編譯
make tidy
make makefiles CCARGS="-DUSE_TLS -I//usr/include/openssl/" AUXLIBS="-L/usr/lib -lssl -lcrypto"
已有 postfix的話只作更新即可
make upgrade
find /usr/ -name ssl.*
/usr/include/openssl/ssl.h
/usr/lib/libssl.so
/usr/lib/libssl.a
[1.] vi /etc/postfix/main.cf
# Announce STARTTLS to SMTP clients without requiring it. On Postfix 2.3 and
# later this parameter is superseded by smtpd_tls_security_level = may.
smtpd_use_tls = yes
# RSA
# Certificate and private key are read from the same PEM file. That file holds
# the private key, so it should be readable by root only.
# NOTE(review): the file name suggests the Cyrus IMAP certificate is reused, in
# which case both services share one key; confirm this is intended.
smtpd_tls_cert_file = /usr/share/ssl/certs/cyrus-imapd.pem
smtpd_tls_key_file = /usr/share/ssl/certs/cyrus-imapd.pem
# DSA
#smtpd_tls_dcert_file = /usr/share/ssl/certs/cyrus-imapd.pem
#smtpd_tls_dkey_file = /usr/share/ssl/certs/cyrus-imapd.pem
# CA certificates the server trusts, taken from the system CA bundle.
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
# Entropy source used to seed the TLS pseudo-random number generator.
tls_random_source = dev:/dev/urandom
# debug,default = 0
# Level 2 is a troubleshooting setting; set it back to 0 or 1 once TLS works.
smtpd_tls_loglevel = 2
# To add TLS information to the mail Received: header
#smtpd_tls_received_header = yes
[2.] Server-side TLS activity logging
vi /etc/postfix/main.cf
smtpd_tls_loglevel = 0
參數說明(平時建議用 0 或 1;2 以上只在除錯時暫時開啟,因為 3、4 會把交握過程甚至 STARTTLS 之後的完整傳輸內容寫進日誌):
0 Disable logging of TLS activity.
1 Log TLS handshake and certificate information.
2 Log levels during TLS negotiation.
3 Log hexadecimal and ASCII dump of TLS negotiation process
4 Log hexadecimal and ASCII dump of complete transmission after STARTTLS
[3.] vi /etc/postfix/master.cf
smtps inet n - n - - smtpd
  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
[4.] Postfix reload
[5.] 測試 telnet localhost 25
ehlo xx
..
.250-STARTTLS
openssl s_client -starttls smtp -CApath /usr/share/ssl/certs -connect localhost:25
只在 TLS 加密連線建立後才提供 SMTP AUTH,避免帳號密碼以明文傳送:
smtpd_tls_auth_only =yes