Dovecot 证书是空的

Dovecot 证书是空的

我根据文档使用 postfix、dovecot 和 mysql 配置了邮件服务器。

当我在 Outlook 中添加邮件地址时,它拒绝了。

我尝试了所有能找到的方法,但没有任何帮助。

有人能帮助我并给我一个简单而好的指导吗?

多谢。

/etc/dovecot/dovecot.conf

auth_mechanisms = plain login
mail_gid = vmail
mail_home = /var/vmail/mailboxes/%d/%n
mail_location = maildir:~/mail:LAYOUT=fs
mail_privileged_group = vmail
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacat>
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
 }
  mailbox Spam {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
plugin {
  imapsieve_mailbox1_before = file:/var/vmail/sieve/global/learn-spam.sieve
  imapsieve_mailbox1_causes = COPY
  imapsieve_mailbox1_name = Spam
 imapsieve_mailbox2_before = file:/var/vmail/sieve/global/learn-ham.sieve
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_from = Spam
  imapsieve_mailbox2_name = *
  quota = maildir:User quota
  quota_exceeded_message = Benutzer %u hat das Speichervolumen überschritten. />
  sieve = file:/var/vmail/sieve/%d/%n/scripts;active=/var/vmail/sieve/%d/%n/act>
  sieve_before = /var/vmail/sieve/global/spam-global.sieve
  sieve_global_extensions = +vnd.dovecot.pipe
  sieve_pipe_bin_dir = /usr/bin
  sieve_plugins = sieve_imapsieve sieve_extprograms
}
protocols = imap pop3 imaps pop3s lmtp sieve
ssl_disable = no
service anvil {
  unix_listener anvil {
    group = vmail
    mode = 0666
  }
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0660
    user = vmail
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0660
    user = postfix
  }
  user = vmail
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
}
#service stats {
 # unix_listener stats-reader {
  #  group = vmail
   # mode = 0666
   # user = vmail
 # }
#}
ssl = required
ssl_cert = </etc/ssl/certs/dovecot.pem
#ssl_cert_file = </etc/ssl.crt/domain.crt
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECD>
ssl_key = </etc/ssl/private/dovecot.pem
ssl_dh = </etc/dovecot/dh.pem
#ssl_key_file = </etc/ssl.key/domain.key
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes
ssl_dh_parameters_length = 2048
stats_writer_socket_path =
userdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
verbose_ssl = yes
version_ignore = yes
protocol imap {
  imap_idle_notify_interval = 29 mins
  mail_max_userip_connections = 20
  mail_plugins = " quota imap_quota imap_sieve"
}
protocol lmtp {
  mail_plugins = " sieve notify push_notification"
  postmaster_address = admin@domain
}
!include conf.d/*.conf

/etc/dovecot/conf.d/10-auth.conf

disable_plaintext_auth = yes

/etc/dovecot/conf.d/10-ssl.conf

Letsencypt 是空的,所以我按照文档添加了 dovecot.pem。

#ssl_dh_parameters_length = 2048
ssl_dh=</etc/dovecot/dh.pem
ssl = required
ssl_prefer_server_ciphers = yes
verbose_ssl = yes
# Preferred permissions: root:root 0444
ssl_cert = </etc/ssl/certs/dovecot.pem
#ssl_cert = </etc/letsencrypt/live/domain/fullchain.pem
# Preferred permissions: root:root 0400ssl_key = </etc/ssl/private/dovecot.pem
#ssl_key = </etc/letsencrypt/live/domaine/privkey.pem
ssl_cipher_list = HIGH:!DH:!aNULL

/etc/postfix/main.cf

##
## Netzwerkeinstellungen
##

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
inet_interfaces = 127.0.0.1, ::1, ip
myhostname = mail.domain


##
## Mail-Queue Einstellungen
##

maximal_queue_lifetime = 1h
bounce_queue_lifetime = 1h
maximal_backoff_time = 15m
minimal_backoff_time = 5m
queue_run_delay = 5m


##
## TLS Einstellungen
## Quelle: https://ssl-config.mozilla.org/#server=postfix&version=3.4.8&config=>
##

### Allgemein
tls_preempt_cipherlist = no
tls_ssl_options = NO_COMPRESSION
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA2>

### Ausgehende SMTP-Verbindungen (Postfix als Sender)
smtp_tls_security_level = dane
smtp_dns_support_level = dnssec
smtp_tls_policy_maps = proxy:mysql:/etc/postfix/sql/tls-policy.cf
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_ciphers = medium
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

