Linux mail encryption: encryption and authentication for a sendmail mail server on Linux

Check the compile-time options

[root@mail ~]# sendmail -d0.1 -bv

Version 8.13.8

Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX

MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6

NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS

TCPWRAPPERS USERDB USE_LDAP_INIT

============ SYSTEM IDENTITY (after readcf) ============

(short domain name) $w = mail

(canonical domain name) $j = mail.bj.com

(subdomain name) $m = bj.com

(node name) $k = mail.bj.com

========================================================

Recipient names must be specified

[root@mail ~]# telnet 127.0.0.1 25

Trying 127.0.0.1...

Connected to mail.bj.com (127.0.0.1).

Escape character is '^]'.

220 mail.bj.com ESMTP Sendmail 8.13.8/8.13.8; Fri, 23 Mar 2012 15:54:24 +0800

EHLO 127.0.0.1

250-mail.bj.com Hello mail.bj.com [127.0.0.1], pleased to meet you

250-ENHANCEDSTATUSCODES

250-PIPELINING

250-8BITMIME

250-SIZE

250-DSN

250-ETRN

250-DELIVERBY

250 HELP

QUIT

Outgoing mail server (sendmail)

STARTTLS (SMTP over SSL/TLS)

Create the server certificate: prepare the CA

[root@mail ~]# cd /etc/pki/CA/

[root@mail CA]# cd ..

[root@mail pki]# vim tls/openssl.cnf

line 45: dir = /etc/pki/CA           # Where everything is kept

line 88: countryName = optional

line 89: stateOrProvinceName = optional

line 90: organizationName = optional

(The three [ policy_match ] entries are relaxed from match to optional so that a request whose country, state or organization differs from the CA's own can still be signed.)

[root@mail CA]# mkdir crl certs newcerts

[root@mail CA]# touch index.txt serial

[root@mail CA]# echo "01" >serial

Create the CA private key

[root@mail CA]# openssl genrsa 1024 >private/cakey.pem

Generating RSA private key, 1024 bit long modulus

..............................................++++++

........................................++++++

e is 65537 (0x10001)

[root@mail CA]# chmod 600 private/*

Create the CA certificate

[root@mail CA]# openssl req -new -key private/cakey.pem -x509 -out cacert.pem -days 3650

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]:BEIJING

Locality Name (eg, city) [Newbury]:BEIJING

Organization Name (eg, company) [My Company Ltd]:SECCENTER

Organizational Unit Name (eg, section) []:tec

Common Name (eg, your name or your server's hostname) []:rootca.net.net

Email Address []:

Create the server key

[root@mail CA]# cd /etc/mail

[root@mail mail]# mkdir certs

[root@mail mail]# cd certs/

[root@mail certs]# openssl genrsa 1024 >sendmail.key

Generating RSA private key, 1024 bit long modulus

........++++++

...........................++++++

e is 65537 (0x10001)

Create the certificate request

[root@mail certs]# openssl req -new -key sendmail.key -out sendmail.csr

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]:HENAN

Locality Name (eg, city) [Newbury]:ZHENGZHOU

Organization Name (eg, company) [My Company Ltd]:ZZDX

Organizational Unit Name (eg, section) []:tec

Common Name (eg, your name or your server's hostname) []:mail.bj.com

Email Address []:

Sign the certificate

[root@mail certs]# openssl ca -in sendmail.csr -out sendmail.cert

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Edit sendmail.mc

[root@mail mail]# pwd

/etc/mail

[root@mail mail]# vim sendmail.mc

line 60: define(`confCACERT_PATH', `/etc/mail/certs')dnl

line 61: define(`confCACERT', `/etc/mail/certs/cacert.pem')dnl

line 62: define(`confSERVER_CERT', `/etc/mail/certs/sendmail.cert')dnl

line 63: define(`confSERVER_KEY', `/etc/mail/certs/sendmail.key')dnl

line 134: DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl

Set the key permissions

[root@mail certs]# chmod 600 sendmail.key

Copy cacert.pem into the current directory

[root@mail certs]# pwd

/etc/mail/certs

[root@mail certs]# cp /etc/pki/CA/cacert.pem ./

Restart the sendmail service

[root@mail mail]# service sendmail restart

Shutting down sm-client:[ OK ]

Shutting down sendmail:[ OK ]

Starting sendmail:[ OK ]

Starting sm-client:[ OK ]

Check again

[root@mail certs]# telnet 127.0.0.1 25

Trying 127.0.0.1...

Connected to mail.bj.com (127.0.0.1).

Escape character is '^]'.

220 mail.bj.com ESMTP Sendmail 8.13.8/8.13.8; Fri, 23 Mar 2012 18:17:34 +0800

EHLO 127.0.0.1

250-mail.bj.com Hello mail.bj.com [127.0.0.1], pleased to meet you

250-ENHANCEDSTATUSCODES

250-PIPELINING

250-8BITMIME

250-SIZE

250-DSN

250-ETRN

250-STARTTLS

250-DELIVERBY

250 HELP

Test

Test from an external mail client (Beijing)

In the client, enable the SSL secure connection option for user user1


While sending and receiving mail, watch the log and run a packet capture; the following is observed

[root@mail certs]# tail -f /var/log//maillog

Mar 23 19:08:08 mail sendmail[4219]: STARTTLS=server, relay=[192.168.2.3], version=TLSv1/SSLv3, verify=NO, cipher=RC4-MD5, bits=128/128

Mar 23 19:08:08 mail sendmail[4219]: q2NB88dj004219: from=, size=1196, class=0, nrcpts=1, msgid=, proto=SMTP, daemon=MTA, relay=[192.168.2.3]

Mar 23 19:08:09 mail sendmail[4220]: q2NB88dj004219: to=, ctladdr= (500/500), delay=00:00:01, xdelay=00:00:00, mailer=local, pri=31415, dsn=2.0.0, stat=Sent

Mar 23 19:08:44 mail dovecot: pop3-login: Login: user=, method=PLAIN, rip=::ffff:192.168.2.3, lip=::ffff:192.168.2.100

Mar 23 19:08:44 mail dovecot: POP3(user1): Disconnected: Logged out top=0/0, retr=1/1494, del=1/1, size=1477

[root@mail Server]# tshark -ni eth0 -R "tcp.dstport eq 110"

130.317087 192.168.2.3 -> 192.168.2.100 TCP 2446 > 110 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=3

130.317398 192.168.2.3 -> 192.168.2.100 TCP 2446 > 110 [ACK] Seq=1 Ack=1 Win=372296 Len=0

130.319027 192.168.2.3 -> 192.168.2.100 POP Request: USER user1

130.319511 192.168.2.3 -> 192.168.2.100 POP Request: PASS 123

130.406052 192.168.2.3 -> 192.168.2.100 POP Request: STAT

130.435409 192.168.2.3 -> 192.168.2.100 POP Request: LIST

130.439985 192.168.2.3 -> 192.168.2.100 POP Request: RETR 1

As you can see, sending mail is now encrypted with SSL, but receiving still uses cleartext POP3, and the packet capture tool captured the account name and password.

Secure mail retrieval with the dovecot server (POP3S)

Key and certificate request

[root@mail certs]# mkdir -pv /etc/dovecot/certs

mkdir: created directory `/etc/dovecot'

mkdir: created directory `/etc/dovecot/certs'

[root@mail certs]# cd /etc/dovecot/certs/

[root@mail certs]# openssl genrsa 1024 >dovecot.key

Generating RSA private key, 1024 bit long modulus

..................++++++

......................++++++

e is 65537 (0x10001)

Generate the request

[root@mail certs]# openssl req -new -key dovecot.key -out dovecot.csr

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]:HENAN

Locality Name (eg, city) [Newbury]:ZHENGZHOU

Organization Name (eg, company) [My Company Ltd]:ZZDX

Organizational Unit Name (eg, section) []:tec

Common Name (eg, your name or your server's hostname) []:pop3.bj.com

Email Address []:

Issue the certificate

[root@mail certs]# openssl ca -in dovecot.csr -out dovecot.cert

Certificate Details:

Serial Number: 2 (0x2)

Validity

Not Before: Mar 23 13:04:19 2012 GMT

Not After : Mar 23 13:04:19 2013 GMT

Subject:

countryName               = CN

stateOrProvinceName       = HENAN

organizationName          = ZZDX

organizationalUnitName    = tec

commonName                = pop3.bj.com

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Fix the permissions

[root@mail certs]# chmod 600 *

Edit dovecot.conf

[root@mail certs]# vim /etc/dovecot.conf

line 21: protocols = imap pop3 imaps

line 94: ssl_cert_file = /etc/dovecot/certs/dovecot.cert

line 95: ssl_key_file = /etc/dovecot/certs/dovecot.key

Restart the service

[root@mail certs]# service dovecot restart

Stopping Dovecot Imap:[ OK ]

Starting Dovecot Imap:[ OK ]

Check the listening ports

[root@mail certs]# netstat -tupln |grep dov

tcp        0      0 :::993                      :::*                        LISTEN      4328/dovecot

tcp        0      0 :::110                      :::*                        LISTEN      4328/dovecot

tcp        0      0 :::143                      :::*                        LISTEN      4328/dovecot

Test whether mail retrieval is encrypted


The log and captured traffic while sending and receiving are as follows

[root@mail certs]# tail -f /var/log/maillog

Mar 23 21:52:23 mail sendmail[4377]: STARTTLS=server, relay=[192.168.2.3], version=TLSv1/SSLv3, verify=NO, cipher=RC4-MD5, bits=128/128

Mar 23 21:52:23 mail sendmail[4377]: q2NDqNw5004377: from=, size=1179, class=0, nrcpts=1, msgid=, proto=SMTP, daemon=MTA, relay=[192.168.2.3]

Mar 23 21:52:23 mail sendmail[4384]: q2NDqNw5004377: to=, ctladdr= (501/501), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=31398, dsn=2.0.0, stat=Sent

Mar 23 21:52:24 mail dovecot: imap-login: Login: user=, method=PLAIN, rip=::ffff:192.168.2.3, lip=::ffff:192.168.2.100, TLS

[root@mail Server]# tshark -ni eth0 -R "tcp.dstport eq 993"

345.571410 192.168.2.3 -> 192.168.2.100 TCP 3032 > 993 [ACK] Seq=292 Ack=836 Win=371464 Len=0

345.573477 192.168.2.3 -> 192.168.2.100 TLSv1 Application Data

345.574578 192.168.2.3 -> 192.168.2.100 TLSv1 Application Data

345.667520 192.168.2.3 -> 192.168.2.100 TLSv1 Application Data

345.673284 192.168.2.3 -> 192.168.2.100 TLSv1 Application Data

345.674900 192.168.2.3 -> 192.168.2.100 TLSv1 Application Data

As you can see, the mail was sent and received successfully and no information was intercepted; secure sending and receiving is achieved.
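The two log excerpts above (the cleartext POP3 login that exposed the account and password, and the later TLS-protected session) are the kind of evidence a defender wants to pull out of /var/log/maillog automatically. The following is an added example, not code from the original post: a small Python audit over constructed log lines modelled on the post's own excerpts (the user=<...> values, which the excerpt lost, are filled in here). It flags dovecot logins that are not marked TLS, SMTP AUTH with a password-carrying mechanism (LOGIN/PLAIN) on a sendmail child that never logged STARTTLS, and legacy cipher suites such as the RC4-MD5 that appears in the post's log. Note that the dovecot configuration above enables imaps (port 993 in the netstat output) but leaves port 110 in cleartext, so only IMAP retrievals get TLS.

```python
import re

# Constructed sample modelled on the /var/log/maillog excerpts in this post.
# The user=<...> values are filled in here because the original excerpt lost them.
SAMPLE_MAILLOG = """\
Mar 23 19:08:08 mail sendmail[4219]: STARTTLS=server, relay=[192.168.2.3], version=TLSv1/SSLv3, verify=NO, cipher=RC4-MD5, bits=128/128
Mar 23 19:08:44 mail dovecot: pop3-login: Login: user=<user1>, method=PLAIN, rip=::ffff:192.168.2.3, lip=::ffff:192.168.2.100
Mar 23 21:52:24 mail dovecot: imap-login: Login: user=<user1>, method=PLAIN, rip=::ffff:192.168.2.3, lip=::ffff:192.168.2.100, TLS
Mar 23 23:40:15 mail sendmail[4768]: STARTTLS=server, relay=[192.168.2.3], version=TLSv1/SSLv3, verify=NO, cipher=RC4-MD5, bits=128/128
Mar 23 23:40:15 mail sendmail[4768]: AUTH=server, relay=[192.168.2.3], authid=user2, mech=LOGIN, bits=0
Mar 23 23:41:02 mail sendmail[4800]: AUTH=server, relay=[192.168.2.7], authid=user1, mech=PLAIN, bits=0
"""

# Field layouts follow the sendmail and dovecot lines shown in the post.
RE_STARTTLS = re.compile(
    r"sendmail\[(?P<pid>\d+)\]: STARTTLS=server, relay=(?P<relay>[^,]+), "
    r"version=(?P<version>[^,]+), verify=(?P<verify>[^,]+), "
    r"cipher=(?P<cipher>[^,]+), bits=(?P<bits>\S+)")
RE_AUTH = re.compile(
    r"sendmail\[(?P<pid>\d+)\]: AUTH=server, relay=(?P<relay>[^,]+), "
    r"authid=(?P<authid>[^,]+), mech=(?P<mech>[^,]+), bits=(?P<bits>\d+)")
RE_DOVECOT = re.compile(
    r"dovecot: (?P<proto>\w+)-login: Login: user=(?P<user>[^,]+), "
    r"method=(?P<method>[^,]+), rip=(?P<rip>[^,]+), lip=(?P<lip>[^,]+)(?P<tls>, TLS)?$")

# Mechanisms that transmit the password itself (only base64-wrapped); they are
# acceptable only inside a TLS session.
PLAINTEXT_MECHS = {"LOGIN", "PLAIN"}


def audit_maillog(text):
    """Return a list of (severity, line_number, message) findings."""
    findings = []
    tls_pids = set()  # sendmail child PIDs that logged a completed STARTTLS
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.rstrip()
        if m := RE_STARTTLS.search(line):
            tls_pids.add(m["pid"])
            if "RC4" in m["cipher"] or m["cipher"].endswith("-MD5"):
                findings.append(("MEDIUM", lineno,
                                 f"legacy cipher {m['cipher']} negotiated with {m['relay']}"))
        elif m := RE_AUTH.search(line):
            # Correlate by PID: the same child must have logged STARTTLS first.
            if m["mech"] in PLAINTEXT_MECHS and m["pid"] not in tls_pids:
                findings.append(("HIGH", lineno,
                                 f"AUTH {m['mech']} for {m['authid']} from {m['relay']} without STARTTLS"))
        elif m := RE_DOVECOT.search(line):
            if not m["tls"]:
                findings.append(("HIGH", lineno,
                                 f"{m['proto']} login for {m['user']} from {m['rip']} in cleartext"))
    return findings


if __name__ == "__main__":
    for severity, lineno, message in audit_maillog(SAMPLE_MAILLOG):
        print(f"{severity:6} line {lineno}: {message}")
```

Run against the sample it reports the cleartext POP3 login, the PLAIN authentication from PID 4800 that had no STARTTLS, and both RC4-MD5 handshakes; the LOGIN authentication from PID 4768 is accepted because that child logged STARTTLS first. On a real host, feed it `tail -n 10000 /var/log/maillog`.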

SASL authentication for sending mail

Because the mail server lets anyone send mail, which is not secure, we use SASL to address this. SASL is a set of rules for communication between the two parties, so that only legitimate accounts may send mail.

Environment

[root@mail Server]# rpm -qa |grep sasl

cyrus-sasl-lib-2.1.22-5.el5

cyrus-sasl-2.1.22-5.el5

cyrus-sasl-devel-2.1.22-5.el5

cyrus-sasl-plain-2.1.22-5.el5

[root@mail Server]# chkconfig --list |grep sasl

saslauthd       0:off   1:off   2:off   3:off   4:off   5:off   6:off

Start the service and enable it at boot

[root@mail Server]# service saslauthd start

Starting saslauthd:[ OK ]

[root@mail Server]# chkconfig saslauthd on

Edit sendmail.mc

[root@mail Server]# vim /etc/mail/sendmail.mc

line 39: define(`confAUTH_OPTIONS', `A y')dnl

line 52: TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

line 53: define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

Restart the service

[root@mail Server]# service sendmail restart

Shutting down sm-client:[ OK ]

Shutting down sendmail:[ OK ]

Starting sendmail:[ OK ]

Starting sm-client:[ OK ]

Check

[root@mail Server]# telnet 127.0.0.1

Trying 127.0.0.1...

telnet: connect to address 127.0.0.1: Connection refused

telnet: Unable to connect to remote host: Connection refused

[root@mail Server]# telnet 127.0.0.1 25

Trying 127.0.0.1...

Connected to mail.bj.com (127.0.0.1).

Escape character is '^]'.

220 mail.bj.com ESMTP Sendmail 8.13.8/8.13.8; Fri, 23 Mar 2012 23:24:43 +0800

EHLO 127.0.0.1

250-mail.bj.com Hello mail.bj.com [127.0.0.1], pleased to meet you

250-ENHANCEDSTATUSCODES

250-PIPELINING

250-8BITMIME

250-SIZE

250-DSN

250-ETRN

250-AUTH LOGIN PLAIN

250-STARTTLS

250-DELIVERBY

250 HELP

Require authentication

[root@mail Server]# vim /etc/mail/sendmail.mc

line 116: DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA, M=Ea')dnl

Restart the service

[root@mail Server]# service sendmail restart

Test

Send mail from the client as user2 to root; the resulting log is shown below

Encode the account name and password in base64:

[root@mail ~]# echo -n "root" |openssl base64

cm9vdA==

[root@mail ~]# echo -n "redhat" |openssl base64

cmVkaGF0

[root@mail ~]# telnet 127.0.0.1 25

Trying 127.0.0.1...

Connected to mail.bj.com (127.0.0.1).

Escape character is '^]'.

220 mail.bj.com ESMTP Sendmail 8.13.8/8.13.8; Sat, 24 Mar 2012 00:25:25 +0800

EHLO 127.0.0.1

250-mail.bj.com Hello mail.bj.com [127.0.0.1], pleased to meet you

250-ENHANCEDSTATUSCODES

250-PIPELINING

250-8BITMIME

250-SIZE

250-DSN

250-ETRN

250-AUTH LOGIN PLAIN

250-STARTTLS

250-DELIVERBY

250 HELP

AUTH LOGIN cm9vdA==

334 UGFzc3dvcmQ6

cmVkaGF0

235 2.0.0 OK Authenticated

MAIL FROM:user2@bj.com

250 2.1.0 user2@bj.com... Sender ok

RCPT TO:root@bj.com

250 2.1.5 root@bj.com... Recipient ok

DATA

354 Enter mail, end with "." on a line by itself

111111111111111111

.

250 2.0.0 q2NGPPNd003329 Message accepted for delivery

[root@mail certs]# tail -f /var/log//maillog

Mar 23 23:39:38 mail dovecot: imap-login: Login: user=, method=PLAIN, rip=::ffff:192.168.2.3, lip=::ffff:192.168.2.100, TLS

Mar 23 23:40:15 mail sendmail[4768]: STARTTLS=server, relay=[192.168.2.3], version=TLSv1/SSLv3, verify=NO, cipher=RC4-MD5, bits=128/128

Mar 23 23:40:15 mail sendmail[4768]: AUTH=server, relay=[192.168.2.3], authid=user2, mech=LOGIN, bits=0

Mar 23 23:40:15 mail sendmail[4768]: q2NFeFoM004768: from=, size=1199, class=0, nrcpts=1, msgid=<81A4F08C96004DC891735E1C529BFAA1@201106201040>, proto=ESMTP, daemon=MTA M=Ea, relay=[192.168.2.3]

Mar 23 23:40:15 mail sendmail[4772]: q2NFeFoM004768: to=, ctladdr= (501/501), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=31442, dsn=2.0.0, stat=Sent

Mar 23 23:40:15 mail dovecot: imap-login: Login: user=, method=PLAIN, rip=::ffff:192.168.2.3, lip=::ffff:192.168.2.100, TLS
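Two details of the sendmail.mc changes in this section deserve a check before the config is trusted. First, `confAUTH_OPTIONS` is set to `A y` without the `p` flag; sendmail's `p` flag refuses mechanisms that are vulnerable to passive capture (PLAIN and LOGIN) unless a security layer such as STARTTLS is active, and without it the EHLO response above advertises `AUTH LOGIN PLAIN` on a plain telnet session, where the base64 credentials are trivially decoded. Second, a `DAEMON_OPTIONS` value written as `Name=MTA M=Ea` with no comma is parsed as a daemon named "MTA M=Ea" and no modifier at all, which is exactly what the post's log line `daemon=MTA M=Ea` shows. The following is an added example, not the post's code: a Python lint for the m4 lines, run over two constructed fragments, one reproducing the post's lines and a hardened variant of my own (which also adds `a` to the smtps daemon so port 465 requires AUTH too). The `p` and `a` meanings are from sendmail's cf/README.

```python
import re

# Constructed sendmail.mc fragments. WEAK_MC reproduces the post's lines, including
# the missing comma in the last DAEMON_OPTIONS; HARDENED_MC is my corrected version.
WEAK_MC = """\
define(`confAUTH_OPTIONS', `A y')dnl
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA M=Ea')dnl
"""

HARDENED_MC = """\
define(`confAUTH_OPTIONS', `A p y')dnl
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=Esa')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA, M=Ea')dnl
"""

# One m4 macro call per line, terminated by dnl, as in the post's listings.
RE_MACRO = re.compile(r"^(\w+)\((.*)\)dnl$")


def unquote(s):
    """Strip m4's `...' quoting from a macro argument list."""
    return s.replace("`", "").replace("'", "")


def audit_sendmail_mc(text):
    """Return (line_number, message) findings for the AUTH-related m4 lines."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RE_MACRO.match(line.strip())
        if not m:
            continue
        macro, args = m.group(1), unquote(m.group(2))
        if macro == "define":
            name, _, value = (p.strip() for p in args.partition(","))
            # 'p' = do not offer PLAIN/LOGIN unless a security layer (TLS) is active
            if name == "confAUTH_OPTIONS" and "p" not in value.split():
                findings.append((lineno, "confAUTH_OPTIONS lacks 'p': LOGIN/PLAIN are offered before STARTTLS"))
        elif macro == "DAEMON_OPTIONS":
            opts = {}
            for part in args.split(","):
                key, _, value = part.strip().partition("=")
                opts[key] = value
            name = opts.get("Name", "?")
            for key, value in opts.items():
                # A space inside a value means the next option lost its comma
                if " " in value:
                    findings.append((lineno, f"daemon {name!r}: {key}={value!r} swallows another option (missing comma)"))
            # 'a' = always require authentication on this daemon
            if "a" not in opts.get("M", ""):
                findings.append((lineno, f"daemon {name!r}: modifiers M={opts.get('M', '')!r} do not require AUTH"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_MC), ("hardened", HARDENED_MC)):
        print(f"== {label} ==")
        for lineno, message in audit_sendmail_mc(text) or [(0, "no findings")]:
            print(f"line {lineno}: {message}")
```

On the weak fragment it reports the missing `p`, the unauthenticated smtps daemon, and two findings for the broken MTA line (the swallowed option and the resulting absence of any `M=` modifier); the hardened fragment is clean. After correcting sendmail.mc, confirm the effect the same way the post does: EHLO on port 25 before STARTTLS should no longer list `250-AUTH LOGIN PLAIN`, and the maillog `daemon=` field should read `MTA`.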
