Deploying a TLS/SSL-encrypted mail service
I. Deploying a plain mail server
1) Set up and test the mail sending service
[root@mail ~]# rpm -q postfix
postfix-2.10.1-6.el7.x86_64
[root@mail ~]# netstat -pantu | grep :25
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1822/master
tcp6 0 0 ::1:25 :::* LISTEN 1822/master
[root@mail ~]# ps -C master
PID TTY TIME CMD
1822 ? 00:00:00 master
[root@mail ~]# vim /etc/postfix/main.cf
[root@mail ~]# sed -n "113p;116p;419p" /etc/postfix/main.cf
inet_interfaces = all
#inet_interfaces = localhost
home_mailbox = Maildir/
[root@mail ~]# systemctl restart postfix.service
[root@mail ~]# useradd jim
[root@mail ~]# echo 654321 | passwd --stdin jim
[root@mail ~]# yum -y install telnet
[root@mail ~]# telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 mail.com.cn ESMTP Postfix
helo localhost
250 mail.com.cn
mail from:root@localhost
250 2.1.0 Ok
rcpt to:jim@localhost
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
XXXXX
XXXX
XXX
XX
X
.
250 2.0.0 Ok: queued as BEDA283BDA92
quit
221 2.0.0 Bye
Connection closed by foreign host.
[root@mail ~]# cat /home/jim/Maildir/new/1515047330.Vfd02I4000083M847601.mail.com.cn
Return-Path: <root@localhost.com.cn>
X-Original-To: jim@localhost
Delivered-To: jim@localhost.com.cn
Received: from localhost (localhost [IPv6:::1])
by mail.com.cn (Postfix) with SMTP id BEDA283BDA92
for <jim@localhost>; Thu, 4 Jan 2018 01:28:07 -0500 (EST)
Message-Id: <20180104062818.BEDA283BDA92@mail.com.cn>
Date: Thu, 4 Jan 2018 01:28:07 -0500 (EST)
From: root@localhost.com.cn
XXXXX
XXXX
XXX
XX
X
# While sending a message, capture the SMTP packets (for the telnet-to-localhost test above, capture on lo rather than eth0)
[root@mail ~]# tcpdump -i eth0 -A tcp port 25
2) Set up and test mail retrieval
[root@mail ~]# yum -y install dovecot
[root@mail ~]# rpm -q dovecot
dovecot-2.2.10-5.el7.x86_64
[root@mail ~]# vim /etc/dovecot/conf.d/10-mail.conf
[root@mail ~]# sed -n '24p' /etc/dovecot/conf.d/10-mail.conf
mail_location = maildir:~/Maildir
[root@mail ~]# vim /etc/dovecot/conf.d/10-auth.conf
[root@mail ~]# sed -n '10p' /etc/dovecot/conf.d/10-auth.conf
disable_plaintext_auth = yes   # do not disable plaintext authentication (author's note); with "yes" Dovecot still accepts plaintext logins from localhost, which it treats as secure, so the local telnet test below works either way
[root@mail ~]# systemctl start dovecot
[root@mail ~]# netstat -pantu | grep :110
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 4924/dovecot
tcp6 0 0 :::110 :::* LISTEN 4924/dovecot
[root@mail ~]# netstat -pantu | grep :143
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 4924/dovecot
tcp6 0 0 :::143 :::* LISTEN 4924/dovecot
[root@mail ~]# telnet localhost 110
Trying ::1...
Connected to localhost.
Escape character is '^]'.
+OK Dovecot ready.
USER jim
+OK
PASS 654321
+OK Logged in.
list
+OK 1 messages:
1 423
.
retr 1
+OK 423 octets
Return-Path: <root@localhost.com.cn>
X-Original-To: jim@localhost
Delivered-To: jim@localhost.com.cn
Received: from localhost (localhost [IPv6:::1])
by mail.com.cn (Postfix) with SMTP id BEDA283BDA92
for <jim@localhost>; Thu, 4 Jan 2018 01:28:07 -0500 (EST)
Message-Id: <20180104062818.BEDA283BDA92@mail.com.cn>
Date: Thu, 4 Jan 2018 01:28:07 -0500 (EST)
From: root@localhost.com.cn
XXXXX
XXXX
XXX
XX
X
.
quit
+OK Logging out.
Connection closed by foreign host.
# While retrieving mail, capture the POP3 packets
[root@mail ~]# tcpdump -A -i lo tcp port 110
[root@mail ~]# tcpdump -A -i lo -w /tmp/mail.cap tcp port 110
[root@mail ~]# tcpdump -A -r /tmp/mail.cap | grep user
reading from file /tmp/mail.cap, link-type EN10MB (Ethernet)
.S...R..user jim   # the username and password can be read straight out of the capture because the session is transmitted in cleartext
[root@mail ~]# tcpdump -A -r /tmp/mail.cap | grep pass
reading from file /tmp/mail.cap, link-type EN10MB (Ethernet)
.S6[.S..pass 654321
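The two greps above find the credentials by hand. As an added example (not part of the original post), the script below does the same check systematically: it reads a `tcpdump -A` text dump, reports every cleartext POP3 USER/PASS, IMAP LOGIN and SMTP AUTH command it sees, and masks the secret so the report can be shared. The sample dump is constructed to mirror the capture shown above; the function and variable names are mine.

```shell
#!/bin/sh
# Added example, not part of the original post: find cleartext mail logins in
# a `tcpdump -A` text dump so a capture can be checked systematically instead
# of grepping for "user" and "pass" by hand. Function and sample names are mine.

# Constructed sample of `tcpdump -A -r mail.cap` output (not a real capture):
# a header line per packet, then its payload with binary bytes shown as dots.
SAMPLE_DUMP='reading from file /tmp/mail.cap, link-type EN10MB (Ethernet)
01:30:01.000001 IP localhost.40000 > localhost.pop3: Flags [P.], seq 1:9
.S...R..USER jim
01:30:01.000002 IP localhost.pop3 > localhost.40000: Flags [P.], seq 1:5
....+OK
01:30:02.000003 IP localhost.40000 > localhost.pop3: Flags [P.], seq 9:21
.S6[.S..PASS 654321
01:30:03.000004 IP localhost.40001 > localhost.imap: Flags [P.], seq 1:25
....a1 LOGIN "jim" "654321"
01:30:04.000005 IP localhost.40002 > localhost.smtp: Flags [P.], seq 1:30
....AUTH PLAIN AGppbQA2NTQzMjE=
01:30:05.000006 IP localhost.40002 > localhost.smtp: Flags [P.], seq 30:40
....RCPT TO:<jim@localhost>'

# scan_dump: read dump text on stdin; print "<service> <command> <detail>" for
# every POP3 USER/PASS, IMAP LOGIN and SMTP AUTH seen in cleartext (the secret
# itself is replaced by ***); return 1 if anything was found, 0 otherwise.
scan_dump() {
    awk '
        BEGIN { svc = "?"; n = 0 }
        # packet header: remember the destination service name or port
        /^[0-9]+:[0-9]+:[0-9]+.* > / {
            svc = $0; sub(/.* > /, "", svc); sub(/: .*/, "", svc); sub(/.*[.]/, "", svc)
            next
        }
        { u = toupper($0) }                     # protocol verbs are case-insensitive
        u ~ /AUTH (PLAIN|LOGIN)/ {              # SMTP AUTH: report the mechanism, never the blob
            m = substr(u, index(u, "AUTH ") + 5); sub(/ .*/, "", m); sub(/\r/, "", m)
            print svc " AUTH " m " ***"; n++; next
        }
        u ~ /PASS / { print svc " PASS ***"; n++; next }
        u ~ /USER / {
            name = substr($0, index(u, "USER ") + 5); sub(/ .*/, "", name); sub(/\r/, "", name)
            print svc " USER " name; n++; next
        }
        u ~ / LOGIN / {                         # IMAP: tag LOGIN "user" "pass"
            rest = substr($0, index(u, " LOGIN ") + 7); gsub(/"/, "", rest); split(rest, f, " ")
            print svc " LOGIN " f[1] " ***"; n++; next
        }
        END { exit (n > 0) }
    '
}

# Stand-alone run: scan the constructed sample
if printf '%s\n' "$SAMPLE_DUMP" | scan_dump; then
    echo "no cleartext credentials in capture"
else
    echo "cleartext credentials found: require TLS before AUTH/LOGIN"
fi
```

Run it against a real dump with `tcpdump -A -r /tmp/mail.cap | sh -c '. ./scan.sh; scan_dump'` or simply paste the function into a shell; a non-zero exit status is the signal that a login crossed the wire unencrypted, which is exactly what the TLS setup in the next section is meant to stop.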
II. Deploying the TLS/SSL-encrypted mail service
1. Mail server configuration (192.168.4.2):
[root@mail ~]# systemctl restart postfix
[root@mail ~]# netstat -pantu | grep master
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 5415/master
tcp6 0 0 :::25 :::* LISTEN 5415/master
[root@mail ~]# systemctl restart dovecot
[root@mail ~]# netstat -pantu | grep dovecot
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 5446/dovecot
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 5446/dovecot
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 5446/dovecot
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 5446/dovecot
tcp6 0 0 :::110 :::* LISTEN 5446/dovecot
tcp6 0 0 :::143 :::* LISTEN 5446/dovecot
tcp6 0 0 :::993 :::* LISTEN 5446/dovecot
tcp6 0 0 :::995 :::* LISTEN 5446/dovecot
2. Create the private key file mail.key
[root@mail ~]# cd /etc/pki/tls/private/   # default directory searched for private keys
[root@mail private]# openssl genrsa 2048 > mail.key   # generate the private key
3. Create the certificate signing request mail.csr
req: the certificate request subcommand
-new: create a new request
-key: the private key the request is signed with
[root@mail private]# openssl req -new -key mail.key > ~/mail.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN   # must match the CA's policy (the policy_match fields must carry the same values as the CA certificate)
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:Xuenqlve
Organizational Unit Name (eg, section) []:ope
Common Name (eg, your name or your server's hostname) []:mail   # set to the service's domain name or hostname
Email Address []:Xuenqlve@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
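The prompts above have to be answered by hand every time. As an added example (not part of the original post), the script below produces the same key and request non-interactively, passing the DN the post types in via `-subj`, and adds two checks worth doing before the request goes to the CA: the key is created with mode 0600 (the post's `openssl genrsa 2048 > mail.key` leaves it world-readable), and the CSR's self-signature and public key are verified against the key. Directory and function names are mine; the DN values are the ones the post enters.

```shell
#!/bin/sh
# Added example, not part of the original post: generate the mail server's
# private key and CSR non-interactively with the DN the post enters at the
# prompts, and verify the result before uploading it to the CA.
# Function and directory names are mine.

# make_key_and_csr DIR: write DIR/mail.key (mode 0600) and DIR/mail.csr
make_key_and_csr() {
    dir=$1
    mkdir -p "$dir" || return 1
    # umask 077 makes the key unreadable to other users from the moment it is
    # created; redirecting genrsa's stdout as the post does leaves it 0644.
    ( umask 077 && openssl genrsa -out "$dir/mail.key" 2048 2>/dev/null ) || return 1
    # -subj replaces the interactive prompts; C/ST/O must match the CA's policy_match
    openssl req -new -key "$dir/mail.key" -out "$dir/mail.csr" \
        -subj "/C=CN/ST=beijing/L=beijing/O=Xuenqlve/OU=ope/CN=mail/emailAddress=Xuenqlve@163.com" \
        2>/dev/null || return 1
}

# csr_subject DIR: print the CSR subject as openssl formats it
csr_subject() {
    openssl req -in "$1/mail.csr" -noout -subject
}

# check_csr DIR: verify the CSR's self-signature and that its public key is the
# one belonging to mail.key; return 0 only if both hold
check_csr() {
    dir=$1
    openssl req -in "$dir/mail.csr" -noout -verify >/dev/null 2>&1 || return 1
    csr_pub=$(openssl req -in "$dir/mail.csr" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$dir/mail.key" -pubout 2>/dev/null)
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# key_mode DIR: print the key file's permission bits (GNU stat, BSD stat fallback)
key_mode() {
    stat -c %a "$1/mail.key" 2>/dev/null || stat -f %Lp "$1/mail.key"
}

# Stand-alone run: build a key and CSR in a temporary directory and check them
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    if make_key_and_csr "$work" && check_csr "$work"; then
        echo "CSR ok: $(csr_subject "$work") (key mode $(key_mode "$work"))"
    else
        echo "CSR generation or verification failed"
    fi
    rm -rf "$work"
else
    echo "openssl not installed; nothing to do"
fi
```

Once `check_csr` passes, `scp` the `.csr` to the CA as in step 5; the `.key` never leaves the mail server.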
5. Upload the certificate request to the CA server (192.168.4.1)
[root@mail ~]# scp ~/mail.csr 192.168.4.1:/tmp
CA server configuration (192.168.4.1):
For the detailed CA server setup, see http://blog.51cto.com/13558754/2057718
6. Review the certificate request and issue the certificate
[root@CA certs]# openssl ca -in /tmp/mail.csr > mail.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/my-ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jan 5 04:52:52 2018 GMT
Not After : Jan 5 04:52:52 2019 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = Xuenqlve
organizationalUnitName = ope
commonName = mail
emailAddress = Xuenqlve@163.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
1E:C8:F7:FA:7D:F7:9F:7B:00:03:DC:3B:60:CB:A2:8F:C0:16:04:D1
X509v3 Authority Key Identifier:
keyid:87:06:18:98:79:53:0E:26:0A:91:2D:B9:93:8A:C3:86:2B:CC:DF:E7
Certificate is to be certified until Jan 5 04:52:52 2019 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Note: if signing the request fails with the following error:
error while loading serial number
run the following:
[root@CA CA]# echo 01 > serial
[root@CA certs]# cat ../index.txt
V190105045252Z01unknown/C=CN/ST=beijing/O=Xuenqlve/OU=ope/CN=mail/emailAddress=Xuenqlve@163.com
[root@CA certs]# cat ../serial
02
7. Deliver the certificate to the mail server (192.168.4.2)
[root@CA certs]# scp mail.crt 192.168.4.2:/root/
8. Configure the services to load the private key and certificate
8.1 Configure the sending service (Postfix)
[root@mail ~]# vim /etc/postfix/main.cf
Append the following configuration
[root@mail ~]# tail -4 /etc/postfix/main.cf
smtpd_use_tls = yes
#smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/pki/tls/private/mail.key
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.crt
[root@mail ~]# cp /root/mail.crt /etc/pki/tls/certs/
[root@mail ~]# systemctl restart postfix.service
[root@mail ~]# netstat -pantu | grep master
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 6461/master
tcp6 0 0 :::25 :::* LISTEN 6461/master
8.2 Configure the retrieval service (Dovecot)
[root@mail ~]# vim /etc/dovecot/conf.d/10-ssl.conf
Add the following configuration
[root@mail ~]# sed -n '14p;15p' /etc/dovecot/conf.d/10-ssl.conf
ssl_cert = </etc/pki/dovecot/certs/mail.crt
ssl_key = </etc/pki/dovecot/private/mail.key
[root@mail ~]# cp /etc/pki/tls/private/mail.key /etc/pki/dovecot/private/mail.key
[root@mail ~]# cp /root/mail.crt /etc/pki/dovecot/certs/mail.crt
[root@mail ~]# systemctl restart dovecot.service
[root@mail ~]# netstat -pantu | grep dovecot
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 6517/dovecot
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 6517/dovecot
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 6517/dovecot
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 6517/dovecot
tcp6 0 0 :::110 :::* LISTEN 6517/dovecot
tcp6 0 0 :::143 :::* LISTEN 6517/dovecot
tcp6 0 0 :::993 :::* LISTEN 6517/dovecot
tcp6 0 0 :::995 :::* LISTEN 6517/dovecot
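Both daemons now offer TLS, but nothing in the settings above forces a client to use it: Postfix keeps `smtpd_tls_auth_only` commented out and `smtpd_use_tls` is the pre-2.3 spelling of `smtpd_tls_security_level`, and Dovecot only refuses cleartext logins when `disable_plaintext_auth = yes` and `ssl = required` are both set. As an added example (not part of the original post), the script below audits those settings in a Postfix `main.cf` and a Dovecot `10-ssl.conf`/`10-auth.conf` fragment. The four configuration samples are constructed: the "weak" ones reproduce what this walkthrough ends up with, the "strict" ones the variant that rejects authentication before TLS. Function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the Postfix and Dovecot
# settings that decide whether a login can still travel in cleartext after TLS
# has been enabled. Function names are mine; the sample configs are constructed.

# get_setting FILE KEY: print the effective value of KEY, i.e. the last
# uncommented "KEY = value" line, as both daemons resolve it (empty if unset)
get_setting() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# audit_dovecot FILE: print each weakness found; return 1 if there were any
audit_dovecot() {
    ok=0
    v=$(get_setting "$1" ssl)
    [ "$v" = required ] || { echo "dovecot: ssl is '$v', not 'required' (cleartext IMAP/POP3 still accepted)"; ok=1; }
    v=$(get_setting "$1" disable_plaintext_auth)
    [ "$v" = yes ] || { echo "dovecot: disable_plaintext_auth is '$v', not 'yes'"; ok=1; }
    for k in ssl_cert ssl_key; do
        v=$(get_setting "$1" "$k")
        case $v in
            "<"*) ;;   # Dovecot reads the file named after "<"
            *) echo "dovecot: $k must be '<path' (value: '$v')"; ok=1 ;;
        esac
    done
    return $ok
}

# audit_postfix FILE: same for Postfix main.cf
audit_postfix() {
    ok=0
    lvl=$(get_setting "$1" smtpd_tls_security_level)
    case $lvl in
        may|encrypt) ;;
        *) echo "postfix: smtpd_tls_security_level is '$lvl'; set 'may' (or 'encrypt' on the submission port) instead of the obsolete smtpd_use_tls"; ok=1 ;;
    esac
    # only matters once smtpd_sasl_auth_enable = yes, but then it is what keeps AUTH behind STARTTLS
    v=$(get_setting "$1" smtpd_tls_auth_only)
    [ "$v" = yes ] || { echo "postfix: smtpd_tls_auth_only is '$v', not 'yes' (AUTH accepted before STARTTLS)"; ok=1; }
    for k in smtpd_tls_cert_file smtpd_tls_key_file; do
        [ -n "$(get_setting "$1" "$k")" ] || { echo "postfix: $k not set"; ok=1; }
    done
    return $ok
}

# write_samples DIR: constructed fragments; "weak" mirrors this walkthrough
write_samples() {
    cat > "$1/dovecot-weak.conf" <<'EOF'
disable_plaintext_auth = no
ssl = yes
ssl_cert = </etc/pki/dovecot/certs/mail.crt
ssl_key = </etc/pki/dovecot/private/mail.key
EOF
    cat > "$1/dovecot-strict.conf" <<'EOF'
disable_plaintext_auth = yes
ssl = required
ssl_cert = </etc/pki/dovecot/certs/mail.crt
ssl_key = </etc/pki/dovecot/private/mail.key
EOF
    cat > "$1/postfix-weak.conf" <<'EOF'
smtpd_use_tls = yes
#smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/pki/tls/private/mail.key
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.crt
EOF
    cat > "$1/postfix-strict.conf" <<'EOF'
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/pki/tls/private/mail.key
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.crt
EOF
}

# Stand-alone run: audit all four samples
demo() {
    d=$(mktemp -d)
    write_samples "$d"
    for f in dovecot-weak dovecot-strict postfix-weak postfix-strict; do
        echo "== $f"
        case $f in
            dovecot*) audit_dovecot "$d/$f.conf" && echo "ok" ;;
            *)        audit_postfix "$d/$f.conf" && echo "ok" ;;
        esac
    done
    rm -rf "$d"
}
demo
```

On a live server, run `audit_postfix /etc/postfix/main.cf` and `audit_dovecot` over the concatenation of `10-auth.conf` and `10-ssl.conf`; the POP3 capture from section I is the end-to-end confirmation, since a strict configuration leaves no `user`/`pass` lines to grep for.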
III. Choosing whether the client connects to the mail server over an encrypted protocol
In the mail client, set the connection type to SSL/TLS; the traffic is then encrypted.