SMTP:simple mail tansfer protocol
本身能實現路由功能,比如從一個用戶到另一個用戶
ESMTP:Extended
POP3:Post Office Protocol
IMAP4:Internet Mail Access Protocol
SMTP(25/tcp)
郵件傳輸:MT
郵件投遞:MD
郵件用戶:MU
郵件用戶代理:MUA mail user agent
郵件傳輸代理:MTA mail tansfer agent
郵件投遞代理:MDA mail delivery agent
郵件取回代理:MRA mail retrieval Agent
MUA--->MTA :使用SMTP協議
SMTPD郵件傳輸分爲兩類:
LMTP:本地郵件傳輸協議
調用本地smtp客戶端再到發送到郵件到對方的SMTPD
Open relay:開放中繼
SASL:simple Authintication secure layer,簡單認證安全層
LDAP:Lightweight Directory Access Protocol
虛擬用戶:僅用戶訪問某服務的數字標識
MTA:郵件傳輸代理軟件:
sendmail:配置文件語法(M4編寫),結合SUID
qmail:發送速度相當快, 2個數量級於sendmail
postfix:模塊化設計,不使用SUID,安全,跟sendmail兼容,效率高,比sendmail高差不多4倍
exim:配置語法簡單,劍橋大學開源項目
exchange:有異步消息協作平臺
SASL:SMTPD的用戶認證功能實現
syrus-sasl V2版本
courier--authlib:一般用來做sasl的認證機制,功能更強大,和靈活
MDA:郵件投遞的實現
procmail(sendmail中使用)
maildrop
MRA:pop3,ima協議的實現
cyrus-imap
dovecot:語法簡單,功能強大
MUA:郵件客戶端
outlook,foxmail,Thunderbird,Evolution,mutt(專業級文件界面)
WEBMAIL: web界面郵件實現
squirrelmail
openwebmail
Extmail(extman)
EMOS,Centos定製版本
smtps
pop3s
imaps
實驗實現:
發郵件方: Postfix + SASL(Courier-authlib) + mysql
收郵件方:Dovecot + MySQL
WebMail: Extmail + extman + httpd
安裝配置postfix:
# groupadd -g 2525 postfix # useradd -g postfix -u 2525 -s /sbin/nologin -M postfix # groupadd -g 2526 postdrop # useradd -g postdrop -u 2526 -s /sbin/nologin -M postdrop # tar zxvf postfix-2.9.3.tar.gz # cd postfix-2.9.3 # make makefiles 'CCARGS=-DHAS_MYSQL -I/usr/include/mysql -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/include/sasl -DUSE_TLS ' 'AUXLIBS=-L/usr/lib/mysql -lmysqlclient -lz -lm -L/usr/lib/sasl2 -lsasl2 -lssl -lcrypto' # make # make install CCARGS:指定C編譯參數,告訴系統在哪個位置查找頭文件 -DHAS_MYSQL:MYSQL的連接功能 -I/usr/include/mysql:頭文件路徑 -DUSE_SASL_AUTH:啓用SASL認證 -I/usr/include/sasl:SASL頭文件路徑 -DUSE_TLS:使用支持TLS加密 AUXLIBS:輔助的庫文件路徑 -lz:壓縮文件 -lm:模塊文件 -lsasl2:使用SASL2庫 -lssl:SSL的庫文件 -lcrypto:加密的庫文件 #編譯安裝的SQL,頭文件和庫文件路徑有區別,如下 # make makefiles 'CCARGS=-DHAS_MYSQL -I/usr/local/mysql/include -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/include/sasl -DUSE_TLS ' 'AUXLIBS=-L/usr/local/mysql/lib -lmysqlclient -lz -lm -L/usr/lib/sasl2 -lsasl2 -lssl -lcrypto' 按照以下的提示輸入相關的路徑([]號中的是缺省值,”]”後的是輸入值,省略的表示採用默認值) install_root: [/] / tempdir: [/root/postfix-2.9.3] /tmp/postfix #臨時目錄 config_directory: [/etc/postfix] /etc/postfix #配置目錄 daemon_directory: [/usr/libexec/postfix] #服務進程 command_directory: [/usr/sbin] #命令目錄 queue_directory: [/var/spool/postfix] #郵件隊列位置 sendmail_path: [/usr/sbin/sendmail] #smtp客戶端 newaliases_path: [/usr/bin/newaliases] #生成新別名 mailq_path: [/usr/bin/mailq] #郵件隊列工具 mail_owner: [postfix] #服務運行者 setgid_group: [postdrop] #實現域內用戶郵箱投遞 html_directory: [no]/var/www/html/postfix #幫助文檔 manpages: [/usr/local/man] #MAN手冊 readme_directory: [no] #其他幫助文檔
POST配置文件:
post核心模塊
master:/etc/postfix/master.cf
整個郵件的配置
/etc/postfix/main.cf
參數 = 值 :參數必須寫在行的絕對行首,以空白開關的行被認爲是上一行的延續
Postconf命令:實現配置postfix的命令行工具
-d:查看默認配置信息
-n: 查看修改的配置信息
-m: 查看postfix默認支持的用戶認證方式,即查找表類型
-A: 查看支持的SASL客戶端的插件類型
-e: PARMATER=VALUE:更改某參數配置信息,並保存至main.cf文件中
-a: 服務器商支持的sasl插件類型
smtp--->smtpd的工作步驟:
1、hello(確認服務器狀態,服務器並給予回覆)
2、mail from(確認發件人)
3、rcpt to(rcpt命令確認收件人)
4、data(郵件正文,以.爲結尾,表示郵件內容填寫完成,服務器接收併發送)
smtp協議命令:
helo(smtp協議)
ehlo(Esmtp協議)
mail from:[email protected]
rcpt to:
data
郵件的狀態碼:
1XX:純信息
2XX:正確類信息
3XX:上一步操作尚未完成 ,需要繼續補充
4XX:暫時性錯誤
5XX:永久性錯誤
alias:郵件別名
[email protected]:[email protected]
/etc/aliases,aliases配置文件
/etc/aliases --> hash --> /etc/aliases.db
使用newaliases可以創建/etc/aliases.db
postfix默認把本機的IP地址所在的網段識別爲本地網絡,並且給予中斷
postfix服務啓動腳本:
#!/bin/bash
#
# postfix Postfix Mail Transfer Agent
#
# chkconfig: 2345 80 30
# description: Postfix is a Mail Transport Agent, which is the program \
# that moves mail from one machine to another.
# processname: master
# pidfile: /var/spool/postfix/pid/master.pid
# config: /etc/postfix/main.cf
# config: /etc/postfix/master.cf
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up.
[ $NETWORKING = "no" ] && exit 3
[ -x /usr/sbin/postfix ] || exit 4
[ -d /etc/postfix ] || exit 5
[ -d /var/spool/postfix ] || exit 6
RETVAL=0
prog="postfix"
start() {
# Start daemons.
echo -n $"Starting postfix: "
/usr/bin/newaliases >/dev/null 2>&1
/usr/sbin/postfix start 2>/dev/null 1>&2 && success || failure $"$prog start"
RETVAL=$?
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/postfix
echo
return $RETVAL
}
stop() {
# Stop daemons.
echo -n $"Shutting down postfix: "
/usr/sbin/postfix stop 2>/dev/null 1>&2 && success || failure $"$prog stop"
RETVAL=$?
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/postfix
echo
return $RETVAL
}
reload() {
echo -n $"Reloading postfix: "
/usr/sbin/postfix reload 2>/dev/null 1>&2 && success || failure $"$prog reload"
RETVAL=$?
echo
return $RETVAL
}
abort() {
/usr/sbin/postfix abort 2>/dev/null 1>&2 && success || failure $"$prog abort"
return $?
