🔐完整SSL SMTP配置

 

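#!/bin/bash
# Set up Postfix for SMTPS (implicit TLS on port 465) with Dovecot SASL
# authentication on a Debian/Ubuntu host.
#
# What it does, in order: install OpenSSL, create a self-signed certificate,
# write the TLS/SASL settings into main.cf, add an "smtps" service to
# master.cf, point Dovecot's auth socket at Postfix, create one SMTP user,
# restart both daemons, open the firewall ports and print a summary.
#
# All Postfix edits go through postconf, which replaces an existing value
# instead of appending a duplicate, so the script can be re-run safely
# (the original appended with "tee -a" and also wrote master.cf service
# lines into main.cf, where Postfix rejects them).
# Requires Postfix 3.0 or newer (for "postconf -M" / "postconf -P") and sudo.
set -euo pipefail

readonly SSL_DIR=/etc/postfix/ssl
readonly CERT_FILE="$SSL_DIR/smtpd.cert"
readonly KEY_FILE="$SSL_DIR/smtpd.key"

#######################################
# Print the TCP listener(s) on a port. Uses ss, falling back to netstat
# (net-tools is not installed by default on current Debian/Ubuntu).
# Arguments: $1 - port number
# Outputs:   matching listener lines on stdout (nothing if not listening)
#######################################
show_listener() {
  local port=$1
  if command -v ss >/dev/null 2>&1; then
    sudo ss -tlnp | grep -E ":${port}[[:space:]]" || true
  else
    sudo netstat -tlnp | grep -E ":${port}[[:space:]]" || true
  fi
}

#######################################
# Create the self-signed certificate unless both files already exist, so a
# re-run never silently replaces a certificate clients already trust.
# Globals:   SSL_DIR, CERT_FILE, KEY_FILE (read)
#######################################
create_certificate() {
  sudo mkdir -p "$SSL_DIR"
  if [[ -f "$CERT_FILE" && -f "$KEY_FILE" ]]; then
    echo "证书已存在, 跳过生成: $CERT_FILE"
    return 0
  fi
  # umask 077 in a subshell (sudo keeps it): the key is created unreadable to
  # others from the start instead of being world-readable until the chmod.
  (
    umask 077
    sudo openssl req -new -x509 -days 3650 -nodes \
      -out "$CERT_FILE" -keyout "$KEY_FILE" \
      -subj "/C=CN/ST=Beijing/L=Beijing/O=Company/CN=$(hostname)"
  )
  sudo chmod 600 "$KEY_FILE"
  sudo chmod 644 "$CERT_FILE"
}

#######################################
# Write the TLS and SASL parameters to main.cf.
# smtpd_tls_wrappermode is deliberately NOT set here: globally it would turn
# port 25 into implicit TLS and break ordinary SMTP delivery. It is enabled
# only on the smtps service in configure_master_cf.
# Globals:   CERT_FILE, KEY_FILE (read)
#######################################
configure_main_cf() {
  # TLSv1.1 is disabled together with SSLv2/SSLv3/TLSv1; all four are
  # deprecated. Drop "!TLSv1.1" only if a legacy client still needs it.
  local protocols='!SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
  sudo postconf -e \
    'smtpd_tls_security_level = may' \
    'smtp_tls_security_level = may' \
    'smtpd_tls_auth_only = yes' \
    "smtpd_tls_cert_file = $CERT_FILE" \
    "smtpd_tls_key_file = $KEY_FILE" \
    "smtpd_tls_protocols = $protocols" \
    "smtpd_tls_mandatory_protocols = $protocols" \
    "smtp_tls_protocols = $protocols" \
    "smtp_tls_mandatory_protocols = $protocols" \
    'smtpd_tls_ciphers = medium' \
    'smtpd_tls_mandatory_ciphers = medium' \
    'smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache' \
    'smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache' \
    'smtpd_tls_received_header = yes' \
    'smtpd_sasl_auth_enable = yes' \
    'smtpd_sasl_type = dovecot' \
    'smtpd_sasl_path = private/auth' \
    'smtpd_sasl_local_domain = $myhostname' \
    'smtpd_sasl_security_options = noanonymous' \
    'broken_sasl_auth_clients = yes' \
    'smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination' \
    'smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain'
}

#######################################
# Add (or update) the smtps service in master.cf: port 465, TLS from the
# first byte, relaying only for SASL-authenticated clients.
#######################################
configure_master_cf() {
  sudo postconf -M -e 'smtps/inet=smtps inet n - y - - smtpd'
  sudo postconf -P -e \
    'smtps/inet/syslog_name=postfix/smtps' \
    'smtps/inet/smtpd_tls_wrappermode=yes' \
    'smtps/inet/smtpd_sasl_auth_enable=yes' \
    'smtps/inet/smtpd_client_restrictions=' \
    'smtps/inet/smtpd_helo_restrictions=' \
    'smtps/inet/smtpd_sender_restrictions=' \
    'smtps/inet/smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject' \
    'smtps/inet/smtpd_relay_restrictions=permit_sasl_authenticated,reject' \
    'smtps/inet/milter_macro_daemon_name=ORIGINATING'
}

#######################################
# Install Dovecot and expose its auth service on the socket Postfix reads
# (smtpd_sasl_path = private/auth, relative to the Postfix queue directory).
# Both config files are replaced wholesale, as before; the distribution
# versions are kept as *.orig so the defaults can be restored.
#######################################
configure_dovecot() {
  sudo apt-get install -y dovecot-core dovecot-imapd dovecot-pop3d sasl2-bin
  local f
  for f in /etc/dovecot/conf.d/10-master.conf /etc/dovecot/conf.d/10-auth.conf; do
    if [[ -f "$f" && ! -f "$f.orig" ]]; then
      sudo cp -a -- "$f" "$f.orig"
    fi
  done
  sudo tee /etc/dovecot/conf.d/10-master.conf >/dev/null <<'EOF'
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
EOF
  # disable_plaintext_auth applies to unsecured network logins; Postfix
  # reaches Dovecot over the local socket above, which Dovecot treats as
  # secured, so PLAIN/LOGIN inside the port-465 TLS session still work.
  sudo tee /etc/dovecot/conf.d/10-auth.conf >/dev/null <<'EOF'
disable_plaintext_auth = yes
auth_mechanisms = plain login
!include auth-system.conf.ext
EOF
}

#######################################
# Create the system account that Dovecot's auth-system backend will check
# the SMTP login against, and set its password.
# Arguments: $1 - user name, $2 - password (a function argument, not a
#            process argument, so it does not show up in "ps")
# Returns:   1 when the user name is not a plain Linux user name or the
#            password is empty
#######################################
create_smtp_user() {
  local smtp_user=$1
  local smtp_pass=$2
  # A ":" in the name would be misparsed by chpasswd and a leading "-" taken
  # as an option by useradd, so only a conventional user name is accepted.
  if [[ ! "$smtp_user" =~ ^[a-z_][a-z0-9_-]*$ ]]; then
    echo "无效的用户名: $smtp_user" >&2
    return 1
  fi
  if [[ -z "$smtp_pass" ]]; then
    echo "密码不能为空" >&2
    return 1
  fi
  if ! id "$smtp_user" >/dev/null 2>&1; then
    sudo useradd -m -s /bin/false "$smtp_user"
  fi
  # chpasswd reads "user:password" on stdin, so the password never appears
  # on a command line. printf rather than echo so a password starting with
  # "-" or containing backslashes is passed through unchanged.
  printf '%s:%s\n' "$smtp_user" "$smtp_pass" | sudo chpasswd
}

main() {
  echo "=== 配置Postfix使用SSL和465端口 ==="

  echo "1. 安装SSL工具..."
  sudo apt-get update
  sudo apt-get install -y openssl ssl-cert

  echo "2. 生成SSL证书..."
  create_certificate

  echo "3. 配置Postfix SSL设置..."
  configure_main_cf

  echo "4. 配置master.cf启用465端口..."
  configure_master_cf

  echo "5. 配置SASL认证..."
  configure_dovecot

  echo "6. 创建SMTP用户..."
  local smtp_user smtp_pass
  printf '%s' "请输入SMTP用户名(默认:smtpuser): "
  read -r smtp_user
  smtp_user=${smtp_user:-smtpuser}
  printf '%s' "请输入SMTP密码: "
  read -rs smtp_pass
  echo
  create_smtp_user "$smtp_user" "$smtp_pass"

  echo "7. 重启服务..."
  # Validate main.cf/master.cf first so a typo is reported here instead of
  # leaving the mail system down after the restart.
  sudo postfix check
  sudo systemctl restart postfix
  sudo systemctl restart dovecot

  echo "8. 配置防火墙..."
  # 587 (submission) is not configured by this script; the rule is kept from
  # the original list and can be removed if no submission service exists.
  if command -v ufw >/dev/null 2>&1; then
    sudo ufw allow 25/tcp
    sudo ufw allow 465/tcp
    sudo ufw allow 587/tcp
    sudo ufw reload
  fi

  echo "9. 测试SSL SMTP配置..."
  echo "正在测试465端口SSL连接..."
  show_listener 465

  echo "检查SSL证书:"
  sudo openssl x509 -in "$CERT_FILE" -text -noout | grep -E "Subject:|Not |Issuer:"

  echo "=== 配置完成 ==="
  echo "SMTP SSL配置信息:"
  echo "服务器: $(hostname)"
  echo "端口: 465 (SSL/TLS)"
  echo "用户名: $smtp_user"
  echo "SSL证书: $CERT_FILE"
  echo ""
  echo "测试命令:"
  # Port 465 is TLS from the first byte, so a plain "-connect" is right;
  # "-starttls smtp" is for ports 25/587 and would fail against 465.
  echo "openssl s_client -connect localhost:465"
  echo "telnet localhost 465"
}

main "$@"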

测试SSL SMTP连接

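#!/bin/bash
# Smoke-test an SMTPS (port 465, implicit TLS) Postfix setup: check the
# listener, open a TLS session with openssl, optionally send an authenticated
# test message with swaks, show the server certificate and generate a small
# PHP connection test.
#
# Every probe is best-effort and reports its own result, so "set -e" is not
# used; "set -u" still catches misspelled variables.
set -uo pipefail

readonly CERT_FILE=/etc/postfix/ssl/smtpd.cert
readonly LE_DIR=/etc/letsencrypt/live

#######################################
# Print the TCP listener(s) on a port. Uses ss, falling back to netstat
# (net-tools is not installed by default on current Debian/Ubuntu).
# Arguments: $1 - port number
# Outputs:   matching listener lines on stdout (nothing if not listening)
#######################################
show_listener() {
  local port=$1
  if command -v ss >/dev/null 2>&1; then
    sudo ss -tlnp | grep -E ":${port}[[:space:]]" || true
  else
    sudo netstat -tlnp | grep -E ":${port}[[:space:]]" || true
  fi
}

#######################################
# Write a minimal PHP script that opens an ssl:// socket to port 465 and
# also exercises mail(); prints where it was written and how to run it.
# The file is created with mktemp, not at a fixed /tmp name.
#######################################
write_php_test() {
  local php_test
  php_test=$(mktemp) || return 1
  # The original heredoc had lost its opening "<?php" tag, so PHP printed
  # the source as text instead of running it.
  cat > "$php_test" <<'PHP'
<?php
echo "PHP SSL SMTP测试\n";
echo "================\n\n";

// PHPMailer-style SMTPS connection test
$host = 'localhost';
$port = 465;
$username = 'smtpuser'; // change to your user name
$password = 'password'; // placeholder - change to your password

echo "测试连接到: $host:$port\n";

// Open the TLS connection. PHP verifies the peer certificate by default, so
// a self-signed certificate, or one whose CN does not match $host, makes
// this fail. That is the expected outcome until a trusted certificate is
// installed; do not turn off verification to make the test pass.
$socket = fsockopen("ssl://$host", $port, $errno, $errstr, 10);
if (!$socket) {
    echo "❌ SSL连接失败: $errstr ($errno)\n";
} else {
    echo "✅ SSL连接成功\n";

    // Read the greeting
    $response = fgets($socket, 512);
    echo "服务器响应: $response";

    // Send EHLO
    fwrite($socket, "EHLO localhost\r\n");
    $response = fgets($socket, 512);
    echo "EHLO响应: $response";

    fclose($socket);
    echo "连接测试完成\n";
}

// mail() goes through the local sendmail interface and should keep working
echo "\n测试mail()函数: ";
if (mail('root', 'PHP SSL测试', '测试内容', 'From: test@localhost')) {
    echo "✅ 成功\n";
} else {
    echo "❌ 失败\n";
}

// For real SMTPS delivery from PHP use a mailer library
echo "\n对于生产环境,建议使用:\n";
echo "1. PHPMailer (https://github.com/PHPMailer/PHPMailer)\n";
echo "2. SwiftMailer (https://swiftmailer.symfony.com/)\n";
?>
PHP
  echo "PHP测试脚本已创建: $php_test"
  echo "运行: php $php_test"
}

main() {
  echo "=== SSL SMTP连接测试 ==="

  echo "1. 检查465端口监听状态:"
  show_listener 465

  printf '\n2. 测试SSL连接(使用openssl):\n'
  echo "测试SSL SMTP连接..."

  printf '\n方法1: openssl s_client测试\n'
  # Port 465 speaks TLS from the first byte, so no "-starttls smtp": with
  # that flag s_client waits for a plaintext banner that never arrives. The
  # timeout keeps a non-answering server from hanging the script.
  timeout 15 openssl s_client -connect localhost:465 <<'SSL_TEST'
EHLO localhost
QUIT
SSL_TEST

  printf '\n方法2: 测试认证邮件发送\n'
  echo "这需要已配置SMTP用户"
  if command -v swaks >/dev/null 2>&1; then
    local username
    read -r -p "SMTP用户名: " username
    # --tlsc = TLS on connect, the mode port 465 uses. --auth-password is
    # omitted on purpose: swaks prompts for it interactively, so the
    # password never appears on a command line where "ps" could show it.
    swaks --to root --from "$username@$(hostname)" \
      --server localhost --port 465 \
      --auth LOGIN --auth-user "$username" \
      --tlsc --body "SSL SMTP测试" \
      --h-Subject "SSL SMTP测试"
  else
    echo "安装swaks进行更全面的测试: sudo apt-get install swaks"
  fi

  printf '\n3. 检查SSL证书信息:\n'
  if [[ -f "$CERT_FILE" ]]; then
    sudo openssl x509 -in "$CERT_FILE" -text -noout | head -20
  elif [[ -d "$LE_DIR" ]]; then
    # A glob inside "[ -f ... ]" breaks with zero or several matches; find
    # handles both.
    sudo find "$LE_DIR" -name fullchain.pem \
      -exec openssl x509 -in {} -text -noout \; | head -20
  else
    echo "未找到SSL证书"
  fi

  printf '\n4. PHP SSL SMTP测试脚本:\n'
  write_php_test
}

main "$@"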

SSL SMTP配置检查和故障排除

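#!/bin/bash
# Diagnose an SMTPS (port 465) Postfix/Dovecot installation: listeners,
# Postfix TLS settings, certificate, a live TLS handshake, Dovecot SASL
# settings, firewall rules and a test delivery, then write it all into a
# report file.
#
# Every check is best-effort and reports on its own, so "set -e" is not
# used; "set -u" still catches misspelled variables.
set -uo pipefail

readonly CERT_FILE=/etc/postfix/ssl/smtpd.cert
readonly LE_DIR=/etc/letsencrypt/live
readonly MAIL_LOG=/var/log/mail.log
readonly DOVECOT_AUTH_CONF=/etc/dovecot/conf.d/10-auth.conf

#######################################
# Print the TCP listener(s) on a port. Uses ss, falling back to netstat
# (net-tools is not installed by default on current Debian/Ubuntu).
# Arguments: $1 - port number
# Outputs:   matching listener lines on stdout (nothing if not listening)
#######################################
show_listener() {
  local port=$1
  if command -v ss >/dev/null 2>&1; then
    sudo ss -tlnp | grep -E ":${port}[[:space:]]" || true
  else
    sudo netstat -tlnp | grep -E ":${port}[[:space:]]" || true
  fi
}

#######################################
# Print subject/validity of whichever certificate is installed: the
# self-signed Postfix one, else every Let's Encrypt fullchain.pem.
# Globals:   CERT_FILE, LE_DIR (read)
#######################################
show_certificate() {
  if [[ -f "$CERT_FILE" ]]; then
    echo "自签名证书: $CERT_FILE"
    sudo openssl x509 -in "$CERT_FILE" -noout -text | grep -E "Subject:|Not |Issuer:"
  elif [[ -d "$LE_DIR" ]]; then
    echo "Let's Encrypt证书:"
    # The path reaches the inner shell as $1, never spliced into the command
    # string.
    sudo find "$LE_DIR" -name fullchain.pem \
      -exec sh -c 'echo "证书: $1"; openssl x509 -in "$1" -noout -subject -dates' _ {} \;
  else
    echo "未找到SSL证书"
  fi
}

main() {
  echo "=== SSL SMTP配置检查 ==="

  echo "1. 端口监听状态:"
  echo "端口25 (SMTP):"
  show_listener 25
  printf '\n端口465 (SMTPS):\n'
  show_listener 465
  printf '\n端口587 (Submission):\n'
  show_listener 587

  printf '\n2. Postfix SSL配置:\n'
  sudo postconf | grep -i tls | head -20

  printf '\n3. SSL证书检查:\n'
  show_certificate

  printf '\n4. SSL连接测试:\n'
  echo "测试465端口SSL连接..."
  # Implicit TLS on 465, so no "-starttls"; timeout bounds the session.
  timeout 5 openssl s_client -connect localhost:465 -quiet 2>&1 | head -5

  printf '\n5. SASL认证检查:\n'
  if [[ -f "$DOVECOT_AUTH_CONF" ]]; then
    echo "Dovecot配置:"
    # -E alternation instead of the GNU-only "\|" inside a basic regex
    grep -iE 'auth|sasl' "$DOVECOT_AUTH_CONF"
  fi

  printf '\n6. 防火墙检查:\n'
  if command -v ufw >/dev/null 2>&1; then
    sudo ufw status | grep -E "(25|465|587)/tcp"
  fi

  printf '\n7. 邮件发送测试:\n'
  local test_id
  test_id="ssl_test_$(date +%s)"
  if command -v mail >/dev/null 2>&1; then
    echo "发送测试邮件到root..."
    echo "SSL测试 $test_id" | mail -s "SSL配置测试 $test_id" root
    sleep 2
    echo "检查邮件日志:"
    # Separate -e patterns: the id is matched as its own pattern rather than
    # being spliced into a regex string.
    sudo tail -10 "$MAIL_LOG" | grep -i -e "$test_id" -e ssl -e tls
  else
    echo "未安装mail命令, 跳过发送测试"
  fi

  printf '\n8. 生成SSL SMTP配置报告...\n'
  # mktemp: unpredictable name and mode 0600, since the report includes
  # mail-log lines.
  local report
  report=$(mktemp /tmp/smtp_ssl_report.XXXXXX) || return 1
  # Unquoted delimiter on purpose: the original used <<'EOF', which left
  # every $(...) as literal text in the report instead of its output.
  cat > "$report" <<EOF
SSL SMTP配置报告
================
生成时间: $(date)
主机名: $(hostname)

端口监听状态:
$(show_listener 25; show_listener 465; show_listener 587)

Postfix TLS配置:
$(sudo postconf | grep -i tls)

SSL证书信息:
$(if [[ -f "$CERT_FILE" ]]; then sudo openssl x509 -in "$CERT_FILE" -noout -subject -dates; fi)

最后10条邮件日志:
$(sudo tail -10 "$MAIL_LOG")

建议:
1. 确保端口465在防火墙中开放
2. 使用有效SSL证书以获得更好的兼容性
3. 定期更新SSL证书
4. 考虑启用SPF、DKIM和DMARC记录
EOF

  echo "报告已生成: $report"
  cat "$report"
}

main "$@"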

🔧 常用SSL SMTP命令:

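# 1. Generate a self-signed certificate (umask 077 so the private key is
#    never readable by other users, even briefly)
(umask 077; sudo openssl req -new -x509 -days 3650 -nodes -out /etc/ssl/certs/mail.crt -keyout /etc/ssl/private/mail.key)

# 2. Inspect the certificate
sudo openssl x509 -in /etc/ssl/certs/mail.crt -text -noout

# 3. Test the TLS connection. Port 465 is implicit TLS ("wrapper mode"), so
#    no "-starttls smtp" — that flag is for STARTTLS on ports 25/587 and
#    makes s_client wait for a plaintext banner that never comes.
openssl s_client -connect localhost:465

# 4. Show the TLS settings
sudo postconf | grep tls

# 5. Reload Postfix after a configuration change
sudo systemctl reload postfix

# 6. Check that port 465 is listening (ss replaces the deprecated netstat;
#    the trailing space keeps 4650 etc. from matching)
sudo ss -tlnp | grep ':465 '

# 7. Send a test message. The recipient on the original page was hidden by
#    an anti-spam plugin; replace the placeholder with a real address.
echo "测试" | mail -s "测试" RECIPIENT_ADDRESS_PLACEHOLDER

# 8. TLS-related log lines
sudo grep -i ssl /var/log/mail.log
sudo grep -i tls /var/log/mail.log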

 

