配置Postfix(SMTP)支持SSL
安装OpenSSL-Perl
yum install -y openssl-perl
会在/etc/pki/tls/misc/目录下生成CA.pl脚本,让你可以自己开设 CA,自己签署自己的证书。
生成服务器根证书
# cd /etc/pki/tls/misc/
# ./CA -newca
CA certificate filename (or enter to create) #按回车开始
#在下面的设置过程中,输错了可以按ctrl+backspce进行删除
Making CA certificate ...
Generating a 2048 bit RSA private key
..............................+++
................+++
writing new private key to ‘/etc/pki/CA/private/cakey.pem‘
Enter PEM pass phrase:123456 #输入密码,至少4个字符
Verifying - Enter PEM pass phrase:123456 #重复输入密码
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN #输入国家
State or Province Name (full name) []:Guangdong #输入省份
Locality Name (eg, city) [Default City]:Guangzhou #输入城市
Organization Name (eg, company) [Default Company Ltd]:gzydt #输入公司名
Organizational Unit Name (eg, section) []:tect #输入部门名
Common Name (eg, your name or your server s hostname) []:admin #输入你的名字或服务器名
Email Address []: #输入邮箱账号(可不填)
Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []: #输入证书请求密码(可不填)
An optional company name []: #输入可选公司名(可不填)
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:123456 #输入前面设的密码123456
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 14986867786496351857 (0xcffc0cd915dc1e71)
Validity
Not Before: Nov 28 02:06:59 2014 GMT
Not After : Nov 27 02:06:59 2017 GMT
Subject:
countryName = CN
stateOrProvinceName = zhejiang
organizationName = yourmail
organizationalUnitName = it
commonName = root
X509v3 extensions:
X509v3 Subject Key Identifier:
12:6E:1A:A9:98:79:E1:A6:82:7E:A4:D8:FD:44:5D:57:FF:4B:46:69
X509v3 Authority Key Identifier:
keyid:12:6E:1A:A9:98:79:E1:A6:82:7E:A4:D8:FD:44:5D:57:FF:4B:46:69
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Nov 27 02:06:59 2017 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
说明:显示上面资料表示成功,否则失败;失败时删除cakey.pem后重新执行CA
# rm -f /etc/pki/CA/private/cakey.pem
# cd /etc/pki/tls/misc/
# ./CA -newca
创建证书目录,将生成的根证书复制进去
# mkdir /etc/pki/myca
# cp /etc/pki/CA/cacert.pem /etc/pki/myca
生成私钥和CSR证书签署请求文件
# cd /etc/pki/myca
# openssl req -new -nodes -keyout mailkey.pem -out mailreq.pem -days 3650
Generating a 2048 bit RSA private key
...................................+++
....................+++
writing new private key to ‘mailkey.pem‘
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Guangdong
Locality Name (eg, city) [Default City]:Guangzhou
Organization Name (eg, company) [Default Company Ltd]:gzydt
Organizational Unit Name (eg, section) []:tech
Common Name (eg, your name or your server s hostname) []:admin
Email Address []: # 不填,直接回车
Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []: # 不填,直接回车
An optional company name []: # 不填,直接回车
参数说明
- -new表示你想产生公私钥与CSR
- -nodes表示不加密
- -keyout指出私钥文件
- -out指出CSR文件的名称
- -days指出证书的有效期限是10年
查看生成的文件:
# cd /etc/pki/myca
# ll
总用量 16
-rw-r--r--. 1 root root 4291 12月 2 14:08 cacert.pem #根证书
-rw-r--r--. 1 root root 1704 12月 2 14:09 mailkey.pem #私钥
-rw-r--r--. 1 root root 997 12月 2 14:09 mailreq.pem #CSR文件
签署CSR文件
# cd /etc/pki/myca
# openssl ca -out mailcert.pem -infiles mailreq.pem
...
