{"id":6376,"date":"2016-10-13T05:48:45","date_gmt":"2016-10-12T21:48:45","guid":{"rendered":"http:\/\/rmohan.com\/?p=6376"},"modified":"2016-10-13T05:50:05","modified_gmt":"2016-10-12T21:50:05","slug":"postfix","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=6376","title":{"rendered":"postfix"},"content":{"rendered":"<div class=\"table\">\n<ul class=\"tablelist\">\n<li class=\"tableitem\"><span class=\"notranslate\">Biglobe enforces <a href=\"http:\/\/office.biglobe.ne.jp\/service\/spam\/faq\/op25b_base.html\">OP25B<\/a>, so outgoing mail is sent via Biglobe's relay server.<\/span> <span class=\"notranslate\"> Sending therefore uses <a href=\"http:\/\/www.postfix-jp.info\/trans-2.1\/jhtml\/SASL_README.html\">SASL<\/a> authentication.<\/span><\/li>\n<li class=\"tableitem\"><span class=\"notranslate\"> <a href=\"http:\/\/e-words.jp\/w\/SPF.html\">SPF<\/a> is used for sender domain authentication.<\/span><\/li>\n<li class=\"tableitem\"><span class=\"notranslate\"> <a href=\"http:\/\/www.gabacho-net.jp\/anti-spam\/anti-spam-system.html\">S25R<\/a>, <a 
href=\"http:\/\/d.hatena.ne.jp\/keyword\/Greylisting\">Greylisting<\/a> and <a href=\"http:\/\/d.hatena.ne.jp\/keyword\/Tarpitting\">Tarpitting<\/a> block access from suspicious servers.<\/span><\/li>\n<li class=\"tableitem\"><span class=\"notranslate\"> To avoid patching Postfix, these measures are implemented with Debian packages, plug-ins and configuration changes only.<\/span><\/li>\n<\/ul>\n<\/div>\n<div class=\"table\">\n<h3><span class=\"notranslate\"> Biglobe relay<\/span><\/h3>\n<ul class=\"tablelist\">\n<li class=\"tableitem\"><span class=\"notranslate\"> Install the SASL modules.<\/span>\n<pre class=\"commandline\"><span class=\"notranslate\"> # aptitude install libsasl2-modules sasl2-bin<\/span>\r\n<\/pre>\n<\/li>\n<li class=\"tableitem\"><span class=\"notranslate\"> Relay through the Biglobe relay server, and configure Postfix to use SASL when doing so.<\/span><br \/>\n<span class=\"notranslate\"> <span class=\"blue\">main.cf<\/span><\/span><\/p>\n<pre><span 
class=\"notranslate\"> # BIGLOBE relay server<\/span>\r\n<span class=\"notranslate\"> relayhost = [#####.biglobe.ne.jp]<\/span>\r\n\r\n<span class=\"notranslate\"> # Enable SASL authentication in the Postfix SMTP client.<\/span>\r\n<span class=\"notranslate\"> smtp_sasl_auth_enable = yes<\/span>\r\n\r\n<span class=\"notranslate\"> # Specify the SMTP client lookup table<\/span>\r\n<span class=\"notranslate\"> smtp_sasl_password_maps = hash:\/etc\/postfix\/isp_passwd<\/span>\r\n\r\n<span class=\"notranslate\"> # The SASL mechanisms of the ISP's SMTP server and of this home server may not match,<\/span>\r\n<span class=\"notranslate\"> # which makes authentication fail, so pin the mechanisms to use below.<\/span>\r\n<span class=\"notranslate\"> smtp_sasl_mechanism_filter = cram-md5, login, plain<\/span>\r\n<\/pre>\n<\/li>\n<li class=\"tableitem\"><span class=\"notranslate\"> Write the password setting used for sending.<\/span><br \/>\n<span class=\"notranslate\"> <span class=\"blue\">isp_passwd<\/span><\/span><\/p>\n<pre><span class=\"notranslate\"> [#####.biglobe.ne.jp] *****@bma.biglobe.ne.jp:*******<\/span>\r\n<\/pre>\n<pre class=\"commandline\"><span class=\"notranslate\"> # postmap isp_passwd<\/span>\r\n<\/pre>\n<\/li>\n<li class=\"tableitem\"><span class=\"notranslate\"> Restart Postfix to complete the relay setup.<\/span><\/li>\n<\/ul>\n<\/div>\n<div class=\"table\">\n<h3><span class=\"notranslate\"> Setting up SMTP AUTH<\/span><\/h3>\n<ul class=\"tablelist\">\n<li class=\"tableitem\"><span class=\"notranslate\"> Install the necessary modules.<\/span>\n<pre class=\"commandline\"><span class=\"notranslate\"> # aptitude install libsasl2-modules sasl2-bin<\/span>\r\n<\/pre>\n<\/li>\n<li class=\"tableitem\"><span class=\"notranslate\"> Add an authentication user.<\/span>\n<pre class=\"commandline\"><span class=\"notranslate\"> # saslpasswd2 -u [domain name] -c [user name]<\/span>\r\n<\/pre>\n<\/li>\n<li class=\"tableitem\"><span class=\"notranslate\"> Make sasldb2 readable by Postfix.<\/span>\n<pre class=\"commandline\"><span 
