我曾尝试设置自己的带有邮件服务器的 Web 服务器(我不是 Linux 专家,只是遵循一些教程),使用 Nginx、PHP-fpm 和 MySQL 设置 Web 服务器似乎成功了,然后我继续使用 postfix 和 dovecot 设置邮件服务器。这似乎也安装得很好。
当我检查旧服务器的 TLS 连接时,它telnet返回的回复与新服务器不同。旧服务器说18 自签名但新消息称21 第一个证书无法验证。
调试结果:
我运行的命令是针对正在运行的原始邮件服务器的
openssl s_client -connect mail.example.com:25 -starttls smtp
回复是
verify return:1
---
Certificate chain
0 s:/C=US/ST=Virginia/L=Herndon/O=Parallels/OU=Parallels Panel/CN=Parallels Panel/[email protected]
i:/C=US/ST=Virginia/L=Herndon/O=Parallels/OU=Parallels Panel/CN=Parallels Panel/[email protected]
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDszCCApsCBFQW12QwDQYJKoZIhvcNAQEFBQAwgZ0xCzAJBgNVBAYTAlVTMREw
DwYDVQQIEwhWaXJnaW5pYTEQMA4GA1UEBxMHSGVybmRvbjESMBAGA1UEChMJUGFy
YWxsZWxzMRgwFgYDVQQLEw9QYXJhbGxlbHMgUGFuZWwxGDAWBgNVBAMTD1BhcmFs
bGVscyBQYW5lbDEhMB8GCSqGSIb3DQEJARYSaW5mb0BwYXJhbGxlbHMuY29tMB4X
DTE0MDkxNTEyMTExNloXDTE1MDkxNTEyMTExNlowgZ0xCzAJBgNVBAYTAlVTMREw
DwYDVQQIEwhWaXJnaW5pYTEQMA4GA1UEBxMHSGVybmRvbjESMBAGA1UEChMJUGFy
YWxsZWxzMRgwFgYDVQQLEw9QYXJhbGxlbHMgUGFuZWwxGDAWBgNVBAMTD1BhcmFs
bGVscyBQYW5lbDEhMB8GCSqGSIb3DQEJARYSaW5mb0BwYXJhbGxlbHMuY29tMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAur6FGm1GYj98XradW+dIwWip
6wvBUk5ePdSFCqzGink7+2MRyq4iKn/65Pc/YeUlToI8txUYc14M017VtCmb6Wd2
ohA0QtsRVMvX7n70nmflUVAzwzdBwtCE3+25ql4dA4ixe5zwI0XIWeYfqEoRtpyu
1ebUFBd8pRvvR0jA75cx4BIEvIGFIiSYZ9cTIp+Q/gGBesI/HBadUS8aEMf+6nTX
+iFdjgHNO/uPupqp8uU24QFQzphghvpy1y079QuqrsYoQWOKKf4QG/xbeFiYUgbp
rtaF9OvKD2ugzwdAVBFtuzdg8/2fcjB9YFBipm0DZygrbM9OG5TA9dQyh84oVwID
AQABMA0GCSqGSIb3DQEBBQUAA4IBAQCtqyW6NGN3auoFEHKlcRHGP0GxAChhPMpB
NCUW+/ZHR4tXiiTI2xQcr1yfGmRkwipn9z+GAzL1bkkHpnOHSGAx+0G6CH645QkC
7YDqeRMnkCVrmYlJ73TB9WMczg8Zp/GxNU4lSSiYU+bthVOdbw0XHpnzhl02WckC
UZbJIXUI9V8NpWDq38R260Dxax4OOO3YVJ+pynqZMQjhUl7XMXLhT6o4GbmUHDtZ
jqgGti4M7YBPHY9l1nb9N2KZx9kgfS8i885DS5yhSjxMmeEfMMn3DIZlhc7lBEEX
N+btpue2vX+Q+gOAP/qEk8FqHxcyHquc89XGafuJ677LIEQlhOA1
-----END CERTIFICATE-----
subject=/C=US/ST=Virginia/L=Herndon/O=Parallels/OU=Parallels Panel/CN=Parallels Panel/[email protected]
issuer=/C=US/ST=Virginia/L=Herndon/O=Parallels/OU=Parallels Panel/CN=Parallels Panel/[email protected]
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1698 bytes and written 410 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 2E011BE0124FA920C50F8A3D69198EED28F37EB096F9D7F9BF22389B72DEC01E
Session-ID-ctx:
Master-Key: 2B8AB37BDC5D7A5DF441E9599C39F20783802DC5F3258C284617DA01513E58DB961F56F451F2592AAA97188D6E9726BE
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1427334041
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
250 DSN
我运行的命令是针对正在运行的原始邮件服务器的
openssl s_client -connect localhost:25 -starttls smtp
答复是
CONNECTED(00000003)
depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = dc-career, emailAddress = root@dc-career
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = dc-career, emailAddress = root@dc-career
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=dc-career/emailAddress=root@dc-career
i:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=dc-career/emailAddress=root@dc-career
---
Server certificate
-----BEGIN CERTIFICATE-----
MIID3jCCAsagAwIBAgICSkUwDQYJKoZIhvcNAQELBQAwgaMxCzAJBgNVBAYTAi0t
MRIwEAYDVQQIDAlTb21lU3RhdGUxETAPBgNVBAcMCFNvbWVDaXR5MRkwFwYDVQQK
