我正在尝试通过运行 Postfix 的服务器 B 从运行 SSMTP 的服务器 A 发送邮件。 Postfix 服务器运行良好,并且已经投入生产一段时间,没有出现任何问题。它使用 Dovecot 运行 Postfix。
我可以使用我的 Gmail 帐户从 SSMTP 发送邮件,这可以工作,但是我想使用我自己的 Postfix 服务器,因为我想要对整个邮件过程有更多的控制。
在接下来的日志和代码中,我用 example.com 替换了我自己的公共域。
以下是 SSMTP 产生的错误:
root@N40L:/etc/ssmtp# echo "test" | mailx -vvv -s "test" [email protected]
[<-] 220 h******.stratoserver.net ESMTP Postfix (Debian/GNU)
[->] EHLO example.com
[<-] 250 DSN
[->] AUTH LOGIN
[<-] 535 5.7.8 Error: authentication failed: Invalid authentication mechanism
send-mail: Server didn't like our AUTH LOGIN (535 5.7.8 Error: authentication failed: Invalid authentication mechanism)
我在两台机器上运行 Debian 8。
这是我的 ssmtp.conf:
[email protected]
mailhub=example.com:465
rewriteDomain=example.com
hostname=example.com
FromLineOverride=YES
UseTLS=YES
[email protected]
AuthPass=correctpassword
我知道 SSMTP 有时无法处理非字母数字密码,因此密码是一串字母和数字。我已经使用 Mutt 对其进行了验证,并且我确信它是正确的密码、正确的用户名和正确的端口。
后缀main.cf:
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
readme_directory = no
smtpd_tls_cert_file=/etc/letsencrypt/live/example.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/example.com/privkey.pem
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = ********.stratoserver.net
myorigin = /etc/mailname
mydestination = localhost.stratoserver.net, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
message_size_limit=20480000
virtual_mailbox_domains = a.bunch.of names.here.and example.com
virtual_mailbox_base = /var/mail/vmail
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_gid_maps = static:5000
virtual_uid_maps = static:5000
virtual_minimum_uid = 5000
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
content_filter = scan:127.0.0.1:10026
receive_override_options = no_address_mappings
LetsEncrypt 证书显示了正确的名称,并且许多手机(Android 和 iPhone)以及许多不同的邮件客户端及其网络邮件都对此感到满意。我确信证书是有序的。
master.cf,虽然我不确定它是否相关:
smtp inet n - - - - smtpd -v
-o content_filter=spamassassin
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
pickup unix n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}
spamassassin unix - n n - - pipe
user=spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
scan unix - - n - 16 smtp
-o smtp_send_xforward_command=yes
127.0.0.1:10025 inet n - n - 16 smtpd
-o content_filter=
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks_style=host
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
Dovecot中的相关配置部分:
# 2.2.13: /etc/dovecot/dovecot.conf
auth_debug = yes
auth_debug_passwords = yes
auth_verbose = yes
mail_debug = yes
mail_plugins = " quota"
mail_privileged_group = vmail
managesieve_notify_capability = mailto
}
passdb {
args = /etc/dovecot/dovecot-sql.conf.ext
driver = sql
}
protocols = " imap lmtp sieve"
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0666
user = postfix
}
}
service imap-login {
inet_listener imaps {
port = 993
ssl = yes
}
}
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0666
user = postfix
}
}
ssl = required
ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
ssl_key = </etc/letsencrypt//live/example.com/privkey.pem
