TLS / SSL certificate installation for a Postfix / Dovecot mail server

I am trying to set up my own web server together with a mail server (I am not a Linux expert, I am just following some tutorials). The web server setup with Nginx, PHP-FPM and MySQL seems to have gone fine, and then I moved on to the mail server setup with Postfix and Dovecot. That also seemed to install fine.

When I check the TLS connection with telnet, the old server returns a different reply than the new one. The old one says 18 self signed, but the new one says 21 unable to verify the first certificate.

Debug results:

The command I ran for the original, working mail server is

    openssl s_client -connect mail.example.com:25 -starttls smtp

The reply is

    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=Virginia/L=Herndon/O=Parallels/OU=Parallels Panel/CN=Parallels Panel/[email protected]
       i:/C=US/ST=Virginia/L=Herndon/O=Parallels/OU=Parallels Panel/CN=Parallels Panel/[email protected]
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIDszCCApsCBFQW12QwDQYJKoZIhvcNAQEFBQAwgZ0xCzAJBgNVBAYTAlVTMREw
    DwYDVQQIEwhWaXJnaW5pYTEQMA4GA1UEBxMHSGVybmRvbjESMBAGA1UEChMJUGFy
    YWxsZWxzMRgwFgYDVQQLEw9QYXJhbGxlbHMgUGFuZWwxGDAWBgNVBAMTD1BhcmFs
    bGVscyBQYW5lbDEhMB8GCSqGSIb3DQEJARYSaW5mb0BwYXJhbGxlbHMuY29tMB4X
    DTE0MDkxNTEyMTExNloXDTE1MDkxNTEyMTExNlowgZ0xCzAJBgNVBAYTAlVTMREw
    DwYDVQQIEwhWaXJnaW5pYTEQMA4GA1UEBxMHSGVybmRvbjESMBAGA1UEChMJUGFy
    YWxsZWxzMRgwFgYDVQQLEw9QYXJhbGxlbHMgUGFuZWwxGDAWBgNVBAMTD1BhcmFs
    bGVscyBQYW5lbDEhMB8GCSqGSIb3DQEJARYSaW5mb0BwYXJhbGxlbHMuY29tMIIB
    IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAur6FGm1GYj98XradW+dIwWip
    6wvBUk5ePdSFCqzGink7+2MRyq4iKn/65Pc/YeUlToI8txUYc14M017VtCmb6Wd2
    ohA0QtsRVMvX7n70nmflUVAzwzdBwtCE3+25ql4dA4ixe5zwI0XIWeYfqEoRtpyu
    1ebUFBd8pRvvR0jA75cx4BIEvIGFIiSYZ9cTIp+Q/gGBesI/HBadUS8aEMf+6nTX
    +iFdjgHNO/uPupqp8uU24QFQzphghvpy1y079QuqrsYoQWOKKf4QG/xbeFiYUgbp
    rtaF9OvKD2ugzwdAVBFtuzdg8/2fcjB9YFBipm0DZygrbM9OG5TA9dQyh84oVwID
    AQABMA0GCSqGSIb3DQEBBQUAA4IBAQCtqyW6NGN3auoFEHKlcRHGP0GxAChhPMpB
    NCUW+/ZHR4tXiiTI2xQcr1yfGmRkwipn9z+GAzL1bkkHpnOHSGAx+0G6CH645QkC
    7YDqeRMnkCVrmYlJ73TB9WMczg8Zp/GxNU4lSSiYU+bthVOdbw0XHpnzhl02WckC
    UZbJIXUI9V8NpWDq38R260Dxax4OOO3YVJ+pynqZMQjhUl7XMXLhT6o4GbmUHDtZ
    jqgGti4M7YBPHY9l1nb9N2KZx9kgfS8i885DS5yhSjxMmeEfMMn3DIZlhc7lBEEX
    N+btpue2vX+Q+gOAP/qEk8FqHxcyHquc89XGafuJ677LIEQlhOA1
    -----END CERTIFICATE-----
    subject=/C=US/ST=Virginia/L=Herndon/O=Parallels/OU=Parallels Panel/CN=Parallels Panel/[email protected]
    issuer=/C=US/ST=Virginia/L=Herndon/O=Parallels/OU=Parallels Panel/CN=Parallels Panel/[email protected]
    ---
    No client certificate CA names sent
    Server Temp Key: ECDH, prime256v1, 256 bits
    ---
    SSL handshake has read 1698 bytes and written 410 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-GCM-SHA384
        Session-ID: 2E011BE0124FA920C50F8A3D69198EED28F37EB096F9D7F9BF22389B72DEC01E
        Session-ID-ctx:
        Master-Key: 2B8AB37BDC5D7A5DF441E9599C39F20783802DC5F3258C284617DA01513E58DB961F56F451F2592AAA97188D6E9726BE
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        Start Time: 1427334041
        Timeout   : 300 (sec)
        Verify return code: 18 (self signed certificate)
    ---
    250 DSN

The command I ran for the new mail server is

    openssl s_client -connect localhost:25 -starttls smtp

The reply is

    CONNECTED(00000003)
    depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = dc-career, emailAddress = root@dc-career
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = dc-career, emailAddress = root@dc-career
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
     0 s:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=dc-career/emailAddress=root@dc-career
       i:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=dc-career/emailAddress=root@dc-career
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIID3jCCAsagAwIBAgICSkUwDQYJKoZIhvcNAQELBQAwgaMxCzAJBgNVBAYTAi0t
    MRIwEAYDVQQIDAlTb21lU3RhdGUxETAPBgNVBAcMCFNvbWVDaXR5MRkwFwYDVQQK
    DBBTb21lT3JnYW5pemF0aW9uMR8wHQYDVQQLDBZTb21lT3JnYW5pemF0aW9uYWxV
    bml0MRIwEAYDVQQDDAlkYy1jYXJlZXIxHTAbBgkqhkiG9w0BCQEWDnJvb3RAZGMt
    Y2FyZWVyMB4XDTE1MDMyNTA2MDQzN1oXDTE2MDMyNDA2MDQzN1owgaMxCzAJBgNV
    BAYTAi0tMRIwEAYDVQQIDAlTb21lU3RhdGUxETAPBgNVBAcMCFNvbWVDaXR5MRkw
    FwYDVQQKDBBTb21lT3JnYW5pemF0aW9uMR8wHQYDVQQLDBZTb21lT3JnYW5pemF0
    aW9uYWxVbml0MRIwEAYDVQQDDAlkYy1jYXJlZXIxHTAbBgkqhkiG9w0BCQEWDnJv
    b3RAZGMtY2FyZWVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4hcI
    X+P16RbOp9eCFYN00Rw4sVFo/rtGAUJOVddGT43yJZ7oP94kED/kppQjrtTRIWE9
    TJ1E+wOY5GAzkP2mGgoxwFZxRI5MCnJxhqieSIJKrduILKWUadWnfW/k6CKicrhv
    tcYY6KVOq3THLpjyslblWenX7SRcMBQ1s5WDYT7f2dd9qgFFvE9l+NBHgeMvqZtc
    KHF8nG6VVkOkYBnG4V6LlUppTKI1KYSPbbWrLfTuhamo1prlCn58DWcAjkyIBhmc
    XYnlW0td8YiDaV7Gq28aefMOASjOXY0yWWSoKCACKagDnY01ZihMcLYfkhcKH7Hk
    sN4wjbv8bAg2o99BFQIDAQABoxowGDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAN
    BgkqhkiG9w0BAQsFAAOCAQEAUmQi8NMCsdqC85AVw5U0pkGW/VmWaA8mmmM2P+Gu
    kzhCvx1wD3uoVqTC4lp9LDYR5Fk6BC929gYPz3J/WzaCjYtPAPvR0jXNPWy2Qq1C
    MPavaMIkHwB0vgmM3AhxNSWohTVpJQTu+2niRpOMYMPtrVfgsGxbVsMrwPZpiBHH
    xwR+syRCNWoe9T+TuaTV5uC9deQkuGiWNKCII34DMTtx/OIhxDIhDNRKqSgl/6Xg
    nSrFnoZt2RA+XWBiuz3kK4F8Cs+9iOUvO3YG6a9u4B+I1o+KyoV68GWGnKafBP0p
    gB6WYb2QUX1mwyj2Xg38HQao7zVhbShsg1XVnmRZU6yvng==
    -----END CERTIFICATE-----
    subject=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=dc-career/emailAddress=root@dc-career
    issuer=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=dc-career/emailAddress=root@dc-career
    ---
    No client certificate CA names sent
    Server Temp Key: ECDH, prime256v1, 256 bits
    ---
    SSL handshake has read 1886 bytes and written 410 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-GCM-SHA384
        Session-ID: 3B1E05F1518F27105F09F910C97E73847BEBA9BA98E479FE21CB8D827CA82F6D
        Session-ID-ctx:
        Master-Key: 34EC64A0AAE219BEBE181ED97692A0C5370F1B56FEE52B6E7B9A0E3480E26BFA243B06487FCA7B01ED5456BE9DC6E4E3
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        TLS session ticket lifetime hint: 3600 (seconds)
        TLS session ticket:
        0000 - 32 34 a9 c9 aa 9d 86 67-93 3c ab 32 fe 9a c7 aa   24.....g.<.2....
        0010 - 32 18 5d 0c 74 7f 4a 3b-17 3f 51 6e d0 ac b0 59   2.].tJ;.?Qn...Y
        0020 - a1 c7 76 36 43 18 39 bc-0b e7 fb a0 67 e5 e3 db   ..v6C.9.....g...
        0030 - b7 50 c3 a2 cf cc 82 4c-b4 45 d8 96 d6 6f 2e 3d   .P.....LE..o.=
        0040 - 36 46 45 94 f4 6e 9f 84-f2 49 9c 56 25 51 53 34   6FE..n...IV%QS4
        0050 - fb ab 8c 4b 16 04 f7 68-0c f3 c3 be 66 38 da ee   ...K...h....f8..
        0060 - b7 35 bf c1 5b c0 02 43-4b 55 5c 0c d2 7d 66 62   .5..[..CKU\..}fb
        0070 - 78 9f a8 d0 f2 b9 52 e0-3f 92 52 90 8f 2a a7 04   x.....R.?.R..*..
        0080 - a6 af 4a 6a b1 ce ff 6c-4e b5 f6 90 0d 4e 05 a8   ..Jj...lN....N..
        0090 - e5 53 8a 58 fc 75 fa 97-06 78 49 95 41 96 5d 05   .SXu..xI.A.].

        Start Time: 1427334340
        Timeout   : 300 (sec)
        Verify return code: 21 (unable to verify the first certificate)
    ---
    250 DSN

Is there something wrong with the mail setup? If so, what should I do?

Yes, I did not expect it to be the same, just why the error on the second one, and how to fix it. I think my generation of, or assignment to, dovecot/postfix is wrong, because I do not know how to use the CA that went into this install. How do I use the CA crts? In postfix/dovecot?

To use an SSL certificate in Postfix, you can refer to this document.

smtpd_tls_cert_file (default: empty)

In order to enable remote SMTP clients to verify the Postfix SMTP server certificate, the issuing CA certificates must be made available to the client. You should include the required certificates in the server certificate file, the server certificate first, then the issuing CA(s) (bottom-up order).

Example: the certificate for "server.example.com" was issued by "intermediate CA", which itself has a certificate of "root CA". Create the server.pem file with "cat server_cert.pem intermediate_CA.pem root_CA.pem > server.pem".

If you also want to verify client certificates issued by these CAs, you can add the CA certificates to smtpd_tls_CAfile, in which case it is not necessary to have them in smtpd_tls_cert_file or smtpd_tls_dcert_file.

That's it. You can concatenate the two certificates and put the result in smtpd_tls_cert_file.

The same 'concat' approach can be applied to Dovecot. See this document and this mailing list entry.
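A small checker for the bottom-up order the answer describes, added here as an example; it is not part of the question or the answer above and is not Postfix's or Dovecot's own tooling. It reads only the subject and issuer names out of each certificate in a PEM bundle (pure-Python DER decoding, so it needs no OpenSSL) and reports when a certificate's issuer is not the next certificate in the file. A leaf whose issuer is missing from the bundle is what leaves a remote client with "21 (unable to verify the first certificate)"; a bundle that ends in a self-issued certificate the client does not trust is what produces "18 (self signed certificate)". The names server.example.com, "intermediate CA" and "root CA" are taken from the answer, and the certificates fed to the checker are constructed, unsigned placeholders that carry only the name fields (they are not valid X.509 certificates and exist only to exercise the checker); on a real system you would pass it the contents of server.pem.

```python
"""Check that a PEM bundle is in the order Postfix wants for smtpd_tls_cert_file:
server (leaf) certificate first, then each issuing CA, bottom-up.
Pure-Python DER reading; only subject and issuer names are decoded."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# DER-encoded attribute type OIDs -> the short names openssl prints
OID_NAMES = {
    b"\x55\x04\x06": "C", b"\x55\x04\x08": "ST", b"\x55\x04\x07": "L",
    b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU", b"\x55\x04\x03": "CN",
    b"\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01": "emailAddress",
}

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split the content of a SEQUENCE/SET into (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out

def _decode_name(name_value):
    """Render an X.501 Name the way openssl does: /C=US/ST=.../CN=..."""
    parts = []
    for _, rdn in _children(name_value):        # RDN = SET of AttributeTypeAndValue
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)  # SEQUENCE { type OID, value }
            parts.append(f"{OID_NAMES.get(oid, oid.hex())}={val.decode('utf-8', 'replace')}")
    return "/" + "/".join(parts)

def subject_issuer(der):
    """Return (subject, issuer) strings of one DER-encoded certificate."""
    _, cert, _ = _read_tlv(der, 0)              # Certificate ::= SEQUENCE
    fields = _children(_children(cert)[0][1])   # tbsCertificate fields
    if fields[0][0] == 0xA0:                    # optional [0] version (absent in v1 certs)
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return _decode_name(fields[4][1]), _decode_name(fields[2][1])

def check_bundle_order(pem_text):
    """Return a list of problems with the certificate order; [] means usable.
    Only name equality is checked: a certificate whose issuer name equals its
    own subject name is treated as the top of the chain. A full verification
    (openssl verify) also checks the signatures, which this does not."""
    certs = [subject_issuer(base64.b64decode("".join(b.split())))
             for b in PEM_RE.findall(pem_text)]
    if not certs:
        return ["no certificates found"]
    problems = []
    for i, (subj, iss) in enumerate(certs):
        if subj == iss:
            if i != len(certs) - 1:
                problems.append(f"cert {i} ({subj}) is self-issued but not last in the file")
        elif i + 1 == len(certs):
            problems.append(f"cert {i} ({subj}) needs issuer {iss}, but nothing follows it")
        elif certs[i + 1][0] != iss:
            problems.append(f"cert {i} issuer {iss} != cert {i + 1} subject {certs[i + 1][0]}")
    return problems

# ---- constructed test input (placeholders, not real certificates) ----------
def _tlv(tag, content):
    """Minimal DER encoder: tag + length + content."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_name(attrs):
    oid_for = {short: oid for oid, short in OID_NAMES.items()}
    rdns = b"".join(_tlv(0x31, _tlv(0x30, _tlv(0x06, oid_for[k]) + _tlv(0x0C, v.encode())))
                    for k, v in attrs)
    return _tlv(0x30, rdns)

def constructed_cert_pem(subject, issuer):
    """A made-up, unsigned 'certificate' carrying only the fields the parser reads
    (serial, algorithm placeholder, issuer, validity placeholder, subject)."""
    tbs = (_tlv(0x02, b"\x01") + _tlv(0x30, b"") + _encode_name(issuer)
           + _tlv(0x30, b"") + _encode_name(subject))
    b64 = base64.b64encode(_tlv(0x30, _tlv(0x30, tbs))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

LEAF = [("CN", "server.example.com")]          # names taken from the answer above
INTER = [("O", "Example"), ("CN", "intermediate CA")]
ROOT = [("O", "Example"), ("CN", "root CA")]
PEMS = {                                        # (subject, issuer) for each file
    "server": constructed_cert_pem(LEAF, INTER),
    "intermediate": constructed_cert_pem(INTER, ROOT),
    "root": constructed_cert_pem(ROOT, ROOT),
}

if __name__ == "__main__":
    # same order as: cat server_cert.pem intermediate_CA.pem root_CA.pem > server.pem
    print(check_bundle_order(PEMS["server"] + PEMS["intermediate"] + PEMS["root"]))
    print(check_bundle_order(PEMS["server"]))   # leaf alone: its issuer is missing
```

On a live system, `check_bundle_order(open("/etc/postfix/server.pem").read())` (path assumed) shows at a glance whether the file Postfix serves ends at the leaf, which is the situation that produces error 21 for every connecting client, or continues through the issuing CAs as the documentation quoted in the answer requires.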