I. Introduction

E-mail is now a universal standard on the Internet. Because its architecture is well designed, it can exchange messages between different platforms, servers and applications. Its main advantages are: speed (a message reaches the recipient shortly after it is sent), economy (no envelopes, paper or postage are needed) and versatility (besides text, e-mail can carry images, sound, video and other kinds of data).
Terminology
Mail Transfer Agent
A Mail Transfer Agent (MTA) is server-side software, in other words the mail server, which transfers e-mail between servers. Normally only one MTA runs on a system; the most widely used MTA programs on UNIX systems include Sendmail, Postfix, Qmail and Fetchmail.
Mail User Agent
A Mail User Agent (MUA) is client software that lets the user read, reply to, compose and manage mail. Unlike the MTA, several MUAs can coexist on one system. Common MUAs include mail, mailx, elm and mh on Linux, and Outlook Express or Netscape Messenger on Windows.
Mail Delivery Agent
A Mail Delivery Agent (MDA) usually runs alongside the MTA. It examines the destination of mail received by the MTA and decides whether to place it in a local account's mailbox or hand it back to the MTA for forwarding to the next MTA. The MDA normally runs in the background.
If the mail is destined for a local user's mailbox, the MDA not only places it in the right mailbox but can also filter it.
Mail Transfer System
The system formed by combining an MTA and an MUA is called a Mail Transfer System (MTS).

II. Case study

1. Topology diagram
(diagram not reproduced; from the configuration below, the 163 server mail.163.com is 192.168.101.70, the sina server mail.sina.com is 192.168.101.77 and the client is 192.168.101.72)

2. Configuration steps

163 server configuration:

Install the DNS server

[root@localhost ~]# mount /dev/cdrom /mnt/cdrom

mount: block device /dev/cdrom is write-protected, mounting read-only
[root@localhost ~]# cd /mnt/cdrom/Server/
[root@localhost Server]# rpm -ivh bind-9.3.6-4.P1.el5.i386.rpm
warning: bind-9.3.6-4.P1.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing...                ########################################### [100%]
   1:bind                   ########################################### [100%]
[root@localhost Server]# rpm -ivh bind-chroot-9.3.6-4.P1.el5.i386.rpm
warning: bind-chroot-9.3.6-4.P1.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing...                ########################################### [100%]
   1:bind-chroot            ########################################### [100%]
[root@localhost Server]# rpm -ivh caching-nameserver-9.3.6-4.P1.el5.i386.rpm
warning: caching-nameserver-9.3.6-4.P1.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing...                ########################################### [100%]
   1:caching-nameserver     ########################################### [100%]
[root@localhost Server]# cd /var/named/chroot/etc/
[root@localhost etc]# ll
总计 16
-rw-r--r-- 1 root root   405 08-19 19:25 localtime
-rw-r----- 1 root named 1230 2009-07-30 named.caching-nameserver.conf
-rw-r----- 1 root named 955 2009-07-30 named.rfc1912.zones
-rw-r----- 1 root named 113 09-09 18:07 rndc.key
Edit the configuration files. The settings below accept queries from any client, which is fine on the lab LAN; on an Internet-facing server they would create an open recursive resolver, so restrict them to the local network in production.
[root@localhost etc]# cp -p named.caching-nameserver.conf named.conf
[root@localhost etc]# vim named.conf
        listen-on port 53 { any; };
        allow-query     { any; };
        allow-query-cache { any; };
        match-clients      { any; };
        match-destinations { any; };
[root@localhost etc]# vim named.rfc1912.zones
zone "163.com" IN {
        type master;
        file "163.com.zone";
        allow-update { none; };
};
 
[root@localhost etc]# cd ../var/named/
[root@localhost named]# vim 163.com.zone
$TTL    86400
@               IN SOA ns.163.com.       root (
                                        42              ; serial (d. adams)
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum
 
                IN NS           ns.163.com.
ns              IN A            192.168.101.70
mail            IN A            192.168.101.70
pop3            IN CNAME        mail
smtp            IN CNAME        mail
@               IN MX 10        mail
Start the service
[root@localhost named]# service named start
启动 named:                                               [确定]
[root@localhost named]# chkconfig named on
 
Install the mail sending server (sendmail). The sendmail-cf package supplies the m4 macro files that the init script needs to regenerate sendmail.cf from sendmail.mc.
 
[root@mail Server]# rpm -ivh sendmail-cf-8.13.8-2.el5.i386.rpm
[root@mail ~]# cd /etc/mail
Edit the main configuration file. The stock DAEMON_OPTIONS line listens on Addr=127.0.0.1 only; changing it to 0.0.0.0 makes sendmail accept SMTP connections on every interface.
[root@mail mail]# vim sendmail.mc
DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA')dnl
Edit the relay control file (access). Entries without a Connect:, From: or To: tag match sender addresses as well as connecting hosts, so an untagged "sina.com RELAY" also relays mail for any client that merely claims a sina.com sender; in production, tag the entry (for example To:sina.com) or restrict relaying to Connect: entries.
[root@mail mail]# vim access
# Check the /usr/share/doc/sendmail/README.cf file for a description
# of the format of this file. (search for access_db in that file)
# The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
# package.
#
# by default we allow relaying from localhost...
Connect:localhost.localdomain           RELAY
Connect:localhost                       RELAY
Connect:127.0.0.1                       RELAY
Connect:192.168.101                     RELAY
sina.com                                RELAY
163.com                                 OK
[root@mail mail]# vim local-host-names
# local-host-names - include all aliases for your machine here.
163.com
mail.163.com
Install the mail receiving server (Dovecot)
[root@mail Server]# rpm -ivh dovecot-1.0.7-7.el5.i386.rpm
warning: dovecot-1.0.7-7.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing...                ########################################### [100%]
   1:dovecot                ########################################### [100%]
[root@mail Server]# service dovecot start
启动 Dovecot Imap:                                        [确定]
[root@mail Server]# chkconfig dovecot on
 
Install the DNS server and the mail server on the sina server in the same way; those steps are not listed here.
 
Configure DNS forwarding so that each server can resolve the other domain
On the 163 server (192.168.101.70), forward queries it cannot answer to the sina DNS server:
[root@mail ~]# vim /var/named/chroot/etc/named.conf
        forwarders    { 192.168.101.77; };
 
On the sina server (192.168.101.77), forward to the 163 DNS server:
[root@mail ~]# vim /var/named/chroot/etc/named.conf
        forwarders    { 192.168.101.70; };
Reload named on both servers:
[root@mail ~]# rndc reload
server reload successful
 
Mail delivery showed a long delay: sendmail looks up the PTR record of the connecting host, and without a reverse zone that query has to time out first. Configure reverse DNS, starting on the 163 server: add a master zone for 101.168.192.in-addr.arpa whose file is 192.168.101.zone to named.rfc1912.zones, then create the zone file from the named.local template.
[root@mail ~]# cd /var/named/chroot/etc/
[root@mail etc]# vim named.rfc1912.zones
[root@mail etc]# cd ../var/named/
[root@mail named]# cp -p named.local 192.168.101.zone
[root@mail named]# vim 192.168.101.zone
$TTL    86400
@       IN      SOA     localhost. root.localhost. (
                                      1997022700 ; Serial
                                      28800      ; Refresh
                                      14400      ; Retry
                                      3600000    ; Expire
                                      86400 )    ; Minimum
        IN      NS      localhost.
70      IN      PTR     mail.163.com.
77      IN      PTR     mail.sina.com.
Configure reverse DNS on the mail.sina.com server in the same way.
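The forward and reverse zones above have to agree with each other before sendmail stops waiting on lookups and before the MX record is usable. The following is an added example, not code from the original post: it parses the two zone files (copied from the page, with the SOA timers folded onto fewer lines) with a small parser and checks that the MX target is an A record rather than a CNAME, that every PTR maps back to a matching A record (forward-confirmed reverse DNS), and that every host has a PTR.

```python
FWD_ORIGIN, REV_ORIGIN = "163.com.", "101.168.192.in-addr.arpa."
# The page's two zone files, with the SOA timers folded onto fewer lines.
FORWARD_ZONE = """\
@      IN SOA ns.163.com. root (
                42 3H 15M 1W 1D )   ; serial refresh retry expiry minimum
       IN NS    ns.163.com.
mail   IN A     192.168.101.70
pop3   IN CNAME mail
smtp   IN CNAME mail
@      IN MX 10 mail
"""
REVERSE_ZONE = """\
@      IN SOA localhost. root.localhost. ( 1997022700 28800 14400 3600000 86400 )
70     IN PTR mail.163.com.
77     IN PTR mail.sina.com.
"""

def parse_zone(text, origin):
    """Return (owner, type, rdata) triples with fully qualified names. Handles '@',
    relative names, inherited owners, ';' comments and a parenthesised SOA."""
    fq = lambda n: origin if n == "@" else n if n.endswith(".") else f"{n}.{origin}"
    records, owner, in_soa = [], "@", False
    for line in text.splitlines():
        line = line.split(";")[0].rstrip()
        if in_soa or not line.strip() or line.startswith("$"):
            in_soa = in_soa and ")" not in line      # skip until the SOA closes
            continue
        if line[0] not in " \t":                      # owner given in column 0
            owner, line = line.split(None, 1)
        f = line.split()[1:]                          # drop the IN class (assumed present)
        if f[0] == "SOA":
            in_soa = ")" not in line
            continue
        rdata = fq(f[-1]) if f[0] in ("NS", "CNAME", "MX", "PTR") else f[-1]
        records.append((fq(owner), f[0], rdata))
    return records

def check_mail_dns(forward, reverse, origin):
    """Problems that break delivery or make sendmail wait on reverse lookups."""
    a = {n: r for n, t, r in forward if t == "A"}
    cnames = {n for n, t, _ in forward if t == "CNAME"}
    ptr, problems = {n: r for n, t, r in reverse if t == "PTR"}, []
    for _, t, target in forward:
        if t == "MX" and target in cnames:
            problems.append(f"MX target {target} is a CNAME (RFC 2181 forbids this)")
        elif t in ("MX", "CNAME") and target not in a:
            problems.append(f"{t} target {target} has no A record")
    for rev, name in ptr.items():                     # forward-confirmed reverse DNS
        ip = ".".join(reversed(rev.split(".")[:4]))
        if name.endswith(origin) and a.get(name) != ip:
            problems.append(f"PTR {ip} -> {name} but A {name} = {a.get(name)}")
    for name, ip in a.items():                        # every host needs a PTR
        if ".".join(reversed(ip.split("."))) + ".in-addr.arpa." not in ptr:
            problems.append(f"{name} ({ip}) has no PTR record")
    return problems
```

PTRs that point into another zone (77 -> mail.sina.com.) are skipped here because the sina server, not this one, is authoritative for that name.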
 
Test: user1 on the 163 server sends an e-mail to user4 on the sina server (mail client screenshots not reproduced).

Check the log
[root@mail ~]# tail -f /var/log/maillog
Sep 10 10:33:44 mail sendmail[31218]: q8A2Xhk8031218: from=<user1@163.com>, size=588, class=0, nrcpts=1, msgid=<009f01cd8efc$ad92bc30$4865a8c0@xbjmfrkechdxtww>, proto=ESMTP, daemon=MTA, relay=mail.163.com [192.168.101.70]
Sep 10 10:33:44 mail sendmail[31219]: q8A2Xhk8031218: to=<user4@sina.com>, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=30769, dsn=2.0.0, stat=Sent

Now encrypt mail submission with SSL/TLS. The steps below build a private CA with the openssl tools and issue a server certificate from it. Note that the 1024-bit RSA keys used here are too short by current standards; use 2048 bits or more outside a lab.

[root@mail ~]# vim /etc/pki/tls/openssl.cnf
[ CA_default ]
 
dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.
 
certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number f
[root@mail ~]# cd /etc/pki/CA/
[root@mail CA]# mkdir crl certs newcerts
[root@mail CA]# touch index.txt serial
[root@mail CA]# echo "01" >serial
[root@mail CA]# openssl genrsa 1024 >private/cakey.pem
Generating RSA private key, 1024 bit long modulus
...........++++++
.......................++++++
e is 65537 (0x10001)
[root@mail CA]# chmod 600 private/*
[root@mail CA]# openssl req -new -key private/cakey.pem -x509 -days 36500 -out cacert.pem
Country Name (2 letter code) [CN]:
State or Province Name (full name) [HENAN]:
Locality Name (eg, city) [ZHENGZHOU]:
Organization Name (eg, company) [My Company Ltd]:163
Organizational Unit Name (eg, section) []:tec
Common Name (eg, your name or your server's hostname) []:rootca.net.net
Email Address []:
Generate the server key
[root@mail CA]# mkdir -pv /etc/mail/certs
[root@mail CA]# cd /etc/mail/certs/
[root@mail certs]# openssl genrsa 1024 >sendmail.key
Generating RSA private key, 1024 bit long modulus
....++++++
....++++++
e is 65537 (0x10001)
Create the certificate request
[root@mail certs]# openssl req -new -key sendmail.key -out sendmail.csr
Country Name (2 letter code) [CN]:
State or Province Name (full name) [HENAN]:
Locality Name (eg, city) [ZHENGZHOU]:
Organization Name (eg, company) [My Company Ltd]:163
Organizational Unit Name (eg, section) []:tec
Common Name (eg, your name or your server's hostname) []:mail.163.com
Email Address []:
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Sign the request with the CA to produce the certificate
[root@mail certs]# openssl ca -in sendmail.csr -out sendmail.cert
Subject:
            countryName               = CN
            stateOrProvinceName       = HENAN
            organizationName          = 163
            organizationalUnitName    = tec
            commonName                = mail.163.com
        X509v3 extensions:
            X509v3 Basic Constraints:
Bind the certificate to the server by enabling the TLS macros in sendmail.mc (remove the leading dnl from these lines in the stock file and set the paths)
[root@mail certs]# vim /etc/mail/sendmail.mc
define(`confCACERT_PATH', `/etc/pki/CA')dnl
define(`confCACERT', `/etc/pki/CA/cacert.pem')dnl
define(`confSERVER_CERT', `/etc/mail/certs/sendmail.cert')dnl
define(`confSERVER_KEY', `/etc/mail/certs/sendmail.key')dnl
[root@mail certs]# service sendmail restart
关闭 sm-client:                                           [确定]
关闭 sendmail:                                            [确定]
启动 sendmail:                                            [确定]
启动 sm-client:                                           [确定]
[root@mail certs]# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.163.com ESMTP Sendmail 8.13.8/8.13.8; Mon, 10 Sep 2012 04:58:28 +0800
ehlo 127.0.0.1
250-mail.163.com Hello localhost.localdomain [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP
 
Test: send a message from the client and capture the SMTP session on the server with tshark (client screenshots not reproduced):
[root@mail Server]# tshark -ni eth0 -R "tcp.dstport eq 25"
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
 29.422781 192.168.101.72 -> 192.168.101.70 TCP 1158 > 25 [SYN] Seq=0 Win=65535 Len=0 MSS=1460
 29.423137 192.168.101.72 -> 192.168.101.70 TCP 1158 > 25 [ACK] Seq=1 Ack=1 Win=65535 Len=0
 29.425336 192.168.101.72 -> 192.168.101.70 SMTP C: EHLO xbjmfrkechdxtww
 29.425692 192.168.101.72 -> 192.168.101.70 SMTP C: STARTTLS
 29.426364 192.168.101.72 -> 192.168.101.70 SMTP C: \026\003\001\000a\001\000\000]\003\001PM\300\221\000\340,i\236c\204\221\021q\325\276+'\375\216.\323 | \24515:\210,\354?\023 \016\225\221\245\240\316\312\330\034\316\005\322\331W\305\274|\234Sv\212\261\211\016\316\006\212\276\235tQ\346\000\026\000\004\000\005\000 | \000\t\000d\000b\000\003\000\006\000\023\000\022\000c\001\000
 29.426739 192.168.101.72 -> 192.168.101.70 TCP 1158 > 25 [ACK] Seq=135 Ack=1994 Win=65535 Len=0
 29.427294 192.168.101.72 -> 192.168.101.70 TCP [TCP segment of a reassembled PDU]
 29.570345 192.168.101.72 -> 192.168.101.70 TCP 1158 > 25 [ACK] Seq=324 Ack=2037
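The capture above is the evidence that the session was upgraded: EHLO and STARTTLS are the only readable commands, and the next client payload is a TLS record (tshark still labels it SMTP and prints its bytes as octal escapes, and \026\003 is 0x16 0x03, a TLS handshake record). As an added example, not part of the original post, the following function turns that visual check into detection logic over tshark one-line summaries: it confirms the TLS handshake followed STARTTLS and lists any commands, such as AUTH or MAIL, whose arguments crossed the wire in the clear. CAPTURE_PLAIN is a constructed counter-example.

```python
import re

# Client->server packets from the port-25 capture above, abridged (the TLS
# record line is cut short); tshark prints non-printable bytes as octal escapes.
CAPTURE_25 = r"""
 29.425336 192.168.101.72 -> 192.168.101.70 SMTP C: EHLO xbjmfrkechdxtww
 29.425692 192.168.101.72 -> 192.168.101.70 SMTP C: STARTTLS
 29.426364 192.168.101.72 -> 192.168.101.70 SMTP C: \026\003\001\000a\001\000\000]\003\001PM
 29.427294 192.168.101.72 -> 192.168.101.70 TCP [TCP segment of a reassembled PDU]
"""

# Constructed counter-example: a client that authenticates without STARTTLS.
CAPTURE_PLAIN = r"""
 10.000100 192.168.101.72 -> 192.168.101.70 SMTP C: EHLO client
 10.000200 192.168.101.72 -> 192.168.101.70 SMTP C: AUTH LOGIN dXNlcjFAMTYzLmNvbQ==
 10.000300 192.168.101.72 -> 192.168.101.70 SMTP C: MAIL FROM:<user1@163.com>
"""

CLIENT_LINE = re.compile(r"SMTP C: (.*)$")
HARMLESS_IN_CLEAR = {"EHLO", "HELO", "STARTTLS", "NOOP", "QUIT", "RSET"}

def audit_smtp_capture(text):
    """Report what a client sent in cleartext before the session was encrypted.
    Returns {'starttls': client asked for TLS, 'tls_handshake': the bytes after
    STARTTLS were a TLS handshake record (0x16 0x03 ...), 'exposed': commands
    whose arguments crossed the wire unencrypted}."""
    result = {"starttls": False, "tls_handshake": False, "exposed": []}
    for line in text.splitlines():
        m = CLIENT_LINE.search(line)
        if not m or not m.group(1).split():
            continue                                  # not a decoded SMTP command
        payload = m.group(1)
        if result["starttls"] and payload.startswith(r"\026\003"):
            result["tls_handshake"] = True            # everything after this is ciphertext
            break
        verb = payload.split()[0].upper().rstrip(":")
        if verb == "STARTTLS":
            result["starttls"] = True
        elif verb not in HARMLESS_IN_CLEAR:
            # AUTH LOGIN/PLAIN arguments are only base64, so they are readable here
            result["exposed"].append(verb + (" (credentials)" if verb == "AUTH" else ""))
    return result
```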
 
Configure the receiving mail server (Dovecot) for POP3 over SSL
 
[root@mail ~]# mkdir -pv /etc/dovecot/certs
mkdir: 已创建目录 “/etc/dovecot”
mkdir: 已创建目录 “/etc/dovecot/certs”
[root@mail ~]# cd /etc/dovecot/certs/
[root@mail certs]# openssl genrsa 1024 >dovecot.key
Generating RSA private key, 1024 bit long modulus
.......++++++
......++++++
e is 65537 (0x10001)
[root@mail certs]# openssl req -new -key dovecot.key -out dovecot.csr
Country Name (2 letter code) [CN]:
State or Province Name (full name) [HENAN]:
Locality Name (eg, city) [ZHENGZHOU]:
Organization Name (eg, company) [My Company Ltd]:163
Organizational Unit Name (eg, section) []:tec
Common Name (eg, your name or your server's hostname) []:pop3.163.com
Email Address []:
[root@mail certs]# openssl ca -in dovecot.csr -out dovecot.cert
Subject:
            countryName               = CN
            stateOrProvinceName       = HENAN
            organizationName          = 163
            organizationalUnitName    = tec
            commonName                = pop3.163.com
 
With protocols = pop3s only the SSL port 995 is offered; plain POP3 on port 110 stays closed, as the netstat output below confirms.
[root@mail certs]# vim /etc/dovecot.conf
protocols = pop3s
ssl_cert_file = /etc/dovecot/certs/dovecot.cert
ssl_key_file = /etc/dovecot/certs/dovecot.key
[root@mail certs]# service dovecot restart
停止 Dovecot Imap:                                        [确定]
启动 Dovecot Imap:                                        [确定]
[root@mail certs]# netstat -tupln |grep dov
tcp        0      0 :::995                      :::*                        LISTEN      322/dovecot  
Retrieve mail from the client over POP3S and capture port 995 on the server (client screenshots not reproduced):
[root@mail ~]# tshark -ni eth0 -R "tcp.dstport eq 995"
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
 29.699314 192.168.101.72 -> 192.168.101.70 TCP 1170 > 995 [SYN] Seq=0 Win=65535 Len=0 MSS=1460
 29.699576 192.168.101.72 -> 192.168.101.70 TCP 1170 > 995 [ACK] Seq=1 Ack=1 Win=65535 Len=0
 29.700061 192.168.101.72 -> 192.168.101.70 SSLv2 Client Hello
 29.728786 192.168.101.72 -> 192.168.101.70 TLSv1 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
 29.895082 192.168.101.72 -> 192.168.101.70 TCP 1170 > 995 [ACK] Seq=261 Ack=830 Win=64706 Len=0
 30.113033 192.168.101.72 -> 192.168.101.70 TCP 1170 > 995 [ACK] Seq=261 Ack=871 Win=64665 Len=0
 57.655137 192.168.101.72 -> 192.168.101.70 TLSv1 Application Data
 57.657029 192.168.101.72 -> 192.168.101.70 TLSv1 Application Data
 57.662891 192.168.101.72 -> 192.168.101.70 TLSv1 Application Data
 57.663933 192.168.101.72 -> 192.168.101.70 TLSv1 Application Data
 57.664475 192.168.101.72 -> 192.168.101.70 TCP 1170 > 995 [ACK] Seq=379 Ack=1004 Win=64533 Len=0
 57.664798 192.168.101.72 -> 192.168.101.70 TCP 1170 > 995 [FIN, ACK] Seq=379 Ack=1004 Win=64533 Len=0
 57.668587 192.168.101.72 -> 192.168.101.70 TCP 1171 > 995 [SYN] Seq=0 Win=65535 Len=0 MSS=1460
 57.668734 192.168.101.72 -> 192.168.101.70 TCP 1171 > 995 [ACK] Seq=1 Ack=1 Win=65535 Len=0
 57.669371 192.168.101.72 -> 192.168.101.70 SSL Client Hello
 57.670327 192.168.101.72 -> 192.168.101.70 TLSv1 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
 57.785600 192.168.101.72 -> 192.168.101.70 TCP 1171 > 995 [ACK] Seq=285 Ack=830 Win=64706 Len=0
 57.786559 192.168.101.72 -> 192.168.101.70 TLSv1 Application Data
 57.786949 192.168.101.72 -> 192.168.101.70 TLSv1 Application Data
 58.249823 192.168.101.72 -> 192.168.101.70 TLSv1 Application Data
 58.258448 192.168.101.72 -> 192.168.101.70 TLSv1 Application Data
 58.260590 192.168.101.72 -> 192.168.101.70 TLSv1 Application Data
 58.263341 192.168.101.72 -> 192.168.101.70 TLSv1 Application Data
 58.264142 192.168.101.72 -> 192.168.101.70 TLSv1 Application Data
 58.298279 192.168.101.72 -> 192.168.101.70 TCP 1171 > 995 [FIN, ACK] Seq=488 Ack=1930 Win=65430 Len=0
 58.298307 192.168.101.72 -> 192.168.101.70 TCP 1171 > 995 [ACK] Seq=489 Ack=1931 Win=65430 Len=0

SMTP authentication

The authentication settings go in sendmail.mc: remove the leading dnl from the TRUST_AUTH_MECH and confAUTH_MECHANISMS lines so that the mechanisms are offered, and add M=Ea to DAEMON_OPTIONS so that clients must authenticate before they may send (the text after each closing dnl is a comment that m4 discards).
[root@mail ~]# vim /etc/mail/sendmail.mc
define(`confAUTH_OPTIONS', `A y')dnl                                // enable authentication
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA, M=Ea')dnl         // require authentication
[root@mail ~]# service saslauthd start
启动 saslauthd:                                           [确定]
[root@mail ~]# chkconfig saslauthd on
[root@mail ~]# service sendmail restart
关闭 sm-client:                                           [确定]
关闭 sendmail:                                            [确定]
启动 sendmail:                                            [确定]
启动 sm-client:                                           [确定]
 
 
[root@mail ~]# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.163.com ESMTP Sendmail 8.13.8/8.13.8; Mon, 10 Sep 2012 06:06:50 +0800
mail from:nxl@163.com
530 5.7.0 Authentication required
 
For AUTH LOGIN the user name and password must be supplied base64-encoded. Base64 is an encoding, not encryption: anyone who can observe the session can read the credentials, so on a real network AUTH LOGIN and PLAIN should only be offered once STARTTLS is active (the p flag in confAUTH_OPTIONS enforces this); the test below runs over the loopback interface.
[root@mail ~]# echo -n "user1@163.com" |openssl base64
dXNlcjFAMTYzLmNvbQ==
[root@mail ~]# echo -n "123" |openssl base64
MTIz
 
[root@mail ~]# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.163.com ESMTP Sendmail 8.13.8/8.13.8; Mon, 10 Sep 2012 06:36:18 +0800
AUTH LOGIN dXNlcjFAMTYzLmNvbQ==
334 UGFzc3dvcmQ6
MTIz
235 2.0.0 OK Authenticated
MAIL FROM:user1@163.com
250 2.1.0 user1@163.com... Sender ok
rcpt to:user2@163.com
250 2.1.5 user2@163.com... Recipient ok
data
354 Enter mail, end with "." on a line by itself
subject:nxl
qqqq
.
250 2.0.0 q89MaITo000922 Message accepted for delivery
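The telnet session above is AUTH LOGIN done by hand: the user name rides on the AUTH command, the server answers 334 with a base64 challenge (UGFzc3dvcmQ6 decodes to "Password:"), the client answers with the base64 password, and 235 or 535 ends the exchange. As an added example that is not part of the original post, the code below replays that dialogue against FakeSendmail, a constructed stand-in for the server side (not sendmail itself), with a client that refuses to send credentials unless TLS is active or the connection is on loopback, and that also handles the variant where the server asks for the user name in a first challenge.

```python
import base64

def b64(s):
    return base64.b64encode(s.encode()).decode()

def unb64(s):
    return base64.b64decode(s).decode()

class FakeSendmail:
    """Server side of the dialogue above (constructed stand-in, not sendmail):
    answers AUTH LOGIN with 334 challenges and refuses MAIL until authenticated."""
    def __init__(self, users):
        self.users, self.state, self.user, self.authed = users, "idle", None, False

    def handle(self, line):
        if self.state == "user":                      # client answered "Username:"
            self.user, self.state = unb64(line), "pass"
            return "334 " + b64("Password:")
        if self.state == "pass":                      # client answered "Password:"
            self.state = "idle"
            self.authed = self.users.get(self.user) == unb64(line)
            return "235 2.0.0 OK Authenticated" if self.authed else "535 5.7.0 authentication failed"
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "AUTH":
            mech, _, initial = arg.partition(" ")
            if mech.upper() != "LOGIN":
                return "504 5.5.4 Unrecognized authentication type"
            if initial:                               # user name sent with the AUTH command
                self.user, self.state = unb64(initial), "pass"
                return "334 " + b64("Password:")
            self.state = "user"
            return "334 " + b64("Username:")
        if verb == "MAIL":
            return "250 2.1.0 Sender ok" if self.authed else "530 5.7.0 Authentication required"
        return "250 2.0.0 OK"

def auth_login(server, user, password, tls_active, loopback=False):
    """Client side. Refuses to send base64 credentials over an unprotected
    connection, then follows the 334 challenges until the server answers 235/535.
    Returns (authenticated, decoded challenges seen)."""
    if not (tls_active or loopback):
        raise RuntimeError("AUTH LOGIN only encodes credentials; negotiate STARTTLS first")
    reply, challenges = server.handle("AUTH LOGIN " + b64(user)), []
    while reply.startswith("334"):
        challenge = unb64(reply[4:])
        challenges.append(challenge)
        reply = server.handle(b64(password if challenge.startswith("Password") else user))
    return reply.startswith("235"), challenges
```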
 
Test: log in as user2 and read the message
 
[root@mail ~]# su - user2
[user2@mail ~]$ mail
Mail version 8.1 6/6/93. Type ? for help.
"/var/spool/mail/user2": 2 messages 1 new
    1 MAILER-DAEMON@mail.1 Sun Sep 09 19:16 13/544   "DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA"
>N 2 user1@163.com         Mon Sep 10 06:38 14/516   "nxl"
& 2
Message 2:
From user1@163.com Mon Sep 10 06:38:14 2012
Date: Mon, 10 Sep 2012 06:36:18 +0800
From: user1@163.com
X-Authentication-Warning: mail.163.com: localhost.localdomain [127.0.0.1] didn't use HELO protocol
subject: nxl
 
qqqq
 
&