Cheat sheet: how to configure TLS for Postfix
The following is a cheat sheet and is provided for reference only; it is only guaranteed to work on FreeBSD.
The key to configuring TLS for Postfix is to create your own CA certificate and use it to sign a server certificate that is renewed once a year. Be sure to keep the CA's private key safe: anyone who holds it can issue certificates your clients will trust.
Step one, create a self-signed CA:
mkdir /usr/local/etc/ca
cd /usr/local/etc/ca
mkdir certs crl newcerts private
echo "01" > serial
cp /dev/null index.txt
cp /etc/ssl/openssl.cnf openssl.cnf
vi openssl.cnf
Change:
dir = ./demoCA # Where everything is kept
to:
dir = /usr/local/etc/ca # Where everything is kept
Next, generate the root CA certificate:
cd /usr/local/etc/ca
openssl req -new -x509 -newkey rsa:4096 -keyout private/cakey.pem -out cacert.pem \
    -days 3652 -config openssl.cnf
Note: 3652 days is about 10 years. The CA key is written encrypted (no -nodes), so you will be asked for a passphrase here and again every time you sign with openssl ca; that is intended.
Next, generate the server key and certificate request. The server key must be unencrypted (-nodes) because Postfix has to load it at startup without anyone typing a passphrase, so it is protected by file permissions alone (see below). When prompted, set the Common Name to the mail server's fully qualified hostname, the name clients will connect to.
cd /usr/local/etc/ca
openssl req -nodes -new -newkey rsa:2048 -keyout mykey.pem -out myreq.pem \
    -config openssl.cnf
Do not add -x509 here: that would produce a self-signed certificate instead of a request. A request carries no validity period, so -days goes on the signing step.
Sign the request with the CA (you will be prompted for the CA key passphrase):
openssl ca -config openssl.cnf -policy policy_anything -days 365 \
    -out mycert.pem -infiles myreq.pem
rm -f myreq.pem
Note: access to the /usr/local/etc/ca directory, and private/cakey.pem in particular, must be strictly restricted to root.
Next, copy the server certificate and key to /usr/local/etc/certs:
mkdir /usr/local/etc/certs
cp /usr/local/etc/ca/mykey.pem /usr/local/etc/certs/
cp /usr/local/etc/ca/mycert.pem /usr/local/etc/certs/
Append the CA certificate to the server certificate so that Postfix sends the full chain (server certificate first, CA certificate after it):
cat /usr/local/etc/ca/cacert.pem >> /usr/local/etc/certs/mycert.pem
Fix the permissions (the key must be readable by root only; the certificate bundle is public):
chmod og-rwx /usr/local/etc/certs/mykey.pem
chmod og=r /usr/local/etc/certs/mycert.pem
Generate Diffie-Hellman parameters. The 512-bit (export-grade) and 1024-bit groups that older guides used are too weak today (512-bit DH is practically breakable and 1024-bit is considered insufficient), so generate a 2048-bit group instead; generator 2 is the default, so -2 is not needed. This takes a while:
openssl dhparam -out /usr/local/etc/postfix/dh_2048.pem 2048