Postfix、TLS 和 StartSSL 證書

January 16, 2014

我最近更改了我的 postfix 安裝以使用帶有 StartSSL 頒發的證書的 TLS。然後我執行SMTP和TLS檢查，沒有錯誤或警告。一切似乎都執行良好。

我現在的問題是，接收郵件似乎並非在每種情況下都有效。似乎有郵件伺服器我無法接收來自的郵件。例如亞馬遜或暴雪。在亞馬遜的情況下，我的後綴日誌是這樣說的：

Jan 16 13:57:51 myhost postfix/smtpd[31551]: connect from mm-notify-out-127-214.amazon.com[176.32.127.214]
Jan 16 13:57:51 myhost postfix/smtpd[31551]: lost connection after EHLO from mm-notify-out-127-214.amazon.com[176.32.127.214]
Jan 16 13:57:51 myhost postfix/smtpd[31551]: disconnect from mm-notify-out-127-214.amazon.com[176.32.127.214]

當收到來自暴雪的郵件時，日誌看起來是一樣的，只是缺少“失去的連接”行。

我懷疑這兩家（可能還有更多）公司可能不信任 StartSSL 證書，我必須從一個“值得信賴的”大型 CA 購買證書。

誰能告訴我我的懷疑是否正確，或者我的後綴配置是否有任何錯誤？

非常感謝您的幫助。

編輯： 這是我從 telnet 會話的輸出：

telnet host 587
Trying ip...
Connected to host.
Escape character is '^]'.
220 host ESMTP Postfix (Debian/GNU)
ehlo host
250-host
250-PIPELINING
250-SIZE 134217728
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