class=\"notranslate\"> # chgrp postfix \/etc\/sasldb2<\/span>\r\n<span class=\"notranslate\"> # chmod 640 \/etc\/sasldb2<\/span>\r\n<span class=\"notranslate\"> # ln \/etc\/sasldb2 \/var\/spool\/postfix\/etc<\/span>\r\n<\/pre>\n<\/li>\n<li class=\"tableitem\"><span class=\"notranslate\"> Postfix configuration<\/span><br \/>\n<span class=\"notranslate\"> <span class=\"blue\">main.cf<\/span><\/span><\/p>\n<pre><span class=\"notranslate\"> smtpd_sasl_auth_enable = yes<\/span>\r\n<span class=\"notranslate\"> smtpd_sasl_local_domain = example.com<\/span>\r\n<span class=\"notranslate\"> smtpd_sasl_security_options = noanonymous, noplaintext<\/span>\r\n\r\n<span class=\"notranslate\"> smtpd_recipient_restrictions =<\/span>\r\n  <span class=\"notranslate\"> permit_mynetworks,<\/span>\r\n  <span class=\"notranslate\"> permit_sasl_authenticated,<\/span>\r\n  <span class=\"notranslate\"> reject_unauth_destination<\/span>\r\n<\/pre>\n<\/li>\n<li class=\"tableitem\"><span class=\"notranslate\"> Restart Postfix to complete the SMTP AUTH setup.<\/span><\/li>\n<\/ul>\n<\/div>\n<div class=\"table\">\n<h3><span class=\"notranslate\"> Restricting access from suspicious servers<\/span><\/h3>\n<ul class=\"tablelist\">\n<li class=\"tableitem\"><span class=\"notranslate\"> Set the number of errors allowed, to hinder brute-force account probing.<\/span> <span class=\"notranslate\"> After more than 5 errors, responses are delayed by 70 seconds.<\/span> <span class=\"notranslate\"> The connection is cut at 8 errors.<\/span><br \/>\n<span class=\"notranslate\"> <span class=\"blue\">main.cf<\/span><\/span><\/p>\n<pre><span class=\"notranslate\"> smtpd_soft_error_limit = 5<\/span>\r\n<span class=\"notranslate\"> smtpd_hard_error_limit = 8<\/span>\r\n<span class=\"notranslate\"> smtpd_error_sleep_time = 70<\/span>\r\n\r\n<span class=\"notranslate\"> smtpd_delay_reject = yes<\/span>\r\n<\/pre>\n<\/li>\n<li class=\"tableitem\"><span class=\"notranslate\"> Install the policy server for <span 
class=\"yellow\">Greylisting.<\/span><\/span>\n<pre class=\"commandline\"><span class=\"notranslate\"> # apt-get install postgrey<\/span>\r\n<\/pre>\n<p><span class=\"notranslate\"> <span class=\"blue\">main.cf<\/span><\/span><\/p>\n<pre><span class=\"notranslate\"> smtpd_restriction_classes = check_greylist<\/span>\r\n<span class=\"notranslate\"> check_greylist = check_policy_service inet:60000<\/span>\r\n<\/pre>\n<\/li>\n<li class=\"tableitem\"><span class=\"notranslate\"> At RCPT time, clients caught by the <span class=\"yellow\">S25R<\/span> patterns are told to retransmit by <span class=\"yellow\">Greylisting.<\/span><\/span> <span class=\"notranslate\"> Those that do retransmit are then subjected to a response delay by <span class=\"yellow\">Tarpitting.<\/span><\/span><br \/>\n<span class=\"notranslate\"> In terms of method, this is <span class=\"yellow\">Rgrey<\/span> with screening by <span class=\"yellow\">Tarpitting<\/span> added.<\/span><br \/>\n<span class=\"notranslate\"> <span class=\"blue\">main.cf<\/span><\/span><\/p>\n<pre><span class=\"notranslate\"> # RCPT check (Greylisting) &amp; Tarpit<\/span>\r\n<span class=\"notranslate\"> smtpd_recipient_restrictions =<\/span>\r\n                <span class=\"notranslate\"> permit_mynetworks<\/span>\r\n                <span class=\"notranslate\"> reject_unauth_destination<\/span>\r\n                <span class=\"notranslate\"> check_client_access regexp:\/etc\/postfix\/check_client_fqdn_greylist<\/span>\r\n                <span 
class=\"notranslate\"> check_client_access regexp:\/etc\/postfix\/check_client_fqdn_tarpit<\/span>\r\n                <span class=\"notranslate\"> check_recipient_access hash:\/etc\/postfix\/recipient_restrictions<\/span>\r\n<\/pre>\n<p><span class=\"notranslate\"> <span class=\"blue\">check_client_fqdn_greylist<\/span><\/span><\/p>\n<pre><span class=\"notranslate\"> \/^unknown$\/ check_greylist<\/span>\r\n<span class=\"notranslate\"> \/^[^\\.]*[0-9][^0-9\\.]+[0-9]\/ check_greylist<\/span>\r\n<span class=\"notranslate\"> \/^[^\\.]*[0-9]{5}\/ check_greylist<\/span>\r\n<span class=\"notranslate\"> \/^([^\\.]+\\.)?[0-9][^\\.]*\\.[^\\.]+\\..+\\.[a-z]\/ check_greylist<\/span>\r\n<span class=\"notranslate\"> \/^[^\\.]*[0-9]\\.[^\\.]*[0-9]-[0-9]\/ check_greylist<\/span>\r\n<span class=\"notranslate\"> \/^[^\\.]*[0-9]\\.[^\\.]*[0-9]\\.[^\\.]+\\..+\\.\/ check_greylist<\/span>\r\n<span class=\"notranslate\"> \/^(dhcp|dialup|ppp|adsl)[^\\.]*[0-9]\/ check_greylist<\/span>\r\n<\/pre>\n<p><span class=\"notranslate\"> <span class=\"blue\">check_client_fqdn_tarpit<\/span><\/span><\/p>\n<pre><span class=\"notranslate\"> \/^unknown$\/ sleep 70<\/span>\r\n<span class=\"notranslate\"> \/^[^\\.]*[0-9][^0-9\\.]+[0-9]\/ sleep 70<\/span>\r\n<span class=\"notranslate\"> \/^[^\\.]*[0-9]{5}\/ sleep 70<\/span>\r\n<span class=\"notranslate\"> \/^([^\\.]+\\.)?[0-9][^\\.]*\\.[^\\.]+\\..+\\.[a-z]\/ sleep 70<\/span>\r\n<span class=\"notranslate\"> \/^[^\\.]*[0-9]\\.[^\\.]*[0-9]-[0-9]\/ sleep 70<\/span>\r\n<span class=\"notranslate\"> \/^[^\\.]*[0-9]\\.[^\\.]*[0-9]\\.[^\\.]+\\..+\\.\/ sleep 70<\/span>\r\n<span class=\"notranslate\"> \/^(dhcp|dialup|ppp|adsl)[^\\.]*[0-9]\/ sleep 70<\/span>\r\n<\/pre>\n<\/li>\n<li class=\"tableitem\"><span class=\"notranslate\"> Run postmap on check_client_fqdn_greylist and check_client_fqdn_tarpit, then restart Postfix to finish.<\/span><\/li>\n<li class=\"tableitem\"><span class=\"notranslate\"> <a 
href=\"http:\/\/d.hatena.ne.jp\/stealthinu\/20061206\/p1\">taRgrey<\/a>: if something that implements it in Postfix turns up, I would like to migrate to that.<\/span> <span class=\"notranslate\"> For now there is only a patch?<\/span><\/li>\n<\/ul>\n<\/div>\n<div class=\"table\">\n<h3><span class=\"notranslate\"> Sender domain authentication with SPF<\/span><\/h3>\n<ul class=\"tablelist\">\n<li class=\"tableitem\"><span class=\"notranslate\"> Get the script that performs the SPF check.<\/span> <span class=\"notranslate\"> Download <span class=\"red\">postfix-policyd-spf<\/span> from the <a href=\"http:\/\/www.openspf.org\/source\/software\/postfix-policyd-spf-perl\/tags\/\">SPF Project<\/a> page.<\/span><\/li>\n<li class=\"tableitem\"><span class=\"notranslate\"> The script uses the Perl <span class=\"yellow\">Mail::SPF::Query<\/span> library, so install it.<\/span>\n<pre class=\"commandline\"><span class=\"notranslate\"> apt-get install libmail-spf-perl libmail-spf-query-perl<\/span>\r\n<\/pre>\n<\/li>\n<li class=\"tableitem\"><span class=\"notranslate\"> Register the script as a service so that Postfix can use it.<\/span><br \/>\n<span class=\"notranslate\"> <span class=\"blue\">master.cf<\/span><\/span><\/p>\n<pre><span class=\"notranslate\"> policy unix - n n - - spawn<\/span>\r\n  <span class=\"notranslate\"> user=nobody argv=\/usr\/bin\/perl [location of the script that was placed above]<\/span>\r\n<\/pre>\n<\/li>\n<li class=\"tableitem\"><span class=\"notranslate\"> Configure the SPF check to run at connection time.<\/span><br \/>\n<span class=\"notranslate\"> <span class=\"blue\">main.cf<\/span><\/span><\/p>\n<pre><span 
class=\"notranslate\"> # Connection check<\/span>\r\n<span class=\"notranslate\"> smtpd_client_restrictions =<\/span>\r\n                <span class=\"notranslate\"> permit_mynetworks<\/span>\r\n                <span class=\"notranslate\"> reject_rbl_client spamcop.net<\/span>\r\n                <span class=\"notranslate\"> reject_rbl_client all.rbl.jp<\/span>\r\n                <span class=\"notranslate\"> check_policy_service unix:private\/policy<\/span>\r\n                <span class=\"notranslate\"> check_client_access hash:\/etc\/postfix\/client_restrictions<\/span>\r\n<\/pre>\n<\/li>\n<li class=\"tableitem\"><span class=\"notranslate\"> Setup is complete once the server adds the <span class=\"yellow\">Received-SPF:<\/span> header to newly received <span class=\"yellow\">mail.<\/span><\/span><\/li>\n<\/ul>\n<div class=\"table\">\n<h3><span class=\"notranslate\">Premise<\/span><\/h3>\n<ul class=\"tablelist\">\n<li class=\"tableitem\"><span class=\"notranslate\"> Create a self-signed CA, then create a server certificate signed by that CA.<\/span><\/li>\n<li class=\"tableitem\"><span class=\"notranslate\"> Import the CA certificate as trusted, via USB memory or the like, so that the certificate chain verifies.<\/span><\/li>\n<li class=\"tableitem\"><span class=\"notranslate\"> That said, all of this is fairly rough.<\/span><\/li>\n<\/ul>\n<\/div>\n<div class=\"table\">\n<h3><span class=\"notranslate\"> Configuration file for X.509 v3 extensions<\/span><\/h3>\n<ul class=\"tablelist\">\n<li class=\"tableitem\"><span class=\"notranslate\"> Create a file that sets the version 3 extension attributes.<\/span><br \/>\n<span class=\"notranslate\"> <span class=\"blue\">ext.cnf<\/span><\/span><\/p>\n<pre><span 
class=\"notranslate\"> # Default values used when making the certificate request (CSR)<\/span>\r\n<span class=\"notranslate\"> [req]<\/span>\r\n  <span class=\"notranslate\"> default_bits = 2048<\/span>\r\n  <span class=\"notranslate\"> distinguished_name = req_distinguished_name<\/span>\r\n  <span class=\"notranslate\"> attributes = req_attributes<\/span>\r\n  <span class=\"notranslate\"> default_md = sha1<\/span>\r\n  <span class=\"notranslate\"> string_mask = nombstr<\/span>\r\n\r\n<span class=\"notranslate\"> # Default values for the contents written into the certificate request (CSR)<\/span>\r\n<span class=\"notranslate\"> [req_distinguished_name]<\/span>\r\n  <span class=\"notranslate\"> countryName = Country Name (2 letter code)<\/span>\r\n  <span class=\"notranslate\"> countryName_default = JP<\/span>\r\n  <span class=\"notranslate\"> stateOrProvinceName = State or Province Name (full name)<\/span>\r\n  <span class=\"notranslate\"> stateOrProvinceName_default =<\/span>\r\n  <span class=\"notranslate\"> localityName = Locality Name (eg, city)<\/span>\r\n  <span class=\"notranslate\"> localityName_default =<\/span>\r\n  <span class=\"notranslate\"> 0.organizationName = Organization Name (eg, company)<\/span>\r\n  <span class=\"notranslate\"> 0.organizationName_default =<\/span>\r\n  <span class=\"notranslate\"> organizationalUnitName = Organizational Unit Name (eg, section)<\/span>\r\n  <span