
linux服务器搭建_基于LINUX系统的邮件服务器搭建和详细部署(POSTFIX)

/usr/libexec/postfix/master

linux

master调度所有的程序:

master-->pickup/cleanup-->rewrite.....

/etc/postfix/master.cf

# ls /etc/postfix/*.cf -l

-rw-r--r-- 1 root root 26737 Aug 11 2008 /etc/postfix/main.cf --主配置文件

-rw-r--r-- 1 root root 4137 Aug 11 2008 /etc/postfix/master.cf --程序调度的配置文件master

# ls /usr/libexec/postfix/ --master调度的程序如下:

anvil error master pipe scache spawn virtual

bounce flush nqmgr proxymap showq tlsmgr

cleanup lmtp oqmgr qmgr smtp trivial-rewrite

discard local pickup qmqpd smtpd verify

如何调度靠/etc/postfix/master.cf文件来:

安装postfix

1.如果有sendmail,需要先停掉旧的MTA

# service sendmail stop

# chkconfig sendmail off

2.安装postfix

# yum -y install postfix

# rpm -ql postfix

/etc/pam.d/smtp.postfix--pam验证设置,默认情况下postfix使用系统验证

/etc/postfix --存放配置文件

/etc/postfix/access --smtp访问控制

/etc/postfix/main.cf --主配置文件,postfix基本所有的配置都在此

/etc/postfix/master.cf--核心配置文件,实现邮件程序的调度

/sbin/ --postfix管理员命令(root)

/usr/libexec/postfix --所有用户都能调用的命令

/var/spool/postfix --邮件投递切换目录

/etc/rc.d/init.d/postfix--启动脚本

# cat /etc/postfix/main.cf|grep -v ^#|grep -v ^$

queue_directory = /var/spool/postfix--邮件队列

command_directory = /usr/sbin --postfix管理员命令

daemon_directory = /usr/libexec/postfix--普通用户能用的命令

mail_owner = postfix --启动postfix用户身份

myhostname = mail.baidu.com --主机名

mydomain = baidu.com --域名

myorigin = $mydomain --自动补全域(用在单域的环境/多域的环境保持为空)

inet_interfaces = all --监听地址,改监听需要service postfix restart其它只要reload

mydestination = $mydomain, localhost--信任域

mynetworks = 127.0.0.0/8 --信任网络

alias_maps = hash:/etc/aliases --别名/群发文件

#home_mailbox = Mailbox

#home_mailbox = Maildir/

unknown_local_recipient_reject_code = 550

alias_database = hash:/etc/aliases --别名/群发的数据库文件

debug_peer_level = 2

debugger_command =

PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin

xxgdb $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail.postfix

newaliases_path = /usr/bin/newaliases.postfix

mailq_path = /usr/bin/mailq.postfix

setgid_group = postdrop

html_directory = no

manpage_directory = /usr/share/man

sample_directory = /usr/share/doc/postfix-2.3.3/samples

readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES

------------------------

/etc/init.d/postfix restart | reload | stop | start --红帽的启动脚本

/usr/sbin/postfix reload | stop | start | check --postfix官方的对服务的管理方式

postfix reload--不重启服务器重新加载配置文件,除:inet_interfaces = all,必须是restart

postconf --查看postfix所有已经生效配置选项(默认+非默认的配置)

postconf -n --查看用户自定义(非默认)的配置选项

postconf -d--查看默认的配置官方选项

postconf -e--通过非交互模式修改主配置文件 /etc/postfix/main.cf

实例:

postfix(MTA smtp)+dovecot(pop3/imap)+squirrelmail(webmail)+apache+php+bind

确认DNS的配置(MX记录)和主机名,并把邮件服务器的首选DNS指向正确的DNS服务器

# nslookup

> set type=mx

> baidu.com

Server: 192.168.0.39

Address: 192.168.0.39#53

baidu.com mail exchanger = 5 mail.baidu.com.

