openssl req -new -x509 -days 3650 -nodes -out /opt/ssl/certs/postfix.pem -keyout /opt/ssl/private/postfix.pem
第一个是证书,第二个是key(私钥)
可以应用在很多程序上。
下面举两个例子:
server {
listen 443;
server_name _;
ssl on;
ssl_certificate /opt/ssl/certs/postfix.pem;
ssl_certificate_key /opt/ssl/private/postfix.pem;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
location / {
root html;
index index.html index.htm;
}
}nginx -t 测试无误即可。当然这个证书自己做的浏览器会报一个不受信任的警告。
vim /etc/postfix/main.cf
smtpd_tls_security_level = may
#smtpd_tls_security_level = encrypt
smtpd_tls_key_file = /opt/ssl/private/postfix.pem
smtpd_tls_cert_file = /opt/ssl/certs/postfix.pem
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
tls_random_source = dev:/dev/urandom
smtpd_tls_auth_only = yes发邮件,看maillog的日志是是否有tls的类似记录即表示ssl。
postfix/smtpd[29635]: setting up TLS connection from unknown[114。。]另外,可以telnet localhost 25
ehlo localhost
250-mail.gqdw.xyz
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSNstarttls 表示已经开启ssl会话加密 。
原文地址:http://blog.csdn.net/aca_jingru/article/details/43637643
