廣告廣告
  加入我的最愛 設為首頁 風格修改
首頁 首尾
 手機版   訂閱   地圖  簡體 
您是第 6718 個閱讀者
 
發表文章 發表投票 回覆文章
  可列印版   加為IE收藏   收藏主題   上一主題 | 下一主題   
Qoo 手機 會員卡
數位造型
個人文章 個人相簿 個人日記 個人地圖
頭銜:超人超人

級別: 副版主 該用戶目前不上站
版區: 星僑五術軟體
推文 x22 鮮花 x126
分享: 轉寄此文章 Facebook Plurk Twitter 複製連結到剪貼簿 轉換為繁體 轉換為簡體 載入圖片
推文 x0
[FreeBSD][轉載] Sendmail+SASL+SSL HOWTO
Sendmail+SASL+SSL HOWTO

OS:FreeBSD 5.0-RELEASE Sendmail-8.12.9

FreeBSD 系統中已內建 Sendmail 做為 Mail-Server 。

以 4.X 版本的 FreeBSD 為例,系統更新升級 (CVSup) 時,內建的 Sendmail 若有 patch ,
理論上也會一同更新升級。

倘若您一時無法作系統更新升級,用 PORTS 來安裝新版的 Sendmail 也是不錯的方法。

使用 PORTS 安裝 sendmail 之後, FreeBSD 上便會有新舊兩套 Sendmail 。您需要設定成
啟動新的 Sendmail ,而舊的那一套不要跑起來。

請先更新 PORTS-Tree
# cd /usr/ports
# make update

查驗 PORTS-Tree 中 Sendmail 的版本:

grep \PORTVERSION= /usr/ports/mail/sendmail/Makefile


Sendmail 的安裝

先停止 Sendmail
# sh /etc/rc.sendmail stop

使用 PORTS 安裝 Sendmail
# cd /usr/ports/mail/sendmail
# make SENDMAIL_WITH_SASL2=yes SENDMAIL_WITH_SMTPS=yes install clean

除了 make install 就能直接安裝之外,您還可以先查看一下 Makefile 的內容,
還有其他的 OPTIONS 可以加入,就看您需不需要了。

安裝完成後,Sendmail 的檔案在 /usr/local/sbin/ 資料夾中:
# ls -l /usr/local/sbin/sendmail*

-r-xr-sr-x??1?root??smmsp???644148?Mar?18?05:02?sendmail

FreeBSD 原系統預設的 sendmail 是在 /usr/sbin/sendmail 。


安裝新版的 sendmail.cf 檔

編輯 /etc/mail/freebsd.mc檔案,在檔案末端加入以下11行設定
dnl The following lines are used to enable the STARTTLS function
define(`CERT_DIR', `/etc/mail/cert')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/mycert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/mykey.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')dnl
dnl The following lines are used to enable CYRUS-SASL function
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl

在編譯安裝sendmail.cf之前,習慣上我會還做更多的設定,以下是我的
freebsd.mc內容:

divert(-1)
#
# Copyright (c) 1983 Eric P. Allman
# Copyright (c) 1988, 1993
#     The Regents of the University of California. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#   notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#   notice, this list of conditions and the following disclaimer in the
#   documentation and/or other materials provided with the distribution.
# 3. All advertising materials mentioning features or use of this software
#   must display the following acknowledgement:
#     This product includes software developed by the University of
#     California, Berkeley and its contributors.
# 4. Neither the name of the University nor the names of its contributors
#   may be used to endorse or promote products derived from this software
#   without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#

#
# This is a generic configuration file for FreeBSD 4.X and later systems.
# If you want to customize it, copy it to a name appropriate for your
# environment and do the modifications there.
#
# The best documentation for this .mc file is:
# /usr/share/sendmail/cf/README or
# /usr/src/contrib/sendmail/cf/README
#

divert(0)
VERSIONID(`$FreeBSD: src/etc/sendmail/freebsd.mc,v 1.10.2.16 2002/05/22 16:39:14
gshapiro Exp $')
OSTYPE(freebsd4)
DOMAIN(generic)

FEATURE(access_db, `hash -o -T<TMPF> /etc/mail/access')
FEATURE(blacklist_recipients)
FEATURE(local_lmtp)
FEATURE(mailertable, `hash -o /etc/mail/mailertable')
FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')

