环境:
OS:Centos 6.4 x64
packet:Postfix 2.6.6
cyrus-sasl-2.1.23
dovecot-2.0.9
openssl-1.0.0
Domain:vqiu.cn
hostname:mail.vqiu.cn
准备工作:
>>将DNS 的MX 解析和计算机名称配置好(略)
>>配置NTP 参照 linux 时间札记
1、安装配置 cyrus-sasl
#安装cyrus-sasl认证机制
[root@vqiu tls]# yum -y install cyrus-sasl-plain cyrus-sasl-devel
#加入log_level
[root@vqiu tls]# vi /etc/sasl2/smtpd.conf(可跳过)
-----------------------------------------------分割线-------------------------------------------------
# log_level 也可以跳过（注释只能单独放在以 # 开头的行）
log_level: 3
pwcheck_method: saslauthd
mech_list: plain login
-----------------------------------------------分割线-------------------------------------------------
#启动并加入到开机加载列表
[root@vqiu tls]# service saslauthd start && chkconfig saslauthd on
2、 安装openssl 并建立密钥与证书
#yum 安装openssl 套件
[root@vqiu ~]# yum -y install openssl openssl-devel
#创建密钥与证书存放目录
[root@vqiu tls]# mkdir /etc/tls/ -p
#进入该建立目录
[root@vqiu ~]# cd /etc/tls/
#生成密钥与证书,根据向导输入相关的信息,其中证书名称为mail_cert.pem
[root@vqiu tls]# openssl req -new -x509 -nodes -out mail_cert.pem
-----------------------------------------------分割线-------------------------------------------------
Generating a 2048 bit RSA private key
................................+++
...........................+++
writing new private key to 'privkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Guangdong
Locality Name (eg, city) [Default City]:dongguan
Organization Name (eg, company) [Default Company Ltd]:vqiu
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:mail.vqiu.cn
Email Address []:IT@vqiu.cn
-----------------------------------------------分割线-------------------------------------------------
[root@vqiu tls]# ls -l
-rw-r--r-- 1 root root 1415 Nov 5 16:14 mail_cert.pem #< ======证书
-rw-r--r-- 1 root root 1704 Nov 5 16:14 privkey.pem #< ======私钥
#权限设定：私钥只允许 root 读写
[root@vqiu tls]# chmod 0600 privkey.pem
#配置postfix
[root@vqiu /]# vi /etc/postfix/main.cf
-----------------------------------------------分割线-------------------------------------------------
#SSL/TLS配置
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_loglevel=3
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
smtpd_tls_cert_file = /etc/tls/mail_cert.pem
smtpd_tls_key_file = /etc/tls/privkey.pem
tls_random_source = dev:/dev/urandom
tls_daemon_random_source = dev:/dev/urandom
# 只允许在 TLS 加密的连接上进行 SASL 认证（Postfix 只把行首的 # 当作注释，行内的 # 会成为参数值的一部分）
smtpd_tls_auth_only = yes
#SMTP认证配置
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_destination
-----------------------------------------------分割线-------------------------------------------------
#配置master.cf
[root@vqiu /]# vi /etc/postfix/master.cf
-----------------------------------------------分割线-------------------------------------------------
smtps inet n - n - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
-----------------------------------------------分割线-------------------------------------------------
#启动或重新启动postfix
[root@vqiu /]# service postfix restart
#查看监听端口
[root@vqiu tls]# netstat -tnlp | grep master
#客户端测试
3、 安装配置dovecot
[root@vqiu /]# yum -y install dovecot
[root@vqiu /]# vi /etc/dovecot/conf.d/10-ssl.conf
ssl = required
ssl_cert = < /etc/tls/mail_cert.pem
ssl_key = < /etc/tls/privkey.pem
#配置收件目录
[root@vqiu tls]# vi /etc/dovecot/conf.d/10-mail.conf
mail_location = maildir:~/Maildir
#取消pop3s imaps注释信息
[root@vqiu tls]# vi /etc/dovecot/conf.d/10-master.conf
-----------------------------------------------分割线-------------------------------------------------
inet_listener imaps {
port = 993
ssl = yes
}
inet_listener pop3s {
port = 995
ssl = yes
}
-----------------------------------------------分割线-------------------------------------------------
#启动dovecot 并加入开机列表
[root@vqiu tls]# service dovecot start && chkconfig dovecot on
#查看监听端口
[root@vqiu tls]# netstat -tnlp | grep dovecot
4、创建帐号并测试
[root@vqiu tls]# groupadd mail_users && useradd -s /sbin/nologin -g mail_users zhang3
[root@vqiu tls]# echo "zhang3.." | passwd --stdin zhang3   # 明文密码会留在 shell 历史里，正式环境请改用交互式 passwd
[root@vqiu tls]# useradd -s /sbin/nologin -g mail_users li4
[root@vqiu tls]# echo "lisi.." | passwd --stdin li4