Mail and email service (III): POP3 authentication mechanism and relay rules
We take the existing mail system built in Mago's "mail system based on the virtual-user architecture" tutorial and add a POP3 authentication mechanism to it.
If you do not yet have a working mail system, follow Mago's instructions step by step; you will be able to do it.
On to the topic.
POP3 authentication mechanism:
1. Create a CA to prepare for issuing certificates
# cd /etc/pki/CA
# vim ../tls/openssl.cnf    (change the default directory and the default subject fields)
dir = /etc/pki/CA
countryName_default = CN
stateOrProvinceName_default = Henan
localityName_default = ZZ
0.organizationName_default = Linux
organizationalUnitName_default = tech
# openssl genrsa 2048 > private/cakey.pem
# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
# chmod 600 private/cakey.pem
# mkdir certs newcerts crl
# touch index.txt serial
# echo 01 > serial
# ll
2. Issue a certificate to Dovecot
# mkdir /etc/dovecot
# mkdir /etc/dovecot/ssl
# cd /etc/dovecot/ssl
# (umask 077; openssl genrsa 1024 > dovecot.key)
Generate a certificate signing request:
# openssl req -new -key dovecot.key -out dovecot.csr
(The Common Name is important: it must be the server name that clients connect to, here pop3.a.org.)
# openssl ca -in dovecot.csr -out dovecot.crt -days 3650
# rm dovecot.csr
Now both the certificate and the private key are available.
Dovecot also needs the CA certificate, so copy it here:
# cp /etc/pki/CA/cacert.pem ./
# mv cacert.pem cacert.crt
# ll
3. Configure Dovecot to support the authentication mechanism
# vim /etc/dovecot.conf
Modify:
ssl_cert_file = /etc/dovecot/ssl/dovecot.crt
ssl_key_file = /etc/dovecot/ssl/dovecot.key
ssl_ca_file = /etc/dovecot/ssl/cacert.crt
Enable:
protocols = imap imaps pop3 pop3s
# service dovecot restart
# vim /var/named/a.org.zone
Add a forward (A) record for pop3 pointing to the server's IP address.
# service named reload
# mutt -f pops://weiyan@weiyan.org@pop3.weiyan.org
mutt prompts about the certificate: press r to reject it or o to accept it (once); then enter the password.
From this point our mail is retrieved over an encrypted connection.
Detection:
Start the packet capture tool:
# tshark -ni eth0 -R "tcp.srcport eq 995 or tcp.dstport eq 995"
On another host:
# mutt -f pops://gentoo@a.org@172.16.100.1
Everything captured is shown as encrypted data.
Relay rule restrictions:
Relay rules are defined in main.cf. We use a virtual domain as the example:
1. Restrict one or more IP addresses within an otherwise open network block
smtpd_client_restrictions = <access table file>
The file name is up to you; its contents are written as:
172.16.100.100 reject
This line means that 172.16.100.100 may not relay; an explanatory message can be appended after reject.
Once the file is written, convert it to a *.db binary file with the postmap command:
# postmap file
Then edit main.cf and change the setting to:
smtpd_client_restrictions = hash:/filename    (the path of the file you created, without the .db suffix)
Now try sending mail from the host with that IP address; it should be rejected.
Other IP addresses can still relay.
2. Reject a specific sender address
smtpd_sender_restrictions = <access table file>
Again create a new file to define the rules:
centos@a.org reject
a.org reject
gentoo@ reject
The first line rejects centos@a.org.
The second line (a bare domain, which by default also matches its subdomains) rejects relaying for every sender in a.org.
The third line rejects relaying for every user named gentoo, whatever the domain.
# postmap file
# vim /etc/postfix/main.cf
smtpd_sender_restrictions = hash:/etc/postfix/sender
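To see how Postfix walks the two access tables above, here is an added Python model (not part of the tutorial, and not Postfix code) of the hash: table lookup order described in access(5): sender address, then the domain and its parent domains, then user@; for a client, the IP address and then the networks obtained by stripping octets. The table contents and the sample addresses are constructed to mirror the examples in this section.

```python
from typing import Optional

# Constructed access tables mirroring the tutorial's two files (key -> action).
SENDER_TABLE = {"centos@a.org": "REJECT", "a.org": "REJECT", "gentoo@": "REJECT"}
CLIENT_TABLE = {"172.16.100.100": "REJECT"}


def sender_lookup_keys(address: str) -> list:
    """Keys tried, in order, for an envelope sender: user@domain,
    domain and its parent domains, then user@ (access(5) EMAIL ADDRESS PATTERNS)."""
    address = address.lower()
    user, _, domain = address.partition("@")
    labels = domain.split(".")
    keys = [address]
    keys += [".".join(labels[i:]) for i in range(len(labels))]  # e.g. a.org, org
    keys.append(user + "@")
    return keys


def client_lookup_keys(ip: str) -> list:
    """Keys tried for a client IPv4 address: the full address, then the
    networks obtained by stripping least-significant octets."""
    octets = ip.split(".")
    return [".".join(octets[:n]) for n in range(len(octets), 0, -1)]


def check_access(table: dict, keys: list) -> Optional[str]:
    """Action of the first key found; None means no match, so Postfix moves on
    to the next restriction (for an otherwise open network that is permit)."""
    for key in keys:
        if key in table:
            return table[key]
    return None


def sender_action(address: str) -> Optional[str]:
    return check_access(SENDER_TABLE, sender_lookup_keys(address))


def client_action(ip: str) -> Optional[str]:
    return check_access(CLIENT_TABLE, client_lookup_keys(ip))


if __name__ == "__main__":
    for sender in ("centos@a.org", "bob@mail.a.org", "gentoo@b.org", "alice@b.org"):
        print(f"sender {sender:18} -> {sender_action(sender)}")
    for client in ("172.16.100.100", "172.16.100.101"):
        print(f"client {client:18} -> {client_action(client)}")
```

The model covers only the indexed-table key forms used here; it leaves out client hostname lookups, cidr: tables, address extensions and the RESTRICTION CLASS features of the real implementation.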