%%%%%%%%%%INCLUDE default.mgp %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %% %% "tfont" defs in this part are for those who have downloaded Microsoft %% TrueType fonts (or those who mount a Windows partition from their UNIX %% partition). %% those are available at: http://microsoft.com/typography/fontpack/default.htm %% and they require a Windows license to extract the archive. %% %% If you got Computer Modern fonts in TrueType format, you may want to %% use the following settings: %% "cmss10.ttf" for standard, "cmssbx10.ttf" for thick, %% "cmtt10.ttf" for typewriter %% CM fonts are available at CTAN mirrors, pub/CTAN/fonts/cm/ps-type1/bakoma/ttf. %% unlike MS ones, they do not require a Windows license! %% %% see README.fonts{,.jp} for more details. %% %deffont "standard" xfont "helvetica-medium-r", vfont "goth", tfont "arial.ttf", tmfont "msgothic.ttf" %deffont "thick" xfont "helvetica-bold-r", vfont "goth", tfont "arialbd.ttf", tmfont "msgothic.ttf" %deffont "typewriter" xfont "courier-medium-r", vfont "goth", tfont "courbd.ttf", tmfont "msgothic.ttf" %% %% Default settings per line number. %% %default 1 leftfill, size 2, fore "white", back "black", font "thick" %default 2 size 7, vgap 10, prefix " " %default 3 size 2, bar "gray70", vgap 10 %default 4 size 5, fore "white", vgap 30, prefix " ", font "standard" %% %% Default settings that are applied to TAB-indented lines. 
%% %tab 1 size 5, vgap 40, prefix " ", icon box "green" 50 %tab 2 size 4, vgap 40, prefix " ", icon arc "yellow" 50 %tab 3 size 3, vgap 40, prefix " ", icon delta3 "white" 40 %%%%%%%%%%INCLUDE-END default.mgp %tab 3 size 4 %default 1 leftfill, size 2, fore "white", back "black", vfont "gothsl", xfont "times-medium-i" %default 1 bgrad %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page %nodefault %size 8, vfont "gothsl", xfont "times-medium-i", fore "white", vgap 20 %center SMTP AUTH & STARTTLS %size 5 DEBUG 2001 春のイベント 2001 年 4 月 14 日 インターネット互助会横浜 梅本 肇 ume@mahoroba.org ume@{,jp.}FreeBSD.org ume@jp.IPv6.org http://www.imasy.or.jp/~ume/ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page SMTP AUTH POP before SMTP はまやかし メイルを出す前にPOP接続して、一定時間だけPOP接続元のホストからのメイルのリレーを受け付ける ユーザ認証ではなく、あくまでホスト認証 ← POP はユーザ認証 RFC2554 - SMTP Service Extension for Authentication SMTP 自体が SASL を用いた認証機能を提供 ユーザ認証により、リレーを許可 sendmail 8.10.X 以降でサポート - V9/Berkeley %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page SASL RFC2222 - Simple Authentication and Security Layer (SASL) 汎用的な認証の枠組を提供 認証の枠組と認証機構が分離 認証機構一覧 ftp://ftp.isi.edu/in-notes/iana/assignments/sasl-mechanisms CRAM-MD5 (RFC2195), DIGEST-MD5 (RFC2831) PLAIN (RFC2595), LOGIN base64 でエンコード 所詮は生パスワード 謎の LOGIN CMU がライブラリを提供 http://asg.web.cmu.edu/sasl/ ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/\ cyrus-sasl-1.5.24.tar.gz %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Cyrus SASL ライブラリのインストール FreeBSD だと ports で OK - /usr/ports/security/cyrus-sasl/ /usr/local/etc/sasldb.db に格納されたパスワードを使用 LOGIN, PLAIN は、/etc/passwd, PAM 等を使うこともできる sasldb 優先 デフォルトでは、sasldb のみ - pwcheck_method で設定 PAM, kerberos_v4, passwd, shadow, pwcheck, sasldb /usr/local/lib/sasl/Sendmail.confを用意 pwcheck_method: pwcheck pwcheck SASLライブラリをリンクしているアプリケーションがroot権限で動いていなくても、/etc/passwdを用いて認証できるように使用されるデーモン auto_transition PLAIN 認証されれば自動的に sasldb に反映 auto_transition: true 
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page SASL のユーザ管理 パスワード登録・削除 - saslpasswd %size 2 %size 3, font "typewriter" # saslpasswd ume Password: ******** Again (for verification): ******** %font "standard" 登録状況一覧 - sasldblistusers %size 2 %size 3, font "typewriter" # sasldblistusers user: ume realm: mille.mahoroba.org mech: DIGEST-MD5 user: ume realm: mille.mahoroba.org mech: PLAIN user: ume realm: mille.mahoroba.org mech: CRAM-MD5 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page SMTP AUTH 対応 sendmail の作成 オリジナルの場合は devtools/Site/site.config.m4 で指定 %size 2 %size 3, font "typewriter" syscmd(/bin/test -f /usr/local/lib/libsasl.a) ifelse(sysval, 0, ` APPENDDEF(`confENVDEF', `-DSASL -D_FFR_UNSAFE_SASL') APPENDDEF(`confINCDIRS', ``-I/usr/local/include/sasl'') APPENDDEF(`confLIBDIRS', ``-L/usr/local/lib -lsasl'') ')') %font "standard" FreeBSD の場合は /etc/make.conf で指定 %size 2 %size 3, font "typewriter" SENDMAIL_CFLAGS=-I/usr/local/include/sasl \ -DSASL -D_FFR_UNSAFE_SASL SENDMAIL_LDFLAGS=-L/usr/local/lib SENDMAIL_LDADD=-lsasl %font "standard" -D_FFR_UNSAFE_SASL は Cyrus 等との共存に必要 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page SMTP AUTH 対応 sendmail.cf リレーを許可する認証機構を指定 %size 2 %size 4, font "typewriter" define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5') TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5') %font "standard" PLAIN, LOGIN を有効にしたい場合は適宜追加 (生パスワードを送るので STARTTLS との併用が前提) cyrus-imapd 等と共存する場合 sasldb が group readable であることが必要 %size 2 %size 4, font "typewriter" define(`confDONT_BLAME_SENDMAIL', `GroupReadableSASLFile') define(`confRUN_AS_USER', `root:mail') %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page SMTP AUTH 動作確認 EHLO に 250-AUTH を返せば OK %size 2 %size 3, font "typewriter" % telnet localhost smtp Trying ::1... Connected to localhost. Escape character is '^]'. 
220 mille.mahoroba.org ESMTP Sendmail 8.11.3/8.11.3/mille; Sun, 4 Mar 2001 03:47:34 +0900 (JST) %fore "green" EHLO localhost %fore "white" 250-mille.mahoroba.org Hello ume@localhost [::1], pleased to meet you 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-SIZE 250-DSN 250-ONEX 250-ETRN 250-XUSR %fore "green" 250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5 %cont, fore "red" ← 使用できる認証メカニズム %fore "white" 250 HELP %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page SMTP AUTH 動作確認 SMTP AUTH で認証された Received: ヘッダの例 %size 3, font "typewriter" Received: from mille.mahoroba.org (ume@mille.mahoroba.org [2001:200:301:0:202:2dff:fe0a:6bee]) %fore "green" (authenticated as ume with CRAM-MD5) %cont, fore "red" ← CRAM-MD5で認証された %fore "white" by peace.mahoroba.org (8.11.3/8.11.3/peace) with ESMTP/inet6 id f23KAE373219 for ; Sun, 4 Mar 2001 05:10:14 +0900 (JST) (envelope-from ume@mahoroba.org) %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page SMTP AUTH 対応 MUA β版を含めると最近は割とあるみたい WinBiff, Datula, 電信八号, AL-Mail, Mew, Wanderlust ... 2 大メジャーは生パスワードのみ Outlook Express: LOGIN Netscape Messenger: PLAIN STARTTLS との併用を検討した方が良い %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page SMTP AUTH 導入時の注意事項 生パスワードいやん PLAIN または LOGIN は STARTTLSを併用 EHLO に 250-AUTH を返すと無条件に SMTP AUTH を使う奴がいる Netscape Messenger, Outlook Express 等 ユーザが登録されてないとメイルを出せない auto_transition を使う? 
SMTP と POP を別々にパスワード設定できない MUA が存在 サーバ側は SMTP と POP でパスワード管理が別 sasldb のパスワード管理は管理者のみ可能 ユーザレベルでパスワードの変更が行える管理ツールが必要 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page STARTTLS RFC2487 - SMTP Service Extension for Secure SMTP over TLS TLS を使用して暗号路を確保 クライアント、サーバの識別が可能 SMTP は end-to-end のメカニズムではないことに注意 (STARTTLS が守るのは隣接ホスト間の 1 ホップのみ) %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page STARTTLS 対応 sendmail の作成 オリジナルの場合は devtools/Site/site.config.m4 で指定 %size 2 %size 4, font "typewriter" syscmd(/bin/test -f /usr/local/lib/libssl.a) ifelse(sysval, 0, ` PREPENDDEF(`confENVDEF', ``-DSTARTTLS -D_FFR_TLS_O_T \ -D_FFR_TLS_1 -D_FFR_TLS_TOREK'') APPENDDEF(`confINCDIRS', ``-I/usr/local/include'') APPENDDEF(`confLIBS', ``-L/usr/local/lib -lssl -lcrypto'') ')') %font "standard" FreeBSD 4.2-RELEASE 以降はデフォルトで有効 送信先の STARTTLS が有効だったら自動的に暗号路を確保 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page STARTTLS の設定 (verify=NO) CERT の作成 %size 2 %size 3, font "typewriter" # cd /etc/mail # mkdir certs # chmod og-rwx certs # cd certs/ # openssl req -nodes -x509 -new -out cert.pem # ln -sf cert.pem `openssl x509 -noout -hash < cert.pem`.0 %fore "red" ↑ ハッシュ値 %fore "white" # chmod og-rwx * %cont, fore "red" ← sendmail が文句を言わないように %fore "white" %font "standard" sendmail.cf (.mc ファイル) %size 2 %size 3, font "typewriter" define(`confCACERT_PATH', `MAIL_SETTINGS_DIR`'certs') define(`confCACERT', `confCACERT_PATH/ %cont, fore "red" ハッシュ値 %cont, fore "white" .0') define(`confSERVER_CERT', `confCACERT_PATH/cert.pem') define(`confSERVER_KEY', `confCACERT_PATH/privkey.pem') %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page STARTTLS 動作確認 EHLO に 250-STARTTLS を返せば OK %size 2 %size 3, font "typewriter" % telnet localhost smtp Trying ::1... Connected to localhost. Escape character is '^]'. 
