Encrypting mail with SSL: Postfix + SSL configuration

This is the procedure for enabling SSL/TLS in Postfix so that mail is transmitted encrypted. Steps 1 to 3 issue a certificate with OpenSSL; if you have purchased a certificate, skip them.
Step 1. Run the CA.pl script to generate the root (CA) certificate.
cd /usr/share/ssl/misc
./CA -newca
CA certificate filename (or enter to create)
Press Enter to accept the default.
Making CA certificate ...
Generating a 1024 bit RSA private key
..++++++
......................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Enter a pass phrase for the CA key; be sure to remember it.
Verifying - Enter PEM pass phrase:
Re-enter the pass phrase to confirm it.
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
Enter the country code: CN
State or Province Name (full name) [Berkshire]:
Enter the province: hebei
Locality Name (eg, city) [Newbury]:
Enter the city: shijiazhuang
Organization Name (eg, company) [My Company Ltd]:
Enter the company: anymacro
Organizational Unit Name (eg, section) []:
Enter the department: tech
Common Name (eg, your name or your server's hostname) []:
Enter your name: admin
Email Address []:
Enter the email address.
This creates the CA root certificate under the demoCA directory.


Step 2. Generate a certificate request for the SMTP server.
[root@mail misc]# openssl req -new -nodes -keyout mailkey.pem -out mailreg.pem -days 365
Generating a 1024 bit RSA private key
..++++++
..............................++++++
writing new private key to 'mailkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:shandong
Locality Name (eg, city) [Newbury]:jinan
Organization Name (eg, company) [My Company Ltd]:test
Organizational Unit Name (eg, section) []:tech
Common Name (eg, your name or your server's hostname) []:admin
Email Address []:admin@test.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:


Step 3. Sign the SMTP server certificate from the request in mailreg.pem.
[root@mail misc]# openssl ca -out mail_signed_cert.pem -infiles mailreg.pem
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Apr 21 13:52:13 2010 GMT
Not After : Apr 21 13:52:13 2011 GMT
Subject:
countryName = CN
stateOrProvinceName = shandong
organizationName = test
organizationalUnitName = tech
commonName = admin
emailAddress = admin@test.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
F5:7E:E0:B8:7B:98:63:078:59:B5:89:98:AA:AF:78:F9:45:3F:6C
X509v3 Authority Key Identifier:
keyid:17:F3:17:64:4A:AE:0C:CE:79:FB:96:24:61:E4:EE:00:40:9D:39:38
DirName:/C=CN/ST=shandong/L=jinan/O=anymacro/OU=tech/CN=admin/emailAddress=admin@test.com
serial:00

Certificate is to be certified until Apr 21 13:52:13 2011 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Step 4. Install the certificates into Postfix and configure Postfix.
cp demoCA/cacert.pem /etc/postfix/
cp mailkey.pem /etc/postfix/
cp mail_signed_cert.pem /etc/postfix/

vi /etc/postfix/main.cf
Add the following lines:

The first block configures the server side: how TLS is offered when the system accepts connections from mail clients and from other mail servers. The second block enables TLS when the server acts as a client and sends mail outward.
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/postfix/mailkey.pem
smtpd_tls_cert_file = /etc/postfix/mail_signed_cert.pem
smtpd_tls_CAfile = /etc/postfix/cacert.pem

smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtp_tls_key_file = /etc/postfix/mailkey.pem
smtp_tls_cert_file = /etc/postfix/mail_signed_cert.pem
smtp_tls_CAfile = /etc/postfix/cacert.pem
Step 5. Restart the Postfix service and the configuration is complete.
service postfix restart

Step 6. If you also need to open port 465 (smtps), do the following:
Edit the file /etc/postfix/master.cf
Below the line "smtp inet n - n - - smtpd", add the following line:
smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes

Step 7. Enforcing TLS for outbound mail

The configuration above enables TLS for outbound mail opportunistically: when sending, the system checks whether the remote server supports TLS and uses it if so; otherwise the mail is delivered as usual, in plaintext. Postfix can also be told to require TLS for specific destination domains; if the remote server does not support it, the mail is deferred instead of being sent unencrypted. The procedure is as follows:
1. Create the file /etc/postfix/tls_policy with the following line:
test.com encrypt
2. Run postmap tls_policy (from within /etc/postfix)
3. Edit main.cf and add the following line:
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
Note: this option takes precedence over smtp_use_tls; smtp_tls_policy_maps is applied whether smtp_use_tls is set to yes or no.
4. Restart the Postfix service
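To make the difference between opportunistic TLS (smtp_use_tls = yes) and an enforced "encrypt" policy concrete, here is an added Python example (not part of the original post, and not Postfix code) that parses a tls_policy file in the format shown above and models the client-side decision: "may" falls back to plaintext when the peer does not offer STARTTLS, while "encrypt" defers the message. The sample table, the reduced set of levels (none/may/encrypt), and the leading-dot parent-domain lookup are this example's own simplifying assumptions.

```python
"""Model of the Postfix SMTP client's TLS decision for a tls_policy table."""
from typing import Dict, Optional

# Constructed sample tls_policy file (one destination per line, as in step 7).
TLS_POLICY_TEXT = """\
# destination    level
test.com         encrypt
.bank.example    encrypt    # leading dot: applies to subdomains
legacy.example   none
"""


def parse_tls_policy(text: str) -> Dict[str, str]:
    """Return {destination: level}; '#' comments and blank lines are skipped."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        dest, level = line.split(None, 1)
        table[dest.lower()] = level.split()[0].lower()
    return table


def lookup_policy(table: Dict[str, str], domain: str) -> Optional[str]:
    """Exact destination first, then parent domains written with a leading dot."""
    domain = domain.lower()
    if domain in table:
        return table[domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in table:
            return table[key]
    return None  # no entry: the global default applies


def decide_delivery(table: Dict[str, str], domain: str,
                    peer_offers_starttls: bool, smtp_use_tls: bool = True) -> str:
    """Return 'tls', 'plaintext' or 'defer' for one delivery attempt."""
    level = lookup_policy(table, domain)
    if level is None:
        # Unlisted destinations: smtp_use_tls = yes means opportunistic ("may").
        level = "may" if smtp_use_tls else "none"
    if level == "none":
        return "plaintext"
    if level == "may":
        return "tls" if peer_offers_starttls else "plaintext"
    if level == "encrypt":
        return "tls" if peer_offers_starttls else "defer"  # never downgrade
    raise ValueError(f"level {level!r} is not modelled by this example")
```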