PPoossttffiixx TTLLSSݡ

-------------------------------------------------------------------------------

ٹ

PostfixTLSݡȤͭˤ뤳Ȥǡ᡼Ź沽ꥯ饤Ȥ
ФǧڤǤ褦ˤʤǤϤޤ󡣿Ԥˤ⤪ OpenSSL
饤֥ꥳɤͭˤƤޤΤǤOpenSSL  Wietse ȤΥɤ
Ʊ餤տ񤫤ƤȤȡ1000ԤȤ1ġ;ʬʥХ
Postfix˼Ƥ뤳Ȥˤʤޤ

PPoossttffiixx TTLLSSݡȤǤ뤳

ȥ󥹥ݡإƥ (Transport Layer Security/TLSSSL
ƤФƤޤ) Ͼ١ǧڤȰŹ沽å󶡤ޤ
åΰŹ沽ˤꡢSMTP᡼SASLǧڤݸޤ

PostfixС2.2ϡRFC 3207˵ҤƤTLSݡȤȤ߹ߤޤ
ŤСPostfixǤTLSݡȤϥɥѥåȤǤޤ
ʲ "Postfix < 2.2 TLSݡȤθߴ" Ǥμΰ㤤
ޤ

ΥɥȤСƤȥԥå:

  * Postfix TLSݡȤư
  * TLSݡդPostfixӥɤ
  * SMTPͭ
  * SMTP饤ͭ
  * TLSޥͭ͡
  * 
  * Postfix < 2.2 TLSݡȤθߴ
  * 쥸å

ʤȤ˺줿äʿͤΤ:

  * ¨ʤǻϤ

PPoossttffiixx TTLLSSݡȤưư

ʲοޤPostfix TLSƥμǤȤδطɽƤޤ
դ̾ν񤫤줿ĤȢPostfixǡץɽ
ޤ¾οĤȢϥȥ졼Ǥ򼨤Ƥޤ

  * smtpd(8) ФSMTP over TLSΥХɤƤޤ

  * smtp(8) 饤ȤSMTP over TLSΥ饤ȥɤƤޤ

  * tlsmgr(8) Ф smtpd(8) Ф smtp(8) 饤ȥץ
    Ϳ뵼 (pseudo-random number generator, PRNG) 
    ޤTLSå󥭡åեޤ

ͥå              <----              ---->                ͥå
 -> smtpd(8)                tlsmgr(8)                 smtp(8)  -> 
                   <-å->          <-å->        

                                     |    
                                       |
                                              

                      smtpd           PRNG         smtp
                    å               å
                  å    ե   å

TTLLSSݡդPPoossttffiixxӥɤ

TLSݡȤդPostfixӥɤˤϡޤɬפν񤫤줿 make(1)
եɬפޤPostfixȥåץ٥ǥ쥯ȥ
"make makefiles" ޥɤ˼˼ûդƸƤӽФȤޤ

  * OpenSSL 󥯥롼ɥե (ssl.h Τ褦)  /usr/include/openssl
    ǥ쥯ȥˤꡢOpenSSL 饤֥ (libssl.so  libcrypto.so Τ褦)
     /usr/lib ǥ쥯ȥˤ:

        % mmaakkee ttiiddyy # ΥӥɤǻĤäƤե뤬
        % mmaakkee mmaakkeeffiilleess CCCCAARRGGSS==""--DDUUSSEE__TTLLSS"" AAUUXXLLIIBBSS==""--llssssll --llccrryyppttoo""

  * OpenSSL 󥯥롼ɥե (ssl.h Τ褦)  /usr/local/include/openssl
    ǥ쥯ȥˤꡢOpenSSL 饤֥ (libssl.so  libcrypto.so Τ褦)
     /usr/local/lib ǥ쥯ȥˤ:


        % mmaakkee ttiiddyy # ΥӥɤǻĤäƤե뤬
        % mmaakkee mmaakkeeffiilleess CCCCAARRGGSS==""--DDUUSSEE__TTLLSS --II//uussrr//llooccaall//iinncclluuddee"" \\
            AAUUXXLLIIBBSS==""--LL//uussrr//llooccaall//lliibb --llssssll --llccrryyppttoo""

    SolarisǤϡʲ˼褦 -R ץꤷޤ:

        % mmaakkee ttiiddyy # ΥӥɤǻĤäƤե뤬
        % mmaakkee mmaakkeeffiilleess CCCCAARRGGSS==""--DDUUSSEE__TTLLSS --II//uussrr//llooccaall//iinncclluuddee"" \\
            AAUUXXLLIIBBSS==""--RR//uussrr//llooccaall//lliibb --LL//uussrr//llooccaall//lliibb --llssssll --llccrryyppttoo""

¾Υޥ (Berkeley DBǡ١ MySQLPostgreSQLLDAPSASLʤ)
ŬѤɬפС줾Postfix READMEɥȤ򻲾Ȥ
 "make makefiles" λؼȾλؼȤ߹碌Ƥ:

        % mmaakkee ttiiddyy # ΥӥɤǻĤäƤե뤬
    % mmaakkee mmaakkeeffiilleess CCCCAARRGGSS==""--DDUUSSEE__TTLLSS \\
        ((¾¾ --DD ޤ --II ץ))"" \\
        AAUUXXLLIIBBSS==""--llssssll --llccrryyppttoo \\
        ((//uussrr//lliibb ˤ¾¾Υ饤֥Ѥ --ll ץ)) \\
        ((¾¾Υ饤֥Ѥ --LL//ppaatthh//nnaammee ++ --ll ץ))""

ۥץλˤϡPostfix INSTALL λؼ򻲾ȤƤPostfix
ǥեȤTLSݡȤ̵ˤʤäƤ뤿ᡢ󥹥ȡ뤷餹
PostfixȤϤ뤳ȤǤޤ

SSMMTTPPͭͭ

Υ󤬥СƤ:

  * о̩
  * ¦TLSưΥ
  * Postfix SMTPФTLSͭˤ
  * 饤Ⱦθ
  * AUTH over TLSΤߤ򥵥ݡȤ
  * ХTLSå󥭥å
  * Х
  * ХɰŹ
  * ¾Υ

