
sendmail + saslauthd = STARTTLS + user authentication setup

By 때찌때찌맴매 - December 07, 2017

[ sendmail + saslauthd = STARTTLS + user authentication setup ]

** A managed-service customer asked us to set up their mail server so that it could authenticate over SSL. What follows is the configuration as it stood after that work.


** Package installation
yum install -y sendmail* cyrus-sasl*

** sendmail configuration
[root@cm mail]# vi /etc/mail/sendmail.mc

define(`confLOG_LEVEL', `14')dnl ==> verbose logging; useful while debugging TLS/AUTH, lower it again afterwards

TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl    ==> clients that authenticated with one of these mechanisms are allowed to relay
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl ==> mechanisms sendmail is willing to offer; with saslauthd only LOGIN and PLAIN are actually usable (see the Sendmail.conf step below)

define(`confCACERT_PATH', `/etc/mail/certs')dnl   ==> directory of CA certificates
define(`confCACERT', `/etc/mail/certs/AddTrustExternalCARoot.crt')dnl  ==> CA certificate file (the AddTrust root). The server certificate here is issued by the COMODO intermediate CA, not by the root directly, so that intermediate certificate should be in this file as well; otherwise the full chain is not sent to clients (this is what the s_client output further down shows)
define(`confSERVER_CERT', `/etc/mail/certs/xx_xxxxxx_co_kr.crt')dnl ==> server certificate
define(`confSERVER_KEY', `/etc/mail/certs/xx_xxxxxx_co_kr_SHA256WITHRSA.key')dnl ==> server private key (not a certificate; must be readable by root only)

DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0 Name=MTA')dnl ==> plain port 25, STARTTLS offered
DAEMON_OPTIONS(`Port=submission,Addr=0.0.0.0 Name=MSA, M=Ea')dnl  ==> submission port 587 in addition to 25; M=Ea disables ETRN and requires AUTH. Optional
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl ==> port 465; M=s means implicit TLS (SMTPS, TLS from the first byte, no STARTTLS command). This is the port the PHP test below connects to

Two things worth adding here. LOGIN and PLAIN transmit the password in the clear unless the session is already encrypted, and sendmail only withholds them on unencrypted connections when confAUTH_OPTIONS contains the p flag. The 1024-bit Diffie-Hellman group that appears later in the logs ("key=1024 bit (1)") is sendmail's built-in default; confDH_PARAMETERS can point at a file holding a 2048-bit group generated with openssl dhparam.

[root@cm mail]# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf          ==> regenerate sendmail.cf

[root@cm mail]# vi /etc/mail/sendmail.cf
O Timeout.starttls=1h   ==> uncomment. This edit is lost the next time sendmail.cf is regenerated from sendmail.mc; the persistent equivalent is define(`confTO_STARTTLS', `1h')dnl in sendmail.mc

** Create the certificate directory and set permissions
**** The most important step!! If you configure everything else and then skip the permissions on the certificates (directory included), you will waste hours.... ****
[root@cm mail]# mkdir /etc/mail/certs
[root@cm mail]# cp -arp {certificate path} /etc/mail/certs/
[root@cm mail]# chmod 600 -R /etc/mail/certs
What sendmail actually checks is that no directory on the path is group- or world-writable, that the private key is owned by root (or its RunAsUser) and is not readable by group or others, and that the files are regular files. A recursive 600 on a root-owned tree satisfies that; it also strips the execute bit from the directory, which only root can then traverse, and since the sendmail daemon runs as root it still works. A cleaner layout is 700 on the directory, 600 on the key and 644 on the certificates. Be aware that cp -p preserves the source's owner: if the files were uploaded by a non-root account, chown them to root as well, or sendmail will refuse the key.

** saslauthd configuration
[root@cm mail]# vi /etc/sysconfig/saslauthd   

# Directory in which to place saslauthd's listening socket, pid file, and so
# on. This directory must already exist.
SOCKETDIR=/var/run/saslauthd

# Mechanism to use when checking passwords. Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled with the ability to use.
MECH=pam   ==> authenticate users through PAM (on RHEL/CentOS this is the "smtp" PAM service, /etc/pam.d/smtp, so the mail accounts are ordinary system accounts)

# Options sent to the saslauthd. If the MECH is other than "pam" uncomment the next line.
# DAEMONOPTS=--user saslauth

# Additional flags to pass to saslauthd on the command line. See saslauthd(8)
# for the list of accepted flags.
FLAGS=

If these are already the defaults, just leave them. cyrus-sasl also ships testsaslauthd, which checks a username and password against the running saslauthd without involving sendmail; try it first when AUTH fails.

vi /etc/sasl2/Sendmail.conf

pwcheck_method:saslauthd
mech_list:LOGIN PLAIN ==> insert. "pwcheck_method:saslauthd" is usually already there; if not, enter both lines. saslauthd can only verify a plaintext password, so only LOGIN and PLAIN work here regardless of the longer list in confAUTH_MECHANISMS; this is why the log below reports "available mech=LOGIN PLAIN", and why these mechanisms must only be used inside TLS.

** Restart sendmail and saslauthd
[root@cm mail]# /etc/init.d/sendmail restart
[root@cm mail]# /etc/init.d/saslauthd restart

** Log after restarting sendmail
[ Normal log ]
Jul 19 14:36:02 cm sendmail[10822]: NOQUEUE: stopping daemon, reason=signal
Jul 19 14:36:02 cm sendmail[11019]: starting daemon (8.14.4): SMTP+queueing@01:00:00
Jul 19 14:36:02 cm sendmail[11019]: STARTTLS: CRLFile missing
Jul 19 14:36:02 cm sm-msp-queue[11027]: starting daemon (8.14.4): queueing@01:00:00
Jul 19 14:36:03 cm sendmail[11019]: STARTTLS=server, Diffie-Hellman init, key=1024 bit (1)
Jul 19 14:36:03 cm sendmail[11019]: STARTTLS=server, init=1
Jul 19 14:36:03 cm sendmail[11019]: started as: /usr/sbin/sendmail -bd -q1h
[ Error log ]
Jul 19 13:31:08 cm sendmail[6837]: NOQUEUE: stopping daemon, reason=signal
Jul 19 13:31:08 cm sendmail[8925]: starting daemon (8.14.4): SMTP+queueing@01:00:00
Jul 19 13:31:08 cm sendmail[8925]: STARTTLS: CRLFile missing
Jul 19 13:31:08 cm sendmail[8925]: STARTTLS=server: file /etc/mail/certs/COMODORSADomainValidationSecureServerCA.crt unsafe: World writable directory
Jul 19 13:31:08 cm sendmail[8925]: started as: /usr/sbin/sendmail -bd -q1h
Jul 19 13:31:08 cm sm-msp-queue[8933]: starting daemon (8.14.4): queueing@01:00:00
- Permissions problem on the certificate directory. This is what you get if the permission step above is skipped. Note that the error log has no "STARTTLS=server, init=1" line: the daemon starts, but without TLS. "STARTTLS: CRLFile missing" appears in both logs and is only informational: no certificate revocation list was configured (confCRL).
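The checks behind that error can be scripted. The following is an added example written for this page, not code from the original post: it reproduces sendmail's safe-file conditions on the key and certificate paths, verifies that the key belongs to the certificate, and checks that the file named by confCACERT can actually build the certificate's chain. It assumes GNU coreutils and the openssl CLI; the file names in the usage comment are placeholders for the redacted ones above.

```bash
#!/bin/bash
# Added example, written for this page; it is not code from the original post.
# It reproduces the conditions sendmail applies to ServerKeyFile/ServerCertFile
# before using them (the "unsafe: World writable directory" failure above) and
# then checks that key, certificate and the confCACERT file fit together.
# Assumes GNU coreutils (stat, readlink, dirname) and the openssl CLI.

# Fail if any directory from FILE's parent up to TRUST_ROOT (default "/") is
# group- or world-writable. sendmail walks the whole path like this; by default
# it does not even accept a sticky world-writable directory such as /tmp
# (DontBlameSendmail=TrustStickyBit would relax that).
safe_dir_path() {
    local file trust_root dir perm
    file=$(readlink -f "$1") || return 1
    trust_root=$(readlink -f "${2:-/}") || return 1
    dir=$(dirname "$file")
    while :; do
        perm=$(stat -c '%a' "$dir") || return 1
        perm=$(printf '%04d' "$perm"); perm=${perm#?}   # rwx digits only
        if [ $(( 0$perm & 022 )) -ne 0 ]; then
            echo "unsafe: $dir is group/world writable (mode $perm)" >&2
            return 1
        fi
        [ "$dir" = "$trust_root" ] && break
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return 0
}

# The private key must be a regular file readable by its owner only; sendmail
# rejects a group- or world-readable key unless
# DontBlameSendmail=GroupReadableKeyFile is set.
key_perms_ok() {
    local perm
    [ -f "$1" ] || { echo "not a regular file: $1" >&2; return 1; }
    perm=$(stat -c '%a' "$1") || return 1
    perm=$(printf '%04d' "$perm"); perm=${perm#?}
    if [ $(( 0$perm & 077 )) -ne 0 ]; then
        echo "unsafe: $1 is accessible by group/others (mode $perm)" >&2
        return 1
    fi
    return 0
}

# The public key in the certificate must be the one derived from the private
# key. Comparing public keys rather than RSA moduli also covers EC keys.
key_matches_cert() {
    local from_key from_cert
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# confCACERT has to let OpenSSL build the complete chain for the server
# certificate. If the leaf was issued by an intermediate CA, that intermediate
# must be in this file (or under confCACERT_PATH); otherwise clients see
# "unable to verify the first certificate", as in the s_client output below.
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run all checks: audit_mail_certs KEY CERT CAFILE [TRUST_ROOT]
audit_mail_certs() {
    local key="$1" cert="$2" cafile="$3" trust_root="${4:-/}" rc=0
    safe_dir_path "$key" "$trust_root" && echo "ok: directory path of $key" || rc=1
    safe_dir_path "$cert" "$trust_root" && echo "ok: directory path of $cert" || rc=1
    key_perms_ok "$key" && echo "ok: key permissions" || rc=1
    if key_matches_cert "$key" "$cert"; then echo "ok: key matches certificate"
    else echo "FAIL: $key does not belong to $cert"; rc=1; fi
    if chain_ok "$cert" "$cafile"; then echo "ok: chain verifies against $cafile"
    else echo "FAIL: $cafile cannot verify $cert (intermediate CA missing?)"; rc=1; fi
    return "$rc"
}

# Example invocation with placeholder names (the real ones are redacted above):
#   audit_mail_certs /etc/mail/certs/server.key /etc/mail/certs/server.crt /etc/mail/certs/ca-chain.crt
if [ "$#" -eq 3 ] || [ "$#" -eq 4 ]; then
    audit_mail_certs "$@"
fi
```

Run it as root after copying the files; every line should start with "ok:". The chain check is the one that would have caught the missing COMODO intermediate before any client complained.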

** Check with telnet
[root@cm mail]# telnet xx.xxxxxx.co.kr 25
Trying 115.xx.xxx.xxx...
Connected to xx.xxxxxx.co.kr.
Escape character is '^]'.
220 xx.xxxxxx.co.kr ESMTP Sendmail 8.14.4/8.14.4; Wed, 19 Jul 2017 14:51:39 +0900
ehlo localhost  ==> type this command to list what the server offers
250-xx.xxxxxx.co.kr Hello [115.xx.xxx.xxx], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN    ==> user authentication offered
250-STARTTLS   ==> STARTTLS offered (the session can be upgraded to TLS)
250-DELIVERBY
250 HELP

Both lines appear in the same unencrypted EHLO reply on port 25, so a client that chooses not to issue STARTTLS can still send LOGIN/PLAIN credentials in the clear. With confAUTH_OPTIONS set to include p, sendmail would advertise AUTH only after STARTTLS, which is the behaviour to expect on a hardened server.

** Mail test
PHP mail test source (PHPMailer 5.x API)

<?php

$smtp_mail_id = "SMTP account";
$smtp_mail_pw = "password";
$to_email = "recipient address";
$to_name = "recipient name";
$from_name = "sender name";
$from_email = "sender address";
$smtp_use = 'xx.xxxxxx.co.kr';
$title = "Server mail test.";
$content = "Server mail test..";

// load the mailer
require_once("./class.smtp.php");
require_once("./class.phpmailer.php");

$mail = new PHPMailer(true); // true: throw exceptions instead of returning false
$mail->IsSMTP();
try {
  $mail->Host = $smtp_use; // server to send through
  $mail->SMTPAuth = true; // use SMTP authentication
  $mail->CharSet = 'utf-8';

  $mail->Port = 465; // the smtps (implicit TLS) daemon configured with M=s above
  $mail->SMTPSecure = "ssl"; // TLS from the first byte; use "tls" with port 587 for STARTTLS instead
  // PHP >= 5.6 verifies the server certificate against the system CA bundle by default,
  // so the server has to send its full chain (intermediate CA included) or this fails.
  $mail->Username = $smtp_mail_id; // account
  $mail->Password = $smtp_mail_pw; // password

  $mail->SetFrom($from_email, $from_name); // sender address and display name (name is optional)
  $mail->AddAddress($to_email, $to_name); // recipient address and display name (name is optional)

  $mail->Subject = $title; // subject
  $mail->MsgHTML($content); // body (HTML or plain text)
  $mail->Send(); // actually send the message

  $ok_msg = iconv('utf-8','euc-kr','Mail sent.');
  echo "<script>alert('".$ok_msg."');</script>";

} catch (phpmailerException $e) {
  echo $e->errorMessage();
} catch (Exception $e) {
  echo $e->getMessage();
}

?>

** Test from the console with openssl
[root@cm mail]# openssl s_client -host cm.aumlee.co.kr -port 465   ==> same idea as the telnet test, but through TLS. Port 465 is implicit TLS, so no -starttls smtp is needed here (it would be on 25 or 587)
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = "Hosted by Korea Information Certificate Authority, Inc.", OU = PositiveSSL, CN = xx.xxxxxx.co.kr
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = "Hosted by Korea Information Certificate Authority, Inc.", OU = PositiveSSL, CN = xx.xxxxxx.co.kr
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = "Hosted by Korea Information Certificate Authority, Inc.", OU = PositiveSSL, CN = xx.xxxxxx.co.kr
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Hosted by Korea Information Certificate Authority, Inc./OU=PositiveSSL/CN=xx.xxxxxx.co.kr
  i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFlTCCBH2gAwIBAgIRAKypsELizD0ZoyKs7S3XU5IwDQYJKoZIhvcNAQELBQAw
gZAxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTYwNAYD
... (omitted)
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=Hosted by Korea Information Certificate Authority, Inc./OU=PositiveSSL/CN=xx.xxxxxx.co.kr
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
Acceptable client certificate CA names
/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 2564 bytes and written 449 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
  Protocol : TLSv1.2
  Cipher : DHE-RSA-AES256-GCM-SHA384
... (omitted)
  Start Time: 1500445618
  Timeout : 300 (sec)
  Verify return code: 21 (unable to verify the first certificate)     ===> the handshake itself succeeded (TLSv1.2, DHE-RSA-AES256-GCM-SHA384), so the mail test below can proceed. Code 21 is not a clean result, though: the chain above holds only the server certificate (depth 0), whose issuer is the COMODO intermediate CA, and the server never sent that intermediate. s_client was also run without -CAfile, so even the root is untrusted here. The usual fix on sendmail 8.14 is to include the intermediate certificate in the file named by confCACERT, after which OpenSSL completes the served chain from it; re-test with -CAfile pointing at the AddTrust root and expect "Verify return code: 0 (ok)".

220 xx.xxxxxx.co.kr ESMTP Sendmail 8.14.4/8.14.4; Wed, 19 Jul 2017 15:26:58 +0900
mail from : test@xx.xxxxxx.co.kr
250 2.1.0 test@xx.xxxxxx.co.kr... Sender ok
rcpt to : hoguinside@naver.com
250 2.1.5 hoguinside@naver.com... Recipient ok
data
354 Enter mail, end with "." on a line by itself
test
test
test
.
250 2.0.0 v6J6Qw4O012558 Message accepted for delivery

Note that this session never issued an AUTH command and the message to an external domain was still accepted. It was typed on the server itself, so it does not demonstrate that outside clients are forced to authenticate; repeat the same commands from an unrelated address and expect "550 5.7.1 ... Relaying denied" until AUTH has been performed.
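Both the telnet EHLO check and the manual openssl session above can be scripted, and the script can also do the one thing the manual session skipped: authenticate. The following is an added example written for this page, not code from the original post. ehlo_verdict inspects an EHLO reply offline and flags LOGIN/PLAIN being offered on an unencrypted session; smtp_auth_check runs a real AUTH PLAIN through openssl s_client. It assumes coreutils, sed, grep and the openssl CLI; host names, account and password are placeholders.

```bash
#!/bin/bash
# Added example, written for this page; it is not code from the original post.
# ehlo_verdict judges an EHLO reply offline (does the server offer LOGIN/PLAIN
# while the session is still cleartext?); smtp_auth_check performs a real
# AUTH PLAIN through openssl s_client. Assumes coreutils base64, sed, grep and
# the openssl CLI. Host names, account and password are placeholders.

# Capability keywords of an EHLO reply: drop the "250-" / "250 " prefixes,
# ignore the 220 greeting and anything else.
ehlo_keywords() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^250[- ]//p'
}

# Mechanisms advertised on the AUTH line, e.g. "LOGIN PLAIN" on this server.
# Also accepts the old "AUTH=LOGIN PLAIN" spelling.
ehlo_auth_mechs() {
    ehlo_keywords "$1" | sed -n 's/^AUTH[ =]//p'
}

# ehlo_verdict REPLY ENCRYPTED  (ENCRYPTED=1 when the reply was received over
# TLS already: port 465, or after STARTTLS). Returns 0 when acceptable.
# LOGIN and PLAIN carry the password unprotected, so they are only acceptable
# inside TLS; sendmail enforces that when confAUTH_OPTIONS contains "p".
ehlo_verdict() {
    local reply="$1" encrypted="${2:-0}" mechs tls=0 pw=0
    ehlo_keywords "$reply" | grep -q '^STARTTLS' && tls=1
    mechs=$(ehlo_auth_mechs "$reply")
    case " $mechs " in *" LOGIN "*|*" PLAIN "*) pw=1 ;; esac
    if [ "$encrypted" -eq 1 ]; then
        if [ "$pw" -eq 1 ]; then
            echo "ok: password mechanisms ($mechs) offered inside an encrypted session"
            return 0
        fi
        echo "warn: session is encrypted but no password mechanism is offered"
        return 1
    fi
    if [ "$pw" -eq 1 ]; then
        echo "risk: LOGIN/PLAIN advertised on the cleartext session (STARTTLS offered: $tls); a client may send the password in clear"
        return 1
    fi
    if [ "$tls" -eq 1 ]; then
        echo "ok: STARTTLS offered, password mechanisms withheld until the session is encrypted"
        return 0
    fi
    echo "risk: neither STARTTLS nor AUTH offered"
    return 1
}

# AUTH PLAIN initial response: base64 of "\0username\0password" (RFC 4616,
# authorization identity left empty).
auth_plain_token() {
    printf '\0%s\0%s' "$1" "$2" | base64 | tr -d '\n'
}

# smtp_auth_check HOST PORT USER PASSWORD: TLS first (STARTTLS on 25/587,
# implicit TLS on 465), a fresh EHLO as RFC 3207 requires after STARTTLS,
# then AUTH PLAIN. Succeeds only on a "235 ..." reply. -quiet implies
# -ign_eof, so s_client keeps reading until the server answers QUIT.
smtp_auth_check() {
    local host="$1" port="$2" token tlsopt
    token=$(auth_plain_token "$3" "$4")
    case "$port" in 465) tlsopt="" ;; *) tlsopt="-starttls smtp" ;; esac
    printf 'EHLO probe.example\r\nAUTH PLAIN %s\r\nQUIT\r\n' "$token" |
        openssl s_client -connect "$host:$port" $tlsopt -quiet 2>/dev/null |
        grep -q '^235 '
}

# Example invocation with placeholders:
#   smtp_auth_check mail.example.com 587 user@example.com 'secret'
if [ "$#" -eq 4 ]; then
    if smtp_auth_check "$@"; then echo "AUTH PLAIN accepted"; else echo "AUTH PLAIN rejected or TLS failed"; fi
fi
```

Feed ehlo_verdict the EHLO reply captured with telnet on port 25 and ENCRYPTED=0: with the configuration on this page it reports a risk, because AUTH LOGIN PLAIN and STARTTLS are advertised together before any encryption. The same reply captured after STARTTLS, or on port 465, is judged with ENCRYPTED=1 and passes.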


** Send log. Confirmed normal
[ Normal send log ]

Jul 19 14:50:49 cm sendmail[11761]: NOQUEUE: connect from [115.xx.xxx.xxx]
Jul 19 14:50:49 cm sendmail[11761]: AUTH: available mech=LOGIN PLAIN, allowed mech=EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
Jul 19 14:50:49 cm sendmail[11761]: v6J5on71011761: Milter: no active filter
Jul 19 14:50:49 cm sendmail[11761]: STARTTLS=server, relay=[115.xx.xxx.xxx], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-GCM-SHA384, bits=256/256
Jul 19 14:50:49 cm sendmail[11761]: STARTTLS=server, cert-subject=, cert-issuer=, verifymsg=ok
Jul 19 14:50:49 cm sendmail[11761]: AUTH: available mech=LOGIN PLAIN, allowed mech=EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
Jul 19 14:50:49 cm sendmail[11761]: AUTH=server, relay=[115.xx.xxx.xxx], authid=xxxxxxxxx@xx.xxxxxx.co.kr, mech=LOGIN, bits=0
Jul 19 14:50:49 cm sendmail[11761]: v6J5on71011761: from=, size=876, class=0, nrcpts=1, msgid=<68d3d47a954e5b85425017e349f44ae6@cm.aumlee.co.kr>, proto=ESMTP, daemon=TLSMTA, relay=[115.xx.xxx.xxx]
Jul 19 14:50:49 cm sendmail[11763]: v6J5on71011761: SMTP outgoing connect on [115.xx.xxx.xxx]
Jul 19 14:50:49 cm sendmail[11763]: STARTTLS: ClientCertFile missing
Jul 19 14:50:49 cm sendmail[11763]: STARTTLS: ClientKeyFile missing
Jul 19 14:50:49 cm sendmail[11763]: STARTTLS: CRLFile missing
Jul 19 14:50:49 cm sendmail[11763]: STARTTLS=client, init=1
Jul 19 14:50:49 cm sendmail[11763]: STARTTLS=client, start=ok
Jul 19 14:50:49 cm sendmail[11763]: STARTTLS=client, relay=mx2.naver.com., version=TLSv1/SSLv3, verify=OK, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
Jul 19 14:50:49 cm sendmail[11763]: STARTTLS=client, cert-subject=/C=KR/postalCode=13561/ST=Gyeonggi-do/L=Seongnam-si/O=NAVER+20Corp./OU=Information+20Security+20Team/OU=Hosted+20by+20Korea+20Information+20Certificate+20Authority,+20Inc./OU=Unified+20Communications/CN=mail.naver.com, cert-issuer=/C=GB/ST=Greater+20Manchester/L=Salford/O=COMODO+20CA+20Limited/CN=COMODO+20RSA+20Organization+20Validation+20Secure+20Server+20CA, verifymsg=ok
Jul 19 14:50:49 cm sendmail[11763]: v6J5on71011761: to=, ctladdr= (514/514), delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=120876, relay=mx2.naver.com. [125.209.238.137], dsn=2.0.0, stat=Sent (OK EPcdYHmZSTK2BKWSkYyj0g - nsmtp)
Jul 19 14:50:49 cm sendmail[11763]: v6J5on71011761: done; delay=00:00:00, ntries=1
Jul 19 14:50:49 cm sendmail[11763]: STARTTLS=client, SSL_shutdown failed: -1
- Reading this log: the incoming leg (pid 11761) ran inside TLS (daemon=TLSMTA, cipher DHE-RSA-AES256-GCM-SHA384, verify=NO only because the client presented no certificate) and the user authenticated with LOGIN inside that session (AUTH=server ... mech=LOGIN). The outgoing leg (pid 11763) negotiated STARTTLS with mx2.naver.com and verified its certificate (verify=OK). "ClientCertFile missing" and "ClientKeyFile missing" only mean that no client certificate was configured (confCLIENT_CERT / confCLIENT_KEY), which is not needed here, and "SSL_shutdown failed: -1" means the remote side closed the connection without a TLS close_notify, harmless after the message was accepted.


** tcpdump check
[root@cm mail]# tcpdump -A '(src host 115.xx.xxx.xxx and dst port 25) or (dst host 115.xx.xxx.xxx and src port 25 )'

E.....@.3...}...sDrz.......#.G.f...r4......
...D.b..250-mx.naver.com Pleased to meet you
250-SIZE 41943040
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 ENHANCEDSTATUSCODES

15:32:55.840996 IP 115.xx.xxx.xxx.57773 > mx3.naver.com.smtp: Flags [P.], seq 23:33, ack 182, win 115, options [nop,nop,TS val 23263012 ecr 350875460], length 10
E..>;a@.@...sDrz}........G.f.......sA......
.b.$...DSTARTTLS

15:32:55.844716 IP mx3.naver.com.smtp > 115.xx.xxx.xxx.57773: Flags [P.], seq 182:243, ack 33, win 114, options [nop,nop,TS val 350875466 ecr 23263012], length 61
E..q..@.3...}...sDrz.........G.p...r.......
...J.b.$220 2.0.0 Ready to start TLS QOMq+FWTSAmCLRMKTcK2QQ - nsmtp
.... (omitted)
- Everything after "220 2.0.0 Ready to start TLS" is ciphertext, so the message body is no longer readable on the wire; the cleartext part of the capture is exactly the EHLO exchange and the STARTTLS command.
