Ssl
Contents
- 1 Configure Postfix
- 1.1 Create the CA
- 1.2 Extend the key for 10 years
- 1.3 Copy the extended key
- 1.4 Generate private key
- 1.5 Sign private key
- 1.6 Copy to the postfix directory
- 1.7 Install the CA Certificates
- 1.8 Add Equifax certificate
- 1.9 Create transport file
- 1.10 Create generic file
- 1.11 Create sasl_passwd file
- 1.12 hash the files
- 1.13 main.cf modifications
- 1.14 restart postfix
- 2 References
Configure Postfix
Make sure you replace "Full Name" with your name and "user@gmail.com" with your actual Gmail address.
Create the CA
/usr/lib/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
.............++++++
..++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:North Carolina
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:LinuxMCE
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:Full Name
Email Address []:email@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            9d:29:da:d3:76:20:17:10
        Validity
            Not Before: Mar 31 01:01:29 2009 GMT
            Not After : Mar 30 01:01:29 2012 GMT
        Subject:
            countryName = US
            stateOrProvinceName = North Carolina
            organizationName = LinuxMCE
            commonName = Full Name
            emailAddress = usrer@gmail.com
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                A0:79:00:CA:90:00:E4:81:12:00:2A:73:00:00:CA:BD:54:08:03:7B
            X509v3 Authority Key Identifier:
                keyid:A0:79:00:CA:90:00:E4:81:12:00:2A:73:00:00:CA:BD:54:08:03:7B
                DirName:/C=US/ST=North Carolina/O=LinuxMCE/CN=Full name/emailAddress=user@gmail.com
                serial:90:20:0A:03:06:00:17:10

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Mar 30 01:01:29 2012 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
Extend the key for 10 years
openssl x509 -in demoCA/cacert.pem -days 3650 -out cacert.pem -signkey demoCA/private/cakey.pem
Copy the extended key
cp cacert.pem demoCA
Generate private key
openssl req -new -nodes -subj '/CN=dcerouter/C=US/ST=North Carolina/O=LinuxMCE/CN=Full Name/emailAddress=user@gmail.com' -keyout key.pem -out req.pem -days 3650
Sign private key
openssl ca -out cert.pem -infiles req.pem
Copy to the postfix directory
cp demoCA/cacert.pem /etc/postfix
cp key.pem /etc/postfix
cp cert.pem /etc/postfix
chmod 644 /etc/postfix/cert.pem
chmod 644 /etc/postfix/cacert.pem
chmod 400 /etc/postfix/key.pem
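A check worth running on the three files once they are copied, as an added example that is not part of the original page: it confirms that cert.pem chains to cacert.pem, that key.pem is the matching private key, and that neither certificate uses a short key (the CA.pl session above generated a 1024-bit RSA key). The function names and the 2048-bit threshold are choices made for this example.

```shell
#!/bin/sh
# Added example: sanity-check the TLS files copied into /etc/postfix.
# check_postfix_tls, cert_bits and MIN_BITS are names chosen for this example.
MIN_BITS=2048

# Print the public-key size in bits of the first certificate in a PEM file.
cert_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Usage: check_postfix_tls CAFILE CERT KEY
# Prints one line per check; returns 0 only when every check passes.
check_postfix_tls() {
    ca=$1 cert=$2 key=$3 rc=0

    # 1. The certificate must chain to the CA file that Postfix is given.
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "OK   $cert verifies against $ca"
    else
        echo "FAIL $cert does not verify against $ca"; rc=1
    fi

    # 2. The private key must belong to the certificate: compare public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "OK   $key matches $cert"
    else
        echo "FAIL $key does not match $cert"; rc=1
    fi

    # 3. Flag short keys in the server certificate and the CA certificate.
    for f in "$cert" "$ca"; do
        bits=$(cert_bits "$f")
        if [ "${bits:-0}" -lt "$MIN_BITS" ]; then
            echo "FAIL $f uses a ${bits:-unknown}-bit key (below $MIN_BITS)"; rc=1
        else
            echo "OK   $f uses a $bits-bit key"
        fi
    done
    return $rc
}

# Stand-alone use: sh check.sh /etc/postfix/cacert.pem /etc/postfix/cert.pem /etc/postfix/key.pem
if [ "$#" -eq 3 ]; then check_postfix_tls "$@"; fi
```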
Install the CA Certificates
The following command installs the certificates of well-known certificate authorities in /etc/ssl/certs:
apt-get install ca-certificates
Add Equifax certificate
cat /etc/ssl/certs/Equifax_Secure_CA.pem >> cacert.pem
Create transport file
# Contents of /etc/postfix/transport
#
# This sends mail to Gmail
*               smtp:[smtp.gmail.com]:587
#local mail delivered local
dcerouter       relay:[dcerouter]
Create generic file
touch /etc/postfix/generic
Create sasl_passwd file
# Contents of /etc/postfix/sasl_passwd
#
[smtp.gmail.com]:587    user@gmail.com:password
hash the files
postmap sasl_passwd
postmap transport
postmap generic
main.cf modifications
Add these lines to the bottom of /etc/postfix/main.cf
## TLS Settings
smtp_tls_loglevel = 1
smtp_enforce_tls = yes
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_cert_file = /etc/postfix/cert.pem
smtp_tls_key_file = /etc/postfix/key.pem
smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
smtp_use_tls = yes
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_key_file = /etc/postfix/key.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/run/smtpd_tls_session_cache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
## SASL Settings
smtpd_sasl_auth_enable = no
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtpd_sasl_local_domain = $myhostname
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtpd_sasl_application_name = smtpd
## Gmail Relay
relayhost = [smtp.gmail.com]:587
# Disable DNS Lookups
disable_dns_lookups = yes
#
# Great New feature Address Mapping
# for example map mchirico@localhost to mchirico@gmail.com
smtp_generic_maps = hash:/etc/postfix/generic
#
#
transport_maps = hash:/etc/postfix/transport
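An audit of the finished setup, as an added example that is not part of the original page: sasl_passwd and its postmap output hold the Gmail password in clear text and the page sets no permissions on them, and the on/off switches smtp_use_tls, smtp_enforce_tls and smtpd_use_tls have been superseded by smtp_tls_security_level and smtpd_tls_security_level since Postfix 2.3. The function names are chosen for this example, and the parser assumes one `name = value` setting per line.

```shell
#!/bin/sh
# Added example: audit a Postfix relay directory laid out as on this page.
# is_private, conf_get and audit_relay_dir are names chosen for this example.

# Succeeds when FILE grants no permission bits to group or others.
is_private() {
    case $(ls -ld "$1" | cut -c5-10) in
        ------) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: conf_get FILE PARAM ; prints PARAM's value (the last setting wins).
conf_get() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null | tail -n 1
}

# Usage: audit_relay_dir DIR ; prints findings and returns their count.
audit_relay_dir() {
    dir=$1 findings=0
    # Files that hold the Gmail password or the TLS private key.
    for f in sasl_passwd sasl_passwd.db key.pem; do
        [ -e "$dir/$f" ] || continue
        if ! is_private "$dir/$f"; then
            echo "PERM   $dir/$f is accessible to group or others (chmod 600)"
            findings=$((findings + 1))
        fi
    done
    # Legacy on/off TLS switches, superseded by *_tls_security_level.
    for p in smtp_use_tls smtp_enforce_tls smtpd_use_tls smtpd_enforce_tls; do
        if [ -n "$(conf_get "$dir/main.cf" "$p")" ]; then
            echo "LEGACY $p is set; use ${p%%_*}_tls_security_level instead"
            findings=$((findings + 1))
        fi
    done
    # A relay that sends a SASL password must not fall back to clear text.
    level=$(conf_get "$dir/main.cf" smtp_tls_security_level)
    enforce=$(conf_get "$dir/main.cf" smtp_enforce_tls)
    case "$level:$enforce" in
        encrypt:*|verify:*|secure:*|dane-only:*|fingerprint:*|:yes) ;;
        *) echo "TLS    outbound TLS is not mandatory"; findings=$((findings + 1)) ;;
    esac
    return $findings
}

# Stand-alone use: sh audit.sh /etc/postfix
if [ -n "${1:-}" ]; then audit_relay_dir "$1"; fi
```

On the layout this page produces, the legacy switches are reported but outbound TLS still counts as mandatory, because smtp_enforce_tls = yes is honoured when smtp_tls_security_level is unset.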
restart postfix
/etc/init.d/postfix restart
References
http://wiki.linuxmce.org/index.php?title=Postfix_configured_with_Gmail_SMTP