Linux(Centos6)上架设认证加密邮件服务器之加密
2013年12月26日
在阅读本文之前,请先阅读第一步:《CentOS6上架设认证加密邮件服务器之收发邮件》与第二步:《Centos6上架设认证加密邮件服务器之认证》。
当我们使用outlook、thunderbird等客户端从外部连接服务器时,用户名与密码有可能在传输过程中被窃取,所以对这段连接加密是有必要的。注意这里的加密只在邮件客户端与本服务器之间生效;本服务器与其他邮件服务器之间的通信并没有因此加密。
1 制作SSL证书
[root@srv certs]# cd /etc/pki/tls/certs/ ← 跳转到certs
[root@srv certs]# make dragreen.pem ← 服务器证书生成
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -utf8 -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
cat $PEM1 > dragreen.pem ; \
echo "" >> dragreen.pem ; \
cat $PEM2 >> dragreen.pem ; \
rm -f $PEM1 $PEM2
Generating a 2048 bit RSA private key
.............+++
....+++
writing new private key to '/tmp/openssl.EhqMMH'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN ← 国家名
State or Province Name (full name) []:Shanghai ← 省份
Locality Name (eg, city) [Default City]:Gaoxinqu ← 市区
Organization Name (eg, company) [Default Company Ltd]:Dragreen ← 公司名
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:srv.dragreen.com ← 主机域名
Email Address []:admin@dragreen.com ← 管理者邮箱地址
[root@srv certs]# ls -lh dragreen.pem ← 查看是否生成了证书(该文件同时包含私钥和证书,权限为600,只有root可读)
-rw------- 1 root root 3.1K 11月 30 16:27 2013 dragreen.pem
[root@srv certs]#
2 修改配置文件
在 /etc/postfix/main.cf 文件的最后面添加以下SSL加密设置
[root@srv certs]# vim /etc/postfix/main.cf
# sample_directory = /usr/share/doc/postfix-2.6.6/samples
# readme_directory: The location of the Postfix README files.
# readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
message_size_limit = 10485760
smtpd_use_tls = yes ← 添加
smtpd_tls_cert_file = /etc/pki/tls/certs/dragreen.pem ← 添加
smtpd_tls_key_file = /etc/pki/tls/certs/dragreen.pem ← 添加
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache ← 添加
修改 /etc/postfix/master.cf
vi /etc/postfix/master.cf
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp       inet  n       -       n       -       -       smtpd
#submission inet n       -       n       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps      inet  n       -       n       -       -       smtpd ← 去掉头部的#
  -o smtpd_tls_wrappermode=yes ← 去掉头部的#
  -o smtpd_sasl_auth_enable=yes ← 去掉头部的#
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       n       -       -       qmqpd
pickup     fifo  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       fifo  n       -       n       300     1       qmgr
#qmgr      fifo  n       -       n       300     1       oqmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr ← 去掉头部的#
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
修改 /etc/dovecot/conf.d/10-ssl.conf
[root@srv certs]# vim /etc/dovecot/conf.d/10-ssl.conf
##
## SSL settings
##

# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = yes ← 去掉#,使ssl有效

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </etc/pki/tls/certs/dragreen.pem ← 指定证书
ssl_key = </etc/pki/tls/certs/dragreen.pem ← 指定私钥(本文中私钥与证书在同一个文件里)

# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
# world-readable, you may want to place this setting instead to a different
# root owned 0600 file by using ssl_key_password = <path.
#ssl_key_password =
修改 /etc/dovecot/dovecot.conf
## Dovecot configuration file
# If you're in a hurry, see http://wiki.dovecot.org/QuickConfiguration
# "doveconf -n" command gives a clean output of the changed settings. Use it
# instead of copy&pasting files when posting to the Dovecot mailing list.
# '#' character and everything after it is treated as comments. Extra spaces
# and tabs are ignored. If you want to use either of these explicitly, put the
# value inside quotes, eg.: key = "# char and trailing whitespace "
# Default values are shown for each setting, it's not required to uncomment
# those. These are exceptions to this though: No sections (e.g. namespace {})
# or plugin settings are added by default, they're listed only as examples.
# Paths are also just examples with the real defaults being based on configure
# options. The paths listed here are for configure --prefix=/usr
# --sysconfdir=/etc --localstatedir=/var
# Protocols we want to be serving.
protocols = imap pop3 ← 虽然我们使用imaps和pop3s,但是dovecot设置不用加上这两个,否则反而在重启时发生错误。
# A comma separated list of IPs or hosts where to listen in for connections.
# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
# If you want to specify non-default ports or anything more complex,
# edit conf.d/master.conf.
#listen = *, ::
listen = * ← 添加这一行
# Base directory where to store runtime data.
#base_dir = /var/run/dovecot/
# Greeting message for clients.
#login_greeting = Dovecot ready.
修改 /etc/dovecot/conf.d/10-master.conf
# login user, so that login processes can't disturb other processes.
#default_internal_user = dovecot
service imap-login {
inet_listener imap {
port = 143 ← 打开imap端口
}
inet_listener imaps { ← 允许imaps,允许ssl
port = 993
ssl = yes
}
# Number of connections to handle before starting a new process. Typically
# the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
# is faster. <doc/wiki/LoginProcess.txt>
#service_count = 1
# Number of processes to always keep waiting for more connections.
#process_min_avail = 0
# If you set service_count=0, you probably need to grow this.
#vsz_limit = 64M
}
service pop3-login { ← 允许pop3,使ssl设置为yes,打开995端口
inet_listener pop3 {
port = 110
}
inet_listener pop3s { ← 允许pop3s
port = 995
ssl = yes
}
}
注意,要使imaps与pop3s有效,必须去掉ssl前面的#,不然dovecot有可能重启不了。
3 设置防火墙,打开 995,465,993,143端口
[root@srv certs]# vim /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 20022 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 11211 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
确认邮件服务所需的143,995,993,465端口已被开放。上面文件中的其他规则(如20022、11211端口)是本机原有的设置,与本文的邮件服务无关,请按自己的实际需要保留或删除,不要照搬。
4 重新启动postfix,dovecot
[root@srv ~]# /etc/rc.d/init.d/postfix restart
postfix を停止中:                                          [  OK  ]
postfix を起動中:                                          [  OK  ]
[root@srv ~]# /etc/rc.d/init.d/dovecot restart
Dovecot Imap を停止中:                                     [  OK  ]
Dovecot Imap を起動中:                                     [  OK  ]
[root@srv ~]#
结束,谢谢阅读!!