Ssl

後綴 - 接收電子郵件時出現 TLS/SSL 錯誤

  • October 12, 2015

我可以接收來自 gmail 的電子郵件,但是某些其他伺服器在嘗試向我的伺服器發送電子郵件時被拒絕

以下是我嘗試從startcom.org以及其他一些伺服器嘗試在前一天向我發送一些東西時獲得身份驗證的日誌。

Oct 11 05:26:54 snw postfix/smtpd[2342]: connect from 118-161-77-187.dynamic.hinet.net[118.161.77.187]
Oct 11 05:26:55 snw postfix/smtpd[2342]: NOQUEUE: reject: RCPT from 118-161-77-187.dynamic.hinet.net[118.161.77.187]: 454 4.7.1 <support@microsoft.com>: Relay access denied; from=<support@microsoft.com> to=<support@microsoft.com> proto=SMTP helo=<159.8.48.206>
Oct 11 05:26:56 snw postfix/smtpd[2342]: lost connection after RCPT from 118-161-77-187.dynamic.hinet.net[118.161.77.187]
Oct 11 05:26:56 snw postfix/smtpd[2342]: disconnect from 118-161-77-187.dynamic.hinet.net[118.161.77.187]
Oct 11 05:30:16 snw postfix/anvil[2344]: statistics: max connection rate 1/60s for (smtp:118.161.77.187) at Oct 11 05:26:54
Oct 11 05:30:16 snw postfix/anvil[2344]: statistics: max connection count 1 for (smtp:118.161.77.187) at Oct 11 05:26:54
Oct 11 05:30:16 snw postfix/anvil[2344]: statistics: max cache size 1 at Oct 11 05:26:54
Oct 11 12:31:05 snw postfix/smtpd[2613]: connect from 118-161-77-187.dynamic.hinet.net[118.161.77.187]
Oct 11 12:31:06 snw postfix/smtpd[2613]: NOQUEUE: reject: RCPT from 118-161-77-187.dynamic.hinet.net[118.161.77.187]: 454 4.7.1 <support@microsoft.com>: Relay access denied; from=<support@microsoft.com> to=<support@microsoft.com> proto=SMTP helo=<159.8.48.206>
Oct 11 12:31:07 snw postfix/smtpd[2613]: lost connection after RCPT from 118-161-77-187.dynamic.hinet.net[118.161.77.187]
Oct 11 12:31:07 snw postfix/smtpd[2613]: disconnect from 118-161-77-187.dynamic.hinet.net[118.161.77.187]
Oct 11 12:34:27 snw postfix/anvil[2615]: statistics: max connection rate 1/60s for (smtp:118.161.77.187) at Oct 11 12:31:05
Oct 11 12:34:27 snw postfix/anvil[2615]: statistics: max connection count 1 for (smtp:118.161.77.187) at Oct 11 12:31:05
Oct 11 12:34:27 snw postfix/anvil[2615]: statistics: max cache size 1 at Oct 11 12:31:05
Oct 11 13:45:07 snw dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=141.212.122.112, lip=159.8.48.206, TLS: Disconnected, session=<pGIDxtch6QCN1Hpw>
Oct 11 23:42:31 snw postfix/smtpd[3020]: connect from 118-161-77-187.dynamic.hinet.net[118.161.77.187]
Oct 11 23:42:32 snw postfix/smtpd[3020]: NOQUEUE: reject: RCPT from 118-161-77-187.dynamic.hinet.net[118.161.77.187]: 454 4.7.1 <support@microsoft.com>: Relay access denied; from=<support@microsoft.com> to=<support@microsoft.com> proto=SMTP helo=<159.8.48.206>
Oct 11 23:42:33 snw postfix/smtpd[3020]: lost connection after RCPT from 118-161-77-187.dynamic.hinet.net[118.161.77.187]
Oct 11 23:42:33 snw postfix/smtpd[3020]: disconnect from 118-161-77-187.dynamic.hinet.net[118.161.77.187]
Oct 11 23:45:53 snw postfix/anvil[3022]: statistics: max connection rate 1/60s for (smtp:118.161.77.187) at Oct 11 23:42:31
Oct 11 23:45:53 snw postfix/anvil[3022]: statistics: max connection count 1 for (smtp:118.161.77.187) at Oct 11 23:42:31
Oct 11 23:45:53 snw postfix/anvil[3022]: statistics: max cache size 1 at Oct 11 23:42:31
Oct 12 17:28:53 snw postfix/smtpd[3682]: connect from gateway.startcom.org[212.117.158.94]
Oct 12 17:28:55 snw postfix/smtpd[3682]: 12EE9DA2954: client=gateway.startcom.org[212.117.158.94]
Oct 12 17:28:55 snw postfix/smtpd[3682]: lost connection after RCPT from gateway.startcom.org[212.117.158.94]
Oct 12 17:28:55 snw postfix/smtpd[3682]: disconnect from gateway.startcom.org[212.117.158.94]
Oct 12 17:29:01 snw postfix/smtpd[3682]: connect from apache-7.startcom.org[192.116.242.7]
Oct 12 17:29:01 snw postfix/smtpd[3682]: SSL_accept error from apache-7.startcom.org[192.116.242.7]: -1
Oct 12 17:29:01 snw postfix/smtpd[3682]: warning: TLS library problem: 3682:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:647:
Oct 12 17:29:01 snw postfix/smtpd[3682]: lost connection after STARTTLS from apache-7.startcom.org[192.116.242.7]
Oct 12 17:29:01 snw postfix/smtpd[3682]: disconnect from apache-7.startcom.org[192.116.242.7]

這是我使用 gmail 發送到我的伺服器時的日誌

Oct 12 17:58:05 snw postfix/smtpd[3968]: connect from mail-io0-f174.google.com[209.85.223.174]
Oct 12 17:58:05 snw postfix/smtpd[3968]: E3E54DA0A51: client=mail-io0-f174.google.com[209.85.223.174]
Oct 12 17:58:06 snw postfix/cleanup[3977]: E3E54DA0A51: message-id=<CADZik+Vnys--dh_dhOqTSE2ZePWZiBKVp9-EqnYAyJRfk+hQGA@mail.gmail.com>
Oct 12 17:58:06 snw postfix/qmgr[5644]: E3E54DA0A51: from=<bnguyen170@gmail.com>, size=1931, nrcpt=1 (queue active)
Oct 12 17:58:06 snw postfix/smtpd[3968]: disconnect from mail-io0-f174.google.com[209.85.223.174]
Oct 12 17:58:06 snw postfix/pipe[3980]: E3E54DA0A51: to=<admin@phantastyc.tk>, relay=dovecot, delay=0.77, delays=0.38/0.1/0/0.29, dsn=2.0.0, status=sent (delivered via dovecot service)
Oct 12 17:58:06 snw postfix/qmgr[5644]: E3E54DA0A51: removed

我用:

  • Roundcube 作為 IMAP 客戶端(可能不相關)
  • Dovecot 與 MySQL 上的虛擬使用者進行身份驗證
  • Postfix 作為郵件軟體(在此處postconf輸出)

我懷疑這與我的伺服器對 SSL/TLS 身份驗證的限制有關,但是如何配置我的伺服器以便它幾乎可以接受任何東西

問題在這些日誌行中很明顯:

Oct 12 17:29:01 snw postfix/smtpd[3682]: SSL_accept error from apache-7.startcom.org[192.116.242.7]: -1
Oct 12 17:29:01 snw postfix/smtpd[3682]: warning: TLS library problem: 3682:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:647:

apache7-startcom.org 嘗試建立 SSL/TLS 連接但失敗,可能是因為它嘗試使用您的伺服器不接受的 SSL/TLS 協議。

您應該真正發布 just 的輸出,postconf -n以便它僅顯示與預設值不同的配置參數。您的postconf輸出包含太多噪音,無法真正有用。

這在您的要點的第 713 行postconf中說,您似乎禁止除 TLSv1.2 之外的所有 TLS 協議。對於應該能夠接受傳入郵件的郵件伺服器來說,這是非常嚴格的並且可能太多了。我會像這樣設置相關的 TLS 配置參數:

smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3

這樣,您就可以禁用 SSLv2 和 SSLv3,它們都已損壞且不安全,並使 TLSv1、TLSv1.1 和 TLSv1.2 可用。添加或更改這些參數後重新啟動 Postfix /etc/postfix/main.cf

引用自:https://serverfault.com/questions/728479