说明:Courier-IMAP用于实现 pop3、imap 接收邮件功能,支持TLS安全传输;
SMTP同样可以支持TLS安全传输,本文最后将列出配置;
Transport Layer Security (TLS, 原名SSL),能以加密技术来保证TCP通信的私密性(信息不外泄)与完整性。
一、实现POP3、IMAP基本功能
1、安装Courier-IMAP
[root@mail ~]# cd /usr/local/src [root@mail src]# wget http://ncu.dl.sourceforge.net/project/courier/imap/4.15.1/courier-imap-4.15.1.tar.bz2 [root@mail src]# tar -jxf courier-imap-4.15.1.tar.bz2 [root@mail src]# cd courier-imap-4.15.1 [root@mail courier-imap-4.15.1]# ./configure --enable-workarounds-for-imap-client-bugs --with-authchangepwdir --enable-unicode --with-trashquota --disable-root-check [root@mail courier-imap-4.15.1]# make [root@mail courier-imap-4.15.1]# make install [root@mail courier-imap-4.15.1]# make install-configure
查看安装说明:
[root@mail courier-imap-4.15.1]# more INSTALL
软件包已上传到以下链接:
http://down.51cto.com/data/1955875
2、启动程序
[root@mail courier-imap-4.15.1]# cd /usr/lib/courier-imap/ [root@mail courier-imap]# /usr/lib/courier-imap/libexec/imapd.rc start [root@mail courier-imap]# echo "/usr/lib/courier-imap/libexec/imapd.rc start" >> /etc/rc.local [root@mail courier-imap]# ps aux|grep imapd root 46134 0.0 0.0 4068 340 ? S 16:41 0:00 /usr/local/sbin/courierlogger -pid=/var/run/imapd.pid -start -name=imapd /usr/lib/courier-imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 143 /usr/lib/courier-imap/sbin/imaplogin /usr/lib/courier-imap/bin/imapd Maildir root 46135 0.1 0.0 8280 636 ? S 16:41 0:00 /usr/lib/courier-imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 143 /usr/lib/courier-imap/sbin/imaplogin /usr/lib/courier-imap/bin/imapd Maildir root 46137 0.0 0.0 103256 848 pts/1 S+ 16:41 0:00 grep imapd [root@mail courier-imap]# netstat -tnlp|grep 143 tcp6 0 0 :::143 :::* LISTEN 32666/couriertcpd
[root@mail courier-imap]# /usr/lib/courier-imap/libexec/pop3d.rc start [root@mail courier-imap]# echo "/usr/lib/courier-imap/libexec/pop3d.rc start" >> /etc/rc.local [root@mail courier-imap]# ps aux|grep pop3d root 46149 0.0 0.0 4068 344 ? S 16:42 0:00 /usr/local/sbin/courierlogger -pid=/var/run/pop3d.pid -start -name=pop3d /usr/lib/courier-imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 110 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir root 46150 0.0 0.0 8280 632 ? S 16:42 0:00 /usr/lib/courier-imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 110 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir root 46155 0.0 0.0 103256 848 pts/1 S+ 16:42 0:00 grep pop3d [root@mail courier-imap]# netstat -tnlp|grep 110 tcp6 0 0 :::110 :::* LISTEN 32761/couriertcpd
说明:以上分别启动了pop3d和imapd服务,端口使用110和143,通常在设置邮箱客户端(outlook等)时可以看到默认设置的端口号就是这两个。
3、设置imapd、pop3为启用状态
[root@mail courier-imap]# sed -i 's/IMAPDSTART=NO/IMAPDSTART=YES/g' etc/imapd [root@mail courier-imap]# sed -i 's/POP3DSTART=NO/POP3DSTART=YES/g' etc/pop3d
4、设置防火墙
[root@mail ~]# iptables -I INPUT -p tcp -m multiport --dport 110,143 -j ACCEPT [root@mail ~]# service iptables save
5、测试端口连接
[root@mail courier-imap]# telnet localhost 110 Trying ::1... Connected to localhost. Escape character is '^]'. +OK Hello there. user [email protected] #输入用户账号 +OK Password required. pass extmail #输入用户密码 +OK logged in. list #显示邮件列表 +OK POP3 clients that break here, they violate STD53. 1 6 2 716 3 923 4 1197 . quit #退出 +OK Bye-bye. Connection closed by foreign host.
