SendMail Installation Notes

A fresh FreeBSD installation ships with the base-system Sendmail. It is a minimal mail system without authentication or other advanced features, so here we install a mail server with SASL authentication.

Note: in the original document, commands are shown in blue and annotations in red.

I. Installing Sendmail with SASL authentication

1. Disable the installed Sendmail

    vi /etc/rc.conf

Add:

    sendmail_enable="NONE"

Reboot and check that port 25 is closed.

2. Choose the Sendmail port to install

    cd /usr/ports
    make search name=sendmail

I chose the one with authentication:

    Port:   sendmail+tls+sasl2-8.13.8
    Path:   /usr/ports/mail/sendmail-sasl
    Info:   Reliable, highly configurable mail transfer agent with utilities
    Maint:  dinoexFreeBSD.org
    B-deps: cyrus-sasl-2.1.22
    R-deps: cyrus-sasl-2.1.22 cyrus-sasl-saslauthd-2.1.22
    WWW:    /

It depends on cyrus-sasl and cyrus-sasl-saslauthd; installing sendmail+tls+sasl2 automatically installs both dependencies.

    cd /usr/ports/mail/sendmail-sasl
    sendmail 16:29 /usr/ports/mail/sendmail-sasl -root- make config
    ===> No options to configure
    sendmail 16:30 /usr/ports/mail/sendmail-sasl -root- make install clean

By default the sources are downloaded from the official FreeBSD site, which can be slow. The download locations can be changed in /etc/make.conf, as follows:

    MASTER_SITE_BACKUP?= \
        ftp:/ \
        ftp:/ftp.freebsd/pub/FreeBSD/ports/distfiles/${DIST_SUBDIR}/ \
        ftp:/ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/${DIST_SUBDIR}/ \
        ftp:/./pub/FreeBSD/ports/distfiles/${DIST_SUBDIR}/ \
        .tw/pub/FreeBSD/ports/distfiles/${DIST_SUBDIR}/ \
        .tw/pub/distfiles/${DIST_SUBDIR}/
    MASTER_SITE_OVERRIDE?=${MASTER_SITE_BACKUP}

make.conf is only generated after perl has been installed; if it does not exist, create it yourself and add the lines above.

Important messages printed when the installation finishes:

    To activate sendmail as your default mailer, call the target mailer.conf:
    $ cd /usr/ports/mail/sendmail && make mailer.conf

    Your /etc/mail/mailer.conf should look like this:
    #
    # Execute the real sendmail program, named /usr/libexec/sendmail/sendmail
    #
    sendmail        /usr/local/sbin/sendmail
    send-mail       /usr/local/sbin/sendmail
    mailq           /usr/local/sbin/sendmail
    newaliases      /usr/local/sbin/sendmail
    hoststat        /usr/local/sbin/sendmail
    purgestat       /usr/local/sbin/sendmail

    You may also need to update /etc/rc.conf.

    ===> Compressing manual pages for sendmail+tls+sasl2-8.14.2_1
    ===> Registering installation for sendmail+tls+sasl2-8.14.2_1
    ===> SECURITY REPORT:
          This port has installed the following binaries which execute with
          increased privileges.
    /usr/local/sbin/sendmail

          This port has installed the following files which may act as network
          servers and may therefore pose a remote security risk to the system.
    /usr/local/sbin/sendmail                    (location of the sendmail command)

          This port has installed the following startup scripts which may cause
          these network services to be started at boot time.
    /usr/local/etc/rc.d/sm-client.sh.sample
    /usr/local/etc/rc.d/sendmail.sh.sample      (the startup script)

Generate /etc/mail/mailer.conf:

    sendmail 16:40 /usr/ports/mail/sendmail -root- make mailer.conf
    /bin/mv /etc/mail/mailer.conf.new /etc/mail/mailer.conf

    sendmail 10:30 /usr/ports/mail/sendmail-sasl -root- make mailer.conf
    /bin/mv /etc/mail/mailer.conf.new /etc/mail/mailer.conf

The startup scripts of the newly installed sendmail are /usr/local/etc/rc.d/sendmail.sh.sample and /usr/local/etc/rc.d/sm-client.sh.sample. To have sendmail start automatically at boot, rename them:

    Sendmail 17:05 /usr/local/etc/rc.d root- mv sendmail.sh.sample sendmail.sh
    Sendmail 17:05 /usr/local/etc/rc.d root- mv sm-client.sh.sample sm-client.sh

Once the new mailer.conf has been generated, invoking sendmail runs the newly installed sendmail.

3. Verify that SASL is enabled

    sendmail 10:31 /root -root- sendmail -bv -d0.1
    Version 8.14.2
     Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
                    NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING
                    SASLv2 SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG

The "SASLv2" entry above shows that this sendmail was built with SASL authentication enabled.

To start saslauthd automatically at boot, edit /etc/rc.conf and add:

    saslauthd_enable="YES"

Reboot, then check that saslauthd is running:

    sendmail 17:22 /root -root- ps -ax | grep sasl
      548  ?  Is  0:00.01 /usr/local/sbin/saslauthd -a pam
      550  ?  I   0:00.00 /usr/local/sbin/saslauthd -a pam
      551  ?  I   0:00.00 /usr/local/sbin/saslauthd -a pam
      552  ?  I   0:00.00 /usr/local/sbin/saslauthd -a pam
      553  ?  I   0:00.00 /usr/local/sbin/saslauthd -a pam

The default authentication mechanisms are AUTH GSSAPI DIGEST-MD5 CRAM-MD5, for example:

    sendmail 17:22 /root -root- telnet 0 25
    Trying .
    Connected to 0.
    Escape character is .
    220 ESMTP Sendmail 8.14.2/8.13.8; Tue, 15 Apr 2008 17:23:15 +0800 (CST)
    ehlo aa
    250- Hello , pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-8BITMIME
    250-SIZE
    250-DSN
    250-ETRN
    250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
    250-DELIVERBY
    250 HELP
    auth login
    504 5.3.3 AUTH mechanism login not available

This corresponds to line 543 of /etc/mail/sendmail.cf:

    #O AuthMechanisms=EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5

To change the authentication mechanisms, add the following two lines below it (lines 544 and 545):

    C{TrustAuthMech}LOGIN PLAIN
    O AuthMechanisms=LOGIN PLAIN

Save the file and restart sendmail:

    /usr/local/etc/rc.d/sendmail.sh stop
    /usr/local/etc/rc.d/sendmail.sh start

Test SASL authentication:

    sendmail 17:23 /root -root- telnet 0 25
    Trying .
    Connected to 0.
    Escape character is .
    220 ESMTP Sendmail 8.14.2/8.13.8; Tue, 15 Apr 2008 17:29:21 +0800 (CST)
    ehlo aa
    250- Hello , pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-8BITMIME
    250-SIZE
    250-DSN
    250-ETRN
    250-AUTH LOGIN PLAIN
    250-DELIVERBY
    250 HELP
    auth login
    334 VXNlcm5hbWU6
    YWRt
    334 UGFzc3dvcmQ6
    YXJib3JhYmM=
    235 2.0.0 OK Authenticated
    quit
    221 2.0.0 closing connection
    Connection closed by foreign host.

The SASL exchange uses base64 encoding (the two 334 prompts decode to "Username:" and "Password:"), and the test shows that SASL authentication succeeds. Base64 is an encoding, not encryption, so on a connection without TLS the LOGIN and PLAIN credentials are readable on the wire.

The file that defines how passwords are checked is Sendmail.conf under /usr/local/lib/sasl2. Its content is:

    pwcheck_method: saslauthd

For base64 encoding, please refer to:

That completes the SMTP part. The next part covers POP3, for which two programs are introduced: popa3d and dovecot.

II. Installing popa3d, an unencrypted mail-retrieval server

popa3d is a very simple, unencrypted POP3 server that can be run from xinetd.

1. Install popa3d

    sendmail 17:34 /usr/local/lib/sasl2 -root- cd /usr/ports
    sendmail 17:34 /usr/ports -root- make search name=popa
    Port:   popa3d-1.0.2_1
    Path:   /usr/ports/mail/popa3d
    Info:   Secure, performance, tiny POP3 daemon
    Maint:  dinoexFreeBSD.org
    B-deps:
    R-deps:
    WWW:
    sendmail 17:34 /usr/ports -root- cd /usr/ports/mail/popa3d
    sendmail 17:34 /usr/ports/mail/popa3d -root- make config

Select the STANDALONE_POP3 mode.

    sendmail 17:34 /usr/ports/mail/popa3d -root- make install clean

Important messages printed when the installation finishes:

          This port has installed the following files which may act as network
          servers and may therefore pose a remote security risk to the system.
    /usr/local/libexec/popa3d

          This port has installed the following startup scripts which may cause
          these network services to be started at boot time.
    /usr/local/etc/rc.d/popa3d.sh

popa3d can be enabled in two ways.

Starting popa3d from inetd

Edit /etc/inetd.conf, find the pop3 entry and add the second line below:

    #pop3   stream  tcp     nowait  root    /usr/local/libexec/popper       popper
    pop3    stream  tcp     nowait  root    /usr/local/libexec/popa3d       popa3d

Save, quit and restart inetd:

    sendmail 17:38 /usr/ports/mail/popa3d -root- inetd -wW -C 30
    sendmail 17:39 /usr/ports/mail/popa3d -root- kill -1 `cat /var/run/inetd.pid`
    sendmail 17:39 /usr/ports/mail/popa3d -root- sockstat -4
    USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
    root     inetd      1202  5  tcp4   *:110                 *:*

Note that POP3 is now started by inetd rather than by popa3d itself, so for popa3d to come up automatically at boot, inetd_enable="YES" must be added to /etc/rc.conf.

Test port 110:

    sendmail 17:39 /usr/ports/mail/popa3d -root- telnet 0 110
    Trying .
    Connected to 0.
    Escape character is .
    +OK
    user adm
    +OK
    pass arborabc
    +OK
    list
    +OK
    .
    quit
    +OK
    Connection closed by foreign host.

Starting popa3d as a standalone daemon

After installation, popa3d places a startup script, popa3d.sh, in /usr/local/etc/rc.d. Adding popa3d_enable="YES" to /etc/rc.conf makes it start automatically at boot. When popa3d runs as a standalone daemon, do not forget to comment out the popa3d line in inetd.conf.

Test after starting popa3d as a daemon:

    USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
    root     popa3d     608   3  tcp4   *:110                 *:*

Port 110 is now opened by popa3d rather than by inetd.

    sendmail 18:12 /root -root- telnet 0 110
    Trying .
    Connected to 0.
    Escape character is .
    +OK
    user adm
    +OK
    pass arborabc
    +OK
    list
    +OK
    .
    quit
    +OK
    Connection closed by foreign host.

A mail system based on sendmail + SASL + popa3d is now fully built. Next, let's try the sendmail + SASL + dovecot configuration.

III. Installing and configuring Dovecot

1. Install Dovecot

    sendmail 18:20 /root -root- cd /usr/ports
    sendmail 18:20 /usr/ports -root- make search name=dovecot
    Port:   dovecot-1.0.r7_2
    Path:   /usr/ports/mail/dovecot
    Info:   Secure and compact IMAP and POP3 servers
    Maint:  robin
    B-deps: libiconv-1.9.2_2
    R-deps: libiconv-1.9.2_2
    WWW:    /

Dovecot supports two authentication modes, encrypted and unencrypted.

    sendmail 18:20 /usr/ports -root- cd /usr/ports/mail/dovecot
    sendmail 18:20 /usr/ports/mail/dovecot -root- make config

Select only the two options POP3 and SSL.

After installation a file named dovecot-example.conf is created under /usr/local/etc/. Copy it to dovecot.conf to use it as the Dovecot configuration file:

    sendmail 18:31 /usr/local/etc -root- cp dovecot-example.conf dovecot.conf

Add dovecot_enable="YES" to /etc/rc.conf.

Configuration for use as a simple (unencrypted) POP3 server:

    # IP or host address where to listen in for connections. It's not currently
    # possible to specify multiple addresses. "*" listens in all IPv4 interfaces.
    # "[::]" listens in all IPv6 interfaces, but may also listen in all IPv4
    # interfaces depending on the operating system.
    #
    # If you want to specify ports for each service, you will need to configure
    # these settings inside the protocol imap/pop3 { ... } section, so you can
    # specify different ports for IMAP/POP3. For example:
    #   protocol imap {
    #     listen = *:10143
    #     ssl_listen = *:10943
    #     ..
    #   }
    #   protocol pop3 {
    #     listen = *:10100
    #     ..
    #   }
    listen = *

Use a single, common port.

    # Disable LOGIN command and all other plaintext authentications unless
    # SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
    # matches the local IP (ie. you're connecting from the same computer), the
    # connection is considered secure and plaintext authentication is allowed.
    disable_plaintext_auth = no

This allows plaintext authentication. To keep things simple SSL is not configured here, so plaintext authentication has to be allowed.

    # Log file to use for error messages, instead of sending them to syslog.
    # /dev/stderr can be used to log into stderr.
    log_path = /var/log/dovecot

Write the Dovecot log somewhere you can read it. This matters, because your configuration will not work on the first try.

    # Disable SSL/TLS support.
    ssl_disable = yes

Disables SSL.

    # Greeting message for clients.
    login_greeting = Welcome to Forrest Dovecot.

The greeting shown at login.

    # Location for users' mailboxes. This is the same as the old default_mail_env
    # setting. The default is empty, which means that Dovecot tries to find the
    # mailboxes automatically. This won't work if the user doesn't have any mail
    # yet, so you should explicitly tell Dovecot the full location.
    #
    # If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u)
    # isn't enough. You'll also need to tell Dovecot where the other mailboxes are
    # kept. This is called the "root mail directory", and it must be the first
    # path given in the mail_location setting.
    #
    # There are a few special variables you can use, eg.:
    #
    #   %u - username
    #   %n - user part in user@domain, same as %u if there's no domain
    #   %d - domain part in user@domain, empty if there's no domain
    #   %h - home directory
    #
    # See doc/wiki/Variables.txt for full list. Some examples:
    #
    #   mail_location = maildir:~/Maildir
    #   mail_location = mbox:~/mail:INBOX=/var/mail/%u
    #   mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
    #
    #
    #mail_location = mbox:~/mail:INBOX=/var/mail/%u

Where the users' mail is stored.

    # More verbose logging. Useful for figuring out why authentication isn't
    # working.
    auth_verbose = yes

    # Even more verbose logging for debugging purposes. Shows for example SQL
    # queries.
    auth_debug = yes

    # System users (NSS, /etc/passwd, or similiar)
    # In many systems nowadays this uses Name Service Switch, which is
    # configured in /etc/nsswitch.conf.
    passdb passwd {
      # blocking=yes - See userdb passwd for explanation
      #args =
    }

    # Shadow passwords for system users (NSS, /etc/shadow or similiar).
    # Deprecated by PAM nowadays.
    #
    #passdb shadow {
      # blocking=yes - See userdb passwd for explanation
      #args =
    #}

Everything else can be left as it is.

Start Dovecot:

    sendmail 18:35 /usr/local/etc -root- /usr/local/etc/rc.d/dovecot start

Test Dovecot:

    sendmail 18:35 /usr/local/etc -root- sockstat -4
    USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
    root     dovecot    30854 5  tcp4   *:110                 *:*

Dovecot has started normally.

    sendmail 18:37 /usr/local/etc -root- telnet 0 110
    Trying .
    Connected to 0.
    Escape character is .
    +OK Dovecot ready.
    user adm
    +OK
    pass arborabc
    +OK Logged in.
    list
    +OK 0 messages:
    .
    quit
    +OK Logging out.
    Connection closed by foreign host.

Dovecot works normally.

For encrypted use, edit the configuration file /usr/local/etc/dovecot.conf. The differences from the unencrypted configuration are:

    protocols = imap imaps pop3 pop3s

Enables imaps and pop3s.

    ## SSL settings
    #
    # IP or host address where to listen in for SSL connections. Defaults
    # to above if not specified.
    #ssl_listen =

    # Disable SSL/TLS support.
    ssl_disable = no

Enables SSL.

    # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
    # dropping root privileges, so keep the key file unreadable by anyone but
    # root. Included doc/mkcert.sh can be used to easily generate self-signed
    # certificate, just make sure to update the domains in dovecot-f
    #ssl_cert_file = /etc/ssl/certs/dovecot.pem
    ssl_cert_file = /etc/ssl/certs/dovecot-pub.pem

Location of the SSL public key (the certificate).

    #ssl_key_file = /etc/ssl/private/dovecot.pem
    ssl_key_file = /etc/ssl/private/dovecot-private.pem

Location of the SSL private key.

    # If key file is password protected, give the password here. Alternatively
    # give it when starting dovecot with -p parameter.
    ssl_key_password = arborabc

The password that protects the encrypted key.

Everything else is the same as in the unencrypted configuration.

Generate the key files with openssl. The general form is:

    openssl req -new -x509 -keyout cakey.pem -out cacert.pem -days 3650

Here cakey.pem is the private key, cacert.pem is the public key, and 3650 is the number of days the certificate is valid.

    sendmail 18:37 /usr/local/etc -root- openssl req -new -x509 -keyout private.pem -out pub.pem -days 3650
    Generating a 1024 bit RSA private key
    .+.+
    writing new private key to private.pem
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leav
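
For the telnet test of AUTH LOGIN against port 25 shown earlier, the following added example (not part of the original document) audits such a session: it reports cleartext mechanisms offered without TLS and decodes the base64 lines to show what an observer on the network sees. The transcript is the page's second session, abridged and given "S:"/"C:" direction tags; the function name audit is an assumption of this example.

```python
import base64
import re

# Abridged from the AUTH LOGIN session on this page; direction tags added.
SESSION = """\
S: 220 ESMTP Sendmail 8.14.2/8.13.8; Tue, 15 Apr 2008 17:29:21 +0800 (CST)
C: ehlo aa
S: 250-ENHANCEDSTATUSCODES
S: 250-AUTH LOGIN PLAIN
S: 250 HELP
C: auth login
S: 334 VXNlcm5hbWU6
C: YWRt
S: 334 UGFzc3dvcmQ6
C: YXJib3JhYmM=
S: 235 2.0.0 OK Authenticated
"""
CLEARTEXT_MECHS = {"LOGIN", "PLAIN"}  # base64-encoded only, no hashing


def audit(session):
    """Return (findings, decoded) for a direction-tagged SMTP transcript."""
    caps, mechs, decoded = set(), set(), []
    tls_active = awaiting_reply = False
    for line in session.splitlines():
        side, _, text = line.partition(": ")
        text = text.strip()
        if side == "S" and (m := re.match(r"250[- ](\S+)\s*(.*)", text)):
            caps.add(m.group(1).upper())
            if m.group(1).upper() == "AUTH":
                mechs.update(m.group(2).upper().split())
        elif side == "C" and text.upper() == "STARTTLS":
            tls_active = True  # assumes the server answered 220
        elif side == "S" and text.startswith("334 "):
            decoded.append(("S", base64.b64decode(text[4:]).decode()))
            awaiting_reply = True
        elif side == "C" and awaiting_reply:
            decoded.append(("C", base64.b64decode(text).decode()))
            awaiting_reply = False
    findings = []
    weak = sorted(mechs & CLEARTEXT_MECHS)
    if weak and not tls_active:
        findings.append("cleartext AUTH offered without TLS: " + " ".join(weak))
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not advertised")
    return findings, decoded


if __name__ == "__main__":
    print(audit(SESSION))
```
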
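
For the two dovecot.conf variants described above, this added example (not part of the original document and not Dovecot's own tooling) checks which combinations of settings leave POP3/IMAP logins in cleartext or keep a secret in the config file. The sample configs are constructed from the settings the page changes, with the key passphrase replaced by a placeholder; the defaults table and the function names are assumptions of this example.

```python
# Constructed from the active settings this page puts in dovecot.conf
# (Dovecot 1.0 syntax); the key passphrase is replaced by a placeholder.
PLAIN_CONF = """\
listen = *
disable_plaintext_auth = no   # plaintext authentication allowed
log_path = /var/log/dovecot
ssl_disable = yes
auth_debug = yes
"""
SSL_CONF = """\
protocols = imap imaps pop3 pop3s
disable_plaintext_auth = no
ssl_disable = no
ssl_key_file = /etc/ssl/private/dovecot-private.pem
ssl_key_password = PLACEHOLDER
"""
# Assumed Dovecot 1.0 defaults for settings left commented out.
DEFAULTS = {"disable_plaintext_auth": "yes", "ssl_disable": "no"}


def parse(conf):
    """Collect 'key = value' pairs, ignoring '#' comments (blocks flattened)."""
    settings = dict(DEFAULTS)
    for raw in conf.splitlines():
        key, sep, value = raw.split("#", 1)[0].partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def audit_dovecot(conf):
    """Return findings about cleartext logins and secrets in the config."""
    s, findings = parse(conf), []
    if s["disable_plaintext_auth"] == "no":
        clear = [p for p in s.get("protocols", "").split() if not p.endswith("s")]
        if s["ssl_disable"] == "yes":
            findings.append("plaintext logins allowed and TLS disabled")
        elif clear:
            findings.append("plaintext logins allowed without TLS on: " + " ".join(clear))
    if "ssl_key_password" in s:
        findings.append("key passphrase stored in dovecot.conf")
    if s.get("auth_debug") == "yes":
        findings.append("auth_debug left enabled")
    return findings


if __name__ == "__main__":
    for name, conf in (("plain", PLAIN_CONF), ("ssl", SSL_CONF)):
        print(name, audit_dovecot(conf))
```
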
