POSTFIX cannot connect from SMTP with TLS
Thanks everyone for helping me :). I was working on a direct bulk mail sender project; my program ran fine, then it gave me an error, and I spent too much time over the past 2 days searching through articles (very low level) about what I was debugging (I fell asleep). The problem was caused by a tiny thing, "str(email)": the email here represents the sender list (for bulk processing of different accounts), and it should have been a list, not a str :/. It took a long time, but I learned a lot of cool things on this journey :). In short: don't be afraid of making small mistakes.
I can connect from outside with openssl, but not with telnet (on mail.example.com:587):
openssl s_client -starttls smtp -connect mail.example.com:587
After I execute starttls in the smtp connection, the connection is closed by the foreign host.
mail log
Dec 6 15:45:45 example postfix/submission/smtpd[5149]: connect from unknown[********]
Dec 6 15:45:57 example postfix/submission/smtpd[5149]: SSL_accept error from unknown[********]: -1
Dec 6 15:45:57 example postfix/submission/smtpd[5149]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:252:
Dec 6 15:45:57 example postfix/submission/smtpd[5149]: lost connection after STARTTLS from unknown[*******]
Dec 6 15:45:57 example postfix/submission/smtpd[5149]: disconnect from unknown[*********] ehlo=1 starttls=0/1 commands=1/2
postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
compatibility_level = 2
daemon_directory = /usr/lib/postfix/sbin
data_directory = /var/lib/postfix
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = all
local_recipient_maps = unix:passwd.byname $alias_maps
mailbox_size_limit = 0
milter_default_action = accept
milter_protocol = 2
mydestination = mail.example.com,example.com, localhost,localhost.localdomain
mydomain = example.com
myhostname = mail.example.com
mynetworks = 168.100.189.0/28, 127.0.0.0/8,***.**.***.**/25
myorigin = /etc/mailname
newaliases_path = /usr/bin/newaliases
non_smtpd_milters = inet:localhost:12301
recipient_delimiter = +
sendmail_path = /usr/sbin/postfix
setgid_group = postdrop
smtp_tls_ciphers = high
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit
smtpd_milters = inet:localhost:12301
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = auth/dovecot
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/postfix/cert-20181202-231932.pem
smtpd_tls_ciphers = high
smtpd_tls_key_file = /etc/postfix/key-20181202-231932.pem
smtpd_tls_loglevel = 1
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtputf8_enable = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
master.cf
smtp       inet  n       -       y       -       -       smtpd
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
#submission inet n       -       y       -       -       smtpd
submission inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_wrappermode=no
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sasl_type=dovecot
#  -o smtpd_sasl_path = auth/dovecot
  -o smtpd_sasl_path=private/auth
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions= permit_mynetworks,permit_sasl_authenticated,reject
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps      inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
dovecot.conf
disable_plaintext_auth = no
mail_privileged_group = mail
mail_location = maildir:~/Maildir
auth_mechanisms = plain
auth_username_format ="%Ln"
userdb {
  driver = passwd
}
passdb {
  args = %s
  driver = pam
}
protocols = " imap"
protocol imap {
  mail_plugins = " auto"
}
plugin {
  autocreate = Trash
  autocreate2 = Sent
  autosubscribe = Trash
  autosubscribe2 = Sent
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
listen = *
ssl=yes
ssl_cert = </etc/postfix/cert-20181202-231932.pem
ssl_key = </etc/postfix/key-20181202-231932.pem
netstat
netstat --proto=inet -pnl | grep 587
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      5073/master
openssl s_client -starttls smtp -connect mail.example.com:587
CONNECTED(00000003)
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
verify error:num=18:self signed certificate
verify return:1
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
verify return:1
---
Certificate chain
 0 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
   i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
---
Server certificate
-----BEGIN CERTIFICATE-----
******************************
-----END CERTIFICATE-----
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
issuer=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2531 bytes and written 302 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: E34DC2BC95BF207D4B5E38C6FABD2A25AC43290A994C50C7AEC183CA224A31D2
    Session-ID-ctx:
    Master-Key: 0413A1112B664D6FA2EA348D70F6614AF5567338F0C61FDDC62030DC24A9C7719332CE322960AC5DD1D84A1205E2B0B9
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 97 4c 40 cf ae aa cc f3-32 80 52 0d fe 9f c0 da   .L@.....2.R.....
    0010 - a5 b8 3f 3c 0d ae 29 a7-88 b4 c1 6b 65 bf 38 e0   ..?<..)....ke.8.
    0020 - cc f9 05 93 43 4f 60 d4-a2 0f 3e 27 88 3e 13 1b   ....CO`...>'.>..
    0030 - 6a 31 01 86 5a 83 4c 80-a4 c4 5f 6b 6c bb ee e6   j1..Z.L..._kl...
    0040 - 5c 02 71 e1 2f 1e 96 38-4c 58 65 02 2e 89 78 96   \.q./..8LXe...x.
    0050 - 45 a6 b5 0c b4 b5 b6 61-65 c5 43 37 8d 4c 82 99   E......ae.C7.L..
    0060 - 88 2f 48 98 ce 9a 68 35-d8 1a b8 86 ff 3b ce 15   ./H...h5.....;..
    0070 - 0e e2 fd 02 60 07 1b 2a-2c 6d 0d 3b 32 25 f9 0d   ....`..*,m.;2%..
    0080 - d6 f8 31 2f 04 88 84 c9-bb 98 b3 fa ee 72 bd c1   ..1/.........r..
    0090 - 75 29 31 29 cb 68 99 36-49 77 4e 4a 07 71 ed 6c   u)1).h.6IwNJ.q.l
    00a0 - 20 88 c3 4d f3 d1 1c 3e-a4 16 7a 53 53 8b 51 17    ..M...>..zSS.Q.

    Start Time: 1544115275
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: yes
---
250
telnet mail.example.com 587
Connected to mail.example.com.
Escape character is '^]'.
220 mail.example.com ESMTP Postfix (Ubuntu)
ehlo mail.example.com
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
starttls
220 2.0.0 Ready to start TLS
auth plain AHJvb3QAZXhhbXBsZXBhc3M=
Connection closed by foreign host.
The STARTTLS command signals that the client wants to upgrade the connection to TLS. Once the server has responded successfully, the client is expected to upgrade the connection to TLS right then.

openssl s_client ... -starttls smtp does exactly this: it starts the TLS handshake with the server and, once the handshake is complete, lets the user talk to the server over the now-encrypted connection. What you tried with telnet instead does not upgrade to TLS. telnet has no idea how a TLS handshake should be done, or when. That means you simply keep talking plain text to the server even though the server is now expecting the start of a TLS handshake. This is why your server tries to interpret your auth plain ... as a TLS ClientHello and, since it is not TLS, cannot continue and emits the error message you see. In short: you cannot use telnet for this.
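An added example, written for this page in Python (it is not code from the question or the answer): the first function shows what a server reads after it answers "220 2.0.0 Ready to start TLS" when the client keeps typing SMTP, which is why the log reports "wrong version number" instead of a ClientHello; the second performs the STARTTLS upgrade with smtplib, i.e. the step telnet cannot do. The host, port, credentials, certificate path and sample bytes are constructed placeholders.

```python
import smtplib
import ssl
from email.message import EmailMessage

# Every TLS record begins with a 5-byte header: content type (1 byte),
# protocol version (2 bytes, major byte 0x03 for SSLv3/TLS 1.x), length (2 bytes).
TLS_CONTENT_HANDSHAKE = 0x16
TLS_MAJOR_VERSION = 0x03


def header_as_seen_by_tls(data: bytes):
    """Return (content_type, version) that a record-layer parser reads from data."""
    if len(data) < 5:
        return None
    return data[0], (data[1] << 8) | data[2]


def classify_first_bytes_after_starttls(data: bytes) -> str:
    """Classify the first bytes a server receives after agreeing to STARTTLS.

    Simplified record-header check, not OpenSSL's exact logic: a client that
    really upgrades sends a handshake record (0x16 0x03 ..). A client that keeps
    typing SMTP, e.g. b'auth plain ...', yields a 'version' made of ASCII bytes,
    the situation the question's log reports as 'wrong version number'.
    """
    header = header_as_seen_by_tls(data)
    if header is None:
        return "incomplete"
    content_type, version = header
    if (version >> 8) != TLS_MAJOR_VERSION:
        return "wrong-version-number"
    if content_type != TLS_CONTENT_HANDSHAKE:
        return "unexpected-record-type"
    return "tls-handshake-record"


def send_via_submission(host, port, username, password, msg, cafile):
    """Submit msg with a real STARTTLS upgrade: EHLO, STARTTLS, EHLO, AUTH, DATA.

    cafile is the server's own certificate (the question shows a self-signed one),
    so verification stays on instead of being disabled. Returns smtplib's dict of
    refused recipients (empty on full success).
    """
    context = ssl.create_default_context(cafile=cafile)
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        smtp.starttls(context=context)   # the TLS handshake telnet never performs
        smtp.ehlo()                       # capabilities may change after the upgrade
        smtp.login(username, password)    # AUTH PLAIN now travels encrypted
        return smtp.send_message(msg)


if __name__ == "__main__":
    # Constructed sample: the plaintext line the telnet session sent after '220 Ready'.
    typed_by_telnet = b"auth plain AHJvb3QAZXhhbXBsZXBhc3M=\r\n"
    # Constructed sample: the header of a TLS 1.2 ClientHello record.
    client_hello = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"
    for sample in (typed_by_telnet, client_hello):
        print(header_as_seen_by_tls(sample), classify_first_bytes_after_starttls(sample))

    # Placeholder submission; host, port, credentials and cafile are assumptions.
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "STARTTLS test"
    msg.set_content("sent over an upgraded connection")
    # send_via_submission("mail.example.com", 587, "user", "pass", msg, "/path/to/server-cert.pem")
```

For "auth " the parser reads content type 0x61 ('a') and version 0x7574 ('u','t'), whose major byte is not 0x03, hence the error in the log. Note that ssl.create_default_context verifies the hostname as well as the chain: the certificate in the question's openssl output carries only C, ST and O, so it would need to be reissued with the server name in it before this client accepts it.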