基於ssl/tls的postfix 服務配置筆記

環境：
OS：Centos 6.4 x64
packet:Postfix 2.6.6
cyrus-sasl-2.1.23
dovecot-2.0.9
openssl-1.0.0
Domain:vqiu.cn
hostname:mail.vqiu.cn

 

 

 

 

 

準備工做：

         >>將DNS 的MX 解析並計算機名稱配置好（略）

         >>配置NTP  參照　linux 時間軋記  

 

1、安裝配置 cyrus-sasl

#安裝cyrus-sasl認證機制
[root@vqiu tls]# yum -y install cyrus-sasl-plain cyrus-sasl-devel

#加入log_level
[root@vqiu tls]# vi /etc/sasl2/smtpd.conf（可跳）

-----------------------------------------------分割線-------------------------------------------------
log_level: 3 //也能夠跳過

pwcheck_method: saslauthd

mech_list: plain login
-----------------------------------------------分割線-------------------------------------------------

#啓動並加入到開機加載列表

[root@vqiu tls]# service saslauthd start && chkconfig saslauthd on

 

2、 安裝openssl 並建立密鑰與證書

#yum 安裝openssl 套件

[root@vqiu ~]# yum -y install openssl openssl-devel

#創建密鑰與證書存放目錄

[root@vqiu tls]# mkdir /etc/tls/ -p

#進入該建立目錄

[root@vqiu ~]# cd /etc/tls/

#生成密鑰與證書，根據嚮導輸入相關的信息，其中證書名稱爲mail_cert.pem

[root@vqiu tls]# openssl req -new -x509 -nodes -out mail_cert.pem

-----------------------------------------------分割線-------------------------------------------------

Generating a 2048 bit RSA private key

................................+++

...........................+++

writing new private key to 'privkey.pem'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:Guangdong

Locality Name (eg, city) [Default City]:dongguan

Organization Name (eg, company) [Default Company Ltd]:vqiu

Organizational Unit Name (eg, section) []:IT

Common Name (eg, your name or your server's hostname) []:mail.vqiu.cn

Email Address []:IT@vqiu.cn

-----------------------------------------------分割線-------------------------------------------------

 

[root@vqiu tls]# ls -l

-rw-r--r-- 1 root root 1415 Nov  5 16:14 mail_cert.pem #< ======證書

-rw-r--r-- 1 root root 1704 Nov  5 16:14 privkey.pem  #< ======私鑰

 

#權限設定

[root@vqiu tls]# chmod 0600 privkey.pem

#配置postfix

[root@vqiu /]# vi /etc/postfix/main.cf

-----------------------------------------------分割線-------------------------------------------------

 

#SSL/TSL配置

smtpd_use_tls = yes

smtpd_tls_security_level = may

smtpd_tls_loglevel=3

smtpd_tls_session_cache_timeout = 3600s

smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache

smtpd_tls_cert_file = /etc/tls/mail_cert.pem

smtpd_tls_key_file =  /etc/tls/privkey.pem

tls_random_source = dev:/dev/urandom

tls_daemon_random_source = dev:/dev/urandom

smtpd_tls_auth_only = yes #<=====強制啓用TLS

 

#SMTP認證配置

smtpd_sasl_auth_enable = yes

smtpd_sasl_security_options = noanonymous

broken_sasl_auth_clients = yes

smtpd_recipient_restrictions =

     permit_mynetworks,

     permit_sasl_authenticated,

     reject_unknown_sender_domain,

     reject_unknown_recipient_domain,

     reject_unauth_destination

-----------------------------------------------分割線-------------------------------------------------

#配置master.cf

[root@vqiu /]# vi /etc/postfix/master.cf

-----------------------------------------------分割線-------------------------------------------------

smtps     inet  n       -       n       -       -       smtpd

  -o smtpd_tls_wrappermode=yes

  -o smtpd_sasl_auth_enable=yes

-----------------------------------------------分割線-------------------------------------------------

#啓動或從新啓動postfix

[root@vqiu /]# service postfix restart

#查看監聽端口
[root@vqiu tls]# netstat -tnlp | grep master

 

 #客戶端測試

 

3、 安裝配置dovecot

[root@vqiu /]# yum -y install dovecot

      [root@vqiu /]# vi /etc/dovecot/conf.d/10-ssl.conf

ssl = required                             

ssl_cert = < /etc/tls/mail_cert.pem

ssl_key = < /etc/tls/privkey.pem

#配置收件目錄

[root@vqiu tls]# vi /etc/dovecot/conf.d/10-mail.conf

   mail_location = maildir:~/Maildir

#取消pop3s imaps註釋信息

[root@vqiu tls]# vi /etc/dovecot/conf.d/10-master.conf
-----------------------------------------------分割線-------------------------------------------------

  inet_listener imaps {

    port = 993

    ssl = yes

  }

  inet_listener pop3s {

    port = 995

    ssl = yes

  }
-----------------------------------------------分割線-------------------------------------------------

#啓動dovecot 並加入開機列表

[root@vqiu tls]# service dovecot start && chkconfig dovecot on

         #查看監聽端口

[root@vqiu tls]# netstat -tnlp | grep dovecot

 

 

4、創建帳號並測試

[root@vqiu tls]# groupadd mail_users && useradd -s /sbin/nologin -g mail_users zhang3

[root@vqiu tls]# echo "zhang3.." | passwd --stdin zhang3

[root@vqiu tls]# useradd -s /sbin/nologin -g mail_users li4

[root@vqiu tls]# echo "lisi.." | passwd --stdin li4