Shulou(Shulou.com)06/03 Report--

Deploy mail TLS/SSL encrypted communication service

one。 Deploy a regular mail server

1) build and test the sending service of the mail service

[root@mail] # rpm-Q postfix

Postfix-2.10.1-6.el7.x86_64

[root@mail ~] # netstat-pantu | grep: 25

Tcp 0 0 127.0.0.1 25 0.0.0. 0 LISTEN 1822/master

Tcp6 0 0:: 1:25: * LISTEN 1822/master

[root@mail] # ps-C master

PID TTY TIME CMD

1822? 00:00:00 master

[root@mail ~] # vim / etc/postfix/main.cf

[root@mail ~] # sed-n "113p / etc/postfix/main.cf" 116p / etc/postfix/main.cf

Inet_interfaces = all

# inet_interfaces = localhost

Home_mailbox = Maildir/

[root@mail ~] # systemctl restart postfix.service

[root@mail ~] # useradd jim

[root@mail ~] # echo 654321 | passwd-- stdin jim

[root@mail ~] # yum-y install telnet

[root@mail ~] # telnet localhost 25

Trying:: 1...

Connected to localhost.

Escape character is'^]'.

220 mail.com.cn ESMTP Postfix

Helo localhost

250 mail.com.cn

Mail from:root@localhost

250 2.1.0 Ok

Rcpt to:jim@localhost

250 2.1.5 Ok

Data

354 End data with.

XXXXX

XXXX

XXX

XX

X

.

250 2.0.0 Ok: queued as BEDA283BDA92

Quit

221 2.0.0 Bye

Connection closed by foreign host.

[root@mail ~] # cat / home/jim/Maildir/new/1515047330.Vfd02I4000083M847601.mail.com.cn

Return-Path:

X-Original-To: jim@localhost

Delivered-To: jim@localhost.com.cn

Received: from localhost (localhost [IPv6:::1])

By mail.com.cn (Postfix) with SMTP id BEDA283BDA92

For; Thu, 4 Jan 2018 01:28:07-0500 (EST)

Message-Id:

Date: Thu, 4 Jan 2018 01:28:07-0500 (EST)

From: root@localhost.com.cn

XXXXX

XXXX

XXX

XX

X

# you can grab the packets that send mail when sending mail

[root@mail] # tcpdump-I eth0-A tcp port 25

2) set up and test the collection of mail services

[root@mail ~] # yum-y install dovecot

[root@mail] # rpm-Q dovecot

Dovecot-2.2.10-5.el7.x86_64

[root@mail ~] # vim / etc/dovecot/conf.d/10-mail.conf

[root@mail ~] # sed-n '24p' / etc/dovecot/conf.d/10-mail.conf

Mail_location = maildir:~/Maildir

[root@mail ~] # vim / etc/dovecot/conf.d/10-auth.conf

[root@mail ~] # sed-n '10p' / etc/dovecot/conf.d/10-auth.conf

Disable_plaintext_auth = yes# can not prohibit using plaintext authentication

[root@mail ~] # systemctl start dovecot

[root@mail ~] # netstat-pantu | grep: 110

Tcp 0 0 0.0.0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 00

Tcp6 0 0: 110: * LISTEN 4924/dovecot

[root@mail ~] # netstat-pantu | grep: 143

Tcp 0 0 0.0.0. 0. 0. 0. 0. 0. 0. 0. 0. 14. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0

Tcp6 0 0: 143: * LISTEN 4924/dovecot

[root@mail ~] # telnet localhost 110

Trying:: 1...

Connected to localhost.

Escape character is'^]'.

+ OK Dovecot ready.

USER jim

+ OK

PASS 654321

+ OK Logged in.

List

+ OK 1 messages:

1 423

.

Retr 1

+ OK 423 octets

Return-Path:

X-Original-To: jim@localhost

Delivered-To: jim@localhost.com.cn

Received: from localhost (localhost [IPv6:::1])

By mail.com.cn (Postfix) with SMTP id BEDA283BDA92

For; Thu, 4 Jan 2018 01:28:07-0500 (EST)

Message-Id:

Date: Thu, 4 Jan 2018 01:28:07-0500 (EST)

From: root@localhost.com.cn

XXXXX

XXXX

XXX

XX

X

.

Quit

+ OK Logging out.

Connection closed by foreign host.

