忘记密码   免费注册 查看新帖 | 论坛精华区

ChinaUnix.net

  平台 论坛 博客 认证专区 大话IT HPC论坛 徽章 文库 沙龙 自测 下载 频道自动化运维 虚拟化 储存备份 C/C++ PHP MySQL 嵌入式 Linux系统
最近访问板块 发新帖
查看: 9410 | 回复: 7

[Mail] postfix如何设置才能开启SSL?pem文件如何生成?【已解决,感谢zlj2208】 [复制链接]

论坛徽章:
0
发表于 2010-02-09 09:15 |显示全部楼层
本帖最后由 mildyi0425 于 2010-02-09 15:14 编辑

Postfix想使用SSL连接,也就是希望能在Outlook的高级设置那里选上连接需要SSL,Google了下,找到了一篇文章:http://a-wei.net/archives/65
可进行到生成pem文件那一步时出了问题:
  1. [root@mail ~]# openssl req -new -x509 -nodes -out smtpd.pem -keyout smtpd.pem -days 3650
  2. Generating a 1024 bit RSA private key
  3. .......................................................++++++
  4. ...............++++++
  5. writing new private key to 'smtpd.pem'
  6. -----
  7. You are about to be asked to enter information that will be incorporated
  8. into your certificate request.
  9. What you are about to enter is what is called a Distinguished Name or a DN.
  10. There are quite a few fields but you can leave some blank
  11. For some fields there will be a default value,
  12. If you enter '.', the field will be left blank.-----
  13. Country Name (2 letter code) [GB]:CN
  14. State or Province Name (full name) [Berkshire]:Shandong
  15. Locality Name (eg, city) [Newbury]:Qingdao
  16. Organization Name (eg, company) [My Company Ltd]:FBSE
  17. Organizational Unit Name (eg, section) []:Dev
  18. Common Name (eg, your name or your server's hostname) []:fbse
  19. Email Address []:
  20. [root@mail ~]#
复制代码
回车后直接退出,也没有找到smtpd.pem这个文件。对OpenSSL一点也不了解,目前正在看OpenSSL Command-Line HOWTO,有没有高手先帮忙解决一下?这个pem文件如何生成?拜谢!

论坛徽章:
0
发表于 2010-02-09 10:38 |显示全部楼层
本帖最后由 zlj2208 于 2010-02-09 10:46 编辑

给你个CentOS的例子,希望对于你有帮助,有关邮件TLS的内容,建议你看一下《postfix权威指南》中文版的第十三章,论坛首页有电子版下载。

8.1 配置OpenSSL

8.1.1 制作root CA

1. 修改openssl配置文件

修改openssl配置文件:/etc/pki/tls/openssl.cnf

  1. dir            = ../../CA              # Where everything is kept
复制代码

改成
  1. dir             = /etc/pki/CA           # Where everything is kept
复制代码


2. 安装CA的脚本

  1. shell# yum install openssl-perl
复制代码


3. 生成Root CA

备份原有文件

  1. shell# cd /etc/pki
  2. shell# mv CA CA.bak
复制代码


生成Root CA

  1. shell# cd /etc/pki/tls/misc/
  2. shell# ./CA.pl -newca
复制代码


下面为脚本的输出

  1. CA certificate filename (or enter to create)

  2. Making CA certificate ...
  3. Generating a 1024 bit RSA private key
  4. .....++++++
  5. ...................................++++++
  6. writing new private key to '../../CA/private/cakey.pem'
  7. Enter PEM pass phrase:
  8. Verifying - Enter PEM pass phrase:
  9. -----
  10. You are about to be asked to enter information that will be incorporated
  11. into your certificate request.
  12. What you are about to enter is what is called a Distinguished Name or a DN.
  13. There are quite a few fields but you can leave some blank
  14. For some fields there will be a default value,
  15. If you enter '.', the field will be left blank.
  16. -----
  17. Country Name (2 letter code) [CN]:CN
  18. State or Province Name (full name) [Liaoning]:Liaoning
  19. Locality Name (eg, city) [Dalian]: Dalian
  20. Organization Name (eg, company) [My Company Ltd]:test dot com
  21. Organizational Unit Name (eg, section) []:test   
  22. Common Name (eg, your name or your server's hostname) []:test
  23. Email Address []:postmaster@test.com

