无需网络服务器,直接从 PostFix / Dovecot 向 Thunderbird 提供 SSL 证书

tag-icon tag-icon apache-http-server thunderbird postfix dovecot letsencrypt
无需网络服务器,直接从 PostFix / Dovecot 向 Thunderbird 提供 SSL 证书

Web 服务器主机:web.example.nl

邮件服务器主机:邮件.example.nl

邮件用户: [电子邮件保护] (为该域名颁发的 letsencrypt 证书)

我正在尝试在 mail.example.nl 上设置一个不使用 Apache 或任何其他 Web 服务器功能的新邮件服务器,以便邮件服务器保持“干净”。对于 SSL 证书,我使用基于 Letsencrypt DNS 的验证,效果很好。

我在 Virtualmin 中创建了第一个邮件用户([电子邮件保护]) 甚至使用 Virtualmin UI 在 PostFix / DoveCot(针对此特定主机)中安装了 SSL 证书。

但是当我尝试在 Thunderbird 中添加电子邮件帐户时,Thunderbird 会尝试从 web.example.nl 上的网络服务器获取证书,而不是从我的邮件服务器 mail.example.nl 获取证书。我猜这是因为 Thunderbird 无法在 mail.example.nl 上找到任何网络服务器,所以它会检查根域。(因此,我收到 SSL 不匹配错误,因为 web.example.nl 上的服务器没有 mail.example.nl 的证书)

现在我想知道;难道不能直接从 Dovecot 或 Postfix 向 Thunderbird 提供 SSL 证书吗?还是我总是需要一个 Web 服务器来实现这一点?

编辑:这是 open_ssl 的输出:

$: openssl s_client-showcerts-服务器名称 mail.user.nl-connect mail.user.nl:993

openssl s_client -showcerts -servername mail.user.nl -connect mail.user.nl:993

depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mail.user.nl
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = mail.user.nl
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 19 14:11:02 2023 GMT; NotAfter: Apr 19 14:11:01 2023 GMT
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
---
Server certificate
subject=CN = mail.user.nl
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4599 bytes and written 408 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE

相关内容