Notes on configuring Postfix with SSL/TLS
Environment:
OS: CentOS 6.4 x64
Packages: Postfix 2.6.6
cyrus-sasl-2.1.23
dovecot-2.0.9
openssl-1.0.0
Domain: vqiu.cn
Hostname: mail.vqiu.cn
Preparation:
>> Set up the DNS MX record and the machine's hostname (omitted)
>> Configure NTP; see the Linux time notes
1. Install and configure cyrus-sasl
# Install the cyrus-sasl authentication mechanism
[[email protected] tls]# yum -y install cyrus-sasl-plain cyrus-sasl-devel
# Add log_level (this step is optional)
[[email protected] tls]# vi /etc/sasl2/smtpd.conf
-----------------------------------------------divider-------------------------------------------------
# log_level can also be skipped; SASL config files only accept '#' comments, so keep the note on its own line
log_level: 3
pwcheck_method: saslauthd
mech_list: plain login
-----------------------------------------------divider-------------------------------------------------
# Start saslauthd and add it to the boot-time service list
[[email protected] tls]# service saslauthd start && chkconfig saslauthd on
2. Install OpenSSL and create the key and certificate
# Install the openssl packages with yum
[[email protected] ~]# yum -y install openssl openssl-devel
# Create the directory that will hold the key and certificate
[[email protected] tls]# mkdir -p /etc/tls/
# Enter the directory just created
[[email protected] ~]# cd /etc/tls/
# Generate the key and certificate; answer the prompts, the certificate file is named mail_cert.pem
[[email protected] tls]# openssl req -new -x509 -nodes -out mail_cert.pem
-----------------------------------------------分割线-------------------------------------------------
Generating a 2048 bit RSA private key
................................+++
...........................+++
writing new private key to 'privkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Guangdong
Locality Name (eg, city) [Default City]:dongguan
Organization Name (eg, company) [Default Company Ltd]:vqiu
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:mail.vqiu.cn
Email Address []:[email protected]
-----------------------------------------------分割线-------------------------------------------------
[[email protected] tls]# ls -l
-rw-r--r-- 1 root root 1415 Nov 5 16:14 mail_cert.pem #<====== certificate
-rw-r--r-- 1 root root 1704 Nov 5 16:14 privkey.pem #<====== private key
# Restrict permissions on the private key
[[email protected] tls]# chmod 0600 privkey.pem
# Configure Postfix
[[email protected] /]# vi /etc/postfix/main.cf
-----------------------------------------------divider-------------------------------------------------
# SSL/TLS settings
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_loglevel = 3
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
smtpd_tls_cert_file = /etc/tls/mail_cert.pem
smtpd_tls_key_file = /etc/tls/privkey.pem
tls_random_source = dev:/dev/urandom
tls_daemon_random_source = dev:/dev/urandom
# Require TLS before AUTH: SASL authentication is only offered after STARTTLS
# (Postfix does not allow a trailing comment on a setting line, so the note sits above it)
smtpd_tls_auth_only = yes
# SMTP authentication settings
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
# Continuation lines of a multi-line value must start with whitespace
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_destination
-----------------------------------------------divider-------------------------------------------------
# Configure master.cf (the -o lines must be indented so they belong to the smtps service)
[[email protected] /]# vi /etc/postfix/master.cf
-----------------------------------------------divider-------------------------------------------------
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
-----------------------------------------------divider-------------------------------------------------
# Start or restart postfix
[[email protected] /]# service postfix restart
# Check the listening ports
[[email protected] tls]# netstat -tnlp | grep master
# Client test
3. Install and configure dovecot
[[email protected] /]# yum -y install dovecot
[[email protected] /]# vi /etc/dovecot/conf.d/10-ssl.conf
ssl = required
ssl_cert = < /etc/tls/mail_cert.pem
ssl_key = < /etc/tls/privkey.pem
# Configure the mailbox location
[[email protected] tls]# vi /etc/dovecot/conf.d/10-mail.conf
mail_location = maildir:~/Maildir
# Uncomment the pop3s and imaps listeners
[[email protected] tls]# vi /etc/dovecot/conf.d/10-master.conf
-----------------------------------------------divider-------------------------------------------------
inet_listener imaps {
  port = 993
  ssl = yes
}
inet_listener pop3s {
  port = 995
  ssl = yes
}
-----------------------------------------------divider-------------------------------------------------
# Start dovecot and add it to the boot-time service list
[[email protected] tls]# service dovecot start && chkconfig dovecot on
# Check the listening ports
[[email protected] tls]# netstat -tnlp | grep dovecot
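The "client test" step above is left empty in the notes, so here is an added verification script (not part of the original notes) that checks the outcome of sections 2 and 3: the private key permissions, that mail_cert.pem and privkey.pem belong together and carry the host name as CN and have not expired (openssl req -x509 issues a certificate valid for only 30 days when -days is not given), that main.cf carries smtpd_tls_security_level, smtpd_tls_auth_only and noanonymous, that Dovecot requires TLS and uses the same key file, and, against a live server, that AUTH is announced only after STARTTLS. The paths and the host name mail.vqiu.cn are the ones used above; nc and the openssl command-line tool are assumed to be installed for the live probe.

```shell
#!/bin/sh
# Added example, not part of the original notes: post-install checks for the
# Postfix and Dovecot TLS settings above. Paths and hostname are the ones the
# notes use; EHLO transcripts used to exercise the checks are constructed.

# 0 if the private key is readable by its owner only (mode 0600 or 0400).
key_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# 0 if certificate and key share the same RSA modulus, the subject CN is the
# mail host name, and the certificate is still valid one day from now.
# Needs the openssl CLI.
cert_matches_key_and_host() {
    cert="$1"; key="$2"; host="$3"
    cm=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null) || return 1
    km=$(openssl rsa  -noout -modulus -in "$key"  2>/dev/null) || return 1
    [ "$cm" = "$km" ] || return 1
    openssl x509 -noout -subject -in "$cert" 2>/dev/null | grep -q "CN *= *$host" || return 1
    openssl x509 -noout -checkend 86400 -in "$cert" >/dev/null 2>&1 || return 1
}

# Given the EHLO response seen before STARTTLS and the one seen after it,
# return 0 only when AUTH is offered after TLS and never before it, which
# is what smtpd_tls_auth_only = yes must produce.
auth_only_after_tls() {
    before="$1"; after="$2"
    printf '%s\n' "$before" | grep -qi '^250[ -]AUTH'     && return 1
    printf '%s\n' "$before" | grep -qi '^250[ -]STARTTLS' || return 1
    printf '%s\n' "$after"  | grep -qi '^250[ -]AUTH'     || return 1
    return 0
}

# 0 if main.cf carries the three settings the notes depend on.
main_cf_ok() {
    f="$1"
    grep -Eq '^[[:space:]]*smtpd_tls_security_level[[:space:]]*=[[:space:]]*(may|encrypt)' "$f" || return 1
    grep -Eq '^[[:space:]]*smtpd_tls_auth_only[[:space:]]*=[[:space:]]*yes' "$f" || return 1
    grep -Eq '^[[:space:]]*smtpd_sasl_security_options[[:space:]]*=.*noanonymous' "$f" || return 1
}

# 0 if Dovecot's 10-ssl.conf requires TLS and reads the same key file as Postfix.
dovecot_ssl_ok() {
    f="$1"; key="$2"
    grep -Eq '^[[:space:]]*ssl[[:space:]]*=[[:space:]]*required' "$f" || return 1
    grep -Eq "^[[:space:]]*ssl_key[[:space:]]*=[[:space:]]*<[[:space:]]*$key" "$f" || return 1
}

# Live SMTP probe of a running server: plain EHLO on port 25, then EHLO again
# inside the TLS session that s_client negotiates. nc and openssl are assumed.
live_smtp_check() {
    host="${1:-mail.vqiu.cn}"
    before=$(printf 'EHLO check.invalid\r\nQUIT\r\n' | nc -w 5 "$host" 25 2>/dev/null)
    after=$(printf 'EHLO check.invalid\r\nQUIT\r\n' | openssl s_client -quiet -starttls smtp -connect "$host:25" 2>/dev/null)
    auth_only_after_tls "$before" "$after"
}

# Run everything against the paths from the notes.
run_all() {
    key_mode_ok /etc/tls/privkey.pem && echo "key mode ok"
    cert_matches_key_and_host /etc/tls/mail_cert.pem /etc/tls/privkey.pem mail.vqiu.cn && echo "cert ok"
    main_cf_ok /etc/postfix/main.cf && echo "main.cf ok"
    dovecot_ssl_ok /etc/dovecot/conf.d/10-ssl.conf /etc/tls/privkey.pem && echo "dovecot ok"
    live_smtp_check mail.vqiu.cn && echo "AUTH only after STARTTLS"
}

# Invoke as: sh check_mail_tls.sh run
case "${1:-}" in
    run) run_all ;;
esac
```

Each check is a separate function so a single failing item can be re-run on its own; run_all only prints the items that pass, so anything missing from the output is what still needs attention.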
4. Create accounts and test
[[email protected] tls]# groupadd mail_users && useradd -s /sbin/nologin -g mail_users zhang3
[[email protected] tls]# echo "zhang3.." | passwd --stdin zhang3
[[email protected] tls]# useradd -s /sbin/nologin -g mail_users li4
[[email protected] tls]# echo "lisi.." | passwd --stdin li4
Reposted from: https://my.oschina.net/u/188924/blog/899479