  24. Please enter the following 'extra' attributes
  25. to be sent with your certificate request
  26. A challenge password []:
  27. An optional company name []:
  28. Using configuration from /etc/pki/tls/openssl.cnf
  29. Enter pass phrase for ../../CA/private/cakey.pem:
  30. Check that the request matches the signature
  31. Signature ok
  32. Certificate Details:
  33.         Serial Number:
  34.             f4:60:02:37:19:43:e5:5e
  35.         Validity
  36.             Not Before: Dec  2 13:23:11 2009 GMT
  37.             Not After : Dec  1 13:23:11 2012 GMT
  38.         Subject:
  39.             countryName               = CN
  40.             stateOrProvinceName       = Liaoning
  41.             organizationName          = test dot com
  42.             organizationalUnitName    = test
  43.             commonName                = test
  44.             emailAddress              = postmaster@test.com
  45.         X509v3 extensions:
  46.             X509v3 Subject Key Identifier:
  47.                 77:21:CF:21:FA:CA:2E:92:D1:7D:9D:D8:F9:7C:05:A1:EE:57:4A:DC
  48.             X509v3 Authority Key Identifier:
  49.                 keyid:77:21:CF:21:FA:CA:2E:92:D1:7D:9D:D8:F9:7C:05:A1:EE:57:4A:DC
  50.                 DirName:/C=CN/ST=Liaoning/O=test dot com/OU=test/CN=test/emailAddress=postmaster@test.com
  51.                 serial:F4:60:02:37:19:43:E5:5E

  52.             X509v3 Basic Constraints:
  53.                 CA:TRUE
  54. Certificate is to be certified until Dec  1 13:23:11 2012 GMT (1095 days)

  55. Write out database with 1 new entries
  56. Data Base Updated
复制代码


8.1.2 生成私钥和req文件

1. 建立私钥目录

  1. shell# mkdir /etc/pki/myca
  2. shell# cd /etc/pki/myca
复制代码


2. 生成私钥和req文件

  1. shell# openssl req -new -nodes -keyout mailkey.pem -out mailreq.pem -days 3650
复制代码


下面为输出内容:

  1. Generating a 1024 bit RSA private key
  2. ....++++++
  3. ....++++++
  4. writing new private key to 'mailkey.pem'
  5. -----
  6. You are about to be asked to enter information that will be incorporated
  7. into your certificate request.
  8. What you are about to enter is what is called a Distinguished Name or a DN.
  9. There are quite a few fields but you can leave some blank
  10. For some fields there will be a default value,
  11. If you enter '.', the field will be left blank.
  12. -----
  13. Country Name (2 letter code) [CN]: CN
  14. State or Province Name (full name) [Liaoning]: Liaoning
  15. Locality Name (eg, city) [Dalian]: Dalian
  16. Organization Name (eg, company) [My Company Ltd]:test dot com
  17. Organizational Unit Name (eg, section) []:test
  18. Common Name (eg, your name or your server's hostname) []:test
  19. Email Address []:postmaster@test.com

  20. Please enter the following 'extra' attributes
  21. to be sent with your certificate request
  22. A challenge password []:
  23. An optional company name []:
复制代码


查看文件是否生成:

  1. shell# cd /etc/pki/myca
  2. shell# ls -l
  3. total 8
  4. -rw-r--r-- 1 root root 887 Dec  2 21:28 mailkey.pem
  5. -rw-r--r-- 1 root root 700 Dec  2 21:28 mailreq.pem
复制代码


在上面文件中mailkey.pem为私钥 ,mailreq.pem为req文件。

8.1.3 签署req文件

  1. shell# openssl x509 -req -days 3650 -in mailreq.pem -signkey mailkey.pem -out mailcert.pem
复制代码


输出内容

  1. Signature ok
  2. subject=/C=CN/ST=Liaoning/L=Dalian/O=test dot com/OU=test/CN=test/emailAddress=postmaster@test.com
  3. Getting Private key
复制代码