### Eingehende SMTP-Verbindungen
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_ciphers = medium
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 !TLSv1.2 !TLSv1.3
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_cert_file=/etc/acme.sh/mail.domain/fullchain.pem
smtpd_tls_key_file=/etc/acme.sh/mail.domain/privkey.pem
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem


##
## Lokale Mailzustellung an Dovecot
##

virtual_transport = lmtp:unix:private/dovecot-lmtp

##
## Spamfilter und DKIM-Signaturen via Rspamd
##

smtpd_milters = inet:localhost:11332
non_smtpd_milters = inet:localhost:11332
milter_protocol = 6
milter_mail_macros =  i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_default_action = accept



##
## Server Restrictions für Clients, Empfänger und Relaying
## (im Bezug auf S2S-Verbindungen. Mailclient-Verbindungen werden in master.cf >
##
### Bedingungen, damit Postfix als Relay arbeitet (für Clients)
smtpd_relay_restrictions =      reject_non_fqdn_recipient
                                reject_unknown_recipient_domain
                                permit_mynetworks
                                reject_unauth_destination


### Bedingungen, damit Postfix ankommende E-Mails als Empfängerserver entgegenn>
### check_recipient_access prüft, ob ein account sendonly ist
smtpd_recipient_restrictions = check_recipient_access proxy:mysql:/etc/postfix/>


### Bedingungen, die SMTP-Clients erfüllen müssen (sendende Server)
smtpd_client_restrictions =     permit_mynetworks
                                check_client_access hash:/etc/postfix/without_p>
                                reject_unknown_client_hostname


### Wenn fremde Server eine Verbindung herstellen, müssen sie einen gültigen Ho>
smtpd_helo_required = yes
smtpd_helo_restrictions =   permit_mynetworks
                            reject_invalid_helo_hostname
                            reject_non_fqdn_helo_hostname
                            reject_unknown_helo_hostname

# Clients blockieren, wenn sie versuchen zu früh zu senden
smtpd_data_restrictions = reject_unauth_pipelining


##
## Restrictions für MUAs (Mail user agents)
##
mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_dom>
mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,reject_sende>
mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject


##
## MySQL Abfragen
##

proxy_read_maps =       proxy:mysql:/etc/postfix/sql/aliases.cf
                        proxy:mysql:/etc/postfix/sql/accounts.cf
                        proxy:mysql:/etc/postfix/sql/domains.cf
                        proxy:mysql:/etc/postfix/sql/recipient-access.cf
                        proxy:mysql:/etc/postfix/sql/sender-login-maps.cf
                        proxy:mysql:/etc/postfix/sql/tls-policy.cf

virtual_alias_maps = proxy:mysql:/etc/postfix/sql/aliases.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/accounts.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/domains.cf
local_recipient_maps = $virtual_mailbox_maps


