Ssl
Postfix 收到“需要 TLS,但主機未提供”
我已經搜尋了每個論壇、每篇文章、每個 serverfault.com 文章以查找此問題。我正在使用全新的 Postfix 設置。它由 Virtualmin 管理。每當我嘗試通過 TLS 發送郵件時,都會收到錯誤消息(已刪除可辨識資訊):
Sep 7 21:58:37 mail postfix/smtp[220916]: initializing the client-side TLS engine Sep 7 21:58:37 mail postfix/tlsmgr[220917]: open smtpd TLS cache btree:/var/lib/postfix/smtpd_scache Sep 7 21:58:38 mail postfix/tlsmgr[220917]: open smtp TLS cache btree:/var/lib/postfix/smtp_scache Sep 7 21:58:38 mail postfix/tlsmgr[220917]: tlsmgr_cache_run_event: start TLS smtpd session cache cleanup Sep 7 21:58:38 mail postfix/tlsmgr[220917]: tlsmgr_cache_run_event: start TLS smtp session cache cleanup Sep 7 21:58:38 mail postfix/smtp[220918]: initializing the client-side TLS engine Sep 7 21:58:38 mail postfix/smtp[220918]: 536A837552: TLS is required, but was not offered by host gmail-smtp-in.l.google.com[173.194.219.27] Sep 7 21:58:38 mail postfix/smtp[220916]: E9C5637920: to=<test@TestSender.CheckTLS.com>, relay=ts11-do.checktls.com[165.227.190.238]:25, delay=3768, delays=3768/0.67/0.11/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host ts11-do.checktls.com[165.227.190.238]) Sep 7 21:58:38 mail postfix/smtp[220918]: 536A837552: TLS is required, but was not offered by host alt1.gmail-smtp-in.l.google.com[172.217.197.27] Sep 7 21:58:38 mail postfix/smtp[220918]: 536A837552: TLS is required, but was not offered by host alt2.gmail-smtp-in.l.google.com[108.177.12.27] Sep 7 21:58:39 mail postfix/smtp[220918]: 536A837552: TLS is required, but was not offered by host alt3.gmail-smtp-in.l.google.com[64.233.186.27] Sep 7 21:58:39 mail postfix/smtp[220918]: 536A837552: to=<myemail@gmail.com>, relay=alt4.gmail-smtp-in.l.google.com[209.85.202.27]:25, delay=3819, delays=3817/0.67/1.2/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host alt4.gmail-smtp-in.l.google.com[209.85.202.27]) Sep 7 22:00:01 mail postfix/pickup[220911]: A9D8537D1D: uid=33 from=<www-data> Sep 7 22:00:01 mail postfix/cleanup[221006]: A9D8537D1D: message-id=<20210908020001.A9D8537D1D@mail.mydomain.com>
我正在為我的證書使用letsencrypt(使用Virtualmin提取)。它將證書放在 /home/user/ssl。* 這是我的 main.cf(域替換為 example.com):
alias_database = hash:/etc/aliases alias_maps = hash:/etc/aliases allow_percent_hack = no append_dot_mydomain = no biff = no broken_sasl_auth_clients = yes home_mailbox = Maildir/ inet_protocols = ipv4 mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME mailbox_size_limit = 0 milter_default_action = accept mydomain = EXAMPLE.com myhostname = mail.EXAMPLE.com mynetworks_style = subnet non_smtpd_milters = inet:localhost:8891 recipient_delimiter = + sender_bcc_maps = hash:/etc/postfix/bcc sender_dependent_default_transport_maps = hash:/etc/postfix/dependent smtp_dns_support_level = dnssec smtp_host_lookup = dns smtp_tls_ciphers = high smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL smtp_tls_loglevel = 4 smtp_tls_mandatory_ciphers = high smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL smtp_tls_mandatory_protocols = TLSv1.3,TLSv1.2,TLSv1.1,!TLSv1,!SSLv2,!SSLv3 