我已经在运行 Debian 的小型 VPS 上进行了安装和配置sendmail,以便在出现问题时发送一些电子邮件通知。目前,该设置似乎工作正常,但由于这些通知可能包含一些敏感数据,我想对它们进行加密。
因此,运行几次该sendmailconfig命令,我注意到sendmail可以配置为使用 STARTTLS:
Everything you need to support STARTTLS (encrypted mail transmission
and user authentication via certificates) is installed and configured
but is *NOT* being used.
To enable sendmail to use STARTTLS, you need to:
1) Add this line to /etc/mail/sendmail.mc and optionally
to /etc/mail/submit.mc:
include(`/etc/mail/tls/starttls.m4')dnl
2) Run sendmailconfig
3) Restart sendmail
我已在适当的配置文件中添加了上述语句,一切似乎仍然有效。但是发送带有参数的测试电子邮件-v,控制台输出与之前的测试相比似乎没有什么不同(我看到类似050 250-STARTTLSor 的语句050 >>> STARTTLS,但它们也在设置 STARTTLS 之前打印)。
那么,我如何检查sendmail电子邮件是否真正加密?
问题更新 n.1
正如一些评论中所建议的,我将附上我在前几个小时所做的一些测试的对话内容。
模仿这对话,这是我用本地 SMTP 进行的对话:
$ netcat -Cw 60 localhost 25
220 mail.MYDOMAIN.com ESMTP Sendmail 8.15.2/8.15.2/Debian-14~deb10u1; Fri, 5 Jun 2020 14:40:15 GMT; (No UCE/UBE) logging access from: localhost(OK)-localhost [127.0.0.1]
EHLO localhost
250-mail.MYDOMAIN.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250 HELP
MAIL FROM: <[email protected]>
250 2.1.0 <[email protected]>... Sender ok
RCPT TO: <[email protected]>
250 2.1.5 <[email protected]>... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
From: <[email protected]>
To: <[email protected]>
Subject: Sendmail test
.
250 2.0.0 055EeF7x000698 Message accepted for delivery
QUIT
221 2.0.0 mail.MYDOMAIN.com closing connection
但是,当尝试在 Outlook SMTP 服务器上执行相同操作时(因为上述通知的收件人是我的免费 Outlook 电子邮件),对话在第二步停止:
$ netcat -Cw 60 smtp-mail.outlook.com 25
220 LO2P265CA0139.outlook.office365.com Microsoft ESMTP MAIL Service ready at Fri, 5 Jun 2020 14:56:40 +0000
EHLO mail.MYDOMAIN.com
250-LO2P265CA0139.outlook.office365.com Hello [MYIP]
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8
MAIL FROM: <[email protected]>
530 5.7.57 SMTP; Client was not authenticated to send anonymous mail during MAIL FROM [LO2P265CA0139.GBRP265.PROD.OUTLOOK.COM]
我还尝试比较了分别在 STARTTLS 设置之前和之后发送的一些电子邮件的标头,我发现了一个有趣的差异:
Received: from mail.MYDOMAIN.com (localhost [127.0.0.1])
by mail.MYDOMAIN.com (8.15.2/8.15.2/Debian-14~deb10u1) with ESMTPS id 054G4khN002213
(version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NOT)
for <[email protected]>; Thu, 4 Jun 2020 16:04:46 GMT
以前的电子邮件标头中不存在括号之间的加密信息。这是否可以作为 STARTTLS 实际使用的线索?
问题更新 n.2
如果它有用,我还会sendmail在发送测试电子邮件时以详细模式附加输出到控制台的内容:
$ echo 'Subject: Sendmail test' | sudo sendmail -v -f [email protected] [email protected]
[email protected]... Connecting to [127.0.0.1] via relay...
220 mail.MYDOMAIN.com ESMTP Sendmail 8.15.2/8.15.2/Debian-14~deb10u1; Sun, 7 Jun 2020 12:28:05 GMT; (No UCE/UBE) logging access from: localhost(OK)-localhost [127.0.0.1]
>>> EHLO mail.musnet.io
250-mail.MYDOMAIN.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250 HELP
>>> VERB
250 2.0.0 Verbose mode
>>> STARTTLS
220 2.0.0 Ready to start TLS
>>> EHLO mail.musnet.io
250-mail.MYDOMAIN.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP
>>> VERB
250 2.0.0 Verbose mode
>>> MAIL From:<[email protected]> SIZE=23 [email protected]
250 2.1.0 <[email protected]>... Sender ok
>>> RCPT To:<[email protected]>
>>> DATA
250 2.1.5 <[email protected]>... Recipient ok
354 Enter mail, end with "." on a line by itself
>>> .
050 <[email protected]>... Connecting to outlook-com.olc.protection.outlook.com. via esmtp...
050 220 DM6NAM12FT067.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Sun, 7 Jun 2020 12:28:05 +0000
050 >>> EHLO mail.MYDOMAIN.com
050 250-DM6NAM12FT067.mail.protection.outlook.com Hello [MYIP]
050 250-SIZE 49283072
050 250-PIPELINING
050 250-DSN
050 250-ENHANCEDSTATUSCODES
050 250-STARTTLS
050 250-8BITMIME
050 250-BINARYMIME
050 250-CHUNKING
050 250 SMTPUTF8
050 >>> STARTTLS
050 220 2.0.0 SMTP server ready
050 >>> EHLO mail.MYDOMAIN.com
050 250-DM6NAM12FT067.mail.protection.outlook.com Hello [MYIP]
050 250-SIZE 49283072
050 250-PIPELINING
050 250-DSN
050 250-ENHANCEDSTATUSCODES
050 250-8BITMIME
050 250-BINARYMIME
050 250-CHUNKING
050 250 SMTPUTF8
050 >>> MAIL From:<[email protected]> SIZE=305
050 250 2.1.0 Sender OK
050 >>> RCPT To:<[email protected]>
050 >>> DATA
050 250 2.1.5 Recipient OK
050 354 Start mail input; end with <CRLF>.<CRLF>
050 >>> .
050 250 2.6.0 <[email protected]> [InternalId=29785598229520, Hostname=DM6NAM12HT069.eop-nam12.prod.protection.outlook.com] 7377 bytes in 0.217, 33.122 KB/sec Queued mail for delivery -> 250 2.1.5
050 <[email protected]>... Sent (<[email protected]> [InternalId=29785598229520, Hostname=DM6NAM12HT069.eop-nam12.prod.protection.outlook.com] 7377 bytes in 0.217, 33.122 KB/sec Queued mail for delivery -> 250 2.1.5)
250 2.0.0 057CS569006414 Message accepted for delivery
[email protected]... Sent (057CS569006414 Message accepted for delivery)
Closing connection to [127.0.0.1]
>>> QUIT
221 2.0.0 mail.MYDOMAIN.com closing connection
答案1
您可以使用 SMTP 连接到端口 25 上的相关计算机nc并手动说出 SMTP。
维基百科给出了一个示例对话。如果您通过网络连接,您可能还需要进行身份验证。
MAIL FROM通常,如果您正确配置了 STARTTLS 并且需要它,如果客户端未完成 TLS 协商和握手,服务器将拒绝接受电子邮件(例如将失败)。
请注意,MTA 通常还允许配置可选的传输加密(接受 STARTTLS,但不是必需的)。
答案2
参考你问题中的三个例子,
- 您的服务器为传入消息提供 STARTTLS,但不需要它(
250-STARTTLS包含在初始响应中) - Exchange Online 为传入邮件提供 STARTTLS 并需要它(
250-STARTTLS包含在初始响应中) - 如果接收者提供(
STARTTLS在对话中使用),您的服务器将使用 STARTTLS 发送消息
没有显示如果您的服务器尝试发送到不提供 STARTTLS 的系统会发生什么