I can't send secure email from Gmail to my Postfix server.
Here are the TLS options in main.cf:
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/cert.pem
smtpd_tls_key_file=/etc/ssl/private/cert.key
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_CApath = /etc/ssl/certs
smtp_tls_security_level = may
smtp_tls_CApath = /etc/ssl/certs
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = high
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
Here is a sample from mail.log:
Feb 24 21:06:05 myserver postfix/smtpd[31346]: Anonymous TLS connection established from mail-yw0-f170.google.com[209.85.161.170]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Feb 24 21:10:07 myserver postfix/smtpd[31289]: Anonymous TLS connection established from mail-wr0-f179.google.com[209.85.128.179]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Feb 24 21:14:48 myserver postfix/smtpd[31346]: Anonymous TLS connection established from mail-oi0-f48.google.com[209.85.218.48]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Here is the telnet output:
telnet myserver 25
Trying XXX.XXX.XXX.XXX...
Connected to myserver.
Escape character is '^]'.
220 myserver ESMTP Postfix
ehlo domain
250-myserver
250-PIPELINING
250-SIZE 36800000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
STARTTLS
220 2.0.0 Ready to start TLS
TestReceiver from checktls.com:
CheckTLS Confidence Factor for "adress@myserver": 100
MXServer Pref Connect Allowed CanUse TLSAdv CertOK TLSNeg SndrOK RcvrOK
20 OK OK OK OK OK OK OK OK
Average 100% 100% 100% 100% 100% 100% 100% 100%
But when I compose a message in Gmail, I still see the red padlock. What is going on?
Update:
Here are the headers of a message received from Gmail:
Received: from mail-oi0-f47.google.com (mail-oi0-f47.google.com [209.85.218.47])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK))
by myserver (Postfix) with ESMTPS id 30B65866EDB
for <address@myserver>; Sun, 26 Feb 2017 14:57:36 +0100 (CET)
That shows TLS is working, doesn't it? Why do I still see the red padlock? What else can I do?
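The question's evidence is three artefacts of the same thing: Postfix smtpd log lines, a Received header, and an EHLO banner. What matters for the padlock question is whether each TLS session was merely opportunistic ("Anonymous"/"Untrusted" in the Postfix log, i.e. no peer certificate was verified) or actually verified, and whether the protocol and cipher are modern. The script below is an added example, not part of the original post or of Postfix; it parses constructed log lines in the same format as the question's mail.log (hostnames and addresses are made up except where copied from the question) plus a Received header adapted from the question, and classifies each session. The classification thresholds (legacy protocol list, 128-bit minimum, forward-secrecy check) are the author's own choices.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modeled on the Postfix smtpd/smtp log format in the question.
# Hosts in 192.0.2.0/24 and 198.51.100.0/24 are documentation addresses, not real peers.
SAMPLE_LOG = """\
Feb 24 21:06:05 myserver postfix/smtpd[31346]: Anonymous TLS connection established from mail-yw0-f170.google.com[209.85.161.170]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Feb 24 21:07:11 myserver postfix/smtpd[31346]: Untrusted TLS connection established from relay.example.net[192.0.2.10]: TLSv1 with cipher AES256-SHA (256/256 bits)
Feb 24 21:08:30 myserver postfix/smtpd[31289]: connect from legacy.example.org[198.51.100.7]
Feb 24 21:09:02 myserver postfix/smtp[31400]: Verified TLS connection established to mx.example.com[198.51.100.25]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
"""

# Received header adapted from the question (folded continuation lines start with whitespace).
SAMPLE_RECEIVED = """\
Received: from mail-oi0-f47.google.com (mail-oi0-f47.google.com [209.85.218.47])
        (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
        (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK))
        by myserver (Postfix) with ESMTPS id 30B65866EDB
        for <address@example.com>; Sun, 26 Feb 2017 14:57:36 +0100 (CET)
"""

# "from" is the inbound smtpd form, "to host[ip]:port" the outbound smtp form.
TLS_LOG_RE = re.compile(
    r"postfix/(?P<daemon>smtpd?)\[\d+\]: "
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?:from|to) (?P<peer>\S+?)(?::\d+)?: "
    r"(?P<proto>TLSv[\d.]+|SSLv\d) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)
RECEIVED_TLS_RE = re.compile(
    r"\(using (?P<proto>TLSv[\d.]+|SSLv\d) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)\)"
)
WEAK_PROTOS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


@dataclass
class TlsRecord:
    source: str   # "smtpd" (inbound), "smtp" (outbound) or "header"
    peer: str
    trust: str    # Postfix trust level of the peer certificate
    proto: str
    cipher: str
    bits: int


def parse_log(text: str) -> List[TlsRecord]:
    """Extract every TLS handshake Postfix logged; plaintext sessions produce nothing."""
    out = []
    for line in text.splitlines():
        m = TLS_LOG_RE.search(line)
        if m:
            out.append(TlsRecord(m["daemon"], m["peer"], m["trust"],
                                 m["proto"], m["cipher"], int(m["bits"])))
    return out


def parse_received(header: str) -> Optional[TlsRecord]:
    """Read the TLS details Postfix writes into a Received header; None if the hop was plaintext."""
    folded = " ".join(part.strip() for part in header.splitlines())
    m = RECEIVED_TLS_RE.search(folded)
    # "with ESMTPS" (not plain "ESMTP") is Postfix's marker that the hop used TLS.
    if not m or not re.search(r" with ESMTPS", folded):
        return None
    peer = re.match(r"Received: from (\S+)", folded)
    trust = "Verified" if "(verified OK)" in folded else "Anonymous"
    return TlsRecord("header", peer.group(1) if peer else "?", trust,
                     m["proto"], m["cipher"], int(m["bits"]))


def assess(rec: TlsRecord) -> str:
    """'weak: ...', 'opportunistic' (encrypted, peer unauthenticated) or 'verified'."""
    issues = []
    if rec.proto in WEAK_PROTOS:
        issues.append(f"legacy protocol {rec.proto}")
    if rec.bits < 128:
        issues.append(f"{rec.bits}-bit cipher")
    # ECDHE/DHE suites and all TLS 1.3 suites (TLS_*) give forward secrecy.
    if not rec.cipher.startswith(("ECDHE-", "DHE-", "EDH-", "TLS_")):
        issues.append("no forward secrecy")
    if issues:
        return "weak: " + ", ".join(issues)
    return "verified" if rec.trust in ("Trusted", "Verified") else "opportunistic"


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG) + [parse_received(SAMPLE_RECEIVED)]:
        print(f"{rec.source:6} {rec.peer:45} {rec.proto:8} {rec.cipher:32} {assess(rec)}")
```

Run against real logs with `grep 'TLS connection established' /var/log/mail.log`. Sessions that Postfix logs as "Anonymous" are still encrypted; the label only says the peer did not present a certificate Postfix could verify, which is the normal result of `smtpd_tls_security_level = may` and does not, by itself, explain a client-side warning such as Gmail's padlock.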
Answer 1
The red padlock means the mail was sent unencrypted. You can enable encryption by configuring the TLS settings (certificate, private key) in main.cf.
If you have already configured those, just add these parameters (note: smtp, not smtpd):
smtp_use_tls = yes
smtp_tls_security_level = may
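The answer's point is the `smtp_` (outbound client) versus `smtpd_` (inbound server) split, and the question's main.cf mixes current directives with the obsolete `*_use_tls` ones. The checker below is an added example, not code from the original post or from Postfix: it parses a constructed main.cf fragment modeled on the question's and reports, per side, the effective TLS security level and a few consistency problems. It relies on documented Postfix behaviour: `smtpd_tls_security_level`/`smtp_tls_security_level` override the obsolete `smtpd_use_tls`/`smtp_use_tls` (which alone only mean `may`), the server needs a cert and key for any level other than `none`, and the `*_tls_mandatory_protocols`/`*_tls_mandatory_ciphers` settings apply only to mandatory (`encrypt` or stronger) TLS while opportunistic `may` sessions are governed by `*_tls_protocols`/`*_tls_ciphers`. The file name and the sample content are assumptions.

```python
from typing import Dict, List

# Constructed main.cf fragment modeled on the question's config; not from a live server.
SAMPLE_MAIN_CF = """\
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/cert.pem
smtpd_tls_key_file=/etc/ssl/private/cert.key
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = high
smtp_use_tls = yes
smtp_tls_loglevel = 1
"""

MANDATORY_LEVELS = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}


def parse_main_cf(text: str) -> Dict[str, str]:
    """Postfix main.cf: '#' only comments a whole line, and lines starting with
    whitespace continue the previous parameter's value."""
    params: Dict[str, str] = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:
            params[last] += " " + raw.strip()
            continue
        key, _, value = raw.partition("=")
        last = key.strip()
        params[last] = value.strip()
    return params


def effective_level(params: Dict[str, str], side: str) -> str:
    """side is 'smtp' or 'smtpd'. security_level wins; the obsolete use_tls=yes alone means 'may'."""
    level = params.get(f"{side}_tls_security_level", "")
    if level:
        return level
    return "may" if params.get(f"{side}_use_tls", "no").lower() == "yes" else "none"


def check_tls(params: Dict[str, str]) -> List[str]:
    findings = []
    for side in ("smtp", "smtpd"):
        level = effective_level(params, side)
        if f"{side}_use_tls" in params:
            findings.append(f"{side}_use_tls is obsolete; set {side}_tls_security_level instead")
        if level == "none":
            findings.append(f"{side}: TLS disabled (no {side}_tls_security_level)")
            continue
        if side == "smtpd" and not (params.get("smtpd_tls_cert_file") and params.get("smtpd_tls_key_file")):
            findings.append("smtpd: smtpd_tls_cert_file/smtpd_tls_key_file missing, STARTTLS cannot be offered")
        if level not in MANDATORY_LEVELS:
            for knob in ("protocols", "ciphers"):
                if f"{side}_tls_mandatory_{knob}" in params and f"{side}_tls_{knob}" not in params:
                    findings.append(f"{side}: {side}_tls_mandatory_{knob} only applies to mandatory TLS; "
                                    f"level is '{level}', so set {side}_tls_{knob}")
    return findings


if __name__ == "__main__":
    cfg = parse_main_cf(SAMPLE_MAIN_CF)
    for side in ("smtp", "smtpd"):
        print(f"{side}: effective level {effective_level(cfg, side)}")
    for f in check_tls(cfg):
        print("-", f)
```

On a real host feed it `postconf -n` output rather than the raw file, so that master.cf overrides and defaults are already resolved, and then confirm the outbound side with `postconf smtp_tls_security_level`.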