Postfix
後綴 TLS 與未知斷開連接
我用 sasl 和 TLS 我的 postconf -e 安裝 centos 6.4 posttfix
alias_database = hash:/etc/aliases alias_maps = hash:/etc/aliases broken_sasl_auth_clients = yes command_directory = /usr/sbin config_directory = /etc/postfix daemon_directory = /usr/libexec/postfix data_directory = /var/lib/postfix debug_peer_level = 2 home_mailbox = Maildir/ html_directory = no inet_interfaces = all inet_protocols = all mail_owner = postfix mailq_path = /usr/bin/mailq.postfix manpage_directory = /usr/share/man mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain mydomain = itzena.cz myhostname = server.itzena.cz myorigin = $mydomain newaliases_path = /usr/bin/newaliases.postfix queue_directory = /var/spool/postfix readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES sample_directory = /usr/share/doc/postfix-2.6.6/samples sendmail_path = /usr/sbin/sendmail.postfix setgid_group = postdrop smtp_tls_note_starttls_offer = yes smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination smtpd_sasl_auth_enable = yes smtpd_sasl_security_options = noanonymous smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key smtpd_tls_received_header = yes smtpd_tls_security_level = may unknown_local_recipient_reject_code = 550
/etc/postfix/main.cf
[root@server postfix]# cat /etc/postfix/master.cf # # Postfix master process configuration file. For details on the format # of the file, see the master(5) manual page (command: "man 5 master"). # # Do not forget to execute "postfix reload" after editing this file. # # ========================================================================== # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) # ========================================================================== smtp inet n - n - - smtpd #submission inet n - n - - smtpd # -o smtpd_tls_security_level=encrypt # -o smtpd_sasl_auth_enable=yes # -o smtpd_client_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING #smtps inet n - n - - smtpd # -o smtpd_tls_wrappermode=yes # -o smtpd_sasl_auth_enable=yes # -o smtpd_client_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING #628 inet n - n - - qmqpd pickup fifo n - n 60 1 pickup cleanup unix n - n - 0 cleanup qmgr fifo n - n 300 1 qmgr #qmgr fifo n - n 300 1 oqmgr tlsmgr unix - - n 1000? 1 tlsmgr rewrite unix - - n - - trivial-rewrite bounce unix - - n - 0 bounce defer unix - - n - 0 bounce trace unix - - n - 0 bounce verify unix - - n - 1 verify flush unix n - n 1000? 0 flush proxymap unix - - n - - proxymap proxywrite unix - - n - 1 proxymap smtp unix - - n - - smtp # When relaying mail as backup MX, disable fallback_relay to avoid MX loops relay unix - - n - - smtp -o smtp_fallback_relay= # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 showq unix n - n - - showq error unix - - n - - error retry unix - - n - - error discard unix - - n - - discard local unix - n n - - local virtual unix - n n - - virtual lmtp unix - - n - - lmtp anvil unix - - n - 1 anvil scache unix - - n - 1 scache # # ==================================================================== # Interfaces to non-Postfix software. Be sure to examine the manual # pages of the non-Postfix software to find out what options it wants. # # Many of the following services use the Postfix pipe(8) delivery # agent. See the pipe(8) man page for information about ${recipient} # and other message envelope options. # ==================================================================== # # maildrop. See the Postfix MAILDROP_README file for details. # Also specify in main.cf: maildrop_destination_recipient_limit=1 # #maildrop unix - n n - - pipe # flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient} # # ==================================================================== # # The Cyrus deliver program has changed incompatibly, multiple times. # #old-cyrus unix - n n - - pipe # flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user} # # ==================================================================== # # Cyrus 2.1.5 (Amos Gouaux) # Also specify in main.cf: cyrus_destination_recipient_limit=1 # #cyrus unix - n n - - pipe # user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user} # # ==================================================================== # # See the Postfix UUCP_README file for configuration details. # #uucp unix - n n - - pipe # flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) # # ==================================================================== # # Other external delivery methods. # #ifmail unix - n n - - pipe # flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) # #bsmtp unix - n n - - pipe # flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient # #scalemail-backend unix - n n - 2 pipe # flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store # ${nexthop} ${user} ${extension} # #mailman unix - n n - - pipe # flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py # ${nexthop} ${user}
遠端登錄本地主機 25
[root@server postfix]# telnet localhost 25 Trying ::1... Connected to localhost. Escape character is '^]'. 220 server.itzena.cz ESMTP Postfix ehlo localhost 250-server.itzena.cz 250-PIPELINING 250-SIZE 10240000 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH LOGIN PLAIN 250-AUTH=LOGIN PLAIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN
似乎配置了 TLS 和 SASL
現在我嘗試使用 thundebird 從我的 PC 連接到郵件伺服器,但在 /var/log/maillog 我看到
Jul 11 21:12:17 server postfix/smtpd[2444]: connect from unknown[88.146.132.31] Jul 11 21:12:17 server postfix/smtpd[2441]: improper command pipelining after EHLO from unknown[88.146.132.31] Jul 11 21:12:17 server postfix/smtpd[2441]: disconnect from unknown[88.146.132.31] Jul 11 21:12:17 server postfix/smtpd[2444]: improper command pipelining after EHLO from unknown[88.146.132.31] Jul 11 21:12:17 server postfix/smtpd[2444]: disconnect from unknown[88.146.132.31]
在雷鳥中,我無法連接到郵件伺服器以發送電子郵件
swaks -s localhost --to mardon@itzena.cz --from postmaster@itzena.cz -tls -p 25 === Trying localhost:25... === Connected to localhost. <- 220 server.itzena.cz ESMTP Postfix -> EHLO server.itzena.cz <- 250-server.itzena.cz <- 250-PIPELINING <- 250-SIZE 10240000 <- 250-VRFY <- 250-ETRN <- 250-STARTTLS <- 250-AUTH LOGIN PLAIN <- 250-AUTH=LOGIN PLAIN <- 250-ENHANCEDSTATUSCODES <- 250-8BITMIME <- 250 DSN -> STARTTLS <- 220 2.0.0 Ready to start TLS === TLS started w/ cipher DHE-RSA-AES256-SHA === TLS peer subject DN="/C=cz/L=valmez/O=itzena/OU=admin/CN=server.itzena.cz/emailAddress=admin@itzena.cz" ~> EHLO server.itzena.cz <~ 250-server.itzena.cz <~ 250-PIPELINING <~ 250-SIZE 10240000 <~ 250-VRFY <~ 250-ETRN <~ 250-AUTH LOGIN PLAIN <~ 250-AUTH=LOGIN PLAIN <~ 250-ENHANCEDSTATUSCODES <~ 250-8BITMIME <~ 250 DSN ~> MAIL FROM:<postmaster@itzena.cz> <~ 250 2.1.0 Ok ~> RCPT TO:<mardon@itzena.cz> <~ 250 2.1.5 Ok ~> DATA <~ 354 End data with <CR><LF>.<CR><LF> ~> Date: Fri, 12 Jul 2013 06:35:27 +0200 ~> To: mardon@itzena.cz ~> From: postmaster@itzena.cz ~> Subject: test Fri, 12 Jul 2013 06:35:27 +0200 ~> X-Mailer: swaks v20111230.0 jetmore.org/john/code/swaks/ ~> ~> This is a test mailing ~> ~> . <~ 250 2.0.0 Ok: queued as 7A820184A ~> QUIT
在雷鳥自動連接中沒有任何檢測,比我手動設置但沒有任何功能
在 master.cf 我取消註釋
smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING
在 iptables 上允許埠 465,現在是功能
通過 SSL 的 Postfix 不使用埠 25?