}
flush() {
/usr/sbin/postfix flush 2>/dev/null 1>&2 && success || failure $"$prog flush"
return $?
}
check() {
/usr/sbin/postfix check 2>/dev/null 1>&2 && success || failure $"$prog check"
return $?
}
restart() {
stop
start
}
# See how we were called.
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
stop
start
;;
reload)
reload
;;
abort)
abort
;;
flush)
flush
;;
check)
check
;;
status)
status master
;;
condrestart)
[ -f /var/lock/subsys/postfix ] && restart || :
;;
*)
echo $"Usage: $0 {start|stop|restart|reload|abort|flush|check|status|condrestart}"
exit 1
esac
exit $?
# END添加服務
[root@localhost postfix-3.0.1]# chmod +x /etc/init.d/postfix [root@localhost postfix-3.0.1]# chkconfig --add postfix [root@localhost postfix-3.0.1]# chkconfig --list postfix postfix 0:off 1:off 2:on 3:on 4:on 5:on 6:off [root@localhost postfix-3.0.1]# service postfix restart Shutting down postfix: [ OK ] Starting postfix: [ OK ]
/etc/postfix/main.cf
進行一些基本配置,測試啓動postfix並進行發信
# vim /etc/postfix/main.cf
修改以下幾項爲您需要的配置
myhostname = mail.magedu.com
myorigin = magedu.com
mydomain = magedu.com
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks = 192.168.1.0/24, 127.0.0.0/8
inet_interfaces =
說明:
myorigin參數用來指明發件人所在的域名,即做發件地址僞裝;
mydestination參數指定postfix接收郵件時收件人的域名,即您的postfix系統要接收到哪個域名的郵件;
myhostname 參數指定運行postfix郵件系統的主機的主機名,默認情況下,其值被設定爲本地機器名;
mydomain 參數指定您的域名,默認情況下,postfix將myhostname的第一部分刪除而作爲mydomain的值;
mynetworks 參數指定你所在的網絡的網絡地址,postfix系統根據其值來區別用戶是遠程的還是本地的,如果是本地網絡用戶則允許其訪問;
inet_interfaces 參數指定postfix系統監聽的網絡接口;
注意:
1、在postfix的配置文件中,參數行和註釋行是不能處在同一行中的;
2、任何一個參數的值都不需要加引號,否則,引號將會被當作參數值的一部分來使用;
3、每修改參數及其值後執行 postfix reload 即可令其生效;但若修改了inet_interfaces,則需重新啓動postfix;
4、如果一個參數的值有多個,可以將它們放在不同的行中,只需要在其後的每個行前多置一個空格即可;postfix會把第一個字符爲空格或tab的文本行視爲上一行的延續;
配置postfix服務步驟:
1、設置主機名
[root@localhost postfix-3.0.1]# hostname btsbox.com [root@localhost postfix-3.0.1]# vim /etc/sysconfig/network [root@localhost postfix-3.0.1]# cat /etc/sysconfig/network NETWORKING=yes HOSTNAME=btsbox.com
2、建立DNS服務器
3、建立MRA
安裝dovecot軟件
4、驗證用戶身份發郵件,結合sasl認證
yum install dovecot
dovecot有SASL認證能力,支持pop3,imap4,pops,imaps
郵箱格式:mbox:一個文件存儲所有郵件,中間有分隔符
maildir:一個文件存儲一款郵件 ,所有郵件存儲在一個目錄中
dovecot配置文件
/etc/dovecot.conf
啓用protocols= imap pop3
service dovecot start 啓動服務
命令行收郵件命令:
telnet 10.189.8.109 110
USER username #指定用戶名
PASS password #指定密碼
LIST #查看郵件列表
RETR 1 #查看第一封郵件
postfix+sasl用戶認證
1、啓動sasl,啓動sasl服務
/etc/rc.d/init.d/saslauthd 服務腳本
/etc/sysconfig/saslauthd 配置文件
saslauthd -v :查看支持哪些認證機制,默認爲pam
testsaslauthd :測試saslauthd
testsaslauthd -u openstack -p openstack
2、讓postfix與sasl結合
編輯/etc/postfix/main.cf文件
添加以下內容: ############################CYRUS-SASL############################ broken_sasl_auth_clients = yes smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_invalid_hostname,reject_non_fqdn_hostname,reject_unknown_sender_domain,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unauth_pipelining,reject_unauth_destination smtpd_sasl_auth_enable = yes smtpd_sasl_local_domain = $myhostname smtpd_sasl_security_options = noanonymous smtpd_sasl_application_name = smtpd smtpd_banner = Welcome to our $myhostname ESMTP,Warning: Version not Available!
編輯/usr/lib/sasl2/smtpd.conf
添加如下內容: pwcheck_method: saslauthd mech_list: PLAIN LOGIN
讓postfix重新加載配置文件
#/usr/sbin/postfix reload
實現postfix基於客戶端的訪問控制
1、基於客戶端的訪問控制概覽
postfix內置了多種反垃圾郵件的機制,其中就包括“客戶端”發送郵件限制。客戶端判別機制可以設定一系列客戶信息的判別條件:
smtpd_client_restrictions
smtpd_data_restrictions
smtpd_helo_restrictions
smtpd_recipient_restrictions
smtpd_sender_restrictions
上面的每一項參數分別用於檢查SMTP會話過程中的特定階段,即客戶端提供相應信息的階段,如當客戶端發起連接請求時,postfix就可以根據配置文件中定義的smtpd_client_restrictions參數來判別此客戶端IP的訪問權限。相應地,smtpd_helo_restrictions則用於根據用戶的helo信息判別客戶端的訪問能力等等。
如果DATA命令之前的所有內容都被接受,客戶端接着就可以開始傳送郵件內容了。郵件內容通常由兩部分組成,前半部分是標題(header),其可以由header_check過濾,後半部分是郵件正文(body),其可以由check_body過濾。這兩項實現的是郵件“內容檢查”。
postfix的默認配置如下:
smtpd_client_restrictions =
smtpd_data_restrictions =
smtpd_end_of_data_restrictions =
smtpd_etrn_restrictions =
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_sender_restrictions =
這限制了只有mynetworks參數中定義的本地網絡中的客戶端才能通過postfix轉發郵件,其它客戶端則不被允許,從而關閉了開放式中繼(open relay)的功能。
Postfix有多個內置的限制條件,如上面的permit_mynetworks和reject_unauth_destination,但管理員也可以使用訪問表(access map)來自定義限制條件。自定義訪問表的條件通常使用check_client_access, check_helo_access, check_sender_access, check_recipient_access進行,它們後面通常跟上type:mapname格式的訪問表類型和名稱。其中,check_sender_access和check_recipient_access用來檢查客戶端提供的郵件地址,因此,其訪問表中可以使用完整的郵件地址,如[email protected];也可以只使用域名,如magedu.com;還可以只有用戶名的部分,如marion@。
connection:smtpd_client_restrictions = (限定哪此用戶可以連接指令)
helo:smtpd_hello_restrictions = user1 (限定哪此用戶可以使用hello指令)
mail from:smtpd_sender_restrictions =
rcpt to: smtpd_recipient_restrictions = (以上步驟真正實現拒絕用戶,是此步驟)
data:smtpd_data_restrictions =
mail from:user1@ (表示來自此用戶的所有域都拒絕
a.com(表示所有a.com所有的域都不讓發郵件)
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
permit_mynetworks:表示只允許mynetworks指定的主機中繼
