POP over SSL / smtp over SSL

Updated 2016-02-07 (Sun) 17:19:04


On Plesk 10, authenticating on port 25 does not require SSL, but when the submission port is used, all authentication apparently has to go over SSL. When Plesk 10 handles mail over SSL it uses a single certificate for the whole server (not one per domain via SNI, as on the web).
So the SMTP, POP and IMAP servers that the users of every virtual domain access are all set to the same server name. If the common name (CN) in the certificate differs from the name the client connects to, the client raises a warning on SSL access.

Replace the default private key and certificate in the files listed below with your own (postfix_default.pem, pop3d.pem and imapd.pem may all have the same content). The file looks like this:

-----BEGIN RSA PRIVATE KEY-----  <== private key
(omitted)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----      <== certificate
(omitted)
-----END CERTIFICATE-----

Files to change

/etc/postfix/postfix_default.pem

/usr/share/courier-imap/pop3d.pem

/usr/share/courier-imap/imapd.pem

Verification

Connecting to mail.meiwa-school, but the certificate presented is for www.wesden.net:

$ openssl s_client -connect mail.meiwa-school.jp:465 -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 /serialNumber=mCsiVxo7NM8ovhEf1DaWqoq-5VQtBiMM/C=JP/O=www.wesden.net/\
OU=GT70829167/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control \
Validated - RapidSSL(R)/CN=www.wesden.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /serialNumber=mCsiVxo7NM8ovhEf1DaWqoq-5VQtBiMM/C=JP/O=www.wesden.net/\
OU=GT70829167/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control \
Validated - RapidSSL(R)/CN=www.wesden.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 /serialNumber=mCsiVxo7NM8ovhEf1DaWqoq-5VQtBiMM/C=JP/O=www.wesden.net/\
OU=GT70829167/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control \
Validated - RapidSSL(R)/CN=www.wesden.net
verify error:num=21:unable to verify the first certificate
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/serialNumber=mCsiVxo7NM8ovhEf1DaWqoq-5VQtBiMM/C=JP/O=www.wesden.net/OU\
=GT70829167/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control \
Validated - RapidSSL(R)/CN=www.wesden.net
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIE1zCCA7+gAwIBAgIDA7MVMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
(omitted)
r2jiWAbvQe5Tu9vWfZPUqqpodha1kCWo60RxkNtxKtCN4q+owAMeIzKooQ==
-----END CERTIFICATE-----
subject=/serialNumber=mCsiVxo7NM8ovhEf1DaWqoq-5VQtBiMM/C=JP/O=www.wesden.net/\
OU=GT70829167/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control \
Validated - RapidSSL(R)/CN=www.wesden.net
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 1935 bytes and written 322 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 8646BCD2FDD15F8C86004874084E666A642802F85C31A9480500DD906D4D0D56
    Session-ID-ctx:
    Master-Key: 3F80FD0143853FEA4C64910355ECB54B2D50BDDC8620742163C9982BA21F320295924ED796F127D17024BD1ACB26A236
    Key-Arg   : None
    Start Time: 1319698725
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
220 plesk10.stock-cube.net ESMTP Postfix
quit <== exit command
221 2.0.0 Bye
read:errno=0
SSL3 alert write:warning:close notify
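The mismatch shown above (client connects to one name, certificate carries another CN) can be checked for all three SSL mail ports at once. This is an added example, not from the page; it uses Python's ssl module, assumes the server name users configure is passed in (mail.example.jp is a placeholder), and keeps chain verification on, so the "unable to verify the first certificate" condition from the output above (the chain listing shows only the server certificate, so the RapidSSL CA intermediate was not sent) surfaces as an SSLCertVerificationError rather than being hidden.

```python
import socket
import ssl

# Ports covered by the page: SMTP over SSL, POP3 over SSL, IMAP over SSL.
SSL_PORTS = {"smtps": 465, "pop3s": 995, "imaps": 993}

def cert_names(cert):
    """DNS names a getpeercert() dict is valid for: SAN dNSName entries, else subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names

def name_matches(pattern, host):
    """Exact match, or a wildcard that covers exactly one left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])

def cert_matches_host(cert, host):
    """True when the name users put in their mail client is covered by the certificate."""
    return any(name_matches(name, host) for name in cert_names(cert))

def same_certificate(certs):
    """True when every service presented one and the same certificate (serial + issuer)."""
    return len({(c.get("serialNumber"), c.get("issuer")) for c in certs}) == 1

def fetch_cert(host, port, timeout=5.0):
    """Fetch the peer certificate as a dict. Chain verification stays on (a missing
    intermediate raises SSLCertVerificationError); host-name matching is done by us."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # compare names ourselves, to report per service
    ctx.verify_mode = ssl.CERT_REQUIRED  # with CERT_NONE, getpeercert() would return {}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def check_mail_host(host):
    """Per-service result for the one server name all virtual domains should use
    (host is an assumed input, e.g. "mail.example.jp")."""
    certs = {svc: fetch_cert(host, port) for svc, port in SSL_PORTS.items()}
    report = {svc: cert_matches_host(cert, host) for svc, cert in certs.items()}
    report["same_cert_on_all_ports"] = same_certificate(certs.values())
    return report
```

A False entry for any service means clients using that name will get the CN warning described above; a False same_cert_on_all_ports means one of the three pem files was not replaced.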

Configuration locations

Postfix

/etc/postfix/main.cf contains the following (smtpd_tls_key_file points at the same pem file, which is why postfix_default.pem holds both the private key and the certificate):

smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_use_tls = yes
smtp_tls_security_level = may
smtp_use_tls = no
smtpd_timeout = 3600s
smtpd_proxy_timeout = 3600s

courier-imap

##NAME: TLS_CERTFILE:0
#
# TLS_CERTFILE - certificate to use.  TLS_CERTFILE is required for SSL/TLS
# servers, and is optional for SSL/TLS clients.  TLS_CERTFILE is usually
# treated as confidential, and must not be world-readable.
#
TLS_CERTFILE=/usr/share/courier-imap/pop3d.pem

##NAME: TLS_TRUSTCERTS:0
# TLS_DHCERTFILE=

##NAME: TLS_CERTFILE:0
#
# TLS_CERTFILE - certificate to use.  TLS_CERTFILE is required for SSL/TLS
# servers, and is optional for SSL/TLS clients.  TLS_CERTFILE is usually
# treated as confidential, and must not be world-readable.
#
TLS_CERTFILE=/usr/share/courier-imap/imapd.pem

##NAME: TLS_TRUSTCERTS:0
