你好!
我正在设置 postfix。
我想要实现的是所有内部各方之间可信的 TLS 连接。我们为所有内部证书部署了带有 Windows Server 2012 R2 CA 的 PKI 基础架构。
我们正在使用这些 Postfix 机器作为互联网中继,并且所有交换机器都通过这些 Postfix 机器发送出站电子邮件。
我们的 Exchange Server 2013 已分配来自内部 CA 的证书。CA 根证书已推广到 Postfix 机器。Postfix 机器本身具有由 comodo 颁发的证书。
我可以使用 openssl 验证 Exchange 和 Postfix:
openssl s_client -starttls smtp -connect XXXXXX:25 -CAfile /etc/ssl/certs/ca-certificates.crt
Exchange 的结果是:
-----END CERTIFICATE-----
subject=/C=DE/ST=NRW/L=XXX/O=XXX/OU=IT/CN=exdb04.XXX
issuer=/DC=XXX/DC=XXX/CN=XXX-AD05-CA
---
No client certificate CA names sent
---
SSL handshake has read 1955 bytes and written 553 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: E5180000ABE0F0824C152D04DF7CA7FB63835B573B06E9EBCA58D714852664E5
Session-ID-ctx:
Master-Key: B0E445A6DEF7E225CCC602EDC8FE21A023EC683EEC1BEF3DC57EE2914D47A19B2E0ADAD5D4794900AE21B4D401FD66B9
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1393236731
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
250 XSHADOWREQUEST
对于后缀:
---
SSL handshake has read 24140 bytes and written 534 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 2D9409D1C4B2E391B0C64007F93B54C4938120B167782025D4809FC1C8143D6E
Session-ID-ctx:
Master-Key: 61A5DF94DAF7047B9B4FD9A9DB9E5F9F23518FA7DF78A7989720B138F663292054CAA63648A31A93BCBBA5DDBDB2008A
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 3600 (seconds)
TLS session ticket:
0000 - fb 0f bc 6b 17 f4 bc fb-61 20 dc 3d e1 b1 93 15 ...k....a .=....
0010 - 83 61 93 3e 4f c7 1c b7-3b 0c 4e 4b da 23 08 8e .a.>O...;.NK.#..
0020 - 4b 3c 19 2c c0 0d 6a 1d-69 2c d3 7c d9 20 8b 2b K<.,..j.i,.|. .+
0030 - 17 65 d2 d1 25 7d 26 7e-7b bd 76 f2 2a ae 3c 21 .e..%}&~{.v.*.<!
0040 - 33 4f c3 55 7e 6a fe 55-78 b9 fd 4e c1 f7 9b e2 3O.U~j.Ux..N....
0050 - e3 2f 78 2c 06 21 bb 0b-20 e2 93 6b dd 06 2f e6 ./x,.!.. ..k../.
0060 - 10 30 84 d2 02 c2 5a 36-4b f3 50 18 7f 28 62 ab .0....Z6K.P..(b.
0070 - cc 15 4c cc bc 64 a5 a5-2c 26 d1 95 3f 77 2c ee ..L..d..,&..?w,.
0080 - 36 4b a6 91 b0 05 68 28-8a 34 3c 27 04 7d 66 48 6K....h(.4<'.}fH
0090 - d5 19 2e c8 bb e2 c3 96-06 de 3d b1 6d 0b 79 58 ..........=.m.yX
00a0 - 37 89 4e 2d 95 44 24 39-39 00 8e f4 6c 1c 54 6a 7.N-.D$99...l.Tj
Compression: 1 (zlib compression)
Start Time: 1393236872
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
250 DSN
到现在为止似乎都还好,但是:从 Exchange 向外部发送电子邮件时,我可以在日志中看到这些消息:
Feb 24 11:05:54 mailout03 postfix/smtpd[5006]: connect from exdb04.XXXX[10.20.3.10]
Feb 24 11:05:54 mailout03 postfix/smtpd[5006]: Untrusted TLS connection established from exdb04.XXXXXX[10.20.3.10]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Feb 24 11:05:54 mailout03 postfix/smtpd[5006]: 4DD8613D8049: client=exdb04.XXXXXX[10.20.3.10]
Feb 24 11:05:54 mailout03 postfix/cleanup[5010]: 4DD8613D8049: message-id=<[email protected]>
Feb 24 11:05:54 mailout03 postfix/qmgr[4985]: 4DD8613D8049: from=<[email protected]>, size=2154, nrcpt=1 (queue active)
Feb 24 11:05:54 mailout03 postfix/smtpd[5006]: disconnect from exdb04.XXXXXX[10.20.3.10]
Feb 24 11:05:54 mailout03 postfix/smtp[5011]: connect to gmail-smtp-in.l.google.com[2a00:1450:4001:c02::1b]:25: Network is unreachable
Feb 24 11:05:54 mailout03 postfix/smtp[5011]: Trusted TLS connection established to gmail-smtp-in.l.google.com[173.194.70.26]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Feb 24 11:05:55 mailout03 postfix/smtp[5011]: 4DD8613D8049: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[173.194.70.26]:25, delay=1.4, delays=0.03/0/0.29/1.1, dsn=2.0.0, status=sent (250 2.0.0 OK 1393236355 gm5si14761594wjc.6 - gsmtp)
Feb 24 11:05:55 mailout03 postfix/qmgr[4985]: 4DD8613D8049: removed
请注意这部分:从 exdb04.XXXXXX[10.20.3.10] 建立不受信任的 TLS 连接:使用密码 ECDHE-RSA-AES256-SHA(256/256 位)的 TLSv1
为什么该连接不受信任,而与谷歌的连接是受信任且经过验证的。
我错过了什么?
谢谢 Tobias
This is the postfix config:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
myhostname = mailout03.XXXXXX.de
myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP ready
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
delay_warning_time = 2h
# basic configuration
readme_directory = no
mydestination = mailout03.XXXX.de
mynetworks = 127.0.0.0/8 127.0.0.2/32 [::1]/128 10.20.3.0/24
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
# message routing configuration
sender_bcc_maps = hash:${config_directory}/sender_bcc
sender_dependent_relayhost_maps = hash:${config_directory}/sender_relay
alias_maps = hash:/etc/aliases
relayhost =
# message limit configuration
message_size_limit = 157286400
# queue configuration
queue_run_delay = 30s
# TLS server configuration
smtpd_tls_cert_file = ${config_directory}/certs/mailout03_XXXXX_de.pem
smtpd_tls_key_file = ${config_directory}/certs/mailout03_XXXXX_de.key
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
#smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_security_level = may
smtpd_starttls_timeout = 60s
smtpd_tls_protocols = !SSLv2
smtpd_tls_ask_ccert = yes
smtpd_tls_ccert_verifydepth = 9
# TLS logging configuration
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1
# TLS session cache
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
# Perfect Forward Secrecy configuration
smtpd_tls_eecdh_grade = ultra
tls_preempt_cipherlist = yes
smtpd_tls_dh1024_param_file = ${config_directory}/certs/dh2048.pem
smtpd_tls_dh512_param_file = ${config_directory}/certs/dh512.pem
# TLS client configuration
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_scert_verifydepth = 9
smtp_tls_note_starttls_offer = yes
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
#smtp_tls_CApath = /etc/ssl/certs
答案1
因此,我在您的日志文件中注意到的第一件事是来自 exdb04 的连接是传入的,而到 gmail 的连接是传出的。您是否已将 Exchange 计算机配置为在其出站连接上使用客户端证书?
如果像您所说的那样,只有发送的邮件通过这些 Postfix 机器,那么您唯一的传入连接应该来自您的交换机器,然后我还建议一些更严格的配置设置:
smtpd_tls_req_ccert = 是 smtpd_tls_security_level = 加密
但是,为了解决您的问题,我会将 smtpd_tls_loglevel 的日志记录提升到 2。
请记住,使用 s_client 测试时,您只在一个方向上进行测试。例如,Exchange 服务器向您的 Postfix 服务器提供哪个证书?您是否确定它与配置在其自己的服务器端口上使用的证书相同。
当您进行 s_client 测试并连接到您的 postfix 服务器时,日志文件会显示什么 - 受信任还是不受信任?当您使用 -cert 指定证书时会怎样?
我认为 Exchange 服务器没有提供客户端证书。
祝你好运