Qoo
[FreeBSD][Repost] Sendmail+SASL+SSL HOWTO
                      
                        
                        
 
Sendmail+SASL+SSL HOWTO
OS: FreeBSD 5.0-RELEASE, Sendmail 8.12.9
 
FreeBSD ships with Sendmail in the base system as its mail server.

Taking FreeBSD 4.X as an example, when the system is upgraded (CVSup), any patch to the built-in Sendmail is, in theory, picked up along with the rest of the upgrade.

If you cannot upgrade the whole system right away, installing a newer Sendmail from PORTS is a good alternative.

After Sendmail has been installed from PORTS there are two copies on the machine, the old one and the new one. You have to configure the system so that the new Sendmail is started and the old one is never run.
 
First update the PORTS tree:
# cd /usr/ports
# make update

Check which Sendmail version the PORTS tree carries:

# grep PORTVERSION= /usr/ports/mail/sendmail/Makefile
 
 
Installing Sendmail

Stop the running Sendmail first:
# sh /etc/rc.sendmail stop

Install Sendmail from PORTS:
# cd /usr/ports/mail/sendmail
# make SENDMAIL_WITH_SASL2=yes SENDMAIL_WITH_SMTPS=yes install clean

Rather than running a bare make install, read the port's Makefile first: it lists further OPTIONS you can switch on if you need them. In particular make sure the build you end up with includes TLS support, because the STARTTLS configuration below depends on it.

After installation the Sendmail binary is in /usr/local/sbin/:
# ls -l /usr/local/sbin/sendmail*

-r-xr-sr-x  1 root  smmsp  644148 Mar 18 05:02 sendmail

Note that the binary is set-group-ID smmsp rather than set-user-ID root: since 8.12 the submission program runs without root privilege and hands mail to the daemon instead of delivering it itself.

The sendmail that comes with the FreeBSD base system is /usr/sbin/sendmail.
 
 
Installing a new sendmail.cf

Edit /etc/mail/freebsd.mc and add the following 11 lines at the end of the file:
 dnl The following lines are used to enable the STARTTLS function
 define(`CERT_DIR', `/etc/mail/cert')dnl
 define(`confCACERT_PATH', `CERT_DIR')dnl
 define(`confCACERT', `CERT_DIR/cacert.pem')dnl
 define(`confSERVER_CERT', `CERT_DIR/mycert.pem')dnl
 define(`confSERVER_KEY', `CERT_DIR/mykey.pem')dnl
 define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')dnl
 define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')dnl
 dnl The following lines are used to enable CYRUS-SASL function
 TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
 define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
 
Before building and installing sendmail.cf I usually make a few more changes; here is my
freebsd.mc:
 
 divert(-1)
 #
 # Copyright (c) 1983 Eric P. Allman
 # Copyright (c) 1988, 1993
 #       The Regents of the University of California.  All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
 # are met:
 # 1. Redistributions of source code must retain the above copyright
 #    notice, this list of conditions and the following disclaimer.
 # 2. Redistributions in binary form must reproduce the above copyright
 #    notice, this list of conditions and the following disclaimer in the
 #    documentation and/or other materials provided with the distribution.
 # 3. All advertising materials mentioning features or use of this software
 #    must display the following acknowledgement:
 #       This product includes software developed by the University of
 #       California, Berkeley and its contributors.
 # 4. Neither the name of the University nor the names of its contributors
 #    may be used to endorse or promote products derived from this software
 #    without specific prior written permission.
 #
 # THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 # ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 # SUCH DAMAGE.
 #
 
 #
 #  This is a generic configuration file for FreeBSD 4.X and later systems.
 #  If you want to customize it, copy it to a name appropriate for your
 #  environment and do the modifications there.
 #
 #  The best documentation for this .mc file is:
 #  /usr/share/sendmail/cf/README or
 #  /usr/src/contrib/sendmail/cf/README
 #
 
 divert(0)
VERSIONID(`$FreeBSD: src/etc/sendmail/freebsd.mc,v 1.10.2.16 2002/05/22 16:39:14 gshapiro Exp $')
 OSTYPE(freebsd4)
 DOMAIN(generic)
 
 FEATURE(access_db, `hash -o -T<TMPF> /etc/mail/access')
 FEATURE(blacklist_recipients)
 FEATURE(local_lmtp)
 FEATURE(mailertable, `hash -o /etc/mail/mailertable')
 FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')
 
 FEATURE(local_procmail)dnl +
 FEATURE(masquerade_entire_domain)dnl *
 FEATURE(masquerade_envelope)dnl *
 FEATURE(delay_checks)dnl *
 
 dnl Uncomment to allow relaying based on your MX records.
 dnl NOTE: This can allow sites to use your server as a backup MX without
 dnl       your permission.
 dnl FEATURE(relay_based_on_MX)
 
 dnl DNS based black hole lists
 dnl --------------------------------
 dnl DNS based black hole lists come and go on a regular basis
 dnl so this file will not serve as a database of the available servers.
 dnl For that, visit http://dmoz.org/Computers/Internet/Abuse/Spam/Blacklists/
 
 dnl Uncomment to activate Realtime Blackhole List
 dnl information available at http://www.mail-abuse.com/
 dnl NOTE: This is a subscription service as of July 31, 2001
 dnl FEATURE(dnsbl)
 dnl Alternatively, you can provide your own server and rejection message:
dnl FEATURE(dnsbl, `blackholes.mail-abuse.org', `"550 Mail from " $&{client_addr} " rejected, see http://mail-abuse.org/cgi-bin/lookup?" $&{client_addr}')
 
 dnl Dialup users should uncomment and define this appropriately
 dnl define(`SMART_HOST', `your.isp.mail.server')
 
 dnl Uncomment the first line to change the location of the default
 dnl /etc/mail/local-host-names and comment out the second line.
 dnl define(`confCW_FILE', `-o /etc/mail/sendmail.cw')
 define(`confCW_FILE', `-o /etc/mail/local-host-names')
 
 dnl Uncomment both of the following lines to listen on IPv6 as well as IPv4
 dnl DAEMON_OPTIONS(`Name=IPv4, Family=inet')
 dnl DAEMON_OPTIONS(`Name=IPv6, Family=inet6')
 
 define(`confBIND_OPTS', `WorkAroundBrokenAAAA')
 define(`confMAX_MIME_HEADER_LENGTH', `256/128')
 define(`confNO_RCPT_ACTION', `add-to-undisclosed')
 define(`confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy')
 define(`confDOMAIN_NAME', `$w.$m')dnl *
 MASQUERADE_AS(mis.ksut.edu.tw)dnl *
 dnl The following lines are used to enable the STARTTLS function
 define(`CERT_DIR', `/etc/mail/cert')dnl
 define(`confCACERT_PATH', `CERT_DIR')dnl
 define(`confCACERT', `CERT_DIR/cacert.pem')dnl
 define(`confSERVER_CERT', `CERT_DIR/mycert.pem')dnl
 define(`confSERVER_KEY', `CERT_DIR/mykey.pem')dnl
 define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')dnl
 define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')dnl
 dnl The following lines are used to enable CYRUS-SASL function
 TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl *
 define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl *
 MAILER(local)
 MAILER(smtp)
 MAILER(procmail)dnl +
 
 
The lines marked * are my own additions. mis.ksut.edu.tw is our school's domain, so do not copy it as is. Their effect is that mail sent out by this host carries only the domain, not the hostname.

The lines marked + are only needed when procmail is used for local delivery. Note that FEATURE(local_procmail) redefines the local mailer and therefore supersedes the FEATURE(local_lmtp) that appears earlier in the file; keep whichever of the two you actually want.

For authentication, the two lines added are:
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
This example offers two further mechanisms, DIGEST-MD5 and CRAM-MD5. LOGIN and PLAIN send the password in the clear and are only safe inside a STARTTLS session; DIGEST-MD5 and CRAM-MD5 are challenge-response mechanisms that keep the password off the wire, at the cost of the server holding it in recoverable form (which the sasldb written by saslpasswd2 does).
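As written, the two authentication lines offer LOGIN and PLAIN on every connection, so a client that skips STARTTLS sends its password in the clear. The fragment below is an added example, not part of the HOWTO: it keeps the same mechanism list but adds the sendmail 8.12 options that withhold the plaintext mechanisms until a TLS layer is up. The separate submission listener on port 587 is an assumption about how users' mail clients will submit mail; the HOWTO itself does not set one up. Place the fragment in freebsd.mc before the MAILER lines.

```m4
dnl Offer the mechanisms and trust them for relaying, as in the HOWTO
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl Added: A = accept a client's AUTH= parameter only after it authenticated,
dnl        p = do not offer PLAIN or LOGIN unless a security layer (STARTTLS)
dnl            is already active on the connection
define(`confAUTH_OPTIONS', `A p')dnl
dnl Added (assumption): keep port 25 for MX traffic and add a submission
dnl listener on port 587 that always requires AUTH (M=a) and refuses ETRN (M=E).
dnl Specifying any DAEMON_OPTIONS replaces the built-in MTA default, so the
dnl port 25 entry must be listed as well; no_default_msa drops the stock
dnl port 587 entry so that only the one below remains.
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
```

With this in place a client on port 587 must either issue STARTTLS before AUTH PLAIN/LOGIN or use CRAM-MD5/DIGEST-MD5, and port 25 still accepts unauthenticated MX traffic subject to the relay rules.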
 
The following features, which come from access_db.m4 and the related files, are also part of the configuration above:
FEATURE(access_db)
FEATURE(delay_checks)
FEATURE(virtusertable)
 
Build and install sendmail.cf:
# cd /etc/mail
# make cf SENDMAIL_MC=/etc/mail/freebsd.mc
# make install

Installing mail.local
mail.local is the local delivery agent: it appends incoming mail to the recipients' mailboxes under /var/mail, and on FreeBSD it runs set-user-ID root for that purpose (the base system's copy is installed that way). Give the port's copy the same ownership and bits:
# chown root /usr/local/libexec/mail.local
# chmod u+s /usr/local/libexec/mail.local
(The base system's mail.local is in /usr/libexec.)
 
 
Keep the old Sendmail from starting at boot

Change /etc/rc.conf:

replace
sendmail_enable="YES"
with
sendmail_enable="NONE"


Start the new Sendmail at boot

The port places two new Sendmail start-up scripts in /usr/local/etc/rc.d/, installed as .sample files. Rename them so that they are executed at boot:
# cd /usr/local/etc/rc.d
# mv sendmail.sh.sample sendmail.sh
# mv sm-client.sh.sample sm-client.sh

After renaming, the directory contains:

-r-xr-xr-x   1 root     wheel        1363 Jul  8 15:58 sendmail.sh
-r-xr-xr-x   1 root     wheel         640 Jul  8 15:58 sm-client.sh

Edit /etc/mail/mailer.conf so that the mailwrapper front ends point at the new binary:
sendmail        /usr/local/sbin/sendmail
send-mail       /usr/local/sbin/sendmail
mailq           /usr/local/sbin/sendmail
newaliases      /usr/local/sbin/sendmail
hoststat        /usr/local/sbin/sendmail
purgestat       /usr/local/sbin/sendmail
 
 
(Create /etc/mail/local-host-names and list localhost and the machine's fully qualified name, e.g. mail.abc.com. Sendmail treats mail addressed to any name in this file as local mail and delivers it on this machine instead of relaying it.)

(Create /etc/mail/relay-domains and list the local domain name, e.g. mydomain.com. Sendmail relays mail for the domains listed here; a recipient domain that is neither local nor listed here is refused with "Relaying denied" unless the client was granted RELAY in the access map or authenticated successfully.)

Edit /etc/mail/access:
127.0.0.1       RELAY
your.domain.name       RELAY

# cd /etc/mail
# makemap hash access.db < access
# makemap hash virtusertable.db < virtusertable
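The access file below is an added example, not the HOWTO's file. It does the same job as the two entries above but scopes each one with a tag (Connect:, To:, From:), which sendmail 8.10 and later understand and which work with or without FEATURE(delay_checks). The 192.0.2 prefix, example.com and spam.example are placeholders. Comments must stay on their own lines: makemap takes everything after the key as the value, so a trailing comment would corrupt the RELAY entry.

```text
# /etc/mail/access (added example; 192.0.2, example.com and spam.example are placeholders)
#
# An untagged name entry is matched against the connecting client's resolved
# hostname as well as against recipient domains, so the HOWTO-style line
#     example.com    RELAY
# lets any client whose reverse-DNS name (when it resolves back to the client
# address) ends in example.com relay through this server, not only mail that
# is destined for example.com.
#
# Tagged entries state exactly which check they apply to.
# The local MSP submitting through port 25:
Connect:127.0.0.1      RELAY
# Our own network, matched by address prefix rather than by hostname:
Connect:192.0.2        RELAY
# Accept mail destined for our domain (hosted domains that are not in
# local-host-names need this or an entry in relay-domains):
To:example.com         RELAY
# Refuse a sender domain outright:
From:spam.example      REJECT
```

Rebuild the map with makemap hash access.db < access after every change; sendmail reads the .db, not the text file.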
 
 
Using Cyrus SASL

Create a SASL user and password:
# /usr/local/sbin/saslpasswd2 -c username
then type the password when prompted.

List the accounts:
# /usr/local/sbin/sasldblistusers2
Note that a realm is appended to each account automatically (the hostname by default; saslpasswd2 -u sets it explicitly, and clients must use the same realm). The sasldb2 file holds the passwords in recoverable form so that CRAM-MD5 and DIGEST-MD5 can work, so it must not be readable by anyone but root.
 
 
Using SSL (this part is excerpted from an article by 张毓麟 of the Academia Sinica Computing Centre)
Since Sendmail and OpenSSL are both part of the FreeBSD 4.3-STABLE base system, no extra installation is needed; they only have to be configured, and the main task is to provide the key pair and the certificates for the encrypted connection.

Usually a key pair and certificate are bought from an independent certification authority (CA). If you do not want to pay for one you can make your own. A self-made key and certificate work exactly the same cryptographically; the difference is that a certificate from a recognised CA is already trusted by users' mail clients, whereas a self-signed one has to be accepted by each user explicitly.

Three files are needed before the encrypted connection can be enabled. Put the key and certificates in the following places:

the server's private key in /etc/mail/cert/mykey.pem
the server's certificate (which carries its public key) in /etc/mail/cert/mycert.pem
the issuing CA's certificate in /etc/mail/cert/cacert.pem

Note: if you obtain the certificate from a CA, mykey.pem must not be encrypted with a pass phrase (DES or otherwise); sendmail has no way to supply the pass phrase, so it would fail to start at boot. In the normal case you generate the key yourself and send the CA only a certificate signing request, so the private key never leaves the server.
 
To make your own key pair and CA, run the following:
# mkdir /usr/local/CA
# cd /usr/local/CA
# mkdir certs crl newcerts private
# echo "01" > serial
# cp /dev/null index.txt
# cp /etc/ssl/openssl.cnf openssl.cnf

Edit openssl.cnf and change the `dir = ./demoCA` line in the [ CA_default ] section (line 38 in that release's file) to /usr/local/CA. Then run the following to act as your own CA and produce cacert.pem:
# cd /usr/local/CA
# openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 365 -config openssl.cnf
Follow the prompts and enter your organisation's details. When asked for the CA password (PEM pass phrase), choose one and remember it; it is needed every time the CA signs a certificate, and it is what protects the CA key in private/cakey.pem.

Now create the server's key and certificate request, and sign the request with the CA:
# cd /usr/local/CA
# openssl req -nodes -new -x509 -keyout mykey.pem -out myreq.pem -days 365 -config openssl.cnf
# openssl x509 -x509toreq -in myreq.pem -signkey mykey.pem -out tmp.pem
# openssl ca -config openssl.cnf -policy policy_anything -out mycert.pem -infiles tmp.pem
# rm -f tmp.pem
(-nodes leaves mykey.pem unencrypted, which is what sendmail needs. The second command makes a self-signed certificate that the third converts back into a signing request; running `openssl req -nodes -new` without -x509 produces the request directly and makes the x509toreq step unnecessary.)
 
Copy the key and certificates into /etc/mail/cert and set the permissions:
# mkdir /etc/mail/cert
# cp /usr/local/CA/mykey.pem /etc/mail/cert/
# cp /usr/local/CA/mycert.pem /etc/mail/cert/
# cp /usr/local/CA/cacert.pem /etc/mail/cert/
# chmod og-rwx /etc/mail/cert/mykey.pem
# chmod og=r /etc/mail/cert/mycert.pem
# chmod og=r /etc/mail/cert/cacert.pem
The private key must be readable by root only; the two certificates are public. Leave the CA's own key in /usr/local/CA/private, it is only needed when signing further certificates.

Create the hash link for the CA certificate with the following command. Pay attention to the direction of the quotes (they are backticks); it is safest to cut and paste the command:
# cd /etc/mail/cert
# ln -s cacert.pem `openssl x509 -noout -hash < cacert.pem`.0

This completes the self-made key pair and CA. Sendmail will use them to encrypt its connections with STARTTLS.
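The HOWTO's warning that a pass-phrase-protected mykey.pem keeps sendmail from starting at boot, together with the permission and hash-link steps just above, can be checked before the daemon is started. The script below is an added example, not part of the original HOWTO; the file names and the chmod layout are the HOWTO's, everything else is an assumption. It needs only sh, grep, ls and cut; the hash-link check uses openssl when it is on PATH and reports itself as skipped otherwise.

```sh
#!/bin/sh
# Pre-flight checks for the STARTTLS files in /etc/mail/cert before sendmail
# is started.  Added example, not part of the original HOWTO; the file names
# and the "chmod og-rwx" layout are the HOWTO's, everything else is assumed.

# 0 if the PEM file holds a private key stored in the clear, 1 if it is
# pass-phrase protected or unreadable.  Both the legacy header that a
# DES/3DES encrypted "traditional" key carries and the PKCS#8 encrypted form
# are caught; sendmail cannot ask for a pass phrase at boot.
key_is_plain() {
    [ -r "$1" ] || return 1
    ! grep -q -e '^Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# 0 if group and other have no permission bits at all (what "chmod og-rwx"
# leaves).  ls -l is parsed instead of calling stat(1) because stat's flags
# differ between BSD and GNU userland; columns 5-10 are the group/other bits.
mode_is_private() {
    [ -e "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# 0 if the file contains at least one PEM certificate block.
has_certificate() {
    [ -r "$1" ] && grep -q 'BEGIN CERTIFICATE' "$1"
}

# Checks the link the HOWTO creates with
#   ln -s cacert.pem `openssl x509 -noout -hash < cacert.pem`.0
# Returns 0 if <hash>.0 exists in the directory, 2 if openssl is not
# available so the hash cannot be computed, 1 otherwise.
ca_hash_link_ok() {
    command -v openssl >/dev/null 2>&1 || return 2
    h=$(openssl x509 -noout -hash -in "$1/cacert.pem" 2>/dev/null) || return 1
    [ -e "$1/$h.0" ]
}

# Runs every check against one certificate directory, prints one line per
# problem and returns the number of failures (0 means ready to start).
preflight() {
    dir=$1
    fails=0
    for f in mykey.pem mycert.pem cacert.pem; do
        [ -r "$dir/$f" ] || { echo "missing or unreadable: $dir/$f"; fails=$((fails + 1)); }
    done
    key_is_plain "$dir/mykey.pem" \
        || { echo "mykey.pem is pass-phrase protected; sendmail will not start unattended"; fails=$((fails + 1)); }
    mode_is_private "$dir/mykey.pem" \
        || { echo "mykey.pem is readable by group/other; run chmod og-rwx on it"; fails=$((fails + 1)); }
    for f in mycert.pem cacert.pem; do
        has_certificate "$dir/$f" || { echo "$f does not contain a certificate"; fails=$((fails + 1)); }
    done
    ca_hash_link_ok "$dir"
    case $? in
        0) ;;
        2) echo "hash link check skipped: openssl not found" ;;
        *) echo "no <hash>.0 link for cacert.pem in $dir"; fails=$((fails + 1)) ;;
    esac
    return $fails
}

# Usage: sh preflight.sh /etc/mail/cert
# With no argument the script only defines the functions above.
if [ $# -gt 0 ]; then
    preflight "$1"
    exit $?
fi
```

Run it as sh preflight.sh /etc/mail/cert after the copy step; a non-zero exit status means something above still needs fixing. Once sendmail is running, openssl s_client -starttls smtp -connect localhost:25 shows the certificate the daemon presents, and the EHLO response should list both STARTTLS and AUTH.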
 
Now start the new Sendmail:

# /usr/local/etc/rc.d/sendmail.sh start
 
 
Related links and resources:
http://www.sendmail.org/

Reposted from http://solaris.mis.ksu.edu.tw/course/freebsd/sendmail_howto.txt
 
 