##
## Sonstiges
##

### Maximale Größe der gesamten Mailbox (soll von Dovecot festgelegt werden, 0 >
mailbox_size_limit = 0

### Maximale Größe eingehender E-Mails in Bytes (50 MB)
message_size_limit = 52428800

### Keine System-Benachrichtigung für Benutzer bei neuer E-Mail
biff = no

### Nutzer müssen immer volle E-Mail Adresse angeben - nicht nur Hostname
append_dot_mydomain = no

### Trenn-Zeichen für "Address Tagging"
recipient_delimiter = +

### Keine Rückschlüsse auf benutzte Mailadressen zulassen
disable_vrfy_command = yes

/etc/postfix/master.cf

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
###
### SMTP-Serverbindungen aus dem Internet
### Authentifizuerung hier nicht erlaubt (Anmeldung nur via smtps/submission!)
smtp      inet  n       -       y       -       1       smtpd
    -o smtpd_sasl_auth_enable=no
###
### SMTPS Service (Submission mit implizitem TLS - ohne STARTTLS) - Port 465
### Für Mailclients gelten andere Regeln, als für andere Mailserver (siehe smtp>
###
smtps     inet  n       -       y       -       -       smtpd
    -o syslog_name=postfix/smtps
    -o smtpd_tls_wrappermode=yes
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=private/auth
    -o smtpd_sasl_security_options=noanonymous
    -o smtpd_client_restrictions=$mua_client_restrictions
    -o smtpd_sender_restrictions=$mua_sender_restrictions
    -o smtpd_relay_restrictions=$mua_relay_restrictions
    -o milter_macro_daemon_name=ORIGINATING
    -o smtpd_sender_login_maps=proxy:mysql:/etc/postfix/sql/sender-login-maps.cf
    -o smtpd_helo_required=no
    -o smtpd_helo_restrictions=
    -o cleanup_service_name=submission-header-cleanup
###
### Submission-Zugang für Clients (mit STARTTLS - für Rückwärtskompatibilität) >
###
submission inet n       -       y       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=private/auth
    -o smtpd_sasl_security_options=noanonymous
    -o smtpd_client_restrictions=$mua_client_restrictions
    -o smtpd_sender_restrictions=$mua_sender_restrictions
    -o smtpd_relay_restrictions=$mua_relay_restrictions
    -o milter_macro_daemon_name=ORIGINATING
    -o smtpd_sender_login_maps=proxy:mysql:/etc/postfix/sql/sender-login-maps.cf
    -o smtpd_helo_required=no
    -o smtpd_helo_restrictions=
    -o cleanup_service_name=submission-header-cleanup
###
### Weitere wichtige Dienste für den Serverbetrieb
###
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
###
### Cleanup-Service um MUA header zu entfernen
###
submission-header-cleanup unix n - n    -       0       cleanup
    -o header_checks=regexp:/etc/postfix/submission_header_cleanup

对于 dh.pem 我使用了这个

openssl dhparam 4096 > /etc/dovecot/dh.pem

dovecot.pem 由 dovecot 生成。

    file /etc/acme.sh/mail.domain/fullchain.pem
/etc/acme.sh/mail.domain/fullchain.pem: ASCII text
ls -la /etc/acme.sh/mail.domain/fullchain.pem
-rw-r--r-- 1 root root 769 Nov 4 15:59 /etc/acme.sh/mail.domain/fullchain.pem

罗吉尔:

Nov 05 12:17:59 mail systemd[1]: Started Dovecot IMAP/POP3 email server.
Nov 05 12:17:59 mail dovecot[845]: doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:54: 'pop3s' protocol is no longer necessary, remove it
Nov 05 12:17:59 mail dovecot[845]: doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:55: ssl_disable has been renamed to ssl
Nov 05 12:17:59 mail dovecot[845]: doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:113: ssl_dh_parameters_length is no longer needed
Nov 05 12:17:59 mail dovecot[845]: config: Warning: NOTE: You can get a new clean config file with: doveconf -Pn > dovecot-new.conf
Nov 05 12:17:59 mail dovecot[845]: config: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:54: 'imaps' protocol is no longer necessary, remove it
Nov 05 12:17:59 mail dovecot[845]: config: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:54: 'pop3s' protocol is no longer necessary, remove it
Nov 05 12:17:59 mail dovecot[845]: config: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:55: ssl_disable has been renamed to ssl
Nov 05 12:18:00 mail dovecot[845]: config: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:113: ssl_dh_parameters_length is no longer needed
Nov 05 12:24:32 mail dovecot[845]: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=40.99.158.69, lip=ip, session=<hmbf0WYJm3AoY55F>


Nov 05 13:23:01 mail dovecot[845]: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=40.99.158.69, lip=ip, session=<2i39omcJm+0oY55F>

fullchain.pem 有 1kb,privkey.pem 也有。我删除并更改了第 54 行和第 55 行的 nessercery 部分。但另一个错误仍然出现。

我尝试了另一件事:

     openssl s_client -crlf -connect mail.domain:993
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 313 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

我忘了取消注释一件事。

  GNU nano 5.4             /etc/dovecot/conf.d/10-ssl.conf

#ssl_dh_parameters_length = 2048
#ssl_dh=</etc/dovecot/dh.pem
ssl = required
ssl_prefer_server_ciphers = yes
verbose_ssl = yes
ssl_cert = </etc/acme.sh/mail.domain/fullchain.pem
ssl_key = </etc/acme.sh/mail.domain/privkey.pem
ssl_dh = </etc/postfix/dh2048.pem
# Preferred permissions: root:root 0444
#ssl_cert = </etc/ssl/certs/dovecot.pem
#ssl_cert = </etc/letsencrypt/live/domain/fullchain.pem
# Preferred permissions: root:root 0400
#ssl_key = </etc/ssl/private/dovecot.pem
#ssl_key = </etc/letsencrypt/live/domain/privkey.pem
ssl_cipher_list = HIGH:!DH:!aNULL


