🔐完整SSL SMTP配置
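#!/bin/bash
# Configure Postfix for SMTPS (implicit TLS on port 465) with Dovecot SASL auth.
# Steps: install tools, self-signed certificate, main.cf and master.cf,
# Dovecot auth socket, one SMTP system user, service restart, firewall,
# quick checks. Runs as an ordinary user with sudo; prompts for the SMTP
# user name and password.
set -euo pipefail

echo "=== 配置Postfix使用SSL和465端口 ==="

# 1. Tooling
echo "1. 安装SSL工具..."
sudo apt-get update
sudo apt-get install -y openssl ssl-cert

# 2. Self-signed certificate (skip if a CA-issued one is already in place)
echo "2. 生成SSL证书..."
readonly cert_dir=/etc/postfix/ssl
readonly cert_file="$cert_dir/smtpd.cert"
readonly key_file="$cert_dir/smtpd.key"
sudo mkdir -p "$cert_dir"
# Absolute paths throughout, so no cd into the directory is needed.
sudo openssl req -new -x509 -days 3650 -nodes \
  -out "$cert_file" -keyout "$key_file" \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=Company/CN=$(hostname)"

# Private key is root-only; the certificate is public.
sudo chmod 600 "$key_file"
sudo chmod 644 "$cert_file"

# 3. main.cf. Written with `postconf -e`, which replaces an existing value
# instead of appending a duplicate, so the script can be re-run safely.
echo "3. 配置Postfix SSL设置..."
postfix_settings=(
  # Opportunistic TLS inbound and outbound.
  'smtpd_tls_security_level = may'
  'smtp_tls_security_level = may'
  # Offer AUTH only inside TLS so credentials are never sent in clear.
  'smtpd_tls_auth_only = yes'
  "smtpd_tls_cert_file = $cert_file"
  "smtpd_tls_key_file = $key_file"
  # Disable everything below TLS 1.2.
  'smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
  'smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
  'smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
  'smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
  'smtpd_tls_ciphers = medium'
  'smtpd_tls_mandatory_ciphers = medium'
  # Single-quoted on purpose: Postfix expands ${data_directory} and
  # $myhostname itself.
  'smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache'
  'smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache'
  'smtpd_tls_received_header = yes'
  # NOTE: smtpd_tls_wrappermode is deliberately NOT set here. Set globally
  # it would turn port 25 into implicit TLS and break ordinary SMTP; it is
  # applied only to the smtps service in master.cf (step 4).
  # SASL via the Dovecot auth socket.
  'smtpd_sasl_auth_enable = yes'
  'smtpd_sasl_type = dovecot'
  'smtpd_sasl_path = private/auth'
  'smtpd_sasl_local_domain = $myhostname'
  'smtpd_sasl_security_options = noanonymous'
  'broken_sasl_auth_clients = yes'
  # Relay only for local networks and authenticated users.
  'smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination'
  # Authenticated users may use any sender address.
  'smtpd_sender_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_sender,reject_unknown_sender_domain'
)
for setting in "${postfix_settings[@]}"; do
  sudo postconf -e "$setting"
done

# 4. master.cf: the smtps service. Guarded so a re-run does not append a
# second copy; a commented-out "#smtps" line, as shipped by some distros,
# does not match the anchored grep. Continuation lines must be indented.
echo "4. 配置master.cf启用465端口..."
if sudo grep -qE '^smtps\s+inet' /etc/postfix/master.cf; then
  echo "master.cf 已包含 smtps 服务,跳过"
else
  sudo tee -a /etc/postfix/master.cf >/dev/null << 'EOF'
# ========== SMTPS (port 465, implicit TLS) ==========
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
EOF
fi

# 5. Dovecot as the SASL backend. The stock conf.d files are edited in
# place rather than overwritten, so their other settings (including the
# !include auth-system.conf.ext that provides system-user/PAM auth in the
# stock 10-auth.conf — confirm on your install) survive.
echo "5. 配置SASL认证..."
sudo apt-get install -y dovecot-core dovecot-imapd dovecot-pop3d sasl2-bin

# set_dovecot_opt FILE KEY VALUE: replace an existing (possibly commented)
# "KEY = ..." line, or append one if the key is absent.
set_dovecot_opt() {
  local file=$1 key=$2 value=$3
  if sudo grep -qE "^#?\s*${key}\s*=" "$file"; then
    sudo sed -i -E "s|^#?\s*${key}\s*=.*|${key} = ${value}|" "$file"
  else
    printf '%s = %s\n' "$key" "$value" | sudo tee -a "$file" >/dev/null
  fi
}

# Auth socket Postfix connects to (smtpd_sasl_path = private/auth is
# relative to the Postfix queue directory). Appended as its own block;
# Dovecot merges repeated "service auth" sections — verify the result
# with `doveconf -n`. Anchored grep skips a commented-out listener line.
readonly dovecot_master=/etc/dovecot/conf.d/10-master.conf
if ! sudo grep -qE '^\s*unix_listener /var/spool/postfix/private/auth' "$dovecot_master"; then
  sudo tee -a "$dovecot_master" >/dev/null << 'EOF'

# Postfix SASL auth socket
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
EOF
fi

# No plaintext auth outside TLS; PLAIN/LOGIN mechanisms inside TLS.
set_dovecot_opt /etc/dovecot/conf.d/10-auth.conf disable_plaintext_auth yes
set_dovecot_opt /etc/dovecot/conf.d/10-auth.conf auth_mechanisms 'plain login'

# 6. SMTP account: a system user with no login shell, authenticated via PAM.
echo "6. 创建SMTP用户..."
read -r -p "请输入SMTP用户名(默认:smtpuser): " smtp_user
smtp_user=${smtp_user:-smtpuser}
# The name is handed to useradd/chpasswd: allow only a plain account name.
if [[ ! "$smtp_user" =~ ^[a-z_][a-z0-9_-]*$ ]]; then
  echo "无效的用户名: $smtp_user" >&2
  exit 1
fi
read -r -s -p "请输入SMTP密码: " smtp_pass
echo
if [[ -z "$smtp_pass" ]]; then
  echo "密码不能为空" >&2
  exit 1
fi

if ! id "$smtp_user" &>/dev/null; then
  sudo useradd -m -s /bin/false "$smtp_user"
fi

# chpasswd reads "user:password" on stdin, so the password never appears
# on a command line. printf rather than echo: the value may start with
# '-' or contain backslashes. chpasswd splits at the first colon, and the
# user name was validated to contain none.
printf '%s:%s\n' "$smtp_user" "$smtp_pass" | sudo chpasswd

# 7. Restart services
echo "7. 重启服务..."
sudo systemctl restart postfix
sudo systemctl restart dovecot

# 8. Firewall (ufw only, if present)
echo "8. 配置防火墙..."
if command -v ufw &>/dev/null; then
  sudo ufw allow 25/tcp
  sudo ufw allow 465/tcp
  sudo ufw allow 587/tcp
  sudo ufw reload
fi

# 9. Quick checks
echo "9. 测试SSL SMTP配置..."
echo "正在测试465端口SSL连接..."
# ss (iproute2) rather than netstat, which may not be installed (net-tools).
# grep's non-zero status on no match must not abort the script under -e.
sudo ss -tlnp | grep ':465' || echo "警告: 465端口未监听" >&2

echo "检查SSL证书:"
sudo openssl x509 -in "$cert_file" -text -noout | grep -E "Subject:|Not |Issuer:"

echo "=== 配置完成 ==="
echo "SMTP SSL配置信息:"
echo "服务器: $(hostname)"
echo "端口: 465 (SSL/TLS)"
echo "用户名: $smtp_user"
echo "SSL证书: $cert_file"
echo ""
echo "测试命令:"
# Port 465 is implicit TLS: connect directly. -starttls smtp belongs to the
# submission port (587), and telnet cannot speak to a TLS-wrapped port.
echo "openssl s_client -connect localhost:465"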
测试SSL SMTP连接
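#!/bin/bash
# Exercise an SMTPS (port 465) setup: listener check, TLS handshake,
# optional authenticated send with swaks, certificate dump, and a PHP
# socket test. Helper scripts go to mktemp paths rather than fixed names
# in the shared /tmp. (The unused /tmp/email.txt the original wrote, with
# its variables left unexpanded, is dropped: swaks builds the message.)
set -uo pipefail

echo "=== SSL SMTP连接测试 ==="

# 1. Is anything listening on 465? (ss from iproute2; netstat may be absent)
echo "1. 检查465端口监听状态:"
sudo ss -tlnp | grep ':465' || echo "(465端口未监听)"

# 2. Interactive TLS test script
echo -e "\n2. 测试SSL连接(使用openssl):"
test_script=$(mktemp /tmp/test_smtps.XXXXXX) || exit 1
# Quoted delimiter: the inner script's $variables expand when IT runs.
cat > "$test_script" << 'EOF'
#!/bin/bash
echo "测试SSL SMTP连接..."
echo "按Ctrl+C退出"

# Method 1: plain handshake. 465 is implicit TLS, so no -starttls
# (that option is for the submission port, 587).
echo -e "\n方法1: openssl s_client测试"
openssl s_client -connect localhost:465 << 'SSL_TEST'
EHLO localhost
QUIT
SSL_TEST

# Method 2: authenticated send with swaks (needs a configured SMTP user)
echo -e "\n方法2: 测试认证邮件发送"
echo "这需要已配置SMTP用户"
read -r -p "SMTP用户名: " username
read -r -s -p "密码: " password
echo

if command -v swaks >/dev/null; then
  # --tlsc = TLS on connect (implicit TLS), matching port 465.
  # NOTE: the password is visible to other local users via ps while swaks
  # runs; fine for a one-off test on a host you control.
  swaks --to root --from "$username@$(hostname)" \
    --server localhost --port 465 \
    --auth LOGIN --auth-user "$username" --auth-password "$password" \
    --tlsc --body "SSL SMTP测试" \
    --h-Subject "SSL SMTP测试"
else
  echo "安装swaks进行更全面的测试: sudo apt-get install swaks"
fi
EOF
chmod +x "$test_script"
"$test_script"
rm -f -- "$test_script"

# 3. Certificate details. A glob inside [ -f ... ] breaks with several
# live/ directories, so test the directory and let find enumerate.
echo -e "\n3. 检查SSL证书信息:"
if [ -f /etc/postfix/ssl/smtpd.cert ]; then
  sudo openssl x509 -in /etc/postfix/ssl/smtpd.cert -text -noout | head -20
elif [ -d /etc/letsencrypt/live ]; then
  sudo find /etc/letsencrypt/live -name fullchain.pem \
    -exec openssl x509 -in {} -text -noout \; | head -20
fi

# 4. PHP socket test. The original file lacked the opening <?php tag, so
# php printed the code instead of running it.
echo -e "\n4. PHP SSL SMTP测试脚本:"
php_script=$(mktemp /tmp/test_php_smtps.XXXXXX) || exit 1
cat > "$php_script" << 'PHP'
<?php
echo "PHP SSL SMTP测试\n";
echo "================\n\n";

// PHPMailer-style connection parameters
$host = 'localhost';
$port = 465;
$username = 'smtpuser'; // change to your user name
$password = 'password'; // change to your password

echo "测试连接到: $host:$port\n";

// Implicit-TLS socket. PHP verifies the peer certificate by default, so a
// self-signed smtpd.cert fails here unless the client is given that
// certificate as its CA (stream context cafile).
$socket = fsockopen("ssl://$host", $port, $errno, $errstr, 10);
if (!$socket) {
    echo "❌ SSL连接失败: $errstr ($errno)\n";
} else {
    echo "✅ SSL连接成功\n";
    // Read the server greeting
    $response = fgets($socket, 512);
    echo "服务器响应: $response";
    // Send EHLO
    fwrite($socket, "EHLO localhost\r\n");
    $response = fgets($socket, 512);
    echo "EHLO响应: $response";
    fclose($socket);
    echo "连接测试完成\n";
}

// mail() hands off to the local sendmail binary, so it should still work
echo "\n测试mail()函数: ";
if (mail('root', 'PHP SSL测试', '测试内容', 'From: test@localhost')) {
    echo "✅ 成功\n";
} else {
    echo "❌ 失败\n";
}

// For real SSL SMTP sending use PHPMailer or SwiftMailer
echo "\n对于生产环境,建议使用:\n";
echo "1. PHPMailer (https://github.com/PHPMailer/PHPMailer)\n";
echo "2. SwiftMailer (https://swiftmailer.symfony.com/)\n";
?>
PHP

echo "PHP测试脚本已创建: $php_script"
echo "运行: php $php_script"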
SSL SMTP配置检查和故障排除
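#!/bin/bash
# Diagnostics for an SMTPS (port 465) Postfix + Dovecot setup: listeners,
# effective TLS parameters, certificate, handshake, SASL config, firewall,
# a local test mail, and a report file. No set -e: one failed check must
# not hide the remaining ones.
set -uo pipefail

echo "=== SSL SMTP配置检查 ==="

# 1. Listeners. ss (iproute2) rather than netstat, which may be absent.
# \b after the port stops :25 from also matching :2525.
echo "1. 端口监听状态:"
echo "端口25 (SMTP):"
sudo ss -tlnp | grep -E ':25\b'
echo -e "\n端口465 (SMTPS):"
sudo ss -tlnp | grep -E ':465\b'
echo -e "\n端口587 (Submission):"
sudo ss -tlnp | grep -E ':587\b'

# 2. Effective Postfix TLS parameters (defaults included, not just main.cf)
echo -e "\n2. Postfix SSL配置:"
sudo postconf | grep -i tls | head -20

# 3. Certificate
echo -e "\n3. SSL证书检查:"
if [ -f /etc/postfix/ssl/smtpd.cert ]; then
  echo "自签名证书: /etc/postfix/ssl/smtpd.cert"
  sudo openssl x509 -in /etc/postfix/ssl/smtpd.cert -noout -text | grep -E "Subject:|Not |Issuer:"
elif [ -d /etc/letsencrypt/live ]; then
  echo "Let's Encrypt证书:"
  sudo find /etc/letsencrypt/live -name fullchain.pem \
    -exec sh -c 'echo "证书: $1"; openssl x509 -in "$1" -noout -subject -dates' _ {} \;
else
  echo "未找到SSL证书"
fi

# 4. Handshake. Port 465 is implicit TLS (no -starttls). stdin from
# /dev/null lets s_client exit after the greeting instead of waiting for
# the 5 s timeout.
echo -e "\n4. SSL连接测试:"
echo "测试465端口SSL连接..."
timeout 5 openssl s_client -connect localhost:465 -quiet </dev/null 2>&1 | head -5

# 5. SASL
echo -e "\n5. SASL认证检查:"
if [ -f /etc/dovecot/conf.d/10-auth.conf ]; then
  echo "Dovecot配置:"
  grep -iE "auth|sasl" /etc/dovecot/conf.d/10-auth.conf
fi

# 6. Firewall
echo -e "\n6. 防火墙检查:"
if command -v ufw >/dev/null; then
  sudo ufw status | grep -E "(25|465|587)/tcp"
fi

# 7. Local test mail, tagged with a unique id so it can be found in the log.
echo -e "\n7. 邮件发送测试:"
if command -v mail >/dev/null; then
  echo "发送测试邮件到root..."
  TEST_ID="ssl_test_$(date +%s)"
  echo "SSL测试 $TEST_ID" | mail -s "SSL配置测试 $TEST_ID" root
  sleep 2
  echo "检查邮件日志:"
  sudo tail -10 /var/log/mail.log | grep -iE "$TEST_ID|ssl|tls"
else
  echo "未安装 mail 命令,跳过发送测试"
fi

# 8. Report. The heredoc delimiter is unquoted so the $(...) snapshots are
# evaluated — the original 'EOF' form wrote them out literally. mktemp
# creates the file mode 0600, which matters because it embeds mail.log.
echo -e "\n8. 生成SSL SMTP配置报告..."
report=$(mktemp /tmp/smtp_ssl_report.XXXXXX) || exit 1
cat > "$report" << EOF
SSL SMTP配置报告
================
生成时间: $(date)
主机名: $(hostname)

端口监听状态:
$(sudo ss -tlnp | grep -E ':(25|465|587)\b')

Postfix TLS配置:
$(sudo postconf | grep -i tls)

SSL证书信息:
$(if [ -f /etc/postfix/ssl/smtpd.cert ]; then
    sudo openssl x509 -in /etc/postfix/ssl/smtpd.cert -noout -subject -dates
  fi)

最后10条邮件日志:
$(sudo tail -10 /var/log/mail.log)

建议:
1. 确保端口465在防火墙中开放
2. 使用有效SSL证书以获得更好的兼容性
3. 定期更新SSL证书
4. 考虑启用SPF、DKIM和DMARC记录
EOF

echo "报告已生成: $report"
cat "$report"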
🔧 常用SSL SMTP命令:
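# 1. Generate a self-signed certificate (the key lands in the root-only
#    /etc/ssl/private; the certificate is public)
sudo openssl req -new -x509 -days 3650 -nodes -out /etc/ssl/certs/mail.crt -keyout /etc/ssl/private/mail.key

# 2. Inspect the certificate
sudo openssl x509 -in /etc/ssl/certs/mail.crt -text -noout

# 3. Test the TLS handshake. Port 465 is implicit TLS, so connect directly;
#    -starttls smtp is only for the submission port (587).
openssl s_client -connect localhost:465
openssl s_client -connect localhost:587 -starttls smtp

# 4. Show the effective TLS settings
sudo postconf | grep tls

# 5. Reload Postfix after configuration changes
sudo systemctl reload postfix

# 6. Listener status (ss from iproute2; netstat may not be installed)
sudo ss -tlnp | grep ':465'

# 7. Send a local test mail. mail needs a recipient; root is the local
#    account the check script also uses.
echo "测试" | mail -s "测试" root

# 8. TLS-related log lines
sudo grep -i ssl /var/log/mail.log
sudo grep -i tls /var/log/mail.log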