When the Proxmox interface was installed, <code>postfix</code> was installed automatically.
Edit the postfix configuration in <code>/etc/postfix/main.cf</code> as follows:
<pre>
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = onyx.csnu.org
mydomain = onyx.csnu.org
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = onyx.csnu.org, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/24
mailbox_size_limit = 0
recipient_delimiter = +
inet_protocols = all
inet_interfaces = 127.0.0.1, [::1], 192.168.0.1, 91.121.141.220, [2001:41d0:1:bcdc::220]
# Continuation lines of a multi-line value must start with whitespace
smtpd_sender_restrictions =
    reject_unknown_sender_domain,
    reject_non_fqdn_sender
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_invalid_hostname
</pre>
==SSL==
If you have your own SSL certificate authority, you can generate your own certificate.
Add the following lines to <code>/etc/ssl/openssl.cnf</code>:
<pre>
[POSTFIX]
nsComment = "SMTP Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
issuerAltName = issuer:copy
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
nsCertType = server
extendedKeyUsage = serverAuth
</pre>
Then generate the key and the certificate:
<pre>
openssl req -config /etc/ssl/openssl.cnf -nodes -newkey rsa:2048 -keyout postfix.key -out postfix.req
openssl ca -config /etc/ssl/openssl.cnf -name onyx_ca -extensions POSTFIX -in postfix.req -out postfix.pem
</pre>
<pre>
mkdir /etc/postfix/ssl
# Move the key and certificate generated above (postfix.key, postfix.pem)
# to the file names referenced in main.cf
mv postfix.key /etc/postfix/ssl/smtpd.key
mv postfix.pem /etc/postfix/ssl/smtpd.pem
chmod 600 /etc/postfix/ssl/*
cat /etc/ssl/root_ca/root_ca.pem /etc/ssl/core_ca/core_ca.pem > /etc/postfix/ssl/ca_chain.pem
</pre>
You still need to edit <code>/etc/postfix/main.cf</code>:
<pre>
smtpd_tls_cert_file=/etc/postfix/ssl/smtpd.pem
smtpd_tls_key_file=/etc/postfix/ssl/smtpd.key
smtpd_tls_CAfile=/etc/ssl/csnu.org/ca.pem
smtp_tls_cert_file=/etc/postfix/ssl/smtpd.pem
smtp_tls_key_file=/etc/postfix/ssl/smtpd.key
smtp_tls_CAfile=/etc/postfix/ssl/ca_chain.pem
</pre>
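The SSL section sets <code>smtpd_tls_*</code> parameters that the first <code>main.cf</code> listing already points at the snakeoil pair. The Python sketch below is an added example, not part of the original page: it reads <code>main.cf</code> the way Postfix does (a line starting with whitespace continues the previous one, the last assignment of a parameter wins) and checks the certificate paths and the relay restriction. The function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample: a trimmed main.cf in the page's layout, with the TLS
# lines from the SSL section appended after the original snakeoil ones.
SAMPLE = """\
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unauth_pipelining
smtpd_tls_cert_file=/etc/postfix/ssl/smtpd.pem
smtpd_tls_key_file=/etc/postfix/ssl/smtpd.key
"""

def parse_main_cf(text):
    """Return (params, overridden); a later assignment replaces an earlier one."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments are ignored
        if line[0] in " \t" and logical:
            logical[-1] += " " + line.strip()  # leading whitespace: continuation
        else:
            logical.append(line.strip())
    params, overridden = {}, []
    for entry in logical:
        name, sep, value = entry.partition("=")
        if not sep:  # e.g. a continuation line that lost its indentation
            raise ValueError(f"not a 'name = value' line: {entry!r}")
        name = name.strip()
        if name in params:
            overridden.append(name)
        params[name] = value.strip()
    return params, overridden

def audit(params):
    """List findings for the effective TLS paths and relay rules."""
    findings = []
    for key in ("smtpd_tls_cert_file", "smtpd_tls_key_file"):
        if "snakeoil" in params.get(key, ""):
            findings.append(f"{key} still points at the snakeoil pair")
    rules = re.split(r"[,\s]+", params.get("smtpd_recipient_restrictions", ""))
    if "reject_unauth_destination" not in rules:
        findings.append("smtpd_recipient_restrictions lacks reject_unauth_destination")
    return findings
```

The names in <code>overridden</code> are parameters assigned more than once; removing the older lines from the file keeps the effective value unambiguous.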
=Create and configure a Debian 6.0 VE=