Postfix 2.10 client certificate-based relay

I'm trying to configure two Postfix 2.10.1 instances, each on a separate CentOS 7 system, to allow relaying from one system (let's call it client.example.com) to the other (server.example.com), but I've run into a problem. The server flatly refuses to allow relaying based on the client certificate fingerprint.

Here's what I'm working with:

Output of postconf -n on the server

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
local_recipient_maps =
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = localhost
mydomain = example.com
myhostname = server.example.com
mynetworks = 127.0.0.0/8
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
relayhost = [192.168.1.3]
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = permit_tls_clientcerts, reject_unauth_destination
smtpd_tls_CAfile = /etc/pki/tls/certs/cacert.pem
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/server.example.com.crt
smtpd_tls_fingerprint_digest = sha1
smtpd_tls_key_file = /etc/pki/tls/private/server.example.com.key
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550

Output of postconf -n on the client

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_interfaces = localhost
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
relayhost = [server.example.com]
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_CAfile = /etc/pki/tls/certs/cacert.pem
smtp_tls_cert_file = /etc/pki/tls/certs/client.example.com.crt
smtp_tls_fingerprint_digest = sha1
smtp_tls_key_file = /etc/pki/tls/private/client.example.com.key
smtp_tls_loglevel = 3
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550

Contents of relay_clientcerts on the server (this exactly matches the fingerprint in the logs and the output of the openssl x509 -fingerprint ... command):

12:34:56:78:90:AB:CD:EF:FE:DC:BA:09:87:65:43:21:C0:DE:BE:EF client.example.com

The client sends the outbound mail with

mail -s "Hello world" [email protected]
hello world
.

Server log output:

Nov 30 21:40:39 server postfix/smtpd[7859]: client.example.com[192.168.1.1]: subject_CN=client.example.com, issuer=ca.example.com, fingerprint=12:34:56:78:90:AB:CD:EF:FE:DC:BA:09:87:65:43:21:C0:DE:BE:EF, pkey_fingerprint=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
Nov 30 21:40:39 server postfix/smtpd[7859]: Trusted TLS connection established from client.example.com[192.168.1.1]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov 30 21:40:39 server postfix/smtpd[7859]: NOQUEUE: reject: RCPT from client.example.com[192.168.1.1]: 454 4.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<client.example.com>
Nov 30 21:40:39 server postfix/smtpd[7859]: disconnect from client.example.com[192.168.1.1]

Client log output:

Nov 30 21:40:39 client postfix/smtp[15525]: server.example.com[192.168.1.2]:25: subject_CN=server.example.com, issuer_CN=ca.example.com, fingerprint=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX, pkey_fingerprint=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
Nov 30 21:40:39 client postfix/smtp[15525]: Trusted TLS connection established to server.example.com[192.168.1.2]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov 30 21:40:39 client postfix/smtp[15525]: 563502306537: to=<[email protected]>, relay=server.example.com[192.168.1.2]:25, delay=431, delays=430/0.02/0.07/0.11, dsn=4.7.1, status=deferred (host server.example.com[192.168.1.2] said: 454 4.7.1 <[email protected]>: Relay access denied (in reply to RCPT TO command))

Additional details:

  • Both systems have valid certificates signed by my internal CA
  • Both systems have valid A and PTR records
  • I can successfully look up the fingerprint in the relay_clientcerts database with postmap -q
  • Specifying smtpd_recipient_restrictions = permit_tls_clientcerts, permit_mynetworks, reject_unauth_destination and mynetworks = 127.0.0.0/8, 192.168.1.0/24 on the server lets the client relay mail through the server without any problem

I've read through the Postfix documentation, the postfix-users mailing list archives, and Google, and my configuration looks correct to me (or at least correct enough). My understanding is that the combination of permit_tls_clientcerts and relay_clientcerts should be sufficient to allow relaying. Clearly I'm either wrong or missing something.

What am I missing that is preventing the server from allowing relaying based on the client's fingerprint?

Answer 1

I kept digging through the Postfix documentation and stumbled upon the answer:

Postfix 2.10 introduced a parameter called smtpd_relay_restrictions to address the problem of a permissive spam-blocking policy under smtpd_recipient_restrictions resulting in a permissive relay policy. According to the documentation (http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions), this parameter accepts the same values and is "preferably" used to configure the relay policy:

With Postfix 2.10 and later, relay permission rules are preferably implemented with smtpd_relay_restrictions, so that a permissive spam blocking policy under smtpd_recipient_restrictions will no longer result in a permissive mail relay policy.

...

Specify a list of restrictions, separated by commas and/or whitespace. Continue long lines by starting the next line with whitespace. The same restrictions are documented under smtpd_recipient_restrictions.

What wasn't immediately obvious, at least to me, is that the smtpd_relay_restrictions parameter has a default value (shown by running postconf without options: permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination) and, when it has a non-empty value, completely overrides smtpd_recipient_restrictions. From the documentation:

For backwards compatibility, sites that migrate from Postfix versions before 2.10 can set smtpd_relay_restrictions to the empty value, and use smtpd_recipient_restrictions as before.

So the solution is either to set smtpd_relay_restrictions to an empty value in main.cf and use smtpd_recipient_restrictions as in earlier versions, or to configure the relay policy with the new parameter. I chose the latter, and certificate-based relaying now works as expected.
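As an added illustration (not part of the original question or answer), the following POSIX shell check reads a saved postconf -n dump and reports whether permit_tls_clientcerts is actually reachable in the effective relay policy. It assumes the Postfix 2.10 default quoted in the answer applies whenever smtpd_relay_restrictions is not set, and that values are on single lines as postconf -n prints them.

```shell
#!/bin/sh
# Added example, not from the original post. Reads a "postconf -n" style dump
# and tells you which restriction list gates relaying and whether
# permit_tls_clientcerts appears in it. Assumes Postfix 2.10+ semantics:
# smtpd_relay_restrictions is evaluated first, and when it is not set in
# main.cf the compiled-in default below applies.

POSTFIX_DEFAULT_RELAY='permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination'

# effective_relay_restrictions FILE
# Prints the smtpd_relay_restrictions value found in FILE, or the compiled-in
# default when FILE does not set it. An explicitly empty value prints nothing
# (the documented backwards-compatible setting).
effective_relay_restrictions() {
    if grep -q '^smtpd_relay_restrictions[[:space:]]*=' "$1"; then
        sed -n 's/^smtpd_relay_restrictions[[:space:]]*=[[:space:]]*//p' "$1"
    else
        printf '%s\n' "$POSTFIX_DEFAULT_RELAY"
    fi
}

# clientcert_relay_allowed FILE
# Returns 0 when certificate-based relay can succeed: either
# smtpd_relay_restrictions lists permit_tls_clientcerts, or it is explicitly
# empty so that smtpd_recipient_restrictions (which must list it) decides.
# Returns 1 otherwise, e.g. the asker's original server config, where the
# default defer_unauth_destination rejects the RCPT before the recipient
# restrictions are ever consulted.
clientcert_relay_allowed() {
    relay=$(effective_relay_restrictions "$1")
    case "$relay" in
        *permit_tls_clientcerts*) return 0 ;;
        '') grep -q '^smtpd_recipient_restrictions[[:space:]]*=.*permit_tls_clientcerts' "$1" ;;
        *) return 1 ;;
    esac
}

# Usage: sh relaycheck.sh /path/to/postconf-n-output
if [ $# -eq 1 ]; then
    printf 'effective smtpd_relay_restrictions: %s\n' "$(effective_relay_restrictions "$1")"
    if clientcert_relay_allowed "$1"; then
        echo 'permit_tls_clientcerts is reachable in the relay policy'
    else
        echo 'permit_tls_clientcerts is NOT in the effective relay policy'
    fi
fi
```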
