Linux下电子邮件的安全传输及验证！

一、不安全测试：

1. 安装抓包工具

[root@mail ~]# mount /dev/cdrom /mnt/cdrom    
mount: block device /dev/cdrom is write-protected, mounting read-only     
[root@mail ~]# cd /mnt/cdrom/Server     
[root@mail Server]# ll  |grep shark     
-r--r--r-- 220 root root 11130359 Jun 11  2009 wireshark-1.0.8-1.el5_3.1.i386.rpm      
-r--r--r-- 220 root root   686650 Jun 11  2009 wireshark-gnome-1.0.8-1.el5_3.1.i386.rpm     
[root@mail Server]# rpm -ivh wireshark-1.0.8-1.el5_3.1.i386.rpm     
warning: wireshark-1.0.8-1.el5_3.1.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186     
error: Failed dependencies:     
  libsmi.so.2 is needed by wireshark-1.0.8-1.el5_3.1.i386     
[root@mail Server]# ll |grep smi      
-r--r--r-- 327 root root  2540456 Jan 18  2008 libsmi-0.4.5-2.el5.i386.rpm      
-r--r--r-- 327 root root    21212 Jan 18  2008 libsmi-devel-0.4.5-2.el5.i386.rpm     
-r--r--r-- 264 root root    62425 Apr 20  2009 psmisc-22.2-7.i386.rpm

[root@mail Server]# rpm -ql wireshark |less   查看安装路径

2.启动服务

[root@mail ~]# service named start    
[root@mail ~]# service dovecot start     
[root@mail ~]# service sendmail start

3.启动抓包工具        
[root@mail Server]# tshark -ni eth0 -R "tcp.dstport eq 110"

用outlook客户端发送与接收！

抓到的内容：

用户名，密码都能看到，这样非常不安全！

二、安全传输：

smtps  465端口，starttls（传输层安全） 25端口

1.数字证书的配置文件：

[root@mail Server]# vim /etc/pki/tls/openssl.cnf

2.生成相应的文件：

[root@mail Server]# cd /etc/pki/CA    
[root@mail CA]# mkdir crl certs newcerts     
[root@mail CA]# touch index.txt serial     
[root@mail CA]# echo "01" >serial     
[root@mail CA]# openssl genrsa 1024 > private/cakey.pem     
Generating RSA private key, 1024 bit long modulus     
....++++++     
...................................++++++     
e is 65537 (0x10001)     
[root@mail CA]# ll private     
total 4     
-rw-r--r-- 1 root root 887 Aug  5 07:16 cakey.pem     
[root@mail CA]# chmod 600 private/*     
[root@mail CA]# ll private     
total 4     
-rw------- 1 root root 887 Aug  5 07:16 cakey.pem

[root@mail CA]# openssl req -new -key private/cakey.pem -x509 -days 3650 -out cacert.pem

Country Name (2 letter code) [GB]:      出现这个！

3.CA的认证机构：

[root@mail CA]# vim /etc/pki/tls/openssl.cnf

:88,90s/match/optional

[root@mail CA]# openssl req -new -key private/cakey.pem -x509 -days 3650 -out cacert.pem     
You are about to be asked to enter information that will be incorporated     
into your certificate request.     
What you are about to enter is what is called a Distinguished Name or a DN.     
There are quite a few fields but you can leave some blank     
For some fields there will be a default value,     
If you enter '.', the field will be left blank.     
-----     
Country Name (2 letter code) [CN]:     
State or Province Name (full name) [He Nan]:     
Locality Name (eg, city) [Zheng zhou]:     
Organization Name (eg, company) [My Company Ltd]:tec center     
Organizational Unit Name (eg, section) []:diver agent     
Common Name (eg, your name or your server's hostname) []:mail.com

4.为发送服务器申请一个证：

[root@mail CA]# mkdir -pv /etc/mail/certs    
mkdir: created directory `/etc/mail/certs'     
[root@mail CA]# cd /etc/mail/certs/     
[root@mail certs]# openssl genrsa 1024 >sendmail.key   钥匙     
Generating RSA private key, 1024 bit long modulus     
............++++++     
............................++++++     
e is 65537 (0x10001)     
[root@mail certs]# openssl req -new -key sendmail.key -out sendmail.csr  请求文件     
You are about to be asked to enter information that will be incorporated     
into your certificate request.     
What you are about to enter is what is called a Distinguished Name or a DN.     
There are quite a few fields but you can leave some blank     
For some fields there will be a default value,     
If you enter '.', the field will be left blank.     
-----     
Country Name (2 letter code) [CN]:     
State or Province Name (full name) [He Nan]:     
Locality Name (eg, city) [Zheng zhou]:     
Organization Name (eg, company) [My Company Ltd]:163     
Organizational Unit Name (eg, section) []:tecnology     
Common Name (eg, your name or your server's hostname) []:mail.163.com

[root@mail certs]# openssl ca -in sendmail.csr -out sendmail.cert    //证书     
Using configuration from /etc/pki/tls/openssl.cnf     
Check that the request matches the signature     
Signature ok     
Certificate Details:     
       Serial Number: 1 (0x1)     
       Validity     
           Not Before: Aug  4 23:46:58 2012 GMT     
           Not After : Aug  4 23:46:58 2013 GMT     
       Subject:     
           countryName               = CN     
           stateOrProvinceName       = He Nan     
           organizationName          = 163     
           organizationalUnitName    = tecnology     
           commonName                = mail.163.com     
       X509v3 extensions:     
           X509v3 Basic Constraints:     
               CA:FALSE     
           Netscape Comment:     
               OpenSSL Generated Certificate     
           X509v3 Subject Key Identifier:     
               93:33:1C:69:DC:7E:20:B9:C4:F7:37:D5:F8:15:3F:48:A2:C4:36:C4     
           X509v3 Authority Key Identifier:     
               keyid:FE:69:9D:8E:DE:9A:A4:AA:6D:F5:A6:EF:17:DD:AA:CD:D0:59:7E:1E

Certificate is to be certified until Aug  4 23:46:58 2013 GMT (365 days)    
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y    
Write out database with 1 new entries     
Data Base Updated

已经产生证书，此时，请求文件可以删除了！

5.修改sendmail的配置文件（关于证书）

[root@mail certs]# vim /etc/mail/sendmail.mc

 启用smtp

6.申请的证书及申请证书所需的文件存在的路径

[root@mail ~]# cd /etc/mail/certs    
[root@mail certs]# chmod 600 *     
[root@mail certs]# ll     
total 12     
-rw------- 1 root root 3102 Aug  5 07:47 sendmail.cert    证书     
-rw------- 1 root root  655 Aug  5 07:37 sendmail.csr    请求文件     
-rw------- 1 root root  887 Aug  5 07:35 sendmail.key    私钥

[root@mail certs]# telnet 127.0.0.1 25
Trying 127.0.0.1...     
Connected to localhost.localdomain (127.0.0.1).     
Escape character is '^]'.     
220 mail.163.com ESMTP Sendmail 8.13.8/8.13.8; Sun, 5 Aug 2012 08:19:21 +0800     
helo 127.0.0.1      
250 mail.163.com Hello localhost.localdomain [127.0.0.1], pleased to meet you     
ehlo 127.0.0.1      
250-mail.163.com Hello localhost.localdomain [127.0.0.1], pleased to meet you     
250-ENHANCEDSTATUSCODES     
250-PIPELINING     
250-8BITMIME     
250-SIZE     
250-DSN     
250-ETRN     
250-STARTTLS      //说明已可以用ssl加密达到安全传输！      
250-DELIVERBY     
250 HELP

7.测试：

[root@mail ~]# tail -f /var/log/maillog    //日志信息

Aug  5 09:15:25 mail sendmail[4974]: STARTTLS=server, relay=[192.168.10.1], version=TLSv1/SSLv3, verify=NO, cipher=RC4-MD5, bits=128/128

[root@mail ~]# tshark -ni eth0 -R "tcp.dstport eq 25 or tcp.srcport eq 25 "

29.378844 192.168.10.99 -> 192.168.10.1 SMTP S: 250-mail.163.com Hello [192.168.10.1], pleased to meet you | 250-ENHANCEDSTATUSCODES | 250-PIPELINING | 250-8BITMIME | 250-SIZE | 250-DSN | 250-ETRN | 250-STARTTLS | 250-DELIVERBY | 250 HELP    
29.379199 192.168.10.1 -> 192.168.10.99 SMTP C: STARTTLS     
29.394166 192.168.10.99 -> 192.168.10.1 SMTP S: 220 2.0.0 Ready to start TLS     
29.529926 192.168.10.1 -> 192.168.10.99 SMTP C: \200O\001\003\001\0006\000\000\000\

发送信息已经可以加密！

smtps 只能点对点的！

8.接收端加密:

  pop2/pop3-------pop3s

  imap4------------imaps

dovecot

配置：

[root@mail ~]# mkdir -pv /etc/dovecot/certs    
mkdir: created directory `/etc/dovecot'     
mkdir: created directory `/etc/dovecot/certs'     
[root@mail ~]# cd /etc/dovecot/certs/     
[root@mail certs]# openssl genrsa 1024 >dovecot.key     
Generating RSA private key, 1024 bit long modulus     
............................................++++++     
.......++++++     
e is 65537 (0x10001)     
[root@mail certs]# openssl req -new -key dovecot.key -out dovecot.csr     
You are about to be asked to enter information that will be incorporated     
into your certificate request.     
What you are about to enter is what is called a Distinguished Name or a DN.     
There are quite a few fields but you can leave some blank     
For some fields there will be a default value,     
If you enter '.', the field will be left blank.     
-----     
Country Name (2 letter code) [CN]:     
State or Province Name (full name) [He Nan]:     
Locality Name (eg, city) [Zheng zhou]:     
Organization Name (eg, company) [My Company Ltd]:163     
Organizational Unit Name (eg, section) []:teconology     
Common Name (eg, your name or your server's hostname) []:pop3.163.com     
Email Address []:

Please enter the following 'extra' attributes    
to be sent with your certificate request     
A challenge password []:     
An optional company name []:

[root@mail certs]# openssl req -new -key dovecot.key -out dovecot.csr

Subject:    
          countryName               = CN     
          stateOrProvinceName       = He Nan     
          organizationName          = 163     
          organizationalUnitName    = teconology     
          commonName                = pop3.163.com

[root@mail certs]# vim /etc/dovecot.conf

[root@mail certs]# service dovecot restart    
Stopping Dovecot Imap:                                     [  OK  ]     
Starting Dovecot Imap:                                     [  OK  ]