reject_unauth_destination:表示拒絕所有未經認證的用戶
實現示例1
這裏以禁止172.16.100.200這臺主機通過工作在172.16.100.1上的postfix服務發送郵件爲例演示說明其實現過程。訪問表使用hash的格式。
(1)首先,編輯/etc/postfix/access文件,以之做爲客戶端檢查的控制文件,在裏面定義如下一行:
172.16.100.200REJECT
(2)將此文件轉換爲hash格式
# postmap /etc/postfix/access
(3)配置postfix使用此文件對客戶端進行檢查
編輯/etc/postfix/main.cf文件,添加如下參數:
smtpd_client_restrictions = check_client_access hash:/etc/postfix/access smtpd_hello_restrictions = check_hello_access mysql:/etc/postfix/mysql_user (數據庫格式) smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/recipient,permit_mynetworks, reject_unauth_destination #後面兩項必須不能少,前面一項必須寫前面,次序要匹配
(4)讓postfix重新載入配置文件即可進行發信控制的效果測試了。
實現示例2
這裏以禁止通過本服務器向microsoft.com域發送郵件爲例演示其實現過程。訪問表使用hash的格式。
(1)首先,建立/etc/postfix/denydstdomains文件(文件名任取),在裏面定義如下一行:
microsoft.comREJECT
(2)將此文件轉換爲hash格式
# postmap /etc/postfix/denydstdomains
(3)配置postfix使用此文件對客戶端進行檢查
編輯/etc/postfix/main.cf文件,添加如下參數:
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/denydstdomains, permit_mynetworks, reject_unauth_destination
(4)讓postfix重新載入配置文件即可進行發信控制的效果測試了。
4、檢查表格式的說明
hash類的檢查表都使用類似如下的格式:
pattern action
檢查表文件中,空白行、僅包含空白字符的行和以#開頭的行都會被忽略。以空白字符開頭後跟其它非空白字符的行會被認爲是前一行的延續,是一行的組成部分。
(1)關於pattern
其pattern通常有兩類地址:郵件地址和主機名稱/地址。
郵件地址的pattern格式如下:
user@doain 用於匹配指定郵件地址m;
domain.tld 用於匹配以此域名作爲郵件地址中的域名部分的所有郵件地址;
user@ 用於匹配以此作爲郵件地址中的用戶名部分的所有郵件地址;
主機名稱/地址的pattern格式如下:
domain.tld 用於匹配指定域及其子域內的所有主機;
.domain.tld 用於匹配指定域的子域內的所有主機;
net.work.addr.ess
net.work.addr
net.work
net 用於匹配特定的IP地址或網絡內的所有主機;
network/mask CIDR格式,匹配指定網絡內的所有主機;
(2)關於action
接受類的動作:
OK 接受其pattern匹配的郵件地址或主機名稱/地址;
全部由數字組成的action 隱式表示OK;
拒絕類的動作(部分):
4NN text
5NN text
其中4NN類表示過一會兒重試;5NN類表示嚴重錯誤,將停止重試郵件發送;421和521對於postfix來說有特殊意義,儘量不要自定義這兩個代碼;
REJECT optional text... 拒絕;text爲可選信息;
DEFER optional text... 拒絕;text爲可選信息;
爲postfix開啓基於cyrus-sasl的認證功能
使用以下命令驗正postfix是否支持cyrus風格的sasl認證,如果您的輸出爲以下結果,則是支持的:
# /usr/local/postfix/sbin/postconf -a
cyrus
dovecot
#vim /etc/postfix/main.cf
添加以下內容:
############################CYRUS-SASL############################
broken_sasl_auth_clients = yes #開啓通過sasl驗證用戶來發郵件,客戶端限制
smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_invalid_hostname,reject_non_fqdn_hostname,reject_unknown_sender_domain,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unauth_pipelining,reject_unauth_destination
reject_invalid_hostname #拒絕主機不合法的來收發郵件 reject_non_fqdn_hostname #主機名不是FQDN格式,也不允許 reject_unknown_sender_domain #拒絕無法識別的發件人 reject_non_fqdn_sender #拒絕沒有fqdn的發件人 reject_non_fqdn_recipient #拒絕沒有fqdn的接收人 reject_unknown_recipient_domain #拒絕無法識別的收件域 reject_unauth_pipelining #無法認證的管道 reject_unauth_destination # 拒絕無法認證的用戶
smtpd_sasl_auth_enable = yes #啓用smtpd+sasl認證功能
smtpd_sasl_local_domain = $myhostname #本地主機的認證
smtpd_sasl_security_options = noanonymous #sasl的安全選項,不支持匿名用戶
smtpd_sasl_application_name = smtpd #哪個程序要使用sasl功能,2.3版本以前使用這行
smtpd_sasl_path = smtpd #哪個程序要使用sasl功能,2.4及以後版本需要使用這行代碼
smtpd_banner = Welcome to our $myhostname ESMTP,Warning: Version not Available! #歡迎信息
# vim /usr/lib/sasl2/smtpd.conf
添加如下內容:
log_level 3 #定義日誌級別,可以看用戶驗證級別的日誌,在郵件的日誌中
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN #PLAIN LOGIN是兩種認證機制
#關閉/etc/postfix/main.cf中的mynetworks選項,如下
mynetworks = 127.0.0.0/8 #只給本機中繼,其他的都使用sasl功能認證
讓postfix重新加載配置文件
#/usr/sbin/postfix reload
重啓saslauthd服務
#server saslauthd restart
# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 Welcome to our mail.magedu.com ESMTP,Warning: Version not Available!
ehlo mail.magedu.com
250-mail.magedu.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN (請確保您的輸出以類似兩行)
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
Mutt命令的使用:
mut -f pop://[email protected] #-f指定協議 root用戶 @指定主機
Postfix虛擬域的實現:
1、smtp藉助sasl函數庫調用courier-authlib程序到mysql的用戶認證;
2、pop、imap藉助dovecot程序實現到mysql的用戶認證
3、webmail使用extmail,extman程序實現,exmail本身也可以實現用戶到mysql的認證和用戶的 郵件收發
4、exmail,extman需依賴httpd服務,由於exmail是perl開發語言,需要http對perl模塊的支持
SMTP使用courier-authlib完成認證:
安裝postfix-3.0.1
make makefiles 'CCARGS=-DHAS_MYSQL -I/usr/include/mysql -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/include/sasl -DUSE_TLS ' 'AUXLIBS=-L/usr/lib64/mysql -lmysqlclient -lz -lm -L/usr/lib64/sasl2 -lsasl2 -lssl -lcrypto' make make install #提供服務腳本配置文件 vim /etc/init.d/postfix chmod +x /etc/init.d/postfix chkconfig --add postfix #vim /etc/postfix/main.cf #配置main.cf中的選項 mynetworks = 127.0.0.0/8 inet_interfaces = all 並添加以下內容: ############################CYRUS-SASL############################ broken_sasl_auth_clients = yes smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_invalid_hostname,reject_non_fqdn_hostname,reject_unknown_sender_domain,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unauth_pipelining,reject_unauth_destination smtpd_sasl_auth_enable = yes smtpd_sasl_local_domain = $myhostname smtpd_sasl_security_options = noanonymous smtpd_sasl_path = smtpd smtpd_banner = Welcome to our $myhostname ESMTP,Warning: Version not Available!
安裝courier-authlib
#需要先安裝courier-unicode-1.3
tar xf courier-unicode-1.3.tar.bz2
cd courier-unicode-1.3
./configure
make && make install
#編譯安裝courier-authlib
102 ./configure \
--prefix=/usr/local/courier-authlib \ #指定安裝路徑
--sysconfdir=/etc \ #指定配置文件存放路徑
--without-authpam \ #關閉pam認證
--without-authshadow \ #關閉shadow認證
--without-authvchkpw \ #關閉vcchkpw認證
--without-authpgsql \ #關閉pgsql認證
--with-authmysql \ #開啓mysql認證
--with-mysql-libs=/usr/lib64/mysql \ #指定mysql的庫文件
--with-mysql-includes=/usr/include/mysql \ #指定mysql的頭文件
--with-redhat \ #指定安裝平臺,可以優化環境
--with-authmysqlrc=/etc/authmysqlrc \ #基於mysql認證的配置文件
--with-authdaemonrc=/etc/authdaemonrc \ #authlib本身的配置文件
--with-mailuser=postfix \ #服務運行用戶
--with-mailgroup=postfix #服務運行組
備註:可以使用--with-authdaemonvar=/var/spool/authdaemon選項來指定進程套按字目錄路徑
#提供sysv服務腳本:
[root@mail courier-authlib-0.66.3]# cp courier-authlib.sysvinit /etc/init.d/courier-authlib
[root@mail courier-authlib-0.66.3]# chmod 755 /etc/init.d/courier-authlib
[root@mail courier-authlib-0.66.3]# chkconfig --add courier-authlib
[root@mail courier-authlib-0.66.3]# chkconfig --list courier-authlib
courier-authlib 0:off 1:off 2:on 3:on 4:on 5:on 6:of
#配置courier-authlib服務
[root@mail courier-authlib-0.66.3]# chmod 755 /usr/local/courier-authlib/var/spool/authdaemon/ #由於courier-authlib與postfix安裝在一臺電腦,需使用socket通信,需確保其他用戶可訪問。
#重命名authlib的配置文件和mysql的連接配置文件
[root@mail courier-authlib-0.66.3]# cp /etc/authdaemonrc.dist /etc/authdaemonrc
[root@mail courier-authlib-0.66.3]# cp /etc/authmysqlrc.dist /etc/authmysqlrc
#修改/etc/authdaemonrc配置文件
authmodulelist="authmysql" #支持的認證模塊只保留authmsyql
authmodulelistorig="authmysql" #支持的原始模塊也只保留authmysql
daemons=10 #默認啓動的進程
authdaemonvar=/usr/local/courier-authlib/var/spool/authdaemon #courier-authlib的socket保存路徑,默認不更改
DEBUG_LOGIN=0 #調試日誌,級別有0 1 2 ,0表示關閉,1表示開啓 2表示開啓同時記錄密碼
#修改/etc/authmysqlrc配置文件
MYSQL_SERVER localhsot #連接的mysql服務器位置
MYSQL_USERNAME extmail #extmail是extmail連接數據庫extmail所使用的extmail用戶
MYSQL_PASSWORD extmail #密碼與上一致
MYSQL_SOCKET /var/lib/mysql/mysql.sock #mysql的socket文件路徑,通用二進制格式安裝在/tmp
MYSQL_PORT 3306 #mysql服務器的端口號,由於使用的是socket,端口用不上
MYSQL_OPT 0 #mysql額外選項
MYSQL_DATABASE extmail #mysql中的數據庫
MYSQL_USER_TABLE mailbox #mysql中的用戶認證表
MYSQL_CRYPT_PWFIELD password #哪個字段是存放用戶的密碼
MYSQL_UID_FIELD 2525 #郵件運行者的UID,即postfix
MYSQL_GID_FIELD 2525 #GID
MYSQL_LOGIN_FIELD username #哪個字段是存放用戶名
MYSQL_HOME_FIELD concat('/var/mailbox/',homedir) #mysql存放用戶的家目錄,即存郵件 路徑,homedir是一個變量
MYSQL_NAME_FIELD name #用戶的全名在哪個字段上
MYSQL_MAILDIR_FIELD concat('/var/mailbox/',maildir) #用戶的郵箱目錄
#配置完成,啓動服務
[root@mail courier-authlib-0.66.3]# service courier-authlib start
Starting Courier authentication services: authdaemond
#驗證服務啓動情況
[root@mail courier-authlib-0.66.3]# ps aux | grep auth
root 20186 0.0 0.0 4068 520 ? S 16:35 0:00 /usr/local/courier-authlib/sbin/courierlogger -pid=/usr/local/courier-authlib/var/spool/authdaemon/pid -start /usr/local/courier-authlib/libexec/courier-authlib/authdaemond
root 20187 0.0 0.1 55936 2220 ? S 16:35 0:00 /usr/local/courier-authlib/libexec/courier-authlib/authdaemond
root 20188 0.0 0.0 55936 728 ? S 16:35 0:00 /usr/local/courier-authlib/libexec/courier-authlib/authdaemond
root 20189 0.0 0.0 55936 728 ? S 16:35 0:00 /usr/local/courier-authlib/libexec/courier-authlib/authdaemond
root 20190 0.0 0.0 55936 728 ? S 16:35 0:00 /usr/local/courier-authlib/libexec/courier-authlib/authdaemond
root 20191 0.0 0.0 55936 728 ? S 16:35 0:00 /usr/local/courier-authlib/libexec/courier-authlib/authdaemond
root 20192 0.0 0.0 55936 728 ? S 16:35 0:00 /usr/local/courier-authlib/libexec/courier-authlib/authdaemond
root 20193 0.0 0.0 55936 728 ? S 16:35 0:00 /usr/local/courier-authlib/libexec/courier-authlib/authdaemond
root 20194 0.0 0.0 55936 728 ? S 16:35 0:00 /usr/local/courier-authlib/libexec/courier-authlib/authdaemond
root 20195 0.0 0.0 55936 728 ? S 16:35 0:00 /usr/local/courier-authlib/libexec/courier-authlib/authdaemond
root 20196 0.0 0.0 55936 728 ? S 16:35 0:00 /usr/local/courier-authlib/libexec/courier-authlib/authdaemond
root 20197 0.0 0.0 55936 728 ? S 16:35 0:00 /usr/local/courier-authlib/libexec/courier-authlib/authdaemond
root 20199 0.0 0.0 103248 876 pts/3 R+ 16:35 0:00 grep auth
#創建虛擬用戶郵箱所在的目錄,並將其權限給予postfix用戶
[root@mail postfix-3.0.1]# mkdir -pv /var/mailbox
mkdir: created directory `/var/mailbox'
[root@mail postfix-3.0.1]# chown postfix /var/mailbox/
#接下來重新配置SMTP 認證,編輯 /usr/lib/sasl2/smtpd.conf ,確保其爲以下內容:
pwcheck_method: authdaemond #authdaemond是courier-authlib的主進程
log_level: 3
mech_list:PLAIN LOGIN
authdaemond_path:/usr/local/courier-authlib/var/spool/authdaemon/socket #socket的路徑
#注意:使用虛擬域的時候只能使用maildir郵箱格式讓postfix啓用支持虛擬域和虛擬用戶:
1、編輯/etc/postfix/main.cf,添加如下內容: ########################Virtual Mailbox Settings######################## virtual_mailbox_base = /var/mailbox #用戶郵件存放路徑 virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf #用戶帳戶映射表,文件由exmail提供,複製到相當目錄中即可 virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf #虛擬域查詢表 virtual_alias_domains = virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf #別名映射表 virtual_uid_maps = static:2525 virtual_gid_maps = static:2525 virtual_transport = virtual #指定的一個MDA,即投遞代理爲virtual maildrop_destination_recipient_limit = 1 #每次只投遞一封郵件 maildrop_destination_concurrency_limit = 1 #每次一個併發投遞 ##########################QUOTA Settings######################## #郵箱配額選項 message_size_limit = 14336000 virtual_mailbox_limit = 20971520 virtual_create_maildirsize = yes #建倉用戶的時候是否自動創建郵箱目錄 virtual_mailbox_extended = yes #郵箱目錄是否支持擴展方式 virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf #郵箱限定配置表 virtual_mailbox_limit_override = yes #如果mailbox有限制覆蓋postfix中的限定 virtual_maildir_limit_message = Sorry, the user's maildir has overdrawn his diskspace quota, please Tidy your mailbox and try again later. #超限通知 virtual_overquota_bounce = yes #超限是否彈回
配置httpd服務
[root@mail docs]# yum install httpd -y
配置extman:
#使用extman源碼目錄下docs目錄中的extmail.sql和init.sql建立數據庫 [root@mail docs]# mysql -uroot -p < extmail.sql [root@mail docs]# mysql -uroot < init.sql 說明: 1、啓用虛擬域以後,需要取消中心域,即註釋掉myhostname, mydestination, mydomain, myorigin幾個指令;當然,你也可以把mydestionation的值改爲你自己需要的。 2、對於MySQL-5.1以後版本,其中的服務腳本extmail.sql執行會有語法錯誤;可先使用如下命令修改extmail.sql配置文件,而後再執行。修改方法如下: # sed -i 's@TYPE=MyISAM@ENGINE=InnoDB@g' extmail.sql #在5.1以後的Mysql不支持myisam引擎 #授予用戶extmail訪問extmail數據庫的權限 mysql> GRANT all privileges on extmail.* TO extmail@localhost IDENTIFIED BY 'extmail'; mysql> GRANT all privileges on extmail.* TO [email protected] IDENTIFIED BY 'extmail';
配置dovecot-2.0.9-8服務:
#需要安裝dovecot-devel包 yum install dovecot-devel #配置 vim /etc/dovecot/dovecot.conf protocols = imap pop3 vim /etc/dovecot/conf.d/10-mail.conf mail_location = maildir:/var/mailbox/%d/%n/Maildir#用戶郵件存放路徑 %d表示域,%n表示用戶 #!include auth-system.conf.ext #禁用系統認證 !include auth-sql.conf.ext #開啓sql認證 vim /etc/dovecot/dovecot-sql.conf.ext connect = host=localhost dbname=extmail user=extmail password=extmail #mysql爲localhost,數據庫爲extmail,數據庫用戶:extmail 數據庫密碼:extmail default_pass_scheme = CRYPT #密碼加密機制 password_query = SELECT username AS user,password AS password FROM mailbox WHERE username = '%u' #做驗證時的查詢語句 user_query = SELECT maildir, uidnumber AS uid, gidnumber AS gid FROM mailbox WHERE username = '%u' #存放郵件的查詢語句
安裝extmail-1.2
說明:如果extmail的放置路徑做了修改,那麼配置文件webmail.cf中的/var/www路徑必須修改爲你所需要的位置。本文使用了默認的/var/www,所以,以下示例中並沒有包含路徑修改的相關內容。 # tar zxvf extmail-1.2.tar.gz # mkdir -pv /var/www/extsuite # mv extmail-1.2 /var/www/extsuite/extmail # cp /var/www/extsuite/extmail/webmail.cf.default /var/www/extsuite/extmail/webmail.cf 修改主配置文件 #vi /var/www/extsuite/extmail/webmail.cf 部分修改選項的說明: SYS_MESSAGE_SIZE_LIMIT = 5242880 用戶可以發送的最大郵件 SYS_USER_LANG = en_US 語言選項,可改作: SYS_USER_LANG = zh_CN SYS_MAILDIR_BASE = /home/domains 此處即爲您在前文所設置的用戶郵件的存放目錄,可改作: SYS_MAILDIR_BASE = /var/mailbox SYS_MYSQL_USER = db_user SYS_MYSQL_PASS = db_pass 以上兩句句用來設置連接數據庫服務器所使用用戶名、密碼和郵件服務器用到的數據庫,這裏修改爲: SYS_MYSQL_USER = extmail SYS_MYSQL_PASS = extmail SYS_MYSQL_HOST = localhost 指明數據庫服務器主機名,這裏默認即可 SYS_MYSQL_TABLE = mailbox SYS_MYSQL_ATTR_USERNAME = username SYS_MYSQL_ATTR_DOMAIN = domain SYS_MYSQL_ATTR_PASSWD = password 以上用來指定驗正用戶登錄裏所用到的表,以及用戶名、域名和用戶密碼分別對應的表中列的名稱;這裏默認即可 SYS_AUTHLIB_SOCKET = /var/spool/authdaemon/socket 此句用來指明authdaemo socket文件的位置,這裏修改爲: SYS_AUTHLIB_SOCKET = /usr/local/courier-authlib/var/spool/authdaemon/socket
配置apache服務:
#首先關閉中心主機,並添加如下 User postfix Group postfix <VirtualHost *:80> ServerName mail.btsbox.com DocumentRoot /var/www/extsuite/extmail/html/ ScriptAlias /extmail/cgi /var/www/extsuite/extmail/cgi Alias /extmail /var/www/extsuite/extmail/html SuexecUserGroup postfix postfix #suexec可以讓虛擬網站以另一個用戶和組運行,如果需要指定此項,就不需要更改中心主機的user,group </VirtualHost> 修改 cgi執行文件屬主爲apache運行身份用戶: # chown -R postfix.postfix /var/www/extsuite/extmail/cgi/
依賴關係的解決
extmail將會用到perl的Unix::syslogd功能,您可以去http://search.cpan.org搜索下載原碼包進行安裝。 # tar zxvf Unix-Syslog-0.100.tar.gz # cd Unix-Syslog-0.100 # perl Makefile.PL # make # make install 5、啓動apache服務 # service httpd start # chkconfig httpd on
錯誤A:
Can't locate CGI.pm in @INC (@INC contains: /var/www/extsuite/extmail/libs /usr/local/lib/perl5 /usr/local/share/perl5 /usr/lib/perl5/vendor_perl
/usr/share/perl5/vendor_perl /usr/lib/perl5 /usr/share/perl5) at /var/www/extsuite/extmail/libs/Ext/CGI.pm line 20. BEGIN failed--compilation aborted at
/var/www/extsuite/extmail/libs/Ext/CGI.pm line 20. Compilation failed in require at /var/www/extsuite/extmail/libs/Ext/App.pm line 23. BEGIN failed--compilation
aborted at /var/www/extsuite/extmail/libs/Ext/App.pm line 23. Compilation failed in require at /var/www/extsuite/extmail/libs/Ext/App/Login.pm line 16. BEGIN failed--
compilation aborted at /var/www/extsuite/extmail/libs/Ext/App/Login.pm line 16. Compilation failed in require at /var/www/extsuite/extmail/cgi/index.cgi line 20.
解決辦法:安裝perl-CGI和perl-CGI-Session
# yum install perl-CGI
#yum install perl-CGI-Session
安裝Extman-1.1
1、安裝及基本配置
# tar zxvf extman-1.1.tar.gz # mv extman-1.1 /var/www/extsuite/extman #修改配置文件以符合本例的需要: # cp /var/www/extsuite/extman/webman.cf.default /var/www/extsuite/extman/webman.cf # vi /var/www/extsuite/extman/webman.cf SYS_MAILDIR_BASE = /home/domains #此處即爲您在前文所設置的用戶郵件的存放目錄,可改作: SYS_MAILDIR_BASE = /var/mailbox SYS_DEFAULT_UID = 1000 SYS_DEFAULT_GID = 1000 此兩處後面設定的ID號需更改爲前而創建的postfix用戶和postfix組的id號,本文使用的是2525,因此,上述兩項需要修改爲: SYS_DEFAULT_UID = 2525 SYS_DEFAULT_GID = 2525 SYS_MYSQL_USER = webman SYS_MYSQL_PASS = webman 修改爲: SYS_MYSQL_USER = extmail SYS_MYSQL_PASS = extmail #而後修改cgi目錄的屬主: # chown -R postfix.postfix /var/www/extsuite/extman/cgi/ 在apache的主配置文件中Extmail的虛擬主機部分,添加如下兩行: ScriptAlias /extman/cgi /var/www/extsuite/extman/cgi Alias /extman /var/www/extsuite/extman/html 創建其運行時所需的臨時目錄,並修改其相應的權限: #mkdir -pv /tmp/extman #chown postfix.postfix /tmp/extman 修改 SYS_CAPTCHA_ON = 1 爲 SYS_CAPTCHA_ON = 0
好了,到此爲止,重新啓動apache服務器後,您的Webmail和Extman已經可以使用了,可以在瀏覽器中輸入指定的虛擬主機的名稱進行訪問,如下:
http://mail.magedu.com
選擇管理即可登入extman進行後臺管理了。默認管理帳號爲:[email protected] 密碼爲:extmail*123*
說明:
(1) 如果您安裝後無法正常顯示校驗碼,安裝perl-GD模塊會解決這個問題。如果想簡單,您可以到以下地址下載適合您的平臺的rpm包,安裝即可: http://dries.ulyssis.org/rpm/packages/perl-GD/info.html
(2) extman-1.1自帶了圖形化顯示日誌的功能;此功能需要rrdtool的支持,您需要安裝此些模塊纔可能正常顯示圖形日誌。
郵件加密:
smtp-->smtps
25-->465
S/MIME
security/MIME
USER<-->USER
實現S/MIME的功能有如下:
OpenSSL,GPG(PGP)
GPG:GUN privacy Guard,是PGP技術的一種實現
pops,imaps:支持基於openssl實現
pop3:995/tcp
imaps: 993/tcp
配置doveoct的pops
#創建CA並生成證書 [root@mail conf.d]# cd /etc/pki/CA/ [root@mail CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048) #創建CA key Generating RSA private key, 2048 bit long modulus ......................................................+++ ......................................................................................................................+++ e is 65537 (0x10001) #創建自簽證書 [root@mail CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3657 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:ShangHai Locality Name (eg, city) [Default City]:ShangHai Organization Name (eg, company) [Default Company Ltd]:ogilvy Organizational Unit Name (eg, section) []:Tech Common Name (eg, your name or your server's hostname) []:ca.btsbox.com Email Address []:[email protected] [root@mail CA]# cd /etc/dovecot/^C [root@mail CA]# cd /etc/dovecot/ [root@mail dovecot]# mkdir ssl [root@mail dovecot]# cd ssl/ [root@mail ssl]# (umask 077;openssl genrsa 1024 -out dovecot.key) Generating RSA private key, 1024 bit long modulus ......++++++ ..........................................++++++ e is 65537 (0x10001) -----BEGIN RSA PRIVATE KEY----- MIICXAIBAAKBgQDdivw4Vgw/HY1R3KQ+01D+NwrsZwMdvipNHjf640buvhUB85Y5 MdjEoDkh4SikTV7tUIkyBeoq78LwjaPu2DUNyoZHNzuhWnEY6kpXhqWbJn+zX5/Y cuTI/rRSPzn67X4jNPoFIghxg9nfl/n60GqJKpJ9a2+ig5osC1m2+9sigwIDAQAB AoGBALMzIA8lsyQ+cDg+Q/C5l3L57PEJ5iBh2O+mONvMiWzF/lIkyWecJV3uyCfa a7hzCQzmrwLye9adN87Ck064PjhXQsoGuXQwOW8EcCQam+fyHQNjwztNw0Zwfr2V al7IOTLzhWM+JQyt9K30dz2P2MpdUXDzyTw3z7QqMEGPSp25AkEA8UdqGm6h1ok6 ETECGDqPkV3y7Ah/ccUnLsJQjJVTo4+xK5V3yM33rr9rwHniAqkhZtLgHxKB73Ze HAlkba6hLwJBAOsPTzCc09ALZcze5d+dPfDzCV+SO7Xn/ADXCQXf2n/b6j8Dsb0d KKTli1v2ydsT1+XX7tQO5PjHzcB392vQNu0CQEsfVhzWt1LptQenP6S1jv/OxZTR 7IRKwzFe1N+AmuMBGUOdrQb7ghOJjA4IpOL5L+oo3BkwlP4u14xZLEiuJ4cCQHri DP8X7W9klfqNSFUnadtN4seQtiB5v3dc8z2b8ilHeWUp9EAuPzI9QiZ4lLwv2n0w 7ozzoGYiZgDJdpJpTl0CQH9SONpdnf6EQ3FUEWohWF+6aPVvB7fPpkSdeCI6C0FS kSErVVG1AKLnteKzvSXBQiETqYk4k2tQZ8kz59tBef4= -----END RSA PRIVATE KEY----- #創建CA所需文件及CA序列 [root@mail CA]# touch index.txt [root@mail CA]# echo 01 > serial #創建dovecot ssl所需目錄 [root@mail dovecot]# mkdir ssl #創建dovecot的key [root@mail ssl]# (umask 077;openssl genrsa 1024 > dovecot.key) Generating RSA private key, 1024 bit long modulus .++++++ .......++++++ e is 65537 (0x10001) #導出dovecot key的簽署文件 [root@mail ssl]# openssl req -new -key dovecot.key -out dovecot.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:ShangHai Locality Name (eg, city) [Default City]:ShangHai Organization Name (eg, company) [Default Company Ltd]:ogilvy Organizational Unit Name (eg, section) []:Tech Common Name (eg, your name or your server's hostname) []:mail.btsbox.com Email Address []:[email protected] Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: #到CA服務器中籤署公鑰證書 [root@mail ssl]# openssl ca -in dovecot.csr -out dovecot.crt -days 3657 Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Jul 2 02:28:38 2015 GMT Not After : Jul 6 02:28:38 2025 GMT Subject: countryName = CN stateOrProvinceName = ShangHai organizationName = ogilvy organizationalUnitName = Tech commonName = mail.btsbox.com emailAddress = [email protected] X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 95:B8:9F:C9:55:0B:D5:F5:77:62:F4:23:26:90:D7:48:EE:04:9B:4D X509v3 Authority Key Identifier: keyid:61:13:E2:C0:BE:54:40:A6:9E:26:F8:E3:6E:2D:61:00:1E:08:9A:FB Certificate is to be certified until Jul 6 02:28:38 2025 GMT (3657 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated #證書文件,注意修改權限 [root@mail ssl]# ls -l total 12 -rw-r--r--. 1 root root 3872 Jul 2 10:28 dovecot.crt -rw-r--r--. 1 root root 708 Jul 2 10:26 dovecot.csr -rw-------. 