3.third-party mail relay
附另外一篇文章(文章荟萃)----sendmail 8.9.3 mail relay规则简介
公司防火墙上sendmail配置举例
divert(-1)
include(``/usr/lib/sendmail-cf/m4/cf.m4'')
dnl let''s define our OS type. This one is mandatory.
OSTYPE(``linux'')dnl
define(``confDEF_USER_ID'',````8:12'''')
define(``ALIAS_FILE'',``/etc/mail/aliases'')dnl
define(``confPRIVACY_FLAGS'', ``authwarnings,needmailhelo,noexpn,novrfy'')dnl
define(``confTO_QUEUERETURN'', ``4d'')dnl
define(``confTO_QUEUEWARN'', ``4h'')dnl
define(``PROCMAIL_MAILER_PATH'',``/usr/bin/procmail'')dnl
undefine(``UUCP_RELAY'')dnl
undefine(``BITNET_RELAY'') dnl
FEATURE(``redirect'')dnl
FEATURE(``always_add_domain'')dnl
FEATURE(``use_cw_file'')dnl
FEATURE(``local_procmail'')dnl
FEATURE(``nouucp'')dnl
FEATURE(``mailertable'', ``hash -o /etc/mail/mailertable'')dnl
FEATURE(``virtusertable'', ``hash -o /etc/mail/virtusertable'')dnl
FEATURE(``domaintable'',``hash -o /etc/mail/domaintable'')
FEATURE(``access_db'', ``hash -o /etc/mail/access'')dnl
FEATURE(``blacklist_recipients'')dnl
MAILER(procmail)dnl
MAILER(smtp)dnl
use_cw_file
默认为/etc/sendmail.cw文件,指明了属于本地域处理的域名,发到这个域下的邮件为本地邮件。不要在
防火墙上设置company.com到sendmai.cw中,在内部网段上的邮件服务器上设置它。更新该文件不需要重
启sendmail
* How do I make all my addresses appear to be from a single host?
Using the V8 configuration macros, use:
MASQUERADE_AS(my.dom.ain)
This will cause all addresses to be sent out as being from the indicated domain.
If you''re using version 8.7 sendmail, and you want to hide this information in the envelope
as well as the headers, use:
FEATURE(masquerade_envelope)
If you also want to masquerade the recipients, use
FEATURE(allmasquerade)
Mailertable
用这个特性可跨越DNS和DNS MX记录而relay mail。也可跨越Smart_host(DSxxxx)项.
如 company.com relay:[192.168.11.1]
从防火墙上接收的发往company.com的邮件relay到192.168.11.1
Include a ""mailer table"" which can be used to override
routing for particular domains. The argument of the
FEATURE may be the key definition. If none is specified,
the definition used is:
hash -o /etc/mailertable
Keys in this database are fully qualified domain names
or partial domains preceded by a dot -- for example,
""vangogh.CS.Berkeley.EDU"" or "".CS.Berkeley.EDU"".
Values must be of the form:
mailer:domain
where ""mailer"" is the internal mailer name, and ""domain""
is where to send the message. These maps are not
reflected into the message header. As a special case,
the forms:
local:user
will forward to the indicated user using the local mailer,
local:
will forward to the original user in the e-mail address
using the local mailer, and
error:code message
will give an error message with the indicated code and
message.
Domaintable
域替换操作。
如果容易打错,发往company.com的邮件误写为compayn.com则加入一行
compayn.com company.com
Access.db
数据库记录包含两部分:the key and the action:
the key能是用户名,域名,或IP地址。
The action能是ok, relay,reject discard, or and RFC821 message
如:
cyberspammer.com 550 we don''t accept mail form spammers
okay.cyberspammer.com OK
sendmail.org OK
128.32 relay
foobar.com reject
[email protected] discard
Virtusertable
Virtusertable用在这样的场合中:
发往本地系统的用户的邮件被重定向到另一个用户.注意一定要是本地用户的邮件,否则不检查virtusertable
数据库文件.如:
在该防火墙上设定company.com到/etc/sendmail.cw中,然后在/etc/mail/virtusertable 加一行
[email protected] [email protected]
virtusertable is a domain-specific form of aliasing, allowing multiple virtual domains to be
hosted on one machine. For example,
if the virtuser table contained:
[email protected] foo-info
[email protected] bar-info
@baz.org
[email protected]
then mail addressed to
[email protected] will be sent to the
address foo-info, mail addressed to
[email protected] will be
delivered to bar-info, and mail addressed to anyone at
baz.org will be sent to
[email protected]. The username
from the original address is passed as %1 allowing:
@foo.org %
[email protected]
meaning
[email protected] will be sent to
[email protected].
