Date: 2012-03-28 14:18:00

Linux mail server applications: security of the mail system [Linux security]


Mail system security

Contents:

Part one: combine sendmail with a CA to encrypt sending

Part two: combine dovecot with a CA to encrypt retrieval

Part three: enable authentication in sendmail

Mail security overview: SMTP, POP3, IMAP, SMTPS

There are two ways to put TLS under SMTP:

1. Port 465 (SMTPS)

2. SMTP + SSL (STARTTLS)

Adding SMTPS to the mail server:

SMTPS: provides an SSL/TLS-encrypted service to clients on a separate port, listening on 465.

STARTTLS: provides both encrypted and unencrypted service on port 25; the client opts into encryption by sending the STARTTLS command after EHLO.

Message-level encryption: S/MIME, GPG. Retrieval: POP3 -> POP3S.

Authentication: SASL

[root@mail ~]# sendmail -d0.1 -bv    # print sendmail's build details and check whether the binary supports STARTTLS (this depends on whether STARTTLS was compiled in); if STARTTLS appears in the list, the binary can encrypt.

NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS

[root@mail ~]# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to mail.bj.com (127.0.0.1).
Escape character is '^]'.
220 mail.bj.com ESMTP Sendmail 8.13.8/8.13.8; Fri, 23 Mar 2012 16:16:04 +0800
EHLO 127.0.0.1
250-mail.bj.com Hello mail.bj.com [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
quit
221 2.0.0 mail.bj.com closing connection
Connection closed by foreign host.

As you can see, there is no STARTTLS entry in the EHLO response: the binary supports TLS, but the running server does not offer it because no certificate is configured. It has to be set up; the steps follow below.
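The two EHLO checks above (before and after enabling TLS) can be automated. The following is an added example, not code from the original post: it parses an ESMTP EHLO response and reports which extensions the server advertises, using transcripts constructed to match the two banners in the article. The probe commands in the trailing comments assume the host name mail.bj.com from the article and are not run here.

```shell
#!/bin/sh
# Added example (not from the original post): parse an ESMTP EHLO response
# and report the extensions the server advertises. The two transcripts below
# are constructed to match the EHLO banners shown in the article.

# Print one extension keyword per line from an EHLO response read on stdin.
# Reply lines look like "250-KEYWORD args" (more follow) or "250 KEYWORD"
# (last line). The first 250 line is the greeting, not an extension.
ehlo_extensions() {
    awk '
        /^250[- ]/ {
            line = $0
            sub(/^250[- ]/, "", line)
            split(line, f, " ")
            if (seen_greeting) print f[1]
            seen_greeting = 1
        }'
}

# Succeed (exit 0) if the extension named in $1 is advertised in the
# EHLO response read on stdin, e.g. ehlo_has STARTTLS or ehlo_has AUTH.
ehlo_has() {
    ehlo_extensions | grep -qx "$1"
}

# Constructed transcript: the banner before TLS was configured (no STARTTLS).
BEFORE='250-mail.bj.com Hello mail.bj.com [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP'

# Constructed transcript: the banner after the certificate was configured.
AFTER='250-mail.bj.com Hello mail.bj.com [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP'

for name in STARTTLS AUTH PIPELINING; do
    printf '%s\n' "$BEFORE" | ehlo_has "$name" && echo "before: $name offered" || echo "before: $name missing"
    printf '%s\n' "$AFTER"  | ehlo_has "$name" && echo "after:  $name offered" || echo "after:  $name missing"
done

# Against a live server (assumed host, not run here), feed it a real EHLO:
#   printf 'EHLO probe.example\r\nQUIT\r\n' | nc -w 5 mail.bj.com 25 | ehlo_has STARTTLS
# and once STARTTLS is offered, check the handshake and the certificate chain:
#   openssl s_client -connect mail.bj.com:25 -starttls smtp -CAfile /etc/mail/certs/cacert.pem
```

The sendmail -d0.1 check tells you only what the binary was built with; this parser tells you what the running daemon actually offers, which is what clients see.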

For the basic configuration of the mail system, see the author's earlier posts:

Linux mail server applications: a sendmail mail system case study

http://xjzhujunjie.blog.51cto.com/3582724/815292

Linux mail server applications: an introduction to the mail system

http://xjzhujunjie.blog.51cto.com/3582724/815261

Part one: combine sendmail with a CA to encrypt sending

① Create the CA certificate:

[root@ftp ~]# cd /etc/pki/
[root@ftp pki]# ll
[root@ftp pki]# vim tls/openssl.cnf
line 45:  dir = /etc/pki/CA
line 88:  countryName = optional
line 89:  stateOrProvinceName = optional
line 90:  organizationName = optional

(Lines 88-90 are the policy_match section; setting them to optional lets the CA sign requests whose country, province and organization differ from the CA's own.)

[root@ftp pki]# cd CA/
[root@ftp CA]# mkdir certs newcerts crl
[root@ftp CA]# touch index.txt serial
[root@ftp CA]# echo "01" > serial
[root@ftp CA]# ll
[root@ftp CA]# openssl genrsa 1024 > private/cakey.pem
Generating RSA private key, 1024 bit long modulus
...........++++++
....++++++
e is 65537 (0x10001)

(1024-bit RSA was common in 2012 but is too weak for new deployments; use 2048 bits or more.)

[root@ftp CA]# chmod 600 private/cakey.pem
[root@ftp CA]# ll private/cakey.pem
-rw------- 1 root root 887 Feb 10 23:22 private/cakey.pem
[root@ftp CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 888
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:henan
Locality Name (eg, city) [Newbury]:zhengzhou
Organization Name (eg, company) [My Company Ltd]:junjie
Organizational Unit Name (eg, section) []:soft
Common Name (eg, your name or your server's hostname) []:ca.junjie.com
Email Address []:junjie@junjie.com
[root@ftp CA]# ll
[root@ftp CA]# chmod 600 cacert.pem
[root@ftp CA]# ll

② Issue a certificate for the sendmail server:

[root@mail CA]# mkdir /etc/mail/certs
[root@mail CA]# cd /etc/mail/certs
[root@mail certs]# openssl genrsa 1024 > sendmail.key
Generating RSA private key, 1024 bit long modulus
.................................++++++
...........++++++
e is 65537 (0x10001)
[root@mail certs]# openssl req -new -key sendmail.key -out sendmail.csr
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:henan
Locality Name (eg, city) [Newbury]:zhengzhou
Organization Name (eg, company) [My Company Ltd]:junjie
Organizational Unit Name (eg, section) []:tec
Common Name (eg, your name or your server's hostname) []:mail.bj.com
Email Address []:root@bj.com

(The Common Name must be the host name clients connect to, here mail.bj.com; a client that verifies the certificate will otherwise warn or refuse.)

[root@mail certs]# openssl ca -in sendmail.csr -out sendmail.crt
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
[root@mail certs]# chmod 600 *
[root@mail certs]# ll
total 12
-rw------- 1 root root 3214 Mar 23 16:35 sendmail.crt
-rw------- 1 root root  688 Mar 23 16:32 sendmail.csr
-rw------- 1 root root  887 Mar 23 16:30 sendmail.key
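Steps ① and ② as a single non-interactive script, added here as an example and not taken from the original post. It differs from the interactive walkthrough in three assumed ways: it uses a throwaway CA directory instead of /etc/pki/CA, it signs with openssl x509 -req instead of openssl ca (so no openssl.cnf edits are needed), and it passes the subject fields with -subj. The names ca.junjie.com and mail.bj.com come from the article; the verification helpers at the end are the checks to run before pointing sendmail.mc at the files.

```shell
#!/bin/sh
# Added example (not from the original post): build a private CA and issue a
# server certificate non-interactively, then verify the result. Uses a
# throwaway CA directory and "openssl x509 -req" instead of "openssl ca"
# (assumption: no openssl.cnf editing wanted). Key size 2048 instead of the
# article's 1024.
set -e

# Build a CA: 0600 private key plus a self-signed CA certificate.
make_ca() {   # $1 = CA directory, $2 = CA common name
    ca_dir=$1; ca_cn=$2
    mkdir -p "$ca_dir/private"
    (umask 077; openssl genrsa -out "$ca_dir/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -key "$ca_dir/private/cakey.pem" \
        -subj "/C=CN/ST=henan/O=junjie/CN=$ca_cn" \
        -days 888 -sha256 -out "$ca_dir/cacert.pem"
}

# Issue a server certificate. The CN must be the host name clients connect
# to (mail.bj.com in the article), or verifying clients reject it.
issue_server_cert() {   # $1 = CA directory, $2 = output directory, $3 = host name
    ca_dir=$1; out_dir=$2; host=$3
    mkdir -p "$out_dir"
    (umask 077; openssl genrsa -out "$out_dir/sendmail.key" 2048 2>/dev/null)
    openssl req -new -key "$out_dir/sendmail.key" \
        -subj "/C=CN/ST=henan/O=junjie/CN=$host" -out "$out_dir/sendmail.csr"
    openssl x509 -req -in "$out_dir/sendmail.csr" \
        -CA "$ca_dir/cacert.pem" -CAkey "$ca_dir/private/cakey.pem" \
        -CAcreateserial -days 365 -sha256 -out "$out_dir/sendmail.crt" 2>/dev/null
    cp "$ca_dir/cacert.pem" "$out_dir/cacert.pem"   # becomes confCACERT for sendmail
}

# Checks to run before editing sendmail.mc.
verify_chain() {   # $1 = CA cert, $2 = server cert; succeeds only on "OK"
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}
cert_cn() {        # print the certificate's CN (works with old and new openssl output)
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
key_is_private() { # succeed only if the file mode is exactly 0600 (the article's chmod 600)
    case "$(ls -ld "$1")" in -rw-------*) return 0 ;; *) return 1 ;; esac
}

# Stand-alone demo in a temporary directory (skipped if openssl is absent).
if command -v openssl >/dev/null 2>&1; then
    WORK=$(mktemp -d)
    make_ca "$WORK/CA" ca.junjie.com
    issue_server_cert "$WORK/CA" "$WORK/certs" mail.bj.com
    if verify_chain "$WORK/CA/cacert.pem" "$WORK/certs/sendmail.crt"; then
        echo "chain OK, CN=$(cert_cn "$WORK/certs/sendmail.crt")"
    fi
    key_is_private "$WORK/certs/sendmail.key" && echo "key mode 0600"
    rm -rf "$WORK"
fi
```

Copy sendmail.key, sendmail.crt and cacert.pem into /etc/mail/certs to match the paths used in step ③; verify_chain against cacert.pem is the same check a client performs when it validates the server.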

③ Make the sendmail service use the certificate

The three required files are in place and the certificate has been issued. Now edit /etc/mail/sendmail.mc so that sendmail uses them:

[root@mail certs]# cd /etc/mail/certs/
[root@mail certs]# cp /etc/pki/CA/cacert.pem .
[root@mail certs]# vim /etc/mail/sendmail.mc
line 21:  define(`confLOG_LEVEL', `9')dnl
line 60:  define(`confCACERT_PATH', `/etc/mail/certs')dnl
line 61:  define(`confCACERT', `/etc/mail/certs/cacert.pem')dnl
line 62:  define(`confSERVER_CERT', `/etc/mail/certs/sendmail.crt')dnl
line 63:  define(`confSERVER_KEY', `/etc/mail/certs/sendmail.key')dnl
line 134: DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl

Save and restart the service. Line 134 adds a listener on the smtps port (465); the M=s modifier makes that listener speak TLS from the first byte instead of waiting for STARTTLS. Line 21 raises the log level to 9 so that TLS negotiations are written to the mail log.

[root@mail certs]# service sendmail restart
Shutting down sm-client: [ OK ]
Shutting down sendmail: [ OK ]
Starting sendmail: [ OK ]
Starting sm-client: [ OK ]

④ Test with telnet

[root@mail certs]# telnet mail.bj.com 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.bj.com ESMTP Sendmail 8.13.8/8.13.8; Fri, 23 Mar 2012 16:54:22 +0800
EHLO mail.bj.com
250-mail.bj.com Hello mail.bj.com [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP
quit
221 2.0.0 mail.bj.com closing connection
Connection closed by foreign host.

This time STARTTLS appears in the EHLO response: the server now offers encryption. Note that on port 25 encryption is offered, not required; a client that never sends STARTTLS still talks in the clear. Only the smtps listener on 465 (the TLSMTA daemon with M=s) is TLS-only.

⑤ Send a test message from Outlook Express on Windows:

Log analysis:

[root@mail ~]# tail -f /var/log/maillog
Mar 23 17:50:17 mail sendmail[3129]: STARTTLS=server, relay=[10.106.6.200], version=TLSv1/SSLv3, verify=NO, cipher=RC4-MD5, bits=128/128
Mar 23 17:50:57 mail sendmail[3129]: q2N9oHfJ003129: from=, size=1306, class=0, nrcpts=1, msgid=<006001cd0991$d178b870$c8066a0a@hp3aea877158e2>, proto=SMTP, daemon=MTA, relay=[10.106.6.200]
Mar 23 17:50:57 mail sendmail[3132]: q2N9oHfJ003129: to=, ctladdr= (500/500), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=31528, dsn=2.0.0, stat=Sent
Mar 23 17:51:07 mail dovecot: pop3-login: Login: user=, method=PLAIN, rip=::ffff:10.106.6.200, lip=::ffff:10.106.6.254
Mar 23 17:51:07 mail dovecot: POP3(user1): Disconnected: Logged out top=0/0, retr=1/1608, del=1/1, size=1591

Reading the log: the STARTTLS=server line shows the TLS session negotiated with the client at 10.106.6.200, namely TLSv1 with the cipher RC4-MD5 at 128 bits. verify=NO means the client presented no certificate of its own, which is the normal case for a mail client; only the server was authenticated. RC4-MD5 was a common default in 2012 but is considered weak today. The next two lines show the message accepted over SMTP by the same process (3129) and delivered locally (mailer=local, stat=Sent). The last two lines show the same client fetching the message through dovecot POP3 with method=PLAIN on port 110, that is, the password crossed the network in the clear. That is what part two fixes.
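The log reading above can be turned into a routine audit. The following is an added example, not code from the original post: three small awk filters over /var/log/maillog that flag weak TLS ciphers, plaintext POP3/IMAP logins, and messages accepted over SMTP without STARTTLS. The sample log is constructed to follow the line formats shown in the article (with addresses filled in for the fields the page left empty); the ", TLS" marker on dovecot login lines is assumed to be the one your dovecot version appends for TLS-protected logins.

```shell
#!/bin/sh
# Added example (not from the original post): audit maillog for TLS quality.
# SAMPLE_LOG is constructed to follow the sendmail and dovecot line formats
# in the article; the ", TLS" suffix on a dovecot login line is assumed to be
# dovecot's marker for a login that arrived over TLS.

SAMPLE_LOG='Mar 23 17:50:17 mail sendmail[3129]: STARTTLS=server, relay=[10.106.6.200], version=TLSv1/SSLv3, verify=NO, cipher=RC4-MD5, bits=128/128
Mar 23 17:50:57 mail sendmail[3129]: q2N9oHfJ003129: from=<user1@bj.com>, size=1306, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=[10.106.6.200]
Mar 23 17:51:07 mail dovecot: pop3-login: Login: user=<user1>, method=PLAIN, rip=::ffff:10.106.6.200, lip=::ffff:10.106.6.254
Mar 23 18:02:11 mail sendmail[3201]: STARTTLS=server, relay=[10.106.6.201], version=TLSv1/SSLv3, verify=NO, cipher=AES256-SHA, bits=256/256
Mar 23 18:02:40 mail dovecot: pop3-login: Login: user=<user2>, method=PLAIN, rip=::ffff:10.106.6.201, lip=::ffff:10.106.6.254, TLS
Mar 23 18:05:00 mail sendmail[3250]: q2NA50ab003250: from=<user2@bj.com>, size=900, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=[10.106.6.202]'

# Print "relay cipher bits" for every STARTTLS=server session whose cipher
# is weak by today's standards (RC4, MD5, DES/3DES, export, NULL) or whose
# negotiated key is shorter than 128 bits. Reads log lines on stdin.
weak_tls_sessions() {
    awk '
        /STARTTLS=server/ {
            relay = cipher = bits = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                val = kv[2]; sub(/,$/, "", val)
                if (kv[1] == "relay")  relay  = val
                if (kv[1] == "cipher") cipher = val
                if (kv[1] == "bits")   bits   = val
            }
            split(bits, b, "/")
            if (cipher ~ /RC4|MD5|DES|EXP|NULL/ || b[1] + 0 < 128)
                print relay, cipher, bits
        }'
}

# Print "user rip" for every dovecot POP3/IMAP login that did not come over
# TLS, i.e. the password crossed the network in the clear (as in the capture
# in part two).
plaintext_logins() {
    awk '
        /dovecot: (pop3|imap)-login: Login:/ && !/, TLS/ {
            user = rip = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                val = kv[2]; sub(/,$/, "", val)
                if (kv[1] == "user") user = val
                if (kv[1] == "rip")  rip  = val
            }
            print user, rip
        }'
}

# Print the relay of every message accepted over plain SMTP: a from= line
# whose sendmail process never logged STARTTLS=server. The TLS line and the
# envelope line share the sendmail[pid] field ($5), as in the article's log.
# Caveat: over a long log span a pid can be reused; narrow the input by date.
plaintext_smtp_submissions() {
    awk '
        { pid = $5 }
        /STARTTLS=server/ { tls[pid] = 1 }
        /: from=/ && !(pid in tls) {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^relay=/) { r = $i; sub(/^relay=/, "", r); sub(/,$/, "", r); print r }
        }'
}

echo "weak TLS sessions:";        printf '%s\n' "$SAMPLE_LOG" | weak_tls_sessions
echo "plaintext POP3/IMAP logins:"; printf '%s\n' "$SAMPLE_LOG" | plaintext_logins
echo "plaintext SMTP submissions:"; printf '%s\n' "$SAMPLE_LOG" | plaintext_smtp_submissions
# On a real server: weak_tls_sessions < /var/log/maillog
```

Run the three filters after every change to sendmail.mc or dovecot.conf; a clean result (no weak ciphers, no plaintext logins, no plaintext submissions from outside hosts) is the measurable goal of parts one and two.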

Part two: combine dovecot with the CA to encrypt retrieval

# Add SSL to dovecot: pop3 ---> pop3s, imap ---> imaps

First, look at what plain POP3 looks like on the wire:

[root@mail ~]# yum install -y wireshark
[root@mail ~]# tshark -ni eth0 -R "tcp.dstport eq 110"
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
183.544764 10.106.6.200 -> 10.106.6.254 TCP 1116 > 110 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
183.546267 10.106.6.200 -> 10.106.6.254 TCP 1116 > 110 [ACK] Seq=1 Ack=1 Win=64240 Len=0
183.548706 10.106.6.200 -> 10.106.6.254 POP Request: USER user1
183.562924 10.106.6.200 -> 10.106.6.254 POP Request: PASS 123
183.578535 10.106.6.200 -> 10.106.6.254 POP Request: STAT
183.586984 10.106.6.200 -> 10.106.6.254 POP Request: LIST
183.593295 10.106.6.200 -> 10.106.6.254 POP Request: RETR 1
183.594018 10.106.6.200 -> 10.106.6.254 TCP 1116 > 110 [ACK] Seq=43 Ack=1693 Win=64240 Len=0
183.642729 10.106.6.200 -> 10.106.6.254 POP Request: DELE 1
183.651676 10.106.6.200 -> 10.106.6.254 POP Request: QUIT
183.672294 10.106.6.200 -> 10.106.6.254 TCP 1116 > 110 [ACK] Seq=57 Ack=1757 Win=64177 Len=0
183.674327 10.106.6.200 -> 10.106.6.254 TCP 1116 > 110 [FIN, ACK] Seq=57 Ack=1757 Win=64177 Len=0
12 packets captured

The user name and password (USER user1, PASS 123) are readable by anyone on the path, and so is the retrieved message. That is why POP3 and IMAP need TLS as well.

① Issue a certificate for the dovecot server