Linux

Exim TLS and secure SMTP

  • May 16, 2017

I'm converting an existing mail server for one of our clients to support encrypted SMTP, but I've hit a brick wall with almost no useful log data to help me along. Everything works fine using normal unencrypted SMTP; things only go pear-shaped when trying to use encrypted SMTP.

My exim configuration file contains the following:

# Allow any client to use TLS
tls_advertise_hosts                       =  *

# Specify the location of the Exim server's TLS certificate and private key.
tls_certificate                           =  /etc/exim/exim.crt
tls_privatekey                            =  /etc/exim/exim.key 

Initially Exim seemed to work as expected and I was able to connect to the mail server securely and authenticate, but after I got to the recipient part of the SMTP session the connection dropped. This problem does not occur when using an unencrypted connection.

To test secure SMTP I'm using the following command:

openssl s_client -starttls smtp -crlf -connect localhost:25

This is the output I get:

CONNECTED(00000003)
depth=0 C = ZA, etc, etc
verify error:num=18:self signed certificate
verify return:1
depth=0 C = ZA, etc, etc
verify return:1
---
Certificate chain
0 s:/C=ZA/etc,etc
  i:/C=ZA/etc,etc
---
Server certificate
subject=/C=ZA/etc,etc
---
No client certificate CA names sent
---
SSL handshake has read 1275 bytes and written 444 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
   Protocol  : TLSv1
   Cipher    : AES256-SHA
   Session-ID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
   Session-ID-ctx: 
   Master-Key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
   Key-Arg   : None
   PSK identity: None
   PSK identity hint: None
   TLS session ticket:

   Compression: 1 (zlib compression)
   Start Time: 1315250595
   Timeout   : 300 (sec)
   Verify return code: 18 (self signed certificate)
---
250 HELP
HELO localhost
250 OK
MAIL FROM:someone@somewhere.com
250 OK
RCPT TO:anyone@nowhere.com
RENEGOTIATING
depth=0 C = ZA, etc, etc
verify error:num=18:self signed certificate
verify return:1
depth=0 C = ZA, etc, etc
verify return:1
421 lost input connection
read:errno=0

I replaced the email addresses and organisation tree in the output above with junk data, since they're irrelevant: I don't have the same problem when using normal SMTP. The transaction above happens whether I try connecting from the local host or from an external source. I should also note that I'm using a self-signed certificate generated with OpenSSL. Also, in the example above there is no authentication data, because I ran the test from localhost, which allows all mail without authentication.

As you can see in the output above, Exim seems to break during/after the string “RENEGOTIATING” is emitted.

Since the output I get during the SMTP session isn't very helpful, I also tried running Exim in debug + all mode. For brevity I won't post the full SMTP transaction, since the whole session is perfectly normal until I specify the recipient address. Here is the exact snippet of Exim debug data I get after entering the recipient address and pressing enter:

21:42:10  7425 SSL info: before accept initialization
21:42:10  7425 SSL info: before accept initialization
21:42:10  7425 SSL info: SSLv3 read client hello A
21:42:10  7425 SSL info: SSLv3 write server hello A
21:42:10  7425 SSL info: SSLv3 write certificate A
21:42:10  7425 SSL info: SSLv3 write server done A
21:42:10  7425 SSL info: SSLv3 flush data
21:42:10  7425 SSL info: SSLv3 read client key exchange A
21:42:10  7425 SSL info: SSLv3 read finished A
21:42:10  7425 SSL info: SSLv3 write session ticket A
21:42:10  7425 SSL info: SSLv3 write change cipher spec A
21:42:10  7425 SSL info: SSLv3 write finished A
21:42:10  7425 SSL info: SSLv3 flush data
21:42:10  7425 SSL info: SSL negotiation finished successfully
21:42:10  7425 SSL info: SSL negotiation finished successfully
21:42:10  7425 Got SSL error 2
21:42:10  7425 SMTP>> 421 lost input connection
21:42:10  7425 tls_do_write(1db4020, 48)
21:42:10  7425 SSL_write(SSL, 1db4020, 48)
21:42:10  7425 outbytes=48 error=0
21:42:10  7425 LOG: lost_incoming_connection MAIN
21:42:10  7425   unexpected disconnection while reading SMTP command from (localhost) [127.0.0.1]
21:42:10  7425 search_tidyup called
21:42:10  7194 child 7425 ended: status=0x100
21:42:10  7194 0 SMTP accept processes now running
21:42:10  7194 Listening...

Found this in 30 seconds by Googling “openssl s_client RENEGOTIATING”: s_client's R “feature”

In short - pressing “R” in an s_client session causes openssl to renegotiate. Try entering “rcpt to:” instead of “RCPT TO”.

You could also try tools better suited to SMTP-specific testing, such as Tony Finch's smtpc or swaks.

To have exim require encryption for authentication, I set this in /etc/exim/exim.conf:

auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}

I also force TLS 1.2:

openssl_options = +no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1

Between two identical exim servers I noticed that one uses AES-GCM and the other ChaCha20-Poly1305 for encryption, not sure why. The cipher used depends on the host's CPU and its AES support.
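As an added check (not part of the original thread), this Python script verifies that an Exim server behaves as the configuration above intends: AUTH is offered only after STARTTLS, and nothing older than TLS 1.2 is negotiated. It uses smtplib rather than s_client, which also sidesteps the “R”/“Q” pitfall from the first answer; the host, port and the constructed EHLO replies are assumptions.

```python
from __future__ import annotations

import smtplib
import ssl

# Protocol versions left enabled by the openssl_options line above (no SSLv2/3, no TLS 1.0/1.1).
ALLOWED_TLS = {"TLSv1.2", "TLSv1.3"}


def parse_ehlo(reply: bytes) -> set[str]:
    """Extract extension keywords from an EHLO reply as smtplib.SMTP.ehlo() returns it:
    one line per 250 response line, with the '250-'/'250 ' prefix already stripped.
    The first line is the server greeting; the rest are keywords (case-insensitive)."""
    exts: set[str] = set()
    for line in reply.decode("ascii", "replace").splitlines()[1:]:
        words = line.split()
        if words:
            exts.add(words[0].upper())
    return exts


def evaluate(pre: set[str], post: set[str], tls_version: str | None) -> list[str]:
    """Compare the pre- and post-STARTTLS extension sets against the policy.
    Returns a list of findings; an empty list means the policy holds."""
    findings = []
    if "STARTTLS" not in pre:
        findings.append("STARTTLS not advertised (check tls_advertise_hosts)")
    if "AUTH" in pre:
        findings.append("AUTH advertised on the cleartext session: credentials could go unencrypted")
    if "AUTH" not in post:
        findings.append("AUTH not advertised after STARTTLS (check auth_advertise_hosts)")
    if tls_version not in ALLOWED_TLS:
        findings.append(f"negotiated {tls_version!r}, expected one of {sorted(ALLOWED_TLS)}")
    return findings


def probe(host: str = "localhost", port: int = 25) -> list[str]:
    """Run the live check against an SMTP server (host and port are assumptions)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # the question uses a self-signed test certificate,
    ctx.verify_mode = ssl.CERT_NONE   # so chain validation is skipped for this local probe only
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        _, msg = smtp.ehlo()
        pre = parse_ehlo(msg)
        smtp.starttls(context=ctx)    # smtplib issues STARTTLS itself; no interactive 'R'/'Q' handling
        _, msg = smtp.ehlo()          # EHLO must be repeated after STARTTLS (RFC 3207)
        post = parse_ehlo(msg)
        return evaluate(pre, post, smtp.sock.version())
```

Run `probe()` against the server under test; an empty list means AUTH is gated behind TLS and the protocol floor holds.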

Source: https://serverfault.com/questions/308385