All the host names on the left hand side (foo.com, bar.com,
and baz.org) must be in $=w. The default map definition is:
hash -o /etc/virtusertable
FEATURE(genericstable,``hash -o /etc/mail/genericstable''):
Use a hashed table with masquerading information. The unhashed file looks like this:
bg
[email protected]
root
[email protected]
nobody
[email protected]
This file will tell sendmail to rewrite the FROM addresses of your mail, so you will be able
to relay all you mail over your ISPs mail server. The first row contains the local address,
the second one the address which should be used instead. In order for sendmail to read this
file you have to hash it with this command:
makemap -r hash genericstable.db < genericstable
GENERICS_DOMAIN_FILE(``/etc/mail/genericsdomain''):
You have to add you local domain name to this file, so sendmail knows what mail is local and
has to be masqueraded. To get you local domain, run ""hostname"".
FAQ: * I''m getting ""Local configuration error"" messages, such as:
553 MX list for domain.net points back to relay.domain.net
554 ... Local configuration error
How can I solve this problem?
You have asked mail to the domain (e.g., domain.net) to be forwarded to a specific
host (in this case, relay.domain.net) by using an MX record, but the relay machine
doesn''t recognize itself as domain.net. Add domain.net to /etc/sendmail.cw (if you
are using FEATURE(use_cw_file)) or add ""Cw domain.net"" to your configuration file.
IMPORTANT: When making changes to your configuration file, be sure you kill and
restart the sendmail daemon (for ANY change in the configuration, not just this one):
kill ``head -1 /etc/sendmail.pid``
sh -c ""``tail -1 /etc/sendmail.pid``""
Mail for the Home Network ------the Stand Alone Config
FEATURE(always_add_domain)dnl
这是被建议的选项,这个特性强迫local or program mailer需要全称域名
FEATURE(allmasquerade)
我在防火墙上用这个特性强迫所有的邮件象是来自站点的正式域名,你需要联合 MASQUERADE_AS特性
FEATURE(masquerade_entire_domain)
这个特性强迫你的域内的任何主机象是来自同一个域
FEATURE(masquerade_envelope)
MASQUERADE_AS(company.com)
明显地,这是为上面的伪装特性定义的值
MASQUERADE_DOMAIN( company.com othername.com )
如果你有多个内部域名,想伪装为同一个公司域名
环境:
考虑这样的情况:一个公司运行一台Sendmail的Linux邮件服务器,这台机器连有LAN,但通过PPP连接,
Cable modem,or DSL连接上网通过ISP的邮件主机发送邮件. 且该机器上有两个用户jephe and hongyi
(用windows机器向company.com发送邮件),域名为company.com,ISP 域名为isp.net,邮件主机为
mail.isp.net且两人在isp.net上有相同帐号
[email protected] and
[email protected]
要求:
jephe发一封信给
[email protected],可以收到,发另一封信给Internet上某个人someone,则要求通过
ISP出去,且回复地址重写为
[email protected] and
[email protected]
#/etc/mail/relay-domains:
jephe.company.com
hongyi.company.com
#/etc/sendmail.cw
company.com
#sendmail.cf
define(``SMART_HOST'',``smtp:[ix.deniz.com]'')
MASQUERADE_AS(``deniz.com'')
FEATURE(``masquerade_envelope'')
define(RELAY_MAILER, TCP)
FEATURE(``accept_unqualified_senders'')
There are 3 fixes you may have to perform manually if things are not working as you would like them:
1. If sendmail can not ""find"" your email server:
Edit your /etc/sendmail.cf and look for this line:
#Dj$w.Foo.COM
and change it to:
Djmaster.kulai.org
Where master.kulai.org is the name of your email server. Note: remove the # at the front of
the line as # means: ignore - this is a comment line. This is one of sendmail''s rules and it
tells sendmail what the name of the email server is - in case dns, or other ways, do not tell
sendmail what it wants.
