Linux: deploy a mail TLS/SSL encrypted communication service

2025-04-05 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

Deploy mail TLS/SSL encrypted communication service

First, deploy a regular (unencrypted) mail server

1) Build and test the outgoing (SMTP) mail service

[root@mail ~]# rpm -q postfix
postfix-2.10.1-6.el7.x86_64
[root@mail ~]# netstat -pantu | grep :25
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1822/master
tcp6       0      0 ::1:25                  :::*                    LISTEN      1822/master
[root@mail ~]# ps -C master
  PID TTY          TIME CMD
 1822 ?        00:00:00 master

Out of the box Postfix only listens on loopback (127.0.0.1 and ::1); the next step opens it to all interfaces.

[root@mail ~]# vim /etc/postfix/main.cf
[root@mail ~]# sed -n '113p;116p;419p' /etc/postfix/main.cf
inet_interfaces = all
#inet_interfaces = localhost
home_mailbox = Maildir/

inet_interfaces = all makes Postfix accept connections on every interface instead of loopback only, and home_mailbox = Maildir/ delivers mail into each user's ~/Maildir/, which Dovecot will read in the next step.

[root@mail ~]# systemctl restart postfix.service
[root@mail ~]# useradd jim
[root@mail ~]# echo 654321 | passwd --stdin jim
[root@mail ~]# yum -y install telnet

[root@mail ~]# telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 mail.com.cn ESMTP Postfix
helo localhost
250 mail.com.cn
mail from:root@localhost
250 2.1.0 Ok
rcpt to:jim@localhost
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
XXXXX
XXXX
XXX
XX
X
.
250 2.0.0 Ok: queued as BEDA283BDA92
quit
221 2.0.0 Bye
Connection closed by foreign host.

[root@mail ~]# cat /home/jim/Maildir/new/1515047330.Vfd02I4000083M847601.mail.com.cn
Return-Path:
X-Original-To: jim@localhost
Delivered-To: jim@localhost.com.cn
Received: from localhost (localhost [IPv6:::1])
	by mail.com.cn (Postfix) with SMTP id BEDA283BDA92
	for ; Thu,  4 Jan 2018 01:28:07 -0500 (EST)
Message-Id:
Date: Thu,  4 Jan 2018 01:28:07 -0500 (EST)
From: root@localhost.com.cn

XXXXX
XXXX
XXX
XX
X

# The SMTP exchange can be captured while mail is being sent (use -i lo instead of eth0 to see the telnet localhost test above; eth0 only shows traffic from other hosts):
[root@mail ~]# tcpdump -i eth0 -A tcp port 25

2) Build and test the incoming (POP3/IMAP) mail service

[root@mail ~]# yum -y install dovecot
[root@mail ~]# rpm -q dovecot
dovecot-2.2.10-5.el7.x86_64
[root@mail ~]# vim /etc/dovecot/conf.d/10-mail.conf
[root@mail ~]# sed -n '24p' /etc/dovecot/conf.d/10-mail.conf
mail_location = maildir:~/Maildir
[root@mail ~]# vim /etc/dovecot/conf.d/10-auth.conf
[root@mail ~]# sed -n '10p' /etc/dovecot/conf.d/10-auth.conf
disable_plaintext_auth = yes

mail_location must point at the same Maildir that Postfix delivers into. disable_plaintext_auth = yes makes Dovecot refuse USER/PASS and LOGIN on connections that are not protected by TLS; Dovecot still allows them from the local host itself (same IP), which is why the telnet test from localhost below can log in. Setting it to no would allow plaintext logins from any host.

[root@mail ~]# systemctl start dovecot
[root@mail ~]# netstat -pantu | grep :110
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      4924/dovecot
tcp6       0      0 :::110                  :::*                    LISTEN      4924/dovecot
[root@mail ~]# netstat -pantu | grep :143
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      4924/dovecot
tcp6       0      0 :::143                  :::*                    LISTEN      4924/dovecot

[root@mail ~]# telnet localhost 110
Trying ::1...
Connected to localhost.
Escape character is '^]'.
+OK Dovecot ready.
USER jim
+OK
PASS 654321
+OK Logged in.
LIST
+OK 1 messages:
1 423
.
RETR 1
+OK 423 octets
Return-Path:
X-Original-To: jim@localhost
Delivered-To: jim@localhost.com.cn
Received: from localhost (localhost [IPv6:::1])
	by mail.com.cn (Postfix) with SMTP id BEDA283BDA92
	for ; Thu,  4 Jan 2018 01:28:07 -0500 (EST)
Message-Id:
Date: Thu,  4 Jan 2018 01:28:07 -0500 (EST)
From: root@localhost.com.cn

XXXXX
XXXX
XXX
XX
X
.
QUIT
+OK Logging out.
Connection closed by foreign host.

# The POP3 exchange can be captured while mail is being retrieved (the telnet test runs over loopback, hence -i lo):
[root@mail ~]# tcpdump -A -i lo tcp port 110
[root@mail ~]# tcpdump -A -i lo -w /tmp/mail.cap tcp port 110
[root@mail ~]# tcpdump -A -r /tmp/mail.cap | grep user
reading from file /tmp/mail.cap, link-type EN10MB (Ethernet)
.S.R..user jim
[root@mail ~]# tcpdump -A -r /tmp/mail.cap | grep pass
reading from file /tmp/mail.cap, link-type EN10MB (Ethernet)
.S6[.S..pass 654321

# The username and password are readable in the capture: without TLS, POP3 (and likewise IMAP and SMTP) transmit them in plaintext, and anyone on the network path can read them.
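The grep above finds the POP3 USER/PASS lines by eye. The following added example (not from the original article) does the same job over a text dump of a session, such as the output of tcpdump -A -r mail.cap, and also decodes SMTP AUTH PLAIN and AUTH LOGIN, which are only base64-encoded, not encrypted. The sample session, the client name laptop and the SMTP AUTH exchanges are constructed for the example; the account jim / 654321 is the one created above.

```shell
#!/bin/sh
# Added example, not from the original article: recover credentials from a
# plaintext mail session, the way the tcpdump | grep above does, but covering
# SMTP AUTH PLAIN and AUTH LOGIN too: those are base64-encoded, not encrypted.
# Input: a text dump of the TCP stream (e.g. tcpdump -A -r mail.cap, or a
# Wireshark "Follow TCP Stream" save). The session below is constructed for
# this example with the article's test account (jim / 654321).
set -eu

# Base64 forms a client would send, computed here rather than typed in.
PLAIN_B64=$(printf '%s\0%s\0%s' '' jim 654321 | base64)  # AUTH PLAIN: authzid NUL authcid NUL password
USER_B64=$(printf 'jim' | base64)        # AUTH LOGIN step 1 (server prompt VXNlcm5hbWU6 = "Username:")
PASS_B64=$(printf '654321' | base64)     # AUTH LOGIN step 2 (server prompt UGFzc3dvcmQ6 = "Password:")

# Constructed transcript of what a sniffer sees on ports 110 and 25 without TLS.
SESSION="+OK Dovecot ready.
USER jim
+OK
PASS 654321
+OK Logged in.
220 mail.com.cn ESMTP Postfix
EHLO laptop
250-mail.com.cn
250 AUTH PLAIN LOGIN
AUTH PLAIN $PLAIN_B64
235 2.7.0 Authentication successful
AUTH LOGIN
334 VXNlcm5hbWU6
$USER_B64
334 UGFzc3dvcmQ6
$PASS_B64
235 2.7.0 Authentication successful"

# b64dec STRING: decode base64, turning NUL separators into '|' so the shell can handle them.
b64dec() { printf '%s' "$1" | base64 -d 2>/dev/null | tr '\000' '|'; }

# extract_creds: read a session on stdin, print "<mechanism> <user> <password>" per credential found.
extract_creds() {
    state=none user=
    CR=$(printf '\r')
    while IFS= read -r line; do
        line=${line%"$CR"}               # tolerate CRLF as captured on the wire
        set -- $line                     # $1 = first token (client verb or server reply code)
        [ $# -gt 0 ] || continue
        case "$state" in
            login-user)                  # after AUTH LOGIN: skip the 334 prompt, take the base64 username
                [ "$1" = 334 ] || { user=$(b64dec "$1"); state=login-pass; }
                continue ;;
            login-pass)                  # then skip the second prompt and take the base64 password
                [ "$1" = 334 ] || { echo "smtp-auth-login $user $(b64dec "$1")"; state=none; }
                continue ;;
        esac
        case $(printf '%s' "$1" | tr 'a-z' 'A-Z') in
            USER) user=${2:-} ;;
            PASS) echo "pop3 $user ${2:-}" ;;
            AUTH)
                case $(printf '%s' "${2:-}" | tr 'a-z' 'A-Z') in
                    PLAIN) [ $# -ge 3 ] && echo "smtp-auth-plain $(b64dec "$3" | cut -d'|' -f2,3 | tr '|' ' ')" ;;
                    LOGIN) state=login-user ;;
                esac ;;
        esac
    done
}

# demo: run the extractor over the constructed session.
demo() { printf '%s\n' "$SESSION" | extract_creds; }

demo
```

Every line the function prints is a credential that a passive observer of the unencrypted port would have; the SMTP AUTH forms look less readable in a capture than POP3's USER/PASS but fall to a base64 decode. This is the exposure that the TLS configuration in the second half of the page removes.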

Second, deploy the email TLS/SSL encrypted communication service

1. Configuration of the mail server (192.168.4.2):

[root@mail ~]# systemctl restart postfix
[root@mail ~]# netstat -pantu | grep master
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      5415/master
tcp6       0      0 :::25                   :::*                    LISTEN      5415/master
[root@mail ~]# systemctl restart dovecot
[root@mail ~]# netstat -pantu | grep dovecot
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      5446/dovecot
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      5446/dovecot
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      5446/dovecot
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      5446/dovecot
tcp6       0      0 :::110                  :::*                    LISTEN      5446/dovecot
tcp6       0      0 :::143                  :::*                    LISTEN      5446/dovecot
tcp6       0      0 :::993                  :::*                    LISTEN      5446/dovecot
tcp6       0      0 :::995                  :::*                    LISTEN      5446/dovecot

Dovecot's stock configuration already listens on 993 (IMAPS) and 995 (POP3S) using the self-signed certificate installed with the package; the steps below replace it with a certificate issued by your own CA. Postfix offers TLS on port 25 through STARTTLS, so no new port appears for it.

2. Create the private key file mail.key

[root@mail ~]# cd /etc/pki/tls/private/        # the default directory for private keys
[root@mail private]# openssl genrsa 2048 > mail.key   # generate a 2048-bit RSA private key

mail.key is the secret half of the key pair: it stays on the mail server and should be readable by root only (mode 600), since shell redirection creates it with the default umask. The certificate request in the next step is derived from it.

3. Create the certificate request file mail.csr

openssl req handles certificate requests; -new creates a new request; -key names the private key it is built on.

[root@mail private]# openssl req -new -key mail.key > ~/mail.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:Xuenqlve
Organizational Unit Name (eg, section) []:ope
Common Name (eg, your name or your server's hostname) []:mail
Email Address []:Xuenqlve@163.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Country, State and Organization must match the CA certificate: the default policy_match in openssl.cnf makes openssl ca reject a request whose C, ST or O differ from the CA's. Common Name should be the name clients connect to, here the server's hostname. Note that clients verify the certificate against the host name they were given (mail.com.cn in the SMTP banner above), so a certificate with CN=mail and no subjectAltName will trigger a name-mismatch warning in a real mail client.

5. Upload the certificate request file to the CA server (192.168.4.1)

[root@mail ~]# scp ~/mail.csr 192.168.4.1:/tmp

Configuration of the CA server (192.168.4.1):

See https://blog.51cto.com/13558754/2057718 for the CA server setup.

6. Review the certificate request and issue the digital certificate

[root@CA certs]# openssl ca -in /tmp/mail.csr > mail.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/my-ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jan  5 04:52:52 2018 GMT
            Not After : Jan  5 04:52:52 2019 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = Xuenqlve
            organizationalUnitName    = ope
            commonName                = mail
            emailAddress              = Xuenqlve@163.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                1E:C8:F7:FA:7D:F7:9F:7B:00:03:DC:3B:60:CB:A2:8F:C0:16:04:D1
            X509v3 Authority Key Identifier:
                keyid:87:06:18:98:79:53:0E:26:0A:91:2D:B9:93:8A:C3:86:2B:CC:DF:E7

Certificate is to be certified until Jan  5 04:52:52 2019 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

The "Check that the request matches the signature" step verifies that the CSR was signed by the private key it carries the public half of. The extensions come from the CA's openssl.cnf defaults: an end-entity certificate (CA:FALSE) valid for one year, with no subjectAltName.

Note: if reviewing the request fails with

error while loading serial number

initialise the serial file first:

[root@CA CA]# echo 01 > serial

After signing, the CA database records the issued certificate (V = valid, its expiry, serial 01 and subject) and the serial counter has advanced for the next certificate:

[root@CA certs]# cat ../index.txt
V	190105045252Z		01	unknown	/C=CN/ST=beijing/O=Xuenqlve/OU=ope/CN=mail/emailAddress=Xuenqlve@163.com
[root@CA certs]# cat ../serial
02

7. Send the certificate to the mail server (192.168.4.2)

[root@CA certs]# scp mail.crt 192.168.4.2:/root/
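Before copying mail.crt into place, a practitioner checks what was issued. The following added example, not part of the original article, repeats the key/CSR/signing flow with a throwaway test CA on one host (instead of openssl ca on 192.168.4.1) and then verifies the result: that the certificate chains to the CA, that it matches the private key, that the name clients connect to is in the subjectAltName, and that the key file is not world-readable. It assumes the openssl command line and GNU stat are available, and that the server's public name is mail.com.cn (the SMTP banner on this page) with mail, the CN the article chose, as an alias.

```shell
#!/bin/sh
# Added example, not from the original article: issue the mail server's
# certificate with a throwaway test CA and verify the result before Postfix
# and Dovecot are pointed at the files. Assumptions: the openssl command line
# and GNU stat; the name clients use for the server is mail.com.cn (the SMTP
# banner on this page), with mail (the CN the article chose) as an alias.
set -eu

WORK=${WORK:-$(mktemp -d)}
MAIL_FQDN=${MAIL_FQDN:-mail.com.cn}

# make_ca: self-signed CA certificate standing in for the 192.168.4.1 CA host.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
        -keyout "$WORK/my-ca.key" -out "$WORK/my-ca.crt" \
        -subj "/C=CN/ST=beijing/O=Xuenqlve/CN=Xuenqlve Test CA" 2>/dev/null
    chmod 600 "$WORK/my-ca.key"
}

# make_key_and_csr: the mail server's private key and request; the key is created
# under a restrictive umask so there is no window in which it is world-readable.
make_key_and_csr() {
    old_umask=$(umask)
    umask 077
    openssl genrsa -out "$WORK/mail.key" 2048 2>/dev/null
    umask "$old_umask"
    openssl req -new -key "$WORK/mail.key" -out "$WORK/mail.csr" \
        -subj "/C=CN/ST=beijing/L=beijing/O=Xuenqlve/OU=ope/CN=$MAIL_FQDN" 2>/dev/null
}

# sign_csr: issue a one-year server certificate. 'openssl x509 -req' does not copy
# extensions from the CSR, so the server-certificate extensions, including the
# subjectAltName that clients actually check, are supplied here.
sign_csr() {
    cat > "$WORK/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$MAIL_FQDN, DNS:mail
EOF
    openssl x509 -req -in "$WORK/mail.csr" -CA "$WORK/my-ca.crt" -CAkey "$WORK/my-ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$WORK/server.ext" \
        -out "$WORK/mail.crt" 2>/dev/null
}

# Checks a practitioner runs on the issued files.
cert_verifies() { openssl verify -CAfile "$WORK/my-ca.crt" "$WORK/mail.crt" >/dev/null 2>&1; }

# cert_matches_key: the public key inside the certificate equals the one derived from mail.key.
cert_matches_key() {
    [ "$(openssl x509 -in "$WORK/mail.crt" -noout -pubkey)" = "$(openssl pkey -in "$WORK/mail.key" -pubout)" ]
}

# cert_has_san NAME: true if NAME is one of the DNS names in the certificate's SAN.
cert_has_san() {
    openssl x509 -in "$WORK/mail.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' | grep -Eq "DNS:$1"'(,|$)'
}

# key_is_private: mode 600, nothing but the owner may read the key.
key_is_private() {
    mode=$(stat -c %a "$WORK/mail.key" 2>/dev/null || stat -f %Lp "$WORK/mail.key")
    [ "$mode" = 600 ]
}

# issue_and_check: run the whole flow; prints OK only if every check passes.
issue_and_check() {
    make_ca && make_key_and_csr && sign_csr || return 1
    cert_verifies && cert_matches_key && cert_has_san "$MAIL_FQDN" && key_is_private && echo OK
}

issue_and_check && printf 'certificate, key and CA in %s\n' "$WORK"
```

Once the files are installed and the services restarted, the same verification is repeated from a client's point of view: openssl s_client -connect mail.com.cn:995 -CAfile my-ca.crt and openssl s_client -starttls smtp -connect mail.com.cn:25 -CAfile my-ca.crt should both report "Verify return code: 0 (ok)" and show the expected subjectAltName; a name mismatch or an unknown issuer at this point is exactly what a mail client would complain about.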

8. Configure the services to use the private key and certificate at run time

8.1 Configure the outgoing (SMTP) service

[root@mail ~]# vim /etc/postfix/main.cf

Add the following lines at the end:

[root@mail ~]# tail -4 /etc/postfix/main.cf
smtpd_use_tls = yes
#smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/pki/tls/private/mail.key
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.crt

smtpd_use_tls = yes is the legacy spelling of smtpd_tls_security_level = may: Postfix announces STARTTLS on port 25 but still serves clients that never issue it. With smtpd_tls_auth_only left commented out, a client that authenticates (once SASL is enabled) may still send AUTH PLAIN/LOGIN over the unencrypted connection; uncomment it so that AUTH is only offered after STARTTLS.

[root@mail ~]# cp /root/mail.crt /etc/pki/tls/certs/
[root@mail ~]# systemctl restart postfix.service
[root@mail ~]# netstat -pantu | grep master
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      6461/master
tcp6       0      0 :::25                   :::*                    LISTEN      6461/master

8.2 Configure the incoming (POP3/IMAP) service

[root@mail ~]# vim /etc/dovecot/conf.d/10-ssl.conf

Point ssl_cert and ssl_key at the same certificate and key (Dovecot reads the file named after a leading < character):

[root@mail ~]# sed -n '14p;15p' /etc/dovecot/conf.d/10-ssl.conf
ssl_cert =
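The two settings this page leaves in their permissive form are smtpd_tls_auth_only (commented out) on the Postfix side and disable_plaintext_auth / ssl on the Dovecot side. The following added example, not part of the original article, audits a main.cf and a set of Dovecot conf.d settings for exactly those gaps. It runs here against constructed copies of the weak configuration shown above and of a hardened one; the paths are the ones used on this page, and the ssl_key line and the hardened values are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original article: audit Postfix and Dovecot TLS
# settings for the gaps this page leaves open. Sample configs are constructed.
# Assumption: settings are written one per line as 'name = value' with no
# include files; the last occurrence of a name wins, as in both daemons.
set -eu

WORK=${WORK:-$(mktemp -d)}

# Constructed sample: the article's main.cf tail (opportunistic STARTTLS, auth_only commented out).
cat > "$WORK/main.cf.weak" <<'EOF'
smtpd_use_tls = yes
# smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/pki/tls/private/mail.key
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.crt
EOF

# Constructed sample: same server, plaintext AUTH refused until STARTTLS has been done.
cat > "$WORK/main.cf.hardened" <<'EOF'
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/pki/tls/private/mail.key
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.crt
EOF

# Constructed Dovecot samples (10-auth.conf and 10-ssl.conf settings together).
cat > "$WORK/dovecot.weak" <<'EOF'
disable_plaintext_auth = no   # USER/PASS accepted without TLS from any host
ssl = yes
EOF
cat > "$WORK/dovecot.hardened" <<'EOF'
disable_plaintext_auth = yes
ssl = required
ssl_cert = </etc/pki/tls/certs/mail.crt
ssl_key = </etc/pki/tls/private/mail.key
EOF

# setting FILE NAME: effective value of NAME (last occurrence, trailing comment stripped); empty if unset.
setting() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*#.*$//' | tail -n 1
}

# audit_postfix FILE: one finding per line; returns 1 if anything FAILs.
audit_postfix() {
    rc=0
    level=$(setting "$1" smtpd_tls_security_level)
    use_tls=$(setting "$1" smtpd_use_tls)
    case "$level" in                      # when set, security_level overrides the legacy smtpd_use_tls
        may|encrypt) tls=yes ;;
        "")          if [ "$use_tls" = yes ]; then tls=yes; else tls=no; fi ;;
        *)           tls=no ;;
    esac
    if [ "$tls" = yes ]; then
        echo "OK   STARTTLS offered (smtpd_tls_security_level=${level:-unset}, smtpd_use_tls=${use_tls:-unset})"
    else
        echo "FAIL STARTTLS not enabled"; rc=1
    fi
    if [ "$(setting "$1" smtpd_tls_auth_only)" = yes ]; then
        echo "OK   AUTH announced only after STARTTLS"
    else
        echo "FAIL smtpd_tls_auth_only is not yes: SASL clients may still send AUTH PLAIN/LOGIN in the clear"; rc=1
    fi
    for f in smtpd_tls_key_file smtpd_tls_cert_file; do
        if [ -n "$(setting "$1" "$f")" ]; then echo "OK   $f set"; else echo "FAIL $f unset"; rc=1; fi
    done
    return $rc
}

# audit_dovecot FILE: same for Dovecot; ssl = yes (the default) is only a WARN because TLS is still offered.
audit_dovecot() {
    rc=0
    ssl=$(setting "$1" ssl)
    plain=$(setting "$1" disable_plaintext_auth)
    case "$ssl" in
        required) echo "OK   ssl = required: clients that do not negotiate TLS are refused" ;;
        yes|"")   echo "WARN ssl = ${ssl:-yes (default)}: TLS offered, but plain 110/143 still served" ;;
        *)        echo "FAIL ssl = $ssl: no TLS at all"; rc=1 ;;
    esac
    if [ "$plain" = no ]; then
        echo "FAIL disable_plaintext_auth = no: USER/PASS and LOGIN accepted without TLS from any host"; rc=1
    else
        echo "OK   plaintext authentication refused without TLS (Dovecot still allows it from localhost)"
    fi
    for f in ssl_cert ssl_key; do
        if [ -n "$(setting "$1" "$f")" ]; then echo "OK   $f set"; else echo "FAIL $f unset"; rc=1; fi
    done
    return $rc
}

for f in main.cf.weak main.cf.hardened; do echo "== $f"; audit_postfix "$WORK/$f" || true; done
for f in dovecot.weak dovecot.hardened; do echo "== $f"; audit_dovecot "$WORK/$f" || true; done
```

On a live host the functions are pointed at /etc/postfix/main.cf and at the relevant files under /etc/dovecot/conf.d/. The audit is deliberately narrow: it only answers whether a client can still hand over a password without TLS, which is the exposure the tcpdump capture in the first half of the page demonstrated.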
