1.9. Installing Sendmail from scratch

1.9.1. Downloading the packages
1.9.2. Installing SASL to support SMTP authentication [2]
1.9.3. Supporting SMTP over SSL
1.9.4. Installing sendmail
1.9.5. Configuring sendmail — SMTP authentication support [2]
1.9.6. Configuring sendmail — SMTP over SSL support [4]
1.9.7. Configuring sendmail — certificate management
1.9.8. Configuring pop3
1.9.9. About permissions
1.9.10. Starting sendmail

If sendmail is not installed on the system, or the installed version lacks the required features and needs to be upgraded, it has to be built and installed from source.

1.9.1. Downloading the packages

1.9.2. Installing SASL to support SMTP authentication [2]

First download the SASL library, which provides the functions needed for secure authentication; the current version is 1.5.28. Note that the 2.X versions cannot be combined with sendmail, because the API has not been adapted yet. The installation goes as follows:

$ gzip -d cyrus-sasl-1.5.27.tar.gz
$ tar -xvf cyrus-sasl-1.5.27.tar
$ cd cyrus-sasl-1.5.27
$ ./configure --prefix=/usr --disable-krb4 --disable-gssapi --enable-login
$ make
$ make install

Next, before compiling sendmail, edit (or create) the configuration file <sendmail source tree>/devtools/Site/site.config.m4 as follows:

dnl APPENDDEF(`confLIBDIRS',`-L/usr/local/lib')
dnl APPENDDEF(`confINCDIRS',`-I/usr/local/include')
APPENDDEF(`confENVDEF',`-DSASL')
APPENDDEF(`conf_sendmail_LIBS',`-lsasl')

1.9.3. Supporting SMTP over SSL [4]

Edit the configuration file <sendmail source tree>/devtools/Site/site.config.m4 as follows:

dnl Stuff for TLS
APPENDDEF(`confINCDIRS', `-I/usr/local/include')
APPENDDEF(`confLIBDIRS', `-L/usr/local/lib')
APPENDDEF(`conf_sendmail_ENVDEF', `-DSTARTTLS')
dnl replaces the APPENDDEF(`conf_sendmail_LIBS', `-lsasl') line from the previous section
APPENDDEF(`conf_sendmail_LIBS', `-lsasl -lssl -lcrypto')

1.9.4. Installing sendmail

$ sh Build
$ sh Build install

1.9.5. Configuring sendmail — SMTP authentication support [2]

Edit sendmail.mc as follows (note that LOGIN and PLAIN transmit the password in the clear, so they should only be offered together with the STARTTLS support from the next section):

TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN DIGEST-MD5')dnl
dnl define(`confDEF_AUTH_INFO', `/etc/mail/auth/auth-info')
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Port=25, Name=MSA, M=Ea')dnl

1.9.6. Configuring sendmail — SMTP over SSL support [4]

Edit sendmail.mc as follows:

dnl define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
define(`CERT_DIR', `/etc/mail/certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/key.pem')dnl

The three files referenced above are:

cacert.pem : Certificate Authority (CA) certificate
cert.pem   : X.509 certificate, signed by the CA
key.pem    : X.509 private key

1.9.7. Configuring sendmail — certificate management [5]

  1. To make a certificate authority:

    $ mkdir CA
    $ cd CA
    $ mkdir certs crl newcerts private
    $ echo "01" > serial
    $ cp /dev/null index.txt
    $ cp /usr/local/openssl/openssl.cnf.sample openssl.cnf
    $ vi openssl.cnf   # (set values)
    $ openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 365 -config openssl.cnf
    
  2. To make a new certificate:

    $ cd CA        # (same directory created above)
    $ openssl req -nodes -new -x509 -keyout newreq.pem -out newreq.pem -days 365 -config openssl.cnf

    (certificate and private key are now both in file newreq.pem)

    To sign the new certificate with the certificate authority:

    $ # (still in the CA directory created above)
    $ openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
    $ openssl ca -config openssl.cnf -policy policy_anything -out newcert.pem -infiles tmp.pem
    $ rm -f tmp.pem

    (newcert.pem now contains the signed certificate; newreq.pem still contains the unsigned certificate and the private key)

  3. Edit newreq.pem

    Remove the unsigned certificate block (from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----), leaving only the private key

  4. Copy files

    $ cp cacert.pem   /etc/mail/certs/cacert.pem
    $ cp newreq.pem   /etc/mail/certs/key.pem
    $ cp newcert.pem  /etc/mail/certs/cert.pem
    
  5. Set permissions

    $ chmod 400 /etc/mail/certs/key.pem
    
  6. Check key properties

    $ openssl x509 -noout -in cacert.pem -text

    Make sure that the CN of the CA certificate and the CN of the server certificate are different, because newer versions of Mozilla and Netscape won't accept the server certificate if it is self-signed.
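The following script is an added example (not part of the original text or of sendmail) that checks the result of steps 3 to 6 on a deployed /etc/mail/certs directory: that key.pem holds only the private key, that it is not group/other readable, that cert.pem is signed by cacert.pem and matches key.pem, and that the CA and server CNs differ. It assumes the file names from sendmail.mc and RSA keys, which is what the openssl req commands above generate by default.

```shell
#!/bin/sh
# Added example (not from the original text or sendmail itself): sanity-checks the
# certificate set that steps 3 to 6 above leave in /etc/mail/certs. Assumes the file
# names from sendmail.mc (cacert.pem, cert.pem, key.pem) and RSA keys (openssl req default).

# Number of PEM blocks of a given type ("CERTIFICATE", "PRIVATE KEY") in a file.
pem_block_count() {
    grep -c "^-----BEGIN .*$2-----" "$1" 2>/dev/null || true
}

# Step 3: key.pem must hold exactly one private key and no leftover copy of the
# unsigned certificate from newreq.pem.
key_file_clean() {
    [ "$(pem_block_count "$1" 'PRIVATE KEY')" = 1 ] &&
    [ "$(pem_block_count "$1" 'CERTIFICATE')" = 0 ]
}

# Step 5: no group/other permission bits on the key (chmod 400 or 600 both pass).
key_mode_ok() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        -r??------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Common Name from a certificate's subject.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Check a whole certificate directory; prints one line per finding, returns 1 on any failure.
check_certs() {
    d=$1; rc=0
    key_file_clean "$d/key.pem" || { echo "key.pem: must contain only the private key (step 3)"; rc=1; }
    key_mode_ok "$d/key.pem" || { echo "key.pem: remove group/other access, e.g. chmod 400 (step 5)"; rc=1; }
    openssl verify -CAfile "$d/cacert.pem" "$d/cert.pem" 2>&1 | grep -q ': OK$' ||
        { echo "cert.pem: not signed by cacert.pem"; rc=1; }
    [ "$(openssl x509 -noout -modulus -in "$d/cert.pem")" = \
      "$(openssl rsa -noout -modulus -in "$d/key.pem")" ] ||
        { echo "cert.pem/key.pem: certificate and private key do not match"; rc=1; }
    [ "$(cert_cn "$d/cacert.pem")" != "$(cert_cn "$d/cert.pem")" ] ||
        { echo "cacert.pem/cert.pem: CA and server CN are identical (step 6)"; rc=1; }
    return $rc
}

# Usage: sh check_sendmail_certs.sh /etc/mail/certs
if [ $# -eq 1 ]; then
    check_certs "$1" && echo "$1: certificate set looks consistent"
fi
```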

1.9.8. Configuring pop3

See the description in the earlier sections.

1.9.9. About permissions

The installed files should have the following owners and modes (sendmail is set-group-id smmsp, the client queue is writable only by that group, and the main queue only by root):

    -r-xr-sr-x  root   smmsp    ... /PATH/TO/sendmail
    drwxrwx---  smmsp  smmsp    ... /var/spool/clientmqueue
    drwx------  root   wheel    ... /var/spool/mqueue
    -r--r--r--  root   wheel    ... /etc/mail/sendmail.cf
    -r--r--r--  root   wheel    ... /etc/mail/submit.cf

1.9.10. Starting sendmail

$ sendmail -bd -q1h

-bd runs sendmail as a daemon;

-q1h makes it process the mail queue once every hour; similarly, -q15m means every 15 minutes, and so on.