Setting up STLS/STARTTLS

Steps for enabling STLS/STARTTLS in postfix (2.7.0) on Ubuntu (10.04).
* The Ubuntu version can be found with "cat /etc/lsb-release";
  the postfix version with "/usr/sbin/postconf | grep mail_version".

  1. SASL in postfix is (assumed to be) already configured
    [code]$ sudo nano /etc/postfix/main.cf[/code]
    [code]
    # SMTP-Auth setting
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth-dovecot
    smtpd_sasl_authenticated_header = yes
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    broken_sasl_auth_clients = yes
    [/code]
  2. SASL on the dovecot side likewise (assumed to be configured)
    [code]$ sudo nano /etc/dovecot/dovecot.conf[/code]
    [code]
    socket listen {
      client {
        path = /var/spool/postfix/private/auth-dovecot
        mode = 0660
        user = postfix
        group = postfix
      }
    }
    [/code]
  3. TLS setup. Change the directory the CA-creation script keeps its files in from demoCA to postfixCA.
    [code]
    $ cd /usr/lib/ssl/misc
    $ sudo nano CA.pl
    [/code]
    [code]
    #$CATOP="./demoCA";
    $CATOP="./postfixCA";
    [/code]
    [code]
    $ sudo nano /usr/lib/ssl/openssl.cnf
    [/code]
    [code]
    #dir = ./demoCA # Where everything is kept
    dir = ./postfixCA # Where everything is kept
    [/code]
  4. Create the private key. (partially redacted)
    [code]$ sudo ./CA.pl -newca[/code]
    [code]
    CA certificate filename (or enter to create) # just press Enter

    Making CA certificate ...
    Generating a 1024 bit RSA private key
    ......................................................++++++
    ...................................................++++++
    writing new private key to './postfixCA/private/cakey.pem'
    Enter PEM pass phrase: # enter a password
    Verifying - Enter PEM pass phrase: # enter the password again
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:JP
    State or Province Name (full name) [Some-State]:Kanagawa-ken
    Locality Name (eg, city) []:Yokosuka-shi
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Satake Studio,LPC.
    Organizational Unit Name (eg, section) []:
    Common Name (eg, YOUR name) []:Mamoru Satake
    Email Address []:mam@x-xx.jp

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []: # can be left empty
    An optional company name []:
    Using configuration from /usr/lib/ssl/openssl.cnf
    Enter pass phrase for ./postfixCA/private/cakey.pem: # enter the password
    Check that the request matches the signature
    Signature ok
    Certificate Details:
    Serial Number:
    xx:ee:33:xx:6b:xx:59:xx
    Validity
    Not Before: Jul 11 21:43:17 2011 GMT
    Not After : Jul 10 21:43:17 2014 GMT
    Subject:
    countryName = JP
    stateOrProvinceName = Kanagawa-ken
    organizationName = Satake Studio,LPC.
    commonName = Mamoru Satake
    emailAddress = mam@x-xx.jp
    X509v3 extensions:
    X509v3 Subject Key Identifier:
    xx:20:xx:93:xx:86:xx:55:xx:9C:xx:6F:xx:2C:xx:C7:xx:E3:xx:15
    X509v3 Authority Key Identifier:
    keyid:xx:20:xx:93:xx:86:xx:55:xx:9C:xx:6F:xx:2C:xx:C7:xx:E3:xx:15
    DirName:/C=JP/ST=Kanagawa-ken/O=Satake Studio,LPC./CN=Mamoru Satake/emailAddress=mam@x-xx.jp
    serial:xx:EE:xx:AE:xx:F8:xx:F1

    X509v3 Basic Constraints:
    CA:TRUE
    Certificate is to be certified until Jul 10 21:43:17 2014 GMT (1095 days)

    Write out database with 1 new entries
    Data Base Updated
    [/code]

  5. Create a private key once more. (Why again? Step 4 created the CA's key; this one is the server's own key, generated together with its CSR, and is the key postfix itself will use.)
    [code]
    $ cd postfixCA/
    $ sudo openssl req -new -nodes -keyout postfix-key.pem -out postfix-req.pem -days 365
    [/code]
    [code]
    Generating a 1024 bit RSA private key
    ..............................++++++
    ..........................................++++++
    writing new private key to 'postfix-key.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    —–
    Country Name (2 letter code) [AU]:JP
    State or Province Name (full name) [Some-State]:Kanagawa-ken
    Locality Name (eg, city) []:Yokosuka-shi
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Satake Studio,LPC.
    Organizational Unit Name (eg, section) []:
    Common Name (eg, YOUR name) []:Mamoru Satake
    Email Address []:mam@x-xx.jp

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    [/code]

  6. Sign the CSR with the CA certificate.
    [code]
    $ sudo sh -c "echo '00' > serial"
    $ cd /usr/lib/ssl/misc
    $ sudo rm postfixCA/index.txt* # workaround for the "TXT_DB error number 2" error
    $ sudo touch postfixCA/index.txt
    $ sudo openssl ca -out postfix-cert.pem -infiles postfixCA/postfix-req.pem
    [/code]
    [code]
    Using configuration from /usr/lib/ssl/openssl.cnf
    Enter pass phrase for ./postfixCA/private/cakey.pem: # enter the password
    Check that the request matches the signature
    Signature ok
    Certificate Details:
    Serial Number: 0 (0x0)
    Validity
    Not Before: Jul 12 00:02:50 2011 GMT
    Not After : Jul 11 00:02:50 2012 GMT
    Subject:
    countryName = JP
    stateOrProvinceName = Kanagawa-ken
    organizationName = Satake Studio,LPC.
    commonName = Mamoru Satake
    emailAddress = mam@x-xx.jp
    X509v3 extensions:
    X509v3 Basic Constraints:
    CA:FALSE
    Netscape Comment:
    OpenSSL Generated Certificate
    X509v3 Subject Key Identifier:
    xx:E3:xx:32:xx:D4:xx:EF:xx:2A:xx:35:xx:4C:xx:DC:xx:AD:xx:D5
    X509v3 Authority Key Identifier:
    keyid:xx:B2:xx:88:xx:4E:xx:B4:xx:73:xx:DF:xx:5A:xx:72:xx:55:xx:33

    Certificate is to be certified until Jul 11 00:02:50 2012 GMT (365 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    [/code]

  7. Put the files in place & restart postfix
    [code]
    $ sudo cp postfix-cert.pem /etc/ssl/certs/
    $ sudo cp postfixCA/postfix-key.pem /etc/ssl/private/
    $ sudo chmod 644 /etc/ssl/certs/postfix-cert.pem
    $ sudo chmod 400 /etc/ssl/private/postfix-key.pem
    $ sudo service postfix restart
    [/code]
    [code]
    * Stopping Postfix Mail Transport Agent postfix
    ...done.
    * Starting Postfix Mail Transport Agent postfix
    ...done.
    [/code]
  8. That should do it (hopefully).
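The steps above place the certificate and key but never show the main.cf parameters that make smtpd offer STARTTLS, nor smtpd_tls_auth_only, which is what keeps the SASL password from being sent in the clear. The following is an added example, not code from the original post: a small parser for main.cf logical lines and an audit of those parameters; the parameter names are real Postfix ones, while the sample config and its values are constructed for this example.

```python
import re

# Constructed main.cf (not from the post): step 1's SASL block plus the TLS parameters
# that point smtpd at the files placed in step 7. Parameter names are real; values are assumed.
SAMPLE_MAIN_CF = """\
# SMTP-Auth setting
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
broken_sasl_auth_clients = yes
# TLS: advertise STARTTLS and refuse AUTH on the unencrypted channel
smtpd_tls_cert_file = /etc/ssl/certs/postfix-cert.pem
smtpd_tls_key_file = /etc/ssl/private/postfix-key.pem
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
"""

def parse_main_cf(text):
    """Parse main.cf into a dict: 'name = value', where a line that starts with
    whitespace continues the previous value (Postfix's logical-line rule)."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line[0] in " \t" and current is not None:
            params[current] += " " + line.strip()  # continuation line
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", line)
        if m:
            current = m.group(1)
            params[current] = m.group(2).strip()
    return params

def audit_starttls(params):
    """Return findings for a SASL-enabled smtpd; an empty list means STARTTLS is
    offered and AUTH is only accepted once the session is encrypted."""
    findings = []
    # An unset or 'none' security level means smtpd never advertises STARTTLS at all.
    if params.get("smtpd_tls_security_level", "") in ("", "none"):
        findings.append("STARTTLS not offered: set smtpd_tls_security_level = may")
    for p in ("smtpd_tls_cert_file", "smtpd_tls_key_file"):
        if not params.get(p):
            findings.append(f"{p} not set: smtpd has no certificate/key to present")
    # With AUTH enabled, this is what keeps SASL passwords off the clear-text channel.
    if params.get("smtpd_sasl_auth_enable") == "yes" and params.get("smtpd_tls_auth_only") != "yes":
        findings.append("AUTH allowed before STARTTLS: set smtpd_tls_auth_only = yes")
    return findings
```

Run `audit_starttls(parse_main_cf(open("/etc/postfix/main.cf").read()))` on a real server to see which of these settings are still missing after step 7.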