我目前正在尝试启动并运行自己的邮件服务器。到目前为止一切似乎都很好,因为我能够使用 thunderbird 连接到此邮件服务器。我唯一要做的就是接受我自己的(自签名)证书。
现在一切似乎都正常了,我尝试将其集成到我的本地 fetchmailrc 中,以便自动将我的本地邮箱与邮件服务器同步。为此,我在 fetchmailrc 中添加了以下几行:
poll mail.rueckerlmail.com with proto IMAP uidl
user '[email protected]' there with password 'superSecretPassword' is 'sebastian' here with options keep sslproto TLS1
运行 fetchmail 服务出现以下错误消息:
Apr 2 13:59:40 sebastian-UX31A fetchmail[32760]: mail.rueckerlmail.com: upgrade to TLS failed.
Apr 2 13:59:40 sebastian-UX31A fetchmail[32760]: Unknown login or authentication error on [email protected]@mail.rueckerlmail.com
Apr 2 13:59:40 sebastian-UX31A fetchmail[32760]: socket error while fetching from [email protected]@mail.rueckerlmail.com
Apr 2 13:59:40 sebastian-UX31A fetchmail[32760]: Query status=2 (SOCKET)
在邮件服务器中,这会导致断开连接,因为无法建立 strattls:
Apr 2 11:47:58 guest-mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=91.23.79.47, lip=10.1.1.3, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<JIc9Z7wSpABbF08v>
使用 wireshark 查看连接建立情况,我发现在 fetchmail 发送了属于 strattls 握手的第一个数据包(第一个数据包有点神秘,人类无法读取)后,服务器发送了 RST、ACK。
我认为这是我的 fetchmail 配置的问题,因为我能够使用 openssl 手动连接:
$ openssl s_client -starttls imap -connect mail.rueckerlmail.com:143
CONNECTED(00000003)
depth=0 C = DE, ST = Bayern, O = sebastianrueckerl.com, OU = mail, CN = sebastianrueckerl.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = DE, ST = Bayern, O = sebastianrueckerl.com, OU = mail, CN = sebastianrueckerl.com
verify return:1
---
Certificate chain
0 s:/C=DE/ST=Bayern/O=sebastianrueckerl.com/OU=mail/CN=sebastianrueckerl.com
i:/C=DE/ST=Bayern/O=sebastianrueckerl.com/OU=mail/CN=sebastianrueckerl.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGkDCCBHigAwIBAgIJAJHwjBRHNgfnMA0GCSqGSIb3DQEBCwUAMG0xCzAJBgNV
BAYTAkRFMQ8wDQYDVQQIDAZCYXllcm4xHjAcBgNVBAoMFXNlYmFzdGlhbnJ1ZWNr
ZXJsLmNvbTENMAsGA1UECwwEbWFpbDEeMBwGA1UEAwwVc2ViYXN0aWFucnVlY2tl
cmwuY29tMB4XDTE1MDMwMzE2NTcwMVoXDTE2MDMwMjE2NTcwMVowbTELMAkGA1UE
BhMCREUxDzANBgNVBAgMBkJheWVybjEeMBwGA1UECgwVc2ViYXN0aWFucnVlY2tl
cmwuY29tMQ0wCwYDVQQLDARtYWlsMR4wHAYDVQQDDBVzZWJhc3RpYW5ydWVja2Vy
bC5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCYwTtLOuld1x9f
I2BSp3TkTllQSvIh7y82QuNCgyImv1Pa8PB0pcZTSjJvjETi0xNXt9UjpPU+488O
AfIWN/5A8FCg6RTgpas1HhzZkCXocVdQyNrhSpdl9v7+o7geftlrfKmwydq7/KVd
xpCglhXnVG4syr/K66/kWwD/l3zqLcJv+sewn9OPW6EGmG1AV3sls9sxlh+UFW++
