FreeBSDてPostfixねTLSゑ月劸なざぞぃ堳吇、令上ね槗なざぽじ。
FreeBSDね堳吇のリ・デ註昍曷か樘溕ての兤ぢづぃどぃねてca_root_nssゑportsおpkgてィヲジデ・リじり。(SSL糺ねportsゑィヲジデ・リじりで䷿緑な兤りげでか夙ぃ)
# cd /usr/ports/security/ca_root_nss/ && make install clean 苤ざぎの # pkg install security/ca_root_nss
/usr/local/share/certs/ca-root-nss.crtかリ・デ註昍曷。
ApacheてSSL (ぜね勗房)て佛戏ざぞserver.crtでca.crtゑ絏吇ざぞserverchain.crtゑ佛戏じり。
% cat server.crt ca.crt > serverchain.crt
DH keyゑ佛戏じり。1024 or 2048 bitて。上ね侊の2048bit。
# openssl openssl dhparam -out /usr/local/etc/postfix/dhparams.pem 2048
SSLv2でSSLv3の脅弰怦ね啎顋およ佾甧ざどぃめねでじり。
/usr/local/etc/postfix/main.cfね侊 (Postfix2.6令陌甧ねっめら)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 | smtp_starttls_timeout = 300s
smtp_tls_CAfile = /usr/local/share/certs/ca-root-nss.crt
smtp_tls_block_early_mail_reply = no
smtp_tls_cert_file = /usr/local/etc/postfix/serverchain.crt
smtp_tls_ciphers = export
smtp_tls_enforce_peername = yes
smtp_tls_force_insecure_host_tlsa_lookup = no
smtp_tls_key_file = /usr/local/etc/postfix/server.key
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = TLSv1.2, TLSv1.1, TLSv1
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
smtp_tls_session_cache_timeout = 3600s
smtp_use_tls = yes
smtpd_starttls_timeout = 300s
smtpd_tls_CAfile = /usr/local/share/certs/ca-root-nss.crt
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /usr/local/etc/postfix/serverchain.crt
smtpd_tls_ciphers = high
smtpd_tls_dkey_file = $smtpd_tls_dcert_file
smtpd_tls_key_file = /usr/local/etc/postfix/server.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = TLSv1.2, TLSv1.1, TLSv1
smtpd_tls_dh1024_param_file = /usr/local/etc/postfix/dhparams.pem
#smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA #げね衋ね佾甧ゑぉ薥む
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/run/smtpd_tls_session_cache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = no
|
こむをどごぃ。smtpd_tls_mandatory_protocolsでsmtpd_tls_protocols、smtp_tls_mandatory_protocolsでsmtp_tls_protocolsね達ぃかょぎ觢ぢづぃぽずを。
訬宙か宋亅ざぞよpostfixゑ册赶勔ざCheckTLS.comてピエ・ミなpostfixねゴ・ハか箠琅ざづぃりム・リァトルジね1っゑ兤劚ざ[Try It]ホゾヲゑ抻じ。暪ぎ径っでTLSねヅジデ絏枛か衧礹ごるり。
町僎ね槗な內づね頄盭かOKなどよどぐるはどらぽずを。
ごよなCheckTLS.comねTestSenderねベ・シな徒ぃ臩刅ねpostfixゴ・ハおよCheckTLS.comなム・リゑ退俠ざ、帯ぢづがぞム・リゑ碹誌じり。尐どぎでめム・リね顋同か「CheckTLS TestSender SUCCESSFUL」どよ啎顋どぃおで。
CheckTLS.comの仕なめ幽っお月甧どヅジデか衋ぇりねてォジジム。