[ sendmail + saslauthd = starttls + 사용자 인증 구성 ]
** 매니지드 서비스를 하고 있는 고객 mail 서버에 ssl 인증할 수 있도록 구성 요청이 들어 왔습니다.해당 작업 후 구성 내용들 입니다.
** 패키지설치
yum install -y sendmail* cyrus-sasl*
** sendmail 설정
[root@cm mail]# vi /etc/mail/sendmail.mc define(`confLOG_LEVEL', `14')dnl ==> 자세한 로그 분석 TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl ==> 사용자 인증 관련 define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl ==> 사용자 인증 관련 define(`confCACERT_PATH', `/etc/mail/certs')dnl ==>ssl 인증서 경로 define(`confCACERT', `/etc/mail/certs/AddTrustExternalCARoot.crt')dnl ==>CAroot.crt 인증서 define(`confSERVER_CERT', `/etc/mail/certs/xx_xxxxxx_co_kr.crt')dnl ==> server.crt 인증서 define(`confSERVER_KEY', `/etc/mail/certs/xx_xxxxxx_co_kr_SHA256WITHRSA.key')dnl ==> server.key 인증서 DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0 Name=MTA')dnl ==> 기본 25port DAEMON_OPTIONS(`Port=submission,Addr=0.0.0.0 Name=MSA, M=Ea')dnl => 25 대신 587 오픈. 안해도 무방 DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl ==> 465 port starttls 사용포트 [root@cm mail]# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf ==> sendmail.cf 재생성 [root@cm mail]# vi /etc/mail/sendmail.cf O Timeout.starttls=1h ==> 주석해제
** 인증서 경로 디렉토리 생성 및 권한 할당
**** 제일 중요!! 열심히 설정하고 인증서 권한 할당(디렉토리 포함) 안하면 삽질합니다.... ****
[root@cm mail]# mkdir /etc/mail/certs [root@cm mail]# cp -arp {인증서path} /etc/mail/certs/ [root@cm mail]# chmod 600 -R /etc/mail/certs
** saslauthd 설정
[root@cm mail]# vi /etc/sysconfig/saslauthd
# Directory in which to place saslauthd's listening socket, pid file, and so
# on. This directory must already exist.
SOCKETDIR=/var/run/saslauthd
# Mechanism to use when checking passwords. Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled with the ablity to use.
MECH=pam ==> 사용자 인증 pam으로 사용
# Options sent to the saslauthd. If the MECH is other than "pam" uncomment the next line.
# DAEMONOPTS=--user saslauth
# Additional flags to pass to saslauthd on the command line. See saslauthd(8)
# for the list of accepted flags.
FLAGS=
기본 적용되있으면 그냥 두면됨
vi /etc/sasl2/Sendmail.conf
pwcheck_method:saslauthd
mech_list:LOGIN PLAIN ==> 삽입. "pwcheck_method:saslauthd" 내용은 입력 되어 있음. 없다면 해당 내용 두 줄 입력
** sendmail, saslauthd 재시작
[root@cm mail]# /etc/init.d/sendmail restart [root@cm mail]# /etc/init.d/saslauthd restart
** sendmail 재시작 후 로그 상태
[ 정상 로그 ] Jul 19 14:36:02 cm sendmail[10822]: NOQUEUE: stopping daemon, reason=signal Jul 19 14:36:02 cm sendmail[11019]: starting daemon (8.14.4): SMTP+queueing@01:00:00 Jul 19 14:36:02 cm sendmail[11019]: STARTTLS: CRLFile missing Jul 19 14:36:02 cm sm-msp-queue[11027]: starting daemon (8.14.4): queueing@01:00:00 Jul 19 14:36:03 cm sendmail[11019]: STARTTLS=server, Diffie-Hellman init, key=1024 bit (1) Jul 19 14:36:03 cm sendmail[11019]: STARTTLS=server, init=1 Jul 19 14:36:03 cm sendmail[11019]: started as: /usr/sbin/sendmail -bd -q1h
[ 에러 로그 ] Jul 19 13:31:08 cm sendmail[6837]: NOQUEUE: stopping daemon, reason=signal Jul 19 13:31:08 cm sendmail[8925]: starting daemon (8.14.4): SMTP+queueing@01:00:00 Jul 19 13:31:08 cm sendmail[8925]: STARTTLS: CRLFile missing Jul 19 13:31:08 cm sendmail[8925]: STARTTLS=server: file /etc/mail/certs/COMODORSADomainValidationSecureServerCA.crt unsafe: World writable directory Jul 19 13:31:08 cm sendmail[8925]: started as: /usr/sbin/sendmail -bd -q1h Jul 19 13:31:08 cm sm-msp-queue[8933]: starting daemon (8.14.4): queueing@01:00:00 - 해당 인증서 디렉토리 권한 문제. 위 권한 설정 진행하지 않으면 발생됨.
