Client-Server Encryption (SSL Encryption)
Overview
Encrypt the communication between the mail server and its clients with SSL to improve security. Create an SSL server certificate, then configure Postfix and Dovecot to use it.

Prerequisites

1. Creating the server certificate (self-signed)
Create the server certificate in the same way as the Apache SSL certificate.

 # cd /etc/pki/tls/certs/   ← move to the certificate directory
 ↓ If you did not already do this in the Apache step, run the following to change the certificate validity period from 1 year to 10 years
 # sed -i 's/365/3650/g' Makefile
 # make dovecot.pem   ← create the server certificate. The "dovecot" part of the file name is arbitrary, but "dovecot" is the default configured in Dovecot's 10-ssl.conf. The extension is pem.
 umask 77 ; \
 PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
 PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
 /usr/bin/openssl req -utf8 -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 3650 -out $PEM2 -set_serial 0 ; \   ← creates the certificate
 cat $PEM1 > dovecot.pem ; \
 echo "" >> dovecot.pem ; \
 cat $PEM2 >> dovecot.pem ; \
 rm -f $PEM1 $PEM2
 Generating a 2048 bit RSA private key
 .................+++
 .+++
 writing new private key to '/tmp/openssl.U6m67T'
 -----
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [XX]:JP
 State or Province Name (full name) []:Tokyo
 Locality Name (eg, city) [Default City]:Chuo-Ku
 Organization Name (eg, company) [Default Company Ltd]:Exampel Inc.
 Organizational Unit Name (eg, section) []:Exampel Section   ← may also be left blank (just press Enter)
 Common Name (eg, your name or your server's hostname) []:mail.example.com
 Email Address []:postmaster@example.com   ← the administrator's e-mail address

Since this is a self-signed certificate, I think anything other than the Common Name can be filled in freely.

2. Postfix configuration
2.1 Configuration files
To configure SSL, edit the following two files.
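Before pointing either daemon at it, it is worth checking the dovecot.pem that "make dovecot.pem" produced in section 1. The function below is an added example (not part of the original page): it assumes the Makefile's layout of one private key block followed by one certificate block in a single file, and verifies the file mode (the Makefile's umask 77 yields 0600, and Dovecot's own config comments say the key must be unreadable by anyone but root), that the key really belongs to the certificate, and the remaining validity.

```shell
#!/bin/sh
# Added example, not from the original page: sanity-check the combined
# key+certificate file that "make dovecot.pem" writes before pointing
# Postfix and Dovecot at it. Assumes the Makefile's layout: one private
# key block followed by one certificate block in a single PEM file.
# Usage: check_mail_pem /etc/pki/tls/certs/dovecot.pem
# Prints one line per problem; returns 0 only when every check passes.

check_mail_pem() {
    pem="$1"; rc=0
    [ -r "$pem" ] || { echo "FAIL: $pem is not readable"; return 1; }

    # 1. The file contains the private key, so it must stay 0600 (the
    #    Makefile's "umask 77"); both daemons open it before dropping root.
    mode=$(ls -l "$pem" | cut -c2-10)
    case "$mode" in
        rw-------) ;;
        *) echo "FAIL: mode is $mode, expected rw------- (0600)"; rc=1 ;;
    esac

    # 2. Structure: exactly one private key and one certificate block.
    keys=$(grep -c -- '-----BEGIN.*PRIVATE KEY-----' "$pem" || true)
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$pem" || true)
    [ "$keys" -eq 1 ]  || { echo "FAIL: found $keys private key blocks, want 1"; rc=1; }
    [ "$certs" -eq 1 ] || { echo "FAIL: found $certs certificate blocks, want 1"; rc=1; }

    # 3. With openssl available: the key must belong to the certificate
    #    (same public key), and the certificate must be valid for 30+ days.
    if command -v openssl >/dev/null 2>&1 && [ "$keys" -eq 1 ] && [ "$certs" -eq 1 ]; then
        k=$(openssl pkey -in "$pem" -pubout 2>/dev/null || true)
        c=$(openssl x509 -in "$pem" -pubkey -noout 2>/dev/null || true)
        [ -n "$k" ] && [ "$k" = "$c" ] \
            || { echo "FAIL: private key does not match the certificate"; rc=1; }
        openssl x509 -in "$pem" -noout -checkend 2592000 >/dev/null 2>&1 \
            || { echo "FAIL: certificate expires within 30 days"; rc=1; }
    fi
    return $rc
}
```

Run it as root after "make dovecot.pem"; a non-zero exit with a FAIL line means the file should not yet be referenced from main.cf or 10-ssl.conf.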
2.2 main.cf
 # vi /etc/postfix/main.cf
Add the following. Set smtpd_tls_cert_file and smtpd_tls_key_file to the server certificate file created above.

 smtpd_use_tls = yes
 smtpd_tls_cert_file = /etc/pki/tls/certs/dovecot.pem
 smtpd_tls_key_file = /etc/pki/tls/certs/dovecot.pem
 smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache

2.3 master.cf
 # vi /etc/postfix/master.cf
Make the following changes.

 #
 # Postfix master process configuration file.  For details on the format
 # of the file, see the master(5) manual page (command: "man 5 master").
 #
 # Do not forget to execute "postfix reload" after editing this file.
 #
 # ==========================================================================
 # service type  private unpriv  chroot  wakeup  maxproc command + args
 #               (yes)   (yes)   (yes)   (never) (100)
 # ==========================================================================
 smtp      inet  n       -       n       -       -       smtpd
 submission inet n       -       n       -       -       smtpd
 #  -o smtpd_tls_security_level=encrypt
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 #  -o milter_macro_daemon_name=ORIGINATING
 # Uncomment the following three lines to configure the smtps section.
 smtps     inet  n       -       n       -       -       smtpd
   -o smtpd_tls_wrappermode=yes
   -o smtpd_sasl_auth_enable=yes
 #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 #  -o milter_macro_daemon_name=ORIGINATING
 #628       inet  n       -       n       -       -       qmqpd
 pickup    fifo  n       -       n       60      1       pickup
 cleanup   unix  n       -       n       -       0       cleanup
 qmgr      fifo  n       -       n       300     1       qmgr
 #qmgr     fifo  n       -       n       300     1       oqmgr
 tlsmgr    unix  -       -       n       1000?   1       tlsmgr
 rewrite   unix  -       -       n       -       -       trivial-rewrite
 bounce    unix  -       -       n       -       0       bounce
 defer     unix  -       -       n       -       0       bounce
 trace     unix  -       -       n       -       0       bounce
 verify    unix  -       -       n       -       1       verify
 flush     unix  n       -       n       1000?   0       flush
 proxymap  unix  -       -       n       -       -       proxymap
 proxywrite unix -       -       n       -       1       proxymap
 smtp      unix  -       -       n       -       -       smtp
 # When relaying mail as backup MX, disable fallback_relay to avoid MX loops
 relay     unix  -       -       n       -       -       smtp
         -o smtp_fallback_relay=
 #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
 showq     unix  n       -       n       -       -       showq
 error     unix  -       -       n       -       -       error
 retry     unix  -       -       n       -       -       error
 discard   unix  -       -       n       -       -       discard
 local     unix  -       n       n       -       -       local
 virtual   unix  -       n       n       -       -       virtual
 lmtp      unix  -       -       n       -       -       lmtp
 anvil     unix  -       -       n       -       1       anvil
 scache    unix  -       -       n       -       1       scache
 #
 # ====================================================================
 # Interfaces to non-Postfix software. Be sure to examine the manual
 # pages of the non-Postfix software to find out what options it wants.
 #
 # Many of the following services use the Postfix pipe(8) delivery
 # agent.  See the pipe(8) man page for information about ${recipient}
 # and other message envelope options.
 # ====================================================================
 #
 # maildrop. See the Postfix MAILDROP_README file for details.
 # Also specify in main.cf: maildrop_destination_recipient_limit=1
 #
 #maildrop  unix  -       n       n       -       -       pipe
 #  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
 #
 # ====================================================================
 #
 # The Cyrus deliver program has changed incompatibly, multiple times.
 #
 #old-cyrus unix  -       n       n       -       -       pipe
 #  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
 #
 # ====================================================================
 #
 # Cyrus 2.1.5 (Amos Gouaux)
 # Also specify in main.cf: cyrus_destination_recipient_limit=1
 #
 #cyrus     unix  -       n       n       -       -       pipe
 #  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
 #
 # ====================================================================
 #
 # See the Postfix UUCP_README file for configuration details.
 #
 #uucp      unix  -       n       n       -       -       pipe
 #  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
 #
 # ====================================================================
 #
 # Other external delivery methods.
 #
 #ifmail    unix  -       n       n       -       -       pipe
 #  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
 #
 #bsmtp     unix  -       n       n       -       -       pipe
 #  flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
 #
 #scalemail-backend unix  -       n       n       -       2       pipe
 #  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
 #  ${nexthop} ${user} ${extension}
 #
 #mailman   unix  -       n       n       -       -       pipe
 #  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
 #  ${nexthop} ${user}

2.4 Reloading Postfix
After editing, apply the new configuration.

 # service postfix reload   ← reload Postfix
 postfix を再読み込み中:                                    [  OK  ]

2.5 Opening port 465
TCP port 465 must be open on the network (opened in the firewall and security settings of the server, clients, routers, and so on).

3. Dovecot configuration
3.1 Configuration file
To configure SSL, edit the following one file.
3.2 10-ssl.conf
 # vi /etc/dovecot/conf.d/10-ssl.conf

 ##
 ## SSL settings
 ##

 # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
 #ssl = yes
 ↓ Uncomment this line
 ssl = yes

 # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
 # dropping root privileges, so keep the key file unreadable by anyone but
 # root. Included doc/mkcert.sh can be used to easily generate self-signed
 # certificate, just make sure to update the domains in dovecot-openssl.cnf
 ↓ Check that the following files match the server certificate you created. Change them if they differ.
 ssl_cert = </etc/pki/tls/certs/dovecot.pem
 ssl_key = </etc/pki/tls/certs/dovecot.pem

 # If key file is password protected, give the password here. Alternatively
 # give it when starting dovecot with -p parameter. Since this file is often
 # world-readable, you may want to place this setting instead to a different
 # root owned 0600 file by using ssl_key_password = <path.
 #ssl_key_password =

 # PEM encoded trusted certificate authority. Set this only if you intend to use
 # ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
 # followed by the matching CRL(s). (e.g. ssl_ca = </etc/pki/dovecot/certs/ca.pem)
 #ssl_ca =

 # Request client to send a certificate. If you also want to require it, set
 # auth_ssl_require_client_cert=yes in auth section.
 #ssl_verify_client_cert = no

 # Which field from certificate to use for username. commonName and
 # x500UniqueIdentifier are the usual choices. You'll also need to set
 # auth_ssl_username_from_cert=yes.
 #ssl_cert_username_field = commonName

 # How often to regenerate the SSL parameters file. Generation is quite CPU
 # intensive operation. The value is in hours, 0 disables regeneration
 # entirely.
 #ssl_parameters_regenerate = 168

 # SSL ciphers to use
 #ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL

3.3 Reloading Dovecot
 # service dovecot reload   ← reload Dovecot
 Dovecot Imap を再読み込み中:                               [  OK  ]

3.4 Opening port 995 (for POP) or 993 (for IMAP)
TCP ports 995 and 993 must be open on the network (opened in the firewall and security settings of the server, clients, routers, and so on).

Work in progress
Last-modified: 2014-03-11 (Tue) 02:00:03
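Once all three files have been edited, the consistency between them is what matters: main.cf must have TLS on, master.cf must have an active smtps entry in wrapper mode for port 465, and Dovecot's ssl_cert/ssl_key must name the same file Postfix serves. The script below is an added example (not part of the original page) that cross-checks sections 2.2, 2.3 and 3.2; it assumes settings written as "key = value" with spaces, as in the listings above, and takes the three file paths as arguments.

```shell
#!/bin/sh
# Added example, not from the original page: cross-check that Postfix
# (main.cf, master.cf) and Dovecot (10-ssl.conf) agree on TLS being
# enabled and on the certificate file they serve. Assumes settings are
# written "key = value" with spaces, as in the listings on this page.
# Usage: check_mail_tls_config main.cf master.cf 10-ssl.conf

# Print the value of KEY from FILE, ignoring commented-out lines.
cfg_get() {  # cfg_get FILE KEY
    awk -v k="$2" '$1 == k && $2 == "=" { sub(/^[^=]*=[ \t]*/, ""); print; exit }' "$1"
}

check_mail_tls_config() {
    main="$1"; master="$2"; dssl="$3"; rc=0

    # Postfix main.cf: TLS on, and both certificate settings present.
    [ "$(cfg_get "$main" smtpd_use_tls)" = "yes" ] \
        || { echo "FAIL: main.cf lacks smtpd_use_tls = yes"; rc=1; }
    pcert=$(cfg_get "$main" smtpd_tls_cert_file)
    pkey=$(cfg_get "$main" smtpd_tls_key_file)
    [ -n "$pcert" ] && [ -n "$pkey" ] \
        || { echo "FAIL: main.cf needs smtpd_tls_cert_file and smtpd_tls_key_file"; rc=1; }

    # Postfix master.cf: an uncommented "smtps inet ... smtpd" entry whose
    # indented -o lines (they belong to the service above them) enable
    # wrapper mode, i.e. implicit TLS on port 465.
    awk '
        /^[ \t]*#/ { next }
        /^[^ \t]/  { svc = $1; inet = ($2 == "inet") }
        /^[ \t]/ && svc == "smtps" && inet && /smtpd_tls_wrappermode=yes/ { ok = 1 }
        END { exit ok ? 0 : 1 }' "$master" \
        || { echo "FAIL: master.cf has no active smtps entry with smtpd_tls_wrappermode=yes"; rc=1; }

    # Dovecot 10-ssl.conf: ssl = yes, and ssl_cert/ssl_key (written "<path")
    # name the same files Postfix uses, so clients see one server identity.
    [ "$(cfg_get "$dssl" ssl)" = "yes" ] \
        || { echo "FAIL: 10-ssl.conf lacks ssl = yes"; rc=1; }
    dcert=$(cfg_get "$dssl" ssl_cert | sed 's/^<//')
    dkey=$(cfg_get "$dssl" ssl_key | sed 's/^<//')
    [ "$dcert" = "$pcert" ] \
        || { echo "FAIL: ssl_cert ($dcert) differs from smtpd_tls_cert_file ($pcert)"; rc=1; }
    [ "$dkey" = "$pkey" ] \
        || { echo "FAIL: ssl_key ($dkey) differs from smtpd_tls_key_file ($pkey)"; rc=1; }
    return $rc
}
```

On the server this would be called as check_mail_tls_config /etc/postfix/main.cf /etc/postfix/master.cf /etc/dovecot/conf.d/10-ssl.conf before the reloads in 2.4 and 3.3.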