о̩̩

TLSѤ뤿ˡPostfix SMTPФϾ̩ɬפȤޤ
ɤ "pem" ǤʤФޤ̩Ź沽ƤϤޤ
Ĥޤ: ϥѥɤʤǥǤʤФޤ󡣾̩
ξȤƱեäƤ뤫⤷ޤ

RSADSAξԤݡȤƤޤƤϾCAˤä
ȯԤ줿RSAΤߤäƤ뤳ȤǤ礦ˡOpenSSLȤȤ
󶡤ġϥǥեȤRSAȯԤޤƱξȤĤȤ
ǤξˤϻȤŹˤäƤɤξ񤬽Ф뤫ޤޤ
NetscapeOpenSSL饤ȤǤä˰ŹФʤ¤ꡢRSA
ͥ褵ޤ

⡼SMTP饤ȤPostfix SMTPоåˤϡ
CA (ξϤ٤ƤCA) ǽǤʤ
ޤ󡣤ξ򥵡о˲äȤ褤Ǥ礦ξ
оǽˤơ줫ȯCAΤΤȤޤ

: "server.dom.ain" ξ "intermediate CA" ˤȯԤ졢켫Ȥ
"root CA" ˤȯԤ줿äƤȤޤΤ褦 server.pem
եޤ:

    % ccaatt sseerrvveerr__cceerrtt..ppeemm iinntteerrmmeeddiiaattee__CCAA..ppeemm >> sseerrvveerr..ppeemm

ͿPostfix SMTPоSSLоȤƻȤʤ
ʤޤ󡣤Ĥޤ "openssl verify -purpose sslserver ..." ƥȤ̤ʤ
ޤ

롼CAꤷƤ륯饤Ȥϥ롼CAΥ륳ԡ
äƤ뤿ᡢ˥롼CAޤƤɬפϤޤ
"server.pem" 餽ƤȡTLS򴹤ΥСإåɤ򸺤餻ޤ

CAˤäȯԤ줿⡼SMTP饤ȾPostfix SMTP
Фդ褦ˤС롼Ⱦ $smtpd_tls_CAfile 
ɵ뤫$smtpd_tls_CApath ǥ쥯ȥ˥󥹥ȡ뤷ޤ롼CA
ꤹȡ$smtpd_tls_verify_depth ܤ륯饤Ȥؤξ
ˤCAο⾮ʤС롼CAˤäƽ̾줿
CAŪ˿ꤹɬפϤޤ󡣸ڤο1Ȥȡꤹ
CAˤäľܽ̾줿Τߤ򸡾ڤޤ2ǤС롼CA
⤷ľܤCA ˤäƽ̾줿饤Ȥ򸡾ڤǤޤ
(饤ȤCA󶡤褦ꤵƤ¤)

RSAȾ:

    /etc/postfix/main.cf:
        smtpd_tls_cert_file = /etc/postfix/server.pem
        smtpd_tls_key_file = $smtpd_tls_cert_file

DSAб:

    /etc/postfix/main.cf:
        smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem
        smtpd_tls_dkey_file = $smtpd_tls_dcert_file

⡼SMTP饤Ⱦ򸡾ڤˤϡPostfix SMTPФȯԾ
ؤξꤹɬפޤ "pem" ξñ
ե $smtpd_tls_CAfile Ȥݴɤ뤫CA Ȥ1եȤ
ʣե $smtpd_tls_CApath ǥ쥯ȥ¸Ǥޤǥ쥯ȥ
ȤΤǤСʲΥޥɤ "hash" 󥯤Τ˺ʤǤ:

    # $$OOPPEENNSSSSLL__HHOOMMEE//bbiinn//cc__rreehhaasshh //ppaatthh//ttoo//ddiirreeccttoorryy

$smtpd_tls_CAfile 1İʾοꤷCACAޤǤޤ
եPostfixץchrootƹ (root¤) 뤿ᡢ
chrootƹ饢ǤɬפϤޤ

ꤵ줿¾CA $smtpd_tls_CApath ǥ쥯ȥ̤ƻǤޤ
ξ ($mail_owner ¤) ɬפʤȤˤΥǥ쥯ȥ
ե뤫ɤ߹ޤޤΤᡢ$smtpd_tls_CApath ǥ쥯ȥ
ץchrootƹǥǤɬפޤ

饤Ⱦ׵᤹褦Postfix ($smtpd_tls_ask_ccert = yes 
åȤ) ꤹ硢ʤꤷƤCAˤäƽ̾줿
٤褦ˡ$smtpd_tls_CAfile Τ񤬥饤Ȥޤ
$smtpd_tls_CAfile ꤵƤʤȡͥCAꥹȤ줺饤Ȥ
줫CAˤäƽ̾줿ͳӤޤ¿Υ饤Ȥ
ͥCAꥹȤ˴طʤޤäΤǡ饤CA
ۤɤɤ⤷Ϥ٤Ƥ $smtpd_tls_CApath ˥󥹥ȡ뤹뤳ȤǡTLS
ͥΥСإåɤ򸺤餹ȤǤǤ礦Ԥξ硢
$smtpd_tls_CAfile ꤹɬפϤޤ

: ¿TLSǧڤ줿饤ȤΤ˥饤Ⱦ
ȤʤΤǤС饤ȾʤΤ褤Ǥ礦
СإåɤΤ˲äơ饤Ⱦ׵ᤵ
TLSϥɥλǤʤ饤 (ä˰qmail) ⤢뤿Ǥ

:

    /etc/postfix/main.cf:
        smtpd_tls_CAfile = /etc/postfix/CAcert.pem
        smtpd_tls_CApath = /etc/postfix/certs

¦¦TTLLSSưưΥ

Postfix SMTPФTLSư˴ؤƤʤ뤿ˡ٥
04ޤä뤳ȤǤޤ줾Υ٥ϲ̤Υ٥
Ͽޤߤޤ

    0 TLSư˴ؤϿ̵ˤޤ

    1 TLSϥɥȾξ˵Ͽޤ

    2 TLSͥδ֤Υ٥˵Ͽޤ

    3 TLSͥץ16ʿASCIIפ˵Ͽޤ

    4 STARTTLSʹߤ̿16ʿASCIIפ˥˵Ͽޤ

꤬äȤΤߥ٥3ȤäƤ٥4ϻȤʤȤ
ᤷޤ

:

    /etc/postfix/main.cf:
        smtpd_tls_loglevel = 0

饤ȤȯԼԤCommonNameƱͤˡѤƤץȥ뤪
Ź˴ؤ "Received:" åإå˴ޤˤϡ
smtpd_tls_received_header ѿ true ˥åȤޤǥեȤ no ǡ
ϾɬʤǤإå֥ФˤäѹǤ
ޤᡢǽǵϿ줿ΤߤǤޤ

