Postfix 配置使用 TLSv1.2

tag-icon tag-icon postfix starttls
Postfix 配置使用 TLSv1.2

我开始构建我的第一个云服务器:带有 postfix 的 Ubuntu 16.04。

问题是,当我从我的网上商店发送邮件时,如何配置 postfix 以使用 TLSv1.2?

当我的网店向我的 postfix 服务器发送邮件时,它使用 TLSv1 以下是日志:

postfix/submission/smtpd[19111]: Anonymous TLS connection established from domainname.com[xxx.xxx.xxx.xxx]: TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)

在我的网店中,我在配置中设置:使用:TLS 端口:587

谢谢J

My server info:
Ubuntu 16.04
postfix:
  Installed: 3.1.0-3

openssl:
  Installed: 1.0.2h-1+deb.sury.org~xenial+1

这是来自 postfix 的日志:可以看到邮件通过 TLSv1 发来... :(

Sep 19 19:10:56 ubuntu postfix/master[6992]: daemon started -- version 3.1.0, configuration /etc/postfix
Sep 19 19:11:04 ubuntu postfix/submission/smtpd[7126]: connect from domainname.com[xxx.xxx.xxx.xxx]
Sep 19 19:11:04 ubuntu postfix/submission/smtpd[7126]: Anonymous TLS connection established from domainname.com[xxx.xxx.xxx.xxx]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Sep 19 19:11:04 ubuntu postfix/submission/smtpd[7126]: 803AB41C0A: client=domainname.com[xxx.xxx.xxx.xxx], sasl_method=LOGIN, sasl_username=raitis
Sep 19 19:11:04 ubuntu postfix/cleanup[7131]: 803AB41C0A: message-id=<[email protected]>
Sep 19 19:11:04 ubuntu postfix/qmgr[7010]: 803AB41C0A: from=<[email protected]>, size=694, nrcpt=1 (queue active)
Sep 19 19:11:04 ubuntu postfix/submission/smtpd[7126]: disconnect from domainname.com[xxx.xxx.xxx.xxx] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
Sep 19 19:11:04 ubuntu postfix/smtp[7133]: Trusted TLS connection established to gmail-smtp-in.l.google.com[66.102.1.26]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep 19 19:11:04 ubuntu postfix/smtp[7133]: 803AB41C0A: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[66.102.1.26]:25, delay=0.43, delays=0.06/0.04/0.2/0.14, dsn=2.0.0, status=sent (250 2.0.0 OK 1474305064 14si1756669wmn.119 - gsmtp)
Sep 19 19:11:04 ubuntu postfix/qmgr[7010]: 803AB41C0A: removed

主配置文件

smtp        inet  n       -       -       -       -       smtpd
smtpd       pass  n       -       -       -       -       smtpd
submission  inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtp_tls_mandatory_protocols=TLSv1

#628        inet  n       -       y       -       -       qmqpd
pickup      unix  n       -       y       60      1       pickup
cleanup     unix  n       -       y       -       0       cleanup
qmgr        unix  n       -       n       300     1       qmgr
#qmgr       unix  n       -       n       300     1       oqmgr
tlsmgr      unix  -       -       y       1000?   1       tlsmgr
rewrite     unix  -       -       y       -       -       trivial-rewrite
bounce      unix  -       -       y       -       0       bounce
defer       unix  -       -       y       -       0       bounce
trace       unix  -       -       y       -       0       bounce
verify      unix  -       -       y       -       1       verify
flush       unix  n       -       y       1000?   0       flush
proxymap    unix  -       -       n       -       -       proxymap
proxywrite  unix -       -       n       -       1       proxymap
smtp        unix  -       -       y       -       -       smtp
relay       unix  -       -       y       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq       unix  n       -       y       -       -       showq
error       unix  -       -       y       -       -       error
retry       unix  -       -       y       -       -       error
discard     unix  -       -       y       -       -       discard
local       unix  -       n       n       -       -       local
virtual     unix  -       n       n       -       -       virtual
lmtp        unix  -       -       y       -       -       lmtp
anvil       unix  -       -       y       -       1       anvil
scache      unix  -       -       y       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -   n   n   -   2   pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

