Wednesday, January 16, 2008

Service: Sendmail - genericstable

Introduction

Sendmail can rewrite the sender information in the message header (the From header), either per username, per domain name, or per full username@domainname address. To set up sender rewriting in Sendmail, first modify /etc/sendmail.mc so that Sendmail enables rewriting of the sender data in outgoing messages, then build the sender mapping database (genericstable) and the recipient mapping database (/etc/aliases) so that mail sent to the rewritten address is still delivered to the real user.


Key words: Sendmail, genericstable


  1. Configuration and tuning

    1. Enable the sender-rewrite feature:

Edit /etc/sendmail.mc to enable sender rewriting. In this file the following settings must appear before MAILER( ):

FEATURE(`genericstable')dnl
FEATURE(`always_add_domain')dnl
FEATURE(`generics_entire_domain')dnl
GENERICS_DOMAIN_FILE(`/etc/mail/local-host-names')dnl

# make -C /etc/mail
# service sendmail restart


    2. Build the sender mapping database (using myuser1 as the example):

[root@server1 mail]# cat > genericstable
myuser1 myuser1.alias@example.com
myuser2 myuser2.alias@example.com
[root@server1 mail]# makemap hash genericstable < genericstable


    3. Build the list of domains this server accepts mail for:

[root@server1 mail]# cat >> local-host-names
server1.example.com
example.com


    4. Build the recipient mapping database:

[root@server1 mail]# cat >> /etc/aliases
myuser1.alias: myuser1
myuser2.alias: myuser2

[root@server1 mail]# newaliases
/etc/aliases: 80 aliases, longest 15 bytes, 848 bytes total
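As an added check (not part of the original post or of Sendmail), the following Python script cross-checks the three files built above: every rewritten sender address from genericstable must use a domain listed in local-host-names and must have an /etc/aliases entry pointing back to the real account, otherwise replies to the rewritten address bounce. The file contents are constructed inline, including two deliberately broken entries (myuser3 and myuser4) that are not in the post.

```python
# Added example for this post, not Sendmail code: a rewritten sender address
# only works if replies come back, so its domain must be in local-host-names
# and its local part needs an /etc/aliases entry back to the real account.

# Constructed inputs: the two entries from the post plus two broken ones.
GENERICSTABLE = """
myuser1 myuser1.alias@example.com
myuser2 myuser2.alias@example.com
myuser3 myuser3.alias@example.com
myuser4 myuser4.alias@other.example.net
"""
ALIASES = """
# comment and blank lines are ignored, as in /etc/aliases
myuser1.alias: myuser1
myuser2.alias: myuser2
"""
LOCAL_HOST_NAMES = """
server1.example.com
example.com
"""

def _lines(text):
    """Yield non-empty, non-comment lines with surrounding whitespace removed."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def parse_genericstable(text):
    """'user rewritten@address' per line -> {user: rewritten@address}."""
    return dict(line.split(None, 1) for line in _lines(text))

def parse_aliases(text):
    """'name: target' per line -> {name: target}."""
    return {k.strip(): v.strip() for k, v in (ln.split(":", 1) for ln in _lines(text))}

def check_rewrites(generics, aliases, local_hosts):
    """Return (user, problem) pairs for rewrites that a reply could not reach."""
    problems = []
    for user, rewritten in generics.items():
        local, _, domain = rewritten.partition("@")
        if domain not in local_hosts:
            problems.append((user, f"domain {domain} not in local-host-names"))
        elif aliases.get(local) != user:
            problems.append((user, f"no alias maps {local} back to {user}"))
    return problems

def run_check():
    """Check the constructed files; an empty list means the setup is consistent."""
    return check_rewrites(parse_genericstable(GENERICSTABLE), parse_aliases(ALIASES),
                          set(_lines(LOCAL_HOST_NAMES)))
```

Import the module and call run_check(): the two constructed broken entries are reported, the post's own two entries are not.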


  2. Verification

Local

[root@server1 mail]# su - myuser1
[myuser1@server1 ~]$ echo 'test alias' | mail -vs 'test' root@station5.example.com
root@station5.example.com... Connecting to [127.0.0.1] via relay...
220 server1.example.com ESMTP Sendmail 8.13.5/8.13.5; Thu, 17 Jan 2008 13:48:44 +0800
>>> EHLO server1.example.com
250-server1.example.com Hello localhost.localdomain [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
>>> MAIL From:<myuser1@server1.example.com> SIZE=56
250 2.1.0 <myuser1@server1.example.com>... Sender ok
>>> RCPT To:<root@station5.example.com>
>>> DATA
250 2.1.5 <root@station5.example.com>... Recipient ok
354 Enter mail, end with "." on a line by itself
>>> .
250 2.0.0 m0H5miI1025855 Message accepted for delivery
root@station5.example.com... Sent (m0H5miI1025855 Message accepted for delivery)
Closing connection to [127.0.0.1]
>>> QUIT
221 2.0.0 server1.example.com closing connection


Remote

[root@station5 root]# mutt
Date: Thu, 17 Jan 2008 13:48:44 +0800
From: myuser1.aliases@example.com
To: root@station5.example.com
Subject: test

test alias


Reply to the message to verify the /etc/aliases setting:

Date: Thu, 17 Jan 2008 14:20:50 +0800
From: root <root@station5.example.com>
To: myuser1.alias@example.com
Subject: Re: test
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <200801170555.m0H5tevD025923@server1.example.com>; from
+myuser1.alias@example.com on Thu, Jan 17, 2008 at 01:55:40PM +0800

Alias is OK to go

On Thu, Jan 17, 2008 at 01:55:40PM +0800, myuser1.alias@example.com wrote:
> test alias

Sunday, January 13, 2008

Security: The Pluggable Authentication Module (PAM) system

I. Module types

  1. auth
  2. account
  3. password
  4. session

II. Control flags

  1. required
  2. requisite
  3. sufficient
  4. optional


Worked example: /etc/pam.d/login


[root@server1 pam.d]# cat /etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session optional pam_keyinit.so force revoke


Worked example: a custom PAM rule (restricting access for users listed in a file)

Module file location: /lib/security/pam_listfile.so

Module documentation location: /usr/share/doc/pam-0.99.6.2/txts

Module purpose: restrict user access

Module type: auth

Example:

auth required pam_listfile.so onerr=succeed item=user sense=deny file=/etc/special

When this line is added to a PAM stack, any user listed in /etc/special is denied access. Note that onerr=succeed lets the check pass if /etc/special cannot be read; when the list is meant to enforce a restriction, onerr=fail is the safer setting.

For example, the rule in /etc/pam.d/vsftpd checks the users listed in /etc/vsftpd/ftpusers and refuses access to every user named there.

[root@server1 pam.d]# cat vsftpd
#%PAM-1.0
session optional pam_keyinit.so force revoke
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth required pam_shells.so
auth include system-auth
account include system-auth
session include system-auth
session required pam_loginuid.so


Worked example: the pam_tally.so module (tracking failed login attempts)

First we need to know which PAM file login uses. In /etc/pam.d/login, the first line restricts root to logging in only from a secure tty (listed in /etc/securetty), and the second line defines the authentication behaviour for ordinary users. So in the hands-on steps below we add the pam_tally.so module to system-auth to track users' failed login attempts.

# cd /etc/pam.d
# vi /etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_tally.so no_magic_root      <-- add this line
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

After saving the file, verify it:

From another tty, log in as an ordinary user (student is used below) and deliberately enter wrong passwords until "Permission denied (publickey,gssapi-with-mic,password)." appears; then log in to the system and run faillog -u student.

[root@server1 pam.d]# faillog -u student
Login       Failures Maximum Latest                   On
student            6       0 01/12/08 09:47:49 +0800  192.168.1.1
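As an added illustration (not Linux-PAM code and not from the original post), the Python model below shows how the control flags listed under II combine module results, run over the auth section of the system-auth file above. Module outcomes are constructed inputs; the point it makes is that pam_tally.so, being required and placed before the sufficient pam_unix.so line, still denies a locked-out account even when the password is correct.

```python
# Added example for this post, not Linux-PAM code: a simplified evaluator for the
# four classic control flags, run over the auth section of system-auth shown
# above. Module outcomes are constructed inputs, not real authentication.
SUCCESS, FAIL = "success", "fail"

def evaluate_stack(stack, outcomes):
    """stack: [(control, module)]; outcomes: {module: SUCCESS|FAIL}.
    Returns (final_result, list of modules actually consulted)."""
    consulted, first_required_failure = [], None
    for control, module in stack:
        result = outcomes.get(module, SUCCESS)
        consulted.append(module)
        if control == "required":
            # Remembered, but the stack keeps running so a rejected user
            # cannot tell which module turned them away.
            if result == FAIL and first_required_failure is None:
                first_required_failure = module
        elif control == "requisite":
            if result == FAIL:          # a failure ends the stack at once
                return FAIL, consulted
        elif control == "sufficient":
            # Success ends the stack early unless a required module already
            # failed; a failure here is simply ignored.
            if result == SUCCESS and first_required_failure is None:
                return SUCCESS, consulted
        elif control != "optional":     # optional never changes the result
            raise ValueError(f"unknown control flag: {control}")
    return (FAIL if first_required_failure else SUCCESS), consulted

# auth section of system-auth after inserting pam_tally.so (from the post).
AUTH_STACK = [
    ("required", "pam_tally.so"),
    ("required", "pam_env.so"),
    ("sufficient", "pam_unix.so"),
    ("requisite", "pam_succeed_if.so"),
    ("required", "pam_deny.so"),
]

def login(password_ok, tally_ok=True, uid_ok=True):
    """Outcome of the auth stack for one constructed login attempt."""
    outcomes = {
        "pam_unix.so": SUCCESS if password_ok else FAIL,
        "pam_tally.so": SUCCESS if tally_ok else FAIL,  # FAIL = too many failures
        "pam_succeed_if.so": SUCCESS if uid_ok else FAIL,
        "pam_deny.so": FAIL,                            # always fails
    }
    return evaluate_stack(AUTH_STACK, outcomes)

if __name__ == "__main__":
    print(login(True), login(False), login(True, tally_ok=False))
```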


Friday, January 11, 2008

Creating users and the default files in the home directory

On the purpose of the default files in the home directory, taking umask as the example: the default umask is normally 0022, which means directories we create get mode 755 and files get mode 644. When we want users in the same group to share files (g=rw), we can do this:


echo "umask 0002" >> /etc/skel/.bashrc


Using a for loop to create users quickly

Worked example: a system with users Joshua and alex in the sales group; dax and byran in the hr group; zak and ed in the web group; and manager in the sales, hr, and web groups.

# for group in sales hr web
> do
>   groupadd $group
> done

# for pair in Joshua:sales alex:sales dax:hr byran:hr zak:web ed:web manager:sales
> do
>   useradd -G ${pair#*:} ${pair%:*}
> done

# usermod -G sales,hr,web manager