
CentOS 4.4 mail server setup notes: implementing Windows AD integration

Date: 2022-02-14 01:47:50


1. In the article "CentOS 4.4 mail server setup notes: implementing the mail gateway function" we already implemented the mail gateway. But for users of an Exchange mail system on a Microsoft AD platform, when an external user sends mail to the gateway, the gateway cannot find the user's authentication information and simply rejects the message, so the gateway needs to be integrated with the users held in AD.

2. I did not manage to query the AD user information on the MS platform over LDAP, so I will not cover that here. My approach: use Winbind to first join the Linux host to the Windows domain. Winbind is a Samba component; it talks to the Windows domain through the Samba interface and provides a PAM interface so that other applications can call Winbind. We then set up the Linux server's NSS configuration so that the system resolves user information through the Winbind program. Overall, the authentication flow is: postfix and dovecot hand the account to saslauthd, saslauthd hands it to PAM, and PAM contacts AD through winbind.

3. Concrete implementation:

a. Test environment:
Mail gateway name:
Mail gateway IP address: 10.6.6.222
Mail server name: mailserver
Domain name: triumph
Domain IP address: 10.0.0.11
Full FQDN:

b. Install the Samba components; on CentOS, winbind is contained in the samba-common package.
[root@mailgate etc]# yum install -y samba-common samba

Setting up Install Process
Setting up repositories
dag 100% |=========================| 1.1 kB 00:00
update 100% |=========================| 951 B 00:00
base 100% |=========================| 1.1 kB 00:00
addons 100% |=========================| 951 B 00:00
extras 100% |=========================| 1.1 kB 00:00
Reading repository metadata in from local files
--> Running transaction check
Dependencies Resolved
=============================================================================
Package Arch Version Repository Size
=============================================================================
Installing:
samba i386 3.0.10-1.4E.12.2 update 13 M
samba-common i386 3.0.10-1.4E.12.2 update 5.0 M
Transaction Summary
=============================================================================
Install 2 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
Total download size: 18 M
Downloading Packages:
(1/2): samba-common-3.0.1 100% |=========================| 5.0 MB 02:43
(2/2): samba-3.0.10-1.4E. 100% |=========================| 13 MB 07:38
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: samba-common ######################### [1/2]
Installing: samba ######################### [2/2]
Installed: samba.i386 0:3.0.10-1.4E.12.2 samba-common.i386 0:3.0.10-1.4E.12.2
Complete!
[root@mailgate etc]#

c. Install the krb5-server package:
[root@mailgate etc]# yum install -y krb5-server

Setting up Install Process
Setting up repositories
Reading repository metadata in from local files
Parsing package install arguments
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for krb5-server to pack into transaction set.
krb5-server-1.3.4-49.i386 100% |=========================| 36 kB 00:02
---> Package krb5-server.i386 0:1.3.4-49 set to be updated
--> Running transaction check
--> Processing Dependency: krb5-libs = 1.3.4-49 for package: krb5-server
--> Restarting Dependency Resolution with new changes.
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for krb5-libs to pack into transaction set.
krb5-libs-1.3.4-49.i386.r 100% |=========================| 31 kB 00:01
---> Package krb5-libs.i386 0:1.3.4-49 set to be updated
--> Running transaction check
--> Processing Dependency: krb5-libs = 1.3.4-33 for package: krb5-devel
--> Processing Dependency: krb5-libs = 1.3.4-33 for package: krb5-workstation
--> Restarting Dependency Resolution with new changes.
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for krb5-devel to pack into transaction set.
krb5-devel-1.3.4-49.i386. 100% |=========================| 38 kB 00:01
---> Package krb5-devel.i386 0:1.3.4-49 set to be updated
---> Downloading header for krb5-workstation to pack into transaction set.
krb5-workstation-1.3.4-49 100% |=========================| 39 kB 00:01
---> Package krb5-workstation.i386 0:1.3.4-49 set to be updated
--> Running transaction check
Dependencies Resolved
=============================================================================
Package Arch Version Repository Size
=============================================================================
Installing:
krb5-server i386 1.3.4-49 update 774 k
Updating for dependencies:
krb5-devel i386 1.3.4-49 update 822 k
krb5-libs i386 1.3.4-49 update 482 k
krb5-workstation i386 1.3.4-49 update 815 k
Transaction Summary
=============================================================================
Install 1 Package(s)
Update 3 Package(s)
Remove 0 Package(s)
Total download size: 2.8 M
Downloading Packages:
(1/4): krb5-devel-1.3.4-4 100% |=========================| 822 kB 00:36
(2/4): krb5-libs-1.3.4-49 100% |=========================| 482 kB 00:24
(3/4): krb5-workstation-1 100% |=========================| 815 kB 00:31
(4/4): krb5-server-1.3.4- 100% |=========================| 774 kB 00:34
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Updating : krb5-libs ######################### [1/7]
Updating : krb5-devel ######################### [2/7]
Updating : krb5-workstation ######################### [3/7]
Installing: krb5-server ######################### [4/7]
Cleanup : krb5-devel ######################### [5/7]
Cleanup : krb5-libs ######################### [6/7]
Cleanup : krb5-workstation ######################### [7/7]
Installed: krb5-server.i386 0:1.3.4-49
Dependency Updated: krb5-devel.i386 0:1.3.4-49 krb5-libs.i386 0:1.3.4-49 krb5-workstation.i386 0:1.3.4-49
Complete!
[root@mailgate etc]#

d. Start the related services and set them to start automatically:
[root@mailgate ~]# service smb start
Starting SMB services: [ OK ]
Starting NMB services: [ OK ]
[root@mailgate ~]# service winbind start
Starting Winbind services: [ OK ]
[root@mailgate ~]# chkconfig winbind on

e. Edit smb.conf
[root@mailgate etc]# vi /etc/samba/smb.conf
Change workgroup = MYGROUP to: workgroup = TRIUMPH
Add: realm = TRIUMPH
Change security = user to: security = ads
Change ; password server = <NT-Server-Name> to: password server = mailserver.triumph (note: the domain controller's IP address can be used instead)
Change ; encrypt passwords = yes to: encrypt passwords = yes
Find the following location and edit it as shown:
#============================ Share Definitions ==============================
password server = 10.0.0.11
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /sbin/nologin
winbind use default domain = yes
realm = TRIUMPH
And add at the end:
#add
template homedir = /home/%D/%U

f. Edit krb5.conf
[root@mailgate etc]# vi /etc/krb5.conf
Change the following:
[libdefaults]
default_realm =
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
= {
kdc = :88
admin_server = :749
default_domain =
}
[domain_realm]
. =
=
to:
[libdefaults]
default_realm = TRIUMPH
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
TRIUMPH = {
kdc = 10.0.0.11:88
admin_server = 10.0.0.11:749
default_domain = triumph
}
[domain_realm]
. =
=

g. Edit kdc.conf
[root@mailgate etc]# vi /var/kerberos/krb5kdc/kdc.conf
Change:
[realms]
= {
master_key_type = des-cbc-crc
supported_enctypes = arcfour-hmac:normal arcfour-hmac:norealm arcfour-hmac:onlyrealm des3-hmac-sha1:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
}
to:
[realms]
TRIUMPH = {
master_key_type = des-cbc-crc
supported_enctypes = arcfour-hmac:normal arcfour-hmac:norealm arcfour-hmac:onlyrealm des3-hmac-sha1:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
}

h. Restart the related services:
[root@mailgate ~]# service smb restart
Shutting down SMB services: [ OK ]
Shutting down NMB services: [ OK ]
Starting SMB services: [ OK ]
Starting NMB services: [ OK ]
[root@mailgate ~]# service winbind restart
Shutting down Winbind services: [ OK ]
Starting Winbind services: [ OK ]
[root@mailgate ~]#

i. Checks before joining the domain:
[root@mailgate ~]# more /etc/sysconfig/clock
Check the time zone; if it is wrong, fix it as follows:
[root@mailgate ~]# vi /etc/sysconfig/clock
ZONE="Asia/Chongqing"
UTC=true
ARC=false
[root@mailgate ~]# ln -sf /usr/share/zoneinfo/Asia/Chongqing /etc/localtime
[root@mailgate ~]# date
Check the clock: it must be within 5 minutes of AD. If the difference is too large, fix it as follows:
[root@mailgate ~]# date 10122120.54
Wed Oct 23 21:20:54 CST
[root@mailgate ~]# hwclock --systohc
Test before joining; remember that the realm name must be in upper case. If entering the account gives no error, you can go ahead with the join:
[root@mailgate ~]# kinit leeki.yan@TRIUMPH
Password for leeki.yan@TRIUMPH:
[root@mailgate ~]#

j. Join the domain:
[root@mailgate ~]# authconfig
Follow the screens step by step as shown in the figures.
(Figures 1 to 7: authconfig screens; the images are not included here)
j. Once the domain is joined, a message like the following is shown:
Joined 'MAIL' to realm 'TRIUMPH'
setsebool: SELinux is disabled.
Shutting down Winbind services: [ OK ]
Starting Winbind services: [ OK ]
[root@mailgate ~]#
[root@mailgate ~]# wbinfo -g   # list the groups in the domain
[root@mailgate ~]# wbinfo -u   # list the users in the domain
[root@mailgate ~]# id spam
uid=16777343(spam) gid=16777216(Domain Users) groups=16777216(Domain Users)
The information for the domain user account spam can now be looked up!

k. For the AD integration part, creating each account's home directory by hand is tedious; it can be done with the method below. With this in place, even if the EXCHANGE mail server breaks some day, we can still send and receive mail entirely through this mail gateway! Haha!

[root@mailgate ~]# vi trinet.awk
#!/bin/awk -f
BEGIN {
    FS = ":"              # getent passwd fields are colon-separated
    uidmin = 16777216     # the winbind idmap uid range configured in smb.conf
    uidmax = 33554431
}
{
    # $3 = uid, $4 = gid, $6 = home directory; only handle accounts in the idmap range
    if ($3 >= uidmin && $3 <= uidmax) {
        print "\nmake directory " $6 "\nchown " $3 "." $4 " " $6
        system("mkdir -p " $6 " ; chown " $3 "." $4 " " $6)
    }
}
[root@mailgate ~]# getent passwd | awk -f trinet.awk
[root@mailgate ~]# getent passwd
[root@mailgate ~]# cd /home
[root@mailgate ~]# mkdir TRIUMPH
[root@mailgate ~]# chown -R postfix TRIUMPH
[root@mailgate ~]# chmod 777 TRIUMPH

4. Next we configure POSTFIX to send and receive mail; for user authentication, it should query the AD information through WINBIND.
a. [root@mailgate ~]# vi /etc/pam.d/smtp
Add:
auth sufficient pam_winbind.so

account sufficient pam_winbind.so
password sufficient pam_winbind.so use_authtok
b. [root@mailgate ~]# vi /etc/pam.d/dovecot
Add:
auth sufficient pam_winbind.so
account sufficient pam_winbind.so
password sufficient pam_winbind.so use_authtok
c. [root@mailgate ~]# vi /etc/pam.d/login
Add:
auth sufficient pam_winbind.so
account sufficient pam_winbind.so
password sufficient pam_winbind.so use_authtok
d. [root@mailgate ~]# ln -s /usr/lib/sasl2/smtpd.conf /usr/local/lib/smtpd.conf
[root@mailgate ~]# vi /usr/local/lib/smtpd.conf, with the following content:
#pwcheck_method: auxprop
pwcheck_method: saslauthd
log_level:2
mech_list:PLAIN LOGIN
e. [root@mailgate ~]# vi /etc/init.d/saslauthd
Change MECH=shadow to: MECH=pam
Then restart the service:
[root@mailgate lib]# service saslauthd restart
Stopping saslauthd: [ OK ]
Starting saslauthd: [ OK ]
[root@mailgate lib]#

5. If sending from an external network is rejected with "Relay access denied", check the following:
a. that the /etc/sysconfig/saslauthd file has MECH=pam;
b. whether the smb service is running;
c. whether authentication is enabled in /etc/postfix/main.cf:
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain (note: this was originally $myhostname; try changing it to $domain)

6. Supplement: testing mail monitoring with MailScanner on the mail gateway:
a. [root@mailgate ~]# vi /etc/MailScanner/MailScanner.conf
Find: Archive Mail =
Change to: Archive Mail = %rules-dir%/archive.rules
b. [root@mailgate ~]# cd /etc/MailScanner/rules/
[root@mailgate rules]# ls   # check whether archive.rules exists; if not, create it by hand
bounce.rules EXAMPLES max.message.size.rules README spam.whitelist.rules
[root@mailgate rules]# vi archive.rules
Add the following (meaning: mail from leeki.yan@ gets a copy forwarded to spam@):
From: leeki.yan@ yes forward spam@
Then restart:
[root@mailgate rules]# service MailScanner restaert

Usage: service MailScanner {start|stop|status|restart|reload|startin|startout|stopms}
[root@mailgate rules]# service MailScanner restart
Shutting down MailScanner daemons:
MailScanner: [ OK ]
incoming postfix: [ OK ]
outgoing postfix: [ OK ]
Waiting for MailScanner to die gracefully ... dead.
Starting MailScanner daemons:
incoming postfix: [ OK ]
outgoing postfix: [ OK ]
MailScanner: [ OK ]

[root@mailgate rules]#
After sending a message to leeki.yan@, the maillog looks as follows (the lines shown in red in the original are the ones that show the copy was sent successfully):
Nov 1 20:14:44 mailgate postfix/smtpd[26774]: connect from unknown[10.4.4.222]
Nov 1 20:14:44 mailgate postfix/smtpd[26774]: D01AEC882E1: client=unknown[10.4.4.222], sasl_method=LOGIN,sasl_username=leeki.yan@
Nov 1 20:14:44 mailgate postfix/cleanup[26777]: D01AEC882E1: hold: header Received: from triumphweihu (unknown [10.4.4.222]) by (Postfix) with ESMTP id D01AEC882E1 for <leeki.yan@>; Thu, 1 Nov 20:14:44 +0800 (CST) from unknown[10.4.4.222]; from=<leeki.yan@> to=<leeki.yan@> proto=ESMTP helo=<triumphweihu>
Nov 1 20:14:44 mailgate postfix/cleanup[26777]: D01AEC882E1: message-id=<002201c81c80$b96932d0$de04040a@triumphweihu>
Nov 1 20:14:44 mailgate postfix/smtpd[26774]: disconnect from unknown[10.4.4.222]
Nov 1 20:14:45 mailgate MailScanner[26771]: New Batch: Scanning 1 messages, 2386 bytes
Nov 1 20:14:45 mailgate MailScanner[26771]: Virus and Content Scanning: Starting
Nov 1 20:14:47 mailgate MailScanner[26771]: Requeue: D01AEC882E1.EFDC3 to 9FCDAC88479
Nov 1 20:14:47 mailgate postfix/qmgr[26750]: 9FCDAC88479: from=<leeki.yan@>, size=2547, nrcpt=2 (queue active)
Nov 1 20:14:47 mailgate MailScanner[26771]: Uninfected: Delivered 1 messages
Nov 1 20:14:47 mailgate postfix/smtp[26785]: 9FCDAC88479: to=<leeki.yan@>, relay=10.0.0.11[10.0.0.11], delay=3, status=sent (250 2.6.0 <002201c81c80$b96932d0$de04040a@triumphweihu> Queued mail for delivery)
Nov 1 20:14:47 mailgate postfix/smtp[26785]: 9FCDAC88479: to=<spam@>, relay=10.0.0.11[10.0.0.11], delay=3, status=sent (250 2.6.0 <002201c81c80$b96932d0$de04040a@triumphweihu> Queued mail for delivery)
Nov 1 20:14:47 mailgate postfix/qmgr[26750]: 9FCDAC88479: removed
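As an added example (not part of the original post), here is a small Python checker for the kind of maillog trace shown above: it follows MailScanner's Requeue line from the queue id that carries sasl_username to the post-scan queue id that does the delivery, then confirms that the archive copy was handed to the relay and that the number of status=sent deliveries equals nrcpt. The log excerpt is constructed from the post's lines with placeholder domains, since the original domains were stripped.

```python
import re
from collections import defaultdict

# Constructed log excerpt modelled on the post's maillog; domains are placeholders
# because the original post's domains were stripped.
SAMPLE_LOG = """\
Nov  1 20:14:44 mailgate postfix/smtpd[26774]: D01AEC882E1: client=unknown[10.4.4.222], sasl_method=LOGIN, sasl_username=leeki.yan@example.test
Nov  1 20:14:47 mailgate MailScanner[26771]: Requeue: D01AEC882E1.EFDC3 to 9FCDAC88479
Nov  1 20:14:47 mailgate postfix/qmgr[26750]: 9FCDAC88479: from=<leeki.yan@example.test>, size=2547, nrcpt=2 (queue active)
Nov  1 20:14:47 mailgate postfix/smtp[26785]: 9FCDAC88479: to=<leeki.yan@example.test>, relay=10.0.0.11[10.0.0.11], delay=3, status=sent (250 2.6.0 Queued mail for delivery)
Nov  1 20:14:47 mailgate postfix/smtp[26785]: 9FCDAC88479: to=<spam@example.test>, relay=10.0.0.11[10.0.0.11], delay=3, status=sent (250 2.6.0 Queued mail for delivery)
Nov  1 20:14:47 mailgate postfix/qmgr[26750]: 9FCDAC88479: removed
"""

SASL_RE = re.compile(r" (\w+): client=.*sasl_username=(\S+)")
REQUEUE_RE = re.compile(r"Requeue: (\w+)\.\w+ to (\w+)")
FROM_RE = re.compile(r" (\w+): from=<([^>]*)>, size=\d+, nrcpt=(\d+)")
TO_RE = re.compile(r" (\w+): to=<([^>]*)>, .*status=(\w+)")

def trace_deliveries(log_text):
    """Group lines by queue id; MailScanner's Requeue line links the pre-scan id
    (which carries sasl_username) to the post-scan id that does the delivery."""
    alias = {}                        # pre-scan queue id -> post-scan queue id
    msgs = defaultdict(lambda: {"sasl_user": None, "from": None, "nrcpt": None, "sent": [], "failed": []})
    for line in log_text.splitlines():
        if m := REQUEUE_RE.search(line):
            alias[m.group(1)] = m.group(2)
        elif m := SASL_RE.search(line):
            msgs[m.group(1)]["sasl_user"] = m.group(2)
        elif m := FROM_RE.search(line):
            msgs[m.group(1)]["from"] = m.group(2)
            msgs[m.group(1)]["nrcpt"] = int(m.group(3))
        elif m := TO_RE.search(line):
            bucket = "sent" if m.group(3) == "sent" else "failed"
            msgs[m.group(1)][bucket].append(m.group(2))
    for old, new in alias.items():    # fold the pre-scan record into the post-scan one
        if old in msgs:
            old_rec = msgs.pop(old)
            msgs[new]["sasl_user"] = msgs[new]["sasl_user"] or old_rec["sasl_user"]
    return dict(msgs)

def archive_copy_delivered(log_text, qid, copy_to):
    """True when the archive copy reached copy_to and every recipient postfix
    counted in nrcpt was handed to the relay (status=sent)."""
    rec = trace_deliveries(log_text).get(qid)
    return bool(rec) and copy_to in rec["sent"] and len(rec["sent"]) == rec["nrcpt"]
```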

c. Other ways to write archive.rules, and points to note:
To: spam@ yes forward leeki.yan@   means every message sent to spam@ gets a copy forwarded to leeki.yan@
FromOrTo: spam@ yes forward leeki.yan@   means every message from or to spam@ gets a copy forwarded to leeki.yan@
To: *@ yes forward leeki.yan@   means every incoming message gets a copy forwarded to leeki.yan@
For example, when testing by sending from leeki.yan@ to leeki.yan@, leeki.yan@ should in theory receive two messages. In the maillog below (the lines shown in red in the original), leeki.yan has indeed received two copies!!
Nov 1 20:25:44 mailgate postfix/qmgr[27280]: A8EABC88479: from=<leeki.yan@>, size=2547, nrcpt=2 (queue active)
Nov 1 20:25:44 mailgate MailScanner[27294]: Uninfected: Delivered 1 messages
Nov 1 20:25:44 mailgate postfix/smtp[27314]: A8EABC88479: to=<leeki.yan@>, relay=10.0.0.11[10.0.0.11], delay=3, status=sent (250 2.6.0 <004a01c81c82$40ab1820$de04040a@triumphweihu> Queued mail for delivery)
Nov 1 20:25:44 mailgate postfix/smtp[27314]: A8EABC88479: to=<leeki.yan@>, relay=10.0.0.11[10.0.0.11], delay=3, status=sent (250 2.6.0 <004a01c81c82$40ab1820$de04040a@triumphweihu> Queued mail for delivery)
Nov 1 20:25:44 mailgate postfix/qmgr[27280]: A8EABC88479: removed

c. Other variants:
FromOrTo: a@ yes forward b@ c@ d@
Method two: archive to one or more files and one or more mailboxes at the same time:
FromOrTo: a@ yes forward /var/spool/MailScanner/archive/a_user_backup.mbx /var/spool/MailScanner/archive/a_user_backup.mbx b@ scyz2@
Note: the above is a single line; the file must be created beforehand, and its owner must be the same as the Run As User = XXXXXXX setting in MailScanner.conf.
Method three: archive to a folder plus several mailboxes or files:
FromOrTo: a@ yes forward /var/spool/MailScanner/archive/ b@ dreamflying@ /var/spool/MailScanner/archive/a_user_backup.mbx
d. Note: in archive.rules, mind the case of the keywords, and there must be a space after the colon; also, don't forget to restart the MailScanner service after making changes!!!
e. Mail monitoring can also be implemented through main.cf parameters; I will add that later when I have time!!!! The relevant main.cf parameters are:
sender_bcc_maps (copy of sent mail)
recipient_bcc_maps (copy of received mail)
always_bcc (copy of both sent and received mail)
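As an added example (not from the post and not MailScanner's own code), the following Python reads an archive.rules file in the syntax used in section 6 above, enforcing the two pitfalls noted in d. (case-sensitive direction keywords and whitespace after the colon), and works out which extra copies a given message would get. It is a simplified reading of the syntax shown on this page rather than MailScanner's real ruleset parser; the sample ruleset and its domains are constructed.

```python
import fnmatch
import re
from collections import namedtuple

# Constructed ruleset in the syntax the post uses; the domains are placeholders
# because the original post's domains were stripped.
SAMPLE_RULES = """\
# comment lines and blank lines are ignored
From: leeki.yan@example.test yes forward spam@example.test
To: spam@example.test yes forward leeki.yan@example.test
FromOrTo: a@example.test yes forward b@example.test /var/spool/MailScanner/archive/a_user_backup.mbx
To: *@example.test yes forward audit@example.test
"""

# The direction keyword is case-sensitive and the colon must be followed by
# whitespace: the two pitfalls the post warns about.
RULE_RE = re.compile(r"^(From|To|FromOrTo):\s+(\S+)\s+(yes|no)(?:\s+forward)?(.*)$")

# direction: "from"/"to"/"fromorto"; pattern: glob on an address; targets: addresses, .mbx files or directories
Rule = namedtuple("Rule", "direction pattern enabled targets")

def is_valid_rule_line(line):
    return RULE_RE.match(line.strip()) is not None

def parse_rules(text):
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"archive.rules line {lineno}: cannot parse {line!r}")
        direction, pattern, flag, rest = m.groups()
        rules.append(Rule(direction.lower(), pattern.lower(), flag == "yes", rest.split()))
    return rules

def archive_targets(rules, sender, recipients):
    """Return the extra copies a message gets, in rule order, without duplicates."""
    out = []
    for r in rules:
        addrs = [sender] if r.direction in ("from", "fromorto") else []
        if r.direction in ("to", "fromorto"):
            addrs.extend(recipients)
        if r.enabled and any(fnmatch.fnmatchcase(a.lower(), r.pattern) for a in addrs):
            for t in r.targets:
                if t not in out:
                    out.append(t)
    return out
```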

This article is reposted from godoha's 51CTO blog; original link: /godoha/47549. Please contact the original author for permission to reprint.
