无法通过 SSL SSL_CTX_set_default_verify_paths 将 Postfix 连接到 AWS MySQL RDS

无法通过 SSL SSL_CTX_set_default_verify_paths 将 Postfix 连接到 AWS MySQL RDS

我正在尝试使用带有虚拟域的 Postfix (3.3.0) 设置邮件服务器,针对 Amazon RDS MySQL (8.0.11) 实例进行查询,并在邮件服务器和 RDS 实例之间使用 SSL。

我刚刚开始设置,所以还没有打开任何高级服务;我刚刚启动并运行了 Postfix 和 Dovecot,并尝试通过 telnet 从本地向邮件服务器发送邮件。这失败了(这没关系,这就是测试的目的),但我无法确定失败的原因。特别是,postfix 无法工作,但 postmap 似乎工作正常!

通过 postfix 完成操作后返回的核心错误似乎是“SSL_CTX_set_default_verify_paths”。环顾四周,我只能找到两个真正相关的问题,其中一个问题由配置文件中的简单拼写错误回答;另一个问题似乎与 postfix 对 CA 文件的读取权限有关。我没有(至少没有那个特定的)拼写错误,而且我很确定这不是文件权限问题,但也许我错了。

Postfix 失败的情况如下:

$telnet localhost 25
EHLO <my.working.mailserver>
MAIL FROM: <[email protected]>
RCPT TO: postmaster@localhost

邮件日志的内容如下:

Nov  2 11:09:31 ip-172-31-7-179 postfix/smtpd[11883]: connect from localhost[127.0.0.1]
Nov  2 11:09:45 ip-172-31-7-179 postfix/trivial-rewrite[11879]: warning: connect to mysql server <my.rds.endpoint>:<myport>: SSL connection error: SSL_CTX_set_default_verify_paths failed
Nov  2 11:09:45 ip-172-31-7-179 postfix/trivial-rewrite[11879]: warning: virtual_alias_domains: mysql:/etc/postfix/mysql_alias.cf: table lookup problem
Nov  2 11:09:45 ip-172-31-7-179 postfix/trivial-rewrite[11879]: warning: virtual_alias_domains lookup failure
Nov  2 11:09:58 ip-172-31-7-179 postfix/trivial-rewrite[11879]: warning: virtual_alias_domains: mysql:/etc/postfix/mysql_alias.cf: table lookup problem
Nov  2 11:09:58 ip-172-31-7-179 postfix/trivial-rewrite[11879]: warning: virtual_alias_domains lookup failure
Nov  2 11:09:58 ip-172-31-7-179 postfix/smtpd[11883]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 451 4.3.0 <postmaster@localhost>: Temporary lookup failure; from=<[email protected]> to=<postmaster@localhost> proto=ESMTP helo=<my.working.mailserver>

但是,如果我尝试使用 postmap 查找 postmaster@localhost,它似乎工作正常:

$sudo -upostfix postmap -q postmaster@localhost mysql:/etc/postfix/mysql_alias.cf  
root@localhost

并且有些冗长:

$sudo -upostfix postmap -v -q postmaster@localhost mysql:/etc/postfix/mysql_alias.cf
postmap: name_mask: all
postmap: inet_addr_local: configured 2 IPv4 addresses
postmap: inet_addr_local: configured 2 IPv6 addresses
postmap: cfg_get_str: /etc/postfix/mysql_alias.cf: user = postfix
postmap: cfg_get_str: /etc/postfix/mysql_alias.cf: password = <password>
postmap: cfg_get_str: /etc/postfix/mysql_alias.cf: dbname = <db_name>
postmap: cfg_get_str: /etc/postfix/mysql_alias.cf: result_format = %s
postmap: cfg_get_str: /etc/postfix/mysql_alias.cf: option_file = <NULL>
postmap: cfg_get_str: /etc/postfix/mysql_alias.cf: option_group = client
postmap: cfg_get_str: /etc/postfix/mysql_alias.cf: tls_key_file = <NULL>
postmap: cfg_get_str: /etc/postfix/mysql_alias.cf: tls_cert_file = <NULL>
postmap: cfg_get_str: /etc/postfix/mysql_alias.cf: tls_CAfile = /etc/mysql/ssl/rds-combined-ca-bundle.pem
postmap: cfg_get_str: /etc/postfix/mysql_alias.cf: tls_CApath = <NULL>
postmap: cfg_get_str: /etc/postfix/mysql_alias.cf: tls_ciphers = <NULL>
postmap: cfg_get_bool: /etc/postfix/mysql_alias.cf: tls_verify_cert = on
postmap: cfg_get_bool: /etc/postfix/mysql_alias.cf: require_result_set = on
postmap: cfg_get_int: /etc/postfix/mysql_alias.cf: expansion_limit = 0
postmap: cfg_get_str: /etc/postfix/mysql_alias.cf: query = SELECT destination FROM aliases WHERE mail = '%s' AND enabled=1
postmap: cfg_get_str: /etc/postfix/mysql_alias.cf: domain = 
postmap: cfg_get_str: /etc/postfix/mysql_alias.cf: hosts = <my.rds.endpoint>:<myport>
postmap: dict_open: mysql:/etc/postfix/mysql_alias.cf
postmap: dict_mysql_get_active: attempting to connect to host <my.rds.endpoint>:<myport>
postmap: dict_mysql: successful connection to host <my.rds.endpoint>:<myport>
postmap: mysql:/etc/postfix/mysql_alias.cf: successful query result from host <my.rds.endpoint>:<myport>
postmap: dict_mysql_lookup: retrieved 1 rows
root@localhost

