
postfix SSL

文章發表於 : 2009年 2月 21日, 22:23
super
#如果要啟用 SSL 安全通道,讓支援 spop3 或 simap 的 MUA 能夠以更安全的方式來連線,請執行底下的指令,以便建立安全憑證,並將此兩個金鑰檔案的權限設定為 600

#fc3


vi /etc/dovecot.conf

# fc3 layout (/usr/share/ssl).  Both paths are the files the openssl command
# further down writes; the private key must stay readable by root only
# (the chmod 600 that follows the openssl call).
ssl_cert_file = /usr/share/ssl/certs/dovecot.pem
ssl_key_file = /usr/share/ssl/private/dovecot.pem


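cd /usr/share/ssl/

# Self-signed, 10-year certificate + key for dovecot (fc3 paths).
# -nodes: the key is stored unencrypted so dovecot can start unattended.
# -newkey rsa:2048 pins the key size instead of inheriting the openssl.cnf
# default (typically 1024 bits on systems of this era, too small today).
openssl req -new -x509 -nodes -newkey rsa:2048 -out certs/dovecot.pem -keyout private/dovecot.pem -days 3650

# Private key root-only.  The certificate is public data, but the original
# kept both at 600, which is harmless, so that is preserved.
chmod 600 certs/dovecot.pem private/dovecot.pem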



#fc5+

vi /etc/dovecot.conf

# fc5+ layout (/etc/pki/dovecot).  Both paths are the files the openssl command
# further down writes; the private key must stay readable by root only
# (the chmod 600 that follows the openssl call).
ssl_cert_file = /etc/pki/dovecot/certs/dovecot.pem
ssl_key_file = /etc/pki/dovecot/private/dovecot.pem


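cd /etc/pki/dovecot

# Self-signed, 10-year certificate + key for dovecot (fc5+ paths).
# -nodes: the key is stored unencrypted so dovecot can start unattended.
# -newkey rsa:2048 pins the key size instead of inheriting the openssl.cnf
# default (typically 1024 bits on systems of this era, too small today).
openssl req -new -x509 -nodes -newkey rsa:2048 -out certs/dovecot.pem -keyout private/dovecot.pem -days 3650

# Private key root-only.  The certificate is public data, but the original
# kept both at 600, which is harmless, so that is preserved.
chmod 600 certs/dovecot.pem private/dovecot.pem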


前置安裝

    yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 cyrus-sasl-plain

vi /usr/lib/sasl2/smtpd.conf

# Cyrus SASL settings read by postfix smtpd.  Passwords are verified by the
# saslauthd daemon (restarted at the end of this page).
# plain and login are cleartext mechanisms: they are only as safe as the
# transport carrying them, so they should be offered on TLS sessions only
# (see smtpd_tls_auth_only in main.cf).
   pwcheck_method: saslauthd
   mech_list: plain login


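# Postfix TLS material lives in /etc/postfix/ssl.
mkdir -p /etc/postfix/ssl
cd /etc/postfix/ssl/

# umask 077 makes every file openssl writes below owner-readable only, so the
# private keys are never world-readable even briefly (the chmod at the end is
# kept as a backstop).  Note: the umask stays in effect for this shell session.
umask 077

# Local CA first, so it can sign the server certificate below.  The CA key is
# passphrase-protected (no -nodes): it is only used here, never by a daemon.
openssl req -new -x509 -extensions v3_ca -newkey rsa:2048 -keyout cakey.pem -out cacert.pem -days 3650

# Server key, unencrypted from the start so smtpd can load it without a
# passphrase prompt.  The original -des3 encrypt-then-decrypt round trip added
# nothing, and -rand /etc/hosts added no entropy (openssl seeds from the OS RNG).
# 2048 bits: 1024-bit RSA is no longer considered adequate.
openssl genrsa -out smtpd.key 2048

openssl req -new -key smtpd.key -out smtpd.csr

# Sign the CSR with the local CA instead of self-signing (-signkey), so that
# smtpd.crt actually chains to the cacert.pem that main.cf later names as
# smtpd_tls_CAfile; in the original the CA was created but never used.
openssl x509 -req -days 3650 -in smtpd.csr -CA cacert.pem -CAkey cakey.pem -CAcreateserial -out smtpd.crt

# Backstop: both private keys root-only.  In the original, chmod ran before the
# decrypted key was moved into place with mv -f, so the final smtpd.key kept the
# umask default (usually 644) and was readable by every local user.
chmod 600 smtpd.key cakey.pem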

# Same parameters as the main.cf fragment further down; postconf -e writes them
# into main.cf without a hand edit, one call for all of them.
# smtpd_tls_auth_only = no keeps AUTH available on plain port-25 sessions (for
# MUAs that cannot STARTTLS); PLAIN/LOGIN credentials then travel unencrypted.
# Set it to yes once every client supports STARTTLS.
postconf -e \
    'smtpd_tls_auth_only = no' \
    'smtp_use_tls = yes' \
    'smtpd_use_tls = yes' \
    'smtp_tls_note_starttls_offer = yes' \
    'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key' \
    'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt' \
    'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem' \
    'smtpd_tls_loglevel = 1' \
    'smtpd_tls_received_header = yes' \
    'smtpd_tls_session_cache_timeout = 3600s' \
    'tls_random_source = dev:/dev/urandom'


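vi /etc/postfix/master.cf

# smtps (TCP 465): TLS "wrapper mode" — the whole session is TLS from the first
# byte, with SASL AUTH enabled on it.  The original passed -v, which is the
# verbose debugging switch and floods maillog for every connection; re-add it
# only while diagnosing a problem.
smtps     inet  n       -       n       -       -       smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes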


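vi /etc/postfix/main.cf


# Recipient-stage restrictions, evaluated top to bottom; the first decisive
# result wins.  Local networks and SASL-authenticated users may relay, everyone
# else is limited to our own domains by reject_unauth_destination.
# check_helo_access consults /etc/postfix/helo_checks (not shown on this page).
# The commented entries below are the author's disabled options, kept as-is.
#smtpd_client_restrictions =
smtpd_recipient_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
#        check_policy_service unix:/var/spool/postfix/postgrey/socket
#       reject_rbl_client opm.blitzed.org
#        check_client_access regexp:/etc/postfix/dynip_check
        check_helo_access regexp:/etc/postfix/helo_checks
        reject_unauth_destination
        permit

# STARTTLS on port 25 and SASL AUTH.
# smtpd_tls_auth_only = no: AUTH is also offered before STARTTLS, so PLAIN/LOGIN
# passwords can cross the wire unencrypted; change to yes once all MUAs do TLS.
# (The original listed this parameter twice; Postfix takes the last value, so
# the duplicate has been dropped.)
smtpd_tls_auth_only = no
tls_random_source = dev:/dev/urandom
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_sasl_auth_enable = yes
# noanonymous: refuse the ANONYMOUS mechanism; plaintext mechanisms stay allowed
smtpd_sasl_security_options = noanonymous
# NOTE(review): on Postfix >= 2.3 the current spellings are
# smtpd_tls_security_level = may / smtp_tls_security_level = may;
# the *_use_tls forms still work on those versions.
smtpd_use_tls = yes
# interoperate with clients that send an obsolete form of the AUTH command
broken_sasl_auth_clients = yes
initial_destination_concurrency = 25
default_destination_concurrency_limit = 50
smtpd_helo_required = yes
smtp_connect_timeout = 80s
# empty value: explicitly no fallback relay
fallback_relay =
smtp_destination_recipient_limit = 50
smtpd_error_sleep_time = 5s
smtpd_hard_error_limit = 50

# Outbound TLS (opportunistic) and the server-side TLS details.
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
# 1: one summary line per TLS handshake
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s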


/etc/nat/nat.cfg

OPENPORT:       465     TCP     (465/SMTP/SSL)
OPENPORT:       993     TCP     (993/IMAP/SSL)
OPENPORT:       995     TCP     (995/POP3/SSL)





# Pick up the new SASL and dovecot settings.
service saslauthd restart
service dovecot restart

# NOTE(review): postfix itself is not restarted explicitly here — presumably the
# MailScanner init script does that on this setup; confirm, and otherwise run
# "postfix reload" so the main.cf/master.cf changes take effect.  Then follow the log.
service MailScanner restart && tail -f /var/log/maillog