At work I have had plenty of headaches with self-signed SSL certificates: there is a different one on the control panel, on the mail server and on the application servers. Of course you can teach users to import them, but it is a lot nicer when none of that is needed. On the other hand, buying a certificate is not cheap, at least 15 bucks if you search around, and that always stopped me, since there was no critical need for a signed certificate and I did not want to hand over money for it. So I have lived with self-signed certificates since time immemorial.
Just recently I came across a service: https://startssl.com. In short, it lets you obtain a valid SSL certificate free of charge, and the certificate is recognized by browsers, email clients and even mobile devices (not personally tested).
As I said, certificates are issued for free, but with some limitations: for example, such certificates may not be used for financial transactions or e-commerce, and revoking a certificate costs money. You also cannot create a wildcard certificate, or a certificate valid for multiple domains/subdomains.
A paid service is available too: after paying a certain amount ($49) and passing identity verification these restrictions are lifted (except for the revocation fee), you can still obtain certificates for free, and they are issued in your name.
I will not describe how to use the site, since everything there is quite simple.
I will only add that installing the certificates is sometimes not trivial, but it is worth it.
If anyone needs help installing them in Postfix or Dovecot, I will be glad to help; write me a PM.
Installation instructions for Apache and IIS are on their website.
Installing StartSSL certificates - Postfix / Dovecot / Nginx
In the previous topic I described a service where you can get a free SSL certificate. Following on from that, I decided to describe how to install the certificates in specific software.
I will cover the following software:
Postfix
Dovecot
Nginx
All of the above is installed on CentOS 5.5.
Postfix
Postfix gave me the most trouble. It would seem there is documentation and plenty of examples, so it should be simple, but until I had tried a bunch of options while reading the documentation, I killed quite a bit of time before everything worked.
Preparation
It is assumed that you already have a private key and a certificate for the domain:
mail.example.com.key
mail.example.com.crt
You also need to download the intermediate CA certificate for the class of your certificate (the download is on the StartSSL site).
For a free (Class 1) certificate this is sub.class1.server.ca.pem.
In this example I am using a private key without a passphrase.
So we have 3 files:
mail.example.com.key
mail.example.com.crt
sub.class1.server.ca.pem
Create the file that Postfix reads (the key, then the server certificate, then the intermediate):
cat mail.example.com.key mail.example.com.crt sub.class1.server.ca.pem > mail.example.com.pem
Copy the file to the right place; I put it in /etc/pki/postfix/.
Of course, do not forget to set ownership and permissions as for the key file: the combined file contains the private key, so it must be owned by root and readable by root only (mode 0600).
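The preparation above (and the same cp/cat steps in the Dovecot and Nginx sections below, which only leave the key out of the file) boils down to concatenating PEM files in the right order and protecting the result. Added example, not code from the original post: a POSIX shell script that builds both kinds of file and checks, before anything is installed, that the key really belongs to the certificate and that the certificate chains through the intermediate. It assumes openssl on PATH, a key without a passphrase as in the post, the post's file names, and a hypothetical OUTDIR argument; the default CA bundle path is the one the Postfix configuration on this page points at.

```shell
#!/bin/sh
# Added example, not from the original post: build the PEM files the three
# daemons read and check that the pieces belong together before installing them.
# Assumes openssl on PATH and, as in the post, a private key without a passphrase.
# File names (mail.example.com.key/.crt, sub.class1.server.ca.pem) are the post's.

# Print "Modulus=..." for a private key (kind=key) or a certificate (kind=crt).
modulus_of() {
    case "$1" in
        key) openssl rsa  -noout -modulus -in "$2" </dev/null ;;
        crt) openssl x509 -noout -modulus -in "$2" </dev/null ;;
        *)   return 1 ;;
    esac
}

# 0 if the private key and the certificate share a modulus, i.e. belong together.
key_matches_cert() {
    k=$(modulus_of key "$1" 2>/dev/null) || return 1
    c=$(modulus_of crt "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 if CRT chains through the intermediate CHAIN up to a root in CAFILE
# (default: the system bundle the post's Postfix config uses).
chain_verifies() {
    crt=$1; chain=$2; cafile=${3:-/etc/pki/tls/certs/ca-bundle.crt}
    openssl verify -CAfile "$cafile" -untrusted "$chain" "$crt" >/dev/null 2>&1
}

# Postfix file: key, then server cert, then intermediate, in one file.
# It carries the private key, so it is created 0600 and refused on a key/cert mismatch.
make_postfix_bundle() {
    key=$1; crt=$2; chain=$3; out=$4
    key_matches_cert "$key" "$crt" || { echo "$key does not match $crt" >&2; return 1; }
    ( umask 077; cat "$key" "$crt" "$chain" > "$out" ) || return 1
    chmod 600 "$out"
}

# Dovecot/nginx file: server cert then intermediate, no key
# (the key stays in its own 0600 file, as the post does with cp).
make_chain_bundle() {
    crt=$1; chain=$2; out=$3
    cat "$crt" "$chain" > "$out"
}

# Number of PEM blocks in a file: 3 for the Postfix bundle, 2 for the cert+chain file.
pem_block_count() {
    grep -c -- '-----BEGIN ' "$1" || true
}

# Octal permission bits of a file (GNU stat, falling back to BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Stand-alone use: bundle.sh KEY CRT CHAIN OUTDIR   (OUTDIR is a hypothetical argument)
if [ "$#" -eq 4 ]; then
    make_postfix_bundle "$1" "$2" "$3" "$4/mail.example.com.pem" &&
    make_chain_bundle "$2" "$3" "$4/mail.example.com.chain.pem" &&
    chain_verifies "$2" "$3" &&
    echo "bundles written to $4, chain verified"
fi
```

The modulus comparison is the quickest way to catch the classic mistake of pairing a freshly generated key with a certificate issued for an older CSR; the chain check catches a wrong or missing intermediate before any daemon is restarted.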
In /etc/postfix/main.cf add:
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtpd_tls_cert_file = /etc/pki/postfix/mail.example.com.pem
smtpd_tls_key_file = /etc/pki/postfix/mail.example.com.pem
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
smtpd_use_tls = yes
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_cert_file = /etc/pki/postfix/mail.example.com.pem
smtp_tls_key_file = /etc/pki/postfix/mail.example.com.pem
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtp_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1
smtpd_tls_auth_only = no
tls_random_source = dev:/dev/urandom
What each option does is described in the Postfix documentation (TLS_README). Pointing smtpd_tls_key_file at the same file as the certificate is allowed; Postfix finds the key inside it. Two things worth knowing: smtpd_use_tls and smtp_use_tls are the old (pre-2.3) switches, and on the server side smtpd_tls_security_level = may is what actually applies; both are opportunistic, so TLS is offered but not required. And smtpd_tls_auth_only = no means clients may still send SASL credentials over an unencrypted connection; set it to yes if you want logins only after STARTTLS.
To verify that everything is okay, run:
openssl s_client -starttls smtp -showcerts -connect localhost:25
It should end with something like this:
SSL handshake has read 4760 bytes and written 354 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 418AA0ED7BA85B2B9301FA127D05DCAFABCEDC192101A6E75DD872FA3E528366
    Session-ID-ctx:
    Master-Key: 498FB41D5810A9768710936351DC92169B6D7DEFAHTEDBDUO60DE9349DA7EB5536F975A8BC4AF190466B637CC129A93E
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1287331961
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
250 DSN
The line to look at is "Verify return code: 0 (ok)": it means the server certificate together with the intermediate that Postfix sent from the .pem chained up to a root in the client's CA bundle. If the intermediate is missing from the .pem, s_client reports code 21 (unable to verify the first certificate), and mail clients that do not already have the StartSSL intermediate will fail to validate the certificate even though the certificate itself is fine.
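The s_client run above is the right check, but it prints a lot. Added example, not code from the original post: a POSIX shell script that wraps the same openssl s_client call and reduces its transcript to the verify code and the number of certificates the server presented, which is what tells a missing intermediate apart from a working bundle. It goes beyond the post's localhost:25 case: the same probe works for the smtps port enabled in master.cf and for the imaps/pop3s/https ports configured in the later sections. It assumes openssl on PATH; the two transcripts embedded at the end are constructed samples, not captures, and the host name mail.example.com is the post's.

```shell
#!/bin/sh
# Added example, not from the original post: reduce an "openssl s_client" run like the
# one above to the two facts that matter (did the chain verify, and did the server send
# the intermediate) so the check can be scripted for every port the post configures.
# Assumes openssl on PATH; host names and ports are the post's (mail.example.com, 25/465/993/995/443).

# Transcript of one handshake. STARTTLS services (smtp:25, imap:143, pop3:110) pass
# the protocol name as $3; wrapper-mode ports (465, 993, 995, 443) pass nothing.
tls_probe() {
    host=$1; port=$2; starttls=${3:-}
    if [ -n "$starttls" ]; then
        openssl s_client -starttls "$starttls" -showcerts -connect "$host:$port" </dev/null 2>/dev/null
    else
        openssl s_client -showcerts -connect "$host:$port" </dev/null 2>/dev/null
    fi
}

# Numeric verify code from a transcript on stdin: 0 is "ok"; 21 means the server sent
# only its own certificate and OpenSSL could not find the issuer (missing intermediate).
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# How many certificates the server sent (-showcerts prints each one in full).
# A correctly assembled bundle gives 2 here: the server cert and sub.class1.server.ca.pem.
certs_sent() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Negotiated "<protocol> <cipher>" from the SSL-Session block.
negotiated() {
    awk '/^ *Protocol *:/ {p=$NF} /^ *Cipher *:/ {c=$NF} END {print p " " c}'
}

# One-line summary of a transcript on stdin; succeeds only if the chain verified
# and at least two certificates (server + intermediate) were presented.
assess() {
    out=$(cat)
    code=$(printf '%s\n' "$out" | verify_code)
    n=$(printf '%s\n' "$out" | certs_sent)
    pc=$(printf '%s\n' "$out" | negotiated)
    echo "verify=${code:-none} certs=$n $pc"
    [ "$code" = "0" ] && [ "$n" -ge 2 ]
}

# Constructed transcripts (not real captures), cut down to the lines the functions look at.
sample_ok() {
    cat <<'EOF'
CONNECTED(00000003)
-----BEGIN CERTIFICATE-----
(server certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(intermediate from sub.class1.server.ca.pem)
-----END CERTIFICATE-----
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 0 (ok)
---
250 DSN
EOF
}

# Same server with the intermediate left out of the .pem: only one cert, code 21.
sample_missing_intermediate() {
    cat <<'EOF'
CONNECTED(00000003)
-----BEGIN CERTIFICATE-----
(server certificate)
-----END CERTIFICATE-----
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 21 (unable to verify the first certificate)
---
250 DSN
EOF
}

# Stand-alone use: probe.sh HOST PORT [smtp|imap|pop3]
if [ "$#" -ge 2 ]; then
    tls_probe "$@" | assess
fi
```

If the bundle is correct but s_client still reports code 20 (unable to get local issuer certificate), the client's default OpenSSL trust store is missing the root rather than the server missing the intermediate; add -CAfile /etc/pki/tls/certs/ca-bundle.crt to the s_client line in tls_probe.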
To also accept SMTPS on port 465 (TLS wrapper mode rather than STARTTLS), uncomment the following lines in /etc/postfix/master.cf:
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
That is all for Postfix.
Dovecot
Dovecot was much easier, and everything worked the first time.
Preparation
You already have the 3 files:
mail.example.com.key
mail.example.com.crt
sub.class1.server.ca.pem
Copy the key and create the certificate file that Dovecot reads (server certificate first, then the intermediate):
cp mail.example.com.key /etc/pki/dovecot/private/
cat mail.example.com.crt sub.class1.server.ca.pem > /etc/pki/dovecot/certs/mail.example.com.pem
The copied key should stay owned by root and readable by root only (mode 0600); that is enough for Dovecot, which opens it before dropping privileges.
In dovecot.conf set:
ssl_cert_file = /etc/pki/dovecot/certs/mail.example.com.pem
ssl_key_file = /etc/pki/dovecot/private/mail.example.com.key
(these are the Dovecot 1.x option names; Dovecot 2.x uses ssl_cert = </path and ssl_key = </path instead)
and, of course, enable SSL:
ssl_listen = *
ssl = yes
Then add the protocols you need to the list:
protocols = pop3 pop3s imap imaps
Nginx
Nginx is also very simple, and the procedure is no different from Dovecot's.
Preparation
You already have the 3 files:
mail.example.com.key
mail.example.com.crt
sub.class1.server.ca.pem
Copy the key and create the certificate file that nginx reads (server certificate first, then the intermediate):
cp mail.example.com.key /etc/pki/nginx/private/
cat mail.example.com.crt sub.class1.server.ca.pem > /etc/pki/nginx/certs/mail.example.com.pem
The configuration for the host in nginx should look like this:
server {
    listen 443;
    server_name mail.example.com;
    ssl on;
    ssl_certificate /etc/pki/nginx/certs/mail.example.com.pem;
    ssl_certificate_key /etc/pki/nginx/private/mail.example.com.key;
    ssl_session_timeout 5m;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;
    location / {
        root /srv/www/htdocs/;
        index index.html index.htm;
    }
}
A caveat on the ssl_protocols and ssl_ciphers lines: they are the example from the nginx documentation of that time, and they offer SSLv2 as well as export-grade and LOW ciphers. SSLv2 is broken and export/LOW ciphers are trivially weak, so remove SSLv2 from ssl_protocols and drop +LOW:+SSLv2:+EXP from the cipher list (HIGH:!aNULL:!MD5 works with the same OpenSSL); the rest of the configuration is unaffected. Newer nginx releases also replace "ssl on;" with "listen 443 ssl;".