Encryption and Authentication for a Sendmail Mail Server on Linux
Overview of the encryption and authentication principles:
Introduction to SASL:
The Cyrus Simple Authentication and Security Layer, Cyrus-SASL for short, mainly provides an authentication library that applications can use. The best-known such application is the Sendmail mail server. An application calls the functions that SASL provides and specifies the authentication method; SASL then talks to the host on the application's behalf to carry out the authentication. As an example, if my sendmail already offers SMTP authentication, then when a user enters the authentication phase:
1. First, sendmail loads the SASL library.
2. Second, because SASL supports a great many authentication mechanisms, sendmail must specify which one SASL should use. Usually we authenticate directly against the accounts and passwords in /etc/shadow. The SASL authentication method for sendmail is set by default in /usr/lib/sasl/Sendmail.conf or /usr/lib/sasl2/Sendmail.conf (depending on the Cyrus SASL version).
3. SASL reads the account and password according to the configured method, compares them, and reports back to sendmail whether the comparison succeeded.
That is the basic flow. Beyond Sendmail's authentication mode, SASL offers many other features. Because SASL is essentially a library, and that library can additionally provide its own "password authentication file", any application that supports SASL can use this authentication facility and share one common set of credentials.
SH mail server configuration
Clone the BJ server's image to create the SH server, then configure it.
Configure the SH server's address:
[root@mail ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0   (add the following content)
BOOTPROTO=none
BROADCAST=192.168.101.255
HWADDR=00:0c:29:c2:f1:73
IPADDR=192.168.101.252
NETMASK=255.255.255.0
NETWORK=192.168.101.0
ONBOOT=yes
GATEWAY=192.168.101.100
Delete the original BJ users, then create new ones:
[root@mail ~]# userdel -r user1
[root@mail ~]# userdel -r user2
[root@mail ~]# useradd user3
[root@mail ~]# useradd user4
[root@mail ~]# echo "123" |passwd --stdin user3
[root@mail ~]# echo "123" |passwd --stdin user4
Edit the local host names file:
[root@mail mail]# vim local-host-names   (make the following change)
sh.com
Edit sendmail's relay control file, access:
[root@mail mail]# vim access
192.168.101 RELAY
sh.com OK
bj.com RELAY
[root@mail mail]# service sendmail restart   (restart the sendmail service)
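To see why the partial entry 192.168.101 covers every host in that subnet, here is the access-map lookup order as an added example (not code from the page or from sendmail itself): an IPv4 client is tried whole and then with trailing octets removed, a host name whole and then with leading labels removed, and the first key found wins. The map is a constructed copy of the three entries written above.

```python
# Added example (not from the page or from sendmail): how sendmail consults
# the access database for one connecting client, using the entries above.

# Constructed copy of the three entries written to /etc/mail/access above.
ACCESS = {
    "192.168.101": "RELAY",   # any client in 192.168.101.0/24 may relay
    "sh.com": "OK",           # accept mail from sh.com hosts (local domain)
    "bj.com": "RELAY",        # hosts in the BJ domain may relay through us
}


def candidate_keys(client: str) -> list:
    """Keys in the order sendmail consults them for one client."""
    parts = client.split(".")
    if all(p.isdigit() for p in parts):                       # IPv4 address
        return [".".join(parts[:n]) for n in range(len(parts), 0, -1)]
    return [".".join(parts[i:]) for i in range(len(parts))]   # host name


def lookup(client: str, access: dict = ACCESS) -> str:
    """Return the access action for a client, or 'default' if no key matches
    (sendmail then falls back to its built-in relaying rules)."""
    for key in candidate_keys(client):
        if key in access:
            return access[key]
    return "default"
```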
Setting up the SH DNS server
Edit the zone definition:
[root@mail mail]# cd /var/named/chroot/etc/
[root@mail etc]# vim named.rfc1912.zones   (change bj to sh)
zone "sh.com" IN {
        type master;
        file "sh.com.db";
        allow-update { none; };
};
Create the zone database:
[root@mail etc]# cd /var/named/   (switch to this directory)
Rename bj.com.db to sh.com.db:
[root@mail named]# mv bj.com.db sh.com.db
[root@mail named]# vim sh.com.db
$TTL 86400
@ IN SOA ns.sh.com. root (
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
@ IN NS ns.sh.com.
ns IN A 192.168.101.252
mail IN A 192.168.101.252
pop3 IN CNAME mail
smtp IN CNAME mail
@ IN MX 10 mail
Edit the nameserver file:
[root@mail named]# vim /etc/resolv.conf
nameserver 192.168.101.252   (change the address to 192.168.101.252)
Set the host name:
[root@mail named]# vim /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=mail.sh.com   (change this line to mail.sh.com)
Edit the hosts file:
[root@mail named]# vim /etc/hosts   (make the following change)
127.0.0.1 mail.sh.com
Then reboot with init 6.
[root@mail named]# service named restart   (restart the service)
Sendmail TLS configuration:
Show sendmail's version and compiled-in options:
[root@server ~]# sendmail -d0.1 -bv
Start creating the RSA keys:
[root@server ~]# cd /etc/pki/
[root@server pki]# vim tls/openssl.cnf
45 dir = /etc/pki/CA # Where everything is kept
88 countryName = optional
89 stateOrProvinceName = optional
90 organizationName = optional   (use :88,90s/match/optional to change match to optional on lines 88 to 90)
Create the directories and files that will be needed:
[root@server pki]# cd CA/
[root@server CA]# mkdir crl certs newcerts
[root@server CA]# touch index.txt serial
[root@server CA]# vim serial   (just put 01 in it)
01
[root@server CA]# openssl genrsa 1024 >private/cakey.pem   (generate the CA private key)
[root@server CA]# chmod 600 private/*   (restrict permissions on the files there so that nobody else can modify them)
[root@server CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650   (generate the CA certificate)
-----
Country Name (2 letter code) [GB]:CN
string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:BJJING
string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:HENAN
string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:SH
State or Province Name (full name) [Berkshire]:AAA
Locality Name (eg, city) [Newbury]:BBB
Organization Name (eg, company) [My Company Ltd]:LJIO
Organizational Unit Name (eg, section) []:III
Common Name (eg, your name or your server's hostname) []:rootca.net
Generate the sendmail key:
[root@server CA]# mkdir /etc/mail/certs
[root@server CA]# cd /etc/mail/certs/
[root@server certs]# openssl genrsa 1024 > sendmail.key
Generate the certificate signing request:
[root@server certs]# openssl req -new -key sendmail.key -out sendmail.csr
Country Name (2 letter code) [GB]:LLL
string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:BB
State or Province Name (full name) [Berkshire]:CC
Locality Name (eg, city) [Newbury]:AA
Organization Name (eg, company) [My Company Ltd]:DEW
Organizational Unit Name (eg, section) []:WWQ
Common Name (eg, your name or your server's hostname) []:mail.bj.com   (the host name)
The CA issues the certificate:
[root@server certs]# openssl ca -in sendmail.csr -out sendmail.cert
Certificate is to be certified until Mar 17 19:03:26 2013 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
[root@server certs]# cp /etc/pki/CA/cacert.pem .   (copy cacert.pem into the current directory)
Edit the sendmail configuration file:
[root@server certs]# cd /etc/mail
[root@server mail]# vim sendmail.mc   (lines 60-63 and 134)
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/cacert.pem')dnl
define(`confSERVER_CERT', `/etc/mail/certs/sendmail.cert')dnl
define(`confSERVER_KEY', `/etc/mail/certs/sendmail.key')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
[root@server mail]# service sendmail restart
[root@server mail]# cd certs/
[root@server certs]# chmod 600 *
Test with telnet:
[root@mail certs]# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to mail.sh.com (127.0.0.1).
Escape character is '^]'.
220 mail.sh.com ESMTP Sendmail 8.13.8/8.13.8; Tue, 21 Feb 2012 11:30:24 +0800
EHLO 127.0.0.1
250-mail.sh.com Hello mail.sh.com [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS   (this shows that TLS is correctly enabled)
250-DELIVERBY
250 HELP
Test sending mail from user3 to user4:
Configure the user3 account in the mail client:
The client is set to require an SSL connection when sending.
A message with the subject abc is sent to user4 successfully, and user4 has received it:
TLS configuration for the Dovecot receiving mail server:
Create the nested directory with the -p option:
[root@mail certs]# mkdir -pv /etc/dovecot/certs
Generate the private key for the receiving server:
[root@mail certs]# cd /etc/dovecot/certs/
[root@mail certs]# openssl genrsa 1024 >dovecot.key
Generate the certificate signing request:
[root@mail certs]# openssl req -new -key dovecot.key -out dovecot.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:ABC
Locality Name (eg, city) [Newbury]:BAC
Organization Name (eg, company) [My Company Ltd]:BAC
Organizational Unit Name (eg, section) []:CBA
Common Name (eg, your name or your server's hostname) []:mail.sh.com
Issue the certificate:
[root@mail certs]# openssl ca -in dovecot.csr -out dovecot.cert
[root@mail certs]# chmod 600 *
Edit the dovecot configuration file:
[root@mail certs]# vim /etc/dovecot.conf   (make the following changes, at lines 94-95 and 20-21)
ssl_cert_file = /etc/dovecot/certs/dovecot.cert
ssl_key_file = /etc/dovecot/certs/dovecot.key
#protocols = imap imaps pop3 pop3s
protocols = imap pop3 imaps
[root@mail certs]# service dovecot restart
Send mail from user3 to user4:
Configure user3:
Sending and receiving now both use SSL encryption.
user3 sends user4 a message with the following subject:
Enabling authentication: with SASL, both parties to the protocol need an identity.
Check which SASL packages are installed:
[root@mail ~]# rpm -qa |grep sasl
cyrus-sasl-plain-2.1.22-5.el5_4.3
cyrus-sasl-lib-2.1.22-5.el5_4.3
cyrus-sasl-2.1.22-5.el5_4.3
cyrus-sasl-devel-2.1.22-5.el5_4.3
Set saslauthd to start at boot, and start the service:
[root@mail ~]# chkconfig saslauthd on
[root@mail ~]# service saslauthd start
[root@mail ~]# vim /usr/lib/sasl2/Sendmail.conf   (this file sets the authentication method that will be used)
Edit the sendmail configuration file:
[root@mail ~]# cd /etc/mail
[root@mail mail]# vim sendmail.mc   (enable the following two lines, 52-53, by removing the leading dnl)
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_OPTIONS', `A y')dnl   (line 39: add y to this line)
[root@mail mail]# service sendmail restart   (restart the sendmail service)
Enforce authentication:
[root@mail mail]# vim sendmail.mc   (line 116)
DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA ,M=Ea')dnl
[root@mail mail]# service sendmail restart   (restart the sendmail service)
Test with the root user; first base64-encode the credentials:
[root@mail mail]# echo -n "root" |openssl base64
cm9vdA==   (used in the test below)
[root@mail mail]# echo -n "redhat" |openssl base64
cmVkaGF0
[root@mail ~]# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to mail.sh.com (127.0.0.1).
Escape character is '^]'.
220 mail.sh.com ESMTP Sendmail 8.13.8/8.13.8; Tue, 21 Feb 2012 12:39:50 +0800
EHLO
501 5.0.0 EHLO requires domain address
EHLO 127.0.0.1
250-mail.sh.com Hello mail.sh.com [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP
AUTH LOGIN cm9vdA==
334 UGFzc3dvcmQ6
cmVkaGF0
235 2.0.0 OK Authenticated   (authentication succeeded)
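The client side of the AUTH exchange above, as an added example that is not part of the original post: it parses the EHLO reply, builds the tokens that AUTH LOGIN and AUTH PLAIN send, decodes the 334 challenge (UGFzc3dvcmQ6 is simply "Password:"), and refuses to use LOGIN/PLAIN before STARTTLS, since base64 is reversible encoding rather than encryption. The EHLO reply is a constructed copy of the session transcript.

```python
# Added example (not from the original page); reconstructs the client steps
# of the SMTP AUTH LOGIN / PLAIN exchange shown in the telnet session above.
import base64

# Constructed sample: the EHLO reply captured in the telnet session above.
EHLO_REPLY = """250-mail.sh.com Hello mail.sh.com [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP"""


def parse_ehlo(reply: str) -> dict:
    """Return the advertised ESMTP extensions as {KEYWORD: [params]}."""
    exts = {}
    for line in reply.splitlines()[1:]:      # first line is the greeting
        keyword, *params = line[4:].split()  # drop the "250-" / "250 " prefix
        exts[keyword.upper()] = params
    return exts


def b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


def auth_login_tokens(user: str, password: str) -> tuple:
    """AUTH LOGIN sends user and password as two separate base64 strings,
    each in reply to a 334 prompt (or the user inline, as done above)."""
    return b64(user), b64(password)


def auth_plain_token(user: str, password: str) -> str:
    """AUTH PLAIN packs authzid NUL authcid NUL password into one token."""
    return b64(f"\0{user}\0{password}")


def decode_challenge(line: str) -> str:
    """Decode a '334 <base64>' server challenge, e.g. the Password: prompt."""
    code, token = line.split(maxsplit=1)
    if code != "334":
        raise ValueError(f"not a SASL challenge: {line!r}")
    return base64.b64decode(token).decode()


def auth_allowed(exts: dict, tls_active: bool) -> bool:
    """Only send LOGIN/PLAIN credentials after STARTTLS has been negotiated;
    otherwise the tokens above cross the wire as recoverable cleartext."""
    mechs = set(exts.get("AUTH", []))
    return tls_active and bool(mechs & {"LOGIN", "PLAIN"})
```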
Send mail from user3 to user4 with the subject wo:
Configure the account properties for user3 and user4:
Then click Settings and confirm.
user3 sends mail to user4 successfully.
This concludes the experiment. Whenever you send mail, remember to run
[root@mail ~]# tail -f /var/log/maillog
Watching the log helps a great deal in spotting problems that may arise, and also shows the delivery status.