如何在防火墙上设置Sendmail
发表于:2007-07-04来源:作者:点击数:
标签:
环境: 公司注册了正式域名company.com,防火墙运行 Linux 且用专线接入ISP,是通往Internet的唯一通道,用来处理公司内部出去的邮件和发往公司内部用户@company.com的所有邮件。在内部局域网上(仅一个网段,没有子网)有一台供内部用户收发邮件的Linux邮件
环境: 公司注册了正式域名company.com,防火墙运行
Linux且用专线接入ISP,是通往Internet的唯一通道,用来处理公司内部出去的邮件和发往公司内部用户@company.com的所有邮件。在内部局域网上(仅一个网段,没有子网)有一台供内部用户收发邮件的Linux邮件
服务器,两台机器均运行Sendmail 8.9.3
Sendmail 8.9.3的新特性 Sendmail 8.9.3包含几个新的特性,如果配置不当,你的Sendmail可能不能正常工作。这些特性主要是帮助过滤掉垃圾邮件和阻止你的站点被用来作为第三方的mail relay主机(什么是third-party mail relay? 附文章),你能根据你的站点所要求的政策配置这些参数。
1.Mail relay
在Sendmail 8.9.3中Relaying默认被拒绝了,这个特性可能使得运行Sendmail的Linux邮件服务器不允许你向它发送邮件,有几种方法来解决。
a. Default
默认情况下,你能简单地创建文件/etc/mail/relay-domains,它包含你希望接受relay的系统的域名,例如company.com 。如果不能做反向DNS查找,你应该清楚指明IP范围,如要允许内部网段上所有用户向其发送邮件,设为192.168.11 ,注意:你无法设置这里为company.com而允许你公司出差在外的旅行用户(拨当地ISP)来发送邮件。因为你拨到当地ISP后得到的动态IP地址属于当地ISP,反向DNS解析后的域名为ISP的域名,甚至有的不能够做反向DNS。解决办法是设置发送邮件服务器为当地ISP的服务器优点: 如果你仅仅需要relay mail from a few system,这可能是最简单的解决办法,它阻止你的服务器扮演作为relayer,但允许邮件通过。
缺点:你不能不保持文件不断更新,如果你是ISP,你必须不断保持这个文件被更新,更新后还要重新启动Sendmail ( killall -HUP sendmail )
b. promiscuous_relay
这个特性允许你relay来自任何地方的邮件。(不被建议的)
优点: 你不必担心邮件被拒绝
缺点: 任何人能用你的系统作为mail relay,这个参数的使用取消了8.9.3中新增的反relay 特性。
c. relay_entire_domain
这个特性允许来自在类W中设置的所有域的邮件被允许relay.默认地,这将是*.company.com
优点: 你不会担心来自你的域中的所有邮件被拒绝,你的域以外的系统不能被relay mail除非在/etc/mail/relay-domains文件中被指定或/etc/mail/a
clearcase/" target="_blank" >ccess中被指定。如果你仅仅想relay你自己的域中的主机,可以用这个参数来代替/etc/mail/relay-domains. 注意: 你需要设置反向DNS,当内部LAN上的主机连接到SMTP服务器上来时能被反向解析到本地域内。如192.168.11.12被解析到sh12.asiansources.com .
缺点:你可能不想允许你公司的其它组织relay mail。
d. relay_hosts_only
这允许你基于个别的主机名relay mail.不是域名。
优点: 细调relay许可权限,基于全称主机名,不是全称域名。
缺点:需要你指定或者在文件/etc/mail/relay-domains或者在access 数据库中的系统主机名。如果用
/etc/mail/relay-domains,文件将是
company.com
mailgate.company.com
othername.com
mailgate.othername.com
2. Mail blocking
a. accept_unresolvable_domains
默认地,如果发送者的域名(指发送者邮件地址后面的域名)不能被DNS解析 ,邮件被拒绝的。
如:
MAILFrom: wkeys@nonexistent 501 < wkeys@nonexistent>…Sender domain must exist
用参数accept_unresolvable_domains 跨越这个并接受来自任何域或IP地址的邮件。
b. access_db
这个特性使得sendmail寻找数据库文件(默认是/etc/mail/access.db),决定是否接受或拒绝mail或者你甚至能设定一个客户化的错误信息,这个特性也能用来控制relay许可。
优点:真的允许你细调将接收从谁来的邮件,如我不想接受来自不能被解析的域的邮件,但对个别域有例外。
c. accept_unqualified_senders
默认地,如果发送者的域不是全称域名,sendmail将拒绝这个连接。如mail from:553 …. Domain name required用这个特性跨越默认的情况以致连接将能被接受。
优点:我建议总是用全称域名地址,然而在内部邮件网关上,你可能不能控制其他本地系统如何发送给你邮件,这将允许你接受带非全称发送者地址的邮件。
缺点:你丢失了一些跟踪邮件来自哪里的能力,不要在防火墙上用它。
d. blacklist_recipients
这允许你阻止不想接受的邮件帐号发来的邮件。需要在/etc/mail/access中设置。
e. relay_based_on_MX
如果一台主机有MX记录指向你的站点,这个特性使得能从他们接受邮件。
优点:如果他们有MX记录指向你你就不需要加任何主机到access database.
