邮件服务器加密身份验证(sendmail)
电子邮件服务安全
sendmail能够实现正常发送邮件,如果只是简单的搭建会出现安全隐患,比如我们在服务器安装了wireshark通过抓包就能知道明文的用户和密码。
[[email protected] Server]# yum install wireshark –y
[[email protected] ~]# tshark -ni eth0 -R "tcp.port eq 110"
为确保安全发送电子邮件可以使用两种方式
a.加密 b.身份验证
pki 机制
1. 修改CA文件的相关路径;
[[email protected] ~]# vim /etc/pki/tls/openssl.cnf
45 di r= /etc/pki/CA
88 countryName = optional
89 stateOrProvinceName = optional
90 organizationName = optional
2填写申请证书可直接采用默认值,可对[req_distinguished_name]做如下修改:
3.产生私钥,并修改私钥的权限
[[email protected] CA]# pwd
/etc/pki/CA
[[email protected] CA]# mkdir crl certs newcerts
[[email protected] CA]# touch index.txt serial
[[email protected] CA]# echo "01">serial
[[email protected] CA]# openssl genrsa 1024>private/cakey.pem
[[email protected] CA]# cd private/
[[email protected] private]# ll
总计 4
-rw-r--r-- 1 root root 887 11-13 19:43 cakey.pem
[[email protected] CA]# chmod 600 private/*
4.以私钥产生证书链,
[[email protected] CA]# req -new -key private/cakey.pem -x509 -out cacert.pem
CA根证书配置好后,为POP3请求证书
1.pop3|证书存放在/etc/dovecot/certs下
[[email protected] CA]# mkdir -pv /etc/dovecot/certs
mkdir: created directory `/etc/dovecot'
mkdir: created directory `/etc/dovecot/certs'
[[email protected] CA]# cd /etc/dovecot/certs/
[[email protected] certs]# openssl genrsa 1024 > dovecot.key
Generating RSA private key, 1024 bit long modulus
..............................++++++
........++++++
e is 65537 (0x10001)
[[email protected] certs]#chmod 600 dovecot.key
[[email protected] certs]# openssl req -new -key dovecot.key -out dovecot.csr
2.由自己的证书链向ca请求,导出自己的证书
[[email protected] certs]# openssl ca -in dovecot.csr -out dovecot.cert
dovecot.cert
92 ssl_key_file = /etc/dovecot/certs/dovecot.key
[[email protected] mail]# netstat -tupln |grep dovecot
tcp 0 0 :::993 :::* LISTEN 7584/dovecot
tcp 0 0 :::995 :::*
3.修改配置文件后,重启dovecot文件
[[email protected] mail]# service dovecot restart
停止 Dovecot Imap: [确定]
启动 Dovecot Imap:
4.使用客户机验证(192.168.1.81)user2收件,
并在服务器上抓包
[[email protected] Server]# tshark -ni eth0 -R "tcp.port eq 995"
5.客户端配置如下:
SMTP证书请求与颁发
1.[[email protected] ~]# mkdir -pv /etc/sendmail/certs
[[email protected] ~]# cd /etc/sendmail/certs/
[[email protected] certs]# openssl genrsa 1024 >sendmail.key
[[email protected] certs]# chmod 600 sendmail.key
[[email protected]]#openssl req -new -key sendmail.key -out sendmail.csr
[[email protected] certs]# openssl ca -in sendmail.csr -out sendmail.cert
修改配置文件
2.vim /etc/mail/sendmail.mc
60 define(`confCACERT_PATH', `/etc/pki/CA')dnl
61 define(`confCACERT', `/etc/pki/tls/certs/cacert.pem')dnl
62 define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
63 define(`confSERVER_KEY', `/etc/sendmail/certs/key')dnl
143 DAEMON_OPTIONS(`Port=smtps, Name=inet, M=s') dnl
用telnet来测试,发现已经支持searttls
使用客户机192.168.1.81测试
同时抓包 。从tls以后就是加密内容。
二.身份验证
sendmail要借助sasl (简单认证层)进行身份验证。
而sasl依赖于软件包:cyrus-sasl,
1.可以检测相关包是否安装rpm -qa |grep sasl,并安装
[[email protected] Server]# rpm -qa|grep sasl
cyrus-sasl-plain-2.1.22-5.el5
cyrus-sasl-devel-2.1.22-5.el5
cyrus-sasl-2.1.22-5.el5
cyrus-sasl-lib-2.1.22-5.el5
2.启动saslauthd服务,
[[email protected] Server]# service saslauthd start
启动 saslauthd: [确定]
[[email protected] Server]# vim /etc/mail/sendmail.mc
3.编辑sendmail的配置文件,vim /etc/mail/sendmail.mc
修改
39 define(`confAUTH_OPTIONS', `A y')dnl
并启用52,53行,
52 TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
53 define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
修改116行
116 DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA,M=Ea')dnl
3.重启sendmail服务,用telnet命令测试,发现已经支持身份验证了
4.发送一封邮件测试,不过用户名和密码都是经过base64编码的
[[email protected] mail]# echo -n "[email protected]"|openssl base64
dXNlcjFAMTYzLmNvbQ==
[[email protected] mail]# echo -n "1234"|openssl base64
MTIzNA==
测试发送:
5.客户机显示如下:
已经能够正常实现加密和身份验证了,本实验结束。
转载于:https://blog.51cto.com/dg123/1060880