LoginSignup
6
8

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?

More than 5 years have passed since last update.

@ma3ki

postfix の starttls 通信を TLSv1.3 に対応させる

Last updated at Posted at 2018-09-16

openssl-1.1.1 がリリースされたので postfix の starttls 通信を TLSv1.3 に対応し、メール送信で TLSv1.3 が使用されるか確認します。

#環境

  • OS
    • CentOS 7.5

openssl-1.1.1 のインストール

1. 必要パッケージのアップデートとインストール

# yum update -y
# yum -y groupinstall development
# yum -y install perl-core zlib-devel
# shutdown -r now

2. openssl のインストール

# curl -O -L https://www.openssl.org/source/openssl-1.1.1.tar.gz
# tar xvzf openssl-1.1.1.tar.gz
# cd openssl-1.1.1
# ./config --prefix=/usr/local/openssl-1.1.1 shared zlib
# make
# make install

# echo /usr/local/openssl-1.1.1/lib >> /etc/ld.so.conf.d/openssl.conf
# ldconfig

postfix-3.3.1 のインストール

1. 必要パッケージのインストール

# yum install -y {cyrus-sasl,openldap,pcre,mysql,libdb}-devel

2. ユニットファイルのバックアップとOS標準のpostfixの削除

# cp -p /usr/lib/systemd/system/postfix.service /var/tmp
# yum remove -y postfix

3. postfix のインストール

# curl -O http://www.ftp.saix.net/MTA/postfix/official/postfix-3.3.1.tar.gz
# tar xvzf postfix-3.3.1.tar.gz
# cd postfix-3.3.1
# CCARGS="-Wmissing-prototypes -Wformat -Wno-comment -fPIC \
-DHAS_LDAP -DLDAP_DEPRECATED=1 -DHAS_PCRE -I/usr/include/pcre \
-DHAS_MYSQL -I/usr/include/mysql -DUSE_SASL_AUTH -DUSE_CYRUS_SASL \
-I/usr/include/sasl -DUSE_TLS -I/usr/local/openssl-1.1.1/include \
-DDEF_CONFIG_DIR=\\\"/etc/postfix\\\""
# AUXLIBS="-lldap -llber -lpcre -L/usr/lib64/mysql -lmysqlclient \
-lm -L/usr/lib64/sasl2 -lsasl2 -L/usr/local/openssl-1.1.1/lib -lssl \
-lcrypto  -pie -Wl,-z,relro,-z,now"
# make -f Makefile.init makefiles CCARGS="${CCARGS}" AUXLIBS="${AUXLIBS}"
# make
# make install
* インストール先は全てデフォルト

4. SSL証明書の取得

# firewall-cmd --permanent --add-port={25,80}/tcp
# firewall-cmd --reload
# git clone https://github.com/certbot/certbot
# cd certbot
# git checkout $(git tag | sort -t . -k +2 -n | tail -1)

# ./certbot-auto -n certonly --standalone -d example.com \
-m root@example.com --agree-tos --server https://acme-v02.api.letsencrypt.org/directory
  • 事前に example.com の Aレコードを登録しておくこと

5. postfix に SSL/TLS関連設定を追加して起動

# cat <<_EOL_>> /etc/postfix/main.cf
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_cert_file = /etc/letsencrypt/live/example.com/fullchain.pem
smtp_tls_key_file  = /etc/letsencrypt/live/example.com/privkey.pem
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_use_tls =yes
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/example.com/fullchain.pem
smtpd_tls_ciphers = high
smtpd_tls_key_file  = /etc/letsencrypt/live/example.com/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
smtpd_use_tls = yes
tls_high_cipherlist  = EECDH+AESGCM
tls_preempt_cipherlist = yes
_EOL_

# cp -p /var/tmp/postfix.service /usr/lib/systemd/system/
# systemctl enable postfix
# systemctl start postfix
# postconf -e "alias_maps = hash:/etc/aliases"

#テスト

1. Gmail からセットアップしたサーバにメールを送信

Sep 16 07:46:09 tls13 postfix/smtpd[2861]: connect from mail-pf1-f179.google.com[209.85.210.179]
Sep 16 07:46:10 tls13 postfix/smtpd[2861]: Trusted TLS connection established from mail-pf1-f179.google.com[209.85.210.179]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Sep 16 07:46:10 tls13 postfix/smtpd[2861]: 5BD7B30FCEA0: client=mail-pf1-f179.google.com[209.85.210.179]
Sep 16 07:46:10 tls13 postfix/cleanup[2866]: 5BD7B30FCEA0: message-id=<8716c9e9-32be-07db-209c-6177ebebcb56@gmail.com>
Sep 16 07:46:10 tls13 postfix/qmgr[2853]: 5BD7B30FCEA0: from=<example@gmail.com>, size=3087, nrcpt=1 (queue active)
Sep 16 07:46:10 tls13 postfix/local[2867]: 5BD7B30FCEA0: to=<root@example.com>, relay=local, delay=0.24, delays=0.22/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
Sep 16 07:46:10 tls13 postfix/qmgr[2853]: 5BD7B30FCEA0: removed
Sep 16 07:46:10 tls13 postfix/smtpd[2861]: disconnect from mail-pf1-f179.google.com[209.85.210.179] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
  • 結果
    • Gmail は TLSv1.3 での送信に対応していないため、TLSv1.2 が使用された

2. セットアップしたサーバから Gmail にメールを送信

Sep 16 22:32:28 tls13 postfix/smtp[20848]: Trusted TLS connection established to gmail-smtp-in.l.google.com[108.177.97.27]:25: TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)
  • 結果
    • Gmail は TLSv1.3 での受信に対応していないため、TLSv1.2 が使用された

3. サーバを2台(AとB)セットアップして、サーバAからサーバBにメールを送信

サーバA の送信ログ

Sep 16 20:51:11 tls13a postfix/smtpd[21805]: connect from tls13a.example.com[163.43.108.217]
Sep 16 20:51:11 tls13a postfix/smtpd[21805]: Anonymous TLS connection established from tls13a.example.com[163.43.108.217]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Sep 16 20:51:38 tls13a postfix/smtpd[21805]: 5B6992069003: client=tls13a.example.com[163.43.108.217]
Sep 16 20:52:10 tls13a postfix/cleanup[21813]: 5B6992069003: message-id=<20180916115138.5B6992069003@tls13a.example.com>
Sep 16 20:52:10 tls13a postfix/qmgr[21791]: 5B6992069003: from=<root@tls13a.example.com>, size=535, nrcpt=1 (queue active)
Sep 16 20:52:10 tls13a postfix/smtp[21830]: Trusted TLS connection established to tls13b.example.com[163.43.104.68]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Sep 16 20:52:10 tls13a postfix/smtp[21830]: 5B6992069003: to=<root@tls13b.example.com>, relay=tls13b.ma3ki.net[163.43.104.68]:25, delay=43, delays=43/0.03/0.03/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 6D6DF30FCEA0)
Sep 16 20:52:10 tls13a postfix/qmgr[21791]: 5B6992069003: removed

サーバBの受信ログ

Sep 16 20:52:10 tls13b postfix/smtpd[2926]: connect from unknown[163.43.108.217]
Sep 16 20:52:10 tls13b postfix/smtpd[2926]: Trusted TLS connection established from unknown[163.43.108.217]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Sep 16 20:52:10 tls13b postfix/smtpd[2926]: 6D6DF30FCEA0: client=unknown[163.43.108.217]
Sep 16 20:52:10 tls13b postfix/cleanup[2929]: 6D6DF30FCEA0: message-id=<20180916115138.5B6992069003@tls13a.example.com>
Sep 16 20:52:10 tls13b postfix/qmgr[2853]: 6D6DF30FCEA0: from=<root@tls13a.example.com>, size=884, nrcpt=1 (queue active)
Sep 16 20:52:10 tls13b postfix/smtpd[2926]: disconnect from unknown[163.43.108.217] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Sep 16 20:52:10 tls13b postfix/local[2930]: 6D6DF30FCEA0: to=<root@tls13b.example.com>, relay=local, delay=0.01, delays=0.01/0/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
Sep 16 20:52:10 tls13b postfix/qmgr[2853]: 6D6DF30FCEA0: removed
  • 結果
    • メールの送受信で TLSv1.3 が使用された

テストに使ったコマンド

starttls でのメール送信テスト
# /usr/local/openssl-1.1.1/bin/openssl s_client -connect example.com:25 -starttls smtp -tls1_3

ssl/tls の脆弱性テスト
# ./testssl.sh --starttls smtp example.com:25
6
8
0

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
Sign upLogin
6
8

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?