Differences
This page shows the differences between two versions.
centos:mail_c6:mta_14 [18.03.2014 16:31] – django | centos:mail_c6:mta_14 [28.03.2014 10:27] – django
# chmod +x /
Now we need a matching init script for our **PostSRSd**.
# vim /
<file bash /
#
# postsrsd
#
# chkconfig:
# description:
#              the popular and secure Postfix Mail Transport Agent
# processname:
# pidfile:
# config:
# sec-key:
### BEGIN INIT INFO
# Provides:
# Required-Start:
# Required-Stop:
# Default-Start:
# Default-Stop:
# Short-Description:
# Description:
#              the popular and secure Postfix Mail Transport Agent
### END INIT INFO

# Source function library.
. /

# Source networking configuration.
. /

RETVAL=0
POSTSRSD_CONFIG="/
NAME="
DAEMON="/
PID_FILE="/
SCRIPTNAME="/
DESC="

# Without the configuration file there is nothing to start.
if [ -f $POSTSRSD_CONFIG ]; then
    . $POSTSRSD_CONFIG
else
    exit 0
fi

test -x $DAEMON || exit 0

# Read config file if it is present.
if [ -r /
then
    . /
fi

do_start()
{
    echo -n "
    daemon $DAEMON -4 -f"

    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch /
    return $RETVAL
}

do_stop()
{
    echo -n "
    killproc $NAME
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f /
    return $RETVAL
}

case "
    start)
        do_start
        ;;
    stop)
        do_stop
        ;;
    status)
        status $NAME
        ;;
    restart|force-reload)
        do_stop
        do_start
        ;;
    reload)
        ;;
    condrestart|try-restart)
        if [ -f /
            do_stop
            do_start
        fi
        ;;
    *)
        echo "
        [ "
        exit 2
        ;;
esac
exit $?
</
===== Configuration =====
==== SRS daemon ====
On our build machine we find a README file with further information.
# less /

<file bash README.md>
About
=====
PostSRSd provides the Sender Rewriting Scheme (SRS) via TCP-based
lookup tables for Postfix. SRS is needed if your mail server acts
as forwarder.

Imagine your server receives a mail from alice@example.com
that is to be forwarded. If example.com uses the Sender Policy Framework
to indicate that all legit mails originate from their server, your
forwarded mail might be bounced, because you have no permission to send
on behalf of example.com. The solution is that you map the address to
your own domain, e.g.
SRS0+xxxx=yy=example.com=alice@yourdomain.org (forward SRS). If the
mail is bounced later and a notification arrives, you can extract the
original address from the rewritten one (reverse SRS) and return the
notification to the sender. You might notice that the reverse SRS can
be abused to turn your server into an open relay. For this reason, xxxx
and yy are a cryptographic signature and a time stamp. If the signature
does not match, the address is forged and the mail can be discarded.

Building
========
PostSRSd requires a POSIX compatible system and CMake to build.
Optionally, help2man is used to create a manual page.

For convenience,
the recommended command line options. Just run `make`.

Installing
==========
Run `make install` as root to install the daemon and the configuration
files.

Configuration
=============
The configuration is located in `/
at least one secret key in `/
one from `/
because anyone who knows it can use your mail server as open relay!
Each line of `/
used for signing and verification,

PostSRSd exposes its functionality via two TCP lookup tables. The
recommended Postfix configuration is to add the following fragment to
your main.cf:

sender_canonical_maps = tcp:
sender_canonical_classes = envelope_sender
recipient_canonical_maps = tcp:
recipient_canonical_classes= envelope_recipient

This will transparently rewrite incoming and outgoing envelope addresses.
Run `service postsrsd start` and `postfix reload` as root, or reboot.
</
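The forward and reverse rewriting the README describes, including the signature and timestamp check that keeps reverse SRS from turning the forwarder into an open relay, as an added Python illustration. This is not PostSRSd's own code: the HMAC-SHA1/base64 construction, the base32 day counter and the 21-day window are assumptions simplified from libsrs2, so the addresses are not byte-compatible with the real daemon.

```python
import base64
import hashlib
import hmac

# Constructed illustration of the SRS0 scheme from the README: simplified from
# what libsrs2/PostSRSd do (no SRS1 chaining, no case-folding subtleties), so
# the addresses it produces are not byte-compatible with the real daemon.
BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
SEP = "+"  # separator used in the README's SRS0+xxxx=yy=... example

def srs_timestamp(days):
    """Two base32 chars encoding the day number modulo 1024 (the 'yy' field)."""
    d = days % 1024
    return BASE32[(d >> 5) & 31] + BASE32[d & 31]

def srs_hash(secret, ts, domain, local):
    """The 'xxxx' field: first four chars of base64(HMAC-SHA1(secret, ts+domain+local))."""
    data = (ts + domain + local).lower().encode()
    return base64.b64encode(hmac.new(secret, data, hashlib.sha1).digest()).decode()[:4]

def srs_forward(sender, srs_domain, secret, days):
    """alice@example.com -> SRS0+xxxx=yy=example.com=alice@srs_domain."""
    local, domain = sender.rsplit("@", 1)
    ts = srs_timestamp(days)
    return f"SRS0{SEP}{srs_hash(secret, ts, domain, local)}={ts}={domain}={local}@{srs_domain}"

def srs_reverse(address, secret, days, max_age_days=21):
    """Recover the original sender, or None if the address is not ours, forged or stale."""
    local = address.rsplit("@", 1)[0]
    if not local.startswith("SRS0" + SEP):
        return None
    try:
        h, ts, domain, orig_local = local[len("SRS0" + SEP):].split("=", 3)
    except ValueError:  # fewer than four fields
        return None
    if len(ts) != 2 or any(c not in BASE32 for c in ts.upper()):
        return None
    # Constant-time signature check: a wrong secret or a tampered field means the
    # address was forged and must not be turned back into a deliverable sender.
    expected = srs_hash(secret, ts, domain, orig_local)
    if not hmac.compare_digest(h.encode(), expected.encode()):
        return None
    # Only accept bounces inside the allowed window; older rewrites are dead.
    ts_days = (BASE32.index(ts[0].upper()) << 5) | BASE32.index(ts[1].upper())
    if (days - ts_days) % 1024 > max_age_days:
        return None
    return f"{orig_local}@{domain}"
```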

As a first step we now create our configuration file in the appropriate directory.
# vim /

<file bash /

# Local domain name.
# Addresses are rewritten to originate from this domain. The default value
# is taken from `postconf -h mydomain` and probably okay.
#
# Django : 2014-03-17
# default: #
SRS_DOMAIN=nausch.org

# Exclude additional domains.
# You may list domains which shall not be subjected to address rewriting.
# If a domain name starts with a dot, it matches all subdomains, but not
# the domain itself. Separate multiple domains by space or comma.
#
#

# Secret key to sign rewritten addresses.
# When postsrsd is installed for the first time, a random secret is generated
# and stored in /
#
SRS_SECRET=/

# Local ports for TCP list.
# These ports are used to bind the TCP list for postfix. If you change
# these, you have to modify the postfix settings accordingly. The ports
# are bound to the loopback interface, and should never be exposed on
# the internet.
#
SRS_FORWARD_PORT=10001
SRS_REVERSE_PORT=10002

# Drop root privileges and run as another user after initialization.
# This is highly recommended as postsrsd handles untrusted input.
#
RUN_AS=nobody
</

To sign the rewritten addresses we also need a secret key, which we now create.
# dd if=/

We then set the file permissions of our private key,
# chmod 400 /

==== Postfix ====
In the Postfix configuration file

<file bash /

# Django : 2014-03-18
# Lookup table for rewriting sender e-mail addresses in the SMTP envelope and in the mail header
sender_canonical_maps = btree:/etc/
#
# Defines which addresses are to be rewritten
sender_canonical_classes = envelope_sender
#
# Lookup table for rewriting recipient e-mail addresses in the SMTP envelope and in the mail header
recipient_canonical_maps = btree:/
#
# Defines which addresses are to be rewritten
recipient_canonical_classes = envelope_recipient

...</

===== Starting the program =====
==== First manual start of the daemon ====
Now we can start **PostSRSd** for the first time.
# service postsrsd start

Starting Postfix Sender Rewriting Scheme Daemon:

In the process list we find at least one new process that has been started:
# ps aux | grep postsrsd

nobody

Using **netstat** we can verify,
# netstat -tulpen | grep 1000

tcp 0 0 127.0.0.1:
tcp 0 0 127.0.0.1:

Once our daemon is running, **lsof** shows us not only the open port but also the connections attached to it.
# lsof -i :10002
<
postsrsd 5185 nobody
smtpd 5364 postfix
postsrsd 5367 nobody
postsrsd 5367 nobody
cleanup
postsrsd 5370 nobody
postsrsd 5371 nobody
postsrsd 5371 nobody
</
# lsof -i :10001
<
postsrsd 5185 nobody
postsrsd 5367 nobody
cleanup
postsrsd 5370 nobody
postsrsd 5370 nobody
postsrsd 5371 nobody
</

==== Starting the service automatically at boot ====
So that the daemon **PostSRSd** starts automatically at every system start (without a running **postsrsd**, our **postfix** now refuses to accept messages),
# chkconfig postsrsd on

Whether postsrsd really is started automatically at every system start can be checked with the following command:
# chkconfig --list | grep postsrsd


What matters are the **on** switches for runlevels **2 3 4 5**.

===== Rewrites / Logging =====
The rewrites are logged accordingly in our mail server's maillog.
# less /

Mar 18 21:01:59 vml000080 postsrsd[5806]:

In the header of the e-mail delivered to the recipient this is also recorded in the **Return-Path**.
Return-Path:

If the destination system bounces the message, e.g. because it cannot deliver it due to a full mailbox, the relaying system can now easily inform the original sender,

Mar 13 21:27:25 vml000080 postsrsd[6883]:
...
...
Mar 18 21:27:26 vml000080 postfix/

====== Links ======
* **[[centos:
* **[[wiki:
* **[[http://

~~DISCUSSION~~