1. How mail encryption works

Transport between the mail client and the server is encrypted with TLS (the page calls it SSL): the server presents an X.509 certificate issued by a CA the client trusts, and the client verifies that certificate before it sends credentials or message content.

2. How account verification works

sendmail passes the credentials from SMTP AUTH to cyrus-sasl, which verifies them through the saslauthd daemon (here, against the server's own system accounts).

Case 1: sending mail over an encrypted connection

Configured on the server named "mail.sisco.com", IP address 192.168.20.244

Step 1: set up the CA

[root@mail mail]# cd /etc/pki/CA/

Edit the CA configuration file

[root@mail CA]# vim ../tls/openssl.cnf

45 dir             = /etc/pki/CA           # Where everything is kept

Relax the signing policy so the C, ST and O fields of a request no longer have to match the CA certificate (in vim: :88,90 s/match/optional/g), which gives:

88 countryName             = optional

89 stateOrProvinceName     = optional

90 organizationName        = optional

Set the defaults that openssl req will offer when it prompts:

136 countryName_default             = CN

141 stateOrProvinceName_default     = zhengzhou

144 localityName_default            = zhengzhou

147 0.organizationName_default      = huawei

Create the three directories newcerts, certs and crl

mkdir newcerts certs crl

Create the two files index.txt and serial (the serial file holds the number of the next certificate to be issued)

touch index.txt serial

echo "01" > serial

[root@mail CA]# openssl genrsa 1024 > private/cakey.pem

//generate the CA private key. 1024 bits is what the page used; 1024-bit RSA is no longer considered safe, use 2048 or more on any current system

[root@mail CA]# chmod 600 private/cakey.pem     //only root may read the CA key

[root@mail CA]# openssl req -new -key private/cakey.pem -x509 -days 3650 -out cacert.pem   //self-signed CA certificate, valid for ten years

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [zhengzhou]:

Locality Name (eg, city) [zhengzhou]:

Organization Name (eg, company) [huawei]:

Organizational Unit Name (eg, section) []:etc

Common Name (eg, your name or your server's hostname) []:ca.huawei.com

Email Address []:

Step 2: create the server's own key, certificate request and certificate

[root@mail CA]# mkdir -pv /etc/mail/certs

mkdir: created directory `/etc/mail/certs'

[root@mail CA]# cd /etc/mail/certs

[root@mail certs]# openssl genrsa 1024 > sendmail.key //generate the server private key (same caveat: 2048 bits or more in practice)

[root@mail certs]# chmod 600 sendmail.key

[root@mail certs]# openssl req -new -key sendmail.key -out sendmail.csr

//generate the certificate signing request

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [zhengzhou]:

Locality Name (eg, city) [zhengzhou]:

Organization Name (eg, company) [huawei]:

Organizational Unit Name (eg, section) []:tec

Common Name (eg, your name or your server's hostname) []:smtp.huawei.com

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

[root@mail certs]#

[root@mail certs]# openssl ca -in sendmail.csr -out sendmail.cert

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number: 1 (0x1)

        Validity

            Not Before: Aug  5 11:34:28 2012 GMT

            Not After : Aug  5 11:34:28 2013 GMT

        Subject:

            countryName               = CN

            stateOrProvinceName       = zhengzhou

            organizationName          = huawei

            organizationalUnitName    = tec

            commonName                = smtp.huawei.com //the SMTP server's hostname; it must be the name clients are configured to connect to, or they will reject the certificate

        X509v3 extensions:

            X509v3 Basic Constraints:

                CA:FALSE

            Netscape Comment:

                OpenSSL Generated Certificate

            X509v3 Subject Key Identifier:

                97:7E:88:21:A1:8B:92:66:C6:2B:69:E8:9D:5E:11:9F:4E:00:81:86

            X509v3 Authority Key Identifier:

                keyid:F3:A6:3B:B5:9C:7D:3E:61:A8:63:50:B2:8D:EA:3E:6D:38:AD:82:CD

Certificate is to be certified until Aug  5 11:34:28 2013 GMT (365 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

[root@mail certs]# chmod 600 *  //the private key must not be readable by anyone but root

[root@mail certs]# ll

total 12

-rw------- 1 root root 3088 Aug  5 19:34 sendmail.cert

-rw------- 1 root root  655 Aug  5 19:32 sendmail.csr

-rw------- 1 root root  887 Aug  5 19:31 sendmail.key

Step 3: wire the certificates into sendmail

sendmail is installed by default

vim /etc/mail/sendmail.mc

60 define(`confCACERT_PATH', `/etc/pki/CA')dnl

//directory holding CA certificates

61 define(`confCACERT', `/etc/pki/CA/cacert.pem')dnl

//the CA certificate itself

62 define(`confSERVER_CERT', `/etc/mail/certs/sendmail.cert')dnl

//the sendmail server certificate

63 define(`confSERVER_KEY', `/etc/mail/certs/sendmail.key')dnl

//the sendmail server private key

134 DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl

//an additional listener on port 465 (smtps) that speaks TLS from the first byte (M=s). Port 25 keeps accepting cleartext sessions and merely offers STARTTLS, so this line alone does not force encryption.

Rebuild sendmail.cf from sendmail.mc and restart sendmail (on RHEL/CentOS the init script runs make -C /etc/mail on start), then check on the server:

[root@mail ~]# telnet 127.0.0.1 25

Trying 127.0.0.1...

Connected to localhost (127.0.0.1).

Escape character is '^]'.

220 mail.sisco.com ESMTP Sendmail 8.13.8/8.13.8; Sun, 5 Aug 2012 21:05:27 +0800

EHLO 127.0.0.1

250-mail.huawei.com Hello localhost [127.0.0.1], pleased to meet you

250-ENHANCEDSTATUSCODES

250-PIPELINING

250-8BITMIME

250-SIZE

250-DSN

250-ETRN

250-STARTTLS   //STARTTLS is advertised, so the client can upgrade this port 25 session to TLS

250-DELIVERBY

250 HELP

Configure user1 and user2 on the client as follows:

[screenshot of the client account settings, not preserved]

Send a message

[screenshot of the message being sent, not preserved]

Aug  5 22:18:05 mail sendmail[4105]: STARTTLS=server, relay=[192.168.10.99], version=TLSv1/SSLv3, verify=NO, cipher=RC4-MD5, bits=128/128

Aug  5 22:18:05 mail sendmail[4105]: q75EI5AE004105: from=<user1@huawei.com>, size=1173, class=0, nrcpts=1, msgid=<86026205572F4FF3BF64B42C4685F2A1@201208231440>, proto=SMTP, daemon=MTA, relay=[192.168.10.99]

Aug  5 22:18:05 mail sendmail[4106]: q75EI5AE004105: to=<user2@huawei.com>, ctladdr=<user1@huiawei.com> (500/500), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=31399, dsn=2.0.0, stat=Sent

The STARTTLS=server line is the proof that the session was encrypted. verify=NO only means the client presented no certificate of its own, which is normal for a mail client. RC4-MD5 is the cipher this 2012 setup negotiated; it is broken and a current TLS stack will not offer it, so on a modern server expect an AES or ChaCha20 suite here.

Case 2: receiving mail over an encrypted connection

Configured on the server "mail.huawei.com", IP address 192.168.10.244

Step 1: create the server's own key, certificate request and certificate

[root@mail certs]# mkdir -pv  /etc/dovecot/certs

mkdir: created directory `/etc/dovecot'

mkdir: created directory `/etc/dovecot/certs'

[root@mail certs]# cd /etc/dovecot/certs

[root@mail certs]# openssl genrsa 1024 > dovecot.key

Generating RSA private key, 1024 bit long modulus

........................++++++

................++++++

e is 65537 (0x10001)

[root@mail certs]# openssl req  -new -key dovecot.key -out dovecot.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [zhengzhou]:

Locality Name (eg, city) [zhengzhou]:

Organization Name (eg, company) [huawei]:

Organizational Unit Name (eg, section) []:mkt

Common Name (eg, your name or your server's hostname) []:pop3.huawei.com

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

[root@mail certs]# openssl  ca -in  dovecot.csr   -out dovecot.cert

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number: 2 (0x2)

        Validity

            Not Before: Aug  5 16:06:29 2012 GMT

            Not After : Aug  5 16:06:29 2013 GMT

        Subject:

            countryName               = CN

            stateOrProvinceName       = zhengzhou

            organizationName          = huawei

            organizationalUnitName    = mkt

            commonName                = pop3.huawei.com

        X509v3 extensions:

            X509v3 Basic Constraints:

                CA:FALSE

            Netscape Comment:

                OpenSSL Generated Certificate

            X509v3 Subject Key Identifier:

                3E:CD:B7:3E:97:97:53:6D:84:73:FB:22:69:F5:F0:86:B2:A2:53:EE

            X509v3 Authority Key Identifier:

keyid:83:95:06:E9:79:B9:02:8B:99:70:B3:8A:DF:7B:80:42:28:F3:FD:5C

Certificate is to be certified until Aug  5 16:06:29 2013 GMT (365 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

[root@mail certs]# chmod 600 *

[root@mail certs]# ll

total 12

-rw------- 1 root root 3096 Aug  6 00:06 dovecot.cert

-rw------- 1 root root  660 Aug  6 00:06 dovecot.csr

-rw------- 1 root root  891 Aug  6 00:05 dovecot.key
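The certificate for sendmail (Case 1, step 2) and the one for dovecot (step 1 of this case) were issued above by hand, with 1024-bit keys and nothing but a commonName. The script below is an added example, not part of the original page: it builds the same CA and issues the same two certificates with 2048-bit keys and a subjectAltName (which is what current clients check, not the CN), then verifies the result the way a mail client would, against the CA and against each hostname a client might use. It signs with openssl x509 -req instead of the page's openssl ca so that it needs no /etc/pki/CA directory layout; the scratch paths and the hostnames are illustrative.

```shell
#!/bin/sh
# Added example, not from the original page.  Builds a private CA and issues
# server certificates as the page does (cakey.pem/cacert.pem, then
# sendmail.key/.csr/.cert and dovecot.key/.csr/.cert), but with 2048-bit keys
# and a subjectAltName, and verifies the result the way a mail client would.
# Assumptions: an openssl binary (1.0.2 or later, for -verify_hostname) and a
# scratch directory; every hostname and path below is illustrative.
set -eu

# make_ca DIR CN : self-signed CA in DIR (private/cakey.pem, cacert.pem)
make_ca() {
    dir=$1; cn=$2
    mkdir -p "$dir/private"
    chmod 700 "$dir/private"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem" \
        -subj "/C=CN/ST=zhengzhou/O=huawei/CN=$cn" 2>/dev/null
    chmod 600 "$dir/private/cakey.pem"
}

# issue_cert CADIR OUTDIR NAME CN [EXTRA_HOST...] : key, CSR and CA-signed
# certificate for one service.  Every name a client may connect to goes into
# the subjectAltName, which is the field TLS clients actually match against.
issue_cert() {
    cadir=$1; out=$2; name=$3; cn=$4; shift 4
    sans="DNS:$cn"
    for h in "$@"; do sans="$sans,DNS:$h"; done
    mkdir -p "$out"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$out/$name.key" -out "$out/$name.csr" \
        -subj "/C=CN/ST=zhengzhou/O=huawei/CN=$cn" 2>/dev/null
    {
        echo 'basicConstraints=CA:FALSE'
        echo 'keyUsage=digitalSignature,keyEncipherment'
        echo 'extendedKeyUsage=serverAuth'
        echo "subjectAltName=$sans"
    } > "$out/$name.ext"
    # openssl x509 -req signs directly with the CA key; the page's
    # `openssl ca` does the same job through the /etc/pki/CA database
    openssl x509 -req -days 365 -in "$out/$name.csr" \
        -CA "$cadir/cacert.pem" -CAkey "$cadir/private/cakey.pem" \
        -CAcreateserial -extfile "$out/$name.ext" \
        -out "$out/$name.cert" 2>/dev/null
    chmod 600 "$out/$name.key" "$out/$name.cert"
}

# verify_cert CADIR CERT HOST : succeeds only if CERT chains to the CA and is
# valid for HOST, i.e. exactly what a correctly configured client requires
verify_cert() {
    openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# cert_key_bits CERT : RSA key size in the certificate (1024 is too small today)
cert_key_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Demonstration in a scratch directory
demo=$(mktemp -d)
make_ca "$demo/CA" ca.huawei.com
issue_cert "$demo/CA" "$demo/mail/certs" sendmail smtp.huawei.com mail.huawei.com
issue_cert "$demo/CA" "$demo/dovecot/certs" dovecot pop3.huawei.com
for h in smtp.huawei.com mail.huawei.com pop3.huawei.com; do
    if verify_cert "$demo/CA" "$demo/mail/certs/sendmail.cert" "$h"; then
        echo "sendmail.cert for $h: OK"
    else
        echo "sendmail.cert for $h: name mismatch"
    fi
done
echo "sendmail.cert key size: $(cert_key_bits "$demo/mail/certs/sendmail.cert") bits"
rm -rf "$demo"
```

Run as is, sendmail.cert is accepted for smtp.huawei.com and mail.huawei.com and rejected for pop3.huawei.com. The same verify_cert check against a certificate fetched from a live server (openssl s_client -connect host:465 -showcerts) tells you whether a client's trust warning is a CA problem or a name mismatch, which is the usual cause when a server is reached as mail.huawei.com but its certificate says smtp.huawei.com.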

Step 2: wire the certificate into dovecot

[root@mail certs]# vim /etc/dovecot.conf

  91 ssl_cert_file = /etc/dovecot/certs/dovecot.cert

  92 ssl_key_file = /etc/dovecot/certs/dovecot.key

(dovecot 1.x syntax; also make sure the protocols line lists the TLS listeners you intend to use, pop3s and/or imaps, and that ssl_disable is not set to yes)

Restart the services

[root@mail certs]# service sendmail restart

Shutting down sm-client:                                   [  OK  ]

Shutting down sendmail:                                    [  OK  ]

Starting sendmail:                                         [  OK  ]

Starting sm-client:                                        [  OK  ]

[root@mail certs]# service dovecot restart

Stopping Dovecot Imap:                                     [  OK  ]

Starting Dovecot Imap:                                     [  OK  ]

Client configuration

[screenshot of the client TLS settings, not preserved]

Testing that mail is sent securely

[two screenshots of the test, not preserved]

Case 3: authenticated sending and receiving

Linux ships an authentication framework for this, cyrus-sasl (installed by default)

Step 1: check the authentication backend configuration and enable it

[root@mail ~]# cat /usr/lib/sasl2/sendmail.conf

pwcheck_method:saslauthd

//sendmail's SASL library hands the credentials to the saslauthd daemon, which on RHEL checks them against the system accounts through PAM by default. Because saslauthd can only verify a password it receives in plaintext, this setup ends up offering only the LOGIN and PLAIN mechanisms, whatever the list below says.

[root@mail ~]# cd /usr/lib/sasl2/

service saslauthd restart

Step 2: edit sendmail's configuration file sendmail.mc

[root@mail ~]# vim /etc/mail/sendmail.mc

39 define(`confAUTH_OPTIONS', `A y')dnl

//A: trust the AUTH= parameter of MAIL FROM only from authenticated senders; y: no anonymous login. There is no p, so LOGIN and PLAIN, which carry the password in the clear, are offered on unencrypted sessions too; add p to restrict them to sessions protected by STARTTLS or smtps.

52 TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

//senders authenticated with one of these mechanisms may relay through this server

53 define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

//mechanisms sendmail is allowed to advertise

116 DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA ,M=Ea ')dnl    //listen on all interfaces; E disables ETRN and a makes authentication mandatory on this listener. Since this is port 25, other mail servers delivering to you cannot authenticate and will be refused; in production put M=Ea on the submission listener (port 587) for your own users and leave port 25 open for inbound MTA traffic.
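The TLS lines from Case 1 step 3 and the AUTH lines just above are what a reviewer would look at first. The script below is an added example, not part of the original page: it holds the page's sendmail.mc fragment beside a hardened variant (p added to confAUTH_OPTIONS, mandatory authentication moved off port 25 onto the submission and smtps listeners) and runs a small audit over both that flags the two settings discussed. Both fragments are constructed samples containing only the relevant lines; the real file is /etc/mail/sendmail.mc, and sendmail.cf must be rebuilt and sendmail restarted after any change.

```shell
#!/bin/sh
# Added example, not part of the original page.  The page's sendmail.mc
# AUTH/TLS lines beside a hardened variant, plus an audit that flags the two
# settings a reviewer would question.  Both configs are constructed samples;
# the real file is /etc/mail/sendmail.mc, and sendmail.cf must be rebuilt
# (make -C /etc/mail) and sendmail restarted after editing it.
set -eu

# The lines as set on the page
page_mc() {
cat <<'EOF'
define(`confAUTH_OPTIONS', `A y')dnl
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA ,M=Ea ')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
EOF
}

# Hardened: p withholds LOGIN/PLAIN until a TLS layer is active; port 25
# accepts unauthenticated MTA-to-MTA mail (relaying stays limited to
# authenticated senders through TRUST_AUTH_MECH); users submit on 587 or
# 465, where authentication is mandatory (M=a)
hardened_mc() {
cat <<'EOF'
define(`confAUTH_OPTIONS', `A p y')dnl
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
DAEMON_OPTIONS(`Port=smtp, Addr=0.0.0.0, Name=MTA, M=E')dnl
DAEMON_OPTIONS(`Port=submission, Addr=0.0.0.0, Name=MSA, M=Ea')dnl
DAEMON_OPTIONS(`Port=smtps, Addr=0.0.0.0, Name=TLSMTA, M=sa')dnl
EOF
}

# auth_options FILE : the letters inside confAUTH_OPTIONS, e.g. "A y"
auth_options() {
    sed -n "s/.*confAUTH_OPTIONS', *\`\([^']*\)'.*/\1/p" "$1"
}

# audit_mc FILE : one finding per line; no output means nothing was flagged
audit_mc() {
    case " $(auth_options "$1") " in
        *p*) ;;
        *) echo "confAUTH_OPTIONS lacks p: LOGIN/PLAIN passwords accepted over cleartext" ;;
    esac
    # M=a on the port 25 (Port=smtp, not smtps) listener locks out other MTAs
    if grep 'DAEMON_OPTIONS' "$1" | grep 'Port=smtp,' | grep -q 'M=[A-Za-z]*a'; then
        echo "M=a on the port 25 listener: unauthenticated MTAs cannot deliver inbound mail"
    fi
}

tmp=$(mktemp -d)
page_mc > "$tmp/page.mc"
hardened_mc > "$tmp/hardened.mc"
for f in page hardened; do
    echo "== $f.mc"
    audit_mc "$tmp/$f.mc"
done
rm -rf "$tmp"
```

The audit is deliberately narrow: it reads the m4 source, not the generated sendmail.cf, so run it on sendmail.mc before rebuilding. The page's fragment produces both findings, the hardened one none.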

Step 3: start the authentication service and test with a login

[root@mail ~]# service saslauthd start

Starting saslauthd:                                        [  OK  ]

Test:

AUTH LOGIN expects the username and the password as two separate base64-encoded strings (base64 encoding, not "64-bit"); produce them with openssl, using -n so the trailing newline is not encoded into the credential:

echo -n "user1@huawei.com" | openssl base64

echo -n "123456" | openssl base64

[root@mail ~]# telnet 127.0.0.1 25

Trying 127.0.0.1...

Connected to localhost (127.0.0.1).

Escape character is '^]'.

220 mail.huawei.com ESMTP Sendmail 8.13.8/8.13.8; Mon, 6 Aug 2012 14:01:26 +0800

EHLO 127.0.0.1

250-mail.huawei.com Hello localhost [127.0.0.1], pleased to meet you

250-ENHANCEDSTATUSCODES

250-PIPELINING

250-8BITMIME

250-SIZE

250-DSN

250-ETRN

250-AUTH LOGIN PLAIN   //only the plaintext-password mechanisms, because saslauthd cannot verify the others; they are offered here on a cleartext session because confAUTH_OPTIONS has no p

250-STARTTLS

250-DELIVERBY

250 HELP

AUTH LOGIN cm9vdEBodWF3ZWkuY29t   //this value decodes to root@huawei.com, not user1; in practice authenticate as an unprivileged account, never root

334 UGFzc3dvcmQ6

MTIzNDU2

235 2.0.0 OK Authenticated

mail from:user1@huawei.com

250 2.1.0 user1@huawei.com... Sender ok

rcpt to:user2@huawei.com

250 2.1.5 user2@huawei.com... Recipient ok

data

354 Enter mail, end with "." on a line by itself

subject:ok1111

ok111

.

250 2.0.0 q7661Q8B003877 Message accepted for delivery

500 5.5.1 Command unrecognized: ""   //caused by an empty line typed after the message was accepted; harmless

quit

221 2.0.0 mail.huawei.com closing connection

Connection closed by foreign host.

[root@mail ~]# su - user2

[user2@mail ~]$ mail

Mail version 8.1 6/6/93.  Type ? for help.

"/var/spool/mail/user2": 1 message 1 new

>N  1 user1@huawei.com      Mon Aug  6 14:03  13/414   "ok1111"

&

Message 1:

From user1@huawei.com  Mon Aug  6 14:03:59 2012

Date: Mon, 6 Aug 2012 14:01:26 +0800

From: user1@huawei.com

subject: ok1111

ok111

& q
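The telnet session above shows the three things that go wrong most often when SMTP AUTH is tested by hand: credentials encoded with a stray newline, AUTH PLAIN built without its NUL separators, and a password typed into a session that is still in the clear. The script below is an added example, not part of the original page: it builds AUTH LOGIN and AUTH PLAIN credentials correctly, decodes the identity a captured AUTH LOGIN really used, and checks an EHLO reply for LOGIN/PLAIN being offered before STARTTLS. The two EHLO replies are constructed, one from the page's session and one showing what sendmail advertises on a cleartext session once p is set in confAUTH_OPTIONS.

```shell
#!/bin/sh
# Added example, not from the original page.  Produces SMTP AUTH credentials
# correctly (AUTH LOGIN and AUTH PLAIN), decodes what a captured session
# really logged in as, and checks an EHLO reply for LOGIN/PLAIN being offered
# before STARTTLS.  Needs only openssl; the EHLO replies are constructed from
# the page's session and from what sendmail sends with the p option set.
set -eu

# One-line base64 without wrapping; $(...) drops any trailing newline, so
# exactly one is appended
b64()   { printf '%s\n' "$(openssl base64 -A)"; }
unb64() { printf '%s' "$1" | openssl base64 -d -A; }

# auth_login_lines USER PASS : the two replies to "334 VXNlcm5hbWU6" and
# "334 UGFzc3dvcmQ6" (or USER as the argument of AUTH LOGIN, as on the page)
auth_login_lines() {
    printf '%s' "$1" | b64
    printf '%s' "$2" | b64
}

# auth_plain_line USER PASS : RFC 4616 initial response, NUL user NUL pass,
# sent as one line: AUTH PLAIN <this>
auth_plain_line() {
    printf '\0%s\0%s' "$1" "$2" | b64
}

# auth_login_user B64 : the identity behind a captured "AUTH LOGIN <b64>"
auth_login_user() { unb64 "$1"; }

# ehlo_plaintext_auth REPLY : succeeds when the reply comes from a session
# that has not negotiated TLS yet (STARTTLS still advertised) and still
# offers LOGIN or PLAIN, i.e. the password would cross the wire in the clear
ehlo_plaintext_auth() {
    printf '%s\n' "$1" | grep -q '^250[- ]STARTTLS' &&
    printf '%s\n' "$1" | grep '^250[- ]AUTH' | grep -Eq 'LOGIN|PLAIN'
}

# Constructed: the EHLO reply the page shows on port 25 (confAUTH_OPTIONS `A y')
PAGE_EHLO='250-mail.huawei.com Hello localhost [127.0.0.1], pleased to meet you
250-AUTH LOGIN PLAIN
250-STARTTLS
250 HELP'

# Constructed: the same server with `A p y', before STARTTLS has been issued
HARDENED_EHLO='250-mail.huawei.com Hello localhost [127.0.0.1], pleased to meet you
250-AUTH DIGEST-MD5 CRAM-MD5
250-STARTTLS
250 HELP'

report() {
    if ehlo_plaintext_auth "$2"; then
        echo "$1: LOGIN/PLAIN offered on a cleartext session"
    else
        echo "$1: cleartext password mechanisms withheld until TLS"
    fi
}

echo "AUTH LOGIN lines for user1:"; auth_login_lines user1@huawei.com 123456
echo "AUTH PLAIN $(auth_plain_line user1@huawei.com 123456)"
echo "page session authenticated as: $(auth_login_user cm9vdEBodWF3ZWkuY29t)"
report page "$PAGE_EHLO"
report hardened "$HARDENED_EHLO"
```

To test against the real server without typing a password into a cleartext session, open the connection with openssl s_client -connect 127.0.0.1:25 -starttls smtp (or -connect 127.0.0.1:465 for smtps) and issue EHLO and AUTH inside the TLS session; with p set, the plaintext mechanisms appear only there.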

Testing with the Outlook client

On the client host, set up a new account for a user named user5

Authentication fails, because user5 does not yet exist on the server and saslauthd verifies against the server's system accounts:

[screenshot of the Outlook authentication error, not preserved]

Create the user5 account on the server

[root@mail ~]# useradd user5

[root@mail ~]# passwd user5

Changing password for user user5.

New UNIX password:

BAD PASSWORD: it is WAY too short

Retype new UNIX password:

passwd: all authentication tokens updated successfully.

Now authentication succeeds. Note that passwd only warns about the short password because root is setting it; this is the password AUTH LOGIN sends, so choose a proper one.

Yep, Han Yu was right!!!