4、TLS支持
通过修改/usr/lib/ssl/misc/CA.pll脚本实现,以下修改后CA1.pl和未修改CA.pl之间的对比:
*** CA.pl
--- CA1.pl
***************
*** 59,69 ****
} elsif (/^-newcert$/) {
# create a certificate
! system ("$REQ -new -x509 -keyout newreq.pem -out newreq.pem $DAYS");
$RET=$?;
print "Certificate (and private key) is in newreq.pem\n"
} elsif (/^-newreq$/) {
# create a certificate request
! system ("$REQ -new -keyout newreq.pem -out newreq.pem $DAYS");
$RET=$?;
print "Request (and private key) is in newreq.pem\n";
} elsif (/^-newca$/) {
--- 59,69 ----
} elsif (/^-newcert$/) {
# create a certificate
! system ("$REQ -new -x509 -nodes -keyout newreq.pem -out newreq.pem $DAYS");
$RET=$?;
print "Certificate (and private key) is in newreq.pem\n"
} elsif (/^-newreq$/) {
# create a certificate request
! system ("$REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS");
$RET=$?;
print "Request (and private key) is in newreq.pem\n";
} elsif (/^-newca$/) {
现在就可以使用修改的CA1.pl来签发证书:
# cd /usr/local/ssl/misc
# ./CA1.pl -newca
# ./CA1.pl -newreq
# ./CA1.pl -sign
# cp demoCA/cacert.pem /etc/postfix/CAcert.pem
# cp newcert.pem /etc/postfix/cert.pem
# cp newreq.pem /etc/postfix/key.pem
修改main.cf,添加:
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_key_file = /etc/postfix/privkey.pem
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
tls_daemon_random_source = dev:/dev/urandom
重起postfix后就可以看到250-STARTTLS
很多邮件客户端对TLS的支持并不是非常好,建议使用stunnel来实现相应的smtp和pop3加密。
# apt-get install stunnel
证书:
# openssl req -new -x509 -days 365 -nodes -config /etc/ssl/openssl.cnf -out stunnel.pem -keyout stunnel.pem
# openssl gendh 512 >> stunnel.pem
服务端:
# stunnel -d 60025 -r 25 -s nobody -g nogroup
# stunnel -d 60110 -r 110 -s nobody -g nogroup
如果使用-n pop3等参数就只能用邮件客户端收信。
客户端:
建一个stunnel.conf文件:
client = yes
[pop3]
accept = 127.0.0.1:110
connect = 192.168.7.144:60110
[smtp]
accept = 127.0.0.1:25
connect = 192.168.7.144:60025
然后启动stunnel.exe,在邮件客户端的smtp和pop3的服务器都填127.0.0.1就可以了,这样从你到邮件服务器端的数据传输就让stunnel给你加密了。
5、测试用户
# mkdir -p /home/vmail/test.org/san/
# chown -R nobody.nogroup /home/vmail
# chmod -R 700 /home/vmail
mysql> use postfix
mysql> insert into transport set domain=‘test.org‘, destination=‘virtual:‘;
mysql> insert into users set email=‘san@test.org‘,clear=‘test‘,name=‘‘,uid=‘65534‘,gid=‘65534‘,homedir=‘home/vmail‘,maildir=‘test.org/san/‘;
然后就可以使用客户端收发邮件,记得用户名是email地址。
二、防病毒系统
1、安装McAfee uvscan for linux
McAfee uvscan for linux虽然是试用,但是没有什么限制,可以升级,也没有过期。
# wget http://download.nai.com/products/evaluation/virusscan/english/cmdline/linux/version_4.24/intel/vlnx424e.tar.Z
# tar xzf vlnx424e.tar.Z
# ./install-uvscan
默认会装到/usr/local/uvscan目录下,不过uvscan需要libstdc++.so.2.8,直接运行出现如下错误:
# uvscan
uvscan: error while loading shared libraries: libstdc++.so.2.8: cannot open shared object file: No such file or directory
可以从如下地址获得libstdc++.so.2.8的安装包:
# wget http://debian.marlow.dk/dists/woody/virus/pool/lib/libstdc++2.8_2.90.29-2.deb
# dpkg -i libstdc++2.8_2.90.29-2.deb
这样uvscan就可以正常运行了,不过会提示病毒库比较老了云云。写个病毒库更新脚本扔到crontab跑去吧:
#!/bin/sh
#
# update-dat.sh
#
cd /usr/local/uvscan/
wget -q -O readme.txt http://download.nai.com/products/datfiles/4.x/nai/readme.txt >/dev/null
AVVER=`head -5 readme.txt | grep ‘ 4[0-9][0-9][0-9] ‘ | head -1 | sed -e ‘s/^.* \(4[0-9]*\) .*$/\1/‘`
if [ ! -f dat-$AVVER.tar ]; then
