Postfix SSL_accept error with opportunistic STARTTLS

I have set up postfix 2.6.6 on CentOS 6 as the mail server in front of an Exchange 2010 server. Everything works fine. Now I want to add opportunistic encryption for incoming and outgoing mail.

At least for incoming mail this seems to work with most clients. There are some exceptions, though. Some hosts fail with an "SSL_accept error" and then immediately retry without STARTTLS. So far so good. But some hosts do not recover, most notably my Exchange server (and a few servers outside my organization).

I assume this is basically a client problem, right? If so, I can disable the STARTTLS announcement for certain hosts, as described at http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps

However, this means I will occasionally have to add hosts to this list so that misconfigured clients outside my organization can send mail as well. Is there a better solution?

Here is some information about my setup.

My main.cf

# Directory specification
alternate_config_directories = /etc/postfix
queue_directory = /opt/postfix/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.6.6/examples
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES

# Basic Mail Relay Setup
myhostname = mymailserver.acme.com
smtp_helo_name=mail.acme.com
mail_owner = postfix
setgid_group = postdrop
inet_interfaces = all
mynetworks = /etc/postfix/mynetworks
mydestination = $myhostname, localhost.$mydomain
unknown_local_recipient_reject_code = 550
soft_bounce = no
disable_vrfy_command = yes
message_size_limit = 32768000
bounce_size_limit = 65536
header_size_limit = 32768

# Mail Timing Settings and alerting thereof
maximal_queue_lifetime = 3d
bounce_queue_lifetime = 3d
delay_warning_time = 3h
bounce_template_file = /etc/postfix/bounce.cf
# Domain specification
mydomain = acme.com
myorigin = $mydomain
relay_domains = foo.acme.com, bar.acme.com
virtual_alias_domains = acme.com, openacme.org

# Debug options
debug_peer_level = 2
debugger_command =
     PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
     ddd $daemon_directory/$process_name $process_id & sleep 5

# Command Path definition
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq

# Map definition
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = regexp:/etc/postfix/virtual_domains hash:/etc/postfix/virtual

# Encryption
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file=/etc/postfix/ssl/cert.pem
smtpd_tls_key_file=/etc/postfix/ssl/clearkey.pem
smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dhparams.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = AES128+EECDH:AES128+EDH
smtpd_tls_eecdh_grade = strong
# also encrypt outgoing mail
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
# enable logging for debugging
smtpd_tls_loglevel = 2
smtp_tls_loglevel = 2

# SMTP Settings
smtpd_banner = $myhostname ESMTP

smtpd_data_restrictions =
    permit_mynetworks,
    reject_unauth_pipelining,
    permit

smtpd_client_restrictions =
    permit_mynetworks,
    reject_invalid_hostname,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dul.dnsbl.sorbs.net,
    permit

smtpd_helo_required = yes

smtpd_helo_restrictions =
    permit_mynetworks,
    reject_unauth_pipelining,
    reject_invalid_hostname,
    permit

smtpd_sender_restrictions =
    permit_mynetworks,
    reject_non_fqdn_sender,
    check_sender_access hash:/etc/postfix/access_domains,
    check_sender_access pcre:/etc/postfix/access_domains_pcre,
    reject_unknown_sender_domain,
    permit

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_multi_recipient_bounce,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unlisted_recipient,
    check_recipient_access hash:/etc/postfix/internal_recipient,
    check_sender_access hash:/etc/postfix/access_domains,
    check_sender_access pcre:/etc/postfix/access_domains_pcre

STARTTLS seems to be announced correctly:

[hansolo@desk ~]$ telnet 1.2.3.4 25
Trying 1.2.3.4...
Connected to 1.2.3.4.
Escape character is '^]'.
220 **************************

EHLO test
250-mx.acme.com
250-PIPELINING
250-SIZE 32768000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

And the SSL configuration looks fine to me (please correct me if I am wrong):

[hansolo@desk ~]$ openssl s_client -starttls smtp -connect mail.acme.com:25
CONNECTED(00000003)
depth=2 C = CH, O = SwissSign AG, CN = SwissSign Silver CA - G2
verify return:1
depth=1 C = CH, O = SwissSign AG, CN = SwissSign Server Silver CA 2014 - G22
verify return:1
depth=0 OU = Domain Validated Only, CN = mail.acme.com
verify return:1
---
Certificate chain
 0 s:/OU=Domain Validated Only/CN=mail.acme.com
   i:/C=CH/O=SwissSign AG/CN=SwissSign Server Silver CA 2014 - G22
 1 s:/C=CH/O=SwissSign AG/CN=SwissSign Server Silver CA 2014 - G22
   i:/C=CH/O=SwissSign AG/CN=SwissSign Silver CA - G2
 2 s:/C=CH/O=SwissSign AG/CN=SwissSign Silver CA - G2
   i:/C=CH/O=SwissSign AG/CN=SwissSign Silver CA - G2
---
Server certificate
-----BEGIN CERTIFICATE-----
<server certificate removed for posting>
-----END CERTIFICATE-----
subject=/OU=Domain Validated Only/CN=mail.acme.com
issuer=/C=CH/O=SwissSign AG/CN=SwissSign Server Silver CA 2014 - G22
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5583 bytes and written 362 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 0CE08FBFFEE1F856B84FF5D042E6FDB2D9A0A415565FCB04A04C565CA7EBC12C
    Session-ID-ctx:
    Master-Key: 4B215AFF8DEB9043F19346361EA98A617C1155E984C77C0B6FB74083897EAE6A502DB717CE249F81F2A19A1D31B38DEC
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 3600 (seconds)

    Start Time: 1458037878
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
250 DSN

Here are the logs:

Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: initializing the server-side TLS engine
Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: connect from unknown[192.168.0.235]
Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: setting up TLS connection from unknown[192.168.0.235]
Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: unknown[192.168.0.235]: TLS cipher list "ALL:+RC4:@STRENGTH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CDB3-SHA:!KRB5-DES:!CBC3-SHA"
Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: SSL_accept:before/accept initialization
Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: SSL_accept:error in SSLv2/v3 read client hello A
Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: SSL_accept error from unknown[192.168.0.235]: -1
Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: warning: TLS library problem: 24499:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:644:
Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: lost connection after STARTTLS from unknown[192.168.0.235]
Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: disconnect from unknown[192.168.0.235]

Furthermore, at least Gmail tells me that my mails are not encrypted.

Any help or hints are appreciated.

EDIT
It turns out that our firewall (Cisco ASA) was mangling the ESMTP protocol with its protocol inspection. See this blog post for details and the solution. At least Gmail no longer complains about missing encryption. I still need to check whether this is the complete solution.
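An added example, not part of the question and not Postfix's own tooling: a small Python log analysis that groups the smtpd TLS messages shown above by client and lists the hosts that fail SSL_accept without ever completing a handshake (the hosts one would otherwise have to discover by hand before adding them to smtpd_discard_ehlo_keyword_address_maps), plus a check for the asterisk-masked 220 greeting seen in the telnet session, which is how Cisco ASA ESMTP inspection shows up on the wire. The log lines and the mx.example.net client are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the question's smtpd log; mx.example.net is invented.
SAMPLE_LOG = """\
Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: connect from unknown[192.168.0.235]
Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: SSL_accept error from unknown[192.168.0.235]: -1
Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: warning: TLS library problem: 24499:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:644:
Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: lost connection after STARTTLS from unknown[192.168.0.235]
Mar 15 15:16:02 mymailserver postfix/smtpd[24502]: connect from mx.example.net[203.0.113.7]
Mar 15 15:16:02 mymailserver postfix/smtpd[24502]: Anonymous TLS connection established from mx.example.net[203.0.113.7]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
"""

LINE_RE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)")
PEER_RE = re.compile(r"from \S+\[(?P<ip>[\d.]+)\]")

def starttls_report(log_text):
    """Per client IP: failed SSL_accept handshakes versus completed TLS sessions.
    'TLS library problem' names no client, so it is attributed via the smtpd PID."""
    current = {}  # pid -> ip of the client that smtpd process is currently serving
    stats = defaultdict(lambda: {"ssl_accept_errors": 0, "unknown_protocol": 0, "tls_established": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if msg.startswith("connect from"):
            current[pid] = PEER_RE.search(msg).group("ip")
        ip = current.get(pid)
        if ip is None:
            continue  # process whose 'connect from' line is not in this excerpt
        if msg.startswith("SSL_accept error"):
            stats[ip]["ssl_accept_errors"] += 1
        elif "unknown protocol" in msg:
            stats[ip]["unknown_protocol"] += 1
        elif "TLS connection established" in msg:
            stats[ip]["tls_established"] += 1
    return dict(stats)

def suspect_clients(stats):
    """Clients that failed at least once and never completed a handshake."""
    return sorted(ip for ip, s in stats.items()
                  if s["ssl_accept_errors"] and not s["tls_established"])

def banner_masked(greeting):
    """True when the 220 greeting text is all asterisks: the fingerprint of Cisco ASA
    ESMTP inspection, as in the question's telnet session."""
    parts = greeting.strip().split(None, 1)
    return len(parts) == 2 and parts[0] == "220" and set(parts[1]) == {"*"}
```

Feed it the real /var/log/maillog instead of SAMPLE_LOG to get the list of hosts that consistently break after STARTTLS; a masked banner on an otherwise healthy server points at the inspecting middlebox rather than at those clients.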