配置主机名:

# hostname mail.baidu.com

# vim /etc/sysconfig/network

HOSTNAME=mail.baidu.com

# vim /etc/hosts

192.168.0.16 mail.baidu.com baidu.com mail

# postconf -n

alias_database = hash:/etc/aliases

alias_maps = hash:/etc/aliases

command_directory = /usr/sbin

config_directory = /etc/postfix

daemon_directory = /usr/libexec/postfix

debug_peer_level = 2

home_mailbox = Maildir/ --邮箱的存储格式,mailbox只有一个文件存储邮件

html_directory = no

inet_interfaces = all

mail_owner = postfix

mailq_path = /usr/bin/mailq.postfix

manpage_directory = /usr/share/man

mydestination = $mydomain, localhost

mydomain = baidu.com

myhostname = mail.baidu.com

mynetworks = 192.168.0.0/24

myorigin = $mydomain

newaliases_path = /usr/bin/newaliases.postfix

queue_directory = /var/spool/postfix

readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES

sample_directory = /usr/share/doc/postfix-2.3.3/samples

sendmail_path = /usr/sbin/sendmail.postfix

setgid_group = postdrop

unknown_local_recipient_reject_code = 550

# service postfix restart

# chkconfig postfix on

# netstat -tnlp |grep :25 --postfix使用smtp协议

使用dovecot实现110/143收信

# yum -y install dovecot

# vim /etc/dovecot/conf.d/10-auth.conf --让dovecot支持明文验证

disable_plaintext_auth = no

(error -ERR Plaintext authentication disallowed on non-secure (SSL/TLS) connections. )

# service dovecot start

# chkconfig dovecot on

netstat -tlp|grep dove

tcp 0 0 *:imaps *:* LISTEN 21275/dovecot

tcp 0 0 *:pop3s *:* LISTEN 21275/dovecot

tcp 0 0 *:pop3 *:* LISTEN 21275/dovecot

tcp 0 0 *:imap *:* LISTEN 21275/dovecot

# telnet localhost 110

Trying 127.0.0.1...

Connected to localhost.localdomain (127.0.0.1).

Escape character is '^]'.

+OK Dovecot ready.

user mail_a --使用mail_a登录

+OK

pass 123 --密码

+OK Logged in.

list --列出新邮件列表

+OK 1 messages:

1 499

.

retr 1 --读取编号为1的那封邮件.

2、使用outlook或者foxmail图形客户端来收取邮件

+++++++++++++++++++++++++++++++++++++

测试:

本地发送 echo "hello a" | mail -s "a test mail from local" a@baidu.com

收信:1)$HOME/Maildir

2) telnet localhost 110 user a pass 1

网络发送

[root@mail new]# telnet localhost 25

Trying ::1...

telnet: connect to address ::1: Connection refused

Trying 127.0.0.1...

Connected to localhost.

Escape character is '^]'.

220 mail.baidu.com ESMTP Postfix

ehlo localhost

250-mail.baidu.com

250-PIPELINING

250-SIZE 10240000

250-VRFY

250-ETRN

250-ENHANCEDSTATUSCODES

250-8BITMIME

250 DSN

mail from:a@baidu.com

250 2.1.0 Ok

rcpt to:b@baidu.com

250 2.1.5 Ok

data

354 End data with .

subject: a test mail

hi b!....

.

250 2.0.0 Ok: queued as 513CD609B4

quit

221 2.0.0 Bye

Connection closed by foreign host.

收信

1)$HOME/Maildir

2) telnet localhost 110 user a pass 1

[root@mail new]# telnet localhost 110

Trying ::1...

Connected to localhost.

Escape character is '^]'.

+OK Dovecot ready.

user b

+OK

pass 1

+OK Logged in.

list

+OK 1 messages:

1 432

.

retr 1

+OK 432 octets

Return-Path:

X-Original-To: b@baidu.com

Delivered-To: b@baidu.com

Received: from localhost (localhost [127.0.0.1])

by mail.baidu.com (Postfix) with ESMTP id 513CD609B4

for ; Thu, 13 Jun 2013 14:16:05 +0800 (CST)

subject: a test mail

Message-Id: <20130613061622.513CD609B4@mail.baidu.com>

Date: Thu, 13 Jun 2013 14:16:05 +0800 (CST)

From: a@baidu.com

To: undisclosed-recipients:;

hi b!....

.

找一台客户端(如192.168.0.254)

[root@i ~]# telnet 192.168.0.29 25 → 发送一份邮件

[root@i ~]# telnet 192.168.0.29 110 → 通过客户端来接收邮件

Trying 192.168.0.29...

Connected to 192.168.0.29.

Escape character is '^]'.

+OK Dovecot ready.

user b1

-ERR Plaintext authentication disallowed on non-secure (SSL/TLS) connections.

dovecot 默认不允许在未加密(非SSL/TLS)的连接上使用明文密码验证,测试时需要开启明文验证选项;开启后密码会以明文在网络上传输,正式环境应改用pop3s/imaps(前面的netstat输出显示dovecot同时监听这两个端口)。

[root@mail ~]# vim /etc/dovecot/conf.d/10-auth.conf ---此处在服务端修改

disable_plaintext_auth = no

# telnet 192.168.0.29 110

Trying 192.168.0.29...

