TLS | Записки системного администратора

Записи с меткой ‘TLS’

Установка и настройка Sendmail+Dovecot+TLS/SSL на Centos 7

Февраль 23rd, 2015

Evgeniy Kamenev

1.Установка Sendmail+Cyrus-sasl

# yum install sendmail sendmail-cf sendmail-doc cyrus-sasl-{lib,plain}

1	# yum install sendmail sendmail-cf sendmail-doc cyrus-sasl-{lib,plain}

2.Настройка Sendmail

# cd /etc/mail/

1	# cd /etc/mail/

# cp sendmail.mc{,.orig}

1	# cp sendmail.mc{,.orig}

# nano /etc/mail/sendmail.mc

1	# nano /etc/mail/sendmail.mc

divert(-1)dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for linux')dnl
OSTYPE(`linux')dnl
define(`confDEF_USER_ID', ``8:12'')dnl
dnl define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST', `True')dnl
define(`confDONT_PROBE_INTERFACES', `True')dnl
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A y')dnl
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confTO_IDENT', `0')dnl
FEATURE(`no_default_msa', `dnl')dnl
FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db', `hash -T&lt;TMPF&gt; -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA')dnl
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
FEATURE(`accept_unresolvable_domains')dnl
LOCAL_DOMAIN(`localhost.localdomain')dnl
MAILER(smtp)dnl
MAILER(procmail)dnl

divert(-1)dnl

include(`/usr/share/sendmail-cf/m4/cf.m4')dnl

VERSIONID(`setup for linux')dnl

OSTYPE(`linux')dnl

define(`confDEF_USER_ID', ``8:12'')dnl

dnl define(`confAUTO_REBUILD')dnl

define(`confTO_CONNECT', `1m')dnl

define(`confTRY_NULL_MX_LIST', `True')dnl

define(`confDONT_PROBE_INTERFACES', `True')dnl

define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl

define(`ALIAS_FILE', `/etc/aliases')dnl

define(`STATUS_FILE', `/var/log/mail/statistics')dnl

define(`UUCP_MAILER_MAX', `2000000')dnl

define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl

define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl

define(`confAUTH_OPTIONS', `A y')dnl

TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

define(`confTO_IDENT', `0')dnl

FEATURE(`no_default_msa', `dnl')dnl

FEATURE(`smrsh', `/usr/sbin/smrsh')dnl

FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl

FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl

FEATURE(redirect)dnl

FEATURE(always_add_domain)dnl

FEATURE(use_cw_file)dnl

FEATURE(use_ct_file)dnl

FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl

FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl

FEATURE(`blacklist_recipients')dnl

EXPOSED_USER(`root')dnl

DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA')dnl

DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl

FEATURE(`accept_unresolvable_domains')dnl

LOCAL_DOMAIN(`localhost.localdomain')dnl

MAILER(smtp)dnl

MAILER(procmail)dnl

# make all

1	# make all

# systemctl restart  sendmail

1	# systemctl restart sendmail

# systemctl enable sendmail

1	# systemctl enable sendmail

3.Настройка Sendmail на поддержку TLS/SSL

# cd /etc/pki/tls/certs

1	# cd /etc/pki/tls/certs

# make sendmail.pem

1	# make sendmail.pem

# cd /etc/mail

1	# cd /etc/mail

# nano sendmail.mc

1	# nano sendmail.mc

define(`CERT_DIR', `/etc/pki/tls/certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/sendmail.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/sendmail.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/sendmail.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/sendmail.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/sendmail.pem')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl

define(`CERT_DIR', `/etc/pki/tls/certs')dnl

define(`confCACERT_PATH', `CERT_DIR')dnl

define(`confCACERT', `CERT_DIR/sendmail.pem')dnl

define(`confSERVER_CERT', `CERT_DIR/sendmail.pem')dnl

define(`confSERVER_KEY', `CERT_DIR/sendmail.pem')dnl

define(`confCLIENT_CERT', `CERT_DIR/sendmail.pem')dnl

define(`confCLIENT_KEY', `CERT_DIR/sendmail.pem')dnl

DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl

# make all

1	# make all

# systemctl restart sendmail

1	# systemctl restart sendmail

Тестируем TLS-поддержку

# openssl s_client -starttls smtp -crlf -connect 127.0.0.1:25

1	# openssl s_client -starttls smtp -crlf -connect 127.0.0.1:25

4.Запуск и добавление в автозагрузку демона аутентификации Cyrus—sasl – saslauthd