smtp_tls_note_starttls_offer = yes smtp_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3 smtp_tls_security_level = encrypt smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtpd_milters = inet:localhost:8891 smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination check_policy_service inet:127.0.0.1:10023 smtpd_relay_restrictions = ${{$compatibility_level} < {1} ? {} : {permit_mynetworks permit_sasl_authenticated defer_unauth_destination}} smtpd_sasl_auth_enable = yes smtpd_tls_ask_ccert = yes smtpd_tls_cert_file=/home/EXAMPLE/ssl.cert smtpd_tls_ciphers = high smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL smtpd_tls_key_file=/home/EXAMPLE/ssl.key smtpd_tls_loglevel = 4 smtpd_tls_mandatory_ciphers = high smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, TLSv1.1, TLSv1.2, TLSv1.3 smtpd_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3 smtpd_tls_received_header = yes smtpd_tls_security_level = encrypt smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache tls_preempt_cipherlist = yes tls_random_source = dev:/dev/urandom tls_server_sni_maps = hash:/etc/postfix/sni_map virtual_alias_maps = hash:/etc/postfix/virtual virtual_alias_domains = $mydomain
我知道 ENCRYPT 強制 TLS - 使用 MAY 回退到非 TLS 連接,這是為了測試
這是我的master.cf
smtp inet n - n - - smtpd pickup unix n - n 60 1 pickup cleanup unix n - n - 0 cleanup qmgr unix n - n 300 1 qmgr #qmgr unix n - n 300 1 oqmgr tlsmgr unix - - n 1000? 1 tlsmgr rewrite unix - - n - - trivial-rewrite bounce unix - - n - 0 bounce defer unix - - n - 0 bounce trace unix - - n - 0 bounce verify unix - - n - 1 verify flush unix n - n 1000? 0 flush proxymap unix - - n - - proxymap proxywrite unix - - n - 1 proxymap smtp unix - - n - - smtp relay unix - - n - - smtp -o syslog_name=postfix/$service_name # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 showq unix n - n - - showq error unix - - n - - error retry unix - - n - - error discard unix - - n - - discard local unix - n n - - local virtual unix - n n - - virtual lmtp unix - - n - - lmtp anvil unix - - n - 1 anvil scache unix - - n - 1 scache postlog unix-dgram n - n - 1 postlogd
*** 我將配置恢復為預設值,希望有所幫助,但沒有改變。
當我遠端登錄到我的伺服器時,我得到了 starttls 的選項:
Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]'. 220 mail.EXAMPLE.com ESMTP Postfix EHLO example.com 250-mail.EXAMPLE.com 250-PIPELINING 250-SIZE 10240000 250-VRFY 250-ETRN 250-STARTTLS 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
我正在為我的防火牆使用 opnsense。我認為它不會通過 SMTP 檢查阻止 TLS。
將設置設置為 MAY 而不是 ENCRYPT,我可以很好地發送和接收電子郵件。將其設置為 MAY,Google 和 checktls.com 報告說 TLS 沒有被使用。
dmarc、spf 等的所有測試都恢復正常。這是在 Ubuntu 伺服器 20 上執行的後綴(最新)。
我的環境:
- 數據中心中的託管伺服器(對它們沒有限制)
- Proxmox,截至 21 年 9 月 8 日是最新的
- 容器在 LXC、Ubuntu 20 中執行
- 容器位於 OPNSense 防火牆後面
- 基於 Web 的測試顯示伺服器提供 starttls
- 從伺服器執行 telnet > 另一台伺服器確實顯示 starttls 作為選項
非常感謝任何幫助,謝謝。
在 serverfault 的每個人的幫助下,我深入研究了這個問題,發現我的主機確實阻止了 TLS。在與我的主人交談並被告知他們不過濾 SMTP 後,他們終於承認過濾了 SMTP。
我通過在另一台主機上設置 VPS 中繼伺服器解決了這個問題。我的主伺服器現在通過非標準埠上的中繼發送郵件。使用此設置,我無需主機過濾即可發送安全電子郵件。
再次感謝您的幫助。