Postfix SSL certificate verification failure

For years we have been using Postfix on an Ubuntu 12.04 server to send mail triggered by a registration form submission. It worked until March 2017.

However, postfix suddenly started hitting a "certificate verification failed" error (according to mail.log) for many domains, though not all of them. For example, it refuses to send any mail to gmail addresses, but it will send to several .edu domains. I checked the SSL certificates to make sure they are up to date according to some online guides, that there is a correct ca-bundle.crt file, and that main.cf points to the correct files. Everything seems to check out. Again, there was no such problem before March 2017.

In case it helps, here is an example of what the log shows for a .edu mail server:

Oct  3 19:20:39 server postfix/pickup[27108]: 7A1BA5E02FB: uid=33 from=<www-data>
Oct  3 19:20:39 server postfix/cleanup[27114]: 7A1BA5E02FB: message-id=<07e5de6389f1ee1f0db978687a2a701c@server>
Oct  3 19:20:39 server postfix/qmgr[27109]: 7A1BA5E02FB: from=<www-data@server>, size=2354, nrcpt=1 (queue active)
Oct  3 19:20:39 server postfix/smtp[27116]: certificate verification failed for mailgateway[ip]:25: untrusted issuer /C=SE/O=AddTrust AB/OU=AddTrust Externa$
Oct  3 19:20:39 server postfix/pickup[27108]: C25FB5E02FC: uid=33 from=<www-data>
Oct  3 19:20:39 server postfix/cleanup[27114]: C25FB5E02FC: message-id=<839ec587b4d3c56ecb8be082fa36e626@server>
Oct  3 19:20:39 server postfix/qmgr[27109]: C25FB5E02FC: from=<www-data@server>, size=2354, nrcpt=1 (queue active)
Oct  3 19:20:40 server postfix/smtp[27116]: 7A1BA5E02FB: to=<email>, relay=mailgateway06[ip]:25, delay=0.62, delays=0.05/0.04/0.22/0.31, dsn=2.$
Oct  3 19:20:40 server postfix/qmgr[27109]: 7A1BA5E02FB: removed
Oct  3 19:20:40 server postfix/smtp[27121]: certificate verification failed for mailgateway04[ip]:25: untrusted issuer /C=SE/O=AddTrust AB/OU=AddTrust Externa$
Oct  3 19:20:41 server postfix/smtp[27121]: C25FB5E02FC: to=<email>, relay=mailgateway04[ip]:25, delay=1.4, delays=0.01/0.02/1/0.35, dsn=2.0.0,$
Oct  3 19:20:41 server postfix/qmgr[27109]: C25FB5E02FC: removed

Or for a Google address:

Oct  3 19:00:32 server postfix/pickup[25780]: C0B5E5E02FB: uid=33 from=<www-data>
Oct  3 19:00:32 server postfix/cleanup[25788]: C0B5E5E02FB: message-id=<502b3fe5d32d82faca381ef6f18939f8@server>
Oct  3 19:00:32 server postfix/qmgr[25781]: C0B5E5E02FB: from=<www-data@server>, size=2353, nrcpt=2 (queue active)
Oct  3 19:00:32 server postfix/smtp[25790]: connect to gmail-smtp-in.l.google.com[2607:f8b0:4001:c14::1b]:25: Network is unreachable
Oct  3 19:00:33 server postfix/pickup[25780]: 0542A5E02FC: uid=33 from=<www-data>
Oct  3 19:00:33 server postfix/cleanup[25788]: 0542A5E02FC: message-id=<893ee1fe8af389833686860025d71966@server>
Oct  3 19:00:33 server postfix/qmgr[25781]: 0542A5E02FC: from=<www-data@server>, size=2353, nrcpt=2 (queue active)
Oct  3 19:00:33 server postfix/smtp[25790]: certificate verification failed for gmail-smtp-in.l.google.com[74.125.202.27]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certifi$
Oct  3 19:00:33 server postfix/smtp[25796]: connect to gmail-smtp-in.l.google.com[2607:f8b0:4001:c14::1b]:25: Network is unreachable
Oct  3 19:00:33 server postfix/smtp[25796]: certificate verification failed for gmail-smtp-in.l.google.com[173.194.196.26]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certif$
Oct  3 19:00:34 server postfix/smtp[25796]: 0542A5E02FC: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[173.194.196.26]:25, delay=1.1, delays=0.01/0.02/0.11/0.95, dsn=2.0.0$

What could be the cause?

If it helps, here is my main.cf file:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = [SERVER_NAME_OMITTED]
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = [SERVER_NAME_OMITTED], localhost.localdomain, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,check_policy_service unix:private/policy-spf
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
#content_filter = smtp-amavis:[127.0.0.1]:10024
home_mailbox = Maildir/
mailbox_command =
spf-policyd_time_limit = 3600s

Update: I have now also tried generating a cacert.pem file following a number of web pages, and setting smtp_tls_CAfile and smtpd_tls_CAfile to use that file. This produces a different error (and the mail is not sent):

Oct  4 01:51:51 server postfix/pickup[6816]: 969E15E02FB: uid=1000 from=<admin>
Oct  4 01:51:51 server postfix/cleanup[6841]: 969E15E02FB: message-id=<20171004015151.969E15E02FB@server>
Oct  4 01:51:51 server postfix/qmgr[6817]: 969E15E02FB: from=<admin@server>, size=291, nrcpt=1 (queue active)
Oct  4 01:51:51 server postfix/smtp[6848]: CA certificate verification failed for gmail-smtp-in.l.google.com[74.125.129.26]:25: num=7:certificate signature failure
Oct  4 01:51:52 server postfix/smtp[6848]: 969E15E02FB: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[74.125.129.26]:25, delay=0.45, delays=0.06/0.07/$
Oct  4 01:51:52 server postfix/qmgr[6817]: 969E15E02FB: removed
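The mail.log excerpts above show two things that are easy to miss when reading them by hand: the "certificate verification failed" line carries no queue ID (only the smtp process PID and the relay), and the delivery line that follows for the same PID and relay still reports dsn=2.0.0, because smtp_tls_security_level = may is opportunistic TLS and a failed verification is only logged. The following script is an added example, not part of the question or the answers, that correlates the two lines and reports which messages were delivered despite an unverified peer certificate and which issuers were rejected. The log lines inside it are constructed, modelled on the question's format with placeholder hostnames and addresses; the final deferred line is shaped the way Postfix reports a refused delivery under a mandatory level such as secure, which the question's configuration does not use.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines (placeholder hosts/addresses), modelled on the
# format of the question's mail.log excerpts. Not the original log.
SAMPLE_LOG = """\
Oct  3 19:20:39 server postfix/pickup[27108]: 7A1BA5E02FB: uid=33 from=<www-data>
Oct  3 19:20:39 server postfix/smtp[27116]: certificate verification failed for mailgateway06[192.0.2.10]:25: untrusted issuer /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
Oct  3 19:20:40 server postfix/smtp[27116]: 7A1BA5E02FB: to=<user@example.edu>, relay=mailgateway06[192.0.2.10]:25, delay=0.62, delays=0.05/0.04/0.22/0.31, dsn=2.0.0, status=sent (250 2.0.0 OK)
Oct  3 19:00:32 server postfix/smtp[25790]: connect to mx.example.net[2001:db8::1b]:25: Network is unreachable
Oct  3 19:00:33 server postfix/smtp[25790]: certificate verification failed for mx.example.net[198.51.100.27]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
Oct  3 19:00:34 server postfix/smtp[25790]: 0542A5E02FC: to=<user@example.net>, relay=mx.example.net[198.51.100.27]:25, delay=1.1, delays=0.01/0.02/0.11/0.95, dsn=2.0.0, status=sent (250 2.0.0 OK)
Oct  4 01:51:51 server postfix/smtp[6848]: CA certificate verification failed for mx.example.net[198.51.100.26]:25: num=7:certificate signature failure
Oct  4 01:51:52 server postfix/smtp[6848]: 969E15E02FB: to=<user@example.net>, relay=mx.example.net[198.51.100.26]:25, delay=0.45, delays=0.06/0.07/0.11/0.21, dsn=4.7.5, status=deferred (Server certificate not verified)
"""

# The failure line has no queue ID: key it on (smtp PID, relay) and wait for
# the delivery line from the same PID to the same relay.
FAIL_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?:CA )?certificate verification failed for "
    r"(?P<relay>[^\s\[]+\[[^\]]*\]):\d+: (?P<reason>.*)$"
)
DELIVER_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>[0-9A-F]+): to=<[^>]*>, "
    r"relay=(?P<relay>[^\s\[]+\[[^\]]*\]):\d+, .*?dsn=(?P<dsn>[\d.]+), "
    r"status=(?P<status>\w+)"
)
ISSUER_ORG_RE = re.compile(r"untrusted issuer .*?/O=(?P<org>[^/]+)")


@dataclass
class Finding:
    qid: str
    relay: str
    reason: str
    dsn: str
    status: str
    delivered_anyway: bool  # True when TLS verification failed but status=sent


def correlate(log_text: str) -> list[Finding]:
    """Pair each verification failure with the delivery attempt it belongs to."""
    pending: dict[tuple[str, str], str] = {}
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            pending[(m["pid"], m["relay"])] = m["reason"]
            continue
        m = DELIVER_RE.search(line)
        if m:
            reason = pending.pop((m["pid"], m["relay"]), None)
            if reason is not None:
                findings.append(Finding(
                    qid=m["qid"], relay=m["relay"], reason=reason,
                    dsn=m["dsn"], status=m["status"],
                    delivered_anyway=(m["status"] == "sent"),
                ))
    return findings


def delivered_despite_failure(findings: list[Finding]) -> list[str]:
    """Queue IDs that went out over a connection whose peer cert did not verify."""
    return [f.qid for f in findings if f.delivered_anyway]


def untrusted_issuers(findings: list[Finding]) -> set[str]:
    """Organisation names of the issuers the local CA bundle did not trust."""
    orgs = set()
    for f in findings:
        m = ISSUER_ORG_RE.search(f.reason)
        if m:
            orgs.add(m["org"].strip())
    return orgs


if __name__ == "__main__":
    found = correlate(SAMPLE_LOG)
    for f in found:
        verdict = "SENT despite failed verification" if f.delivered_anyway else f.status.upper()
        print(f"{f.qid} -> {f.relay}: {verdict} (dsn={f.dsn}); {f.reason}")
    print("untrusted issuers:", ", ".join(sorted(untrusted_issuers(found))))
```

Run it against a real mail.log by replacing SAMPLE_LOG with the file contents; the issuer names it prints are the ones to look for in the CA bundle the smtp client actually reads (smtp_tls_CAfile, which the question's main.cf does not set, as distinct from smtpd_tls_CAfile, which only affects inbound connections).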

Answer 1

Your Ubuntu is too old. Your CA certificates appear to have expired.

When you send mail, your own certificate is not used. It is only used for receiving mail with smtpd.

smtp verifies against the certificates provided by the ca-certificates package. You can try installing a backport to fix the error in the log.

For example, a ca-certificates backport.

Update: your configuration should include smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

Answer 2

You need to enter the correct path to the CA bundle file.

Postfix TLS Support

$smtpd_tls_CAfile contains the CA certificates of one or more trusted CAs. The file is opened (with root privileges) before Postfix enters the optional chroot jail, so it does not need to be accessible from inside the chroot jail.

Note that postfix can run in a chroot jail without access to the CA file.

You can enter another path inside the Postfix directory, for example (in my infrastructure):

smtpd_tls_CAfile = /var/spool/postfix/etc/ssl/certs/ca-certificates.crt

Does the file /etc/ssl/certs/ca-certificates.crt exist?

If you cannot find the CA file and do not know where it is, you can locate all CA-like files with this command:

find / \( -name "*.crt" -o -name "*.ca-bundle" -o -name "*.pem" \) -type f -size +100k

The method I use relies on the CA file being larger than 100 KB (mine is about 270 KB).

Alternatively, you can find all certificate files, sort them by size, and take only the first 10 lines of the find command's output:

find / \( -name "*.crt" -o -name "*.ca-bundle" -o -name "*.pem" \) -type f -exec du -sh {} \; | sort -r -h | head