# nano /etc/sysconfig/saslauthd

1	# nano /etc/sysconfig/saslauthd

SOCKETDIR=/run/saslauthd
MECH=pam
FLAGS=

SOCKETDIR=/run/saslauthd

MECH=pam

FLAGS=

# systemctl restart saslatuhd

1	# systemctl restart saslatuhd

# systemctl enable saslatuhd

1	# systemctl enable saslatuhd

5.Установка и настройка Dovecot

# yum install dovecot

1	# yum install dovecot

# cd /etc/dovecot

1	# cd /etc/dovecot

# cp -rp conf.d conf.d~

1	# cp -rp conf.d conf.d~

# cp dovecot.conf dovecot.conf~

1	# cp dovecot.conf dovecot.conf~

# nano conf.d/10-mail.conf

1	# nano conf.d/10-mail.conf

mail_location = maildir:~/Maildir

1	mail_location = maildir:~/Maildir

[…]

Опубликовано в рубрике Centos, Mail

Метки: centos 7, dovecot, sendmail, SSL, TLS

Комментарии отключены

Установка и настройка безопасного ProFTPD-сервера TLS/SSL на Centos 6/7

Февраль 4th, 2015

Evgeniy Kamenev

1.Настройка небезопасного ProFTPD -сервера

# yum install proftpd proftpd-utils

1	# yum install proftpd proftpd-utils

# cp /etc/proftpd.conf /etc/proftpd.conf~

1	# cp /etc/proftpd.conf /etc/proftpd.conf~

# nano /etc/proftpd.conf

1	# nano /etc/proftpd.conf

ServerName                     "My FTP server"
ServerIdent                     off
ServerAdmin                     root@localhost
DefaultServer                   on
DefaultRoot                     ~ !adm
AuthPAMConfig                   proftpd
AuthOrder                       mod_auth_pam.c* mod_auth_unix.c
UseReverseDNS                   off
UseIPv6                         off
IdentLookups                    off
User                           nobody
Group                           nobody
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200
MaxInstances                   20
MaxClientsPerHost 5
MaxClientsPerUser 5
MaxHostsPerUser 5
MaxLoginAttempts 3
UseSendfile                     off
LogFormat                       default "%h %l %u %t \"%r\" %s %b"
LogFormat                      auth   "%v [%P] %h %t \"%r\" %s"
SystemLog                       /var/log/proftpd/proftpd.log
TransferLog                     /var/log/proftpd/xfer.log
ExtendedLog                     /var/log/proftpd/auth.log AUTH auth

<Global>
Umask                        022
AllowOverwrite               yes
<Limit ALL SITE_CHMOD>

AllowAll

</Limit>
</Global>

ServerName "My FTP server"

ServerIdent off

ServerAdmin root@localhost

DefaultServer on

DefaultRoot ~ !adm

AuthPAMConfig proftpd

AuthOrder mod_auth_pam.c* mod_auth_unix.c

UseReverseDNS off

UseIPv6 off

IdentLookups off

User nobody

Group nobody

TimeoutNoTransfer 600

TimeoutStalled 600

TimeoutIdle 1200

MaxInstances 20

MaxClientsPerHost 5

MaxClientsPerUser 5

MaxHostsPerUser 5

MaxLoginAttempts 3

UseSendfile off

LogFormat default "%h %l %u %t \"%r\" %s %b"

