Ssl

Configure Postfix

* Throughout this page, replace "Full Name" with your own name and "user@gmail.com" with your actual Gmail address. *

Create the CA

/usr/lib/ssl/misc/CA.pl -newca

  CA certificate filename (or enter to create)
  
  Making CA certificate ...
  Generating a 1024 bit RSA private key
  .............++++++
  ..++++++
  writing new private key to './demoCA/private/cakey.pem'
  Enter PEM pass phrase:
  Verifying - Enter PEM pass phrase:
  -----
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [AU]:US
  State or Province Name (full name) [Some-State]:North Carolina
  Locality Name (eg, city) []:
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:LinuxMCE
  Organizational Unit Name (eg, section) []:
  Common Name (eg, YOUR name) []:Full Name
  Email Address []:email@gmail.com
  
  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password []:
  An optional company name []:
  Using configuration from /usr/lib/ssl/openssl.cnf
  Enter pass phrase for ./demoCA/private/cakey.pem:
  Check that the request matches the signature
  Signature ok
  Certificate Details:
          Serial Number:
              9d:29:da:d3:76:20:17:10
          Validity
              Not Before: Mar 31 01:01:29 2009 GMT
              Not After : Mar 30 01:01:29 2012 GMT
          Subject:
              countryName               = US
              stateOrProvinceName       = North Carolina
              organizationName          = LinuxMCE
              commonName                = Full Name
              emailAddress              = user@gmail.com
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                A0:79:00:CA:90:00:E4:81:12:00:2A:73:00:00:CA:BD:54:08:03:7B
            X509v3 Authority Key Identifier:
                keyid:A0:79:00:CA:90:00:E4:81:12:00:2A:73:00:00:CA:BD:54:08:03:7B
                DirName:/C=US/ST=North Carolina/O=LinuxMCE/CN=Full name/emailAddress=user@gmail.com
                serial:90:20:0A:03:06:00:17:10
  
            X509v3 Basic Constraints:
                CA:TRUE
  Certificate is to be certified until Mar 30 01:01:29 2012 GMT (1095 days)
  
  Write out database with 1 new entries
  Data Base Updated

Extend the CA certificate's validity to 10 years (3650 days) by re-signing it with the CA key

openssl x509 -in demoCA/cacert.pem -days 3650 -out cacert.pem -signkey demoCA/private/cakey.pem

Copy the extended certificate back into the CA directory

cp cacert.pem demoCA

Generate the server's private key and certificate request

openssl req -new -nodes -subj '/CN=dcerouter/C=US/ST=North Carolina/O=LinuxMCE/CN=Full Name/emailAddress=user@gmail.com' -keyout key.pem -out req.pem -days 3650

Sign the certificate request with the CA (you will be prompted for the CA pass phrase)

openssl ca -out cert.pem -infiles req.pem

Copy the files to the Postfix directory and restrict the private key to root

cp demoCA/cacert.pem /etc/postfix
cp key.pem /etc/postfix
cp cert.pem /etc/postfix
chmod 644 /etc/postfix/cert.pem
chmod 644 /etc/postfix/cacert.pem
chmod 400 /etc/postfix/key.pem
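The steps above are interactive (CA.pl and openssl ca prompt for every field and pass phrase) and give no way to confirm the result before Postfix is pointed at the files. The script below is an added example, not from this wiki page or from LinuxMCE: it builds the same kind of CA and server certificate non-interactively, then runs the checks a practitioner wants before editing main.cf: the certificate chains to the CA file (the same verification Postfix performs with smtp_tls_CAfile), the private key belongs to the certificate, the key file is owner-readable only, and the certificate still has the expected validity. It assumes only the openssl command line; it uses a scratch directory instead of /etc/postfix, signs the request with `openssl x509 -req` rather than the demoCA database that `openssl ca` needs, and the subject fields are placeholders.

```shell
#!/bin/sh
# Added example, not from the original wiki page or LinuxMCE.
# Non-interactive CA / server-certificate build plus the checks worth
# running before Postfix uses the files.
# Assumptions: the openssl CLI is installed; a scratch directory stands in
# for /etc/postfix; subject fields are placeholders.
set -eu

# Self-signed CA certificate valid 10 years (3650 days): one -x509 call
# instead of CA.pl followed by the re-signing step on the page.
make_ca() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj '/C=US/ST=North Carolina/O=LinuxMCE/CN=Example CA' \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    chmod 400 "$dir/cakey.pem"   # CA key: owner-only, like key.pem on the page
}

# Server key + CSR, then sign the CSR with the CA. "openssl x509 -req"
# signs directly and needs no index.txt/serial files, unlike "openssl ca".
make_server_cert() {
    dir=$1; host=$2
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=US/ST=North Carolina/O=LinuxMCE/CN=$host" \
        -keyout "$dir/key.pem" -out "$dir/req.pem" 2>/dev/null
    openssl x509 -req -sha256 -days 3650 -in "$dir/req.pem" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -out "$dir/cert.pem" 2>/dev/null
    chmod 644 "$dir/cert.pem" "$dir/cacert.pem"   # same modes as the page
    chmod 400 "$dir/key.pem"
}

# Check 1: the certificate ($2) chains to the CA file ($1). This is what
# Postfix does with smtp_tls_CAfile, so a failure here means TLS
# verification will fail later too.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 2: the private key belongs to the certificate. Both commands emit
# the SubjectPublicKeyInfo in PEM form, so the digests must be identical;
# a mismatched pair cannot be used for TLS.
key_matches_cert() {
    dir=$1
    c=$(openssl x509 -noout -pubkey -in "$dir/cert.pem" | openssl sha256)
    k=$(openssl pkey -pubout -in "$dir/key.pem" 2>/dev/null | openssl sha256)
    [ "$c" = "$k" ]
}

# Check 3: the key file is readable by its owner only (mode 400 or 600).
# GNU stat first, BSD stat as fallback.
key_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# Check 4: certificate ($1) does not expire within the next $2 days.
valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# Stand-alone run: "sh script.sh run" builds everything in a scratch
# directory and reports each check.
if [ "${1:-}" = "run" ]; then
    work=$(mktemp -d)
    make_ca "$work"
    make_server_cert "$work" dcerouter
    verify_chain "$work/cacert.pem" "$work/cert.pem" && echo "chain ok"
    key_matches_cert "$work" && echo "key matches cert"
    key_is_private "$work/key.pem" && echo "key mode ok"
    valid_for_days "$work/cert.pem" 3000 && echo "validity ok"
    echo "files in $work"
fi
```

To check an existing deployment, call the check functions with the real paths (`verify_chain /etc/postfix/cacert.pem /etc/postfix/cert.pem`, `key_is_private /etc/postfix/key.pem`); the negative case matters as much as the positive one, since a certificate issued by a different CA must not verify against your cacert.pem.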

Install the CA certificates

The following command installs the certificates of well-known certificate authorities into /etc/ssl/certs:

apt-get install ca-certificates

Add the Equifax certificate

Append the Equifax Secure CA certificate to the CA file that Postfix reads (smtp_tls_CAfile below), so that the Gmail server's certificate chain can be verified:

cat /etc/ssl/certs/Equifax_Secure_CA.pem >> /etc/postfix/cacert.pem

Create transport file

# Contents of /etc/postfix/transport
#
# Send all other mail to Gmail
*               smtp:[smtp.gmail.com]:587
# Local mail is delivered locally
dcerouter       relay:[dcerouter]

Create the generic file (it may be left empty)

touch /etc/postfix/generic

Create the sasl_passwd file

This file holds the Gmail password in clear text, so it (and the sasl_passwd.db that postmap builds from it) should be readable by root only.

# Contents of /etc/postfix/sasl_passwd
#
[smtp.gmail.com]:587             user@gmail.com:password

Hash the files (postmap builds the .db lookup tables that Postfix actually reads)

postmap /etc/postfix/sasl_passwd
postmap /etc/postfix/transport
postmap /etc/postfix/generic

main.cf modifications

Add these lines to the bottom of /etc/postfix/main.cf

## TLS Settings
smtp_tls_loglevel = 1
smtp_enforce_tls = yes
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_cert_file = /etc/postfix/cert.pem
smtp_tls_key_file = /etc/postfix/key.pem
smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
smtp_use_tls = yes
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_key_file = /etc/postfix/key.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/run/smtpd_tls_session_cache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
##  SASL Settings
smtpd_sasl_auth_enable = no
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtpd_sasl_local_domain = $myhostname
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtpd_sasl_application_name = smtpd
## Gmail Relay
relayhost = [smtp.gmail.com]:587

# Disable DNS lookups
disable_dns_lookups = yes

# Address mapping: rewrite local sender addresses on outgoing mail,
# for example mchirico@localhost to mchirico@gmail.com
smtp_generic_maps = hash:/etc/postfix/generic

transport_maps = hash:/etc/postfix/transport

Restart Postfix

/etc/init.d/postfix restart

Bibliography

http://wiki.linuxmce.org/index.php?title=Postfix_configured_with_Gmail_SMTP