環境:
OS:Centos 6.4 x64
packet:Postfix 2.6.6
cyrus-sasl-2.1.23
dovecot-2.0.9
openssl-1.0.0
Domain:vqiu.cn
hostname:mail.vqiu.cn
準備工作:
>>將 DNS 的 MX 解析與計算機名稱配置好(略)
>>配置 NTP,參照 Linux 時間札記
1、安裝配置 cyrus-sasl
#安裝cyrus-sasl認證機制
[root@vqiu tls]# yum -y install cyrus-sasl-plain cyrus-sasl-devel
#加入log_level
[root@vqiu tls]# vi /etc/sasl2/smtpd.conf(可跳過)
-----------------------------------------------分割線-------------------------------------------------
log_level: 3 //也可以跳過
pwcheck_method: saslauthd
mech_list: plain login
-----------------------------------------------分割線-------------------------------------------------
#啓動並加入到開機加載列表
[root@vqiu tls]# service saslauthd start && chkconfig saslauthd on
2、 安裝openssl 並建立密鑰與證書
#yum 安裝openssl 套件
[root@vqiu ~]# yum -y install openssl openssl-devel
#創建密鑰與證書存放目錄
[root@vqiu tls]# mkdir /etc/tls/ -p
#進入該建立目錄
[root@vqiu ~]# cd /etc/tls/
#生成密鑰與證書,根據嚮導輸入相關的信息,其中證書名稱爲mail_cert.pem
[root@vqiu tls]# openssl req -new -x509 -nodes -out mail_cert.pem
-----------------------------------------------分割線-------------------------------------------------
Generating a 2048 bit RSA private key
................................+++
...........................+++
writing new private key to 'privkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Guangdong
Locality Name (eg, city) [Default City]:dongguan
Organization Name (eg, company) [Default Company Ltd]:vqiu
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:mail.vqiu.cn
Email Address []:IT@vqiu.cn
-----------------------------------------------分割線-------------------------------------------------
[root@vqiu tls]# ls -l
-rw-r--r-- 1 root root 1415 Nov 5 16:14 mail_cert.pem #< ======證書
-rw-r--r-- 1 root root 1704 Nov 5 16:14 privkey.pem #< ======私鑰
#權限設定
[root@vqiu tls]# chmod 0600 privkey.pem
#配置postfix
[root@vqiu /]# vi /etc/postfix/main.cf
-----------------------------------------------分割線-------------------------------------------------
#SSL/TLS配置
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_loglevel=3
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
smtpd_tls_cert_file = /etc/tls/mail_cert.pem
smtpd_tls_key_file = /etc/tls/privkey.pem
tls_random_source = dev:/dev/urandom
tls_daemon_random_source = dev:/dev/urandom
smtpd_tls_auth_only = yes #<=====僅允許在 TLS 加密連線上進行 SASL 認證(因 smtpd_tls_security_level = may,未加密的 SMTP 連線仍可投遞,但不可認證;此箭頭註解為說明,勿寫入 main.cf)
#SMTP認證配置
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_unauth_destination
-----------------------------------------------分割線-------------------------------------------------
#配置master.cf
[root@vqiu /]# vi /etc/postfix/master.cf
-----------------------------------------------分割線-------------------------------------------------
smtps inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-----------------------------------------------分割線-------------------------------------------------
#啓動或從新啓動postfix
[root@vqiu /]# service postfix restart
#查看監聽端口
[root@vqiu tls]# netstat -tnlp | grep master
#客戶端測試
3、 安裝配置dovecot
[root@vqiu /]# yum -y install dovecot
[root@vqiu /]# vi /etc/dovecot/conf.d/10-ssl.conf
ssl = required
ssl_cert = < /etc/tls/mail_cert.pem
ssl_key = < /etc/tls/privkey.pem
#配置收件目錄
[root@vqiu tls]# vi /etc/dovecot/conf.d/10-mail.conf
mail_location = maildir:~/Maildir
#取消pop3s imaps註釋信息
[root@vqiu tls]# vi /etc/dovecot/conf.d/10-master.conf
-----------------------------------------------分割線-------------------------------------------------
inet_listener imaps {
port = 993
ssl = yes
}
inet_listener pop3s {
port = 995
ssl = yes
}
-----------------------------------------------分割線-------------------------------------------------
#啓動dovecot 並加入開機列表
[root@vqiu tls]# service dovecot start && chkconfig dovecot on
#查看監聽端口
[root@vqiu tls]# netstat -tnlp | grep dovecot
4、創建帳號並測試
[root@vqiu tls]# groupadd mail_users && useradd -s /sbin/nologin -g mail_users zhang3
[root@vqiu tls]# echo "zhang3.." | passwd --stdin zhang3
[root@vqiu tls]# useradd -s /sbin/nologin -g mail_users li4
[root@vqiu tls]# echo "lisi.." | passwd --stdin li4