Linux sendmail security - 029
Mail security

1. Encryption and authentication

1.1 Services provided by sendmail

Sending: smtps -- plain SMTP transmits everything in cleartext.

[root@mail ~]# grep smtps /etc/services
smtps           465/tcp                         # SMTP over SSL (TLS)
[root@mail ~]# sendmail -d0.1 -bv
Version 8.13.8
 Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX MATCHGECOS MILTER
                MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS
                PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS TCPWRAPPERS USERDB
                USE_LDAP_INIT

============ SYSTEM IDENTITY (after readcf) ============
      (short domain name) $w = mail
  (canonical domain name) $j = mail.bj.com
         (subdomain name) $m = bj.com
              (node name) $k = mail.bj.com
========================================================

Recipient names must be specified
[root@mail ~]#

1.2 Set up the CA -- SSL secure transport; TLS is the standardized form of secure transport

[root@mail ~]# cd /etc/pki
[root@mail pki]# vim tls/openssl.cnf
45 dir             = /etc/pki/CA           # Where everything is kept
87 [ policy_match ]
88 countryName             = optional
89 stateOrProvinceName     = optional
90 organizationName        = optional
[root@mail pki]# cd CA/
[root@mail CA]# mkdir certs newcerts crl
[root@mail CA]# touch index.txt serial
[root@mail CA]# echo "01">serial
[root@mail CA]# openssl genrsa 1024 > private/cakey.pem
Generating RSA private key, 1024 bit long modulus
.......................................
...............
e is 65537 (0x10001)
[root@mail CA]# chmod 600 private/*
[root@mail CA]# openssl req -x509 -new -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HN
Locality Name (eg, city) [Newbury]:ZZ
Organization Name (eg, company) [My Company Ltd]:ZZU
Organizational Unit Name (eg, section) []:sendmail
Common Name (eg, your name or your server's hostname) []:mail.sh.com
Email Address []:
[root@mail CA]# cd /etc/mail
[root@mail mail]# mkdir certs/
[root@mail mail]# cd certs/
[root@mail certs]# openssl genrsa 1024 >sendmail.key
Generating RSA private key, 1024 bit long modulus
...............
.........................................
e is 65537 (0x10001)
[root@mail certs]# openssl req -new -key sendmail.key -out sendmail.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HN
Locality Name (eg, city) [Newbury]:ZZ
Organization Name (eg, company) [My Company Ltd]:ZZU
Organizational Unit Name (eg, section) []:sendmail
Common Name (eg, your name or your server's hostname) []:mail.sh.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

-- Sign the certificate
[root@mail certs]# openssl ca -in sendmail.csr -out sendmail.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep 15 22:00:40 2011 GMT
            Not After : Sep 14 22:00:40 2012 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HN
            organizationName          = ZZU
            organizationalUnitName    = sendmail
            commonName                = mail.sh.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                21:9F:4D:91:74:C6:80:EA:B0:38:F4:F2:8D:68:A7:08:4A:15:7F:92
            X509v3 Authority Key Identifier:
                keyid:CC:F1:AE:5C:1E:96:41:35:AB:3A:E0:69:7C:52:98:D4:35:D9:8F:C2

Certificate is to be certified until Sep 14 22:00:40 2012 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@mail certs]# cp /etc/pki/CA/cacert.pem ./
[root@mail certs]# chmod 600 *

1.3 Edit the configuration file sendmail.mc

[root@mail CA]# vim /etc/mail/sendmail.mc
-- enable authentication
39 define(`confAUTH_OPTIONS', `A y')dnl
-- trusted authentication mechanisms
52 TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
53 define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
-- enable the certificates
60 define(`confCACERT_PATH', `/etc/mail/certs')dnl
61 define(`confCACERT', `/etc/mail/certs/cacert.pem')dnl
62 define(`confSERVER_CERT', `/etc/mail/certs/sendmail.crt')dnl
63 define(`confSERVER_KEY', `/etc/mail/certs/sendmail.key')dnl
118 DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA')dnl
136 DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
[root@mail CA]# service sendmail restart

(Figures 29-1 and 29-2: mail client screenshots, not reproduced here)

The account's domain must match the certificate's domain; otherwise the client will not trust the certificate.