:

    /etc/postfix/main.cf:
        smtpd_tls_received_header = yes

PPoossttffiixx SSMMTTPPФTTLLSSͭͭˤ

ǥեȤǤPostfix SMTPФTLS̵ˤʤäƤꡢܤˤϤΤޤޤ
PostfixȰ㤤ϤޤŪ "smtpd_use_tls = yes" Ȥäͭ
ڤؤƤ

:

    /etc/postfix/main.cf:
        smtpd_use_tls = yes

ꤹȡPostfix SMTPФSMTP饤ȤSTARTTLSݡȤ
⤷ޤ饤ȤTLSŹ沽ȤȤ׵᤹櫓ǤϤޤ

: ¤Τʤ桼 "sendmail -bs" ƤӽФ硢̩
븢¤ʤᡢSTARTTLS󶡤ޤ󡣤ϰտޤưǤ

"smtpd_enforce_tls = yes" ꤹ뤳ȤTLSλѤֶפ뤳ȤǤ
Postfix SMTPФSTARTTLS⤷TLSǰŹ沽Ƥʤ
᡼ϼդޤRFC 2487˽ȡϸ˻Ȥ Postfix
SMTPФˤŬѤƤϡ֤ޤסΥץϥǥեȤ̵
ʤäƤꡢۤȤɻȤ뤳ȤϤʤǤ礦

:

    /etc/postfix/main.cf:
        smtpd_enforce_tls = yes

TLSϻSTARTTLSݡȤ򥢥ʥ󥹤ƥ饤ȤTLSӥ
׵᤹ΤǤϤʤФTLSȤɸ "åѡ" ⡼ɤ
Ȥ뤳ȤޤΥ饤ȡϤä Outlook [Express] 
"åѡ" ⡼ɤͥ褷ޤ OE (ݡ25ʳưWin32 < 5.0 
Win32 >=5.0) ȡOE (ݡȤ˴طʤ 5.01 Mac) ƤϤޤޤ

main.cf 餳Υ⡼ɤȤΤᤷޤ󡣤Υӥ򥵥ݡ
ΤǤСmaster.cf ̤ʥݡȤͭˤsmtpd(8) Υޥ
饤󥪥ץȤ "-o smtpd_tls_wrappermode = yes" ꤷƤ
εǽΤ˥ݡ465 (smtps) ĤФƤޤ

:

    /etc/postfix/master.cf:
        smtps    inet  n       -       n       -       -       smtpd
          -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes

饤Ⱦθ

⡼ȤSMTP饤ȾˤϡPostfix SMTPФŪ
׵ᤷʤФޤ (ŬڤCA֥ҥȤȤ
$smtpd_tls_CAfile Ƥ⥯饤Ȥޤ)ǰʤ顢Netscape
饤Ȥϥޥå륯饤Ⱦʤʸ
桼饤Ȥ򤹤뤿ξΥꥹȤ󼨤뤫Τɤ餫Ǥ
ˡMTA (ä˰ΥСqmail) ϥ饤Ⱦ
׵ᤵTLSͥλǤSMTPåǤ
ޤޤΤᡢΥץϥǥեȤǤ "off" ˤʤäƤޤ
㤨 permit_tls_clientcerts ǽȤäƾ١Ѥ
СɬפȤʤǤ礦

:

    /etc/postfix/main.cf:
        smtpd_tls_ask_ccert = no

TLS³Ĥ˥⡼SMTP饤Ⱦ׵᤹פȷ
ȤǤޤεǽϴ˴ޤޤƤꡢ
"smtpd_tls_ask_ccert = yes" Ȥ̣ޤߤޤ

饤ȾʤǤTLS³ػߤȤȤȡTLS
ȡ̵ˤƤ (smtpd_enforce_tls = yes) ˤΤ̣߰ʤȤȤ
դƤʤȡ饤ȤSTARTTLSȤʤ
¤ǤƤޤޤ

TLSƤʤȡ³ "smtpd_tls_ask_ccert = yes" ꤵ
Τ褦˰졢ٹ𤬥˵Ͽޤ

:

    /etc/postfix/main.cf:
        smtpd_tls_req_ccert = no

CAե󤵤줿CAˤäľȯԤ줿ξ硢饤
θڤο1ǽʬǤǥե (5) ϤĹǤ
ʬͤǤ (롼CAϼºݤ˾ȯԤ̤CAȯԤ...)

:

    /etc/postfix/main.cf:
        smtpd_tls_ccert_verifydepth = 5

AAUUTTHH oovveerr TTLLSSΤߤݡȤ

AUTHǡŹ沽Ƥʤͥۤ뤳Ȥϥƥꥹ
⤿餹ȤˤʤޤTLS쥤ΰŹ沽׵ᤵ
(smtpd_enforce_tls = yes)Postfix SMTPФTLS쥤䤬STARTTLSư
ФƤΤAUTH⤷ޤդޤTLS쥤ΰŹ沽ץ
 (smtpd_enforce_tls = no) ǤäƤ⡢TLSưƤȤΤAUTH
󶡤ǤTLS饤ȤȤθߴݻ뤿ˡ
ǥեȤǤϰŹ沽ʤǤAUTHդޤο񤤤ѹˤϡ
"smtpd_tls_auth_only = yes" ꤷƤ

:

    /etc/postfix/main.cf:
        smtpd_tls_auth_only = no

ХTTLLSSåå

Postfix SMTPФӥ⡼ȤSMTP饤Ȥå
ͥ򤪤ʤȡ餫׻֤ȥͥåȥΥХ
񤷤ޤǥեȤǤϡΥåºݤ˻ȤäƤ smtpd(8)
ץǥåϥå夵졢ץλȥå
ޤåʣ smtpd(8) ץǶͭ뤿ˡ
³å󥭥å夬ȤޤХȤΥ֥Ȥ¸Ǥ
Ϣ³򥵥ݡȤƤ롢ɤʥǡ١Ǥꤹ뤳Ȥ
ǤޤDBMǡ١Ͼʥ֥Ȥ¸Ǥʤᡢˤ
Ŭޤ󡣥å tlsmgr(8) ץˤäƴ뤿ᡢ
Ǥꤢޤ

:

    /etc/postfix/main.cf:
        smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache

å夵줿Postfix SMTPХåϰλ֤в᤹
ޤPostfix/TLSOpenSSLΥǥեȤǤ300äϻȤ鷺ä
Ĺ֤3600 (=1) ȤޤRFC2246Ϻ24֤侩Ƥޤ

:

    /etc/postfix/main.cf:
        smtpd_tls_session_cache_timeout = 3600s

Х

Postfix TLSݡȤˤäPostfix SMTPХ3Ĥεǽ
ɲäޤ:

    permit_tls_clientcerts
        饤Ⱦ񤬸ڤ̤ꡢΥե󥬡ץȤ饤
        ΥꥹȤ˥ꥹȥåפƤˡ⡼ȤSMTP
        饤ȤSMTP׵ФȤĤޤ (ʲ relay_clientcerts
        ε򻲾)

    permit_tls_all_clientcerts
        饤Ⱦ񤬸ڤ̤äˡ⡼ȥ饤ȤSMTP
        ׵ФȤĤޤ

    check_ccert_access type:table
        饤Ⱦ񤬸ڤ̤äˡꤵ줿 access(5) ơ֥
        ȤƤΥե󥬡ץȤȤޤ

permit_tls_all_clientcerts ǽդƻȤʤФޤ󡣤ȤΤϡ
¤¿ʤꤹ뤫⤷ʤǤ̤CA饤
ȯԤCAꤵ줿CAȤƥꥹȥåפƤˤΤߡ
εǽȤäƤ¾CAꤵƤȡͭʥ饤Ⱦ
ͭԤϤߤǧڤƤޤޤpermit_tls_all_clientcerts ǽ
̤˺줿E᡼졼ФˤϼŪ⤷ޤ

񤬻ȤʤʤäȤ (㤨нȰ࿦ʤ) ˤ
permit_tls_all_clientcerts ʤĤʤᡢ
permit_tls_clientcerts ǽˤȤɤޤä $relay_clientcerts ̤Ƥ٤Ƥ
ꥹȥåפΤǤ

:

    /etc/postfix/main.cf:
        smtpd_recipient_restrictions =
            ...
            permit_tls_clientcerts
            reject_unauth_destination
            ...

PostfixΥꥹ롼϶䤽¾ʸ̰뤿ᡢ
̾λѤϼŪǤϤޤ󡣤˵¤Ǹ
Ȥ䤹Υե󥬡ץȤȤޤPostfixơ֥
(, ) ڥηǤɬפʤΤǡͤϼͳ֤ȤǤޤ
㤨Х桼̾ۥ̾ʤɡ

:

    /etc/postfix/main.cf:
        relay_clientcerts = hash:/etc/postfix/relay_clientcerts

    /etc/postfix/relay_clientcerts:
        D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home

ХɰŹ

Postfix SMTPФΰŹ򥹥˱ƶͿ뤿ᡢŹ沽
ꥹȤͿ뤳ȤǤޤܤҤϤ󤤤Ȥˤޤ;
OpenSSLΥɥȤ򻲾ȤƤǤɤФ褤狼ʤС
ñˤˤϤդ줺 (openssl) ǥեȤǥѥ뤷ޤޤˤƤ


ʸΤ " ֻȤʤǡסʸꤷƤ!!!

:

    /etc/postfix/main.cf:
        smtpd_tls_cipherlist = DEFAULT

EDH ǰŹѤСDH ѥ᡼ɬפǤ1024bit512bitѤ
ӥȥDHѥ᡼Ȥˡ"ȼ" ѥ᡼Τ
褤Ǥ礦ʤȡŪʹԤߤʤȤäƤѥ᡼
Фƥ֥롼ȥեϤ뤳Ȥ˲ͤФƤޤޤΤᡢ
ФƤѥ᡼ϡ¾TLSѥåۤΤȤϤǤ˰ۤʤä
ޤ

ʬȤ DH ѥ᡼ΥåȤˤϼΥޥɤȤޤ:

    % ooppeennssssll ggeennddhh --oouutt //eettcc//ppoossttffiixx//ddhh__11002244..ppeemm --22 --rraanndd //vvaarr//rruunn//eeggdd--ppooooll
    11002244
    % ooppeennssssll ggeennddhh --oouutt //eettcc//ppoossttffiixx//ddhh__551122..ppeemm --22 --rraanndd //vvaarr//rruunn//eeggdd--ppooooll 551122

:

    /etc/postfix/main.cf:
        smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
        smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem

¾¾Υ

smtpd_starttls_timeout ѥ᡼TLSΥϥɥγϤ
λޤǤδ֤Postfix SMTPФɤ߽񤭤Ǥ֤¤ޤ

:

    /etc/postfix/main.cf:
        smtpd_starttls_timeout = 300s

SSMMTTPP饤ͭͭ

ΥǥС:

  * 饤ȥɤξ̩
  * 饤ȥTLSưΥ
  * 饤ȥTLSå󥭥å
  * Postfix SMTP饤ȤTLSͭˤ
  * оθ
  * 饤¦ΰŹ
  * ¾Υ饤

饤ȥɤξ̩̩

TLSưͥδ֤ˡPostfix SMTP饤ȤϾ⡼Ȥ
SMTPФϤȤǤޤNetscape饤ȤϤ긭
⡼ȤSMTPФ鼨줿CA˥ޥå륯饤Ⱦ
椫桼򤵤ޤPostfix SMTP饤ȤOpenSSLѥå
"SSL_connect()" ؿȤ᤽Τ褦ưԲǽǤꡢĤ
ɬפޤΤᡢŪ˻ꤵʤ
¤ꡢΤȤǥեȤǤϾ丰_Ȥޤ_

RSADSAξԤݡȤƤޤƱξĤȤǤ
ξˤϻȤŹˤäƤɤξ񤬽Ф뤫ޤޤ

Postfix SMTP饤ȤPostfix SMTPФƱ/ڥȤȤ
ǤޤФˤϡ"pem" եޥåȤǤɬפޤ
̩Ź沽ƤϤޤ󡣤Ĥޤ: ѥɤʤǥǤʤ
ޤξ (̩) Ʊե뤳ȤǤޤ

