Secure transmission and authentication for mail on Linux systems

Published: 2019-Mar-21
I. The insecure baseline

1. Install the packet capture tool

    [[email protected] ~]# mount /dev/cdrom /mnt/cdrom
    mount: block device /dev/cdrom is write-protected, mounting read-only
    [[email protected] ~]# cd /mnt/cdrom/Server
    [[email protected] Server]# ll |grep shark
    -r--r--r-- 220 root root 11130359 Jun 11 2009 wireshark-1.0.8-1.el5_3.1.i386.rpm
    -r--r--r-- 220 root root   686650 Jun 11 2009 wireshark-gnome-1.0.8-1.el5_3.1.i386.rpm
    [[email protected] Server]# rpm -ivh wireshark-1.0.8-1.el5_3.1.i386.rpm
    warning: wireshark-1.0.8-1.el5_3.1.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
    error: Failed dependencies:
            libsmi.so.2 is needed by wireshark-1.0.8-1.el5_3.1.i386
    [[email protected] Server]# ll |grep smi
    -r--r--r-- 327 root root 2540456 Jan 18 2008 libsmi-0.4.5-2.el5.i386.rpm
    -r--r--r-- 327 root root   21212 Jan 18 2008 libsmi-devel-0.4.5-2.el5.i386.rpm
    -r--r--r-- 264 root root   62425 Apr 20 2009 psmisc-22.2-7.i386.rpm

2. Start the services

    [[email protected] ~]# service named start
    [[email protected] ~]# service dovecot start
    [[email protected] ~]# service sendmail start

3. Start capturing

    [[email protected] Server]# tshark -ni eth0 -R "tcp.dstport eq 110"

Send and receive a message with the Outlook client. In the captured traffic both the username and the password are readable in the clear, which is very insecure.

II. Secure transmission

smtps uses port 465; STARTTLS (transport-layer security negotiated inside the session) runs on port 25.

1. The digital certificate configuration file:

    [[email protected] Server]# vim /etc/pki/tls/openssl.cnf

2. Generate the CA's working files:

    [[email protected] Server]# cd /etc/pki/CA
    [[email protected] CA]# mkdir crl certs newcerts
    [[email protected] CA]# touch index.txt serial
    [[email protected] CA]# echo "01" >serial
    [[email protected] CA]# openssl genrsa 1024 > private/cakey.pem
    Generating RSA private key, 1024 bit long modulus
    ....++++++
    ...................................++++++
    e is 65537 (0x10001)
    [[email protected] CA]# ll private
    total 4
    -rw-r--r-- 1 root root 887 Aug 5 07:16 cakey.pem
    [[email protected] CA]# chmod 600 private/*
    [[email protected] CA]# ll private
    total 4
    -rw------- 1 root root 887 Aug 5 07:16 cakey.pem
    [[email protected] CA]# openssl req -new -key private/cakey.pem -x509 -days 3650 -out cacert.pem
    Country Name (2 letter code) [GB]:      # this default appears; it comes from openssl.cnf

3. The CA (certificate authority):

Lines 88 to 90 of openssl.cnf hold the CA's signing policy. Changing `match` to `optional` there lets the CA sign requests whose country, state and organization fields differ from the CA's own.

    [[email protected] CA]# vim /etc/pki/tls/openssl.cnf
    :88,90s/match/optional
    [[email protected] CA]# openssl req -new -key private/cakey.pem -x509 -days 3650 -out cacert.pem
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:
    State or Province Name (full name) [He Nan]:
    Locality Name (eg, city) [Zheng zhou]:
    Organization Name (eg, company) [My Company Ltd]:tec center
    Organizational Unit Name (eg, section) []:diver agent
    Common Name (eg, your name or your server's hostname) []:mail.com

4. Request a certificate for the sending server:

    [[email protected] CA]# mkdir -pv /etc/mail/certs
    mkdir: created directory `/etc/mail/certs'
    [[email protected] CA]# cd /etc/mail/certs/
    [[email protected] certs]# openssl genrsa 1024 >sendmail.key          # private key
    Generating RSA private key, 1024 bit long modulus
    ............++++++
    ............................++++++
    e is 65537 (0x10001)
    [[email protected] certs]# openssl req -new -key sendmail.key -out sendmail.csr    # request file
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:
    State or Province Name (full name) [He Nan]:
    Locality Name (eg, city) [Zheng zhou]:
    Organization Name (eg, company) [My Company Ltd]:163
    Organizational Unit Name (eg, section) []:tecnology
    Common Name (eg, your name or your server's hostname) []:mail.163.com
    [[email protected] certs]# openssl ca -in sendmail.csr -out sendmail.cert    # certificate
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Aug  4 23:46:58 2012 GMT
                Not After : Aug  4 23:46:58 2013 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = He Nan
                organizationName          = 163
                organizationalUnitName    = tecnology
                commonName                = mail.163.com
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    93:33:1C:69:DC:7E:20:B9:C4:F7:37:D5:F8:15:3F:48:A2:C4:36:C4
                X509v3 Authority Key Identifier:
                    keyid:FE:69:9D:8E:DE:9A:A4:AA:6D:F5:A6:EF:17:DD:AA:CD:D0:59:7E:1E
    Certificate is to be certified until Aug  4 23:46:58 2013 GMT (365 days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

The certificate has been issued; the request file can now be deleted.

5. Edit sendmail's configuration file (the certificate settings):

    [[email protected] certs]# vim /etc/mail/sendmail.mc

6. Where the issued certificate and the files used to request it live:

    [[email protected] ~]# cd /etc/mail/certs
    [[email protected] certs]# chmod 600 *
    [[email protected] certs]# ll
    total 12
    -rw------- 1 root root 3102 Aug 5 07:47 sendmail.cert    # certificate
    -rw------- 1 root root  655 Aug 5 07:37 sendmail.csr     # request file
    -rw------- 1 root root  887 Aug 5 07:35 sendmail.key     # private key
    [[email protected] certs]# telnet 127.0.0.1 25
    Trying 127.0.0.1...
    Connected to localhost.localdomain (127.0.0.1).
    Escape character is '^]'.
    220 mail.163.com ESMTP Sendmail 8.13.8/8.13.8; Sun, 5 Aug 2012 08:19:21 +0800
    helo 127.0.0.1
    250 mail.163.com Hello localhost.localdomain [127.0.0.1], pleased to meet you
    ehlo 127.0.0.1
    250-mail.163.com Hello localhost.localdomain [127.0.0.1], pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-8BITMIME
    250-SIZE
    250-DSN
    250-ETRN
    250-STARTTLS        # the server now offers TLS, so the session can be encrypted
    250-DELIVERBY
    250 HELP

7. Test:

    [[email protected] ~]# tail -f /var/log/maillog    # log output
    Aug 5 09:15:25 mail sendmail[4974]: STARTTLS=server, relay=[192.168.10.1], version=TLSv1/SSLv3, verify=NO, cipher=RC4-MD5, bits=128/128
    [[email protected] ~]# tshark -ni eth0 -R "tcp.dstport eq 25 or tcp.srcport eq 25 "
    29.378844 192.168.10.99 -> 192.168.10.1 SMTP S: 250-mail.163.com Hello [192.168.10.1], pleased to meet you | 250-ENHANCEDSTATUSCODES | 250-PIPELINING | 250-8BITMIME | 250-SIZE | 250-DSN | 250-ETRN | 250-STARTTLS | 250-DELIVERBY | 250 HELP
    29.379199 192.168.10.1 -> 192.168.10.99 SMTP C: STARTTLS
    29.394166 192.168.10.99 -> 192.168.10.1 SMTP S: 220 2.0.0 Ready to start TLS
    29.529926 192.168.10.1 -> 192.168.10.99 SMTP C: \200O\001\003\001\0006\000\000\000\

In the maillog line, `verify=NO` refers to client-certificate verification (the client presented no certificate); the session itself was encrypted with the cipher shown. Outgoing messages are now encrypted. Note that smtps only protects a single hop between two peers; it is point-to-point, not end-to-end.

8. Encryption on the receiving side: pop2/pop3 becomes pop3s, imap4 becomes imaps

dovecot configuration:

    [[email protected] ~]# mkdir -pv /etc/dovecot/certs
    mkdir: created directory `/etc/dovecot'
    mkdir: created directory `/etc/dovecot/certs'
    [[email protected] ~]# cd /etc/dovecot/certs/
    [[email protected] certs]# openssl genrsa 1024 >dovecot.key
    Generating RSA private key, 1024 bit long modulus
    ............................................++++++
    .......++++++
    e is 65537 (0x10001)
    [[email protected] certs]# openssl req -new -key dovecot.key -out dovecot.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:
    State or Province Name (full name) [He Nan]:
    Locality Name (eg, city) [Zheng zhou]:
    Organization Name (eg, company) [My Company Ltd]:163
    Organizational Unit Name (eg, section) []:teconology
    Common Name (eg, your name or your server's hostname) []:pop3.163.com
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    [[email protected] certs]# openssl req -new -key dovecot.key -out dovecot.csr
            Subject:
                countryName               = CN
                stateOrProvinceName       = He Nan
                organizationName          = 163
                organizationalUnitName    = teconology
                commonName                = pop3.163.com
    [[email protected] certs]# vim /etc/dovecot.conf
    [[email protected] certs]# service dovecot restart
    Stopping Dovecot Imap:                                     [  OK  ]
    Starting Dovecot Imap:                                     [  OK  ]

III. User authentication

This requires SASL. SASL is only a protocol; what it solves is keeping unknown users from relaying spam through a mail server without limit.

1. Check for sasl (installed by default)

    [[email protected] certs]# cd /mnt/cdrom/Server
    [[email protected] Server]# ll |grep sasl
    -r--r--r-- 103 root root 1251623 Jul 29 2009 cyrus-sasl-2.1.22-5.el5.i386.rpm
    -r--r--r--  99 root root 1418364 Jul 29 2009 cyrus-sasl-devel-2.1.22-5.el5.i386.rpm
    -r--r--r-- 103 root root   28967 Jul 29 2009 cyrus-sasl-gssapi-2.1.22-5.el5.i386.rpm
    -r--r--r-- 103 root root   24390 Jul 29 2009 cyrus-sasl-ldap-2.1.22-5.el5.i386.rpm
    -r--r--r-- 103 root root  129180 Jul 29 2009 cyrus-sasl-lib-2.1.22-5.el5.i386.rpm
    -r--r--r-- 103 root root   46415 Jul 29 2009 cyrus-sasl-md5-2.1.22-5.el5.i386.rpm
    -r--r--r-- 103 root root   32054 Jul 29 2009 cyrus-sasl-ntlm-2.1.22-5.el5.i386.rpm
    -r--r--r-- 103 root root   27027 Jul 29 2009 cyrus-sasl-plain-2.1.22-5.el5.i386.rpm
    -r--r--r-- 103 root root   27330 Jul 29 2009 cyrus-sasl-sql-2.1.22-5.el5.i386.rpm
    -r--r--r-- 278 root root   39119 Jan 19 2007 gnu-crypto-sasl-jdk1.4-2.1.0-2jpp.1.i386.rpm
    [[email protected] Server]# rpm -qa |grep sasl    # list the installed packages
    cyrus-sasl-lib-2.1.22-5.el5
    cyrus-sasl-plain-2.1.22-5.el5
    cyrus-sasl-devel-2.1.22-5.el5
    cyrus-sasl-2.1.22-5.el5

2. Check whether the service is registered with chkconfig

    [[email protected] Server]# chkconfig --list |grep sasl    # chkconfig is not managing this service yet
    saslauthd       0:off   1:off   2:off   3:off   4:off   5:off   6:off
    [[email protected] ~]# chkconfig --add saslauthd              # register the service
    [[email protected] ~]# chkconfig --level 2345 saslauthd on    # start it in runlevels 2 to 5
    [[email protected] ~]# chkconfig --list |grep sasl
    saslauthd       0:off   1:off   2:on    3:on    4:on    5:on    6:off

3. Configure authentication in sendmail:

    [[email protected] ~]# vim /etc/mail/sendmail.mc

4. Test:

4.1 Without authenticating, mail cannot be sent

    [[email protected] ~]# telnet 127.0.0.1 25
    Trying 127.0.0.1...
    Connected to localhost.localdomain (127.0.0.1).
    Escape character is '^]'.
    220 mail.163.com ESMTP Sendmail 8.13.8/8.13.8; Mon, 6 Aug 2012 12:54:12 +0800
    ehlo 127.0.0.1
    250-mail.163.com Hello localhost.localdomain [127.0.0.1], pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-8BITMIME
    250-SIZE
    250-DSN
    250-AUTH LOGIN PLAIN
    250-STARTTLS
    250-DELIVERBY
    250 HELP

4.2 The username and password must be base64 encoded

    [[email protected] ~]# clear
    [[email protected] ~]# echo -n "[email protected]" |openssl base64
    dXNlcjFAMTYzLmNvbQ==
    [[email protected] ~]# echo -n "123" |openssl base64
    MTIz

4.3 Log in with authentication:

    [[email protected] ~]# telnet 127.0.0.1 25
    Trying 127.0.0.1...
    Connected to localhost.localdomain (127.0.0.1).
    Escape character is '^]'.
    220 mail.163.com ESMTP Sendmail 8.13.8/8.13.8; Mon, 6 Aug 2012 13:51:03 +0800
    auth login dXNlcjFAMTYzLmNvbQ==    # username
    334 UGFzc3dvcmQ6
    MTIz                               # password
    235 2.0.0 OK Authenticated
    mail from :[email protected]
    2.1.0 [email protected] Sender ok
    rcpt to :[email protected]
    2.1.5 [email protected] Recipient ok (will queue)
    250 2.1.5 [email protected] Recipient ok
    data
    354 Enter mail, end with "." on a line by itself
    subject haahha come on !
    .
    250 2.0.0 q765p3oK004322 Message accepted for delivery
    quit
    221 2.0.0 mail.163.com closing connection
    Connection closed by foreign host.

5. Send a test message with Outlook:

At first the message cannot be sent; after enabling server authentication in the account settings, it goes through. Sending succeeds, and so does receiving.
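The private-CA and server-certificate procedure of Part II, steps 2 to 4, collected into one script. This is an added example, not the post's own commands: it works in a throw-away directory instead of /etc/pki/CA, writes its own minimal openssl.cnf with the signing policy already set to `optional` (the post's `:88,90s/match/optional` edit), and answers prompts with `-subj`. It deliberately departs from the post in using 2048-bit RSA keys and SHA-256, since 1024-bit RSA and the RC4-MD5 cipher in the post's log are no longer adequate, and in putting a subjectAltName on the server certificate so that a client's hostname check can succeed. Every name in it (`Example Root CA`, `mail.example.test`, `other.example.test`) is made up.

```shell
#!/bin/sh
# Added example: private CA plus CA-signed server certificate, then a
# verification step the post performs only by watching the maillog.
set -eu

# Build a CA under $1/CA and issue a server certificate for hostname $2.
# Produces $1/CA/cacert.pem, $1/server.key, $1/server.csr, $1/server.cert.
build_ca_and_server_cert() {
    work=$1; host=$2; ca=$1/CA
    mkdir -p "$ca/private" "$ca/certs" "$ca/newcerts" "$ca/crl"
    touch "$ca/index.txt"          # openssl ca's certificate database
    echo 01 > "$ca/serial"         # next serial number to issue
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca      = local_ca

[ local_ca ]
dir             = $ca
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_optional
x509_extensions = server_cert

# Equivalent of the post's edit: the request need not repeat the CA's fields.
[ policy_optional ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]

[ v3_ca ]
subjectKeyIdentifier = hash
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign

[ server_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$host
EOF
    # CA key and self-signed CA certificate (the post's cakey.pem / cacert.pem)
    openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null
    chmod 600 "$ca/private/cakey.pem"
    openssl req -new -x509 -days 3650 -config "$ca/openssl.cnf" \
        -key "$ca/private/cakey.pem" -subj "/C=CN/O=Example/CN=Example Root CA" \
        -out "$ca/cacert.pem"
    # Server key, request and CA-signed certificate (sendmail.key/.csr/.cert)
    openssl genrsa -out "$work/server.key" 2048 2>/dev/null
    chmod 600 "$work/server.key"
    openssl req -new -config "$ca/openssl.cnf" -key "$work/server.key" \
        -subj "/C=CN/O=Example/CN=$host" -out "$work/server.csr"
    openssl ca -batch -notext -config "$ca/openssl.cnf" \
        -in "$work/server.csr" -out "$work/server.cert" 2>/dev/null
}

# Validate the issued certificate against the CA and against the hostname a
# client would connect to; exit status 0 only if both checks pass.
verify_server_cert() {
    openssl verify -CAfile "$1/CA/cacert.pem" -verify_hostname "$2" \
        "$1/server.cert" >/dev/null 2>&1
}

# Permission bits of a key file, "-rw-------" after chmod 600.
key_mode() { ls -l "$1" | cut -c1-10; }

if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    build_ca_and_server_cert "$d" mail.example.test
    verify_server_cert "$d" mail.example.test && echo "mail.example.test: OK"
    verify_server_cert "$d" other.example.test || echo "other.example.test: rejected"
fi
```

Run with `sh script.sh demo`. The second `verify_server_cert` call is the point of the exercise: a certificate the CA signed for one hostname is rejected for another, which is what a mail client should do and what the post's tshark session cannot show. Against a live server the same check is `openssl s_client -starttls smtp -connect host:25 -CAfile cacert.pem`, which prints the negotiated cipher and the verify result (a standard OpenSSL command, not one the post uses).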
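Part III, step 4.2, encodes the username and password with `openssl base64` and step 4.3 sends them over a plain telnet session to port 25. Base64 is an encoding, not encryption, so those credentials are exactly as recoverable from a capture as the POP3 password in Part I unless STARTTLS was negotiated first. The following added script (not code from the post) audits a captured SMTP session for that condition. Both sample sessions are constructed; the credentials `user1` / `secret` are invented and were encoded with the same `openssl base64` command the post uses.

```shell
#!/bin/sh
# Added example: did AUTH LOGIN happen on the cleartext channel?

# Session 1 (constructed): AUTH LOGIN issued before STARTTLS.
CLEARTEXT_AUTH_SESSION='220 mail.example.test ESMTP
ehlo client.example.test
250-mail.example.test Hello client.example.test, pleased to meet you
250-AUTH LOGIN PLAIN
250-STARTTLS
250 HELP
auth login
334 VXNlcm5hbWU6
dXNlcjE=
334 UGFzc3dvcmQ6
c2VjcmV0
235 2.0.0 OK Authenticated'

# Session 2 (constructed): STARTTLS first. Everything after "Ready to start
# TLS" is ciphertext in a capture, so nothing further is readable.
TLS_FIRST_SESSION='220 mail.example.test ESMTP
ehlo client.example.test
250-mail.example.test Hello client.example.test, pleased to meet you
250-STARTTLS
250 HELP
STARTTLS
220 2.0.0 Ready to start TLS'

# Decode one base64 line (openssl base64 -d needs the trailing newline).
b64d() { printf '%s\n' "$1" | openssl base64 -d; }

# Scan a session ($1). Prints "username=U password=P" if an AUTH LOGIN
# exchange took place before TLS was negotiated, otherwise "none".
cleartext_credentials() {
    printf '%s\n' "$1" | {
        tls=0 expect="" user="" pass=""
        while IFS= read -r line; do
            case "$line" in
                220*"Ready to start TLS"*) tls=1 ;;
                [Aa][Uu][Tt][Hh]" "[Ll][Oo][Gg][Ii][Nn]" "?*)
                    # AUTH LOGIN with the username as initial response
                    if [ "$tls" -eq 0 ]; then
                        user=$(b64d "${line#* * }"); expect=pass
                    fi ;;
                [Aa][Uu][Tt][Hh]" "[Ll][Oo][Gg][Ii][Nn]*)
                    if [ "$tls" -eq 0 ]; then expect=user; fi ;;
                334*) ;;                       # server challenge line
                *)
                    case "$expect" in
                        user) user=$(b64d "$line"); expect=pass ;;
                        pass) pass=$(b64d "$line"); expect="" ;;
                    esac ;;
            esac
        done
        if [ -n "$user" ]; then
            printf 'username=%s password=%s\n' "$user" "$pass"
        else
            echo none
        fi
    }
}

# Does the EHLO reply advertise AUTH on the cleartext channel at all?
# Prints "advertised" or "not advertised".
auth_advertised_in_clear() {
    if printf '%s\n' "$1" | grep -q '^250[- ]AUTH'; then
        echo advertised
    else
        echo "not advertised"
    fi
}

if [ "${1:-}" = "demo" ]; then
    cleartext_credentials "$CLEARTEXT_AUTH_SESSION"   # username=user1 password=secret
    cleartext_credentials "$TLS_FIRST_SESSION"        # none
fi
```

Fed the lines of a real session, this answers the question step 7's tshark output answers only by eye: did authentication happen before or after `220 2.0.0 Ready to start TLS`? The session that reports credentials is the one to prevent on the server side. In sendmail.mc, the `p` flag of `confAUTH_OPTIONS` (a sendmail setting I am naming here; the post does not show its sendmail.mc edits) refuses PLAIN and LOGIN unless a security layer is already active, so the first session above is not accepted at all.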

