Liunx 部署邮件TLS/SSL加密通信服务

部署邮件TLS/SSL加密通信服务

一.部署普通邮件服务器

1) 搭建并检测邮件服务的发送服务

[[email protected] ~]# rpm -q postfix

postfix-2.10.1-6.el7.x86_64

[[email protected] ~]# netstat -pantu | grep :25

tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1822/master

tcp6       0      0 ::1:25                  :::*                    LISTEN      1822/master

[[email protected] ~]# ps -C master

PID TTY          TIME CMD

1822 ?        00:00:00 master

[[email protected] ~]# vim /etc/postfix/main.cf

[[email protected] ~]# sed -n "113p;116p;419p" /etc/postfix/main.cf

inet_interfaces = all

#inet_interfaces = localhost

home_mailbox = Maildir/

[[email protected] ~]# systemctl restart postfix.service

[[email protected] ~]# useradd jim

[[email protected] ~]# echo 654321 | passwd --stdin jim

[[email protected] ~]# yum -y install telnet

[[email protected] ~]# telnet localhost 25

Trying ::1...

Connected to localhost.

Escape character is '^]'.

220 mail.com.cn ESMTP Postfix

helo localhost

250 mail.com.cn

mail from:[email protected]

250 2.1.0 Ok

rcpt to:[email protected]

250 2.1.5 Ok

data

354 End data with <CR><LF>.<CR><LF>

XXXXX

XXXX

XXX

XX

X

.

250 2.0.0 Ok: queued as BEDA283BDA92

quit

221 2.0.0 Bye

Connection closed by foreign host.

[[email protected] ~]# cat /home/jim/Maildir/new/1515047330.Vfd02I4000083M847601.mail.com.cn

Return-Path: <[email protected]>

X-Original-To: [email protected]

Delivered-To: [email protected]

Received: from localhost (localhost [IPv6:::1])

by mail.com.cn (Postfix) with SMTP id BEDA283BDA92

for <[email protected]>; Thu,  4 Jan 2018 01:28:07 -0500 (EST)

Message-Id: <[email protected]>

Date: Thu,  4 Jan 2018 01:28:07 -0500 (EST)

From: [email protected]

XXXXX

XXXX

XXX

XX

X

#可以在发送邮件的时候  抓取发邮件的数据包

[[email protected] ~]# tcpdump -i eth0 -A tcp port 25

2)搭建并检测 邮件服务的收取

[[email protected] ~]# yum -y install dovecot

[[email protected] ~]# rpm -q dovecot

dovecot-2.2.10-5.el7.x86_64

[[email protected] ~]# vim /etc/dovecot/conf.d/10-mail.conf

[[email protected] ~]# sed -n '24p' /etc/dovecot/conf.d/10-mail.conf

mail_location = maildir:~/Maildir

[[email protected] ~]# vim /etc/dovecot/conf.d/10-auth.conf

[[email protected] ~]# sed -n '10p' /etc/dovecot/conf.d/10-auth.conf

disable_plaintext_auth = yes#不禁用明文认证

[[email protected] ~]# systemctl start dovecot

[[email protected] ~]# netstat -pantu | grep :110

tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      4924/dovecot

tcp6       0      0 :::110                  :::*                    LISTEN      4924/dovecot

[[email protected] ~]# netstat -pantu | grep :143

tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      4924/dovecot

tcp6       0      0 :::143                  :::*                    LISTEN      4924/dovecot

[[email protected] ~]# telnet localhost 110

Trying ::1...

Connected to localhost.

Escape character is '^]'.

+OK Dovecot ready.

USER jim

+OK

PASS 654321

+OK Logged in.

list

+OK 1 messages:

1 423

.

retr 1

+OK 423 octets

Return-Path: <[email protected]>

X-Original-To: [email protected]

Delivered-To: [email protected]

Received: from localhost (localhost [IPv6:::1])

by mail.com.cn (Postfix) with SMTP id BEDA283BDA92

for <[email protected]>; Thu,  4 Jan 2018 01:28:07 -0500 (EST)

Message-Id: <[email protected]>

Date: Thu,  4 Jan 2018 01:28:07 -0500 (EST)

From: [email protected]

XXXXX

XXXX

XXX

XX

X

.

quit

+OK Logging out.

Connection closed by foreign host.

#可以在收取邮件的时候  抓取收邮件的数据包

[[email protected] ~]# tcpdump -A -i lo  tcp port 110

[[email protected] ~]# tcpdump -A -i lo -w /tmp/mail.cap  tcp port 110

[[email protected] ~]# tcpdump -A -r /tmp/mail.cap | grep user

reading from file /tmp/mail.cap, link-type EN10MB (Ethernet)

.S...R..user jim                                                                        #这里可以通过抓包 抓取到邮件的用户名和密码  因为当前属于明文传输

[[email protected] ~]# tcpdump -A -r /tmp/mail.cap | grep pass

reading from file /tmp/mail.cap, link-type EN10MB (Ethernet)

.S6[.S..pass 654321

二，部署邮件TLS/SSL加密通信服务

1 邮件服务器的配置(192.168.4.2)：

[[email protected] ~]# systemctl restart postfix

[[email protected] ~]# netstat -pantu | grep master

tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      5415/master

tcp6       0      0 :::25                   :::*                    LISTEN      5415/master

