This documentation is for Dovecot v2.x.
Dovecot SSL configuration
The most important SSL settings are (in conf.d/10-ssl.conf):

ssl = yes
# Preferred permissions: root:root 0444
ssl_cert = </etc/ssl/certs/dovecot.pem
# Preferred permissions: root:root 0400
ssl_key = </etc/ssl/private/dovecot.pem

The certificate file can be world-readable, since it doesn't contain anything sensitive (in fact it's sent to each connecting SSL client). The key file's permissions should be restricted to only root (and possibly an ssl-certs group or similar if your OS uses one). Dovecot opens both of these files while still running as root, so you don't need to give Dovecot any special permissions to read them (in fact: do not give the dovecot user any permissions to the key file).

It's possible to keep the certificate and the key both in the same file:

# Preferred permissions: root:root 0400
ssl_cert = </etc/ssl/dovecot.pem
ssl_key = </etc/ssl/dovecot.pem

It's also possible to use different certificates for IMAP and POP3. However, it's important to note that "ssl = yes" must be set globally if you require SSL for any protocol (or Dovecot will not listen on the SSL ports), which in turn requires that a certificate and key are specified globally even if you intend to specify certificates per protocol. The per-protocol certificate settings override the global setting:

protocol imap {
  ssl_cert = </etc/ssl/certs/imap.pem
  ssl_key = </etc/ssl/private/imap.pem
}
protocol pop3 {
  ssl_cert = </etc/ssl/certs/pop3.pem
  ssl_key = </etc/ssl/private/pop3.pem
}

There are a couple of different ways to specify when SSL/TLS is required:

ssl=no: SSL/TLS is completely disabled.

ssl=yes and disable_plaintext_auth=no: SSL/TLS is offered to the client, but the client isn't required to use it. The client is allowed to log in with plaintext authentication even when SSL/TLS isn't enabled on the connection. This is insecure, because the plaintext password is exposed to the internet.

ssl=yes and disable_plaintext_auth=yes: SSL/TLS is offered to the client, but the client isn't required to use it. The client isn't allowed to use plaintext authentication unless SSL/TLS is enabled first. However, if non-plaintext authentication mechanisms are enabled, they are still allowed even without SSL/TLS. Depending on how secure they are, the authentication is either fully secure or it could have some ways for it to be attacked.

ssl=required: SSL/TLS is always required, even if non-plaintext authentication mechanisms are used. Any attempt to authenticate before SSL/TLS is enabled will cause an authentication failure.

NOTE: If you have only plaintext mechanisms enabled (e.g. auth { mechanisms = plain login }), ssl=yes and ssl=required are completely equivalent, because in either case the authentication will fail unless SSL/TLS is enabled first.

NOTE2: With both ssl=yes and ssl=required it's still possible that the client attempts to do a plaintext authentication before enabling SSL/TLS, which exposes the plaintext password to the internet. Dovecot attempts to indicate this to IMAP clients via the LOGINDISABLED capability, but many clients still ignore it and send the password anyway. There is unfortunately no way for Dovecot to prevent this behavior. The POP3 standard doesn't have an equivalent capability at all, so POP3 clients can't even know whether the server would accept a plaintext authentication.

The main difference between ssl=required and disable_plaintext_auth=yes is that ssl=required guarantees that the entire connection is protected against eavesdropping (SSL/TLS encrypts the rest of the connection), while disable_plaintext_auth=yes only guarantees that the password is protected against eavesdropping (the SASL mechanism is encrypted, but no SSL/TLS is necessarily used). Nowadays you most likely should be using SSL/TLS anyway for the entire connection, since the cost of SSL/TLS is cheap enough. Using both SSL/TLS and non-plaintext authentication would be the ideal situation, since it protects the plaintext password even against man-in-the-middle attacks.
Note that plaintext authentication is always allowed (and SSL not required) for connections from localhost, as they're assumed to be secure anyway. This applies to all connections where the local and the remote IP addresses are equal. Also IP ranges specified by login_trusted_networks setting are assumed to be secure.
Multiple SSL certificates
Different certificates per IP and protocol
If you have multiple IPs available, this method is guaranteed to work with all clients.

local 192.0.2.10 { # instead of IP you can also use hostname, which will be resolved
  protocol imap {
    ssl_cert = </etc/ssl/dovecot/imap-.cert.pem
    ssl_key = </etc/ssl/dovecot/imap-.key.pem
  }
  protocol pop3 {
    ssl_cert = </etc/ssl/dovecot/pop-.cert.pem
    ssl_key = </etc/ssl/dovecot/pop-.key.pem
  }
}
local 192.0.2.20 {
  protocol imap {
    ssl_cert = </etc/ssl/dovecot/imap-.cert.pem
    ssl_key = </etc/ssl/dovecot/imap-.key.pem
  }
  protocol pop3 {
    ssl_cert = </etc/ssl/dovecot/pop-.cert.pem
    ssl_key = </etc/ssl/dovecot/pop-.key.pem
  }
}

Note that you will still need a top-level "default" ssl_key and ssl_cert as well, or you will receive errors:

# doveconf -n
doveconf: Error: ssl enabled, but ssl_cert not set
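As an added example (not from the Dovecot project), a small Python linter that parses the configuration syntax used on this page and flags the problems described in the two sections above: ssl enabled without a global ssl_cert/ssl_key, ssl=yes combined with disable_plaintext_auth=no, and a certificate setting written without the leading "<" file reference. The parse and lint function names and the sample configuration are assumptions made for this example.

```python
# Added example, not Dovecot's own code: a small linter for the ssl settings above.
# It parses the syntax shown on this page: "key = value", "key = </file" references,
# and nested "protocol", "local" and "local_name" blocks.

def parse(conf):
    top, blocks, stack = {}, [], []  # blocks: [(block path, settings), ...]
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.endswith("{"):
            name = line[:-1].strip()
            stack.append(((stack[-1][0] + " / " if stack else "") + name, {}))
        elif line == "}":
            blocks.append(stack.pop())
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            (stack[-1][1] if stack else top)[key] = value
    return top, blocks

def lint(conf):
    """Return findings; an empty list means the ssl settings look sane."""
    top, blocks = parse(conf)
    ssl = top.get("ssl", "no")
    if ssl == "no":
        return ["ssl=no: SSL/TLS is disabled for every protocol"]
    findings = []
    # doveconf errors without a top-level cert and key, even if every block has its own
    for key in ("ssl_cert", "ssl_key"):
        if key not in top:
            findings.append(f"ssl enabled, but {key} not set globally")
    # the default is disable_plaintext_auth=yes; only an explicit "no" exposes passwords
    if ssl == "yes" and top.get("disable_plaintext_auth", "yes") == "no":
        findings.append("ssl=yes, disable_plaintext_auth=no: password may be sent in the clear")
    # ssl_cert/ssl_key/ssl_ca must be file references ("<path"), not the path as text
    for path, settings in [("global", top)] + blocks:
        for key in ("ssl_cert", "ssl_key", "ssl_ca"):
            if key in settings and not settings[key].startswith("<"):
                findings.append(f"{path}: {key} is not a file reference: {settings[key]!r}")
    return findings

# Constructed sample: no top-level cert/key, plaintext auth allowed, one ssl_cert without "<"
SAMPLE = """ssl = yes
disable_plaintext_auth = no
protocol imap {
  ssl_cert = /etc/ssl/dovecot/imap.cert.pem
  ssl_key = </etc/ssl/dovecot/imap.key.pem
}
"""
```

Running lint(SAMPLE) reports four findings; a configuration with global ssl_cert/ssl_key, disable_plaintext_auth left at its default and "<" on every file reference reports none.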
With client TLS SNI (Server Name Indication) support
It is important to note that having multiple SSL certificates per IP will not be compatible with all clients, especially mobile ones. It is a TLS SNI limitation. See the list of clients known to (not) support SNI.

local_name imap.example.org {
  ssl_cert = </etc/ssl/certs/imap.example.org.crt
  ssl_key = </etc/ssl/private/imap.example.org.key
}
local_name imap.example2.org {
  ssl_cert = </etc/ssl/certs/imap.example2.org.crt
  ssl_key = </etc/ssl/private/imap.example2.org.key
}
Password protected key files
SSL key files may be password protected. There are two ways to provide Dovecot with the password:

Starting Dovecot with dovecot -p asks for the password. It's not stored anywhere, so this method prevents Dovecot from starting automatically at boot.

The ssl_key_password setting. Note that dovecot.conf is by default world-readable, so you probably shouldn't place the password there directly. Instead you could store it in a different file, such as /etc/dovecot-private.conf, containing:

ssl_key_password = secret

and then use !include_try /etc/dovecot-private.conf in the main dovecot.conf.
Chained SSL certificates
Put all the certificates in the ssl_cert file. For example, when using a certificate signed by TDC the correct order is:

1. Dovecot's public certificate
2. TDC SSL Server CA
3. TDC Internet Root CA
4. Globalsign Partners CA
SSL security settings
When Dovecot starts up for the first time, it generates new 512-bit and 1024-bit Diffie-Hellman parameters and saves them into <prefix>/var/lib/dovecot/ssl-parameters.dat. Dovecot v2.1.x and older regenerated them every week by default, but because the extra security gained by the regeneration is quite small, Dovecot v2.2 disabled the regeneration feature completely.

Up to and including version 2.2, you can specify the wanted DH parameter length using:

ssl_dh_parameters_length = 2048

From version 2.3, you must specify the path to a DH parameters file using:

ssl_dh = </path/to/dh.pem

To generate a new parameters file, you can use openssl gendh 4096 (this will take a very long time; run it on a machine with sufficient entropy). You can also convert an old v2.2 parameters file with the command:

dd if=/path/to/ssl-parameters.dat bs=1 skip=88 | openssl dh -inform der

This should work most of the time. If not, generate a new file.

By default Dovecot's allowed cipher list contains:

ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL

Disallowing more won't really gain any security for those using better ciphers, but it does prevent people from accidentally using insecure ciphers. See the OpenSSL ciphers documentation for a list of the ciphers.
SSL verbosity
verbose_ssl = yes

This will make Dovecot log all the problems it sees with SSL connections. Some errors might be caused by dropped connections, so it could be quite noisy.
Client certificate verification/authentication
If you want to require clients to present a valid SSL certificate, you'll need these settings:

ssl_ca = </etc/ssl/ca.pem
ssl_verify_client_cert = yes
auth_ssl_require_client_cert = yes
#auth_ssl_username_from_cert = yes

The CA file should contain the certificate(s) followed by the matching CRL(s). Note that the CRLs are required to exist. For a multi-level CA, place the certificates in this order:

1. Issuing CA cert
2. Issuing CA CRL
3. Intermediate CA cert
4. Intermediate CA CRL
5. Root CA cert
6. Root CA CRL

The certificates and the CRLs have to be in PEM format. To convert a DER format CRL (e.g. ) into PEM format, use:

openssl crl -in class3-revoke.crl -inform DER -outform PEM > class3-revoke.pem

With the above settings, if a client connects which doesn't present a certificate signed by one of the CAs in the ssl_ca file, Dovecot won't let the user log in. This could present a problem if you're using Dovecot to provide SASL authentication for an MTA (such as Postfix) which is not capable of supplying client certificates for SASL authentication. If you need Dovecot to provide SASL authentication to an MTA without requiring client certificates and simultaneously provide IMAP service to clients while requiring client certificates, you can put auth_ssl_require_client_cert = yes inside of a protocol block as shown below to make an exemption for SMTP SASL clients (such as Postfix):

protocol !smtp {
  auth_ssl_require_client_cert = yes
}

You may also force the username to be taken from the certificate by setting auth_ssl_username_from_cert = yes. The text is looked up from the subject DN's specified field using OpenSSL's X509_NAME_get_text_by_NID() function. By default the CommonName field is used. You can change the field with the ssl_cert_username_field = name setting (parsed using OpenSSL's OBJ_txt2nid() function). x500UniqueIdentifier is a common choice.

You may also want to disable the password checking completely. Doing this currently circumvents Dovecot's security model, so it's not recommended, but it is possible by making the allow logins using any password (typically requiring to be returned).
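To check that an ssl_ca bundle follows the certificate-then-CRL layout described above before pointing Dovecot at it, here is an added example (not Dovecot's own code) that scans a PEM file for its block labels. The PEM bodies below are constructed placeholders, not real certificates or CRLs, and the function names are assumptions made for this example.

```python
import re

# A PEM block is "-----BEGIN label-----" ... "-----END label-----" with matching labels
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)

def pem_labels(bundle):
    """Return the labels of the PEM blocks in the bundle, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(bundle)]

def check_ssl_ca_layout(bundle):
    """Return problems with an ssl_ca bundle; Dovecot wants cert, CRL, cert, CRL, ..."""
    labels = pem_labels(bundle)
    if not labels:
        return ["no PEM blocks found (DER input must first be converted to PEM)"]
    problems = []
    for i in range(0, len(labels), 2):
        pair = labels[i:i + 2]
        if pair != ["CERTIFICATE", "X509 CRL"]:
            problems.append(f"blocks {i + 1}-{i + len(pair)}: expected CERTIFICATE then X509 CRL, got {pair}")
    return problems

def block(label, body):
    """Build a constructed PEM block; the body is a placeholder, not real DER data."""
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed two-level bundle in the documented order: issuing CA, its CRL, root CA, its CRL
GOOD_BUNDLE = (block("CERTIFICATE", "placeholder-issuing-ca") + block("X509 CRL", "placeholder-issuing-crl")
               + block("CERTIFICATE", "placeholder-root-ca") + block("X509 CRL", "placeholder-root-crl"))
# Constructed bundle where the issuing CA's CRL was forgotten
MISSING_CRL_BUNDLE = (block("CERTIFICATE", "placeholder-issuing-ca")
                      + block("CERTIFICATE", "placeholder-root-ca") + block("X509 CRL", "placeholder-root-crl"))
```

The check only verifies the file layout Dovecot expects; it does not validate signatures or that each CRL really belongs to the certificate before it.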
Try out your new setup:

openssl s_client -connect :pop3s

You should see something like this:

CONNECTED()
depth=2 /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
verify error:num=19:self signed certificate in certificate chain
verify return:0
Certificate chain
i:/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
1 s:/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
2 s:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
Server certificate
subject=/CN=
issuer=/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
No client certificate CA names sent
SSL handshake has read 5497 bytes and written 293 bytes
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
: DHE-RSA-AES256-SHA
Session-ID: 114A22BE3124ACF640AE9E90B3B9A20ADF7FA691F3
Session-ID-ctx:
Master-Key: B8A55EC91A060575CFB29503FBFBCBFE02D20A7FD8DCE5CCC4B94A492F43ED8F
Compression: 1 (zlib compression)
Start Time:
: 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
+OK Dovecot ready.
Testing CA
The above test procedure returns:
Verify return code: 19 (self signed certificate in certificate chain)

which is the expected result, since the test command omits the option to verify the CA root certificate.
The following commands will enable CA root certificate validation.
Testing CA On Debian
On Debian derived distributions try:

openssl s_client -CApath /etc/ssl/certs -connect :pop3s
Testing CA On RHEL
On Red Hat Enterprise Linux derived distributions try:

openssl s_client -CAfile /etc/pki/tls/cert.pem -connect :pop3s
Testing CA Success
Verify return code: 0 (ok)