
Linux Sendmail Mail Server Authentication and SSL Configuration Example

火星人 @ 2014-03-09, reply: 0

1. SMTP Authentication / Cyrus-SASL Configuration

1.1 Install Cyrus-SASL

1.2 Configure Cyrus-SASL to support SMTP Authentication

1.2.1 Configure /etc/mail/sendmail.mc to support SMTP authentication:

Uncomment this:

TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
...
DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA,M=Ea')dnl

1.2.2 Create /usr/lib/sasl2/Sendmail.conf:

[root@host sasl2]# vi /usr/lib/sasl2/Sendmail.conf

pwcheck_method:saslauthd

1.3 Restart SASL and Check installation

Start SASL with pam:

[root@host sbin]# service saslauthd stop
Stopping saslauthd: [ OK ]
[root@host sbin]# saslauthd -a shadow pam

Test installation:

[root@host sasl2]# cat /usr/lib/sasl2/Sendmail.conf
pwcheck_method:saslauthd
[root@host sasl2]# service saslauthd restart
Stopping saslauthd: [ OK ]
Starting saslauthd: [ OK ]
[root@host sasl2]# telnet mail.host.com 25
Trying 10.56.233.59...
Connected to mail.host.com (192.168.1.5).
Escape character is '^]'.
220 host.com ESMTP Sendmail 8.13.8/8.13.8; Wed, 17 Mar 2010 23:12:20 0800
ehlo localhost
250-host.com Hello host [192.168.1.5], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-DELIVERBY
250 HELP
quit
221 2.0.0 host.com closing connection
Connection closed by foreign host.
[root@host sasl2]# sendmail -d0.1 -bv root | grep SASL
NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS
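The EHLO reply above shows the server offering AUTH LOGIN and PLAIN on port 25 with no STARTTLS line, so a password sent with either mechanism crosses the network base64-encoded but unencrypted. The following POSIX sh audit is an added example, not part of the original post: it checks a transcript for that condition and checks a sendmail.mc fragment for the confAUTH_OPTIONS "p" flag, which makes sendmail withhold PLAIN/LOGIN until a security layer (STARTTLS) is active. The transcripts and the sendmail.mc fragments are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post. Audits an EHLO transcript and
# a sendmail.mc fragment for cleartext-password exposure.

# Constructed sample modeled on the telnet session above: AUTH LOGIN PLAIN
# is advertised on port 25 while STARTTLS is not.
EHLO_CLEARTEXT='250-host.com Hello host [192.168.1.5], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-AUTH LOGIN PLAIN
250 HELP'

# Constructed sample of the same server once STARTTLS is configured.
EHLO_STARTTLS='250-host.com Hello host [192.168.1.5], pleased to meet you
250-STARTTLS
250-AUTH LOGIN PLAIN
250 HELP'

# Returns 0 (exposed) when PLAIN or LOGIN is offered and STARTTLS is not:
# the password would then cross the wire unencrypted (LOGIN and PLAIN are
# both only base64, not encryption).
cleartext_auth_exposed() {
    printf '%s\n' "$1" | grep -Eq '^250[- ]AUTH( [A-Z0-9-]+)* (PLAIN|LOGIN)' || return 1
    printf '%s\n' "$1" | grep -Eq '^250[- ]STARTTLS' && return 1
    return 0
}

# Returns 0 when the sendmail.mc text defines confAUTH_OPTIONS with the
# "p" flag, which makes sendmail withhold PLAIN/LOGIN until a security
# layer is in place (so they are never offered on a bare port 25 session).
plain_requires_tls() {
    printf '%s\n' "$1" | grep -Eq "confAUTH_OPTIONS'[[:space:]]*,[[:space:]]*\`[^']*p[^']*'"
}

# sendmail.mc fragment as in section 1.2.1 (constructed copy) ...
MC_WEAK="TRUST_AUTH_MECH(\`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(\`confAUTH_MECHANISMS', \`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl"

# ... and the same fragment with the hardening line added.
MC_HARDENED="$MC_WEAK
define(\`confAUTH_OPTIONS', \`A p')dnl"

audit() {
    cleartext_auth_exposed "$EHLO_CLEARTEXT" && echo "port 25: PLAIN/LOGIN offered without STARTTLS"
    plain_requires_tls "$MC_WEAK" || echo "sendmail.mc: add define(\`confAUTH_OPTIONS', \`A p')dnl"
}
audit
```

To audit a live server instead of the constructed sample, feed the output of a real EHLO exchange into cleartext_auth_exposed and the real /etc/mail/sendmail.mc into plain_requires_tls.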

2. Configuration for SSL

2.1 vi /etc/pki/dovecot/dovecot-openssl.cnf

[root@host mail]# vi /etc/pki/dovecot/dovecot-openssl.cnf

[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
# country (2 letter code)
#C=FI
# State or Province Name (full name)
#ST=
# Locality Name (eg. city)
#L=Helsinki
# Organization (eg. company)
#O=Dovecot
# Organizational Unit Name (eg. section)
OU=IMAP server
# Common Name (*.example.com is also possible)
CN=mail.host.com
# E-mail contact
emailAddress=bill@host.com

[ cert_type ]
nsCertType = server

2.2 Create new dovecot.pem

[root@host dovecot]# rm /etc/pki/dovecot/certs/dovecot.pem
[root@host dovecot]# rm /etc/pki/dovecot/private/dovecot.pem
[root@host dovecot]# cd /usr/share/doc/dovecot-1.0.7/examples
[root@host examples]# ./mkcert.sh
Generating a 1024 bit RSA private key
.....................................................
writing new private key to '/etc/pki/dovecot/private/dovecot.pem'
-----
subject= /OU=IMAP server/CN=imap.example.com/emailAddress=postmaster@example.com
SHA1 Fingerprint=5C:DB:2E:7B:A8:A0:4B:B9:43:88:C7:D9:26:AB:70:EF:FA:2C:2D:53

2.3 vi /etc/dovecot.conf

[root@host examples]# vi /etc/dovecot.conf

# Disable SSL/TLS support.
ssl_disable = no
ssl_cert_file = /etc/pki/dovecot/certs/dovecot.pem
ssl_key_file = /etc/pki/dovecot/private/dovecot.pem

2.4 Make sendmail.pem

[root@host mail]# cd /etc/pki/tls/certs
[root@host certs]# make sendmail.pem
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -utf8 -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
cat $PEM1 > sendmail.pem ; \
echo "" >> sendmail.pem ; \
cat $PEM2 >> sendmail.pem ; \
rm -f $PEM1 $PEM2
Generating a 1024 bit RSA private key
...................
writing new private key to '/tmp/openssl.xC2939'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:sichuan
Locality Name (eg, city) [Newbury]:chengdu
Organization Name (eg, company) [My Company Ltd]:nokia
Organizational Unit Name (eg, section) []:nbg
Common Name (eg, your name or your server's hostname) []:mail.host.com
Email Address []:bill@host.com
[root@host certs]# ls
ca-bundle.crt localhost.crt make-dummy-cert Makefile sendmail.pem

2.5 Configure /etc/mail/sendmail.mc

[root@host certs]# vi /etc/mail/sendmail.mc
...
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
...
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
...
[root@host certs]# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

2.6 Restart dovecot and sendmail

[root@host mail]# service dovecot restart
Stopping Dovecot Imap: [ OK ]
Starting Dovecot Imap: [ OK ]
[root@host mail]# service sendmail restart
Shutting down sm-client: [ OK ]
Shutting down sendmail: [ OK ]
Starting sendmail: [ OK ]
Starting sm-client: [ OK ]

2.7 Check installation

Sendmail SSL on port 465; POP3 SSL on 995; IMAP SSL on 993.

[root@host mail]# netstat -an |grep 465
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN
[root@host mail]# netstat -an |grep 995
tcp 0 0 :::995 :::* LISTEN
[root@host mail]# netstat -an |grep 993
tcp 0 0 :::993 :::* LISTEN
unix 3 [ ] STREAM CONNECTED 55559934 /tmp/orbit-root/linc-2466-0-5b1fb2745ff54
unix 3 [ ] STREAM CONNECTED 55559933
unix 3 [ ] STREAM CONNECTED 55559932 /tmp/orbit-root/linc-1846-0-c008ce5556ba
unix 3 [ ] STREAM CONNECTED 55559931
unix 3 [ ] STREAM CONNECTED 55556993
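The "make sendmail.pem" step in 2.4 writes the private key and the certificate into one file under umask 77, and 2.5 then points both confSERVER_CERT and confSERVER_KEY at it. The following POSIX sh check is an added example, not part of the original post: it verifies that file before (or after) the restart, confirming the 0600 mode and that both PEM blocks are present, since sendmail treats a group- or world-readable key file as unsafe and a file missing either block leaves the smtps listener without a usable identity. make_sample_pem builds a constructed placeholder file (marker lines only, no real key material) to exercise the checks.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the single file
# that holds both the private key and the certificate for sendmail.

# Octal permission bits of a file (GNU stat, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Returns 0 only when the file is mode 0600 (what "umask 77" in the
# Makefile yields) and contains both a private key and a certificate.
# A group- or world-readable key file is rejected by sendmail as unsafe,
# and a missing block leaves the smtps/STARTTLS listener without a usable
# identity.
check_sendmail_pem() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    [ "$(file_mode "$f")" = "600" ] || { echo "mode $(file_mode "$f") on $f, expected 600"; return 1; }
    grep -q 'BEGIN .*PRIVATE KEY' "$f" || { echo "no private key in $f"; return 1; }
    grep -q 'BEGIN CERTIFICATE' "$f" || { echo "no certificate in $f"; return 1; }
    # Extra detail when openssl is installed: subject and expiry of the cert.
    if command -v openssl >/dev/null 2>&1; then
        openssl x509 -in "$f" -noout -subject -enddate 2>/dev/null || true
    fi
    return 0
}

# Constructed stand-in for a freshly made sendmail.pem: PEM marker lines
# with placeholder bodies, no real key material. Prints its path.
make_sample_pem() {
    f=$(mktemp /tmp/sendmail.XXXXXX)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'placeholder' \
        '-----END RSA PRIVATE KEY-----' '' \
        '-----BEGIN CERTIFICATE-----' 'placeholder' \
        '-----END CERTIFICATE-----' > "$f"
    chmod 600 "$f"
    echo "$f"
}

# Stand-alone run: checks the placeholder, then shows a bad-mode rejection.
sample=$(make_sample_pem)
check_sendmail_pem "$sample" && echo "ok: $sample"
chmod 644 "$sample"
check_sendmail_pem "$sample" || echo "rejected as expected"
rm -f "$sample"
```

On the real host, run check_sendmail_pem /etc/pki/tls/certs/sendmail.pem as root; with openssl present it also prints the subject and notAfter date so an expired or wrongly named certificate is caught before clients complain.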



http://coctec.com/docs/linux/show-post-50827.html