編輯： 啟用了 debug_peer_list 的後綴日誌：

Jan 16 16:52:21 myhost postfix/smtpd[5712]: initializing the server-side TLS engine
Jan 16 16:52:21 myhost postfix/tlsmgr[5714]: open smtpd TLS cache btree:/var/lib/postfix/smtpd_scache
Jan 16 16:52:21 myhost postfix/tlsmgr[5714]: tlsmgr_cache_run_event: start TLS smtpd session cache cleanup
Jan 16 16:52:21 myhost postfix/smtpd[5712]: connect from smtp-out-127-108.amazon.com[176.32.127.108]
Jan 16 16:52:21 myhost postfix/smtpd[5712]: match_hostname: smtp-out-127-108.amazon.com ~? 127.0.0.0/8
Jan 16 16:52:21 myhost postfix/smtpd[5712]: match_hostaddr: 176.32.127.108 ~? 127.0.0.0/8
Jan 16 16:52:21 myhost postfix/smtpd[5712]: match_hostname: smtp-out-127-108.amazon.com ~? [::ffff:127.0.0.0]/104
Jan 16 16:52:21 myhost postfix/smtpd[5712]: match_hostaddr: 176.32.127.108 ~? [::ffff:127.0.0.0]/104
Jan 16 16:52:21 myhost postfix/smtpd[5712]: match_hostname: smtp-out-127-108.amazon.com ~? [::1]/128
Jan 16 16:52:21 myhost postfix/smtpd[5712]: match_hostaddr: 176.32.127.108 ~? [::1]/128
Jan 16 16:52:21 myhost postfix/smtpd[5712]: match_list_match: smtp-out-127-108.amazon.com: no match
Jan 16 16:52:21 myhost postfix/smtpd[5712]: match_list_match: 176.32.127.108: no match
Jan 16 16:52:21 myhost postfix/smtpd[5712]: auto_clnt_open: connected to private/anvil
Jan 16 16:52:21 myhost postfix/smtpd[5712]: send attr request = connect
Jan 16 16:52:21 myhost postfix/smtpd[5712]: send attr ident = smtp:176.32.127.108
Jan 16 16:52:21 myhost postfix/smtpd[5712]: private/anvil: wanted attribute: status
Jan 16 16:52:21 myhost postfix/smtpd[5712]: input attribute name: status
Jan 16 16:52:21 myhost postfix/smtpd[5712]: input attribute value: 0
Jan 16 16:52:21 myhost postfix/smtpd[5712]: private/anvil: wanted attribute: count
Jan 16 16:52:21 myhost postfix/smtpd[5712]: input attribute name: count
Jan 16 16:52:21 myhost postfix/smtpd[5712]: input attribute value: 1
Jan 16 16:52:21 myhost postfix/smtpd[5712]: private/anvil: wanted attribute: rate
Jan 16 16:52:21 myhost postfix/smtpd[5712]: input attribute name: rate
Jan 16 16:52:21 myhost postfix/smtpd[5712]: input attribute value: 1
Jan 16 16:52:21 myhost postfix/smtpd[5712]: private/anvil: wanted attribute: (list terminator)
Jan 16 16:52:21 myhost postfix/smtpd[5712]: input attribute name: (end)
Jan 16 16:52:21 myhost postfix/smtpd[5712]: &gt; smtp-out-127-108.amazon.com[176.32.127.108]: 220 mail.myhost ESMTP Postfix (Debian/GNU)
Jan 16 16:52:21 myhost postfix/smtpd[5712]: watchdog_pat: 0x7fa2f92c07b0
Jan 16 16:52:21 myhost postfix/smtpd[5712]: &lt; smtp-out-127-108.amazon.com[176.32.127.108]: EHLO smtp-out-127-108.amazon.com
Jan 16 16:52:21 myhost postfix/smtpd[5712]: &gt; smtp-out-127-108.amazon.com[176.32.127.108]: 250-mail.myhost
Jan 16 16:52:21 myhost postfix/smtpd[5712]: &gt; smtp-out-127-108.amazon.com[176.32.127.108]: 250-PIPELINING
Jan 16 16:52:21 myhost postfix/smtpd[5712]: &gt; smtp-out-127-108.amazon.com[176.32.127.108]: 250-SIZE 134217728
Jan 16 16:52:21 myhost postfix/smtpd[5712]: &gt; smtp-out-127-108.amazon.com[176.32.127.108]: 250-VRFY
Jan 16 16:52:21 myhost postfix/smtpd[5712]: &gt; smtp-out-127-108.amazon.com[176.32.127.108]: 250-ETRN
Jan 16 16:52:21 myhost postfix/smtpd[5712]: match_list_match: smtp-out-127-108.amazon.com: no match
Jan 16 16:52:21 myhost postfix/smtpd[5712]: match_list_match: 176.32.127.108: no match
