translated/tech/20200427 How to secure your Linux email services with SSL-TLS.md

This commit is contained in:
Acceleratorrrr 2020-05-12 17:29:41 +01:00
parent 9819731b9c
commit 22135999d1
2 changed files with 201 additions and 209 deletions

View File

@ -1,209 +0,0 @@
[#]: collector: (lujun9972)
[#]: translator: ( )
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (How to secure your Linux email services with SSL/TLS)
[#]: via: (https://opensource.com/article/20/4/securing-linux-email)
[#]: author: (Marc Skinner https://opensource.com/users/marc-skinner)
How to secure your Linux email services with SSL/TLS
======
Protect your Linux email services by understanding security
certificates.
![email or newsletters via inbox and browser][1]
Traditionally, email services send data in an unprotected way—whether you are sending emails via SMTP or receiving them via IMAP or POP, the defaults are in cleartext. With more online applications enforcing encryption and the general consensus to protect your data, it's best to secure your email services with a Secure Sockets Layer/Transport Layer Security (SSL/TLS) security certificate.
First, a quick review of email services and protocols. Email is sent via a service called Simple Mail Transport Protocol (SMTP) using TCP port 25. This protocol sends emails from server to server based on DNS mail exchanger (MX) record lookups. Once an email is on the email server, it is retrieved using one of two services: Internet Message Access Protocol (IMAP) using port TCP 143, or Post Office Protocol (POP3) using port TCP 110. All of these services, by default, send your email and authentication to/from these services in plain text—thus, it's very unprotected!
To protect the email data and authentication, these services have added a security feature in which they can utilize an SSL/TLS certificate to wrap the data flow and communication with encryption. How SSL/TLS encryption secures information is beyond the scope of this article, but [Bryant Son's internet security article][2] covers it in great detail. At a high level, SSL/TLS encryption is a public/private encryption algorithm.
By adding these security features into the services, they can listen on new TCP ports:
Service | Default TCP Port | SSL/TLS Port
---|---|---
SMTP | 25 | 587
IMAP | 143 | 993
POP3 | 110 | 995
### Generate SSL/TLS certificates
SSL/TLS certificates can be generated for free using tools like [OpenSSL][3], or they can be purchased for a range of prices from public certificate authorities (CAs). In the past, generating your own certificate was easy and worked in most cases, but with the increasing demand for better security, most email clients don't trust self-generated SSL/TLS certificates without a manual exception.
If your use case is private or for testing, then saving money with a self-generated certificate makes sense. But if you're rolling this out to a large group or have paying customers, then you're better served by purchasing a certificate from a public, trusted company that sells them.
In either case, the process to start requesting a new certificate is to use the OpenSSL tooling on your Linux system to create a certificate signing request (CSR):
```
`$ openssl req -new -newkey rsa:2048 -nodes -keyout mail.mydomain.key -out mail.mydomain.csr`
```
This command will create a new CSR and private key at the same time for the service you are trying to secure. The process will ask you a number of questions associated with the certificate: location details, server fully qualified domain name (FQDN), email contact information, etc. Once you have filled out the information, the key and CSR will be generated.
#### If you generate your own certificate
If you want to generate your own certificate, you must create your own [root CA][4] before issuing the CSR command above. You can create your own root CA with:
```
`$ openssl genrsa -des3 -out myCA.key 2048`
```
It will prompt you to add a passphrase. Please give it a secure passphrase and don't lose it—this is your private root CA key, and as the name states, it's the root of all trust in your certificates.
Next, generate the root CA certificate:
```
`$ openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem`
```
After answering a few more questions, you will generate a root CA certificate with a five-year lifespan.
Using the CSR file from the steps above, you can request a new certificate to be generated and signed by the root CA you just created:
```
`$ openssl x509 -req -in mail.mydomain.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out mail.mydomain.pem -days 1825 -sha256`
```
Enter your private root CA key passphrase to create and sign the certificate.
Now you have the two files needed to configure your email services for enhanced security: the private key file, **mail.mydomain.key**, and the public certificate file, **mail.mydomain.pem**.
#### If you purchase a certificate
If you purchase a certificate from a vendor, it will ask you to upload that CSR to its system, as it is used as the input to generate the SSL/TLS certificate. The certificate will be accessible as a file (such as **mail.mydomain.pem**). Many SSL vendors also require you to download an intermediate certificate. If this is the case, you must combine the two certificate files into one, so the email service can process them both in combination. You can combine your certificate with a third-party intermediate certificate with:
```
`$ cat mail.mydomain.pem gd_bundle-g2-g1.crt > mail.mydomain.pem`
```
Notice that the output's file extension is **.pem**, which stands for Privacy-Enhanced Mail.
Now you have the two files you need to configure your email services for enhanced security: the private key file, **mail.mydomain.key**, and the public combined certificate file, **mail.mydomain.pem**.
### Create a safe directory for your files
Whether you created your own key or bought one from a vendor, create a safe, root-owned directory for the two files you created above. An example workflow to create a safe play would be:
```
$ mkdir /etc/pki/tls
$ chown root:root /etc/pki/tls
$ chmod 700 /etc/pki/tls
```
Make sure to set the permissions on your files after you copy them into **/etc/pki/tls** with:
```
`$ chmod 600 /etc/pki/tls/*`
```
### Configure your SMTP and IMAP services
Next, configure both the SMTP and the IMAP services to use the new security certificates. The programs used in this example for SMTP and IMAP are **postfix** and **dovecot**.
Edit ***/_****etc****_/*****postfix/main.cf** in your preferred text editor. Add the following lines:
```
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/pki/tls/mail.mydomain.pem
smtpd_tls_key_file = /etc/pki/tls/mail.mydomain.key
```
### Customize your config
The following options allow you to disable/enable different ciphers, protocols, etc.:
```
smtpd_tls_eecdh_grade = strong
smtpd_tls_protocols= !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols= !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_security_level=may
smtpd_tls_ciphers = high
tls_preempt_cipherlist = yes
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
smtpd_tls_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
```
Edit **/etc/dovecot/dovecot.conf** by adding these three lines:
```
ssl = required
ssl_cert = </etc/pki/tls/mail.mydomain.pem
ssl_key = </etc/pki/tls/mail.mydomain.key
```
Add the following options to disable/enable different ciphers, protocols, and more (I'll leave understanding and considering these up to you):
```
ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:ALL:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SSLv2
ssl_prefer_server_ciphers = yes
ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
ssl_min_protocol = TLSv1.2
```
### Set context for SELinux
If your Linux distribution has SELinux enabled, set the correct SELinux context for your new certificate files.
For Postfix SELinux:
```
`$ chcon -u system_u -t cert_t mail.mydomain.*`
```
For Dovecot SELinux:
```
`$ chcon -u system_u -t dovecot_cert_t mail.mydomain.*`
```
Restart both services and connect with your updated email client configurations. Some email clients will auto-detect the new port numbers; others will require you to update them.
### Test your setup
Quickly test from the command line with **openssl** and the **s_client** plugin:
```
$ openssl s_client -connect mail.mydomain.com:993
$ openssl s_client -starttls imap -connect mail.mydomain.com:143
$ openssl s_client -starttls smtp -connect mail.mydomain.com:587
```
These test commands will show a plethora of data about the connection, certificate, cipher, session, and protocol you're using. This is not only a good way to validate that the new configuration is working but also to confirm you're using the appropriate certificate and security settings you defined in the **postfix** or **dovecot** configuration files.
Stay secure!
--------------------------------------------------------------------------------
via: https://opensource.com/article/20/4/securing-linux-email
作者:[Marc Skinner][a]
选题:[lujun9972][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://opensource.com/users/marc-skinner
[b]: https://github.com/lujun9972
[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/newsletter_email_mail_web_browser.jpg?itok=Lo91H9UH (email or newsletters via inbox and browser)
[2]: https://opensource.com/article/19/11/internet-security-tls-ssl-certificate-authority
[3]: https://www.openssl.org/
[4]: https://en.wikipedia.org/wiki/Root_certificate
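Review bot: the intermediate-bundle command in this file, `$ cat mail.mydomain.pem gd_bundle-g2-g1.crt > mail.mydomain.pem`, destroys the certificate it is meant to combine: the shell opens and truncates `mail.mydomain.pem` for writing before `cat` reads it, so the leaf certificate is lost and only the bundle (or nothing) survives; it should write to a new file, e.g. `cat mail.mydomain.pem gd_bundle-g2-g1.crt > mail.mydomain-chain.pem`, and the Postfix/Dovecot `smtpd_tls_cert_file` / `ssl_cert` lines should then point at that file. Since this hunk moves the source into `translated/`, the same defect is carried into the translation unchanged and is worth fixing there. Two smaller points while this text is under review: the table labels 587 as the SMTP "SSL/TLS Port", but 587 is the submission port that upgrades with STARTTLS (which the later `openssl s_client -starttls smtp ... :587` test correctly assumes), and `PSD` in the `smtpd_tls_mandatory_exclude_ciphers` / `smtpd_tls_exclude_ciphers` lists looks like a typo for `PSK`, the name used in the Dovecot `ssl_cipher_list` on the same page.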

View File

@ -0,0 +1,201 @@
[#]: collector: (lujun9972)
[#]: translator: (Acceleratorrrr)
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (How to secure your Linux email services with SSL/TLS)
[#]: via: (https://opensource.com/article/20/4/securing-linux-email)
[#]: author: (Marc Skinner https://opensource.com/users/marc-skinner)
如何利用 SSL/TLS 保护你的Linux邮箱服务
======
通过理解安全证书来保护你的Linux邮箱服务。
![email or newsletters via inbox and browser][1]
通常不管你是通过简单邮件传输协议SMTP或者邮局协议POP发送或者接受邮件邮箱服务默认使用无保护明文来传输数据。近来随着数据加密成为越来越多程序的共识你需要传输层安全性协议 / 安全套接层SSL/TLS的安全证书来保护你的邮箱服务。
首先快速回顾一下邮箱服务和协议的基本流程。邮件通过简单邮件传输协议从端口25发出。这个协议依靠DNS邮件交换服务器里的地址信息来传输邮件。当邮件到达邮件服务器后可以被以下两种服务中的任意一种检索因特网信息访问协议IMAP使用端口143或者邮局协议第3版本POP3使用端口110。然而以上服务默认默认使用明文传输邮件和验证信息。这非常的不安全
以上服务已经添加了安全功能来保护邮件内容和验证信息使它们可以利用SSL/TLS证书包裹和加密数据流。SSL/TLS如何加密数据的细节不在本文讨论范围有兴趣的话可以阅读[布莱恩特关于网络安全的文章][2]。概括的说SSL/TLS 加密本质是一种基于公钥和私钥的算法。
通过加入新的安全功能后这些服务可以监听新的TCP端口
服务 | 默认TCP端口 | SSL/TLS 端口
---|---|---
SMTP | 25 | 587
IMAP | 143 | 993
POP3 | 110 | 995
### 生成 SSL/TLS 证书
[OpenSSL][3] 可以生成免费的 SSL/TLS 证书,或者你也可以从根证书颁发机构购买。过去,生成自签发证书十分简单而且通用,但是由于安全被日益重视,大部分的邮箱客户端是不信任自签发证书的,除非手动设置。
如果你只是自己使用或者做做测试,那就使用自签发证书省点钱吧。但是如果很多人或者客户也需要使用的话,那最好还是从受信任的根证书颁发机构购买。
总之Linux 系统里的 OpenSSL 工具需要一个证书来生成凭证签发请求文件CSR
```
`$ openssl req -new -newkey rsa:2048 -nodes -keyout mail.mydomain.key -out mail.mydomain.csr`
```
这个命令会为你想保护的服务同时生成一个新的 CSR 文件和一个私匙。它会询问你一些证书相关的问题路径服务器的完整网络域名邮件联系信息等等。当你输入完这些信息后密匙和CSR文件就生成完毕了。
#### 如果你想生成自签发证书
如果你想要生成自签发证书的话,在运行以上 CSR 命令之前,你必须先创建一个[自签发证书机构][4]。
```
`$ openssl genrsa -des3 -out myCA.key 2048`
```
命令行会提示你输入密码。请输入一个复杂点的密码而且不要弄丢了,因为这将会是自签发证书机构的密码,并且决定了其签发证书的受信任度。
接下来,生成自签发证书机构:
```
`$ openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem`
```
在回答完一些问题后你就拥有一个有效期为5年的自签发证书机构了。
用之前生成的 CSR 文件,你可以向刚生成的自签发证书机构请求生成一个新的证书。
```
`$ openssl x509 -req -in mail.mydomain.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out mail.mydomain.pem -days 1825 -sha256`
```
输入自签发证书机构的密码来生成和签发证书。
现在你还需要两个文件来设置你的邮箱服务安全:私匙文件 **mail.mydomain.key** 和证书文件 **mail.mydomain.pem**
#### 如果你愿意购买证书
If you purchase a certificate from a vendor, it will ask you to upload that CSR to its system, as it is used as the input to generate the SSL/TLS certificate. The certificate will be accessible as a file (such as **mail.mydomain.pem**). Many SSL vendors also require you to download an intermediate certificate. If this is the case, you must combine the two certificate files into one, so the email service can process them both in combination. You can combine your certificate with a third-party intermediate certificate with:
如果你愿意从机构购买证书,则需要上传 CSR 文件到机构的系统中,它将会被用于生成 SSL/TLS 证书。证书可作为文件下载,比如 **mail.mydomain.pem**。很多SSL机构也需要你下载一个中间证书。这样的话你必须把这个两个证书合并称一个邮件服务才能够正常运行。可以使用以下命令把你的证书和第三方中间证书合并在一起
```
`$ cat mail.mydomain.pem gd_bundle-g2-g1.crt > mail.mydomain.pem`
```
值得一提的是 **.pem** 文件后缀代表隐私增强邮件。
Now you have the two files you need to configure your email services for enhanced security: the private key file, **mail.mydomain.key**, and the public combined certificate file, **mail.mydomain.pem**.
现在你就有全部的设置邮箱服务安全所需文件了:私匙文件 **mail.mydomain.key** 和证书文件 **mail.mydomain.pem**
### 为你的文件生成一个安全的文件夹
不管你是的证书是自签发的或者从机构购买,你都需要生成一个安全的,管理员权限级别的文件夹用于保存这两个文件。可以使用以下命令来生成:
```
$ mkdir /etc/pki/tls
$ chown root:root /etc/pki/tls
$ chmod 700 /etc/pki/tls
```
在复制文件到 **/etc/pki/tls** 后,再次设置这些文件的权限:
```
`$ chmod 600 /etc/pki/tls/*`
```
### 配置你的 SMTP 和 IMAP 服务
接下来,让 SMTP 和 IMAP 服务使用新的安全证书。我们用 **postfix** and **dovecot** 来作为例子。
Edit ***/_****etc****_/*****postfix/main.cf** in your preferred text editor. Add the following lines:
用你顺手的编辑器来编辑 ***/_etc_/postfix/main.cf** 文件。添加以下几行:
```
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/pki/tls/mail.mydomain.pem
smtpd_tls_key_file = /etc/pki/tls/mail.mydomain.key
```
### 自定义选项
以下选项可以启用或禁用各种加密算法,协议等等:
```
smtpd_tls_eecdh_grade = strong
smtpd_tls_protocols= !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols= !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_security_level=may
smtpd_tls_ciphers = high
tls_preempt_cipherlist = yes
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
smtpd_tls_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
```
**/etc/dovecot/dovecot.conf** 文件添加以下三行:
```
ssl = required
ssl_cert = </etc/pki/tls/mail.mydomain.pem
ssl_key = </etc/pki/tls/mail.mydomain.key
```
添加更多选项来启用或禁用各种加密算法,协议等等(可选):
```
ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:ALL:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SSLv2
ssl_prefer_server_ciphers = yes
ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
ssl_min_protocol = TLSv1.2
```
### 安全增强式Linux上下文设置
如果使用安全增强式Linux发行版你需要给新证书文件配置正确的安全上下文。
Postfix SELinux 用户:
```
`$ chcon -u system_u -t cert_t mail.mydomain.*`
```
Dovecot SELinux 用户:
```
`$ chcon -u system_u -t dovecot_cert_t mail.mydomain.*`
```
Restart both services and connect with your updated email client configurations. Some email clients will auto-detect the new port numbers; others will require you to update them.
重启这些服务,然后联接上更新后的邮箱客户端。有些邮箱客户端会自动探测到新的端口,有些则需要你手动升级。
### 测试
**openssl** 命令行和 **s_client** 插件来简单测试一下:
```
$ openssl s_client -connect mail.mydomain.com:993
$ openssl s_client -starttls imap -connect mail.mydomain.com:143
$ openssl s_client -starttls smtp -connect mail.mydomain.com:587
```
These test commands will show a plethora of data about the connection, certificate, cipher, session, and protocol you're using. This is not only a good way to validate that the new configuration is working but also to confirm you're using the appropriate certificate and security settings you defined in the **postfix** or **dovecot** configuration files.
这些测试命令会打印出很多信息,关于你使用的联接,证书,加密算法,会话和协议。这不仅是一个验证新设置的好方法,也可以检查你是否使用了适当的证书,以及 **postfix** 或者 **dovecot** 配置文件里的安全设置是否生效。
Stay secure!
保持安全!
--------------------------------------------------------------------------------
via: https://opensource.com/article/20/4/securing-linux-email
作者:[Marc Skinner][a]
选题:[lujun9972][b]
译者:[Acceleratorrrr](https://github.com/Acceleratorrrr)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://opensource.com/users/marc-skinner
[b]: https://github.com/lujun9972
[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/newsletter_email_mail_web_browser.jpg?itok=Lo91H9UH (email or newsletters via inbox and browser)
[2]: https://opensource.com/article/19/11/internet-security-tls-ssl-certificate-authority
[3]: https://www.openssl.org/
[4]: https://en.wikipedia.org/wiki/Root_certificate
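Review bot: several English source paragraphs were left in place next to their translations instead of being replaced, so the translated file currently contains both versions of the same text: the lines starting `If you purchase a certificate from a vendor, ...`, `Now you have the two files you need ...`, `Edit ***/_****etc****_/*****postfix/main.cf** ...`, `Restart both services ...`, `These test commands will show ...` and `Stay secure!` should be deleted, keeping only the Chinese lines that follow each of them. The translated editor instruction keeps mangled bold markup, `***/_etc_/postfix/main.cf**`, which should read `**/etc/postfix/main.cf**`. Three sentences invert or lose the source meaning and should be re-checked against the English: `总之Linux 系统里的 OpenSSL 工具需要一个证书来生成凭证签发请求文件CSR` (the source says you use OpenSSL to create the CSR, not that OpenSSL needs a certificate to do so), `现在你还需要两个文件来设置你的邮箱服务安全` (the source says you now have the two files, not that you still need two more), and `有些则需要你手动升级` (the source says clients may need the port numbers updated, not upgraded). The `cat mail.mydomain.pem gd_bundle-g2-g1.crt > mail.mydomain.pem` command is copied verbatim and still truncates its own input before reading it; the translation would be a good place to add a note recommending a different output filename.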