
<br />
Then setup a "" password for user pcguest.<br />
<br />
The last step is to create share directory (for write access make writable = yes):<br />
<br />
{{bc|<nowiki><br />
[Public Share]<br />
path = /path/to/public/share<br />
available = yes<br />
browsable = yes<br />
public = yes<br />
writable = no<br />
</nowiki>}}<br />
<br />
{{note|Make sure the guest also has permission to visit /path, /path/to and /path/to/public, according to [http://unix.stackexchange.com/questions/13858/do-the-parent-directorys-permissions-matter-when-accessing-a-subdirectory http://unix.stackexchange.com/questions/13858/do-the-parent-directorys-permissions-matter-when-accessing-a-subdirectory]}}<br />
<br />
==== Sample Passwordless Configuration ====<br />
This is the configuration I use with samba 4 for easy passwordless filesharing with family on a home network. Change any options needed to suit your network (workgroup and interface). I'm restricting it to the static IP I have on my ethernet interface, just delete that line if you do not care which interface is used.<br />
{{hc|/etc/samba/smb.conf|<nowiki><br />
[global]<br />
<br />
workgroup = WORKGROUP<br />
<br />
server string = Media Server<br />
<br />
security = user<br />
map to guest = Bad User<br />
<br />
log file = /var/log/samba/%m.log<br />
<br />
max log size = 50<br />
<br />
<br />
interfaces = 192.168.2.194/24<br />
<br />
<br />
dns proxy = no <br />
<br />
<br />
[media]<br />
path = /shares<br />
public = yes<br />
only guest = yes<br />
writable = yes<br />
<br />
[storage]<br />
path = /media/storage<br />
public = yes<br />
only guest = yes<br />
writable = yes<br />
</nowiki>}}<br />
<br />
=== Build Samba without CUPS ===<br />
<br />
Just build without cups installed. From the [https://wiki.samba.org/index.php/Samba_as_a_print_server Samba Wiki]:<br />
<blockquote>Samba has built-in support [for CUPS] and defaults to CUPS if the development package (aka header files and libraries) could be found at compile time.</blockquote><br />
<br />
Of course, modifications to the PKGBUILD will also be necessary: libcups will have to be removed from the depends and makedepends arrays and other references to cups and printing will need to be deleted. In the case of the 4.1.9-1 PKGBUILD, 'other references' includes lines 169, 170 and 236:<br />
{{bc|<br />
mkdir -p ${pkgdir}/usr/lib/cups/backend<br />
ln -sf /usr/bin/smbspool ${pkgdir}/usr/lib/cups/backend/smb<br />
install -d -m1777 ${pkgdir}/var/spool/samba<br />
}}<br />
<br />
== Troubleshooting ==<br />
<br />
=== Failed to start Samba SMB/CIFS server ===<br />
<br />
Check if the permissions are set correctly for {{ic|/var/cache/samba/}} and restart the {{ic|smbd.service}} or {{ic|smbd.socket}}:<br />
# chmod 0755 /var/cache/samba/msg<br />
<br />
=== Unable to overwrite files, permissions errors ===<br />
Possible solutions:<br />
*Append the mount option {{ic|nodfs}} to the {{ic|/etc/fstab}} [[#Add_Share_to_.2Fetc.2Ffstab|entry]]{{Broken section link}}.<br />
*Add {{ic|<nowiki>msdfs root = no</nowiki>}} to the {{ic|[global]}} section of the server's {{ic|/etc/samba/smb.conf}}.<br />
<br />
=== Windows clients keep asking for password even if Samba shares are created with guest permissions ===<br />
Set {{ic|map to guest}} inside the {{ic|global}} section of {{ic|/etc/samba/smb.conf}}:<br />
map to guest = Bad User<br />
<br />
=== Windows 7 connectivity problems - mount error(12): cannot allocate memory ===<br />
<br />
A known Windows 7 bug that causes "mount error(12): cannot allocate memory" on an otherwise perfect cifs share on the Linux end can be fixed by setting a few registry keys on the Windows box as follows:<br />
<br />
*{{ic|HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\LargeSystemCache}} (set to {{ic|1}})<br />
*{{ic|HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\Size}} (set to {{ic|3}})<br />
<br />
Alternatively, start Command Prompt in Admin Mode and execute the following:<br />
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d 1 /f<br />
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "Size" /t REG_DWORD /d 3 /f<br />
<br />
Do one of the following for the settings to take effect:<br />
* Restart Windows<br />
* Restart the Server service via services.msc<br />
* From the Command Prompt run: 'net stop lanmanserver' and 'net start lanmanserver' - The server may automatically restart after stopping it.<br />
<br />
{{Note|Googling will reveal another tweak recommending users to add a key modifying the "IRPStackSize" size. This is incorrect for fixing this issue under Windows 7. Do not attempt it.}}<br />
<br />
[http://alan.lamielle.net/2009/09/03/windows-7-nonpaged-pool-srv-error-2017 Original article].<br />
<br />
=== Trouble accessing a password-protected share from Windows ===<br />
<br />
{{Note|This needs to be added to the '''local smb.conf''', not to the server's smb.conf}}<br />
<br />
For trouble accessing a password protected share from Windows, try adding this to {{ic|/etc/samba/smb.conf}}:[http://blogs.computerworld.com/networking_nightmare_ii_adding_linux]<br />
<br />
[global]<br />
# lanman fix<br />
client lanman auth = yes<br />
client ntlmv2 auth = no<br />
<br />
=== Getting a dialog box up takes a long time ===<br />
<br />
I had a problem that it took ~30 seconds to get a password dialog box up when trying to connect from both Windows XP/Windows 7. Analyzing the error.log on the server I saw:<br />
<br />
[2009/11/11 06:20:12, 0] printing/print_cups.c:cups_connect(103)<br />
Unable to connect to CUPS server localhost:631 - Interrupted system call<br />
<br />
This keeps samba from asking cups and also from complaining about /etc/printcap missing:<br />
<br />
printing = bsd<br />
printcap name = /dev/null<br />
<br />
=== Error: Failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL ===<br />
<br />
If you are a home user and using samba purely for file sharing from a server or NAS, you are probably not interested in sharing printers through it. If so, you can prevent this error from occurring by adding the following lines to your {{ic|/etc/samba/smb.conf}}:<br />
{{bc|<nowiki><br />
load printers = No<br />
printing = bsd<br />
printcap name = /dev/null<br />
disable spoolss = Yes<br />
</nowiki>}}<br />
[[Restart]] the samba service, {{ic|smbd.service}}, and then check your logs:<br />
{{bc|cat /var/log/samba/smbd.log}}<br />
and the error should now no longer be appearing.<br />
<br />
=== Sharing a folder fails ===<br />
<br />
This happens when you share a folder from ''Dolphin'' (the file manager) and everything seems fine at first, but after restarting ''Dolphin'' the share icon is gone from the shared folder and the terminal (''Konsole'') shows output like this:<br />
<br />
‘net usershare’ returned error 255: net usershare: usershares are currently disabled<br />
<br />
To fix it, enable usershare as described in [[#Creating usershare path]]{{Broken section link}}.<br />
<br />
=== "Browsing" network fails with "Failed to retrieve share list from server" ===<br />
If you are using a firewall (iptables) because you do not trust the local (school, university, hotel) network, this may be the cause: when smbclient browses the local network it sends a broadcast request to UDP port 137. The servers on the network reply to your client, but because the source address of the reply differs from the destination address iptables saw when the request went out, iptables does not recognize the reply as "ESTABLISHED" or "RELATED" and drops the packet. A possible solution is to add:{{bc|<br />
iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns<br />
}}<br />
to your iptables setup.<br />
<br />
=== You are not the owner of the folder ===<br />
<br />
Simply try to reboot the system.<br />
<br />
=== protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE ===<br />
<br />
The client probably does not have access to the shares. Make sure the client's IP address is covered by the {{ic|1=hosts allow =}} line in {{ic|/etc/samba/smb.conf}}.<br />
<br />
=== Connection to SERVER failed: (Error NT_STATUS_UNSUCCESSFUL) ===<br />
<br />
You are probably passing the wrong server name to {{ic|smbclient}}. To find out the server name, run {{ic|hostnamectl}} on the server and look at the "Transient hostname" line.<br />
<br />
=== Connection to SERVER failed: (Error NT_STATUS_CONNECTION_REFUSED) ===<br />
<br />
Make sure that the server has started. The shared directories should exist and be accessible.<br />
<br />
== See also ==<br />
<br />
* [http://www.samba.org/samba/docs/SambaIntro.html Samba: An Introduction]<br />
* [http://www.samba.org/ Official Samba site]</div>Timeline.menuhttps://wiki.archlinux.org/index.php?title=OpenStack_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)&diff=552014OpenStack (简体中文)2018-10-30T08:59:31Z<p>Timeline.menu: /* 组件 */</p>
<hr />
<div>[[Category:Networking (简体中文)]]<br />
[[Category:Virtualization (简体中文)]]<br />
[[en:OpenStack]]<br />
[[ja:OpenStack]]<br />
[[Category:简体中文]]<br />
{{Translateme (简体中文)|.}}<br />
{{TranslationStatus (简体中文)|OpenStack|2016-03-22|425647}}<br />
OpenStack is a global collaboration of developers and cloud computing technologists producing the ubiquitous open source cloud computing platform for public and private clouds. The project aims to deliver solutions for all types of clouds by being simple to implement, massively scalable, and feature rich. The technology consists of a series of interrelated projects delivering various components for a cloud infrastructure solution.<br />
<br />
== Components ==<br />
<br />
=== Compute (Nova) ===<br />
<br />
{{AUR|nova-liberty}} is available in the [[AUR]].<br />
<br />
=== Networking (Neutron) ===<br />
<br />
{{AUR|neutron-liberty}} is available in the [[AUR]].<br />
<br />
=== Image service (Glance) ===<br />
<br />
{{AUR|glance-liberty}} is available in the [[AUR]].<br />
<br />
=== Block storage (Cinder) ===<br />
<br />
{{AUR|cinder-kilo}} is available in the [[AUR]].<br />
<br />
=== Object storage (Swift) ===<br />
Swift is not available in Arch yet.<br />
<br />
=== Identity (Keystone) ===<br />
<br />
{{AUR|keystone-liberty}} is available in the [[AUR]].<br />
<br />
=== Dashboard (Horizon) ===<br />
<br />
{{AUR|horizon-liberty}} is available in the [[AUR]].<br />
<br />
=== Telemetry (Ceilometer) ===<br />
<br />
=== Orchestration (Heat) ===<br />
<br />
{{AUR|heat-engine}}{{Broken package link|package not found}} is available in the [[AUR]].<br />
<br />
== Deploying OpenStack ==<br />
<br />
{{Expansion}}<br />
<br />
== Images ==<br />
<br />
=== Available images ===<br />
[http://docs.openstack.org/image-guide/content/ch_obtaining_images.html Official OpenStack images] are available for most popular GNU/Linux distributions.<br />
<br />
Images for Arch are ''work in progress''. http://linuximages.de/openstack/arch/ has ''experimental'' images for download.<br />
<br />
=== Creating your own images ===<br />
OpenStack images need to meet [http://docs.openstack.org/image-guide/content/ch_openstack_images.html certain requirements].<br />
An image can be prepared manually or with help from a tool.<br />
<br />
For a tool, [https://github.com/hartwork/image-bootstrap image-bootstrap] with the {{ic|--openstack}} parameter may be of help. As of 2015-06-24, resulting images are still in ''experimental'' stage.<br />
<br />
For manual creation, the ''essential'' steps are:<br />
* [[Partitioning]] a disk with a single [[ext4|ext3/4]] partition<br />
* Installing a base system to it (e.g. using {{ic|pacstrap}} from {{Pkg|arch-install-scripts}})<br />
* Installing a boot loader (e.g. [[GRUB]] or [[extlinux]])<br />
* Installing and configuring [[cloud-init]]<br />
* Adding an unprivileged user able to run [[sudo]] without a password<br />
* Configuring {{ic|eth0}} for [[DHCP]]<br />
** Configuring [[udev]] to name network interfaces {{ic|eth*}}<br />
** Configuring [[systemd-networkd]] to use [[DHCP]] on {{ic|eth0}}<br />
* Installing an [[SSH]] server<br />
* Adjusting [[initramfs]] creation and regenerating the initramfs images<br />
** Disabling the {{ic|autodetect}} hook (since autodetection works differently from a chroot)<br />
** Either activating the {{ic|growfs}} hook from {{AUR|mkinitcpio-growrootfs}}, or installing {{ic|growpart}} from {{AUR|cloud-utils}} and having [[cloud-init]] do the resizing itself<br />
* Making services start automatically (e.g. using {{ic|systemctl enable ...}})<br />
* Deleting generated keys (i.e. those of the SSH server and pacman); optionally generating new ones during first boot<br />
* Deleting machine IDs ({{ic|/etc/machine-id}} and {{ic|/var/lib/dbus/machine-id}}) so that two systems are not mistaken for the same one<br />
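The last two steps above are where instances cloned from one image most often end up sharing identity (the same machine ID, SSH host keys and pacman keyring). The following POSIX shell script is an added example, not part of this page or of OpenStack; it assumes the image root is passed as a directory path (such as the pacstrap target) and demonstrates the cleanup on a constructed sample root:<br />

```shell
#!/bin/sh
# Added example, not part of the ArchWiki page: scrub per-machine identity
# from an image root before it is uploaded, so instances cloned from the
# same image do not share a machine-id, SSH host keys or pacman keyring.
# The image root is passed as a path (e.g. the pacstrap target directory);
# that calling convention is an assumption of this script.

# Files that must never be shared between instances built from one image.
IDENTITY_FILES="etc/machine-id var/lib/dbus/machine-id"
# Directory holding the host-specific pacman keyring.
PACMAN_GNUPG="etc/pacman.d/gnupg"

# scrub_image_root ROOT
# Removes machine IDs, SSH host keys and the pacman keyring below ROOT,
# then leaves an empty /etc/machine-id so systemd generates a fresh one
# at first boot. Prints the number of items removed; returns 1 if ROOT
# is not a directory.
scrub_image_root() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    count=0
    for f in $IDENTITY_FILES; do
        if [ -e "$root/$f" ]; then
            rm -f "$root/$f"
            count=$((count + 1))
        fi
    done
    # sshd (or the sshdgenkeys unit on Arch) recreates missing host keys.
    for k in "$root"/etc/ssh/ssh_host_*; do
        [ -e "$k" ] || continue
        rm -f "$k"
        count=$((count + 1))
    done
    if [ -d "$root/$PACMAN_GNUPG" ]; then
        rm -rf "$root/$PACMAN_GNUPG"
        count=$((count + 1))
    fi
    mkdir -p "$root/etc"
    : > "$root/etc/machine-id"
    echo "$count"
}

# check_image_root ROOT
# Returns 0 when no identity-bearing file is left below ROOT, 1 otherwise.
check_image_root() {
    root=$1
    [ -s "$root/etc/machine-id" ] && return 1
    [ -e "$root/var/lib/dbus/machine-id" ] && return 1
    [ -d "$root/$PACMAN_GNUPG" ] && return 1
    for k in "$root"/etc/ssh/ssh_host_*; do
        [ -e "$k" ] && return 1
    done
    return 0
}

# Constructed sample image root standing in for a real pacstrap target.
make_sample_root() {
    dir=$(mktemp -d)
    mkdir -p "$dir/etc/ssh" "$dir/var/lib/dbus" "$dir/$PACMAN_GNUPG"
    echo "0123456789abcdef0123456789abcdef" > "$dir/etc/machine-id"
    echo "0123456789abcdef0123456789abcdef" > "$dir/var/lib/dbus/machine-id"
    echo "constructed host key" > "$dir/etc/ssh/ssh_host_ed25519_key"
    echo "constructed host key" > "$dir/etc/ssh/ssh_host_ed25519_key.pub"
    echo "constructed keyring" > "$dir/$PACMAN_GNUPG/pubring.gpg"
    echo "$dir"
}

# Demonstration on the constructed sample; on a real build pass the image
# root instead, e.g. scrub_image_root /mnt.
sample=$(make_sample_root)
echo "removed $(scrub_image_root "$sample") item(s) from $sample"
check_image_root "$sample" && echo "image root is clean"
rm -rf "$sample"
```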
<br />
== See also ==<br />
<br />
* [http://www.openstack.org/ Official OpenStack website]</div>Timeline.menuhttps://wiki.archlinux.org/index.php?title=FFmpeg_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)&diff=546289FFmpeg (简体中文)2018-10-06T03:42:38Z<p>Timeline.menu: /* 屏幕投影 */</p>
<hr />
<div>[[Category:Multimedia (简体中文)]]<br />
[[en:FFmpeg]]<br />
[[ja:FFmpeg]]<br />
{{TranslationStatus (简体中文)|FFmpeg|2015-06-07|376055}}<br />
From the project [http://www.ffmpeg.org/ home page]:<br />
:''FFmpeg is a complete, cross-platform solution to record, convert and stream audio and video. It includes libavcodec - the leading audio/video codec library.''<br />
<br />
== 安装 ==<br />
<br />
Various flavours of the project can be [[pacman|installed]] from the [[official repositories]] and the [[AUR]]:<br />
<br />
* {{Pkg|ffmpeg}} – official package<br />
<br />
Different versions:<br />
<br />
* {{AUR|ffmpeg-git}} – development version<br />
* {{AUR|ffmpeg-full}} – built with as many optional features as possible<br />
<br />
Forks:<br />
<br />
* {{AUR|ffmbc}}{{Broken package link|{{aur-mirror|ffmbc}}}} – aimed at broadcast use<br />
<!-- Why stress the difference in the naming of the binary? A meaningful libav replacement is needed. --><br />
* {{AUR|libav-git}}{{Broken package link|{{aur-mirror|libav-git}}}} – provides the {{ic|avconv}} binary as a replacement for {{ic|ffmpeg}}<br />
<br />
== Encoding examples ==<br />
<br />
=== Screen capture (screencasting) ===<br />
<br />
FFmpeg includes the [http://www.ffmpeg.org/ffmpeg-devices.html#x11grab x11grab] and [http://www.ffmpeg.org/ffmpeg-devices.html#alsa-1 ALSA] virtual devices, which allow it to capture the user's entire display and audio output.<br />
<br />
Create {{ic|test.mkv}} with lossless encoding:<br />
<br />
$ ffmpeg -f x11grab -video_size 1920x1080 -i $DISPLAY -f alsa -i default -c:v ffvhuff -c:a flac test.mkv<br />
<br />
where {{ic|-video_size}} specifies the size of the area to capture. Check the FFmpeg manual for examples of how to change the screen or position of the capture area. <br />
<br />
To encode directly to a shareable size, use:<br />
<br />
$ ffmpeg -f x11grab -s 1920x1080 -r 25 -i $DISPLAY -f alsa -i default -c:v libx264 -b:v 200k -s 1280x720 test.mp4<br />
<br />
You may want to adjust the parameters (left to right): input '''f'''ormat, [input] '''s'''ize, frame '''r'''ate, '''i'''nput (in this case the display, but it could be a file too), input '''f'''ormat, '''i'''nput, '''c'''odec:'''v'''ideo, '''b'''itrate:'''v'''ideo, [output] '''s'''ize. Without context the meaning of the parameters may seem ambiguous. See the man page for the synopsis.<br />
<br />
=== Recording webcam ===<br />
<br />
FFmpeg supports grabbing input from Video4Linux2 devices. The following command will record a video from the webcam, assuming that the webcam is correctly recognized under {{ic|/dev/video0}}:<br />
<br />
$ ffmpeg -f v4l2 -s 640x480 -i /dev/video0 ''output''.mpg<br />
<br />
The above produces a silent video. It is also possible to include audio sources from a microphone. The following command will include a stream from the default [[Advanced Linux Sound Architecture|ALSA]] recording device into the video:<br />
<br />
$ ffmpeg -f alsa -i default -f v4l2 -s 640x480 -i /dev/video0 ''output''.mpg<br />
<br />
To use [[PulseAudio]] with an ALSA backend:<br />
<br />
$ ffmpeg -f alsa -i pulse -f v4l2 -s 640x480 -i /dev/video0 ''output''.mpg<br />
<br />
For a higher quality capture, try encoding the output using higher quality codecs:<br />
<br />
$ ffmpeg -f alsa -i default -f v4l2 -s 640x480 -i /dev/video0 -acodec flac \<br />
-vcodec libx264 ''output''.mkv<br />
<br />
=== VOB to any container ===<br />
<br />
Concatenate the desired [[Wikipedia:VOB|VOB]] files into a single stream and mux them to MPEG-2:<br />
$ cat f0.VOB f1.VOB f2.VOB | ffmpeg -i - out.mp2<br />
<br />
=== x264 lossless ===<br />
<br />
The ''ultrafast'' preset will provide the fastest encoding and is useful for quick capturing (such as screencasting):<br />
$ ffmpeg -i input -c:v libx264 -preset ultrafast -qp 0 -c:a copy output<br />
At the opposite end of the preset spectrum is ''veryslow'', which encodes more slowly than ''ultrafast'' but produces a smaller output file:<br />
$ ffmpeg -i input -c:v libx264 -preset veryslow -qp 0 -c:a copy output<br />
Both examples will provide the same quality output.<br />
<br />
=== x265 ===<br />
<br />
When encoding x265 files, you may need to specify the aspect ratio of the file via {{ic|-aspect <width:height>}}. Example:<br />
{{bc|<nowiki> ffmpeg -i input -c:v libx265 -aspect 1920:1080 -preset veryslow -x265-params crf=20 output</nowiki>}}<br />
<br />
=== Single-pass MPEG-2 (near lossless) ===<br />
<br />
Allow FFmpeg to automatically set DVD standardized parameters. Encode to DVD [[Wikipedia:MPEG-2|MPEG-2]] at ~30 FPS:<br />
<br />
$ ffmpeg -i ''video''.VOB -target ntsc-dvd ''output''.mpg<br />
<br />
Encode to DVD MPEG-2 at ~24 FPS:<br />
<br />
$ ffmpeg -i ''video''.VOB -target film-dvd ''output''.mpg<br />
<br />
=== x264: constant rate factor ===<br />
<br />
Used when you want a specific quality output. General usage is to use the highest {{ic|-crf}} value that still provides an acceptable quality. Lower values are higher quality; 0 is lossless, 18 is visually lossless, and 23 is the default value. A sane range is between 18 and 28. Use the slowest {{ic|-preset}} you have patience for. See the [https://ffmpeg.org/trac/ffmpeg/wiki/x264EncodingGuide x264 Encoding Guide] for more information.<br />
$ ffmpeg -i ''video'' -c:v libx264 -tune film -preset slow -crf 22 -x264opts fast_pskip=0 -c:a libmp3lame -aq 4 ''output''.mkv<br />
The {{ic|-tune}} option can be used to [http://forum.doom9.org/showthread.php?t=149394 match the type and content of the media being encoded].<br />
<br />
=== YouTube ===<br />
<br />
FFmpeg is very useful for encoding videos and reducing their size before uploading them to YouTube. The following command takes an input file and outputs an mkv container.<br />
<br />
$ ffmpeg -i ''video'' -c:v libx264 -crf 18 -preset slow -pix_fmt yuv420p -c:a copy ''output''.mkv<br />
<br />
For more information see the [https://bbs.archlinux.org/viewtopic.php?pid=1200667#p1200667 forums]. You can also create a shell function {{ic|ytconvert}} which takes the name of the input file as first argument and the name of the .mkv container as second argument. To do so add the following to your {{ic|~/.bashrc}}:<br />
<br />
{{bc|<nowiki><br />
ytconvert() {<br />
ffmpeg -i "$1" -c:v libx264 -crf 18 -preset slow -pix_fmt yuv420p -c:a copy "$2.mkv"<br />
}<br />
</nowiki>}}<br />
See also [https://bbs.archlinux.org/viewtopic.php?pid=1200542#p1200542 Arch Linux forum thread].<br />
<br />
=== Two-pass x264 (very high-quality) ===<br />
<br />
Audio is disabled because only video statistics are recorded during the first of multiple passes:<br />
$ ffmpeg -i ''video''.VOB -an -vcodec libx264 -pass 1 -preset veryslow \<br />
-threads 0 -b 3000k -x264opts frameref=15:fast_pskip=0 -f rawvideo -y /dev/null<br />
The container format is detected automatically from the output file extension ({{ic|.mkv}}) and the streams are muxed into it:<br />
$ ffmpeg -i ''video''.VOB -acodec libvo-aacenc -ab 256k -ar 96000 -vcodec libx264 \<br />
-pass 2 -preset veryslow -threads 0 -b 3000k -x264opts frameref=15:fast_pskip=0 ''video''.mkv<br />
<br />
{{Tip|If you receive {{ic|Unknown encoder 'libvo-aacenc'}} error (given the fact that your ffmpeg is compiled with libvo-aacenc enabled), you may want to try {{ic|-acodec libvo_aacenc}}, an underscore instead of hyphen.}}<br />
<br />
=== Two-pass MPEG-4 (very high-quality) ===<br />
<br />
Audio is disabled because only video statistics are logged during the first of multiple passes:<br />
$ ffmpeg -i ''video''.VOB -an -vcodec mpeg4 -pass 1 -mbd 2 -trellis 2 -flags +cbp+mv0 \<br />
-pre_dia_size 4 -dia_size 4 -precmp 4 -cmp 4 -subcmp 4 -preme 2 -qns 2 -b 3000k \<br />
-f rawvideo -y /dev/null<br />
<br />
The container format is detected automatically from the output file extension ({{ic|.avi}}) and the streams are muxed into it:<br />
$ ffmpeg -i ''video''.VOB -acodec copy -vcodec mpeg4 -vtag DX50 -pass 2 -mbd 2 -trellis 2 \<br />
-flags +cbp+mv0 -pre_dia_size 4 -dia_size 4 -precmp 4 -cmp 4 -subcmp 4 -preme 2 -qns 2 \<br />
-b 3000k ''video''.avi<br />
* Introducing {{ic|threads}}={{ic|n}}>{{ic|1}} for {{ic|-vcodec mpeg4}} may skew the effects of [[Wikipedia:Motion_estimation|motion estimation]] and lead to [http://ffmpeg.org/faq.html#Why-do-I-see-a-slight-quality-degradation-with-multithreaded-MPEG_002a-encoding_003f reduced video quality] and compression efficiency.<br />
* The two-pass MPEG-4 example above also supports output to the [[Wikipedia:MPEG-4_Part_14|MP4]] container (replace {{ic|.avi}} with {{ic|.mp4}}).<br />
<br />
==== Determining bitrates with fixed output file sizes ====<br />
<br />
* (Desired File Size in MB - Audio File Size in MB) '''x''' 8192 kb/MB '''/''' Length of Media in Seconds (s) '''=''' [[Wikipedia:Bitrate|Bitrate]] in kb/s<br />
:* (3900 MB - 275 MB) = 3625 MB '''x''' 8192 kb/MB '''/''' 8830 s = 3363 kb/s required to achieve an approximate total output file size of 3900 MB<br />
<br />
=== x264 video stabilization ===<br />
Video stabilization using the vid.stab plugin entails two passes.<br />
<br />
==== First pass ====<br />
<br />
The first pass records stabilization parameters to a file and/or a test video for visual analysis.<br />
<br />
* Records stabilization parameters to a file only <br />
<br />
$ ffmpeg -i input -vf vidstabdetect=stepsize=4:mincontrast=0:result=transforms.trf -f null -<br />
<br />
* Records stabilization parameters to a file and creates the test video {{ic|output-stab.mkv}} for visual analysis<br />
<br />
$ ffmpeg -i input -vf vidstabdetect=stepsize=4:mincontrast=0:result=transforms.trf output-stab.mkv<br />
<br />
==== Second pass ====<br />
<br />
The second pass parses the stabilization parameters generated by the first pass and applies them to produce {{ic|output-stab_final.mkv}}. Apply any additional filters at this point to avoid a subsequent transcode and preserve as much video quality as possible. The following example performs the following in addition to video stabilization:<br />
<br />
* {{ic|unsharp}} is recommended by the author of vid.stab. Here we simply use the defaults of 5:5:1.0:5:5:1.0<br />
* {{ic|1=fade=t=in:st=0:d=4}} fades in from black starting at the beginning of the file for four seconds<br />
* {{ic|1=fade=t=out:st=60:d=4}} fades out to black starting sixty seconds into the video for four seconds<br />
* {{ic|-c:a pcm_s16le}} the XAVC-S codec records audio as pcm_s16be, which is losslessly transcoded to pcm_s16le<br />
<br />
$ ffmpeg -i input -vf vidstabtransform=smoothing=30:interpol=bicubic:input=transforms.trf,unsharp,fade=t=in:st=0:d=4,fade=t=out:st=60:d=4 -c:v libx264 -tune film -preset veryslow -crf 8 -x264opts fast_pskip=0 -c:a pcm_s16le output-stab_final.mkv<br />
<br />
=== Subtitles ===<br />
<br />
==== Extracting ====<br />
<br />
Subtitles embedded in container files such as MPEG-2 and Matroska can be extracted and converted into SRT, SSA and other subtitle formats.<br />
<br />
* Inspect a file to determine if it contains a subtitle stream:<br />
<br />
{{hc|$ ffprobe foo.mkv|<br />
...<br />
Stream #0:0(und): Video: h264 (High), yuv420p, 1920x800 [SAR 1:1 DAR 12:5], 23.98 fps, 23.98 tbr, 1k tbn, 47.95 tbc (default)<br />
Metadata:<br />
CREATION_TIME : 2012-06-05 05:04:15<br />
LANGUAGE : und<br />
Stream #0:1(und): Audio: aac, 44100 Hz, stereo, fltp (default)<br />
Metadata:<br />
CREATION_TIME : 2012-06-05 05:10:34<br />
LANGUAGE : und<br />
HANDLER_NAME : GPAC ISO Audio Handler<br />
'''Stream #0:2: Subtitle: ssa (default)'''}}<br />
<br />
* {{ic|foo.mkv}} has an embedded SSA subtitle which can be extracted into an independent file:<br />
<br />
$ ffmpeg -i foo.mkv foo.ssa<br />
<br />
==== Hardsubbing ====<br />
<br />
(instructions based on an [http://trac.ffmpeg.org/wiki/How%20to%20burn%20subtitles%20into%20the%20video FFmpeg wiki article])<br />
<br />
[[Wikipedia:Hardsub|Hardsubbing]] entails merging the subtitles into the video. Hardsubs cannot be disabled, nor can their language be switched.<br />
<br />
* Overlay {{ic|foo.mpg}} with the subtitles in {{ic|foo.ssa}}:<br />
<br />
$ ffmpeg -i foo.mpg -c:a copy -vf subtitles=foo.ssa out.mpg<br />
<br />
=== Volume gain ===<br />
<br />
Change the audio volume in multiples of 256 where '''256 = 100%''' (normal) volume. Additional values such as 400 are also valid options. <br />
-vol 256 = 100%<br />
-vol 512 = 200%<br />
-vol 768 = 300%<br />
-vol 1024 = 400%<br />
-vol 2048 = 800%<br />
<br />
To double the volume '''(512 = 200%)''' of an [[Wikipedia:Mp3|MP3]] file:<br />
$ ffmpeg -i ''file''.mp3 -vol 512 ''louder_file''.mp3<br />
<br />
To quadruple the volume '''(1024 = 400%)''' of an [[Wikipedia:Ogg|Ogg]] file:<br />
$ ffmpeg -i ''file''.ogg -vol 1024 ''louder_file''.ogg<br />
<br />
Note that gain metadata is only written to the output file. Unlike mp3gain or ogggain, the source sound file is untouched.<br />
<br />
=== Extracting audio ===<br />
<br />
{{hc|$ ffmpeg -i ''video''.mpg|<br />
...<br />
Input #0, avi, from '''video''.mpg':<br />
Duration: 01:58:28.96, start: 0.000000, bitrate: 3000 kb/s<br />
Stream #0.0: Video: mpeg4, yuv420p, 720x480 [PAR 1:1 DAR 16:9], 29.97 tbr, 29.97 tbn, 29.97 tbc<br />
Stream #0.1: Audio: ac3, 48000 Hz, stereo, s16, 384 kb/s<br />
Stream #0.2: Audio: ac3, 48000 Hz, 5.1, s16, 448 kb/s<br />
Stream #0.3: Audio: dts, 48000 Hz, 5.1 768 kb/s<br />
...<br />
}}<br />
<br />
Extract the first ({{ic|-map 0:1}}) [[Wikipedia:Dolby_Digital|AC-3]] encoded audio stream exactly as it was multiplexed into the file: <br />
$ ffmpeg -i ''video''.mpg -map 0:1 -acodec copy -vn ''video''.ac3<br />
Convert the third ({{ic|-map 0:3}}) [[Wikipedia:DTS_(sound_system)|DTS]] audio stream to an [[Wikipedia:Advanced_Audio_Coding|AAC]] file with a bitrate of 192 kb/s and a [[Wikipedia:Sampling_rate|sampling rate]] of 96000 Hz:<br />
$ ffmpeg -i ''video''.mpg -map 0:3 -acodec libvo-aacenc -ab 192k -ar 96000 -vn ''output''.aac<br />
{{ic|-vn}} disables the processing of the video stream.<br />
<br />
Extract audio stream with certain time interval: <br />
$ ffmpeg -ss 00:01:25 -t 00:00:05 -i ''video''.mpg -map 0:1 -acodec copy -vn ''output''.ac3<br />
{{ic|-ss}} specifies the start point, and {{ic|-t}} specifies the duration.<br />
<br />
=== Stripping audio ===<br />
<br />
# Copy the first video stream ({{ic|-map 0:0}}) along with the second AC-3 audio stream ({{ic|-map 0:2}}).<br />
# Convert the AC-3 audio stream to two-channel MP3 with a bitrate of 128 kb/s and a sampling rate of 48000 Hz.<br />
$ ffmpeg -i ''video''.mpg -map 0:0 -map 0:2 -vcodec copy -acodec libmp3lame \<br />
-ab 128k -ar 48000 -ac 2 ''video''.mkv<br />
<br />
{{hc|$ ffmpeg -i ''video''.mkv|<br />
...<br />
Input #0, avi, from '''video''.mpg':<br />
Duration: 01:58:28.96, start: 0.000000, bitrate: 3000 kb/s<br />
Stream #0.0: Video: mpeg4, yuv420p, 720x480 [PAR 1:1 DAR 16:9], 29.97 tbr, 29.97 tbn, 29.97 tbc<br />
Stream #0.1: Audio: mp3, 48000 Hz, stereo, s16, 128 kb/s<br />
}}<br />
<br />
{{Note|Removing undesired audio streams allows for additional bits to be allocated towards improving video quality.}}<br />
<br />
=== Splitting files ===<br />
<br />
You can use the {{ic|copy}} codec to perform operations on a file without changing the encoding. For example, this lets you easily split any kind of media file into two parts:<br />
<br />
$ ffmpeg -i file.ext -t 00:05:30 -c copy part1.ext -ss 00:05:30 -c copy part2.ext<br />
<br />
== Preset files ==<br />
<br />
Populate {{ic|~/.ffmpeg}} with the default [http://ffmpeg.org/ffmpeg-doc.html#SEC13 preset files]: <br />
<br />
$ cp -iR /usr/share/ffmpeg ~/.ffmpeg<br />
<br />
Create new and/or modify the default preset files:<br />
<br />
{{hc|~/.ffmpeg/libavcodec-vhq.ffpreset|2=<br />
vtag=DX50<br />
mbd=2<br />
trellis=2<br />
flags=+cbp+mv0<br />
pre_dia_size=4<br />
dia_size=4<br />
precmp=4<br />
cmp=4<br />
subcmp=4<br />
preme=2<br />
qns=2<br />
}}<br />
<br />
=== Using preset files ===<br />
<br />
Enable the {{ic|-vpre}} option after declaring the desired {{ic|-vcodec}}.<br />
<br />
==== libavcodec-vhq.ffpreset ====<br />
<br />
* {{ic|libavcodec}} '''=''' Name of the vcodec/acodec<br />
* {{ic|vhq}} '''=''' Name of specific preset to be called out<br />
* {{ic|ffpreset}} '''=''' FFmpeg preset filetype suffix <br />
<br />
===== Two-pass MPEG-4 (very high quality) =====<br />
<br />
First pass of a multipass (bitrate) ratecontrol transcode:<br />
$ ffmpeg -i ''video''.mpg -an -vcodec mpeg4 -pass 1 -vpre vhq -f rawvideo -y /dev/null<br />
Ratecontrol based on the video statistics logged from the first pass: <br />
$ ffmpeg -i ''video''.mpg -acodec libvorbis -aq 8 -ar 48000 -vcodec mpeg4 \<br />
-pass 2 -vpre vhq -b 3000k ''output''.mp4<br />
<br />
* '''libvorbis quality settings (VBR)'''<br />
:* {{ic|-aq 4}} = 128 kb/s<br />
:* {{ic|-aq 5}} = 160 kb/s<br />
:* {{ic|-aq 6}} = 192 kb/s<br />
:* {{ic|-aq 7}} = 224 kb/s<br />
:* {{ic|-aq 8}} = 256 kb/s<br />
<br />
* [http://www.geocities.jp/aoyoume/aotuv/ aoTuV] is generally preferred over [http://vorbis.com/ libvorbis] provided by [http://www.xiph.org/ Xiph.Org] and is provided by [https://aur.archlinux.org/packages.php?ID=6155 libvorbis-aotuv] in the [[AUR]].<br />
<br />
== Package removal ==<br />
<br />
[[pacman]] will not [[Pacman#Removing_packages|remove]] configuration files outside of the defaults that were created during package installation. This includes user-created preset files.<br />
<br />
== See also ==<br />
<br />
* [http://mewiki.project357.com/wiki/X264_Settings x264 Settings] - MeWiki documentation<br />
* [http://ffmpeg.org/ffmpeg-doc.html FFmpeg documentation] - official documentation<br />
* [http://www.mplayerhq.hu/DOCS/HTML/en/menc-feat-x264.html Encoding with the x264 codec] - MEncoder documentation<br />
* [http://avidemux.org/admWiki/doku.php?id=tutorial:h.264 H.264 encoding guide] - Avidemux wiki<br />
* [http://howto-pages.org/ffmpeg/ Using FFmpeg] - Linux how to pages<br />
* [http://ffmpeg.org/general.html#Supported-File-Formats-and-Codecs List] of supported audio and video streams</div>Timeline.menuhttps://wiki.archlinux.org/index.php?title=Apache_HTTP_Server_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)&diff=523908Apache HTTP Server (简体中文)2018-05-30T03:43:46Z<p>Timeline.menu: /* 使用 libphp */</p>
<hr />
<div>[[Category:Web server (简体中文)]]<br />
[[cs:Apache HTTP Server]]<br />
[[de:LAMP Installation]]<br />
[[el:Apache HTTP Server]]<br />
[[en:Apache HTTP Server]]<br />
[[es:Apache HTTP Server]]<br />
[[fa:LAMP]]<br />
[[fr:Lamp]]<br />
[[it:Apache HTTP Server]]<br />
[[ja:Apache HTTP Server]]<br />
[[ko:Apache HTTP Server]]<br />
[[pl:Apache HTTP Server]]<br />
[[ru:Apache HTTP Server]]<br />
[[sr:Apache HTTP Server]]<br />
{{Related articles start}}<br />
{{Related|PHP}}<br />
{{Related|MySQL}}<br />
{{Related|PhpMyAdmin}}<br />
{{Related|Adminer}}<br />
{{Related|XAMPP}}<br />
{{Related|mod_perl}}<br />
{{Related articles end}}<br />
{{TranslationStatus (简体中文)|Apache_HTTP_Server|2017-12-04|500853}}<br />
LAMP refers to a software bundle used on many web servers: Linux, Apache, MySQL/MariaDB and PHP.<br />
<br />
The [[Wikipedia:Apache HTTP Server|Apache HTTP Server]], or Apache for short, is a very popular web server. It usually works together with a scripting language such as PHP and a database such as MySQL; together they form the [[Wikipedia:LAMP (software bundle)|LAMP]] stack ('''L'''inux, '''A'''pache, '''M'''ySQL, '''P'''HP). This article describes how to install and configure the Apache web server, and optionally how to install [[PHP]] and [[MySQL]] and integrate them with Apache.<br />
<br />
== Installation ==<br />
<br />
[[安装|Install]] the {{Pkg|apache}} package.<br />
<br />
== Configuration ==<br />
<br />
Apache configuration files are located in {{ic|/etc/httpd/conf}}. The main configuration file is {{ic|/etc/httpd/conf/httpd.conf}}, which includes the other files.<br />
<br />
The default configuration starts a simple server that serves the contents of {{ic|/srv/http}} to visitors.<br />
<br />
Start the {{ic|httpd.service}} [[systemd#Using units|systemd unit]] to start Apache; visiting http://localhost/ in a browser then shows a simple index page.<br />
<br />
=== Advanced options ===<br />
<br />
See the [https://httpd.apache.org/docs/trunk/mod/directives.html complete list of Apache directives] and the [https://httpd.apache.org/docs/trunk/mod/quickreference.htm directive quick reference].<br />
<br />
Pay attention to the following options in {{ic|/etc/httpd/conf/httpd.conf}}:<br />
<br />
User http<br />
:For security reasons, once Apache has been started by root (directly or via a startup script) it immediately switches to the UID specified in {{ic|/etc/httpd/conf/httpd.conf}}. The default is ''http'', a user created automatically during installation.<br />
<br />
Listen 80<br />
:The port Apache listens on. To be reachable from the Internet, open this port on your router.<br />
:For local development, restrict the server to the local host with {{ic|Listen 127.0.0.1:80}}.<br />
<br />
ServerAdmin you@example.com<br />
:The administrator's e-mail address, shown to users on error pages.<br />
<br />
DocumentRoot "/srv/http"<br />
:The directory that holds the web pages.<br />
:Change it if needed, but remember to change {{ic|<Directory "/srv/http">}} together with {{ic|DocumentRoot}}, otherwise accessing the new location may fail with a '''403 Error''' (insufficient permissions). Do not forget to change the {{ic|Require all denied}} line to {{ic|Require all granted}}, otherwise you will also get a '''403 Error'''. The DocumentRoot directory and its parent directories must be executable by the user the server runs as (set with {{ic|chmod o+x /path/to/DocumentRoot}}), otherwise you will get a '''403 Error''' as well.<br />
<br />
AllowOverride None<br />
:This setting in the {{ic|<Directory>}} section makes Apache ignore {{ic|.htaccess}} files completely. Since Apache 2.4 this is the default, so if you want to use {{ic|.htaccess}} files you must allow overrides. If you want to use {{ic|mod_rewrite}} or other settings in {{ic|.htaccess}}, you can specify which directories may override the server configuration. See the [http://httpd.apache.org/docs/current/mod/core.html#allowoverride Apache documentation] for more information.<br />
<br />
{{Tip|Use {{ic|apachectl configtest}} to check the configuration files for problems.}}<br />
<br />
More settings are available in {{ic|/etc/httpd/conf/extra/httpd-default.conf}}, for example<br />
<br />
Turn off the server signature:<br />
ServerSignature Off<br />
<br />
Hide details such as the Apache and PHP versions:<br />
ServerTokens Prod<br />
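To check that an existing configuration actually carries these settings, the following POSIX shell audit is an added example (not from this page or the Apache project); it reads whichever configuration files are passed to it, assumes the directive values given above as the expected ones, and runs against two constructed sample files:<br />

```shell
#!/bin/sh
# Added example, not part of the ArchWiki page: audit Apache configuration
# files for the hardening directives discussed above (User, ServerSignature,
# ServerTokens, AllowOverride). Pass every file that may set them, e.g.
# httpd.conf and extra/httpd-default.conf; the samples below are constructed.

# effective_value DIRECTIVE FILE...
# Prints the value of the last uncommented occurrence of DIRECTIVE across
# the files (Apache uses the last one seen), or nothing if it is never set.
effective_value() {
    d=$1
    shift
    cat "$@" | awk -v d="$d" '
        { sub(/^[ \t]+/, "") }        # drop leading indentation
        /^#/ { next }                 # skip commented-out lines
        $1 == d { $1 = ""; sub(/^[ \t]+/, ""); val = $0 }
        END { print val }
    '
}

# override_widened FILE...
# Returns 0 if any uncommented AllowOverride is set to something other than
# None, i.e. .htaccess files are allowed to change the server configuration.
override_widened() {
    cat "$@" | awk '
        { sub(/^[ \t]+/, "") }
        /^#/ { next }
        $1 == "AllowOverride" && $2 != "None" { found = 1 }
        END { exit !found }
    '
}

# audit_httpd_conf FILE...
# Prints one line per weak or missing setting. The exit status is the
# number of findings, so 0 means nothing to report.
audit_httpd_conf() {
    findings=0
    v=$(effective_value User "$@")
    if [ -z "$v" ] || [ "$v" = "root" ]; then
        echo "User: workers must run as an unprivileged account (default: http), found '${v:-unset}'"
        findings=$((findings + 1))
    fi
    v=$(effective_value ServerSignature "$@")
    if [ "$v" != "Off" ]; then
        echo "ServerSignature: expected Off, found '${v:-unset}'"
        findings=$((findings + 1))
    fi
    v=$(effective_value ServerTokens "$@")
    if [ "$v" != "Prod" ]; then
        echo "ServerTokens: expected Prod to hide Apache/PHP versions, found '${v:-unset}'"
        findings=$((findings + 1))
    fi
    if override_widened "$@"; then
        echo "AllowOverride: a <Directory> block lets .htaccess files override the server configuration"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample with the weak settings the page warns about.
make_weak_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
User root
<Directory "/srv/http">
    AllowOverride All
    Require all granted
</Directory>
#ServerSignature Off
ServerTokens Full
EOF
    echo "$f"
}

# Constructed sample with the corrected settings.
make_hardened_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
User http
<Directory "/srv/http">
    AllowOverride None
    Require all granted
</Directory>
ServerSignature Off
ServerTokens Prod
EOF
    echo "$f"
}

# Demonstration on the constructed samples.
weak=$(make_weak_conf); hardened=$(make_hardened_conf)
echo "weak sample:"; audit_httpd_conf "$weak" || echo "$? finding(s)"
echo "hardened sample:"; audit_httpd_conf "$hardened" && echo "no findings"
rm -f "$weak" "$hardened"
```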
<br />
=== User directories ===<br />
<br />
By default, a user's home directory can be reached at http://localhost/~yourusername/, which serves the contents of {{ic|~/public_html}} (configured in {{ic|/etc/httpd/conf/extra/httpd-userdir.conf}}). To disable this, comment out the following line in {{ic|/etc/httpd/conf/httpd.conf}}:<br />
Include conf/extra/httpd-userdir.conf<br />
<br />
{{Accuracy|It is not necessary to set {{ic|+x}} for every user, setting it only for the web server via ACLs suffices (see [[Access Control Lists#Granting execution permissions for private files to a Web Server]]).}}<br />
<br />
Set the directory permissions so that Apache can access the files. The home directory and {{ic|~/public_html}} must be executable by others:<br />
<br />
$ chmod o+x ~<br />
$ chmod o+x ~/public_html<br />
$ chmod -R o+r ~/public_html<br />
<br />
Restart {{ic|httpd.service}} to apply the changes. See also [[Umask#Set the mask value]].<br />
<br />
=== TLS/SSL ===<br />
{{警告|If you plan to use SSL/TLS, be aware that some versions and implementations [https://weakdh.org/#affected still] [[wikipedia:Transport_Layer_Security#Attacks_against_TLS.2FSSL|have security vulnerabilities]]. See http://disablessl3.com/ and https://weakdh.org/sysadmin.html for the current vulnerabilities and how servers should handle them.}}<br />
<br />
[[OpenSSL]] provides TLS/SSL support and is installed by default in Arch.<br />
<br />
In {{ic|/etc/httpd/conf/httpd.conf}}, uncomment the following lines:<br />
LoadModule ssl_module modules/mod_ssl.so<br />
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so<br />
Include conf/extra/httpd-ssl.conf<br />
<br />
TLS/SSL requires a key and a certificate. If you have a public domain name, you can obtain a certificate for free from [[Let's Encrypt]]; otherwise see [[#Creating a key and a self-signed certificate]].<br />
<br />
Once you have the key and certificate, point {{ic|SSLCertificateFile}} and {{ic|SSLCertificateKeyFile}} in {{ic|/etc/httpd/conf/extra/httpd-ssl.conf}} at the corresponding files. If you also generated a CA certificate chain, set its file name in {{ic|SSLCertificateChainFile}}.<br />
<br />
Restart {{ic|httpd.service}}.<br />
<br />
{{Tip|Mozilla's [https://wiki.mozilla.org/Security/Server_Side_TLS SSL/TLS article] contains [https://wiki.mozilla.org/Security/Server_Side_TLS#Apache Apache-specific] configuration guidance and an [https://mozilla.github.io/server-side-tls/ssl-config-generator/ automated generator] that help create a more secure configuration.}}<br />
<br />
==== Creating a key and a self-signed certificate ====<br />
<br />
Creating a private key and a self-signed certificate is sufficient for most uses that do not require a [[wikipedia:Certificate signing request|CSR]]:<br />
<br />
# cd /etc/httpd/conf<br />
# openssl req -new -x509 -nodes -newkey rsa:4096 -keyout server.key -out server.crt -days 1095<br />
# chmod 400 server.key<br />
<br />
{{Note|The -days parameter is optional; the minimum RSA key size is 2048 (the default).}}<br />
<br />
If you need to create a [[wikipedia:Certificate signing request|CSR]], create the key like this instead:<br />
<br />
# openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out server.key<br />
# chmod 400 server.key<br />
# openssl req -new -sha256 -key server.key -out server.csr<br />
# openssl x509 -req -days 1095 -in server.csr -signkey server.key -out server.crt<br />
<br />
{{Note|The [https://www.openssl.org/docs/apps/openssl.html openssl manual] and the [https://www.openssl.org/docs/ openssl documentation] contain more information.}}<br />
<br />
=== Virtual Hosts ===<br />
<br />
{{Note|You will need to add a separate <VirtualHost *:443> section for virtual host SSL support.<br />
See [[#Managing many virtual hosts]] for an example file.}}<br />
<br />
If you need more than one host, uncomment the following line in {{ic|/etc/httpd/conf/httpd.conf}}:<br />
Include conf/extra/httpd-vhosts.conf<br />
<br />
Set up the virtual hosts in {{ic|/etc/httpd/conf/extra/httpd-vhosts.conf}}; the default file contains an example.<br />
<br />
To test the virtual hosts on the local machine, add the virtual names to {{ic|/etc/hosts}}:<br />
127.0.0.1 domainname1.dom<br />
127.0.0.1 domainname2.dom<br />
<br />
Restart {{ic|httpd.service}}.<br />
<br />
==== Managing many virtual hosts ====<br />
If you have many hosts to manage and want easier maintenance, create one configuration file per virtual host and store them in a directory such as {{ic|/etc/httpd/conf/vhosts}}.<br />
<br />
Create the directory:<br />
# mkdir /etc/httpd/conf/vhosts<br />
<br />
Write a separate configuration file for each host:<br />
# nano /etc/httpd/conf/vhosts/domainname1.dom<br />
# nano /etc/httpd/conf/vhosts/domainname2.dom<br />
...<br />
<br />
{{ic|Include}} the individual configuration files in {{ic|/etc/httpd/conf/httpd.conf}}:<br />
#Enabled Vhosts:<br />
Include conf/vhosts/domainname1.dom<br />
Include conf/vhosts/domainname2.dom<br />
<br />
A virtual host can be enabled or disabled individually by uncommenting or commenting its line.<br />
<br />
A basic vhost file:<br />
<br />
{{hc|/etc/httpd/conf/vhosts/domainname1.dom|<nowiki><br />
<VirtualHost *:80><br />
ServerAdmin webmaster@domainname1.dom<br />
DocumentRoot "/home/user/http/domainname1.dom"<br />
ServerName domainname1.dom<br />
ServerAlias domainname1.dom<br />
ErrorLog "/var/log/httpd/domainname1.dom-error_log"<br />
CustomLog "/var/log/httpd/domainname1.dom-access_log" common<br />
<br />
<Directory "/home/user/http/domainname1.dom"><br />
Require all granted<br />
</Directory><br />
</VirtualHost><br />
<br />
<VirtualHost *:443><br />
ServerAdmin webmaster@domainname1.dom<br />
DocumentRoot "/home/user/http/domainname1.dom"<br />
ServerName domainname1.dom:443<br />
ServerAlias domainname1.dom:443<br />
SSLEngine on<br />
SSLCertificateFile "/etc/httpd/conf/apache.crt"<br />
SSLCertificateKeyFile "/etc/httpd/conf/apache.key"<br />
ErrorLog "/var/log/httpd/domainname1.dom-error_log"<br />
CustomLog "/var/log/httpd/domainname1.dom-access_log" common<br />
<br />
<Directory "/home/user/http/domainname1.dom"><br />
Require all granted<br />
</Directory><br />
</VirtualHost></nowiki>}}<br />
<br />
== 扩展 ==<br />
=== PHP ===<br />
首先,参考 [[PHP]] 页面,完成 PHP 的安装。<br />
<br />
有多种方式可以在 Apache 下使用 PHP,[[#使用 libphp]] 最简单,但是扩展性最差,libphp 还需要修改 mpm 模块,可能影响其它扩展,比如和 [[#HTTP2]] 不兼容。<br />
<br />
==== 使用 libphp ====<br />
<br />
[[安装]]软件包 {{Pkg|php-apache}}。<br />
<br />
{{pkg|php-apache}} 中包含的 {{ic|libphp7.so}} 不支持 {{ic|mod_mpm_event}},仅支持 {{ic|mod_mpm_prefork}}({{bug|39218}})。需要在 {{ic|/etc/httpd/conf/httpd.conf}} 中注释掉:<br />
#LoadModule mpm_event_module modules/mod_mpm_event.so<br />
取消下面行的注释:<br />
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so<br />
<br />
不然将发生下面的错误:<br />
{{bc|1=Apache is running a threaded MPM, but your PHP Module is not compiled to be threadsafe. You need to recompile PHP.<br />
AH00013: Pre-configuration failed<br />
httpd.service: control process exited, code=exited status=1}}<br />
<br />
另外在本小节的下方还有两种处理高并发的方案供选择. ( [[#使用 php-fpm 和 mod_proxy_fcgi|使用php-fpm管理进程]] 和 [[#使用 apache2-mpm-worker 和 mod_fcgid|使用mod_fcgid管理进程]] )<br />
<br />
要启用 PHP,在 {{ic|/etc/httpd/conf/httpd.conf}} 中添加如下行:<br />
<br />
* 将这一行放在{{ic|LoadModule}} 的末尾:<br />
LoadModule php7_module modules/libphp7.so<br />
AddHandler php7-script php<br />
* 将这一行放到{{ic|Include}}列表的末尾:<br />
Include conf/extra/php7_module.conf<br />
<br />
[[systemd#Using units|重启]] {{ic|httpd.service}}。<br />
<br />
==== 使用 php-fpm 和 mod_proxy_fcgi ====<br />
<br />
这种方式是使用php-fpm来管理进程的,进程不是由apache启动和管理的.<br />
<br />
{{Note|与使用ProxyPass的广泛设置不同,使用SetHandler的代理配置遵守Apache指令,例如DirectoryIndex。 这是为了确保与为libphp7、mod_fastcgi和mod_fcgid而设计的软件有更好的兼容性。 如果您仍然想尝试使用ProxyPass,请尝试使用如下所示的行:{{bc|ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/run/php-fpm/php-fpm.sock&#124;fcgi://localhost/srv/http/$1}}}}<br />
<br />
[[安装]] 官方软件包 {{pkg|php-fpm}} .<br />
<br />
启用代理模块:<br />
{{hc|/etc/httpd/conf/httpd.conf|<nowiki><br />
LoadModule proxy_module modules/mod_proxy.so<br />
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so<br />
</nowiki>}}<br />
<br />
创建文件: {{ic|/etc/httpd/conf/extra/php-fpm.conf}} 写入以下内容:<br />
{{hc|/etc/httpd/conf/extra/php-fpm.conf|<nowiki><br />
DirectoryIndex index.php index.html<br />
<FilesMatch \.php$><br />
SetHandler "proxy:unix:/run/php-fpm/php-fpm.sock|fcgi://localhost/"<br />
</FilesMatch><br />
</nowiki>}}<br />
<br />
把以下这句添加到配置文件 {{ic|/etc/httpd/conf/httpd.conf}} 中 include 部份的最后<br />
Include conf/extra/php-fpm.conf<br />
<br />
{{Note|在 {{ic|sock}} 和 {{ic|fcgi}} 中间的管道符两边不要有空格! {{ic|localhost}} 可以替换成任何的字符串. 详细请见 [https://httpd.apache.org/docs/2.4/mod/mod_proxy_fcgi.html here]}}<br />
<br />
你可以自行配置 PHP-FPM 通过这个编辑这个配置文件 {{ic|/etc/php/php-fpm.d/www.conf}}, 但是默认的配置已经工作的很好了.<br />
<br />
[[systemd#Using units|重启]] {{ic|httpd.service}} 和 {{ic|php-fpm.service}} 这两个服务.<br />
<br />
{{Note|如果之前在 {{ic|httpd.conf}} 加入了下面内容,请删除它们,已经不再需要:<br />
LoadModule php7_module modules/libphp7.so<br />
Include conf/extra/php7_module.conf<br />
}}<br />
<br />
==== 使用 apache2-mpm-worker 和 mod_fcgid ====<br />
这种方式和上一种方式(php-fpm)的区别:<br />
<br />
php-fgi进程是由apache模块启动并管理,而不需要配置和使用php-fpm来管理进程。<br />
在php-cgi进程以apache用户身份运行,php程序写的文件,其权限为apache用户(而不像php-fpm下写文件为php-fpm用户所有,默认是nobody),这样在目录权限管理方面一致性高些。<br />
<br />
[[安装]] 软件包 {{pkg|mod_fcgid}}([https://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html 详情])和 {{Pkg|php-cgi}}。<br />
<br />
创建需要的目录并建立软链接:<br />
# mkdir /srv/http/fcgid-bin<br />
# ln -s /usr/bin/php-cgi /srv/http/fcgid-bin/php-fcgid-wrapper<br />
<br />
创建 {{ic|/etc/httpd/conf/extra/php-fcgid.conf}},内容是:<br />
{{hc|/etc/httpd/conf/extra/php-fcgid.conf|<nowiki><br />
# Required modules: fcgid_module<br />
<br />
<IfModule fcgid_module><br />
AddHandler php-fcgid .php<br />
AddType application/x-httpd-php .php<br />
Action php-fcgid /fcgid-bin/php-fcgid-wrapper<br />
ScriptAlias /fcgid-bin/ /srv/http/fcgid-bin/<br />
SocketPath /var/run/httpd/fcgidsock<br />
SharememPath /var/run/httpd/fcgid_shm<br />
# If you don't allow bigger requests many applications may fail (such as WordPress login)<br />
FcgidMaxRequestLen 536870912<br />
# Path to php.ini – defaults to /etc/phpX/cgi<br />
DefaultInitEnv PHPRC=/etc/php/<br />
# Number of PHP childs that will be launched. Leave undefined to let PHP decide.<br />
#DefaultInitEnv PHP_FCGI_CHILDREN 3<br />
# Maximum requests before a process is stopped and a new one is launched<br />
#DefaultInitEnv PHP_FCGI_MAX_REQUESTS 5000<br />
<Location /fcgid-bin/><br />
SetHandler fcgid-script<br />
Options +ExecCGI<br />
</Location><br />
</IfModule><br />
</nowiki>}}<br />
<br />
编辑 {{ic|/etc/httpd/conf/httpd.conf}},启用 actions 模块:<br />
LoadModule actions_module modules/mod_actions.so<br />
<br />
并添加如下配置:<br />
LoadModule fcgid_module modules/mod_fcgid.so<br />
Include conf/extra/httpd-mpm.conf<br />
Include conf/extra/php-fcgid.conf<br />
<br />
[[Restart]] {{ic|httpd.service}}.<br />
<br />
==== 测试 PHP ====<br />
在 apache 文档根目录(即{{ic|/srv/http/}}或{{ic|~public_html}})中创建test.php文件,在其中写入:<br />
<?php phpinfo(); ?><br />
然后访问: http://localhost/test.php 或者 http://localhost/~myname/test.php<br />
<br />
高级的配置和扩展,请设置 [[PHP]].<br />
<br />
=== HTTP2 ===<br />
<br />
要启用 http2,安装 {{Pkg|libnghttp2}} 软件包(属于core仓库,一般默认已经安装)。然后取消 {{ic|httpd.conf}} 中下面行前的注释:<br />
LoadModule http2_module modules/mod_http2.so<br />
<br />
并加入:<br />
Protocols h2 http/1.1<br />
<br />
更多信息请参考 [https://httpd.apache.org/docs/2.4/mod/mod_http2.html mod_http2] 文档。<br />
<br />
== 问题处理 ==<br />
<br />
=== Apache 的状态和日志 ===<br />
<br />
状态信息可以用 [[systemctl]] 查询。<br />
<br />
Apache 默认的系统日志位于 {{ic|/var/log/httpd/}}。<br />
<br />
=== 启动后出现 Error: PID file /run/httpd/httpd.pid not readable ===<br />
<br />
在 {{ic|httpd.conf}} 中注释掉 {{ic|unique_id_module}} 行:<br />
#LoadModule unique_id_module modules/mod_unique_id.so<br />
<br />
=== AH00534: httpd: Configuration error: No MPM loaded. ===<br />
<br />
最近的升级需要修改 {{ic|httpd.conf}} 配置文件,取消下面行前的注释:<br />
<br />
{{hc|/etc/httpd/conf/httpd.conf|<br />
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so<br />
}}<br />
<br />
=== AH00072: make_sock: could not bind to address ===<br />
<br />
多种都可能导致此问题,最常见的问题是已经有程序监听了设置的端口,通过下面命令确认:<br />
<br />
# netstat -lnp | grep -e :80 -e :443<br />
<br />
如该能查到结果,关闭占用端口的程序,然后重试。<br />
<br />
还有一个原因是 Apache 没有以 root 执行,运行下面命令看看问题是否依然发生:<br />
<br />
# httpd -k start<br />
<br />
最后,可能配置有问题,导致程序同时监听了端口两次,例如下面的配置就有这个问题:<br />
<br />
Listen 0.0.0.0:80<br />
Listen [::]:80<br />
<br />
=== php.ini 中的 max_execution_time 设置无效 ===<br />
<br />
{{ic|php.ini}} 中的 {{ic|max_execution_time}} 设置为大于 30 (秒), 还会受到 {{ic|503 Service Unavailable}} 的话,还需要添加 {{ic|ProxyTimeout}} 到 {{ic|<FilesMatch \.php$>}} 段落之前:<br />
<br />
{{hc|/etc/httpd/conf/httpd.conf|<br />
ProxyTimeout 300<br />
}}<br />
<br />
重启 {{ic|httpd.service}}.<br />
<br />
== 参阅 ==<br />
* [http://www.apache.org/ Apache 官方网站]<br />
* [https://wiki.apache.org/httpd/ Apache wiki]<br />
* [http://www.akadia.com/services/ssh_test_certificate.html 生成ssh_test_certificate的教程]<br />
* [http://wiki.apache.org/httpd/CommonMisconfigurations Apache故障排除Wiki]</div>Timeline.menuhttps://wiki.archlinux.org/index.php?title=Apache_HTTP_Server_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)&diff=523907Apache HTTP Server (简体中文)2018-05-30T03:18:33Z<p>Timeline.menu: /* 使用 php-fpm 和 mod_proxy_fcgi */</p>
<div>[[Category:Web server (简体中文)]]
[[cs:Apache HTTP Server]]
[[de:LAMP Installation]]
[[el:Apache HTTP Server]]
[[en:Apache HTTP Server]]
[[es:Apache HTTP Server]]
[[fa:LAMP]]
[[fr:Lamp]]
[[it:Apache HTTP Server]]
[[ja:Apache HTTP Server]]
[[ko:Apache HTTP Server]]
[[pl:Apache HTTP Server]]
[[ru:Apache HTTP Server]]
[[sr:Apache HTTP Server]]
{{Related articles start}}
{{Related|PHP}}
{{Related|MySQL}}
{{Related|PhpMyAdmin}}
{{Related|Adminer}}
{{Related|XAMPP}}
{{Related|mod_perl}}
{{Related articles end}}
{{TranslationStatus (简体中文)|Apache_HTTP_Server|2017-12-04|500853}}
LAMP refers to a software bundle used on many web servers: Linux, Apache, MySQL/MariaDB and PHP.

The [[Wikipedia:Apache HTTP Server|Apache HTTP Server]], or Apache for short, is a very popular web server. It is commonly used together with a scripting language such as PHP and the MySQL database, a combination known as the [[Wikipedia:LAMP (software bundle)|LAMP]] stack ('''L'''inux, '''A'''pache, '''M'''ySQL, '''P'''HP). This article describes how to install and configure the Apache web server, and optionally how to install [[PHP]] and [[MySQL]] and integrate them with it.
<br />
== Installation ==

[[安装|Install]] the {{Pkg|apache}} package.

== Configuration ==

The Apache configuration files are located in {{ic|/etc/httpd/conf}}. The main configuration file is {{ic|/etc/httpd/conf/httpd.conf}}, which includes the other files.

With the default configuration Apache runs a simple server that serves the contents of {{ic|/srv/http}} to visitors.

Start the {{ic|httpd.service}} [[systemd#Using units|systemd unit]] to start Apache; opening http://localhost/ in a browser then shows a simple index page.
<br />
=== Advanced options ===

See the [https://httpd.apache.org/docs/trunk/mod/directives.html complete list of Apache directives] and the [https://httpd.apache.org/docs/trunk/mod/quickreference.htm directive quick reference].

Pay attention to the following options in {{ic|/etc/httpd/conf/httpd.conf}}:

User http
:For security reasons, as soon as Apache has been started by root (directly or through a start-up script) it switches to the UID specified in {{ic|/etc/httpd/conf/httpd.conf}}. The default is ''http'', a user created automatically at installation.

Listen 80
:The port Apache listens on. To make the server reachable from the Internet, open this port on your router.
:For local development you can restrict it to the loopback interface with {{ic|Listen 127.0.0.1:80}}.

ServerAdmin you@example.com
:The administrator's e-mail address, shown to users on error pages.

DocumentRoot "/srv/http"
:The directory containing the web pages.
:Change it if needed, but remember to update the {{ic|<Directory "/srv/http">}} block together with {{ic|DocumentRoot}}, otherwise accessing the new location may produce a '''403 Error''' (missing permissions). Do not forget to change the {{ic|Require all denied}} line to {{ic|Require all granted}}, or you will get a '''403 Error'''. The DocumentRoot directory and all of its parent directories must be executable (searchable) by the user the server process runs as (set this with {{ic|chmod o+x /path/to/DocumentRoot}}), otherwise a '''403 Error''' results as well.

AllowOverride None
:This directive in the {{ic|<Directory>}} block makes Apache ignore {{ic|.htaccess}} files completely. Since Apache 2.4 this is the default, so overrides must be allowed explicitly if you want to use {{ic|.htaccess}}. If you need {{ic|mod_rewrite}} or other settings in {{ic|.htaccess}}, you can specify which directories are allowed to override the server configuration. See the [http://httpd.apache.org/docs/current/mod/core.html#allowoverride Apache documentation] for more information.

{{Tip|Run {{ic|apachectl configtest}} to check the configuration files for errors.}}

More settings are available in {{ic|/etc/httpd/conf/extra/httpd-default.conf}}, for example:

Turn off the server signature:
ServerSignature Off

Hide the Apache and PHP versions and similar details:
ServerTokens Prod
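The directives above can be checked mechanically before a restart. The following Python script is an added example written for this article (it is not code from the ArchWiki page or from the Apache project): it parses an httpd.conf fragment and reports where ServerTokens, ServerSignature, AllowOverride, User or Listen deviate from the settings recommended above. The two configuration texts are constructed for the demonstration, and the function names are this example's own.

```python
"""Audit an httpd.conf fragment for the hardening directives discussed above.

Added example, not code from the ArchWiki page or from Apache.  It checks
ServerTokens Prod, ServerSignature Off, a non-root User, AllowOverride None
inside <Directory> blocks, and whether Listen binds to every interface.
Both configuration texts below are constructed for the demonstration.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: typical defaults you would want to tighten.
WEAK_CONF = """\
User http
Listen 80
ServerSignature On
ServerTokens Full
<Directory "/srv/http">
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
"""

# Constructed sample: the same server after applying the advice above.
HARDENED_CONF = """\
User http
Listen 127.0.0.1:80
ServerSignature Off
ServerTokens Prod
<Directory "/srv/http">
    Options FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
"""

Directive = Tuple[str, str, List[str]]  # (name, argument string, enclosing sections)


def parse_directives(text: str) -> List[Directive]:
    """Tokenise Apache config lines into (name, args, section stack) tuples.

    Comments and blank lines are skipped; <Section ...> and </Section> lines
    maintain a stack so each directive knows which block it lives in.
    """
    stack: List[str] = []
    out: List[Directive] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        close = re.match(r"</(\w+)>", line)
        if close:
            if stack and stack[-1].lower() == close.group(1).lower():
                stack.pop()
            continue
        open_ = re.match(r"<(\w+)\s*(.*)>", line)
        if open_:
            stack.append(open_.group(1))
            continue
        name, _, args = line.partition(" ")
        out.append((name, args.strip(), list(stack)))
    return out


def audit(text: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    seen: Dict[str, str] = {}
    for name, args, sections in parse_directives(text):
        key = name.lower()
        if key == "allowoverride" and sections and args.lower() != "none":
            findings.append(f"AllowOverride {args} inside <{sections[-1]}>: .htaccess overrides enabled")
        if key == "user" and args == "root":
            findings.append("User root: worker processes would keep root privileges")
        if key == "listen" and not re.match(r"^(127\.|\[::1\]|localhost)", args):
            findings.append(f"Listen {args}: bound on all interfaces; use Listen 127.0.0.1:80 for local testing")
        if key in ("servertokens", "serversignature"):
            seen[key] = args
    # Apache's built-in defaults: ServerTokens Full, ServerSignature Off.
    if seen.get("servertokens", "Full").lower() != "prod":
        findings.append(f"ServerTokens {seen.get('servertokens', '(default Full)')}: version details leak in the Server header")
    if seen.get("serversignature", "Off").lower() != "off":
        findings.append(f"ServerSignature {seen['serversignature']}: error-page footer reveals the server version")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{label}] {audit(conf) or 'no findings'}")
```

Run it against your own file with `audit(open("/etc/httpd/conf/httpd.conf").read())`; only the directives named above are inspected, and `Include`d files are not followed.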
<br />
=== User directories ===

By default, http://localhost/~yourusername/ serves the contents of {{ic|~/public_html}} from the user's home directory (this can be configured in {{ic|/etc/httpd/conf/extra/httpd-userdir.conf}}). To disable this, comment out the following line in {{ic|/etc/httpd/conf/httpd.conf}}:
Include conf/extra/httpd-userdir.conf

{{Accuracy|It is not necessary to set {{ic|+x}} for every user; setting it only for the web server via ACLs suffices (see [[Access Control Lists#Granting execution permissions for private files to a Web Server]]).}}

Set the directory permissions correctly so that Apache can reach the files. The home directory and {{ic|~/public_html}} must be executable (searchable) by others:

$ chmod o+x ~
$ chmod o+x ~/public_html
$ chmod -R o+r ~/public_html

Restart {{ic|httpd.service}} to apply the changes. See also [[Umask#Set the mask value]].
<br />
=== TLS/SSL ===
{{Warning|If you plan to use SSL/TLS, be aware that some versions and implementations are [https://weakdh.org/#affected still] [[wikipedia:Transport_Layer_Security#Attacks_against_TLS.2FSSL|vulnerable]]. See http://disablessl3.com/ and https://weakdh.org/sysadmin.html for the current vulnerabilities and how servers should handle them.}}

[[OpenSSL]] provides TLS/SSL support and is installed by default on Arch.

In {{ic|/etc/httpd/conf/httpd.conf}}, uncomment the following lines:
LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
Include conf/extra/httpd-ssl.conf

TLS/SSL requires a key and a certificate. If you have a public domain name you can obtain a certificate for free from [[Let's Encrypt]]; otherwise see [[#Create a key and a self-signed certificate]].

Once you have the key and certificate, point {{ic|SSLCertificateFile}} and {{ic|SSLCertificateKeyFile}} in {{ic|/etc/httpd/conf/extra/httpd-ssl.conf}} at the corresponding files. If you also generated a CA certificate chain, set its file name in {{ic|SSLCertificateChainFile}}.

Restart {{ic|httpd.service}}.

{{Tip|Mozilla's [https://wiki.mozilla.org/Security/Server_Side_TLS SSL/TLS article] contains [https://wiki.mozilla.org/Security/Server_Side_TLS#Apache Apache-specific] configuration guidance and an [https://mozilla.github.io/server-side-tls/ssl-config-generator/ automatic generator] that help create a more secure configuration.}}
<br />
==== Create a key and a self-signed certificate ====

Creating a private key and self-signing the certificate is sufficient for most uses that do not require a [[wikipedia:Certificate signing request|CSR]]:

# cd /etc/httpd/conf
# openssl req -new -x509 -nodes -newkey rsa:4096 -keyout server.key -out server.crt -days 1095
# chmod 400 server.key

{{Note|The {{ic|-days}} parameter is optional; the minimum RSA key size is 2048 (the default).}}

If you need to create a [[wikipedia:Certificate signing request|CSR]], create the key as follows instead:

# openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out server.key
# chmod 400 server.key
# openssl req -new -sha256 -key server.key -out server.csr
# openssl x509 -req -days 1095 -in server.csr -signkey server.key -out server.crt

{{Note|The [https://www.openssl.org/docs/apps/openssl.html openssl manual] and the [https://www.openssl.org/docs/ openssl documentation] contain more information.}}
<br />
=== Virtual Hosts ===

{{Note|You will need to add a separate {{ic|<VirtualHost *:443>}} section for virtual host SSL support. See [[#Managing many virtual hosts]] for an example file.}}

If you need more than one host, uncomment the following line in {{ic|/etc/httpd/conf/httpd.conf}}:
Include conf/extra/httpd-vhosts.conf

Set up the virtual hosts in {{ic|/etc/httpd/conf/extra/httpd-vhosts.conf}}; the default file contains an example.

To test the virtual hosts on the local machine, add the virtual names to the {{ic|/etc/hosts}} file:
127.0.0.1 domainname1.dom
127.0.0.1 domainname2.dom

Restart {{ic|httpd.service}}.
<br />
==== Managing many virtual hosts ====
If you manage many virtual hosts and want easier maintenance, it is recommended to create one configuration file per virtual host and store them in a directory such as {{ic|/etc/httpd/conf/vhosts}}.

Create the directory:
# mkdir /etc/httpd/conf/vhosts

Write the individual configuration files:
# nano /etc/httpd/conf/vhosts/domainname1.dom
# nano /etc/httpd/conf/vhosts/domainname2.dom
...

{{ic|Include}} the individual files in {{ic|/etc/httpd/conf/httpd.conf}}:
#Enabled Vhosts:
Include conf/vhosts/domainname1.dom
Include conf/vhosts/domainname2.dom

Each virtual host can be enabled or disabled individually by uncommenting or commenting its line.

A basic vhost file (point {{ic|SSLCertificateFile}} and {{ic|SSLCertificateKeyFile}} at the certificate and key you created for TLS/SSL):

{{hc|/etc/httpd/conf/vhosts/domainname1.dom|<nowiki>
<VirtualHost *:80>
ServerAdmin webmaster@domainname1.dom
DocumentRoot "/home/user/http/domainname1.dom"
ServerName domainname1.dom
ServerAlias domainname1.dom
ErrorLog "/var/log/httpd/domainname1.dom-error_log"
CustomLog "/var/log/httpd/domainname1.dom-access_log" common

<Directory "/home/user/http/domainname1.dom">
Require all granted
</Directory>
</VirtualHost>

<VirtualHost *:443>
ServerAdmin webmaster@domainname1.dom
DocumentRoot "/home/user/http/domainname1.dom"
ServerName domainname1.dom:443
ServerAlias domainname1.dom:443
SSLEngine on
SSLCertificateFile "/etc/httpd/conf/apache.crt"
SSLCertificateKeyFile "/etc/httpd/conf/apache.key"
ErrorLog "/var/log/httpd/domainname1.dom-error_log"
CustomLog "/var/log/httpd/domainname1.dom-access_log" common

<Directory "/home/user/http/domainname1.dom">
Require all granted
</Directory>
</VirtualHost></nowiki>}}
<br />
== Extensions ==
=== PHP ===
First, install PHP as described on the [[PHP]] page.

There are several ways to use PHP with Apache. [[#Using libphp]] is the simplest but scales worst; libphp also requires changing the MPM module, which can affect other extensions, for example it is incompatible with [[#HTTP2]].

==== Using libphp ====

[[安装|Install]] the {{Pkg|php-apache}} package.

The {{ic|libphp7.so}} shipped in {{Pkg|php-apache}} does not support {{ic|mod_mpm_event}}, only {{ic|mod_mpm_prefork}} ({{bug|39218}}). In {{ic|/etc/httpd/conf/httpd.conf}}, comment out:
#LoadModule mpm_event_module modules/mod_mpm_event.so
and uncomment the following line:
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so

Otherwise the following error occurs:
{{bc|1=Apache is running a threaded MPM, but your PHP Module is not compiled to be threadsafe. You need to recompile PHP.
AH00013: Pre-configuration failed
httpd.service: control process exited, code=exited status=1}}

Alternatively, you can use {{ic|mod_proxy_fcgi}} (see [[#Using php-fpm and mod_proxy_fcgi]]) or {{ic|mod_fcgid}} (see [[#Using apache2-mpm-worker and mod_fcgid]]), both described below.

To enable PHP, add the following lines to {{ic|/etc/httpd/conf/httpd.conf}}:

* Place these lines at the end of the {{ic|LoadModule}} list:
LoadModule php7_module modules/libphp7.so
AddHandler php7-script php
* Place this line at the end of the {{ic|Include}} list:
Include conf/extra/php7_module.conf

[[systemd#Using units|Restart]] {{ic|httpd.service}}.
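To see why the MPM change matters before restarting, the following Python example, added here and not code from the ArchWiki page, Apache or PHP, reads the active LoadModule lines of an httpd.conf text and reports the same incompatibility Apache reports at start-up: a php module next to a threaded MPM, or no MPM at all. The sample configurations and function names are constructed for this example.

```python
"""Check libphp / MPM compatibility from the LoadModule lines of httpd.conf.

Added example for this article; not code from the ArchWiki page, Apache or PHP.
It reproduces the decision Apache makes at start-up: libphp is not thread-safe,
so loading it together with mpm_event or mpm_worker fails, while mpm_prefork
(or no libphp at all, as with php-fpm) is accepted.  The sample configs below
are constructed for the demonstration.
"""
import re
from typing import List

THREADED_MPMS = {"mpm_event_module", "mpm_worker_module"}

# Constructed: the situation the section warns about (event MPM + libphp).
BROKEN_CONF = """\
LoadModule mpm_event_module modules/mod_mpm_event.so
#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
LoadModule php7_module modules/libphp7.so
"""

# Constructed: the fix from the section (prefork MPM + libphp).
FIXED_CONF = """\
#LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
LoadModule php7_module modules/libphp7.so
"""

# Constructed: the php-fpm alternative keeps the event MPM and loads no libphp.
FPM_CONF = """\
LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
"""


def loaded_modules(text: str) -> List[str]:
    """Return module names from active (uncommented) LoadModule lines."""
    mods: List[str] = []
    for line in text.splitlines():
        # A leading '#' never matches, so commented-out lines are ignored.
        m = re.match(r"\s*LoadModule\s+(\S+)\s+\S+", line)
        if m:
            mods.append(m.group(1))
    return mods


def check_php_mpm(text: str) -> str:
    """Return "ok" or a description of why httpd would refuse to start."""
    mods = loaded_modules(text)
    mpms = [m for m in mods if m.startswith("mpm_")]
    php = [m for m in mods if re.fullmatch(r"php\d*_module", m)]
    if not mpms:
        return "AH00534: httpd: Configuration error: No MPM loaded."
    if len(mpms) > 1:
        return "more than one MPM loaded: " + ", ".join(mpms)
    if php and mpms[0] in THREADED_MPMS:
        return (f"Apache is running a threaded MPM ({mpms[0]}), but your PHP "
                f"Module ({php[0]}) is not compiled to be threadsafe.")
    return "ok"


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF), ("php-fpm", FPM_CONF)):
        print(f"[{label}] {check_php_mpm(conf)}")
```

The check only looks at one file; if your MPM is loaded from an included file such as `conf/extra/httpd-mpm.conf`, concatenate the texts before calling `check_php_mpm`.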
<br />
==== Using php-fpm and mod_proxy_fcgi ====

With this approach the PHP processes are managed by php-fpm; they are not started and managed by Apache.

{{Note|Unlike the widespread setups based on ProxyPass, a proxy configuration using SetHandler respects Apache directives such as DirectoryIndex. This ensures better compatibility with software designed for libphp7, mod_fastcgi and mod_fcgid. If you still want to try ProxyPass, use a line like the following:{{bc|ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/run/php-fpm/php-fpm.sock&#124;fcgi://localhost/srv/http/$1}}}}

[[安装|Install]] the official {{Pkg|php-fpm}} package.

Enable the proxy modules:
{{hc|/etc/httpd/conf/httpd.conf|<nowiki>
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
</nowiki>}}

Create the file {{ic|/etc/httpd/conf/extra/php-fpm.conf}} with the following content:
{{hc|/etc/httpd/conf/extra/php-fpm.conf|<nowiki>
DirectoryIndex index.php index.html
<FilesMatch \.php$>
SetHandler "proxy:unix:/run/php-fpm/php-fpm.sock|fcgi://localhost/"
</FilesMatch>
</nowiki>}}

Add the following line at the end of the include section of {{ic|/etc/httpd/conf/httpd.conf}}:
Include conf/extra/php-fpm.conf

{{Note|There must be no whitespace around the pipe character between {{ic|sock}} and {{ic|fcgi}}. {{ic|localhost}} can be replaced with any string. See the [https://httpd.apache.org/docs/2.4/mod/mod_proxy_fcgi.html mod_proxy_fcgi documentation] for details.}}

You can configure PHP-FPM by editing {{ic|/etc/php/php-fpm.d/www.conf}}, but the default configuration already works well.

[[systemd#Using units|Restart]] both {{ic|httpd.service}} and {{ic|php-fpm.service}}.

{{Note|If you previously added the following lines to {{ic|httpd.conf}}, remove them; they are no longer needed:
LoadModule php7_module modules/libphp7.so
Include conf/extra/php7_module.conf
}}
<br />
==== Using apache2-mpm-worker and mod_fcgid ====
Differences between this approach and the previous one (php-fpm):

* The php-cgi processes are started and managed by the Apache module, so there is no need to configure and run php-fpm as a process manager.
* The php-cgi processes run as the Apache user, so files written by PHP programs are owned by the Apache user (unlike php-fpm, where written files belong to the php-fpm user, {{ic|nobody}} by default), which makes directory permission management more consistent.

[[安装|Install]] the {{Pkg|mod_fcgid}} package ([https://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html details]) and {{Pkg|php-cgi}}.

Create the required directory and symlink:
# mkdir /srv/http/fcgid-bin
# ln -s /usr/bin/php-cgi /srv/http/fcgid-bin/php-fcgid-wrapper

Create {{ic|/etc/httpd/conf/extra/php-fcgid.conf}} with the following content:
{{hc|/etc/httpd/conf/extra/php-fcgid.conf|<nowiki>
# Required modules: fcgid_module

<IfModule fcgid_module>
AddHandler php-fcgid .php
AddType application/x-httpd-php .php
Action php-fcgid /fcgid-bin/php-fcgid-wrapper
ScriptAlias /fcgid-bin/ /srv/http/fcgid-bin/
SocketPath /var/run/httpd/fcgidsock
SharememPath /var/run/httpd/fcgid_shm
# If you don't allow bigger requests many applications may fail (such as WordPress login)
FcgidMaxRequestLen 536870912
# Path to php.ini - defaults to /etc/phpX/cgi
DefaultInitEnv PHPRC=/etc/php/
# Number of PHP children that will be launched. Leave undefined to let PHP decide.
#DefaultInitEnv PHP_FCGI_CHILDREN 3
# Maximum requests before a process is stopped and a new one is launched
#DefaultInitEnv PHP_FCGI_MAX_REQUESTS 5000
<Location /fcgid-bin/>
SetHandler fcgid-script
Options +ExecCGI
</Location>
</IfModule>
</nowiki>}}

Edit {{ic|/etc/httpd/conf/httpd.conf}} and enable the actions module:
LoadModule actions_module modules/mod_actions.so

and add the following:
LoadModule fcgid_module modules/mod_fcgid.so
Include conf/extra/httpd-mpm.conf
Include conf/extra/php-fcgid.conf

[[Restart]] {{ic|httpd.service}}.
<br />
==== Testing PHP ====
Create a file {{ic|test.php}} in the Apache document root (i.e. {{ic|/srv/http/}} or {{ic|~/public_html}}) containing:
<?php phpinfo(); ?>
Then open http://localhost/test.php or http://localhost/~myname/test.php. Remove the file once the test succeeds, since {{ic|phpinfo()}} discloses details of the server configuration.

For advanced configuration and extensions, see [[PHP]].

=== HTTP2 ===

To enable HTTP/2, install the {{Pkg|libnghttp2}} package (it is in the core repository and usually installed already). Then uncomment the following line in {{ic|httpd.conf}}:
LoadModule http2_module modules/mod_http2.so

and add:
Protocols h2 http/1.1

See the [https://httpd.apache.org/docs/2.4/mod/mod_http2.html mod_http2] documentation for more information.
<br />
== Troubleshooting ==

=== Apache status and logs ===

Status information can be queried with [[systemctl]].

By default Apache writes its logs to {{ic|/var/log/httpd/}}.

=== Error: PID file /run/httpd/httpd.pid not readable after start ===

Comment out the {{ic|unique_id_module}} line in {{ic|httpd.conf}}:
#LoadModule unique_id_module modules/mod_unique_id.so

=== AH00534: httpd: Configuration error: No MPM loaded. ===

A recent upgrade requires a change to {{ic|httpd.conf}}: uncomment the following line:

{{hc|/etc/httpd/conf/httpd.conf|
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
}}

=== AH00072: make_sock: could not bind to address ===

Several causes can produce this error. The most common is that another program is already listening on the configured port; check with:

# netstat -lnp | grep -e :80 -e :443

If this returns a result, stop the program occupying the port and try again.

Another cause is that Apache was not started as root; run the following command and see whether the problem persists:

# httpd -k start

Finally, the configuration itself may make the program listen on the same port twice, as in the following example:

Listen 0.0.0.0:80
Listen [::]:80
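The last case can be caught before httpd is started. The following Python example is added here and is not code from the ArchWiki page or from Apache: it parses the Listen directives of a configuration text and flags pairs that bind the same port twice, in particular an IPv4 wildcard and an IPv6 wildcard for the same port as in the snippet above, an unqualified {{ic|Listen 80}} next to either of them, or the same address listed twice. The configuration texts and function names are constructed for this example.

```python
"""Find Listen directives that make httpd bind the same port twice.

Added example for this article; not code from the ArchWiki page or Apache.
The collision rule models the case shown above: an IPv4 wildcard
(0.0.0.0:80) and an IPv6 wildcard ([::]:80) on one port compete for the same
socket on a dual-stack host, and so does an unqualified "Listen 80" next to
either of them, or the same address listed twice.  Configs are constructed.
"""
import re
from typing import List, Tuple

WILDCARDS = {"*", "0.0.0.0", "::"}

# Constructed: the misconfiguration from the troubleshooting entry above.
BAD_CONF = """\
Listen 0.0.0.0:80
Listen [::]:80
Listen 443
"""

# Constructed: one wildcard bind per port.
GOOD_CONF = """\
Listen 80
Listen 443
"""


def parse_listen(text: str) -> List[Tuple[str, int]]:
    """Return (address, port) for every active Listen line.

    The address is "*" for an unqualified port, otherwise the literal IPv4
    address or the IPv6 address without its brackets.  A trailing protocol
    argument such as "https" is ignored.
    """
    out: List[Tuple[str, int]] = []
    for line in text.splitlines():
        m = re.match(r"\s*Listen\s+(\S+)", line)
        if not m:
            continue
        spec = m.group(1)
        if spec.isdigit():
            out.append(("*", int(spec)))
            continue
        v6 = re.fullmatch(r"\[([0-9a-fA-F:.]+)\]:(\d+)", spec)
        if v6:
            out.append((v6.group(1), int(v6.group(2))))
            continue
        host, _, port = spec.rpartition(":")
        out.append((host, int(port)))
    return out


def fmt(addr: str, port: int) -> str:
    """Render an (address, port) pair the way it appears in httpd.conf."""
    if addr == "*":
        return str(port)
    if ":" in addr:
        return f"[{addr}]:{port}"
    return f"{addr}:{port}"


def conflicts(text: str) -> List[str]:
    """List pairs of Listen directives competing for the same socket."""
    binds = parse_listen(text)
    found: List[str] = []
    for i, (a1, p1) in enumerate(binds):
        for a2, p2 in binds[i + 1:]:
            if p1 != p2:
                continue
            # Identical address, or two wildcards (IPv4, IPv6 or unqualified)
            # on the same port: httpd would bind that port a second time.
            if a1 == a2 or (a1 in WILDCARDS and a2 in WILDCARDS):
                found.append(f"Listen {fmt(a1, p1)} conflicts with Listen {fmt(a2, p2)}")
    return found


if __name__ == "__main__":
    for label, conf in (("bad", BAD_CONF), ("good", GOOD_CONF)):
        print(f"[{label}] {conflicts(conf) or 'no conflicts'}")
```

Two distinct literal addresses on the same port (for example `192.0.2.1:80` and `198.51.100.1:80`) are not reported, since each bind is to a different socket.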
<br />
=== max_execution_time in php.ini has no effect ===

If {{ic|max_execution_time}} in {{ic|php.ini}} is set to more than 30 (seconds) and you still receive {{ic|503 Service Unavailable}}, you also need to add {{ic|ProxyTimeout}} before the {{ic|<FilesMatch \.php$>}} block:

{{hc|/etc/httpd/conf/httpd.conf|
ProxyTimeout 300
}}

Restart {{ic|httpd.service}}.

== See also ==
* [http://www.apache.org/ Apache official website]
* [https://wiki.apache.org/httpd/ Apache wiki]
* [http://www.akadia.com/services/ssh_test_certificate.html Tutorial on generating a test certificate (ssh_test_certificate)]
* [http://wiki.apache.org/httpd/CommonMisconfigurations Apache troubleshooting wiki (common misconfigurations)]</div>
Apache HTTP Server (简体中文), earlier revision of 2018-05-30T03:17:28Z by Timeline.menu (edit summary: /* 使用 php-fpm 和 mod_proxy_fcgi */): https://wiki.archlinux.org/index.php?title=Apache_HTTP_Server_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)&diff=523906
<div>
<br />
[[systemd#Using units|重启]] {{ic|httpd.service}} 和 {{ic|php-fpm.service}} 这两个服务.<br />
<br />
{{Note|如果之前在 {{ic|httpd.conf}} 加入了下面内容,请删除它们,已经不再需要:<br />
LoadModule php7_module modules/libphp7.so<br />
Include conf/extra/php7_module.conf<br />
}}<br />
<br />
==== 使用 apache2-mpm-worker 和 mod_fcgid ====<br />
这种方式和上一种方式(php-fpm)的区别:<br />
<br />
php-fgi进程是由apache模块启动并管理,而不需要配置和使用php-fpm来管理进程。<br />
在php-cgi进程以apache用户身份运行,php程序写的文件,其权限为apache用户(而不像php-fpm下写文件为php-fpm用户所有,默认是nobody),这样在目录权限管理方面一致性高些。<br />
<br />
[[安装]] 软件包 {{pkg|mod_fcgid}}([https://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html 详情])和 {{Pkg|php-cgi}}。<br />
<br />
创建需要的目录并建立软链接:<br />
# mkdir /srv/http/fcgid-bin<br />
# ln -s /usr/bin/php-cgi /srv/http/fcgid-bin/php-fcgid-wrapper<br />
<br />
创建 {{ic|/etc/httpd/conf/extra/php-fcgid.conf}},内容是:<br />
{{hc|/etc/httpd/conf/extra/php-fcgid.conf|<nowiki><br />
# Required modules: fcgid_module<br />
<br />
<IfModule fcgid_module><br />
AddHandler php-fcgid .php<br />
AddType application/x-httpd-php .php<br />
Action php-fcgid /fcgid-bin/php-fcgid-wrapper<br />
ScriptAlias /fcgid-bin/ /srv/http/fcgid-bin/<br />
SocketPath /var/run/httpd/fcgidsock<br />
SharememPath /var/run/httpd/fcgid_shm<br />
# If you don't allow bigger requests many applications may fail (such as WordPress login)<br />
FcgidMaxRequestLen 536870912<br />
# Path to php.ini – defaults to /etc/phpX/cgi<br />
DefaultInitEnv PHPRC=/etc/php/<br />
# Number of PHP childs that will be launched. Leave undefined to let PHP decide.<br />
#DefaultInitEnv PHP_FCGI_CHILDREN 3<br />
# Maximum requests before a process is stopped and a new one is launched<br />
#DefaultInitEnv PHP_FCGI_MAX_REQUESTS 5000<br />
<Location /fcgid-bin/><br />
SetHandler fcgid-script<br />
Options +ExecCGI<br />
</Location><br />
</IfModule><br />
</nowiki>}}<br />
<br />
编辑 {{ic|/etc/httpd/conf/httpd.conf}},启用 actions 模块:<br />
LoadModule actions_module modules/mod_actions.so<br />
<br />
并添加如下配置:<br />
LoadModule fcgid_module modules/mod_fcgid.so<br />
Include conf/extra/httpd-mpm.conf<br />
Include conf/extra/php-fcgid.conf<br />
<br />
[[Restart]] {{ic|httpd.service}}.<br />
<br />
==== 测试 PHP ====<br />
在 apache 文档根目录(即{{ic|/srv/http/}}或{{ic|~public_html}})中创建test.php文件,在其中写入:<br />
<?php phpinfo(); ?><br />
然后访问: http://localhost/test.php 或者 http://localhost/~myname/test.php<br />
<br />
高级的配置和扩展,请设置 [[PHP]].<br />
<br />
=== HTTP2 ===<br />
<br />
要启用 http2,安装 {{Pkg|libnghttp2}} 软件包(属于core仓库,一般默认已经安装)。然后取消 {{ic|httpd.conf}} 中下面行前的注释:<br />
LoadModule http2_module modules/mod_http2.so<br />
<br />
并加入:<br />
Protocols h2 http/1.1<br />
<br />
更多信息请参考 [https://httpd.apache.org/docs/2.4/mod/mod_http2.html mod_http2] 文档。<br />
<br />
== 问题处理 ==<br />
<br />
=== Apache 的状态和日志 ===<br />
<br />
状态信息可以用 [[systemctl]] 查询。<br />
<br />
Apache 默认的系统日志位于 {{ic|/var/log/httpd/}}。<br />
<br />
=== 启动后出现 Error: PID file /run/httpd/httpd.pid not readable ===<br />
<br />
在 {{ic|httpd.conf}} 中注释掉 {{ic|unique_id_module}} 行:<br />
#LoadModule unique_id_module modules/mod_unique_id.so<br />
<br />
=== AH00534: httpd: Configuration error: No MPM loaded. ===<br />
<br />
最近的升级需要修改 {{ic|httpd.conf}} 配置文件,取消下面行前的注释:<br />
<br />
{{hc|/etc/httpd/conf/httpd.conf|<br />
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so<br />
}}<br />
<br />
=== AH00072: make_sock: could not bind to address ===<br />
<br />
多种都可能导致此问题,最常见的问题是已经有程序监听了设置的端口,通过下面命令确认:<br />
<br />
# netstat -lnp | grep -e :80 -e :443<br />
<br />
如该能查到结果,关闭占用端口的程序,然后重试。<br />
<br />
还有一个原因是 Apache 没有以 root 执行,运行下面命令看看问题是否依然发生:<br />
<br />
# httpd -k start<br />
<br />
最后,可能配置有问题,导致程序同时监听了端口两次,例如下面的配置就有这个问题:<br />
<br />
Listen 0.0.0.0:80<br />
Listen [::]:80<br />
<br />
=== php.ini 中的 max_execution_time 设置无效 ===<br />
<br />
{{ic|php.ini}} 中的 {{ic|max_execution_time}} 设置为大于 30 (秒), 还会受到 {{ic|503 Service Unavailable}} 的话,还需要添加 {{ic|ProxyTimeout}} 到 {{ic|<FilesMatch \.php$>}} 段落之前:<br />
<br />
{{hc|/etc/httpd/conf/httpd.conf|<br />
ProxyTimeout 300<br />
}}<br />
<br />
重启 {{ic|httpd.service}}.<br />
<br />
== 参阅 ==<br />
* [http://www.apache.org/ Apache 官方网站]<br />
* [https://wiki.apache.org/httpd/ Apache wiki]<br />
* [http://www.akadia.com/services/ssh_test_certificate.html 生成ssh_test_certificate的教程]<br />
* [http://wiki.apache.org/httpd/CommonMisconfigurations Apache故障排除Wiki]</div>Timeline.menuhttps://wiki.archlinux.org/index.php?title=Apache_HTTP_Server_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)&diff=523905Apache HTTP Server (简体中文)2018-05-30T03:15:22Z<p>Timeline.menu: /* 使用 apache2-mpm-worker 和 mod_fcgid */</p>
<hr />
<div>[[Category:Web server (简体中文)]]<br />
[[cs:Apache HTTP Server]]<br />
[[de:LAMP Installation]]<br />
[[el:Apache HTTP Server]]<br />
[[en:Apache HTTP Server]]<br />
[[es:Apache HTTP Server]]<br />
[[fa:LAMP]]<br />
[[fr:Lamp]]<br />
[[it:Apache HTTP Server]]<br />
[[ja:Apache HTTP Server]]<br />
[[ko:Apache HTTP Server]]<br />
[[pl:Apache HTTP Server]]<br />
[[ru:Apache HTTP Server]]<br />
[[sr:Apache HTTP Server]]<br />
{{Related articles start}}<br />
{{Related|PHP}}<br />
{{Related|MySQL}}<br />
{{Related|PhpMyAdmin}}<br />
{{Related|Adminer}}<br />
{{Related|XAMPP}}<br />
{{Related|mod_perl}}<br />
{{Related articles end}}<br />
{{TranslationStatus (简体中文)|Apache_HTTP_Server|2017-12-04|500853}}<br />
LAMP is a software bundle used on many web servers: Linux, Apache, MySQL/MariaDB and PHP.<br />
<br />
The [[Wikipedia:Apache HTTP Server|Apache HTTP Server]], or Apache for short, is a very popular web server. It is commonly used together with a scripting language such as PHP and a database such as MySQL, a combination known as the [[Wikipedia:LAMP (software bundle)|LAMP]] stack ('''L'''inux, '''A'''pache, '''M'''ySQL, '''P'''HP). This article describes how to install and configure the Apache web server, and optionally how to install [[PHP]] and [[MySQL]] and integrate them with it.<br />
<br />
==Installation==<br />
<br />
[[Install]] the {{Pkg|apache}} package.<br />
<br />
==Configuration==<br />
<br />
Apache's configuration files live in {{ic|/etc/httpd/conf}}; the main file is {{ic|/etc/httpd/conf/httpd.conf}}, which includes the others.<br />
<br />
The default configuration serves a basic site whose content is the directory {{ic|/srv/http}}.<br />
<br />
Start the {{ic|httpd.service}} [[systemd#Using units|systemd unit]]; Apache starts, and opening http://localhost/ in a browser shows a simple index page.<br />
<br />
=== Advanced options ===<br />
<br />
See the [https://httpd.apache.org/docs/trunk/mod/directives.html full list of Apache directives] and the [https://httpd.apache.org/docs/trunk/mod/quickreference.html directive quick reference].<br />
<br />
Pay attention to the following options in {{ic|/etc/httpd/conf/httpd.conf}}:<br />
<br />
User http<br />
:For security reasons, Apache starts as root (directly or through the start script) and then immediately switches to the UID specified in {{ic|/etc/httpd/conf/httpd.conf}}. The default is ''http'', a user created automatically when the package is installed. Only the parent process keeps root privileges (it needs them to bind port 80 and to read the TLS private key); the worker processes that handle requests run as ''http''.<br />
<br />
Listen 80<br />
:The port Apache listens on. To make the server reachable from the Internet, open this port on your router or firewall.<br />
:For local development, restrict it to the loopback interface with the directive {{ic|Listen 127.0.0.1:80}} instead, so nothing outside the machine can reach it.<br />
<br />
ServerAdmin you@example.com<br />
:The administrator's e-mail address, shown to users on error pages.<br />
<br />
DocumentRoot "/srv/http"<br />
:The directory the web pages are served from.<br />
:Change it if needed, but remember to change the {{ic|<Directory "/srv/http">}} block along with {{ic|DocumentRoot}}, otherwise requests to the new location fail with a '''403 Error''' (insufficient permissions). Do not forget to change the {{ic|Require all denied}} line in that block to {{ic|Require all granted}}, or you also get a '''403 Error'''. The DocumentRoot directory and all of its parent directories must be executable (searchable) for the user the server runs as (set with {{ic|chmod o+x /path/to/DocumentRoot}}), otherwise, again, a '''403 Error'''. Keep the {{ic|Require all denied}} of the {{ic|<Directory />}} block (the default for the file system root) in place, so that only directories you open explicitly are reachable.<br />
<br />
AllowOverride None<br />
:Inside a {{ic|<Directory>}} block this setting makes Apache ignore {{ic|.htaccess}} files completely. Since Apache 2.4 this is the default, so to use {{ic|.htaccess}} you have to allow overrides explicitly. If you need {{ic|mod_rewrite}} or other settings in {{ic|.htaccess}}, you can specify per directory which parts of the server configuration may be overridden. See the [http://httpd.apache.org/docs/current/mod/core.html#allowoverride Apache documentation] for details.<br />
<br />
{{Tip|Use {{ic|apachectl configtest}} to check the configuration for errors before (re)starting the server.}}<br />
<br />
More settings can be found in {{ic|/etc/httpd/conf/extra/httpd-default.conf}}, for example<br />
<br />
Turn off the server signature on server-generated pages (error pages, directory listings):<br />
ServerSignature Off<br />
<br />
Report only "Apache" in the {{ic|Server}} response header, hiding the version and operating system:<br />
ServerTokens Prod<br />
<br />
These two directives only affect what Apache itself reveals; PHP adds its own version to an {{ic|X-Powered-By}} header unless {{ic|1=expose_php = Off}} is set in {{ic|php.ini}}.<br />
<br />
=== User directories ===<br />
<br />
By default, users' home directories are reachable at http://localhost/~yourusername/, serving the contents of {{ic|~/public_html}} (configured in {{ic|/etc/httpd/conf/extra/httpd-userdir.conf}}). To disable this, comment out the following line in {{ic|/etc/httpd/conf/httpd.conf}}:<br />
Include conf/extra/httpd-userdir.conf<br />
<br />
{{Accuracy|It is not necessary to set {{ic|+x}} for every user, setting it only for the webserver via ACLs suffices (see [[Access Control Lists#Granting execution permissions for private files to a Web Server]]).}}<br />
<br />
Make sure the directory permissions let Apache reach the files. The home directory and {{ic|~/public_html}} must be executable (searchable) by others:<br />
<br />
$ chmod o+x ~<br />
$ chmod o+x ~/public_html<br />
$ chmod -R o+r ~/public_html<br />
<br />
Note that {{ic|o+x}} on the home directory lets every local user traverse it, not only Apache; granting the execute bit to the ''http'' user alone with an ACL ({{ic|setfacl -m u:http:x ~}}) is the least-privilege option. Restart {{ic|httpd.service}} to apply the changes. See also [[Umask#Set the mask value]].<br />
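The 403 diagnosis above (an ancestor directory without the search bit, or a file without the read bit) can be automated. The following is an added example, not part of the ArchWiki page: a POSIX shell script that walks from the requested file up to {{ic|/}} and names every directory missing the execute bit for "other" and any file missing the read bit. It assumes GNU coreutils ({{ic|stat -c}}); the directory tree it checks in the demo is constructed under {{ic|mktemp}} and stands in for {{ic|/home/user/public_html}}.<br />

```sh
#!/bin/sh
# Added example, not from the ArchWiki page: find the directory or file that
# makes Apache answer 403 for a path below a home directory. httpd's worker
# processes run as "http"; relative to another user's files that is "other",
# so every ancestor needs o+x (search) and the file itself o+r. Assumes GNU
# coreutils `stat`. The tree built in demo() is constructed for the demo.

# others_bit PATH MASK: succeeds if the "other" bit MASK (1 = x, 4 = r) is set.
others_bit() {
    mode=$(stat -c '%a' "$1") || return 1   # e.g. 750 or 1777; last digit is "other"
    [ $(( (mode % 10) & $2 )) -ne 0 ]
}

# path_blockers PATH: print every ancestor directory (and PATH itself if it is
# a directory) lacking o+x, and PATH if it is a file lacking o+r.
# Returns 0 when nothing blocks the web server, 1 otherwise.
path_blockers() {
    target=$1
    case $target in /*) ;; *) target=$(pwd)/$target ;; esac   # need an absolute path
    blocked=0
    if [ -d "$target" ]; then dir=$target; else dir=$(dirname "$target"); fi
    while :; do
        if ! others_bit "$dir" 1; then
            echo "no o+x on $dir"
            blocked=1
        fi
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    if [ -f "$target" ] && ! others_bit "$target" 4; then
        echo "no o+r on $target"
        blocked=1
    fi
    return $blocked
}

# demo: a constructed home directory with the usual 700 mode, which is exactly
# what blocks http://localhost/~user/ even though public_html itself is 755.
demo() {
    root=$(mktemp -d) && chmod 711 "$root"      # stands in for /home
    mkdir -p "$root/user/public_html"
    echo '<h1>hi</h1>' >"$root/user/public_html/index.html"
    chmod 700 "$root/user"
    chmod 755 "$root/user/public_html"
    chmod 644 "$root/user/public_html/index.html"
    path_blockers "$root/user/public_html/index.html"   # prints: no o+x on .../user
    chmod o+x "$root/user"    # the page's fix; setfacl -m u:http:x would be narrower
    path_blockers "$root/user/public_html/index.html" && echo "ok: reachable"
    rm -rf "$root"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as {{ic|sh check-path.sh --demo}}, or call {{ic|path_blockers /home/user/public_html/index.html}} on a real path; the first directory it names is the one to fix, preferably with an ACL for ''http'' rather than {{ic|o+x}} for everyone.<br />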
<br />
=== TLS/SSL ===<br />
{{Warning|If you plan to use SSL/TLS, be aware that some versions and implementations are [https://weakdh.org/#affected still] [[wikipedia:Transport_Layer_Security#Attacks_against_TLS.2FSSL|vulnerable]]. See http://disablessl3.com/ and https://weakdh.org/sysadmin.html for the current state of these vulnerabilities and how to handle them on the server side.}}<br />
<br />
[[OpenSSL]] provides TLS/SSL support and is installed by default on Arch.<br />
<br />
In {{ic|/etc/httpd/conf/httpd.conf}}, uncomment the following lines:<br />
LoadModule ssl_module modules/mod_ssl.so<br />
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so<br />
Include conf/extra/httpd-ssl.conf<br />
<br />
TLS/SSL needs a key and a certificate. If you have a public domain name, you can get a certificate for free from [[Let's Encrypt]]; if not, see [[#Create a key and a self-signed certificate]].<br />
<br />
Once you have the key and certificate, point {{ic|SSLCertificateFile}} and {{ic|SSLCertificateKeyFile}} in {{ic|/etc/httpd/conf/extra/httpd-ssl.conf}} at the respective files. If you also have a CA certificate chain (the intermediate certificates), set {{ic|SSLCertificateChainFile}} to that file; since Apache 2.4.8 this directive is deprecated and the intermediates can instead be appended, after the server certificate, to the file named by {{ic|SSLCertificateFile}}. Keep the private key readable by root only: Apache reads it at startup while still running as root, so the ''http'' user does not need access to it.<br />
<br />
Restart {{ic|httpd.service}}.<br />
<br />
{{Tip|Mozilla's [https://wiki.mozilla.org/Security/Server_Side_TLS SSL/TLS article] contains [https://wiki.mozilla.org/Security/Server_Side_TLS#Apache Apache-specific] configuration guidance and an [https://mozilla.github.io/server-side-tls/ssl-config-generator/ automatic generator] that help create a more secure configuration (protocol versions and cipher suites).}}<br />
<br />
==== Create a key and a self-signed certificate ====<br />
<br />
Creating a private key and a self-signed certificate is enough for most uses that do not require a [[wikipedia:Certificate signing request|CSR]]:<br />
<br />
# cd /etc/httpd/conf<br />
# openssl req -new -x509 -nodes -newkey rsa:4096 -keyout server.key -out server.crt -days 1095<br />
# chmod 400 server.key<br />
<br />
{{Note|The {{ic|-days}} parameter is optional; the RSA key size should be at least 2048 bits (the default). {{ic|-nodes}} leaves the key unencrypted, which is what Apache needs to start unattended, and is why the file permissions matter. Browsers do not trust a self-signed certificate and will show a warning; use one for testing and internal services only.}}<br />
<br />
If you need a [[wikipedia:Certificate signing request|CSR]] (for example to have a CA sign the certificate), create the key this way instead:<br />
<br />
# openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out server.key<br />
# chmod 400 server.key<br />
# openssl req -new -sha256 -key server.key -out server.csr<br />
# openssl x509 -req -days 1095 -in server.csr -signkey server.key -out server.crt<br />
<br />
The last command self-signs the request; when using a CA, send {{ic|server.csr}} to the CA instead and use the certificate it returns as {{ic|server.crt}}.<br />
<br />
{{Note|The [https://www.openssl.org/docs/apps/openssl.html openssl manual] and the [https://www.openssl.org/docs/ OpenSSL documentation] contain more information.}}<br />
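As an added example (not from the ArchWiki page), the following shell script wraps the self-signed key generation above and adds two things a practitioner wants before pointing {{ic|SSLCertificateFile}} at the result: a subjectAltName, without which current browsers reject the certificate even when the CN matches, and a check that the certificate's public key really corresponds to the private key (a mismatch makes httpd fail at startup). It assumes OpenSSL 1.1.1 or newer (for {{ic|req -addext}}) and GNU {{ic|stat}}; the host name {{ic|www.example.test}} and the scratch directory are assumptions for the demo, on a real server use {{ic|/etc/httpd/conf}} and your {{ic|ServerName}}.<br />

```sh
#!/bin/sh
# Added example, not from the ArchWiki page: self-signed key pair for Apache
# with a subjectAltName plus sanity checks. Assumes OpenSSL >= 1.1.1
# (for `req -addext`) and GNU coreutils `stat`.

# make_selfsigned DIR HOSTNAME [DAYS]
# Writes DIR/server.key (mode 400) and DIR/server.crt; returns 1 on failure.
make_selfsigned() {
    dir=$1; host=$2; days=${3:-1095}
    # The key is written in a subshell with umask 077 so it is never
    # world-readable, not even between creation and the chmod below.
    ( umask 077
      openssl req -new -x509 -nodes -sha256 -newkey rsa:4096 \
          -keyout "$dir/server.key" -out "$dir/server.crt" -days "$days" \
          -subj "/CN=$host" \
          -addext "subjectAltName=DNS:$host" \
          -addext "extendedKeyUsage=serverAuth" 2>/dev/null
    ) || return 1
    chmod 400 "$dir/server.key"   # root-only, as on the page: httpd loads it as root
    chmod 444 "$dir/server.crt"   # the certificate is public
}

# cert_matches_key CRT KEY
# Pairing the wrong files makes httpd fail at startup with
# "X509_check_private_key ... key values mismatch"; compare the public keys.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# cert_has_san CRT HOSTNAME: the name Apache serves must appear in the SAN.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "DNS:$2"
}

# key_mode FILE: octal permission bits, to confirm the chmod took effect.
key_mode() {
    stat -c '%a' "$1"
}

# Demo in a scratch directory (the host name is an assumption):
#   sh selfsigned.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_selfsigned "$d" www.example.test 365 \
        && cert_matches_key "$d/server.crt" "$d/server.key" \
        && cert_has_san "$d/server.crt" www.example.test \
        && echo "ok: $d/server.crt and $d/server.key match, key mode $(key_mode "$d/server.key")"
fi
```

The same {{ic|cert_matches_key}} check is worth running on a CA-issued certificate before a restart: it catches the common mistake of deploying a renewed certificate against the previous key.<br />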
<br />
=== Virtual hosts ===<br />
<br />
{{Note|You need a separate <VirtualHost *:443> section for each virtual host that should be reachable over TLS.<br />
See [[#Managing many virtual hosts]] for an example file.}}<br />
<br />
If you need more than one host, uncomment the following line in {{ic|/etc/httpd/conf/httpd.conf}}:<br />
Include conf/extra/httpd-vhosts.conf<br />
<br />
Configure the virtual hosts in {{ic|/etc/httpd/conf/extra/httpd-vhosts.conf}}; the default file contains an example. Note that the first <VirtualHost> block listed for an address:port pair is the default one: it serves every request whose Host header matches none of the configured names, so put a deliberately chosen (or catch-all) host first rather than an internal one.<br />
<br />
To test the virtual hosts on the local machine, add the names to {{ic|/etc/hosts}}:<br />
127.0.0.1 domainname1.dom<br />
127.0.0.1 domainname2.dom<br />
<br />
Restart {{ic|httpd.service}}.<br />
<br />
==== Managing many virtual hosts ====<br />
If you manage many virtual hosts and want to keep them maintainable, create one configuration file per host and store them in a directory such as {{ic|/etc/httpd/conf/vhosts}}.<br />
<br />
Create the directory:<br />
# mkdir /etc/httpd/conf/vhosts<br />
<br />
Write the individual configuration files:<br />
# nano /etc/httpd/conf/vhosts/domainname1.dom<br />
# nano /etc/httpd/conf/vhosts/domainname2.dom<br />
...<br />
<br />
{{ic|Include}} the individual files from {{ic|/etc/httpd/conf/httpd.conf}}:<br />
#Enabled Vhosts:<br />
Include conf/vhosts/domainname1.dom<br />
Include conf/vhosts/domainname2.dom<br />
<br />
A virtual host can then be enabled or disabled individually by uncommenting or commenting its Include line.<br />
<br />
A basic vhost file (the certificate and key paths must point at the files you actually created, for example {{ic|server.crt}} and {{ic|server.key}} from [[#Create a key and a self-signed certificate]]):<br />
<br />
{{hc|/etc/httpd/conf/vhosts/domainname1.dom|<nowiki><br />
<VirtualHost *:80><br />
ServerAdmin webmaster@domainname1.dom<br />
DocumentRoot "/home/user/http/domainname1.dom"<br />
ServerName domainname1.dom<br />
ServerAlias domainname1.dom<br />
ErrorLog "/var/log/httpd/domainname1.dom-error_log"<br />
CustomLog "/var/log/httpd/domainname1.dom-access_log" common<br />
<br />
<Directory "/home/user/http/domainname1.dom"><br />
Require all granted<br />
</Directory><br />
</VirtualHost><br />
<br />
<VirtualHost *:443><br />
ServerAdmin webmaster@domainname1.dom<br />
DocumentRoot "/home/user/http/domainname1.dom"<br />
ServerName domainname1.dom:443<br />
ServerAlias domainname1.dom:443<br />
SSLEngine on<br />
SSLCertificateFile "/etc/httpd/conf/apache.crt"<br />
SSLCertificateKeyFile "/etc/httpd/conf/apache.key"<br />
ErrorLog "/var/log/httpd/domainname1.dom-error_log"<br />
CustomLog "/var/log/httpd/domainname1.dom-access_log" common<br />
<br />
<Directory "/home/user/http/domainname1.dom"><br />
Require all granted<br />
</Directory><br />
</VirtualHost></nowiki>}}<br />
<br />
== Extensions ==<br />
=== PHP ===<br />
First, install PHP as described on the [[PHP]] page.<br />
<br />
There are several ways to run PHP under Apache. [[#Using libphp]] is the simplest but scales worst; it also requires switching the MPM module, which can affect other extensions, for example it is incompatible with [[#HTTP2]].<br />
<br />
==== Using libphp ====<br />
<br />
[[Install]] the {{Pkg|php-apache}} package.<br />
<br />
The {{ic|libphp7.so}} shipped in {{Pkg|php-apache}} does not support {{ic|mod_mpm_event}}, only {{ic|mod_mpm_prefork}} ({{bug|39218}}). Comment out the following line in {{ic|/etc/httpd/conf/httpd.conf}}:<br />
#LoadModule mpm_event_module modules/mod_mpm_event.so<br />
and uncomment this one:<br />
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so<br />
<br />
Otherwise you get the following error:<br />
{{bc|1=Apache is running a threaded MPM, but your PHP Module is not compiled to be threadsafe. You need to recompile PHP.<br />
AH00013: Pre-configuration failed<br />
httpd.service: control process exited, code=exited status=1}}<br />
<br />
Alternatively, use {{ic|mod_proxy_fcgi}} (see [[#Using php-fpm and mod_proxy_fcgi]]), which keeps the threaded MPM.<br />
<br />
To enable PHP, add the following lines to {{ic|/etc/httpd/conf/httpd.conf}}:<br />
<br />
* Place these lines at the end of the {{ic|LoadModule}} list:<br />
LoadModule php7_module modules/libphp7.so<br />
AddHandler php7-script php<br />
* Place this line at the end of the {{ic|Include}} list:<br />
Include conf/extra/php7_module.conf<br />
<br />
[[systemd#Using units|Restart]] {{ic|httpd.service}}.<br />
<br />
==== Using php-fpm and mod_proxy_fcgi ====<br />
<br />
{{Note|Unlike the widespread setups that use ProxyPass, a proxy configuration using SetHandler respects other Apache directives such as DirectoryIndex. This gives better compatibility with software written for libphp7, mod_fastcgi and mod_fcgid. If you still want to try ProxyPass, use a line like the following:{{bc|ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/run/php-fpm/php-fpm.sock&#124;fcgi://localhost/srv/http/$1}}}}<br />
<br />
[[Install]] the official {{Pkg|php-fpm}} package.<br />
<br />
Enable the proxy modules:<br />
{{hc|/etc/httpd/conf/httpd.conf|<nowiki><br />
LoadModule proxy_module modules/mod_proxy.so<br />
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so<br />
</nowiki>}}<br />
<br />
Create the file {{ic|/etc/httpd/conf/extra/php-fpm.conf}} with the following content:<br />
{{hc|/etc/httpd/conf/extra/php-fpm.conf|<nowiki><br />
DirectoryIndex index.php index.html<br />
<FilesMatch \.php$><br />
SetHandler "proxy:unix:/run/php-fpm/php-fpm.sock|fcgi://localhost/"<br />
</FilesMatch><br />
</nowiki>}}<br />
<br />
Add the following line at the end of the Include section of {{ic|/etc/httpd/conf/httpd.conf}}:<br />
Include conf/extra/php-fpm.conf<br />
<br />
{{Note|Do not put spaces around the pipe character between {{ic|sock}} and {{ic|fcgi}}! {{ic|localhost}} can be replaced by any string; it only names the backend. See the [https://httpd.apache.org/docs/2.4/mod/mod_proxy_fcgi.html mod_proxy_fcgi documentation] for details.}}<br />
<br />
PHP-FPM itself is configured in {{ic|/etc/php/php-fpm.d/www.conf}} (pool user, socket path and permissions, process limits), but the default configuration already works well. The socket's {{ic|listen.owner}}/{{ic|listen.group}}/{{ic|listen.mode}} must allow the ''http'' user to connect, otherwise every PHP request fails with a {{ic|503 Service Unavailable}}.<br />
<br />
[[systemd#Using units|Restart]] both {{ic|httpd.service}} and {{ic|php-fpm.service}}.<br />
<br />
{{Note|If you previously added the following lines to {{ic|httpd.conf}}, remove them; they are no longer needed:<br />
LoadModule php7_module modules/libphp7.so<br />
Include conf/extra/php7_module.conf<br />
}}<br />
<br />
==== Using apache2-mpm-worker and mod_fcgid ====<br />
Differences between this method and the previous one (php-fpm):<br />
<br />
The php-cgi processes are started and managed by the Apache module, so php-fpm does not need to be configured or run as a separate process manager.<br />
The php-cgi processes run as the Apache user, so files written by PHP are owned by that user (whereas under php-fpm they are owned by the pool user from {{ic|www.conf}}, which upstream defaults to nobody). This keeps directory permissions more uniform, at the price that a compromised PHP script has exactly the privileges of the web server itself, while a php-fpm pool can run as a separate, less privileged user.<br />
<br />
[[Install]] the {{Pkg|mod_fcgid}} ([https://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html details]) and {{Pkg|php-cgi}} packages.<br />
<br />
Create the required directory and symlink:<br />
# mkdir /srv/http/fcgid-bin<br />
# ln -s /usr/bin/php-cgi /srv/http/fcgid-bin/php-fcgid-wrapper<br />
<br />
Create {{ic|/etc/httpd/conf/extra/php-fcgid.conf}} with the following content:<br />
{{hc|/etc/httpd/conf/extra/php-fcgid.conf|<nowiki><br />
# Required modules: fcgid_module<br />
<br />
<IfModule fcgid_module><br />
AddHandler php-fcgid .php<br />
AddType application/x-httpd-php .php<br />
Action php-fcgid /fcgid-bin/php-fcgid-wrapper<br />
ScriptAlias /fcgid-bin/ /srv/http/fcgid-bin/<br />
SocketPath /var/run/httpd/fcgidsock<br />
SharememPath /var/run/httpd/fcgid_shm<br />
# If you don't allow bigger requests many applications may fail (such as WordPress login)<br />
FcgidMaxRequestLen 536870912<br />
# Path to php.ini – defaults to /etc/phpX/cgi<br />
DefaultInitEnv PHPRC=/etc/php/<br />
# Number of PHP childs that will be launched. Leave undefined to let PHP decide.<br />
#DefaultInitEnv PHP_FCGI_CHILDREN 3<br />
# Maximum requests before a process is stopped and a new one is launched<br />
#DefaultInitEnv PHP_FCGI_MAX_REQUESTS 5000<br />
<Location /fcgid-bin/><br />
SetHandler fcgid-script<br />
Options +ExecCGI<br />
</Location><br />
</IfModule><br />
</nowiki>}}<br />
<br />
Edit {{ic|/etc/httpd/conf/httpd.conf}} and enable the actions module:<br />
LoadModule actions_module modules/mod_actions.so<br />
<br />
and add the following:<br />
LoadModule fcgid_module modules/mod_fcgid.so<br />
Include conf/extra/httpd-mpm.conf<br />
Include conf/extra/php-fcgid.conf<br />
<br />
[[Restart]] {{ic|httpd.service}}.<br />
<br />
==== Testing PHP ====<br />
Create a file {{ic|test.php}} in the Apache document root ({{ic|/srv/http/}} or {{ic|~/public_html}}) containing:<br />
<?php phpinfo(); ?><br />
Then visit http://localhost/test.php or http://localhost/~myname/test.php.<br />
<br />
Remove {{ic|test.php}} once PHP works: {{ic|phpinfo()}} discloses the PHP version, loaded modules, file paths and environment variables to anyone who can reach the page.<br />
<br />
For advanced configuration and extensions, see [[PHP]].<br />
<br />
=== HTTP2 ===<br />
<br />
To enable HTTP/2, install the {{Pkg|libnghttp2}} package (it is in the core repository and usually already installed). Then uncomment the following line in {{ic|httpd.conf}}:<br />
LoadModule http2_module modules/mod_http2.so<br />
<br />
and add:<br />
Protocols h2 http/1.1<br />
<br />
{{ic|h2}} is HTTP/2 over TLS, so it only takes effect on hosts with {{ic|SSLEngine on}}; add {{ic|h2c}} to the list for cleartext HTTP/2 (browsers do not use h2c). {{ic|mod_http2}} also needs a threaded MPM (event or worker): with {{ic|mod_mpm_prefork}}, as required by [[#Using libphp]], it disables itself and logs a warning since httpd 2.4.27.<br />
<br />
See the [https://httpd.apache.org/docs/2.4/mod/mod_http2.html mod_http2] documentation for more information.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Apache status and logs ===<br />
<br />
Status information can be queried with [[systemctl]].<br />
<br />
Apache's logs are located in {{ic|/var/log/httpd/}} by default.<br />
<br />
=== Error: PID file /run/httpd/httpd.pid not readable after start ===<br />
<br />
Comment out the {{ic|unique_id_module}} line in {{ic|httpd.conf}}:<br />
#LoadModule unique_id_module modules/mod_unique_id.so<br />
<br />
=== AH00534: httpd: Configuration error: No MPM loaded. ===<br />
<br />
A recent upgrade requires a change to {{ic|httpd.conf}}: uncomment the following line:<br />
<br />
{{hc|/etc/httpd/conf/httpd.conf|<br />
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so<br />
}}<br />
<br />
=== AH00072: make_sock: could not bind to address ===<br />
<br />
Several things can cause this. The most common one is that another program is already listening on the configured port; check with:<br />
<br />
# netstat -lnp | grep -e :80 -e :443<br />
<br />
({{ic|ss -lntp}} from iproute2 shows the same information; {{ic|netstat}} belongs to the deprecated net-tools package.) If this lists a listener, stop the program occupying the port and try again.<br />
<br />
Another cause is that Apache was not started as root (it needs root to bind a privileged port); run the following and see whether the problem persists:<br />
<br />
# httpd -k start<br />
<br />
Finally, the configuration may be wrong so that the same port is bound twice. The following configuration has this problem: on Linux, httpd's {{ic|[::]}} socket also accepts IPv4 connections, so the second line conflicts with the first. A plain {{ic|Listen 80}} covers both address families:<br />
<br />
Listen 0.0.0.0:80<br />
Listen [::]:80<br />
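The duplicate-Listen case can be caught before restarting. The following is an added example, not part of the ArchWiki page: a shell function that extracts the wildcard {{ic|Listen}} forms discussed above (a bare port, {{ic|0.0.0.0:PORT}} and {{ic|[::]:PORT}}) from a configuration file and reports any port claimed more than once. {{ic|Listen}} lines with a specific address are ignored, {{ic|Include}} directives are not followed, and the sample configuration it checks is constructed for the demo.<br />

```sh
#!/bin/sh
# Added example, not from the ArchWiki page: detect Listen directives that
# bind one port twice (AH00072). Only the wildcard forms from the page are
# considered: "Listen PORT", "Listen 0.0.0.0:PORT" and "Listen [::]:PORT";
# on Linux httpd's [::] socket also accepts IPv4, so any two of these for the
# same port collide. Include directives are not followed. The configuration
# written by demo_conf() is constructed for the demo.

# listen_wildcard_ports CONF: one port per wildcard Listen line, comments skipped.
listen_wildcard_ports() {
    sed -n 's/^[[:space:]]*Listen[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" |
    while read -r addr; do
        case $addr in
            0.0.0.0:*|"[::]:"*) echo "${addr##*:}" ;;   # wildcard with a port
            *:*|*.*)            ;;   # a specific address: not analysed here
            *)                  echo "$addr" ;;          # bare port
        esac
    done
}

# check_listen_conflicts CONF: print each port claimed by more than one
# wildcard Listen line; return 1 if there is any, 0 if the file is clean.
check_listen_conflicts() {
    dups=$(listen_wildcard_ports "$1" | sort | uniq -d)
    [ -z "$dups" ] && return 0
    for p in $dups; do
        echo "port $p is listened on more than once (would fail with AH00072)"
    done
    return 1
}

# demo_conf: write a constructed httpd.conf fragment and print its path.
demo_conf() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# constructed sample, not a real httpd.conf
Listen 0.0.0.0:80
Listen [::]:80
Listen 443
#Listen 443
Listen 127.0.0.1:8080
EOF
    echo "$f"
}

if [ "${1:-}" = "--demo" ]; then
    f=$(demo_conf)
    check_listen_conflicts "$f"    # prints the port 80 conflict, exit status 1
    rm -f "$f"
fi
```

For a real server, run {{ic|check_listen_conflicts /etc/httpd/conf/httpd.conf}} (and on any included file that contains {{ic|Listen}} lines, such as {{ic|extra/httpd-ssl.conf}}) before {{ic|apachectl configtest}}; configtest alone does not catch this, because the sockets are only bound when the server starts.<br />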
<br />
=== max_execution_time in php.ini has no effect ===<br />
<br />
If {{ic|max_execution_time}} in {{ic|php.ini}} is set to more than 30 (seconds) and long requests still end in a {{ic|503 Service Unavailable}}, the proxy connection to PHP-FPM times out before PHP does. Add {{ic|ProxyTimeout}} before the {{ic|<FilesMatch \.php$>}} block, with a value at least as large as the time PHP is allowed to run:<br />
<br />
{{hc|/etc/httpd/conf/httpd.conf|<br />
ProxyTimeout 300<br />
}}<br />
<br />
Restart {{ic|httpd.service}}.<br />
<br />
== See also ==<br />
* [http://www.apache.org/ Apache official website]<br />
* [https://wiki.apache.org/httpd/ Apache wiki]<br />
* [http://www.akadia.com/services/ssh_test_certificate.html Tutorial on generating an SSL test certificate]<br />
* [http://wiki.apache.org/httpd/CommonMisconfigurations Apache故障排除Wiki]</div>Timeline.menuhttps://wiki.archlinux.org/index.php?title=Apache_HTTP_Server_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)&diff=523900Apache HTTP Server (简体中文)2018-05-30T01:16:10Z<p>Timeline.menu: /* HTTP2 */</p>
<hr />
<div>[[Category:Web server (简体中文)]]<br />
[[cs:Apache HTTP Server]]<br />
[[de:LAMP Installation]]<br />
[[el:Apache HTTP Server]]<br />
[[en:Apache HTTP Server]]<br />
[[es:Apache HTTP Server]]<br />
[[fa:LAMP]]<br />
[[fr:Lamp]]<br />
[[it:Apache HTTP Server]]<br />
[[ja:Apache HTTP Server]]<br />
[[ko:Apache HTTP Server]]<br />
[[pl:Apache HTTP Server]]<br />
[[ru:Apache HTTP Server]]<br />
[[sr:Apache HTTP Server]]<br />
{{Related articles start}}<br />
{{Related|PHP}}<br />
{{Related|MySQL}}<br />
{{Related|PhpMyAdmin}}<br />
{{Related|Adminer}}<br />
{{Related|XAMPP}}<br />
{{Related|mod_perl}}<br />
{{Related articles end}}<br />
{{TranslationStatus (简体中文)|Apache_HTTP_Server|2017-12-04|500853}}<br />
LAMP是指在许多web 服务器上使用的一个软件组合:Linux,Apache,MySQL/MariaDB以及PHP。<br />
<br />
[[Wikipedia:Apache HTTP Server|Apache HTTP 服务器]],简称 Apache,是非常流行的Web服务器软件。通常和脚本语言比如 PHP,数据库 MySQL 一起工作,合称为 [[Wikipedia:LAMP (software bundle)|LAMP]] 栈('''L'''inux, '''A'''pache, '''M'''ySQL, '''P'''HP). 本文介绍。本文档描述了怎样安装设置 Apache 网页服务器。以及选择安装 [[PHP]]和 [[MySQL]] 并集成到Apache服务器中。<br />
<br />
==安装==<br />
<br />
[[安装]] 软件包 {{Pkg|apache}}.<br />
<br />
==配置==<br />
<br />
Apache 配置文件位于 {{ic|/etc/httpd/conf}},主要的配置文件是 {{ic|/etc/httpd/conf/httpd.conf}}, 此文件会引用其它文件。<br />
<br />
用默认配置可以启动一个简单的服务,有用户访问时会提供目录 {{ic|/srv/http}} 下的内容。<br />
<br />
启动 {{ic|httpd.service}} [[systemd#Using units|systemd 服务]],Apache 就会启动,从浏览器中访问 http://localhost/ 会显示一个简单的索引页面。<br />
<br />
=== 高级选项 ===<br />
<br />
请参考 [https://httpd.apache.org/docs/trunk/mod/directives.html Apache 完整 directives 配置选项] 和 [https://httpd.apache.org/docs/trunk/mod/quickreference.htm directive 快速参考].<br />
<br />
请关注一下 {{ic|/etc/httpd/conf/httpd.conf}} 中的下面选项:<br />
<br />
User http<br />
:出于安全原因,Apache以root用户身份启动(直接的或者通过启动脚本)后将立即切换为 {{ic|/etc/httpd/conf/httpd.conf}}中指定的 UID,默认配置是 ''http'', 安装时会自动创建此用户。<br />
<br />
Listen 80<br />
:Apache 监听的端口,要被外网访问,请在路由器开放此端口。<br />
:如果是本地调试用,可以用下面命令设置为仅供本地访问 {{ic|Listen 127.0.0.1:80}}.<br />
<br />
ServerAdmin you@example.com<br />
:管理员的电子邮件,在错误页面会展示给用户。<br />
<br />
DocumentRoot "/srv/http"<br />
:网页的目录.<br />
:如果需要可以修改这个目录,请记得同步修改 {{ic|<Directory "/srv/http">}} 和{{ic|DocumentRoot}},否则访问新位置时可能出现 '''403 Error''' (缺少权限)问题。不要忘记修改 {{ic|Require all denied}} 行到 {{ic|Require all granted}},否则会出现 '''403 Error'''. DocumentRoot 目录及其父目录必须有可执行权限,这样再能被服务器进程使用的用户访问到(用 {{ic|chmod o+x /path/to/DocumentRoot}} 设置),否则会出现 '''403 Error'''.<br />
<br />
AllowOverride None<br />
:在 {{ic|<Directory>}} 段落中的这个设置会让 Apache 完全忽略 {{ic|.htaccess}} 文件。从 Apache 2.4,这个设置以及是默认的,所以如果要使用 {{ic|.htaccess}},亲允许Overide. 如果要在 {{ic|.htaccess}} 中使用 {{ic|mod_rewrite}} 或其它设置, 可以指定哪些目录允许覆盖服务器配置。更多信息请访问 [http://httpd.apache.org/docs/current/mod/core.html#allowoverride Apache 文档].<br />
<br />
{{Tip|可以用 {{ic|apachectl configtest}} 检查配置文件是否存在问题。}}<br />
<br />
更多设置可以访问 {{ic|/etc/httpd/conf/extra/httpd-default.conf}},例如<br />
<br />
关闭服务器签名:<br />
ServerSignature Off<br />
<br />
隐藏 Apache 和 PHP 版本等属性:<br />
ServerTokens Prod<br />
<br />
=== 用户目录 ===<br />
<br />
在默认设置下,可以通过 http://localhost/~yourusername/ 访问用户的主目录并显示 {{ic|~/public_html}} 中的内容 (可以通过 {{ic|/etc/httpd/conf/extra/httpd-userdir.conf}} 设置). 要禁用这个访问,请注释掉 {{ic|/etc/httpd/conf/httpd.conf}} 文件中的如下行: <br />
Include conf/extra/httpd-userdir.conf<br />
<br />
{{Accuracy|It is not necessary to set {{ic|+x}} for every users, setting it only for the webserver via ACLs suffices (see [[Access Control Lists#Granting execution permissions for private files to a Web Server]]).}}<br />
<br />
请正确设置目录的权限,使得 Apache 可以访问到文件。主目录和 {{ic|~/public_html}} 必须是可被其它用户执行:<br />
<br />
$ chmod o+x ~<br />
$ chmod o+x ~/public_html<br />
$ chmod -R o+r ~/public_html<br />
<br />
重启 {{ic|httpd.service}} 服务以应用更改。参考 [[Umask#Set the mask value]].<br />
<br />
=== TLS/SSL ===<br />
{{警告|如果计划使用 SSL/TLS,请注意某些版本和实现 [https://weakdh.org/#affected 依然] [[wikipedia:Transport_Layer_Security#Attacks_against_TLS.2FSSL|有安全漏洞]]. 访问 http://disablessl3.com/ 和 https://weakdh.org/sysadmin.html 可以查看当前的安全漏洞和服务器处理方式。}}<br />
<br />
[[OpenSSL]] 提供了 TLS/SSL 支持,默认已经安装在 Arch 中。<br />
<br />
在 {{ic|/etc/httpd/conf/httpd.conf}} 中,取消下面行的注释:<br />
LoadModule ssl_module modules/mod_ssl.so<br />
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so<br />
Include conf/extra/httpd-ssl.conf<br />
<br />
TLS/SSL 需要密钥和认证,如果你有公开域名,可以使用 [[Let's Encrypt]] 免费获取认证,如果没有,请参考 [[#创建密钥并自签名]].<br />
<br />
获取密钥和认证之后,请将 {{ic|/etc/httpd/conf/extra/httpd-ssl.conf}} 中的 {{ic|SSLCertificateFile}} 和 {{ic|SSLCertificateKeyFile}} 指向对应的文件。如果还生成了 CA 认证链,请将文件名设置到 {{ic|SSLCertificateChainFile}}.<br />
<br />
重启 {{ic|httpd.service}}.<br />
<br />
{{Tip|Mozilla 的 [https://wiki.mozilla.org/Security/Server_Side_TLS SSL/TLS 文章] 包含了 [https://wiki.mozilla.org/Security/Server_Side_TLS#Apache Apache 相关] 配置的指南和一个 [https://mozilla.github.io/server-side-tls/ssl-config-generator/ 自动生成工具],可以有助于创建更安全的配置。}}<br />
<br />
==== 创建密钥并自签名 ====<br />
<br />
创建一个私钥并自己签名认证,对于不需要 [[wikipedia:Certificate signing request|CSR]] 的大部分使用来说已经足够:<br />
<br />
# cd /etc/httpd/conf<br />
# openssl req -new -x509 -nodes -newkey rsa:4096 -keyout server.key -out server.crt -days 1095<br />
# chmod 400 server.key<br />
<br />
{{Note|-days 参数是可选的,RSA 密钥大小最低是 2048 (default).}}<br />
<br />
如果需要创建 [[wikipedia:Certificate signing request|CSR]],用下面的密钥创建方:<br />
<br />
# openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out server.key<br />
# chmod 400 server.key<br />
# openssl req -new -sha256 -key server.key -out server.csr<br />
# openssl x509 -req -days 1095 -in server.csr -signkey server.key -out server.crt<br />
<br />
{{Note|[https://www.openssl.org/docs/apps/openssl.html openssl 手册] 和 [https://www.openssl.org/docs/ opnssl 文档] 包含了更多信息。}}<br />
<br />
=== Virtual Hosts ===<br />
<br />
{{Note|You will need to add a separate <VirtualHost *:443> section for virtual host SSL support.<br />
See [[#Managing many virtual hosts]]{{Broken section link}} for an example file.}}<br />
<br />
如果需要不止一个主机,取消 {{ic|/etc/httpd/conf/httpd.conf}}行的注释:<br />
Include conf/extra/httpd-vhosts.conf<br />
<br />
在 {{ic|/etc/httpd/conf/extra/httpd-vhosts.conf}} 中设置虚拟主机,默认文件包含了一个示例。<br />
<br />
要在本地机器测试虚拟主机,将虚拟名称加入 {{ic|/etc/hosts}} 文件:<br />
127.0.0.1 domainname1.dom <br />
127.0.0.1 domainname2.dom<br />
<br />
重启 {{ic|httpd.service}} 服务。<br />
<br />
==== 管理多个主机 ====<br />
如果要管理的主机非常多,希望更方便的维护,建议为每一个虚拟主机创建一个配置文件并文件存储到一个文件夹中 {{ic|/etc/httpd/conf/vhosts}}。<br />
<br />
创建目录:<br />
# mkdir /etc/httpd/conf/vhosts<br />
<br />
编写单独的配置文件:<br />
# nano /etc/httpd/conf/vhosts/domainname1.dom<br />
# nano /etc/httpd/conf/vhosts/domainname2.dom<br />
...<br />
<br />
在 {{ic|/etc/httpd/conf/httpd.conf}} 中 {{ic|Include}} 单独的配置文件:<br />
#Enabled Vhosts:<br />
Include conf/vhosts/domainname1.dom<br />
Include conf/vhosts/domainname2.dom<br />
<br />
通过注释或取消注释可以单独启用或禁用一个虚拟主机。<br />
<br />
基本的 vhost 文件:<br />
<br />
{{hc|/etc/httpd/conf/vhosts/domainname1.dom|<nowiki><br />
<VirtualHost *:80><br />
ServerAdmin webmaster@domainname1.dom<br />
DocumentRoot "/home/user/http/domainname1.dom"<br />
ServerName domainname1.dom<br />
ServerAlias domainname1.dom<br />
ErrorLog "/var/log/httpd/domainname1.dom-error_log"<br />
CustomLog "/var/log/httpd/domainname1.dom-access_log" common<br />
<br />
<Directory "/home/user/http/domainname1.dom"><br />
Require all granted<br />
</Directory><br />
</VirtualHost><br />
<br />
<VirtualHost *:443><br />
ServerAdmin webmaster@domainname1.dom<br />
DocumentRoot "/home/user/http/domainname1.dom"<br />
ServerName domainname1.dom:443<br />
ServerAlias domainname1.dom:443<br />
SSLEngine on<br />
SSLCertificateFile "/etc/httpd/conf/apache.crt"<br />
SSLCertificateKeyFile "/etc/httpd/conf/apache.key"<br />
ErrorLog "/var/log/httpd/domainname1.dom-error_log"<br />
CustomLog "/var/log/httpd/domainname1.dom-access_log" common<br />
<br />
<Directory "/home/user/http/domainname1.dom"><br />
Require all granted<br />
</Directory><br />
</VirtualHost></nowiki>}}<br />
<br />
== 扩展 ==<br />
=== PHP ===<br />
首先,参考 [[PHP]] 页面,完成 PHP 的安装。<br />
<br />
有多种方式可以在 Apache 下使用 PHP,[[#使用 libphp]] 最简单,但是扩展性最差,libphp 还需要修改 mpm 模块,可能影响其它扩展,比如和 [[#HTTP2]] 不兼容。<br />
<br />
==== 使用 libphp ====<br />
<br />
[[安装]]软件包 {{Pkg|php-apache}}。<br />
<br />
{{pkg|php-apache}} 中包含的 {{ic|libphp7.so}} 不支持 {{ic|mod_mpm_event}},仅支持 {{ic|mod_mpm_prefork}}({{bug|39218}})。需要在 {{ic|/etc/httpd/conf/httpd.conf}} 中注释掉:<br />
#LoadModule mpm_event_module modules/mod_mpm_event.so<br />
取消下面行的注释:<br />
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so<br />
<br />
不然将发生下面的错误:<br />
{{bc|1=Apache is running a threaded MPM, but your PHP Module is not compiled to be threadsafe. You need to recompile PHP.<br />
AH00013: Pre-configuration failed<br />
httpd.service: control process exited, code=exited status=1}}<br />
<br />
另一种选择, 你可以使用{{ic|mod_proxy_fcgi}} ( [[Apache HTTP Server#Using php-fpm and mod_proxy_fcgi|使用php-fpm和mod_proxy_fcgi]] <br />
<br />
要启用 PHP,在 {{ic|/etc/httpd/conf/httpd.conf}} 中添加如下行:<br />
<br />
* 将这一行放在{{ic|LoadModule}} 的末尾:<br />
LoadModule php7_module modules/libphp7.so<br />
AddHandler php7-script php<br />
* 将这一行放到{{ic|Include}}列表的末尾:<br />
Include conf/extra/php7_module.conf<br />
<br />
[[systemd#Using units|重启]] {{ic|httpd.service}}。<br />
<br />
==== 使用 php-fpm 和 mod_proxy_fcgi ====<br />
<br />
{{Note|与使用ProxyPass的广泛设置不同,使用SetHandler的代理配置遵守Apache指令,例如DirectoryIndex。 这是为了确保与为libphp7、mod_fastcgi和mod_fcgid而设计的软件有更好的兼容性。 如果您仍然想尝试使用ProxyPass,请尝试使用如下所示的行:{{bc|ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/run/php-fpm/php-fpm.sock&#124;fcgi://localhost/srv/http/$1}}}}<br />
<br />
[[安装]] 官方软件包 {{pkg|php-fpm}} .<br />
<br />
启用代理模块:<br />
{{hc|/etc/httpd/conf/httpd.conf|<nowiki><br />
LoadModule proxy_module modules/mod_proxy.so<br />
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so<br />
</nowiki>}}<br />
<br />
Create the file {{ic|/etc/httpd/conf/extra/php-fpm.conf}} with the following content:<br />
{{hc|/etc/httpd/conf/extra/php-fpm.conf|<nowiki><br />
DirectoryIndex index.php index.html<br />
<FilesMatch \.php$><br />
SetHandler "proxy:unix:/run/php-fpm/php-fpm.sock|fcgi://localhost/"<br />
</FilesMatch><br />
</nowiki>}}<br />
<br />
Add the following line at the end of the Include section of {{ic|/etc/httpd/conf/httpd.conf}}:<br />
Include conf/extra/php-fpm.conf<br />
<br />
{{Note|Do not put spaces around the pipe character between {{ic|sock}} and {{ic|fcgi}}! {{ic|localhost}} can be replaced with any string. See the [https://httpd.apache.org/docs/2.4/mod/mod_proxy_fcgi.html mod_proxy_fcgi documentation] for details.}}<br />
<br />
You can configure PHP-FPM by editing {{ic|/etc/php/php-fpm.d/www.conf}}, but the default configuration already works well.<br />
<br />
[[systemd#Using units|Restart]] both {{ic|httpd.service}} and {{ic|php-fpm.service}}.<br />
<br />
{{Note|If you previously added the following lines to {{ic|httpd.conf}}, remove them; they are no longer needed:<br />
LoadModule php7_module modules/libphp7.so<br />
Include conf/extra/php7_module.conf<br />
}}<br />
<br />
==== Using apache2-mpm-worker and mod_fcgid ====<br />
[[Install]] the {{pkg|mod_fcgid}} and {{Pkg|php-cgi}} packages.<br />
<br />
Create the required directory and symlink:<br />
# mkdir /srv/http/fcgid-bin<br />
# ln -s /usr/bin/php-cgi /srv/http/fcgid-bin/php-fcgid-wrapper<br />
<br />
Create {{ic|/etc/httpd/conf/extra/php-fcgid.conf}} with the following content:<br />
{{hc|/etc/httpd/conf/extra/php-fcgid.conf|<nowiki><br />
# Required modules: fcgid_module<br />
<br />
<IfModule fcgid_module><br />
AddHandler php-fcgid .php<br />
AddType application/x-httpd-php .php<br />
Action php-fcgid /fcgid-bin/php-fcgid-wrapper<br />
ScriptAlias /fcgid-bin/ /srv/http/fcgid-bin/<br />
SocketPath /var/run/httpd/fcgidsock<br />
SharememPath /var/run/httpd/fcgid_shm<br />
# If you don't allow bigger requests many applications may fail (such as WordPress login)<br />
FcgidMaxRequestLen 536870912<br />
# Path to php.ini – defaults to /etc/phpX/cgi<br />
DefaultInitEnv PHPRC=/etc/php/<br />
# Number of PHP children that will be launched. Leave undefined to let PHP decide.<br />
#DefaultInitEnv PHP_FCGI_CHILDREN 3<br />
# Maximum requests before a process is stopped and a new one is launched<br />
#DefaultInitEnv PHP_FCGI_MAX_REQUESTS 5000<br />
<Location /fcgid-bin/><br />
SetHandler fcgid-script<br />
Options +ExecCGI<br />
</Location><br />
</IfModule><br />
</nowiki>}}<br />
<br />
Edit {{ic|/etc/httpd/conf/httpd.conf}} and enable the actions module:<br />
LoadModule actions_module modules/mod_actions.so<br />
<br />
and add the following:<br />
LoadModule fcgid_module modules/mod_fcgid.so<br />
Include conf/extra/httpd-mpm.conf<br />
Include conf/extra/php-fcgid.conf<br />
<br />
[[Restart]] {{ic|httpd.service}}.<br />
<br />
==== Testing PHP ====<br />
Create a file {{ic|test.php}} in the Apache document root (i.e. {{ic|/srv/http/}} or {{ic|~/public_html}}) with the following content:<br />
<?php phpinfo(); ?><br />
Then open http://localhost/test.php or http://localhost/~myname/test.php.<br />
<br />
For advanced configuration and extensions, see [[PHP]].<br />
<br />
=== HTTP2 ===<br />
<br />
To enable HTTP/2, install the {{Pkg|libnghttp2}} package (it is in the core repository and is usually already installed). Then uncomment the following line in {{ic|httpd.conf}}:<br />
LoadModule http2_module modules/mod_http2.so<br />
<br />
and add:<br />
Protocols h2 http/1.1<br />
<br />
See the [https://httpd.apache.org/docs/2.4/mod/mod_http2.html mod_http2] documentation for more information.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Apache status and logs ===<br />
<br />
Status information can be queried with [[systemctl]].<br />
<br />
By default, Apache's logs are located in {{ic|/var/log/httpd/}}.<br />
<br />
=== Error: PID file /run/httpd/httpd.pid not readable after start ===<br />
<br />
Comment out the {{ic|unique_id_module}} line in {{ic|httpd.conf}}:<br />
#LoadModule unique_id_module modules/mod_unique_id.so<br />
<br />
=== AH00534: httpd: Configuration error: No MPM loaded. ===<br />
<br />
A recent upgrade requires a change to the {{ic|httpd.conf}} configuration file: uncomment the following line:<br />
<br />
{{hc|/etc/httpd/conf/httpd.conf|<br />
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so<br />
}}<br />
<br />
=== AH00072: make_sock: could not bind to address ===<br />
<br />
Several things can cause this problem. The most common one is that another program is already listening on the configured port; check with the following command:<br />
<br />
# netstat -lnp | grep -e :80 -e :443<br />
<br />
If this shows a result, stop the program occupying the port and try again.<br />
<br />
Another cause is that Apache is not running as root; run the following command to see whether the problem persists:<br />
<br />
# httpd -k start<br />
<br />
Finally, the configuration itself may be at fault, making the server try to listen on the same port twice. The following configuration has this problem, for example:<br />
<br />
Listen 0.0.0.0:80<br />
Listen [::]:80<br />
<br />
=== max_execution_time in php.ini has no effect ===<br />
<br />
If {{ic|max_execution_time}} in {{ic|php.ini}} is set to more than 30 (seconds) and you still get {{ic|503 Service Unavailable}}, you also need to add a {{ic|ProxyTimeout}} directive before the {{ic|<FilesMatch \.php$>}} block:<br />
<br />
{{hc|/etc/httpd/conf/httpd.conf|<br />
ProxyTimeout 300<br />
}}<br />
<br />
Restart {{ic|httpd.service}}.<br />
<br />
== See also ==<br />
* [http://www.apache.org/ Apache official website]<br />
* [https://wiki.apache.org/httpd/ Apache wiki]<br />
* [http://www.akadia.com/services/ssh_test_certificate.html Tutorial: generating ssh_test_certificate]<br />
* [http://wiki.apache.org/httpd/CommonMisconfigurations Apache troubleshooting wiki]</div>
Timeline.menu | https://wiki.archlinux.org/index.php?title=Apache_HTTP_Server_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)&diff=523870 | Apache HTTP Server (简体中文) | 2018-05-29T13:09:21Z<p>Timeline.menu: /* Using php-fpm and mod_proxy_fcgi */</p>
<hr />
<div>[[Category:Web server (简体中文)]]<br />
[[cs:Apache HTTP Server]]<br />
[[de:LAMP Installation]]<br />
[[el:Apache HTTP Server]]<br />
[[en:Apache HTTP Server]]<br />
[[es:Apache HTTP Server]]<br />
[[fa:LAMP]]<br />
[[fr:Lamp]]<br />
[[it:Apache HTTP Server]]<br />
[[ja:Apache HTTP Server]]<br />
[[ko:Apache HTTP Server]]<br />
[[pl:Apache HTTP Server]]<br />
[[ru:Apache HTTP Server]]<br />
[[sr:Apache HTTP Server]]<br />
{{Related articles start}}<br />
{{Related|PHP}}<br />
{{Related|MySQL}}<br />
{{Related|PhpMyAdmin}}<br />
{{Related|Adminer}}<br />
{{Related|XAMPP}}<br />
{{Related|mod_perl}}<br />
{{Related articles end}}<br />
{{TranslationStatus (简体中文)|Apache_HTTP_Server|2017-12-04|500853}}<br />
LAMP refers to a software bundle used on many web servers: Linux, Apache, MySQL/MariaDB and PHP.<br />
<br />
The [[Wikipedia:Apache HTTP Server|Apache HTTP Server]], or simply Apache, is a very popular web server. It is usually combined with a scripting language such as PHP and a database such as MySQL; the combination is known as the [[Wikipedia:LAMP (software bundle)|LAMP]] stack ('''L'''inux, '''A'''pache, '''M'''ySQL, '''P'''HP). This article describes how to install and configure the Apache web server, and optionally how to install [[PHP]] and [[MySQL]] and integrate them with it.<br />
<br />
==Installation==<br />
<br />
[[Install]] the {{Pkg|apache}} package.<br />
<br />
==Configuration==<br />
<br />
Apache configuration files are located in {{ic|/etc/httpd/conf}}. The main configuration file is {{ic|/etc/httpd/conf/httpd.conf}}, which includes the other files.<br />
<br />
With the default configuration, a simple server is started that serves the contents of {{ic|/srv/http}} to visitors.<br />
<br />
[[systemd#Using units|Start]] the {{ic|httpd.service}} systemd unit to start Apache; opening http://localhost/ in a browser then shows a simple index page.<br />
<br />
=== Advanced options ===<br />
<br />
See the [https://httpd.apache.org/docs/trunk/mod/directives.html full list of Apache configuration directives] and the [https://httpd.apache.org/docs/trunk/mod/quickreference.htm directive quick reference].<br />
<br />
Pay attention to the following options in {{ic|/etc/httpd/conf/httpd.conf}}:<br />
<br />
User http<br />
:For security reasons, as soon as Apache has been started by root (directly or through a startup script) it switches to the UID specified in {{ic|/etc/httpd/conf/httpd.conf}}. The default is ''http'', a user created automatically on installation.<br />
<br />
Listen 80<br />
:The port Apache listens on. To be reachable from the Internet, open this port on your router.<br />
:For local development, restrict access to the local machine with {{ic|Listen 127.0.0.1:80}}.<br />
<br />
ServerAdmin you@example.com<br />
:The administrator's e-mail address, shown to users on error pages.<br />
<br />
DocumentRoot "/srv/http"<br />
:The directory from which pages are served.<br />
:Change this directory if needed, and remember to change {{ic|<Directory "/srv/http">}} together with {{ic|DocumentRoot}}, otherwise requests for the new location may fail with a '''403 Error''' (insufficient permissions). Do not forget to change the {{ic|Require all denied}} line to {{ic|Require all granted}}, or you will get a '''403 Error'''. The DocumentRoot directory and all of its parent directories must be executable by the user the server runs as (set with {{ic|chmod o+x /path/to/DocumentRoot}}), otherwise a '''403 Error''' results.<br />
<br />
AllowOverride None<br />
:In a {{ic|<Directory>}} section this setting makes Apache ignore {{ic|.htaccess}} files completely. Since Apache 2.4 this is already the default, so you must explicitly allow overrides if you want to use {{ic|.htaccess}}. If you want to use {{ic|mod_rewrite}} or other settings from {{ic|.htaccess}} files, you can specify which directories may override the server configuration. See the [http://httpd.apache.org/docs/current/mod/core.html#allowoverride Apache documentation] for more information.<br />
<br />
{{Tip|Use {{ic|apachectl configtest}} to check the configuration files for errors.}}<br />
<br />
More settings can be found in {{ic|/etc/httpd/conf/extra/httpd-default.conf}}, for example:<br />
<br />
Turn off the server signature:<br />
ServerSignature Off<br />
<br />
Hide the Apache and PHP versions and similar attributes from the server header:<br />
ServerTokens Prod<br />
<br />
=== User directories ===<br />
<br />
By default, users' home directories are reachable at http://localhost/~yourusername/, which serves the contents of {{ic|~/public_html}} (this can be configured in {{ic|/etc/httpd/conf/extra/httpd-userdir.conf}}). To disable this, comment out the following line in {{ic|/etc/httpd/conf/httpd.conf}}:<br />
Include conf/extra/httpd-userdir.conf<br />
<br />
{{Accuracy|It is not necessary to set {{ic|+x}} for every user, setting it only for the webserver via ACLs suffices (see [[Access Control Lists#Granting execution permissions for private files to a Web Server]]).}}<br />
<br />
Set the directory permissions correctly so that Apache can access the files. The home directory and {{ic|~/public_html}} must be executable by others:<br />
<br />
$ chmod o+x ~<br />
$ chmod o+x ~/public_html<br />
$ chmod -R o+r ~/public_html<br />
<br />
Restart {{ic|httpd.service}} to apply the changes. See also [[Umask#Set the mask value]].<br />
<br />
=== TLS/SSL ===<br />
{{Warning|If you plan to use SSL/TLS, note that some versions and implementations [https://weakdh.org/#affected still] [[wikipedia:Transport_Layer_Security#Attacks_against_TLS.2FSSL|have security vulnerabilities]]. See http://disablessl3.com/ and https://weakdh.org/sysadmin.html for the current vulnerabilities and how to handle them on the server side.}}<br />
<br />
[[OpenSSL]] provides TLS/SSL support and is installed by default on Arch.<br />
<br />
In {{ic|/etc/httpd/conf/httpd.conf}}, uncomment the following lines:<br />
LoadModule ssl_module modules/mod_ssl.so<br />
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so<br />
Include conf/extra/httpd-ssl.conf<br />
<br />
TLS/SSL requires a key and a certificate. If you have a public domain name, you can obtain a certificate for free from [[Let's Encrypt]]; otherwise, see [[#Creating a self-signed key and certificate]].<br />
<br />
Once you have the key and certificate, point {{ic|SSLCertificateFile}} and {{ic|SSLCertificateKeyFile}} in {{ic|/etc/httpd/conf/extra/httpd-ssl.conf}} at the corresponding files. If you also generated a CA certificate chain, set its file name in {{ic|SSLCertificateChainFile}}.<br />
<br />
Restart {{ic|httpd.service}}.<br />
<br />
{{Tip|Mozilla's [https://wiki.mozilla.org/Security/Server_Side_TLS SSL/TLS article] contains [https://wiki.mozilla.org/Security/Server_Side_TLS#Apache Apache-specific] configuration guidance and an [https://mozilla.github.io/server-side-tls/ssl-config-generator/ automated generator] that help create a more secure configuration.}}<br />
<br />
==== Creating a self-signed key and certificate ====<br />
<br />
Creating a private key and a self-signed certificate is sufficient for most uses that do not require a [[wikipedia:Certificate signing request|CSR]]:<br />
<br />
# cd /etc/httpd/conf<br />
# openssl req -new -x509 -nodes -newkey rsa:4096 -keyout server.key -out server.crt -days 1095<br />
# chmod 400 server.key<br />
<br />
{{Note|The {{ic|-days}} parameter is optional; the minimum RSA key size is 2048 (the default).}}<br />
<br />
If you need to create a [[wikipedia:Certificate signing request|CSR]], generate the key and certificate as follows instead:<br />
<br />
# openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out server.key<br />
# chmod 400 server.key<br />
# openssl req -new -sha256 -key server.key -out server.csr<br />
# openssl x509 -req -days 1095 -in server.csr -signkey server.key -out server.crt<br />
<br />
{{Note|The [https://www.openssl.org/docs/apps/openssl.html openssl manual page] and the [https://www.openssl.org/docs/ OpenSSL documentation] contain more information.}}<br />
<br />
=== Virtual Hosts ===<br />
<br />
{{Note|You will need to add a separate <VirtualHost *:443> section for virtual host SSL support.<br />
See [[#Managing many virtual hosts]]{{Broken section link}} for an example file.}}<br />
<br />
If you need more than one host, uncomment the following line in {{ic|/etc/httpd/conf/httpd.conf}}:<br />
Include conf/extra/httpd-vhosts.conf<br />
<br />
Set up the virtual hosts in {{ic|/etc/httpd/conf/extra/httpd-vhosts.conf}}; the default file contains an example.<br />
<br />
To test the virtual hosts on the local machine, add the virtual host names to {{ic|/etc/hosts}}:<br />
127.0.0.1 domainname1.dom<br />
127.0.0.1 domainname2.dom<br />
<br />
Restart {{ic|httpd.service}}.<br />
<br />
==== Managing many virtual hosts ====<br />
If you have many virtual hosts to manage and want to keep maintenance easy, create one configuration file per virtual host and store them in a directory such as {{ic|/etc/httpd/conf/vhosts}}.<br />
<br />
Create the directory:<br />
# mkdir /etc/httpd/conf/vhosts<br />
<br />
Write a separate configuration file for each host:<br />
# nano /etc/httpd/conf/vhosts/domainname1.dom<br />
# nano /etc/httpd/conf/vhosts/domainname2.dom<br />
...<br />
<br />
{{ic|Include}} the individual configuration files in {{ic|/etc/httpd/conf/httpd.conf}}:<br />
#Enabled Vhosts:<br />
Include conf/vhosts/domainname1.dom<br />
Include conf/vhosts/domainname2.dom<br />
<br />
Individual virtual hosts can then be enabled or disabled by uncommenting or commenting out the corresponding line.<br />
<br />
A basic vhost file:<br />
<br />
{{hc|/etc/httpd/conf/vhosts/domainname1.dom|<nowiki><br />
<VirtualHost *:80><br />
ServerAdmin webmaster@domainname1.dom<br />
DocumentRoot "/home/user/http/domainname1.dom"<br />
ServerName domainname1.dom<br />
ServerAlias domainname1.dom<br />
ErrorLog "/var/log/httpd/domainname1.dom-error_log"<br />
CustomLog "/var/log/httpd/domainname1.dom-access_log" common<br />
<br />
<Directory "/home/user/http/domainname1.dom"><br />
Require all granted<br />
</Directory><br />
</VirtualHost><br />
<br />
<VirtualHost *:443><br />
ServerAdmin webmaster@domainname1.dom<br />
DocumentRoot "/home/user/http/domainname1.dom"<br />
ServerName domainname1.dom:443<br />
ServerAlias domainname1.dom:443<br />
SSLEngine on<br />
SSLCertificateFile "/etc/httpd/conf/apache.crt"<br />
SSLCertificateKeyFile "/etc/httpd/conf/apache.key"<br />
ErrorLog "/var/log/httpd/domainname1.dom-error_log"<br />
CustomLog "/var/log/httpd/domainname1.dom-access_log" common<br />
<br />
<Directory "/home/user/http/domainname1.dom"><br />
Require all granted<br />
</Directory><br />
</VirtualHost></nowiki>}}<br />
<br />
== Extensions ==<br />
=== PHP ===<br />
First, install PHP as described in the [[PHP]] article.<br />
<br />
There are several ways to use PHP with Apache. [[#Using libphp]] is the simplest but scales worst; it also requires changing the MPM module, which may affect other extensions, for example it is incompatible with [[#HTTP2]].<br />
<br />
==== Using libphp ====<br />
<br />
[[Install]] the {{Pkg|php-apache}} package.<br />
<br />
The {{ic|libphp7.so}} shipped in {{pkg|php-apache}} does not support {{ic|mod_mpm_event}}, only {{ic|mod_mpm_prefork}} ({{bug|39218}}). Comment out the following line in {{ic|/etc/httpd/conf/httpd.conf}}:<br />
#LoadModule mpm_event_module modules/mod_mpm_event.so<br />
and uncomment this one:<br />
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so<br />
<br />
Otherwise you will get the following error:<br />
{{bc|1=Apache is running a threaded MPM, but your PHP Module is not compiled to be threadsafe. You need to recompile PHP.<br />
AH00013: Pre-configuration failed<br />
httpd.service: control process exited, code=exited status=1}}<br />
<br />
Alternatively, you can use {{ic|mod_proxy_fcgi}} (see [[Apache HTTP Server#Using php-fpm and mod_proxy_fcgi|Using php-fpm and mod_proxy_fcgi]]).<br />
<br />
To enable PHP, add the following lines to {{ic|/etc/httpd/conf/httpd.conf}}:<br />
<br />
* Place these lines at the end of the {{ic|LoadModule}} list:<br />
LoadModule php7_module modules/libphp7.so<br />
AddHandler php7-script php<br />
* Place this line at the end of the {{ic|Include}} list:<br />
Include conf/extra/php7_module.conf<br />
<br />
[[systemd#Using units|Restart]] {{ic|httpd.service}}.<br />
<br />
==== Using php-fpm and mod_proxy_fcgi ====<br />
<br />
{{Note|Unlike the widespread setup using ProxyPass, a proxy configuration using SetHandler respects Apache directives such as DirectoryIndex. This ensures better compatibility with software designed for libphp7, mod_fastcgi and mod_fcgid. If you still want to try ProxyPass, use a line like the following:{{bc|ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/run/php-fpm/php-fpm.sock&#124;fcgi://localhost/srv/http/$1}}}}<br />
<br />
[[Install]] the official {{pkg|php-fpm}} package.<br />
<br />
Enable the proxy modules:<br />
{{hc|/etc/httpd/conf/httpd.conf|<nowiki><br />
LoadModule proxy_module modules/mod_proxy.so<br />
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so<br />
</nowiki>}}<br />
<br />
Create the file {{ic|/etc/httpd/conf/extra/php-fpm.conf}} with the following content:<br />
{{hc|/etc/httpd/conf/extra/php-fpm.conf|<nowiki><br />
DirectoryIndex index.php index.html<br />
<FilesMatch \.php$><br />
SetHandler "proxy:unix:/run/php-fpm/php-fpm.sock|fcgi://localhost/"<br />
</FilesMatch><br />
</nowiki>}}<br />
<br />
Add the following line at the end of the Include section of {{ic|/etc/httpd/conf/httpd.conf}}:<br />
Include conf/extra/php-fpm.conf<br />
<br />
{{Note|Do not put spaces around the pipe character between {{ic|sock}} and {{ic|fcgi}}! {{ic|localhost}} can be replaced with any string. See the [https://httpd.apache.org/docs/2.4/mod/mod_proxy_fcgi.html mod_proxy_fcgi documentation] for details.}}<br />
<br />
You can configure PHP-FPM by editing {{ic|/etc/php/php-fpm.d/www.conf}}, but the default configuration already works well.<br />
<br />
[[systemd#Using units|Restart]] both {{ic|httpd.service}} and {{ic|php-fpm.service}}.<br />
<br />
{{Note|If you previously added the following lines to {{ic|httpd.conf}}, remove them; they are no longer needed:<br />
LoadModule php7_module modules/libphp7.so<br />
Include conf/extra/php7_module.conf<br />
}}<br />
<br />
==== Using apache2-mpm-worker and mod_fcgid ====<br />
[[Install]] the {{pkg|mod_fcgid}} and {{Pkg|php-cgi}} packages.<br />
<br />
Create the required directory and symlink:<br />
# mkdir /srv/http/fcgid-bin<br />
# ln -s /usr/bin/php-cgi /srv/http/fcgid-bin/php-fcgid-wrapper<br />
<br />
Create {{ic|/etc/httpd/conf/extra/php-fcgid.conf}} with the following content:<br />
{{hc|/etc/httpd/conf/extra/php-fcgid.conf|<nowiki><br />
# Required modules: fcgid_module<br />
<br />
<IfModule fcgid_module><br />
AddHandler php-fcgid .php<br />
AddType application/x-httpd-php .php<br />
Action php-fcgid /fcgid-bin/php-fcgid-wrapper<br />
ScriptAlias /fcgid-bin/ /srv/http/fcgid-bin/<br />
SocketPath /var/run/httpd/fcgidsock<br />
SharememPath /var/run/httpd/fcgid_shm<br />
# If you don't allow bigger requests many applications may fail (such as WordPress login)<br />
FcgidMaxRequestLen 536870912<br />
# Path to php.ini – defaults to /etc/phpX/cgi<br />
DefaultInitEnv PHPRC=/etc/php/<br />
# Number of PHP children that will be launched. Leave undefined to let PHP decide.<br />
#DefaultInitEnv PHP_FCGI_CHILDREN 3<br />
# Maximum requests before a process is stopped and a new one is launched<br />
#DefaultInitEnv PHP_FCGI_MAX_REQUESTS 5000<br />
<Location /fcgid-bin/><br />
SetHandler fcgid-script<br />
Options +ExecCGI<br />
</Location><br />
</IfModule><br />
</nowiki>}}<br />
<br />
Edit {{ic|/etc/httpd/conf/httpd.conf}} and enable the actions module:<br />
LoadModule actions_module modules/mod_actions.so<br />
<br />
and add the following:<br />
LoadModule fcgid_module modules/mod_fcgid.so<br />
Include conf/extra/httpd-mpm.conf<br />
Include conf/extra/php-fcgid.conf<br />
<br />
[[Restart]] {{ic|httpd.service}}.<br />
<br />
==== Testing PHP ====<br />
Create a file {{ic|test.php}} in the Apache document root (i.e. {{ic|/srv/http/}} or {{ic|~/public_html}}) with the following content:<br />
<?php phpinfo(); ?><br />
Then open http://localhost/test.php or http://localhost/~myname/test.php.<br />
<br />
For advanced configuration and extensions, see [[PHP]].<br />
<br />
=== HTTP2 ===<br />
<br />
To enable HTTP/2, install the {{Pkg|nghttp2}} package. Then uncomment the following line in {{ic|httpd.conf}}:<br />
LoadModule http2_module modules/mod_http2.so<br />
<br />
and add:<br />
Protocols h2 http/1.1<br />
<br />
See the [https://httpd.apache.org/docs/2.4/mod/mod_http2.html mod_http2] documentation for more information.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Apache status and logs ===<br />
<br />
Status information can be queried with [[systemctl]].<br />
<br />
By default, Apache's logs are located in {{ic|/var/log/httpd/}}.<br />
<br />
=== Error: PID file /run/httpd/httpd.pid not readable after start ===<br />
<br />
Comment out the {{ic|unique_id_module}} line in {{ic|httpd.conf}}:<br />
#LoadModule unique_id_module modules/mod_unique_id.so<br />
<br />
=== AH00534: httpd: Configuration error: No MPM loaded. ===<br />
<br />
A recent upgrade requires a change to the {{ic|httpd.conf}} configuration file: uncomment the following line:<br />
<br />
{{hc|/etc/httpd/conf/httpd.conf|<br />
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so<br />
}}<br />
<br />
=== AH00072: make_sock: could not bind to address ===<br />
<br />
Several things can cause this problem. The most common one is that another program is already listening on the configured port; check with the following command:<br />
<br />
# netstat -lnp | grep -e :80 -e :443<br />
<br />
If this shows a result, stop the program occupying the port and try again.<br />
<br />
Another cause is that Apache is not running as root; run the following command to see whether the problem persists:<br />
<br />
# httpd -k start<br />
<br />
Finally, the configuration itself may be at fault, making the server try to listen on the same port twice. The following configuration has this problem, for example:<br />
<br />
Listen 0.0.0.0:80<br />
Listen [::]:80<br />
<br />
=== max_execution_time in php.ini has no effect ===<br />
<br />
If {{ic|max_execution_time}} in {{ic|php.ini}} is set to more than 30 (seconds) and you still get {{ic|503 Service Unavailable}}, you also need to add a {{ic|ProxyTimeout}} directive before the {{ic|<FilesMatch \.php$>}} block:<br />
<br />
{{hc|/etc/httpd/conf/httpd.conf|<br />
ProxyTimeout 300<br />
}}<br />
<br />
Restart {{ic|httpd.service}}.<br />
<br />
== See also ==<br />
* [http://www.apache.org/ Apache official website]<br />
* [https://wiki.apache.org/httpd/ Apache wiki]<br />
* [http://www.akadia.com/services/ssh_test_certificate.html Tutorial: generating ssh_test_certificate]<br />
* [http://wiki.apache.org/httpd/CommonMisconfigurations Apache troubleshooting wiki]</div>
Timeline.menu | https://wiki.archlinux.org/index.php?title=Apache_HTTP_Server_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)&diff=523869 | Apache HTTP Server (简体中文) | 2018-05-29T13:04:21Z<p>Timeline.menu: /* Using php-fpm and mod_proxy_fcgi */</p>
<hr />
<div>[[Category:Web server (简体中文)]]<br />
[[cs:Apache HTTP Server]]<br />
[[de:LAMP Installation]]<br />
[[el:Apache HTTP Server]]<br />
[[en:Apache HTTP Server]]<br />
[[es:Apache HTTP Server]]<br />
[[fa:LAMP]]<br />
[[fr:Lamp]]<br />
[[it:Apache HTTP Server]]<br />
[[ja:Apache HTTP Server]]<br />
[[ko:Apache HTTP Server]]<br />
[[pl:Apache HTTP Server]]<br />
[[ru:Apache HTTP Server]]<br />
[[sr:Apache HTTP Server]]<br />
{{Related articles start}}<br />
{{Related|PHP}}<br />
{{Related|MySQL}}<br />
{{Related|PhpMyAdmin}}<br />
{{Related|Adminer}}<br />
{{Related|XAMPP}}<br />
{{Related|mod_perl}}<br />
{{Related articles end}}<br />
{{TranslationStatus (简体中文)|Apache_HTTP_Server|2017-12-04|500853}}<br />
LAMP refers to a software bundle used on many web servers: Linux, Apache, MySQL/MariaDB and PHP.<br />
<br />
The [[Wikipedia:Apache HTTP Server|Apache HTTP Server]], or simply Apache, is a very popular web server. It is usually combined with a scripting language such as PHP and a database such as MySQL; the combination is known as the [[Wikipedia:LAMP (software bundle)|LAMP]] stack ('''L'''inux, '''A'''pache, '''M'''ySQL, '''P'''HP). This article describes how to install and configure the Apache web server, and optionally how to install [[PHP]] and [[MySQL]] and integrate them with it.<br />
<br />
==Installation==<br />
<br />
[[Install]] the {{Pkg|apache}} package.<br />
<br />
==Configuration==<br />
<br />
Apache configuration files are located in {{ic|/etc/httpd/conf}}. The main configuration file is {{ic|/etc/httpd/conf/httpd.conf}}, which includes the other files.<br />
<br />
With the default configuration, a simple server is started that serves the contents of {{ic|/srv/http}} to visitors.<br />
<br />
[[systemd#Using units|Start]] the {{ic|httpd.service}} systemd unit to start Apache; opening http://localhost/ in a browser then shows a simple index page.<br />
<br />
=== Advanced options ===<br />
<br />
See the [https://httpd.apache.org/docs/trunk/mod/directives.html full list of Apache configuration directives] and the [https://httpd.apache.org/docs/trunk/mod/quickreference.htm directive quick reference].<br />
<br />
Pay attention to the following options in {{ic|/etc/httpd/conf/httpd.conf}}:<br />
<br />
User http<br />
:For security reasons, as soon as Apache has been started by root (directly or through a startup script) it switches to the UID specified in {{ic|/etc/httpd/conf/httpd.conf}}. The default is ''http'', a user created automatically on installation.<br />
<br />
Listen 80<br />
:The port Apache listens on. To be reachable from the Internet, open this port on your router.<br />
:For local development, restrict access to the local machine with {{ic|Listen 127.0.0.1:80}}.<br />
<br />
ServerAdmin you@example.com<br />
:The administrator's e-mail address, shown to users on error pages.<br />
<br />
DocumentRoot "/srv/http"<br />
:The directory from which pages are served.<br />
:Change this directory if needed, and remember to change {{ic|<Directory "/srv/http">}} together with {{ic|DocumentRoot}}, otherwise requests for the new location may fail with a '''403 Error''' (insufficient permissions). Do not forget to change the {{ic|Require all denied}} line to {{ic|Require all granted}}, or you will get a '''403 Error'''. The DocumentRoot directory and all of its parent directories must be executable by the user the server runs as (set with {{ic|chmod o+x /path/to/DocumentRoot}}), otherwise a '''403 Error''' results.<br />
<br />
AllowOverride None<br />
:In a {{ic|<Directory>}} section this setting makes Apache ignore {{ic|.htaccess}} files completely. Since Apache 2.4 this is already the default, so you must explicitly allow overrides if you want to use {{ic|.htaccess}}. If you want to use {{ic|mod_rewrite}} or other settings from {{ic|.htaccess}} files, you can specify which directories may override the server configuration. See the [http://httpd.apache.org/docs/current/mod/core.html#allowoverride Apache documentation] for more information.<br />
<br />
{{Tip|Use {{ic|apachectl configtest}} to check the configuration files for errors.}}<br />
<br />
More settings can be found in {{ic|/etc/httpd/conf/extra/httpd-default.conf}}, for example:<br />
<br />
Turn off the server signature:<br />
ServerSignature Off<br />
<br />
Hide the Apache and PHP versions and similar attributes from the server header:<br />
ServerTokens Prod<br />
<br />
=== User directories ===<br />
<br />
By default, users' home directories are reachable at http://localhost/~yourusername/, which serves the contents of {{ic|~/public_html}} (this can be configured in {{ic|/etc/httpd/conf/extra/httpd-userdir.conf}}). To disable this, comment out the following line in {{ic|/etc/httpd/conf/httpd.conf}}:<br />
Include conf/extra/httpd-userdir.conf<br />
<br />
{{Accuracy|It is not necessary to set {{ic|+x}} for every user, setting it only for the webserver via ACLs suffices (see [[Access Control Lists#Granting execution permissions for private files to a Web Server]]).}}<br />
<br />
Set the directory permissions correctly so that Apache can access the files. The home directory and {{ic|~/public_html}} must be executable by others:<br />
<br />
$ chmod o+x ~<br />
$ chmod o+x ~/public_html<br />
$ chmod -R o+r ~/public_html<br />
<br />
Restart {{ic|httpd.service}} to apply the changes. See also [[Umask#Set the mask value]].<br />
<br />
=== TLS/SSL ===<br />
{{Warning|If you plan to use SSL/TLS, note that some versions and implementations [https://weakdh.org/#affected still] [[wikipedia:Transport_Layer_Security#Attacks_against_TLS.2FSSL|have security vulnerabilities]]. See http://disablessl3.com/ and https://weakdh.org/sysadmin.html for the current vulnerabilities and how to handle them on the server side.}}<br />
<br />
[[OpenSSL]] provides TLS/SSL support and is installed by default on Arch.<br />
<br />
In {{ic|/etc/httpd/conf/httpd.conf}}, uncomment the following lines:<br />
LoadModule ssl_module modules/mod_ssl.so<br />
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so<br />
Include conf/extra/httpd-ssl.conf<br />
<br />
TLS/SSL requires a key and a certificate. If you have a public domain name, you can obtain a certificate for free from [[Let's Encrypt]]; otherwise, see [[#Creating a self-signed key and certificate]].<br />
<br />
Once you have the key and certificate, point {{ic|SSLCertificateFile}} and {{ic|SSLCertificateKeyFile}} in {{ic|/etc/httpd/conf/extra/httpd-ssl.conf}} at the corresponding files. If you also generated a CA certificate chain, set its file name in {{ic|SSLCertificateChainFile}}.<br />
<br />
Restart {{ic|httpd.service}}.<br />
<br />
{{Tip|Mozilla's [https://wiki.mozilla.org/Security/Server_Side_TLS SSL/TLS article] contains [https://wiki.mozilla.org/Security/Server_Side_TLS#Apache Apache-specific] configuration guidance and an [https://mozilla.github.io/server-side-tls/ssl-config-generator/ automated generator] that help create a more secure configuration.}}<br />
<br />
==== Creating a self-signed key and certificate ====<br />
<br />
Creating a private key and a self-signed certificate is sufficient for most uses that do not require a [[wikipedia:Certificate signing request|CSR]]:<br />
<br />
# cd /etc/httpd/conf<br />
# openssl req -new -x509 -nodes -newkey rsa:4096 -keyout server.key -out server.crt -days 1095<br />
# chmod 400 server.key<br />
<br />
{{Note|The {{ic|-days}} parameter is optional; the minimum RSA key size is 2048 (the default).}}<br />
<br />
If you need to create a [[wikipedia:Certificate signing request|CSR]], generate the key and certificate as follows instead:<br />
<br />
# openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out server.key<br />
# chmod 400 server.key<br />
# openssl req -new -sha256 -key server.key -out server.csr<br />
# openssl x509 -req -days 1095 -in server.csr -signkey server.key -out server.crt<br />
<br />
{{Note|The [https://www.openssl.org/docs/apps/openssl.html openssl manual page] and the [https://www.openssl.org/docs/ OpenSSL documentation] contain more information.}}<br />
<br />
=== Virtual Hosts ===<br />
<br />
{{Note|You will need to add a separate <VirtualHost *:443> section for virtual host SSL support.<br />
See [[#Managing many virtual hosts]]{{Broken section link}} for an example file.}}<br />
<br />
If you need more than one host, uncomment the following line in {{ic|/etc/httpd/conf/httpd.conf}}:<br />
Include conf/extra/httpd-vhosts.conf<br />
<br />
Set up the virtual hosts in {{ic|/etc/httpd/conf/extra/httpd-vhosts.conf}}; the default file contains an example.<br />
<br />
To test the virtual hosts on the local machine, add the virtual host names to {{ic|/etc/hosts}}:<br />
127.0.0.1 domainname1.dom<br />
127.0.0.1 domainname2.dom<br />
<br />
Restart {{ic|httpd.service}}.<br />
<br />
==== Managing many virtual hosts ====<br />
If you have many virtual hosts to manage and want to keep maintenance easy, create one configuration file per virtual host and store them in a directory such as {{ic|/etc/httpd/conf/vhosts}}.<br />
<br />
Create the directory:<br />
# mkdir /etc/httpd/conf/vhosts<br />
<br />
Write a separate configuration file for each host:<br />
# nano /etc/httpd/conf/vhosts/domainname1.dom<br />
# nano /etc/httpd/conf/vhosts/domainname2.dom<br />
...<br />
<br />
{{ic|Include}} the individual configuration files in {{ic|/etc/httpd/conf/httpd.conf}}:<br />
#Enabled Vhosts:<br />
Include conf/vhosts/domainname1.dom<br />
Include conf/vhosts/domainname2.dom<br />
<br />
Individual virtual hosts can then be enabled or disabled by uncommenting or commenting out the corresponding line.<br />
<br />
A basic vhost file:<br />
<br />
{{hc|/etc/httpd/conf/vhosts/domainname1.dom|<nowiki><br />
<VirtualHost *:80><br />
ServerAdmin webmaster@domainname1.dom<br />
DocumentRoot "/home/user/http/domainname1.dom"<br />
ServerName domainname1.dom<br />
ServerAlias domainname1.dom<br />
ErrorLog "/var/log/httpd/domainname1.dom-error_log"<br />
CustomLog "/var/log/httpd/domainname1.dom-access_log" common<br />
<br />
<Directory "/home/user/http/domainname1.dom"><br />
Require all granted<br />
</Directory><br />
</VirtualHost><br />
<br />
<VirtualHost *:443><br />
ServerAdmin webmaster@domainname1.dom<br />
DocumentRoot "/home/user/http/domainname1.dom"<br />
ServerName domainname1.dom:443<br />
ServerAlias domainname1.dom:443<br />
SSLEngine on<br />
SSLCertificateFile "/etc/httpd/conf/apache.crt"<br />
SSLCertificateKeyFile "/etc/httpd/conf/apache.key"<br />
ErrorLog "/var/log/httpd/domainname1.dom-error_log"<br />
CustomLog "/var/log/httpd/domainname1.dom-access_log" common<br />
<br />
<Directory "/home/user/http/domainname1.dom"><br />
Require all granted<br />
</Directory><br />
</VirtualHost></nowiki>}}<br />
<br />
== Extensions ==<br />
=== PHP ===<br />
First, install PHP as described in the [[PHP]] article.<br />
<br />
There are several ways to use PHP with Apache. [[#Using libphp]] is the simplest but scales worst; it also requires changing the MPM module, which may affect other extensions, for example it is incompatible with [[#HTTP2]].<br />
<br />
==== Using libphp ====<br />
<br />
[[Install]] the {{Pkg|php-apache}} package.<br />
<br />
The {{ic|libphp7.so}} shipped in {{pkg|php-apache}} does not support {{ic|mod_mpm_event}}, only {{ic|mod_mpm_prefork}} ({{bug|39218}}). Comment out the following line in {{ic|/etc/httpd/conf/httpd.conf}}:<br />
#LoadModule mpm_event_module modules/mod_mpm_event.so<br />
and uncomment this one:<br />
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so<br />
<br />
Otherwise you will get the following error:<br />
{{bc|1=Apache is running a threaded MPM, but your PHP Module is not compiled to be threadsafe. You need to recompile PHP.<br />
AH00013: Pre-configuration failed<br />
httpd.service: control process exited, code=exited status=1}}<br />
<br />
Alternatively, you can use {{ic|mod_proxy_fcgi}} (see [[Apache HTTP Server#Using php-fpm and mod_proxy_fcgi|Using php-fpm and mod_proxy_fcgi]]).<br />
<br />
To enable PHP, add the following lines to {{ic|/etc/httpd/conf/httpd.conf}}:<br />
<br />
* Place these lines at the end of the {{ic|LoadModule}} list:<br />
LoadModule php7_module modules/libphp7.so<br />
AddHandler php7-script php<br />
* Place this line at the end of the {{ic|Include}} list:<br />
Include conf/extra/php7_module.conf<br />
<br />
[[systemd#Using units|Restart]] {{ic|httpd.service}}.<br />
<br />
==== Using php-fpm and mod_proxy_fcgi ====<br />
<br />
{{Note|Unlike the widespread setup using ProxyPass, a proxy configuration using SetHandler respects Apache directives such as DirectoryIndex. This ensures better compatibility with software designed for libphp7, mod_fastcgi and mod_fcgid. If you still want to try ProxyPass, use a line like the following:{{bc|ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/run/php-fpm/php-fpm.sock&#124;fcgi://localhost/srv/http/$1}}}}<br />
<br />
[[Install]] the official {{pkg|php-fpm}} package.<br />
<br />
Enable the proxy modules:<br />
{{hc|/etc/httpd/conf/httpd.conf|<nowiki><br />
LoadModule proxy_module modules/mod_proxy.so<br />
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so<br />
</nowiki>}}<br />
<br />
Create the file {{ic|/etc/httpd/conf/extra/php-fpm.conf}} with the following content:<br />
{{hc|/etc/httpd/conf/extra/php-fpm.conf|<nowiki><br />
DirectoryIndex index.php index.html<br />
<FilesMatch \.php$><br />
SetHandler "proxy:unix:/run/php-fpm/php-fpm.sock|fcgi://localhost/"<br />
</FilesMatch><br />
</nowiki>}}<br />
<br />
Add the following line at the end of the Include section of {{ic|/etc/httpd/conf/httpd.conf}}:<br />
Include conf/extra/php-fpm.conf<br />
<br />
{{Note|Do not put spaces around the pipe character between {{ic|sock}} and {{ic|fcgi}}! {{ic|localhost}} can be replaced with any string. See the [https://httpd.apache.org/docs/2.4/mod/mod_proxy_fcgi.html mod_proxy_fcgi documentation] for details.}}<br />
<br />
You can configure PHP-FPM by editing {{ic|/etc/php/php-fpm.d/www.conf}}, but the default configuration already works well.<br />
<br />
[[systemd#Using units|Restart]] both {{ic|httpd.service}} and {{ic|php-fpm.service}}.<br />
<br />
{{Note|If you previously added the following lines to {{ic|httpd.conf}}, remove them; they are no longer needed:<br />
LoadModule php7_module modules/libphp7.so<br />
Include conf/extra/php7_module.conf<br />
}}<br />
<br />
==== Using apache2-mpm-worker and mod_fcgid ====<br />
[[Install]] the {{pkg|mod_fcgid}} and {{Pkg|php-cgi}} packages.<br />
<br />
Create the required directory and symlink:<br />
# mkdir /srv/http/fcgid-bin<br />
# ln -s /usr/bin/php-cgi /srv/http/fcgid-bin/php-fcgid-wrapper<br />
<br />
Create {{ic|/etc/httpd/conf/extra/php-fcgid.conf}} with the following content:<br />
{{hc|/etc/httpd/conf/extra/php-fcgid.conf|<nowiki><br />
# Required modules: fcgid_module<br />
<br />
<IfModule fcgid_module><br />
AddHandler php-fcgid .php<br />
AddType application/x-httpd-php .php<br />
Action php-fcgid /fcgid-bin/php-fcgid-wrapper<br />
ScriptAlias /fcgid-bin/ /srv/http/fcgid-bin/<br />
SocketPath /var/run/httpd/fcgidsock<br />
SharememPath /var/run/httpd/fcgid_shm<br />
# If you don't allow bigger requests many applications may fail (such as WordPress login)<br />
FcgidMaxRequestLen 536870912<br />
# Path to php.ini – defaults to /etc/phpX/cgi<br />
DefaultInitEnv PHPRC=/etc/php/<br />
# Number of PHP children that will be launched. Leave undefined to let PHP decide.<br />
#DefaultInitEnv PHP_FCGI_CHILDREN 3<br />
# Maximum requests before a process is stopped and a new one is launched<br />
#DefaultInitEnv PHP_FCGI_MAX_REQUESTS 5000<br />
<Location /fcgid-bin/><br />
SetHandler fcgid-script<br />
Options +ExecCGI<br />
</Location><br />
</IfModule><br />
</nowiki>}}<br />
<br />
Edit {{ic|/etc/httpd/conf/httpd.conf}} and enable the actions module:<br />
LoadModule actions_module modules/mod_actions.so<br />
<br />
and add the following:<br />
LoadModule fcgid_module modules/mod_fcgid.so<br />
Include conf/extra/httpd-mpm.conf<br />
Include conf/extra/php-fcgid.conf<br />
<br />
[[Restart]] {{ic|httpd.service}}.<br />
<br />
==== Testing PHP ====<br />
Create a file {{ic|test.php}} in the Apache document root (i.e. {{ic|/srv/http/}} or {{ic|~/public_html}}) with the following content:<br />
<?php phpinfo(); ?><br />
Then open http://localhost/test.php or http://localhost/~myname/test.php.<br />
<br />
For advanced configuration and extensions, see [[PHP]].<br />
<br />
=== HTTP2 ===<br />
<br />
要启用 http2,安装 {{Pkg|nghttp2}} 软件包。然后取消 {{ic|httpd.conf}} 中下面行前的注释:<br />
LoadModule http2_module modules/mod_http2.so<br />
<br />
and add:<br />
Protocols h2 http/1.1<br />
<br />
See the [https://httpd.apache.org/docs/2.4/mod/mod_http2.html mod_http2] documentation for more information.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Apache status and logs ===<br />
<br />
Status information can be queried with [[systemctl]].<br />
<br />
By default, Apache writes its logs to {{ic|/var/log/httpd/}}.<br />
<br />
=== Error: PID file /run/httpd/httpd.pid not readable after starting ===<br />
<br />
Comment out the {{ic|unique_id_module}} line in {{ic|httpd.conf}}:<br />
#LoadModule unique_id_module modules/mod_unique_id.so<br />
<br />
=== AH00534: httpd: Configuration error: No MPM loaded. ===<br />
<br />
A recent upgrade requires a change to the {{ic|httpd.conf}} configuration file: uncomment the following line:<br />
<br />
{{hc|/etc/httpd/conf/httpd.conf|<br />
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so<br />
}}<br />
<br />
=== AH00072: make_sock: could not bind to address ===<br />
<br />
Several things can cause this error. The most common is that another program is already listening on the configured port; check with the following command:<br />
<br />
# netstat -lnp | grep -e :80 -e :443<br />
<br />
If that shows a result, stop the program occupying the port and try again.<br />
<br />
Another cause is that Apache is not being run as root. Run the following command to see whether the problem still occurs:<br />
<br />
# httpd -k start<br />
<br />
Finally, the configuration may be making Apache bind the same port twice. For example, the following configuration has this problem:<br />
<br />
Listen 0.0.0.0:80<br />
Listen [::]:80<br />
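The double bind above is easy to miss in a long configuration. The following script is an added example, not part of the wiki page: it lists the ports of all active Listen directives in an httpd configuration, reports any port that appears more than once, and checks whether a port is already taken using ss from iproute2 (the modern replacement for the netstat command shown above). The sample configuration it writes is constructed for the demonstration.<br />
<br />
```shell
#!/bin/sh
# Added example (not from the ArchWiki page): detect Listen directives in an
# httpd configuration that would bind the same port twice, one cause of
# "AH00072: make_sock: could not bind to address".
#
# On Linux, "Listen 0.0.0.0:80" plus "Listen [::]:80" is a double bind,
# because the IPv6 wildcard socket also accepts IPv4 connections.

# listen_ports FILE: print the port of every active (uncommented) Listen
# directive, one per line. "Listen 80", "Listen 0.0.0.0:80" and
# "Listen [::]:80" all yield 80.
listen_ports() {
    sed -n 's/^[[:space:]]*[Ll]isten[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' "$1" |
        sed 's/.*://'
}

# duplicate_listen_ports FILE: print each port used by more than one Listen
# directive. Returns 1 when duplicates exist, 0 when the file is clean.
duplicate_listen_ports() {
    dups=$(listen_ports "$1" | sort | uniq -d)
    [ -z "$dups" ] && return 0
    printf '%s\n' "$dups"
    return 1
}

# port_in_use PORT: return 0 when some process already listens on TCP PORT.
# Uses ss (iproute2); -H suppresses the header, -ltn lists listening TCP
# sockets numerically, and the local address:port is the fourth column.
port_in_use() {
    ss -Hltn 2>/dev/null |
        awk -v p="$1" '{ n = split($4, a, ":"); if (a[n] == p) f = 1 } END { exit !f }'
}

# sample_httpd_conf: write a constructed httpd.conf fragment reproducing the
# double-bind configuration quoted on the page and print its path.
sample_httpd_conf() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# constructed sample, not a real server configuration
Listen 0.0.0.0:80
Listen [::]:80
#Listen 8080
Listen 127.0.0.1:8443 https
EOF
    printf '%s\n' "$f"
}

# Usage: sh listen-check.sh --check [/etc/httpd/conf/httpd.conf]
if [ "${1:-}" = "--check" ]; then
    if duplicate_listen_ports "${2:-/etc/httpd/conf/httpd.conf}"; then
        echo "no duplicate Listen ports"
    else
        echo "the ports above are bound more than once" >&2
    fi
fi
```
<br />
Run it against a configuration with the constructed sample to see port 80 reported; against a real configuration, pass the path as the second argument. Only one of the two wildcard directives is needed, and on Linux {{ic|Listen 80}} alone accepts both address families.<br />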
<br />
=== max_execution_time in php.ini has no effect ===<br />
<br />
If {{ic|max_execution_time}} in {{ic|php.ini}} is set above 30 (seconds) and you still receive {{ic|503 Service Unavailable}}, you also need to add {{ic|ProxyTimeout}} before the {{ic|<FilesMatch \.php$>}} section:<br />
<br />
{{hc|/etc/httpd/conf/httpd.conf|<br />
ProxyTimeout 300<br />
}}<br />
<br />
Restart {{ic|httpd.service}}.<br />
<br />
== See also ==<br />
* [http://www.apache.org/ Apache official website]<br />
* [https://wiki.apache.org/httpd/ Apache wiki]<br />
* [http://www.akadia.com/services/ssh_test_certificate.html Tutorial on generating ssh_test_certificate]<br />
* [http://wiki.apache.org/httpd/CommonMisconfigurations Apache troubleshooting wiki]</div>Timeline.menuhttps://wiki.archlinux.org/index.php?title=Install_Arch_Linux_from_existing_Linux_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)&diff=523315Install Arch Linux from existing Linux (简体中文)2018-05-26T14:15:53Z<p>Timeline.menu: /* Creating the chroot */</p>
<hr />
<div>[[Category:Getting and installing Arch (简体中文)]]<br />
[[en:Install from existing Linux]]<br />
[[es:Install from existing Linux]]<br />
[[fr:Install chroot]]<br />
[[it:Install from existing Linux]]<br />
[[ja:既存の Linux からインストール]]<br />
[[pt:Install from existing Linux]]<br />
[[ru:Install from existing Linux]]<br />
[[zh-hant:Install from existing Linux]]<br />
{{Related articles start}}<br />
{{Related|Install from SSH}}<br />
{{Related articles end}}<br />
{{TranslationStatus (简体中文)|Install_from_Existing_Linux|2015-10-16|407080}}<br />
This guide gives the preparation steps needed to install Arch Linux from a running Linux distribution.<br />
Once the preparation is complete, follow the [[Installation guide (简体中文)]] for the installation itself.<br />
<br />
Installing Arch Linux from a running Linux distribution is helpful in the following cases:<br />
* installing Arch Linux remotely, e.g. on a (virtual) root server<br />
* replacing the current Linux distribution without a LiveCD (see [[#Replacing the current system without a LiveCD]])<br />
* creating a new Linux distribution or LiveCD based on Arch Linux<br />
* creating an Arch Linux chroot environment, e.g. for a Docker base container<br />
* [[Diskless_network_boot_NFS_root|preparing a rootfs-over-NFS for a diskless machine]]<br />
<br />
The goal of these preparation steps is to set up an environment in which {{Pkg|arch-install-scripts}} (such as {{ic|pacstrap}} and {{ic|arch-chroot}}) can run.<br />
This can be achieved either by installing {{Pkg|arch-install-scripts}} on the current system or by setting up an Arch Linux-based chroot environment.<br />
<br />
If the current distribution is Arch Linux, simply install {{Pkg|arch-install-scripts}}.<br />
<br />
{{注意|This guide requires that the current system can run programs for the target Arch Linux architecture. An x86_64 system can set up a 32-bit chroot environment via i686-pacman; see [[Arch64 Install bundled 32bit system]]. Setting up a 64-bit environment from a 32-bit system, however, is not easy.}}<br />
<br />
== From a host running Arch Linux ==<br />
<br />
[[Install]] {{Pkg|arch-install-scripts}} from the [[official repositories]].<br />
<br />
=== Installation and configuration ===<br />
See [[Installation guide#Mount the partitions]]{{Broken section link}}. If the {{ic|/mnt}} directory is already in use, simply create another directory, e.g. {{ic|/mnt/install}}, and use it instead.<br />
<br />
Then follow [[Installation guide#Installation]]. You can skip [[Installation guide#Select the mirrors]], since the host should already have a suitable mirror list.<br />
<br />
{{Merge|Moving_an_existing_install_into_(or_out_of)_a_virtual_machine#Moving_into_a_VM|Same approach.}}<br />
<br />
{{注意|If you only want to create a copy of an existing Arch system, it may be enough to copy the filesystem to the new partition. You still need to:<br />
<br />
* create [[Installation guide#Fstab|{{ic|/etc/fstab}}]] and edit {{ic|/etc/hostname}};<br />
* delete {{ic|/etc/machine-id}} so that a fresh, unique machine-id is generated at boot;<br />
* make any other changes relevant to the installation medium;<br />
* install the bootloader.<br />
<br />
When copying the filesystem root, use e.g. {{ic|cp -ax}} or {{ic|rsync -axX}}. This avoids copying the contents of mount points ({{ic|-x}}) and preserves the [[capabilities]] set on some system binaries ({{ic|rsync -X}}).<br />
}}<br />
<br />
== From a host running another Linux distribution ==<br />
<br />
Several tools automate many of the steps below. See their respective home pages for instructions.<br />
<br />
* [https://github.com/tokland/arch-bootstrap arch-bootstrap] (Bash)<br />
* [https://github.com/hartwork/image-bootstrap image-bootstrap] (Python)<br />
* [https://github.com/drizzt/vps2arch vps2arch] (Bash)<br />
* [https://github.com/m4rienf/ArchCX archcx] (Bash, from Hetzner CX Rescue System)<br />
<br />
The manual procedure is described below. The idea is to run an Arch system inside the host system and to perform the actual installation from within that Arch system. This nested system lives in a chroot.<br />
<br />
===Creating the chroot===<br />
Two methods of creating and entering the chroot follow, from the simplest to the most complex. Choose one of them, then continue with [[#Using the chroot environment]]{{Broken section link}}.<br />
<br />
====Method A: Using the Bootstrap image (recommended)====<br />
<br />
Download the bootstrap image from a [https://www.archlinux.org/download mirror]:<br />
$ curl -O https://mirrors.kernel.org/archlinux/iso/latest/archlinux-bootstrap-2018.05.01-x86_64.tar.gz<br />
Extract the tarball:<br />
# cd /tmp<br />
# tar xzf <path-to-bootstrap-image>/archlinux-bootstrap-2017.08.01-x86_64.tar.gz<br />
Select a repository server:<br />
# nano /tmp/root.x86_64/etc/pacman.d/mirrorlist<br />
<br />
{{注意|To bootstrap an i686 image from an x86_64 system, edit {{Ic|/tmp/root.i686/etc/pacman.conf}} and set {{Ic|1=Architecture = i686}} so that pacman fetches i686 packages.}}<br />
<br />
Enter the chroot<br />
* If bash 4 or later is installed:<br />
# /tmp/root.x86_64/bin/arch-chroot /tmp/root.x86_64/<br />
* Otherwise, run:<br />
# cd /tmp/root.x86_64<br />
# cp /etc/resolv.conf etc<br />
# mount --rbind /proc proc<br />
# mount --rbind /sys sys<br />
# mount --rbind /dev dev<br />
# mount --rbind /run run<br />
(assuming /run exists)<br />
# chroot /tmp/root.x86_64 /bin/bash<br />
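The manual steps above are not idempotent: running them a second time after a failed attempt stacks a second bind mount on top of the first. The script below is an added example, not part of the wiki page or of arch-install-scripts. It reads the mount table to see which of proc, sys, dev and run are still missing under the bootstrap root, mounts only those, marks them rslave so that unmounts inside the chroot cannot propagate to the host, and refuses to run on a directory that is not a bootstrap root. The mount-table sample it creates is constructed for the demonstration.<br />
<br />
```shell
#!/bin/sh
# Added example, not from the ArchWiki page: prepare a bootstrap root for
# chroot without duplicating bind mounts on repeated runs. Mirrors the
# "Otherwise, run:" steps of Method A for hosts without bash 4.

# api_mounts_missing ROOT [MOUNTS]: print the API filesystems (proc sys dev
# run) not yet mounted under ROOT, one per line. MOUNTS defaults to
# /proc/mounts; another file may be passed for testing.
api_mounts_missing() {
    root=${1%/}
    mounts=${2:-/proc/mounts}
    for d in proc sys dev run; do
        # field 2 of /proc/mounts is the mount point
        awk -v mp="$root/$d" '$2 == mp { found = 1 } END { exit !found }' "$mounts" ||
            printf '%s\n' "$d"
    done
}

# prepare_chroot ROOT: bind-mount whatever is missing, copy resolv.conf so
# name resolution works inside, and refuse to touch a directory that does not
# look like a bootstrap root. Must run as root.
prepare_chroot() {
    root=${1%/}
    [ -x "$root/bin/bash" ] || { echo "$root: no bin/bash, not a bootstrap root" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "prepare_chroot must run as root" >&2; return 1; }
    for d in $(api_mounts_missing "$root"); do
        if [ "$d" = run ] && [ ! -d /run ]; then
            continue            # host without /run, as the page notes
        fi
        mkdir -p "$root/$d"
        mount --rbind "/$d" "$root/$d"
        # rslave: unmounts inside the chroot do not propagate back to the host
        mount --make-rslave "$root/$d"
    done
    cp -L /etc/resolv.conf "$root/etc/resolv.conf"
    echo "chroot ready: chroot $root /bin/bash"
}

# sample_mounts ROOT: constructed /proc/mounts content in which only proc
# and dev are already mounted under ROOT; prints the file path.
sample_mounts() {
    f=$(mktemp)
    cat >"$f" <<EOF
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
proc $1/proc proc rw,nosuid,nodev,noexec,relatime 0 0
udev $1/dev devtmpfs rw,nosuid,relatime,size=8k,nr_inodes=1k,mode=755 0 0
EOF
    printf '%s\n' "$f"
}

# Usage: sh prepare-chroot.sh --prepare /tmp/root.x86_64
if [ "${1:-}" = "--prepare" ]; then
    prepare_chroot "${2:?bootstrap root required}"
fi
```
<br />
Calling {{ic|api_mounts_missing /tmp/root.x86_64}} on the real host shows what a second run would mount; on a freshly extracted tarball it lists all four, after a successful {{ic|prepare_chroot}} it prints nothing.<br />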
<br />
====Method B: Using the LiveCD image====<br />
<br />
It is possible to mount the latest Arch Linux installation media and chroot into it. This method gives the current system a working Arch Linux installer without any further preparation.<br />
<br />
{{注意|Before starting, make sure a recent version of [http://squashfs.sourceforge.net/ squashfs] is installed. Otherwise errors such as {{ic|FATAL ERROR aborting: uncompress_inode_table: failed to read block}} will appear.}}<br />
<br />
* Depending on the architecture, the root image can be found in the arch/x86_64/ or arch/i686/ directory of a [https://www.archlinux.org/download mirror]. The squashfs format cannot be edited, so the root image has to be extracted and mounted.<br />
<br />
* To extract it, run<br />
{{bc|# unsquashfs -d /squashfs-root root-image.fs.sfs}}<br />
<br />
* Mount the root image as a loop device<br />
{{bc|<br />
# mkdir /arch<br />
# mount -o loop /squashfs-root/root-image.fs /arch<br />
}}<br />
<br />
* Before [[Change root|chroot]]ing, set up some mount points and copy resolv.conf for network connectivity.<br />
{{bc|<br />
# mount -t proc none /arch/proc<br />
# mount -t sysfs none /arch/sys<br />
# mount -o bind /dev /arch/dev<br />
# mount -o bind /dev/pts /arch/dev/pts # needed by pacman (for signature checking)<br />
# cp -L /etc/resolv.conf /arch/etc # needed for network connectivity<br />
}}<br />
<br />
* Once prepared, chroot into the new system<br />
{{bc|# chroot /arch bash}}<br />
<br />
===Using the chroot environment===<br />
<br />
====Initializing the pacman keyring====<br />
Before starting the installation, the pacman keyring needs to be set up. Read [[Pacman-key (简体中文)#初始化密钥环]] to understand its entropy requirements before running the following commands:<br />
{{bc|<br />
# pacman-key --init<br />
# pacman-key --populate archlinux<br />
}}<br />
<br />
==== Selecting a mirror and downloading basic tools ====<br />
<br />
After [[Mirrors#Enabling_a_specific_mirror|selecting a mirror]], [[Mirrors#Force_pacman_to_refresh_the_package_lists|refresh the package lists]] and [[install]] what you need: {{Grp|base}}, {{Grp|base-devel}}, {{Pkg|parted}} etc.<br />
<br />
====Installation tips====<br />
Follow the [[Installation guide (简体中文)#Mount the partitions|Mount the partitions]]{{Broken section link}} and [[Installation guide (简体中文)#Install the base system|Install the base system]]{{Broken section link}} sections of the [[Installation guide (简体中文)]].<br />
<br />
=====Debian-based host=====<br />
====== /dev/shm ======<br />
On a Debian-based host, {{ic|pacstrap}} fails with the following error:<br />
{{hc|# pacstrap /mnt base|<br />
==> Creating install root at /mnt<br />
mount: mount point /mnt/dev/shm is a symbolic link to nowhere<br />
==> ERROR: failed to setup API filesystems in new root<br />
}}<br />
<br />
On Debian, /dev/shm points to /run/shm. In an Arch-based chroot, /run/shm does not exist, so the link is dangling. Creating the /run/shm directory fixes the error:<br />
# mkdir /run/shm<br />
<br />
====== /dev/pts ======<br />
<br />
While installing {{ic|archlinux-2015.07.01-x86_64}} from a Debian 7 host, the following error prevented both [https://projects.archlinux.org/arch-install-scripts.git/tree/pacstrap.in pacstrap] and [[Change_root#Using_arch-chroot|arch-chroot]] from working:<br />
<br />
{{hc|# pacstrap -i /mnt|<br />
mount: mount point /mnt/dev/pts does not exist<br />
==> ERROR: failed to setup chroot /mnt<br />
}}<br />
<br />
Apparently, this is because these two scripts use a common function. {{ic|chroot_setup()}}[https://projects.archlinux.org/arch-install-scripts.git/tree/common#n76] relies on newer features of {{Pkg|util-linux}}, which are incompatible with Debian 7 userland (see {{Bug|45737}}).<br />
<br />
The solution for ''pacstrap'' is to manually execute its [https://projects.archlinux.org/arch-install-scripts.git/tree/pacstrap.in#n77 various tasks], but use the [[Change_root#Using_chroot|regular procedure]] to mount the kernel filesystems on the target directory ({{ic|"$newroot"}}):<br />
<br />
{{bc|1=<br />
# newroot=/mnt<br />
# mkdir -m 0755 -p "$newroot"/var/{cache/pacman/pkg,lib/pacman,log} "$newroot"/{dev,run,etc}<br />
# mkdir -m 1777 -p "$newroot"/tmp<br />
# mkdir -m 0555 -p "$newroot"/{sys,proc}<br />
# mount -t proc /proc "$newroot/proc"<br />
# mount --rbind /sys "$newroot/sys"<br />
# mount --rbind /run "$newroot/run"<br />
# mount --rbind /dev "$newroot/dev"<br />
# pacman -r "$newroot" --cachedir="$newroot/var/cache/pacman/pkg" -Sy base base-devel ... ## add the packages you want<br />
# cp -a /etc/pacman.d/gnupg "$newroot/etc/pacman.d/" ## copy keyring<br />
# cp -a /etc/pacman.d/mirrorlist "$newroot/etc/pacman.d/" ## copy mirrorlist<br />
}}<br />
<br />
Instead of using {{ic|arch-chroot}} for [[Installation guide#Chroot]], simply use {{ic|chroot "$newroot"}}.<br />
<br />
====== lvmetad ======<br />
<br />
Trying to create [[LVM]] [[LVM#Logical_volumes|logical volumes]] from an {{ic|archlinux-bootstrap-2015.07.01-x86_64}} environment on a Debian 7 host resulted in the following error:<br />
<br />
{{hc|# lvcreate -L 20G lvm -n root|<br />
/run/lvm/lvmetad.socket: connect failed: No such file or directory<br />
WARNING: Failed to connect to lvmetad. Falling back to internal scanning.<br />
/dev/lvm/root: not found: device not cleared<br />
Aborting. Failed to wipe start of new LV.}}<br />
<br />
(Physical volume and volume group creation worked despite {{ic|/run/lvm/lvmetad.socket: connect failed: No such file or directory}} being displayed.)<br />
<br />
This could be easily worked around by creating the logical volumes outside the chroot (from the Debian host). They are then available once chrooted again.<br />
<br />
{{Accuracy|This problem did not arise when installing from a Debian 7 host without lvmetad enabled. The recommended messaround with {{ic|/etc/lvm/lvm.conf}} looks rather error prone (2015-07-26).}}<br />
{{Style|Language and formatting are lacking, links to relevant articles in the wiki as well.}}<br />
<br />
Also, if the system you are using has lvm, you might have the following output:<br />
<br />
{{hc|1=# grub-install --target=i386-pc --recheck /dev/mapper/main-archroot|2=<br />
Installing for i386-pc platform.<br />
/run/lvm/lvmetad.socket: connect failed: No such file or directory<br />
WARNING: Failed to connect to lvmetad. Falling back to internal scanning.<br />
/run/lvm/lvmetad.socket: connect failed: No such file or directory<br />
WARNING: Failed to connect to lvmetad. Falling back to internal scanning.<br />
/run/lvm/lvmetad.socket: connect failed: No such file or directory<br />
WARNING: Failed to connect to lvmetad. Falling back to internal scanning.<br />
/run/lvm/lvmetad.socket: connect failed: No such file or directory<br />
WARNING: Failed to connect to lvmetad. Falling back to internal scanning.<br />
/run/lvm/lvmetad.socket: connect failed: No such file or directory<br />
WARNING: Failed to connect to lvmetad. Falling back to internal scanning.<br />
}}<br />
<br />
This is because Debian does not use lvmetad by default. You need to edit {{ic|/etc/lvm/lvm.conf}} and set {{ic|use_lvmetad}} to {{ic|0}}:<br />
<br />
use_lvmetad = 0<br />
<br />
This will later cause an error at boot in the initrd stage, so you have to change it back after generating the GRUB configuration. With software RAID + LVM, the steps are the following:<br />
<br />
* After installing the whole system, when it is time to generate the initramfs (mkinitcpio) and set up GRUB:<br />
* Change /etc/mdadm.conf to reflect your RAID config (if any)<br />
* Change HOOKS and MODULES according to lvm and raid requirements: {{ic|1=MODULES="dm_mod" HOOKS="base udev '''mdadm_udev''' ... block '''lvm2''' filesystems ..."}}<br />
* Generate initrd images with mkinitcpio<br />
* Change /etc/lvm/lvm.conf to put use_lvmetad = 0<br />
* Generate grub config (grub-mkconfig)<br />
* Change /etc/lvm/lvm.conf to put use_lvmetad = 1<br />
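The last three steps are easy to get wrong by hand: if grub-mkconfig fails, lvm.conf is left with use_lvmetad = 0 and the next boot fails in the initrd. The script below is an added example, not from the wiki page or from the LVM project. It edits only the uncommented use_lvmetad line, records the previous value, and restores it through an EXIT trap so the restore also happens when grub-mkconfig fails. The lvm.conf fragment it writes is constructed for the demonstration.<br />
<br />
```shell
#!/bin/sh
# Added example, not from the ArchWiki page: perform the
# "use_lvmetad = 0 -> grub-mkconfig -> use_lvmetad = 1" sequence without
# leaving lvm.conf in the wrong state when grub-mkconfig fails.

# set_use_lvmetad FILE VALUE: rewrite the active use_lvmetad setting in an
# lvm.conf. Commented-out copies of the setting are left untouched.
set_use_lvmetad() {
    case $2 in
        0|1) ;;
        *) echo "use_lvmetad value must be 0 or 1" >&2; return 1 ;;
    esac
    sed -i "s/^\([[:space:]]*use_lvmetad[[:space:]]*=[[:space:]]*\)[01]/\1$2/" "$1"
}

# get_use_lvmetad FILE: print the active value, or nothing if it is unset.
get_use_lvmetad() {
    sed -n 's/^[[:space:]]*use_lvmetad[[:space:]]*=[[:space:]]*\([01]\).*/\1/p' "$1"
}

# grub_mkconfig_without_lvmetad [LVM_CONF] [GRUB_CFG]: temporarily disable
# lvmetad, generate the GRUB configuration, then restore the previous value.
# The EXIT trap restores it even if grub-mkconfig aborts the script.
grub_mkconfig_without_lvmetad() {
    conf=${1:-/etc/lvm/lvm.conf}
    cfg=${2:-/boot/grub/grub.cfg}
    prev=$(get_use_lvmetad "$conf")
    [ -n "$prev" ] || { echo "no use_lvmetad setting found in $conf" >&2; return 1; }
    set_use_lvmetad "$conf" 0
    trap 'set_use_lvmetad "$conf" "$prev"' EXIT
    grub-mkconfig -o "$cfg"
    status=$?
    set_use_lvmetad "$conf" "$prev"
    trap - EXIT
    return $status
}

# sample_lvm_conf: constructed lvm.conf fragment for trying the functions;
# prints the file path.
sample_lvm_conf() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# constructed sample of /etc/lvm/lvm.conf, not a real configuration
global {
    # use_lvmetad = 1 enables the metadata daemon
    use_lvmetad = 1
}
EOF
    printf '%s\n' "$f"
}

# Usage (as root, inside the chroot): sh lvmetad-grub.sh --run
if [ "${1:-}" = "--run" ]; then
    grub_mkconfig_without_lvmetad
fi
```
<br />
Because the restore runs from the trap, interrupting the script with Ctrl-C during grub-mkconfig still puts use_lvmetad back before the shell exits.<br />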
<br />
===== Fedora-based host =====<br />
<br />
On Fedora based hosts and live USBs you may encounter problems when using {{ic|genfstab}} to generate your [[fstab]]. Remove duplicate entries and the "seclabel" option where it appears, as this is Fedora-specific and will keep your system from booting normally.<br />
<br />
==Replacing the current system without a LiveCD==<br />
Make about ~650MB of free space on the disk, e.g. by splitting off the swap partition. If the free space is less than 600 MB, the packages must be selected so that the system on that partition can just boot and establish a network connection. This means specifying the packages for pacstrap with the -c option, so that the scarce space is not filled up.<br />
<br />
Once the installation is complete, reboot into that system and [[Full system backup with rsync (简体中文)#With_a_single_command|rsync the whole system]] to the main partition.<br />
The bootloader configuration must be modified before rebooting.<br />
<br />
====Configuring the system====<br />
<br />
Follow the [[Installation guide (简体中文)#Mount the partitions|Mount the partitions]]{{Broken section link}} section and the remaining sections of the [[Installation guide (简体中文)]] to complete the configuration.</div>Timeline.menu