POSTFIX ͷ TLS ԽͰࠔͬͨ࿩ ͱ͋Δ Πϯϑϥ԰ ͕ 2017-02-03 21Caffe @ intra_security#2 LT 

TEXT ࣗݾ঺հ ▸ ໊લ: Hirofumi Hida ▸ ΠϯϑϥΤϯδχΞ(UnixΛओʹ) ▸ SI ͷݱ৔ʹ์Γࠐ·ΕͨΓ (ࠓ೔ͷ࿩) ▸ Ops ΋΍ͬͨΓ(ͲͪΒ͔ͱ͍͏ͱ͍·͸͕ͬͪ͜޷͖) ▸ Twitter: @gekko_qv ▸ Qiita: http://qiita.com/hirofumihida 

TEXT ·͓͖͑ ▸ Postfix ͱ͸ ▸ MTA mail transfer agent ▸ smtpd αʔόʔͰϝʔϧΛड͚औͬͯ ▸ smtp ΫϥΠΞϯτͰྡͷ MTA ʹϝʔϧΛసૹ ▸ TLS ͱ͸ ▸ ௨৴ͷ҉߸Խ Transport Layer Security ▸ ࠓճ͸ ྡͷMTA΋͘͠͸ϝʔϥʔ ͔Β smtpd αʔόʔ ·ͰͱɺsmtpΫϥΠ Ξϯτ ͔Β ྡͷsmtpdαʔόʔ ͕ؒ TLS (҉߸)Խର৅ 

TEXT ࠔͬͨ͜ͱ 1/4 ▸ ࣗ෼͕ postfix ΋ ϝʔϧηΩϡϦςΟ ΋Α͘஌Βͳ͍ ▸ ͳΜͰͦΜͳਓؒΛϝΠϯͰΞαΠϯʁ ▸ ׬શʹձ͔ࣾΒແ஡ৼΓ͞Εͨײ…Ͱ΋ ▸ Ғ͍ਓʮࣄલௐࠪ(?)͸ऴΘͬͯΔ͔Βେৎ෉ʯ w w w w w w w w w w w w w w w ▸ ࢲʮྑ͔ͬͨɻָͳ࢓ࣄʹͳΓͦ͏ͩͳɻɻʯ ▸ ࢲʮͰ͸ɺݱঢ়ͷ֬ೝΛͯ͠ΈΑ͏͔ɻʯ 

TEXT ࠔͬͨ͜ͱ 2/4 ▸ OpenSSL ͕ݹ͗͢Δʂ ▸ Heart Bleed Ͳ͜ΖͰ͸ͳ͍ ▸ TLS1.2 ͢Β஻Εͳ͍ʂ ▸ ͕͢͞ʹ͜Ε͸όʔδϣϯ্͛ͯ΋Β͑ͨɻ 

TEXT ࠔͬͨ͜ͱ 3/4 ▸ ΍ͬͨͱݴΘΕͨࣄલௐࠪ ▸ ࣮ػΑΓݹ͍όʔδϣϯͷ೔ຊޠυΩϡϝϯτ͔֬͠ೝ͠ ͯͳ͔ͬͨɻɻ ▸ ݁ہઃఆύϥϝʔλʔݟ௚͠ɻɻ ▸ ݕূ΋΍Γ௚͠ɻɻ ▸ ͦͷ͓͋ΓͰɻɻ 

TEXT ࠔͬͨ͜ͱ 4/4 ▸ ΤΠδϯάظ͕ؒͳ͍ɻɻ ▸ TLS Ωϟογϡ DB ͕ංେԽ͢Δ৚݅΍܏޲͕͋΍; ΍ɻɻ ▸ ͷͪʹ RFC5077 ͷଘࡏΛ஌Δ΋࣌͢Ͱʹ஗͠ ▸ TLS1.2 ಉ࢜ͳΒ૿͑ͳ͍͕ɺSSLv3 ͱ௨৴͢Δͱ૿͑ ΔͬΆ͍ʁ 

TEXT RFC5077 ͱ͸ʁ ▸ Transport Layer Security (TLS) Session Resumption without Server-Side State ▸ https://tools.ietf.org/html/rfc5077 ▸ ৄ͘͠͸ https://techblog.yahoo.co.jp/infrastructure/ssl-session- resumption/ 

TEXT ڭ܇ ▸ૉਓ͚ͩͰηΩϡϦςΟҊ݅ʹؔΘΒͳ͍ํ͕ྑ͍ ▸Postfix ؚΊɺιϑτ΢ΣΞ͸ग़དྷΔ͚ͩ࠷৽൛Λ࢖͓͏ ▸Postfix ͸ݹͯ͘΋ RFC5077 ରԠͷ 2.11 Ҏ߱Λ࢖͓͏ ▸࣮ػͱಉҰόʔδϣϯͷΦϦδφϧυΩϡϝϯτ(Ұ࣍৘ ใ)Λ֬ೝ͠Α͏ ▸ͦΕ͕ӳޠ൛͔͠ͳͯ͘΋ 

TEXT ͓ΘΓ ▸ ͝੩ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠ :)