Sendmail-SMTP-AUTH-TLS-Howto

Version 1.0
Author: Falko Timme

This document describes how to install a mail server based on sendmail that is capable of SMTP-AUTH and TLS. It should work (maybe with slight changes concerning paths etc.) on all *nix operating systems. So far I have tested it on Debian Woody only.

This is a practical guide; it does not cover the theoretical background. That is treated in many other documents on the web.

This document comes without warranty of any kind!


1 Get the sources

We need the following software: openssl, cyrus-sasl2 and sendmail. We will install the software from the /tmp directory.

cd /tmp
wget http://www.openssl.org/source/openssl-0.9.7c.tar.gz
wget --passive-ftp ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.17.tar.gz
wget --passive-ftp ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.11.tar.gz


2 Install Openssl

tar xvfz openssl-0.9.7c.tar.gz
cd openssl-0.9.7c
./config
make
make install
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl


3 Install Cyrus-sasl2

cd /tmp
tar xvfz cyrus-sasl-2.1.17.tar.gz
cd cyrus-sasl-2.1.17
./configure --enable-anon --enable-plain --enable-login --disable-krb4 --with-saslauthd=/var/run/saslauthd --with-pam --with-openssl=/usr/local/ssl --with-plugindir=/usr/local/lib/sasl2 --enable-cram --enable-digest --enable-otp (one line!)
make
make install

If /usr/lib/sasl2 exists:
mv /usr/lib/sasl2 /usr/lib/sasl2_orig

echo "pwcheck_method: saslauthd" > /usr/local/lib/sasl2/Sendmail.conf
echo "mech_list: login plain" >> /usr/local/lib/sasl2/Sendmail.conf

mkdir -p /var/run/saslauthd


4 Create the TLS certificate

mkdir -p /etc/mail/certs
cd /etc/mail/certs
openssl req -new -x509 -keyout cakey.pem -out cacert.pem -days 365

<-- Enter your smtpd.key password.
<-- Enter your Country Name (e.g., "DE").
<-- Enter your State or Province Name.
<-- Enter your City.
<-- Enter your Organization Name (e.g., the name of your company).
<-- Enter your Organizational Unit Name (e.g. "IT Department").
<-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
<-- Enter your Email Address.

openssl req -nodes -new -x509 -keyout sendmail.pem -out sendmail.pem -days 365

<-- Enter the smtpd.key password again.
<-- Enter your Country Name (e.g., "DE").
<-- Enter your State or Province Name.
<-- Enter your City.
<-- Enter your Organization Name (e.g., the name of your company).
<-- Enter your Organizational Unit Name (e.g. "IT Department").
<-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
<-- Enter your Email Address.

openssl x509 -noout -text -in sendmail.pem
chmod 600 ./sendmail.pem
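The two openssl commands above only print the certificate; they do not tell you whether the file is usable by sendmail. The following shell function is an added check (it is not part of the original howto): it verifies that the combined key+certificate file is mode 600, that the private key and the certificate in it actually belong together, and that the certificate is not about to expire. The file path and the 30-day expiry threshold are assumptions; run it as `check_sendmail_pem /etc/mail/certs/sendmail.pem`.

```shell
#!/bin/sh
# Added example, not part of the original howto: sanity checks on the
# combined key+certificate file created in section 4.  The path passed
# in and the 30-day default threshold are assumptions.

# check_sendmail_pem FILE [DAYS]
# Returns 0 if FILE is mode 600, holds a private key that matches the
# certificate in the same file, and the certificate stays valid for at
# least DAYS more days.  Prints a WARN line for every failed check.
check_sendmail_pem() {
    pem="$1"
    days="${2:-30}"
    status=0

    # The file holds the private key, so nobody but root may read it.
    mode=$(stat -c '%a' "$pem" 2>/dev/null || stat -f '%Lp' "$pem")
    if [ "$mode" != "600" ]; then
        echo "WARN: $pem has mode $mode, expected 600 (it contains the private key)"
        status=1
    fi

    # Key and certificate must belong together: compare the public key
    # derived from the private key with the one inside the certificate.
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null | openssl sha256)
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null | openssl sha256)
    if [ -z "$key_pub" ] || [ "$key_pub" != "$cert_pub" ]; then
        echo "WARN: private key and certificate in $pem do not match"
        status=1
    fi

    # -checkend takes seconds and exits non-zero if the certificate
    # expires within that window.
    if ! openssl x509 -in "$pem" -noout -checkend $((days * 86400)) >/dev/null; then
        echo "WARN: certificate in $pem expires within $days days"
        status=1
    fi

    echo "subject: $(openssl x509 -in "$pem" -noout -subject)"
    return $status
}
```

The same function can be pointed at cacert.pem after the first openssl req command, but that file is password protected, so the key/certificate comparison will report a mismatch unless the password is supplied to openssl pkey.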


5 Install Sendmail

cd /tmp
tar xvfz sendmail.8.12.11.tar.gz
cd sendmail-8.12.11/devtools/Site/

Create the file site.config.m4 (in devtools/Site/):

# SASL2 (smtp authentication)
APPENDDEF(`confENVDEF', `-DSASL=2')
APPENDDEF(`conf_sendmail_LIBS', `-lsasl2')
#
# STARTTLS (smtp + tls/ssl)
APPENDDEF(`conf_sendmail_ENVDEF', `-DSTARTTLS')
APPENDDEF(`conf_sendmail_ENVDEF', `-D_FFR_SMTP_SSL')
APPENDDEF(`conf_sendmail_LIBS', `-lssl -lcrypto -L/usr/local/ssl/lib')


mkdir -p /usr/man
mkdir -p /usr/man/man1
mkdir -p /usr/man/man8
cp -pfr /usr/local/lib/sasl2 /usr/lib/sasl2
echo /usr/lib/sasl2 >> /etc/ld.so.conf
ldconfig
ln -s /usr/local/ssl/include/openssl /usr/include/openssl

Now we can compile sendmail:

cd /tmp/sendmail-8.12.11/
useradd smmsp
groupadd smmsp
sh Build -c
sh Build install

Let's create our sendmail.cf:

cd cf/cf/

Create the file sendmail.mc with the following content:

dnl ### do SMTPAUTH
define(`confAUTH_MECHANISMS', `LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl

dnl ### do STARTTLS
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/cacert.pem')dnl
define(`confSERVER_CERT', `/etc/mail/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/mail/certs/sendmail.pem')dnl
define(`confCLIENT_CERT', `/etc/mail/certs/sendmail.pem')dnl
define(`confCLIENT_KEY', `/etc/mail/certs/sendmail.pem')dnl
DAEMON_OPTIONS(`Family=inet, Port=465, Name=MTA-SSL, M=s')dnl

dnl ###
define(`confDEF_CHAR_SET', `iso-8859-1')dnl
define(`confMAX_MESSAGE_SIZE', `15000000')dnl Denial of Service Attacks
define(`confMAX_DAEMON_CHILDREN', `30')dnl Denial of Service Attacks
define(`confCONNECTION_RATE_THROTTLE', `2')dnl Denial of Service Attacks
define(`confMAXRCPTSPERMESSAGE', `50')dnl Denial of service Attacks
define(`confSINGLE_LINE_FROM_HEADER', `True')dnl
define(`confSMTP_LOGIN_MSG', `$j')dnl
define(`confDONT_PROBE_INTERFACES', `True')dnl
define(`confTO_INITIAL', `6m')dnl
define(`confTO_CONNECT', `20s')dnl
define(`confTO_HELO', `5m')dnl
define(`confTO_HOSTSTATUS', `2m')dnl
define(`confTO_DATAINIT', `6m')dnl
define(`confTO_DATABLOCK', `35m')dnl
define(`confTO_DATAFINAL', `35m')dnl
define(`confDIAL_DELAY', `20s')dnl
define(`confNO_RCPT_ACTION', `add-apparently-to')dnl
define(`confALIAS_WAIT', `0')dnl
define(`confMAX_HOP', `35')dnl
define(`confQUEUE_LA', `5')dnl
define(`confREFUSE_LA', `12')dnl
define(`confSEPARATE_PROC', `False')dnl
define(`confCON_EXPENSIVE', `true')dnl
define(`confWORK_RECIPIENT_FACTOR', `1000')dnl
define(`confWORK_TIME_FACTOR', `3000')dnl
define(`confQUEUE_SORT_ORDER', `Time')dnl
define(`confPRIVACY_FLAGS', `authwarnings,goaway,restrictmailq,restrictqrun,needmailhelo')dnl
OSTYPE(linux)dnl
FEATURE(`delay_checks')dnl
FEATURE(`generics_entire_domain')dnl
FEATURE(`local_procmail')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`nouucp',`reject')dnl
FEATURE(`redirect')dnl
FEATURE(`relay_entire_domain')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`virtuser_entire_domain')dnl

FEATURE(dnsbl,`blackholes.mail-abuse.org',
` Mail from $&{client_addr} rejected; see http://mail-abuse.org/cgi-bin/lookup?$&{client_addr}')dnl
FEATURE(dnsbl,`dialups.mail-abuse.org',
` Mail from dial-up rejected; see http://mail-abuse.org/dul/enduser.htm')dnl

FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable')dnl
FEATURE(access_db)dnl
FEATURE(lookupdotdomain)dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
MAILER(local)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl

To create /etc/mail/sendmail.cf, run the following commands:

sh Build sendmail.cf
cp sendmail.cf /etc/mail/sendmail.cf

Finally we have to create some files:

cd /etc/mail/
touch /etc/mail/local-host-names
touch /etc/mail/virtusertable
/usr/sbin/makemap hash virtusertable < virtusertable
mkdir -p /var/spool/mqueue
chmod 700 /var/spool/mqueue
chown root:root /var/spool/mqueue
chown root:root /etc/mail/sendmail.cf
chmod 444 /etc/mail/sendmail.cf
chown root:root /etc/mail/submit.cf
chmod 444 /etc/mail/submit.cf
touch /etc/mail/aliases
newaliases
touch /etc/mail/access
/usr/sbin/makemap hash access < access

We need an init script for sendmail (this should be copied to /etc/init.d/sendmail):

#! /bin/sh

case "$1" in
    start)
        echo "Initializing SMTP port. (sendmail)"
        /usr/sbin/sendmail -bd -q1h
        ;;
    stop)
        echo "Shutting down SMTP port:"
        killall /usr/sbin/sendmail
        ;;
    restart|reload)
        $0 stop  &&  $0 start
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|reload}"
        exit 1
esac
exit 0

chmod 755 /etc/init.d/sendmail

To start sendmail at boot time, do the following:

ln -s /etc/init.d/sendmail /etc/rc2.d/S20sendmail
ln -s /etc/init.d/sendmail /etc/rc3.d/S20sendmail
ln -s /etc/init.d/sendmail /etc/rc4.d/S20sendmail
ln -s /etc/init.d/sendmail /etc/rc5.d/S20sendmail
ln -s /etc/init.d/sendmail /etc/rc0.d/K20sendmail
ln -s /etc/init.d/sendmail /etc/rc1.d/K20sendmail
ln -s /etc/init.d/sendmail /etc/rc6.d/K20sendmail


6 Configure Saslauthd

Create /etc/init.d/saslauthd:

#!/bin/sh -e

NAME=saslauthd
DAEMON="/usr/sbin/${NAME}"
DESC="SASL Authentication Daemon"
DEFAULTS=/etc/default/saslauthd

test -f "${DAEMON}" || exit 0

# Source defaults file; edit that file to configure this script.
if [ -e "${DEFAULTS}" ]; then
    . "${DEFAULTS}"
fi

# If we're not to start the daemon, simply exit
if [ "${START}" != "yes" ]; then
    exit 0
fi

# If we have no mechanisms defined
if [ "x${MECHANISMS}" = "x" ]; then
    echo "You need to configure ${DEFAULTS} with mechanisms to be used"
    exit 0
fi

# Add our mechanisms with the necessary flag
for i in ${MECHANISMS}; do
    PARAMS="${PARAMS} -a ${i}"
done

# Consider our options
case "${1}" in
  start)
        echo -n "Starting ${DESC}: "
        mkdir -p /var/run/${NAME}   # socket directory (the postfix chroot link from the Debian script is not used here)
        ${DAEMON} ${PARAMS}
        echo "${NAME}."
        ;;
  stop)
        echo -n "Stopping ${DESC}: "
        PROCS=`ps aux | grep -iw '/usr/sbin/saslauthd' | grep -v 'grep' |awk '{print $2}' | tr '\n' ' '`
        if [ "x${PROCS}" != "x" ]; then
          kill -15 ${PROCS} > /dev/null 2>&1
        fi
        echo "${NAME}."
        ;;
  restart|force-reload)
        $0 stop
        sleep 1
        $0 start
        echo "${NAME}."
        ;;
  *)
        echo "Usage: /etc/init.d/${NAME} {start|stop|restart|force-reload}" >&2
        exit 1
        ;;
esac

exit 0


chmod 755 /etc/init.d/saslauthd

To start saslauthd at boot time, do the following:

ln -s /etc/init.d/saslauthd /etc/rc2.d/S20saslauthd
ln -s /etc/init.d/saslauthd /etc/rc3.d/S20saslauthd
ln -s /etc/init.d/saslauthd /etc/rc4.d/S20saslauthd
ln -s /etc/init.d/saslauthd /etc/rc5.d/S20saslauthd
ln -s /etc/init.d/saslauthd /etc/rc0.d/K20saslauthd
ln -s /etc/init.d/saslauthd /etc/rc1.d/K20saslauthd
ln -s /etc/init.d/saslauthd /etc/rc6.d/K20saslauthd

Then create /etc/default/saslauthd:

# This needs to be uncommented before saslauthd will be run automatically
START=yes

# You must specify the authentication mechanisms you wish to use.
# This defaults to "pam" for PAM support, but may also include
# "shadow" or "sasldb"
MECHANISMS=shadow

If you find saslauthd in /usr/local/sbin instead of /usr/sbin, create a symlink:

ln -s /usr/local/sbin/saslauthd /usr/sbin/saslauthd

Then start saslauthd and sendmail:

/etc/init.d/saslauthd start

/etc/init.d/sendmail start


7 Test your configuration

Verify that your sendmail was compiled with the right options:

/usr/sbin/sendmail -d0.1 -bv root

You should see that sendmail was compiled with SASLv2 and STARTTLS:


To see if SMTP-AUTH and TLS work properly, run the following command:

telnet localhost 25

After you have established the connection to your sendmail mail server, type

ehlo localhost

If you see the lines

250-STARTTLS

250-AUTH

everything is fine.

Type

quit

to return to the system's shell.
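The telnet check above has to be read by eye. The following Python script is an added example (not part of the original howto) that does the same check programmatically: parse_ehlo() reads the multi-line 250 reply that `ehlo localhost` produces, audit() reports whether STARTTLS and the AUTH mechanisms enabled in sendmail.mc (LOGIN PLAIN DIGEST-MD5 CRAM-MD5) are advertised, and plaintext_before_tls() lists the mechanisms that would send the password in the clear if a client used them before STARTTLS. probe() runs the same audit against a live server with the standard library's smtplib, once before and once after STARTTLS; the host, port and CA file path are assumptions, and the host name must match the CN of the certificate created in section 4 for the TLS handshake to succeed. The sample reply embedded in the script is constructed, not captured output.

```python
"""Audit an ESMTP EHLO reply for the STARTTLS and AUTH extensions.

Added example, not part of the original howto.  parse_ehlo() reads the
multi-line 250 reply that the `ehlo localhost` step produces, audit()
reports whether the extensions the howto enables are advertised, and
probe() repeats the audit against a live server (host, port and CA file
are assumptions).
"""
import smtplib
import ssl

# Mechanisms the howto enables via confAUTH_MECHANISMS in sendmail.mc.
EXPECTED_MECHS = {"LOGIN", "PLAIN", "DIGEST-MD5", "CRAM-MD5"}
# Mechanisms that carry the password in cleartext (base64 is not encryption).
PLAINTEXT_MECHS = {"LOGIN", "PLAIN"}

# Constructed sample of what a server answers to `ehlo localhost`
# (not captured from a real server).
SAMPLE_EHLO = (
    "250-server1.example.com Hello localhost [127.0.0.1], pleased to meet you\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-PIPELINING\r\n"
    "250-8BITMIME\r\n"
    "250-SIZE 15000000\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5\r\n"
    "250 HELP\r\n"
)


def parse_ehlo(reply):
    """Return {EXTENSION: [params]} from a raw multi-line 250 reply.

    The first line is the greeting and is skipped; every following line
    has the form '250-KEYWORD params' or, for the last one, '250 KEYWORD'.
    """
    features = {}
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError("unexpected EHLO reply line: %r" % line)
        body = line[4:].strip()      # drop the '250-' / '250 ' prefix
        if not body:
            continue
        keyword, *params = body.split()
        features[keyword.upper()] = [p.upper() for p in params]
    return features


def audit(features):
    """Return a list of findings; an empty list means the howto's goals are met."""
    findings = []
    if "STARTTLS" not in features:
        findings.append("STARTTLS not advertised: TLS is not enabled")
    if "AUTH" not in features:
        findings.append("AUTH not advertised: SMTP-AUTH is not enabled")
    else:
        missing = EXPECTED_MECHS - set(features["AUTH"])
        if missing:
            findings.append("AUTH lacks mechanisms: " + ", ".join(sorted(missing)))
    return findings


def plaintext_before_tls(features):
    """Mechanisms in a pre-STARTTLS reply that expose the password on the wire
    if a client uses them without first negotiating TLS."""
    return PLAINTEXT_MECHS & set(features.get("AUTH", []))


def _from_smtplib(esmtp_features):
    """smtplib stores features as {'auth': 'LOGIN PLAIN ...'}; normalise them
    to the shape parse_ehlo() returns."""
    return {k.upper(): v.upper().split() for k, v in esmtp_features.items()}


def probe(host="localhost", port=25, cafile="/etc/mail/certs/cacert.pem"):
    """Connect, collect the EHLO features before and after STARTTLS, return both.
    The CA file (assumed path) lets the self-signed howto certificate verify."""
    ctx = ssl.create_default_context(cafile=cafile)
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo("localhost")
        before = _from_smtplib(smtp.esmtp_features)
        after = {}
        if "STARTTLS" in before:
            smtp.starttls(context=ctx)
            smtp.ehlo("localhost")   # the extension list may change under TLS
            after = _from_smtplib(smtp.esmtp_features)
    return before, after


if __name__ == "__main__":
    feats = parse_ehlo(SAMPLE_EHLO)
    print("findings:", audit(feats) or "none, everything is fine")
    print("cleartext mechanisms offered before STARTTLS:",
          sorted(plaintext_before_tls(feats)))
```

If plaintext_before_tls() reports LOGIN or PLAIN on the pre-STARTTLS reply, clients that do not insist on TLS can leak their passwords; the sendmail.mc shown in section 5 does not restrict those mechanisms to TLS sessions, so this is the expected result for that configuration and worth knowing when you configure mail clients.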


Links

Sendmail MTA: http://www.sendmail.org/

OpenSSL: http://www.openssl.org/

Cyrus-SASL: http://asg.web.cmu.edu/sasl/

