我根据文档使用 postfix、dovecot 和 mysql 配置了邮件服务器。
当我在 Outlook 中添加该邮件账户时,Outlook 拒绝了它。
我尝试了所有能找到的方法,但没有任何帮助。
有人能帮助我并给我一个简单而好的指导吗?
多谢。
/etc/dovecot/dovecot.conf
# /etc/dovecot/dovecot.conf as pasted; lines ending in ">" were cut off by the terminal width.
# Dovecot takes the last assignment of a setting, and "!include conf.d/*.conf" is the last line,
# so the ssl_* values in conf.d/10-ssl.conf are presumably the ones in effect — confirm with doveconf -n.

# PLAIN/LOGIN only travel inside TLS because of "ssl = required" below and
# "disable_plaintext_auth = yes" in conf.d/10-auth.conf.
auth_mechanisms = plain login
# Mail storage runs as the unprivileged vmail account, one directory per domain/user.
mail_gid = vmail
mail_home = /var/vmail/mailboxes/%d/%n
mail_location = maildir:~/mail:LAYOUT=fs
mail_privileged_group = vmail
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacat>
# Default namespace with auto-subscribed special-use folders.
namespace inbox {
inbox = yes
location =
mailbox Drafts {
auto = subscribe
special_use = \Drafts
}
mailbox Sent {
auto = subscribe
special_use = \Sent
}
mailbox Spam {
auto = subscribe
special_use = \Junk
}
mailbox Trash {
auto = subscribe
special_use = \Trash
}
prefix =
}
# Password and user lookups both come from MySQL via dovecot-sql.conf (see userdb further down).
passdb {
args = /etc/dovecot/dovecot-sql.conf
driver = sql
}
plugin {
# Copying a message into Spam / out of Spam triggers the learn-spam / learn-ham Sieve scripts.
imapsieve_mailbox1_before = file:/var/vmail/sieve/global/learn-spam.sieve
imapsieve_mailbox1_causes = COPY
imapsieve_mailbox1_name = Spam
imapsieve_mailbox2_before = file:/var/vmail/sieve/global/learn-ham.sieve
imapsieve_mailbox2_causes = COPY
imapsieve_mailbox2_from = Spam
imapsieve_mailbox2_name = *
quota = maildir:User quota
quota_exceeded_message = Benutzer %u hat das Speichervolumen überschritten. />
sieve = file:/var/vmail/sieve/%d/%n/scripts;active=/var/vmail/sieve/%d/%n/act>
sieve_before = /var/vmail/sieve/global/spam-global.sieve
# vnd.dovecot.pipe lets Sieve scripts execute programs found in sieve_pipe_bin_dir; /usr/bin is a wide
# directory for that purpose — a dedicated directory holding only the learn helpers would be narrower.
sieve_global_extensions = +vnd.dovecot.pipe
sieve_pipe_bin_dir = /usr/bin
sieve_plugins = sieve_imapsieve sieve_extprograms
}
# "imaps" and "pop3s" are obsolete here (the log below warns about it); TLS is governed by the ssl settings.
protocols = imap pop3 imaps pop3s lmtp sieve
# Obsolete spelling of "ssl" (also flagged in the log); "ssl = required" below is the live setting.
ssl_disable = no
service anvil {
unix_listener anvil {
group = vmail
# NOTE(review): world-accessible socket mode; confirm a tighter mode is not sufficient here.
mode = 0666
}
}
service auth {
# Socket Postfix's smtpd uses for SASL (smtpd_sasl_path=private/auth in master.cf).
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
unix_listener auth-userdb {
group = vmail
mode = 0660
user = vmail
}
}
# Only the plain IMAP listener is declared; port 993 (used by the s_client test below) presumably
# comes from Dovecot's built-in imaps listener default — confirm with doveconf -n.
service imap-login {
inet_listener imap {
port = 143
}
}
# LMTP delivery socket used by Postfix (virtual_transport = lmtp:unix:private/dovecot-lmtp in main.cf).
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0660
user = postfix
}
user = vmail
}
service managesieve-login {
inet_listener sieve {
port = 4190
}
}
#service stats {
# unix_listener stats-reader {
# group = vmail
# mode = 0666
# user = vmail
# }
#}
# TLS is mandatory for clients.
ssl = required
# NOTE(review): per the answer and the "The certificate is empty" log entries, this dovecot.pem is an
# empty file; the working values are the acme.sh fullchain/privkey paths that Postfix already uses.
ssl_cert = </etc/ssl/certs/dovecot.pem
#ssl_cert_file = </etc/ssl.crt/domain.crt
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECD>
ssl_key = </etc/ssl/private/dovecot.pem
ssl_dh = </etc/dovecot/dh.pem
#ssl_key_file = </etc/ssl.key/domain.key
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes
# Obsolete (flagged in the log); the DH size comes from the ssl_dh file.
ssl_dh_parameters_length = 2048
stats_writer_socket_path =
userdb {
args = /etc/dovecot/dovecot-sql.conf
driver = sql
}
verbose_ssl = yes
version_ignore = yes
protocol imap {
imap_idle_notify_interval = 29 mins
mail_max_userip_connections = 20
mail_plugins = " quota imap_quota imap_sieve"
}
protocol lmtp {
mail_plugins = " sieve notify push_notification"
