
Qmail openssl stunnel SSL POP3 995 SMTP 465 configuration and installation

火星人 @ 2014-03-04, reply: 0

http://spire.spaces.live.com/blog/cns!8CE483F458A23E32!1425.entry
 
 The server is located abroad and the GFW is a nuisance, so I added SSL connections to the qmail mail server. There is very little Chinese material on this, especially for doing it with stunnel, so after the upgrade I wrote up these notes.
 
 Install qmail and vpopmail the way described before. My server already had qmail installed and everything was working normally; only the SMTP authentication patch had been applied.
 
 If that is your situation, you can upgrade directly.
 
 The following two packages need to be installed:
 
 1. openssl (http://www.openssl.org)
 
 # cd openssl-0.9.8e
 # ./config
 # make
 # make test
 # make install
 # openssl version
 OpenSSL 0.9.8e 23 Feb 2007
 
 2. stunnel (http://www.stunnel.org) (when running stunnel's configure, take care to set the install paths; /sbin/stunnel and /etc/stunnel are the two that matter.)
 
 # ./configure --sysconfdir=/etc --localstatedir=/var --sharedstatedir=/var --sbindir=/sbin
 # make
 # make install
 # stunnel -version
 stunnel 4.20 on i686-pc-linux-gnu with OpenSSL 0.9.8e 23 Feb 2007
 Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv4
 Global options
 debug           = 5
 pid             = /usr/local/var/run/stunnel/stunnel.pid
 RNDbytes        = 64
 RNDfile         = /dev/urandom
 RNDoverwrite    = yes
 Service-level options
 cert            = /etc/stunnel/stunnel.pem
 ciphers         = ALL:!ADH:+RC4:@STRENGTH
 key             = /etc/stunnel/stunnel.pem
 session         = 300 seconds
 sslVersion      = SSLv3 for client, all for server
 TIMEOUTbusy     = 300 seconds
 TIMEOUTclose    = 60 seconds
 TIMEOUTconnect  = 10 seconds
 TIMEOUTidle     = 43200 seconds
 verify          = none
 After installing, create the following two files.
 
 /etc/stunnel/pop3.conf
 # /etc/stunnel/pop3.conf
 cert = /var/qmail/control/servercert.pem
 exec = /var/qmail/bin/qmail-popup
 execargs = qmail-popup your.domain.com /home/vpopmail/bin/vchkpw /var/qmail/bin/qmail-pop3d Maildir
 
 /etc/stunnel/smtp.conf
 # /etc/stunnel/smtp.conf
 cert = /var/qmail/control/servercert.pem
 exec = /var/qmail/bin/qmail-smtpd
 execargs = qmail-smtpd /home/vpopmail/bin/vchkpw /bin/true
 Create the qmail server certificate in /var/qmail/control (it is self-signed anyway, so any validity period will do; here it is set to 10 years, heh):
 # openssl req -new -x509 -nodes -out servercert.pem -days 3650 -keyout servercert.pem
 
 Change the ownership and permissions of the server certificate file servercert.pem:
 # ln -s /var/qmail/control/servercert.pem clientcert.pem
 # chown -R vpopmail:qmail /var/qmail/control/clientcert.pem /var/qmail/control/servercert.pem
 # chmod 600 servercert.pem   # this one is very important
 
 Create the run files for POP3 and SMTP over SSL:
 # mkdir -p /var/qmail/supervise/qmail-pop3ds/log /var/qmail/supervise/qmail-smtpds/log /var/log/qmail/pop3ds /var/log/qmail/smtpds
 
 /var/qmail/supervise/qmail-pop3ds/run
 #!/bin/sh
 MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
 LOCAL=`head -1 /var/qmail/control/me`
 exec /usr/local/bin/softlimit -m 20000000 \
 /usr/local/bin/tcpserver -H -R -v -l "$LOCAL" -c "$MAXSMTPD" 0 995 \
 /sbin/stunnel /etc/stunnel/pop3.conf 2>&1
 
 /var/qmail/supervise/qmail-pop3ds/log/run
 #!/bin/sh
 exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t \
     /var/log/qmail/pop3ds
 /var/qmail/supervise/qmail-smtpds/run
 #!/bin/sh
 QMAILDUID=`id -u qmaild`
 NOFILESGID=`id -g qmaild`
 MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
 LOCAL=`head -1 /var/qmail/control/me`
 if [ -z "$QMAILDUID" -o -z "$NOFILESGID" -o -z "$MAXSMTPD" -o -z "$LOCAL" ]; then
     echo QMAILDUID, NOFILESGID, MAXSMTPD, or LOCAL is unset in
     echo /var/qmail/supervise/qmail-smtpds/run
     exit 1
 fi
 if [ ! -f /var/qmail/control/rcpthosts ]; then
     echo "No /var/qmail/control/rcpthosts!"
     echo "Refusing to start SMTP listener because it'll create an open relay"
     exit 1
 fi
 exec /usr/local/bin/softlimit -m 20000000 \
     /usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
     -u 89 -g 89 0 465 \
     /sbin/stunnel /etc/stunnel/smtp.conf 2>&1
 
 /var/qmail/supervise/qmail-smtpds/log/run
 #!/bin/sh
 exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t /var/log/qmail/smtpds
 
 Link the service directories into /service:
 # cd /service
 # ln -s /var/qmail/supervise/qmail-pop3ds/ qmail-pop3ds
 # ln -s /var/qmail/supervise/qmail-smtpds/ qmail-smtpds
 
 Modify the qmailctl file, /var/qmail/bin/qmailctl (this file is written in a somewhat complicated way; I have a simpler one that I will post later):
 #!/bin/sh
 # Description: the qmail MTA
 PATH=/var/qmail/bin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin
 export PATH
 QMAILDUID=`id -u qmaild`
 NOFILESGID=`id -g qmaild`
 case "$1" in
   start)
     echo "Starting qmail..."
     echo "  qmail-send"
     if svok /service/qmail-send ; then
       svc -u /service/qmail-send /service/qmail-send/log
     else
       echo "  qmail-send supervise not running"
     fi
     echo "  qmail-smtp"
     if svok /service/qmail-smtpd ; then
       svc -u /service/qmail-smtpd /service/qmail-smtpd/log
     else
       echo "  qmail-smtpd supervise not running"
     fi
     echo "  qmail-smtp ssl"
     if svok /service/qmail-smtpds ; then
       svc -u /service/qmail-smtpds /service/qmail-smtpds/log
     else
       echo "  qmail-smtpd ssl supervise not running"
     fi
     echo "  qmail-pop3d"
     if svok /service/qmail-pop3d ; then
       svc -u /service/qmail-pop3d /service/qmail-pop3d/log
     else
       echo "  qmail-pop3d supervise not running"
     fi
     echo "  qmail-pop3d ssl"
     if svok /service/qmail-pop3ds ; then
       svc -u /service/qmail-pop3ds /service/qmail-pop3ds/log
     else
      echo "  qmail-pop3d ssl supervise not running"
     fi
     if [ -d /var/lock/subsys ]; then
       touch /var/lock/subsys/qmail
     fi
     ;;
   stop)
     echo "Stopping qmail..."
     echo "  qmail-smtpd"
     svc -d /service/qmail-smtpd /service/qmail-smtpd/log
     echo "  qmail-smtpd ssl"
     svc -d /service/qmail-smtpds /service/qmail-smtpds/log
     echo "  qmail-send"
     svc -d /service/qmail-send /service/qmail-send/log
     echo "  qmail-pop3d"
     svc -d /service/qmail-pop3d /service/qmail-pop3d/log
     echo "  qmail-pop3d ssl"
     svc -d /service/qmail-pop3ds /service/qmail-pop3ds/log
     if [ -f /var/lock/subsys/qmail ]; then
       rm /var/lock/subsys/qmail
     fi
     ;;
   stat)
     svstat /service/qmail-send
     svstat /service/qmail-send/log
     svstat /service/qmail-smtpd
     svstat /service/qmail-smtpd/log
     svstat /service/qmail-smtpds
     svstat /service/qmail-smtpds/log
     svstat /service/qmail-pop3d
     svstat /service/qmail-pop3d/log
     svstat /service/qmail-pop3ds
     svstat /service/qmail-pop3ds/log
     qmail-qstat
     ;;
   doqueue|alrm|flush)
     echo "Flushing timeout table and sending ALRM signal to qmail-send."
     /var/qmail/bin/qmail-tcpok
     svc -a /service/qmail-send
     ;;
   queue)
     qmail-qstat
     qmail-qread
     ;;
   reload|hup)
     echo "Sending HUP signal to qmail-send."
     svc -h /service/qmail-send
     ;;
   pause)
     echo "Pausing"
     echo "  qmail-send"
     svc -p /service/qmail-send
     echo "  qmail-smtpd"
     svc -p /service/qmail-smtpd
     echo "  qmail-smtpd ssl"
     svc -p /service/qmail-smtpds
     echo "  qmail-pop3d"
     svc -p /service/qmail-pop3d
     echo "  qmail-pop3d ssl"
     svc -p /service/qmail-pop3ds
     ;;
   cont)
     echo "Continuing"
     echo "  qmail-send"
     svc -c /service/qmail-send
     echo "  qmail-smtpd"
     svc -c /service/qmail-smtpd
     echo "  qmail-smtpd ssl"
     svc -c /service/qmail-smtpds
     echo "  qmail-pop3d"
     svc -c /service/qmail-pop3d
     echo "  qmail-pop3ds"
     svc -c /service/qmail-pop3ds
     ;;
   restart)
     echo "Restarting qmail:"
     echo "* Stopping qmail-smtpd."
     svc -d /service/qmail-smtpd /service/qmail-smtpd/log
     echo "* Stopping qmail-smtpd ssl."
     svc -d /service/qmail-smtpds /service/qmail-smtpds/log
     echo "* Sending qmail-send SIGTERM and restarting."
     svc -t /service/qmail-send /service/qmail-send/log
     echo "* Restarting qmail-smtpd."
     svc -u /service/qmail-smtpd /service/qmail-smtpd/log
     echo "* Restarting qmail-smtpd ssl."
     svc -u /service/qmail-smtpds /service/qmail-smtpds/log
     echo "* Restarting qmail-pop3d."
     svc -t /service/qmail-pop3d /service/qmail-pop3d/log
     echo "* Restarting qmail-pop3ds."
     svc -t /service/qmail-pop3ds /service/qmail-pop3ds/log
     ;;
   cdb)
     tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp
     chmod 644 /etc/tcp.smtp.cdb
     echo "Reloaded /etc/tcp.smtp."
     ;;
   help)
     cat <<HELP
   stop -- stops mail service (smtp connections refused, nothing goes out)
   start -- starts mail service (smtp connection accepted, mail can go out)
   pause -- temporarily stops mail service (connections accepted, nothing leaves)
    cont -- continues paused mail service
    stat -- displays status of mail service
     cdb -- rebuild the tcpserver cdb file for smtp
 restart -- stops and restarts smtp, sends qmail-send a TERM & restarts it
 doqueue -- schedules queued messages for immediate delivery
 reload -- sends qmail-send HUP, rereading locals and virtualdomains
   queue -- shows status of queue
    alrm -- same as doqueue
   flush -- same as doqueue
     hup -- same as reload
 HELP
     ;;
   *)
      echo "Usage: $0 {start|stop|restart|doqueue|flush|reload|stat|pause|cont|cdb|queue|help}"
     exit 1
     ;;
 esac
 exit 0
 
 At this point both of the services above should already be running, but we restart everything once more anyway:
 # qmailctl stop
 # qmailctl start
 # qmailctl stat
 /service/qmail-send: up (pid 9196) 3561 seconds
 /service/qmail-send/log: up (pid 9197) 3561 seconds
 /service/qmail-smtpd: up (pid 9200) 3561 seconds
 /service/qmail-smtpd/log: up (pid 9202) 3561 seconds
 /service/qmail-smtpds: up (pid 9205) 3561 seconds
 /service/qmail-smtpds/log: up (pid 9207) 3561 seconds
 /service/qmail-pop3d: up (pid 9210) 3561 seconds
 /service/qmail-pop3d/log: up (pid 9214) 3561 seconds
 /service/qmail-pop3ds: up (pid 9217) 3561 seconds
 /service/qmail-pop3ds/log: up (pid 9220) 3561 seconds
 messages in queue: 2
 messages in queue but not yet preprocessed: 27
 # The above is the output of qmailctl stat. The uptimes should be greater than 1 second; if a service keeps flipping between 0 seconds and 1 second, there is an error in its run file; look for the error message in its log.
 
 Debugging methods:
 
 1. # ps -efl | grep "service errors" | grep -v grep
 4 S root      5631  5626  0  75   0 -   303 pipe_w Sep01 ?        00:00:00 readproctitle service errors: .........
 
 2. # telnet localhost 25
 Trying 127.0.0.1...
 Connected to localhost.
 Escape character is '^]'.
 220 c2forum.net ESMTP
 ehlo
 250-your.domain.com
 250-AUTH LOGIN CRAM-MD5 PLAIN
 250-AUTH=LOGIN CRAM-MD5 PLAIN
 250-PIPELINING
 250 8BITMIME
 auth login
 334 VXNlcm5hbWU6
 quit
 
 3. # telnet localhost 110
 Trying 127.0.0.1...
 Connected to localhost.
 Escape character is '^]'.
 +OK<1520.11887344591214@your.domain.com>
 user albert
 +OK
 pass albert
 +OK
 list
 +OK
 1 2734
 2 31807
 3 34957
 4 20644
 5 27798
 6 26584
 .
 quit
 
 4. # openssl s_client -connect localhost:465
 (After running this, a large block of certificate-related information appears; it is omitted here and only the last line is copied. From there the test is the same as with telnet localhost 25.)
 220 your.domain.com ESMTP
 
 5. # openssl s_client -connect localhost:995
 (Again the certificate information is omitted and only the last line is copied. From there the test is the same as with telnet localhost 110.)
 +OK<1872.1188791523434@your.domain.com>
 
 6. Check the main logs, including:
 /var/log/qmail/current
 /var/log/qmail/pop3d/current
 /var/log/qmail/pop3ds/current
 /var/log/qmail/smtpd/current
 /var/log/qmail/smtpds/current
 
 7. You can also add the following two settings to /etc/stunnel/smtp.conf and pop3.conf to produce detailed debug logs:
 debug = 7
 output = /var/log/qmail/stunnel.log
 
 Possible problems:
 
 1. If you copy and paste, be very careful: the line endings may change when you paste into the telnet client software, because DOS and Unix formats differ. Pay particular attention to the line break after the interpreter declaration on the first line of each run file.
 
 2. tcpserver: fatal: no IP address for your.domain.com
 This means the port is already occupied by another process; either stop that process or use a different port.
 
 3. Wrong permissions on /var/qmail/control/servercert.pem
 Set the permissions of servercert.pem to 600.
 
 4. The trailing " /bin/true" in /etc/stunnel/smtp.conf must not be forgotten; otherwise the client will report that authentication failed.
 
 5. SSL certificate warnings: because we issued the certificate ourselves, the client will warn about it. Two options: (a) buy a certificate from a recognized CA (very expensive; many domestic vendors offer cheap prices only for domestic-scope certificates, international scope is priced differently); (b) rename servercert.pem to .crt or .cer, then import it on the client machine via IE's Internet Options, choosing the automatic certificate store. If you have questions, feel free to leave a comment on my blog.
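A pre-flight check for the two stunnel configs above, covering the two troubleshooting items just listed (the 600 permission on servercert.pem and the trailing /bin/true in smtp.conf), written as an added example and not part of the original post. The dummy qmail-smtpd, the stand-in PEM file and the temp-directory paths are constructed assumptions so that it runs without a qmail install.

```shell
#!/bin/sh
# Added pre-flight check for the stunnel configs above (example, not from the
# original post): cert file must be mode 600, exec must exist, and smtp.conf's
# execargs must keep its trailing "/bin/true" or SMTP AUTH fails.

# conf_get KEY FILE: value of the first "KEY = value" line in FILE, trimmed
conf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | sed 's/[[:space:]]*$//' | head -n 1
}

# check_stunnel_conf FILE smtp|pop3: print every problem found, return 1 if any
check_stunnel_conf() {
    conf=$1; kind=$2; rc=0
    [ -r "$conf" ] || { echo "$conf: not readable"; return 1; }
    cert=$(conf_get cert "$conf")
    if [ ! -f "$cert" ]; then
        echo "$conf: cert '$cert' not found"; rc=1
    else
        # stunnel refuses a group/world-readable key: "Wrong permissions on ..."
        mode=$(stat -c %a "$cert" 2>/dev/null || stat -f %Lp "$cert")
        [ "$mode" = 600 ] || { echo "$conf: $cert is mode $mode, want 600"; rc=1; }
    fi
    exe=$(conf_get exec "$conf")
    [ -x "$exe" ] || { echo "$conf: exec '$exe' is not executable"; rc=1; }
    # the AUTH patch runs a command after a successful login; the post uses /bin/true
    if [ "$kind" = smtp ]; then
        case "$(conf_get execargs "$conf")" in
            *" /bin/true") ;;
            *) echo "$conf: smtp execargs must end with /bin/true"; rc=1 ;;
        esac
    fi
    return $rc
}

# make_demo_dir: constructed stand-ins (dummy qmail-smtpd, dummy PEM) so the
# check runs without a qmail install; prints the directory
make_demo_dir() {
    d=$(mktemp -d)
    printf '#!/bin/sh\nexit 0\n' > "$d/qmail-smtpd"; chmod 755 "$d/qmail-smtpd"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' constructed '-----END CERTIFICATE-----' > "$d/servercert.pem"
    chmod 600 "$d/servercert.pem"
    cp "$d/servercert.pem" "$d/loose.pem"; chmod 644 "$d/loose.pem"   # the "wrong permissions" case
    printf 'cert = %s/servercert.pem\nexec = %s/qmail-smtpd\nexecargs = qmail-smtpd /home/vpopmail/bin/vchkpw /bin/true\n' "$d" "$d" > "$d/smtp-good.conf"
    printf 'cert = %s/loose.pem\nexec = %s/qmail-smtpd\nexecargs = qmail-smtpd /home/vpopmail/bin/vchkpw\n' "$d" "$d" > "$d/smtp-bad.conf"
    echo "$d"
}

d=$(make_demo_dir)
check_stunnel_conf "$d/smtp-good.conf" smtp && echo "smtp-good.conf: ok"
check_stunnel_conf "$d/smtp-bad.conf" smtp || echo "smtp-bad.conf: rejected"
```

Run it against the real /etc/stunnel/smtp.conf and pop3.conf (as root, so the mode-600 cert is readable) before restarting the services.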
 
 
 Edited a little: I forgot to tick "Disable Smilies" earlier, so a lot of the content turned into smilies. Heh.



http://coctec.com/docs/service/show-post-13570.html