
How to Set Up Sendmail on a Firewall
Source: http://www.gouhuo.com   Author: (not given)   (2001-07-25 07:00:00)
Environment:
The company has registered the official domain company.com. The firewall runs Linux and is connected to the ISP over a leased line; it is the only path to the Internet and handles all outbound mail from inside the company as well as all mail addressed to internal users @company.com. On the internal LAN (a single segment, no subnets) there is one Linux mail server on which internal users send and receive their mail. Both machines run Sendmail 8.9.3.

New features in Sendmail 8.9.3
Sendmail 8.9.3 includes several new features, and if they are configured incorrectly your Sendmail may not work properly. They mainly help filter out spam and stop your site from being used as a third-party mail relay (what is third-party mail relay? see the article referenced below). You can configure these parameters according to the policy your site requires.
1. Mail relay
In Sendmail 8.9.3 relaying is refused by default. This can mean that a Linux mail server running Sendmail will not let you send mail through it. There are several ways to deal with this.
a. Default
By default you can simply create the file /etc/mail/relay-domains containing the domain names of the systems you want to relay for, e.g. company.com. If reverse DNS lookups are not possible you should list IP ranges explicitly; for example, to let every user on the internal segment send mail through the server, enter 192.168.11. Note: putting company.com here does not let travelling staff who dial into a local ISP send mail through you, because the dynamic IP address they get belongs to that ISP, reverse DNS resolves it to the ISP's domain, and some addresses have no reverse DNS at all. The solution is to have them use the local ISP's server as their outgoing mail server.
Advantage: if you only need to relay mail from a few systems this is probably the simplest solution; it stops your server acting as an open relayer while still letting your own mail through.
Disadvantage: you have to keep the file up to date. If you are an ISP you will be updating it constantly, and every update requires sendmail to be restarted (killall -HUP sendmail).
b. promiscuous_relay
This feature lets you relay mail from anywhere. (Not recommended.)
Advantage: you never have to worry about mail being refused.
Disadvantage: anyone can use your system as a mail relay; using this parameter throws away the anti-relay protection added in 8.9.3.
c. relay_entire_domain
This feature allows mail from every domain listed in class W to be relayed. By default that is *.company.com.
Advantage: you need not worry about mail from your own domain being refused, and systems outside your domain cannot relay through you unless they are listed in /etc/mail/relay-domains or in /etc/mail/access. If you only want to relay for hosts in your own domain you can use this parameter instead of /etc/mail/relay-domains.
Note: you need reverse DNS set up so that hosts on the internal LAN resolve to names in the local domain when they connect to the SMTP server, e.g. 192.168.11.12 resolves to sh12.asiansources.com.
Disadvantage: you may not want to allow other parts of your company to relay mail.
d. relay_hosts_only
This lets you relay mail on the basis of individual host names rather than domain names.
Advantage: fine-grained control over relay permission, by fully qualified host name rather than by fully qualified domain name.
Disadvantage: you have to list the system host names either in /etc/mail/relay-domains or in the access database. If you use /etc/mail/relay-domains, the file would look like
company.com
mailgate.company.com
othername.com
mailgate.othername.com

2. Mail blocking
a. accept_unresolvable_domains
By default, if the sender's domain (the domain part of the sender's mail address) cannot be resolved in DNS, the mail is refused, e.g.:
MAIL From: wkeys@nonexistent 501 <wkeys@nonexistent>... Sender domain must exist

Use the accept_unresolvable_domains parameter to override this and accept mail from any domain or IP address.
b. access_db
This feature makes sendmail consult a database file (by default /etc/mail/access.db) to decide whether to accept or reject mail; you can even return a customised error message. The feature can also be used to control relay permission.
Advantage: it really lets you fine-tune whose mail you accept, e.g. I do not want mail from domains that cannot be resolved, but I want exceptions for a few particular domains.
c. accept_unqualified_senders
By default, if the sender's domain is not a fully qualified domain name, sendmail refuses the connection, e.g.
mail from:
553 .... Domain name required
Use this feature to override the default so that the connection is accepted.
Advantage: I recommend always using fully qualified addresses, but on an internal mail gateway you may not control how other local systems send you mail; this lets you accept mail with unqualified sender addresses.
Disadvantage: you lose some ability to trace where mail came from. Do not use it on the firewall.
d. blacklist_recipients
This lets you block mail for addresses you do not want to accept mail for; it is configured in /etc/mail/access.
e. relay_based_on_MX
If a host has an MX record pointing at your site, this feature accepts mail for it.
Advantage: you need not add any host to the access database if its MX record already points at you.
Disadvantage: it allows third-party mail relay without your permission.
3. Third-party mail relay
See the separate article (in the article collection): an introduction to the sendmail 8.9.3 mail relay rules.

Example sendmail configuration for the company firewall
divert(-1)
include(`/usr/lib/sendmail-cf/m4/cf.m4')
dnl let's define our OS type. This one is mandatory.
OSTYPE(`linux')dnl
define(`confDEF_USER_ID',``8:12'')
define(`ALIAS_FILE',`/etc/mail/aliases')dnl
define(`confPRIVACY_FLAGS', `authwarnings,needmailhelo,noexpn,novrfy')dnl
define(`confTO_QUEUERETURN', `4d')dnl
define(`confTO_QUEUEWARN', `4h')dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
undefine(`UUCP_RELAY')dnl
undefine(`BITNET_RELAY') dnl
FEATURE(`redirect')dnl
FEATURE(`always_add_domain')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`local_procmail')dnl
FEATURE(`nouucp')dnl
FEATURE(`mailertable', `hash -o /etc/mail/mailertable')dnl
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable')dnl
FEATURE(`domaintable',`hash -o /etc/mail/domaintable')
FEATURE(`access_db', `hash -o /etc/mail/access')dnl
FEATURE(`blacklist_recipients')dnl
MAILER(procmail)dnl
MAILER(smtp)dnl

use_cw_file
The default file is /etc/sendmail.cw; it lists the domain names treated as local, so mail to those domains is delivered locally. Do not put company.com in sendmail.cw on the firewall; set it on the mail server on the internal segment. Updating this file does not require restarting sendmail.

* How do I make all my addresses appear to be from a single host?

Using the V8 configuration macros, use:

MASQUERADE_AS(my.dom.ain)

This will cause all addresses to be sent out as being from the indicated domain.
If you're using version 8.7 sendmail, and you want to hide this information in the envelope
as well as the headers, use:

FEATURE(masquerade_envelope)

If you also want to masquerade the recipients, use

FEATURE(allmasquerade)


Mailertable
With this feature you can relay mail while overriding DNS and DNS MX records; it also overrides the Smart_host (DSxxxx) entry. For example
company.com relay:[192.168.11.1]
relays mail for company.com received on the firewall to 192.168.11.1.
Include a "mailer table" which can be used to override
routing for particular domains. The argument of the
FEATURE may be the key definition. If none is specified,
the definition used is:

hash -o /etc/mailertable

Keys in this database are fully qualified domain names
or partial domains preceded by a dot -- for example,
"vangogh.CS.Berkeley.EDU" or ".CS.Berkeley.EDU".
Values must be of the form:
mailer:domain
where "mailer" is the internal mailer name, and "domain"
is where to send the message. These maps are not
reflected into the message header. As a special case,
the forms:
local:user
will forward to the indicated user using the local mailer,
local:
will forward to the original user in the e-mail address
using the local mailer, and
error:code message
will give an error message with the indicated code and
message.
Domaintable
Domain substitution. If a domain is easily mistyped, e.g. mail for company.com is written as compayn.com, add the line
compayn.com company.com
Access.db
Each database record has two parts: the key and the action.
The key can be a user name, a domain name, or an IP address.
The action can be ok, relay, reject, discard, or an RFC 821 message.
For example:
cyberspammer.com 550 we don't accept mail from spammers
okay.cyberspammer.com OK
sendmail.org OK
128.32 relay
foobar.com reject
garbage@spam.org discard
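The relay-domains and access_db sections above both come down to a hand-maintained text file whose mistakes only show up after makemap and a restart. The following Python is an added example, not code from the article or from sendmail: it parses access-map source text in the unhashed form shown above, checks that every action is one sendmail 8.9 understands (OK, RELAY, REJECT, DISCARD or an RFC 821 reply), and warns about RELAY grants that are broader than a site normally intends (a single-octet network or a bare top-level domain). The sample table is constructed for the example; the last three lines of it are deliberately questionable.

```python
import re

# Actions sendmail 8.9 accepts in the access map, besides an RFC 821 reply
SIMPLE_ACTIONS = {"OK", "RELAY", "REJECT", "DISCARD"}
RFC821_REPLY = re.compile(r"^[45]\d\d\s+\S.*$")

# Constructed sample, modeled on the access-map example above;
# the last three lines are deliberately questionable.
SAMPLE_ACCESS = """\
# comment lines and blank lines are ignored

cyberspammer.com        550 We don't accept mail from spammers
okay.cyberspammer.com   OK
sendmail.org            OK
128.32                  RELAY
foobar.com              reject
garbage@spam.org        discard
10                      RELAY
com                     RELAY
typo.example            ALLOW
"""

def classify_key(key):
    """Return 'address', 'network' or 'domain' for an access-map key."""
    if "@" in key:
        return "address"
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){0,3}", key):
        return "network"
    return "domain"

def lint_access(text):
    """Parse access-map source text.

    Returns (entries, findings): entries is a list of (key, action)
    tuples that parsed cleanly; findings is a list of human-readable
    problems, including RELAY grants that are broader than a site
    normally intends.
    """
    entries, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            findings.append(f"line {lineno}: missing action for key {parts[0]!r}")
            continue
        key, action = parts
        word = action.split()[0].upper()
        if word in SIMPLE_ACTIONS:
            action = word                      # normalise case: reject -> REJECT
        elif not RFC821_REPLY.match(action):
            findings.append(f"line {lineno}: unknown action {action!r}")
            continue
        kind = classify_key(key)
        if action == "RELAY":
            # a single octet relays for a whole /8; a bare TLD relays for the world
            if kind == "network" and "." not in key:
                findings.append(f"line {lineno}: RELAY for whole class A block {key!r}")
            elif kind == "domain" and "." not in key:
                findings.append(f"line {lineno}: RELAY for top-level domain {key!r}")
        entries.append((key, action))
    return entries, findings

if __name__ == "__main__":
    parsed, problems = lint_access(SAMPLE_ACCESS)
    for problem in problems:
        print(problem)
    print(f"{len(parsed)} entries parsed, {len(problems)} problems")
```

Running the check before makemap catches the typo and the over-broad relay grants while they are still in a text file; the same loop can be pointed at relay-domains, where every line is simply a key that is implicitly granted RELAY.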
Virtusertable
Virtusertable is used in situations like this: mail for a user on the local system is redirected to another user. Note that it must be mail for a local user, otherwise the virtusertable database is not consulted at all. For example, put company.com in /etc/sendmail.cw on the firewall, then add to /etc/mail/virtusertable the line
user1@company.com otheruser@otherdomain.com
virtusertable is a domain-specific form of aliasing, allowing multiple virtual domains to be
hosted on one machine. For example,
if the virtuser table contained:

info@foo.com foo-info
info@bar.com bar-info
@baz.org jane@elsewhere.net

then mail addressed to info@foo.com will be sent to the
address foo-info, mail addressed to info@bar.com will be
delivered to bar-info, and mail addressed to anyone at
baz.org will be sent to jane@elsewhere.net. The username
from the original address is passed as %1 allowing:

@foo.org %1@elsewhere.com

meaning someone@foo.org will be sent to someone@elsewhere.com.

All the host names on the left hand side (foo.com, bar.com,
and baz.org) must be in $=w. The default map definition is:

hash -o /etc/virtusertable
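The two lookup rules described above (mailertable keys that are either a full host name or a ".parent" suffix, and virtusertable entries with an @domain catch-all whose %1 is the original user) are easy to get wrong when writing the tables. The following Python is an added example, not part of the article or of sendmail; it implements both lookups over constructed tables in the unhashed text form shown above, with the local-domain set standing in for $=w.

```python
# Constructed tables in the unhashed (text) form shown above.
MAILERTABLE = {
    "company.com": "relay:[192.168.11.1]",
    ".cs.berkeley.edu": "smtp:mail.cs.berkeley.edu",
    "vangogh.cs.berkeley.edu": "local:",
    "bad.example": "error:5.7.1 we do not route for this domain",
}

VIRTUSERTABLE = {
    "info@foo.com": "foo-info",
    "info@bar.com": "bar-info",
    "@baz.org": "jane@elsewhere.net",
    "@foo.org": "%1@elsewhere.com",
}

# Stands in for class $=w (the domains listed in sendmail.cw).
LOCAL_DOMAINS = {"foo.com", "bar.com", "baz.org", "foo.org"}

def mailertable_lookup(domain, table=MAILERTABLE):
    """Find the mailer:target entry for a destination domain.

    An exact host-name key wins; otherwise the table is searched for the
    longest '.parent' key that is a suffix of the domain. Returns
    (mailer, target), or None when ordinary DNS/MX routing applies.
    """
    domain = domain.lower()
    value = table.get(domain)
    if value is None:
        labels = domain.split(".")
        for i in range(1, len(labels)):       # strip one leading label at a time
            value = table.get("." + ".".join(labels[i:]))
            if value is not None:
                break
    if value is None:
        return None
    mailer, _, target = value.partition(":")
    return mailer, target

def virtusertable_lookup(address, table=VIRTUSERTABLE, local=LOCAL_DOMAINS):
    """Rewrite a recipient via the virtual user table.

    Only addresses in a local domain are consulted. A full user@domain
    key is tried first, then the @domain catch-all, where %1 stands for
    the original user part. Anything else is returned unchanged.
    """
    user, _, domain = address.lower().partition("@")
    if domain not in local:
        return address
    if address.lower() in table:
        return table[address.lower()]
    catch_all = table.get("@" + domain)
    if catch_all is None:
        return address
    return catch_all.replace("%1", user)

if __name__ == "__main__":
    for d in ("company.com", "host.CS.Berkeley.EDU", "nowhere.org"):
        print(d, "->", mailertable_lookup(d))
    for a in ("info@foo.com", "someone@foo.org", "anyone@baz.org", "user1@other.net"):
        print(a, "->", virtusertable_lookup(a))
```

The longest-suffix loop is what makes ".CS.Berkeley.EDU" apply to vangogh's siblings without touching vangogh itself, and the early return for non-local domains mirrors the note above that virtusertable is only consulted for mail in $=w.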
FEATURE(genericstable,`hash -o /etc/mail/genericstable'):
Use a hashed table with masquerading information. The unhashed file looks like this:


bg bganslan@myisp.net
root bganslan@myisp.net
nobody bganslan@myisp.net


This file will tell sendmail to rewrite the FROM addresses of your mail, so you will be able
to relay all your mail over your ISP's mail server. The first column contains the local address,
the second one the address which should be used instead. In order for sendmail to read this
file you have to hash it with this command:
makemap -r hash genericstable.db < genericstable

GENERICS_DOMAIN_FILE(`/etc/mail/genericsdomain'):
You have to add your local domain name to this file, so sendmail knows what mail is local and
has to be masqueraded. To get your local domain, run "hostname".

FAQ: * I'm getting "Local configuration error" messages, such as:

553 MX list for domain.net points back to relay.domain.net
554 ... Local configuration error

How can I solve this problem?

You have asked mail to the domain (e.g., domain.net) to be forwarded to a specific
host (in this case, relay.domain.net) by using an MX record, but the relay machine
doesn't recognize itself as domain.net. Add domain.net to /etc/sendmail.cw (if you
are using FEATURE(use_cw_file)) or add "Cw domain.net" to your configuration file.

IMPORTANT: When making changes to your configuration file, be sure you kill and
restart the sendmail daemon (for ANY change in the configuration, not just this one):

kill `head -1 /etc/sendmail.pid`
sh -c "`tail -1 /etc/sendmail.pid`"

Mail for the Home Network ------the Stand Alone Config
FEATURE(always_add_domain)dnl
This is the recommended option; the feature forces the local or program mailer to use fully qualified domain names.
FEATURE(allmasquerade)
I use this feature on the firewall to make all mail appear to come from the site's official domain; you need to combine it with MASQUERADE_AS.
FEATURE(masquerade_entire_domain)
This feature makes every host within your domain appear to come from the same domain.
FEATURE(masquerade_envelope)
MASQUERADE_AS(company.com)
Obviously, this defines the value used by the masquerading features above.
MASQUERADE_DOMAIN( company.com othername.com )
Use this if you have several internal domain names that you want to masquerade as the same company domain.
Environment:
Consider the following situation: a company runs a Linux mail server with Sendmail. The machine is on the LAN but reaches the Internet over a PPP, cable modem or DSL connection and sends mail out through the ISP's mail host. The machine has two users, jephe and hongyi (who send mail to company.com from Windows machines); the domain is company.com, the ISP's domain is isp.net, its mail host is mail.isp.net, and both users have accounts of the same name at the ISP, jephe@isp.net and hongyi@isp.net.
Requirements:
When jephe sends a message to hongyi@company.com it should be delivered locally; when jephe sends another message to someone on the Internet it should go out through the ISP, with the reply address rewritten to jephe@isp.net (and hongyi@isp.net for hongyi).

#/etc/mail/relay-domains:
jephe.company.com
hongyi.company.com
#/etc/sendmail.cw
company.com
#sendmail.cf

define(`SMART_HOST',`smtp:[ix.deniz.com]')
MASQUERADE_AS(`deniz.com')
FEATURE(`masquerade_envelope')
define(RELAY_MAILER, TCP)
FEATURE(`accept_unqualified_senders')
There are 3 fixes you may have to perform manually if things are not working as you would like them:

1. If sendmail can not "find" your email server:
Edit your /etc/sendmail.cf and look for this line:
#Dj$w.Foo.COM
and change it to:
Djmaster.kulai.org
Where master.kulai.org is the name of your email server. Note: remove the # at the front of
the line as # means: ignore - this is a comment line. This is one of sendmail's rules and it
tells sendmail what the name of the email server is - in case dns, or other ways, do not tell
sendmail what it wants.
2. Masquerading based on destination:
I had the hardest time trying to get sendmail to masquerade only the mail sent to the internet
and not local mail, e.g. I wanted local mail to show the sender as: bmote@kulai.org and not
bmote@deniz.com, but obviously I wanted mail that went out into the internet to show:
bmote@deniz.com. To solve this you have to manually edit the /etc/sendmail.cf. Find the
definitions of local rulesets 10 and 30 within sendmail.cf, (hint: search for S10 and S30) and
delete these 2 lines - or put a # in front of them:

# Envelope sender rewriting
#
S10
R<@> $n errors to mailer-daemon
R@ <@ $*> $n temporarily bypass Sun bogosity
R$+ $: $>50 $1 add local domain if needed
R$* $: $>94 $1 do masquerading <-- delete this line
#
# Header sender rewriting
#
S30
R<@> $n errors to mailer-daemon
R@ <@ $*> $n temporarily bypass Sun bogosity
R$+ $: $>50 $1 add local domain if needed
R$* $: $>93 $1 do masquerading <-- delete this line

There is no m4-based solution for this, so you have to modify sendmail.cf directly. You need
to restart sendmail afterwards, of course.

Note: I have jpollman@kulai.org in my From: line in my email program, so sendmail will
masquerade only out-going mail. Many thanks to: Achim Lübbert for the solution.

3. Using unqualified names fails:
If you type just the user's name in the To: part of the email and it disappears into the
internet, you may have to tell sendmail where to put email with unqualified names. Add this
to the bottom of your master.mc:

define(`LOCAL_RELAY',`mail.kulai.org')

LOCAL_RELAY: again: instead of mail.kulai.org, put your mail server's name here. This line
will make sendmail send unqualified names, like just "bmote", to your mail server, i.e. sendmail
will add the kulai.org onto bmote for you. This way you can type just bmote in the To: field in
your email program instead of bmote.kulai.org. Of course you will have to do the m4, copy,
restart routine again to make it take effect.
Message header and message envelope
Every e-mail message consists of three parts: envelope, header, and body.
The envelope is created when two machines handshake to transfer the mail; it carries the real recipient address. In a normal, legitimate message the recipient address in the envelope matches the To: address, but there are exceptions: when mail is sent to an alias, to a mailing-list server, or is redirected by something like a vacation notice.
Sometimes you wonder why a message addressed To: someone@answerme.com has ended up in your mailbox. That is the difference between the message To: and the envelope To:, and there are many ways to bring it about: Bcc:, aliases, mailing lists, direct command-line forging, special programs (Diffondi 3.1.6), virtusertable virtual domains, the masquerading in the stand-alone dial-up configuration above, and so on.
Direct Forging
At the Unix command prompt of the second-party test machine, shell.elsewhere.com, telnet to
port 25 of your machine and try the following. (Your responses are in bold. Make sure that
you include a blank line after the From: header and that the message ends with a line
containing nothing but a period.)
telnet mail.killaspammer.com 25
220 mail.killaspammer.com ESMTP Sendmail 8.8.5/8.8.5; Mon, 16 Mar 1998 02:34:20 -0800 (PST)
MAIL FROM:
250 ... Sender ok
RCPT TO:
250 ... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
To: insulting@wideopen.com.domain
From: spammer@screwyou.com
Umm, umm, hot spam on rye!
.
250 CAA17232 Message accepted for delivery
quit
221 mail.killaspammer.com closing connection
Connection closed by foreign host.
Now, log in as sam on mail.killaspammer.com and read the message. The headers will look
something like this:
From spammer@worldnet.att.net Mon Mar 16 02:57:02 1998
Received: from shell.elsewhere.com (shell.elsewhere.com [192.168.1.77]) by
mail.killaspammer.com (8.8.5/8.8.5) with SMTP id CAA17232 for ;
Mon, 16 Mar 1998 02:53:50 -0800 (PST)
Date: Mon, 16 Mar 1998 02:53:50 -0800 (PST)
Message-Id: <199803161053.CAA17232@mail.killaspammer.com>
X-Authentication-Warning: mail.killaspammer.com: shell.elsewhere.com [192.168.1.77] didn't use HELO protocol
As you can see, spamming is ridiculously easy to do, which is why it has gotten to be such a big problem.
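The headers above are also where the forgery leaves its traces: the mbox "From " line carries the envelope sender, the first Received: line records the host that actually connected, and sendmail itself adds an X-Authentication-Warning when the client skipped HELO. The following Python is an added example from the detection side, not code from the article: it unfolds the headers of an mbox-style message, compares the envelope sender's domain with the From: header, checks the HELO name against the reverse DNS name in Received:, and collects sendmail's own warnings. The message is constructed for the example, modeled on the one above (the recipient in the Received: line, which the page elides, is filled with a placeholder address).

```python
import re

# Constructed message, modeled on the forged-mail headers shown above;
# not a real capture. <sam@killaspammer.com> is a placeholder recipient.
SAMPLE_MESSAGE = """\
From spammer@worldnet.att.net Mon Mar 16 02:57:02 1998
Received: from shell.elsewhere.com (shell.elsewhere.com [192.168.1.77]) by
  mail.killaspammer.com (8.8.5/8.8.5) with SMTP id CAA17232 for <sam@killaspammer.com>;
  Mon, 16 Mar 1998 02:53:50 -0800 (PST)
Date: Mon, 16 Mar 1998 02:53:50 -0800 (PST)
Message-Id: <199803161053.CAA17232@mail.killaspammer.com>
X-Authentication-Warning: mail.killaspammer.com: shell.elsewhere.com [192.168.1.77] didn't use HELO protocol
To: insulting@wideopen.com.domain
From: spammer@screwyou.com

Umm, umm, hot spam on rye!
"""

# "from <helo-name> (<reverse-dns> [<ip>])" as sendmail writes it
RECEIVED_FROM = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([\d.]+)\]\)", re.I)

def parse_headers(message):
    """Split an mbox-style message into (envelope_sender, headers).

    Folded header lines (continuations starting with whitespace) are
    joined back together; headers is a list of (name, value) pairs so
    that repeated fields such as Received: are all kept.
    """
    head = message.split("\n\n", 1)[0].splitlines()
    envelope = None
    if head and head[0].startswith("From "):        # mbox separator = envelope sender
        envelope = head.pop(0).split()[1]
    unfolded = []
    for line in head:
        if line[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += " " + line.strip()
        else:
            unfolded.append(line)
    headers = []
    for line in unfolded:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return envelope, headers

def analyse(message):
    """Return a list of warning strings for signs of a forged sender."""
    envelope, headers = parse_headers(message)
    fields = {}
    for name, value in headers:
        fields.setdefault(name, []).append(value)
    warnings = []
    # 1. Envelope sender and From: header come from different domains
    header_from = fields.get("from", [""])[0]
    if envelope and "@" in header_from:
        if envelope.split("@")[-1].lower() != header_from.split("@")[-1].lower():
            warnings.append(f"envelope sender {envelope} does not match From: {header_from}")
    # 2. The first (most recent) Received: line records who really connected
    for received in fields.get("received", []):
        m = RECEIVED_FROM.search(received)
        if m:
            helo, rdns, ip = m.groups()
            if helo.lower() != rdns.lower():
                warnings.append(f"HELO name {helo} differs from reverse DNS {rdns} [{ip}]")
            break
    # 3. sendmail's own warnings about the session
    for warn in fields.get("x-authentication-warning", []):
        warnings.append("sendmail authentication warning: " + warn)
    return warnings

if __name__ == "__main__":
    for w in analyse(SAMPLE_MESSAGE):
        print("WARNING:", w)
```

Only the Received: line added by your own server can be trusted; earlier ones were written by whoever handed the message on, which is why the loop stops after the first match.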
Note: you can have several RCPT TO: lines, as well as Cc:, Subject: and so on.
Specifying recipients on the command line
The following example shows another difference between header addresses and envelope addresses: sendmail lets the user specify the recipients on the command line. Suppose the user has a file named letter with the following contents:
To: null recipient < >
Subject: header and envelope address
Testing
Send it with the following command:
# sendmail yourloginname < letter
The mail delivery process
If joe@gonzo.gov sends a message to betty@zippy.gov, andy@zippy.gov and fred@whizzer.com:
To: betty@zippy.gov, andy@zippy.gov, fred@whizzer.com
When the sendmail SMTP client at gonzo.gov sends the message, each envelope carries only the addresses for its own destination, while the complete recipient list appears only in the message header To: field, which neither the SMTP server at gonzo.gov nor the one at whizzer.com examines during transfer. In this example the copy sent to whizzer.com is addressed only to fred, while the envelope sent to zippy.gov is copied by that server into one message each for betty and andy.

Sendmail command set and security considerations
HELO/EHLO  identifies the client to the server ("hello, this is who I am"; it can be faked, but the IP address is logged, so faking it is mostly pointless)
MAIL  starts a mail transaction (mail from:)
RCPT  identifies one recipient; normally follows the MAIL command (several rcpt to: lines are allowed)
DATA  follows the RCPT commands; indicates that all recipients have been given and starts the data transfer
VRFY  used by the client to check whether a given user/mailbox exists; for security reasons some servers disable this command
EXPN  used by the client to check whether a given mailing list exists and to expand the list
HELP  asks which commands the server supports
NOOP  no operation; the server replies OK
QUIT  sent by the client to end the session
RSET  resets the session; the current transaction is cancelled
To harden the Sendmail server, stop users from telnetting to port 25 and running vrfy and expn. Change sendmail.cf as follows:
O PrivacyOptions=authwarnings change to:
O PrivacyOptions=authwarnings,noexpn,novrfy

If you have not yet built sendmail.cf, use the line from the firewall configuration above:
define(`confPRIVACY_FLAGS', `authwarnings,needmailhelo,noexpn,novrfy')dnl
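Because the same setting lives in two places (O PrivacyOptions in sendmail.cf and confPRIVACY_FLAGS in the .mc file it is generated from), an audit should check whichever file is at hand. The following Python is an added example, not code from the article or from sendmail: it finds the privacy line in either form, reports which of noexpn and novrfy are missing (goaway implies both), and returns the corrected line, which for the weak sendmail.cf above is exactly the line the text recommends. The configuration fragments are constructed for the example.

```python
import re

# Constructed sendmail.cf fragment in the weak state shown above.
WEAK_CF = """\
# privacy flags
O PrivacyOptions=authwarnings
"""

REQUIRED_FLAGS = ("noexpn", "novrfy")

# Group 1 captures the comma-separated flag list in either file format.
PATTERNS = (
    re.compile(r"^O\s+PrivacyOptions\s*=\s*(.*?)\s*$"),          # sendmail.cf
    re.compile(r"define\(`confPRIVACY_FLAGS',\s*`([^']*)'\)"),   # sendmail.mc
)

def audit_privacy(text):
    """Check the privacy options in sendmail.cf or sendmail.mc text.

    Returns (missing, fixed_line): missing is the tuple of required
    flags not present, fixed_line is the same line with those flags
    appended. If no privacy line exists at all, every flag is missing
    and fixed_line is None.
    """
    for line in text.splitlines():
        for pat in PATTERNS:
            m = pat.search(line)
            if not m:
                continue
            flags = [f.strip().lower() for f in m.group(1).split(",") if f.strip()]
            if "goaway" in flags:              # goaway = all privacy flags
                missing = ()
            else:
                missing = tuple(f for f in REQUIRED_FLAGS if f not in flags)
            fixed = line[:m.start(1)] + ",".join(flags + list(missing)) + line[m.end(1):]
            return missing, fixed
    return tuple(REQUIRED_FLAGS), None

if __name__ == "__main__":
    missing, fixed = audit_privacy(WEAK_CF)
    print("missing:", missing)
    print("fixed line:", fixed)
```

Because the fix is rebuilt from the original line rather than from a template, the m4 form keeps its trailing dnl and any flags such as needmailhelo that were already there.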
Sending mail with the mail command
1. cat report.txt | mail -s "Sales Reports" jephe@company.com
2. mail -s "Sales Reports" jephe@company.com < reports.txt
3. mail jephe@company.com
Subject: Sales Report
~r report.txt
~.
Cc:
The Sendmail aliases file
1. Every site is expected to have an administrator address. Many sites do not have a dedicated mail administrator account; instead an alias directs the administrator account to the mail addresses of one or more users who look after mail administration:
postmaster: joe,betty
All mail to postmaster is forwarded to the users joe and betty; joe and betty may themselves be aliases:
postmaster: jephe,hongyi
jephe: jephe@company.com
hongyi: hongyi@company.com

Note: sendmail keeps resolving aliases until it reaches a real user or a remote address. In an alias definition the name to the left of the colon must be a local user (a user in the local domain), while the right side may be a remote user.
Do not create aliases that loop and never resolve, such as:

postmaster: jephe
jephe: admin
admin:postmaster
2. Reading aliases from a file with :include:
homeboys: :include: /home/alphonese/homeboys.aliases (the two parts are separated by :include:)
If the file homeboys.aliases contains
alphonse
joe
betty
george
this is equivalent to
homeboys: alphonse,joe,betty,george
The benefit is that you can create a file that users maintain themselves.
3. Mailing to a file
nobody: /dev/null
Mail to nobody is appended to the named file. Since /dev/null is the empty device, the mail is discarded.
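The three alias forms in this section (chained aliases, :include: files and file targets) all go through the same expansion rule, and a loop like postmaster -> jephe -> admin -> postmaster is only detected once sendmail tries to deliver. The following Python is an added example, not code from the article or from sendmail: it parses an aliases file in the text form shown above, expands a name until only local users, remote addresses or files remain, drops /dev/null as a discard, and raises an error when an alias refers back to itself. The alias table and the :include: file contents are constructed for the example, the latter held in a dictionary so the example runs offline.

```python
# Constructed alias table in the unhashed /etc/aliases form used above,
# plus a simulated :include: file so the example runs offline.
ALIASES_TEXT = """\
postmaster: jephe,hongyi
jephe: jephe@company.com
hongyi: hongyi@company.com
homeboys: :include:/home/alphonse/homeboys.aliases
nobody: /dev/null
# a loop that must be rejected
admin: postmaster2
postmaster2: admin
"""

INCLUDE_FILES = {
    "/home/alphonse/homeboys.aliases": "alphonse\njoe\nbetty\ngeorge\n",
}

class AliasLoop(Exception):
    """Raised when an alias chain returns to a name already being expanded."""

def parse_aliases(text):
    """Turn alias text into {name: [targets]}; comments and blank lines skipped."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rhs = line.partition(":")
        name = name.strip().lower()
        if rhs.strip().startswith(":include:"):
            table[name] = [rhs.strip()]          # keep the :include: spec whole
        else:
            table[name] = [t.strip() for t in rhs.split(",") if t.strip()]
    return table

def expand(name, table, includes=INCLUDE_FILES, _path=()):
    """Resolve an alias the way sendmail does: keep expanding until every
    target is a local user, a remote address or a file.

    Returns a sorted list of final deliveries; file targets are prefixed
    'file:' and /dev/null is dropped (the mail is discarded). Raises
    AliasLoop if an alias eventually refers back to itself.
    """
    key = name.lower()
    if key in _path:
        raise AliasLoop(" -> ".join(_path + (key,)))
    if key.startswith("/"):
        return [] if key == "/dev/null" else ["file:" + key]
    if "@" in key:
        return [key]                             # remote address: final
    targets = table.get(key)
    if targets is None:
        return [key]                             # a real local user: stop here
    out = set()
    for target in targets:
        if target.startswith(":include:"):
            path = target[len(":include:"):].strip()
            members = includes.get(path, "").split()
        else:
            members = [target]
        for member in members:
            out.update(expand(member, table, includes, _path + (key,)))
    return sorted(out)

if __name__ == "__main__":
    aliases = parse_aliases(ALIASES_TEXT)
    for alias in ("postmaster", "homeboys", "nobody"):
        print(alias, "->", expand(alias, aliases))
    try:
        expand("admin", aliases)
    except AliasLoop as loop:
        print("alias loop:", loop)
```

Running the expansion over a new aliases file before newaliases is a cheap way to find loops and to see exactly which remote addresses a role account such as postmaster fans out to.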
(http://www.fanqiang.com)