/l6PUgzZ3kTJCWtUI16yPYs+vld5kGcxK8rvHKYq1mkOxYHiyuTOS9gcrfbBltol
x7mhMtF1d0qWzxj3JqtMtsUjmfByiMGpHRyEyef9V0nQCld9NKqY47Xcywb+ij01
9+fnldNgT+tunI464YtIZd+oR/JPF98FJQuZXvmQuHn7hnbSgeC1uK39gViOo4aS
OtiH8sXsnKcCboF6OIx7RDz33iWSHLflcRfULLqB7nd5cEu0F7D+lmqCbznEFBxQ
+S7Y8BxerMO8p3yikuyVKodkLP9GxcHeV5xg1xl2hI2Lh8HZDUlkRzAwbfDoNNe+
CH53Kk9eLaiW7GqIMNg2O76do53SWpjcOdDDrc3YDivkH5yun6ufCX42Q0Ma4a9t
b2OvvMyX1zpW+4z4J6xhmjMoiY4tla36mvsDTFjy6+7LgyCrJ5FtRRkd8kwOlx+w
yUmVpJgTNscG+7eugbLfADANZpWAGQIDAQABo4IBMTCCAS0wggEpBgNVHREEggEg
MIIBHIIVc2ViYXN0aWFucnVlY2tlcmwuY29tghptYWlsLnNlYmFzdGlhbnJ1ZWNr
ZXJsLmNvbYIWc2ViYXN0aWFuLXJ1ZWNrZXJsLmNvbYIbbWFpbC5zZWJhc3RpYW4t
cnVlY2tlcmwuY29tghRzZWJhc3RpYW5ydWVja2VybC5kZYIZbWFpbC5zZWJhc3Rp
YW5ydWVja2VybC5kZYIVc2ViYXN0aWFuLXJ1ZWNrZXJsLmRlghptYWlsLnNlYmFz
dGlhbi1ydWVja2VybC5kZYIPcnVlY2tlcmxtYWlsLmRlghRtYWlsLnJ1ZWNrZXJs
bWFpbC5kZYIQcnVlY2tlcmxtYWlsLmNvbYIVbWFpbC5ydWVja2VybG1haWwuY29t
MA0GCSqGSIb3DQEBCwUAA4ICAQBo7AAa4Ge6YyY/aoeaIO4RVPLXZq/GHiuj00Nr
71H+gElRhP/wF8u+0I3mSee89KUec7jrvILO4Xxa0ExGVk4QJyp/XYKvnxbvPV3B
7i/GIZ9q9n4UIQu0RfqyeVC/HgsK+9Gv2BGowVea53sx3KmsIrpMpNaVVb7IGg8w
/lNvQolwUllz5Q1C0fxbVYoGhh7I1JDaBzLXvrf/+A57J1fj8Pylm9rt+fDr6NoQ
YK/BE1/lYh2hjC6CeAtHo4+gHOzCyEaKQUOqqZV5gbwoFxmdxgUfxwrweIwOwavX
vGlE4vnUO1Vw86FFGrhoVFSdLlF8N3y15uEMIlADpxD4XOnw4cSyZEA/XtkkVG56
sABs1a+bixS3oN24tU06ZtXiwepBiaAD/ZcFwrYabwIIxTlqLRWhfsiEuvq4eEF6
nG1Z5t3zv00CxCFiMJefgREHh4F067i7dGJF/M/RD7bBm38lg5/+Oob32vMvS5jO
3Us1Mu8p2qZ+BbdSR8/vVe5JkYc4n3/gb7fivjB71c9vbbuIVrkQdU6/9dDwC1Qy
WYu2Z95yoAX4VAQJR7ONsPKeKnhsS0N60Muf4pfwL2WsLnBbbx4X4Z3u5hmtJLrg
vq+ZUGX/FlSbWf++Basxa365pejEK+rfkGeWfxOtRxhRou9MetvnkQVByDtfD/IZ
yN/oPA==
-----END CERTIFICATE-----
subject=/C=DE/ST=Bayern/O=sebastianrueckerl.com/OU=mail/CN=sebastianrueckerl.com
issuer=/C=DE/ST=Bayern/O=sebastianrueckerl.com/OU=mail/CN=sebastianrueckerl.com
---
No client certificate CA names sent
---
SSL handshake has read 3100 bytes and written 521 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-GCM-SHA384
Session-ID: A3B45487475A4919A25987354D59EF4FBBC0AA6F93F56FB00B770AB20DE6CB21
Session-ID-ctx:
Master-Key: B9906033114E2F90F1E2084E4BCFCE642E6E552829FC5104184BD87A979274D4F2E683154162E6E1F01BF1C421E8D2B0
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - ed 48 27 9b a3 4a 82 06-7c 3c 10 92 7e 41 42 e9 .H'..J..|<..~AB.
