RHEL5中配置Sendmail邮件服务 收藏二
2009-12-01 15:31
513 查看
19 ☆sendmail别名
sendmail的主要的别名配置文件是/etc/aliases。在sendmail决定消息的接受者的目的地的之前,其先试图在别名中查找。为了优化查找,sendmail为其别名记录建立了一个哈希表数据库/etc/aliases.db该文件通过newaliases命令产生(该命令是sendmail -bi的同名)下列命令将增加用户student(如果不存在的话)useradd student在/etc/aliases 行加入如下的行:me: student(别名:实际用户名)wizards: root, memethere: student@panda.panda.com现在运行newaliases命令来更新数据库尝试发送邮件给您定义的收件人:echo "hello there" | mail -s "hello" meecho "hello there" | mail -s "hello" wizardsecho "hello there" | mail -s "hello" methere您是否得到了期望的结果?是否所有的位于wizards的收件人都受到了邮件?如果没有,su - 到不是root的用户再试一次。如果没有收到,可能需要在/etc/mail/access中打开权限20 ☆sendmail允许转发
通过控制您的机器的混杂转发,您可以使得任何人都能够将您的机器作为转发的主机。配置/etc/mail/sendmail.mc, 通过加入如下行使得m4前置处理器允许混杂转发(可以发到任何地址):/etc/mail/sendmail.mc中添加FEATURE(`promiscuous_relay')dnl使用m4前置处理机通过这个模板文件生成一个新的sendmail配置文件,然后将新生成的文件与通过sendmail RPM软件包提供的进行比较m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.relaydiff /etc/mail/sendmail.relay /etc/mail/sendmail.cf使用混杂转发以后会有多大的不同呢?现在将新建立的sendmail.relay放置在恰当的位置上,重新启动sendmail.mv /etc/mail/sendmail.cf /etc/mail/sendmail.cf.accept-mailcp /etc/mail/sendmail.relay /etc/mail/sendmail.cfservice sendmail restart让您的伙伴扮演恶意的垃圾邮件的发送者,该人能够通过telnet到您的机器上的smtp(sendmail)的25号断口,进行垃圾邮件发送地址的欺骗,在panda主机上键入如下命令:[root@panda ~]# telnet panda 25Trying 127.0.0.1...Connected to panda.panda.com (127.0.0.1).Escape character is '^]'.220 panda.panda.com ESMTP Sendmail 8.13.1/8.13.1; Thu, 27 Jul 2006 01:12:37 +0800helo panda.panda.com250 panda.panda.com Hello panda.panda.com [127.0.0.1], pleased to meet youmail from: panda@panda.panda.com250 2.1.0 panda@panda.panda.com... Sender okrcpt to:root@panda.panda.com250 2.1.5 root@panda.panda.com... Recipient okdata354 Enter mail, end with "." on a line by itselfSubject: Fakedthis was faked!250 2.0.0 k6QHCb8x007709 Message accepted for deliveryquit221 2.0.0 panda.panda.com closing connectionConnection closed by foreign host.垃圾邮件现在送到您的机器上了。下一步,发给其他主机21 ☆sendmail不允许转发
通过替换新的sendmail.cf为接受传入的信件的配置文件来恢复缺省的sendmail的配置,并且重新启动sendmail:注释掉这行FEATURE(promiscuous_relay)dnlmv /etc/mail/sendmail.cf.accept-mail /etc/mail/sendmail.cfservice sendmail restart让您的伙伴再从stationY转发垃圾邮件。您的sendmail还是一个转发器么?任何一个转发的都会产生如下的消息:550 5.7.1 kddk@kdk.com... Relaying denied但是本机是可以转发的(access文件中定义)22 ☆sendmail选择性的转发
对于特定的主机,域或者网络,编辑/etc/mail/access并且重新启动sendmail。为了允许所有在panda.com域中的机器可以把您的机器作为邮件转发服务器,你在/etc/mail/access中添加如panda.com域。然后用#makemap hash access.db<access23 ☆m4
sendmail是一个极为复杂的程序,其行为主要地依赖于在UNIX界"臭名昭著"的/etc/sendmail.cf配置文件。实际上,我怀疑会有谁真的从头去写一个sendmail.cf文件。一般来说,我们总是用m4宏处理来书写sendmail.cf。实际上,m4程序几乎和sendmail.cf一样复杂,不过,通常我们只需要关心一些比较重要的部分。 要使用宏处理程序,必须确定你已经安装了m4和sendmail-cf这样两个软件包用m4程序可以生成一个sendmail.cf: #m4 sendmail.mc > /sendmail.cf24 ☆sendmail总结
配置接收邮件,/etc/mail/sendmail.mc dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')m4 sendmail.mc > sendmail.cf添加别名 在/etc/aliases加入别名,newaliases不充许转发:默认转发:在sendmail.mc 加入 FEATURE(promiscuous_relay) dnl选择转发: /etc/mail/access 用户和主机访问控制/etc/mail/accessdomain.com RELAYUSER@ REJECTUSER@domain.com REJECTIP RELAYmakemap hash access.db<access或makemap hash access <access .db可以省略25 ☆新建E-Mail帐号
在LINUX中,要为一个新的用户开E-Mail帐号是十分简单的。只要在LINUX系统中新增一个用户就可以了。那么这个用户帐号和密码就是E-Mail的帐号和密码。我为一个新用户test开一个E-Mail帐号。就用以下命令:#adduser panda, # passwd panda这样,这个新用户的E-Mail地址就是: panda@panda.com 密码当然就是帐号的密码了。要防止本地用户利用 sendmail 服务器上的漏洞,最好是让邮件用户只使用电子邮件程序来访问 sendmail 服务器。邮件服务器上的 Shell 帐号不应该被允许,/etc/passwd 文件中的所有用户 shell 都应该被设置为 /sbin/nologin,在添加系统用户时可以useradd -s /sbin/nologin 用户名,这样添加的用户名就没有了shell,只能收发信而不能登陆到服务器运行其他程序,安全一点。26 ☆sendmail邮件限额
当一个E-Mail服务器为许多人提供E-Mail服务的时候,无限量的电子邮件将很容易塞满服务器的硬盘,造成很大的负载。如果你的服务器不想为用户提供无限空间的E-Mail暂存空间,那么你就可以使用"邮件限额"来给用户一个有限的暂存空间。 其实,它是利用磁盘限额功能来实现的。电子邮件的暂存空间是在/var/spool/mail目录下,只要通过磁盘限额设定每一个用户在这个目录下能使用的最大空间就可以了。27 ☆mailstats
邮寄状态查询命令,可查询sendmail运行作至今邮件收发总计资料。M :msgsfr:发送的邮件数量bytes_from:邮件容量megsto:收到邮件的数量。bytes_to:同上msgsrej:邮件deny的次数。msgsdis:邮件discard的次数。Mailer :esmtp对外邮件,local本地邮件。28 ☆mailq
#/usr/bin/mailq邮件队列查询命令。Q-ID 邮件id号。Size 邮件容量。Q-Time 邮件进入队列(也就是/var/spool/mqueue目录)的时间和不能邮寄的原因。Sender/Recipient 发信和收信人的邮箱地址。29 ☆sendmail -q
当命令sendmail -q发出以后,sendmail将会试图仍在队列中等待的邮件。可以在后面跟上时间‘s’是秒,‘m’分钟(缺省),‘h’小时, ‘d’天,‘w’周. 30 ☆sendmail管理邮件队列
一般当你发送一封邮件的时候,sendmail倾向于立刻发送这一封电子邮件。但是如果 当前网络忙使得无法立刻投递信件,或者是目标地址的连接速度太慢,无法在短时间内投递到目标地址处,那么sendmail将把待发送的邮件排入队列,并在合适的时候重新发送。队列文件通常存放在/var/spool/mqueue下面,每个待发送的邮件由几个文件构成例如,我们可以看到下面的目录文件列表: [root@mail mqueue]# ls dfRAA27175 xfAAA00733 xfBAA00819 xfEAA32763 xfXAA00706 qfRAA27175 xfAAA00784 xfDAA01360 xfFAA01616 文件名字总是由一个两字符的前缀加上一个随机数字。前缀有四钟: df:邮件内容 qf:邮件头和一些控制信息 xf:一些临时文件 tf:qf文件的临时存储文件 可以通过看队列中的qf文件来确定当前队列信息,不过通常都可以用mailq程序来完成 对队列状态的查询: [root@mail mqueue]# mailq Mail Queue (1 request) --Q-ID-- --Size-- -----Q-Time----- ------------Sender/Recipient----------- - RAA27175 22429 Fri Feb 25 17:34 : deferred) chaszhj@21cn.net 这表示队列中目前只有一封信,由zhangfl发出,收信人是chaszhj@21cn.net。 由sendmail接受到的信件在用户取走之前将暂时存储在/var/spool/mail目录下面,存 储的方法非常简单,就是每个有待读邮件的用户一个文件: [root@mail spool]# ls -l /var/spool/mail |more total 19364 -rw-rw---- 1 anyi mail 7559035 Feb 28 22:04 anyi -rw-rw---- 1 baixuan mail 514 Nov 7 01:32 baixuan -rw-rw---- 1 cwc mail 515 Feb 28 08:35 cwc 如果一个用户有多封电子邮件,那么这些邮件就被简单地连接在一起构成一个大文件 (所以你会看到非常巨大的邮件文件)。 如果你面对的是一个很庞大的邮件服务系统,有时会在某个邮件队列中拥塞太多的消 息,你可能想把这个队列暂停并且在网络空闲的时候再发送,暂停一个邮件队列的办法非常简单,就是将/var/spool/mqueue目录移走: killall sendmail mv /var/spool/mqueue /var/spool/mqueue.stop mkdir /var/spool/mqueue sendmail -bd 当网络空闲的时候,可以用-oQ参数立即处理拥塞的队列: sendmail -oQ /var/spool/mqueue.stop -q 31 ☆SMTP协议的基本命令
在/etc/mail/helpfile中有描述为了使用这种测试技术,你需要了解SMTP协议的基本命令,这样的命令有14个,在下面列出: HELO 标志发起smtp请求的主机,例如,从client1发起smtp会话,可以使用 HELO client1 MAIL FROM: 启动一个邮件会话,在这个行中需要标志发信人的信封地址,例如,要从user1@client1发出邮件,使用MAIL FROM:user1@client1,注意尖括号的用法。 RCPT TO: 标志收信人的信封地址,例如,要发送给user2@mail2,使用RCPT TO: user2@mail2。在一个MAIL FROM之后可以给出多个收信人地址,以便实现多副本的传送。 VRFY 验证某个地址,例如,要确定test@mail是一个可以投递的地址,使用VRFY test@mail。 EXPN 显示某个收件人地址或者用户名的实际名字。例如,要显示postmaster用户的实际投 递地址,使用EXPN postmaster。如果在某个用户的目录下有.forward文件,这个文件的 内容将会被自动使用。 DATA 开始写信,在MAIL和RCPT之后可以使用这个命令传输信件正文,传输完毕之后输入一 个.退出。 QUIT 关闭smtp会话 RSET 复位连接状态 HELP 显示这个命令表。 32 ☆sendmail测试
/etc/mail目录下配置一些文档。# cd /etc/mail # echo 'examply.com' >> local-host-names 接收邮件的主机名# echo 'localhost RELAY' >> access 用来拒绝或允许来自某个域的邮件,本例允许本地转发。# makemap hash access < access 生成access.db数据库# touch domaintable 用来把旧域名映射互新域名# makemap hash domaintable < domaintable # touch mailertable 来覆盖向指定域的路由# makemap hash mailertable < mailertable # touch trusted-users # touch virtusertable 用来把用户和域名映射到其它地址# makemap hash virtusertable < virtusertable # chown root:wheel /var/spool/mqueue/ # chmod 700 /var/spool/mqueue # touch aliases 别名数据库,文本形式。可参照源码目录树下sendmail/aliases文件。# newaliases 从文本文件中创建一个新的别名数据库文件。# sendmail -v -bi 调试启动。/etc/mail/aliases: 42 aliases, longest 10 bytes, 432 bytes total如果出现以上提示信息,则启动成功。可用以下命令正式启动: 打开你喜欢的Mail Client,设置smtp服务器为:localhost (假如和服务器在同一台机子上,也可以设置本机的IP),端口为:25.然后随便一段测试信息,填写好接收邮件的地址,按发送。你的Mail Client会提示邮件已发送。实际上你的邮件还在计算机上排队,并未发出!要发送所有排队的邮件,你需要连上网,然后你root身份登陆,并运行:# sendmail -q .现在你的邮件就会发送到指定的邮箱中。 33 ☆postfix安装
在安装Postfix前,需要关闭sendmail服务和开机时的自启动,使用如下命令: #service sendmail stop #chkconfig sendmail off在http://www.postfix.com/上下载需要的postfix的rpm安装包,或在RHEL5的安装光盘中找到需要安装的rpm包,然后进行安装: #rpm -ivh postfix-2.3.3-2.i386.rpm (第三张光盘)34 ☆postfix收取邮件
为了安全的原因,sendmail和postfix的缺省的配置允许发邮件但是不允许从网络上接收邮件(缺省的它们只接受从回环接口上的连接)。修改/etc/postfix/main.cf找到并注释如下行inet_interfaces = localhost取消注释该行:inet_interfaces = all35 ☆Postfix启动和校验
运行#service sendmail start#/etc/init.d/postfix start使用图形工具#system-switch-mail使得postfix成为活跃的MTA。也可以使用如下的命令行:#alternatives -set mta /usr/sbin/sendmail.postfix重新启动命令如下:#service postfix restart确定hostname命令正确的返回您的主机名称。确保DNS配置正确应该是您的FQDN。如果sendmail返回您的主机名称为localhost,您可能错误配置了/etc/hosts文件。检查您的/etc/hosts文件,删除所有的但记住留下localhost的指向,然后再试一遍。如果/etc/hosts文件是正确的,那么检查一下在/etc/sysconfig/netwoek中的HOSTNAME的定义。当这些值都正确的时候,启动postfix服务。确定postfix在启动的时候没有错误Red Hat Linux的安装使用提供的syslog工具来记录所有的信息到文件/var/log/maillog中去。检查此文件中的最后查找任何错误信息。试图向root@server1发送简单的邮件并且检查/var/log/maillog的记录文件#mail -s `echo $USER` root@panda < /etc/redhat-release应该如下所示:Jul 26 20:55:10 localhost postfix/pickup[4902]: 717AB335FE: uid=0 from=<root>Jul 26 20:55:10 localhost postfix/cleanup[4943]: 717AB335FE: message-id=<20060726125510.717AB335FE@panda.com>Jul 26 20:55:10 localhost postfix/qmgr[4903]: 717AB335FE: from=<root@panda.com>, size=314, nrcpt=1 (queue active)Jul 26 20:55:10 localhost postfix/local[4945]: 717AB335FE: to=<root@panda.com>, relay=local, delay=0, status=sent (delivered to mailbox)Jul 26 20:55:10 localhost postfix/qmgr[4903]: 717AB335FE: removed36 ☆Postfix的别名
在postfix决定消息的接受者的目的地的之前,其先试图在别名中查找。postfix的主要的别名配置文件是/etc/aliases。为了优化查找,postfix为其别名记录建立了一个哈希表别名数据库/etc/aliases.db(和sendmail类似).该文件通过newaliases命令产生。下列命令将增加用户student(如果不存在的话)useradd student在/etc/aliases 行加入如下的行:注意:注释root别名的那一行为postfixme: studentwizards: root, memethere: panda@panda.com现在运行newaliases 更新数据库尝试发送邮件给您定义的收件人:echo "hello there" | mail -s "hello" meecho "hello there" | mail -s "hello" wizardsecho "hello there" | mail -s "hello" methere是否所有的位于wizards的收件人都受到了邮件?要确认/etc/mail/access中打开权限37 ☆postfix允许转发
缺省的postfix允许在子网上的任何人通过您的机器进行转发。但是并不是在每一个环境中都安全的。例如,您的机器和其他机器在一起,如果您的本地子网里有一台机器被其他人控制,那么其他的机器都会有麻烦。让您的伙伴扮演恶意的垃圾邮件的发送者,该人能够通过telnet到您的机器上的postfix的25号断口,进行垃圾邮件发送地址的欺骗,在panda键入如下命令: [root@panda mail]# telnet panda 25Trying 127.0.0.1...Connected to panda.com (127.0.0.1).Escape character is '^]'.220 panda.com ESMTP Postfixhelo root.panda.com250 panda.commail from:panda@panda.com250 Okrcpt to: root@panda.com250 Okdata354 End data with <CR><LF>.<CR><LF>Subject: Fakedthis was faked!250 Ok: queued as 9DB2733601quit221 ByeConnection closed by foreign host.垃圾邮件现在送到您的机器上了。下一步,看看您的伙伴能不能从您的机器转发给第三台机器:由于您的机器已经被配置成为允许混杂转发,垃圾邮件可以通过您的机器进行邮件转发。注意/var/log/maillog的变化38 ☆postfix不允许转发
编辑文件/etc/postfix/main.cf取消转发。查找并且取消注释下面的行,mynetworks_style = host并且重新启动postfix让您的伙伴再从stationY转发垃圾邮件。您的postfix还是一个转发器么?任何一个转发的都会产生如下的消息:554 <root@panda.panda.com>: Recipient address rejected: Relay access denied39 ☆postfix选择性的转发
对于特定的主机,域或者网络,编辑/etc/postfix/main.cf并且重新启动postfix。对于特定的主机允许通过您的机器进行转发,找到并且取消注释该行:mynetworks_style = host然后添加新行来允许转发的主机和网络,在这里允许station1和本地转发mynetworks = 192.168.152.128, 127.0.0.0/840 ☆postfix接收和转发的条件
(1)默认情况下,postfix接收符合以下条件的邮件:目的地为$inet interfaces的邮件;目的地为$mydestination的邮件;目的地为$virtual_alias_maps的邮件。(2)默认情况下,postfix转发符合以下条件的邮件:来自客户端IP地址符合$mynetworks的邮件;来自客户端主机名称符合relay_domains及其子域的邮件;目的地为$relay_domains及其子域的邮件。41 ☆主配置文件main.cf
