我目前正在使用 OpenSMTPd 设置一个有点独特的个人电子邮件服务器。我有一个本地服务器(Raspberry Pi)和一个远程服务器(VPS)。发送给我的电子邮件被发送到远程服务器,然后被转发到我的本地服务器。当我发送电子邮件时,它会从我的本地服务器发送到远程服务器,然后转发给收件人。目前我只测试入站邮件,它基本上可以正常工作,只有一个问题,即 tls。
如果我在本地服务器上设置了“tls-require”,我的远程服务器似乎能够连接,但随后会断开连接,并尝试降级为普通 (smtp+notls),这当然会失败。如果我只使用“tls”而不是“tls-require”,也会发生同样的事情,但 smtp+notls 尝试会成功。
错误消息似乎没什么帮助。在远程服务器上,我只收到“机会性 TLS 失败,降级为普通”。正如我之前所说,在本地服务器上,连接似乎成功了(至少我认为如此),但随后断开了连接:
smtp connected address=redacted.remote.ip.address host=mx1.mydomain.tld
smtp tls ciphers=TLSv1.3:TLS_AES_256_GCM_SHA384:256
smtp disconnected reason=disconnect
如果我尝试使用 openssl(从远程服务器)发送电子邮件,我会收到更具信息性的错误消息。
openssl s_client -debug -starttls smtp -crlf -connect redacted.local.ip.address:25
在远程服务器上一切正常,直到我输入收件人,此时我收到 SSL 错误:
RCPT TO:<[email protected]>
RENEGOTIATING
17412933263728:error:1404C042:SSL routines:ST_OK:called a function you should not call:/usr/src/lib/libssl/ssl_lib.c:2529:
该错误似乎告诉了我更多信息,但我找不到任何相关信息。本地服务器显示的错误与之前完全相同。
我知道很多人不会在电子邮件中使用强制 TLS,但对于这种用例,我真的很想让它发挥作用。
我的本地服务器正在运行“Raspberry Pi OS 11 bullseye 64 位”和 OpenSMTPD 6.8.0p2(apt 上的最新版本)。
我的远程服务器正在运行“OpenBSD 7.0 GENERIC#224 amd64”和 OpenSMTPD 7.0.0。
任何建议都将不胜感激。如果您需要更多信息,请告诉我。
这是我的配置:
本地服务器 smtpd.conf:
table aliases "/etc/smtpd/aliases"
table domains "/etc/smtpd/domains"
table passwds "/etc/smtpd/passwds"
table remote-servers "/etc/smtpd/remote-servers"
pki "mydomain.tld" cert "/etc/letsencrypt/live/mydomain.tld/fullchain.pem"
pki "mydomain.tld" key "/etc/letsencrypt/live/mydomain.tld/privkey.pem"
# Do I want srs here, on the remote, or both?
srs key "redacted key"
filter "rdns" phase connect match !rdns disconnect "550 DNS error"
filter "fcrdns" phase connect match !fcrdns disconnect "550 DNS error"
filter "rspamd" proc-exec "/etc/smtpd/filter-rspamd"
# Inbound
listen on eth0 port 25 tls-require pki "mydomain.tld" filter { "rdns", "fcrdns" "rspamd" }
#listen on eth0 port 25 tls pki "mydomain.tld" filter { "rdns", "fcrdns" "rspamd" }
action "RECV" lmtp "/var/run/dovecot/lmtp" rcpt-to virtual <aliases>
match from src <remote-servers> for domain <domains> action "RECV"
match !from src <remote-servers> for domain <domains> reject
# Outbound
listen on eth0 port 465 smtps pki "mydomain.tld" auth <passwds> filter "rspamd" mask-src
listen on eth0 port 587 tls-require pki "mydomain.tld" auth <passwds> filter "rspamd" mask-src
action "SEND" relay host mx1.mydomain.tld:465
match from any auth for any action "SEND"
远程服务器 smtpd.conf:
table aliases "/etc/smtpd/aliases"
table domains "/etc/smtpd/domains"
pki "mydomain.tld" cert "/etc/letsencrypt/live/mydomain.tld/fullchain.pem"
pki "mydomain.tld" key "/etc/letsencrypt/live/mydomain.tld/privkey.pem"
