论坛徽章:: 0

电梯直达

1楼 [收藏(0)] [报告]

发表于 2007-09-03 13:34 |只看该作者 |倒序浏览

原文在我的blog里：http://spire.spaces.live.com/blog/cns!8CE483F458A23E32!1425.entry :lol:

服务器在境外，GFW很烦，因此给qmail邮件服务器增加了ssl链接方式。而这方面的中文资料很少，尤其是使用stunnel的，所以升级了后，写了这篇手记。

按之前的qmail vpopmail的方式安装好。我的服务器原来就安装qmail，一切工作正常，仅仅打了smtp验证的补丁。

如果是这样，那就可以直接升级。

需要安装下面两个软件：

openssl (http://www.openssl.org)
# cd openssl-0.9.8e
# ./config
# make
# make test
# make install
# openssl version
OpenSSL 0.9.8e 23 Feb 2007
stunnel (http://www.stunnel.org) (stunnel 配置的时候主意设定一下安装路径 /sbin/stunnel /etc/stunnel 主要的两个。)
# ./configure --sysconfdir=/etc --localstatedir=/var --sharedstatedir=/var --sbindir=/sbin
# make
# make install
# stunnel -version
stunnel 4.20 on i686-pc-linux-gnu with OpenSSL 0.9.8e 23 Feb 2007
Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv4
Global options
debug          = 5
pid          = /usr/local/var/run/stunnel/stunnel.pid
RNDbytes       = 64
RNDfile       = /dev/urandom
RNDoverwrite = yes
Service-level options
cert          = /etc/stunnel/stunnel.pem
ciphers       = ALL:!ADH:+RC4:@STRENGTH
key          = /etc/stunnel/stunnel.pem
session       = 300 seconds
sslVersion    = SSLv3 for client, all for server
TIMEOUTbusy    = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect  = 10 seconds
TIMEOUTidle    = 43200 seconds
verify       = none

