Building an Anti-Virus and Anti-Spam Mail System (Part 4) - Mail Server Tutorials

      4. TLS support

        This is done by modifying the /usr/lib/ssl/misc/CA.pl script. Below is a comparison between the modified copy, CA1.pl, and the unmodified CA.pl:

        *** CA.pl
        --- CA1.pl
        ***************
        *** 59,69 ****
        } elsif (/^-newcert$/) {
        # create a certificate
        ! system ("$REQ -new -x509 -keyout newreq.pem -out newreq.pem $DAYS");
        $RET=$?;
        print "Certificate (and private key) is in newreq.pem\n"
        } elsif (/^-newreq$/) {
        # create a certificate request
        ! system ("$REQ -new -keyout newreq.pem -out newreq.pem $DAYS");
        $RET=$?;
        print "Request (and private key) is in newreq.pem\n";
        } elsif (/^-newca$/) {
        --- 59,69 ----
        } elsif (/^-newcert$/) {
        # create a certificate
        ! system ("$REQ -new -x509 -nodes -keyout newreq.pem -out newreq.pem $DAYS");
        $RET=$?;
        print "Certificate (and private key) is in newreq.pem\n"
        } elsif (/^-newreq$/) {
        # create a certificate request
        ! system ("$REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS");
        $RET=$?;
        print "Request (and private key) is in newreq.pem\n";
        } elsif (/^-newca$/) {
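        Review bot: the `-nodes` added to both `$REQ` calls in this hunk (`! system ("$REQ -new -x509 -nodes -keyout newreq.pem ...` and `! system ("$REQ -new -nodes -keyout newreq.pem ...`) writes the private key into newreq.pem with no passphrase, which is what lets Postfix load it at start-up unattended, but nothing in the change restricts access to that file and the unchanged message still only says "Certificate (and private key) is in newreq.pem". The step that copies newreq.pem into /etc/postfix should make the key root-owned with mode 0600, and the print message or a comment next to the `-nodes` should say that the key is now unencrypted. The `-newca` branch is outside this hunk, so the CA's own key keeps whatever protection the original script gives it.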

        The modified CA1.pl can now be used to issue certificates:

        # cd /usr/local/ssl/misc
        # ./CA1.pl -newca
        # ./CA1.pl -newreq
        # ./CA1.pl -sign
        # cp demoCA/cacert.pem /etc/postfix/CAcert.pem
        # cp newcert.pem /etc/postfix/cert.pem
        # cp newreq.pem /etc/postfix/key.pem

        Edit main.cf and add:

        smtpd_tls_cert_file = /etc/postfix/cert.pem
        smtpd_tls_key_file = /etc/postfix/privkey.pem
        smtpd_use_tls = yes
        tls_random_source = dev:/dev/urandom
        tls_daemon_random_source = dev:/dev/urandom

        After restarting Postfix, the EHLO response should include 250-STARTTLS.
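The checks a practitioner would run around this step, as an added shell example that is not part of the tutorial: it creates a passphrase-less key and self-signed certificate the way the patched CA1.pl does (with -nodes), restricts the key file to its owner, confirms the key belongs to the certificate, verifies that every smtpd_tls_*_file entry in a main.cf fragment names an existing file (the tutorial copies the key to /etc/postfix/key.pem but then sets smtpd_tls_key_file = /etc/postfix/privkey.pem, which is exactly the kind of slip this catches), and checks an EHLO reply for the 250-STARTTLS line. The hostname mail.example.test, the working directory, and the sample main.cf and EHLO text are constructed for the example; the nc command in the comment is the usual way to obtain a live EHLO reply.

```shell
#!/bin/sh
# Added example, not from the tutorial: generate a passphrase-less key/cert pair
# the way the patched CA1.pl does (-nodes), lock the key down, and check the
# things that commonly go wrong before and after restarting Postfix.
# All paths, the hostname and the sample main.cf / EHLO text are constructed.

# Create an unencrypted private key and a self-signed certificate in $1
# (the equivalent of "CA1.pl -newcert" with the -nodes change applied).
make_keypair() {
    dir=$1
    mkdir -p "$dir" || return 1
    # -nodes: no passphrase, so the daemon can load the key unattended ...
    openssl req -new -x509 -nodes -days 365 -subj "/CN=mail.example.test" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 1
    # ... which is why the key file must then be readable by its owner only.
    chmod 600 "$dir/key.pem"
}

# Succeed only if the private key in $2 belongs to the certificate in $1
# (compares the public key extracted from each).
key_matches_cert() {
    certpub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    keypub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ "$certpub" = "$keypub" ]
}

# Succeed only if the file in $1 has mode 600 (GNU stat first, BSD stat as fallback).
key_mode_is_0600() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null)
    [ "$mode" = "600" ]
}

# Read a main.cf fragment on stdin; succeed only if every smtpd_tls_*_file
# parameter names an existing file. Prints the offending parameter otherwise.
tls_files_exist() {
    rc=0
    while IFS= read -r line; do
        case $line in
            smtpd_tls_cert_file*=*|smtpd_tls_key_file*=*|smtpd_tls_CAfile*=*)
                param=$(printf '%s' "${line%%=*}" | tr -d ' ')
                path=$(printf '%s' "${line#*=}" | tr -d ' ')
                if [ ! -f "$path" ]; then
                    echo "$param points at a missing file: $path" >&2
                    rc=1
                fi ;;
        esac
    done
    return $rc
}

# Read an SMTP EHLO reply on stdin; succeed only if STARTTLS is advertised.
# On a live server:  printf 'EHLO test\r\nQUIT\r\n' | nc mailhost 25 | starttls_advertised
starttls_advertised() {
    grep -q '^250[ -]STARTTLS'
}

# --- demonstration on constructed data ---
WORK=$(mktemp -d)
make_keypair "$WORK" && key_matches_cert "$WORK/cert.pem" "$WORK/key.pem" \
    && key_mode_is_0600 "$WORK/key.pem" && echo "key and certificate OK"

# main.cf as in the tutorial, with the key under the name it was copied to
printf 'smtpd_tls_cert_file = %s/cert.pem\nsmtpd_tls_key_file = %s/key.pem\nsmtpd_use_tls = yes\n' \
    "$WORK" "$WORK" | tls_files_exist && echo "main.cf TLS file paths OK"

# constructed EHLO reply from a server that has TLS enabled
printf '250-mail.example.test\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 8BITMIME\r\n' \
    | starttls_advertised && echo "STARTTLS advertised"

rm -rf "$WORK"   # the demonstration files are not needed afterwards
```

The key/certificate comparison is done on the public keys rather than on an RSA modulus so it also works for EC keys; the main.cf check is deliberately file-based because a typo in smtpd_tls_key_file only shows up as a TLS failure in the mail log after the restart.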

        Many mail clients have poor TLS support, so it is recommended to use stunnel to encrypt SMTP and POP3 instead.

        # apt-get install stunnel

        Certificate:

        # openssl req -new -x509 -days 365 -nodes -config /etc/ssl/openssl.cnf -out stunnel.pem -keyout stunnel.pem
        # openssl gendh 512 >> stunnel.pem

        Server side:
        # stunnel -d 60025 -r 25 -s nobody -g nogroup
        # stunnel -d 60110 -r 110 -s nobody -g nogroup

        If you use options such as -n pop3, mail can only be received with a mail client.

        Client side:
        Create a stunnel.conf file:

        client = yes

        [pop3]
        accept = 127.0.0.1:110
        connect = 192.168.7.144:60110

        [smtp]
        accept = 127.0.0.1:25
        connect = 192.168.7.144:60025

        Then start stunnel.exe and set both the SMTP and POP3 server addresses in your mail client to 127.0.0.1; the traffic between you and the mail server is then encrypted by stunnel.

        5. Test user

        # mkdir -p /home/vmail/test.org/san/
        # chown -R nobody.nogroup /home/vmail
        # chmod -R 700 /home/vmail

        mysql> use postfix
        mysql> insert into transport set domain='test.org', destination='virtual:';
        mysql> insert into users set email='san@test.org',clear='test',name='',uid='65534',gid='65534',homedir='home/vmail',maildir='test.org/san/';

        You can now send and receive mail with a client; remember that the username is the full email address.
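The user-creation step above, generalised to any address, as an added shell example that is not part of the tutorial: it derives the maildir from the address, creates the directory with the same owner and 0700 mode the tutorial uses, and only emits the two INSERT statements for addresses that pass a character whitelist, so that a crafted local part cannot smuggle SQL into the statement when provisioning is scripted. The vmail root /home/vmail, the uid/gid 65534 and the transport/users columns are taken from the tutorial; the password parameter, the sql_quote helper and inserting the transport row once per domain rather than once per user are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the tutorial: provision a virtual mailbox user the way
# section 5 does by hand, but for any address. The maildir is derived from the
# address (domain/localpart/), the directory gets the same owner and 0700 mode as
# in the tutorial, and SQL is only generated for addresses that pass a character
# whitelist, so a crafted local part cannot smuggle SQL into the INSERT.
# Assumptions: vmail root /home/vmail, uid/gid 65534 and the two tables as in the
# tutorial; the password is taken as a parameter and the transport row is
# inserted once per domain rather than once per user.

VMAIL_ROOT=${VMAIL_ROOT:-/home/vmail}

# Accept only addresses made of a conservative character set:
# letters, digits and . _ - in the local part; letters, digits, - and at
# least one dot in the domain.
valid_address() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9._-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$'
}

addr_domain() { printf '%s\n' "${1#*@}"; }
addr_local()  { printf '%s\n' "${1%%@*}"; }

# Maildir path relative to $VMAIL_ROOT, e.g. test.org/san/
maildir_for() {
    printf '%s/%s/\n' "$(addr_domain "$1")" "$(addr_local "$1")"
}

# Double single quotes so a value is safe inside a single-quoted SQL literal.
sql_quote() {
    printf '%s' "$1" | sed "s/'/''/g"
}

# INSERT for the transport table (run once per hosted domain).
domain_sql() {
    valid_address "postmaster@$1" || { echo "rejected domain: $1" >&2; return 1; }
    printf "insert into transport set domain='%s', destination='virtual:';\n" "$1"
}

# INSERT for the users table; $1 address, $2 clear-text password (stored as the tutorial does).
user_sql() {
    addr=$1; pw=$2
    valid_address "$addr" || { echo "rejected address: $addr" >&2; return 1; }
    printf "insert into users set email='%s',clear='%s',name='',uid='65534',gid='65534',homedir='%s',maildir='%s';\n" \
        "$addr" "$(sql_quote "$pw")" "$VMAIL_ROOT" "$(maildir_for "$addr")"
}

# Create the mailbox directory for $2 under the vmail root $1, owned by
# nobody:nogroup (chown needs root and is skipped otherwise) and mode 0700.
make_maildir() {
    root=$1; addr=$2
    valid_address "$addr" || return 1
    dir="$root/$(maildir_for "$addr")"
    mkdir -p "$dir" || return 1
    chown -R nobody:nogroup "$root" 2>/dev/null
    chmod -R 700 "$root"
    [ -d "$dir" ]
}

# --- demonstration on constructed input ---
domain_sql test.org
user_sql san@test.org test
user_sql "san'; drop table users; --@test.org" x || echo "(crafted address rejected, no SQL emitted)"
```

Run as root against the real vmail root the statements can be piped straight into mysql; the whitelist is intentionally stricter than what RFC 5321 allows, because a mail system that only ever creates its own users gains nothing from accepting quotes or spaces in a local part.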

      Source: collected from the web // Category: Mail Server Tutorials / Updated: 2013-04-15