Ssl certificate generation, ssl Certificate
Ssl certificate generation
openssl req -new -x509 -days 3650 -nodes -out /opt/ssl/certs/postfix.pem -keyout /opt/ssl/private/postfix.pem
The first is the certificate, and the second is the key (Private key)
It can be applied to many programs.
The following are two examples:
Nginx ssl
server { listen 443; server_name _; ssl on; ssl_certificate /opt/ssl/certs/postfix.pem; ssl_certificate_key /opt/ssl/private/postfix.pem; ssl_session_timeout 5m; ssl_protocols SSLv2 SSLv3 TLSv1; ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; ssl_prefer_server_ciphers on; location / { root html; index index.html index.htm; }}
Nginx-tThe test is correct. Of course, this certificate's own browser will report an untrusted warning.
Postfix ssl
Vim/etc/postfix/main. cf
smtpd_tls_security_level = may#smtpd_tls_security_level = encryptsmtpd_tls_key_file = /opt/ssl/private/postfix.pemsmtpd_tls_cert_file = /opt/ssl/certs/postfix.pemsmtpd_tls_loglevel = 1smtpd_tls_session_cache_timeout = 3600ssmtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cachetls_random_source = dev:/dev/urandomsmtpd_tls_auth_only = yes
Send an email to check whether the maillog log contains a tls record, which indicates ssl.
postfix/smtpd[29635]: setting up TLS connection from unknown[114。。]
In addition, you can telnet localhost 25
ehlo localhost250-mail.gqdw.xyz250-PIPELINING250-SIZE 10240000250-VRFY250-ETRN250-STARTTLS250-ENHANCEDSTATUSCODES250-8BITMIME250 DSN
StarttlsIndicates that ssl session encryption is enabled.