I have a mail server with Postfix+Dovecot2+MySQL. Authentication goes through Dovecot SASL. I needed to add TLS.
I made the certificates like this:
self-signed certificate
openssl req -new -newkey rsa:4096 -nodes -keyout ./ca/ca.key -x509 -days 3650 -subj /C=RU/O=IP/CN=mail.home.local/emailAddress=test@home.local -out ./ca/ca.crt
openssl req -new -newkey rsa:4096 -nodes -keyout ./clients/client_test.key -subj /C=RU/O=IP/CN=test/emailAddress=test@home.local -out ./clients/client_test.csr;
openssl ca -config ca.config -in ./clients/client_test.csr -out ./clients/client_test.crt -batch;
openssl pkcs12 -export -in ./clients/client_test.crt -inkey ./clients/client_test.key -certfile ./ca/ca.crt -out ./clients/client_test.p12 -passout pass:test
# doveconf -n
ssl_ca = </etc/ssl/cert/ca/ca.crt
ssl_cert = </etc/ssl/cert/ca/ca.crt
ssl_key = </etc/ssl/cert/ca/ca.key
# Request client to send a certificate. If you also want to require it, set
# auth_ssl_require_client_cert=yes in auth section.
ssl_verify_client_cert = yes
auth_ssl_require_client_cert = yes
# postconf -n
smtpd_enforce_tls = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/ssl/cert/ca/ca.crt
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/cert/ca/ca.crt
smtpd_tls_key_file = /etc/ssl/cert/ca/ca.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_wrappermode = yes
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
# tail /var/log/maillog
Feb 27 21:46:11 mail postfix/smtpd[8779]: connect from 192.168.2.101[192.168.2.101]
Feb 27 21:46:11 mail postfix/smtpd[8779]: setting up TLS connection from 192.168.2.101[192.168.2.101]
Feb 27 21:46:11 mail postfix/smtpd[8779]: Anonymous TLS connection established from 192.168.2.101[192.168.2.101]: TLSv1 with cipher AES256-SHA (256/256 bits)
Feb 27 21:46:11 mail postfix/smtpd[8779]: warning: 192.168.2.101[192.168.2.101]: SASL PLAIN authentication failed: Client didn't present valid SSL certificate
Feb 27 21:46:11 mail postfix/smtpd[8779]: warning: 192.168.2.101[192.168.2.101]: SASL LOGIN authentication failed: Client didn't present valid SSL certificate
Feb 27 21:46:11 mail postfix/smtpd[8779]: NOQUEUE: reject: RCPT from 192.168.2.101[192.168.2.101]: 554 5.7.1 <192.168.2.101[192.168.2.101]>: Client host rejected: Access denied; from=<test@home.local> to=<test@home.local> proto=ESMTP helo=<192.168.2.101>
Feb 27 21:46:11 mail postfix/smtpd[8779]: disconnect from 192.168.2.101[192.168.2.101]
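The log line "Anonymous TLS connection established" says the client presented no certificate at all, which is what Postfix logs when smtpd never asked for one: the posted `postconf -n` has no `smtpd_tls_ask_ccert = yes`, so Postfix never passes Dovecot the "valid client cert" flag and `auth_ssl_require_client_cert = yes` fails every login. The script below is an added example, not code from the post or from the Postfix/Dovecot projects. It lints a `postconf -n` dump for the settings client-certificate SASL depends on and classifies Postfix TLS log lines by peer-certificate status; the two config samples and the "Verified" log line are constructed for the demonstration, and the `/etc/ssl/cert/server/` paths in the fixed sample are an assumed location for a server certificate issued by the CA.

```shell
#!/bin/sh
# Added example (not from the original post): lint a `postconf -n` dump for the
# settings Dovecot's auth_ssl_require_client_cert depends on, and read the
# peer-certificate status out of Postfix smtpd TLS log lines.

# Constructed sample 1: the TLS/SASL lines from the post's `postconf -n`.
POSTCONF_BROKEN='smtpd_enforce_tls = yes
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/ssl/cert/ca/ca.crt
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/cert/ca/ca.crt
smtpd_tls_key_file = /etc/ssl/cert/ca/ca.key
smtpd_tls_wrappermode = yes
smtpd_use_tls = yes'

# Constructed sample 2: the same dump after the suggested changes. The
# /etc/ssl/cert/server/ paths are an assumption (a server cert issued by the CA).
POSTCONF_FIXED='smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/ssl/cert/ca/ca.crt
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/cert/server/mail.crt
smtpd_tls_key_file = /etc/ssl/cert/server/mail.key
smtpd_tls_security_level = encrypt
smtpd_tls_wrappermode = yes'

# pc_get DUMP NAME: print the value of NAME from a postconf -n dump ('' if unset).
pc_get() {
    printf '%s\n' "$1" | awk -v k="$2" -F' = ' '$1 == k { print $2; exit }'
}

# ccert_lint DUMP: print one finding per line; prints nothing when the dump is
# consistent with client-certificate SASL through Dovecot. Always exits 0.
ccert_lint() {
    dump=$1
    if [ "$(pc_get "$dump" smtpd_tls_ask_ccert)" != "yes" ]; then
        echo "smtpd_tls_ask_ccert is not yes: smtpd never requests a client certificate, so Dovecot's auth_ssl_require_client_cert can never be satisfied (the log shows 'Anonymous TLS connection')"
    fi
    if [ -n "$(pc_get "$dump" smtpd_tls_CAfile)" ] &&
       [ "$(pc_get "$dump" smtpd_tls_cert_file)" = "$(pc_get "$dump" smtpd_tls_CAfile)" ]; then
        echo "smtpd_tls_cert_file equals smtpd_tls_CAfile: the CA certificate (and its signing key) doubles as the server certificate; issue a separate server certificate from the CA and keep ca.key off the mail server"
    fi
    if [ -z "$(pc_get "$dump" smtpd_tls_security_level)" ] &&
       { [ -n "$(pc_get "$dump" smtpd_use_tls)" ] || [ -n "$(pc_get "$dump" smtpd_enforce_tls)" ]; }; then
        echo "smtpd_use_tls/smtpd_enforce_tls are obsolete since Postfix 2.3; use smtpd_tls_security_level = encrypt"
    fi
    return 0
}

# tls_peer_level LINE: Postfix logs the peer-certificate status as the first
# word of "... TLS connection established": Anonymous (no client certificate),
# Untrusted, Trusted, or Verified. Prints "none" for any other line.
tls_peer_level() {
    printf '%s\n' "$1" | awk '
        match($0, /(Anonymous|Untrusted|Trusted|Verified) TLS connection established/) {
            w = substr($0, RSTART); print substr(w, 1, index(w, " ") - 1); found = 1 }
        END { if (!found) print "none" }'
}

# LOG_ANON is the line quoted from the post; LOG_VERIFIED is constructed to
# show what smtpd logs once the client certificate is requested and verified.
LOG_ANON='Feb 27 21:46:11 mail postfix/smtpd[8779]: Anonymous TLS connection established from 192.168.2.101[192.168.2.101]: TLSv1 with cipher AES256-SHA (256/256 bits)'
LOG_VERIFIED='Feb 27 21:50:02 mail postfix/smtpd[8801]: Verified TLS connection established from 192.168.2.101[192.168.2.101]: TLSv1 with cipher AES256-SHA (256/256 bits)'

echo "== findings for the posted config =="; ccert_lint "$POSTCONF_BROKEN"
echo "== findings for the fixed config =="; ccert_lint "$POSTCONF_FIXED"
echo "peer certificate status in the posted log line: $(tls_peer_level "$LOG_ANON")"
echo "peer certificate status after the fix: $(tls_peer_level "$LOG_VERIFIED")"
```

Feed it the real dump with `ccert_lint "$(postconf -n)"`, and after restarting Postfix check that the "TLS connection established" line reads Verified rather than Anonymous; if it reads Untrusted, the client certificate was sent but did not chain to `smtpd_tls_CAfile`, which is a certificate problem rather than a Postfix/Dovecot wiring problem.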
