Deploying a TLS/SSL encrypted mail service
I. Deploy a plain (unencrypted) mail server
1) Set up and test the mail sending service
[[email protected] ~]# rpm -q postfix
postfix-2.10.1-6.el7.x86_64
[[email protected] ~]# netstat -pantu | grep :25
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1822/master
tcp6 0 0 ::1:25 :::* LISTEN 1822/master
[[email protected] ~]# ps -C master
PID TTY TIME CMD
1822 ? 00:00:00 master
[[email protected] ~]# vim /etc/postfix/main.cf
[[email protected] ~]# sed -n "113p;116p;419p" /etc/postfix/main.cf
inet_interfaces = all
#inet_interfaces = localhost
home_mailbox = Maildir/
[[email protected] ~]# systemctl restart postfix.service
[[email protected] ~]# useradd jim
[[email protected] ~]# echo 654321 | passwd --stdin jim
[[email protected] ~]# yum -y install telnet
[[email protected] ~]# telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 mail.com.cn ESMTP Postfix
helo localhost
250 mail.com.cn
mail from:[email protected]
250 2.1.0 Ok
rcpt to:[email protected]
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
XXXXX
XXXX
XXX
XX
X
.
250 2.0.0 Ok: queued as BEDA283BDA92
quit
221 2.0.0 Bye
Connection closed by foreign host.
[[email protected] ~]# cat /home/jim/Maildir/new/1515047330.Vfd02I4000083M847601.mail.com.cn
Return-Path: <[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from localhost (localhost [IPv6:::1])
by mail.com.cn (Postfix) with SMTP id BEDA283BDA92
for <[email protected]>; Thu, 4 Jan 2018 01:28:07 -0500 (EST)
Message-Id: <[email protected]>
Date: Thu, 4 Jan 2018 01:28:07 -0500 (EST)
From: [email protected]
XXXXX
XXXX
XXX
XX
X
# While a message is being sent, you can capture the outgoing mail packets
[[email protected] ~]# tcpdump -i eth0 -A tcp port 25
2) Set up and test mail retrieval
[[email protected] ~]# yum -y install dovecot
[[email protected] ~]# rpm -q dovecot
dovecot-2.2.10-5.el7.x86_64
[[email protected] ~]# vim /etc/dovecot/conf.d/10-mail.conf
[[email protected] ~]# sed -n '24p' /etc/dovecot/conf.d/10-mail.conf
mail_location = maildir:~/Maildir
[[email protected] ~]# vim /etc/dovecot/conf.d/10-auth.conf
[[email protected] ~]# sed -n '10p' /etc/dovecot/conf.d/10-auth.conf
disable_plaintext_auth = yes    # do not disable plaintext authentication
[[email protected] ~]# systemctl start dovecot
[[email protected] ~]# netstat -pantu | grep :110
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 4924/dovecot
tcp6 0 0 :::110 :::* LISTEN 4924/dovecot
[[email protected] ~]# netstat -pantu | grep :143
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 4924/dovecot
tcp6 0 0 :::143 :::* LISTEN 4924/dovecot
[[email protected] ~]# telnet localhost 110
Trying ::1...
Connected to localhost.
Escape character is '^]'.
+OK Dovecot ready.
USER jim
+OK
PASS 654321
+OK Logged in.
list
+OK 1 messages:
1 423
.
retr 1
+OK 423 octets
Return-Path: <[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from localhost (localhost [IPv6:::1])
by mail.com.cn (Postfix) with SMTP id BEDA283BDA92
for <[email protected]>; Thu, 4 Jan 2018 01:28:07 -0500 (EST)
Message-Id: <[email protected]>
Date: Thu, 4 Jan 2018 01:28:07 -0500 (EST)
From: [email protected]
XXXXX
XXXX
XXX
XX
X
.
quit
+OK Logging out.
Connection closed by foreign host.
# While mail is being retrieved, you can capture the incoming mail packets
[[email protected] ~]# tcpdump -A -i lo tcp port 110
[[email protected] ~]# tcpdump -A -i lo -w /tmp/mail.cap tcp port 110
[[email protected] ~]# tcpdump -A -r /tmp/mail.cap | grep user
reading from file /tmp/mail.cap, link-type EN10MB (Ethernet)
.S...R..user jim    # the capture exposes the mail username and password, because they are currently sent in plaintext
[[email protected] ~]# tcpdump -A -r /tmp/mail.cap | grep pass
reading from file /tmp/mail.cap, link-type EN10MB (Ethernet)
.S6[.S..pass 654321
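The two grep commands above find the credentials in the capture by eye. The following Python script, added here as an example and not part of the original post, does the same check mechanically over text in the shape of `tcpdump -A -nn` output: it tracks the destination port of each packet header and reports POP3 USER/PASS, IMAP LOGIN and SMTP AUTH PLAIN credentials that were sent on an unencrypted port, redacting the password in its report. The capture text is constructed for the example (the AUTH PLAIN blob is base64 of the lab user `jim` and password `654321`), and the function and variable names are the example's own.

```python
import base64
import re

# Constructed sample in the shape of `tcpdump -A -nn -i lo tcp port 110 or port 25 or port 143`
# output: one header line per packet, then the packet bytes printed as ASCII (non-printables
# become '.'). Not a real capture; the AUTH PLAIN blob is base64 of "\0jim\0654321".
SAMPLE_CAPTURE = """\
01:30:12.101 IP 127.0.0.1.43122 > 127.0.0.1.110: Flags [P.], seq 1:10, ack 17, length 9
E..=..@.@.S...R..USER jim
01:30:12.102 IP 127.0.0.1.110 > 127.0.0.1.43122: Flags [P.], seq 17:21, ack 10, length 4
E..4..@.@.S6[.S..+OK
01:30:15.301 IP 127.0.0.1.43122 > 127.0.0.1.110: Flags [P.], seq 10:22, ack 21, length 12
E..@..@.@.S6[.S..PASS 654321
01:31:02.010 IP 127.0.0.1.50210 > 127.0.0.1.25: Flags [P.], seq 1:28, ack 1, length 27
E..O..@.@.......AUTH PLAIN AGppbQA2NTQzMjE=
01:31:05.000 IP 127.0.0.1.50211 > 127.0.0.1.143: Flags [P.], seq 1:24, ack 1, length 23
E..K..@.@.......a1 LOGIN jim 654321
"""

# Packet header: "<time> IP <src>.<sport> > <dst>.<dport>: Flags ..."
HEADER_RE = re.compile(r"^\S+ IP6? \S+\.(\d+) > \S+\.(\d+): Flags")
POP3_RE = re.compile(r"\b(USER|PASS)\s+(\S+)", re.I)
IMAP_LOGIN_RE = re.compile(r"\bLOGIN\s+(\S+)\s+(\S+)", re.I)
SMTP_AUTH_PLAIN_RE = re.compile(r"\bAUTH\s+PLAIN\s+([A-Za-z0-9+/=]+)", re.I)

# Ports on which a credential sent in the clear counts as a finding (the lab's plaintext listeners).
CLEARTEXT_PORTS = {110: "POP3", 143: "IMAP", 25: "SMTP", 587: "SMTP"}


def _redact(secret):
    """Never put the captured password itself into a report."""
    return "*" * len(secret)


def find_cleartext_credentials(capture_text):
    """Return one finding per credential seen on an unencrypted mail port."""
    findings = []
    dst_port = None
    for line in capture_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            dst_port = int(m.group(2))
            continue
        proto = CLEARTEXT_PORTS.get(dst_port)
        if proto is None:
            continue  # server-to-client direction, or a port we do not track
        if proto == "POP3":
            m = POP3_RE.search(line)
            if m:
                cmd, arg = m.group(1).upper(), m.group(2)
                findings.append({"port": dst_port, "proto": proto,
                                 "username": arg if cmd == "USER" else None,
                                 "password": _redact(arg) if cmd == "PASS" else None})
        elif proto == "IMAP":
            m = IMAP_LOGIN_RE.search(line)
            if m:
                findings.append({"port": dst_port, "proto": proto,
                                 "username": m.group(1), "password": _redact(m.group(2))})
        elif proto == "SMTP":
            m = SMTP_AUTH_PLAIN_RE.search(line)
            if m:
                try:
                    parts = base64.b64decode(m.group(1)).split(b"\0")
                except ValueError:
                    continue  # not valid base64; leave it alone
                if len(parts) == 3:  # SASL PLAIN: authzid, authcid, password
                    findings.append({"port": dst_port, "proto": proto,
                                     "username": parts[1].decode("utf-8", "replace"),
                                     "password": _redact(parts[2].decode("utf-8", "replace"))})
    return findings


if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_CAPTURE):
        print(f"{f['proto']} (port {f['port']}): user={f['username']} pass={f['password']}")
```

Run against the constructed sample it reports four credential exposures (POP3 username, POP3 password, SMTP AUTH PLAIN, IMAP LOGIN). On a real capture saved with `tcpdump -w`, feed it the text of `tcpdump -A -nn -r file`. Once the services are moved behind TLS (part II), the same script run on a capture of ports 993/995, or of a STARTTLS session, finds nothing, which is the check that the encryption is actually in use.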
II. Deploy the TLS/SSL encrypted mail service
1 Mail server configuration (192.168.4.2):
[[email protected] ~]# systemctl restart postfix
[[email protected] ~]# netstat -pantu | grep master
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 5415/master
tcp6 0 0 :::25 :::* LISTEN 5415/master
[[email protected] ~]# systemctl restart dovecot
[[email protected] ~]# netstat -pantu | grep dovecot
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 5446/dovecot
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 5446/dovecot
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 5446/dovecot
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 5446/dovecot
tcp6 0 0 :::110 :::* LISTEN 5446/dovecot
tcp6 0 0 :::143 :::* LISTEN 5446/dovecot
tcp6 0 0 :::993 :::* LISTEN 5446/dovecot
tcp6 0 0 :::995 :::* LISTEN 5446/dovecot
2 Create the private key file mail.key (it is used to generate the certificate request)
[[email protected] ~]# cd /etc/pki/tls/private/    # default directory searched for private keys
[[email protected] private]# openssl genrsa 2048 > mail.key    # generate the private key
3 Create the certificate request file mail.csr
req: the certificate request subcommand
-new: generate a new request
-key: the private key to sign the request with
[[email protected] private]# openssl req -new -key mail.key > ~/mail.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN    # must be the same value as on the CA server, whose "match" policy requires it
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:Xuenqlve
Organizational Unit Name (eg, section) []:ope
Common Name (eg, your name or your server's hostname) []:mail    # set to the service's domain name or hostname
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
5 Upload the certificate request file to the CA server (192.168.4.1)
[[email protected] ~]# scp ~/mail.csr 192.168.4.1:/tmp
CA server configuration (192.168.4.1):
Detailed CA server setup: http://blog.51cto.com/13558754/2057718
6 Review the certificate request file and issue the digital certificate
[[email protected] certs]# openssl ca -in /tmp/mail.csr > mail.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/my-ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jan 5 04:52:52 2018 GMT
Not After : Jan 5 04:52:52 2019 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = Xuenqlve
organizationalUnitName = ope
commonName = mail
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
1E:C8:F7:FA:7D:F7:9F:7B:00:03:DC:3B:60:CB:A2:8F:C0:16:04:D1
X509v3 Authority Key Identifier:
keyid:87:06:18:98:79:53:0E:26:0A:91:2D:B9:93:8A:C3:86:2B:CC:DF:E7
Certificate is to be certified until Jan 5 04:52:52 2019 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Note: if reviewing the certificate request reports the following error:
error while loading serial number
run the following:
[[email protected] CA]# echo 01 > serial
[[email protected] certs]# cat ../index.txt
V190105045252Z01unknown/C=CN/ST=beijing/O=Xuenqlve/OU=ope/CN=mail/[email protected]
[[email protected] certs]# cat ../serial
02
7 Deliver the certificate to the mail server (192.168.4.2)
[[email protected] certs]# scp mail.crt 192.168.4.2:/root/
8 Configure the services to use the private key file and the digital certificate file at runtime
8.1 Configure the sending (SMTP) service
[[email protected] ~]# vim /etc/postfix/main.cf
Add the following configuration
[[email protected] ~]# tail -4 /etc/postfix/main.cf
smtpd_use_tls = yes
#smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/pki/tls/private/mail.key
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.crt
[[email protected] ~]# cp /root/mail.crt /etc/pki/tls/certs/
[[email protected] ~]# systemctl restart postfix.service
[[email protected] ~]# netstat -pantu | grep master
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 6461/master
tcp6 0 0 :::25 :::* LISTEN 6461/master
8.2 Configure the retrieval (POP3/IMAP) service
[[email protected] ~]# vim /etc/dovecot/conf.d/10-ssl.conf
Add the following configuration
[[email protected] ~]# sed -n '14p;15p' /etc/dovecot/conf.d/10-ssl.conf
ssl_cert = </etc/pki/dovecot/certs/mail.crt
ssl_key = </etc/pki/dovecot/private/mail.key
[[email protected] ~]# cp /etc/pki/tls/private/mail.key /etc/pki/dovecot/private/mail.key
[[email protected] ~]# cp /root/mail.crt /etc/pki/dovecot/certs/mail.crt
[[email protected] ~]# systemctl restart dovecot.service
[[email protected] ~]# netstat -pantu | grep dovecot
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 6517/dovecot
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 6517/dovecot
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 6517/dovecot
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 6517/dovecot
tcp6 0 0 :::110 :::* LISTEN 6517/dovecot
tcp6 0 0 :::143 :::* LISTEN 6517/dovecot
tcp6 0 0 :::993 :::* LISTEN 6517/dovecot
tcp6 0 0 :::995 :::* LISTEN 6517/dovecot
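The settings in 8.1 and 8.2 enable TLS, but as written they leave the plaintext path open next to it: `smtpd_tls_auth_only` is commented out, so Postfix still accepts SMTP AUTH on an unencrypted session, and Dovecot's `ssl` setting is left at its default of `yes` rather than `required`, so clients can still log in over plain 110/143. The following Python audit script is an added example, not code from the original post: it parses Postfix main.cf and Dovecot conf.d fragments as `key = value` lines, runs the lab configuration above (embedded as constructed strings) and a hardened variant through the same checks, and lists what is still weak. The hardened variant uses `smtpd_tls_auth_only = yes` (the page's own commented line) and Dovecot's `ssl = required`; `smtpd_tls_security_level` is accepted as the newer Postfix equivalent of `smtpd_use_tls`. The `parse_kv` and `audit_mail_tls` names are the example's own.

```python
# Lab configuration as shown on this page (constructed strings, copied from the fragments above).
POSTFIX_LAB = """\
smtpd_use_tls = yes
#smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/pki/tls/private/mail.key
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.crt
"""
DOVECOT_SSL_LAB = """\
ssl_cert = </etc/pki/dovecot/certs/mail.crt
ssl_key = </etc/pki/dovecot/private/mail.key
"""
DOVECOT_AUTH_LAB = "disable_plaintext_auth = yes\n"

# Hardened variant: TLS is no longer optional for authentication.
POSTFIX_HARDENED = """\
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/pki/tls/private/mail.key
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.crt
"""
DOVECOT_SSL_HARDENED = """\
ssl = required
ssl_cert = </etc/pki/dovecot/certs/mail.crt
ssl_key = </etc/pki/dovecot/private/mail.key
"""


def parse_kv(text):
    """Parse 'key = value' lines as found in Postfix main.cf and Dovecot conf.d files.
    Whole-line comments are skipped; the last occurrence of a key wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def audit_mail_tls(postfix_main_cf, dovecot_ssl_conf, dovecot_auth_conf):
    """Return a list of weaknesses; an empty list means no plaintext login path is left open."""
    issues = []
    pf = parse_kv(postfix_main_cf)
    if pf.get("smtpd_use_tls") != "yes" and pf.get("smtpd_tls_security_level") not in ("may", "encrypt"):
        issues.append("postfix: TLS is not enabled (smtpd_use_tls / smtpd_tls_security_level)")
    for key in ("smtpd_tls_key_file", "smtpd_tls_cert_file"):
        if not pf.get(key):
            issues.append(f"postfix: {key} is not set")
    if pf.get("smtpd_tls_auth_only") != "yes":
        issues.append("postfix: smtpd_tls_auth_only is not 'yes', so SMTP AUTH is still "
                      "accepted on an unencrypted session")

    dv = parse_kv(dovecot_ssl_conf)
    dv.update(parse_kv(dovecot_auth_conf))
    for key in ("ssl_cert", "ssl_key"):
        value = dv.get(key, "")
        if not value:
            issues.append(f"dovecot: {key} is not set")
        elif not value.startswith("<"):
            # Without the leading '<' Dovecot uses the text itself, not the file's contents.
            issues.append(f"dovecot: {key} must start with '<' so the file is read")
    ssl_mode = dv.get("ssl", "yes")  # Dovecot's default when the setting is absent
    if ssl_mode == "no":
        issues.append("dovecot: ssl = no disables TLS entirely")
    elif ssl_mode != "required":
        issues.append("dovecot: ssl is not 'required', so clients may still log in over plaintext 110/143")
    if dv.get("disable_plaintext_auth", "yes") != "yes":
        issues.append("dovecot: disable_plaintext_auth = no lets passwords cross the wire in the clear")
    return issues


if __name__ == "__main__":
    for label, args in (("lab", (POSTFIX_LAB, DOVECOT_SSL_LAB, DOVECOT_AUTH_LAB)),
                        ("hardened", (POSTFIX_HARDENED, DOVECOT_SSL_HARDENED, DOVECOT_AUTH_LAB))):
        print(f"[{label}]")
        for issue in audit_mail_tls(*args) or ["no issues"]:
            print("  -", issue)
```

One caveat when reading the lab's `disable_plaintext_auth = yes` against the earlier `telnet localhost 110` session that logged in with a plaintext PASS: Dovecot treats connections from localhost as already secure and still allows plaintext authentication on them, so that test passing on the server itself says nothing about what a remote client on port 110 is allowed to do. Test from another host, or capture on the real interface as in section 1.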
III. Choosing an encrypted protocol when the client software connects to the mail server
In the client software, set the mail transport mode to SSL; the transmitted data is then encrypted.
Original article: http://blog.51cto.com/13558754/2057793