Hello ServerFault community,
I posted this to the stunnel-users mailing list on 30 April 2018 and again on 16 May 2018 (https://www.stunnel.org/pipermail/stunnel-users/2018-April/006000.html); unfortunately nobody there seems to know the answer, so I am now turning to the experts here.
Below is a verbatim quote of the mail sent to the list.
Hi list,
I have just joined the stunnel community.
For PCI compliance reasons I am migrating the public-facing ports of our mail server to stunnel.
So far I have got the following working:
- imap (143/tcp) with starttls
- imaps (993/tcp)
- pop3 (110/tcp) with starttls
- pop3s (995/tcp)
My problem is with smtp (25/tcp, 587/tcp) and starttls.
I have now tried several different mail clients, and every one of them tells me that the server does not support the authentication protocol.
I have stunnel 5.44 installed. The relevant parts of my config:
[mail2-imap]
protocol = imap
accept = 143
connect = <mail-fqdn>:143
[mail2-imaps]
accept = 993
connect = <mail-fqdn>:143
[mail2-pop3]
protocol = pop3
accept = 110
connect = <mail-fqdn>:110
[mail2-pop3s]
accept = 995
connect = <mail-fqdn>:110
[mail2-smtp]
protocol = smtp
accept = 25
connect = <mail-fqdn>:25
[mail2-smtps]
accept = 465
connect = <mail-fqdn>:465
[mail2-smtps-submission]
debug = 7
protocol = smtp
accept = 587
connect = <mail-fqdn>:587
In the log file I have the following entries when a client connects:
2018.04.30 09:20:50 LOG7[5]: Service [mail2-smtps-submission] started
2018.04.30 09:20:50 LOG7[5]: Option TCP_NODELAY set on local socket
2018.04.30 09:20:50 LOG5[5]: Service [mail2-smtps-submission] accepted connection from 41.13.8.49:56890
2018.04.30 09:20:50 LOG6[5]: s_connect: connecting 10.10.11.2:587
2018.04.30 09:20:50 LOG7[5]: s_connect: s_poll_wait 10.10.11.2:587: waiting 10 seconds
2018.04.30 09:20:50 LOG5[5]: s_connect: connected 10.10.11.2:587
2018.04.30 09:20:50 LOG5[5]: Service [mail2-smtps-submission] connected remote server from 10.10.11.11:42466
2018.04.30 09:20:50 LOG7[5]: Option TCP_NODELAY set on remote socket
2018.04.30 09:20:50 LOG7[5]: Remote descriptor (FD=23) initialized
2018.04.30 09:20:50 LOG7[5]: RFC 2487 detected
2018.04.30 09:20:50 LOG7[5]: <- 220 <mail-fqdn> ESMTP Postfix
2018.04.30 09:20:50 LOG7[5]: -> 220 <mail-fqdn> stunnel for ESMTP Postfix
2018.04.30 09:20:51 LOG7[5]: <- EHLO [100.125.153.220]
2018.04.30 09:20:51 LOG7[5]: -> 250-<mail-fqdn>
2018.04.30 09:20:51 LOG7[5]: -> 250 STARTTLS
2018.04.30 09:20:51 LOG7[5]: <- STARTTLS
2018.04.30 09:20:51 LOG7[5]: -> 220 Go ahead
2018.04.30 09:20:51 LOG6[5]: Peer certificate not required
2018.04.30 09:20:51 LOG7[5]: TLS state (accept): before/accept initialization
2018.04.30 09:20:51 LOG7[5]: SNI: no virtual services defined
2018.04.30 09:20:51 LOG7[5]: TLS state (accept): SSLv3 read client hello A
2018.04.30 09:20:51 LOG7[5]: TLS state (accept): SSLv3 write server hello A
2018.04.30 09:20:51 LOG7[5]: TLS state (accept): SSLv3 write certificate A
2018.04.30 09:20:51 LOG7[5]: TLS state (accept): SSLv3 write key exchange A
2018.04.30 09:20:51 LOG7[5]: TLS state (accept): SSLv3 write server done A
2018.04.30 09:20:51 LOG7[5]: TLS state (accept): SSLv3 flush data
2018.04.30 09:20:51 LOG7[5]: TLS state (accept): SSLv3 read client certificate A
2018.04.30 09:20:52 LOG7[5]: TLS state (accept): SSLv3 read client key exchange A
2018.04.30 09:20:52 LOG7[5]: TLS state (accept): SSLv3 read certificate verify A
2018.04.30 09:20:52 LOG7[5]: TLS state (accept): SSLv3 read finished A
2018.04.30 09:20:52 LOG7[5]: TLS state (accept): SSLv3 write change cipher spec A
2018.04.30 09:20:52 LOG7[5]: TLS state (accept): SSLv3 write finished A
2018.04.30 09:20:52 LOG7[5]: TLS state (accept): SSLv3 flush data
2018.04.30 09:20:52 LOG7[5]: New session callback
2018.04.30 09:20:52 LOG7[5]: 2 server accept(s) requested
2018.04.30 09:20:52 LOG7[5]: 2 server accept(s) succeeded
2018.04.30 09:20:52 LOG7[5]: 0 server renegotiation(s) requested
2018.04.30 09:20:52 LOG7[5]: 0 session reuse(s)
2018.04.30 09:20:52 LOG7[5]: 2 internal session cache item(s)
2018.04.30 09:20:52 LOG7[5]: 0 internal session cache fill-up(s)
2018.04.30 09:20:52 LOG7[5]: 0 internal session cache miss(es)
2018.04.30 09:20:52 LOG7[5]: 0 external session cache hit(s)
2018.04.30 09:20:52 LOG7[5]: 0 expired session(s) retrieved
2018.04.30 09:20:52 LOG6[5]: TLS accepted: new session negotiated
2018.04.30 09:20:52 LOG6[5]: No peer certificate received
2018.04.30 09:20:52 LOG6[5]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
2018.04.30 09:20:52 LOG7[5]: Compression: null, expansion: null
2018.04.30 09:20:52 LOG6[5]: Read socket closed (read hangup)
2018.04.30 09:20:52 LOG7[5]: Sending close_notify alert
2018.04.30 09:20:52 LOG7[5]: TLS alert (write): warning: close notify
2018.04.30 09:20:52 LOG6[5]: SSL_shutdown successfully sent close_notify alert
2018.04.30 09:20:52 LOG6[5]: TLS fd: Connection reset by peer (104)
2018.04.30 09:20:52 LOG6[5]: TLS socket closed (SSL_read)
2018.04.30 09:20:52 LOG7[5]: Sent socket write shutdown
2018.04.30 09:20:52 LOG5[5]: Connection closed: 156 byte(s) sent to TLS, 30 byte(s) sent to socket
2018.04.30 09:20:52 LOG7[5]: Remote descriptor (FD=23) closed
2018.04.30 09:20:52 LOG7[5]: Local descriptor (FD=22) closed
2018.04.30 09:20:52 LOG7[5]: Service [mail2-smtps-submission] finished (4 left)
This is the error I get from K9-Mail: [image: K9-Mail error]
The Gmail app just tells me: [image: Gmail error]
Alpine (Linux command-line SMTP client): [image: Alpine client error]
Does any expert have any advice?
Kind regards
Answer 1
From your comments:
The problem is that your mail server is configured with an SSL certificate and therefore only allows SMTP authentication when it detects a secure, encrypted connection.
As far as I can tell, your stunnel server terminates the secure connection established by the client and opens a second, unencrypted plaintext SMTP connection to your mail server.
The mail server then refuses to accept any authentication request from the client, because as far as it can tell the client would otherwise be sending its username and password over an insecure connection.
The problem is that stunnel is designed to convert a plaintext protocol into an SSL-secured one, or vice versa, but what you want to do requires a "man in the middle" setup where you accept an incoming SSL connection and create an outgoing SSL connection, and that takes some trickery.
Answer 2
Thanks to HBruijn for pointing me in the right direction.
I ended up with the following extract from my config:
[mail2-smtp]
protocol = smtp
accept = 25
connect = localhost:26
[mail2-smtps]
accept = 465
connect = localhost:26
[mail2-smtp-submission]
protocol = smtp
accept = 587
connect = localhost:26
[mail2-smtp-ssl-client]
protocol = smtp
accept = 26
client = yes
connect = <mail-fqdn>:587
The key is the last section, which establishes the secure connection to the mail server.
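A way to verify the diagnosis from answer 1 and the fix from answer 2, as an added example that is not code from the ServerFault post or from stunnel: per RFC 3207 a client must issue EHLO again after STARTTLS, and a server that hides AUTH on unencrypted sessions only lists it in that second reply. In the broken chain the second EHLO reached the backend over plaintext, so AUTH never appeared; in the fixed chain the client-mode stunnel on port 26 speaks STARTTLS to the backend, so the backend's TLS-session capability list reaches the client. The script classifies captured EHLO replies offline (the replies below are constructed, modelled on the debug log in the question; `mail.example.invalid` is a placeholder) and can run the same check live against your own submission port.

```python
"""
Diagnostic for the symptom in the question: find out at which point on a
submission path SMTP AUTH is advertised. Added example, not code from the
ServerFault post; host names and EHLO replies below are constructed.
"""
import smtplib
import ssl
from typing import Dict, List

# Outcomes returned by the classifiers below.
AUTH_ONLY_OVER_TLS = "auth-only-over-tls"  # desired: AUTH appears once TLS is up
AUTH_NEVER = "auth-never"                  # the question's symptom: no AUTH even after STARTTLS
AUTH_IN_PLAINTEXT = "auth-in-plaintext"    # AUTH offered before STARTTLS: credentials may leak


def parse_ehlo(reply: str) -> Dict[str, List[str]]:
    """Parse a raw multi-line EHLO reply ("250-KEY params" / "250 KEY") into
    {KEYWORD: [params]}. The first line carries the server name, not a keyword."""
    caps: Dict[str, List[str]] = {}
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError(f"unexpected line in EHLO reply: {line!r}")
        words = line[4:].split()  # drop the "250-" / "250 " prefix
        if words:
            caps[words[0].upper()] = words[1:]
    return caps


def classify(auth_before_tls: bool, auth_after_tls: bool) -> str:
    """Map the two observations (plaintext EHLO, post-STARTTLS EHLO) to an outcome."""
    if auth_before_tls:
        return AUTH_IN_PLAINTEXT
    return AUTH_ONLY_OVER_TLS if auth_after_tls else AUTH_NEVER


def auth_state(ehlo_before_tls: str, ehlo_after_tls: str) -> str:
    """Offline variant: classify two captured EHLO replies (e.g. from stunnel debug = 7 logs)."""
    return classify("AUTH" in parse_ehlo(ehlo_before_tls),
                    "AUTH" in parse_ehlo(ehlo_after_tls))


def probe_submission(host: str, port: int = 587, timeout: float = 10.0) -> str:
    """Live variant: EHLO, STARTTLS, EHLO again against a real submission port.
    Capabilities must be re-read after STARTTLS (RFC 3207); in the question's
    setup that second EHLO reached the backend over plaintext, so the backend
    kept AUTH hidden."""
    ctx = ssl.create_default_context()  # verifies the server certificate and host name
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        before = smtp.has_extn("auth")
        smtp.starttls(context=ctx)
        smtp.ehlo()
        after = smtp.has_extn("auth")
    return classify(before, after)


# Constructed EHLO replies, modelled on the question's debug log.
# Before STARTTLS, stunnel (protocol = smtp, server mode) answers EHLO itself
# and offers only STARTTLS, as the log's "-> 250 STARTTLS" line shows.
STUNNEL_PLAINTEXT_EHLO = "250-mail.example.invalid\r\n250 STARTTLS\r\n"
# Broken chain (question): after TLS the client's EHLO is relayed to the backend
# in plaintext, so the client sees the backend's plaintext capability list, without AUTH.
BACKEND_PLAINTEXT_EHLO = (
    "250-mail.example.invalid\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n"
    "250-STARTTLS\r\n250 8BITMIME\r\n"
)
# Fixed chain (answer 2): the inner client-mode stunnel runs STARTTLS to the
# backend, so the client sees the backend's TLS-session capability list.
BACKEND_TLS_EHLO = (
    "250-mail.example.invalid\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n"
    "250-AUTH PLAIN LOGIN\r\n250 8BITMIME\r\n"
)

if __name__ == "__main__":
    print("broken chain:", auth_state(STUNNEL_PLAINTEXT_EHLO, BACKEND_PLAINTEXT_EHLO))
    print("fixed chain: ", auth_state(STUNNEL_PLAINTEXT_EHLO, BACKEND_TLS_EHLO))
    # Live check against your own front end (placeholder host):
    # print(probe_submission("mail.example.invalid", 587))
```

Run it against the front-end port after deploying the answer 2 config: the expected outcome is `auth-only-over-tls`. `auth-never` reproduces the original symptom (the hop behind the TLS terminator is still plaintext), and `auth-in-plaintext` means the backend advertises AUTH before encryption, which is worth fixing on the mail server itself regardless of stunnel.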