Deploying TLS/SSL-encrypted mail communication services
I. Deploying a plain (unencrypted) mail server
1) Set up and test the mail-sending service (Postfix)
[root@mail ~]# rpm -q postfix
postfix-2.10.1-6.el7.x86_64
[root@mail ~]# netstat -pantu | grep :25
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1822/master
tcp6 0 0 ::1:25 :::* LISTEN 1822/master
[root@mail ~]# ps -C master
PID TTY TIME CMD
1822 ? 00:00:00 master
[root@mail ~]# vim /etc/postfix/main.cf
[root@mail ~]# sed -n "113p;116p;419p" /etc/postfix/main.cf
inet_interfaces = all
#inet_interfaces = localhost
home_mailbox = Maildir/
[root@mail ~]# systemctl restart postfix.service
[root@mail ~]# useradd jim
[root@mail ~]# echo 654321 | passwd --stdin jim
[root@mail ~]# yum -y install telnet
[root@mail ~]# telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 mail.com.cn ESMTP Postfix
helo localhost
250 mail.com.cn
mail from:root@localhost
250 2.1.0 Ok
rcpt to:jim@localhost
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
XXXXX
XXXX
XXX
XX
X
.
250 2.0.0 Ok: queued as BEDA283BDA92
quit
221 2.0.0 Bye
Connection closed by foreign host.
[root@mail ~]# cat /home/jim/Maildir/new/1515047330.Vfd02I4000083M847601.mail.com.cn
Return-Path: <root@localhost.com.cn>
X-Original-To: jim@localhost
Delivered-To: jim@localhost.com.cn
Received: from localhost (localhost [IPv6:::1])
by mail.com.cn (Postfix) with SMTP id BEDA283BDA92
for <jim@localhost>; Thu, 4 Jan 2018 01:28:07 -0500 (EST)
Message-Id: <20180104062818.BEDA283BDA92@mail.com.cn>
Date: Thu, 4 Jan 2018 01:28:07 -0500 (EST)
From: root@localhost.com.cn
XXXXX
XXXX
XXX
XX
X
# Packets of the outgoing mail can be captured while it is being sent:
[root@mail ~]# tcpdump -i eth0 -A tcp port 25
2) Set up and test mail retrieval (Dovecot)
[root@mail ~]# yum -y install dovecot
[root@mail ~]# rpm -q dovecot
dovecot-2.2.10-5.el7.x86_64
[root@mail ~]# vim /etc/dovecot/conf.d/10-mail.conf
[root@mail ~]# sed -n '24p' /etc/dovecot/conf.d/10-mail.conf
mail_location = maildir:~/Maildir
[root@mail ~]# vim /etc/dovecot/conf.d/10-auth.conf
[root@mail ~]# sed -n '10p' /etc/dovecot/conf.d/10-auth.conf
disable_plaintext_auth = yes    # the page's comment reads "plaintext authentication not disabled"; with the value yes, Dovecot refuses plaintext auth only on unencrypted connections, and it treats connections from localhost as secured, which is why the telnet login below still succeeds
[root@mail ~]# systemctl start dovecot
[root@mail ~]# netstat -pantu | grep :110
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 4924/dovecot
tcp6 0 0 :::110 :::* LISTEN 4924/dovecot
[root@mail ~]# netstat -pantu | grep :143
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 4924/dovecot
tcp6 0 0 :::143 :::* LISTEN 4924/dovecot
[root@mail ~]# telnet localhost 110
Trying ::1...
Connected to localhost.
Escape character is '^]'.
+OK Dovecot ready.
USER jim
+OK
PASS 654321
+OK Logged in.
list
+OK 1 messages:
1 423
.
retr 1
+OK 423 octets
Return-Path: <root@localhost.com.cn>
X-Original-To: jim@localhost
Delivered-To: jim@localhost.com.cn
Received: from localhost (localhost [IPv6:::1])
by mail.com.cn (Postfix) with SMTP id BEDA283BDA92
for <jim@localhost>; Thu, 4 Jan 2018 01:28:07 -0500 (EST)
Message-Id: <20180104062818.BEDA283BDA92@mail.com.cn>
Date: Thu, 4 Jan 2018 01:28:07 -0500 (EST)
From: root@localhost.com.cn
XXXXX
XXXX
XXX
XX
X
.
quit
+OK Logging out.
Connection closed by foreign host.
# Packets of the incoming mail can be captured while it is being retrieved:
[root@mail ~]# tcpdump -A -i lo tcp port 110
[root@mail ~]# tcpdump -A -i lo -w /tmp/mail.cap tcp port 110
[root@mail ~]# tcpdump -A -r /tmp/mail.cap | grep user
reading from file /tmp/mail.cap, link-type EN10MB (Ethernet)
.S...R..user jim    # the mail user name and password can be captured here because they are currently transmitted in plaintext
[root@mail ~]# tcpdump -A -r /tmp/mail.cap | grep pass
reading from file /tmp/mail.cap, link-type EN10MB (Ethernet)
.S6[.S..pass 654321
II. Deploying TLS/SSL-encrypted mail communication services
1 Mail server configuration (192.168.4.2):
[root@mail ~]# systemctl restart postfix
[root@mail ~]# netstat -pantu | grep master
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 5415/master
tcp6 0 0 :::25 :::* LISTEN 5415/master
[root@mail ~]# systemctl restart dovecot
[root@mail ~]# netstat -pantu | grep dovecot
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 5446/dovecot
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 5446/dovecot
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 5446/dovecot
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 5446/dovecot
tcp6 0 0 :::110 :::* LISTEN 5446/dovecot
tcp6 0 0 :::143 :::* LISTEN 5446/dovecot
tcp6 0 0 :::993 :::* LISTEN 5446/dovecot
tcp6 0 0 :::995 :::* LISTEN 5446/dovecot
2 Create the private key file mail.key (the certificate request is generated from it in the next step)
[root@mail ~]# cd /etc/pki/tls/private/    # the default directory searched for private keys
[root@mail private]# openssl genrsa 2048 > mail.key    # generate the private key
3 Create the certificate request file mail.csr
req   certificate request subcommand
-new  generate a new request
-key  private key to sign the request with
[root@mail private]# openssl req -new -key mail.key > ~/mail.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN    # must be identical to the CA's value: the CA's match policy requires it
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:Xuenqlve
Organizational Unit Name (eg, section) []:ope
Common Name (eg, your name or your server's hostname) []:mail    # set to the service's domain name or hostname
Email Address []:Xuenqlve@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
5 Upload the certificate request file to the CA server (192.168.4.1)
[root@mail ~]# scp ~/mail.csr 192.168.4.1:/tmp
CA server configuration (192.168.4.1):
Detailed CA server configuration: https://blog.51cto.com/13558754/2057718
6 Review the certificate request file and issue the digital certificate
[root@CA certs]# openssl ca -in /tmp/mail.csr > mail.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/my-ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jan 5 04:52:52 2018 GMT
Not After : Jan 5 04:52:52 2019 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = Xuenqlve
organizationalUnitName = ope
commonName = mail
emailAddress = Xuenqlve@163.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
1E:C8:F7:FA:7D:F7:9F:7B:00:03:DC:3B:60:CB:A2:8F:C0:16:04:D1
X509v3 Authority Key Identifier:
keyid:87:06:18:98:79:53:0E:26:0A:91:2D:B9:93:8A:C3:86:2B:CC:DF:E7
Certificate is to be certified until Jan 5 04:52:52 2019 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Note: if reviewing the certificate request file fails with the following error:
error while loading serial number
run the following:
[root@CA CA]# echo 01 > serial
[root@CA certs]# cat ../index.txt
V190105045252Z01unknown/C=CN/ST=beijing/O=Xuenqlve/OU=ope/CN=mail/emailAddress=Xuenqlve@163.com
[root@CA certs]# cat ../serial
02
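The key, CSR and CA signing steps above, reproduced as an added shell example (not from the original post) that runs offline against a throwaway CA: it reuses the page's DN values, creates the serial file the way the note above describes, and then checks that the issued mail.crt chains to the CA and belongs to mail.key. It assumes openssl is installed and builds the CA with an unencrypted key, unlike the passphrase-protected my-ca.key on the CA server.

```shell
# Added example (not from the original post): the article's steps 2, 3 and 6 as one
# offline run against a minimal private CA, reusing the same DN values. Assumptions:
# openssl on PATH; the CA key is unencrypted (-nodes), unlike the page's my-ca.key.
set -eu
DN_BASE="/C=CN/ST=beijing/O=Xuenqlve"   # the fields policy_match requires to be identical
# issue_mail_cert DIR: build a CA under DIR/ca, then create mail.key, mail.csr and a
# CA-signed mail.crt in DIR; any failing openssl step makes the function fail (set -e).
issue_mail_cert() {
    d=$1; mkdir -p "$d/ca/newcerts" "$d/ca/private"
    : > "$d/ca/index.txt"; echo 01 > "$d/ca/serial"   # the fix for "error while loading serial number"
    cat > "$d/ca/ca.cnf" <<EOF
[ ca ]
default_ca = my_ca
[ my_ca ]
database = $d/ca/index.txt
new_certs_dir = $d/ca/newcerts
serial = $d/ca/serial
certificate = $d/ca/my-ca.crt
private_key = $d/ca/private/my-ca.key
default_md = sha256
policy = policy_match
x509_extensions = srv_ext
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ srv_ext ]
basicConstraints = CA:FALSE
EOF
    # CA side (192.168.4.1 in the article): a self-signed root certificate
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "$DN_BASE/CN=my-ca" \
        -keyout "$d/ca/private/my-ca.key" -out "$d/ca/my-ca.crt" 2>/dev/null
    # Mail server side: step 2 (private key), step 3 (CSR; -subj replaces the prompts)
    openssl genrsa -out "$d/mail.key" 2048 2>/dev/null
    openssl req -new -key "$d/mail.key" -out "$d/mail.csr" \
        -subj "$DN_BASE/OU=ope/CN=mail/emailAddress=Xuenqlve@163.com"
    # Step 6: sign with openssl ca; -batch answers the two y/n prompts with yes
    openssl ca -config "$d/ca/ca.cnf" -batch -days 365 -notext \
        -in "$d/mail.csr" -out "$d/mail.crt"
}
# verify_mail_cert DIR: true when mail.crt chains to the CA and carries mail.key's
# public key, the two checks to run before pointing Postfix and Dovecot at the files.
verify_mail_cert() {
    openssl verify -CAfile "$1/ca/my-ca.crt" "$1/mail.crt" >/dev/null &&
    [ "$(openssl x509 -in "$1/mail.crt" -pubkey -noout)" = "$(openssl pkey -in "$1/mail.key" -pubout)" ]
}
```

After the run, DIR/ca/serial holds 02 and DIR/ca/index.txt holds the V line for /CN=mail, the same state the two cat commands above show on the CA server.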
7 Send the certificate down to the mail server (192.168.4.2)
[root@CA certs]# scp mail.crt 192.168.4.2:/root/
8 Configure the services to load the private key and certificate files at run time
8.1 Configure the mail-sending service (Postfix)
[root@mail ~]# vim /etc/postfix/main.cf
Add the following configuration:
[root@mail ~]# tail -4 /etc/postfix/main.cf
smtpd_use_tls = yes
#smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/pki/tls/private/mail.key
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.crt
[root@mail ~]# cp /root/mail.crt /etc/pki/tls/certs/
[root@mail ~]# systemctl restart postfix.service
[root@mail ~]# netstat -pantu | grep master
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 6461/master
tcp6 0 0 :::25 :::* LISTEN 6461/master
8.2 Configure the mail-retrieval service (Dovecot)
[root@mail ~]# vim /etc/dovecot/conf.d/10-ssl.conf
Add the following configuration:
[root@mail ~]# sed -n '14p;15p' /etc/dovecot/conf.d/10-ssl.conf
ssl_cert = </etc/pki/dovecot/certs/mail.crt
ssl_key = </etc/pki/dovecot/private/mail.key
[root@mail ~]# cp /etc/pki/tls/private/mail.key /etc/pki/dovecot/private/mail.key
[root@mail ~]# cp /root/mail.crt /etc/pki/dovecot/certs/mail.crt
[root@mail ~]# systemctl restart dovecot.service
[root@mail ~]# netstat -pantu | grep dovecot
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 6517/dovecot
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 6517/dovecot
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 6517/dovecot
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 6517/dovecot
tcp6 0 0 :::110 :::* LISTEN 6517/dovecot
tcp6 0 0 :::143 :::* LISTEN 6517/dovecot
tcp6 0 0 :::993 :::* LISTEN 6517/dovecot
tcp6 0 0 :::995 :::* LISTEN 6517/dovecot
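An added example (not from the original post) that audits the settings from 8.1 and 8.2 which decide whether a login can still cross the wire in clear, as the tcpdump capture in Part I showed: it reads the files the way the servers do, so the commented-out smtpd_tls_auth_only line on the page counts as unset, and it writes constructed copies of the three files in both the as-posted form and a hardened form. The ssl = required line in the sample 10-ssl.conf is the stock CentOS 7 line the page does not display, an assumption.

```shell
# Added example (not from the original post): audit the settings in the files the
# article edits that decide whether a login can still cross the wire in clear, as the
# page's tcpdump capture showed. File contents and paths below are constructed.
set -eu

# effective_value FILE KEY: value of KEY on the last uncommented "KEY = value" line of
# FILE (last assignment wins); a commented "#smtpd_tls_auth_only = yes" reads as unset,
# which is what the server applies.
effective_value() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 |
        sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//'
}

# audit_mail_tls MAIN_CF AUTH_CONF SSL_CONF: one PASS/FAIL line per setting; returns
# the number of failures, so 0 means no unencrypted login path remains configured.
audit_mail_tls() {
    fails=0
    for spec in "$1|smtpd_use_tls|yes" "$1|smtpd_tls_auth_only|yes" \
                "$2|disable_plaintext_auth|yes" "$3|ssl|required"; do
        file=${spec%%|*}; rest=${spec#*|}; key=${rest%%|*}; want=${rest#*|}
        got=$(effective_value "$file" "$key")
        if [ "$got" = "$want" ]; then echo "PASS $key = $got"
        else echo "FAIL $key = '${got:-<unset>}' in $file (want $want)"; fails=$((fails + 1)); fi
    done
    return "$fails"
}

# write_samples DIR: constructed copies of the three files. DIR/as_posted mirrors what
# the article shows (smtpd_tls_auth_only still commented out; ssl = required is the
# stock CentOS 7 line the page does not display, an assumption); DIR/hardened fixes it.
write_samples() {
    mkdir -p "$1/as_posted" "$1/hardened"
    printf '%s\n' 'smtpd_use_tls = yes' '#smtpd_tls_auth_only = yes' \
        'smtpd_tls_key_file = /etc/pki/tls/private/mail.key' \
        'smtpd_tls_cert_file = /etc/pki/tls/certs/mail.crt' > "$1/as_posted/main.cf"
    printf '%s\n' 'disable_plaintext_auth = yes' > "$1/as_posted/10-auth.conf"
    printf '%s\n' 'ssl = required' 'ssl_cert = </etc/pki/dovecot/certs/mail.crt' \
        'ssl_key = </etc/pki/dovecot/private/mail.key' > "$1/as_posted/10-ssl.conf"
    cp "$1/as_posted/10-auth.conf" "$1/as_posted/10-ssl.conf" "$1/hardened/"
    # the one change: uncomment smtpd_tls_auth_only so SMTP AUTH, once enabled, is TLS-only
    sed 's/^#smtpd_tls_auth_only/smtpd_tls_auth_only/' "$1/as_posted/main.cf" > "$1/hardened/main.cf"
}
```

Postfix's smtpd_use_tls = yes is the legacy form of smtpd_tls_security_level = may, and smtpd_tls_auth_only only takes effect once smtpd_sasl_auth_enable is set. On the live server, `openssl s_client -starttls smtp -connect 192.168.4.2:25` and `openssl s_client -connect 192.168.4.2:995` show the certificate each service actually presents.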
III. Choosing whether to use an encrypted protocol in the client software when connecting to the mail server
Set the mail transport mode to SSL in the client software, and the transmitted data will be encrypted.
當(dāng)前標(biāo)題:Liunx部署郵件TLS/SSL加密通信服務(wù)-創(chuàng)新互聯(lián)
網(wǎng)頁(yè)URL:http://muchs.cn/article18/dhgodp.html
成都網(wǎng)站建設(shè)公司_創(chuàng)新互聯(lián),為您提供移動(dòng)網(wǎng)站建設(shè)、小程序開發(fā)、服務(wù)器托管、網(wǎng)站導(dǎo)航、虛擬主機(jī)、Google
聲明:本網(wǎng)站發(fā)布的內(nèi)容(圖片、視頻和文字)以用戶投稿、用戶轉(zhuǎn)載內(nèi)容為主,如果涉及侵權(quán)請(qǐng)盡快告知,我們將會(huì)在第一時(shí)間刪除。文章觀點(diǎn)不代表本網(wǎng)站立場(chǎng),如需處理請(qǐng)聯(lián)系客服。電話:028-86922220;郵箱:631063699@qq.com。內(nèi)容未經(jīng)允許不得轉(zhuǎn)載,或轉(zhuǎn)載時(shí)需注明來源: 創(chuàng)新互聯(lián)
猜你還喜歡下面的內(nèi)容