By David Lechnyr

Sendmail has two rarely used options that are excellent for security and access control: AUTH and STARTTLS. The AUTH option requires a valid username and password for all SMTP traffic; those who have one may request relaying of email (great for laptops on a mobile IP). STARTTLS lets all SMTP traffic be SSL-encrypted. For these two options you need OpenSSL, Cyrus SASL and Sendmail.

OpenSSL

Get OpenSSL from http://www.openssl.org/source/ and do the following:
$ ./config --prefix=/usr --openssldir=/etc/ssl shared
$ make
$ make test
# make install
# strip /usr/bin/openssl /usr/lib/libcrypto.a /usr/lib/libssl.a
# cp -fa /etc/ssl/man /usr && rm -rf /etc/ssl/man
# ldconfig -v

Cyrus SASL

Get Cyrus SASL 1.5.28 from ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/. At the moment Cyrus SASL 2.1.15 has a problem with Sendmail 8.12.10.
$ tar xzf cyrus-sasl-1.5.28.tar.gz
$ cd cyrus-sasl-1.5.28
$ ./configure --prefix=/usr --enable-login
$ make
# make install
# echo "/usr/lib/sasl" >> /etc/ld.so.conf
# ldconfig -v

Create the AUTH configuration file for Sendmail (/usr/lib/sasl/Sendmail.conf):

pwcheck_method: shadow
Sendmail

Get Sendmail 8.12.10 from http://www.sendmail.org

$ tar xzf sendmail.8.12.10.tar.gz
$ cd sendmail-8.12.10/devtools/Site

Create the file devtools/Site/site.config.m4 with the following contents:

APPENDDEF(`conf_sendmail_ENVDEF', `-DSASL -DSTARTTLS')
APPENDDEF(`conf_sendmail_LIBS', `-lsasl -lssl -lcrypto')

From the top-level directory of the unpacked archive run the Build command with the '-c' option, which tells Sendmail to re-read the changes we just made:
$ cd ../..
$ sh Build -c
$ cd cf/cf

Now create the Sendmail configuration file cf/cf/sendmail.mc. This is my example; adjust it to your own configuration.

VERSIONID(`Sample Sendmail AUTH/STARTTLS configuration file')dnl
OSTYPE(linux)dnl
DOMAIN(generic)dnl
define(`confAUTH_OPTIONS', `A')dnl
define(`confAUTH_MECHANISMS', `PLAIN')dnl
TRUST_AUTH_MECH(`PLAIN')dnl
define(`confCACERT_PATH', `/etc/ssl/certs')dnl
define(`confCACERT', `/etc/ssl/certs/certificate-authority.crt')dnl
define(`confSERVER_CERT', `/etc/ssl/certs/server.crt')dnl
define(`confSERVER_KEY', `/etc/ssl/certs/server.key')dnl
define(`confPRIVACY_FLAGS', `goaway')dnl
MAILER(local)dnl
MAILER(smtp)dnl

We cannot use cram-md5 or digest-md5 because they are hard (almost impossible) to configure. That is why we use STARTTLS: the plaintext password is then encrypted during the AUTH transaction.

Build the final configuration and install Sendmail:

$ sh Build sendmail.cf
# mkdir -p /etc/mail
# sh Build install-cf
# cd ../..
# sh Build install

Install the certificate

If you do not have a certificate, I recommend Thawte. For more information see http://www.modssl.org/docs/2.8/ssl_faq.html#ToC24

You need three files:

1. /etc/ssl/certs/server.crt - your SSL certificate (chmod 400)
2. /etc/ssl/certs/server.key - the server's SSL private key (chmod 400)
3. /etc/ssl/certs/certificate-authority.crt - the root certificate issued by the certificate authority

Putting it all together

Start Sendmail:
# /usr/sbin/sendmail -L sm-mta -bd -q30m
# /usr/sbin/sendmail -L sm-msp-queue -Ac -q30m

Test

On the sendmail server:

$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.fluffygerbils.net ESMTP Sendmail 8.12.10/8.12.10; Tue, 23 Sep 2003 12:16:07 -0700
ehlo localhost
250-mail.fluffygerbils.net Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP

You can see AUTH PLAIN and STARTTLS, which is a good sign. Now let us compare a non-AUTH/STARTTLS transaction with the new transaction:

Regular SMTP transaction

[Packet capture of a plain SMTP session between hr.uoregon.edu [128.223.51.169] and a Sendmail server. The 220 banner, EHLO, the 250 capability list (including AUTH PLAIN and STARTTLS), MAIL FROM:<david@hr.uoregon.edu>, "250 2.1.0 ... Sender ok" and RCPT TO: are all readable in the clear.]

AUTH/SASL SMTP transaction

[Packet capture of the same session using STARTTLS. The banner, EHLO and capability list are still readable, followed by STARTTLS and "220 2.0.0 Ready to start TLS". After that only the TLS handshake is recognisable (the server certificate for hr.uoregon.edu, issued by the Thawte Server CA and valid from 2002-09-19 to 2003-10-08, and the Thawte Server CA root certificate); everything that follows, including the AUTH exchange, is encrypted.]
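The following script is an added example and is not part of David Lechnyr's article. It gathers the checks a practitioner would run once the steps above are done: that the three certificate files exist with the modes the article asks for, that server.key actually belongs to server.crt (via openssl, when installed), and that an EHLO reply advertises both STARTTLS and AUTH before any client is allowed to send AUTH PLAIN. The paths are the article's; CERT_DIR (an override so the checks can be pointed at a scratch directory), the function names and the probe hostname check.example are assumptions made for this example, and the sample EHLO reply is copied from the telnet test above. Note that the sendmail.mc in the article advertises AUTH PLAIN on the unencrypted connection too, as the telnet session shows; Sendmail's confAUTH_OPTIONS also accepts a `p` flag that refuses plaintext-password mechanisms unless a security layer such as TLS is active, which is the usual server-side complement to the client-side rule enforced below.

```shell
#!/bin/sh
# Added example (not from the original article): post-install checks for the
# Sendmail AUTH/STARTTLS setup described above.

# Where the article puts the certificate files; override for testing (assumption).
CERT_DIR="${CERT_DIR:-/etc/ssl/certs}"

# True if FILE exists with exactly octal MODE (POSIX find: a mode without a
# leading '-' means "exactly this mode", so 644 does not pass for 400).
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2" -print 2>/dev/null)" ]
}

# check_file PATH MODE: prints OK / MISSING / BAD MODE, returns 0 only on OK.
# An empty MODE skips the permission test (the article gives none for the CA file).
check_file() {
    f="$1"; want="$2"
    if [ ! -f "$f" ]; then
        echo "MISSING  $f"; return 1
    fi
    if [ -n "$want" ] && ! has_mode "$f" "$want"; then
        echo "BAD MODE $f (want $want)"; return 1
    fi
    echo "OK       $f"
}

# The three files from the "Install the certificate" section, with the chmod 400
# the article requires for the certificate and the private key.
check_cert_files() {
    rc=0
    check_file "$CERT_DIR/server.crt" 400 || rc=1
    check_file "$CERT_DIR/server.key" 400 || rc=1
    check_file "$CERT_DIR/certificate-authority.crt" "" || rc=1
    return $rc
}

# Compare the RSA moduli of certificate and key. Needs openssl; assumes an RSA key,
# which is what a Thawte server certificate of that era carried.
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || { echo "SKIP     openssl not found"; return 0; }
    c=$(openssl x509 -noout -modulus -in "$CERT_DIR/server.crt" 2>/dev/null) || return 1
    k=$(openssl rsa  -noout -modulus -in "$CERT_DIR/server.key" 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# ehlo_offers RESPONSE KEYWORD: true if the EHLO reply advertises KEYWORD, on
# either a "250-KEYWORD" continuation line or the final "250 KEYWORD" line.
ehlo_offers() {
    printf '%s\n' "$1" | tr -d '\r' | grep -Eiq "^250[- ]$2( |\$)"
}

# ehlo_auth_mechs RESPONSE: prints the mechanisms from the AUTH line, e.g. "PLAIN".
ehlo_auth_mechs() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^250[- ]AUTH //p'
}

# auth_policy RESPONSE: the client-side rule the article's setup depends on.
# Prints tls-then-auth (safe to AUTH PLAIN once STARTTLS has succeeded),
# no-tls (never send the password) or no-auth; returns 0 only for the first.
auth_policy() {
    if ! ehlo_offers "$1" STARTTLS; then echo no-tls;  return 1; fi
    if ! ehlo_offers "$1" AUTH;     then echo no-auth; return 1; fi
    echo tls-then-auth
}

# probe_server HOST: fetch the post-STARTTLS EHLO reply the way a monitoring check
# would; openssl s_client performs the STARTTLS upgrade itself. check.example is a
# placeholder client name. Not called by the tests.
probe_server() {
    printf 'EHLO check.example\r\nQUIT\r\n' |
        openssl s_client -quiet -starttls smtp -connect "$1:25" 2>/dev/null
}

# Sample EHLO reply, reproduced from the article's telnet session.
SAMPLE_EHLO='250-mail.fluffygerbils.net Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP'

main() {
    check_cert_files && key_matches_cert &&
        echo "policy for sample EHLO: $(auth_policy "$SAMPLE_EHLO")"
}

# Run the file checks only on request, e.g.  sh check-smtp-auth.sh --check
if [ "${1:-}" = "--check" ]; then main; fi
```

Run it with `--check` on the mail server after `sh Build install`; a BAD MODE line on server.key is the finding that matters most, since a world-readable private key undoes everything STARTTLS buys. The `auth_policy` function is what a submission client or a monitoring probe should evaluate before sending credentials: an EHLO reply without STARTTLS means AUTH PLAIN would put the password on the wire in the clear, exactly like the "Regular SMTP transaction" capture above.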
Translator's note: I am a 100% amateur at translating and I hesitate a lot when I have to translate certain words specific to the field of computing. I will be glad if there are people who are more skilled at translating and willing to develop this site.