[root@mail courier-imap]# telnet localhost 143 Trying ::1... Connected to localhost. Escape character is '^]'. * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2011 Double Precision, Inc. See COPYING for distribution information. tag login [email protected] extmail #输入登陆账号、密码 tag OK LOGIN Ok. #显示登陆成功 tag logout #退出 * BYE Courier-IMAP server shutting down tag OK LOGOUT completed Connection closed by foreign host.
说明:POP3和IMAP功能正常
二、增加SSL支持
1、安装OpenSSL
安装httpd时已自动安装上了OpenSSL:
[root@mail courier-imap]# rpm -aq|grep openssl openssl-1.0.1e-30.el6_6.4.x86_64 openssl-devel-1.0.1e-30.el6_6.4.x86_64
2、配置Courier-IMAP支持SSL
[root@mail courier-imap]# sed -i 's/IMAPDSSLSTART=NO/IMAPDSSLSTART=YES/g' etc/imapd-ssl [root@mail courier-imap]# sed -i 's/POP3DSSLSTART=NO/POP3DSSLSTART=YES/g' etc/pop3d-ssl
3、启动Courier-IMAP的ssl程序
[root@mail courier-imap]# /usr/lib/courier-imap/libexec/imapd-ssl.rc start [root@mail courier-imap]# /usr/lib/courier-imap/libexec/pop3d-ssl.rc start [root@mail courier-imap]# echo "/usr/lib/courier-imap/libexec/imapd-ssl.rc start" >> /etc/rc.local [root@mail courier-imap]# echo "/usr/lib/courier-imap/libexec/pop3d-ssl.rc start" >> /etc/rc.local [root@mail courier-imap]# netstat -tlnp |grep 99 tcp 0 0 :::993 :::* LISTEN 46228/couriertcpd tcp 0 0 :::995 :::* LISTEN 46236/couriertcpd
说明:POP3-SSL使用995端口,IMAP-SSL使用993端口
4、创建证书
(1)创建IMAP证书文件:
[root@mail courier-imap]# /usr/lib/courier-imap/share/mkimapdcert Generating a 4096 bit RSA private key ......................++ ..........................++ writing new private key to '/usr/lib/courier-imap/share/imapd.pem' ----- subject= /C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/[email protected] notBefore=Nov 27 06:15:20 2014 GMT notAfter=Nov 27 06:15:20 2015 GMT SHA1 Fingerprint=B8:E2:AC:54:27:90:BA:20:33:92:89:DE:AB:EA:1B:2D:DC:11:8A:37
(2)创建POP3证书文件:
[root@mail courier-imap]# /usr/lib/courier-imap/share/mkpop3dcert Generating a 4096 bit RSA private key .......................................++ ......................................++ writing new private key to '/usr/lib/courier-imap/share/pop3d.pem' ----- subject= /C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated POP3 SSL key/CN=localhost/[email protected] notBefore=Nov 27 06:22:05 2014 GMT notAfter=Nov 27 06:22:05 2015 GMT SHA1 Fingerprint=48:21:D9:4D:DE:A7:64:7F:CD:A0:68:79:E4:2A:2F:59:62:BE:9D:E6
(3)创建DH参数集文件:
[root@mail courier-imap]# /usr/lib/courier-imap/share/mkdhparams 512 semi-random bytes loaded Generating DH parameters, 768 bit long safe prime, generator 2 This is going to take a long time ..............++*++*++*++*
(4)查看证书文件和DH参数集文件:
[root@mail courier-imap]# ls /usr/lib/courier-imap/share/ dhparams.pem imapd.pem pop3d.pem
5、加密连接
添加一个月计划任务,运行mkdhparams,以定期生成一个新的DH参数集,用于设置加密连接:
[root@mail courier-imap]# crontab -e 0 0 1 1 * /usr/lib/courier-imap/share/mkdhparams
6、设置防火墙
[root@mail ~]# iptables -I INPUT -p tcp -m multiport --dport 993,995 -j ACCEPT [root@mail ~]# service iptables save
