1. Установка Sendmail + Cyrus-sasl
# yum install sendmail sendmail-cf sendmail-doc cyrus-sasl-{lib,plain}
2. Настройка Sendmail
# cd /etc/mail/
# cp sendmail.mc{,.orig}
# nano /etc/mail/sendmail.mc
divert(-1)dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for linux')dnl
OSTYPE(`linux')dnl
define(`confDEF_USER_ID', ``8:12'')dnl
dnl define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST', `True')dnl
define(`confDONT_PROBE_INTERFACES', `True')dnl
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A y')dnl
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confTO_IDENT', `0')dnl
FEATURE(`no_default_msa', `dnl')dnl
FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA')dnl
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
FEATURE(`accept_unresolvable_domains')dnl
LOCAL_DOMAIN(`localhost.localdomain')dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
# make all
# systemctl restart sendmail
# systemctl enable sendmail
3. Настройка Sendmail на поддержку TLS/SSL
# cd /etc/pki/tls/certs
# make sendmail.pem
# cd /etc/mail
# nano sendmail.mc
define(`CERT_DIR', `/etc/pki/tls/certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/sendmail.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/sendmail.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/sendmail.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/sendmail.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/sendmail.pem')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
# make all
# systemctl restart sendmail
Тестируем поддержку TLS (STARTTLS на порту 25):
# openssl s_client -starttls smtp -crlf -connect 127.0.0.1:25
4. Запуск и добавление в автозагрузку демона аутентификации Cyrus-sasl — saslauthd
# nano /etc/sysconfig/saslauthd
SOCKETDIR=/run/saslauthd
MECH=pam
FLAGS=
# systemctl restart saslauthd
# systemctl enable saslauthd
5. Установка и настройка Dovecot
# yum install dovecot
# cd /etc/dovecot
# cp -rp conf.d conf.d~
# cp dovecot.conf dovecot.conf~
# nano conf.d/10-mail.conf
mail_location = maildir:~/Maildir
# nano conf.d/10-ssl.conf
ssl = yes
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
# nano conf.d/10-auth.conf
# при disable_plaintext_auth = no механизмы plain/login принимаются и на незашифрованных (без TLS) соединениях
disable_plaintext_auth = no
auth_mechanisms = plain login
# nano dovecot.conf
listen = *
protocols = imap pop3 lmtp
6. Настройка Dovecot на поддержку TLS/SSL
# mv /etc/pki/dovecot/private/dovecot.pem /etc/pki/dovecot/private/dovecot.pem~
# mv /etc/pki/dovecot/certs/dovecot.pem /etc/pki/dovecot/certs/dovecot.pem~
# nano /etc/pki/dovecot/dovecot-openssl.cnf
[ req ]
# 1024 — значение из шаблона Dovecot; для рабочего сервера обычно задают 2048 и выше
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
C=UA
ST=Kharkov
L=Kharkov
O=Our organization
OU=IT-Department
CN=<FQDN>
emailAddress=root@<FQDN>

[ cert_type ]
nsCertType = server
# rpm -ql dovecot | grep mkcert.sh
/usr/libexec/dovecot/mkcert.sh
/usr/share/doc/dovecot-2.2.10/mkcert.sh
# sh /usr/share/doc/dovecot-2.2.10/mkcert.sh
# ls -al /etc/pki/dovecot/certs/dovecot.pem
-rw------- 1 root root 1001 Feb 16 15:04 /etc/pki/dovecot/certs/dovecot.pem
# ls -al /etc/pki/dovecot/private/dovecot.pem
-rw------- 1 root root 912 Feb 16 15:04 /etc/pki/dovecot/private/dovecot.pem
# systemctl restart dovecot
# systemctl enable dovecot
Тестируем поддержку TLS в Dovecot
POP3S
# openssl s_client -connect 127.0.0.1:995
Verify return code: 18 (self signed certificate)
---
+OK Dovecot ready.
IMAPS
# openssl s_client -connect 127.0.0.1:993
Verify return code: 18 (self signed certificate)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
7. Настройка procmail
# nano /etc/procmailrc
DEFAULT=$HOME/Maildir/
8. Добавление системных пользователей с оболочкой /sbin/nologin
# cat /etc/shells | grep nologin
/sbin/nologin
/usr/sbin/nologin
# useradd -m user1 -s /sbin/nologin
# useradd -m user2 -s /sbin/nologin
# useradd -m user3 -s /sbin/nologin
# passwd user1
# passwd user2
# passwd user3
Добавление доменов, для которых будет обслуживаться почта
# nano /etc/mail/local-host-names
domain1.org.ua
domain2.org.ua
domain3.org.ua
Добавление соответствия между почтовыми ящиками и созданными ранее системными пользователями
# nano /etc/mail/virtusertable
user1@domain1.org.ua    user1
user2@domain2.org.ua    user2
user3@domain3.org.ua    user3
# cd /etc/mail
# make all
# systemctl restart sendmail
9. Тестирование Cyrus SASL
# testsaslauthd -u user1 -pXXX -s smtp
0: OK "Success."
10. Настройка почтовых клиентов (Mozilla Thunderbird, Bat и т.д.) на поддержку:
25 (smtp), 587 (submission) через STARTTLS или 465 (smtps) через SSL/TLS — для исходящего почтового сервера;
110 (pop3), 143 (imap) через STARTTLS или 995 (pop3s), 993 (imaps) через SSL/TLS — для входящего почтового сервера.
Источник: