Mail security
1. Encryption and authentication
1.1 Services provided by sendmail
Sending: smtp and smtps
-- SMTP on port 25 transmits everything, including any AUTH credentials, in cleartext; smtps on port 465 wraps the whole session in SSL/TLS. Both STARTTLS and SASLv2 must appear under "Compiled with:" in the sendmail -d0.1 -bv output below, otherwise nothing in this section will work.
[root@mail ~]# grep smtps /etc/services
smtps 465/tcp # SMTP over SSL (TLS)
[root@mail ~]# sendmail -d0.1 -bv
Version 8.13.8
Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX
MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6
NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS
TCPWRAPPERS USERDB USE_LDAP_INIT
============ SYSTEM IDENTITY (after readcf) ============
(short domain name) $w = mail
(canonical domain name) $j = mail.bj.com
(subdomain name) $m = bj.com
(node name) $k = mail.bj.com
========================================================
Recipient names must be specified
[root@mail ~]#
1.2 Build a CA
# SSL secure transport / TLS, the standardised version of SSL; the certificates are set up the same way for both
[root@mail ~]# cd /etc/pki
[root@mail pki]# vim tls/openssl.cnf
dir = /etc/pki/CA # Where everything is kept
[ policy_match ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
-- these three default to "match", which makes openssl ca refuse a request whose C/ST/O differ from the CA's; optional lets this CA sign any request. The 1024-bit RSA keys generated below are what the lab used; modern TLS stacks reject or warn on keys shorter than 2048 bits, so use 2048 or more outside the lab.
[root@mail pki]# cd CA/
[root@mail CA]# mkdir certs newcerts crl
[root@mail CA]# touch index.txt serial
[root@mail CA]# echo "01">serial
[root@mail CA]# openssl genrsa 1024 > private/cakey.pem
Generating RSA private key, 1024 bit long modulus
.......................................++++++
...............++++++
e is 65537 (0x10001)
[root@mail CA]# chmod 600 private/*
[root@mail CA]# openssl req -x509 -new -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HN
Locality Name (eg, city) [Newbury]:ZZ
Organization Name (eg, company) [My Company Ltd]:ZZU
Organizational Unit Name (eg, section) []:sendmail
Common Name (eg, your name or your server's hostname) []:mail.sh.com
Email Address []:
[root@mail CA]# cd /etc/mail
[root@mail mail]# mkdir certs/
[root@mail mail]# cd certs/
[root@mail certs]# openssl genrsa 1024 >sendmail.key
Generating RSA private key, 1024 bit long modulus
...............++++++
.........................................++++++
e is 65537 (0x10001)
[root@mail certs]# openssl req -new -key sendmail.key -out sendmail.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HN
Locality Name (eg, city) [Newbury]:ZZ
Organization Name (eg, company) [My Company Ltd]:ZZU
Organizational Unit Name (eg, section) []:sendmail
Common Name (eg, your name or your server's hostname) []:mail.sh.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
-- sign the request with the CA (the 365-day validity comes from default_days in openssl.cnf)
[root@mail certs]# openssl ca -in sendmail.csr -out sendmail.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Sep 15 22:00:40 2011 GMT
Not After : Sep 14 22:00:40 2012 GMT
Subject:
countryName = CN
stateOrProvinceName = HN
organizationName = ZZU
organizationalUnitName = sendmail
commonName = mail.sh.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
21:9F:4D:91:74:C6:80:EA:B0:38:F4:F2:8D:68:A7:08:4A:15:7F:92
X509v3 Authority Key Identifier:
keyid:CC:F1:AE:5C:1E:96:41:35:AB:3A:E0:69:7C:52:98:D4:35:D9:8F:C2
Certificate is to be certified until Sep 14 22:00:40 2012 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@mail certs]# cp /etc/pki/CA/cacert.pem ./
[root@mail certs]# chmod 600 *
1.3 Edit the configuration file sendmail.mc
[root@mail CA]# vim /etc/mail/sendmail.mc
-- enable authentication
define(`confAUTH_OPTIONS', `A y')dnl
-- A: trust the AUTH= parameter only after a successful authentication; y: refuse mechanisms that allow anonymous login. Add p (`A p y') to refuse LOGIN and PLAIN unless a security layer (STARTTLS) is active; without it the server offers password mechanisms on the cleartext port 25.
-- mechanisms whose authentication is trusted for relaying, and mechanisms offered to clients
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
-- enable the certificates
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/cacert.pem')dnl
define(`confSERVER_CERT', `/etc/mail/certs/sendmail.crt')dnl
define(`confSERVER_KEY', `/etc/mail/certs/sendmail.key')dnl
-- listen on port 25 (STARTTLS available) and on smtps/465; M=s means TLS from the first byte. The smtps line is commented out by default and must be uncommented.
DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
-- the RHEL 5 init script regenerates sendmail.cf from sendmail.mc on restart
[root@mail CA]# service sendmail restart
The host name the client connects to must match the certificate's Common Name (mail.sh.com here), and the client must trust cacert.pem; otherwise the client rejects, or warns about, the server certificate.
2. SASL (Simple Authentication and Security Layer)
A point-to-point mechanism: it authenticates the client to the server it connects to, not the message end to end.
2.1 Install and enable authentication
The service is saslauthd; it is not enabled by default.
To test whether authentication is enabled, look for the AUTH line in the EHLO reply (see 2.4).
-- requiring authentication before the server accepts mail cuts down on spam relayed through it
[root@mail ~]# yum list all |grep sasl
This system is not registered with RHN.
RHN support will be disabled.
cyrus-sasl.i386 2.1.22-4 installed
cyrus-sasl-devel.i386 2.1.22-4 installed
cyrus-sasl-lib.i386 2.1.22-4 installed
cyrus-sasl-plain.i386 2.1.22-4 installed
[root@mail ~]# chkconfig saslauthd on
[root@mail ~]# chkconfig --list |grep sasl
saslauthd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@mail certs]# service saslauthd start
#vim /etc/mail/sendmail.mc
-- require authentication on the MTA (M=E: disable ETRN; M=a: require AUTH before MAIL FROM)
DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA,M=Ea')dnl
2.2 Describe the authentication method
[root@mail lib]# cd /usr/lib/sasl2
[root@mail sasl2]# vim Sendmail.conf
pwcheck_method:saslauthd
mech_list:login plain
-- mech_list is optional; it lists the mechanisms to offer. LOGIN and PLAIN both send the password base64-encoded, i.e. effectively in cleartext, so they should only be offered after STARTTLS.
[root@mail sasl2]# service sendmail restart
2.3 Produce the encoded user credentials
-- base64 is an encoding, not encryption: anyone who captures these strings can decode them. -n drops the trailing newline so it is not encoded along with the value.
[root@mail certs]# echo -n "user5@sh.com"|openssl base64
dXNlcjVAc2guY29t
[root@mail certs]# echo -n "123"|openssl base64
MTIz
2.4 Test authentication
[root@mail sasl2]# telnet mail.sh.com 25
Trying 192.168.101.71...
Connected to mail.sh.com (192.168.101.71).
Escape character is '^]'.
220 mail.sh.com ESMTP Sendmail 8.13.8/8.13.8; Fri, 16 Sep 2011 06:39:13 +0800
helo mail.sh.com
250 mail.sh.com Hello mail.sh.com [192.168.101.71], pleased to meet you
ehlo mail.sh.com
250-mail.sh.com Hello mail.sh.com [192.168.101.71], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH LOGIN PLAIN -- not present before SASL was enabled; requiring authentication stops unknown or non-existent users from sending mail. Note that it is advertised here on the cleartext port 25, before STARTTLS, so a client can send its password in the clear.
250-STARTTLS
250-DELIVERBY
250 HELP
auth login dXNlcjVAc2guY29t
334 UGFzc3dvcmQ6
MTIz
235 2.0.0 OK Authenticated
mail from:user5@mail.sh.com
250 2.1.0 user5@mail.sh.com... Sender ok
rcpt to :user6@mail.sh.com
250 2.1.5 user6@mail.sh.com... Recipient ok
data
354 Enter mail, end with "." on a line by itself
subject hh
hello user6.
250 2.0.0 p8FMdDZN008247 Message accepted for delivery
quit
221 2.0.0 mail.sh.com closing connection
Connection closed by foreign host.
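The EHLO reply in this session advertises AUTH LOGIN PLAIN on port 25 before STARTTLS, so a client that authenticates without first issuing STARTTLS sends its password base64-encoded in the clear. The script below is an added example, not part of the original notes: parse_ehlo() and audit() check a captured EHLO reply (the one above is embedded as constructed sample data) for password mechanisms offered before STARTTLS, and probe() runs the same check live against an MTA with smtplib, verifying the server certificate against a CA file such as /etc/mail/certs/cacert.pem and checking that its name matches the host connected to. The HELO name audit.example, the script name smtp_auth_audit.py and its command-line arguments are assumptions.

```python
"""Audit which SMTP AUTH mechanisms an MTA offers before and after STARTTLS.

Added example, not part of the original notes. Offline part: parse_ehlo() and audit()
work on captured EHLO replies. Live part: probe() talks to a real MTA with smtplib and
verifies the server certificate (chain and name) against a CA file such as cacert.pem.
"""
import re
import smtplib
import ssl
import sys
from typing import Dict, List, Optional

# Mechanisms that transmit the password (base64 is not encryption) and therefore must
# only be offered once STARTTLS is active; sendmail's confAUTH_OPTIONS `p' enforces this.
PLAINTEXT_MECHS = {"LOGIN", "PLAIN"}

EHLO_LINE = re.compile(r"^250[ -](?P<feature>[A-Za-z0-9][A-Za-z0-9_-]*)\s*(?P<params>.*)$")


def parse_ehlo(reply: str) -> Dict[str, str]:
    """Turn a raw EHLO reply into {keyword: params}, the shape smtplib.SMTP.esmtp_features uses.
    The first line is the greeting (250-host Hello ...) and is skipped, as smtplib does."""
    features: Dict[str, str] = {}
    for line in reply.strip().splitlines()[1:]:
        m = EHLO_LINE.match(line.strip())
        if not m:
            continue
        feature, params = m.group("feature").lower(), m.group("params").strip()
        if feature == "auth":  # a server may split its AUTH list over several lines
            features[feature] = (features.get(feature, "") + " " + params).strip()
        else:
            features[feature] = params
    return features


def mechanisms(features: Dict[str, str]) -> set:
    return set(features.get("auth", "").upper().split())


def audit(before_tls: Dict[str, str], after_tls: Optional[Dict[str, str]] = None) -> List[str]:
    """Return findings; an empty list means password mechanisms are only offered under TLS."""
    findings: List[str] = []
    exposed = mechanisms(before_tls) & PLAINTEXT_MECHS
    if exposed:
        findings.append("plaintext AUTH before STARTTLS: " + " ".join(sorted(exposed)))
    if "starttls" not in before_tls:
        findings.append("STARTTLS not offered")
    if after_tls is not None and not mechanisms(after_tls):
        findings.append("no AUTH offered after STARTTLS")
    return findings


def probe(host: str, port: int = 25, cafile: Optional[str] = None,
          helo: str = "audit.example") -> List[str]:
    """Live check. The context verifies the chain against `cafile` and, because
    check_hostname is on by default, that the certificate name matches `host`;
    a mismatch makes starttls() raise ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context(cafile=cafile)
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo(helo)
        before = dict(smtp.esmtp_features)
        after = None
        if smtp.has_extn("starttls"):
            smtp.starttls(context=ctx)
            smtp.ehlo(helo)  # EHLO again: the feature list may change under TLS
            after = dict(smtp.esmtp_features)
    return audit(before, after)


# Constructed sample: the EHLO reply the lab server gave on port 25 in section 2.4
LAB_EHLO = """250-mail.sh.com Hello mail.sh.com [192.168.101.71], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP"""

if __name__ == "__main__":
    if len(sys.argv) > 1:  # python3 smtp_auth_audit.py mail.sh.com /etc/mail/certs/cacert.pem
        print(probe(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None))
    else:
        print(audit(parse_ehlo(LAB_EHLO)))
```

With the lab setting (confAUTH_OPTIONS `A y') audit() reports LOGIN and PLAIN as exposed; after adding `p' the server lists AUTH only in the second EHLO and the result is empty. If starttls() fails with a certificate verification error, the cause is a Common Name that does not match the host name or a CA file the client was not given; a modern OpenSSL may also reject the lab's 1024-bit key, and the fix for that is reissuing with a 2048-bit key, not weakening the client.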
2.5 Check that the recipient received the message
(the line "subject hh" above was typed without "Subject:" and a blank line after the headers, so it arrived as body text rather than as a Subject header)
[root@mail sasl2]# su - user6
[user6@mail ~]$ mail
Mail version 8.1 6/6/93. Type ? for help.
"/var/spool/mail/user6": 2 messages 1 new
1 MAILER-DAEMON@mail.s Thu Sep 15 19:09 13/542 "DON'T DELETE THIS MES"
>N 2 user5@mail.sh.com Fri Sep 16 06:46 13/423
& 2
Message 2:
From user5@mail.sh.com Fri Sep 16 06:46:21 2011
Date: Fri, 16 Sep 2011 06:45:54 +0800
From: user5@mail.sh.com
subject hh
hello user6.
&
3. Packet capture tool
[root@mail ~]# yum list all |grep shark
This system is not registered with RHN.
RHN support will be disabled.
wireshark.i386 1.0.3-4.el5_2 rehl-server
wireshark-gnome.i386 1.0.3-4.el5_2 rehl-server
[root@mail ~]# yum install wireshark
4. IMAPS and POP3S for retrieving mail
4.1 Generate the certificate for dovecot
[root@mail sasl2]# cd /usr/lib/sasl2
[root@mail sasl2]# mkdir -pv /etc/dovecot/certs
mkdir: created directory `/etc/dovecot'
mkdir: created directory `/etc/dovecot/certs'
[root@mail sasl2]# cd /etc/dovecot/certs/
-- generate the private key
[root@mail certs]# openssl genrsa 1024 >dovecot.key
Generating RSA private key, 1024 bit long modulus
...................................++++++
...............................++++++
e is 65537 (0x10001)
-- produce the certificate signing request
[root@mail certs]# openssl req -new -key dovecot.key -out dovecot.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HN
Locality Name (eg, city) [Newbury]:ZZ
Organization Name (eg, company) [My Company Ltd]:ZZU
Organizational Unit Name (eg, section) []:sendmail
Common Name (eg, your name or your server's hostname) []:imap.sh.com
-- the name must be the one clients connect to for receiving mail (imap.sh.com / pop3.sh.com, added to DNS in 4.4); a certificate issued for a different name produces a warning or a failed connection
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
4.2 Issue the certificate
[root@mail certs]# openssl ca -in dovecot.csr -out dovecot.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Sep 15 23:01:08 2011 GMT
Not After : Sep 14 23:01:08 2012 GMT
Subject:
countryName = CN
stateOrProvinceName = HN
organizationName = ZZU
organizationalUnitName = sendmail
commonName = mail.sh.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
BB:2C:B9:99:11:D1:E5:85:53:7F:8E:FE:E4:FC:C2:35:95:2E:08:87
X509v3 Authority Key Identifier:
keyid:CC:F1:AE:5C:1E:96:41:35:AB:3A:E0:69:7C:52:98:D4:35:D9:8F:C2
Certificate is to be certified until Sep 14 23:01:08 2012 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
4.3 Edit the dovecot configuration file
[root@mail certs]# vim /etc/dovecot.conf
protocols = imap imaps pop3 pop3s
-- certificate and key the server presents on imaps (993) and pop3s (995)
ssl_cert_file = /etc/dovecot/certs/dovecot.crt
ssl_key_file = /etc/dovecot/certs/dovecot.key
-- keeping imap and pop3 in protocols leaves the cleartext ports 143 and 110 open; the capture in 4.5 shows the password crossing port 110 in the clear. Either drop them or set disable_plaintext_auth = yes so dovecot refuses USER/PASS and LOGIN until TLS is negotiated.
[root@mail certs]# chmod 600 *
[root@mail certs]# service dovecot restart
[root@mail certs]# netstat -tulpn |grep dov
4.4 Add the imap record to DNS
[root@mail ~]# vim /var/named/chroot/var/named/sh.com.db
$TTL 86400
@ IN SOA ns.sh.com. root.126.com (
44 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
@ IN NS ns.sh.com.
ns IN A 192.168.101.71
mail IN A 192.168.101.71
pop3 IN CNAME mail
smtp IN CNAME mail
imap IN CNAME mail
@ IN MX 10 mail
[root@mail ~]# rndc reload
server reload successful
[root@mail ~]# dig imap.sh.com
4.5 Capture the traffic
-- capture of the cleartext session (POP3 on port 110): user name and password are readable in the packet summary
[root@mail certs]# tshark -ni eth0 -R "tcp.srcport eq 110 or tcp.dstport eq 110"
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
302.590811 192.168.101.213 -> 192.168.101.71 TCP 1101 > 110 [SYN] Seq=0 Win=65535 Len=0 MSS=1460
302.590888 192.168.101.71 -> 192.168.101.213 TCP 110 > 1101 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
302.591092 192.168.101.213 -> 192.168.101.71 TCP 1101 > 110 [ACK] Seq=1 Ack=1 Win=65535 Len=0
302.591257 192.168.101.71 -> 192.168.101.213 POP Response: +OK Dovecot ready.
302.591718 192.168.101.213 -> 192.168.101.71 POP Request: USER user6
302.591753 192.168.101.71 -> 192.168.101.213 TCP 110 > 1101 [ACK] Seq=21 Ack=13 Win=5840 Len=0
302.591877 192.168.101.71 -> 192.168.101.213 POP Response: +OK
302.592048 192.168.101.213 -> 192.168.101.71 POP Request: PASS 123
302.600894 192.168.101.71 -> 192.168.101.213 POP Response: +OK Logged in.
302.601742 192.168.101.213 -> 192.168.101.71 POP Request: STAT
302.642575 192.168.101.71 -> 192.168.101.213 TCP 110 > 1101 [ACK] Seq=42 Ack=29 Win=5840 Len=0
302.648145 192.168.101.71 -> 192.168.101.213 POP Response: +OK 0 0
302.648920 192.168.101.213 -> 192.168.101.71 POP Request: QUIT
302.648973 192.168.101.71 -> 192.168.101.213 TCP 110 > 1101 [ACK] Seq=51 Ack=35 Win=5840 Len=0
302.649177 192.168.101.71 -> 192.168.101.213 POP Response: +OK Logging out.
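The capture above shows USER user6 and PASS 123 crossing port 110 as readable text, and the AUTH LOGIN exchange in 2.4 is no better: dXNlcjVAc2guY29t and MTIz decode straight back to user5@sh.com and 123. The script below is an added example, not part of the original notes. It runs over a cleartext session, either a tshark summary like the one above or a telnet transcript like the one in 2.4, and pulls out POP3 USER/PASS pairs and SMTP AUTH LOGIN and AUTH PLAIN credentials. The sample lines embedded in it are constructed from those two sessions plus an AUTH PLAIN token for the same account, which the original notes do not contain.

```python
"""Pull credentials out of a cleartext mail session (telnet transcript or tshark summary).

Added example, not from the original notes. Demonstrates that POP3 USER/PASS and SMTP
AUTH LOGIN / AUTH PLAIN send the password in the clear: base64 is an encoding, not
encryption, so a capture on port 110 or 25 yields the password directly.
"""
import base64
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# tshark summary lines end with e.g. "POP Request: USER user6" or "SMTP C: AUTH LOGIN"
TSHARK_RE = re.compile(r"\b(?:SMTP|POP|IMAP)\s+(?P<dir>Request|Response|C|S):\s*(?P<payload>.*)$")
# lines a mail server sends: SMTP "250-..." / "334 ..." or POP3 "+OK" / "-ERR"
SERVER_RE = re.compile(r"^(?:\d{3}[ -]|\+OK|-ERR)")


@dataclass
class Credential:
    protocol: str
    username: str
    password: str


def client_line(raw: str) -> Optional[str]:
    """Return the client's command text, or None for server replies and noise."""
    m = TSHARK_RE.search(raw)
    if m:
        return m.group("payload").strip() if m.group("dir") in ("Request", "C") else None
    s = raw.strip()
    if not s or SERVER_RE.match(s):
        return None
    return s


def decode_b64(token: str) -> Optional[str]:
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError: not base64, or bad padding
        return None


def parse_plain(token: str) -> Optional[Credential]:
    """AUTH PLAIN sends a single token: base64("authzid\\0authcid\\0password")."""
    text = decode_b64(token)
    if text is None or text.count("\0") != 2:
        return None
    _authzid, authcid, password = text.split("\0")
    return Credential("smtp-auth-plain", authcid, password)


def extract_credentials(lines: Iterable[str]) -> List[Credential]:
    found: List[Credential] = []
    state: Optional[str] = None  # pending step of a multi-line AUTH exchange
    login_user: Optional[str] = None
    pop_user: Optional[str] = None
    for raw in lines:
        line = client_line(raw)
        if line is None:
            continue
        if state == "login-user":  # client answers the "Username:" challenge
            login_user, state = decode_b64(line), "login-pass"
            continue
        if state == "login-pass":  # client answers the "Password:" challenge
            if login_user is not None:
                found.append(Credential("smtp-auth-login", login_user, decode_b64(line) or ""))
            login_user, state = None, None
            continue
        if state == "plain":  # token follows a bare "AUTH PLAIN"
            cred = parse_plain(line)
            if cred:
                found.append(cred)
            state = None
            continue
        verb, _, arg = line.partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb == "USER":  # POP3: PASS must directly follow USER
            pop_user = arg
        elif verb == "PASS" and pop_user is not None:
            found.append(Credential("pop3", pop_user, arg))
            pop_user = None
        elif verb == "AUTH":
            mech, _, initial = arg.partition(" ")
            mech, initial = mech.upper(), initial.strip()
            if mech == "PLAIN":
                if initial:
                    cred = parse_plain(initial)
                    if cred:
                        found.append(cred)
                else:
                    state = "plain"
            elif mech == "LOGIN":
                if initial:  # the telnet session in 2.4 sends the user name with the command
                    login_user, state = decode_b64(initial), "login-pass"
                else:
                    state = "login-user"
    return found


# Constructed sample: the port-110 capture from 4.5, the AUTH LOGIN exchange from 2.4,
# and an AUTH PLAIN token for the same user5@sh.com / 123 (not in the original notes).
SAMPLE_CAPTURE = [
    "302.591257 192.168.101.71 -> 192.168.101.213 POP Response: +OK Dovecot ready.",
    "302.591718 192.168.101.213 -> 192.168.101.71 POP Request: USER user6",
    "302.591877 192.168.101.71 -> 192.168.101.213 POP Response: +OK",
    "302.592048 192.168.101.213 -> 192.168.101.71 POP Request: PASS 123",
    "302.600894 192.168.101.71 -> 192.168.101.213 POP Response: +OK Logged in.",
    "ehlo mail.sh.com",
    "250-mail.sh.com Hello mail.sh.com [192.168.101.71], pleased to meet you",
    "250-AUTH LOGIN PLAIN",
    "250 HELP",
    "auth login dXNlcjVAc2guY29t",
    "334 UGFzc3dvcmQ6",
    "MTIz",
    "235 2.0.0 OK Authenticated",
    "AUTH PLAIN AHVzZXI1QHNoLmNvbQAxMjM=",
    "235 2.0.0 OK Authenticated",
]

if __name__ == "__main__":
    for c in extract_credentials(SAMPLE_CAPTURE):
        print(f"{c.protocol}: {c.username} / {c.password}")
```

The same logic applied to the port-993 capture that follows finds nothing, because after the handshake every client command is inside a TLS Application Data record.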
-- capture after switching the client to imaps (port 993)
In the mail client any of the server authentication options will do; on first use the user is asked for the user name and password. In the capture only the TLS handshake and Application Data records are visible: the LOGIN command and the password are inside the encrypted stream.
[root@mail ~]# tshark -ni eth0 -R "tcp.srcport eq 993 or tcp.dstport eq 993"
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
4.471940 192.168.101.213 -> 192.168.101.71 TLSv1 Application Data
4.471943 192.168.101.213 -> 192.168.101.71 TCP 1147 > 993 [FIN, ACK] Seq=41 Ack=1 Win=64377 Len=0
4.473771 192.168.101.71 -> 192.168.101.213 TCP 993 > 1147 [FIN, ACK] Seq=1 Ack=42 Win=6432 Len=0
4.480719 192.168.101.213 -> 192.168.101.71 TCP 1147 > 993 [ACK] Seq=42 Ack=2 Win=64377 Len=0
48.113729 192.168.101.213 -> 192.168.101.71 TCP 1149 > 993 [SYN] Seq=0 Win=65535 Len=0 MSS=1460
48.113810 192.168.101.71 -> 192.168.101.213 TCP 993 > 1149 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
48.113889 192.168.101.213 -> 192.168.101.71 TCP 1149 > 993 [ACK] Seq=1 Ack=1 Win=65535 Len=0
48.114100 192.168.101.213 -> 192.168.101.71 SSL Client Hello
48.114119 192.168.101.71 -> 192.168.101.213 TCP 993 > 1149 [ACK] Seq=1 Ack=103 Win=5840 Len=0
48.116103 192.168.101.71 -> 192.168.101.213 TLSv1 Server Hello, Certificate, Server Hello Done
48.116845 192.168.101.213 -> 192.168.101.71 TLSv1 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
48.118198 192.168.101.71 -> 192.168.101.213 TLSv1 Change Cipher Spec, Encrypted Handshake Message
48.319185 192.168.101.71 -> 192.168.101.213 TLSv1 [TCP Retransmission] Change Cipher Spec, Encrypted Handshake Message
48.319447 192.168.101.213 -> 192.168.101.71 TCP 1149 > 993 [ACK] Seq=285 Ack=823 Win=64713 Len=0
48.319469 192.168.101.71 -> 192.168.101.213 TLSv1 Application Data
48.320517 192.168.101.213 -> 192.168.101.71 TLSv1 Application Data
48.320690 192.168.101.71 -> 192.168.101.213 TLSv1 Application Data
48.321276 192.168.101.213 -> 192.168.101.71 TLSv1 Application Data
48.329138 192.168.101.71 -> 192.168.101.213 TLSv1 Application Data
48.330432 192.168.101.213 -> 192.168.101.71 TLSv1 Application Data
48.330753 192.168.101.71 -> 192.168.101.213 TLSv1 Application Data
48.331100 192.168.101.213 -> 192.168.101.71 TLSv1 Application Data
48.331247 192.168.101.71 -> 192.168.101.213 TLSv1 Application Data
48.331472 192.168.101.213 -> 192.168.101.71 TLSv1 Application Data
48.332986 192.168.101.71 -> 192.168.101.213 TLSv1 Application Data
48.333306 192.168.101.213 -> 192.168.101.71 TLSv1 Application Data