到目前为止,我已经在 raspberry pi (debian) 上使用 postfix / dovecot 设置了一个电子邮件服务器。我可以向外部和内部发送电子邮件,没有问题,但是只能从我的服务器内部接收电子邮件。
我认为这是因为我已经为 TLS 设置了一切,但还没有为我的服务器提供有效的证书,然而,为了获取有效的证书,我需要为我的服务器提供有效的电子邮件地址([电子邮件保护])。如果我需要证书的电子邮件地址,并且需要电子邮件地址的证书,我就会陷入一种循环!
因此,我如何才能暂时允许我的服务器接受不需要 TLS 的连接和电子邮件(在我获得证书之前基本上没有安全性)?这是正确的做法吗?也许我错了,但我只是想接收电子邮件……
以下是我的设置:
我的 main.cf 文件:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
#smtpd_tls_CAfile = /etc/postfix/ssl/caroot.crt
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = finendale.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost, finendale.com, localhost.finendale.com
smtp_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
smtp_sasl_security_options = noanonymous
relayhost = [relay.dynu.com]:2525
smtp_generic_maps = hash:/etc/postfix/generic
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
smtpd_recipient_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination
smtpd_helo_required = yes
smtpd_helo_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
reject_unknown_help_hostname
check_helo_access hash:/etc/postfix/helo_access
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
#smtpd_tls_auth_only = yes
home_mailbox = Maildir/
我的master.cf文件:
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
2525 inet n - - - - smtpd
#smtp inet n - - - 1 postscreen
#smtpd pass - - - - - smtpd
#dnsblog unix - - - - 0 dnsblog
#tlsproxy unix - - - - 0 tlsproxy
submission inet n - y - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - - - - qmqpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}
答案1
我认为这是因为我已经为 TLS 设置了一切,但还没有有效的证书
您应该首先检查 Postfix 日志和防火墙日志,以确保是问题。
因此,我如何暂时允许我的服务器接受不需要 TLS 的连接和电子邮件(在我获得证书之前基本上没有安全性)?
这取决于 Dynu 如何向您发送邮件。请注意,根据您的图表和 DNS 记录,您的服务器不应该接收来自邮件发件人的任何直接连接,仅有的来自 Dynu 继电器。
您的图表显示您已将 Dynu 配置为在端口 465 上将邮件转发到您的服务器。由于它是仅 TLS 端口,因此您必须首先检查 Dynu 的配置,以确保预计有效证书。根据其提供的选项,配置 Dynu 服务以接受无效证书(您已经拥有),或者在不同的端口上中继邮件(在您的配置中,端口 2525 是非 TLS)。
如果 Dynu 配置为将邮件传递到您服务器上的端口 465,则现有的自签名证书应该足够好以使用 TLS。
如果 Dynu 配置为将邮件发送到服务器上的 2525 端口,请删除您添加的“需要 TLS”参数,特别是
smtpd_use_tls。实际上,它不应该首先进行全局设置——不同的端口对于是否强制执行 TLS 有不同的要求。(请注意,“提交”和“smtps”服务已经有-o选项行来为每个端口强制执行 TLS。)
请注意,证书的名称需要与其他 SMTP 客户端连接的实际(子)域相匹配 -不是与您的电子邮件地址中的 @domain 进行比较。如果两者相同,则没有问题,但对于大多数人的域名而言,两者并不相同。
在直接交付中,证书需要与 MX 记录中的名称匹配。例如,如果您有MX 0 mail.finendale.com.,则需要“mail.finendale.com”的证书。
但是因为您只通过 Dynu 中继接收邮件,所以证书需要与 Dynu 配置中输入的任何主机名相匹配。
以下是我的设置
图中端口标签没有意义。您的域名不会在任何端口上接收邮件,也不会在任何其他端口上转发邮件。finendale.com 上的 MX 记录反而会告诉发件人直接地将入站邮件递送至mx1.dynu.com端口 25。