May 19, 2006
OpenSSH quick compile-and-install howto
Anyone who wants to be a competent Linux administrator has to keep OpenSSH upgraded. telnet was retired long ago because of its security problems, but the OpenSSH that ships with some systems is itself very old, and several of those versions carry serious vulnerabilities, so it is worth showing how to upgrade OpenSSH on top of the existing system.
First find the OpenSSH that came with the system:
rpm -qa | grep openssh
Remove the packages you find without hesitation; they are generally far too old and carry known vulnerabilities. Two precautions first: back up /etc/ssh (sshd_config and the host keys) so the new build can keep the same host keys, and if you are doing this over SSH keep that session open until the new sshd has been started and verified. The package's uninstall script may stop the running daemon; your existing connection survives that, but no new logins are possible until the new sshd is up.
Then download the latest OpenSSH from www.openssh.com; the version compiled here is OpenSSH_4.3p2.
After downloading and unpacking, build it with the following options:
./configure \
--bindir=/usr/bin \
--sbindir=/usr/sbin \
--sysconfdir=/etc/ssh \
--libexecdir=/usr/libexec/openssh \
--with-tcp-wrappers \
--with-rsh=/usr/bin/rsh \
--with-privsep-path=/var/empty/sshd \
--disable-strip \
--with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
make
make install
Copy the service script:
cp contrib/redhat/sshd.init /etc/rc.d/init.d/sshd
That is all there is to the installation.
Then edit the server configuration:
vi /etc/ssh/sshd_config
PermitRootLogin no
    refuses direct root logins
PasswordAuthentication no
    I log in with a key, so plain password login is turned off here
sshd uses the first uncommented occurrence of each keyword, so make sure no earlier line in the file sets either option differently, and run /usr/sbin/sshd -t to check the file for syntax errors before restarting the service. For the key-based login setup see:
Using SSH keys with SecureCRT on Linux
Supplement on using ssh2 with SecureCRT
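The two sshd_config settings above only take effect if no earlier line in the file already sets them, because sshd honours the first uncommented occurrence of a keyword. The Python checker below is an added example, not part of the original post: it resolves the effective value the way sshd does and reports whichever of the two settings is not in the recommended state. The function names, the embedded sample config and the DEFAULTS table (OpenSSH 4.3 defaults both keywords to yes) are this example's own assumptions.

```python
"""Audit sshd_config the way sshd reads it: first uncommented match wins.

Added example, not part of the original post. Function names, the sample
config and the DEFAULTS table are this example's own assumptions.
"""
import re

# Values sshd (OpenSSH 4.3) assumes when the keyword is absent.
DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes"}
# Values the post recommends.
WANTED = {"permitrootlogin": "no", "passwordauthentication": "no"}

# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
_LINE = re.compile(r"^\s*([A-Za-z]+)(?:\s*=\s*|\s+)(\S.*?)\s*$")


def effective_settings(config_text):
    """Return {keyword: value} as sshd resolves it.

    Only the first uncommented occurrence of a keyword counts; anything
    after a Match header (OpenSSH 4.4+) is conditional and is ignored.
    """
    found = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break
        found.setdefault(key, value)   # keep the first, drop later ones
    return found


def audit(config_text):
    """List (keyword, effective_value) for settings not in the wanted state."""
    eff = effective_settings(config_text)
    problems = []
    for key, want in WANTED.items():
        have = eff.get(key, DEFAULTS[key])
        if have.lower() != want:
            problems.append((key, have))
    return problems


# Constructed sample: the hardened lines were appended at the bottom, but
# an earlier PasswordAuthentication line still wins.
SAMPLE = """\
Port 22
# PermitRootLogin no   <- commented out, does not count
PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no
"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE):
        print("WARN: %s is effectively '%s'" % (key, value))
```

Run it against the real file with audit(open("/etc/ssh/sshd_config").read()); an empty list means both settings are in force.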
May 12, 2006
Compiling and installing amavisd-new + clamav + SpamAssassin under postfix
A few days ago I described installing postfix + cyrus-sasl2 + courier-authlib + Courier-IMAP + postfixadmin and maildrop, which gives a basic working mail system. Today I continue with adding virus and spam filtering to that postfix system.
1. Install clamav
wget http://keihanna.dl.sourceforge.net/sourceforge/clamav/clamav-0.88.tar.gz
groupadd clamav
useradd -g clamav -s /bin/false -d /dev/null clamav
./configure --prefix=/usr/local/clamav --with-dbdir=/usr/local/share/clamav
make
make check
make install
vi /usr/local/clamav/etc/clamd.conf
LogSyslog
LogVerbose
LogFacility LOG_MAIL
LogFile /var/log/clamav/clamd.log
PidFile /var/run/clamav/clamd.pid
DatabaseDirectory /usr/local/share/clamav
LocalSocket /var/run/clamav/clamd
StreamMaxLength 10M
User amavis
ScanMail
ScanArchive
ScanRAR
vi /usr/local/clamav/etc/freshclam.conf
DatabaseDirectory /usr/local/share/clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogSyslog
LogVerbose
DatabaseOwner amavis
Checks 12
DatabaseMirror db.CN.clamav.net
DatabaseMirror database.clamav.net
NotifyClamd
Note: comment out the line that reads Example in both files, otherwise neither clamd nor freshclam will run.
Add the amavis user and group; clamd runs as this user (User amavis above) so that it can read the files amavisd hands it:
groupadd amavis
useradd -g amavis -s /bin/false -c "Amavis User" -d /dev/null amavis
Create the log directory and set its permissions:
mkdir /var/log/clamav
chmod -R 744 /var/log/clamav
chown -R amavis:amavis /var/log/clamav
chown -R amavis:amavis /usr/local/share/clamav
mkdir /var/run/clamav
chmod 700 /var/run/clamav
chown amavis:amavis /var/run/clamav
Update the virus database by hand:
/usr/local/clamav/bin/freshclam
Schedule automatic updates. The entry below has a user field (root), so it belongs in /etc/crontab or a file under /etc/cron.d; a per-user crontab opened with crontab -e has no user field, and that word would be taken as the start of the command:
vi /etc/crontab
0 4 * * * root /usr/local/clamav/bin/freshclam --quiet -l /var/log/clamd.log
Start clamd:
# /usr/local/clamav/sbin/clamd
2. Install amavisd
wget http://www.ijs.si/software/amavisd/amavisd-new-2.4.1.tar.gz
Upgrade file first; check the version with file -v, amavisd needs 4.06 or newer:
wget ftp://ftp.astron.com/pub/file/file-4.17.tar.gz
Install the following Perl modules, all of which amavisd needs:
perl -MCPAN -e shell
cpan>install Archive::Tar
cpan>install Archive::Zip
cpan>install Compress::Zlib
cpan>install Convert::UUlib
cpan>install MIME::Base64
cpan>install Mail::Internet
cpan>install Net::Server
cpan>install Net::SMTP
cpan>install Digest::MD5
cpan>install IO::Stringy
cpan>install Time::HiRes
cpan>install Unix::Syslog
cpan>install BerkeleyDB
cpan>install Convert::TNEF
cpan>install MIME::Parser
cpan>install MIME::Tools
Upgrade perl to a current release; amavisd wants at least 5.8.2:
wget http://www.perl.com/CPAN/src/stable.tar.gz
tar zvxf stable.tar.gz
cd perl-5.8.8
./configure.gnu --prefix=/usr -Dpager="/bin/less -isR"
make
make test
make install
Run make test first and only install if it passes. Note that --prefix=/usr replaces the system perl, which may break other perl applications on the machine, so upgrade with care; the 5.8.0 that Red Hat 9.0 ships should generally be fine as well.
mkdir -p /var/amavis /var/amavis/tmp /var/amavis/var /var/amavis/db /var/amavis/home
chown -R amavis:amavis /var/amavis
chmod -R 750 /var/amavis
cp amavisd /usr/local/sbin/
chown root /usr/local/sbin/amavisd
chmod 755 /usr/local/sbin/amavisd
cp amavisd.conf /etc/
chown root /etc/amavisd.conf
chmod 644 /etc/amavisd.conf
mkdir /var/virusmails
chown amavis:amavis /var/virusmails
chmod 750 /var/virusmails
#=====================================
Edit /etc/amavisd.conf:
$mydomain = 'example.com';
$virus_admin = "postmaster\@$mydomain"; # notifications recip.
$mailfrom_notify_admin = "postmaster\@$mydomain"; # notifications sender
$mailfrom_notify_recip = "postmaster\@$mydomain"; # notifications sender
$mailfrom_notify_spamadmin = "postmaster\@$mydomain"; # notifications sender
$mailfrom_to_quarantine = ''; # null return path; uses original sender if undef
Add ClamAV support by putting this entry in the @av_scanners list:
# ### http://www.clamav.net/
['ClamAV-clamd',
\&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
qr/\bOK$/, qr/\bFOUND$/,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
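The @av_scanners entry above is a small wire protocol: amavisd writes CONTSCAN <path> to the clamd socket and classifies the reply with those three patterns. The Python client below is an added example, not code from amavisd-new or ClamAV, that speaks the same protocol so you can exercise clamd from the command line before wiring it into amavisd. The socket path is the LocalSocket configured above; the function names and the sample replies are constructed for this example.

```python
"""Speak clamd's socket protocol the way the amavisd.conf entry above does.

Added example, not code from amavisd-new or ClamAV. CLAMD_SOCKET is the
LocalSocket configured above; function names and sample replies are
this example's own.
"""
import re
import socket

CLAMD_SOCKET = "/var/run/clamav/clamd"

# The three patterns from the ['ClamAV-clamd', ...] entry, as Python regexes.
RE_CLEAN = re.compile(r"\bOK$")
RE_INFECTED = re.compile(r"\bFOUND$")
RE_VIRUS_NAME = re.compile(r"^.*?: (?!Infected Archive)(.*) FOUND$")


def parse_clamd_reply(reply):
    """Classify a CONTSCAN reply (one "<path>: <result>" line per file).

    Returns ("infected", [names]) if any line ends in FOUND,
    ("clean", []) if every line ends in OK, and ("error", lines) for
    anything else, e.g. an ERROR line or an empty reply. The last case is
    a scanner failure, never a clean verdict.
    """
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    if not lines:
        return "error", []
    names = []
    infected = False
    for ln in lines:
        if RE_INFECTED.search(ln):
            infected = True
            m = RE_VIRUS_NAME.match(ln)
            if m:
                names.append(m.group(1))
    if infected:
        return "infected", names
    if all(RE_CLEAN.search(ln) for ln in lines):
        return "clean", []
    return "error", lines


def clamd_scan(path, sock_path=CLAMD_SOCKET, timeout=60):
    """Ask clamd to CONTSCAN path (a file or directory) and classify the reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        s.sendall(("CONTSCAN %s\n" % path).encode())
        chunks = []
        while True:           # clamd closes the connection when it is done
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_clamd_reply(b"".join(chunks).decode("utf-8", "replace"))


# Constructed replies in clamd's CONTSCAN output format.
REPLY_CLEAN = ("/var/amavis/tmp/amavis-1/parts/p001: OK\n"
               "/var/amavis/tmp/amavis-1/parts/p002: OK\n")
REPLY_INFECTED = ("/var/amavis/tmp/amavis-1/parts/p001: OK\n"
                  "/var/amavis/tmp/amavis-1/parts/p002: Eicar-Test-Signature FOUND\n")
REPLY_ERROR = "/var/amavis/tmp/amavis-1/parts: lstat() failed: Permission denied. ERROR\n"

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/amavis/tmp"
    print(clamd_scan(target))
```

Run clamd_scan() as the amavis user: with CONTSCAN it is clamd, not amavisd, that opens the files, which is why clamd.conf above runs it as User amavis and /var/amavis is mode 750. A reply of ERROR (as in REPLY_ERROR, the typical symptom when those permissions are wrong) or an empty reply is reported as a scanner failure, which is also how amavisd treats it rather than letting the message through as clean.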
3. Install SpamAssassin
perl -MCPAN -e shell
cpan>install Digest::SHA1
cpan>install HTML::Parser
cpan>install Net::DNS
cpan>install Mail::SPF::Query
cpan>install IP::Country
cpan>install Net::Ident
cpan>install IO::Socket::INET6
cpan>install IO::Socket::SSL
cpan>install DBI
cpan>install LWP::UserAgent
cpan>install Mail::SpamAssassin
I will not cover SpamAssassin configuration here; if you want some pointers, my other blog notes have them.
Test amavisd in the foreground:
# /usr/local/sbin/amavisd debug
Start and stop the service:
# /usr/local/sbin/amavisd start|stop
4. Make postfix use amavisd
Add to main.cf (/usr/local/etc/postfix/main.cf here; if you installed postfix as in the earlier post it is /etc/postfix/main.cf):
content_filter = smtp-amavis:[127.0.0.1]:10024
Add to master.cf in the same directory. The -o lines must begin with whitespace, which marks them as continuations of the service entry above them:
smtp-amavis unix - - n - 2 smtp
    -o smtp_data_done_timeout=1200
    -o disable_dns_lookups=yes
127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
The empty content_filter on the 10025 listener is what stops mail re-injected by amavisd from being sent through the filter a second time, and mynetworks=127.0.0.0/8 together with permit_mynetworks,reject keeps that port from being used as a relay by anything other than the local amavisd.
#============================================
References
http://www.xjtusky.com/article.asp?id=109
http://genco.gen.tc/postfix_virtual.php#amavisdclamav
http://www.toping.net/bbs/htm_data/10/0602/1042.html
http://www.freespamfilter.org/FC4.html
May 10, 2006
Maildrop installation and debugging notes
groupadd vmail -g 1001
useradd vmail -u 1001 -g 1001
wget http://internap.dl.sourceforge.net/sourceforge/courier/maildrop-2.0.2.tar.bz2
tar jvxf maildrop-2.0.2.tar.bz2
./configure --enable-sendmail=/usr/sbin/sendmail --enable-trusted-users='root vmail' --enable-syslog=1 --enable-maildirquota --enable-maildrop-uid=1001 --enable-maildrop-gid=1001 --with-trashquota --with-dirsync
--enable-maildrop-uid and --enable-maildrop-gid are the uid and gid of the vmail user and group created above (1001/1001).
make
make install
Note for a source-built courier-authlib: link the courierauthconfig command into /usr/bin. Assuming it is installed as
/usr/local/courier-authlib/bin/courierauthconfig, run:
ln -s /usr/local/courier-authlib/bin/courierauthconfig /usr/bin/courierauthconfig
Only then will the maildrop you build report "Courier Authentication Library extension enabled."
maildrop -v
maildrop 2.0.2 Copyright 1998-2005 Double Precision, Inc.
GDBM extensions enabled.
Courier Authentication Library extension enabled.
Maildir quota extension enabled.
This program is distributed under the terms of the GNU General Public
License. See COPYING for additional information.
If "Courier Authentication Library extension enabled." is not shown, your maildrop does not support courier auth yet; check the steps above carefully and rebuild.
I suggest not installing maildrop under a custom prefix; it avoids unnecessary trouble and makes removal easy, since a plain make uninstall in the source directory you built in takes it out again.
Configure main.cf and master.cf so that postfix delivers through maildrop:
========================
vi /etc/postfix/main.cf
virtual_transport = maildrop
maildrop_destination_recipient_limit = 1
========================
vi /etc/postfix/master.cf
maildrop unix - n n - - pipe
    flags=DRhu user=vmail argv=/usr/local/bin/maildrop -w 90 -d ${user}@${nexthop} ${recipient} ${user} ${extension} ${nexthop}
The flags= line must be indented, since it continues the maildrop entry; recipient, user, extension and nexthop are passed to maildrop as separate arguments.
Checking that maildrop works:
Send a message from another mailbox to the address you just created and look for a log entry like
May 10 07:21:05 mail postfix/pipe[13994]: 78DCC156AE7: to=<frank@domain.com>, relay=maildrop, delay=0, status=sent (domain.com)
relay=maildrop together with status=sent and no errors in the log means maildrop is delivering correctly.
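The check above is easy to script. The Python below is an added example, not part of the original post: it parses the key=value fields postfix writes on each postfix/pipe delivery line and reports every delivery that either was not handed to the maildrop transport or did not end with status=sent. The first sample line is the one quoted above; the other two are constructed, as are the function names.

```python
"""Confirm maildrop deliveries from postfix/pipe log lines.

Added example, not part of the original post. The first SAMPLE_LOG line
is the one quoted above; the others are constructed. Function names are
this example's own.
"""
import re

# "... postfix/pipe[PID]: QUEUEID: key=value, key=value, ..."
_PIPE = re.compile(r"postfix/pipe\[\d+\]: (?P<queue_id>[0-9A-Za-z]+): (?P<fields>.*)$")
# status is always last and may carry a reason in parentheses
_STATUS = re.compile(r"status=(\w+)(?:\s+\((.*)\))?\s*$")
# other fields: either <addr> or a bare token, separated by commas
_FIELD = re.compile(r"(\w+)=(<[^>]*>|\S+)")


def parse_pipe_line(line):
    """Return a dict of the delivery fields, or None for non-pipe lines."""
    m = _PIPE.search(line)
    if not m:
        return None
    rec = {"queue_id": m.group("queue_id")}
    fields = m.group("fields")
    st = _STATUS.search(fields)
    if st:
        rec["status"] = st.group(1)
        rec["reason"] = st.group(2) or ""
        fields = fields[:st.start()]
    for key, value in _FIELD.findall(fields):
        rec[key] = value.strip("<>").rstrip(",")
    return rec


def check_maildrop_deliveries(lines):
    """Return (sent_count, problems).

    problems holds (queue_id, to, relay, status, reason) for every pipe
    delivery that was not relayed through maildrop or did not end sent.
    """
    sent = 0
    problems = []
    for line in lines:
        rec = parse_pipe_line(line)
        if rec is None:
            continue
        if rec.get("relay") == "maildrop" and rec.get("status") == "sent":
            sent += 1
        else:
            problems.append((rec["queue_id"], rec.get("to"), rec.get("relay"),
                             rec.get("status"), rec.get("reason", "")))
    return sent, problems


SAMPLE_LOG = [
    # the line from the post
    "May 10 07:21:05 mail postfix/pipe[13994]: 78DCC156AE7: to=<frank@domain.com>, "
    "relay=maildrop, delay=0, status=sent (domain.com)",
    # constructed: maildrop rejected the recipient
    "May 10 07:22:10 mail postfix/pipe[13995]: 9A1B2C3D4E5: to=<nobody@domain.com>, "
    "relay=maildrop, delay=1, status=bounced (user unknown. Command output: Invalid user specified. )",
    # constructed: unrelated line, ignored by the parser
    "May 10 07:22:11 mail postfix/smtpd[14001]: connect from unknown[192.0.2.10]",
]

if __name__ == "__main__":
    import sys
    source = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin
    sent, problems = check_maildrop_deliveries(source)
    print("sent via maildrop: %d" % sent)
    for p in problems:
        print("PROBLEM: %s to=%s relay=%s status=%s (%s)" % p)
```

Feed it the real log with something like grep postfix/pipe /var/log/maillog | python3 check_maildrop.py; anything listed under PROBLEM is a delivery that did not go the way the log line above does.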
FAQ:
1. The build fails with: configure: error: pcre.h not found - install PCRE from www.pcre.org
Install the pcre-devel package.
May 7, 2006
Notes: postfix + cyrus-sasl2 + courier-authlib + Courier-IMAP + postfixadmin
Last modified: 2006.5.10
1. Install cyrus-sasl-2.x
Remove the old rpm packages and their directories:
rpm -e --nodeps cyrus-sasl-2.1.10-4 cyrus-sasl-plain-2.1.10-4 cyrus-sasl-md5-2.1.10-4 cyrus-sasl-devel-2.1.10-4
rm -rf /usr/lib/sasl
rm -rf /usr/lib/sasl2
wget ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.21.tar.gz
./configure \
  --enable-plain --enable-cram --enable-digest --enable-login --enable-sql \
  --disable-anon --disable-ntlm --disable-gssapi --disable-krb4 --disable-otp --disable-srp --disable-srp-setpass \
  --with-authdaemond=/usr/local/courier-authlib/var/spool/authdaemon/socket \
  --with-mysql=/usr/local/mysql --with-mysql-includes=/usr/local/mysql/include/mysql --with-mysql-libs=/usr/local/mysql/lib/mysql
make
make install
ln -s /usr/local/lib/sasl2 /usr/lib/sasl2
Add /usr/local/lib to /etc/ld.so.conf and run ldconfig.
vi /usr/local/lib/sasl2/smtpd.conf
pwcheck_method: authdaemond
log_level: 3
mech_list: PLAIN LOGIN
authdaemond_path:/usr/local/courier-authlib/var/spool/authdaemon/socket
Be careful not to type a stray space anywhere in this file, especially at the end of a value: a trailing space in authdaemond_path becomes part of the socket path and SMTP authentication fails (see FAQ item 3 at the end). PLAIN and LOGIN both send the password in the clear, so they should only be offered on connections protected by TLS.
2. Compile postfix 2.x
wget ftp://postfix.cn99.com/postfix/official/postfix-2.2.10.tar.gz
tar zvxf postfix-2.2.10.tar.gz
Download the VDA patch, which gives postfix per-mailbox disk quotas:
wget http://web.onda.com.br/nadal/postfix/VDA/postfix-2.2.10-vda.patch.gz
gzip -d postfix-2.2.10-vda.patch.gz
Switch off the sendmail service that comes with the system:
chkconfig --level 2345 sendmail off
Add the users and groups before installing postfix:
groupadd postfix -g 1000
groupadd postdrop
useradd postfix -u 1000 -g postfix -G postdrop
groupadd vmail -g 1001
useradd vmail -u 1001 -g 1001
mkdir /home/mail
chown vmail:vmail /home/mail
chmod -R 771 /home/mail
Apply the patch inside the unpacked postfix-2.2.10 directory:
patch -p1 < ../postfix-2.2.10-vda.patch
make tidy
make makefiles 'CCARGS=-DHAS_MYSQL -I/usr/local/mysql/include/mysql -DUSE_SASL_AUTH -I/usr/local/include/sasl' 'AUXLIBS=-L/usr/local/mysql/lib/mysql -lmysqlclient -lm -lz -L/usr/local/lib -lsasl2'
make
make install
mv /etc/aliases /etc/aliases.old
ln -s /etc/postfix/aliases /etc/aliases
echo 'root: admin@example.com'>>/etc/postfix/aliases
/usr/bin/newaliases
touch /etc/postfix/mysql_virtual_alias_maps.cf
touch /etc/postfix/mysql_virtual_domains_maps.cf
touch /etc/postfix/mysql_virtual_mailbox_maps.cf
touch /etc/postfix/mysql_virtual_limit_maps.cf
vi /etc/postfix/main.cf
Postfix does not allow a comment after a value on the same line (the text would become part of the value), so the explanations are on separate comment lines.
# mail.example.com is the host name of the machine running postfix
myhostname = mail.example.com
# example.com is the domain part of that host name
mydomain = example.com
myorigin = $mydomain
mydestination =
alias_maps = hash:/etc/aliases
# store mail in Maildir format
home_mailbox = Maildir/
#=====================MySQL=====================
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_mailbox_base = /home/mail
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 102400000
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 1001
virtual_uid_maps = static:1001
virtual_gid_maps = static:1001
virtual_transport = virtual
# virtual_uid_maps and virtual_gid_maps are the uid and gid of the vmail user that owns
# /home/mail (1001 here; not the postfix user, which is 1000). virtual_minimum_uid must be
# <= that uid. virtual_mailbox_limit is the size limit for each mailbox in bytes; per-user
# values come from virtual_mailbox_limit_maps below.
#=====================Quota=====================
virtual_create_maildirsize = yes
virtual_mailbox_extended = yes
virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql_virtual_limit_maps.cf
virtual_mailbox_limit_override = yes
virtual_maildir_limit_message = Sorry, the user's maildir has overdrawn his diskspace quota, please try again later.
virtual_overquota_bounce = yes
#virtual_trash_count=yes
#virtual_trash_name=.Trash
#====================SASL======================
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_non_fqdn_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unauth_destination,
reject_unauth_pipelining,
reject_invalid_hostname
#reject_rbl_client opm.blitzed.org,
#reject_rbl_client list.dsbl.org,
#reject_rbl_client bl.spamcop.net,
#reject_rbl_client sbl-xbl.spamhaus.org
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
#=============================================
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/local/man
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
unknown_local_recipient_reject_code = 550
Edit the map files. They contain the database password, so replace the password = postfix placeholder with a real one (the same one the postfix database user was created with) and keep the files readable only by root and the postfix user, e.g. chown root:postfix and chmod 640:
vi /etc/postfix/mysql_virtual_alias_maps.cf
user = postfix
password = postfix
hosts = localhost
dbname = postfix
table = alias
select_field = goto
where_field = address
additional_conditions = AND active = '1'
=================================
vi /etc/postfix/mysql_virtual_domains_maps.cf
user = postfix
password = postfix
hosts = localhost
dbname = postfix
table = domain
select_field = description
where_field = domain
additional_conditions = AND active = '1'
=================================
vi /etc/postfix/mysql_virtual_mailbox_maps.cf
user = postfix
password = postfix
hosts = localhost
dbname = postfix
table = mailbox
select_field = maildir
where_field = username
additional_conditions = AND active = '1'
=================================
vi /etc/postfix/mysql_virtual_limit_maps.cf
user = postfix
password = postfix
hosts = localhost
dbname = postfix
table = mailbox
select_field = quota
where_field = username
additional_conditions = AND active = '1'
Start and stop the postfix service:
/usr/sbin/postfix start
/usr/sbin/postfix stop
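Once postfix is running you can test the whole authentication path (postfix -> cyrus-sasl -> authdaemond -> MySQL) from a plain telnet session on port 25, without any mail client. The helpers below are an added example, not part of the original post: they build the base64 tokens for AUTH PLAIN and AUTH LOGIN, the two mechanisms enabled in smtpd.conf above, and decode a captured PLAIN token. The user name and password are constructed values and the function names are this example's own.

```python
"""Build and decode SMTP AUTH PLAIN / LOGIN tokens for testing by hand.

Added example, not part of the original post. The user name and password
below are constructed.
"""
import base64


def auth_plain_token(username, password, authzid=""):
    """Initial response for "AUTH PLAIN <token>": base64(authzid NUL authcid NUL passwd)."""
    raw = "%s\0%s\0%s" % (authzid, username, password)
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def decode_auth_plain(token):
    """Turn a captured PLAIN token back into (authzid, authcid, password)."""
    parts = base64.b64decode(token).decode("utf-8").split("\0")
    if len(parts) != 3:
        raise ValueError("malformed AUTH PLAIN token")
    return tuple(parts)


def auth_login_tokens(username, password):
    """The two base64 replies a client sends to the 334 Username:/Password: prompts of AUTH LOGIN."""
    return (base64.b64encode(username.encode("utf-8")).decode("ascii"),
            base64.b64encode(password.encode("utf-8")).decode("ascii"))


def telnet_dialogue(hostname, username, password):
    """Lines to paste into 'telnet mail.example.com 25' to test AUTH PLAIN."""
    return [
        "EHLO %s" % hostname,
        "AUTH PLAIN %s" % auth_plain_token(username, password),
        "QUIT",
    ]


if __name__ == "__main__":
    # constructed credentials
    for line in telnet_dialogue("client.example.com", "frank@example.com", "s3cret"):
        print(line)
    print("AUTH LOGIN replies:", auth_login_tokens("frank@example.com", "s3cret"))
```

Paste the printed lines into the telnet session: postfix answers the AUTH line with a 235 reply on success and a 535 reply on failure, and the cyrus-sasl and authdaemond messages from the FAQ at the end show up in the mail log at the same moment. Since the token is only base64, anyone who can read the session recovers the password, which is the reason to put these mechanisms behind TLS.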
3. Compile courier-authlib
wget http://kent.dl.sourceforge.net/sourceforge/courier/courier-authlib-0.58.tar.bz2
tar jvxf courier-authlib-0.58.tar.bz2
./configure \
  --prefix=/usr/local/courier-authlib --without-stdheaderdir \
  --without-authuserdb --without-authpam --without-authldap --without-authpwd --without-authshadow --without-authvchkpw --without-authpgsql --without-authcustom \
  --with-authmysql --with-mysql-libs=/usr/local/mysql/lib/mysql --with-mysql-includes=/usr/local/mysql/include/mysql \
  --with-redhat
One key point:
If courier-authlib is installed in a non-standard location (for example under /usr/local), remember to add --without-stdheaderdir to ./configure; then you will not have to point Courier-IMAP and maildrop at courier-authlib's library location by hand when you build them later.
make
make install
make install-configure
Add /usr/local/courier-authlib/lib/courier-authlib to /etc/ld.so.conf and run ldconfig.
chmod +x /usr/local/courier-authlib/var/spool/authdaemon
(the socket directory has to be traversable by the smtpd and imapd/pop3d processes that connect to authdaemond; see FAQ item 2 below)
vi /usr/local/courier-authlib/etc/authlib/authdaemonrc   (can be left unchanged)
authmodulelist="authmysql"
authmodulelistorig="authmysql"
daemons=10
vi /usr/local/courier-authlib/etc/authlib/authmysqlrc
MYSQL_SERVER localhost
MYSQL_USERNAME postfix
MYSQL_PASSWORD yourpassword
MYSQL_SOCKET /tmp/mysql.sock
MYSQL_DATABASE postfix
MYSQL_USER_TABLE mailbox
MYSQL_CRYPT_PWFIELD password
MYSQL_UID_FIELD 1001
MYSQL_GID_FIELD 1001
MYSQL_LOGIN_FIELD username
# the directory where postfix stores the mailboxes
MYSQL_HOME_FIELD '/home/mail/'
MYSQL_NAME_FIELD name
MYSQL_MAILDIR_FIELD maildir
MYSQL_QUOTA_FIELD quota
MYSQL_WHERE_CLAUSE active='1'
Start courier-authlib:
/usr/local/courier-authlib/sbin/authdaemond start
4. Compile and install Courier-IMAP
wget http://surfnet.dl.sourceforge.net/sourceforge/courier/courier-imap-4.1.0.tar.bz2
tar jvxf courier-imap-4.1.0.tar.bz2
./configure --prefix=/usr/local/courier-imap --with-redhat --enable-unicode --disable-root-check --with-trashquota --without-ipv6 CPPFLAGS='-I/usr/local/courier-authlib/include' COURIERAUTHCONFIG='/usr/local/courier-authlib/bin/courierauthconfig'
CPPFLAGS='-I/usr/local/courier-authlib/include' must be given when courier-authlib was not installed in its default location; if you built courier-authlib with --without-stdheaderdir it can be left out.
make
make install
cp /usr/local/courier-imap/etc/imapd.dist /usr/local/courier-imap/etc/imapd
cp /usr/local/courier-imap/etc/imapd-ssl.dist /usr/local/courier-imap/etc/imapd-ssl
cp /usr/local/courier-imap/etc/pop3d.dist /usr/local/courier-imap/etc/pop3d
cp /usr/local/courier-imap/etc/pop3d-ssl.dist /usr/local/courier-imap/etc/pop3d-ssl
Configure Courier-IMAP to provide POP3:
vi /usr/local/courier-imap/etc/pop3d
POP3DSTART=yes
Note: to offer IMAP as well, set IMAPDSTART=yes in /usr/local/courier-imap/etc/imapd.
cp courier-imap.sysvinit /etc/rc.d/init.d/imapd
chmod 755 /etc/rc.d/init.d/imapd
chkconfig --add imapd
5. Install postfixadmin
wget http://high5.net/postfixadmin/download.php?file=postfixadmin-2.1.0.tgz
tar -zxvf postfixadmin-2.1.0.tgz
Rename the unpacked directory and move it under the web root, for example /var/www:
cd /var/www/postfixadmin
chmod 640 *.php *.css
cd /var/www/postfixadmin/admin
chmod 640 *.php .ht*
cd /var/www/postfixadmin/images/
chmod 640 *.gif *.png
cd /var/www/postfixadmin/languages/
chmod 640 *.lang
cd /var/www/postfixadmin/templates/
chmod 640 *.tpl
cd /var/www/postfixadmin/users/
chmod 640 *.php
Import the database schema (the file also creates the postfix MySQL user; set its password there and use the same one in the postfix map files and authmysqlrc):
mysql -uroot -p < DATABASE_MYSQL.TXT
Then open:
http://yourdomain/postfixadmin/
6. FAQ:
1. authentication error: Input/output error
Most likely authdaemond failed while querying MySQL. Turn on debugging in authdaemonrc:
DEBUG_LOGIN=2 (the default is 0)
then watch /var/log/messages or /var/log/maillog while a login fails and follow the hints there to find where the problem is.
2. warning: SASL authentication failure: cannot connect to Courier authdaemond: Permission denied
Check that the directory holding authdaemond's socket and its parent directories are accessible to smtpd; if they are not, this permission error is the result.
3. warning: SASL authentication failure: cannot connect to Courier authdaemond: No such file or directory
Check /usr/local/lib/sasl2/smtpd.conf for a stray space, typically at the end of the authdaemond_path value; it is hard to spot by eye but makes the socket path wrong.