郵件系統安全

OpenSSL + Stunnel + Iptable + 數字證書 PGP/GPG..

通過SSL訪問POP、IMAP、SMTP

通過Stunnel 實現SSL連接

  1. 安裝

    AS3,Redhat 9預設已經安裝

    需要下面兩個包:

    openssl

    stunnel

    [root@linuxas3 root]# rpm -qa |grep openssl
    openssl-0.9.7a-22.1
    openssl-devel-0.9.7a-22.1
    [root@linuxas3 root]# rpm -qa |grep stunnel
    stunnel-4.04-4
    [root@linuxas3 root]# cd /etc/stunnel/
    [root@linuxas3 stunnel]# ls
    stunnel.conf-sample stunnel.pem
    				
  2. 配置

    [root@linuxas3 stunnel]# cp stunnel.conf-sample stunnel.conf
    [root@linuxas3 stunnel]# mv stunnel.pem stunnel.pem.old
    [root@linuxas3 stunnel]# vi stunnel.conf
    				

    Example 1. stunnel.conf

    # Sample stunnel configuration file
    # Copyright by Michal Trojnara 2002
    
    # Comment it out on Win32
    cert = /etc/stunnel/stunnel.pem
    # chroot = /usr/var/run/stunnel/
    # PID is created inside chroot jail
    pid = /stunnel.pid
    #setuid = nobody
    #setgid = nogroup
    
    setuid = root
    setgid = root
    
    # Workaround for Eudora bug
    #options = DONT_INSERT_EMPTY_FRAGMENTS
    
    # Authentication stuff
    #verify = 2
    # don't forget about c_rehash CApath
    # it is located inside chroot jail:
    #CApath = /certs
    # or simply use CAfile instead:
    #CAfile = /usr/etc/stunnel/certs.pem
    
    # Some debugging stuff
    debug = 7
    output = stunnel.log
    
    # Use it for client mode
    #client = yes
    
    # Service-level configuration
    
    [pop3s]
    accept  = 995
    connect = 110
    
    [imaps]
    accept  = 993
    connect = 143
    
    [ssmtp]
    accept  = 465
    connect = 25
    
    [s1]
    accept  = 5000
    connect = mail.osw.pl:110
    # delay = yes
    
    [s2]
    accept  = 5001
    connect = mail.osw.pl:25
    
    #[https]
    #accept  = 443
    #connect = 80
    #TIMEOUTclose = 0
    
    [nntps]
    accept  = 563
    connect = 119
    					

    配置/運行 Stunnel

    stunnel 預設配置檔案是 /etc/stunnel/stunnel.conf
    下面是最小的服務方式配置檔案內容示範:
    
    key = stunnel.pem
    [http2ssl]
    accept = 443
    connect = 127.0.0.1:80
    
    含義:使用 stunnel.pem 證書,將 127.0.0.1: 80 的連接埠加密映射成本機443連接埠,“ http2ssl ”是名稱,可以改成其它的標識。 
    
    配置檔案檔案還有其它內容,詳情請看幫助。
    
    直接運行stunnel,就可以啟動 Stunnel 了。
    				

  3. 創建伺服器證書

    [root@linuxas3 stunnel]# cp /usr/share/ssl/openssl.cnf /etc/openssl.cnf
    [root@linuxas3 stunnel]# nano -w /etc/openssl.cnf
    [root@linuxas3 stunnel]# openssl req -new -x509 -days 365 -nodes -config /etc/openssl.cnf -out stunnel.pem -keyout stunnel.pem
    
    Generating a 1024 bit RSA private key
    ....................++++++
    .......................++++++
    writing new private key to 'stunnel.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [GB]:CN
    State or Province Name (full name) [Berkshire]:GD
    Locality Name (eg, city) [Newbury]:Shen Zhen
    Organization Name (eg, company) [My Company Ltd]:none
    Organizational Unit Name (eg, section) []:postfix
    Common Name (eg, your name or your server's hostname) []:netkiller
    Email Address []:openunix@163.com
    [root@linuxas3 stunnel]# openssl gendh 512 >> stunnel.pem
    [root@linuxas3 stunnel]# openssl x509 -subject -dates -fingerprint -in stunnel.pem
    [root@linuxas3 stunnel]# chmod 600 /etc/stunnel/stunnel.pem
    				

