
How to send and receive Postfix Mail based on SSL under Linux

2025-04-02 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)06/01

This article explains in detail how to send and receive email based on Postfix under Linux. The editor finds it very practical and shares it here as a reference. I hope you get something out of it.

Across a whole mail server setup, messages are transmitted in plaintext by default, which is not good from a security standpoint. But it is also difficult to encrypt an email all the way from sending to receipt: mail going from one domain to another crosses domains that are managed by different people, for example when sending an email from 163 to QQ Mail.

But what if you only need to guarantee the security of sending and receiving messages within the same domain? There is a mechanism called S/MIME, which provides user-to-user email security. It keeps the message encrypted while it is stored on the mail server, and the message cannot be read until the user retrieves it to the local machine and decrypts it. Anyone who intercepts the message in the meantime cannot read it, so it can be said to be very secure. But this mechanism is generally provided with commercial support.

In addition to the S/MIME mechanism, we can encrypt mail as it is sent and received within the part we control. SMTPS is the SMTP protocol over an encrypted transport and works on port TCP/465; POP3S is the POP3 protocol over an encrypted transport and works on port TCP/995; IMAP4S is the IMAP4 protocol over an encrypted transport and works on port TCP/993. Of course, this only ensures that mail is encrypted on its way from the mailbox to the local client; other stages, such as mail sending and storage, are not encrypted. Webmail can also be served over HTTPS, which provides encryption to a certain extent.

Implementing a private CA with OpenSSL

The CA server generates a pair of keys and saves them

[root@localhost ~]# openssl genrsa 1024 > /etc/pki/CA/private/cakey.pem

CA server generates self-signed certificate

[root@localhost ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365

Enter the 2-letter country code: cn
Enter the name of the province: shanghai
Enter the name of the city: shanghai
Enter the name of the company: ywnds
Enter the department: tech
Enter the name of the host: ca.ywnds.com (this hostname should be consistent with the server hostname. When the client accesses the host, it must use this host name to establish a connection; otherwise, the certificate cannot be trusted.)
Enter the e-mail address: admin@ywnds.com

Create some directories and files for CA

[root@localhost ~]# mkdir /etc/pki/CA/{certs,newcerts,crl}
[root@localhost ~]# touch /etc/pki/CA/{index.txt,serial}
[root@localhost ~]# echo 01 > /etc/pki/CA/serial

The mail server generates a certificate

[root@localhost ~]# mkdir /etc/dovecot/ssl
[root@localhost ~]# openssl genrsa -out /etc/dovecot/ssl/dovecot.key 1024
[root@localhost ~]# openssl req -new -key /etc/dovecot/ssl/dovecot.key -out /etc/dovecot/ssl/dovecot.csr

[The information entered must be consistent with the information entered for the CA, because this is the private CA we created.]

Enter the 2-letter country code: cn
Enter the name of the province: shanghai
Enter the name of the city: shanghai
Enter the name of the company: ywnds
Enter the department: tech
Enter the name of the host: mail.ywnds.com (this host name should be consistent with the host name of the server. When the client accesses the host, it must use this hostname to establish a connection; otherwise, the certificate cannot be trusted.)
Enter the e-mail address: admin@ywnds.com
Certificate password:

Sign the certificate at the CA server and send it back to the mail server

[root@localhost ~]# openssl ca -in /etc/dovecot/ssl/dovecot.csr -out /etc/dovecot/ssl/dovecot.crt -days 365

View the changes in files under /etc/pki/CA after signing on the CA server

[root@localhost ~]# cat /etc/pki/CA/index.txt
[root@localhost ~]# cat /etc/pki/CA/serial

Enable SSL in Dovecot

[root@localhost ~]# vim /etc/dovecot.conf
protocols = pop3 imap

[root@localhost ~]# vim /etc/dovecot/conf.d/10-ssl.conf
ssl = yes
ssl_cert = </etc/dovecot/ssl/dovecot.crt
ssl_key = </etc/dovecot/ssl/dovecot.key

[root@localhost ~]# service dovecot restart

Considerations for MUA to connect to the mail server:

1. Download the CA certificate cacert.pem to the client, rename it cacert.crt, and install it into the trusted root certificate store.

2. When the client connects to the POP3s server, the server sends its certificate. The client then uses the CA certificate cacert.crt to verify the POP3s certificate, and the mail can be transferred without any problems.

3. The MUA should use the domain name when connecting to the POP3s server, not the IP address, because the name must correspond to the hostname in the certificate; otherwise the certificate will still be untrusted. The client must also be able to resolve the domain name.
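
The CA procedure and the three client-side considerations above, as an added example that is not part of the original article: the script builds a throwaway CA and server certificate in a temporary directory, then runs the checks an MUA performs. It signs with openssl x509 -req instead of openssl ca so that nothing under /etc/pki/CA is touched, uses 2048-bit keys instead of the article's 1024, and its host names, IP address and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: throwaway private CA and server certificate, then client-side checks.
umask 077                              # private keys are created mode 0600
WORK=$(mktemp -d)                      # scratch directory, not /etc/pki/CA
trap 'rm -rf "$WORK"' EXIT
HOST=mail.example.test                 # constructed host name (assumption)

build_pki() {
    # CA key and self-signed CA certificate
    openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$WORK/cakey.pem" -out "$WORK/cacert.pem" \
        -days 365 -subj "/C=CN/O=Example/CN=ca.example.test" &&
    # Server key and signing request; CN carries the name clients connect to
    openssl genrsa -out "$WORK/dovecot.key" 2048 2>/dev/null &&
    openssl req -new -key "$WORK/dovecot.key" -out "$WORK/dovecot.csr" \
        -subj "/C=CN/O=Example/CN=$HOST" &&
    # Same name as a subjectAltName, which current clients match against
    printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/san.ext" &&
    openssl x509 -req -in "$WORK/dovecot.csr" -CA "$WORK/cacert.pem" \
        -CAkey "$WORK/cakey.pem" -CAcreateserial -days 365 \
        -extfile "$WORK/san.ext" -out "$WORK/dovecot.crt" 2>/dev/null
}

# check_cert NAME: chain must verify against the CA and the cert must match NAME
check_cert() {
    case $1 in
        *[!0-9.]*) flag=-verify_hostname ;;   # DNS name
        *)         flag=-verify_ip ;;         # dotted-quad IPv4 address
    esac
    openssl verify -CAfile "$WORK/cacert.pem" "$flag" "$1" \
        "$WORK/dovecot.crt" >/dev/null 2>&1
}

# key_matches_cert: ssl_key and ssl_cert must hold the same public key
key_matches_cert() {
    crt=$(openssl x509 -in "$WORK/dovecot.crt" -noout -pubkey | openssl sha256)
    key=$(openssl pkey -in "$WORK/dovecot.key" -pubout | openssl sha256)
    [ -n "$crt" ] && [ "$crt" = "$key" ]
}

build_pki || echo "PKI build failed" >&2
check_cert "$HOST"    && echo "trusted:  $HOST"
check_cert 192.0.2.10 || echo "rejected: 192.0.2.10 (name not in certificate)"
key_matches_cert      && echo "key and certificate match"
```

The same check_cert call against a name other than the one in the certificate fails even though the chain is valid, which is the situation item 3 describes.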
