把 SMTP 的 SSL certfiticate 弄起來...

網站的 SSL certificate 弄過很多次了,想說來測看看 MX host 的部份。弄好後就會像這樣,這是 Varnish 的 mailing list:

Received: from project.varnish-software.com (project.varnish-software.com [194.31.39.164])
        (using TLSv1 with cipher AES256-SHA (256/256 bits))
        (No client certificate requested)
        by home.gslin.org (Postfix) with ESMTPS id 9C2F568009A
        for ; Mon, 21 Sep 2015 08:46:30 +0800 (CST)

這是 nginx 的 mailing list 寄過來的信:

Received: from mail.nginx.com (mail.nginx.com [206.251.255.65])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by home.gslin.org (Postfix) with ESMTPS id 4A4F26801E0
        for ; Mon, 21 Sep 2015 08:25:37 +0800 (CST)

還有些 cipher 的細節晚點再看看有沒有辦法再調整好了... 因為 MX 這樣設定,這次也順便試著用 StartSSL 申請了好幾個 SSL certificate:

;; ANSWER SECTION:
gslin.org.              3600    IN      MX      20 mx20.gslin.org.
gslin.org.              3600    IN      MX      0 mx0.gslin.org.

因為有兩個 MX,所以申請了 mx0.gslin.orgmx20.gslin.org 的 SSL certificate。

接下來的設定主要是參考「Postfix TLS Support」裡面的文件,以及 Google 後找到的很多資料...

在申請到了 SSL certificate 之後要先把 intermediate certificate 合併,然後在 Postfixmain.cf 裡這樣設定:

#
smtpd_tls_cert_file = /etc/ssl/certs/mx0.gslin.org-intermediate.crt
smtpd_tls_key_file = /etc/ssl/private/mx0.gslin.org.key
smtpd_tls_received_header = yes
smtpd_tls_security_level = may

設好後就可以用「TLS Receiver Test」這個工具測試,輸入 admin@gslin.org 可以看到兩台都過了。

然後是對外送信的部份,發現 msa.hinet.net 也有支援 STARTTLS,所以 smart relay 也可以用,這部份可以透過 tcpdump -n -vvvv -A -i ppp0 host 168.95.4.211 確認。寄出來的結果會是這樣:

Received: from home.gslin.org (114-32-152-63.HINET-IP.hinet.net [114.32.152.63])
	by msr9.hinet.net (8.14.9/8.14.9) with ESMTP id t8L2l1gU006249
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
	for ; Mon, 21 Sep 2015 10:47:01 +0800 (CST)

而 Postfix 的設定是這樣設的:

smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = encrypt
smtp_use_tls = yes
This entry was posted in Computer, Mail, Murmuring, Network, Security and tagged , , , , , , , , . Bookmark the permalink.

2 Responses to 把 SMTP 的 SSL certfiticate 弄起來...

  1. littlecho says:

    smtp_tls_security_level這個參數如果用encrypt的話,沒有support TLS的話就不會送,建議在實務上可考慮改成"smtp_tls_security_level=may",會有比較好的相容性。

  2. Gea-Suan Lin says:

    我上面有提到 msa.hinet.net 有支援,我是全部 smart relay 進去...

Leave a Reply

Your email address will not be published. Required fields are marked *