7、测试pop3d-ssl
在客户端PC(或者本地DNS服务器)设置本地解析:
C:\Windows\System32\drivers\etc\hosts 10.188.1.83 pop3.yourmail.com 10.188.1.83 smtp.yourmail.com 10.188.1.83 imap.yourmail.com 10.188.1.83 mail.yourmail.com
在Foxmail邮箱客户端添加test账号,选择POP3类型,勾上SSL端口995,SMTP保持默认25端口
给test自己发送一封邮件并接收,成功表示pop3d-ssl成功
查看日志:
[root@mail courier-imap]# tailf /var/log/maillog Dec 2 09:10:02 mail postfix/smtpd[4051]: connect from unknown[10.188.1.172] Dec 2 09:10:02 mail postfix/smtpd[4051]: 583221A1BCC: client=unknown[10.188.1.172], sasl_method=LOGIN, [email protected] Dec 2 09:10:02 mail postfix/cleanup[4061]: 583221A1BCC: message-id=<[email protected]> Dec 2 09:10:02 mail postfix/qmgr[64225]: 583221A1BCC: from=<[email protected]>, size=1470, nrcpt=1 (queue active) Dec 2 09:10:02 mail postfix/smtpd[4051]: disconnect from unknown[10.188.1.172] Dec 2 09:10:02 mail postfix/pipe[4063]: 583221A1BCC: to=<[email protected]>, relay=maildrop, delay=0.16, delays=0.11/0.02/0/0.03, dsn=2.0.0, status=sent (delivered via maildrop service) Dec 2 09:10:02 mail postfix/qmgr[64225]: 583221A1BCC: removed Dec 2 09:10:04 mail pop3d-ssl: Connection, ip=[::ffff:10.188.1.172] Dec 2 09:10:04 mail pop3d-ssl: LOGIN, [email protected], ip=[::ffff:10.188.1.172], port=[50258] Dec 2 09:10:04 mail pop3d-ssl: LOGOUT, [email protected], ip=[::ffff:10.188.1.172], port=[50258], top=0, retr=1497, rcvd=32, sent=1769, time=0, stls=1
说明:邮件发送仍然使用SMTP的25端口,邮件接收可以看到使用的是pop3d-ssl进行的连接。
查看邮件头:
8、测试imap-ssl
在Foxmail邮箱客户端添加test账号,选择IMAP类型,勾上SSL 端口993,SMTP保持默认25端口
给test自己发送一封邮件并接收,成功表示imap-ssl成功
查看日志:
[root@mail courier-imap]# tailf /var/log/maillog Dec 2 09:54:34 mail postfix/smtpd[4206]: connect from unknown[10.188.1.172] Dec 2 09:54:34 mail postfix/smtpd[4206]: 8F37D1A1BAC: client=unknown[10.188.1.172], sasl_method=LOGIN, [email protected] Dec 2 09:54:34 mail postfix/cleanup[4216]: 8F37D1A1BAC: message-id=<[email protected]> Dec 2 09:54:34 mail postfix/qmgr[64225]: 8F37D1A1BAC: from=<[email protected]>, size=1516, nrcpt=1 (queue active) Dec 2 09:54:34 mail postfix/smtpd[4206]: disconnect from unknown[10.188.1.172] Dec 2 09:54:34 mail postfix/pipe[4218]: 8F37D1A1BAC: to=<[email protected]>, relay=maildrop, delay=0.18, delays=0.11/0.01/0/0.06, dsn=2.0.0, status=sent (delivered via maildrop service) Dec 2 09:54:34 mail postfix/qmgr[64225]: 8F37D1A1BAC: removed Dec 2 09:55:47 mail imapd-ssl: Connection, ip=[::ffff:10.188.1.172] Dec 2 09:55:47 mail imapd-ssl: LOGIN, [email protected], ip=[::ffff:10.188.1.172], port=[52061], protocol=IMAP
说明:可以看到邮件接收使用的是imapd-ssl。
问题:日志出中现错误
[root@mail ~]# tail /var/log/httpd/ssl_error.log
Prototype mismatch: sub Encode::IMAPUTF7::decode ($$;$) vs none at /var/www/extsuite/extman/libs/Encode/IMAPUTF7.pm line 76
/var/www/extsuite/extman/libs/Encode/IMAPUTF7.pm
解决:将“no warnings 'redefine';^M”那一行修改成“no warnings;”或“no warnings qw(prototype redefine);”
三、配置Postfix(SMTP)支持SSL
参考:
http://www.postfix.org/TLS_README.html
1、安装OpenSSL-Perl
[root@mail ~]# rpm -aq|grep openssl openssl-1.0.1e-30.el6_6.4.x86_64 openssl-devel-1.0.1e-30.el6_6.4.x86_64 [root@mail ~]# yum install -y openssl-perl
会在/etc/pki/tls/misc/目录下生成CA.pl脚本,
让你可以自己开设 CA,自己签署自己的证书。
2、生成服务器根证书
[root@mail ~]# cd /etc/pki/tls/misc/ [root@mail misc]# ./CA.pl -newca CA certificate filename (or enter to create) #按回车开始 #在下面的设置过程中,输错了可以按ctrl+backspce进行删除 Making CA certificate ... Generating a 2048 bit RSA private key ..............................+++ ................+++ writing new private key to '/etc/pki/CA/private/cakey.pem' Enter PEM pass phrase:123456 #输入密码,至少4个字符 Verifying - Enter PEM pass phrase:123456 #重复输入密码 ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN #输入国家 State or Province Name (full name) []:zhejiang #输入省份 Locality Name (eg, city) [Default City]:hangzhou #输入城市 Organization Name (eg, company) [Default Company Ltd]:yourmail #输入公司名 Organizational Unit Name (eg, section) []:it #输入部门名 Common Name (eg, your name or your server s hostname) []:root #输入你的名字或服务器名 Email Address []: #输入邮箱账号(可不填) Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: #输入证书请求密码(可不填) An optional company name []: #输入可选公司名(可不填) Using configuration from /etc/pki/tls/openssl.cnf Enter pass phrase for /etc/pki/CA/private/cakey.pem:123456 #输入前面设的密码123456 Check that the request matches the signature Signature ok Certificate Details: Serial Number: 14986867786496351857 (0xcffc0cd915dc1e71) Validity Not Before: Nov 28 02:06:59 2014 GMT Not After : Nov 27 02:06:59 2017 GMT Subject: countryName = CN stateOrProvinceName = zhejiang organizationName = yourmail organizationalUnitName = it commonName = root X509v3 extensions: X509v3 Subject Key Identifier: 12:6E:1A:A9:98:79:E1:A6:82:7E:A4:D8:FD:44:5D:57:FF:4B:46:69 X509v3 Authority Key Identifier: keyid:12:6E:1A:A9:98:79:E1:A6:82:7E:A4:D8:FD:44:5D:57:FF:4B:46:69 X509v3 Basic Constraints: CA:TRUE Certificate is to be certified until Nov 27 02:06:59 2017 GMT (1095 days) Write out database with 1 new entries Data Base Updated
说明:显示上面资料表示成功,否则失败;失败时删除cakey.pem后重新执行CA.pl:
[root@mail misc]# rm -f /etc/pki/CA/private/cakey.pem [root@mail misc]# ./CA.pl -newca
创建证书目录,将生成的根证书复制进去(也可以复制到/etc/postfix目录下):
[root@mail misc]# mkdir /etc/pki/myca [root@mail misc]# cp /etc/pki/CA/cacert.pem /etc/pki/myca
3、生成私钥和CSR证书签署请求文件
[root@mail misc]# cd /etc/pki/myca [root@mail myca]# openssl req -new -nodes -keyout mailkey.pem -out mailreq.pem -days 3650 Generating a 2048 bit RSA private key ...................................+++ ....................+++ writing new private key to 'mailkey.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:zhejiang Locality Name (eg, city) [Default City]:hangzhou Organization Name (eg, company) [Default Company Ltd]:yourmail Organizational Unit Name (eg, section) []:it Common Name (eg, your name or your server s hostname) []:root Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
参数说明:-new表示你想产生公私钥与CSR,-nodes表示不加密,-keyout指出私钥文件,
