服务器 Gind.cn
  1. 服务器 Gind.cn
  3. ssl与dovecot的问题
Intereting Posts
确定nginx反向代理负载限制 安装程序启动服务; wim部署挂在这上面 为什么我无法使用Windows集成安全性login到SQL Server? 为什么他们在named.conf BINDconfiguration文件中没有跟踪点名? 在服务器上将驱动器作为NFS呈现给其他networking设备 Apache Auth指令级联到别名目录 Linux上超过65536个TCP连接 在不同的子网上正确configuration两个eth接口 从/ var / mysql目录恢复MySQL数据库 在Cisco IOS阻止Skype 我可以让nginx在几秒钟后重新发送请求到FastCGI吗? 即使安装了新的证书,Apache也似乎正在使用旧的过期证书 在小型私人networking上encryptionLAN和wifistream量 Openstack似乎没有正确地将内部IP映射到本地networking 在Grub 0.95 CLI中查找LVM根卷,而无需访问grub.conf文件

ssl与dovecot的问题

我有一个,显然是经常发生但未解决的问题,通过Gmail从外部邮箱中检索邮件时,Gmail。 看看错误的详细信息,它说:

服务器回应:“身份validation失败”。

这个邮件服务器是我自己的服务器,当我从terminal连接: 

~$ telnet mail.mydomain.com:995

我得到以下内容: 

 Trying xx.xx.xxx.xx... Connected to mail.mydomain.com. Escape character is '^]'.

然后在尝试login时: 

 user myuser Connection closed by foreign host.

在我的邮件日志中: 

 Mar 26 18:22:42 www dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth Mar 26 18:22:42 www dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libdriver_mysql.so Mar 26 18:22:42 www dovecot: auth: Debug: auth client connected (pid=6554) Mar 26 18:23:20 www dovecot: pop3-login: Disconnected (no auth attempts): rip=xx.xx.xxx.xx, lip=xx.xx.xxx.xx, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

在testingssl时: 

 ~$ openssl s_client -connect mail.mydomain.com:995

我可以连接,但与此行(我购买了godaddy证书): 

 Verify return code: 19 (self signed certificate in certificate chain)

我可能做错了什么? 这是我的configuration文件: 

 # 2.0.13: /etc/dovecot/dovecot.conf # OS: Linux 3.0.0-13-server x86_64 Ubuntu 11.10 ext4 log_timestamp = "%Y-%m-%d %H:%M:%S " mail_location = maildir:/home/vmail/%d/%n/Maildir managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date namespace { inbox = yes location = prefix = INBOX. separator = . type = private } passdb { args = /etc/dovecot/dovecot-sql.conf driver = sql } protocols = imap pop3 service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } unix_listener auth-userdb { group = vmail mode = 0600 user = vmail } unix_listener auth-master { mode = 0600 user = vmail } user = root } ssl = required ssl_cert = </etc/ssl/certs/mail.mydomain.com_combined.crt ssl_key = </etc/ssl/private/mail.mydomain.key userdb { args = uid=5000 gid=5000 home=/home/vmail/%d/%n allow_all_users=yes driver = static } protocol lda { auth_socket_path = /var/run/dovecot/auth-master log_path = /home/vmail/dovecot-deliver.log mail_plugins = sieve postmaster_address = [email protected] } protocol pop3 { pop3_uidl_format = %08Xu%08Xv } disable_plaintext_auth = no auth_verbose = yes auth_debug = yes

后缀

 # See /usr/share/postfix/main.cf.dist for a commented, more complete version # Debian specific: Specifying a file name will cause the first # line of that file to be used as the name. The Debian default # is /etc/mailname. #myorigin = /etc/mailname smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu) biff = no # appending .domain is the MUA's job. append_dot_mydomain = no # Uncomment the next line to generate "delayed mail" warnings #delay_warning_time = 4h readme_directory = /usr/share/doc/postfix # TLS parameters smtpd_tls_cert_file = /etc/ssl/certs/mail.mydomain.com_combined.crt smtpd_tls_key_file = /etc/ssl/private/mail.mydomain.com.key smtpd_tls_security_level = may smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for # information on enabling SSL in the smtp client. myhostname = mail.mydomain.com mydomain = mydomain.com alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases myorigin = /etc/mailname mydestination = relayhost = mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 mailbox_command = procmail -a "$EXTENSION" mailbox_size_limit = 0 recipient_delimiter = + inet_interfaces = all html_directory = /usr/share/doc/postfix/html message_size_limit = 30720000 virtual_alias_domains = virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf virtual_mailbox_base = /home/vmail virtual_uid_maps = static:5000 virtual_gid_maps = static:5000 smtpd_sasl_auth_enable = yes broken_sasl_auth_clients = yes smtpd_sasl_authenticated_header = yes # see under Spam smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps virtual_transport = dovecot dovecot_destination_recipient_limit = 1 # Spam disable_vrfy_command = yes smtpd_delay_reject = yes smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks, check_helo_access hash:/etc/postfix/helo_access, reject_non_fqdn_hostname, reject_invalid_hostname, permit smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_invalid_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_hostname, reject_rbl_client sbl.spamhaus.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net, permit smtpd_error_sleep_time = 1s smtpd_soft_error_limit = 10 smtpd_hard_error_limit = 20

没有什么是错的。 您向我们显示的所有内容都与在端口995上运行的POP / S(SSLencryption)服务器一致。您的openssl s_client会话可能会抱怨,因为它的证书包中没有正确的CA.

为什么谷歌无法从您的服务器上获取电子邮件是一个合理的问题,但没有任何你发布的任何错误。 如果您可以通过从您的服务器检索邮件的行为来抓住Google,并发布这些 dovecot日志,那么我们可能会开始解决这个问题。

编辑Connection closed by foreign host发生的原因是,除非您本人可以说stream利的SSL并快速input奇数字符,否则不能使用telnet连接到SSL安全服务( nb :对于TLS安全的服务,但这不是一个)。 您input的“user myuser”(不是有效的SSL握手)会导致SSL23_GET_CLIENT_HELLO:unknown protocol错误。 对不起,它不“看起来不错”,但它是完全正确的。

如果您尝试从openssl s_client会话login,您可能会有更多的运气; 自签名证书警告对会话是信息性的,而不是致命的。

我想也许这个线程是旧的,但我会尽力而为,其他人可能会觉得它有用谷歌是非常奇特的,当涉及到连接到邮件服务器,除非邮件服务器使用由一个公认的权威机构颁发的真正的SSL证书作为“Starssl”等,谷歌甚至不会和你的服务器通话。

几个月前我也遇到了类似的问题,当我最终使用了一个非自签名证书时,我开始收到来自“Yahoo,Google等等的电子邮件”。所以,如果你得到了自签名证书或者没有捆绑的证书,从一个公认的权威机构颁发的证书,它仍然无法检查你有正确的处理。 注意最小的细节,任何事情都可能把它搞砸。 但是第一个罪魁祸首是CA. 祝你好运,我希望这个信息可以帮助别人。