FEATURE(local_procmail)dnl +
FEATURE(masquerade_entire_domain)dnl *
FEATURE(masquerade_envelope)dnl *
FEATURE(delay_checks)dnl *

dnl Uncomment to allow relaying based on your MX records.
dnl NOTE: This can allow sites to use your server as a backup MX without
dnl     your permission.
dnl FEATURE(relay_based_on_MX)

dnl DNS based black hole lists
dnl --------------------------------
dnl DNS based black hole lists come and go on a regular basis
dnl so this file will not serve as a database of the available servers.
dnl For that, visit http://dmoz.org/Computers/Internet/Abuse/Spam/Blacklists/

dnl Uncomment to activate Realtime Blackhole List
dnl information available at http://www.mail-abuse.com/
dnl NOTE: This is a subscription service as of July 31, 2001
dnl FEATURE(dnsbl)
dnl Alternatively, you can provide your own server and rejection message:
dnl FEATURE(dnsbl, `blackholes.mail-abuse.org', `"550 Mail from " $&{client_addr
} " rejected, see http://mail-abuse.org/cgi-bin/lookup?" $&{client_addr}')

dnl Dialup users should uncomment and define this appropriately
dnl define(`SMART_HOST', `your.isp.mail.server')

dnl Uncomment the first line to change the location of the default
dnl /etc/mail/local-host-names and comment out the second line.
dnl define(`confCW_FILE', `-o /etc/mail/sendmail.cw')
define(`confCW_FILE', `-o /etc/mail/local-host-names')

dnl Uncomment both of the following lines to listen on IPv6 as well as IPv4
dnl DAEMON_OPTIONS(`Name=IPv4, Family=inet')
dnl DAEMON_OPTIONS(`Name=IPv6, Family=inet6')

define(`confBIND_OPTS', `WorkAroundBrokenAAAA')
define(`confMAX_MIME_HEADER_LENGTH', `256/128')
define(`confNO_RCPT_ACTION', `add-to-undisclosed')
define(`confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy')
define(`confDOMAIN_NAME', `$w.$m')dnl *
MASQUERADE_AS(mis.ksut.edu.tw)dnl *
dnl The following lines are used to enable the STARTTLS function
define(`CERT_DIR', `/etc/mail/cert')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/mycert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/mykey.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')dnl
dnl The following lines are used to enable CYRUS-SASL function
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl *
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl *
MAILER(local)
MAILER(smtp)
MAILER(procmail)dnl +


*部份是我自行加上去的。其中 mis.ksut.edu.tw 是敝校的 domain ,您可別照抄。
其作用是讓主機寄出的信只帶有 domain ,而不是 hostname 。

+的部份則是要配合 procmail 時,才需要加上去的。

為了認證,加入下列內容:
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
本例,多加了認證方法:DIGEST-MD5 CRAM-MD5

另外,附加上access_db.m4等檔案內容,如下:
FEATURE(access_db)
FEATURE(delay_checks)
FEATURE(virtusertable)

編譯安裝sendmail.cf:
# cd /etc/mail
# make cf SENDMAIL_MC=/etc/mail/freebsd.mc
# make install

安裝 mail.local
為了讓本機使用者不用經認證即可發信,更改mail.local之使用權限
# chown root /usr/local/libexec/mail.local
# chmod u+s /usr/local/libexec/mail.local
(原本舊的sendmail的mail.local 檔案是在/usr/libexec目錄下)


讓舊的 Sendmail 開機時不啟動

變更 /etc/rc.conf 的設定:


sendmail_enable="YES"
變更為
sendmail_enable="NONE"


讓新的 Sendmail 開機即啟動

/usr/local/etc/rc.d/ 資料夾中有兩個與 Sendmail 啟動相關的新檔案:

-r-xr-xr-x   1 root   wheel     1363 Jul 8 15:58 sendmail.sh
-r-xr-xr-x   1 root   wheel       640 Jul 8 15:58 sm-client.sh

變更這兩個檔案的檔名,以便開機時能自動執行:
mv sendmail.sh.sample sendmail.sh
mv sm-client.sh.sample sm-client.sh

編輯/etc/mail/mailer.conf檔案
sendmail     /usr/local/sbin/sendmail
send-mail     /usr/local/sbin/sendmail
mailq       /usr/local/sbin/sendmail
newaliases     /usr/local/sbin/sendmail
hoststat     /usr/local/sbin/sendmail
purgestat     /usr/local/sbin/sendmail


(新增/etc/mail/local-host-names檔:
裡面填入localhost以及機器的完整名字(如mail.abc.com),這樣一來由
本機發時時便不需再一次做使用者認證。)

(新增/etc/mail/relay-domains檔:
填入本地的domainname,例如mydomain.com,當收件者不是給
mydomain.com時便會拒絕。)

