kn007 avatar

[Postfix进阶]SMTP TLS 加密

kn007

Published: 17 Sept 2016 › Updated: 17 Sept 2016[Postfix进阶]SMTP TLS 加密

[Postfix进阶]SMTP TLS 加密

2ebnf37892843gmef
这篇文章的基础在于之前几篇进阶文章上进行,可通过《进阶的Postfix小结》查看。

首先先要构建VPS的CA,最好能对根证书进行签名(利用Cacert或者StartSSL),我的只是单纯的自签名,反正凑个数,加个密。本来就是自用的。

那么先将默认CA删除,创建新的CA。
rm -rf /etc/pki/CA
/etc/pki/tls/misc/CA -newca
根据提示回答一些问题(注意不要乱写,有用的),会创建完整的CA目录,并创建自签名的根证书cacert.pem。cacert.pem的位置在/etc/pki/CA/cacert.pem。

接下来,利用命令openssl来创建公私钥,最大貌似只能365天。
mkdir -p /CA &&cd /CA/
openssl req -new -nodes -keyout mailkey.pem -out mailreq.pem -days 365
核发证书,进行签名:
openssl ca -out mail_signed_cert.pem -infiles mailreq.pemmail_signed_cert.pem就是CA核发的证书,私钥文件是mailkey.pem,注意要特别保护,而mailreq.pem是申请证书文件,已无作用。注意回答的问题,要与CA一致,hostname可为mx.kn007.net,而不需一定为kn007.net,请根据MX记录和其他实际情况设定,谢谢。

修改Postfix的配置文件,main.cf,添加:
#SSL/TLS
smtp_use_tls = yes
smtp_tls_cert_file = /CA/mail_signed_cert.pem
smtp_tls_key_file =/CA/mailkey.pem
smtp_tls_CAfile = /etc/pki/CA/cacert.pem
smtp_tls_note_starttls_offer = yes
smtpd_use_tls = yes
smtpd_enforce_tls = yes
smtpd_tls_security_level = may
smtpd_tls_loglevel = 3
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
smtpd_tls_cert_file = /CA/mail_signed_cert.pem
smtpd_tls_key_file =/CA/mailkey.pem
smtpd_tls_CAfile = /etc/pki/CA/cacert.pem
tls_random_source = dev:/dev/urandom
tls_daemon_random_source = dev:/dev/urandom
tls_append_default_CA = yes
smtpd_tls_auth_only = yes
smtpd_tls_ask_cert = yes
smtpd_tls_received_header = yes
下面是master.cf,将配置中的几个“#”号去掉,如下所示。
smtps inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
最后重启下Postfix即可。

可通过https://ssl-tools.net/mailservers查看。

我的证书因为是自签名(Certificate is self-signed),并且没有通过国际认证,所以Root certificate unknown。但已经通过TLS检测。

苦逼,因为利用外部工具测试次数过多,居然上了Spamhaus XBL Blacklist中的CBL和ZEN。。。

貌似是被189举报的,189这傻叉用的又是21cn。。贱逼。

XBL通知说不能手动删除,原文如下。
IP Address 162.250.97.124 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.
It was last detected at 2014-07-09 17:00 GMT (+/- 30 minutes), approximately 12 hours, 30 minutes ago.
These listings cannot be self-delisted. You will have to wait for it to expire. Expiration takes place 8-12 days after most recent listing.
另外添加了rDNS记录,解决发信出现“由xxx@xxx.xxx代发”字样。

其他测试等强烈建议看《进阶的Postfix小结》。

贴上专业SMTP测试结果,测试地址见上面帖子。
postfix-smtp-check

Leave [Postfix进阶]SMTP TLS 加密 to:

Written by

Read more #postfix posts


Best Posts From kn007

We have not curated any of kn007's posts yet. But you can encourage our curation team to review posts by visiting them regularly and by referring other readers. Because we give priority to frequently read content.

More Posts From kn007