广告广告
  加入我的最爱 设为首页 风格修改
首页 首尾
 手机版   订阅   地图  繁体 
您是第 6731 个阅读者
 
发表文章 发表投票 回覆文章
  可列印版   加为IE收藏   收藏主题   上一主题 | 下一主题   
Qoo 手机 会员卡
数位造型
个人文章 个人相簿 个人日记 个人地图
头衔:超人超人

级别: 副版主 该用户目前不上站
版区: 星侨五术软体
推文 x22 鲜花 x126
分享: 转寄此文章 Facebook Plurk Twitter 复制连结到剪贴簿 转换为繁体 转换为简体 载入图片
推文 x0
[FreeBSD][转载] Sendmail+SASL+SSL HOWTO
Sendmail+SASL+SSL HOWTO

OS:FreeBSD 5.0-RELEASE Sendmail-8.12.9

FreeBSD 系统中已内建 Sendmail 做为 Mail-Server 。

以 4.X 版本的 FreeBSD 为例,系统更新升级 (CVSup) 时,内建的 Sendmail 若有 patch ,
理论上也会一同更新升级。

倘若您一时无法作系统更新升级,用 PORTS 来安装新版的 Sendmail 也是不错的方法。

使用 PORTS 安装 sendmail 之后, FreeBSD 上便会有新旧两套 Sendmail 。您需要设定成
启动新的 Sendmail ,而旧的那一套不要跑起来。

请先更新 PORTS-Tree
# cd /usr/ports
# make update

查验 PORTS-Tree 中 Sendmail 的版本:

grep \PORTVERSION= /usr/ports/mail/sendmail/Makefile


Sendmail 的安装

先停止 Sendmail
# sh /etc/rc.sendmail stop

使用 PORTS 安装 Sendmail
# cd /usr/ports/mail/sendmail
# make SENDMAIL_WITH_SASL2=yes SENDMAIL_WITH_SMTPS=yes install clean

除了 make install 就能直接安装之外,您还可以先查看一下 Makefile 的内容,
还有其他的 OPTIONS 可以加入,就看您需不需要了。

安装完成后,Sendmail 的档案在 /usr/local/sbin/ 资料夹中:
# ls -l /usr/local/sbin/sendmail*

-r-xr-sr-x??1?root??smmsp???644148?Mar?18?05:02?sendmail

FreeBSD 原系统预设的 sendmail 是在 /usr/sbin/sendmail 。


安装新版的 sendmail.cf 档

编辑 /etc/mail/freebsd.mc档案,在档案末端加入以下11行设定
dnl The following lines are used to enable the STARTTLS function
define(`CERT_DIR', `/etc/mail/cert')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/mycert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/mykey.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')dnl
dnl The following lines are used to enable CYRUS-SASL function
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl

在编译安装sendmail.cf之前,习惯上我会还做更多的设定,以下是我的
freebsd.mc内容:

divert(-1)
#
# Copyright (c) 1983 Eric P. Allman
# Copyright (c) 1988, 1993
#     The Regents of the University of California. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#   notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#   notice, this list of conditions and the following disclaimer in the
#   documentation and/or other materials provided with the distribution.
# 3. All advertising materials mentioning features or use of this software
#   must display the following acknowledgement:
#     This product includes software developed by the University of
#     California, Berkeley and its contributors.
# 4. Neither the name of the University nor the names of its contributors
#   may be used to endorse or promote products derived from this software
#   without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#

#
# This is a generic configuration file for FreeBSD 4.X and later systems.
# If you want to customize it, copy it to a name appropriate for your
# environment and do the modifications there.
#
# The best documentation for this .mc file is:
# /usr/share/sendmail/cf/README or
# /usr/src/contrib/sendmail/cf/README
#

divert(0)
VERSIONID(`$FreeBSD: src/etc/sendmail/freebsd.mc,v 1.10.2.16 2002/05/22 16:39:14
gshapiro Exp $')
OSTYPE(freebsd4)
DOMAIN(generic)

FEATURE(access_db, `hash -o -T<TMPF> /etc/mail/access')
FEATURE(blacklist_recipients)
FEATURE(local_lmtp)
FEATURE(mailertable, `hash -o /etc/mail/mailertable')
FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')

FEATURE(local_procmail)dnl +
FEATURE(masquerade_entire_domain)dnl *
FEATURE(masquerade_envelope)dnl *
FEATURE(delay_checks)dnl *

dnl Uncomment to allow relaying based on your MX records.
dnl NOTE: This can allow sites to use your server as a backup MX without
dnl     your permission.
dnl FEATURE(relay_based_on_MX)

dnl DNS based black hole lists
dnl --------------------------------
dnl DNS based black hole lists come and go on a regular basis
dnl so this file will not serve as a database of the available servers.
dnl For that, visit http://dmoz.org/Computers/Internet/Abuse/Spam/Blacklists/

dnl Uncomment to activate Realtime Blackhole List
dnl information available at http://www.mail-abuse.com/
dnl NOTE: This is a subscription service as of July 31, 2001
dnl FEATURE(dnsbl)
dnl Alternatively, you can provide your own server and rejection message:
dnl FEATURE(dnsbl, `blackholes.mail-abuse.org', `"550 Mail from " $&{client_addr
} " rejected, see http://mail-abuse.org/cgi-bin/lookup?" $&{client_addr}')

dnl Dialup users should uncomment and define this appropriately
dnl define(`SMART_HOST', `your.isp.mail.server')

dnl Uncomment the first line to change the location of the default
dnl /etc/mail/local-host-names and comment out the second line.
dnl define(`confCW_FILE', `-o /etc/mail/sendmail.cw')
define(`confCW_FILE', `-o /etc/mail/local-host-names')

dnl Uncomment both of the following lines to listen on IPv6 as well as IPv4
dnl DAEMON_OPTIONS(`Name=IPv4, Family=inet')
dnl DAEMON_OPTIONS(`Name=IPv6, Family=inet6')

define(`confBIND_OPTS', `WorkAroundBrokenAAAA')
define(`confMAX_MIME_HEADER_LENGTH', `256/128')
define(`confNO_RCPT_ACTION', `add-to-undisclosed')
define(`confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy')
define(`confDOMAIN_NAME', `$w.$m')dnl *
MASQUERADE_AS(mis.ksut.edu.tw)dnl *
dnl The following lines are used to enable the STARTTLS function
define(`CERT_DIR', `/etc/mail/cert')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/mycert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/mykey.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')dnl
dnl The following lines are used to enable CYRUS-SASL function
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl *
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl *
MAILER(local)
MAILER(smtp)
MAILER(procmail)dnl +


*部份是我自行加上去的。其中 mis.ksut.edu.tw 是敝校的 domain ,您可别照抄。
其作用是让主机寄出的信只带有 domain ,而不是 hostname 。

+的部份则是要配合 procmail 时,才需要加上去的。

为了认证,加入下列内容:
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
本例,多加了认证方法:DIGEST-MD5 CRAM-MD5

另外,附加上access_db.m4等档案内容,如下:
FEATURE(access_db)
FEATURE(delay_checks)
FEATURE(virtusertable)

编译安装sendmail.cf:
# cd /etc/mail
# make cf SENDMAIL_MC=/etc/mail/freebsd.mc
# make install

安装 mail.local
为了让本机使用者不用经认证即可发信,更改mail.local之使用权限
# chown root /usr/local/libexec/mail.local
# chmod u+s /usr/local/libexec/mail.local
(原本旧的sendmail的mail.local 档案是在/usr/libexec目录下)


让旧的 Sendmail 开机时不启动

变更 /etc/rc.conf 的设定:


sendmail_enable="YES"
变更为
sendmail_enable="NONE"


让新的 Sendmail 开机即启动

/usr/local/etc/rc.d/ 资料夹中有两个与 Sendmail 启动相关的新档案:

-r-xr-xr-x   1 root   wheel     1363 Jul 8 15:58 sendmail.sh
-r-xr-xr-x   1 root   wheel       640 Jul 8 15:58 sm-client.sh

变更这两个档案的档名,以便开机时能自动执行:
mv sendmail.sh.sample sendmail.sh
mv sm-client.sh.sample sm-client.sh

编辑/etc/mail/mailer.conf档案
sendmail     /usr/local/sbin/sendmail
send-mail     /usr/local/sbin/sendmail
mailq       /usr/local/sbin/sendmail
newaliases     /usr/local/sbin/sendmail
hoststat     /usr/local/sbin/sendmail
purgestat     /usr/local/sbin/sendmail


(新增/etc/mail/local-host-names档:
里面填入localhost以及机器的完整名字(如mail.abc.com),这样一来由
本机发时时便不需再一次做使用者认证。)

(新增/etc/mail/relay-domains档:
填入本地的domainname,例如mydomain.com,当收件者不是给
mydomain.com时便会拒绝。)