Connected to 192.168.0.29.

Escape character is '^]'.

+OK Dovecot ready.

user b1

+OK

pass 2

+OK Logged in.

list

+OK 2 messages:

1 303

2 270

.

retr 2

+OK 270 octets

Return-Path:

X-Original-To: b1@baidu.com

Delivered-To: b1@baidu.com

Received: from localhost (unknown [192.168.0.245])

by mail.baidu.com (Postfix) with ESMTP id 5C910609F5

for ; Thu, 13 Jun 2013 14:24:01 +0800 (CST)

hi hi hi hi hi

.

----------------------------------

# yum -y install httpd php

# vim /etc/httpd/conf/httpd.conf

ServerName mail.baidu.com

# service httpd start

# chkconfig httpd on

创建httpd虚拟主机

# vim /etc/httpd/conf/httpd.conf

Options Indexes

AllowOverride None

Order allow,deny

Allow from 192.168.0.0/24

NameVirtualHost *:80

ServerAdmin root@baidu.com

DocumentRoot /mail

ServerName mail.baidu.com

ErrorLog logs/mail.baidu.com-error_log

CustomLog logs/mail.baidu.com-access_log common

# mkdir /mail

# yum -y install php

# service httpd start

# chkconfig httpd on

-------------------------------

创建web,支持通过网页收发邮件

# scp zh_CN-1.4.13-20071220.tar.bz2 squirrelmail-1.4.13.tar.bz2 root@192.168.0.16:/root

# tar xf squirrelmail-1.4.13.tar.bz2

# mv /root/squirrelmail-1.4.13/* /mail/

打中文补丁包

# mkdir /root/zh

# tar xf zh_CN-1.4.13-20071220.tar.bz2 -C /root/zh

cd /root/zh

# ./install

Please enter path to your squirrelmail installation:/mail

创建配置文件 :

# cd /mail/config

# cp config_default.php config.php

# vim /mail/config/config.php

$domain = 'baidu.com';

$squirrelmail_default_language = 'zh_CN';

$default_charset = 'zh_CN.UTF-8';

$data_dir = '/mail/data/'; --邮件数据(该目录在DocumentRoot /mail 之内,应禁止通过Web直接访问,或改放到网站根目录之外)

$attachment_dir = '/mail/attach/';--邮件附件

# mkdir /mail/{data,attach} -p

# chown -R apache.apache /mail/data/ /mail/attach/

web发:client-->httpd-->squirrelmail-->postfix(127.0.0.1:25)-->

收:client-->httpd-->squirrelmail-->dovecot(127.0.0.1:143/imap)-->$HOME/Maildir/*

---------------------------------------------

别名/群发/转发

# postconf |grep alias

alias_database = hash:/etc/aliases

alias_maps = hash:/etc/aliases

# vim /etc/aliases

root: root, mail_a, mail_b--转发

admin: root, mail_a

group: mail_a, mail_b --别名/群发

rs: rs01, rs02, rs03

cw: cw01, cw02, cw03

all: rs, cw

a b c

**************

a: a, c --转发

admin: b --别名

user: a,b,c --群发

***************

# newaliases

# postalias /etc/aliases--更新/etc/aliases至/etc/aliases.db

# postfix reload

-----------------------------------------

smtp发信认证:禁止openrelay

client-->server:25(postfix)-->sasl

# vim /etc/postfix/main.cf

smtpd_sasl_auth_enable = yes --启用sasl验证

smtpd_sasl_security_options = noanonymous --拒绝匿名登录

smtpd_recipient_restrictions = permit_mynetworks, --允许哪些收件人可以接收邮件

permit_sasl_authenticated,

reject_unauth_destination,

reject

permit_mynetworks --允许本地信任网络的主机可以发件

permit_sasl_authenticated --已经通过sasl验证用户可以发送邮件

reject_unauth_destination --拒绝非信任域收件

# postfix check

# postfix reload

启用smtp额外验证模块

# /etc/init.d/saslauthd start

启动 saslauthd: [确定]

# chkconfig saslauthd on

查看是否已经启用smtp认证:

# telnet localhost 25

Trying 127.0.0.1...

Connected to localhost.localdomain (127.0.0.1).

Escape character is '^]'.

220 mail.baidu.com ESMTP Postfix

ehlo localhost

250-mail.baidu.com

250-PIPELINING

250-SIZE 10240000

250-VRFY

250-ETRN

250-AUTH PLAIN LOGIN

250-ENHANCEDSTATUSCODES

250-8BITMIME

250 DSN

# less /usr/share/doc/postfix-2.3.3/README-Postfix-SASL-RedHat.txt --参考文件

测试:

1、转换编码(Base64只是编码,不是加密;在没有TLS的连接上,AUTH LOGIN/PLAIN的账号密码相当于明文传输):

# perl -e 'use MIME::Base64; print encode_base64("user01")'

dXNlcjAx

# perl -e 'use MIME::Base64; print encode_base64("123")'

MTIz

2、登录测试:

telnet localhost 25

Trying 127.0.0.1...

Connected to localhost.localdomain (127.0.0.1).

Escape character is '^]'.

220 mail.baidu.com ESMTP Postfix

auth login

334 VXNlcm5hbWU6

dXNlcjAx

334 UGFzc3dvcmQ6

MTIz

235 2.0.0 Authentication successful

3、没有通过验证的发信,则会拒绝:

# telnet 192.168.0.169 25

Trying 192.168.0.169...

Connected to 192.168.0.169 (192.168.0.169).

Escape character is '^]'.

220 mail.baidu.com ESMTP Postfix

mail from:user01@baidu.com

250 2.1.0 Ok

rcpt to:xxx@qq.com

554 5.7.1 : Relay access denied

4、作为邮件客户端,如foxmail/outlook,需要勾选smtp验证

根据/etc/postfix/access文件对客户IP地址作访问控制:

# vim /etc/postfix/main.cf

smtpd_client_restrictions =

check_client_access hash:/etc/postfix/access

# vim /etc/postfix/access

192.168.0.254 REJECT

# postmap /etc/postfix/access --更新.db文件

# ll /etc/postfix/access*

-rw-r--r-- 1 root root 17853 Apr 8 14:22 /etc/postfix/access

-rw-r--r-- 1 root root 12288 Apr 8 14:22 /etc/postfix/access.db

# postfix reload

测试:

client(192.168.0.17)server(192.168.0.1)

# telnet 192.168.0.1 25

Trying 192.168.0.1...

Connected to mail.uplooking.com (192.168.0.144).

Escape character is '^]'.

220 mail.uplooking.com ESMTP Postfix

ehlo localhost

250-mail.uplooking.com

250-PIPELINING

250-SIZE 10240000

250-VRFY

250-ETRN

250-AUTH PLAIN LOGIN

250-ENHANCEDSTATUSCODES

250-8BITMIME

250 DSN

mail from:xxx@uplooking.com

250 2.1.0 Ok

rcpt to:mail01@uplooking.com

554 5.7.1 : Client host rejected: Access denied

------------------------------

磁盘配额:

1.系统的配额,因为当前使用的是系统用户

2.postfix自带的功能实现配额(整个邮箱/单封邮件配额)

postconf -e "mailbox_size_limit = 51200000"--邮箱的大小

postconf -e "message_size_limit = 30480000"--单封邮件的大小,单位字节

postfix reload

--------------------------

总结收发信件流程:

1、收信流程:

pop3/imap收信:client-->dovecot(110,143) -->$HOME/Maildir/*

2、发信流程:

smtp:client-->postfix(25)-->smtpd(saslauthd)-->passwd,shadow-->

sendmail命令:sendmail-->postfix-->

3、web的收发:

web收信:client-->httpd(80)-->squirrelmail-->localhost:143(dovecot)--> passwd,shadow-->Maildir

发信:client-->httpd-->squirrelmail-->localhost:25(postfix)-->sasl-->passwd/shadow-->

发送邮件

1.localhost [sendmail mail]

2.network

1).本机:telnet localhost 25 其它:telnet smtp_server_ip 25

2) web ({username}passwd/shadow) foxmail [--注意你的DNS,注意验证]

收邮件

1.localhost [/var/spool/mail/$HOME---mailbox $HOME/---> maildir]

2.[dovecot] telnet localhost 110/143 其它:telnet smtp_server_ip 110/143

3.web ({username}passwd/shadow) foxmail [--注意你的DNS,注意验证]

---------------------------------

ssh(secure shell)--加密远程登录管理服务器,加密的数据传输

telnet --通过字符界面远程管理服务器(明文)

ssh/openssh--加密的远程管理,加密的数据传输(scp/winscp/sftp)

client(192.168.0.254)sshserver(192.168.0.172)sshd(密钥对(公钥/私钥))