Jan 16 16:52:21 myhost postfix/smtpd[5712]: &gt; smtp-out-127-108.amazon.com[176.32.127.108]: 250-STARTTLS
Jan 16 16:52:21 myhost postfix/smtpd[5712]: &gt; smtp-out-127-108.amazon.com[176.32.127.108]: 250-ENHANCEDSTATUSCODES
Jan 16 16:52:21 myhost postfix/smtpd[5712]: &gt; smtp-out-127-108.amazon.com[176.32.127.108]: 250-8BITMIME
Jan 16 16:52:21 myhost postfix/smtpd[5712]: &gt; smtp-out-127-108.amazon.com[176.32.127.108]: 250 DSN
Jan 16 16:52:21 myhost postfix/smtpd[5712]: watchdog_pat: 0x7fa2f92c07b0
Jan 16 16:52:21 myhost postfix/smtpd[5712]: &lt; smtp-out-127-108.amazon.com[176.32.127.108]: MAIL FROM:&lt;20140116155221ae18abe030864bbfaaa9b8af73986be6@bounces.amazon.de&gt; SIZE=27930
Jan 16 16:52:21 myhost postfix/smtpd[5712]: &gt; smtp-out-127-108.amazon.com[176.32.127.108]: 530 5.7.0 Must issue a STARTTLS command first
Jan 16 16:52:21 myhost postfix/smtpd[5712]: watchdog_pat: 0x7fa2f92c07b0
Jan 16 16:52:21 myhost postfix/smtpd[5712]: &lt; smtp-out-127-108.amazon.com[176.32.127.108]: RSET
Jan 16 16:52:21 myhost postfix/smtpd[5712]: &gt; smtp-out-127-108.amazon.com[176.32.127.108]: 530 5.7.0 Must issue a STARTTLS command first
Jan 16 16:52:21 myhost postfix/smtpd[5712]: watchdog_pat: 0x7fa2f92c07b0
Jan 16 16:52:21 myhost postfix/smtpd[5712]: smtp_get: EOF
Jan 16 16:52:21 myhost postfix/smtpd[5712]: match_hostname: smtp-out-127-108.amazon.com ~? 127.0.0.0/8
Jan 16 16:52:21 myhost postfix/smtpd[5712]: match_hostaddr: 176.32.127.108 ~? 127.0.0.0/8
Jan 16 16:52:21 myhost postfix/smtpd[5712]: match_hostname: smtp-out-127-108.amazon.com ~? [::ffff:127.0.0.0]/104
Jan 16 16:52:21 myhost postfix/smtpd[5712]: match_hostaddr: 176.32.127.108 ~? [::ffff:127.0.0.0]/104
Jan 16 16:52:21 myhost postfix/smtpd[5712]: match_hostname: smtp-out-127-108.amazon.com ~? [::1]/128
Jan 16 16:52:21 myhost postfix/smtpd[5712]: match_hostaddr: 176.32.127.108 ~? [::1]/128
Jan 16 16:52:21 myhost postfix/smtpd[5712]: match_list_match: smtp-out-127-108.amazon.com: no match
Jan 16 16:52:21 myhost postfix/smtpd[5712]: match_list_match: 176.32.127.108: no match
Jan 16 16:52:21 myhost postfix/smtpd[5712]: send attr request = disconnect
Jan 16 16:52:21 myhost postfix/smtpd[5712]: send attr ident = smtp:176.32.127.108
Jan 16 16:52:21 myhost postfix/smtpd[5712]: private/anvil: wanted attribute: status
Jan 16 16:52:21 myhost postfix/smtpd[5712]: input attribute name: status
Jan 16 16:52:21 myhost postfix/smtpd[5712]: input attribute value: 0
Jan 16 16:52:21 myhost postfix/smtpd[5712]: private/anvil: wanted attribute: (list terminator)
Jan 16 16:52:21 myhost postfix/smtpd[5712]: input attribute name: (end)
Jan 16 16:52:21 myhost postfix/smtpd[5712]: lost connection after EHLO from smtp-out-127-108.amazon.com[176.32.127.108]
Jan 16 16:52:21 myhost postfix/smtpd[5712]: disconnect from smtp-out-127-108.amazon.com[176.32.127.108]

正如您記錄顯示的那樣，您提供的是 STARTTLS，並且正如您所指定的，smtp_tls_security_level=encrypt您的伺服器將不接受未加密的郵件連接。
後綴手冊證實了這一點：
在“加密”TLS 安全級別，消息僅通過 TLS 加密會話發送。除非遠端 SMTP 伺服器支持 STARTTLS ESMTP 功能，否則 SMTP 事務將被中止。

後綴：調試傳入的 SMTP 連接
這是如何獲取有關該問題的更多資訊的秘訣
嘗試獲取有關導致問題的傳入 SMTP 連接的更多調試資訊。使用debug_peer_list配置選項：
debug_peer_list = amazon.com
http://www.postfix.org/postconf.5.html#debug_peer_list

引用自：https://serverfault.com/questions/567695

Postfix、TLS 和 StartSSL 證書

後綴：調試傳入的 SMTP 連接

相關問答

如何在 Postfix 2.11 中強制使用自己的一組密碼？

Postfix & Gmail: Authentication Required 錯誤

不發送加密消息

STARTTLS 後失去連接：後綴

POSTFIX 無法使用 TLS 從 SMTP 連接

OpenSSL 未提供客戶端證書（SMTP、Postfix）