Notes on building a mail server on CentOS 4.4: Windows AD integration

Summary:
1. In the article "Notes on building a mail server on CentOS 4.4: mail gateway", we already implemented the mail gateway function. For users of an Exchange mail system on a Microsoft AD platform, however, when an external user sends mail to the gateway, the gateway cannot find the user's authentication information and simply rejects the message; so the gateway has to be integrated with the users in AD;

2. I did not manage to query AD user information on the MS platform via LDAP, so that approach is not covered here. My approach: use Winbind to join the Linux box to the Windows domain first. Winbind is a Samba component; it talks to the Windows domain through the Samba interface and provides a PAM interface so that other applications can call Winbind. We set up the Linux server's nss configuration so that the system resolves user information through the Winbind program. Overall the authentication process is: postfix and dovecot hand the account to saslauthd, saslauthd hands it to pam, and pam contacts AD through winbind.
3. The implementation in detail:
a. The test environment:
Mail gateway name: mxgate.trinet.com.cn, IP address: 10.6.6.222
Mail server name: mailserver
Domain name: triumph
Domain IP address: 10.0.0.11
Full FQDN: trinet.com.cn
 
b. Install the samba packages; on CentOS, winbind is part of the samba-common package
[root@mailgate etc]# yum install -y samba-common samba
Setting up Install Process
Setting up repositories
dag                       100% |=========================| 1.1 kB    00:00
update                    100% |=========================|  951 B    00:00
base                      100% |=========================| 1.1 kB    00:00
addons                    100% |=========================|  951 B    00:00
extras                    100% |=========================| 1.1 kB    00:00
Reading repository metadata in from local files
--> Running transaction check
Dependencies Resolved
=============================================================================
 Package                 Arch       Version          Repository        Size
=============================================================================
Installing:
 samba                   i386       3.0.10-1.4E.12.2  update             13 M
 samba-common            i386       3.0.10-1.4E.12.2  update            5.0 M
Transaction Summary
=============================================================================
Install      2 Package(s)
Update       0 Package(s)
Remove       0 Package(s)
Total download size: 18 M
Downloading Packages:
(1/2): samba-common-3.0.1 100% |=========================| 5.0 MB    02:43
(2/2): samba-3.0.10-1.4E. 100% |=========================|  13 MB    07:38
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing: samba-common                 ######################### [1/2]
  Installing: samba                        ######################### [2/2]
Installed: samba.i386 0:3.0.10-1.4E.12.2 samba-common.i386 0:3.0.10-1.4E.12.2
Complete!
[root@mailgate etc]#
c. Install the krb5-server package;
[root@mailgate etc]# yum install -y krb5-server
Setting up Install Process
Setting up repositories
Reading repository metadata in from local files
Parsing package install arguments
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for krb5-server to pack into transaction set.
krb5-server-1.3.4-49.i386 100% |=========================|  36 kB    00:02
---> Package krb5-server.i386 0:1.3.4-49 set to be updated
--> Running transaction check
--> Processing Dependency: krb5-libs = 1.3.4-49 for package: krb5-server
--> Restarting Dependency Resolution with new changes.
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for krb5-libs to pack into transaction set.
krb5-libs-1.3.4-49.i386.r 100% |=========================|  31 kB    00:01
---> Package krb5-libs.i386 0:1.3.4-49 set to be updated
--> Running transaction check
--> Processing Dependency: krb5-libs = 1.3.4-33 for package: krb5-devel
--> Processing Dependency: krb5-libs = 1.3.4-33 for package: krb5-workstation
--> Restarting Dependency Resolution with new changes.
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for krb5-devel to pack into transaction set.
krb5-devel-1.3.4-49.i386. 100% |=========================|  38 kB    00:01
---> Package krb5-devel.i386 0:1.3.4-49 set to be updated
---> Downloading header for krb5-workstation to pack into transaction set.
krb5-workstation-1.3.4-49 100% |=========================|  39 kB    00:01
---> Package krb5-workstation.i386 0:1.3.4-49 set to be updated
--> Running transaction check
Dependencies Resolved
=============================================================================
 Package                 Arch       Version          Repository        Size
=============================================================================
Installing:
 krb5-server             i386       1.3.4-49         update            774 k
Updating for dependencies:
 krb5-devel              i386       1.3.4-49         update            822 k
 krb5-libs               i386       1.3.4-49         update            482 k
 krb5-workstation        i386       1.3.4-49         update            815 k
Transaction Summary
=============================================================================
Install      1 Package(s)
Update       3 Package(s)
Remove       0 Package(s)
Total download size: 2.8 M
Downloading Packages:
(1/4): krb5-devel-1.3.4-4 100% |=========================| 822 kB    00:36
(2/4): krb5-libs-1.3.4-49 100% |=========================| 482 kB    00:24
(3/4): krb5-workstation-1 100% |=========================| 815 kB    00:31
(4/4): krb5-server-1.3.4- 100% |=========================| 774 kB    00:34
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating  : krb5-libs                    ######################### [1/7]
  Updating  : krb5-devel                   ######################### [2/7]
  Updating  : krb5-workstation             ######################### [3/7]
  Installing: krb5-server                  ######################### [4/7]
  Cleanup   : krb5-devel                   ######################### [5/7]
  Cleanup   : krb5-libs                    ######################### [6/7]
  Cleanup   : krb5-workstation             ######################### [7/7]
Installed: krb5-server.i386 0:1.3.4-49
Dependency Updated: krb5-devel.i386 0:1.3.4-49 krb5-libs.i386 0:1.3.4-49 krb5-workstation.i386 0:1.3.4-49
Complete!
[root@mailgate etc]#
d. Start the relevant services and set them to start at boot;
[root@mailgate ~]# service smb start
Starting SMB services:                                     [  OK  ]
Starting NMB services:                                     [  OK  ]
[root@mailgate ~]# service winbind start
Starting Winbind services:                                 [  OK  ]
[root@mailgate ~]# chkconfig winbind on
e. Edit smb.conf
[root@mailgate etc]# vi /etc/samba/smb.conf
Change workgroup = MYGROUP
to: workgroup = TRIUMPH
Add: realm = TRIUMPH
Change security = user
to: security = ads
Change    ;   password server = <NT-Server-Name>
to:   password server = mailserver.triumph  (note: the domain controller's IP address can be used here as well)
Change:       ;  encrypt passwords = yes
to:   encrypt passwords = yes
Find the following location and edit it as shown:
#============================ Share Definitions ==============================
   password server = 10.0.0.11
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template shell = /sbin/nologin
   winbind use default domain = yes
   realm = TRIUMPH
and add at the very end:
#add
template homedir = /home/%D/%U
 
f. Edit krb5.conf
[root@mailgate etc]# vi /etc/krb5.conf
Change the following:
[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
  admin_server = kerberos.example.com:749
  default_domain = example.com
 }
[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
to:
[libdefaults]
 default_realm = TRIUMPH
 dns_lookup_realm = false
 dns_lookup_kdc = false
[realms]
 TRIUMPH = {
  kdc = 10.0.0.11:88
  admin_server = 10.0.0.11:749
  default_domain = triumph
 }
[domain_realm]
 .trinet.com.cn = TRINET.COM.CN
 trinet.com.cn = TRINET.COM.CN
g. Edit kdc.conf
[root@mailgate etc]# vi /var/kerberos/krb5kdc/kdc.conf
Change:
[realms]
 EXAMPLE.COM = {
  master_key_type = des-cbc-crc
  supported_enctypes = arcfour-hmac:normal arcfour-hmac:norealm arcfour-hmac:onlyrealm des3-hmac-sha1:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }
to:
[realms]
 TRIUMPH = {
  master_key_type = des-cbc-crc
  supported_enctypes = arcfour-hmac:normal arcfour-hmac:norealm arcfour-hmac:onlyrealm des3-hmac-sha1:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }
h. Restart the relevant services;
[root@mailgate ~]# service smb restart
Shutting down SMB services:                                [  OK  ]
Shutting down NMB services:                                [  OK  ]
Starting SMB services:                                     [  OK  ]
Starting NMB services:                                     [  OK  ]
[root@mailgate ~]# service winbind restart
Shutting down Winbind services:                            [  OK  ]
Starting Winbind services:                                 [  OK  ]
[root@mailgate ~]#
 
i. Checks before joining the domain:
[root@mailgate ~]# more /etc/sysconfig/clock    # check the time zone;
If it is wrong, correct it as follows:
[root@mailgate ~]# vi /etc/sysconfig/clock
ZONE="Asia/Chongqing"
UTC=true
ARC=false
[root@mailgate ~]# ln -sf /usr/share/zoneinfo/Asia/Chongqing /etc/localtime
[root@mailgate ~]# date             # check the clock; it must be within 5 minutes of the AD clock
If the difference is too large, correct it as follows;
[root@mailgate ~]# date 101221202007.54
Wed Oct 23 21:20:54 CST 2007
[root@mailgate ~]# hwclock --systohc

Test before joining; remember that the realm name must be upper case. If entering the account's password gives no error, you can go ahead with the join!
[root@mailgate ~]# kinit  leeki.yan@TRIUMPH
Password for  leeki.yan@TRIUMPH:
[root@mailgate ~]#
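Before running authconfig it is worth checking that the realm in smb.conf and default_realm in krb5.conf agree and are upper case, since a mismatch or a lower-case realm is the usual reason the kinit test above fails. The script below is an added example and not part of the original post; it assumes the paths /etc/samba/smb.conf and /etc/krb5.conf from the steps above and takes an optional root prefix so it can be run against copies of the files.

```shell
#!/bin/sh
# Added example: cross-check the realm settings winbind and Kerberos must agree on.
# Not from the original post. Paths are taken relative to an optional prefix so the
# check can be exercised on copies of the files.

# Print the value of "key = value" in an ini-style file (smb.conf / krb5.conf).
# Lines commented out with ';' or '#' are skipped; surrounding whitespace is trimmed.
ini_value() {   # $1 = file, $2 = key
    awk -F= -v key="$2" '
        $0 !~ /^[[:space:]]*[;#]/ {
            k = $1; gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (k == key) { v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v; exit }
        }' "$1" 2>/dev/null
}

# Return 0 when smb.conf and krb5.conf name the same realm, the realm is upper case
# and smb.conf has security = ads; print one line per finding.
check_join_config() {   # $1 = root prefix ("" for the live system)
    root="${1:-}"
    smb_realm=$(ini_value "$root/etc/samba/smb.conf" realm)
    krb_realm=$(ini_value "$root/etc/krb5.conf" default_realm)
    security=$(ini_value "$root/etc/samba/smb.conf" security)
    rc=0
    [ -n "$smb_realm" ] || { echo "FAIL smb.conf has no realm line"; rc=1; }
    [ "$smb_realm" = "$krb_realm" ] || { echo "FAIL realm mismatch: smb.conf '$smb_realm' vs krb5.conf '$krb_realm'"; rc=1; }
    [ "$smb_realm" = "$(printf '%s' "$smb_realm" | tr '[:lower:]' '[:upper:]')" ] || { echo "FAIL realm '$smb_realm' is not upper case"; rc=1; }
    [ "$security" = "ads" ] || { echo "FAIL smb.conf security is '$security', expected ads"; rc=1; }
    [ $rc -eq 0 ] && echo "ok   realm $smb_realm, security = ads"
    return $rc
}

# Usage on the gateway: check_join_config        (live files)
#                       check_join_config /tmp/x (copies under /tmp/x/etc/...)
```

Run it with no argument on the gateway; a non-zero exit means one of the files still has the EXAMPLE.COM placeholders or a realm spelt differently from the other file.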
 
j. Join the domain;
[root@mailgate ~]# authconfig
Work through the authconfig screens step by step (figures 1 to 7 of the original post are not reproduced here).
k. After the join succeeds, a message like the following is shown
Joined 'MAIL' to realm 'TRIUMPH'
setsebool:  SELinux is disabled.
Shutting down Winbind services:                            [  OK  ]
Starting Winbind services:                                 [  OK  ]
[root@mailgate ~]#
[root@mailgate ~]# wbinfo -g  # list the groups in the domain;
[root@mailgate ~]# wbinfo -u  # list the users in the domain;
[root@mailgate ~]# id spam
uid=16777343(spam) gid=16777216(Domain Users) groups=16777216(Domain Users)
The domain user account spam can now be looked up!


l. For the AD integration, creating each account's directory by hand is tedious; it can be done with the method below. Set up this way, even if the EXCHANGE mail server breaks some day, we can still send and receive mail entirely through this mail gateway! Haha!
[root@mailgate ~]# vi trinet.awk
#!/bin/awk -f
# Create a home directory for every account whose uid lies in the winbind idmap range
# configured in smb.conf, and hand it to that uid/gid.
BEGIN {
    FS = ":"
    uidmin = 16777216
    uidmax = 33554431
}

{
    if ($3 >= uidmin && $3 <= uidmax) {
        print "\nmake directory " $6 "\nchown " $3 "." $4 " " $6
        system("mkdir -p " $6 " ;chown " $3 "." $4 " " $6)
    }
}
 

[root@mailgate ~]# getent passwd | awk -f trinet.awk 
[root@mailgate ~]# getent passwd
[root@mailgate ~]# cd /home
[root@mailgate ~]# mkdir TRIUMPH
[root@mailgate ~]# chown -R postfix TRIUMPH
[root@mailgate ~]# chmod 777 TRIUMPH
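The awk script above creates the directories with whatever umask is in effect and relies on /home/TRIUMPH being world-writable. As an added example (not from the original post), the shell script below does the same job in two steps: select the accounts whose uid falls in the idmap range from smb.conf, then create each home directory owner-only and hand it to that uid and gid. The passwd lines are constructed sample data in getent format; the idmap bounds are the ones from smb.conf above.

```shell
#!/bin/sh
# Added example, not from the original post: create home directories for domain
# accounts resolved through winbind, without a world-writable parent directory.

# Constructed sample of "getent passwd" output (not taken from the gateway).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
spam:*:16777343:16777216:spam:/home/TRIUMPH/spam:/sbin/nologin
leeki.yan:*:16777344:16777216:leeki yan:/home/TRIUMPH/leeki.yan:/sbin/nologin'

# idmap uid / idmap gid range from smb.conf
UIDMIN=16777216
UIDMAX=33554431

# Read passwd lines on stdin; print "uid:gid:home" for every account whose uid is
# inside the winbind idmap range and whose home is an absolute path.
select_domain_accounts() {
    awk -F: -v min="$UIDMIN" -v max="$UIDMAX" '
        $3 ~ /^[0-9]+$/ && $3 + 0 >= min && $3 + 0 <= max && $6 ~ /^\// {
            print $3 ":" $4 ":" $6
        }'
}

# Read "uid:gid:home" lines on stdin and create each directory under an optional
# root prefix ($1), owner-only (0700), owned by the numeric uid:gid. Prints each
# directory created; chown failures (e.g. not running as root) are reported, not fatal.
create_home_dirs() {   # $1 = root prefix, default "" (the live filesystem)
    root="${1:-}"
    while IFS=: read -r uid gid home; do
        dir="$root$home"
        mkdir -p "$dir"
        chmod 700 "$dir"
        chown "$uid:$gid" "$dir" 2>/dev/null || echo "warn: chown $uid:$gid $dir failed" >&2
        echo "$dir"
    done
}

# Usage on the gateway, as root:
#   getent passwd | select_domain_accounts | create_home_dirs
```

With each user's directory owned by that user's winbind uid, the parent /home/TRIUMPH only needs to be traversable (mode 0755), not 0777, for delivery into the home directories to work.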
 
4. Next we configure POSTFIX to send and receive mail; for user authentication it goes through WINBIND to look up the information in AD;
a. [root@mailgate ~]# vi /etc/pam.d/smtp
Add:
auth              sufficient        pam_winbind.so
account           sufficient        pam_winbind.so
password          sufficient        pam_winbind.so use_authtok
b. [root@mailgate ~]# vi /etc/pam.d/dovecot
Add:
auth              sufficient        pam_winbind.so
account           sufficient        pam_winbind.so
password          sufficient        pam_winbind.so use_authtok
c. [root@mailgate ~]# vi /etc/pam.d/login
Add:
auth              sufficient        pam_winbind.so
account           sufficient        pam_winbind.so
password          sufficient        pam_winbind.so use_authtok
d. [root@mailgate ~]# ln -s /usr/lib/sasl2/smtpd.conf /usr/local/lib/smtpd.conf
[root@mailgate ~]# vi /usr/local/lib/smtpd.conf, with the following content
#pwcheck_method: auxprop
pwcheck_method: saslauthd
log_level:2
mech_list:PLAIN LOGIN
 
e. [root@mailgate ~]# vi /etc/init.d/saslauthd
Change MECH=shadow
to:
MECH=pam
Then restart the service:
[root@mailgate lib]# service saslauthd restart
Stopping saslauthd:                                        [  OK  ]
Starting saslauthd:                                        [  OK  ]
[root@mailgate lib]#
 
5. If mail sent from an external network is refused with Relay access denied, check the following:
a. that MECH=pam is set in the /etc/sysconfig/saslauthd file (vi /etc/sysconfig/saslauthd)
b. whether the smb service is running;
c. whether authentication is enabled in /etc/postfix/main.cf (vi /etc/postfix/main.cf);
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain  (note: this was originally $myhostname; try changing it to $mydomain)
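The checks in section 5 can be scripted. The following is an added example (not from the original post); it reads /etc/sysconfig/saslauthd, /etc/pam.d/smtp, /etc/pam.d/dovecot and /etc/postfix/main.cf under an optional root prefix, so it can be tried on copies of the files, and exits non-zero if any of the settings from section 4 is missing.

```shell
#!/bin/sh
# Added example, not from the original post: verify the postfix -> saslauthd -> pam
# -> winbind chain is configured as in sections 4 and 5. $1 is an optional root
# prefix ("" = live system) so the checks can run on copied files.

# MECH=pam in /etc/sysconfig/saslauthd (section 5a)
check_saslauthd_mech() {   # $1 = root
    grep -Eq '^[[:space:]]*MECH=pam[[:space:]]*$' "$1/etc/sysconfig/saslauthd" 2>/dev/null
}

# auth and account lines for pam_winbind.so in /etc/pam.d/<service> (section 4a/4b)
check_pam_winbind() {      # $1 = root, $2 = pam service name
    f="$1/etc/pam.d/$2"
    grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_winbind\.so' "$f" 2>/dev/null &&
    grep -Eq '^[[:space:]]*account[[:space:]]+sufficient[[:space:]]+pam_winbind\.so' "$f" 2>/dev/null
}

# smtpd_sasl_auth_enable = yes in /etc/postfix/main.cf (section 5c)
check_postfix_sasl() {     # $1 = root
    grep -Eq '^[[:space:]]*smtpd_sasl_auth_enable[[:space:]]*=[[:space:]]*yes' "$1/etc/postfix/main.cf" 2>/dev/null
}

# Run all checks; print one line each; return 0 only if every check passes.
check_sasl_chain() {       # $1 = root prefix, default ""
    root="${1:-}"
    rc=0
    check_saslauthd_mech "$root" && echo "ok   saslauthd MECH=pam" \
        || { echo "FAIL saslauthd MECH is not pam"; rc=1; }
    for svc in smtp dovecot; do
        check_pam_winbind "$root" "$svc" && echo "ok   /etc/pam.d/$svc uses pam_winbind" \
            || { echo "FAIL /etc/pam.d/$svc lacks pam_winbind auth/account lines"; rc=1; }
    done
    check_postfix_sasl "$root" && echo "ok   smtpd_sasl_auth_enable = yes" \
        || { echo "FAIL smtpd_sasl_auth_enable is not yes in main.cf"; rc=1; }
    return $rc
}

# Usage on the gateway: check_sasl_chain   (exit status 0 = all settings present)
```

On the live gateway, two commands shipped with the Samba and Cyrus SASL packages complete the picture: wbinfo -t verifies the machine trust account against the domain controller (section 5b), and testsaslauthd -u user -p password -s smtp exercises the saslauthd, pam and winbind path without going through postfix.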
 
6. Supplement: testing mail monitoring with MailScanner on the mail gateway:
a.
[root@mailgate ~]# vi /etc/MailScanner/MailScanner.conf
Find:
Archive Mail =
and change it to:
Archive Mail = %rules-dir%/archive.rules
b.
[root@mailgate ~]# cd /etc/MailScanner/rules/
[root@mailgate rules]# ls             # check whether an archive.rules file exists; if not, create it by hand
bounce.rules  EXAMPLES  max.message.size.rules  README  spam.whitelist.rules
[root@mailgate rules]# vi archive.rules
From: leeki.yan@trinet.com.cn yes forward spam@trinet.com.cn
Then restart:
[root@mailgate rules]# service MailScanner restaert
Usage: service MailScanner {start|stop|status|restart|reload|startin|startout|stopms}
[root@mailgate rules]# service MailScanner restart
Shutting down MailScanner daemons:
         MailScanner:                                      [  OK  ]
         incoming postfix:                                 [  OK  ]
         outgoing postfix:                                 [  OK  ]
Waiting for MailScanner to die gracefully ... dead.
Starting MailScanner daemons:
         incoming postfix:                                 [  OK  ]
         outgoing postfix:                                 [  OK  ]
         MailScanner:                                      [  OK  ]
[root@mailgate rules]#
After sending a message to leeki.yan@trinet.com.cn, the maillog shows the following (the lines marked in red in the original post show that the copy was delivered successfully):
Nov  1 20:14:44 mailgate postfix/smtpd[26774]: connect from unknown[10.4.4.222]
Nov  1 20:14:44 mailgate postfix/smtpd[26774]: D01AEC882E1: client=unknown[10.4.4.222], sasl_method=LOGIN,  sasl_username=leeki.yan@mailgate.trinet.com.cn
Nov  1 20:14:44 mailgate postfix/cleanup[26777]: D01AEC882E1: hold: header Received: from triumphweihu (unknown [10.4.4.222])??by mailgate.trinet.com.cn (Postfix) with ESMTP id D01AEC882E1??for <leeki.yan@trinet.com.cn>; Thu,  1 Nov 2007 20:14:44 +0800 (CST) from unknown[10.4.4.222]; from=<leeki.yan@trinet.com.cn> to=<leeki.yan@trinet.com.cn> proto=ESMTP helo=<triumphweihu>
Nov  1 20:14:44 mailgate postfix/cleanup[26777]: D01AEC882E1: message-id=<002201c81c80$b96932d0$de04040a@triumphweihu>
Nov  1 20:14:44 mailgate postfix/smtpd[26774]: disconnect from unknown[10.4.4.222]
Nov  1 20:14:45 mailgate MailScanner[26771]: New Batch: Scanning 1 messages, 2386 bytes
Nov  1 20:14:45 mailgate MailScanner[26771]: Virus and Content Scanning: Starting
Nov  1 20:14:47 mailgate MailScanner[26771]: Requeue: D01AEC882E1.EFDC3 to 9FCDAC88479
Nov  1 20:14:47 mailgate postfix/qmgr[26750]: 9FCDAC88479: from=<leeki.yan@trinet.com.cn>, size=2547, nrcpt=2 (queue active)
Nov  1 20:14:47 mailgate MailScanner[26771]: Uninfected: Delivered 1 messages
Nov  1 20:14:47 mailgate postfix/smtp[26785]: 9FCDAC88479: to=<leeki.yan@trinet.com.cn>, relay=10.0.0.11[10.0.0.11], delay=3, status=sent (250 2.6.0 <002201c81c80$b96932d0$de04040a@triumphweihu> Queued mail for delivery)
Nov  1 20:14:47 mailgate postfix/smtp[26785]: 9FCDAC88479: to=<spam@trinet.com.cn>, relay=10.0.0.11[10.0.0.11], delay=3, status=sent (250 2.6.0 <002201c81c80$b96932d0$de04040a@triumphweihu> Queued mail for delivery)
Nov  1 20:14:47 mailgate postfix/qmgr[26750]: 9FCDAC88479: removed

c. Other ways of writing the archive.rules file, and points to note:

Means: every message from or to spam@trinet.com.cn is also copied to leeki.yan@trinet.com.cn

Means: every incoming message is also copied to leeki.yan@trinet.com.cn
For example, when testing by sending from leeki.yan@trinet.com.cn to leeki.yan@trinet.com.cn, leeki.yan@trinet.com.cn should in theory receive two messages; in the maillog below (red in the original post) you can see that leeki.yan has indeed received two copies!!
Nov  1 20:25:44 mailgate postfix/qmgr[27280]: A8EABC88479: from=<leeki.yan@trinet.com.cn>, size=2547, nrcpt=2 (queue active)
Nov  1 20:25:44 mailgate MailScanner[27294]: Uninfected: Delivered 1 messages
Nov  1 20:25:44 mailgate postfix/smtp[27314]: A8EABC88479: to=<leeki.yan@trinet.com.cn>, relay=10.0.0.11[10.0.0.11], delay=3, status=sent (250 2.6.0 <004a01c81c82$40ab1820$de04040a@triumphweihu> Queued mail for delivery)
Nov  1 20:25:44 mailgate postfix/smtp[27314]: A8EABC88479: to=<leeki.yan@trinet.com.cn>, relay=10.0.0.11[10.0.0.11], delay=3, status=sent (250 2.6.0 <004a01c81c82$40ab1820$de04040a@triumphweihu> Queued mail for delivery)
Nov  1 20:25:44 mailgate postfix/qmgr[27280]: A8EABC88479: removed
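Reading the maillog by eye works for one test message; the added example below (not from the original post) extracts the same evidence with awk for both maillog excerpts in this section: for each queue id it reports nrcpt from the qmgr line against the number of status=sent deliveries, and lists the recipients that were sent. The embedded sample is the first maillog excerpt from this post with the forum markup removed.

```shell
#!/bin/sh
# Added example, not from the original post: confirm from maillog that a message
# copied by the MailScanner archive rule reached every recipient.

# Maillog excerpt from the post above (queue id 9FCDAC88479), markup removed.
MAILLOG_SAMPLE='Nov  1 20:14:44 mailgate postfix/smtpd[26774]: D01AEC882E1: client=unknown[10.4.4.222], sasl_method=LOGIN,  sasl_username=leeki.yan@mailgate.trinet.com.cn
Nov  1 20:14:45 mailgate MailScanner[26771]: New Batch: Scanning 1 messages, 2386 bytes
Nov  1 20:14:47 mailgate MailScanner[26771]: Requeue: D01AEC882E1.EFDC3 to 9FCDAC88479
Nov  1 20:14:47 mailgate postfix/qmgr[26750]: 9FCDAC88479: from=<leeki.yan@trinet.com.cn>, size=2547, nrcpt=2 (queue active)
Nov  1 20:14:47 mailgate MailScanner[26771]: Uninfected: Delivered 1 messages
Nov  1 20:14:47 mailgate postfix/smtp[26785]: 9FCDAC88479: to=<leeki.yan@trinet.com.cn>, relay=10.0.0.11[10.0.0.11], delay=3, status=sent (250 2.6.0 <002201c81c80$b96932d0$de04040a@triumphweihu> Queued mail for delivery)
Nov  1 20:14:47 mailgate postfix/smtp[26785]: 9FCDAC88479: to=<spam@trinet.com.cn>, relay=10.0.0.11[10.0.0.11], delay=3, status=sent (250 2.6.0 <002201c81c80$b96932d0$de04040a@triumphweihu> Queued mail for delivery)
Nov  1 20:14:47 mailgate postfix/qmgr[26750]: 9FCDAC88479: removed'

# stdin = maillog. For every queue id the queue manager activated, print
# "<queue-id> <nrcpt> <sent>": recipients announced vs. status=sent deliveries.
delivery_summary() {
    awk '
        / postfix\/qmgr\[[0-9]+\]: [0-9A-F]+: from=</ {
            id = $6; sub(/:$/, "", id)
            if (match($0, /nrcpt=[0-9]+/)) nrcpt[id] = substr($0, RSTART + 6, RLENGTH - 6)
        }
        / postfix\/smtp\[[0-9]+\]: [0-9A-F]+: to=</ && /status=sent/ {
            id = $6; sub(/:$/, "", id); sent[id]++
        }
        END { for (id in nrcpt) print id, nrcpt[id] + 0, sent[id] + 0 }'
}

# stdin = maillog. Print the addresses that got status=sent for one queue id.
sent_recipients() {   # $1 = queue id
    awk -v want="$1" '
        / postfix\/smtp\[[0-9]+\]: / && /status=sent/ {
            id = $6; sub(/:$/, "", id)
            if (id == want && match($0, /to=<[^>]*>/)) print substr($0, RSTART + 4, RLENGTH - 5)
        }'
}

# stdin = maillog. Exit 0 when every announced recipient of the queue id was sent.
all_delivered() {     # $1 = queue id
    delivery_summary | awk -v want="$1" '$1 == want { ok = ($2 > 0 && $2 == $3) } END { exit ok ? 0 : 1 }'
}

# Usage on the gateway:
#   delivery_summary < /var/log/maillog
#   all_delivered 9FCDAC88479 < /var/log/maillog && echo "archive copy delivered"
```

For the archive rule to have worked, the queue id MailScanner requeued the message to must show nrcpt equal to the original recipient count plus one, and the same number of status=sent lines.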
 
d. Other variations:
Method two: back up to one or more archive files and one or more mailboxes at the same time

FromOrTo:  a@test.com yes forward /var/spool/MailScanner/archive/a_user_backup.mbx /var/spool/MailScanner/archive/a_user_backup.mbx  b@toping.net  scyz2@163.com
Note: the above is a single line; the archive file must be created beforehand, and its owner must be the same as Run As User = XXXXXXX in MailScanner.conf
Method three: back up to a directory plus several mailboxes or archive files

FromOrTo:  a@test.com yes forward /var/spool/MailScanner/archive/  b@test.com  dreamflying2006@163.com /var/spool/MailScanner/archive/a_user_backup.mbx

e. Note: in the archive.rules file, mind the case of the keywords, and there must be a space after the colon; and after editing, don't forget to restart the MailScanner service!!!

f. Mail monitoring can also be done by setting parameters in main.cf; I will add that when I have time!!!!
The relevant main.cf parameters are:
copy of sent mail: sender_bcc_maps
copy of received mail: recipient_bcc_maps
copy of both sent and received mail: always_bcc

This article is reposted from godoha's 51CTO blog; original link: http://blog.51cto.com/godoha/47549. Contact the original author for permission to republish.
