Sendmail Security
I. Configuring STARTTLS
1. Create the certificate authority
[root@mail ~]# cd /etc/pki/
[root@mail pki]# vim tls/openssl.cnf
[root@mail pki]# cd CA
[root@mail CA]# pwd
/etc/pki/CA
[root@mail CA]# mkdir crl certs newcerts
[root@mail CA]# touch index.txt serial
[root@mail CA]# echo "01" >serial
[root@mail CA]# openssl genrsa 1024 >private/cakey.pem
Generating RSA private key, 1024 bit long modulus
......................................++++++
.........................................................++++++
e is 65537 (0x10001)
[root@mail CA]# chmod 600 private/*
[root@mail CA]#
[root@mail CA]# pwd
/etc/pki/CA
[root@mail CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
Note: the transcript uses 1024-bit RSA keys, which were common in 2012 but are too weak today; use at least 2048 bits (and SHA-256 signatures) for both the CA key and the server keys.
2. Issue a certificate for Sendmail
[root@mail mail]# pwd
/etc/mail
[root@mail mail]# mkdir certs
[root@mail mail]# cd certs
[root@mail certs]# openssl genrsa 1024 >Sendmail.key
Generating RSA private key, 1024 bit long modulus
....................++++++
........++++++
e is 65537 (0x10001)
[root@mail certs]# openssl req -new -key Sendmail.key -out Sendmail.csr
[root@mail certs]# openssl ca -in Sendmail.csr -out Sendmail.cert
[root@mail certs]# pwd
/etc/mail/certs
[root@mail certs]# cp /etc/pki/CA/cacert.pem ./
[root@mail certs]# chmod 600 *
[root@mail certs]# cd ..
[root@mail mail]# vim sendmail.mc
(point confCACERT_PATH, confCACERT, confSERVER_CERT and confSERVER_KEY at the files in /etc/mail/certs, then regenerate sendmail.cf with make -C /etc/mail and restart sendmail)
3. Testing Sendmail
[root@mail mail]# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to mail.bj.com (127.0.0.1).
Escape character is '^]'.
220 mail.bj.com ESMTP Sendmail 8.13.8/8.13.8; Tue, 20 Mar 2012 11:30:14 +0800
EHLO 127.0.0.1
250-mail.bj.com Hello mail.bj.com [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS   <- STARTTLS is now advertised
250-DELIVERBY
250 HELP
Test from a client host as well. Keep in mind that 250-STARTTLS only shows the extension is switched on; it says nothing about whether the certificate presented is the one issued above or whether clients can verify it against cacert.pem.
4. Issue a certificate for Dovecot
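Steps 1 to 3 as one script, added here as an example rather than taken from the page: it recreates the CA layout and issues the Sendmail certificate with `openssl ca` in a scratch directory, prints the sendmail.mc lines the `vim sendmail.mc` step needs, verifies the issued certificate against the CA, and checks the live STARTTLS handshake, which `telnet` plus `EHLO` cannot do. The 2048-bit keys, SHA-256, the self-written CA config (instead of editing /etc/pki/tls/openssl.cnf), the extension sections v3_ca/v3_server and the CA name "bj.com private CA" are assumptions; the file names, the host mail.bj.com and the sendmail.mc macros are the page's.

```shell
#!/bin/sh
# Added example, not from the original page: sections 1-3 of the page as one
# non-interactive script that runs in a scratch directory, plus the checks
# the telnet/EHLO test cannot perform. Assumptions (not from the page):
# 2048-bit keys and SHA-256 instead of the 1024-bit keys in the transcript;
# a small CA config written here instead of editing /etc/pki/tls/openssl.cnf;
# extension sections v3_ca/v3_server; "bj.com private CA" as the CA name.
# File names, the host mail.bj.com and the sendmail.mc macros are the page's.
set -e

# make_ca DIR : the section-1 layout (index.txt, serial, newcerts, ...) plus
# the CA key and the self-signed CA certificate.
make_ca() {
    dir=$1
    mkdir -p "$dir/private" "$dir/newcerts" "$dir/certs" "$dir/crl"
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $dir
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
serial          = \$dir/serial
default_md      = sha256
default_days    = 365
policy          = policy_cn
[ policy_cn ]
commonName      = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName      = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:mail.bj.com
EOF
    openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null
    chmod 600 "$dir/private/cakey.pem"
    openssl req -new -x509 -config "$dir/ca.cnf" -extensions v3_ca \
        -key "$dir/private/cakey.pem" -days 3650 \
        -subj "/CN=bj.com private CA" -out "$dir/cacert.pem"
}

# issue_server_cert CADIR OUTDIR : section 2 -- key, CSR, "openssl ca" signing,
# CA certificate copied next to it. Only the private key needs mode 600.
issue_server_cert() {
    ca=$1; out=$2
    mkdir -p "$out"
    openssl genrsa -out "$out/Sendmail.key" 2048 2>/dev/null
    chmod 600 "$out/Sendmail.key"
    openssl req -new -config "$ca/ca.cnf" -key "$out/Sendmail.key" \
        -subj "/CN=mail.bj.com" -out "$out/Sendmail.csr"
    openssl ca -batch -notext -config "$ca/ca.cnf" -extensions v3_server \
        -in "$out/Sendmail.csr" -out "$out/Sendmail.cert"
    cp "$ca/cacert.pem" "$out/cacert.pem"
}

# verify_issued OUTDIR : the certificate must chain to our CA and name the
# host clients connect to; "250-STARTTLS" in the EHLO reply proves neither.
verify_issued() {
    openssl verify -CAfile "$1/cacert.pem" "$1/Sendmail.cert" >/dev/null &&
        openssl x509 -in "$1/Sendmail.cert" -noout -text | grep -q 'DNS:mail.bj.com'
}

# sendmail_tls_mc CERTDIR : the lines the page's "vim sendmail.mc" step adds;
# afterwards run "make -C /etc/mail" and "service sendmail restart".
sendmail_tls_mc() {
    cat <<EOF
define(\`confCACERT_PATH', \`$1')dnl
define(\`confCACERT', \`$1/cacert.pem')dnl
define(\`confSERVER_CERT', \`$1/Sendmail.cert')dnl
define(\`confSERVER_KEY', \`$1/Sendmail.key')dnl
EOF
}

# check_starttls HOST CAFILE : live check against the running server (not part
# of the self-test): the handshake must succeed AND verify against our CA.
check_starttls() {
    openssl s_client -starttls smtp -connect "$1:25" -CAfile "$2" </dev/null 2>/dev/null |
        grep -q 'Verify return code: 0 (ok)'
}
```

Run `make_ca /etc/pki/CA` and `issue_server_cert /etc/pki/CA /etc/mail/certs` on the server, append the output of `sendmail_tls_mc /etc/mail/certs` to sendmail.mc, and after the restart run `check_starttls mail.bj.com /etc/mail/certs/cacert.pem` from a client that trusts cacert.pem; a non-zero exit means the handshake failed or the certificate did not verify, even though EHLO may still list STARTTLS.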
[root@mail mail]# mkdir -pv /etc/dovecot/certs
mkdir: created directory `/etc/dovecot'
mkdir: created directory `/etc/dovecot/certs'
[root@mail mail]# cd /etc/dovecot/certs/
[root@mail certs]# openssl genrsa 1024 >dovecot.key
Generating RSA private key, 1024 bit long modulus
.......................................................................................++++++
........++++++
e is 65537 (0x10001)
[root@mail certs]#
[root@mail certs]# openssl req -new -key dovecot.key -out dovecot.csr
[root@mail certs]# openssl ca -in dovecot.csr -out dovecot.cert
[root@mail certs]# chmod 600 *
[root@mail certs]# vim /etc/dovecot.conf
(set ssl_cert_file = /etc/dovecot/certs/dovecot.cert and ssl_key_file = /etc/dovecot/certs/dovecot.key)
[root@mail certs]# service dovecot restart
Stopping Dovecot Imap: [ OK ]
Starting Dovecot Imap: [ OK ]
[root@mail certs]# netstat -tupln |grep dovecot
tcp 0 0 :::993 :::* LISTEN 3660/dovecot
tcp 0 0 :::110 :::* LISTEN 3660/dovecot
tcp 0 0 :::143 :::* LISTEN 3660/dovecot
[root@mail certs]#
5. Testing Dovecot
Install the Wireshark capture tools (tshark):
[root@mail ~]# yum install wireshark.i386
[root@mail ~]# tshark -ni eth0 -R "tcp.dstport eq 110"
[root@mail ~]# tshark -ni eth0 -R "tcp.dstport eq 993"
Log in from a client while each capture runs: on port 110 (plain POP3) the USER and PASS commands, password included, are visible in the capture; on port 993 (IMAP over TLS) only the TLS handshake and encrypted records appear. Note that 995 (POP3S) is not listening above, so POP3 clients must use STARTTLS on 110 or stay in the clear.
II. Configuring SASL
To make this as secure as possible, enable SASL so that users are authenticated. SASL is not enabled by default, so anyone who can reach port 25 can submit mail as any user, because SMTP itself never checks who the sender is.
1. Check the installed SASL components (package and service names are lowercase: cyrus-sasl, saslauthd)
[root@mail Server]# pwd
/mnt/cdrom/Server
[root@mail Server]# rpm -qa|grep sasl
cyrus-sasl-lib-2.1.22-5.el5
cyrus-sasl-2.1.22-5.el5
cyrus-sasl-devel-2.1.22-5.el5
cyrus-sasl-plain-2.1.22-5.el5
[root@mail Server]#
[root@mail ~]# service saslauthd start
Starting saslauthd: [ OK ]
[root@mail ~]#
[root@mail Server]# chkconfig --list|grep sasl
saslauthd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[root@mail Server]# chkconfig saslauthd on
[root@mail Server]# chkconfig --list|grep sasl
saslauthd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@mail Server]#
[root@mail Server]# rpm -qc cyrus-sasl
/etc/rc.d/init.d/saslauthd
/etc/sysconfig/saslauthd
[root@mail Server]#
2. Edit the SASL configuration files
[root@mail ~]# cd /usr/lib/sasl2/
[root@mail sasl2]# vim Sendmail.conf
(this file must contain pwcheck_method:saslauthd so that sendmail hands the credentials to saslauthd; the file name Sendmail.conf really is capitalized, because sendmail's SASL application name is "Sendmail")
[root@mail sasl2]# cd /etc/mail
[root@mail mail]# pwd
/etc/mail
[root@mail mail]# vim sendmail.mc
(uncomment the TRUST_AUTH_MECH and confAUTH_MECHANISMS lines; since STARTTLS is configured, set confAUTH_OPTIONS to "A p" so that LOGIN and PLAIN are only offered inside a TLS session; then make -C /etc/mail)
[root@mail mail]# service sendmail restart
Shutting down sm-client: [ OK ]
Shutting down sendmail: [ OK ]
Starting sendmail: [ OK ]
Starting sm-client: [ OK ]
[root@mail mail]#
3. Account test
Base64-encode the account name and password; this is the form AUTH LOGIN expects, each value sent separately in reply to the server's 334 prompts:
[root@mail ~]# echo -n "user1"|openssl base64
dXNlcjE=
[root@mail ~]# echo -n "123"|openssl base64
MTIz
[root@mail ~]#
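The tokens behind steps 2 and 3, as an added example that is not part of the original page: the AUTH LOGIN values the page computes with `openssl base64`, the single AUTH PLAIN token, decoding of the server's 334 challenges (what a tshark capture of an unencrypted login shows), the sendmail.mc lines for the `vim sendmail.mc` step, and a live AUTH PLAIN check over STARTTLS. GNU coreutils `base64`, the page's sample account user1/123 and host mail.bj.com are assumed; client.bj.com is a made-up EHLO name.

```shell
#!/bin/sh
# Added example, not from the original page: the base64 tokens that SMTP
# AUTH LOGIN and AUTH PLAIN expect, decoding of the server's "334" challenges,
# the sendmail.mc lines for the page's "vim sendmail.mc" step, and a live
# AUTH PLAIN check over STARTTLS. Assumptions: GNU coreutils base64, the
# page's sample account user1/123 and host mail.bj.com; client.bj.com is a
# made-up EHLO name.
set -e

b64enc() { base64 | tr -d '\n'; }

# AUTH LOGIN: username and password are sent as two separate base64 strings,
# each in reply to a "334" prompt. This is what the page's "openssl base64"
# calls produce (dXNlcjE= and MTIz for user1 / 123).
login_token() { printf '%s' "$1" | b64enc; }

# AUTH PLAIN (RFC 4616): ONE token, the base64 of  NUL authcid NUL password
# (the optional authzid before the first NUL is left empty).
plain_token() { printf '\000%s\000%s' "$1" "$2" | b64enc; }

# Decode a "334 <base64>" challenge as the server sends it; AUTH LOGIN uses
# the fixed prompts "Username:" and "Password:".
decode_challenge() { printf '%s' "${1#334 }" | base64 -d; }

# Split a captured AUTH PLAIN token back into ":authcid:password" -- this is
# exactly what an on-path attacker gets if PLAIN is accepted without TLS.
decode_plain_token() { printf '%s' "$1" | base64 -d | tr '\000' ':'; }

# sendmail.mc lines for SASL: accept LOGIN/PLAIN, and with confAUTH_OPTIONS
# "A p" offer them only after STARTTLS, so the tokens above never cross the
# wire in the clear. Regenerate sendmail.cf (make -C /etc/mail) and restart.
sendmail_auth_mc() {
    cat <<'EOF'
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_OPTIONS', `A p')dnl
EOF
}

# Live test (needs the running server, so it is not part of the self-test):
# s_client performs STARTTLS, then we re-issue EHLO as RFC 3207 requires and
# authenticate; success is a "235" reply from sendmail.
smtp_auth_plain() {   # HOST USER PASS CAFILE
    printf 'EHLO client.bj.com\r\nAUTH PLAIN %s\r\nQUIT\r\n' "$(plain_token "$2" "$3")" |
        openssl s_client -quiet -starttls smtp -connect "$1:25" -CAfile "$4" 2>/dev/null |
        grep -q '^235 '
}
```

With `confAUTH_OPTIONS` set to "A p", a plain `telnet mail.bj.com 25` followed by `EHLO` must not list `250-AUTH ... LOGIN PLAIN` at all; only `smtp_auth_plain mail.bj.com user1 123 /etc/mail/certs/cacert.pem`, which goes through STARTTLS first, should succeed. If the unencrypted EHLO does advertise LOGIN or PLAIN, the `decode_plain_token` line above shows what a packet capture of the login yields.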
4. Mail test
Send mail with authentication not enabled.
Enable authentication