Linux下电子邮件的安全传输及验证！

一、不安全测试：1. 安装抓包工具[root@mail ~]# mount /dev/cdrom /mnt/cdrommount: block device /dev/cdrom is write-protected, mounting read-only[root@mail ~]# cd /mnt/cdrom/Server[root@mail S...

weixin_34289454

3515人浏览 · 2012-09-13 18:30:15

weixin_34289454 · 2012-09-13 18:30:15 发布

一、不安全测试：

1. 安装抓包工具

[root@mail ~]# mount /dev/cdrom /mnt/cdrom
mount: block device /dev/cdrom is write-protected, mounting read-only
[root@mail ~]# cd /mnt/cdrom/Server
[root@mail Server]# ll |grep shark
-r--r--r-- 220 root root 11130359 Jun 11 2009 wireshark-1.0.8-1.el5_3.1.i386.rpm
-r--r--r-- 220 root root 686650 Jun 11 2009 wireshark-gnome-1.0.8-1.el5_3.1.i386.rpm
[root@mail Server]# rpm -ivh wireshark-1.0.8-1.el5_3.1.i386.rpm
warning: wireshark-1.0.8-1.el5_3.1.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
error: Failed dependencies:
libsmi.so.2 is needed by wireshark-1.0.8-1.el5_3.1.i386
[root@mail Server]# ll |grep smi
-r--r--r-- 327 root root 2540456 Jan 18 2008 libsmi-0.4.5-2.el5.i386.rpm
-r--r--r-- 327 root root 21212 Jan 18 2008 libsmi-devel-0.4.5-2.el5.i386.rpm
-r--r--r-- 264 root root 62425 Apr 20 2009 psmisc-22.2-7.i386.rpm

[root@mail Server]# rpm -ql wireshark |less 查看安装路径

2.启动服务

[root@mail ~]# service named start
[root@mail ~]# service dovecot start
[root@mail ~]# service sendmail start

3.启动抓包工具
[root@mail Server]# tshark -ni eth0 -R "tcp.dstport eq 110"

用outlook客户端发送与接收！

抓到的内容：

用户名，密码都能看到，这样非常不安全！

二、安全传输：

smtps 465端口，starttls（传输层安全） 25端口

1.数字证书的配置文件：

[root@mail Server]# vim /etc/pki/tls/openssl.cnf

2.生成相应的文件：

[root@mail Server]# cd /etc/pki/CA
[root@mail CA]# mkdir crl certs newcerts
[root@mail CA]# touch index.txt serial
[root@mail CA]# echo "01" >serial
[root@mail CA]# openssl genrsa 1024 > private/cakey.pem
Generating RSA private key, 1024 bit long modulus
....++++++
...................................++++++
e is 65537 (0x10001)
[root@mail CA]# ll private
total 4
-rw-r--r-- 1 root root 887 Aug 5 07:16 cakey.pem
[root@mail CA]# chmod 600 private/*
[root@mail CA]# ll private
total 4
-rw------- 1 root root 887 Aug 5 07:16 cakey.pem

[root@mail CA]# openssl req -new -key private/cakey.pem -x509 -days 3650 -out cacert.pem

Country Name (2 letter code) [GB]: 出现这个！

3.CA的认证机构：

[root@mail CA]# vim /etc/pki/tls/openssl.cnf

:88,90s/match/optional

[root@mail CA]# openssl req -new -key private/cakey.pem -x509 -days 3650 -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [He Nan]:
Locality Name (eg, city) [Zheng zhou]:
Organization Name (eg, company) [My Company Ltd]:tec center
Organizational Unit Name (eg, section) []:diver agent
Common Name (eg, your name or your server's hostname) []:mail.com

4.为发送服务器申请一个证：

[root@mail CA]# mkdir -pv /etc/mail/certs
mkdir: created directory `/etc/mail/certs'
[root@mail CA]# cd /etc/mail/certs/
[root@mail certs]# openssl genrsa 1024 >sendmail.key 钥匙
Generating RSA private key, 1024 bit long modulus
............++++++
............................++++++
e is 65537 (0x10001)
[root@mail certs]# openssl req -new -key sendmail.key -out sendmail.csr 请求文件
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [He Nan]:
Locality Name (eg, city) [Zheng zhou]:
Organization Name (eg, company) [My Company Ltd]:163
Organizational Unit Name (eg, section) []:tecnology
Common Name (eg, your name or your server's hostname) []:mail.163.com