Nov  5 12:09:22 mail dhclient[695]: XMT: Solicit on ens192, interval 115870ms.
Nov  5 12:09:22 mail dhclient[695]: RCV: Advertise message on ens192 from fe80::250:56ff:fea8:3303.
Nov  5 12:09:22 mail dhclient[695]: RCV: Advertise message on ens192 from fe80::250:56ff:fe8b:ad44.
Nov  5 12:09:32 mail dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=40.99.158.69, lip=ip, session=<b8o6nGYJ6wooY55F>
Nov  5 12:10:01 mail CRON[36330]: (psaadm) CMD (/opt/psa/admin/bin/php -dauto_prepend_file=sdk.php '/opt/psa/admin/plib/modules/revisium-antivirus/scripts/ra_executor_run.php')
Nov  5 12:10:03 mail dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=40.99.158.69, lip=ip, session=<v50LnmYJy0MoY55F>
Nov  5 12:10:33 mail dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=40.99.158.69, lip=ip, session=<WMPhn2YJ6cAoY55F>
Nov  5 12:10:45 mail dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=52.98.222.141, lip=ip, session=<q2OOoGYJsfI0Yt6N>
Nov  5 12:10:47 mail dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=40.101.83.53, lip=ip, session=<xuavoGYJz2IoZVM1>
Nov  5 12:10:51 mail dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=52.97.154.205, lip=ip, session=<J/fvoGYJ7Dg0YZrN>
Nov  5 12:11:04 mail dovecot: imap-login: Error: Failed to initialize SSL servermpty: user=<>, rip=40.99.158.69, lip=ip, session=<mW26oWYJnXUoY55F>

感谢您的回答。

我编辑配置文件

  GNU nano 5.4             /etc/dovecot/conf.d/10-ssl.conf
#ssl_dh_parameters_length = 2048
ssl_dh=</etc/dovecot/dh.pem
ssl = required
ssl_prefer_server_ciphers = yes
verbose_ssl = yes
ssl_cert = </etc/acme.sh/mail.domain/fullchain.pem
ssl_key = </etc/acme.sh/mail.domain/privkey.pem
ssl_dh = </etc/postfix/dh2048.pem
# Preferred permissions: root:root 0444
#ssl_cert = </etc/ssl/certs/dovecot.pem
#ssl_cert = </etc/letsencrypt/live/domain/fullchain.pem
# Preferred permissions: root:root 0400
#ssl_key = </etc/ssl/private/dovecot.pem
#ssl_key = </etc/letsencrypt/live/domain/privkey.pem
ssl_cipher_list = HIGH:!DH:!aNULL

但我仍然收到错误:

Nov  5 11:59:46 mail dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=40.99.158.69, lip=ip, session=<IpxHeWYJXSooY55F>
Nov  5 12:00:01 mail CRON[36176]: (root) CMD (test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew)
Nov  5 12:00:01 mail CRON[36177]: (psaadm) CMD (/opt/psa/admin/bin/php -dauto_prepend_file=sdk.php '/opt/psa/admin/plib/modules/monitoring/scripts/cloud-alerts.php')
Nov  5 12:00:16 mail dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=40.99.158.69, lip=ip, session=<nC4We2YJYsMoY55F>
Nov  5 12:00:25 mail dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=52.97.145.245, lip=ip, session=<qu+ae2YJ1vw0YZH1>
Nov  5 12:00:27 mail dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=52.97.174.221, lip=ip, session=<4+y7e2YJSVc0Ya7d>
Nov  5 12:00:31 mail dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=52.98.144.213, lip=ip, session=<G078e2YJNvA0YpDV>
Nov  5 12:00:47 mail dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=40.99.158.69, lip=ip, session=<MNjlfGYJR7MoY55F>

答案1

ssl_cert = </etc/ssl/certs/dovecot.pem [...] dovecot.pem 由 dovecot 生成。

这是你的问题。Dovecot 不会生成证书;这毫无意义。它会创建一个空文件。你的错误消息告诉你证书是空的。

使用相同的证书与后缀相同:

ssl_cert = </etc/acme.sh/mail.domain/fullchain.pem
ssl_key = </etc/acme.sh/mail.domain/privkey.pem
ssl_dh = </etc/postfix/dh2048.pem

Lets Encrypt 文件夹为空的原因是您似乎正在使用 acme.sh。

相关内容