This experiment uses a CA built by hand on the server itself,
working in the environment set up in the previous blog post.
The CA itself will not be introduced here; we go straight to the operations.
The experiment is done in the bj.zz.com zone. smtps only encrypts a single hop (point to point), so when mail is relayed across zones it is still visible in plaintext on the way. To encrypt across zones, on Windows clients this is called PGP encryption, and PGP encryption software is available online; on Linux it is called gpg. Look up the details on your own afterwards.
[root@mail ~]# mount /dev/cdrom /mnt/cdrom
[root@mail ~]# sendmail -d0.1 -bv // show the features sendmail was compiled with
Version 8.13.8
Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX
MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6
NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS
TCPWRAPPERS USERDB USE_LDAP_INIT
[root@mail ~]# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.bj.zz.com ESMTP Sendmail 8.13.8/8.13.8; Mon, 13 Aug 2012 00:19:24 +0800
EHLO 127.0.0.1
250-mail.bj.zz.com Hello localhost.localdomain [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
But STARTTLS itself is not enabled yet. We go straight to the operations here; if a step is unclear, see my blog, where it is explained in detail.
[root@mail ~]# vim /etc/pki/tls/openssl.cnf
45 dir = /etc/pki/CA
88 countryName = optional
89 stateOrProvinceName = optional
90 organizationName = optional
136 countryName_default = CN
141 stateOrProvinceName_default = BEIJING
144 localityName_default = BEIJING
[root@mail ~]# cd /etc/pki/CA/
[root@mail CA]# mkdir certs crl newcerts
[root@mail CA]# touch index.txt serial
[root@mail CA]# ll
总计 20
drwxr-xr-x 2 root root 4096 08-13 00:29 certs
drwxr-xr-x 2 root root 4096 08-13 00:29 crl
-rw-r--r-- 1 root root 0 08-13 00:29 index.txt
drwxr-xr-x 2 root root 4096 08-13 00:29 newcerts
drwx------ 2 root root 4096 2009-06-30 private
-rw-r--r-- 1 root root 0 08-13 00:29 serial
[root@mail CA]# echo "01" >serial
[root@mail CA]# openssl genrsa 1024 >private/cakey.pem
Generating RSA private key, 1024 bit long modulus
..........++++++
................++++++
e is 65537 (0x10001)
[root@mail CA]# chmod 600 private/cakey.pem
[root@mail CA]# openssl req -new -key private/cakey.pem -x509 -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BEIJING]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [My Company Ltd]:zz.com
Organizational Unit Name (eg, section) []:bj
Common Name (eg, your name or your server's hostname) []:bj.zz.com
Email Address []:
Encrypting mail transmission (SMTP):
[root@mail CA]# mkdir -pv /etc/mail/certs
[root@mail CA]# cd /etc/mail/certs/
[root@mail certs]# openssl genrsa 1024 >sendmail.key
[root@mail certs]# openssl req -new -key sendmail.key -out sendmail.csr
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BEIJING]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [My Company Ltd]:zz.com
Organizational Unit Name (eg, section) []:bj
Common Name (eg, your name or your server's hostname) []:bj.zz.com
Email Address []:
[root@mail certs]# openssl ca -in sendmail.csr -out sendmail.cert
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Aug 12 16:46:51 2012 GMT
Not After : Aug 12 16:46:51 2013 GMT
Subject:
countryName = CN
stateOrProvinceName = BEIJING
organizationName = zz.com
organizationalUnitName = bj
commonName = bj.zz.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
00:48:FC:86:88:C6:97:5B:50:CE:A2:35:81:C6:B5:18:32:CA:30:83
X509v3 Authority Key Identifier:
keyid:F0:A7:0C:33:52:A1:93:11:E4:14:B6:AD:D0:B6:09:4B:56:2D:25:4F
Certificate is to be certified until Aug 12 16:46:51 2013 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@mail certs]# chmod 600 *
[root@mail certs]# vim /etc/mail/sendmail.mc
60 define(`confCACERT_PATH', `/etc/pki/CA')dnl // CA directory
61 define(`confCACERT', `/etc/pki/CA/cacert.pem')dnl // CA certificate location
62 define(`confSERVER_CERT', `/etc/mail/certs/sendmail.cert')dnl // server certificate location
63 define(`confSERVER_KEY', `/etc/mail/certs/sendmail.key')dnl // server private key location
134 DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl // enable the smtps (TLS) listener
[root@mail certs]# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.bj.zz.com ESMTP Sendmail 8.13.8/8.13.8; Mon, 13 Aug 2012 00:59:09 +0800
EHLO 127.0.0.1
250-mail.bj.zz.com Hello localhost.localdomain [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP
At this point we can see that the encryption feature (STARTTLS) is enabled.
Mail transmission is now encrypted; we still need to encrypt mail retrieval as well.
[root@mail certs]# mkdir -pv /etc/mail/dovecot
[root@mail certs]# cd /etc/mail/dovecot/
[root@mail dovecot]# openssl genrsa 1024 >dovecot.key
Generating RSA private key, 1024 bit long modulus
.................................++++++
.................++++++
e is 65537 (0x10001)
[root@mail dovecot]# openssl req -new -key dovecot.key -out dovecot.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BEIJING]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [My Company Ltd]:zz.com
Organizational Unit Name (eg, section) []:bj
Common Name (eg, your name or your server's hostname) []:bj.zz.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@mail dovecot]# openssl ca -in dovecot.csr -out dovecot.cert
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Aug 12 17:17:03 2012 GMT
Not After : Aug 12 17:17:03 2013 GMT
Subject:
countryName = CN
stateOrProvinceName = BEIJING
organizationName = zz.com
organizationalUnitName = bj
commonName = bj.zz.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
E3:69:F9:FB:4E:97:4C:6F:D8:94:61:97:33:0A:5D:C7:12:A3:C9:91
X509v3 Authority Key Identifier:
keyid:F0:A7:0C:33:52:A1:93:11:E4:14:B6:AD:D0:B6:09:4B:56:2D:25:4F
Certificate is to be certified until Aug 12 17:17:03 2013 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@mail dovecot]# vim /etc/dovecot.conf
22 protocols = pop3s // only the pop3s protocol may be used to retrieve mail
91 ssl_cert_file = /etc/mail/dovecot/dovecot.cert // certificate location
92 ssl_key_file = /etc/mail/dovecot/dovecot.key // private key location
[root@mail dovecot]# service dovecot restart
Now we can test mail transmission.
The client mail account test is as follows:
We are now using the smtps and pop3s protocols for sending and receiving, so the client settings must be changed as follows:
Send mail from user1 to user2.
The warning appears because the client has not installed the CA certificate and therefore does not trust the server certificate.
This does not affect the experiment; click Yes.
[root@mail ~]# tshark -ni eth0 -R "tcp.dstport eq 995"
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
326.891389 192.168.145.11 -> 192.168.145.100 TCP 1115 > 995 [SYN] Seq=0 Win=65535 Len=0 MSS=1460
326.895489 192.168.145.11 -> 192.168.145.100 TCP 1115 > 995 [ACK] Seq=1 Ack=1 Win=65535 Len=0
326.895490 192.168.145.11 -> 192.168.145.100 SSL Client Hello
326.945106 192.168.145.11 -> 192.168.145.100 TLSv1 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
327.145815 192.168.145.11 -> 192.168.145.100 TCP 1115 > 995 [ACK] Seq=285 Ack=828 Win=64708 Len=0
327.364851 192.168.145.11 -> 192.168.145.100 TCP 1115 > 995 [ACK] Seq=285 Ack=869 Win=64667 Len=0
[root@mail ~]# tshark -ni eth0 -R "tcp.dstport eq 25"
56.500461 192.168.145.11 -> 192.168.145.100 TCP 1114 > 25 [SYN] Seq=0 Win=65535 Len=0 MSS=1460
56.501229 192.168.145.11 -> 192.168.145.100 TCP 1114 > 25 [ACK] Seq=1 Ack=1 Win=65535 Len=0
56.547270 192.168.145.11 -> 192.168.145.100 SMTP C: EHLO zzuce090d72288
56.548563 192.168.145.11 -> 192.168.145.100 SMTP C: STARTTLS
56.583316 192.168.145.11 -> 192.168.145.100 SMTP C: \200L\001\003\001\0003\000\000\000\020\000\000\004\000\000\005\000\000 | \001\000\200\a\000\300\003\000\200\000\000\t\006\000@\000\000d\000\000b\000\000\003\000\000\006\002\000\200\004\000\200\000\000\023\000\000\022\000\000c\270\033\366\325\371\366\365\232\323\035&\232y\367\215\331
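As an added example (not part of the original post), the following script performs the CA and certificate steps above non-interactively and then verifies the issued certificate the way a strict mail client would: it must chain to our CA and its name must match the host the client connects to. It signs with `openssl x509 -req` rather than the post's `openssl ca`, so it does not depend on /etc/pki/tls/openssl.cnf; the directory layout and 2048-bit keys are my choices, and the live `check_starttls`/`check_pop3s` helpers assume the sendmail and dovecot listeners configured above are reachable.

```shell
#!/bin/sh
# Added example, not from the original post: private CA + server certificate
# built non-interactively, then verified as a strict client would verify it.
set -u

SUBJ_BASE="/C=CN/ST=BEIJING/L=BEIJING/O=zz.com/OU=bj"   # same DN fields as the post

# make_ca DIR: CA private key (mode 600 via umask) and self-signed CA certificate.
make_ca() {
    local d=$1
    mkdir -p "$d" && (umask 077; openssl genrsa -out "$d/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -key "$d/cakey.pem" -days 3650 \
        -subj "$SUBJ_BASE/CN=bj.zz.com" -out "$d/cacert.pem"
}

# issue_cert DIR NAME HOSTNAME: service key + CSR, signed by the CA in DIR.
# Signing uses `x509 -req` (assumption) instead of the post's `openssl ca`.
issue_cert() {
    local d=$1 name=$2 host=$3
    (umask 077; openssl genrsa -out "$d/$name.key" 2048 2>/dev/null)
    openssl req -new -key "$d/$name.key" -subj "$SUBJ_BASE/CN=$host" \
        -out "$d/$name.csr"
    openssl x509 -req -in "$d/$name.csr" -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" \
        -CAcreateserial -days 365 -out "$d/$name.cert" 2>/dev/null
}

# verify_cert CAFILE CERT HOSTNAME: succeeds only if CERT chains to CAFILE *and*
# its name matches HOSTNAME.  (The post's certificates carry CN=bj.zz.com while
# the MTA greets as mail.bj.zz.com, the kind of mismatch a client warns about.)
# Output is grepped because OpenSSL 1.0.x `verify` exits 0 even on failure.
verify_cert() {
    local ca=$1 cert=$2 host=$3
    openssl verify -CAfile "$ca" "$cert" 2>&1 | grep -q ': OK$' || return 1
    openssl x509 -noout -in "$cert" -checkhost "$host" | grep -q ' does match '
}

# Live checks for the two listeners the post configures (need network; not run
# by the test).  "Verify return code: 0 (ok)" means the chain validates against
# our CA, which is the answer the untrusted-certificate dialog was hiding.
check_starttls() {  # check_starttls HOST CAFILE: SMTP on 25, upgraded with STARTTLS
    openssl s_client -starttls smtp -connect "$1:25" -CAfile "$2" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}
check_pop3s() {     # check_pop3s HOST CAFILE: TLS on connect, port 995
    openssl s_client -connect "$1:995" -CAfile "$2" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}
```

Run the live checks only after regenerating sendmail.cf from sendmail.mc and restarting sendmail, a step the post does not show.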