Redhat6.2 + qmail + smtpd authentication prevents spammers from abusing your server

Article Title: Redhat6.2 + qmail + smtpd authentication prevents spammers from abusing your server. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.
Author: Polaris
　　
Software environment:
Redhat6.2 qmail1.3
The email server serves both internal and external services. It uses ADSL for Internet access and dns2go.com for domain name resolution. Single Nic. The vro is Linksys.
　　
Background:
I have installed the qmail server using the general method, and the DNS is stable. If I do not set the DNS, the following situations may occur: when the Internet is disconnected, you cannot log on to the Intranet email server to receive emails. In addition, my server was recently used to send a large number of spam messages (I do not know how my server address was discovered ), therefore, we want to add the smtpd verification function on the original basis.
　　
I'm using the third method in ideal's article (http://www.ccidnet.com/tech/network/2001/04/04/58_1931.html) (this method is recommended)
　　
Method 3 to prevent misuse of mail relay
For a Mail System With roaming users, another way to prevent the relay function from being abused is to require user authentication when sending emails, just as users need authentication when receiving emails. It is assumed that the system has been successfully installed with the qmail-1.03 and vpopmail, and the original system runs properly.
　　
1. Download the program:
　　
Qmail-smtp Patch: http://members.elysium.pl/brush/qmail-smtpd-auth/
　　
Password verification Patch: http://members.elysium.pl/brush/cmd5checkpw/
　　
Download qmail-smtpd-auth-0.31.tar.gz(the latest signature and 5checkpw-0.22.tar.gz.
　　
2. Compile and install qmail-smtpd
　　
Decompress qmail-smtpd-auth-0.31.tar.gz:
　　
[Root @ www src] # tar xvfz qmail-smtpd-auth-0.31.tar.gz
　　
[Root @ www src] # cd qmail-smtpd-auth-0.31
　　
[Root @ www qmail-smtpd-auth-0.31] # ls
　　
Changes readme. auth. patch base64.c base64.h
　　
[Root @ www qmail-smtpd-auth-0.31] # cp README. auth base64.c base64.h ../qmail-1.03/
　　
[Root @ www qmail-smtpd-auth-0.31] # patch? D ../qmail-1.03
It is best to back up the original file first. Compile qmail-smtpd separately:
　　
[Root @ www qmail-smtpd-auth-0.31] # cd/var/qmail/bin
　　
[Root @ www bin] # cp qmail-smtpd qmail-smtpd.old
　　
[Root @ www bin] # cd/usr/src/qmail-1.03.
　　
[Root@www.qmail-1.03] # make qmail-smtpd
　　
./Load qmail-smtpd rcpthosts. o commands. o timeoutread. o
　　
Timeoutwrite. o ip. o ipme. o ipalloc. o control. o constmap. o
　　
Received. o date822fmt. o now. o qmail. o cdb. a fd. a wait.
　　
Datetime. a getln. a open. a sig. a case. a env. a stralloc.
　　
Alloc. a substdio. a error. a str. a fs. a auto_qmail.o 'cat
　　
Socket. lib'
　　
Copy the newly generated qmail-smtpd to the/var/qmail/bin directory.
　　
3、compile and install cmd5checkpw-0.22.tar.gz
　　
Decompress, compile, and install:
　　
[Root @ www src] # tar xvfz cmd5checkpw-0.22.tar.gz
　　
[Root @ www src] # cd cmd5checkpw-0.22
　　
[Root @ www cmd5checkpw-0.22] # make; make install
　　
4. Set relay rules.
　　
Relay means that the server accepts smtp requests from the client and forwards emails sent from the client to a third party. It is very easy to control relay under qmail. As long as the environment variables of the smtp process accessed by the client contain (RELAYCLIENT = ""), relay is allowed; otherwise, the relay is rejected. The implementation method is to set RELAYCLIENT = "" One by one (RELAYCLIENT = "") for the IP address that requires relay in/etc/tcp. smtp, and then generate a rule table using tcprules. In this article, we need to implement relay after SMTP authentication and do not need to pre-set any IP addresses. Therefore, the default rule is to "only relay this server ". /Etc/tcp. smtp content should be:
　　
127.0.0.1: allow, RELAYCLIENT = ""
　　
: Allow
　　
Regenerate the tcp. smtp. cdb file:
　　
/Usr/local/bin/tcprules/etc/tcp. smtp. cdb/etc/tcp. smtp. tmp </etc/tcp. smtp
　　
4. Set the SetUID and SetGID of/home/vpopmail/bin/vchkpw.
　　
This is important, otherwise the authentication fails. This is because the smtpd process is executed by qmaild. The password verification program was originally used only by the pop3 process and executed by root or vpopmail respectively to read the passwords in the shadow or database and retrieve the user's email directory. Qmaild has no permission to perform these operations. To call the password verification program, the smtp process must use setuid and setgid. In fact, we can rest assured that these two password verification programs both contain source code and are very secure, you only need to put it in a safe directory (other users do not have the permission to execute the command except qmaild; in fact, if there are no other SHELL accounts, you don't have to worry about it ).
　　
Chmod u + s/home/vpopmail/bin/vchkpw
　　
Chmod g + s/home/vpopmail/bin/vchkpw
　　
5. Modify the smtpd startup command line
My qmail is automatically started and executed under/etc/rc. d/init. d. So modify this file and change the qmail-smtpd part to the following parameter format:
　　
/Usr/local/bin/tcpserver-H-R-l 0-t 1-v-p-x/etc/tcp. smtp. cdb-u qmaild-g nofiles 0 smtp/var/qmail/bin/qmail-smtpd/home/vpopmail/bin/vchkpw/bin/true/bin/cmd5checkpw/bin/true 2> & 1/var/qmal/bin/splogger smtpd 3 &
　　
6. other settings:
　　
Set the vpopmail user directory until the/directory can be read by any user;
　　
7. Restart qmail
　　
/Etc/rc. d/init. d/qmail stop
　　
/Etc/rc. d/init. d/qmail start
　　
8. Client Test
　　
Use mail software such as OutlookExpress and foxmail on the client for verification.