Postfix TLS support

Creating the server certificate

Create the server certificate by following "メールサーバー間通信内容暗号化(OpenSSL+Postfix+Dovecot) - CentOSで自宅サーバー構築" (encrypting traffic between mail servers with OpenSSL, Postfix and Dovecot, from the CentOS home-server guide). The make target below writes the private key and the certificate into one file, mail.pem, under umask 77, so the file is readable only by root; both Postfix and Dovecot are pointed at that single file further down.

# cd /etc/pki/tls/certs/
# make mail.pem
umask 77 ; \
	PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
	PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
	/usr/bin/openssl req -utf8 -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
	cat $PEM1 >  mail.pem ; \
	echo ""    >> mail.pem ; \
	cat $PEM2 >> mail.pem ; \
	rm -f $PEM1 $PEM2
Generating a 2048 bit RSA private key
......................................................................................................+++
............+++
writing new private key to '/tmp/openssl.h27273'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP
State or Province Name (full name) [Berkshire]:Gunma
Locality Name (eg, city) [Newbury]:Maebashi
Organization Name (eg, company) [My Company Ltd]:clicktxcloud.com
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:mail.clicktxcloud.com
Email Address []:mail@clicktxcloud.com   
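
As an added example (not from the original post or the referenced guide), the script below reproduces what the make target above does, non-interactively via -subj, and then checks the resulting mail.pem before Postfix or Dovecot is pointed at it: the private key must match the certificate, the certificate must still be inside its validity period (the condition behind "Verify return code: 10 (certificate has expired)" in an s_client test), and the file must be mode 0600 because it also holds the private key. The target directory, the subject fields and the omission of -set_serial (openssl then assigns a random serial) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: build mail.pem the way the
# CentOS "make mail.pem" target does (key + certificate in one file, umask 77)
# and then verify it. The directory and subject are assumptions.

# Generate a self-signed key+certificate PEM into DIR/mail.pem.
# -subj replaces the interactive DN prompts; -set_serial is left out so
# openssl assigns a random serial number.
make_mail_pem() {
    dir=$1
    subj=${2:-"/C=JP/ST=Gunma/L=Maebashi/O=example.invalid/CN=mail.example.invalid"}
    (
        umask 77   # everything created below is 0600, as in the make target
        key=$(mktemp "$dir/openssl.XXXXXX") || exit 1
        crt=$(mktemp "$dir/openssl.XXXXXX") || exit 1
        openssl req -utf8 -newkey rsa:2048 -keyout "$key" -nodes -x509 -days 365 \
            -out "$crt" -subj "$subj" >/dev/null 2>&1 || exit 1
        cat "$key" > "$dir/mail.pem"
        echo "" >> "$dir/mail.pem"
        cat "$crt" >> "$dir/mail.pem"
        rm -f "$key" "$crt"
    )
}

# Check a combined PEM before handing it to smtpd_tls_*_file / ssl_*_file.
# Returns 0 when the key matches the certificate, the certificate has not
# expired, and the file mode is 0600; prints the reason otherwise.
check_mail_pem() {
    pem=$1
    # The private key and the certificate must carry the same modulus.
    keymod=$(openssl rsa -in "$pem" -noout -modulus 2>/dev/null)
    crtmod=$(openssl x509 -in "$pem" -noout -modulus 2>/dev/null)
    if [ -z "$keymod" ] || [ "$keymod" != "$crtmod" ]; then
        echo "$pem: private key does not match certificate"; return 1
    fi
    # -checkend 0 fails once notAfter is in the past, the condition behind
    # "Verify return code: 10 (certificate has expired)" in openssl s_client.
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
        echo "$pem: certificate has expired"; return 1
    fi
    # The file contains the private key: only its owner may read it.
    mode=$(stat -c '%a' "$pem" 2>/dev/null || stat -f '%Lp' "$pem")
    if [ "$mode" != "600" ]; then
        echo "$pem: mode $mode, expected 600"; return 1
    fi
    openssl x509 -in "$pem" -noout -subject -dates
}

# Stand-alone use: MAIL_PEM_DIR=/tmp/certs sh this_script.sh
if [ -n "${MAIL_PEM_DIR:-}" ]; then
    make_mail_pem "$MAIL_PEM_DIR" && check_mail_pem "$MAIL_PEM_DIR/mail.pem"
fi
```

Run check_mail_pem again after any renewal: a certificate regenerated with the same 365-day lifetime expires a year later, and smtpd keeps serving whatever file it loaded at start-up until it is reloaded.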

Postfix configuration

main.cf (append at the end of the file)

smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.pem
smtpd_tls_key_file = /etc/pki/tls/certs/mail.pem
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache

master.cf

submission inet n       -       n       -       -       smtpd  ← uncomment
  -o smtpd_enforce_tls=yes  ← uncomment
  -o smtpd_sasl_auth_enable=yes  ← uncomment
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject  ← uncomment
smtps     inet  n       -       n       -       -       smtpd  ← uncomment
  -o smtpd_tls_wrappermode=yes  ← uncomment
  -o smtpd_sasl_auth_enable=yes  ← uncomment
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr   ← uncomment

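Added example, not part of the original post: a small audit that reads master.cf and reports, for every smtpd listener, whether SASL authentication is enabled and whether TLS is forced before it (smtpd_enforce_tls=yes, smtpd_tls_wrappermode=yes, or the newer smtpd_tls_security_level=encrypt). A listener that accepts SASL logins without forcing TLS lets passwords cross the network in the clear, which is what the uncommented submission and smtps entries above prevent. The two sample configurations are constructed: one mirrors the entries above, the other leaves the smtpd_enforce_tls line commented out.

```shell
#!/bin/sh
# Added example, not from the original post: audit the smtpd listeners in a
# Postfix master.cf and flag any that enable SASL without forcing TLS first.
# The sample master.cf contents below are constructed.

# audit_master_cf [FILE]  (reads stdin when no file is given)
# Prints one line per smtpd service; exits 1 if any service accepts SASL
# logins without smtpd_enforce_tls=yes, smtpd_tls_wrappermode=yes or
# smtpd_tls_security_level=encrypt.
audit_master_cf() {
    awk '
    function flush() {
        if (svc == "") return
        if (sasl && !tls) {
            printf("%s: SASL enabled but TLS not enforced\n", svc); bad++
        } else {
            printf("%s: sasl=%d tls=%d\n", svc, sasl, tls)
        }
        svc = ""
    }
    # A service line starts in column 1: name type private unpriv chroot
    # wakeup maxproc command; only "smtpd" services are of interest.
    /^[^#[:space:]]/ {
        flush()
        if ($8 == "smtpd") { svc = $1 "/" $2; sasl = 0; tls = 0 }
        next
    }
    # A commented-out service line ends the previous service too.
    /^#[^[:space:]]/ { flush(); next }
    # Indented "-o key=value" lines belong to the service above them.
    svc != "" && /^[[:space:]]+-o[[:space:]]+/ {
        opt = $2
        if (opt == "smtpd_sasl_auth_enable=yes") sasl = 1
        if (opt == "smtpd_enforce_tls=yes" || opt == "smtpd_tls_wrappermode=yes" ||
            opt == "smtpd_tls_security_level=encrypt") tls = 1
    }
    END { flush(); exit (bad > 0) }
    ' "$@"
}

# Constructed sample that mirrors the uncommented entries in the post.
sample_hardened_master_cf() {
    cat <<'EOF'
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
EOF
}

# Constructed weak variant: the smtpd_enforce_tls line was left commented out,
# so submission accepts SASL logins over a cleartext session.
sample_weak_master_cf() {
    cat <<'EOF'
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
#  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
EOF
}

# Stand-alone use: MASTER_CF=/etc/postfix/master.cf sh this_script.sh
if [ -n "${MASTER_CF:-}" ]; then
    audit_master_cf "$MASTER_CF"
fi
```

The port 25 listener (smtp) is reported with sasl=0 tls=0 and is not flagged: opportunistic TLS is the norm there, and the audit only complains when SASL is switched on without TLS in front of it.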
Test the connection from the command line. Besides the negotiated protocol and cipher, look at the "Verify return code" line: the run below reports 10 (certificate has expired), meaning the client did not accept the presented certificate as valid.

$ openssl s_client -starttls smtp -crlf -connect xxx.xxx.xxx.xxx:587
CONNECTED(00000003)

...

SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 9AE082BD79AE4029D5AD48BCCA63C3E6970FE3D3617C2EE98586AB7B331A4332
    Session-ID-ctx: 
    Master-Key: 64F761C1EA5B4261A67DDBB625A2D04AD88586CD21B0D35F4E62C06C1FDE481EA21BEED6EDCD5548B4DCBEF0A6399881
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Compression: 1 (zlib compression)
    Start Time: 1394449493
    Timeout   : 300 (sec)
    Verify return code: 10 (certificate has expired)
---
250 DSN

Dovecot configuration

# Disable SSL/TLS support.
ssl_disable = no ← uncomment

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
#ssl_cert_file = /etc/pki/dovecot/certs/dovecot.pem
#ssl_key_file = /etc/pki/dovecot/private/dovecot.pem
ssl_cert_file = /etc/pki/tls/certs/mail.pem ← add
ssl_key_file = /etc/pki/tls/certs/mail.pem  ← add

Postfix TLS Support
Building a virtual SMTP server with Postfix + MySQL + Postfix Admin (CentOS 4.x edition)