1、可以使用ssh协议远程加密管理服务器

2、使用SSH协议进行数据传输(scp)

dsa

rsa--ssh默认的加密方式,非对称的公钥加密算法,安全,数据传输速度慢

# rpm -qa |grep ssh --默认情况下,LINUX发行版都预安装这个软件

openssh-server-4.3p2-36.el5 --服务端 sshd

openssh-askpass-4.3p2-36.el5--图形的客户端

openssh-4.3p2-36.el5 --公共软件包

openssh-clients-4.3p2-36.el5 --字符的客户端ssh scp sftp

ssh远程登录的过程

1.sshd启动的时候会产生一个公钥,每个小时更新一次公钥

2.当客户端收到服务端公钥会版本协商(sshv1,sshv2)

3.版本协商完后,服务端会发公钥(/etc/ssh/ssh_host_rsa_key.pub)给客户端,这一步是没加密的

4.客户端返回确认信息,把一个session_key通过公钥加密发给服务端

ssh的配置文件 :

# ls /etc/ssh/ssh*_config -l

-rw-r--r-- 1 root root 1827 2009-06-23 /etc/ssh/ssh_config客户端的配置文件

-rw------- 1 root root 3323 2009-06-23 /etc/ssh/sshd_config服务端的配置文件

# cat /etc/ssh/sshd_config |grep -v '#'|grep -v ^$

Port 22 --监听端口

Protocol 2 --使用版本2

ListenAddress 0.0.0.0 --监听地址

LoginGraceTime 2m --登录超时时间

PermitRootLogin yes --允许root通过ssh登录(面向公网的服务器建议设为no,改用普通用户登录后再切换)

MaxAuthTries 6 --密码尝试6次

RSAAuthentication yes --支持rsa加密

PubkeyAuthentication yes--是否支持密钥对验证

AuthorizedKeysFile .ssh/authorized_keys--密钥对验证时,客户端公钥存储文件

PermitEmptyPasswords no --是否允许空密码登录

PasswordAuthentication yes --是否支持账号/密码登录方式

UseDNS no --禁用DNS反解

Subsystem sftp /usr/libexec/openssh/sftp-server--支持sftp

AllowUsers root 只允许root 可以远程

客户端的命令:

# rpm -ql openssh-clients-4.3p2-36.el5|grep bin

/usr/bin/scp--支持远程主机之间文件拷贝

scp -P 2222 /root/test.txt kiki@192.168.0.16:/tmp/test.txt

scp -P 2222 -r /root/ kiki@192.168.0.16:/tmp/test.txt

scp root@192.168.0.254:/etc/hosts /var/tmp --从0.254主机上下载一个文件

scp /etc/hosts root@192.168.0.254:/var/tmp --往0.254上传一个文件

/usr/bin/sftp--sftp的客户端

# /usr/bin/sftp -oport=2222 kiki@192.168.0.16

/usr/bin/ssh

# ssh -p 2222 kiki@192.168.0.16

/usr/bin/ssh-copy-id --拷贝公钥至远程主机对应的目录

ssh验证:

1.基于账号/密码的验证

服务端:私钥

客户端:公钥

2.基于密钥对的验证

服务端:公钥

客户端:私钥

client(192.168.0.7)server(192.168.0.29)

a. 在客户端生成密钥对

# ssh-keygen -t rsa

Generating public/private rsa key pair.

Enter file in which to save the key (/root/.ssh/id_rsa): --保存私钥的路径

Enter passphrase (empty for no passphrase): --给私钥加密(123456)

Enter same passphrase again: --确认密码

Your identification has been saved in /root/.ssh/id_rsa. --私钥

Your public key has been saved in /root/.ssh/id_rsa.pub. --公钥


b. 拷贝公钥至服务器,拷贝目标路径:(你想用哪个用户登录就拷贝哪个用户的家目录$HOME/.ssh/authorized_keys)

第一种方法(手工拷贝):

在服务器上的操作:

#useradd kiki

# sudo -u kiki mkdir /home/kiki/.ssh

# sudo -u kiki chmod 700 /home/kiki/.ssh

在客户端上上传公钥(注意:下面的scp会直接覆盖服务器上已有的authorized_keys;如果该文件里已经有其它公钥,应改为追加,并保证文件权限为600)

# scp -P2222 /root/.ssh/id_rsa.pub kiki@192.168.0.17:~/.ssh/authorized_keys

第二种方法(使用工具自动完成):