⡼SMTPФPostfix SMTP饤Ⱦ򸡾ڤ뤿ˡ
CA (ξϤ٤ƤCA) ǽǤʤ
ޤ󡣤ξ򥵡о˲äȤ褤Ǥ礦ξ
饤Ⱦǽˤơ줫ȯCAΤΤȤޤ

: "client.example.com" ξ񤬤켫 "롼CA" Ǥ "intermediate
CA" ˤäȯԤޤΤ褦 client.pem եޤ:

    % ccaatt cclliieenntt__cceerrtt..ppeemm iinntteerrmmeeddiiaattee__CCAA..ppeemm >> cclliieenntt..ppeemm

ͿPostfix SMTP饤ȾSSL饤ȾȤ
ȤʤФʤޤ󡣤Ĥޤ "openssl verify -purpose sslclient ..." ƥȤ
̤ʤФޤ

롼CAꤷƤ륵Фϥ롼CAΥ륳ԡäƤ뤿ᡢ
˥롼CAޤƤɬפϤޤ"client.pem" 餽
ƤȡTLS򴹤ΥСإåɤ򸺤餻ޤ

CAˤäȯԤ줿⡼SMTPоPostfix SMTP
饤Ȥդ褦ˤС롼Ⱦ $smtp_tls_CAfile 
ɵ뤫$smtp_tls_CApath ǥ쥯ȥ˥󥹥ȡ뤷ޤ롼CA
ꤹȡ$smtp_tls_verify_depth ܤ륵Фؤξ
CAο⾮ʤС롼CAˤäƽ̾줿CAŪ
ꤹɬפϤޤ󡣸ڤο1ȤȡꤹCAˤäľ
̾줿Τߤ򸡾ڤޤ2ǤС롼CA⤷ľܤ
CA ˤäƽ̾줿Ф򸡾ڤǤޤ (ФCA
褦ꤵƤ¤)

RSAȾ:

    /etc/postfix/main.cf:
        smtp_tls_cert_file = /etc/postfix/client.pem
        smtp_tls_key_file = $smtp_tls_cert_file

DSAб:

    /etc/postfix/main.cf:
        smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
        smtp_tls_dkey_file = $smtp_tls_dcert_file

⡼SMTPо򸡾ڤˤϡPostfix SMTP饤ȤȯԾ
ؤξꤹɬפޤ "pem" ξñ
    ե $smtp_tls_CAfile Ȥݴɤ뤫CA Ȥ1եȤ
ʣե $smtp_tls_CApath ǥ쥯ȥ¸Ǥޤǥ쥯ȥ
ȤΤǤСʲΥޥɤ "hash" 󥯤Τ˺ʤǤ:

    # $$OOPPEENNSSSSLL__HHOOMMEE//bbiinn//cc__rreehhaasshh //ppaatthh//ttoo//ddiirreeccttoorryy

$smtp_tls_CAfile 1İʾοꤷCACAޤǤޤΥե
Postfixץchrootƹ (root¤) 뤿ᡢ
chrootƹ饢ǤɬפϤޤ

ꤵ줿¾CA $smtp_tls_CApath ǥ쥯ȥ̤ƻǤޤ
ξ ($mail_owner ¤) ɬפʤȤˤΥǥ쥯ȥ
ե뤫ɤ߹ޤޤΤᡢ$smtp_tls_CApath ǥ쥯ȥ
ץchrootƹǥǤɬפޤ

$smtp_tls_CAfile  $smtp_tls_CApath Ȥ϶֤Ȼ֤Υȥ졼ɥդǤ
ꤵ줿CA󤢤硢٤Ƥ򤢤餫ɤ߹ॳȤ
ɬפȤʤäȤΥ֤äƤʤ⤷ޤ

:

    /etc/postfix/main.cf:
        smtp_tls_CAfile = /etc/postfix/CAcert.pem
        smtp_tls_CApath = /etc/postfix/certs

饤ȥTTLLSSưưΥ

Postfix SMTP饤ȤTLSư˴ؤƤʤ뤿ˡ٥
04ޤä뤳ȤǤޤ줾Υ٥ϲ̤Υ٥
Ͽޤߤޤ

    0 TLSư˴ؤϿ̵ˤޤ

    1 TLSϥɥȾξ˵Ͽޤ

    2 TLSͥδ֤Υ٥˵Ͽޤ

    3 TLSͥץ16ʿASCIIפ˵Ͽޤ

    4 STARTTLSʹߤ̿16ʿASCIIפ˥˵Ͽޤ

:

    /etc/postfix/main.cf:
        smtp_tls_loglevel = 0

饤ȥTTLLSSåå

⡼ȤSMTPФPostfix SMTP饤Ȥå
ͥ򤪤ʤȡ餫׻֤ȥͥåȥΥХ
񤷤ޤǥեȤǤϡΥåºݤ˻ȤäƤ smtp(8)
ץǥåϥå夵졢ץλȥå
ޤåʣ smtp(8) ץǶͭ뤿ˡ³
å󥭥å夬ȤޤХȤΥ֥Ȥ¸Ǥ
Ϣ³򥵥ݡȤƤ롢ɤʥǡ١Ǥꤹ뤳ȤǤޤ
DBMǡ١Ͼʥ֥Ȥ¸ǤʤᡢˤŬޤ
å tlsmgr(8) ץˤäƴ뤿ᡢ󥢥Ǥ
ꤢޤ

:

    /etc/postfix/main.cf:
        smtp_tls_session_cache_database = btree:/etc/postfix/smtp_scache

å夵줿Postfix SMTP饤ȥåϰλ֤в᤹
ޤPostfix/TLSOpenSSLΥǥեȤǤ300äϻȤ鷺ä
Ĺ֤3600 (=1) ȤޤRFC2246Ϻ24֤侩Ƥޤ

:

    /etc/postfix/main.cf:
        smtp_tls_session_cache_timeout = 3600s

PPoossttffiixx SSMMTTPP饤ȤTTLLSSͭͭˤ

ǥեȤǤPostfix SMTP饤ȤTLS̵ˤʤäƤꡢܤˤ
ΤޤޤPostfixȰ㤤ϤޤTLSͭˤȡ⡼ȤSMTPФ
äTLSݡȤ⤵줿ȤPostfix SMTP饤ȤSTARTTLS
ޤ

ٹ: MS Exchange ServerTLSӥꤵƤʤƤSTARTTLSݡȤ
⤹뤿ᡢTLSϥɥԤƤޤޤ餫᤽Τ褦
ۥȤ³뤫ɤ狼ʤСΥץϥ󥿡᡼ϥ֤Ǥ
ȤʤΤ⤷ޤˡ/ͭ
smtp_tls_per_site ץȤäƤ