1 root root 887 Jul 2 10:25 dovecot.key #在dovecot的認證文件中配置ssl設置 [root@mail conf.d]# cat 10-ssl.conf ## ## SSL settings ## # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt> #ssl = yes ssl = yes #啓用ssl認證 # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before # dropping root privileges, so keep the key file unreadable by anyone but # root. Included doc/mkcert.sh can be used to easily generate self-signed # certificate, just make sure to update the domains in dovecot-openssl.cnf #ssl_cert = </etc/pki/dovecot/certs/dovecot.pem #ssl_key = </etc/pki/dovecot/private/dovecot.pem ssl_cert = </etc/dovecot/ssl/dovecot.crt #dovecot的公鑰文件位置 ssl_key = </etc/dovecot/ssl/dovecot.key #dovecot的私鑰文件位置 # If key file is password protected, give the password here. Alternatively # give it when starting dovecot with -p parameter. Since this file is often # world-readable, you may want to place this setting instead to a different # root owned 0600 file by using ssl_key_password = <path. #ssl_key_password = #dovecot key的密碼設置 # PEM encoded trusted certificate authority. Set this only if you intend to use # ssl_verify_client_cert=yes. The file should contain the CA certificate(s) # followed by the matching CRL(s). (e.g. ssl_ca = </etc/pki/dovecot/certs/ca.pem) #ssl_ca = # Request client to send a certificate. If you also want to require it, set # auth_ssl_require_client_cert=yes in auth section. #ssl_verify_client_cert = no # Which field from certificate to use for username. commonName and # x500UniqueIdentifier are the usual choices. You'll also need to set # auth_ssl_username_from_cert=yes. #ssl_cert_username_field = commonName # How often to regenerate the SSL parameters file. Generation is quite CPU # intensive operation. The value is in hours, 0 disables regeneration # entirely. #ssl_parameters_regenerate = 168 # SSL protocols to use #ssl_protocols = !SSLv2 !SSLv3 # SSL ciphers to use #ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL #監聽系統端口 [root@mail conf.d]# netstat -tunlp Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 15696/dovecot tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 15696/dovecot tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 12452/mysqld tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 15696/dovecot tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 15696/dovecot tcp 0 0 10.189.9.204:53 0.0.0.0:* LISTEN 15093/named tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1116/sshd tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 15093/named tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 14053/master tcp 0 0 :::993 :::* LISTEN 15696/dovecot tcp 0 0 :::995 :::* LISTEN 15696/dovecot tcp 0 0 :::110 :::* LISTEN 15696/dovecot tcp 0 0 :::143 :::* LISTEN 15696/dovecot tcp 0 0 :::80 :::* LISTEN 13190/httpd tcp 0 0 :::22 :::* LISTEN 1116/sshd udp 0 0 10.189.9.204:53 0.0.0.0:* 15093/named #使用openssl s_client工具驗證pop3s的工作狀態 [root@mail conf.d]# openssl s_client -connect mail.btsbox.com:995 CONNECTED(00000003) depth=0 C = CN, ST = ShangHai, O = ogilvy, OU = Tech, CN = mail.btsbox.com, emailAddress = [email protected] verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 C = CN, ST = ShangHai, O = ogilvy, OU = Tech, CN = mail.btsbox.com, emailAddress = [email protected] verify error:num=27:certificate not trusted verify return:1 depth=0 C = CN, ST = ShangHai, O = ogilvy, OU = Tech, CN = mail.btsbox.com, emailAddress = [email protected] verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:/C=CN/ST=ShangHai/O=ogilvy/OU=Tech/CN=mail.btsbox.com/[email protected] i:/C=CN/ST=ShangHai/L=ShangHai/O=ogilvy/OU=Tech/CN=ca.btsbox.com/[email protected] --- Server certificate -----BEGIN CERTIFICATE----- MIIDfDCCAmSgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBjDELMAkGA1UEBhMCQ04x ETAPBgNVBAgMCFNoYW5nSGFpMREwDwYDVQQHDAhTaGFuZ0hhaTEPMA0GA1UECgwG b2dpbHZ5MQ0wCwYDVQQLDARUZWNoMRYwFAYDVQQDDA1jYS5idHNib3guY29tMR8w HQYJKoZIhvcNAQkBFhBhZG1pbkBidHNib3guY29tMB4XDTE1MDcwMjAyMjgzOFoX DTI1MDcwNjAyMjgzOFowfTELMAkGA1UEBhMCQ04xETAPBgNVBAgMCFNoYW5nSGFp MQ8wDQYDVQQKDAZvZ2lsdnkxDTALBgNVBAsMBFRlY2gxGDAWBgNVBAMMD21haWwu YnRzYm94LmNvbTEhMB8GCSqGSIb3DQEJARYScG9zdGZpeEBidHNib3guY29tMIGf MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwp4HeOf9oGDCkIj83XX8bjnkpJFWe v1V29fLEKotEeLCV24WdwzIhoLtuNRDTXvu6ThypYGR3ij7jwNR7LyYfdE7fMlSN L+KGY0pAeOV3Fszf1+1+Ako0DAtNdu7JQtTwnvFXTK+yRBwHE2s5tEgt1ER4L6C+ sEc70/gg84mWKwIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1P cGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUlbifyVUL1fV3 YvQjJpDXSO4Em00wHwYDVR0jBBgwFoAUYRPiwL5UQKaeJvjjbi1hAB4ImvswDQYJ KoZIhvcNAQEFBQADggEBAIadsaPCqzHyEpelrNKuEd9l3MoSqq0dzLYtB1SlUeD2 ETT8DWahW991fqRrDBIQtRgz+VWuTSOMK4QrBpkofvtEUTMuhAoH52osK7rQv7Rq 2RV8nnLL8isedWdUwE6k+X46yO1Tkkc2pVLAWv4taMOggnQy25ivPSz/FZDJ1+uY X4fAHJrjYALjMfg8eZJKxMnDYuYe2ElzI55ATkFAKquunUSmof9xOiQBdJTM+fz7 Sg2Po/reIcvw+okc7RNzhLeChJpFMQTwolGyZWfkP9tVyonHFaFpXkqF0BS/QBrc C647rDdRpVj1svNvt49meg0KogBfdaPjffTJa5tTiQU= -----END CERTIFICATE----- subject=/C=CN/ST=ShangHai/O=ogilvy/OU=Tech/CN=mail.btsbox.com/[email protected] issuer=/C=CN/ST=ShangHai/L=ShangHai/O=ogilvy/OU=Tech/CN=ca.btsbox.com/[email protected] --- No client certificate CA names sent Server Temp Key: DH, 1024 bits --- SSL handshake has read 1613 bytes and written 439 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384 Server public key is 1024 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher : DHE-RSA-AES256-GCM-SHA384 Session-ID: AF9DFEF321090081700CCB0CBA90F818DA05071796CA227B64BE583C61CB33E2 Session-ID-ctx: Master-Key: A6859690FFB09B01623A28DF6C6E5DB874E24454D86BF72736D769EE9EF82D336294521B9C55329DFE72B5A7CB137633 Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: 0000 - b8 da 5e db ba 09 d6 68-c3 71 68 95 29 2a d7 44 ..^....h.qh.)*.D 0010 - 07 ee 28 f9 e8 d1 4f 9c-0d ae 6e 99 9f 4f c5 f6 ..(...O...n..O.. 0020 - dd b1 95 7e 72 36 69 f6-b2 f8 1c 5b 14 e5 74 bc ...~r6i....[..t. 0030 - 34 3e 48 53 59 c1 9e 8c-b5 d8 cb 21 ae 13 64 4b 4>HSY......!..dK 0040 - 82 3a 19 da e7 73 a7 f7-01 24 87 14 f9 f1 4d e8 .:...s...$....M. 0050 - 8f e4 c1 49 4a c1 f5 c0-9e 2e 38 5b e3 ba e2 ec ...IJ.....8[.... 0060 - 62 de 2f 1e bb 80 34 87-55 26 0e b9 66 35 d5 77 b./...4.U&..f5.w 0070 - b5 0c d5 1f 10 c5 b0 eb-07 bd d4 9e 5c 39 65 a5 ............\9e. 0080 - b7 ec 81 0b 57 d8 69 7d-fc b3 88 f3 41 de 7c 46 ....W.i}....A.|F 0090 - 38 7d 00 9b 5f d4 e3 5d-ae 7a 5e 81 48 5f 9d 8}.._..].z^.H_. 00a0 - <SPACES/NULS> Start Time: 1435806118 Timeout : 300 (sec) Verify return code: 21 (unable to verify the first certificate) --- +OK Dovecot ready. user hadoop +OK pass hadoop -ERR Authentication failed. user [email protected] +OK pass hadoop +OK Logged in. list +OK 0 messages: . quit +OK Logging out.