正如我所说,我不认为这是一个文件权限问题,因为我以 postfix 身份使用 sudo,并且除 master 之外的所有 postfix 服务都以该用户身份运行

$ps -auxw | grep postfix
root     11864  0.0  0.4  67376  4100 ?        Ss   11:09   0:00 /usr/lib/postfix/sbin/master -w
postfix  11874  0.0  0.5  73808  5172 ?        S    11:09   0:00 pickup -l -t unix -u -c
postfix  11875  0.0  0.5  73856  5428 ?        S    11:09   0:00 qmgr -l -t unix -u
postfix  11877  0.0  0.6  88668  6608 ?        S    11:09   0:00 cleanup -z -t unix -u -c
postfix  11879  0.0  0.6  88500  6288 ?        S    11:09   0:00 trivial-rewrite -n rewrite -t unix -u -c
postfix  11884  0.0  0.7  87248  7988 ?        S    11:09   0:00 tlsmgr -l -t unix -u -c
postfix  11972  0.0  0.6  88668  6496 ?        S    11:51   0:00 cleanup -z -t unix -u -c
cwr      11974  0.0  0.1  14856  1080 pts/1    S+   11:53   0:00 grep postfix

我是不是忽略了一些简单的东西?为什么以 postfix 用户身份运行的 postmap 在读取与 postfix 本身相同的配置时可以正常工作,而 postfix 却无法工作?

为了完整起见,请注意 postmap 命令正在读取mysql:/etc/postfix/mysql_alias.cf。以下是 main.cf 的关键部分:

alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
# this specifies where the virtual mailbox folders will be located
virtual_mailbox_base = /var/spool/mail/virtual
# this is for the mailbox location for each user
virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
# and this is for aliases
virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
# and this is for domain lookups
virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf

我认为这三个文件都相当简单:

$sudo cat /etc/postfix/mysql_alias.cf 
hosts = <my.rds.endpoint>:<myport>
user = <postfix_db_user>
password = <postfix_db_user_pass>
dbname = <db_name>
query = SELECT destination FROM aliases WHERE mail = '%s' AND enabled=1
tls_CAfile = /etc/mysql/ssl/rds-combined-ca-bundle.pem
tls_verify_cert = yes

如果您能提供任何关于如何修复或进一步调试此问题的想法,我们将不胜感激。

答案1

我遇到了类似的问题,但我发现,如果我使用 RDS 的本地 IPv4,一切都会按预期运行。我想知道您是否成功解决了这个问题?

对于我的具体问题,我不会讲太多细节,但只介绍一下背景:auth 从 dovecot 的角度来说有效,但是当我尝试发送电子邮件时,收到以下错误:

451 4.3.0 <[email protected]>: Temporary lookup failure

我得到/var/log/maillog

Jan 22 13:15:27 ip-1-1-1-1 postfix/submission/smtpd[4726]: dict_mysql_get_active: attempting to connect to host rds-test.us-east-1.rds.amazonaws.com
Jan 22 13:15:27 ip-10-1-1-1 postfix/submission/smtpd[4726]: warning: connect to mysql server rds-test.us-east-1.rds.amazonaws.com: Unknown MySQL server host 'rds-test.us-east-1.rds.amazonaws.com' (16)
Jan 22 13:15:27 ip-10-1-1-1 postfix/submission/smtpd[4726]: warning: mysql:/etc/postfix/mysql-email2email.cf lookup error for "[email protected]"

哦,我忘了说了,当我从 Postfix 机器本身连接而不是从某个远程机器连接时,使用$ openssl s_client -connect 127.0.0.1:25 -starttls smtpRDS 就不再Unknown MySQL能够发送电子邮件了。

相关内容