七、配置Postfix使用SSL/TLS和465端口

🔐完整SSL SMTP配置

#!/bin/bash
echo "=== 配置Postfix使用SSL和465端口 ==="

# 1. 安装必要的工具
echo "1. 安装SSL工具..."
sudo apt-get update
sudo apt-get install -y openssl ssl-cert

# 2. 生成自签名SSL证书（如果已经有证书可以跳过）
echo "2. 生成SSL证书..."
sudo mkdir -p /etc/postfix/ssl
cd /etc/postfix/ssl

# 生成私钥和证书
sudo openssl req -new -x509 -days 3650 -nodes -out /etc/postfix/ssl/smtpd.cert \
-keyout /etc/postfix/ssl/smtpd.key -subj "/C=CN/ST=Beijing/L=Beijing/O=Company/CN=$(hostname)"

# 设置正确的权限
sudo chmod 600 /etc/postfix/ssl/smtpd.key
sudo chmod 644 /etc/postfix/ssl/smtpd.cert

# 3. 配置Postfix使用SSL
echo "3. 配置Postfix SSL设置..."
sudo tee -a /etc/postfix/main.cf << 'EOF'

# ========== SSL/TLS配置 ==========
# 启用TLS支持
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_tls_auth_only = yes

# SSL证书路径
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.cert
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key

# TLS协议版本
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1

# 加密套件
smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = medium

# TLS会话缓存
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# 启用465端口（SMTPS）
smtpd_tls_wrappermode = yes
smtpd_tls_received_header = yes

# ========== 认证配置 ==========
# 启用SASL认证
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes

# 认证限制
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination

# 允许通过认证的用户使用任意发件人
smtpd_sender_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_non_fqdn_sender,
reject_unknown_sender_domain

# ========== 端口配置 ==========
# 监听465端口
smtps inet n - y - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_client_restrictions=$mua_client_restrictions
-o smtpd_helo_restrictions=$mua_helo_restrictions
-o smtpd_sender_restrictions=$mua_sender_restrictions
-o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
EOF

# 4. 配置master.cf以启用465端口
echo "4. 配置master.cf启用465端口..."
sudo tee -a /etc/postfix/master.cf << 'EOF'

# ========== SMTPS (465端口) ==========
smtps inet n - y - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
EOF

# 5. 安装并配置SASL认证
echo "5. 配置SASL认证..."
sudo apt-get install -y dovecot-core dovecot-imapd dovecot-pop3d sasl2-bin

# 配置dovecot用于SASL认证
sudo tee /etc/dovecot/conf.d/10-master.conf << 'EOF'
service auth {
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
}
EOF

sudo tee /etc/dovecot/conf.d/10-auth.conf << 'EOF'
disable_plaintext_auth = yes
auth_mechanisms = plain login
!include auth-system.conf.ext
EOF

# 6. 创建SMTP用户
echo "6. 创建SMTP用户..."
echo -n "请输入SMTP用户名（默认：smtpuser）: "
read smtp_user
smtp_user=${smtp_user:-smtpuser}

echo -n "请输入SMTP密码: "
read -s smtp_pass
echo

# 创建系统用户（如果不存在）
if ! id "$smtp_user" &>/dev/null; then
sudo useradd -m -s /bin/false "$smtp_user"
fi

# 设置密码
echo "$smtp_user:$smtp_pass" | sudo chpasswd

# 7. 重启服务
echo "7. 重启服务..."
sudo systemctl restart postfix
sudo systemctl restart dovecot

# 8. 开放防火墙端口
echo "8. 配置防火墙..."
if command -v ufw &>/dev/null; then
sudo ufw allow 25/tcp
sudo ufw allow 465/tcp
sudo ufw allow 587/tcp
sudo ufw reload
fi

# 9. 测试配置
echo "9. 测试SSL SMTP配置..."
echo "正在测试465端口SSL连接..."

# 测试SSL连接
sudo netstat -tlnp | grep :465

# 测试SSL证书
echo "检查SSL证书:"
sudo openssl x509 -in /etc/postfix/ssl/smtpd.cert -text -noout | grep -E "Subject:|Not |Issuer:"

echo "=== 配置完成 ==="
echo "SMTP SSL配置信息:"
echo "服务器: $(hostname)"
echo "端口: 465 (SSL/TLS)"
echo "用户名: $smtp_user"
echo "SSL证书: /etc/postfix/ssl/smtpd.cert"
echo ""
echo "测试命令:"
echo "openssl s_client -connect localhost:465 -starttls smtp"
echo "telnet localhost 465"

测试SSL SMTP连接

#!/bin/bash
echo "=== SSL SMTP连接测试 ==="

# 测试465端口是否监听
echo "1. 检查465端口监听状态:"
sudo netstat -tlnp | grep :465

# 测试SSL连接
echo -e "\n2. 测试SSL连接（使用openssl）:"
cat > /tmp/test_smtps.sh << 'EOF'
#!/bin/bash
echo "测试SSL SMTP连接..."
echo "按Ctrl+C退出"

# 方法1: 使用openssl s_client测试
echo -e "\n方法1: openssl s_client测试"
openssl s_client -connect localhost:465 -starttls smtp << 'SSL_TEST'
EHLO localhost
QUIT
SSL_TEST

# 方法2: 测试邮件发送（如果配置了认证）
echo -e "\n方法2: 测试认证邮件发送"
echo "这需要已配置SMTP用户"
read -p "SMTP用户名: " username
read -sp "密码: " password
echo

cat > /tmp/email.txt << 'EMAIL'
From: $username@$(hostname)
To: root@$(hostname)
Subject: SSL SMTP测试邮件
Date: $(date)

这是一封通过SSL SMTP发送的测试邮件。

如果收到此邮件，说明SSL SMTP配置成功！
EMAIL

# 使用swaks或其他工具测试
if command -v swaks >/dev/null; then
swaks --to root --from $username@$(hostname) \
--server localhost --port 465 \
--auth LOGIN --auth-user $username --auth-pass "$password" \
--tlsc --body "SSL SMTP测试" \
--h-Subject "SSL SMTP测试"
else
echo "安装swaks进行更全面的测试: sudo apt-get install swaks"
fi
EOF

chmod +x /tmp/test_smtps.sh
/tmp/test_smtps.sh

# 3. 检查SSL证书信息
echo -e "\n3. 检查SSL证书信息:"
if [ -f /etc/postfix/ssl/smtpd.cert ]; then
sudo openssl x509 -in /etc/postfix/ssl/smtpd.cert -text -noout | head -20
elif [ -f /etc/letsencrypt/live/*/fullchain.pem ]; then
sudo find /etc/letsencrypt/live -name "fullchain.pem" -exec openssl x509 -in {} -text -noout \; | head -20
fi

# 4. 测试PHP使用SSL SMTP
echo -e "\n4. PHP SSL SMTP测试脚本:"
cat > /tmp/test_php_smtps.php << 'PHP'

echo "PHP SSL SMTP测试\n";
echo "================\n\n";