邮件系列3 --- 安全传输
[root@mail ~]# cd /etc/pki/CA/
[root@mail CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..............................................................................+++
......................................+++
e is 65537 (0x10001)
[root@mail CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 36560
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GUANGDONG
Locality Name (eg, city) [Default City]:SHENZHENG
Organization Name (eg, company) [Default Company Ltd]:deo
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:ca.deo.com
Email Address []:caadmin@deo.com
[root@mail CA]# mkdir /etc/dovecot/ssl
[root@mail CA]# cd /etc/dovecot/ssl/
[root@mail ssl]# (umask 077;openssl genrsa 1024 > dovecot.key)
Generating RSA private key, 1024 bit long modulus
..++++++
..........................++++++
e is 65537 (0x10001)
[root@mail CA]# touch index.txt
[root@mail CA]# echo 01 > serial
[root@mail ssl]# openssl req -new -key dovecot.key -out dovecot.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GUANGDONG
Locality Name (eg, city) [Default City]:SHENZHENG
Organization Name (eg, company) [Default Company Ltd]:deo
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:ca.deo.com
Email Address []:caadmin.deo.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@mail ssl]# openssl ca -in dovecot.csr -out dovecot.crt -days 36560
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jul 10 13:54:10 2018 GMT
Not After : Aug 15 13:54:10 2118 GMT
Subject:
countryName = CN
stateOrProvinceName = GUANGDONG
organizationName = deo
organizationalUnitName = Tech
commonName = ca.deo.com
emailAddress = caadmin.deo.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
2D:93:84:20:03:F2:06:1D:32:75:C9:E1:A6:9E:5B:2F:6E:52:84:DF
X509v3 Authority Key Identifier:
keyid:FD:F0:C5:B0:26:02:1A:13:EE:01:39:4A:65:73:5F:E9:70:C2:F3:C5
Certificate is to be certified until Aug 15 13:54:10 2118 GMT (36560 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@mail ssl]# ll
total 12
-rw-r--r-- 1 root root 3841 Jul 10 21:54 dovecot.crt
-rw-r--r-- 1 root root 696 Jul 10 21:51 dovecot.csr
-rw------- 1 root root 887 Jul 10 21:48 dovecot.key
[root@mail ssl]# vim /etc/dovecot/dovecot.conf
protocols = imap pop3 pop3s
[root@mail ssl]# vim /etc/dovecot/conf.d/10-ssl.conf
ssl = yes
ssl_cert = </etc/dovecot/ssl/dovecot.crt
ssl_key = </etc/dovecot/ssl/dovecot.key
连接测试
[root@mail ssl]# openssl s_client -connect mail.deo.com:995 CONNECTED(00000003) depth=0 C = CN, ST = GUANGDONG, O = deo, OU = Tech, CN = ca.deo.com, emailAddress = caadmin.deo.com verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 C = CN, ST = GUANGDONG, O = deo, OU = Tech, CN = ca.deo.com, emailAddress = caadmin.deo.com verify error:num=27:certificate not trusted verify return:1 depth=0 C = CN, ST = GUANGDONG, O = deo, OU = Tech, CN = ca.deo.com, emailAddress = caadmin.deo.com verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:/C=CN/ST=GUANGDONG/O=deo/OU=Tech/CN=ca.deo.com/emailAddress=caadmin.deo.com i:/C=CN/ST=GUANGDONG/L=SHENZHENG/O=deo/OU=Tech/CN=ca.deo.com/emailAddress=caadmin@deo.com --- Server certificate -----BEGIN CERTIFICATE----- MIIDbzCCAlegAwIBAgIBATANBgkqhkiG9w0BAQUFADCBhzELMAkGA1UEBhMCQ04x EjAQBgNVBAgMCUdVQU5HRE9ORzESMBAGA1UEBwwJU0hFTlpIRU5HMQwwCgYDVQQK DANkZW8xDTALBgNVBAsMBFRlY2gxEzARBgNVBAMMCmNhLmRlby5jb20xHjAcBgkq hkiG9w0BCQEWD2NhYWRtaW5AZGVvLmNvbTAgFw0xODA3MTAxMzU0MTBaGA8yMTE4 MDgxNTEzNTQxMFowczELMAkGA1UEBhMCQ04xEjAQBgNVBAgMCUdVQU5HRE9ORzEM MAoGA1UECgwDZGVvMQ0wCwYDVQQLDARUZWNoMRMwEQYDVQQDDApjYS5kZW8uY29t MR4wHAYJKoZIhvcNAQkBFg9jYWFkbWluLmRlby5jb20wgZ8wDQYJKoZIhvcNAQEB BQADgY0AMIGJAoGBAJ0DoNfRTWpU6cS0wcb8+qAW70SkgSoaxwcg9z90VaH6JGw1 fRiAmmYYHkQ7LboLpBh5twrPbRSKne49/Miz5lMtL95D90SSPKwsiGu7R7GDB9OV qsF1Dqnj9NF0Y1Gwaf00GwkOrx6DLf2Qbp94Bk4KN1Ot0h0en6smdpwwLg2NAgMB AAGjezB5MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJh dGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBQtk4QgA/IGHTJ1yeGmnlsvblKE3zAf BgNVHSMEGDAWgBT98MWwJgIaE+4BOUplc1/pcMLzxTANBgkqhkiG9w0BAQUFAAOC AQEAkrOK8MtXYvcfb/trjObIO2L063TTwGjKuvu+hyfp0PMBuvAxQciZo2kinveJ z/9S/Q/75AysFFxP6ZFxTpqtsHaA0Bk2Kr6Hy+JzKP5K7JU4lLlx6OMVi/0156yB 9LLBLK+M5EMyu8tPtjq5Z0JMRFty8eFTOx6/IIfF3192YrpVa8rFLyQT8fUZNt6g p2uZoguRgSs5DAqgYZjQ8+GbrlWmRiEfb9F7Q+LWT1K4eOuZIDNejUAY6wgTBGsa 
