Start adding TLS support to qmail's smtp and pop services. Change into the directory below, then apply the netqmail-1.05-ucspitls-0.3.patch patch, which is located under /usr/local/src:
#cd /usr/local/src/netqmail-1.05/netqmail-1.05
#patch -p2 < netqmail-1.05-ucspitls-0.3.patch
If qmail is running at this point, stop it:
#qmailctl stop
Rebuild and reinstall qmail:
#make
#make setup check
Set up the certificate:
#mkdir /var/qmail/ssl
#chown root /var/qmail/ssl
#chmod 700 /var/qmail/ssl
#cd /var/qmail/ssl
#umask 077
#openssl req -new -x509 -keyout key.enc -out cert -days 720
haide1014    (the PEM passphrase typed at the prompt; the next step strips it from the key)
#openssl rsa -in key.enc -out key
haide1014    (the same passphrase, entered to decrypt key.enc)
#openssl dhparam -out dhparam 1024
#groupadd ssl
#useradd -g ssl -d /var/qmail ssl
In /var/qmail/ssl/, create a file named env with the following contents:
# Set these three
SSL_USER=ssl
SSL_GROUP=ssl
SSL_DIR=/var/qmail/ssl
# Enable UCSPI-TLS
UCSPITLS=1
# The rest are set based on the above three
SSL_CHROOT="$SSL_DIR"
CERTFILE="$SSL_DIR/cert"
KEYFILE="$SSL_DIR/key"
DHFILE="$SSL_DIR/dhparam"
SSL_UID=`id -u "$SSL_USER"`
if [ $? -ne 0 ]; then echo "No such user '$SSL_USER'" >&2; exit; fi
SSL_GID=`id -g "$SSL_GROUP"`
if [ $? -ne 0 ]; then echo "No such group '$SSL_GROUP'" >&2; exit; fi
# Export the variables used by other scripts
export SSL_CHROOT SSL_UID SSL_GID UCSPITLS CERTFILE KEYFILE DHFILE
#umask 022
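A check for the directory just built, added here as an example and not part of the original post. It takes the directory and the expected owner as arguments (the owner defaults to root, as above) so it can be tried on a scratch copy first; it verifies the ownership and modes the steps above produce, that the four files exist, that the key is the decrypted copy (sslserver cannot prompt for a passphrase), and, with openssl installed, that key and cert belong together. Note that the post generates 1024-bit DH parameters; current guidance is at least 2048 bits.

```shell
#!/bin/sh
# Added example (not from the original post): check the /var/qmail/ssl
# directory built above before sslserver is pointed at it.
# The directory and the expected owner are arguments so it can be tried on a
# scratch copy; the owner defaults to root, which is what the post uses.

mode_of()  { ls -ld "$1" | cut -c1-10; }        # e.g. drwx------ / -rw-------
owner_of() { ls -ld "$1" | awk '{ print $3 }'; }

# check_ssl_dir DIR [OWNER]: 0 if ownership, modes and files are as expected,
# otherwise 1 with every problem found reported on stderr.
check_ssl_dir() {
    dir="$1"; owner="${2:-root}"; rc=0
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }

    # chown root / chmod 700 from the post
    [ "$(owner_of "$dir")" = "$owner" ] \
        || { echo "$dir: owned by $(owner_of "$dir"), expected $owner" >&2; rc=1; }
    [ "$(mode_of "$dir")" = "drwx------" ] \
        || { echo "$dir: mode $(mode_of "$dir"), expected drwx------ (700)" >&2; rc=1; }

    # the files the env script refers to, plus the env script itself
    for f in cert key dhparam env; do
        [ -f "$dir/$f" ] || { echo "$dir/$f: missing" >&2; rc=1; }
    done

    # umask 077 leaves the key 0600; anything wider exposes it to other users
    if [ -f "$dir/key" ] && [ "$(mode_of "$dir/key")" != "-rw-------" ]; then
        echo "$dir/key: mode $(mode_of "$dir/key"), expected -rw------- (600)" >&2; rc=1
    fi

    # key must be the decrypted copy written by "openssl rsa", not key.enc
    if [ -f "$dir/key" ] && grep -q ENCRYPTED "$dir/key"; then
        echo "$dir/key: still passphrase-protected; sslserver cannot use it" >&2; rc=1
    fi
    return $rc
}

# check_key_matches_cert DIR: 0 if cert and key carry the same RSA modulus,
# i.e. the decrypted key really belongs to the self-signed cert. Needs openssl.
check_key_matches_cert() {
    cm=$(openssl x509 -noout -modulus -in "$1/cert" 2>/dev/null) || return 1
    km=$(openssl rsa  -noout -modulus -in "$1/key"  2>/dev/null) || return 1
    [ -n "$cm" ] && [ "$cm" = "$km" ]
}

# Usage on the live directory (as root):  sh check-ssl-dir.sh --check [DIR]
if [ "${1:-}" = "--check" ]; then
    d="${2:-/var/qmail/ssl}"
    check_ssl_dir "$d" && check_key_matches_cert "$d" && echo "$d: OK"
fi
```

Run it as root after the umask 022 step; every finding is printed, so a wrong mode on the key and a missing dhparam are both reported in one pass.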
Set up the qmail-smtpd run script
Edit the qmail-smtpd run file, in /var/qmail/supervise/qmail-smtpd/run. There are three changes required:
The top of the file has several variable settings. Below these lines, include the SSL environment variable script we created above, using the shell's "dot" command, typed as a single period:
. /var/qmail/ssl/env
On the line that contains softlimit, add 10MB (10,000,000) to the number after the -m flag. This allows qmail-smtpd to use the extra memory required for SSL. For example, if it's currently 2000000, you would have for that line:
exec /usr/local/bin/softlimit -m 12000000 \
On the line that contains tcpserver, change tcpserver to sslserver -e -n, leaving all of the other flags in place. The line will now look something like:
/usr/local/bin/sslserver -e -n -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
The modified qmail-smtpd run file:
#!/bin/sh
QmailDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
. /var/qmail/ssl/env
exec /usr/local/bin/softlimit -m 12000000 \
/usr/local/bin/sslserver -e -n -v -R -l 0 \
-x /home/vpopmail/etc/tcp.smtp.cdb -c "$MAXSMTPD" \
-u "$QmailDUID" -g "$NOFILESGID" 0 smtp \
/var/qmail/bin/qmail-smtpd \
/home/vpopmail/bin/vchkpw /bin/true 2>&1
Restart qmail:
#qmailctl start
Set up qmail-pop3d
Edit the qmail-pop3d run file, in /var/qmail/supervise/qmail-pop3d/run. There are three changes required:
Near the top of the file, between the #!/bin/sh line and the line that begins with exec, include the SSL environment variable script we created above, using the shell's "dot" command, typed as a single period:
. /var/qmail/ssl/env
On the line that contains softlimit, add 10MB (10,000,000) to the number after the -m flag. This allows qmail-pop3d to use the extra memory required for SSL. For example, if it's currently 2000000, you would have for that line:
exec /usr/local/bin/softlimit -m 12000000 \
On the line that contains tcpserver, change tcpserver to sslserver -e -n, leaving all of the other flags in place. The line will now look something like:
/usr/local/bin/sslserver -e -n -v -R -H -l 0 0 110 /var/qmail/bin/qmail-popup \
The modified qmail-pop3d run file is as follows:
Restart qmail:
#qmailctl restart
Adding an SSL (smtps) service for qmail's SMTP
1. Change directory to /var/qmail/supervise:
cd /var/qmail/supervise
2. Create a service directory and log directory:
mkdir -p qmail-smtpd-ssl/log
3. Copy the run file from the original service, and make it executable:
cp qmail-smtpd/run qmail-smtpd-ssl/
chmod 755 qmail-smtpd-ssl/run
4. Edit the run file (qmail-smtpd-ssl/run) in the following ways:
On the line after . /var/qmail/ssl/env, add unset UCSPITLS
On the line that contains sslserver, remove the -n flag.
On the next line, which will contain something like 0 smtp, change smtp to smtps; that tells sslserver to listen on the appropriate port for the SSL version of this service.
5. Set up a logging directory for this new service:
mkdir /var/log/qmail/smtpd-ssl
chown qmaill /var/log/qmail/smtpd-ssl
6. Set up the logging program for this new service, by creating a file in qmail-smtpd-ssl/log/run with these contents:
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t \
/var/log/qmail/smtpd-ssl
Make sure the script is executable:
chmod 755 qmail-smtpd-ssl/log/run
7. Link the new service into the /service directory, to have it start automatically on boot:
ln -s /var/qmail/supervise/qmail-smtpd-ssl /service
8. Add the following to qmailctl's "start" section:
if svok /service/qmail-smtpd-ssl ; then
svc -u /service/qmail-smtpd-ssl /service/qmail-smtpd-ssl/log
else
echo qmail-smtpd-ssl supervise not running
fi
9. Add the following to qmailctl's "stop" section:
echo " qmail-smtpd-ssl"
svc -d /service/qmail-smtpd-ssl /service/qmail-smtpd-ssl/log
10. Add the following to qmailctl's "stat" section:
svstat /service/qmail-smtpd-ssl
svstat /service/qmail-smtpd-ssl/log
11. Add the following to qmailctl's "pause" section:
echo "Pausing qmail-smtpd-ssl"
svc -p /service/qmail-smtpd-ssl
12. Add the following to qmailctl's "cont" section:
echo "Continuing qmail-smtpd-ssl"
svc -c /service/qmail-smtpd-ssl
13. Add the following to qmailctl's "restart" section:
echo "* Restarting qmail-smtpd-ssl."
svc -t /service/qmail-smtpd-ssl /service/qmail-smtpd-ssl/log
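The run-file edits in the qmail-smtpd and qmail-pop3d sections and in step 4 above are mechanical, so here is an added example (not from the original post nor from Life with qmail) that applies them with awk and checks the result. The env path and the 10 MB increment are the post's; the sample run file written by write_sample_run is constructed for the demo and mirrors the post's qmail-smtpd run file as it looks before the edits. All paths are arguments, so everything can be tried on a scratch copy first, which is what --demo does in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original post): apply the run-file edits above
# with awk instead of by hand, then verify them.
#   add_tls_to_run : the three STARTTLS edits for qmail-smtpd / qmail-pop3d
#   make_smtps_run : step 4 of the dedicated qmail-smtpd-ssl service
# All paths are arguments, so everything can be tried on a scratch copy first.

SSL_ENV=/var/qmail/ssl/env      # env script from the post
EXTRA_MEM=10000000              # 10 MB extra for the TLS library, as the post says

# add_tls_to_run SRC DST: source the env file before exec, raise softlimit -m
# by EXTRA_MEM and turn tcpserver into "sslserver -e -n" (STARTTLS offered).
# Re-running it on its own output does not add a second env line.
add_tls_to_run() {
    src="$1"; dst="$2"
    [ -f "$src" ] || { echo "$src: no such run file" >&2; return 1; }
    mkdir -p "$(dirname "$dst")"
    awk -v env="$SSL_ENV" -v extra="$EXTRA_MEM" '
        $0 == ". " env { seen = 1 }                      # already converted
        /^exec / && !seen { print ". " env; seen = 1 }   # (1) include env once
        /softlimit/ {                                    # (2) bump the -m value
            for (i = 1; i < NF; i++) if ($i == "-m") $(i + 1) = $(i + 1) + extra
        }
        /tcpserver/ { sub(/tcpserver/, "sslserver -e -n") }   # (3) other flags stay
        { print }
    ' "$src" > "$dst" && chmod 755 "$dst"
}

# make_smtps_run SRC DST: from a STARTTLS run file derive the TLS-only one:
# unset UCSPITLS after the env include, drop -n, listen on smtps instead of smtp.
make_smtps_run() {
    src="$1"; dst="$2"
    [ -f "$src" ] || { echo "$src: no such run file" >&2; return 1; }
    mkdir -p "$(dirname "$dst")"
    awk -v env="$SSL_ENV" '
        /sslserver/ { sub(/ -n /, " ") }                # handshake right away
        / 0 smtp /  { sub(/ 0 smtp /, " 0 smtps ") }    # the smtps port, not smtp
        { print }
        $0 == ". " env { print "unset UCSPITLS" }       # no STARTTLS on this service
    ' "$src" > "$dst" && chmod 755 "$dst"
}

# softlimit_of FILE: print the number after softlimit -m
softlimit_of() {
    awk '/softlimit/ { for (i = 1; i < NF; i++) if ($i == "-m") print $(i + 1) }' "$1"
}

# check_tls_run FILE: 0 if the three STARTTLS edits are present
check_tls_run() {
    grep -q "^\. $SSL_ENV\$" "$1"  || { echo "$1: env file not sourced" >&2; return 1; }
    grep -q 'sslserver -e -n' "$1" || { echo "$1: tcpserver not replaced" >&2; return 1; }
    ! grep -q tcpserver "$1"       || { echo "$1: tcpserver still present" >&2; return 1; }
    [ "$(softlimit_of "$1")" -ge "$EXTRA_MEM" ] || { echo "$1: softlimit too low" >&2; return 1; }
}

# check_smtps_run FILE: 0 if the step-4 edits are present
check_smtps_run() {
    grep -q '^unset UCSPITLS$' "$1"        || { echo "$1: UCSPITLS not unset" >&2; return 1; }
    ! grep sslserver "$1" | grep -q ' -n ' || { echo "$1: -n still on sslserver" >&2; return 1; }
    grep -q ' 0 smtps ' "$1"               || { echo "$1: not listening on smtps" >&2; return 1; }
}

# write_sample_run FILE: a constructed copy of the post's qmail-smtpd run file
# as it looks BEFORE the edits (tcpserver, softlimit -m 2000000), for demos.
write_sample_run() {
    mkdir -p "$(dirname "$1")"
    cat > "$1" <<'EOF'
#!/bin/sh
QmailDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
exec /usr/local/bin/softlimit -m 2000000 \
    /usr/local/bin/tcpserver -v -R -l 0 \
    -x /home/vpopmail/etc/tcp.smtp.cdb -c "$MAXSMTPD" \
    -u "$QmailDUID" -g "$NOFILESGID" 0 smtp \
    /var/qmail/bin/qmail-smtpd \
    /home/vpopmail/bin/vchkpw /bin/true 2>&1
EOF
}

# Demo in a temporary directory (nothing under /var/qmail is touched):
#   sh qmail-tls-run.sh --demo
if [ "${1:-}" = "--demo" ]; then
    scratch=$(mktemp -d)
    write_sample_run "$scratch/qmail-smtpd/run"
    add_tls_to_run "$scratch/qmail-smtpd/run"     "$scratch/qmail-smtpd/run.tls"
    make_smtps_run "$scratch/qmail-smtpd/run.tls" "$scratch/qmail-smtpd-ssl/run"
    check_tls_run "$scratch/qmail-smtpd/run.tls" && check_smtps_run "$scratch/qmail-smtpd-ssl/run" \
        && { echo "--- qmail-smtpd/run (STARTTLS) ---"; cat "$scratch/qmail-smtpd/run.tls"
             echo "--- qmail-smtpd-ssl/run (smtps) ---"; cat "$scratch/qmail-smtpd-ssl/run"; }
    rm -rf "$scratch"
fi
```

On a live system, run add_tls_to_run on the qmail-smtpd and qmail-pop3d run files, make_smtps_run on the converted qmail-smtpd run file to produce qmail-smtpd-ssl/run, and the two check_* functions before the service is linked into /service in step 7; a run file that fails a check is not started by supervise as intended.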
Original article: http://www.51itstudy.com/7814.html