Liunx 部署郵件TLS/SSL加密通信服務
一.部署普通郵件服務器
1) 搭建並檢測郵件服務的發送服務
[root@mail ~]# rpm -q postfix
postfix-2.10.1-6.el7.x86_64
[root@mail ~]# netstat -pantu | grep :25
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1822/master
tcp6 0 0 ::1:25 :::* LISTEN 1822/master
[root@mail ~]# ps -C master
PID TTY TIME CMD
1822 ? 00:00:00 master
[root@mail ~]# vim /etc/postfix/main.cf
[root@mail ~]# sed -n "113p;116p;419p" /etc/postfix/main.cf
inet_interfaces = all
#inet_interfaces = localhost
home_mailbox = Maildir/
[root@mail ~]# systemctl restart postfix.service
[root@mail ~]# useradd jim
[root@mail ~]# echo 654321 | passwd --stdin jim
[root@mail ~]# yum -y install telnet
[root@mail ~]# telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 mail.com.cn ESMTP Postfix
helo localhost
250 mail.com.cn
mail from:root@localhost
250 2.1.0 Ok
rcpt to:jim@localhost
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
XXXXX
XXXX
XXX
XX
X
.
250 2.0.0 Ok: queued as BEDA283BDA92
quit
221 2.0.0 Bye
Connection closed by foreign host.
[root@mail ~]# cat /home/jim/Maildir/new/1515047330.Vfd02I4000083M847601.mail.com.cn
Return-Path: <[email protected]>
X-Original-To: jim@localhost
Delivered-To: [email protected]
Received: from localhost (localhost [IPv6:::1])
by mail.com.cn (Postfix) with SMTP id BEDA283BDA92
for <jim@localhost>; Thu, 4 Jan 2018 01:28:07 -0500 (EST)
Message-Id: <[email protected]>
Date: Thu, 4 Jan 2018 01:28:07 -0500 (EST)
From: [email protected]
XXXXX
XXXX
XXX
XX
X
#可以在發送郵件的時候 抓取發郵件的數據包
[root@mail ~]# tcpdump -i eth0 -A tcp port 25
2)搭建並檢測 郵件服務的收取
[root@mail ~]# yum -y install dovecot
[root@mail ~]# rpm -q dovecot
dovecot-2.2.10-5.el7.x86_64
[root@mail ~]# vim /etc/dovecot/conf.d/10-mail.conf
[root@mail ~]# sed -n '24p' /etc/dovecot/conf.d/10-mail.conf
mail_location = maildir:~/Maildir
[root@mail ~]# vim /etc/dovecot/conf.d/10-auth.conf
[root@mail ~]# sed -n '10p' /etc/dovecot/conf.d/10-auth.conf
disable_plaintext_auth = yes#不禁用明文認證
[root@mail ~]# systemctl start dovecot
[root@mail ~]# netstat -pantu | grep :110
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 4924/dovecot
tcp6 0 0 :::110 :::* LISTEN 4924/dovecot
[root@mail ~]# netstat -pantu | grep :143
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 4924/dovecot
tcp6 0 0 :::143 :::* LISTEN 4924/dovecot
[root@mail ~]# telnet localhost 110
Trying ::1...
Connected to localhost.
Escape character is '^]'.
+OK Dovecot ready.
USER jim
+OK
PASS 654321
+OK Logged in.
list
+OK 1 messages:
1 423
.
retr 1
+OK 423 octets
Return-Path: <[email protected]>
X-Original-To: jim@localhost
Delivered-To: [email protected]
Received: from localhost (localhost [IPv6:::1])
by mail.com.cn (Postfix) with SMTP id BEDA283BDA92
for <jim@localhost>; Thu, 4 Jan 2018 01:28:07 -0500 (EST)
Message-Id: <[email protected]>
Date: Thu, 4 Jan 2018 01:28:07 -0500 (EST)
From: [email protected]
XXXXX
XXXX
XXX
XX
X
.
quit
+OK Logging out.
Connection closed by foreign host.
