Procedure for enabling STLS/STARTTLS on postfix (2.7.0) on Ubuntu (10.04).
Note: the Ubuntu version can be obtained with "cat /etc/lsb-release".
The postfix version can be obtained with "/usr/sbin/postconf | grep mail_version".
- Postfix's SASL is (assumed to be) already configured
$ sudo nano /etc/postfix/main.cf
# SMTP-Auth setting
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth-dovecot
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
broken_sasl_auth_clients = yes
- The dovecot-side SASL socket likewise (assumed to be configured)
$ sudo nano /etc/dovecot/dovecot.conf
socket listen {
  client {
    path = /var/spool/postfix/private/auth-dovecot
    mode = 0660
    user = postfix
    group = postfix
  }
}
- TLS setup. Change the directory used by the CA-creation script from demoCA to postfixCA.
$ cd /usr/lib/ssl/misc
$ sudo nano CA.pl
#$CATOP="./demoCA";
$CATOP="./postfixCA";
$ sudo nano /usr/lib/ssl/openssl.cnf
#dir = ./demoCA # Where everything is kept
dir = ./postfixCA # Where everything is kept
- Create the CA private key. (Some values are masked.)
$ sudo ./CA.pl -newca
CA certificate filename (or enter to create) # press Enter on an empty line
Making CA certificate ...
Generating a 1024 bit RSA private key
............................++++++
.........................++++++
writing new private key to './postfixCA/private/cakey.pem'
Enter PEM pass phrase: # enter a passphrase
Verifying - Enter PEM pass phrase: # enter the passphrase again
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Kanagawa-ken
Locality Name (eg, city) []:Yokosuka-shi
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Satake Studio,LPC.
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:Mamoru Satake
Email Address []:mam@x-xx.jp

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: # may be left empty
An optional company name []:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./postfixCA/private/cakey.pem: # enter the passphrase
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            xx:ee:33:xx:6b:xx:59:xx
        Validity
            Not Before: Jul 11 21:43:17 2011 GMT
            Not After : Jul 10 21:43:17 2014 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Kanagawa-ken
            organizationName          = Satake Studio,LPC.
            commonName                = Mamoru Satake
            emailAddress              = mam@x-xx.jp
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                xx:20:xx:93:xx:86:xx:55:xx:9C:xx:6F:xx:2C:xx:C7:xx:E3:xx:15
            X509v3 Authority Key Identifier:
                keyid:xx:20:xx:93:xx:86:xx:55:xx:9C:xx:6F:xx:2C:xx:C7:xx:E3:xx:15
                DirName:/C=JP/ST=Kanagawa-ken/O=Satake Studio,LPC./CN=Mamoru Satake/emailAddress=mam@x-xx.jp
                serial:xx:EE:xx:AE:xx:F8:xx:F1
            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Jul 10 21:43:17 2014 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
- Create a private key once more, this time the server's own key together with a CSR. (Why twice?)
$ cd postfixCA/
$ sudo openssl req -new -nodes -keyout postfix-key.pem -out postfix-req.pem -days 365
Generating a 1024 bit RSA private key
..........++++++
..............++++++
writing new private key to 'postfix-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Kanagawa-ken
Locality Name (eg, city) []:Yokosuka-shi
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Satake Studio,LPC.
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:Mamoru Satake
Email Address []:mam@x-xx.jp

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
- Sign the CSR with the CA certificate.
$ sudo sh -c "echo '00' > serial"
$ cd /usr/lib/ssl/misc
$ sudo rm postfixCA/index.txt* # workaround for the "TXT_DB error number 2" error
$ sudo touch postfixCA/index.txt
$ sudo openssl ca -out postfix-cert.pem -infiles postfixCA/postfix-req.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./postfixCA/private/cakey.pem: # enter the CA passphrase
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Jul 12 00:02:50 2011 GMT
            Not After : Jul 11 00:02:50 2012 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Kanagawa-ken
            organizationName          = Satake Studio,LPC.
            commonName                = Mamoru Satake
            emailAddress              = mam@x-xx.jp
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                xx:E3:xx:32:xx:D4:xx:EF:xx:2A:xx:35:xx:4C:xx:DC:xx:AD:xx:D5
            X509v3 Authority Key Identifier:
                keyid:xx:B2:xx:88:xx:4E:xx:B4:xx:73:xx:DF:xx:5A:xx:72:xx:55:xx:33
Certificate is to be certified until Jul 11 00:02:50 2012 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
- Put the files in place & restart postfix
$ sudo cp postfix-cert.pem /etc/ssl/certs/
$ sudo cp postfixCA/postfix-key.pem /etc/ssl/private/
$ sudo chmod 644 /etc/ssl/certs/postfix-cert.pem
$ sudo chmod 400 /etc/ssl/private/postfix-key.pem
$ sudo service postfix restart
 * Stopping Postfix Mail Transport Agent postfix ...done.
 * Starting Postfix Mail Transport Agent postfix ...done.
- That should do it (hopefully).
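The memo never shows the main.cf lines that point Postfix at the installed certificate and key, so "should do it" is hard to confirm. The script below is an added example, not part of the original memo: it checks that main.cf sets the standard Postfix parameters smtpd_tls_cert_file, smtpd_tls_key_file, smtpd_tls_security_level and smtpd_tls_auth_only, that the referenced files exist, and that the key keeps the 400 mode set above. The function name check_postfix_tls is an assumption.

```shell
#!/bin/sh
# Added example: verify that main.cf actually wires the certificate and key
# installed in the steps above into Postfix, and that the key is not
# group/world readable. The parameter names are Postfix's own; the
# function name is an assumption.
check_postfix_tls() {
    cf="$1"
    rc=0
    # 1. Every parameter STARTTLS needs must be set.
    for p in smtpd_tls_cert_file smtpd_tls_key_file smtpd_tls_security_level; do
        grep -Eq "^[[:space:]]*$p[[:space:]]*=" "$cf" || { echo "missing: $p"; rc=1; }
    done
    # 2. Offer AUTH only inside TLS, so SASL passwords never cross in the clear.
    grep -Eq '^[[:space:]]*smtpd_tls_auth_only[[:space:]]*=[[:space:]]*yes' "$cf" \
        || { echo "smtpd_tls_auth_only is not yes"; rc=1; }
    # 3. The referenced files must exist; the key must be owner-only (400/600).
    cert=$(sed -n 's/^[[:space:]]*smtpd_tls_cert_file[[:space:]]*=[[:space:]]*//p' "$cf")
    key=$(sed -n 's/^[[:space:]]*smtpd_tls_key_file[[:space:]]*=[[:space:]]*//p' "$cf")
    [ -r "$cert" ] || { echo "cert not readable: $cert"; rc=1; }
    [ -f "$key" ] || { echo "key missing: $key"; rc=1; }
    if [ -f "$key" ]; then
        mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
        case "$mode" in
            400|600) ;;
            *) echo "key mode $mode too open: $key"; rc=1 ;;
        esac
    fi
    return $rc
}
# usage: check_postfix_tls /etc/postfix/main.cf
```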