• MailSSL
  • ssl
  • ssl_certificate
  • ssl_certificate_key
  • ssl_ciphers
  • ssl_prefer_server_ciphers
  • ssl_protocols
  • ssl_session_cache
  • ssl_session_timeout
  • starttls

    MailSSL

    This module provides SSL/TLS support for POP3/IMAP/SMTP. Its configuration is practically identical to that of the HTTP SSL module, but checking client certificates is not supported.

    ssl

    syntax:*ssl on | off*

    default:*ssl off*

    context:*mail, server*

    Enables SSL/TLS for this virtual server.

    ssl_certificate

    syntax:*ssl_certificate file*

    default:*cert.pem*

    context:*mail, server*

    Specifies the file with the certificate in PEM format for this virtual server. The same file can contain other certificates, and also the secret key in PEM format.

    ssl_certificate_key

    syntax:*ssl_certificate_key file*

    default:*cert.pem*

    context:*mail, server*

    Specifies the file with the secret key in PEM format for this virtual server.

    ssl_ciphers

    syntax:*ssl_ciphers ciphers*

    default:*ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP*

    context:*mail, server*

    This directive describes the permitted ciphers. Ciphers are specified in the format supported by OpenSSL.

    ssl_prefer_server_ciphers

    syntax:*ssl_prefer_server_ciphers on | off*

    default:*off*

    context:*mail, server*

    Requires that, for the SSLv3 and TLSv1 protocols, server ciphers be preferred over the client's ciphers.

    ssl_protocols

    syntax:*ssl_protocols [SSLv2] [SSLv3] [TLSv1]*

    default:*SSLv2 SSLv3 TLSv1*

    context:*mail, server*

    This directive enables the protocols indicated.

    ssl_session_cache

    syntax:*ssl_session_cache [builtin[:size]] [shared:name:size]*

    default:*builtin:20480*

    context:*mail, server*

    The directive sets the types and sizes of the caches that store SSL sessions. The cache types are:

    • builtin — the OpenSSL builtin cache, used inside one worker process only. The cache size is specified as a number of sessions.
    • shared — the cache is shared between all worker processes. The cache size is specified in bytes; a 1 MB cache can hold about 4000 sessions. Each shared cache must have an arbitrary name. A cache with the same name can be used in several virtual servers.

    It is possible to use both types of cache simultaneously, for example:

        ssl_session_cache builtin:1000 shared:SSL:10m;

    However, using only the shared cache, without the builtin one, should be more efficient.

    ssl_session_timeout

    syntax:*sslsession_timeout**time_*

    default:*5m*

    context:*mail, server*

    Sets the time during which the client can reuse the parameters of a session stored in the cache.

    starttls

    syntax:*starttls on | off | only*

    default:*off*

    context:*mail, server*

    • on - permit the use of the STLS command for POP3 and the STARTTLS command for IMAP/SMTP
    • off - do not allow the STLS/STARTTLS commands
    • only - announce STLS/STARTTLS support and require that clients use TLS encryption
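
An added example (not from the original page or the nginx project) showing how these directives combine in a `mail` block: one IMAP listener that requires STARTTLS and one that speaks TLS from the start, with protocols and ciphers set explicitly because the defaults listed on this page still admit SSLv2, SSLv3 and export-grade ciphers. The hostname, file paths, cache name, `auth_http` URL, cipher string and the `TLSv1.2` value are assumptions; `TLSv1.2` needs an nginx/OpenSSL build newer than the one this page documents.

```nginx
# Added example; hostname, paths and the auth_http URL are placeholders.
mail {
    server_name  mail.example.com;          # assumed hostname
    auth_http    127.0.0.1:9000/auth;       # assumed authentication backend for the mail proxy

    # Certificate and secret key in PEM format.
    ssl_certificate      /etc/nginx/tls/mail.example.com.crt;
    ssl_certificate_key  /etc/nginx/tls/mail.example.com.key;

    # Set these explicitly instead of relying on the documented defaults
    # (SSLv2 SSLv3 TLSv1 and ALL:!ADH:RC4+RSA:...:+SSLv2:+EXP).
    ssl_protocols              TLSv1.2;     # assumption: the build supports TLSv1.2
    ssl_ciphers                HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    # One cache shared by all worker processes; about 4000 sessions per megabyte.
    ssl_session_cache    shared:MAILSSL:10m;
    ssl_session_timeout  5m;

    # Port 143: the connection starts in plaintext, and "only" makes the
    # server require that the client upgrade with STARTTLS.
    server {
        listen    143;
        protocol  imap;
        starttls  only;
    }

    # Port 993: TLS from the first byte, using the "ssl on" form documented
    # on this page (newer nginx releases use the ssl parameter of listen).
    server {
        listen    993;
        protocol  imap;
        ssl       on;
    }
}
```

Run `nginx -t` to validate the configuration before reloading.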

    Original: https://wizardforcel.gitbooks.io/nginx-doc/content/Text/5.4_mailssl.html