8
5

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?

More than 5 years have passed since last update.

SMTP over SSL/TLS

Posted at

※自己証明書での送信です。
※Postfixです。

SSL証明書ディレクトリの作成

mkdir /etc/postfix/ssl/SERVER

CA局発行スクリプトの修正

cp /usr/lib/ssl/misc/CA.sh /etc/postfix/ssl/

vi /etc/postfix/ssl/CA.sh
if [ -z "$DAYS" ] ; then DAYS="-days 36500" ; fi        # 100 year
CADAYS="-days 36500"     # 100 years
if [ -z "$CATOP" ] ; then CATOP=/etc/postfix/ssl/CA ; fi

opensslスクリプトの修正

cp -pi /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.org
vi /etc/ssl/openssl.cnf
※2ヶ所のパス修正
[ CA_default ]
dir             = /etc/postfix/ssl/CA
[ tsa_config1 ]
dir             = /etc/postfix/ssl/CA

CA局の作成

CA秘密鍵の作成

sh /etc/postfix/ssl/CA.sh -newca

 ※cakey.pemのパスフレーズを入力
 ※Subject情報を入力
   Country Name (2 letter code) [AU]:JP
   State or Province Name (full name) [Some-State]:Fukuoka
   Locality Name (eg, city) []:Fukuoka-shi
   Organization Name (eg, company) [Internet Widgits Pty Ltd]:Alterbooth Inc.
   Organizational Unit Name (eg, section) []:TechRoom
   Common Name (eg, YOUR name) []:FQDN
   Email Address []:設定不要

CA証明書の作成

openssl req -new -x509 -keyout /etc/postfix/ssl/CA/private/cakey.pem -out /etc/postfix/ssl/CA/cacert.pem -days 36500

サーバー証明書の作成

秘密鍵の作成

openssl genrsa -rand rand.dat -des3 2048 > /etc/postfix/ssl/SERVER/FQDN.key.pem

鍵パスフレーズの削除

openssl rsa -in /etc/postfix/ssl/SERVER/FQDN.key.pem -out /etc/postfix/ssl/SERVER/FQDN.key.pem

証明書要求(CSR)の作成

openssl req -new -days 36500 -key /etc/postfix/ssl/SERVER/FQDN.key.pem -out /etc/postfix/ssl/SERVER/FQDN.csr.pem

 Subject情報を入力
   Country Name (2 letter code) [AU]:JP
   State or Province Name (full name) [Some-State]:Fukuoka
   Locality Name (eg, city) []:Fukuoka-shi
   Organization Name (eg, company) [Internet Widgits Pty Ltd]:Alterbooth Inc.
   Organizational Unit Name (eg, section) []:TechRoom
   Common Name (eg, YOUR name) []:FQDN
   Email Address []:設定不要

証明書の作成

openssl ca -in /etc/postfix/ssl/SERVER/FQDN.csr.pem -keyfile /etc/postfix/ssl/CA/private/cakey.pem -cert /etc/postfix/ssl/CA/cacert.pem -out /etc/postfix/ssl/SERVER/FQDN.crt.pem

Postfix設定変更

main.cf修正

vi /etc/postfix/main.cf
以下を追記
#-------------------------------------#
# TLS
#-------------------------------------#
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_CAfile = /etc/postfix/ssl/CA/cacert.pem
smtpd_tls_cert_file = /etc/postfix/ssl/SERVER/FQDN.crt.pem
smtpd_tls_key_file = /etc/postfix/ssl/SERVER/FQDN.key.pem
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
smtpd_tls_security_level = may
smtp_tls_loglevel = 2

master.cfの修正

vi /etc/postfix/master.cf
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

postfix 再起動

service postfix restart

送信テスト

openssl s_client -connect FQDN:465

MAIL FROM: 送信元メールアドレス
RCPT TO: 宛先メールアドレス
DATA
Subject:Mail Send Test
From:送信元メールアドレス
To:宛先メールアドレス
Test Mail
.
8
5
0

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
8
5

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?