When registering a domain at Name.com I saw that Google Apps can be activated for free: point the domain's MX records at Gmail's servers and you can send and receive mail with your own domain as the suffix through Gmail. The next step, so that my host can send mail conveniently, is to configure Postfix to relay outgoing mail through Gmail's SMTP server.
Relaying through Gmail's SMTP server requires SASL authentication and TLS encryption, so when installing Postfix the USE flags must include "sasl ssl".
First, create your own CA, as shown below:
$ /etc/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Enter PEM pass phrase:CAPASSWORD
Verifying - Enter PEM pass phrase:CAPASSWORD
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Shanghai
Locality Name (eg, city) []:Shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:LiaoJL.com
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:LiaoJL
Email Address []:liaojl@liaojl.com
... ...
The default validity period is one year; to avoid having to redo this soon, extend it to three years:
$ openssl x509 -in demoCA/cacert.pem -days 1024 -out cacert.pem -signkey demoCA/private/cakey.pem
$ cp cacert.pem demoCA
It is also worth editing /etc/ssl/openssl.cnf and changing the default validity period to ten years:
default_days=3650
Next, generate the server certificate request with the CA. The "-nodes" option avoids being prompted for a passphrase every time the server restarts.
openssl req -new -nodes \
-subj '/CN=LiaoJL/O=LiaoJL.com/C=CN/ST=Shanghai/L=Shanghai' \
-keyout FOO-key.pem -out FOO-req.pem -days 3650
Note: the "/O=LiaoJL.com" value must exactly match the CA certificate.
Sign the request just generated:
openssl ca -out FOO-cert.pem -infiles FOO-req.pem
The certificate and key files Postfix needs are now ready; copy them into the Postfix configuration directory:
$ cp demoCA/cacert.pem FOO-key.pem FOO-cert.pem /etc/postfix
$ chmod 644 /etc/postfix/FOO-cert.pem /etc/postfix/cacert.pem
$ chmod 400 /etc/postfix/FOO-key.pem
My configuration file is as follows:
## TLS Settings
#
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_cert_file = /etc/postfix/FOO-cert.pem
smtp_tls_key_file = /etc/postfix/FOO-key.pem
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtp_use_tls = yes
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_cert_file = /etc/postfix/FOO-cert.pem
smtpd_tls_key_file = /etc/postfix/FOO-key.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
## SASL Settings
# This is going into THIS server
smtpd_sasl_auth_enable = no
# We need this
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/saslpass
smtpd_sasl_local_domain = $myhostname
smtp_sasl_security_options = noanonymous
#smtp_sasl_security_options =
smtp_sasl_tls_security_options = noanonymous
smtpd_sasl_application_name = smtpd
## Gmail Relay
relayhost = [smtp.gmail.com]
# Disable DNS Lookups
disable_dns_lookups = yes
#
transport_maps = hash:/etc/postfix/transport
For more details, see the manual: http://www.postfix.com/TLS_README.html
With the configuration above, Postfix reads the username and password for SASL authentication from a Berkeley DB (hash) file. Add the following to /etc/postfix/saslpass:
smtp.gmail.com liaojl@liaojl.com:secret
Then run postmap to generate saslpass.db:
$ postmap saslpass
Create a new /etc/postfix/transport file, specifying that all mail is relayed through Gmail, i.e. smtp.gmail.com:
liaojl.com smtp:[smtp.gmail.com]
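Before restarting, a preflight check is useful. The following Python script is an added example (not part of the original post or of Postfix) that parses a main.cf and a saslpass source in the formats shown above and verifies the pieces that must agree: SASL client auth is on and anonymous mechanisms are excluded, the saslpass map has an entry Postfix would find for the configured relayhost (it tries the next-hop as written, then the bare hostname), and the files holding the private key and the relay password are not group- or world-readable. The main.cf excerpt, saslpass line and file modes are constructed inline; that saslpass was left at the default mode 644 is my assumption.

```python
import re
# Constructed inline from the main.cf and saslpass shown above (not read from /etc/postfix).
MAIN_CF = """\
relayhost = [smtp.gmail.com]
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/saslpass
smtp_sasl_security_options = noanonymous
smtp_tls_key_file = /etc/postfix/FOO-key.pem
"""
SASLPASS = "smtp.gmail.com liaojl@liaojl.com:secret\n"
# Assumed modes: the key was chmod 400 above; saslpass is assumed left at a default 644.
FILE_MODES = {"/etc/postfix/saslpass": 0o644, "/etc/postfix/FOO-key.pem": 0o400}

def parse_main_cf(text):
    """Parse 'key = value' lines, ignoring comments and blank lines."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            conf[key] = value
    return conf

def parse_saslpass(text):
    """Parse the map source: one '<lookup key> <user>:<password>' per line."""
    creds = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            key, userpass = line.split(None, 1)
            user, _, password = userpass.strip().partition(":")
            creds[key] = (user, password)
    return creds

def check_relay(conf, creds, mode_of):
    """Return a list of findings (empty = consistent); mode_of(path) -> st_mode or None."""
    findings = []
    if conf.get("smtp_sasl_auth_enable") != "yes":
        findings.append("smtp_sasl_auth_enable is not yes")
    if "noanonymous" not in conf.get("smtp_sasl_security_options", ""):
        findings.append("smtp_sasl_security_options lacks noanonymous")
    nexthop = conf.get("relayhost", "")
    # Postfix's documented lookup order: next-hop as written, then the bare hostname
    keys = [nexthop, re.sub(r":\d+$", "", nexthop).strip("[]")]
    if not any(k in creds for k in keys):
        findings.append("no saslpass entry for " + " or ".join(keys))
    for param in ("smtp_sasl_password_maps", "smtp_tls_key_file"):
        path = conf.get(param, "").split(":", 1)[-1]  # drop the 'hash:' map-type prefix
        if (mode_of(path) or 0) & 0o077:
            findings.append("%s (%s) is readable by group/other" % (path, param))
    return findings
```

Run as `check_relay(parse_main_cf(MAIN_CF), parse_saslpass(SASLPASS), FILE_MODES.get)`; on a live host pass `lambda p: os.stat(p).st_mode` instead of the constructed mode table.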
Restart Postfix to apply the configuration. Mail sent from the host is now relayed through Gmail, as the log shows:
Oct 23 23:02:39 liaojl postfix/qmgr[7838]: 1BAE8A506: from=<root@liaojl.com>, size=274, nrcpt=1 (queue active)
Oct 23 23:02:42 liaojl postfix/qmgr[7838]: 1BAE8A506: removed
Oct 23 23:02:42 liaojl postfix/smtp[7897]: 1BAE8A506: to=<daniel.liao@live.cn>, relay=smtp.gmail.com[209.85.143.109]:25, delay=3.1, delays=0.05/0.04/1.5/1.6, dsn=2.0.0, status=sent (250 2.0.0 OK 1224774161 b4sm470754tic.2)