Sendmail security
Environment: DNS server: server1.example.com 192.168.32.31
Mail Server: station2.example.com 192.168.32.32
Mail Client: station3.example.com 192.168.32.33
I. Making station2.example.com send and receive mail for the example.com domain
1. Modify the DNS configuration
[root@server1 ~]# vi /var/named/chroot/var/named/example.com.zone
@ IN MX 10 station2.example.com.
# All mail for example.com is sent and received by station2.example.com
2. Mail Server configuration
[root@station2 mail]# alternatives --config mta
共有 2 個程式提供“mta”。
選擇 指令
-----------------------------------------------
*+ 1 /usr/sbin/sendmail.sendmail
2 /usr/sbin/sendmail.postfix
按 Enter 來儲存目前選擇[+],或鍵入選擇号碼:
# Select sendmail as the default MTA
[root@station2 mail]# vi /etc/mail/sendmail.mc
dnl # DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
# Comment out (with dnl) the listener restricted to 127.0.0.1; sendmail then listens on all interfaces by default
[root@station2 mail]# vi /etc/mail/local-host-names
example.com
# Every host in example.com is aliased to example.com, so all mail for example.com is received and sent by station2.example.com
[root@station2 mail]# m4 /etc/mail/sendmail.mc >/etc/mail/sendmail.cf
[root@station2 mail]# service sendmail restart
II. Mail Server security (/etc/mail/sendmail.mc configuration options)
1. Change the various displayed strings
define(`confSMTP_LOGIN_MSG', `Exchange server 2008') # Change the version string shown in the SMTP greeting banner
define(`confPRIVACY_FLAGS', `goaway')
# Hide various information; the flags are not arbitrary, their format has strict requirements
2. Preventing DoS attacks
define(`confMAX_MESSAGE_SIZE', `1000000') # Limit message size to about 1 MB
define(`confMAX_DAEMON_CHILDREN', `20') # Limit the number of daemon child processes
define(`confCONNECTION_RATE_THROTTLE', `3') # Limit the number of incoming connections per second
define(`confMIN_FREE_BLOCKS', `100') # Minimum free disk space (in blocks) reserved for receiving mail
3. Other minor parameters
confMAX_HEADERS_LENGTH
# maximum length of all message headers, in bytes
confMAX_HOP
# number of times a message can pass through the server before it is considered to be in a loop
confMAX_RCPTS_PER_MESSAGE
# maximum number of recipients for a message
confREFUSE_LA
# incoming mail connections are refused if the system load average rises above this value
4. Permissions of related files
• Restrict write access to root only
# Configuration files
# Database files
• confSAFE_FILE_ENV # Only deliver to regular files
• confDONT_BLAME_SENDMAIL # Turns off safety checks; avoid using it
III. Aliases and mail forwarding
1. /etc/aliases: user aliases; only root can define and modify them
[root@station2 mail]# vi /etc/aliases
admin: guest2001
# Mail sent to admin is forwarded to guest2001
[root@station2 mail]# newaliases # Rebuild the alias database
2. ~/.forward: forwarding rules defined by the user themselves
[root@station2 ~]# vi .forward
user3
# Mail sent to root is automatically forwarded to user3
IV. Access control
1. /etc/mail/access: the mail access (blacklist) file
[root@station2 ~]# vi /etc/mail/access
Connect:localhost.localdomain RELAY
Connect:localhost RELAY
Connect:127.0.0.1 RELAY
Connect:192.168.40 OK
Connect:spamRus.net REJECT
Connect:nobody@ ERROR:550 bad name
Connect:[email protected] ERROR:500 disabled
Result: REJECT: reject
OK: accept unconditionally, let through
RELAY: accept (relaying allowed)
DISCARD: reject without returning any message
ERROR: reject with an error reply
2. Authenticated Relay (authentication)
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN') # Enable SMTP authentication, mostly used for roaming users
3. DNS Blackhole List (DNSBL)
[root@station2 ~]# vi /etc/mail/sendmail.mc
FEATURE(`dnsbl',`station3.example.com',`"550 Message"')dnl
# Enable the DNS blackhole list using the zone station3.example.com; mail sent from station3.example.com is rejected with the 550 message
[root@station2 ~]# m4 /etc/mail/sendmail.mc >/etc/mail/sendmail.cf
[root@station2 ~]# service sendmail restart
33.32.168.192.station3.example.com. IN A 127.0.0.2
# DNSBL entry: the reversed-octet name for 192.168.32.33 resolves to 127.0.0.2, which marks that address as listed
[root@server1 ~]# service named restart
[root@server1 ~]# nslookup
> 33.32.168.192.station3.example.com
Server: 192.168.32.31
Address: 192.168.32.31#53
Name: 33.32.168.192.station3.example.com
Address: 127.0.0.2
# After these steps, mail sent from station3.example.com to the example.com domain fails to be delivered and a 550 error is returned to station3.example.com
This article was reposted from netsword's 51CTO blog; original link: http://blog.51cto.com/netsword/529113
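As an added example that is not part of the original post, the Python below models the two client checks in this section: the Connect: lookups sendmail performs against /etc/mail/access (most specific key first, dropping trailing octets or leading host labels on each retry) and the reversed-octet name it queries for FEATURE(`dnsbl'). The access entries are constructed from the ones shown above, and the matching logic (parse_access, candidate_keys, connect_policy, dnsbl_query_name) is a simplified model covering Connect: entries for IPv4 addresses and host names only, not sendmail's own code.

```python
import ipaddress

# Constructed access-file content mirroring the Connect: entries shown above.
ACCESS_TEXT = """\
Connect:localhost.localdomain RELAY
Connect:localhost RELAY
Connect:127.0.0.1 RELAY
Connect:192.168.40 OK
Connect:spamRus.net REJECT
Connect:nobody@ ERROR:550 bad name
"""

def parse_access(text):
    """Map each 'key value' line to its action. Keys are folded to lower
    case (makemap's default); the value keeps any embedded spaces."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        table[key.lower()] = value
    return table

def candidate_keys(client):
    """Keys from most to least specific, in the order sendmail tries them:
    an IPv4 address loses trailing octets (192.168.40.5, 192.168.40,
    192.168, 192); a host name loses leading labels (mx.spamrus.net,
    spamrus.net, net). Simplified model: IPv4 and host names only."""
    parts = client.lower().split(".")
    try:
        ipaddress.IPv4Address(client)
        return [".".join(parts[:i]) for i in range(len(parts), 0, -1)]
    except ipaddress.AddressValueError:
        return [".".join(parts[i:]) for i in range(len(parts))]

def connect_policy(table, client):
    """Action for a connecting client, or None when no Connect: entry
    matches (sendmail then accepts the connection but refuses to relay)."""
    for key in candidate_keys(client):
        action = table.get("connect:" + key)
        if action is not None:
            return action
    return None

def dnsbl_query_name(ip, zone):
    """Name sendmail resolves for FEATURE(`dnsbl'): reversed octets + zone,
    e.g. 192.168.32.33 -> 33.32.168.192.station3.example.com."""
    return ".".join(reversed(ip.split("."))) + "." + zone
```

Because `Connect:192.168.40 OK` matches after the last octet is dropped, it covers the whole 192.168.40.0/24 range, while a host under spamRus.net is rejected once its leading label is stripped.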