[[email protected] ~]# systemctl restart dovecot

[[email protected] ~]# netstat -pantu | grep dovecot

tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      5446/dovecot

tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      5446/dovecot

tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      5446/dovecot

tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      5446/dovecot

tcp6       0      0 :::110                  :::*                    LISTEN      5446/dovecot

tcp6       0      0 :::143                  :::*                    LISTEN      5446/dovecot

tcp6       0      0 :::993                  :::*                    LISTEN      5446/dovecot

tcp6       0      0 :::995                  :::*                    LISTEN      5446/dovecot

2 创建私钥文件：生成证书请求文件  mail.key

[[email protected] ~]# cd /etc/pki/tls/private/#默认搜索私钥目录

[[email protected] private]# openssl genrsa 2048 > mail.key#执行生成私钥命令

3 创建证书请求文件mail.csr

-req 请求

-new 新文件

-key 私钥

[[email protected] private]# openssl req -new -key mail.key > ~/mail.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN#与CA服务器 match 匹配策略 必须一样

State or Province Name (full name) []:beijing

Locality Name (eg, city) [Default City]:beijing

Organization Name (eg, company) [Default Company Ltd]:Xuenqlve

Organizational Unit Name (eg, section) []:ope

Common Name (eg, your name or your server's hostname) []:mail#设置为服务域名或者主机名

Email Address []:[email protected]

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

5 上传证书请求文件给CA服务器(192.168.4.1)

[[email protected] ~]# scp ~/mail.csr 192.168.4.1:/tmp

CA服务器的配置(192.168.4.1):

 CA服务器具体配置 http://blog.51cto.com/13558754/2057718

6 审核证书请求文件，并签发数字证书

[[email protected] certs]# openssl ca -in /tmp/mail.csr > mail.crt

Using configuration from /etc/pki/tls/openssl.cnf

Enter pass phrase for /etc/pki/CA/private/my-ca.key:

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 1 (0x1)

Validity

Not Before: Jan  5 04:52:52 2018 GMT

Not After : Jan  5 04:52:52 2019 GMT

Subject:

countryName               = CN

stateOrProvinceName       = beijing

organizationName          = Xuenqlve

organizationalUnitName    = ope

commonName                = mail

emailAddress              = [email protected]

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

1E:C8:F7:FA:7D:F7:9F:7B:00:03:DC:3B:60:CB:A2:8F:C0:16:04:D1

X509v3 Authority Key Identifier:

keyid:87:06:18:98:79:53:0E:26:0A:91:2D:B9:93:8A:C3:86:2B:CC:DF:E7

Certificate is to be certified until Jan  5 04:52:52 2019 GMT (365 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

注意：审核证书请求文件 报如下的错误时：

error while loading serial number

执行如下操作

[[email protected] CA]# echo 01 > serial

[[email protected] certs]# cat ../index.txt

V190105045252Z01unknown/C=CN/ST=beijing/O=Xuenqlve/OU=ope/CN=mail/[email protected]

[[email protected] certs]# cat ../serial

02

7 下发证书给邮件服务器(192.168.4.2)

[[email protected] certs]# scp mail.crt 192.168.4.2:/root/

8 配置服务运行时调用私钥文件 数字证书文件

    8.1 配置发邮件服务

[[email protected] ~]# vim /etc/postfix/main.cf

添加如下配置

[[email protected] ~]# tail -4 /etc/postfix/main.cf

smtpd_use_tls = yes

#smtpd_tls_auth_only = yes

smtpd_tls_key_file = /etc/pki/tls/private/mail.key

smtpd_tls_cert_file = /etc/pki/tls/certs/mail.crt

[[email protected] ~]# cp /root/mail.crt /etc/pki/tls/certs/

[[email protected] ~]# systemctl restart postfix.service

[[email protected] ~]# netstat -pantu | grep master

tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      6461/master

tcp6       0      0 :::25                   :::*                    LISTEN      6461/master

8.2 配置收邮件服务

[[email protected] ~]# vim /etc/dovecot/conf.d/10-ssl.conf

添加如下配置

[[email protected] ~]# sed -n '14p;15p' /etc/dovecot/conf.d/10-ssl.conf

ssl_cert = </etc/pki/dovecot/certs/mail.crt

ssl_key = </etc/pki/dovecot/private/mail.key

[[email protected] ~]# cp /etc/pki/tls/private/mail.key  /etc/pki/dovecot/private/mail.key

[[email protected] ~]# cp /root/mail.crt /etc/pki/dovecot/certs/mail.crt

[[email protected] ~]# systemctl restart dovecot.service

[[email protected] ~]# netstat -pantu | grep dovecot

tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      6517/dovecot

tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      6517/dovecot

tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      6517/dovecot

tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      6517/dovecot

tcp6       0      0 :::110                  :::*                    LISTEN      6517/dovecot

tcp6       0      0 :::143                  :::*                    LISTEN      6517/dovecot

tcp6       0      0 :::993                  :::*                    LISTEN      6517/dovecot

tcp6       0      0 :::995                  :::*                    LISTEN      6517/dovecot

三.客户端在软件里设置连接邮件服务器时 是否加密协议

使用客户端软件时将邮件传输方式设置为ssl

传输的数据就会进行加密

原文地址：http://blog.51cto.com/13558754/2057793