The server is located overseas and the GFW is a nuisance, so I added an SSL connection mode to the qmail mail server. There is very little Chinese material on this, especially on doing it with stunnel, so after finishing the upgrade I wrote up these notes.
First install qmail and vpopmail the usual way. My server already had qmail installed and everything worked; the only change was the SMTP AUTH patch.
If that is your situation too, you can upgrade directly.
The following two packages need to be installed:
1. openssl (http://www.openssl.org)
# cd openssl-0.9.8e
# ./config
# make
# make test
# make install
# openssl version
OpenSSL 0.9.8e 23 Feb 2007
2. stunnel (http://www.stunnel.org)
# ./configure --sysconfdir=/etc --localstatedir=/var --sharedstatedir=/var --sbindir=/sbin
# make
# make install
# stunnel -version
stunnel 4.20 on i686-pc-linux-gnu with OpenSSL 0.9.8e 23 Feb 2007
Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv4
Global options
debug = 5
pid = /usr/local/var/run/stunnel/stunnel.pid
RNDbytes = 64
RNDfile = /dev/urandom
RNDoverwrite = yes
Service-level options
cert = /etc/stunnel/stunnel.pem
ciphers = ALL:!ADH:+RC4:@STRENGTH
key = /etc/stunnel/stunnel.pem
session = 300 seconds
sslVersion = SSLv3 for client, all for server
TIMEOUTbusy = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect = 10 seconds
TIMEOUTidle = 43200 seconds
verify = none
When configuring stunnel, pay attention to the install paths; /sbin/stunnel and /etc/stunnel are the two that matter.
After installation, create these two files:
/etc/stunnel/pop3.conf
# /etc/stunnel/pop3.conf
cert = /var/qmail/control/servercert.pem
exec = /var/qmail/bin/qmail-popup
execargs = qmail-popup your.domain.com /home/vpopmail/bin/vchkpw /var/qmail/bin/qmail-pop3d Maildir
/etc/stunnel/smtp.conf
# /etc/stunnel/smtp.conf
cert = /var/qmail/control/servercert.pem
exec = /var/qmail/bin/qmail-smtpd
execargs = qmail-smtpd /home/vpopmail/bin/vchkpw /bin/true
Create the qmail server certificate (it is self-signed anyway, so the validity can be as long as you like; here it is set to 10 years):
# cd /var/qmail/control
# openssl req -new -x509 -nodes -out servercert.pem -days 3650 -keyout servercert.pem
Change the ownership and permissions of the server certificate file servercert.pem:
# ln -s /var/qmail/control/servercert.pem clientcert.pem
# chown -R vpopmail:qmail /var/qmail/control/clientcert.pem /var/qmail/control/servercert.pem
# chmod 600 servercert.pem # this one is important
Create the run files for the pop3 and smtp SSL services
# mkdir -p /var/qmail/supervise/qmail-pop3ds/log /var/qmail/supervise/qmail-smtpds/log /var/log/qmail/pop3ds /var/log/qmail/smtpds
/var/qmail/supervise/qmail-pop3ds/run
#!/bin/sh
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
LOCAL=`head -1 /var/qmail/control/me`
exec /usr/local/bin/softlimit -m 20000000 \
/usr/local/bin/tcpserver -H -R -v -l "$LOCAL" -c "$MAXSMTPD" 0 995 \
/sbin/stunnel /etc/stunnel/pop3.conf 2>&1
/var/qmail/supervise/qmail-pop3ds/log/run
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t \
/var/log/qmail/pop3ds
/var/qmail/supervise/qmail-smtpds/run
#!/bin/sh
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
LOCAL=`head -1 /var/qmail/control/me`
if [ -z "$QMAILDUID" -o -z "$NOFILESGID" -o -z "$MAXSMTPD" -o -z "$LOCAL" ]; then
echo QMAILDUID, NOFILESGID, MAXSMTPD, or LOCAL is unset in
echo /var/qmail/supervise/qmail-smtpds/run
exit 1
fi
if [ ! -f /var/qmail/control/rcpthosts ]; then
echo "No /var/qmail/control/rcpthosts!"
echo "Refusing to start SMTP listener because it'll create an open relay"
exit 1
fi
exec /usr/local/bin/softlimit -m 20000000 \
/usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
-u 89 -g 89 0 465 \
/sbin/stunnel /etc/stunnel/smtp.conf 2>&1
/var/qmail/supervise/qmail-smtpds/log/run
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t /var/log/qmail/smtpds
Link the service directories into /service:
# chmod 755 /var/qmail/supervise/qmail-pop3ds/run /var/qmail/supervise/qmail-pop3ds/log/run /var/qmail/supervise/qmail-smtpds/run /var/qmail/supervise/qmail-smtpds/log/run
# chown -R qmaill /var/log/qmail/pop3ds/ /var/log/qmail/smtpds/
# cd /service
# ln -s /var/qmail/supervise/qmail-pop3ds/ qmail-pop3ds
# ln -s /var/qmail/supervise/qmail-smtpds/ qmail-smtpds
Modify the qmailctl file:
/var/qmail/bin/qmailctl # this file is written in a somewhat complicated way; I have a simpler one which I will post below.
#!/bin/sh
# Description: the qmail MTA
PATH=/var/qmail/bin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin
export PATH
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
case "$1" in
start)
echo "Starting qmail..."
echo " qmail-send"
if svok /service/qmail-send ; then
svc -u /service/qmail-send /service/qmail-send/log
else
echo " qmail-send supervise not running"
fi
echo " qmail-smtp"
if svok /service/qmail-smtpd ; then
svc -u /service/qmail-smtpd /service/qmail-smtpd/log
else
echo " qmail-smtpd supervise not running"
fi
echo " qmail-smtp ssl"
if svok /service/qmail-smtpds ; then
svc -u /service/qmail-smtpds /service/qmail-smtpds/log
else
echo " qmail-smtpd ssl supervise not running"
fi
echo " qmail-pop3d"
if svok /service/qmail-pop3d ; then
svc -u /service/qmail-pop3d /service/qmail-pop3d/log
else
echo " qmail-pop3d supervise not running"
fi
echo " qmail-pop3d ssl"
if svok /service/qmail-pop3ds ; then
svc -u /service/qmail-pop3ds /service/qmail-pop3ds/log
else
echo " qmail-pop3d ssl service not running"
fi
if [ -d /var/lock/subsys ]; then
touch /var/lock/subsys/qmail
fi
;;
stop)
echo "Stopping qmail..."
echo " qmail-smtpd"
svc -d /service/qmail-smtpd /service/qmail-smtpd/log
echo " qmail-smtpd ssl"
svc -d /service/qmail-smtpds /service/qmail-smtpds/log
echo " qmail-send"
svc -d /service/qmail-send /service/qmail-send/log
echo " qmail-pop3d"
svc -d /service/qmail-pop3d /service/qmail-pop3d/log
echo " qmail-pop3d ssl"
svc -d /service/qmail-pop3ds /service/qmail-pop3ds/log
if [ -f /var/lock/subsys/qmail ]; then
rm /var/lock/subsys/qmail
fi
;;
stat)
svstat /service/qmail-send
svstat /service/qmail-send/log
svstat /service/qmail-smtpd
svstat /service/qmail-smtpd/log
svstat /service/qmail-smtpds
svstat /service/qmail-smtpds/log
svstat /service/qmail-pop3d
svstat /service/qmail-pop3d/log
svstat /service/qmail-pop3ds
svstat /service/qmail-pop3ds/log
qmail-qstat
;;
doqueue|alrm|flush)
echo "Flushing timeout table and sending ALRM signal to qmail-send."
/var/qmail/bin/qmail-tcpok
svc -a /service/qmail-send
;;
queue)
qmail-qstat
qmail-qread
;;
reload|hup)
echo "Sending HUP signal to qmail-send."
svc -h /service/qmail-send
;;
pause)
echo "Pausing"
echo " qmail-send"
svc -p /service/qmail-send
echo " qmail-smtpd"
svc -p /service/qmail-smtpd
echo " qmail-smtpd ssl"
svc -p /service/qmail-smtpds
echo " qmail-pop3d"
svc -p /service/qmail-pop3d
echo " qmail-pop3d ssl"
svc -p /service/qmail-pop3ds
;;
cont)
echo "Continuing"
echo " qmail-send"
svc -c /service/qmail-send
echo " qmail-smtpd"
svc -c /service/qmail-smtpd
echo " qmail-smtpd ssl"
svc -c /service/qmail-smtpds
echo " qmail-pop3d"
svc -c /service/qmail-pop3d
echo " qmail-pop3ds"
svc -c /service/qmail-pop3ds
;;
restart)
echo "Restarting qmail:"
echo "* Stopping qmail-smtpd."
svc -d /service/qmail-smtpd /service/qmail-smtpd/log
echo "* Stopping qmail-smtpd ssl."
svc -d /service/qmail-smtpds /service/qmail-smtpds/log
echo "* Sending qmail-send SIGTERM and restarting."
svc -t /service/qmail-send /service/qmail-send/log
echo "* Restarting qmail-smtpd."
svc -u /service/qmail-smtpd /service/qmail-smtpd/log
echo "* Restarting qmail-smtpd ssl."
svc -u /service/qmail-smtpds /service/qmail-smtpds/log
echo "* Restarting qmail-pop3d."
svc -t /service/qmail-pop3d /service/qmail-pop3d/log
echo "* Restarting qmail-pop3ds."
svc -t /service/qmail-pop3ds /service/qmail-pop3ds/log
;;
cdb)
tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp
chmod 644 /etc/tcp.smtp.cdb
echo "Reloaded /etc/tcp.smtp."
;;
help)
cat <<HELP
user albert
+OK
pass albert
+OK
list
+OK
1 2734
2 31807
3 34957
4 20644
5 27798
6 26584
.
quit
4. # openssl s_client -connect localhost:465
(After running this, a large amount of certificate-related information is printed; it is omitted here and only the last line is copied. From then on the test is the same as with telnet localhost 25.)
220 your.domain.com ESMTP
5. # openssl s_client -connect localhost:995
(After running this, a large amount of certificate-related information is printed; it is omitted here and only the last line is copied. From then on the test is the same as with telnet localhost 110.)
+OK <1872.1188791523434@your.domain.com>
6. Check the main log files, which include:
1. /var/log/qmail/current
2. /var/log/qmail/pop3d/current
3. /var/log/qmail/pop3ds/current
4. /var/log/qmail/smtpd/current
5. /var/log/qmail/smtpds/current
6. You can also add the following two settings to /etc/stunnel/smtp.conf and pop3.conf to produce a detailed debug log.
debug = 7
output = /var/log/qmail/stunnel.log
Problems you may run into:
1. If you copy and paste, be very careful: line endings can change when you paste into your telnet client, because the DOS and Unix formats differ. Pay particular attention to the line ending after the #!/bin/sh declaration on the first line of each run file.
2. tcpserver: fatal: no IP address for your.domain.com
This means the port is already in use by another process; either stop that process or use a different port.
3. Wrong permissions on /var/qmail/control/servercert.pem
Set the permissions of servercert.pem to 600.
4. Do not forget the trailing " /bin/true" in /etc/stunnel/smtp.conf, otherwise the client will report that authentication failed.
5. SSL certificate warnings: because we signed the certificate ourselves, the client will warn about it. Two ways around this: 1) buy a certificate from a recognized CA (very expensive; many domestic CAs offer cheap prices only for domestic use, and internationally valid ones are a different matter); 2) rename servercert.pem to a .crt or .cer file and import it in IE under Internet Options, choosing the automatic certificate store.
6. 454 oops, unable to write pipe and I can't auth (#4.3.0)
With older versions of the SMTP AUTH patch you need to add the hostname for authentication to work, i.e. right after qmail-smtpd in /etc/stunnel/smtp.conf, like this:
execargs = qmail-smtpd your.domain.com /home/vpopmail/bin/vchkpw /bin/true
See the explanation on this page: http://www.fehcom.de/qmail/smtpauth.html
If you have questions you can contact me. msn: amtding # msn 。com
Below is the simpler qmailctl file. (My leading indentation got lost here; add it back yourself. :( )
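A pre-flight check for three of the mistakes listed above (certificate mode, the trailing /bin/true in smtp.conf, and DOS line endings in the run files), as an added example that is not part of the original notes; the default paths are the ones used in these notes, and the sample tree it builds when run without arguments is constructed for demonstration.

```shell
#!/bin/sh
# Added pre-flight check for the qmail + stunnel setup in these notes (not part of
# the original write-up). It tests for three mistakes from the "problems" section:
#   1. servercert.pem not mode 600 ("Wrong permissions on ... servercert.pem")
#   2. execargs in smtp.conf missing the trailing /bin/true (client AUTH fails)
#   3. DOS line endings in a supervise run file (the "#!/bin/sh" line breaks)
# Usage: sh preflight.sh CERT SMTP_CONF RUNFILE...  (no args: check a constructed sample)
# cert_mode_ok FILE  -> 0 if FILE exists and its mode is exactly 600
cert_mode_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")   # GNU stat, then BSD stat
    [ "$mode" = "600" ]
}
# smtp_conf_ok FILE  -> 0 if the qmail-smtpd execargs line ends with /bin/true
smtp_conf_ok() {
    grep -q '^execargs[[:space:]]*=[[:space:]]*qmail-smtpd .*/bin/true[[:space:]]*$' "$1"
}
# unix_endings FILE  -> 0 if FILE contains no carriage-return characters
unix_endings() {
    ! grep -q "$(printf '\r')" "$1"
}
# preflight CERT CONF RUNFILE...  -> 0 only if every check passes; prints each failure
preflight() {
    cert=$1; conf=$2; shift 2; rc=0
    cert_mode_ok "$cert" || { echo "FAIL: $cert must be mode 600 (chmod 600 $cert)"; rc=1; }
    smtp_conf_ok "$conf" || { echo "FAIL: execargs in $conf must end with /bin/true"; rc=1; }
    for f in "$@"; do
        unix_endings "$f" || { echo "FAIL: $f has DOS line endings (strip the CRs)"; rc=1; }
    done
    return $rc
}
# make_sample DIR  -> constructed sample tree containing all three mistakes
make_sample() {
    mkdir -p "$1"
    printf 'cert = %s/servercert.pem\nexec = /var/qmail/bin/qmail-smtpd\n' "$1" > "$1/smtp.conf"
    printf 'execargs = qmail-smtpd /home/vpopmail/bin/vchkpw\n' >> "$1/smtp.conf"   # no /bin/true
    printf '#!/bin/sh\r\nexec /sbin/stunnel /etc/stunnel/pop3.conf 2>&1\r\n' > "$1/run"  # CRLF
    : > "$1/servercert.pem"; chmod 644 "$1/servercert.pem"                             # too open
}
if [ $# -eq 0 ]; then
    tmp=$(mktemp -d); make_sample "$tmp"
    preflight "$tmp/servercert.pem" "$tmp/smtp.conf" "$tmp/run" || echo "sample tree fails, as expected"
    rm -rf "$tmp"
else
    preflight "$@"
fi
```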
#!/bin/sh
# chkconfig: 2345 80 30
# description: the qmail MTA
PATH=/var/qmail/bin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin
export PATH
SERVICES=" /service/qmail-send \
/service/qmail-send/log \
/service/qmail-smtpd \
/service/qmail-smtpd/log \
/service/qmail-smtpds \
/service/qmail-smtpds/log \
/service/qmail-pop3d \
/service/qmail-pop3d/log \
/service/qmail-pop3ds \
/service/qmail-pop3ds/log"
case "$1" in
start)
echo "Starting qmail"
svc -u ${SERVICES}
if [ -d /var/lock/subsys ]; then
touch /var/lock/subsys/qmail
fi
;;
stop)
echo "Stopping qmail..."
svc -d ${SERVICES}
if [ -f /var/lock/subsys/qmail ]; then
rm /var/lock/subsys/qmail
fi
;;
stat)
svstat ${SERVICES}
qmail-qstat
;;
doqueue|alrm|flush)
echo "Flushing timeout table and sending ALRM signal to qmail-send."
/var/qmail/bin/qmail-tcpok
svc -a /service/qmail-send
;;
queue)
qmail-qstat
qmail-qread
;;
reload|hup)
echo "Sending HUP signal to qmail-send."
svc -h /service/qmail-send
;;
pause)
echo "Pausing qmail"
svc -p ${SERVICES}
;;
cont)
echo "Continuing qmail"
svc -c ${SERVICES}
;;
restart)
echo "Restarting qmail"
svc -d ${SERVICES}
svc -u ${SERVICES}
;;
cdb)
/usr/local/bin/tcprules /home/vpopmail/etc/tcp.smtp.cdb /home/vpopmail/etc/tcp.smtp.tmp < /home/vpopmail/etc/tcp.smtp
chmod 644 /home/vpopmail/etc/tcp.smtp*
echo "Reloaded /home/vpopmail/etc/tcp.smtp."
;;
help)
cat <<HELP
stop -- stops mail service (smtp connections refused, nothing goes out)
start -- starts mail service (smtp connection accepted, mail can go out)
pause -- temporarily stops mail service (connections accepted, nothing leaves)
cont -- continues paused mail service
stat -- displays status of mail service
cdb -- rebuild the tcpserver cdb file for smtp
restart -- stops and restarts smtp, sends qmail-send a TERM & restarts it
doqueue -- schedules queued messages for immediate delivery
reload -- sends qmail-send HUP, rereading locals and virtualdomains
queue -- shows status of queue
alrm -- same as doqueue
flush -- same as doqueue
hup -- same as reload
HELP
;;
*)
echo "Usage: $0 {start|stop|restart|doqueue|flush|reload|stat|pause|cont|cdb|queue|help}"
exit 1
;;
esac
exit 0