2. Masquerading based on destination:
I had the hardest time trying to get sendmail to masquerade only the mail sent to the internet
and not local mail, e.g. I wanted local mail to show the sender as:
[email protected] and not
[email protected], but obviously I wanted mail that went out into the internet to show:
[email protected]. To solve this you have to manually edit the /etc/sendmail.cf. Find the
definitions of local rulesets 10 and 30 within sendmail.cf, (hint: search for S10 and S30) and
delete these 2 lines - or put a # in front of them:
# Envelope sender rewriting
#
S10
R<@> $n errors to mailer-daemon
R@ <@ $*> $n temporarily bypass Sun bogosity
R$+ $: $>50 $1 add local domain if needed
R$* $: $>94 $1 do masquerading <-- delete this line
#
# Header sender rewriting
#
S30
R<@> $n errors to mailer-daemon
R@ <@ $*> $n temporarily bypass Sun bogosity
R$+ $: $>50 $1 add local domain if needed
R$* $: $>93 $1 do masquerading <-- delete this line
There is no m4-based solution for this, so you have to modify sendmail.cf directly. You need
to restart sendmail afterwards, of course.
Note: I have
[email protected] in my From: line in my email program, so sendmail will
masquerade only out-going mail. Many thanks to: Achim L?bbert for the solution.
3. Using unqualified names fails:
If you type just the user''s name in the To: part of the email and it disappears into the
internet, you may have to tell sendmail where to put email with unqualified names. Add this
to the bottom of your master.mc:
define(``LOCAL_RELAY'',``mail.kulai.org'')
LOCAL_RELAY: again: instead of mail.kulai.org, put your mail server''s name here. This line
will make sendmail send unqualified names, like just ""bmote"", to your mail server, i.e. sendmal
will add the kulai.org onto bmote for you. This way you can type just bmote in the To: field in
your email program instead of bmote.kulai.org. Of course you will have to do the m4, copy,
restart routine again to make it take effect.
Message header and Message envelope
所有的email邮件由三部分组成: envelope , header , and boby.
当两台电脑在握手处理邮件传递时,邮件的信封部分被生成了,它携带着真实的邮件接收者地址,在一个
正常的合法的邮件中,信封中的邮件接收者地址匹配着to:地址,但是也有一些例外情况,当邮件发到一个
别名,一个mailing list服务器,或者象假期通知的重定向处理。
有时候你怀疑为什么一个封发到to:
[email protected],却在你的mailbox中,它是由于message to:
and envelope to:的不同,具体的实现方法有多种,象BCC:,别名,邮件列表,直接的命令行伪装,
专门的实现程序(Diffondi 3.1.6),virtusertable虚拟域,前面的单独拨号配置的伪装。。。。
Direct Forging
At the Unix command prompt of the second-party test machine, shell.elsewhere.com, telnet to
port 25 of your machine and try the following. (Your responses are in bold. Make sure that
you include a blank line after the From: header and that the message ends with a line
containing nothing but a period.)
telnet mail.killaspammer.com 25
220 mail.killaspammer.com ESMTP Sendmail 8.8.5/8.8.5; Mon, 16 Mar 1998 02:34:20 -0800 (PST)
MAIL FROM:
250 ... Sender ok
RCPT TO:
250 ... Recipient ok
DATA
354 Enter mail, end with ""."" on a line by itself
To:
[email protected]
From:
[email protected]
Umm, umm, hot spam on rye!
. 250 CAA17232 Message accepted for delivery
quit
221 mail.killaspammer.com closing connection
Connection closed by foreign host.
