Making Postfix STARTTLS support TLSv1.3

Now that openssl-1.1.1 has been released, this article builds Postfix against it so that STARTTLS sessions can negotiate TLSv1.3, and then checks whether TLSv1.3 is actually used when mail is sent and received.

Environment

  • OS
    • CentOS 7.5

Installing openssl-1.1.1

1. Update and install the required packages

# yum update -y
# yum -y groupinstall development
# yum -y install perl-core zlib-devel
# shutdown -r now

2. Install openssl

# curl -O -L https://www.openssl.org/source/openssl-1.1.1.tar.gz
# tar xvzf openssl-1.1.1.tar.gz
# cd openssl-1.1.1
# ./config --prefix=/usr/local/openssl-1.1.1 shared zlib
# make
# make install

# echo /usr/local/openssl-1.1.1/lib >> /etc/ld.so.conf.d/openssl.conf
# ldconfig

Installing postfix-3.3.1

1. Install the required packages

# yum install -y {cyrus-sasl,openldap,pcre,mysql,libdb}-devel

2. Back up the unit file and remove the distribution's postfix

# cp -p /usr/lib/systemd/system/postfix.service /var/tmp
# yum remove -y postfix

3. Install postfix

# curl -O http://www.ftp.saix.net/MTA/postfix/official/postfix-3.3.1.tar.gz
# tar xvzf postfix-3.3.1.tar.gz
# cd postfix-3.3.1
# CCARGS="-Wmissing-prototypes -Wformat -Wno-comment -fPIC \
-DHAS_LDAP -DLDAP_DEPRECATED=1 -DHAS_PCRE -I/usr/include/pcre \
-DHAS_MYSQL -I/usr/include/mysql -DUSE_SASL_AUTH -DUSE_CYRUS_SASL \
-I/usr/include/sasl -DUSE_TLS -I/usr/local/openssl-1.1.1/include \
-DDEF_CONFIG_DIR=\\\"/etc/postfix\\\""
# AUXLIBS="-lldap -llber -lpcre -L/usr/lib64/mysql -lmysqlclient \
-lm -L/usr/lib64/sasl2 -lsasl2 -L/usr/local/openssl-1.1.1/lib -lssl \
-lcrypto  -pie -Wl,-z,relro,-z,now"
# make -f Makefile.init makefiles CCARGS="${CCARGS}" AUXLIBS="${AUXLIBS}"
# make
# make install
* All installation destinations were left at their defaults (accept each prompt from make install as-is)

4. Obtain an SSL certificate

# firewall-cmd --permanent --add-port={25,80}/tcp
# firewall-cmd --reload
# git clone https://github.com/certbot/certbot
# cd certbot
# git checkout $(git tag | sort -t . -k +2 -n | tail -1)

# ./certbot-auto -n certonly --standalone -d example.com \
-m root@example.com --agree-tos --server https://acme-v02.api.letsencrypt.org/directory
  • Register an A record for example.com beforehand; the standalone authenticator answers the HTTP-01 challenge itself on port 80, which is why port 80 was opened in firewalld above

5. Add the SSL/TLS settings to Postfix and start it

# cat <<_EOL_>> /etc/postfix/main.cf
# smtp_tls_security_level / smtpd_tls_security_level replace the obsolete smtp_use_tls / smtpd_use_tls
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_cert_file = /etc/letsencrypt/live/example.com/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/example.com/privkey.pem
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/example.com/fullchain.pem
smtpd_tls_ciphers = high
smtpd_tls_key_file = /etc/letsencrypt/live/example.com/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
tls_high_cipherlist = EECDH+AESGCM
tls_preempt_cipherlist = yes
_EOL_

# postconf -e "alias_maps = hash:/etc/aliases"
# newaliases
# cp -p /var/tmp/postfix.service /usr/lib/systemd/system/
# systemctl enable postfix
# systemctl start postfix
  • alias_maps is set and the aliases database rebuilt before the first start, so that the source-build default (which also lists nis:mail.aliases) never takes effect
  • smtpd_tls_protocols governs opportunistic TLS. Excluding TLSv1 and TLSv1.1 there means a legacy sender that only speaks those versions delivers in plaintext instead of over weaker TLS; on an MX that receives from arbitrary hosts, check the maillog for such peers before adopting this setting
  • smtpd_tls_ciphers = high together with tls_high_cipherlist = EECDH+AESGCM restricts TLSv1.2 and older sessions to ECDHE AES-GCM suites (TLSv1.3 suites are chosen by OpenSSL separately), so a peer that cannot offer them fails the handshake rather than negotiating a weaker suite; the Postfix TLS_README recommends leaving the opportunistic cipher grade at its default of medium for that reason

Test

1. Send mail from Gmail to the server we set up

Sep 16 07:46:09 tls13 postfix/smtpd[2861]: connect from mail-pf1-f179.google.com[209.85.210.179]
Sep 16 07:46:10 tls13 postfix/smtpd[2861]: Trusted TLS connection established from mail-pf1-f179.google.com[209.85.210.179]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Sep 16 07:46:10 tls13 postfix/smtpd[2861]: 5BD7B30FCEA0: client=mail-pf1-f179.google.com[209.85.210.179]
Sep 16 07:46:10 tls13 postfix/cleanup[2866]: 5BD7B30FCEA0: message-id=<8716c9e9-32be-07db-209c-6177ebebcb56@gmail.com>
Sep 16 07:46:10 tls13 postfix/qmgr[2853]: 5BD7B30FCEA0: from=<example@gmail.com>, size=3087, nrcpt=1 (queue active)
Sep 16 07:46:10 tls13 postfix/local[2867]: 5BD7B30FCEA0: to=<root@example.com>, relay=local, delay=0.24, delays=0.22/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
Sep 16 07:46:10 tls13 postfix/qmgr[2853]: 5BD7B30FCEA0: removed
Sep 16 07:46:10 tls13 postfix/smtpd[2861]: disconnect from mail-pf1-f179.google.com[209.85.210.179] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
  • Result
    • Gmail's outbound servers did not support TLSv1.3, so TLSv1.2 was negotiated

2. Send mail from the server we set up to Gmail

Sep 16 22:32:28 tls13 postfix/smtp[20848]: Trusted TLS connection established to gmail-smtp-in.l.google.com[108.177.97.27]:25: TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)
  • Result
    • Gmail's inbound servers (gmail-smtp-in) did not support TLSv1.3, so TLSv1.2 was negotiated

3. Set up two servers (A and B) and send mail from server A to server B

Server A's log (the smtpd lines show server A accepting the message submitted to it from its own address over TLSv1.3; the smtp line is the delivery to server B)

Sep 16 20:51:11 tls13a postfix/smtpd[21805]: connect from tls13a.example.com[163.43.108.217]
Sep 16 20:51:11 tls13a postfix/smtpd[21805]: Anonymous TLS connection established from tls13a.example.com[163.43.108.217]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Sep 16 20:51:38 tls13a postfix/smtpd[21805]: 5B6992069003: client=tls13a.example.com[163.43.108.217]
Sep 16 20:52:10 tls13a postfix/cleanup[21813]: 5B6992069003: message-id=<20180916115138.5B6992069003@tls13a.example.com>
Sep 16 20:52:10 tls13a postfix/qmgr[21791]: 5B6992069003: from=<root@tls13a.example.com>, size=535, nrcpt=1 (queue active)
Sep 16 20:52:10 tls13a postfix/smtp[21830]: Trusted TLS connection established to tls13b.example.com[163.43.104.68]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Sep 16 20:52:10 tls13a postfix/smtp[21830]: 5B6992069003: to=<root@tls13b.example.com>, relay=tls13b.ma3ki.net[163.43.104.68]:25, delay=43, delays=43/0.03/0.03/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 6D6DF30FCEA0)
Sep 16 20:52:10 tls13a postfix/qmgr[21791]: 5B6992069003: removed

Server B's receiving log

Sep 16 20:52:10 tls13b postfix/smtpd[2926]: connect from unknown[163.43.108.217]
Sep 16 20:52:10 tls13b postfix/smtpd[2926]: Trusted TLS connection established from unknown[163.43.108.217]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Sep 16 20:52:10 tls13b postfix/smtpd[2926]: 6D6DF30FCEA0: client=unknown[163.43.108.217]
Sep 16 20:52:10 tls13b postfix/cleanup[2929]: 6D6DF30FCEA0: message-id=<20180916115138.5B6992069003@tls13a.example.com>
Sep 16 20:52:10 tls13b postfix/qmgr[2853]: 6D6DF30FCEA0: from=<root@tls13a.example.com>, size=884, nrcpt=1 (queue active)
Sep 16 20:52:10 tls13b postfix/smtpd[2926]: disconnect from unknown[163.43.108.217] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Sep 16 20:52:10 tls13b postfix/local[2930]: 6D6DF30FCEA0: to=<root@tls13b.example.com>, relay=local, delay=0.01, delays=0.01/0/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
Sep 16 20:52:10 tls13b postfix/qmgr[2853]: 6D6DF30FCEA0: removed
  • Result
    • TLSv1.3 was negotiated both for the submission accepted by server A and for the delivery from server A to server B
    • "Trusted" in an smtpd line means the client presented a certificate that chained to smtpd_tls_CAfile (Gmail's MTAs and server A's smtp client both do, the latter because smtp_tls_cert_file is set); "Anonymous" means the client presented none. At security level may, neither affects whether the mail is accepted
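Reading the negotiated protocol off individual log lines, as above, does not scale to a busy MX. The following script is an added example (not from the article or the Postfix project): it groups smtpd lines into sessions by PID between `connect from` and `disconnect from`, reads the `TLS connection established` line in between (its absence means the session ran in plaintext), treats each smtp client `TLS connection established to` line as one outbound session, and then reports a protocol breakdown and flags plaintext, anything below TLSv1.2, and outbound deliveries whose server certificate did not verify. The embedded log lines are constructed in the same format as the logs above, and the TLSv1.2 floor in `findings` is an assumption you can tighten.

```python
"""Audit Postfix STARTTLS usage from maillog lines (example code, not from the article)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines in the format of the logs above; not real traffic.
SAMPLE_LOG = """\
Sep 16 07:46:09 tls13 postfix/smtpd[2861]: connect from mail-pf1-f179.google.com[209.85.210.179]
Sep 16 07:46:10 tls13 postfix/smtpd[2861]: Trusted TLS connection established from mail-pf1-f179.google.com[209.85.210.179]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Sep 16 07:46:10 tls13 postfix/smtpd[2861]: disconnect from mail-pf1-f179.google.com[209.85.210.179] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Sep 16 20:52:10 tls13 postfix/smtpd[2926]: connect from unknown[163.43.108.217]
Sep 16 20:52:10 tls13 postfix/smtpd[2926]: Trusted TLS connection established from unknown[163.43.108.217]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Sep 16 20:52:10 tls13 postfix/smtpd[2926]: disconnect from unknown[163.43.108.217] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Sep 16 21:00:00 tls13 postfix/smtpd[3001]: connect from legacy.example.net[192.0.2.10]
Sep 16 21:00:01 tls13 postfix/smtpd[3001]: disconnect from legacy.example.net[192.0.2.10] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Sep 16 21:05:00 tls13 postfix/smtpd[3002]: connect from old.example.org[198.51.100.7]
Sep 16 21:05:00 tls13 postfix/smtpd[3002]: Anonymous TLS connection established from old.example.org[198.51.100.7]: TLSv1 with cipher AES128-SHA (128/128 bits)
Sep 16 21:05:01 tls13 postfix/smtpd[3002]: disconnect from old.example.org[198.51.100.7] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Sep 16 22:32:28 tls13 postfix/smtp[20848]: Trusted TLS connection established to gmail-smtp-in.l.google.com[108.177.97.27]:25: TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)
Sep 16 22:40:00 tls13 postfix/smtp[20850]: Untrusted TLS connection established to mx.example.edu[203.0.113.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
"""

LINE_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ \S+ postfix/(?P<prog>smtpd?)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
TLS_RE = re.compile(
    r"^(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?:from|to) (?P<peer>\S+?)(?::\d+)?: (?P<proto>\S+) with cipher (?P<cipher>\S+) "
    r"\((?P<bits>\d+)/\d+ bits\)"
)
PROTO_RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}


@dataclass
class Session:
    prog: str                    # "smtpd" = inbound, "smtp" = outbound
    pid: str
    peer: str
    trust: Optional[str] = None  # Anonymous/Untrusted/Trusted/Verified; None = no TLS line seen
    proto: Optional[str] = None
    cipher: Optional[str] = None
    bits: int = 0


def parse_sessions(log: str) -> List[Session]:
    """Build one Session per inbound connect/disconnect pair (matched by smtpd PID)
    and one per outbound "TLS connection established to" line."""
    open_inbound: Dict[str, Session] = {}
    sessions: List[Session] = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # cleanup/qmgr/local lines carry no TLS information
        prog, pid, msg = m.group("prog", "pid", "msg")
        if prog == "smtpd":
            if msg.startswith("connect from "):
                open_inbound[pid] = Session(prog, pid, msg[len("connect from "):])
            elif msg.startswith("disconnect from "):
                s = open_inbound.pop(pid, None)
                if s is not None:
                    sessions.append(s)
            else:
                t = TLS_RE.match(msg)
                if t and pid in open_inbound:
                    s = open_inbound[pid]
                    s.trust, s.proto, s.cipher = t["trust"], t["proto"], t["cipher"]
                    s.bits = int(t["bits"])
        else:
            t = TLS_RE.match(msg)  # outbound sessions log no connect/disconnect pair
            if t:
                sessions.append(Session(prog, pid, t["peer"], t["trust"], t["proto"],
                                        t["cipher"], int(t["bits"])))
    sessions.extend(open_inbound.values())  # still open at the end of the log
    return sessions


def protocol_summary(sessions: List[Session]) -> Dict[str, int]:
    """Count sessions per negotiated protocol; inbound sessions without STARTTLS count as plaintext."""
    counts: Dict[str, int] = {}
    for s in sessions:
        key = s.proto or "plaintext"
        counts[key] = counts.get(key, 0) + 1
    return counts


def findings(sessions: List[Session], min_proto: str = "TLSv1.2") -> List[str]:
    """Flag inbound plaintext, any protocol older than min_proto, and outbound sessions
    whose server certificate did not verify (smtp_tls_security_level = may still
    delivers in that case, so the log is the only place you will see it)."""
    out: List[str] = []
    floor = PROTO_RANK[min_proto]
    for s in sessions:
        where = f"{s.prog}[{s.pid}] {s.peer}"
        if s.proto is None:
            out.append(f"{where}: no STARTTLS, session was plaintext")
            continue
        if PROTO_RANK.get(s.proto, -1) < floor:
            out.append(f"{where}: {s.proto} below {min_proto} ({s.cipher})")
        if s.prog == "smtp" and s.trust not in ("Trusted", "Verified"):
            out.append(f"{where}: outbound server certificate not verified ({s.trust})")
    return out


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    sessions = parse_sessions(text)
    for proto, n in sorted(protocol_summary(sessions).items()):
        print(f"{proto:10} {n}")
    for f in findings(sessions):
        print("WARN", f)
```

Run it as `python3 tls_audit.py /var/log/maillog` on the server; with no argument it runs over the embedded sample. Because `smtp_tls_security_level = may` delivers even when the peer certificate does not verify, the `Untrusted` outbound entries are worth watching for destinations you care about; `smtp_tls_policy_maps` can raise those destinations to `secure` or `dane`.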

Commands used for testing

STARTTLS mail-sending test (-tls1_3 restricts the client to TLSv1.3 only, so a successful handshake proves the server supports it)
# /usr/local/openssl-1.1.1/bin/openssl s_client -connect example.com:25 -starttls smtp -tls1_3

SSL/TLS vulnerability scan with testssl.sh
# ./testssl.sh --starttls smtp example.com:25
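The `openssl s_client -tls1_3` command above proves that TLSv1.3 works, but the `smtpd_tls_protocols` setting in main.cf also promises that TLSv1 and TLSv1.1 are refused, and that deserves a check of its own. The following Python script is an added example, not code from the article: it runs the real SMTP exchange (EHLO, STARTTLS, handshake) once per TLS version with that version pinned through the `ssl` module, then compares the outcomes against the expected accept/refuse pattern. `example.com` is the article's placeholder hostname; the `@SECLEVEL=0` cipher string is an assumption needed so that a modern OpenSSL on the probing host will offer TLS 1.0/1.1 at all, and Python 3.7 or newer is assumed for `ssl.TLSVersion`.

```python
"""Probe which TLS versions an MX accepts over STARTTLS (example code, not from the article)."""
import smtplib
import ssl
from typing import Dict, List, Tuple

# Versions to probe, oldest first. With the smtpd_tls_protocols setting from the
# article, the first two are expected to be refused and the last two to succeed.
VERSIONS: Dict[str, ssl.TLSVersion] = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
EXPECTED: Dict[str, str] = {"TLSv1": "refused", "TLSv1.1": "refused",
                            "TLSv1.2": "ok", "TLSv1.3": "ok"}


def starttls_probe(host: str, version: ssl.TLSVersion, port: int = 25,
                   timeout: float = 10.0) -> Tuple[str, str]:
    """EHLO, STARTTLS, then handshake with exactly one TLS version pinned.
    Returns (status, detail); status is one of ok / refused / cert_error /
    no_starttls / unreachable / client_unsupported."""
    try:
        ctx = ssl.create_default_context()  # verifies chain and hostname, like a strict MTA
        ctx.minimum_version = ctx.maximum_version = version
        if version < ssl.TLSVersion.TLSv1_2:
            # Modern OpenSSL disables TLS 1.0/1.1 at security level >= 1; lower it so the
            # client can offer them at all. The point of the probe is that the server refuses.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        smtp = smtplib.SMTP(host, port, timeout=timeout)  # reads the 220 greeting
        try:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return ("no_starttls", "server did not advertise STARTTLS")
            smtp.starttls(context=ctx)  # sends STARTTLS, expects 220, then handshakes
            name, _, bits = smtp.sock.cipher()
            return ("ok", f"{smtp.sock.version()} with cipher {name} ({bits} bits)")
        finally:
            smtp.close()
    except ValueError as e:
        return ("client_unsupported", f"local OpenSSL cannot speak this version: {e}")
    except ssl.SSLCertVerificationError as e:
        return ("cert_error", str(e))
    except (ssl.SSLError, smtplib.SMTPException) as e:
        return ("refused", str(e))
    except OSError as e:
        return ("unreachable", str(e))


def policy_violations(results: Dict[str, str],
                      expected: Dict[str, str] = EXPECTED) -> List[str]:
    """Compare observed status per version against the expected policy and return
    one line per mismatch (a version that was not probed is a mismatch too)."""
    return [f"{v}: expected {want}, got {results.get(v, 'untested')}"
            for v, want in expected.items() if results.get(v) != want]


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # hostname from the article
    results: Dict[str, str] = {}
    for name, ver in VERSIONS.items():
        status, detail = starttls_probe(host, ver)
        results[name] = status
        print(f"{name:8} {status:18} {detail}")
    for line in policy_violations(results):
        print("POLICY MISMATCH", line)
```

Run it as `python3 starttls_probe.py mail.example.com`. A `cert_error` on TLSv1.2/1.3 means the version is accepted but the chain or hostname did not verify, which is what a sending MTA configured for `secure` would see. Note that with `smtpd_tls_security_level = may` it is `smtpd_tls_protocols`, not `smtpd_tls_mandatory_protocols`, that this probe exercises; the mandatory setting only applies at level `encrypt`.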
ma3ki
I mainly build systems using OSS.