# "domain" is a placeholder in the paste.
postmaster_address = admin@domain
}
# Included last, so anything set in conf.d/ overrides the values above.
!include conf.d/*.conf
/etc/dovecot/conf.d/10-auth.conf
# /etc/dovecot/conf.d/10-auth.conf (as pasted): refuses PLAIN/LOGIN on connections that are not
# TLS-protected, so the "plain login" mechanisms in dovecot.conf are never usable in clear text.
disable_plaintext_auth = yes
/etc/dovecot/conf.d/10-ssl.conf
Letsencrypt 目录是空的,所以我按照文档添加了 dovecot.pem。
# /etc/dovecot/conf.d/10-ssl.conf, first version (as pasted).
#ssl_dh_parameters_length = 2048
# 4096-bit parameters generated with openssl dhparam (see the command further down the page).
ssl_dh=</etc/dovecot/dh.pem
ssl = required
ssl_prefer_server_ciphers = yes
verbose_ssl = yes
# Preferred permissions: root:root 0444
# NOTE(review): this is the dovecot.pem the poster says Dovecot generated; the log reports it as empty,
# and the answer below switches it to the acme.sh fullchain.pem that Postfix already uses.
ssl_cert = </etc/ssl/certs/dovecot.pem
#ssl_cert = </etc/letsencrypt/live/domain/fullchain.pem
# NOTE(review): the next line is a comment, so as pasted this file sets no ssl_key at all — the
# "Preferred permissions" comment and the "ssl_key = ..." setting were joined onto one line (probably a
# paste error); if the file really looks like this on disk, the key is never loaded.
# Preferred permissions: root:root 0400ssl_key = </etc/ssl/private/dovecot.pem
#ssl_key = </etc/letsencrypt/live/domaine/privkey.pem
# "!DH" removes the finite-field DHE suites, so ssl_dh above is never used; ECDHE suites remain allowed.
ssl_cipher_list = HIGH:!DH:!aNULL
/etc/postfix/main.cf
# /etc/postfix/main.cf as pasted (German section headers kept; lines ending in ">" are truncated, and the
# indentation of continuation lines was lost in the paste).
##
## Netzwerkeinstellungen
##
# Only loopback is trusted; "ip" below is a placeholder for the public address.
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
inet_interfaces = 127.0.0.1, ::1, ip
myhostname = mail.domain
##
## Mail-Queue Einstellungen
##
# Short queue lifetimes: undeliverable mail bounces after one hour instead of the usual days.
maximal_queue_lifetime = 1h
bounce_queue_lifetime = 1h
maximal_backoff_time = 15m
minimal_backoff_time = 5m
queue_run_delay = 5m
##
## TLS Einstellungen
## Quelle: https://ssl-config.mozilla.org/#server=postfix&version=3.4.8&config=>
##
### Allgemein
tls_preempt_cipherlist = no
tls_ssl_options = NO_COMPRESSION
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA2>
### Ausgehende SMTP-Verbindungen (Postfix als Sender)
# Outbound: DANE where the destination publishes TLSA records. This needs a DNSSEC-validating resolver
# reachable by Postfix (presumably on localhost); without one it degrades to opportunistic TLS — confirm.
smtp_tls_security_level = dane
smtp_dns_support_level = dnssec
smtp_tls_policy_maps = proxy:mysql:/etc/postfix/sql/tls-policy.cf
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_ciphers = medium
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
### Eingehende SMTP-Verbindungen
# Inbound port 25: opportunistic STARTTLS ("may" is correct for an MX), and AUTH is only offered after STARTTLS.
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_ciphers = medium
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
