delphij's Chaos

The word chaos was chosen because~~ it really is hard to find a more fitting word to describe this place...

06 Oct 2006

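Cheat sheet: how to configure TLS for postfix

The following is a cheat sheet, for reference only; it is only guaranteed to work on FreeBSD.

The key to configuring TLS for postfix is to generate your own CA certificate and use it to sign a service certificate that is renewed once a year. Be sure to keep the private key of the former safe!

Step one, create a self-signed CA: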

mkdir /usr/local/etc/ca
cd /usr/local/etc/ca
mkdir certs crl newcerts private
echo "01" > serial
cp /dev/null index.txt
cp /etc/ssl/openssl.cnf openssl.cnf
vi openssl.cnf

Change:
dir = ./demoCA # Where everything is kept

to:
dir = /usr/local/etc/ca # Where everything is kept

Next, generate the root CA certificate:

cd /usr/local/etc/ca
openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem \
-days 3652 -config openssl.cnf

Note: with luck, that is equivalent to 10 years.

Next, generate the certificate request.

cd /usr/local/etc/ca
openssl req -nodes -new -x509 -keyout mykey.pem -out myreq.pem \
-days 365 -config openssl.cnf
openssl x509 -x509toreq -in myreq.pem -signkey mykey.pem -out tmp.pem

Sign it:
openssl ca -config openssl.cnf -policy policy_anything \
-out mycert.pem -infiles tmp.pem
rm -f tmp.pem

Note: access to the /usr/local/etc/ca directory must be strictly restricted.

Next, copy the certificates to /usr/local/etc/certs:

mkdir /usr/local/etc/certs
cp /usr/local/etc/ca/mykey.pem /usr/local/etc/certs/
cp /usr/local/etc/ca/mycert.pem /usr/local/etc/certs/

Append the CA certificate to the server certificate:
cat /usr/local/etc/ca/cacert.pem >> /usr/local/etc/certs/mycert.pem

Fix the permissions:
chmod og-rwx /usr/local/etc/certs/mykey.pem
chmod og=r /usr/local/etc/certs/mycert.pem

Generate the Diffie-Hellman parameters:

openssl dhparam -out /usr/local/etc/postfix/dh_512.pem -2 512
openssl dhparam -out /usr/local/etc/postfix/dh_1024.pem -2 1024
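
A check for the certificate files produced by the steps above, as an added example that is not part of the original cheat sheet: it confirms that the combined certificate chains to the CA, that the key matches it, that the key has no group/other permissions, and that at least 30 days of validity remain. The function names, the 30-day threshold and the throwaway demo material (built with openssl x509 -req rather than openssl ca) are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original post): verify the files produced above.
# check_tls_files CERT KEY CA returns 0 only if every check passes.
check_tls_files() {
    cert=$1 key=$2 ca=$3 rc=0
    # 1. The service certificate (first one in the combined file) must
    #    chain to the private CA.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: $cert does not verify against $ca" >&2; rc=1; }
    # 2. The key must belong to the certificate: compare public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: $key does not match $cert" >&2; rc=1; }
    # 3. The key must have no group/other permission bits (chmod og-rwx).
    case $(ls -ld "$key" 2>/dev/null) in
        ????------*) ;;
        *) echo "FAIL: $key is accessible to group/other" >&2; rc=1 ;;
    esac
    # 4. Yearly renewal: fail when fewer than 30 days (assumed threshold) remain.
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1 ||
        { echo "FAIL: $cert expires within 30 days" >&2; rc=1; }
    return $rc
}

# Constructed sample input: a throwaway CA and service certificate in DIR.
# Uses "openssl x509 -req" instead of the "openssl ca" flow, for brevity.
make_demo_files() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" \
        -keyout "$d/cakey.pem" -out "$d/cacert.pem" -days 3652 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$d/mykey.pem" -out "$d/req.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/req.pem" -CA "$d/cacert.pem" \
        -CAkey "$d/cakey.pem" -CAcreateserial -days 365 \
        -out "$d/mycert.pem" 2>/dev/null &&
    cat "$d/cacert.pem" >> "$d/mycert.pem" &&
    chmod og-rwx "$d/mykey.pem" "$d/cakey.pem"
}

# Usage: sh check.sh /usr/local/etc/certs/mycert.pem \
#            /usr/local/etc/certs/mykey.pem /usr/local/etc/ca/cacert.pem
if [ "$#" -eq 3 ]; then check_tls_files "$@"; fi
```

Each failed check prints a FAIL line on stderr, so the function can run from cron ahead of the yearly renewal.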