I am trying to polish my mail server so that all TLS certificates match and everything runs as perfectly as possible. I can receive email fine. I can also send email, but when mutt checks the SMTP certificate it tells me the hostname does not match the certificate. I ~could~ disable certificate checking, but that seems to just mask the symptom rather than fix the problem. My aim is to force TLS for both IMAP receiving and SMTP sending. I don't intend to allow POP access at all.
As far as I can tell, the server hostname is set correctly, and both the kernel and the Postfix configuration report it.
My server hostname does have an A record in DNS pointing to the correct IP.
- The server's webmail can be reached at https://webmail.poindexter.farm/ with the username and password below
- SMTP (postfix) and IMAP (dovecot) are both on hwsrv-690473.poindexter.farm
- I created a test user account to help you folks; the username and password are both "test"
Any help would be greatly appreciated!
I was asked to run a magic ssl command... I don't know how it works.
brad@mini-odin:~ $ echo "" | openssl s_client -connect poindexter.farm:587 -starttls smtp | openssl x509 -noout -text | grep -1 'Alternative Name'
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0
250 SMTPUTF8
DONE
X509v3 Subject Alternative Name:
DNS:hwsrv-690473.poindexter.farm
muttrc on the client machine
brad@mini-odin:~ $ cat .muttrc
# vi ~/.muttrc
# About Me
set from = "[email protected]"
set realname = "test account"
# My credentials
set smtp_url = "smtp://[email protected]:587/"
set smtp_pass = "test"
set imap_user = "test" #-This allows login when opening mutt
set imap_pass = "test"
#set smtp_authenticators="login"
set ssl_starttls = yes
set ssl_force_tls = yes
# My mailboxes
set folder = "imaps://hwsrv-690473.poindexter.farm:993"
set spoolfile = "+INBOX"
# Where to put the stuff
set header_cache = "~/.mutt/cache/headers"
set message_cachedir = "~/.mutt/cache/bodies"
set certificate_file = "~/.mutt/certificates"
# Etc
set mail_check = 30
set move = no
set imap_keepalive = 900
set sort = threads
set editor = "vim"
# GnuPG bootstrap
# source ~/.mutt/gpg.rc
brad@mini-odin:~ $
mutt debug file, starting from pressing y to send a composed email
brad@mini-odin:~ $ cat .muttdebug0
[2020-06-11 11:57:36] In mutt_reflow_windows
[2020-06-11 11:57:38] Sending message...
[2020-06-11 11:57:38] ../../sendlib.c:2782: mutt_mktemp returns "/tmp/mutt-mini-odin-1001-25828-368841125475337537".
[2020-06-11 11:57:38] mwoh: buf[Subject: test email] is short enough
[2020-06-11 11:57:38] ../../send.c:987: mutt_mktemp returns "/tmp/mutt-mini-odin-1001-25828-15718660201142318120".
[2020-06-11 11:57:38] mwoh: buf[Subject: test email] is short enough
[2020-06-11 11:57:38] Looking up poindexter.farm...
[2020-06-11 11:57:38] Connecting to poindexter.farm...
[2020-06-11 11:57:38] Connected to poindexter.farm:587 on fd=5
[2020-06-11 11:57:38] 5< 220 hwsrv-690473.poindexter.farm ESMTP Postfix (Debian/GNU)
[2020-06-11 11:57:38] 5> EHLO localhost
[2020-06-11 11:57:38] 5< 250-hwsrv-690473.poindexter.farm
[2020-06-11 11:57:38] 5< 250-PIPELINING
[2020-06-11 11:57:38] 5< 250-SIZE 10240000
[2020-06-11 11:57:38] 5< 250-VRFY
[2020-06-11 11:57:38] 5< 250-ETRN
[2020-06-11 11:57:38] 5< 250-STARTTLS
[2020-06-11 11:57:38] 5< 250-ENHANCEDSTATUSCODES
[2020-06-11 11:57:38] 5< 250-8BITMIME
[2020-06-11 11:57:38] 5< 250-DSN
[2020-06-11 11:57:38] 5< 250 SMTPUTF8
[2020-06-11 11:57:38] 5> STARTTLS
[2020-06-11 11:57:38] 5< 220 2.0.0 Ready to start TLS
[2020-06-11 11:57:57] SSL/TLS connection using TLS1.2 (ECDHE-RSA/AES-256-GCM/AEAD)
[2020-06-11 11:57:58] 5> EHLO localhost
[2020-06-11 11:57:58] 5< 250-hwsrv-690473.poindexter.farm
[2020-06-11 11:57:58] 5< 250-PIPELINING
[2020-06-11 11:57:58] 5< 250-SIZE 10240000
[2020-06-11 11:57:58] 5< 250-VRFY
[2020-06-11 11:57:58] 5< 250-ETRN
[2020-06-11 11:57:58] 5< 250-AUTH PLAIN LOGIN
[2020-06-11 11:57:58] 5< 250-ENHANCEDSTATUSCODES
[2020-06-11 11:57:58] 5< 250-8BITMIME
[2020-06-11 11:57:58] 5< 250-DSN
[2020-06-11 11:57:58] 5< 250 SMTPUTF8
[2020-06-11 11:57:58] SASL local ip: 192.168.1.10;55794, remote ip:192.119.74.117;587
[2020-06-11 11:57:58] External SSF: 256
[2020-06-11 11:57:58] External authentication name: test
[2020-06-11 11:57:58] Authenticating (LOGIN)...
[2020-06-11 11:57:58] 5> AUTH LOGIN
[2020-06-11 11:57:58] 5< 334 VXNlcm5hbWU6
[2020-06-11 11:57:58] mutt_sasl_cb_authname: getting authname for poindexter.farm:587
[2020-06-11 11:57:58] 5> dGVzdA==
[2020-06-11 11:57:58] 5< 334 UGFzc3dvcmQ6
[2020-06-11 11:57:58] mutt_sasl_cb_pass: getting password for [email protected]:587
[2020-06-11 11:57:58] 5> dGVzdA==
[2020-06-11 11:57:58] 5< 235 2.7.0 Authentication successful
[2020-06-11 11:57:58] SASL protection strength: 0
[2020-06-11 11:57:58] SASL protection buffer size: 65536
[2020-06-11 11:57:58] 5> MAIL FROM:<[email protected]>
[2020-06-11 11:57:58] 5< 250 2.1.0 Ok
[2020-06-11 11:57:58] 5> RCPT TO:<[email protected]>
[2020-06-11 11:57:58] 5< 250 2.1.5 Ok
[2020-06-11 11:57:58] 5> RCPT TO:<[email protected]>
[2020-06-11 11:57:58] 5< 250 2.1.5 Ok
[2020-06-11 11:57:58] updating progress: 0K
[2020-06-11 11:57:58] Sending message... 0K/0.4K (0%)
[2020-06-11 11:57:58] 5> DATA
[2020-06-11 11:57:58] 5< 354 End data with <CR><LF>.<CR><LF>
[2020-06-11 11:57:58] 5> Date: Thu, 11 Jun 2020 11:57:38 -0500
[2020-06-11 11:57:58] 5> From: test account <[email protected]>
[2020-06-11 11:57:58] 5> To: [email protected], [email protected]
[2020-06-11 11:57:58] 5> Subject: test email
[2020-06-11 11:57:58] 5> Message-ID: <20200611165738.GA25828@localhost>
[2020-06-11 11:57:58] 5> MIME-Version: 1.0
[2020-06-11 11:57:58] 5> Content-Type: text/plain; charset=us-ascii
[2020-06-11 11:57:58] 5> Content-Disposition: inline
[2020-06-11 11:57:58] 5> User-Agent: Mutt/1.10.1 (2018-07-13)
[2020-06-11 11:57:58] 5>
[2020-06-11 11:57:58] 5> sending a test email to check smtp certificate
[2020-06-11 11:57:58] 5> .
[2020-06-11 11:57:59] 5< 250 2.0.0 Ok: queued as CE28F82380
[2020-06-11 11:57:59] 5> QUIT
[2020-06-11 11:57:59] Mail sent.
[2020-06-11 11:57:59] mutt_free_body: unlinking /tmp/mutt-mini-odin-1001-25828-1671701897145424224.
[2020-06-11 11:59:08] mutt_index_menu[729]: Got op 151
[2020-06-11 11:59:08] Mailbox is unchanged.
[2020-06-11 11:59:08] Closing connection to hwsrv-690473.poindexter.farm...
[2020-06-11 11:59:08] 4> a0005 CLOSE
a0006 LOGOUT
[2020-06-11 11:59:08] 4< a0005 OK Close completed (0.000 + 0.000 secs).
[2020-06-11 11:59:08] 4< * BYE Logging out
[2020-06-11 11:59:08] Handling BYE
[2020-06-11 11:59:08] 4< a0006 OK Logout completed (0.000 + 0.000 secs).
[2020-06-11 11:59:08] IMAP queue drained
brad@mini-odin:~ $
postfix hostname configuration
brad@hwsrv-690473:/home/brad$ sudo postconf -d myhostname
[sudo] password for brad:
myhostname = hwsrv-690473.poindexter.farm
brad@hwsrv-690473:/home/brad$
Server hostname
brad@hwsrv-690473:/home/brad$ hostname
hwsrv-690473.poindexter.farm
brad@hwsrv-690473:/home/brad$ hostnamectl
Static hostname: hwsrv-690473.poindexter.farm
Icon name: computer-vm
Chassis: vm
Machine ID: a945a3535aa8484399fd888f61e31e6d
Boot ID: 4e25349837c340e280e1060eff314f7c
Virtualization: kvm
Operating System: Debian GNU/Linux 9 (stretch)
Kernel: Linux 4.9.0-3-amd64
Architecture: x86-64
brad@hwsrv-690473:/home/brad$ cat /proc/sys/kernel/hostname
hwsrv-690473.poindexter.farm
brad@hwsrv-690473:/home/brad$
Server /etc/postfix/main.cf
brad@hwsrv-690473:/home/brad$cat /etc/postfix/main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
delay_warning_time = 1h
readme_directory = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2
# TLS parameters
#smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_cert_file=/etc/letsencrypt/live/hwsrv-690473.poindexter.farm/fullchain.pem
#smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_key_file=/etc/letsencrypt/live/hwsrv-690473.poindexter.farm/privkey.pem
smtpd_use_tls=yes
smtp_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = hwsrv-690473.poindexter.farm
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, poindexter.farm, localhost.farm, , localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
# Mail will be stored in users' ~/Maildir directories
#
# NB: make sure to enforce this setting as well in the `mail_location`
# of /etc/dovecot/conf.d/10-mail.conf (thanks to Markus Hoffmann for
# pointing this out):
#
# mail_location = maildir:~/Maildir
#
home_mailbox = Maildir/
mailbox_command =
# From http://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
# SPF stuff
smtpd_recipient_restrictions =
permit_sasl_authenticated,
reject_invalid_hostname,
reject_unknown_recipient_domain,
reject_unauth_destination,
reject_rbl_client sbl.spamhaus.org,
check_policy_service unix:private/policy-spf,
check_sender_access hash:/etc/postfix/sender_access,
check_recipient_access hash:/etc/postfix/recipient_access,
permit
policy-spf_time_limit = 3600s
#
# DKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
brad@hwsrv-690473:/home/brad$
Answer 1
I knew garethTheRed was on the right track; it stands to reason that the hostname is different somewhere.
Changing the hostname on the server is not an option, because I run other services on it.
However, I decided to experiment more with .muttrc and found the solution!
.muttrc lines
#set smtp_url = "smtp://[email protected]:587/" # this did not work
set smtp_url = "smtp://[email protected]:587/" # this works
The first line, basically username@domainname:port, does not work.
The second line, username@serverhostname:port, works like a charm!
Thanks, garethTheRed!
Answer 2
Your mutt client is connecting to the SMTP server at smtp://[email protected]:587/, so the hostname is poindexter.farm. However, your Let's Encrypt certificate has a Subject Alternative Name (SAN) extension containing the dNSName hwsrv-690473.poindexter.farm. You can see this with:
echo "" | openssl s_client -connect poindexter.farm:587 -starttls smtp | openssl x509 -noout -text | grep -1 'Alternative Name'
The command above uses OpenSSL acting as a client (openssl s_client -connect poindexter.farm:587 -starttls smtp) and connects to your server at poindexter.farm:587, where it pretends to be an SMTPS client (-starttls smtp). As part of the handshake, your server returns its certificate, which the command prints among a lot of other information. That data is piped (|) into another OpenSSL command (openssl x509 -noout -text), which takes the certificate (conveniently in the PEM format the previous command output), decodes it and prints it as human-readable text. Finally, this text output is piped (|) to grep (grep -1 'Alternative Name'), which filters for the phrase "Alternative Name" and prints that line and the next one (because of -1). You can see the whole certificate by removing the last pipe and the grep.
As you can see, the hostname you are accessing does not match the name in the certificate, hence the hostname does not match message.
You need to either configure DNS so that mutt accesses the server using the SAN hwsrv-690473.poindexter.farm, or obtain a new certificate with the SAN poindexter.farm. In other words, they should match.
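The mismatch described in this answer, reproduced as an added example that is not part of the thread: a small RFC 6125-style check of a connect hostname against a certificate's dNSName SANs, plus a live STARTTLS variant of the openssl pipeline. The SAN value and the two hostnames are constructed from the thread; the function names are my own.

```python
# Added example (not from the thread): does the name a client connects to
# match the certificate's SAN? Values are constructed from the thread.
import smtplib
import ssl

def hostname_matches_san(hostname: str, san_dns_names: list[str]) -> bool:
    """RFC 6125-style match of a hostname against the dNSName SAN entries.
    Case-insensitive; a wildcard is honoured only as the entire leftmost
    label and matches exactly one label, never a bare registrable domain."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in san_dns_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host_labels):
            continue  # a wildcard covers one label only, so label counts must agree
        if labels[0] == "*" and len(labels) >= 3:
            if labels[1:] == host_labels[1:]:
                return True
        elif labels == host_labels:
            return True
    return False

def verdict(connect_host: str, san_dns_names: list[str]) -> str:
    """The conclusion a verifying client (mutt, or openssl with
    -verify_hostname) reaches for the name it connected to."""
    if hostname_matches_san(connect_host, san_dns_names):
        return f"OK: {connect_host} is covered by SAN {san_dns_names}"
    return f"hostname does not match: {connect_host} not in SAN {san_dns_names}"

def fetch_smtp_san(host: str, port: int = 587) -> list[str]:
    """Live variant of the openssl pipeline in the answer: STARTTLS to
    host:port and return the dNSName SANs of the presented certificate.
    The default context keeps check_hostname=True, so a mismatch raises
    ssl.SSLCertVerificationError, the same failure mutt reports."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.starttls(context=ctx)
        cert = smtp.sock.getpeercert()
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

# Constructed from the thread: the SAN openssl printed, and the two hosts tried.
CERT_SAN = ["hwsrv-690473.poindexter.farm"]

if __name__ == "__main__":
    for host in ("poindexter.farm", "hwsrv-690473.poindexter.farm"):
        print(verdict(host, CERT_SAN))
```

Running it offline shows the first smtp_url from Answer 1 failing and the second passing; fetch_smtp_san() is the network check against a real server.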