Postfix Integrated Solution | ||
---|---|---|
<<< Previous | Next >>> |
OpenSSL + Stunnel + Iptable + 數字證書 PGP/GPG..
通過Stunnel 實現SSL連接
安裝
AS3,Redhat 9預設已經安裝
需要下面兩個包:
openssl
stunnel
[root@linuxas3 root]# rpm -qa |grep openssl openssl-0.9.7a-22.1 openssl-devel-0.9.7a-22.1 [root@linuxas3 root]# rpm -qa |grep stunnel stunnel-4.04-4 [root@linuxas3 root]# cd /etc/stunnel/ [root@linuxas3 stunnel]# ls stunnel.conf-sample stunnel.pem |
配置
[root@linuxas3 stunnel]# cp stunnel.conf-sample stunnel.conf [root@linuxas3 stunnel]# mv stunnel.pem stunnel.pem.old [root@linuxas3 stunnel]# vi stunnel.conf |
Example 1. stunnel.conf
# Sample stunnel configuration file # Copyright by Michal Trojnara 2002 # Comment it out on Win32 cert = /etc/stunnel/stunnel.pem # chroot = /usr/var/run/stunnel/ # PID is created inside chroot jail pid = /stunnel.pid #setuid = nobody #setgid = nogroup setuid = root setgid = root # Workaround for Eudora bug #options = DONT_INSERT_EMPTY_FRAGMENTS # Authentication stuff #verify = 2 # don't forget about c_rehash CApath # it is located inside chroot jail: #CApath = /certs # or simply use CAfile instead: #CAfile = /usr/etc/stunnel/certs.pem # Some debugging stuff debug = 7 output = stunnel.log # Use it for client mode #client = yes # Service-level configuration [pop3s] accept = 995 connect = 110 [imaps] accept = 993 connect = 143 [ssmtp] accept = 465 connect = 25 [s1] accept = 5000 connect = mail.osw.pl:110 # delay = yes [s2] accept = 5001 connect = mail.osw.pl:25 #[https] #accept = 443 #connect = 80 #TIMEOUTclose = 0 [nntps] accept = 563 connect = 119 |
配置/運行 Stunnel
stunnel 預設配置檔案是 /etc/stunnel/stunnel.conf 下面是最小的服務方式配置檔案內容示範: key = stunnel.pem [http2ssl] accept = 443 connect = 127.0.0.1:80 含義:使用 stunnel.pem 證書,將 127.0.0.1: 80 的連接埠加密映射成本機443連接埠,“ http2ssl ”是名稱,可以改成其它的標識。 配置檔案檔案還有其它內容,詳情請看幫助。 直接運行stunnel,就可以啟動 Stunnel 了。 |
創建伺服器證書
[root@linuxas3 stunnel]# cp /usr/share/ssl/openssl.cnf /etc/openssl.cnf [root@linuxas3 stunnel]# nano -w /etc/openssl.cnf [root@linuxas3 stunnel]# openssl req -new -x509 -days 365 -nodes -config /etc/openssl.cnf -out stunnel.pem -keyout stunnel.pem Generating a 1024 bit RSA private key ....................++++++ .......................++++++ writing new private key to 'stunnel.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [GB]:CN State or Province Name (full name) [Berkshire]:GD Locality Name (eg, city) [Newbury]:Shen Zhen Organization Name (eg, company) [My Company Ltd]:none Organizational Unit Name (eg, section) []:postfix Common Name (eg, your name or your server's hostname) []:netkiller Email Address []:openunix@163.com [root@linuxas3 stunnel]# openssl gendh 512 >> stunnel.pem [root@linuxas3 stunnel]# openssl x509 -subject -dates -fingerprint -in stunnel.pem [root@linuxas3 stunnel]# chmod 600 /etc/stunnel/stunnel.pem |
Stunnel 客戶方式不需要證書。Stunnel 服務方式需要一個證書檔案。 Stunnel 在 SSL Http Proxy 伺服器是以服務方式運行的,所以必須要有一個證書。通過 openssl.exe 創建伺服器證書。下面我將 Stunnel 關於創建證書的翻譯如下: “...運行下面的命令 openssl req -new -x509 -days 365 -nodes -config openssl.cnf -out stunnel.pem -keyout stunnel.pem 這將會創建一個自己給自己簽名的證書。參數的含義: -days 365 使這個證書的有效期是1年,之後它將不能再用。 -new 創建一個新的證書 -x509 創建一個 X509 證書(自己簽名的) -nodes 這個證書沒有密碼 -config openssl.cnf OpenSSL 使用的配置檔案 (可能需要修改的有[CA_default]和[req_distinguished_name]這兩個 section,譯者) -out stunnel.pem 把 SSL 證書寫到哪裡 -keyout stunnel.pem 把 SSL 證書放到這個檔案中 這個命令將會問你以下問題: 問題的回答示範 Country name 國家代碼 PL, UK, US, CA...我國是CN,HK,TW State or Province name 省 Locality Name 市 Organization Name 公司、組織名稱 Organizational Unit Name 部門名稱 Common Name (FQDN) www.example.com 注意:Common Name (FQDN) 應該是運行 stunnel 機器的主機名。如果你能通過不同的主機名訪問這台機器,有些 SSL 客戶會警告這個主機的證書有問題,所以最好是使它和用戶訪問的主機名匹配。 openssl gendh 512>> stunnel.pem 這將生成 Diffie-Hellman 部分, 追加到 pem 檔案中。 openssl x509 -subject -dates -fingerprint -in stunnel.pem 這個命令是將你的證書信息在屏幕顯示出來。” |
運行
[root@linuxas3 stunnel]# stunnel [root@linuxas3 stunnel]# ps ax |grep stunnel 20733 ? S 0:00 stunnel |
查看連接埠
[root@linuxas3 stunnel]# nmap localhost Starting nmap V. 3.00 ( www.insecure.org/nmap/ ) Interesting ports on linuxas3.9812.net (127.0.0.1): (The 1582 ports scanned but not shown below are in state: closed) Port State Service 22/tcp open ssh 25/tcp open smtp 80/tcp open http 110/tcp open pop-3 111/tcp open sunrpc 119/tcp open nntp 143/tcp open imap2 443/tcp open https 465/tcp open smtps 563/tcp open snews 631/tcp open ipp 783/tcp open hp-alarm-mgr 993/tcp open imaps 995/tcp open pop3s 3306/tcp open mysql 5000/tcp open UPnP 5001/tcp open commplex-link 8009/tcp open ajp13 8080/tcp open http-proxy Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds [root@linuxas3 stunnel]# |
測試
詳細請看Outlook使用幫助
查看iptables -L
# SMTP /sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT # SMTPS /sbin/iptables -A INPUT -p tcp --dport 465 -j ACCEPT # POP3 /sbin/iptables -A INPUT -p tcp --dport 110 -j ACCEPT # POP3S /sbin/iptables -A INPUT -p tcp --dport 995 -j ACCEPT # IMAP /sbin/iptables -A INPUT -p tcp --dport 143 -j ACCEPT # IMAPS /sbin/iptables -A INPUT -p tcp --dport 993 -j ACCEPT |
<<< Previous | Home | Next >>> |
wget + tar + xxzip 備份方案 | 數字簽名、加密與證書頒發機構 |