構建反病毒反垃圾郵件系統(四)

來源:互聯網
上載者:User
4、TLS支援

  通過修改/usr/lib/ssl/misc/CA.pll指令碼實現,以下修改後CA1.pl和未修改CA.pl之間的對比:

  *** CA.pl
  --- CA1.pl
  ***************
  *** 59,69 ****
  } elsif (/^-newcert$/) {
  # create a certificate
  ! system ("$REQ -new -x509 -keyout newreq.pem -out newreq.pem $DAYS");
  $RET=$?;
  print "Certificate (and private key) is in newreq.pem\n"
  } elsif (/^-newreq$/) {
  # create a certificate request
  ! system ("$REQ -new -keyout newreq.pem -out newreq.pem $DAYS");
  $RET=$?;
  print "Request (and private key) is in newreq.pem\n";
  } elsif (/^-newca$/) {
  --- 59,69 ----
  } elsif (/^-newcert$/) {
  # create a certificate
  ! system ("$REQ -new -x509 -nodes -keyout newreq.pem -out newreq.pem $DAYS");
  $RET=$?;
  print "Certificate (and private key) is in newreq.pem\n"
  } elsif (/^-newreq$/) {
  # create a certificate request
  ! system ("$REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS");
  $RET=$?;
  print "Request (and private key) is in newreq.pem\n";
  } elsif (/^-newca$/) {

  現在就可以使用修改的CA1.pl來簽發認證:

  # cd /usr/local/ssl/misc
  # ./CA1.pl -newca
  # ./CA1.pl -newreq
  # ./CA1.pl -sign
  # cp demoCA/cacert.pem /etc/postfix/CAcert.pem
  # cp newcert.pem /etc/postfix/cert.pem
  # cp newreq.pem /etc/postfix/key.pem

  修改main.cf,添加:

  smtpd_tls_cert_file = /etc/postfix/cert.pem
  smtpd_tls_key_file = /etc/postfix/privkey.pem
  smtpd_use_tls = yes
  tls_random_source = dev:/dev/urandom
  tls_daemon_random_source = dev:/dev/urandom

  重起postfix後就可以看到250-STARTTLS

  很多郵件用戶端對TLS的支援並不是非常好,建議使用stunnel來實現相應的smtp和pop3加密。

  # apt-get install stunnel

  認證:

  # openssl req -new -x509 -days 365 -nodes -config /etc/ssl/openssl.cnf -out stunnel.pem -keyout stunnel.pem
  # openssl gendh 512 >> stunnel.pem

  服務端:
  # stunnel -d 60025 -r 25 -s nobody -g nogroup
  # stunnel -d 60110 -r 110 -s nobody -g nogroup

  如果使用-n pop3等參數就只能用郵件用戶端收信。

  用戶端:
  建一個stunnel.conf檔案:

  client = yes

  [pop3]
  accept = 127.0.0.1:110
  connect = 192.168.7.144:60110

  [smtp]
  accept = 127.0.0.1:25
  connect = 192.168.7.144:60025

  然後啟動stunnel.exe,在郵件用戶端的smtp和pop3的伺服器都填127.0.0.1就可以了,這樣從你到郵件伺服器端的資料轉送就讓stunnel給你加密了。

  5、測試使用者

  # mkdir -p /home/vmail/test.org/san/
  # chown -R nobody.nogroup /home/vmail
  # chmod -R 700 /home/vmail

  mysql> use postfix
  mysql> insert into transport set domain='test.org', destination='
virtual:';
  mysql> insert into users set email='san@test.org',clear='test',name='',uid='65534',gid='65534',
homedir='home/vmail',maildir='test.org/san/';

  然後就可以使用用戶端收發郵件,記得使用者名稱是email地址。



相關文章

Beyond APAC's No.1 Cloud

19.6% IaaS Market Share in Asia Pacific - Gartner IT Service report, 2018

Learn more >

Apsara Conference 2019

The Rise of Data Intelligence, September 25th - 27th, Hangzhou, China

Learn more >

Alibaba Cloud Free Trial

Learn and experience the power of Alibaba Cloud with a free trial worth $300-1200 USD

Learn more >

聯繫我們

該頁面正文內容均來源於網絡整理,並不代表阿里雲官方的觀點,該頁面所提到的產品和服務也與阿里云無關,如果該頁面內容對您造成了困擾,歡迎寫郵件給我們,收到郵件我們將在5個工作日內處理。

如果您發現本社區中有涉嫌抄襲的內容,歡迎發送郵件至: info-contact@alibabacloud.com 進行舉報並提供相關證據,工作人員會在 5 個工作天內聯絡您,一經查實,本站將立刻刪除涉嫌侵權內容。