忘记密码   免费注册 查看新帖 | 论坛精华区

ChinaUnix.net

  平台 论坛 博客 认证专区 大话IT HPC论坛 徽章 文库 沙龙 自测 下载 频道自动化运维 虚拟化 储存备份 C/C++ PHP MySQL 嵌入式 Linux系统
最近访问板块 发新帖
查看: 14722 | 回复: 6

[Mail] 原创: Qmail openssl stunnel ssl pop3 995 smtp 465 配置 安装 [复制链接]

论坛徽章:
0
发表于 2007-09-03 13:34 |显示全部楼层
原文在我的blog里:http://spire.spaces.live.com/blog/cns!8CE483F458A23E32!1425.entry :lol:

服务器在境外,GFW很烦,因此给qmail邮件服务器增加了ssl链接方式。而这方面的中文资料很少,尤其是使用stunnel的,所以升级了后,写了这篇手记。

按之前的qmail vpopmail的方式安装好。我的服务器原来就安装qmail,一切工作正常,仅仅打了smtp验证的补丁。

如果是这样,那就可以直接升级。

需要安装下面两个软件:
  • openssl (http://www.openssl.org)
    # cd openssl-0.9.8e
    # ./config
    # make
    # make test
    # make install
    # openssl version

    OpenSSL 0.9.8e 23 Feb 2007
  • stunnel (http://www.stunnel.org) (stunnel 配置的时候主意设定一下安装路径 /sbin/stunnel /etc/stunnel 主要的两个。)
    # ./configure --sysconfdir=/etc --localstatedir=/var --sharedstatedir=/var --sbindir=/sbin
    # make
    # make install
    # stunnel -version
    stunnel 4.20 on i686-pc-linux-gnu with OpenSSL 0.9.8e 23 Feb 2007
    Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv4
    Global options
    debug           = 5
    pid             = /usr/local/var/run/stunnel/stunnel.pid
    RNDbytes        = 64
    RNDfile         = /dev/urandom
    RNDoverwrite    = yes
    Service-level options
    cert            = /etc/stunnel/stunnel.pem
    ciphers         = ALL:!ADH:+RC4:@STRENGTH
    key             = /etc/stunnel/stunnel.pem
    session         = 300 seconds
    sslVersion      = SSLv3 for client, all for server
    TIMEOUTbusy     = 300 seconds
    TIMEOUTclose    = 60 seconds
    TIMEOUTconnect  = 10 seconds
    TIMEOUTidle     = 43200 seconds
    verify          = none
安装好后,建立两个文件 /etc/stunnel/pop3.conf
# /etc/stunnel/pop3.conf
cert = /var/qmail/control/servercert.pem
exec = /var/qmail/bin/qmail-popup
execargs = qmail-popup your.domain.com /home/vpopmail/bin/vchkpw /var/qmail/bin/qmail-pop3d Maildir
/etc/stunnel/smtp.conf
# /etc/stunnel/smtp.conf
cert = /var/qmail/control/servercert.pem
exec = /var/qmail/bin/qmail-smtpd
execargs = qmail-smtpd /home/vpopmail/bin/vchkpw /bin/true
建立qmail服务器证书(反正是自己签发证书,想多长时间都可以,这里设定10年,呵呵): # openssl req -new -x509 -nodes -out servercert.pem -days 3650 -keyout servercert.pem 需该服务器证书文件servercert.pem的文件属性: # ln -s /var/qmail/control/servercert.pem clientcert.pem
# chown -R vpopmail:qmail /var/qmail/control/clientcert.pem /var/qmail/control/servercert.pem
# chmod 600 servercert.pem #这个很重要哦
建立pop3和smtp ssl的run文件 # mkdir -p /var/qmail/supervise/qmail-pop3ds/log /var/qmail/supervise/qmail-smtpds/log /var/log/qmail/pop3ds /var/log/qmail/smtpds /var/qmail/supervise/qmail-pop3ds/run
#!/bin/sh
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
LOCAL=`head -1 /var/qmail/control/me`
exec /usr/local/bin/softlimit -m 20000000 \
/usr/local/bin/tcpserver -H -R -v -l "$LOCAL" -c "$MAXSMTPD" 0 995 \
/sbin/stunnel /etc/stunnel/pop3.conf 2>&1

