RHS333-7 Sendmail Security

Sendmail Security

Environment: DNS server  : server1.example.com  192.168.32.31
             Mail Server : station2.example.com 192.168.32.32
             Mail Client : station3.example.com 192.168.32.33

I. Make station2.example.com send and receive mail for the example.com domain

1. Modify the DNS configuration

[root@server1 ~]# vi /var/named/chroot/var/named/example.com.zone

@               IN MX   10      station2.example.com.

# All mail for example.com is sent and received by station2.example.com

2. Mail Server configuration

[root@station2 mail]# alternatives --config mta

共有 2 个程序提供“mta”。

选择    命令

-----------------------------------------------

*+ 1           /usr/sbin/sendmail.sendmail

   2           /usr/sbin/sendmail.postfix

按 Enter 来保存当前选择[+],或键入选择号码:

# Select sendmail as the default MTA

[root@station2 mail]# vi /etc/mail/sendmail.mc

dnl # DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

# Comment out the 127.0.0.1-only listener; sendmail then listens on all interfaces by default

[root@station2 mail]# vi /etc/mail/local-host-names

example.com

# Every host in example.com is treated as an alias of example.com, so all mail for example.com is received and sent by station2.example.com

[root@station2 mail]# m4 /etc/mail/sendmail.mc >/etc/mail/sendmail.cf

[root@station2 mail]# service sendmail restart

II. Mail Server security (/etc/mail/sendmail.mc configuration options)

1. Change the displayed banners

define(`confSMTP_LOGIN_MSG', `Exchange server 2008')  # change the version banner that is shown

define(`confPRIVACY_FLAGS', `goaway')

# Hide various information; the flag values are not arbitrary, the format is strict

2. Preventing DoS attacks

define(`confMAX_MESSAGE_SIZE', `1000000')  # limit message size to 1M

define(`confMAX_DAEMON_CHILDREN', `20')    # limit the number of daemon child processes

define(`confCONNECTION_RATE_THROTTLE', `3') # limit the number of connections per second

define(`confMIN_FREE_BLOCKS', `100')        # minimum free disk space (blocks) reserved for receiving mail

3. Other minor parameters

confMAX_HEADERS_LENGTH      # maximum length of all message headers, in bytes

confMAX_HOP                 # number of times a message can pass through the server before it is considered to be in a loop

confMAX_RCPTS_PER_MESSAGE   # limit on the maximum number of recipients for a message

confREFUSE_LA               # incoming mail connections are refused if the system load average rises above this value

4. Permissions on related files

• Restrict write access to root only

    # Configuration files

    # Database files

• confSAFE_FILE_ENV         # Only deliver to regular files

• confDONT_BLAME_SENDMAIL   # Turns off safety checks; avoid using it

III. Aliases and mail forwarding

1. /etc/aliases: user aliases; only root can define and modify them

[root@station2 mail]# vi /etc/aliases

admin:          guest2001

# Mail sent to admin is forwarded to guest2001

[root@station2 mail]# newaliases  # rebuild the alias database

2. ~/.forward: forwarding rules defined by the individual user

[root@station2 ~]# vi .forward

user3

[root@station2 ~]#

# A copy of every mail sent to root is automatically forwarded to user3

IV. Access control

1. /etc/mail/access: the file that records the mail blacklist

[root@station2 ~]# vi /etc/mail/access

Connect:localhost.localdomain           RELAY
Connect:localhost                       RELAY
Connect:127.0.0.1                       RELAY
Connect:192.168.40                      OK
Connect:spamRus.net                     REJECT
Connect:nobody@                         ERROR:550 bad name
Connect:[email protected]                   ERROR:500 disabled

Results: REJECT:  reject
         OK:      accept unconditionally, let through
         RELAY:   accept and relay
         DISCARD: reject silently, without returning any message
         ERROR:   reject and return an error

2. Authenticated Relay (authentication)

define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')    # enable SMTP authentication, mostly used for mobile users

3. DNS Blackhole List

[root@station2 ~]# vi /etc/mail/sendmail.mc

FEATURE(`dnsbl',`station3.example.com',`"550 Message"')dnl

# Enable the DNS blackhole list (the DNSBL zone here is station3.example.com); mail sent from station3.example.com is rejected

[root@station2 ~]# m4 /etc/mail/sendmail.mc >/etc/mail/sendmail.cf

[root@station2 ~]# service sendmail restart

33.32.168.192.station3.example.com. IN A 127.0.0.2

# Add this record to the zone on server1: the reversed address of 192.168.32.33 resolves to 127.0.0.2, so mail sent from 192.168.32.33 is treated as listed in the blackhole

[root@server1 ~]# service named restart

[root@server1 ~]# nslookup

> 33.32.168.192.station3.example.com

Server:         192.168.32.31

Address:        192.168.32.31#53

Name:   33.32.168.192.station3.example.com

Address: 127.0.0.2

# After the steps above, mail sent by station3.example.com to the example.com domain fails to be delivered, and a 550 error is returned to station3.example.com
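An added example (not from the original post or the RHS333 material) that models the two lookups used in this section in Python: how sendmail matches a connecting client against the `Connect:` keys of the access map, trying the most specific key first (full IP, then shorter octet prefixes; full hostname, then parent domains; tagged key before untagged), and how the dnsbl FEATURE turns a client address into the reversed-octet query name that the zone record above answers. The access entries and the zone record are constructed copies of the ones shown above.

```python
import ipaddress

# Constructed sample of /etc/mail/access, mirroring the entries shown above.
ACCESS_TEXT = """\
Connect:localhost.localdomain           RELAY
Connect:localhost                       RELAY
Connect:127.0.0.1                       RELAY
Connect:192.168.40                      OK
Connect:spamRus.net                     REJECT
Connect:nobody@                         ERROR:550 bad name
"""

# Constructed DNSBL zone data, mirroring the A record added on server1 above.
DNSBL_RECORDS = {"33.32.168.192.station3.example.com": "127.0.0.2"}

def parse_access(text):
    """Turn access-file lines into a {key: action} map. Keys are lower-cased,
    as a case-insensitive access.db would store them; '#' lines are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, action = line.split(None, 1)
        table[key.lower()] = action.strip()
    return table

def candidate_keys(client):
    """Keys sendmail tries for a connecting client, most specific first:
    an IP yields 'a.b.c.d', 'a.b.c', 'a.b', 'a'; a hostname yields the
    full name followed by each parent domain."""
    client = client.lower()
    try:
        ipaddress.IPv4Address(client)
        octets = client.split(".")
        return [".".join(octets[:n]) for n in range(4, 0, -1)]
    except ValueError:
        labels = client.split(".")
        return [".".join(labels[i:]) for i in range(len(labels))]

def connect_action(table, client):
    """First matching action for a client; a 'Connect:'-tagged key is tried
    before the untagged form of the same key. None means no entry matched."""
    for key in candidate_keys(client):
        for full in ("connect:" + key, key):
            if full in table:
                return table[full]
    return None

def dnsbl_query_name(ip, zone):
    """Reverse the octets of ip and append the DNSBL zone, as FEATURE(`dnsbl') does."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")

def dnsbl_listed(ip, zone, records=DNSBL_RECORDS):
    """Return the A record answering the DNSBL query (the client is listed), or None."""
    return records.get(dnsbl_query_name(ip, zone))
```

Clients that match no `Connect:` key fall through to sendmail's default policy, which is why 192.168.32.33 is only stopped by the DNSBL record and not by the access map above.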

This article is reposted from netsword's 51CTO blog; original link: http://blog.51cto.com/netsword/529113