Mail Security

1. Encrypted authentication (SSL/TLS)

1.1 Services provided by sendmail

Sending: smtps

-- Plain SMTP (port 25) carries everything in cleartext; smtps (port 465) runs the whole session inside SSL/TLS.

[root@mail ~]# grep smtps /etc/services 

smtps 465/tcp # SMTP over SSL (TLS)

[root@mail ~]# sendmail -d0.1 -bv

Version 8.13.8

 Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX

MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6

NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS

TCPWRAPPERS USERDB USE_LDAP_INIT

-- STARTTLS and SASLv2 in the "Compiled with" list confirm that this build supports TLS and SASL authentication; without them the settings below have no effect.

============ SYSTEM IDENTITY (after readcf) ============

      (short domain name) $w = mail

  (canonical domain name) $j = mail.bj.com

         (subdomain name) $m = bj.com

              (node name) $k = mail.bj.com

========================================================

Recipient names must be specified

[root@mail ~]#

1.2 Set up a CA

# SSL secure transport; TLS is its standardised successor. The 1024-bit RSA keys generated below are what this lab used; 1024-bit RSA is no longer considered adequate, so use 2048 bits or more in practice.

[root@mail ~]# cd /etc/pki 

[root@mail pki]# vim tls/openssl.cnf

45 dir             = /etc/pki/CA           # Where everything is kept

87 [ policy_match ]

88 countryName             = optional

89 stateOrProvinceName     = optional

90 organizationName        = optional

[root@mail pki]# cd CA/

[root@mail CA]# mkdir certs newcerts crl

[root@mail CA]# touch index.txt serial 

[root@mail CA]# echo "01">serial

[root@mail CA]# openssl genrsa 1024 > private/cakey.pem

Generating RSA private key, 1024 bit long modulus

.......................................++++++

...............++++++

e is 65537 (0x10001)

[root@mail CA]# chmod 600 private/*

[root@mail CA]# openssl req -x509 -new -key private/cakey.pem -out cacert.pem -days 3650

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]:HN

Locality Name (eg, city) [Newbury]:ZZ

Organization Name (eg, company) [My Company Ltd]:ZZU    

Organizational Unit Name (eg, section) []:sendmail   

Common Name (eg, your name or your server's hostname) []:mail.sh.com

Email Address []:

[root@mail CA]# cd /etc/mail

[root@mail mail]# mkdir certs/

[root@mail mail]# cd certs/

[root@mail certs]# openssl genrsa 1024 >sendmail.key

Generating RSA private key, 1024 bit long modulus

...............++++++

.........................................++++++

e is 65537 (0x10001)

[root@mail certs]# openssl req -new -key sendmail.key -out sendmail.csr 

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]:HN

Locality Name (eg, city) [Newbury]:ZZ

Organization Name (eg, company) [My Company Ltd]:ZZU

Organizational Unit Name (eg, section) []:sendmail

Common Name (eg, your name or your server's hostname) []:mail.sh.com

Email Address []:

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

-- Sign the certificate with the CA

[root@mail certs]# openssl ca -in sendmail.csr -out sendmail.crt 

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number: 1 (0x1)

        Validity

            Not Before: Sep 15 22:00:40 2011 GMT

            Not After : Sep 14 22:00:40 2012 GMT

        Subject:

            countryName               = CN

            stateOrProvinceName       = HN

            organizationName          = ZZU

            organizationalUnitName    = sendmail

            commonName                = mail.sh.com

        X509v3 extensions:

            X509v3 Basic Constraints: 

                CA:FALSE

            Netscape Comment: 

                OpenSSL Generated Certificate

            X509v3 Subject Key Identifier: 

                21:9F:4D:91:74:C6:80:EA:B0:38:F4:F2:8D:68:A7:08:4A:15:7F:92

            X509v3 Authority Key Identifier: 

                keyid:CC:F1:AE:5C:1E:96:41:35:AB:3A:E0:69:7C:52:98:D4:35:D9:8F:C2

Certificate is to be certified until Sep 14 22:00:40 2012 GMT (365 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

[root@mail certs]# cp /etc/pki/CA/cacert.pem ./

[root@mail certs]# chmod 600 *
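The CA procedure above, reproduced non-interactively and followed by the check the lab leaves implicit. This is an added example, not code from the original page: it uses 2048-bit keys, signs with `openssl x509 -req` plus an extension file instead of `openssl ca` (so no CA database is needed), adds a subjectAltName, and then has a TLS client that trusts only the new cacert.pem connect to a loopback listener presenting sendmail.crt, once with the matching name and once with a different one. The openssl command-line tool on PATH, the CA name ca.sh.com and the temporary directory are assumptions of the example.

```python
"""Added example: the 1.2 CA flow done non-interactively, then the trust check.
Assumes the openssl CLI is on PATH; names and paths are this example's own."""
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading


def run_openssl(*args):
    """Run one openssl command; a non-zero exit raises with stderr attached."""
    subprocess.run(("openssl",) + args, check=True, capture_output=True)


def make_ca_and_server_cert(workdir, ca_cn, server_cn, days=365):
    """Self-signed CA plus a CA-signed server certificate, as in 1.2 but with
    2048-bit keys, explicit extensions and a subjectAltName for the server."""
    p = lambda name: os.path.join(workdir, name)
    ca_key, ca_csr, ca_crt = p("cakey.pem"), p("ca.csr"), p("cacert.pem")
    srv_key, srv_csr, srv_crt = p("sendmail.key"), p("sendmail.csr"), p("sendmail.crt")
    # -subj replaces the interactive DN prompts; the values mirror the lab's DN
    run_openssl("genrsa", "-out", ca_key, "2048")
    run_openssl("req", "-new", "-key", ca_key, "-out", ca_csr,
                "-subj", f"/C=CN/ST=HN/O=ZZU/CN={ca_cn}")
    with open(p("ca.ext"), "w") as f:
        f.write("basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n")
    run_openssl("x509", "-req", "-in", ca_csr, "-signkey", ca_key, "-out", ca_crt,
                "-days", str(days), "-extfile", p("ca.ext"))
    run_openssl("genrsa", "-out", srv_key, "2048")
    run_openssl("req", "-new", "-key", srv_key, "-out", srv_csr,
                "-subj", f"/C=CN/ST=HN/O=ZZU/OU=sendmail/CN={server_cn}")
    with open(p("server.ext"), "w") as f:
        f.write(f"subjectAltName=DNS:{server_cn}\nbasicConstraints=CA:FALSE\n")
    run_openssl("x509", "-req", "-in", srv_csr, "-CA", ca_crt, "-CAkey", ca_key,
                "-CAcreateserial", "-out", srv_crt, "-days", str(days),
                "-extfile", p("server.ext"))
    os.chmod(ca_key, 0o600)   # same intent as the lab's chmod 600 private/*
    os.chmod(srv_key, 0o600)
    return ca_crt, srv_crt, srv_key


def tls_client_accepts(ca_crt, srv_crt, srv_key, server_name):
    """One-shot TLS listener on loopback with the server certificate; the client
    trusts only ca_crt and expects server_name. True if the handshake completes."""
    srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv_ctx.load_cert_chain(srv_crt, srv_key)
    cli_ctx = ssl.create_default_context(cafile=ca_crt)   # check_hostname is on
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve_once():
        conn, _ = listener.accept()
        try:
            with srv_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.sendall(b"220 mail.sh.com ESMTP ready\r\n")
        except OSError:
            pass            # the client rejected our certificate and sent an alert
        finally:
            conn.close()
            listener.close()

    worker = threading.Thread(target=serve_once)
    worker.start()
    try:
        with socket.create_connection(("127.0.0.1", port)) as raw, \
                cli_ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            return tls.recv(64).startswith(b"220")
    except ssl.SSLError:    # untrusted issuer or name mismatch
        return False
    finally:
        worker.join()


def demo():
    """Issue a certificate for mail.sh.com and try a matching and a wrong name."""
    workdir = tempfile.mkdtemp()
    try:
        ca_crt, srv_crt, srv_key = make_ca_and_server_cert(workdir, "ca.sh.com", "mail.sh.com")
        return {
            "mail.sh.com": tls_client_accepts(ca_crt, srv_crt, srv_key, "mail.sh.com"),
            "imap.sh.com": tls_client_accepts(ca_crt, srv_crt, srv_key, "imap.sh.com"),
        }
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())   # {'mail.sh.com': True, 'imap.sh.com': False}
```

The second result is the situation described after the screenshots below: the client is configured with a name the certificate does not carry, so it refuses the server even though the certificate chains to a CA it trusts.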

1.3 Edit the configuration file sendmail.mc

[root@mail CA]# vim /etc/mail/sendmail.mc

-- Enable authentication ('A': honour the AUTH= parameter of MAIL FROM only after a successful authentication; 'y': do not offer mechanisms that allow anonymous login)

39 define(`confAUTH_OPTIONS', `A y')dnl

-- Trusted mechanisms: a client that authenticates with one of these is allowed to relay

52 TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

53 define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

 

-- Enable the certificates

60 define(`confCACERT_PATH', `/etc/mail/certs')dnl

61 define(`confCACERT', `/etc/mail/certs/cacert.pem')dnl

62 define(`confSERVER_CERT', `/etc/mail/certs/sendmail.crt')dnl

63 define(`confSERVER_KEY', `/etc/mail/certs/sendmail.key')dnl

118 DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA')dnl

136 DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl

-- M=s: this daemon speaks TLS from the first byte (smtps, port 465); the port-25 daemon offers STARTTLS instead.

[root@mail CA]# service sendmail restart

 

[screenshot 29-1]

[screenshot 29-2]

The server name configured in the mail client (the domain part of the account) must match the certificate's Common Name, mail.sh.com here; otherwise the client does not trust the certificate.

2. SASL (Simple Authentication and Security Layer)

A point-to-point mechanism: it authenticates the client to the server it connects to, on that hop only; it does not protect the message end to end.

2.1 Install and enable authentication

The service is called saslauthd and is not enabled by default.

First check whether authentication is enabled, then turn it on.

-- Requiring authentication stops unauthorised or non-existent users from sending through the server and so cuts down on spam.

[root@mail ~]# yum list all |grep sasl

This system is not registered with RHN.

RHN support will be disabled.

cyrus-sasl.i386                        2.1.22-4              installed          

cyrus-sasl-devel.i386                  2.1.22-4              installed          

cyrus-sasl-lib.i386                    2.1.22-4              installed          

cyrus-sasl-plain.i386                  2.1.22-4              installed                 

[root@mail ~]# chkconfig saslauthd on

[root@mail ~]# chkconfig --list |grep sasl

saslauthd       0:off   1:off   2:on    3:on    4:on    5:on    6:off

[root@mail certs]# service saslauthd start

#vim /etc/mail/sendmail.mc

-- Require authentication on the MTA daemon (M=a; E additionally disables ETRN). Note that other mail servers delivering to this domain never authenticate, so with M=a on port 25 inbound mail from them is refused too; in production put the requirement on the submission port (587) and leave port 25 for server-to-server delivery.

118 DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA,M=Ea')dnl
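A hardened variant of the sendmail.mc settings from 1.3 and of the M=Ea daemon line above, added here as an example and not part of the original page. Two changes: 'p' in confAUTH_OPTIONS stops sendmail from offering or accepting LOGIN and PLAIN until TLS is active, so the base64 credentials shown in 2.3 never cross the wire unencrypted; and the authentication requirement moves from port 25 to the submission port (587, named submission in /etc/services), because other mail servers delivering to this domain cannot authenticate and would otherwise be refused.

```m4
dnl Added example: hardened version of the 1.3 / 2.1 settings (not from the original page)
dnl 'p': plaintext mechanisms (LOGIN, PLAIN) only after STARTTLS or on smtps; 'A' and 'y' as before
define(`confAUTH_OPTIONS', `A p y')dnl
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/cacert.pem')dnl
define(`confSERVER_CERT', `/etc/mail/certs/sendmail.crt')dnl
define(`confSERVER_KEY', `/etc/mail/certs/sendmail.key')dnl
dnl port 25: other MTAs deliver here and cannot authenticate, so no 'a'; ETRN stays disabled
DAEMON_OPTIONS(`Port=smtp, Addr=0.0.0.0, Name=MTA, M=E')dnl
dnl port 587: mail clients submit here, STARTTLS is offered and authentication is required
DAEMON_OPTIONS(`Port=submission, Addr=0.0.0.0, Name=MSA, M=Ea')dnl
dnl port 465: TLS from the first byte, as in the original
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
```

After `service sendmail restart`, an EHLO on port 25 without STARTTLS should no longer list `250-AUTH LOGIN PLAIN`, while the same EHLO after STARTTLS, or on port 465, should.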

2.2 Describe the authentication method

[root@mail lib]# cd /usr/lib/sasl2

[root@mail sasl2]# vim Sendmail.conf

pwcheck_method:saslauthd

mech_list: login plain   -- optional; restricts the mechanisms offered to these

[root@mail sasl2]# service sendmail restart

2.3 Base64-encode the user credentials

-- base64 is an encoding, not encryption: anyone who captures the strings below can decode them immediately, which is why LOGIN and PLAIN belong inside TLS. -n drops the trailing newline so it is not encoded as part of the value.

[root@mail certs]# echo -n "user5@sh.com"|openssl base64

dXNlcjVAc2guY29t

[root@mail certs]# echo -n "123"|openssl base64

MTIz

2.4 Test authentication

[root@mail sasl2]# telnet mail.sh.com 25

Trying 192.168.101.71...

Connected to mail.sh.com (192.168.101.71).

Escape character is '^]'.

220 mail.sh.com ESMTP Sendmail 8.13.8/8.13.8; Fri, 16 Sep 2011 06:39:13 +0800

helo mail.sh.com        

250 mail.sh.com Hello mail.sh.com [192.168.101.71], pleased to meet you

ehlo mail.sh.com

250-mail.sh.com Hello mail.sh.com [192.168.101.71], pleased to meet you

250-ENHANCEDSTATUSCODES

250-PIPELINING

250-8BITMIME

250-SIZE

250-DSN

250-AUTH LOGIN PLAIN   -- not advertised before SASL was enabled; authentication stops unknown or non-existent users from sending mail

250-STARTTLS

250-DELIVERBY

250 HELP

auth login dXNlcjVAc2guY29t

334 UGFzc3dvcmQ6   -- base64 of "Password:"

MTIz

235 2.0.0 OK Authenticated

mail from:user5@mail.sh.com

250 2.1.0 user5@mail.sh.com... Sender ok

rcpt to :user6@mail.sh.com

250 2.1.5 user6@mail.sh.com... Recipient ok

data

354 Enter mail, end with "." on a line by itself

subject hh

hello user6.

250 2.0.0 p8FMdDZN008247 Message accepted for delivery

quit

221 2.0.0 mail.sh.com closing connection

Connection closed by foreign host.

2.5 Check that the recipient received it

[root@mail sasl2]# su - user6

[user6@mail ~]$ mail

Mail version 8.1 6/6/93.  Type ? for help.

"/var/spool/mail/user6": 2 messages 1 new

    1 MAILER-DAEMON@mail.s  Thu Sep 15 19:09  13/542   "DON'T DELETE THIS MES"

>N  2 user5@mail.sh.com     Fri Sep 16 06:46  13/423  

& 2

Message 2:

From user5@mail.sh.com  Fri Sep 16 06:46:21 2011

Date: Fri, 16 Sep 2011 06:45:54 +0800

From: user5@mail.sh.com

subject hh

hello user6.

&

 

3. Packet capture tool

[root@mail ~]# yum list all |grep shark

This system is not registered with RHN.

RHN support will be disabled.

wireshark.i386                         1.0.3-4.el5_2         rehl-server        

wireshark-gnome.i386                   1.0.3-4.el5_2         rehl-server        

[root@mail ~]# yum install wireshark

 

4. IMAPS / POP3S for mail retrieval

4.1 Generate the dovecot certificate

[root@mail sasl2]# cd /usr/lib/sasl2

[root@mail sasl2]# mkdir -pv /etc/dovecot/certs

mkdir: created directory `/etc/dovecot'

mkdir: created directory `/etc/dovecot/certs'

[root@mail sasl2]# cd /etc/dovecot/certs/

-- Generate the private key

[root@mail certs]# openssl genrsa 1024 >dovecot.key

Generating RSA private key, 1024 bit long modulus

...................................++++++

...............................++++++

e is 65537 (0x10001)

-- Write out the certificate signing request

[root@mail certs]# openssl req -new -key dovecot.key -out dovecot.csr 

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]:HN

Locality Name (eg, city) [Newbury]:ZZ

Organization Name (eg, company) [My Company Ltd]:ZZU

Organizational Unit Name (eg, section) []:sendmail     

Common Name (eg, your name or your server's hostname) []:imap.sh.com

-- the name must match the host name the mail accounts use for sending and receiving; imap.sh.com is added to DNS in 4.4

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

4.2 Issue the certificate

[root@mail certs]# openssl ca -in dovecot.csr -out dovecot.crt

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number: 2 (0x2)

        Validity

            Not Before: Sep 15 23:01:08 2011 GMT

            Not After : Sep 14 23:01:08 2012 GMT

        Subject:

            countryName               = CN

            stateOrProvinceName       = HN

            organizationName          = ZZU

            organizationalUnitName    = sendmail

            commonName                = mail.sh.com   -- the CSR above asked for imap.sh.com; whichever name ends up in the issued certificate must be the one clients connect to, or they will not trust it

        X509v3 extensions:

            X509v3 Basic Constraints: 

                CA:FALSE

            Netscape Comment: 

                OpenSSL Generated Certificate

            X509v3 Subject Key Identifier: 

                BB:2C:B9:99:11:D1:E5:85:53:7F:8E:FE:E4:FC:C2:35:95:2E:08:87

            X509v3 Authority Key Identifier: 

                keyid:CC:F1:AE:5C:1E:96:41:35:AB:3A:E0:69:7C:52:98:D4:35:D9:8F:C2

Certificate is to be certified until Sep 14 23:01:08 2012 GMT (365 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

4.3 Edit the dovecot configuration file

[root@mail certs]# vim /etc/dovecot.conf

protocols = imap imaps pop3 pop3s

-- certificate and key files the server presents to clients

92 ssl_cert_file = /etc/dovecot/certs/dovecot.crt

93 ssl_key_file = /etc/dovecot/certs/dovecot.key

[root@mail certs]# chmod 600 *

[root@mail certs]# service dovecot restart

[root@mail certs]# netstat -tulpn |grep dov

 

4.4 Add the DNS record for imap

[root@mail ~]# vim /var/named/chroot/var/named/sh.com.db 

$TTL    86400

@               IN SOA  ns.sh.com.       root.126.com (

                                        44              ; serial (d. adams)

                                        3H              ; refresh

                                        15M             ; retry

                                        1W              ; expiry

                                        1D )            ; minimum

 

@               IN NS           ns.sh.com.

ns              IN A            192.168.101.71

mail            IN A            192.168.101.71

pop3            IN CNAME        mail

smtp            IN CNAME        mail

imap            IN CNAME        mail

@               IN MX      10   mail

[root@mail ~]# rndc  reload

server reload successful

[root@mail ~]# dig imap.sh.com

4.5 Capture the traffic

-- Cleartext capture (POP3 on port 110)

[root@mail certs]# tshark -ni eth0 -R "tcp.srcport eq 110 or tcp.dstport eq 110"

Running as user "root" and group "root". This could be dangerous.

Capturing on eth0

302.590811 192.168.101.213 -> 192.168.101.71 TCP 1101 > 110 [SYN] Seq=0 Win=65535 Len=0 MSS=1460

302.590888 192.168.101.71 -> 192.168.101.213 TCP 110 > 1101 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460

302.591092 192.168.101.213 -> 192.168.101.71 TCP 1101 > 110 [ACK] Seq=1 Ack=1 Win=65535 Len=0

302.591257 192.168.101.71 -> 192.168.101.213 POP Response: +OK Dovecot ready.

302.591718 192.168.101.213 -> 192.168.101.71 POP Request: USER user6

302.591753 192.168.101.71 -> 192.168.101.213 TCP 110 > 1101 [ACK] Seq=21 Ack=13 Win=5840 Len=0

302.591877 192.168.101.71 -> 192.168.101.213 POP Response: +OK

302.592048 192.168.101.213 -> 192.168.101.71 POP Request: PASS 123   -- user name and password are readable on the wire

302.600894 192.168.101.71 -> 192.168.101.213 POP Response: +OK Logged in.

302.601742 192.168.101.213 -> 192.168.101.71 POP Request: STAT

302.642575 192.168.101.71 -> 192.168.101.213 TCP 110 > 1101 [ACK] Seq=42 Ack=29 Win=5840 Len=0

302.648145 192.168.101.71 -> 192.168.101.213 POP Response: +OK 0 0

302.648920 192.168.101.213 -> 192.168.101.71 POP Request: QUIT

302.648973 192.168.101.71 -> 192.168.101.213 TCP 110 > 1101 [ACK] Seq=51 Ack=35 Win=5840 Len=0

302.649177 192.168.101.71 -> 192.168.101.213 POP Response: +OK Logging out.
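A small triage script for captures like the two in this section, as an added example (not from the page): it parses tshark's one-line summaries, pairs POP3 USER/PASS commands per client-server flow to show exactly which credentials crossed the wire readable, and counts TLS records so that a port-993 capture comes out with zero recoverable credentials. It goes slightly beyond the page by also catching IMAP LOGIN on port 143. The sample lines are constructed to match the page's output format; the `Request: <tag> LOGIN user pass` shape assumed for IMAP summaries is an assumption.

```python
"""Added example: credential triage over tshark summary lines (not from the original page)."""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+(?P<info>.*)$")
# Assumed tshark summary shape for a cleartext IMAP login: Request: <tag> LOGIN user pass
IMAP_LOGIN_RE = re.compile(r'^Request:\s*\S+\s+LOGIN\s+"?([^"\s]+)"?\s+"?([^"\s]+)"?', re.I)

# Constructed sample modelled on the port-110 capture above (cleartext POP3)
SAMPLE_POP3 = """\
302.591257 192.168.101.71 -> 192.168.101.213 POP Response: +OK Dovecot ready.
302.591718 192.168.101.213 -> 192.168.101.71 POP Request: USER user6
302.591877 192.168.101.71 -> 192.168.101.213 POP Response: +OK
302.592048 192.168.101.213 -> 192.168.101.71 POP Request: PASS 123
302.600894 192.168.101.71 -> 192.168.101.213 POP Response: +OK Logged in.
302.648920 192.168.101.213 -> 192.168.101.71 POP Request: QUIT
"""

# Constructed sample modelled on the port-993 capture below (IMAPS)
SAMPLE_IMAPS = """\
 48.114100 192.168.101.213 -> 192.168.101.71 SSL Client Hello
 48.116103 192.168.101.71 -> 192.168.101.213 TLSv1 Server Hello, Certificate, Server Hello Done
 48.116845 192.168.101.213 -> 192.168.101.71 TLSv1 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
 48.319469 192.168.101.71 -> 192.168.101.213 TLSv1 Application Data
 48.320517 192.168.101.213 -> 192.168.101.71 TLSv1 Application Data
"""


def parse(lines):
    """Yield one dict per line that matches tshark's one-line summary format."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_cleartext_logins(lines):
    """Credentials that crossed the wire readable; flows are keyed by (client, server)."""
    pending_user = {}   # POP3 sends USER first, PASS on a later line of the same flow
    findings = []
    for rec in parse(lines):
        key = (rec["src"], rec["dst"])
        info = rec["info"]
        if rec["proto"] == "POP" and info.startswith("Request:"):
            words = info[len("Request:"):].split(None, 1)
            verb = words[0].upper() if words else ""
            arg = words[1].strip() if len(words) > 1 else ""
            if verb == "USER":
                pending_user[key] = arg
            elif verb == "PASS" and key in pending_user:
                findings.append({"client": key[0], "server": key[1], "protocol": "POP3",
                                 "user": pending_user.pop(key), "password": arg})
        elif rec["proto"] == "IMAP":
            m = IMAP_LOGIN_RE.match(info)
            if m:
                findings.append({"client": key[0], "server": key[1], "protocol": "IMAP",
                                 "user": m.group(1), "password": m.group(2)})
    return findings


def summarize(lines):
    """Counts a reviewer can glance at: TLS records versus recoverable credentials."""
    counts = Counter()
    for rec in parse(lines):
        if rec["proto"].startswith(("TLS", "SSL")):
            counts["tls_records"] += 1
        else:
            counts["non_tls_records"] += 1
    counts["cleartext_credentials"] = len(find_cleartext_logins(lines))
    return counts


if __name__ == "__main__":
    print(find_cleartext_logins(SAMPLE_POP3.splitlines()))
    print(summarize(SAMPLE_POP3.splitlines()))
    print(summarize(SAMPLE_IMAPS.splitlines()))
```

Run it against a saved `tshark -r capture.pcap` summary: a non-zero `cleartext_credentials` count on a production mail network means POP3 or IMAP is still being used without TLS, and the findings list tells you which accounts need their passwords rotated.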

-- Capture after IMAPS is configured (port 993)

In the client, either server-authentication option works; the first time the account is used the user is prompted for the user name and password.

 

[screenshot 29-3]

[screenshot 29-4]

 

[root@mail ~]# tshark -ni eth0 -R "tcp.srcport eq 993 or tcp.dstport eq 993"

Running as user "root" and group "root". This could be dangerous.

Capturing on eth0

  4.471940 192.168.101.213 -> 192.168.101.71 TLSv1 Application Data

  4.471943 192.168.101.213 -> 192.168.101.71 TCP 1147 > 993 [FIN, ACK] Seq=41 Ack=1 Win=64377 Len=0

  4.473771 192.168.101.71 -> 192.168.101.213 TCP 993 > 1147 [FIN, ACK] Seq=1 Ack=42 Win=6432 Len=0

  4.480719 192.168.101.213 -> 192.168.101.71 TCP 1147 > 993 [ACK] Seq=42 Ack=2 Win=64377 Len=0

 48.113729 192.168.101.213 -> 192.168.101.71 TCP 1149 > 993 [SYN] Seq=0 Win=65535 Len=0 MSS=1460

 48.113810 192.168.101.71 -> 192.168.101.213 TCP 993 > 1149 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460

 48.113889 192.168.101.213 -> 192.168.101.71 TCP 1149 > 993 [ACK] Seq=1 Ack=1 Win=65535 Len=0

 48.114100 192.168.101.213 -> 192.168.101.71 SSL Client Hello

 48.114119 192.168.101.71 -> 192.168.101.213 TCP 993 > 1149 [ACK] Seq=1 Ack=103 Win=5840 Len=0

 48.116103 192.168.101.71 -> 192.168.101.213 TLSv1 Server Hello, Certificate, Server Hello Done

 48.116845 192.168.101.213 -> 192.168.101.71 TLSv1 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message

 48.118198 192.168.101.71 -> 192.168.101.213 TLSv1 Change Cipher Spec, Encrypted Handshake Message

 48.319185 192.168.101.71 -> 192.168.101.213 TLSv1 [TCP Retransmission] Change Cipher Spec, Encrypted Handshake Message

 48.319447 192.168.101.213 -> 192.168.101.71 TCP 1149 > 993 [ACK] Seq=285 Ack=823 Win=64713 Len=0

 48.319469 192.168.101.71 -> 192.168.101.213 TLSv1 Application Data

 48.320517 192.168.101.213 -> 192.168.101.71 TLSv1 Application Data

 48.320690 192.168.101.71 -> 192.168.101.213 TLSv1 Application Data

 48.321276 192.168.101.213 -> 192.168.101.71 TLSv1 Application Data

 48.329138 192.168.101.71 -> 192.168.101.213 TLSv1 Application Data

 48.330432 192.168.101.213 -> 192.168.101.71 TLSv1 Application Data

 48.330753 192.168.101.71 -> 192.168.101.213 TLSv1 Application Data

 48.331100 192.168.101.213 -> 192.168.101.71 TLSv1 Application Data

 48.331247 192.168.101.71 -> 192.168.101.213 TLSv1 Application Data

 48.331472 192.168.101.213 -> 192.168.101.71 TLSv1 Application Data

 48.332986 192.168.101.71 -> 192.168.101.213 TLSv1 Application Data

 48.333306 192.168.101.213 -> 192.168.101.71 TLSv1 Application Data

-- Only the TLS handshake and encrypted Application Data records are visible; the USER/PASS exchange that was readable on port 110 can no longer be recovered from the capture.