class=\"notranslate\"> commonName = Common Name (*** IMPORTANT ***)<\/span>\r\n  <span class=\"notranslate\"> commonName_default =<\/span>\r\n  <span class=\"notranslate\"> emailAddress = Email Address<\/span>\r\n  <span class=\"notranslate\"> emailAddress_default =<\/span>\r\n\r\n<span class=\"notranslate\"> # Apparently used when making the certificate request (CSR); I do not know the details<\/span>\r\n<span class=\"notranslate\"> [req_attributes]<\/span>\r\n  <span class=\"notranslate\"> challengePassword = A challenge password<\/span>\r\n  <span class=\"notranslate\"> challengePassword_min = 4<\/span>\r\n  <span class=\"notranslate\"> challengePassword_max = 20<\/span>\r\n  <span class=\"notranslate\"> unstructuredName = An optional company name<\/span>\r\n\r\n<span class=\"notranslate\"> # V3 extensions for CA<\/span>\r\n<span class=\"notranslate\"> [v3_ca]<\/span>\r\n  <span class=\"notranslate\"> basicConstraints = CA:true<\/span>\r\n  <span class=\"notranslate\"> subjectKeyIdentifier = hash<\/span>\r\n  <span class=\"notranslate\"> authorityKeyIdentifier = keyid:always, issuer:always<\/span>\r\n  <span class=\"notranslate\"> keyUsage = cRLSign, keyCertSign<\/span>\r\n  <span class=\"notranslate\"> nsCertType = sslCA, emailCA<\/span>\r\n  <span class=\"notranslate\"> # The next line is questionable<\/span>\r\n  <span class=\"notranslate\"> extendedKeyUsage = 1.3.6.1.5.5.7.3.2, 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.4<\/span>\r\n\r\n<span class=\"notranslate\"> # V3 extensions for server certificate<\/span>\r\n<span class=\"notranslate\"> [cert_server]<\/span>\r\n  <span class=\"notranslate\"> basicConstraints = CA:FALSE<\/span>\r\n  <span class=\"notranslate\"> subjectKeyIdentifier = hash<\/span>\r\n  <span class=\"notranslate\"> authorityKeyIdentifier = keyid:always, issuer:always<\/span>\r\n  <span class=\"notranslate\"> keyUsage = digitalSignature, keyEncipherment<\/span>\r\n  <span class=\"notranslate\"> nsCertType = server<\/span>\r\n  <span class=\"notranslate\"> # The next line is questionable<\/span>\r\n  <span 
class=\"notranslate\"> extendedKeyUsage = 1.3.6.1.5.5.7.3.1<\/span>\r\n<\/pre>\n<\/li>\n<\/ul>\n<\/div>\n<div class=\"table\">\n<h3><span class=\"notranslate\"> Commands<\/span><\/h3>\n<ul class=\"tablelist\">\n<li class=\"tableitem\"><span class=\"notranslate\"> Create the private key for the CA.<\/span> <span class=\"notranslate\"> 2048-bit RSA.<\/span> <span class=\"notranslate\"> The key itself is encrypted with 192-bit AES.<\/span>\n<pre class=\"commandline\"><span class=\"notranslate\"> $ openssl genrsa -aes192 -out ca.key 2048<\/span>\r\n<\/pre>\n<\/li>\n<li class=\"tableitem\"><span class=\"notranslate\"> Create the CA certificate.<\/span> <span class=\"notranslate\"> It is an X.509 v3 certificate.<\/span> <span class=\"notranslate\"> The validity period is an arbitrary 10 years.<\/span> <span class=\"notranslate\"> For readability, the TEXT form is output in addition to the PEM format.<\/span>\n<pre class=\"commandline\"><span class=\"notranslate\"> $ openssl req -new -x509 -days 3652 \\<\/span>\r\n    <span class=\"notranslate\"> -key ca.key -out ca.crt \\<\/span>\r\n    <span class=\"notranslate\"> -config ext.cnf -extensions v3_ca -text<\/span>\r\n<\/pre>\n<\/li>\n<li class=\"tableitem\"><span class=\"notranslate\"> Create the file that holds the serial number of the certificates managed by the CA.<\/span> <span class=\"notranslate\"> Without it, the steps below fail with an error.<\/span>\n<pre class=\"commandline\"><span class=\"notranslate\"> $ echo \"00\" &gt; ca.srl<\/span>\r\n<\/pre>\n<\/li>\n<li class=\"tableitem\"><span class=\"notranslate\"> Create the private key for the server.<\/span> <span class=\"notranslate\"> 2048-bit RSA.<\/span> <span class=\"notranslate\"> The key itself is not encrypted.<\/span> <span class=\"notranslate\"> (If it were, Apache would ask for the passphrase at startup.)<\/span>\n<pre class=\"commandline\"><span class=\"notranslate\"> $ openssl genrsa -out server.key 2048<\/span>\r\n<\/pre>\n<\/li>\n<li class=\"tableitem\"><span class=\"notranslate\"> Create a 
certificate request for the server.<\/span> <span class=\"notranslate\"> For readability, the TEXT form is output in addition to the PEM format.<\/span>\n<pre class=\"commandline\"><span class=\"notranslate\"> $ openssl req -new \\<\/span>\r\n    <span class=\"notranslate\"> -key server.key -out server.csr \\<\/span>\r\n    <span class=\"notranslate\"> -config ext.cnf -text<\/span>\r\n<\/pre>\n<\/li>\n<li class=\"tableitem\"><span class=\"notranslate\"> Create an X.509 v3 server certificate signed with the CA key.<\/span> <span class=\"notranslate\"> The validity period is an arbitrary 700 days.<\/span>\n<pre class=\"commandline\"><span class=\"notranslate\"> $ openssl x509 -req -days 700 \\<\/span>\r\n    <span class=\"notranslate\"> -in server.csr -out server.crt \\<\/span>\r\n    <span class=\"notranslate\"> -CA ca.crt -CAkey ca.key \\<\/span>\r\n    <span class=\"notranslate\"> -extfile ext.cnf -extensions cert_server -CAserial ca.srl<\/span>\r\n<\/pre>\n<\/li>\n<\/ul>\n<\/div>\n<div class=\"table\">\n<h3><span class=\"notranslate\"> Apache integration<\/span><\/h3>\n<ul class=\"tablelist\">\n<li class=\"tableitem\"><span class=\"notranslate\"> After that, install the files into Apache as appropriate.<\/span><br \/>\n<span class=\"notranslate\"> <span class=\"blue\">Add the following to the appropriate VirtualHost setting<\/span><\/span><\/p>\n<pre><span class=\"notranslate\"> Listen 443<\/span>\r\n\r\n<span class=\"notranslate\"> ## SSL Virtual Host Context<\/span>\r\n<span class=\"notranslate\"> &lt;VirtualHost *:443&gt;<\/span>\r\n  <span class=\"notranslate\"> SSLEngine on<\/span>\r\n\r\n  <span class=\"notranslate\"> SSLCertificateFile server.crt<\/span>\r\n  <span class=\"notranslate\"> SSLCertificateKeyFile server.key<\/span>\r\n  <span class=\"notranslate\"> SSLCACertificateFile ca.crt<\/span>\r\n  \r\n  <span class=\"notranslate\"> DocumentRoot ************<\/span>\r\n  \r\n  <span class=\"notranslate\"> # ~ ~ ~ the rest as appropriate ~ ~ ~<\/span>\r\n<span class=\"notranslate\"> &lt;\/VirtualHost&gt;<\/span>\r\n<\/pre>\n<\/li>\n<\/ul>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p> Biglobe enforces OP25B, so outgoing mail is sent via Biglobe's relay server. Sending therefore uses SASL authentication. SPF is used for sender domain authentication. S25R, Greylisting and Tarpitting block access from suspicious servers. Because you do not want to do in the form of a patch to Postfix, the [&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[73,33],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6376"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6376"}],"version-history":[{"count":2,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6376\/revisions"}],"predecessor-version":[{"id":6378,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6376\/revisions\/6378"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6376"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6376"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6376"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}