修改/etc/postfix/main.cf的配置:myhostname = mail.cngnu.org指定运行postfix服务的邮件主机的主机名称(FQDN名)mydomain = cngnu.org指定运行postfix服务的邮件主机的域名称myorigin = $mydomain设置由本台邮件主机寄出的每封邮件的邮件头中mail from的地址inet interfaces = all默认情况下,inet interfaces参数的值被设置为localhost,这表明只能在本地邮件主机上寄信。如果邮件主机上有多个网络接口,而又不想使全部的网络接口都开放Postfix服务,就可以用主机名指定需要开放的网络接口。不过,通常是将所有的网络接口都开放,以便接收从任何网络接口来的邮件,即将inet interfaces参数的值设置为“all”。mydestination = $mydomain,$myhostname只有当发来的邮件的收件人地址与该参数值相匹配时,Postfix才会将该邮件接收下来。例如,这里将该参数值设置为$mydomain,$myhosname,表明无论来信的收件人地址是xxx@cngnu.org(其中,XXX表示某用户的邮件账户名),还是xxx@mail.cngnu.org,Postfix都会接收这些邮件。mynetworks_style = hostmynetworks = 127.0.0.0/8,192.168.1.0/24设置可转发(Relay)哪些网络的邮件.可以使用mynetworks参数来设置。可将该参数值设置为所信任的某台主机的IP地址,也可设置为所信任的某个IP子网或多个IP子网(用“,”或者“”分隔)。这里,将mynetworks参数值设置为192.168.16.0/24,则表示这台邮件主机只转发子网192.168.16.0/24中的客户端所发来的邮件,而拒绝为其他子网转发邮件。relay_domains = gdvcp.netmynetworks参数是针对邮件来源的IP来设置的,而relay_domains参数则是针对邮件来源的域名或主机名来设置的。例如,将该参数值设置为gdvcp.net,则表示任何由域gdvcp.net发来的邮件都会被认为是信任的,Postfix会自动对这些邮件进行转发。virtual_alias_domains = dzxx.cn,panda.com用来指定虚拟别名域的名称virtual_maps = hash:/etc/postfix/virtual #,mysql:/etc/postfix/virtual.mysql含有虚拟别名域定义的文件路径。alias_maps = hash:/etc/aliases指定含有用户别名定义的文件路径alias_database = hash:/etc/aliases指定别名表数据库文件路径。home_mailbox = Maildir/mailbox_transport = cyrusfallback_transport = cyrussmtpd_sasl_auth_enable = yes指定是否要启用SASL作为SMTP认证方式。默认不启用,这里必须将它启用,所以要将该参数值设置为“yes”。smtpd_sasl_local_domain = ''如果采用Cyrus-SASL V2版进行认证,那么这里不作设置。 smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination表示通过收件人地址对客户端发来的邮件进行过滤。通常有以下几种限制规则。permit_mynetworks:表示只要是收件人地址位于mynetworks参数中指定的网段就可以被转发邮件permit_sasl_authenticated:表示允许转发通过SASL认证的邮件。reject_unauth_destination:表示拒绝转发含未信任的目标地址的邮件。broken_sasl_auth_clients = yes表示是否兼容非标准的SMTP认证。有一些Microsoft的SMTP客户端(如Outlook Express 4.x)采用非标准的SMTP认证协议,只需将该参数设置为"yes"就可解决这类不兼容问题。smtpd_client_restrictions = permit_sasl_authenticated表示限制可以向postfix发起SMTP连接的客户端。如果要禁止未经过认证的客户端向postfix发起SMTP连接,则可将该参数值设置为permit_sasl_authenticatedsmtpd_sasl_security_options = noanonymous用来限制某些登录的方式。如果将该参数值设置为noanonymous,则表示禁止采用匿名登录方式。 permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/filter.mysql, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_sender_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_unauth_destination, permit如果希望支持更多的虚拟域,可以在mydestination参数后面加上你所要支持的域即可。通过virtual和virtual.mysql为系统提供了邮箱本地查询表。42 ☆virtual
/etc/postfix/virtual虚拟别名 实际名@dzxx.cn @gdvcp.netadmin@panda.com lbtst123@panda.com st123001,st123002,st123003daliu@panda.com lbt,liu6812@163.com43 ☆master.cf
由postfix运行的守护程序44 ☆pcre_table
地址改写的或邮件路由的perl表达式45 ☆postfix-files
postfix文件和权限46 ☆postfix-script
管理postfix,类似start,stop47 ☆regexp_table
从postfix查找账号的表用postconf -m来检查48 ☆relocated
用户转移到新位置,用这里来重定向49 ☆transport
指定一个传输协议50 ☆postconf
postconf测试配置文件postconf -n看当前配置文件的路径51 ☆重启postfix
修改main.cf和virtual,aliases后postmap /etc/postfix/virtual生成etc/postfix/virtual.dbpostalias /etc/aliases生成/etc/aliases.dbpostfix reload重载main.cf 52 ☆SMTP认证的配置
如果任何人都可以通过一台邮件服务器来转发邮件,会有什么后果呢?很可能这台邮件服务器就成为了各类广告与垃圾信件的集结地或中转站,网络带宽也会很快被耗尽。为了避免这种情况的出现,MTA默认不会对外开放转发功能,而仅对本机(1ocalhost)开放转发功能。但是,在实际应用中,必须在MTA主配置文件中通过设置mynetworks、relay domains参数来开放一些所信任的网段或网域,否则该邮件服务器几乎没有什么用途。在开放了这些所信任的网段或网域后,还可以通过设置SMTP认证,对要求转发邮件的客户端进行用户身份(用户账户名与密码)验证。只有通过了验证,才能接收该用户寄来的邮件并帮助转发。目前,比较常用的SMTP认证机制是通过Cyrus-SASI.。包来实现的。53 ☆Cyrus-SASL
是Cyrus Simple Authentication and Security Layer的简写,它最大的功能是为应用程序提供了认证函数库。应用程序可以通过函数库所提供的功能定义认证方式,并让SASL。通过与邮件服务器主机的沟通从而提供认证的功能。54 ☆Cyrus-SASL安装
rpm -qa | grep sasl55 ☆Cyrus-SASL启动
运行saslauthd守护进程service saslauthd restart56 ☆Cyrus-SASL认证机制
默认情况下,Cyrus-SASL V2版使用saslauthd这个守护进程进行密码认证,而密码认证的方法有多种,使用下面的命令可查看当前系统中的Cyrus-SASL V2所支持的密码验证机制。[root@panda mail]# saslauthd -vsaslauthd 2.1.19authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap57 ☆saslauthd配置
配置saslauthd使用shadow认证方案:/etc/sysconfig/saslauthdMECH=shadow配置saslauthd使用PAM认证方案(非默认,需要配置pam,否则测试失败):/etc/sysconfig/saslauthdMECH=pam 命令行方式启动验证方案:saslauthd -a shadow 用shadow的用户和密码进行验证58 ☆测试Cyrus-SASL
ps aux | grep saslauthdservice saslauthd restarttestsaslauthd -u userid -p password [root@panda ~]# testsaslauthd -u student -p '111111'0: OK "Success."如果出现以上信息,就说明saslauthd正常运行了。表示认证功能有效服务器启动后,可以用telnet连接服务器。# telnet localhost 25Trying 127.0.0.1...Connected to localhost.Escape character is '^]'.220 test.tigerhead ESMTP Sendmail 8.12.10/8.12.10; Tue, 30 Mar 2004 14:50:14 +0800ehlo test (!!!!!!!!注意命令是ehlo)你输入的命令,按回车结束。250-test.tigerhead Hello LOCALHOST.localdomain [127.0.0.1], pleased to meet you250-ENHANCEDSTATUSCODES250-PIPELINING250-8BITMIME250-SIZE250-DSN250-ETRN250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN #就表明SMTP认证成功250-DELIVERBY250 HELP以250-开头的为服务器的响应信息。注意倒数第三行,这就是成功配置smtp验证的显示。输入quit离开。59 ☆Cyrus-SASL配置MTA
postfix中更改main.cf中的配置smtpd_sasl_auth_enable = yes smtpd_sasl_local_domain = smtpd_sasl_security_options = noanonymous broken_sasl_auth_clients = yes 建立/usr/lib/sasl2/smtpd.conf设置Postfix使用SASL的saslauthd认证守护进程来支持smtp auth认证,并只打开了plain和login认证模块:[root@mail root]# echo pwcheck_method:saslauthd > /usr/lib/sasl2/smtpd.conf[root@mail root]# echo mech_list: plain login >> /usr/lib/sasl2/smtpd.conf sendmail中更改/etc/mail/sendmail.mc去掉下面俩行的注释TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnldefine(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl如果sendmail没办法收信,就把DAEMON_OPTIONS(`Port=587, Name=MSA, M=Ea')dnl 改为 DAEMON_OPTIONS(`Port=25, Name=MSA')dnl (这一句不能和DAEMON_OPTIONS(`Port=25, Name=MTA')dnl同时存在)建立/usr/lib/sasl2/Sendmail.conf当sendmail要使用SMTP认证时,必须创建一个SASL的配置文件来把MTA程序定义成一个SASL应用。配置文件名为Sendmail.conf(注意是大写的S),位于/usr/lib/sasl2目录中,也就是/usr/local/sasl2/lib/sasl2这个目录,记得上面新建的链接了吗?在该文件中你定义你希望使用的认证数据库方法,以下这个例子使用saslauthd来验证认证请求。# echo 'pwcheck_method: saslauthd' > /usr/lib/sasl2/Sendmail.conf(注意大小写)如果是pwcheck_method: pam的话是直接调用 pam认证如果是pwcheck_method: saslauth的话要启用 saslauth -a pam ,让saslauth调用pam认证将这个文件复制成smtpd.conf,即cp Sendmail.conf smtpd.conf,这个文件也要在/usr/lib/sasl2/目录下在/etc/pam.d/目录下参照其它文件建立一个“smtp”文件(postfix的是smtp.postfix),内容如下:#%PAM-1.0auth required pam_stack.so service=system-authaccount required pam_stack.so service=system-auth60 ☆dovecot配置
postfix服务只是一个MTA(邮件传输代理),它只提供SMTP服务,也就是只提供邮件的转发及本地的分发功能。要实现邮件的异地接收,还必须安装POP或IMAP服务。dovecot提供了这些服务:POP3,POP3S,IMAP,IMAPS编辑/etc/dovecot.conf文件在protocols = 一行,加入你需要的的服务缺省的ports:imap: 143imaps: 993pop3: 110pop3s: 995ssl_cert_file 和 ssl_key_file,可以看到dovecot是拿什么文件来做ssl认证的,可以自己创建新的pem文件。将disable_plaintext_auth 配置为no(非缺省)将auth_mechanisms配置为plain(缺省的)将auth_userdb配置为passwd也就是说缺省为所有local user 都能登录。将auth_passdb设置为shadow或者将auth_passdb设置为pam增加对pop3配置文件。(缺省没有,要自己建立)/etc/pam.d/pop3文件内容如:代码:auth required /lib/security/pam_stack.so service=system-authauth required pam_unix.soauth required pam_listfile.so item=user sense=deny file=/etc/security/dovecot.deny onerr=failaccount required /lib/security/pam_stack.so service=system-auth#account required pam_access.soaccount required pam_unix.so用了pam_listfile.so模块,当然也可以用pam_access.so模块来限定。61 ☆dovecot.conf
## Dovecot 1.0 configuration file# Default values are shown after each value, it's not required to uncomment# any of the lines. Exception to this are paths, they're just examples# with real defaults being based on configure options. The paths listed here# are for configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var# --with-ssldir=/usr/share/ssl# 运行时存储数据的目录#base_dir = /var/run/dovecot/# 加入你需要的的服务:# imap imaps pop3 pop3s#protocols = imap imaps# 监听的IP或者主机地址.# It's not currently possible to specify multiple addresses. # "*" 是指定监听所有IPv4的interfaces.# "[::]" 监听所有IPv6的interfaces,可能会监听所有的IPv4的interfaces但是这个取决于操作系统# 指定端口的格式是:"host:port".imap_listen = [::]pop3_listen = [::]# 监听SSL连接的IP或主机地址. # Defaults to above non-SSL equilevants if not specified.#imaps_listen =#pop3s_listen =# 禁用SSL/TLS支持.#ssl_disable = no# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before# dropping root privileges, so keep the key file unreadable by anyone but# root. Included doc/mkcert.sh can be used to easily generate self-signed# certificate, 要保证在dovecot-openssl.cnf中更新域#ssl_cert_file = /usr/share/ssl/certs/dovecot.pem#ssl_key_file = /usr/share/ssl/private/dovecot.pem# SSL parameter file. Master process generates this file for login processes.# It contains Diffie Hellman and RSA parameters.#ssl_parameters_file = /var/run/dovecot/ssl-parameters.dat# How often to regenerate the SSL parameters file. Generation is quite CPU# intensive operation. The value is in hours, 0 disables regeneration# entirely.#ssl_parameters_regenerate = 24# Disable LOGIN command and all other plaintext authentications unless# SSL/TLS is used (LOGINDISABLED capability). Note that 127.*.*.* and# IPv6 ::1 addresses are considered secure, this setting has no effect if# you connect from those addresses.#disable_plaintext_auth = yes# Use this logfile instead of syslog(). /dev/stderr can be used if you want to# use stderr for logging (ONLY /dev/stderr - otherwise it is closed).#log_path =# For informational messages, use this logfile instead of the default#info_log_path =# Prefix for each line written to log file. % codes are in strftime(3)# format.#log_timestamp = "%b %d %H:%M:%S "#### Login processes### Directory where authentication process places authentication UNIX sockets# which login needs to be able to connect to. The sockets are created when# running as root, so you don't have to worry about permissions. Note that# everything in this directory is deleted when Dovecot is started.login_dir = /var/run/dovecot-login# chroot login process to the login_dir. Only reason not to do this is if you# wish to run the whole Dovecot without roots.#login_chroot = yes#### IMAP login process##login = imap# Executable location.#login_executable = /usr/libexec/dovecot/imap-login# User to use for the login process. Create a completely new user for this,# and don't use it anywhere else. The user must also belong to a group where# only it has access, it's used to control access for authentication process.#login_user = dovecot# Set max. process size in megabytes. If you don't use# login_process_per_connection you might need to grow this.#login_process_size = 32# Should each login be processed in it's own process (yes), or should one# login process be allowed to process multiple connections (no)? Yes is more# secure, espcially with SSL/TLS enabled. No is faster since there's no need# to create processes all the time.#login_process_per_connection = yes# Number of login processes to create. If login_process_per_user is# yes, this is the number of extra processes waiting for users to log in.#login_processes_count = 3# Maximum number of extra login processes to create. The extra process count# usually stays at login_processes_count, but when multiple users start logging# in at the same time more extra processes are created. To prevent fork-bombing# we check only once in a second if new processes should be created - if all# of them are used at the time, we double their amount until limit set by this# setting is reached. This setting is used only if login_process_per_use is yes.#login_max_processes_count = 128# Maximum number of connections allowed in login state. When this limit is# reached, the oldest connections are dropped. If login_process_per_user# is no, this is a per-process value, so the absolute maximum number of users# logging in actually login_processes_count * max_logging_users.