** telnet 확인
[root@cm mail]# telnet xx.xxxxxx.co.kr 25 Trying 115.xx.xxx.xxx... Connected to xx.xxxxxx.co.kr. Escape character is '^]'. 220 xx.xxxxxx.co.kr ESMTP Sendmail 8.14.4/8.14.4; Wed, 19 Jul 2017 14:51:39 +0900 ehlo localhost ==> 명령어로 확인 250-xx.xxxxxx.co.kr Hello [115.xx.xxx.xxx], pleased to meet you 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-8BITMIME 250-SIZE 250-DSN 250-ETRN 250-AUTH LOGIN PLAIN ==> 사용자 인증 250-STARTTLS ==> 패킷 암호화 패치 250-DELIVERBY 250 HELP
** mail 테스트
php mail test source
<?php
$smtp_mail_id = "smtp 메일계정";
$smtp_mail_pw = "패스워드";
$to_email = "받는 사람 메일";
$to_name = "받는 사람 이름";
$from_name = "보내는 사람 이름";
$from_email = "보내는 사람 메일";
$smtp_use = 'xx.xxxxxx.co.kr';
$title = "서버 메일테스트입니다.";
$content = "서버 메일테스트입니다..";
//메일러 로딩
require_once("./class.smtp.php");
require_once("./class.phpmailer.php");
$mail = new PHPMailer(true);
$mail->IsSMTP();
try {
$mail->Host = $smtp_use; // email 보낼때 사용할 서버를 지정
$mail->SMTPAuth = true; // SMTP 인증을 사용함
$mail->CharSet = 'utf-8';
$mail->Port = 465; // email 보낼때 사용할 포트를 지정
$mail->SMTPSecure = "ssl"; // SSL을 사용함
$mail->Username = $smtp_mail_id; // 계정
$mail->Password = $smtp_mail_pw; // 패스워드
$mail->SetFrom($from_email, $from_name); // 보내는 사람 email 주소와 표시될 이름 (표시될 이름은 생략가능)
$mail->AddAddress($to_email, $to_name); // 받을 사람 email 주소와 표시될 이름 (표시될 이름은 생략가능)
$mail->Subject = $title; // 메일 제목
$mail->MsgHTML($content); // 메일 내용 (HTML 형식도 되고 그냥 일반 텍스트도 사용 가능함)
$mail->Send(); // 실제로 메일을 보냄
$ok_msg = iconv('utf-8','euc-kr','메일을 전송하였습니다.');
echo "<script>alert('".$ok_msg."');</script>";
} catch (phpmailerException $e) {
echo $e->errorMessage();
} catch (Exception $e) {
echo $e->getMessage();
}
?>
** openssl 로 콘솔에서 테스트
[root@cm mail]# openssl s_client -host cm.aumlee.co.kr -port 465 ==> telnet처럼 openssl 메일 송신 테스트 CONNECTED(00000003) depth=0 OU = Domain Control Validated, OU = "Hosted by Korea Information Certificate Authority, Inc.", OU = PositiveSSL, CN = xx.xxxxxx.co.kr verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 OU = Domain Control Validated, OU = "Hosted by Korea Information Certificate Authority, Inc.", OU = PositiveSSL, CN = xx.xxxxxx.co.kr verify error:num=27:certificate not trusted verify return:1 depth=0 OU = Domain Control Validated, OU = "Hosted by Korea Information Certificate Authority, Inc.", OU = PositiveSSL, CN = xx.xxxxxx.co.kr verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:/OU=Domain Control Validated/OU=Hosted by Korea Information Certificate Authority, Inc./OU=PositiveSSL/CN=xx.xxxxxx.co.kr i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA --- Server certificate -----BEGIN CERTIFICATE----- MIIFlTCCBH2gAwIBAgIRAKypsELizD0ZoyKs7S3XU5IwDQYJKoZIhvcNAQELBQAw gZAxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTYwNAYD . . .(중략) -----END CERTIFICATE----- subject=/OU=Domain Control Validated/OU=Hosted by Korea Information Certificate Authority, Inc./OU=PositiveSSL/CN=xx.xxxxxx.co.kr issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA --- Acceptable client certificate CA names /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root Server Temp Key: DH, 1024 bits --- SSL handshake has read 2564 bytes and written 449 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher : DHE-RSA-AES256-GCM-SHA384 . . . . .(중략) Start Time: 1500445618 Timeout : 300 (sec) Verify return code: 21 (unable to verify the first certificate) === > 인증서 정상적으로 받아온뒤 아래 처럼 메일 테스트 진행 220 xx.xxxxxx.co.kr ESMTP Sendmail 8.14.4/8.14.4; Wed, 19 Jul 2017 15:26:58 +0900 mail from : test@xx.xxxxxx.co.kr 250 2.1.0 test@xx.xxxxxx.co.kr... Sender ok rcpt to : hoguinside@naver.com 250 2.1.5 hoguinside@naver.com... Recipient ok data 354 Enter mail, end with "." on a line by itself test test test . 250 2.0.0 v6J6Qw4O012558 Message accepted for delivery