/var/qmail/supervise/qmail-pop3ds/run/log/run
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t \
    /var/log/qmail/pop3ds

/var/qmail/supervise/qmail-smtpds/run
#!/bin/sh
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
LOCAL=`head -1 /var/qmail/control/me`
if [ -z "$QMAILDUID" -o -z "$NOFILESGID" -o -z "$MAXSMTPD" -o -z "$LOCAL" ]; then
    echo QMAILDUID, NOFILESGID, MAXSMTPD, or LOCAL is unset in
    echo /var/qmail/supervise/qmail-smtpds/run
    exit 1
fi
if [ ! -f /var/qmail/control/rcpthosts ]; then
    echo "No /var/qmail/control/rcpthosts!"
    echo "Refusing to start SMTP listener because it'll create an open relay"
    exit 1
fi
exec /usr/local/bin/softlimit -m 20000000 \
        /usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
       -u 89 -g 89 0 465 \
        /sbin/stunnel /etc/stunnel/smtp.conf 2>&1
/var/qmail/supervise/qmail-smtpds/log/run
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t /var/log/qmail/smtpds
将执行文件链接到/service中: # cd /service
# ln -s /var/qmail/supervise/qmail-pop3ds/ qmail-pop3ds
# ln -s /var/qmail/supervise/qmail-smtpds/ qmail-smtpds
修改qmailctl文件: /var/qmail/bin/qmailctl #这个文件编写的有点复杂,我还有个更简单的,我回头贴出来。
#!/bin/sh
# Description: the qmail MTA
PATH=/var/qmail/bin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin
export PATH
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
case "$1" in
  start)
    echo "Starting qmail..."
    echo "  qmail-send"
    if svok /service/qmail-send ; then
      svc -u /service/qmail-send /service/qmail-send/log
    else
      echo "  qmail-send supervise not running"
    fi
    echo "  qmail-smtp"
    if svok /service/qmail-smtpd ; then
      svc -u /service/qmail-smtpd /service/qmail-smtpd/log
    else
      echo "  qmail-smtpd supervise not running"
    fi
    echo "  qmail-smtp ssl"
    if svok /service/qmail-smtpds ; then
      svc -u /service/qmail-smtpds /service/qmail-smtpds/log
    else
      echo "  qmail-smtpd ssl supervise not running"
    fi
    echo "  qmail-pop3d"
    if svok /service/qmail-pop3d ; then
      svc -u /service/qmail-pop3d /service/qmail-pop3d/log
    else
      echo "  qmail-pop3d supervise not running"
    fi
    echo "  qmail-pop3d ssl"
    if svok /service/qmail-pop3ds ; then
      svc -u /service/qmail-pop3ds /service/qmail-pop3ds/log
    else
      echo " qmail-pop3d ssl service not running"
    fi
    if [ -d /var/lock/subsys ]; then
      touch /var/lock/subsys/qmail
    fi
    ;;
  stop)
    echo "Stopping qmail..."
    echo "  qmail-smtpd"
    svc -d /service/qmail-smtpd /service/qmail-smtpd/log
    echo "  qmail-smtpd ssl"
    svc -d /service/qmail-smtpds /service/qmail-smtpds/log
    echo "  qmail-send"
    svc -d /service/qmail-send /service/qmail-send/log
    echo "  qmail-pop3d"
    svc -d /service/qmail-pop3d /service/qmail-pop3d/log
    echo "  qmail-pop3d ssl"
    svc -d /service/qmail-pop3ds /service/qmail-pop3ds/log
    if [ -f /var/lock/subsys/qmail ]; then
      rm /var/lock/subsys/qmail
    fi
    ;;
  stat)
    svstat /service/qmail-send
    svstat /service/qmail-send/log
    svstat /service/qmail-smtpd
    svstat /service/qmail-smtpd/log
    svstat /service/qmail-smtpds
    svstat /service/qmail-smtpds/log
    svstat /service/qmail-pop3d
    svstat /service/qmail-pop3d/log
    svstat /service/qmail-pop3ds
    svstat /service/qmail-pop3ds/log
    qmail-qstat
    ;;
  doqueue|alrm|flush)
    echo "Flushing timeout table and sending ALRM signal to qmail-send."
    /var/qmail/bin/qmail-tcpok
    svc -a /service/qmail-send
    ;;
  queue)
    qmail-qstat
    qmail-qread
    ;;
  reload|hup)
    echo "Sending HUP signal to qmail-send."
    svc -h /service/qmail-send
    ;;
  pause)
    echo "Pausing"
    echo "  qmail-send"
    svc -p /service/qmail-send
    echo "  qmail-smtpd"
    svc -p /service/qmail-smtpd
    echo "  qmail-smtpd ssl"
    svc -p /service/qmail-smtpds
    echo "  qmail-pop3d"
    svc -p /service/qmail-pop3d
    echo "  qmail-pop3d ssl"
    svc -p /service/qmail-pop3ds
    ;;
  cont)
    echo "Continuing"
    echo "  qmail-send"
    svc -c /service/qmail-send
    echo "  qmail-smtpd"
    svc -c /service/qmail-smtpd
    echo "  qmail-smtpd ssl"
    svc -c /service/qmail-smtpds
    echo "  qmail-pop3d"
    svc -c /service/qmail-pop3d
    echo "  qmail-pop3ds"
    svc -c /service/qmail-pop3ds
    ;;
  restart)
    echo "Restarting qmail:"
    echo "* Stopping qmail-smtpd."
    svc -d /service/qmail-smtpd /service/qmail-smtpd/log
    echo "* Stopping qmail-smtpd ssl."
    svc -d /service/qmail-smtpds /service/qmail-smtpds/log
    echo "* Sending qmail-send SIGTERM and restarting."
    svc -t /service/qmail-send /service/qmail-send/log
    echo "* Restarting qmail-smtpd."
    svc -u /service/qmail-smtpd /service/qmail-smtpd/log
    echo "* Restarting qmail-smtpd ssl."
    svc -u /service/qmail-smtpds /service/qmail-smtpds/log
    echo "* Restarting qmail-pop3d."
    svc -t /service/qmail-pop3d /service/qmail-pop3d/log
    echo "* Restarting qmail-pop3ds."
    svc -t /service/qmail-pop3ds /service/qmail-pop3ds/log
    ;;
  cdb)
    tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp
    chmod 644 /etc/tcp.smtp.cdb
    echo "Reloaded /etc/tcp.smtp."
    ;;
  help)
    cat <<HELP
   stop -- stops mail service (smtp connections refused, nothing goes out)
  start -- starts mail service (smtp connection accepted, mail can go out)
  pause -- temporarily stops mail service (connections accepted, nothing leaves)
   cont -- continues paused mail service
   stat -- displays status of mail service
    cdb -- rebuild the tcpserver cdb file for smtp
restart -- stops and restarts smtp, sends qmail-send a TERM & restarts it
doqueue -- schedules queued messages for immediate delivery
reload -- sends qmail-send HUP, rereading locals and virtualdomains
  queue -- shows status of queue
   alrm -- same as doqueue
  flush -- same as doqueue
    hup -- same as reload
HELP
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|doqueue|flush|reload|stat|pause|cont|cdb|queu
e|help}"
    exit 1
    ;;
esac
exit 0


