Building a sendmail server: a worked case (part 1)
The company has decided to set up a mail server and give every employee a corporate mailbox. Employee mail is generally small, so per-user quotas are needed. To reduce load on the server, spam must be rejected effectively.
Mail server domain name: mail.xianfeng.com
Mail server IP address: 10.1.1.1
Mail server DNS address: 10.1.1.1 (virtual environment; DNS and mail run on the same machine)
How a mail server works is not repeated here; we go straight to the solution for this case.
(1) Configure the DNS server. So that the mail server can be located correctly on the network, first set up the zone data for xianfeng.com.
Install the bind package that provides the DNS service: rpm -ivh bind (version number omitted)
Edit the main DNS configuration file named.conf and add the entries for xianfeng.com, both the forward and the reverse zone:
vi /etc/named.conf
zone "xianfeng.com" IN {
        type master;
        file "xianfeng.com.zone";
};
zone "1.1.10.in-addr.arpa" IN {
        type master;
        file "10.1.1.zone";
};
(2) Add the forward and reverse zone files for xianfeng.com
vi /var/named/xianfeng.com.zone
$TTL 86400
@       IN      SOA     mail.xianfeng.com. admin ( 2009 3H 15M 1W 1D )
@       IN      NS      mail.xianfeng.com.
mail    IN      A       10.1.1.1
; the MX record is what lets other mail systems find this domain's mail server
@       IN      MX      5       mail.xianfeng.com.
vi /var/named/10.1.1.zone
$TTL 86400
@       IN      SOA     mail.xianfeng.com. admin ( 2009 3H 15M 1W 1D )
@       IN      NS      mail.xianfeng.com.
1       IN      PTR     mail.xianfeng.com.
Restart the DNS service
service named restart
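As an added check (not part of the original post), the following POSIX shell script verifies offline that the forward and reverse zones agree with each other: the MX target must have an A record, and the PTR for that address must point back at the same hostname. The zone text is constructed inline; the second reverse-zone variant carries a PTR that names a different host, which the check rejects.

```shell
#!/bin/sh
# Constructed sample zone data mirroring the xianfeng.com zones above.
FWD_ZONE='$TTL 86400
@    IN  SOA  mail.xianfeng.com. admin ( 2009 3H 15M 1W 1D )
@    IN  NS   mail.xianfeng.com.
mail IN  A    10.1.1.1
@    IN  MX 5 mail.xianfeng.com.'

# Correct reverse zone, and one whose PTR names a different host.
REV_ZONE_OK='1  IN PTR mail.xianfeng.com.'
REV_ZONE_BAD='1  IN PTR mail.zeng.com.'

# check_mail_zones ORIGIN FORWARD_TEXT REVERSE_TEXT
# Returns 0 when the MX target has an A record in the forward zone and the
# reverse zone's PTR for that address points back at the same name.
check_mail_zones() {
    origin=$1; fwd=$2; rev=$3
    mx=$(printf '%s\n' "$fwd" | awk '$2=="IN" && $3=="MX" {print $5; exit}')
    if [ -z "$mx" ]; then echo "no MX record in zone $origin"; return 1; fi
    host=${mx%.}                 # drop the trailing dot
    label=${host%.$origin}       # mail.xianfeng.com -> mail (owner name in the forward zone)
    ip=$(printf '%s\n' "$fwd" | awk -v l="$label" '$1==l && $3=="A" {print $4; exit}')
    if [ -z "$ip" ]; then echo "MX target $host has no A record"; return 1; fi
    last=${ip##*.}               # 10.1.1.1 -> 1 (owner name in the 1.1.10.in-addr.arpa zone)
    ptr=$(printf '%s\n' "$rev" | awk -v l="$last" '$1==l && $3=="PTR" {print $4; exit}')
    if [ "$ptr" != "$mx" ]; then
        echo "PTR for $ip is '${ptr:-missing}', expected $mx"; return 1
    fi
    echo "ok: $mx -> $ip -> $ptr"
    return 0
}

check_mail_zones xianfeng.com "$FWD_ZONE" "$REV_ZONE_OK"
check_mail_zones xianfeng.com "$FWD_ZONE" "$REV_ZONE_BAD" || true
```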
(3) Edit the local-host-names file and add the mail domain xianfeng.com
vi /etc/mail/local-host-names
# local-host-names - include all aliases for your machine here.
# add the following entry (one name per line; no trailing comments)
xianfeng.com
(4) Set up the sendmail.cf configuration file
sendmail and m4 are installed by default; the sendmail-cf package still needs to be installed.
Edit sendmail.mc
vi /etc/mail/sendmail.mc
Below is the full content of the sendmail.mc configuration file. Lines beginning with dnl are comments; the places that need changing are marked in the text.
divert(-1)dnl
dnl #
dnl # This is the sendmail macro config file for m4. If you make changes to
dnl # /etc/mail/sendmail.mc, you will need to regenerate the
dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf package is
dnl # installed and then performing a
dnl #
dnl # make -C /etc/mail
dnl #
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for Red Hat Linux')dnl
OSTYPE(`linux')dnl
dnl #
dnl # default logging level is 9, you might want to set it higher to
dnl # debug the configuration
dnl #
dnl define(`confLOG_LEVEL', `9')dnl
dnl #
dnl # Uncomment and edit the following line if your outgoing mail needs to
dnl # be sent out through an external mail server:
dnl #
dnl define(`SMART_HOST',`smtp.your.provider')
dnl #
define(`confDEF_USER_ID',``8:12'')dnl
dnl define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
dnl #
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
dnl define(`confAUTH_OPTIONS', `A p')dnl
dnl #
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl # Please remember that saslauthd needs to be running for AUTH.
dnl #
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl # Delete the leading dnl from the two lines above so they take effect; they enable the mail server's authentication (SMTP AUTH) function
dnl #
dnl # Rudimentary information on creating certificates for sendmail TLS:
dnl # cd /usr/share/ssl/certs; make sendmail.pem
dnl # Complete usage:
dnl # make -C /usr/share/ssl/certs usage
dnl #
dnl define(`confCACERT_PATH',`/usr/share/ssl/certs')
dnl define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')
dnl define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem')
dnl define(`confSERVER_KEY',`/usr/share/ssl/certs/sendmail.pem')
dnl #
dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
dnl # slapd, which requires the file to be readble by group ldap
dnl #
dnl define(`confDONT_BLAME_SENDMAIL',`groupreadablekeyfile')dnl
dnl #
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
define(`confTO_IDENT', `0')dnl
dnl FEATURE(delay_checks)dnl
FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
dnl #
dnl # The following limits the number of processes sendmail can fork to accept
dnl # incoming messages or process its message queues to 12.) sendmail refuses
dnl # to accept connections once it has reached its quota of child processes.
dnl #
dnl define(`confMAX_DAEMON_CHILDREN', 12)dnl
dnl #
dnl # Limits the number of new connections per second. This caps the overhead
dnl # incurred due to forking new sendmail processes. May be useful against
dnl # DoS attacks or barrages of spam. (As mentioned below, a per-IP address
dnl # limit would be useful but is not available as an option at this writing.)
dnl #
dnl define(`confCONNECTION_RATE_THROTTLE', 3)dnl
dnl #
dnl # The -t option will retry delivery if e.g. the user runs over his quota.
dnl #
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
dnl #
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
dnl # changed to the following line so the MTA listens on all interfaces
DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl #
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
dnl #
dnl # For this to work your OpenSSL certificates must be configured.
dnl #
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl #
dnl # The following causes sendmail to additionally listen on the IPv6 loopback
dnl # device. Remove the loopback address restriction listen to the network.
dnl #
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
dnl #
dnl # enable both ipv6 and ipv4 in sendmail:
dnl #
dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6')
dnl #
dnl # We strongly recommend not accepting unresolvable domains if you want to
dnl # protect yourself from spam. However, the laptop and users on computers
dnl # that do not have 24x7 DNS do need this.
dnl #
FEATURE(`accept_unresolvable_domains')dnl
dnl #
dnl FEATURE(`relay_based_on_MX')dnl
dnl #
dnl # Also accept email sent to "localhost.localdomain" as local email.
dnl #
LOCAL_DOMAIN(`localhost.localdomain')dnl
dnl #
dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from mydomain.com
dnl #
dnl MASQUERADE_AS(`mydomain.com')dnl
dnl #
dnl # masquerade not just the headers, but the envelope as well
dnl #
dnl FEATURE(masquerade_envelope)dnl
dnl #
dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well
dnl #
dnl FEATURE(masquerade_entire_domain)dnl
dnl #
dnl MASQUERADE_DOMAIN(localhost)dnl
dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl
dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
Generate sendmail.cf. Because the sendmail.cf configuration is generated from macros and is hard for most people to read directly, the settings made in the step above are written in sendmail.mc and rendered into sendmail.cf with the m4 command:
m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
Restart the sendmail and saslauthd services
service sendmail restart
service saslauthd restart
(5) Configure disk quotas
Edit the fstab file. For ease of management, users' mail is kept under /var/mail, /var is made a separate partition, and disk quotas are enabled on the /var file system by adding the quota options to its fstab entry.
vi /etc/fstab
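As an added audit (not from the original post), this shell script strips the dnl comment lines from an inline copy of the directives above and checks the settings that matter once the MTA listens on 0.0.0.0 as configured here: SMTP AUTH and access_db for relay control, novrfy/noexpn, the `A p` AUTH option, and the accept_unresolvable_domains feature that the file's own comment warns against for spam protection. The page's configuration yields two findings; the hardened variant clears them.

```shell
#!/bin/sh
# Constructed excerpt of the sendmail.mc above, dnl lines included so the
# comment filter is exercised.
MC_PAGE=$(cat <<'EOF'
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA')dnl
FEATURE(`accept_unresolvable_domains')dnl
EOF
)
# Same text with the two findings fixed: plaintext AUTH only over TLS (`A p`)
# and unresolvable sender domains no longer accepted.
MC_HARDENED=$(printf '%s\n' "$MC_PAGE" \
    | sed -e 's/`A'"'"')dnl/`A p'"'"')dnl/' \
          -e 's/^FEATURE(`accept_unresolvable_domains/dnl &/')

# audit_mc MC_TEXT: print one finding per line; the return value is the
# number of findings, so 0 means clean.
audit_mc() {
    act=$(printf '%s\n' "$1" | grep -v '^dnl' || true)   # keep only effective (non-dnl) lines
    n=0
    has() { printf '%s\n' "$act" | grep -q -- "$1"; }
    if has 'DAEMON_OPTIONS.*Addr=0\.0\.0\.0'; then
        # listening on every interface: relay control must come from AUTH and access_db
        has '^TRUST_AUTH_MECH' || { echo 'exposed MTA without TRUST_AUTH_MECH'; n=$((n+1)); }
        has 'FEATURE(`access_db' || { echo 'exposed MTA without access_db'; n=$((n+1)); }
    fi
    has 'confPRIVACY_FLAGS.*novrfy' || { echo 'VRFY not disabled (novrfy)'; n=$((n+1)); }
    has 'confPRIVACY_FLAGS.*noexpn' || { echo 'EXPN not disabled (noexpn)'; n=$((n+1)); }
    if has 'accept_unresolvable_domains'; then
        echo 'accept_unresolvable_domains: mail from unresolvable sender domains is accepted (spam risk)'
        n=$((n+1))
    fi
    has 'confAUTH_OPTIONS.*A p' || { echo 'confAUTH_OPTIONS lacks p: plaintext AUTH allowed on non-TLS links'; n=$((n+1)); }
    return $n
}

audit_mc "$MC_PAGE" || echo "findings in page config: $?"
if audit_mc "$MC_HARDENED"; then echo "hardened config: clean"; fi
```

With `A p` set, PLAIN and LOGIN clients can only authenticate after STARTTLS, so the commented confSERVER_CERT/confSERVER_KEY lines above must be enabled as well (or only CRAM-MD5/DIGEST-MD5 clients will be able to log in).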
# This file is edited by fstab-sync - see 'man fstab-sync' for details
LABEL=/ / ext3 defaults 1 1
LABEL=/boot /boot ext3 defaults 1 2
none /dev/pts devpts gid=5,mode=620 0 0
none /dev/shm tmpfs defaults 0 0
none /proc proc defaults 0 0
none /sys sysfs defaults 0 0
LABEL=SWAP-sda3 swap swap defaults 0 0
LABEL=/var /var ext3 defaults,usrquota,grpquota 1 2
/dev/hdc /media/cdrom auto pamconsole,exec,noauto,managed 0 0
/dev/fd0 /media/floppy auto pamconsole,exec,noauto,managed 0 0
Create the quota files with the quotacheck command
quotacheck -cumg /var
# this creates two files: aquota.group and aquota.user
Set the disk quotas. Use the vi editor to create the script quota.sh.
The names after "in" in the for loop are the users that are to be quota-limited.
setquota sets disk quota limits directly from the command line, in this format:
setquota -u user block-soft-limit block-hard-limit inode-soft-limit inode-hard-limit filesystem
We set every user's disk space hard limit to 80MB
vi quota.sh
#!/bin/bash
# users to be quota-limited are listed after "in"
for i in user1 user2 user3
do
    # block soft limit 0 (none), block hard limit 80000 1K-blocks (about 80MB),
    # no inode limits, applied to the /var file system
    setquota -u "$i" 0 80000 0 0 /var
done
(6) Configure dovecot
Install the dovecot package. So that clients can receive mail over an encrypted connection, dovecot also needs a key and certificate, and POP3S or IMAPS support must be enabled.
Generate the private key and self-signed certificate
make -C /etc/pki/tls/certs/ dovecot.pem
Edit the dovecot.conf configuration file
vi /etc/dovecot.conf
ssl_cert_file = /etc/pki/tls/certs/dovecot.pem
ssl_key_file = /etc/pki/tls/certs/dovecot.pem
Restart the dovecot service
service dovecot restart