# NOTE(review): this line also excludes TLSv1.2 and TLSv1.3, so opportunistic (non-mandatory) sessions on
# port 25 have no protocol left to negotiate; the trailing "!TLSv1.2 !TLSv1.3" looks like an editing error
# and the value should match smtpd_tls_mandatory_protocols above.
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 !TLSv1.2 !TLSv1.3
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
# Same acme.sh chain/key the answer recommends for Dovecot.
smtpd_tls_cert_file=/etc/acme.sh/mail.domain/fullchain.pem
smtpd_tls_key_file=/etc/acme.sh/mail.domain/privkey.pem
# The parameter name is historical; it holds the (here 2048-bit) DHE parameters for non-export DH suites.
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
##
## Lokale Mailzustellung an Dovecot
##
# Matches the lmtp unix_listener in dovecot.conf.
virtual_transport = lmtp:unix:private/dovecot-lmtp
##
## Spamfilter und DKIM-Signaturen via Rspamd
##
smtpd_milters = inet:localhost:11332
non_smtpd_milters = inet:localhost:11332
milter_protocol = 6
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
# Fail-open: if Rspamd is unreachable, mail is accepted unfiltered and unsigned (availability over filtering).
milter_default_action = accept
##
## Server Restrictions für Clients, Empfänger und Relaying
## (im Bezug auf S2S-Verbindungen. Mailclient-Verbindungen werden in master.cf >
##
### Bedingungen, damit Postfix als Relay arbeitet (für Clients)
# Relaying only from loopback (mynetworks) or to our own domains; everything else is rejected.
smtpd_relay_restrictions = reject_non_fqdn_recipient
reject_unknown_recipient_domain
permit_mynetworks
reject_unauth_destination
### Bedingungen, damit Postfix ankommende E-Mails als Empfängerserver entgegenn>
### check_recipient_access prüft, ob ein account sendonly ist
smtpd_recipient_restrictions = check_recipient_access proxy:mysql:/etc/postfix/>
### Bedingungen, die SMTP-Clients erfüllen müssen (sendende Server)
# reject_unknown_client_hostname is strict: it rejects peers whose reverse DNS is missing or does not match
# forward DNS, which is known to hit some legitimate senders; the check_client_access map (truncated name)
# presumably holds the exemptions.
smtpd_client_restrictions = permit_mynetworks
check_client_access hash:/etc/postfix/without_p>
reject_unknown_client_hostname
### Wenn fremde Server eine Verbindung herstellen, müssen sie einen gültigen Ho>
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks
reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname
reject_unknown_helo_hostname
# Clients blockieren, wenn sie versuchen zu früh zu senden
smtpd_data_restrictions = reject_unauth_pipelining
##
## Restrictions für MUAs (Mail user agents)
##
# User-defined parameters, referenced as $mua_* from the smtps/submission services in master.cf.
mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_dom>
mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,reject_sende>
mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject
##
## MySQL Abfragen
##
# All SQL lookups go through proxymap, so smtpd itself never holds MySQL credentials or connections.
proxy_read_maps = proxy:mysql:/etc/postfix/sql/aliases.cf
proxy:mysql:/etc/postfix/sql/accounts.cf
proxy:mysql:/etc/postfix/sql/domains.cf
proxy:mysql:/etc/postfix/sql/recipient-access.cf
proxy:mysql:/etc/postfix/sql/sender-login-maps.cf
proxy:mysql:/etc/postfix/sql/tls-policy.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/sql/aliases.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/accounts.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/domains.cf
