IMAP and SMTP still use a self-signed SSL certificate even though I issued a mail server SSL in CyberPanel
I am using CyberPanel on CentOS 7 and have set up SSL for my Postfix and Dovecot. But even though I configured SSL with Let's Encrypt, I still get "SSL invalid" caused by a self-signed SSL.
This is /etc/postfix/main.cf:
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.domain.net/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.domain.net/privkey.pem
This is /etc/dovecot/dovecot.conf:
ssl_cert = </etc/letsencrypt/live/mail.domain.net/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.domain.net/privkey.pem
....
local_name mail.domain.net {
  ssl_cert = </etc/letsencrypt/live/mail.domain.net/fullchain.pem
  ssl_key = </etc/letsencrypt/live/mail.domain.net/privkey.pem
}
local_name mail.sub.domain.net {
  ssl_cert = </etc/letsencrypt/live/mail.sub.domain.net/fullchain.pem
  ssl_key = </etc/letsencrypt/live/mail.sub.domain.net/privkey.pem
}
This is /etc/dovecot/conf.d/10-ssl.conf:
ssl = required
ssl_cert = </etc/letsencrypt/live/mail.domain.net/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.domain.net/privkey.pem
All of the files point to the correct SSL files. But when I try to log in to IMAP and SMTP over SSL, I get the error: SSL invalid due to a self-signed certificate for www.example.com (not mail.domain.net).
When I check with the command:
openssl s_client -servername mail.domain.net -connect mail.domain.net:993
CONNECTED(00000003)
depth=0 C = US, ST = Denial, L = Springfield, O = Dis, CN = www.example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = Denial, L = Springfield, O = Dis, CN = www.example.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com
   i:/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com
---
Server certificate
-----BEGIN CERTIFICATE-----
[base64 certificate body omitted]
-----END CERTIFICATE-----
subject=/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com
issuer=/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1590 bytes and written 441 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 88F2CCFDE63FE391E9824F596E0C8300E44CB306F969E2A1C0AFE3B75E5A4D74
    Session-ID-ctx:
    Master-Key: E22198E25F15AA193B9E73446CB934276DF90987DFC75B1B74DDAF3247CA8436CDB93B3274102188B3470DF1A4EFB0D1
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    [hex dump omitted]
    Start Time: 1624855926
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
+OK Dovecot ready.
This is the mail server log (systemctl status postfix -l):
230, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<RLYR5sLFeh62/Xx7>
Jun 28 00:42:37 mail-domain-net dovecot[574952]: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=182.253.XXX.XXX, lip=10.5.224.230, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<WF4U5sLFlym2/Xx7>
Jun 28 00:42:38 mail-domain-net dovecot[574952]: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=182.253.XXX.XXX, lip=10.5.224.230, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<nasX5sLFoim2/Xx7>
Jun 28 00:42:38 mail-domain-net dovecot[574952]: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=182.253.XXX.XXX, lip=10.5.224.230, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<BFYY5sLFrCm2/Xx7>
Jun 28 00:42:38 mail-domain-net dovecot[574952]: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=182.253.XXX.XXX, lip=10.5.224.230, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<YQkZ5sLFrSm2/Xx7>
Please help me: which file or configuration should I check?
I solved this problem by doing the following:
1. Configure a PTR record
I asked my server provider to add a PTR record for my IP address. So when you look up the IP, it returns:
$ nslookup 116.193.250.253
253.250.193.116.in-addr.arpa name = mail.yourprimarymailserverdomain.com.
253.250.193.116.in-addr.arpa name = mail.yoursecondarymailserverdomain.com.
Okay, I use two domains for my email server. If you still get a self-signed SSL, go on to the second step.
2. Manually configure Postfix and Dovecot.
Suppose you are using an older version of CyberPanel, or you created a website before upgrading to v1.9.4. You can go ahead and create mail.domain.com as a subdomain of the main domain, while making sure an SSL is issued for that domain.
Step 1: Open the file /etc/postfix/main.cf with any editor
sudo nano /etc/postfix/main.cf
Step 2: Comment out the following two lines in that file by adding a # at the beginning.
# smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
# smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
Step 3: After the change, add the following lines. Remember to replace YourPrimaryMailServerDomain with your own domain.
# provide the primary certificate for the server, to be used for outgoing connections
smtpd_tls_chain_files = /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/privkey.pem, /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/fullchain.pem
Step 4: To support SNI, you need to add the following lines at the end
# provide the map to be used when SNI support is enabled
tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map
After all the steps above, your file should look like this
# smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
# smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
# provide the primary certificate for the server, to be used for outgoing connections
smtpd_tls_chain_files = /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/privkey.pem, /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/fullchain.pem
# provide the map to be used when SNI support is enabled
tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map
Step 5: Create a new file named vmail_ssl.map in /etc/postfix
sudo touch /etc/postfix/vmail_ssl.map
Step 6: Edit the file to add your domain's SSL certificate to the list, like this
mail.yourprimarymailserverdomain.com /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/privkey.pem /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/fullchain.pem
Step 7 (optional): If you have more than one domain to support, add one per line. The resulting file should look like this
# Compile with postmap -F hash:/etc/postfix/vmail_ssl.map when updating
# One host per line
mail.yourprimarymailserverdomain.com /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/privkey.pem /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/fullchain.pem
mail.yoursecondarymailserverdomain.com /etc/letsencrypt/live/mail.yoursecondarymailserverdomain.com/privkey.pem /etc/letsencrypt/live/mail.yoursecondarymailserverdomain.com/fullchain.pem
# add more domains with keys and certs as needed
Step 8: Open /etc/dovecot/dovecot.conf
sudo nano /etc/dovecot/dovecot.conf
Step 9: Append the following to the end of the file, replacing domain.com with your own domain.
local_name mail.domain.com {
  ssl_cert = </etc/letsencrypt/live/mail.domain.com/fullchain.pem
  ssl_key = </etc/letsencrypt/live/mail.domain.com/privkey.pem
}
Step 10: Recompile the postmap with SNI using the following command
postmap -F hash:/etc/postfix/vmail_ssl.map
Step 11: Restart Postfix.
systemctl restart postfix
Step 12: Restart Dovecot
systemctl restart dovecot
Connect again with your mail client and you should no longer see the error.
Reference: https://cyberpanel.net/docs/6-self-signed-ssl-error-on-outlook-thunderbird/
Good luck. :)
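To confirm the fix above took effect on every name listed in vmail_ssl.map, the script below (an added example, not code from the question, the answer or CyberPanel) connects to IMAPS and SMTPS with SNI the way a strict mail client would and reports whether the served certificate is self-signed or issued for the wrong name; the map path and the ports 993/465 are assumptions.

```python
"""Added example: probe the IMAPS/SMTPS endpoints from a Postfix tls_server_sni_maps source file."""
import socket
import ssl
from typing import Any, Dict, Optional

def _name_matches(pattern: str, host: str) -> bool:
    """Match a certificate DNS name against a host, allowing one left-most wildcard label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host

def assess_peer_cert(cert: Dict[str, Any], expected_host: str) -> Dict[str, Any]:
    """Evaluate a dict shaped like ssl.SSLSocket.getpeercert(): self-signed? names the host?"""
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names and "commonName" in subject:  # legacy certificates without a SAN fall back to CN
        names = [subject["commonName"]]
    return {
        "subject_cn": subject.get("commonName"),
        "issuer_cn": issuer.get("commonName"),
        "self_signed": subject == issuer,      # the www.example.com case from the question
        "name_matches": any(_name_matches(n, expected_host) for n in names),
    }

def probe_tls(host: str, port: int, sni: Optional[str] = None, timeout: float = 5.0) -> Dict[str, Any]:
    """Implicit-TLS connect (993 IMAPS / 465 SMTPS) using the platform trust store and SNI."""
    sni = sni or host
    ctx = ssl.create_default_context()  # verifies the chain and the hostname, like a mail client
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                return {"host": host, "port": port, "ok": True, **assess_peer_cert(tls.getpeercert(), sni)}
    except ssl.SSLCertVerificationError as err:
        # e.g. verify_code 18 "self signed certificate", exactly what openssl s_client reported above
        return {"host": host, "port": port, "ok": False, "verify_code": err.verify_code, "reason": err.verify_message}

def hosts_from_sni_map(text: str):
    """Yield hostnames from a tls_server_sni_maps source file (host, key, chain per line)."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split()[0]

if __name__ == "__main__":
    with open("/etc/postfix/vmail_ssl.map") as fh:  # assumed path, as used in the answer
        for name in hosts_from_sni_map(fh.read()):
            for port in (993, 465):
                print(probe_tls(name, port))
```

A result with "ok": False and verify_code 18 means the daemon still serves the default self-signed certificate for that name; "ok": True with "name_matches": False means a valid but wrong-host certificate, i.e. the SNI map or the Dovecot local_name block does not cover that name.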