userdb {
args = /etc/dovecot/dovecot-sql.conf.ext
driver = sql
}
verbose_ssl = yes
protocol lmtp {
mail_plugins = " quota sieve"
postmaster_address = [email protected]
}
如果我尝试从服务器 A 发送邮件,并且它生成上述错误,服务器 B 会将其记录在 /var/mail/mail.log 中:
Jan 16 10:29:54 postfix/smtps/smtpd[13601]: warning: dict_nis_init: NIS domain name not set - NIS lookups disabled
Jan 16 10:29:54 postfix/smtps/smtpd[13601]: connect from ******.upc-h.chello.nl[62.194.***.***]
Jan 16 10:29:54 dovecot: auth: Debug: auth client connected (pid=0)
Jan 16 10:29:54 postfix/smtps/smtpd[13601]: warning: ******.upc-h.chello.nl[62.194.***.***]: SASL LOGIN authentication failed: Invalid authentication mechanism
Jan 16 10:29:54 postfix/smtps/smtpd[13601]: lost connection after AUTH from ******.upc-h.chello.nl[62.194.***.***]
Jan 16 10:29:54 postfix/smtps/smtpd[13601]: disconnect from ******.upc-h.chello.nl[62.194.***.***]
如果我将AuthMechanism=LOGINor AuthMechanism=CRAM-MD5(根据 SSMTP 的手册页,这是唯一可用的机制)添加到 ssmtp.conf ,情况也是如此,所以我再次删除了它。
因为互联网非常坚持将 Gmail 与 SSMTP 一起使用,所以我尝试了一点,并尝试了 UseSTARTTLS。然后这会发生在服务器 A 上:
send-mail: Cannot open example.com:465
Can't send mail: sendmail process failed with error code 1
...这是在服务器 B 上登录的:
Jan 16 10:46:01 postfix/smtps/smtpd[14047]: warning: dict_nis_init: NIS domain name not set - NIS lookups disabled
Jan 16 10:46:01 postfix/smtps/smtpd[14047]: connect from ******.upc-h.chello.nl[62.194.***.***]
Jan 16 10:46:12 dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jan 16 10:46:12 dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jan 16 10:46:12 dovecot: auth: Debug: auth client connected (pid=14049)
Jan 16 10:46:12 dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011session=***************AAAAAAAAAAB#011lip=::1#011rip=::1#011lport=143#011rport=60112#011resp=AG40MGxAd*****************QzE3MDE= (previous base64 data may contain sensitive data)
Jan 16 10:46:12 dovecot: auth-worker(14017): Debug: sql([email protected],::1): query: SELECT email as username, pwd AS password FROM addresses WHERE email = '[email protected]'
Jan 16 10:46:12 dovecot: auth: Debug: client passdb out: OK#0111#[email protected]
Jan 16 10:46:12 dovecot: auth: Debug: master in: REQUEST#011154140673#01114049#0111#0114d206d2a85468af9af75b8538aab7485#011session_pid=14050#011request_auth_token
Jan 16 10:46:12 dovecot: auth-worker(14017): Debug: sql([email protected],::1): SELECT 5000 AS uid, 5000 as gid, email, '/var/mail/vmail/example.com/n40l' AS home FROM addresses WHERE email = '[email protected]'
Jan 16 10:46:12 dovecot: auth: Debug: master userdb out: USER#011154140673#[email protected]#011uid=5000#011gid=5000#[email protected]#011home=/var/mail/vmail/example.com/n40l#011auth_token=ff5b12*****************aedf315ac08e
Jan 16 10:46:12 dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=::1, lip=::1, mpid=14050, secured, session=<0pDTDTNG0AAAAAAAAAAAAAAAAAAAAAAB>
Jan 16 10:46:12 dovecot: imap: Debug: Loading modules from directory: /usr/lib/dovecot/modules
Jan 16 10:46:12 dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib10_quota_plugin.so
Jan 16 10:46:12 dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib11_imap_quota_plugin.so
Jan 16 10:46:12 dovecot: imap: Debug: Added userdb setting: plugin/[email protected]
Jan 16 10:46:12 dovecot: imap([email protected]): Debug: Effective uid=5000, gid=5000, home=/var/mail/vmail/example.com/n40l
Jan 16 10:46:12 dovecot: imap([email protected]): Debug: Quota root: name=User quota backend=maildir args=
Jan 16 10:46:12 dovecot: imap([email protected]): Debug: Quota rule: root=User quota mailbox=* bytes=10737418240 messages=0
Jan 16 10:46:12 dovecot: imap([email protected]): Debug: Quota rule: root=User quota mailbox=Trash bytes=+104857600 messages=0
Jan 16 10:46:12 dovecot: imap([email protected]): Debug: Quota grace: root=User quota bytes=536870912 (5%)
Jan 16 10:46:12 dovecot: imap([email protected]): Debug: Namespace inbox: type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:/var/mail/vmail/example.com/n40l
Jan 16 10:46:12 dovecot: imap([email protected]): Debug: maildir++: root=/var/mail/vmail/example.com/n40l, index=, indexpvt=, control=, inbox=/var/mail/vmail/example.com/n40l, alt=
Jan 16 10:46:12 dovecot: imap([email protected]): Disconnected: Logged out in=50 out=475
我可以毫无问题地登录服务器 B 的网络邮件,并使用我正在使用的地址发送和接收邮件,因此帐户本身是正常的。我尝试了其他帐户,它们产生了相同的错误。
我不知所措。 SSMTP 应该能够通过 Postfix 发送邮件。即使打开所有调试和详细选项,我也找不到问题的根源。任何帮助是极大的赞赏。
答案1
root@N40L:/etc/ssmtp# echo "test" | mailx -vvv -s "test" [email protected]
[<-] 220 h******.stratoserver.net ESMTP Postfix (Debian/GNU)
[->] EHLO example.com
[<-] 250 DSN
该命令连接到 Postfix ath******.stratoserver.net并发送其EHLO简介。但收到的响应只是250 DSN表明该 Postfix 此时不愿意接受身份验证。如果它接受身份验证,响应可能看起来更像这样:
[<-] 250-AUTH PLAIN LOGIN CRAM-MD5
[<-] 250 DSN
本质上,服务器对客户端的答复EHLO将告知客户端该特定服务器愿意接受的 SMTP 协议功能。对于身份验证,应该有一行包含该单词AUTH和可接受的身份验证机制的列表。多行响应将在除最后一行之外的每行开头处包含客户端上一个命令的结果代码和减号(250-此处):答案的最后一行将包含结果代码和空格字符。
您ssmtp.conf表示它将使用端口 465,该端口对应于服务名称smtps:
mailhub=example.com:465
所以相关的 Postfixmaster.cf条目将是这个:
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
这对我来说看起来不完整。
要仅在经过身份验证时允许通过此端口发送邮件,您还需要-o smtpd_client_restrictions=permit_sasl_authenticated,reject此处,就像之前的服务一样submission(submission是在端口 587 中运行的服务)。您还需要-o smtpd_sasl_security_options=noanonymous.
要专门将 Dovecot SASL 与 Postfix 一起使用,您需要-o smtpd_sasl_type=dovecot在其中添加一行。您可能还需要-o smtpd_sasl_path=private/auth:当将 Dovecot SASL 与 Postfix 一起使用时,这将识别 Dovecot SASL 身份验证套接字的位置,该位置在 Dovecot 配置中指定为
unix_listener /var/spool/postfix/private/auth
但由于smtpdPostfix 进程将用作/var/spool/postfix其工作目录(并且实际上可能在那里进行 chroot),smtpd因此只需要private/auth该路径的一部分。
为了使用 STARTTLS,您必须改用端口 587,并且作为诊断,Postfix 在该端口上的 EHLO 响应必须包含250-STARTTLS.
STARTTLS 的典型事件顺序是:
- 客户端与端口 587 建立未加密的连接并发送
EHLO - 服务器响应包含
STARTTLS但不包含AUTH,至少不包含PLAIN或LOGIN机制,因为发送不加密的身份验证数据不是很聪明。 - 客户端发送
STARTTLS命令,双方立即开始 TLS 握手。 - 当 TLS 生效时,客户端将发送另一个
EHLO - 现在服务器的响应将包括
AUTH服务器管理员允许的所有身份验证机制。
我知道这对OP来说是一个很晚的答案,但这也许会帮助其他人弄清楚各个配置部分如何组合在一起。 (这对我来说无疑是对 Postfix 身份验证知识的刷新。)
答案2
ssmtp 似乎模拟 Outlook 客户端,因为它使用损坏的身份验证机制。
broken_sasl_auth_clients = yes在 postfix main.cf 中将“修复”这个问题。