# Do I want srs here, on the remote, or both?
srs key "same redacted key"
filter "rdns" phase connect match !rdns disconnect "550 DNS error"
filter "fcrdns" phase connect match !fcrdns disconnect "550 DNS error"
# Inbound
listen on eth0 port 25 tls pki "mydomain.tld" filter { "rdns", "fcrdns" }
action "RECV" relay host redacted.local.ip.address:25
match from any for domain <domains> action "RECV"
# Outbound
listen on eth0 port 465 smtps pki "mydomain.tld" mask-src
action "SEND" relay srs
match from src redacted.local.ip.address for any action "SEND"
match !from src redacted.local.ip.address for any reject
如果有的话,以下是邮件日志“tls-需要”放:
本地服务器邮件日志:
Apr 3 11:57:26 LocalHostname smtpd[3614276]: 3c3d3943d2bc7134 smtp connected address=redacted.remote.ip.address host=mx1.mydomain.tld
Apr 3 11:57:26 LocalHostname smtpd[3614276]: 3c3d3943d2bc7134 smtp tls ciphers=TLSv1.3:TLS_AES_256_GCM_SHA384:256
Apr 3 11:57:26 LocalHostname smtpd[3614276]: 3c3d3943d2bc7134 smtp disconnected reason=disconnect
Apr 3 11:57:26 LocalHostname smtpd[3614276]: 3c3d39441db05cc1 smtp connected address=redacted.remote.ip.address host=mx1.mydomain.tld
Apr 3 11:57:26 LocalHostname smtpd[3614276]: 3c3d39441db05cc1 smtp failed-command command="MAIL FROM:<[email protected]>" result="530 5.5.1 Invalid command: Must issue a STARTTLS command first"
Apr 3 11:57:43 LocalHostname smtpd[3614276]: 3c3d39441db05cc1 smtp disconnected reason=quit
远程服务器邮件日志:
Apr 3 11:57:19 RemoteHostname smtpd[94758]: 7349563019b45aeb smtp connected address=209.85.128.178 host=mail-yw1-f178.google.com
Apr 3 11:57:19 RemoteHostname smtpd[94758]: 7349563019b45aeb smtp tls ciphers=TLSv1.3:AEAD-AES256-GCM-SHA384:256
Apr 3 11:57:20 RemoteHostname smtpd[94758]: 7349563019b45aeb smtp message msgid=f8226363 size=2682 nrcpt=1 proto=ESMTP
Apr 3 11:57:20 RemoteHostname smtpd[94758]: 7349563019b45aeb smtp envelope evpid=f822636342a8821f from=<[email protected]> to=<[email protected]>
Apr 3 11:57:20 RemoteHostname smtpd[94758]: 734956336de69e03 mta connecting address=smtp://redacted.local.ip.address:25 host=redacted-local-ip-address.isp.tld
Apr 3 11:57:20 RemoteHostname smtpd[94758]: 734956336de69e03 mta connected
Apr 3 11:57:20 RemoteHostname smtpd[94758]: 7349563019b45aeb smtp disconnected reason=quit
Apr 3 11:57:20 RemoteHostname smtpd[94758]: smtp-out: Error on session 734956336de69e03: opportunistic TLS failed, downgrading to plain
Apr 3 11:57:20 RemoteHostname smtpd[94758]: 734956336de69e03 mta connecting address=smtp+notls://redacted.local.ip.address:25 host=redacted-local-ip-address.isp.tld
Apr 3 11:57:20 RemoteHostname smtpd[94758]: 734956336de69e03 mta connected
Apr 3 11:57:20 RemoteHostname smtpd[94758]: 734956336de69e03 mta delivery evpid=f822636342a8821f from=<[email protected]> to=<[email protected]> rcpt=<-> source="redacted.remote.ip.address" relay="redacted.local.ip.address (redacted-local-ip-address.isp.tld)" delay=1s result="PermFail" stat="530 5.5.1 Invalid command: Must issue a STARTTLS command first"
Apr 3 11:57:22 RemoteHostname smtpd[94758]: 73495634e55adfe9 smtp connected address=local host=mx1.mydomain.tld
Apr 3 11:57:22 RemoteHostname smtpd[94758]: 73495634e55adfe9 smtp failed-command command="RCPT TO: <[email protected]>" result="550 Invalid recipient: <[email protected]>"
Apr 3 11:57:22 RemoteHostname smtpd[11238]: warn: PermFail injecting failure report on message f8226363 to <[email protected]> for 1 envelope: 550 Invalid recipient: <[email protected]>
Apr 3 11:57:22 RemoteHostname smtpd[94758]: 73495634e55adfe9 smtp disconnected reason=quit
