Postfix TLS SMTP

配置Postfix(SMTP)支持SSL

安装OpenSSL-Perl

yum install -y openssl-perl

会在/etc/pki/tls/misc/目录下生成CA.pl脚本，让你可以自己开设 CA，自己签署自己的证书。

生成服务器根证书

# cd /etc/pki/tls/misc/
# ./CA -newca
CA certificate filename (or enter to create)      #按回车开始
#在下面的设置过程中，输错了可以按ctrl+backspce进行删除
Making CA certificate ...
Generating a 2048 bit RSA private key
..............................+++
................+++
writing new private key to ‘/etc/pki/CA/private/cakey.pem‘
Enter PEM pass phrase:123456                      #输入密码，至少4个字符
Verifying - Enter PEM pass phrase:123456          #重复输入密码
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                #输入国家
State or Province Name (full name) []:Guangdong     #输入省份
Locality Name (eg, city) [Default City]:Guangzhou   #输入城市
Organization Name (eg, company) [Default Company Ltd]:gzydt  #输入公司名
Organizational Unit Name (eg, section) []:tect      #输入部门名
Common Name (eg, your name or your server s hostname) []:admin   #输入你的名字或服务器名
Email Address []:                                  #输入邮箱账号（可不填）
Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []:                           #输入证书请求密码（可不填）
An optional company name []:                       #输入可选公司名（可不填）
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:123456 #输入前面设的密码123456
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 14986867786496351857 (0xcffc0cd915dc1e71)
        Validity
            Not Before: Nov 28 02:06:59 2014 GMT
            Not After : Nov 27 02:06:59 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = zhejiang
            organizationName          = yourmail
            organizationalUnitName    = it
            commonName                = root
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                12:6E:1A:A9:98:79:E1:A6:82:7E:A4:D8:FD:44:5D:57:FF:4B:46:69
            X509v3 Authority Key Identifier: 
                keyid:12:6E:1A:A9:98:79:E1:A6:82:7E:A4:D8:FD:44:5D:57:FF:4B:46:69
            X509v3 Basic Constraints: 
                CA:TRUE
Certificate is to be certified until Nov 27 02:06:59 2017 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated

说明：显示上面资料表示成功，否则失败；失败时删除cakey.pem后重新执行CA

# rm -f /etc/pki/CA/private/cakey.pem 
# cd /etc/pki/tls/misc/
# ./CA -newca

创建证书目录，将生成的根证书复制进去

# mkdir /etc/pki/myca
# cp /etc/pki/CA/cacert.pem /etc/pki/myca

生成私钥和CSR证书签署请求文件

# cd /etc/pki/myca
# openssl req -new -nodes -keyout mailkey.pem -out mailreq.pem -days 3650
Generating a 2048 bit RSA private key
...................................+++
....................+++
writing new private key to ‘mailkey.pem‘
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Guangdong
Locality Name (eg, city) [Default City]:Guangzhou
Organization Name (eg, company) [Default Company Ltd]:gzydt
Organizational Unit Name (eg, section) []:tech
Common Name (eg, your name or your server s hostname) []:admin
Email Address []:                                   # 不填，直接回车
Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []:                            # 不填，直接回车
An optional company name []:                        # 不填，直接回车

参数说明

• -new表示你想产生公私钥与CSR
• -nodes表示不加密
• -keyout指出私钥文件
• -out指出CSR文件的名称
• -days指出证书的有效期限是10年

查看生成的文件：

# cd /etc/pki/myca
# ll
总用量 16
-rw-r--r--. 1 root root 4291 12月  2 14:08 cacert.pem  #根证书
-rw-r--r--. 1 root root 1704 12月  2 14:09 mailkey.pem #私钥
-rw-r--r--. 1 root root  997 12月  2 14:09 mailreq.pem #CSR文件

签署CSR文件

# cd /etc/pki/myca
# openssl ca -out mailcert.pem -infiles mailreq.pem
...
failed to update database
TXT_DB error number 2

