証明書を書き換えた後の処理
このときSSLサポートを有効にするをはずしたり、付けたりしないとうまく書き換わらない場合がる
Plesk10でPort25で認証を行うときはSSLを使用しなくてもいいが、サブミッションポートを利用する場合はすべてSSL認証を行う必要があるようだ
Plesk10でmailをSSLを通して行う場合はサーバとして一つの証明書で行う(WEBのようにドメインごとに必要なSNI対応ではない)
そこで、各バーチャルドメインのユーザのアクセスsmtp、pop、imapサーバをすべて同じサーバにする。つまりコモンネーム(CN)が異なるとSSLでアクセス時にCNが異なるとアラームでる。
以下のところに秘密鍵と証明書をデフォルトのものから変更する(postfix_default.pem,pop3d.pem,imapd.pemには同じ内容でOK)以下のようなファイルになる
-----BEGIN RSA PRIVATE KEY----- <==秘密鍵 MIIEpAIBAAKCAQEAsxs732n64hlWgaSPGpChvoTWx1dVJRSvht8N5EVuRFc9sejW 6Ju990+jyU6b6Q1p6X025qr2ZI/57GUWT4p482hQFG9ATqBNtjspL4dq2z/4QdxS (略) HV/InAAZZJyP7UutThaSo9ScYgdDP/OdeM6piccio8QqjAzxrqW5h2ZS4TPw8yJp z8F4Dl5TgV+WQMBjXmFzMMObpP4FJRj+cFZH6yudqO6pLnYUHhII6Q== -----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- <=証明書 MIIDszCCApsCBE6go70wDQYJKoZIhvcNAQEFBQAwgZ0xCzAJBgNVBAYTAlVTMREw DwYDVQQIEwhWaXJnaW5pYTEQMA4GA1UEBxMHSGVybmRvbjESMBAGA1UEChMJUGFy YWxsZWxzMRgwFgYDVQQLEw9QYXJhbGxlbHMgUGFuZWwxGDAWBgNVBAMTD1BhcmFs (略) /2QlQqC11dnEqHF8Sf1FRrr7MpKQUW718XzliJADurHwObQtia/Yv+HKQYwInS1i lLt/Ihjbj6cQA7hmGEyQPQg+/5Z9OSVnbtJp4BNl0zJxxPlQ2j+REsu5fyTQi8oj 0YB1l3v7Qq66xt3WyfhTKjNhOzuvA8gAaw81Yp1P3sCL4bz4rS0i -----END CERTIFICATE-----
/etc/postfix/postfix_default.pem
/usr/share/courier-imap/pop3d.pem
/usr/share/courier-imap/imapd.pem
mail.meiwa-schoolに接続しているが証明書はwww.wesden.net
$ openssl s_client -connect mail.meiwa-school.jp:465 -state CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL_connect:SSLv3 read server hello A depth=0 /serialNumber=mCsiVxo7NM8ovhEf1DaWqoq-5VQtBiMM/C=JP/O=www.wesden.net/\ OU=GT70829167/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control \ Validated - RapidSSL(R)/CN=www.wesden.net verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /serialNumber=mCsiVxo7NM8ovhEf1DaWqoq-5VQtBiMM/C=JP/O=www.wesden.net/\ OU=GT70829167/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control \ Validated - RapidSSL(R)/CN=www.wesden.net verify error:num=27:certificate not trusted verify return:1 depth=0 /serialNumber=mCsiVxo7NM8ovhEf1DaWqoq-5VQtBiMM/C=JP/O=www.wesden.net/\ OU=GT70829167/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control \ Validated - RapidSSL(R)/CN=www.wesden.net verify error:num=21:unable to verify the first certificate verify return:1 SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server key exchange A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL_connect:SSLv3 read finished A --- Certificate chain 0 s:/serialNumber=mCsiVxo7NM8ovhEf1DaWqoq-5VQtBiMM/C=JP/O=www.wesden.net/OU\ =GT70829167/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control \ Validated - RapidSSL(R)/CN=www.wesden.net i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA --- Server certificate -----BEGIN CERTIFICATE----- MIIE1zCCA7+gAwIBAgIDA7MVMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT (略) r2jiWAbvQe5Tu9vWfZPUqqpodha1kCWo60RxkNtxKtCN4q+owAMeIzKooQ== -----END CERTIFICATE----- subject=/serialNumber=mCsiVxo7NM8ovhEf1DaWqoq-5VQtBiMM/C=JP/O=www.wesden.net/\ OU=GT70829167/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control \ Validated - RapidSSL(R)/CN=www.wesden.net issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA --- No client certificate CA names sent --- SSL handshake has read 1935 bytes and written 322 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 2048 bit SSL-Session: Protocol : TLSv1 Cipher : DHE-RSA-AES256-SHA Session-ID: 8646BCD2FDD15F8C86004874084E666A642802F85C31A9480500DD906D4D0D56 Session-ID-ctx: Master-Key: 3F80FD0143853FEA4C64910355ECB54B2D50BDDC8620742163C9982BA21F320295924ED796F127D17024BD1ACB26A236 Key-Arg : None Start Time: 1319698725 Timeout : 300 (sec) Verify return code: 21 (unable to verify the first certificate) --- 220 plesk10.stock-cube.net ESMTP Postfix quit <=終了コマンド 221 2.0.0 Bye read:errno=0 SSL3 alert write:warning:close notify
-----BEGIN CERTIFICATE----- MIIE1zCCA7+gAwIBAgIDA7MVMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT (略) r2jiWAbvQe5Tu9vWfZPUqqpodha1kCWo60RxkNtxKtCN4q+owAMeIzKooQ== -----END CERTIFICATE-----
の部分をたとえばssl_2012.crtに保存
$ openssl x509 -in ssl_2012.crt -noout -dates notBefore=Oct 31 10:24:28 2012 GMT notAfter=Dec 4 09:07:29 2013 GMT
で確認
Postfix
/etc/postfix/main.cfには以下のようになっている
smtpd_tls_cert_file = /etc/postfix/postfix_default.pem smtpd_tls_key_file = $smtpd_tls_cert_file smtpd_tls_security_level = may smtpd_use_tls = yes smtp_tls_security_level = may smtp_use_tls = no smtpd_timeout = 3600s smtpd_proxy_timeout = 3600s
courier-imap
##NAME: TLS_CERTFILE:0 # # TLS_CERTFILE - certificate to use. TLS_CERTFILE is required for SSL/TLS # servers, and is optional for SSL/TLS clients. TLS_CERTFILE is usually # treated as confidential, and must not be world-readable. # TLS_CERTFILE=/usr/share/courier-imap/pop3d.pem ##NAME: TLS_TRUSTCERTS:0
# TLS_DHCERTFILE= ##NAME: TLS_CERTFILE:0 # # TLS_CERTFILE - certificate to use. TLS_CERTFILE is required for SSL/TLS # servers, and is optional for SSL/TLS clients. TLS_CERTFILE is usually # treated as confidential, and must not be world-readable. # TLS_CERTFILE=/usr/share/courier-imap/imapd.pem ##NAME: TLS_TRUSTCERTS:0
送信ポートは465でも可能でSTARTTLSの通信になるみたい
587ではSSLの暗号化はされない?(未確認)
http://www.atmarkit.co.jp/fwin2k/win2ktips/1100mailssl/mailssl.html
「セキュリティで保護されたパスワード認証でログオンする」はMS固有の認証方式なのではずす