220 mille.mahoroba.org ESMTP Sendmail 8.11.3/8.11.3/mille; Sun, 4 Mar 2001 03:47:34 +0900 (JST) %fore "green" EHLO localhost %fore "white" 250-mille.mahoroba.org Hello ume@localhost [::1], pleased to meet you 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-SIZE 250-DSN 250-ONEX 250-ETRN 250-XUSR 250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5 %fore "green" 250-STARTTLS %fore "white" 250 HELP %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page STARTTLS 動作確認 STARTTLS で認証された Received: ヘッダの例 %size 3, font "typewriter" Received: from piano.mahoroba.org (IDENT:xDqEIMAie1MIHWwnCXeWzMEKnNv4ImZ2S7Oz03k5U1ObdVLO/qf8C6FVaTCG7+eV@piano.mahoroba.org [2001:200:301:0:260:1dff:fe22:dd55]) (authenticated as ume with CRAM-MD5) by mail.mahoroba.org (8.11.3/8.11.3/chaos) with ESMTP/inet6 id f3BIZgc16721 %fore "green" (using TLSv1/SSLv3 with cipher EDH-RSA-DES-CBC3-SHA (168 bits) verified OK) %fore "white" for ; Thu, 12 Apr 2001 03:35:45 +0900 (JST) (envelope-from ume@imasy.or.jp) %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page クライアントの識別 CERT の作成 %size 2 クライアント側 %size 3, font "typewriter" cd /etc/mail/certs openssl req -new -nodes -out newreq.pem %font "standard" %size 2 CA %size 3, font "typewriter" cd /etc/ssl/CA openssl ca -policy policy_anything -out cert.pem \ -infiles newreq.pem %font "standard" sendmail.cf (.mc ファイル) %size 2 %size 3, font "typewriter" define(`confCACERT_PATH', `MAIL_SETTINGS_DIR`'certs') define(`confCACERT', `confCACERT_PATH/cacert.pem') define(`confSERVER_CERT', `confCACERT_PATH/cert.pem') define(`confSERVER_KEY', `confCACERT_PATH/privkey.pem') define(`confCLIENT_CERT', `confCACERT_PATH/cert.pem') define(`confCLIENT_KEY', `confCACERT_PATH/privkey.pem') %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page CA の作成 手順例 %size 2 %size 3, font "typewriter" # cd /etc/ssl # mkdir CA # cd CA # mkdir certs crl newcerts private # chmod og-rwx private # echo "01" > serial # cp /dev/null index.txt # vi 
/etc/ssl/openssl.cnf %cont, fore "red" ← 各種値の設定 %fore "white" -dir = ./demoCA # Where everything is kept +dir = /etc/ssl/CA # Where everything is kept # openssl req -new -x509 -keyout private/cakey.pem \ -out cacert.pem -days 365 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page クライアント認証によるアクセス制御 CA の証明書を confCACERT_PATH に置いておくと識別できる %size 2 %size 3, font "typewriter" # cd /etc/mail/certs # cp SOME/WHERE/cacert.pem mahoroba.pem # ln -sf mahoroba.pem \ `openssl x509 -noout -hash < mahoroba.pem`.0 %font "standard" access map に記述 CERTISSUER - CERT 発行者の DN による制御 CERTSUBJECT - CERT サブジェクトの DN による制御 リレー許可の例 %size 2 %size 3, font "typewriter" CERTISSUER:/C=JP/ST=Kanagawa/L=Yokohama/\ O=Mahoroba.Org/CN=ca.mahoroba.org/\ Email=ca@mahoroba.org RELAY CERTSUBJECT:/C=JP/ST=Kanagawa/L=Yokohama/\ O=Mahoroba.Org/CN=mail.mahoroba.org/\ Email=postmaster@mahoroba.org RELAY %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page おわりに SMTP AUTH を用いるとユーザ認証によりリレーの制御が可能 STARTTLS を用いると暗号路の確保が可能 PLAIN, LOGIN を使う場合は STARTTLS と併用 SMTP は end-to-end のメカニズムではない STARTTLS クライアント認証を使ってリレーの制御も可能 POP before SMTP を駆逐しよう %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%