#login_max_logging_users = 256#### POP3 login process### Settings default to same as above, so you don't have to set anything# unless you want to override them.login = pop3# Exception to above rule being the executable location.#login_executable = /usr/libexec/dovecot/pop3-login#### Mail processes### Maximum number of running mail processes. When this limit is reached,# new users aren't allowed to log in.#max_mail_processes = 1024# Show more verbose process titles (in ps). Currently shows user name and# IP address. Useful for seeing who are actually using the IMAP processes# (eg. shared mailboxes or if same uid is used for multiple accounts).#verbose_proctitle = no# Show protocol level SSL errors.#verbose_ssl = no# Valid UID range for users, defaults to 500 and above. This is mostly# to make sure that users can't log in as daemons or other system users.# Note that denying root logins is hardcoded to dovecot binary and can't# be done even if first_valid_uid is set to 0.#first_valid_uid = 500#last_valid_uid = 0# Valid GID range for users, defaults to non-root/wheel. Users having# non-valid GID as primary group ID aren't allowed to log in. If user# belongs to supplementary groups with non-valid GIDs, those groups are# not set.#first_valid_gid = 1#last_valid_gid = 0# Grant access to these extra groups for mail processes. Typical use would be# to give "mail" group write access to /var/mail to be able to create dotlocks.#mail_extra_groups =# ':' separated list of directories under which chrooting is allowed for mail# processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too).# This setting doesn't affect login_chroot or auth_chroot variables.# WARNING: Never add directories here which local users can modify, that# may lead to root exploit. Usually this should be done only if you don't# allow shell access for users. See doc/configuration.txt for more information.#valid_chroot_dirs =# Default chroot directory for mail processes. This can be overridden by# giving /./ in user's home directory (eg. /home/./user chroots into /home).#mail_chroot =# Default MAIL environment to use when it's not set. By leaving this empty# dovecot tries to do some automatic detection as described in# doc/mail-storages.txt. There's a few special variables you can use:# %u - username# %n - user part in user@domain, same as %u if there's no domain# %d - domain part in user@domain, empty if user there's no domain# %h - home directory# You can also limit a width of string by giving the number of max. characters# after the '%' character. For example %1u gives the first character of# username. Some examples:# default_mail_env = maildir:/var/mail/%1u/%u/Maildir# default_mail_env = mbox:~/mail/:INBOX=/var/mail/%u# default_mail_env = mbox:/var/mail/%d/%n/:INDEX=/var/indexes/%d/%n#default_mail_env =# Space-separated list of fields to cache for all mails. Currently these# fields are allowed followed by a list of commands they speed up:## Envelope - FETCH ENVELOPE and SEARCH FROM, TO, CC, BCC, SUBJECT,# SENTBEFORE, SENTON, SENTSINCE, HEADER MESSAGE-ID,# HEADER IN-REPLY-TO# Body - FETCH BODY# Bodystructure - FETCH BODY, BODYSTRUCTURE# MessagePart - FETCH BODY[1.2.3] (ie. body parts), RFC822.SIZE,# SEARCH SMALLER, LARGER, also speeds up BODY/BODYSTRUCTURE# generation. This is always set with mbox mailboxes, and# also default with Maildir.# Different IMAP clients work in different ways, that's why Dovecot by default# only caches MessagePart which speeds up most operations. Whenever client# does something where caching could be used, the field is automatically marked# to be cached later. For example after FETCH BODY the BODY will be cached# for all new messages. Normally you should leave this alone, unless you know# what most of your IMAP clients are. Caching more fields than needed makes# the index files larger and generate useless I/O.# With maildir there's one extra optimization - if nothing is cached, indexing# the maildir becomes much faster since it's not opening any of the mail files.# This could be useful if your IMAP clients access only new mails.#mail_cache_fields = MessagePart# Space-separated list of fields that Dovecot should never set to be cached.# Useful if you want to save disk space at the cost of more I/O when the fields# needed.#mail_never_cache_fields =# Workarounds for various client bugs:# oe6-fetch-no-newmail:# Never send EXISTS/RECENT when replying to FETCH command. Outlook Express# seems to think they are FETCH replies and gives user "Message no longer# in server" error. Note that OE6 still breaks even with this workaround# if synchronization is set to "Headers Only".# outlook-idle:# Outlook and Outlook Express never abort IDLE command, so if no mail# arrives in half a hour, Dovecot closes the connection. This is still# fine, except Outlook doesn't connect back so you don't see if new mail# arrives.# outlook-pop3-no-nuls:# Outlook and Outlook Express hang if mails contain NUL characters.# This setting replaces them with 0x80 character.#client_workarounds = # Dovecot can notify client of new mail in selected mailbox soon after it's# received. This setting specifies the minimum interval in seconds between# new mail notifications to client - internally they may be checked more or# less often. Setting this to 0 disables the checking.# NOTE: Evolution client breaks with this option when it's trying to APPEND.#mailbox_check_interval = 0 # Like mailbox_check_interval, but used for IDLE command.#mailbox_idle_check_interval = 30 # Allow full filesystem access to clients. There's no access checks other than# what the operating system does for the active UID/GID. It works with both# maildir and mboxes, allowing you to prefix mailboxes names with eg. /path/# or ~user/.#mail_full_filesystem_access = no # Maximum allowed length for custom flag name. It's only forced when trying# to create new flags.#mail_max_flag_length = 50 # Save mails with CR+LF instead of plain LF. This makes sending those mails# take less CPU, especially with sendfile() syscall with Linux and FreeBSD.# But it also creates a bit more disk I/O which may just make it slower.#mail_save_crlf = no # Use mmap() instead of read() to read mail files. read() seems to be a bit# faster with my Linux/x86 and it's better with NFS, so that's the default.#mail_read_mmaped = no # By default LIST command returns all entries in maildir beginning with dot.# Enabling this option makes Dovecot return only entries which are directories.# This is done by stat()ing each entry, so it causes more disk I/O.# (For systems setting struct dirent->d_type, this check is free and it's# done always regardless of this setting)#maildir_stat_dirs = no # Copy mail to another folders using hard links. This is much faster than# actually copying the file. This is problematic only if something modifies# the mail in one folder but doesn't want it modified in the others. I don't# know any MUA which would modify mail files directly. IMAP protocol also# requires that the mails don't change, so it would be problematic in any case.# If you care about performance, enable it.#maildir_copy_with_hardlinks = no # Check if mails' content has been changed by external programs. This slows# down things as extra stat() needs to be called for each file. If changes are# noticed, the message is treated as a new message, since IMAP protocol# specifies that existing messages are immutable.#maildir_check_content_changes = no# Which locking methods to use for locking mbox. There's three available:# dotlock: Create <mailbox>.lock file. This is the oldest and most NFS-safe# solution. If you want to use /var/mail/ like directory, the users# will need write access to that directory.# fcntl : Use this if possible. Works with NFS too if lockd is used.# flock : May not exist in all systems. Doesn't work with NFS.# You can use both fcntl and flock too; if you do the order they're declared# with is important to avoid deadlocks if other MTAs/MUAs are using both fcntl# and flock. Some operating systems don't allow using both of them# simultaneously, eg. BSDs. If dotlock is used, it's always created first.mbox_locks = fcntl# Should we create dotlock file even when we want only a read-lock? Setting# this to yes hurts the performance when the mailbox is accessed simultaneously# by multiple processes, but it's needed for reliable reading if no other# locking methods are available.#mbox_read_dotlock = no# Maximum time in seconds to wait for lock (all of them) before aborting.#mbox_lock_timeout = 300# If dotlock exists but the mailbox isn't modified in any way, override the# lock file after this many seconds.#mbox_dotlock_change_timeout = 30# umask to use for mail files and directories#umask = 0077# Drop all privileges before exec()ing the mail process. This is mostly# meant for debugging, otherwise you don't get core dumps. Note that setting# this to yes means that log file is opened as the logged in user, which# might not work. It could also be a small security risk if you use single UID# for multiple users, as the users could ptrace() each others processes then.#mail_drop_priv_before_exec = no#### IMAP process### Executable location#imap_executable = /usr/libexec/dovecot/imap# Set max. process size in megabytes. Most of the memory goes to mmap()ing# files, so it shouldn't harm much even if this limit is set pretty high.#imap_process_size = 256# Support for dynamically loadable modules.#imap_use_modules = no#imap_modules = /usr/lib/dovecot/imap#### POP3 process### Executable location#pop3_executable = /usr/libexec/dovecot/pop3# Set max. process size in megabytes. Most of the memory goes to mmap()ing# files, so it shouldn't harm much even if this limit is set pretty high.#pop3_process_size = 256# Support for dynamically loadable modules.#pop3_use_modules = no#pop3_modules = /usr/lib/dovecot/pop3#### Authentication processes### An Authentication process is a child process used by Dovecot that# handles the authentication steps. The steps cover an authentication# mechanism (auth_mechanisms, how the client authenticates in the IMAP or# POP3 protocol), which password database should be queried (auth_passdb),# and which user database should be queried (auth_userdb, to obtain# UID, GID, and location of the user's mailbox/home directory).# You can have multiple processes, though a typical configuration will# have only one. Each time "auth = xx" is seen, a new process# definition is started. The point of multiple processes is to be able# to set stricter permissions. (See auth_user below.)# Just remember that only one Authentication process is asked for the# password, so you can't have different passwords accessible through# different process definitions (unless they have different# auth_mechanisms, and you're ok with having different password for# each mechanisms).