Postfix TLS connection not verified

Hi!

I'm in the process of setting up postfix.

What I want to achieve is trusted TLS connections between all internal parties. We have deployed a PKI infrastructure with a Windows Server 2012 R2 CA for all internal certificates.

We use these postfix machines as internet relays; all Exchange servers send their outbound email through them.

Our Exchange Server 2013 has a certificate issued by the internal CA. The CA root certificate has been rolled out to the postfix machines. The postfix machines themselves have a certificate issued by Comodo.

I can verify both Exchange and Postfix with openssl:

    openssl s_client -starttls smtp -connect XXXXXX:25 -CAfile /etc/ssl/certs/ca-certificates.crt

The result for Exchange is:

    -----END CERTIFICATE-----
    subject=/C=DE/ST=NRW/L=XXX/O=XXX/OU=IT/CN=exdb04.XXX
    issuer=/DC=XXX/DC=XXX/CN=XXX-AD05-CA
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1955 bytes and written 553 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES128-SHA
    Server public key is 1024 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : AES128-SHA
        Session-ID: E5180000ABE0F0824C152D04DF7CA7FB63835B573B06E9EBCA58D714852664E5
        Session-ID-ctx:
        Master-Key: B0E445A6DEF7E225CCC602EDC8FE21A023EC683EEC1BEF3DC57EE2914D47A19B2E0ADAD5D4794900AE21B4D401FD66B9
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1393236731
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    250 XSHADOWREQUEST

And for postfix:

    ---
    SSL handshake has read 24140 bytes and written 534 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: zlib compression
    Expansion: zlib compression
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-GCM-SHA384
        Session-ID: 2D9409D1C4B2E391B0C64007F93B54C4938120B167782025D4809FC1C8143D6E
        Session-ID-ctx:
        Master-Key: 61A5DF94DAF7047B9B4FD9A9DB9E5F9F23518FA7DF78A7989720B138F663292054CAA63648A31A93BCBBA5DDBDB2008A
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 3600 (seconds)
        TLS session ticket:
        0000 - fb 0f bc 6b 17 f4 bc fb-61 20 dc 3d e1 b1 93 15   ...k....a .=....
        0010 - 83 61 93 3e 4f c7 1c b7-3b 0c 4e 4b da 23 08 8e   .a.>O...;.NK.#..
        0020 - 4b 3c 19 2c c0 0d 6a 1d-69 2c d3 7c d9 20 8b 2b   K<.,..ji,.|. .+
        0030 - 17 65 d2 d1 25 7d 26 7e-7b bd 76 f2 2a ae 3c 21   .e..%}&~{.v.*.<!
        0040 - 33 4f c3 55 7e 6a fe 55-78 b9 fd 4e c1 f7 9b e2   3O.U~j.Ux..N....
        0050 - e3 2f 78 2c 06 21 bb 0b-20 e2 93 6b dd 06 2f e6   ./x,.!.. ..k../.
        0060 - 10 30 84 d2 02 c2 5a 36-4b f3 50 18 7f 28 62 ab   .0....Z6K.P..(b.
        0070 - cc 15 4c cc bc 64 a5 a5-2c 26 d1 95 3f 77 2c ee   ..L..d..,&..?w,.
        0080 - 36 4b a6 91 b0 05 68 28-8a 34 3c 27 04 7d 66 48   6K....h(.4<'.}fH
        0090 - d5 19 2e c8 bb e2 c3 96-06 de 3d b1 6d 0b 79 58   ..........=.m.yX
        00a0 - 37 89 4e 2d 95 44 24 39-39 00 8e f4 6c 1c 54 6a   7.N-.D$99...l.Tj

        Compression: 1 (zlib compression)
        Start Time: 1393236872
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    250 DSN

That looks fine up to this point, but when sending an email from Exchange to the outside, I see these messages in the log:

    Feb 24 11:05:54 mailout03 postfix/smtpd[5006]: connect from exdb04.XXXX[10.20.3.10]
    Feb 24 11:05:54 mailout03 postfix/smtpd[5006]: Untrusted TLS connection established from exdb04.XXXXXX[10.20.3.10]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
    Feb 24 11:05:54 mailout03 postfix/smtpd[5006]: 4DD8613D8049: client=exdb04.XXXXXX[10.20.3.10]
    Feb 24 11:05:54 mailout03 postfix/cleanup[5010]: 4DD8613D8049: message-id=<[email protected]>
    Feb 24 11:05:54 mailout03 postfix/qmgr[4985]: 4DD8613D8049: from=<[email protected]>, size=2154, nrcpt=1 (queue active)
    Feb 24 11:05:54 mailout03 postfix/smtpd[5006]: disconnect from exdb04.XXXXXX[10.20.3.10]
    Feb 24 11:05:54 mailout03 postfix/smtp[5011]: connect to gmail-smtp-in.l.google.com[2a00:1450:4001:c02::1b]:25: Network is unreachable
    Feb 24 11:05:54 mailout03 postfix/smtp[5011]: Trusted TLS connection established to gmail-smtp-in.l.google.com[173.194.70.26]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
    Feb 24 11:05:55 mailout03 postfix/smtp[5011]: 4DD8613D8049: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[173.194.70.26]:25, delay=1.4, delays=0.03/0/0.29/1.1, dsn=2.0.0, status=sent (250 2.0.0 OK 1393236355 gm5si14761594wjc.6 - gsmtp)
    Feb 24 11:05:55 mailout03 postfix/qmgr[4985]: 4DD8613D8049: removed

Note this part: Untrusted TLS connection established from exdb04.XXXXXX[10.20.3.10]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)

Why is this connection untrusted, while the connection to Google is trusted and verified?

What am I missing?

Thanks, Tobias

This is the postfix config:

    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    myhostname = mailout03.XXXXXX.de
    myorigin = /etc/mailname
    smtpd_banner = $myhostname ESMTP ready
    biff = no
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    # Uncomment the next line to generate "delayed mail" warnings
    delay_warning_time = 2h
    # basic configuration
    readme_directory = no
    mydestination = mailout03.XXXX.de
    mynetworks = 127.0.0.0/8 127.0.0.2/32 [::1]/128 10.20.3.0/24
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    inet_protocols = all
    # message routing configuration
    sender_bcc_maps = hash:${config_directory}/sender_bcc
    sender_dependent_relayhost_maps = hash:${config_directory}/sender_relay
    alias_maps = hash:/etc/aliases
    relayhost =
    # message limit configuration
    message_size_limit = 157286400
    # queue configuration
    queue_run_delay = 30s
    # TLS server configuration
    smtpd_tls_cert_file = ${config_directory}/certs/mailout03_XXXXX_de.pem
    smtpd_tls_key_file = ${config_directory}/certs/mailout03_XXXXX_de.key
    smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
    #smtpd_tls_CApath = /etc/ssl/certs
    smtpd_tls_security_level = may
    smtpd_starttls_timeout = 60s
    smtpd_tls_protocols = !SSLv2
    smtpd_tls_ask_ccert = yes
    smtpd_tls_ccert_verifydepth = 9
    # TLS logging configuration
    smtpd_tls_received_header = yes
    smtpd_tls_loglevel = 1
    # TLS session cache
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtpd_tls_session_cache_timeout = 3600s
    # Perfect Forward Secrecy configuration
    smtpd_tls_eecdh_grade = ultra
    tls_preempt_cipherlist = yes
    smtpd_tls_dh1024_param_file = ${config_directory}/certs/dh2048.pem
    smtpd_tls_dh512_param_file = ${config_directory}/certs/dh512.pem
    # TLS client configuration
    smtp_tls_loglevel = 1
    smtp_tls_security_level = may
    smtp_tls_scert_verifydepth = 9
    smtp_tls_note_starttls_offer = yes
    smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
    #smtp_tls_CApath = /etc/ssl/certs

So, the first thing I notice in your log file is that the connection from exdb04 is incoming, and the connection to gmail is outgoing. Have you configured Exchange to use a client certificate on its outbound connections?

If, as you say, only outgoing mail passes through these postfix machines, then your only incoming connections should come from your Exchange servers, so I would also suggest some stricter configuration settings:

    smtpd_tls_req_ccert = yes
    smtpd_tls_security_level = encrypt

But to get to the bottom of your problem, I would raise the logging level of smtpd_tls_loglevel to 2.

Keep in mind that with the s_client test you only test one direction. For example, which certificate does the Exchange server present to your postfix server? Are you sure it is the same one configured on its own server port?

What does the log file say when you do the s_client test against your postfix server – trusted or untrusted? And what if you specify a certificate with -cert?

I believe the Exchange server does not present a client certificate.

Good luck
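The answer's distinction between the inbound smtpd line and the outbound smtp line can be checked mechanically over a mail log. The following Python script is an added example, not code from the question or the answer: it parses Postfix TLS summary lines and flags inbound sessions from mynetworks whose client certificate was not Trusted. The sample log lines are constructed from the question's excerpt, and the mynetworks value is taken from the posted main.cf.

```python
import ipaddress
import re

# Constructed sample modelled on the log excerpt in the question (same hosts and IPs).
SAMPLE_LOG = """\
Feb 24 11:05:54 mailout03 postfix/smtpd[5006]: connect from exdb04.XXXXXX[10.20.3.10]
Feb 24 11:05:54 mailout03 postfix/smtpd[5006]: Untrusted TLS connection established from exdb04.XXXXXX[10.20.3.10]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Feb 24 11:05:54 mailout03 postfix/smtp[5011]: Trusted TLS connection established to gmail-smtp-in.l.google.com[173.194.70.26]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Feb 24 11:05:55 mailout03 postfix/smtpd[5006]: disconnect from exdb04.XXXXXX[10.20.3.10]
"""

# Postfix TLS summary line: "<level> TLS connection established from|to host[ip](:port): proto with cipher ...".
# smtpd (inbound) logs Anonymous when the client sent no certificate, Untrusted when it sent one
# that does not chain to a CA in smtpd_tls_CAfile/CApath, and Trusted when the chain verified.
# The smtp client (outbound) judges the server certificate the same way and adds Verified when
# the server name also matched (security level verify/secure).
TLS_LINE = re.compile(
    r"postfix/(?P<daemon>smtpd?)\[\d+\]: "
    r"(?P<level>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?P<direction>from|to) (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\](?::\d+)?: "
    r"(?P<protocol>\S+) with cipher (?P<cipher>\S+)"
)


def parse_tls_summaries(log_text):
    """Return one dict per TLS summary line; connect/disconnect and queue lines are ignored."""
    matches = (TLS_LINE.search(line) for line in log_text.splitlines())
    return [m.groupdict() for m in matches if m]


def internal_inbound_not_trusted(log_text, mynetworks):
    """Inbound (smtpd) sessions from mynetworks whose client certificate did not verify.

    Returns (host, ip, level) tuples; an empty list means every internal sender was Trusted.
    """
    nets = [ipaddress.ip_network(n) for n in mynetworks]
    findings = []
    for s in parse_tls_summaries(log_text):
        if s["daemon"] != "smtpd":  # only the server side evaluates client certificates
            continue
        ip = ipaddress.ip_address(s["ip"])
        if any(ip in net for net in nets) and s["level"] != "Trusted":
            findings.append((s["host"], s["ip"], s["level"]))
    return findings


if __name__ == "__main__":
    # mynetworks taken from the main.cf in the question (IPv4 entries only)
    for host, ip, level in internal_inbound_not_trusted(SAMPLE_LOG, ["127.0.0.0/8", "10.20.3.0/24"]):
        print(f"{host}[{ip}]: {level} client certificate; check the CA chain in smtpd_tls_CAfile")
```

Run against a real /var/log/mail.log the same function lists every internal sender whose certificate did not chain to the configured CA, which separates a missing client certificate (Anonymous) from a presented but unverifiable one (Untrusted).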