Postfix/Dovecot/Let'sEncrypt - Gmail/email clients say email from my server is not properly encrypted (red lock)

I'm not an expert in mail server configuration, and I'm not very familiar with how to get email working without any problems (mainly configuring the DNS records that go with email delivery). So I'd be very happy to get links to some good videos explaining how it works and what steps I need to take to configure everything according to some common guidelines, or information about what's wrong with my configuration, because I've tried different things and none of them solved my problem.

I have my own Linux server running Ubuntu 17.04, with postfix and dovecot set up for company email.

The problem is that whenever I send an email to a Gmail account, in the message you see a red icon (http://puu.sh/x8ses/9c1a5fef89.png) and it says "bisart.eu did not encrypt this message".

Original message:

Delivered-To: [email protected]
Received: by 10.12.169.5 with SMTP id y5csp2584881qva;
        Sat, 12 Aug 2017 13:07:14 -0700 (PDT)
X-Received: by 10.223.151.212 with SMTP id t20mr12538728wrb.233.1502568434417;
        Sat, 12 Aug 2017 13:07:14 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1502568434; cv=none;
        d=google.com; s=arc-20160816;
        b=izg+I4FrioYQ9iZXkCeJMpZwi8bNCUbQjzsQgGKxLXdaSnp9KcpLNNKhbPKBep5vnG
         JIoPaEX/mh1NiwI8ptQJJERxUT168OldzKgUZ7+EVL545Yk0EWBnRCNtdtSZa0yjr88O
         8fRnGzp93bn5NR/RE22Fvaw13QMvA4xVFc7m6J+BW7pOSmMwB976UoMw6s0jtUCHYkPR
         CxITyX7Wy8G2rR9Px5INQeH+PsKSOQQQAQoMl88Dcy9DOvF6yo8XR/g7tic8jExKO/BT
         Cn49sfI3Eg4S8Rs1DatWwp/lw7EViKwHEhZPVqRkxTXP0z3gKhNPdlFnABvUGdDG3Id4
         Ly+w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-language:content-transfer-encoding:mime-version:user-agent
         :date:message-id:subject:from:to:arc-authentication-results;
        bh=QgRLF+6w7sye7fqLzlu3qDfNO47+yGPgui7mTGt5S7Y=;
        b=bPF5SMjoQhKivKP4wLWgg9uOkDudgfg/BLWiWycB9kmKxB7Eox9jMrJGSu+1wwHYMw
         HadoG0fdXLRFUj3D+/Ur2pWxIfREALH+zHGMIErkTUAN8H6rXZoQrsdrmAFvXYqKMKdq
         hk3JyUNoIED2whYzcb1lbS8ANks7hYSXwf0gTKUuzrAoCrRPoIcwWmyXMZEhZeNKhQBW
         cGmwbCnwijOSk8iAB/aX/C6cyE4OZ+K9uXbTzbwpL9u/rF83FC54JlTOSd0jpQ3MFv6Y
         sCduxKIhz9doud9ebsuB5WqKXXy7m2DlpWbzRsCozbbiKsnT0zZ0+a2UukTu+IZ87mYW
         HZ7g==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of [email protected] designates 185.160.111.248 as permitted sender) [email protected]
Return-Path: <[email protected]>
Received: from mail.moowdesign.eu (moowdesign.bisart.eu. [185.160.111.248])
        by mx.google.com with ESMTP id k16si2937045wrk.226.2017.08.12.13.07.13
        for <[email protected]>;
        Sat, 12 Aug 2017 13:07:13 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 185.160.111.248 as permitted sender) client-ip=185.160.111.248;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of [email protected] designates 185.160.111.248 as permitted sender) [email protected]
Received: from [192.168.1.69] (unknown [84.245.121.111]) by mail.moowdesign.eu (Postfix) with ESMTPSA id 19378121987 for <[email protected]>; Sat, 12 Aug 2017 22:07:12 +0200 (CEST)
To: [email protected]
From: Dominik Dancs <[email protected]>
Subject: dsadas
Message-ID: <[email protected]>
Date: Sat, 12 Aug 2017 22:07:10 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US

The thing is, I have multiple domains pointing to the same host and using the same mail server (moowdesign.eu, moow.info, fenixportal.eu, etc.), and I need all of them to have SSL email encryption.

Each domain name points to the IP, and mail.domain.tld is set as the MX DNS record (also pointing to the server IP).

My ports are forwarded, so all mail traffic reaches the server.

I use the acme.sh (https://github.com/Neilpang/acme.sh) Let'sEncrypt client to create a wildcard certificate for all domains in one certificate, and then use it in dovecot and postfix.

Question:

So the Gmail client wants the email to be encrypted by "bisart.eu", but that domain has nothing to do with my server, except that moowdesign.bisart.eu points to my server and it has a reverse record. But I can't sign a certificate with that domain/server.

What should I do? I know it's better not to leave it like this, because people who see the red icon will think it's a scam email or something, and most likely all the emails will go straight to spam. I hope there is some kind of solution.

Also, the DNS records for all my domains are, respectively:

               3600 IN MX  10 mail
@              3600 IN A   185.160.111.248
moow.info.     3600 IN TXT "v=spf1 mx a ptr ip4:185.160.111.248/32 a:mail.moow.info a:moowdesign.bisart.eu ~all"
mail           3600 IN A   185.160.111.248

My main.cf (Postfix configuration file):

compatibility_level = 2
debug_peer_level = 2

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
#daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix

mail_owner = postfix

default_privs = nobody

myhostname = mail.moowdesign.eu
mydomain = moowdesign.eu
myorigin = $mydomain
mydestination = localhost

append_dot_mydomain = no

unknown_local_recipient_reject_code = 550

mynetworks_style = host

relay_domains = *

alias_maps = hash:/etc/aliases

debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         ddd $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq

setgid_group = vmail

inet_protocols = ipv4
inet_interfaces = all

meta_directory = /etc/postfix
shlib_directory = /usr/lib/postfix
html_directory = /usr/doc/postfix-3.1.2/html
manpage_directory = /usr/man
sample_directory = /etc/postfix
readme_directory = no

smtpd_tls_cert_file = /etc/dovecot/letsencrypt.crt
smtpd_tls_CAfile = /etc/dovecot/letsencrypt.chain
smtpd_tls_key_file = /etc/dovecot/letsencrypt.key
#smtpd_tls_cert_file = /etc/dovecot/private/mail.crt
#smtpd_tls_key_file = /etc/dovecot/private/mail.key

smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination,
        reject_unknown_reverse_client_hostname,
        reject_invalid_helo_hostname,
        reject_non_fqdn_helo_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_invalid_hostname,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client sbl.spamhaus.org,
        reject_rbl_client barracudacentral.org

smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

virtual_mailbox_domains = mysql:/etc/postfix/mysql/virtual_domains_maps.cf
virtual_alias_maps =
   mysql:/etc/postfix/mysql/virtual_alias_maps.cf,
   mysql:/etc/postfix/mysql/virtual_alias_domain_maps.cf,
   mysql:/etc/postfix/mysql/virtual_alias_domain_catchall_maps.cf
virtual_mailbox_maps =
   mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf,
   mysql:/etc/postfix/mysql/virtual_alias_domain_mailbox_maps.cf

virtual_transport = lmtp:unix:/var/spool/postfix/private/dovecot-lmtp
alias_database = hash:/etc/aliases

Log of sending an email:

Aug 13 13:03:26 production postfix/smtps/smtpd[8768]: warning: hostname 84-245-121-111.dynamic.swanmobile.sk does not resolve to address 84.245.121.111: Name or service not known
Aug 13 13:03:26 production postfix/smtps/smtpd[8768]: connect from unknown[84.245.121.111]
Aug 13 13:03:27 production postfix/smtps/smtpd[8768]: 472971201BC: client=unknown[84.245.121.111], sasl_method=PLAIN, [email protected]
Aug 13 13:03:27 production postfix/cleanup[8772]: 472971201BC: message-id=<[email protected]>
Aug 13 13:03:27 production postfix/qmgr[29192]: 472971201BC: from=<[email protected]>, size=627, nrcpt=1 (queue active)
Aug 13 13:03:27 production postfix/smtps/smtpd[8768]: disconnect from unknown[84.245.121.111] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
Aug 13 13:03:29 production postfix/smtp[8775]: 472971201BC: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[64.233.167.27]:25, delay=1.9, delays=0.17/0/0.87/0.89, dsn=2.0.0, status=sent (250 2.0.0 OK 1502622209 y42si3780413wrd.170 - gsmtp)
Aug 13 13:03:29 production postfix/qmgr[29192]: 472971201BC: removed

Do I need to provide any other information to solve this?

I have tried:

  • Creating a self-signed certificate on the bisart.eu server and then using it with dovecot and postfix on my server (didn't help, it still says: "bisart.eu did not encrypt this message")
  • Creating a self-signed certificate on my server (didn't help)
  • Changing the myhostname and mydomain properties in main.cf in the postfix configuration
  • Adding an spf record to my DNS

Thanks in advance.

Answer 1
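An added example, not part of the question or of the Postfix project: a small parser for a main.cf excerpt that separates the server-side TLS parameters (smtpd_tls_*, used when the server receives mail) from the client-side ones (smtp_tls_*, used when Postfix delivers mail to another host such as Gmail). The excerpt is constructed from the configuration above; the function names are hypothetical. The check relies on a documented Postfix default: with no smtp_tls_security_level and no legacy smtp_use_tls = yes, the SMTP client sends outbound mail in the clear.

```python
"""Added example (not from the original question): parse a Postfix main.cf
excerpt and separate server-side (smtpd_tls_*) from client-side (smtp_tls_*)
TLS parameters. Postfix's SMTP client, which delivers outbound mail, reads
only the smtp_tls_* parameters."""
import re

# Constructed excerpt modelled on the main.cf in the question (sample input).
SAMPLE_MAIN_CF = """\
myhostname = mail.moowdesign.eu
smtpd_tls_cert_file = /etc/dovecot/letsencrypt.crt
smtpd_tls_CAfile = /etc/dovecot/letsencrypt.chain
smtpd_tls_key_file = /etc/dovecot/letsencrypt.key
#smtpd_tls_cert_file = /etc/dovecot/private/mail.crt
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination
"""


def parse_main_cf(text):
    """Return {parameter: value} for a main.cf body.

    Postfix syntax: 'name = value'; a line that starts with whitespace
    continues the previous value; lines starting with '#' are comments.
    """
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if not m:
            continue
        current = m.group(1)
        params[current] = m.group(2).strip()
    return params


def outbound_tls_report(params):
    """Summarise what the config says about inbound versus outbound TLS."""
    server_side = {k: v for k, v in params.items()
                   if k.startswith("smtpd_tls_") or k == "smtpd_use_tls"}
    client_side = {k: v for k, v in params.items()
                   if k.startswith("smtp_tls_") or k == "smtp_use_tls"}
    level = params.get("smtp_tls_security_level", "")
    legacy = params.get("smtp_use_tls", "no").lower() == "yes"
    # Empty level + no legacy smtp_use_tls = yes means the Postfix SMTP
    # client never offers STARTTLS on outbound connections (Postfix default).
    outbound_tls = (bool(level) and level != "none") or (not level and legacy)
    return {
        "server_side": sorted(server_side),
        "client_side": sorted(client_side),
        "outbound_tls_enabled": outbound_tls,
    }


if __name__ == "__main__":
    report = outbound_tls_report(parse_main_cf(SAMPLE_MAIN_CF))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against a real file with `parse_main_cf(open("/etc/postfix/main.cf").read())`; `postconf -n` output uses the same `name = value` form and can be fed in the same way, which is the more reliable source because it includes settings that are not in main.cf but are set elsewhere.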

Encryption of outgoing traffic has very little to do with the above.

When you send mail, your Postfix connects to Gmail (so port forwarding and MX records are not involved) and behaves like a TLS client (i.e. like a web browser, not a web server); it may present its own certificate, but it is not required to.

Also, Postfix has separate TLS settings for server and client mode, under smtpd_tls_* and smtp_tls_* respectively. Don't confuse the two.

Make sure you have the following settings enabled:

smtp_tls_security_level = may
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1

Adjust smtp_tls_CAfile to suit your OS. The smtp_tls_loglevel setting is not required, but it is useful when reading the logs.

Setting smtp_tls_cert_file and smtp_tls_key_file is not required (many mail servers either ignore client certificates or only use them for logging purposes).
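An added example, not part of the answer or of the Postfix project: a scanner for mail.log lines that reports, per outbound delivery, whether Postfix's SMTP client negotiated TLS with the relay. It depends on the "TLS connection established" lines that Postfix logs at smtp_tls_loglevel = 1 or higher, which is why the answer recommends that setting. The sample log is constructed: the first delivery mirrors the clear-text log in the question, the second shows what the same delivery looks like once outbound TLS is on; queue IDs, addresses and Gmail response IDs are made up, and the function names are hypothetical.

```python
"""Added example (not from the original answer): scan Postfix mail.log lines
for outbound deliveries and report whether each one was sent over TLS.
Relies on the 'TLS connection established' lines that Postfix's SMTP client
logs when smtp_tls_loglevel is 1 or higher."""
import re

# Constructed sample: first delivery mirrors the clear-text log in the
# question; second shows a TLS delivery as logged at smtp_tls_loglevel = 1.
SAMPLE_LOG = """\
Aug 13 13:03:29 production postfix/smtp[8775]: 472971201BC: to=<user@example.com>, relay=gmail-smtp-in.l.google.com[64.233.167.27]:25, delay=1.9, delays=0.17/0/0.87/0.89, dsn=2.0.0, status=sent (250 2.0.0 OK 1502622209 y42si3780413wrd.170 - gsmtp)
Aug 13 13:03:29 production postfix/qmgr[29192]: 472971201BC: removed
Aug 13 13:10:02 production postfix/smtp[8790]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[64.233.167.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Aug 13 13:10:03 production postfix/smtp[8790]: 4A3B71201C0: to=<user@example.com>, relay=gmail-smtp-in.l.google.com[64.233.167.27]:25, delay=1.4, delays=0.1/0/0.6/0.7, dsn=2.0.0, status=sent (250 2.0.0 OK 1502622603 z1si3780600wrd.10 - gsmtp)
"""

# Only the SMTP *client* (postfix/smtp[pid]) matters here; postfix/smtpd and
# postfix/smtps/smtpd are the server side and are skipped on purpose.
PROC_RE = re.compile(r" (postfix/smtp\[\d+\]): (.*)$")
# Postfix prefixes the TLS line with its verification outcome.
TLS_RE = re.compile(
    r"^(Verified|Trusted|Untrusted|Anonymous) TLS connection established to "
    r"(\S+): (\S+) with cipher (\S+)")
DELIVERY_RE = re.compile(r"^([0-9A-F]+): to=<([^>]*)>, relay=(\S+), .*status=(\w+)")


def scan_outbound_tls(log_text):
    """Return one dict per outbound delivery with its TLS status.

    A TLS line is remembered per smtp process and relay; the next delivery by
    the same process to the same relay is attributed to that TLS session.
    """
    tls_by_proc = {}  # (proc, relay) -> (verify level, protocol, cipher)
    results = []
    for line in log_text.splitlines():
        m = PROC_RE.search(line)
        if not m:
            continue
        proc, msg = m.groups()
        t = TLS_RE.match(msg)
        if t:
            level, relay, proto, cipher = t.groups()
            tls_by_proc[(proc, relay)] = (level, proto, cipher)
            continue
        d = DELIVERY_RE.match(msg)
        if d:
            queue_id, rcpt, relay, status = d.groups()
            tls = tls_by_proc.get((proc, relay))
            results.append({
                "queue_id": queue_id,
                "recipient": rcpt,
                "relay": relay,
                "status": status,
                "tls": tls is not None,
                "verify": tls[0] if tls else None,
                "protocol": tls[1] if tls else None,
                "cipher": tls[2] if tls else None,
            })
    return results


def cleartext_deliveries(log_text):
    """Queue IDs of deliveries for which no TLS session was logged."""
    return [r["queue_id"] for r in scan_outbound_tls(log_text) if not r["tls"]]


if __name__ == "__main__":
    for r in scan_outbound_tls(SAMPLE_LOG):
        print(f"{r['queue_id']} -> {r['relay']}: tls={r['tls']} "
              f"verify={r['verify']} protocol={r['protocol']}")
```

Two caveats when reading real logs: Postfix reuses SMTP connections, so a delivery that rides a cached connection has no TLS line of its own right before it (the session was logged when the connection was first opened), and "Untrusted" simply means the relay's certificate chain did not verify against smtp_tls_CAfile; the session is still encrypted, which is what the Gmail lock icon reflects.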