HAbvjaohrjf7Smhr4EgA8Johi7hjyB2g7+iSdd4Jfnq1xP0hxHi/EPY61CVd7RJ6 HWJmLEVdkEjRM2VVI6tQ4EIL8Q== -----END CERTIFICATE----- subject=/C=CN/ST=GUANGDONG/O=deo/OU=Tech/CN=ca.deo.com/emailAddress=caadmin.deo.com issuer=/C=CN/ST=GUANGDONG/L=SHENZHENG/O=deo/OU=Tech/CN=ca.deo.com/emailAddress=caadmin@deo.com --- No client certificate CA names sent Server Temp Key: DH, 1024 bits --- SSL handshake has read 1600 bytes and written 437 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384 Server public key is 1024 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher : DHE-RSA-AES256-GCM-SHA384 Session-ID: 741F66C28D72CA6E2CA3DBCEA7DC26AFFB282330B07DFBC6900ED4710AE58055 Session-ID-ctx: Master-Key: CC95160B5BF3915EF8C1CA04F29AB4A0ECC392D4C7F1B70EC852BCD1989953DD8D89D562BE9B8C0E0007F9413D15566E Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: 0000 - 5f a9 b2 2c 89 30 0c 5d-08 3f 0c 79 c4 03 2b 96 _..,.0.].?.y..+. 0010 - ea 72 ab 3a 05 eb b7 6b-e8 7e e5 46 c4 72 d0 aa .r.:...k.~.F.r.. 0020 - fc 31 fc 5f ad f4 0d 10-dd 5c 86 21 63 59 be 31 .1._.....\.!cY.1 0030 - d6 44 a2 88 37 b6 0c da-6d d6 9a bc a2 0a 1a 78 .D..7...m......x 0040 - 3b 60 ef a5 24 4e 18 76-57 d4 06 21 f3 da 50 5b ;`..$N.vW..!..P[ 0050 - c2 b2 51 dc 93 69 e7 b3-b7 7b c0 3f 6e ad b4 dc ..Q..i...{.?n... 0060 - 05 88 92 eb cc cd a3 53-2b ad a6 6f a7 74 c1 05 .......S+..o.t.. 0070 - c3 23 87 2e c6 4c 64 be-ed 81 c3 a0 23 0e fa 83 .#...Ld.....#... 0080 - f6 74 d1 90 ea 8a 01 4f-30 a1 74 71 71 ab d6 23 .t.....O0.tqq..# 0090 - b3 23 39 ad be bd 92 46-f8 39 73 6a c3 d1 d3 ab .#9....F.9sj.... Start Time: 1531231854 Timeout : 300 (sec) Verify return code: 21 (unable to verify the first certificate) --- +OK Dovecot ready. USER b1@deo.com +OK PASS 123456 +OK Logged in. LIST +OK 4 messages: 1 624 2 2499 3 2770 4 2770 . quit +OK Logging out. closed [root@mail ssl]#
能接收邮件说明 TLS 已生效（握手成功：Protocol : TLSv1.2，Cipher : DHE-RSA-AES256-GCM-SHA384）。但要注意上面 s_client 输出里的 Verify return code: 21 (unable to verify the first certificate)：一是测试时没有用 -CAfile /etc/pki/CA/cacert.pem 指定自签 CA，所以无法验证签发者；二是这张服务器证书的 CN 是 ca.deo.com，而客户端连接的是 mail.deo.com，做主机名校验的邮件客户端仍会提示证书不匹配。另外服务器密钥只有 1024 位（Server public key is 1024 bit），建议与 CA 一样使用 2048 位。
smtp 配置安全认证
[root@mail ~]# vim /etc/postfix/main.cf
smtputf8_enable = no
########################################cyrus-sasl#################################################
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_invalid_hostname,reject_non_fqdn_hostname,reject_unknown_sender_domain,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unauth_pipelining,reject_unauth_destination
smtpd_sasl_auth_enable = yes
#smtpd_sasl_local_domain = ''
smtpd_sasl_local_domain = $myhostname
smtpd_client_restrictions = permit_sasl_authenticated
smtpd_sasl_security_options = noanonymous
smtpd_sasl_path = smtpd
#smtpd_sasl_type = cyrus
#smtpd_sasl_path = smtpd
smtpd_banner = Welcome to our $myhostname ESMTP,Warning: Version not Available!
###############################ssl##################################
smtpd_use_tls = yes #Postfix作为SMTP服务端的TLS配置
smtpd_tls_auth_only = no
smtpd_sasl_type = cyrus
smtpd_tls_security_level = may
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_starttls_timeout = 60s
smtpd_helo_required = yes
smtpd_delay_reject = yes
disable_vrfy_command = yes
smtpd_tls_cert_file = /etc/dovecot/ssl/dovecot.crt
smtpd_tls_key_file = /etc/dovecot/ssl/dovecot.key
smtp_use_tls = yes #Postfix作为SMTP客户端的TLS配置
smtp_tls_cert_file = /etc/dovecot/ssl/dovecot.crt
smtp_tls_key_file = /etc/dovecot/ssl/dovecot.key
[root@mail ~]# vim /etc/postfix/master.cf
smtps inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
发送测试邮件验证（注意：上面 main.cf 里 smtpd_tls_auth_only = no 且 smtpd_tls_security_level = may，客户端在 25 端口上仍可以不做 STARTTLS 就明文发送 SASL 用户名和密码；如果要求先建立 TLS 再 AUTH，应改为 smtpd_tls_auth_only = yes。）
发往外网邮箱测试