ChinaUnix forum

[Mail] Original: Qmail openssl stunnel SSL pop3 995 smtp 465 configuration and installation

Post #1, posted 2007-09-03 13:34
The original is on my blog: http://spire.spaces.live.com/blog/cns!8CE483F458A23E32!1425.entry

The server is located abroad and the GFW is a nuisance, so I added an SSL connection option to the qmail mail server. There is very little Chinese material on this, especially for the stunnel approach, so after the upgrade I wrote up these notes.

Install qmail with vpopmail as before. My server already had qmail installed and working normally, with only the SMTP AUTH patch applied.

If that is your situation, you can upgrade directly.

The following two packages need to be installed:
  • openssl (http://www.openssl.org)
    # cd openssl-0.9.8e
    # ./config
    # make
    # make test
    # make install
    # openssl version

    OpenSSL 0.9.8e 23 Feb 2007
  • stunnel (http://www.stunnel.org) (when configuring stunnel, take care to set the install paths; /sbin/stunnel and /etc/stunnel are the two main ones.)
    # ./configure --sysconfdir=/etc --localstatedir=/var --sharedstatedir=/var --sbindir=/sbin
    # make
    # make install
    # stunnel -version
    stunnel 4.20 on i686-pc-linux-gnu with OpenSSL 0.9.8e 23 Feb 2007
    Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv4
    Global options
    debug           = 5
    pid             = /usr/local/var/run/stunnel/stunnel.pid
    RNDbytes        = 64
    RNDfile         = /dev/urandom
    RNDoverwrite    = yes
    Service-level options
    cert            = /etc/stunnel/stunnel.pem
    ciphers         = ALL:!ADH:+RC4:@STRENGTH
    key             = /etc/stunnel/stunnel.pem
    session         = 300 seconds
    sslVersion      = SSLv3 for client, all for server
    TIMEOUTbusy     = 300 seconds
    TIMEOUTclose    = 60 seconds
    TIMEOUTconnect  = 10 seconds
    TIMEOUTidle     = 43200 seconds
    verify          = none
安裝好后,建立兩個文件 /etc/stunnel/pop3.conf
# /etc/stunnel/pop3.conf
cert = /var/qmail/control/servercert.pem
exec = /var/qmail/bin/qmail-popup
execargs = qmail-popup your.domain.com /home/vpopmail/bin/vchkpw /var/qmail/bin/qmail-pop3d Maildir
The second is /etc/stunnel/smtp.conf:
# /etc/stunnel/smtp.conf
cert = /var/qmail/control/servercert.pem
exec = /var/qmail/bin/qmail-smtpd
execargs = qmail-smtpd /home/vpopmail/bin/vchkpw /bin/true
Create the qmail server certificate (it is self-signed anyway, so any validity period will do; here it is set to 10 years). The relative file names below assume the working directory is /var/qmail/control:
# cd /var/qmail/control
# openssl req -new -x509 -nodes -out servercert.pem -days 3650 -keyout servercert.pem
Then set the attributes of the server certificate file servercert.pem:
# ln -s /var/qmail/control/servercert.pem clientcert.pem
# chown -R vpopmail:qmail /var/qmail/control/clientcert.pem /var/qmail/control/servercert.pem
# chmod 600 servercert.pem   # this one is very important
Create the run files for the pop3 and smtp SSL services:
# mkdir -p /var/qmail/supervise/qmail-pop3ds/log /var/qmail/supervise/qmail-smtpds/log /var/log/qmail/pop3ds /var/log/qmail/smtpds

/var/qmail/supervise/qmail-pop3ds/run
#!/bin/sh
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
LOCAL=`head -1 /var/qmail/control/me`
exec /usr/local/bin/softlimit -m 20000000 \
/usr/local/bin/tcpserver -H -R -v -l "$LOCAL" -c "$MAXSMTPD" 0 995 \
/sbin/stunnel /etc/stunnel/pop3.conf 2>&1

/var/qmail/supervise/qmail-pop3ds/log/run
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t \
    /var/log/qmail/pop3ds

/var/qmail/supervise/qmail-smtpds/run
#!/bin/sh
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
LOCAL=`head -1 /var/qmail/control/me`
if [ -z "$QMAILDUID" -o -z "$NOFILESGID" -o -z "$MAXSMTPD" -o -z "$LOCAL" ]; then
    echo QMAILDUID, NOFILESGID, MAXSMTPD, or LOCAL is unset in
    echo /var/qmail/supervise/qmail-smtpds/run
    exit 1
fi
if [ ! -f /var/qmail/control/rcpthosts ]; then
    echo "No /var/qmail/control/rcpthosts!"
    echo "Refusing to start SMTP listener because it'll create an open relay"
    exit 1
fi
# -u/-g: the uid/gid tcpserver switches to before running stunnel, so the
# certificate file named in /etc/stunnel/smtp.conf must be readable by that user
exec /usr/local/bin/softlimit -m 20000000 \
        /usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
       -u 89 -g 89 0 465 \
        /sbin/stunnel /etc/stunnel/smtp.conf 2>&1
/var/qmail/supervise/qmail-smtpds/log/run
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t /var/log/qmail/smtpds
Link the supervise directories into /service:
# cd /service
# ln -s /var/qmail/supervise/qmail-pop3ds/ qmail-pop3ds
# ln -s /var/qmail/supervise/qmail-smtpds/ qmail-smtpds
Modify the qmailctl file, /var/qmail/bin/qmailctl  # this file is written in a slightly complicated way; I have a simpler one which I will post later.
#!/bin/sh
# Description: the qmail MTA
PATH=/var/qmail/bin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin
export PATH
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
case "$1" in
  start)
    echo "Starting qmail..."
    echo "  qmail-send"
    if svok /service/qmail-send ; then
      svc -u /service/qmail-send /service/qmail-send/log
    else
      echo "  qmail-send supervise not running"
    fi
    echo "  qmail-smtp"
    if svok /service/qmail-smtpd ; then
      svc -u /service/qmail-smtpd /service/qmail-smtpd/log
    else
      echo "  qmail-smtpd supervise not running"
    fi
    echo "  qmail-smtp ssl"
    if svok /service/qmail-smtpds ; then
      svc -u /service/qmail-smtpds /service/qmail-smtpds/log
    else
      echo "  qmail-smtpd ssl supervise not running"
    fi
    echo "  qmail-pop3d"
    if svok /service/qmail-pop3d ; then
      svc -u /service/qmail-pop3d /service/qmail-pop3d/log
    else
      echo "  qmail-pop3d supervise not running"
    fi
    echo "  qmail-pop3d ssl"
    if svok /service/qmail-pop3ds ; then
      svc -u /service/qmail-pop3ds /service/qmail-pop3ds/log
    else
      echo " qmail-pop3d ssl service not running"
    fi
    if [ -d /var/lock/subsys ]; then
      touch /var/lock/subsys/qmail
    fi
    ;;
  stop)
    echo "Stopping qmail..."
    echo "  qmail-smtpd"
    svc -d /service/qmail-smtpd /service/qmail-smtpd/log
    echo "  qmail-smtpd ssl"
    svc -d /service/qmail-smtpds /service/qmail-smtpds/log
    echo "  qmail-send"
    svc -d /service/qmail-send /service/qmail-send/log
    echo "  qmail-pop3d"
    svc -d /service/qmail-pop3d /service/qmail-pop3d/log
    echo "  qmail-pop3d ssl"
    svc -d /service/qmail-pop3ds /service/qmail-pop3ds/log
    if [ -f /var/lock/subsys/qmail ]; then
      rm /var/lock/subsys/qmail
    fi
    ;;
  stat)
    svstat /service/qmail-send
    svstat /service/qmail-send/log
    svstat /service/qmail-smtpd
    svstat /service/qmail-smtpd/log
    svstat /service/qmail-smtpds
    svstat /service/qmail-smtpds/log
    svstat /service/qmail-pop3d
    svstat /service/qmail-pop3d/log
    svstat /service/qmail-pop3ds
    svstat /service/qmail-pop3ds/log
    qmail-qstat
    ;;
  doqueue|alrm|flush)
    echo "Flushing timeout table and sending ALRM signal to qmail-send."
    /var/qmail/bin/qmail-tcpok
    svc -a /service/qmail-send
    ;;
  queue)
    qmail-qstat
    qmail-qread
    ;;
  reload|hup)
    echo "Sending HUP signal to qmail-send."
    svc -h /service/qmail-send
    ;;
  pause)
    echo "Pausing"
    echo "  qmail-send"
    svc -p /service/qmail-send
    echo "  qmail-smtpd"
    svc -p /service/qmail-smtpd
    echo "  qmail-smtpd ssl"
    svc -p /service/qmail-smtpds
    echo "  qmail-pop3d"
    svc -p /service/qmail-pop3d
    echo "  qmail-pop3d ssl"
    svc -p /service/qmail-pop3ds
    ;;
  cont)
    echo "Continuing"
    echo "  qmail-send"
    svc -c /service/qmail-send
    echo "  qmail-smtpd"
    svc -c /service/qmail-smtpd
    echo "  qmail-smtpd ssl"
    svc -c /service/qmail-smtpds
    echo "  qmail-pop3d"
    svc -c /service/qmail-pop3d
    echo "  qmail-pop3ds"
    svc -c /service/qmail-pop3ds
    ;;
  restart)
    echo "Restarting qmail:"
    echo "* Stopping qmail-smtpd."
    svc -d /service/qmail-smtpd /service/qmail-smtpd/log
    echo "* Stopping qmail-smtpd ssl."
    svc -d /service/qmail-smtpds /service/qmail-smtpds/log
    echo "* Sending qmail-send SIGTERM and restarting."
    svc -t /service/qmail-send /service/qmail-send/log
    echo "* Restarting qmail-smtpd."
    svc -u /service/qmail-smtpd /service/qmail-smtpd/log
    echo "* Restarting qmail-smtpd ssl."
    svc -u /service/qmail-smtpds /service/qmail-smtpds/log
    echo "* Restarting qmail-pop3d."
    svc -t /service/qmail-pop3d /service/qmail-pop3d/log
    echo "* Restarting qmail-pop3ds."
    svc -t /service/qmail-pop3ds /service/qmail-pop3ds/log
    ;;
  cdb)
    tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp
    chmod 644 /etc/tcp.smtp.cdb
    echo "Reloaded /etc/tcp.smtp."
    ;;
  help)
    cat <<HELP
   stop -- stops mail service (smtp connections refused, nothing goes out)
  start -- starts mail service (smtp connection accepted, mail can go out)
  pause -- temporarily stops mail service (connections accepted, nothing leaves)
   cont -- continues paused mail service
   stat -- displays status of mail service
    cdb -- rebuild the tcpserver cdb file for smtp
restart -- stops and restarts smtp, sends qmail-send a TERM & restarts it
doqueue -- schedules queued messages for immediate delivery
reload -- sends qmail-send HUP, rereading locals and virtualdomains
  queue -- shows status of queue
   alrm -- same as doqueue
  flush -- same as doqueue
    hup -- same as reload
HELP
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|doqueue|flush|reload|stat|pause|cont|cdb|queue|help}"
    exit 1
    ;;
esac
exit 0


At this point both of the services above should already be running, but let's restart once anyway:
# qmailctl stop
# qmailctl start
# qmailctl stat

/service/qmail-send: up (pid 9196) 3561 seconds
/service/qmail-send/log: up (pid 9197) 3561 seconds
/service/qmail-smtpd: up (pid 9200) 3561 seconds
/service/qmail-smtpd/log: up (pid 9202) 3561 seconds
/service/qmail-smtpds: up (pid 9205) 3561 seconds
/service/qmail-smtpds/log: up (pid 9207) 3561 seconds
/service/qmail-pop3d: up (pid 9210) 3561 seconds
/service/qmail-pop3d/log: up (pid 9214) 3561 seconds
/service/qmail-pop3ds: up (pid 9217) 3561 seconds
/service/qmail-pop3ds/log: up (pid 9220) 3561 seconds
messages in queue: 2
messages in queue but not yet preprocessed: 27
# The above is the output of qmailctl stat. The uptime should be greater than 1 second; if it flips between 0 seconds and 1 second, there is an error in the run file, so look at the error messages in the log. Debugging methods:
  • # ps -efl | grep "service errors" | grep -v grep
    4 S root      5631  5626  0  75   0 -   303 pipe_w Sep01 ?        00:00:00 readproctitle service errors: .........
  • # telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 c2forum.net ESMTP
    ehlo
    250-your.domain.com
    250-AUTH LOGIN CRAM-MD5 PLAIN
    250-AUTH=LOGIN CRAM-MD5 PLAIN
    250-PIPELINING
    250 8BITMIME
    auth login
    334 VXNlcm5hbWU6
    quit
  • # telnet localhost 110
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    +OK <1520.11887344591214@your.domain.com>
    user albert
    +OK
    pass albert
    +OK
    list
    +OK
    1 2734
    2 31807
    3 34957
    4 20644
    5 27798
    6 26584
    .
    quit
  • # openssl s_client -connect localhost:465
    (after running this there is a large block of certificate-related output, omitted here; only the last line is copied. From here on the test is the same as telnet localhost 25)
    220 your.domain.com ESMTP
  • # openssl s_client -connect localhost:995
    (after running this there is a large block of certificate-related output, omitted here; only the last line is copied. From here on the test is the same as telnet localhost 110)
    +OK <1872.1188791523434@your.domain.com>
  • Check the main logs, which are:
    • /var/log/qmail/current
    • /var/log/qmail/pop3d/current
    • /var/log/qmail/pop3ds/current
    • /var/log/qmail/smtpd/current
    • /var/log/qmail/smtpds/current
    • You can also add the following two settings to /etc/stunnel/smtp.conf and pop3.conf to produce detailed debug logs.
      debug = 7
      output = /var/log/qmail/stunnel.log
Problems you may run into:
  • If you copy and paste, be very careful: line endings can change when you paste into a telnet client, because the DOS and Unix formats differ. Pay particular attention to the line break after the interpreter declaration on the first line of the run file.
  • tcpserver: fatal: no IP address for your.domain.com
    This means the port is already occupied by another process; either stop that process or change the port.
  • Wrong permissions on /var/qmail/control/servercert.pem
    Set the mode of servercert.pem to 600.
  • The trailing " /bin/true" at the end of /etc/stunnel/smtp.conf must not be forgotten; otherwise the client will report that authentication failed.
  • SSL certificate problem: because the certificate is self-signed, the client will warn about it. Two ways around this: 1. buy a certificate issued by a recognised CA (very expensive; many domestic CAs are cheap for domestic scope, international scope is a different story). 2. rename the servercert.pem file to the .crt or .cer format, then import it on the client machine through IE's Internet Options, choosing automatic store selection.
If you have questions, feel free to leave a comment on my blog.


Edited a bit; I forgot to tick "Disable Smilies" earlier, so a lot of the content turned into smilies.

[Last edited by amtd on 2007-9-3 13:36]

Reply #2, posted 2007-09-03 14:13
The post's formatting got a bit messed up. Nothing to be done about it.

Reply #3, posted 2007-09-25 05:18

Authentication problem?

I can send mail without stunnel; after adding stunnel following the method above, I got "stunnel-ed":

The message could not be sent because the server rejected one of the recipients. The rejected e-mail address was "xue@chinats.net". Subject 'test', Account: 'xue@chinats.net', Server: 'mail1.chinats.net', Protocol: SMTP, Server Response: 'CHKUSER relaying rcpt: from <xue@chinats.netue@chinats.net:> remote <xuedesk:unknown:192.168.1.102> rcpt <xue@chinats.net> : client allowed to relay', Port: 465, Secure (SSL): Yes, Error Number: 0x800CCC79


run:  


#!/bin/sh
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
LOCAL=`head -1 /var/qmail/control/me`
if [ -z "$QMAILDUID" -o -z "$NOFILESGID" -o -z "$MAXSMTPD" -o -z "$LOCAL" ]
then
    echo QMAILDUID, NOFILESGID, MAXSMTPD, or LOCAL is unset in
    echo /var/qmail/supervise/qmail-smtpds/run
    exit 1
fi
if [ ! -f /var/qmail/control/rcpthosts ]
then
    echo "No /var/qmail/control/rcpthosts!"
    echo "Refusing to start SMTP listener because it'll create an open relay"
    exit 1
fi
exec /usr/local/bin/softlimit -m 20000000 \
        /usr/local/bin/tcpserver -v -R -H -l "$LOCAL" -x /home/vpopmail/etc/tcp.smtp.cdb -c "$MAXSMTPD" \
       -u 89 -g 89 0 465 \
        /sbin/stunnel /etc/stunnel/smtps.conf 2>&1



smtps.conf  :


# /etc/stunnel/smtps.conf
cert = /var/qmail/control/servercert.pem
#key = /var/qmail/control/clientcert.pem
exec = /var/qmail/bin/qmail-smtpd
# stunnel hands execargs straight to execvp(), not to a shell, so a trailing
# "2>&1" would reach qmail-smtpd as a literal argument; it is dropped here
execargs = qmail-smtpd /home/vpopmail/bin/vchkpw /bin/true

Could an expert please take a look?

Reply #4, posted 2008-05-05 16:09
Thanks, OP.

Reply #5, posted 2009-07-10 16:16
I have set it up successfully, thank you.

I do have a question, though. My qmail server has several mail domains. If every domain needs SSL POP3 for collecting mail, do I need to copy the SSL certificates of all the domain names into the servercert.pem file?

I tested this and it does not seem to work properly. Thanks for any advice.

Reply #6, posted 2010-10-26 18:04
My pop3 works, but smtp has a problem:

openssl s_client -connect localhost:465
CONNECTED(00000003)
write:errno=104
——————————————————
Log:
ok 5576 meis.com.cn:127.0.0.1:465 localhost:127.0.0.1::48487
Snagged 64 random bytes from /dev/urandom
RAND_status claims sufficient entropy for the PRNG
PRNG seeded successfully
Certificate: /var/qmail/control/servercert.pem
Error reading certificate file: /var/qmail/control/servercert.pem
error stack: 140DC002 : error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib
error stack: 20074002 : error:20074002:BIO routines:FILE_CTRL:system lib
SSL_CTX_use_certificate_chain_file: 200100D: error:0200100D:system library:fopenermission denied

———————————————————
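As an added example (not code from the original post, nor from stunnel or qmail), here is a small Python pre-flight check for the certificate file an inetd-mode stunnel config points at. It covers the "Wrong permissions on /var/qmail/control/servercert.pem" item in the troubleshooting list of post #1 (the file must be mode 600), the "fopen: Permission denied" in reply #6 above (the file must also be readable by the uid that tcpserver switches to with -u/-g before exec'ing stunnel; the post's chown vpopmail:qmail covers this if 89 is vpopmail's uid, which is an assumption), and the literal 2>&1 in reply #3's execargs (stunnel passes execargs to execvp, not to a shell). The temp-directory layout, the placeholder PEM and the uid values are constructed for the example; run_scenario writes them out and removes them again.

```python
# Added example, not code from the original post or from stunnel/qmail.
# Checks the cert file an stunnel inetd-mode config will load the way
# tcpserver + stunnel would see it: mode bits, readability by the dropped
# uid/gid, and presence of both PEM blocks (stunnel's key= defaults to cert=).
import os
import re
import shutil
import stat
import tempfile

MY_UID = os.getuid()  # uid this check runs as; the scenarios below use it

# Constructed placeholder PEM with the layout produced by
# `openssl req -x509 -nodes -keyout servercert.pem -out servercert.pem`
# (key and certificate in one file). The bodies are dummies, not key material.
SAMPLE_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MIIBOgIBAAJBAK0placeholderkeybodyNOTAREALKEY000000000000000000=\n"
    "-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBszCCAV2gAwIBAgIJAplaceholdercertbodyNOTAREALCERT0000000000=\n"
    "-----END CERTIFICATE-----\n"
)

def parse_stunnel_conf(text):
    """stunnel 4.x 'option = value' lines; '#' comments and [sections] skipped."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        opts[key.strip()] = value.strip()
    return opts

def readable_by(st, uid, gid):
    """Could a process running as uid/gid open this file for reading?"""
    mode = stat.S_IMODE(st.st_mode)
    if uid == 0:
        return True  # root bypasses the mode bits
    if st.st_uid == uid:
        return bool(mode & stat.S_IRUSR)
    if gid is not None and st.st_gid == gid:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def check_pem_file(path, need, run_uid, run_gid=None):
    """need: PEM block names ('CERTIFICATE', 'PRIVATE KEY') the file must hold."""
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["%s: missing" % path]
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:  # stunnel refuses a group/world-accessible key file
        problems.append("%s: mode %04o is group/world accessible; chmod 600 it" % (path, mode))
    if not readable_by(st, run_uid, run_gid):
        problems.append("%s: not readable by uid %d (owner uid %d, mode %04o); stunnel "
                        "will log 'fopen: Permission denied'" % (path, run_uid, st.st_uid, mode))
    with open(path, "rb") as f:
        data = f.read()
    for block in need:
        # accept "RSA PRIVATE KEY" / "EC PRIVATE KEY" as well as plain "PRIVATE KEY"
        if not re.search(rb"-----BEGIN (RSA |EC )?" + block.encode() + rb"-----", data):
            problems.append("%s: no %s block" % (path, block))
    return problems

def check_stunnel_setup(conf_path, run_uid, run_gid=None):
    """Return the problems found for one inetd-mode stunnel config (empty list = OK)."""
    with open(conf_path) as f:
        opts = parse_stunnel_conf(f.read())
    cert = opts.get("cert")
    if cert is None:
        return ["%s: no cert= option" % conf_path]
    key = opts.get("key", cert)  # stunnel: key defaults to the cert file
    if key == cert:
        problems = check_pem_file(cert, ["CERTIFICATE", "PRIVATE KEY"], run_uid, run_gid)
    else:
        problems = (check_pem_file(cert, ["CERTIFICATE"], run_uid, run_gid)
                    + check_pem_file(key, ["PRIVATE KEY"], run_uid, run_gid))
    # execargs goes to execvp(), not a shell: "2>&1" would be a literal argument
    if any(tok in opts.get("execargs", "").split() for tok in ("2>&1", ">", "|")):
        problems.append("%s: execargs contains shell redirection; stunnel does not use a shell" % conf_path)
    return problems

def run_scenario(mode, run_uid, execargs="qmail-smtpd /home/vpopmail/bin/vchkpw /bin/true"):
    """Write a constructed smtp.conf + servercert.pem into a temp dir and check them."""
    tmp = tempfile.mkdtemp()
    try:
        pem = os.path.join(tmp, "servercert.pem")
        with open(pem, "w") as f:
            f.write(SAMPLE_PEM)
        os.chmod(pem, mode)
        conf = os.path.join(tmp, "smtp.conf")
        with open(conf, "w") as f:
            f.write("# constructed copy of /etc/stunnel/smtp.conf\n"
                    "cert = %s\nexec = /var/qmail/bin/qmail-smtpd\nexecargs = %s\n" % (pem, execargs))
        return check_stunnel_setup(conf, run_uid)
    finally:
        shutil.rmtree(tmp)

if __name__ == "__main__":
    print("0600, same uid      :", run_scenario(0o600, MY_UID))
    print("0644, same uid      :", run_scenario(0o644, MY_UID))
    print("0600, dropped to 89 :", run_scenario(0o600, 89))
```

Run it against the real files with check_stunnel_setup("/etc/stunnel/smtp.conf", 89, 89) (or whatever -u/-g the smtpds run file uses); the pop3ds run file in post #1 has no -u/-g, so for pop3.conf the uid is 0 and only the mode check applies.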

Reply #7, posted 2011-12-24 08:50
Bumping this thread again; I have actually run into the same problem as the poster above. I wonder whether the OP solved it.