Centos
Postfix TLS does not read or find the key
I am having problems sending mail to my server, and there are indications of a TLS error (mostly from the mail log). What I have tried:
- Made sure postfix / dovecot can read the certificates (created a new group "certs") and tested it (see the postfix test below)
- Made sure there are no selinux alerts
- openssl s_client -connect ${IP}:465 fails, but port 443 works
- nmap ${URL} shows ports 25,53,80,110,139,143,443,445,993,995 all open
- nmap ${LOCALIP} shows ports 22,25,80,110,143,443,993,995 open and 465,587 closed
- telnet ${IP} 25 and running starttls fails (454 4.7.0 TLS not available due to local problem)
- The letsencrypt certificates were copied from a working haproxy server (all of /etc/letsencrypt copied)
- Reset /etc/postfix/*.cf by moving them to *.cf.bak and reinstalling postfix

Additional notes:
- I have been running ansible-hardening on the server: https://github.com/openstack/ansible-hardening
- The certificate is valid for https use (verified with Firefox)
- Tried sending email to the server from gmail and Sharklasers

Logs:
# cat /var/log/maillog
postfix/postfix-script: starting the Postfix mail system
postfix/master: daemon started -- version 2.10.1, configuration /etc/postfix
postfix/smtpd: warning: No server certs available. TLS won't be enabled
postfix/smtpd: connect from unknown[${IP}]

# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = example.com
myhostname = webserver1.example.com
mynetworks = 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_cert_file = /etc/letsencrypt/live/example.com/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/example.com/privkey.pem
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtpd_client_restrictions = permit_mynetworks, reject
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550

# doveconf -n
# 2.2.10: /etc/dovecot/dovecot.conf
# OS: Linux 3.10.0-693.21.1.el7.x86_64 x86_64 CentOS Linux release 7.4.1708 (Core) xfs
auth_mechanisms = plain login
first_valid_uid = 1000
mail_location = maildir:/var/spool/mail/%u
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
}
ssl = required
ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/example.com/privkey.pem
userdb {
  driver = passwd
}

#
# Could replace cat /etc/postfix/main.cf with postconf -n
#
# sudo -u postfix cat $(cat /etc/postfix/main.cf | grep -i smtp_tls_cert_file | cut --delimiter="=" --fields=2)
-----BEGIN CERTIFICATE-----
...key text...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...key text...
-----END CERTIFICATE-----
# sudo -u postfix cat $(cat /etc/postfix/main.cf | grep -i smtp_tls_key_file | cut --delimiter="=" --fields=2)
-----BEGIN PRIVATE KEY-----
...private key text...
-----END PRIVATE KEY-----
# sealert -a /var/log/audit/audit.log
100% done
found 0 alerts in /var/log/audit/audit.log
Both openssl commands gave equivalent responses (port 443 gives a different response, and works).
$ openssl s_client -starttls smtp -connect ${IP}:587
$ openssl s_client -starttls smtp -connect ${IP/URL}:465
CONNECTED(00000003)
140495880024000:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:252:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1520878163
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

$ telnet ${IP} 25
Trying ${IP}...
Connected to ${IP}.
Escape character is '^]'.
220 webserver1.example.com ESMTP Postfix
ehlo localhost
250-webserver1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
starttls
454 4.7.0 TLS not available due to local problem
Try changing the smtp_tls_cert and smtp_tls_key configuration to the following:

smtpd_tls_cert_file = /etc/letsencrypt/live/example.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/example.com/privkey.pem

Note the d in smtpd.
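As an added example, not part of the question or the answer above, here is a small POSIX shell script that inspects a `postconf -n` dump for the server-side (smtpd_tls_*) certificate and key parameters and flags the slip this question hit: the smtp_tls_* parameters only configure Postfix as an outbound SMTP client, so setting them does nothing for the daemon that answers inbound STARTTLS, which is what the "No server certs available" warning refers to. The two configuration dumps embedded below are constructed samples; the optional verify_cert_key_pair function is meant for the real host and assumes openssl is installed there.

```shell
#!/bin/sh
# Added example: check a Postfix `postconf -n` dump for server-side TLS settings.
# Not code from the original question or answer.

# Constructed sample reproducing the misconfiguration in the question:
# only the client-side smtp_tls_* parameters carry the certificate and key.
SAMPLE_BROKEN='smtp_tls_cert_file = /etc/letsencrypt/live/example.com/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/example.com/privkey.pem
smtp_tls_security_level = may
smtpd_tls_security_level = may'

# Constructed sample after applying the fix from the answer (note the d in smtpd).
SAMPLE_FIXED='smtp_tls_cert_file = /etc/letsencrypt/live/example.com/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/example.com/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/example.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/example.com/privkey.pem
smtpd_tls_security_level = may'

# postconf_value DUMP PARAM: print PARAM's value from a postconf -n dump
# (prints nothing when the parameter is absent). Anchored at line start, so
# "smtp_tls_cert_file" never matches "smtpd_tls_cert_file" or vice versa.
postconf_value() {
    printf '%s\n' "$1" | sed -n "s/^$2[[:space:]]*=[[:space:]]*//p"
}

# check_smtpd_tls DUMP: return 0 when the server-side certificate and key are
# configured, 1 otherwise, printing a short diagnosis either way.
check_smtpd_tls() {
    cert=$(postconf_value "$1" smtpd_tls_cert_file)
    key=$(postconf_value "$1" smtpd_tls_key_file)
    level=$(postconf_value "$1" smtpd_tls_security_level)

    if [ -z "$cert" ] || [ -z "$key" ]; then
        echo "smtpd TLS is NOT configured: smtpd_tls_cert_file / smtpd_tls_key_file missing"
        # The common slip: the client-side parameters were set instead.
        if [ -n "$(postconf_value "$1" smtp_tls_cert_file)" ]; then
            echo "  hint: smtp_tls_cert_file is set, but inbound STARTTLS needs smtpd_tls_cert_file"
        fi
        return 1
    fi
    echo "smtpd TLS configured: cert=$cert key=$key security_level=${level:-none}"
    return 0
}

# verify_cert_key_pair CERT KEY: for use on the live host. Confirms both files
# are readable by the current user and that the private key belongs to the
# certificate, by comparing the public key each one carries. Needs openssl.
verify_cert_key_pair() {
    [ -r "$1" ] && [ -r "$2" ] || { echo "certificate or key is not readable"; return 1; }
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || {
        echo "private key does not match the certificate"; return 1; }
    echo "certificate and key match"
}

# Demo on the constructed samples. On a real host run instead:
#   check_smtpd_tls "$(postconf -n)" && verify_cert_key_pair "$cert" "$key"
check_smtpd_tls "$SAMPLE_BROKEN" || true
check_smtpd_tls "$SAMPLE_FIXED"
```

Run the check as the postfix user (sudo -u postfix) so that the readability test in verify_cert_key_pair reflects the permissions the daemon actually has, which is the other common reason for the same "No server certs available" warning.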