編輯/etc/mail/access檔案
127.0.0.1      RELAY
主機網域名稱      RELAY

# cd /etc/mail
# makemap hash access.db < access
# makemap hash virtusertable.db < virtusertable


使用Cyrus SASL

建立sasl使用者及密碼
# /usr/local/sbin/saslpasswd2 -c username
再輸入密碼

檢視使用者帳號
# /usr/local/sbin/sasldblistusers2
注意,使用者帳號會自動附加上domain


使用SSL (此部分文章節錄自中研院計算中心 張毓麟先生 所著)
由於Sendmail與OpenSSL都是FreeBSD 4.3-STABLE版作業系統內建的功
能,因此不需額外的安裝手續,只需要根據我們的需要進行調整即可,最主要的
是要加上保密連線的金鑰(key-pair)與授權憑證(CA; Certification Authority)。

通常,我們會向獨立公正單位購買安全金鑰以及授權憑證。但如果不願意花錢
購買,也可以自行製作,自行製作的安全金鑰以及授權憑證,在功能上與買來的
相同,但是向獨立公正單位購買,會讓使用者心理上覺得比較有保障。

安全連線至系需要三個檔案才能啟用,請將公正單位核發的key-pair與CA放置
於下列目錄

server端的(秘錀)key-pair於/etc/mail/cert/mykey.pem
server端的(公錀)CA於/etc/mail/cert/mycert.pem
公正單位的CA於/etc/mail/cert/cacert.pem

請注意!如果使用公正單位所發出的key-pair,務必通知公正單位不可將mykey.pem
做DES編碼,否則sendmail將無法於開機時自動啟動。

如果想自行製作key-pair與CA,請依照下列指令操作
# mkdir /usr/local/CA
# cd /usr/local/CA
# mkdir certs crl newcerts private
# echo "01" > serial
# cp /dev/null index.txt
# cp /etc/ssl/openssl.cnf openssl.cnf

編輯openssl.cnf檔案,將檔案中的第38行的路徑由./demoCA改成
/usr/local/CA。接著執行以下指令,假裝自己是公正單位,做一個cacert.pem出
來。
# cd /usr/local/CA
# openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 365 -config openssl.cnf
請按螢幕上的指示,輸入相關的系統資料,當螢幕上提示輸入公正單位密碼
(PEM pass phrase)的時候,請自行設定一個密碼,並請牢記這個密碼,以便日後
使用。

# cd /usr/local/CA
# openssl req -nodes -new -x509 -keyout mykey.pem -out myreq.pem -days 365 -config openssl.cnf
# openssl x509 -x509toreq -in myreq.pem -signkey mykey.pem -out tmp.pem
# openssl ca -config openssl.cnf -policy policy_anything -out mycert.pem -infiles tmp.pem
# rm -f tmp.pem

以下指令將key-pair與CA複製到/etc/mail/cert目錄下,並設定正確權限
# mkdir /etc/mail/cert
# cp /usr/local/CA/mykey.pem /etc/mail/cert/
# cp /usr/local/CA/mycert.pem /etc/mail/cert/
# cp /usr/local/CA/cacert.pem /etc/mail/cert/
# chmod og-rwx /etc/mail/cert/mykey.pem
# chmod og=r /etc/mail/cert/mycert.pem
# chmod og=r /etc/mail/cert/cacert.pem

使用以下的指令建立CA的hash link,請特別注意引號的方向(建議剪貼以下指令,
以免不小必打字失誤)
# cd /etc/mail/cert
# ln -s cacert.pem `openssl x509 -noout -hash < cacert.pem`.0

這樣就完成了自行建立key-pair與CA的程序。這組key-pair與CA將可被
sendmail使用於保密連線的資料加密功能上。

現在就啟動新的 Sendmail

/usr/local/etc/rc.d/sendmail.sh start


相關連結與資源:
http://www.sendmail.org/

轉載自 http://solaris.mis.ksu.edu.tw/course/freebsd/sendmail_howto.txt



獻花 x0 回到頂端 [樓 主] From:台灣新世紀資通 | Posted:2006-09-11 18:25 |
mnbmnb5266
個人文章 個人相簿 個人日記 個人地圖
小有名氣
級別: 小有名氣 該用戶目前不上站
推文 x5 鮮花 x46
分享: 轉寄此文章 Facebook Plurk Twitter 複製連結到剪貼簿 轉換為繁體 轉換為簡體 載入圖片

教學不錯。先收藏,等以後有時間再拿出來研究


我的收藏
https://pan.baidu.com/s/1QUJ9lr_VzxXKRJAlBJgUQA
提取码:am2c
獻花 x0 回到頂端 [1 樓] From:加拿大Rogers | Posted:2010-08-21 22:26 |

首頁  發表文章 發表投票 回覆文章
Powered by PHPWind v1.3.6
Copyright © 2003-04 PHPWind
Processed in 0.063581 second(s),query:16 Gzip disabled
本站由 瀛睿律師事務所 擔任常年法律顧問 | 免責聲明 | 本網站已依台灣網站內容分級規定處理 | 連絡我們 | 訪客留言