In the previous post we covered installing sendmail and a sample configuration. As everyone knows, mail handled by a sendmail server is transported in plaintext, which gives the content no protection at all, so this post looks at using a CA to set up POP3S and SMTPS and thereby carry mail encrypted. A second point is that sendmail itself does no authentication: anyone can hand mail to the sendmail server as long as they come from an IP range or domain that is allowed to relay, which needlessly adds to the server's load. We can use SASL to add authentication.
I. Sendmail encryption
First, check the build options:
[root@localhost mail]# sendmail -d0.1 -bv
Version 8.13.8
Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX
MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6
NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS
TCPWRAPPERS USERDB USE_LDAP_INIT
This shows that sendmail 8.13.8 was compiled with STARTTLS, so encryption can be enabled.
CA root certificate request and issuance
1. Edit the relevant paths in the CA configuration file;
[ policy_match ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
2. Generate the CA private key and restrict its file permissions;
3. Generate the self-signed CA root certificate from that private key:
openssl req -new -key private/cakey.pem -x509 -out cacert.pem
With the CA root certificate in place, request a certificate for POP3.
1. The POP3 certificate lives under /etc/dovecot/certs:
[root@163 CA]# mkdir -pv /etc/dovecot/certs
mkdir: created directory `/etc/dovecot'
mkdir: created directory `/etc/dovecot/certs'
[root@163 CA]# cd /etc/dovecot/certs/
[root@163 certs]# openssl genrsa 1024 > dovecot.key
Generating RSA private key, 1024 bit long modulus
..............................++++++
........++++++
e is 65537 (0x10001)
[root@163 certs]#chmod 600 dovecot.key
[root@163 certs]# openssl req -new -key dovecot.key -out dovecot.csr
2. Submit the CSR to the CA and have it issue the certificate: openssl ca -in dovecot.csr -out dovecot.cert
3. Once the certificate has been issued,
edit dovecot's configuration file /etc/dovecot.conf:
protocols = imaps pop3s
ssl_cert_file = /etc/dovecot/certs/dovecot.cert
ssl_key_file = /etc/dovecot/certs/dovecot.key
[root@163 certs]# netstat -tulpn |grep dovecot
tcp 0 0 :::993 :::* LISTEN 4462/dovecot
tcp 0 0 :::995 :::* LISTEN 4462/dovecot
4. After editing the configuration, restart the dovecot service and check the log with tail /var/log/maillog; it starts normally:
[root@163 certs]# service dovecot restart
Stopping Dovecot Imap: [ OK ]
Starting Dovecot Imap: [ OK ]
5. Now test from a client (192.168.142.5) as [email protected], receiving a mail with Outlook. Note that for receiving,
user1's account properties must be set to use an encrypted (SSL) connection for the incoming server:
Install wireshark on the mail server and capture the POP3S traffic:
[root@163 ~]#tshark -ni eth0 -R "tcp.port eq 995"
SMTP certificate request and issuance
[root@163 certs]# mkdir -pv /etc/sendmail/certs
mkdir: created directory `/etc/sendmail'
mkdir: created directory `/etc/sendmail/certs'
[root@163 certs]# cd /etc/sendmail/certs/
[root@163 certs]# openssl genrsa 1024 > sendmail.key
.....++++++
.....................................++++++
[root@163 certs]# chmod 600 sendmail.key
[root@163 certs]# openssl req -new -key sendmail.key -out sendmail.csr
[root@163 certs]# openssl ca -in sendmail.csr -out sendmail.cert
Edit the configuration file:
vim /etc/mail/sendmail.mc
define(`confCACERT_PATH', `/etc/pki/CA')dnl
define(`confCACERT', `/etc/pki/CA/cacert.pem')dnl
define(`confSERVER_CERT', `/etc/sendmail/certs/sendmail.cert')dnl
define(`confSERVER_KEY', `/etc/sendmail/certs/sendmail.key')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
Testing with telnet shows that STARTTLS is now advertised.
Now test from the client 192.168.142.5; in the account settings, under the advanced options, enable the encrypted (SSL) connection for the outgoing server:
Sending works the same way.
II. Authentication
sendmail cannot perform authentication on its own; it relies on SASL (Simple Authentication and Security Layer),
and SASL is provided by the cyrus-sasl packages.
1. Check whether the relevant packages are installed with rpm -qa | grep sasl, and install them if needed:
[root@mailserver sbin]# rpm -qa|grep sasl
cyrus-sasl-2.1.22-5.el5
cyrus-sasl-lib-2.1.22-5.el5
cyrus-sasl-devel-2.1.22-5.el5
cyrus-sasl-plain-2.1.22-5.el5
2. Start the saslauthd service:
[root@mailserver sbin]# service saslauthd start
啟動 saslauthd: [确定]
3. Edit sendmail's configuration file with vim /etc/mail/sendmail.mc.
Change line 39:
39 define(`confAUTH_OPTIONS', `A y')dnl
and uncomment lines 52 and 53:
52 TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
53 define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
Change line 116:
116 DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA,M=Ea')dnl
4. Restart the sendmail service and test with telnet; authentication is now advertised.
5. Now that it is supported, send a mail over telnet to test it; note that the username and password must be base64 encoded.
The mail is sent normally; receiving works as well, so no further screenshots are included.
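The base64 encoding required in the telnet test above is only an encoding, not encryption, which is exactly why the STARTTLS setup in section I matters. The following is an added example (not code from the original post): it builds the AUTH PLAIN argument the telnet test needs and audits a client-side SMTP dialogue to flag credentials that were sent before TLS was active. The dialogues are constructed, not real captures, and the host and user names are assumptions.

```python
import base64
import re

# Constructed dialogues (not real captures), as the client sees them. The first
# mirrors the post's telnet test: AUTH on port 25 with no STARTTLS beforehand.
CLEARTEXT_SESSION = """\
220 163.com ESMTP Sendmail 8.13.8
EHLO client.example
250-163.com Hello [192.168.142.5], pleased to meet you
250-STARTTLS
250 AUTH EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
AUTH PLAIN AHVzZXIxAHNlY3JldA==
235 2.0.0 OK Authenticated
"""
# Same login, but the client upgrades with STARTTLS before authenticating.
TLS_SESSION = CLEARTEXT_SESSION.replace(
    "AUTH PLAIN", "STARTTLS\n220 2.0.0 Ready to start TLS\nAUTH PLAIN", 1)

def auth_plain(user, password):
    """Encode credentials for 'AUTH PLAIN' (RFC 4616): NUL user NUL password, base64."""
    return base64.b64encode(b"\0" + user.encode() + b"\0" + password.encode()).decode()

def audit_session(transcript):
    """Report whether the SMTP AUTH step happened before or after TLS was active."""
    result = {"starttls_offered": False, "tls_active_at_auth": False,
              "mechanism": None, "exposed_user": None}
    tls_active = pending_starttls = False
    for line in transcript.splitlines():
        if re.match(r"250[- ]STARTTLS$", line):
            result["starttls_offered"] = True
        elif line.upper() == "STARTTLS":
            pending_starttls = True
        elif pending_starttls and line.startswith("220"):
            tls_active, pending_starttls = True, False  # server accepted the upgrade
        m = re.match(r"AUTH (\S+)(?: (\S+))?$", line, re.I)
        if m:
            result["mechanism"] = m.group(1).upper()
            result["tls_active_at_auth"] = tls_active
            if not tls_active and result["mechanism"] == "PLAIN" and m.group(2):
                # base64 is reversible: the identity (and password) is recoverable
                parts = base64.b64decode(m.group(2)).split(b"\0")
                if len(parts) == 3:
                    result["exposed_user"] = parts[1].decode(errors="replace")
    return result
```

On the sendmail side, adding the `p` flag to confAUTH_OPTIONS (for example `A p y`) refuses PLAIN and LOGIN until a TLS layer is active, so a client can no longer make the mistake the cleartext dialogue shows.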
6. Testing from the client again, we find that even an existing user can no longer send;
7. Change user1's account properties and tick "My server requires authentication",
and sending works again.
That concludes the experiment; try it for yourself. ^_^
This article was reposted from Liu Yuan's 51CTO blog; original link: http://blog.51cto.com/colynn/1059373