Mail服务器的搭建
电子邮件的安全
加密
认证
发送 smtps
smtp 明文
smtps 465 (ssl)
Starttls sasl
接受 pop3s imaps
认证 sasl
验证
sendmail是否启用starttls加密机制(默认是没有启用的) 点到点加密
[root@mail ~]# telnet mail.bj.com 25
Trying 192.168.20.99...
Connected to mail.bj.com (192.168.20.99).
Escape character is '^]'.
220 mail.bj.com ESMTP Sendmail 8.13.8/8.13.8; Sat, 6 Aug 2011 18:31:03 +0800
ehlo mail.sh.com
250-mail.bj.com Hello mail.sh.com [192.168.20.88], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
quit
我们这里可以查看是否支持该协议
[root@mail ~]# sendmail -d0.1 -bv
Version 8.13.8
Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX
MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6
NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS
TCPWRAPPERS USERDB USE_LDAP_INIT
============ SYSTEM IDENTITY (after readcf) ============
(short domain name) $w = mail
(canonical domain name) $j = mail.sh.com
(subdomain name) $m = sh.com
(node name) $k = mail.sh.com
========================================================
Recipient names must be specified
可以看到,它是支持
SASLv2
与
STARTTLS
的
我们使用
smtps或者starttls都会使用到证书,CA将证书颁发给邮件服务器
下面我们利用上海的服务器搭建一个CA
编译
ssl的主配置文档
[root@mail ~]# cd /etc/pki/
[root@mail pki]# vim tls/openssl.cnf
45dir = /etc/pki/CA CA的路径(定义dir变量)
46certs = $dir/certs 存放证书目录 (需要创建)
47 crl_dir = $dir/crl 吊销证书目录 (需要创建)
48 database = $dir/index.txt 需要创建该文件
51 new_certs_dir = $dir/newcerts 需要创建该目录 .
53 certificate = $dir/cacert.pem
54 serial = $dir/serial (需要创建)发送证书的序列号(需要给一个起始序列号)
匹配条件:(这里选择可以决定能否对外发放证书)
87 [ policy_match ]
88 countryName = optional
(若往下三项都为math则,只能往该城市发证书)
89 stateOrProvinceName = optional
90 organizationName = optional
91 organizationalUnitName = optional
92 commonName = supplied
93 emailAddress = optional
退出编译后,我们首先创建那些目录跟文件
[root@mail pki]# cd CA
[root@mail CA]# mkdir certs newcerts crl
[root@mail CA]# touch index.txt serial
[root@mail CA]# echo "01" >serial
给它一个起始序列号
产生一个钥匙输出到
cakey.pem
文件中
[root@mail CA]# echo "01" >serial
[root@mail CA]# openssl genrsa 1024 >private/cakey.pem
里面含有私钥
Generating RSA private key, 1024 bit long modulus
.++++++
....................++++++
e is 65537 (0x10001)
[root@mail CA]# chmod 600 private/*
(为了安全起见)
[root@mail CA]# ll private/
-rw------- 1 root root 887 07-24 18:38 cakey.pem
(产生一个钥匙)
自己给自己颁发一个证书
[root@mail CA]# openssl req -x509 -new -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HENAN
Locality Name (eg, city) [Newbury]:ZHENZHOU
Organization Name (eg, company) [My Company Ltd]:CACENTER
Organizational Unit Name (eg, section) []:TEC
Common Name (eg, your name or your server's hostname) []:test.net.net
Email Address []:
[root@mail CA]# ll
总计 28
-rw-r--r-- 1 root root 1139 07-24 18:45 cacert.pem
产生了一个CA证书
为我们的邮件服务器做证书
[root@mail CA]# cd /etc/mail
[root@mail mail]# mkdir certs
创建一个存放证书与钥匙的文件夹
[root@mail mail]# cd certs/
[root@mail certs]# openssl genrsa 1024 >sendmail.key
产生自己的钥匙
Generating RSA private key, 1024 bit long modulus
........................++++++
................................++++++
e is 65537 (0x10001)
[root@mail certs]# openssl req -new -key sendmail.key -out sendmail.csr
向CA产生请求文件
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:
SH
Locality Name (eg, city) [Newbury]:
SH
Organization Name (eg, company) [My Company Ltd]:LL
Organizational Unit Name (eg, section) []:TEC
Common Name (eg, your name or your server's hostname) []:mail.
