In version 8.13 of sendmail, SMTP can use Transport Layer Security (TLS). This service to SMTP servers and clients provides private, authenticated communications over the Internet and protects the system against eavesdroppers and attackers. Note that this service is not enabled by default.
The following procedure uses sample data to show how to set up certificates so that sendmail uses TLS. For more information, see Support for Running SMTP With TLS in Version 8.13 of sendmail.
Stop sendmail:
# svcadm disable -t network/smtp:sendmail
Set up the directory structure for a certificate authority (CA):
# cd /etc/mail
# mkdir -p certs/CA
# cd certs/CA
# mkdir certs crl newcerts private
# echo "01" > serial
# cp /dev/null index.txt
# cp /etc/openssl/openssl.cnf .
Note that the following command line generates interactive text.
# openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 365 \
    -config openssl.cnf
Generating a 1024 bit RSA private key
.....................................++++++
.....................................++++++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:US
State or Province Name (full name) []:California
Locality Name (eg, city) []:Menlo Park
Organization Name (eg, company) [Unconfigured OpenSSL Installation]:Oracle
Organizational Unit Name (eg, section) []:Solaris
Common Name (eg, YOUR name) []:somehost.somedomain.example.com
Email Address []:someuser@example.com
openssl req
    This command creates and processes certificate requests.
-new
    This req option generates a new certificate request.
-x509
    This req option creates a self-signed certificate.
-keyout private/cakey.pem
    This req option specifies private/cakey.pem as the file name for the newly created private key.
-out cacert.pem
    This req option specifies cacert.pem as the output file.
-days 365
    This req option makes the certificate valid for 365 days. The default value is 30.
-config openssl.cnf
    This req option specifies openssl.cnf as the configuration file.
Note that this command requires you to provide the following information:
Country Name, such as US.
State or Province Name, such as California.
Locality Name, such as Menlo Park.
Organization Name, such as Oracle.
Organizational Unit Name, such as Solaris.
Common Name, which is the fully qualified host name of the machine. For more information, see the check-hostname(1M) man page.
Email Address, such as someuser@example.com.
Generate the host's certificate and private key:
# cd /etc/mail/certs/CA
# openssl req -nodes -new -x509 -keyout newreq.pem -out newreq.pem -days 365 \
    -config openssl.cnf
Generating a 1024 bit RSA private key
..............++++++
..............++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:US
State or Province Name (full name) []:California
Locality Name (eg, city) []:Menlo Park
Organization Name (eg, company) [Unconfigured OpenSSL Installation]:Oracle
Organizational Unit Name (eg, section) []:Solaris
Common Name (eg, YOUR name) []:somehost.somedomain.example.com
Email Address []:someuser@example.com
This command requires the same information that you provided in step 3c.
Note that in this example, the certificate and the private key are both in the file newreq.pem.
Convert the self-signed certificate into a certificate request and sign the request with the CA:
# cd /etc/mail/certs/CA
# openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
Getting request Private Key
Generating certificate request
# openssl ca -config openssl.cnf -policy policy_anything -out newcert.pem -infiles tmp.pem
Using configuration from openssl.cnf
Enter pass phrase for /etc/mail/certs/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun 23 18:44:38 2005 GMT
            Not After : Jun 23 18:44:38 2006 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = California
            localityName              = Menlo Park
            organizationName          = Oracle
            organizationalUnitName    = Solaris
            commonName                = somehost.somedomain.example.com
            emailAddress              = someuser@example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                93:D4:1F:C3:36:50:C5:97:D7:5E:01:E4:E3:4B:5D:0B:1F:96:9C:E2
            X509v3 Authority Key Identifier:
                keyid:99:47:F7:17:CF:52:2A:74:A2:C0:13:38:20:6B:F1:B3:89:84:CC:68
                DirName:/C=US/ST=California/L=Menlo Park/O=Oracle/OU=Solaris/\
                CN=someuser@example.com/emailAddress=someuser@example.com
                serial:00
Certificate is to be certified until Jun 23 18:44:38 2006 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# rm -f tmp.pem
In this example, the file newreq.pem contains the unsigned certificate and the private key. The file newcert.pem contains the signed certificate.
openssl x509
    Displays certificate information, converts certificates to various formats, and signs certificate requests.
openssl ca
    Signs certificate requests in a variety of forms and generates CRLs (certificate revocation lists).
Add the following lines to the sendmail m4 configuration file:
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/CAcert.pem')dnl
define(`confSERVER_CERT', `/etc/mail/certs/MYcert.pem')dnl
define(`confSERVER_KEY', `/etc/mail/certs/MYkey.pem')dnl
define(`confCLIENT_CERT', `/etc/mail/certs/MYcert.pem')dnl
define(`confCLIENT_KEY', `/etc/mail/certs/MYkey.pem')dnl
For more information, see Configuration File Options for Running SMTP With TLS.
For detailed instructions, see Changing the sendmail Configuration.
Create symbolic links from the file names used in the configuration to the certificate and key files:
# cd /etc/mail/certs
# ln -s CA/cacert.pem CAcert.pem
# ln -s CA/newcert.pem MYcert.pem
# ln -s CA/newreq.pem MYkey.pem
Make the private key unreadable to other users:
# chmod go-r MYkey.pem
Create a link to the CA certificate whose name is the hash of the certificate's subject, which is how OpenSSL looks up certificates in the confCACERT_PATH directory:
# C=CAcert.pem
# ln -s $C `openssl x509 -noout -hash < $C`.0
To trust the certificate of another host, do the same with that host's certificate file. Replace host.domain with the fully qualified host name of the other host:
# C=host.domain.cert.pem
# ln -s $C `openssl x509 -noout -hash < $C`.0
Restart sendmail:
# svcadm enable network/smtp:sendmail
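The certificate steps above, as an added example that is not from the Solaris guide: a non-interactive sh script that builds the CA, issues the host certificate with openssl ca, creates the hash-named CA link and checks that the host certificate verifies against it. The DN values, host names and the minimal openssl.cnf it writes are assumptions; -subj and -batch replace the interactive prompts, and -nodes leaves the test keys unencrypted.

```shell
# Added example, not from the Solaris guide: rebuilds the CA, host certificate and
# hash-named CA link in a scratch directory and checks that the result verifies.
set -e

build_and_verify() {
    work=$(mktemp -d) && cd "$work"
    mkdir -p CA/newcerts CA/private
    echo "01" > CA/serial
    : > CA/index.txt
    # Minimal openssl.cnf (assumed): only what "openssl ca" and policy_anything need.
    cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./CA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    # CA key and self-signed CA certificate; -subj replaces the interactive prompts.
    openssl req -new -x509 -nodes -newkey rsa:2048 -keyout CA/private/cakey.pem \
        -out CA/cacert.pem -days 365 -config openssl.cnf \
        -subj "/C=US/ST=California/O=Example/CN=ca.example.com" 2>/dev/null
    # Host key plus a certificate request, then sign the request with the CA.
    openssl req -new -nodes -newkey rsa:2048 -keyout MYkey.pem -out req.pem \
        -config openssl.cnf -subj "/C=US/O=Example/CN=mail.example.com" 2>/dev/null
    openssl ca -batch -config openssl.cnf -policy policy_anything \
        -out MYcert.pem -infiles req.pem 2>/dev/null
    chmod go-r MYkey.pem
    # Hash-named link: this is how a CApath lookup (confCACERT_PATH) finds the CA.
    ln -s CA/cacert.pem "$(openssl x509 -noout -hash -in CA/cacert.pem).0"
    openssl verify -CApath . MYcert.pem
}
```

OpenSSL 1.0.0 changed the subject-hash algorithm used for these file names, so a link created by one major version is not found by the other; openssl x509 -subject_hash_old prints the pre-1.0.0 value when an older peer or library must find the certificate.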
The following is an example of the Received: headers of secure mail that used TLS.
Received: from his.example.com ([IPv6:2001:db8:3c4d:15::1a2f:1a2b])
        by her.example.com (8.13.4+Sun/8.13.4) with ESMTP id j2TNUB8i242496
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
        for <janepc@her.example.com>; Tue, 29 Mar 2005 15:30:11 -0800 (PST)
Received: from her.example.com (her.city.example.com [192.168.0.0])
        by his.example.com (8.13.4+Sun/8.13.4) with ESMTP id j2TNU7cl571102
        version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
        for <janepc@her.example.com>; Tue, 29 Mar 2005 15:30:07 -0800 (PST)
Note that the value of verify is OK, which means that the verification succeeded. For more information, see Macros for Running SMTP With TLS.
See Also
The following OpenSSL man pages: