Postfix

Postfix 使用多個 IP 時的 TLS 設定

  • November 6, 2020

我正在嘗試將 Postfix 設定為：經由多個 IP 寄出的郵件，各自使用不同的金鑰／憑證進行 TLS 加密。

main.cf postconf -n:

   # main.cf as reported by `postconf -n` (non-default settings only).
   # NOTE(review): there is no smtp_tls_security_level here. The SMTP *client*
   # (outbound delivery) therefore keeps its default of "none", so outbound
   # mail goes out in the clear no matter what the smtp_tls_mandatory_* lines
   # below say — that is what Gmail's "not encrypted" indicator is reporting.
   alias_database = hash:/etc/aliases
   alias_maps = hash:/etc/aliases
   # anvil: time window and status interval for the per-client rate limit
   # (smtpd_client_message_rate_limit below).
   anvil_rate_time_unit = 86400s
   anvil_status_update_time = 120s
   append_dot_mydomain = no
   biff = no
   compatibility_level = 2
   # Listen on every interface; the per-IP services are then selected in master.cf.
   inet_interfaces = all
   inet_protocols = ipv4
   mailbox_size_limit = 0
   # Milter on localhost:8891 (presumably a DKIM signer — verify); "accept"
   # means mail is still accepted when the milter is down or errors out.
   milter_default_action = accept
   milter_protocol = 6
   # NOTE: localhost.localdomain is listed twice — harmless, likely a copy/paste slip.
   mydestination = $myhostname, domain.com, localhost.localdomain, localhost.localdomain, localhost
   myhostname = domain.com
   # Only loopback is trusted; every other client must SASL-authenticate
   # (see the smtpd_*_restrictions below).
   mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
   myorigin = /etc/mailname
   non_smtpd_milters = inet:localhost:8891
   readme_directory = no
   recipient_delimiter = +
   relayhost =
   # Per-sender transport selection. This is the natural hook for giving each
   # sending domain its own outbound source IP and client certificate: define
   # one smtp transport per domain in master.cf (-o smtp_bind_address=...,
   # -o smtp_tls_cert_file=..., -o smtp_tls_key_file=...) and map senders to
   # those transports here.
   sender_dependent_default_transport_maps = hash:/etc/postfix/sender_transport
   # Client-side (outbound) TLS. The *_mandatory_* parameters only take effect
   # at security level "encrypt" or stricter; under the opportunistic "may"
   # level the governing parameters are smtp_tls_protocols / smtp_tls_ciphers.
   # Also note that "!SSLv2,!SSLv3" still permits TLS 1.0 and 1.1.
   smtp_tls_mandatory_ciphers = high
   smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
   smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
   smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
   smtpd_client_event_limit_exceptions = $mynetworks
   smtpd_client_message_rate_limit = 200
   # Port-25 default: only loopback or SASL-authenticated clients get past the
   # client stage. NOTE(review): with mynetworks limited to loopback, this
   # appears to reject remote MTAs delivering to the domains in mydestination —
   # intended only if this host never receives Internet mail.
   smtpd_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject
   smtpd_milters = inet:localhost:8891
   smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
   smtpd_sasl_auth_enable = yes
   smtpd_sasl_local_domain = $myhostname
   smtpd_sasl_security_options = noanonymous
   # Server-side (inbound) TLS. Same caveat as above: the mandatory_* values
   # apply only at "encrypt" or stricter, and the main smtp service runs at "may".
   smtpd_tls_mandatory_ciphers = high
   smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
   smtpd_tls_security_level = may
   smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
   # Legacy (pre-2.3) switch; smtpd_tls_security_level above supersedes it.
   smtpd_use_tls = yes
   # NOTE(review): no smtpd_tls_cert_file / smtpd_tls_key_file is set globally;
   # only the two submission services in master.cf get certificates via -o
   # overrides. Check the log for what TLS the port-25 smtpd can actually offer.
   # Explicit override of the built-in "high" grade. It is consulted only where
   # a *_ciphers parameter selects "high" (here: the two mandatory_* lines), and
   # it still allows CBC/SHA-1 suites (the "...-SHA" entries) next to the AEAD ones.
   tls_high_cipherlist = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

master.cf:

