How to deal with mail senders that fail on STARTTLS?

I am trying to subscribe to a vger.kernel.org mailing list with my mail server richtercloud.de. I set up postfix 2.11 running on Ubuntu 14.04; sending and receiving both work fine. I configured postfix to send mail directly to vger.kernel.org. When I send mail to [email protected], sending succeeds (the mail leaves the queue), but receiving fails because vger.kernel.org does not issue the STARTTLS command in SMTP (relevant part of /var/log/mail.log

Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: connect from vger.kernel.org[209.132.180.67]
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: smtp_stream_setup: maxtime=300 enable_deadline=0
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: match_hostname: vger.kernel.org ~? 127.0.0.0/8
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: match_hostaddr: 209.132.180.67 ~? 127.0.0.0/8
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: match_hostname: vger.kernel.org ~? [::ffff:127.0.0.0]/104
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: match_hostaddr: 209.132.180.67 ~? [::ffff:127.0.0.0]/104
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: match_hostname: vger.kernel.org ~? [::1]/128
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: match_hostaddr: 209.132.180.67 ~? [::1]/128
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: match_hostname: vger.kernel.org ~? 192.168.178.62/32
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: match_hostaddr: 209.132.180.67 ~? 192.168.178.62/32
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: match_hostname: vger.kernel.org ~? 192.168.178.23/32
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: match_hostaddr: 209.132.180.67 ~? 192.168.178.23/32
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: match_hostname: vger.kernel.org ~? 192.168.178.62
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: match_hostaddr: 209.132.180.67 ~? 192.168.178.62
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: match_hostname: vger.kernel.org ~? 192.168.178.23
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: match_hostaddr: 209.132.180.67 ~? 192.168.178.23
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: match_hostname: vger.kernel.org ~? richtercloud.de
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: match_hostaddr: 209.132.180.67 ~? richtercloud.de
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: match_list_match: vger.kernel.org: no match
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: match_list_match: 209.132.180.67: no match
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: auto_clnt_open: connected to private/anvil
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: send attr request = connect
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: send attr ident = smtp:209.132.180.67
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: private/anvil: wanted attribute: status
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: input attribute name: status
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: input attribute value: 0
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: private/anvil: wanted attribute: count
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: input attribute name: count
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: input attribute value: 1
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: private/anvil: wanted attribute: rate
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: input attribute name: rate
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: input attribute value: 1
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: private/anvil: wanted attribute: (list terminator)
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: input attribute name: (end)
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: > vger.kernel.org[209.132.180.67]: 220 richtercloud.de ESMTP Postfix (Debian/GNU)
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: watchdog_pat: 0x2cbb60d8
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: < vger.kernel.org[209.132.180.67]: EHLO vger.kernel.org
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: match_list_match: vger.kernel.org: no match
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: match_list_match: 209.132.180.67: no match
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: > vger.kernel.org[209.132.180.67]: 250-richtercloud.de
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: > vger.kernel.org[209.132.180.67]: 250-PIPELINING
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: > vger.kernel.org[209.132.180.67]: 250-SIZE 10240000
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: > vger.kernel.org[209.132.180.67]: 250-VRFY
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: > vger.kernel.org[209.132.180.67]: 250-ETRN
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: > vger.kernel.org[209.132.180.67]: 250-STARTTLS
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: > vger.kernel.org[209.132.180.67]: 250-ENHANCEDSTATUSCODES
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: > vger.kernel.org[209.132.180.67]: 250-8BITMIME
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: > vger.kernel.org[209.132.180.67]: 250 DSN
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: watchdog_pat: 0x2cbb60d8
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: < vger.kernel.org[209.132.180.67]: MAIL From:<> BODY=8BITMIME SIZE=1778
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: > vger.kernel.org[209.132.180.67]: 530 5.7.0 Must issue a STARTTLS command first
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: watchdog_pat: 0x2cbb60d8
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: < vger.kernel.org[209.132.180.67]: RCPT To:<[email protected]> NOTIFY=FAILURE ORCPT=rfc822;[email protected]
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: > vger.kernel.org[209.132.180.67]: 530 5.7.0 Must issue a STARTTLS command first
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: watchdog_pat: 0x2cbb60d8
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: < vger.kernel.org[209.132.180.67]: DATA
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: > vger.kernel.org[209.132.180.67]: 530 5.7.0 Must issue a STARTTLS command first
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: watchdog_pat: 0x2cbb60d8
Oct  5 12:58:24 richtercloud postfix/smtpd[27539]: < vger.kernel.org[209.132.180.67]: NOOP
Oct  5 12:58:24 richtercloud postfix/smtpd[27539]: > vger.kernel.org[209.132.180.67]: 250 2.0.0 Ok
Oct  5 12:58:24 richtercloud postfix/smtpd[27539]: watchdog_pat: 0x2cbb60d8
Oct  5 12:58:41 richtercloud postfix/smtpd[28022]: connect from hermes.apache.org[140.211.11.3]
Oct  5 12:58:42 richtercloud postfix/smtpd[28022]: disconnect from hermes.apache.org[140.211.11.3]
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: < vger.kernel.org[209.132.180.67]: QUIT
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: > vger.kernel.org[209.132.180.67]: 221 2.0.0 Bye
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: match_hostname: vger.kernel.org ~? 127.0.0.0/8
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: match_hostaddr: 209.132.180.67 ~? 127.0.0.0/8
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: match_hostname: vger.kernel.org ~? [::ffff:127.0.0.0]/104
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: match_hostaddr: 209.132.180.67 ~? [::ffff:127.0.0.0]/104
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: match_hostname: vger.kernel.org ~? [::1]/128
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: match_hostaddr: 209.132.180.67 ~? [::1]/128
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: match_hostname: vger.kernel.org ~? 192.168.178.62/32
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: match_hostaddr: 209.132.180.67 ~? 192.168.178.62/32
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: match_hostname: vger.kernel.org ~? 192.168.178.23/32
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: match_hostaddr: 209.132.180.67 ~? 192.168.178.23/32
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: match_hostname: vger.kernel.org ~? 192.168.178.62
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: match_hostaddr: 209.132.180.67 ~? 192.168.178.62
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: match_hostname: vger.kernel.org ~? 192.168.178.23
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: match_hostaddr: 209.132.180.67 ~? 192.168.178.23
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: match_hostname: vger.kernel.org ~? richtercloud.de
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: match_hostaddr: 209.132.180.67 ~? richtercloud.de
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: match_list_match: vger.kernel.org: no match
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: match_list_match: 209.132.180.67: no match
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: send attr request = disconnect
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: send attr ident = smtp:209.132.180.67
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: private/anvil: wanted attribute: status
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: input attribute name: status
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: input attribute value: 0
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: private/anvil: wanted attribute: (list terminator)
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: input attribute name: (end)
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: disconnect from vger.kernel.org[209.132.180.67]
Oct  5 13:02:33 richtercloud postfix/anvil[27581]: statistics: max connection rate 1/60s for (smtp:209.132.180.67) at Oct  5 12:55:24
Oct  5 13:02:33 richtercloud postfix/anvil[27581]: statistics: max connection count 1 for (smtp:209.132.180.67) at Oct  5 12:55:24
Oct  5 13:02:33 richtercloud postfix/anvil[27581]: statistics: max cache size 2 at Oct  5 12:58:41

). I guess this behaviour may be a problem for a lot of senders.

postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
debug_peer_list = vger.kernel.org
home_mailbox = .Maildir/
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailbox_size_limit = 0
mydestination = richtercloud.de, localhost, localhost.localdomain
myhostname = richtercloud.de
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.178.62/32 192.168.178.23/32 192.168.178.62 192.168.178.23 richtercloud.de
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter =
relayhost = smtp.elasticemail.com:2525
smtp_generic_maps = hash:/etc/postfix/generic
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_enforce_peername = no
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_enforce_tls = yes
smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_invalid_hostname, reject_unauth_pipelining, reject_non_fqdn_hostname
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtpd_sender_restrictions = permit_mynetworks permit_sasl_authenticated permit_tls_clientcerts
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/transport

telnet richtercloud.de 25

Trying 192.168.178.76...
Connected to richtercloud.de.
Escape character is '^]'.
220 richtercloud.de ESMTP Postfix (Debian/GNU)
ehlo richtercloud.de
250-richtercloud.de
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

I think such a command has to be issued to keep my server from becoming an open relay, and I don't understand why vger.kernel.org does not do this. How can I enforce secure transport in SMTP, i.e. receive replies to messages sent to [email protected]?

Answer 1

STARTTLS has nothing to do with open relaying:

  • Open relay: accepting mail and forwarding it to recipients that are not in your local mail domains. This can be used to spread spam to external recipients, and you will usually be blacklisted quickly.
  • STARTTLS: encrypting the connection with TLS so that nobody can eavesdrop on or tamper with the data being sent.

You can restrict recipients to your own mail domains without using STARTTLS, and even with STARTTLS you can still be an open relay.

How to deal with senders that do not use STARTTLS:

  • If you want encrypted transport, you have to accept that some people will not use encryption and you will lose that traffic. But in that case you should also do it properly and not use a self-signed certificate as you do now, because that is vulnerable to man-in-the-middle attacks.
  • Or treat encryption as optional, i.e. do not enforce it by setting smtpd_enforce_tls = yes.

Answer 2

Do not enforce TLS. Enforcing TLS on a public SMTP server violates RFC 3207, which specifies the rules for using the STARTTLS extension:

    A publicly-referenced SMTP server MUST NOT require use of the STARTTLS extension in order to deliver mail locally. This rule prevents the STARTTLS extension from damaging the interoperability of the Internet's SMTP infrastructure. A publicly-referenced SMTP server is an SMTP server which runs on port 25 of an Internet host listed in the MX record (or A record if an MX record is not present) for the domain name on the right hand side of an Internet mail address.
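
To make the distinction drawn in both answers concrete, here is a small Python model, written for this page and not taken from Postfix, that replays the cleartext MAIL FROM / RCPT TO dialogue from the log against the questioner's smtpd_enforce_tls = yes and against opportunistic TLS, and then applies the page's smtpd_recipient_restrictions. The Session fields, the sample addresses and the exact reply texts are assumptions modelled on Postfix's documented defaults.

```python
from dataclasses import dataclass

# Local domains from the questioner's postconf (mydestination).
MYDESTINATION = {"richtercloud.de", "localhost", "localhost.localdomain"}


@dataclass
class Session:
    """State of one inbound SMTP session (assumed fields, not a Postfix API)."""
    tls_active: bool = False          # client issued STARTTLS and TLS is up
    in_mynetworks: bool = False       # would match permit_mynetworks
    sasl_authenticated: bool = False  # would match permit_sasl_authenticated


def mail_from(enforce_tls: bool, s: Session) -> str:
    """Reply to MAIL FROM. With smtpd_enforce_tls = yes every envelope command
    on a cleartext session gets the 530 seen in the log."""
    if enforce_tls and not s.tls_active:
        return "530 5.7.0 Must issue a STARTTLS command first"
    return "250 2.1.0 Ok"


def rcpt_to(enforce_tls: bool, s: Session, recipient: str) -> str:
    """Reply to RCPT TO: the TLS gate first, then smtpd_recipient_restrictions =
    permit_mynetworks permit_sasl_authenticated reject_unauth_destination."""
    if enforce_tls and not s.tls_active:
        return "530 5.7.0 Must issue a STARTTLS command first"
    if s.in_mynetworks or s.sasl_authenticated:
        return "250 2.1.5 Ok"                     # trusted clients may relay
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in MYDESTINATION:
        return "250 2.1.5 Ok"                     # local delivery, from anyone
    return f"554 5.7.1 <{recipient}>: Relay access denied"  # relay control


def replay(enforce_tls: bool, s: Session, recipient: str) -> list:
    """Replay MAIL FROM and RCPT TO as vger.kernel.org sent them (no STARTTLS)
    and return the three-digit reply codes."""
    return [mail_from(enforce_tls, s)[:3], rcpt_to(enforce_tls, s, recipient)[:3]]


if __name__ == "__main__":
    vger = Session()  # external MTA, cleartext, unauthenticated, as in the log
    # Constructed addresses; the page's own list address is redacted.
    local, foreign = "user@richtercloud.de", "someone@example.org"
    print("enforce_tls, local recipient  :", replay(True, vger, local))    # 530 530
    print("opportunistic, local recipient:", replay(False, vger, local))   # 250 250
    print("opportunistic, foreign rcpt   :", replay(False, vger, foreign))  # 250 554
    print("TLS up, foreign rcpt          :", replay(True, Session(tls_active=True), foreign))  # 250 554
```

The last two lines show the answers' point: relay control comes from reject_unauth_destination and is unchanged whether or not TLS is active, while enforcing TLS only blocks the local delivery that RFC 3207 says must be accepted.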
