Mail server: securing sendmail with encryption

Date: 2019-12-05   Editor: Computer News

Linux mail server: security of the mail system

Introduction

The previous article configured a simple mail server, but mail is easy to sniff while it is being sent and received, and our sensitive information can be captured that way. This article therefore discusses encryption for the mail server.

Contents:

1: Combine sendmail with a CA to encrypt sending
2: Combine dovecot with a CA to encrypt receiving
3: Enable sendmail's authentication function

A short introduction to mail security:

The base protocols are smtp, pop3 and imap, all of them in clear text. Protection is added at several levels:

Transport encryption for sending (smtps):
1. port 465 (smtps)
2. smtp + ssl, i.e. starttls, on port 25
Transport encryption for receiving: pop3 -> pop3s, port 995
Content encryption: S/MIME, GPG
Authentication: SASL

Part I: Insecure test

1. Install the capture tool

[root@mail ~]# mount /dev/cdrom /mnt/cdrom
mount: block device /dev/cdrom is write-protected, mounting read-only
[root@mail ~]# cd /mnt/cdrom/Server
[root@mail Server]# ll  |grep shark
-r--r--r-- 220 root root 11130359 Jun 11  2009 wireshark-1.0.8-1.el5_3.1.i386.rpm
-r--r--r-- 220 root root   686650 Jun 11  2009 wireshark-gnome-1.0.8-1.el5_3.1.i386.rpm
[root@mail Server]# rpm -ivh wireshark-1.0.8-1.el5_3.1.i386.rpm
warning: wireshark-1.0.8-1.el5_3.1.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
error: Failed dependencies:
   libsmi.so.2 is needed by wireshark-1.0.8-1.el5_3.1.i386
[root@mail Server]# ll |grep smi
-r--r--r-- 327 root root  2540456 Jan 18  2008 libsmi-0.4.5-2.el5.i386.rpm
-r--r--r-- 327 root root    21212 Jan 18  2008 libsmi-devel-0.4.5-2.el5.i386.rpm
-r--r--r-- 264 root root    62425 Apr 20  2009 psmisc-22.2-7.i386.rpm

wireshark depends on libsmi, so the libsmi package from the same disc has to go in before the wireshark package installs. Afterwards, list the package contents to see where the tools were installed:

[root@mail Server]# rpm -ql wireshark |less     # view the installation paths

2. Start the services

[root@mail ~]# service named start
[root@mail ~]# service dovecot start
[root@mail ~]# service sendmail start

3. Start the capture tool

Capture the POP3 traffic on port 110. The filter "tcp.dstport eq 110" keeps only the packets the client sends to the server, which is where the login commands travel; "tcp.port eq 110" captures both directions:

[root@mail Server]# tshark -ni eth0 -R "tcp.dstport eq 110"

Now send and receive mail with the Outlook client. While the recipient retrieves mail, the capture tool is running; check whether any sensitive information can be obtained.

Captured content: as the capture shows, the recipient's account and password can be read. Both the user name and the password are visible in the clear, which is very insecure!

The main work below is to prevent someone from obtaining sensitive information by packet capture.

Part II: Secure transport

smtps on port 465; starttls (transport layer security) on port 25.

Adding SMTPS to the mail server:

SMTPS: provides SSL/TLS-encrypted service to users on a separate port, listening on port 465.
STARTTLS: provides both encrypted and unencrypted service on port 25.

First check whether sendmail supports STARTTLS. This depends on whether the feature was compiled into the binary; if STARTTLS appears in the output, encrypted sending is supported:

[root@mail ~]# sendmail -d0.1 -bv     # show sendmail's build details
...
NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS

The extensions the server currently advertises can be seen by talking to it over telnet; STARTTLS is not in the list yet:

[root@mail ~]# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to mail.bj.com (127.0.0.1).
Escape character is '^]'.
220 mail.bj.com ESMTP Sendmail 8.13.8/8.13.8; Fri, 23 Mar 2012 16:16:04 +0800
EHLO 127.0.0.1
250-mail.bj.com Hello mail.bj.com [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
quit
221 2.0.0 mail.bj.com closing connection
Connection closed by foreign host.

1. Create the CA

1) Edit the certificate configuration file /etc/pki/tls/openssl.cnf and change the following lines to read:

[root@mail Server]# vim /etc/pki/tls/openssl.cnf

45 dir                        = /etc/pki/CA

88 countryName               = optional
89 stateOrProvinceName        = optional
90 organizationName           = optional

(In vim, lines 88 to 90 can be changed in one step with :88,90s/match/optional)

2) Create the CA's working directories and files:

[root@mail Server]# cd /etc/pki/CA
[root@mail CA]# mkdir crl certs newcerts
[root@mail CA]# touch index.txt serial
[root@mail CA]# echo "01" >serial

3) Create the CA's own private key and restrict its permissions:

[root@mail CA]# openssl genrsa 1024 > private/cakey.pem
Generating RSA private key, 1024 bit long modulus
....++++++
...................................++++++
e is 65537 (0x10001)
[root@mail CA]# ll private
total 4
-rw-r--r-- 1 root root 887 Aug  5 07:16 cakey.pem
[root@mail CA]# chmod 600 private/*
[root@mail CA]# ll private
total 4
-rw------- 1 root root 887 Aug  5 07:16 cakey.pem

4) Generate the CA's self-signed certificate. The interactive prompts appear; the defaults in brackets come from openssl.cnf:

[root@mail CA]# openssl req -new -key private/cakey.pem -x509 -days 3650 -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [CN]:
State or Province Name (full name) [He Nan]:
Locality Name (eg, city) [Zheng zhou]:
Organization Name (eg, company) [My Company Ltd]:tec center
Organizational Unit Name (eg, section) []:diver agent
Common Name (eg, your name or your server's hostname) []:mail.com

5) Create the directory that will hold the mail server's certificate:

[root@mail CA]# mkdir -pv /etc/mail/certs
mkdir: created directory `/etc/mail/certs'

6) Apply for a certificate for the sending server: generate its private key, create a certificate request, and have the CA sign it:

[root@mail CA]# cd /etc/mail/certs/
[root@mail certs]# openssl genrsa 1024 >sendmail.key     # private key
Generating RSA private key, 1024 bit long modulus
............++++++
............................++++++
e is 65537 (0x10001)
[root@mail certs]# openssl req -new -key sendmail.key -out sendmail.csr     # certificate request
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [CN]:
State or Province Name (full name) [He Nan]:
Locality Name (eg, city) [Zheng zhou]:
Organization Name (eg, company) [My Company Ltd]:163
Organizational Unit Name (eg, section) []:tecnology
Common Name (eg, your name or your server's hostname) []:mail.163.com

[root@mail certs]# openssl ca -in sendmail.csr -out sendmail.cert     # certificate
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Aug  4 23:46:58 2012 GMT
            Not After : Aug  4 23:46:58 2013 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = He Nan
            organizationName          = 163
            organizationalUnitName    = tecnology
            commonName                = mail.163.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                93:33:1C:69:DC:7E:20:B9:C4:F7:37:D5:F8:15:3F:48:A2:C4:36:C4
            X509v3 Authority Key Identifier:
                keyid:FE:69:9D:8E:DE:9A:A4:AA:6D:F5:A6:EF:17:DD:AA:CD:D0:59:7E:1E

Certificate is to be certified until Aug  4 23:46:58 2013 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

The certificate has been produced; at this point the request file can be deleted.
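The CA and server-certificate procedure above, collected into one non-interactive script. This is an added example and not the article's own commands: it assumes only a POSIX shell and the openssl command-line tool, writes everything under a scratch directory instead of /etc/pki/CA and /etc/mail/certs so it runs without root, carries its own minimal openssl.cnf in place of the edits to the system file, uses 2048-bit keys where the article uses 1024-bit ones (current OpenSSL builds reject 1024-bit RSA at their default security level), and adds a subjectAltName because clients now match the server name against the SAN rather than the commonName. The DN values and hostnames (mail.com for the CA, mail.163.com for the server) are the article's own.

```shell
#!/bin/sh
# Added example (not from the original article): CA creation plus issuance
# of a server certificate for sendmail, run end to end without prompts.
# Assumes: POSIX sh and the openssl CLI. All paths live under the scratch
# directory passed as $1, standing in for /etc/pki/CA and /etc/mail/certs.
set -eu

# Minimal openssl.cnf with the same effect as the article's edits
# (dir = the CA directory, DN policy fields optional) plus sane extensions.
write_ca_config() {
    ca_dir="$1"
    cat > "$ca_dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir              = $ca_dir
certs            = \$dir/certs
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
private_key      = \$dir/private/cakey.pem
certificate      = \$dir/cacert.pem
default_md       = sha256
default_days     = 365
policy           = policy_anything
x509_extensions  = usr_cert
copy_extensions  = copy

[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ req ]
distinguished_name = req_dn
prompt             = no
x509_extensions    = v3_ca

[ req_dn ]
CN = placeholder
EOF
}

# Steps 2) to 6) of the article: CA files, CA key and certificate, then the
# mail server's key, request and signed certificate.
build_mail_ca() {
    ca_dir="$1"
    mail_dir="$ca_dir/mail"          # stands in for /etc/mail/certs
    mkdir -p "$ca_dir/private" "$ca_dir/crl" "$ca_dir/certs" "$ca_dir/newcerts" "$mail_dir"
    : > "$ca_dir/index.txt"
    echo 01 > "$ca_dir/serial"
    write_ca_config "$ca_dir"
    cnf="$ca_dir/openssl.cnf"

    # CA private key (mode 600, as in the article) and self-signed CA certificate
    openssl genrsa -out "$ca_dir/private/cakey.pem" 2048
    chmod 600 "$ca_dir/private/cakey.pem"
    openssl req -new -x509 -days 3650 -config "$cnf" -key "$ca_dir/private/cakey.pem" \
        -subj "/C=CN/ST=He Nan/O=tec center/CN=mail.com" -out "$ca_dir/cacert.pem"

    # Server key and certificate request; the SAN is an addition to the article
    openssl genrsa -out "$mail_dir/sendmail.key" 2048
    chmod 600 "$mail_dir/sendmail.key"
    openssl req -new -config "$cnf" -key "$mail_dir/sendmail.key" \
        -subj "/C=CN/ST=He Nan/O=163/OU=tecnology/CN=mail.163.com" \
        -addext "subjectAltName=DNS:mail.163.com" -out "$mail_dir/sendmail.csr"

    # Sign with the CA (-batch replaces the two y/n prompts), then drop the request
    openssl ca -batch -config "$cnf" -in "$mail_dir/sendmail.csr" -out "$mail_dir/sendmail.cert"
    rm -f "$mail_dir/sendmail.csr"
}

# Check the result: the server certificate chains to the CA and carries the SAN.
verify_mail_cert() {
    ca_dir="$1"
    openssl verify -CAfile "$ca_dir/cacert.pem" "$ca_dir/mail/sendmail.cert" >/dev/null &&
        openssl x509 -in "$ca_dir/mail/sendmail.cert" -noout -text | grep -q "DNS:mail.163.com"
}

CA_DIR=$(mktemp -d)
build_mail_ca "$CA_DIR"
verify_mail_cert "$CA_DIR"
echo "CA and server certificate created under $CA_DIR"
```

copy_extensions = copy lets the SAN from the request into the certificate; the CA's own usr_cert section still overrides basicConstraints, so a request cannot turn itself into a CA certificate. Once sendmail.key and sendmail.cert are installed into sendmail's configuration, the same check the article does with telnet can be done with `openssl s_client -starttls smtp -connect mail.163.com:25`, which should now show STARTTLS in the EHLO list and the certificate issued above (this command is an assumption about the follow-up step, not part of the article).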
