Making Postfix use a self-signed certificate you created yourself for SSL

■Making Postfix use a self-signed certificate you created yourself for SSL.

 Simply overwriting "ssl-cert-snakeoil.pem" and "ssl-cert-snakeoil.key" in place is
 another option, but it has its own pros and cons: the change is picked up by daemons
 you did not intend to affect, and the files themselves may get overwritten.

■See the page below for how to create a self-signed certificate.
 Even if you don't fully understand it, copying and pasting the script and running it will do the job.

 Creating a self-signed certificate usable with Wheezy+openssl+apache2
 http://d.hatena.ne.jp/labunix/20130514

■Postfix's default self-signed certificate is the same snakeoil one that apache2 uses.

$ grep snakeoil /etc/apache2/sites-available/default-ssl
        #   A self-signed (snakeoil) certificate can be created by installing
        SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

$ grep "smtpd.*file" /etc/postfix/main.cf
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

■Change Postfix to reference the same self-signed certificate as apache2.
 The paths apache2 references are configured as follows.

$ grep "SSLCert.*File" /etc/apache2/sites-available/vhost-ssl | grep -v "#"
        SSLCertificateFile    /etc/ssl/certs/lpic303.test.local.pem
        SSLCertificateKeyFile /etc/ssl/private/lpic303.test.local.key

■Comment out the existing settings in main.cf

$ sudo sed -i s/"smtpd.*file"/"#&"/ /etc/postfix/main.cf

■Insert the new file references into main.cf

$ sudo sed -i s%"smtpd_tls_key_file.*"%"&\nsmtpd_tls_cert_file=/etc/ssl/certs/lpic303.test.local.pem\n\
smtpd_tls_key_file=/etc/ssl/private/lpic303.test.local.key"% /etc/postfix/main.cf

■Reload the configuration

$ sudo postfix check && sudo /etc/init.d/postfix reload

■Confirm the settings.

$ sudo postconf | grep "^smtpd.*file"
smtpd_tls_CAfile =
smtpd_tls_cert_file = /etc/ssl/certs/lpic303.test.local.pem
smtpd_tls_dcert_file =
smtpd_tls_dh1024_param_file =
smtpd_tls_dh512_param_file =
smtpd_tls_dkey_file = $smtpd_tls_dcert_file
smtpd_tls_eccert_file =
smtpd_tls_eckey_file = $smtpd_tls_eccert_file
smtpd_tls_key_file = /etc/ssl/private/lpic303.test.local.key
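The four steps above (comment out, insert, reload, confirm) as one script, added here as an example and not part of the original post. It does the same switch the post does with sed, but as a function over a main.cf path so it can be tried on a copy first; it comments out only the two parameters being replaced (the post's "smtpd.*file" pattern would also catch smtpd_tls_CAfile and the dcert/eccert entries if they were active), reads the effective values back the way postconf reports them (last uncommented assignment wins), and checks that the referenced key is not world-readable before you run "postfix check". The certificate and key paths are the ones from the post; the sample main.cf it operates on is constructed inline for demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): switch smtpd_tls_cert_file /
# smtpd_tls_key_file in a main.cf given as an argument, then read back the
# effective values and sanity-check the files before reloading Postfix.
# Paths are the ones used in the post; the sample main.cf is constructed below.

CERT=/etc/ssl/certs/lpic303.test.local.pem
KEY=/etc/ssl/private/lpic303.test.local.key

# Comment out every active smtpd_tls_cert_file / smtpd_tls_key_file line
# (only those two, so smtpd_tls_CAfile and friends are left alone) and append
# the new pair at the end. Safe to re-run: a second run comments out the pair
# it appended and appends it again.
switch_tls_files() {
    cf=$1 cert=$2 key=$3
    tmp=$(mktemp) || return 1
    sed -e 's/^[[:space:]]*smtpd_tls_cert_file[[:space:]]*=/#&/' \
        -e 's/^[[:space:]]*smtpd_tls_key_file[[:space:]]*=/#&/' "$cf" >"$tmp" || return 1
    printf 'smtpd_tls_cert_file = %s\nsmtpd_tls_key_file = %s\n' "$cert" "$key" >>"$tmp"
    cat "$tmp" >"$cf"   # write back in place so the file keeps its owner and mode
    rm -f "$tmp"
}

# Print the effective value of one parameter: the last uncommented assignment,
# with whitespace around "=" stripped, mirroring "postconf <param>".
effective_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Check before "postfix check && postfix reload": both files must exist and the
# private key must not be readable by "other" (Debian ships it root:ssl-cert 0640).
check_tls_files() {
    cert=$(effective_value "$1" smtpd_tls_cert_file)
    key=$(effective_value "$1" smtpd_tls_key_file)
    [ -f "$cert" ] || { echo "missing certificate: $cert" >&2; return 1; }
    [ -f "$key" ]  || { echo "missing private key: $key" >&2; return 1; }
    case $(ls -ld "$key" | cut -c8-10) in
        ---) return 0 ;;
        *)   echo "private key is world-readable: $key" >&2; return 1 ;;
    esac
}

# Demo on a constructed copy of the Debian default lines shown in the post.
demo_cf=$(mktemp)
cat >"$demo_cf" <<'EOF'
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
EOF
switch_tls_files "$demo_cf" "$CERT" "$KEY"
echo "cert: $(effective_value "$demo_cf" smtpd_tls_cert_file)"
echo "key:  $(effective_value "$demo_cf" smtpd_tls_key_file)"
rm -f "$demo_cf"
```

Run it against a copy of /etc/postfix/main.cf first, then against the real file as root, and only reload after check_tls_files passes; a key that is readable by "other" is the one mistake postconf's output above will not show you.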

■smtps is commented out, so it is not listening yet.

$ grep smtps /etc/postfix/master.cf
#smtps     inet  n       -       -       -       -       smtpd
#  -o syslog_name=postfix/smtps

$ grep smtp /etc/services
smtp            25/tcp          mail
ssmtp           465/tcp         smtps           # SMTP over SSL

$ netstat -an | grep "\:25\|\:465"
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp6       0      0 :::25                   :::*                    LISTEN

■Enable it

$ sudo cp -pi /etc/postfix/master.cf /etc/postfix/master.cf.before_ssl
$ diff /etc/postfix/master.cf /etc/postfix/master.cf.before_ssl
22,27c22,27
< smtps     inet  n       -       -       -       -       smtpd
<   -o syslog_name=postfix/smtps
<   -o smtpd_tls_wrappermode=yes
<   -o smtpd_sasl_auth_enable=yes
<   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
<   -o milter_macro_daemon_name=ORIGINATING
---
> #smtps     inet  n       -       -       -       -       smtpd
> #  -o syslog_name=postfix/smtps
> #  -o smtpd_tls_wrappermode=yes
> #  -o smtpd_sasl_auth_enable=yes
> #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> #  -o milter_macro_daemon_name=ORIGINATING

■Reload the configuration and confirm

$ sudo postfix check && sudo /etc/init.d/postfix reload

$ netstat -an | grep "\:25\|\:465"
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN
tcp6       0      0 :::25                   :::*                    LISTEN
tcp6       0      0 :::465                  :::*                    LISTEN

■Verifying the self-signed certificate

■For apache2
 The "openssl s_client" command behaves like an SSL-capable telnet.

$ openssl s_client -connect lpic303.test.local:443
...
    Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Sat, 25 May 2013 05:52:34 GMT
Server: Apache/2.2.22 (Debian)
Last-Modified: Sun, 12 May 2013 12:53:58 GMT
ETag: "40ce8-b1-4dc84e4bc76cc"
Accept-Ranges: bytes
Content-Length: 177
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1>
<p>This is the default web page for this server.</p>
<p>The web server software is running but no content has been added, yet.</p>
</body></html>
closed

■For Postfix

$ openssl s_client -connect lpic303.test.local:465
CONNECTED(00000003)
depth=0 C = JP, ST = Tokyo, L = Virtual City, O = Paper Company, OU = Test Unit, CN = lpic303.test.local, emailAddress = root@lpic303.test.local
verify error:num=18:self signed certificate
verify return:1
depth=0 C = JP, ST = Tokyo, L = Virtual City, O = Paper Company, OU = Test Unit, CN = lpic303.test.local, emailAddress = root@lpic303.test.local
verify return:1
---
Certificate chain
 0 s:/C=JP/ST=Tokyo/L=Virtual City/O=Paper Company/OU=Test Unit/CN=lpic303.test.local/emailAddress=root@lpic303.test.local
   i:/C=JP/ST=Tokyo/L=Virtual City/O=Paper Company/OU=Test Unit/CN=lpic303.test.local/emailAddress=root@lpic303.test.local
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDyDCCArACCQCMUKblzsR84jANBgkqhkiG9w0BAQUFADCBpTELMAkGA1UEBhMC
SlAxDjAMBgNVBAgMBVRva3lvMRUwEwYDVQQHDAxWaXJ0dWFsIENpdHkxFjAUBgNV
BAoMDVBhcGVyIENvbXBhbnkxEjAQBgNVBAsMCVRlc3QgVW5pdDEbMBkGA1UEAwwS
bHBpYzMwMy50ZXN0LmxvY2FsMSYwJAYJKoZIhvcNAQkBFhdyb290QGxwaWMzMDMu
dGVzdC5sb2NhbDAeFw0xMzA1MTQwOTU2MzRaFw0xNDA1MTQwOTU2MzRaMIGlMQsw
CQYDVQQGEwJKUDEOMAwGA1UECAwFVG9reW8xFTATBgNVBAcMDFZpcnR1YWwgQ2l0
eTEWMBQGA1UECgwNUGFwZXIgQ29tcGFueTESMBAGA1UECwwJVGVzdCBVbml0MRsw
GQYDVQQDDBJscGljMzAzLnRlc3QubG9jYWwxJjAkBgkqhkiG9w0BCQEWF3Jvb3RA
bHBpYzMwMy50ZXN0LmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAz4a6mAY5sUoLJIVjkMtxGBDO+eolCaU74ruIqx5tloktyNUJZQ2z+yXkf0ZB
QkiC7x52Rp7scdH6iznnnWOeVBARsrsqm6syjgCPnxb9Kic+5ZEdcWlCMcSIGDf7
cDEkz2maTLsu1rcEaALJwM4KkNwtr2/J6j4Qh1Hh5gk0ePGSy4bPyGjOcK4pHGPH
Id9vat9EzvRPcmH+bPBqXubIJPSeO6X5hT/WOZxIfRxtHtyst39O1oIH25L3jfsK
Pwzv17C3NrCZSokjQb5m0Rab9Un6savTQ2ox30ZCeq2jZGIsW9ABb3jw3qwz1EYt
q413AOzKtcaU6oVTyk1w6J81oQIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQBj+ga+
ODBXTlhpNZwER86SFlySM/rHTeQ0jxcuZvIn/LgyEYTnXWOfhiage/ymBwWkmAVl
nMc5tlOHfj4B4chEV648ViHgUEtsSbefd8FUVKkv4NOCXCqXgfyKizkqi9N4kpdX
hSkdyJuRXk6nCDzdGnQcgsXpTIehllKM7NDf2zQPQFT4UOnFuLOSN/NDAcgBd8av
WcK6b1qMRLbynKAjk9PHav1hBwnEtZxyjpd9IACq9rq7eGI+CZQpV80h4/paxxfq
Ugpw508Mi41GMz+kj9MKmiKV96Ff0Gq0EuVx+ckThYRe5RfsRejQQnUMr0rJrJkl
1zBXdIl0sq2Dytej
-----END CERTIFICATE-----
subject=/C=JP/ST=Tokyo/L=Virtual City/O=Paper Company/OU=Test Unit/CN=lpic303.test.local/emailAddress=root@lpic303.test.local
issuer=/C=JP/ST=Tokyo/L=Virtual City/O=Paper Company/OU=Test Unit/CN=lpic303.test.local/emailAddress=root@lpic303.test.local
---
No client certificate CA names sent
---
SSL handshake has read 1655 bytes and written 455 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 54D06E9E00D40DA968A0C5777863631CDF90971861D435BAFC5960D738570FD9
    Session-ID-ctx:
    Master-Key: E264D8A18B91E3086BE181AF55982B6454E72730C14DFA03346AD9AAF24E0EE23EA81218E08BBA90DA6A4E87CF46C294
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 3600 (seconds)
    TLS session ticket:
    0000 - 4c 83 ed 50 c4 1c da 62-e3 d1 b1 e3 8e 7e 4d 2c   L..P...b.....~M,
    0010 - 70 9a ae 05 03 ca 12 76-07 20 7c 0a 32 e1 7f a3   p......v. |.2...
    0020 - c8 10 2c 31 d1 a6 10 e2-c5 a4 5d fe b5 00 f3 9f   ..,1......].....
    0030 - 0c e4 d2 7e 9c 21 cd 9a-fc 63 3b 47 3a 36 ea 65   ...~.!...c;G:6.e
    0040 - e8 d5 eb a6 56 99 67 a2-b4 59 65 0f 1a d4 db 1b   ....V.g..Ye.....
    0050 - b4 30 1b 0c 75 59 28 58-60 64 08 aa 0d 2c f9 df   .0..uY(X`d...,..
    0060 - 7b 52 20 2c e7 31 e4 c0-bb 33 ca 12 c4 ea dd 84   {R ,.1...3......
    0070 - bf 33 88 1f db fc fd e0-67 cf 4b ba ed 5b 10 52   .3......g.K..[.R
    0080 - d4 dd f8 03 bf 4b a4 60-df c6 22 d9 fb 4b 1b 70   .....K.`.."..K.p
    0090 - f4 29 07 1c 73 2b 72 49-f4 40 ab c0 a2 70 c8 84   .)..s+rI.@...p..
    00a0 - bb bd 91 c1 4c ac 10 89-57 44 bc b3 96 51 a6 2a   ....L...WD...Q.*

    Compression: 1 (zlib compression)
    Start Time: 1369461092
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
220 lpic303.test.local ESMTP Postfix (Debian/GNU)
ehlo localhost
250-lpic303.test.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH DIGEST-MD5 NTLM CRAM-MD5 PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
closed