Apr 3 11:57:37 RemoteHostname smtpd[94758]: 734956336de69e03 mta disconnected reason=quit messages=0
这些是邮件日志,如果我有“tls”放:
本地服务器邮件日志:
Apr 3 12:07:09 LocalHostname smtpd[3849290]: b981307e92d2eeac smtp connected address=redacted.remote.ip.address host=mx1.mydomain.tld
Apr 3 12:07:09 LocalHostname smtpd[3849290]: b981307e92d2eeac smtp tls ciphers=TLSv1.3:TLS_AES_256_GCM_SHA384:256
Apr 3 12:07:09 LocalHostname smtpd[3849290]: b981307e92d2eeac smtp disconnected reason=disconnect
Apr 3 12:07:09 LocalHostname smtpd[3849290]: b981307ff6e18ae3 smtp connected address=redacted.remote.ip.address host=mx1.mydomain.tld
Apr 3 12:07:10 LocalHostname smtpd[3849290]: b981307ff6e18ae3 smtp message msgid=082c7a5e size=2850 nrcpt=1 proto=ESMTP
Apr 3 12:07:10 LocalHostname smtpd[3849290]: b981307ff6e18ae3 smtp envelope evpid=082c7a5e9dec905f from=<[email protected]> to=<[email protected]>
Apr 3 12:07:11 LocalHostname dovecot: lmtp(3967460): Connect from local
Apr 3 12:07:11 LocalHostname dovecot: lmtp([email protected])<3967460><hmVpIN9/SWLkiTwAmV7YnQ>: msgid=<CACebY1Hm4jdhjFKoZ2374zbEq1MZV-yTxsUauV4gzxXqNBVeaQ@mail.gmail.com>: saved mail to INBOX
Apr 3 12:07:11 LocalHostname dovecot: lmtp(3967460): Disconnect from local: Client has quit the connection (state=READY)
Apr 3 12:07:11 LocalHostname smtpd[3849290]: b981308066da2115 mda delivery evpid=082c7a5e9dec905f from=<[email protected]> to=<[email protected]> rcpt=<[email protected]> user=vmail delay=2s result=Ok stat=Delivered
Apr 3 12:07:27 LocalHostname smtpd[3849290]: b981307ff6e18ae3 smtp disconnected reason=quit
远程服务器邮件日志:
Apr 3 12:06:59 RemoteHostname smtpd[94758]: 73495635c8c7456b smtp connected address=209.85.219.174 host=mail-yb1-f174.google.com
Apr 3 12:06:59 RemoteHostname smtpd[94758]: 73495635c8c7456b smtp tls ciphers=TLSv1.3:AEAD-AES256-GCM-SHA384:256
Apr 3 12:07:00 RemoteHostname smtpd[94758]: 73495635c8c7456b smtp message msgid=b912e335 size=2670 nrcpt=1 proto=ESMTP
Apr 3 12:07:00 RemoteHostname smtpd[94758]: 73495635c8c7456b smtp envelope evpid=b912e33501250790 from=<[email protected]> to=<[email protected]>
Apr 3 12:07:00 RemoteHostname smtpd[94758]: 7349563834c66e1a mta connecting address=smtp://redacted.local.ip.address:25 host=redacted-local-ip-address.isp.tld
Apr 3 12:07:00 RemoteHostname smtpd[94758]: 7349563834c66e1a mta connected
Apr 3 12:07:00 RemoteHostname smtpd[94758]: 73495635c8c7456b smtp disconnected reason=quit
Apr 3 12:07:00 RemoteHostname smtpd[94758]: smtp-out: Error on session 7349563834c66e1a: opportunistic TLS failed, downgrading to plain
Apr 3 12:07:00 RemoteHostname smtpd[94758]: 7349563834c66e1a mta connecting address=smtp+notls://redacted.local.ip.address:25 host=redacted-local-ip-address.isp.tld
Apr 3 12:07:00 RemoteHostname smtpd[94758]: 7349563834c66e1a mta connected
Apr 3 12:07:02 RemoteHostname smtpd[94758]: 7349563834c66e1a mta delivery evpid=b912e33501250790 from=<[email protected]> to=<[email protected]> rcpt=<-> source="redacted.remote.ip.address" relay="redacted.local.ip.address (redacted-local-ip-address.isp.tld)" delay=2s result="Ok" stat="250 2.0.0 082c7a5e Message accepted for delivery"
Apr 3 12:07:19 RemoteHostname smtpd[94758]: 7349563834c66e1a mta disconnected reason=quit messages=1
远程服务器 pf.conf:
# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf
set skip on lo
block return # block stateless traffic
pass # establish keep-state
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010
# Port build user does not need network
block return out log proto {tcp udp} user _pbuild