产生的原因是：证书的设置相同，导致subject值相同

解决方法：
将“唯一主题”设置为不必须：# vim /etc/pki/CA/index.txt.attr

unique_subject = no   # yes改为no

再次执行：openssl ca -out mailcert.pem -infiles mailreq.pem

查看生成文件：ll /etc/pki/myca

-rw-r--r--. 1 root root 4291 12月  2 14:08 cacert.pem   #根证书
-rw-r--r--. 1 root root 4430 12月  2 14:11 mailcert.pem #公钥
-r--------. 1 root root 1704 12月  2 14:09 mailkey.pem  #私钥
-rw-r--r--. 1 root root  997 12月  2 14:09 mailreq.pem  #CSR文件

配置postfix

添加main.cf配置

#vim /etc/postfix/main.cf

在末尾加入下面配置

# Postfix作为SMTP服务端的TLS配置
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/pki/myca/mailkey.pem
smtpd_tls_cert_file = /etc/pki/myca/mailcert.pem
smtpd_tls_CAfile = /etc/pki/myca/cacert.pem
# smtpd_tls_security_level = encrypt
# 表示强制使用TLS加密，不建议，会导致丢失courier-authlib认证
smtpd_tls_security_level = may
smtpd_tls_received_header = yes
smtpd_enforce_tls = yes
smtpd_tls_loglevel = 2
# Postfix作为SMTP客户端的TLS配置
smtp_use_tls = yes
smtp_tls_key_file = /etc/pki/myca/mailkey.pem
smtp_tls_cert_file = /etc/pki/myca/mailcert.pem
smtp_tls_CAfile = /etc/pki/myca/cacert.pem
#smtp_tls_policy_maps = hash:/etc/postfix/tls_policy_maps
#TLS限制策略，有需要的百度下如何设置

开启smtps

#vim /etc/postfix/master.cf

打开下面的注释

smtps    inet    n    -    n    -    -    smtpd
  -o smtpd_tls_wrappermode=yes 
  -o smtpd_sasl_auth_enable=yes

重新加载postfix并查看结果

# service postfix reload
# netstat -tnlp|grep 465
tcp        0      0 0.0.0.0:465                 0.0.0.0:*                   LISTEN      64222/master        
tcp        0      0 :::465                      :::*                        LISTEN      64222/master

注意防火墙

根据自身系统，添加放行规则

检查当前smtp是否支持TLS

使用telnet命令，访问25端口

# telnet localhsot 25
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.某域名.com ESMTP Jobkoo mail system (version:1.0)
ehlo mail.xxx.com          # 这里随便输入欢迎语
250-mail.某域名.cn
250-PIPELINING
250-SIZE 20000000
250-VRFY
250-ETRN
250-STARTTLS                # 这里很关键
250-AUTH PLAIN LOGIN        # 如果没有出现这两行
250-AUTH=PLAIN LOGIN        # 修改smtpd_tls_security_level = may不强制使用TLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
starttls                    # 输入TLS命令
220 2.0.0 Ready to start TLS# 出现这行表示成功

如上面的output，若是有STARTTLS，则说明postfix支持TLS，否则可能需要重装。

↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ 重装请看分割线以下的内容 ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓

---

使用源码安装

源码可以自行百度Postfix下载，版本均可
解压之后，执行如下命令：

make makefiles 'CCARGS=-DHAS_MYSQL -I/usr/local/mysql/include/mysql -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/local/include/sasl  -DUSE_TLS ' 'AUXLIBS=-L/usr/local/mysql/lib -lmysqlclient -lz -lm -L/usr/lib/sasl2 -lsasl2  -lssl -lcrypto'

释义

• CCARGS：指明头文件位置
• -DHAS_MYSQL：指定启用mysql的连接能
• -I/usr/local/mysql/include/mysql：指定mysql的头文件位置
• -DUSE_SASL_AUTH启用SASL认证
• -I/usr/local/include/sasl：指定SASL头文件位置
• -DUSE_TLS：使SMTP支持smtps协议(就是缺少这个)
• AUXLIBS：指定库文件位置
• -L/usr/local/mysql/lib：指定MySQL库文件位置
• -lmysqlclient：指定MySQL客户端库文件
• -lz：压缩库文件
• -lm：模块库文件
• -lssl：ssl的库文件

接着执行：make && make install
若编译失败，尝试安装一下lib：

yum -y install openssl-devel
yum install db*-devel