Qoo
 
   
 超人
|
分享:
▼
x0
|
Sendmail+SASL+SSL HOWTO
OS:FreeBSD 5.0-RELEASE Sendmail-8.12.9
FreeBSD 系統中已內建 Sendmail 做為 Mail-Server 。
以 4.X 版本的 FreeBSD 為例,系統更新升級 (CVSup) 時,內建的 Sendmail 若有 patch ,
理論上也會一同更新升級。
倘若您一時無法作系統更新升級,用 PORTS 來安裝新版的 Sendmail 也是不錯的方法。
使用 PORTS 安裝 sendmail 之後, FreeBSD 上便會有新舊兩套 Sendmail 。您需要設定成
啟動新的 Sendmail ,而舊的那一套不要跑起來。
請先更新 PORTS-Tree
# cd /usr/ports
# make update
查驗 PORTS-Tree 中 Sendmail 的版本:
grep \PORTVERSION= /usr/ports/mail/sendmail/Makefile
Sendmail 的安裝
先停止 Sendmail
# sh /etc/rc.sendmail stop
使用 PORTS 安裝 Sendmail
# cd /usr/ports/mail/sendmail
# make SENDMAIL_WITH_SASL2=yes SENDMAIL_WITH_SMTPS=yes install clean
除了 make install 就能直接安裝之外,您還可以先查看一下 Makefile 的內容,
還有其他的 OPTIONS 可以加入,就看您需不需要了。
安裝完成後,Sendmail 的檔案在 /usr/local/sbin/ 資料夾中:
# ls -l /usr/local/sbin/sendmail*
-r-xr-sr-x??1?root??smmsp???644148?Mar?18?05:02?sendmail
FreeBSD 原系統預設的 sendmail 是在 /usr/sbin/sendmail 。
安裝新版的 sendmail.cf 檔
編輯 /etc/mail/freebsd.mc檔案,在檔案末端加入以下11行設定
dnl The following lines are used to enable the STARTTLS function
define(`CERT_DIR', `/etc/mail/cert')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/mycert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/mykey.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')dnl
dnl The following lines are used to enable CYRUS-SASL function
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
在編譯安裝sendmail.cf之前,習慣上我會還做更多的設定,以下是我的
freebsd.mc內容:
divert(-1)
#
# Copyright (c) 1983 Eric P. Allman
# Copyright (c) 1988, 1993
# The Regents of the University of California. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# 3. All advertising materials mentioning features or use of this software
# must display the following acknowledgement:
# This product includes software developed by the University of
# California, Berkeley and its contributors.
# 4. Neither the name of the University nor the names of its contributors
# may be used to endorse or promote products derived from this software
# without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
#
# This is a generic configuration file for FreeBSD 4.X and later systems.
# If you want to customize it, copy it to a name appropriate for your
# environment and do the modifications there.
#
# The best documentation for this .mc file is:
# /usr/share/sendmail/cf/README or
# /usr/src/contrib/sendmail/cf/README
#
divert(0)
VERSIONID(`$FreeBSD: src/etc/sendmail/freebsd.mc,v 1.10.2.16 2002/05/22 16:39:14
gshapiro Exp $')
OSTYPE(freebsd4)
DOMAIN(generic)
FEATURE(access_db, `hash -o -T<TMPF> /etc/mail/access')
FEATURE(blacklist_recipients)
FEATURE(local_lmtp)
FEATURE(mailertable, `hash -o /etc/mail/mailertable')
FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')
FEATURE(local_procmail)dnl +
FEATURE(masquerade_entire_domain)dnl *
FEATURE(masquerade_envelope)dnl *
FEATURE(delay_checks)dnl *
dnl Uncomment to allow relaying based on your MX records.
dnl NOTE: This can allow sites to use your server as a backup MX without
dnl your permission.
dnl FEATURE(relay_based_on_MX)
dnl DNS based black hole lists
dnl --------------------------------
dnl DNS based black hole lists come and go on a regular basis
dnl so this file will not serve as a database of the available servers.
