Postfix / Dovecot SSL configuration

Time: 2015-05-28 08:44:26

Tags: email ssl postfix-mta dovecot

I have set up an Ubuntu 14.04 server and it has been running fine for a while. Web, FTP and mail servers are installed and working on it. A week ago the SSL certificate I use to connect to the admin console and to mail expired, so I went ahead and obtained a new certificate from StartSSL.

The new certificate is for mail.mydomain.com. The Postfix configuration (main.cf) contains the following:

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = /usr/share/doc/postfix
# TLS parameters
smtpd_tls_cert_file = /etc/postfix/mail.crt
smtpd_tls_key_file = /etc/postfix/mail.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
myhostname = mail.mysite.com
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
myorigin = /etc/mailname
mydestination = mail.mysite.eu, localhost, localhost.localdomain

Dovecot.conf

protocols = imap pop3
auth_mechanisms = plain login
disable_plaintext_auth = no
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_privileged_group = vmail
postmaster_address = postmaster@saturn13.eu
ssl_cert = </etc/postfix/mail.crt
ssl_key = </etc/postfix/mail.key
ssl_protocols = !SSLv2 !SSLv3

dovecot/conf.d/10-ssl.conf

ssl = yes
ssl_cert = </etc/postix/mail.crt
ssl_key = </etc/postfix/mail.key

I read that StartSSL requires the intermediate and root CA to be installed, so I tried concatenating them into a mail.pem file, which I then set in Postfix and Dovecot. Whatever I try, every time I run the OpenSSL test the result is:

root@server:/etc/dovecot# openssl s_client -connect mail.mysite.com:465
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

What puzzles me even more is that when I try to connect to the account with Thunderbird, a popup appears asking me to confirm a security exception for www.mysite.com:443.

So, can you help me figure out what is wrong with this configuration? When I open the mail.crt file in Windows, everything looks fine. So why can't I connect to the server? And why is Thunderbird trying to connect to www on port 443?

Thanks!

1 answer:

Answer 0 (score: 0)

Using a StartSSL certificate requires waiting a day, otherwise OCSP validation will fail.

Firefox and Thunderbird have OCSP enabled. Maybe that is the reason for TB (Thunderbird)...

For the OpenSSL error, maybe you are using the wrong ciphers? Have a look here: https://weakdh.org/sysadmin.html

Your mail.crt should look like:

-----BEGIN CERTIFICATE-----
...XXX...
-----END CERTIFICATE-----

and your mail.key like

-----BEGIN RSA PRIVATE KEY-----
...XXX...
-----END RSA PRIVATE KEY-----

You don't need to install the StartSSL root cert, since it is installed in all browsers... just the intermediate:

For Postfix I'm using

smtpd_tls_CAfile = /etc/ssl/private/sub.class1.server.ca.pem

for Dovecot

ssl_ca = </etc/ssl/private/sub.class1.server.ca.pem

and Apache

SSLCertificateChainFile /etc/ssl/private/sub.class1.server.ca.pem
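The checks behind this answer (the key belongs to the cert, the intermediate really links the leaf to the root, and the server sends that intermediate) can be scripted with the openssl CLI. The following is an added example, not code from the asker or the answerer; it assumes leaf, key, intermediate and root exist as separate PEM files, and it builds a throwaway demo PKI so the offline checks can be run without a StartSSL chain.

```shell
#!/bin/sh
# Checks for a Postfix/Dovecot certificate deployment, using only the openssl
# CLI so it can run on the mail host itself.

# Return 0 when the private key belongs to the certificate (same public key).
cert_key_match() {  # usage: cert_key_match mail.crt mail.key
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# Return 0 when the leaf verifies up to the root through the given
# intermediate, i.e. the file named in smtpd_tls_CAfile / ssl_ca is right.
chain_verifies() {  # usage: chain_verifies mail.crt intermediate.pem root.pem
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Print how many certificates a running server presents; 1 means it is not
# sending the intermediate. 465/993/995 are implicit TLS, so connect directly;
# for 25/587 add "-starttls smtp" to the s_client line.
served_chain_depth() {  # usage: served_chain_depth mail.example.com:465
    openssl s_client -connect "$1" -showcerts </dev/null 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Build a throwaway root -> intermediate -> leaf PKI in directory $1 so the
# checks can be exercised offline (constructed demo, not a StartSSL chain).
make_demo_pki() {
    d=$1; mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' >"$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.test\n' >"$d/leaf.ext"
    for n in root int mail; do   # one key + CSR per tier
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" >/dev/null 2>&1
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" >/dev/null 2>&1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" >/dev/null 2>&1
    openssl x509 -req -in "$d/mail.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -extfile "$d/leaf.ext" -out "$d/mail.crt" >/dev/null 2>&1
}

# Stand-alone demo: sh check_chain.sh --demo
if [ "${1:-}" = "--demo" ]; then
    t=$(mktemp -d); make_demo_pki "$t"
    cert_key_match "$t/mail.crt" "$t/mail.key" && echo "key matches cert"
    chain_verifies "$t/mail.crt" "$t/int.pem" "$t/root.pem" && echo "chain verifies"
    rm -rf "$t"
fi
```

On the real host, point cert_key_match at the files from smtpd_tls_cert_file / smtpd_tls_key_file and chain_verifies at the intermediate from smtpd_tls_CAfile together with the StartSSL root from the system store.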