安装好后，建立两个文件 /etc/stunnel/pop3.conf
# /etc/stunnel/pop3.conf
cert = /var/qmail/control/servercert.pem
exec = /var/qmail/bin/qmail-popup
execargs = qmail-popup your.domain.com /home/vpopmail/bin/vchkpw /var/qmail/bin/qmail-pop3d Maildir /etc/stunnel/smtp.conf
# /etc/stunnel/smtp.conf
cert = /var/qmail/control/servercert.pem
exec = /var/qmail/bin/qmail-smtpd
execargs = qmail-smtpd /home/vpopmail/bin/vchkpw /bin/true
建立qmail服务器证书(反正是自己签发证书，想多长时间都可以，这里设定10年，呵呵)： # openssl req -new -x509 -nodes -out servercert.pem -days 3650 -keyout servercert.pem 需该服务器证书文件servercert.pem的文件属性： # ln -s /var/qmail/control/servercert.pem clientcert.pem
# chown -R vpopmail:qmail /var/qmail/control/clientcert.pem /var/qmail/control/servercert.pem
# chmod 600 servercert.pem #这个很重要哦建立pop3和smtp ssl的run文件 # mkdir -p /var/qmail/supervise/qmail-pop3ds/log /var/qmail/supervise/qmail-smtpds/log /var/log/qmail/pop3ds /var/log/qmail/smtpds /var/qmail/supervise/qmail-pop3ds/run
#!/bin/sh
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
LOCAL=`head -1 /var/qmail/control/me`
exec /usr/local/bin/softlimit -m 20000000 \
/usr/local/bin/tcpserver -H -R -v -l "$LOCAL" -c "$MAXSMTPD" 0 995 \
/sbin/stunnel /etc/stunnel/pop3.conf 2>&1
/var/qmail/supervise/qmail-pop3ds/run/log/run
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t \
/var/log/qmail/pop3ds
/var/qmail/supervise/qmail-smtpds/run
#!/bin/sh
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
LOCAL=`head -1 /var/qmail/control/me` if [ -z "$QMAILDUID" -o -z "$NOFILESGID" -o -z "$MAXSMTPD" -o -z "$LOCAL" ]; then
echo QMAILDUID, NOFILESGID, MAXSMTPD, or LOCAL is unset in
echo /var/qmail/supervise/qmail-smtpds/run
exit 1
fi if [ ! -f /var/qmail/control/rcpthosts ]; then
echo "No /var/qmail/control/rcpthosts!"
echo "Refusing to start SMTP listener because it'll create an open relay"
exit 1
fi exec /usr/local/bin/softlimit -m 20000000 \
      /usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
   -u 89 -g 89 0 465 \
      /sbin/stunnel /etc/stunnel/smtp.conf 2>&1
/var/qmail/supervise/qmail-smtpds/log/run
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t /var/log/qmail/smtpds 将执行文件链接到/service中： # cd /service
# ln -s /var/qmail/supervise/qmail-pop3ds/ qmail-pop3ds
# ln -s /var/qmail/supervise/qmail-smtpds/ qmail-smtpds 修改qmailctl文件： /var/qmail/bin/qmailctl #这个文件编写的有点复杂，我还有个更简单的，我回头贴出来。
#!/bin/sh
# Description: the qmail MTA
PATH=/var/qmail/bin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin
export PATH
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
case "$1" in
  start)
echo "Starting qmail..."
echo "  qmail-send"
if svok /service/qmail-send ; then
   svc -u /service/qmail-send /service/qmail-send/log
else
   echo "  qmail-send supervise not running"
fi
echo "  qmail-smtp"
if svok /service/qmail-smtpd ; then
   svc -u /service/qmail-smtpd /service/qmail-smtpd/log
else
   echo "  qmail-smtpd supervise not running"
fi
echo "  qmail-smtp ssl"
if svok /service/qmail-smtpds ; then
   svc -u /service/qmail-smtpds /service/qmail-smtpds/log
else
   echo "  qmail-smtpd ssl supervise not running"
fi
echo "  qmail-pop3d"
if svok /service/qmail-pop3d ; then
   svc -u /service/qmail-pop3d /service/qmail-pop3d/log
else
   echo "  qmail-pop3d supervise not running"
fi
echo "  qmail-pop3d ssl"
if svok /service/qmail-pop3ds ; then
   svc -u /service/qmail-pop3ds /service/qmail-pop3ds/log
else
   echo " qmail-pop3d ssl service not running"
fi
if [ -d /var/lock/subsys ]; then
   touch /var/lock/subsys/qmail
fi
;;
  stop)
echo "Stopping qmail..."
echo "  qmail-smtpd"
svc -d /service/qmail-smtpd /service/qmail-smtpd/log
echo "  qmail-smtpd ssl"
svc -d /service/qmail-smtpds /service/qmail-smtpds/log
echo "  qmail-send"
svc -d /service/qmail-send /service/qmail-send/log
echo "  qmail-pop3d"
svc -d /service/qmail-pop3d /service/qmail-pop3d/log
echo "  qmail-pop3d ssl"
svc -d /service/qmail-pop3ds /service/qmail-pop3ds/log
if [ -f /var/lock/subsys/qmail ]; then
   rm /var/lock/subsys/qmail
fi
;;
  stat)
svstat /service/qmail-send
svstat /service/qmail-send/log
svstat /service/qmail-smtpd
svstat /service/qmail-smtpd/log
svstat /service/qmail-smtpds
svstat /service/qmail-smtpds/log
svstat /service/qmail-pop3d
svstat /service/qmail-pop3d/log
svstat /service/qmail-pop3ds
svstat /service/qmail-pop3ds/log
qmail-qstat
;;
  doqueue|alrm|flush)
echo "Flushing timeout table and sending ALRM signal to qmail-send."
/var/qmail/bin/qmail-tcpok
svc -a /service/qmail-send
;;
  queue)
qmail-qstat
qmail-qread
;;
  reload|hup)
echo "Sending HUP signal to qmail-send."
svc -h /service/qmail-send
;;
  pause)
echo "Pausing"
echo "  qmail-send"
svc -p /service/qmail-send
echo "  qmail-smtpd"
svc -p /service/qmail-smtpd
echo "  qmail-smtpd ssl"
svc -p /service/qmail-smtpds
echo "  qmail-pop3d"
svc -p /service/qmail-pop3d
echo "  qmail-pop3d ssl"
svc -p /service/qmail-pop3ds
;;
  cont)
echo "Continuing"
echo "  qmail-send"
svc -c /service/qmail-send
echo "  qmail-smtpd"
svc -c /service/qmail-smtpd
echo "  qmail-smtpd ssl"
svc -c /service/qmail-smtpds
echo "  qmail-pop3d"
svc -c /service/qmail-pop3d
echo "  qmail-pop3ds"
svc -c /service/qmail-pop3ds
;;
  restart)
echo "Restarting qmail:"
echo "* Stopping qmail-smtpd."
svc -d /service/qmail-smtpd /service/qmail-smtpd/log
echo "* Stopping qmail-smtpd ssl."
svc -d /service/qmail-smtpds /service/qmail-smtpds/log
echo "* Sending qmail-send SIGTERM and restarting."
svc -t /service/qmail-send /service/qmail-send/log
echo "* Restarting qmail-smtpd."
svc -u /service/qmail-smtpd /service/qmail-smtpd/log
echo "* Restarting qmail-smtpd ssl."
svc -u /service/qmail-smtpds /service/qmail-smtpds/log
echo "* Restarting qmail-pop3d."
svc -t /service/qmail-pop3d /service/qmail-pop3d/log
echo "* Restarting qmail-pop3ds."
svc -t /service/qmail-pop3ds /service/qmail-pop3ds/log
;;
  cdb)
tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp
chmod 644 /etc/tcp.smtp.cdb
echo "Reloaded /etc/tcp.smtp."
;;
  help)
cat <<HELP
stop -- stops mail service (smtp connections refused, nothing goes out)
  start -- starts mail service (smtp connection accepted, mail can go out)
  pause -- temporarily stops mail service (connections accepted, nothing leaves)
cont -- continues paused mail service
stat -- displays status of mail service
cdb -- rebuild the tcpserver cdb file for smtp
restart -- stops and restarts smtp, sends qmail-send a TERM & restarts it
doqueue -- schedules queued messages for immediate delivery
reload -- sends qmail-send HUP, rereading locals and virtualdomains
  queue -- shows status of queue
alrm -- same as doqueue
  flush -- same as doqueue
hup -- same as reload
HELP
;;
  *)
echo "Usage: $0 {start|stop|restart|doqueue|flush|reload|stat|pause|cont|cdb|queu
e|help}"
exit 1
;;
esac
exit 0

这个时候，上面的两个文件应该都启动了。但我们还是重新启动一次： # qmailctl stop
# qmailctl start
# qmailctl stat
/service/qmail-send: up (pid 9196) 3561 seconds
/service/qmail-send/log: up (pid 9197) 3561 seconds
/service/qmail-smtpd: up (pid 9200) 3561 seconds
/service/qmail-smtpd/log: up (pid 9202) 3561 seconds
/service/qmail-smtpds: up (pid 9205) 3561 seconds
/service/qmail-smtpds/log: up (pid 9207) 3561 seconds
/service/qmail-pop3d: up (pid 9210) 3561 seconds
/service/qmail-pop3d/log: up (pid 9214) 3561 seconds
/service/qmail-pop3ds: up (pid 9217) 3561 seconds
/service/qmail-pop3ds/log: up (pid 9220) 3561 seconds
messages in queue: 2
messages in queue but not yet preprocessed: 27
#上面的执行qmailctl stat的结果。时间要大于1秒，如果时间一会是0秒，一会是1秒，那表明在执行run文件中有错误，去看日志里的错误提示。调试方法：

# ps -efl | grep "service errors" | grep -v grep
4 S root 5631 5626 0 75 0 - 303 pipe_w Sep01 ? 00:00:00 readproctitle service errors: .........
# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 c2forum.net ESMTP
ehlo
250-your.domain.com
250-AUTH LOGIN CRAM-MD5 PLAIN
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-PIPELINING
250 8BITMIME
auth login
334 VXNlcm5hbWU6
quit
# telnet localhost 110
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK <1520.11887344591214@your.domain.com>
user albert
+OK
pass albert
+OK
list
+OK
1 2734
2 31807
3 34957
4 20644
5 27798
6 26584
.
quit
# openssl s_client -connect localhost:465
(执行后，会有大段的证书相关的信息，这里省略，只复制来最后一行，然后测试就和telnet localhost 25 一样了)
220 your.domain.com ESMTP
openssl s_client -connect localhost:995
(执行后，会有大段的证书相关的信息，这里省略，只复制来最后一行，然后测试就和telnet localhost 110 一样了)
+OK <[email=@your.domain.com]1872.1188791523434@your.domain.com[/email]>
查看主要的日志，包括：
- /var/log/qmail/current
- /var/log/qmail/pop3d/current
- /var/log/qmail/pop3ds/current
- /var/log/qmail/smtpd/current
- /var/log/qmail/smtpds/current
- 另外你也可以在/etc/stunnel/smtp.conf 和 pop3.conf 文件中加入下面两个设置内容，以生成详细的调试日志。
  debug = 7
  output = /var/log/qmail/stunnel.log

