SMTP over SSL/TLS


* Sends with a certificate issued by a private (self-signed) CA.
* The MTA is Postfix.

Create the SSL certificate directory

mkdir -p /etc/postfix/ssl/SERVER

* -p also creates /etc/postfix/ssl, which does not exist yet; CA.sh -newca creates the CA subtree /etc/postfix/ssl/CA under it later.

Modify the CA script

cp /usr/lib/ssl/misc/CA.sh /etc/postfix/ssl/

vi /etc/postfix/ssl/CA.sh
if [ -z "$DAYS" ] ; then DAYS="-days 36500" ; fi        # 100 years
CADAYS="-days 36500"     # 100 years
if [ -z "$CATOP" ] ; then CATOP=/etc/postfix/ssl/CA ; fi

* CADAYS is the validity of the CA certificate produced by CA.sh -newca. DAYS only takes effect when a certificate is signed through CA.sh -sign; it has no effect on the direct openssl ca call used below.

Modify the openssl configuration file

cp -pi /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.org
vi /etc/ssl/openssl.cnf
* Change the path in two places so that openssl ca finds the CA created under CATOP
[ CA_default ]
dir             = /etc/postfix/ssl/CA
[ tsa_config1 ]
dir             = /etc/postfix/ssl/CA

* Only [ CA_default ] matters for issuing certificates; [ tsa_config1 ] is the time-stamp authority section and is not used here, so changing it is harmless but unnecessary.

Create the CA

Create the CA private key (and CA certificate)

sh /etc/postfix/ssl/CA.sh -newca

 * Press Enter at "CA certificate filename (or enter to create)", then enter a passphrase for cakey.pem
 * Enter the Subject information
   Country Name (2 letter code) [AU]:JP
   State or Province Name (full name) [Some-State]:Fukuoka
   Locality Name (eg, city) []:Fukuoka-shi
   Organization Name (eg, company) [Internet Widgits Pty Ltd]:Alterbooth Inc.
   Organizational Unit Name (eg, section) []:TechRoom
   Common Name (eg, YOUR name) []:a name for the CA, not the server FQDN
   Email Address []:leave blank
 * The CA's Common Name must differ from the server certificate's. CA.sh -newca signs the CA certificate with openssl ca -selfsign, which records it in /etc/postfix/ssl/CA/index.txt, and openssl ca then refuses to issue a second certificate with an identical subject (unique_subject defaults to yes; the failure shows up as "TXT_DB error number 2").

Create the CA certificate

* CA.sh -newca has already written /etc/postfix/ssl/CA/cacert.pem together with cakey.pem. The command below regenerates both (a new key and a new self-signed certificate, with the same passphrase and Subject prompts), so run it only if you want to replace the CA.

openssl req -new -x509 -keyout /etc/postfix/ssl/CA/private/cakey.pem -out /etc/postfix/ssl/CA/cacert.pem -days 36500

Create the server certificate

Create the private key

openssl genrsa -des3 -out /etc/postfix/ssl/SERVER/FQDN.key.pem 2048

* -rand rand.dat was dropped: nothing on this page creates that file, and OpenSSL seeds its RNG by itself. Writing the key with -out instead of a shell redirect lets OpenSSL create the file with mode 0600; a redirect creates it with the shell's umask, typically world-readable.

Remove the key passphrase

openssl rsa -in /etc/postfix/ssl/SERVER/FQDN.key.pem -out /etc/postfix/ssl/SERVER/FQDN.key.pem

* Enter the -des3 passphrase once here. Postfix loads the key at startup with nobody there to type a passphrase, so the key must be unencrypted; from now on the file mode (0600, owned by root) is its only protection.

Create the certificate signing request (CSR)

openssl req -new -key /etc/postfix/ssl/SERVER/FQDN.key.pem -out /etc/postfix/ssl/SERVER/FQDN.csr.pem

* -days has no effect on a CSR (it only applies together with -x509); the validity is decided when the CA signs.
 Enter the Subject information
   Country Name (2 letter code) [AU]:JP
   State or Province Name (full name) [Some-State]:Fukuoka
   Locality Name (eg, city) []:Fukuoka-shi
   Organization Name (eg, company) [Internet Widgits Pty Ltd]:Alterbooth Inc.
   Organizational Unit Name (eg, section) []:TechRoom
   Common Name (eg, YOUR name) []:FQDN
   Email Address []:leave blank
 * Country, State and Organization must equal the CA's: the default openssl ca policy (policy_match) rejects the request otherwise. The Common Name is the host name clients connect to, which is why the CA's CN must be something else. If a "challenge password" is asked for, leave it empty.

Create the certificate

openssl ca -in /etc/postfix/ssl/SERVER/FQDN.csr.pem -keyfile /etc/postfix/ssl/CA/private/cakey.pem -cert /etc/postfix/ssl/CA/cacert.pem -out /etc/postfix/ssl/SERVER/FQDN.crt.pem

* Enter the cakey.pem passphrase and answer y twice (sign, then commit). Without -days the certificate is valid for default_days from /etc/ssl/openssl.cnf (365), not the 36500 set in CA.sh; pass -days explicitly if you want a different lifetime. The issued certificate is also recorded in /etc/postfix/ssl/CA/index.txt and newcerts/.

Postfix configuration

Edit main.cf

vi /etc/postfix/main.cf
Append the following
#-------------------------------------#
# TLS
#-------------------------------------#
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_CAfile = /etc/postfix/ssl/CA/cacert.pem
smtpd_tls_cert_file = /etc/postfix/ssl/SERVER/FQDN.crt.pem
smtpd_tls_key_file = /etc/postfix/ssl/SERVER/FQDN.key.pem
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
smtpd_tls_security_level = may
smtp_tls_loglevel = 2

* smtp_* parameters govern Postfix as a client (outbound mail), smtpd_* Postfix as a server (inbound). "may" is opportunistic TLS: offered, never required, which is the correct setting for port 25 because other MTAs must still be able to deliver without it. The key file should be readable by root only; Postfix loads it during pre-jail initialisation while still running as root. smtp_tls_loglevel = 2 logs handshake detail; 1 is enough to see the negotiated protocol and cipher. smtpd_tls_loglevel is the matching server-side setting and is left at 0 here, so inbound TLS sessions are not logged.

Edit master.cf

vi /etc/postfix/master.cf
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

* This adds a listener on port 465 ("smtps" is resolved through /etc/services; write 465 instead if the name is missing there) that starts TLS immediately rather than via STARTTLS. Wrapper mode implies enforced TLS, so AUTH is only ever offered on an encrypted connection here. smtpd_sasl_auth_enable alone does not make authentication work: a SASL backend (smtpd_sasl_type / smtpd_sasl_path, e.g. Dovecot or Cyrus) must be configured, which this page does not cover. Port 25 continues to serve plain SMTP with STARTTLS.
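The TLS part of main.cf and master.cf above, as an added example rather than the page's own configuration: the page's values are kept, and each line a practitioner would add is explained on the comment line above it. The relay and client restrictions on the smtps service are a suggested policy (authenticated clients only), not something the page specifies.

```ini
# main.cf (page's lines kept; additions explained above each one)
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_CAfile = /etc/postfix/ssl/CA/cacert.pem
smtpd_tls_cert_file = /etc/postfix/ssl/SERVER/FQDN.crt.pem
smtpd_tls_key_file = /etc/postfix/ssl/SERVER/FQDN.key.pem
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
# Port 25 stays opportunistic: other MTAs must still be able to deliver in the clear.
smtpd_tls_security_level = may
# Never announce AUTH on an unencrypted connection, even if SASL is later enabled globally.
smtpd_tls_auth_only = yes
# Wrapper mode (smtps) is enforced TLS, so the "mandatory" protocol list applies there.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
# Opportunistic TLS on port 25 only drops the protocols nothing should still use.
smtpd_tls_protocols = !SSLv2, !SSLv3
# Level 1 logs the negotiated protocol and cipher per connection; 2 dumps handshake detail.
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
# Record protocol and cipher in the Received: header, useful for later forensics.
smtpd_tls_received_header = yes

# master.cf: the smtps service accepts and relays only for authenticated clients
# (suggested policy, not the page's). -o values must not contain spaces.
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

Postfix main.cf does not accept a trailing comment on a value line, so every comment sits on its own line. After editing, postfix check reports syntax and file-permission problems and postconf -n lists the effective non-default settings; then restart as in the next step.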

Restart Postfix

service postfix restart

Send test

openssl s_client -connect FQDN:465 -crlf -ign_eof -CAfile /etc/postfix/ssl/CA/cacert.pem

* -CAfile makes s_client verify the server certificate against the private CA: look for "Verify return code: 0 (ok)" in the output before typing anything. -crlf sends the CRLF line endings SMTP requires. -ign_eof switches off s_client's interactive letter commands; without it a line beginning with R (as in RCPT TO) triggers a TLS renegotiation instead of being sent to the server.

EHLO (client hostname)
MAIL FROM:<sender address>
RCPT TO:<recipient address>
DATA
Subject: Mail Send Test
From: sender address
To: recipient address

Test Mail
.
QUIT

* Each command should be answered with a 2xx code (354 after DATA, 250 with the queue ID after the final "."). The empty line between the headers and "Test Mail" is required; without it the body is parsed as a header. Because relay restrictions are left at their defaults on this page, a client outside mynetworks that addresses a recipient outside the local domains gets "Relay access denied" until it authenticates (AUTH before MAIL FROM); the smtps service enables SASL for exactly that.
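The certificate steps above run end to end in one script, followed by the verification the send test should include. This is an added example, not code from the original page: it works in a temporary directory, uses its own minimal openssl.cnf in place of CA.sh and the edited /etc/ssl/openssl.cnf, and assumes the hypothetical host name mail.example.test and the hypothetical CA name "Alterbooth Mail CA" (the other subject fields are the page's). It goes beyond the page in one respect: the server certificate carries a subjectAltName, which is what TLS clients match the host name against today.

```shell
#!/bin/sh
# Added example, not from the original page: the CA and server-certificate steps done
# non-interactively (an explicit openssl.cnf instead of CA.sh, -subj instead of prompts),
# then the chain/hostname verification that a bare "openssl s_client -connect FQDN:465"
# does not perform. Hypothetical: $WORK, the FQDN mail.example.test and the CA name
# "Alterbooth Mail CA". The subject fields mirror the page's prompts.
set -eu
WORK="${WORK:-$(mktemp -d)}"
FQDN="${FQDN:-mail.example.test}"
CA_DIR="$WORK/CA"; SRV_DIR="$WORK/SERVER"
DN_BASE="/C=JP/ST=Fukuoka/L=Fukuoka-shi/O=Alterbooth Inc./OU=TechRoom"
make_pki() {
  mkdir -p "$CA_DIR/private" "$CA_DIR/newcerts" "$SRV_DIR"
  chmod 700 "$CA_DIR/private"
  : > "$CA_DIR/index.txt"; echo 01 > "$CA_DIR/serial"
  # Stand-in for the page's edited /etc/ssl/openssl.cnf. policy_match is what
  # "openssl ca" enforces by default (C/ST/O must equal the CA's); subject
  # fields not listed in the policy are silently dropped from the issued cert.
  cat > "$WORK/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
localityName = optional
organizationalUnitName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ server_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$FQDN
EOF
  # CA key + self-signed CA cert. The CN must differ from the server FQDN: CA.sh
  # -newca issues the CA cert via "openssl ca -selfsign", which records it in
  # index.txt, and unique_subject (default yes) then refuses a server cert with
  # the same subject (TXT_DB error number 2). -nodes only so this runs unattended;
  # keep a passphrase on a real CA key as the page does.
  openssl req -new -x509 -batch -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/openssl.cnf" -extensions v3_ca -subj "$DN_BASE/CN=Alterbooth Mail CA" \
    -keyout "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem"
  # Server key: Postfix cannot type a passphrase, so generate it unencrypted and
  # 0600 from the start instead of the page's -des3 then "openssl rsa" round trip.
  openssl genrsa -out "$SRV_DIR/$FQDN.key.pem" 2048
  chmod 600 "$SRV_DIR/$FQDN.key.pem"
  # CSR: the CN is the name clients connect to (-days on a CSR is ignored).
  openssl req -new -batch -key "$SRV_DIR/$FQDN.key.pem" -config "$WORK/openssl.cnf" \
    -subj "$DN_BASE/CN=$FQDN" -out "$SRV_DIR/$FQDN.csr.pem"
  # Sign. -days is explicit: otherwise default_days from openssl.cnf applies (the
  # DAYS edit in CA.sh only affects "CA.sh -sign"). SAN added: clients ignore the CN.
  openssl ca -batch -notext -config "$WORK/openssl.cnf" -extensions server_ext \
    -days 825 -in "$SRV_DIR/$FQDN.csr.pem" -out "$SRV_DIR/$FQDN.crt.pem"
}
verify_chain() {  # chain AND host name: what a client that really verifies checks
  openssl verify -CAfile "$CA_DIR/cacert.pem" -verify_hostname "$FQDN" "$SRV_DIR/$FQDN.crt.pem" >/dev/null
}
hostname_mismatch_rejected() {
  ! openssl verify -CAfile "$CA_DIR/cacert.pem" -verify_hostname other.example.test \
      "$SRV_DIR/$FQDN.crt.pem" >/dev/null 2>&1
}
tls_handshake_ok() {
  # s_server stands in for Postfix's wrapper-mode listener on 465; only the
  # handshake and the client-side certificate check are exercised, no SMTP. With
  # -verify_return_error a failed chain/hostname check fails the handshake, so the
  # exit status is the verdict instead of a "Verify return code" line to eyeball.
  port=$((20000 + $$ % 20000))
  openssl s_server -accept "$port" -www -cert "$SRV_DIR/$FQDN.crt.pem" \
    -key "$SRV_DIR/$FQDN.key.pem" >/dev/null 2>&1 &
  srv=$!; rc=1
  for attempt in 1 2 3 4 5 6 7 8 9 10; do  # retry until the listener is up
    if openssl s_client -connect "127.0.0.1:$port" -servername "$FQDN" -CAfile "$CA_DIR/cacert.pem" \
         -verify_hostname "$FQDN" -verify_return_error </dev/null >/dev/null 2>&1; then
      rc=0; break
    fi
    sleep 1
  done
  kill "$srv" 2>/dev/null || true; wait "$srv" 2>/dev/null || true
  return "$rc"
}
make_pki
verify_chain; hostname_mismatch_rejected; tls_handshake_ok
echo "PKI in $WORK: chain, host name and TLS handshake verified"
```

Run it as-is with OpenSSL 1.1.1 or 3.x (-verify_hostname needs 1.1.0 or later); set WORK and FQDN in the environment to override the defaults. To apply the same check against a real Postfix listener, point the s_client line at FQDN:465 with the same -CAfile, -verify_hostname and -verify_return_error options.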