Encryption and Authentication for sendmail on Linux
In the previous article we only built a basic sendmail server. It provided neither encryption nor authentication, which means anyone can reach your sendmail server and anyone can use it: at worst, anyone can send spam through it at will, or impersonate any user on your server to send mail to other people. All of this damages your server to some degree; to avoid it, we can use sendmail's encryption and authentication features.
We continue with the sendmail server configured in the previous article, using the domain sina.com.
Environment: VirtualBox or VMware
sendmail server: Red Hat 5.4, IP: 192.168.2.10
Test machine: Windows 2003, IP: 192.168.2.20
I. Configuring the CA server
1. Edit the main CA configuration file
[root@localhost ~]# cd /etc/pki
[root@localhost pki]# cd tls
[root@localhost tls]# vim openssl.cnf
Change the following entries:
[ CA_default ]
dir = /etc/pki/CA //change this line: it is the CA certificate directory
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
#unique_subject = no
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
2. Create the files and directories that the configuration in step 1 requires
[root@localhost CA]# cd /etc/pki/CA/
[root@localhost CA]# mkdir certs crl newcerts
[root@localhost CA]# touch index.txt serial
[root@localhost CA]# echo "01">serial
3. Generate the CA server's private key
[root@localhost CA]# openssl genrsa 1024 > private/cakey.pem
Generating RSA private key, 1024 bit long modulus
............................++++++
...++++++
e is 65537 (0x10001)
4. Because the CA is the top-level certificate issuer, it needs a certificate of its own to prove its trustworthiness; below we generate the root certificate.
Before generating the root certificate, first adjust the scope in which its certificates can be used:
[ policy_match ]
countryName = optional //default is match
stateOrProvinceName = optional //default is match
organizationName = optional //default is match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
Changing these to optional lets the certificates issued by this CA be used by servers in different regions. With match, if the province this CA belongs to is Henan, then only servers in Henan can be correctly certified by the certificates it issues; a server in Hebei cannot be certified, which makes the CA impractical. With optional, whichever city the CA is in, servers in other provinces and cities can also use it for certification.
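As an added example (not code from the original post): a small Python re-implementation of the match / supplied / optional rules just described, run against constructed subjects, so you can see why a Henan CA under the stock policy rejects a request from Hebei and accepts it after the edit. The subject dictionaries are my own constructed input, not something OpenSSL produces.

```python
# Added example: re-implements, for illustration only, the semantics of the
# [ policy_match ] rules explained above (match / supplied / optional).
# It is not OpenSSL's own code; the CA and request subjects are constructed.

# The policy as edited on this page: only commonName is mandatory.
POLICY_OPTIONAL = {
    "countryName": "optional",
    "stateOrProvinceName": "optional",
    "organizationName": "optional",
    "organizationalUnitName": "optional",
    "commonName": "supplied",
    "emailAddress": "optional",
}

# The stock policy before the edit: C, ST and O must equal the CA's own values.
POLICY_MATCH = dict(POLICY_OPTIONAL, countryName="match",
                    stateOrProvinceName="match", organizationName="match")


def check_policy(ca_subject, req_subject, policy):
    """Return (accepted, reason) for a CSR subject under a CA policy.

    match    -> field must be present and equal the CA certificate's value
    supplied -> field must be present in the request
    optional -> field may be absent
    """
    for field, rule in policy.items():
        value = req_subject.get(field)
        if rule == "match":
            if value is None or value != ca_subject.get(field):
                return False, "%s must match CA value %r" % (field, ca_subject.get(field))
        elif rule == "supplied" and value is None:
            return False, "%s must be supplied" % field
    return True, "ok"


# Constructed subjects: the CA from this page, and a request from another province.
CA_SUBJECT = {"countryName": "CN", "stateOrProvinceName": "HENAN",
              "organizationName": "sina", "commonName": "root.root"}
REQ_HEBEI = {"countryName": "CN", "stateOrProvinceName": "HEBEI",
             "organizationName": "sina", "commonName": "pop3.sina.com"}
REQ_NO_CN = {"countryName": "CN", "stateOrProvinceName": "HENAN"}

if __name__ == "__main__":
    print(check_policy(CA_SUBJECT, REQ_HEBEI, POLICY_MATCH))     # rejected: ST differs
    print(check_policy(CA_SUBJECT, REQ_HEBEI, POLICY_OPTIONAL))  # accepted
    print(check_policy(CA_SUBJECT, REQ_NO_CN, POLICY_OPTIONAL))  # rejected: no CN
```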
Now generate the root certificate:
[root@localhost CA]# openssl req -new -key private/cakey.pem -x509 -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HENAN
Locality Name (eg, city) [Newbury]:ZHENGZHOU
Organization Name (eg, company) [My Company Ltd]:sina
Organizational Unit Name (eg, section) []:tec
Common Name (eg, your name or your server's hostname) []:root.root
Email Address []:
[root@localhost CA]#
II. Encrypting POP3
1. We keep the POP3 certificate under /etc/dovecot/certs
First create this directory:
[root@localhost CA]# mkdir -pv /etc/dovecot/certs
mkdir: 已创建目录 “/etc/dovecot”
mkdir: 已创建目录 “/etc/dovecot/certs”
2. Create the private key
[root@localhost CA]# cd /etc/dovecot/certs/
[root@localhost certs]# openssl genrsa 1024 > dovecot.key
Generating RSA private key, 1024 bit long modulus
.................................++++++
...++++++
e is 65537 (0x10001)
3. Generate the certificate signing request for this POP3 server
[root@localhost certs]# openssl req -new -key dovecot.key -out dovecot.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HENAN
Locality Name (eg, city) [Newbury]:Zhengzhou
Organization Name (eg, company) [My Company Ltd]:sina
Organizational Unit Name (eg, section) []:pop3
Common Name (eg, your name or your server's hostname) []:pop3.sina.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost certs]#
4. Have the CA server issue the certificate
[root@localhost certs]# openssl ca -in dovecot.csr -out dovecot.cert
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Nov 15 10:11:00 2012 GMT
Not After : Nov 15 10:11:00 2013 GMT
Subject:
countryName = CN
stateOrProvinceName = HENAN
organizationName = sina
organizationalUnitName = pop3
commonName = pop3.sina.com
5. Edit the POP3 configuration file so the server supports encrypted POP3
[root@localhost certs]# vim /etc/dovecot.conf
Change as follows:
line 20: protocols = imaps pop3s
line 91: ssl_cert_file = /etc/dovecot/certs/dovecot.cert
line 92: ssl_key_file = /etc/dovecot/certs/dovecot.key
6. Start the POP3 server
[root@localhost certs]# service dovecot restart
停止 Dovecot Imap: [确定]
启动 Dovecot Imap: [确定]
[root@localhost certs]#
Check that pop3s is listening:
[root@localhost certs]# netstat -tupln |grep dovecot
tcp 0 0 :::993 :::* LISTEN 2740/dovecot
tcp 0 0 :::995 :::* LISTEN 2740/dovecot
7. Test from the client
First configure the client user's account to use pop3s.
Tick "use SSL encryption". Because we removed support for plain pop3 above, only the encrypted pop3s method can be used, so fetching mail directly without SSL fails.
Send a message from the server:
[root@localhost certs]# mail code
Subject: hello
hello this is a test!
.
Cc:
Receive it on the client.
When fetching, the following prompt appears.
Just click OK and it succeeds. We can also confirm this with a packet capture.
First install wireshark:
[root@localhost yum.repos.d]# yum install wireshark
Capture the traffic:
[root@localhost yum.repos.d]# tshark -ni eth0 -R "tcp.port eq 995"
0.012501 192.168.2.20 -> 192.168.2.10 SSL Client Hello //shows that SSL encryption is in use
0.012567 192.168.2.10 -> 192.168.2.20 TCP 995 > 3624 [ACK] Seq=1 Ack=110 Win=5840 Len=0
0.015353 192.168.2.10 -> 192.168.2.20 TLSv1 Server Hello, Certificate, Server Hello Done
0.016918 192.168.2.20 -> 192.168.2.10 TLSv1 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
III. Encrypting SMTP
1. Requesting the SMTP certificate is basically the same as for POP3; only the steps are posted below.
[root@localhost ~]# mkdir -pv /etc/sendmail/certs
mkdir: 已创建目录 “/etc/sendmail”
mkdir: 已创建目录 “/etc/sendmail/certs”
[root@localhost ~]# cd /etc/sendmail/certs/
Generate the private key:
[root@localhost certs]# openssl genrsa 1024 > sendmail.key
Generating RSA private key, 1024 bit long modulus
......++++++
................................................++++++
e is 65537 (0x10001)
Generate the certificate request:
[root@localhost certs]# openssl req -new -key sendmail.key -out sendmail.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HENAN
Locality Name (eg, city) [Newbury]:Zhengzhou
Organization Name (eg, company) [My Company Ltd]:sina
Organizational Unit Name (eg, section) []:smtp
Common Name (eg, your name or your server's hostname) []: smtp.sina.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name
Have the CA server issue the certificate:
[root@localhost certs]# openssl ca -in sendmail.csr -out sendmail.cert
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Nov 15 10:53:33 2012 GMT
Not After : Nov 15 10:53:33 2013 GMT
Subject:
countryName = CN
stateOrProvinceName = HENAN
organizationName = sina
organizationalUnitName = smtp
commonName = smtp.sina.com
X509v3 extensions:
2. Fix the permissions on the certificate and private key
[root@localhost certs]# cd /etc/sendmail/certs
[root@localhost certs]# chmod 600 *
Note: this step is mandatory; otherwise sendmail's encryption setup will not work.
3. Edit the configuration file so the server supports smtps encryption
[root@localhost ~]# vim /etc/mail/sendmail.mc
Change to the following:
line 60: define(`confCACERT_PATH', `/etc/pki/CA')dnl
line 61: define(`confCACERT', `/etc/pki/CA/cacert.pem')dnl
line 62: define(`confSERVER_CERT', `/etc/sendmail/certs/sendmail.cert')
line 63: define(`confSERVER_KEY', `/etc/sendmail/certs/sendmail.key')
line 134: DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
4. Restart the sendmail server
[root@localhost ~]# service sendmail restart
关闭 sm-client: [确定]
关闭 sendmail: [确定]
启动 sendmail: [确定]
启动 sm-client: [确定]
5. Test
First configure the client user's account.
Send a message to check that it works.
Just click Yes.
You can also verify with a packet capture:
[root@localhost yum.repos.d]# tshark -ni eth0 -R "tcp.port eq 25"
IV. Configuring sendmail user authentication
The SMTP protocol provides no authentication of its own, so it is easy for anonymous users to send mail through it; we can use third-party software to add authentication to sendmail's SMTP.
SASL (Simple Authentication and Security Layer) is used specifically for user authentication in SMTP.
1. Check whether the software is installed
[root@localhost certs]# rpm -qa | grep sasl
cyrus-sasl-lib-2.1.22-5.el5
cyrus-sasl-2.1.22-5.el5
cyrus-sasl-devel-2.1.22-5.el5
cyrus-sasl-plain-2.1.22-5.el5
If it is not installed, install it manually.
2. For sendmail to authenticate users when they send mail, certain modules must be enabled in the SMTP configuration file; edit it as follows
[root@localhost ~]# vim /etc/mail/sendmail.mc
line 39: define(`confAUTH_OPTIONS', `A y')dnl //add "y" after A
line 52: TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
line 53: define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
//remove the leading dnl from these two lines to uncomment them
line 116: DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA,M=Ea')dnl
//append ",M=Ea" to this line
3. Restart the sendmail server and start the SASL daemon
[root@localhost ~]# service sendmail restart
关闭 sm-client: [确定]
关闭 sendmail: [确定]
启动 sendmail: [确定]
启动 sm-client: [确定]
[root@localhost ~]# service saslauthd start
启动 saslauthd: [确定]
4. Use telnet to verify that authentication is supported
[root@localhost ~]# telnet 127.0.0.1 25
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH LOGIN PLAIN //this line shows that SASL authentication is now supported
250-STARTTLS //this shows SMTP encryption is supported, from the previous section
250-DELIVERBY
250 HELP
5. Test
Now let's try sending mail as a user who has not authenticated, to see whether it is allowed:
[root@localhost ~]# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
220 localhost.localdomain ESMTP Sendmail 8.13.8/8.13.8; Thu, 15 Nov 2012 20:20:31 +0800
mail from:code@sina.com //send as the user code
530 5.7.0 Authentication required //the server replies with error 530
The server says authentication is required, so now we authenticate this account. Because this authentication only accepts base64-encoded strings, first base64-encode code's user name and password:
[root@localhost ~]# echo -n "code@sina.com" | openssl base64
Y29kZUBzaW5hLmNvbQ== //the user name after encoding
[root@localhost ~]# echo -n "abcd1234" | openssl base64
YWJjZDEyMzQ= //the password after encoding
Now have the server authenticate us:
[root@localhost ~]# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 localhost.localdomain ESMTP Sendmail 8.13.8/8.13.8; Thu, 15 Nov 2012 20:36:25 +0800
auth login Y29kZUBzaW5hLmNvbQ== //typed manually; what follows is your base64-encoded user name
334 UGFzc3dvcmQ6
YWJjZDEyMzQ= //enter the base64-encoded password
235 2.0.0 OK Authenticated //authentication succeeded
mail from:code@sina.com
250 2.1.0 code@sina.com... Sender ok //mail can now be sent
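As an added example, not code from the original post: the AUTH LOGIN exchange above reproduced with Python's base64 module instead of "openssl base64". The EHLO reply and the credentials are constructed copies of the transcript, and the helper that flags AUTH LOGIN/PLAIN on a session that has not done STARTTLS is my own check, not a sendmail feature.

```python
# Added example (not the page's code): the AUTH LOGIN exchange shown above,
# encoded/decoded with Python's base64 module instead of "openssl base64".
# The EHLO reply and the credentials are constructed to match the transcript.
import base64

EHLO_REPLY = "250-SIZE\n250-AUTH LOGIN PLAIN\n250-STARTTLS\n250 HELP"   # abridged copy

def parse_ehlo(text):
    """Map each advertised keyword to its parameters, e.g. {'AUTH': ['LOGIN', 'PLAIN']}."""
    caps = {}
    for line in text.splitlines():
        if line.startswith("250"):            # "250-" continuation or final "250 "
            words = line[4:].split()
            if words:
                caps[words[0]] = words[1:]
    return caps

def b64(text):
    """Encode the way 'echo -n ... | openssl base64' does on this page."""
    return base64.b64encode(text.encode()).decode()

def decode_challenge(line):
    """Decode a '334 <base64>' server challenge back to its prompt text."""
    code, payload = line.split(None, 1)
    if code != "334":
        raise ValueError("not an AUTH challenge: " + line)
    return base64.b64decode(payload).decode()

def auth_login_lines(user, password):
    """The two client lines typed during AUTH LOGIN in the telnet session above."""
    return ["auth login " + b64(user), b64(password)]

def plaintext_auth_exposed(caps, tls_active):
    """LOGIN/PLAIN only base64-encode the password, so offering them on a
    session that has not done STARTTLS lets a capture (like the tshark one
    earlier on this page) recover the credentials verbatim."""
    mechs = set(caps.get("AUTH", []))
    return bool(mechs & {"LOGIN", "PLAIN"}) and not tls_active

if __name__ == "__main__":
    caps = parse_ehlo(EHLO_REPLY)
    print(auth_login_lines("code@sina.com", "abcd1234"))
    print(decode_challenge("334 UGFzc3dvcmQ6"))               # Password:
    print(base64.b64decode("Y29kZUBzaW5hLmNvbQ==").decode())  # the "encoded" user name reads straight back
    print(plaintext_auth_exposed(caps, tls_active=False))     # True until STARTTLS has been done
```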
Configuring the client
Because users must now be authenticated, configure the client user's account as follows.
Now the server can be used normally, but only authenticated users can use it.