<b>Linux下mail服务器利用之邮件系统的安全性</b>[Linux安全]

　　邮件系统的安全性

　　目录:

　　一:使sendmail与CA结合实现发送加密:

　　二:使dovecot与CA结合实现接纳加密:

　　三:使sendmail启用认证功效:

　　邮件安全简介: smtp pop3 imap smtps

　　1. 465 (smtps)

　　2. Smtp+ssl (starttls)

　　为邮件服务器增添SMTPS 功效:

　　SMTPS:通过一个独立的端口向用户供应ssl/tls 加密的服务,监听端口:465.

　　STARTTLS:通过25 号端口同时供应加密/不加密的功效.

　　s/mimp gpg pop3-àpop3s

　　认证:sasl

　　[root@mail ~]# sendmail -d0.1 –bv #查看sendmail的具体信息,查看sendmail 能否支持startls 功效(取决于二进制程序在编译的时刻能否将startls 功效增添进去),若存在STARTTLS,阐明支持发送加密.

　　NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS

　　[root@mail ~]# telnet 127.0.0.1 25 Trying 127.0.0.1... Connected to mail.bj.com (127.0.0.1). Escape character is '^]'.

　　220 mail.bj.com ESMTP Sendmail 8.13.8/8.13.8; Fri, 23 Mar 2012 16:16:04 +0800

　　EHLO 127.0.0.1 250-mail.bj.com Hello mail.bj.com [127.0.0.1], pleased to meet you 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-8BITMIME 250-SIZE 250-DSN 250-ETRN 250-DELIVERBY 250 HELP quit 221 2.0.0 mail.bj.com closing connection Connection closed by foreign host.

　　可以看到:不存在STARTTLS选项!阐明不支持加密!需求举行配置,具体参考下面的资料:

　　邮件系统的基本配置请参考博主文章:

　　Linux下mail服务器利用之sendmail邮件系统的一个案例

　　http://xjzhujunjie.blog.51cto.com/3582724/815292

　　Linux下mail服务器利用之邮件系统简介

　　http://xjzhujunjie.blog.51cto.com/3582724/815261

　　一:使sendmail与CA结合实现发送加密:

　　① ,为CA成立证书: [root@ftp ~]# cd /etc/pki/ [root@ftp pki]# ll [root@ftp pki]# vim tls/openssl.cnf 45 dir = /etc/pki/CA

　　88 countryName = optional

　　89 stateOrProvinceName = optional

　　90 organizationName = optional

　　[root@ftp pki]# cd CA/ [root@ftp CA]# mkdir certs newcerts crl [root@ftp CA]# touch index.txt serial

　　[root@ftp CA]# echo "01" >serial

　　[root@ftp CA]# ll

　　[root@ftp CA]# openssl genrsa 1024 > private/cakey.pem

　　Generating RSA private key, 1024 bit long modulus

　　...........++++++ ....++++++

　　e is 65537 (0x10001)

　　[root@ftp CA]# chmod 600 private/cakey.pem [root@ftp CA]# ll private/cakey.pem -rw------- 1 root root 887 Feb 10 23:22 private/cakey.pem

　　[root@ftp CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 888

　　You are about to be asked to enter information that will be incorporated

　　into your certificate request.

　　What you are about to enter is what is called a Distinguished Name or a DN.

　　There are quite a few fields but you can leave some blank

　　For some fields there will be a default value,

　　If you enter '.', the field will be left blank.

　　-----

　　Country Name (2 letter code) [GB]:cn

　　State or Province Name (full name) [Berkshire]:henan

　　Locality Name (eg, city) [Newbury]:zhengzhou

　　Organization Name (eg, company) [My Company Ltd]:junjie

　　Organizational Unit Name (eg, section) []:soft

　　Common Name (eg, your name or your server's hostname) []:ca.junjie.com

　　Email Address []:junjie@junjie.com [root@ftp CA]#ll [root@ftp CA]#chmod 600 cacert.pem [root@ftp CA]#ll ② ,为sendmail服务器,签发证书: [root@mail CA]# mkdir /etc/mail/certs [root@mail CA]# cd /etc/mail/certs [root@mail certs]# openssl genrsa 1024 >sendmail.key

　　Generating RSA private key, 1024 bit long modulus

　　.................................++++++ ...........++++++

　　e is 65537 (0x10001)

　　[root@mail certs]# openssl req -new -key sendmail.key -out sendmail.csr

　　Country Name (2 letter code) [GB]:cn

　　State or Province Name (full name) [Berkshire]:henan

　　Locality Name (eg, city) [Newbury]:zhengzhou

　　Organization Name (eg, company) [My Company Ltd]:junjie

　　Organizational Unit Name (eg, section) []:tec

　　Common Name (eg, your name or your server's hostname) []:mail.bj.com

　　Email Address []:root@bj.com [root@mail certs]# openssl ca -in sendmail.csr -out sendmail.crt

　　Sign the certificate? [y/n]:y

　　1 out of 1 certificate requests certified, commit? [y/n]y

　　[root@mail certs]# chmod 600 * [root@mail certs]# ll total 12

　　-rw------- 1 root root 3214 Mar 23 16:35 sendmail.crt

　　-rw------- 1 root root 688 Mar 23 16:32 sendmail.csr

　　-rw------- 1 root root 887 Mar 23 16:30 sendmail.key

　　③ :使sendmail服务利用证书功效

　　三个所需文件已经预备完毕,到此,证书已经申请成功,下面开始改正配置文件/etc/mail/sendmail.mc:以使sendmail服务利用证书功效

　　[root@mail certs]# cd /etc/mail/certs/

　　[root@mail certs]# cp /etc/pki/CA/cacert.pem .

