Building a sendmail server: case study (part 1)
The company has decided to set up a mail server and give every employee a corporate mailbox. Employees' mail is generally small, so mailbox quotas are needed. To keep the server load down, spam must be rejected effectively.
Mail server hostname: mail.xianfeng.com
Mail server IP address: 10.1.1.1
DNS server used by the mail server: 10.1.1.1 (a virtual lab environment, so DNS and mail run on the same machine)
How a mail server works is not repeated here; we go straight to the solution for this case.
(1) Configure the DNS server. So that the mail server can be located correctly on the network, first set up the domain data for the xianfeng.com zone.
Install the bind package that provides the DNS service (version number omitted):
rpm -ivh bind-<version>.rpm
Edit the main DNS configuration file named.conf and add the entries for xianfeng.com, both the forward zone and the reverse zone:
vi /etc/named.conf
zone "xianfeng.com" IN {
        type master;
        file "xianfeng.com.zone";
};
zone "1.1.10.in-addr.arpa" IN {
        type master;
        file "10.1.1.zone";
};
(2) Add the forward and reverse zone files for xianfeng.com. Comments in zone files start with ";", not "#"; a "#" line makes named reject the zone.
vi /var/named/xianfeng.com.zone
$TTL 86400
@       IN SOA  mail.xianfeng.com. admin.xianfeng.com. (
                2009    ; serial
                3H      ; refresh
                15M     ; retry
                1W      ; expire
                1D )    ; minimum TTL
@       IN NS   mail.xianfeng.com.
mail    IN A    10.1.1.1
@       IN MX 5 mail.xianfeng.com.    ; the MX record is what lets other mail systems find this server
vi /var/named/10.1.1.zone
$TTL 86400
@       IN SOA  mail.xianfeng.com. admin.xianfeng.com. (
                2009    ; serial
                3H      ; refresh
                15M     ; retry
                1W      ; expire
                1D )    ; minimum TTL
@       IN NS   mail.xianfeng.com.
1       IN PTR  mail.xianfeng.com.    ; must match the forward name of 10.1.1.1: many receiving MTAs penalise or reject mail from a host whose PTR disagrees with its A record
Restart the DNS service:
service named restart
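The chain that other mail systems follow is MX -> A -> PTR, and a break anywhere in it (a typo in the MX target, a PTR left pointing at some other domain) shows up as bounced or spam-foldered mail rather than as an error from named. The script below is an added example, not part of the original article: it syntax-checks both zone files with named-checkzone and then verifies the chain against the server with dig. It assumes dig and named-checkzone (the bind-utils package) are installed; the domain, address and file paths are the ones used in this case.

```shell
#!/bin/sh
# Added example, not from the original article: sanity-check the DNS data
# for the mail server. Assumes dig and named-checkzone (bind-utils) exist.
DOMAIN=xianfeng.com
MAILHOST=mail.xianfeng.com
IP=10.1.1.1
NS=10.1.1.1                     # the zone's own server; point elsewhere to test from outside
FWD_ZONE=/var/named/xianfeng.com.zone
REV_ZONE=/var/named/10.1.1.zone
REV_ZONE_NAME=1.1.10.in-addr.arpa

# Turn a dotted IPv4 address into its in-addr.arpa name (pure string work).
rev_arpa() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa\n", $4, $3, $2, $1 }'
}

# From "dig +short MX" output (lines of "<preference> <host>."), pick the
# lowest-preference target and strip its trailing dot.
mx_target() {
    sort -n | awk 'NR == 1 { print $2 }' | sed 's/\.$//'
}

# Syntax-check both zone files before restarting named.
check_zone_files() {
    named-checkzone "$DOMAIN" "$FWD_ZONE" && named-checkzone "$REV_ZONE_NAME" "$REV_ZONE"
}

# Walk MX -> A -> PTR and stop at the first inconsistency.
check_records() {
    mx=$(dig +short @"$NS" MX "$DOMAIN" | mx_target)
    [ "$mx" = "$MAILHOST" ] || { echo "FAIL: MX of $DOMAIN is '$mx', expected $MAILHOST"; return 1; }
    a=$(dig +short @"$NS" A "$mx")
    [ "$a" = "$IP" ] || { echo "FAIL: A of $mx is '$a', expected $IP"; return 1; }
    ptr=$(dig +short @"$NS" PTR "$(rev_arpa "$IP")" | sed 's/\.$//')
    [ "$ptr" = "$mx" ] || { echo "FAIL: PTR of $IP is '$ptr', expected $mx"; return 1; }
    echo "PASS: $DOMAIN MX -> $mx -> $IP -> PTR $ptr is consistent"
}

case "${1:-}" in
    run) check_zone_files && check_records ;;
esac
```

Run it as "sh check_mail_dns.sh run" after every zone change; the PTR test is the one that catches the copy-and-paste mistake of leaving a reverse record pointing at a different domain.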
(3) Edit the local-host-names file and add the mail domain xianfeng.com, so that sendmail treats mail addressed to user@xianfeng.com as local:
vi /etc/mail/local-host-names
# local-host-names - include all aliases for your machine here.
# add the following line
xianfeng.com
(4) Set up the sendmail.cf configuration.
sendmail and m4 are installed by default; the sendmail-cf package, which provides the m4 macro files, must be installed as well.
Edit sendmail.mc:
vi /etc/mail/sendmail.mc
Below is the complete sendmail.mc. Every line beginning with dnl is a comment (dnl discards the rest of the line); the places to change are marked in the notes between the sections.
divert(-1)dnl
dnl #
dnl # This is the sendmail macro config file for m4. If you make changes to
dnl # /etc/mail/sendmail.mc, you will need to regenerate the
dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf package is
dnl # installed and then performing a
dnl #
dnl #     make -C /etc/mail
dnl #
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for Red Hat Linux')dnl
OSTYPE(`linux')dnl
dnl #
dnl # default logging level is 9, you might want to set it higher to
dnl # debug the configuration
dnl #
dnl define(`confLOG_LEVEL', `9')dnl
dnl #
dnl # Uncomment and edit the following line if your outgoing mail needs to
dnl # be sent out through an external mail server:
dnl #
dnl define(`SMART_HOST',`smtp.your.provider')
dnl #
define(`confDEF_USER_ID',``8:12'')dnl
dnl define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
dnl #
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
dnl define(`confAUTH_OPTIONS', `A p')dnl
dnl #
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl # Please remember that saslauthd needs to be running for AUTH.
dnl #
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
Note: the TRUST_AUTH_MECH and confAUTH_MECHANISMS lines above ship with a leading dnl; delete that dnl from both so they take effect. Together they enable SMTP authentication on the server, after which authenticated users are allowed to relay.
dnl #
dnl # Rudimentary information on creating certificates for sendmail TLS:
dnl #     cd /usr/share/ssl/certs; make sendmail.pem
dnl # Complete usage:
dnl #     make -C /usr/share/ssl/certs usage
dnl #
dnl define(`confCACERT_PATH',`/usr/share/ssl/certs')
dnl define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')
dnl define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem')
dnl define(`confSERVER_KEY',`/usr/share/ssl/certs/sendmail.pem')
dnl #
dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
dnl # slapd, which requires the file to be readable by group ldap
dnl #
dnl define(`confDONT_BLAME_SENDMAIL',`groupreadablekeyfile')dnl
dnl #
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
define(`confTO_IDENT', `0')dnl
dnl FEATURE(delay_checks)dnl
FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
dnl #
dnl # The following limits the number of processes sendmail can fork to accept
dnl # incoming messages or process its message queues to 12.) sendmail refuses
dnl # to accept connections once it has reached its quota of child processes.
dnl #
dnl define(`confMAX_DAEMON_CHILDREN', 12)dnl
dnl #
dnl # Limits the number of new connections per second. This caps the overhead
dnl # incurred due to forking new sendmail processes. May be useful against
dnl # DoS attacks or barrages of spam. (As mentioned below, a per-IP address
dnl # limit would be useful but is not available as an option at this writing.)
dnl #
dnl define(`confCONNECTION_RATE_THROTTLE', 3)dnl
dnl #
dnl # The -t option will retry delivery if e.g. the user runs over his quota.
dnl #
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
dnl #
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA')dnl
Note: the stock DAEMON_OPTIONS line binds the SMTP listener to 127.0.0.1 only, so nothing on the network can reach it. Comment that line out (prefix it with dnl; a leading # also works, but m4 copies such a line into sendmail.cf as a comment) and add the Addr=0.0.0.0 line so the daemon listens on every interface.
dnl #
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl #
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
dnl #
dnl # For this to work your OpenSSL certificates must be configured.
dnl #
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl #
dnl # The following causes sendmail to additionally listen on the IPv6 loopback
dnl # device. Remove the loopback address restriction listen to the network.
dnl #
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
dnl #
dnl # enable both ipv6 and ipv4 in sendmail:
dnl #
dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6')
dnl #
dnl # We strongly recommend not accepting unresolvable domains if you want to
dnl # protect yourself from spam. However, the laptop and users on computers
dnl # that do not have 24x7 DNS do need this.
dnl #
FEATURE(`accept_unresolvable_domains')dnl
dnl #
dnl FEATURE(`relay_based_on_MX')dnl
dnl #
dnl # Also accept email sent to "localhost.localdomain" as local email.
dnl #
LOCAL_DOMAIN(`localhost.localdomain')dnl
dnl #
dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from mydomain.com
dnl #
dnl MASQUERADE_AS(`mydomain.com')dnl
dnl #
dnl # masquerade not just the headers, but the envelope as well
dnl #
dnl FEATURE(masquerade_envelope)dnl
dnl #
dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well
dnl #
dnl FEATURE(masquerade_entire_domain)dnl
dnl #
dnl MASQUERADE_DOMAIN(localhost)dnl
dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl
dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
Two settings in this file deserve a second look against the goals stated at the start. FEATURE(`accept_unresolvable_domains') is active, and as its own comment says it weakens spam protection: unless clients without reliable DNS have to send through this server, comment it out with dnl so that mail from sender domains that do not resolve is refused. And confAUTH_OPTIONS is set to `A' only, so once the daemon listens on 0.0.0.0 it accepts PLAIN and LOGIN authentication over unencrypted connections, which sends users' passwords across the network in the clear. The `A p' variant shown in the file, together with the confSERVER_CERT and confSERVER_KEY lines and a certificate made as the comment describes, limits the plaintext mechanisms to sessions that have already negotiated STARTTLS.
Generate sendmail.cf. The sendmail.cf syntax is a terse rule language that few people can read directly, so the edits in the previous step are made in sendmail.mc and compiled into sendmail.cf with m4. Back up the existing sendmail.cf first, then run from /etc/mail (the make -C /etc/mail mentioned in the file header does the same thing):
cd /etc/mail && m4 sendmail.mc > sendmail.cf
Restart sendmail and saslauthd (as the comment in sendmail.mc says, saslauthd must be running for SMTP AUTH to work):
service sendmail restart
service saslauthd restart
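Two things to confirm once sendmail listens on 0.0.0.0 with AUTH enabled: that an unauthenticated client still cannot relay to outside domains (the configuration above refuses this, but a mistaken RELAY entry in access.db or an enabled relay_* feature opens it silently), and that the daemon does not offer PLAIN or LOGIN on an unencrypted connection. The script below is an added example, not part of the original article. It drives a plain SMTP session with nc and grades the server's replies; it assumes nc (netcat) is installed, and the names audit.example, example.net and example.org are placeholders for "somewhere outside xianfeng.com".

```shell
#!/bin/sh
# Added example, not from the original article: audit the MTA's relay and
# AUTH posture as seen by an unauthenticated, unencrypted client. Assumes nc.
HOST=${MTA_HOST:-mail.xianfeng.com}
PORT=${MTA_PORT:-25}

# Run one plain SMTP session: commands on stdin, server replies on stdout.
smtp_session() {
    nc -w 5 "$HOST" "$PORT" | tr -d '\r'
}

# Grade an EHLO transcript. PLAIN and LOGIN carry the password in the clear,
# so they may only be advertised together with STARTTLS (confAUTH_OPTIONS
# `A p' makes sendmail hide them until the session is encrypted).
auth_posture() {
    resp=$(cat)
    tls=$(printf '%s\n' "$resp" | grep -ci '^250[ -]STARTTLS' || true)
    auth=$(printf '%s\n' "$resp" | grep -i '^250[ -]AUTH' || true)
    plain=$(printf '%s\n' "$auth" | grep -ciE 'PLAIN|LOGIN' || true)
    if [ -z "$auth" ]; then
        echo "WARN: no AUTH advertised, clients cannot authenticate to relay"
        return 1
    elif [ "$plain" -gt 0 ] && [ "$tls" -eq 0 ]; then
        echo "FAIL: PLAIN/LOGIN offered without STARTTLS"
        return 1
    fi
    echo "PASS: AUTH offered, STARTTLS=$tls"
}

# Grade a relay probe: the reply to RCPT TO is the line just before the
# 221 that answers QUIT. A 250 there means anyone can relay through us.
relay_posture() {
    rcpt=$(awk '/^221/ { print prev; exit } { prev = $0 }')
    case "$rcpt" in
        250*) echo "FAIL: open relay, RCPT accepted: $rcpt"; return 1 ;;
        5*)   echo "PASS: relay refused: $rcpt" ;;
        *)    echo "UNKNOWN: RCPT reply was '$rcpt'"; return 1 ;;
    esac
}

case "${1:-}" in
    run)
        printf 'EHLO audit.example\r\nQUIT\r\n' | smtp_session | auth_posture
        printf 'EHLO audit.example\r\nMAIL FROM:<probe@example.net>\r\nRCPT TO:<nobody@example.org>\r\nQUIT\r\n' \
            | smtp_session | relay_posture
        ;;
esac
```

Run it as "sh audit_mta.sh run" from a host other than the mail server itself, since connections from 127.0.0.1 are always allowed to relay and would give a misleading PASS.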
(5) Configure disk quotas.
Edit fstab. To make management easier, users' mail is kept under /var/mail, /var is made a separate partition, and disk quotas are enabled on the /var filesystem by adding the quota options to its fstab entry. The new options only take effect once /var is remounted (mount -o remount /var) or the system is rebooted.
vi /etc/fstab
# This file is edited by fstab-sync - see 'man fstab-sync' for details
LABEL=/                 /               ext3    defaults        1 1
LABEL=/boot             /boot           ext3    defaults        1 2
none                    /dev/pts        devpts  gid=5,mode=620  0 0
none                    /dev/shm        tmpfs   defaults        0 0
none                    /proc           proc    defaults        0 0
none                    /sys            sysfs   defaults        0 0
LABEL=SWAP-sda3         swap            swap    defaults        0 0
LABEL=/var              /var            ext3    defaults,usrquota,grpquota 1 2
/dev/hdc                /media/cdrom    auto    pamconsole,exec,noauto,managed 0 0
/dev/fd0                /media/floppy   auto    pamconsole,exec,noauto,managed 0 0
Create the quota files with quotacheck:
quotacheck -cumg /var
This creates two files in /var, aquota.user and aquota.group. Limits are not enforced until quotas are switched on for the filesystem (quotaon), so do that, or reboot, before setting them.
Set the quotas. Create the script quota.sh with vi; the names after "in" in the for loop are the users to be limited. setquota sets limits directly from the command line, in this form:
setquota -u user block-soft-limit block-hard-limit inode-soft-limit inode-hard-limit filesystem
Block limits are in 1 KiB units, so 80000 is about 80 MB (a little under 78 MiB). We set every user's hard disk-space limit to 80 MB and leave the soft limit and both inode limits at 0, which means unlimited:
vi quota.sh
#!/bin/bash
for i in user1 user2 user3
do
    setquota -u $i 0 80000 0 0 /var
done
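The loop above hard-codes one limit and passes a mistyped username straight through to setquota. The script below is an added example, not part of the original article. It keeps the same setquota call but does the unit arithmetic explicitly, gives each user a soft limit at 90 % of the hard limit so the grace-period warning fires before delivery starts failing, refuses to continue on an account that does not exist, switches quotas on, and prints the resulting table. It needs root and the quota tools; the user list and limits are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original article: per-user quotas on the
# /var filesystem with explicit unit handling. Needs root and the quota tools.
FS=/var

# setquota block limits are in 1 KiB units, so 80 MiB is 81920 blocks.
mib_to_blocks() {
    echo $(( $1 * 1024 ))
}

# Argument list for setquota: soft = 90 % of hard, no inode limits (0 0),
# the same shape as the loop in the article.
quota_args() {                      # user hard_limit_MiB
    hard=$(mib_to_blocks "$2")
    soft=$(( hard * 9 / 10 ))
    echo "$1 $soft $hard 0 0 $FS"
}

# Stop the batch on a typo instead of letting setquota report it and move on.
apply_quota() {                     # user hard_limit_MiB
    id "$1" >/dev/null 2>&1 || { echo "no such user: $1" >&2; return 1; }
    # word splitting of quota_args output is intended here
    # shellcheck disable=SC2046
    setquota -u $(quota_args "$1" "$2")
}

case "${1:-}" in
    run)
        quotaon -v "$FS" || true    # quotas already on is not an error worth stopping for
        for entry in user1:80 user2:80 user3:200; do   # constructed user:MiB list
            apply_quota "${entry%%:*}" "${entry##*:}"
        done
        repquota -u "$FS"
        ;;
esac
```

The repquota output at the end is the check that the numbers landed where you expected; a user listed with a hard limit of 0 was skipped by the loop.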
(6) Configure dovecot.
Install the dovecot package. So that clients can fetch mail over an encrypted connection, dovecot also needs a private key and a certificate, and POP3S and/or IMAPS support must be enabled.
Generate the private key and a self-signed certificate. The Makefile prompts for the certificate fields; give mail.xianfeng.com as the Common Name, otherwise clients will complain that the certificate does not match the server (being self-signed, it will still have to be trusted explicitly in each client):
make -C /etc/pki/tls/certs/ dovecot.pem
Edit dovecot.conf. The PEM file produced above contains the private key as well as the certificate, so it must stay readable by root only:
vi /etc/dovecot.conf
ssl_cert_file = /etc/pki/tls/certs/dovecot.pem
ssl_key_file = /etc/pki/tls/certs/dovecot.pem
Also make sure the protocols line in the same file lists the TLS services you want (imaps, pop3s).
Restart the dovecot service:
service dovecot restart
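After the restart it is worth confirming from the client side that dovecot's TLS listeners are up and present a certificate for mail.xianfeng.com: a certificate generated with the wrong Common Name, or a protocols line that never enabled imaps and pop3s, is otherwise only discovered when the first user's mail client complains. The script below is an added example, not part of the original article. It uses the openssl command-line client, assumes pop3s on port 995 and imaps on port 993, and reads the certificate subject in either the older slash-separated or the newer comma-separated form that openssl prints.

```shell
#!/bin/sh
# Added example, not from the original article: verify dovecot's TLS
# listeners and the certificate they present. Assumes the openssl CLI.
HOST=${MAIL_HOST:-mail.xianfeng.com}

# Extract the CN from an openssl "subject=" line. Handles both
# "subject= /C=--/.../CN=host/emailAddress=..." and "subject=C = --, CN = host".
subject_cn() {
    sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/ *$//'
}

# Open a TLS-on-connect session, hang up, and print the leaf cert's subject.
# Empty output means the port is closed or did not speak TLS.
listener_subject() {                # port
    printf 'QUIT\r\n' | openssl s_client -connect "$HOST:$1" 2>/dev/null \
        | openssl x509 -noout -subject 2>/dev/null
}

check_listener() {                  # service_name port
    cn=$(listener_subject "$2" | subject_cn)
    if [ -z "$cn" ]; then
        echo "FAIL: $1 on $HOST:$2 returned no certificate (service down or TLS not enabled)"
        return 1
    elif [ "$cn" != "$HOST" ]; then
        echo "FAIL: $1 on $HOST:$2 presents CN '$cn', expected $HOST; clients will warn or refuse"
        return 1
    fi
    echo "PASS: $1 on $HOST:$2 presents a certificate for $cn"
}

case "${1:-}" in
    run) check_listener pop3s 995; check_listener imaps 993 ;;
esac
```

Run it as "sh check_dovecot_tls.sh run"; because the certificate is self-signed, openssl s_client will report a verification error on stderr, which the script deliberately ignores, since what it checks is that the right name is on the certificate, not that a CA vouches for it.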
Reposted from: https://blog.51cto.com/verycto/203102