编辑/etc/mail/access档案
127.0.0.1      RELAY
主机网域名称      RELAY

# cd /etc/mail
# makemap hash access.db < access
# makemap hash virtusertable.db < virtusertable


使用Cyrus SASL

建立sasl使用者及密码
# /usr/local/sbin/saslpasswd2 -c username
再输入密码

检视使用者帐号
# /usr/local/sbin/sasldblistusers2
注意,使用者帐号会自动附加上domain


使用SSL (此部分文章节录自中研院计算中心 张毓麟先生 所着)
由于Sendmail与OpenSSL都是FreeBSD 4.3-STABLE版作业系统内建的功
能,因此不需额外的安装手续,只需要根据我们的需要进行调整即可,最主要的
是要加上保密连线的金钥(key-pair)与授权凭证(CA; Certification Authority)。

通常,我们会向独立公正单位购买安全金钥以及授权凭证。但如果不愿意花钱
购买,也可以自行制作,自行制作的安全金钥以及授权凭证,在功能上与买来的
相同,但是向独立公正单位购买,会让使用者心理上觉得比较有保障。

安全连线至系需要三个档案才能启用,请将公正单位核发的key-pair与CA放置
于下列目录

server端的(秘錀)key-pair于/etc/mail/cert/mykey.pem
server端的(公錀)CA于/etc/mail/cert/mycert.pem
公正单位的CA于/etc/mail/cert/cacert.pem

请注意!如果使用公正单位所发出的key-pair,务必通知公正单位不可将mykey.pem
做DES编码,否则sendmail将无法于开机时自动启动。

如果想自行制作key-pair与CA,请依照下列指令操作
# mkdir /usr/local/CA
# cd /usr/local/CA
# mkdir certs crl newcerts private
# echo "01" > serial
# cp /dev/null index.txt
# cp /etc/ssl/openssl.cnf openssl.cnf

编辑openssl.cnf档案,将档案中的第38行的路径由./demoCA改成
/usr/local/CA。接着执行以下指令,假装自己是公正单位,做一个cacert.pem出
来。
# cd /usr/local/CA
# openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 365 -config openssl.cnf
请按萤幕上的指示,输入相关的系统资料,当萤幕上提示输入公正单位密码
(PEM pass phrase)的时候,请自行设定一个密码,并请牢记这个密码,以便日后
使用。

# cd /usr/local/CA
# openssl req -nodes -new -x509 -keyout mykey.pem -out myreq.pem -days 365 -config openssl.cnf
# openssl x509 -x509toreq -in myreq.pem -signkey mykey.pem -out tmp.pem
# openssl ca -config openssl.cnf -policy policy_anything -out mycert.pem -infiles tmp.pem
# rm -f tmp.pem

以下指令将key-pair与CA复制到/etc/mail/cert目录下,并设定正确权限
# mkdir /etc/mail/cert
# cp /usr/local/CA/mykey.pem /etc/mail/cert/
# cp /usr/local/CA/mycert.pem /etc/mail/cert/
# cp /usr/local/CA/cacert.pem /etc/mail/cert/
# chmod og-rwx /etc/mail/cert/mykey.pem
# chmod og=r /etc/mail/cert/mycert.pem
# chmod og=r /etc/mail/cert/cacert.pem

使用以下的指令建立CA的hash link,请特别注意引号的方向(建议剪贴以下指令,
以免不小必打字失误)
# cd /etc/mail/cert
# ln -s cacert.pem `openssl x509 -noout -hash < cacert.pem`.0

这样就完成了自行建立key-pair与CA的程序。这组key-pair与CA将可被
sendmail使用于保密连线的资料加密功能上。

现在就启动新的 Sendmail

/usr/local/etc/rc.d/sendmail.sh start


相关连结与资源:
http://www.sendmail.org/

转载自 http://solaris.mis.ksu.edu.tw/course/freebsd/sendmail_howto.txt



献花 x0 回到顶端 [楼 主] From:台湾新世纪资通 | Posted:2006-09-11 18:25 |
mnbmnb5266
个人文章 个人相簿 个人日记 个人地图
小有名气
级别: 小有名气 该用户目前不上站
推文 x5 鲜花 x46
分享: 转寄此文章 Facebook Plurk Twitter 复制连结到剪贴簿 转换为繁体 转换为简体 载入图片

教学不错。先收藏,等以后有时间再拿出来研究


我的收藏
https://pan.baidu.com/s/1QUJ9lr_VzxXKRJAlBJgUQA
提取码:am2c
献花 x0 回到顶端 [1 楼] From:加拿大Rogers | Posted:2010-08-21 22:26 |

首页  发表文章 发表投票 回覆文章
Powered by PHPWind v1.3.6
Copyright © 2003-04 PHPWind
Processed in 0.052876 second(s),query:16 Gzip disabled
本站由 瀛睿律师事务所 担任常年法律顾问 | 免责声明 | 本网站已依台湾网站内容分级规定处理 | 连络我们 | 访客留言