Installing Sendmail with SMTP Authentication


Installation environment:

RedHat Linux 9.0, either a full install or with at least the following packages installed:

  imap-2001a-18.i386.rpm
  sendmail-8.12.8-4.i386.rpm
  m4-1.4.1-13.i386.rpm
  cyrus-sasl-2.1.10-4.i386.rpm
  cyrus-sasl-md5-2.1.10-4.i386.rpm
  cyrus-sasl-plain-2.1.10-4.i386.rpm
  cyrus-sasl-gssapi-2.1.10-4.i386.rpm

Goal:

  Install and configure a mail server that requires authentication.

I. DNS (name server configuration)

  Assume the Linux host is named server with IP address 192.168.0.1. It is set up as the DNS server (alias ns) for the domain test.com, and also as the Sendmail server (alias mail).
  Run redhat-config-bind to start the name-service configuration tool.

        1. Create the forward zone
             1.1 Create the "forward zone" test.com
             1.2 Configure the "forward zone" test.com
                 Select test.com in the list and choose Properties to open the "Name to IP translation" dialog.
                 1.2.1 Change the primary name server
                       Set the SOA (primary name server) to ns.test.com.
                 1.2.2 Change the contact e-mail address to root@test.com
                 1.2.3 Add records (hosts or aliases)
                       1.2.3.1 Add server, address 192.168.0.1, mail exchanger mail
                       1.2.3.2 Add ns, address 192.168.0.1, mail exchanger mail
                       1.2.3.3 Add mail, address 192.168.0.1
                       1.2.3.4 Add localhost, address 192.168.0.1
                       1.2.3.5 Add the other hosts on the LAN
                 1.2.4 Set the zone record
                       Select test.com in the record list, click Edit, add the name server ns.test.com., and set the mail exchanger to mail with IP address 192.168.0.1

        2. Create the reverse zone
             2.1 Create the "reverse zone" 192.168.0
             2.2 Configure the "reverse zone" 192.168.0
                 Select 0.168.192.in-addr.arpa in the list and choose Properties to open the "IP to name translation" dialog.
                 2.2.1 Change the primary name server
                       Set the SOA (primary name server) to ns.
                 2.2.2 Change the contact e-mail address
                       Set the contact to root@test.com
                 2.2.3 Make sure ns. is listed among the name servers
                 2.2.4 Add records (hosts or aliases)
                       2.2.4.1 Address 192.168.0.1, host or domain server.test.com
                       2.2.4.2 Add the other hosts on the LAN

        3. Edit /etc/resolv.conf
             Add these two lines at the top of the file:
                  search  test.com
                  nameserver 192.168.0.1
                  # the ISP's name servers follow
                  nameserver 202.106.0.20
                  nameserver 202.106.46.151

        4. Restart the DNS server
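As an added example (not part of the original guide), the following shell script writes the BIND zone data that the redhat-config-bind steps above produce: a forward zone for test.com, the matching reverse zone for 192.168.0.0/24, and the two zone statements for /etc/named.conf. The host names and addresses are the ones the guide assumes (server, ns and mail all at 192.168.0.1); the output directory, the file names, the serial number and the SOA timer values are my own choices.

```shell
#!/bin/sh
# Generate the BIND zone data equivalent to the redhat-config-bind steps above.
# Constructed example: names/addresses are the ones the guide assumes; the
# output directory is an argument so nothing under /var/named is touched.
set -eu

ZONE="test.com"
REV="0.168.192.in-addr.arpa"     # reverse zone for 192.168.0.0/24
NS_IP="192.168.0.1"
SERIAL="2004051201"              # YYYYMMDDnn, bump on every change

# Forward zone: SOA/NS for ns.test.com., MX pointing at mail, A records for
# server, ns, mail and localhost (all 192.168.0.1, as in the GUI steps).
write_forward_zone() {
    cat > "$1/$ZONE.zone" <<EOF
\$TTL 86400
@         IN  SOA  ns.$ZONE. root.$ZONE. (
                   $SERIAL ; serial
                   28800      ; refresh
                   7200       ; retry
                   604800     ; expire
                   86400 )    ; minimum TTL
@         IN  NS   ns.$ZONE.
@         IN  MX   10 mail.$ZONE.
server    IN  A    $NS_IP
ns        IN  A    $NS_IP
mail      IN  A    $NS_IP
localhost IN  A    $NS_IP
EOF
}

# Reverse zone: one PTR per host (last octet only), so that
# 192.168.0.1 resolves back to server.test.com.
write_reverse_zone() {
    cat > "$1/$REV.zone" <<EOF
\$TTL 86400
@   IN  SOA  ns.$ZONE. root.$ZONE. (
             $SERIAL ; serial
             28800      ; refresh
             7200       ; retry
             604800     ; expire
             86400 )    ; minimum TTL
@   IN  NS   ns.$ZONE.
1   IN  PTR  server.$ZONE.
EOF
}

# The two zone statements that the GUI adds to /etc/named.conf.
write_named_conf_zones() {
    cat > "$1/named.conf.zones" <<EOF
zone "$ZONE" IN {
    type master;
    file "$ZONE.zone";
};
zone "$REV" IN {
    type master;
    file "$REV.zone";
};
EOF
}

write_zones() {
    mkdir -p "$1"
    write_forward_zone "$1"
    write_reverse_zone "$1"
    write_named_conf_zones "$1"
}

# Sanity check: every record the mail setup depends on must be present.
# Returns 0 when all are found, 1 otherwise.
check_zones() {
    grep -q "^@ *IN *MX *10 *mail\.$ZONE\.\$" "$1/$ZONE.zone" || return 1
    grep -q "^mail *IN *A *$NS_IP\$" "$1/$ZONE.zone" || return 1
    grep -q "^1 *IN *PTR *server\.$ZONE\.\$" "$1/$REV.zone" || return 1
    grep -q "^zone \"$REV\" IN {" "$1/named.conf.zones" || return 1
    return 0
}

# Usage: sh make_zones.sh /tmp/zones
if [ $# -gt 0 ]; then
    write_zones "$1"
    check_zones "$1" && echo "zone files written to $1"
fi
```

On Red Hat 9 the zone files belong under /var/named and the zone statements in /etc/named.conf; after copying them there and restarting named (step 4), `dig @192.168.0.1 mail.test.com` and `dig -x 192.168.0.1` confirm that the forward and reverse lookups the mail server relies on both answer.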

II. Sendmail configuration

  1. Edit /etc/mail/sendmail.mc. After the changes the file reads as follows:

  divert(-1)dnl
  dnl #
  dnl # This is the sendmail macro config file for m4. If you make changes to
  dnl # /etc/mail/sendmail.mc, you will need to regenerate the
  dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf package is
  dnl # installed and then performing a
  dnl #
  dnl #     make -C /etc/mail
  dnl #
  include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
  VERSIONID(`setup for Red Hat Linux')dnl
  OSTYPE(`linux')dnl
  dnl #
  dnl # Uncomment and edit the following line if your outgoing mail needs to
  dnl # be sent out through an external mail server:
  dnl #
  dnl define(`SMART_HOST',`smtp.your.provider')
  dnl #
  define(`confDEF_USER_ID',``8:12'')dnl
  define(`confTRUSTED_USER', `smmsp')dnl
  dnl define(`confAUTO_REBUILD')dnl
  define(`confTO_CONNECT', `1m')dnl
  define(`confTRY_NULL_MX_LIST',true)dnl
  define(`confDONT_PROBE_INTERFACES',true)dnl
  define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
  define(`ALIAS_FILE', `/etc/aliases')dnl
  dnl define(`STATUS_FILE', `/etc/mail/statistics')dnl
  define(`UUCP_MAILER_MAX', `2000000')dnl
  define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
  define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
  define(`confAUTH_OPTIONS', `A')dnl
  dnl #
  dnl # The following allows relaying if the user authenticates, and disallows
  dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
  dnl #
  dnl define(`confAUTH_OPTIONS', `A p')dnl
  dnl #
  dnl # PLAIN is the preferred plaintext authentication method and used by
  dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
  dnl # use LOGIN. Other mechanisms should be used if the connection is not
  dnl # guaranteed secure.
  dnl #
  TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl # <- modified (1)
  define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl # <- modified (2)
  dnl #
  dnl # Rudimentary information on creating certificates for sendmail TLS:
  dnl #     make -C /usr/share/ssl/certs usage
  dnl #
  dnl define(`confCACERT_PATH',`/usr/share/ssl/certs')
  dnl define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')
  dnl define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem')
  dnl define(`confSERVER_KEY',`/usr/share/ssl/certs/sendmail.pem')
  dnl #
  dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
  dnl # slapd, which requires the file to be readable by group ldap
  dnl #
  dnl define(`confDONT_BLAME_SENDMAIL',`groupreadablekeyfile')dnl
  dnl #
  dnl define(`confTO_QUEUEWARN', `4h')dnl
  dnl define(`confTO_QUEUERETURN', `5d')dnl
  dnl define(`confQUEUE_LA', `12')dnl
  dnl define(`confREFUSE_LA', `18')dnl
  define(`confTO_IDENT', `0')dnl
  dnl FEATURE(delay_checks)dnl
  FEATURE(`no_default_msa',`dnl')dnl
  FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
  FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
  FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
  FEATURE(redirect)dnl
  FEATURE(always_add_domain)dnl
  FEATURE(use_cw_file)dnl
  FEATURE(use_ct_file)dnl
  dnl #
  dnl # The -t option will retry delivery if e.g. the user runs over his quota.
  dnl #
  FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
  FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
  FEATURE(`blacklist_recipients')dnl
  EXPOSED_USER(`root')dnl
  dnl #
  dnl # The following causes sendmail to only listen on the IPv4 loopback address
  dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
  dnl # address restriction to accept email from the internet or intranet.
  dnl #
  dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl # <- modified (3)
  dnl #
  dnl # The following causes sendmail to additionally listen to port 587 for
  dnl # mail from MUAs that authenticate. Roaming users who can't reach their
  dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
  dnl # this useful.
  dnl #
  DAEMON_OPTIONS(`Port=25, Name=MSA')dnl # <- modified (4)
  dnl #
  dnl # The following causes sendmail to additionally listen to port 465, but
  dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
  dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
  dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
  dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
  dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
  dnl #
  dnl # For this to work your OpenSSL certificates must be configured.
  dnl #
  dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
  dnl #
  dnl # The following causes sendmail to additionally listen on the IPv6 loopback
  dnl # device. Remove the loopback address restriction listen to the network.
  dnl #
  dnl # NOTE: binding both IPv4 and IPv6 daemon to the same port requires
  dnl #       a kernel patch
  dnl #
  dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
  dnl #
  dnl # We strongly recommend not accepting unresolvable domains if you want to
  dnl # protect yourself from spam. However, the laptop and users on computers
  dnl # that do not have 24x7 DNS do need this.
  dnl #
  FEATURE(`accept_unresolvable_domains')dnl
  dnl #
  dnl FEATURE(`relay_based_on_MX')dnl
  dnl #
  dnl # Also accept email sent to "localhost.localdomain" as local email.
  dnl #
  LOCAL_DOMAIN(`localhost.localdomain')dnl
  dnl #
  dnl # The following example makes mail from this host and any additional
  dnl # specified domains appear to be sent from mydomain.com
  dnl #
  dnl MASQUERADE_AS(`mydomain.com')dnl
  dnl #
  dnl # masquerade not just the headers, but the envelope as well
  dnl #
  dnl FEATURE(masquerade_envelope)dnl
  dnl #
  dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well
  dnl #
  dnl FEATURE(masquerade_entire_domain)dnl
  dnl #
  dnl MASQUERADE_DOMAIN(localhost)dnl
  dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
  dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl
  dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
  MAILER(smtp)dnl
  MAILER(procmail)dnl


  The lines marked `# <- modified` (m4's dnl discards the marker, so the file stays valid) are the places that need changing; there are five changes in total.

  The first and second lines only need the leading comment (dnl) removed. TRUST_AUTH_MECH makes sendmail relay mail from any client that has authenticated with EXTERNAL, LOGIN, PLAIN, CRAM-MD5 or DIGEST-MD5, whatever the access file says; confAUTH_MECHANISMS sets which authentication mechanisms the system offers. The mechanism Outlook Express supports is LOGIN.

  The third line gets a comment prefix (dnl) added, so that sendmail listens on every network interface and serves the whole network instead of only the local host.

  The fourth line is edited; the original was:

  dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl

  Remove the leading comment marker and change the content to Port=25:

  DAEMON_OPTIONS(`Port=25, Name=MSA')dnl

  Authentication is then done on the default SMTP port (25) rather than on port 587, which forces every user who relays mail through this server to authenticate before sending.

  2. Regenerate sendmail.cf:

  # make -C /etc/mail

  3. Edit /etc/mail/local-host-names and add the mail domains this server should accept mail for; for a mailbox xxx@abc.com.cn, add abc.com.cn to the file.

  4. Restart the sendmail service:

  # service sendmail restart

  5. Check that the sendmail service has started
            Connect with telnet to the host's IP address on port 25; if the connection succeeds, sendmail is up and running.
  # telnet localhost 25
  Trying 127.0.0.1...
  Connected to localhost.
  Escape character is '^]'
  220 localhost.localdomain ESMTP Sendmail 8.12.8/8.12.8; Wed, 12 May 2004 15:57:01 +0800
  ehlo localhost
  250-ENHANCEDSTATUSCODES
  250-PIPELINING
  250-8BITMIME
  250-SIZE
  250-DSN
  250-AUTH GSSAPI LOGIN PLAIN
  250-DELIVERBY
  250-HELP
  quit
  # 

  If LOGIN appears after AUTH, Outlook Express should be able to authenticate.
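The EHLO reply above tells you more than whether the daemon is up: together with the TRUST_AUTH_MECH / confAUTH_MECHANISMS lines and the commented confAUTH_OPTIONS `A p' and confSERVER_CERT lines in sendmail.mc, it shows whether the LOGIN/PLAIN credentials that Outlook Express sends will cross the network readable. The following script is an added example (not part of the original guide) that audits a captured EHLO reply for exactly that combination. The three sample replies are constructed for this example (the first mirrors the transcript above); the function names and return codes are my own.

```shell
#!/bin/sh
# Audit an SMTP EHLO reply for the AUTH / STARTTLS combination.
# Constructed example, not part of the original guide. Reads the server's EHLO
# reply on stdin (captured from the telnet session above, or with
#   printf 'EHLO x\r\nQUIT\r\n' | nc 192.168.0.1 25 > reply.txt ).
set -eu

# audit_ehlo < reply.txt
#   returns 0: AUTH offered and no cleartext mechanism without STARTTLS
#   returns 1: LOGIN and/or PLAIN offered but no STARTTLS (base64 is not
#              encryption; the password crosses the wire readable)
#   returns 2: no AUTH line at all (clients cannot authenticate to relay)
audit_ehlo() {
    reply=$(tr -d '\r')
    mechs=$(printf '%s\n' "$reply" | sed -n 's/^250[- ]AUTH[= ]*//p' | tr '\n' ' ')
    if [ -z "$mechs" ]; then
        echo "NO AUTH: sendmail is not advertising SMTP AUTH (check the"
        echo "  TRUST_AUTH_MECH/confAUTH_MECHANISMS lines and that saslauthd is running)"
        return 2
    fi
    has_tls=0
    if printf '%s\n' "$reply" | grep -q '^250[- ]STARTTLS'; then
        has_tls=1
    fi
    cleartext=""
    for m in $mechs; do
        case "$m" in
            LOGIN|PLAIN) cleartext="$cleartext$m " ;;
        esac
    done
    if [ -n "$cleartext" ] && [ "$has_tls" -eq 0 ]; then
        echo "WARNING: cleartext mechanisms (${cleartext}) offered without STARTTLS;"
        echo "  configure confSERVER_CERT/confSERVER_KEY and switch to confAUTH_OPTIONS A p"
        return 1
    fi
    echo "OK: AUTH ${mechs}(STARTTLS=$has_tls)"
    return 0
}

# Constructed EHLO replies: the first mirrors the telnet transcript above
# (port 25, LOGIN/PLAIN, no TLS), the second a TLS-enabled server, the third
# a server that does not offer AUTH at all.
SAMPLE_PLAINTEXT='250-localhost.localdomain Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH GSSAPI LOGIN PLAIN
250-DELIVERBY
250 HELP'

SAMPLE_TLS='250-mail.test.com Hello client [192.168.0.2], pleased to meet you
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250 HELP'

SAMPLE_NOAUTH='250-mail.test.com Hello client [192.168.0.2], pleased to meet you
250-ENHANCEDSTATUSCODES
250 HELP'

# Run the audit over one sample string; prints the verdict, returns its code.
audit_sample() {
    printf '%s\n' "$1" | audit_ehlo
}

# Stand-alone run: audit a captured reply given as a file, else the samples.
if [ $# -gt 0 ]; then
    audit_ehlo < "$1"
else
    for s in "$SAMPLE_PLAINTEXT" "$SAMPLE_TLS" "$SAMPLE_NOAUTH"; do
        audit_sample "$s" || echo "  (exit status $?)"
    done
fi
```

Run against the server configured in this guide (port 25, no certificate), the audit reports the WARNING case, which is what the sendmail.mc comments themselves anticipate: enabling the commented confSERVER_CERT/confSERVER_KEY lines and the `A p' variant of confAUTH_OPTIONS keeps LOGIN/PLAIN for Outlook Express but only after STARTTLS. The transcript on this page advertises only GSSAPI LOGIN PLAIN although confAUTH_MECHANISMS also lists DIGEST-MD5 and CRAM-MD5; on Red Hat 9 sendmail checks passwords through saslauthd against the system accounts, and that path can only verify mechanisms that hand over the password itself, so the shared-secret mechanisms are dropped from the advertisement. If the AUTH line is missing entirely, the first thing to check is that saslauthd is running.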

III. POP3 service configuration

  1. Enable the ipop3 service. Run:

  # setup

  In the system services list tick ipop3, then choose 'OK' to save and exit.

  2. Restart xinetd. Run:

  # service xinetd restart

  3. Check that the smtp and pop3 services are listening. Run:

  # netstat -l

IV. Usage
  1. Creating a new mailbox
     Every new Linux user automatically gets a mailbox; for example, creating the user newuser gives the mailbox newuser@test.com.

  2. Using Outlook
     Create a new account newuser with server as both the SMTP and POP3 server, user name newuser and that user's Linux password, and tick "My server requires authentication".

  3. Using newuser@test.com
     Mail can now be sent and received as newuser@test.com.

