postfix如何设置才能开启SSL？pem文件如何生成？【已解决，感谢zlj2208】

mildyi0425

Postfix想使用SSL连接，也就是希望能在Outlook的高级设置那里选上连接需要SSL，Google了下，找到了一篇文章：http://a-wei.net/archives/65
可进行到生成pem文件那一步时出了问题：

1. [root@mail ~]# openssl req -new -x509 -nodes -out smtpd.pem -keyout smtpd.pem -days 3650
   
2. Generating a 1024 bit RSA private key
   
3. .......................................................++++++
   
4. ...............++++++
   
5. writing new private key to 'smtpd.pem'
   
6. -----
   
7. You are about to be asked to enter information that will be incorporated
   
8. into your certificate request.
   
9. What you are about to enter is what is called a Distinguished Name or a DN.
   
10. There are quite a few fields but you can leave some blank
    
11. For some fields there will be a default value,
    
12. If you enter '.', the field will be left blank.-----
    
13. Country Name (2 letter code) [GB]:CN
    
14. State or Province Name (full name) [Berkshire]:Shandong
    
15. Locality Name (eg, city) [Newbury]:Qingdao
    
16. Organization Name (eg, company) [My Company Ltd]:FBSE
    
17. Organizational Unit Name (eg, section) []:Dev
    
18. Common Name (eg, your name or your server's hostname) []:fbse
    
19. Email Address []:
    
20. [root@mail ~]#

复制代码

回车后直接退出，也没有找到smtpd.pem这个文件。对OpenSSL一点也不了解，目前正在看OpenSSL Command-Line HOWTO，有没有高手先帮忙解决一下？这个pem文件如何生成？拜谢！

zlj2208

给你个CentOS的例子,希望对于你有帮助，有关邮件TLS的内容，建议你看一下《postfix权威指南》中文版的第十三章，论坛首页有电子版下载。

8.1 配置OpenSSL

8.1.1 制作root CA

1. 修改openssl配置文件

修改openssl配置文件：/etc/pki/tls/openssl.cnf
将

1. dir            = ../../CA              # Where everything is kept

复制代码

改成

1. dir             = /etc/pki/CA           # Where everything is kept

复制代码

2. 安装CA的脚本

1. shell# yum install openssl-perl

复制代码

3. 生成Root CA

备份原有文件

1. shell# cd /etc/pki
   
2. shell# mv CA CA.bak

复制代码

生成Root CA

1. shell# cd /etc/pki/tls/misc/
   
2. shell# ./CA.pl -newca

复制代码

下面为脚本的输出

1. CA certificate filename (or enter to create)
   
2. 
   
3. Making CA certificate ...
   
4. Generating a 1024 bit RSA private key
   
5. .....++++++
   
6. ...................................++++++
   
7. writing new private key to '../../CA/private/cakey.pem'
   
8. Enter PEM pass phrase:
   
9. Verifying - Enter PEM pass phrase:
   
10. -----
    
11. You are about to be asked to enter information that will be incorporated
    
12. into your certificate request.
    
13. What you are about to enter is what is called a Distinguished Name or a DN.
    
14. There are quite a few fields but you can leave some blank
    
15. For some fields there will be a default value,
    
16. If you enter '.', the field will be left blank.
    
17. -----
    
18. Country Name (2 letter code) [CN]:CN
    
19. State or Province Name (full name) [Liaoning]:Liaoning
    
20. Locality Name (eg, city) [Dalian]: Dalian
    
21. Organization Name (eg, company) [My Company Ltd]:test dot com
    
22. Organizational Unit Name (eg, section) []:test   
    
23. Common Name (eg, your name or your server's hostname) []:test
    
24. Email Address []:postmaster@test.com
    
25. 
    
26. Please enter the following 'extra' attributes
    
27. to be sent with your certificate request
    
28. A challenge password []:
    
29. An optional company name []:
    
30. Using configuration from /etc/pki/tls/openssl.cnf
    
31. Enter pass phrase for ../../CA/private/cakey.pem:
    
32. Check that the request matches the signature
    
33. Signature ok
    
34. Certificate Details:
    
35.         Serial Number:
    
36.             f4:60:02:37:19:43:e5:5e
    
37.         Validity
    
38.             Not Before: Dec  2 13:23:11 2009 GMT
    
39.             Not After : Dec  1 13:23:11 2012 GMT
    
40.         Subject:
    
41.             countryName               = CN
    
42.             stateOrProvinceName       = Liaoning
    
43.             organizationName          = test dot com
    
44.             organizationalUnitName    = test
    
45.             commonName                = test
    
46.             emailAddress              = postmaster@test.com
    
47.         X509v3 extensions:
    
48.             X509v3 Subject Key Identifier:
    
49.                 77:21:CF:21:FA:CA:2E:92:D1:7D:9D:D8:F9:7C:05:A1:EE:57:4A:DC
    
50.             X509v3 Authority Key Identifier:
    
51.                 keyid:77:21:CF:21:FA:CA:2E:92:D1:7D:9D:D8:F9:7C:05:A1:EE:57:4A:DC
    
52.                 DirName:/C=CN/ST=Liaoning/O=test dot com/OU=test/CN=test/emailAddress=postmaster@test.com
    
53.                 serial:F4:60:02:37:19:43:E5:5E
    
54. 
    