TLSϥɥ˼Ԥ¾ΥФȤʤϡPostfix SMTP
饤ȤԤٱ䤷᡼ϥ塼˻Ĥޤ

:

    /etc/postfix/main.cf:
        smtp_use_tls = yes

TLSλѤֶפȤǤޤPostfix SMTP饤Ȥ
Ź沽Ƥʤ³Ǥϥ᡼ޤ󡣤Υ⡼ɤǤϥ⡼
SMTPХۥ̾ϥ⡼ȥоξ˥ޥåʤФʤ餺
ΥоPostfix SMTP饤ȤꤷCAˤäȯԤ
ʤФޤ󡣥⡼ȥо񤬸ڤǤʤä⡼SMTP
Хۥ̾ޥå¾˻Ȥ륵ФʤСԤٱ䤵졢
塼˻Ĥ³ޤ

å˻Ȥ⡼SMTPХۥ̾ϼȤʤۥ̾Ǥʤ
ʤʤ (CNAMEϻȤʤ) ᡢ餫Ǥå
SubjectAlternativeName  dNSNames ȤͿ뤹٤Ƥ̾Ф
ʤޤdNSNames ꤵƤʤȡCommonName åޤ
ʲǵ smtp_tls_enforce_peername ץǿ񤤤Ѥ뤳Ȥ
Ǥޤ

RFC 2487 򥵥ݡȤ__׵˹礦оФФˤΤ
³뤳Ȥ狼äƤˤΤߡΥץǤȤƤϡ
ɬפ STARTTLS ݡȤ󶡤롢Υ᡼ϥ֤ˤΤߡ饤Ȥ
E᡼Ǥ

:

    /etc/postfix/main.cf:
        smtp_enforce_tls = no

RFC 2487ǤϡMTA饤Ȥۥ̾Υå򤪤ʤȤ׵ᤵ
ޤTLS׵ᤵ (smtp_enforce_tls = yes)ʤʥ⡼SMTP
Хۥ̾å̵ˤ뤿˥ץ smtp_tls_enforce_peername 
"no" ˥åȤޤξ硢᡼Ͼ˥ꥹȥåפ줿
CommonName ʤɤȤϴطʤʤޤ

: smtp_tls_enforce_peername  smtp_tls_per_site ơ֥椵
륻åˤϱƶͿޤ

̤CA륯ɤʴĶǤϡ⡼SMTPХۥ̾θڤ
̵ˤ뤳Ȥ˰̣Ǥ礦դƻȤʤȡΥץ
man-in-the-middle åδ򳫤ƤޤȤˤʤޤ (Ū
Ԥ CommonName ˵Ͽޤ)

:

    /etc/postfix/main.cf:
        smtp_tls_enforce_peername = yes

ŪˤϡSTARTTLS󶡤ΤΥͥ˼Ԥͽʤ
㳲ˤĤʤ륵Ф뤿ᡢTLSȤϰͤ⤷ޤ
ˡ³μԤ⤷ϥ᡼ϥ֤˴ŤTLSѥݥꥷ֤Τ
褤Ǥ礦

ԤȤTLSѥݥꥷΤ񤷤⤷ޤ󡣤ȤΤϡ
ĤE᡼ԤˤʣμԤޤǤ뤫⤷ʤǤ
ꡢTLSѤPostfix next-hopɥᥤ̾⡼SMTP
ۥ̾椷ޤΤɤ餫 smtp_tls_per_site ơ֥Υȥ
ޥå顢Ŭڤʥ󤬼ޤ

⡼SMTPХۥ̾ñPostfix SMTP饤Ȥ³褦Ȥ
ФDNS̾Ǥnext-hopPostfixͭΤΤǤǥեȤǤϡ
ϼԥɥ쥹Υɥᥤ̾Ǥξ transport(5) ơ֥
relayhost ѥ᡼ˤäƾ񤭤Ǥޤξ硢relayhost ʤɤ
ԥɥᥤ̾ smtp_tls_per_site ơ֥˥ꥹȥåפ
ʤФޤ

ơ֥ν: ɥᥤޤϥۥ̾Ϻ¦ʬ˻ꤷޤ; 磻ɥɤ
Ȥޤ󡣱¦ʬˤϰʲΥɤΤ줫ꤷޤ:

    NONE
        TLSȤޤ
    MAY
        󶡤ƤˤSTARTTLSλѤ󶡤ʤ
        Ź沽Ƥʤ³Ȥޤ
    MUST
        STARTTLSѤ׵ᤷޤ⡼SMTPХۥ̾⡼
        SMTPоξ˥ޥå⡼SMTPо
        ꤹCAˤäȯԤƤʤФޤ
    MUST_NOPEERMATCH
        STARTTLSѤ׵ᤷޤ⡼SMTPХۥ̾⡼
        SMTPоξ˥ޥå뤳Ȥ䡢⡼SMTPо
        ꤹCAˤäȯԤƤ뤳Ȥϵޤ

ºݤTLSѥݥꥷnext-hop⡼SMTPХۥ̾
smtp_tls_per_site ơ֥˸Ĥ뤫ɤǤϤʤsmtp_enforce_tls
ˤ¸ޤ:

  * ޥåΤĤʤȡݥꥷ smtp_enforce_tls 
    ꤵ줿ΤŬѤޤ

  * ޥåΤĤꡢsmtp_enforce_tls ݥꥷ "enforce" ξ硢
    NONE ŪˤϤ̵ˤޤ; ʤȥȥ꤬ MAY ˤʤä
    Ƥ "enforce" ⡼ɤȤƤޤޤ

TLS⡼ɤФ̥ҥ: DNSᥫ˥बȤʤᡢ
᡼ϴְä⡼SMTPФ뤫⤷ޤ󡣤 next-hop
ɥᥤ̾MUST ꤷƤɤޤ󡣿侩:  transport(5)
ơ֥륨ȥǡդ٤ɥᥤŪ smtp:[mailhost] 
ꤷ (DNSȤϰäơΥơ֥ΰݾڤǤ뤿)
smtp_tls_per_site ơ֥ǤΥ᡼ۥȤФ MUST ꤷޤ

:

    /etc/postfix/main.cf:
        smtp_tls_per_site = hash:/etc/postfix/tls_per_site

TLSȤȤʤ˴ؤ餺 "ñ" ١Ȥ뤳Ȥ˷᤿ᡢ
"STARTTLS" 󶡤륵ȤΥꥹȤĤΤŬƤޤΥץ
ʬȤǽ뤳ȤǤޤ

smtp_tls_note_starttls_offer ǽͭˤʤäƤƥФ STARTTLS 
󶡤ƤꡢΥФФƤǤTLSͭˤʤäƤΤǤʤС
Postfix SMTP饤ȤϰʲΤ褦ʹԤ˻Ĥޤ:

    postfix/smtp[pid]: Host offered STARTTLS: [hostname.example.com]

:

    /etc/postfix/main.cf:
        smtp_tls_note_starttls_offer = yes

оθ

⡼SMTPо򸡾ڤݡsmtp_tls_CAfile ޤ smtp_tls_CApath 
ꤵ줿CAˤäľȯԤ줿ξ硢ڤο1ǽʬǤ
ǥե (5) ϤĹǤ⽽ʬͤǤ (롼CAϼºݤ˾
ȯԤ̤CAȯԤ...)

:

    /etc/postfix/main.cf:
        smtp_tls_scert_verifydepth = 5

饤¦¦ΰŹ

Postfix SMTP饤ȤΰŹ򥹥˱ƶͿ뤿ᡢŹ沽
ꥹȤͿ뤳ȤǤޤܤҤϤ󤤤Ȥˤޤ;
OpenSSLΥɥȤ򻲾ȤƤǤɤФ褤狼ʤС
ñˤˤϤդ줺 (openssl) ǥեȤǥѥ뤷ޤޤˤƤ


ʸΤ " ֻȤʤǡסʸꤷƤ!!!

:

    /etc/postfix/main.cf:
        smtp_tls_cipherlist = DEFAULT

¾¾Υ饤

smtp_starttls_timeout ѥ᡼TLSΥϥɥγϤ
λޤǤδ֤Postfix SMTP饤Ȥɤ߽񤭤Ǥ֤¤ޤ
꤬ȡPostfix SMTP饤Ȥϥ᡼򴹵ꥹȤˤ뼡
ͥåȥɥ쥹ΥФȤʤٱ䤵ޤ

:

    /etc/postfix/main.cf:
        smtp_starttls_timeout = 300s

TTLLSSޥ͡ͭͭ

TLSΤ褦ʰŹ楽եȥΥƥϡ䤽¾ξФ
ͽǤʤͤǽϤ̿Ū˰¸ޤŪΤˡtlsmgr(8)
ץϵ (Pseudo Random Number Generator, PRNG) ס
ޤ smtp(8)  smtpd(8) ץνκݤ䤤碌
ޤǥեȤǤϡΥǡ32ХȡĤޤ256ӥåȤ
׵ᤷޤ128ӥå (⤷168ӥå) Υå󥭡Τ
ʬޤ

:

    /etc/postfix/main.cf:
        tls_daemon_random_bytes = 32

PRNGס뤿ᡢtlsmgr(8) ϵưưƤ֤˳
饨ȥԡɤ߹ߤޤEGD /dev/urandom Τ褦ʤ褤
ȥԡꤷƤ; non-blockingȤ褦
դƤ (OpenBSD tlsmgr(8)  /dev/urandom ΥॢȤ
ʸˤϡ/dev/arandom ȤäƤ)ȥԡ
̾ΥեǤϤʤ硢̾˥դʤФޤ:
ǥХڥեˤ "dev:" EGDߴåȥ󥿡ե
ˤ "egd:" դޤ

 (main.cf ǰĤꤷޤ):

    /etc/postfix/main.cf:
        tls_random_source = dev:/dev/urandom
        tls_random_source = egd:/var/run/egd-pool

ǥեȤǤϡtlsmgr(8) ϥɤꤹ륤٥ȤΤӤ˳
32ХȤɤ߹ߤޤ (256ӥå) 128ӥåȤζ̸Τ
ʬ̤ǤEGDӥǥХȥԡǤϡtlsmgr(8) 
٤ɤ߹ǡ̤255ХȤ¤ޤ̾Υե򥨥ȥԡ
Ȥƻꤷϡ¿Υǡɤ߹ळȤǤޤ

:

    /etc/postfix/main.cf:
        tls_random_bytes = 32

PRNGס򹹿뤿ˡtlsmgr(8) ϵˤ֤вᤷ
Ƥӳȥԡ䤤碌ޤλ֤PRNGȤäƷ׻졢
0 tls_random_reseed_period ǻꤵ֤δ֤λ֤Ǥ
ǥեȤκֳִ֤1֤Ǥ

:

    /etc/postfix/main.cf:
        tls_random_reseed_period = 3600s

tlsmgr(8) ץϼưPRNG֤Ǥ褦ˤ뤿ᡢ
вȥץλPRNG֤³򴹥ե¸ޤΥե뤬
¸ߤʤˤϺޤǥեȤξPostfixǥ쥯ȥ
ǤPostfixˤäƲѤ줿֤ˤϤդ路ޤ
˥եξ /var ѡƥ (chrootƹʳ)
֤Τ褤Ǥ礦

:

    /etc/postfix/main.cf:
        tls_random_exchange_name = /etc/postfix/prng_exch
        tls_random_prng_update_period = 3600s

¨¨ʤǻϤ

ʲΥƥåפǤ˻ϤǤ礦ʬȤPostfix
̾뤿ᡢTLSŹ沽ϻȤޤTLSǧڤϤǤޤ󡣥ƥȤ修ط
ǤʤȤȤE᡼θ򴹤ˤϤǽʬǤºݤǧڤˤϡ
Postfix⡼ȥۥȤθ򸡾ڤǤ褦ˡPostfix
ǧǧڶʤˤäƽ̾Ƥ餤PostfixǧڶɤθĤ褦
ꤹɬפޤ

ʲǤϡ桼ϤեȤǼƤꡢޤ
"#" ץץȤϥѡ桼Υ򼨤Ƥޤ

  * ʬȤθ˽̾Ǥ褦ˡʬȤǧڶɤˤʤޤǤ
    OpenSSLդƤ CA.pl ץȤȤޤǥեȤǤϡ
    OpenSSLϤ /usr/local/ssl/misc/CA.pl ˥󥹥ȡ뤷ޤ
    ˤäưۤʤޤΥץȤ̩ ./demoCA/private/cakey.pem
    ˡ ./demoCA/cacert.pem ˺ޤ