0010 - 63 d9 8d 84 2e 94 4f 3d-fd 19 91 82 7b df 8c f8 c.....O=....{...
0020 - dc 18 5a 2d 22 be be f7-d9 7c de 4b e2 e6 73 ae ..Z-"....|.K..s.
0030 - 19 87 bd b3 5e 0f c0 1b-b1 13 b6 bd 99 de 5b 81 ....^.........[.
0040 - 23 c7 c2 2a ac 86 85 ef-66 cd 7b c0 b0 92 ae 6d #..*....f.{....m
0050 - ee 96 87 d5 d8 88 45 f9-03 59 ab af fa 06 cd bc ......E..Y......
0060 - fc 36 16 13 f1 4b 57 df-6e ac 49 d0 bd 9a 53 03 .6...KW.n.I...S.
0070 - 16 8d c6 86 70 e0 36 b8-61 dc 16 8d 97 dc 9c b0 ....p.6.a.......
0080 - 7f 7e ae 34 5e a5 89 51-4a 1c 36 c1 46 dd 70 5e .~.4^..QJ.6.F.p^
0090 - 81 3b 19 bd f7 11 50 c0-58 eb 54 b4 f2 bf 4e a6 .;....P.X.T...N.
Start Time: 1427976380
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
. OK Pre-login capabilities listed, post-login capabilities have more.
建立连接后,一切正常,我能够按预期登录:
A0003 login [email protected] superSecretPassword
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE
A0003 OK Logged in
我不知道我还能尝试什么来让它运行,但这似乎是与 fetchmail 相关的问题。如果您知道该尝试什么,我很乐意这样做,并为您提供所有需要的输出/日志数据/信息。感谢您的帮助。
编辑:
根据要求输出dovecot -n
:
# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 3.18.6-vs2.3.7.3-beng x86_64 Debian 7.8
auth_mechanisms = plain login
listen = 10.1.1.3
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
separator = /
}
passdb {
args = /etc/dovecot/dovecot-sql.conf.ext
driver = sql
}
plugin {
sieve = ~/.dovecot.sieve
sieve_dir = ~/sieve
}
postmaster_address = [email protected]
protocols = " imap sieve"
service auth {
unix_listener /var/spool/postfix/private/auth_dovecot {
group = postfix
mode = 0660
user = postfix
}
unix_listener auth-master {
mode = 0600
user = vmail
}
}
ssl_cert = </etc/postfix/ssl/ssl.crt
ssl_cipher_list = ALL:HIGH:!SSLv2:!MEDIUM:!LOW:!EXP:!RC4:!MD5:!aNull:@STRENGTH
ssl_key = </etc/postfix/ssl/ssl.key
ssl_protocols = !SSLv2 !SSLv3 !TLSv1
userdb {
args = /etc/dovecot/dovecot-sql.conf.ext
driver = sql
}
答案1
您正在使用的 fetchmail 版本可能尚不支持 TLSv1.1 或更高版本。
Dovecot 配置中的以下行不允许 TLSv1 服务器端:
ssl_protocols = !SSLv2 !SSLv3 !TLSv1
客户端,你至少需要 Fetchmail 6.4 (目前尚未发布):
Fetchmail 现在可以使用 SSLv3、TLSv1.1 或更新的 TLS 版本以及 STLS/STARTTLS(以前会强制使用 TLSv1.0 和 STARTTLS)。
--https://gitlab.com/fetchmail/fetchmail/blob/legacy_64/NEWS
如果您使用的是 Debian,您也可以尝试他们的 fetchmail 包 6.3.23-2(目前仅处于测试/不稳定状态,我自己没有尝试过):
fetchmail (6.3.26-2) 不稳定;紧急程度=低
[...]
- 版本 OpenSSL 构建依赖项以支持 TLSv1.2。
--http://metadata.ftp-master.debian.org/changelogs/main/f/fetchmail/unstable_changelog
有关 Dovecot 给出的错误消息的更多信息:
SSL23_GET_SERVER_HELLO:unknown protocol
如果服务器仅支持 TLS 1.2 等协议,而客户端无法理解该协议版本,也会出现此错误 [...]。通常,服务器至少向后兼容 SSL 3.0 / TLS 1.0,但此特定服务器可能并非如此(通过实施或配置)。