2. SASL (Simple Authentication and Security Layer): a point-to-point mechanism

2.1 Install authentication

The service is saslauthd; it is not enabled by default. Check whether authentication is enabled.
-- reduces spam attacks

[root@mail ~]# yum list all |grep sasl
This system is not registered with RHN.
RHN support will be disabled.
cyrus-sasl.i386              2.1.22-4         installed
cyrus-sasl-devel.i386        2.1.22-4         installed
cyrus-sasl-lib.i386          2.1.22-4         installed
cyrus-sasl-plain.i386        2.1.22-4         installed
[root@mail ~]# chkconfig saslauthd on
[root@mail ~]# chkconfig --list |grep sasl
saslauthd       0:off   1:off   2:on    3:on    4:on    5:on    6:off
[root@mail certs]# service saslauthd start
#vim /etc/mail/sendmail.mc
-- require authentication on the MTA
118 DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA,M=Ea')dnl

2.2 Describe the authentication method

[root@mail lib]# cd /usr/lib/sasl2
[root@mail sasl2]# vim Sendmail.conf
pwcheck_method:saslauthd
mech_list:login plain        -- optional; lists the authentication mechanisms offered
[root@mail sasl2]# service sendmail restart

2.3 Generate the encoded form of the user credentials
-- base64-encode them; -n suppresses the trailing newline so it is not encoded as well
[root@mail certs]# echo -n "user5@sh.com"|openssl base64
dXNlcjVAc2guY29t
[root@mail certs]# echo -n "123"|openssl base64
MTIz

2.4 Test authentication

[root@mail sasl2]# telnet mail.sh.com 25
Trying 192.168.101.71...
Connected to mail.sh.com (192.168.101.71).
Escape character is '^]'.
220 mail.sh.com ESMTP Sendmail 8.13.8/8.13.8; Fri, 16 Sep 2011 06:39:13 +0800
helo mail.sh.com
250 mail.sh.com Hello mail.sh.com [192.168.101.71], pleased to meet you
ehlo mail.sh.com
250-mail.sh.com Hello mail.sh.com [192.168.101.71], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH LOGIN PLAIN        -- not advertised before SASL was enabled; authentication stops unauthorized or nonexistent users from sending mail
250-STARTTLS
250-DELIVERBY
250 HELP
auth login dXNlcjVAc2guY29t
334 UGFzc3dvcmQ6
MTIz
235 2.0.0 OK Authenticated
mail from:user5@mail.sh.com
250 2.1.0 user5@mail.sh.com... Sender ok
rcpt to :user6@mail.sh.com
250 2.1.5 user6@mail.sh.com... Recipient ok
data
354 Enter mail, end with "." on a line by itself
subject hh
hello user6.
.
250 2.0.0 p8FMdDZN008247 Message accepted for delivery
quit
221 2.0.0 mail.sh.com closing connection
Connection closed by foreign host.

2.5 Verify that the recipient receives the message

[root@mail sasl2]# su - user6
[user6@mail ~]$ mail
Mail version 8.1 6/6/93.  Type ? for help.
"/var/spool/mail/user6": 2 messages 1 new
    1 MAILER-DAEMON@mail.s  Thu Sep 15 19:09  13/542   "DON'T DELETE THIS MES"
>N  2 user5@mail.sh.com     Fri Sep 16 06:46  13/423
& 2
Message 2:
From user5@mail.sh.com  Fri Sep 16 06:46:21 2011
Date: Fri, 16 Sep 2011 06:45:54 +0800
From: user5@mail.sh.com

subject hh
hello user6.