dnl For that, visit http://dmoz.org/Computers/Internet/Abuse/Spam/Blacklists/
dnl Uncomment to activate Realtime Blackhole List
dnl information available at http://www.mail-abuse.com/
dnl NOTE: This is a subscription service as of July 31, 2001
dnl FEATURE(dnsbl)
dnl Alternatively, you can provide your own server and rejection message:
dnl FEATURE(dnsbl, `blackholes.mail-abuse.org', `"550 Mail from " $&{client_addr
} " rejected, see http://mail-abuse.org/cgi-bin/lookup?" $&{client_addr}')
dnl Dialup users should uncomment and define this appropriately
dnl define(`SMART_HOST', `your.isp.mail.server')
dnl Uncomment the first line to change the location of the default
dnl /etc/mail/local-host-names and comment out the second line.
dnl define(`confCW_FILE', `-o /etc/mail/sendmail.cw')
define(`confCW_FILE', `-o /etc/mail/local-host-names')
dnl Uncomment both of the following lines to listen on IPv6 as well as IPv4
dnl DAEMON_OPTIONS(`Name=IPv4, Family=inet')
dnl DAEMON_OPTIONS(`Name=IPv6, Family=inet6')
define(`confBIND_OPTS', `WorkAroundBrokenAAAA')
define(`confMAX_MIME_HEADER_LENGTH', `256/128')
define(`confNO_RCPT_ACTION', `add-to-undisclosed')
define(`confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy')
define(`confDOMAIN_NAME', `$w.$m')dnl *
MASQUERADE_AS(mis.ksut.edu.tw)dnl *
dnl The following lines are used to enable the STARTTLS function
define(`CERT_DIR', `/etc/mail/cert')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/mycert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/mykey.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')dnl
dnl The following lines are used to enable CYRUS-SASL function
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl *
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl *
MAILER(local)
MAILER(smtp)
MAILER(procmail)dnl +
*部份是我自行加上去的。其中 mis.ksut.edu.tw 是敝校的 domain ,您可別照抄。
其作用是讓主機寄出的信只帶有 domain ,而不是 hostname 。
+的部份則是要配合 procmail 時,才需要加上去的。
為了認證,加入下列內容:
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
本例,多加了認證方法:DIGEST-MD5 CRAM-MD5
另外,附加上access_db.m4等檔案內容,如下:
FEATURE(access_db)
FEATURE(delay_checks)
FEATURE(virtusertable)
編譯安裝sendmail.cf:
# cd /etc/mail
# make cf SENDMAIL_MC=/etc/mail/freebsd.mc
# make install
安裝 mail.local
為了讓本機使用者不用經認證即可發信,更改mail.local之使用權限
# chown root /usr/local/libexec/mail.local
# chmod u+s /usr/local/libexec/mail.local
(原本舊的sendmail的mail.local 檔案是在/usr/libexec目錄下)
讓舊的 Sendmail 開機時不啟動
變更 /etc/rc.conf 的設定:
將
sendmail_enable="YES"
變更為
sendmail_enable="NONE"
讓新的 Sendmail 開機即啟動
/usr/local/etc/rc.d/ 資料夾中有兩個與 Sendmail 啟動相關的新檔案:
-r-xr-xr-x 1 root wheel 1363 Jul 8 15:58 sendmail.sh
-r-xr-xr-x 1 root wheel 640 Jul 8 15:58 sm-client.sh
變更這兩個檔案的檔名,以便開機時能自動執行:
mv sendmail.sh.sample sendmail.sh
