Setup smtps (with DNS configuration for IPv4 and IPv6)
2017-12-13 17:56
1. Configure DNS (IPv4 or IPv6)

1> cd /etc
2> vim named.conf

    options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { any; };
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
    };
    logging {
        channel default_debug {
            file "data/named.run";
            severity dynamic;
        };
    };
    zone "." IN {
        type hint;
        file "named.ca";
    };
    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";

3> vim /etc/named.rfc1912.zones

    zone "ssltest.com" IN {
        type master;
        file "ssltest.com.db";
        allow-update { none; };
    };
    # ipv6
    zone "smtpstest.com" IN {
        type master;
        file "smtpstest.com.db";
        allow-update { none; };
    };

4> cd /var/named/
5> cp -p named.localhost ssltest.com.db
6> vim ssltest.com.db

    $TTL 1D
    @       IN SOA  ns.ssltest.com. root (
                    0       ; serial
                    1D      ; refresh
                    1H      ; retry
                    1W      ; expire
                    3H )    ; minimum
    @       IN NS   ns.ssltest.com.
    ns      IN A    192.168.168.200
    mail    IN A    192.168.168.200
    pop3    IN CNAME mail        ; alias record
    smtp    IN CNAME mail
    @       IN MX 10 mail        ; mail exchanger

vim smtpstest.com.db (the IPv6 zone, smtpstest.com.db):

    $TTL 1D
    @       IN SOA  smtpstest.com. root (
                    20180307 ; serial
                    1D       ; refresh
                    1H       ; retry
                    1W       ; expire
                    3H )     ; minimum
    @       IN NS   ns.ssltest.com.
    ns      IN AAAA 2003:db93::100
    mail    IN AAAA 2003:db93::100
    pop3    IN CNAME mail
    smtp    IN CNAME mail
    @       IN MX 10 mail

service named restart
host -a mail.smtpstest.com

    Trying "mail.smtpstest.com"
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30164
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;mail.smtpstest.com.            IN      ANY

    ;; ANSWER SECTION:
    mail.smtpstest.com.     86400   IN      AAAA    2003:db93::100

    ;; AUTHORITY SECTION:
    smtpstest.com.          86400   IN      NS      ns.ssltest.com.

    Received 89 bytes from 2003:db93::100#53 in 1 ms

named-checkzone smtpstest.com smtpstest.com.db
named-checkzone can be used to verify that the zone file is correct.

7> Point the host's DNS at this server: vim /etc/resolv.conf

    search openstacklocal
    nameserver 192.168.168.200
    # ipv6
    nameserver 2003:db93::100

8> Change the host name (optional): vim /etc/sysconfig/network

    NETWORKING=yes
    NETWORKING_IPV6=no
    HOSTNAME=mail.ssltest.com
    GATEWAYDEV=eth0
    NOZEROCONF=yes

vim /etc/hosts

9> Create two users on the host:

    [root@mail named]# useradd user1
    [root@mail named]# echo "123" | passwd --stdin user1
    [root@mail named]# useradd user2
    [root@mail named]# echo "123" | passwd --stdin user2

10> Add reverse resolution: vim /etc/named.rfc1912.zones

    zone "168.168.192.in-addr.arpa" IN {
        type master;
        file "168.168.192.db";
    };

Be sure to remove the line allow-update { none; }; from this zone.

cp named.loopback 168.168.192.db
vim 168.168.192.db

    $TTL 1D
    @       IN SOA  ns.ssltest.com. root (
                    0       ; serial
                    1D      ; refresh
                    1H      ; retry
                    1W      ; expire
                    3H )    ; minimum
    @       IN NS   ns.ssltest.com.
    200     IN PTR  ns.ssltest.com.
    200     IN PTR  mail.ssltest.com.

Reverse resolution via nslookup 192.168.168.200:

    # nslookup 192.168.168.200
    Server:         192.168.168.200
    Address:        192.168.168.200#53

    200.168.168.192.in-addr.arpa    name = ns.ssltest.com.
    200.168.168.192.in-addr.arpa    name = mail.ssltest.com.

You may run into the error "*** Can't find 20.1.16.172.in-addr.arpa.: No answer"; fix the file permissions: chmod 664 1.16.172.db

2. Install and configure cyrus-sasl

# Install the cyrus-sasl authentication mechanism
yum -y install cyrus-sasl-plain cyrus-sasl-devel

# Add log_level (optional)
vi /etc/sasl2/smtpd.conf

    log_level: 3            # can also be skipped
    pwcheck_method: saslauthd
    mech_list: plain login

# Start the service and add it to the boot list
service saslauthd start && chkconfig saslauthd on

3. Next, issue a certificate for the server so that traffic is encrypted.

1> yum -y install openssl openssl-devel
2> mkdir -p /etc/tls/
3> cd /etc/tls/
4> openssl req -new -x509 -nodes -out mail_cert.pem

Output (two earlier attempts were aborted with ^C; only the completed run is shown):

    [root@VTB528-PC2 tls]# openssl req -new -x509 -nodes -out mail_cert.pem
    Generating a 2048 bit RSA private key
    ........+++
    .........................................+++
    writing new private key to 'privkey.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:Shanghai
    Locality Name (eg, city) [Default City]:Shanghai
    Organization Name (eg, company) [Default Company Ltd]:SNWL
    Organizational Unit Name (eg, section) []:AUTO
    Common Name (eg, your name or your server's hostname) []:mail.ssltest.com
    Email Address []:auto@mail.ssltest.com

5> Fix the permissions: chmod 600 *

4. Configure Postfix and Dovecot

vi /etc/postfix/main.cf

    myhostname = mail.ssltest.com
    mydomain = ssltest.com
    myorigin = $mydomain
    inet_interfaces = all
    mydestination = $myhostname, $mydomain
    # line 419: uncomment, mail storage directory
    home_mailbox = Maildir/
    # append the following at the end of the file

    # SSL/TLS configuration
    # The first half configures TLS for the system acting as a server, receiving from
    # clients and other mail servers; the second half enables TLS for the server acting
    # as a client when sending mail outward.
    ############### SSL/TLS config, added by Cathy ###################
    smtpd_use_tls = yes
    smtpd_tls_security_level = may
    smtpd_tls_loglevel = 3
    smtpd_tls_session_cache_timeout = 3600s
    smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
    smtpd_tls_cert_file = /etc/tls/mail_cert.pem
    smtpd_tls_key_file = /etc/tls/privkey.pem
    tls_random_source = dev:/dev/urandom
    tls_daemon_random_source = dev:/dev/urandom
    smtpd_tls_auth_only = yes
    ### SMTP authentication
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    broken_sasl_auth_clients = yes
    #smtpd_sasl_type = dovecot
    #smtpd_sasl_path = private/auth
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    ################## SSL/TLS config, added by Cathy ################

vi /etc/postfix/master.cf

    smtps     inet  n       -       n       -       -       smtpd
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes

service postfix restart

    certs]# netstat -tnlp | grep master
    tcp        0      0 127.0.0.1:25       0.0.0.0:*     LISTEN      10146/master
    tcp        0      0 127.0.0.1:465      0.0.0.0:*     LISTEN      10146/master

5. Install and configure Dovecot

1> yum -y install dovecot
2> vi /etc/dovecot/conf.d/10-ssl.conf

    ssl = required
    ssl_cert = </etc/tls/mail_cert.pem
    ssl_key = </etc/tls/privkey.pem

3> Configure the mailbox directory: vi /etc/dovecot/conf.d/10-mail.conf

    mail_location = maildir:~/Maildir

4> Uncomment the pop3s and imaps listeners: vi /etc/dovecot/conf.d/10-master.conf

    inet_listener imaps {
      port = 993
      ssl = yes
    }
    inet_listener pop3s {
      port = 995
      ssl = yes
    }

5> Start Dovecot and add it to the boot list: service dovecot start && chkconfig dovecot on
6> Check the listening ports: netstat -tnlp | grep dovecot

6. Testing

    [root@VTB511-PC1 certs]# telnet 192.168.168.200 25
    Trying 192.168.168.200...
    Connected to 192.168.168.200.
    Escape character is '^]'.
    220 mail.ssltest.com ESMTP Postfix
    EHLO mail.ssltest.com
    250-mail.ssltest.com
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    mail from:<user1@mail.ssltest.com>
    250 2.1.0 Ok
    rcpt to:<user2@mail.ssltest.com>
    250 2.1.5 Ok
    data
    354 End data with <CR><LF>.<CR><LF>
    From:user1@mail.ssltest.com
    TO:user2@mail.ssltest.com
    Subject:test1
    test1
    .
    250 2.0.0 Ok: queued as 5C1E8A403
    ^]
    telnet> q

For SSL/TLS-encrypted connections such as SMTPS and POP3S, the test has to go through openssl, as follows:

1> Before connecting, compute the base64 encoding of the username and password; they are needed for AUTH LOGIN below:

    ~]# perl -MMIME::Base64 -e "print encode_base64('user1@mail.ssltest.com');"
    dXNlcjFAbWFpbC5zc2x0ZXN0LmNvbQ==
    ~]# perl -MMIME::Base64 -e "print encode_base64('123');"
    MTIz

Or run:

    ~]# echo -n user1@mail.ssltest.com | base64
    dXNlcjFAbWFpbC5zc2x0ZXN0LmNvbQ==
    ~]# echo -n 123 | base64
    MTIz

2> openssl s_client -connect mail.ssltest.com:465

    CONNECTED(00000003)
    depth=0 C = CN, ST = Shanghai, L = Shanghai, O = SNWL, OU = AUTO, CN = mail.ssltest.com, emailAddress = auto@mail.ssltest.com
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 C = CN, ST = Shanghai, L = Shanghai, O = SNWL, OU = AUTO, CN = mail.ssltest.com, emailAddress = auto@mail.ssltest.com
    verify return:1
    ---
    Certificate chain
     0 s:/C=CN/ST=Shanghai/L=Shanghai/O=SNWL/OU=AUTO/CN=mail.ssltest.com/emailAddress=auto@mail.ssltest.com
       i:/C=CN/ST=Shanghai/L=Shanghai/O=SNWL/OU=AUTO/CN=mail.ssltest.com/emailAddress=auto@mail.ssltest.com
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    (certificate body omitted)
    -----END CERTIFICATE-----
    subject=/C=CN/ST=Shanghai/L=Shanghai/O=SNWL/OU=AUTO/CN=mail.ssltest.com/emailAddress=auto@mail.ssltest.com
    issuer=/C=CN/ST=Shanghai/L=Shanghai/O=SNWL/OU=AUTO/CN=mail.ssltest.com/emailAddress=auto@mail.ssltest.com
    ---
    No client certificate CA names sent
    Server Temp Key: DH, 1024 bits
    ---
    SSL handshake has read 1872 bytes and written 447 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : DHE-RSA-AES256-SHA
        Session-ID: 477EC39DAC110AAD6C18EE22D7D950AA1AE4D39FEB5ACF902ACCFE8FBB847F57
        Session-ID-ctx:
        Master-Key: F2546AC6D931BA9ABF738486BEFAF4F3C3AA85CC88C4EE64808DD878268217AB5712DC10B302BABE3CFE03AABC890698
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        TLS session ticket lifetime hint: 3600 (seconds)
        TLS session ticket:
        (session ticket hex dump omitted)

        Start Time: 1520240363
        Timeout   : 300 (sec)
        Verify return code: 18 (self signed certificate)
    ---
    220 mail.ssltest.com ESMTP Postfix        (continue once this line appears)
    EHLO localhost
    250-mail.ssltest.com
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    auth login
    334 VXNlcm5hbWU6
    emhhbmczQG1haWwuc3NsdGVzdC5jb20=          (the base64 computed earlier)
    334 UGFzc3dvcmQ6
    emhhbmcz
    235 2.7.0 Authentication successful
    mail from:<zhang3@mail.ssltest.com>
    250 2.1.0 Ok
    rcpt to:<li4@mail.ssltest.com>
    250 2.1.5 Ok
    data
    354 End data with <CR><LF>.<CR><LF>
    From:zhang3@mail.ssltest.com
    TO:li4@mail.ssltest.com
    Subject:test1
    test1
    .                                          (this dot is required: it ends the message body; then press Enter)
    250 2.0.0 Ok: queued as 55EDBA404
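The two EHLO replies above are the observable effect of smtpd_tls_auth_only = yes: AUTH is absent on plaintext port 25 and offered only inside the TLS session on 465. The following Python script, added here and not part of the original post, parses such replies and reports a server that offers AUTH before TLS; the sample replies are transcribed from the sessions above, and login_tokens/decode_challenge reproduce the base64 step of AUTH LOGIN.

```python
import base64
import re

# Constructed sample EHLO replies, transcribed from this guide's two test sessions (plaintext port 25 via telnet, TLS-wrapped port 465 via openssl s_client).
PLAIN_EHLO = """250-mail.ssltest.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

TLS_EHLO = """250-mail.ssltest.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""


def parse_ehlo(reply):
    """Map EHLO keywords to parameters, e.g. {'AUTH': ['PLAIN', 'LOGIN']}.
    Lines are '250-KEYWORD params' or, for the last one, '250 KEYWORD'; the first
    line carries the server name (stored as 'HOSTNAME'). 'AUTH=PLAIN LOGIN' is the
    legacy spelling Postfix adds for broken_sasl_auth_clients = yes (key 'AUTH=')."""
    caps = {}
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        m = re.match(r"^250[ -](.*)$", line)
        if not m:
            raise ValueError("not an EHLO reply line: %r" % line)
        body = m.group(1)
        if i == 0:
            caps["HOSTNAME"] = [body.split()[0]]
        elif body.startswith("AUTH="):
            caps["AUTH="] = body[5:].split()
        else:
            key, *params = body.split()
            caps[key] = params
    return caps


def check_auth_policy(plain_reply, tls_reply):
    """Findings against what this guide's Postfix settings should produce:
    no AUTH on the plaintext port (smtpd_tls_auth_only = yes), STARTTLS offered there
    (smtpd_use_tls = yes), AUTH offered inside TLS on 465. Empty list = as configured."""
    plain, tls = parse_ehlo(plain_reply), parse_ehlo(tls_reply)
    findings = []
    if "AUTH" in plain or "AUTH=" in plain:
        findings.append("plaintext port advertises AUTH: credentials would be sent unencrypted")
    if "STARTTLS" not in plain:
        findings.append("plaintext port does not advertise STARTTLS")
    if "AUTH" not in tls:
        findings.append("TLS port does not advertise AUTH")
    elif not {"PLAIN", "LOGIN"} & set(tls["AUTH"]):
        findings.append("TLS port offers AUTH without the PLAIN/LOGIN mechanisms from mech_list")
    return findings


def login_tokens(user, password):
    """The two base64 strings a client sends after the 334 challenges of AUTH LOGIN."""
    return (base64.b64encode(user.encode()).decode(),
            base64.b64encode(password.encode()).decode())


def decode_challenge(line):
    """Decode a '334 <base64>' server challenge to see what it asks for."""
    code, _, payload = line.partition(" ")
    if code != "334":
        raise ValueError("not a 334 challenge: %r" % line)
    return base64.b64decode(payload).decode()
```

To check a live server, capture the EHLO reply from port 25 and from port 465 (as in the two sessions above) and pass both texts to check_auth_policy.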