
Postfix: adding TLS encryption to POP3 and SMTP

Source:

https://blog.xuite.net/magic20095/wretch/111940549

< POP3 and IMAP >
Edit
[root@mail ~]# vi /etc/pki/dovecot/dovecot-openssl.cnf
[ req ]
default_bits = 2048   # key length raised from the default 1024 bits to 2048
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
# country (2 letter code)
C=TW     # country set to TW

# State or Province Name (full name)
#ST=

# Locality Name (eg. city)
L=Taipei   # city set to Taipei

# Organization (eg. company)
O=Flag  # company set to Flag

# Organizational Unit Name (eg. section)
OU=IMAP/POP3 server
# Common Name (*.example.com is also possible)
CN=mail.flag.com.tw    # the mail host; must be the name clients connect to, or they will reject the certificate

# E-mail contact
emailAddress=mis@flag.com.tw # administrator's mailbox

[ cert_type ]
nsCertType = server
Then look at
[root@mail ~]# vi /etc/dovecot.conf   it states the paths and file names of the TLS certificate and key:
ssl_cert_file = /etc/pki/dovecot/certs/dovecot.pem     certificate path
ssl_key_file = /etc/pki/dovecot/private/dovecot.pem   key path
Next
[root@mail ~]# cd /etc/pki/dovecot/certs     switch to this directory
[root@mail certs]# mv dovecot.pem dovecot.pem.old   back up the old certificate
[root@mail certs]# cd ../private
[root@mail private]# mv dovecot.pem dovecot.pem.old  back up the old key
[root@mail private]# /usr/share/doc/dovecot-1.0/examples/mkcert.sh  generate the new certificate and key from the .cnf edited above (mkcert.sh refuses to overwrite existing files, which is why the old pair is moved aside first)
Run /etc/rc.d/init.d/dovecot restart and the setup is complete!!
PS: remember to open port 995 (POP3S) on the firewall, and 993 as well if IMAPS is served.

< SMTP >
Generate the certificate file for TLS
cd /etc/postfix
openssl req -new -x509 -nodes -out smtpd.pem -keyout smtpd.pem -days 3650
Because -out and -keyout name the same file, smtpd.pem holds the private key as well as the certificate, so keep it owned by root with mode 600. The certificate is self-signed, so clients will warn about it unless they are told to trust it.
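
Both certificate steps on this page (Dovecot's mkcert.sh and the one-line openssl command for Postfix) produce a self-signed pair. The shell script below is an added example, not code from the original post or from Dovecot or Postfix, that does the same for both servers with one function, keeping the private key in its own mode-0600 file and moving any previous pair aside as the page does by hand. It also checks the result: the certificate's CN, the key file's mode, and that key and certificate belong together. The subject values are copied from the page's dovecot-openssl.cnf; the scratch directory and the file names dovecot.key, dovecot.pem, smtpd.key and smtpd.pem are assumptions for the demonstration, not the paths the page configures.

```shell
#!/bin/sh
# Added example (not from the original post or from Dovecot/Postfix): make a
# self-signed key pair for each server with the private key in its own
# root-only file. Runs in a temporary directory; file names and the subject
# values (copied from the page's dovecot-openssl.cnf) are assumptions.
set -eu
umask 077   # every file created here starts out readable by its owner only

# gen_selfsigned CN OU KEYFILE CERTFILE DAYS
#   Writes an OpenSSL config equivalent to the page's dovecot-openssl.cnf
#   (2048-bit key, prompt = no, nsCertType = server) and runs the same
#   `openssl req -new -x509 -nodes` that mkcert.sh runs. Existing files are
#   moved to *.old, as the page does by hand, instead of being overwritten.
gen_selfsigned() {
    cn=$1; ou=$2; key=$3; cert=$4; days=$5
    cnf=$(mktemp)
    cat >"$cnf" <<EOF
[ req ]
default_bits = 2048
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
C = TW
L = Taipei
O = Flag
OU = $ou
CN = $cn
emailAddress = mis@flag.com.tw

[ cert_type ]
nsCertType = server
EOF
    for f in "$key" "$cert"; do
        [ -f "$f" ] && mv "$f" "$f.old"
    done
    openssl req -new -x509 -nodes -config "$cnf" -days "$days" \
        -keyout "$key" -out "$cert" 2>/dev/null
    rm -f "$cnf"
    chmod 0600 "$key"    # private key: owner (root on a real host) only
    chmod 0644 "$cert"   # the certificate is public
}

# cert_cn CERTFILE: print the certificate's CN; handles both the
# "CN = x" and the older "/CN=x" subject formats openssl has printed
cert_cn() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null |
        sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# key_mode_ok KEYFILE: succeed only if the key file is exactly mode 0600
key_mode_ok() {
    find "$1" -prune -perm 600 | grep -q .
}

# key_matches_cert KEYFILE CERTFILE: the public key derived from the private
# key must equal the public key inside the certificate
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Demonstration: both pairs the page creates, side by side in a scratch dir.
demo=$(mktemp -d)
gen_selfsigned mail.flag.com.tw "IMAP/POP3 server" "$demo/dovecot.key" "$demo/dovecot.pem" 365
gen_selfsigned mail.flag.com.tw "SMTP server"      "$demo/smtpd.key"   "$demo/smtpd.pem"   3650
for svc in dovecot smtpd; do
    if key_mode_ok "$demo/$svc.key" && key_matches_cert "$demo/$svc.key" "$demo/$svc.pem"; then
        echo "$svc: CN=$(cert_cn "$demo/$svc.pem"), key is 0600 and matches the certificate"
    else
        echo "$svc: key/cert check FAILED"
    fi
done
rm -rf "$demo"
```

To use the separate files, point ssl_key_file and ssl_cert_file (Dovecot) and smtpd_tls_key_file and smtpd_tls_cert_file (Postfix) at the key and the certificate respectively instead of at one combined file.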

Edit /etc/postfix/main.cf and add the following (smtp_use_tls and smtpd_use_tls are the pre-2.3 switches; on current Postfix use smtp_tls_security_level = may and smtpd_tls_security_level = may instead):
# SASL
smtpd_sasl_auth_enable=yes
smtpd_recipient_restrictions=permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sasl_security_options=noanonymous
broken_sasl_auth_clients=yes
# TLS
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/smtpd.pem
smtpd_tls_cert_file = /etc/postfix/smtpd.pem
smtpd_tls_CAfile = /etc/postfix/smtpd.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
Restart postfix and saslauthd.
Test whether it took effect:
telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.flag.com.tw ESMTP Postfix
ehlo localhost
250-mail.flag.com.tw
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS     TLS is now supported
250-AUTH CRAM-MD5 DIGEST-MD5 LOGIN PLAIN
250-AUTH=CRAM-MD5 DIGEST-MD5 LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
This only shows that STARTTLS is offered. Note that AUTH, including PLAIN and LOGIN, is still advertised on this unencrypted session, so a client that skips STARTTLS sends its password in the clear; setting smtpd_tls_auth_only = yes makes Postfix announce AUTH only after STARTTLS. To exercise the handshake itself rather than just the banner, use openssl's s_client with its STARTTLS option against port 25.
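
The main.cf additions above and the EHLO output share one weakness: AUTH, including PLAIN and LOGIN, is announced on the unencrypted session. The script below is an added example, not from the original post or from Postfix, that audits a main.cf for that and for the other points raised on this page (legacy smtp_use_tls/smtpd_use_tls, key and certificate in one file, a missing reject_unauth_destination) and reads a captured EHLO response to list the cleartext-capable mechanisms it offers. The sample files are constructed from the page's own config and telnet output; the hardened variant and the path /etc/postfix/smtpd.key in it are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or from Postfix): audit a main.cf
# and a captured EHLO transcript for the weak spots in the page's setup,
# chiefly AUTH PLAIN/LOGIN being offered before STARTTLS. The sample files
# are constructed here from the page's own config and telnet output.
set -eu

# cf_get FILE KEY: effective value of KEY in a main.cf (last assignment wins,
# as in Postfix); '#' comment lines never match because the key must start the line
cf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# audit_main_cf FILE: print one FINDING line per problem
audit_main_cf() {
    cf=$1
    # AUTH before TLS: PLAIN and LOGIN carry the password itself.
    [ "$(cf_get "$cf" smtpd_tls_auth_only)" = yes ] ||
        echo "FINDING: smtpd_tls_auth_only is not yes; AUTH is announced on the cleartext session. Set smtpd_tls_auth_only = yes"
    # Legacy switches (pre-2.3); the *_tls_security_level parameters replace them.
    for side in smtpd smtp; do
        if [ -n "$(cf_get "$cf" ${side}_use_tls)" ] && [ -z "$(cf_get "$cf" ${side}_tls_security_level)" ]; then
            echo "FINDING: ${side}_use_tls is legacy; use ${side}_tls_security_level = may"
        fi
    done
    # Key and certificate in one file: that file must then be root-only.
    key=$(cf_get "$cf" smtpd_tls_key_file)
    [ -n "$key" ] && [ "$key" = "$(cf_get "$cf" smtpd_tls_cert_file)" ] &&
        echo "FINDING: private key shares $key with the certificate; chmod 0600 it or split the key out"
    # Relay control: without reject_unauth_destination the host is an open relay.
    case "$(cf_get "$cf" smtpd_recipient_restrictions) $(cf_get "$cf" smtpd_relay_restrictions)" in
        *reject_unauth_destination*) ;;
        *) echo "FINDING: neither smtpd_recipient_restrictions nor smtpd_relay_restrictions rejects unauthorised destinations (open relay)" ;;
    esac
    return 0
}

# finding_count FILE: number of FINDING lines (0 for a clean config)
finding_count() {
    audit_main_cf "$1" | grep -c '^FINDING' || true
}

# ehlo_offers_starttls FILE: succeed if the captured EHLO response lists STARTTLS
ehlo_offers_starttls() {
    tr -d '\r' <"$1" | grep -q '^250[- ]STARTTLS'
}

# ehlo_cleartext_auth FILE: print the password-bearing mechanisms (PLAIN, LOGIN)
# announced on the unencrypted session, from both the 250-AUTH and the legacy
# 250-AUTH= line; fail if none are offered
ehlo_cleartext_auth() {
    m=$(tr -d '\r' <"$1" | sed -n 's/^250[- ]AUTH=\{0,1\} *//p' | tr ' ' '\n' |
        grep -E '^(PLAIN|LOGIN)$' | sort -u)
    [ -n "$m" ] || return 1
    printf '%s\n' "$m"
}

# write_samples DIR: constructed copies of the page's main.cf additions, an
# assumed hardened variant, and the page's EHLO output as telnet showed it
write_samples() {
    cat >"$1/main.cf.page" <<'EOF'
# SASL
smtpd_sasl_auth_enable=yes
smtpd_recipient_restrictions=permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sasl_security_options=noanonymous
broken_sasl_auth_clients=yes
# TLS
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/postfix/smtpd.pem
smtpd_tls_cert_file = /etc/postfix/smtpd.pem
smtpd_tls_loglevel = 1
EOF
    cat >"$1/main.cf.hardened" <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_cert_file = /etc/postfix/smtpd.pem
EOF
    printf '%s\r\n' '220 mail.flag.com.tw ESMTP Postfix' '250-mail.flag.com.tw' \
        '250-STARTTLS' '250-AUTH CRAM-MD5 DIGEST-MD5 LOGIN PLAIN' \
        '250-AUTH=CRAM-MD5 DIGEST-MD5 LOGIN PLAIN' '250 DSN' >"$1/ehlo.txt"
}

# Demonstration on the constructed samples.
d=$(mktemp -d)
write_samples "$d"
for cf in page hardened; do
    echo "== main.cf.$cf: $(finding_count "$d/main.cf.$cf") finding(s)"
    audit_main_cf "$d/main.cf.$cf"
done
ehlo_offers_starttls "$d/ehlo.txt" && echo "EHLO: STARTTLS offered"
if m=$(ehlo_cleartext_auth "$d/ehlo.txt"); then
    echo "EHLO: cleartext-capable AUTH before STARTTLS: $(echo $m)"
fi
rm -rf "$d"
```

Run it with no arguments to see the page's config flagged and the hardened one pass; for a real host, feed its main.cf to audit_main_cf and a response saved from the telnet session to ehlo_cleartext_auth.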
