步骤1:首先检查SSL证书

 

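echo "=== 检查SSL证书 ==="

# Location of the Postfix server certificate and private key. Using variables
# keeps every later reference consistent and avoids typos in the paths.
CERT_FILE="/etc/postfix/ssl/smtpd.cert"
KEY_FILE="/etc/postfix/ssl/smtpd.key"

# 1. Reuse an existing certificate/key pair, otherwise create a self-signed one.
if [ -f "$CERT_FILE" ] && [ -f "$KEY_FILE" ]; then
  echo "✅ SSL证书已存在"
  echo "证书文件:"
  ls -la /etc/postfix/ssl/

  printf '\n证书信息:\n'
  sudo openssl x509 -in "$CERT_FILE" -noout -subject -dates

  # -checkend 0 exits non-zero when notAfter is already in the past. Postfix would
  # still load an expired certificate, but verifying clients reject the handshake,
  # so say so explicitly instead of leaving it to the reader to parse the dates.
  if ! sudo openssl x509 -in "$CERT_FILE" -noout -checkend 0 >/dev/null; then
    echo "⚠️ SSL证书已过期,请重新生成"
  fi
else
  echo "⚠️ SSL证书不存在,重新生成..."
  sudo mkdir -p /etc/postfix/ssl
  # Self-signed certificate valid for 10 years with an explicit 2048-bit RSA key
  # (same as the later setup step, instead of relying on the openssl.cnf default).
  # -nodes writes the key unencrypted so Postfix can load it without a passphrase;
  # it is protected by the 0600 root-only permission set below instead.
  # -addext needs OpenSSL 1.1.1 or newer.
  sudo openssl req -new -x509 -days 3650 -nodes -newkey rsa:2048 \
    -out "$CERT_FILE" \
    -keyout "$KEY_FILE" \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=Company/CN=localhost" \
    -addext "subjectAltName = DNS:localhost, IP:127.0.0.1" \
    || { echo "❌ 证书生成失败"; exit 1; }
  sudo chmod 600 "$KEY_FILE"
  sudo chmod 644 "$CERT_FILE"
fi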

步骤2:启用SSL配置

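#!/bin/bash
# Enable TLS in Postfix: opportunistic STARTTLS on port 25 and implicit TLS
# ("smtps") on port 465.
#
# Requirements: sudo, postconf with -M/-P support (Postfix >= 2.11), openssl,
# and ss (or netstat as a fallback) for the listener check.
#
# Settings are written with postconf instead of appending to main.cf/master.cf,
# so running the script twice updates the same keys rather than stacking
# duplicate lines and orphaned "-o" continuation lines.
set -u

echo "=== 启用Postfix SSL配置 ==="

# 1. Back up the pre-TLS configuration. The first backup is kept on re-runs so
#    it always reflects the state before any TLS change.
echo "1. 备份当前配置..."
for cf in main.cf master.cf; do
  backup="/etc/postfix/${cf}.backup.before_ssl"
  if [ -e "$backup" ]; then
    echo "备份已存在,跳过: $backup"
  else
    sudo cp "/etc/postfix/$cf" "$backup" || { echo "❌ 备份失败: $cf"; exit 1; }
  fi
done

# 2. main.cf: TLS for the receiving side (smtpd_*) and the sending side (smtp_*).
#    smtpd_use_tls is obsolete since Postfix 2.3 and superseded by
#    smtpd_tls_security_level, so it is not set.
#    smtpd_tls_wrappermode is deliberately NOT set here: in main.cf it applies to
#    every smtpd instance, including port 25, which then expects a TLS handshake
#    instead of a plaintext EHLO and breaks ordinary SMTP. Wrapper mode belongs
#    only on the smtps service in master.cf (step 3).
echo "2. 添加SSL配置到main.cf..."
sudo postconf -e \
  'smtpd_tls_security_level = may' \
  'smtp_tls_security_level = may' \
  'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.cert' \
  'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key' \
  'smtpd_tls_protocols = !SSLv2, !SSLv3' \
  'smtpd_tls_ciphers = medium' \
  'smtpd_tls_received_header = yes' \
  'smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache' \
  'smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache' \
  || { echo "❌ 写入main.cf失败"; exit 1; }

# 3. master.cf: the smtps service on port 465. postconf -M replaces an existing
#    smtps/inet entry, and -P writes the per-service "-o" overrides with the
#    leading whitespace master.cf requires for continuation lines.
echo "3. 在master.cf中启用smtps服务..."
sudo postconf -M -e 'smtps/inet=smtps inet n - y - - smtpd' \
  || { echo "❌ 写入master.cf失败"; exit 1; }
# smtpd_tls_wrappermode=yes: TLS before any SMTP command (implicit TLS).
# smtpd_tls_auth_only=yes: never offer AUTH on an unencrypted session.
sudo postconf -P -e \
  'smtps/inet/syslog_name=postfix/smtps' \
  'smtps/inet/smtpd_tls_wrappermode=yes' \
  'smtps/inet/smtpd_tls_auth_only=yes' \
  'smtps/inet/smtpd_client_restrictions=' \
  'smtps/inet/smtpd_helo_restrictions=' \
  'smtps/inet/smtpd_sender_restrictions=' \
  'smtps/inet/smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination' \
  'smtps/inet/smtpd_relay_restrictions=permit_mynetworks,reject_unauth_destination' \
  || { echo "❌ 写入smtps服务参数失败"; exit 1; }

# 4. Syntax check before reloading; postfix check already prints the errors.
echo "4. 检查配置语法..."
if sudo postfix check; then
  echo "✅ 配置文件语法正确"
else
  echo "❌ 配置文件有错误"
  exit 1
fi

# 5. Reload. "postfix reload" and "systemctl reload postfix" do the same thing,
#    so one call is enough.
echo "5. 重新加载Postfix..."
sudo postfix reload || { echo "❌ 重新加载失败"; exit 1; }

# Print the listeners on TCP port $1; returns non-zero when nothing listens.
# Prefers ss, which replaces netstat on current distributions.
listening() {
  if command -v ss >/dev/null; then
    sudo ss -tlnp | grep -E ":$1[[:space:]]"
  else
    sudo netstat -tlnp | grep -E ":$1[[:space:]]"
  fi
}

# 6. Give the daemon a moment, then confirm both ports are bound.
echo "6. 检查端口监听状态..."
sleep 2
echo "端口25 (SMTP):"
listening 25 || echo "端口25未监听"
printf '\n端口465 (SMTPS):\n'
listening 465 || echo "端口465未监听"

# 7. Handshake test. The pipeline's status is head's, so the failure message is
#    keyed on openssl's own status via PIPESTATUS.
echo "7. 测试SSL连接..."
echo "使用openssl测试SSL连接:"
timeout 5 openssl s_client -connect localhost:465 -quiet <<< "QUIT" 2>&1 | head -10
if [ "${PIPESTATUS[0]}" -ne 0 ]; then
  echo "SSL连接测试失败"
fi

echo "=== SSL配置完成 ==="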

步骤3:测试SSL邮件发送

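#!/bin/bash
# Exercise the mail system after TLS was enabled: local submission with mail(1),
# an implicit-TLS handshake on port 465, delivery via sendmail(8), and PHP mail().
#
# Scratch files are created under a private mktemp directory and removed on
# exit, instead of fixed, world-predictable names in /tmp.
echo "=== 测试SSL邮件功能 ==="

WORK_DIR=$(mktemp -d) || { echo "❌ 无法创建临时目录"; exit 1; }
cleanup() { rm -rf -- "${WORK_DIR:?}"; }
trap cleanup EXIT

# 1. Local submission. mail(1) hands the message to the local sendmail interface,
#    so this exercises the MTA itself rather than the port-25 listener.
echo "1. 测试普通SMTP (25端口)..."
if echo "普通邮件测试 $(date)" | mail -s "普通SMTP测试" root 2>&1; then
  echo "✅ 普通邮件发送成功"
else
  echo "❌ 普通邮件发送失败"
fi

# Implicit-TLS handshake, a sendmail(8) delivery and a look at the log.
test_ssl_mail() {
  echo "方法1: 使用openssl测试SSL连接"
  echo "QUIT" | timeout 5 openssl s_client -connect localhost:465 -quiet 2>&1 | head -5

  printf '\n方法2: 使用sendmail命令测试\n'
  local msg="$WORK_DIR/test_ssl_email.txt"
  # Unquoted delimiter so $(date) and $(hostname) are expanded into the body.
  # The From header is a plain address; a stray ">" makes it malformed.
  cat > "$msg" << MAIL
To: root
Subject: SSL邮件测试 via sendmail
From: ssl-test@localhost

这是一封通过SSL邮件系统发送的测试邮件。
如果收到此邮件,说明SSL配置正常工作。

时间: $(date)
服务器: $(hostname)
MAIL

  # -t takes the recipients from the headers in the message itself.
  if /usr/sbin/sendmail -t < "$msg" 2>&1; then
    echo "sendmail命令执行成功"
  else
    echo "sendmail命令执行失败"
  fi

  printf '\n方法3: 检查邮件日志\n'
  sudo tail -5 /var/log/mail.log
}

# 2. Run the TLS/sendmail checks in-process (no executable dropped into /tmp).
printf '\n2. 测试SSL邮件发送...\n'
test_ssl_mail

# 3. PHP checks, written to the private scratch directory.
printf '\n3. 测试PHP SSL邮件发送...\n'
PHP_TEST="$WORK_DIR/test_php_ssl.php"
cat > "$PHP_TEST" << 'PHP'
<?php
echo "PHP SSL邮件测试\n";
echo "================\n\n";

// Test 1: plain mail(). Local submission goes through sendmail, so the MTA's
// TLS settings do not affect it. The body is double-quoted so "\n" is a real
// newline rather than a literal backslash-n.
echo "测试1: 普通mail()函数\n";
$test1 = mail(
    'root',
    'PHP SSL测试 ' . date('H:i:s'),
    "如果收到此邮件,说明PHP的mail()函数正常。\nSSL配置不影响普通邮件发送。",
    'From: php-ssl-test@localhost'
);
echo "结果: " . ($test1 ? "✅ 成功" : "❌ 失败") . "\n\n";

// Read SMTP reply lines until the final one ("NNN " with a space; "NNN-" means
// more lines follow). This replaces a fixed sleep()+fread(), which could return
// a partial multi-line EHLO reply.
function read_reply($socket) {
    $reply = '';
    while (($line = fgets($socket, 1024)) !== false) {
        $reply .= $line;
        if (preg_match('/^\d{3} /', $line)) {
            break;
        }
    }
    return $reply;
}

// Test 2: implicit-TLS handshake on port 465, then a minimal EHLO/QUIT.
// Peer verification is disabled ONLY because the server certificate is
// self-signed; a production client keeps verify_peer/verify_peer_name enabled.
echo "测试2: 测试SSL连接\n";
$context = stream_context_create([
    'ssl' => [
        'verify_peer' => false,
        'verify_peer_name' => false,
        'allow_self_signed' => true,
    ],
]);

$socket = stream_socket_client(
    'ssl://localhost:465',
    $errno,
    $errstr,
    5,
    STREAM_CLIENT_CONNECT,
    $context
);

if ($socket) {
    echo "✅ SSL连接成功\n";
    // Bound each read so a silent server cannot hang the test.
    stream_set_timeout($socket, 5);

    $welcome = read_reply($socket);
    echo "服务器欢迎: $welcome";

    fwrite($socket, "EHLO localhost\r\n");
    $response = read_reply($socket);
    echo "EHLO响应: $response\n";

    fwrite($socket, "QUIT\r\n");
    fclose($socket);
} else {
    echo "❌ SSL连接失败: $errstr ($errno)\n";
}

// Test 3: HTML mail through mail(), with MIME headers.
echo "\n测试3: HTML邮件测试\n";
$html_message = "<html><body>"
    . "<h1>SSL HTML邮件测试</h1>"
    . "<p>这是一封通过SSL发送的HTML格式测试邮件。</p>"
    . "<ul>"
    . "<li>时间: " . date('Y-m-d H:i:s') . "</li>"
    . "<li>服务器: " . php_uname('n') . "</li>"
    . "<li>PHP版本: " . phpversion() . "</li>"
    . "</ul>"
    . "<p>如果收到此邮件,说明您的邮件系统支持SSL和HTML。</p>"
    . "</body></html>";

$headers = "From: html-test@localhost\r\n"
    . "MIME-Version: 1.0\r\n"
    . "Content-Type: text/html; charset=UTF-8\r\n";

$test3 = mail('root', 'SSL HTML邮件测试', $html_message, $headers);
echo "结果: " . ($test3 ? "✅ 成功" : "❌ 失败") . "\n\n";

echo "=== 测试总结 ===\n";
echo "如果所有测试都成功,您的SSL邮件系统已完全配置好!\n";
PHP

echo "运行PHP SSL测试..."
if command -v php >/dev/null; then
  php "$PHP_TEST"
else
  echo "未安装php,跳过PHP测试"
fi

# 4. Recent log lines that mention TLS or delivery.
printf '\n4. 查看邮件日志...\n'
sudo tail -10 /var/log/mail.log 2>/dev/null | grep -iE "ssl|tls|465|sent|delivered"

# 5. Newest subjects in root's mailbox. The mailbox is root-owned, hence sudo;
#    the "not found" branch is keyed on empty output, because a pipeline's exit
#    status is tail's and would never trigger it.
printf '\n5. 查看最新的邮件...\n'
echo "等待邮件处理..."
sleep 3
echo "最新的几封邮件主题:"
subjects=$(sudo grep "^Subject: " /var/mail/root 2>/dev/null | tail -5)
if [ -n "$subjects" ]; then
  printf '%s\n' "$subjects"
else
  echo "没有找到邮件"
fi

echo "=== 测试完成 ==="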

步骤4:完整的SSL配置优化

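#!/bin/bash
# Harden the Postfix TLS setup: firewall, certificate, TLS 1.2+ only, strong
# cipher list, DH parameters, then run an end-to-end check.
#
# Requirements: sudo, systemctl, postconf, openssl, ss (or netstat), mail(1);
# php is optional. Settings are written with postconf so re-runs are idempotent.
echo "=== 完整的SSL邮件系统配置 ==="

CERT_FILE="/etc/postfix/ssl/smtpd.cert"
KEY_FILE="/etc/postfix/ssl/smtpd.key"
DH_FILE="/etc/postfix/ssl/dhparam.pem"

# Print the listeners on TCP port $1; returns non-zero when nothing listens.
# Prefers ss, which replaces netstat on current distributions.
listening() {
  if command -v ss >/dev/null; then
    sudo ss -tlnp | grep -E ":$1[[:space:]]"
  else
    sudo netstat -tlnp | grep -E ":$1[[:space:]]"
  fi
}

# 1. Postfix must be running, otherwise the reload in step 6 fails.
echo "1. 检查Postfix状态..."
if ! sudo systemctl is-active postfix; then
  echo "Postfix未运行,正在启动..."
  sudo systemctl start postfix || { echo "❌ 无法启动Postfix"; exit 1; }
fi

# 2. Firewall: allow SMTP (25) and SMTPS (465).
echo "2. 配置防火墙..."
if command -v ufw >/dev/null; then
  echo "使用ufw配置防火墙..."
  sudo ufw allow 25/tcp
  sudo ufw allow 465/tcp
  sudo ufw reload
  sudo ufw status | grep -E "(25|465)/tcp"
elif command -v iptables >/dev/null; then
  echo "使用iptables配置防火墙..."
  # -C tests for an existing rule so re-runs do not append duplicates.
  # These rules are not persistent across reboots; save them with the
  # distribution's tool (e.g. iptables-save) if they should survive one.
  for port in 25 465; do
    sudo iptables -C INPUT -p tcp --dport "$port" -j ACCEPT 2>/dev/null \
      || sudo iptables -A INPUT -p tcp --dport "$port" -j ACCEPT
  done
  echo "防火墙规则已添加"
else
  echo "未找到防火墙工具,请手动开放25和465端口"
fi

# 3. Certificate: create a self-signed one if either file is missing.
echo "3. 确保SSL证书有效..."
if [ ! -f "$CERT_FILE" ] || [ ! -f "$KEY_FILE" ]; then
  echo "生成SSL证书..."
  sudo mkdir -p /etc/postfix/ssl
  host=$(hostname)
  # -nodes leaves the key unencrypted so Postfix can load it without a
  # passphrase; the 0600 root-only permission below protects it instead.
  sudo openssl req -new -x509 -days 3650 -nodes -newkey rsa:2048 \
    -out "$CERT_FILE" \
    -keyout "$KEY_FILE" \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=Company/CN=$host" \
    -addext "subjectAltName = DNS:localhost, DNS:$host, IP:127.0.0.1" \
    || { echo "❌ 证书生成失败"; exit 1; }
  sudo chmod 600 "$KEY_FILE"
  sudo chmod 644 "$CERT_FILE"
fi

echo "证书有效期:"
sudo openssl x509 -in "$CERT_FILE" -noout -dates

# 4. TLS hardening in main.cf: TLS 1.2+ only, "high" ciphers minus the weak
#    and anonymous ones, TLS logging and a one-hour session cache.
echo "4. 优化SSL配置..."
sudo postconf -e \
  'smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1' \
  'smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1' \
  'smtpd_tls_ciphers = high' \
  'smtpd_tls_exclude_ciphers = aNULL, MD5, DES, RC4, PSK, 3DES, eNULL' \
  'smtpd_tls_loglevel = 1' \
  'smtp_tls_loglevel = 1' \
  'smtpd_tls_session_cache_timeout = 3600s' \
  'smtp_tls_session_cache_timeout = 3600s' \
  || { echo "❌ 写入main.cf失败"; exit 1; }

# 5. DH parameters. Generated in the foreground so the file exists before
#    Postfix is pointed at it; a backgrounded generation followed by an
#    immediate reload makes Postfix log errors about a missing file.
#    The parameter is only set once the file is really there.
echo "5. 生成DH参数..."
if [ ! -f "$DH_FILE" ]; then
  echo "生成DH参数(这可能需要几分钟)..."
  sudo openssl dhparam -out "$DH_FILE" 2048 2>/dev/null || echo "⚠️ DH参数生成失败"
fi
if [ -f "$DH_FILE" ]; then
  sudo postconf -e "smtpd_tls_dh1024_param_file = $DH_FILE"
else
  echo "⚠️ 未找到DH参数文件,跳过smtpd_tls_dh1024_param_file设置"
fi

# 6. Verify before reloading so a bad edit cannot take the daemon down.
echo "6. 重新加载Postfix配置..."
if sudo postfix check; then
  sudo postfix reload || { echo "❌ 重新加载失败"; exit 1; }
else
  echo "❌ 配置检查失败,请查看上方错误"
  exit 1
fi

# End-to-end check: listeners, certificate, handshake, delivery, PHP mail().
final_test() {
  echo "=== 最终SSL邮件系统测试 ==="
  echo "测试时间: $(date)"
  echo "============================"

  printf '\n1. 端口检查:\n'
  echo "端口25 (SMTP):"
  listening 25 || echo "端口25未监听"
  printf '\n端口465 (SMTPS):\n'
  listening 465 || echo "端口465未监听"

  printf '\n2. SSL证书检查:\n'
  if [ -f "$CERT_FILE" ]; then
    sudo openssl x509 -in "$CERT_FILE" -noout -text \
      | grep -E "Subject:|Not |Issuer:|DNS:|IP:" | head -10
  else
    echo "SSL证书未找到"
  fi

  printf '\n3. SSL连接测试:\n'
  echo "测试1: 基本SSL连接"
  timeout 5 openssl s_client -connect localhost:465 -quiet <<< "QUIT" 2>&1 | head -5

  printf '\n测试2: 详细SSL信息\n'
  # stdin from /dev/null makes s_client exit after the handshake instead of
  # sitting on the terminal until the timeout fires.
  timeout 5 openssl s_client -connect localhost:465 -state </dev/null 2>&1 \
    | grep -E "SSL_connect|Cipher|Protocol|Certificate" | head -10

  printf '\n4. 邮件发送测试:\n'
  echo "发送测试邮件..."
  local test_id
  test_id="ssl_final_$(date +%s)"
  echo "SSL最终测试 $test_id" | mail -s "SSL最终测试 $test_id" root

  sleep 2

  printf '\n5. 检查邮件日志:\n'
  sudo tail -5 /var/log/mail.log | grep -iE "$test_id|ssl|tls|465"

  printf '\n6. PHP邮件测试:\n'
  if command -v php >/dev/null; then
    # Single-quoted for the shell, double-quoted inside PHP, so "\n" is a real
    # newline and "$result" needs no escaping.
    php -r '
echo "PHP SSL邮件测试...\n";
$result = mail("root", "PHP SSL最终测试", "PHP邮件功能测试", "From: test@localhost");
echo "结果: " . ($result ? "✅ 成功" : "❌ 失败") . "\n";
'
  else
    echo "未安装php,跳过PHP测试"
  fi

  printf '\n=== 测试完成 ===\n'
  if listening 465 >/dev/null; then
    echo "🎉 SSL邮件系统配置成功!"
    echo "服务器: localhost"
    echo "SSL端口: 465"
    echo "证书: $CERT_FILE"
    echo "现在您可以使用SSL发送加密邮件了!"
  else
    echo "⚠️ SSL配置可能有问题,465端口未监听"
  fi
}

# 7. Run the check in-process instead of writing an executable to /tmp.
echo "7. 运行SSL测试..."
final_test

echo "=== 配置完成 ==="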

步骤5:验证和故障排除

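echo "=== SSL邮件系统验证和故障排除 ==="

# 1. Effective TLS settings. postconf -n lists only what main.cf overrides, so
#    the first 20 lines are the values actually configured rather than defaults.
#    The smtps block is shown from master.cf because that is where wrapper mode
#    must live.
echo "1. 运行SSL诊断..."
sudo postconf -n | grep -i tls | head -20
echo "master.cf中的smtps服务:"
grep -A 8 '^smtps' /etc/postfix/master.cf || echo "master.cf中未定义smtps服务"

# 2. Unit state.
printf '\n2. 服务状态:\n'
sudo systemctl status postfix --no-pager | grep -E "Active:|Loaded:"

# 3. Recent problems in the mail log.
printf '\n3. 错误日志检查:\n'
sudo grep -iE "error|fatal|warning" /var/log/mail.log | tail -10

# 4. Implicit-TLS handshake; a healthy server answers with a "220" greeting.
printf '\n4. 连接测试:\n'
echo "测试SSL连接:"
if timeout 5 openssl s_client -connect localhost:465 -quiet <<< "QUIT" 2>&1 | grep -q "^220"; then
  echo "✅ SSL连接正常"
else
  echo "❌ SSL连接失败"

  # Either another process holds port 465, or nothing listens at all
  # (smtps missing from master.cf). lsof exits non-zero when it finds nothing.
  echo "检查端口冲突:"
  sudo lsof -i :465 || echo "没有进程监听465端口"
fi

# 5. How to back out. postconf -MX removes the smtps entry together with its
#    "-o" continuation lines; a plain sed '/^smtps/d' would leave those lines
#    behind, attached to the previous service.
printf '\n5. 如果SSL配置有问题,可以临时禁用:\n'
cat << 'EOF'
临时禁用SSL命令:
sudo postconf -MX smtps/inet
sudo postfix reload

重新启用SSL命令:
重新运行SSL配置脚本
EOF

echo "=== 验证完成 ==="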

 

 

 

 

