Encryption and authentication for a sendmail mail server
Many of the client/server protocols a mail server speaks have no authentication of their own; SASL (Simple Authentication and Security Layer) is the generic way of adding it to such protocols. When you set up SASL you have to decide two things: the authentication mechanism used to exchange credentials (the "identity information"), and the authentication framework that decides how those credentials are stored. The mechanism fixes the challenge/response sequence between client and server and how the exchanged data is encoded; PLAIN and LOGIN, for example, carry the password itself, base64-encoded but otherwise unprotected, so they must only be used once a TLS layer exists, whereas CRAM-MD5 and DIGEST-MD5 send a hash instead. The framework decides where the server keeps the client's credentials and how it checks the password the client presents; on Red Hat systems that job is done by saslauthd, which by default hands the check to PAM and therefore to the system accounts. Once a client has authenticated, the server knows who the user is and can decide what that user may do. For sendmail the "permission" in question is access to the relay service; you can also decide whether an authenticated user is required to use a particular sender address.
Building the mail server
A working mail server normally needs the following packages installed:
sendmail-8.13.8-2.el5.i386.rpm
1. Install sendmail-cf, which provides the m4 macro files needed to regenerate sendmail.cf from sendmail.mc.
2. Check which address and port sendmail is listening on (the netstat output is truncated on the page; on a stock installation sendmail binds only to 127.0.0.1:25):
[root@localhost mail]# netstat -tupln |grep sendmail
tcp
3. Edit sendmail.mc so that the daemon listens on all interfaces instead of loopback only (change Addr=127.0.0.1 to Addr=0.0.0.0):
[root@localhost Server]# cd /etc/mail
[root@localhost mail]# vim sendmail.mc
116 DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA')dnl
4. Restart sendmail (on Red Hat the init script also regenerates sendmail.cf from sendmail.mc and rebuilds the map databases in /etc/mail):
[root@localhost mail]# service sendmail restart
Shutting down sm-client:
Shutting down sendmail:
Starting sendmail:
Starting sm-client:
5. Check again; sendmail should now be listening on 0.0.0.0:25 (output truncated on the page):
[root@localhost mail]# netstat -tupln |grep sendmail
tcp
6. Create two test accounts. The password "123" is set non-interactively here for the lab only; a weak password like this is exactly what the packet capture later on the page shows travelling in the clear:
[root@localhost mail]# useradd user1
[root@localhost mail]# useradd user2
[root@localhost mail]# echo "123" |passwd --stdin user1
[root@localhost mail]# echo "123" |passwd --stdin user2
7. Edit the access file, which controls which hosts may connect and relay. Entries have the form Connect:<address or prefix> followed by an action (RELAY, OK, REJECT or DISCARD); the action of the entry added here is not shown on the page. The entry applies to the server's own address:
[root@localhost mail]# vim access
Add the following to the access file:
10 Connect:192.168.2.100
8. Restart sendmail so that access.db is rebuilt from the edited file:
[root@localhost mail]# service sendmail restart
9. Test over SMTP with telnet. The session below was typed before the banner arrived, so the 220 line is shown first here in the order the server actually produced it. "(will queue)" in the RCPT reply means sendmail could not complete a lookup for the recipient domain at that moment (DNS is only configured in step 12) and will retry from its queue. Because the connection came from 192.168.2.100, which the access file now allows, mail addressed to an external domain is accepted for relaying; any address granted RELAY this way can send mail anywhere through this server, so such entries should be as narrow as possible.
[root@localhost mail]# telnet 192.168.2.100 25
Trying 192.168.2.100...
Connected to 192.168.2.100 (192.168.2.100).
Escape character is '^]'.
220 localhost.localdomain ESMTP Sendmail 8.13.8/8.13.8; Wed, 21 Mar 2012 11:53:43 +0800
mail from:aaa@aaa.com
250 2.1.0 aaa@aaa.com... Sender ok
rcpt to:aa@163.com
250 2.1.5 aa@163.com... Recipient ok (will queue)
quit
Mail can now be sent and received.
10. Add the local domain to local-host-names so that sendmail treats mail for @bj.com as local delivery instead of trying to relay it:
[root@localhost mail]# vim local-host-names
bj.com
11. Extend the access file (the right-hand actions are not shown on the page). A Connect: entry that gives only a network prefix, such as 192.168.2, matches every host in that /24, because sendmail looks up the full connecting address and then successively shorter prefixes; domain entries likewise match the domain and its subdomains:
[root@localhost mail]# vim access
Connect:192.168.2
sh.com
bj.com
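As an added illustration (not the page's own code and not sendmail's ruleset), the following Python models only the lookup order sendmail documents for the access map, the full connecting address first and then successively shorter prefixes, the recipient domain first and then its parent domains, to show why a Connect:192.168.2 RELAY entry opens relaying to every host in 192.168.2.0/24 and why a reviewer should list the RELAY entries. The access-file text, the local-host-names content and the right-hand actions are constructed for the example; the page's own entries are truncated.

```python
"""Simplified model of the sendmail access-map relay decision.

Added example, not code from the page and not sendmail's own ruleset.  It
reproduces only the lookup order sendmail documents for the access map: the
full connecting address first, then successively shorter prefixes; the
recipient domain first, then its parent domains.  That is enough to show
why 'Connect:192.168.2 RELAY' opens relaying for all of 192.168.2.0/24.
ACCESS_TEXT and LOCAL_HOST_NAMES are constructed; the page's own entries
are truncated and the actions assumed here are the editor's.
"""
import re

# Constructed sample access file.  Actions: RELAY, OK, REJECT, DISCARD.
ACCESS_TEXT = """\
Connect:localhost.localdomain   RELAY
Connect:localhost               RELAY
Connect:127.0.0.1               RELAY
Connect:192.168.2.100           RELAY
Connect:192.168.2               RELAY
Connect:192.168.3.7             REJECT
sh.com                          RELAY
"""

# Constructed local-host-names: domains sendmail delivers locally.
LOCAL_HOST_NAMES = {"bj.com", "mail.bj.com", "localhost", "localhost.localdomain"}

IP_KEY = re.compile(r"^connect:[0-9.]+$")


def parse_access(text):
    """Return {lower-cased key: ACTION} for each entry in an access file."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, action = line.split(None, 1)
        table[key.lower()] = action.strip().upper()
    return table


def ip_candidates(ip):
    """'192.168.2.3' -> ['192.168.2.3', '192.168.2', '192.168', '192']."""
    octets = ip.split(".")
    return [".".join(octets[:n]) for n in range(len(octets), 0, -1)]


def domain_candidates(domain):
    """'mail.sh.com' -> ['mail.sh.com', 'sh.com', 'com']."""
    labels = domain.lower().strip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def lookup(table, keys):
    """Action for the first key present, in lookup order, else None."""
    for key in keys:
        if key.lower() in table:
            return table[key.lower()]
    return None


def relay_decision(table, client_ip, rcpt, local_domains=LOCAL_HOST_NAMES):
    """What sendmail would do with RCPT TO:<rcpt> from client_ip.

    Returns 'rejected', 'local', 'relay' or 'denied'.
    """
    connect = lookup(table, ["connect:" + c for c in ip_candidates(client_ip)])
    if connect == "REJECT":
        return "rejected"        # the connection itself is refused
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in local_domains:
        return "local"           # delivered here; relaying not involved
    if connect == "RELAY":
        return "relay"           # granted by the connecting address
    if lookup(table, domain_candidates(domain)) == "RELAY":
        return "relay"           # granted by the recipient domain
    return "denied"              # sendmail answers 550 5.7.1 Relaying denied


def relay_scope(table):
    """Connect: IP keys that grant RELAY, shortest (widest) prefix first.

    The first entries are whole networks; review those most carefully.
    """
    keys = [k[len("connect:"):] for k, v in table.items()
            if IP_KEY.match(k) and v == "RELAY"]
    return sorted(keys, key=lambda k: k.count("."))


if __name__ == "__main__":
    table = parse_access(ACCESS_TEXT)
    for ip, rcpt in [("192.168.2.3", "aa@163.com"), ("10.0.0.5", "aa@163.com"),
                     ("10.0.0.5", "root@bj.com"), ("10.0.0.5", "user@mail.sh.com"),
                     ("192.168.3.7", "root@bj.com")]:
        print(f"{ip:12} RCPT TO:<{rcpt}> -> {relay_decision(table, ip, rcpt)}")
    print("RELAY granted by address prefix:", relay_scope(table))
```

Run it after editing the access file with your own entries pasted into ACCESS_TEXT: the relay_scope output lists the prefix entries, which are the ones that most often turn a server into an open relay.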
12. DNS server configuration
Beijing (bj.com) runs its own DNS service so that mail.bj.com and the MX record for bj.com can be resolved by the clients and by sendmail itself.
1. Install the main DNS server packages:
[root@localhost Server]# rpm -ivh bind-9.3.6-4.P1.el5.i386.rpm
[root@localhost Server]# rpm -ivh bind-chroot-9.3.6-4.P1.el5.i386.rpm
[root@localhost Server]# rpm -ivh caching-nameserver-9.3.6-4.P1.el5.i386.rpm
2. Copy named.caching-nameserver.conf to named.conf:
[root@localhost Server]# cd /var/named/chroot/etc/
[root@localhost etc]# cp -p named.caching-nameserver.conf named.conf
3. Edit named.conf. The changes at lines 15 and 27 are truncated on the page; in the stock caching-nameserver file these are the listen-on statement (127.0.0.1 only) and the match-clients/match-destinations of the localhost_resolver view (localhost only), both of which must be widened to the 192.168.2.0/24 network so that the other hosts can query this server:
[root@localhost etc]# vim named.conf
15
27
36 view localhost_resolver {
4. Edit the zone declaration file (forward and reverse zones):
[root@localhost etc]# vim named.rfc1912.zones
Copy lines 15-19 and modify them as follows:
20 zone "bj.com" IN {
Copy lines 44-48 and add the following:
50 zone "2.168.192.in-addr.arpa" IN {
5. Create the zone data files from the templates:
[root@localhost etc]# cd ../var/named/
[root@localhost named]# cp -p localhost.zone bj.com.db
[root@localhost named]# cd /var/named/chroot/var/named/
[root@mail named]# cp -p named.local 192.168.2.db
6. Edit the zone data files. The records are truncated on the page; the forward zone needs an A record for mail.bj.com and an MX record for bj.com pointing at it, and the reverse zone the matching PTR records for .100 and .101:
[root@localhost named]# vim bj.com.db
[root@mail named]# vim 192.168.2.db
100 IN
101 IN
7. Enable named at boot and start it:
[root@localhost named]# chkconfig named on
[root@localhost etc]# service named start
Starting named:
8. Point the resolver at the new server:
[root@localhost etc]# vim /etc/resolv.conf
nameserver 192.168.2.100
9. Edit the network file to set the host name:
[root@localhost named]# vim /etc/sysconfig/network
HOSTNAME=mail.bj.com
10. Edit the hosts file (the entry is truncated on the page):
[root@localhost named]# vim /etc/hosts
127.0.0.1
11. Reboot so that the new host name takes effect:
[root@localhost named]# init 6
12. Check the status of the DNS and sendmail services:
[root@mail ~]# service named status
server is up and running
named (pid 2378) is running...
[root@mail ~]# service sendmail status
sendmail (pid 2704) is running...
13. Check that DNS resolves (the Server and Name fields are truncated on the page):
[root@mail ~]# nslookup
> set q=any
> mail.bj.com
Server:
Address: 192.168.2.100#53
Name:
Address: 192.168.2.100
14. Test sending internal mail from Windows
Using Outlook Express:
Create the account for user1.
Compose a message and send it.
After sending, check the sendmail log on the server (the from= and to= fields are truncated on the page):
[root@mail ~]# tail -f /var/log/maillog
Mar 21 17:03:22 mail sendmail[3336]: q2L93MSd003336:
from=
Mar 21 17:03:22 mail sendmail[3339]: q2L93MSd003336:
to=
The message was accepted and delivered.
15. Install the mail retrieval server (dovecot) on the mail server:
[root@mail ~]# yum install -y dovecot
16. Edit the dovecot configuration file (the settings changed here are not shown on the page; at minimum the protocols line has to list pop3 and imap, as the later TLS section shows):
[root@mail ~]# vim /etc/dovecot.conf
Modify as follows:
17. Enable dovecot at boot and restart it:
[root@mail ~]# chkconfig dovecot on
[root@mail ~]# service dovecot restart
Stopping Dovecot Imap:
Starting Dovecot Imap:
18. Check which ports the service listens on (the output is truncated; with pop3 and imap enabled these are 110 and 143):
[root@mail ~]# netstat -tupln |grep dov
tcp
tcp
19. Check that mail can be retrieved (the user= field is truncated on the page):
[root@mail ~]# tail -f /var/log/maillog
Mar 21 17:40:02 mail dovecot: Dovecot v1.0.7 starting up
Mar 21 17:40:02 mail dovecot: Generating Diffie-Hellman parameters for the first time. This may take a while..
Mar 21 17:40:09 mail dovecot: Killed with signal 15
Mar 21 17:40:09 mail dovecot: Dovecot v1.0.7 starting up
Mar 21 17:40:09 mail dovecot: Generating Diffie-Hellman parameters for the first time. This may take a while..
Mar 21 17:45:41 mail dovecot: pop3-login: Login:
user=
user1 can retrieve mail over POP3.
Encryption and authentication for the mail server
Check the compile-time options. The "Compiled with:" line is truncated on the page; it must include STARTTLS and SASLv2 for the rest of this section to work, which the Red Hat build does:
[root@mail ~]# sendmail -d0.1 -bv
Version 8.13.8
============ SYSTEM IDENTITY (after readcf) ============
========================================================
Recipient names must be specified
Before anything is configured the server advertises neither STARTTLS nor AUTH:
[root@mail ~]# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to mail.bj.com (127.0.0.1).
Escape character is '^]'.
220 mail.bj.com ESMTP Sendmail 8.13.8/8.13.8; Fri, 23 Mar 2012 15:54:24 +0800
EHLO 127.0.0.1
250-mail.bj.com Hello mail.bj.com [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
QUIT
Sending server
STARTTLS (SMTP over TLS)
STARTTLS upgrades an ordinary port-25 session to TLS after EHLO; the separate smtps daemon enabled below instead wraps the whole session in TLS on port 465.
Create the server certificate. First prepare the CA directory under /etc/pki/CA. The two openssl.cnf edits are truncated on the page: line 45 is the dir setting, which must point at /etc/pki/CA, and line 88 is the countryName entry that opens the policy_match section. The server request below uses a different State and Organization from the CA certificate, so stateOrProvinceName and organizationName in that policy must be relaxed from match to optional, or openssl ca refuses to sign. The directory for issued certificates has to be named newcerts, as new_certs_dir in openssl.cnf expects (the page spells it netcerts):
[root@mail ~]# cd /etc/pki/CA/
[root@mail CA]# cd ..
[root@mail pki]# vim tls/openssl.cnf
45 dir
88 countryName
[root@mail CA]# mkdir crl certs newcerts
[root@mail CA]# touch index.txt serial
[root@mail CA]# echo "01" >serial
Create the CA private key (the page uses 1024-bit RSA; anything deployed today should use 2048 bits or more) and make it readable by root only:
[root@mail CA]# openssl genrsa 1024 >private/cakey.pem
Generating RSA private key, 1024 bit long modulus
..............................................++++++
........................................++++++
e is 65537 (0x10001)
[root@mail CA]# chmod 600 private/*
Create the self-signed CA certificate (valid for ten years):
[root@mail CA]# openssl req -new -key private/cakey.pem -x509 -out cacert.pem -days 3650
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:BEIJING
Locality Name (eg, city) [Newbury]:BEIJING
Organization Name (eg, company) [My Company Ltd]:SECCENTER
Organizational Unit Name (eg, section) []:tec
Common Name (eg, your name or your server's hostname) []:rootca.net.net
Email Address []:
Create the server key:
[root@mail CA]# cd /etc/mail
[root@mail mail]# mkdir certs
[root@mail mail]# cd certs/
[root@mail certs]# openssl genrsa 1024 >sendmail.key
Generating RSA private key, 1024 bit long modulus
........++++++
...........................++++++
e is 65537 (0x10001)
Create the certificate request. The Common Name must be the host name clients connect to, mail.bj.com, or clients that verify the certificate will report a name mismatch:
[root@mail certs]# openssl req -new -key sendmail.key -out sendmail.csr
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HENAN
Locality Name (eg, city) [Newbury]:ZHENGZHOU
Organization Name (eg, company) [My Company Ltd]:ZZDX
Organizational Unit Name (eg, section) []:tec
Common Name (eg, your name or your server's hostname) []:mail.bj.com
Email Address []:
Sign the request with the CA. Afterwards openssl verify -CAfile /etc/pki/CA/cacert.pem sendmail.cert should answer "sendmail.cert: OK":
[root@mail certs]# openssl ca -in sendmail.csr -out sendmail.cert
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Edit sendmail.mc. Only two of the TLS lines are shown; in the same block the commented-out confCACERT, confSERVER_CERT and confSERVER_KEY definitions must be enabled and pointed at /etc/mail/certs/cacert.pem, sendmail.cert and sendmail.key respectively. The second line adds a TLS-wrapped listener on port 465 (M=s) alongside STARTTLS on port 25:
[root@mail mail]# pwd
/etc/mail
[root@mail mail]# vim sendmail.mc
60 define(`confCACERT_PATH', `/etc/mail/certs')dnl
134 DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
Restrict the key's permissions; sendmail refuses to use a key file that other users can read and logs it as unsafe:
[root@mail certs]# chmod 600 sendmail.key
Copy cacert.pem into the certificate directory. confCACERT must point at the CA that issued sendmail.cert, and this is also the CA sendmail uses to verify any client certificates:
[root@mail certs]# pwd
/etc/mail/certs
[root@mail certs]# cp /etc/pki/CA/cacert.pem ./
Restart sendmail:
[root@mail mail]# service sendmail restart
Shutting down sm-client:
Shutting down sendmail:
Starting sendmail:
Starting sm-client:
Check: STARTTLS is now advertised:
[root@mail certs]# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to mail.bj.com (127.0.0.1).
Escape character is '^]'.
220 mail.bj.com ESMTP Sendmail 8.13.8/8.13.8; Fri, 23 Mar 2012 18:17:34 +0800
EHLO 127.0.0.1
250-mail.bj.com Hello mail.bj.com [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP
Test
From an external mail client in Beijing:
For user1, enable the secure connection (SSL) option on the outgoing server.
Watch the log and run a packet capture while sending and receiving; this is what they show. In the STARTTLS=server line, verify=NO means the client presented no certificate, which is normal for a mail client; RC4-MD5 is the cipher Outlook Express negotiated and is considered weak today:
[root@mail certs]# tail -f /var/log/maillog
Mar 23 19:08:08 mail sendmail[4219]: STARTTLS=server, relay=[192.168.2.3], version=TLSv1/SSLv3, verify=NO, cipher=RC4-MD5, bits=128/128
Mar 23 19:08:08 mail sendmail[4219]: q2NB88dj004219:
from=
Mar 23 19:08:09 mail sendmail[4220]: q2NB88dj004219:
to=
Mar 23 19:08:44 mail dovecot: pop3-login: Login:
user=
Mar 23 19:08:44 mail dovecot: POP3(user1): Disconnected: Logged out top=0/0, retr=1/1494, del=1/1, size=1477
[root@mail Server]# tshark -ni eth0 -R "tcp.dstport eq 110"
130.317087 192.168.2.3 -> 192.168.2.100 TCP 2446 > 110 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=3
130.317398 192.168.2.3 -> 192.168.2.100 TCP 2446 > 110 [ACK] Seq=1 Ack=1 Win=372296 Len=0
130.319027 192.168.2.3 -> 192.168.2.100 POP Request: USER user1
130.319511 192.168.2.3 -> 192.168.2.100 POP Request: PASS 123
130.406052 192.168.2.3 -> 192.168.2.100 POP Request: STAT
130.435409 192.168.2.3 -> 192.168.2.100 POP Request: LIST
130.439985 192.168.2.3 -> 192.168.2.100 POP Request: RETR 1
Sending used TLS, but retrieval still used cleartext POP3, and the capture shows the account name and password (USER user1, PASS 123) in the clear.
Making retrieval secure on the dovecot server (POP3S/IMAPS)
Key and certificate request:
[root@mail certs]# mkdir -pv /etc/dovecot/certs
mkdir: created directory `/etc/dovecot'
mkdir: created directory `/etc/dovecot/certs'
[root@mail certs]# cd /etc/dovecot/certs/
[root@mail certs]# openssl genrsa 1024 >dovecot.key
Generating RSA private key, 1024 bit long modulus
..................++++++
......................++++++
e is 65537 (0x10001)
Generate the request (CN pop3.bj.com; clients must be configured with the same host name, otherwise their certificate check fails):
[root@mail certs]# openssl req -new -key dovecot.key -out dovecot.csr
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HENAN
Locality Name (eg, city) [Newbury]:ZHENGZHOU
Organization Name (eg, company) [My Company Ltd]:ZZDX
Organizational Unit Name (eg, section) []:tec
Common Name (eg, your name or your server's hostname) []:pop3.bj.com
Email Address []:
Issue the certificate with the CA:
[root@mail certs]# openssl ca -in dovecot.csr -out dovecot.cert
Certificate Details:
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Restrict the permissions:
[root@mail certs]# chmod 600 *
Edit dovecot.conf. Besides adding imaps to the protocols line (add pop3s as well if POP3 clients are to be protected), ssl_cert_file and ssl_key_file must point at /etc/dovecot/certs/dovecot.cert and dovecot.key; those lines are not shown on the page. Plain pop3 and imap on ports 110 and 143 remain enabled, so a client that is not switched to SSL can still log in in the clear, exactly as the capture above showed; set disable_plaintext_auth = yes to make dovecot refuse cleartext logins on the non-SSL ports:
[root@mail certs]# vim /etc/dovecot.conf
21 protocols = imap pop3 imaps
Restart the service:
[root@mail certs]# service dovecot restart
Stopping Dovecot Imap:
Starting Dovecot Imap:
Check the listening ports (three now: 993 for imaps in addition to 110 and 143):
[root@mail certs]# netstat -tupln |grep dov
tcp
tcp
tcp
Test whether retrieval is encrypted
Log and capture while sending and receiving, with the client now using IMAP over SSL on port 993:
[root@mail certs]# tail -f /var/log/maillog
Mar 23 21:52:23 mail sendmail[4377]: STARTTLS=server, relay=[192.168.2.3], version=TLSv1/SSLv3, verify=NO, cipher=RC4-MD5, bits=128/128
Mar 23 21:52:23 mail sendmail[4377]: q2NDqNw5004377:
from=
Mar 23 21:52:23 mail sendmail[4384]: q2NDqNw5004377:
to=
Mar 23 21:52:24 mail dovecot: imap-login: Login:
user=
[root@mail Server]# tshark -ni eth0 -R "tcp.dstport eq 993"
345.571410 192.168.2.3 -> 192.168.2.100 TCP 3032 > 993 [ACK] Seq=292 Ack=836 Win=371464 Len=0
345.573477 192.168.2.3 -> 192.168.2.100 TLSv1 Application Data
345.574578 192.168.2.3 -> 192.168.2.100 TLSv1 Application Data
345.667520 192.168.2.3 -> 192.168.2.100 TLSv1 Application Data
345.673284 192.168.2.3 -> 192.168.2.100 TLSv1 Application Data
345.674900 192.168.2.3 -> 192.168.2.100 TLSv1 Application Data
Sending and retrieval both worked, and the capture on port 993 shows only TLS application data; credentials and message content are no longer readable by a passive listener. This protects the hop between the client and this server only; delivery from sendmail to the next MTA is a separate negotiation.
SASL authentication for sending mail
So far the server relays for any host the access file allows, without knowing who the sender is. SASL defines the authentication exchange between client and server, so that only holders of a valid account can send mail through the server.
Environment
[root@mail Server]# rpm -qa |grep sasl
cyrus-sasl-lib-2.1.22-5.el5
cyrus-sasl-2.1.22-5.el5
cyrus-sasl-devel-2.1.22-5.el5
cyrus-sasl-plain-2.1.22-5.el5
Only the PLAIN/LOGIN plugin (cyrus-sasl-plain) is installed, which is why the server later advertises AUTH LOGIN PLAIN and nothing else; cyrus-sasl-md5 would add CRAM-MD5 and DIGEST-MD5.
[root@mail Server]# chkconfig --list |grep sasl
saslauthd
Start the service and enable it at boot. saslauthd is the daemon that checks passwords on behalf of sendmail's SASL library; on Red Hat it uses PAM by default, so the system accounts created earlier are what clients authenticate against:
[root@mail Server]# service saslauthd start
Starting saslauthd:
[root@mail Server]# chkconfig saslauthd on
Edit sendmail.mc. confAUTH_OPTIONS `A y' means: A, add the AUTH= parameter to MAIL FROM when authentication succeeded; y, refuse anonymous login. The confAUTH_MECHANISMS definition next to TRUST_AUTH_MECH has to be uncommented too (not shown on the page). Add p as well (`A p y') so that PLAIN and LOGIN, which carry the password base64-encoded, are offered only once STARTTLS has established a security layer; without it they are advertised on cleartext connections, as the EHLO output further down shows:
[root@mail Server]# vim /etc/mail/sendmail.mc
39 define(`confAUTH_OPTIONS', `A y')dnl
52 TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
Restart the service:
[root@mail Server]# service sendmail restart
Shutting down sm-client:
Shutting down sendmail:
Starting sendmail:
Starting sm-client:
Check. The first telnet gives no port and therefore tries the telnet port 23, which is closed; on port 25 the server now advertises AUTH:
[root@mail Server]# telnet 127.0.0.1
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
telnet: Unable to connect to remote host: Connection refused
[root@mail Server]# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to mail.bj.com (127.0.0.1).
Escape character is '^]'.
220 mail.bj.com ESMTP Sendmail 8.13.8/8.13.8; Fri, 23 Mar 2012 23:24:43 +0800
EHLO 127.0.0.1
250-mail.bj.com Hello mail.bj.com [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP
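The three EHLO transcripts on this page (before any configuration, after STARTTLS, and after SASL) show the server's capability list changing. The following is an added example, not code from the page: it parses EHLO replies of that form, flags what a reviewer looks for (no STARTTLS; PLAIN or LOGIN advertised before a TLS layer exists, which is what the last transcript shows and what p in confAUTH_OPTIONS prevents), and can run the same check live with smtplib. The host name and CA path in the commented usage line are assumptions.

```python
"""Parse and assess SMTP EHLO replies, offline or live.

Added example (not from the original page).  EHLO_BEFORE and
EHLO_AFTER_SASL are transcribed from the page's telnet sessions; assess()
applies the checks a reviewer makes; probe() runs them against a live
server.  The host name and CA path in __main__ are assumptions.
"""
import smtplib
import ssl

EHLO_BEFORE = """\
250-mail.bj.com Hello mail.bj.com [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
"""

EHLO_AFTER_SASL = """\
250-mail.bj.com Hello mail.bj.com [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP
"""

CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_ehlo(reply):
    """Map each advertised EHLO keyword (upper-cased) to its parameter list.

    The first line is the greeting ('250-host Hello ...'), not a keyword.
    """
    caps = {}
    for i, line in enumerate(reply.splitlines()):
        body = line[4:].split()          # strip '250-' / '250 '
        if i == 0 or not body:
            continue
        caps[body[0].upper()] = body[1:]
    return caps


def normalize(features):
    """Accept smtplib's esmtp_features ({'auth': 'LOGIN PLAIN', ...}) too."""
    return {k.upper(): (v.split() if isinstance(v, str) else list(v))
            for k, v in features.items()}


def assess(caps, tls_active):
    """Findings for a capability map; tls_active says whether the reply was
    received after STARTTLS completed."""
    caps = normalize(caps)
    findings = []
    if not tls_active and "STARTTLS" not in caps:
        findings.append("no STARTTLS: mail and any credentials cross the wire in clear")
    if "AUTH" not in caps:
        findings.append("no AUTH: relaying is decided by the access map alone")
    elif not tls_active and CLEARTEXT_MECHS & {m.upper() for m in caps["AUTH"]}:
        findings.append("PLAIN/LOGIN offered before TLS: add 'p' to confAUTH_OPTIONS "
                        "so they are advertised only after STARTTLS")
    return findings


def probe(host, port=25, cafile=None, timeout=10):
    """Live check: EHLO, STARTTLS with certificate verification, EHLO again.

    Returns (findings before TLS, findings after TLS).
    """
    ctx = ssl.create_default_context(cafile=cafile)   # verifies chain and host name
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        before = assess(smtp.esmtp_features, tls_active=False)
        after = []
        if smtp.has_extn("starttls"):
            smtp.starttls(context=ctx)
            smtp.ehlo()                  # capabilities must be re-read after TLS
            after = assess(smtp.esmtp_features, tls_active=True)
    return before, after


if __name__ == "__main__":
    for name, text in (("before", EHLO_BEFORE), ("after SASL", EHLO_AFTER_SASL)):
        print(name, assess(parse_ehlo(text), tls_active=False) or ["ok"])
    # Live, with assumed names: probe("mail.bj.com", cafile="/etc/mail/certs/cacert.pem")
```

The second EHLO after STARTTLS matters: a server configured with p shows AUTH only in that second list, and a client that authenticates on the first list is sending its password in the clear.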
Enforce authentication
Add the M=Ea modifiers to the MTA daemon: E disables ETRN and a requires authentication for every connection. Note the comma before M=, which the page omits; without it the modifier is swallowed into the Name value and has no effect. Applied to the port-25 daemon this also turns away other mail servers delivering inbound mail to bj.com, since MTAs do not authenticate to each other; the usual layout keeps port 25 without M=Ea and enforces authentication on the submission daemon on port 587, for which the stock sendmail.mc already carries a commented-out DAEMON_OPTIONS line (Name=MSA, M=Ea):
[root@mail Server]# vim /etc/mail/sendmail.mc
116 DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA, M=Ea')dnl
Restart the service:
[root@mail Server]# service sendmail restart
Test
From the client, user2 sends a message to root; the resulting log is shown after the manual session below. To drive the AUTH LOGIN exchange by hand, first base64-encode the account name and password (echo -n so that no newline is included). Base64 is an encoding, not encryption: anyone who captures these strings on a cleartext connection recovers the password directly:
[root@mail ~]# echo -n "root" |openssl base64
cm9vdA==
[root@mail ~]# echo -n "redhat" |openssl base64
cmVkaGF0
Authenticate as root and send a message. The 334 UGFzc3dvcmQ6 challenge is simply the base64 of "Password:". The session authenticates as root but then gives user2@bj.com as the sender; sendmail permits that by default, and the authid= field in the log, not the envelope sender, is the identity to rely on:
[root@mail ~]# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to mail.bj.com (127.0.0.1).
Escape character is '^]'.
220 mail.bj.com ESMTP Sendmail 8.13.8/8.13.8; Sat, 24 Mar 2012 00:25:25 +0800
EHLO 127.0.0.1
250-mail.bj.com Hello mail.bj.com [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP
AUTH LOGIN cm9vdA==
334 UGFzc3dvcmQ6
cmVkaGF0
235 2.0.0 OK Authenticated
MAIL FROM:user2@bj.com
250 2.1.0 user2@bj.com... Sender ok
RCPT TO:root@bj.com
250 2.1.5 root@bj.com... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
111111111111111111
.
250 2.0.0 q2NGPPNd003329 Message accepted for delivery
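The manual session above is an AUTH LOGIN exchange. As an added example (not from the page and not sendmail's code), the following Python reproduces both sides of AUTH PLAIN and AUTH LOGIN: what the client sends, what the server replies (using the same reply codes sendmail uses, including the 334 challenge that decodes to "Password:"), a server that refuses both mechanisms on a cleartext connection, which is the effect of p in confAUTH_OPTIONS, and what a passive listener recovers from the same bytes. The account table replaces saslauthd and is constructed.

```python
"""AUTH PLAIN and AUTH LOGIN: client side, server side and sniffer's view.

Added example, not from the page and not sendmail's code.  It mirrors the
manual session above: the client sends base64 tokens, the server answers
with the reply codes sendmail uses, and a constructed account table stands
in for saslauthd.  With require_tls=True the server refuses both mechanisms
on a cleartext connection, the effect of 'p' in confAUTH_OPTIONS (sendmail
simply does not advertise them then).
"""
import base64
import hmac

ACCOUNTS = {"root": "redhat", "user2": "123"}   # constructed, lab only
CLEARTEXT_MECHS = ("PLAIN", "LOGIN")


def b64(text):
    return base64.b64encode(text.encode()).decode()


def unb64(token):
    return base64.b64decode(token).decode()


def plain_initial_response(authcid, passwd, authzid=""):
    """RFC 4616: base64(authzid NUL authcid NUL passwd) for 'AUTH PLAIN <resp>'."""
    return b64(f"{authzid}\0{authcid}\0{passwd}")


def decode_plain(resp):
    """Split a PLAIN response back into (authzid, authcid, passwd)."""
    authzid, authcid, passwd = unb64(resp).split("\0")
    return authzid, authcid, passwd


def login_client_lines(username, passwd):
    """The two client lines of AUTH LOGIN with the username as initial response."""
    return [f"AUTH LOGIN {b64(username)}", b64(passwd)]


def check_password(accounts, user, passwd):
    """Stand-in for saslauthd; constant-time compare avoids a timing oracle."""
    stored = accounts.get(user)
    return stored is not None and hmac.compare_digest(stored, passwd)


class AuthServer:
    """Server side of AUTH PLAIN / AUTH LOGIN; handle() returns one SMTP reply."""

    def __init__(self, accounts, tls_active, require_tls=True):
        self.accounts = accounts
        self.tls_active = tls_active
        self.require_tls = require_tls
        self.state = None        # None | 'plain' | 'login-user' | 'login-pass'
        self.user = None
        self.authed = None       # authid once authentication succeeded

    def handle(self, line):
        if self.state == "login-user":
            self.user, self.state = unb64(line), "login-pass"
            return "334 " + b64("Password:")
        if self.state == "login-pass":
            user, self.state = self.user, None
            return self._finish(user, unb64(line))
        if self.state == "plain":
            self.state = None
            _, user, passwd = decode_plain(line)
            return self._finish(user, passwd)
        parts = line.split()
        if len(parts) < 2 or parts[0].upper() != "AUTH":
            return "500 5.5.1 Command unrecognized"
        mech = parts[1].upper()
        if mech not in CLEARTEXT_MECHS or (self.require_tls and not self.tls_active):
            return "504 5.7.4 Unrecognized authentication type"
        if mech == "LOGIN":
            if len(parts) == 3:                      # username carried inline
                self.user, self.state = unb64(parts[2]), "login-pass"
                return "334 " + b64("Password:")     # 334 UGFzc3dvcmQ6
            self.state = "login-user"
            return "334 " + b64("Username:")
        if len(parts) == 3:                          # PLAIN with initial response
            _, user, passwd = decode_plain(parts[2])
            return self._finish(user, passwd)
        self.state = "plain"
        return "334 "

    def _finish(self, user, passwd):
        if check_password(self.accounts, user, passwd):
            self.authed = user
            return "235 2.0.0 OK Authenticated"
        return "535 5.7.0 authentication failed"


def sniffer_view(client_lines):
    """What a passive listener on a cleartext connection recovers from the
    same bytes: the base64 tokens decode straight back to the secrets."""
    seen = []
    for line in client_lines:
        try:
            seen.append(unb64(line.split()[-1]))
        except (ValueError, UnicodeDecodeError):
            pass                                     # not a base64 token
    return seen


if __name__ == "__main__":
    server = AuthServer(ACCOUNTS, tls_active=True)
    for line in login_client_lines("root", "redhat"):
        print("C:", line)
        print("S:", server.handle(line))
    resp = plain_initial_response("user2", "123")
    print("C: AUTH PLAIN", resp)
    print("S:", AuthServer(ACCOUNTS, tls_active=True).handle("AUTH PLAIN " + resp))
    print("sniffer sees:", sniffer_view(login_client_lines("root", "redhat")))
```

A real client does the same through smtplib: call starttls() first and then login(user, password), which picks PLAIN or LOGIN from the post-TLS EHLO list; calling login() before starttls() sends exactly the tokens sniffer_view decodes.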
The log of the client's own send: STARTTLS first, then AUTH with authid=user2 and mech=LOGIN (bits=0 means the SASL mechanism adds no encryption of its own; confidentiality comes entirely from the TLS layer), then the message (from= and to= truncated on the page):
[root@mail certs]# tail -f /var/log/maillog
Mar 23 23:39:38 mail dovecot: imap-login: Login:
user=
Mar 23 23:40:15 mail sendmail[4768]: STARTTLS=server, relay=[192.168.2.3], version=TLSv1/SSLv3, verify=NO, cipher=RC4-MD5, bits=128/128
Mar 23 23:40:15 mail sendmail[4768]: AUTH=server, relay=[192.168.2.3], authid=user2, mech=LOGIN, bits=0
Mar 23 23:40:15 mail sendmail[4768]: q2NFeFoM004768:
from=
Mar 23 23:40:15 mail sendmail[4772]: q2NFeFoM004768:
to=
Mar 23 23:40:15 mail dovecot: imap-login: Login:
user=
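Both the capture on port 110 earlier on the page (USER and PASS in the clear) and the log lines here show what an audit should pick out of maillog and a capture: AUTH events not preceded by STARTTLS in the same sendmail session (same pid), weak negotiated ciphers such as RC4-MD5, and cleartext POP3 credentials. The following is an added example, not from the page; the sample lines are transcribed from the page with the truncated fields left out, plus one constructed AUTH line (pid 4801) for a session that never negotiated TLS. The weak-cipher pattern is the editor's choice.

```python
"""Audit maillog and tshark lines for cleartext credentials and weak TLS.

Added example, not from the page.  SAMPLE_MAILLOG and SAMPLE_CAPTURE are
transcribed from the page's tail -f and tshark output with the truncated
from=/to= lines omitted; the line for pid 4801 is constructed to exercise
the failure case (AUTH on a session that never ran STARTTLS).  The weak
cipher pattern is the editor's choice, not anything sendmail defines.
"""
import re

SAMPLE_MAILLOG = """\
Mar 23 19:08:08 mail sendmail[4219]: STARTTLS=server, relay=[192.168.2.3], version=TLSv1/SSLv3, verify=NO, cipher=RC4-MD5, bits=128/128
Mar 23 23:40:15 mail sendmail[4768]: STARTTLS=server, relay=[192.168.2.3], version=TLSv1/SSLv3, verify=NO, cipher=RC4-MD5, bits=128/128
Mar 23 23:40:15 mail sendmail[4768]: AUTH=server, relay=[192.168.2.3], authid=user2, mech=LOGIN, bits=0
Mar 23 23:41:02 mail sendmail[4801]: AUTH=server, relay=[192.168.2.9], authid=user1, mech=PLAIN, bits=0
"""

SAMPLE_CAPTURE = """\
130.319027 192.168.2.3 -> 192.168.2.100 POP Request: USER user1
130.319511 192.168.2.3 -> 192.168.2.100 POP Request: PASS 123
345.573477 192.168.2.3 -> 192.168.2.100 TLSv1 Application Data
"""

# sendmail logs one STARTTLS=server and one AUTH=server line per session,
# tagged with the pid of the child that handles that connection.
EVENT_RE = re.compile(r"sendmail\[(?P<pid>\d+)\]: (?P<event>STARTTLS|AUTH)=server, (?P<fields>.*)$")
WEAK_CIPHER = re.compile(r"RC4|MD5|DES|NULL|EXP|ADH")
POP_CRED = re.compile(r"POP Request: (USER|PASS) (\S+)")


def parse_fields(text):
    """'relay=[1.2.3.4], cipher=RC4-MD5, bits=128/128' -> dict."""
    return dict(item.split("=", 1) for item in text.split(", "))


def audit_maillog(text):
    """Group STARTTLS/AUTH events per sendmail pid; return (sessions, findings)."""
    sessions, findings = {}, []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        pid, fields = m["pid"], parse_fields(m["fields"])
        session = sessions.setdefault(pid, {})
        if m["event"] == "STARTTLS":
            session["tls"] = fields
            if WEAK_CIPHER.search(fields.get("cipher", "")):
                findings.append(f"pid {pid}: weak cipher {fields['cipher']} "
                                f"negotiated with {fields['relay']}")
        else:
            session["auth"] = fields
            # LOGIN/PLAIN expose the password unless TLS was set up first
            # (bits=0: the SASL mechanism itself provides no security layer).
            if "tls" not in session and fields.get("mech", "").upper() in ("PLAIN", "LOGIN"):
                findings.append(f"pid {pid}: {fields['mech']} authentication of "
                                f"{fields['authid']} from {fields['relay']} without STARTTLS")
    return sessions, findings


def audit_capture(text):
    """POP3 credentials visible in a capture on port 110: (source, command, value)."""
    exposed = []
    for line in text.splitlines():
        m = POP_CRED.search(line)
        if m:
            exposed.append((line.split()[1], m[1], m[2]))
    return exposed


if __name__ == "__main__":
    _, findings = audit_maillog(SAMPLE_MAILLOG)
    for finding in findings:
        print("maillog:", finding)
    for src, cmd, value in audit_capture(SAMPLE_CAPTURE):
        print(f"capture: {src} sent {cmd} {value} in the clear")
```

Feed it the real /var/log/maillog to confirm that, once p is in confAUTH_OPTIONS and dovecot refuses cleartext logins, both finding lists stay empty apart from the cipher entries, which are fixed by restricting confSERVER_SSL_OPTIONS/cipher lists rather than by anything on the client.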
Packages required for the setup (continuing the list at the start of "Building the mail server"):
sendmail-cf-8.13.8-2.el5.i386.rpm
sendmail-doc-8.13.8-2.el5.i386.rpm
m4-1.4.5-3.el5.1.i386.rpm (installed by default)