缺点:这将允许第三方的mail relay,且不需要你的许可。
3.third-party mail relay
附另外一篇文章(文章荟萃)----sendmail 8.9.3 mail relay规则简介
公司防火墙上sendmail配置举例
divert(-1)
include(`/usr/lib/sendmail-cf/m4/cf.m4')
dnl let's define our OS type. This one is mandatory.
OSTYPE(`
linux')dnl
define(`confDEF_USER_ID',``8:12')
define(`ALIAS_FILE',`/etc/mail/aliases')dnl
define(`confPRIVACY_FLAGS', `authwarnings,needmailhelo,noexpn,novrfy')dnl
define(`confTO_QUEUERETURN', `4d')dnl
define(`confTO_QUEUEWARN', `4h')dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
undefine(`UUCP_RELAY')dnl
undefine(`BITNET_RELAY') dnl
FEATURE(`redirect')dnl
FEATURE(`always_add_domain')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`local_procmail')dnl
FEATURE(`nouucp')dnl
FEATURE(`mailertable', `hash -o /etc/mail/mailertable')dnl
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable')dnl
FEATURE(`domaintable',`hash -o /etc/mail/domaintable')
FEATURE(`access_db', `hash -o /etc/mail/access')dnl
FEATURE(`blacklist_recipients')dnl
MAILER(procmail)dnl
MAILER(smtp)dnl
use_cw_file
默认为/etc/sendmail.cw文件,指明了属于本地域处理的域名,发到这个域下的邮件为本地邮件。不要在防火墙上设置company.com到sendmai.cw中,在内部网段上的邮件服务器上设置它。更新该文件不需要重启sendmail
* How do I make all my addresses appear to be from a single host?
Using the V8 configuration macros, use:
MASQUERADE_AS(my.dom.ain)
This will cause all addresses to be sent out as being from the indicated domain.
If you're using version 8.7 sendmail, and you want to hide this information in the envelope
as well as the headers, use:
FEATURE(masquerade_envelope)
If you also want to masquerade the recipients, use
FEATURE(allmasquerade)
Mailertable
用这个特性可跨越DNS和DNS MX记录而relay mail。也可跨越Smart_host(DSxxxx)项.
如 company.com relay:[192.168.11.1]
从防火墙上接收的发往company.com的邮件relay到192.168.11.1
Include a "mailer table" which can be used to override
routing for particular domains. The argument of the
FEATURE may be the key definition. If none is specified,
the definition used is:
hash -o /etc/mailertable
Keys in this database are fully qualified domain names
or partial domains preceded by a dot -- for example,
"vangogh.CS.Berkeley.EDU" or ".CS.Berkeley.EDU".
Values must be of the form:
mailer:domain
where "mailer" is the internal mailer name, and "domain"
is where to send the message. These maps are not
reflected into the message header. As a special case,
the forms:
local:user
will forward to the indicated user using the local mailer,
local:
will forward to the original user in the e-mail address
using the local mailer, and
error:code message
will give an error message with the indicated code and
message.
Domaintable
域替换操作。
如果容易打错,发往company.com的邮件误写为compayn.com则加入一行
compayn.com company.com
Access.db
数据库记录包含两部分:the key and the action:
the key能是用户名,域名,或IP地址。
The action能是ok, relay,reject discard, or and RFC821 message
如:
cyberspammer.com 550 we don't accept mail form spammers
okay.cyberspammer.com OK
sendmail.org OK
128.32 relay
foobar.com reject
garbage@spam.org discard
Virtusertable
Virtusertable用在这样的场合中:
发往本地系统的用户的邮件被重定向到另一个用户.注意一定要是本地用户的邮件,否则不检查virtusertable数据库文件.如:
在该防火墙上设定company.com到/etc/sendmail.cw中,然后在/etc/mail/virtusertable 加一行user1@company.com otheruser@otherdomain.com virtusertable is a domain-specific form of aliasing, allowing multiple virtual domains to be hosted on one machine. For example, if the virtuser table contained:
info@foo.com foo-info
info@bar.com bar-info
@baz.org jane@elsewhere.net
then mail addressed to info@foo.com will be sent to the address foo-info, mail addressed to info@bar.com will be delivered to bar-info, and mail addressed to anyone at baz.org will be sent to jane@elsewhere.net. The username from the original address is passed as %1 allowing:
@foo.org %1@elsewhere.com
meaning someone@foo.org will be sent to someone@elsewhere.com.
All the host names on the left hand side (foo.com, bar.com,and baz.org) must be in $=w. The default map definition is:
hash -o /etc/virtusertable
FEATURE(genericstable,`hash -o /etc/mail/genericstable'):
Use a hashed table with masquerading information. The unhashed file looks like this:
bg bganslan@myisp.net
root bganslan@myisp.net
nobody bganslan@myisp.net
This file will tell sendmail to rewrite the FROM addresses of your mail, so you will be able to relay all you mail over your ISPs mail server. The first row contains the local address, the second one the address which should be used instead. In order for sendmail to read this file you have to hash it with this command:
makemap -r hash genericstable.db < genericstable
GENERICS_DOMAIN_FILE(`/etc/mail/genericsdomain'):
You have to add you local domain name to this file, so sendmail knows what mail is local and has to be masqueraded. To get you local domain, run "hostname".
FAQ: * I'm getting "Local configuration error" messages, such as:
553 MX list for domain.net points back to relay.domain.net
554 ... Local configuration error
How can I solve this problem?
You have asked mail to the domain (e.g., domain.net) to be forwarded to a specific host (in this case, relay.domain.net) by using an MX record, but the relay machine doesn't recognize itself as domain.net. Add domain.net to /etc/sendmail.cw (if you are using FEATURE(use_cw_file)) or add "Cw domain.net" to your configuration file.
IMPORT
ANT: When making changes to your configuration file, be sure you kill and restart the sendmail daemon (for ANY change in the configuration, not just this one):
kill `head -1 /etc/sendmail.pid`
sh -c "`tail -1 /etc/sendmail.pid`"
Mail for the Home Network ------the Stand Alone Config FEATURE(always_add_domain)dnl 这是被建议的选项,这个特性强迫local or program mailer需要全称域名 FEATURE(allmasquerade)
我在防火墙上用这个特性强迫所有的邮件象是来自站点的正式域名,你需要联合 MASQUERADE_AS特性FEATURE(masquerade_entire_domain)这个特性强迫你的域内的任何主机象是来自同一个域
FEATURE(masquerade_envelope)
MASQUERADE_AS(company.com)
明显地,这是为上面的伪装特性定义的值
MASQUERADE_DOMAIN( company.com othername.com )
如果你有多个内部域名,想伪装为同一个公司域名
环境:
考虑这样的情况:一个公司运行一台Sendmail的Linux邮件服务器,这台机器连有LAN,但通过PPP连接, Cable modem,or DSL连接上网通过ISP的邮件主机发送邮件. 且该机器上有两个用户jephe and hongyi (用
windows机器向company.com发送邮件),域名为company.com,ISP 域名为isp.net,邮件主机为 mail.isp.net且两人在isp.net上有相同帐号jephe@isp.net and hongyi@isp.net
要求:
jephe发一封信给hongyi@company.com,可以收到,发另一封信给Internet上某个人someone,则要求通过ISP出去,且回复地址重写为jephe@isp.net and hongyi@isp.net
#/etc/mail/relay-domains:
jephe.company.com
hongyi.company.com
#/etc/sendmail.cw
company.com
#sendmail.cf
define(`SMART_HOST',`smtp:[ix.deniz.com]')
MASQUERADE_AS(`deniz.com')
FEATURE(`masquerade_envelope')
define(RELAY_MAILER, TCP)
FEATURE(`accept_unqualified_senders')
There are 3 fixes you may have to perform manually if things are not working as you would like them:
1. If sendmail can not "find" your email server:
Edit your /etc/sendmail.cf and look for this line:
#Dj$w.Foo.COM
and change it to:
Djmaster.kulai.org
Where master.kulai.org is the name of your email server. Note: remove the # at the front of the line as # means: ignore - this is a comment line. This is one of sendmail's rules and it tells sendmail what the name of the email server is - in case dns, or other ways, do not tell sendmail what it wants.
