Compile

   make tidy

   make makefiles CCARGS="-DUSE_TLS -I/usr/include/openssl/" AUXLIBS="-L/usr/lib -lssl -lcrypto"

 

If Postfix is already installed, an upgrade is all that is needed:

   make upgrade

 

find /usr/ -name ssl.*

/usr/include/openssl/ssl.h

/usr/lib/libssl.so

/usr/lib/libssl.a

[1.] vi /etc/postfix/main.cf

smtpd_use_tls = yes

 

# RSA
smtpd_tls_cert_file = /usr/share/ssl/certs/cyrus-imapd.pem
smtpd_tls_key_file = /usr/share/ssl/certs/cyrus-imapd.pem

 

# DSA

#smtpd_tls_dcert_file = /usr/share/ssl/certs/cyrus-imapd.pem
#smtpd_tls_dkey_file = /usr/share/ssl/certs/cyrus-imapd.pem

 

smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

 

tls_random_source = dev:/dev/urandom

 

# debug, default = 0

smtpd_tls_loglevel = 2

 

# To add TLS information to the mail headers

#smtpd_tls_received_header = yes

[2.] Server-side TLS activity logging

         vi /etc/postfix/main.cf

smtpd_tls_loglevel = 0

Parameter values:

0 Disable logging of TLS activity.
1 Log TLS handshake and certificate information.
2 Log levels during TLS negotiation.
3 Log hexadecimal and ASCII dump of TLS negotiation process
4 Log hexadecimal and ASCII dump of complete transmission after STARTTLS

[3.] vi /etc/postfix/master.cf

smtps inet n - n - - smtpd
    -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes

[4.] postfix reload

 

[5.] Test: telnet localhost 25

ehlo xx
..
.

250-STARTTLS

      openssl s_client -starttls smtp -CApath /usr/share/ssl/certs -connect localhost:25

 

      Offer SMTP AUTH only over TLS

smtpd_tls_auth_only = yes
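
A check for the main.cf settings edited above, as an added example that is not part of the original post: it reads the effective (last-defined) value of each parameter and reports what is left weak. The helper names, the sample file and the choice to flag log level 2 or higher are assumptions of this example.

```shell
#!/bin/sh
# Added example; main_cf_get and audit_smtpd_tls are hypothetical helper names.

# Print the effective value of one main.cf parameter. Postfix remembers only
# the last definition of a name. Comment lines and continuation lines
# (leading whitespace) are skipped, which suffices for one-line settings.
main_cf_get() {
    awk -v want="$2" '
        /^[ \t]*#/ || /^[ \t]/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name == want) found = val
        }
        END { print found }' "$1"
}

# Print one line per finding; the return status is the number of findings.
audit_smtpd_tls() {
    cf=$1; n=0
    [ "$(main_cf_get "$cf" smtpd_use_tls)" = yes ] ||
        { echo "smtpd_use_tls is not yes: STARTTLS is not offered"; n=$((n + 1)); }
    [ "$(main_cf_get "$cf" smtpd_tls_auth_only)" = yes ] ||
        { echo "smtpd_tls_auth_only is not yes: AUTH is offered without TLS"; n=$((n + 1)); }
    lvl=$(main_cf_get "$cf" smtpd_tls_loglevel)
    case "${lvl:-0}" in          # unset means the default, 0
        0|1) ;;
        *) echo "smtpd_tls_loglevel=$lvl: debug logging left on"; n=$((n + 1)) ;;
    esac
    return "$n"
}

# Constructed sample in the page's order: loglevel 2 in step 1, 0 in step 2.
sample=$(mktemp)
cat > "$sample" <<'EOF'
smtpd_use_tls = yes
smtpd_tls_loglevel = 2
#smtpd_tls_received_header = yes
smtpd_tls_loglevel = 0
smtpd_tls_auth_only =yes
EOF
echo "effective smtpd_tls_loglevel: $(main_cf_get "$sample" smtpd_tls_loglevel)"
audit_smtpd_tls "$sample" || echo "findings: $?"
```

If the two smtpd_tls_loglevel lines end up in the opposite order, level 2 is the one in effect and the audit reports it.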