可能遇到的问题：

如果你是用复制，那需要很小心，因为有的时候文件的换行在你复制到telnet客户端软件的时候会有可能变了，因为dos格式和unix格式有差别。尤其注意运行文件第一行的声明后的换行。
tcpserver: fatal: no IP address for your.domain.com
表示端口已经被其它进程占用，要么你停掉那个进程，要么换个端口。
Wrong permissions on /var/qmail/control/servercert.pem
servvercert.pem文件属性设置为600即可
/etc/stunnel/smtp.conf文件中最后的" /bin/true"不能忘记，否则客户端会提示验证不通过。
ssl证书问题，因为我们是自己签发的证书，所以客户端会提示，两个办法：1、购买权威机构签发的证书（非常贵，国内很多是国内范围的便宜价格，国际范围的就不一样了）。2、将serercert.pem文件重命名为 .crt 或 .cer 格式。然后在客户端机器中IE的Internet Options中导入，要选择自动。

如果你有问题，欢迎到我的blog中留言。

编辑了一下，前面忘记选“禁用 Smilies”了，很多内容变成Smilies了。呵呵。

[ 本帖最后由 amtd 于 2007-9-3 13:36 编辑 ]

文库|博客

amtd

白手起家

论坛徽章:: 0

2楼 [报告]

发表于 2007-09-03 14:13 |只看该作者

帖子发了内容格式有点乱了。没辙。

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

xuexh

白手起家

论坛徽章:: 0

3楼 [报告]

发表于 2007-09-25 05:18 |只看该作者

认证出问题?

我不用stunnel能发信, 根据如上的方法加上stunnel后,我就stunnel了

由于服务器拒绝收件人之一，无法发送邮件。被拒绝的电子邮件地址是“xue@chinats.net”。主题 'test', 帐户: 'xue@chinats.net', 服务器: 'mail1.chinats.net', 协议: SMTP, 服务器响应: 'CHKUSER relaying rcpt: from <xue@chinats.net

ue@chinats.net:> remote <xuedesk:unknown:192.168.1.102> rcpt <xue@chinats.net> : client allowed to relay', 端口: 465, 安全(SSL): 是, 错误号: 0x800CCC79

run:

#!/bin/sh
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
LOCAL=`head -1 /var/qmail/control/me`
if [ -z "$QMAILDUID" -o -z "$NOFILESGID" -o -z "$MAXSMTPD" -o -z "$LOCAL" ]
then
echo QMAILDUID, NOFILESGID, MAXSMTPD, or LOCAL is unset in
echo /var/qmail/supervise/qmail-smtpds/run
exit 1
fi
if [ ! -f /var/qmail/control/rcpthosts ]
then
echo "No /var/qmail/control/rcpthosts!"
echo "Refusing to start SMTP listener because it'll create an open relay"
exit 1
fi
exec /usr/local/bin/softlimit -m 20000000 \
      /usr/local/bin/tcpserver -v -R -H -l "$LOCAL" -x /home/vpopmail/etc/tcp.smtp.cdb -c "$MAXSMTPD" \
   -u 89 -g 89 0 465 \
      /sbin/stunnel /etc/stunnel/smtps.conf 2>&1

smtps.conf  :

# /etc/stunnel/smtps.conf
cert = /var/qmail/control/servercert.pem
#key = /var/qmail/control/clientcert.pem
exec = /var/qmail/bin/qmail-smtpd
execargs = qmail-smtpd /home/vpopmail/bin/vchkpw /bin/true 2>&1

请大侠帮忙看看

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

nicsky

稍有积蓄

论坛徽章:: 0

4楼 [报告]

发表于 2008-05-05 16:09 |只看该作者

谢谢楼主了。

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

netlogon

稍有积蓄

论坛徽章:: 0

5楼 [报告]

发表于 2009-07-10 16:16 |只看该作者

我已经成功设置了,感谢你

不过我有个问题,我的qmail server是有多个mail domain的,如果每个domain都需要ssl pop3收邮件,请问我是不是需要把所有的domain name的ssl证书复制到servercert.pem文件中呢?

我经过测试,好像不正常,多谢指教,谢谢.

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

earlcn

白手起家

论坛徽章:: 0

6楼 [报告]

发表于 2010-10-26 18:04 |只看该作者

我的pop3可以了，但是smtp有问题：

openssl s_client -connect localhost:465
CONNECTED(00000003)
write:errno=104
——————————————————
log日志：
ok 5576 meis.com.cn:127.0.0.1:465 localhost:127.0.0.1::48487
Snagged 64 random bytes from /dev/urandom
RAND_status claims sufficient entropy for the PRNG
PRNG seeded successfully
Certificate: /var/qmail/control/servercert.pem
Error reading certificate file: /var/qmail/control/servercert.pem
error stack: 140DC002 : error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib
error stack: 20074002 : error:20074002:BIO routines:FILE_CTRL:system lib
SSL_CTX_use_certificate_chain_file: 200100D: error:0200100D:system library:fopen