-out指出CSR文件的名称,-days指出证书的有效期限是10年。
查看生成的文件:
[root@mail myca]# ll 总用量 16 -rw-r--r--. 1 root root 4291 12月 2 14:08 cacert.pem #根证书 -rw-r--r--. 1 root root 1704 12月 2 14:09 mailkey.pem #私钥 -rw-r--r--. 1 root root 997 12月 2 14:09 mailreq.pem #CSR文件
修改私钥权限保证安全(只有root用户可读):
[root@mail myca]# chown root mailkey.pem [root@mail myca]# chmod 400 mailkey.pem
4、签署CSR文件
[root@mail myca]# openssl ca -out mailcert.pem -infiles mailreq.pem failed to update database TXT_DB error number 2
产生的原因是:证书的设置相同,导致subject值相同
解决方法:将"主题唯一"设为不必须
[root@mail myca]# vi /etc/pki/CA/index.txt.attr unique_subject = no
[root@mail myca]# openssl ca -out mailcert.pem -infiles mailreq.pem Using configuration from /etc/pki/tls/openssl.cnf Enter pass phrase for /etc/pki/CA/private/cakey.pem:123456 Check that the request matches the signature Signature ok Certificate Details: Serial Number: 14986867786496351859 (0xcffc0cd915dc1e73) Validity Not Before: Dec 2 05:27:44 2014 GMT Not After : Dec 2 05:27:44 2015 GMT Subject: #主题参数 countryName = CN stateOrProvinceName = zhejiang organizationName = yourmail organizationalUnitName = it commonName = root X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 17:71:C5:65:AA:7D:56:BF:3A:6F:9D:84:3B:E2:12:57:58:B6:32:04 X509v3 Authority Key Identifier: keyid:9C:7C:C0:ED:30:2A:FE:0C:E7:0D:C3:F8:9E:E0:35:41:8E:25:2C:48 Certificate is to be certified until Dev 2 05:27:44 2015 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
查看生成的文件:
[root@mail myca]# ll 总用量 24 -rw-r--r--. 1 root root 4291 12月 2 14:08 cacert.pem #根证书 -rw-r--r--. 1 root root 4430 12月 2 14:11 mailcert.pem #公钥 -r--------. 1 root root 1704 12月 2 14:09 mailkey.pem #私钥 -rw-r--r--. 1 root root 997 12月 2 14:09 mailreq.pem #CSR文件
5、配置postfix
[root@mail myca]# vi /etc/postfix/main.cf # Postfix作为SMTP服务端的TLS配置 smtpd_use_tls = yes smtpd_tls_key_file = /etc/pki/myca/mailkey.pem smtpd_tls_cert_file = /etc/pki/myca/mailcert.pem smtpd_tls_CAfile = /etc/pki/myca/cacert.pem # smtpd_tls_security_level = encrypt # 表示强制使用TLS加密,不建议,会导致丢失courier-authlib认证 smtpd_tls_security_level = may smtpd_tls_received_header = yes smtpd_enforce_tls = yes smtpd_tls_loglevel = 2 # Postfix作为SMTP客户端的TLS配置 smtp_use_tls = yes smtp_tls_key_file = /etc/pki/myca/mailkey.pem smtp_tls_cert_file = /etc/pki/myca/mailcert.pem smtp_tls_CAfile = /etc/pki/myca/cacert.pem #smtp_tls_policy_maps = hash:/etc/postfix/tls_policy_maps #TLS限制策略,有需要的百度下如何设置
[root@mail myca]# vi /etc/postfix/master.cf smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
[root@mail myca]# service postfix reload [root@mail myca]# netstat -tnlp|grep 465 tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 64222/master tcp 0 0 :::465 :::* LISTEN 64222/master
6、设置防火墙
[root@mail ~]# iptables -I INPUT -p tcp --dport 465 -j ACCEPT [root@mail ~]# service iptables save
7、本地端口测试