LogFormat auth "%v [%P] %h %t \"%r\" %s"

SystemLog /var/log/proftpd/proftpd.log

TransferLog /var/log/proftpd/xfer.log

ExtendedLog /var/log/proftpd/auth.log AUTH auth

Umask 022

AllowOverwrite yes

AllowAll

</Limit>

</Global>

# proftpd –t

1	# proftpd –t

Centos 6

# chkconfig --level 2345 proftpd on

1	# chkconfig --level 2345 proftpd on

# /etc/init.d/proftpd start

1	# /etc/init.d/proftpd start

Centos 7

# systemctl enable proftpd

1	# systemctl enable proftpd

# systemctl start proftpd

1	# systemctl start proftpd

Настройка firewall Iptables

# iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

1	# iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT

1	# iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT

# nano /etc/sysconfig/iptables-config

1	# nano /etc/sysconfig/iptables-config

IPTABLES_MODULES="ip_conntrack_ftp"

1	IPTABLES_MODULES="ip_conntrack_ftp"

# /etc/init.d/iptables save

1	# /etc/init.d/iptables save

Firewalld

# firewall-cmd --permanent --add-port=21/tcp

1	# firewall-cmd --permanent --add-port=21/tcp

# firewall-cmd --reload

1	# firewall-cmd --reload

2.Настройка ProFTPD на использование TLS/SSL протокола

# mkdir /etc/ssl/proftpd

1	# mkdir /etc/ssl/proftpd

# openssl req -x509 -days 3650 -nodes -newkey rsa:1024 -keyout /etc/ssl/proftpd/proftpd.key -out /etc/ssl/proftpd/proftpd.crt

1	# openssl req -x509 -days 3650 -nodes -newkey rsa:1024 -keyout /etc/ssl/proftpd/proftpd.key -out /etc/ssl/proftpd/proftpd.crt

# chmod 600 /etc/ssl/proftpd/proftpd.key

1	# chmod 600 /etc/ssl/proftpd/proftpd.key

# nano /etc/proftpd.conf

1	# nano /etc/proftpd.conf

PassivePorts 49152 65534

1	PassivePorts 49152 65534

<IfDefine TLS>

TLSEngine                     on
#TLSRequired                 on
TLSRSACertificateFile         /etc/ssl/proftpd/proftpd.crt
TLSRSACertificateKeyFile     /etc/ssl/proftpd/proftpd.key
TLSCipherSuite               ALL:!ADH:!DES
TLSOptions                   NoCertRequest
TLSVerifyClient               off
#TLSRenegotiate               ctrl 3600 data 512000 required off timeout 300
TLSLog                       /var/log/proftpd/tls.log

<IfModule mod_tls_shmcache.c>
TLSSessionCache             shm:/file=/var/run/proftpd/sesscache

</IfModule>
</IfDefine>

TLSEngine on

#TLSRequired on

TLSRSACertificateFile /etc/ssl/proftpd/proftpd.crt

TLSRSACertificateKeyFile /etc/ssl/proftpd/proftpd.key

TLSCipherSuite ALL:!ADH:!DES

TLSOptions NoCertRequest

TLSVerifyClient off

#TLSRenegotiate ctrl 3600 data 512000 required off timeout 300

TLSLog /var/log/proftpd/tls.log

TLSSessionCache shm:/file=/var/run/proftpd/sesscache

</IfModule>

</IfDefine>

Если расскоментировать опцию #TLSRequired on ,тогда только TLS/SSL соединения будут разрешены. Чтобы […]

Опубликовано в рубрике Centos, FTP

Метки: centos 7, profptd, SSL, TLS

Комментарии отключены

Записи с меткой ‘TLS’

Установка и настройка Sendmail+Dovecot+TLS/SSL на Centos 7

Установка и настройка безопасного ProFTPD-сервера TLS/SSL на Centos 6/7

Страницы

Свежие записи

Архивы

Рубрики

Админ-панель