    Stunnel 客戶方式不需要證書。Stunnel 服務方式需要一個證書檔案。
    Stunnel 在 SSL Http Proxy 伺服器是以服務方式運行的,所以必須要有一個證書。通過 openssl.exe 創建伺服器證書。下面我將 Stunnel 關於創建證書的翻譯如下:
    “...運行下面的命令
    openssl req -new -x509 -days 365 -nodes -config openssl.cnf -out stunnel.pem -keyout stunnel.pem 
    這將會創建一個自己給自己簽名的證書。參數的含義:
    -days 365 
    使這個證書的有效期是1年,之後它將不能再用。
    -new 
    創建一個新的證書
    -x509 
    創建一個 X509 證書(自己簽名的)
    -nodes 
    這個證書沒有密碼
    -config openssl.cnf 
    OpenSSL 使用的配置檔案 (可能需要修改的有[CA_default]和[req_distinguished_name]這兩個 section,譯者)
    -out stunnel.pem 
    把 SSL 證書寫到哪裡
    -keyout stunnel.pem 
    把 SSL 證書放到這個檔案中
    
    這個命令將會問你以下問題:
    問題的回答示範
    Country name 國家代碼 PL, UK, US, CA...我國是CN,HK,TW
    State or Province name 省
    Locality Name 市
    Organization Name 公司、組織名稱
    Organizational Unit Name 部門名稱
    Common Name (FQDN) www.example.com 
    
    注意:Common Name (FQDN) 應該是運行 stunnel 機器的主機名。如果你能通過不同的主機名訪問這台機器,有些 SSL 客戶會警告這個主機的證書有問題,所以最好是使它和用戶訪問的主機名匹配。
    
    openssl gendh 512>> stunnel.pem 
    這將生成 Diffie-Hellman 部分, 追加到 pem 檔案中。
    
    openssl x509 -subject -dates -fingerprint -in stunnel.pem 
    這個命令是將你的證書信息在屏幕顯示出來。”
    					

  4. 運行

    [root@linuxas3 stunnel]# stunnel
    [root@linuxas3 stunnel]# ps ax |grep stunnel
    20733 ?        S      0:00 stunnel
    
    				
  5. 查看連接埠

    [root@linuxas3 stunnel]# nmap localhost
    
    Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
    Interesting ports on linuxas3.9812.net (127.0.0.1):
    (The 1582 ports scanned but not shown below are in state: closed)
    Port       State       Service
    22/tcp     open        ssh
    25/tcp     open        smtp
    80/tcp     open        http
    110/tcp    open        pop-3
    111/tcp    open        sunrpc
    119/tcp    open        nntp
    143/tcp    open        imap2
    443/tcp    open        https
    465/tcp    open        smtps
    563/tcp    open        snews
    631/tcp    open        ipp
    783/tcp    open        hp-alarm-mgr
    993/tcp    open        imaps
    995/tcp    open        pop3s
    3306/tcp   open        mysql
    5000/tcp   open        UPnP
    5001/tcp   open        commplex-link
    8009/tcp   open        ajp13
    8080/tcp   open        http-proxy
    
    Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds
    [root@linuxas3 stunnel]#
    				
  6. 測試

    詳細請看Outlook使用幫助

Iptables

查看iptables -L

# SMTP
/sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT 
# SMTPS
/sbin/iptables -A INPUT -p tcp --dport 465 -j ACCEPT
# POP3
/sbin/iptables -A INPUT -p tcp --dport 110 -j ACCEPT
# POP3S
/sbin/iptables -A INPUT -p tcp --dport 995 -j ACCEPT
# IMAP
/sbin/iptables -A INPUT -p tcp --dport 143 -j ACCEPT
# IMAPS
/sbin/iptables -A INPUT -p tcp --dport 993 -j ACCEPT