How to set up Sendmail on a firewall (2)

火星人 @ 2014-03-12, replies: 0


3. Third-party mail relay
Appended is another article (from the article collection): an introduction to the sendmail 8.9.3 mail relay rules.

Example sendmail configuration on a company firewall
divert(-1)
include(`/usr/lib/sendmail-cf/m4/cf.m4')
dnl let's define our OS type. This one is mandatory.
OSTYPE(`linux')dnl
define(`confDEF_USER_ID',``8:12'')
define(`ALIAS_FILE',`/etc/mail/aliases')dnl
define(`confPRIVACY_FLAGS', `authwarnings,needmailhelo,noexpn,novrfy')dnl
define(`confTO_QUEUERETURN', `4d')dnl
define(`confTO_QUEUEWARN', `4h')dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
undefine(`UUCP_RELAY')dnl
undefine(`BITNET_RELAY') dnl
FEATURE(`redirect')dnl
FEATURE(`always_add_domain')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`local_procmail')dnl
FEATURE(`nouucp')dnl
FEATURE(`mailertable', `hash -o /etc/mail/mailertable')dnl
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable')dnl
FEATURE(`domaintable',`hash -o /etc/mail/domaintable')
FEATURE(`access_db', `hash -o /etc/mail/access')dnl
FEATURE(`blacklist_recipients')dnl
MAILER(procmail)dnl
MAILER(smtp)dnl

use_cw_file
Defaults to the file /etc/sendmail.cw, which lists the domains handled as local; mail sent to these domains is local mail. Do not put company.com into sendmail.cw on the firewall; set it on the mail server in the internal network segment instead. Updating this file does not require restarting sendmail.

* How do I make all my addresses appear to be from a single host?

Using the V8 configuration macros, use:

MASQUERADE_AS(my.dom.ain)

This will cause all addresses to be sent out as being from the indicated domain.
If you're using version 8.7 sendmail, and you want to hide this information in the envelope
as well as the headers, use:

FEATURE(masquerade_envelope)

If you also want to masquerade the recipients, use

FEATURE(allmasquerade)


Mailertable
This feature relays mail regardless of DNS and DNS MX records. It also overrides the Smart_host (DSxxxx) setting.
For example: company.com relay:[192.168.11.1]
Mail for company.com received on the firewall is relayed to 192.168.11.1.
Include a "mailer table" which can be used to override
routing for particular domains. The argument of the
FEATURE may be the key definition. If none is specified,
the definition used is:

hash -o /etc/mailertable

Keys in this database are fully qualified domain names
or partial domains preceded by a dot -- for example,
"vangogh.CS.Berkeley.EDU" or ".CS.Berkeley.EDU".
Values must be of the form:
mailer:domain
where "mailer" is the internal mailer name, and "domain"
is where to send the message. These maps are not
reflected into the message header. As a special case,
the forms:
local:user
will forward to the indicated user using the local mailer,
local:
will forward to the original user in the e-mail address
using the local mailer, and
error:code message
will give an error message with the indicated code and
message.
Domaintable
Domain replacement. If a domain is easily mistyped, for example mail for company.com written as compayn.com, add the line
compayn.com company.com
Access.db
Each database record has two parts: the key and the action.
The key can be a user name, a domain name, or an IP address.
The action can be OK, RELAY, REJECT, DISCARD, or an RFC 821 message.
For example:
cyberspammer.com 550 we don't accept mail from spammers
okay.cyberspammer.com OK
sendmail.org OK
128.32 relay
foobar.com reject
garbage@spam.org discard
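As an added example (not sendmail's own code), here is how a map in the /etc/mail/access format above is consulted: the most specific key wins, so okay.cyberspammer.com is accepted even though cyberspammer.com is rejected, and relaying is granted only to a client IP or sender carrying RELAY. The table is constructed from the page's sample entries.

```python
# Added example (not sendmail's own code): lookup semantics for an access map.
# Most specific key wins, so okay.cyberspammer.com is OK while cyberspammer.com is 550.

# Constructed sample in the page's format (the message typo is corrected here).
ACCESS_TEXT = """\
cyberspammer.com        550 We don't accept mail from spammers
okay.cyberspammer.com   OK
sendmail.org            OK
128.32                  RELAY
foobar.com              REJECT
garbage@spam.org        DISCARD
"""

def parse_access(text):
    """Turn 'key  action [message]' lines into a dict; keys are case-insensitive."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, action = line.split(None, 1)
        table[key.lower()] = action.strip()
    return table

def lookup_sender(table, address):
    """Try the full address, then the host with leading labels stripped one at a time."""
    address = address.lower()
    if address in table:
        return table[address]
    labels = address.partition("@")[2].split(".")
    for i in range(len(labels)):
        key = ".".join(labels[i:])
        if key in table:
            return table[key]
    return None

def lookup_client(table, ip):
    """IPv4 client: full address first, then shorter prefixes (128.32.1.2 -> 128.32.1 -> 128.32)."""
    octets = ip.split(".")
    for n in range(len(octets), 0, -1):
        key = ".".join(octets[:n])
        if key in table:
            return table[key]
    return None

def may_relay(table, client_ip, sender):
    """Relay check: a REJECT/DISCARD/5xx sender is refused; otherwise relay only with a RELAY entry."""
    sender_action = lookup_sender(table, sender)
    if sender_action and sender_action.upper() not in ("OK", "RELAY"):
        return False
    return lookup_client(table, client_ip) == "RELAY" or sender_action == "RELAY"
```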
Virtusertable
Virtusertable is used in this situation: mail sent to a user of the local system is redirected to another user. Note that it must be mail for a local user, otherwise the virtusertable database file is not consulted. For example: put company.com into /etc/sendmail.cw on the firewall, then add a line to /etc/mail/virtusertable:
user1@company.com otheruser@otherdomain.com
virtusertable is a domain-specific form of aliasing, allowing multiple virtual domains to be
hosted on one machine. For example,
if the virtuser table contained:

info@foo.com foo-info
info@bar.com bar-info
@baz.org jane@elsewhere.net

then mail addressed to info@foo.com will be sent to the
address foo-info, mail addressed to info@bar.com will be
delivered to bar-info, and mail addressed to anyone at
baz.org will be sent to jane@elsewhere.net. The username
from the original address is passed as %1 allowing:

@foo.org %1@elsewhere.com

meaning someone@foo.org will be sent to someone@elsewhere.com.

All the host names on the left hand side (foo.com, bar.com,
and baz.org) must be in $=w. The default map definition is:

hash -o /etc/virtusertable
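The lookup just described, as an added example that is not sendmail's own code: the $=w check, the exact user@domain entry, and the @domain catch-all with %1 substitution. The table is built from the page's sample entries and the set of local domains is assumed.

```python
# Added example (not sendmail's own code): the virtusertable lookup described above,
# with the $=w check, the exact user@domain entry and the @domain catch-all using %1.

# Constructed from the page's sample table.
VIRTUSER_TEXT = """\
info@foo.com        foo-info
info@bar.com        bar-info
@baz.org            jane@elsewhere.net
@foo.org            %1@elsewhere.com
"""
# Domains in $=w (what /etc/sendmail.cw would list); assumed for the example.
LOCAL_DOMAINS = {"foo.com", "bar.com", "baz.org", "foo.org"}

def parse_virtuser(text):
    """Map each left-hand key to its right-hand value; keys are case-insensitive."""
    table = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            key, value = line.split(None, 1)
            table[key.lower()] = value.strip()
    return table

def rewrite_recipient(table, local_domains, recipient):
    """Return the rewritten recipient, or the original when no entry applies."""
    user, _, domain = recipient.partition("@")
    domain = domain.lower()
    if domain not in local_domains:          # non-local mail never consults the map
        return recipient
    exact = table.get(f"{user.lower()}@{domain}")
    if exact is not None:
        return exact
    catch_all = table.get(f"@{domain}")
    if catch_all is not None:
        return catch_all.replace("%1", user)  # %1 carries the original user name
    return recipient
```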
FEATURE(genericstable,`hash -o /etc/mail/genericstable'):
Use a hashed table with masquerading information. The unhashed file looks like this:


bg bganslan@myisp.net
root bganslan@myisp.net
nobody bganslan@myisp.net


This file tells sendmail to rewrite the From addresses of your mail, so that you can relay all your mail through your ISP's mail server. The first column contains the local address, the second the address that should be used instead. For sendmail to read this file you have to hash it with this command:
makemap -r hash genericstable.db < genericstable

GENERICS_DOMAIN_FILE(`/etc/mail/genericsdomain'):
You have to add your local domain name to this file, so that sendmail knows which mail is local and has to be masqueraded. To get your local domain, run "hostname".

FAQ: * I'm getting "Local configuration error" messages, such as:

553 MX list for domain.net points back to relay.domain.net
554 ... Local configuration error

How can I solve this problem?

You have asked mail to the domain (e.g., domain.net) to be forwarded to a specific
host (in this case, relay.domain.net) by using an MX record, but the relay machine
doesn't recognize itself as domain.net. Add domain.net to /etc/sendmail.cw (if you
are using FEATURE(use_cw_file)) or add "Cw domain.net" to your configuration file.

IMPORTANT: When making changes to your configuration file, be sure you kill and
restart the sendmail daemon (for ANY change in the configuration, not just this one):

kill `head -1 /etc/sendmail.pid`
sh -c "`tail -1 /etc/sendmail.pid`"

Mail for the Home Network ------ the Stand Alone Config
FEATURE(always_add_domain)dnl
This is the recommended option; it forces the local or program mailer to use fully qualified domain names.
FEATURE(allmasquerade)
I use this feature on the firewall to force all mail to appear to come from the site's official domain name; it must be combined with MASQUERADE_AS.
FEATURE(masquerade_entire_domain)
This feature makes every host within your domain appear to be the same domain.
FEATURE(masquerade_envelope)
MASQUERADE_AS(company.com)
Obviously, this defines the value used by the masquerade features above.
MASQUERADE_DOMAIN( company.com othername.com )
For when you have several internal domain names and want to masquerade them all as the same company domain.
Environment:
Consider this situation: a company runs a Linux mail server with Sendmail. The machine is connected to a LAN and reaches the Internet via PPP, cable modem or DSL, sending mail through the ISP's mail host. The machine has two users, jephe and hongyi (who send mail to company.com from Windows machines); the domain is company.com, the ISP's domain is isp.net, its mail host is mail.isp.net, and both users have accounts of the same name on isp.net: jephe@isp.net and hongyi@isp.net.
Requirements:
When jephe sends a message to hongyi@company.com it must be delivered; when he sends another message to someone on the Internet, it must go out through the ISP, and the reply address must be rewritten to jephe@isp.net or hongyi@isp.net.

#/etc/mail/relay-domains:
jephe.company.com
hongyi.company.com
#/etc/sendmail.cw
company.com
#sendmail.cf

define(`SMART_HOST',`smtp:[ix.deniz.com]')
MASQUERADE_AS(`deniz.com')
FEATURE(`masquerade_envelope')
define(RELAY_MAILER, TCP)
FEATURE(`accept_unqualified_senders')
There are 3 fixes you may have to perform manually if things are not working as you would like them:

1. If sendmail can not "find" your email server:
Edit your /etc/sendmail.cf and look for this line:
#Dj$w.Foo.COM
and change it to:
Djmaster.kulai.org
Where master.kulai.org is the name of your email server. Note: remove the # at the front of
the line as # means: ignore - this is a comment line. This is one of sendmail's rules and it
tells sendmail what the name of the email server is - in case dns, or other ways, do not tell
sendmail what it wants.
2. Masquerading based on destination:
I had the hardest time trying to get sendmail to masquerade only the mail sent to the internet
and not local mail, e.g. I wanted local mail to show the sender as: bmote@kulai.org and not
bmote@deniz.com, but obviously I wanted mail that went out into the internet to show:
bmote@deniz.com. To solve this you have to manually edit the /etc/sendmail.cf. Find the
definitions of local rulesets 10 and 30 within sendmail.cf, (hint: search for S10 and S30) and
delete these 2 lines - or put a # in front of them:

# Envelope sender rewriting
#
S10
R<@> $n errors to mailer-daemon
R@ <@ $*> $n temporarily bypass Sun bogosity
R$+ $: $>50 $1 add local domain if needed
R$* $: $>94 $1 do masquerading <-- delete this line
#
# Header sender rewriting
#
S30
R<@> $n errors to mailer-daemon
R@ <@ $*> $n temporarily bypass Sun bogosity
R$+ $: $>50 $1 add local domain if needed
R$* $: $>93 $1 do masquerading <-- delete this line

There is no m4-based solution for this, so you have to modify sendmail.cf directly. You need
to restart sendmail afterwards, of course.

Note: I have jpollman@kulai.org in my From: line in my email program, so sendmail will
masquerade only out-going mail. Many thanks to: Achim Lübbert for the solution.

3. Using unqualified names fails:
If you type just the user's name in the To: part of the email and it disappears into the
internet, you may have to tell sendmail where to put email with unqualified names. Add this
to the bottom of your master.mc:

define(`LOCAL_RELAY',`mail.kulai.org')

LOCAL_RELAY: again, instead of mail.kulai.org, put your mail server's name here. This line
makes sendmail send unqualified names, like just "bmote", to your mail server, i.e. sendmail
will add the kulai.org onto bmote for you. This way you can type just bmote in the To: field of
your email program instead of bmote@kulai.org. Of course you will have to do the m4, copy,
restart routine again to make it take effect.
Message header and message envelope
Every email message consists of three parts: envelope, header, and body.
The envelope is created when two computers handshake to transfer the mail; it carries the real recipient address. In a normal, legitimate message the recipient address in the envelope matches the To: address, but there are exceptions: when mail is sent to an alias, to a mailing list server, or is redirected by something like a vacation notice.
Sometimes you wonder why a message addressed To: someone@answerme.com ended up in your mailbox. That is the difference between the message To: and the envelope To:. There are many ways to produce it: Bcc:, aliases, mailing lists, direct forging on the command line, dedicated programs (Diffondi 3.1.6), virtusertable virtual domains, the masquerading in the stand-alone dial-up configuration above, and so on.
Direct Forging
At the Unix command prompt of the second-party test machine, shell.elsewhere.com, telnet to
port 25 of your machine and try the following. (Your responses are in bold. Make sure that
you include a blank line after the From: header and that the message ends with a line
containing nothing but a period.)
telnet mail.killaspammer.com 25
220 mail.killaspammer.com ESMTP Sendmail 8.8.5/8.8.5; Mon, 16 Mar 1998 02:34:20 -0800 (PST)
MAIL FROM:
250 ... Sender ok
RCPT TO:
250 ... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
To: insulting@wideopen.com.domain
From: spammer@screwyou.com
Umm, umm, hot spam on rye!
.
250 CAA17232 Message accepted for delivery
quit
221 mail.killaspammer.com closing connection
Connection closed by foreign host.
Now, log in as sam on mail.killaspammer.com and read the message. The headers will look
something like this:
From spammer@worldnet.att.net Mon Mar 16 02:57:02 1998
Received: from shell.elsewhere.com (shell.elsewhere.com [192.168.1.77]) by
mail.killaspammer.com (8.8.5/8.8.5) with SMTP id CAA17232 for ;
Mon, 16 Mar 1998 02:53:50 -0800 (PST)
Date: Mon, 16 Mar 1998 02:53:50 -0800 (PST)
Message-Id: <199803161053.CAA17232@mail.killaspammer.com>
X-Authentication-Warning mail.killaspammer.com: shell.elsewhere.com [192.168.1.77] didn't use HELO protocol
As you can see, spamming is ridiculously easy to do, which is why it has gotten to be such a big problem.
Note: you can have several RCPT TO: lines, as well as Cc:, Subject: and so on.
Specifying recipients on the command line
The following example shows another difference between the address in the message header and the envelope address: sendmail lets the user specify the message's recipients on the command line. Suppose the user has a file letter with this content:
To: null recipient < >
Subject : header and envelope address
Testing
Send it with the following command:
#sendmail yourloginname < letter
Mail delivery process
If joe@gonzo.gov sends a message to betty@zippy.gov, andy@zippy.gov and fred@whizzer.com:
To: betty@zippy.gov , andy@zippy.gov , fred@whizzer.com
When the sendmail SMTP client at gonzo.gov sends the message, each envelope carries only one destination's address, while the complete list of recipients appears only in the message header To: field; during delivery neither the SMTP server at gonzo.gov nor the one at whizzer.com inspects that field. In this example the message to whizzer.com is marked for fred only, while the envelope sent to zippy.gov is copied by the receiving server into one message each for betty and andy.

Sendmail command set and security considerations
HELO/EHLO identifies the client to the server (hello, this is who I am; can be spoofed, but the IP address is recorded, so mostly useless)
MAIL starts a mail transfer (MAIL FROM:)
RCPT identifies a single recipient; normally follows the MAIL command (there may be several RCPT TO: lines)
DATA follows the RCPT commands; indicates that all recipients have been given and starts the data transfer
VRFY used by the client to verify that a given user/mailbox exists; for security reasons some servers disable this command
EXPN used by the client to verify that a given mailing list exists and to expand that list
HELP asks which commands the server supports
NOOP no operation; the server responds OK
QUIT sent by the client to end the session
RSET resets the session; the current transfer is cancelled
To harden the Sendmail server, stop users from telnetting to port 25 and running VRFY and EXPN. Change sendmail.cf as follows:
O PrivacyOptions=authwarnings change to:
O PrivacyOptions=authwarnings,noexpn,novrfy

If sendmail.cf has not been built yet, follow the firewall configuration above:
define(`confPRIVACY_FLAGS', `authwarnings,needmailhelo,noexpn,novrfy')dnl
Sending mail with the mail command
1. cat report.txt | mail -s "Sales Reports" jephe@company.com
2. mail -s "Sales Reports" jephe@company.com < reports.txt
3. mail jephe@company.com
Subject: Sales Report
~r report.txt
~.
Cc:
Sendmail aliases file
1. Every site is generally required to have an administrator address. Many sites do not have a dedicated mail administrator account; instead an alias redirects the administrator account to the mail addresses of one or more users who manage mail:
postmaster: joe,betty
All mail sent to postmaster is forwarded to the users joe and betty; joe and betty here can themselves be aliases:
postmaster: jephe,hongyi
jephe: jephe@company.com
hongyi: hongyi@company.com

Note: sendmail keeps resolving aliases until it reaches a real user or a remote address. In an alias definition, the alias on the left of the colon must be a local user / a user in the local domain, while the right side may be a remote user.
Do not create a circular alias lookup that never resolves:

postmaster: jephe
jephe: admin
admin:postmaster
2. Reading aliases from a file: using :include:
homeboys: :include: /home/alphonese/homeboys.aliases (the two sides are separated by :include:)
The file homeboys.aliases contains
alphonse
joe
betty
george
which is equivalent to
homeboys: alphonse,joe,betty,george
The advantage is that you can create a file that users maintain themselves.
3. Mailing to a file
nobody: /dev/null
Mail sent to nobody is appended to the specified file. Since /dev/null is an empty file, the mail is discarded.
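As an added example (not sendmail's own code) covering the three alias forms above, the following expands an aliases file the way the text describes: chained aliases are followed until a real user, remote address or file is reached, an :include: file contributes its lines, and the circular postmaster/jephe/admin case is detected instead of looping forever. The include file is constructed in a temporary directory so the example runs stand-alone.

```python
# Added example (not sendmail's own code): expand an aliases file the way the text
# describes, reading :include: files and detecting the postmaster -> jephe -> admin
# -> postmaster loop. The include file is constructed in a temp dir so this runs stand-alone.
import os
import tempfile

INCLUDE_PATH = os.path.join(tempfile.mkdtemp(), "homeboys.aliases")
with open(INCLUDE_PATH, "w") as fh:
    fh.write("alphonse\njoe\nbetty\ngeorge\n")

ALIASES_TEXT = f"""\
postmaster: jephe,hongyi
jephe: jephe@company.com
hongyi: hongyi@company.com
homeboys: :include:{INCLUDE_PATH}
nobody: /dev/null
"""

def parse_aliases(text):
    """Map each alias to its targets; an :include: entry contributes every line of the named file."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, rhs = line.partition(":")
        targets = []
        for item in rhs.split(","):
            item = item.strip()
            if item.startswith(":include:"):
                with open(item[len(":include:"):].strip()) as inc:
                    targets.extend(l.strip() for l in inc if l.strip())
            elif item:
                targets.append(item)
        table[name.strip().lower()] = targets
    return table

def expand(table, name, seen=frozenset()):
    """Resolve an address to real users, remote addresses or files; raise on an alias loop."""
    key = name.lower()
    if key not in table:
        return [name]                 # not an alias: a local user, remote address or file
    if key in seen:
        raise ValueError(f"alias loop through {name}")
    result = []
    for target in table[key]:
        result.extend(expand(table, target, seen | {key}))
    return result
```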


http://www.coctec.com/docs/linux/show-post-70019.html