SSL_accept error with Postfix opportunistic STARTTLS

I have configured Postfix 2.6.6 on CentOS 6 as a mail relay in front of an Exchange 2010 server. Things work. Now I want to add opportunistic encryption for incoming and outgoing mail.

At least for incoming mail this seems to work with most clients. However, some have trouble with it. Certain hosts fail with "SSL_accept error" and then immediately retry without using STARTTLS. So far so good. But some hosts don't come back, most notably my Exchange server (plus a few servers outside my organization).

Am I right in assuming this is basically a client problem? If so, I could disable the STARTTLS announcement for certain hosts, as described at http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps

However, that would mean I'd have to add hosts to this list from time to time so that clients outside the organization can send mail as well. Is there a better solution?

Here is some information about my setup.

My main.cf

    # Directory specification
    alternate_config_directories = /etc/postfix
    queue_directory = /opt/postfix/spool/postfix
    command_directory = /usr/sbin
    daemon_directory = /usr/libexec/postfix
    data_directory = /var/lib/postfix
    html_directory = no
    manpage_directory = /usr/share/man
    sample_directory = /usr/share/doc/postfix-2.6.6/examples
    readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES

    # Basic Mail Relay Setup
    myhostname = mymailserver.acme.com
    smtp_helo_name=mail.acme.com
    mail_owner = postfix
    setgid_group = postdrop
    inet_interfaces = all
    mynetworks = /etc/postfix/mynetworks
    mydestination = $myhostname, localhost.$mydomain
    unknown_local_recipient_reject_code = 550
    soft_bounce = no
    disable_vrfy_command = yes
    message_size_limit = 32768000
    bounce_size_limit = 65536
    header_size_limit = 32768

    # Mail Timing Settings and alerting thereof
    maximal_queue_lifetime = 3d
    bounce_queue_lifetime = 3d
    delay_warning_time = 3h
    bounce_template_file = /etc/postfix/bounce.cf

    # Domain specification
    mydomain = acme.com
    myorigin = $mydomain
    relay_domains = foo.acme.com, bar.acme.com
    virtual_alias_domains = acme.com, openacme.org

    # Debug options
    debug_peer_level = 2
    debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5

    # Command Path definition
    sendmail_path = /usr/sbin/sendmail
    newaliases_path = /usr/bin/newaliases
    mailq_path = /usr/bin/mailq

    # Map definition
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    transport_maps = hash:/etc/postfix/transport
    virtual_alias_maps = regexp:/etc/postfix/virtual_domains hash:/etc/postfix/virtual

    # Encryption
    smtpd_tls_security_level = may
    smtpd_tls_auth_only = yes
    smtpd_tls_cert_file=/etc/postfix/ssl/cert.pem
    smtpd_tls_key_file=/etc/postfix/ssl/clearkey.pem
    smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dhparams.pem
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
    smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1
    smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, CBC3-SHA
    smtpd_tls_mandatory_ciphers = medium
    tls_medium_cipherlist = AES128+EECDH:AES128+EDH
    smtpd_tls_eecdh_grade = strong

    # also encrypt outgoing mail
    smtp_tls_security_level = may
    smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt

    # enable logging for debugging
    smtpd_tls_loglevel = 2
    smtp_tls_loglevel = 2

    # SMTP Settings
    smtpd_banner = $myhostname ESMTP
    smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, permit
    smtpd_client_restrictions = permit_mynetworks, reject_invalid_hostname, reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net, permit
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_invalid_hostname, permit
    smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender, check_sender_access hash:/etc/postfix/access_domains, check_sender_access pcre:/etc/postfix/access_domains_pcre, reject_unknown_sender_domain, permit
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_multi_recipient_bounce, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unlisted_recipient, check_recipient_access hash:/etc/postfix/internal_recipient, check_sender_access hash:/etc/postfix/access_domains, check_sender_access pcre:/etc/postfix/access_domains_pcre

STARTTLS seems to be announced correctly:

    [hansolo@desk ~]$ telnet 1.2.3.4 25
    Trying 1.2.3.4...
    Connected to 1.2.3.4.
    Escape character is '^]'.
    220 **************************
    EHLO test
    250-mx.acme.com
    250-PIPELINING
    250-SIZE 32768000
    250-ETRN
    250-STARTTLS
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN

And the SSL configuration looks fine to me (please correct me if I'm wrong):

    [hansolo@desk ~]$ openssl s_client -starttls smtp -connect mail.acme.com:25
    CONNECTED(00000003)
    depth=2 C = CH, O = SwissSign AG, CN = SwissSign Silver CA - G2
    verify return:1
    depth=1 C = CH, O = SwissSign AG, CN = SwissSign Server Silver CA 2014 - G22
    verify return:1
    depth=0 OU = Domain Validated Only, CN = mail.acme.com
    verify return:1
    ---
    Certificate chain
     0 s:/OU=Domain Validated Only/CN=mail.acme.com
       i:/C=CH/O=SwissSign AG/CN=SwissSign Server Silver CA 2014 - G22
     1 s:/C=CH/O=SwissSign AG/CN=SwissSign Server Silver CA 2014 - G22
       i:/C=CH/O=SwissSign AG/CN=SwissSign Silver CA - G2
     2 s:/C=CH/O=SwissSign AG/CN=SwissSign Silver CA - G2
       i:/C=CH/O=SwissSign AG/CN=SwissSign Silver CA - G2
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    <server certificate removed for posting>
    -----END CERTIFICATE-----
    subject=/OU=Domain Validated Only/CN=mail.acme.com
    issuer=/C=CH/O=SwissSign AG/CN=SwissSign Server Silver CA 2014 - G22
    ---
    No client certificate CA names sent
    Peer signing digest: SHA512
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 5583 bytes and written 362 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-GCM-SHA384
        Session-ID: 0CE08FBFFEE1F856B84FF5D042E6FDB2D9A0A415565FCB04A04C565CA7EBC12C
        Session-ID-ctx:
        Master-Key: 4B215AFF8DEB9043F19346361EA98A617C1155E984C77C0B6FB74083897EAE6A502DB717CE249F81F2A19A1D31B38DEC
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        TLS session ticket lifetime hint: 3600 (seconds)
        TLS session ticket:
        0000 - 43 a8 9a 29 4e 52 05 78-60 eb 46 15 09 e8 21 f4   C..)NR.x`.F...!.
        0010 - 37 65 55 f8 8c 51 12 a7-37 14 29 41 1d 7b a0 fb   7eU..Q..7.)A.{..
        0020 - fb 6a d4 6e 49 c9 41 cd-1d cc ec a8 23 90 4f a3   .j.nI.A.....#.O.
        0030 - 5d 8d 73 6a 0e fc 69 df-58 63 1f c7 6b 43 13 39   ].sj..i.Xc..kC.9
        0040 - 5e ee 73 df 3a 80 8a d5-e3 bf 80 f5 47 c2 33 e1   ^.s.:.......G.3.
        0050 - f5 dc 2f 9e 12 15 7d 3a-ac 3c 27 e8 73 24 05 65   ../...}:.<'.s$.e
        0060 - 0c 5a da 9f 79 a2 a3 80-31 24 ea 22 1f 12 4e ea   .Z..y...1$."..N.
        0070 - e7 d5 0b a6 d9 0b 7f 55-fd a0 bb 2e aa 93 3e b8   .......U......>.
        0080 - c5 ff 46 6b 55 3e ff ee-00 e0 20 d1 2e fc d5 62   ..FkU>.... ....b
        0090 - 40 fe 9b 4e 38 ab 63 92-c3 41 48 28 71 48 06 91   @..N8.c..AH(qH..

        Start Time: 1458037878
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    250 DSN

Here is the log:

    Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: initializing the server-side TLS engine
    Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: connect from unknown[192.168.0.235]
    Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: setting up TLS connection from unknown[192.168.0.235]
    Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: unknown[192.168.0.235]: TLS cipher list "ALL:+RC4:@STRENGTH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CDB3-SHA:!KRB5-DES:!CBC3-SHA"
    Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: SSL_accept:before/accept initialization
    Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: SSL_accept:error in SSLv2/v3 read client hello A
    Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: SSL_accept error from unknown[192.168.0.235]: -1
    Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: warning: TLS library problem: 24499:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:644:
    Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: lost connection after STARTTLS from unknown[192.168.0.235]
    Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: disconnect from unknown[192.168.0.235]

Also, at least Gmail tells me that my mail is not encrypted.

Any help or hints are appreciated.

EDIT
It turns out that our firewall (Cisco ASA) mangles the ESMTP protocol through its protocol inspection. See this blog post for the details and the resolution. At least Gmail no longer complains about missing encryption. I still need to check whether this is the complete solution.
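The question above boils down to a triage problem: which clients fail the STARTTLS handshake, which of those fall back to a cleartext session (so mail still arrives, unencrypted), and which never come back at all. Below is an added Python example (not part of the post, and not Postfix's own tooling) that walks `postfix/smtpd` log lines and sorts clients into those three buckets, then renders the `cidr:` table lines that the `smtpd_discard_ehlo_keyword_address_maps` parameter linked in the question expects, for exactly the hosts that never came back. It assumes the standard smtpd log phrases visible in the post (`connect from`, `SSL_accept error from`, `disconnect from`) plus the `client=` line smtpd logs when it accepts a message and the `... TLS connection established from` line it logs after a successful handshake. The 192.168.0.235 session mirrors the post's log; the 192.0.2.x hosts, PIDs and queue ids are constructed. Since the poster's edit traced the root cause to ASA ESMTP inspection, the generated map is the per-host workaround the question describes, useful for spotting which peers are affected rather than as a substitute for fixing the inspection.

```python
import re
import sys
from collections import defaultdict

# Constructed sample of Postfix smtpd log lines. The 192.168.0.235 session follows the
# post; the 192.0.2.x hosts (RFC 5737 documentation addresses), PIDs and queue ids are made up.
SAMPLE_LOG = """\
Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: connect from unknown[192.168.0.235]
Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: SSL_accept error from unknown[192.168.0.235]: -1
Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: warning: TLS library problem: 24499:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:644:
Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: lost connection after STARTTLS from unknown[192.168.0.235]
Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: disconnect from unknown[192.168.0.235]
Mar 15 15:16:02 mymailserver postfix/smtpd[24510]: connect from mx.example.net[192.0.2.10]
Mar 15 15:16:02 mymailserver postfix/smtpd[24510]: SSL_accept error from mx.example.net[192.0.2.10]: -1
Mar 15 15:16:02 mymailserver postfix/smtpd[24510]: lost connection after STARTTLS from mx.example.net[192.0.2.10]
Mar 15 15:16:02 mymailserver postfix/smtpd[24510]: disconnect from mx.example.net[192.0.2.10]
Mar 15 15:16:03 mymailserver postfix/smtpd[24511]: connect from mx.example.net[192.0.2.10]
Mar 15 15:16:03 mymailserver postfix/smtpd[24511]: 0F1E2D3C4B: client=mx.example.net[192.0.2.10]
Mar 15 15:16:03 mymailserver postfix/smtpd[24511]: disconnect from mx.example.net[192.0.2.10]
Mar 15 15:17:40 mymailserver postfix/smtpd[24520]: connect from mail.example.org[192.0.2.20]
Mar 15 15:17:40 mymailserver postfix/smtpd[24520]: Anonymous TLS connection established from mail.example.org[192.0.2.20]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 15 15:17:40 mymailserver postfix/smtpd[24520]: A1B2C3D4E5: client=mail.example.org[192.0.2.20]
Mar 15 15:17:40 mymailserver postfix/smtpd[24520]: disconnect from mail.example.org[192.0.2.20]
"""

SMTPD_RE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CLIENT_RE = re.compile(r"(?P<name>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]")
TLS_OK_RE = re.compile(r"^(Anonymous|Untrusted|Trusted|Verified) TLS connection established from ")


def parse_events(log_text):
    """One pass over the log; returns per client IP an ordered list of
    ("tls_fail", False) and ("accepted", <message arrived over TLS?>) events."""
    sessions = {}                 # smtpd pid -> True once TLS was established in that session
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if msg.startswith("connect from "):
            sessions[pid] = False                       # new session, cleartext so far
        elif TLS_OK_RE.match(msg):
            sessions[pid] = True                        # handshake succeeded
        elif msg.startswith("SSL_accept error from "):
            ip = CLIENT_RE.search(msg).group("ip")
            events[ip].append(("tls_fail", False))      # handshake failed (the post's symptom)
        elif ": client=" in msg:
            ip = CLIENT_RE.search(msg.split("client=", 1)[1]).group("ip")
            events[ip].append(("accepted", sessions.get(pid, False)))
        elif msg.startswith("disconnect from "):
            sessions.pop(pid, None)
    return events


def classify(ip_events):
    """Verdict for one client based on what happened after its last handshake failure."""
    fails = [i for i, (kind, _) in enumerate(ip_events) if kind == "tls_fail"]
    if not fails:
        return "ok" if any(k == "accepted" for k, _ in ip_events) else "no-mail"
    after = [tls for kind, tls in ip_events[fails[-1] + 1:] if kind == "accepted"]
    if not after:
        return "never-came-back"          # failed STARTTLS and delivered nothing afterwards
    return "recovered-with-tls" if all(after) else "fell-back-to-cleartext"


def analyze(log_text):
    """Map client IP -> {"tls_failures": n, "verdict": ...}."""
    return {ip: {"tls_failures": sum(1 for k, _ in ev if k == "tls_fail"),
                 "verdict": classify(ev)}
            for ip, ev in parse_events(log_text).items()}


def esmtp_access_lines(report):
    """Lines for a cidr: table used with smtpd_discard_ehlo_keyword_address_maps,
    hiding the STARTTLS keyword only from hosts that failed it and never came back."""
    return [f"{ip} starttls" for ip, r in sorted(report.items())
            if r["verdict"] == "never-came-back"]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    report = analyze(text)
    for ip, r in sorted(report.items()):
        print(f"{ip:<16} failures={r['tls_failures']} verdict={r['verdict']}")
    print("\n# candidate /etc/postfix/esmtp_access entries")
    print("\n".join(esmtp_access_lines(report)))
```

Run it against `/var/log/maillog` (or with no argument to use the embedded sample). The "fell-back-to-cleartext" bucket is the one worth watching: those peers still deliver, but every message from them travels unencrypted, which is what Gmail's warning in the post is reporting from the other direction.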