★ Reposted from the OpenBSD board, from drillwater's post "Configuring sendmail outgoing-mail authentication on OpenBSD [repost]" ★<br>
[from <a target=_blank href="https://www.backwatcher.org/writing/howtos/obsd-sendmail+sasl.html">https://www.backwatcher.org/writing/howtos/obsd-sendmail+sasl.html</a>] <br>
<br>
OpenBSD Sendmail + SMTP AUTH Mini-HOWTO <br>
Introduction <br>
This Mini-HOWTO describes the steps I took to set up sendmail with SMTP AUTH [RFC 2554] support on OpenBSD 2.9. It covers recompiling OpenBSD's sendmail sources with support for SASL [RFC 2222], which SMTP AUTH is based on. Note that I am talking about the sendmail source code distributed with OpenBSD's source tree here (ie. from the OpenBSD 2.9 src.tar.gz archive file) and not the sendmail source tarball distributed by www.sendmail.org. <br>
Caveat and Disclaimer <br>
If you are following these instructions with a version of OpenBSD other than 2.9, your mileage may vary. Another version of OpenBSD should be fairly similar, but you may well have some additional problem solving to do. <br>
As usual, I am responsible for nothing you do. You are responsible for everything you do. If you destroy your system, it is your fault. It is not my fault, the fault of my parents, the fault of my children or the fault of my dog. <br>
<br>
Recompiling OpenBSD's Sendmail with SASL Support <br>
In order to recompile sendmail with SASL support, you will need to first install the 'cyrus-sasl' port from the OpenBSD ports tree. The following steps will accomplish this. <br>
<br>o Download ports.tar.gz <br>
<br>o Untar it in /usr with a command like <br>tar -C /usr -xvzf ports.tar.gz <br>
<br>o cd to <br>/usr/ports/security/cyrus-sasl <br>
<br>o Do a <br>make install ; make clean <br>
<br>
Next, you will need to install the OpenBSD source tree so the sendmail source is available. The following steps will accomplish this. <br>
<br>
<br>o Download src.tar.gz <br>
<br>o Untar it in /usr/src with a command like <br>tar -C /usr/src -xvzf src.tar.gz <br>
<br>
<br>
Now, to recompile sendmail with the SASL libraries and SASL support, do the following. <br>
<br>
<br>o cd to <br>/usr/src/gnu/usr.sbin/sendmail/sendmail <br>
<br>o Edit the Makefile in this directory as follows <br>Add -DSASL to the ENVDEF variable <br>Add -lsasl to the LDADD variable <br>
<br>o Edit the sendmail.h file and change <br># include <sasl.h> <br>to <br># include <sasl/sasl.h> <br>
<br>o Make the following symlinks <br>ln -s /usr/local/include/sasl /usr/include/sasl <br>cd /usr/local/lib ; ln -s libsasl.so.8.8 libsasl.so <br>
<br>o Add /usr/local/lib to your LD_LIBRARY_PATH like so <br>export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib <br>
<br>o cd to <br>/usr/src/gnu/usr.sbin/sendmail <br>
<br>o Do a <br>make ; make install ; make clean <br>
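As an added example, not part of the original HOWTO: a small sh script that applies the Makefile and sendmail.h edits from the steps above to a given sendmail source directory, so they can be re-applied after a source update without retyping them. It assumes the BSD-style ENVDEF= and LDADD= lines and the '# include <sasl.h>' line described above; the function names and the sample Makefile are mine, not OpenBSD's. It does not run make; that remains the last two steps above. <br>

```sh
#!/bin/sh
# Added example (not from the HOWTO): apply the ENVDEF/LDADD/sendmail.h edits of
# the recompile procedure to a sendmail source directory. Idempotent: running it
# twice still adds -DSASL and -lsasl only once. Assumes BSD-style "ENVDEF=" and
# "LDADD=" lines and a "# include <sasl.h>" line, as the HOWTO describes.

# edit FILE SED-EXPR: in-place sed via a temp file (sed -i is not portable
# between GNU sed and the sed shipped with OpenBSD).
edit() {
    sed "$2" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# enable_sasl_build DIR: DIR is the directory holding Makefile and sendmail.h,
# e.g. /usr/src/gnu/usr.sbin/sendmail/sendmail. Returns 0 only when all three
# edits are present afterwards.
enable_sasl_build() {
    dir=$1
    mk=$dir/Makefile
    hdr=$dir/sendmail.h
    [ -f "$mk" ] && [ -f "$hdr" ] || {
        echo "$dir: Makefile or sendmail.h missing" >&2
        return 1
    }

    # Insert the flag directly after the "=" so a trailing backslash
    # continuation on the ENVDEF/LDADD line is left intact.
    grep -Eq '^ENVDEF[[:space:]]*[+?:]*=.*-DSASL' "$mk" ||
        edit "$mk" 's/^\(ENVDEF[[:space:]]*[+?:]*=\)/\1 -DSASL/'
    grep -Eq '^LDADD[[:space:]]*[+?:]*=.*-lsasl' "$mk" ||
        edit "$mk" 's/^\(LDADD[[:space:]]*[+?:]*=\)/\1 -lsasl/'

    # Point the include at the header installed by the cyrus-sasl port.
    edit "$hdr" 's|^#[[:space:]]*include[[:space:]]*<sasl\.h>|# include <sasl/sasl.h>|'

    # Verify the result rather than trusting the edits blindly.
    grep -Eq '^ENVDEF.*-DSASL' "$mk" &&
        grep -Eq '^LDADD.*-lsasl' "$mk" &&
        grep -q '<sasl/sasl.h>' "$hdr"
}

# Usage: sh enable-sasl.sh /usr/src/gnu/usr.sbin/sendmail/sendmail
if [ "$#" -gt 0 ]; then
    enable_sasl_build "$1" && echo "SASL build flags in place in $1"
fi
```

Run it before the final 'make ; make install ; make clean'; if it reports an error, the source tree does not look like the one the HOWTO describes and the Makefile should be edited by hand. <br>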
<br>
Now, assuming god loves you, your sendmail binary has SMTP AUTH support. :-) <br>
<br>
Fixing OpenBSD's 'cyrus-sasl' Port <br>
For some reason, although the cyrus-sasl port makes symlinks as required in the /usr/local/lib/sasl directory, it makes them all wrong: they are dangling symlinks to library files that don't exist! In order to have your new sendmail binary actually be able to support SMTP AUTH via these SASL libraries, you need to delete all the symlinks in this directory and re-create them such that they actually point to the real library files. For example, the following should do it. <br>
<br>cd /usr/local/lib/sasl <br>find . -type l -exec rm {} \; <br>ln -s libanonymous.so.1.15 libanonymous.so <br>ln -s libcrammd5.so.1.15 libcrammd5.so <br>ln -s libdigestmd5.so.0.17 libdigestmd5.so <br>ln -s libkerberos4.so.1.15 libkerberos4.so <br>ln -s libplain.so.1.14 libplain.so <br>
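The version numbers in the ln commands above are the ones the port installed at the time; they will not match a later port. As an added example, not part of the HOWTO, here is a sh function that generalises the fix: it removes only the dangling symlinks in a directory and then points every libNAME.so at the highest-numbered libNAME.so.X.Y file actually present. The function name relink_sasl_plugins is mine; the file names used in its test are constructed. <br>

```sh
#!/bin/sh
# Added example (not from the HOWTO): repair SASL plugin symlinks.
# relink_sasl_plugins DIR
#   1. removes every symlink in DIR whose target no longer exists
#   2. for each versioned shared object libNAME.so.MAJOR.MINOR in DIR,
#      links libNAME.so to the highest MAJOR.MINOR found
# Existing real (non-symlink) libNAME.so files are left alone.
relink_sasl_plugins() {
    dir=$1
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }

    # -type l selects symlinks; test -e follows the link, so "! test -e"
    # is true exactly when the link target is missing.
    find "$dir" -type l ! -exec test -e {} \; -exec rm -f {} \;

    # Work on basenames (subshell + cd) so the sort keys below are not
    # disturbed by dots in the directory path.
    (
        cd "$dir" || exit 1
        for lib in lib*.so.[0-9]*.[0-9]*; do
            [ -f "$lib" ] || continue            # glob did not match, or not a plain file
            base=${lib%.so.*}.so                 # libplain.so.1.14 -> libplain.so
            if [ -e "$base" ] && [ ! -L "$base" ]; then
                echo "skipping $base: real file, not a symlink" >&2
                continue
            fi
            # Fields split on ".": NAME so MAJOR MINOR -> sort numerically on 3 and 4.
            target=$(ls "$base".[0-9]*.[0-9]* | sort -t . -k 3,3n -k 4,4n | tail -n 1)
            ln -sf "$target" "$base"
        done
    )
}

# Usage: sh relink-sasl.sh [DIR]   (defaults to the port's plugin directory)
if [ "$#" -gt 0 ]; then
    relink_sasl_plugins "$1"
fi
```

After running it, 'ls -l /usr/local/lib/sasl' should show every .so link resolving to a file that exists; a link shown in red or reported by 'find /usr/local/lib/sasl -type l ! -exec test -e {} \; -print' is still dangling. <br>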
<br>
At this point, your sendmail binary and the SASL libraries it is dependent on for SMTP AUTH support are all ready to rock. All you need to do now in order to make use of SMTP AUTH is configure SASL and sendmail. Note that if you do no additional configuration from this point, your sendmail should continue to function fine. It will just not have SMTP AUTH configured for use. <br>
<br>
Creating a SASL Sendmail.conf file <br>
You need to create a /usr/local/lib/sasl/Sendmail.conf file for sendmail. The contents of mine are as follows, but your requirements may differ. <br>
<br>pwcheck_method: sasldb <br>
<br>
This makes SMTP AUTH use /etc/sasldb, the SASL database. <br>
<br>
The possible arguments to pwcheck_method here are: <br>
<br>
<br>o sasldb: the user is looked up in sasldb with the realm <br>o passwd: the user is looked up via getpwnam() <br>o shadow: the user is looked up via getspnam() <br>o PAM: the user is looked up via PAM <br>o kerberos_v4: the user is looked up via Kerberos V4 <br>o pwcheck: the user/password combination is checked via a separate daemon <br>
<br>
Use whatever suits your need, but I am concentrating on sasldb here. <br>
<br>
Configuring Users <br>
To create users with associated passwords in /etc/sasldb, use the 'saslpasswd' command as follows: <br>
<br>saslpasswd someuser <br>
<br>
It will prompt you to enter the password twice and then create or modify the specified user accordingly. Note that the /etc/sasldb file is created the first time this command is used. Be sure the ownership and permissions are appropriate upon creation (ie. read and write by root only). <br>
<br>
You can check the contents of /etc/sasldb with the 'sasldblistusers' command. <br>
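Since /etc/sasldb holds the secrets SMTP AUTH is checked against, it is worth scripting the ownership and mode check rather than eyeballing 'ls -l' once. The following sh function is an added example, not part of the HOWTO: it passes only when the file is a regular file (not a symlink), owned by the expected user (root by default) and readable and writable by that user alone. The function name sasldb_perms_ok is mine; it parses 'ls -ld' because that output has the same layout on OpenBSD and Linux. <br>

```sh
#!/bin/sh
# Added example (not from the HOWTO): check that a SASL password database is
# owned by the right user and has no group/other permission bits, as the HOWTO
# requires for /etc/sasldb.
#
# sasldb_perms_ok FILE [OWNER]   (OWNER defaults to root)
# Prints one line per problem and returns 1 if any were found, else 0.
sasldb_perms_ok() {
    f=$1
    want=${2:-root}
    ok=0

    # Must be a regular file reached directly, not through a symlink that
    # someone else could repoint.
    if [ ! -f "$f" ] || [ -L "$f" ]; then
        echo "$f: missing, or not a regular file"
        return 1
    fi

    # ls -ld: field 1 is the mode string, field 3 the owner name.
    set -- $(ls -ld "$f")
    mode=$(printf '%s' "$1" | cut -c1-10)   # drop any ACL/SELinux marker ("+", ".")
    owner=$3

    [ "$owner" = "$want" ] || {
        echo "$f: owned by $owner, expected $want"
        ok=1
    }
    case "$mode" in
        ?rw-------) ;;                       # only the owner's read/write bits set
        *) echo "$f: mode $mode, expected -rw-------"; ok=1 ;;
    esac
    return $ok
}

# Usage: sh check-sasldb.sh [FILE] [OWNER]
if [ "$#" -gt 0 ]; then
    sasldb_perms_ok "$@" && echo "$1: ownership and permissions OK"
fi
```

Run it right after the first 'saslpasswd' call, which is when the file is created, and again after any restore from backup, since restores are where the mode tends to come back wrong. <br>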
<br>
Configuring /etc/mail/sendmail.cf <br>
In order to have relaying for authenticated users actually work, you will need to make some additions to your /etc/mail/sendmail.cf file. Using the m4 configuration method, I added the following to my domain.m4 file and regenerated sendmail.cf. <br>
<br>
define(`confAUTH_MECHANISMS',`DIGEST-MD5 CRAM-MD5 GSSAPI KERBEROS_V4')dnl <br>
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 GSSAPI KERBEROS_V4')dnl <br>
define(`confDEF_AUTH_INFO', `/etc/mail/default-auth-info')dnl <br>
FEATURE(`no_default_msa') <br>
DAEMON_OPTIONS(`Name=MTA') <br>
DAEMON_OPTIONS(`Port=587, Name=MSA, M=a')dnl <br>
<br>
Your requirements may be different however, so I caution you to read the relevant sections of the sendmail README file and whatever other resources are necessary for you to have properly done your homework on this. <br>
<br>
That's all I'm going to say about configuring sendmail because I figure that if you don't already have a pretty darn good idea how to do it, you probably aren't reading this. <br>
<br>
Resources <br>
Additional, relevant webpages that may be of interest: <br>
<br>o SMTP AUTH in sendmail 8.10/8.11 <br>
<br>o Cyrus SASL for System Administrators <br>
<br>
Additional, relevant RFCs that may be of interest: <br>
<br>
<br>o RFC 2595 Using TLS with IMAP, POP3 and ACAP <br>
<br>
Why this Mini-HOWTO sucks <br>
This sucks because I'm busy (sorry), but it is better that you found this from a web search than nothing at all. :-) <br>
Good Luck, <br>
<br>
-- Kyle Amon <br>
<br>
Afterthought <br>
One can remove the program identification and version number from sendmail's SMTP login message by including something like... <br>
<br>define(`confSMTP_LOGIN_MSG', `$j MYOB; $b')dnl <br>
<br>
in one of the m4 configuration files used to generate one's sendmail.cf file. <br>
<br>
One can remove the program identification and version number from sendmail's Received: headers by including something like... <br>
<br>
<br>define(`confRECEIVED_HEADER', `$?sfrom $s $.$?_($?s$|from $.$_) <br>$.$?{auth_type}(authenticated) <br>by $j (MYOB)$?r with $r$. id $i$?u <br>for $u; $|; $.$b')dnl <br>
<br>
in one of the m4 configuration files used to generate one's sendmail.cf file. <br>
<br>
Unfortunately, however, there is no configuration option I am aware of that will allow one to remove the program identification and version number from sendmail's response to the HELP command. Therefore, one must edit sendmail's srvrsmtp.c source file and recompile sendmail in order to eliminate this. For example: <br>
<br>
<br>vi /usr/src/gnu/usr.sbin/sendmail/sendmail/srvrsmtp.c <br>
<br>and change <br>
<br>message("502 5.3.0 Sendmail %s -- HELP not implemented", <br>Version); <br>
<br>to something like <br>
<br>message("502 5.3.0 MYOB"); <br>
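As an added example, not part of the HOWTO, here is a sh script that checks a captured set of server replies (what you see after connecting to port 587 with telnet or nc and sending EHLO and HELP) for the two things this page configures: which AUTH mechanisms the MSA advertises, and whether the banner and the HELP reply still carry the program name and version. It therefore covers both the confAUTH_MECHANISMS setting in the sendmail.cf section and the MYOB changes in this afterthought. The two transcripts it contains are constructed samples for a made-up host mail.example.com, not real captures, and the function names are mine. <br>

```sh
#!/bin/sh
# Added example (not from the HOWTO): audit saved SMTP server replies for
# advertised AUTH mechanisms and for software/version disclosure in the
# banner (220) and HELP reply (214 or 502).

# auth_mechs FILE: the mechanism list from the "250-AUTH ..." EHLO line.
auth_mechs() {
    grep -E '^250[- ]AUTH[ =]' "$1" | sed -E 's/^250[- ]AUTH[ =]//' |
        tr '\n' ' ' | sed 's/ *$//'
}

# plaintext_mechs FILE: mechanisms that send the password in the clear.
# They are acceptable only inside TLS, which this HOWTO does not set up.
plaintext_mechs() {
    for m in $(auth_mechs "$1"); do
        case "$m" in PLAIN|LOGIN) printf '%s\n' "$m" ;; esac
    done
}

# leaks_version FILE CODE-REGEX: 0 if a reply with one of those codes names
# the product or carries an x.y.z version. The reply code and an optional
# enhanced status code (e.g. "5.3.0") are stripped first so they are not
# mistaken for a version; an IP-literal hostname would still be flagged.
leaks_version() {
    grep -E "^($2)[- ]" "$1" |
        sed -E 's/^[0-9]{3}[- ]([0-9]+\.[0-9]+\.[0-9]+ )?//' |
        grep -Eiq 'sendmail|[0-9]+\.[0-9]+\.[0-9]+'
}

# audit_smtp_transcript FILE: prints one line per finding, returns the count.
audit_smtp_transcript() {
    f=$1
    n=0
    if leaks_version "$f" '220'; then
        echo "banner (220) leaks software/version"; n=$((n+1))
    fi
    if leaks_version "$f" '214|502'; then
        echo "HELP reply leaks software/version"; n=$((n+1))
    fi
    weak=$(plaintext_mechs "$f" | tr '\n' ' ')
    if [ -n "$weak" ]; then
        echo "plaintext AUTH mechanisms advertised: $weak"; n=$((n+1))
    fi
    if [ -z "$(auth_mechs "$f")" ]; then
        echo "no AUTH advertised at all (SMTP AUTH not active on this port)"; n=$((n+1))
    fi
    return $n
}

# write_sample_transcripts DIR: constructed samples, not real captures.
# before.txt: stock banner/HELP text and PLAIN/LOGIN offered without TLS.
# after.txt:  the MYOB banner and HELP reply from this page, and only the
#             challenge/response mechanisms from the sendmail.cf section.
write_sample_transcripts() {
    cat > "$1/before.txt" <<'EOF'
220 mail.example.com ESMTP Sendmail 8.11.3/8.11.3; Tue, 1 May 2001 12:00:00 -0700
250-mail.example.com Hello client.example.com [192.0.2.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
250 HELP
502 5.3.0 Sendmail 8.11.3 -- HELP not implemented
EOF
    cat > "$1/after.txt" <<'EOF'
220 mail.example.com MYOB; Tue, 1 May 2001 12:00:00 -0700
250-mail.example.com Hello client.example.com [192.0.2.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250-AUTH DIGEST-MD5 CRAM-MD5
250 HELP
502 5.3.0 MYOB
EOF
}

# Demo: audit both constructed transcripts. Pass a file of your own replies
# as the first argument to audit that instead.
if [ "$#" -gt 0 ]; then
    audit_smtp_transcript "$1" && echo "no findings"
else
    d=$(mktemp -d)
    write_sample_transcripts "$d"
    for t in before after; do
        echo "== $t.txt"
        audit_smtp_transcript "$d/$t.txt" && echo "no findings"
    done
    rm -rf "$d"
fi
```

The "before" transcript produces three findings (banner, HELP reply, plaintext mechanisms) and the "after" transcript none. If your own capture shows PLAIN or LOGIN, check confAUTH_MECHANISMS; if it shows no AUTH line at all on port 587, check that the DAEMON_OPTIONS line with M=a made it into sendmail.cf and that the SASL libraries resolve. <br>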