agregue tls/ssl para postfix con múltiples dominios y múltiples ips

Question

El certificado SSL/TLS y la clave son para el dominio/IP del servidor de correo por el que pasan todos los demás dominios, por lo que el servidor de correo seguro cubre todos los dominios que lo utilizan; las IP dedicadas no tienen importancia. Para obtener mejores resultados y máxima seguridad, utilice las opciones de configuración que están disponibles para usted. Si planea usar smtpd_tls_security_level=encrypt, tenga en cuenta que algunos servidores de correo no aceptarán conexiones porque no aceptan conexiones solo TLS. Si insiste en cifrar, verifique su registro de correo y vea si hay algún host que lo rechace por este motivo. Puede crear /etc/postfix/tls_policy y agregar los hosts allí y designarlos para que el correo se entregue, IE:

smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

En ese archivo puedes agregar hosts como a continuación

live.co.uk             may
live.com               may
charter.net            may
mx.west.cox.net        may
bigpond.com            may
cox.net                may

Sí, live.com rechazará si se fuerza TLS. No olvide ejecutar postmap después de editar el archivo.

Ejemplo:

# TLS parameters
# ---------------------------------

# The default snakeoil certificate. Comment if using a purchased
# SSL certificate.
#smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem
#smtpd_tls_key_file = /etc/ssl/private/postfix.pem

# Uncomment if using a custom SSL certificate.
smtpd_tls_cert_file=/path/to/ssl/example.com/cert.pem
smtpd_tls_key_file=/path/to/ssl/example.com/key.pem

# The snakeoil self-signed certificate has no need for a CA file. But
# if you are using your own SSL certificate, then you probably have
# a CA certificate bundle from your provider. The path to that goes here.
smtp_tls_CAfile=/path/to/ssl/example.com/chain.pem
smtpd_tls_CAfile=/path/to/ssl/example.com/chain.pem

# trusted CA path, where your server has the trust store of commercial certs
smtp_tls_CApath = /etc/ssl/certs
smtpd_tls_CApath = /etc/ssl/certs

smtpd_use_tls = yes
smtp_use_tls = yes
#enable ECDH
smtpd_tls_eecdh_grade = strong
#enabled SSL protocols, don't allow SSLv2 and SSLv3
smtpd_tls_protocols= !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols= !SSLv2, !SSLv3
#allowed ciphers for smtpd_tls_security_level=encrypt
smtpd_tls_mandatory_ciphers = high
#allowed ciphers for smtpd_tls_security_level=may
smtpd_tls_ciphers = high
#enforce the server cipher preference
tls_preempt_cipherlist = yes
#disable following ciphers for smtpd_tls_security_level=encrypt
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
#disable following ciphers for smtpd_tls_security_level=may
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
#enable TLS logging to see the ciphers for inbound connections
smtpd_tls_loglevel = 1
#enable TLS logging to see the ciphers for outbound connections
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_tls_dh1024_param_file = /etc/ssl/certs/dhparam.pem

# Note that forcing use of TLS is going to cause breakage - most mail servers
# don't offer it and so delivery will fail, both incoming and outgoing. This is
# unfortunate given what various governmental agencies are up to these days.
#

# For MTAs that reject based on encrypt TLS setting, lets do 'may' to get the mail delivered
#smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# AUTH only must be enabled when using smtpd encrypt
smtpd_tls_auth_only = yes
# Enable and force all incoming smtpd connections to use TLS.
#smtpd_tls_security_level = encrypt
# Enable and force all outgoing smtp connections to use TLS.
#smtp_tls_security_level = encrypt
# Enable (but don't force all incoming smtpd connections to use TLS.
smtpd_tls_security_level = may
# Enable (but don't force) all outgoing smtp connections to use TLS.
smtp_tls_security_level = may

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

Answer 1

El certificado SSL/TLS y la clave son para el dominio/IP del servidor de correo por el que pasan todos los demás dominios, por lo que el servidor de correo seguro cubre todos los dominios que lo utilizan; las IP dedicadas no tienen importancia. Para obtener mejores resultados y máxima seguridad, utilice las opciones de configuración que están disponibles para usted. Si planea usar smtpd_tls_security_level=encrypt, tenga en cuenta que algunos servidores de correo no aceptarán conexiones porque no aceptan conexiones solo TLS. Si insiste en cifrar, verifique su registro de correo y vea si hay algún host que lo rechace por este motivo. Puede crear /etc/postfix/tls_policy y agregar los hosts allí y designarlos para que el correo se entregue, IE:

smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

En ese archivo puedes agregar hosts como a continuación

live.co.uk             may
live.com               may
charter.net            may
mx.west.cox.net        may
bigpond.com            may
cox.net                may

Sí, live.com rechazará si se fuerza TLS. No olvide ejecutar postmap después de editar el archivo.

Ejemplo:

# TLS parameters
# ---------------------------------

# The default snakeoil certificate. Comment if using a purchased
# SSL certificate.
#smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem
#smtpd_tls_key_file = /etc/ssl/private/postfix.pem

# Uncomment if using a custom SSL certificate.
smtpd_tls_cert_file=/path/to/ssl/example.com/cert.pem
smtpd_tls_key_file=/path/to/ssl/example.com/key.pem

# The snakeoil self-signed certificate has no need for a CA file. But
# if you are using your own SSL certificate, then you probably have
# a CA certificate bundle from your provider. The path to that goes here.
smtp_tls_CAfile=/path/to/ssl/example.com/chain.pem
smtpd_tls_CAfile=/path/to/ssl/example.com/chain.pem

# trusted CA path, where your server has the trust store of commercial certs
smtp_tls_CApath = /etc/ssl/certs
smtpd_tls_CApath = /etc/ssl/certs

smtpd_use_tls = yes
smtp_use_tls = yes
#enable ECDH
smtpd_tls_eecdh_grade = strong
#enabled SSL protocols, don't allow SSLv2 and SSLv3
smtpd_tls_protocols= !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols= !SSLv2, !SSLv3
#allowed ciphers for smtpd_tls_security_level=encrypt
smtpd_tls_mandatory_ciphers = high
#allowed ciphers for smtpd_tls_security_level=may
smtpd_tls_ciphers = high
#enforce the server cipher preference
tls_preempt_cipherlist = yes
#disable following ciphers for smtpd_tls_security_level=encrypt
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
#disable following ciphers for smtpd_tls_security_level=may
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
#enable TLS logging to see the ciphers for inbound connections
smtpd_tls_loglevel = 1
#enable TLS logging to see the ciphers for outbound connections
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_tls_dh1024_param_file = /etc/ssl/certs/dhparam.pem

# Note that forcing use of TLS is going to cause breakage - most mail servers
# don't offer it and so delivery will fail, both incoming and outgoing. This is
# unfortunate given what various governmental agencies are up to these days.
#

# For MTAs that reject based on encrypt TLS setting, lets do 'may' to get the mail delivered
#smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# AUTH only must be enabled when using smtpd encrypt
smtpd_tls_auth_only = yes
# Enable and force all incoming smtpd connections to use TLS.
#smtpd_tls_security_level = encrypt
# Enable and force all outgoing smtp connections to use TLS.
#smtp_tls_security_level = encrypt
# Enable (but don't force all incoming smtpd connections to use TLS.
smtpd_tls_security_level = may
# Enable (but don't force) all outgoing smtp connections to use TLS.
smtp_tls_security_level = may

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

agregue tls/ssl para postfix con múltiples dominios y múltiples ips

Respuesta1

información relacionada