http://spire.spaces.live.com/blog/cns!8CE483F458A23E32!1425.entry
The server is hosted abroad and the GFW is a nuisance, so I added an SSL connection option to the qmail mail server. There is very little Chinese-language material on this, especially on doing it with stunnel, so after the upgrade I wrote up these notes.
Install qmail with vpopmail as before. My server already had qmail installed and everything was working; only the SMTP authentication patch had been applied.
If that is your situation, you can upgrade directly.
The following two packages need to be installed:
1. openssl (http://www.openssl.org)
# cd openssl-0.9.8e
# ./config
# make
# make test
# make install
# openssl version
OpenSSL 0.9.8e 23 Feb 2007

2. stunnel (http://www.stunnel.org) (when configuring stunnel, pay attention to the install paths; /sbin/stunnel and /etc/stunnel are the two that matter.)
# ./configure --sysconfdir=/etc --localstatedir=/var --sharedstatedir=/var --sbindir=/sbin
# make
# make install
# stunnel -version
stunnel 4.20 on i686-pc-linux-gnu with OpenSSL 0.9.8e 23 Feb 2007
Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv4
Global options
debug = 5
pid = /usr/local/var/run/stunnel/stunnel.pid
RNDbytes = 64
RNDfile = /dev/urandom
RNDoverwrite = yes
Service-level options
cert = /etc/stunnel/stunnel.pem
ciphers = ALL:!ADH:+RC4:@STRENGTH
key = /etc/stunnel/stunnel.pem
session = 300 seconds
sslVersion = SSLv3 for client, all for server
TIMEOUTbusy = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect = 10 seconds
TIMEOUTidle = 43200 seconds
verify = none
After installation, create two files. The first is /etc/stunnel/pop3.conf:
# /etc/stunnel/pop3.conf
cert = /var/qmail/control/servercert.pem
exec = /var/qmail/bin/qmail-popup
execargs = qmail-popup your.domain.com /home/vpopmail/bin/vchkpw /var/qmail/bin/qmail-pop3d Maildir

The second is /etc/stunnel/smtp.conf:
# /etc/stunnel/smtp.conf
cert = /var/qmail/control/servercert.pem
exec = /var/qmail/bin/qmail-smtpd
execargs = qmail-smtpd /home/vpopmail/bin/vchkpw /bin/true
Create the qmail server certificate (since we issue it ourselves, any validity period will do; here it is set to 10 years). Run these commands from /var/qmail/control, where the relative file names below resolve:
# openssl req -new -x509 -nodes -out servercert.pem -days 3650 -keyout servercert.pem

Then set the ownership and permissions of the server certificate file servercert.pem:
# ln -s /var/qmail/control/servercert.pem clientcert.pem
# chown -R vpopmail:qmail /var/qmail/control/clientcert.pem /var/qmail/control/servercert.pem
# chmod 600 servercert.pem    # this one is important

Create the run files for the SSL pop3 and smtp services:
# mkdir -p /var/qmail/supervise/qmail-pop3ds/log /var/qmail/supervise/qmail-smtpds/log /var/log/qmail/pop3ds /var/log/qmail/smtpds

/var/qmail/supervise/qmail-pop3ds/run
#!/bin/sh
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
LOCAL=`head -1 /var/qmail/control/me`
exec /usr/local/bin/softlimit -m 20000000 \
/usr/local/bin/tcpserver -H -R -v -l "$LOCAL" -c "$MAXSMTPD" 0 995 \
/sbin/stunnel /etc/stunnel/pop3.conf 2>&1
/var/qmail/supervise/qmail-pop3ds/log/run
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t \
/var/log/qmail/pop3ds
/var/qmail/supervise/qmail-smtpds/run
#!/bin/sh
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
LOCAL=`head -1 /var/qmail/control/me`
if [ -z "$QMAILDUID" -o -z "$NOFILESGID" -o -z "$MAXSMTPD" -o -z "$LOCAL" ]; then
    echo QMAILDUID, NOFILESGID, MAXSMTPD, or LOCAL is unset in
    echo /var/qmail/supervise/qmail-smtpds/run
    exit 1
fi
if [ ! -f /var/qmail/control/rcpthosts ]; then
    echo "No /var/qmail/control/rcpthosts!"
    echo "Refusing to start SMTP listener because it'll create an open relay"
    exit 1
fi
# tcpserver drops to uid/gid 89 (the ids used in the author's setup) before running stunnel,
# which in turn execs qmail-smtpd; adjust the numbers if your ids differ.
exec /usr/local/bin/softlimit -m 20000000 \
    /usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
    -u 89 -g 89 0 465 \
    /sbin/stunnel /etc/stunnel/smtp.conf 2>&1

/var/qmail/supervise/qmail-smtpds/log/run
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t /var/log/qmail/smtpds

Link the service directories into /service:
# cd /service
# ln -s /var/qmail/supervise/qmail-pop3ds/ qmail-pop3ds
# ln -s /var/qmail/supervise/qmail-smtpds/ qmail-smtpds

Modify the qmailctl file, /var/qmail/bin/qmailctl (this file is written in a somewhat elaborate way; I have a simpler one, which I will post later):
#!/bin/sh
# Description: the qmail MTA
PATH=/var/qmail/bin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin
export PATH
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
case "$1" in
    start)
        echo "Starting qmail..."
        echo " qmail-send"
        if svok /service/qmail-send ; then
            svc -u /service/qmail-send /service/qmail-send/log
        else
            echo " qmail-send supervise not running"
        fi
        echo " qmail-smtp"
        if svok /service/qmail-smtpd ; then
            svc -u /service/qmail-smtpd /service/qmail-smtpd/log
        else
            echo " qmail-smtpd supervise not running"
        fi
        echo " qmail-smtp ssl"
        if svok /service/qmail-smtpds ; then
            svc -u /service/qmail-smtpds /service/qmail-smtpds/log
        else
            echo " qmail-smtpd ssl supervise not running"
        fi
        echo " qmail-pop3d"
        if svok /service/qmail-pop3d ; then
            svc -u /service/qmail-pop3d /service/qmail-pop3d/log
        else
            echo " qmail-pop3d supervise not running"
        fi
        echo " qmail-pop3d ssl"
        if svok /service/qmail-pop3ds ; then
            svc -u /service/qmail-pop3ds /service/qmail-pop3ds/log
        else
            echo " qmail-pop3d ssl service not running"
        fi
        if [ -d /var/lock/subsys ]; then
            touch /var/lock/subsys/qmail
        fi
        ;;
    stop)
        echo "Stopping qmail..."
        echo " qmail-smtpd"
        svc -d /service/qmail-smtpd /service/qmail-smtpd/log
        echo " qmail-smtpd ssl"
        svc -d /service/qmail-smtpds /service/qmail-smtpds/log
        echo " qmail-send"
        svc -d /service/qmail-send /service/qmail-send/log
        echo " qmail-pop3d"
        svc -d /service/qmail-pop3d /service/qmail-pop3d/log
        echo " qmail-pop3d ssl"
        svc -d /service/qmail-pop3ds /service/qmail-pop3ds/log
        if [ -f /var/lock/subsys/qmail ]; then
            rm /var/lock/subsys/qmail
        fi
        ;;
    stat)
        svstat /service/qmail-send
        svstat /service/qmail-send/log
        svstat /service/qmail-smtpd
        svstat /service/qmail-smtpd/log
        svstat /service/qmail-smtpds
        svstat /service/qmail-smtpds/log
        svstat /service/qmail-pop3d
        svstat /service/qmail-pop3d/log
        svstat /service/qmail-pop3ds
        svstat /service/qmail-pop3ds/log
        qmail-qstat
        ;;
    doqueue|alrm|flush)
        echo "Flushing timeout table and sending ALRM signal to qmail-send."
        /var/qmail/bin/qmail-tcpok
        svc -a /service/qmail-send
        ;;
    queue)
        qmail-qstat
        qmail-qread
        ;;
    reload|hup)
        echo "Sending HUP signal to qmail-send."
        svc -h /service/qmail-send
        ;;
    pause)
        echo "Pausing"
        echo " qmail-send"
        svc -p /service/qmail-send
        echo " qmail-smtpd"
        svc -p /service/qmail-smtpd
        echo " qmail-smtpd ssl"
        svc -p /service/qmail-smtpds
        echo " qmail-pop3d"
        svc -p /service/qmail-pop3d
        echo " qmail-pop3d ssl"
        svc -p /service/qmail-pop3ds
        ;;
    cont)
        echo "Continuing"
        echo " qmail-send"
        svc -c /service/qmail-send
        echo " qmail-smtpd"
        svc -c /service/qmail-smtpd
        echo " qmail-smtpd ssl"
        svc -c /service/qmail-smtpds
        echo " qmail-pop3d"
        svc -c /service/qmail-pop3d
        echo " qmail-pop3ds"
        svc -c /service/qmail-pop3ds
        ;;
    restart)
        echo "Restarting qmail:"
        echo "* Stopping qmail-smtpd."
        svc -d /service/qmail-smtpd /service/qmail-smtpd/log
        echo "* Stopping qmail-smtpd ssl."
        svc -d /service/qmail-smtpds /service/qmail-smtpds/log
        echo "* Sending qmail-send SIGTERM and restarting."
        svc -t /service/qmail-send /service/qmail-send/log
        echo "* Restarting qmail-smtpd."
        svc -u /service/qmail-smtpd /service/qmail-smtpd/log
        echo "* Restarting qmail-smtpd ssl."
        svc -u /service/qmail-smtpds /service/qmail-smtpds/log
        echo "* Restarting qmail-pop3d."
        svc -t /service/qmail-pop3d /service/qmail-pop3d/log
        echo "* Restarting qmail-pop3ds."
        svc -t /service/qmail-pop3ds /service/qmail-pop3ds/log
        ;;
    cdb)
        tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp
        chmod 644 /etc/tcp.smtp.cdb
        echo "Reloaded /etc/tcp.smtp."
        ;;
    help)
        cat <<HELP
stop -- stops mail service (smtp connections refused, nothing goes out)
start -- starts mail service (smtp connection accepted, mail can go out)
pause -- temporarily stops mail service (connections accepted, nothing leaves)
cont -- continues paused mail service
stat -- displays status of mail service
cdb -- rebuild the tcpserver cdb file for smtp
restart -- stops and restarts smtp, sends qmail-send a TERM & restarts it
doqueue -- schedules queued messages for immediate delivery
reload -- sends qmail-send HUP, rereading locals and virtualdomains
queue -- shows status of queue
alrm -- same as doqueue
flush -- same as doqueue
hup -- same as reload
HELP
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|doqueue|flush|reload|stat|pause|cont|cdb|queue|help}"
        exit 1
        ;;
esac
exit 0
At this point both new services should already be running. But let's restart everything once anyway:
# qmailctl stop
# qmailctl start
# qmailctl stat
/service/qmail-send: up (pid 9196) 3561 seconds
/service/qmail-send/log: up (pid 9197) 3561 seconds
/service/qmail-smtpd: up (pid 9200) 3561 seconds
/service/qmail-smtpd/log: up (pid 9202) 3561 seconds
/service/qmail-smtpds: up (pid 9205) 3561 seconds
/service/qmail-smtpds/log: up (pid 9207) 3561 seconds
/service/qmail-pop3d: up (pid 9210) 3561 seconds
/service/qmail-pop3d/log: up (pid 9214) 3561 seconds
/service/qmail-pop3ds: up (pid 9217) 3561 seconds
/service/qmail-pop3ds/log: up (pid 9220) 3561 seconds
messages in queue: 2
messages in queue but not yet preprocessed: 27
# The above is the output of qmailctl stat. The uptime should be more than 1 second; if it keeps alternating between 0 seconds and 1 second, there is an error in the run file, so go and look at the error messages in the log.

Debugging methods:

- # ps -efl | grep "service errors" | grep -v grep
4 S root 5631 5626 0 75 0 - 303 pipe_w Sep01 ? 00:00:00 readproctitle service errors: .........

- # telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 c2forum.net ESMTP
ehlo
250-your.domain.com
250-AUTH LOGIN CRAM-MD5 PLAIN
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-PIPELINING
250 8BITMIME
auth login
334 VXNlcm5hbWU6
quit

- # telnet localhost 110
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK<1520.11887344591214@your.domain.com>
user albert
+OK
pass albert
+OK
list
+OK
1 2734
2 31807
3 34957
4 20644
5 27798
6 26584
.
quit

- # openssl s_client -connect localhost:465
(After running this there is a large amount of certificate-related output, omitted here; only the last line is reproduced. From there the test is the same as with telnet localhost 25.)
220 your.domain.com ESMTP

- # openssl s_client -connect localhost:995
(After running this there is a large amount of certificate-related output, omitted here; only the last line is reproduced. From there the test is the same as with telnet localhost 110.)
+OK<1872.1188791523434@your.domain.com>

- Check the main logs, including:
  /var/log/qmail/current
  /var/log/qmail/pop3d/current
  /var/log/qmail/pop3ds/current
  /var/log/qmail/smtpd/current
  /var/log/qmail/smtpds/current

- You can also add the following two settings to /etc/stunnel/smtp.conf and pop3.conf to produce detailed debug logs:
debug = 7
output = /var/log/qmail/stunnel.log

Problems you may run into:

- If you copy and paste, be very careful: the line endings of a file can change when you paste it into a telnet client program, because the DOS and Unix formats differ. Pay particular attention to the line break after the #!/bin/sh declaration on the first line of a run file.
- tcpserver: fatal: no IP address for your.domain.com
  This means the port is already occupied by another process; either stop that process or switch to another port.
- Wrong permissions on /var/qmail/control/servercert.pem
  Set the permissions of servercert.pem to 600.
- The trailing " /bin/true" in /etc/stunnel/smtp.conf must not be forgotten, otherwise the client will report that authentication failed.
- SSL certificate problems: because we issued the certificate ourselves, the client will show a warning. Two ways around this: 1. buy a certificate issued by a recognized CA (very expensive; many domestic vendors offer cheap prices for domestic-scope certificates, but international-scope ones are a different matter). 2. rename servercert.pem to a .crt or .cer file, then import it on the client machine through IE's Internet Options, choosing the automatic option. If you have questions, feel free to leave a comment on my blog.
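The uptime note under qmailctl stat and the permission and "/bin/true" pitfalls in the problems list above, put together as a post-install check script. This is an added example, not part of the original post and not code from qmail or stunnel. It assumes the post's paths for servercert.pem and smtp.conf (overridable through the CERT and SMTP_CONF environment variables) and the svstat output format shown above; the stat lines inside it are constructed sample data.

```shell
#!/bin/sh
# Post-install check for the qmail + stunnel setup described in the post.
# Added example; paths default to the ones used in the post and can be
# overridden through the environment. Uses only POSIX sh, ls, sed and awk.

CERT=${CERT:-/var/qmail/control/servercert.pem}
SMTP_CONF=${SMTP_CONF:-/etc/stunnel/smtp.conf}

# 1. servercert.pem holds the private key as well as the certificate,
#    so it must be mode 600. Prints "ok" or a description of the problem.
check_cert_mode() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    mode=$(ls -ld "$f" | cut -c1-10)
    if [ "$mode" = "-rw-------" ]; then
        echo ok
        return 0
    fi
    echo "bad mode $mode on $f (want -rw-------, i.e. chmod 600)"
    return 1
}

# 2. The execargs line in smtp.conf must end with /bin/true, otherwise
#    AUTH fails for clients. Prints "ok" or the last word actually found.
check_smtp_execargs() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    last=$(sed -n -e 's/[[:space:]]*$//' \
        -e 's/^[[:space:]]*execargs[[:space:]]*=.*[[:space:]]\([^[:space:]][^[:space:]]*\)$/\1/p' "$f")
    if [ "$last" = "/bin/true" ]; then
        echo ok
        return 0
    fi
    echo "execargs in $f does not end with /bin/true (last word: '$last')"
    return 1
}

# 3. Read svstat / qmailctl stat output on stdin and print the services
#    whose uptime is 1 second or less (the crash-looping run file the post
#    describes) together with services that are down.
flapping_services() {
    awk '
        /: up \(pid / {
            secs = -1
            for (i = 1; i <= NF; i++) if ($i ~ /^seconds/) secs = $(i - 1)
            if (secs >= 0 && secs <= 1) print $1
            next
        }
        /: down / { print $1 }
    ' | sed 's/:$//'
}

# Constructed svstat output for the demonstration below; pids and times are made up.
SAMPLE_STAT='/service/qmail-send: up (pid 9196) 3561 seconds
/service/qmail-send/log: up (pid 9197) 3561 seconds
/service/qmail-smtpds: up (pid 9205) 1 seconds
/service/qmail-smtpds/log: up (pid 9207) 3561 seconds
/service/qmail-pop3ds: up (pid 9217) 0 seconds
/service/qmail-pop3d: down 12 seconds, normally up'

# Check the real files and the live services; returns 1 if any file check fails.
run_all() {
    status=0
    check_cert_mode "$CERT" || status=1
    check_smtp_execargs "$SMTP_CONF" || status=1
    echo "services that look crash-looping or down:"
    svstat /service/qmail-send /service/qmail-smtpds /service/qmail-pop3ds 2>/dev/null | flapping_services
    return $status
}

# Stand-alone demonstration on the constructed sample: prints the smtpds,
# pop3ds and pop3d service names. Set RUN_CHECKS=yes to check the real box.
printf '%s\n' "$SAMPLE_STAT" | flapping_services
if [ "${RUN_CHECKS:-no}" = yes ]; then
    run_all
fi
```

Run it as root with RUN_CHECKS=yes after the chmod and the supervise links are in place; an uptime that stays at 0 or 1 seconds after two runs a few seconds apart is the crash loop the post describes, and the log under /var/log/qmail/*/current has the reason.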
Edited a little: earlier I forgot to select "Disable Smilies", so a lot of the content turned into smilies. Heh.
[火星人] Qmail openssl stunnel ssl pop3 995 smtp 465 configuration and installation