Postfix + TLS + SASL2 + Courier-imap (building a mail server with encrypted transport and authenticated access)
Step 1. Hardening the server's SMTP service
# Install the Postfix MTA mail server software
#cd /usr/ports/mail/postfix
#make install clean
※ In the first menu that appears, select only SASL and TLS (DB41 is also checked here because it is required when SASL is built with DB4.1)
[X] SASL2 Cyrus SASLv2 (Simple Authentication and Security Layer)
[X] TLS SSL and TLS
[X] DB41 Berkeley DB4.1 (required if SASL also built with DB4.1)
You need user "postfix" added to group "mail".
Would you like me to add it [y]? y
Would you like to activate Postfix in /etc/mail/mailer.conf [n]? y
# Install cyrus-sasl2-saslauthd
# cd /usr/ports/security/cyrus-sasl2-saslauthd
#make install clean
#vi /etc/rc.conf
# Disable sendmail. On FreeBSD, sendmail starts at boot by default as a
# local-only MTA bound to 127.0.0.1. At the same time, make postfix and
# saslauthd start automatically at boot.
sendmail_enable="NONE"
postfix_enable="YES"
saslauthd_enable="YES"
#vi /usr/local/etc/postfix/main.cf
# Edit the Postfix configuration file main.cf
myhostname = ms1.ntut.idv.tw
mydomain = nttu.idv.tw
alias_maps = hash:/usr/local/etc/postfix/aliases
smtpd_banner = $myhostname ESMTP
myorigin = $myhostname
mynetworks = $myhostname, 127.0.0.1
home_mailbox = Maildir/
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
smtpd_recipient_restrictions = permit_sasl_authenticated, check_relay_domains
#vi master.cf
# In master.cf enable the smtp and smtps services. smtps opens port 465 so that
# Outlook Express can use encrypted (TLS-wrapped) transport.
# Just remove the comment markers from these lines; the -o overrides belong on
# indented continuation lines under the smtps entry.
smtp      inet  n       n       n       -       -       smtpd
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
#postalias /usr/local/etc/postfix/aliases # Build the aliases.db file
#vi /usr/local/lib/sasl2/smtpd.conf # Configure the SASL smtpd authentication method: plain and login
pwcheck_method: saslauthd
mechlist: plain login crammd5 digestmd5
#vi /usr/local/etc/rc.d/saslauthd.sh # Edit saslauthd.sh
Original >> saslauthd_flags=${saslauthd_flags:-"-a pam"}
Change to >> saslauthd_flags=${saslauthd_flags:-"-a getpwent"}
# Restart saslauthd and postfix
Restart them with the .sh scripts under /usr/local/etc/rc.d
#ps -aux | grep saslauthd # Confirm again that saslauthd is running
584 ?? Is 0:00.01 /usr/local/sbin/saslauthd -a getpwent
585 ?? I 0:00.00 /usr/local/sbin/saslauthd -a getpwent
586 ?? I 0:00.00 /usr/local/sbin/saslauthd -a getpwent
587 ?? I 0:00.00 /usr/local/sbin/saslauthd -a getpwent
588 ?? I 0:00.00 /usr/local/sbin/saslauthd -a getpwent
#telnet localhost 25 # Test port 25 and check that two extra 250-AUTH lines now appear
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.ntut.idv.tw.
Escape character is '^]'.
220 ms1.ntut.idv.tw ESMTP
ehlo locahost
250-ms1.ntut.idv.tw
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH NTLM LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
250 8BITMIME
quit
221 Bye
Connection closed by foreign host.
Step 2. Creating the server's SMTP certificate
First check whether the system already has /usr/bin/openssl; if it does, use the built-in one so as not to end up with two versions of SSL installed.
The built-in SSL's CA.pl is at /usr/src/crypto/openssl/apps/CA.pl
A separately installed SSL's CA.pl is at /usr/local/openssl/misc/CA.pl
The respective configuration files are located at
/etc/ssl/openssl.cnf
/usr/local/openssl/openssl.cnf
Depending on which one is used, edit openssl.cnf and CA.pl and change ./demoCA to ./CA
#cd /usr/ports/security/openssl
# openssl is installed here to obtain the CA.pl perl script, which makes generating keys easy
#make install clean
#mkdir /usr/local/etc/postfix/CA # Create the directory that holds the CA
#cd /usr/local/etc/postfix/CA
#cp /usr/local/openssl/misc/CA.pl ./ # Copy the CA.pl perl script into the CA directory just created
# perl CA.pl -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
.++++++
.......................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase: ( enter a passphrase )
Verifying - Enter PEM pass phrase: ( enter the passphrase again )
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TW
State or Province Name (full name) [Some-State]:Taiwan
Locality Name (eg, city) []:Taichung
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ERA
Organizational Unit Name (eg, section) []:ISP
Common Name (eg, YOUR name) []:ms1.ntut.idv.tw
Email Address []:xxxxx@gmail.com
#cd /usr/local/etc/postfix/CA
#openssl req -nodes -config /usr/local/openssl/openssl.cnf -new -days 3650 -newkey rsa:1024 -keyout serverkey.pem -out serverreq.pem
Generating a 1024 bit RSA private key
......++++++
...............++++++
writing new private key to 'serverkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TW
State or Province Name (full name) [Some-State]:Taiwan
Locality Name (eg, city) []:Taichung
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ERA
Organizational Unit Name (eg, section) []:ISP
Common Name (eg, YOUR name) []:ms1.ntut.idv.tw
Email Address []:xxxxxx@gmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ( enter a password )
An optional company name []:ERA
# Go back up one directory level
#cd /usr/local/etc/postfix
#openssl ca -config /usr/local/openssl/openssl.cnf -policy policy_anything -out servercert.pem -infiles serverreq.pem
Using configuration from /usr/local/openssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
96:a5:d5:76:64:ad:3f:31
Validity
Not Before: Apr 13 01:52:30 2006 GMT
Not After : Apr 13 01:52:30 2007 GMT
Subject:
countryName = TW
stateOrProvinceName = Taiwan
localityName = Taichung
organizationName = ERA
organizationalUnitName = ISP
commonName = ms1.ntut.idv.tw
emailAddress = xxxxx@gmail.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
32:98:18:2A:98:B9:03:EC:A2:A9:E5:1A:C9:09:82:6B:95:5D:D2:D3
X509v3 Authority Key Identifier:
keyid:66:9D:78:67:61:75:95:B0:60:72:59:F5:77:4B:83:0D:D1:E4:B7:E8
DirName:/C=TW/ST=Taiwan/L=Taichung/O=ERA/OU=ISP/CN=ms1.ntut.idv.tw/emailAddress=xxxxx@gmail.com
serial:96:A5:D5:76:64:AD:3F:30
Certificate is to be certified until Apr 13 01:52:30 2007 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
#cat serverkey.pem servercert.pem > post.pem
#vi /usr/local/etc/postfix/main.cf # Add the TLS settings for Postfix's smtpd
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /usr/local/etc/postfix/CA/post.pem
smtpd_tls_cert_file = /usr/local/etc/postfix/CA/post.pem
smtpd_tls_CAfile = /usr/local/etc/postfix/CA/post.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
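The main.cf fragments from Step 1 (SASL and relay restrictions) and Step 2 (TLS) together decide two things a reviewer cares about: whether a user's password can cross the network in clear, and whether the box relays for anyone. The script below is an added example, not part of the original post. It reads a main.cf, prints one line per weak setting, and is run here against a constructed copy of the page's own settings and a hardened variant. The hardened file's paths (serverkey.pem, servercert.pem and demoCA/cacert.pem under /usr/local/etc/postfix/CA) are assumptions; the parameters smtpd_tls_security_level, smtpd_tls_auth_only and reject_unauth_destination are standard Postfix parameters that the page does not use.

```shell
#!/bin/sh
# Added example (not from the post): audit a Postfix main.cf for the SASL/TLS/relay
# settings this page sets up. The two configs written below are constructed input.

# get KEY FILE: value of a main.cf parameter (last definition wins, as in Postfix)
get() {
    awk -v k="$1" '
        /^[ \t]*#/ { next }
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key)
            if (key == k) {
                val = substr($0, index($0, "=") + 1)
                sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val); last = val
            }
        }
        END { print last }' "$2"
}

# has_word LIST WORD: is WORD one of the comma/space separated items in LIST?
has_word() {
    case " $(printf '%s' "$1" | tr ',' ' ') " in *" $2 "*) return 0 ;; esac
    return 1
}

# audit_main_cf FILE: print one line per finding; always returns 0
audit_main_cf() {
    cf="$1"
    [ "$(get smtpd_sasl_auth_enable "$cf")" = yes ] ||
        echo "SASL: smtpd_sasl_auth_enable is not yes; authenticated relaying is off"
    has_word "$(get smtpd_sasl_security_options "$cf")" noanonymous ||
        echo "SASL: noanonymous missing from smtpd_sasl_security_options"
    lvl=$(get smtpd_tls_security_level "$cf")
    if [ "$(get smtpd_use_tls "$cf")" != yes ] && [ "$lvl" != may ] && [ "$lvl" != encrypt ]; then
        echo "TLS: STARTTLS is not enabled (smtpd_use_tls or smtpd_tls_security_level)"
    fi
    [ "$(get smtpd_tls_auth_only "$cf")" = yes ] ||
        echo "TLS: smtpd_tls_auth_only is not yes; AUTH PLAIN/LOGIN is offered on the plaintext session"
    ca=$(get smtpd_tls_CAfile "$cf")
    if [ -n "$ca" ] && [ "$ca" = "$(get smtpd_tls_key_file "$cf")" ]; then
        echo "TLS: smtpd_tls_CAfile is the server key/cert bundle; point it at the CA certificate"
    fi
    rr=$(get smtpd_recipient_restrictions "$cf")
    if has_word "$rr" check_relay_domains; then
        echo "RELAY: check_relay_domains is the legacy spelling; use reject_unauth_destination"
    elif ! has_word "$rr" reject_unauth_destination; then
        echo "RELAY: nothing rejects unauthenticated relaying (open relay unless smtpd_relay_restrictions covers it)"
    fi
    return 0
}

WEAK_CF=$(mktemp); HARDENED_CF=$(mktemp)
trap 'rm -f "$WEAK_CF" "$HARDENED_CF"' EXIT
# constructed: the page's own Step 1 + Step 2 settings
cat > "$WEAK_CF" <<'EOF'
myhostname = ms1.ntut.idv.tw
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated, check_relay_domains
smtpd_use_tls = yes
smtpd_tls_key_file = /usr/local/etc/postfix/CA/post.pem
smtpd_tls_cert_file = /usr/local/etc/postfix/CA/post.pem
smtpd_tls_CAfile = /usr/local/etc/postfix/CA/post.pem
EOF
# constructed: hardened variant (file layout assumed)
cat > "$HARDENED_CF" <<'EOF'
myhostname = ms1.ntut.idv.tw
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /usr/local/etc/postfix/CA/serverkey.pem
smtpd_tls_cert_file = /usr/local/etc/postfix/CA/servercert.pem
smtpd_tls_CAfile = /usr/local/etc/postfix/CA/demoCA/cacert.pem
EOF
echo "== page settings =="; audit_main_cf "$WEAK_CF"
echo "== hardened =="; audit_main_cf "$HARDENED_CF"
```

Three findings come out of the page's settings: AUTH is offered before STARTTLS, smtpd_tls_CAfile points at the server's own key/cert bundle instead of the CA certificate, and check_relay_domains is the legacy form of the relay restriction. Whatever file holds the private key (post.pem here) should be readable by root only, the same idea as the chmod 400 in the Apache key post further down.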
#postfix reload # Reload postfix
#telnet localhost 25 # Test whether TLS is enabled: type STARTTLS by hand; on success the server answers with the "220 Ready to start TLS" line shown below
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.ntut.idv.tw.
Escape character is '^]'.
220 ms1.ntut.idv.tw ESMTP
ehlo localhost
250-ms1.ntut.idv.tw
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH NTLM LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
250 8BITMIME
STARTTLS
220 Ready to start TLS
quit
quit
221 Bye
Connection closed by foreign host.
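Both telnet sessions above show 250-AUTH in the reply to the very first EHLO, before any STARTTLS, so a client is free to send PLAIN or LOGIN credentials over the unencrypted connection. The check below is an added example, not from the post: it reads a captured SMTP transcript and reports whether AUTH was advertised before the TLS handshake. The two transcripts are constructed, the first from the page's Step 2 output and the second as what the same server would answer with smtpd_tls_auth_only = yes.

```shell
#!/bin/sh
# Added example (not from the post): does a server advertise AUTH before STARTTLS?
# Reads an SMTP transcript on stdin. Everything after the client's STARTTLS
# command is inside the TLS session and is ignored.
auth_before_starttls() {
    awk '
        /^STARTTLS[ \t]*$/ { exit }               # client command: stop reading here
        /^250[- ]STARTTLS/ { starttls = 1 }
        /^250[- ]AUTH[ =]/ { auth = 1 }
        END {
            if (auth && starttls) { print "AUTH offered in clear although STARTTLS is available: set smtpd_tls_auth_only = yes"; exit 0 }
            if (auth)             { print "AUTH offered in clear and no STARTTLS at all"; exit 0 }
            print "AUTH not offered before STARTTLS"; exit 1
        }'
}

# constructed from the page's Step 2 telnet session
PAGE_SESSION='220 ms1.ntut.idv.tw ESMTP
ehlo localhost
250-ms1.ntut.idv.tw
250-STARTTLS
250-AUTH NTLM LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
250 8BITMIME
STARTTLS
220 Ready to start TLS'

# constructed: the same server once smtpd_tls_auth_only = yes is set;
# AUTH only appears in the EHLO sent inside the TLS session
HARDENED_SESSION='220 ms1.ntut.idv.tw ESMTP
ehlo localhost
250-ms1.ntut.idv.tw
250-STARTTLS
250 8BITMIME
STARTTLS
220 Ready to start TLS
250-AUTH PLAIN LOGIN'

printf '%s\n' "$PAGE_SESSION" | auth_before_starttls || :
printf '%s\n' "$HARDENED_SESSION" | auth_before_starttls || :
```

Against a live host, capture the plaintext EHLO exchange exactly as the page does with telnet and pipe it into the function. After the fix, AUTH should only show up in the EHLO you send through `openssl s_client -starttls smtp -connect host:25`, which performs the handshake before handing you the session.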
Monday, September 10, 2007
Generating SSL certificates
C. Install the private key
——————————————————
First find the path of the openssl program
which openssl
/usr/bin/openssl
Switch to the /usr/local/apache/conf/ssl.key directory
cd /usr/local/apache/conf/ssl.key
/usr/bin/openssl genrsa -des3 1024 > Floatisha.key
chmod 400 Floatisha.key
D. Generate a certificate signing request (CSR)
——————————————
Switch to the /usr/local/apache/conf/ssl.csr directory
cd /usr/local/apache/conf/ssl.csr
/usr/bin/openssl req -new -key ../ssl.key/Floatisha.key -out Floatisha.csr
E. Generate a temporary (self-signed) certificate
——————————————
Switch to the /usr/local/apache/conf/ssl.crt directory
cd /usr/local/apache/conf/ssl.crt
/usr/bin/openssl req -x509 -days 365 -key ../ssl.key/Floatisha.key -in ../ssl.csr/Floatisha.csr -out Floatisha.crt
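Steps C, D and E above are the usual key, CSR and self-signed certificate workflow. The script below is an added example, not the post's own commands: it runs the same three steps non-interactively (a -subj string and a constructed passphrase instead of prompts, AES-256 instead of 3DES for the key at rest, a minimal request config written inline so no system openssl.cnf is needed) and then checks what the post never checks: that key, CSR and certificate share one RSA modulus, and that the certificate carries the expected CN. The output directory, subject and passphrase are constructed for the demo; it needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the post): key -> CSR -> self-signed cert, then verify
# that the three artefacts belong together. Requires the openssl CLI.

PASS='pass:constructed-demo-passphrase'   # constructed; in practice prompt for it or read it from a protected file

# make_self_signed DIR CN: returns 0 on success, 1 on an openssl error, 2 if openssl is missing
make_self_signed() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; return 2; }
    dir="$1"; cn="$2"
    # minimal request config so the example does not depend on the system openssl.cnf
    cat > "$dir/req.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
EOF
    # C. private key, encrypted at rest and created under a restrictive umask
    ( umask 077 && openssl genrsa -aes256 -passout "$PASS" -out "$dir/$cn.key" 2048 2>/dev/null ) || return 1
    chmod 400 "$dir/$cn.key"
    # D. certificate signing request; -subj replaces the interactive DN prompts
    openssl req -new -batch -config "$dir/req.cnf" -key "$dir/$cn.key" -passin "$PASS" \
        -subj "/C=TW/ST=Taiwan/L=Taichung/O=ERA/OU=ISP/CN=$cn" -out "$dir/$cn.csr" || return 1
    # E. temporary self-signed certificate from the CSR, signed with the same key (365 days, as in the post)
    openssl req -x509 -batch -config "$dir/req.cnf" -days 365 -key "$dir/$cn.key" -passin "$PASS" \
        -in "$dir/$cn.csr" -out "$dir/$cn.crt" || return 1
}

# key_matches_cert KEY CSR CRT: true when all three carry the same RSA modulus
key_matches_cert() {
    k=$(openssl rsa  -noout -modulus -in "$1" -passin "$PASS" | openssl dgst -sha256)
    r=$(openssl req  -noout -modulus -in "$2" | openssl dgst -sha256)
    c=$(openssl x509 -noout -modulus -in "$3" | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# cert_common_name CRT: the CN from the certificate subject (old and new openssl subject formats)
cert_common_name() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

OUT=$(mktemp -d)
trap 'rm -rf "$OUT"' EXIT
if make_self_signed "$OUT" ms1.ntut.idv.tw; then
    key_matches_cert "$OUT/ms1.ntut.idv.tw.key" "$OUT/ms1.ntut.idv.tw.csr" "$OUT/ms1.ntut.idv.tw.crt" \
        && echo "key, CSR and certificate share one modulus"
    echo "certificate CN: $(cert_common_name "$OUT/ms1.ntut.idv.tw.crt")"
    ls -l "$OUT"
fi
```

The modulus comparison is the quick way to catch the classic deployment mistake of installing a certificate next to the wrong key: Apache (or Postfix) then fails at startup or, worse, at the first TLS handshake.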
Thursday, September 6, 2007
SMP dual-core kernel + Firewall + NAT
# No USB, SCSI, RAID, Wireless, NIC drivers, IPv6, NFS, PCMCIA
# Named MyKernel
machine i386
cpu I686_CPU
ident MyKernel
options SMP
options SCHED_ULE # 5BSD scheduler
options PREEMPTION # Enable kernel thread preemption
options INET # InterNETworking
options FFS # Berkeley Fast Filesystem
options SOFTUPDATES # Enable FFS soft updates support
options UFS_ACL # Support for access control lists
options UFS_DIRHASH # Improve performance on big directories
options MD_ROOT # MD is a potential root device
options PROCFS # Process filesystem (requires PSEUDOFS)
options PSEUDOFS # Pseudo-filesystem framework
options GEOM_GPT # GUID Partition Tables.
options COMPAT_43 # Compatible with BSD 4.3 [KEEP THIS!]
options COMPAT_FREEBSD4 # Compatible with FreeBSD4
options COMPAT_FREEBSD5 # Compatible with FreeBSD5
#options SCSI_DELAY=1000 # Delay (in ms) before probing SCSI
options SYSVSHM # SYSV-style shared memory
options SYSVMSG # SYSV-style message queues
options SYSVSEM # SYSV-style semaphores
options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options ADAPTIVE_GIANT # Giant mutex is adaptive.
device apic # I/O APIC
device pci
device ata
device atadisk # ATA disk drives
device ataraid # ATA RAID drives
device atapicd # ATAPI CDROM drives
device atapist # ATAPI tape drives
options ATA_STATIC_ID # Static device numbering
device scbus # SCSI bus (required for SCSI)
device atkbdc # AT keyboard controller
device atkbd # AT keyboard
device psm # PS/2 mouse
device kbdmux # keyboard multiplexer
device vga # VGA video card driver
device sc
device agp # support several AGP chipsets
# Power management support (see NOTES for more options)
device apm
# Add suspend/resume support for the i8254.
device pmtimer
device cbb # cardbus (yenta) bridge
device ppc
device ppbus # Parallel port bus (required)
device sio # 8250, 16[45]50 based serial ports
device miibus # MII bus support
device loop # Network loopback
device random # Entropy device
device ether # Ethernet support
device ppp # Kernel PPP
device tun # Packet tunnel.
device pty # Pseudo-ttys (telnet etc)
device md # Memory "disks"
device gif # IPv6 and IPv4 tunneling
device faith # IPv6-to-IPv4 relaying (translation)
device bpf # Berkeley packet filter
device uhci # UHCI PCI->USB interface
device ohci # OHCI PCI->USB interface
device ehci # EHCI PCI->USB interface (USB 2.0)
device usb # USB Bus (required)
# FireWire support
device firewire # FireWire bus code
device sbp # SCSI over FireWire (Requires scbus and da)
device fwe # Ethernet over FireWire (non-standard!)
#Firewall
options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
options IPDIVERT
options ACCEPT_FILTER_HTTP
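The IPFIREWALL options at the end of this config decide how the host behaves before, or if, its ruleset loads. IPFIREWALL_DEFAULT_TO_ACCEPT makes ipfw pass every packet that no rule matches, so a rule file that fails to load at boot leaves the machine wide open; a default-to-deny kernel fails closed instead (and can lock you out of a remote box, which is why console access matters). The script below is an added example, not from the post: it extracts the option names from a kernel config and reports that posture. The config text it reads is a constructed excerpt of MyKernel.

```shell
#!/bin/sh
# Added example (not from the post): pull the option names out of a FreeBSD kernel
# config and report what the ipfw options mean for the default firewall behaviour.

# kernel_opts FILE: one enabled option name per line (comments and 'device' lines skipped)
kernel_opts() {
    awk '$1 == "options" { sub(/#.*/, ""); n = $2; sub(/=.*/, "", n); print n }' "$1"
}

# has_opt FILE NAME: is NAME an enabled option?
has_opt() { kernel_opts "$1" | grep -qx "$2"; }

# firewall_posture FILE: INFO:/WARN: lines describing the firewall build; always returns 0
firewall_posture() {
    cfg="$1"
    if ! has_opt "$cfg" IPFIREWALL; then
        echo "INFO: no IPFIREWALL, ipfw is not compiled in (it can still be loaded as a module)"
        return 0
    fi
    if has_opt "$cfg" IPFIREWALL_DEFAULT_TO_ACCEPT; then
        echo "WARN: default-to-accept; if the ruleset fails to load at boot, every packet passes"
    else
        echo "INFO: default-to-deny; a failed ruleset load blocks all traffic (fails closed)"
    fi
    if has_opt "$cfg" IPFIREWALL_VERBOSE && ! has_opt "$cfg" IPFIREWALL_VERBOSE_LIMIT; then
        echo "WARN: logging without IPFIREWALL_VERBOSE_LIMIT; a packet flood can fill the log"
    fi
    has_opt "$cfg" IPDIVERT && echo "INFO: IPDIVERT present; divert sockets available for natd NAT"
    return 0
}

PAGE_KERNEL=$(mktemp); DENY_KERNEL=$(mktemp)
trap 'rm -f "$PAGE_KERNEL" "$DENY_KERNEL"' EXIT
# constructed excerpt of the MyKernel config above
cat > "$PAGE_KERNEL" <<'EOF'
ident MyKernel
options SMP
options INET # InterNETworking
#options SCSI_DELAY=1000 # Delay (in ms) before probing SCSI
device bpf # Berkeley packet filter
#Firewall
options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
options IPDIVERT
EOF
# constructed: the same kernel built fail-closed
grep -v IPFIREWALL_DEFAULT_TO_ACCEPT "$PAGE_KERNEL" > "$DENY_KERNEL"
echo "== MyKernel =="; firewall_posture "$PAGE_KERNEL"
echo "== default-to-deny build =="; firewall_posture "$DENY_KERNEL"
```

With the page's build the only warning is the accept-by-default policy; the verbose limit of 10 already caps the log rate, and IPDIVERT is what natd needs for the NAT in the post's title.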