2. Masquerading based on destination:
I had the hardest time trying to get sendmail to masquerade only the mail sent to the internet and not local mail, e.g. I wanted local mail to show the sender as: bmote@kulai.org and not bmote@deniz.com, but obviously I wanted mail that went out into the internet to show: bmote@deniz.com. To solve this you have to manually edit the /etc/sendmail.cf. Find the definitions of local rulesets 10 and 30 within sendmail.cf, (hint: search for S10 and S30) and delete these 2 lines - or put a # in front of them:
# Envelope sender rewriting
#
S10
R<@> $n errors to mailer-daemon
R@ <@ $*> $n temporarily bypass Sun bogosity
R$+ $: $>50 $1 add local domain if needed
R$* $: $>94 $1 do masquerading <-- delete this line
#
# Header sender rewriting
#
S30
R<@> $n errors to mailer-daemon
R@ <@ $*> $n temporarily bypass Sun bogosity
R$+ $: $>50 $1 add local domain if needed
R$* $: $>93 $1 do masquerading <-- delete this line
There is no m4-based solution for this, so you have to modify sendmail.cf directly. You need to restart sendmail afterwards, of course.
Note: I have jpollman@kulai.org in my From: line in my email program, so sendmail will masquerade only out-going mail. Many thanks to: Achim L?bbert for the solution.
3. Using unqualified names fails:
If you type just the user's name in the To: part of the email and it disappears into the internet, you may have to tell sendmail where to put email with unqualified names. Add this to the bottom of your master.mc:
define(`LOCAL_RELAY',`mail.kulai.org')
LOCAL_RELAY: again: instead of mail.kulai.org, put your mail server's name here. This line will make sendmail send unqualified names, like just "bmote", to your mail server, i.e. sendmal will add the kulai.org onto bmote for you. This way you can type just bmote in the To: field in your email program instead of bmote.kulai.org. Of course you will have to do the m4, copy, restart routine again to make it take effect.
Message header and Message envelope
所有的email邮件由三部分组成: envelope , header , and boby.
当两台
电脑在握手处理邮件传递时,邮件的信封部分被生成了,它携带着真实的邮件接收者地址,在一个 正常的合法的邮件中,信封中的邮件接收者地址匹配着to:地址,但是也有一些例外情况,当邮件发到一个 别名,一个mailing list服务器,或者象假期通知的重定向处理。 有时候你怀疑为什么一个封发到to: someone@answerme.com,却在你的mailbox中,它是由于message to: and envelope to:的不同,具体的实现方法有多种,象B
CC:,别名,邮件列表,直接的命令行伪装, 专门的实现程序(Diffondi 3.1.6),virtusertable虚拟域,前面的单独拨号配置的伪装。。。。
Direct Forging
At the Unix command prompt of the second-party test machine, shell.elsewhere.com, telnet to port 25 of your machine and try the following. (Your responses are in bold. Make sure that you include a blank line after the From: header and that the message ends with a line containing nothing but a period.)
telnet mail.killaspammer.com 25220 mail.killaspammer.com ESMTP Sendmail 8.8.5/8.8.5; Mon, 16 Mar 1998 02:34:20 -0800 (PST)
MAIL FROM:
250 ... Sender ok
RCPT TO:
250 ... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
To: insulting@wideopen.com.domain
From: spammer@screwyou.com
Umm, umm, hot spam on rye!
. 250 CAA17232 Message accepted for delivery
quit
221 mail.killaspammer.com closing connection
Connection closed by foreign host.