DBBTb21lT3JnYW5pemF0aW9uMR8wHQYDVQQLDBZTb21lT3JnYW5pemF0aW9uYWxV
bml0MRIwEAYDVQQDDAlkYy1jYXJlZXIxHTAbBgkqhkiG9w0BCQEWDnJvb3RAZGMt
Y2FyZWVyMB4XDTE1MDMyNTA2MDQzN1oXDTE2MDMyNDA2MDQzN1owgaMxCzAJBgNV
BAYTAi0tMRIwEAYDVQQIDAlTb21lU3RhdGUxETAPBgNVBAcMCFNvbWVDaXR5MRkw
FwYDVQQKDBBTb21lT3JnYW5pemF0aW9uMR8wHQYDVQQLDBZTb21lT3JnYW5pemF0
aW9uYWxVbml0MRIwEAYDVQQDDAlkYy1jYXJlZXIxHTAbBgkqhkiG9w0BCQEWDnJv
b3RAZGMtY2FyZWVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4hcI
X+P16RbOp9eCFYN00Rw4sVFo/rtGAUJOVddGT43yJZ7oP94kED/kppQjrtTRIWE9
TJ1E+wOY5GAzkP2mGgoxwFZxRI5MCnJxhqieSIJKrduILKWUadWnfW/k6CKicrhv
tcYY6KVOq3THLpjyslblWenX7SRcMBQ1s5WDYT7f2dd9qgFFvE9l+NBHgeMvqZtc
KHF8nG6VVkOkYBnG4V6LlUppTKI1KYSPbbWrLfTuhamo1prlCn58DWcAjkyIBhmc
XYnlW0td8YiDaV7Gq28aefMOASjOXY0yWWSoKCACKagDnY01ZihMcLYfkhcKH7Hk
sN4wjbv8bAg2o99BFQIDAQABoxowGDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAN
BgkqhkiG9w0BAQsFAAOCAQEAUmQi8NMCsdqC85AVw5U0pkGW/VmWaA8mmmM2P+Gu
kzhCvx1wD3uoVqTC4lp9LDYR5Fk6BC929gYPz3J/WzaCjYtPAPvR0jXNPWy2Qq1C
MPavaMIkHwB0vgmM3AhxNSWohTVpJQTu+2niRpOMYMPtrVfgsGxbVsMrwPZpiBHH
xwR+syRCNWoe9T+TuaTV5uC9deQkuGiWNKCII34DMTtx/OIhxDIhDNRKqSgl/6Xg
nSrFnoZt2RA+XWBiuz3kK4F8Cs+9iOUvO3YG6a9u4B+I1o+KyoV68GWGnKafBP0p
gB6WYb2QUX1mwyj2Xg38HQao7zVhbShsg1XVnmRZU6yvng==
-----END CERTIFICATE-----
subject=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=dc-career/emailAddress=root@dc-career
issuer=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=dc-career/emailAddress=root@dc-career
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1886 bytes and written 410 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 3B1E05F1518F27105F09F910C97E73847BEBA9BA98E479FE21CB8D827CA82F6D
Session-ID-ctx:
Master-Key: 34EC64A0AAE219BEBE181ED97692A0C5370F1B56FEE52B6E7B9A0E3480E26BFA243B06487FCA7B01ED5456BE9DC6E4E3
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 3600 (seconds)
TLS session ticket:
0000 - 32 34 a9 c9 aa 9d 86 67-93 3c ab 32 fe 9a c7 aa 24.....g.<.2....
0010 - 32 18 5d 0c 74 7f 4a 3b-17 3f 51 6e d0 ac b0 59 2.].t.J;.?Qn...Y
0020 - a1 c7 76 36 43 18 39 bc-0b e7 fb a0 67 e5 e3 db ..v6C.9.....g...
0030 - b7 50 c3 a2 cf cc 82 4c-b4 45 d8 96 d6 6f 2e 3d .P.....L.E...o.=
0040 - 36 46 45 94 f4 6e 9f 84-f2 49 9c 56 25 51 53 34 6FE..n...I.V%QS4
0050 - fb ab 8c 4b 16 04 f7 68-0c f3 c3 be 66 38 da ee ...K...h....f8..
0060 - b7 35 bf c1 5b c0 02 43-4b 55 5c 0c d2 7d 66 62 .5..[..CKU\..}fb
0070 - 78 9f a8 d0 f2 b9 52 e0-3f 92 52 90 8f 2a a7 04 x.....R.?.R..*..
0080 - a6 af 4a 6a b1 ce ff 6c-4e b5 f6 90 0d 4e 05 a8 ..Jj...lN....N..
0090 - e5 53 8a 58 fc 75 fa 97-06 78 49 95 41 96 5d 05 .S.X.u...xI.A.].
Start Time: 1427334340
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
250 DSN
邮件安装有问题吗?如果是,该如何解决?
答案1
是的,我并不指望它们是相同的,只是为什么第二个会有错误,而如何修复它是个问题,我认为我的生成或分配给 dovecot/posfix 是错误的,因为我不知道如何在这个安装中使用 CA,我如何使用 CA crts ?在 postfix/dovecot 中?
要在 Postfix 中使用链式 SSL 证书,您可以参考本文档。
smtpd_tls_cert_file(默认值:空)
要使远程 SMTP 客户端能够验证 Postfix SMTP 服务器证书,必须向客户端提供颁发 CA 证书。您应该在服务器证书文件中包含所需的证书,首先是服务器证书,然后是颁发 CA(自下而上的顺序)。
例如:“server.example.com”的证书是由“中间 CA”颁发的,而“中间 CA”本身也拥有“根 CA”的证书。使用以下命令创建 server.pem 文件:cat 服务器证书.pem 中间CA.pem 根CA.pem > 服务器.pem。
如果您还想验证这些 CA 颁发的客户端证书,可以将 CA 证书添加到smtpd_tls_CA文件,在这种情况下,没有必要将它们放在smtpd_tls_cert_文件或者smtpd_tls_dcert_文件。
就是这样。您可以将两个证书连接起来并放入smtpd_tls_cert_file。