turboLinux_White Box Enterprise Linux_Fedora Core_Red Hat Memo/POP over SSL / smtp over SSL
*POP over SSL / smtp over SSL [#qbcc0adb]
RIGHT:Last updated &lastmod();
**Changing the web certificate [#h1059493]
Steps after replacing the certificate
-At the bottom of the "Websites & Domains" menu, for the domain...
-In "Hosting settings for ○○", click "OK"
&color(red){At this point, unchecking "Enable SSL support" or...
**POP over SSL / smtp over SSL [#b1b3220a]
On Plesk 10, when authenticating on port 25 there is no need to use SSL...
On Plesk 10, when mail goes over SSL, the server uses a single cert...
&color(red){Therefore, access by each virtual domain's users...
Change the private key and certificate from the default ones in the following locations...
-----BEGIN RSA PRIVATE KEY----- <== private key
MIIEpAIBAAKCAQEAsxs732n64hlWgaSPGpChvoTWx1dVJRSvht8N5EVu...
6Ju990+jyU6b6Q1p6X025qr2ZI/57GUWT4p482hQFG9ATqBNtjspL4dq...
(omitted)
HV/InAAZZJyP7UutThaSo9ScYgdDP/OdeM6piccio8QqjAzxrqW5h2ZS...
z8F4Dl5TgV+WQMBjXmFzMMObpP4FJRj+cFZH6yudqO6pLnYUHhII6Q==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE----- <= certificate
MIIDszCCApsCBE6go70wDQYJKoZIhvcNAQEFBQAwgZ0xCzAJBgNVBAYT...
DwYDVQQIEwhWaXJnaW5pYTEQMA4GA1UEBxMHSGVybmRvbjESMBAGA1UE...
YWxsZWxzMRgwFgYDVQQLEw9QYXJhbGxlbHMgUGFuZWwxGDAWBgNVBAMT...
(omitted)
/2QlQqC11dnEqHF8Sf1FRrr7MpKQUW718XzliJADurHwObQtia/Yv+HK...
lLt/Ihjbj6cQA7hmGEyQPQg+/5Z9OSVnbtJp4BNl0zJxxPlQ2j+REsu5...
0YB1l3v7Qq66xt3WyfhTKjNhOzuvA8gAaw81Yp1P3sCL4bz4rS0i
-----END CERTIFICATE-----
***Files to change [#bdc0aad7]
-Postfix(SMTP)
/etc/postfix/postfix_default.pem
-POP3
/usr/share/courier-imap/pop3d.pem
-IMAP
/usr/share/courier-imap/imapd.pem
***Verification [#uaf29b36]
Check the certificate configured on the server~
''SMTP over SSL: 465'' (POP over SSL is checked the same way on port 995...
- -showcerts works in place of -status as well
$ openssl s_client -connect mail.meiwa-school.jp:465 -st...
CONNECTED(00000003)
OCSP response: no response sent
depth=0 /CN=mail.ssl-mail.info
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /CN=mail.ssl-mail.info
verify error:num=27:certificate not trusted
verify return:1
depth=0 /CN=mail.ssl-mail.info
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=mail.ssl-mail.info
i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIELTCCAxWgAwIBAgIDCer+MA0GCSqGSIb3DQEBCwUAMEcxCzAJBgNV...
(略)
PQ3Sv1RC9IhEDHB6x4PBygM=
-----END CERTIFICATE-----
subject=/CN=mail.ssl-mail.info
issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 1772 bytes and written 303 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: E8803F20A83554EF5DC690484D9875AAB2777935...
Session-ID-ctx:
Master-Key: 84BA4CADB65170CBECCCB1114C05FC09DAA72397...
Key-Arg : None
Start Time: 1454830396
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first c...
---
220 plesk10.stock-cube.net ESMTP Postfix
quit <= exit command
221 2.0.0 Bye
read:errno=0
SSL3 alert write:warning:close notify
***Checking the validity period [#ka79121a]
-----BEGIN CERTIFICATE-----
MIIE1zCCA7+gAwIBAgIDA7MVMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNV...
(omitted)
r2jiWAbvQe5Tu9vWfZPUqqpodha1kCWo60RxkNtxKtCN4q+owAMeIzKo...
-----END CERTIFICATE-----
Save the part above as, for example, ssl_2012.crt
$ openssl x509 -in ssl_2012.crt -noout -dates
notBefore=Oct 31 10:24:28 2012 GMT
notAfter=Dec 4 09:07:29 2013 GMT
This confirms the validity period.
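The two checks above (s_client on port 465 or 995, then x509 -dates on the saved certificate) as one script. This is an added example, not code from the memo or from Plesk: it runs the same openssl commands, parses their output, and flags the case the transcript shows, where the certificate chain has a single entry and the verify return code is 21. That combination means the server sends only the leaf certificate and not the RapidSSL intermediate, so clients cannot build a path to a trusted root. The host name in the main block is a placeholder and the SAMPLE_S_CLIENT text is constructed from the memo's transcript.

```python
"""Automate the memo's manual TLS checks on a mail server.

Added example, not code from the memo or from Plesk: wraps the same
`openssl s_client -showcerts` and `openssl x509 -noout -dates` commands,
parses their output, and flags a one-entry chain with verify code 20/21.
The host name in main is a placeholder; SAMPLE_S_CLIENT is constructed.
"""
import re
import subprocess
import sys
from datetime import datetime, timezone

CHAIN_ENTRY = re.compile(r"^\s*(\d+) s:(.*)$", re.MULTILINE)
VERIFY_CODE = re.compile(r"Verify return code: (\d+) \((.*?)\)")
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----",
                       re.DOTALL)


def parse_s_client(output: str) -> dict:
    """Extract chain subjects, the final verify code and the first PEM block
    (the server certificate) from s_client output (stdout + stderr)."""
    match = VERIFY_CODE.search(output)
    pem = PEM_BLOCK.search(output)
    return {
        "subjects": [subj.strip() for _, subj in CHAIN_ENTRY.findall(output)],
        "verify_code": int(match.group(1)) if match else None,
        "verify_reason": match.group(2) if match else "",
        "server_pem": pem.group(0) if pem else None,
    }


def diagnose(parsed: dict) -> list:
    """Turn a parsed s_client result into findings; an empty list means OK."""
    code = parsed["verify_code"]
    if code is None:
        return ["no 'Verify return code' line: the TLS handshake did not complete"]
    if code == 0:
        return []
    if code in (20, 21) and len(parsed["subjects"]) == 1:
        # Error 20/21 plus a single chain entry is the memo's case: only the
        # leaf is sent, so clients cannot reach a trusted CA from it.
        return ["only the leaf certificate is sent; append the issuing CA's "
                "intermediate certificate(s) after the server certificate in "
                "the PEM file so clients can build the chain"]
    return [f"verification failed: code {code} ({parsed['verify_reason']})"]


def parse_openssl_date(text: str) -> datetime:
    """Parse the 'Dec  4 09:07:29 2013 GMT' form printed by openssl."""
    naive = datetime.strptime(text.strip(), "%b %d %H:%M:%S %Y %Z")
    return naive.replace(tzinfo=timezone.utc)


def parse_dates_output(text: str) -> dict:
    """Parse the notBefore=/notAfter= lines of `openssl x509 -noout -dates`."""
    fields = dict(line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {key: parse_openssl_date(value) for key, value in fields.items()}


def days_remaining(not_after: datetime, now: datetime) -> int:
    """Whole days until notAfter; negative once the certificate has expired."""
    return (not_after - now).days


def run_openssl(args: list, stdin_text: str) -> str:
    proc = subprocess.run(["openssl", *args], input=stdin_text,
                          capture_output=True, text=True)
    return proc.stdout + proc.stderr


def check_server(host: str, port: int, now: datetime) -> dict:
    """The memo's check for one port: s_client, then x509 -dates on the leaf."""
    # "QUIT" on stdin ends the session, like the memo's typed "quit".
    out = run_openssl(["s_client", "-connect", f"{host}:{port}",
                       "-servername", host, "-showcerts"], "QUIT\n")
    parsed = parse_s_client(out)
    report = {"host": host, "port": port, "findings": diagnose(parsed)}
    if parsed["server_pem"]:
        dates = parse_dates_output(run_openssl(["x509", "-noout", "-dates"],
                                               parsed["server_pem"]))
        report["days_remaining"] = days_remaining(dates["notAfter"], now)
    return report


# Constructed sample in the shape of the memo's transcript (PEM abbreviated).
SAMPLE_S_CLIENT = """\
CONNECTED(00000003)
depth=0 /CN=mail.ssl-mail.info
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=mail.ssl-mail.info
   i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIELTCCAxWgAwIBAgIDCer+MA0GCSqGSIb3DQEBCwUAMEcxCzAJBgNV
-----END CERTIFICATE-----
subject=/CN=mail.ssl-mail.info
issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
---
    Verify return code: 21 (unable to verify the first certificate)
---
"""

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.jp"  # placeholder
    now = datetime.now(timezone.utc)
    for port in (465, 995, 993):  # SMTPS, POP3S, IMAPS, as in the memo
        print(check_server(host, port, now))
```

Run it as `python3 check_mail_tls.py mail.example.jp`; an empty `findings` list and a comfortably positive `days_remaining` on all three ports is the state to aim for. On the memo's setup the code-21 finding goes away once the CA's intermediate certificate is appended after the server certificate in each of the three PEM files the memo lists.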
***Configuration locations [#ga8a4e08]
''Postfix''
/etc/postfix/main.cf contains the following
smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_use_tls = yes
smtp_tls_security_level = may
smtp_use_tls = no
smtpd_timeout = 3600s
smtpd_proxy_timeout = 3600s
''courier-imap''
-/etc/courier-imap/pop3d-ssl <= used by Plesk
-/etc/courier-imap/imapd-ssl.saved_by_plesk <= original
##NAME: TLS_CERTFILE:0
#
# TLS_CERTFILE - certificate to use. TLS_CERTFILE is re...
# servers, and is optional for SSL/TLS clients. TLS_CER...
# treated as confidential, and must not be world-readable.
#
TLS_CERTFILE=/usr/share/courier-imap/pop3d.pem
##NAME: TLS_TRUSTCERTS:0
-/etc/courier-imap/imapd-ssl <= used by Plesk
-/etc/courier-imap/imapd-ssl.saved_by_plesk <= original
# TLS_DHCERTFILE=
##NAME: TLS_CERTFILE:0
#
# TLS_CERTFILE - certificate to use. TLS_CERTFILE is re...
# servers, and is optional for SSL/TLS clients. TLS_CER...
# treated as confidential, and must not be world-readable.
#
TLS_CERTFILE=/usr/share/courier-imap/imapd.pem
##NAME: TLS_TRUSTCERTS:0
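Both Postfix (smtpd_tls_key_file = $smtpd_tls_cert_file) and Courier (TLS_CERTFILE) are pointed at one PEM file that holds the private key together with the certificate, and Courier's comment says that file must not be world-readable. The following is an added audit script for those files; it is not code from the memo, Plesk, Postfix or Courier. The file paths are the memo's, the SAMPLE_* PEM texts are constructed placeholders rather than real key material, and the "only one certificate" finding assumes the certificate was issued through an intermediate CA, as the memo's RapidSSL certificate is.

```python
"""Audit the combined key+certificate PEM files the memo edits.

Added example, not from the memo, Plesk, Postfix or Courier: checks one
PEM bundle for exactly one private key, a server certificate, the issuing
CA's intermediate after it, and no 'other' permission bits. Paths are the
memo's; SAMPLE_* texts are constructed placeholders.
"""
import os
import re
import stat
import sys

PEM_HEADER = re.compile(r"^-----BEGIN ([A-Z ]+)-----$", re.MULTILINE)

# The three files the memo names for Postfix, POP3 and IMAP.
PLESK_PEM_FILES = [
    "/etc/postfix/postfix_default.pem",
    "/usr/share/courier-imap/pop3d.pem",
    "/usr/share/courier-imap/imapd.pem",
]


def pem_block_types(text: str) -> list:
    """Labels of the BEGIN lines in file order, e.g. ['RSA PRIVATE KEY', 'CERTIFICATE']."""
    return PEM_HEADER.findall(text)


def audit_pem(text: str, mode: int) -> list:
    """Findings for one key+cert bundle; an empty list means it passes.

    `mode` is the file's st_mode, passed separately so in-memory samples can
    be checked without touching the filesystem."""
    types = pem_block_types(text)
    keys = [t for t in types if t.endswith("PRIVATE KEY")]
    certs = [t for t in types if t == "CERTIFICATE"]
    findings = []
    if len(keys) != 1:
        findings.append(f"expected exactly one private key block, found {len(keys)}")
    if not certs:
        findings.append("no certificate block")
    elif len(certs) == 1:
        # A certificate issued by an intermediate CA (as the memo's RapidSSL
        # certificate is) needs that intermediate bundled after it; otherwise
        # clients report "unable to verify the first certificate".
        findings.append("only one certificate: append the issuing CA's "
                        "intermediate certificate after the server certificate")
    if mode & stat.S_IRWXO:
        # Courier's own comment: the file holds the key and must not be
        # world-readable.
        findings.append(f"mode {oct(stat.S_IMODE(mode))} is world-accessible; "
                        "the file holds a private key, so drop all 'other' bits")
    return findings


def audit_pem_file(path: str) -> list:
    with open(path, encoding="ascii") as fh:
        text = fh.read()
    return audit_pem(text, os.stat(path).st_mode)


# Constructed samples: the base64 bodies are placeholders, not real key material.
SAMPLE_LEAF_ONLY = """\
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAsxs7PLACEHOLDER
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDszCCApsCBE6go70wPLACEHOLDER
-----END CERTIFICATE-----
"""
SAMPLE_WITH_CHAIN = SAMPLE_LEAF_ONLY + """\
-----BEGIN CERTIFICATE-----
MIIEPLACEHOLDERINTERMEDIATE
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    for path in sys.argv[1:] or PLESK_PEM_FILES:
        try:
            findings = audit_pem_file(path)
        except OSError as exc:
            print(f"{path}: cannot read ({exc})")
            continue
        print(f"{path}: {'OK' if not findings else '; '.join(findings)}")
```

Run it as root on the Plesk host with no arguments to check all three files, or pass specific paths. A bundle that passes has the key first, then the server certificate, then the intermediate, and a mode such as 0600.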
***Mail client settings [#ce873811]
Sending on port 465 also works; it seems to become STARTTLS communication~
On 587 there is no SSL encryption → $ openssl s_client -connect ...
''%%With Outlook 2010, sending was port 587 TLS (SSL not possible)%%''
''With Outlook 2010 and 2013 too, specify 465 SSL for sending (TLS, SSL...
For authentication, configure sending the same way as receiving
http://www.atmarkit.co.jp/fwin2k/win2ktips/1100mailssl/ma...
&ref("./Outlookexpress.png");
&color(red){"Log on using Secure Password Authentication...
***Previous verification method [#rc506ae9]
Connecting to mail.meiwa-school, but the certificate is for www.wesden.net
$ openssl s_client -connect mail.meiwa-school.jp:465 -st...
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 /serialNumber=mCsiVxo7NM8ovhEf1DaWqoq-5VQtBiMM/C...
OU=GT70829167/OU=See www.rapidssl.com/resources/cps (c)1...
Validated - RapidSSL(R)/CN=www.wesden.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /serialNumber=mCsiVxo7NM8ovhEf1DaWqoq-5VQtBiMM/C...
OU=GT70829167/OU=See www.rapidssl.com/resources/cps (c)1...
Validated - RapidSSL(R)/CN=www.wesden.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 /serialNumber=mCsiVxo7NM8ovhEf1DaWqoq-5VQtBiMM/C...
OU=GT70829167/OU=See www.rapidssl.com/resources/cps (c)1...
Validated - RapidSSL(R)/CN=www.wesden.net
verify error:num=21:unable to verify the first certificate
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/serialNumber=mCsiVxo7NM8ovhEf1DaWqoq-5VQtBiMM/C=JP...
=GT70829167/OU=See www.rapidssl.com/resources/cps (c)11/...
Validated - RapidSSL(R)/CN=www.wesden.net
i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIE1zCCA7+gAwIBAgIDA7MVMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNV...
(omitted)
r2jiWAbvQe5Tu9vWfZPUqqpodha1kCWo60RxkNtxKtCN4q+owAMeIzKo...
-----END CERTIFICATE-----
subject=/serialNumber=mCsiVxo7NM8ovhEf1DaWqoq-5VQtBiMM/C...
OU=GT70829167/OU=See www.rapidssl.com/resources/cps (c)1...
Validated - RapidSSL(R)/CN=www.wesden.net
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 1935 bytes and written 322 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 8646BCD2FDD15F8C86004874084E666A642802F8...
Session-ID-ctx:
Master-Key: 3F80FD0143853FEA4C64910355ECB54B2D50BDDC...
Key-Arg : None
Start Time: 1319698725
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first c...
---
220 plesk10.stock-cube.net ESMTP Postfix
quit <= exit command
221 2.0.0 Bye
read:errno=0
SSL3 alert write:warning:close notify