Now, log in as sam on mail.killaspammer.com and read the message. The headers will look something like this:
From spammer@worldnet.att.net Mon Mar 16 02:57:02 1998
Received: from shell.elsewhere.com (shell.elsewhere.com [192.168.1.77]) by
mail.killaspammer.com (8.8.5/8.8.5) with SMTP id CAA17232 for ;
Mon, 16 Mar 1998 02:53:50 -0800 (PST)
Date: Mon, 16 Mar 1998 02:53:50 -0800 (PST)
Message-Id: <199803161053.CAA17232@mail.killaspammer.com>
X-Authentication-Warning mail.killaspammer.com: shell.elsewhere.com [192.168.1.77] didn't use HELO protocol As you can see, spamming is ridiculously easy to do, which is why it has gotten to be such a big problem.
注:你可以有多个rcpt to:行,且有cc: subject: 等等。
在命令行上指定接收者
下面的例子说明了邮件头中地址和信封地址的又一个不同点,sendmail允许用户在命令行上指定邮件的接收者。假设用户有一封信letter,内容如下:
To: null recipient < >
Subject : header and envelope address
Testing
使用下面命令将其发出
#sendmail yourloginname < letter
邮件递交过程
如果joe@gonzo.gov发信给betty@zippy.gov , andy@zippy.gov and fred@whizzer.com
To: betty@zippy.gov , andy@zippy.gov , fred@whizzer.com
当位于gonzo.gov的sendmail SMTP客户在发信时,每个信封上只写一个地址,而接收者的完整清单只放在 message header to:域中,因为邮件在发送时在gonzo.gov和whizzer.com处的SMTP服务器都不会检查该域。 本例中发给whizzer.com的信只标记寄给fred,而发给zippy.gov的信封再服务器收到后再复制到betty and andy各一份。
Sendmail 命令集合及
安全考虑
HELO/HLEO 向服务器标识用户身份(喂,我是谁,可以欺骗,但记录IP地址,大多没用)
MAIL 初始化邮件传输 ( mail from: )
RCPT 标识单个的邮件收件人,通常在MAIL命令后,(多个rcpt to: )
DATA 在RCPT命令之后,表示所有的邮件收件人已标识,并初始化数据传输
VRFY 由客户机使用,用来验证给定的用户/邮箱是否存在;由于安全方面的原因,某些服务器使用此命令无效
E
XPN 由客户机使用,用来验证给定邮箱列表是否存在,并用该命令扩充邮箱列表
HELP 查询服务器支持什么命令
NOOP 无操作;服务器响应OK
QUIT 客户机发送此命令以结束会话
RSET 重置会话;当前传输被取消
为了增强Sendmail服务器的安全性,禁止用户telnet 到端口25作vrfy ,and expn操作。可以更改sendmail.cf如下:
O PrivacyOptions=authwarnings change to:
O PrivacyOptions=authwarnings,noexpn,novrfy
如还未建立sendmail.cf文件,可照上面的防火墙配置:
define(`confPRIVACY_FLAGS', `authwarnings,needmailhelo,noexpn,novrfy')dnl
用Mail命令发送邮件
1. cat report.txt | mail -s "Sales Reprorts" jephe@company.com
2. mail -s "Sales Reports" jephe@company.com < reports.txt
3. mail jephe@company.com
Subject: Sales Report
~r report.txt
~.
Cc:
Sendmail 别名文件
1. 一般站点都要求一个管理员地址,许多站点并没有一个专门的邮件管理员帐号,而使用别名将管理员帐号定向到一个或多个对邮件管理的用户邮件地址上:
postmaster: joe,betty
凡送给postmaster的邮件都转送给用户joe和betty,此处joe和betty也可以是别名
postmaster: jephe,hongyi
jephe: jephe@company.com
hongyi: hongyi@company.com
注意:sendmail不断地对别名进行解释直到得到一个真正的用户或远端地址为止。别名定义中,冒号左侧的别名必须是本地用户/本地域用户,而右侧可以为远端用户。
不要设置造成循环查找别名而找不到。
如
postmaster: jephe
jephe: admin
admin:postmaster
2. 从文件中读取别名:include: 使用
homeboys: :include: /home/alphonese/homeboys.aliases ( 用:include: 把两边分隔)文件homeboys.aliases中包含
alphonse
joe
betty
george
就相当于
homeboys: alphonse,joe,betty,george
好处是可以创建一文件让用户自己维护。
3.向文件发邮件
nobody: /dev/null
发给nobody的邮件附加到指定文件后面。由于/dev/null为空文件,故邮件丢弃。
原文转自:http://www.ltesting.net