我已经设置了https://hub.docker.com/r/tvial/docker-mailserver/使用 Letsencrypt 证书,它似乎可以工作。
例如,使用 openssl,我可以连接:
openssl s_client -host test-mail.zedeler.dk -port 993
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = test-mail.zedeler.dk
verify return:1
---
Certificate chain
0 s:/CN=test-mail.zedeler.dk
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFCzCCA/OgAwIBAgISAxJ39Kupidovpu/Of4I2WSw9MA0GCSqGSIb3DQEBCwUA
[SNIP]
-----END CERTIFICATE-----
subject=/CN=test-mail.zedeler.dk
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3131 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 521C004DD2D234312D9AAF19C2CB985656676FCAE36088172CEE0064C299A990
Session-ID-ctx:
Master-Key: 68EC9097F387404A889745B92A39C7B6713FB0495DA52C486ABF88577CEF9FA4A5C8B15419B9AFC5EB817742C17CFC62
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - da bd 65 db bd 9f d7 c7-25 07 91 31 13 aa 2b 5a
[SNIP]
Start Time: 1505919651
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
1 capability
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN
1 OK Pre-login capabilities listed, post-login capabilities have more.
2 id
* ID ("name" "Dovecot")
2 OK ID completed.
3 plain
3 BAD Error in IMAP command received by server.
4 authenticate plain
+
[SNIP]
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SPECIAL-USE
4 OK Logged in
5 list "" *
* LIST (\HasNoChildren \Trash) "." Trash
* LIST (\HasNoChildren \Sent) "." Sent
* LIST (\HasNoChildren \Drafts) "." Drafts
* LIST (\HasNoChildren) "." INBOX
5 OK List completed (0.000 + 0.000 secs).
看起来证书链正常工作:
https://ssl-tools.net/mailservers/test-mail.zedeler.dk
但是当我尝试在 Thunderbird 中设置帐户时,我收到了令人沮丧的消息“Thunderbird 无法找到您的电子邮件帐户的设置”。我从服务器日志中看到,Thunderbird 仅建立了 TLS 连接并再次断开连接。它不会尝试登录。
我尝试在 Thunderbird 中打开调试,但似乎帐户设置面板没有产生任何调试输出。
我已经用 Evolution 测试了相同的设置并且它开箱即用。
有什么建议么?
答案1
如果您在邮件服务器上启用提交端口 (587),Thuderbird 可能会更高兴。通常,这会配置为使用 STARTTLS 并要求在接受电子邮件之前进行身份验证。经过身份验证的用户通常可以向任何有效地址发送电子邮件。
ISP 很少会封锁提交端口的访问,而端口 25 则经常被封锁。使用端口 25 会限制您的漫游能力。
答案2
我发现我使用的设置只有 STARTSSL 可用的端口 25。Thunderbird 无法识别这一点,但当我明确指定它时,它就可以正常工作。