Now, log in as sam on mail.killaspammer.com and read the message. The headers will look
something like this:
From
[email protected] Mon Mar 16 02:57:02 1998
Received: from shell.elsewhere.com (shell.elsewhere.com [192.168.1.77]) by
mail.killaspammer.com (8.8.5/8.8.5) with SMTP id CAA17232 for ;
Mon, 16 Mar 1998 02:53:50 -0800 (PST)
Date: Mon, 16 Mar 1998 02:53:50 -0800 (PST)
Message-Id: <
[email protected]>
X-Authentication-Warning mail.killaspammer.com: shell.elsewhere.com [192.168.1.77] didn''t use HELO protocol
As you can see, spamming is ridiculously easy to do, which is why it has gotten to be such a big problem.
注:你可以有多个rcpt to:行,且有cc: subject: 等等。
在命令行上指定接收者
下面的例子说明了邮件头中地址和信封地址的又一个不同点,sendmail允许用户在命令行上指定邮件的
接收者。假设用户有一封信letter,内容如下:
To: null recipient < >
Subject : header and envelope address
Testing
使用下面命令将其发出
#sendmail yourloginname < letter
邮件递交过程
如果
[email protected]发信给
[email protected] ,
[email protected] and
[email protected]
To:
[email protected] ,
[email protected] ,
[email protected]
当位于gonzo.gov的sendmail SMTP客户在发信时,每个信封上只写一个地址,而接收者的完整清单只放在
message header to:域中,因为邮件在发送时在gonzo.gov和whizzer.com处的SMTP服务器都不会检查该域。
本例中发给whizzer.com的信只标记寄给fred,而发给zippy.gov的信封再服务器收到后再复制到betty and
andy各一份。
Sendmail 命令集合及安全考虑
HELO/HLEO 向服务器标识用户身份(喂,我是谁,可以欺骗,但记录IP地址,大多没用)
MAIL 初始化邮件传输 ( mail from: )
RCPT 标识单个的邮件收件人,通常在MAIL命令后,(多个rcpt to: )
DATA 在RCPT命令之后,表示所有的邮件收件人已标识,并初始化数据传输
VRFY 由客户机使用,用来验证给定的用户/邮箱是否存在;由于安全方面的原因,某些服务器使用此命令无效
EXPN 由客户机使用,用来验证给定邮箱列表是否存在,并用该命令扩充邮箱列表
HELP 查询服务器支持什么命令
NOOP 无操作;服务器响应OK
QUIT 客户机发送此命令以结束会话
RSET 重置会话;当前传输被取消
为了增强Sendmail服务器的安全性,禁止用户telnet 到端口25作vrfy ,and expn操作。可以更改sendmail.cf如下:
O PrivacyOptions=authwarnings change to:
O PrivacyOptions=authwarnings,noexpn,novrfy
如还未建立sendmail.cf文件,可照上面的防火墙配置:
define(``confPRIVACY_FLAGS'', ``authwarnings,needmailhelo,noexpn,novrfy'')dnl
用Mail命令发送邮件
1. cat report.txt | mail -s ""Sales Reprorts""
[email protected]
2. mail -s ""Sales Reports""
[email protected] < reports.txt
3. mail
[email protected]
Subject: Sales Report
~r report.txt
~.
Cc:
Sendmail 别名文件
1. 一般站点都要求一个管理员地址,许多站点并没有一个专门的邮件管理员帐号,而使用别名将管理员帐号
定向到一个或多个对邮件管理的用户邮件地址上:
postmaster: joe,betty
凡送给postmaster的邮件都转送给用户joe和betty,此处joe和betty也可以是别名
postmaster: jephe,hongyi
jephe:
[email protected]
hongyi:
[email protected]
注意:sendmail不断地对别名进行解释直到得到一个真正的用户或远端地址为止。别名定义中,冒号左侧的
别名必须是本地用户/本地域用户,而右侧可以为远端用户。
不要设置造成循环查找别名而找不到。
如
postmaster: jephe
jephe: admin
admin:postmaster
2. 从文件中读取别名:include: 使用
homeboys: :include: /home/alphonese/homeboys.aliases ( 用:include: 把两边分隔)
文件homeboys.aliases中包含
alphonse
joe
betty
george
就相当于
homeboys: alphonse,joe,betty,george
好处是可以创建一文件让用户自己维护。
3.向文件发邮件
nobody: /dev/null
发给nobody的邮件附加到指定文件后面。由于/dev/null为空文件,故邮件丢弃。