sh
.com
服务器名
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@mail certs]# ll
总计 8
-rw-r--r-- 1 root root 631 07-24 18:53 sendmail.csr
产生的请求文件
-rw-r--r-- 1 root root 887 07-24 18:51 sendmail.key
产生的钥匙文件
根据请求文件让
CA签发一个证书(证书上只包含公钥)
[root@mail certs]# openssl ca -in sendmail.csr -out sendmail.crt 输出sendmail.crt(邮件证书)
[root@mail certs]# ll
总计 12
-rw-r--r-- 1 root root 3053 07-24 19:05 sendmail.crt
产生一个证书文件
-rw-r--r-- 1 root root 631 07-24 18:53 sendmail.csr
-rw-r--r-- 1 root root 887 07-24 18:51 sendmail.key
[root@mail certs]# chmod 600 *
为了安全起见,更改一个他们的权限
Sendmail在实现smtps时需要ca的证书,必须把ca的证书放到每一个目录上
[root@mail certs]# cp /etc/pki/CA/cacert.pem ./
拷贝ca机构的证书
[root@mail certs]# chmod 600 *
[root@mail certs]# ll
总计 16
-rw------- 1 root root 1139 07-24 19:11 cacert.pem
ca机构的证书(一个证书只包含公钥)
-rw------- 1 root root 3053 07-24 19:05 sendmail.crt
邮件服务器的自己的证书
-rw------- 1 root root 631 07-24 18:53 sendmail.csr
-rw------- 1 root root 887 07-24 18:51 sendmail.key
改写
sendmail的配置,让它支持利用证书来实现加密
[root@mail certs]# vim /etc/mail/sendmail.mc
60 define(`confCACERT_PATH', `/etc/mail/certs')dnl
ca证书存放的路径
61 define(`confCACERT', `/etc/mail/certs/cacert.pem')dnl
ca证书的文件路径及名称
62 define(`confSERVER_CERT', `/etc/mail/certs/sendmail.crt')dnl
服务的证书及路径
63 define(`confSERVER_KEY', `/etc/mail/certs/sendmail.key')dnl
服务器的密钥及路径
134 DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
打开smtps
然后重启
sendmail
在就可以检测到
STARTTLS
已经启用了
[root@mail certs]# telnet mail.sh.com 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.sh.com ESMTP Sendmail 8.13.8/8.13.8; Sun, 24 Jul 2011 19:39:28 +0800
ehlo mail.sh.com
250-mail.sh.com Hello mail.sh.com [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP
此时关于证书的验证,我们在服务器端已经做好
了,下面我们来配置客户端
客户端证书:1.有效期 2.ca是否可信 3.名称
关于
smtps的利用
证书的安全机制便可以实现了
但是
smtps需要证书,但是它只针对有证书段的传输进行了加密,没有证书段的仍是明文传输
认证
Sasl(简单认证安全协议)
系统针对实现sasl协议有专门的软件包 -------cyrus-sasl.i386 (默认已安装)
形成的服务的名称: saslauthd 没有端口号
查看是否安装sasl
[root@mail certs]# telnet mail.sh.com 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.sh.com ESMTP Sendmail 8.13.8/8.13.8; Sun, 24 Jul 2011 19:39:28 +0800
ehlo mail.sh.com
250-mail.sh.com Hello mail.sh.com [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP
quit
发现系统默认是没有安装
auth 验证的 也就是说现在邮件服务器上任何账户都可以送邮件,这样会造成垃圾邮件范围扩大
所以我们需要对发送邮件的用户身份做认证
[root@mail certs]# vim /etc/mail/sendmail.mc
编译sendmail的主配置文件
39 define(`confAUTH_OPTIONS', `A y')dnl
(“y” 启用认证的选项)
52 TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
53 define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
(52,53:信任的认证机制)
116 DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA,M=Ea')dnl
(“M=Ea”强制认证)
在文件/usr/lib/sasl2/Sendmail.conf
中描述一下验证方法
[root@mail certs]# vim /usr/lib/sasl2/Sendmail.conf
pwcheck_method:saslauthd
默认启用sasl验证
做完之后重启
sendmail,saslauthd及再使用telnet进行测试:
[root@mail ~]# service saslauthd restart
停止 saslauthd: [确定]
启动 saslauthd: [确定]
[root@mail ~]# echo -n "user3@sh.com" |openssl base64
dXNlcjNAc2guY29t
输出
user3@sh.com
用
base64加密后的密文(-n表示去后面的回车)
[root@mail ~]# echo -n "123" |openssl base64
MTIz
[root@mail certs]# telnet mail.sh.com 25
使用telnet测试
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.sh.com ESMTP Sendmail 8.13.8/8.13.8; Sun, 24 Jul 2011 20:33:36 +0800
ehlo mail.sh.com
250-mail.sh.com Hello mail.sh.com [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH LOGIN PLAIN
此时已经启用了验证
250-STARTTLS
250-DELIVERBY
250 HELP
mail from:user
3
@bj.com
使用明文是被拒绝的
530 5.7.0 Authentication required
Help
可以使用help获取帮助
214-2.0.0 This is sendmail
214-2.0.0 Topics:
214-2.0.0
HELO
EHLO
MAIL
RCPT
DATA
214-2.0.0
RSET
NOOP
QUIT
HELP
VRFY
214-2.0.0
EXPN
VERB
ETRN
DSN
AUTH
214-2.0.0
STARTTLS
214-2.0.0 For more info use "HELP <topic>".