这个时候,上面的两个文件应该都启动了。但我们还是重新启动一次: # qmailctl stop
# qmailctl start
# qmailctl stat

/service/qmail-send: up (pid 9196) 3561 seconds
/service/qmail-send/log: up (pid 9197) 3561 seconds
/service/qmail-smtpd: up (pid 9200) 3561 seconds
/service/qmail-smtpd/log: up (pid 9202) 3561 seconds
/service/qmail-smtpds: up (pid 9205) 3561 seconds
/service/qmail-smtpds/log: up (pid 9207) 3561 seconds
/service/qmail-pop3d: up (pid 9210) 3561 seconds
/service/qmail-pop3d/log: up (pid 9214) 3561 seconds
/service/qmail-pop3ds: up (pid 9217) 3561 seconds
/service/qmail-pop3ds/log: up (pid 9220) 3561 seconds
messages in queue: 2
messages in queue but not yet preprocessed: 27
#上面的执行qmailctl stat的结果。时间要大于1秒,如果时间一会是0秒,一会是1秒,那表明在执行run文件中有错误,去看日志里的错误提示。 调试方法:
  • # ps -efl | grep "service errors" | grep -v grep
    4 S root      5631  5626  0  75   0 -   303 pipe_w Sep01 ?        00:00:00 readproctitle service errors: .........
  • # telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 c2forum.net ESMTP
    ehlo
    250-your.domain.com
    250-AUTH LOGIN CRAM-MD5 PLAIN
    250-AUTH=LOGIN CRAM-MD5 PLAIN
    250-PIPELINING
    250 8BITMIME
    auth login
    334 VXNlcm5hbWU6
    quit
  • # telnet localhost 110
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    +OK <
    1520.11887344591214@your.domain.com>
    user albert
    +OK
    pass albert
    +OK
    list
    +OK
    1 2734
    2 31807
    3 34957
    4 20644
    5 27798
    6 26584
    .
    quit
  • # openssl s_client -connect localhost:465
    (执行后,会有大段的证书相关的信息,这里省略,只复制来最后一行,然后测试就和telnet localhost 25 一样了)
    220 your.domain.com ESMTP
  • openssl s_client -connect localhost:995
    (执行后,会有大段的证书相关的信息,这里省略,只复制来最后一行,然后测试就和telnet localhost 110 一样了)
    +OK <[email=@your.domain.com]1872.1188791523434@your.domain.com[/email]>
  • 查看主要的日志,包括:
    • /var/log/qmail/current
    • /var/log/qmail/pop3d/current
    • /var/log/qmail/pop3ds/current
    • /var/log/qmail/smtpd/current
    • /var/log/qmail/smtpds/current
    • 另外你也可以在/etc/stunnel/smtp.conf 和 pop3.conf 文件中加入下面两个设置内容,以生成详细的调试日志。
      debug = 7
      output = /var/log/qmail/stunnel.log
可能遇到的问题:
  • 如果你是用复制,那需要很小心,因为有的时候文件的换行在你复制到telnet客户端软件的时候会有可能变了,因为dos格式和unix格式有差别。尤其注意运行文件第一行的声明后的换行。
  • tcpserver: fatal: no IP address for your.domain.com
    表示端口已经被其它进程占用,要么你停掉那个进程,要么换个端口。
  • Wrong permissions on /var/qmail/control/servercert.pem
    servvercert.pem文件属性设置为600即可
  • /etc/stunnel/smtp.conf文件中最后的" /bin/true"不能忘记,否则客户端会提示验证不通过。
  • ssl证书问题,因为我们是自己签发的证书,所以客户端会提示,两个办法:1、购买权威机构签发的证书(非常贵,国内很多是国内范围的便宜价格,国际范围的就不一样了)。2、将serercert.pem文件重命名为 .crt 或 .cer 格式。然后在客户端机器中IE的Internet Options中导入,要选择自动。
如果你有问题,欢迎到我的blog中留言。


编辑了一下,前面忘记选“禁用 Smilies”了,很多内容变成Smilies了。呵呵。

[ 本帖最后由 amtd 于 2007-9-3 13:36 编辑 ]

论坛徽章:
0
发表于 2007-09-03 14:13 |显示全部楼层
帖子发了内容格式有点乱了。没辙。

论坛徽章:
0
发表于 2007-09-25 05:18 |显示全部楼层

认证出问题?

