Postfix Ssl

Pages: 7 (1576 words) Published: January 16, 2013
Postfix SSL HOWTO

Justin Davies
v1.0, December 2002
This is an introduction to the use of TLS/SSL with the Postfix MTA. Using TLS gives the user a
means to encrypt the mail connection and, with it, plaintext authentication. Using TLS, you can also
authenticate a user based on a private key to allow mail relaying.

1. Introduction
2. Postfix as a TLS Server
• 2.1 Configuration parameters
• 2.2 Testing TLS

3. Postfix as a TLS client
• 3.1 Configuring the client
• 3.2 Generating the fingerprint

4. Setting up the server to relay based on fingerprints
• 4.1 Server relay configuration

5. Finishing Up
6. Links

1. Introduction
Postfix and SSL
Postfix is one of the most popular e-mail servers after Sendmail. It benefits from most of
Sendmail's features, but is a lot easier to install and maintain. Where Sendmail uses m4 files for configuration,
Postfix uses the familiar key=value configuration files. SSL provides a way to encrypt a connection based on
certificates. For more information on SSL and certificates, make sure you read Introduction to SSL on the site.
Postfix and SSL can provide a way to allow relaying from dynamic IP addresses (road warriors). Postfix decides
whether to allow the client to relay based on whether the certificate offered by the client is registered in a
Postfix hash table. It also encrypts the channel between the client and the server, providing that little bit of
extra security.

2. Postfix as a TLS Server
Postfix on SuSE comes built with support for SSL/TLS, so all that is needed is configuration of the server to
allow SSL connections. The first thing you need to do is create the server certificate as detailed in the
Introduction to SSL. You need to copy the server key and the server certificate to the /etc/postfix directory. It
is very important that you change the permissions on the server private key:
chown root:root server.key
chmod 400 server.key

2.1 Configuration parameters
Edit /etc/postfix/main.cf and add the following lines to the end of the file:
# Other configurable parameters.
smtpd_tls_key_file = /etc/postfix/zen.key
smtpd_tls_cert_file = /etc/postfix/zen.pem
smtpd_tls_CAfile = /etc/postfix/CAcert.pem
smtpd_use_tls = yes

smtpd_tls_key_file is the location of the server private key.
smtpd_tls_cert_file is the location of the server certificate.
smtpd_tls_CAfile is the location of the Certificate Authority certificate (needed to verify the certificates).
smtpd_use_tls enables TLS, which is not active by default. You need to specifically tell the Postfix server
that it should support TLS.
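
An added example, not part of the original HOWTO or of Postfix: a small audit of the four main.cf parameters above together with the key ownership and permissions set by the chown and chmod 400 step. The function names and the constructed sample config built in demo() are assumptions made for illustration.

```python
import os
import tempfile

FILE_PARAMS = ("smtpd_tls_key_file", "smtpd_tls_cert_file", "smtpd_tls_CAfile")

def parse_main_cf(text):
    """Parse main.cf text into a dict; the last assignment of a name wins."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                         # blank line or comment
        if raw[0] in " \t" and current:      # leading whitespace continues a value
            params[current] += " " + raw.strip()
        elif "=" in raw:
            current, _, value = (s.strip() for s in raw.partition("="))
            params[current] = value
    return params

def audit_tls(text, expected_uid=0):
    """Return findings for the server-side TLS settings used in the HOWTO."""
    params, findings = parse_main_cf(text), []
    if params.get("smtpd_use_tls", "no").lower() != "yes":
        findings.append("smtpd_use_tls is not yes: STARTTLS is not offered")
    for name in FILE_PARAMS:
        path = params.get(name)
        if not path or not os.path.isfile(path):
            findings.append(f"{name}: file missing or parameter unset ({path})")
        elif name == "smtpd_tls_key_file":
            st = os.stat(path)
            if st.st_mode & 0o077:           # any group/other permission bit
                findings.append(f"{path}: private key accessible to group/other")
            if st.st_uid != expected_uid:
                findings.append(f"{path}: owner uid {st.st_uid}, expected {expected_uid}")
    return findings

def demo():
    """Audit a constructed config whose key starts world-readable (0644)."""
    with tempfile.TemporaryDirectory() as d:
        paths = {n: os.path.join(d, n) for n in FILE_PARAMS}
        for p in paths.values():
            with open(p, "w") as fh:
                fh.write("constructed placeholder, not real key material\n")
            os.chmod(p, 0o644)
        conf = "smtpd_use_tls = yes\n" + "".join(f"{n} = {p}\n" for n, p in paths.items())
        before = audit_tls(conf, expected_uid=os.getuid())
        os.chmod(paths["smtpd_tls_key_file"], 0o400)   # the HOWTO's chmod 400
        return before, audit_tls(conf, expected_uid=os.getuid())

if __name__ == "__main__":
    print(demo())
```

On a real server, pass the contents of /etc/postfix/main.cf to audit_tls(); the default expected_uid=0 matches the chown to root above.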

2.2 Testing TLS
Once the server configuration is complete, restart Postfix and check that TLS has been activated:
justin@zen:~> telnet mail.suse.co.uk 25
Trying 10.32.0.1...
Connected to mail.suse.co.uk.
Escape character is ^]
220 mail.suse.co.uk ESMTP Postfix
EHLO zen.suse.co.uk
250-mail.suse.co.uk
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250 8BITMIME
STARTTLS
220 Ready to start TLS
The server response of "220 Ready to start TLS" after issuing the STARTTLS command signifies that the server is
willing to communicate over TLS.
At this point, look at /var/log/mail to see if there are any errors.
TLS will warn you if a certificate cannot be loaded, or if TLS cannot be started for some reason.


3. Postfix as a TLS client
Postfix can act as a client to a master mail server. This is where SSL/TLS becomes really useful...
In a large domain, many mail servers may be used for each department. Linking these servers up can be
accomplished by giving the Postfix system a default host to relay mail to. You can then force the Postfix
client to authenticate against the master...