[root@mail ~]# telnet localhost 25 Trying ::1... Connected to localhost. Escape character is '^]'. 220 mail.eplantstore.com ESMTP Postfix - by eplantstore.com ehlo localhost #输入hello内容 250-mail.eplantstore.com 250-PIPELINING 250-SIZE 10485760 250-VRFY 250-ETRN 250-STARTTLS #表示TLS运行了 250-AUTH PLAIN LOGIN #如果没有出现这两行 250-AUTH=PLAIN LOGIN #修改smtpd_tls_security_level = may不强制使用TLS 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN starttls #输入TLS命令 220 2.0.0 Ready to start TLS #出现这行表示成功
查看日志:
[root@mail myca]# tailf /var/log/maillog Dec 2 14:42:21 mail postfix/smtpd[5315]: connect from localhost[::1] Dec 2 14:45:50 mail postfix/smtpd[5315]: setting up TLS connection from localhost[::1] Dec 2 14:45:50 mail postfix/smtpd[5315]: localhost[::1]: TLS cipher list "ALL:+RC4:@STRENGTH" Dec 2 14:45:50 mail postfix/smtpd[5315]: SSL_accept:before/accept initialization
8、客户端发送邮件测试
在Foxmail邮箱客户端修改test账号,勾上SMTP的SSL:465
给test自己发送一封邮件,查看日志:
[root@mail myca]# tailf /var/log/maillog Dec 2 14:18:45 mail postfix/smtpd[5103]: initializing the server-side TLS engine Dec 2 14:18:45 mail postfix/smtpd[5103]: connect from unknown[10.188.1.172] Dec 2 14:18:45 mail postfix/smtpd[5103]: setting up TLS connection from unknown[10.188.1.172] Dec 2 14:18:45 mail postfix/smtpd[5103]: unknown[10.188.1.172]: TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH" Dec 2 14:18:45 mail postfix/smtpd[5103]: SSL_accept:before/accept initialization Dec 2 14:18:45 mail postfix/smtpd[5103]: SSL_accept:SSLv3 read client hello A Dec 2 14:18:45 mail postfix/smtpd[5103]: SSL_accept:SSLv3 write server hello A Dec 2 14:18:45 mail postfix/smtpd[5103]: SSL_accept:SSLv3 write certificate A Dec 2 14:18:45 mail postfix/smtpd[5103]: SSL_accept:SSLv3 write key exchange A Dec 2 14:18:45 mail postfix/smtpd[5103]: SSL_accept:SSLv3 write server done A Dec 2 14:18:45 mail postfix/smtpd[5103]: SSL_accept:SSLv3 flush data Dec 2 14:18:45 mail postfix/smtpd[5103]: SSL_accept:SSLv3 read client key exchange A Dec 2 14:18:45 mail postfix/smtpd[5103]: SSL_accept:SSLv3 read finished A Dec 2 14:18:45 mail postfix/smtpd[5103]: SSL_accept:SSLv3 write change cipher spec A Dec 2 14:18:45 mail postfix/smtpd[5103]: SSL_accept:SSLv3 write finished A Dec 2 14:18:45 mail postfix/smtpd[5103]: SSL_accept:SSLv3 flush data Dec 2 14:18:45 mail postfix/smtpd[5103]: Anonymous TLS connection established from unknown[10.188.1.172]: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits) Dec 2 14:18:45 mail postfix/smtpd[5103]: 9B5791A1BCE: client=unknown[10.188.1.172], sasl_method=LOGIN, [email protected] Dec 2 14:18:45 mail postfix/cleanup[5113]: 9B5791A1BCE: message-id=<[email protected]> Dec 2 14:18:45 mail postfix/qmgr[5059]: 9B5791A1BCE: from=<[email protected]>, size=1578, nrcpt=1 (queue active) Dec 2 14:18:45 mail postfix/pipe[5115]: 9B5791A1BCE: to=<[email protected]>, relay=maildrop, delay=0.18, delays=0.12/0.02/0/0.04, dsn=2.0.0, status=sent (delivered via maildrop service) Dec 2 14:18:45 mail postfix/qmgr[5059]: 9B5791A1BCE: removed
接收下邮件,查看邮件头信息;
结论:Postfix成功支持TLS发送邮件。