local_recipient_maps = $virtual_mailbox_maps
##
## Sonstiges
##
### Maximale Größe der gesamten Mailbox (soll von Dovecot festgelegt werden, 0 >
mailbox_size_limit = 0
### Maximale Größe eingehender E-Mails in Bytes (50 MB)
message_size_limit = 52428800
### Keine System-Benachrichtigung für Benutzer bei neuer E-Mail
biff = no
### Nutzer müssen immer volle E-Mail Adresse angeben - nicht nur Hostname
append_dot_mydomain = no
### Trenn-Zeichen für "Address Tagging"
recipient_delimiter = +
### Keine Rückschlüsse auf benutzte Mailadressen zulassen
# Stops VRFY-based address enumeration.
disable_vrfy_command = yes
/etc/postfix/master.cf
# /etc/postfix/master.cf as pasted; the column alignment and the indentation of the "-o" continuation
# lines were collapsed by the paste. Read each service line as:
# service type private unpriv chroot wakeup maxproc command
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
###
### SMTP-Serverbindungen aus dem Internet
### Authentifizuerung hier nicht erlaubt (Anmeldung nur via smtps/submission!)
# Port 25 (MX): SASL disabled, so credentials are never offered on the opportunistic-TLS port.
# NOTE(review): if the paste kept the columns, maxproc is 1 here, i.e. a single inbound SMTP session at a
# time — very low for an MX; confirm the intended value.
smtp inet n - y - 1 smtpd
-o smtpd_sasl_auth_enable=no
###
### SMTPS Service (Submission mit implizitem TLS - ohne STARTTLS) - Port 465
### Für Mailclients gelten andere Regeln, als für andere Mailserver (siehe smtp>
###
# Port 465: implicit TLS (wrappermode), TLS mandatory, Dovecot SASL over the private/auth socket, no anonymous
# mechanisms. Restrictions come from the mua_* parameters in main.cf, sender_login_maps ties the envelope sender
# to the authenticated login, and submitted mail is routed through the header-stripping cleanup service at the
# bottom of this file. HELO is not required from mail clients.
smtps inet n - y - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_sasl_security_options=noanonymous
-o smtpd_client_restrictions=$mua_client_restrictions
-o smtpd_sender_restrictions=$mua_sender_restrictions
-o smtpd_relay_restrictions=$mua_relay_restrictions
-o milter_macro_daemon_name=ORIGINATING
-o smtpd_sender_login_maps=proxy:mysql:/etc/postfix/sql/sender-login-maps.cf
-o smtpd_helo_required=no
-o smtpd_helo_restrictions=
-o cleanup_service_name=submission-header-cleanup
###
### Submission-Zugang für Clients (mit STARTTLS - für Rückwärtskompatibilität) >
###
# Port 587: same policy as smtps but with STARTTLS; "encrypt" still refuses AUTH before TLS is up.
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_sasl_security_options=noanonymous
-o smtpd_client_restrictions=$mua_client_restrictions
-o smtpd_sender_restrictions=$mua_sender_restrictions
-o smtpd_relay_restrictions=$mua_relay_restrictions
-o milter_macro_daemon_name=ORIGINATING
-o smtpd_sender_login_maps=proxy:mysql:/etc/postfix/sql/sender-login-maps.cf
-o smtpd_helo_required=no
-o smtpd_helo_restrictions=
-o cleanup_service_name=submission-header-cleanup
###
### Weitere wichtige Dienste für den Serverbetrieb
###
# Standard Postfix daemons; local and virtual run unchrooted (chroot column = n), the rest chrooted.
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
###
### Cleanup-Service um MUA header zu entfernen
###
# Cleanup instance for submitted mail only: header_checks strips client-identifying headers before queueing
# (the regexp file itself is not shown on the page).
submission-header-cleanup unix n - n - 0 cleanup
-o header_checks=regexp:/etc/postfix/submission_header_cleanup
对于 dh.pem 我使用了这个
# Generates 4096-bit finite-field DH parameters for Dovecot (this takes minutes).
# NOTE(review): the file is only used if the cipher list allows DHE suites; the pasted 10-ssl.conf uses
# HIGH:!DH:!aNULL, which excludes them, so this file is never consulted there.
openssl dhparam 4096 > /etc/dovecot/dh.pem
dovecot.pem 由 dovecot 生成。
# Inspect the chain Postfix uses (and which the answer recommends for Dovecot).
file /etc/acme.sh/mail.domain/fullchain.pem
/etc/acme.sh/mail.domain/fullchain.pem: ASCII text
# NOTE(review): file(1) reports plain "ASCII text" (recent versions usually say "PEM certificate") and the
# file is 769 bytes, which is small for a leaf-plus-intermediate chain — confirm it actually holds a
# certificate, e.g. openssl x509 -noout -subject -dates -in /etc/acme.sh/mail.domain/fullchain.pem
ls -la /etc/acme.sh/mail.domain/fullchain.pem
-rw-r--r-- 1 root root 769 Nov 4 15:59 /etc/acme.sh/mail.domain/fullchain.pem
# 0644 is fine for the public chain; the matching privkey.pem should stay root-only, as the
# "Preferred permissions: root:root 0400" comment in 10-ssl.conf says.
日志:
Nov 05 12:17:59 mail systemd[1]: Started Dovecot IMAP/POP3 email server.