# Authentication process name.auth = default# Specifies how the client authenticates in the IMAP protocol.# Space separated list of permitted authentication mechanisms:# anonymous plain digest-md5 cram-md5# anonymous - No authentication required.# plain - The password is sent as plain text. All IMAP/POP3 clients# support this, and the password can be encrypted by Dovecot to match# any of the encryption schemes used in password databases.# digest-md5 and cram-md5 - both encrypt the password so it is more# secure in transit, but are not well supported by clients, and# require that the password database use a matching encryption# scheme (or be in plaintext).# See auth.txt for more details.# If you are using SSL there is less benefit to digest-md5 and# cram-md5 as the communication is already encrypted.auth_mechanisms = plain# Space separated list of realms for SASL authentication mechanisms that need# them. You can leave it empty if you don't want to support multiple realms.# Many clients simply use the first one listed here, so keep the default realm# first.#auth_realms =# Default realm/domain to use if none was specified. This is used for both# SASL realms and appending @domain to username in plaintext logins.#auth_default_realm =# Where user database is kept:# passwd: /etc/passwd or similiar, using getpwnam()# passwd-file <path>: passwd-like file with specified location# static uid=<uid> gid=<gid> home=<dir template>: static settings# vpopmail: vpopmail library# ldap <config path>: LDAP, see doc/dovecot-ldap.conf# pgsql <config path>: a PostgreSQL database, see doc/dovecot-pgsql.confauth_userdb = passwd# Where password database is kept:# passwd: /etc/passwd or similiar, using getpwnam()# shadow: /etc/shadow or similiar, using getspnam()# pam [<service> | *]: PAM authentication# passwd-file <path>: passwd-like file with specified location# vpopmail: vpopmail authentication# ldap <config path>: LDAP, see doc/dovecot-ldap.conf# pgsql <config path>: a PostgreSQL database, see doc/dovecot-pgsql.conf#auth_passdb = pgsql /usr/local/etc/dovecot-pgsql.confauth_passdb = pam#auth_executable = /usr/libexec/dovecot/dovecot-auth# Set max. process size in megabytes.#auth_process_size = 256# User to use for the process. This user needs access to only user and# password databases, nothing else. Only shadow and pam authentication# requires roots, so use something else if possible. Note that passwd# authentication with BSDs internally accesses shadow files, which also# requires roots.auth_user = root# Directory where to chroot the process. Most authentication backends don't# work if this is set, and there's no point chrooting if auth_user is root.#auth_chroot =# Number of authentication processes to create#auth_count = 1# List of allowed characters in username. If the user-given username contains# a character not listed in here, the login automatically fails. This is just# an extra check to make sure user can't exploit any potential quote escaping# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,# set this value to empty.#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@# Username to use for users logging in with ANONYMOUS SASL mechanism#auth_anonymous_username = anonymous# More verbose logging. Useful for figuring out why authentication isn't# working.#auth_verbose = no# Even more verbose logging for debugging purposes. Shows for example SQL# queries.#auth_debug = no# digest-md5 authentication process. It requires special MD5 passwords which# /etc/shadow and PAM doesn't support, so we never need roots to handle it.# Note that the passwd-file is opened before chrooting and dropping root# privileges, so it may be 0600-root owned file.#auth = digest_md5#auth_mechanisms = digest-md5#auth_realms =#auth_userdb = passwd-file /etc/passwd.imap#auth_passdb = passwd-file /etc/passwd.imap#auth_user = imapauth#auth_chroot =# if you plan to use only passwd-file, you don't need the two auth processes,# simply set "auth_methods = plain digest-md5"62 ☆Mail测试
[root@mail root]# mail virtualuser@cngnu.orgSubject: test by methis is a test.CC: [root@mail root]# mailqMail queue is empty [root@mail root]# tail /var/log/maillog使用mailq来查看邮件队列是否有错误,并查看/var/log/mail/*是否有错误信息。如果一切正常,说明信件已经发送到tester了。63 ☆测试pop/imap
测试收信,先测试POP3:telnet panda 110然后输入:user username+OKpass password (注意是pass)如果LOGIN成功,会有提示。+OK Logged in.list+OK 2 messages:1 8492 823这样的返回信息说明已经一切正常,可以提供服务了。STAT+OK 2 1672TOP 1+OKReturn-Path: <student@panda.panda.com>Received: from panda ([192.168.152.1]) by panda.panda.com (8.13.1/8.13.1) with SMTP id k7KJE2DZ004002 for <student@panda.panda.com>; Mon, 21 Aug 2006 03:14:02 +0800Date: Mon, 21 Aug 2006 03:14:02 +0800From: student@panda.panda.comMessage-Id: <200608201914.k7KJE2DZ004002@panda.panda.com>To: <student@panda.panda.com>Subject: =?utf-8?B?TWljcm9zb2Z0IE9mZmljZSBPdXRsb29rIOa1i+ivlea2iOaBrw==?=MIME-Version: 1.0Content-Type: text/plain; charset="utf-8"Content-Transfer-Encoding: 8bitX-IMAPbase: 1154223507 6Status: OX-UID: 5Content-Length: 120X-Keywords: DELE 1+OK Marked to be deleted.QUIT+OK SayonaraConnection closed by foreign host.再测试IMAP:imtest -m login -a panda@panda.panda.com localhost C: C01 CAPABILITYS: * OK mail.cngnu.org Cyrus IMAP4 v2.1.16 server readyS: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLES: C01 OK CompletedPassword: C: L01 LOGIN virtualuser {6}+ go aheadC: <omitted>L01 OK User logged inAuthenticated.Security strength factor: 0. select inbox* FLAGS (\Answered \Flagged \Draft \Deleted \Seen)* OK [PERMANENTFLAGS (\Answered \Flagged \Draft \Deleted \Seen \*)] * 1 EXISTS* 1 RECENT* OK [UIDVALIDITY 1021736432] * OK [UIDNEXT 3] . OK [READ-WRITE] Completed. fetch 1:1 (FLAGS BODY[HEADER.FIELDS (DATE FROM)])* 1 FETCH (FLAGS (\Seen) BODY[HEADER.FIELDS (DATE FROM)] {68}Date: Mon, 20 May 2002 09:26:09 +0800 (CST)From: wxy@cngnu.org) . OK Completed . logout* BYE LOGOUT received . OK Completed64 ☆procmail
邮件分拣 Linux的sendmail使用procmail作为信件的最终投递代理。这个程序有一些非常有用的 ,对于我们来说,最重要的功能是信件的自动过滤和分拣功能。 信件分拣大概是用户最希望的功能,它按照邮件的文件头(发信地址,收信地址等等 )甚至邮件的正文进行归类,并且可以自动存放在各个文件中或者转发给别的用户账号 。马上我们会看到,用procmail配置自动分拣是一件非常容易的事情。 通常的sendmail配置中已经使用了procmail作为邮件最终投递代理,如果你的sendmail已经改乱了,可以使用FEATURE(local_procmail)设置这个功能。 procmail主要依靠用户宿主目录下面的.procmailrc中的信息来处理邮件.如果这个配 制文件不存在,则procmail只是简单的将邮件保存到用户的信箱中. 一般来说,.procmailrc文件由配置行和行为规则组成,规则的一般格式是 0 选项 [零个或多个条件,每个一行] [动作命令] [动作命令] 0表示开始一条规则,后面可以加上一些单字符的选项,选项主要有下面的一些: H 搜索匹配邮件头部 B 搜索匹配整个邮件 D 匹配时区分大小写 A 如果前面最近的一个没有A或a选项的规则执行,执行本规则 a 如果上面一条规则执行,则本规则执行 E 同A相反,前面最近的没有E或e选项的规则没有执行,则执行本规则 e 同a相反 h 通过管道传送邮件首部(缺省) b 通过管道传送邮件主体(缺省) c 复制一个邮件 I 忽略所有写操作中的错误 r 原始模式,即procmail不对mail进行任何模式的处理 条件用一个*号开始,后面跟上正则表达式动作命令就是procmail在规则成功之后使用的命令,一般的命令有下面一些: {} 开始一个语句段,表示把一组命令集合成一个动作。如果你要嵌套处理规则,(例如 ,对于来自test的邮件,区分是含有computer字符串还是含有physics字符串)那么必须 使用语句段把子规则括起来。 ! 转发信件给某个用户 | 启用管道将邮件传送给后面的程序,例如|auto-reply表示启动auto-reply程序并且将 邮件内容作为标准输入传递给它。 任意文件名 将邮件存入某个文件。如果文件已经存在,就添加在文件的末尾。 对于熟悉perl或C语言的的用户,很容易用procmail的管道功能做出邮件的自动回复程序,这里不再介绍了,想进一步了解procmail的用户可以用 65 ☆使用POP客户端
所有的现在的邮件用户代理(MUA),例如netscape,elm,Outlook,pine和mutt都是使用POP的,可以被用作POP的客户端。每一个的配置都有所不同。同样有一个流行字符界面的的POP客户端叫做fetchmail。fetchmail是高度的可配置的,可以查询多个邮箱,可以作为守护进程运行,这样使得其每五分钟查询用户的邮箱。fetchmail在主机上递送邮件到邮件传送代理(MTA),例如sendmail。我们将勾画出以后如何安装fetchmail和使用其来查询我们装过的POP服务器。注意到有很多选项可以影响fetchmail的行为。建立一个~/.fetchmailrc文件如下所示:~student/.fetchmailrcpoll stationX.exmaple.com with protocol pop3: user studentXX there is user studentXX here password "password"由于密码存储在该文件中,因此fetchmail将会拒绝运行除非您把该文件的属性设定为对于仅仅文件的所有者只读。注意还可以使用chown改变由root创建的文件的所有者为studentXX。chmod 600 ~student/.fetchmailrcchown student.student ~student/.fetchmailrc尝试使用studentXX登陆到POP3邮箱echo "hello student" | mail -s "Hola" studentsu - studentfetchmail -vexitfetchmail能不能接收到student的POP邮件?将递送student的邮件到哪里?比从本地获取POP邮件有意义么?让您的伙伴在另外一台机器上建立相同的~/.fetchmailrc文件(或者配置其它诸如mozilla的MTA)试图从您的服务器上进行收信。66 ☆fetchmail
许多用户有多个邮件账户,有些在你的管理范围之内,有些在别的服务器上面。管理 所有这些邮件是非常恶心的事情。另外,也许你的系统仅仅是一个拨号代理(参考第八 章),不可能始终接在internet上面。你需要的是在系统连接到internet的时候发出电 子邮件,同时自动去接收电子邮件。在国内,典型的做法是每人申请一个本地电子邮件 账户和一个免费电子邮件账号,问题就是,如何从另外的ISP提供的电子邮件账号哪里自 动地接收邮件? 当然你可以让你的用户自己解决这个问题,不过这种僵硬的方法不见得合适。一般我 们采用另外的办法,就是fetchmail,它是一个自动的邮件接力程序,可以让它从远程的 pop3账号处取得邮件,然后扔进用户的本地邮箱。(关于pop3的情况参考下一节)可以直接用命令行调用fetchmail: $ fetchmail -p [协议] -u [用户名] [服务器] fetchmail得到的信息将直接投入localhost机器,账号是你启动fetchmail时使用的账 号。 $ fetchmail -p POP3 -u yuanban mail.asnc.edu.cn Enter password for yuanban@mail.asnc.edu.cn: 使用pop3协议从mail.asnc.edu.cn取得yuanban的信件。fetchmail要求你输入yuanba n的密码,然后进行验证,成功的话会出现下面的信息: 1 message for yuanban at mail.asnc.edu.cn (551840 octets). reading message 1 of 1 (551840 octets) ................................... .....d 表示已经完成了一封信件的转交。 对于更复杂的情况,建议你使用fetchmail的配置文件,即用户宿主目录下面的.fetc hmailrc。这个文件的详细资料可以参考fetchmail的文档,这里只用一个简单地例子来 介绍它。我们看一个简单的.fetchmailrc范例: set syslog set postmaster "isee" poll 202.96.44.11 with proto POP3 and options envelope Delivered-To: user "mere" there with password "xxxxxxx" is isee@snail.home here no keep user "isee" there with password "yyyyyyy" is isee@snail.home here no keep 这个范例相当简单。fetchmail在读取配置文件的时候会忽略所有的"there","here", "and","with","has","wants","options"之类的单词。 第一行set syslog程序定义fetchmail的记录文件使用系统记录功能。set postmaste r设置的是出错时的管理员账号,接下来的poll行定义了fetchmail使用的协议为POP3, 连接的服务器是202.96.44.11。 envelope Delivered-To:这个选项比较有趣,它在信封上加上一个Delivered-To说明 ,这主要是为了让fetchmail可以把信件投递到一些使用qmail(见下面)的系统中。 接下来是fetchmail的主体部分,一个user的行定义了一个接力方法,现在的定义是取 得202.96.44.11服务器上mere账号的信件,取信的口令是xxxxxxx,然后投递到isee@sn ail.home,同样,isee的信件也被自动投递到isee@snail.home。no-keep选项表示不在 原始服务器上保留邮件。 下面是配置fetchmail的一些常用选项: set logfile 制定log文件 set syslog 使用系统log文件 via 指定DNS机器名来取代poll中的机器明 proto 指定协议 port 指定端口 timeout 指定超时时间 interface 指定网络界面 user 指定远程用户 is 将本地用户和远程用户联系起来 to 同is pass 口令 preconnect 连接开始前执行的外部命令 postconnect 连接结束后执行的外部命令 keep 在服务器上保留邮件备份 no keep 不保留邮件备份 在配置了.fetchmailrc之后,只要直接执行fetchmail就可以实现自动的信件投递了。 实际上,你甚至可能使用fetchmail作为一个daemon程序来实现自动的邮件转交,或是设 置fetchmail让它支持qmail的虚拟域。 在fetchmail的发行版本中还提供了一个图形化的fetchmail配置程序,称为fetchmail conf。如果你对fetchmail的语法感到困难,只要使用这个程序就可以进行配置。启动这 个程序的方法很简单,直接在xterm下面执行fetchmailconf &: 图7.1 配置fetchmail 选择configure fetchmail出现: 图7.2 配置fetchmail(2) 只要选择Novice Configuration,然后出现服务器设置选单: 图7.3 配置fetchmail(3) 在New Server中加入你准备收信的服务器,然后回车,服务器名字就会出现在列表框 中,双击服务器名字,编辑关于服务器的设置: 图7.4 配置fetchmail(4)设置服务器的类型和服务器上的账户名字,双击账户名字并且输入对应的密码以及和 本地账户之间的对应关系,OK退出就可以了 67 ☆squirrelmail
rpm -q squirrelmailsquirrelmail的主配置文件为/etc/squirrelmail/config.php更改这个配置用/usr/share/squirrelmail/config/conf.pl更方便
sendmail的主要的别名配置文件是/etc/aliases。在sendmail决定消息的接受者的目的地的之前,其先试图在别名中查找。为了优化查找,sendmail为其别名记录建立了一个哈希表数据库/etc/aliases.db该文件通过newaliases命令产生(该命令是sendmail -bi的同名)下列命令将增加用户student(如果不存在的话)useradd student在/etc/aliases 行加入如下的行:me: student(别名:实际用户名)wizards: root, memethere: student@panda.panda.com现在运行newaliases命令来更新数据库尝试发送邮件给您定义的收件人:echo "hello there" | mail -s "hello" meecho "hello there" | mail -s "hello" wizardsecho "hello there" | mail -s "hello" methere您是否得到了期望的结果?是否所有的位于wizards的收件人都受到了邮件?如果没有,su - 到不是root的用户再试一次。如果没有收到,可能需要在/etc/mail/access中打开权限20 ☆sendmail允许转发
通过控制您的机器的混杂转发,您可以使得任何人都能够将您的机器作为转发的主机。配置/etc/mail/sendmail.mc, 通过加入如下行使得m4前置处理器允许混杂转发(可以发到任何地址):/etc/mail/sendmail.mc中添加FEATURE(`promiscuous_relay')dnl使用m4前置处理机通过这个模板文件生成一个新的sendmail配置文件,然后将新生成的文件与通过sendmail RPM软件包提供的进行比较m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.relaydiff /etc/mail/sendmail.relay /etc/mail/sendmail.cf使用混杂转发以后会有多大的不同呢?现在将新建立的sendmail.relay放置在恰当的位置上,重新启动sendmail.mv /etc/mail/sendmail.cf /etc/mail/sendmail.cf.accept-mailcp /etc/mail/sendmail.relay /etc/mail/sendmail.cfservice sendmail restart让您的伙伴扮演恶意的垃圾邮件的发送者,该人能够通过telnet到您的机器上的smtp(sendmail)的25号断口,进行垃圾邮件发送地址的欺骗,在panda主机上键入如下命令:[root@panda ~]# telnet panda 25Trying 127.0.0.1...Connected to panda.panda.com (127.0.0.1).Escape character is '^]'.220 panda.panda.com ESMTP Sendmail 8.13.1/8.13.1; Thu, 27 Jul 2006 01:12:37 +0800helo panda.panda.com250 panda.panda.com Hello panda.panda.com [127.0.0.1], pleased to meet youmail from: panda@panda.panda.com250 2.1.0 panda@panda.panda.com... Sender okrcpt to:root@panda.panda.com250 2.1.5 root@panda.panda.com... Recipient okdata354 Enter mail, end with "." on a line by itselfSubject: Fakedthis was faked!250 2.0.0 k6QHCb8x007709 Message accepted for deliveryquit221 2.0.0 panda.panda.com closing connectionConnection closed by foreign host.垃圾邮件现在送到您的机器上了。下一步,发给其他主机21 ☆sendmail不允许转发
通过替换新的sendmail.cf为接受传入的信件的配置文件来恢复缺省的sendmail的配置,并且重新启动sendmail:注释掉这行FEATURE(promiscuous_relay)dnlmv /etc/mail/sendmail.cf.accept-mail /etc/mail/sendmail.cfservice sendmail restart让您的伙伴再从stationY转发垃圾邮件。您的sendmail还是一个转发器么?任何一个转发的都会产生如下的消息:550 5.7.1 kddk@kdk.com... Relaying denied但是本机是可以转发的(access文件中定义)22 ☆sendmail选择性的转发
对于特定的主机,域或者网络,编辑/etc/mail/access并且重新启动sendmail。为了允许所有在panda.com域中的机器可以把您的机器作为邮件转发服务器,你在/etc/mail/access中添加如panda.com域。然后用#makemap hash access.db<access23 ☆m4
sendmail是一个极为复杂的程序,其行为主要地依赖于在UNIX界"臭名昭著"的/etc/sendmail.cf配置文件。实际上,我怀疑会有谁真的从头去写一个sendmail.cf文件。一般来说,我们总是用m4宏处理来书写sendmail.cf。实际上,m4程序几乎和sendmail.cf一样复杂,不过,通常我们只需要关心一些比较重要的部分。 要使用宏处理程序,必须确定你已经安装了m4和sendmail-cf这样两个软件包用m4程序可以生成一个sendmail.cf: #m4 sendmail.mc > /sendmail.cf24 ☆sendmail总结
配置接收邮件,/etc/mail/sendmail.mc dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')m4 sendmail.mc > sendmail.cf添加别名 在/etc/aliases加入别名,newaliases不充许转发:默认转发:在sendmail.mc 加入 FEATURE(promiscuous_relay) dnl选择转发: /etc/mail/access 用户和主机访问控制/etc/mail/accessdomain.com RELAYUSER@ REJECTUSER@domain.com REJECTIP RELAYmakemap hash access.db<access或makemap hash access <access .db可以省略25 ☆新建E-Mail帐号
在LINUX中,要为一个新的用户开E-Mail帐号是十分简单的。只要在LINUX系统中新增一个用户就可以了。那么这个用户帐号和密码就是E-Mail的帐号和密码。我为一个新用户test开一个E-Mail帐号。就用以下命令:#adduser panda, # passwd panda这样,这个新用户的E-Mail地址就是: panda@panda.com 密码当然就是帐号的密码了。要防止本地用户利用 sendmail 服务器上的漏洞,最好是让邮件用户只使用电子邮件程序来访问 sendmail 服务器。邮件服务器上的 Shell 帐号不应该被允许,/etc/passwd 文件中的所有用户 shell 都应该被设置为 /sbin/nologin,在添加系统用户时可以useradd -s /sbin/nologin 用户名,这样添加的用户名就没有了shell,只能收发信而不能登陆到服务器运行其他程序,安全一点。26 ☆sendmail邮件限额
当一个E-Mail服务器为许多人提供E-Mail服务的时候,无限量的电子邮件将很容易塞满服务器的硬盘,造成很大的负载。如果你的服务器不想为用户提供无限空间的E-Mail暂存空间,那么你就可以使用"邮件限额"来给用户一个有限的暂存空间。 其实,它是利用磁盘限额功能来实现的。电子邮件的暂存空间是在/var/spool/mail目录下,只要通过磁盘限额设定每一个用户在这个目录下能使用的最大空间就可以了。27 ☆mailstats
邮寄状态查询命令,可查询sendmail运行作至今邮件收发总计资料。M :msgsfr:发送的邮件数量bytes_from:邮件容量megsto:收到邮件的数量。bytes_to:同上msgsrej:邮件deny的次数。msgsdis:邮件discard的次数。Mailer :esmtp对外邮件,local本地邮件。28 ☆mailq
#/usr/bin/mailq邮件队列查询命令。Q-ID 邮件id号。Size 邮件容量。Q-Time 邮件进入队列(也就是/var/spool/mqueue目录)的时间和不能邮寄的原因。Sender/Recipient 发信和收信人的邮箱地址。29 ☆sendmail -q
当命令sendmail -q发出以后,sendmail将会试图仍在队列中等待的邮件。可以在后面跟上时间‘s’是秒,‘m’分钟(缺省),‘h’小时, ‘d’天,‘w’周. 30 ☆sendmail管理邮件队列
一般当你发送一封邮件的时候,sendmail倾向于立刻发送这一封电子邮件。但是如果 当前网络忙使得无法立刻投递信件,或者是目标地址的连接速度太慢,无法在短时间内投递到目标地址处,那么sendmail将把待发送的邮件排入队列,并在合适的时候重新发送。队列文件通常存放在/var/spool/mqueue下面,每个待发送的邮件由几个文件构成例如,我们可以看到下面的目录文件列表: [root@mail mqueue]# ls dfRAA27175 xfAAA00733 xfBAA00819 xfEAA32763 xfXAA00706 qfRAA27175 xfAAA00784 xfDAA01360 xfFAA01616 文件名字总是由一个两字符的前缀加上一个随机数字。前缀有四钟: df:邮件内容 qf:邮件头和一些控制信息 xf:一些临时文件 tf:qf文件的临时存储文件 可以通过看队列中的qf文件来确定当前队列信息,不过通常都可以用mailq程序来完成 对队列状态的查询: [root@mail mqueue]# mailq Mail Queue (1 request) --Q-ID-- --Size-- -----Q-Time----- ------------Sender/Recipient----------- - RAA27175 22429 Fri Feb 25 17:34 : deferred) chaszhj@21cn.net 这表示队列中目前只有一封信,由zhangfl发出,收信人是chaszhj@21cn.net。 由sendmail接受到的信件在用户取走之前将暂时存储在/var/spool/mail目录下面,存 储的方法非常简单,就是每个有待读邮件的用户一个文件: [root@mail spool]# ls -l /var/spool/mail |more total 19364 -rw-rw---- 1 anyi mail 7559035 Feb 28 22:04 anyi -rw-rw---- 1 baixuan mail 514 Nov 7 01:32 baixuan -rw-rw---- 1 cwc mail 515 Feb 28 08:35 cwc 如果一个用户有多封电子邮件,那么这些邮件就被简单地连接在一起构成一个大文件 (所以你会看到非常巨大的邮件文件)。 如果你面对的是一个很庞大的邮件服务系统,有时会在某个邮件队列中拥塞太多的消 息,你可能想把这个队列暂停并且在网络空闲的时候再发送,暂停一个邮件队列的办法非常简单,就是将/var/spool/mqueue目录移走: killall sendmail mv /var/spool/mqueue /var/spool/mqueue.stop mkdir /var/spool/mqueue sendmail -bd 当网络空闲的时候,可以用-oQ参数立即处理拥塞的队列: sendmail -oQ /var/spool/mqueue.stop -q 31 ☆SMTP协议的基本命令
在/etc/mail/helpfile中有描述为了使用这种测试技术,你需要了解SMTP协议的基本命令,这样的命令有14个,在下面列出: HELO 标志发起smtp请求的主机,例如,从client1发起smtp会话,可以使用 HELO client1 MAIL FROM: 启动一个邮件会话,在这个行中需要标志发信人的信封地址,例如,要从user1@client1发出邮件,使用MAIL FROM:user1@client1,注意尖括号的用法。 RCPT TO: 标志收信人的信封地址,例如,要发送给user2@mail2,使用RCPT TO: user2@mail2。在一个MAIL FROM之后可以给出多个收信人地址,以便实现多副本的传送。 VRFY 验证某个地址,例如,要确定test@mail是一个可以投递的地址,使用VRFY test@mail。 EXPN 显示某个收件人地址或者用户名的实际名字。例如,要显示postmaster用户的实际投 递地址,使用EXPN postmaster。如果在某个用户的目录下有.forward文件,这个文件的 内容将会被自动使用。 DATA 开始写信,在MAIL和RCPT之后可以使用这个命令传输信件正文,传输完毕之后输入一 个.退出。 QUIT 关闭smtp会话 RSET 复位连接状态 HELP 显示这个命令表。 32 ☆sendmail测试
/etc/mail目录下配置一些文档。# cd /etc/mail # echo 'examply.com' >> local-host-names 接收邮件的主机名# echo 'localhost RELAY' >> access 用来拒绝或允许来自某个域的邮件,本例允许本地转发。# makemap hash access < access 生成access.db数据库# touch domaintable 用来把旧域名映射互新域名# makemap hash domaintable < domaintable # touch mailertable 来覆盖向指定域的路由# makemap hash mailertable < mailertable # touch trusted-users # touch virtusertable 用来把用户和域名映射到其它地址# makemap hash virtusertable < virtusertable # chown root:wheel /var/spool/mqueue/ # chmod 700 /var/spool/mqueue # touch aliases 别名数据库,文本形式。可参照源码目录树下sendmail/aliases文件。# newaliases 从文本文件中创建一个新的别名数据库文件。# sendmail -v -bi 调试启动。/etc/mail/aliases: 42 aliases, longest 10 bytes, 432 bytes total如果出现以上提示信息,则启动成功。可用以下命令正式启动: 打开你喜欢的Mail Client,设置smtp服务器为:localhost (假如和服务器在同一台机子上,也可以设置本机的IP),端口为:25.然后随便一段测试信息,填写好接收邮件的地址,按发送。你的Mail Client会提示邮件已发送。实际上你的邮件还在计算机上排队,并未发出!要发送所有排队的邮件,你需要连上网,然后你root身份登陆,并运行:# sendmail -q .现在你的邮件就会发送到指定的邮箱中。 33 ☆postfix安装
在安装Postfix前,需要关闭sendmail服务和开机时的自启动,使用如下命令: #service sendmail stop #chkconfig sendmail off在http://www.postfix.com/上下载需要的postfix的rpm安装包,或在RHEL5的安装光盘中找到需要安装的rpm包,然后进行安装: #rpm -ivh postfix-2.3.3-2.i386.rpm (第三张光盘)34 ☆postfix收取邮件
为了安全的原因,sendmail和postfix的缺省的配置允许发邮件但是不允许从网络上接收邮件(缺省的它们只接受从回环接口上的连接)。修改/etc/postfix/main.cf找到并注释如下行inet_interfaces = localhost取消注释该行:inet_interfaces = all35 ☆Postfix启动和校验
运行#service sendmail start#/etc/init.d/postfix start使用图形工具#system-switch-mail使得postfix成为活跃的MTA。也可以使用如下的命令行:#alternatives -set mta /usr/sbin/sendmail.postfix重新启动命令如下:#service postfix restart确定hostname命令正确的返回您的主机名称。确保DNS配置正确应该是您的FQDN。如果sendmail返回您的主机名称为localhost,您可能错误配置了/etc/hosts文件。检查您的/etc/hosts文件,删除所有的但记住留下localhost的指向,然后再试一遍。如果/etc/hosts文件是正确的,那么检查一下在/etc/sysconfig/netwoek中的HOSTNAME的定义。当这些值都正确的时候,启动postfix服务。确定postfix在启动的时候没有错误Red Hat Linux的安装使用提供的syslog工具来记录所有的信息到文件/var/log/maillog中去。检查此文件中的最后查找任何错误信息。试图向root@server1发送简单的邮件并且检查/var/log/maillog的记录文件#mail -s `echo $USER` root@panda < /etc/redhat-release应该如下所示:Jul 26 20:55:10 localhost postfix/pickup[4902]: 717AB335FE: uid=0 from=<root>Jul 26 20:55:10 localhost postfix/cleanup[4943]: 717AB335FE: message-id=<20060726125510.717AB335FE@panda.com>Jul 26 20:55:10 localhost postfix/qmgr[4903]: 717AB335FE: from=<root@panda.com>, size=314, nrcpt=1 (queue active)Jul 26 20:55:10 localhost postfix/local[4945]: 717AB335FE: to=<root@panda.com>, relay=local, delay=0, status=sent (delivered to mailbox)Jul 26 20:55:10 localhost postfix/qmgr[4903]: 717AB335FE: removed36 ☆Postfix的别名
在postfix决定消息的接受者的目的地的之前,其先试图在别名中查找。postfix的主要的别名配置文件是/etc/aliases。为了优化查找,postfix为其别名记录建立了一个哈希表别名数据库/etc/aliases.db(和sendmail类似).该文件通过newaliases命令产生。下列命令将增加用户student(如果不存在的话)useradd student在/etc/aliases 行加入如下的行:注意:注释root别名的那一行为postfixme: studentwizards: root, memethere: panda@panda.com现在运行newaliases 更新数据库尝试发送邮件给您定义的收件人:echo "hello there" | mail -s "hello" meecho "hello there" | mail -s "hello" wizardsecho "hello there" | mail -s "hello" methere是否所有的位于wizards的收件人都受到了邮件?要确认/etc/mail/access中打开权限37 ☆postfix允许转发
缺省的postfix允许在子网上的任何人通过您的机器进行转发。但是并不是在每一个环境中都安全的。例如,您的机器和其他机器在一起,如果您的本地子网里有一台机器被其他人控制,那么其他的机器都会有麻烦。让您的伙伴扮演恶意的垃圾邮件的发送者,该人能够通过telnet到您的机器上的postfix的25号断口,进行垃圾邮件发送地址的欺骗,在panda键入如下命令: [root@panda mail]# telnet panda 25Trying 127.0.0.1...Connected to panda.com (127.0.0.1).Escape character is '^]'.220 panda.com ESMTP Postfixhelo root.panda.com250 panda.commail from:panda@panda.com250 Okrcpt to: root@panda.com250 Okdata354 End data with <CR><LF>.<CR><LF>Subject: Fakedthis was faked!250 Ok: queued as 9DB2733601quit221 ByeConnection closed by foreign host.垃圾邮件现在送到您的机器上了。下一步,看看您的伙伴能不能从您的机器转发给第三台机器:由于您的机器已经被配置成为允许混杂转发,垃圾邮件可以通过您的机器进行邮件转发。注意/var/log/maillog的变化38 ☆postfix不允许转发
编辑文件/etc/postfix/main.cf取消转发。查找并且取消注释下面的行,mynetworks_style = host并且重新启动postfix让您的伙伴再从stationY转发垃圾邮件。您的postfix还是一个转发器么?任何一个转发的都会产生如下的消息:554 <root@panda.panda.com>: Recipient address rejected: Relay access denied39 ☆postfix选择性的转发
对于特定的主机,域或者网络,编辑/etc/postfix/main.cf并且重新启动postfix。对于特定的主机允许通过您的机器进行转发,找到并且取消注释该行:mynetworks_style = host然后添加新行来允许转发的主机和网络,在这里允许station1和本地转发mynetworks = 192.168.152.128, 127.0.0.0/840 ☆postfix接收和转发的条件
(1)默认情况下,postfix接收符合以下条件的邮件:目的地为$inet interfaces的邮件;目的地为$mydestination的邮件;目的地为$virtual_alias_maps的邮件。(2)默认情况下,postfix转发符合以下条件的邮件:来自客户端IP地址符合$mynetworks的邮件;来自客户端主机名称符合relay_domains及其子域的邮件;目的地为$relay_domains及其子域的邮件。41 ☆主配置文件main.cf
