本节将概要介绍pop3和pop3s/imaps服务器的简单配置,以及Linux下抓包工具的使用。国内用户普遍喜欢用pop3协议收取邮件,这非常不安全(用户名和口令以明文传输),所以本节也将概要介绍pop3s/imaps服务器的配置。生产环境中配置pop3s服务器时,需要将pem格式的证书交给CA签名,才能被其他用户信任和使用。pop3和imap协议默认使用TCP的110和143端口,imaps和pop3s协议默认则使用TCP的993和995端口。邮件服务使用的账号就是系统账户,口令一旦被截获就可以用来登录系统,所以安全性相当重要,这也是RHCE的重点…
[root@server ~]# yum -y install dovecot.i386 //安装dovecot软件包,启动服务,设定下次开启自动启动,查看端口
[root@server ~]# service dovecot start
Starting Dovecot Imap: [ OK ]
[root@server ~]# chkconfig dovecot on
[root@server ~]# netstat -ntpl |grep -E '110|143|993|995+'
tcp 0 0 :::993 :::* LISTEN 4652/dovecot
tcp 0 0 :::995 :::* LISTEN 4652/dovecot
tcp 0 0 :::110 :::* LISTEN 4652/dovecot
tcp 0 0 :::143 :::* LISTEN 4652/dovecot
[root@server ~]# useradd test //新建一个系统账户用于测试
[root@server ~]# echo "test" |passwd --stdin test
Changing password for user test.
passwd: all authentication tokens updated successfully.
[root@server ~]# yum -y install wireshark.i386 //安装抓包工具wireshark
[root@server ~]# ifconfig eth1 |grep 'inet addr' //查看本机IP地址
inet addr:192.168.100.254 Bcast:192.168.100.255 Mask:255.255.255.0
[root@client ~]# nmap 192.168.100.254 //在客户端使用nmap扫描服务器端开启的端口
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2010-03-24 00:00 EDT
Interesting ports on 192.168.100.254:
Not shown: 1667 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
110/tcp open pop3
111/tcp open rpcbind
143/tcp open imap
763/tcp open cycleserv
784/tcp open unknown
796/tcp open unknown
993/tcp open imaps
995/tcp open pop3s
2049/tcp open nfs
MAC Address: 00:0C:29:0C:7C:4E (VMware)
Nmap finished: 1 IP address (1 host up) scanned in 23.250 seconds
[root@client ~]# telnet 192.168.100.254 110 //客户端使用telnet登陆POP3服务器
Trying 192.168.100.254…
Connected to 192.168.100.254 (192.168.100.254).
Escape character is ‘^]’.
+OK Dovecot ready.
user test
+OK
pass test
+OK Logged in.
quit
+OK Logging out.
Connection closed by foreign host.
[root@server ~]# tshark -ni eth1 -R "tcp.srcport eq 110 or tcp.dstport eq 110"
Running as user “root” and group “root”. This could be dangerous.
Capturing on eth1
14.993271 192.168.100.20 -> 192.168.100.254 TCP 37073 > 110 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=6422579 TSER=0 WS=3
15.001846 192.168.100.254 -> 192.168.100.20 TCP 110 > 37073 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=1702361 TSER=6422579 WS=3
15.003699 192.168.100.20 -> 192.168.100.254 TCP 37073 > 110 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=6422585 TSER=1702361
15.012454 192.168.100.254 -> 192.168.100.20 POP Response: +OK Dovecot ready.
15.015384 192.168.100.20 -> 192.168.100.254 TCP 37073 > 110 [ACK] Seq=1 Ack=21 Win=5840 Len=0 TSV=6422595 TSER=1702365
28.408355 192.168.100.20 -> 192.168.100.254 POP Request: user test //抓取到的用户名
28.412098 192.168.100.254 -> 192.168.100.20 TCP 110 > 37073 [ACK] Seq=21 Ack=12 Win=5792 Len=0 TSV=1705715 TSER=6432640
28.412856 192.168.100.254 -> 192.168.100.20 POP Response: +OK
28.414597 192.168.100.20 -> 192.168.100.254 TCP 37073 > 110 [ACK] Seq=12 Ack=26 Win=5840 Len=0 TSV=6432642 TSER=1705715
32.661573 192.168.100.20 -> 192.168.100.254 POP Request: pass test //抓取到的密码
32.721083 192.168.100.254 -> 192.168.100.20 TCP 110 > 37073 [ACK] Seq=26 Ack=23 Win=5792 Len=0 TSV=1706792 TSER=6435853
32.975813 192.168.100.254 -> 192.168.100.20 POP Response: +OK Logged in.
32.976282 192.168.100.20 -> 192.168.100.254 TCP 37073 > 110 [ACK] Seq=23 Ack=42 Win=5840 Len=0 TSV=6436067 TSER=1706856
34.747399 192.168.100.20 -> 192.168.100.254 POP Request: quit
34.748937 192.168.100.254 -> 192.168.100.20 TCP 110 > 37073 [ACK] Seq=42 Ack=29 Win=5792 Len=0 TSV=1707299 TSER=6437385
34.751905 192.168.100.254 -> 192.168.100.20 POP Response: +OK Logging out.