&

3. Packet capture tool

[root@mail ~]# yum list all |grep shark
This system is not registered with RHN.
RHN support will be disabled.
wireshark.i386               1.0.3-4.el5_2    rehl-server
wireshark-gnome.i386         1.0.3-4.el5_2    rehl-server
[root@mail ~]# yum install wireshark

4. Implement IMAPS and POP3S for mail retrieval

4.1 Generate the certificate files for dovecot

[root@mail sasl2]# cd /usr/lib/sasl2
[root@mail sasl2]# mkdir -pv /etc/dovecot/certs
mkdir: created directory `/etc/dovecot'
mkdir: created directory `/etc/dovecot/certs'
[root@mail sasl2]# cd /etc/dovecot/certs/
-- generate the private key
[root@mail certs]# openssl genrsa 1024 >dovecot.key
Generating RSA private key, 1024 bit long modulus
...................................
...............................
e is 65537 (0x10001)
-- produce the certificate signing request
[root@mail certs]# openssl req -new -key dovecot.key -out dovecot.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HN
Locality Name (eg, city) [Newbury]:ZZ
Organization Name (eg, company) [My Company Ltd]:ZZU
Organizational Unit Name (eg, section) []:sendmail
Common Name (eg, your name or your server's hostname) []:imap.sh.com    -- the domain must match the one the accounts use to send and receive
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

4.2 Issue the certificate

[root@mail certs]# openssl ca -in dovecot.csr -out dovecot.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Sep 15 23:01:08 2011 GMT
            Not After : Sep 14 23:01:08 2012 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HN
            organizationName          = ZZU
            organizationalUnitName    = sendmail
            commonName                = mail.sh.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                BB:2C:B9:99:11:D1:E5:85:53:7F:8E:FE:E4:FC:C2:35:95:2E:08:87
            X509v3 Authority Key Identifier:
                keyid:CC:F1:AE:5C:1E:96:41:35:AB:3A:E0:69:7C:52:98:D4:35:D9:8F:C2

Certificate is to be certified until Sep 14 23:01:08 2012 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

4.3 Edit the dovecot configuration file

[root@mail certs]# vim /etc/dovecot.conf
protocols = imap imaps pop3 pop3s
-- the server certificate files used by the retrieval services
92 ssl_cert_file = /etc/dovecot/certs/dovecot.crt
93 ssl_key_file = /etc/dovecot/certs/dovecot.key
[root@mail certs]# chmod 600 *
[root@mail certs]# service dovecot restart
[root@mail certs]# netstat -tulpn |grep dov

4.4 Add the imap DNS record

[root@mail ~]# vim /var/named/chroot/var/named/sh.com.db
$TTL 86400
@       IN SOA  ns.sh.com. root.126.com (
                        44              ; serial (d. adams)
                        3H              ; refresh
                        15M             ; retry
                        1W              ; expiry
                        1D )            ; minimum
@       IN NS           ns.sh.com.
ns      IN A            192.168.101.71
mail    IN A            192.168.101.71
pop3    IN CNAME        mail
smtp    IN CNAME        mail
imap    IN CNAME        mail
@       IN MX 10        mail
[root@mail ~]# rndc reload
server reload successful
[root@mail ~]# dig imap.sh.com

4.5 Start packet capture
-- cleartext capture result (POP3 on port 110)
[root@mail certs]# tshark -ni eth0 -R "tcp.srcport eq 110 or tcp.dstport eq 110"
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
302.590811 192.168.101.213 -> 192.168.101.71 TCP 1101 > 110 [SYN] Seq=0 Win=65535 Len=0 MSS=1460
302.590888 192.168.101.71 -> 192.168.101.213 TCP 110 > 1101 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
302.591092 192.168.101.213 -> 192.168.101.71 TCP 1101 > 110 [ACK] Seq=1 Ack=1 Win=65535 Len=0
302.591257 192.168.101.71 -> 192.168.101.213 POP Response: OK Dovecot ready.
302.591718 192.168.101.213 -> 192.168.101.71 POP Request: USER user6
302.591753 192.168.101.71 -> 192.168.101.213 TCP 110 > 1101 [ACK] Seq=21 Ack=13 Win=5840 Len=0
302.591877 192.168.101.71 -> 192.168.101.213 POP Response: OK
302.592048 192.168.101.213 -> 192.168.101.71 POP Request: PASS 123
302.600894 192.168.101.71 -> 192.168.101.213 POP Response: OK Logged in.
302.601742 192.168.101.213 -> 192.168.101.71 POP Request: STAT
302.642575 192.168.101.71 -> 192.168.101.213 TCP 110 > 1101 [ACK] Seq=42 Ack=29 Win=5840 Len=0
302.648145 192.168.101.71 -> 192.168.101.213 POP Response: OK 0 0
302.648920 192.168.101.213 -> 192.168.101.71 POP Request: QUIT
302.648973 192.168.101.71 -> 192.168.101.213 TCP 110 > 1101 [ACK] Seq=51 Ack=35 Win=5840 Len=0
302.649177 192.168.101.71 -> 192.168.101.213 POP Response: OK Logging out.

-- capture result after configuring IMAPS
The server authentication setting in the client can be any of the listed methods; the login method prompts the user for username and password the first time the account is used.

(Figures 29-3 and 29-4: mail client screenshots, not reproduced here)

[root@mail ~]# tshark -ni eth0 -R "tcp.srcport eq 993 or tcp.dstport eq 993"
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
4.471940 192.168.101.213 -> 192.168.101.71 TLSv1 Application Data
4.471943 192.168.101.213 -> 192.168.101.71 TCP 1147 > 993 [FIN, ACK] Seq=41 Ack=1 Win=64377 Len=0
4.473771 192.168.101.71 -> 192.168.101.213 TCP 993 > 1147 [FIN, ACK] Seq=1 Ack=42 Win=6432 Len=0
4.480719 192.168.101.213 -> 192.168.101.71 TCP 1147 > 993 [ACK] Seq=42 Ack=2 Win=64377 Len=0
48.113729 192.168.101.213 -> 192.168.101.71 TCP 1149 > 993 [SYN] Seq=0 Win=65535 Len=0 MSS=1460
48.113810 192.168.101.71 -> 192.168.101.213 TCP 993 > 1149 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
48.113889 192.168.101.213 -> 192.168.101.71 TCP 1149 > 993 [ACK] Seq=1 Ack=1 Win=65535 Len=0
48.114100 192.168.101.213 -> 192.168.101.71 SSL Client Hello
48.114119 192.168.101.71 -> 192.168.101.213 TCP 993 > 1149 [ACK] Seq=1 Ack=103 Win=5840 Len=0
48.116103 192.168.101.71 -> 192.168.101.213 TLSv1 Server Hello, Certificate, Server Hello Done
48.116845 192.168.101.213 -> 192.168.101.71 TLSv1 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
48.118198 192.168.101.71 -> 192.168.101.213 TLSv1 Change Cipher Spec, Encrypted Handshake Message
48.319185 192.168.101.71 -> 192.168.101.213 TLSv1 [TCP Retransmission] Change Cipher Spec, Encrypted Handshake Message
48.319447 192.168.101.213 -> 192.168.101.71 TCP 1149 > 993 [ACK] Seq=285 Ack=823 Win=64713 Len=0
48.319469 192.168.101.71 -> 192.168.101.213 TLSv1 Application Data
48.320517 192.168.101.213 -> 192.168.101.71 TLSv1 Application Data
48.320690 192.168.101.71 -> 192.168.101.213 TLSv1 Application Data
48.321276 192.168.101.213 -> 192.168.101.71 TLSv1 Application Data
48.329138 192.168.101.71 -> 192.168.101.213 TLSv1 Application Data
48.330432 192.168.101.213 -> 192.168.101.71 TLSv1 Application Data
48.330753 192.168.101.71 -> 192.168.101.213 TLSv1 Application Data
48.331100 192.168.101.213 -> 192.168.101.71 TLSv1 Application Data
48.331247 192.168.101.71 -> 192.168.101.213 TLSv1 Application Data
48.331472 192.168.101.213 -> 192.168.101.71 TLSv1 Application Data
48.332986 192.168.101.71 -> 192.168.101.213 TLSv1 Application Data
48.333306 192.168.101.213 -> 192.168.101.71 TLSv1 Application Data