修改/etc/postfix/main.cf的配置:myhostname = mail.cngnu.org指定运行postfix服务的邮件主机的主机名称(FQDN名)mydomain = cngnu.org指定运行postfix服务的邮件主机的域名称myorigin = $mydomain设置由本台邮件主机寄出的每封邮件的邮件头中mail from的地址inet interfaces = all默认情况下,inet interfaces参数的值被设置为localhost,这表明只能在本地邮件主机上寄信。如果邮件主机上有多个网络接口,而又不想使全部的网络接口都开放Postfix服务,就可以用主机名指定需要开放的网络接口。不过,通常是将所有的网络接口都开放,以便接收从任何网络接口来的邮件,即将inet interfaces参数的值设置为“all”。mydestination = $mydomain,$myhostname只有当发来的邮件的收件人地址与该参数值相匹配时,Postfix才会将该邮件接收下来。例如,这里将该参数值设置为$mydomain,$myhosname,表明无论来信的收件人地址是xxx@cngnu.org(其中,XXX表示某用户的邮件账户名),还是xxx@mail.cngnu.org,Postfix都会接收这些邮件。mynetworks_style = hostmynetworks = 127.0.0.0/8,192.168.1.0/24设置可转发(Relay)哪些网络的邮件.可以使用mynetworks参数来设置。可将该参数值设置为所信任的某台主机的IP地址,也可设置为所信任的某个IP子网或多个IP子网(用“,”或者“”分隔)。这里,将mynetworks参数值设置为192.168.16.0/24,则表示这台邮件主机只转发子网192.168.16.0/24中的客户端所发来的邮件,而拒绝为其他子网转发邮件。relay_domains = gdvcp.netmynetworks参数是针对邮件来源的IP来设置的,而relay_domains参数则是针对邮件来源的域名或主机名来设置的。例如,将该参数值设置为gdvcp.net,则表示任何由域gdvcp.net发来的邮件都会被认为是信任的,Postfix会自动对这些邮件进行转发。virtual_alias_domains = dzxx.cn,panda.com用来指定虚拟别名域的名称virtual_maps = hash:/etc/postfix/virtual #,mysql:/etc/postfix/virtual.mysql含有虚拟别名域定义的文件路径。alias_maps = hash:/etc/aliases指定含有用户别名定义的文件路径alias_database = hash:/etc/aliases指定别名表数据库文件路径。home_mailbox = Maildir/mailbox_transport = cyrusfallback_transport = cyrussmtpd_sasl_auth_enable = yes指定是否要启用SASL作为SMTP认证方式。默认不启用,这里必须将它启用,所以要将该参数值设置为“yes”。smtpd_sasl_local_domain = ''如果采用Cyrus-SASL V2版进行认证,那么这里不作设置。 smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination表示通过收件人地址对客户端发来的邮件进行过滤。通常有以下几种限制规则。permit_mynetworks:表示只要是收件人地址位于mynetworks参数中指定的网段就可以被转发邮件permit_sasl_authenticated:表示允许转发通过SASL认证的邮件。reject_unauth_destination:表示拒绝转发含未信任的目标地址的邮件。broken_sasl_auth_clients = yes表示是否兼容非标准的SMTP认证。有一些Microsoft的SMTP客户端(如Outlook Express 4.x)采用非标准的SMTP认证协议,只需将该参数设置为"yes"就可解决这类不兼容问题。smtpd_client_restrictions = permit_sasl_authenticated表示限制可以向postfix发起SMTP连接的客户端。如果要禁止未经过认证的客户端向postfix发起SMTP连接,则可将该参数值设置为permit_sasl_authenticatedsmtpd_sasl_security_options = noanonymous用来限制某些登录的方式。如果将该参数值设置为noanonymous,则表示禁止采用匿名登录方式。 permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/filter.mysql, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_sender_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_unauth_destination, permit如果希望支持更多的虚拟域,可以在mydestination参数后面加上你所要支持的域即可。通过virtual和virtual.mysql为系统提供了邮箱本地查询表。42 ☆virtual
/etc/postfix/virtual虚拟别名 实际名@dzxx.cn @gdvcp.netadmin@panda.com lbtst123@panda.com st123001,st123002,st123003daliu@panda.com lbt,liu6812@163.com43 ☆master.cf
由postfix运行的守护程序44 ☆pcre_table
地址改写的或邮件路由的perl表达式45 ☆postfix-files
postfix文件和权限46 ☆postfix-script
管理postfix,类似start,stop47 ☆regexp_table
从postfix查找账号的表用postconf -m来检查48 ☆relocated
用户转移到新位置,用这里来重定向49 ☆transport
指定一个传输协议50 ☆postconf
postconf测试配置文件postconf -n看当前配置文件的路径51 ☆重启postfix
修改main.cf和virtual,aliases后postmap /etc/postfix/virtual生成etc/postfix/virtual.dbpostalias /etc/aliases生成/etc/aliases.dbpostfix reload重载main.cf 52 ☆SMTP认证的配置
如果任何人都可以通过一台邮件服务器来转发邮件,会有什么后果呢?很可能这台邮件服务器就成为了各类广告与垃圾信件的集结地或中转站,网络带宽也会很快被耗尽。为了避免这种情况的出现,MTA默认不会对外开放转发功能,而仅对本机(1ocalhost)开放转发功能。但是,在实际应用中,必须在MTA主配置文件中通过设置mynetworks、relay domains参数来开放一些所信任的网段或网域,否则该邮件服务器几乎没有什么用途。在开放了这些所信任的网段或网域后,还可以通过设置SMTP认证,对要求转发邮件的客户端进行用户身份(用户账户名与密码)验证。只有通过了验证,才能接收该用户寄来的邮件并帮助转发。目前,比较常用的SMTP认证机制是通过Cyrus-SASI.。包来实现的。53 ☆Cyrus-SASL
是Cyrus Simple Authentication and Security Layer的简写,它最大的功能是为应用程序提供了认证函数库。应用程序可以通过函数库所提供的功能定义认证方式,并让SASL。通过与邮件服务器主机的沟通从而提供认证的功能。54 ☆Cyrus-SASL安装
rpm -qa | grep sasl55 ☆Cyrus-SASL启动
运行saslauthd守护进程service saslauthd restart56 ☆Cyrus-SASL认证机制
默认情况下,Cyrus-SASL V2版使用saslauthd这个守护进程进行密码认证,而密码认证的方法有多种,使用下面的命令可查看当前系统中的Cyrus-SASL V2所支持的密码验证机制。[root@panda mail]# saslauthd -vsaslauthd 2.1.19authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap57 ☆saslauthd配置
配置saslauthd使用shadow认证方案:/etc/sysconfig/saslauthdMECH=shadow配置saslauthd使用PAM认证方案(非默认,需要配置pam,否则测试失败):/etc/sysconfig/saslauthdMECH=pam 命令行方式启动验证方案:saslauthd -a shadow 用shadow的用户和密码进行验证58 ☆测试Cyrus-SASL
ps aux | grep saslauthdservice saslauthd restarttestsaslauthd -u userid -p password [root@panda ~]# testsaslauthd -u student -p '111111'0: OK "Success."如果出现以上信息,就说明saslauthd正常运行了。表示认证功能有效服务器启动后,可以用telnet连接服务器。# telnet localhost 25Trying 127.0.0.1...Connected to localhost.Escape character is '^]'.220 test.tigerhead ESMTP Sendmail 8.12.10/8.12.10; Tue, 30 Mar 2004 14:50:14 +0800ehlo test (!!!!!!!!注意命令是ehlo)你输入的命令,按回车结束。250-test.tigerhead Hello LOCALHOST.localdomain [127.0.0.1], pleased to meet you250-ENHANCEDSTATUSCODES250-PIPELINING250-8BITMIME250-SIZE250-DSN250-ETRN250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN #就表明SMTP认证成功250-DELIVERBY250 HELP以250-开头的为服务器的响应信息。注意倒数第三行,这就是成功配置smtp验证的显示。输入quit离开。59 ☆Cyrus-SASL配置MTA
postfix中更改main.cf中的配置smtpd_sasl_auth_enable = yes smtpd_sasl_local_domain = smtpd_sasl_security_options = noanonymous broken_sasl_auth_clients = yes 建立/usr/lib/sasl2/smtpd.conf设置Postfix使用SASL的saslauthd认证守护进程来支持smtp auth认证,并只打开了plain和login认证模块:[root@mail root]# echo pwcheck_method:saslauthd > /usr/lib/sasl2/smtpd.conf[root@mail root]# echo mech_list: plain login >> /usr/lib/sasl2/smtpd.conf sendmail中更改/etc/mail/sendmail.mc去掉下面俩行的注释TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnldefine(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl如果sendmail没办法收信,就把DAEMON_OPTIONS(`Port=587, Name=MSA, M=Ea')dnl 改为 DAEMON_OPTIONS(`Port=25, Name=MSA')dnl (这一句不能和DAEMON_OPTIONS(`Port=25, Name=MTA')dnl同时存在)建立/usr/lib/sasl2/Sendmail.conf当sendmail要使用SMTP认证时,必须创建一个SASL的配置文件来把MTA程序定义成一个SASL应用。配置文件名为Sendmail.conf(注意是大写的S),位于/usr/lib/sasl2目录中,也就是/usr/local/sasl2/lib/sasl2这个目录,记得上面新建的链接了吗?在该文件中你定义你希望使用的认证数据库方法,以下这个例子使用saslauthd来验证认证请求。# echo 'pwcheck_method: saslauthd' > /usr/lib/sasl2/Sendmail.conf(注意大小写)如果是pwcheck_method: pam的话是直接调用 pam认证如果是pwcheck_method: saslauth的话要启用 saslauth -a pam ,让saslauth调用pam认证将这个文件复制成smtpd.conf,即cp Sendmail.conf smtpd.conf,这个文件也要在/usr/lib/sasl2/目录下在/etc/pam.d/目录下参照其它文件建立一个“smtp”文件(postfix的是smtp.postfix),内容如下:#%PAM-1.0auth required pam_stack.so service=system-authaccount required pam_stack.so service=system-auth60 ☆dovecot配置
postfix服务只是一个MTA(邮件传输代理),它只提供SMTP服务,也就是只提供邮件的转发及本地的分发功能。要实现邮件的异地接收,还必须安装POP或IMAP服务。dovecot提供了这些服务:POP3,POP3S,IMAP,IMAPS编辑/etc/dovecot.conf文件在protocols = 一行,加入你需要的的服务缺省的ports:imap: 143imaps: 993pop3: 110pop3s: 995ssl_cert_file 和 ssl_key_file,可以看到dovecot是拿什么文件来做ssl认证的,可以自己创建新的pem文件。将disable_plaintext_auth 配置为no(非缺省)将auth_mechanisms配置为plain(缺省的)将auth_userdb配置为passwd也就是说缺省为所有local user 都能登录。将auth_passdb设置为shadow或者将auth_passdb设置为pam增加对pop3配置文件。(缺省没有,要自己建立)/etc/pam.d/pop3文件内容如:代码:auth required /lib/security/pam_stack.so service=system-authauth required pam_unix.soauth required pam_listfile.so item=user sense=deny file=/etc/security/dovecot.deny onerr=failaccount required /lib/security/pam_stack.so service=system-auth#account required pam_access.soaccount required pam_unix.so用了pam_listfile.so模块,当然也可以用pam_access.so模块来限定。61 ☆dovecot.conf
## Dovecot 1.0 configuration file# Default values are shown after each value, it's not required to uncomment# any of the lines. Exception to this are paths, they're just examples# with real defaults being based on configure options. The paths listed here# are for configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var# --with-ssldir=/usr/share/ssl# 运行时存储数据的目录#base_dir = /var/run/dovecot/# 加入你需要的的服务:# imap imaps pop3 pop3s#protocols = imap imaps# 监听的IP或者主机地址.# It's not currently possible to specify multiple addresses. # "*" 是指定监听所有IPv4的interfaces.# "[::]" 监听所有IPv6的interfaces,可能会监听所有的IPv4的interfaces但是这个取决于操作系统# 指定端口的格式是:"host:port".imap_listen = [::]pop3_listen = [::]# 监听SSL连接的IP或主机地址. # Defaults to above non-SSL equilevants if not specified.#imaps_listen =#pop3s_listen =# 禁用SSL/TLS支持.#ssl_disable = no# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before# dropping root privileges, so keep the key file unreadable by anyone but# root. Included doc/mkcert.sh can be used to easily generate self-signed# certificate, 要保证在dovecot-openssl.cnf中更新域#ssl_cert_file = /usr/share/ssl/certs/dovecot.pem#ssl_key_file = /usr/share/ssl/private/dovecot.pem# SSL parameter file. Master process generates this file for login processes.# It contains Diffie Hellman and RSA parameters.#ssl_parameters_file = /var/run/dovecot/ssl-parameters.dat# How often to regenerate the SSL parameters file. Generation is quite CPU# intensive operation. The value is in hours, 0 disables regeneration# entirely.#ssl_parameters_regenerate = 24# Disable LOGIN command and all other plaintext authentications unless# SSL/TLS is used (LOGINDISABLED capability). Note that 127.*.*.* and# IPv6 ::1 addresses are considered secure, this setting has no effect if# you connect from those addresses.#disable_plaintext_auth = yes# Use this logfile instead of syslog(). /dev/stderr can be used if you want to# use stderr for logging (ONLY /dev/stderr - otherwise it is closed).#log_path =# For informational messages, use this logfile instead of the default#info_log_path =# Prefix for each line written to log file. % codes are in strftime(3)# format.#log_timestamp = "%b %d %H:%M:%S "#### Login processes### Directory where authentication process places authentication UNIX sockets# which login needs to be able to connect to. The sockets are created when# running as root, so you don't have to worry about permissions. Note that# everything in this directory is deleted when Dovecot is started.login_dir = /var/run/dovecot-login# chroot login process to the login_dir. Only reason not to do this is if you# wish to run the whole Dovecot without roots.#login_chroot = yes#### IMAP login process##login = imap# Executable location.#login_executable = /usr/libexec/dovecot/imap-login# User to use for the login process. Create a completely new user for this,# and don't use it anywhere else. The user must also belong to a group where# only it has access, it's used to control access for authentication process.#login_user = dovecot# Set max. process size in megabytes. If you don't use# login_process_per_connection you might need to grow this.#login_process_size = 32# Should each login be processed in it's own process (yes), or should one# login process be allowed to process multiple connections (no)? Yes is more# secure, espcially with SSL/TLS enabled. No is faster since there's no need# to create processes all the time.#login_process_per_connection = yes# Number of login processes to create. If login_process_per_user is# yes, this is the number of extra processes waiting for users to log in.#login_processes_count = 3# Maximum number of extra login processes to create. The extra process count# usually stays at login_processes_count, but when multiple users start logging# in at the same time more extra processes are created. To prevent fork-bombing# we check only once in a second if new processes should be created - if all# of them are used at the time, we double their amount until limit set by this# setting is reached. This setting is used only if login_process_per_use is yes.#login_max_processes_count = 128# Maximum number of connections allowed in login state. When this limit is# reached, the oldest connections are dropped. If login_process_per_user# is no, this is a per-process value, so the absolute maximum number of users# logging in actually login_processes_count * max_logging_users.#login_max_logging_users = 256#### POP3 login process### Settings default to same as above, so you don't have to set anything# unless you want to override them.login = pop3# Exception to above rule being the executable location.#login_executable = /usr/libexec/dovecot/pop3-login#### Mail processes### Maximum number of running mail processes. When this limit is reached,# new users aren't allowed to log in.#max_mail_processes = 1024# Show more verbose process titles (in ps). Currently shows user name and# IP address. Useful for seeing who are actually using the IMAP processes# (eg. shared mailboxes or if same uid is used for multiple accounts).#verbose_proctitle = no# Show protocol level SSL errors.#verbose_ssl = no# Valid UID range for users, defaults to 500 and above. This is mostly# to make sure that users can't log in as daemons or other system users.# Note that denying root logins is hardcoded to dovecot binary and can't# be done even if first_valid_uid is set to 0.#first_valid_uid = 500#last_valid_uid = 0# Valid GID range for users, defaults to non-root/wheel. Users having# non-valid GID as primary group ID aren't allowed to log in. If user# belongs to supplementary groups with non-valid GIDs, those groups are# not set.#first_valid_gid = 1#last_valid_gid = 0# Grant access to these extra groups for mail processes. Typical use would be# to give "mail" group write access to /var/mail to be able to create dotlocks.#mail_extra_groups =# ':' separated list of directories under which chrooting is allowed for mail# processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too).# This setting doesn't affect login_chroot or auth_chroot variables.# WARNING: Never add directories here which local users can modify, that# may lead to root exploit. Usually this should be done only if you don't# allow shell access for users. See doc/configuration.txt for more information.#valid_chroot_dirs =# Default chroot directory for mail processes. This can be overridden by# giving /./ in user's home directory (eg. /home/./user chroots into /home).#mail_chroot =# Default MAIL environment to use when it's not set. By leaving this empty# dovecot tries to do some automatic detection as described in# doc/mail-storages.txt. There's a few special variables you can use:# %u - username# %n - user part in user@domain, same as %u if there's no domain# %d - domain part in user@domain, empty if user there's no domain# %h - home directory# You can also limit a width of string by giving the number of max. characters# after the '%' character. For example %1u gives the first character of# username. Some examples:# default_mail_env = maildir:/var/mail/%1u/%u/Maildir# default_mail_env = mbox:~/mail/:INBOX=/var/mail/%u# default_mail_env = mbox:/var/mail/%d/%n/:INDEX=/var/indexes/%d/%n#default_mail_env =# Space-separated list of fields to cache for all mails. Currently these# fields are allowed followed by a list of commands they speed up:## Envelope - FETCH ENVELOPE and SEARCH FROM, TO, CC, BCC, SUBJECT,# SENTBEFORE, SENTON, SENTSINCE, HEADER MESSAGE-ID,# HEADER IN-REPLY-TO# Body - FETCH BODY# Bodystructure - FETCH BODY, BODYSTRUCTURE# MessagePart - FETCH BODY[1.2.3] (ie. body parts), RFC822.SIZE,# SEARCH SMALLER, LARGER, also speeds up BODY/BODYSTRUCTURE# generation. This is always set with mbox mailboxes, and# also default with Maildir.# Different IMAP clients work in different ways, that's why Dovecot by default# only caches MessagePart which speeds up most operations. Whenever client# does something where caching could be used, the field is automatically marked# to be cached later. For example after FETCH BODY the BODY will be cached# for all new messages. Normally you should leave this alone, unless you know# what most of your IMAP clients are. Caching more fields than needed makes# the index files larger and generate useless I/O.# With maildir there's one extra optimization - if nothing is cached, indexing# the maildir becomes much faster since it's not opening any of the mail files.# This could be useful if your IMAP clients access only new mails.#mail_cache_fields = MessagePart# Space-separated list of fields that Dovecot should never set to be cached.# Useful if you want to save disk space at the cost of more I/O when the fields# needed.#mail_never_cache_fields =# Workarounds for various client bugs:# oe6-fetch-no-newmail:# Never send EXISTS/RECENT when replying to FETCH command. Outlook Express# seems to think they are FETCH replies and gives user "Message no longer# in server" error. Note that OE6 still breaks even with this workaround# if synchronization is set to "Headers Only".# outlook-idle:# Outlook and Outlook Express never abort IDLE command, so if no mail# arrives in half a hour, Dovecot closes the connection. This is still# fine, except Outlook doesn't connect back so you don't see if new mail# arrives.# outlook-pop3-no-nuls:# Outlook and Outlook Express hang if mails contain NUL characters.# This setting replaces them with 0x80 character.#client_workarounds = # Dovecot can notify client of new mail in selected mailbox soon after it's# received. This setting specifies the minimum interval in seconds between# new mail notifications to client - internally they may be checked more or# less often. Setting this to 0 disables the checking.# NOTE: Evolution client breaks with this option when it's trying to APPEND.#mailbox_check_interval = 0 # Like mailbox_check_interval, but used for IDLE command.#mailbox_idle_check_interval = 30 # Allow full filesystem access to clients. There's no access checks other than# what the operating system does for the active UID/GID. It works with both# maildir and mboxes, allowing you to prefix mailboxes names with eg. /path/# or ~user/.#mail_full_filesystem_access = no # Maximum allowed length for custom flag name. It's only forced when trying# to create new flags.#mail_max_flag_length = 50 # Save mails with CR+LF instead of plain LF. This makes sending those mails# take less CPU, especially with sendfile() syscall with Linux and FreeBSD.# But it also creates a bit more disk I/O which may just make it slower.#mail_save_crlf = no # Use mmap() instead of read() to read mail files. read() seems to be a bit# faster with my Linux/x86 and it's better with NFS, so that's the default.#mail_read_mmaped = no # By default LIST command returns all entries in maildir beginning with dot.# Enabling this option makes Dovecot return only entries which are directories.# This is done by stat()ing each entry, so it causes more disk I/O.# (For systems setting struct dirent->d_type, this check is free and it's# done always regardless of this setting)#maildir_stat_dirs = no # Copy mail to another folders using hard links. This is much faster than# actually copying the file. This is problematic only if something modifies# the mail in one folder but doesn't want it modified in the others. I don't# know any MUA which would modify mail files directly. IMAP protocol also# requires that the mails don't change, so it would be problematic in any case.# If you care about performance, enable it.#maildir_copy_with_hardlinks = no # Check if mails' content has been changed by external programs. This slows# down things as extra stat() needs to be called for each file. If changes are# noticed, the message is treated as a new message, since IMAP protocol# specifies that existing messages are immutable.#maildir_check_content_changes = no# Which locking methods to use for locking mbox. There's three available:# dotlock: Create <mailbox>.lock file. This is the oldest and most NFS-safe# solution. If you want to use /var/mail/ like directory, the users# will need write access to that directory.# fcntl : Use this if possible. Works with NFS too if lockd is used.# flock : May not exist in all systems. Doesn't work with NFS.# You can use both fcntl and flock too; if you do the order they're declared# with is important to avoid deadlocks if other MTAs/MUAs are using both fcntl# and flock. Some operating systems don't allow using both of them# simultaneously, eg. BSDs. If dotlock is used, it's always created first.mbox_locks = fcntl# Should we create dotlock file even when we want only a read-lock? Setting# this to yes hurts the performance when the mailbox is accessed simultaneously# by multiple processes, but it's needed for reliable reading if no other# locking methods are available.#mbox_read_dotlock = no# Maximum time in seconds to wait for lock (all of them) before aborting.#mbox_lock_timeout = 300# If dotlock exists but the mailbox isn't modified in any way, override the# lock file after this many seconds.#mbox_dotlock_change_timeout = 30# umask to use for mail files and directories#umask = 0077# Drop all privileges before exec()ing the mail process. This is mostly# meant for debugging, otherwise you don't get core dumps. Note that setting# this to yes means that log file is opened as the logged in user, which# might not work. It could also be a small security risk if you use single UID# for multiple users, as the users could ptrace() each others processes then.#mail_drop_priv_before_exec = no#### IMAP process### Executable location#imap_executable = /usr/libexec/dovecot/imap# Set max. process size in megabytes. Most of the memory goes to mmap()ing# files, so it shouldn't harm much even if this limit is set pretty high.#imap_process_size = 256# Support for dynamically loadable modules.#imap_use_modules = no#imap_modules = /usr/lib/dovecot/imap#### POP3 process### Executable location#pop3_executable = /usr/libexec/dovecot/pop3# Set max. process size in megabytes. Most of the memory goes to mmap()ing# files, so it shouldn't harm much even if this limit is set pretty high.#pop3_process_size = 256# Support for dynamically loadable modules.#pop3_use_modules = no#pop3_modules = /usr/lib/dovecot/pop3#### Authentication processes### An Authentication process is a child process used by Dovecot that# handles the authentication steps. The steps cover an authentication# mechanism (auth_mechanisms, how the client authenticates in the IMAP or# POP3 protocol), which password database should be queried (auth_passdb),# and which user database should be queried (auth_userdb, to obtain# UID, GID, and location of the user's mailbox/home directory).# You can have multiple processes, though a typical configuration will# have only one. Each time "auth = xx" is seen, a new process# definition is started. The point of multiple processes is to be able# to set stricter permissions. (See auth_user below.)# Just remember that only one Authentication process is asked for the# password, so you can't have different passwords accessible through# different process definitions (unless they have different# auth_mechanisms, and you're ok with having different password for# each mechanisms).# Authentication process name.auth = default# Specifies how the client authenticates in the IMAP protocol.# Space separated list of permitted authentication mechanisms:# anonymous plain digest-md5 cram-md5# anonymous - No authentication required.