[root@mail certs]# openssl ca -in sendmail.csr -out sendmail.cert //证书
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Aug 4 23:46:58 2012 GMT
Not After : Aug 4 23:46:58 2013 GMT
Subject:
countryName = CN
stateOrProvinceName = He Nan
organizationName = 163
organizationalUnitName = tecnology
commonName = mail.163.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
93:33:1C:69:DC:7E:20:B9:C4:F7:37:D5:F8:15:3F:48:A2:C4:36:C4
X509v3 Authority Key Identifier:
keyid:FE:69:9D:8E:DE:9A:A4:AA:6D:F5:A6:EF:17:DD:AA:CD:D0:59:7E:1E

Certificate is to be certified until Aug 4 23:46:58 2013 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

已经产生证书，此时，请求文件可以删除了！

5.修改sendmail的配置文件（关于证书）

[root@mail certs]# vim /etc/mail/sendmail.mc

启用smtp

6.申请的证书及申请证书所需的文件存在的路径

[root@mail ~]# cd /etc/mail/certs
[root@mail certs]# chmod 600 *
[root@mail certs]# ll
total 12
-rw------- 1 root root 3102 Aug 5 07:47 sendmail.cert 证书
-rw------- 1 root root 655 Aug 5 07:37 sendmail.csr 请求文件
-rw------- 1 root root 887 Aug 5 07:35 sendmail.key 私钥

[root@mail certs]# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.163.com ESMTP Sendmail 8.13.8/8.13.8; Sun, 5 Aug 2012 08:19:21 +0800
helo 127.0.0.1
250 mail.163.com Hello localhost.localdomain [127.0.0.1], pleased to meet you
ehlo 127.0.0.1
250-mail.163.com Hello localhost.localdomain [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS //说明已可以用ssl加密达到安全传输！
250-DELIVERBY
250 HELP

7.测试：

[root@mail ~]# tail -f /var/log/maillog //日志信息

Aug 5 09:15:25 mail sendmail[4974]: STARTTLS=server, relay=[192.168.10.1], version=TLSv1/SSLv3, verify=NO, cipher=RC4-MD5, bits=128/128

[root@mail ~]# tshark -ni eth0 -R "tcp.dstport eq 25 or tcp.srcport eq 25 "

29.378844 192.168.10.99 -> 192.168.10.1 SMTP S: 250-mail.163.com Hello [192.168.10.1], pleased to meet you | 250-ENHANCEDSTATUSCODES | 250-PIPELINING | 250-8BITMIME | 250-SIZE | 250-DSN | 250-ETRN | 250-STARTTLS | 250-DELIVERBY | 250 HELP
29.379199 192.168.10.1 -> 192.168.10.99 SMTP C: STARTTLS
29.394166 192.168.10.99 -> 192.168.10.1 SMTP S: 220 2.0.0 Ready to start TLS
29.529926 192.168.10.1 -> 192.168.10.99 SMTP C: \200O\001\003\001\0006\000\000\000\

发送信息已经可以加密！

smtps 只能点对点的！

8.接收端加密:

pop2/pop3-------pop3s

imap4------------imaps

dovecot

配置：

[root@mail ~]# mkdir -pv /etc/dovecot/certs
mkdir: created directory `/etc/dovecot'
mkdir: created directory `/etc/dovecot/certs'
[root@mail ~]# cd /etc/dovecot/certs/
[root@mail certs]# openssl genrsa 1024 >dovecot.key
Generating RSA private key, 1024 bit long modulus
............................................++++++
.......++++++
e is 65537 (0x10001)
[root@mail certs]# openssl req -new -key dovecot.key -out dovecot.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [He Nan]:
Locality Name (eg, city) [Zheng zhou]:
Organization Name (eg, company) [My Company Ltd]:163
Organizational Unit Name (eg, section) []:teconology
Common Name (eg, your name or your server's hostname) []:pop3.163.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[root@mail certs]# openssl req -new -key dovecot.key -out dovecot.csr

Subject:
countryName = CN
stateOrProvinceName = He Nan
organizationName = 163
organizationalUnitName = teconology
commonName = pop3.163.com

[root@mail certs]# vim /etc/dovecot.conf

[root@mail certs]# service dovecot restart
Stopping Dovecot Imap: [ OK ]
Starting Dovecot Imap: [ OK ]