214-2.0.0 To report bugs in the implementation see
214-2.0.0
http://www.sendmail.org/email-addresses.html
214-2.0.0 For local information send email to Postmaster at your site.
214 2.0.0 End of HELP info
auth login dXNlcjNAc2guY29t
验证账号
334 UGFzc3dvcmQ6
MTIz
验证密码
235 2.0.0 OK Authenticated
验证成功
mail from:user4@sh.com
测试发邮件
250 2.1.0 user4@sh.com... Sender ok
rcpt to:user4@sh.com
250 2.1.5 user4@sh.com... Recipient ok
data
354 Enter mail, end with "." on a line by itself
subject:hello
11111111111
.
[user4@mail ~]$ mail
Mail version 8.1 6/6/93. Type ? for help.
"/var/spool/mail/user4": 1 message 1 new
>N 1 user4@sh.com Sun Jul 24 20:59 13/401 "hello"
&
客户端收到了邮件,验证成功!!!!
这时我们是
outlook客户端试试:
结果是能发出去的,不信可以试试哦!
做验证时。服务器会对客户端传来的服务器名跟账号做双重验证,验证通过的才通过它发信
实现端到端的加密
s/mime pgp
抓包工具:
tcpdumap wireshark(图形) tshark(字符界面)
wireshark.i386
tshark(字符界面)
wireshark-gnome.i386
wireshark(图形)
我们这里安装基于字符的
安装后使用下列命令抓包
在本地
eth0网卡上抓基于目标与源110端口的包,同时我们在两地使用客户端对发一封邮件,并查看抓包状态
[root@mail ~]# tshark -ni eth0 -R "tcp.srcport eq 110 or tcp.dstport eq 110"
38.002424 192.168.20.88 -> 192.168.20.77 POP Response: +OK Dovecot ready.
38.003489 192.168.20.77 -> 192.168.20.88 POP Request: USER user3
这里抓获到接受方账户
38.003822 192.168.20.88 -> 192.168.20.77 POP Response: +OK
38.004056 192.168.20.77 -> 192.168.20.88 POP Request: PASS 123
接受方密码
38.031182 192.168.20.88 -> 192.168.20.77 POP Response: +OK Logged in.
38.031324 192.168.20.77 -> 192.168.20.88 POP Request: STAT
38.033710 192.168.20.88 -> 192.168.20.77 POP Response: +OK 0 0
38.034272 192.168.20.77 -> 192.168.20.88 POP Request: QUIT
38.035143 192.168.20.88 -> 192.168.20.77 POP Response: +OK Logging out.
由此可以发现,在接受的过程我们很容易就能抓获到通信的账户密码,这样是很不安全的
让
CA给dovecot颁发证书
为dovecot创建存放证书目录
[root@mail ~]# mkdir -pv /etc/dovecot/certs
mkdir: 已创建目录 “/etc/dovecot”
mkdir: 已创建目录 “/etc/dovecot/certs”
[root@mail ~]# cd /etc/dovecot/certs/
[root@mail certs]# openssl genrsa 1024 >dovecot.key
Generating RSA private key, 1024 bit long modulus
...............................................................++++++
......................................++++++
e is 65537 (0x10001)
产生证书请求文件:
[root@mail certs]# openssl req -new -key dovecot.key -out dovecot.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:sh
Locality Name (eg, city) [Newbury]:sh
Organization Name (eg, company) [My Company Ltd]:ll
Organizational Unit Name (eg, section) []:tec
Common Name (eg, your name or your server's hostname) []:imap.sh.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@mail certs]# ll
-rw-r--r-- 1 root root 631 07-25 01:57 dovecot.csr
产生了请求文件
-rw-r--r-- 1 root root 887 07-25 01:53 dovecot.key
[root@mail certs]# openssl ca -in dovecot.csr -out dovecot.crt
颁发证书
[root@mail certs]# ll
总计 12
-rw-r--r-- 1 root root 3053 07-25 01:57 dovecot.crt
产生一个证书文件
-rw-r--r-- 1 root root 631 07-25 01:57 dovecot.csr
-rw-r--r-- 1 root root 887 07-25 01:53 dovecot.key
[root@mail certs]# chmod 600 *
将该目录下所有文件的权限改了
[root@mail certs]# vim /etc/dovecot.conf
编译dovecot的主配置文件
21 protocols = pop3 去掉之前我们添加的这一行,改为默认配置
91 ssl_cert_file = /etc/dovecot/certs/dovecot.crt
添加dovecot证书的路径
92 ssl_key_file = /etc/dovecot/certs/dovecot.key
添加dovecot密钥的路径
做完之后重启
dovecot
[root@mail certs]# service dovecot restart
停止 Dovecot Imap: [确定]
启动 Dovecot Imap: [确定]
[root@mail certs]# netstat -tupln |grep dov
查看dovecot的端口
tcp 0 0 :::993 :::* LISTEN 5183/dovecot
tcp 0 0 :::9
95
:::* LISTEN 5183/dovecot
tcp 0 0 :::110 :::* LISTEN 5183/dovecot
tcp 0
0 :::143 :::* LISTEN 5183/dovecot
这时我们利用客户端给上海的用户发邮件,然后使用该用户接受,并使用
wireshark抓接受时的包
[root@mail certs]# tshark -ni eth0 -R "tcp.srcport eq 110 or tcp.dstport eq 110"
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
115.580578 192.168.20.88 -> 192.168.20.77 POP Response: +OK Dovecot ready.
115.584041 192.168.20.77 -> 192.168.20.88 POP Request: USER user4
115.584105 192.168.20.88 -> 192.168.20.77 TCP 110 > 1176 [ACK] Seq=21 Ack=13 Win=5840 Len=0
115.588781 192.168.20.88 -> 192.168.20.77 POP Response: +OK
115.589361 192.168.20.77 -> 192.168.20.88 POP Request: PASS 123
发现还是能抓获到接收用户的账户密码
现在我们采用加密的方法进行接收:
接着为
imap在dns上添加记录:
[root@mail ~]# vim /var/named/chroot/var/named/sh.com.db
编译数据库文件
imap IN CNAME mail
添加一条关于imap的记录
完成之后重读数据库文件 rndc reload
再使用客户端对本地用户发邮件,并接受,然后抓包,因为我们该用imap服务器接受包了,所以抓包是监听的端口是993
[root@mail certs]# tshark -ni eth0 -R "tcp.srcport eq 993 or tcp.dstport eq 993"
25.564050 192.168.20.88 -> 192.168.20.77 TLSv1 Application Data
25.564435 192.168.20.77 -> 192.168.20.88 TLSv1 Application Data
25.594029 192.168.20.88 -> 192.168.20.77 TLSv1 Application Data
25.596274 192.168.20.77 -> 192.168.20.88 TLSv1 Application Data
25.669378 192.168.20.88 -> 192.168.20.77 TCP 993 > 1184 [ACK] Seq=1202 Ack=914 Win=7504 Len=0
25.669655 192.168.20.77 -> 192.168.20.88 TLSv1 Application Data
25.669736 192.168.20.88 -> 192.168.20.77 TCP 993 > 1184 [ACK] Seq=1202 Ack=937 Win=7504 Len=0
25.735889 192.168.20.88 -> 192.168.20.77 TLSv1 Application Data
这时我们发现抓获的包都是被加密的,再没有账户密码信息了
转载于:https://blog.51cto.com/3428760/668470
5万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