Nov 05 12:17:59 mail dovecot[845]: doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:54: 'pop3s' protocol is no longer necessary, remove it
Nov 05 12:17:59 mail dovecot[845]: doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:55: ssl_disable has been renamed to ssl
Nov 05 12:17:59 mail dovecot[845]: doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:113: ssl_dh_parameters_length is no longer needed
Nov 05 12:17:59 mail dovecot[845]: config: Warning: NOTE: You can get a new clean config file with: doveconf -Pn > dovecot-new.conf
Nov 05 12:17:59 mail dovecot[845]: config: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:54: 'imaps' protocol is no longer necessary, remove it
Nov 05 12:17:59 mail dovecot[845]: config: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:54: 'pop3s' protocol is no longer necessary, remove it
Nov 05 12:17:59 mail dovecot[845]: config: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:55: ssl_disable has been renamed to ssl
Nov 05 12:18:00 mail dovecot[845]: config: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:113: ssl_dh_parameters_length is no longer needed
Nov 05 12:24:32 mail dovecot[845]: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=40.99.158.69, lip=ip, session=<hmbf0WYJm3AoY55F>
Nov 05 13:23:01 mail dovecot[845]: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=40.99.158.69, lip=ip, session=<2i39omcJm+0oY55F>
fullchain.pem 有 1 KB,privkey.pem 也是。我按照警告删除并更改了第 54 行和第 55 行中需要改动的部分,但另一个错误仍然出现。
我尝试了另一件事:
# Test the IMAPS listener (port 993) from outside.
openssl s_client -crlf -connect mail.domain:993
CONNECTED(00000003)
# errno=104 is ECONNRESET: the server dropped the connection before any TLS record came back, which matches
# the imap-login "Failed to initialize SSL server context" errors in the log.
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
# Nothing was received, so the "Verification: OK" / "Verify return code: 0 (ok)" lines below only mean that
# no certificate was checked at all — they are not evidence that TLS works.
SSL handshake has read 0 bytes and written 313 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
我忘了取消注释一件事。
GNU nano 5.4 /etc/dovecot/conf.d/10-ssl.conf
# /etc/dovecot/conf.d/10-ssl.conf, second version: certificate and key now match Postfix's acme.sh files.
#ssl_dh_parameters_length = 2048
# The 4096-bit dh.pem is commented out; Postfix's dh2048.pem is reused below.
#ssl_dh=</etc/dovecot/dh.pem
ssl = required
ssl_prefer_server_ciphers = yes
verbose_ssl = yes
# Same chain/key as smtpd_tls_cert_file / smtpd_tls_key_file in main.cf (what the answer recommends).
# Dovecot reads "<file" values when the config is loaded, which is why the key can stay root-only (0400).
ssl_cert = </etc/acme.sh/mail.domain/fullchain.pem
ssl_key = </etc/acme.sh/mail.domain/privkey.pem
ssl_dh = </etc/postfix/dh2048.pem
# Preferred permissions: root:root 0444
#ssl_cert = </etc/ssl/certs/dovecot.pem
#ssl_cert = </etc/letsencrypt/live/domain/fullchain.pem
# Preferred permissions: root:root 0400
#ssl_key = </etc/ssl/private/dovecot.pem
#ssl_key = </etc/letsencrypt/live/domain/privkey.pem
# "!DH" drops the finite-field DHE suites, so ssl_dh is unused; ECDHE remains available.
ssl_cipher_list = HIGH:!DH:!aNULL
# NOTE(review): the log lines pasted after this file are stamped 12:09–12:11, earlier than the 12:17 restart
# shown further up — confirm Dovecot was restarted after this edit (doveconf -n shows the live values).
Nov 5 12:09:22 mail dhclient[695]: XMT: Solicit on ens192, interval 115870ms.
Nov 5 12:09:22 mail dhclient[695]: RCV: Advertise message on ens192 from fe80::250:56ff:fea8:3303.
Nov 5 12:09:22 mail dhclient[695]: RCV: Advertise message on ens192 from fe80::250:56ff:fe8b:ad44.
