步骤1:首先检查SSL证书
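# Step 1: make sure a server certificate/key pair exists for Postfix TLS.
# The pair generated here is self-signed (CN=localhost), so remote clients
# cannot verify it; use a CA-issued certificate for anything beyond local tests.
echo "=== 检查SSL证书 ==="
cert_file=/etc/postfix/ssl/smtpd.cert
key_file=/etc/postfix/ssl/smtpd.key

# 1. Reuse the existing pair only if both files are present AND the
#    certificate is not expired (-checkend 0 fails for an expired cert);
#    the original only tested existence, and an expired cert makes every
#    TLS handshake fail.
if [ -f "$cert_file" ] && [ -f "$key_file" ] \
   && sudo openssl x509 -in "$cert_file" -noout -checkend 0 >/dev/null 2>&1; then
  echo "✅ SSL证书已存在"
  echo "证书文件:"
  ls -la /etc/postfix/ssl/
  printf '\n证书信息:\n'
  sudo openssl x509 -in "$cert_file" -noout -subject -dates
else
  echo "⚠️ SSL证书不存在,重新生成..."
  sudo mkdir -p /etc/postfix/ssl
  # -newkey is explicit so the key size does not depend on the OpenSSL
  # default; -nodes leaves the key unencrypted, which Postfix needs in order
  # to start unattended. -addext requires OpenSSL >= 1.1.1.
  sudo openssl req -new -x509 -days 3650 -nodes -newkey rsa:2048 \
    -out "$cert_file" \
    -keyout "$key_file" \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=Company/CN=localhost" \
    -addext "subjectAltName = DNS:localhost, IP:127.0.0.1"
  # The private key must not be world-readable (Postfix reads it as root
  # before dropping privileges); the certificate is public.
  sudo chmod 600 "$key_file"
  sudo chmod 644 "$cert_file"
fi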
步骤2:启用SSL配置
#!/bin/bash
# Step 2: enable TLS in Postfix. Both configuration files are backed up
# first so the change can be reverted with a plain copy.
echo "=== 启用Postfix SSL配置 ==="

# 1. Back up the current configuration (overwritten on rerun)
echo "1. 备份当前配置..."
for cfg in main.cf master.cf; do
  sudo cp "/etc/postfix/$cfg" "/etc/postfix/$cfg.backup.before_ssl"
done
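# 2. Add the TLS settings to main.cf.
# postconf -e is used instead of `tee -a` so the script is idempotent: rerunning
# it updates the values in place instead of appending duplicate parameters.
#
# Two settings from the original block are intentionally NOT written:
# - smtpd_use_tls: legacy switch, superseded by smtpd_tls_security_level.
# - smtpd_tls_wrappermode = yes: setting this globally makes the port-25
#   smtpd expect an immediate TLS handshake as well, which breaks plain SMTP
#   from other mail servers. Wrapper mode belongs only on the smtps service
#   in master.cf (-o smtpd_tls_wrappermode=yes), which step 3 configures.
#
# "may" = opportunistic TLS: a peer that does not offer STARTTLS still gets
# a plaintext session, so this encrypts where possible but guarantees nothing.
echo "2. 添加SSL配置到main.cf..."
sudo postconf -e \
  'smtpd_tls_security_level = may' \
  'smtp_tls_security_level = may' \
  'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.cert' \
  'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key' \
  'smtpd_tls_protocols = !SSLv2, !SSLv3' \
  'smtpd_tls_ciphers = medium' \
  'smtpd_tls_received_header = yes' \
  'smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache' \
  'smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache'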
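# 3. Enable the smtps (implicit TLS, port 465) service in master.cf.
echo "3. 在master.cf中启用smtps服务..."

# Remove any existing smtps service first so reruns do not duplicate it.
# A plain `sed '/^smtps/d'` deletes only the service line and leaves its
# indented "-o" continuation lines behind, which Postfix then either rejects
# or attaches to the preceding service. The awk below drops the service line
# together with every continuation line that follows it. The filtered copy
# is only installed if awk succeeded, so master.cf is never truncated.
tmp=$(mktemp) || exit 1
if sudo awk '
  /^smtps[[:space:]]/ { skip = 1; next }
  skip && /^[[:space:]]/ { next }
  { skip = 0; print }
' /etc/postfix/master.cf > "$tmp"; then
  sudo cp "$tmp" /etc/postfix/master.cf
fi
rm -f -- "$tmp"

# Append the service. Continuation lines MUST start with whitespace.
# Relay is limited to mynetworks + reject_unauth_destination, so this does
# not create an open relay. Note that smtpd_tls_auth_only only matters once
# SASL is enabled, and no smtpd_sasl_* setting is made in this guide: remote
# clients will not be able to authenticate and relay through 465 as shown.
sudo tee -a /etc/postfix/master.cf << 'EOF'
# SMTPS (SSL on port 465)
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination
  -o smtpd_relay_restrictions=permit_mynetworks,reject_unauth_destination
EOF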
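# 4. Syntax-check the new configuration before reloading; abort otherwise.
#    `postfix check` already prints its diagnostics, so the original second
#    invocation in the failure branch was redundant.
echo "4. 检查配置语法..."
if sudo postfix check; then
  echo "✅ 配置文件语法正确"
else
  echo "❌ 配置文件有错误"
  exit 1
fi

# 5. Apply the configuration. `postfix reload` is sufficient on its own; the
#    systemctl reload is kept for units that wrap extra logic.
echo "5. 重新加载Postfix..."
sudo postfix reload
sudo systemctl reload postfix

# 6. Confirm both listeners. `ss` replaces the deprecated netstat; the
#    trailing whitespace in the pattern stops ":25" from also matching ":2525".
echo "6. 检查端口监听状态..."
sleep 2
echo "端口25 (SMTP):"
sudo ss -tlnp | grep ':25[[:space:]]'
printf '\n端口465 (SMTPS):\n'
sudo ss -tlnp | grep ':465[[:space:]]' || echo "端口465未监听"

# 7. Handshake test. The failure message is decided on the presence of the
#    220 banner: the original `... | head | echo` form could never fire
#    because head exits 0 even when nothing was received. QUIT on stdin makes
#    s_client return instead of idling until the timeout. Certificate
#    verification errors are expected here (self-signed cert).
echo "7. 测试SSL连接..."
echo "使用openssl测试SSL连接:"
banner=$(printf 'QUIT\r\n' | timeout 5 openssl s_client -connect localhost:465 -quiet 2>&1 | head -10)
printf '%s\n' "$banner"
printf '%s\n' "$banner" | grep -q '^220' || echo "SSL连接测试失败"

echo "=== SSL配置完成 ==="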
步骤3:测试SSL邮件发送
#!/bin/bash
# Step 3: exercise mail delivery after the TLS change.
echo "=== 测试SSL邮件功能 ==="

# 1. Plain local submission. mail(1) typically hands the message to the
#    local sendmail binary rather than opening port 25 itself, so this
#    checks delivery, not the network listener.
echo "1. 测试普通SMTP (25端口)..."
if echo "普通邮件测试 $(date)" | mail -s "普通SMTP测试" root 2>&1; then
  echo "✅ 普通邮件发送成功"
else
  echo "❌ 普通邮件发送失败"
fi
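# 2. Connection test over 465 plus a sendmail(8) submission. mail(1) offers
#    no way to target port 465, so these checks are scripted separately.
printf '\n2. 测试SSL邮件发送...\n'

# mktemp instead of fixed names in /tmp: a predictable path in a
# world-writable directory can be pre-created or symlinked by another local
# user, and the script file is executed below.
test_script=$(mktemp) || exit 1
test_mail=$(mktemp) || exit 1

# The outer delimiter is quoted, so the inner script is written literally
# and only expands when it runs. The mail file path is passed as $1.
cat > "$test_script" << 'EOF'
#!/bin/bash
# Several ways to exercise the TLS-enabled mail system.
mail_file=$1

# (uses openssl s_client, not telnet; a 220 banner means the TLS listener is up)
echo "方法1: 使用telnet测试SSL连接"
echo "QUIT" | timeout 5 openssl s_client -connect localhost:465 -quiet 2>&1 | head -5

printf '\n方法2: 使用sendmail命令测试\n'
# Unquoted delimiter so $(date) and $(hostname) are expanded into the body;
# the original quoted 'MAIL' delimiter sent them as literal text. The blank
# line after the headers is required so sendmail -t does not treat the body
# as header lines. (The original From line had a stray trailing '>'.)
cat > "$mail_file" << MAIL
To: root
Subject: SSL邮件测试 via sendmail
From: ssl-test@localhost

这是一封通过SSL邮件系统发送的测试邮件。
如果收到此邮件,说明SSL配置正常工作。
时间: $(date)
服务器: $(hostname)
MAIL

# -t takes the recipients from the message headers.
if /usr/sbin/sendmail -t < "$mail_file" 2>&1; then
  echo "sendmail命令执行成功"
else
  echo "sendmail命令执行失败"
fi

printf '\n方法3: 检查邮件日志\n'
sudo tail -5 /var/log/mail.log
EOF
chmod +x "$test_script"
"$test_script" "$test_mail"
rm -f -- "$test_script" "$test_mail"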
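# 3. PHP mail tests. The script is written to a mktemp file rather than a
#    fixed /tmp path (predictable names in a world-writable directory can be
#    pre-created or symlinked by another local user). The heredoc delimiter
#    is quoted, so the PHP source is written literally.
printf '\n3. 测试PHP SSL邮件发送...\n'
php_test=$(mktemp) || exit 1
cat > "$php_test" << 'PHP'
<?php
echo "PHP SSL邮件测试\n";
echo "================\n\n";

// Test 1: plain mail(). mail() hands the message to the configured
// sendmail_path (the local MTA by default), so this does not touch port
// 465; it only proves local submission still works after the TLS change.
// The body uses double quotes so "\n" is a real newline (it was literal
// text inside the original single-quoted string).
echo "测试1: 普通mail()函数\n";
$test1 = mail('root', 'PHP SSL测试 ' . date('H:i:s'),
    "如果收到此邮件,说明PHP的mail()函数正常。\nSSL配置不影响普通邮件发送。",
    'From: php-ssl-test@localhost');
echo "结果: " . ($test1 ? "✅ 成功" : "❌ 失败") . "\n\n";

// Test 2: raw TLS connection to the smtps listener.
// Peer verification is disabled ONLY because the server presents a
// self-signed certificate on localhost. Do not copy these three options
// into code that talks to a remote host: they make the connection
// trivially interceptable.
echo "测试2: 测试SSL连接\n";
$context = stream_context_create([
    'ssl' => [
        'verify_peer'       => false,
        'verify_peer_name'  => false,
        'allow_self_signed' => true,
    ],
]);
try {
    $socket = stream_socket_client(
        'ssl://localhost:465', $errno, $errstr, 5, STREAM_CLIENT_CONNECT, $context
    );
    if ($socket) {
        echo "✅ SSL连接成功\n";
        // Read the 220 greeting (a single fread may be partial; fine for a smoke test).
        $welcome = fread($socket, 512);
        echo "服务器欢迎: $welcome";
        fwrite($socket, "EHLO localhost\r\n");
        sleep(1);
        $response = fread($socket, 1024);
        echo "EHLO响应: $response\n";
        fwrite($socket, "QUIT\r\n");
        fclose($socket);
    } else {
        echo "❌ SSL连接失败: $errstr ($errno)\n";
    }
} catch (Exception $e) {
    echo "❌ 异常: " . $e->getMessage() . "\n";
}

// Test 3: HTML mail through mail() -- same local-submission path as test 1.
echo "\n测试3: HTML邮件测试\n";
$html_message  = "<html><body>";
$html_message .= "<h1>SSL HTML邮件测试</h1>";
$html_message .= "<p>这是一封通过SSL发送的HTML格式测试邮件。</p>";
$html_message .= "<ul>";
$html_message .= "<li>时间: " . date('Y-m-d H:i:s') . "</li>";
$html_message .= "<li>服务器: " . php_uname('n') . "</li>";
$html_message .= "<li>PHP版本: " . phpversion() . "</li>";
$html_message .= "</ul>";
$html_message .= "<p>如果收到此邮件,说明您的邮件系统支持SSL和HTML。</p>";
$html_message .= "</body></html>";

$headers  = "From: html-test@localhost\r\n";
$headers .= "MIME-Version: 1.0\r\n";
$headers .= "Content-Type: text/html; charset=UTF-8\r\n";

$test3 = mail('root', 'SSL HTML邮件测试', $html_message, $headers);
echo "结果: " . ($test3 ? "✅ 成功" : "❌ 失败") . "\n\n";

echo "=== 测试总结 ===\n";
echo "如果所有测试都成功,您的SSL邮件系统已完全配置好!\n";
?>
PHP
echo "运行PHP SSL测试..."
php "$php_test"
rm -f -- "$php_test"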
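# 4. Mail log: only the TLS/delivery related lines
printf '\n4. 查看邮件日志...\n'
sudo tail -10 /var/log/mail.log 2>/dev/null | grep -i "ssl\|tls\|465\|sent\|delivered"

# 5. Latest subjects in root's mailbox.
#    /var/mail/root is normally readable only by root, so it is read via sudo;
#    the original unprivileged grep would silently report "no mail". The
#    "not found" message is decided on the captured output, because tail's
#    exit status is 0 even when grep matched nothing, so the original
#    `... | tail -5 || echo` could never fire.
printf '\n5. 查看最新的邮件...\n'
echo "等待邮件处理..."
sleep 3
echo "最新的几封邮件主题:"
subjects=$(sudo grep "^Subject: " /var/mail/root 2>/dev/null | tail -5)
if [ -n "$subjects" ]; then
  printf '%s\n' "$subjects"
else
  echo "没有找到邮件"
fi

echo "=== 测试完成 ==="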
步骤4:完整的SSL配置优化
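#!/bin/bash
# Step 4: finish and harden the TLS setup (firewall, certificate, protocol
# and cipher policy, DH parameters) and run a final end-to-end check.
echo "=== 完整的SSL邮件系统配置 ==="

# 1. Postfix should be running, otherwise the reload later does nothing.
echo "1. 检查Postfix状态..."
sudo systemctl is-active postfix

# 2. Firewall: open 25 and 465. Both ports become reachable from anywhere,
#    so the smtpd relay restrictions are what stands between this host and
#    an open relay (the smtps entry uses permit_mynetworks,
#    reject_unauth_destination; port 25 relies on the main.cf/default
#    smtpd_relay_restrictions) -- re-check them before exposing the host.
echo "2. 配置防火墙..."
if command -v ufw >/dev/null; then
  echo "使用ufw配置防火墙..."
  sudo ufw allow 25/tcp
  sudo ufw allow 465/tcp
  sudo ufw reload
  sudo ufw status | grep -E "(25|465)/tcp"
elif command -v iptables >/dev/null; then
  echo "使用iptables配置防火墙..."
  # -C checks for the rule first so reruns do not stack duplicates.
  # Caveats: -A appends after any existing final DROP/REJECT rule (use -I in
  # that case), and nothing here persists the rules across a reboot.
  for port in 25 465; do
    sudo iptables -C INPUT -p tcp --dport "$port" -j ACCEPT 2>/dev/null \
      || sudo iptables -A INPUT -p tcp --dport "$port" -j ACCEPT
  done
  echo "防火墙规则已添加"
else
  echo "未找到防火墙工具,请手动开放25和465端口"
fi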
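# 3. Ensure a usable certificate/key pair exists (self-signed if not).
echo "3. 确保SSL证书有效..."
CERT_FILE="/etc/postfix/ssl/smtpd.cert"
KEY_FILE="/etc/postfix/ssl/smtpd.key"

# Regenerate when either file is missing OR the certificate has expired
# (-checkend 0 fails for an expired cert). The original only checked
# existence, so an expired pair was kept and every handshake would fail.
if [ ! -f "$CERT_FILE" ] || [ ! -f "$KEY_FILE" ] \
   || ! sudo openssl x509 -in "$CERT_FILE" -noout -checkend 0 >/dev/null 2>&1; then
  echo "生成SSL证书..."
  sudo mkdir -p /etc/postfix/ssl
  # Self-signed, CN and SAN set to this host (plus localhost/127.0.0.1 for
  # local tests). -nodes leaves the key unencrypted so Postfix can start
  # unattended; -addext needs OpenSSL >= 1.1.1. Remote clients will not
  # trust this certificate -- use a CA-issued one for production.
  sudo openssl req -new -x509 -days 3650 -nodes -newkey rsa:2048 \
    -out "$CERT_FILE" \
    -keyout "$KEY_FILE" \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=Company/CN=$(hostname)" \
    -addext "subjectAltName = DNS:localhost, DNS:$(hostname), IP:127.0.0.1"
  # Key is root-only; the certificate is public.
  sudo chmod 600 "$KEY_FILE"
  sudo chmod 644 "$CERT_FILE"
fi

# Show the validity window
echo "证书有效期:"
sudo openssl x509 -in "$CERT_FILE" -noout -dates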
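# 4. TLS policy hardening.
# postconf -e replaces values in place, so reruns do not append duplicate
# parameters to main.cf (the original `tee -a` did, and Postfix then takes
# the last occurrence, which makes the effective config hard to audit).
#
# Caveats a reviewer would raise before copying this:
# - smtpd_tls_protocols and smtpd_tls_ciphers govern *opportunistic* TLS on
#   port 25. A peer that only speaks TLS 1.0/1.1 or a weaker cipher does not
#   fail -- it falls back to plaintext. So these lines harden the encrypted
#   path; they do not guarantee encryption. Restricting the opportunistic
#   settings is generally discouraged in the Postfix TLS documentation for
#   this reason; the *_mandatory_* settings are the ones that actually enforce.
# - The "!TLSv1, !TLSv1.1" exclusion form works on every supported Postfix;
#   the shorter ">=TLSv1.2" form needs Postfix 3.6+.
# - smtpd_tls_dh1024_param_file points at the file produced in step 5; until
#   it exists Postfix is expected to warn at reload and use built-in
#   parameters (verify in mail.log after the reload).
echo "4. 优化SSL配置..."
sudo postconf -e \
  'smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1' \
  'smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1' \
  'smtpd_tls_ciphers = high' \
  'smtpd_tls_exclude_ciphers = aNULL, MD5, DES, RC4, PSK, 3DES, eNULL' \
  'smtpd_tls_loglevel = 1' \
  'smtp_tls_loglevel = 1' \
  'smtpd_tls_session_cache_timeout = 3600s' \
  'smtp_tls_session_cache_timeout = 3600s' \
  'smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dhparam.pem'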
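# 5. DH parameters for DHE key exchange.
#    Generation is still backgrounded so the progress message can be shown,
#    but `wait` now blocks before the reload: the original reloaded Postfix
#    immediately, so the reload could run before dhparam.pem existed (or
#    while it was still being written). 2048-bit generation takes a while.
echo "5. 生成DH参数..."
if [ ! -f /etc/postfix/ssl/dhparam.pem ]; then
  echo "生成DH参数(这可能需要几分钟)..."
  sudo openssl dhparam -out /etc/postfix/ssl/dhparam.pem 2048 2>/dev/null &
  dh_pid=$!
  echo "DH参数生成中...请稍后"
  if ! wait "$dh_pid"; then
    echo "DH参数生成失败" >&2
  fi
fi

# 6. Reload so the new main.cf values and DH file are picked up
echo "6. 重新加载Postfix配置..."
sudo postfix reload
sudo systemctl reload postfix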
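# 7. Final end-to-end check. The script goes to a mktemp file instead of a
#    fixed /tmp name (a predictable path in /tmp can be pre-created or
#    symlinked by another local user, and this file is executed). The
#    heredoc delimiter is quoted, so the inner script is written literally
#    and expands only when it runs.
echo "7. 创建SSL测试脚本..."
final_test=$(mktemp) || exit 1
cat > "$final_test" << 'EOF'
#!/bin/bash
echo "=== 最终SSL邮件系统测试 ==="
echo "测试时间: $(date)"
echo "============================"

# ss replaces the deprecated netstat; the trailing whitespace in the pattern
# keeps ":25" from matching ":2525".
printf '\n1. 端口检查:\n'
echo "端口25 (SMTP):"
sudo ss -tlnp | grep ':25[[:space:]]'
printf '\n端口465 (SMTPS):\n'
sudo ss -tlnp | grep ':465[[:space:]]'

printf '\n2. SSL证书检查:\n'
if [ -f /etc/postfix/ssl/smtpd.cert ]; then
  sudo openssl x509 -in /etc/postfix/ssl/smtpd.cert -noout -text \
    | grep -E "Subject:|Not |Issuer:|DNS:|IP:" | head -10
else
  echo "SSL证书未找到"
fi

# Verification errors from s_client are expected with a self-signed cert;
# the 220 banner after the handshake is the signal. QUIT on stdin makes
# s_client return instead of idling until the timeout.
printf '\n3. SSL连接测试:\n'
echo "测试1: 基本SSL连接"
timeout 5 openssl s_client -connect localhost:465 -quiet <<< "QUIT" 2>&1 | head -5

printf '\n测试2: 详细SSL信息\n'
timeout 5 openssl s_client -connect localhost:465 -state -debug <<< "QUIT" 2>&1 \
  | grep -E "SSL_connect|Cipher|Protocol|Certificate" | head -10

# mail(1) typically submits through the local sendmail path, not port 465,
# so this checks delivery rather than the TLS listener.
printf '\n4. 邮件发送测试:\n'
echo "发送测试邮件..."
TEST_ID="ssl_final_$(date +%s)"
echo "SSL最终测试 $TEST_ID" | mail -s "SSL最终测试 $TEST_ID" root
sleep 2

printf '\n5. 检查邮件日志:\n'
sudo tail -5 /var/log/mail.log | grep -i "$TEST_ID\|ssl\|tls\|465"

printf '\n6. PHP邮件测试:\n'
php -r "echo 'PHP SSL邮件测试...\n';\$result = mail('root', 'PHP SSL最终测试', 'PHP邮件功能测试', 'From: test@localhost');echo '结果: ' . (\$result ? '✅ 成功' : '❌ 失败') . '\n';"

printf '\n=== 测试完成 ===\n'
# A listening 465 proves the wrapper-mode service is up. It does not prove
# that remote clients can authenticate (the configuration shown here sets
# no smtpd_sasl_* parameters) or that they will trust the self-signed cert.
if sudo ss -tlnp | grep -q ':465[[:space:]]'; then
  echo "🎉 SSL邮件系统配置成功!"
  echo "服务器: localhost"
  echo "SSL端口: 465"
  echo "证书: /etc/postfix/ssl/smtpd.cert"
  echo "现在您可以使用SSL发送加密邮件了!"
else
  echo "⚠️ SSL配置可能有问题,465端口未监听"
fi
EOF
chmod +x "$final_test"
"$final_test"
rm -f -- "$final_test"

echo "=== 配置完成 ==="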
步骤5:验证和故障排除
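# Step 5: verification and troubleshooting.
echo "=== SSL邮件系统验证和故障排除 ==="

# 1. Effective TLS settings. `postconf -n` lists only explicitly configured
#    parameters; the original `postconf | grep -i tls | head -20` showed the
#    first 20 tls parameters of the *full* alphabetical dump (lmtp_tls_*
#    first), which never reached the smtpd_tls_* values that matter here.
#    The key smtpd parameters are then printed with their effective values
#    even when they are still at their defaults.
echo "1. 运行SSL诊断..."
sudo postconf -n | grep -i tls
sudo postconf smtpd_tls_security_level smtpd_tls_cert_file smtpd_tls_key_file \
  smtpd_tls_protocols smtpd_tls_mandatory_protocols smtpd_tls_ciphers

# 2. Service state
printf '\n2. 服务状态:\n'
sudo systemctl status postfix --no-pager | grep -E "Active:|Loaded:"

# 3. Recent errors/warnings -- a missing DH file, an unreadable key or a
#    master.cf parse problem all surface here.
printf '\n3. 错误日志检查:\n'
sudo grep -i "error\|fatal\|warning" /var/log/mail.log | tail -10

# 4. Handshake on 465: a 220 banner after the TLS handshake means the
#    wrapper-mode listener is up. QUIT is fed on stdin so s_client returns
#    promptly instead of idling until the timeout.
printf '\n4. 连接测试:\n'
echo "测试SSL连接:"
if printf 'QUIT\r\n' | timeout 5 openssl s_client -connect localhost:465 -quiet 2>&1 | grep -q "220"; then
  echo "✅ SSL连接正常"
else
  echo "❌ SSL连接失败"
  # Either something else owns the port or Postfix is not listening on it.
  echo "检查端口冲突:"
  sudo lsof -i :465
fi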
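# 5. Temporary rollback instructions.
#    The printed disable command is changed from `sed -i '/^smtps/d'`: that
#    removes only the service line and leaves its indented "-o" continuation
#    lines behind, which breaks master.cf. Restoring the backup taken in
#    step 2 is the clean way to roll back; the awk one-liner is the
#    alternative when no backup exists.
printf '\n5. 如果SSL配置有问题,可以临时禁用:\n'
cat << 'EOF'
临时禁用SSL命令:
sudo cp /etc/postfix/master.cf.backup.before_ssl /etc/postfix/master.cf
(没有备份时: tmp=$(mktemp) && sudo awk '/^smtps[[:space:]]/{skip=1;next} skip&&/^[[:space:]]/{next} {skip=0;print}' /etc/postfix/master.cf > "$tmp" && sudo cp "$tmp" /etc/postfix/master.cf && rm -f "$tmp")
sudo postfix reload
sudo systemctl reload postfix

重新启用SSL命令:
重新运行SSL配置脚本
EOF

echo "=== 验证完成 ==="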