Enable STARTTLS on Postfix with Zarafa

I have run into a problem that I just cannot solve with a Google search; I need some expert help. My company runs its own mail server (Postfix with Zarafa components). We are an insurance company, so we often receive mail containing personal information that should not be read by others. So one of our partners simply wants to encrypt it, which is perfectly reasonable. But it does not seem to work for external users. I don't really know how to explain it, but I'll try:

They checked our mail server with:

    openssl s_client -host mx01.cevo.de -port 25 -starttls smtp -debug

which failed with this output:

    CONNECTED(00000003)
    read from 0xec56b0 [0xec57e0] (4096 bytes => 38 (0x26))
    0000 - 32 32 30 20 6d 78 30 31-2e 63 65 76 6f 2e 64 65   220 mx01.cevo.de
    0010 - 20 45 53 4d 54 50 20 53-65 72 76 69 63 65 20 72    ESMTP Service r
    0020 - 65 61 64 79 0d 0a                                  eady..
    write to 0xec56b0 [0xec67f0] (25 bytes => 25 (0x19))
    0000 - 45 48 4c 4f 20 6f 70 65-6e 73 73 6c 2e 63 6c 69   EHLO openssl.cli
    0010 - 65 6e 74 2e 6e 65 74 0d-0a                        ent.net..
    read from 0xec56b0 [0xec57e0] (4096 bytes => 94 (0x5E))
    0000 - 32 35 30 2d 52 65 71 75-65 73 74 65 64 20 6d 61   250-Requested ma
    0010 - 69 6c 20 61 63 74 69 6f-6e 20 6f 6b 61 79 2c 20   il action okay,
    0020 - 63 6f 6d 70 6c 65 74 65-64 0d 0a 32 35 30 2d 53   completed..250-S
    0030 - 49 5a 45 20 32 30 34 38-30 30 30 30 0d 0a 32 35   IZE 20480000..25
    0040 - 30 2d 45 54 52 4e 0d 0a-32 35 30 2d 38 42 49 54   0-ETRN..250-8BIT
    0050 - 4d 49 4d 45 0d 0a 32 35-30 20 4f 4b 0d 0a         MIME..250 OK..
    didn't found starttls in server response, try anyway...
    write to 0xec56b0 [0x7fffd07d4ae0] (10 bytes => 10 (0xA))
    0000 - 53 54 41 52 54 54 4c 53-0d 0a                     STARTTLS..
    read from 0xec56b0 [0xeb79b0] (8192 bytes => 30 (0x1E))
    0000 - 35 30 33 20 42 61 64 20-73 65 71 75 65 6e 63 65   503 Bad sequence
    0010 - 20 6f 66 20 63 6f 6d 6d-61 6e 64 73 0d 0a          of commands..
    write to 0xec56b0 [0xec5730] (317 bytes => 317 (0x13D))
    0000 - 16 03 01 01 38 01 00 01-34 03 03 94 e2 69 f3 8f   ....8...4....i..
    0010 - cb a4 fd 61 49 3f 15 c4-5d a2 3f ca 4e f0 a9 eb   ...aI?..].?.N...
    0020 - 71 72 6b ce 65 00 b9 0c-e1 ee 9f 00 00 9e c0 30   qrk.e..........0
    0030 - c0 2c c0 28 c0 24 c0 14-c0 0a c0 22 c0 21 00 a3   .,.(.$.....".!..
    0040 - 00 9f 00 6b 00 6a 00 39-00 38 00 88 00 87 c0 32   ...k.j.9.8.....2
    0050 - c0 2e c0 2a c0 26 c0 0f-c0 05 00 9d 00 3d 00 35   ...*.&.......=.5
    0060 - 00 84 c0 12 c0 08 c0 1c-c0 1b 00 16 00 13 c0 0d   ................
    0070 - c0 03 00 0a c0 2f c0 2b-c0 27 c0 23 c0 13 c0 09   ...../.+.'.#....
    0080 - c0 1f c0 1e 00 a2 00 9e-00 67 00 40 00 33 00 32   .........g.@.3.2
    0090 - 00 9a 00 99 00 45 00 44-c0 31 c0 2d c0 29 c0 25   .....E.D.1.-.).%
    00a0 - c0 0e c0 04 00 9c 00 3c-00 2f 00 96 00 41 c0 11   .......<./...A..
    00b0 - c0 07 c0 0c c0 02 00 05-00 04 00 15 00 12 00 09   ................
    00c0 - 00 14 00 11 00 08 00 06-00 03 00 ff 01 00 00 6d   ...............m
    00d0 - 00 0b 00 04 03 00 01 02-00 0a 00 34 00 32 00 0e   ...........4.2..
    00e0 - 00 0d 00 19 00 0b 00 0c-00 18 00 09 00 0a 00 16   ................
    00f0 - 00 17 00 08 00 06 00 07-00 14 00 15 00 04 00 05   ................
    0100 - 00 12 00 13 00 01 00 02-00 03 00 0f 00 10 00 11   ................
    0110 - 00 23 00 00 00 0d 00 20-00 1e 06 01 06 02 06 03   .#..... ........
    0120 - 05 01 05 02 05 03 04 01-04 02 04 03 03 01 03 02   ................
    0130 - 03 03 02 01 02 02 02 03-00 0f 00 01 01            .............
    read from 0xec56b0 [0xecac90] (7 bytes => 7 (0x7))
    0000 - 34 32 31 20 53 4d 54                              421 SMT
    139855938602656:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:787:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 169 bytes and written 352 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    ---

Here is the log entry from mail.log:

    Jan 21 15:09:58 mx01 postfix/smtpd[1401]: connect from ec2-52-31-143-162.eu-west-1.compute.amazonaws.com[52.31.143.162]
    Jan 21 15:10:10 mx01 postfix/smtpd[1401]: lost connection after EHLO from ec2-52-31-143-162.eu-west-1.compute.amazonaws.com[52.31.143.162]
    Jan 21 15:10:10 mx01 postfix/smtpd[1401]: disconnect from ec2-52-31-143-162.eu-west-1.compute.amazonaws.com[52.31.143.162]

So I ran the same command from my laptop, and it worked without any problems:

    CONNECTED(00000003)
    read from 0xbdef20 [0xbdf020] (4096 bytes => 32 (0x20))
    0000 - 32 32 30 20 6d 78 30 31-2e 63 65 76 6f 2e 64 65   220 mx01.cevo.de
    0010 - 20 45 53 4d 54 50 20 50-6f 73 74 66 69 78 0d 0a    ESMTP Postfix..
    write to 0xbdef20 [0xbe0030] (25 bytes => 25 (0x19))
    0000 - 45 48 4c 4f 20 6f 70 65-6e 73 73 6c 2e 63 6c 69   EHLO openssl.cli
    0010 - 65 6e 74 2e 6e 65 74 0d-0a                        ent.net..
    read from 0xbdef20 [0xbdf020] (4096 bytes => 138 (0x8A))
    0000 - 32 35 30 2d 6d 78 30 31-2e 63 65 76 6f 2e 6c 6f   250-mx01.cevo.lo
    0010 - 63 61 6c 0d 0a 32 35 30-2d 50 49 50 45 4c 49 4e   cal..250-PIPELIN
    0020 - 49 4e 47 0d 0a 32 35 30-2d 53 49 5a 45 20 32 30   ING..250-SIZE 20
    0030 - 39 37 31 35 32 30 0d 0a-32 35 30 2d 56 52 46 59   971520..250-VRFY
    0040 - 0d 0a 32 35 30 2d 45 54-52 4e 0d 0a 32 35 30 2d   ..250-ETRN..250-
    0050 - 53 54 41 52 54 54 4c 53-0d 0a 32 35 30 2d 45 4e   STARTTLS..250-EN
    0060 - 48 41 4e 43 45 44 53 54-41 54 55 53 43 4f 44 45   HANCEDSTATUSCODE
    0070 - 53 0d 0a 32 35 30 2d 38-42 49 54 4d 49 4d 45 0d   S..250-8BITMIME.
    0080 - 0a 32 35 30 20 44 53 4e-0d 0a                     .250 DSN..
    write to 0xbdef20 [0x7ffdc4723d90] (10 bytes => 10 (0xA))
    0000 - 53 54 41 52 54 54 4c 53-0d 0a                     STARTTLS..
    read from 0xbdef20 [0xad1c10] (8192 bytes => 30 (0x1E))
    0000 - 32 32 30 20 32 2e 30 2e-30 20 52 65 61 64 79 20   220 2.0.0 Ready
    0010 - 74 6f 20 73 74 61 72 74-20 54 4c 53 0d 0a         to start TLS..
    write to 0xbdef20 [0xbdefa0] (318 bytes => 318 (0x13E))
    ...
    subject=/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.cevo.de
    issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
    ---
    No client certificate CA names sent
    Peer signing digest: SHA512
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 5189 bytes and written 488 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: zlib compression
    Expansion: zlib compression
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-GCM-SHA384
        Session-ID: 244534A357837835FF9B28366E16DAA71E7D71C53AA9C0C5BBA8A2CFE065AA5A
        Session-ID-ctx:
        Master-Key: 9E8041FD2EC1DD4D3F9FDCEC2D920FA35EA403356DC7498767A43CC650314B0378D73BC7E786C29881BAB7EEE123DF6B
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 3600 (seconds)
        TLS session ticket:
        0000 - 12 89 a5 2e e9 2a 80 e0-29 9a e8 71 41 96 27 ef   .....*..)..qA.'.
        0010 - 58 29 f0 f7 c1 56 66 9a-9e 9e 7b 0f 47 8f 97 06   X)...Vf...{.G...
        0020 - 47 bd 53 50 75 dd 8e 41-4f ea 52 f9 21 fc 30 1a   G.SPu..AO.R.!.0.
        0030 - 68 55 29 29 3c 33 80 f7-b4 af d6 32 21 80 78 24   hU))<3.....2!.x$
        0040 - e7 37 e9 24 77 71 72 58-0e c9 fb 23 2f b8 3c 4d   .7.$wqrX...#/.<M
        0050 - 31 1b bb 8d bf ca b5 cd-ec 24 81 be e4 4f 00 d4   1........$...O..
        0060 - 14 3f e5 68 5b 58 6c 19-b4 a2 03 a7 71 9e f7 58   .?.h[Xl.....q..X
        0070 - 7a 0d b8 dc a6 0e 2c b5-24 5f 8e 33 2c 64 c2 82   z.....,.$_.3,d..
        0080 - d2 25 ed bd e0 17 90 4a-29 a6 b1 4e f7 19 be d6   .%.....J)..N....
        0090 - b0 4d 3f c3 83 29 ec c4-24 e9 5e e0 48 b2 b7 12   .M?..)..$.^.H...
        00a0 - 8a 64 02 71 fe c3 42 e0-2b d7 99 da d3 04 7e 60   .d.q..B.+.....~`

        Compression: 1 (zlib compression)
        Start Time: 1453385327
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    250 DSN

And the log entries for that request:

    Jan 21 15:11:49 mx01 postfix/smtpd[1401]: connect from unknown[172.19.5.135]
    Jan 21 15:11:49 mx01 postfix/smtpd[1401]: setting up TLS connection from unknown[172.19.5.135]
    Jan 21 15:11:49 mx01 postfix/smtpd[1401]: unknown[172.19.5.135]: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
    Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:before/accept initialization
    Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 read client hello A
    Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 write server hello A
    Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 write certificate A
    Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 write key exchange A
    Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 write server done A
    Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 flush data
    Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 read client key exchange A
    Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 read finished A
    Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 write session ticket A
    Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 write change cipher spec A
    Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 write finished A
    Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 flush data
    Jan 21 15:11:49 mx01 postfix/smtpd[1401]: Anonymous TLS connection established from unknown[172.19.5.135]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Here is main.cf (I removed all comments and unnecessary blank lines):

    message_size_limit = 20971520
    # mailbox_size_limit = 51200000
    command_directory = /usr/sbin
    daemon_directory = /usr/lib/postfix
    myhostname = mx01.cevo.local
    myorigin = mx01.cevo.local
    smtp_helo_name = mx01.cevo.de
    append_dot_mydomain = no
    inet_interfaces = all
    inet_protocols = ipv4
    mydestination = $myhostname, localhost.$mydomain, localhost
    mynetworks = 127.0.0.0/8 172.19.3.29 172.19.3.36 172.19.3.41 172.19.3.50 172.19.3.123 192.168.100.28 172.19.3.18
    masquerade_domains = $mydomain
    masquerade_exceptions = root
    transport_maps = hash:/etc/postfix/transport
    disable_vrfy_command = no
    smtpd_banner = mx01.cevo.de ESMTP $mail_name
    local_header_rewrite_clients =
    virtual_alias_domains =
    virtual_alias_maps = hash:/etc/postfix/virtual, ldap:/etc/postfix/ldap.groups, ldap:/etc/postfix/ldap.distlist, ldap:/etc/postfix/ldap.sharedfolderremote, ldap:/etc/postfix/ldap.sharedfolderlocal, ldap:/etc/postfix/ldap.virtual
    virtual_mailbox_domains = ldap:/etc/postfix/ldap.virtualdomains
    virtual_mailbox_maps = hash:/etc/postfix/virtual, ldap:/etc/postfix/ldap.groups, ldap:/etc/postfix/ldap.distlist, ldap:/etc/postfix/ldap.sharedfolderremote, ldap:/etc/postfix/ldap.sharedfolderlocal, ldap:/etc/postfix/ldap.virtual
    virtual_transport = lmtp:127.0.0.1:2003
    canonical_maps = hash:/etc/postfix/canonical
    relocated_maps = hash:/etc/postfix/relocated
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unlisted_recipient
    smtpd_use_tls = yes
    smtpd_tls_auth_only = yes
    smtpd_starttls_timeout = 300s
    smtpd_timeout = 300s
    smtpd_tls_cert_file = /etc/ssl/certs/star_cevo_de.pem
    smtpd_tls_key_file = /etc/ssl/private/star_cevo_de.key
    smtpd_tls_CAfile = /etc/ssl/certs/star_cevo_de.cabundle
    smtpd_tls_received_header = no
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_local_domain =
    smtpd_sasl_security_options = noanonymous
    smtp_tls_security_level = may
    broken_sasl_auth_clients = yes
    smtp_tls_loglevel = 2
    smtpd_tls_loglevel = 2
    smtpd_tls_dh1024_param_file = /etc/postfix/dh_2048.pem
    smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
    tls_preempt_cipherlist = yes
    smtpd_tls_eecdh_grade = strong

And master.cf:

    # ==========================================================================
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (yes)   (never) (50)
    # ==========================================================================
    25        inet  n       -       n       -       -       smtpd
    465       inet  n       -       n       -       -       smtpd
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_tls_wrappermode=yes
    #628      inet  n       -       n       -       -       qmqpd
    pickup    fifo  n       -       n       60      1       pickup
    cleanup   unix  n       -       n       -       0       cleanup
    qmgr      fifo  n       -       n       300     1       qmgr
    #qmgr     fifo  n       -       n       300     1       nqmgr
    rewrite   unix  -       -       n       -       -       trivial-rewrite
    bounce    unix  -       -       n       -       0       bounce
    defer     unix  -       -       n       -       0       bounce
    verify    unix  -       -       n       -       1       verify
    flush     unix  n       -       n       1000?   0       flush
    smtp      unix  -       -       n       -       -       smtp
    showq     unix  n       -       n       -       -       showq
    error     unix  -       -       n       -       -       error
    local     unix  -       n       n       -       -       local
    #virtual  unix  -       n       n       -       -       virtual
    lmtp      unix  -       -       n       -       -       lmtp
    #587      inet  n       -       n       -       -       smtpd -v -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
    relay     unix  -       -       n       -       -       smtp
    trace     unix  -       -       n       -       0       bounce
    proxymap  unix  -       -       n       -       -       proxymap
    anvil     unix  -       -       n       -       1       anvil
    scache    unix  -       -       -       -       1       scache
    discard   unix  -       -       n       -       -       discard
    tlsmgr    unix  -       -       n       1000?   1       tlsmgr

So, as you can see, I can use SSL from my own machine (i.e. from "inside"), but from outside it does not work. I am at the end of my knowledge, which is very limited when it comes to Postfix and mail, tbh. I have googled like hell, but I have not found a solution to my problem.

You are not offering TLS, at least not as seen from outside:

    [me@risby ~]$ telnet mx01.cevo.de 25
    Trying 195.244.228.205...
    Connected to mx01.cevo.de.
    Escape character is '^]'.
    220 mx01.cevo.de ESMTP Service ready
    ehlo me
    250-Requested mail action okay, completed
    250-SIZE 20480000
    250-ETRN
    250-8BITMIME
    250 OK

My guess is that you have an "adaptive" firewall (such as, but not limited to, a Cisco PIX), which is famous for "helpfully" fixing up the SMTP stream by removing the TLS banner.

Tell the firewall to stop messing with SMTP data, or better still, throw it out of the window and use iptables, and external clients should be able to benefit from TLS too.
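The comparison the answer makes by eye, as an added example that is not part of the original question or answer: a small Python script that parses the SMTP greeting and EHLO reply seen from two vantage points and reports what a middlebox between them rewrites or strips. The two sample replies are constructed from the transcripts above (the Internet view and the LAN view). `ehlo_probe` is an assumed helper of my own for running the same check against a live MX; it is not exercised offline, and the HELO name it sends is a placeholder.

```python
import socket

# Constructed samples: greeting + EHLO reply exactly as the two openssl
# s_client runs in the question saw them, from the Internet and from the LAN.
OUTSIDE_REPLY = (
    "220 mx01.cevo.de ESMTP Service ready\r\n"
    "250-Requested mail action okay, completed\r\n"
    "250-SIZE 20480000\r\n"
    "250-ETRN\r\n"
    "250-8BITMIME\r\n"
    "250 OK\r\n"
)
INSIDE_REPLY = (
    "220 mx01.cevo.de ESMTP Postfix\r\n"
    "250-mx01.cevo.local\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 20971520\r\n"
    "250-VRFY\r\n"
    "250-ETRN\r\n"
    "250-STARTTLS\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-8BITMIME\r\n"
    "250 DSN\r\n"
)


def parse_ehlo_session(text):
    """Split a raw greeting + EHLO reply into (banner, greeting, capabilities).

    banner   - text after the 220 code
    greeting - first 250 line (per RFC 5321 the server's hostname, not a keyword)
    caps     - dict of EHLO keyword -> argument from the remaining 250 lines
    """
    banner, greeting, caps = None, None, {}
    for line in text.replace("\r\n", "\n").split("\n"):
        if len(line) < 4:
            continue
        code, rest = line[:3], line[4:]
        if code == "220" and banner is None:
            banner = rest
        elif code == "250":
            if greeting is None:
                greeting = rest
            else:
                parts = rest.split(None, 1)
                caps[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return banner, greeting, caps


def compare_views(outside_text, inside_text):
    """Report what differs between the Internet view and the LAN view of one MX."""
    out_banner, out_greet, out_caps = parse_ehlo_session(outside_text)
    in_banner, in_greet, in_caps = parse_ehlo_session(inside_text)
    return {
        "banner_rewritten": out_banner != in_banner,
        "greeting_rewritten": out_greet != in_greet,
        # extensions the real server offers that the outside never sees
        "stripped": sorted(set(in_caps) - set(out_caps)),
        # "keywords" that only appear outside, i.e. text the middlebox wrote itself
        "injected": sorted(set(out_caps) - set(in_caps)),
        "starttls_outside": "STARTTLS" in out_caps,
    }


def _read_reply(f):
    """Read one possibly multi-line SMTP reply (the last line has a space after the code)."""
    lines = []
    while True:
        line = f.readline()
        lines.append(line)
        if not line or line[3:4] == b" ":
            return b"".join(lines)


def ehlo_probe(host, port=25, helo_name="probe.example.invalid", timeout=10):
    """Assumed helper: talk to a live MX and return greeting + EHLO reply as text.
    Run it once from outside and once from inside, then feed both to compare_views()."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        banner = _read_reply(f)
        s.sendall(b"EHLO " + helo_name.encode("ascii") + b"\r\n")
        ehlo = _read_reply(f)
        s.sendall(b"QUIT\r\n")
    return (banner + ehlo).decode("ascii", "replace")


if __name__ == "__main__":
    for key, value in compare_views(OUTSIDE_REPLY, INSIDE_REPLY).items():
        print("%-20s %s" % (key, value))
```

On the samples from this page the report lists STARTTLS, PIPELINING, VRFY, ENHANCEDSTATUSCODES and DSN as stripped, and "OK" as injected: Postfix's own EHLO reply begins with `$myhostname` and ends with a real keyword, so a greeting line made of RFC boilerplate ("Requested mail action okay, completed") and a closing "250 OK" are the signature of something other than Postfix writing the reply. The "503 Bad sequence of commands" answer to STARTTLS in the outside transcript, together with mail.log showing only "lost connection after EHLO", says the same thing: the STARTTLS command never reached smtpd.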