After adding a certificate, the SMTP server (Exchange 2003) hangs up after the client issues STARTTLS

I'm confused by this. I'm still running Exchange Server 2003. I created a valid LetsEncrypt SSL certificate and successfully imported the pfx on the "Access" tab of my Default SMTP Virtual Server properties. Now clients sending EHLO are told that STARTTLS is available. But several of my email clients (which have to be set to use STARTTLS if available) can no longer send mail. I used Wireshark to watch a successful send before adding the certificate (with authentication) and after adding the certificate. After adding the certificate, EHLO says STARTTLS is available. The client sends STARTTLS. The server responds "2.0.0 SMTP server ready". The client sends an SSL Client Hello, and 10 ms later the SMTP server closes the connection (a FIN, ACK packet is sent back to the client). And that's the end of it.

Not sure how to diagnose this. There is nothing in the event log. I do have a log in the Windows LogFiles SMTPSvc1 folder. Here is what it shows when STARTTLS is specified and the server hangs up:

 2017-10-28 14:20:01 192.168.5.80 localhost 250 0 110
 2017-10-28 14:20:01 192.168.5.80 localhost 220 0 0
 2017-10-28 14:20:01 192.168.5.80 localhost 220 0 0
 2017-10-28 14:20:01 192.168.5.80 localhost 503 2148074248 31
 2017-10-28 14:20:01 192.168.5.80 localhost 240 203 31

For reference, when I remove the certificate, STARTTLS is not sent, the client authenticates and then sends successfully; here are the log entries:

 2017-10-28 13:43:26 192.168.5.80 localhost 250 0 0
 2017-10-28 13:43:26 192.168.5.80 localhost 250 0 0
 2017-10-28 13:43:26 192.168.5.80 localhost 250 0 0
 2017-10-28 13:43:26 192.168.5.80 localhost 250 0 281
 2017-10-28 13:43:26 192.168.5.80 localhost 240 703 0

In case someone knows what is in here and it might help, here are the last two packets traced - the Client Hello and the RST hang-up...

No.     Time                          Source                Destination           Protocol Length Info
     17 2017-10-28 09:41:05.669172000 192.168.5.80          192.168.1.11          SSL      583    Client Hello

Frame 17: 583 bytes on wire (4664 bits), 583 bytes captured (4664 bits) on interface 0
Internet Protocol Version 4, Src: 192.168.5.80 (192.168.5.80), Dst: 192.168.1.11 (192.168.1.11)
Transmission Control Protocol, Src Port: 48022 (48022), Dst Port: 25 (25), Seq: 27, Ack: 485, Len: 517
    Source Port: 48022 (48022)
    Destination Port: 25 (25)
    [Stream index: 1]
    [TCP Segment Len: 517]
    Sequence number: 27    (relative sequence number)
    [Next sequence number: 544    (relative sequence number)]
    Acknowledgment number: 485    (relative ack number)
    Header Length: 32 bytes
    .... 0000 0001 1000 = Flags: 0x018 (PSH, ACK)
    Window size value: 237
    [Calculated window size: 30336]
    [Window size scaling factor: 128]
    Checksum: 0x87d7 [validation disabled]
    Urgent pointer: 0
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
    [SEQ/ACK analysis]
Secure Sockets Layer
    SSL Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 512
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 508
            Version: TLS 1.2 (0x0303)
            Random
            Session ID Length: 0
            Cipher Suites Length: 124
            Cipher Suites (62 suites)
            Compression Methods Length: 1
            Compression Methods (1 method)
            Extensions Length: 343
            Extension: server_name
                Type: server_name (0x0000)
                Length: 17
                Server Name Indication extension
                    Server Name list length: 15
                    Server Name Type: host_name (0)
                    Server Name length: 12
                    Server Name: 192.168.1.11
            Extension: ec_point_formats
                Type: ec_point_formats (0x000b)
                Length: 4
                EC point formats Length: 3
                Elliptic curves point formats (3)
            Extension: elliptic_curves
                Type: elliptic_curves (0x000a)
                Length: 10
                Elliptic Curves Length: 8
                Elliptic curves (4 curves)
            Extension: SessionTicket TLS
                Type: SessionTicket TLS (0x0023)
                Length: 0
                Data (0 bytes)
            Extension: signature_algorithms
                Type: signature_algorithms (0x000d)
                Length: 32
                Signature Hash Algorithms Length: 30
                Signature Hash Algorithms (15 algorithms)
            Extension: Unknown 22
                Type: Unknown (0x0016)
                Length: 0
                Data (0 bytes)
            Extension: Unknown 23
                Type: Unknown (0x0017)
                Length: 0
                Data (0 bytes)
            Extension: Padding
                Type: Padding (0x0015)
                Length: 248
                Padding Data: 000000000000000000000000000000000000000000000000...

No.     Time                          Source                Destination           Protocol Length Info
     18 2017-10-28 09:41:05.675195000 192.168.1.11          192.168.5.80          TCP      66     25→48022 [FIN, ACK] Seq=485 Ack=544 Win=64992 Len=0 TSval=52648030 TSecr=1233339601

Frame 18: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface 0
Internet Protocol Version 4, Src: 192.168.1.11 (192.168.1.11), Dst: 192.168.5.80 (192.168.5.80)
Transmission Control Protocol, Src Port: 25 (25), Dst Port: 48022 (48022), Seq: 485, Ack: 544, Len: 0
    Source Port: 25 (25)
    Destination Port: 48022 (48022)
    [Stream index: 1]
    [TCP Segment Len: 0]
    Sequence number: 485    (relative sequence number)
    Acknowledgment number: 544    (relative ack number)
    Header Length: 32 bytes
    .... 0000 0001 0001 = Flags: 0x011 (FIN, ACK)
    Window size value: 64992
    [Calculated window size: 64992]
    [Window size scaling factor: 1]
    Checksum: 0x9699 [validation disabled]
    Urgent pointer: 0
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
    [SEQ/ACK analysis]
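The SMTPSvc log lines above carry a numeric Win32 status next to the SMTP reply code, and in the failing run that number is 2148074248 on the 503 line. That value is an HRESULT (0x80090308), which is SEC_E_INVALID_TOKEN from the SSPI facility that Schannel reports TLS handshake failures under. The following Python script is an added example, not something the asker posted: it parses the quoted lines, renders the Win32 status as an HRESULT, and names the SSPI codes it knows. The column mapping (date, time, client IP, a name column, SMTP status, Win32 status, trailing counter) is an assumption, since the excerpt has no #Fields header line; the embedded log text is the asker's failing-run excerpt copied verbatim.

```python
"""Added example, not part of the original question: decode the numeric
Win32 status in Exchange 2003 / IIS SMTPSvc log lines as an HRESULT and
name the SSPI (Schannel) error codes it recognises."""

# Selected SSPI status codes from winerror.h. Facility 9 is FACILITY_SSPI,
# which Schannel uses for TLS handshake and certificate failures.
SSPI_CODES = {
    0x80090302: "SEC_E_UNSUPPORTED_FUNCTION",
    0x80090304: "SEC_E_INTERNAL_ERROR",
    0x80090308: "SEC_E_INVALID_TOKEN",
    0x8009030D: "SEC_E_UNKNOWN_CREDENTIALS",
    0x8009030E: "SEC_E_NO_CREDENTIALS",
    0x80090322: "SEC_E_WRONG_PRINCIPAL",
    0x80090325: "SEC_E_UNTRUSTED_ROOT",
    0x80090326: "SEC_E_ILLEGAL_MESSAGE",
    0x80090327: "SEC_E_CERT_UNKNOWN",
    0x80090328: "SEC_E_CERT_EXPIRED",
    0x80090330: "SEC_E_DECRYPT_FAILURE",
    0x80090331: "SEC_E_ALGORITHM_MISMATCH",
}
FACILITY_SSPI = 9

# The five lines the asker quoted from the failing (STARTTLS) run.
FAILING_RUN = """\
2017-10-28 14:20:01 192.168.5.80 localhost 250 0 110
2017-10-28 14:20:01 192.168.5.80 localhost 220 0 0
2017-10-28 14:20:01 192.168.5.80 localhost 220 0 0
2017-10-28 14:20:01 192.168.5.80 localhost 503 2148074248 31
2017-10-28 14:20:01 192.168.5.80 localhost 240 203 31
"""


def decode_win32_status(value):
    """Return (hex, facility, name) for a decimal sc-win32-status.
    A value with bit 31 set is an HRESULT; bits 16-28 hold the facility."""
    value &= 0xFFFFFFFF
    if value == 0:
        return "0x00000000", None, "SUCCESS"
    facility = (value >> 16) & 0x1FFF if value & 0x80000000 else None
    name = SSPI_CODES.get(value)
    if name is None and facility == FACILITY_SSPI:
        name = "unlisted SSPI error"
    return f"0x{value:08X}", facility, name


def parse_smtpsvc_lines(text):
    """Split the trimmed excerpt. The column mapping is an assumption, since the
    excerpt has no #Fields header: date time c-ip name sc-status sc-win32-status n."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or not (parts[4].isdigit() and parts[5].isdigit()):
            continue
        hexcode, facility, name = decode_win32_status(int(parts[5]))
        rows.append({"time": f"{parts[0]} {parts[1]}", "client": parts[2],
                     "smtp_status": int(parts[4]), "win32": hexcode,
                     "facility": facility, "name": name, "trailing": int(parts[6])})
    return rows


def handshake_failures(rows):
    """Rows where the SMTP reply was an error and Win32 carries an SSPI HRESULT."""
    return [r for r in rows if r["smtp_status"] >= 400 and r["facility"] == FACILITY_SSPI]


if __name__ == "__main__":
    rows = parse_smtpsvc_lines(FAILING_RUN)
    for r in rows:
        print(f"{r['time']} {r['client']} {r['smtp_status']} {r['win32']} {r['name'] or ''}")
    for r in handshake_failures(rows):
        print("handshake failure:", r["name"])
```

SEC_E_INVALID_TOKEN is SSPI's report that it could not process the security token it was handed, which here is the Client Hello that arrived right before the FIN; that is consistent with a handshake the server could not parse or negotiate, but the log alone does not say which. The other Win32 values in the excerpt (203 on the 240 line, 703 in the passing run) are not HRESULTs and are left unnamed rather than guessed at.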

Answer 1

I'm pretty sure the problem is that the Exchange Server 2003 SMTP server is old and only supports TLS 1.0, which is no longer considered that secure. And apparently it doesn't support any of the newer ciphers. So, again without evidence, I'm fairly sure the other end hangs up because the STARTTLS / Client Hello message shows that the protocols and/or ciphers the server offers have no overlap with those available on the client. I solved my problem by putting a more modern SMTP server (hMailServer) between Exchange Server 2003 and the rest of the world. That fixed my problem. The better long-term approach is to remove the Exchange 2003 Server from the environment.
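The answer's hypothesis (no protocol or cipher overlap, so the server drops the connection on the Client Hello) can be tested directly rather than inferred. The script below is an added example, not the poster's code and not part of hMailServer: it drives EHLO and STARTTLS on a raw socket, then attempts a TLS handshake pinned to one protocol version at a time, and classifies a silent close during the handshake separately from a real TLS alert or a version the local OpenSSL refuses to speak. It ships with a constructed fake peer that mirrors the capture in the question (advertises STARTTLS, answers 220, closes as soon as the Client Hello record arrives) so it runs offline; pass a host name on the command line to sweep TLS 1.0 through 1.2 against a real server on port 25. The EHLO name probe.example and the fake peer's banner text are made up.

```python
"""Added example, not code from the original post: probe an SMTP server's
STARTTLS handshake one TLS version at a time, and tell "the server closed
the connection on the ClientHello" apart from a genuine TLS error."""
import socket
import ssl
import sys
import threading


class SmtpLineReader:
    """Buffered reader for CRLF-terminated SMTP lines on a plain socket."""

    def __init__(self, sock):
        self.sock, self.buf = sock, b""

    def line(self):
        while b"\r\n" not in self.buf:
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("peer closed the connection mid-dialogue")
            self.buf += chunk
        raw, _, self.buf = self.buf.partition(b"\r\n")
        return raw.decode("ascii", "replace")

    def reply(self):
        """One possibly multi-line reply: '250-x' continues, '250 x' ends it."""
        lines = []
        while True:
            text = self.line()
            lines.append(text[4:])
            if len(text) < 4 or text[3] != "-":
                return (int(text[:3]) if text[:3].isdigit() else 0), lines


def probe_starttls(sock, tls_version, ehlo_name="probe.example", server_hostname=None):
    """EHLO, STARTTLS, then a handshake pinned to exactly tls_version.
    Returns {'outcome': ..., 'detail': ...}; a hang-up during the SMTP
    dialogue itself (before TLS) raises ConnectionError."""
    rd = SmtpLineReader(sock)
    code, banner = rd.reply()
    if code != 220:
        return {"outcome": "no_banner", "detail": banner}
    sock.sendall(f"EHLO {ehlo_name}\r\n".encode("ascii"))   # ehlo_name is made up
    code, ext = rd.reply()
    if code != 250 or not any(e.upper().startswith("STARTTLS") for e in ext):
        return {"outcome": "no_starttls", "detail": ext}
    sock.sendall(b"STARTTLS\r\n")
    code, resp = rd.reply()
    if code != 220:
        return {"outcome": "starttls_refused", "detail": resp}
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE          # diagnosing, not trusting
        ctx.minimum_version = tls_version        # pin both ends of the range
        ctx.maximum_version = tls_version
    except (ValueError, ssl.SSLError, NotImplementedError) as exc:
        return {"outcome": "unsupported_locally", "detail": str(exc)}
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")       # offer legacy suites as well
    except ssl.SSLError:
        pass
    try:
        tls = ctx.wrap_socket(sock, server_hostname=server_hostname)
    except (ssl.SSLError, OSError) as exc:
        closed = (isinstance(exc, (ssl.SSLEOFError, ConnectionResetError))
                  or "eof" in str(exc).lower())
        return {"outcome": "closed_during_handshake" if closed else "tls_error",
                "detail": str(exc)}
    result = {"outcome": "ok", "detail": f"{tls.version()} {tls.cipher()[0]}"}
    tls.close()
    return result


def fake_exchange_2003(server_sock):
    """Constructed peer mirroring the capture in the question: advertises
    STARTTLS, answers 220, then closes as soon as the ClientHello arrives."""
    rd = SmtpLineReader(server_sock)
    try:
        server_sock.sendall(b"220 localhost SMTP service ready\r\n")  # made-up banner
        rd.line()                                                      # EHLO
        server_sock.sendall(b"250-localhost Hello\r\n250-STARTTLS\r\n250 OK\r\n")
        rd.line()                                                      # STARTTLS
        server_sock.sendall(b"220 2.0.0 SMTP server ready\r\n")
        server_sock.recv(5)   # ClientHello record header arrives; no ServerHello, no alert
    except OSError:
        pass
    finally:
        server_sock.close()   # the FIN the asker saw in Wireshark


def probe_fake(tls_version=ssl.TLSVersion.TLSv1_2):
    """Run the probe against the fake peer over a socketpair, fully offline."""
    client, server = socket.socketpair()
    client.settimeout(10)
    server.settimeout(10)
    worker = threading.Thread(target=fake_exchange_2003, args=(server,))
    worker.start()
    try:
        return probe_starttls(client, tls_version)
    finally:
        client.close()
        worker.join()


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else None    # no host: use the fake peer
    for ver in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2):
        if host:
            with socket.create_connection((host, 25), timeout=10) as s:
                res = probe_starttls(s, ver, server_hostname=host)
        else:
            res = probe_fake(ver)
        print(f"{ver.name}: {res['outcome']} ({res['detail']})")
```

Run it with no arguments and the fake peer yields closed_during_handshake; run it with a host name to sweep a real server. A closed_during_handshake at every version matches the answer's reading of a server with nothing in common with the client; an ok at TLS 1.0 but a close at 1.2 would instead point at the client's offer as the trigger. unsupported_locally means the probe machine's own OpenSSL refuses that version, which is a finding about the probe, not the server. If you pass an IP literal rather than a name, Python's ssl module omits SNI for it, so the probe's Client Hello will differ in that one respect from the capture above, which carried the IP in the server_name extension.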