55.             X509v3 Basic Constraints:
    
56.                 CA:TRUE
    
57. Certificate is to be certified until Dec  1 13:23:11 2012 GMT (1095 days)
    
58. 
    
59. Write out database with 1 new entries
    
60. Data Base Updated

复制代码

8.1.2 生成私钥和req文件

1. 建立私钥目录

1. shell# mkdir /etc/pki/myca
   
2. shell# cd /etc/pki/myca

复制代码

2. 生成私钥和req文件

1. shell# openssl req -new -nodes -keyout mailkey.pem -out mailreq.pem -days 3650

复制代码

下面为输出内容：

1. Generating a 1024 bit RSA private key
   
2. ....++++++
   
3. ....++++++
   
4. writing new private key to 'mailkey.pem'
   
5. -----
   
6. You are about to be asked to enter information that will be incorporated
   
7. into your certificate request.
   
8. What you are about to enter is what is called a Distinguished Name or a DN.
   
9. There are quite a few fields but you can leave some blank
   
10. For some fields there will be a default value,
    
11. If you enter '.', the field will be left blank.
    
12. -----
    
13. Country Name (2 letter code) [CN]: CN
    
14. State or Province Name (full name) [Liaoning]: Liaoning
    
15. Locality Name (eg, city) [Dalian]: Dalian
    
16. Organization Name (eg, company) [My Company Ltd]:test dot com
    
17. Organizational Unit Name (eg, section) []:test
    
18. Common Name (eg, your name or your server's hostname) []:test
    
19. Email Address []:postmaster@test.com
    
20. 
    
21. Please enter the following 'extra' attributes
    
22. to be sent with your certificate request
    
23. A challenge password []:
    
24. An optional company name []:

复制代码

查看文件是否生成：

1. shell# cd /etc/pki/myca
   
2. shell# ls -l
   
3. total 8
   
4. -rw-r--r-- 1 root root 887 Dec  2 21:28 mailkey.pem
   
5. -rw-r--r-- 1 root root 700 Dec  2 21:28 mailreq.pem

复制代码

在上面文件中mailkey.pem为私钥 ，mailreq.pem为req文件。

8.1.3 签署req文件

1. shell# openssl x509 -req -days 3650 -in mailreq.pem -signkey mailkey.pem -out mailcert.pem

复制代码

输出内容

1. Signature ok
   
2. subject=/C=CN/ST=Liaoning/L=Dalian/O=test dot com/OU=test/CN=test/emailAddress=postmaster@test.com
   
3. Getting Private key

复制代码

将root CA 复制到私钥的目录中

1. shell# cp /etc/pki/CA/cacert.pem /etc/pki/myca

复制代码

8.2 配置postfix

修改 /etc/postfix/main.cf 增加一下几行

1. # tls setting for smtp server
   
2. smtpd_use_tls       = yes
   
3. smtpd_tls_key_file  = /etc/pki/myca/mailkey.pem
   
4. smtpd_tls_cert_file = /etc/pki/myca/mailcert.pem
   
5. smtpd_tls_CAfile    = /etc/pki/myca/cacert.pem
   
6. #smtpd_tls_security_level = encrypt
   
7. smtpd_tls_received_header = yes
   
8. smtpd_enforce_tls = yes
   
9. smtpd_tls_loglevel = 2
   
10. 
    
11. # tls setting for smtp client
    
12. smtp_use_tls       = yes
    
13. smtp_tls_key_file  = /etc/pki/myca/mailkey.pem
    
14. smtp_tls_cert_file = /etc/pki/myca/mailcert.pem
    
15. smtp_tls_CAfile    = /etc/pki/myca/cacert.pem
    
16. #smtp_tls_policy_maps = hash:/etc/postfix/tls_policy_maps

复制代码

修改/etc/postfix/master.cf文件

增加下面内容：

1. smtps     inet     n     -     n     -     -     smtpd
   
2.   -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes

复制代码

重启动postfix

scyzxp

回复 1# mildyi0425


    http://www.postfix.cn/postfix-master/TLS_README.html

mildyi0425

回复 2# zlj2208

太感谢了！！很详尽，已经一步步的照着进行了，可最后在Outlook端勾上SSL连接时报错误454：

454 TLS not available due to temporary reason

是不是我的端口也需要改？通过SSL连接的话端口就不能是25了？这是防火墙的问题？边Google边期待解答……   

再次谢谢~~可以当教程了~~

mildyi0425

回复 3# scyzxp

感谢版主，目前正在学习中~

mildyi0425

回复  zlj2208

太感谢了！！很详尽，已经一步步的照着进行了，可最后在Outlook端勾上SSL连接时报错误45 ...
mildyi0425 发表于 2010-02-09 13:36

开启SSL后就不是25端口了，而是465，pop3的端口是995.问题已经初步解决，但现在有个小小的疑问，请高手帮忙解答下：

既然我在防火墙上已经开启了SSL的465和995端口，那原先的25端口和110端口我是不是可以关闭了？关闭了有什么其他的影响吗？

上班期间不能试，晚上下班了试试……

ruochen

25端口最好保留
110好像可以关闭

你在fw上测试下就知道了