Postfix configuration problem with FIPS on CentOS 7; mailgun relay

I am trying to set up postfix to relay all mail generated on the local machine via SMTP to the mailgun relay. I have used the mailgun relay successfully on Ubuntu servers before, but I am migrating to a CentOS 7 server that will run in FIPS mode. The error log is below, slightly cleaned up. My network is small enough that I chose to have each machine connect to mailgun individually (this is loopback-only, with a 127.0.0.0/8 restriction), and there is no firewall opening that allows smtp into the machine's port.

I assume FIPS mode (and MD5 being disabled) is causing the problem, but I don't know how to get past it, or whether tls_fprint can perhaps use some supported hash such as sha256 or sha512. The relay=none is somewhat worrying, though, since I have set a relayhost, but maybe that is because the smtp process failed?

Any help would be appreciated!

postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_interfaces = loopback-only
inet_protocols = ipv4
local_recipient_maps =
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination =
mynetworks = 127.0.0.0/8
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
relayhost = [smtp.mailgun.org]:587
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sender_canonical_classes = envelope_sender, header_sender
sender_canonical_maps = regexp:/etc/postfix/sender_canonical_maps
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_generic_maps = hash:/etc/postfix/generic
smtp_header_checks = regexp:/etc/postfix/header_check
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_mandatory_ciphers = high
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = encrypt
smtpd_tls_security_level = encrypt
unknown_local_recipient_reject_code = 550

/var/log/maillog:

Apr 28 20:04:15 HOSTNAME postfix/pickup[85556]: SOME_ID_NUMBER: uid=0 from=<root>
Apr 28 20:04:15 HOSTNAME postfix/cleanup[85583]: SOME_ID_NUMBER: message-id=<20180429000415.SOME_ID_NUMBER@FQDN>
Apr 28 20:04:15 HOSTNAME postfix/qmgr[85557]: SOME_ID_NUMBER: from=<root@FQDN>, size=2261, nrcpt=1 (queue active)
Apr 28 20:04:16 HOSTNAME postfix/smtp[85585]: fatal: tls_fprint: error computing md5 message digest
Apr 28 20:04:17 HOSTNAME postfix/qmgr[85557]: warning: private/smtp socket: malformed response
Apr 28 20:04:17 HOSTNAME postfix/qmgr[85557]: warning: transport smtp failure -- see a previous warning/fatal/panic logfile record for the problem description
Apr 28 20:04:17 HOSTNAME postfix/master[85555]: warning: process /usr/libexec/postfix/smtp pid 85585 exit status 1
Apr 28 20:04:17 HOSTNAME postfix/master[85555]: warning: /usr/libexec/postfix/smtp: bad command startup -- throttling
Apr 28 20:04:17 HOSTNAME postfix/error[85587]: SOME_ID_NUMBER: to=<[email protected]>, relay=none, delay=1.7, delays=0.05/1.6/0/0.02, dsn=4.3.0, status=deferred (unknown mail transport error)

Answer 1

After several hours of trying to figure this out, including turning on debugging for the smtp and tlsmgr processes in master.cf, I was able to determine that FIPS disabling md5 was indeed the problem. Adding the following to master.cf fixed it:

smtp_tls_fingerprint_digest=sha256

Setting it to sha1 and sha512 also worked. Note that the postfix documentation warns about setting it to anything other than sha1 or md5 (md5 is the default). From the documentation:

While additional digest algorithms are often available with OpenSSL's libcrypto, only those used by libssl in SSL cipher suites are available to Postfix. For now this means just md5 or sha1.

However, for my needs sha256 seems to work just fine.
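As an added example, not part of the original thread and not a Postfix tool, the POSIX shell script below lints a `postconf -n` style dump for the settings this thread turns on: the fingerprint digest left at its md5 default (which is what the FIPS error in the question's maillog points at), a missing relayhost (the relay=none symptom), a TLS level weaker than encrypt while SASL credentials are configured, and a listener that is not loopback-only. The sample configs are constructed to mirror the question before and after the answer's fix; the function names are this example's own.

```shell
#!/bin/sh
# Added example: lint a `postconf -n` dump for the FIPS/relay settings
# discussed in the thread. Not part of Postfix; function names are ours.
# On a real host: lint_relay_conf "$(postconf -n)"

# Constructed sample: the asker's settings, digest left at the md5 default.
SAMPLE_ASKER='inet_interfaces = loopback-only
relayhost = [smtp.mailgun.org]:587
smtp_sasl_auth_enable = yes
smtp_tls_security_level = encrypt'

# Constructed sample: the same config with the answer's fix applied.
SAMPLE_FIXED="$SAMPLE_ASKER
smtp_tls_fingerprint_digest = sha256"

# get_param CONFIG NAME: print the value of NAME in CONFIG (empty if absent).
get_param() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# lint_relay_conf CONFIG: one finding per line, "PROBLEM: ..." or "ok: ...".
lint_relay_conf() {
  conf="$1"

  # 1. FIPS mode disables MD5. Postfix 2.10 defaults the fingerprint digest
  #    to md5 and the smtp client aborts with "tls_fprint: error computing
  #    md5 message digest" even when the security level is only "encrypt".
  digest=$(get_param "$conf" smtp_tls_fingerprint_digest)
  [ -n "$digest" ] || digest=md5
  case "$digest" in
    md5) echo "PROBLEM: smtp_tls_fingerprint_digest is md5 (the default); set sha256 under FIPS" ;;
    *)   echo "ok: smtp_tls_fingerprint_digest = $digest" ;;
  esac

  # 2. Without a relayhost the client delivers directly and logs relay=none.
  relay=$(get_param "$conf" relayhost)
  if [ -z "$relay" ]; then
    echo "PROBLEM: relayhost is unset"
  else
    echo "ok: relayhost = $relay"
  fi

  # 3. SASL credentials to the relay must only travel inside TLS.
  level=$(get_param "$conf" smtp_tls_security_level)
  case "$level" in
    encrypt|secure|verify|fingerprint|dane-only)
      echo "ok: smtp_tls_security_level = $level" ;;
    *)
      echo "PROBLEM: smtp_tls_security_level is '${level:-none}'; use encrypt or stronger" ;;
  esac

  # 4. A submit-only relay should not accept SMTP from the network.
  ifaces=$(get_param "$conf" inet_interfaces)
  if [ "$ifaces" = "loopback-only" ] || [ "$ifaces" = "localhost" ]; then
    echo "ok: inet_interfaces = $ifaces"
  else
    echo "PROBLEM: inet_interfaces is '${ifaces:-all}'; a relay-only host should listen on loopback only"
  fi
  return 0
}

# count_problems CONFIG: print the number of PROBLEM lines (always exits 0).
count_problems() {
  lint_relay_conf "$1" | grep -c '^PROBLEM:' || true
}

echo "== asker's config =="
lint_relay_conf "$SAMPLE_ASKER"
echo "== with smtp_tls_fingerprint_digest = sha256 =="
lint_relay_conf "$SAMPLE_FIXED"
```

The digest check deliberately treats an absent parameter as md5, because that is the Postfix default the answer mentions and the reason the first config fails under FIPS even though it never uses the fingerprint security level.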

Answer 2

If you only want to configure a relay host, then you must change the default entry in /etc/postfix/postfix.conf to the desired relay host. I hope this link helps you

https://serverfault.com/questions/878841/cant-relay-on-postfix-accessing-it-from-external-ip