Nov 5 12:09:32 mail dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=40.99.158.69, lip=ip, session=<b8o6nGYJ6wooY55F>
Nov 5 12:10:01 mail CRON[36330]: (psaadm) CMD (/opt/psa/admin/bin/php -dauto_prepend_file=sdk.php '/opt/psa/admin/plib/modules/revisium-antivirus/scripts/ra_executor_run.php')
Nov 5 12:10:03 mail dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=40.99.158.69, lip=ip, session=<v50LnmYJy0MoY55F>
Nov 5 12:10:33 mail dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=40.99.158.69, lip=ip, session=<WMPhn2YJ6cAoY55F>
Nov 5 12:10:45 mail dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=52.98.222.141, lip=ip, session=<q2OOoGYJsfI0Yt6N>
Nov 5 12:10:47 mail dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=40.101.83.53, lip=ip, session=<xuavoGYJz2IoZVM1>
Nov 5 12:10:51 mail dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=52.97.154.205, lip=ip, session=<J/fvoGYJ7Dg0YZrN>
Nov 5 12:11:04 mail dovecot: imap-login: Error: Failed to initialize SSL servermpty: user=<>, rip=40.99.158.69, lip=ip, session=<mW26oWYJnXUoY55F>
感谢您的回答。
我编辑了配置文件:
GNU nano 5.4 /etc/dovecot/conf.d/10-ssl.conf
# /etc/dovecot/conf.d/10-ssl.conf, third version (after the answer).
#ssl_dh_parameters_length = 2048
# NOTE(review): ssl_dh is set twice in this file (here and a few lines down); presumably the last assignment
# wins, so dh2048.pem applies and this 4096-bit file is ignored — confirm with doveconf -n.
ssl_dh=</etc/dovecot/dh.pem
ssl = required
ssl_prefer_server_ciphers = yes
verbose_ssl = yes
# Same chain/key as Postfix (main.cf smtpd_tls_cert_file / smtpd_tls_key_file).
ssl_cert = </etc/acme.sh/mail.domain/fullchain.pem
ssl_key = </etc/acme.sh/mail.domain/privkey.pem
ssl_dh = </etc/postfix/dh2048.pem
# Preferred permissions: root:root 0444
#ssl_cert = </etc/ssl/certs/dovecot.pem
#ssl_cert = </etc/letsencrypt/live/domain/fullchain.pem
# Preferred permissions: root:root 0400
#ssl_key = </etc/ssl/private/dovecot.pem
#ssl_key = </etc/letsencrypt/live/domain/privkey.pem
# With "!DH" neither DH file is used anyway; only ECDHE key exchange remains.
ssl_cipher_list = HIGH:!DH:!aNULL
# NOTE(review): the errors pasted below are stamped 11:59–12:00, i.e. before the 12:17 restart further up.
# "The certificate is empty" cannot come from this file unless fullchain.pem itself is empty — check
# `doveconf -n | grep ssl_cert` and `openssl x509 -noout -subject -in /etc/acme.sh/mail.domain/fullchain.pem`.
但我仍然收到错误:
Nov 5 11:59:46 mail dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=40.99.158.69, lip=ip, session=<IpxHeWYJXSooY55F>
Nov 5 12:00:01 mail CRON[36176]: (root) CMD (test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew)
Nov 5 12:00:01 mail CRON[36177]: (psaadm) CMD (/opt/psa/admin/bin/php -dauto_prepend_file=sdk.php '/opt/psa/admin/plib/modules/monitoring/scripts/cloud-alerts.php')
Nov 5 12:00:16 mail dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=40.99.158.69, lip=ip, session=<nC4We2YJYsMoY55F>
Nov 5 12:00:25 mail dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=52.97.145.245, lip=ip, session=<qu+ae2YJ1vw0YZH1>
Nov 5 12:00:27 mail dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=52.97.174.221, lip=ip, session=<4+y7e2YJSVc0Ya7d>
Nov 5 12:00:31 mail dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=52.98.144.213, lip=ip, session=<G078e2YJNvA0YpDV>
Nov 5 12:00:47 mail dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=40.99.158.69, lip=ip, session=<MNjlfGYJR7MoY55F>
答案1
ssl_cert = </etc/ssl/certs/dovecot.pem
[...] dovecot.pem 由 dovecot 生成。
这是你的问题。Dovecot 不会生成证书;这毫无意义。它会创建一个空文件。你的错误消息告诉你证书是空的。
使用与 Postfix 相同的证书:
ssl_cert = </etc/acme.sh/mail.domain/fullchain.pem
ssl_key = </etc/acme.sh/mail.domain/privkey.pem
ssl_dh = </etc/postfix/dh2048.pem
Let's Encrypt 目录为空的原因是您似乎使用的是 acme.sh。