Linux Mail Server in Practice: Securing the Mail System [Linux Security]
Contents:
I: Integrating sendmail with a CA to encrypt sending
II: Integrating dovecot with a CA to encrypt receiving
III: Enabling authentication in sendmail
Mail security overview: SMTP, POP3, IMAP, SMTPS
1. Port 465 (SMTPS)
2. SMTP + SSL (STARTTLS)
Adding SMTPS to the mail server:
SMTPS: offers an SSL/TLS-encrypted service to users on a separate port, listening on 465.
STARTTLS: offers both encrypted and unencrypted service on the same port, 25.
S/MIME, GPG; POP3 → POP3S
Authentication: SASL
[root@mail ~]# sendmail -d0.1 -bv   # show sendmail's build details and check whether STARTTLS support was compiled into the binary; if STARTTLS appears in the list, encrypted sending is supported
NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS
[root@mail ~]# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to mail.bj.com (127.0.0.1).
Escape character is '^]'.
220 mail.bj.com ESMTP Sendmail 8.13.8/8.13.8; Fri, 23 Mar 2012 16:16:04 +0800
EHLO 127.0.0.1
250-mail.bj.com Hello mail.bj.com [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
quit
221 2.0.0 mail.bj.com closing connection
Connection closed by foreign host.
As the output shows, STARTTLS is not among the advertised extensions, so encryption is not supported yet; it has to be configured, as described below.
For the basic configuration of the mail system, see the author's earlier posts:
Linux Mail Server in Practice: a sendmail mail system case study
http://xjzhujunjie.blog.51cto.com/3582724/815292
Linux Mail Server in Practice: an introduction to the mail system
http://xjzhujunjie.blog.51cto.com/3582724/815261
I: Integrating sendmail with a CA to encrypt sending:
① Create the CA certificate:
[root@ftp ~]# cd /etc/pki/
[root@ftp pki]# ll
[root@ftp pki]# vim tls/openssl.cnf
dir = /etc/pki/CA
countryName = optional
stateOrProvinceName = optional
organizationName = optional
[root@ftp pki]# cd CA/
[root@ftp CA]# mkdir certs newcerts crl
[root@ftp CA]# touch index.txt serial
[root@ftp CA]# echo "01" >serial
[root@ftp CA]# ll
[root@ftp CA]# openssl genrsa 1024 > private/cakey.pem
Generating RSA private key, 1024 bit long modulus
...........++++++ ....++++++
e is 65537 (0x10001)
[root@ftp CA]# chmod 600 private/cakey.pem
[root@ftp CA]# ll private/cakey.pem
-rw------- 1 root root 887 Feb 10 23:22 private/cakey.pem
[root@ftp CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 888
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:henan
Locality Name (eg, city) [Newbury]:zhengzhou
Organization Name (eg, company) [My Company Ltd]:junjie
Organizational Unit Name (eg, section) []:soft
Common Name (eg, your name or your server's hostname) []:ca.junjie.com
Email Address []:junjie@junjie.com
[root@ftp CA]# ll
[root@ftp CA]# chmod 600 cacert.pem
[root@ftp CA]# ll
② Issue a certificate for the sendmail server:
[root@mail CA]# mkdir /etc/mail/certs
[root@mail CA]# cd /etc/mail/certs
[root@mail certs]# openssl genrsa 1024 > sendmail.key
Generating RSA private key, 1024 bit long modulus
.................................++++++ ...........++++++
e is 65537 (0x10001)
[root@mail certs]# openssl req -new -key sendmail.key -out sendmail.csr
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:henan
Locality Name (eg, city) [Newbury]:zhengzhou
Organization Name (eg, company) [My Company Ltd]:junjie
Organizational Unit Name (eg, section) []:tec
Common Name (eg, your name or your server's hostname) []:mail.bj.com
Email Address []:root@bj.com
[root@mail certs]# openssl ca -in sendmail.csr -out sendmail.crt
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
[root@mail certs]# chmod 600 *
[root@mail certs]# ll
total 12
-rw------- 1 root root 3214 Mar 23 16:35 sendmail.crt
-rw------- 1 root root 688 Mar 23 16:32 sendmail.csr
-rw------- 1 root root 887 Mar 23 16:30 sendmail.key
③ Make the sendmail service use the certificate
The three required files are in place and the certificate has been issued. Next, edit the configuration file /etc/mail/sendmail.mc so that sendmail uses the certificate:
[root@mail certs]# cd /etc/mail/certs/
[root@mail certs]# cp /etc/pki/CA/cacert.pem .
[root@mail certs]# vim /etc/mail/sendmail.mc
21 define(`confLOG_LEVEL', `9')dnl
60 define(`confCACERT_PATH', `/etc/mail/certs')dnl
61 define(`confCACERT', `/etc/mail/certs/cacert.pem')dnl
62 define(`confSERVER_CERT', `/etc/mail/certs/sendmail.crt')dnl
63 define(`confSERVER_KEY', `/etc/mail/certs/sendmail.key')dnl
134 DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
Save and restart the service. Line 134 makes sendmail listen on the smtps port (465); line 21 turns up logging (log level 9) so the TLS handshakes appear in the log.
[root@mail certs]# service sendmail restart
Shutting down sm-client: [ OK ]
Shutting down sendmail: [ OK ]
Starting sendmail: [ OK ]
Starting sm-client: [ OK ]
④ Test with telnet
[root@mail certs]# telnet mail.bj.com 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.bj.com ESMTP Sendmail 8.13.8/8.13.8; Fri, 23 Mar 2012 16:54:22 +0800
EHLO mail.bj.com
250-mail.bj.com Hello mail.bj.com [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP
quit
221 2.0.0 mail.bj.com closing connection
Connection closed by foreign host.
This time STARTTLS is listed among the extensions, so encryption is now supported.
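The telnet check above, done programmatically, as an added example that is not part of the original post: parse_ehlo() reads an EHLO reply like the two shown and reports whether STARTTLS is advertised, and check_starttls() negotiates the upgrade against a live server while verifying its certificate with the CA file from the post. The host mail.bj.com and the cacert.pem path come from the post; the EHLO transcripts are constructed from it and the function names are mine.

```python
import re
import smtplib
import ssl
import sys

# Constructed EHLO replies mirroring the two telnet sessions in the post:
# before the change STARTTLS is absent, afterwards the server advertises it.
EHLO_BEFORE = """250-mail.bj.com Hello mail.bj.com [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP"""
EHLO_AFTER = EHLO_BEFORE.replace("250-ETRN\n", "250-ETRN\n250-STARTTLS\n")

def parse_ehlo(reply: str) -> dict:
    """Turn a multi-line 250 EHLO reply into {EXTENSION: parameters}.
    The first line is the greeting (hostname and banner), not an extension."""
    exts = {}
    for line in reply.strip().splitlines()[1:]:
        m = re.match(r"250[- ](\S+)\s*(.*)", line)
        if m:
            exts[m.group(1).upper()] = m.group(2)
    return exts

def advertises_starttls(reply: str) -> bool:
    return "STARTTLS" in parse_ehlo(reply)

def check_starttls(host: str, port: int = 25,
                   cafile: str = "/etc/mail/certs/cacert.pem") -> dict:
    """Live check: EHLO, then upgrade with STARTTLS while verifying the server
    certificate against the CA that signed it (cacert.pem from the post).
    Hypothetical helper, not part of the post or of sendmail."""
    ctx = ssl.create_default_context(cafile=cafile)
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return {"starttls": False}
        smtp.starttls(context=ctx)   # raises ssl.SSLError if verification fails
        smtp.ehlo()                  # capabilities must be re-read after the upgrade
        name, proto, bits = smtp.sock.cipher()
        return {"starttls": True, "protocol": proto, "cipher": name, "bits": bits}

if __name__ == "__main__":
    print(check_starttls(sys.argv[1] if len(sys.argv) > 1 else "mail.bj.com"))
```

Current OpenSSL security policies commonly reject the 1024-bit RSA keys generated above, so a modern client may refuse the handshake until the keys are regenerated at 2048 bits or more.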
⑤ Send a test message from Outlook Express on Windows:
Log analysis:
[root@mail ~]# tail -f /var/log/maillog
Mar 23 17:50:17 mail sendmail[3129]: STARTTLS=server, relay=[10.106.6.200], version=TLSv1/SSLv3, verify=NO, cipher=RC4-MD5, bits=128/128
Mar 23 17:50:57 mail sendmail[3129]: q2N9oHfJ003129: from=
Mar 23 17:50:57 mail sendmail[3132]: q2N9oHfJ003129: to=
Mar 23 17:51:07 mail dovecot: pop3-login: Login: user=
Mar 23 17:51:07 mail dovecot: POP3(user1): Disconnected: Logged out top=0/0, retr=1/1608, del=1/1, size=1591
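A small analyser for the STARTTLS= lines in maillog, added here and not part of the original post: it extracts relay, protocol version, verify result, cipher and key bits, and flags handshakes that settled on a legacy protocol or a weak cipher. The first sample line is the handshake logged above (RC4-MD5 over TLSv1, which it flags); the dovecot line is taken from the log above as a non-matching line, and the third line is constructed.

```python
import re

# Constructed sample: line 1 is the STARTTLS entry from the maillog above, line 2 a
# dovecot line the parser must skip, line 3 an invented entry for a modern handshake.
SAMPLE_LOG = """\
Mar 23 17:50:17 mail sendmail[3129]: STARTTLS=server, relay=[10.106.6.200], version=TLSv1/SSLv3, verify=NO, cipher=RC4-MD5, bits=128/128
Mar 23 17:51:07 mail dovecot: POP3(user1): Disconnected: Logged out top=0/0, retr=1/1608, del=1/1, size=1591
Mar 24 09:12:01 mail sendmail[4021]: STARTTLS=server, relay=[10.106.6.201], version=TLSv1.2, verify=NO, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
"""
STARTTLS_RE = re.compile(
    r"sendmail\[\d+\]: STARTTLS=(?P<role>client|server), relay=(?P<relay>[^,]+), "
    r"version=(?P<version>[^,]+), verify=(?P<verify>[^,]+), cipher=(?P<cipher>[^,]+), "
    r"bits=(?P<bits>\d+)/\d+"
)
# Cipher-name fragments and protocol labels that make a handshake weak by current standards.
WEAK_TOKENS = ("RC4", "MD5", "DES", "EXP", "NULL", "ADH", "AECDH")
LEGACY_VERSIONS = ("SSLv2", "SSLv3", "TLSv1/SSLv3", "TLSv1", "TLSv1.1")

def parse_starttls(line: str):
    """Fields of a sendmail STARTTLS= log line, or None for any other line."""
    m = STARTTLS_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["bits"] = int(entry["bits"])   # secret bits actually in use
    return entry

def assess(entry: dict) -> list:
    """Findings for one handshake. verify=NO only says the peer presented no
    certificate (normal for a mail client), so it is reported but not flagged."""
    findings = []
    if any(tok in entry["cipher"].upper() for tok in WEAK_TOKENS):
        findings.append(f"weak cipher {entry['cipher']}")
    if entry["bits"] < 128:
        findings.append(f"only {entry['bits']} secret bits")
    if entry["version"] in LEGACY_VERSIONS:
        findings.append(f"legacy protocol {entry['version']}")
    return findings

def scan(log_text: str) -> list:
    """Every STARTTLS entry in the log, each with its list of findings attached."""
    entries = [e for e in map(parse_starttls, log_text.splitlines()) if e]
    for e in entries:
        e["findings"] = assess(e)
    return entries

if __name__ == "__main__":
    for e in scan(SAMPLE_LOG):
        print(f"{e['relay']} {e['version']} {e['cipher']} verify={e['verify']}: "
              f"{'; '.join(e['findings']) or 'ok'}")
```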
II: Integrating dovecot with a CA to encrypt receiving:
# Add SSL to dovecot: pop3 ----> pop3s, imap ----> imaps
[root@mail ~]# yum install -y wireshark
[root@mail ~]# tshark -ni eth0 -R "tcp.dstport eq 110"
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
183.544764 10.106.6.200 -> 10.106.6.254 TCP 1116 > 110 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
183.546267 10.106.6.200 -> 10.106.6.254 TCP 1116 > 110 [ACK] Seq=1 Ack=1 Win=64240 Len=0
183.548706 10.106.6.200 -> 10.106.6.254 POP Request: USER user1
183.562924 10.106.6.200 -> 10.106.6.254 POP Request: PASS 123
183.578535 10.106.6.200 -> 10.106.6.254 POP Request: STAT
183.586984 10.106.6.200 -> 10.106.6.254 POP Request: LIST
183.593295 10.106.6.200 -> 10.106.6.254 POP Request: RETR 1
183.594018 10.106.6.200 -> 10.106.6.254 TCP 1116 > 110 [ACK] Seq=43 Ack=1693 Win=64240 Len=0
183.642729 10.106.6.200 -> 10.106.6.254 POP Request: DELE 1
183.651676 10.106.6.200 -> 10.106.6.254 POP Request: QUIT
183.672294 10.106.6.200 -> 10.106.6.254 TCP 1116 > 110 [ACK] Seq=57 Ack=1757 Win=64177 Len=0
183.674327 10.106.6.200 -> 10.106.6.254 TCP 1116 > 110 [FIN, ACK] Seq=57 Ack=1757 Win=64177 Len=0
12 packets captured
The capture shows the POP3 login (USER user1, PASS 123) crossing the wire in cleartext on port 110, which is why the service has to be moved to POP3S/IMAPS.
① Issue a certificate for the dovecot server