Introduction to E-mail Servers

E-mail is one of the most popular applications on the Internet. Like traditional mail delivered by a postal carrier, e-mail is asynchronous: people send and read mail when it is convenient for them, without having to coordinate with anyone in advance. Unlike traditional mail, e-mail is fast, easy to distribute and cheap. Modern e-mail messages can also contain hyperlinks, HTML-formatted text, images, sound and even video. In this article we look at the application-layer protocols at the heart of Internet e-mail.

Sendmail is built into the default configuration of Unix: once the operating system is set up, it can run immediately. On Unix systems Sendmail is the most widely used mail server software. It is also free software, can support thousands of users or more, and uses relatively few system resources. Sun's iPlanet Messaging Server is a powerful, reliable, high-capacity Internet mail server designed for enterprises and service providers. It uses a central LDAP database to store user, group and domain information, supports standard protocols, multiple domain names and Webmail, and has strong security and access control.

Lab topology diagram:

[figure: "Building a mail server with sendmail" topology diagram; image not preserved]

I. 163.com zone server configuration
Preparation
1. vim /etc/sysconfig/network    //change the host name
Modify the file as follows:
HOSTNAME=mail.163.com
2. vim /etc/sysconfig/network-scripts/ifcfg-eth0
Modify the file as follows:
IPADDR=192.168.2.100
3. vim /etc/hosts
Modify the file as follows:
127.0.0.1       localhost.localdomain localhost
4. vim /etc/resolv.conf    //point DNS at this server
Modify the file as follows:
nameserver 192.168.2.100
Install the DNS server:
1. vim named.conf
Modify the file as follows:
15         listen-on port 53 { any; };
27         allow-query     { any; };
28         allow-query-cache { any; };
38         match-clients      { any; };
39         match-destinations { any; };
2. vim named.rfc1912.zones
Modify the file as follows:
zone "163.com" IN {
        type master;
        file "163.com.zone";
        allow-update { none; };
};
3.[[email protected] named]# cp -p localhost.zone 163.com.zone
vim 163.com.zone
Modify the file as follows:
                IN NS           ns.163.com.
ns              IN A            192.168.2.100
mail            IN A            192.168.2.100
pop3            IN CNAME        mail
smtp            IN CNAME        mail
@               IN MX 10        mail   //MX (mail exchanger) record, priority 10
Reboot the machine, or:
1.[[email protected] ~]# hostname mail.163.com
2. Disconnect and reconnect to the server
Install the sendmail service (outgoing mail)
1.[[email protected] Server]# rpm -ivh sendmail-cf-8.13.8-2.el5.i386.rpm
[[email protected] Server]# cd /etc/mail
2. vim sendmail.mc    //sendmail configuration file
Modify the file as follows:
116 DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA')dnl //set the listen address
3. vim access    //configure mail relaying
Modify the file as follows:
Connect:192.168.2                       RELAY //relay for any client connecting from 192.168.2.x (IP-based check)
sina.com                                RELAY //forward mail for the remote domain
163.com                                 OK    //local domain, handled unconditionally
4. vim local-host-names //local domain names file
Modify the file as follows:
163.com
mail.163.com
5. Add users
[[email protected] ~]# useradd user1 
[[email protected] ~]# passwd user1
[[email protected] ~]# useradd user2
[[email protected] ~]# passwd user2
 
Install the dovecot service (incoming mail)
1.[[email protected] Server]# rpm -ivh perl-DBI-1.52-2.el5.i386.rpm
 [[email protected] Server]# rpm -ivh mysql-5.0.45-7.el5.i386.rpm        //the two dependency packages
 [[email protected] Server]# rpm -ivh dovecot-1.0.7-7.el5.i386.rpm        //install the receiving server
2.[[email protected] Server]# service dovecot start
Group delivery (aliases)
vim /etc/aliases
yang:           user1,user2   //mail sent to yang is delivered to both user1 and user2
[[email protected] Server]# service sendmail restart
 
II. sina.com zone server configuration
Preparation
1. vim /etc/sysconfig/network //change the host name
Modify the file as follows:
HOSTNAME=mail.sina.com
2. vim /etc/sysconfig/network-scripts/ifcfg-eth0
Modify the file as follows:
IPADDR=192.168.2.11
3. vim /etc/hosts
Modify the file as follows:
127.0.0.1               localhost.localdomain localhost
Install the DNS server
1. vim named.conf
Modify the file as follows:
15         listen-on port 53 { any; };
27         allow-query     { any; };
28         allow-query-cache { any; };
38         match-clients      { any; };
39         match-destinations { any; };
2. vim named.rfc1912.zones
Modify the file as follows:
zone "sina.com" IN {
        type master;
        file "sina.com.zone";
        allow-update { none; };
};
3. [[email protected] named]# cp -p localhost.zone sina.com.zone
vim sina.com.zone
Modify the file as follows:
                IN NS           ns.sina.com.
ns              IN A            192.168.2.11
mail            IN A            192.168.2.11
pop3            IN CNAME        mail
smtp            IN CNAME        mail
@               IN MX 10        mail
4. vim /etc/resolv.conf
Modify the file as follows:
nameserver 192.168.2.11
Reboot the machine
Install the sendmail service (outgoing mail)
1.[[email protected] Server]# rpm -ivh sendmail-cf-8.13.8-2.el5.i386.rpm
[[email protected] Server]# cd /etc/mail
2. vim sendmail.mc
Modify the file as follows:
116 DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA')dnl //set the listen address
3. vim access   //relaying (IP-based check)
Modify the file as follows:
Connect:192.168.2                       RELAY
sina.com                                OK
163.com                                 RELAY
4. vim local-host-names //local domain names file
Modify the file as follows:
sina.com
mail.sina.com
5. Add users
[[email protected] ~]# useradd user3
[[email protected] ~]# passwd user3
[[email protected] ~]# useradd user4
[[email protected] ~]# passwd user4
Install the dovecot service (incoming mail)
1.[[email protected] Server]# rpm -ivh perl-DBI-1.52-2.el5.i386.rpm
 [[email protected] Server]# rpm -ivh mysql-5.0.45-7.el5.i386.rpm      //the two dependency packages
 [[email protected] Server]# rpm -ivh dovecot-1.0.7-7.el5.i386.rpm        //install the receiving server
2. [[email protected] Server]# service dovecot start
To allow mail to be exchanged between the two zones:
III. Configure forwarding in both zones
163.com zone:
vim /var/named/chroot/etc/named.conf
28         forwarders      { 192.168.2.11; };
[[email protected] ~]# rndc reload
Test:
[[email protected] ~]# dig -t mx 163.com
 
; <<>> DiG 9.3.4-P1 <<>> -t mx 163.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10796
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
 
;; QUESTION SECTION:
;163.com.                     IN   MX
 
;; ANSWER SECTION:
163.com.        86400     IN   MX 10 mail.163.com.
 
;; AUTHORITY SECTION:
163.com.        86400     IN   NS   ns.163.com.
 
;; ADDITIONAL SECTION:
mail.163.com.        86400     IN   A     192.168.2.100
ns.163.com.          86400     IN   A     192.168.2.100
 
;; Query time: 3 msec
;; SERVER: 192.168.2.100#53(192.168.2.100)
;; WHEN: Sat Sep 8 14:43:15 2012
;; MSG SIZE rcvd: 95
 
sina.com zone:
vim /var/named/chroot/etc/named.conf
28         forwarders      { 192.168.2.100; };
[[email protected] ~]# rndc reload
Test:
[[email protected] ~]# dig -t mx sina.com
 
; <<>> DiG 9.3.4-P1 <<>> -t mx sina.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53556
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
 
;; QUESTION SECTION:
;sina.com.                    IN   MX
 
;; ANSWER SECTION:
sina.com.              84807     IN   MX 10 mail.sina.com.
 
;; AUTHORITY SECTION:
sina.com.              84807     IN   NS   ns.sina.com.
 
;; ADDITIONAL SECTION:
mail.sina.com.        84807     IN   A     192.168.2.11
ns.sina.com.          84807     IN   A     192.168.2.11
 
;; Query time: 3 msec
;; SERVER: 192.168.2.100#53(192.168.2.100)
;; WHEN: Sat Sep 8 14:43:53 2012
;; MSG SIZE rcvd: 96
To filter spam, mail servers usually compare forward and reverse DNS resolution.
IV. Install reverse DNS in both zones
163.com zone:
1. vim named.rfc1912.zones
38 zone "2.168.192.in-addr.arpa" IN {
39         type master;
40         file "192.168.2.zone";
41         allow-update { none; };
42 };
2. [[email protected] named]# cp -p named.local 192.168.2.zone
vim 192.168.2.zone
Modify the file as follows:
        IN      NS      localhost.
11      IN      PTR     mail.sina.com.
100     IN      PTR     mail.163.com.
Test:
Reverse lookup
[[email protected] named]# dig -x 192.168.2.100 //-x means reverse lookup
; <<>> DiG 9.3.4-P1 <<>> -x 192.168.2.100
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55421
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
 
;; QUESTION SECTION:
;100.2.168.192.in-addr.arpa. IN   PTR
 
;; ANSWER SECTION:
100.2.168.192.in-addr.arpa. 86400 IN PTR mail.163.com.
sina.com zone:
1. vim named.rfc1912.zones
38 zone "2.168.192.in-addr.arpa" IN {
39         type master;
40         file "192.168.2.zone";
41         allow-update { none; };
42 };
2. [[email protected] named]# cp -p named.local 192.168.2.zone
vim 192.168.2.zone
Modify the file as follows:
        IN      NS      localhost.
11      IN      PTR     mail.sina.com.
100     IN      PTR     mail.163.com.
Test:
1. Reverse lookup
[[email protected] named]# dig -x 192.168.2.11
; <<>> DiG 9.3.4-P1 <<>> -x 192.168.2.11
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11040
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
 
;; QUESTION SECTION:
;11.2.168.192.in-addr.arpa.    IN   PTR
 
;; ANSWER SECTION:
11.2.168.192.in-addr.arpa. 86400 IN    PTR mail.sina.com.
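The forward/reverse comparison that motivates section IV can be checked offline against the zone data itself. The following is an added example, not code from the original post: it parses constructed copies of the zone snippets shown above and flags an MX target that is a CNAME (which RFC 2181 forbids) or an MX address whose PTR does not point back to the MX host.

```python
"""Mail-DNS check for this lab: the MX target needs an A record (not a CNAME) and
forward/reverse lookups must agree (FCrDNS). Added example; zone text is constructed."""
from collections import defaultdict

FORWARD_163 = """
                IN NS           ns.163.com.
ns              IN A            192.168.2.100
mail            IN A            192.168.2.100
pop3            IN CNAME        mail
smtp            IN CNAME        mail
@               IN MX 10        mail
"""
REVERSE_192_168_2 = """
        IN      NS      localhost.
11      IN      PTR     mail.sina.com.
100     IN      PTR     mail.163.com.
"""

def qualify(name, origin):
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Parse the zone-file subset above into {(owner, type): [rdata tuple]}."""
    records, owner = defaultdict(list), origin
    for line in filter(str.strip, text.splitlines()):
        fields = line.split()
        if not line[0].isspace():                  # explicit owner, else reuse previous
            owner = qualify(fields.pop(0), origin)
        _cls, rtype, *rdata = fields               # class is always IN in these zones
        if rtype in ("NS", "CNAME", "PTR", "MX"):
            rdata[-1] = qualify(rdata[-1], origin) # the name part of the rdata
        records[(owner, rtype)].append(tuple(rdata))
    return records

def resolve_a(records, name):
    """Follow up to 8 CNAMEs; return (final name, list of addresses)."""
    for _ in range(8):
        if (name, "A") in records:
            return name, [r[0] for r in records[(name, "A")]]
        if (name, "CNAME") not in records:
            break
        name = records[(name, "CNAME")][0][0]
    return name, []

def check_mail_dns(forward, reverse, origin):
    """Return findings for the origin's MX records; an empty list means consistent."""
    findings = []
    for _prio, target in forward.get((origin, "MX"), []):
        if (target, "CNAME") in forward:
            findings.append(f"MX target {target} is a CNAME (RFC 2181 forbids this)")
        final, addrs = resolve_a(forward, target)
        for ip in addrs:
            arpa = ".".join(reversed(ip.split("."))) + ".in-addr.arpa."
            ptrs = [r[0] for r in reverse.get((arpa, "PTR"), [])]
            if final not in ptrs:                  # forward and reverse must agree
                findings.append(f"{ip} reverses to {ptrs or 'nothing'}, not {final}")
    return findings
```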
2. user3 sends mail to user1
[[email protected] ~]# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.sina.com ESMTP Sendmail 8.13.8/8.13.8; Sat, 8 Sep 2012 16:50:11 +0800
250 2.1.0 [email protected] Sender ok
250 2.1.5 [email protected] Recipient ok
data
354 Enter mail, end with "." on a line by itself
subject:hello
i am user3
.
250 2.0.0 q888oB40031748 Message accepted for delivery
quit
221 2.0.0 mail.sina.com closing connection
Connection closed by foreign host.
Receive the mail:
[[email protected] mail]# su - user1
2 user3@sina.com        Sat Sep 8 20:52 17/747   "hello"
subject: hello
i am user3
 
V. Security test
1. Install a packet-capture tool
2. While user1 sends mail to user2:
[[email protected] ~]# tshark -ni eth0 -R "tcp.dstport eq 110"
36.487293 192.168.2.12 -> 192.168.2.11 POP Request: USER user3
36.488582 192.168.2.12 -> 192.168.2.11 POP Request: PASS 123
Test result: the username and password can be captured
VI. Install the root CA
1. vim /etc/pki/tls/openssl.cnf
Modify the file as follows:
45 dir             = /etc/pki/CA
2. Create the directories and files
[[email protected] ~]# cd /etc/pki/CA
[[email protected] CA]# mkdir crl certs newcerts
[[email protected] CA]# touch index.txt serial
[[email protected] CA]# echo "01" >serial
[[email protected] CA]# openssl genrsa 1024 >private/cakey.pem
3. vim /etc/pki/tls/openssl.cnf
Modify the file as follows:
:88,90 s/match/optional    //run in last-line mode (vi has command, insert and last-line modes)
88 countryName            = optional
 89 stateOrProvinceName      = optional
 90 organizationName         = optional
 91 organizationalUnitName   = optional
 92 commonName             = supplied
 93 emailAddress             = optional
136 countryName_default             = CN
141 stateOrProvinceName_default     = BEIJING
144 localityName_default            = BEIJING
4. Generate the key and the certificate
[[email protected] CA]# openssl genrsa 1024 >private/cakey.pem
[[email protected] CA]# openssl req -new -key private/cakey.pem -x509 -days 3650 -out cacert.pem
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BEIJING]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [My Company Ltd]:SECCENTER
Organizational Unit Name (eg, section) []:TEC
Common Name (eg, your name or your server's hostname) []:rootca.net.net
Email Address []:
5. [[email protected] private]# chmod 600 cakey.pem
VII. 163.com zone
Request a certificate (sendmail)
1. Generate the key, create the certificate request, and issue the certificate
[[email protected] ~]# mkdir -pv /etc/mail/certs //create the directory that holds the private key, certificate and related files
[[email protected] ~]# cd /etc/mail/certs/
[[email protected] certs]# openssl genrsa 1024 >sendmail.key
[[email protected] certs]# openssl req -new -key sendmail.key -out sendmail.csr
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BEIJING]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [My Company Ltd]:163
Organizational Unit Name (eg, section) []:tec
Common Name (eg, your name or your server's hostname) []:smtp.163.com
[[email protected] certs]# openssl ca -in sendmail.csr -out sendmail.cert
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep 8 11:30:09 2012 GMT
            Not After : Sep 8 11:30:09 2013 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BEIJING
            organizationName          = 163
            organizationalUnitName    = tec
            commonName                = smtp.163.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                0E:99:E0:4B:F5:DD:93:11:8C:43:ED:EA:1D:AE:A7:DF:9E:EB:C6:89
            X509v3 Authority Key Identifier:
                keyid:AC:3E:A0:D4:2F:3E:AE:61:41:82:2C:71:EC:0E:3D:E5:C3:D6:C0:88
Certificate is to be certified until Sep 8 11:30:09 2013 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
2.[[email protected] certs]# chmod 600 *
Request a certificate (dovecot)
1. Generate the key, create the certificate request, and issue the certificate
[[email protected] ~]# mkdir -pv /etc/dovecot/certs //create the directory that holds the private key, certificate and related files
[[email protected] ~]# cd /etc/dovecot/certs/
[[email protected] certs]# openssl genrsa 1024 >sendmail.key
[[email protected] certs]# openssl req -new -key sendmail.key -out sendmail.csr
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BEIJING]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [My Company Ltd]:163
Organizational Unit Name (eg, section) []:tec
Common Name (eg, your name or your server's hostname) []:pop3.163.com
[[email protected] certs]# openssl ca -in sendmail.csr -out sendmail.cert
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
       Serial Number: 1 (0x1)
        Validity
            Not Before: Sep 8 11:30:09 2012 GMT
            Not After : Sep 8 11:30:09 2013 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BEIJING
            organizationName          = 163
            organizationalUnitName    = tec
            commonName                = pop3.163.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                0E:99:E0:4B:F5:DD:93:11:8C:43:ED:EA:1D:AE:A7:DF:9E:EB:C6:89
            X509v3 Authority Key Identifier:
                keyid:AC:3E:A0:D4:2F:3E:AE:61:41:82:2C:71:EC:0E:3D:E5:C3:D6:C0:88
Certificate is to be certified until Sep 8 11:30:09 2013 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
2.[[email protected] certs]# chmod 600 *
VIII. Bind the certificates to the servers in the 163.com zone
1. vim /etc/mail/sendmail.mc //bind the certificate to sendmail
Modify the file as follows:
60 define(`confCACERT_PATH', `/etc/pki/CA')dnl
61 define(`confCACERT', `/etc/pki/CA/cacert.pem')dnl
62 define(`confSERVER_CERT', `/etc/mail/certs/sendmail.cert')dnl
63 define(`confSERVER_KEY', `/etc/mail/certs/sendmail.key')dnl
134 DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl //enable encrypted mail submission
2.[[email protected] certs]# service sendmail restart
3.[[email protected] certs]# telnet 127.0.0.1 25
ehlo 127.0.0.1
250-STARTTLS //the mail encryption service is now advertised
4. Security test
[[email protected] certs]# tshark -ni eth0 "tcp.dstport eq 25"
70.083538 192.168.2.10 -> 192.168.2.100 SMTP Command: STARTTLS
Test result: the username and password can no longer be captured
5. vim /etc/dovecot.conf     //bind the certificate to dovecot
20 #protocols = imap imaps pop3 pop3s //all enabled by default
21 protocols = pop3s //enable only pop3s (port 995)
91 ssl_cert_file = /etc/dovecot/certs/dovecot.cert    //these names must match the files actually created in /etc/dovecot/certs (generated above as sendmail.key/sendmail.cert, so rename them or adjust these paths)
92 ssl_key_file = /etc/dovecot/certs/dovecot.key
6.[[email protected] certs]# service dovecot restart
7.[[email protected] ~]# netstat -tupln |grep dov
tcp    0   0 :::995          :::*         LISTEN      5648/dovecot
8.[[email protected] certs]# tshark -ni eth0 "tcp.dstport eq 995 or tcp.srcport eq 995"
Mail client settings:

[figure: mail client configuration screenshots; images not preserved]

IX. Mail relaying
1. Validation by IP address (described above)
Typical problem: a user with any account, even a non-existent one, can send mail, which produces spam. For example:
The user aaa does not exist, yet it can send mail
[[email protected] ~]# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.sina.com ESMTP Sendmail 8.13.8/8.13.8; Sat, 8 Sep 2012 16:54:52 +0800
250 2.1.0 [email protected] Sender ok
250 2.1.5 [email protected] Recipient ok
data
354 Enter mail, end with "." on a line by itself
subject:hi
i am aaa
.
250 2.0.0 q888sq39031760 Message accepted for delivery
quit
221 2.0.0 mail.sina.com closing connection
Connection closed by foreign host.
 
2 aaa@sina.com          Sat Sep 8 20:56 17/736   "hi"
subject: hi
i am aaa
 
To solve the problem above, account authentication is required.
2. Account authentication
Authentication uses the SASL protocol: the server side needs the SASL software installed, and the client side needs cyrus-sasl
Preparation
2.1[[email protected] ~]# rpm -qa |grep sasl    //check whether sasl is installed
cyrus-sasl-2.1.22-4
cyrus-sasl-lib-2.1.22-4
cyrus-sasl-plain-2.1.22-4
cyrus-sasl-devel-2.1.22-4
2.2 vim /usr/lib/sasl2/Sendmail.conf 
pwcheck_method:saslauthd           //lets sendmail use sasl (saslauthd) when checking accounts
Configuration
2.3 vim /etc/mail/sendmail.mc
Modify the file as follows:
39 define(`confAUTH_OPTIONS', `A y')dnl //'y' enables the authentication option
52 TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
53 define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl   //uncomment lines 52 and 53
116 DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA,M=Ea')dnl //the added M=Ea enforces authentication
2.4[[email protected] ~]# service sendmail restart
2.5[[email protected] ~]# telnet 127.0.0.1 25
ehlo 127.0.0.1
250-AUTH LOGIN PLAIN   //the authentication option has been added
2.6[[email protected] ~]# chkconfig --list |grep sasl //check the sasl service status
saslauthd            0:关闭     1:关闭     2:关闭     3:关闭     4:关闭     5:关闭     6:
[[email protected] ~]# service saslauthd start //start the authentication service
[[email protected] ~]# chkconfig saslauthd on
2.7 Test:
[[email protected] ~]# telnet 127.0.0.1 25
mail from:root@sina.com     //sending mail now requires authentication
530 5.7.0 Authentication required
2.8 Account authentication test:
Send mail
For authentication the username and password must be converted to base64 format
[[email protected] ~]# echo -n "root@sina.com" |openssl base64
cm9vdEBzaW5hLmNvbQ==
[[email protected] ~]# echo -n "123456" |openssl base64
MTIzNDU2
[[email protected] ~]# telnet 127.0.0.1 25
auth login
334 VXNlcm5hbWU6
cm9vdEBzaW5hLmNvbQ==
334 UGFzc3dvcmQ6
MTIzNDU2
235 2.0.0 OK Authenticated
250 2.1.0 [email protected] Sender ok
250 2.1.5 [email protected] Recipient ok
data
354 Enter mail, end with "." on a line by itself
11111
.
250 2.0.0 q889S9Lt032013 Message accepted for delivery
quit
221 2.0.0 mail.sina.com closing connection
Connection closed by foreign host.
Receive the mail
[[email protected] ~]# su - user4
11111
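The POP capture in section V (USER/PASS on port 110) and the AUTH LOGIN exchange above both put credentials on the wire in readable form; base64 is an encoding, not encryption, which is why the STARTTLS step in section VIII matters. The following added example (not from the original post) audits constructed one-line capture output in the style of the tshark output shown earlier and reports which users authenticated without TLS, without ever echoing a password.

```python
"""Flag mail credentials sent without TLS in one-line capture output.
Added defensive example, not part of the post; the capture below is constructed."""
import base64
import re
from collections import defaultdict

# Constructed lines in the style of the tshark output shown in the post.
CAPTURE = """
36.487293 192.168.2.12 -> 192.168.2.11 POP Request: USER user3
36.488582 192.168.2.12 -> 192.168.2.11 POP Request: PASS 123
70.083538 192.168.2.10 -> 192.168.2.100 SMTP Command: STARTTLS
80.200001 192.168.2.12 -> 192.168.2.11 SMTP Command: AUTH LOGIN
80.300002 192.168.2.12 -> 192.168.2.11 SMTP Command: cm9vdEBzaW5hLmNvbQ==
80.400003 192.168.2.12 -> 192.168.2.11 SMTP Command: MTIzNDU2
80.500004 192.168.2.12 -> 192.168.2.11 SMTP Command: MAIL FROM:<root@sina.com>
"""
LINE = re.compile(r"^\s*\S+\s+(\S+) -> (\S+)\s+(POP|SMTP) (?:Request|Command): (.*)$")

def decode_b64(token):
    """base64 is an encoding, not encryption: anyone on the wire can reverse it."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:
        return "<undecodable>"

def audit(capture):
    """One finding per credential seen without TLS; passwords are never echoed."""
    findings = []
    flows = defaultdict(lambda: {"tls": False, "auth": None, "user": "?"})
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, dst, proto, payload = m.groups()
        flow = flows[(src, dst, proto)]
        if flow["tls"]:
            continue                      # after STARTTLS nothing here is readable
        if proto == "POP":
            verb, _, arg = payload.partition(" ")
            if verb.upper() == "USER":
                flow["user"] = arg
            elif verb.upper() == "PASS":
                findings.append(f"{src}->{dst}: POP3 password for {flow['user']} sent in cleartext")
        elif payload.upper() == "STARTTLS":
            flow["tls"] = True
        elif payload.upper() == "AUTH LOGIN":
            flow["auth"] = "user"         # next client line is the base64 user name
        elif flow["auth"] == "user":
            flow["user"], flow["auth"] = decode_b64(payload), "pass"
        elif flow["auth"] == "pass":
            flow["auth"] = None
            findings.append(f"{src}->{dst}: SMTP AUTH LOGIN password for {flow['user']} "
                            "sent base64-encoded, not encrypted")
    return findings
```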
Mail client settings:
[figure: mail client configuration screenshot; image not preserved]

Reposted from: https://blog.51cto.com/yz406/990960