Note: this article is the sequel to "配置簡單帶認證的Sendmail服務器" (Configuring a simple Sendmail server with authentication).
Introduction to STARTTLS
I. SMTP and STARTTLS
By default SMTP carries the username and password across the network in cleartext, which is plainly dangerous. Sendmail addresses this with TLS, which encrypts not only the credentials but also the message itself while it is being transferred. STARTTLS is the ESMTP command (RFC 3207) with which an SMTP session is upgraded to a TLS session; Sendmail supports it, and so do Microsoft Outlook and many other MUAs.
What does STARTTLS provide?
1. Verification of the server's and the client's identity to each other within one e-mail exchange (when both sides present certificates);
2. Encrypted transfer of the message (possible even when identities cannot be verified);
3. Authenticated relaying (a relay decision based on the client's verified certificate);
Because SMTP is a store-and-forward protocol, and the delivery of one message may pass through several SMTP servers, even an MUA that authenticates to the first server on the path and encrypts the message to it cannot make the final recipient's server trust the sender's identity or believe that the message was not altered on the way: TLS protects one hop, not the whole path. The RFCs therefore do not require a public e-mail SMTP server to enforce these properties for mail in transit. On a private network, however, strict authentication and encryption can be enforced by requiring every sender to present a valid certificate, because a certificate can be deployed to every client that needs to send mail.
So although TLS for SMTP does not give the end-to-end guarantees that an HTTPS session gives, encrypting the username and password exchanged in an authentication session between a client and its server is entirely achievable.
II. How STARTTLS works:
1. Sendmail as the server
In an SMTP session the client (another SMTP server, or an end user's MUA) sends EHLO to find out whether the server supports STARTTLS. If it does, the server lists STARTTLS among the extensions in its EHLO reply. The client can then issue the STARTTLS command, the server answers "220 Ready to start TLS", and the TLS handshake takes place; the SMTP dialogue then continues inside the encrypted channel, beginning again with EHLO.
If the client presents a certificate, Sendmail reads the issuer from it and checks it against the CAs it trusts (confCACERT and confCACERT_PATH), tries to match the certificate's common name against the client's hostname, and also checks whether the certificate is listed in its access database. If all of this succeeds, the session continues as a verified one. In practice Sendmail accepts the session even when it cannot verify the client's certificate; the outcome is recorded in the TLS log entry as verify=OK when verification succeeded, verify=FAIL when a certificate was presented but could not be verified, and verify=NO when the client presented no certificate at all.
Even when the client's identity cannot be verified, Sendmail still encrypts the session. A log entry such as "cipher=DHE-RSA-AES256-SHA, bits=256/256" shows that encryption was negotiated successfully. Once the encrypted session is up, the server may authenticate the user with the PLAIN or LOGIN SMTP AUTH mechanisms; the username and password then travel inside the TLS channel, which is what makes these otherwise cleartext mechanisms acceptable and gives the session most of its security.
2. Sendmail as the client
When a Sendmail server relays mail on behalf of end users or of other Sendmail servers, it acts as a client towards other SMTP servers. If the remote server offers STARTTLS, a STARTTLS-capable Sendmail will issue the STARTTLS command and set up the encrypted session even when neither side has a certificate configured; the process is the same as described above.
The log records "STARTTLS=client" (Sendmail acting as client) or "STARTTLS=server" (Sendmail acting as server), together with the protocol version, the verification result, the cipher and the key length.
Installation
This article uses RedHat 9.0 as the example system.
I. Install cyrus-sasl
This article uses the saslauthd authentication service that ships with the system. Check that the following packages are installed; if not, install them first:
1. # rpm -qa | grep cyrus-sasl
cyrus-sasl-devel-2.1.10-4
cyrus-sasl-2.1.10-4
cyrus-sasl-plain-2.1.10-4
cyrus-sasl-md5-2.1.10-4
2. Create Sendmail.conf with the following content. libsasl2 reads it from its own plugin directory: /usr/lib/sasl2/Sendmail.conf for the RedHat cyrus-sasl packages, /usr/local/lib/sasl2/Sendmail.conf for a libsasl built from source. Put it where the libsasl2 that sendmail links against looks, and keep the capital S, since Sendmail registers with SASL under the application name "Sendmail".
pwcheck_method: saslauthd
mech_list: login plain digest-md5
saslauthd only verifies cleartext passwords, so it can back PLAIN and LOGIN but not DIGEST-MD5: a client that picks DIGEST-MD5 from this list will fail unless an auxprop password store such as sasldb2 is also configured. With saslauthd alone, "mech_list: login plain" is the honest setting, with STARTTLS protecting the cleartext mechanisms.
3. Start the service
#service saslauthd start
#chkconfig --level 35 saslauthd on
The testsaslauthd program that comes with cyrus-sasl can confirm that the daemon accepts a system account's password before Sendmail is brought into the picture.
II. Install OpenSSL 0.9.8e
1. Download the package into /usr/local/src:
http://www.openssl.org/source/openssl-0.9.8e.tar.gz
2. Install
#cd /usr/local/src
#tar zxvf openssl-0.9.8e.tar.gz
#cd openssl-0.9.8e
#./config shared zlib
#make
#make test
#make install
#mv /usr/bin/openssl /usr/bin/openssl.OFF
#mv /usr/include/openssl /usr/include/openssl.OFF
#ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
#ln -s /usr/local/ssl/include/openssl /usr/include/openssl
The last four commands put the new openssl binary and headers in front of the RPM-managed ones, so everything built from now on (Sendmail, below) uses 0.9.8e; the system's own shared libraries stay in place and existing packages keep using them. OpenSSL 0.9.8e and RedHat 9 were current in 2007 and have not received security fixes for years; on a supported distribution use its OpenSSL packages instead and leave the /usr/local/ssl paths out of the build options below.
3. Configure the library search path
#echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
#ldconfig -v
4. Check the OpenSSL version to confirm that the installation is correct
#openssl version -a
OpenSSL 0.9.8e 23 Feb 2007
built on: Sat Mar 24 21:24:41 CST 2007
platform: linux-elf
options: bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
OPENSSLDIR: "/usr/local/ssl"
III. Install Sendmail 8.14.0
1. Download the package into /usr/local/src:
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.14.0.tar.gz
2. First check whether an MTA is already running on the host; if so, stop it and remove it, e.g.:
#service sendmail stop
#rpm -e sendmail
3. Install:
Unpack the source package
#cd /usr/local/src
#tar zxvf sendmail.8.14.0.tar.gz
#cd sendmail-8.14.0
Edit the site.config.m4 file
#vi devtools/Site/site.config.m4
Add (dnl lines are comments):
dnl Build with Cyrus SASL v2 for SMTP AUTH and with STARTTLS, using the OpenSSL
dnl installed under /usr/local/ssl.
APPENDDEF(`confENVDEF',`-DSASL=2')dnl
APPENDDEF(`conf_sendmail_LIBS',`-lsasl2')dnl
APPENDDEF(`confINCDIRS',`-I/usr/local/ssl/include')dnl
APPENDDEF(`confLIBDIRS',`-L/usr/local/ssl/lib')dnl
APPENDDEF(`conf_sendmail_ENVDEF',`-DSTARTTLS')dnl
dnl _FFR_SMTP_SSL provides the M=s daemon modifier used for the SMTPS listener on port 465.
APPENDDEF(`conf_sendmail_ENVDEF',`-D_FFR_SMTP_SSL')dnl
APPENDDEF(`conf_sendmail_LIBS',`-lssl -lcrypto')dnl
Compile and install (Build install expects the man page directories to exist, hence the mkdir)
#sh Build
#mkdir -pv /usr/man/man{1,8}
#sh Build install
Copy the cf directory to /usr/share/sendmail
#mkdir -pv /usr/share/sendmail
#cp -a cf /usr/share/sendmail
#cd cf/cf
#cp generic-linux.mc sendmail.mc
Edit sendmail.mc: replace the existing include(`../m4/cf.m4') line with the one below, and add the remaining lines before the MAILER(...) lines at the end of the file (dnl lines are comments):
include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
FEATURE(`access_db')dnl
dnl A: add the AUTH= parameter only for authenticated sessions; p: do not offer
dnl PLAIN and LOGIN until the session is encrypted with STARTTLS; y: no anonymous login.
define(`confAUTH_OPTIONS',`A p y')dnl
define(`confAUTH_MECHANISMS',`LOGIN PLAIN DIGEST-MD5')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5')dnl
define(`confCACERT_PATH',`/etc/mail/certs')dnl
define(`confCACERT',`/etc/mail/certs/cacert.pem')dnl
dnl mysmtp.pem holds both the private key and the certificate, so the same file is named for both.
define(`confSERVER_CERT',`/etc/mail/certs/mysmtp.pem')dnl
define(`confSERVER_KEY',`/etc/mail/certs/mysmtp.pem')dnl
define(`confCLIENT_CERT',`/etc/mail/certs/mysmtp.pem')dnl
define(`confCLIENT_KEY',`/etc/mail/certs/mysmtp.pem')dnl
dnl V would stop the server from asking clients for a certificate; it stays disabled here.
dnl define(`confTLS_SRV_OPTIONS',`V')dnl
FEATURE(`no_default_msa')dnl
dnl E: refuse ETRN. a: every connection must authenticate, which also refuses
dnl unauthenticated MTA-to-MTA mail on port 25; remove the a modifier from this
dnl daemon (and keep it on a separate port 587 MSA daemon) if the host must receive Internet mail.
DAEMON_OPTIONS(`Port=25,Name=MTA,M=Ea')dnl
dnl Implicit TLS (SMTPS) on port 465; needs the _FFR_SMTP_SSL build flag.
DAEMON_OPTIONS(`Family=inet,Port=465,Name=MTA-SSL,M=s')dnl
Install sendmail.cf and submit.cf, and keep a copy of the .mc next to them so the configuration can be regenerated
#make install-cf
#cp sendmail.mc /etc/mail
Add the required user and group (on RedHat 9.0 they already exist)
#groupadd -g 51 -r smmsp
#useradd -u 51 -r -g smmsp -s /sbin/nologin smmsp
Create the required configuration files
#cd /etc/mail
#touch aliases access virtusertable
Add the domains for which this host accepts mail
#echo "benet.org">local-host-names
#echo "mail.benet.org">>local-host-names
配置轉(zhuǎn)發(fā)域
#echo "localhost RELAY" >> access
#echo "127.0.0.1 RELAY" >> access
生成相應(yīng)的數(shù)據(jù)庫文件
#makemap hash access.db
Set the ownership and permissions of the spool directories (already correct on RedHat 9.0)
#mkdir -pv /var/spool/{mail,mqueue,clientmqueue}
#chmod 775 /var/spool/mail
#chown root.mail /var/spool/mail
#chmod 755 /var/spool/mqueue
#chown root.mail /var/spool/mqueue
#chmod 770 /var/spool/clientmqueue
#chown smmsp.smmsp /var/spool/clientmqueue
Since 8.12 the sendmail binary is installed set-group-ID smmsp rather than set-user-ID root, so that the mail submission program runs with no more privilege than it needs; Build install already sets this, and the next two commands restore it. Do not make the binary setuid root (mode 4555).
#chmod 2555 /usr/sbin/sendmail
#chown root.smmsp /usr/sbin/sendmail
IV. Generate the certificates for TLS:
#cd /etc/mail/certs/
Generate the CA key and certificate (create the directory first if it does not exist; the CA key is passphrase-protected, which is fine because it is only used for signing and is never read by sendmail)
# openssl req -new -x509 -keyout cakey.pem -out cacert.pem -days 3650
Generating a 1024 bit RSA private key
...............................++++++
.....++++++
writing new private key to 'cakey.pem'
Enter PEM pass phrase:
Locality Name (eg, city) []:ZZ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:BENET
Organizational Unit Name (eg, section) []:
Generate the Sendmail certificate. Two things about the command below deserve attention: because of -x509 it produces a second self-signed certificate rather than one issued by the CA created a moment ago, so cacert.pem is not its issuer (the CA:TRUE in the output further down confirms this); and the Common Name is left empty, whereas it should be the server's fully qualified hostname (mail.benet.org), since that is what clients and peer MTAs compare against the name they connected to.
# openssl req -nodes -new -x509 -keyout mysmtp.pem -out mysmtp.pem -days 3650
Generating a 1024 bit RSA private key
..++++++
...................................++++++
writing new private key to 'mysmtp.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:HA
Locality Name (eg, city) []:ZZ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:BENET
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:redhat@benet.org
View the certificate contents
# openssl x509 -noout -text -in mysmtp.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
e7:3a:cf:c4:2c:e9:71:8f
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=CN, ST=HA, L=ZZ, O=BENET/emailAddress=redhat@benet.org
Validity
Not Before: Mar 24 14:19:21 2007 GMT
Not After : Mar 21 14:19:21 2017 GMT
Subject: C=CN, ST=HA, L=ZZ, O=BENET/emailAddress=redhat@benet.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:f6:17:f8:27:be:9b:c6:b9:b0:b3:0b:0c:62:c1:
7e:cd:19:80:62:b4:83:91:ec:a3:b1:83:df:77:6f:
12:83:56:94:6c:e3:e0:5a:a7:20:75:60:d3:92:00:
18:9a:e5:fc:3a:27:93:bc:10:60:4b:f3:d1:b4:43:
5c:af:17:f9:de:72:04:3a:8e:12:f1:19:c5:11:28:
9c:08:f6:fe:b0:db:e6:c5:8c:c1:c8:d2:86:f2:0a:
d7:b3:a3:e3:08:d0:5b:8c:5a:03:d7:87:0d:4e:56:
62:2b:54:3c:f7:ea:70:03:53:96:4d:bc:ac:f8:de:
cd:2b:87:6f:24:79:d0:8b:a3
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
C7:1B:1C:D0:58:B2:A7:19:7F:F1:8C:DB:D0:C9:49:24:A4:BA:B3:FA
X509v3 Authority Key Identifier:
keyid:C7:1B:1C:D0:58:B2:A7:19:7F:F1:8C:DB:D0:C9:49:24:A4:BA:B3:FA
DirName:/C=CN/ST=HA/L=ZZ/O=BENET/emailAddress=redhat@benet.org
serial:E7:3A:CF:C4:2C:E9:71:8F
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
a5:c0:58:52:f4:db:76:78:d3:05:d3:36:a9:7e:ef:05:4a:01:
93:3f:64:48:8a:66:36:20:25:c1:b2:93:b6:a4:05:1b:6e:55:
c6:21:ec:70:a1:41:d8:0f:cd:46:d6:8f:f2:e8:48:c2:0d:5f:
9e:2f:dd:af:61:f6:ca:08:16:20:7c:b5:e6:38:58:d8:e7:cd:
92:d9:35:00:93:70:5d:04:d0:4c:d0:33:e6:49:18:30:a7:1b:
0e:3b:d0:3f:82:ce:6e:03:da:96:32:7b:8a:69:9e:8e:0b:8b:
ab:ea:9a:40:c8:b3:a8:f5:62:a5:0e:ab:bf:24:47:aa:02:ef:
61:0f
Restrict the permissions of the certificate file. Without this step sendmail reports a STARTTLS error at startup, because it refuses to use a private key that is readable by other users; cakey.pem deserves the same mode.
#chmod 400 mysmtp.pem
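The following script is an added example and not part of the original article. It does what this section set out to do, but with the CA actually issuing the server certificate: it builds a CA, issues a certificate for the server's hostname (mail.benet.org on this page; any name can be passed in), writes key and certificate into the single mysmtp.pem that confSERVER_CERT/confSERVER_KEY expect, and then runs the checks that sendmail and its peers will effectively perform: that the certificate chains to cacert.pem, that its Common Name is the hostname, that key and certificate belong together, and that the key file is not readable by others. Everything is generated non-interactively with -subj, so no prompts appear. The DN values are taken from the page; the CA name "BENET mail CA", the output directory argument and the extensions (CA:TRUE on the CA, subjectAltName and serverAuth/clientAuth on the server certificate) are my choices.

```shell
#!/bin/sh
# Added example (not from the original article): a CA that actually issues the
# Sendmail certificate, laid out as sendmail.mc expects (cacert.pem, mysmtp.pem).
set -eu

# make_sendmail_certs DIR HOST
#   DIR  output directory (the article uses /etc/mail/certs)
#   HOST the MTA's fully qualified hostname; becomes the certificate CN and SAN
make_sendmail_certs() {
    dir=$1; host=$2
    mkdir -p "$dir"
    old_umask=$(umask); umask 077          # key files never exist world-readable

    # 1. CA key plus self-signed CA certificate (what confCACERT points at).
    openssl req -new -nodes -newkey rsa:2048 -subj "/C=CN/O=BENET/CN=BENET mail CA" \
        -keyout "$dir/cakey.pem" -out "$dir/ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    openssl x509 -req -days 3650 -in "$dir/ca.csr" -signkey "$dir/cakey.pem" \
        -extfile "$dir/ca.ext" -out "$dir/cacert.pem" 2>/dev/null

    # 2. Server key and request; the CN is the name clients and peer MTAs connect to.
    openssl req -new -nodes -newkey rsa:2048 -subj "/C=CN/O=BENET/CN=$host" \
        -keyout "$dir/mysmtp.key" -out "$dir/mysmtp.csr" 2>/dev/null

    # 3. The CA signs it. serverAuth+clientAuth because sendmail presents the same
    #    certificate as confSERVER_CERT and confCLIENT_CERT; the subjectAltName is
    #    where modern TLS clients look for the hostname.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=DNS:%s\n' \
        "$host" > "$dir/mysmtp.ext"
    openssl x509 -req -days 3650 -in "$dir/mysmtp.csr" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial -extfile "$dir/mysmtp.ext" \
        -out "$dir/mysmtp.crt" 2>/dev/null

    # 4. Key + certificate in one file, as confSERVER_KEY/confSERVER_CERT use it.
    cat "$dir/mysmtp.key" "$dir/mysmtp.crt" > "$dir/mysmtp.pem"
    chmod 400 "$dir/mysmtp.pem" "$dir/cakey.pem"
    chmod 644 "$dir/cacert.pem" "$dir/mysmtp.crt"   # public parts, read by the MSP too
    rm -f "$dir/ca.csr" "$dir/ca.ext" "$dir/mysmtp.key" "$dir/mysmtp.csr" "$dir/mysmtp.ext"
    umask "$old_umask"
}

# check_sendmail_certs DIR HOST
#   Returns non-zero on anything that would leave STARTTLS unverifiable or make
#   sendmail refuse the key at startup.
check_sendmail_certs() {
    dir=$1; host=$2
    # chains to the CA that confCACERT hands to clients and peer MTAs
    openssl verify -CAfile "$dir/cacert.pem" "$dir/mysmtp.crt" >/dev/null 2>&1 \
        || { echo "mysmtp.crt is not issued by cacert.pem" >&2; return 1; }
    # the name sendmail and its peers compare with the hostname
    openssl x509 -noout -subject -in "$dir/mysmtp.crt" | grep -q "CN *= *$host" \
        || { echo "certificate CN is not $host" >&2; return 1; }
    # key and certificate inside mysmtp.pem must belong together
    kmod=$(openssl rsa -noout -modulus -in "$dir/mysmtp.pem" 2>/dev/null)
    cmod=$(openssl x509 -noout -modulus -in "$dir/mysmtp.crt")
    [ "$kmod" = "$cmod" ] || { echo "key and certificate do not match" >&2; return 1; }
    # sendmail refuses a key file that is group- or world-readable
    [ "$(ls -l "$dir/mysmtp.pem" | cut -c5-10)" = "------" ] \
        || { echo "mysmtp.pem must be mode 400" >&2; return 1; }
    echo "certificates for $host in $dir: OK"
}

# Usage: sh mkcerts.sh /etc/mail/certs mail.benet.org
if [ "$#" -eq 2 ]; then
    make_sendmail_certs "$1" "$2"
    check_sendmail_certs "$1" "$2"
fi
```

After running it, cacert.pem is the file to hand to clients (Outlook's trusted root store, the confCACERT of peer Sendmail hosts); with it they can verify mysmtp.pem instead of warning about an unknown issuer, and a peer that presents a certificate issued by the same CA shows up as verify=OK in the log. cakey.pem never needs to leave the host that issues certificates.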
V. Start and verify Sendmail
1. Run the following command to check that sendmail was built with SASLv2 authentication (it is, if compiled as above) and with STARTTLS:
# sendmail -d0.1 -bv root
Version 8.14.0
Compiled with: DNSMAP LOG MATCHGECOS MILTER MIME7TO8 MIME8TO7
NAMED_BIND NETINET NETUNIX NEWDB PIPELINING SASLv2 SCANF
STARTTLS USERDB XDEBUG
============ SYSTEM IDENTITY (after readcf) ============
(short domain name) $w = mail
(canonical domain name) $j = mail.benet.org
(subdomain name) $m = benet.org
(node name) $k = mail.benet.org
========================================================
root... deliverable: mailer local, user root
Check that SASLv2 and STARTTLS appear in the "Compiled with:" list. If they do, go on to the next step; otherwise go back over the compilation and installation steps for omissions or errors, or look in the log. The following command, which runs a single SMTP session on standard input with verbose logging, also helps to pin down the problem:
#sendmail -O loglevel=14 -bs
2.啟動(dòng)sendmail,
#sendmail -bd -q30m
注:Sendmail的命令參數(shù)的含義如下:
-b:指定Sendmail在后臺(tái)運(yùn)行,并且監(jiān)聽端口25的請求。
-d:指定Sendmail以Daemon方式運(yùn)行(守護(hù)進(jìn)程)。
-q:當(dāng)Sendmail無法將郵件成功地發(fā)送到目的地時(shí),它會(huì)將郵件保存在隊(duì)列里。該參數(shù)指定郵件在隊(duì)列里保存的時(shí)間。例子里的30m表示保留30分鐘。
3. Check that the AUTH and TLS support is enabled
# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.benet.org ESMTP Sendmail 8.13.8/8.13.8; Sun, 25 Mar 2007 01:46:08 +0800
ehlo localhost
In the EHLO reply, look for a 250-STARTTLS line and a 250-AUTH line listing the mechanisms. If confAUTH_OPTIONS contains the p flag, PLAIN and LOGIN are advertised only once STARTTLS has been completed, so on a cleartext connection the AUTH line shows DIGEST-MD5 alone. Also compare the version in the banner with the one you built: the banner above reads 8.13.8/8.13.8 while sendmail -d0.1 reported 8.14.0, which means a different sendmail binary was answering on port 25 when this transcript was taken. If you see the same, check which sendmail is on the PATH and that the old daemon was really stopped.
VI. Enable IMAP over SSL
1. Check whether the imap package is installed; if not, install it
#rpm -qa |grep imap
imap-2001a-18
imap-devel-2001a-18
2. Enable the imaps service
#chkconfig imaps on
# chkconfig --list imaps
imaps on
3. Restart xinetd
#service xinetd restart
4. Check that port 993 is being listened on:
#netstat -tnlp |grep :993
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 32477/xinetd
七、驗(yàn)正
1.使用outlook客戶端登錄,測試發(fā)信情況,注意如下設(shè)置:
Outlook設(shè)置1
Outlook設(shè)置2
2.查看日志
#tail /var/log/maillog
Mar 25 03:58:55 mail sendmail[1962]: STARTTLS=server, relay=[192.168.1.100], version=TLSv1/SSLv3, verify=NO, cipher=RC4-MD5, bits=128/128
Mar 25 03:58:55 mail sendmail[1962]: AUTH=server, relay=[192.168.1.100], authid=redhat, mech=LOGIN, bits=0
Mar 25 03:58:55 mail sendmail[1962]: l2OJwsnF001962: from=<redhat@benet.org>, size=1700, class=0, nrcpts=1, msgid=, proto=ESMTP, daemon=MTA-SSL, relay=[192.168.1.100]
Mar 25 03:58:55 mail sendmail[1963]: l2OJwsnF001962: to=<root@benet.org>, ctladdr=<redhat@benet.org> (500/500), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=31953, dsn=2.0.0, stat=Sent
Reading these lines: the STARTTLS=server entry with verify=NO means the session was encrypted but the client presented no certificate; the AUTH=server entry for the same process (pid 1962) shows that the LOGIN credentials were sent inside that TLS session, on the port 465 listener (daemon=MTA-SSL). RC4-MD5 at 128 bits is what this 2007 client negotiated; RC4 has since been prohibited in TLS (RFC 7465), so on a current system the accepted cipher list should be restricted on the server side if your Sendmail version provides the CipherList option (confCIPHER_LIST in the .mc).
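The log entries above (and the verify= and cipher= values explained in section II) are the evidence that a given authentication was protected. The shell function below is an added example, not anything from the article: it reads maillog lines on standard input and, for every AUTH=server entry, reports whether a STARTTLS=server entry for the same sendmail process preceded it (if not, the password crossed the network in the clear), whether the client certificate was verified, and whether the negotiated cipher is one that should no longer be accepted (RC4, MD5, DES, export or NULL suites). The sample lines are constructed from the format shown above: the first session is the one logged on this page, the other two pids and sessions are invented for contrast.

```shell
#!/bin/sh
# Added example (not from the original article): audit sendmail's maillog for
# SMTP AUTH sessions that were not, or were only weakly, protected by STARTTLS.

# audit_smtp_auth < maillog
#   One line per AUTH=server entry: pid, relay, authid, mechanism and findings.
#   The sendmail process id ties the STARTTLS= and AUTH= lines of one session together.
audit_smtp_auth() {
    awk '
    # value of "key=..." up to the next comma, or "-" when the key is absent
    function field(line, key,    n) {
        if (!match(line, key "=[^,]*")) return "-"
        n = length(key) + 1
        return substr(line, RSTART + n, RLENGTH - n)
    }
    # every sendmail line carries "sendmail[<pid>]:"
    {
        if (!match($0, /sendmail\[[0-9]+\]/)) next
        pid = substr($0, RSTART + 9, RLENGTH - 10)
    }
    /STARTTLS=server/ {
        verify[pid] = field($0, "verify")
        cipher[pid] = field($0, "cipher")
        next
    }
    /AUTH=server/ {
        findings = ""
        if (!(pid in cipher))
            findings = " PLAINTEXT-CREDENTIALS"           # no TLS before AUTH
        else {
            if (verify[pid] != "OK")
                findings = findings " UNVERIFIED-CLIENT"   # NO = no cert, FAIL = bad cert
            if (cipher[pid] ~ /RC4|MD5|DES|NULL|EXP/)
                findings = findings " WEAK-CIPHER:" cipher[pid]
        }
        printf "%s relay=%s authid=%s mech=%s%s\n", pid, field($0, "relay"),
               field($0, "authid"), field($0, "mech"),
               (findings == "" ? " OK" : findings)
        delete verify[pid]; delete cipher[pid]
    }'
}

# Constructed sample: the first session is the one logged above (port 465 listener,
# no client certificate, RC4-MD5); the other two are invented for contrast.
sample_maillog() {
    cat <<'EOF'
Mar 25 03:58:55 mail sendmail[1962]: STARTTLS=server, relay=[192.168.1.100], version=TLSv1/SSLv3, verify=NO, cipher=RC4-MD5, bits=128/128
Mar 25 03:58:55 mail sendmail[1962]: AUTH=server, relay=[192.168.1.100], authid=redhat, mech=LOGIN, bits=0
Mar 25 04:01:10 mail sendmail[1970]: AUTH=server, relay=[192.168.1.101], authid=bob, mech=PLAIN, bits=0
Mar 25 04:05:02 mail sendmail[1988]: STARTTLS=server, relay=gw.benet.org [192.168.1.5], version=TLSv1/SSLv3, verify=OK, cipher=DHE-RSA-AES256-SHA, bits=256/256
Mar 25 04:05:02 mail sendmail[1988]: AUTH=server, relay=gw.benet.org [192.168.1.5], authid=gw, mech=PLAIN, bits=0
EOF
}

# Usage: sample_maillog | audit_smtp_auth      (or: audit_smtp_auth < /var/log/maillog)
```

A PLAINTEXT-CREDENTIALS finding on a real log is exactly the case the p flag in confAUTH_OPTIONS is meant to make impossible, since with it PLAIN and LOGIN are never offered on an unencrypted connection; seeing one after that flag is set means the mechanism list or the .cf in use is not the one you think.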
This article is from the ChinaUnix blog; the original is at http://blog.chinaunix.net/u2/64038/showart_2125382.html