In this experiment the CA is one I built myself on the server.

The environment set up in the previous blog post is used for the steps below.

I will not introduce the CA itself here; let's go straight to the operations.

This experiment is done in the bj.zz.com zone. SMTPS is a point-to-point transport: when mail is relayed across zones, it can still show up in plaintext along the way. To protect mail across zones, the Windows client side uses what is called PGP encryption (PGP encryption software can be found online); on Linux it is called GPG. You can look up the material on your own afterwards.

[root@mail ~]# mount /dev/cdrom /mnt/cdrom

[root@mail ~]# sendmail -d0.1 -bv    //show the features sendmail was compiled with

Version 8.13.8
Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX
        MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6
        NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS
        TCPWRAPPERS USERDB USE_LDAP_INIT

[root@mail ~]# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.bj.zz.com ESMTP Sendmail 8.13.8/8.13.8; Mon, 13 Aug 2012 00:19:24 +0800
EHLO 127.0.0.1
250-mail.bj.zz.com Hello localhost.localdomain [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP

But STARTTLS itself is not enabled yet. Let's go straight to the operations; if you do not understand a step, you can look at my blog, where it is explained in detail.

[root@mail ~]# vim /etc/pki/tls/openssl.cnf

45 dir             = /etc/pki/CA   

88 countryName             = optional
89 stateOrProvinceName     = optional
90 organizationName        = optional

136 countryName_default             = CN
141 stateOrProvinceName_default     = BEIJING
144 localityName_default            = BEIJING

[root@mail ~]# cd /etc/pki/CA/
[root@mail CA]# mkdir certs crl newcerts
[root@mail CA]# touch index.txt serial
[root@mail CA]# ll
总计 20
drwxr-xr-x 2 root root 4096 08-13 00:29 certs
drwxr-xr-x 2 root root 4096 08-13 00:29 crl
-rw-r--r-- 1 root root    0 08-13 00:29 index.txt
drwxr-xr-x 2 root root 4096 08-13 00:29 newcerts
drwx------ 2 root root 4096 2009-06-30 private
-rw-r--r-- 1 root root    0 08-13 00:29 serial

[root@mail CA]# echo "01" >serial
[root@mail CA]# openssl genrsa 1024 >private/cakey.pem
Generating RSA private key, 1024 bit long modulus
..........++++++
................++++++
e is 65537 (0x10001)

[root@mail CA]# chmod 600 private/cakey.pem

[root@mail CA]# openssl req -new -key private/cakey.pem  -x509 -out cacert.pem -days 3650

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BEIJING]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [My Company Ltd]:zz.com
Organizational Unit Name (eg, section) []:bj
Common Name (eg, your name or your server's hostname) []:bj.zz.com
Email Address []:

Implementing encryption of mail transport:

[root@mail CA]# mkdir -pv /etc/mail/certs

[root@mail CA]# cd /etc/mail/certs/

[root@mail certs]# openssl genrsa 1024 >sendmail.key

[root@mail certs]# openssl req -new -key sendmail.key -out sendmail.csr

Country Name (2 letter code) [CN]:
State or Province Name (full name) [BEIJING]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [My Company Ltd]:zz.com
Organizational Unit Name (eg, section) []:bj
Common Name (eg, your name or your server's hostname) []:bj.zz.com
Email Address []:

[root@mail certs]# openssl ca -in sendmail.csr -out sendmail.cert

Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Aug 12 16:46:51 2012 GMT
            Not After : Aug 12 16:46:51 2013 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BEIJING
            organizationName          = zz.com
            organizationalUnitName    = bj
            commonName                = bj.zz.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                00:48:FC:86:88:C6:97:5B:50:CE:A2:35:81:C6:B5:18:32:CA:30:83
            X509v3 Authority Key Identifier:
                keyid:F0:A7:0C:33:52:A1:93:11:E4:14:B6:AD:D0:B6:09:4B:56:2D:25:4F

Certificate is to be certified until Aug 12 16:46:51 2013 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

[root@mail certs]# chmod 600 *

[root@mail certs]# vim /etc/mail/sendmail.mc

60 define(`confCACERT_PATH', `/etc/pki/CA')dnl                    //CA directory
61 define(`confCACERT', `/etc/pki/CA/cacert.pem')dnl              //CA certificate location
62 define(`confSERVER_CERT', `/etc/mail/certs/sendmail.cert')dnl  //server certificate location
63 define(`confSERVER_KEY', `/etc/mail/certs/sendmail.key')dnl    //server private key location

134 DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl             //enable the TLS listener

[root@mail certs]# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.bj.zz.com ESMTP Sendmail 8.13.8/8.13.8; Mon, 13 Aug 2012 00:59:09 +0800

EHLO 127.0.0.1             
250-mail.bj.zz.com Hello localhost.localdomain [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP

At this point we can see that encryption has been enabled.

Mail transport is now encrypted; we still need to encrypt the client's sending and receiving of mail.

[root@mail certs]# mkdir -pv /etc/mail/dovecot

[root@mail certs]# cd /etc/mail/dovecot/

[root@mail dovecot]# openssl genrsa 1024 >dovecot.key
Generating RSA private key, 1024 bit long modulus
.................................++++++
.................++++++
e is 65537 (0x10001)
[root@mail dovecot]# openssl req -new -key dovecot.key -out dovecot.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BEIJING]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [My Company Ltd]:zz.com
Organizational Unit Name (eg, section) []:bj
Common Name (eg, your name or your server's hostname) []:bj.zz.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@mail dovecot]# openssl ca -in dovecot.csr -out dovecot.cert
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Aug 12 17:17:03 2012 GMT
            Not After : Aug 12 17:17:03 2013 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BEIJING
            organizationName          = zz.com
            organizationalUnitName    = bj
            commonName                = bj.zz.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                E3:69:F9:FB:4E:97:4C:6F:D8:94:61:97:33:0A:5D:C7:12:A3:C9:91
            X509v3 Authority Key Identifier:
                keyid:F0:A7:0C:33:52:A1:93:11:E4:14:B6:AD:D0:B6:09:4B:56:2D:25:4F

Certificate is to be certified until Aug 12 17:17:03 2013 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

[root@mail dovecot]# vim /etc/dovecot.conf

22 protocols = pop3s     //only the pop3s protocol may be used for mail retrieval

91 ssl_cert_file = /etc/mail/dovecot/dovecot.cert      //certificate location
92 ssl_key_file = /etc/mail/dovecot/dovecot.key        //private key location

[root@mail dovecot]# service dovecot restart

Now we can test mail transport.

The client mail account test is as follows:

Here we are using the SMTPS and POP3S protocols for mail transport and retrieval, so the client settings need to be changed as follows:

[Figure 1: Using a CA to secure email transmission]

[Figure 2: Using a CA to secure email transmission]

Send mail from user1 to user2:

[Figure 3: Using a CA to secure email transmission]

This warning appears because our client has not installed the CA certificate and therefore does not trust the server certificate.

This does not affect our experiment. Click Yes.

[root@mail ~]# tshark -ni eth0 -R "tcp.dstport eq 995"

Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
326.891389 192.168.145.11 -> 192.168.145.100 TCP 1115 > 995 [SYN] Seq=0 Win=65535 Len=0 MSS=1460
326.895489 192.168.145.11 -> 192.168.145.100 TCP 1115 > 995 [ACK] Seq=1 Ack=1 Win=65535 Len=0
326.895490 192.168.145.11 -> 192.168.145.100 SSL Client Hello
326.945106 192.168.145.11 -> 192.168.145.100 TLSv1 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
327.145815 192.168.145.11 -> 192.168.145.100 TCP 1115 > 995 [ACK] Seq=285 Ack=828 Win=64708 Len=0
327.364851 192.168.145.11 -> 192.168.145.100 TCP 1115 > 995 [ACK] Seq=285 Ack=869 Win=64667 Len=0

[root@mail ~]# tshark -ni eth0 -R "tcp.dstport eq 25"

56.500461 192.168.145.11 -> 192.168.145.100 TCP 1114 > 25 [SYN] Seq=0 Win=65535 Len=0 MSS=1460
56.501229 192.168.145.11 -> 192.168.145.100 TCP 1114 > 25 [ACK] Seq=1 Ack=1 Win=65535 Len=0
56.547270 192.168.145.11 -> 192.168.145.100 SMTP C: EHLO zzuce090d72288
56.548563 192.168.145.11 -> 192.168.145.100 SMTP C: STARTTLS
56.583316 192.168.145.11 -> 192.168.145.100 SMTP C: \200L\001\003\001\0003\000\000\000\020\000\000\004\000\000\005\000\000 | \001\000\200\a\000\300\003\000\200\000\000\t\006\000@\000\000d\000\000b\000\000\003\000\000\006\002\000\200\004\000\200\000\000\023\000\000\022\000\000c\270\033\366\325\371\366\365\232\323\035&\232y\367\215\331

At this point nothing of value can be captured anymore.
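An added example (not from the original post) of doing the client-side check above with Python's standard library instead of telnet and tshark: it refuses to proceed unless STARTTLS is offered on port 25, upgrades the connection trusting only the self-built CA, and does the same for POP3S on 995. The ca.pem path and connecting by the name bj.zz.com (the certificate's commonName) are assumptions.

```python
import poplib
import smtplib
import ssl

# Assumptions (not from the post): cacert.pem was copied to the client as ca.pem, and
# the client connects by the certificate's commonName. The server greets as
# mail.bj.zz.com but its certificate only names bj.zz.com, so that name is used.
CA_FILE = "ca.pem"
MAIL_HOST = "bj.zz.com"


def parse_ehlo(reply):
    """ESMTP keywords from a raw EHLO reply like the telnet transcripts above;
    the first 250 line ('250-host Hello ...') is the greeting, not a keyword."""
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip().startswith("250")]
    return {ln[4:].split()[0].upper() for ln in lines[1:] if len(ln) > 4 and ln[3] in "- "}


def make_context(cafile):
    """Trust only the lab CA and verify the hostname: this replaces clicking 'Yes'
    on the client's untrusted-certificate warning."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def peer_info(sock):
    """Negotiated protocol version and certificate subject of a TLS socket."""
    subject = dict(rdn[0] for rdn in sock.getpeercert()["subject"])
    return {"tls": sock.version(), "subject": subject}


def check_smtp(host=MAIL_HOST, port=25, cafile=CA_FILE):
    """EHLO, insist that STARTTLS is offered, then upgrade and verify the server."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("no STARTTLS offered: the session would stay in the clear")
        smtp.starttls(context=make_context(cafile))
        smtp.ehlo()  # capabilities must be re-read after the TLS upgrade
        return peer_info(smtp.sock)


def check_pop3s(host=MAIL_HOST, port=995, cafile=CA_FILE):
    """Implicit TLS on 995 (dovecot 'protocols = pop3s'), verified before USER/PASS."""
    pop = poplib.POP3_SSL(host, port, timeout=10, context=make_context(cafile))
    try:
        return peer_info(pop.sock)
    finally:
        pop.quit()
```

A client built with current TLS libraries may reject the 1024-bit keys and TLS 1.0 seen in the captures above, in which case the server keys need to be regenerated at 2048 bits or more.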