Linux: securing sendmail

火星人 @ 2014-03-08, replies: 0


Mail security

1. Encryption and authentication

1.1 Services provided by sendmail

Sending: smtps

-- Plain SMTP transmits in cleartext

[root@mail ~]# grep smtps /etc/services

smtps 465/tcp # SMTP over SSL (TLS)

[root@mail ~]# sendmail -d0.1 -bv

Version 8.13.8

Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX

MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6

NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS

TCPWRAPPERS USERDB USE_LDAP_INIT

============ SYSTEM IDENTITY (after readcf) ============

(short domain name) $w = mail

(canonical domain name) $j = mail.bj.com

(subdomain name) $m = bj.com

(node name) $k = mail.bj.com

========================================================

Recipient names must be specified

[root@mail ~]#

1.2 Setting up a CA

# SSL secure transport / TLS, the standardized secure transport

[root@mail ~]# cd /etc/pki

[root@mail pki]# vim tls/openssl.cnf

45 dir = /etc/pki/CA # Where everything is kept

87 [ policy_match ]

88 countryName = optional

89 stateOrProvinceName = optional

90 organizationName = optional

[root@mail pki]# cd CA/

[root@mail CA]# mkdir certs newcerts crl

[root@mail CA]# touch index.txt serial

[root@mail CA]# echo "01">serial

[root@mail CA]# openssl genrsa 1024 > private/cakey.pem

Generating RSA private key, 1024 bit long modulus

.......................................

...............

e is 65537 (0x10001)

[root@mail CA]# chmod 600 private/*

[root@mail CA]# openssl req -x509 -new -key private/cakey.pem -out cacert.pem -days 3650

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]:HN

Locality Name (eg, city) [Newbury]:ZZ

Organization Name (eg, company) [My Company Ltd]:ZZU

Organizational Unit Name (eg, section) []:sendmail

Common Name (eg, your name or your server's hostname) []:mail.sh.com

Email Address []:

[root@mail CA]# cd /etc/mail

[root@mail mail]# mkdir certs/

[root@mail mail]# cd certs/

[root@mail certs]# openssl genrsa 1024 >sendmail.key

Generating RSA private key, 1024 bit long modulus

...............

.........................................

e is 65537 (0x10001)

[root@mail certs]# openssl req -new -key sendmail.key -out sendmail.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]:HN

Locality Name (eg, city) [Newbury]:ZZ

Organization Name (eg, company) [My Company Ltd]:ZZU

Organizational Unit Name (eg, section) []:sendmail

Common Name (eg, your name or your server's hostname) []:mail.sh.com

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

-- Issue the certificate

[root@mail certs]# openssl ca -in sendmail.csr -out sendmail.crt

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 1 (0x1)

Validity

Not Before: Sep 15 22:00:40 2011 GMT

Not After : Sep 14 22:00:40 2012 GMT

Subject:

countryName = CN

stateOrProvinceName = HN

organizationName = ZZU

organizationalUnitName = sendmail

commonName = mail.sh.com

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

21:9F:4D:91:74:C6:80:EA:B0:38:F4:F2:8D:68:A7:08:4A:15:7F:92

X509v3 Authority Key Identifier:

keyid:CC:F1:AE:5C:1E:96:41:35:AB:3A:E0:69:7C:52:98:D4:35:D9:8F:C2

Certificate is to be certified until Sep 14 22:00:40 2012 GMT (365 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

[root@mail certs]# cp /etc/pki/CA/cacert.pem ./

[root@mail certs]# chmod 600 *

1.3 Edit the sendmail.mc configuration file

[root@mail CA]# vim /etc/mail/sendmail.mc

-- Enable authentication

39 define(`confAUTH_OPTIONS', `A y')dnl

-- Trusted mechanisms

52 TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

53 define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

-- Enable the certificate

60 define(`confCACERT_PATH', `/etc/mail/certs')dnl

61 define(`confCACERT', `/etc/mail/certs/cacert.pem')dnl

62 define(`confSERVER_CERT', `/etc/mail/certs/sendmail.crt')dnl

63 define(`confSERVER_KEY', `/etc/mail/certs/sendmail.key')dnl

118 DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA')dnl

136 DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl

[root@mail CA]# service sendmail restart

The account's domain must match the domain in the certificate; otherwise the client will not trust it.

2. SASL (Simple Authentication and Security Layer)

A point-to-point mechanism.

2.1 Install authentication

The service is called saslauthd and is not enabled by default.

To test whether authentication is enabled:

-- Reduces spam abuse

[root@mail ~]# yum list all |grep sasl

This system is not registered with RHN.

RHN support will be disabled.

cyrus-sasl.i386 2.1.22-4 installed

cyrus-sasl-devel.i386 2.1.22-4 installed

cyrus-sasl-lib.i386 2.1.22-4 installed

cyrus-sasl-plain.i386 2.1.22-4 installed

[root@mail ~]# chkconfig saslauthd on

[root@mail ~]# chkconfig --list |grep sasl

saslauthd 0:off 1:off 2:on 3:on 4:on 5:on 6:off

[root@mail certs]# service saslauthd start

#vim /etc/mail/sendmail.mc

-- Require authentication on the MTA

118 DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA,M=Ea')dnl

2.2 Describe the authentication method

[root@mail lib]# cd /usr/lib/sasl2

[root@mail sasl2]# vim Sendmail.conf

pwcheck_method:saslauthd

mech_list:login plain -- optional; lists the authentication mechanisms offered.

[root@mail sasl2]# service sendmail restart

2.3 Generate the encoded user credentials

-- base64-encode the values (this is reversible encoding, not encryption); -n strips the trailing newline

[root@mail certs]# echo -n "user5@sh.com"|openssl base64

dXNlcjVAc2guY29t

[root@mail certs]# echo -n "123"|openssl base64

MTIz

2.4 Test authentication

[root@mail sasl2]# telnet mail.sh.com 25

Trying 192.168.101.71...

Connected to mail.sh.com (192.168.101.71).

Escape character is '^]'.

220 mail.sh.com ESMTP Sendmail 8.13.8/8.13.8; Fri, 16 Sep 2011 06:39:13 +0800

helo mail.sh.com

250 mail.sh.com Hello mail.sh.com [192.168.101.71], pleased to meet you

ehlo mail.sh.com

250-mail.sh.com Hello mail.sh.com [192.168.101.71], pleased to meet you

250-ENHANCEDSTATUSCODES

250-PIPELINING

250-8BITMIME

250-SIZE

250-DSN

250-AUTH LOGIN PLAIN -- not present before SASL was enabled; authentication stops unauthorized or nonexistent users from sending mail.

250-STARTTLS

250-DELIVERBY

250 HELP

auth login dXNlcjVAc2guY29t

334 UGFzc3dvcmQ6

MTIz

235 2.0.0 OK Authenticated

mail from:user5@mail.sh.com

250 2.1.0 user5@mail.sh.com... Sender ok

rcpt to :user6@mail.sh.com

250 2.1.5 user6@mail.sh.com... Recipient ok

data

354 Enter mail, end with "." on a line by itself

subject hh

hello user6.

250 2.0.0 p8FMdDZN008247 Message accepted for delivery

quit

221 2.0.0 mail.sh.com closing connection

Connection closed by foreign host.
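The telnet session above sends the AUTH LOGIN tokens on port 25 without STARTTLS, and base64 is reversible encoding rather than encryption, so the password is readable to anyone on the path. The following Python client is an added example, not code from the original post: it reproduces the token encoding and decoding from section 2.3 and authenticates only after STARTTLS has been negotiated and the server certificate verified against the CA file from section 1.2 (the host, account, password and file paths are assumptions).

```python
# Added example, not from the original post. Host, account, password and
# cafile values passed to send_authenticated() are assumptions.
import base64
import smtplib
import ssl


def b64(text: str) -> str:
    """base64 is reversible encoding, not encryption: anyone on the wire can decode it."""
    return base64.b64encode(text.encode()).decode()


def decode_challenge(b64text: str) -> str:
    """Decode a base64 token, e.g. the server's '334 UGFzc3dvcmQ6' prompt."""
    return base64.b64decode(b64text).decode()


def auth_login_fields(user: str, password: str) -> tuple:
    """AUTH LOGIN sends the username and the password as two separate base64 tokens."""
    return b64(user), b64(password)


def auth_plain_initial(user: str, password: str) -> str:
    """AUTH PLAIN packs NUL, authcid, NUL, password into one base64 token (RFC 4616)."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def send_authenticated(host, user, password, cafile, sender, recipient, body):
    """Connect on port 25, upgrade with STARTTLS, then authenticate. The context
    verifies the server certificate against the private CA file and checks the
    hostname against the certificate's CN, so a name mismatch aborts the session."""
    ctx = ssl.create_default_context(cafile=cafile)  # check_hostname=True by default
    with smtplib.SMTP(host, 25, timeout=10) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("server does not offer STARTTLS; refusing to send credentials")
        smtp.starttls(context=ctx)
        smtp.ehlo()  # re-EHLO: AUTH mechanisms are advertised again inside TLS
        smtp.login(user, password)  # smtplib picks PLAIN or LOGIN and base64-encodes
        return smtp.sendmail(sender, recipient, f"Subject: hh\r\n\r\n{body}\r\n")


if __name__ == "__main__":
    # These values reproduce the tokens typed in the telnet session above.
    print(auth_login_fields("user5@sh.com", "123"))  # ('dXNlcjVAc2guY29t', 'MTIz')
    print(decode_challenge("UGFzc3dvcmQ6"))  # Password:
```

Setting `confAUTH_OPTIONS` to `A p y` instead of `A y` makes sendmail withhold LOGIN and PLAIN until a TLS layer is active, which is the behaviour this client insists on.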

2.5 Test receiving on the other side

[root@mail sasl2]# su - user6

[user6@mail ~]$ mail

Mail version 8.1 6/6/93. Type ? for help.

"/var/spool/mail/user6": 2 messages 1 new

1 MAILER-DAEMON@mail.s Thu Sep 15 19:09 13/542 "DON'T DELETE THIS MES"

>N 2 user5@mail.sh.com Fri Sep 16 06:46 13/423

& 2

Message 2:

From user5@mail.sh.com Fri Sep 16 06:46:21 2011

Date: Fri, 16 Sep 2011 06:45:54 +0800

From: user5@mail.sh.com

subject hh

hello user6.

&

3. Packet capture tool

[root@mail ~]# yum list all |grep shark

This system is not registered with RHN.

RHN support will be disabled.

wireshark.i386 1.0.3-4.el5_2 rehl-server

wireshark-gnome.i386 1.0.3-4.el5_2 rehl-server

[root@mail ~]# yum install wireshark

4. Implement IMAPS and POP3S retrieval

4.1 Generate the Dovecot certificate files

[root@mail sasl2]# cd /usr/lib/sasl2

[root@mail sasl2]# mkdir -pv /etc/dovecot/certs

mkdir: created directory `/etc/dovecot'

mkdir: created directory `/etc/dovecot/certs'

[root@mail sasl2]# cd /etc/dovecot/certs/

-- Generate the private key

[root@mail certs]# openssl genrsa 1024 >dovecot.key

Generating RSA private key, 1024 bit long modulus

...................................

...............................

e is 65537 (0x10001)

-- Produce the certificate signing request

[root@mail certs]# openssl req -new -key dovecot.key -out dovecot.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]:HN

Locality Name (eg, city) [Newbury]:ZZ

Organization Name (eg, company) [My Company Ltd]:ZZU

Organizational Unit Name (eg, section) []:sendmail

Common Name (eg, your name or your server's hostname) []:imap.sh.com

-- the domain must match the one the accounts use to send and receive

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

4.2 Issue the certificate

[root@mail certs]# openssl ca -in dovecot.csr -out dovecot.crt

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 2 (0x2)

Validity

Not Before: Sep 15 23:01:08 2011 GMT

Not After : Sep 14 23:01:08 2012 GMT

Subject:

countryName = CN

stateOrProvinceName = HN

organizationName = ZZU

organizationalUnitName = sendmail

commonName = mail.sh.com

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

BB:2C:B9:99:11:D1:E5:85:53:7F:8E:FE:E4:FC:C2:35:95:2E:08:87

X509v3 Authority Key Identifier:

keyid:CC:F1:AE:5C:1E:96:41:35:AB:3A:E0:69:7C:52:98:D4:35:D9:8F:C2

Certificate is to be certified until Sep 14 23:01:08 2012 GMT (365 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

4.3 Edit the Dovecot configuration file

[root@mail certs]# vim /etc/dovecot.conf

protocols = imap imaps pop3 pop3s

-- certificate and key files for the server

92 ssl_cert_file = /etc/dovecot/certs/dovecot.crt

93 ssl_key_file = /etc/dovecot/certs/dovecot.key

[root@mail certs]# chmod 600 *

[root@mail certs]# service dovecot restart

[root@mail certs]# netstat -tulpn |grep dov

4.4 Add the imap DNS record

[root@mail ~]# vim /var/named/chroot/var/named/sh.com.db

$TTL 86400

@ IN SOA ns.sh.com. root.126.com (

44 ; serial (d. adams)

3H ; refresh

15M ; retry

1W ; expiry

1D ) ; minimum

@ IN NS ns.sh.com.

ns IN A 192.168.101.71

mail IN A 192.168.101.71

pop3 IN CNAME mail

smtp IN CNAME mail

imap IN CNAME mail

@ IN MX 10 mail

[root@mail ~]# rndc reload

server reload successful

[root@mail ~]# dig imap.sh.com

4.5 Capture traffic

-- Cleartext capture result

[root@mail certs]# tshark -ni eth0 -R "tcp.srcport eq 110 or tcp.dstport eq 110"

Running as user "root" and group "root". This could be dangerous.

Capturing on eth0

302.590811 192.168.101.213 -> 192.168.101.71 TCP 1101 > 110 [SYN] Seq=0 Win=65535 Len=0 MSS=1460

302.590888 192.168.101.71 -> 192.168.101.213 TCP 110 > 1101 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460

302.591092 192.168.101.213 -> 192.168.101.71 TCP 1101 > 110 [ACK] Seq=1 Ack=1 Win=65535 Len=0

302.591257 192.168.101.71 -> 192.168.101.213 POP Response: OK Dovecot ready.

302.591718 192.168.101.213 -> 192.168.101.71 POP Request: USER user6

302.591753 192.168.101.71 -> 192.168.101.213 TCP 110 > 1101 [ACK] Seq=21 Ack=13 Win=5840 Len=0

302.591877 192.168.101.71 -> 192.168.101.213 POP Response: OK

302.592048 192.168.101.213 -> 192.168.101.71 POP Request: PASS 123

302.600894 192.168.101.71 -> 192.168.101.213 POP Response: OK Logged in.

302.601742 192.168.101.213 -> 192.168.101.71 POP Request: STAT

302.642575 192.168.101.71 -> 192.168.101.213 TCP 110 > 1101 [ACK] Seq=42 Ack=29 Win=5840 Len=0

302.648145 192.168.101.71 -> 192.168.101.213 POP Response: OK 0 0

302.648920 192.168.101.213 -> 192.168.101.71 POP Request: QUIT

302.648973 192.168.101.71 -> 192.168.101.213 TCP 110 > 1101 [ACK] Seq=51 Ack=35 Win=5840 Len=0

302.649177 192.168.101.71 -> 192.168.101.213 POP Response: OK Logging out.

-- Capture result after configuring IMAPS

Server authentication can be any of the offered methods; the login procedure is that the user enters the username and password the first time the client is used.

[root@mail ~]# tshark -ni eth0 -R "tcp.srcport eq 993 or tcp.dstport eq 993"

Running as user "root" and group "root". This could be dangerous.

Capturing on eth0

4.471940 192.168.101.213 -> 192.168.101.71 TLSv1 Application Data

4.471943 192.168.101.213 -> 192.168.101.71 TCP 1147 > 993 [FIN, ACK] Seq=41 Ack=1 Win=64377 Len=0

4.473771 192.168.101.71 -> 192.168.101.213 TCP 993 > 1147 [FIN, ACK] Seq=1 Ack=42 Win=6432 Len=0

4.480719 192.168.101.213 -> 192.168.101.71 TCP 1147 > 993 [ACK] Seq=42 Ack=2 Win=64377 Len=0

48.113729 192.168.101.213 -> 192.168.101.71 TCP 1149 > 993 [SYN] Seq=0 Win=65535 Len=0 MSS=1460

48.113810 192.168.101.71 -> 192.168.101.213 TCP 993 > 1149 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460

48.113889 192.168.101.213 -> 192.168.101.71 TCP 1149 > 993 [ACK] Seq=1 Ack=1 Win=65535 Len=0

48.114100 192.168.101.213 -> 192.168.101.71 SSL Client Hello

48.114119 192.168.101.71 -> 192.168.101.213 TCP 993 > 1149 [ACK] Seq=1 Ack=103 Win=5840 Len=0

48.116103 192.168.101.71 -> 192.168.101.213 TLSv1 Server Hello, Certificate, Server Hello Done

48.116845 192.168.101.213 -> 192.168.101.71 TLSv1 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message

48.118198 192.168.101.71 -> 192.168.101.213 TLSv1 Change Cipher Spec, Encrypted Handshake Message

48.319185 192.168.101.71 -> 192.168.101.213 TLSv1 [TCP Retransmission] Change Cipher Spec, Encrypted Handshake Message

48.319447 192.168.101.213 -> 192.168.101.71 TCP 1149 > 993 [ACK] Seq=285 Ack=823 Win=64713 Len=0

48.319469 192.168.101.71 -> 192.168.101.213 TLSv1 Application Data

48.320517 192.168.101.213 -> 192.168.101.71 TLSv1 Application Data

48.320690 192.168.101.71 -> 192.168.101.213 TLSv1 Application Data

48.321276 192.168.101.213 -> 192.168.101.71 TLSv1 Application Data

48.329138 192.168.101.71 -> 192.168.101.213 TLSv1 Application Data

48.330432 192.168.101.213 -> 192.168.101.71 TLSv1 Application Data

48.330753 192.168.101.71 -> 192.168.101.213 TLSv1 Application Data

48.331100 192.168.101.213 -> 192.168.101.71 TLSv1 Application Data

48.331247 192.168.101.71 -> 192.168.101.213 TLSv1 Application Data

48.331472 192.168.101.213 -> 192.168.101.71 TLSv1 Application Data

48.332986 192.168.101.71 -> 192.168.101.213 TLSv1 Application Data

48.333306 192.168.101.213 -> 192.168.101.71 TLSv1 Application Data
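As an added example (not part of the original post), the following Python scanner reads tshark summary lines like the two captures above and reports every POP3 USER/PASS or IMAP LOGIN command that crossed the wire in the clear, while tallying how many mail frames were TLS-protected; the sample lines are a constructed subset of the captures above.

```python
# Added example, not from the original post: detect cleartext mail logins in
# tshark one-line summaries. SAMPLE is a constructed subset of the captures above.
import re
from collections import Counter

# Summary format tshark printed above: time  src -> dst  proto  info
LINE_RE = re.compile(
    r"^\s*(?P<ts>[\d.]+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+(?P<info>.*)$"
)
# Commands that carry a secret in the clear on POP3 (USER/PASS) and IMAP (LOGIN)
CLEARTEXT_CREDS = re.compile(r"^Request:\s+(USER|PASS|LOGIN)\b")


def scan_capture(lines):
    """Return (findings, counts). findings lists each cleartext credential command;
    counts tallies cleartext mail frames against TLS frames so a reviewer can see
    which service leaks. The secret itself is deliberately not copied into the report."""
    findings = []
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, info = m.group("proto"), m.group("info")
        if proto in ("POP", "IMAP"):
            counts["cleartext_mail_frames"] += 1
            c = CLEARTEXT_CREDS.search(info)
            if c:
                findings.append({"ts": m.group("ts"), "src": m.group("src"),
                                 "dst": m.group("dst"), "command": c.group(1)})
        elif proto in ("SSL", "TLSv1", "TLSv1.2", "TLSv1.3"):
            counts["tls_frames"] += 1
    return findings, counts


# Constructed sample: lines taken from the port 110 and port 993 captures above.
SAMPLE = [
    "302.591718 192.168.101.213 -> 192.168.101.71 POP Request: USER user6",
    "302.591877 192.168.101.71 -> 192.168.101.213 POP Response: OK",
    "302.592048 192.168.101.213 -> 192.168.101.71 POP Request: PASS 123",
    "302.601742 192.168.101.213 -> 192.168.101.71 POP Request: STAT",
    "48.114100 192.168.101.213 -> 192.168.101.71 SSL Client Hello",
    "48.319469 192.168.101.71 -> 192.168.101.213 TLSv1 Application Data",
]

if __name__ == "__main__":
    found, stats = scan_capture(SAMPLE)
    for f in found:
        print(f"cleartext {f['command']} from {f['src']} to {f['dst']} at t={f['ts']}")
    print(dict(stats))  # {'cleartext_mail_frames': 4, 'tls_frames': 2}
```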

This article is from the blog 「一抹茶色陽光」. Please keep this attribution: http://sweetsingle.blog.51cto.com/3429592/741833






http://www.coctec.com/docs/linux/show-post-46678.html