mv sm-client.sh.sample sm-client.sh
編輯/etc/mail/mailer.conf檔案
sendmail /usr/local/sbin/sendmail
send-mail /usr/local/sbin/sendmail
mailq /usr/local/sbin/sendmail
newaliases /usr/local/sbin/sendmail
hoststat /usr/local/sbin/sendmail
purgestat /usr/local/sbin/sendmail
(新增/etc/mail/local-host-names檔:
裡面填入localhost以及機器的完整名字(如mail.abc.com),這樣一來由
本機發時時便不需再一次做使用者認證。)
(新增/etc/mail/relay-domains檔:
填入本地的domainname,例如mydomain.com,當收件者不是給
mydomain.com時便會拒絕。)
編輯/etc/mail/access檔案
127.0.0.1 RELAY
主機網域名稱 RELAY
# cd /etc/mail
# makemap hash access.db < access
# makemap hash virtusertable.db < virtusertable
使用Cyrus SASL
建立sasl使用者及密碼
# /usr/local/sbin/saslpasswd2 -c username
再輸入密碼
檢視使用者帳號
# /usr/local/sbin/sasldblistusers2
注意,使用者帳號會自動附加上domain
使用SSL (此部分文章節錄自中研院計算中心 張毓麟先生 所著)
由於Sendmail與OpenSSL都是FreeBSD 4.3-STABLE版作業系統內建的功
能,因此不需額外的安裝手續,只需要根據我們的需要進行調整即可,最主要的
是要加上保密連線的金鑰(key-pair)與授權憑證(CA; Certification Authority)。
通常,我們會向獨立公正單位購買安全金鑰以及授權憑證。但如果不願意花錢
購買,也可以自行製作,自行製作的安全金鑰以及授權憑證,在功能上與買來的
相同,但是向獨立公正單位購買,會讓使用者心理上覺得比較有保障。
安全連線至系需要三個檔案才能啟用,請將公正單位核發的key-pair與CA放置
於下列目錄
server端的(秘錀)key-pair於/etc/mail/cert/mykey.pem
server端的(公錀)CA於/etc/mail/cert/mycert.pem
公正單位的CA於/etc/mail/cert/cacert.pem
請注意!如果使用公正單位所發出的key-pair,務必通知公正單位不可將mykey.pem
做DES編碼,否則sendmail將無法於開機時自動啟動。
如果想自行製作key-pair與CA,請依照下列指令操作
# mkdir /usr/local/CA
# cd /usr/local/CA
# mkdir certs crl newcerts private
# echo "01" > serial
# cp /dev/null index.txt
# cp /etc/ssl/openssl.cnf openssl.cnf
編輯openssl.cnf檔案,將檔案中的第38行的路徑由./demoCA改成
/usr/local/CA。接著執行以下指令,假裝自己是公正單位,做一個cacert.pem出
來。
# cd /usr/local/CA
# openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 365 -config openssl.cnf
請按螢幕上的指示,輸入相關的系統資料,當螢幕上提示輸入公正單位密碼
(PEM pass phrase)的時候,請自行設定一個密碼,並請牢記這個密碼,以便日後
使用。
# cd /usr/local/CA
# openssl req -nodes -new -x509 -keyout mykey.pem -out myreq.pem -days 365 -config openssl.cnf
# openssl x509 -x509toreq -in myreq.pem -signkey mykey.pem -out tmp.pem
# openssl ca -config openssl.cnf -policy policy_anything -out mycert.pem -infiles tmp.pem
# rm -f tmp.pem
以下指令將key-pair與CA複製到/etc/mail/cert目錄下,並設定正確權限
# mkdir /etc/mail/cert
# cp /usr/local/CA/mykey.pem /etc/mail/cert/
# cp /usr/local/CA/mycert.pem /etc/mail/cert/
# cp /usr/local/CA/cacert.pem /etc/mail/cert/
# chmod og-rwx /etc/mail/cert/mykey.pem
# chmod og=r /etc/mail/cert/mycert.pem
# chmod og=r /etc/mail/cert/cacert.pem
使用以下的指令建立CA的hash link,請特別注意引號的方向(建議剪貼以下指令,
以免不小必打字失誤)
# cd /etc/mail/cert
# ln -s cacert.pem `openssl x509 -noout -hash < cacert.pem`.0
這樣就完成了自行建立key-pair與CA的程序。這組key-pair與CA將可被
sendmail使用於保密連線的資料加密功能上。
現在就啟動新的 Sendmail
/usr/local/etc/rc.d/sendmail.sh start
相關連結與資源:
http://www.sendmail.org/
轉載自 http://solaris.mis.ksu.edu.tw/course/freebsd/sendmail_howto.txt
|
