Using a CA to secure email transport

This experiment uses a CA set up on the mail server itself.

It builds on the environment set up in the previous blog post.

The CA itself is not introduced here; we go straight to the procedure.

The experiment is done in the bj.zz.com zone. SMTPS and STARTTLS only protect a single hop (client to server, or one MTA to the next), so when a message is relayed across zones it can still travel in plaintext on the other hops. Protecting the message itself end to end across zones is done on the client: on Windows this is PGP encryption, for which PGP software is available online; on Linux the equivalent is gpg. Look it up on your own afterwards.

[root@mail ~]# mount /dev/cdrom /mnt/cdrom

[root@mail ~]# sendmail -d0.1 -bv // show the features sendmail was compiled with

Version 8.13.8
Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX
MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6
NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS
TCPWRAPPERS USERDB USE_LDAP_INIT

[root@mail ~]# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.bj.zz.com ESMTP Sendmail 8.13.8/8.13.8; Mon, 13 Aug 2012 00:19:24 +0800
EHLO 127.0.0.1
250-mail.bj.zz.com Hello localhost.localdomain [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP

But STARTTLS is not advertised yet: the binary supports it (STARTTLS appears in the compile-time list above), but no certificate and key have been configured. The steps follow directly; if any of them is unclear, my earlier blog post explains them in detail.

[root@mail ~]# vim /etc/pki/tls/openssl.cnf

45 dir = /etc/pki/CA // CA working directory

88 countryName = optional
89 stateOrProvinceName = optional
90 organizationName = optional // relaxed policy: these fields in a CSR need not match the CA's own DN

136 countryName_default = CN
141 stateOrProvinceName_default = BEIJING
144 localityName_default = BEIJING // defaults offered at the openssl req prompts

[root@mail ~]# cd /etc/pki/CA/
[root@mail CA]# mkdir certs crl newcerts
[root@mail CA]# touch index.txt serial
[root@mail CA]# ll
total 20
drwxr-xr-x 2 root root 4096 08-13 00:29 certs
drwxr-xr-x 2 root root 4096 08-13 00:29 crl
-rw-r--r-- 1 root root 0 08-13 00:29 index.txt
drwxr-xr-x 2 root root 4096 08-13 00:29 newcerts
drwx------ 2 root root 4096 2009-06-30 private
-rw-r--r-- 1 root root 0 08-13 00:29 serial

[root@mail CA]# echo "01" >serial
[root@mail CA]# openssl genrsa 1024 >private/cakey.pem
Generating RSA private key, 1024 bit long modulus
..........++++++
................++++++
e is 65537 (0x10001)

[root@mail CA]# chmod 600 private/cakey.pem

[root@mail CA]# openssl req -new -key private/cakey.pem -x509 -out cacert.pem -days 3650

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BEIJING]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [My Company Ltd]:zz.com
Organizational Unit Name (eg, section) []:bj
Common Name (eg, your name or your server's hostname) []:bj.zz.com
Email Address []:

Encrypting mail transport (SMTP):

[root@mail CA]# mkdir -pv /etc/mail/certs

[root@mail CA]# cd /etc/mail/certs/

[root@mail certs]# openssl genrsa 1024 >sendmail.key

[root@mail certs]# openssl req -new -key sendmail.key -out sendmail.csr

Country Name (2 letter code) [CN]:
State or Province Name (full name) [BEIJING]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [My Company Ltd]:zz.com
Organizational Unit Name (eg, section) []:bj
Common Name (eg, your name or your server's hostname) []:bj.zz.com
Email Address []:

[root@mail certs]# openssl ca -in sendmail.csr -out sendmail.cert

Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Aug 12 16:46:51 2012 GMT
Not After : Aug 12 16:46:51 2013 GMT
Subject:
countryName = CN
stateOrProvinceName = BEIJING
organizationName = zz.com
organizationalUnitName = bj
commonName = bj.zz.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
00:48:FC:86:88:C6:97:5B:50:CE:A2:35:81:C6:B5:18:32:CA:30:83
X509v3 Authority Key Identifier:
keyid:F0:A7:0C:33:52:A1:93:11:E4:14:B6:AD:D0:B6:09:4B:56:2D:25:4F

Certificate is to be certified until Aug 12 16:46:51 2013 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

[root@mail certs]# chmod 600 *

[root@mail certs]# vim /etc/mail/sendmail.mc

60 define(`confCACERT_PATH', `/etc/pki/CA')dnl // CA directory

61 define(`confCACERT', `/etc/pki/CA/cacert.pem')dnl // CA certificate
62 define(`confSERVER_CERT', `/etc/mail/certs/sendmail.cert')dnl // server certificate
63 define(`confSERVER_KEY', `/etc/mail/certs/sendmail.key')dnl // server private key

134 DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl // also listen on port 465 (smtps) with TLS from the first byte; STARTTLS on port 25 is enabled by the certificate options above, and this line does not enable authentication

Then restart sendmail so that a new sendmail.cf is generated from sendmail.mc and loaded (the CentOS init script rebuilds sendmail.cf on restart; otherwise regenerate it with m4 first).

[root@mail certs]# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.bj.zz.com ESMTP Sendmail 8.13.8/8.13.8; Mon, 13 Aug 2012 00:59:09 +0800

EHLO 127.0.0.1
250-mail.bj.zz.com Hello localhost.localdomain [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP

Now STARTTLS is advertised in the EHLO reply, so the port 25 session can be upgraded to TLS.

Mail transport is now encrypted; we still need to encrypt mail retrieval (POP3).

[root@mail certs]# mkdir -pv /etc/mail/dovecot

[root@mail certs]# cd /etc/mail/dovecot/

[root@mail dovecot]# openssl genrsa 1024 >dovecot.key
Generating RSA private key, 1024 bit long modulus
.................................++++++
.................++++++
e is 65537 (0x10001)
[root@mail dovecot]# openssl req -new -key dovecot.key -out dovecot.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BEIJING]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [My Company Ltd]:zz.com
Organizational Unit Name (eg, section) []:bj
Common Name (eg, your name or your server's hostname) []:bj.zz.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@mail dovecot]# openssl ca -in dovecot.csr -out dovecot.cert
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Aug 12 17:17:03 2012 GMT
Not After : Aug 12 17:17:03 2013 GMT
Subject:
countryName = CN
stateOrProvinceName = BEIJING
organizationName = zz.com
organizationalUnitName = bj
commonName = bj.zz.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
E3:69:F9:FB:4E:97:4C:6F:D8:94:61:97:33:0A:5D:C7:12:A3:C9:91
X509v3 Authority Key Identifier:
keyid:F0:A7:0C:33:52:A1:93:11:E4:14:B6:AD:D0:B6:09:4B:56:2D:25:4F

Certificate is to be certified until Aug 12 17:17:03 2013 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
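The CA build and the two certificate issuances above (sendmail.cert and dovecot.cert) are interactive and easy to get subtly wrong. Below is the same procedure as one non-interactive script with verification, added here as an example and not part of the original post. It assumes the openssl CLI; instead of editing /etc/pki/tls/openssl.cnf it writes a self-contained openssl.cnf into the CA directory, uses 2048-bit keys and SHA-256 in place of the 1024-bit keys of the original (which are below current minimums), and issues the server certificates for mail.bj.zz.com, the name clients actually connect to, with a subjectAltName so that hostname checks pass. The function names and the scratch-directory layout are my own.

```shell
#!/bin/sh
# Added example, not from the original post: private CA plus server
# certificates, non-interactive, with verification. Assumes the openssl CLI.
set -eu

# build_ca DIR : create the CA layout, its config, key and self-signed root
build_ca() {
    dir=$1
    mkdir -p "$dir/certs" "$dir/crl" "$dir/newcerts" "$dir/private"
    chmod 700 "$dir/private"
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    # \$dir stays literal in the file; $dir is expanded by the shell
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $dir
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
unique_subject = no
policy = policy_loose
[ policy_loose ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null
    chmod 600 "$dir/private/cakey.pem"
    openssl req -new -x509 -sha256 -days 3650 -config "$dir/openssl.cnf" \
        -extensions v3_ca -key "$dir/private/cakey.pem" -out "$dir/cacert.pem" \
        -subj "/C=CN/ST=BEIJING/L=BEIJING/O=zz.com/OU=bj/CN=zz.com CA"
}

# issue_cert CADIR NAME HOST OUTDIR : key + CSR for HOST, signed by the CA
# with server extensions and a SAN so clients can match it against HOST
issue_cert() {
    cadir=$1 name=$2 host=$3 out=$4
    mkdir -p "$out"
    openssl genrsa -out "$out/$name.key" 2048 2>/dev/null
    chmod 600 "$out/$name.key"      # only the key must be private
    openssl req -new -sha256 -config "$cadir/openssl.cnf" -key "$out/$name.key" \
        -out "$out/$name.csr" -subj "/C=CN/ST=BEIJING/O=zz.com/OU=bj/CN=$host"
    # extensions come from this file, not from the CSR
    printf '%s\n' '[ server ]' 'basicConstraints = CA:FALSE' \
        'keyUsage = digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth' 'subjectKeyIdentifier = hash' \
        'authorityKeyIdentifier = keyid' "subjectAltName = DNS:$host" \
        > "$out/$name.ext"
    openssl ca -batch -notext -config "$cadir/openssl.cnf" -in "$out/$name.csr" \
        -extfile "$out/$name.ext" -extensions server -out "$out/$name.cert"
    chmod 644 "$out/$name.cert"
}

# verify_for_host CADIR CERT HOST : 0 only if CERT chains to our CA and is
# issued for HOST, which is exactly what a mail client checks
verify_for_host() {
    openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Run with "run" as the only argument to build everything in a scratch dir
if [ "${1:-}" = run ]; then
    work=$(mktemp -d)
    build_ca "$work/CA"
    issue_cert "$work/CA" sendmail mail.bj.zz.com "$work/mail/certs"
    issue_cert "$work/CA" dovecot mail.bj.zz.com "$work/mail/dovecot"
    verify_for_host "$work/CA" "$work/mail/certs/sendmail.cert" mail.bj.zz.com \
        && echo "sendmail.cert verifies for mail.bj.zz.com"
    openssl x509 -in "$work/mail/certs/sendmail.cert" -noout -subject -dates
fi
```

On the real server the calls would be build_ca /etc/pki/CA and issue_cert /etc/pki/CA sendmail mail.bj.zz.com /etc/mail/certs (likewise for dovecot); unique_subject = no is what lets two certificates with the same subject be issued, which the default CA policy refuses. The -verify_hostname check needs OpenSSL 1.0.2 or later, so run the verification step from a current machine rather than the 0.9.8 openssl that ships with this CentOS 5 server.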

[root@mail dovecot]# vim /etc/dovecot.conf

22 protocols = pop3s // only POP3 over SSL (port 995) is offered; plain pop3 on 110 is switched off

91 ssl_cert_file = /etc/mail/dovecot/dovecot.cert // certificate
92 ssl_key_file = /etc/mail/dovecot/dovecot.key // private key

[root@mail dovecot]# service dovecot restart

Now we can test mail transfer.

Client mail account test:

Since sending now uses smtps/STARTTLS and receiving uses pop3s, the client account has to be changed accordingly (SSL enabled for the outgoing and incoming servers):

[screenshot: client account settings]

Send a message from user1 to user2:

[screenshot: certificate warning shown by the mail client]

The warning appears because the client has not installed our CA certificate and so does not trust the server certificate; a certificate issued for CN bj.zz.com will also only match a client that connects to exactly that name, not to mail.bj.zz.com or the IP address.

This does not affect the experiment; click Yes. Outside the lab, install cacert.pem on the clients and issue the server certificate for the name clients actually use, rather than training users to accept the warning, because that same warning is all that stands between them and a man-in-the-middle certificate.

[root@mail ~]# tshark -ni eth0 -R "tcp.dstport eq 995"

Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
326.891389 192.168.145.11 -> 192.168.145.100 TCP 1115 > 995 [SYN] Seq=0 Win=65535 Len=0 MSS=1460
326.895489 192.168.145.11 -> 192.168.145.100 TCP 1115 > 995 [ACK] Seq=1 Ack=1 Win=65535 Len=0
326.895490 192.168.145.11 -> 192.168.145.100 SSL Client Hello
326.945106 192.168.145.11 -> 192.168.145.100 TLSv1 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
327.145815 192.168.145.11 -> 192.168.145.100 TCP 1115 > 995 [ACK] Seq=285 Ack=828 Win=64708 Len=0
327.364851 192.168.145.11 -> 192.168.145.100 TCP 1115 > 995 [ACK] Seq=285 Ack=869 Win=64667 Len=0

[root@mail ~]# tshark -ni eth0 -R "tcp.dstport eq 25"

56.500461 192.168.145.11 -> 192.168.145.100 TCP 1114 > 25 [SYN] Seq=0 Win=65535 Len=0 MSS=1460
56.501229 192.168.145.11 -> 192.168.145.100 TCP 1114 > 25 [ACK] Seq=1 Ack=1 Win=65535 Len=0
56.547270 192.168.145.11 -> 192.168.145.100 SMTP C: EHLO zzuce090d72288
56.548563 192.168.145.11 -> 192.168.145.100 SMTP C: STARTTLS
56.583316 192.168.145.11 -> 192.168.145.100 SMTP C: \200L\001\003\001\0003\000\000\000\020\000\000\004\000\000\005\000\000 | \001\000\200\a\000\300\003\000\200\000\000\t\006\000@\000\000d\000\000b\000\000\003\000\000\006\002\000\200\004\000\200\000\000\023\000\000\022\000\000c\270\033\366\325\371\366\365\232\323\035&\232y\367\215\331

On port 25 the client sends EHLO and STARTTLS in the clear, as the protocol requires; what tshark still labels "SMTP C:" after that is the TLS Client Hello (the leading \200L\001\003\001 is an SSLv2-compatible record header, 76 bytes long, followed by message type 1 and version 3.1, i.e. TLS 1.0), and everything after the handshake is ciphertext. The login and message body therefore never appear in plaintext. Note that this client used STARTTLS on port 25 rather than TLS-on-connect on 465; that is fine as long as the client is set to require TLS, because a client that merely prefers it can be silently downgraded to plaintext by an attacker who strips 250-STARTTLS from the EHLO reply.

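Two checks for the setup, added here as an example and not part of the original post: an offline check that decides from a saved EHLO reply (like the two telnet transcripts above) whether STARTTLS is advertised, and a live probe with openssl s_client that completes the STARTTLS or TLS-on-connect handshake and verifies the server certificate against our private CA and the hostname, which neither telnet nor the tshark captures above can tell you. The hostname mail.bj.zz.com, the ports and the CA path /etc/pki/CA/cacert.pem are taken from the post; the function names and the transcript file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Offline: read an EHLO reply saved
# to a file and list the advertised extensions / test for STARTTLS. Online:
# handshake with openssl s_client and verify chain + hostname against the
# private CA. Host, ports and CA path are the ones used in the post.
set -eu

# smtp_extensions FILE : keywords of the 250 multi-line reply in FILE, one per
# line; the first 250 line is the greeting ("250-host Hello ...") and is skipped
smtp_extensions() {
    sed -n 's/^250[- ]\([A-Za-z0-9]*\).*$/\1/p' "$1" | sed '1d'
}

# offers_starttls FILE : exit 0 when STARTTLS is advertised in FILE
offers_starttls() {
    smtp_extensions "$1" | grep -qx 'STARTTLS'
}

# tls_verify HOST PORT CAFILE [PROTO] : TLS handshake with HOST:PORT, using
# STARTTLS when PROTO (smtp, pop3) is given and TLS-on-connect otherwise
# (465, 995). Prints s_client's verify result; exits 0 only for "0 (ok)",
# i.e. the certificate chains to CAFILE and is issued for HOST.
tls_verify() {
    host=$1 port=$2 cafile=$3 proto=${4:-}
    if [ -n "$proto" ]; then set -- -starttls "$proto"; else set --; fi
    out=$(printf 'QUIT\r\n' | openssl s_client -connect "$host:$port" "$@" \
        -CAfile "$cafile" -verify_hostname "$host" 2>&1) || true
    code=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: //p' | tail -n 1)
    printf '%s:%s %s\n' "$host" "$port" "${code:-no TLS handshake}"
    [ "$code" = "0 (ok)" ]
}

# Run with "probe" as the only argument to check all three listeners
if [ "${1:-}" = probe ]; then
    ca=/etc/pki/CA/cacert.pem
    tls_verify mail.bj.zz.com 25  "$ca" smtp || echo "STARTTLS on 25 failed verification"
    tls_verify mail.bj.zz.com 465 "$ca"      || echo "smtps failed verification"
    tls_verify mail.bj.zz.com 995 "$ca"      || echo "pop3s failed verification"
fi
```

Run the probe from a client machine with OpenSSL 1.0.2 or later (the -verify_hostname option does not exist in the 0.9.8 openssl of CentOS 5). With the certificates exactly as issued in the post (CN bj.zz.com, no subjectAltName) the probe reports a hostname mismatch for mail.bj.zz.com, which is the same problem the mail client's warning above is pointing at.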