I use Exim4 on a Debian server.
Debian:
Distributor ID: Debian
Description: Debian GNU/Linux 11 (bullseye)
Release: 11
Codename: bullseye
Debian kernel:
uname -a
Linux mail.index3.ru 5.10.0-9-amd64 #1 SMP Debian 5.10.70-1 (2021-09-30) x86_64 GNU/Linux
Exim:
Exim version 4.94.2 #2 built 13-Jul-2021 16:04:57
Copyright (c) University of Cambridge, 1995 - 2018
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2018
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS move_frozen_messages Content_Scanning DANE DKIM DNSSEC Event I18N OCSP PIPE_CONNECT PRDR PROXY SOCKS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa tls
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Malware: f-protd f-prot6d drweb fsecure sophie clamd avast sock cmdline
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Compiler: GCC [10.2.1 20210110]
Library version: Glibc: Compile: 2.31
Runtime: 2.31
Library version: BDB: Compile: Berkeley DB 5.3.28: (September 9, 2013)
Runtime: Berkeley DB 5.3.28: (September 9, 2013)
Library version: GnuTLS: Compile: 3.7.1
Runtime: 3.7.1
Library version: IDN2: Compile: 2.3.0
Runtime: 2.3.0
Library version: Stringprep: Compile: 1.33
Runtime: 1.33
Library version: Cyrus SASL: Compile: 2.1.27
Runtime: 2.1.27 [Cyrus SASL]
Library version: PCRE: Compile: 8.39
Runtime: 8.39 2016-06-14
Library version: MySQL: Compile: 100510 10.5.10 [mariadb-10.5]
Runtime: 100519 10.5.19
Library version: SQLite: Compile: 3.34.1
Runtime: 3.34.1
WHITELIST_D_MACROS: "OUTGOING"
TRUSTED_CONFIG_LIST: "/etc/exim4/trusted_configs"
Exim version 4.94.2 uid=0 gid=0 pid=2026121 D=10000000
configuration file is /etc/exim4/exim4.conf
log selectors = 0000cefe 39c05222 00000027
cwd=/var/log/exim4 3 args: exim -d-all+tls -bV
trusted user
admin user
Configuration file search path is /etc/exim4/exim4.conf:/var/lib/exim4/config.autogenerated
Configuration file is /etc/exim4/exim4.conf
The Exim configuration was migrated from a rather old FreeBSD system. After the migration I noticed that I cannot receive some e-mails, for example e-mails from PayPal. In the log:
mainlog.1:2023-07-25 11:14:57 TLS error on connection from mx2.slc.paypal.com [173.0.84.227] I=[95.216.245.186]:25 (gnutls_handshake): timed out
mainlog.1:2023-07-25 11:26:29 TLS error on connection from mx0.slc.paypal.com [173.0.84.225] I=[95.216.245.186]:25 (gnutls_handshake): timed out
mainlog.1:2023-07-25 23:19:58 TLS error on connection from mx2.slc.paypal.com [173.0.84.227] I=[95.216.245.186]:25 (gnutls_handshake): timed out
mainlog.1:2023-07-25 23:32:09 TLS error on connection from mx0.slc.paypal.com [173.0.84.225] I=[95.216.245.186]:25 (gnutls_handshake): timed out
Certificate verification when connecting with the GnuTLS CLI looks fine:
*** Starting TLS handshake
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
- subject `CN=*.16v.ru', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x0355b4c47d4aeae9f72ec986fa473c62d8e7, RSA key 2048 bits, signed using RSA-SHA256, activated `2023-06-30 14:28:17 UTC', expires `2023-09-28 14:28:16 UTC', pin-sha256="lqZK5ULqmc7s6nOSMZAla/dLmvXa60THLdjSj9cjtKI="
Public Key ID:
sha1:40c67fa2db46d55c5b1518327068307db2417434
sha256:96a64ae542ea99ceecea73923190256bf74b9af5daeb44c72dd8d28fd723b4a2
Public Key PIN:
pin-sha256:lqZK5ULqmc7s6nOSMZAla/dLmvXa60THLdjSj9cjtKI=
- Certificate[1] info:
- subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US', serial 0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
- Certificate[2] info:
- subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x4001772137d4e942b8ee76aa3c640ab7, RSA key 4096 bits, signed using RSA-SHA256, activated `2021-01-20 19:14:03 UTC', expires `2024-09-30 18:14:03 UTC', pin-sha256="C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="
- Status: The certificate is trusted.
- Description: (TLS1.3-X.509)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
- Session ID: 12:33:A2:92:0E:48:E7:56:A0:20:BA:08:2A:F1:1A:D3:E3:86:F6:68:1E:51:7C:49:5E:85:70:C9:41:0F:24:E2
- Options:
Exim configuration:
.ifndef SYSTEM_ALIASES_PIPE_TRANSPORT
SYSTEM_ALIASES_PIPE_TRANSPORT = address_pipe
.endif
CONFIG_PREFIX=/etc/exim4
hide pgsql_servers = redacted
domainlist local_domains =${lookup pgsql{SELECT array_to_string(array(SELECT domain FROM local_domain), ':')}}
hostlist host_reject = ${lookup pgsql{SELECT array_to_string(array(SELECT domain FROM hostreject), ':')}}
domainlist relay_to_domains = ${lookup pgsql{SELECT array_to_string(array(SELECT hosts FROM relaytohosts), ':')}}
hostlist relay_from_hosts =${lookup pgsql{SELECT array_to_string(array(SELECT hosts FROM relayfromhosts), ':')}}
helo_try_verify_hosts = *
acl_smtp_connect = acl_check_connect
acl_smtp_helo = acl_check_helo
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_mime = acl_check_mime
acl_smtp_data = acl_check_data
av_scanner = clamd:/var/run/clamav/clamd.ctl
spamd_address = 127.0.0.1 783
exim_user = Debian-exim
exim_group = Debian-exim
never_users = root
spool_directory = /var/spool/exim4
split_spool_directory
host_lookup = *
rfc1413_query_timeout = 0s
primary_hostname = mail.index3.ru
smtp_banner = "$smtp_active_hostname $primary_hostname, ESMTP EXIM $version_number"
smtp_accept_max = 100
smtp_accept_max_per_connection = 30
smtp_connect_backlog = 100
smtp_accept_max_per_host = 100
smtp_accept_queue = 200
smtp_accept_queue_per_connection = 100
recipients_max = 16
recipients_max_reject = true
remote_max_parallel = 10
message_size_limit = 20M
return_size_limit = 70k
accept_8bitmime = true
smtp_enforce_sync = true
ignore_bounce_errors_after = 1h
timeout_frozen_after = 3d
freeze_tell = redacted
trusted_users = www-data
keep_environment =
disable_ipv6 = true
DKIM_DOMAIN = ${lc:${domain:$h_from:}}
DKIM_FILE = /etc/exim4/dkim/${lc:${domain:$h_from:}}.key
DKIM_PRIVATE_KEY = ${lookup {DKIM_SELECTOR.DKIM_DOMAIN.key} dsearch,ret=full {/etc/exim4/dkim}}
DKIM_CANON = simple
log_selector = \
  +all_parents \
  +connection_reject \
  +incoming_interface \
  +lost_incoming_connection \
  +received_sender \
  +received_recipients \
  +smtp_confirmation \
  +smtp_syntax_error \
  +smtp_protocol_error \
  +smtp_mailauth \
  +tls_sni \
  -queue_run
syslog_timestamp = no
allow_mx_to_ip
tls_advertise_hosts = *
tls_privatekey = /etc/letsencrypt/live/16v.ru-0001/privkey.pem
tls_certificate = /etc/letsencrypt/live/16v.ru-0001/fullchain.pem
tls_require_ciphers = ${if =={$received_port}{25}\
  {NORMAL:%COMPAT}\
  {SECURE128}}
tls_on_connect_ports = 465
daemon_smtp_ports = 25 : 465 : 587
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
begin acl

acl_check_connect:
  .include /etc/exim4/acl_connect.conf

acl_check_helo:
  accept hosts = : +relay_from_hosts
  .include /etc/exim4/acl_check_helo.conf
  accept

acl_check_data:
  accept
    authenticated = *
  .include /etc/exim4/acl_check_data.conf
  accept

acl_check_rcpt:
  accept
    hosts = :
  accept
    authenticated = *
  .include /etc/exim4/acl_check_rcpt.conf
  accept

acl_check_mime:
  warn decode = default
  deny
    message = Dont send binaries. Send sources instead.
    condition = ${if eq\
      {$mime_content_type}\
      {application/x-msdos-program}\
      {yes}{no}}
  deny
    message = Attachment has unsupported file format. Try text or PDF instead.
    condition = ${if match\
      {$mime_filename}\
      {\N.+\.(bat|btm|cmd|com|cpl|dat|dll|exe|jar|lnk|msi|pif|prf|reg|scr|vb|vbs|wav)$\N}\
      {yes}{no}}
  deny message = Sorry, noone speaks chinese here
    condition = ${if eq{$mime_charset}{gb2312}{1}{0}}
  accept

begin routers

system_aliases:
  driver = redirect
  allow_fail
  allow_defer
  data = ${lookup pgsql{select alias from aliases where mail ='$local_part@$domain'}{$value}fail}
  user = dovecot
  group = dovecot
  file_transport = address_file
  pipe_transport = address_pipe

dnslookup:
  driver = dnslookup
  domains = !+local_domains
  transport = remote_smtp
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  no_more

local_delivery_spam_router:
  driver = accept
  domains = +local_domains
  condition = ${if match{$h_X-Spam-Status:}{Yes}}
  transport = local_delivery_spam_transport
  no_more

localuser:
  driver = accept
  condition = ${lookup pgsql {select uid from accounts where login = '$local_part@$domain'}{yes}{no}}
  #transport = local_delivery
  transport = dovecot_delivery
  cannot_route_message = "Unknown user"

begin transports

local_delivery_spam_transport:
  driver = appendfile
  check_string = ""
  directory = ${lookup pgsql{select maildir||'/.Spam' from accounts where login = '$local_part@$domain'}{$value}fail}
  create_directory
  directory_mode = 0770
  maildir_format
  delivery_date_add
  envelope_to_add
  return_path_add
  group = dovecot
  user = dovecot
  mode = 0660
  no_mode_fail_narrower
  quota = ${lookup pgsql{select mailquota from accounts where login = '$local_part@$domain'}{$value}fail}M
  quota_warn_message = "\
    To: $local_part@$domain\n\
    From: [email protected]\n\
    Subject: Ваш почтовый ящик почти заполнен\n\
    Это автоматическое сообщение почтового сервера.\n\
    Ваш почтовый ящик заполнен на 75%. После заполнения почтового ящика\n\
    новая почта не будет приходить.\n"
  quota_warn_threshold = 75%
remote_smtp:
  driver = smtp
  dkim_domain = DKIM_DOMAIN
  dkim_selector = dkim
  dkim_private_key = DKIM_PRIVATE_KEY
  interface = 95.216.245.186

local_delivery:
  driver = appendfile
  directory = ${lookup pgsql{select maildir from accounts where login = '$local_part@$domain'}{$value}fail}
  create_directory
  directory_mode = 0770
  maildir_format
  delivery_date_add
  envelope_to_add
  return_path_add
  group = dovecot
  user = dovecot
  mode = 0660
  no_mode_fail_narrower
  quota = ${lookup pgsql{select mailquota from accounts where login = '$local_part@$domain'}{$value}fail}M
  quota_warn_message = "\
    To: $local_part@$domain\n\
    From: [email protected]\n\
    Subject: Ваш почтовый ящик почти заполнен\n\
    Это автоматическое сообщение почтового сервера.\n\
    Ваш почтовый ящик заполнен на 75%. После заполнения почтового ящика\n\
    новая почта не будет приходить.\n"
  quota_warn_threshold = 75%
dovecot_delivery:
  driver = pipe
  command = /usr/lib/dovecot/dovecot-lda -f $sender_address -d '$local_part@$domain'
  message_prefix =
  message_suffix =
  temp_errors = 64 : 69 : 70 : 71 : 72 : 73 : 74 : 75 : 78
  log_output
  #driver = lmtp
  #socket = /var/run/dovecot/lmtp
  #batch_max = 200
  rcpt_include_affixes
  delivery_date_add
  envelope_to_add
  return_path_add
  group = dovecot
  user = dovecot

address_pipe:
  driver = pipe
  return_output

address_file:
  driver = appendfile
  delivery_date_add
  envelope_to_add
  return_path_add

address_reply:
  driver = autoreply

begin retry

*   *   F,2h,15m; G,16h,1h,1.5; F,4d,6h

begin rewrite

begin authenticators

auth_plain:
  driver = plaintext
  public_name = PLAIN
  server_condition = ${lookup pgsql {SELECT login FROM accounts WHERE login='${quote_pgsql:$2}' AND password='${quote_pgsql:$3}'}{yes}{no}}
  server_prompts = Username:: : Password::
  server_set_id = $2

auth_login:
  driver = plaintext
  public_name = LOGIN
  server_condition = ${lookup pgsql {SELECT login FROM accounts WHERE login='${quote_pgsql:$2}' AND password='${quote_pgsql:$3}'}{yes}{no}}
  server_prompts = Username:: : Password::
  server_set_id = $2

auth_cram_md5:
  driver = cram_md5
  public_name = CRAM-MD5
  # the client-supplied user name must be quoted before it is interpolated into SQL,
  # as the PLAIN and LOGIN authenticators above already do with quote_pgsql
  server_secret = ${lookup pgsql {select password from accounts where login='${quote_pgsql:$1}'}{$value}fail}
  server_set_id = $1
Do you know what PayPal doesn't like about this setup?
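The mainlog lines quoted in the question can be triaged to see whether the handshake timeouts are confined to particular senders and always fail the same way. This is an added example (Python), not code from the question; the regex follows the log format shown above, and the two non-PayPal lines in SAMPLE_LOG are constructed.

```python
import re
from collections import Counter, defaultdict

# Matches Exim mainlog "TLS error on connection from ..." lines, with or without the
# "mainlog.1:" prefix that grep prepends when it searches several log files.
TLS_ERR = re.compile(
    r"^(?:[^\s:]+:)?(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) TLS error on connection from "
    r"(?P<host>\S+) \[(?P<ip>[^\]]+)\] I=\[(?P<iface>[^\]]+)\]:(?P<port>\d+) "
    r"\((?P<phase>\w+)\): (?P<reason>.*)$"
)

# Sample input: the four lines from the question plus two constructed lines
# (one unrelated log entry, one TLS failure from a different sender).
SAMPLE_LOG = """\
mainlog.1:2023-07-25 11:14:57 TLS error on connection from mx2.slc.paypal.com [173.0.84.227] I=[95.216.245.186]:25 (gnutls_handshake): timed out
mainlog.1:2023-07-25 11:26:29 TLS error on connection from mx0.slc.paypal.com [173.0.84.225] I=[95.216.245.186]:25 (gnutls_handshake): timed out
mainlog.1:2023-07-25 23:19:58 TLS error on connection from mx2.slc.paypal.com [173.0.84.227] I=[95.216.245.186]:25 (gnutls_handshake): timed out
mainlog.1:2023-07-25 23:32:09 TLS error on connection from mx0.slc.paypal.com [173.0.84.225] I=[95.216.245.186]:25 (gnutls_handshake): timed out
mainlog.1:2023-07-25 12:00:01 Start queue run: pid=2026200
mainlog.1:2023-07-25 13:02:10 TLS error on connection from mx.example.test [192.0.2.10] I=[95.216.245.186]:25 (gnutls_handshake): A TLS fatal alert has been received.
""".splitlines()

def parse_tls_error(line):
    """Return the fields of one TLS-error line as a dict, or None for any other line."""
    m = TLS_ERR.match(line)
    return m.groupdict() if m else None

def summarize_tls_errors(lines):
    """Group TLS failures by sending host: attempts, source IPs, local ports and reasons."""
    summary = defaultdict(lambda: {"count": 0, "ips": set(), "ports": set(), "reasons": Counter()})
    for line in lines:
        rec = parse_tls_error(line)
        if rec is None:
            continue
        s = summary[rec["host"]]
        s["count"] += 1
        s["ips"].add(rec["ip"])
        s["ports"].add(int(rec["port"]))
        s["reasons"][(rec["phase"], rec["reason"])] += 1
    return dict(summary)

def repeat_offenders(summary, min_count=2):
    """Hosts that fail repeatedly and always for the same reason: a systematic mismatch, not a transient blip."""
    return sorted(h for h, s in summary.items()
                  if s["count"] >= min_count and len(s["reasons"]) == 1)

if __name__ == "__main__":
    summary = summarize_tls_errors(SAMPLE_LOG)
    print(repeat_offenders(summary))
```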
Answer 1
Check the DNS configuration for non-transient inconsistencies, ideally both in the zone containing the server name and in the zone of the e-mail domain. I suspect one of your name servers is not doing what you ask of it: when I entered your certificate into a general-purpose tool that tries to find inconsistencies, I saw old but differing SOA serials and contents:
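One way to run the check this answer recommends is to ask each authoritative name server of a zone directly for its SOA and compare the serials. This is an added example (Python), not code from the answer; it assumes the `dig` binary is installed, SAMPLE_SOA_ANSWERS is constructed data, and the two zones in main() (from the question's hostname and certificate CN) are placeholders to replace with your own server-name and mail-domain zones.

```python
import subprocess
from collections import defaultdict

# Constructed sample in the shape of `dig +short SOA <zone> @<ns>` output, keyed by
# (zone, name server): ns2 still serves a stale copy of the zone (older serial).
SAMPLE_SOA_ANSWERS = {
    ("zone.example", "ns1.zone.example"):
        "ns1.zone.example. hostmaster.zone.example. 2023072501 3600 900 1209600 300",
    ("zone.example", "ns2.zone.example"):
        "ns1.zone.example. hostmaster.zone.example. 2021030101 3600 900 1209600 300",
    ("other.example", "ns1.other.example"):
        "ns1.other.example. hostmaster.other.example. 2023010100 3600 900 1209600 300",
}

def parse_soa(text):
    """Return (mname, rname, serial) from a `dig +short SOA` answer, or None if empty or malformed."""
    fields = text.split()
    if len(fields) < 7:
        return None
    return fields[0], fields[1], int(fields[2])

def find_inconsistencies(answers):
    """Return {zone: {ns: serial_or_None}} for every zone whose name servers disagree
    on the SOA serial, or where some server gave no (or an unparseable) answer."""
    by_zone = defaultdict(dict)
    for (zone, ns), text in answers.items():
        soa = parse_soa(text)
        by_zone[zone][ns] = soa[2] if soa else None
    return {z: v for z, v in by_zone.items() if len(set(v.values())) > 1}

def dig_short(qtype, name, server=None):
    """Run dig with +short (live network query; assumes the dig binary is installed)."""
    cmd = ["dig", "+short", "+time=3", "+tries=1", qtype, name]
    if server:
        cmd.append("@" + server)
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout.strip()

def collect_soa(zone):
    """Ask each authoritative NS of the zone directly for its SOA."""
    ns_list = [n.rstrip(".") for n in dig_short("NS", zone).splitlines() if n]
    return {(zone, ns): dig_short("SOA", zone, ns) for ns in ns_list}

if __name__ == "__main__":
    # Placeholder zones taken from the question (MTA hostname and certificate CN);
    # substitute your own server-name zone and mail-domain zone.
    answers = {}
    for zone in ("index3.ru", "16v.ru"):
        answers.update(collect_soa(zone))
    print(find_inconsistencies(answers) or "all name servers agree")
```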