我不用stunnel能发信, 根据如上的方法加上stunnel后,我就stunnel了

由于服务器拒绝收件人之一,无法发送邮件。被拒绝的电子邮件地址是“xue@chinats.net”。 主题 'test', 帐户: 'xue@chinats.net', 服务器: 'mail1.chinats.net', 协议: SMTP, 服务器响应: 'CHKUSER relaying rcpt: from <xue@chinats.netue@chinats.net:> remote <xuedesk:unknown:192.168.1.102> rcpt <xue@chinats.net> : client allowed to relay', 端口: 465, 安全(SSL): 是, 错误号: 0x800CCC79


run:  


#!/bin/sh
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
LOCAL=`head -1 /var/qmail/control/me`
if [ -z "$QMAILDUID" -o -z "$NOFILESGID" -o -z "$MAXSMTPD" -o -z "$LOCAL" ]
then
    echo QMAILDUID, NOFILESGID, MAXSMTPD, or LOCAL is unset in
    echo /var/qmail/supervise/qmail-smtpds/run
    exit 1
fi
if [ ! -f /var/qmail/control/rcpthosts ]
then
    echo "No /var/qmail/control/rcpthosts!"
    echo "Refusing to start SMTP listener because it'll create an open relay"
    exit 1
fi
exec /usr/local/bin/softlimit -m 20000000 \
        /usr/local/bin/tcpserver -v -R -H -l "$LOCAL" -x /home/vpopmail/etc/tcp.smtp.cdb -c "$MAXSMTPD" \
       -u 89 -g 89 0 465 \
        /sbin/stunnel /etc/stunnel/smtps.conf 2>&1



smtps.conf  :


# /etc/stunnel/smtps.conf
cert = /var/qmail/control/servercert.pem
#key = /var/qmail/control/clientcert.pem
exec = /var/qmail/bin/qmail-smtpd
execargs = qmail-smtpd /home/vpopmail/bin/vchkpw /bin/true 2>&1

请大侠帮忙看看

论坛徽章:
0
发表于 2008-05-05 16:09 |显示全部楼层
谢谢楼主了。

论坛徽章:
0
发表于 2009-07-10 16:16 |显示全部楼层
我已经成功设置了,感谢你

不过我有个问题,我的qmail server是有多个mail domain的,如果每个domain都需要ssl pop3收邮件,请问我是不是需要把所有的domain name的ssl证书复制到servercert.pem文件中呢?

我经过测试,好像不正常,多谢指教,谢谢.

论坛徽章:
0
发表于 2010-10-26 18:04 |显示全部楼层
我的pop3可以了,但是smtp有问题:

openssl s_client -connect localhost:465
CONNECTED(00000003)
write:errno=104
——————————————————
log日志:
ok 5576 meis.com.cn:127.0.0.1:465 localhost:127.0.0.1::48487
Snagged 64 random bytes from /dev/urandom
RAND_status claims sufficient entropy for the PRNG
PRNG seeded successfully
Certificate: /var/qmail/control/servercert.pem
Error reading certificate file: /var/qmail/control/servercert.pem
error stack: 140DC002 : error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib
error stack: 20074002 : error:20074002:BIO routines:FILE_CTRL:system lib
SSL_CTX_use_certificate_chain_file: 200100D: error:0200100D:system library:fopenermission denied

———————————————————

论坛徽章:
0
发表于 2011-12-24 08:50 |显示全部楼层
再次把此帖顶出来,其实我也遇到了和楼上一样的问题,不知楼主是否解决。
您需要登录后才可以回帖 登录 | 注册

本版积分规则

  

北京盛拓优讯信息技术有限公司. 版权所有 京ICP备16024965号 北京市公安局海淀分局网监中心备案编号:11010802020122
广播电视节目制作经营许可证(京) 字第1234号 中国互联网协会会员  联系我们:
感谢所有关心和支持过ChinaUnix的朋友们 转载本站内容请注明原作者名及出处

清除 Cookies - ChinaUnix - Archiver - WAP - TOP