I am trying to configure postfix to encrypt outgoing mail using different keys for multiple IPs.
Main configuration, postconf -n:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
anvil_rate_time_unit = 86400s
anvil_status_update_time = 120s
append_dot_mydomain = no
biff = no
compatibility_level = 2
inet_interfaces = all
inet_protocols = ipv4
mailbox_size_limit = 0
milter_default_action = accept
milter_protocol = 6
mydestination = $myhostname, domain.com, localhost.localdomain, localhost.localdomain, localhost
myhostname = domain.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
non_smtpd_milters = inet:localhost:8891
readme_directory = no
recipient_delimiter = +
relayhost =
sender_dependent_default_transport_maps = hash:/etc/postfix/sender_transport
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_event_limit_exceptions = $mynetworks
smtpd_client_message_rate_limit = 200
smtpd_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject
smtpd_milters = inet:localhost:8891
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
tls_high_cipherlist = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
master.cf:
smtp inet n - y - - smtpd
#smtp inet n - y - 1 postscreen
#smtpd pass - - y - - smtpd
#dnsblog unix - - y - 0 dnsblog
#tlsproxy unix - - y - 0 tlsproxy
#submission inet n - y - - smtpd
127.0.0.1:submission inet n - y - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_tls_cert_file=/srv/letsencrypt/ssl/domain.com/domain.com_chained.crt
  -o smtpd_tls_key_file=/srv/letsencrypt/ssl/domain.com/domain.com.key
# domain2.com
111.1.1.222:submission inet n - y - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_tls_key_file=/srv/letsencrypt/ssl/domain2.com/domain2.com.key
  -o smtpd_tls_cert_file=/srv/letsencrypt/ssl/domain2.com/domain2.com_chained.crt
Mail log:
Oct 28 11:43:05 zipserver postfix/postfix-script[2239]: starting the Postfix mail system
Oct 28 11:43:05 zipserver postfix/master[2241]: daemon started -- version 3.3.0, configuration /etc/postfix
Oct 28 11:43:32 zipserver postfix/pickup[2242]: 0BFA8104115B: uid=1000 from=<[email protected]>
Oct 28 11:43:32 zipserver postfix/cleanup[2248]: 0BFA8104115B: message-id=<[email protected]>
Oct 28 11:43:32 zipserver postfix/qmgr[2243]: 0BFA8104115B: from=<[email protected]>, size=407, nrcpt=1 (queue active)
Oct 28 11:43:32 zipserver postfix/smtp[2250]: 0BFA8104115B: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[64.233.167.27]:25, delay=0.46, delays=0.13/0.01/0.05/0.27, dsn=2.0.0, status=sent (250 2.0.0 OK 1603881812 s81si4271295wmf.188 - gsmtp)
Oct 28 11:43:32 zipserver postfix/qmgr[2243]: 0BFA8104115B: removed
Version:
postconf -d | grep mail_version
mail_version = 3.3.0
But the email arrives at Gmail with a red crossed-out padlock, and Gmail says it was not encrypted. What am I missing?
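Answer 1
Start by setting smtp_tls_security_level=may or higher.
You have not set any option that allows postfix to deviate from its default (sending mail without TLS). There are other, more fine-grained ways to control this behaviour, but this is the most basic setting that allows use of the settings offered. Use man 5 postconf to learn what the other possible options mean exactly.
To help with further investigation, I suggest also setting smtp_tls_log_level=1 (to include this information in your system log) and smtpd_tls_received_header=yes (to publish information about your mail submission inside the mail headers).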
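The gap described in this answer, as an added example that is not part of the original post: a Python check over `postconf -n` output that looks only at the client-side `smtp_*` TLS parameters and ignores the server-side `smtpd_*` ones. The function names are hypothetical, and the sample is an excerpt of the TLS-related lines from the question's output.

```python
import re

MANDATORY = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}

def parse_postconf(text):
    """Parse `postconf -n` output ("name = value" per line) into a dict."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"([A-Za-z0-9_]+)\s*=\s*(.*)$", line.strip())
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params

def outbound_tls_mode(params):
    """Classify TLS use by the smtp(8) client (outbound), ignoring smtpd_* keys."""
    level = params.get("smtp_tls_security_level", "")
    if level in MANDATORY:
        return "mandatory"
    if level in ("may", "dane"):
        return level
    if level == "":
        # An empty level defers to the obsolete smtp_enforce_tls / smtp_use_tls.
        if params.get("smtp_enforce_tls") == "yes":
            return "mandatory"
        if params.get("smtp_use_tls") == "yes":
            return "may"
    return "off"

def audit(text):
    """Return (mode, findings) for the outbound side of a postconf -n dump."""
    params = parse_postconf(text)
    mode = outbound_tls_mode(params)
    findings = []
    if mode == "off":
        findings.append("smtp_tls_security_level is not set: outbound mail goes out without TLS")
    if mode in ("off", "may"):
        for name in sorted(params):
            if name.startswith("smtp_tls_mandatory_"):
                findings.append(name + " only applies when TLS is mandatory")
    return mode, findings

# Excerpt of the question's postconf -n output (TLS-related lines only).
SAMPLE = """\
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_security_level = may
smtpd_use_tls = yes
"""

if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE), ("with fix", SAMPLE + "smtp_tls_security_level = may\n")):
        print(label, audit(text))
```

At level `may` the client uses `smtp_tls_ciphers` and `smtp_tls_protocols` rather than the `smtp_tls_mandatory_*` pair, which is why those two findings remain after the fix.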