How ucspi-tcp works and how to configure it: the SMTP user authentication rules

The Qmail installation guide mentioned the rules set in the tcp.smtp file; here is a detailed explanation.

qmail-smtpd supports a selective way of ignoring the rcpthosts file: if the environment variable RELAYCLIENT is set for qmail-smtpd, the rcpthosts file is ignored and relaying is allowed. But how do we tell whether a sender is one of our own clients? qmail does not use password authentication for this; it looks at the sender's source IP address, and if that address belongs to the local network the sender is treated as a client. To relay only after SMTP authentication, no IP addresses need to be pre-configured, so the default rule is set to "relay only for this server itself".

Here the ucspi-tcp package is used, specifically its tcpserver program. Its function resembles inetd: it listens for incoming connection requests, sets various environment variables for the service to be started, and then starts the specified service.

tcpserver's configuration file is /etc/tcp.smtp, which defines whether the RELAYCLIENT environment variable is set for a given network. For example, if the local network is the class C address 192.168.10.0/24, the contents of tcp.smtp should be set as follows:

  127.0.0.1:allow,RELAYCLIENT=""
  192.168.10.:allow,RELAYCLIENT=""
  :allow


These rules mean: if the connection comes from 127.0.0.1 or from 192.168.10., allow it and set the RELAYCLIENT environment variable for it; otherwise allow other connections but do not set RELAYCLIENT. If you only need to relay for the local machine itself, the second line can be omitted.

Thus a connection from elsewhere to the local port 25 will be allowed, but because the environment variable is not set, relaying over that connection will be refused by qmail-smtpd. tcpserver does not use the /etc/tcp.smtp file directly, though; the file must first be compiled into a cdb file:

  [lix@mail /etc]$ tcprules tcp.smtp.cdb tcp.smtp.temp < tcp.smtp

Now look again at the run file in the /service/qmail-smtpd directory, which contains:

  /usr/local/bin/tcpserver -v -p -x /etc/tcp.smtp.cdb

As you can see, tcpserver uses the /etc/tcp.smtp.cdb file. If there are several local networks, all of them must appear in /etc/tcp.smtp. This allows local clients to relay mail while preventing the relay from being abused.


The tcpserver command that starts smtp:

exec /usr/local/bin/tcpserver -h -p -R -x /etc/tcp.smtp.cdb -u88 -g88 -v -c500 0 smtp /usr/local/bin/rblsmtpd -a rwl.dns.com.cn -r cblless.anti-spam.org.cn /var/qmail/bin/qmail-smtpd /home/vpopmail/bin/vchkpw /usr/bin/true 2>&1


Note:

/home/vpopmail/bin/vchkpw can be setuid and setgid. This is important; otherwise authentication will not succeed. The reason is that the smtpd process is run as qmaild, whereas the password-checking program was originally only used by the pop3 process, run as root or vpopmail, in order to read passwords from shadow or from the database and to fetch the user's mail directory. qmaild has no permission to do any of this. If the smtp process is to call the password checker, setuid and setgid must be used. In fact there is no need to worry about this: both password checkers come with source code and are themselves very secure; they just need to be placed in a secure directory (set permissions so that no user other than qmaild can execute them; actually, if there are no other shell accounts, none of this trouble is needed).

 tcpserver connection options
---------------------------------------------------------------------------
Option            Description
---------------------------------------------------------------------------
 -h               Look up the remote host name in DNS
 -p               Paranoid. Use reverse DNS to look up the remote host's IP address and compare it with the host name; if they do not match, remove the environment variable $TCPREMOTEHOST
 -R               Do not attempt to obtain $TCPREMOTEINFO from the remote host. You must use this option for port 53 and port 113
 -x db            Use the rules in the hash database db to accept or reject access from remote clients
 -g gid           After preparing to accept connections, change the effective group ID to gid
 -u uid           After preparing to accept connections, change the effective user ID to uid
 -U               Equivalent to -g $GID -u $UID
 -c n             Do not accept more than n simultaneous connections
 -r               Attempt to obtain $TCPREMOTEINFO from the remote host (default)


tcpserver's Unix environment variables

------------------------------------------------------------------------------
Variable                      Description
------------------------------------------------------------------------------
$PROTO                        Protocol in use (TCP by default)
$TCPLOCALIP                   IP address of the local host
$TCPLOCALPORT                 Local TCP port number
$TCPLOCALHOST                 DNS name of the local host
$TCPREMOTEIP                  IP address of the remote client
$TCPREMOTEPORT                TCP port number of the remote client
$TCPREMOTEHOST                DNS name of the remote host
$TCPREMOTEINFO                User name of the remote client


 Below is a detailed commentary on the rule configuration. If your English is not strong it may be a bit hard going, but I have added Chinese explanations anyway:

# DESCRIPTION OF THE RULES TO REMIND ME OF HOW THIS FILE WORKS
#
# If you set 'allow', this means that our mail server will allow the specified IP range to make a TCP connection to our server
# (allow: permit the specified IP range to open a TCP connection to our server)

# If you set 'deny', this means that our mail server will not allow the specified IP range to make a TCP connection to our server
# (deny: refuse the specified IP range a TCP connection to our server)

# If you set RELAYCLIENT="", this means that the listed IP range is allowed to relay mail through our server
# (RELAYCLIENT="": the listed IPs may relay through our server)

# If you dont set RELAYCLIENT="", this means that the listed IP range will not be able to relay mail through our server
# (without RELAYCLIENT="", the listed IPs are not allowed to relay through our server)

# If you set RBLSMTPD="", this means that the listed IP ranges will
# not be checked against any of the RBL databases
# (RBLSMTPD="": connections from the listed IPs are not checked against the RBL blacklists)

# If you set RBLSMTPD="some text here", this means that an RBL lookup
# wont be performed, but the mail will be rejected with the specified
# text as a 4xx temp error message
# (RBLSMTPD="some text here": connections from the listed IPs are not RBL-checked, but are refused with a "4xx" temporary error)

# If you set RBLSMTPD="-some text here", this means that an RBL lookup
# wont be performed, but the mail will be rejected with the specified
# text as a 5xx perm error message
# (RBLSMTPD="-some text here": connections from the listed IPs are not RBL-checked, but are refused with a "5xx" permanent error)


# If you do not set RBLSMTPD="" or ="some text", then an RBL lookup
# will be performed. If the lookup is successful, then RBLSMTPD will
# return your custom error message (as specified in the -r parameter
# in smtpd supervise script)
#
#-----------------------------------------------------
# HERE ARE THE RULES! :
#-----------------------------------------------------
# BYPASS OPEN RELAY CHECKING FOR THESE IPS :
#
# These IPs are ones that we have setup so that they arent RBL checked.
# We have done this because these particular servers are RBL listed,
# and for whatever reason they can’t/won’t fix their open relay problem,
# and we still want to be able to receive mail from them.
#
# reminder text goes here for this entry so we know the story...
#111.111.111.111:allow,RBLSMTPD=""
# reminder text goes here for this entry so we know the story...
#222.222.222.222:allow,RBLSMTPD=""
#
#-----------------------------------------------------------------
# DONT ALLOW THESE IPS TO SEND MAIL TO US :
#
# mailXX.offermail.net connecting regularly and sending invalid
# format messages causing exit with status 256 (bare linefeed normally)
# entry added 15/12/2001
# after looking at the mail coming from these servers it was found to be spam
#216.242.75.100-116:allow,RBLSMTPD="-Connections from this IP have been banned."
#
# heaps of spam from replyto of *@freeamateurhotties.com dec2001
#64.228.127.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
#154.20.Array4.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
#20Array.151.132.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
#216.18.85.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
#
#-----------------------------------------------------------------
# ALLOW THESE IPS TO RELAY MAIL THROUGH OUR SERVER
#
# Local class-c’s from our LAN are allowed to relay,
# and we wont bother doing any RBL checking.
#123.123.123.:allow,RELAYCLIENT="",RBLSMTPD=""
#123.111.111.:allow,RELAYCLIENT="",RBLSMTPD=""
#
# Connections from localhost are allowed to relay
# (because the WebMail server runs on localhost),
# and obviously there is no point trying to perform an RBL check.
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD=""
#
#-----------------------------------------------------------------
# ALLOW EVERYONE ELSE TO SEND US MAIL
#
# Everyone else can make connections to our server,
# but not allowed to relay
# RBL lookups are performed
:allow
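As an added example that is not part of the original post, the following Python evaluates a client's $TCPREMOTEIP against tcp.smtp rules the way tcpserver does after tcprules has compiled them: exact IP, then successively shorter dotted prefixes, then the empty default rule. It assumes IPv4 address rules only (the =hostname and info@ forms are not modelled), and the sample file is constructed from the rules shown above, not taken from a real server.

```python
# Added example, not from the original post: evaluates a client's $TCPREMOTEIP
# against tcp.smtp rules the way tcpserver/tcprules do for exact IPs, dotted
# prefixes ("192.168.10."), last-octet ranges and the empty default rule.
import re

# Constructed sample modelled on the post's rules (not a real site's file).
TCP_SMTP = """\
216.242.75.100-116:allow,RBLSMTPD="-Connections from this IP have been banned."
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD=""
192.168.10.:allow,RELAYCLIENT=""
:allow
"""

RULE_RE = re.compile(r'^([^:]*):(allow|deny)(?:,(.*))?$')

def parse_rules(text):
    """Return {address: (action, env)} as tcprules would store it, ranges expanded."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError('bad rule: %r' % line)
        addr, action, envs = m.groups()
        env = {}
        for item in filter(None, (envs or '').split(',')):  # values hold no commas here
            key, _, value = item.partition('=')
            env[key] = value.strip('"')
        r = re.match(r'^(.*\.)(\d+)-(\d+)$', addr)  # a.b.c.10-12 -> a.b.c.10 .. a.b.c.12
        targets = ([r.group(1) + str(n) for n in range(int(r.group(2)), int(r.group(3)) + 1)]
                   if r else [addr])
        for t in targets:
            rules[t] = (action, env)
    return rules

def lookup(rules, ip):
    """Most specific rule wins: exact IP, then shorter dotted prefixes, then ''."""
    parts = ip.split('.')
    candidates = [ip] + ['.'.join(parts[:n]) + '.' for n in range(len(parts) - 1, 0, -1)] + ['']
    for key in candidates:
        if key in rules:
            return rules[key]
    return ('allow', {})  # no rule at all matched: tcpserver allows with no environment

def relay_allowed(rules, ip):
    """True when qmail-smtpd would see RELAYCLIENT and ignore rcpthosts."""
    action, env = lookup(rules, ip)
    return action == 'allow' and 'RELAYCLIENT' in env
```

Running relay_allowed over a few addresses is a quick way to confirm that only the LAN and localhost get RELAYCLIENT and that a stray `:allow,RELAYCLIENT=""` default would turn the host into an open relay.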