Redhat6.2 + qmail + smtpd authentication prevents spammers from abusing your server

Author: Polaris
Tags: qmail
  
Software environment:
Redhat 6.2, qmail-1.03
The mail server serves both the intranet and the Internet. It reaches the Internet over ADSL and uses dns2go.com for domain name resolution. Single NIC. The router is a Linksys.
  
Background:
I have installed the qmail server using the usual method, and DNS is stable. If I do not set up DNS, the following can happen: when the Internet connection is down, you cannot log on to the intranet mail server to receive mail. In addition, my server was recently used to send a large amount of spam (I do not know how my server address was discovered), so we want to add the smtpd authentication function on top of the existing setup.
  
I'm using the third method from ideal's article (http://www.ccidnet.com/tech/network/2001/04/04/58_1931.html) (this method is recommended).
  
Method 3 to prevent misuse of mail relay
For a mail system with roaming users, another way to keep the relay function from being abused is to require user authentication when sending mail, just as users must authenticate when receiving mail. It is assumed that qmail-1.03 and vpopmail have already been installed successfully and that the original system runs properly.
  
1. Download the program:
  
Qmail-smtp Patch: http://members.elysium.pl/brush/qmail-smtpd-auth/
  
Password verification Patch: http://members.elysium.pl/brush/cmd5checkpw/
  
Download qmail-smtpd-auth-0.31.tar.gz (the latest version) and cmd5checkpw-0.22.tar.gz.
  
2. Compile and install qmail-smtpd
  
Decompress qmail-smtpd-auth-0.31.tar.gz:

[root@www src]# tar xvfz qmail-smtpd-auth-0.31.tar.gz

[root@www src]# cd qmail-smtpd-auth-0.31

[root@www qmail-smtpd-auth-0.31]# ls

Changes README.auth auth.patch base64.c base64.h

[root@www qmail-smtpd-auth-0.31]# cp README.auth base64.c base64.h ../qmail-1.03/

[root@www qmail-smtpd-auth-0.31]# patch -d ../qmail-1.03 < auth.patch

It is best to back up the original binary first, then compile qmail-smtpd on its own:

[root@www qmail-smtpd-auth-0.31]# cd /var/qmail/bin

[root@www bin]# cp qmail-smtpd qmail-smtpd.old

[root@www bin]# cd /usr/src/qmail-1.03

[root@www qmail-1.03]# make qmail-smtpd

./load qmail-smtpd rcpthosts.o commands.o timeoutread.o timeoutwrite.o ip.o ipme.o ipalloc.o control.o constmap.o received.o date822fmt.o now.o qmail.o cdb.a fd.a wait.a datetime.a getln.a open.a sig.a case.a env.a stralloc.a alloc.a substdio.a error.a str.a fs.a auto_qmail.o `cat socket.lib`

Copy the newly generated qmail-smtpd to the /var/qmail/bin directory.
  
3. Compile and install cmd5checkpw-0.22.tar.gz

Decompress, compile, and install:

[root@www src]# tar xvfz cmd5checkpw-0.22.tar.gz

[root@www src]# cd cmd5checkpw-0.22

[root@www cmd5checkpw-0.22]# make; make install
  
4. Set relay rules.
  
Relay means that the server accepts an SMTP connection from a client and forwards mail from that client to a third party. Controlling relay under qmail is simple: if the environment of the qmail-smtpd process serving the client contains RELAYCLIENT="", relaying is allowed; otherwise it is rejected. In practice you list each IP address that needs relay in /etc/tcp.smtp, setting RELAYCLIENT="" for it, and then generate the rule table with tcprules. In this article relaying is granted only after SMTP authentication, so no IP addresses need to be pre-listed and the default rule is "relay only for this server itself". /etc/tcp.smtp should contain:

127.0.0.1:allow,RELAYCLIENT=""

:allow

Regenerate the tcp.smtp.cdb file:

/usr/local/bin/tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp
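The lookup tcpserver performs against tcp.smtp.cdb, as an added Python example (not code from the article or from ucspi-tcp): it parses rules in the tcp.smtp format, matches a client address the way tcpserver does (exact IP first, then address prefixes ending in a dot from longest to shortest, then the default rule), and reports whether RELAYCLIENT would end up in qmail-smtpd's environment. The constructed rule file goes beyond the article's two-line file by adding a LAN prefix rule and a deny rule so that precedence is visible; host-name based rules are not modelled.

```python
import re
from typing import Dict, Tuple

Rule = Tuple[str, Dict[str, str]]          # (instruction, environment to set)

# Constructed tcp.smtp contents: the article's two rules plus a LAN prefix
# rule and a deny rule, so that prefix matching and precedence are visible.
SAMPLE_TCP_SMTP = """# relay only for the server itself (the article's setting)
127.0.0.1:allow,RELAYCLIENT=""
# whole 192.168.1.x network may relay without authenticating (added)
192.168.1.:allow,RELAYCLIENT=""
# one address in that network is explicitly refused (added)
192.168.1.99:deny
# everyone else may connect, but must authenticate before relaying
:allow
"""

_ENV_RE = re.compile(r'\s*([A-Za-z_][A-Za-z0-9_]*)="([^"]*)"\s*')


def parse_tcp_smtp(text: str) -> Dict[str, Rule]:
    """Parse 'address:instruction[,VAR="value"...]' lines into a rule table."""
    rules: Dict[str, Rule] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        address, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"missing ':' in rule {line!r}")
        instruction, *settings = rest.split(",")
        instruction = instruction.strip()
        if instruction not in ("allow", "deny"):
            raise ValueError(f"unknown instruction in rule {line!r}")
        env: Dict[str, str] = {}
        for item in settings:
            m = _ENV_RE.fullmatch(item)
            if m is None:
                raise ValueError(f"bad environment setting {item!r} in {line!r}")
            env[m.group(1)] = m.group(2)
        rules[address] = (instruction, env)
    return rules


def lookup(rules: Dict[str, Rule], client_ip: str) -> Rule:
    """Match the way tcpserver does: exact address first, then prefixes
    ending in '.' from longest to shortest, finally the default ('') rule.
    Without a default rule the connection is denied."""
    if client_ip in rules:
        return rules[client_ip]
    octets = client_ip.split(".")
    for n in range(len(octets) - 1, 0, -1):
        prefix = ".".join(octets[:n]) + "."
        if prefix in rules:
            return rules[prefix]
    return rules.get("", ("deny", {}))


def may_relay(rules: Dict[str, Rule], client_ip: str) -> bool:
    """True when qmail-smtpd would see RELAYCLIENT for this client,
    i.e. relaying is granted by address alone, without SMTP AUTH."""
    instruction, env = lookup(rules, client_ip)
    return instruction == "allow" and "RELAYCLIENT" in env


if __name__ == "__main__":
    rules = parse_tcp_smtp(SAMPLE_TCP_SMTP)
    for ip in ("127.0.0.1", "192.168.1.20", "192.168.1.99", "203.0.113.7"):
        print(ip, lookup(rules, ip), "relay without auth:", may_relay(rules, ip))
```

Running it shows that only 127.0.0.1 and the 192.168.1.x prefix get RELAYCLIENT, 192.168.1.99 is refused outright because the exact address wins over the prefix, and any other client is allowed to connect but must authenticate before it can relay. Feeding a file with only the 127.0.0.1 line and no `:allow` default shows why the article keeps that second line: without it every remote client would be denied.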
  
4. Set the setuid and setgid bits on /home/vpopmail/bin/vchkpw

This step is important; without it authentication fails. The smtpd process runs as qmaild, whereas the password checking programs were originally invoked only by the pop3 process, running as root or vpopmail respectively, so that they could read the passwords in the shadow file or in the database and locate the user's mail directory. qmaild has no permission to do any of this, so for the smtpd process to call the password checking programs they must be setuid and setgid. Both programs come with source code and are considered safe to run this way; just keep them in a protected directory where no user other than qmaild can execute them (and if there are no other shell accounts on the machine, this is not a concern).

chmod u+s /home/vpopmail/bin/vchkpw

chmod g+s /home/vpopmail/bin/vchkpw
  
5. Modify the smtpd startup command line
My qmail is started automatically from a script under /etc/rc.d/init.d, so edit that file and change the qmail-smtpd part to the following form:

/usr/local/bin/tcpserver -H -R -l 0 -t 1 -v -p -x /etc/tcp.smtp.cdb -u qmaild -g nofiles 0 smtp /var/qmail/bin/qmail-smtpd /home/vpopmail/bin/vchkpw /bin/true /bin/cmd5checkpw /bin/true 2>&1 | /var/qmail/bin/splogger smtpd 3 &
  
6. Other settings:

Make the vpopmail user's home directory, and every directory above it up to /, readable by any user;
  
7. Restart qmail

/etc/rc.d/init.d/qmail stop

/etc/rc.d/init.d/qmail start
  
8. Client test

Use a mail client such as Outlook Express or Foxmail to verify that sending now requires authentication.
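An added Python model (not code from the article, from qmail, or from the auth patch) of what steps 4 through 8 set up: a qmail-smtpd session that accepts RCPT TO for a domain listed in rcpthosts, for a client that tcpserver marked with RELAYCLIENT, or after a successful AUTH, and refuses relaying otherwise. check_plain and check_cram_md5 are stand-ins for what vchkpw and cmd5checkpw do (CRAM-MD5 is an HMAC-MD5 over the server's challenge, as in RFC 2195); the user database, the rcpthosts set, the host name and the reply texts are constructed for the example.

```python
import base64
import hashlib
import hmac
from typing import Dict, List, Optional, Set

# Constructed stand-ins for the data that vchkpw / cmd5checkpw and
# /var/qmail/control/rcpthosts would supply on a real system.
USERS: Dict[str, str] = {"user@example.com": "constructed-secret"}
RCPTHOSTS: Set[str] = {"example.com"}          # local domains: no relay needed

# Illustrative reply texts in the style of qmail-smtpd and the auth patch.
OK_AUTH = "235 ok, go ahead (#2.0.0)"
BAD_AUTH = "535 authentication failed (#5.7.1)"
NO_RELAY = "553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)"


def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


def check_plain(user: str, password: str) -> bool:
    """Stand-in for vchkpw: compare the offered password with the stored one."""
    stored = USERS.get(user)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


def cram_md5_challenge(hostname: str, pid: int, ts: int) -> str:
    """RFC 2195 challenge string, e.g. <1234.1000000000@www.example.com>."""
    return f"<{pid}.{ts}@{hostname}>"


def cram_md5_response(user: str, secret: str, challenge: str) -> str:
    """What a CRAM-MD5 client sends: base64('user hex(HMAC-MD5(secret, challenge))')."""
    digest = hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return b64(f"{user} {digest}")


def check_cram_md5(response_b64: str, challenge: str) -> Optional[str]:
    """Stand-in for cmd5checkpw: recompute the HMAC from the stored secret.
    Returns the authenticated user name, or None on any failure."""
    try:
        user, _, digest = base64.b64decode(response_b64).decode().rpartition(" ")
    except (ValueError, UnicodeDecodeError):
        return None
    secret = USERS.get(user)
    if secret is None:
        return None
    expected = hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return user if hmac.compare_digest(expected.encode(), digest.encode()) else None


class SmtpdSession:
    """Minimal model of one qmail-smtpd connection: relaying is allowed when
    tcpserver put RELAYCLIENT in the environment or when AUTH succeeded."""

    def __init__(self, env: Dict[str, str], hostname: str = "www.example.com"):
        self.relayclient = "RELAYCLIENT" in env
        self.authenticated: Optional[str] = None
        self.hostname = hostname
        self.transcript: List[str] = []

    def auth_login(self, user: str, password: str) -> str:
        # AUTH LOGIN: server prompts with base64("Username:") and base64("Password:");
        # the client answers with the base64 of the user name and of the password.
        self.transcript += ["C: AUTH LOGIN", "S: 334 " + b64("Username:"),
                            "C: " + b64(user), "S: 334 " + b64("Password:"),
                            "C: " + b64(password)]
        ok = check_plain(user, password)
        self.authenticated = user if ok else None
        reply = OK_AUTH if ok else BAD_AUTH
        self.transcript.append("S: " + reply)
        return reply

    def auth_cram_md5(self, user: str, secret: str, pid: int = 1234, ts: int = 1000000000) -> str:
        # AUTH CRAM-MD5: the secret never crosses the wire, only a keyed hash of the challenge.
        challenge = cram_md5_challenge(self.hostname, pid, ts)
        response = cram_md5_response(user, secret, challenge)
        self.transcript += ["C: AUTH CRAM-MD5", "S: 334 " + b64(challenge), "C: " + response]
        self.authenticated = check_cram_md5(response, challenge)
        reply = OK_AUTH if self.authenticated else BAD_AUTH
        self.transcript.append("S: " + reply)
        return reply

    def rcpt(self, address: str) -> str:
        """RCPT TO decision: local domain, RELAYCLIENT, or authenticated -> 250."""
        domain = address.rpartition("@")[2].lower()
        if self.relayclient or self.authenticated or domain in RCPTHOSTS:
            reply = "250 ok"
        else:
            reply = NO_RELAY
        self.transcript += [f"C: RCPT TO:<{address}>", "S: " + reply]
        return reply


if __name__ == "__main__":
    s = SmtpdSession(env={})                        # remote client, no RELAYCLIENT
    print(s.rcpt("someone@elsewhere.net"))          # refused: 553 ...
    print(s.auth_cram_md5("user@example.com", "constructed-secret"))
    print(s.rcpt("someone@elsewhere.net"))          # accepted: 250 ok
    print("\n".join(s.transcript))
```

Running it shows a remote client's RCPT TO for a foreign domain refused with 553 and accepted once the session is authenticated, which is exactly what the client test in step 8 should confirm. The transcript also makes the difference between the two mechanisms visible: AUTH LOGIN carries the password itself, only base64-encoded, so anyone who can observe the connection can read it, while CRAM-MD5 sends only an HMAC of the server's challenge; the price is that the server must be able to compute that HMAC, which is why cmd5checkpw needs the stored secret rather than just a hash of it.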
  
  