        % //uussrr//llooccaall//ssssll//mmiisscc//CCAA..ppll --nneewwccaa
        CA certificate filename (or enter to create)

        Making CA certificate ...
        Using configuration from /etc/ssl/openssl.cnf
        Generating a 1024 bit RSA private key
        ....................++++++
        .....++++++
        writing new private key to './demoCA/private/cakey.pem'
        Enter PEM pass phrase:wwhhaatteevveerr

  * ۥ FOO Ф롢ѥɤΤäƤʤ̩ȡ̾Ƥʤ
    ޤ 

        % ooppeennssssll rreeqq --nneeww --nnooddeess --kkeeyyoouutt FFOOOO--kkeeyy..ppeemm --oouutt FFOOOO--rreeqq..ppeemm --ddaayyss
        336655
        Using configuration from /etc/ssl/openssl.cnf
        Generating a 1024 bit RSA private key
        ........................................++++++
        ....++++++
        writing new private key to 'FOO-key.pem'
        -----
        You are about to be asked to enter information that will be
        incorporated
        into your certificate request.
        What you are about to enter is what is called a Distinguished Name or a
        DN.
        There are quite a few fields but you can leave some blank
        For some fields there will be a default value,
        If you enter '.', the field will be left blank.
        -----
        Country Name (2 letter code) [AU]:UUSS
        State or Province Name (full name) [Some-State]:NNeeww YYoorrkk
        Locality Name (eg, city) []:WWeessttcchheesstteerr
        Organization Name (eg, company) [Internet Widgits Pty Ltd]:PPoorrccuuppiinnee
        Organizational Unit Name (eg, section) []:
        Common Name (eg, YOUR name) []:FFOOOO
        Email Address []:wwiieettssee@@ppoorrccuuppiinnee..oorrgg

        Please enter the following 'extra' attributes
        to be sent with your certificate request
        A challenge password []:wwhhaatteevveerr
        An optional company name []:

  * ƥå˺äǧڶ̩ǥۥ FOO θ˽̾ޤ

        % ooppeennssssll ccaa --oouutt FFOOOO--cceerrtt..ppeemm --iinnffiilleess FFOOOO--rreeqq..ppeemm
        Using configuration from /etc/ssl/openssl.cnf
        Enter PEM pass phrase:wwhhaatteevveerr
        Check that the request matches the signature
        Signature ok
        The Subjects Distinguished Name is as follows
        countryName           :PRINTABLE:'US'
        stateOrProvinceName   :PRINTABLE:'New York'
        localityName          :PRINTABLE:'Westchester'
        organizationName      :PRINTABLE:'Porcupine'
        commonName            :PRINTABLE:'FOO'
        emailAddress          :IA5STRING:'wietse@porcupine.org'
        Certificate is to be certified until Nov 21 19:40:56 2005 GMT (365
        days)
        Sign the certificate? [y/n]:yy

        1 out of 1 certificate requests certified, commit? [y/n]yy
        Write out database with 1 new entries
        Data Base Updated

  * ۥȤ̩ۥȤθ񡢤ǧڶɾե
    󥹥ȡ뤷ޤˤϥѡ桼θ¤ɬפǤ

        # ccpp ddeemmooCCAA//ccaacceerrtt..ppeemm FFOOOO--kkeeyy..ppeemm FFOOOO--cceerrtt..ppeemm //eettcc//ppoossttffiixx
        # cchhmmoodd 664444 //eettcc//ppoossttffiixx//FFOOOO--cceerrtt..ppeemm //eettcc//ppoossttffiixx//ccaacceerrtt..ppeemm
        # cchhmmoodd 440000 //eettcc//ppoossttffiixx//FFOOOO--kkeeyy..ppeemm

  * ʲιԤ /etc/postfix/main.cf ɲäơPostfixꤷޤ

        smtp_tls_CAfile = /etc/postfix/cacert.pem
        smtp_tls_cert_file = /etc/postfix/FOO-cert.pem
        smtp_tls_key_file = /etc/postfix/FOO-key.pem
        smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
        smtp_use_tls = yes
        smtpd_tls_CAfile = /etc/postfix/cacert.pem
        smtpd_tls_cert_file = /etc/postfix/FOO-cert.pem
        smtpd_tls_key_file = /etc/postfix/FOO-key.pem
        smtpd_tls_received_header = yes
        smtpd_tls_session_cache_database = btree:/var/run/smtpd_tls_session_cache
        smtpd_use_tls = yes
        tls_random_source = dev:/dev/urandom



𤹤ݤˤϡܺ٤񤤤ƤǽǤСѥå
ޤޤ

Ǥ¤ꡢʲ̤Ƥ:

  * TLSɤ: <postfix_tls@aet.tu-cottbus.de>
  * ɸPostfix: <postfix-users@postfix.org>

PPoossttffiixx <<22..22 TTLLSSݡȤθߴ

Postfix version 2.2 TLSݡȤLutz JickeˤPostfix/TLSѥå
Ƥޤ٤ǤĤۤʤޤ

  * main.cf: TLSå󥭥åǡ١ˤ "sdbm"  "btree"
    ꤷޤ

    TLSå󥭥åǡ١ tlsmgr(8) ץΤ
    뤿ᡢ⤦ϤޤPostfixˤsdbm饤Ȥ
    ޤsdbm饤֥(1000ԤΥ)Postfix˴ޤޤƤޤ

    TLSå󥭥åϿХȰʾΥ֥Ȥ¸Ǥ
    Ϣ³򥵥ݡȤƤ롢ɤʥǡ١ǤȤޤۤȤɤ
    硢btreeǡ١ŬڤǤ礦

    : dbmǡ١ϻȤޤTLSå󥪥֥Ȥ礭ޤ

  * master.cf: tlsmgr ӥμȤ "fifo" ǤϤʤ "unix" 
    ޤ

     smtp(8)  smtpd(8) ץ tlsmgr(8)  (PRNG)
    ס˥TLSå󥭥åǡ١˥Τ
    饤-ХץȥȤޤΤ褦ʥץȥ fifo 
    ȤȤϤǤޤ

쥸å

  * PostfixTLSݡȤϸȥ֥ؤ Lutz Jicke ˤäƳȯ
    ޤ
  * Wietse Venema ɤѤƺƹLutz ΥɥȤ
    ɥȤΤʬԽޤ

