Linux: Deploying TLS/SSL-Encrypted Mail Services


I. Deploying a plain (unencrypted) mail server

1) Set up and test the sending service (Postfix, SMTP)

        [[email protected] ~]# rpm -q postfix
        postfix-2.10.1-6.el7.x86_64
        [[email protected] ~]# netstat -pantu | grep :25
        tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1822/master
        tcp6       0      0 ::1:25                  :::*                    LISTEN      1822/master
        [[email protected] ~]# ps -C master
          PID TTY          TIME CMD
         1822 ?        00:00:00 master
        [[email protected] ~]# vim /etc/postfix/main.cf
        [[email protected] ~]# sed -n "113p;116p;419p" /etc/postfix/main.cf
        inet_interfaces = all
        #inet_interfaces = localhost
        home_mailbox = Maildir/
        [[email protected] ~]# systemctl restart postfix.service
        [[email protected] ~]# useradd jim
        [[email protected] ~]# echo 654321 | passwd --stdin jim
        [[email protected] ~]# yum -y install telnet
        [[email protected] ~]# telnet localhost 25
        Trying ::1...
        Connected to localhost.
        Escape character is '^]'.
        220 mail.com.cn ESMTP Postfix
        helo localhost
        250 mail.com.cn
        mail from:[email protected]
        250 2.1.0 Ok
        rcpt to:[email protected]
        250 2.1.5 Ok
        data
        354 End data with <CR><LF>.<CR><LF>
        XXXXX
        XXXX
        XXX
        XX
        X
        .
        250 2.0.0 Ok: queued as BEDA283BDA92
        quit
        221 2.0.0 Bye
        Connection closed by foreign host.
        [[email protected] ~]# cat /home/jim/Maildir/new/1515047330.Vfd02I4000083M847601.mail.com.cn
        Return-Path: <[email protected]>
        X-Original-To: [email protected]
        Delivered-To: [email protected]
        Received: from localhost (localhost [IPv6:::1])
                by mail.com.cn (Postfix) with SMTP id BEDA283BDA92
                for <[email protected]>; Thu,  4 Jan 2018 01:28:07 -0500 (EST)
        Message-Id: <[email protected]>
        Date: Thu,  4 Jan 2018 01:28:07 -0500 (EST)
        From: [email protected]

        XXXXX
        XXXX
        XXX
        XX
        X

        # while a message is being sent, capture the outgoing SMTP traffic:
        [[email protected] ~]# tcpdump -i eth0 -A tcp port 25

2) Set up and test the receiving service (Dovecot, POP3/IMAP)

        [[email protected] ~]# yum -y install dovecot
        [[email protected] ~]# rpm -q dovecot
        dovecot-2.2.10-5.el7.x86_64

        [[email protected] ~]# vim /etc/dovecot/conf.d/10-mail.conf
        [[email protected] ~]# sed -n '24p' /etc/dovecot/conf.d/10-mail.conf
        mail_location = maildir:~/Maildir

        [[email protected] ~]# vim /etc/dovecot/conf.d/10-auth.conf
        [[email protected] ~]# sed -n '10p' /etc/dovecot/conf.d/10-auth.conf
        disable_plaintext_auth = yes    # do not disable plaintext authentication (note: Dovecot treats connections from localhost as secure and accepts plaintext logins from there regardless, which is why the telnet test below succeeds)
        [[email protected] ~]# systemctl start dovecot
        [[email protected] ~]# netstat -pantu | grep :110
        tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      4924/dovecot
        tcp6       0      0 :::110                  :::*                    LISTEN      4924/dovecot
        [[email protected] ~]# netstat -pantu | grep :143
        tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      4924/dovecot
        tcp6       0      0 :::143                  :::*                    LISTEN      4924/dovecot

        [[email protected] ~]# telnet localhost 110
        Trying ::1...
        Connected to localhost.
        Escape character is '^]'.
        +OK Dovecot ready.
        USER jim
        +OK
        PASS 654321
        +OK Logged in.
        list
        +OK 1 messages:
        1 423
        .
        retr 1
        +OK 423 octets
        Return-Path: <[email protected]>
        X-Original-To: [email protected]
        Delivered-To: [email protected]
        Received: from localhost (localhost [IPv6:::1])
                by mail.com.cn (Postfix) with SMTP id BEDA283BDA92
                for <[email protected]>; Thu,  4 Jan 2018 01:28:07 -0500 (EST)
        Message-Id: <[email protected]>
        Date: Thu,  4 Jan 2018 01:28:07 -0500 (EST)
        From: [email protected]

        XXXXX
        XXXX
        XXX
        XX
        X
        .
        quit
        +OK Logging out.
        Connection closed by foreign host.

        # while mail is being collected, capture the POP3 traffic:
        [[email protected] ~]# tcpdump -A -i lo  tcp port 110
        [[email protected] ~]# tcpdump -A -i lo -w /tmp/mail.cap  tcp port 110
        [[email protected] ~]# tcpdump -A -r /tmp/mail.cap | grep user
        reading from file /tmp/mail.cap, link-type EN10MB (Ethernet)
        .S...R..user jim        # the mailbox username and password can be read straight out of the capture, because at this point they are transmitted in plaintext
        [[email protected] ~]# tcpdump -A -r /tmp/mail.cap | grep pass
        reading from file /tmp/mail.cap, link-type EN10MB (Ethernet)
        .S6[.S..pass 654321


II. Deploying TLS/SSL encryption for the mail services

1. Mail server configuration (192.168.4.2):

        [[email protected] ~]# systemctl restart postfix
        [[email protected] ~]# netstat -pantu | grep master
        tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      5415/master
        tcp6       0      0 :::25                   :::*                    LISTEN      5415/master
        [[email protected] ~]# systemctl restart dovecot
        [[email protected] ~]# netstat -pantu | grep dovecot
        tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      5446/dovecot
        tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      5446/dovecot
        tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      5446/dovecot
        tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      5446/dovecot
        tcp6       0      0 :::110                  :::*                    LISTEN      5446/dovecot
        tcp6       0      0 :::143                  :::*                    LISTEN      5446/dovecot
        tcp6       0      0 :::993                  :::*                    LISTEN      5446/dovecot
        tcp6       0      0 :::995                  :::*                    LISTEN      5446/dovecot


2. Create the private key file mail.key

        [[email protected] ~]# cd /etc/pki/tls/private/                # default directory where private keys are looked up
        [[email protected] private]# openssl genrsa 2048 > mail.key   # generate the private key

3. Create the certificate request file mail.csr

        req   work with certificate signing requests
        -new  generate a new request
        -key  the private key to use
        [[email protected] private]# openssl req -new -key mail.key > ~/mail.csr
        You are about to be asked to enter information that will be incorporated
        into your certificate request.
        What you are about to enter is what is called a Distinguished Name or a DN.
        There are quite a few fields but you can leave some blank
        For some fields there will be a default value,
        If you enter '.', the field will be left blank.
        -----
        Country Name (2 letter code) [XX]:CN      # must satisfy the CA's match policy, i.e. the same value as on the CA server
        State or Province Name (full name) []:beijing
        Locality Name (eg, city) [Default City]:beijing
        Organization Name (eg, company) [Default Company Ltd]:Xuenqlve
        Organizational Unit Name (eg, section) []:ope
        Common Name (eg, your name or your server's hostname) []:mail      # set to the service's domain name or hostname
        Email Address []:[email protected]

        Please enter the following 'extra' attributes
        to be sent with your certificate request
        A challenge password []:
        An optional company name []:


4. Upload the certificate request to the CA server (192.168.4.1)

        [[email protected] ~]# scp ~/mail.csr 192.168.4.1:/tmp

CA server configuration (192.168.4.1):

        For the detailed CA server setup see http://blog.51cto.com/13558754/2057718

5. Review the certificate request and issue the certificate

        [[email protected] certs]# openssl ca -in /tmp/mail.csr > mail.crt
        Using configuration from /etc/pki/tls/openssl.cnf
        Enter pass phrase for /etc/pki/CA/private/my-ca.key:
        Check that the request matches the signature
        Signature ok
        Certificate Details:
                Serial Number: 1 (0x1)
                Validity
                    Not Before: Jan  5 04:52:52 2018 GMT
                    Not After : Jan  5 04:52:52 2019 GMT
                Subject:
                    countryName               = CN
                    stateOrProvinceName       = beijing
                    organizationName          = Xuenqlve
                    organizationalUnitName    = ope
                    commonName                = mail
                    emailAddress              = [email protected]
                X509v3 extensions:
                    X509v3 Basic Constraints:
                        CA:FALSE
                    Netscape Comment:
                        OpenSSL Generated Certificate
                    X509v3 Subject Key Identifier:
                        1E:C8:F7:FA:7D:F7:9F:7B:00:03:DC:3B:60:CB:A2:8F:C0:16:04:D1
                    X509v3 Authority Key Identifier:
                        keyid:87:06:18:98:79:53:0E:26:0A:91:2D:B9:93:8A:C3:86:2B:CC:DF:E7

        Certificate is to be certified until Jan  5 04:52:52 2019 GMT (365 days)
        Sign the certificate? [y/n]:y

        1 out of 1 certificate requests certified, commit? [y/n]y
        Write out database with 1 new entries
        Data Base Updated

        Note: if reviewing the request fails with
        error while loading serial number
        initialise the serial file first:
        [[email protected] CA]# echo 01 > serial

        [[email protected] certs]# cat ../index.txt
        V	190105045252Z		01	unknown	/C=CN/ST=beijing/O=Xuenqlve/OU=ope/CN=mail/[email protected]
        [[email protected] certs]# cat ../serial
        02

6. Send the certificate to the mail server (192.168.4.2)

        [[email protected] certs]# scp mail.crt 192.168.4.2:/root/




7. Configure the services to use the private key and certificate

    7.1 Sending service (Postfix)

        [[email protected] ~]# vim /etc/postfix/main.cf
        Append the following settings:
        [[email protected] ~]# tail -4 /etc/postfix/main.cf
        smtpd_use_tls = yes
        #smtpd_tls_auth_only = yes
        smtpd_tls_key_file = /etc/pki/tls/private/mail.key
        smtpd_tls_cert_file = /etc/pki/tls/certs/mail.crt
        [[email protected] ~]# cp /root/mail.crt /etc/pki/tls/certs/
        [[email protected] ~]# systemctl restart postfix.service
        [[email protected] ~]# netstat -pantu | grep master
        tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      6461/master
        tcp6       0      0 :::25                   :::*                    LISTEN      6461/master

    7.2 Receiving service (Dovecot)

        [[email protected] ~]# vim /etc/dovecot/conf.d/10-ssl.conf
        Add the following settings:
        [[email protected] ~]# sed -n '14p;15p' /etc/dovecot/conf.d/10-ssl.conf
        ssl_cert = </etc/pki/dovecot/certs/mail.crt
        ssl_key = </etc/pki/dovecot/private/mail.key
        [[email protected] ~]# cp /etc/pki/tls/private/mail.key  /etc/pki/dovecot/private/mail.key
        [[email protected] ~]# cp /root/mail.crt /etc/pki/dovecot/certs/mail.crt
        [[email protected] ~]# systemctl restart dovecot.service
        [[email protected] ~]# netstat -pantu | grep dovecot
        tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      6517/dovecot
        tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      6517/dovecot
        tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      6517/dovecot
        tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      6517/dovecot
        tcp6       0      0 :::110                  :::*                    LISTEN      6517/dovecot
        tcp6       0      0 :::143                  :::*                    LISTEN      6517/dovecot
        tcp6       0      0 :::993                  :::*                    LISTEN      6517/dovecot
        tcp6       0      0 :::995                  :::*                    LISTEN      6517/dovecot

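Added example, not from the original post: this POSIX shell script reproduces the key, request and signing steps offline (a private CA, mail.key, mail.csr and a signed mail.crt with the same CA:FALSE, SKI and AKI extensions the CA printed above) and then runs the checks worth doing before the files are handed to Postfix and Dovecot: that mail.crt carries the public key of mail.key, that it chains to the CA, and that it validates for the name clients connect with. It assumes the openssl command-line tool is installed, signs with `openssl x509 -req` instead of the page's `openssl ca` (so no /etc/pki/CA directory layout is needed), and the CA name "Xuenqlve CA" is invented for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Requires the openssl CLI.
# Signs with `openssl x509 -req` instead of the page's `openssl ca`, so it
# does not need the /etc/pki/CA directory layout of the CA server.
set -eu

SUBJ_BASE="/C=CN/ST=beijing/L=beijing/O=Xuenqlve/OU=ope"   # DN fields entered in step 3

# make_pki DIR CN : build a private CA plus mail.key / mail.csr / mail.crt in DIR
make_pki() {
    dir=$1; cn=$2
    mkdir -p "$dir"
    # stand-in for the CA server's my-ca.key and CA certificate ("Xuenqlve CA" is made up)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "$SUBJ_BASE/CN=Xuenqlve CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # step 2: server private key; step 3: certificate request with the given Common Name
    openssl genrsa -out "$dir/mail.key" 2048 2>/dev/null
    openssl req -new -key "$dir/mail.key" -subj "$SUBJ_BASE/CN=$cn" -out "$dir/mail.csr"
    # step 5: sign the request with the same extensions the CA printed on the page
    printf 'basicConstraints=CA:FALSE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' \
        > "$dir/ext.cnf"
    openssl x509 -req -in "$dir/mail.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 365 -extfile "$dir/ext.cnf" -out "$dir/mail.crt" 2>/dev/null
}

# cert_matches_key DIR : mail.crt must contain the public half of mail.key, otherwise
# Postfix/Dovecot cannot complete a TLS handshake after step 7
cert_matches_key() {
    openssl pkey -in "$1/mail.key" -pubout > "$1/key.pub"
    openssl x509 -in "$1/mail.crt" -noout -pubkey > "$1/crt.pub"
    cmp -s "$1/key.pub" "$1/crt.pub"
}

# cert_valid_for DIR HOST : chain verifies against ca.crt and HOST matches the certificate
# name, i.e. what a mail client checks when it connects with SSL enabled (section III)
cert_valid_for() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/mail.crt" > /dev/null 2>&1
}

# check_deployed HOST CAFILE : the same verification against the running services
# (STARTTLS on 25, POP3S on 995); needs the live mail server, so not run in this example
check_deployed() {
    printf 'QUIT\r\n' | openssl s_client -starttls smtp -connect "$1:25" \
        -CAfile "$2" -verify_return_error -quiet
    printf 'QUIT\r\n' | openssl s_client -connect "$1:995" -CAfile "$2" -verify_return_error -quiet
}
```

With the page's Common Name of `mail`, cert_valid_for succeeds for `mail` but fails for `mail.com.cn`, the name Postfix announces in its banner, so a client configured to connect to mail.com.cn would reject this certificate: the CN (and a subjectAltName) should carry the exact name clients use.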

III. Selecting the encrypted protocol in the mail client

     When setting up the account in the mail client, choose SSL as the connection security for the mail server;
     the mail traffic is then encrypted.