三、用户身份验证：需借助于sasl

sasl只是协议

解决：避免未知名用户向某个邮件服务器不断发送垃圾邮件！

1.查询sasl （默认已安装）

[root@mail certs]# cd /mnt/cdrom/Server      
[root@mail Server]# ll |grep sasl      
-r--r--r-- 103 root root  1251623 Jul 29  2009 cyrus-sasl-2.1.22-5.el5.i386.rpm     
-r--r--r--  99 root root  1418364 Jul 29  2009 cyrus-sasl-devel-2.1.22-5.el5.i386.rpm     
-r--r--r-- 103 root root    28967 Jul 29  2009 cyrus-sasl-gssapi-2.1.22-5.el5.i386.rpm     
-r--r--r-- 103 root root    24390 Jul 29  2009 cyrus-sasl-ldap-2.1.22-5.el5.i386.rpm     
-r--r--r-- 103 root root   129180 Jul 29  2009 cyrus-sasl-lib-2.1.22-5.el5.i386.rpm     
-r--r--r-- 103 root root    46415 Jul 29  2009 cyrus-sasl-md5-2.1.22-5.el5.i386.rpm     
-r--r--r-- 103 root root    32054 Jul 29  2009 cyrus-sasl-ntlm-2.1.22-5.el5.i386.rpm     
-r--r--r-- 103 root root    27027 Jul 29  2009 cyrus-sasl-plain-2.1.22-5.el5.i386.rpm     
-r--r--r-- 103 root root    27330 Jul 29  2009 cyrus-sasl-sql-2.1.22-5.el5.i386.rpm     
-r--r--r-- 278 root root    39119 Jan 19  2007 gnu-crypto-sasl-jdk1.4-2.1.0-2jpp.1.i386.rpm     
[root@mail Server]# rpm -qa |grep sasl   //查询已安装的软件      
cyrus-sasl-lib-2.1.22-5.el5     
cyrus-sasl-plain-2.1.22-5.el5     
cyrus-sasl-devel-2.1.22-5.el5     
cyrus-sasl-2.1.22-5.el5

2.检测该服务是否被chkconfig加载        
[root@mail Server]# chkconfig --list |grep sasl   // 查看chkconfig不能检测此服务     
saslauthd          0:off    1:off    2:off    3:off    4:off    5:off    6:off

[root@mail ~]# chkconfig --add saslauthd   //添加该服务      
[root@mail ~]# chkconfig --level 2345 saslauthd  on  //设置2345级别启动      
[root@mail ~]# chkconfig --list |grep sasl      
saslauthd          0:off    1:off   2:on    3:on    4:on    5:on    6:off

3.配置sendmail的验证功能：

[root@mail ~]# vim /etc/mail/sendmail.mc

4.测试：

4.1 不验证无法 发送邮件

[root@mail ~]# telnet 127.0.0.1 25      
Trying 127.0.0.1...     
Connected to localhost.localdomain (127.0.0.1).     
Escape character is '^]'.     
220 mail.163.com ESMTP Sendmail 8.13.8/8.13.8; Mon, 6 Aug 2012 12:54:12 +0800     
ehlo 127.0.0.1      
250-mail.163.com Hello localhost.localdomain [127.0.0.1], pleased to meet you     
250-ENHANCEDSTATUSCODES     
250-PIPELINING     
250-8BITMIME     
250-SIZE     
250-DSN     
250-AUTH LOGIN PLAIN      
250-STARTTLS     
250-DELIVERBY     
250 HELP

4.2 密码必须转换为base64编码      

[root@mail ~]# clear    
[root@mail ~]# echo -n "user1@163.com" |openssl base64

dXNlcjFAMTYzLmNvbQ==    
[root@mail ~]# echo -n "123" |openssl base64     
MTIz

4.3  用认证登录测试：

[root@mail ~]# telnet 127.0.0.1 25    
Trying 127.0.0.1...     
Connected to localhost.localdomain (127.0.0.1).     
Escape character is '^]'.     
220 mail.163.com ESMTP Sendmail 8.13.8/8.13.8; Mon, 6 Aug 2012 13:51:03 +0800     
auth logindXNlcjFAMTYzLmNvbQ==    //用户名      
334 UGFzc3dvcmQ6     
MTIz      密码      
235 2.0.0 OK Authenticated     
mail from :user1@163.com     
250 2.1.0 user1@163.com... Sender ok      
rcpt to :user4@sina.com     
250 2.1.5 user4@si...Recipient ok (will queue)     
250 2.1.5 user4@sina.com... Recipient ok      
data     
354 Enter mail, end with "." on a line by itself     
subject haah     
ha come on !     
.     
250 2.0.0 q765p3oK004322 Message accepted for delivery     
quit     
221 2.0.0 mail.163.com closing connection     
Connection closed by foreign host.

5.用outlook发送邮件测试：

发送不出去，下面设置服务器身份验证就可以发送了！

发送成功  接收也成功！

本文转自 gjp0731 51CTO博客，原文链接:http://blog.51cto.com/guojiping/989969