for i in *.tar ; do
mv $i $i.old
done
if wget http://download.nai.com/products/datfiles/4.x/nai/dat-$AVVER.tar >/dev/null ; then
for i in *.dat ; do
cp -p $i $i.bak
done
if tar xf dat-$AVVER.tar ; then
rm -f *.old
echo `date` Successfully updated AntiVirus DAT files to $AVVER
fi
fi
fi
2、AMaViS的安装
AMaViS是uvscan和postfix之间的一个桥梁,完成邮件解码,交给uvscan查毒,然后再处理,转发操作。
安装amavisd前先确定以下软件已经安装,lha、unarj等使用的no-free的分支版本:
# apt-get install libio-stringy-perl mailtools libmime-perl libmailtools-perl libmime-base64-perl \
libcompress-zlib-perl libconvert-uulib-perl libconvert-tnef-perl tnef libarchive-tar-perl \
libarchive-zip-perl libtime-hires-perl libunix-syslog-perl libdigest-md5-perl lha unarj unzip \
gzip unrar zoo
stable版本的amavisd比较老,使用如下链接:
# wget http://debian.marlow.dk/dists/woody/custom/pool/compress/arc_5.21e-5_i386.deb
# wget http://debian.marlow.dk/dists/woody/virus/pool/wrapper/amavisd-new_20030314p1-2_all.deb
# wget http://debian.marlow.dk/dists/woody/virus/pool/lib/libnet-perl_1.12-1_all.deb
# wget http://debian.marlow.dk/dists/woody/virus/pool/lib/libnet-server-perl_0.84-3_all.deb
先安装CPAN:
# perl -MCPAN -e shell
cpan> install CPAN
cpan> install LWP
cpan> install Archive::Tar
cpan> install Archive::Zip
cpan> install Compress::Zlib
cpan> install Convert::TNEF
cpan> install Convert::UUlib
cpan> install MIME::Base64
cpan> install MIME::Parser
cpan> install Mail::Internet
cpan> install Net::Server
cpan> install Net::SMTP
cpan> install Digest::MD5
cpan> install IO::Stringy
cpan> install Time::HiRes
cpan> install Unix::Syslog
安装四个下载的软件包:
# dpkg -i *.deb
修改/etc/amavis/amavisd.conf:
@inet_acl = qw( 127/8 1.2.3.4/32 ); # 1.2.3.4 is your external ip .. because want maybe also accept mail from that interface, it‘s up to you.
$warnvirussender = 1; # I want to warn people, who have got virus.
$warnvirusrecip = 1; # I want to warn my users about virus send to them.
$warn_offsite = 1; # I want to warn senders/recipients, that are not located on my server
$mailfrom_notify_admin = ‘virusalert@example.com‘; #
$mailfrom_notify_recip = ‘virusalert@example.com‘; # Change these to the appropriate email-adresses, you wish to use as sender
$mailfrom_notify_spamadmin = ‘spam.police@example.com‘; # for spam and virus warnings
$hdrfrom_notify_sender = ‘AMaViS (content filter) <postmaster@example.com>‘;
$virus_admin = ‘virus-admin@example.com‘; #
$spam_admin = ‘spam-admin@example.com‘; #
指定使用uvscan:
@av_scanners = (
[‘NAI McAfee AntiVirus (uvscan)‘, ‘uvscan‘,
‘--secure -rv --summary --noboot {}‘, [0], [13],
qr/(?x) Found (?:
\ the\ (.+)\ (?:virus|trojan) |
\ (?:virus|trojan)\ or\ variant\ ([^ ]+) |
:\ (.+)\ NOT\ a\ virus)/ ],
);
找到/etc/postfix/master.cf如下行:
smtp inet n - n - - smtpd
改为如下:
smtp inet n n n - - smtpd -o content_filter=smtp-amavis:[127.0.0.1]:10024
smtp-amavis unix - - n - 2 smtp
-o smtp_data_done_timeout=1200
-o disable_dns_lookups=yes
127.0.0.1:10025 inet n - n - - smtpd
-o local_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o strict_rfc821_envelopes=yes
重启postfix,这样在收到病毒邮件的时候能够在日志文件看到如下的信息:
Jul 16 15:34:22 xxx amavis[30997]: (30997-09) INFECTED (W32/Nimda.gen@MM), (?) -> <xxx@xxx.org>, quarantine virus-20030716-153422-30997-09, Message-ID: 20030716073414.520D3E5C2F@xxx
分页: [1] [2] [3]
- 上一篇:qmail收邮件很慢的问题
- 下一篇:浅析网络安全防护技术