Postfix TLS fails with a CA-signed certificate

When I use an SSL certificate signed by a certificate authority, Postfix does not run properly and this error appears in /var/log/mail.log:

    Sep 8 12:43:03 mail postfix/master[15557]: daemon started -- version 3.1.0, configuration /etc/postfix
    Sep 8 12:43:11 mail postfix/smtpd[15560]: fatal: bad boolean configuration: smtpd_sasl_authenticated_header = yes? smtpd_tls_cert_file=/etc/ssl/certs/mail_centralcloudmanager_com.crt? smtpd_tls_key_file=/etc/ssl/private/mail.centralcloudmanager.com.key
    Sep 8 12:43:12 mail postfix/master[15557]: warning: process /usr/lib/postfix/sbin/smtpd pid 15560 exit status 1
    Sep 8 12:43:12 mail postfix/master[15557]: warning: /usr/lib/postfix/sbin/smtpd: bad command startup -- throttling

The SSL-related part of /etc/postfix/main.cf:

    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_local_domain =
    smtpd_sasl_authenticated_header = yes
    #UNCOMMENTING THESE TWO AND COMMENTING THE SIGNED ONES ALLOWS POSTFIX TO WORK.
    #smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
    #smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
    smtpd_tls_cert_file=/etc/ssl/certs/mail_centralcloudmanager_com.crt
    smtpd_tls_key_file=/etc/ssl/private/mail.centralcloudmanager.com.key
    smtpd_tls_CAfile=/etc/ssl/certs/mail_centralcloudmanager_com.ca-bundle
    smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    #smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    #smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtpd_tls_security_level = may
    smtp_tls_security_level = may
    smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
    smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem

When I use the default snakeoil certificate, Postfix runs normally and I can send and receive mail. When I switch to my CA-signed certificate, I get the error shown above in /var/log/mail.log.

I use the same CA-signed certificate for Dovecot and it works fine there (it also works with the snakeoil certificate).

/etc/dovecot/conf.d/10-ssl.conf:

    ssl = yes
    ssl_cert = </etc/ssl/certs/mail_centralcloudmanager_com.crt
    ssl_key = </etc/ssl/private/mail.centralcloudmanager.com.key
    ssl_ca = </etc/ssl/certs/mail_centralcloudmanager_com.ca-bundle
    ssl_dh_parameters_length = 2048
    ssl_protocols = !SSLv2 !SSLv3
    ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    ssl_prefer_server_ciphers = yes

I am also using these signed certificates for the Apache part hosted on the same server.
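The log line in the question is worth reading closely: the value Postfix reports for smtpd_sasl_authenticated_header is not `yes` but `yes? smtpd_tls_cert_file=...? smtpd_tls_key_file=...`, i.e. the two smtpd_tls_* assignments have become part of the preceding value, and Postfix renders bytes it cannot print as `?`. The script below is an added example (not from the question, the answer, or Postfix itself) that parses a constructed main.cf fragment the way Postfix reads it (records end at LF, indented lines continue the previous value), reproduces the "bad boolean configuration" finding, and shows that normalizing the line endings separates the three settings again. The BOOLEAN_PARAMS set and the `printable` helper are my approximations of Postfix behaviour; the file contents are constructed.

```python
"""Added example: reproduce Postfix's "bad boolean configuration" error from a
main.cf whose records are not separated by LF, and show the remediation."""
import re

# Boolean parameters that appear in the question's main.cf (real Postfix names;
# the set is intentionally limited to those).
BOOLEAN_PARAMS = {
    "smtpd_sasl_auth_enable", "broken_sasl_auth_clients",
    "smtpd_sasl_authenticated_header", "smtpd_tls_received_header",
    "smtp_tls_note_starttls_offer",
}

ASSIGNMENT = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$")


def printable(value: str) -> str:
    """Approximation of Postfix logging: non-printable bytes are shown as '?'."""
    return "".join(c if 32 <= ord(c) < 127 else "?" for c in value)


def parse_main_cf(text: str) -> dict:
    """Parse 'name = value' records like Postfix: a record ends at LF only,
    a line starting with whitespace continues the previous value, '#' lines
    are comments. A bare CR is therefore just another byte inside a value."""
    params, current = {}, None
    for line in text.split("\n"):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and current is not None:
            params[current] += " " + line.strip()
            continue
        m = ASSIGNMENT.match(line)
        if m:
            current = m.group(1)
            params[current] = m.group(2).rstrip()
    return params


def check_params(params: dict) -> list:
    """Report the symptoms visible in the question's log line."""
    findings = []
    for name, value in params.items():
        if value != printable(value):
            findings.append(f"{name}: value contains non-printable bytes "
                            "(Postfix logs them as '?'); check the file's line endings")
        # An assignment inside a value means two records were glued together.
        if re.search(r"\s[A-Za-z0-9_]+\s*=", " " + value):
            findings.append(f"{name}: value contains another assignment; "
                            "records were probably joined by a non-LF separator")
        if name in BOOLEAN_PARAMS and value.lower() not in ("yes", "no"):
            findings.append(f"bad boolean configuration: {name} = {printable(value)}")
    return findings


def normalize_line_endings(text: str) -> str:
    """Remediation: turn CRLF and bare CR into LF so every setting is its own record."""
    return text.replace("\r\n", "\n").replace("\r", "\n")


# Constructed main.cf fragment: the second and third records end in a bare CR
# instead of LF, which mirrors what the question's log line shows.
SAMPLE_MAIN_CF = (
    "smtpd_sasl_auth_enable = yes\n"
    "smtpd_sasl_authenticated_header = yes\r"
    "smtpd_tls_cert_file=/etc/ssl/certs/mail_centralcloudmanager_com.crt\r"
    "smtpd_tls_key_file=/etc/ssl/private/mail.centralcloudmanager.com.key\n"
    "smtpd_tls_security_level = may\n"
)

if __name__ == "__main__":
    for finding in check_params(parse_main_cf(SAMPLE_MAIN_CF)):
        print(finding)
    fixed = parse_main_cf(normalize_line_endings(SAMPLE_MAIN_CF))
    print("after normalizing line endings:", sorted(fixed))
```

On a real server, `postconf -n` prints every non-default parameter as Postfix actually parsed it, so a value that carries the next setting's name shows up there, and `cat -A /etc/postfix/main.cf` makes stray CR bytes visible as `^M`.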

I think this is because you are using a cert key with a password, so you can remove it like this:

    openssl rsa -in myCertKey.key -out myCertKey.key.nopass