I have set up postfix with dovecot, and I can even connect remotely over IMAP with the Thunderbird client and receive mail.
But I cannot send through the SMTP server. When I connect to my server with a local telnet session, telnet mail.mydomain.com 25, and then run ehlo mail.mydomain.com, there is no 250-AUTH line. Is this the problem? How do I fix it?
I have smtpd_sasl_auth_enable = yes in the main configuration file.
Answer 1
smtpd_tls_auth_only = yes
needs to be changed to
smtpd_tls_auth_only = no
Answer 2
Does postconf smtpd_tls_auth_only output the following?
smtpd_tls_auth_only = yes
If so, you need to use STARTTLS before authenticating.
You can disable the setting to allow unencrypted authentication (not recommended).
You can debug with STARTTLS:
openssl s_client -connect $YOUR_SMTP_SERVER:25 -starttls smtp -CApath $PATH_TO_CA_DIR
Answer 3
It's a bit of a long shot, but have you verified with lsof that it is actually listening on TCP 25?
答案4
如果您的smtpd_tls_auth_only
设置为yes
:
# postconf smtpd_tls_auth_only
smtpd_tls_auth_only = yes
然后,您就已将smtpd_tls_security_level
设置为encrypt
。
# postconf smtpd_tls_security_level
smtpd_tls_security_level = encrypt
这导致将端口 25 设置为永不提供 STARTTLS,并完美地解释了为什么以下测试 TLS 练习显示不提供加密:
# openssl s_client -connect $YOUR_SMTP_SERVER:25 -starttls smtp -CApath /etc/ssl/certs
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 230 bytes and written 334 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
You can still use port 25 offering only encrypt (which is what you have set it to), but by doing so you completely change the nature of port 25 as something the rest of the Internet can interoperate with.
That means your server will never be usable in the wild Internet.
To fix this, you must set the following in /etc/postfix/main.cf:
# smtpd_tls_security_level (empty)
# The SMTP TLS security level for the Postfix SMTP server; when a
# non-empty value is specified, this overrides the obsolete parameters
# smtpd_use_tls and smtpd_enforce_tls.
# Specify one of the following security levels:
#
# none
# TLS will not be used.
# may
# Opportunistic TLS: announce STARTTLS support
# to remote SMTP clients, but do not require that
# clients use TLS encryption.
# encrypt
# Mandatory TLS encryption: announce STARTTLS
# support to remote SMTP clients, and require
# that clients use TLS encryption. According to
# RFC 2487 this MUST NOT be applied in case of
# a publicly-referenced SMTP server. Instead,
# this option should be used only on dedicated
# servers.
#
# Note 1: the "fingerprint", "verify" and "secure" levels
# are not supported here. The Postfix SMTP server logs a
# warning and uses "encrypt" instead. To verify remote
# SMTP client certificates, see TLS_README for a
# discussion of the smtpd_tls_ask_ccert,
# smtpd_tls_req_ccert, and permit_tls_clientcerts
# features.
#
# Note 2: The parameter setting
# "smtpd_tls_security_level = encrypt" implies
# "smtpd_tls_auth_only = yes".
#
# Note 3: when invoked via "sendmail -bs", Postfix will
# never offer STARTTLS due to insufficient privileges to
# access the server private key. This is intended behavior.
smtpd_tls_security_level = may
In short, the encrypt setting is only of practical use for certain mail relays and mail bastion hosts inside private networks. Change it to may.
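As an added example (not from the question or any of the answers above), a small Python script that does what Answers 2 and 4 describe by hand: EHLO on port 25, STARTTLS if it is advertised, EHLO again, then compare the two extension lists to tell "AUTH hidden until TLS" (smtpd_tls_auth_only = yes) apart from "no TLS offered at all". The host name mail.mydomain.com and the sample EHLO replies are constructed for the offline part.

```python
import smtplib
import ssl
from typing import Optional

# Constructed sample EHLO reply bodies, in the form smtplib.SMTP.ehlo() returns
# them: the same server before STARTTLS (AUTH hidden) and after STARTTLS.
PLAINTEXT_REPLY = (b"mail.mydomain.com\nPIPELINING\nSIZE 10240000\nSTARTTLS\n"
                   b"ENHANCEDSTATUSCODES\n8BITMIME\nDSN")
AFTER_TLS_REPLY = (b"mail.mydomain.com\nPIPELINING\nSIZE 10240000\n"
                   b"AUTH PLAIN LOGIN\nENHANCEDSTATUSCODES\n8BITMIME\nDSN")

def parse_ehlo(reply: bytes) -> dict:
    """Turn an EHLO reply body into {KEYWORD: [parameters]}. The first line
    is the server's own hostname, not an extension, so it is skipped."""
    caps = {}
    for line in reply.decode("latin-1").splitlines()[1:]:
        parts = line.split()
        if parts:
            caps[parts[0].upper()] = parts[1:]
    return caps

def diagnose(before: dict, after: Optional[dict]) -> tuple:
    """before: extensions on the plaintext session; after: extensions seen
    after STARTTLS (None when STARTTLS was not offered or not attempted).
    Returns (short tag, explanation)."""
    if "AUTH" in before:
        return ("auth-plaintext", "AUTH is offered without TLS "
                "(smtpd_tls_auth_only = no, or TLS is off)")
    if "STARTTLS" not in before:
        return ("no-tls", "neither STARTTLS nor AUTH is advertised: Postfix is "
                "not offering TLS on this port; check smtpd_tls_security_level "
                "and the TLS certificate/key settings")
    if after is not None and "AUTH" in after:
        return ("auth-after-tls", "AUTH appears only after STARTTLS: "
                "smtpd_tls_auth_only = yes; make the client use STARTTLS "
                "(or the submission port) rather than disabling it")
    return ("no-auth", "STARTTLS works but AUTH is never advertised: check "
            "smtpd_sasl_auth_enable and the Dovecot SASL socket")

def probe(host: str, port: int = 25) -> tuple:
    """Live check: EHLO, STARTTLS if offered, EHLO again, then diagnose.
    A certificate that fails verification raises ssl.SSLError here."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        before = parse_ehlo(smtp.ehlo()[1])
        after = None
        if smtp.has_extn("starttls"):
            smtp.starttls(context=ssl.create_default_context())
            after = parse_ehlo(smtp.ehlo()[1])
    return diagnose(before, after)
```

Run probe("mail.mydomain.com") from a host that can reach port 25; the offline sample replies above reproduce the questioner's situation (STARTTLS present, AUTH only after it).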