Setting up a mail server on CentOS 4.4: integration with Windows AD

1. In the article "Setting up a mail server on CentOS 4.4: implementing the Notes mail gateway function" we built a mail gateway. But when the mail system's users live on a Microsoft AD platform (Exchange), a user on the external network who sends mail through the gateway cannot be authenticated, because the gateway has no information about the account, and the mail is refused. So the gateway has to be integrated with the users inside AD.


2. I did not succeed in querying the AD user information on the MS platform over LDAP, so that approach is not covered here. My approach: first join the Linux machine to the Windows domain with Winbind. Winbind is a component of Samba; it talks to the Windows domain through Samba and offers a PAM interface, so that other applications can call Winbind. By configuring NSS on the Linux server to use Winbind, the system can resolve user information through it. Overall, the verification flow is: Postfix and Dovecot pass the account to saslauthd, saslauthd passes it to PAM, and PAM contacts AD through Winbind.

3. The concrete implementation is as follows:
a. Test environment:
Mail gateway name: mxgate.trinet.com.cn, IP address 10.6.6.222
Mail server name: mailserver
Domain name: triumph
Domain controller IP address: 10.0.0.11
Full DNS domain (FQDN): trinet.com.cn

b. Install the samba and winbind components. On CentOS, winbind is included in the samba-common package:
[root@mailgate etc]# yum install -y samba-common samba
Setting up Install Process
Setting up repositories
dag                       100% |=========================| 1.1 kB    00:00
update                    100% |=========================|  951 B    00:00
base                      100% |=========================| 1.1 kB    00:00
addons                    100% |=========================|  951 B    00:00
extras                    100% |=========================| 1.1 kB    00:00
Reading repository metadata in from local files
--> Running transaction check
Dependencies Resolved
=============================================================================
 Package                 Arch       Version           Repository        Size
=============================================================================
Installing:
 samba                   i386       3.0.10-1.4E.12.2  update            13 M
 samba-common            i386       3.0.10-1.4E.12.2  update           5.0 M

Transaction Summary
=============================================================================
Install      2 Package(s)
Update       0 Package(s)
Remove       0 Package(s)
Total download size: 18 M
Downloading Packages:
(1/2): samba-common-3.0.1 100% |=========================| 5.0 MB    02:43
(2/2): samba-3.0.10-1.4E. 100% |=========================|  13 MB    07:38
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing: samba-common                 ######################### [1/2]
  Installing: samba                        ######################### [2/2]

Installed: samba.i386 0:3.0.10-1.4E.12.2 samba-common.i386 0:3.0.10-1.4E.12.2
Complete!
[root@mailgate etc]#

c. Install the krb5-server package (on this system it also pulls in krb5-workstation, which provides kinit, as a dependency):
[root@mailgate etc]# yum install -y krb5-server
Setting up Install Process
Setting up repositories
Reading repository metadata in from local files
Parsing package install arguments
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for krb5-server to pack into transaction set.
krb5-server-1.3.4-49.i386 100% |=========================|  36 kB    00:02
---> Package krb5-server.i386 0:1.3.4-49 set to be updated
--> Running transaction check
--> Processing Dependency: krb5-libs = 1.3.4-49 for package: krb5-server
--> Restarting Dependency Resolution with new changes.
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for krb5-libs to pack into transaction set.
krb5-libs-1.3.4-49.i386.r 100% |=========================|  31 kB    00:01
---> Package krb5-libs.i386 0:1.3.4-49 set to be updated
--> Running transaction check
--> Processing Dependency: krb5-libs = 1.3.4-33 for package: krb5-devel
--> Processing Dependency: krb5-libs = 1.3.4-33 for package: krb5-workstation
--> Restarting Dependency Resolution with new changes.
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for krb5-devel to pack into transaction set.
krb5-devel-1.3.4-49.i386. 100% |=========================|  38 kB    00:01
---> Package krb5-devel.i386 0:1.3.4-49 set to be updated
---> Downloading header for krb5-workstation to pack into transaction set.
krb5-workstation-1.3.4-49 100% |=========================|  39 kB    00:01
---> Package krb5-workstation.i386 0:1.3.4-49 set to be updated
--> Running transaction check
Dependencies Resolved
=============================================================================
 Package                 Arch       Version           Repository        Size
=============================================================================
Installing:
 krb5-server             i386       1.3.4-49          update           774 k
Updating for dependencies:
 krb5-devel              i386       1.3.4-49          update           822 k
 krb5-libs               i386       1.3.4-49          update           482 k
 krb5-workstation        i386       1.3.4-49          update           815 k

Transaction Summary
=============================================================================
Install      1 Package(s)
Update       3 Package(s)
Remove       0 Package(s)
Total download size: 2.8 M
Downloading Packages:
(1/4): krb5-devel-1.3.4-4 100% |=========================| 822 kB    00:36
(2/4): krb5-libs-1.3.4-49 100% |=========================| 482 kB    00:24
(3/4): krb5-workstation-1 100% |=========================| 815 kB    00:31
(4/4): krb5-server-1.3.4- 100% |=========================| 774 kB    00:34
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating  : krb5-libs                    ######################### [1/7]
  Updating  : krb5-devel                   ######################### [2/7]
  Updating  : krb5-workstation             ######################### [3/7]
  Installing: krb5-server                  ######################### [4/7]
  Cleanup   : krb5-devel                   ######################### [5/7]
  Cleanup   : krb5-libs                    ######################### [6/7]
  Cleanup   : krb5-workstation             ######################### [7/7]

Installed: krb5-server.i386 0:1.3.4-49
Dependency Updated: krb5-devel.i386 0:1.3.4-49 krb5-libs.i386 0:1.3.4-49 krb5-workstation.i386 0:1.3.4-49
Complete!
[root@mailgate etc]#

d. Start the related services and set them to start automatically at boot:
[root@mailgate ~]# service smb start
Starting SMB services:                                     [  OK  ]
Starting NMB services:                                     [  OK  ]
[root@mailgate ~]# service winbind start
Starting Winbind services:                                 [  OK  ]
[root@mailgate ~]# chkconfig winbind on

e. Edit smb.conf:
[root@mailgate etc]# vi /etc/samba/smb.conf
Change:   workgroup = MYGROUP
to:       workgroup = TRIUMPH
Add:      realm = TRIUMPH
Change:   security = user
to:       security = ads
Change:   ; password server =
to:       password server = mailserver.triumph   (Note: the domain controller's IP address can be written here instead)
Change:   ; encrypt passwords = yes
to:       encrypt passwords = yes
After the changes, the settings read as follows, at roughly this location in the file:
#============================ Share Definitions ==============================
password server = 10.0.0.11
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /sbin/nologin
winbind use default domain = yes
realm = TRIUMPH
And add at the very end:
# add
template homedir = /home/%D/%U


f. Edit krb5.conf:
[root@mailgate etc]# vi /etc/krb5.conf
Change the following:
[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
  admin_server = kerberos.example.com:749
  default_domain = example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
to read:
[libdefaults]
 default_realm = TRIUMPH
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 TRIUMPH = {
  kdc = 10.0.0.11:88
  admin_server = 10.0.0.11:749
  default_domain = triumph
 }

[domain_realm]
 .trinet.com.cn = TRINET.COM.CN
 trinet.com.cn = TRINET.COM.CN

g. Edit kdc.conf:
[root@mailgate etc]# vi /var/kerberos/krb5kdc/kdc.conf
Change:
[realms]
 EXAMPLE.COM = {
  master_key_type = des-cbc-crc
  supported_enctypes = arcfour-hmac:normal arcfour-hmac:norealm arcfour-hmac:onlyrealm des3-hmac-sha1:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }

to read:
[realms]
 TRIUMPH = {
  master_key_type = des-cbc-crc
  supported_enctypes = arcfour-hmac:normal arcfour-hmac:norealm arcfour-hmac:onlyrealm des3-hmac-sha1:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }

h. Restart the related services:
[root@mailgate ~]# service smb restart
Shutting down SMB services:                                [  OK  ]
Shutting down NMB services:                                [  OK  ]
Starting SMB services:                                     [  OK  ]
Starting NMB services:                                     [  OK  ]
[root@mailgate ~]# service winbind restart
Shutting down Winbind services:                            [  OK  ]
Starting Winbind services:                                 [  OK  ]
[root@mailgate ~]#


i. Checks before joining the domain:
[root@mailgate ~]# more /etc/sysconfig/clock     # check the time zone
If it is wrong, correct it as follows:
[root@mailgate ~]# vi /etc/sysconfig/clock
ZONE="Asia/Chongqing"
UTC=true
ARC=false
[root@mailgate ~]# ln -sf /usr/share/zoneinfo/Asia/Chongqing /etc/localtime

[root@mailgate ~]# date     # check that the clock differs from AD by less than 5 minutes
If the difference is too large, correct it as follows:
[root@mailgate ~]# date 101221202007.54
Wed Oct 23 21:20:54 CST 2007
[root@mailgate ~]# hwclock --systohc

Test before joining the domain. Remember that the realm name must be in capitals; if entering the account's password produces no error, we can go ahead and join the domain:
[root@mailgate ~]# kinit leeki.yan@TRIUMPH
Password for leeki.yan@TRIUMPH:
[root@mailgate ~]#
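A pre-join check, added here as an example and not part of the original post: it reads the realm that smb.conf will join and the default_realm from krb5.conf (steps e and f above must agree on this for the Kerberos join to work), and compares the local clock with the domain controller's against the 5-minute tolerance mentioned above. The function names, the --live switch and the use of net time -S to read the DC's clock are this example's own choices; the file paths and the DC address 10.0.0.11 are the post's.

```shell
#!/bin/sh
# Added example, not from the original post: checks worth running before
# "authconfig" joins the domain. Paths are the post's; override by environment.
SMB_CONF=${SMB_CONF:-/etc/samba/smb.conf}
KRB5_CONF=${KRB5_CONF:-/etc/krb5.conf}
MAX_SKEW=300    # seconds: Kerberos rejects tickets when clocks differ by more

# conf_value FILE KEY: print the value of "key = value" from an ini-style
# file (smb.conf or krb5.conf), ignoring comment lines; empty if absent.
conf_value() {
    awk -v key="$2" '
        /^[[:space:]]*[;#]/ { next }
        /=/ {
            k = $0; sub(/=.*/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# realms_match SMB_CONF KRB5_CONF: succeed when the "realm" Samba will join
# is the realm krb5.conf treats as default (compared case-insensitively).
realms_match() {
    smb_realm=$(conf_value "$1" realm | tr 'a-z' 'A-Z')
    krb_realm=$(conf_value "$2" default_realm | tr 'a-z' 'A-Z')
    [ -n "$smb_realm" ] && [ "$smb_realm" = "$krb_realm" ]
}

# skew_ok LOCAL_EPOCH REMOTE_EPOCH: succeed when the clocks are within MAX_SKEW.
skew_ok() {
    delta=$(( $1 - $2 ))
    [ "$delta" -lt 0 ] && delta=$(( 0 - delta ))
    [ "$delta" -le "$MAX_SKEW" ]
}

# Live run, only with "--live [DC]": the functions above can then be sourced
# and exercised on a machine that has no domain controller in reach.
if [ "${1:-}" = "--live" ]; then
    realms_match "$SMB_CONF" "$KRB5_CONF" ||
        echo "realm in $SMB_CONF differs from default_realm in $KRB5_CONF"
    dc=${2:-10.0.0.11}
    # "net time -S host" prints the DC's clock; assumes GNU date can parse it.
    if remote=$(date -d "$(net time -S "$dc")" +%s 2>/dev/null); then
        skew_ok "$(date +%s)" "$remote" ||
            echo "clock differs from $dc by more than ${MAX_SKEW}s"
    else
        echo "could not read the clock of $dc"
    fi
fi
```

Run it as `sh prejoin.sh --live 10.0.0.11` on the gateway; a silent run means both checks passed. The kinit test above remains the final proof, since it exercises the KDC address in krb5.conf as well.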


j. Join the domain:
[root@mailgate ~]# authconfig
Follow the screenshots step by step:

(Figures 1 to 7: the authconfig screens; images not reproduced here)

Once the domain has been joined, a message like the following is shown:
Joined 'MAIL' to realm 'TRIUMPH'
setsebool: SELinux is disabled.
Shutting down Winbind services:                            [  OK  ]
Starting Winbind services:                                 [  OK  ]
[root@mailgate ~]#

[root@mailgate ~]# wbinfo -g     # list the groups in the domain
[root@mailgate ~]# wbinfo -u     # list the users in the domain
[root@mailgate ~]# id spam
uid=16777343(spam) gid=16777216(Domain Users) groups=16777216(Domain Users)
The account information for the domain user spam is visible!



k. Integrating with AD: creating a directory for every account by hand is too much trouble, so the following method can be used. This way, even if the Exchange mail server is down one day, we can still use this mail gateway to send and receive mail! Ha ha!
[root@mailgate ~]# vi trinet.awk
#!/bin/awk -f
# Create a home directory for every account whose uid falls inside the
# winbind idmap range configured in smb.conf (16777216-33554431).
BEGIN {
    FS = ":"
    uidmin = 16777216
    uidmax = 33554431
}

{
    if ($3 >= uidmin && $3 <= uidmax) {
        print "\nmake directory " $6 "\nchown " $3 "." $4 " " $6
        system("mkdir -p " $6 "; chown " $3 "." $4 " " $6)
    }
}

[root@mailgate ~]# getent passwd | awk -f trinet.awk
[root@mailgate ~]# getent passwd
[root@mailgate ~]# cd /home
[root@mailgate ~]# mkdir TRIUMPH
[root@mailgate ~]# chown -R postfix TRIUMPH
[root@mailgate ~]# chmod 777 TRIUMPH
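An added example (not the post's trinet.awk) that does the same job in a dry-run form and with tighter permissions: it prints the mkdir/chown/chmod commands for every account whose uid falls in the post's idmap range, but gives each home mode 0700 owned by the domain user and keeps /home/TRIUMPH root-owned and 0755, instead of the world-writable chmod 777 above. Postfix's local(8) delivery agent writes a user's home mailbox with that user's own privileges, so it does not need the directory to be writable by everyone. The function names and the sample passwd lines are this example's own.

```shell
#!/bin/sh
# Added example, not the post's trinet.awk: plan the home directories for
# the winbind-mapped accounts in "getent passwd" output, keeping the post's
# idmap range, but with a root-owned 0755 /home/TRIUMPH and 0700 per-user
# homes rather than "chmod 777". Nothing is executed; the plan is printed.
UIDMIN=${UIDMIN:-16777216}
UIDMAX=${UIDMAX:-33554431}

# plan_domain_dir DIR: command line that creates the shared parent directory
# owned by root and readable, but not writable, by everyone else.
plan_domain_dir() {
    printf 'mkdir -p %s && chown root:root %s && chmod 0755 %s\n' "$1" "$1" "$1"
}

# plan_homedirs: read passwd-format lines on stdin; for each account whose
# uid lies inside the idmap range print the command line that creates its
# home owned by that uid:gid with mode 0700. Local accounts are skipped.
plan_homedirs() {
    awk -F: -v min="$UIDMIN" -v max="$UIDMAX" '
        NF >= 6 && $3 >= min && $3 <= max && $6 != "" {
            printf "mkdir -p %s && chown %s:%s %s && chmod 0700 %s\n",
                   $6, $3, $4, $6, $6
        }'
}

# Constructed sample of what getent prints once winbind is in nsswitch.conf:
# only the second line is a domain account (uid inside the idmap range).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
spam:*:16777343:16777216:spam:/home/TRIUMPH/spam:/sbin/nologin'

# A stand-alone run prints the plan for the sample. On the gateway itself:
#   plan_domain_dir /home/TRIUMPH | sh ; getent passwd | plan_homedirs | sh
plan_domain_dir /home/TRIUMPH
printf '%s\n' "$SAMPLE_PASSWD" | plan_homedirs
```

Because the output is only a plan, it can be reviewed (and compared with `getent passwd` on a later day) before anything is created.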

4. Next, configure Postfix so that user authentication for sending and receiving mail looks up the account information in AD through winbind:
a. [root@mailgate ~]# vi /etc/pam.d/smtp
Add:
auth       sufficient   pam_winbind.so
account    sufficient   pam_winbind.so
password   sufficient   pam_winbind.so use_authtok

b. [root@mailgate ~]# vi /etc/pam.d/dovecot
Add:
auth       sufficient   pam_winbind.so
account    sufficient   pam_winbind.so
password   sufficient   pam_winbind.so use_authtok

c. [root@mailgate ~]# vi /etc/pam.d/login
Add:
auth       sufficient   pam_winbind.so
account    sufficient   pam_winbind.so
password   sufficient   pam_winbind.so use_authtok

d. [root@mailgate ~]# ln -s /usr/lib/sasl2/smtpd.conf /usr/local/lib/smtpd.conf
[root@mailgate ~]# vi /usr/local/lib/smtpd.conf     # contents as follows
# pwcheck_method: auxprop
pwcheck_method: saslauthd
log_level: 2
mech_list: PLAIN LOGIN

e. [root@mailgate ~]# vi /etc/init.d/saslauthd
Change:
MECH=shadow
to:
MECH=pam
Then restart the service:
[root@mailgate lib]# service saslauthd restart
Stopping saslauthd:                                        [  OK  ]
Starting saslauthd:                                        [  OK  ]
[root@mailgate lib]#


5. If mail sent from the external network gets "Relay access denied", check the following:
a. In /etc/sysconfig/saslauthd, MECH=pam;
b. The smb service is started;
c. In /etc/postfix/main.cf, verify that the following are enabled:
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain   (Note: originally this was $myhostname; try changing it to $mydomain)
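A small triage script for the checks in point 5, added here as an example and not taken from the post. It reads MECH= from /etc/sysconfig/saslauthd, smtpd_sasl_auth_enable from main.cf, and looks for the pam_winbind.so auth line that step 4a adds to /etc/pam.d/smtp; unless TRIAGE_OFFLINE is set it also asks the init script whether smb is running. The function names, the --check and TRIAGE_OFFLINE switches and the environment-variable overrides are this example's own; the paths and expected values are the post's.

```shell
#!/bin/sh
# Added example, not from the original post: reads the settings the post
# says to check when SMTP AUTH fails with "Relay access denied", from the
# files the post edits. Function names and the TRIAGE_OFFLINE switch are
# this example's own; paths and expected values are the post's.
SASL_SYSCONFIG=${SASL_SYSCONFIG:-/etc/sysconfig/saslauthd}
MAIN_CF=${MAIN_CF:-/etc/postfix/main.cf}
PAM_SMTP=${PAM_SMTP:-/etc/pam.d/smtp}

# sysconfig_mech FILE: print the value of MECH= (quotes stripped); empty if unset.
sysconfig_mech() {
    awk -F= '/^[[:space:]]*MECH=/ { v = $2; gsub(/["[:space:]]/, "", v); print v; exit }' "$1"
}

# postcf_value FILE PARAM: value of a main.cf parameter, last definition
# winning and comments ignored (roughly what "postconf PARAM" reports,
# without Postfix's $variable expansion).
postcf_value() {
    awk -v p="$2" '
        /^[[:space:]]*#/ { next }
        /^[^[:space:]][^=]*=/ {
            k = $0; sub(/[[:space:]]*=.*/, "", k)
            if (k == p) { v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); val = v }
        }
        END { print val }' "$1"
}

# pam_uses_winbind FILE: succeed when an auth line loads pam_winbind.so.
pam_uses_winbind() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+[^[:space:]]+[[:space:]]+pam_winbind\.so' "$1"
}

# triage: print each problem found; the return value is the number of problems.
triage() {
    n=0
    [ "$(sysconfig_mech "$SASL_SYSCONFIG")" = "pam" ] ||
        { echo "MECH in $SASL_SYSCONFIG is not pam"; n=$((n + 1)); }
    [ "$(postcf_value "$MAIN_CF" smtpd_sasl_auth_enable)" = "yes" ] ||
        { echo "smtpd_sasl_auth_enable in $MAIN_CF is not yes"; n=$((n + 1)); }
    pam_uses_winbind "$PAM_SMTP" ||
        { echo "no pam_winbind.so auth line in $PAM_SMTP"; n=$((n + 1)); }
    # Is smb running? Skipped when TRIAGE_OFFLINE is set, e.g. when this file
    # is exercised on a machine that is not the gateway.
    if [ -z "${TRIAGE_OFFLINE:-}" ]; then
        service smb status >/dev/null 2>&1 ||
            { echo "smb service is not running"; n=$((n + 1)); }
    fi
    return "$n"
}

# Run the checks against the real files only when asked to.
if [ "${1:-}" = "--check" ]; then
    triage && echo "saslauthd/PAM/Postfix settings look right"
fi
```

When the files look right but logins still fail, test the chain end to end from the gateway with `testsaslauthd -u <user> -p <password> -s smtp` (shipped with cyrus-sasl): it only reports success when saslauthd, PAM and winbind all agree on the account, so it separates a saslauthd problem from a Postfix one. `wbinfo -a <user>%<password>` tests the winbind step alone.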

6. Add mail monitoring on the gateway through MailScanner and test it:
a.
[root@mailgate ~]# vi /etc/MailScanner/MailScanner.conf
Find:
Archive Mail =
Change to:
Archive Mail = %rules-dir%/archive.rules
b.
[root@mailgate ~]# cd /etc/MailScanner/rules/
[root@mailgate rules]# ls     # check whether archive.rules exists; if not, create it by hand
bounce.rules  EXAMPLES  max.message.size.rules  README  spam.whitelist.rules
[root@mailgate rules]# vi archive.rules
Add the following line (meaning: mail from leeki.yan@trinet.com.cn has a copy forwarded to spam@trinet.com.cn):
From: leeki.yan@trinet.com.cn yes forward spam@trinet.com.cn
Then restart MailScanner:
[root@mailgate rules]# service MailScanner restaert
Usage: service MailScanner {start|stop|status|restart|reload|startin|startout|stopms}
[root@mailgate rules]# service MailScanner restart
Shutting down MailScanner daemons:
         MailScanner:                                      [  OK  ]
         incoming postfix:                                 [  OK  ]
         outgoing postfix:                                 [  OK  ]
Waiting for MailScanner to die gracefully ... dead.
Starting MailScanner daemons:
         incoming postfix:                                 [  OK  ]
         outgoing postfix:                                 [  OK  ]
         MailScanner:                                      [  OK  ]
[root@mailgate rules]#
Send a message to leeki.yan@trinet.com.cn and look at the maillog. The lines that were marked in red in the original show that the copy was made successfully: the single message is requeued with nrcpt=2 and delivered twice to the Exchange server.
Nov  1 20:14:44 mailgate postfix/smtpd[26774]: connect from unknown[10.4.4.222]
Nov  1 20:14:44 mailgate postfix/smtpd[26774]: D01AEC882E1: client=unknown[10.4.4.222], sasl_method=LOGIN, sasl_username=leeki.yan@mailgate.trinet.com.cn
Nov  1 20:14:44 mailgate postfix/cleanup[26777]: D01AEC882E1: hold: header Received: from triumphweihu (unknown [10.4.4.222])??by mailgate.trinet.com.cn (Postfix) with ESMTP id D01AEC882E1??for ; Thu, 1 Nov 2007 20:14:44 +0800 (CST) from unknown[10.4.4.222]; from= to= proto=ESMTP helo=
Nov  1 20:14:44 mailgate postfix/cleanup[26777]: D01AEC882E1: message-id=<002201c81c80$b96932d0$de04040a@triumphweihu>
Nov  1 20:14:44 mailgate postfix/smtpd[26774]: disconnect from unknown[10.4.4.222]
Nov  1 20:14:45 mailgate MailScanner[26771]: New Batch: Scanning 1 messages, 2386 bytes
Nov  1 20:14:45 mailgate MailScanner[26771]: Virus and Content Scanning: Starting
Nov  1 20:14:47 mailgate MailScanner[26771]: Requeue: D01AEC882E1.EFDC3 to 9FCDAC88479
Nov  1 20:14:47 mailgate postfix/qmgr[26750]: 9FCDAC88479: from=, size=2547, nrcpt=2 (queue active)
Nov  1 20:14:47 mailgate MailScanner[26771]: Uninfected: Delivered 1 messages
Nov  1 20:14:47 mailgate postfix/smtp[26785]: 9FCDAC88479: to=, relay=10.0.0.11[10.0.0.11], delay=3, status=sent (250 2.6.0 <002201c81c80$b96932d0$de04040a@triumphweihu> Queued mail for delivery)
Nov  1 20:14:47 mailgate postfix/smtp[26785]: 9FCDAC88479: to=, relay=10.0.0.11[10.0.0.11], delay=3, status=sent (250 2.6.0 <002201c81c80$b96932d0$de04040a@triumphweihu> Queued mail for delivery)
Nov  1 20:14:47 mailgate postfix/qmgr[26750]: 9FCDAC88479: removed

c. How archive.rules lines are written, and other points to note:
To: spam@trinet.com.cn yes forward leeki.yan@trinet.com.cn
means: mail sent to spam@trinet.com.cn has a copy forwarded to leeki.yan@trinet.com.cn.

FromOrTo: spam@trinet.com.cn yes forward leeki.yan@trinet.com.cn
means: mail from or to spam@trinet.com.cn has a copy forwarded to leeki.yan@trinet.com.cn.

To: *@trinet.com.cn yes forward leeki.yan@trinet.com.cn
means: all incoming mail has a copy forwarded to leeki.yan@trinet.com.cn.
For example, if leeki.yan@trinet.com.cn sends a test letter to leeki.yan@trinet.com.cn, then in theory leeki.yan@trinet.com.cn should receive two copies. In the maillog below (the lines marked in red in the original), you can see that leeki.yan received two e-mails!!
Nov  1 20:25:44 mailgate postfix/qmgr[27280]: A8EABC88479: from=, size=2547, nrcpt=2 (queue active)
Nov  1 20:25:44 mailgate MailScanner[27294]: Uninfected: Delivered 1 messages
Nov  1 20:25:44 mailgate postfix/smtp[27314]: A8EABC88479: to=, relay=10.0.0.11[10.0.0.11], delay=3, status=sent (250 2.6.0 <004a01c81c82$40ab1820$de04040a@triumphweihu> Queued mail for delivery)
Nov  1 20:25:44 mailgate postfix/smtp[27314]: A8EABC88479: to=, relay=10.0.0.11[10.0.0.11], delay=3, status=sent (250 2.6.0 <004a01c81c82$40ab1820$de04040a@triumphweihu> Queued mail for delivery)
Nov  1 20:25:44 mailgate postfix/qmgr[27280]: A8EABC88479: removed


Other rule forms:
Copies to several mailboxes at once:
FromOrTo: a@test.com yes forward b@test.com c@test.com d@test.com
Method 2: back up to one or more files and one or more mailboxes at the same time:

FromOrTo: a@test.com yes forward /var/spool/MailScanner/archive/a_user_backup.mbx /var/spool/MailScanner/archive/a_user_backup.mbx b@toping.net scyz2@163.com
Note: for the line above, the file must be created first, and its owner must be the same as the Run As User = XXXXXXX setting in MailScanner.conf.
Method 3: back up to a folder plus several mailboxes or files:

FromOrTo: a@test.com yes forward /var/spool/MailScanner/archive/ b@test.com dreamflying2006@163.com /var/spool/MailScanner/archive/a_user_backup.mbx
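A simplified evaluator for the archive.rules lines discussed in point c, added here as an example and not part of the original post or of MailScanner. It handles the three fields the post uses (From:, To:, FromOrTo:), the *@domain wildcard, case-insensitive matching and several forward targets per line, so you can predict which copies a rule file will make for a given sender and recipient before restarting MailScanner. It does not model the rest of MailScanner's rule syntax (for example "and" conditions or the default rule). The function names and the constructed rules file, which reuses the post's addresses, are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post and not MailScanner's own code:
# a cut-down evaluator for archive.rules. For a sender/recipient pair it
# prints the forward targets (mailboxes or files) of every matching rule.

# archive_targets RULES_FILE SENDER RECIPIENT
archive_targets() {
    awk -v from="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        -v to="$(printf '%s' "$3" | tr 'A-Z' 'a-z')" '
        # glob_match: "*" in a rule pattern matches anything, dots are literal,
        # and comparison is case-insensitive, as in MailScanner.
        function glob_match(pat, s,    re) {
            re = tolower(pat)
            gsub(/\./, "\\.", re)
            gsub(/\*/, ".*", re)
            return s ~ ("^" re "$")
        }
        /^[[:space:]]*#/ || NF < 5 { next }
        tolower($3) != "yes" || tolower($4) != "forward" { next }
        {
            field = tolower($1); pat = $2; hit = 0
            if (field == "from:")          hit = glob_match(pat, from)
            else if (field == "to:")       hit = glob_match(pat, to)
            else if (field == "fromorto:") hit = glob_match(pat, from) || glob_match(pat, to)
            if (hit) for (i = 5; i <= NF; i++) print $i
        }' "$1"
}

# sample_rules_file: write a constructed rules file (the post's own addresses,
# not the post's file) to a temp file and print its path.
sample_rules_file() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed archive.rules for the example
From: leeki.yan@trinet.com.cn yes forward spam@trinet.com.cn
To: *@trinet.com.cn yes forward leeki.yan@trinet.com.cn
FromOrTo: a@test.com yes forward /var/spool/MailScanner/archive/a_user_backup.mbx b@test.com
EOF
    printf '%s\n' "$f"
}

# Demonstration: a letter leeki.yan sends to himself is matched by both the
# From: rule and the To: *@ rule, so two copies are forwarded.
demo_file=$(sample_rules_file)
archive_targets "$demo_file" leeki.yan@trinet.com.cn leeki.yan@trinet.com.cn
rm -f "$demo_file"
```

Point it at the real file with `archive_targets /etc/MailScanner/rules/archive.rules sender recipient` to see, for any pair of addresses, which mailboxes and files would receive a copy; an unexpected target in that list is the quickest way to spot a wildcard rule that copies more mail than intended.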

d. Note: when writing archive.rules, watch upper and lower case; the colon must be followed by a space; and do not forget to restart the MailScanner service after every change!!!

e. There are also main.cf parameters that implement mail monitoring; these will be added later!!!! The relevant main.cf parameters are:
sender_bcc_maps: back up sent mail
recipient_bcc_maps: back up received mail
always_bcc: back up both sent and received mail
