Mail-system security is achieved in two ways:
First: sending and receiving (encrypted at the protocol level)
Encrypting sending (point-to-point, i.e. the link between client and server):
Combine the SMTP protocol with SSL -> SMTPS
smtps:
1: use port 465 (smtps)
2: encrypt directly on port 25: smtp + ssl (i.e. STARTTLS)
Check whether STARTTLS support was compiled in
Check whether encryption was enabled at compile time:
3: (end-to-end) encrypt the message content itself with a third-party tool (gpg), or with S/MIME.
Encrypting receiving:
Combine the POP2/POP3 protocol with SSL -> POPS
Combine the IMAP protocol with SSL -> IMAPS
Second: authentication
Enable STARTTLS for encryption:
Build the certificate authority (CA):
[root@mail ~]# cd /etc/pki/
[root@mail pki]# ll
total 36
drwx------ 3 root root 4096 Feb 9 00:16 CA
drwxr-xr-x 4 root root 4096 Mar 20 10:27 dovecot
drwxr-xr-x 2 root root 4096 Feb 9 00:15 nssdb
drwxr-xr-x 2 root root 4096 Feb 9 00:15 rpm-gpg
drwxr-xr-x 5 root root 4096 Mar 20 19:37 tls
[root@mail pki]# vim tls/openssl.cnf
[root@mail pki]# cd CA   # change to the CA directory
[root@mail CA]# mkdir certs crl newcerts   # create the three directories
[root@mail CA]# touch index.txt serial   # create the two files
[root@mail CA]# echo "01" >serial   # give serial its starting number
[root@mail CA]# ll   # list
total 24
drwxr-xr-x 2 root root 4096 Mar 20 20:08 certs
drwxr-xr-x 2 root root 4096 Mar 20 20:08 crl
-rw-r--r-- 1 root root 0 Mar 20 20:08 index.txt
drwxr-xr-x 2 root root 4096 Mar 20 20:08 newcerts
drwx------ 2 root root 4096 Jun 30 2009 private
-rw-r--r-- 1 root root 3 Mar 20 20:09 serial
Create the CA private key:
[root@mail CA]# openssl genrsa 1024 >private/cakey.pem
Generating RSA private key, 1024 bit long modulus
..........++++++
.++++++
e is 65537 (0x10001)
Create the CA certificate (the CA's "business licence"):
[root@mail CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:BEIJING
Locality Name (eg, city) [Newbury]:BEIJING
Organization Name (eg, company) [My Company Ltd]:SECCENTER
Organizational Unit Name (eg, section) []:tec
Common Name (eg, your name or your server's hostname) []:rootca.net.net
Email Address []:
[root@localhost CA]# ll
total 28
-rw-r--r-- 1 root root 1155 Mar 20 20:17 cacert.pem
drwxr-xr-x 2 root root 4096 Mar 20 20:08 certs
drwxr-xr-x 2 root root 4096 Mar 20 20:08 crl
-rw-r--r-- 1 root root 0 Mar 20 20:08 index.txt
drwxr-xr-x 2 root root 4096 Mar 20 20:08 newcerts
drwx------ 2 root root 4096 Mar 20 20:11 private
-rw-r--r-- 1 root root 3 Mar 20 20:09 serial
[root@mail CA]# chmod 600 private/*   # restrict permissions on the key
[root@mail CA]# mkdir /etc/mail/certs   # create the directory
[root@mail CA]# cd /etc/mail/certs/   # change to it
[root@mail certs]# ll   # list
total 0
Generate the server key:
[root@mail certs]# openssl genrsa 1024 >sendmail.key
Generating RSA private key, 1024 bit long modulus
...........++++++
.++++++
e is 65537 (0x10001)
Create a certificate request from the key:
[root@mail certs]# openssl req -new -key sendmail.key -out sendmail.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HENAN
Locality Name (eg, city) [Newbury]:ZHENGZHOU
Organization Name (eg, company) [My Company Ltd]:zzdx
Organizational Unit Name (eg, section) []:tec
Common Name (eg, your name or your server's hostname) []:mail.bj.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Obtain the certificate from the request:
[root@mail certs]# openssl ca -in sendmail.csr -out sendmail.cert
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar 20 12:27:04 2012 GMT
Not After : Mar 20 12:27:04 2013 GMT
Subject:
countryName = CN
stateOrProvinceName = HENAN
organizationName = zzdx
organizationalUnitName = tec
commonName = mail.bj.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
54:FA:EA:A7:E0:8B:72:DF:57:37:4E:41:84:AA:BA:1A:AB:C4:B7:C9
X509v3 Authority Key Identifier:
keyid:8F:9B:34:8D:DA:DD:63:D5:0B:07:AF:F4:E4:E0:C9:6C:04:44:65:CC
Certificate is to be certified until Mar 20 12:27:04 2013 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@mail certs]# ll   # view the certificate
total 12
-rw-r--r-- 1 root root 3075 Mar 20 20:27 sendmail.cert
-rw-r--r-- 1 root root 647 Mar 20 20:23 sendmail.csr
-rw-r--r-- 1 root root 887 Mar 20 20:19 sendmail.key
[root@mail certs]# cp /etc/pki/CA/cacert.pem .   # copy the CA certificate into the current directory
[root@mail certs]# ll   # list
total 16
-rw-r--r-- 1 root root 1155 Mar 12 12:07 cacert.pem
-rw-r--r-- 1 root root 3074 Mar 12 12:06 sendmail.cert
-rw-r--r-- 1 root root 647 Mar 12 12:05 sendmail.csr
-rw-r--r-- 1 root root 887 Mar 12 12:02 sendmail.key
[root@mail certs]# cd ..
[root@mail mail]# vim sendmail.mc   # edit the sendmail configuration script
[root@mail mail]# service sendmail restart   # restart sendmail
Shutting down sm-client: [ OK ]
Shutting down sendmail: [ OK ]
Starting sendmail: [ OK ]
Starting sm-client: [ OK ]
Check the log: tail -f /var/log/maillog
[root@mail mail]# cd certs/
[root@mail certs]# ll
total 16
-rw-r--r-- 1 root root 1155 Mar 12 12:07 cacert.pem
-rw-r--r-- 1 root root 3074 Mar 12 12:06 sendmail.cert
-rw-r--r-- 1 root root 647 Mar 12 12:05 sendmail.csr
-rw-r--r-- 1 root root 887 Mar 12 12:02 sendmail.key
[root@mail certs]# chmod 600 *   # restrict permissions
[root@mail certs]# ll
total 16
-rw------- 1 root root 1155 Mar 12 12:07 cacert.pem
-rw------- 1 root root 3074 Mar 12 12:06 sendmail.cert
-rw------- 1 root root 647 Mar 12 12:05 sendmail.csr
-rw------- 1 root root 887 Mar 12 12:02 sendmail.key
[root@mail certs]# service sendmail restart
Shutting down sm-client: [ OK ]
Shutting down sendmail: [ OK ]
Starting sendmail: [ OK ]
Starting sm-client: [ OK ]
Create the user user1
Change user1's account properties:
Set the DNS records to point at the server
Send a mail to yourself:
Check the log: (STARTTLS started)
Install a packet-capture tool and capture the account credentials from plaintext mail:
[root@mail ~]# cd /mnt/cdrom/Server/
[root@mail Server]# vim /etc/yum.repos.d/rhel-debuginfo.repo
[root@mail Server]# yum list all |grep wir   # search for packages containing "wir"
Repository rhel-server is listed more than once in the configuration
This system is not registered with RHN.
RHN support will be disabled.
wireless-tools.i386 1:28-2.el5 installed
wireshark.i386 1.0.8-1.el5_3.1 rhel-server
wireless-tools-devel.i386 1:28-2.el5 rhel-server
wireshark-gnome.i386 1.0.8-1.el5_3.1 rhel-server
[root@mail Server]# yum install wireshark   # install wireshark
Start the capture tool: (when the user receives mail, the username and password are shown in the clear)
For security and for the users' sake, receiving must be encrypted as well:
[root@mail certs]# mkdir -pv /etc/dovecot/certs   # create the directory
mkdir: created directory `/etc/dovecot`
mkdir: created directory `/etc/dovecot/certs`
[root@mail certs]# cd /etc/dovecot/certs/   # change to the certs directory
Generate the key:
[root@mail certs]# openssl genrsa 1024 >dovecot.key
Generating RSA private key, 1024 bit long modulus
...........++++++
.++++++
e is 65537 (0x10001)
Generate the certificate request:
[root@mail certs]# openssl req -new -key dovecot.key -out dovecot.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HENAN
Locality Name (eg, city) [Newbury]:ZHENGZHOU
Organization Name (eg, company) [My Company Ltd]:zzdx
Organizational Unit Name (eg, section) []:tec
Common Name (eg, your name or your server's hostname) []:pop3.bj.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Obtain the certificate:
[root@mail certs]# openssl ca -in dovecot.csr -out dovecot.cert
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Mar 20 12:27:04 2012 GMT
Not After : Mar 20 12:27:04 2013 GMT
Subject:
countryName = CN
stateOrProvinceName = HENAN
organizationName = zzdx
organizationalUnitName = tec
commonName = pop3.bj.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
54:FA:EA:A7:E0:8B:72:DF:57:37:4E:41:84:AA:BA:1A:AB:C4:B7:C9
X509v3 Authority Key Identifier:
keyid:8F:9B:34:8D:DA:DD:63:D5:0B:07:AF:F4:E4:E0:C9:6C:04:44:65:CC
Certificate is to be certified until Mar 20 12:27:04 2013 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@mail certs]# ll   # view the certificate
total 16
-rw-r--r-- 1 root root 3074 Mar 12 12:06 dovecot.cert
-rw-r--r-- 1 root root 647 Mar 12 12:05 dovecot.csr
-rw-r--r-- 1 root root 887 Mar 12 12:02 dovecot.key
[root@mail certs]# chmod 600 *   # restrict permissions
[root@mail certs]# ll
total 16
-rw------- 1 root root 3074 Mar 12 12:06 dovecot.cert
-rw------- 1 root root 647 Mar 12 12:05 dovecot.csr
-rw------- 1 root root 887 Mar 12 12:02 dovecot.key
[root@mail certs]# vim /etc/dovecot.conf   # edit the configuration
[root@mail certs]# service dovecot restart   # restart dovecot
Stopping Dovecot Imap: [ OK ]
Starting Dovecot Imap: [ OK ]
[root@mail certs]# netstat -tupln |grep dov   # check the listening ports
tcp 0 0 :::993 :::* LISTEN 4757/dovecot
tcp 0 0 :::110 :::* LISTEN 4757/dovecot
tcp 0 0 :::143 :::* LISTEN 4757/dovecot
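The CA-building steps above and the dovecot steps that repeat them for pop3.bj.com, as one non-interactive script. This is an added example, not the page's own commands; it assumes a base directory passed as the first argument and signs with openssl x509 -req -CA instead of openssl ca, so it needs none of the index.txt/serial setup.

```shell
#!/bin/sh
# Added example, not the page's own commands: the CA and certificate steps
# above done non-interactively, for both the sendmail (mail.bj.com) and the
# dovecot (pop3.bj.com) certificate. Assumptions: everything is built under
# the directory given as $1, and signing uses "openssl x509 -req -CA" rather
# than "openssl ca", so no index.txt/serial database is needed.
set -eu

make_ca() {                       # $1 = base dir
    mkdir -p "$1/CA/private"
    chmod 700 "$1/CA/private"
    openssl genrsa -out "$1/CA/private/cakey.pem" 2048 2>/dev/null
    chmod 600 "$1/CA/private/cakey.pem"
    # self-signed CA certificate, valid 10 years as on the page
    openssl req -new -x509 -key "$1/CA/private/cakey.pem" -days 3650 \
        -subj "/C=CN/ST=BEIJING/L=BEIJING/O=SECCENTER/OU=tec/CN=rootca.net.net" \
        -out "$1/CA/cacert.pem"
}

issue_server_cert() {             # $1 = base dir, $2 = service, $3 = hostname
    d="$1/$2/certs"
    mkdir -p "$d"
    openssl genrsa -out "$d/$2.key" 2048 2>/dev/null
    openssl req -new -key "$d/$2.key" -out "$d/$2.csr" \
        -subj "/C=CN/ST=HENAN/L=ZHENGZHOU/O=zzdx/OU=tec/CN=$3"
    # clients match the host name against subjectAltName, so set it explicitly
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$3" > "$d/$2.ext"
    openssl x509 -req -in "$d/$2.csr" -CA "$1/CA/cacert.pem" \
        -CAkey "$1/CA/private/cakey.pem" -CAcreateserial -days 365 \
        -extfile "$d/$2.ext" -out "$d/$2.cert" 2>/dev/null
    cp "$1/CA/cacert.pem" "$d/"
    chmod 600 "$d"/*              # root-only, as the page does before restarting
}

# succeeds only if the cert chains to our CA and names the expected host
verify_server_cert() {            # $1 = base dir, $2 = service, $3 = hostname
    d="$1/$2/certs"
    openssl verify -CAfile "$d/cacert.pem" "$d/$2.cert" >/dev/null &&
        openssl x509 -in "$d/$2.cert" -noout -text | grep -q "DNS:$3"
}

if [ -n "${1:-}" ]; then
    make_ca "$1"
    issue_server_cert "$1" sendmail mail.bj.com
    issue_server_cert "$1" dovecot pop3.bj.com
    verify_server_cert "$1" sendmail mail.bj.com
    verify_server_cert "$1" dovecot pop3.bj.com
fi
```

Each service directory ends up with the key, CSR, certificate and a copy of cacert.pem, matching the /etc/mail/certs and /etc/dovecot/certs listings above.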
Test with a client (on the encrypted ports):
A new user must be created:
Change user user1's account properties:
Then have user1 receive mail and check the log:
Authentication: SASL (Simple Authentication and Security Layer); the authentication server is saslauthd
Check the related packages:
[root@mail Server]# cd
[root@mail ~]# rpm -qa |grep sasl
cyrus-sasl-lib-2.1.22-5.el5   # library package
cyrus-sasl-2.1.22-5.el5   # (the essential package)
cyrus-sasl-devel-2.1.22-5.el5   # development package
cyrus-sasl-plain-2.1.22-5.el5   # authentication-mechanism package
[root@mail ~]# cd /mnt/cdrom/Server/   # change to the installation media
[root@mail Server]# ll |grep sasl   # look for the sasl packages
-r--r--r-- 103 root root 1251623 Jul 29 2009 cyrus-sasl-2.1.22-5.el5.i386.rpm
-r--r--r-- 99 root root 1418364 Jul 29 2009 cyrus-sasl-devel-2.1.22-5.el5.i386.rpm
-r--r--r-- 103 root root 28967 Jul 29 2009 cyrus-sasl-gssapi-2.1.22-5.el5.i386.rpm
-r--r--r-- 103 root root 24390 Jul 29 2009 cyrus-sasl-ldap-2.1.22-5.el5.i386.rpm
-r--r--r-- 103 root root 129180 Jul 29 2009 cyrus-sasl-lib-2.1.22-5.el5.i386.rpm
-r--r--r-- 103 root root 46415 Jul 29 2009 cyrus-sasl-md5-2.1.22-5.el5.i386.rpm
-r--r--r-- 103 root root 32054 Jul 29 2009 cyrus-sasl-ntlm-2.1.22-5.el5.i386.rpm
-r--r--r-- 103 root root 27027 Jul 29 2009 cyrus-sasl-plain-2.1.22-5.el5.i386.rpm
-r--r--r-- 103 root root 27330 Jul 29 2009 cyrus-sasl-sql-2.1.22-5.el5.i386.rpm
-r--r--r-- 278 root root 39119 Jan 19 2007 gnu-crypto-sasl-jdk1.4-2.1.0-2jpp.1.i386.rpm
[root@mail Server]# chkconfig --list |grep sasl   # check the authentication server's state
saslauthd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[root@mail Server]# service saslauthd start   # start saslauthd
Starting saslauthd: [ OK ]
[root@mail Server]# chkconfig saslauthd on   # enable it at boot
[root@mail Server]# vim /usr/lib/sasl2/Sendmail.conf   # edit the SASL configuration for sendmail
[root@mail Server]# vim /etc/mail/sendmail.mc   # edit the sendmail configuration script
[root@mail Server]# service sendmail restart   # restart sendmail
Shutting down sm-client: [ OK ]
Shutting down sendmail: [ OK ]
Starting sendmail: [ OK ]
Starting sm-client: [ OK ]
Test authentication:
[root@mail Server]# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to mail.bj.com (127.0.0.1).
Escape character is '^]'.
220 mail.bj.com ESMTP Sendmail 8.13.8/8.13.8; Mon, 12 Mar 2012 17:48:52 +0800
EHLO 127.0.0.1
250-mail.bj.com Hello mail.bj.com [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP
MAIL FROM:[email protected]   # authentication is available, yet anonymous sending still works
250 2.1.0 [email protected]... Sender ok   # the mail is accepted, showing authentication is not enforced
quit
221 2.0.0 mail.bj.com closing connection
Connection closed by foreign host.
Edit the sendmail configuration script so that sending users are forced to authenticate:
[root@mail Server]# vim /etc/mail/sendmail.mc
[root@mail Server]# service sendmail restart   # restart sendmail
Shutting down sm-client: [ OK ]
Shutting down sendmail: [ OK ]
Starting sendmail: [ OK ]
Starting sm-client: [ OK ]
Run the authentication test again: send a mail
[root@mail Server]# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to mail.bj.com (127.0.0.1).
Escape character is '^]'.
220 mail.bj.com ESMTP Sendmail 8.13.8/8.13.8; Mon, 12 Mar 2012 18:29:08 +0800
EHLO 127.0.0.1
250-mail.bj.com Hello mail.bj.com [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP
MAIL FROM:[email protected]
530 5.7.0 Authentication required   # authentication required; an unauthenticated user cannot send
AUTH LOGIN cm9vdA==   # enter a valid username, base64-encoded
334 UGFzc3dvcmQ6
MTIzNDU2
235 2.0.0 OK Authenticated
MAIL FROM:[email protected]   # after authenticating, enter root's mailbox again
250 2.1.0 [email protected]... Sender ok
RCPT TO:[email protected]
250 2.1.5 [email protected]... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
4444444444444   # message body
.   # end of message
250 2.0.0 q2CAT8jA005317 Message accepted for delivery
quit   # exit
221 2.0.0 mail.bj.com closing connection
Connection closed by foreign host.
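The two telnet sessions above show AUTH LOGIN being offered and used on the plain port 25 connection, which is exactly what the wireshark capture earlier relied on. As an added example (not from the page), this script audits a session transcript and flags any AUTH sent before STARTTLS; the two transcripts are constructed from the page's dialogue.

```shell
#!/bin/sh
# Added example, not from the page: audit an SMTP transcript such as the
# telnet sessions above for credentials sent before STARTTLS. The transcripts
# are constructed from the page's dialogue; [email protected] is left as the page
# shows it. Needs only POSIX sh and awk.

# Reads a transcript on stdin: lines starting with a 3-digit code are server
# replies, everything else is client input. Exit status 1 if AUTH preceded TLS.
audit_smtp_session() {
    awk '
        BEGIN { bad = 0; tls = 0; pending = 0 }
        /^250-AUTH / && !tls { adv = $0 }        # mechanisms offered in the clear
        /^STARTTLS/          { pending = 1; next }
        /^220 / && pending   { tls = 1; pending = 0; next }
        /^AUTH / && tls      { print "OK: " $1 " " $2 " after STARTTLS" }
        /^AUTH / && !tls     { bad = 1; print "FINDING: " $1 " " $2 " sent in cleartext" }
        END { if (adv != "") print "NOTE: offered before TLS: " adv; exit bad }'
}

# Constructed: the second telnet session above, AUTH LOGIN on the plain port 25.
CLEARTEXT_SESSION='220 mail.bj.com ESMTP Sendmail 8.13.8/8.13.8
EHLO 127.0.0.1
250-mail.bj.com Hello mail.bj.com [127.0.0.1], pleased to meet you
250-AUTH LOGIN PLAIN
250-STARTTLS
250 HELP
AUTH LOGIN cm9vdA==
334 UGFzc3dvcmQ6
MTIzNDU2
235 2.0.0 OK Authenticated
quit'

# Constructed: the same login, issued only after the client upgraded with STARTTLS.
TLS_SESSION='220 mail.bj.com ESMTP Sendmail 8.13.8/8.13.8
EHLO 127.0.0.1
250-STARTTLS
250 HELP
STARTTLS
220 2.0.0 Ready to start TLS
EHLO 127.0.0.1
250-AUTH LOGIN PLAIN
250 HELP
AUTH LOGIN cm9vdA==
334 UGFzc3dvcmQ6
MTIzNDU2
235 2.0.0 OK Authenticated
quit'

printf '%s\n' "$CLEARTEXT_SESSION" | audit_smtp_session || echo "cleartext session: exposed"
printf '%s\n' "$TLS_SESSION" | audit_smtp_session && echo "tls session: fine"
```

On sendmail the matching fix is the p flag in confAUTH_OPTIONS in sendmail.mc, which withholds PLAIN and LOGIN until a TLS layer is active.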
[root@mail Server]# su - user1
[user1@mail ~]$ mail
Mail version 8.1 6/6/93. Type ? for help.
"/var/spool/mail/user1": 2 messages 1 new
1 [email protected] Sun Mar 11 23:30 13/542 "DON'T DELETE THIS MESSAGE -- FOLDER INTE"
>N 2 [email protected] Mon Mar 12 18:41 12/390
& 2   # read message 2
Message 2:
From [email protected] Mon Mar 12 18:41:28 2012
Date: Mon, 12 Mar 2012 18:29:08 +0800
From: root <[email protected]>
4444444444444
& exit   # quit
On Windows, send a mail from user user1 to itself:
During sending an error message appears:
Check the log; you will see:
For sending to succeed, user1's account must be set so that the outgoing-server login uses the same configuration as receiving mail; then send:
Write a mail to root:
Check the log: