postfix 实现 tls smtps pop3s
先安装好 postfix openssl courier-imap
mkdir /etc/postfix/etc/tls
cd /etc/postfix/etc/tls
openssl req -new -x509 -nodes -out cert.pem
----------------------------------------------
Generating a 1024 bit RSA private key
........................................................................................++++++
......++++++
writing new private key to 'privkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN ←此处为国家名称代码
State or Province Name (full name) [Some-State]:GD ←此处为地域(省)名称
Locality Name (eg, city) []:SZ ←此处为城市名称
Organization Name (eg, company) [Internet Widgits Pty Ltd]:test ←此处为单位名称
Organizational Unit Name (eg, section) []:IT ←此处为部分名称
Common Name (eg, YOUR name) []:test ←此处为你的名称或服务器名字或省略
Email Address []:test@test.com ←此处为管理邮件
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456 ←输入密码
-----------------------------------
#chown root:postfix *
#chmod 640 *
cd ..
配置文件main.cf 添加
#smtpd-tls
smtpd_tls_cert_file = $config_directory/tls/cert.pem
smtpd_tls_key_file = $config_directory/tls/privkey.pem
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
tls_daemon_random_source = dev:/dev/urandom
启动smtps的守护进程
配置文件master.cf
#===================================================
smtps inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
注意“-o”前面的空格
重新加载Postfix配置文件
#postfix reload
检查并测试TLS是否启动成功
Smtp默认SSL端口是465
[root@mail ~]# netstat -nat |grep 465
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN
#telnet localhost 25 #测试是否启动TLS加密
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 Welcome to our mail.test.com ESMTP,Warning:Version not Available!
ehlo lanexpert.local
250-mail.lanexpert.local
250-PIPELINING
250-SIZE 14336000
250-VRFY
250-ETRN
250-STARTTLS #多出一行
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
Starttls #手动输入
220 2.0.0 Ready to start TLS #显示此字样为成功启用
quit
quit
Connection closed by foreign host.
二、启用POP3及IMAP加密功能
1.设置POP3s (Port:995)证书产生的配置文件
# vi /usr/local/courier-imap/etc/pop3d.cnf
根据自己的实据情况作出相应的修改:
RANDFILE = /usr/local/courier-imap/share/pop3d.rand
[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
[ req_dn ]
C=CN #国家代码
ST=GD #地域或省名称
L=SZ #城市名称
O=test #组织名称
OU=IT #单位名称
CN=localhost
emailAddress=test@test.com #管理邮件
[ cert_type ]
nsCertType = server
2.设置IMAPs(Port:993)证书产生的配置文件
# nano /usr/local/courier-imap/etc/imapd.cnf
RANDFILE = /usr/local/courier-imap/share/imapd.rand
[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
[ req_dn ]
C=CN
ST=GD
L=sz
O=test
OU=IT
CN=localhost
emailAddress=test@test.com
[ cert_type ]
nsCertType = server
3. 运行以下命令生成安全登陆认证的金钥imapd.pem和pop3d.pem文件,存放于/usr/local/courier-imap/share/目录下
#/usr/local/courier-imap/sbin/mkimapdcert
#/usr/local/courier-imap/sbin/mkpop3dcert
# ll /usr/local/courier-imap/share/*.pem
-rw------- 1 root root 1999 Jul 14 12:24 /usr/local/courier-imap/share/imapd.pem
-rw------- 1 root root 2003 Jul 14 12:24 /usr/local/courier-imap/share/pop3d.pem
4. 修改imapd-ssl及pop3d-ssl配置文件,启用imapd-ssl及pop3d-ssl
#vi /usr/local/courier-imap/etc/imapd-ssl
将 IMAPDSSLSTART=NO
改为:
IMAPDSSLSTART=YES
#vi /usr/local/courier-imap/etc/pop3d-ssl
将POP3_STARTTLS=NO
改为:
POP3_STARTTLS=YES
保存并退出,重启courier-imapd 服务
service courier-imapd restart
检查imapd-ssl及pop3d-ssl启动是否正常:
[root@mail ~]# netstat -nat |grep :99
tcp 0 0 :::993 :::* LISTEN
tcp 0 0 :::995 :::* LISTEN
pop3s服务可能会无法起动,j缺少文件,将couriertls 拷贝到/usr/local/courier-imap/bin下
风光坏家伙
134篇文章,31W+人气,0粉丝
1426
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
