openssl genrsa -out mail.key
Generating RSA private key, 2048 bit long modulus (2 primes)
......................................................................................+++++
....................+++++
e is 65537(0x010001)
生成证书请求文件
openssl req -new -key mail.key -out mail.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code)[AU]:CN
State or Province Name (full name)[Some-State]:HN
Locality Name (eg, city)[]:ZZ
Organization Name (eg, company)[Internet Widgits Pty Ltd]:skills
Organizational Unit Name (eg, section)[]:system
Common Name (e.g. server FQDN or YOUR name)[]:skills.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
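生成证书(自签名)
注意:-signkey 表示用 mail.key 为自己的请求签名,得到的是自签名证书,客户端默认不会信任它。证书的 CN 为 skills.com,而下文 myhostname 为 mail.skills.com,校验主机名的客户端连接 mail.skills.com 时会报名称不匹配。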
openssl x509 -req -signkey mail.key -in mail.csr -out mail.crt -days 3650
Signature ok
subject=C = CN, ST = HN, L = ZZ, O = skills, OU = system, CN = skills.com
Getting Private key
配置邮件()
postfix
/etc/postfix/
vim main.cf
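# TLS parameters
# 前面的命令把 mail.crt 和 mail.key 生成在当前目录,需先放到下面配置的路径。
# 私钥未加密,应归 root 所有且仅 root 可读(例如 chmod 600 /etc/ssl/mail.key)。
smtpd_tls_cert_file=/etc/ssl/mail.crt
smtpd_tls_key_file=/etc/ssl/mail.key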
smtpd_tls_security_level=may
smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level=may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
# 指定主机名字(main.cf 不支持行尾注释,写在值后面的 # 内容会被当作值的一部分,注释须单独成行)
myhostname = mail.skills.com
# 指定域名
mydomain = skills.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
# 添加 mydomain(注释须单独成行,不能写在值后面)
mydestination = $myhostname, $mydomain
relayhost =
# 允许网段(注释须单独成行)。由于 smtpd_relay_restrictions 中有 permit_mynetworks,
# 这些网段内的主机无需认证即可中继邮件,因此只应列入受信任的网段。
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 10.10.70.0/24
mailbox_size_limit =0
recipient_delimiter = +
inet_interfaces = all
vim master.cf
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
#smtp inet n - y - - smtpd #注释
#smtp inet n - y - 1 postscreen
#smtpd pass - - y - - smtpd
#dnsblog unix - - y - 0 dnsblog
#tlsproxy unix - - y - 0 tlsproxy
#submission inet n - y - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_tls_auth_only=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
# 取消下面三行的注释。master.cf 不支持行尾注释,行尾多出的文字会被当作 smtpd 的参数;
# 以 -o 开头的续行必须以空白字符开头,否则会被当作新的服务条目。
# 注意:smtpd_sasl_auth_enable 和本服务的 smtpd_relay_restrictions 覆盖项仍处于注释状态,
# 若 main.cf 中也未启用 SASL,465 端口不做用户认证,中继控制沿用 main.cf 的 smtpd_relay_restrictions。
smtps inet n - y - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING