Postfix “Trusted TLS connection established” but “Server certificate not verified”

I am using a Postfix TLS policy to enforce TLS for outgoing email. Unfortunately, in some cases certificate verification fails and I don't know why.

For example, here is an excerpt from my TLS policy:

    #/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
    facebook.com secure ciphers=high
    hearst.com secure match=gslb.pphosted.com ciphers=high
    fastmail.fm secure ciphers=high

All three of these providers use the same root CA. I can send email to facebook.com without any problem. In the case of hearst.com I had to specify a CN match, because the certificate doesn't have a proper SAN field. What I don't understand is why I also have to add a matching CN for fastmail.fm. Otherwise certificate verification fails. The certificate is trusted, the target server name is smtp.messagingengine.com, and the certificate has a SAN field that matches it (*.messagingengine.com):

    Feb 25 21:57:22 mail postfix/smtp[25291]: Trusted TLS connection established to in1-smtp.messagingengine.com[66.111.4.74]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
    Feb 25 21:57:22 mail postfix/smtp[25291]: D33A02504112: to=<[email protected]>, relay=in1-smtp.messagingengine.com[66.111.4.74]:25, delay=8.4, delays=0.02/0/8.4/0, dsn=4.7.5, status=deferred (Server certificate not verified)

Does anyone know why the certificate is not accepted? Is there any way to enforce a “secure” TLS policy without having to specify match rules?

Version details

    root@mail:/etc/postfix# uname -a
    Linux mail.EXAMPLE.com 3.13.0-65-generic #106-Ubuntu SMP Fri Oct 2 22:08:27 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
    root@mail:/etc/postfix# postconf -d | grep mail_version
    mail_version = 2.11.0
    milter_macro_v = $mail_name $mail_version

Extended log

    Feb 25 21:57:22 mail postfix/smtp[25291]: setting up TLS connection to in1-smtp.messagingengine.com[66.111.4.74]:25
    Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25: TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH:!MD5:!DES:!ADH:!RC4:!PSD:!SRP:!3DES:!eNULL:!aNULL"
    Feb 25 21:57:22 mail postfix/smtp[25291]: looking for session smtp&fastmail.fm&in1-smtp.messagingengine.com&66.111.4.74&&FC83E1ADCEDFC581CE5F87CAF6E49FEFFF83CD0F9EBC0B57C4A19ED3DC3416EC in smtp cache
    Feb 25 21:57:22 mail postfix/tlsmgr[25292]: lookup smtp session id=smtp&fastmail.fm&in1-smtp.messagingengine.com&66.111.4.74&&FC83E1ADCEDFC581CE5F87CAF6E49FEFFF83CD0F9EBC0B57C4A19ED3DC3416EC
    Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:before/connect initialization
    Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:unknown state
    Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:SSLv3 read server hello A
    Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25: depth=2 verify=1 subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
    Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25: depth=1 verify=1 subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
    Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25: depth=0 verify=1 subject=/C=AU/ST=Victoria/L=Melbourne/O=FastMail Pty Ltd/CN=*.messagingengine.com
    Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:SSLv3 read server certificate A
    Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:SSLv3 read server key exchange A
    Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:SSLv3 read server done A
    Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:SSLv3 write client key exchange A
    Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:SSLv3 write change cipher spec A
    Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:SSLv3 write finished A
    Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:SSLv3 flush data
    Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:SSLv3 read server session ticket A
    Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:SSLv3 read finished A
    Feb 25 21:57:22 mail postfix/smtp[25291]: save session smtp&fastmail.fm&in1-smtp.messagingengine.com&66.111.4.74&&FC83E1ADCEDFC581CE5F87CAF6E49FEFFF83CD0F9EBC0B57C4A19ED3DC3416EC to smtp cache
    Feb 25 21:57:22 mail postfix/tlsmgr[25292]: put smtp session id=smtp&fastmail.fm&in1-smtp.messagingengine.com&66.111.4.74&&FC83E1ADCEDFC581CE5F87CAF6E49FEFFF83CD0F9EBC0B57C4A19ED3DC3416EC [data 1788 bytes]
    Feb 25 21:57:22 mail postfix/tlsmgr[25292]: write smtp TLS cache entry smtp&fastmail.fm&in1-smtp.messagingengine.com&66.111.4.74&&FC83E1ADCEDFC581CE5F87CAF6E49FEFFF83CD0F9EBC0B57C4A19ED3DC3416EC: time=1456433842 [data 1788 bytes]
    Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25: subjectAltName: *.messagingengine.com
    Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25: subjectAltName: messagingengine.com
    Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25: subjectAltName: mail.messagingengine.com
    Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25: subjectAltName: dav.messagingengine.com
    Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25: subjectAltName: caldav.messagingengine.com
    Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25: subjectAltName: carddav.messagingengine.com
    Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25 CommonName *.messagingengine.com
    Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25: subject_CN=*.messagingengine.com, issuer_CN=DigiCert SHA2 High Assurance Server CA, fingerprint=D8:F5:7E:43:A8:DA:29:22:6B:7E:90:A6:31:86:C8:CD, pkey_fingerprint=49:07:46:E5:F1:35:C2:96:75:09:67:BE:D9:FE:DB:46
    Feb 25 21:57:22 mail postfix/smtp[25291]: Trusted TLS connection established to in1-smtp.messagingengine.com[66.111.4.74]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
    Feb 25 21:57:22 mail postfix/smtp[25291]: D33A02504112: to=<[email protected]>, relay=in1-smtp.messagingengine.com[66.111.4.74]:25, delay=8.4, delays=0.02/0/8.4/0, dsn=4.7.5, status=deferred (Server certificate not verified)

main.cf

    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    smtpd_banner = mail.EXAMPLE.com ESMTP $mail_name (nou)
    biff = no
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    readme_directory = no
    # TLS parameters
    smtpd_tls_cert_file = /etc/ssl/certs/EXAMPLE.com.crt
    smtpd_tls_key_file = /etc/ssl/private/EXAMPLE.com.key
    smtpd_use_tls = yes
    smtpd_tls_auth_only = yes
    smtpd_tls_security_level = may
    smtpd_tls_mandatory_ciphers = high
    smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL
    smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL
    smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL
    smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtp_tls_protocols = !SSLv2, !SSLv3
    smtpd_tls_protocols = !SSLv2, !SSLv3
    smtpd_starttls_timeout = 300s
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
    smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
    smtpd_tls_eecdh_grade = strong
    tls_preempt_cipherlist = yes
    #smtp_tls_note_starttls_offer = yes
    #smtp_tls_per_site = may
    # Logging
    smtp_tls_loglevel = 2
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
    myhostname = mail.EXAMPLE.com
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    mydestination = mail.EXAMPLE.com, localhost.contabo.host, localhost
    relayhost =
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    inet_protocols = all
    # Handing off local delivery to Dovecot's LMTP
    virtual_transport = lmtp:unix:private/dovecot-lmtp
    #Enabling SMTP for authenticated users, and handing off authentication to Dovecot
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    smtpd_sasl_auth_enable = yes
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    smtp_tls_security_level = may
    # Force TLS for outgoing server connection
    smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
    smtp_tls_CApath = /etc/postfix/rootcas/
    #Virtual domains, users, and aliases
    virtual_mailbox_domains = /etc/postfix/virtual_mailbox_domains
    virtual_mailbox_base = /var/mail/vhosts
    virtual_mailbox_maps = hash:/etc/postfix/vmaps
    virtual_uid_maps = static:1001
    virtual_gid_maps = static:1001
    virtual_alias_maps = hash:/etc/postfix/valias
    # DKIM
    milter_default_action = accept
    milter_protocol = 2
    smtpd_milters = inet:localhost:8891
    non_smtpd_milters = inet:localhost:8891
    content_filter = smtp-amavis:[127.0.0.1]:10024
    message_size_limit = 0

master.cf

    smtp      inet  n       -       -       -       -       smtpd
    submission inet n       -       -       -       -       smtpd
      -o smtpd_tls_security_level=may
    pickup    unix  n       -       -       60      1       pickup
      -o content_filter=
      -o receive_override_options=no_header_body_checks
    cleanup   unix  n       -       -       -       0       cleanup
    qmgr      unix  n       -       n       300     1       qmgr
    #qmgr     unix  n       -       n       300     1       oqmgr
    tlsmgr    unix  -       -       -       1000?   1       tlsmgr
    rewrite   unix  -       -       -       -       -       trivial-rewrite
    bounce    unix  -       -       -       -       0       bounce
    defer     unix  -       -       -       -       0       bounce
    trace     unix  -       -       -       -       0       bounce
    verify    unix  -       -       -       -       1       verify
    flush     unix  n       -       -       1000?   0       flush
    proxymap  unix  -       -       n       -       -       proxymap
    proxywrite unix -       -       n       -       1       proxymap
    smtp      unix  -       -       -       -       -       smtp
    relay     unix  -       -       -       -       -       smtp
    #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
    showq     unix  n       -       -       -       -       showq
    error     unix  -       -       -       -       -       error
    retry     unix  -       -       -       -       -       error
    discard   unix  -       -       -       -       -       discard
    local     unix  -       n       n       -       -       local
    virtual   unix  -       n       n       -       -       virtual
    lmtp      unix  -       -       -       -       -       lmtp
    anvil     unix  -       -       -       -       1       anvil
    scache    unix  -       -       -       -       1       scache
    maildrop  unix  -       n       n       -       -       pipe
    uucp      unix  -       n       n       -       -       pipe
      flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
    ifmail    unix  -       n       n       -       -       pipe
      flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
    bsmtp     unix  -       n       n       -       -       pipe
      flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
    scalemail-backend unix - n     n       -       2       pipe
      flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
    mailman   unix  -       n       n       -       -       pipe
      flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
    smtp-amavis unix -      -       -       -       2       smtp
      -o smtp_data_done_timeout=1200
      -o smtp_send_xforward_command=yes
      -o disable_dns_lookups=yes
      -o max_use=20
    127.0.0.1:10025 inet n  -       -       -       -       smtpd
      -o content_filter=
      -o local_recipient_maps=
      -o relay_recipient_maps=
      -o smtpd_restriction_classes=
      -o smtpd_delay_reject=no
      -o smtpd_client_restrictions=permit_mynetworks,reject
      -o smtpd_helo_restrictions=
      -o smtpd_sender_restrictions=
      -o smtpd_recipient_restrictions=permit_mynetworks,reject
      -o smtpd_data_restrictions=reject_unauth_pipelining
      -o smtpd_end_of_data_restrictions=
      -o mynetworks=127.0.0.0/8
      -o smtpd_error_sleep_time=0
      -o smtpd_soft_error_limit=1001
      -o smtpd_hard_error_limit=1000
      -o smtpd_client_connection_count_limit=0
      -o smtpd_client_connection_rate_limit=0
      -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

At the secure level, you are asking Postfix to verify the relationship between the recipient and the server, but in a secure way (without relying on DNS data).

It correctly establishes a trusted TLS connection (the certificate is signed by a CA you know/trust).

Then it tries to securely verify the server/recipient: does any CN / SAN match fastmail.fm? They don't. So the message is deferred into the local queue.

The certificate for messagingengine.com/gslb.pphosted.com doesn't vouch for the other domains they accept mail for. facebook.com verifies itself.

You have modified secure by adding a match against the MX – which is actually verify. So you can drop down to verify, or just keep adding matches.

smtp_tls_security_level

  • may: TLS? Fine. No TLS? Fine.
  • encrypt: accepts any (even invalid) server certificate; requires encryption.
  • verify: accepts a trusted server certificate (do I trust the CA? does the CN match the MX?); requires encryption.
  • secure: only accepts a trusted certificate if the CN / SAN matches the recipient domain, and ignores insecure (MX) information for verification.

The Postfix documentation is a bit unclear in explaining the differences.
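To make the verify/secure distinction from the answer concrete, here is an added simulation of the name check Postfix performs for those two levels. It is example code written for this page, not Postfix source. It assumes the documented default match lists (verify: `hostname`; secure: `nexthop, dot-nexthop`), that DNS SANs take precedence over the CN, and that a wildcard label matches exactly one label; the fastmail certificate names are taken from the question's log, while the hearst certificate and its MX host name are constructed placeholders. The `fastmail_secure_with_match` case uses a hypothetical `match=.messagingengine.com` policy entry.

```python
"""Simulate the server-name check Postfix applies at smtp_tls_security_level
verify or secure. Added example, not Postfix code; see the lead-in for the
assumptions about default match lists and wildcard handling."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Default match lists per level (assumed from the Postfix documentation).
DEFAULT_MATCH = {
    "verify": ["hostname"],                # MX host name, i.e. DNS-derived
    "secure": ["nexthop", "dot-nexthop"],  # recipient/next-hop domain, DNS not trusted
}


@dataclass
class ServerCert:
    subject_cn: str
    san_dns: List[str] = field(default_factory=list)

    def names(self) -> List[str]:
        # The CN is only consulted when the certificate carries no DNS SANs.
        return self.san_dns if self.san_dns else [self.subject_cn]


def _host_match(cert_name: str, wanted: str) -> bool:
    """Literal host name match; a leading '*' in the cert name covers exactly one label."""
    cert_name, wanted = cert_name.lower().rstrip("."), wanted.lower().rstrip(".")
    if cert_name.startswith("*."):
        suffix = cert_name[1:]  # e.g. ".messagingengine.com"
        if not wanted.endswith(suffix):
            return False
        leftmost = wanted[: -len(suffix)]
        return bool(leftmost) and "." not in leftmost
    return cert_name == wanted


def name_matches(cert_name: str, expectation: str) -> bool:
    """expectation is a host name, or '.domain' meaning any sub-domain of domain."""
    if expectation.startswith("."):
        parent, cn = expectation.lower(), cert_name.lower()
        # Both 'mail.messagingengine.com' and '*.messagingengine.com' are sub-domains.
        return cn.endswith(parent) and len(cn) > len(parent)
    return _host_match(cert_name, expectation)


def expand_match_list(match_list: List[str], nexthop: str, hostname: str) -> List[str]:
    """Turn match keywords (or literal match= names from the policy table) into names."""
    expanded = []
    for item in match_list:
        if item == "nexthop":
            expanded.append(nexthop)
        elif item == "dot-nexthop":
            expanded.append("." + nexthop)
        elif item == "hostname":
            expanded.append(hostname)
        else:
            expanded.append(item)  # literal name from a 'match=' attribute
    return expanded


def certificate_verified(level: str, cert: ServerCert, nexthop: str, hostname: str,
                         policy_match: Optional[List[str]] = None) -> Tuple[bool, List[str]]:
    """Return (name check passed, names that would be accepted). may/encrypt skip it."""
    if level in ("may", "encrypt"):
        return True, []
    expected = expand_match_list(policy_match or DEFAULT_MATCH[level], nexthop, hostname)
    ok = any(name_matches(n, e) for n in cert.names() for e in expected)
    return ok, expected


# Constructed from the subjectAltName entries in the question's log.
FASTMAIL_CERT = ServerCert(
    subject_cn="*.messagingengine.com",
    san_dns=["*.messagingengine.com", "messagingengine.com", "mail.messagingengine.com",
             "dav.messagingengine.com", "caldav.messagingengine.com",
             "carddav.messagingengine.com"],
)
FASTMAIL_MX = "in1-smtp.messagingengine.com"
# Hypothetical: the hearst.com relay certificate, which the question says has no usable SAN.
HEARST_CERT = ServerCert(subject_cn="gslb.pphosted.com")
HEARST_MX = "mx-placeholder.pphosted.com"  # placeholder, not a real MX


def fastmail_secure_default() -> bool:
    return certificate_verified("secure", FASTMAIL_CERT, "fastmail.fm", FASTMAIL_MX)[0]

def fastmail_secure_with_match() -> bool:
    # Equivalent of a hypothetical 'fastmail.fm secure match=.messagingengine.com' entry.
    return certificate_verified("secure", FASTMAIL_CERT, "fastmail.fm", FASTMAIL_MX,
                                [".messagingengine.com"])[0]

def fastmail_verify_default() -> bool:
    return certificate_verified("verify", FASTMAIL_CERT, "fastmail.fm", FASTMAIL_MX)[0]

def hearst_secure_with_match() -> bool:
    return certificate_verified("secure", HEARST_CERT, "hearst.com", HEARST_MX,
                                ["gslb.pphosted.com"])[0]

if __name__ == "__main__":
    for fn in (fastmail_secure_default, fastmail_secure_with_match,
               fastmail_verify_default, hearst_secure_with_match):
        print(f"{fn.__name__:28} -> {'ok' if fn() else 'Server certificate not verified'}")
```

Running it shows why the deferral happens: with `secure` and no `match=`, Postfix only accepts names equal to `fastmail.fm` or a sub-domain of it, and none of the SANs in the log qualify, so the check fails despite the chain being trusted. `verify` would pass because it matches the DNS-derived MX host name against the wildcard SAN, which is exactly the DNS trust that `secure` is designed to avoid.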