centos:mail_c7:postfix3_5

Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

Link zu dieser Vergleichsansicht

centos:mail_c7:postfix3_5 [15.02.2019 10:04. ] – [ankommender TLS-Verkehr] djangocentos:mail_c7:postfix3_5 [18.11.2024 19:13. ] (aktuell) – Externe Bearbeitung 127.0.0.1
Zeile 537: Zeile 537:
 <file perl /usr/local/bin/ca-list>#!/usr/bin/perl <file perl /usr/local/bin/ca-list>#!/usr/bin/perl
 # Liste eines Zertifikatsbundles ausgeben. # Liste eines Zertifikatsbundles ausgeben.
-# Django <django@mailserver.guru> (c) 2019+# Django <django@nausch.org> (c) 2019
 # #
 $file = shift; $file = shift;
Zeile 565: Zeile 565:
   subject= /O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root   subject= /O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
  
-==== CA Vetrauensmodell - CA Trust ====+==== CA Vertrauensmodell - CA Trust ====
 {{page>centos:ca-trust&nofooter&showheader}} {{page>centos:ca-trust&nofooter&showheader}}
  
Zeile 1897: Zeile 1897:
 <file bash edh_keygen>#!/bin/bash <file bash edh_keygen>#!/bin/bash
 # Script zum Erstellen der Diffie Hellman Schlüssel # Script zum Erstellen der Diffie Hellman Schlüssel
-# Django <django@mailserver.guru> (c) 2019+# Django <django@nausch.org> (c) 2019
 cd /etc/pki/tls/tmp cd /etc/pki/tls/tmp
 umask 022 umask 022
Zeile 3605: Zeile 3605:
 Bei Bedarf können wir uns bei unserem Mailserver, mit Hilfe der nachfolgenden Befehle, einen Überblick über Anzahl und Art der einzelnen TLS-Verbindungen anzeigen lassen. Bei Bedarf können wir uns bei unserem Mailserver, mit Hilfe der nachfolgenden Befehle, einen Überblick über Anzahl und Art der einzelnen TLS-Verbindungen anzeigen lassen.
  
 +=== ankommender TLS-Verkehr ===
 +Wieviele verschlüsselte Verbindungen unser MTA angenommen hat, verrät uns ein Blick in das Maillog. Dort suchen wir nach den entsprechenden Zeilen mit z.B. mit folgender Abfrage.
  
 +   # egrep "TLS connection established from.*with cipher" /var/log/maillog | awk '{printf("%s\n", $12)}'  \
 +           | sort | uniq -c | sort -nr
  
-<WRAP center round todo 30%+<code>193593 TLSv1.2 
-FIXME FIXME FIXME  +   9578 TLSv1 
-  * //**... in Überarbeitung!**//   +    868 TLSv1.1 
-FIXME FIXME FIXME  +</code>
-</WRAP>+
  
-=== ankommender TLS-Verkehr === +Eine Aufstellung der unterschiedlichen Protokolle mit den verwendeten Ciphern ermitteln wir mit folgendem Befehl
-   # grep 'TLS connection established from' /var/log/maillog | sed -e 's/^.*\]\//' -e 's/ with cipher.*//' | sort | uniq -c +
- +
-<code>  42184 TLSv1 +
- 167813 TLSv1.2</code>+
  
