Exim TLS and secure SMTP

I'm converting an existing mail server to support encrypted SMTP for our clients, but I've run into a brick wall, with very little useful log data to help me along. When using plain, unencrypted SMTP everything works fine; it only goes pear-shaped when trying to use encrypted SMTP.

My Exim configuration file contains the following:

    # Allow any client to use TLS
    tls_advertise_hosts = *

    # Specify the location of the Exim server's TLS certificate and private key.
    tls_certificate = /etc/exim/exim.crt
    tls_privatekey = /etc/exim/exim.key

Initially Exim seems to work as expected, and I'm able to connect to the mail server securely and authenticate, but after entering the recipient part of the SMTP session the connection gets dropped. This problem does not occur when using an unencrypted connection.

To test secure SMTP I'm using the following command:

    openssl s_client -starttls smtp -crlf -connect localhost:25

This is the output I get:

    CONNECTED(00000003)
    depth=0 C = ZA, etc, etc
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 C = ZA, etc, etc
    verify return:1
    ---
    Certificate chain
     0 s:/C=ZA/etc,etc
       i:/C=ZA/etc,etc
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXX==
    -----END CERTIFICATE-----
    subject=/C=ZA/etc,etc
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1275 bytes and written 444 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES256-SHA
    Server public key is 1024 bit
    Secure Renegotiation IS supported
    Compression: zlib compression
    Expansion: zlib compression
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : AES256-SHA
        Session-ID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
        Session-ID-ctx:
        Master-Key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        TLS session ticket:
        0000 - d0 cd ff b6 0c a2 fb 6c-f6 69 dc 0b a7 aa f3 1a   .......li.....
        0010 - 10 76 75 05 15 d8 8c 21-cb eb b8 ae ec 34 7d b3   .vu....!.....4}.
        0020 - 7a bf f0 d6 7d df 26 27-41 1e d1 2a 35 bf 2f 0c   z...}.&'A..*5./.
        0030 - 25 6a 32 15 6e 53 d2 30-31 1b d9 60 e6 11 20 73   %j2.nS.01..`.. s
        0040 - 57 e3 76 96 e7 7e dc da-98 f2 cc a7 e5 58 62 b2   Wv.~.......Xb.
        0050 - ec db 58 91 16 14 18 ff-15 64 d6 66 1f 75 92 96   ..X......dfu.
        0060 - 65 43 f8 2c 4a 42 81 41-0c 2f 46 84 38 0c c5 e0   eC.,JB.A./F.8...
        0070 - 8d 7b d7 7e 12 0e 28 ca-f0 f9 b5 d0 b2 a6 ab 66   .{.~..(........f
        0080 - f8 c5 33 e3 cb 16 f5 76-8f e7 49 0c 49 69 31 43   ..3....v..I.Ii1C
        0090 - 05 25 dc 75 3a 07 13 91-63 ff 13 fd b0 2c 9f 8b   .%.u:...c....,..

        Compression: 1 (zlib compression)
        Start Time: 1315250595
        Timeout   : 300 (sec)
        Verify return code: 18 (self signed certificate)
    ---
    250 HELP
    HELO localhost
    250 OK
    MAIL FROM:[email protected]
    250 OK
    RCPT TO:[email protected]
    RENEGOTIATING
    depth=0 C = ZA, etc, etc
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 C = ZA, etc, etc
    verify return:1
    421 lost input connection
    read:errno=0

I've replaced the e-mail addresses and the organisation tree in the output above with junk data, as they're irrelevant, since I don't have this same problem when using plain SMTP. The transaction above happens whether I try to connect from localhost or from an external source. I should also note that I'm using a self-signed certificate generated with OpenSSL. Also, in the example above there is no authentication data, because I was running the test from localhost, which is allowed to send all mail without authentication.

As you can see in the output above, Exim seems to break during/after the string "RENEGOTIATING" is emitted.

Since the output I get during the SMTP session isn't much help, I also tried running Exim in debug+all mode. For brevity I won't post the full SMTP transaction, since the whole session is perfectly normal until I specify the recipient address. Here is the exact snippet of Exim debug data I get after entering the recipient address and pressing Enter:

    21:42:10 7425 SSL info: before accept initialization
    21:42:10 7425 SSL info: before accept initialization
    21:42:10 7425 SSL info: SSLv3 read client hello A
    21:42:10 7425 SSL info: SSLv3 write server hello A
    21:42:10 7425 SSL info: SSLv3 write certificate A
    21:42:10 7425 SSL info: SSLv3 write server done A
    21:42:10 7425 SSL info: SSLv3 flush data
    21:42:10 7425 SSL info: SSLv3 read client key exchange A
    21:42:10 7425 SSL info: SSLv3 read finished A
    21:42:10 7425 SSL info: SSLv3 write session ticket A
    21:42:10 7425 SSL info: SSLv3 write change cipher spec A
    21:42:10 7425 SSL info: SSLv3 write finished A
    21:42:10 7425 SSL info: SSLv3 flush data
    21:42:10 7425 SSL info: SSL negotiation finished successfully
    21:42:10 7425 SSL info: SSL negotiation finished successfully
    21:42:10 7425 Got SSL error 2
    21:42:10 7425 SMTP>> 421 lost input connection
    21:42:10 7425 tls_do_write(1db4020, 48)
    21:42:10 7425 SSL_write(SSL, 1db4020, 48)
    21:42:10 7425 outbytes=48 error=0
    21:42:10 7425 LOG: lost_incoming_connection MAIN
    21:42:10 7425   unexpected disconnection while reading SMTP command from (localhost) [127.0.0.1]
    21:42:10 7425 search_tidyup called
    21:42:10 7194 child 7425 ended: status=0x100
    21:42:10 7194 0 SMTP accept processes now running
    21:42:10 7194 Listening...

I found this within 30 seconds of googling "openssl s_client RENEGOTIATING": s_client's R "feature"

In short – pressing "R" in an s_client session makes openssl renegotiate. Try typing "rcpt to:" instead of "RCPT TO".

You could also try a tool better suited to SMTP-specific testing, such as Tony Finch's smtpc or swaks.

To require encryption for authentication in Exim, I set this in /etc/exim/exim.conf:

    auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}

I also force TLS 1.2:

    openssl_options = +no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1

Between two identical Exim servers I noticed one using AES-GCM and the other ChaCha20-Poly1305 for encryption, and didn't know why. The cipher suite used depends on whether the host has AES hardware acceleration in its CPU.
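An added, in-process check of what the two answers describe, written for this page rather than taken from the thread or from Exim: a toy ESMTP server that advertises AUTH only after STARTTLS (the policy behind the auth_advertise_hosts expansion) and refuses anything below TLS 1.2 (the openssl_options line), plus an smtplib client that trusts the self-signed certificate explicitly instead of living with verify error 18 and then sends an upper-case RCPT TO over TLS, which is harmless because only s_client treats a line starting with R as its renegotiate command. The host names toy.example and probe.example and the example.com addresses are made up, and the only external dependency assumed is the openssl CLI, used to mint a throwaway certificate the way the asker did.

```python
"""In-process STARTTLS walk-through: toy ESMTP server plus smtplib client.
Added example, not code from the thread or from Exim. The only assumption is an
`openssl` CLI on PATH, used solely to mint a throwaway self-signed certificate."""
import os
import shutil
import smtplib
import socket
import ssl
import subprocess
import tempfile
import threading

def openssl_available():  # the demo needs the CLI only for certificate generation
    return shutil.which("openssl") is not None

def make_selfsigned(tmpdir):
    """Mint a one-day self-signed cert/key; file names mirror the asker's config."""
    crt, key = os.path.join(tmpdir, "exim.crt"), os.path.join(tmpdir, "exim.key")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost,IP:127.0.0.1",
         "-keyout", key, "-out", crt], check=True, capture_output=True)
    return crt, key

def serve_one(listener, server_ctx, log):
    """Serve one session; as with auth_advertise_hosts above, AUTH appears only once TLS is on."""
    conn, _ = listener.accept()
    tls = False

    def reply(code, *lines):  # RFC 5321 multi-line reply: "250-..." lines, then "250 ..."
        text = "".join(f"{code}-{l}\r\n" for l in lines[:-1]) + f"{code} {lines[-1]}\r\n"
        conn.sendall(text.encode("ascii"))

    try:
        conn.sendall(b"220 toy.example ESMTP\r\n")
        rd = conn.makefile("rb", buffering=0)  # unbuffered: never read past the STARTTLS line
        while True:
            raw = rd.readline()
            if not raw:
                break
            verb = raw.decode("ascii", "replace").split(" ", 1)[0].strip().upper()
            if verb == "EHLO":
                reply(250, "toy.example", "AUTH PLAIN LOGIN" if tls else "STARTTLS")
            elif verb == "STARTTLS" and not tls:
                reply(220, "Go ahead")
                conn = server_ctx.wrap_socket(conn, server_side=True)  # TLS handshake happens here
                rd = conn.makefile("rb", buffering=0)  # old reader is bound to the detached plain socket
                tls = True
            elif verb in ("MAIL", "RCPT"):
                log.append((verb, tls))  # record whether the envelope arrived over TLS
                reply(250, "OK")
            elif verb == "QUIT":
                reply(221, "Bye")
                break
            else:
                reply(500, "Unrecognised command")
    except Exception as exc:  # surface server-side failures to the caller instead of hanging
        log.append(("ERROR", repr(exc)))
    finally:
        conn.close()

def probe(port, cafile):
    """Client: pin the self-signed cert as trust anchor, compare EHLO before/after STARTTLS."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED plus hostname check
    with smtplib.SMTP("127.0.0.1", port, local_hostname="probe.example", timeout=10) as smtp:
        smtp.ehlo()
        auth_before = smtp.has_extn("auth")
        smtp.starttls(context=ctx)
        smtp.ehlo()  # RFC 3207: the server discards earlier state, so ask for extensions again
        auth_after = smtp.has_extn("auth")
        version, cipher = smtp.sock.version(), smtp.sock.cipher()[0]
        smtp.mail("sender@example.com")
        # Upper-case "RCPT TO" is harmless here; only s_client reads a leading 'R' as "renegotiate"
        rcpt_code, _ = smtp.rcpt("rcpt@example.com")
    return {"auth_before_tls": auth_before, "auth_after_tls": auth_after,
            "tls_version": version, "cipher": cipher, "rcpt_code": rcpt_code}

def run_demo():
    """Start the toy server on an ephemeral port, drive one session, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        crt, key = make_selfsigned(tmp)
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # same effect as the openssl_options line
        server_ctx.load_cert_chain(crt, key)
        listener = socket.create_server(("127.0.0.1", 0))
        log = []
        worker = threading.Thread(target=serve_one, args=(listener, server_ctx, log), daemon=True)
        worker.start()
        result = probe(listener.getsockname()[1], cafile=crt)
        worker.join(timeout=10)
        listener.close()
    result["rcpt_over_tls"] = ("RCPT", True) in log
    result["server_errors"] = [entry for entry in log if entry[0] == "ERROR"]
    return result
```

Calling run_demo() returns a dict: auth_before_tls is False and auth_after_tls is True, tls_version is TLSv1.2 or TLSv1.3, rcpt_over_tls is True, and cipher shows which suite this host negotiated, which is the value that differed between the two otherwise identical servers in the last answer.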