34.754700 192.168.100.20 -> 192.168.100.254 TCP 37073 > 110 [FIN, ACK] Seq=29 Ack=61 Win=5840 Len=0 TSV=6437389 TSER=1707299
34.755546 192.168.100.254 -> 192.168.100.20 TCP 110 > 37073 [ACK] Seq=61 Ack=30 Win=5792 Len=0 TSV=1707301 TSER=6437389
18 packets captured
以上演示说明使用pop3方式接收邮件十分不安全:用户名和密码都以明文出现在抓到的数据包中。下面介绍pop3s/imaps服务器的配置。
[root@server ~]# cd /etc/pki/tls/certs/ //进入证书生成目录,并删除系统为dovecot服务准备的pem格式默认证书
[root@server certs]# ls
ca-bundle.crt make-dummy-cert Makefile
[root@server certs]# rm -i /etc/pki/dovecot/private/dovecot.pem /etc/pki/dovecot/certs/dovecot.pem
rm: remove regular file `/etc/pki/dovecot/private/dovecot.pem’? y
rm: remove regular file `/etc/pki/dovecot/certs/dovecot.pem’? y
[root@server certs]# make dovecot.pem //产生新的pem证书
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -utf8 -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
cat $PEM1 > dovecot.pem ; \
echo “” >> dovecot.pem ; \
cat $PEM2 >> dovecot.pem ; \
rm -f $PEM1 $PEM2
Generating a 1024 bit RSA private key
………………..++++++
…..++++++
writing new private key to ‘/tmp/openssl.ZU4774’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:Fujian
Locality Name (eg, city) [Newbury]:Fuzhou
Organization Name (eg, company) [My Company Ltd]:www.666.com
Organizational Unit Name (eg, section) []:666
Common Name (eg, your name or your server’s hostname) []:mail.666.com
Email Address []:admin@666.com
[root@server certs]# cp dovecot.pem /etc/pki/dovecot/certs/ //将产生的证书放到相关的目录下
[root@server certs]# cp dovecot.pem /etc/pki/dovecot/private/
[root@server certs]# rm -i dovecot.pem
rm: remove regular file `dovecot.pem’? y
[root@server certs]# grep 'protocols' /etc/dovecot.conf //修改dovecot服务只监听993和995端口
protocols = imaps pop3s
[root@server certs]# service dovecot restart //重启服务
Stopping Dovecot Imap: [ OK ]
Starting Dovecot Imap: [ OK ]
[root@server certs]# !net
netstat -ntpl |grep -E '110|143|993|995+'
tcp 0 0 :::993 :::* LISTEN 4819/dovecot
tcp 0 0 :::995 :::* LISTEN 4819/dovecot
[root@client ~]# mutt -f ipops://192.168.100.254 //客户端测试
q:Exit ?:Help
This certificate belongs to:
mail.666.com
Unknown
www.666.com
666
Fuzhou
This certificate was issued by:
mail.666.com
Unknown
www.666.com
666
Fuzhou
This certificate is valid
from Mar 24 04:10:10 2010 GMT
to Mar 24 04:10:10 2011 GMT
Fingerprint: E979 F0BA 5FFB 8D25 FFD3 A54D F609 429E
— Mutt: SSL Certificate check
Username at 192.168.100.254: test
Password for test@192.168.100.254:
//下面抓到的数据包都经过了SSL/TLS加密,只能看到Application Data,看不到用户名和密码,大大提高了安全性
[root@server certs]# tshark -ni eth1 -R "tcp.srcport eq 993 or tcp.dstport eq 993"
Running as user “root” and group “root”. This could be dangerous.
Capturing on eth1
0.060698 192.168.100.20 -> 192.168.100.254 TLSv1 Application Data, Application Data
0.064789 192.168.100.254 -> 192.168.100.20 TLSv1 Application Data
0.066679 192.168.100.20 -> 192.168.100.254 TCP 57095 > 993 [ACK] Seq=91 Ack=54 Win=1787 Len=0 TSV=7036187 TSER=1911187
0.066683 192.168.100.20 -> 192.168.100.254 TLSv1 Application Data, Application Data
0.072568 192.168.100.254 -> 192.168.100.20 TLSv1 Application Data
0.074538 192.168.100.20 -> 192.168.100.254 TLSv1 Encrypted Alert
0.074542 192.168.100.20 -> 192.168.100.254 TCP 57095 > 993 [FIN, ACK] Seq=218 Ack=140 Win=1787 Len=0
………………………………………输出省略…………………………………………………………………
48 packets captured
//默认网卡混杂模式的修改与还原。改成混杂模式后,网卡会接收经过它的所有数据帧(而不只是发给本机MAC地址的帧),因此能看到交换机转发到该端口的全部数据包
[root@server certs]# ifconfig eth1 |grep -i promisc
[root@server certs]# ifconfig eth1 promisc
[root@server certs]# ifconfig eth1 |grep -i promisc
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
[root@server certs]# ifconfig eth1 -promisc