對Https pop3s imaps等基於SSL會話,需要遠程測試的時候,需使用:
openssl s_client -connect SERVER:PORT -CAfile /path/to/ca_cert
協議報文分析器:
sniffer:商業工具
tcpdump,wireshark(GUI),tshark(CLI)
Tcpdump工具的使用:
語法:
tcpdump [options] [protocol][direction][Host(s)][Value][logical operations][Other exp ression] tcpdump ip src host 172.16.100.1 tcpdump src or dst port 21 tcpdump udp dst port 53 tcpdump src or dst port 21 AND src host 172.16.100.1
protocol(協議)
values(取值):ether,fddi,ip,arp,rarp,decnet,lat,sca,moprc,mopdl,tcp and udp
if no protocol is specified,all the protocols are used.
ether:以太網偵
fddi:分佈式光纖通道
Direction(流向)
values(取值):src,dst,src and dst,src or dst
if no source or destination is specified,the "src or dst" keywords are applied(默認是src or dst)
for example: "host 10.2.2.2" is equivalent to "src or dst host 10.2.2.2"
Host主機:
values(替代關鍵字):net,port,host,portrange
if no host(s) is specified the "host" keyword is used. 默認如果此段沒有指定關鍵字,即host.
for example,"src 10.1.1.1" is equivalent to "src host 10.1.1.1".
logical operations:
(1)AND
and or &&
(2)OR
or or ||
(3)EXCEPT
net or !
常用選項:
-i any : Listen on all interfaces just to see if you're seeing any traffic.
-n : Don't resolve hostnames.不反解主機名
-nn : Don't resolve hostnames or port names.
-X : Show the packet's contents in both hex and ASCII.顯示報文以16進制和ascii格式
-XX : Same as -X, but also shows the ethernet header.
-v, -vv, -vvv : Increase the amount of packet information you get back.
-c # : Only get x number of packets and then stop.
-s : Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
-S : Print absolute sequence numbers.
-e : Get the ethernet header as well.
-q : Show less protocol information.
-E : Decrypt IPSEC traffic by providing an encryption key.
-A :Display Captured Packets in ASCII
-w /path/to/some_file : Capture the packets and write into a file
-r /path/from/some_file : Reading the packets from a saved file
-tttt : Capture packets with proper readable timestamp
反垃圾郵件組件:
內容過濾器:
Apache:Spamassassin(perl開發,垃圾郵件分揀器,利用、特徵碼庫分析)
實時過慮表(realtime black list)
實時黑名單
病毒郵件網關:
clamav:開源殺毒軟件
病毒郵件服務器網關
郵件服務器的呼叫器:
反垃圾組件與郵件系統的連接器
MIMEDefang
Mailscanner
Amavisd-new(基於smtp模式開發,一般都基於此插件過濾郵件,也基於perl開發)
Postfix+maildrop-2.8.3的實現:
#輸入courier-authlib的庫文件和頭文件,courier-maildorp依賴於authlib
[root@mail ~]# cat /etc/ld.so.conf.d/courier-authlib.conf
/usr/local/courier-authlib/lib/courier-authlib/
[root@mail ld.so.conf.d]# ldconfig -v
#輸入courier-authlib的頭文件,需要直接將頭文件單個連接到/usr/include目錄中
[root@mail ld.so.conf.d]# ln -sv /usr/local/courier-authlib/include/* /usr/include/
#創建maildrop運行時所需要的用戶和組,GID,UID一般爲1001
[root@mail ~]# groupadd -g 1001 vmail
[root@mail ~]# useradd -g 1001 -u 1001 -M -s /sbin/nologin vmail
#安裝courier-authlib所需的依賴軟件pcre--devel包
[root@mail ~]# yum install pcre-devel -y
#安裝Maildrop軟件
[root@mail ~]# tar xf maildrop-2.8.3.tar.bz2
[root@mail ~]# cd maildrop-2.8.3
# ./configure \
--enable-sendmail=/usr/sbin/sendmail \
--enable-trusted-users='root vmail' \
--enable-syslog=1 --enable-maildirquota \
--enable-maildrop-uid=1001 \
--enable-maildrop-gid=1001 \
--with-trashquota --with-dirsync
--enable-sendmail=/usr/sbin/sendmail:開啓客戶端支持sendmail
--enable-trusted-users='root vmail':信任傳送郵件的用戶root,vmail
--enable-syslog=1:使用syslog記錄日誌
--enable-maildirquota:開啓maildrop磁盤配額
--enable-maildrop-uid=1001:指定maildrop運行的用戶
--enable-maildrop-gid=1001:指定maildrop運行的組
--with-dirsync:支持目錄自動同步
--with-trashquota:回收站配額
# make
# make install
注:maildrop安裝的時候沒有指定安裝路徑,默認路徑爲/usr/local/bin/maildrop,即在postfix中的master.cf中調用maildrop,已經指定的路徑
[root@mail maildrop-2.8.3]# maildrop -v
maildrop 2.8.3 Copyright 1998-2015 Double Precision, Inc.
GDBM/DB extensions enabled.
Courier Authentication Library extension enabled.
Maildir quota extension are now always enabled.
This program is distributed under the terms of the GNU General Public
License. See COPYING for additional information.
#添加maildrop的配置文件
[root@mail maildrop-2.8.3]# cat /etc/maildroprc
logfile "/var/log/maildrop.log"
#準備maildrop的日誌文件
[root@mail maildrop-2.8.3]# touch /var/log/maildrop.log
[root@mail maildrop-2.8.3]# chown -R vmail.vmail /var/log/maildrop.log
#啓用postfix對maildrop的連接
[root@mail courier-unicode-1.3]# vim /etc/postfix/master.cf
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}#參數行必須以空格開始
# vi /etc/postfix/main.cf
virtual_transport = virtual
修改爲:
virtual_transport = maildrop
將下面兩項指定的UID和GID作相應的修改:
virtual_uid_maps = static:2525
virtual_gid_maps = static:2525
修改爲:
virtual_uid_maps = static:1001
virtual_gid_maps = static:1001
#修改courier-authlib對sql的連接用戶
# vi /etc/authmysqrc
MYSQL_UID_FIELD '2525'
MYSQL_GID_FIELD '2525'
更改爲:
MYSQL_UID_FIELD '1001'
MYSQL_GID_FIELD '1001'
#修改httpd的運行用戶和組身份:
[root@mail maildrop-2.8.3]# cat /etc/httpd/conf/httpd.conf | grep vmail
User vmail
Group vmail
#修改用戶郵箱存放位置及extman的運行臨時目錄權限
[root@mail maildrop-2.8.3]# chown -R vmail.vmail /var/mailbox/
[root@mail maildrop-2.8.3]# chown -R vmail.vmail /tmp/extman/
#修改extman的運行身份
[root@mail maildrop-2.8.3]# cat /var/www/extsuite/extman/webman.cf | grep 1001
SYS_DEFAULT_UID = 1001
SYS_DEFAULT_GID = 1001
#重啓apache、postfix、courier-authlib服務,由於maildrop是postfix的master.cf調用,故不需要單獨啓動,是由master.cf需要使用的時候