# you can grab mail packets when you receive mail

[root@mail] # tcpdump-A-i lo tcp port 110

[root@mail] # tcpdump-A-I lo-w / tmp/mail.cap tcp port

[root@mail ~] # tcpdump-A-r / tmp/mail.cap | grep user

Reading from file / tmp/mail.cap, link-type EN10MB (Ethernet)

.S.R.. user jim # here you can grab the username and password of the email by grabbing the packet because it currently belongs to plaintext transmission

[root@mail ~] # tcpdump-A-r / tmp/mail.cap | grep pass

Reading from file / tmp/mail.cap, link-type EN10MB (Ethernet)

.S6 [.S..pass 654321

Second, deploy email TLS/SSL encrypted communication service

1 configuration of mail server (192.168.4.2):

[root@mail ~] # systemctl restart postfix

[root@mail ~] # netstat-pantu | grep master

Tcp 0 0 0.0.0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0

Tcp6 0 0: 25: * LISTEN 5415/master

[root@mail ~] # systemctl restart dovecot

[root@mail ~] # netstat-pantu | grep dovecot

Tcp 0 0 0.0.0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 00

Tcp 0 0 0.0.0. 0. 0. 0. 0. 0. 0. 0. 0. 14. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0

Tcp 0 0 0 9 9 0 0 0. 0 0 LISTEN 5446/dovecot

Tcp 0 0 0.0.0. 0. 0. 0. 0. 0. 0. 0. 0. 9. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0 of the LISTEN 5446/dovecot

Tcp6 0 0: 110: * LISTEN 5446/dovecot

Tcp6 0 0: 143: * LISTEN 5446/dovecot

Tcp6 0 0: 993: * LISTEN 5446/dovecot

Tcp6 0 0: 995: * LISTEN 5446/dovecot

2 create private key file: generate certificate request file mail.key

[root@mail ~] # cd / etc/pki/tls/private/# searches the private key directory by default

[root@mail private] # openssl genrsa 2048 > mail.key# executes the command to generate private key

3 create a certificate request file mail.csr

-req request

-New new file

-key private key

[root@mail private] # openssl req-new-key mail.key > ~ / mail.csr

You are about to be asked to enter information that will be incorporated

Into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value

If you enter'., the field will be left blank.

-

Country Name (2 letter code) [XX]: CN# and CA server match matching policy must be the same

State or Province Name (full name) []: beijing

Locality Name (eg, city) [Default City]: beijing

Organization Name (eg, company) [Default Company Ltd]: Xuenqlve

Organizational Unit Name (eg, section) []: ope

Common Name (eg, your name or your server's hostname) []: mail# is set to the service domain name or host name

Email Address []: Xuenqlve@163.com

Please enter the following 'extra' attributes

To be sent with your certificate request

A challenge password []:

An optional company name []:

5 upload the certificate request file to the CA server (192.168.4.1)

[root@mail] # scp ~ / mail.csr 192.168.4.1:/tmp

Configuration of the CA server (192.168.4.1):

Specific configuration of https://blog.51cto.com/13558754/2057718 for CA server

6 examine the certificate request document and issue the digital certificate

[root@CA certs] # openssl ca-in / tmp/mail.csr > mail.crt

Using configuration from / etc/pki/tls/openssl.cnf

Enter pass phrase for / etc/pki/CA/private/my-ca.key:

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 1 (0x1)

Validity

Not Before: Jan 5 04:52:52 2018 GMT

Not After: Jan 5 04:52:52 2019 GMT

Subject:

CountryName = CN

StateOrProvinceName = beijing

OrganizationName = Xuenqlve

OrganizationalUnitName = ope

CommonName = mail

EmailAddress = Xuenqlve@163.com

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

1E:C8:F7:FA:7D:F7:9F:7B:00:03:DC:3B:60:CB:A2:8F:C0:16:04:D1

X509v3 Authority Key Identifier:

Keyid:87:06:18:98:79:53:0E:26:0A:91:2D:B9:93:8A:C3:86:2B:CC:DF:E7

Certificate is to be certified until Jan 5 04:52:52 2019 GMT (days)

Sign the certificate? [y/n]: y

1 out of 1 certificate requests certified, commit? [y/n] y

Write out database with 1 new entries

Data Base Updated

Note: when the audit certificate request file reports the following error:

Error while loading serial number

Do the following

[root@CA CA] # echo 01 > serial

[root@CA certs] # cat.. / index.txt

V190105045252Z01unknown/C=CN/ST=beijing/O=Xuenqlve/OU=ope/CN=mail/emailAddress=Xuenqlve@163.com

[root@CA certs] # cat.. / serial

02

7 issue certificates to mail server (192.168.4.2)

[root@CA certs] # scp mail.crt 192.168.4.2:/root/

8 configuration service runtime invokes private key file digital certificate file

8.1 configure the outgoing email service

[root@mail ~] # vim / etc/postfix/main.cf

Add the following configuration

[root@mail] # tail-4 / etc/postfix/main.cf

Smtpd_use_tls = yes

# smtpd_tls_auth_only = yes

Smtpd_tls_key_file = / etc/pki/tls/private/mail.key

Smtpd_tls_cert_file = / etc/pki/tls/certs/mail.crt

[root@mail ~] # cp / root/mail.crt / etc/pki/tls/certs/

[root@mail ~] # systemctl restart postfix.service

[root@mail ~] # netstat-pantu | grep master

Tcp 0 0 0.0.0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0

Tcp6 0 0: 25: * LISTEN 6461/master

8.2 configure incoming mail service

[root@mail ~] # vim / etc/dovecot/conf.d/10-ssl.conf

Add the following configuration

[root@mail] # sed-n '14p * 15p' / etc/dovecot/conf.d/10-ssl.conf

Ssl_cert =

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.