** 송신 메시지 로그. 정상확인
[ 송신 메시지 정상 로그] Jul 19 14:50:49 cm sendmail[11761]: NOQUEUE: connect from [115.xx.xxx.xxx] Jul 19 14:50:49 cm sendmail[11761]: AUTH: available mech=LOGIN PLAIN, allowed mech=EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN Jul 19 14:50:49 cm sendmail[11761]: v6J5on71011761: Milter: no active filter Jul 19 14:50:49 cm sendmail[11761]: STARTTLS=server, relay=[115.xx.xxx.xxx], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-GCM-SHA384, bits=256/256 Jul 19 14:50:49 cm sendmail[11761]: STARTTLS=server, cert-subject=, cert-issuer=, verifymsg=ok Jul 19 14:50:49 cm sendmail[11761]: AUTH: available mech=LOGIN PLAIN, allowed mech=EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN Jul 19 14:50:49 cm sendmail[11761]: AUTH=server, relay=[115.xx.xxx.xxx], authid=xxxxxxxxx@xx.xxxxxx.co.kr, mech=LOGIN, bits=0 Jul 19 14:50:49 cm sendmail[11761]: v6J5on71011761: from=, size=876, class=0, nrcpts=1, msgid=<68d3d47a954e5b85425017e349f44ae6 cm.aumlee.co.kr="">, proto=ESMTP, daemon=TLSMTA, relay=[115.xx.xxx.xxx] Jul 19 14:50:49 cm sendmail[11763]: v6J5on71011761: SMTP outgoing connect on [115.xx.xxx.xxx] Jul 19 14:50:49 cm sendmail[11763]: STARTTLS: ClientCertFile missing Jul 19 14:50:49 cm sendmail[11763]: STARTTLS: ClientKeyFile missing Jul 19 14:50:49 cm sendmail[11763]: STARTTLS: CRLFile missing Jul 19 14:50:49 cm sendmail[11763]: STARTTLS=client, init=1 Jul 19 14:50:49 cm sendmail[11763]: STARTTLS=client, start=ok Jul 19 14:50:49 cm sendmail[11763]: STARTTLS=client, relay=mx2.naver.com., version=TLSv1/SSLv3, verify=OK, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256 Jul 19 14:50:49 cm sendmail[11763]: STARTTLS=client, cert-subject=/C=KR/postalCode=13561/ST=Gyeonggi-do/L=Seongnam-si/O=NAVER+20Corp./OU=Information+20Security+20Team/OU=Hosted+20by+20Korea+20Information+20Certificate+20Authority,+20Inc./OU=Unified+20Communications/CN=mail.naver.com, cert-issuer=/C=GB/ST=Greater+20Manchester/L=Salford/O=COMODO+20CA+20Limited/CN=COMODO+20RSA+20Organization+20Validation+20Secure+20Server+20CA, verifymsg=ok Jul 19 14:50:49 cm sendmail[11763]: v6J5on71011761: to= , ctladdr= 68d3d47a954e5b85425017e349f44ae6>(514/514), delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=120876, relay=mx2.naver.com. [125.209.238.137], dsn=2.0.0, stat=Sent (OK EPcdYHmZSTK2BKWSkYyj0g - nsmtp) Jul 19 14:50:49 cm sendmail[11763]: v6J5on71011761: done; delay=00:00:00, ntries=1 Jul 19 14:50:49 cm sendmail[11763]: STARTTLS=client, SSL_shutdown failed: -1
** TCP DUMP 확인
[root@cm mail]# tcpdump -A '(src host 115.xx.xxx.xxx and dst port 25) or (dst host 115.xx.xxx.xxx and src port 25 )'
E.....@.3...}...sDrz.......#.G.f...r4......
...D.b..250-mx.naver.com Pleased to meet you
250-SIZE 41943040
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 ENHANCEDSTATUSCODES
15:32:55.840996 IP 115.xx.xxx.xxx.57773 > mx3.naver.com.smtp: Flags [P.], seq 23:33, ack 182, win 115, options [nop,nop,TS val 23263012 ecr 350875460], length 10
E..>;a@.@...sDrz}........G.f.......sA......
.b.$...DSTARTTLS
15:32:55.844716 IP mx3.naver.com.smtp > 115.xx.xxx.xxx.57773: Flags [P.], seq 182:243, ack 33, win 114, options [nop,nop,TS val 350875466 ecr 23263012], length 61
E..q..@.3...}...sDrz.........G.p...r.......
...J.b.$220 2.0.0 Ready to start TLS QOMq+FWTSAmCLRMKTcK2QQ - nsmtp
.... 중략중략
0 개의 댓글