当我使用由证书颁发机构签名的 SSL 证书时,Postfix 无法正常运行,并且出现以下错误/var/log/mail.log:
Sep 8 12:43:03 mail postfix/master[15557]: daemon started -- version 3.1.0, configuration /etc/postfix
Sep 8 12:43:11 mail postfix/smtpd[15560]: fatal: bad boolean configuration: smtpd_sasl_authenticated_header = yes? smtpd_tls_cert_file=/etc/ssl/certs/mail_centralcloudmanager_com.crt? smtpd_tls_key_file=/etc/ssl/private/mail.centralcloudmanager.com.key
Sep 8 12:43:12 mail postfix/master[15557]: warning: process /usr/lib/postfix/sbin/smtpd pid 15560 exit status 1
Sep 8 12:43:12 mail postfix/master[15557]: warning: /usr/lib/postfix/sbin/smtpd: bad command startup -- throttling
SSL 相关部分/etc/postfix/main.cf:
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
smtpd_sasl_authenticated_header = yes
#UNCOMMENTING THESE TWO AND COMMENTING THE SIGNED ONES ALLOWS POSTFIX TO WORK.
#smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
#smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_cert_file=/etc/ssl/certs/mail_centralcloudmanager_com.crt
smtpd_tls_key_file=/etc/ssl/private/mail.centralcloudmanager.com.key
smtpd_tls_CAfile=/etc/ssl/certs/mail_centralcloudmanager_com.ca-bundle
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem
当我使用默认的 Snakeoil 证书时,Postfix 运行良好,我可以发送/接收邮件。当切换到我的 CA 签名证书时,我收到 中所述的错误/var/log/mail.log。
我对 Dovecot 使用相同的 CA 签名证书,并且它运行良好(即使使用 snakeoil 证书)。
/etc/dovecot/conf.d/10-ssl.conf:
ssl = yes
ssl_cert = </etc/ssl/certs/mail_centralcloudmanager_com.crt
ssl_key = </etc/ssl/private/mail.centralcloudmanager.com.key
ssl_ca = </etc/ssl/certs/mail_centralcloudmanager_com.ca-bundle
ssl_dh_parameters_length = 2048
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
ssl_prefer_server_ciphers = yes
我也将那些签名的证书用于服务器的托管 Apache 部分。
答案1
我认为发生这种情况是因为您正在使用带有密码的 CERT 密钥,因此您可以像这样将其删除:
openssl rsa -in myCertKey.key -out myCertKey.key.nopass