postfix 安全與不安全連接

tag-icon tag-icon postfix sasl saslauthd
postfix 安全與不安全連接

我僅使用以下配置配置了 postfix SMTP 伺服器用於郵件發送,我使用 cyrus-sasl 透過 openLDAP 進行身份驗證,我想實現 SMTP 連接埠 25 以使用不安全連接,同時在連接埠 587 上建立安全 TLS 連接

這是我的 master.cf 檔案片段

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp       inet  n       -       n       -       -       smtpd -v
587        inet  n       -       n       -       -       smtpd -v
#smtp      inet  n       -       n       -       1       postscreen
#smtpd     pass  -       -       n       -       -       smtpd
#dnsblog   unix  -       -       n       -       0       dnsblog
#tlsproxy  unix  -       -       n       -       0       tlsproxy
#submission inet n       -       n       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       n       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes

這是 main.cf 片段:

# USER SPECIFIC SETTINGS - 

transport_maps = hash:/etc/postfix/transport

# STMP FOR SENDING
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtp_tls_key_file = /certs/private/server.key
smtp_tls_cert_file = /certs/server.cer
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_CApath = /etc/pki/tls/certs
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
smtp_tls_ciphers = high

smtp_tls_security_level = encrypt
smtp_sasl_path = /etc/sasl2/smtpd.conf
smtp_sasl_type = cyrus
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_sasl_mechanism_filter = plain, login


# SMTPD FOR RECEIVING
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /certs/private/server.key
smtpd_tls_cert_file = /certs/server.cer
smtpd_tls_CAfile = /certs/local-ca.cer
smtpd_tls_dh1024_param_file = /etc/pki/tls/private/postfix.dh.param
smtpd_tls_loglevel = 2
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_cache
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
smtpd_tls_ciphers = high
tls_random_source = dev:/dev/urandom
tls_high_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
tls_medium_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
cyrus_sasl_config_path = /etc/sasl2/
broken_sasl_auth_clients = yes
smtpd_tls_security_level = encrypt
smtpd_sasl_path = smtpd
smtpd_sasl_type = cyrus
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous

如果我更改 main.cf 它將影響整個伺服器,任何人都可以指導我如何實現上述場景。

相關內容