failed to update database
TXT_DB error number 2
产生的原因是:证书的设置相同,导致subject值相同
解决方法:
将“唯一主题”设置为不必须:# vim /etc/pki/CA/index.txt.attr
unique_subject = no # yes改为no
再次执行:openssl ca -out mailcert.pem -infiles mailreq.pem
查看生成文件:ll /etc/pki/myca
-rw-r--r--. 1 root root 4291 12月 2 14:08 cacert.pem #根证书
-rw-r--r--. 1 root root 4430 12月 2 14:11 mailcert.pem #公钥
-r--------. 1 root root 1704 12月 2 14:09 mailkey.pem #私钥
-rw-r--r--. 1 root root 997 12月 2 14:09 mailreq.pem #CSR文件
配置postfix
添加main.cf配置
#vim /etc/postfix/main.cf
在末尾加入下面配置
# Postfix作为SMTP服务端的TLS配置
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/pki/myca/mailkey.pem
smtpd_tls_cert_file = /etc/pki/myca/mailcert.pem
smtpd_tls_CAfile = /etc/pki/myca/cacert.pem
# smtpd_tls_security_level = encrypt
# 表示强制使用TLS加密,不建议,会导致丢失courier-authlib认证
smtpd_tls_security_level = may
smtpd_tls_received_header = yes
smtpd_enforce_tls = yes
smtpd_tls_loglevel = 2
# Postfix作为SMTP客户端的TLS配置
smtp_use_tls = yes
smtp_tls_key_file = /etc/pki/myca/mailkey.pem
smtp_tls_cert_file = /etc/pki/myca/mailcert.pem
smtp_tls_CAfile = /etc/pki/myca/cacert.pem
#smtp_tls_policy_maps = hash:/etc/postfix/tls_policy_maps
#TLS限制策略,有需要的百度下如何设置
开启smtps
#vim /etc/postfix/master.cf
打开下面的注释
smtps inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
重新加载postfix并查看结果
# service postfix reload
# netstat -tnlp|grep 465
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 64222/master
tcp 0 0 :::465 :::* LISTEN 64222/master
注意防火墙
根据自身系统,添加放行规则
检查当前smtp是否支持TLS
使用telnet命令,访问25端口
# telnet localhsot 25
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.某域名.com ESMTP Jobkoo mail system (version:1.0)
ehlo mail.xxx.com # 这里随便输入欢迎语
250-mail.某域名.cn
250-PIPELINING
250-SIZE 20000000
250-VRFY
250-ETRN
250-STARTTLS # 这里很关键
250-AUTH PLAIN LOGIN # 如果没有出现这两行
250-AUTH=PLAIN LOGIN # 修改smtpd_tls_security_level = may不强制使用TLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
starttls # 输入TLS命令
220 2.0.0 Ready to start TLS# 出现这行表示成功
如上面的output,若是有STARTTLS,则说明postfix支持TLS,否则可能需要重装。
↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ 重装请看分割线以下的内容 ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓
使用源码安装
源码可以自行百度Postfix下载,版本均可
解压之后,执行如下命令:
make makefiles 'CCARGS=-DHAS_MYSQL -I/usr/local/mysql/include/mysql -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/local/include/sasl -DUSE_TLS ' 'AUXLIBS=-L/usr/local/mysql/lib -lmysqlclient -lz -lm -L/usr/lib/sasl2 -lsasl2 -lssl -lcrypto'
释义
- CCARGS:指明头文件位置
- -DHAS_MYSQL:指定启用mysql的连接能
- -I/usr/local/mysql/include/mysql:指定mysql的头文件位置
- -DUSE_SASL_AUTH启用SASL认证
- -I/usr/local/include/sasl:指定SASL头文件位置
- -DUSE_TLS:使SMTP支持smtps协议(就是缺少这个)
- AUXLIBS:指定库文件位置
- -L/usr/local/mysql/lib:指定MySQL库文件位置
- -lmysqlclient:指定MySQL客户端库文件
- -lz:压缩库文件
- -lm:模块库文件
- -lssl:ssl的库文件
接着执行:make && make install
若编译失败,尝试安装一下lib:
yum -y install openssl-devel
yum install db*-devel