   # Public port 25 (inbound MTA-to-MTA). Uses the main.cf defaults, so its TLS
   # is "may" with no certificate configured at this level.
   smtp      inet  n       -       y       -       -       smtpd
   # postscreen / dnsblog / tlsproxy front-end is disabled (stock template lines).
   #smtp      inet  n       -       y       -       1       postscreen
   #smtpd     pass  -       -       y       -       -       smtpd
   #dnsblog   unix  -       -       y       -       0       dnsblog
   #tlsproxy  unix  -       -       y       -       0       tlsproxy
   # The catch-all submission listener is disabled in favour of the per-IP ones below.
   #submission inet n       -       y       -       -       smtpd
   # Submission (587) bound to loopback only, presenting the domain.com certificate.
   # NOTE(review): these are *server-side* (smtpd_tls_*) certificates — they affect
   # what mail clients submitting to this host see. They have no effect on the
   # certificate or IP used when Postfix's SMTP client delivers mail onward, which
   # is what the question is about (that is set via smtp_tls_cert_file /
   # smtp_bind_address on the outbound transport).
   127.0.0.1:submission inet n       -       y       -       -       smtpd
     -o syslog_name=postfix/submission
     # Submission requires TLS and SASL; anonymous SASL mechanisms are refused.
     -o smtpd_tls_security_level=encrypt
     -o smtpd_sasl_auth_enable=yes
     -o smtpd_sasl_security_options=noanonymous
     # Do not reject unknown local recipients at RCPT on this service; only
     # SASL-authenticated clients reach it anyway (see the two restrictions below).
     -o smtpd_reject_unlisted_recipient=no
     -o smtpd_client_restrictions=permit_sasl_authenticated,reject
     -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
     -o smtpd_tls_cert_file=/srv/letsencrypt/ssl/domain.com/domain.com_chained.crt
     -o smtpd_tls_key_file=/srv/letsencrypt/ssl/domain.com/domain.com.key

   # domain2.com
   # Same submission service bound to a second public IP, presenting the
   # domain2.com certificate. Keep the key file readable by root only; it is
   # loaded before smtpd drops privileges.
   111.1.1.222:submission inet n       -       y       -       -       smtpd
     -o syslog_name=postfix/submission
     -o smtpd_tls_security_level=encrypt
     -o smtpd_sasl_auth_enable=yes
     -o smtpd_sasl_security_options=noanonymous
     -o smtpd_reject_unlisted_recipient=no
     -o smtpd_client_restrictions=permit_sasl_authenticated,reject
     -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
     -o smtpd_tls_key_file=/srv/letsencrypt/ssl/domain2.com/domain2.com.key
     -o smtpd_tls_cert_file=/srv/letsencrypt/ssl/domain2.com/domain2.com_chained.crt

郵件日誌:

   Oct 28 11:43:05 zipserver postfix/postfix-script[2239]: starting the Postfix mail system
   Oct 28 11:43:05 zipserver postfix/master[2241]: daemon started -- version 3.3.0, configuration /etc/postfix
   Oct 28 11:43:32 zipserver postfix/pickup[2242]: 0BFA8104115B: uid=1000 from=<test@domain.com>
   Oct 28 11:43:32 zipserver postfix/cleanup[2248]: 0BFA8104115B: message-id=<20201028104332.0BFA8104115B@domain.com>
   Oct 28 11:43:32 zipserver postfix/qmgr[2243]: 0BFA8104115B: from=<test@domain.com>, size=407, nrcpt=1 (queue active)
   Oct 28 11:43:32 zipserver postfix/smtp[2250]: 0BFA8104115B: to=<myaccount@gmail.com>, relay=gmail-smtp-in.l.google.com[64.233.167.27]:25, delay=0.46, delays=0.13/0.01/0.05/0.27, dsn=2.0.0, status=sent (250 2.0.0 OK  1603881812 s81si4271295wmf.188 - gsmtp)
   Oct 28 11:43:32 zipserver postfix/qmgr[2243]: 0BFA8104115B: removed

版本:

   postconf -d | grep mail_version
   mail_version = 3.3.0

但郵件送達 Gmail 時顯示紅色打叉的鎖頭圖示，Gmail 表示這封郵件未經加密傳送。我漏了什麼？

先在 main.cf 中設定 `smtp_tls_security_level = may`（或更嚴格的等級）。

你沒有設定任何讓 Postfix 偏離其預設行為的選項，而預設行為就是寄出郵件時不使用 TLS。請注意你設定的都是 smtpd_*（收信端）參數；對外寄信的是 Postfix 的 SMTP 用戶端，由 smtp_*（沒有 d）參數控制，而 smtp_tls_security_level 目前並未設定。`may` 是允許使用 TLS 的最基本（機會式）設定；在這個等級下，你已設定的 smtp_tls_mandatory_ciphers／smtp_tls_mandatory_protocols 並不生效，實際適用的是 smtp_tls_protocols 與 smtp_tls_ciphers。另外要知道，機會式 TLS 只能防被動竊聽，無法防主動剝除 STARTTLS 的攻擊；若需要對特定目的地強制經過驗證的加密，可用 smtp_tls_policy_maps 為該目的地指定 `secure` 或 `dane` 等級。還有其他更細緻的控制方式——請用 `man 5 postconf` 查閱各選項的確切含義。

為了方便進一步排查，我也建議設定 `smtp_tls_loglevel = 1`（注意參數名稱是 smtp_tls_loglevel，不是 smtp_tls_log_level；這會把對外連線的 TLS 交握資訊寫進 syslog），以及 `smtpd_tls_received_header = yes`（在 Received: 標頭中記錄郵件送入本伺服器時所使用的 TLS 資訊）。

引用自:https://serverfault.com/questions/1040349