　　[root@mail certs]# vim /etc/mail/sendmail.mc

　　21 define(`confLOG_LEVEL', `9')dnl 60 define(`confCACERT_PATH', `/etc/mail/certs')dnl 61 define(`confCACERT', `/etc/mail/certs/cacert.pem')dnl 62 define(`confSERVER_CERT', `/etc/mail/certs/sendmail.crt')dnl 63 define(`confSERVER_KEY', `/etc/mail/certs/sendmail.key')dnl

　　134 DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl

　　保存,重启服务.line 134 监听smtps(465)端口;翻开日记功效line21

　　[root@mail certs]# service sendmail restart Shutting down sm-client: [ OK ]

　　Shutting down sendmail: [ OK ]

　　Starting sendmail: [ OK ]

　　Starting sm-client: [ OK ]

　　④ :利用telnet测试一下

　　[root@mail certs]# telnet mail.bj.com 25

　　Trying 127.0.0.1...

　　Connected to localhost.localdomain (127.0.0.1).

　　Escape character is '^]'.

　　220 mail.bj.com ESMTP Sendmail 8.13.8/8.13.8; Fri, 23 Mar 2012 16:54:22 +0800

　　EHLO mail.bj.com

　　250-mail.bj.com Hello mail.bj.com [127.0.0.1], pleased to meet you

　　250-ENHANCEDSTATUSCODES 250-PIPELINING 250-8BITMIME 250-SIZE 250-DSN 250-ETRN 250-STARTTLS 250-DELIVERBY 250 HELP quit

　　221 2.0.0 mail.bj.com closing connection

　　Connection closed by foreign host.

　　再次可以看到:存在有STARTTLS功效了!阐明可以支持加密了!

　　⑤ :利用windows 上的outlook Express 举行发信测试:

　　日记解析:

　　[root@mail ~]# tail -f /var/log/maillog

　　Mar 23 17:50:17 mail sendmail[3129]: STARTTLS=server, relay=[10.106.6.200], version=TLSv1/SSLv3, verify=NO, cipher=RC4-MD5, bits=128/128

　　Mar 23 17:50:57 mail sendmail[3129]: q2N9oHfJ003129: from=, size=1306, class=0, nrcpts=1, msgid=<006001cd0991$d178b870$c8066a0a@hp3aea877158e2>, proto=SMTP, daemon=MTA, relay=[10.106.6.200]

　　Mar 23 17:50:57 mail sendmail[3132]: q2N9oHfJ003129: to=, ctladdr= (500/500), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=31528, dsn=2.0.0, stat=Sent

　　Mar 23 17:51:07 mail dovecot: pop3-login: Login: user=, method=PLAIN, rip=::ffff:10.106.6.200, lip=::ffff:10.106.6.254

　　Mar 23 17:51:07 mail dovecot: POP3(user1): Disconnected: Logged out top=0/0, retr=1/1608, del=1/1, size=1591

　　二:使dovecot与CA结合实现接纳加密:

　　#为dovecot 增添SSL 功效:pop3---->pop3s imap-----> imaps [root@mail ~]# yum install -y wireshark

　　[root@mail ~]# tshark -ni eth0 -R "tcp.dstport eq 110"

　　Running as user "root" and group "root". This could be dangerous.

　　Capturing on eth0

　　183.544764 10.106.6.200 -> 10.106.6.254 TCP 1116 > 110 [SYN] Seq=0 Win=64240 Len=0 MSS=1460

　　183.546267 10.106.6.200 -> 10.106.6.254 TCP 1116 > 110 [ACK] Seq=1 Ack=1 Win=64240 Len=0

　　183.548706 10.106.6.200 -> 10.106.6.254 POP Request: USER user1 183.562924 10.106.6.200 -> 10.106.6.254 POP Request: PASS 123 183.578535 10.106.6.200 -> 10.106.6.254 POP Request: STAT 183.586984 10.106.6.200 -> 10.106.6.254 POP Request: LIST 183.593295 10.106.6.200 -> 10.106.6.254 POP Request: RETR 1

　　183.594018 10.106.6.200 -> 10.106.6.254 TCP 1116 > 110 [ACK] Seq=43 Ack=1693 Win=64240 Len=0

　　183.642729 10.106.6.200 -> 10.106.6.254 POP Request: DELE 1 183.651676 10.106.6.200 -> 10.106.6.254 POP Request: QUIT

　　183.672294 10.106.6.200 -> 10.106.6.254 TCP 1116 > 110 [ACK] Seq=57 Ack=1757 Win=64177 Len=0

　　183.674327 10.106.6.200 -> 10.106.6.254 TCP 1116 > 110 [FIN, ACK] Seq=57 Ack=1757 Win=64177 Len=0

　　12 packets captured ① ,为dovecot服务器,签发证书
　　以上是“<b>Linux下mail服务器利用之邮件系统的安全性</b>[Linux安全]”的内容，如果你对以上该文章内容感兴趣，你可以看看七道奇为您推荐以下文章：