Exim + Cyrus-IMAPD + Cyrus-sasl2-saslauthd quick install
Posted on Sunday, 12 August 2007 at 2:35 PM by Lani
Exim configuration
cyrus-sasl2-saslauthd install
cyrus-imapd install and configuration
1. Install cyrus-sasl2-saslauthd
cd /usr/ports/security/cyrus-sasl2-saslauthd
make (leave every option unselected)
make install
vi /etc/rc.conf
saslauthd_enable="YES"
2. Install cyrus-imapd2
cd /usr/ports/mail/cyrus-imapd2
make
make install
vi /etc/rc.conf
cyrus_imapd_enable="YES"
Configuring IMAP:
1) Create /var/imap and /var/spool/imap
#mkdir /var/imap /var/spool/imap
#chown cyrus:mail /var/imap /var/spool/imap
#chmod 750 /var/imap /var/spool/imap
2) Edit /usr/local/etc/imapd.conf
Make sure you have the following:
admins: cyrus
allowanonymouslogin: no
sasl_pwcheck_method: saslauthd
3) Change to user cyrus and execute this
# su cyrus
% /usr/local/cyrus/bin/mkimap
This should create all the required directories with proper permission.
4) Make sure you have the following in /etc/services
pop3 110/tcp
imap 143/tcp
imsp 406/tcp
acap 674/tcp
imaps 993/tcp
pop3s 995/tcp
kpop 1109/tcp
sieve 2000/tcp
lmtp 2003/tcp
fud 4201/udp
5) Remove any imap, imaps, pop3, pop3s, kpop, lmtp and sieve lines from /etc/inetd.conf
6) Add the following line to the end of /etc/syslog.conf
local6.debug /var/log/imapd.log
then make syslogd re-read its configuration:
kill -HUP `cat /var/run/syslog.pid`
7) Create the log file:
# touch /var/log/imapd.log
8) Start the saslauthd server by doing
#/usr/local/etc/rc.d/saslauthd.sh start
9) Start the IMAPD server (copy imapd.sh.sample to imapd.sh)
#/usr/local/etc/rc.d/imapd.sh start
10) Set the passwd for user cyrus
#saslpasswd2 cyrus
Enter the passwd:
11) Now su as cyrus and test the IMAP server
#su cyrus
%imtest -m login -p imap localhost
Enter the password; if you see "OK User logged in", the server is working. Type ". logout" to exit.
12) Add user mailboxes by logging in with cyradm
%cyradm localhost
localhost@xxxx>cm user.lani
localhost@xxxx>quit
%exit
#
This step creates the user's mailbox.
13) Now set passwd for lani using saslpasswd2 (as root)
#saslpasswd2 lani
EnterPasswd:
13.1) Administering Cyrus with cyradm:
Connect as cyrus
cyradm -user cyrus localhost
Password:
localhost.oio.idv.tw>
Create a mailbox
localhost.oio.idv.tw> createmailbox user.lani
localhost.oio.idv.tw> listmailbox
user.lani (\HasNoChildren)
Set a mailbox quota
localhost.oio.idv.tw> setquota user.lani 50000
quota:50000
List the mailbox quota
localhost.oio.idv.tw> listquota user.lani
STORAGE 0/50000 (0%)
Delete an account: give cyrus the "c" right on the mailbox first, then delete it
localhost.oio.idv.tw> setaclmailbox user.lani cyrus c
localhost.oio.idv.tw> listaclmailbox user.lani
lani lrswipcda
cyrus c
localhost.oio.idv.tw> deletemailbox user.lani
13.2) Authentication method
Edit /usr/local/etc/imapd.conf
# The mechanism used by the server to verify plaintext passwords. Possible
# values include "auxprop" or "saslauthd"
#
#sasl_pwcheck_method: auxprop # auth by sasldb
#sasl_pwcheck_method: saslauthd # auth by saslauthd
sasl_pwcheck_method: saslauthd
13.2.a) Authenticating against sasldb
Edit /usr/local/etc/rc.d/saslauthd:
#saslauthd_flags=${saslauthd_flags:-"-a pam"} # Flags to saslauthd program (default: pam)
saslauthd_flags=${saslauthd_flags:-"-a sasldb"} # Flags to saslauthd program ## sasldb
sasldb
Authenticate against the SASL authentication database.
Now set the password for lani in sasldb using saslpasswd2 (as root):
#saslpasswd2 lani
EnterPasswd:
13.2.b) Authenticating against the local passwd file
Edit /usr/local/etc/rc.d/saslauthd:
#saslauthd_flags=${saslauthd_flags:-"-a pam"} # Flags to saslauthd program (default: pam)
saslauthd_flags=${saslauthd_flags:-"-a getpwent"} # Flags to saslauthd program ## local passwd file
getpwent
Authenticate using the getpwent() library function. Typically this authenticates against the local password file.
Set the system password:
#passwd lani
EnterPasswd:
14) Woohoo, that's it... Test from some other machine by telnetting to the imap port and see if you get something similar to this:
# telnet 127.0.0.1 imap
Trying 127.0.0.1...
Connected to localhost.oio.idv.tw.
Escape character is '^]'.
* OK oio.idv.tw Cyrus IMAP4 v2.1.18 server ready
. logout
* BYE LOGOUT received
. OK Completed
Connection closed by foreign host.
Exim configuration
vi /usr/local/etc/cyrus.conf
SERVICES {
...
lmtp cmd="lmtpd -a" listen="127.0.0.1:lmtp" prefork=0
}
/usr/local/etc/rc.d/imapd restart
netstat -an | grep LIST |grep 127.0.0.1
tcp4 0 0 127.0.0.1.2003 *.* LISTEN
## ROUTERS CONFIGURATION ##
localuser:
  driver = accept
  check_local_user
# local_part_suffix = +* : -*
# local_part_suffix_optional
  transport = local_delivery
  cannot_route_message = Unknown user
Change the transport to:
  transport = cyrus_lmtp
## TRANSPORTS CONFIGURATION ##
cyrus_lmtp:
  driver = smtp
  protocol = lmtp
  hosts = 127.0.0.1
  allow_localhost
  port = 2003
Test sending mail:
Exim log:
2007-08-12 03:38:21 message accepted: sender=
2007-08-12 03:38:22 1IJwmz-000Jm9-QG <= test@oio.idv.tw H=localhost (.) [127.0.0.1] P=smtp S=317
2007-08-12 03:38:23 1IJwmz-000Jm9-QG => test@oio.idv.tw R=localuser T=cyrus_lmtp H=127.0.0.1 [127.0.0.1]
2007-08-12 03:38:23 1IJwmz-000Jm9-QG Completed
Test receiving mail:
tail -f /var/log/imapd.log
Aug 12 03:47:35 oio.idv.tw master[76073]: about to exec /usr/local/cyrus/bin/pop3d
Aug 12 03:47:35 oio.idv.tw pop3[76073]: executed
Aug 12 03:47:35 oio.idv.tw pop3d[76073]: accepted connection
Aug 12 03:47:44 oio.idv.tw pop3d[76073]: login: localhost.oio.idv.tw[127.0.0.1] test plaintext
Aug 12 03:53:18 oio.idv.tw master[76069]: process 76073 exited, status 0
Configuring with SSL
Create a server key and certificate (we're wrapping both of these into one file, although splitting them would be possible)
#su - cyrus
#openssl req -new -x509 -nodes -out /var/imap/server.pem -keyout /var/imap/server.pem -days 3650
Generating a 1024 bit RSA private key
....++++++
.....++++++
unable to write 'random state'
writing new private key to '/var/imap/server.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TW
State or Province Name (full name) [Some-State]:Taiwan
Locality Name (eg, city) []:Taipei
Organization Name (eg, company) [Internet Widgits Pty Ltd]:oio.idv.tw
Organizational Unit Name (eg, section) []:Se
Common Name (eg, YOUR name) []:Lani
Email Address []:se@oio.idv.tw
Make sure the following options exist in /usr/local/etc/imapd.conf
sasl_pwcheck_method: auxprop # this should be the default, anyway
tls_key_file: /var/imap/server.pem
tls_ca_file: /var/imap/server.pem
tls_cert_file: /var/imap/server.pem
Restart imapd:
#/usr/local/etc/rc.d/imapd restart
How to test pop3s:
#openssl s_client -connect localhost:995
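As an added example (not part of the post, nor code from Cyrus or Cyrus SASL), the Python script below cross-checks the settings the steps above put in place: it parses an imapd.conf in the "option: value" form used throughout, extracts the -a backend from the active saslauthd_flags line of the rc.d script (step 13.2), and reports which component actually verifies plaintext IMAP passwords and whether the three tls_*_file options are set. The two configuration texts are constructed from the values shown in this post; the function names and the wording of the findings are this example's own.

```python
import re
import shlex

# Constructed sample inputs, assembled from the values the steps above put in place.
IMAPD_CONF = """\
configdirectory: /var/imap
partition-default: /var/spool/imap
admins: cyrus
allowanonymouslogin: no
# The mechanism used by the server to verify plaintext passwords.
#sasl_pwcheck_method: auxprop
sasl_pwcheck_method: saslauthd
tls_key_file: /var/imap/server.pem
tls_ca_file: /var/imap/server.pem
tls_cert_file: /var/imap/server.pem
"""

# The two lines from step 13.2; only the uncommented one decides the backend.
SASLAUTHD_RC = """\
#saslauthd_flags=${saslauthd_flags:-"-a pam"}      # Flags to saslauthd program
saslauthd_flags=${saslauthd_flags:-"-a getpwent"}  # Flags to saslauthd program
"""


def parse_imapd_conf(text):
    """imapd.conf holds one 'option: value' per line; lines starting with '#' are comments."""
    options = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#') or ':' not in line:
            continue
        key, value = line.split(':', 1)
        options[key.strip()] = value.strip()
    return options


def saslauthd_backend(rc_text):
    """Return the '-a' mechanism from the active saslauthd_flags line, or None if unset."""
    pattern = re.compile(r'\s*saslauthd_flags=\$\{saslauthd_flags:-"([^"]*)"\}')
    for line in rc_text.splitlines():
        match = pattern.match(line)          # a leading '#' makes the line not match
        if match:
            args = shlex.split(match.group(1))
            if '-a' in args and args.index('-a') + 1 < len(args):
                return args[args.index('-a') + 1]
    return None


def audit(options, backend):
    """Cross-check the settings the post relies on; returns a list of finding strings."""
    findings = []
    if options.get('allowanonymouslogin', 'no') != 'no':
        findings.append('anonymous IMAP login is enabled')
    method = options.get('sasl_pwcheck_method')
    if method == 'saslauthd':
        if backend is None:
            findings.append('imapd delegates to saslauthd but no -a backend is configured')
        else:
            # pam / sasldb / getpwent: this is where plaintext logins are really checked
            findings.append('plaintext passwords are verified by saslauthd via ' + backend)
    elif method == 'auxprop':
        findings.append('passwords come from sasldb2 via auxprop; saslauthd_flags are not consulted')
    else:
        findings.append('unexpected sasl_pwcheck_method: %r' % (method,))
    tls = {k: options.get(k) for k in ('tls_key_file', 'tls_cert_file', 'tls_ca_file')}
    missing = [k for k, v in tls.items() if not v]
    if missing:
        findings.append('TLS incomplete, unset: ' + ', '.join(missing))
    elif tls['tls_key_file'] == tls['tls_cert_file']:
        findings.append('key and certificate share ' + tls['tls_key_file']
                        + '; it contains the private key, so only the cyrus user should be able to read it')
    return findings


def run_audit(imapd_conf=IMAPD_CONF, rc_text=SASLAUTHD_RC):
    """Parse both files and return the findings for them."""
    return audit(parse_imapd_conf(imapd_conf), saslauthd_backend(rc_text))


if __name__ == '__main__':
    for finding in run_audit():
        print('-', finding)
```

Run against the real files by passing their contents to run_audit(); the point of the cross-check is that sasl_pwcheck_method: saslauthd on its own says nothing about where passwords live, only the -a flag of the running saslauthd does.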
References:
Cyrus-IMAP: http://www.soe.ucsc.edu/~venkat/tutorial1.html
Exim transport via LMTP: http://wiki.exim.org/CyrusImap?highlight=%28cyrus%29
Exim with DomainKeys Config
Posted on Thursday, 2 August 2007 at 5:36 PM by Lani
I. How it works:
How DomainKeys works
How DomainKeys works - the sending server
First, DomainKeys performs two setup steps:
1. Set up the keys: the domain generates a pair of "keys", a public key and a private key. The public key is published in the domain's DNS, while the private key stays on the sending mail server. This is step "A" of the sending flow diagram. Forged domains are ruled out by the system at this point.
2. Send the signature: once the domain is authenticated, the system uses the private key to generate a digital signature, which is attached to the header of the outgoing mail and transmitted to the recipient's mail server. This is step "B" of the sending flow diagram.
How DomainKeys works - the receiving server
Next, DomainKeys performs three verification steps:
1. Collect the keys: the receiving server takes the signature carried in the incoming mail (produced with the private key) and fetches the public key from the domain's DNS. This is step "C" of the flow diagram.
2. Compare the keys: the system checks the signature against the public key and checks whether the sender's domain in the message matches. If the two do not match, the message was sent under a forged domain and is very likely spam or a phishing message.
3. Deliver: messages that pass the comparison are delivered to the recipient's mailbox; messages that fail are blocked, marked or quarantined by the system. This is step "D" of the flow diagram.
II. Installation:
1. Install the libdomainkeys module; install libdomainkeys-0.68.tar.gz directly from ports:
cd /usr/ports/mail/libdomainkeys
make
make install
2. Rebuild Exim 4: add the following three lines to Exim's Local/Makefile and rebuild.
EXPERIMENTAL_DOMAINKEYS=yes
CFLAGS += -I/usr/local/include
LDFLAGS += -ldomainkeys -L/usr/local/lib
III. Configuration:
1. Generate the public/private key pair
Run the following command; the arguments are the domain name and the key length in bits:
/usr/ports/mail/libdomainkeys/work/libdomainkeys-0.68/dknewkey rbl.oio.idv.tw 1024
It prints the public key in the form of the TXT record that has to be added to DNS:
rbl.oio.idv.tw._domainkey IN TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIz9mdp6hZJaMQcmKjxZvimLyJkUHOyZCAqcZJw3EJne/nnqsi6Fae9BkGn8PDWJFGY5z2C4Zoo7D6WvVuVXhWoUfbmTo1bCb8XeICLwQlH0Ou42PUsiQaD4ZY10bBqtRwizrFv+RrJdCXdH+Jp6vdP4cfe+JzBVbF5ksaoM+ExQIDAQAB"
Just change the record name from rbl.oio.idv.tw._domainkey to private._domainkey.rbl.oio.idv.tw and the record takes effect.
It also writes a file named rbl.oio.idv.tw whose content is the private key:
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDIz9mdp6hZJaMQcmKjxZvimLyJkUHOyZCAqcZJw3EJne/nnqsi
6Fae9BkGn8PDWJFGY5z2C4Zoo7D6WvVuVXhWoUfbmTo1bCb8XeICLwQlH0Ou42PU
siQaD4ZY10bBqtRwizrFv+RrJdCXdH+Jp6vdP4cfe+JzBVbF5ksaoM+ExQIDAQAB
AoGBALNPpen5A4JW8TyGZz4F/iRgbjoI0tJrefTppH3JXu5PcSFJtVb+UBqvrIkV
sCCGvXI1ELtDn0lgoW9sOSvEdiaORO1wfmFMe6tfp7I0JopP7cGxDyoaml9ZaQgO
jWKMRcKlWdJaVWd9r/us+ybN8vXgr8+mc1bdE7q6y8/L5cUBAkEA+Lt4iiZZesAx
zsNlDvV5rA6xipYmSMqMmL3dKvQCeLZE27byIF8G8i/KPVbTvqdDUgtJ5suTGmqc
UMbs2o3rXQJBAM6t7rTf6pgRikpxX1/aUlIHqXcbUyrua2VRdAuzOkWBLkMBiSHZ
cfoPoTzwR4+p+negFtvN6yZV2lu1VnEV0IkCQH2b7tuVUkqzFHQeKMLNJIzHPtGF
0f+gii/4ceBnKXhcU5nBYbUHSDK1/6PKXVRCk7SzDrcGx1rny9jfHG2ijeECQFF6
KByOGYGRiJ8ISr0S6FkGRDx8PTEzhIsQrVrfcR1ta7tmo5UAj/owpzPK1atBK0h1
iA1nBEi8l7SHrGgwXWECQAT4idmoGF7H3CCFLg/4LXDxpJzjZVy2goJZMyk/X49W
zkzF9wkzHh6qNrwwr+8DHn/HxramKf+7Zb0D851LcIQ=
-----END RSA PRIVATE KEY-----
2. Exim configuration
Outgoing mail:
## ROUTERS Configuration ##
dnslookup:
  driver = dnslookup
  domains = ! +local_domains
# transport = remote_smtp
  transport = dk_smtp
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  no_more
## TRANSPORTS Configuration ##
dk_smtp:
  driver = smtp
  dk_private_key = /usr/exim/dk/rbl.oio.idv.tw ## private key
  dk_selector = private
  dk_domain = rbl.oio.idv.tw
  dk_canon = nofws
  #dk_canon = simple
##### headers of a test message as received by Yahoo Mail #####
From xxx@rbl.oio.idv.tw Wed Jul 25 17:56:27 2007
Return-Path:
Authentication-Results: mta194.mail.tp2.yahoo.com from=rbl.oio.idv.tw; domainkeys=pass (ok)
Received: from 210.68.43.7 (EHLO rbl.oio.idv.tw) (210.68.43.7)
by mta194.mail.tp2.yahoo.com with SMTP; Wed, 25 Jul 2007 17:56:27 +0800
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=private; d=rbl.oio.idv.tw;
h=Received:subject:from:rcpt:DomainKeys-Status;
b=XkyCN9f/bymGRW8tZejjxBbRxkQyNc5iXd2jv9pz7XyI1Pq8M5JCm2SethinzoVVbrSsgJcEq3dYyISUkap2tQ==;
Received: from localhost ([127.0.0.1] helo=.)
by rbl.oio.idv.tw with smtp (Exim 4.67)
(envelope-from
id 1IDdbQ-0003cL-Sz
for xxxx@yahoo.com.tw; Wed, 25 Jul 2007 17:56:46 +0800
subject:test
from:xxxx@rbl.oio.idv.tw
rcpt:xxxx@yahoo.com.tw
DomainKeys-Status: no signature
Incoming mail:
## ACL Configuration ##
RCPT ACL:
  warn control = dk_verify ## enable DomainKeys verification
DATA ACL:
  warn message = DomainKeys-Status: $dk_status
       log_message = DK status: $dk_status testing: $dk_testing signall: $dk_signsall
  deny message = DomainKeys signature did not verify.
       condition = ${if eq{$dk_testing}{0}{1}{0}}
Test results:
1. Log of a message that carried no signature and was rejected by the DATA ACL check
2007-07-30 18:20:53 1IFSMv-0008QW-Fj H=rbl.oio.idv.tw (rbl.oio.idv.tw) [210.68.43.7] Warning: DK status: no signature testing: 0 signall: 0
2007-07-30 18:20:53 1IFSMv-0008QW-Fj H=rbl.oio.idv.tw (rbl.oio.idv.tw) [210.68.43.7] F=
2. Log of a message that carried a signature and passed the DATA ACL check
2007-07-30 18:22:01 1IFSO1-0008QZ-3I H=web72805.mail.tp2.yahoo.com [203.188.200.195] Warning: DK status: good testing: 1 signall: 0
2007-07-30 18:22:01 1IFSO1-0008QZ-3I <= xx@yahoo.com.tw H=web72805.mail.tp2.yahoo.com [203.188.200.195] P=smtp S=2304 id=869287.96999.qm@web72805.mail.tp2.yahoo.com
2007-07-30 18:22:01 1IFSO1-0008QZ-3I => xxx
2007-07-30 18:22:01 1IFSO1-0008QZ-3I Completed
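The full signing and verification round trip described at the start of this post, as an added example in Python; this is not the post's code, nor Exim's or libdomainkeys' (which do this inside the dk_smtp transport and the dk_verify control). It uses only the standard library: a minimal DER reader for the two key encodings, the "simple" and "nofws" canonicalizations of the DomainKeys draft in simplified form, RSA-SHA1 with PKCS#1 v1.5 padding computed with Python integers, and a dictionary standing in for the DNS lookup of private._domainkey.rbl.oio.idv.tw. The key pair is the one printed above in this post; the message headers, body and the FAKE_DNS table are constructed, the function names are this example's own, and the status strings it returns mirror the $dk_status values in the logs above.

```python
import base64
import hashlib

# The key pair printed in this post (dknewkey output for rbl.oio.idv.tw); being public
# here, it only serves to let the example sign and verify offline.
PRIVATE_KEY_PEM = """-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDIz9mdp6hZJaMQcmKjxZvimLyJkUHOyZCAqcZJw3EJne/nnqsi
6Fae9BkGn8PDWJFGY5z2C4Zoo7D6WvVuVXhWoUfbmTo1bCb8XeICLwQlH0Ou42PU
siQaD4ZY10bBqtRwizrFv+RrJdCXdH+Jp6vdP4cfe+JzBVbF5ksaoM+ExQIDAQAB
AoGBALNPpen5A4JW8TyGZz4F/iRgbjoI0tJrefTppH3JXu5PcSFJtVb+UBqvrIkV
sCCGvXI1ELtDn0lgoW9sOSvEdiaORO1wfmFMe6tfp7I0JopP7cGxDyoaml9ZaQgO
jWKMRcKlWdJaVWd9r/us+ybN8vXgr8+mc1bdE7q6y8/L5cUBAkEA+Lt4iiZZesAx
zsNlDvV5rA6xipYmSMqMmL3dKvQCeLZE27byIF8G8i/KPVbTvqdDUgtJ5suTGmqc
UMbs2o3rXQJBAM6t7rTf6pgRikpxX1/aUlIHqXcbUyrua2VRdAuzOkWBLkMBiSHZ
cfoPoTzwR4+p+negFtvN6yZV2lu1VnEV0IkCQH2b7tuVUkqzFHQeKMLNJIzHPtGF
0f+gii/4ceBnKXhcU5nBYbUHSDK1/6PKXVRCk7SzDrcGx1rny9jfHG2ijeECQFF6
KByOGYGRiJ8ISr0S6FkGRDx8PTEzhIsQrVrfcR1ta7tmo5UAj/owpzPK1atBK0h1
iA1nBEi8l7SHrGgwXWECQAT4idmoGF7H3CCFLg/4LXDxpJzjZVy2goJZMyk/X49W
zkzF9wkzHh6qNrwwr+8DHn/HxramKf+7Zb0D851LcIQ=
-----END RSA PRIVATE KEY-----"""
TXT_RECORD = 'k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIz9mdp6hZJaMQcmKjxZvimLyJkUHOyZCAqcZJw3EJne/nnqsi6Fae9BkGn8PDWJFGY5z2C4Zoo7D6WvVuVXhWoUfbmTo1bCb8XeICLwQlH0Ou42PUsiQaD4ZY10bBqtRwizrFv+RrJdCXdH+Jp6vdP4cfe+JzBVbF5ksaoM+ExQIDAQAB'
# Constructed stand-in for DNS: "<selector>._domainkey.<domain>" -> TXT record text.
FAKE_DNS = {'private._domainkey.rbl.oio.idv.tw': TXT_RECORD}
SHA1_DIGESTINFO = bytes.fromhex('3021300906052b0e03021a05000414')  # DER DigestInfo prefix for SHA-1

def der_items(data):
    """Minimal DER walker: yield (tag, value) for each TLV in data."""
    i = 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        i += 2
        if length & 0x80:                       # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], 'big')
            i += n
        yield tag, data[i:i + length]
        i += length

def load_private_key(pem):
    """PKCS#1 RSAPrivateKey: SEQUENCE of INTEGERs version, n, e, d, p, q, dp, dq, qinv."""
    der = base64.b64decode(''.join(l for l in pem.splitlines() if not l.startswith('-----')))
    (_, seq), = der_items(der)
    ints = [int.from_bytes(v, 'big') for _, v in der_items(seq)]
    return {'n': ints[1], 'e': ints[2], 'd': ints[3]}

def parse_tags(value):
    """'k=rsa; p=...' or 'a=rsa-sha1; q=dns; ...' -> dict, splitting each tag on its first '='."""
    return dict(part.strip().split('=', 1) for part in value.split(';') if part.strip())

def load_txt_key(txt):
    """p= is a SubjectPublicKeyInfo: SEQUENCE { AlgorithmIdentifier, BIT STRING { SEQUENCE { n, e } } }."""
    (_, spki), = der_items(base64.b64decode(parse_tags(txt)['p']))
    _, bitstring = list(der_items(spki))[1]
    (_, rsa), = der_items(bitstring[1:])        # bitstring[0] is the unused-bits count
    n, e = [int.from_bytes(v, 'big') for _, v in der_items(rsa)]
    return {'n': n, 'e': e}

def canonicalize(headers, body, method):
    """Bytes to hash, following the draft's 'simple'/'nofws' algorithms (simplified here)."""
    if method == 'nofws':                       # drop every whitespace char, header and body
        hdrs = [''.join(h.split()) for h in headers]
        lines = [''.join(l.split()) for l in body.split('\n')]
    elif method == 'simple':                    # lines as-is, CRLF terminated
        hdrs = [h.rstrip('\r\n') for h in headers]
        lines = [l.rstrip('\r') for l in body.split('\n')]
    else:
        raise ValueError('unknown canonicalization: %r' % method)
    while lines and lines[-1] == '':            # both algorithms ignore trailing empty lines
        lines.pop()
    return ('\r\n'.join(hdrs) + '\r\n\r\n' + ''.join(l + '\r\n' for l in lines)).encode()

def emsa_pkcs1_sha1(data, k):
    """PKCS#1 v1.5 encoding of the SHA-1 digest, padded to the modulus size k."""
    t = SHA1_DIGESTINFO + hashlib.sha1(data).digest()
    return b'\x00\x01' + b'\xff' * (k - len(t) - 3) + b'\x00' + t

def sign_message(headers, body, priv, domain, selector, canon='nofws'):
    """Sender side (what the dk_smtp transport does): build the DomainKey-Signature header."""
    k = (priv['n'].bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_sha1(canonicalize(headers, body, canon), k), 'big')
    b = base64.b64encode(pow(m, priv['d'], priv['n']).to_bytes(k, 'big')).decode()
    names = ':'.join(h.split(':', 1)[0] for h in headers)
    return 'DomainKey-Signature: a=rsa-sha1; q=dns; c=%s; s=%s; d=%s; h=%s; b=%s' % (canon, selector, domain, names, b)

def verify_message(sig_header, headers, body, dns=FAKE_DNS):
    """Receiver side (control = dk_verify): return a status like Exim's $dk_status."""
    if sig_header is None:
        return 'no signature'
    tags = parse_tags(sig_header.split(':', 1)[1])
    txt = dns.get('%s._domainkey.%s' % (tags['s'], tags['d']))   # s= selector, d= domain
    if txt is None:
        return 'no key'
    pub = load_txt_key(txt)
    wanted = [n.lower() for n in tags['h'].split(':')]              # signed headers, in order
    signed = [h for n in wanted for h in headers if h.split(':', 1)[0].lower() == n]
    k = (pub['n'].bit_length() + 7) // 8
    s = int.from_bytes(base64.b64decode(tags['b']), 'big')
    expected = emsa_pkcs1_sha1(canonicalize(signed, body, tags['c']), k)
    return 'good' if pow(s, pub['e'], pub['n']).to_bytes(k, 'big') == expected else 'bad'
```

Loading both encodings and comparing the moduli confirms that the p= value in the TXT record and the private key file really are one pair. The nofws case in which extra spaces in the body still verify shows why dk_canon = nofws tolerates whitespace munging by intermediate MTAs while any change to the text itself still fails; rsa-sha1 is what the DomainKeys draft specifies, and its successor DKIM moved to rsa-sha256.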
IV. References:
libdomainkeys download: http://sourceforge.net/projects/domainkeys/
http://domainkeys.sourceforge.net/
Exim wiki: http://wiki.exim.org/DomainKeys
Yahoo explanation (Chinese): http://tw.promo.yahoo.com/antispam/domainkeys.html
Yahoo explanation (English): http://antispam.yahoo.com/domainkeys