This post was last edited by zlj2208 on 2010-02-09 10:46
Here is a CentOS example; I hope it is of help to you. For the mail TLS material in general, I suggest you read Chapter 13 of the Chinese edition of Postfix: The Definitive Guide (《postfix权威指南》); an electronic copy can be downloaded from the forum home page.
8.1 Configuring OpenSSL
8.1.1 Creating the root CA
1. Edit the OpenSSL configuration file
Edit the OpenSSL configuration file /etc/pki/tls/openssl.cnf and change

    dir = ../../CA # Where everything is kept

to

    dir = /etc/pki/CA # Where everything is kept

2. Install the CA script

    shell# yum install openssl-perl

3. Generate the root CA
Back up the existing files:

    shell# cd /etc/pki
    shell# mv CA CA.bak

Generate the root CA:

    shell# cd /etc/pki/tls/misc/
    shell# ./CA.pl -newca
The script's output follows:

    CA certificate filename (or enter to create)

    Making CA certificate ...
    Generating a 1024 bit RSA private key
    .....++++++
    ...................................++++++
    writing new private key to '../../CA/private/cakey.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:CN
    State or Province Name (full name) [Liaoning]:Liaoning
    Locality Name (eg, city) [Dalian]: Dalian
    Organization Name (eg, company) [My Company Ltd]:test dot com
    Organizational Unit Name (eg, section) []:test
    Common Name (eg, your name or your server's hostname) []:test
    Email Address []:postmaster@test.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Using configuration from /etc/pki/tls/openssl.cnf
    Enter pass phrase for ../../CA/private/cakey.pem:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number:
                f4:60:02:37:19:43:e5:5e
            Validity
                Not Before: Dec 2 13:23:11 2009 GMT
                Not After : Dec 1 13:23:11 2012 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = Liaoning
                organizationName          = test dot com
                organizationalUnitName    = test
                commonName                = test
                emailAddress              = postmaster@test.com
            X509v3 extensions:
                X509v3 Subject Key Identifier:
                    77:21:CF:21:FA:CA:2E:92:D1:7D:9D:D8:F9:7C:05:A1:EE:57:4A:DC
                X509v3 Authority Key Identifier:
                    keyid:77:21:CF:21:FA:CA:2E:92:D1:7D:9D:D8:F9:7C:05:A1:EE:57:4A:DC
                    DirName:/C=CN/ST=Liaoning/O=test dot com/OU=test/CN=test/emailAddress=postmaster@test.com
                    serial:F4:60:02:37:19:43:E5:5E
                X509v3 Basic Constraints:
                    CA:TRUE
    Certificate is to be certified until Dec 1 13:23:11 2012 GMT (1095 days)

    Write out database with 1 new entries
    Data Base Updated
8.1.2 Generating the private key and request (req) file
1. Create the private key directory

    shell# mkdir /etc/pki/myca
    shell# cd /etc/pki/myca

2. Generate the private key and request file

    shell# openssl req -new -nodes -keyout mailkey.pem -out mailreq.pem -days 3650

The output follows:

    Generating a 1024 bit RSA private key
    ....++++++
    ....++++++
    writing new private key to 'mailkey.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]: CN
    State or Province Name (full name) [Liaoning]: Liaoning
    Locality Name (eg, city) [Dalian]: Dalian
    Organization Name (eg, company) [My Company Ltd]:test dot com
    Organizational Unit Name (eg, section) []:test
    Common Name (eg, your name or your server's hostname) []:test
    Email Address []:postmaster@test.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

Check that the files were generated:

    shell# cd /etc/pki/myca
    shell# ls -l
    total 8
    -rw-r--r-- 1 root root 887 Dec 2 21:28 mailkey.pem
    -rw-r--r-- 1 root root 700 Dec 2 21:28 mailreq.pem

Of the files above, mailkey.pem is the private key and mailreq.pem is the certificate request (req) file.
8.1.3 Signing the req file

    shell# openssl x509 -req -days 3650 -in mailreq.pem -signkey mailkey.pem -out mailcert.pem

Output:

    Signature ok
    subject=/C=CN/ST=Liaoning/L=Dalian/O=test dot com/OU=test/CN=test/emailAddress=postmaster@test.com
    Getting Private key

Copy the root CA certificate into the private key directory:

    shell# cp /etc/pki/CA/cacert.pem /etc/pki/myca
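The three steps of 8.1 (root CA, server key and request, signing) as one non-interactive script, added here and not code from the original post. It goes one step beyond the post by also signing the request with the CA key, so the resulting mailcert.pem chains to cacert.pem, and it shows that the post's `-signkey mailkey.pem` form produces a self-signed certificate that `openssl verify -CAfile cacert.pem` rejects. The CA name, the host name mail.example.test and the temporary working directory are constructed for the demo.

```shell
# Added example, not code from the original post. Builds a throwaway root CA in
# a temporary directory, issues a server certificate from a request, and checks
# which certificates actually chain to the CA. All names are constructed.
set -e

make_pki() {
  dir=$(mktemp -d)
  cd "$dir"
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Test Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:mail.example.test
EOF
  # 8.1.1: CA key and self-signed CA certificate (what CA.pl -newca produces)
  openssl req -x509 -new -newkey rsa:2048 -nodes -config ca.cnf -extensions v3_ca \
    -keyout cakey.pem -out cacert.pem -days 3650 >/dev/null 2>&1
  # 8.1.2: server private key and certificate request (mailkey.pem / mailreq.pem)
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj '/CN=mail.example.test' \
    -keyout mailkey.pem -out mailreq.pem >/dev/null 2>&1
  # 8.1.3 signed by the CA key: the issuer is the root CA, so a client that
  # trusts cacert.pem can validate this certificate
  openssl x509 -req -in mailreq.pem -CA cacert.pem -CAkey cakey.pem -CAcreateserial \
    -extfile ca.cnf -extensions v3_server -out mailcert.pem -days 3650 >/dev/null 2>&1
  # 8.1.3 as written in the post: -signkey with the request's own key gives a
  # self-signed certificate that has no relation to cacert.pem
  openssl x509 -req -in mailreq.pem -signkey mailkey.pem \
    -out selfsigned.pem -days 3650 >/dev/null 2>&1
  echo "$dir"
}

# Succeeds only if $1/$2 validates against $1/cacert.pem, which is the check a
# TLS peer performs when it is given cacert.pem as its trust anchor.
chains_to_ca() {
  openssl verify -CAfile "$1/cacert.pem" "$1/$2" >/dev/null 2>&1
}
```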
8.2 Configuring Postfix
Edit /etc/postfix/main.cf and add the following lines:

    # tls setting for smtp server
    smtpd_use_tls = yes
    smtpd_tls_key_file = /etc/pki/myca/mailkey.pem
    smtpd_tls_cert_file = /etc/pki/myca/mailcert.pem
    smtpd_tls_CAfile = /etc/pki/myca/cacert.pem
    #smtpd_tls_security_level = encrypt
    smtpd_tls_received_header = yes
    smtpd_enforce_tls = yes
    smtpd_tls_loglevel = 2
    # tls setting for smtp client
    smtp_use_tls = yes
    smtp_tls_key_file = /etc/pki/myca/mailkey.pem
    smtp_tls_cert_file = /etc/pki/myca/mailcert.pem
    smtp_tls_CAfile = /etc/pki/myca/cacert.pem
    #smtp_tls_policy_maps = hash:/etc/postfix/tls_policy_maps

Edit /etc/postfix/master.cf and add the following:

    smtps     inet  n       -       n       -       -       smtpd
      -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes

Restart Postfix.