Mail and email service (III): POP3 authentication mechanism and relay rules

Source: Internet
Author: User
Tags: dovecot

We build on the mail system set up in Mago's guide on creating a mail system based on a virtual-user architecture, and add the POP3 authentication mechanism to it.

If you do not yet have a working mail service, follow Mago's instructions step by step; I believe you can do it.

Now to the main topic:

POP3 authentication mechanism:

1. Create a CA to prepare for issuing certificates

# cd /etc/pki/CA

# vim ../tls/openssl.cnf    (change the default directory and the default field values)

dir = /etc/pki/CA

countryName_default = CN

stateOrProvinceName_default = Henan

localityName_default = ZZ

0.organizationName_default = Linux

organizationalUnitName_default = tech

# openssl genrsa 2048 > private/cakey.pem

# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650

# chmod 600 private/cakey.pem

# mkdir certs newcerts crl

# touch index.txt serial

# echo 01 > serial

# ll


2. Issue a certificate to Dovecot

# mkdir /etc/dovecot

# mkdir /etc/dovecot/ssl

# cd /etc/dovecot/ssl

# (umask 077; openssl genrsa 1024 > dovecot.key)

Generate a certificate signing request:

# openssl req -new -key dovecot.key -out dovecot.csr

(The Common Name is very important: it must be the server name, pop3.a.org.)

# openssl ca -in dovecot.csr -out dovecot.crt -days 3650

# rm dovecot.csr

Now both the certificate and the private key are available.

Dovecot also needs the CA certificate, so copy it over:

# cp /etc/pki/CA/cacert.pem ./

# mv cacert.pem cacert.crt

# ll


3. Configure Dovecot to support the authentication mechanism

# vim /etc/dovecot.conf

Modify:

ssl_cert_file = /etc/dovecot/ssl/dovecot.crt

ssl_key_file = /etc/dovecot/ssl/dovecot.key

ssl_ca_file = /etc/dovecot/ssl/cacert.crt

Enable:

protocols = imap imaps pop3 pop3s

# service dovecot restart

# vim /var/named/a.org.zone

Add an A record mapping pop3 to the server's IP address.

# service named reload

# mutt -f pops://weiyan@weiyan.org@pop3.weiyan.org

Mutt asks whether to trust the certificate: press r to reject it or o to accept it once; you are then prompted for the password.

At this point the POP3 session is encrypted.


Verification:

Start the packet capture tool:

# tshark -ni eth0 -R "tcp.srcport eq 995 or tcp.dstport eq 995"

Then, on another host:

# mutt -f pops://gentoo@a.org@172.16.100.1

Everything captured shows up only as encrypted data.


Relay rule restrictions:

Define the relay rules in main.cf. We use a virtual domain as an example.

1. Restrict one or more IP addresses inside a CIDR block that is otherwise open

smtpd_client_restrictions = hash:/filename

The file can be named as you like; its contents are lines in this format:

172.16.100.100 reject

This means that 172.16.100.100 is not allowed to relay; optional rejection message text can follow reject.

After writing the file, use the postmap command to convert it into a *.db binary table:

# postmap filename

Then edit main.cf so that it points to the table:

smtpd_client_restrictions = hash:/filename

Now try to send mail from the host with that IP address: it should be rejected.

Hosts with other IP addresses can still relay.


2. Reject mail from specific sender addresses

smtpd_sender_restrictions = hash:/etc/postfix/sender

We also need to create a new file (here /etc/postfix/sender) that defines the senders:

centos@a.org reject

a.org reject

gentoo@ reject

The first line rejects centos@a.org.

The second line rejects all senders in the a.org domain (access(5) expects the bare domain here, not @a.org).

The third line rejects every user named gentoo, whatever the domain.

# postmap /etc/postfix/sender

# vim /etc/postfix/main.cf

smtpd_sender_restrictions = hash:/etc/postfix/sender
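To see how Postfix walks these two tables, here is an added Python example (mine, not from the original post or from Postfix itself) that reproduces the key lookup order described in access(5) for a client IP and a sender address and returns the resulting decision. It uses constructed sample maps and assumes the default parent_domain_matches_subdomains (so a domain key also covers its subdomains); hostname lookups and the other restriction classes are left out.

```python
import ipaddress

# Constructed sample maps, mirroring the two tables described above.
CLIENT_MAP = "172.16.100.100 reject Relaying from this client is not allowed\n"
SENDER_MAP = "centos@a.org reject\na.org reject\ngentoo@ reject\n"

def parse_access_map(text):
    """Turn access-map source lines ('key action [message]') into a dict."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, action = line.partition(" ")
            table[key.lower()] = action.strip()
    return table

def client_keys(ip):
    """Keys tried for an IPv4 client: full address, then shorter prefixes."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return [".".join(octets[:n]) for n in range(4, 0, -1)]

def sender_keys(address):
    """Keys tried for a sender: user@domain, the domain and each parent domain
    (parent matching is on by default for smtpd access maps), then user@.
    No '@domain' key is ever generated, so a line such as '@a.org' never matches."""
    user, _, domain = address.lower().partition("@")
    labels = domain.split(".")
    return ([f"{user}@{domain}"]
            + [".".join(labels[i:]) for i in range(len(labels))]
            + [f"{user}@"])

def lookup(table, keys):
    """The first key present in the table wins; None when nothing matches."""
    for key in keys:
        if key in table:
            return table[key]
    return None

def decide(client_ip, sender, client_map=CLIENT_MAP, sender_map=SENDER_MAP):
    """Check the client restriction, then the sender restriction; return the
    reject action text, or 'OK' when neither map rejects."""
    checks = ((parse_access_map(client_map), client_keys(client_ip)),
              (parse_access_map(sender_map), sender_keys(sender)))
    for table, keys in checks:
        action = lookup(table, keys)
        if action and action.split()[0].lower() == "reject":
            return action
    return "OK"
```

Call decide(ip, sender) with the constructed maps, or pass your own map text through client_map and sender_map to check a rule file before running postmap on it.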
