
How to use SSL/TLS to protect your Linux email service

2025-01-16 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01 Report

This article explains how to use SSL/TLS to protect a Linux email service. The editor considers it very practical and shares it here for reference; follow along with the editor to have a look.

Protect your Linux mail service by understanding security certificates.

In general, whether you send or receive mail through the Simple Mail Transfer Protocol (SMTP), the Internet Message Access Protocol (IMAP) or the Post Office Protocol (POP), the mail service transmits data as unprotected plaintext by default. Now that encrypting data in transit has become the norm for more and more programs, you need a Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate to protect your mail service.

First, take a quick look at the basic flow of mail services and protocols. Mail is sent via SMTP on TCP port 25; this protocol relies on the address information in the DNS Mail eXchanger (MX) records to route messages. Once a message arrives at the mail server, it can be retrieved by either of two services: IMAP on TCP port 143, or POP3 (Post Office Protocol version 3) on TCP port 110. By default, all of these services transmit both the mail and the authentication credentials in clear text. This is very unsafe!

To protect email data and authentication, these services added a security feature that lets them encrypt the data stream and the communication using SSL/TLS certificates. The details of how SSL/TLS encrypts data are beyond the scope of this article; if you are interested, read Bryant Son's article on Internet security for more. In short, SSL/TLS encryption is based on public-key cryptography, using a public key and a private key.

With these security features enabled, the services listen on new TCP ports:

Service   Default TCP port   SSL/TLS port
SMTP      25                 587
IMAP      143                993
POP3      110                995

Generate an SSL/TLS certificate

OpenSSL can generate a free SSL/TLS certificate, or you can buy one from a public Certificate Authority (CA). In the past, generating a self-signed certificate was simple and common, but with the growing emphasis on security, most mail clients no longer trust self-signed certificates unless they are manually configured to do so.

If you are only using the service yourself or for testing, a self-signed certificate saves some money. But if many people or customers need to use it, it is best to buy one from a trusted certificate authority.

In either case, requesting a new certificate begins with using the OpenSSL tool on the Linux system to create a Certificate Signing Request (CSR) mail.mydomain.pem

It is worth mentioning that the .pem file suffix stands for Privacy-Enhanced Mail.

Now you have all the files you need to set up mail service security: the private key file mail.mydomain.key and the combined public certificate file mail.mydomain.pem.

Create a secure folder for your files

Whether your certificate is self-signed or purchased from a CA, you need a secure, root-owned folder to hold these two files. Create it with the following commands:

$ mkdir /etc/pki/tls
$ chown root:root /etc/pki/tls
$ chmod 700 /etc/pki/tls

After copying the files to /etc/pki/tls, set the permissions on those files as well:

$ chmod 600 /etc/pki/tls/*

Configure your SMTP and IMAP services
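Before moving on to the service configuration, here are the certificate steps above (key and CSR with OpenSSL, self-signing, and the locked-down folder) collected into one script. This is an added example, not the article's own commands: the file names mail.mydomain.key and mail.mydomain.pem come from the article, while the subject name, the 365-day validity and the use of GNU `stat -c` are assumptions. The target directory is a parameter so the script can be tried in a temporary directory instead of /etc/pki/tls; the check function verifies that the certificate really belongs to the key beside it and that the file modes are what the article asks for.

```shell
#!/bin/sh
# Added example (not from the original article): generate a private key and a
# self-signed certificate with OpenSSL, then store them with the permissions
# the article describes. DIR is a parameter so this can be run outside
# /etc/pki/tls. Subject CN and 365-day validity are assumptions.

# make_mail_cert DIR -> writes DIR/mail.mydomain.key and DIR/mail.mydomain.pem
make_mail_cert() {
    dir="$1"
    mkdir -p "$dir"
    chmod 700 "$dir"          # only the owner may list or enter the directory
    # 1. private key plus certificate signing request (CSR); -nodes leaves the
    #    key unencrypted so the mail daemons can read it at boot
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=mail.mydomain" \
        -keyout "$dir/mail.mydomain.key" \
        -out "$dir/mail.mydomain.csr" 2>/dev/null || return 1
    # 2. self-sign the CSR; for a purchased certificate you would send the
    #    .csr to the CA instead and save what it returns as mail.mydomain.pem
    openssl x509 -req -days 365 \
        -in "$dir/mail.mydomain.csr" \
        -signkey "$dir/mail.mydomain.key" \
        -out "$dir/mail.mydomain.pem" 2>/dev/null || return 1
    chmod 600 "$dir"/mail.mydomain.*   # key, CSR and cert: owner read/write only
}

# check_mail_cert DIR -> 0 if key and cert exist, match, are mode 600 and valid
check_mail_cert() {
    dir="$1"
    [ -f "$dir/mail.mydomain.key" ] && [ -f "$dir/mail.mydomain.pem" ] || return 1
    # the certificate must have been issued for the key beside it: compare the
    # public key derived from the private key with the one in the certificate
    k=$(openssl pkey -in "$dir/mail.mydomain.key" -pubout 2>/dev/null | openssl md5)
    c=$(openssl x509 -in "$dir/mail.mydomain.pem" -pubkey -noout 2>/dev/null | openssl md5)
    [ -n "$k" ] && [ "$k" = "$c" ] || return 1
    # permission check; stat -c is GNU/busybox syntax (assumption: Linux host)
    for f in "$dir/mail.mydomain.key" "$dir/mail.mydomain.pem"; do
        [ "$(stat -c %a "$f")" = "600" ] || return 1
    done
    # the certificate must still be inside its validity window
    openssl x509 -in "$dir/mail.mydomain.pem" -noout -checkend 0 >/dev/null
}

# Example usage (writes to a temporary directory rather than /etc/pki/tls):
# tmp=$(mktemp -d); make_mail_cert "$tmp" && check_mail_cert "$tmp" && echo OK
```

The check deliberately fails on a loosened key mode: a private key readable by other users defeats the point of the folder setup, and comparing public keys catches the common mistake of pairing a renewed certificate with an old key.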

Next, point the SMTP and IMAP services at the new certificate. Postfix and Dovecot are used as examples.

Use your favorite editor to edit /etc/postfix/main.cf and add the following lines:

smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/pki/tls/mail.mydomain.pem
smtpd_tls_key_file = /etc/pki/tls/mail.mydomain.key

Custom options

The following options enable or disable particular cipher suites, protocol versions, and so on:

smtpd_tls_eecdh_grade = strong
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_security_level = may
smtpd_tls_ciphers = high
tls_preempt_cipherlist = yes
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL
smtpd_tls_exclude_ciphers = aNULL, MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

Edit /etc/dovecot/dovecot.conf and add the following three lines:

ssl = required
ssl_cert =
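A quick way to confirm that the Postfix and Dovecot settings above actually landed in the configuration files is to audit them for the values the article recommends. The script below is an added example, not part of the article: it reads plain "key = value" lines (last occurrence wins, as Postfix does; multi-line continuation values are not handled, a deliberate simplification), flags every legacy protocol that is not disabled with a leading "!", and for Dovecot checks that ssl is required and that ssl_cert and ssl_key use Dovecot's "<" prefix, which means "read the value from this file". The sample configurations at the end are constructed for the demonstration and reuse the article's certificate paths.

```shell
#!/bin/sh
# Added example, not part of the original article: audit the TLS settings in a
# Postfix main.cf and a Dovecot dovecot.conf against the article's values.
# Only "key = value" lines and comments are parsed; Postfix continuation
# lines (leading whitespace) are not handled. Sample configs are constructed.

# get_opt FILE KEY -> prints KEY's value; the last occurrence wins, as in Postfix
get_opt() {
    awk -v k="$2" '
        /^[[:space:]]*#/ { next }                    # skip comment lines
        /^[^=]+=/ {
            key = $1; sub(/[[:space:]]*=.*/, "", key)
            if (key == k) { v = $0; sub(/^[^=]*=[[:space:]]*/, "", v) }
        }
        END { print v }' "$1"
}

# audit_postfix_tls FILE -> prints one line per finding, returns the finding count
audit_postfix_tls() {
    f="$1"; n=0
    [ "$(get_opt "$f" smtpd_use_tls)" = "yes" ] || { echo "smtpd_use_tls is not yes"; n=$((n+1)); }
    for key in smtpd_tls_cert_file smtpd_tls_key_file; do
        [ -n "$(get_opt "$f" "$key")" ] || { echo "$key is not set"; n=$((n+1)); }
    done
    # each legacy protocol must appear with a leading '!' (i.e. be disabled)
    for key in smtpd_tls_protocols smtpd_tls_mandatory_protocols; do
        p=",$(get_opt "$f" "$key" | tr -d ' '),"
        for old in SSLv2 SSLv3 TLSv1 TLSv1.1; do
            case "$p" in
                *",!$old,"*) ;;
                *) echo "$key does not disable $old"; n=$((n+1)) ;;
            esac
        done
    done
    [ "$(get_opt "$f" smtpd_tls_mandatory_ciphers)" = "high" ] || { echo "smtpd_tls_mandatory_ciphers is not high"; n=$((n+1)); }
    return "$n"
}

# audit_dovecot_tls FILE -> same contract for Dovecot: ssl must be required and
# ssl_cert / ssl_key must reference a file via the "<" prefix
audit_dovecot_tls() {
    f="$1"; n=0
    [ "$(get_opt "$f" ssl)" = "required" ] || { echo "ssl is not required"; n=$((n+1)); }
    for key in ssl_cert ssl_key; do
        case "$(get_opt "$f" "$key")" in
            "<"?*) ;;
            *) echo "$key does not reference a file"; n=$((n+1)) ;;
        esac
    done
    return "$n"
}

# Constructed sample configurations for trying the audit functions
weak_postfix_cfg() {      # TLS switched on, but legacy protocols still allowed
    printf 'smtpd_use_tls = yes\nsmtpd_tls_cert_file = /etc/pki/tls/mail.mydomain.pem\n'
    printf 'smtpd_tls_key_file = /etc/pki/tls/mail.mydomain.key\n'
}
hardened_postfix_cfg() {  # the article's protocol and cipher restrictions added
    weak_postfix_cfg
    printf 'smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1\n'
    printf 'smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1\n'
    printf 'smtpd_tls_mandatory_ciphers = high\n'
}
dovecot_cfg() {           # assumed Dovecot block using the same certificate files
    printf 'ssl = required\nssl_cert = </etc/pki/tls/mail.mydomain.pem\n'
    printf 'ssl_key = </etc/pki/tls/mail.mydomain.key\n'
}

# Example usage: weak_postfix_cfg > /tmp/main.cf; audit_postfix_tls /tmp/main.cf
```

Run against the weak sample, the audit reports nine findings (four undisabled protocols for each of the two protocol settings, plus the missing cipher grade); the hardened sample and the Dovecot sample pass. On a live host you would point the functions at /etc/postfix/main.cf and /etc/dovecot/dovecot.conf instead.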


© 2024 shulou.com SLNews company. All rights reserved.