三、用户身份验证：需借助于sasl

sasl只是协议

解决：避免未知名用户向某个邮件服务器不断发送垃圾邮件！

1.查询sasl （默认已安装）

[root@mail certs]# cd /mnt/cdrom/Server
[root@mail Server]# ll |grep sasl
-r--r--r-- 103 root root 1251623 Jul 29 2009 cyrus-sasl-2.1.22-5.el5.i386.rpm
-r--r--r-- 99 root root 1418364 Jul 29 2009 cyrus-sasl-devel-2.1.22-5.el5.i386.rpm
-r--r--r-- 103 root root 28967 Jul 29 2009 cyrus-sasl-gssapi-2.1.22-5.el5.i386.rpm
-r--r--r-- 103 root root 24390 Jul 29 2009 cyrus-sasl-ldap-2.1.22-5.el5.i386.rpm
-r--r--r-- 103 root root 129180 Jul 29 2009 cyrus-sasl-lib-2.1.22-5.el5.i386.rpm
-r--r--r-- 103 root root 46415 Jul 29 2009 cyrus-sasl-md5-2.1.22-5.el5.i386.rpm
-r--r--r-- 103 root root 32054 Jul 29 2009 cyrus-sasl-ntlm-2.1.22-5.el5.i386.rpm
-r--r--r-- 103 root root 27027 Jul 29 2009 cyrus-sasl-plain-2.1.22-5.el5.i386.rpm
-r--r--r-- 103 root root 27330 Jul 29 2009 cyrus-sasl-sql-2.1.22-5.el5.i386.rpm
-r--r--r-- 278 root root 39119 Jan 19 2007 gnu-crypto-sasl-jdk1.4-2.1.0-2jpp.1.i386.rpm
[root@mail Server]# rpm -qa |grep sasl //查询已安装的软件
cyrus-sasl-lib-2.1.22-5.el5
cyrus-sasl-plain-2.1.22-5.el5
cyrus-sasl-devel-2.1.22-5.el5
cyrus-sasl-2.1.22-5.el5

2.检测该服务是否被chkconfig加载
[root@mail Server]# chkconfig --list |grep sasl // 查看chkconfig不能检测此服务
saslauthd 0:off 1:off 2:off 3:off 4:off 5:off 6:off

[root@mail ~]# chkconfig --add saslauthd //添加该服务
[root@mail ~]# chkconfig --level 2345 saslauthd on //设置2345级别启动
[root@mail ~]# chkconfig --list |grep sasl
saslauthd 0:off 1:off 2:on 3:on 4:on 5:on 6:off

3.配置sendmail的验证功能：

[root@mail ~]# vim /etc/mail/sendmail.mc

4.测试：

4.1 不验证无法发送邮件

[root@mail ~]# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.163.com ESMTP Sendmail 8.13.8/8.13.8; Mon, 6 Aug 2012 12:54:12 +0800
ehlo 127.0.0.1
250-mail.163.com Hello localhost.localdomain [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP

4.2 密码必须转换为base64编码

[root@mail ~]# clear
[root@mail ~]# echo -n "user1@163.com" |openssl base64

dXNlcjFAMTYzLmNvbQ==
[root@mail ~]# echo -n "123" |openssl base64
MTIz

4.3 用认证登录测试：

[root@mail ~]# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.163.com ESMTP Sendmail 8.13.8/8.13.8; Mon, 6 Aug 2012 13:51:03 +0800
auth logindXNlcjFAMTYzLmNvbQ== //用户名
334 UGFzc3dvcmQ6
MTIz 密码
235 2.0.0 OK Authenticated
mail from :user1@163.com
250 2.1.0 user1@163.com... Sender ok
rcpt to :user4@sina.com
250 2.1.5 user4@si...Recipient ok (will queue)
250 2.1.5 user4@sina.com... Recipient ok
data
354 Enter mail, end with "." on a line by itself
subject haah
ha come on !
.
250 2.0.0 q765p3oK004322 Message accepted for delivery
quit
221 2.0.0 mail.163.com closing connection
Connection closed by foreign host.

5.用outlook发送邮件测试：

发送不出去，下面设置服务器身份验证就可以发送了！

发送成功接收也成功！

转载于:https://blog.51cto.com/guojiping/989969

Linux

更多推荐

Linux虚拟文件系统之文件系统卸载（sys_umount())

Linux中卸载文件系统由umount系统调用实现，入口函数为sys_umount()。较于文件系统的安装较为简单，下面是具体的实现。1. /*sys_umont系统调用*/2. SYSCALL_DEFINE2(umount, char __user *, name, int, flags)3. {4.struct path path;

Linux

网卡速率和双工模式的配置

http://linux.chinaitlab.com/system/792187.html1、mii-tool 配置网络设备协商方式的工具； 1.1 mii-tool 介绍； mii-tool - view, manipulate media-independent interface status （mii-tool 是查看，管理介质的网络接口的状态）

Linux

Linux系统下超级终端Minicom的使用方法（例如：连接交换机，路由器等）转http://baike.baidu.com/view/2911642.htm?fr=ala0_1

Linux系统下超级终端Minicom的使用方法 　　Linux下的Minicom的功能与下的超级终端功能相似，适于在通过超级终端对设备的管理以及对嵌入操作系统的升级，现写出Minicom的使用手册： 　　1．启动minicom 　　以root权限登录系统 　　使用命令 　　minicom –s 则minicom启动，屏