#可以在收取郵件的時候 抓取收郵件的數據包
[root@mail ~]# tcpdump -A -i lo tcp port 110
[root@mail ~]# tcpdump -A -i lo -w /tmp/mail.cap tcp port 110
[root@mail ~]# tcpdump -A -r /tmp/mail.cap | grep user
reading from file /tmp/mail.cap, link-type EN10MB (Ethernet)
.S...R..user jim #這裏可以通過抓包 抓取到郵件的用戶名和密碼 因為當前屬於明文傳輸
[root@mail ~]# tcpdump -A -r /tmp/mail.cap | grep pass
reading from file /tmp/mail.cap, link-type EN10MB (Ethernet)
.S6[.S..pass 654321
二,部署郵件TLS/SSL加密通信服務
1 郵件服務器的配置(192.168.4.2):
[root@mail ~]# systemctl restart postfix
[root@mail ~]# netstat -pantu | grep master
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 5415/master
tcp6 0 0 :::25 :::* LISTEN 5415/master
[root@mail ~]# systemctl restart dovecot
[root@mail ~]# netstat -pantu | grep dovecot
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 5446/dovecot
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 5446/dovecot
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 5446/dovecot
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 5446/dovecot
tcp6 0 0 :::110 :::* LISTEN 5446/dovecot
tcp6 0 0 :::143 :::* LISTEN 5446/dovecot
tcp6 0 0 :::993 :::* LISTEN 5446/dovecot
tcp6 0 0 :::995 :::* LISTEN 5446/dovecot
2 創建私鑰文件:生成證書請求文件 mail.key
[root@mail ~]# cd /etc/pki/tls/private/#默認搜索私鑰目錄
[root@mail private]# openssl genrsa 2048 > mail.key#執行生成私鑰命令
3 創建證書請求文件mail.csr
-req 請求
-new 新文件
-key 私鑰
[root@mail private]# openssl req -new -key mail.key > ~/mail.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN#與CA服務器 match 匹配策略 必須一樣
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:Xuenqlve
Organizational Unit Name (eg, section) []:ope
Common Name (eg, your name or your server's hostname) []:mail#設置為服務域名或者主機名
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
5 上傳證書請求文件給CA服務器(192.168.4.1)
[root@mail ~]# scp ~/mail.csr 192.168.4.1:/tmp
CA服務器的配置(192.168.4.1):
CA服務器具體配置 http://blog.51cto.com/13558754/2057718
6 審核證書請求文件,並簽發數字證書
[root@CA certs]# openssl ca -in /tmp/mail.csr > mail.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/my-ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jan 5 04:52:52 2018 GMT
Not After : Jan 5 04:52:52 2019 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = Xuenqlve
organizationalUnitName = ope
commonName = mail
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
1E:C8:F7:FA:7D:F7:9F:7B:00:03:DC:3B:60:CB:A2:8F:C0:16:04:D1
X509v3 Authority Key Identifier:
keyid:87:06:18:98:79:53:0E:26:0A:91:2D:B9:93:8A:C3:86:2B:CC:DF:E7
Certificate is to be certified until Jan 5 04:52:52 2019 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
註意:審核證書請求文件 報如下的錯誤時:
error while loading serial number
執行如下操作
[root@CA CA]# echo 01 > serial
[root@CA certs]# cat ../index.txt
V190105045252Z01unknown/C=CN/ST=beijing/O=Xuenqlve/OU=ope/CN=mail/[email protected]
[root@CA certs]# cat ../serial
02
7 下發證書給郵件服務器(192.168.4.2)
[root@CA certs]# scp mail.crt 192.168.4.2:/root/
8 配置服務運行時調用私鑰文件 數字證書文件
8.1 配置發郵件服務
[root@mail ~]# vim /etc/postfix/main.cf
添加如下配置
[root@mail ~]# tail -4 /etc/postfix/main.cf
smtpd_use_tls = yes
#smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/pki/tls/private/mail.key
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.crt
[root@mail ~]# cp /root/mail.crt /etc/pki/tls/certs/
[root@mail ~]# systemctl restart postfix.service
[root@mail ~]# netstat -pantu | grep master
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 6461/master
tcp6 0 0 :::25 :::* LISTEN 6461/master
8.2 配置收郵件服務
[root@mail ~]# vim /etc/dovecot/conf.d/10-ssl.conf
添加如下配置
[root@mail ~]# sed -n '14p;15p' /etc/dovecot/conf.d/10-ssl.conf
ssl_cert = </etc/pki/dovecot/certs/mail.crt
ssl_key = </etc/pki/dovecot/private/mail.key
[root@mail ~]# cp /etc/pki/tls/private/mail.key /etc/pki/dovecot/private/mail.key
[root@mail ~]# cp /root/mail.crt /etc/pki/dovecot/certs/mail.crt
[root@mail ~]# systemctl restart dovecot.service
[root@mail ~]# netstat -pantu | grep dovecot
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 6517/dovecot
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 6517/dovecot
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 6517/dovecot
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 6517/dovecot
tcp6 0 0 :::110 :::* LISTEN 6517/dovecot
tcp6 0 0 :::143 :::* LISTEN 6517/dovecot
tcp6 0 0 :::993 :::* LISTEN 6517/dovecot
tcp6 0 0 :::995 :::* LISTEN 6517/dovecot
三.客戶端在軟件裏設置連接郵件服務器時 是否加密協議
使用客戶端軟件時將郵件傳輸方式設置為ssl
傳輸的數據就會進行加密
Liunx 部署郵件TLS/SSL加密通信服務