# plain - The password is sent as plain text. All IMAP/POP3 clients# support this, and the password can be encrypted by Dovecot to match# any of the encryption schemes used in password databases.# digest-md5 and cram-md5 - both encrypt the password so it is more# secure in transit, but are not well supported by clients, and# require that the password database use a matching encryption# scheme (or be in plaintext).# See auth.txt for more details.# If you are using SSL there is less benefit to digest-md5 and# cram-md5 as the communication is already encrypted.auth_mechanisms = plain# Space separated list of realms for SASL authentication mechanisms that need# them. You can leave it empty if you don't want to support multiple realms.# Many clients simply use the first one listed here, so keep the default realm# first.#auth_realms =# Default realm/domain to use if none was specified. This is used for both# SASL realms and appending @domain to username in plaintext logins.#auth_default_realm =# Where user database is kept:# passwd: /etc/passwd or similiar, using getpwnam()# passwd-file <path>: passwd-like file with specified location# static uid=<uid> gid=<gid> home=<dir template>: static settings# vpopmail: vpopmail library# ldap <config path>: LDAP, see doc/dovecot-ldap.conf# pgsql <config path>: a PostgreSQL database, see doc/dovecot-pgsql.confauth_userdb = passwd# Where password database is kept:# passwd: /etc/passwd or similiar, using getpwnam()# shadow: /etc/shadow or similiar, using getspnam()# pam [<service> | *]: PAM authentication# passwd-file <path>: passwd-like file with specified location# vpopmail: vpopmail authentication# ldap <config path>: LDAP, see doc/dovecot-ldap.conf# pgsql <config path>: a PostgreSQL database, see doc/dovecot-pgsql.conf#auth_passdb = pgsql /usr/local/etc/dovecot-pgsql.confauth_passdb = pam#auth_executable = /usr/libexec/dovecot/dovecot-auth# Set max. process size in megabytes.#auth_process_size = 256# User to use for the process. This user needs access to only user and# password databases, nothing else. Only shadow and pam authentication# requires roots, so use something else if possible. Note that passwd# authentication with BSDs internally accesses shadow files, which also# requires roots.auth_user = root# Directory where to chroot the process. Most authentication backends don't# work if this is set, and there's no point chrooting if auth_user is root.#auth_chroot =# Number of authentication processes to create#auth_count = 1# List of allowed characters in username. If the user-given username contains# a character not listed in here, the login automatically fails. This is just# an extra check to make sure user can't exploit any potential quote escaping# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,# set this value to empty.#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@# Username to use for users logging in with ANONYMOUS SASL mechanism#auth_anonymous_username = anonymous# More verbose logging. Useful for figuring out why authentication isn't# working.#auth_verbose = no# Even more verbose logging for debugging purposes. Shows for example SQL# queries.#auth_debug = no# digest-md5 authentication process. It requires special MD5 passwords which# /etc/shadow and PAM doesn't support, so we never need roots to handle it.# Note that the passwd-file is opened before chrooting and dropping root# privileges, so it may be 0600-root owned file.#auth = digest_md5#auth_mechanisms = digest-md5#auth_realms =#auth_userdb = passwd-file /etc/passwd.imap#auth_passdb = passwd-file /etc/passwd.imap#auth_user = imapauth#auth_chroot =# if you plan to use only passwd-file, you don't need the two auth processes,# simply set "auth_methods = plain digest-md5"62 ☆Mail测试
[root@mail root]# mail virtualuser@cngnu.orgSubject: test by methis is a test.CC: [root@mail root]# mailqMail queue is empty [root@mail root]# tail /var/log/maillog使用mailq来查看邮件队列是否有错误,并查看/var/log/mail/*是否有错误信息。如果一切正常,说明信件已经发送到tester了。63 ☆测试pop/imap
测试收信,先测试POP3:telnet panda 110然后输入:user username+OKpass password (注意是pass)如果LOGIN成功,会有提示。+OK Logged in.list+OK 2 messages:1 8492 823这样的返回信息说明已经一切正常,可以提供服务了。STAT+OK 2 1672TOP 1+OKReturn-Path: <student@panda.panda.com>Received: from panda ([192.168.152.1]) by panda.panda.com (8.13.1/8.13.1) with SMTP id k7KJE2DZ004002 for <student@panda.panda.com>; Mon, 21 Aug 2006 03:14:02 +0800Date: Mon, 21 Aug 2006 03:14:02 +0800From: student@panda.panda.comMessage-Id: <200608201914.k7KJE2DZ004002@panda.panda.com>To: <student@panda.panda.com>Subject: =?utf-8?B?TWljcm9zb2Z0IE9mZmljZSBPdXRsb29rIOa1i+ivlea2iOaBrw==?=MIME-Version: 1.0Content-Type: text/plain; charset="utf-8"Content-Transfer-Encoding: 8bitX-IMAPbase: 1154223507 6Status: OX-UID: 5Content-Length: 120X-Keywords: DELE 1+OK Marked to be deleted.QUIT+OK SayonaraConnection closed by foreign host.再测试IMAP:imtest -m login -a panda@panda.panda.com localhost C: C01 CAPABILITYS: * OK mail.cngnu.org Cyrus IMAP4 v2.1.16 server readyS: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLES: C01 OK CompletedPassword: C: L01 LOGIN virtualuser {6}+ go aheadC: <omitted>L01 OK User logged inAuthenticated.Security strength factor: 0. select inbox* FLAGS (\Answered \Flagged \Draft \Deleted \Seen)* OK [PERMANENTFLAGS (\Answered \Flagged \Draft \Deleted \Seen \*)] * 1 EXISTS* 1 RECENT* OK [UIDVALIDITY 1021736432] * OK [UIDNEXT 3] . OK [READ-WRITE] Completed. fetch 1:1 (FLAGS BODY[HEADER.FIELDS (DATE FROM)])* 1 FETCH (FLAGS (\Seen) BODY[HEADER.FIELDS (DATE FROM)] {68}Date: Mon, 20 May 2002 09:26:09 +0800 (CST)From: wxy@cngnu.org) . OK Completed . logout* BYE LOGOUT received . OK Completed64 ☆procmail
邮件分拣 Linux的sendmail使用procmail作为信件的最终投递代理。这个程序有一些非常有用的 ,对于我们来说,最重要的功能是信件的自动过滤和分拣功能。 信件分拣大概是用户最希望的功能,它按照邮件的文件头(发信地址,收信地址等等 )甚至邮件的正文进行归类,并且可以自动存放在各个文件中或者转发给别的用户账号 。马上我们会看到,用procmail配置自动分拣是一件非常容易的事情。 通常的sendmail配置中已经使用了procmail作为邮件最终投递代理,如果你的sendmail已经改乱了,可以使用FEATURE(local_procmail)设置这个功能。 procmail主要依靠用户宿主目录下面的.procmailrc中的信息来处理邮件.如果这个配 制文件不存在,则procmail只是简单的将邮件保存到用户的信箱中. 一般来说,.procmailrc文件由配置行和行为规则组成,规则的一般格式是 0 选项 [零个或多个条件,每个一行] [动作命令] [动作命令] 0表示开始一条规则,后面可以加上一些单字符的选项,选项主要有下面的一些: H 搜索匹配邮件头部 B 搜索匹配整个邮件 D 匹配时区分大小写 A 如果前面最近的一个没有A或a选项的规则执行,执行本规则 a 如果上面一条规则执行,则本规则执行 E 同A相反,前面最近的没有E或e选项的规则没有执行,则执行本规则 e 同a相反 h 通过管道传送邮件首部(缺省) b 通过管道传送邮件主体(缺省) c 复制一个邮件 I 忽略所有写操作中的错误 r 原始模式,即procmail不对mail进行任何模式的处理 条件用一个*号开始,后面跟上正则表达式动作命令就是procmail在规则成功之后使用的命令,一般的命令有下面一些: {} 开始一个语句段,表示把一组命令集合成一个动作。如果你要嵌套处理规则,(例如 ,对于来自test的邮件,区分是含有computer字符串还是含有physics字符串)那么必须 使用语句段把子规则括起来。 ! 转发信件给某个用户 | 启用管道将邮件传送给后面的程序,例如|auto-reply表示启动auto-reply程序并且将 邮件内容作为标准输入传递给它。 任意文件名 将邮件存入某个文件。如果文件已经存在,就添加在文件的末尾。 对于熟悉perl或C语言的的用户,很容易用procmail的管道功能做出邮件的自动回复程序,这里不再介绍了,想进一步了解procmail的用户可以用 65 ☆使用POP客户端
所有的现在的邮件用户代理(MUA),例如netscape,elm,Outlook,pine和mutt都是使用POP的,可以被用作POP的客户端。每一个的配置都有所不同。同样有一个流行字符界面的的POP客户端叫做fetchmail。fetchmail是高度的可配置的,可以查询多个邮箱,可以作为守护进程运行,这样使得其每五分钟查询用户的邮箱。fetchmail在主机上递送邮件到邮件传送代理(MTA),例如sendmail。我们将勾画出以后如何安装fetchmail和使用其来查询我们装过的POP服务器。注意到有很多选项可以影响fetchmail的行为。建立一个~/.fetchmailrc文件如下所示:~student/.fetchmailrcpoll stationX.exmaple.com with protocol pop3: user studentXX there is user studentXX here password "password"由于密码存储在该文件中,因此fetchmail将会拒绝运行除非您把该文件的属性设定为对于仅仅文件的所有者只读。注意还可以使用chown改变由root创建的文件的所有者为studentXX。chmod 600 ~student/.fetchmailrcchown student.student ~student/.fetchmailrc尝试使用studentXX登陆到POP3邮箱echo "hello student" | mail -s "Hola" studentsu - studentfetchmail -vexitfetchmail能不能接收到student的POP邮件?将递送student的邮件到哪里?比从本地获取POP邮件有意义么?让您的伙伴在另外一台机器上建立相同的~/.fetchmailrc文件(或者配置其它诸如mozilla的MTA)试图从您的服务器上进行收信。66 ☆fetchmail
许多用户有多个邮件账户,有些在你的管理范围之内,有些在别的服务器上面。管理 所有这些邮件是非常恶心的事情。另外,也许你的系统仅仅是一个拨号代理(参考第八 章),不可能始终接在internet上面。你需要的是在系统连接到internet的时候发出电 子邮件,同时自动去接收电子邮件。在国内,典型的做法是每人申请一个本地电子邮件 账户和一个免费电子邮件账号,问题就是,如何从另外的ISP提供的电子邮件账号哪里自 动地接收邮件? 当然你可以让你的用户自己解决这个问题,不过这种僵硬的方法不见得合适。一般我 们采用另外的办法,就是fetchmail,它是一个自动的邮件接力程序,可以让它从远程的 pop3账号处取得邮件,然后扔进用户的本地邮箱。(关于pop3的情况参考下一节)可以直接用命令行调用fetchmail: $ fetchmail -p [协议] -u [用户名] [服务器] fetchmail得到的信息将直接投入localhost机器,账号是你启动fetchmail时使用的账 号。 $ fetchmail -p POP3 -u yuanban mail.asnc.edu.cn Enter password for yuanban@mail.asnc.edu.cn: 使用pop3协议从mail.asnc.edu.cn取得yuanban的信件。fetchmail要求你输入yuanba n的密码,然后进行验证,成功的话会出现下面的信息: 1 message for yuanban at mail.asnc.edu.cn (551840 octets). reading message 1 of 1 (551840 octets) ................................... .....d 表示已经完成了一封信件的转交。 对于更复杂的情况,建议你使用fetchmail的配置文件,即用户宿主目录下面的.fetc hmailrc。这个文件的详细资料可以参考fetchmail的文档,这里只用一个简单地例子来 介绍它。我们看一个简单的.fetchmailrc范例: set syslog set postmaster "isee" poll 202.96.44.11 with proto POP3 and options envelope Delivered-To: user "mere" there with password "xxxxxxx" is isee@snail.home here no keep user "isee" there with password "yyyyyyy" is isee@snail.home here no keep 这个范例相当简单。fetchmail在读取配置文件的时候会忽略所有的"there","here", "and","with","has","wants","options"之类的单词。 第一行set syslog程序定义fetchmail的记录文件使用系统记录功能。set postmaste r设置的是出错时的管理员账号,接下来的poll行定义了fetchmail使用的协议为POP3, 连接的服务器是202.96.44.11。 envelope Delivered-To:这个选项比较有趣,它在信封上加上一个Delivered-To说明 ,这主要是为了让fetchmail可以把信件投递到一些使用qmail(见下面)的系统中。 接下来是fetchmail的主体部分,一个user的行定义了一个接力方法,现在的定义是取 得202.96.44.11服务器上mere账号的信件,取信的口令是xxxxxxx,然后投递到isee@sn ail.home,同样,isee的信件也被自动投递到isee@snail.home。no-keep选项表示不在 原始服务器上保留邮件。 下面是配置fetchmail的一些常用选项: set logfile 制定log文件 set syslog 使用系统log文件 via 指定DNS机器名来取代poll中的机器明 proto 指定协议 port 指定端口 timeout 指定超时时间 interface 指定网络界面 user 指定远程用户 is 将本地用户和远程用户联系起来 to 同is pass 口令 preconnect 连接开始前执行的外部命令 postconnect 连接结束后执行的外部命令 keep 在服务器上保留邮件备份 no keep 不保留邮件备份 在配置了.fetchmailrc之后,只要直接执行fetchmail就可以实现自动的信件投递了。 实际上,你甚至可能使用fetchmail作为一个daemon程序来实现自动的邮件转交,或是设 置fetchmail让它支持qmail的虚拟域。 在fetchmail的发行版本中还提供了一个图形化的fetchmail配置程序,称为fetchmail conf。如果你对fetchmail的语法感到困难,只要使用这个程序就可以进行配置。启动这 个程序的方法很简单,直接在xterm下面执行fetchmailconf &: 图7.1 配置fetchmail 选择configure fetchmail出现: 图7.2 配置fetchmail(2) 只要选择Novice Configuration,然后出现服务器设置选单: 图7.3 配置fetchmail(3) 在New Server中加入你准备收信的服务器,然后回车,服务器名字就会出现在列表框 中,双击服务器名字,编辑关于服务器的设置: 图7.4 配置fetchmail(4)设置服务器的类型和服务器上的账户名字,双击账户名字并且输入对应的密码以及和 本地账户之间的对应关系,OK退出就可以了 67 ☆squirrelmail
rpm -q squirrelmailsquirrelmail的主配置文件为/etc/squirrelmail/config.php更改这个配置用/usr/share/squirrelmail/config/conf.pl更方便
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- RHEL5中配置Sendmail邮件服务 收藏一
- 邮件服务/Sendmail/Dovecot/Postfix的配置与应用
- 教你如何快速为企业公司搭建sendmail邮件服务;以及安装配置OpenWebmail的安装、测
- zz LAB_RHEL5下sendmail+dovecot+openwebmail邮件系统配置(图片链接已失效 2010/11/08)
- RHEl 5服务篇—部署Postfix邮件服务(二)配置邮件服务器的收、发信服务
- sendmail邮件网络服务的搭建和配置
- linux环境下安装及配置sendmail服务(邮件服务)
- RHEl 5服务篇—部署Postfix邮件服务(二)配置邮件服务器的收、发信服务
- RHEL5中配置DHCP服务 收藏
- RHEL6 postfix+dovecot 邮件服务配置
- LAB_RHEL5下sendmail+dovecot+openwebmail邮件系统配置
- nagios中告警邮件-sendmail服务的配置
- RHEL6 postfix+dovecot+mysql 邮件服务配置
- RHEL5中配置NIS服务 收藏
- linux之发送邮件--sendmail服务配置
- RHEL4- FTP服务(四)配置本地用户访问VSFTP服务器
- RHEL5下sendmail服务和dovecot服务的安装
- RHEL5中配置MySQL 收藏
- XAMPP 下配置SMTP mail服务,使PHP的mail() 函数可以发送邮件
- CentOS-7.2下配置邮件服务