Note: Courier-IMAP provides POP3 and IMAP mail retrieval and supports TLS-protected transport; SMTP can be protected with TLS as well, and that configuration is given at the end of this post.
Transport Layer Security (TLS, formerly SSL) uses cryptography to give TCP communication confidentiality (data is not disclosed) and integrity.
I. Implementing basic POP3 and IMAP functionality
1. Install Courier-IMAP
[iyunv@mail ~]# cd /usr/local/src
[iyunv@mail src]# wget http://ncu.dl.sourceforge.net/pr ... imap-4.15.1.tar.bz2
[iyunv@mail src]# tar -jxf courier-imap-4.15.1.tar.bz2
[iyunv@mail src]# cd courier-imap-4.15.1
[iyunv@mail courier-imap-4.15.1]# ./configure --enable-workarounds-for-imap-client-bugs --with-authchangepwdir --enable-unicode --with-trashquota --disable-root-check
[iyunv@mail courier-imap-4.15.1]# make
[iyunv@mail courier-imap-4.15.1]# make install
[iyunv@mail courier-imap-4.15.1]# make install-configure
View the install notes:
[iyunv@mail courier-imap-4.15.1]# more INSTALL
The package has been uploaded to the following link:
http://down.iyunv.com/data/1955875
2. Start the services
[iyunv@mail courier-imap-4.15.1]# cd /usr/lib/courier-imap/
[iyunv@mail courier-imap]# /usr/lib/courier-imap/libexec/imapd.rc start
[iyunv@mail courier-imap]# echo "/usr/lib/courier-imap/libexec/imapd.rc start" >> /etc/rc.local
[iyunv@mail courier-imap]# ps aux|grep imapd
root 46134 0.0 0.0 4068 340 ? S 16:41 0:00 /usr/local/sbin/courierlogger -pid=/var/run/imapd.pid -start -name=imapd /usr/lib/courier-imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 143 /usr/lib/courier-imap/sbin/imaplogin /usr/lib/courier-imap/bin/imapd Maildir
root 46135 0.1 0.0 8280 636 ? S 16:41 0:00 /usr/lib/courier-imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 143 /usr/lib/courier-imap/sbin/imaplogin /usr/lib/courier-imap/bin/imapd Maildir
root 46137 0.0 0.0 103256 848 pts/1 S+ 16:41 0:00 grep imapd
[iyunv@mail courier-imap]# netstat -tnlp|grep 143
tcp6 0 0 :::143 :::* LISTEN 32666/couriertcpd
[iyunv@mail courier-imap]# /usr/lib/courier-imap/libexec/pop3d.rc start
[iyunv@mail courier-imap]# echo "/usr/lib/courier-imap/libexec/pop3d.rc start" >> /etc/rc.local
[iyunv@mail courier-imap]# ps aux|grep pop3d
root 46149 0.0 0.0 4068 344 ? S 16:42 0:00 /usr/local/sbin/courierlogger -pid=/var/run/pop3d.pid -start -name=pop3d /usr/lib/courier-imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 110 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 46150 0.0 0.0 8280 632 ? S 16:42 0:00 /usr/lib/courier-imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 110 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 46155 0.0 0.0 103256 848 pts/1 S+ 16:42 0:00 grep pop3d
[iyunv@mail courier-imap]# netstat -tnlp|grep 110
tcp6 0 0 :::110 :::* LISTEN 32761/couriertcpd
Note: the commands above started the pop3d and imapd services, which listen on ports 110 and 143; these are the default port numbers shown when you set up a mail client such as Outlook.
3. Mark imapd and pop3d as enabled
[iyunv@mail courier-imap]# sed -i 's/IMAPDSTART=NO/IMAPDSTART=YES/g' etc/imapd
[iyunv@mail courier-imap]# sed -i 's/POP3DSTART=NO/POP3DSTART=YES/g' etc/pop3d
4. Configure the firewall
[iyunv@mail ~]# iptables -I INPUT -p tcp -m multiport --dport 110,143 -j ACCEPT
[iyunv@mail ~]# service iptables save
5. Test the port connections
[iyunv@mail courier-imap]# telnet localhost 110
Trying ::1...
Connected to localhost.
Escape character is '^]'.
+OK Hello there.
user postmaster@yourmail.com   # enter the account name
+OK Password required.
pass extmail   # enter the password
+OK logged in.
list   # list the messages
+OK POP3 clients that break here, they violate STD53.
1 6
2 716
3 923
4 1197
.
quit   # quit
+OK Bye-bye.
Connection closed by foreign host.
[iyunv@mail courier-imap]# telnet localhost 143
Trying ::1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE
THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA
IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready.
Copyright 1998-2011 Double Precision, Inc.
See COPYING for distribution information.
tag login postmaster@yourmail.com extmail   # enter the login name and password
tag OK LOGIN Ok.   # login succeeded
tag logout   # quit
* BYE Courier-IMAP server shutting down
tag OK LOGOUT completed
Connection closed by foreign host.
Note: POP3 and IMAP are working correctly.
II. Adding SSL support
1. Install OpenSSL
OpenSSL was already installed automatically when httpd was installed:
[iyunv@mail courier-imap]# rpm -aq|grep openssl
openssl-1.0.1e-30.el6_6.4.x86_64
openssl-devel-1.0.1e-30.el6_6.4.x86_64
2. Configure Courier-IMAP for SSL
[iyunv@mail courier-imap]# sed -i 's/IMAPDSSLSTART=NO/IMAPDSSLSTART=YES/g' etc/imapd-ssl
[iyunv@mail courier-imap]# sed -i 's/POP3DSSLSTART=NO/POP3DSSLSTART=YES/g' etc/pop3d-ssl
3. Start the Courier-IMAP SSL services
[iyunv@mail courier-imap]# /usr/lib/courier-imap/libexec/imapd-ssl.rc start
[iyunv@mail courier-imap]# /usr/lib/courier-imap/libexec/pop3d-ssl.rc start
[iyunv@mail courier-imap]# echo "/usr/lib/courier-imap/libexec/imapd-ssl.rc start" >> /etc/rc.local
[iyunv@mail courier-imap]# echo "/usr/lib/courier-imap/libexec/pop3d-ssl.rc start" >> /etc/rc.local
[iyunv@mail courier-imap]# netstat -tlnp |grep 99
tcp 0 0 :::993 :::* LISTEN 46228/couriertcpd
tcp 0 0 :::995 :::* LISTEN 46236/couriertcpd
Note: POP3 over SSL uses port 995 and IMAP over SSL uses port 993.
4. Create certificates
(1) Create the IMAP certificate file:
[iyunv@mail courier-imap]# /usr/lib/courier-imap/share/mkimapdcert
Generating a 4096 bit RSA private key
......................++
..........................++
writing new private key to '/usr/lib/courier-imap/share/imapd.pem'
-----
subject= /C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/emailAddress=postmaster@example.com
notBefore=Nov 27 06:15:20 2014 GMT
notAfter=Nov 27 06:15:20 2015 GMT
SHA1 Fingerprint=B8:E2:AC:54:27:90:BA:20:33:92:89:DE:AB:EA:1B:2D:DC:11:8A:37
(2) Create the POP3 certificate file:
[iyunv@mail courier-imap]# /usr/lib/courier-imap/share/mkpop3dcert
Generating a 4096 bit RSA private key
.......................................++
......................................++
writing new private key to '/usr/lib/courier-imap/share/pop3d.pem'
-----
subject= /C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated POP3 SSL key/CN=localhost/emailAddress=postmaster@example.com
notBefore=Nov 27 06:22:05 2014 GMT
notAfter=Nov 27 06:22:05 2015 GMT
SHA1 Fingerprint=48:21:D9:4D:DE:A7:64:7F:CD:A0:68:79:E4:2A:2F:59:62:BE:9D:E6
(3) Create the DH parameter file:
[iyunv@mail courier-imap]# /usr/lib/courier-imap/share/mkdhparams
512 semi-random bytes loaded
Generating DH parameters, 768 bit long safe prime, generator 2
This is going to take a long time
..............++*++*++*++*
(4) Check the certificate files and the DH parameter file:
[iyunv@mail courier-imap]# ls /usr/lib/courier-imap/share/
dhparams.pem imapd.pem pop3d.pem
5. Encrypted connections
Add a monthly cron job that runs mkdhparams, so that a fresh DH parameter set is generated regularly for the encrypted connections (the line below runs at 00:00 on the first day of every month):
[iyunv@mail courier-imap]# crontab -e
0 0 1 * * /usr/lib/courier-imap/share/mkdhparams
6. Configure the firewall
[iyunv@mail ~]# iptables -I INPUT -p tcp -m multiport --dport 993,995 -j ACCEPT
[iyunv@mail ~]# service iptables save
7. Test pop3d-ssl
On the client PC (or on the local DNS server), add local name resolution:
C:\Windows\System32\drivers\etc\hosts
10.188.1.83 pop3.yourmail.com
10.188.1.83 smtp.yourmail.com
10.188.1.83 imap.yourmail.com
10.188.1.83 mail.yourmail.com
In the Foxmail mail client, add the test account as a POP3 account, tick SSL with port 995, and leave SMTP on the default port 25.
Send a message from test to itself and retrieve it; if that works, pop3d-ssl is working.
Check the log:
[iyunv@mail courier-imap]# tailf /var/log/maillog
Dec 2 09:10:02 mail postfix/smtpd[4051]: connect from unknown[10.188.1.172]
Dec 2 09:10:02 mail postfix/smtpd[4051]: 583221A1BCC: client=unknown[10.188.1.172], sasl_method=LOGIN, sasl_username=test@yourmail.com
Dec 2 09:10:02 mail postfix/cleanup[4061]: 583221A1BCC: message-id=<201412020909527054540@yourmail.com>
Dec 2 09:10:02 mail postfix/qmgr[64225]: 583221A1BCC: from=, size=1470, nrcpt=1 (queue active)
Dec 2 09:10:02 mail postfix/smtpd[4051]: disconnect from unknown[10.188.1.172]
Dec 2 09:10:02 mail postfix/pipe[4063]: 583221A1BCC: to=, relay=maildrop, delay=0.16, delays=0.11/0.02/0/0.03, dsn=2.0.0, status=sent (delivered via maildrop service)
Dec 2 09:10:02 mail postfix/qmgr[64225]: 583221A1BCC: removed
Dec 2 09:10:04 mail pop3d-ssl: Connection, ip=[::ffff:10.188.1.172]
Dec 2 09:10:04 mail pop3d-ssl: LOGIN, user=test@yourmail.com, ip=[::ffff:10.188.1.172], port=[50258]
Dec 2 09:10:04 mail pop3d-ssl: LOGOUT, user=test@yourmail.com, ip=[::ffff:10.188.1.172], port=[50258], top=0, retr=1497, rcvd=32, sent=1769, time=0, stls=1
Note: mail is still sent over SMTP on port 25, while the log shows that mail was retrieved over a pop3d-ssl connection.
Check the mail headers:
8. Test imap-ssl
In the Foxmail mail client, add the test account as an IMAP account, tick SSL with port 993, and leave SMTP on the default port 25.
Send a message from test to itself and retrieve it; if that works, imap-ssl is working.
Check the log:
[iyunv@mail courier-imap]# tailf /var/log/maillog
Dec 2 09:54:34 mail postfix/smtpd[4206]: connect from unknown[10.188.1.172]
Dec 2 09:54:34 mail postfix/smtpd[4206]: 8F37D1A1BAC: client=unknown[10.188.1.172], sasl_method=LOGIN, sasl_username=test@yourmail.com
Dec 2 09:54:34 mail postfix/cleanup[4216]: 8F37D1A1BAC: message-id=<201412020954270473792@yourmail.com>
Dec 2 09:54:34 mail postfix/qmgr[64225]: 8F37D1A1BAC: from=, size=1516, nrcpt=1 (queue active)
Dec 2 09:54:34 mail postfix/smtpd[4206]: disconnect from unknown[10.188.1.172]
Dec 2 09:54:34 mail postfix/pipe[4218]: 8F37D1A1BAC: to=, relay=maildrop, delay=0.18, delays=0.11/0.01/0/0.06, dsn=2.0.0, status=sent (delivered via maildrop service)
Dec 2 09:54:34 mail postfix/qmgr[64225]: 8F37D1A1BAC: removed
Dec 2 09:55:47 mail imapd-ssl: Connection, ip=[::ffff:10.188.1.172]
Dec 2 09:55:47 mail imapd-ssl: LOGIN, user=test@yourmail.com, ip=[::ffff:10.188.1.172], port=[52061], protocol=IMAP
Note: the log shows that mail was retrieved through imapd-ssl.
Problem: errors appear in the log
[iyunv@mail ~]# tail /var/log/httpd/ssl_error.log
Prototype mismatch: sub Encode::IMAPUTF7::decode ($$;$) vs none at /var/www/extsuite/extman/libs/Encode/IMAPUTF7.pm line 76
/var/www/extsuite/extman/libs/Encode/IMAPUTF7.pm
Fix: change the line "no warnings 'redefine';^M" to "no warnings;" or "no warnings qw(prototype redefine);"
III. Configuring Postfix (SMTP) for SSL
Reference:
http://www.postfix.org/TLS_README.html
1. Install OpenSSL-Perl
[iyunv@mail ~]# rpm -aq|grep openssl
openssl-1.0.1e-30.el6_6.4.x86_64
openssl-devel-1.0.1e-30.el6_6.4.x86_64
[iyunv@mail ~]# yum install -y openssl-perl
This installs the CA.pl script under /etc/pki/tls/misc/, which lets you run your own CA and sign your own certificates.
2. Generate the server root (CA) certificate
[iyunv@mail ~]# cd /etc/pki/tls/misc/
[iyunv@mail misc]# ./CA.pl -newca
CA certificate filename (or enter to create)   # press Enter to begin
# during the prompts below, a typo can be erased with Ctrl+Backspace
Making CA certificate ...
Generating a 2048 bit RSA private key
..............................+++
................+++
writing new private key to '/etc/pki/CA/private/cakey.pem'
Enter PEM pass phrase:123456   # enter a passphrase of at least 4 characters
Verifying - Enter PEM pass phrase:123456   # repeat the passphrase
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN   # country
State or Province Name (full name) []:zhejiang   # province
Locality Name (eg, city) [Default City]:hangzhou   # city
Organization Name (eg, company) [Default Company Ltd]:yourmail   # company name
Organizational Unit Name (eg, section) []:it   # department
Common Name (eg, your name or your server's hostname) []:root   # your name or the server name
Email Address []:   # e-mail address (optional)
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:   # certificate request password (optional)
An optional company name []:   # optional company name (optional)
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:123456   # the passphrase set above, 123456
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 14986867786496351857 (0xcffc0cd915dc1e71)
Validity
Not Before: Nov 28 02:06:59 2014 GMT
Not After : Nov 27 02:06:59 2017 GMT
Subject:
countryName = CN
stateOrProvinceName = zhejiang
organizationName = yourmail
organizationalUnitName = it
commonName = root
X509v3 extensions:
X509v3 Subject Key Identifier:
12:6E:1A:A9:98:79:E1:A6:82:7E:A4:D8:FD:44:5D:57:FF:4B:46:69
X509v3 Authority Key Identifier:
keyid:12:6E:1A:A9:98:79:E1:A6:82:7E:A4:D8:FD:44:5D:57:FF:4B:46:69
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Nov 27 02:06:59 2017 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
Note: output like the above means success; otherwise it failed. On failure, delete cakey.pem and run CA.pl again:
[iyunv@mail misc]# rm -f /etc/pki/CA/private/cakey.pem
[iyunv@mail misc]# ./CA.pl -newca
Create a certificate directory and copy the generated root certificate into it (it can also be copied to /etc/postfix):
[iyunv@mail misc]# mkdir /etc/pki/myca
[iyunv@mail misc]# cp /etc/pki/CA/cacert.pem /etc/pki/myca
3. Generate the private key and the CSR (certificate signing request)
[iyunv@mail misc]# cd /etc/pki/myca
[iyunv@mail myca]# openssl req -new -nodes -keyout mailkey.pem -out mailreq.pem -days 3650
Generating a 2048 bit RSA private key
...................................+++
....................+++
writing new private key to 'mailkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:zhejiang
Locality Name (eg, city) [Default City]:hangzhou
Organization Name (eg, company) [Default Company Ltd]:yourmail
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:root
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Parameter notes: -new requests a new key pair and CSR, -nodes leaves the private key unencrypted, -keyout names the private key file, -out names the CSR file, and -days requests a ten-year validity. Note that openssl req only honours -days when it produces a self-signed certificate with -x509; for a CSR it is ignored, and the validity of the certificate signed with openssl ca in step 4 comes from the CA's default_days setting in openssl.cnf (365 days in the signing output below).
Check the generated files:
[iyunv@mail myca]# ll
总用量 16
-rw-r--r--. 1 root root 4291 12月 2 14:08 cacert.pem   # root certificate
-rw-r--r--. 1 root root 1704 12月 2 14:09 mailkey.pem   # private key
-rw-r--r--. 1 root root 997 12月 2 14:09 mailreq.pem   # CSR file
Tighten the private key's permissions so that only root can read it:
[iyunv@mail myca]# chown root mailkey.pem
[iyunv@mail myca]# chmod 400 mailkey.pem
4. Sign the CSR
[iyunv@mail myca]# openssl ca -out mailcert.pem -infiles mailreq.pem
failed to update database
TXT_DB error number 2
Cause: the CSR was filled in with the same values as the CA certificate, so the two subjects are identical and the CA database rejects the duplicate.
Fix: set "unique subject" to not required:
[iyunv@mail myca]# vi /etc/pki/CA/index.txt.attr
unique_subject = no
[iyunv@mail myca]# openssl ca -out mailcert.pem -infiles mailreq.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:123456
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 14986867786496351859 (0xcffc0cd915dc1e73)
Validity
Not Before: Dec 2 05:27:44 2014 GMT
Not After : Dec 2 05:27:44 2015 GMT
Subject:   # subject fields
countryName = CN
stateOrProvinceName = zhejiang
organizationName = yourmail
organizationalUnitName = it
commonName = root
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
17:71:C5:65:AA:7D:56:BF:3A:6F:9D:84:3B:E2:12:57:58:B6:32:04
X509v3 Authority Key Identifier:
keyid:9C:7C:C0:ED:30:2A:FE:0C:E7:0D:C3:F8:9E:E0:35:41:8E:25:2C:48
Certificate is to be certified until Dec 2 05:27:44 2015 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Check the generated files:
[iyunv@mail myca]# ll
总用量 24
-rw-r--r--. 1 root root 4291 12月 2 14:08 cacert.pem   # root certificate
-rw-r--r--. 1 root root 4430 12月 2 14:11 mailcert.pem   # certificate (public key)
-r--------. 1 root root 1704 12月 2 14:09 mailkey.pem   # private key
-rw-r--r--. 1 root root 997 12月 2 14:09 mailreq.pem   # CSR file
5. Configure Postfix
[iyunv@mail myca]# vi /etc/postfix/main.cf
# TLS settings for Postfix acting as the SMTP server
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/pki/myca/mailkey.pem
smtpd_tls_cert_file = /etc/pki/myca/mailcert.pem
smtpd_tls_CAfile = /etc/pki/myca/cacert.pem
# smtpd_tls_security_level = encrypt
# "encrypt" forces TLS; not recommended here, it causes courier-authlib authentication to be lost
smtpd_tls_security_level = may
smtpd_tls_received_header = yes
# smtpd_use_tls and smtpd_enforce_tls are legacy parameters; smtpd_tls_security_level overrides both once it is set
smtpd_enforce_tls = yes
smtpd_tls_loglevel = 2
# TLS settings for Postfix acting as an SMTP client
smtp_use_tls = yes
smtp_tls_key_file = /etc/pki/myca/mailkey.pem
smtp_tls_cert_file = /etc/pki/myca/mailcert.pem
smtp_tls_CAfile = /etc/pki/myca/cacert.pem
#smtp_tls_policy_maps = hash:/etc/postfix/tls_policy_maps
# TLS policy restrictions; look up how to configure them if you need them
[iyunv@mail myca]# vi /etc/postfix/master.cf
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
[iyunv@mail myca]# service postfix reload
[iyunv@mail myca]# netstat -tnlp|grep 465
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 64222/master
tcp 0 0 :::465 :::* LISTEN 64222/master
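As an added check that is not part of the original post, the following Python script reads the smtpd_tls_* settings above the way Postfix reads main.cf and reports what a reviewer would flag: the legacy smtpd_use_tls/smtpd_enforce_tls lines that smtpd_tls_security_level overrides, the missing smtpd_tls_auth_only that stops AUTH PLAIN/LOGIN being offered on cleartext port 25 while the level is "may", and a troubleshooting loglevel. The hardened variant is a constructed example.

```python
import re

# The smtpd section of this post's main.cf (comments removed) and a constructed
# hardened variant, embedded inline so the check runs offline.
POST_MAIN_CF = """\
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/pki/myca/mailkey.pem
smtpd_tls_cert_file = /etc/pki/myca/mailcert.pem
smtpd_tls_CAfile = /etc/pki/myca/cacert.pem
# smtpd_tls_security_level = encrypt
smtpd_tls_security_level = may
smtpd_tls_received_header = yes
smtpd_enforce_tls = yes
smtpd_tls_loglevel = 2
"""
HARDENED_MAIN_CF = """\
smtpd_tls_key_file = /etc/pki/myca/mailkey.pem
smtpd_tls_cert_file = /etc/pki/myca/mailcert.pem
smtpd_tls_CAfile = /etc/pki/myca/cacert.pem
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1
"""

def parse_main_cf(text):
    """Read 'name = value' lines as Postfix does: a line whose first
    non-blank character is '#' is a comment, a line starting with whitespace
    continues the previous value, and a later assignment wins."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:
            params[last] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params

def check_smtpd_tls(params):
    """Return (severity, message) findings for the server-side TLS settings."""
    findings = []
    level = params.get("smtpd_tls_security_level")
    if level is not None:
        for legacy in ("smtpd_use_tls", "smtpd_enforce_tls"):
            if legacy in params:
                findings.append(("info", "%s is ignored because smtpd_tls_security_level is set" % legacy))
    if level == "may" and params.get("smtpd_tls_auth_only", "no") != "yes":
        findings.append(("warn", "smtpd_tls_auth_only = yes is missing: SASL AUTH is offered on cleartext sessions"))
    if params.get("smtpd_tls_loglevel", "0").isdigit() and int(params["smtpd_tls_loglevel"]) >= 2:
        findings.append(("warn", "smtpd_tls_loglevel >= 2 is a troubleshooting setting, use 1 in production"))
    return findings

if __name__ == "__main__":
    for sev, msg in check_smtpd_tls(parse_main_cf(POST_MAIN_CF)):
        print("[%s] %s" % (sev, msg))
```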
6. Configure the firewall
[iyunv@mail ~]# iptables -I INPUT -p tcp --dport 465 -j ACCEPT
[iyunv@mail ~]# service iptables save
7. Local port test
[iyunv@mail ~]# telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 mail.eplantstore.com ESMTP Postfix - by eplantstore.com
ehlo localhost   # send the EHLO greeting
250-mail.eplantstore.com
250-PIPELINING
250-SIZE 10485760
250-VRFY
250-ETRN
250-STARTTLS   # shows that TLS is enabled
250-AUTH PLAIN LOGIN   # if these two lines are missing,
250-AUTH=PLAIN LOGIN   # set smtpd_tls_security_level = may so TLS is not forced
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
starttls   # issue the STARTTLS command
220 2.0.0 Ready to start TLS   # this reply means it worked
Check the log:
[iyunv@mail myca]# tailf /var/log/maillog
Dec 2 14:42:21 mail postfix/smtpd[5315]: connect from localhost[::1]
Dec 2 14:45:50 mail postfix/smtpd[5315]: setting up TLS connection from localhost[::1]
Dec 2 14:45:50 mail postfix/smtpd[5315]: localhost[::1]: TLS cipher list "ALL:+RC4:@STRENGTH"
Dec 2 14:45:50 mail postfix/smtpd[5315]: SSL_accept:before/accept initialization
8. Client send test
In the Foxmail mail client, edit the test account and enable SSL for SMTP with port 465.
Send a message from test to itself and check the log:
[iyunv@mail myca]# tailf /var/log/maillog
Dec 2 14:18:45 mail postfix/smtpd[5103]: initializing the server-side TLS engine
Dec 2 14:18:45 mail postfix/smtpd[5103]: connect from unknown[10.188.1.172]
Dec 2 14:18:45 mail postfix/smtpd[5103]: setting up TLS connection from unknown[10.188.1.172]
Dec 2 14:18:45 mail postfix/smtpd[5103]: unknown[10.188.1.172]: TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
Dec 2 14:18:45 mail postfix/smtpd[5103]: SSL_accept:before/accept initialization
Dec 2 14:18:45 mail postfix/smtpd[5103]: SSL_accept:SSLv3 read client hello A
Dec 2 14:18:45 mail postfix/smtpd[5103]: SSL_accept:SSLv3 write server hello A
Dec 2 14:18:45 mail postfix/smtpd[5103]: SSL_accept:SSLv3 write certificate A
Dec 2 14:18:45 mail postfix/smtpd[5103]: SSL_accept:SSLv3 write key exchange A
Dec 2 14:18:45 mail postfix/smtpd[5103]: SSL_accept:SSLv3 write server done A
Dec 2 14:18:45 mail postfix/smtpd[5103]: SSL_accept:SSLv3 flush data
Dec 2 14:18:45 mail postfix/smtpd[5103]: SSL_accept:SSLv3 read client key exchange A
Dec 2 14:18:45 mail postfix/smtpd[5103]: SSL_accept:SSLv3 read finished A
Dec 2 14:18:45 mail postfix/smtpd[5103]: SSL_accept:SSLv3 write change cipher spec A
Dec 2 14:18:45 mail postfix/smtpd[5103]: SSL_accept:SSLv3 write finished A
Dec 2 14:18:45 mail postfix/smtpd[5103]: SSL_accept:SSLv3 flush data
Dec 2 14:18:45 mail postfix/smtpd[5103]: Anonymous TLS connection established from unknown[10.188.1.172]: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Dec 2 14:18:45 mail postfix/smtpd[5103]: 9B5791A1BCE: client=unknown[10.188.1.172], sasl_method=LOGIN, sasl_username=test@yourmail.com
Dec 2 14:18:45 mail postfix/cleanup[5113]: 9B5791A1BCE: message-id=<201412021416537923991@yourmail.com>
Dec 2 14:18:45 mail postfix/qmgr[5059]: 9B5791A1BCE: from=, size=1578, nrcpt=1 (queue active)
Dec 2 14:18:45 mail postfix/pipe[5115]: 9B5791A1BCE: to=, relay=maildrop, delay=0.18, delays=0.12/0.02/0/0.04, dsn=2.0.0, status=sent (delivered via maildrop service)
Dec 2 14:18:45 mail postfix/qmgr[5059]: 9B5791A1BCE: removed
Retrieve the message and check its header information.
Conclusion: Postfix now supports sending mail over TLS.
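The log excerpts in sections II.7, II.8 and III.8 show what a TLS-protected login looks like next to the SASL login on plain port 25. As an added example that is not part of the original post, this Python script reads maillog text and reports every credential that crossed the wire without TLS: a Postfix smtpd session whose sasl_username line is not preceded by a "TLS connection established" line for the same smtpd pid, and a Courier pop3d/imapd (non-ssl) session whose LOGOUT line carries stls=0. The sample log is constructed from the post's excerpts plus one invented cleartext POP3 session.

```python
import re

# Constructed sample modelled on this post's maillog excerpts: a SASL login
# on plain port 25, a wrapped pop3d-ssl session, an invented plain pop3d
# session that never issued STLS, and the SMTPS session from section III.8.
SAMPLE_LOG = """\
Dec 2 09:10:02 mail postfix/smtpd[4051]: connect from unknown[10.188.1.172]
Dec 2 09:10:02 mail postfix/smtpd[4051]: 583221A1BCC: client=unknown[10.188.1.172], sasl_method=LOGIN, sasl_username=test@yourmail.com
Dec 2 09:10:02 mail postfix/smtpd[4051]: disconnect from unknown[10.188.1.172]
Dec 2 09:10:04 mail pop3d-ssl: LOGOUT, user=test@yourmail.com, ip=[::ffff:10.188.1.172], port=[50258], top=0, retr=1497, rcvd=32, sent=1769, time=0, stls=1
Dec 2 09:12:00 mail pop3d: LOGOUT, user=bob@yourmail.com, ip=[::ffff:10.188.1.50], port=[50301], top=0, retr=0, rcvd=12, sent=40, time=0, stls=0
Dec 2 14:18:45 mail postfix/smtpd[5103]: connect from unknown[10.188.1.172]
Dec 2 14:18:45 mail postfix/smtpd[5103]: Anonymous TLS connection established from unknown[10.188.1.172]: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Dec 2 14:18:45 mail postfix/smtpd[5103]: 9B5791A1BCE: client=unknown[10.188.1.172], sasl_method=LOGIN, sasl_username=test@yourmail.com
Dec 2 14:18:45 mail postfix/smtpd[5103]: disconnect from unknown[10.188.1.172]
"""

SMTPD_RE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
TLS_RE = re.compile(r"TLS connection established from \S+: (?P<proto>\S+) with cipher (?P<cipher>\S+)")
SASL_RE = re.compile(r"client=\S*\[(?P<ip>[^\]]+)\], sasl_method=(?P<method>\w+), sasl_username=(?P<user>\S+)")
COURIER_RE = re.compile(r" (?P<svc>pop3d|imapd)(?P<ssl>-ssl)?: LOGOUT, user=(?P<user>[^,]+), ip=\[(?P<ip>[^\]]+)\].*stls=(?P<stls>[01])")

def audit_maillog(text):
    """Return (service, user, ip, issue) tuples for logins made without TLS.
    Postfix sessions are tracked per smtpd pid between 'connect from' and
    'disconnect from'; Courier sessions are judged from their LOGOUT line."""
    findings, tls_by_pid = [], {}
    for line in text.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            pid, msg = m.group("pid"), m.group("msg")
            if msg.startswith(("connect from", "disconnect from")):
                tls_by_pid.pop(pid, None)          # session boundary
            elif TLS_RE.search(msg):
                t = TLS_RE.search(msg)
                tls_by_pid[pid] = (t.group("proto"), t.group("cipher"))
            else:
                s = SASL_RE.search(msg)
                if s and pid not in tls_by_pid:
                    findings.append(("smtpd", s.group("user"), s.group("ip"),
                                     "SASL %s over cleartext SMTP" % s.group("method")))
            continue
        c = COURIER_RE.search(line)
        if c and not c.group("ssl") and c.group("stls") == "0":
            findings.append((c.group("svc"), c.group("user"), c.group("ip"),
                             "login without STARTTLS"))
    return findings

if __name__ == "__main__":
    for svc, user, ip, issue in audit_maillog(SAMPLE_LOG):
        print("%-6s %-20s %-22s %s" % (svc, user, ip, issue))
```

Run it against a real /var/log/maillog to see which accounts still authenticate over port 25 or plain POP3/IMAP before tightening the server configuration.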