    # egrep "TLS connection established from.*with cipher" /var/log/maillog | awk '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' \    # egrep "TLS connection established from.*with cipher" /var/log/maillog | awk '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' \
            | sort | uniq -c | sort -nr            | sort | uniq -c | sort -nr
-<code>   8038 TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 + 
-   3981 TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 +<code> 238038 TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 
-    705 TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 + 173981 TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 
-    614 TLSv1 with cipher DHE-RSA-AES256-SHA +  10705 TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 
-    440 TLSv1.2 with cipher ECDHE-ECDSA-AES256-SHA384 +   6914 TLSv1 with cipher DHE-RSA-AES256-SHA 
-    265 TLSv1 with cipher ECDHE-RSA-AES256-SHA +   5540 TLSv1.2 with cipher ECDHE-ECDSA-AES256-SHA384 
-     75 TLSv1 with cipher ECDHE-ECDSA-AES256-SHA +   1265 TLSv1 with cipher ECDHE-RSA-AES256-SHA 
-     62 TLSv1.2 with cipher AES256-GCM-SHA384 +    765 TLSv1 with cipher ECDHE-ECDSA-AES256-SHA 
-     41 TLSv1.2 with cipher DHE-RSA-AES256-SHA256 +    666 TLSv1.2 with cipher AES256-GCM-SHA384 
-     40 TLSv1.2 with cipher ECDHE-RSA-AES256-SHA +    421 TLSv1.2 with cipher DHE-RSA-AES256-SHA256 
-     39 TLSv1.1 with cipher ECDHE-RSA-AES256-SHA +    400 TLSv1.2 with cipher ECDHE-RSA-AES256-SHA 
-     25 TLSv1.1 with cipher ECDHE-ECDSA-AES256-SHA +    379 TLSv1.1 with cipher ECDHE-RSA-AES256-SHA 
-     21 TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 +    167 TLSv1.1 with cipher ECDHE-ECDSA-AES256-SHA 
-     20 TLSv1.2 with cipher AES256-SHA256 +    121 TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 
-     20 TLSv1.2 with cipher AES256-SHA +    105 TLSv1.2 with cipher AES256-SHA256 
-     20 TLSv1.2 with cipher AES128-GCM-SHA256 +    105 TLSv1.2 with cipher AES256-SHA 
-     19 TLSv1.2 with cipher AES128-SHA256 +    103 TLSv1.2 with cipher AES128-GCM-SHA256 
-     19 TLSv1.2 with cipher AES128-SHA +    102 TLSv1.2 with cipher AES128-SHA256 
-     16 TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 +    102 TLSv1.2 with cipher AES128-SHA 
-     16 TLSv1.2 with cipher ECDHE-RSA-AES128-SHA +    102 TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 
-     16 TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 +    101 TLSv1.2 with cipher ECDHE-RSA-AES128-SHA 
-     16 TLSv1.2 with cipher DHE-RSA-CAMELLIA256-SHA +    101 TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 
-     16 TLSv1.2 with cipher DHE-RSA-CAMELLIA128-SHA +    101 TLSv1.2 with cipher DHE-RSA-CAMELLIA256-SHA 
-     16 TLSv1.2 with cipher DHE-RSA-AES256-SHA +    101 TLSv1.2 with cipher DHE-RSA-CAMELLIA128-SHA 
-     16 TLSv1.2 with cipher DHE-RSA-AES128-SHA256 +    100 TLSv1.2 with cipher DHE-RSA-AES256-SHA 
-     16 TLSv1.2 with cipher DHE-RSA-AES128-SHA +    100 TLSv1.2 with cipher DHE-RSA-AES128-SHA256 
-     16 TLSv1.2 with cipher DHE-RSA-AES128-GCM-SHA256 +    100 TLSv1.2 with cipher DHE-RSA-AES128-SHA 
-     15 TLSv1.1 with cipher AES256-SHA +    100 TLSv1.2 with cipher DHE-RSA-AES128-GCM-SHA256 
-     14 TLSv1 with cipher AES256-SHA +     99 TLSv1.1 with cipher AES256-SHA 
-     14 TLSv1 with cipher AES128-SHA +     99 TLSv1 with cipher AES256-SHA 
-     12 TLSv1.2 with cipher CAMELLIA256-SHA +     93 TLSv1 with cipher AES128-SHA 
-     11 TLSv1.2 with cipher ECDHE-ECDSA-AES256-SHA +     92 TLSv1.2 with cipher CAMELLIA256-SHA 
