
Secure access for Exchange Server 2010 clients

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

Experimental description

By default, MAPI access is already encrypted.

Demo: how to send and receive mail with POP3S

Demo: how to send and receive mail over HTTPS

Certificates

1. What is the difference between a CA (Certificate Authority) and a certificate?

CA: a service running on a server whose main job is to issue certificates to computers (users). The server on which the CA is installed is called a certificate server.

Certificate: a file (tool) obtained from the CA

2. What is the purpose of a certificate?

1) Security encryption - HTTPS://

Demo: www.icbc.com - ICBC

Demo: mail.baidu.com - Baidu mail

2) Authentication - USB shield (online banking requires the USB shield when transferring money). A certificate is stored in the USB shield.

3. How do I get a certificate?

1) Purchase a certificate from a certificate vendor on the public network

Public certificate vendors: www.verisign.com (the best-known worldwide), www.ssl.com, www.wosign.com

www.icbc.com (ICBC), www.ccb.com (China Construction Bank), www.ebank (Shanghai Pudong Development Bank), mail.baidu.com (Baidu mail); the certificate in these cases is a VeriSign certificate

2) Install the certificate service on an internal server, then issue certificates through that CA

CA name: vbers Enterprise Root CA

4. What is the difference between a certificate purchased on the public network and one issued by a CA deployed inside the company?

1) Similarity: from the point of view of encryption strength, they are exactly the same.

2) Differences:

A: For a certificate purchased on the public network, all clients trust the issuing CA by default, whereas clients do not trust a CA you deploy yourself.

www.earthhome.com - untrusted website

www.12306.cn - Ministry of Railways website

B: Much of the encryption setup requires contacting the CA to verify the validity of the certificate. If the CA is not working properly, the verification fails and encryption cannot be established.

Experimental process

Lab demonstration 1: secure access to OWA-based clients

Step 1: install the AD Certificate Services role and the Web Server role on the DC

Enter "servermanager.msc" in Run

Step 2: here, check the certificate web enrollment role service

Select Enterprise, because this CA issues certificates for the enterprise

Fill in the common name of the CA here. ("Did I get this field wrong?" In theory it should be "contoso Enterprise Root CA", but it does not matter much.)

On Exchange 2010, enter "inetmgr" in Run and press Enter

View the local trusted certification authorities

Request a certificate through the web on the client: enter "http://vbers/certsrv" in the address bar

Click "Download a CA certificate, certificate chain, or CRL" below

Choose to download the CA certificate chain below.

Click Save below; here I save it on the desktop.

As shown in the following figure, this is the certificate chain just downloaded. Right-click it to start the import and import it directly into the Trusted Root Certification Authorities store.

After Exchange Server 2010 is installed, a certificate is automatically generated locally. This certificate is self-signed, and by default no client trusts it.

Next, create a "domain certificate" on Exchange Server 2010. Note that this way of creating the certificate is wrong: it can only request a certificate for a single name, and it only supports mailbox access for a single domain name, and only through OWA.

Fill in the identifying certificate information below; a certificate is generated once this completes

Ha, notice that this area is greyed out? That is because the "vbers Enterprise Root CA" certificate from the DC is not yet trusted here.

Checking the local store confirms that this certificate is absent, which is the reason it shows as grey

Next, I will force a Group Policy refresh on Exchange Server 2010.

Now the trusted authority is present.

Now that this is resolved, give the created certificate a friendly name: it provides identity login and verification for the external network.
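The greyed-out request above comes down to whether the enterprise root has reached the Exchange server's Trusted Root store. The following PowerShell is an added example (not from the original post) that checks for the "vbers Enterprise Root CA" root on the Exchange server, forces the Group Policy refresh the walkthrough describes if it is missing, and then builds the chain of every certificate in the machine's personal store against it; the CA name is taken from the post, everything else is assumed.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell on the Exchange 2010 server.
function Test-EnterpriseRootTrusted {
    param([string]$CaName = "vbers Enterprise Root CA")   # CA name from the walkthrough
    $root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "*CN=$CaName*" } |
        Select-Object -First 1
    if (-not $root) { return $false }
    # A usable root is self-signed and still within its validity period; an expired or
    # mis-issued copy leaves the certificate request greyed out just like a missing one.
    return (($root.Subject -eq $root.Issuer) -and ($root.NotAfter -gt (Get-Date)))
}

if (-not (Test-EnterpriseRootTrusted)) {
    # The enterprise root is published to domain members through Group Policy,
    # so a forced refresh is the fix the walkthrough applies.
    gpupdate /force
    # certutil -pulse also pulls the enterprise root from AD immediately (built into Windows).
    certutil -pulse
}
"Enterprise root trusted: $(Test-EnterpriseRootTrusted)"

# Verify that each certificate in the machine personal store (where Exchange keeps its
# certificates) now chains to a trusted root; the self-signed Exchange certificate will not.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $ok = $chain.Build($_)
    [pscustomobject]@{
        Subject    = $_.Subject
        Issuer     = $_.Issuer
        ChainValid = $ok
        Status     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ","
    }
} | Format-Table -AutoSize
```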

Now an additional certificate appears locally.

Let's start binding https as the access port.

Replace the certificate for mail.contoso.com

Next, force a Group Policy refresh on the client

The client now accesses the mailbox by entering the address http://mail.contoso.com/owa

There is no longer any certificate error prompt, and a lock appears in the address bar.

View the certification path of the certificate

Lab demonstration 2: secure and encrypted access through MAPI

Use the multi-domain-name access method; this is the correct demonstration process

Next, delete the mail profile of "Marry" on the client.

Create a new profile; any name will do.

Clicking Next directly, the Alice account is selected automatically, which is very convenient and simplifies the work.

Oh, see, an error is reported here. What does it mean?

Note: the certificate requested through the web is not sufficient for local users; a single-domain-name certificate is not good enough, so a certificate covering multiple domain names is required here.

Next, select "New Exchange Certificate" under Server Configuration.

Give the certificate a memorable name

Here we do not use a wildcard when creating the new certificate, because wildcard certificates are expensive to purchase!

Below, you only need to check the two items above. After expanding the later items, you will find that two items have been checked automatically.

Now set "mail.contoso.com" as the public name, the domain name that provides access from the public network.

Next, export the newly created request to the desktop and choose an easy-to-remember name.

Several certificates are now listed: the one just requested is at the top, and the incorrect earlier request is second.

The next task is to open the file just exported and copy all of its contents

Now request a certificate through web enrollment using the Base64-encoded request

Click "Request a certificate" below

Click "Advanced certificate request" below.

Select the Base64-encoded certificate request here

Next, select Web Server as the certificate template, then click Submit.

When doing this experiment with IE I found a conflict and could not download the certificate. Below, the Firefox browser is used to access the page and download the certificate, as shown:

Fill in the trusted certification authority here

Click "Yes"

Click "Complete Pending Request"

Click to browse to the certificate just issued by the CA.

Click "Assign Services to Certificate"

Check the first four

Delete the local "self-signed" certificate
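The request, submission, completion and service assignment above can also be done without the EMC wizard. The following Exchange Management Shell script is an added example (not from the original post) that generates the multi-name request, submits it to the enterprise CA with the Web Server template, completes the pending request and assigns the four services; mail.contoso.com and the CA name come from the post, while autodiscover.contoso.com, the CA host name and the file paths are assumptions.

```powershell
# Added example, not part of the original post. Run in the Exchange Management Shell on Exchange 2010.
# 1. Generate a Base64 (PKCS#10) request covering several names, no wildcard (as in the post).
$request = New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true `
    -SubjectName "CN=mail.contoso.com, O=contoso" `
    -DomainName mail.contoso.com, autodiscover.contoso.com `   # autodiscover name is assumed
    -FriendlyName "Exchange 2010 client access (OWA/MAPI/POP3)"
Set-Content -Path C:\certreq\mail.contoso.com.req -Value $request

# 2. Submit the request to the enterprise CA using the Web Server template.
#    "vbers.contoso.com\vbers Enterprise Root CA" assumes the CA host is the DC named vbers.
certreq -submit -config "vbers.contoso.com\vbers Enterprise Root CA" `
    -attrib "CertificateTemplate:WebServer" `
    C:\certreq\mail.contoso.com.req C:\certreq\mail.contoso.com.cer

# 3. Complete the pending request (matches it to the private key generated in step 1)
#    and assign the same four services the wizard offers.
$cert = Import-ExchangeCertificate -FileData ([byte[]](Get-Content -Path C:\certreq\mail.contoso.com.cer -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS, POP, IMAP, SMTP

# 4. Remove the default self-signed certificate only after the CA-issued one carries the services.
Get-ExchangeCertificate |
    Where-Object { $_.IsSelfSigned -and $_.Thumbprint -ne $cert.Thumbprint -and $_.Services -eq 'None' } |
    ForEach-Object { Remove-ExchangeCertificate -Thumbprint $_.Thumbprint -Confirm:$false }

# 5. Show what is left: the new certificate should list IIS, POP, IMAP, SMTP and Status Valid.
Get-ExchangeCertificate | Format-Table Thumbprint, Status, Services, CertificateDomains -AutoSize
```

Step 4 only removes self-signed certificates that no longer have any service bound, so a certificate still in use is never deleted by mistake.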

Access through OWA is now encrypted

View the certification path of the certificate

Log in via MAPI below

It now passes straight through here.

Login via MAPI is secure and successful

The following test logs in to the mailbox through POP3

Choose manual configuration here

When the configuration is complete, click "Test Account Settings"

Next, turn on the POP3 service on Exchange 2010.

Let's allow anonymous users to log in.

When anonymous login is selected, the login account and password do not need to be filled in here.

Next, in the advanced options check "This server requires an encrypted connection", change the outgoing server port to 587, and set the encrypted connection type to Auto.

The POP3 mailbox login test was successful

This concludes the client secure access demonstration for OWA, MAPI, and POP3.
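For the POP3 part of the demonstration, the following PowerShell is an added example (not from the original post) that turns on the POP3 service as the post does, additionally restricts it to TLS-protected logins, and then connects from a client to port 995 to confirm which certificate and protocol the server actually presents; the server name mail.contoso.com is taken from the post, the service settings and the banner check are assumptions.

```powershell
# Added example, not part of the original post. First half: Exchange Management Shell on the server.
Set-Service -Name MSExchangePOP3 -StartupType Automatic
Start-Service -Name MSExchangePOP3
# Refuse plaintext logins: only authentication inside TLS (SecureLogin) is accepted,
# so a client that skips "requires an encrypted connection" cannot send a password in clear.
Set-PopSettings -LoginType SecureLogin
Restart-Service -Name MSExchangePOP3

# Second half: from any client that trusts "vbers Enterprise Root CA".
function Test-Pop3sConnection {
    param([string]$Server = "mail.contoso.com", [int]$Port = 995)   # server name from the post
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    # The default validation callback is kept on purpose: the chain must be trusted by this
    # machine's root store, which is exactly what importing the CA chain earlier provides.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($Server)
        $reader = New-Object System.IO.StreamReader($ssl)
        $banner = $reader.ReadLine()            # e.g. "+OK The Microsoft Exchange POP3 service is ready."
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Banner   = $banner
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            Expires  = $cert.NotAfter
            Protocol = $ssl.SslProtocol
        }
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }
}
Test-Pop3sConnection
```

If AuthenticateAsClient throws, the client does not trust the certificate chain, which is the same condition that produced the greyed-out request and the OWA certificate warning earlier in the post.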
