1.     SMTP Authentication / Cyrus-SASL Configuration

1.1     Install Cyrus-SASL

 

1.2     Configure Cyrus-SASL to support SMTP Authentication

1.2.1     Configure /etc/mail/sendmail.mc to support SMTP authentication:

Uncomment this:

TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

define(`confAUTH_MECHANISMS', ` GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

...

DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA,M=Ea')dnl

 

1.2.2     Create /usr/lib/sasl2/Sendmail.conf:

[root@host sasl2]# vi /usr/lib/sasl2/Sendmail.conf

pwcheck_method:saslauthd

 

1.3     Restart SASL and Check installation

Start saslauthd with PAM:

[root@host sbin]# service saslauthd  stop

Stopping saslauthd:                                        [  OK  ]

[root@host sbin]# saslauthd -a shadow pam

Test installation:

[root@host sasl2]# cat /usr/lib/sasl2/Sendmail.conf

pwcheck_method:saslauthd

[root@host sasl2]# service saslauthd restart

Stopping saslauthd:                                        [  OK  ]

Starting saslauthd:                                        [  OK  ]

[root@host sasl2]# telnet mail.host.com 25

Trying 10.56.233.59...

Connected to mail.host.com (192.168.1.5).

Escape character is '^]'.

220 host.com ESMTP Sendmail 8.13.8/8.13.8; Wed, 17 Mar 2010 23:12:20 +0800

ehlo localhost

250-host.com Hello host [192.168.1.5], pleased to meet you

250-ENHANCEDSTATUSCODES

250-PIPELINING

250-8BITMIME

250-SIZE

250-DSN

250-ETRN

250-AUTH LOGIN PLAIN

250-DELIVERBY

250 HELP

quit

221 2.0.0 host.com closing connection

Connection closed by foreign host.
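An added check, not part of this note, that inspects the EHLO reply captured above: it parses the 250- lines into extensions and flags AUTH mechanisms that carry the password in the clear (LOGIN, PLAIN) when the same listener offers no STARTTLS, which is exactly what the port 25 transcript shows. The sample reply is constructed from the transcript; `probe()` is a live variant built on the standard-library smtplib and is not exercised offline.

```python
"""Inspect what an SMTP listener advertises in its EHLO reply.

Added example, not from the page. Parses a captured EHLO response and reports
plaintext AUTH mechanisms that are offered without STARTTLS on the same port.
"""
import smtplib

# Constructed sample: the EHLO reply shown in the telnet transcript (port 25).
SAMPLE_EHLO_REPLY = """250-host.com Hello host [192.168.1.5], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-DELIVERBY
250 HELP"""

# Mechanisms that send the password itself (or a trivially reversible encoding).
PLAINTEXT_MECHS = {"LOGIN", "PLAIN"}


def parse_ehlo(reply):
    """Return {EXTENSION: [params]} from a raw multi-line EHLO reply.

    Lines look like '250-KEYWORD param ...' or '250 KEYWORD' (final line).
    The first line is the greeting and names no extension, so it is skipped.
    """
    exts = {}
    lines = reply.strip().splitlines()
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError("unexpected EHLO line: %r" % line)
        body = line[4:].strip()          # drop '250-' or '250 '
        if not body:
            continue
        keyword, *params = body.split()
        if keyword.upper().startswith("AUTH="):   # legacy 'AUTH=LOGIN PLAIN' form
            params.insert(0, keyword[5:])
            keyword = "AUTH"
        exts[keyword.upper()] = [p.upper() for p in params]
    return exts


def auth_exposure(exts):
    """Return the set of plaintext AUTH mechanisms offered without STARTTLS.

    An empty set means either no plaintext mechanism is advertised or STARTTLS
    is available, so a client can upgrade the session before authenticating.
    """
    if "STARTTLS" in exts:
        return set()
    return set(exts.get("AUTH", [])) & PLAINTEXT_MECHS


def probe(host, port=25, timeout=10):
    """Live variant (not run offline): EHLO a real server and apply the same check."""
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        code, _ = conn.ehlo("localhost")
        if code != 250:
            raise RuntimeError("EHLO rejected with code %d" % code)
        # smtplib stores advertised extensions as {keyword_lower: "param param"}
        exts = {k.upper(): v.upper().split() for k, v in conn.esmtp_features.items()}
        return auth_exposure(exts)


if __name__ == "__main__":
    feats = parse_ehlo(SAMPLE_EHLO_REPLY)
    print("advertised:", sorted(feats))
    print("plaintext AUTH without STARTTLS:", auth_exposure(feats) or "none")
```

For the transcript above the result is {LOGIN, PLAIN}: the MTA listener on port 25 accepts password-carrying mechanisms with no STARTTLS offered. Sendmail can withhold such mechanisms until a TLS layer is active by adding the `p` flag to `confAUTH_OPTIONS` in sendmail.mc (e.g. `define(`confAUTH_OPTIONS', `A p')dnl`), and the STARTTLS capability itself requires the certificate setup described in section 2.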

[root@host sasl2]# sendmail -d0.1 -bv root | grep SASL

        NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS

 

2.     Configuration for SSL

2.1     vi /etc/pki/dovecot/dovecot-openssl.cnf

[root@host mail]# vi /etc/pki/dovecot/dovecot-openssl.cnf

[ req ]

default_bits = 1024

encrypt_key = yes

distinguished_name = req_dn

x509_extensions = cert_type

prompt = no

[ req_dn ]

# country (2 letter code)

#C=FI

# State or Province Name (full name)

#ST=

# Locality Name (eg. city)

#L=Helsinki

# Organization (eg. company)

#O=Dovecot

# Organizational Unit Name (eg. section)

OU=IMAP server

# Common Name (*.example.com is also possible)

CN=mail.host.com

# E-mail contact

emailAddress=bill@host.com

[ cert_type ]

nsCertType = server

 

2.2     Create new dovecot.pem

[root@host dovecot]# rm /etc/pki/dovecot/certs/dovecot.pem

[root@host dovecot]# rm /etc/pki/dovecot/private/dovecot.pem

[root@host dovecot]# cd /usr/share/doc/dovecot-1.0.7/examples

[root@host examples]# ./mkcert.sh

Generating a 1024 bit RSA private key

........................................++++++

.............++++++

writing new private key to '/etc/pki/dovecot/private/dovecot.pem'

-----

 

subject= /OU=IMAP server/CN=imap.example.com/emailAddress=postmaster@example.com

SHA1 Fingerprint=5C:DB:2E:7B:A8:A0:4B:B9:43:88:C7:D9:26:AB:70:EF:FA:2C:2D:53

The subject printed here (CN=imap.example.com, postmaster@example.com) is not the CN=mail.host.com / bill@host.com configured in /etc/pki/dovecot/dovecot-openssl.cnf above, so confirm which configuration file mkcert.sh actually read before relying on this certificate.

 

2.3     vi /etc/dovecot.conf

[root@host examples]# vi /etc/dovecot.conf

# Disable SSL/TLS support.

ssl_disable = no

ssl_cert_file = /etc/pki/dovecot/certs/dovecot.pem

ssl_key_file = /etc/pki/dovecot/private/dovecot.pem

 

2.4     Make sendmail.pem

[root@host mail]# cd /etc/pki/tls/certs

[root@host certs]# make sendmail.pem

umask 77 ; \

        PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \

        PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \

        /usr/bin/openssl req -utf8 -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \

        cat $PEM1 >  sendmail.pem ; \

        echo ""    >> sendmail.pem ; \

        cat $PEM2 >> sendmail.pem ; \

        rm -f $PEM1 $PEM2

Generating a 1024 bit RSA private key

.........++++++

..........++++++

writing new private key to '/tmp/openssl.xC2939'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]:sichuan

Locality Name (eg, city) [Newbury]:chengdu

Organization Name (eg, company) [My Company Ltd]:nokia

Organizational Unit Name (eg, section) []:nbg

Common Name (eg, your name or your server's hostname) []:mail.host.com

Email Address []:bill@host.com

[root@host certs]# ls

ca-bundle.crt  localhost.crt  make-dummy-cert  Makefile  sendmail.pem

 

2.5     Configure /etc/mail/sendmail.mc

[root@host certs]# vi /etc/mail/sendmail.mc

...

define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl

define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl

define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl

define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl

...

DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl

...

[root@host certs]# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
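An added check (not from the page) for the combined sendmail.pem produced by the make target in 2.4 and referenced by both confSERVER_CERT and confSERVER_KEY in 2.5. Because the private key and the certificate live in one file, that file must stay mode 0600 (the recipe's `umask 77`) and must hold exactly one unencrypted private key (the recipe passes `-nodes`) followed by a certificate. The PEM text in the block is a constructed placeholder, not real key material, and the file paths used by `demo()` are temporary.

```python
"""Sanity-check a combined key+certificate PEM such as sendmail.pem.

Added example, not from the page. Parses the PEM blocks, confirms one
unencrypted private key plus a certificate, and checks the file mode.
"""
import base64
import binascii
import os
import re
import stat
import tempfile

BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)

# Constructed placeholder content, NOT a real key or certificate.
SAMPLE_KEY_B64 = base64.b64encode(b"constructed placeholder, not a real key").decode()
SAMPLE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real cert").decode()
SAMPLE_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n%s\n-----END RSA PRIVATE KEY-----\n"
    "\n"   # the make target writes an empty line between key and certificate
    "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
    % (SAMPLE_KEY_B64, SAMPLE_CERT_B64))


def pem_blocks(text):
    """Return [(label, decoded_bytes, encrypted)] for every PEM block in text."""
    blocks = []
    for label, body in BLOCK_RE.findall(text):
        lines = body.split("\n")
        # Legacy encrypted keys carry 'Proc-Type:' / 'DEK-Info:' header lines
        # ahead of the base64; base64 lines never contain ':'.
        headers = [ln for ln in lines if ":" in ln]
        b64 = "".join(ln.strip() for ln in lines if ":" not in ln)
        try:
            raw = base64.b64decode(b64, validate=True)
        except binascii.Error as exc:
            raise ValueError("bad base64 in %s block: %s" % (label, exc))
        encrypted = label.startswith("ENCRYPTED") or any("ENCRYPTED" in h for h in headers)
        blocks.append((label, raw, encrypted))
    return blocks


def check_pem_text(text):
    """Return a list of content problems; empty list means the PEM looks right."""
    problems = []
    blocks = pem_blocks(text)
    keys = [b for b in blocks if b[0].endswith("PRIVATE KEY")]
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    if len(keys) != 1:
        problems.append("expected exactly one private key, found %d" % len(keys))
    if not certs:
        problems.append("no CERTIFICATE block")
    if any(b[2] for b in keys):
        problems.append("private key is passphrase-encrypted; a daemon cannot load it unattended")
    return problems


def check_combined_pem(path):
    """Check both the file mode and the content of a combined key+cert file."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append("mode %04o lets group/other read the private key" % mode)
    with open(path) as fh:
        problems.extend(check_pem_text(fh.read()))
    return problems


def demo():
    """Write the constructed sample under two modes; return {mode: problems}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for mode in (0o600, 0o644):
            path = os.path.join(tmp, "sendmail.pem")
            with open(path, "w") as fh:
                fh.write(SAMPLE_PEM)
            os.chmod(path, mode)
            results["%04o" % mode] = check_combined_pem(path)
    return results


if __name__ == "__main__":
    for mode, problems in demo().items():
        print(mode, problems or "ok")
```

Run against the real file as root with `check_combined_pem("/etc/pki/tls/certs/sendmail.pem")`; an empty list means the key is present once, unencrypted, paired with a certificate, and not world-readable.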

 

2.6     Restart dovecot and sendmail

[root@host mail]# service dovecot restart

Stopping Dovecot Imap:                                     [  OK  ]

Starting Dovecot Imap:                                     [  OK  ]

[root@host mail]# service sendmail restart

Shutting down sm-client:                                   [  OK  ]

Shutting down sendmail:                                    [  OK  ]

Starting sendmail:                                         [  OK  ]

Starting sm-client:                                        [  OK  ]

 

2.7     Check installation

Sendmail SSL on port 465; POP3 SSL on 995; IMAP SSL on 993.

[root@host mail]# netstat -an |grep 465

tcp        0      0 0.0.0.0:465                 0.0.0.0:*                   LISTEN

[root@host mail]# netstat -an |grep 995

tcp        0      0 :::995                      :::*                        LISTEN

[root@host mail]# netstat -an |grep 993

tcp        0      0 :::993                      :::*                        LISTEN

unix  3      [ ]         STREAM     CONNECTED     55559934 /tmp/orbit-root/linc-2466-0-5b1fb2745ff54

unix  3      [ ]         STREAM     CONNECTED     55559933

unix  3      [ ]         STREAM     CONNECTED     55559932 /tmp/orbit-root/linc-1846-0-c008ce5556ba

unix  3      [ ]         STREAM     CONNECTED     55559931

unix  3      [ ]         STREAM     CONNECTED     55556993
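An added parser, not from the page, for the netstat check above: `netstat -an | grep 993` also matches the unix-socket inode numbers that happen to contain 993, which is what the trailing `unix ... CONNECTED` lines in the transcript are. The function below keeps only TCP sockets in LISTEN state and reports which of the expected TLS ports are absent; the sample output is constructed from the transcript plus one established connection and one loopback listener to show the filtering.

```python
"""Confirm the expected TLS listeners from `netstat -an` output.

Added example, not from the page. Parses netstat lines instead of grepping,
so unix sockets and established connections cannot masquerade as listeners.
"""

# Constructed sample based on the transcript above, with two extra lines
# (an ESTABLISHED IMAPS connection and a loopback SMTP listener) for contrast.
SAMPLE_NETSTAT = """\
tcp        0      0 0.0.0.0:465                 0.0.0.0:*                   LISTEN
tcp        0      0 :::995                      :::*                        LISTEN
tcp        0      0 :::993                      :::*                        LISTEN
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN
tcp        0      0 192.168.1.5:993             10.0.0.7:51234              ESTABLISHED
unix  3      [ ]         STREAM     CONNECTED     55559933
unix  3      [ ]         STREAM     CONNECTED     55556993
"""

# Ports this note expects after section 2: sendmail SMTPS, dovecot IMAPS/POP3S.
EXPECTED = {465: "smtps", 993: "imaps", 995: "pop3s"}


def listeners(netstat_text):
    """Return {port: bind_address} for every TCP socket in LISTEN state."""
    found = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        # tcp/tcp6 lines: proto recv-q send-q local foreign state
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        local, state = fields[3], fields[5]
        if state != "LISTEN":
            continue
        addr, _, port = local.rpartition(":")   # handles '0.0.0.0:465' and ':::993'
        found[int(port)] = addr
    return found


def missing_listeners(netstat_text, expected=EXPECTED):
    """Return {port: service} for expected ports with no LISTEN socket."""
    have = listeners(netstat_text)
    return {port: name for port, name in expected.items() if port not in have}


def loopback_only(netstat_text):
    """Return listening ports bound to loopback only (reachable from this host alone)."""
    return sorted(p for p, a in listeners(netstat_text).items()
                  if a in ("127.0.0.1", "::1"))


if __name__ == "__main__":
    print("listening:", listeners(SAMPLE_NETSTAT))
    print("missing:", missing_listeners(SAMPLE_NETSTAT) or "none")
    print("loopback only:", loopback_only(SAMPLE_NETSTAT))
```

On a live system feed it `subprocess.check_output(["netstat", "-an"], text=True)`; the loopback report is useful because a listener bound to 127.0.0.1 (as the port 25 MTA is in the stock sendmail.mc before `Addr=0.0.0.0` is set) shows up in netstat but is not reachable by remote clients.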