答案1

TLS 1.0 版通常被认为是不安全的,这就是为什么要求您将其关闭的原因。有两个潜在错误影响了 TLS v1.0:BEAST 和 POODLE。TLS 1.0 的问题稍后才被发现,与 SSL v3 略有不同(请参阅这次讨论),但它们常常被视为相同。

不过,为了使 Postfix 兼容,我所做的就是通过以下方式防止使用 SSL v2/3 和 TLS v1.0 main.cf

smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
smtp_tls_mandatory_protocols  = !SSLv2,!SSLv3,!TLSv1
smtpd_tls_protocols           = !SSLv2,!SSLv3,!TLSv1
smtp_tls_protocols            = !SSLv2,!SSLv3,!TLSv1

我没有改变任何东西master.cf

我也阻止基本的加密协议:

smtpd_tls_exclude_ciphers = RC4, aNULL

根据以下评论,完整的排除列表应更新为更长的列表,如下所示:

smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5,
                            DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256,
                            RSA+AES, eNULL

附注:您还需要使用以下两行强制某种形式的加密:

smtpd_tls_security_level = encrypt
smtp_tls_security_level  = encrypt

这可能会产生各种副作用,因此您可能需要在永久更改之前测试任何此类更改。例如,mailman似乎根本不支持加密。

答案2

人5 postconf:

smtp_tls_mandatory_protocols (default: !SSLv2)
   List of SSL/TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption.  In main.cf the values are separated by whitespace, commas or colons. In the policy table "protocols" attribute (see smtp_tls_policy_maps) the only  valid
   separator is colon. An empty value means allow all protocols. The valid protocol names, (see \fBfBSSL_get_version(3)), are "SSLv2", "SSLv3" and "TLSv1".

   Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and "TLSv1.2". If an older Postfix version is linked against OpenSSL 1.0.1 or later, these, or any other new protocol versions, are unconditionally enabled.

   With Postfix >= 2.5 the parameter syntax is expanded to support protocol exclusions. One can now explicitly exclude SSLv2 by setting "smtp_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and SSLv3 set "smtp_tls_mandatory_protocols = !SSLv2,
   !SSLv3". Listing the protocols to include, rather than protocols to exclude, is supported, but not recommended. The exclusion form more closely matches the behaviour when the OpenSSL library is newer than Postfix.

   Since SSL version 2 has known protocol weaknesses and is now deprecated, the default setting excludes "SSLv2".  This means that by default, SSL version 2 will not be used at the "encrypt" security level and higher.

   See the documentation of the smtp_tls_policy_maps parameter and TLS_README for more information about security levels.

   Example:

   # Preferred form with Postfix >= 2.5:
   smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
   # Alternative form.
   smtp_tls_mandatory_protocols = TLSv1

   This feature is available in Postfix 2.3 and later.

答案3

首先,请确保您拥有 OpenSSL 1.0.1 或更新版本,以及至少 Postfix 2.3 或更新版本(因为只有此组合才能支持 TLSv1.1 和 TLSv1.2)。较旧的 OpenSSL 不支持 TLSv1.2,较旧的 Postfix 版本仅提供非常基本的 SSL/TLS 支持或根本不提供 SSL/TLS 支持。

如果您的 Postfix 版本早于 2.5,而 OpenSSL 版本为 1.0.1 或更新版本,则 TLSv1.1 和 TLSv1.2 协议将无条件启用,正如 @rudimeier 所提到的。在这种情况下,您无需执行任何操作,Postfix 会自动为您检测哪个协议最适合您的连接。如果这不符合您的期望,那么您应该考虑将 Postfix 升级到较新的版本(不仅仅是因为这个问题,还因为 Postfix 现在是 2.11,而 2.5 已经很旧了)。

如果你有 Postfix 2.5.0 或更新版本,则需要进行以下修改/etc/postfix/master.cf

submission inet n - - - - smtpd
  -o smtp_tls_mandatory_protocols=TLSv1

请记住:如果你在该submission行下面定义了其他选项,那么你应该不是删除它们,只需添加下面的这个新选项。如果该smtp_tls_mandatory_protocols选项已经存在于选项列表中,则不要再次添加,而是调整将值添加到上述内容中TLSv1。切勿重复输入submission,否则会导致 Postfix 拒绝启动。

相关内容