将root CA 复制到私钥的目录中

  1. shell# cp /etc/pki/CA/cacert.pem /etc/pki/myca
复制代码


8.2 配置postfix

修改 /etc/postfix/main.cf 增加一下几行

  1. # tls setting for smtp server
  2. smtpd_use_tls       = yes
  3. smtpd_tls_key_file  = /etc/pki/myca/mailkey.pem
  4. smtpd_tls_cert_file = /etc/pki/myca/mailcert.pem
  5. smtpd_tls_CAfile    = /etc/pki/myca/cacert.pem
  6. #smtpd_tls_security_level = encrypt
  7. smtpd_tls_received_header = yes
  8. smtpd_enforce_tls = yes
  9. smtpd_tls_loglevel = 2

  10. # tls setting for smtp client
  11. smtp_use_tls       = yes
  12. smtp_tls_key_file  = /etc/pki/myca/mailkey.pem
  13. smtp_tls_cert_file = /etc/pki/myca/mailcert.pem
  14. smtp_tls_CAfile    = /etc/pki/myca/cacert.pem
  15. #smtp_tls_policy_maps = hash:/etc/postfix/tls_policy_maps
复制代码



修改/etc/postfix/master.cf文件

增加下面内容:

  1. smtps     inet     n     -     n     -     -     smtpd
  2.   -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
复制代码


重启动postfix

论坛徽章:
0
发表于 2010-02-09 10:39 |显示全部楼层

论坛徽章:
0
发表于 2010-02-09 13:36 |显示全部楼层
回复 2# zlj2208

太感谢了!!很详尽,已经一步步的照着进行了,可最后在Outlook端勾上SSL连接时报错误454:

454 TLS not available due to temporary reason


是不是我的端口也需要改?通过SSL连接的话端口就不能是25了?这是防火墙的问题?边Google边期待解答……   

再次谢谢~~可以当教程了~~

论坛徽章:
0
发表于 2010-02-09 13:37 |显示全部楼层
回复 3# scyzxp

感谢版主,目前正在学习中~

论坛徽章:
0
发表于 2010-02-09 15:13 |显示全部楼层
回复  zlj2208

太感谢了!!很详尽,已经一步步的照着进行了,可最后在Outlook端勾上SSL连接时报错误45 ...
mildyi0425 发表于 2010-02-09 13:36


开启SSL后就不是25端口了,而是465,pop3的端口是995.问题已经初步解决,但现在有个小小的疑问,请高手帮忙解答下:

既然我在防火墙上已经开启了SSL的465和995端口,那原先的25端口和110端口我是不是可以关闭了?关闭了有什么其他的影响吗?

上班期间不能试,晚上下班了试试……

论坛徽章:
8
综合交流区版块每周发帖之星
日期:2015-12-02 15:03:53数据库技术版块每日发帖之星
日期:2015-10-02 06:20:00IT运维版块每日发帖之星
日期:2015-10-02 06:20:00IT运维版块每日发帖之星
日期:2015-09-14 06:20:00金牛座
日期:2014-10-10 11:23:34CU十二周年纪念徽章
日期:2013-10-24 15:41:34酉鸡
日期:2013-10-19 10:17:1315-16赛季CBA联赛之北京
日期:2017-03-06 15:12:44
发表于 2010-02-20 18:09 |显示全部楼层
25端口最好保留
110好像可以关闭

你在fw上测试下就知道了

论坛徽章:
0
发表于 2010-04-10 10:16 |显示全部楼层
提示: 作者被禁止或删除 内容自动屏蔽
您需要登录后才可以回帖 登录 | 注册

本版积分规则

  

北京盛拓优讯信息技术有限公司. 版权所有 京ICP备16024965号 北京市公安局海淀分局网监中心备案编号:11010802020122
广播电视节目制作经营许可证(京) 字第1234号 中国互联网协会会员  联系我们:
感谢所有关心和支持过ChinaUnix的朋友们 转载本站内容请注明原作者名及出处

清除 Cookies - ChinaUnix - Archiver - WAP - TOP