

  1. Case 1: OpenSSL and certificate services
  2. Case 2: TLS/SSL-encrypted mail communication

1 Case 1: OpenSSL and certificate services

1.1 Problem


  1. Encrypt and decrypt a file with OpenSSL
  2. Set up the company's own CA server as the basis for issuing digital certificates

1.2 Solution


1.3 Steps




Create a plaintext text file f1.txt and encrypt it with openssl using the des3 algorithm, writing the encrypted output to f1.txt.enc.

  [root@svr7 ~]# rpm -qi openssl > f1.txt                 //create a plaintext test file
  [root@svr7 ~]# head -2 f1.txt
  Name        : openssl                      Relocations: (not relocatable)
  Version     : 1.0.0                             Vendor: Red Hat, Inc.
  [root@svr7 ~]# openssl enc -des3 -e -in f1.txt -out f1.txt.enc
  enter des-ede3-cbc encryption password:                  //set a password
  Verifying - enter des-ede3-cbc encryption password:      //enter the same password again
  [root@svr7 ~]# file f1.txt*
  f1.txt:     UTF-8 Unicode English text
  f1.txt.enc: data                                      //after encryption the file is no longer ASCII text



  [root@svr7 ~]# head -2 f1.txt.enc
  Salted__▒▒▒▒C̏▒x▒6Q▒
  .O▒l▒g▒)▒▒▒{▒▒G▒▒t▒▒!▒▒▒Cc0▒▒▒c▒V▒Dp▒▒9▒▒▒[▒▒▒X▒f▒ڍ▒j@▒▒▒▒▒▒▒=@▒.ɮP▒1e▒▒▒"M`▒W▒=▒▒▒-a,▒▒j7▒M▒▒b▒+▒▒   0▒▒▒k▒▒z▒Zʢ
  [root@svr7 ~]# openssl enc -des3 -d -in f1.txt.enc -out f1-new.txt
  enter des-ede3-cbc decryption password:                  //enter the decryption password
  [root@svr7 ~]# head -2 f1-new.txt                      //view the decrypted text
  Name        : openssl                      Relocations: (not relocatable)
  Version     : 1.0.0                             Vendor: Red Hat, Inc.
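The same round trip as above, as an added example that is not part of the original tutorial: it runs `openssl enc` non-interactively, checks the on-disk header, and contrasts the tutorial's des3 call with AES-256-CBC plus PBKDF2. The passphrase file, the sample content and the assumption of an openssl CLI of version 1.1.1 or later (for -pbkdf2) are mine.

```shell
#!/bin/sh
# Added example (not from the original tutorial): repeat the tutorial's
# `openssl enc` round trip without interactive prompts, check the file
# format, and contrast the des3 form with AES-256-CBC plus PBKDF2.
# Assumes the openssl CLI (1.1.1 or later, for -pbkdf2) is on PATH.
set -e

# roundtrip <cipher> [extra openssl enc options]
# Encrypts a constructed f1.txt, checks the "Salted__" header, decrypts it
# again and compares; returns 0 only when the plaintext survives intact.
roundtrip() {
    cipher=$1; shift
    work=$(mktemp -d)
    # Constructed stand-ins for `rpm -qi openssl > f1.txt` and the typed passphrase.
    printf 'Name        : openssl\nVersion     : 1.0.0\n' > "$work/f1.txt"
    printf 'correct horse battery staple\n' > "$work/pass"
    chmod 600 "$work/pass"
    # -pass file: keeps the passphrase out of argv, `ps` output and shell history.
    openssl enc "-$cipher" -e "$@" -in "$work/f1.txt" -out "$work/f1.txt.enc" \
        -pass "file:$work/pass"
    # The salted format is the 8-byte magic "Salted__", the 8-byte salt, then ciphertext;
    # that is why the tutorial's `head` shows "Salted__" followed by binary noise.
    if [ "$(head -c 8 "$work/f1.txt.enc")" != "Salted__" ]; then rm -rf "$work"; return 1; fi
    openssl enc "-$cipher" -d "$@" -in "$work/f1.txt.enc" -out "$work/f1-new.txt" \
        -pass "file:$work/pass"
    if cmp -s "$work/f1.txt" "$work/f1-new.txt"; then rc=0; else rc=1; fi
    rm -rf "$work"
    return $rc
}

# Same call as the tutorial (des3 with the legacy single-iteration key derivation)...
roundtrip des3
# ...and the form to prefer today: AES-256 with a salted, iterated PBKDF2 key derivation.
roundtrip aes-256-cbc -pbkdf2 -iter 100000
```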




  [root@svr7 ~]# vim /etc/pki/tls/openssl.cnf
  .. ..
  [ CA_default ]
  dir             = /etc/pki/CA                  //default directory for CA files
  certs           = $dir/certs                  //where certificates issued to users are stored
  crl_dir         = $dir/crl                  //where certificate revocation list (CRL) files are stored
  database        = $dir/index.txt              //certificate database index file, must be created by hand
  certificate     = $dir/my-ca.crt              //the CA server's root certificate
  serial          = $dir/serial                  //serial number file, must be created by hand
  .. ..
  private_key     = $dir/private/my-ca.key      //the CA server's private key
  [ req_distinguished_name ]              //identifying information for certificate requests
  countryName                     = Country Name (2 letter code)
  countryName_default             = CN                          //country code
  stateOrProvinceName             = State or Province Name (full name)
  stateOrProvinceName_default     = Beijing                      //province
  localityName                    = Locality Name (eg, city)
  localityName_default    = Beijing                              //city
  0.organizationName              = Organization Name (eg, company)
  0.organizationName_default      = Tedu Technology Ltd      //organization


  [root@svr7 ~]# cd /etc/pki/CA
  [root@svr7 CA]# touch index.txt                      //create the database index file
  [root@svr7 CA]# echo 01 > serial                      //create the serial number file



  [root@svr7 ~]# cd /etc/pki/CA/private
  [root@svr7 private]# openssl genrsa -des3 2048 > my-ca.key
  Generating RSA private key, 2048 bit long modulus
  ...............................+++
  ............+++
  e is 65537 (0x10001)
  Enter pass phrase:                                  //set a passphrase for the private key
  Verifying - Enter pass phrase:                      //enter the same passphrase again
  [root@svr7 private]# chmod  600  my-ca.key
  [root@svr7 private]# ls  -l  my-ca.key
  -rw-------. 1 root root 1751 8   6 14:12 my-ca.key



  [root@svr7 private]# openssl req \
  > -new -x509 -key my-ca.key -days 365 > ../my-ca.crt
  Enter pass phrase for my-ca.key:                      //verify the private key passphrase
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [CN]:
  State or Province Name (full name) [Beijing]:
  Locality Name (eg, city) [Beijing]:
  Organization Name (eg, company) [Tedu Technology Ltd]:
  Organizational Unit Name (eg, section) []:
  Common Name (eg, your name or your server's hostname) []:Tedu CA Server
  Email Address []:zengye@tedu.cn



  [root@svr7 private]# mkdir /var/www/html/certs/
  [root@svr7 private]# cp  ../my-ca.crt  /var/www/html/certs/TARENA-CA.CRT
  [root@svr7 private]# service httpd start
  正在启动 httpdhttpd: Could not reliably determine the server's fully qualified domain name, using svr7.tedu.cn for ServerName
  [确定]


  [root@pc207 ~]# wget
  .. ..
  2017-08-17 23:36:51 (49.5 MB/s) - 已保存 “TARENA-CA.CRT” [1436/1436])




2 Case 2: TLS/SSL-encrypted mail communication

2.1 Problem


  1. Add TLS/SSL-encrypted communication support to the SMTP service (postfix)
  2. Configure POP3S and IMAPS encrypted communication support with dovecot
  3. Send and receive test mail from a client to confirm that encrypted mail communication works

2.2 Solution

Use two RHEL7 virtual machines: svr7 acts as the CA server, and mail as the Postfix+Dovecot mail server under test. Optionally prepare a Windows test machine, pc120, for sending and receiving mail, with mail client software such as Outlook 2010 installed.

2.3 Steps



1) Quickly install the mail-related packages and add mailbox accounts


  [root@www ~]# yum -y install postfix dovecot cyrus-sasl
  .. ..
  [root@www ~]# vim /etc/sasl2/smtpd.conf
  pwcheck_method: saslauthd
  mech_list: plain login
  [root@www ~]# service saslauthd start ; chkconfig saslauthd on
  正在启动 saslauthd:                           [确定]


  [root@www ~]# useradd mickey
  [root@www ~]# echo 123456 | passwd --stdin mickey
  更改用户 mickey 的密码 。
  passwd: 所有的身份验证令牌已经成功更新。
  [root@www ~]# useradd minnie
  [root@www ~]# echo 123456 | passwd --stdin minnie
  更改用户 minnie 的密码 。
  passwd: 所有的身份验证令牌已经成功更新。

2) Configure and start the postfix service

  [root@mail ~]# cd /etc/postfix/
  [root@mail postfix]# cp main.cf main.cf.origin
  [root@mail postfix]# vim main.cf
  .. ..
  myhostname = mail.tedu.cn
  mydomain = tedu.cn
  myorigin = $mydomain
  inet_interfaces = all
  mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
  mynetworks =
  home_mailbox = Maildir/                                  //set the mailbox path
  smtpd_sasl_auth_enable = yes
  smtpd_sasl_security_options = noanonymous
  smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination
  [root@mail postfix]# systemctl restart  postfix
  [root@mail postfix]# netstat -anpt | grep master
  tcp        0      0*       LISTEN      32120/master

3) Configure and start the dovecot service

  [root@mail dovecot]# vim /etc/dovecot/conf.d/10-mail.conf
  mail_location = maildir:~/Maildir                       //set the mailbox path
  .. ..
  [root@mail dovecot]# vim /etc/dovecot/conf.d/10-ssl.conf
  .. ..
  ssl = no                                              //disable SSL for now
  #ssl_cert = </etc/pki/dovecot/certs/dovecot.pem          //comment out these two lines
  #ssl_key = </etc/pki/dovecot/private/dovecot.pem
  [root@mail postfix]# systemctl restart  dovecot
  正在启动 Dovecot Imap:                        [确定]
  [root@mail postfix]# netstat -anpt | grep dovecot
  tcp        0      0*       LISTEN      32243/dovecot
  tcp        0      0*       LISTEN      32243/dovecot

4) Quick test: confirm that mail can be sent and received before TLS/SSL encryption is enabled


  [root@mail ~]# echo "Hello Mickey" | mail -s "Test Mail XXXX" mickey@tedu.cn
  [root@mail ~]# cat /home/mickey/Maildir/new/137690..        //look for the newest message
  Return-Path: <root@tedu.cn>
  X-Original-To: mickey@tedu.cn
  Delivered-To: mickey@tedu.cn
  Received: by mail.tedu.cn (Postfix, from userid 0)
  id 28846836EA; Mon, 19 Aug 2017 17:36:58 +0800 (CST)
  Date: Mon, 19 Aug 2017 17:36:58 +0800
  To: mickey@tedu.cn
  Subject: Test Mail XXXX
  User-Agent: Heirloom mailx 12.4 7/29/08
  MIME-Version: 1.0
  Content-Type: text/plain; charset=us-ascii
  Content-Transfer-Encoding: 7bit
  Message-Id: <20130819093658.28846836EA@mail.tedu.cn>
  From: root@tedu.cn (root)
  Hello Mickey


1) On the mail server, create the service private key

Because the private key in this example is used mainly for encrypted mail traffic, do not set a passphrase on it: the service can then be started and reloaded without manual intervention (a passphrase is also awkward to configure in postfix).

  [root@mail ~]# cd /etc/pki/tls/private/
  [root@mail private]# openssl  genrsa  2048 > mail.key          //no private key passphrase
  Generating RSA private key, 2048 bit long modulus
  ............................................................+++
  ................+++
  e is 65537 (0x10001)
  [root@mail private]# chmod 600 mail.key



  [root@mail private]# openssl req -new -key mail.key > ~/mail.csr
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [XX]:CN
  State or Province Name (full name) []:Beijing
  Locality Name (eg, city) [Default City]:Beijing
  Organization Name (eg, company) [Default Company Ltd]:Tedu Technology Ltd
  Organizational Unit Name (eg, section) []:
  Common Name (eg, your name or your server's hostname) []:mail.tedu.cn
  Email Address []:postmaster@tedu.cn
  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password []:
  An optional company name []:



  [root@svr7 ~]# scp ./
  root@'s password:
  mail.csr                                 100% 1062     1.0KB/s   00:00
  [root@svr7 ~]# cd /etc/pki/CA/certs/
  [root@svr7 certs]# openssl ca -in ~/mail.csr > mail.crt      //sign the certificate
  Using configuration from /etc/pki/tls/openssl.cnf
  Enter pass phrase for /etc/pki/CA/private/my-ca.key:          //verify the CA private key passphrase
  Check that the request matches the signature
  Signature ok
  Certificate Details:
  .. ..
  Certificate is to be certified until Aug 19 08:31:12 2014 GMT (365 days)
  Sign the certificate? [y/n]:y
  1 out of 1 certificate requests certified, commit? [y/n]y
  Write out database with 1 new entries
  Data Base Updated
  [root@svr7 certs]# cp mail.crt /var/www/html/certs/      //copy to the web download directory


  [root@mail ~]# cd /etc/pki/tls/certs/
  [root@mail certs]# wget
  .. ..
  2017-05-17 16:35:27 (300 MB/s) - 已保存 “mail.crt” [4633/4633])
  [root@mail certs]# ls -lh /etc/pki/tls/certs/mail.crt
  -rw-r--r--. 1 root root 4.6K 8  19 16:32 /etc/pki/tls/certs/mail.crt
  [root@mail certs]# ls -lh /etc/pki/tls/private/mail.key
  -rw-------. 1 root root 1.7K 8  19 16:22 /etc/pki/tls/private/mail.key
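The CA built in Case 1 and the CSR signing shown above, condensed into one added script that is not part of the original tutorial: it recreates the CA layout (index.txt, serial, private key, root certificate) under a temporary directory, signs a CSR for mail.tedu.cn with `openssl ca`, and then runs the checks worth doing before mail.crt is installed. The temporary layout, the unencrypted CA key and the minimal openssl.cnf are my assumptions; the subject names and 365-day lifetime follow the tutorial.

```shell
#!/bin/sh
# Added example, not part of the tutorial: rebuild its CA layout under a temporary
# directory, sign a CSR for mail.tedu.cn with `openssl ca`, then check the result.
# Assumes the openssl CLI on PATH; subjects and lifetime copy the tutorial.
set -e

build_ca_and_sign() {   # prints the CA directory; exits non-zero on any failure
    ca=$(mktemp -d)
    mkdir -p "$ca/newcerts" "$ca/certs" "$ca/private"
    touch "$ca/index.txt"; echo 01 > "$ca/serial"   # the two files the tutorial creates by hand
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/my-ca.crt
private_key = \$dir/private/my-ca.key
default_md = sha256
default_days = 365
policy = policy_tedu
[ policy_tedu ]
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    # Root key (no passphrase so this runs unattended; the tutorial uses -des3) and self-signed root.
    openssl genrsa -out "$ca/private/my-ca.key" 2048 2>/dev/null; chmod 600 "$ca/private/my-ca.key"
    openssl req -config "$ca/openssl.cnf" -new -x509 -key "$ca/private/my-ca.key" -days 365 -subj "/O=Tedu Technology Ltd/CN=Tedu CA Server" -out "$ca/my-ca.crt"
    # Server side: unencrypted service key plus CSR, as on the mail server.
    openssl genrsa -out "$ca/mail.key" 2048 2>/dev/null
    openssl req -config "$ca/openssl.cnf" -new -key "$ca/mail.key" -subj "/O=Tedu Technology Ltd/CN=mail.tedu.cn" -out "$ca/mail.csr"
    # CA side: -batch answers the "Sign the certificate?" and "commit?" prompts with yes.
    openssl ca -batch -notext -config "$ca/openssl.cnf" -in "$ca/mail.csr" -out "$ca/certs/mail.crt" 2>/dev/null
    echo "$ca"
}

# Post-issuance checks: chain verifies against the root, CN is the mail host, and the certificate carries the public half of mail.key.
check_issued_cert() {   # check_issued_cert <cadir>
    openssl verify -CAfile "$1/my-ca.crt" "$1/certs/mail.crt" >/dev/null || return 1
    openssl x509 -in "$1/certs/mail.crt" -noout -subject | grep -q 'CN *= *mail\.tedu\.cn' || return 1
    [ "$(openssl x509 -in "$1/certs/mail.crt" -noout -pubkey)" = "$(openssl pkey -in "$1/mail.key" -pubout)" ]
}
```

After signing, the CA's serial file advances to 02 and index.txt gains a "V" (valid) entry for the new certificate, which is the state the tutorial's "Data Base Updated" line reports.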


In most cases the encrypted and unencrypted services are offered side by side, leaving the choice to the mailbox user. If required, however, only the encrypted send/receive services can be offered and the non-TLS/SSL ones disabled.

1) Modify the postfix configuration to enable SSL-encrypted communication

  [root@svr7 ~]# vim
  .. ..
  smtpd_use_tls = yes
  #smtpd_tls_auth_only = yes              //if enabled, non-TLS SMTP sessions are rejected
  smtpd_tls_key_file = /etc/pki/tls/private/mail.key
  smtpd_tls_cert_file = /etc/pki/tls/certs/mail.crt
  #smtpd_tls_loglevel = 1                  //can be enabled while troubleshooting
  [root@mail ~]# service postfix reload
  重新载入postfix:                                          [确定]


  [root@mail ~]# vim /etc/dovecot/conf.d/10-ssl.conf
  .. ..
  ssl = yes
  #ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
  #ssl_key = </etc/pki/dovecot/private/dovecot.pem
  ssl_cert = </etc/pki/tls/certs/mail.crt
  ssl_key = </etc/pki/tls/private/mail.key
  [root@mail ~]# netstat -anpt | grep dovecot
  tcp        0      0*       LISTEN      32243/dovecot
  tcp        0      0*       LISTEN      32243/dovecot
  tcp        0      0*       LISTEN      32243/dovecot
  tcp        0      0*       LISTEN      32243/dovecot


  [root@mail ~]# vim /etc/dovecot/conf.d/10-master.conf
  inet_listener imap {
  port = 0                                    //disable the unencrypted imap service
  }
  inet_listener pop3 {
  port = 0                                    //disable the unencrypted pop3 service
  }
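An added check, not from the original tutorial, for the postfix and dovecot settings edited above: it reads main.cf and 10-ssl.conf, confirms that TLS is enabled, that the key is mode 600 and belongs to the certificate, and reports when plaintext SMTP AUTH is still permitted. The sample configuration files and the self-signed test pair it constructs are my assumptions, not the tutorial's files.

```shell
#!/bin/sh
# Added example, not from the tutorial: a static check of the TLS settings the
# tutorial edits by hand in main.cf and 10-ssl.conf. It confirms TLS is on, the
# key is private (mode 600), the cert and key belong together, and reports whether
# plaintext SMTP AUTH is still allowed. The sample configs and key pair are constructed here.
set -e

cfg_value() {   # cfg_value <file> <key>: value of the last uncommented "key = value" line
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Returns 0 when smtpd TLS is enabled and the key/cert pair is consistent, 1 otherwise.
audit_postfix_tls() {   # audit_postfix_tls <main.cf>
    [ "$(cfg_value "$1" smtpd_use_tls)" = "yes" ] || { echo "smtpd_use_tls is not yes"; return 1; }
    key=$(cfg_value "$1" smtpd_tls_key_file); crt=$(cfg_value "$1" smtpd_tls_cert_file)
    [ "$(stat -c %a "$key")" = "600" ] || { echo "$key is not mode 600"; return 1; }
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
        || { echo "$crt does not match $key"; return 1; }
    # Without smtpd_tls_auth_only = yes, clients may still send SASL credentials over a plaintext session.
    [ "$(cfg_value "$1" smtpd_tls_auth_only)" = "yes" ] || echo "note: plaintext SMTP AUTH is still permitted"
}

# Returns 0 when dovecot has ssl = yes and both files behind the "<path" markers exist, key mode 600.
audit_dovecot_ssl() {   # audit_dovecot_ssl <10-ssl.conf>
    [ "$(cfg_value "$1" ssl)" = "yes" ] || return 1
    crt=$(cfg_value "$1" ssl_cert); key=$(cfg_value "$1" ssl_key)
    crt=${crt#<}; key=${key#<}       # dovecot's "<file" syntax means "read the value from this file"
    [ -r "$crt" ] && [ -r "$key" ] && [ "$(stat -c %a "$key")" = "600" ]
}

make_sample() {   # builds a throwaway key pair and configs like the tutorial's; prints the directory
    d=$(mktemp -d)
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$d/req.cnf"   # minimal config so -subj works everywhere
    openssl req -config "$d/req.cnf" -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=mail.tedu.cn" \
        -keyout "$d/mail.key" -out "$d/mail.crt" 2>/dev/null
    chmod 600 "$d/mail.key"
    printf 'smtpd_use_tls = yes\n#smtpd_tls_auth_only = yes\nsmtpd_tls_key_file = %s\nsmtpd_tls_cert_file = %s\n' \
        "$d/mail.key" "$d/mail.crt" > "$d/main.cf"
    printf 'ssl = yes\n#ssl_cert = </etc/pki/dovecot/certs/dovecot.pem\nssl_cert = <%s\nssl_key = <%s\n' \
        "$d/mail.crt" "$d/mail.key" > "$d/10-ssl.conf"
    echo "$d"
}
```

Run `audit_postfix_tls /etc/postfix/main.cf` and `audit_dovecot_ssl /etc/dovecot/conf.d/10-ssl.conf` on the real server after editing; a key left world-readable or a cert copied for the wrong key fails the check before the service is reloaded.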

Step 4: Verify encrypted mail communication in a mail client (for example Outlook Express)


Configure the e-mail address, account name and password, and the incoming and outgoing mail servers. Choose POP3 or IMAP for incoming mail and tick the secure connection (SSL) option, as shown in Figure 1.