# ssh-copy-id -i /root/.ssh/id_rsa.pub kiki2@192.168.0.17 --一条命令搞定

c. 测试密钥对的登录:

# ssh -p 2222 kiki@192.168.0.17

Address 192.168.0.16 maps to test, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

Enter passphrase for key '/root/.ssh/id_rsa': --输入私钥的加密密码(123456)

Last login: Fri Aug 19 15:47:02 2011 from 192.168.0.222

[kiki@mail ~]$ --这样就不需要输入kiki用户的密码

d.在windows的客户端使用密钥对验证:

1、生成密钥对

2、上传

3、转换:

# ssh-keygen -i -f key_pub >> /root/.ssh/authorized_keys

tcpwrappers(防火墙)--过滤TCP包头(/usr/sbin/tcpd)

控制文件:

规则

匹配顺序: tcp-->tcpwrappers-->hosts.allow--> hosts.deny,默认情况下这两个文件是空的,规则马上写马上生效.

1、如果在hosts.allow能够匹配到相应的规则,则允许,匹配到此结束。

2、如果在hosts.allow匹配不到相应规则,接下来匹配hosts.deny文件,如果匹配到则拒绝,匹配到此结束。

3、如果在hosts.allow和hosts.deny中都无法匹配到相应规则,则允许。

防火墙的规则设计思路:先在hosts.deny中拒绝所有,然后再在hosts.allow中逐个放开。

tcpwrappers过滤的依据:服务名字,其实就是服务对应二进制文件的文件名

vsftpd/httpd/postfix/samba/nfs/sshd/squid/xinetd

vsftpd: /usr/sbin/vsftpd

sshd: /usr/sbin/sshd

portmap: /sbin/portmap --> rpcbind

xinetd: /usr/sbin/xinetd

查看vsftpd是否支持tcpwrappers

client-->vsftpd-(libwrap.so)->tcpwrappers

查看某个服务支持tcpwrappers过滤:

# rpm -ql tcp_wrappers |grep ''

/usr/lib/libwrap.so

查询xinetd服务是否支持tcpwrappers的过滤:

1.

# ldd `which xinetd `|grep wra

libwrap.so.0 => /lib/libwrap.so.0 (0x00110000)

# ldd `which vsftpd` |grep wra

libwrap.so.0 => /lib/libwrap.so.0 (0x003e1000)

2.strings

# strings /sbin/portmap |grep 'hosts.*'

/etc/hosts.allow

/etc/hosts.deny

------------------

实例1:

# service vsftpd start

为 vsftpd 启动 vsftpd: [确定]

# chkconfig krb5-telnet on

# service xinetd restart

停止 xinetd: [确定]

启动 xinetd: [确定]

# netstat -tnlp |grep :21

tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 2578/vsftpd

# netstat -tnlp |grep :23

tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN 2635/xinetd

------------

设置规则:

1.telnet只有192.168.0.254能访问

2.vsftpd192.168.0.0/24都能访问,除192.168.0.254

3.sshd 192.168.0.254,只要有登录则发邮件告知管理员

4.本机能够访问这三个服务.

# vim /etc/hosts.deny

vsftpd: ALL

in.telnetd: ALL

sshd: ALL

# vim /etc/hosts.allow

in.telnetd: 192.168.0.254

sshd: 192.168.0.254: spawn echo "login attempt from %c to %s" | mail -s "information about sshd login attempt" root@baidu.com

vsftpd: 192.168.0.0/255.255.255.0 EXCEPT 192.168.0.254

ALL: LOCAL .baidu.com

spawn 执行命令

%c客户端地址

%s服务器的地址

LOCAL本地主机

hosts.allow和hosts.deny格式:

服务名字1, 服务名字2, ...:客户机地址[:动作]

1、如何找出名字

2、客户机地址:

ALL

network/mask192.168.0.0/255.255.255.0 或192.168.0.

127.

?

.uplooking.com*.uplooking.com

EXCEPT

3、动作:

ALLOW

DENY

*************************************************

[root@mail ]# vim /etc/hosts.deny

vsftpd: ALL

in.telnetd: ALL

sshd: ALL

[root@mail ]# vim /etc/hosts.allow

in.telnetd: 192.168.0.254

vsftpd: 192.168.0.0/255.255.255.0 EXCEPT 192.168.0.254

sshd: 192.168.0.254: spawn echo "login attempt from %c to %s" | mail -s "information about sshd login attempt" root@baidu.com

ALL: LOCAL, .baidu.com