-     11 TLSv1.2 with cipher CAMELLIA128-SHA +     92 TLSv1.2 with cipher ECDHE-ECDSA-AES256-SHA 
-     11 TLSv1.1 with cipher AES128-SHA +     89 TLSv1.2 with cipher CAMELLIA128-SHA 
-     10 TLSv1 with cipher ECDHE-RSA-AES128-SHA +     89 TLSv1.1 with cipher AES128-SHA 
-     10 TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA +     88 TLSv1 with cipher ECDHE-RSA-AES128-SHA 
-     10 TLSv1 with cipher DHE-RSA-CAMELLIA128-SHA +     88 TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA 
-     10 TLSv1 with cipher DHE-RSA-AES128-SHA +     86 TLSv1 with cipher DHE-RSA-CAMELLIA128-SHA 
-     10 TLSv1 with cipher CAMELLIA256-SHA +     52 TLSv1 with cipher DHE-RSA-AES128-SHA 
-     10 TLSv1 with cipher CAMELLIA128-SHA +     50 TLSv1 with cipher CAMELLIA256-SHA 
-      TLSv1.2 with cipher ECDHE-ECDSA-AES128-SHA256 +     47 TLSv1 with cipher CAMELLIA128-SHA 
-      TLSv1.2 with cipher ECDHE-ECDSA-AES128-SHA +     23 TLSv1.2 with cipher ECDHE-ECDSA-AES128-SHA256 
-      TLSv1.2 with cipher ECDHE-ECDSA-AES128-GCM-SHA256 +     21 TLSv1.2 with cipher ECDHE-ECDSA-AES128-SHA 
-      TLSv1.1 with cipher ECDHE-RSA-AES128-SHA +     19 TLSv1.2 with cipher ECDHE-ECDSA-AES128-GCM-SHA256 
-      TLSv1.1 with cipher DHE-RSA-CAMELLIA256-SHA +     17 TLSv1.1 with cipher ECDHE-RSA-AES128-SHA 
-      TLSv1.1 with cipher DHE-RSA-CAMELLIA128-SHA +     17 TLSv1.1 with cipher DHE-RSA-CAMELLIA256-SHA 
-      TLSv1.1 with cipher DHE-RSA-AES256-SHA +     17 TLSv1.1 with cipher DHE-RSA-CAMELLIA128-SHA 
-      TLSv1.1 with cipher DHE-RSA-AES128-SHA +     17 TLSv1.1 with cipher DHE-RSA-AES256-SHA 
-      TLSv1.1 with cipher CAMELLIA256-SHA +     17 TLSv1.1 with cipher DHE-RSA-AES128-SHA 
-      TLSv1.1 with cipher CAMELLIA128-SHA +     17 TLSv1.1 with cipher CAMELLIA256-SHA 
-      TLSv1 with cipher ECDHE-ECDSA-AES128-SHA +     17 TLSv1.1 with cipher CAMELLIA128-SHA 
-      TLSv1.1 with cipher ECDHE-ECDSA-AES128-SHA</code>+     16 TLSv1 with cipher ECDHE-ECDSA-AES128-SHA 
 +     15 TLSv1.1 with cipher ECDHE-ECDSA-AES128-SHA</code>
 === ausgehender TLS-Verkehr === === ausgehender TLS-Verkehr ===
 +Wollen wir wissen wieviele TLS gesichete Verbindungen unser Mailserver zu anderen aufbaut können wir dies wie folgt abrufen
    # grep 'TLS connection established to' /var/log/maillog | sed -e 's/^.*\]:25\: //' -e 's/ with cipher.*//' | sort | uniq -c    # grep 'TLS connection established to' /var/log/maillog | sed -e 's/^.*\]:25\: //' -e 's/ with cipher.*//' | sort | uniq -c
  
-<code>  69741 TLSv1 +<code>  324664 TLSv1.2</code> 
-   3323 TLSv1.1 + 
- 396939 TLSv1.2</code>+Wollen wir wissen welche Cipher bei den unterschiedlichen Protokollen verwendet wurden, fragen wir dies mit folgendem Befehl ab: 
 +   # egrep "TLS connection established to.*with cipher" /var/log/maillog | awk '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' \  
 +             | sort | uniq -c | sort -nr 
 +<code> 181337 TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 
 + 140867 TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 
 +   1337 TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 
 +    679 TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 
 +    423 TLSv1.2 with cipher DHE-RSA-AES256-SHA256 
 +     21 TLSv1.2 with cipher AES256-GCM-SHA384</code>
  
 === graphische Übersicht des TLS-Clientverkehrs === === graphische Übersicht des TLS-Clientverkehrs ===
  • centos/mail_c7/postfix3_5.1550225055.txt.gz
  • Zuletzt geändert: 15.02.2019 10:04.
  • von django