RedHat9.0下帶認證的Sendmail郵件伺服器安裝手冊

RedHat9.0下帶認證的Sendmail郵件伺服器安裝手冊

環境：RedHat Linux 9.0 完全安裝或者確保以下安裝包已經安裝完畢：
imap-2001a-18.i286.rpm
sendmail-8.12.8-4.i386.rpm
m4-1.4.1-13.i386.rpm
cyrus-sasl-2.1.10-4.i386.rpm
cyrus-sasl-md5-2.1.10-4.i386.rpm
cyrus-sasl-plain-2.1.10-4.i386.rpm
cyrus-sasl-gssapi-2.1.10-4.i386.rpm
目的：實現帶認證功能的郵件伺服器的配置安裝

一.        Sendmail服務配置
1.        安裝RedHat Linux 9.0后，修改/etc/mail/sendmail.mc，修改後文件如下：
divert(-1)dnl
dnl #
dnl # This is the sendmail macro config file for m4. If you make changes to
dnl # /etc/mail/sendmail.mc, you will need to regenerate the
dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf package is
dnl # installed and then performing a
dnl #
dnl #     make -C /etc/mail
dnl #
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for Red Hat Linux')dnl
OSTYPE(`linux')dnl
dnl #
dnl # Uncomment and edit the following line if your outgoing mail needs to
dnl # be sent out through an external mail server:
dnl #
dnl define(`SMART_HOST',`smtp.your.provider')
dnl #
define(`confDEF_USER_ID',``8:12'')dnl
define(`confTRUSTED_USER', `smmsp')dnl
dnl define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
dnl define(`STATUS_FILE', `/etc/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
dnl #
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
dnl define(`confAUTH_OPTIONS', `A p')dnl
dnl #
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl #
define(QUEUE_DIR, `/var/spool/mqueue/q*')
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl #
dnl # Rudimentary information on creating certificates for sendmail TLS:
dnl #     make -C /usr/share/ssl/certs usage
dnl #
dnl define(`confCACERT_PATH',`/usr/share/ssl/certs')
dnl define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')
dnl define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem')
dnl define(`confSERVER_KEY',`/usr/share/ssl/certs/sendmail.pem')
dnl #
dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
dnl # slapd, which requires the file to be readble by group ldap
dnl #
dnl define(`confDONT_BLAME_SENDMAIL',`groupreadablekeyfile')dnl
dnl #
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
define(`confTO_IDENT', `0')dnl
dnl FEATURE(delay_checks)dnl
FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
dnl #
dnl # The -t option will retry delivery if e.g. the user runs over his quota.
dnl #
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -T<TMPF>; -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
dnl #
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl #
DAEMON_OPTIONS(`Port=25, Name=MSA')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
dnl #
dnl # For this to work your OpenSSL certificates must be configured.
dnl #
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl #
dnl # The following causes sendmail to additionally listen on the IPv6 loopback
dnl # device. Remove the loopback address restriction listen to the network.
dnl #
dnl # NOTE: binding both IPv4 and IPv6 daemon to the same port requires
dnl #       a kernel patch
dnl #
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
dnl #
dnl # We strongly recommend not accepting unresolvable domains if you want to
dnl # protect yourself from spam. However, the laptop and users on computers
dnl # that do not have 24x7 DNS do need this.
dnl #
FEATURE(`accept_unresolvable_domains')dnl
dnl #
dnl FEATURE(`relay_based_on_MX')dnl
dnl #
dnl # Also accept email sent to "localhost.localdomain" as local email.
dnl #
LOCAL_DOMAIN(`localhost.localdomain')dnl
dnl #
dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from mydomain.com
dnl #
dnl MASQUERADE_AS(`mydomain.com')dnl
dnl #
dnl # masquerade not just the headers, but the envelope as well
dnl #
dnl FEATURE(masquerade_envelope)dnl
dnl #
dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well
dnl #
dnl FEATURE(masquerade_entire_domain)dnl
dnl #
dnl MASQUERADE_DOMAIN(localhost)dnl
dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl
dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl

文件中，紅色字體的行為需要修改的地方，共有五行需要修改。
第一行是手動添加的，與認證無關，作用是啟動多個郵件隊列，為了獲得更好的傳輸性能。
第二行和第三行是去掉行首的註釋。」TRUST_AUTH_MECH」的作用是使sendmail不管access文件中如何設置，都能 relay 那些通過EXTERNAL, LOGIN, PLAIN, CRAM-MD5或DIGEST-MD5等方式驗證的郵件，」confAUTH_MECHANISMS" 的作用是確定系統的認證方式。Outlook Express支持的認證方式是LOGIN。
第四行是加上註釋，以便讓sendmail可以偵聽所有網路設備，為整個網路提供服務，而不僅僅只對本機提供服務。
第五行是修改的，原來內容是:
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
去掉行首的註釋符，並且將內容修改成Port=25:
DAEMON_OPTIONS(`Port=25, Name=MSA')dnl
在smtp的默認埠（25）上進行認證，而不是587埠。這樣就強制所有使用該郵件伺服器進行郵件轉發的用戶在認證后才能發郵件了。


2.        運行：
# m4 /etc/mail/sendmail.mc >; /etc/sendmail.cf
用m4重新生成sendmail.cf文件

3.        既然我們打開了多個隊列，現在我們在/var/spool/mqueue/下創建任意多個隊列目錄，運行：
# cd /var/spool/mqueue
# mkdir q1 q2 q3 q4 q5 q6

4.        修改/etc/mail/local-host-names，將希望該郵件伺服器使用的郵箱名加進去，比如郵箱為：xxx@abc.com.cn則將abc.com.cn加入到該文件中。
5.        重新啟動sendmail服務，運行：
# killall –HUP sendmail
6.        可以通過telnet 本機IP 25來驗證sendmail服務是否已經正常啟動，若登陸成功，則說明sendmail服務已經成功啟動。
# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'
220 localhost.localdomain ESMTP Sendmail 8.12.8/8.12.8; Wed, 12 May 2004 15:57:01 +0800
ehlo localhost
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH GSSAPI LOGIN PLAIN
250-DELIVERBY
250-HELP
quit
#
在AUTH後面有LOGIN就基本上可以在OutlookExpress上認證了。

二.        Pop3服務配置：
1.        運行：
# ntsysv
在系統服務列表中選中ipop3，選』OK』保存推出
2.        重啟xinetd服務，運行：
# service xinetd restart
3.        運行netstat命令看smtp和pop3服務是否都已經啟動
# netstat -l

以前曾經參考過心餘和peng兩位大俠的關於在RedHat8.0下配置帶認證功能的sendmail郵件伺服器的帖子，但是照做后發現有問題。不妥的地方在於配置文件
/etc/mail/sendmail.mc中的兩句：
DAEMON_OPTIONS(`Port=25, Name=MTA')dnl
DAEMON_OPTIONS(`Port=587, Name=MSA, M=Ea')dnl
根據這樣的配置，sendmail只有在587埠才對用戶強制進行身份認證，而在smtp服務默認用的埠25（OutlookExpress上默認用的就是25）上則用戶認不
認證都無所謂，我在OutlookExpress上選擇「我的伺服器要求身份認證」sendmail就進行認證，若不選該選項，sendmail伺服器不加任何認證就會轉發任
何郵件。這種策略顯然是不合理的，安全的策略是只在默認的25埠強制進行身份認證，否則不予轉發郵件，在其他埠根本不打開。因而這兩句應合成一
句：
DAEMON_OPTIONS(`Port=25, Name=MSA')dnl

在這種配置下，郵件伺服器僅在收發雙方都是本地用戶的時候才不強制進行身份認證，其他情況的時候都要進行認證。這篇貼子沒有經過嚴格測試就發出來了，實在是對不住大家，現在我已經改正了相應的配置，就是上面的一句話。在此道歉！ :oops:

RedHat9.0下帶認證的Sendmail郵件伺服器安裝手冊

Thanks!
I want this long time... :em10:

RedHat9.0下帶認證的Sendmail郵件伺服器安裝手冊

我將587改為25后，一發郵件，sendmail進程就退出啊。請樓主賜教。

RedHat9.0下帶認證的Sendmail郵件伺服器安裝手冊

不好意思，沒有遇到過這種現象，是不是系統裝的有問題？不應該的呀，沒有道理一個請求使得後台服務進程退出的。可以察看一下日誌文件，看看有沒有什麼錯誤信息，日誌文件位置在：
/var/log/maillog
最新的內容在最後面，查查看先？

RedHat9.0下帶認證的Sendmail郵件伺服器安裝手冊

NOQUEUE: SYSERR(root): opendaemonsocket: daemon MSA: cannot bind: Address already in use daemon MSA: problem creating SMTP socket
NOQUEUE: SYSERR(root): opendaemonsocket: daemon MSA: cannot bind: Address already in use daemon MSA: problem creating SMTP socket
NOQUEUE: SYSERR(root): opendaemonsocket: daemon MSA: cannot bind: Address already in use daemon MSA: problem creating SMTP socket
NOQUEUE: SYSERR(root): opendaemonsocket: daemon MSA: cannot bind: Address already in use daemon MSA: problem creating SMTP socket
NOQUEUE: SYSERR(root): opendaemonsocket: daemon MSA: cannot bind: Address already in use daemon MSA: problem creating SMTP socket
NOQUEUE: SYSERR(root): opendaemonsocket: daemon MSA: cannot bind: Address already in use daemon MSA: problem creating SMTP socket
NOQUEUE: SYSERR(root): opendaemonsocket: daemon MSA: cannot bind: Address already in use daemon MSA: problem creating SMTP socket
NOQUEUE: SYSERR(root): opendaemonsocket: daemon MSA: server SMTP socket wedged: exiting
怎麼解決啊？

RedHat9.0下帶認證的Sendmail郵件伺服器安裝手冊

OQUEUE: SYSERR(root): opendaemonsocket: daemon MSA: cannot bind: Address already in use daemon MSA: problem creating SMTP socket
NOQUEUE: SYSERR(root): opendaemonsocket: daemon MSA: cannot bind: Address already in use daemon MSA: problem creating SMTP socket
NOQUEUE: SYSERR(root): opendaemonsocket: daemon MSA: cannot bind: Address already in use daemon MSA: problem creating SMTP socket
NOQUEUE: SYSERR(root): opendaemonsocket: daemon MSA: cannot bind: Address already in use daemon MSA: problem creating SMTP socket
NOQUEUE: SYSERR(root): opendaemonsocket: daemon MSA: server SMTP socket wedged: exiting
怎麼解決啊？

RedHat9.0下帶認證的Sendmail郵件伺服器安裝手冊

請將DAEMON_OPTIONS(`Port=25, Name=MSA, M=Ea')dnl中的M=Ea改為M=E即可

RedHat9.0下帶認證的Sendmail郵件伺服器安裝手冊

謝謝。不過，foxmail居然不用認證也能發郵件，鬱悶。outlook倒是不經認證就不能發送。

RedHat9.0下帶認證的Sendmail郵件伺服器安裝手冊

根據這樣的配置，sendmail只有在587埠才對用戶強制進行身份認證，而在smtp服務默認用的埠25（OutlookExpress上默認用的就是25）上則用戶認不
認證都無所謂，我在OutlookExpress上選擇「我的伺服器要求身份認證」sendmail就進行認證，若不選該選項，sendmail伺服器不加任何認證就會轉發任
何郵件。這種策略顯然是不合理的，安全的策略是只在默認的25埠強制進行身份認證，否則不予轉發郵件，在其他埠根本不打開。因而這兩句應合成一

這個不對吧。印象中 sendmail.mc中的註釋不是這樣講的。

RedHat9.0下帶認證的Sendmail郵件伺服器安裝手冊

dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.

Tags: