Postfix/Dovecot 将 Apache 的默认 SSL 证书呈现给 Thunderbird 客户端

我已经为这个问题奋斗了一段时间了。

我想让 thunderbird 获取 mail.******.cl 的证书，但它似乎总是获取 ******.cl。

所以我做了几个测试，发现它获取的是 Apache 提供的默认证书，而不是 Postfix/Dovecot 提供的证书。禁用 Apache2 解决了这个问题。逐个禁用我的网站会让它按顺序为下一个网站提供证书。为 mail.****.cl 创建网站会让它提供证书，但 thunderbird 却说这是错误的网站，它总是尝试获取 ****.cl 的证书，即使它自动检测到 mail.*****.cl 进行发送和接收。

我尝试过其他邮件客户端，结果也类似。禁用 Apache 可以完全解决问题，并提供正确的证书。

我的 Apache SNI 似乎配置正确。我的 DNS 似乎没问题，mail.*****.cl 有一个指向机器 IP 的 A 记录，*****.cl 有一个 A 记录，它们工作正常。还有一个指向我的 droplet IP 的邮件反向 DNS

也许唯一的解决方案就是为 Apache 创建一个单独的 droplet，并将其留作邮件使用？

我尝试了很多次让这个东西工作，但似乎无法得到我想要的结果。

Thunderbird 获取错误证书

编辑：我尝试为 mi mail.domain.cl 创建一个 vhost，它看起来像这样：

<VirtualHost *:443>
    ServerName mail.domain.cl

    SSLEngine on
    SSLCertificateFile /home/domain/.certs/mail.domain.cl/mail.domain.cl.crt
    SSLCertificateKeyFile /home/domain/.certs/mail.domain.cl/mail.domain.cl.key
    SSLCertificateChainFile /home/domain/.certs/mail.domain.cl/mail.domain.cl.fullchain.crt

    Redirect 403 /
    ErrorDocument 403 "Acceso Denegado"
</VirtualHost>

但是 Thunderbird 仍在尝试从我的根域获取证书（在添加电子邮件帐户时），这确实很尴尬。邮件仍然可以正常工作，但当我尝试为客户创建新帐户时会出现问题。

它应该尝试从 mail.domain.cl 获取证书，而不是从 domain.cl 获取。此外，我在 apache 日志中发现了以下内容：

54.37.79.75 - - [29/Jan/2024:01:11:21 +0000] "POST / HTTP/1.1" 200 286 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
205.210.31.237 - - [29/Jan/2024:01:16:41 +0000] "\x16\x03\x01" 400 483 "-" "-"
205.210.31.237 - - [29/Jan/2024:01:16:42 +0000] "\x16\x03\x01" 400 483 "-" "-"
176.97.210.231 - - [29/Jan/2024:01:52:14 +0000] "GET / HTTP/1.1" 200 230 "-" "-"
45.142.182.85 - - [29/Jan/2024:01:52:57 +0000] "GET / HTTP/1.1" 200 230 "-" "-"
71.6.232.28 - - [29/Jan/2024:01:59:18 +0000] "GET / HTTP/1.1" 200 230 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36"
192.241.210.35 - - [29/Jan/2024:02:05:33 +0000] "MGLNDD_165.232.153.205_80\n" 400 483 "-" "-"
207.248.203.238 - - [29/Jan/2024:02:15:37 +0000] "GET /.well-known/autoconfig/mail/config-v1.1.xml?emailaddress=jairo%40domain.cl HTTP/1.1" 404 491 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) Gecko/20100101 Thunderbird/115.7.0"
207.248.203.238 - - [29/Jan/2024:02:16:50 +0000] "GET /.well-known/autoconfig/mail/config-v1.1.xml?emailaddress=jairo%40domain.cl HTTP/1.1" 404 491 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) Gecko/20100101 Thunderbird/115.7.0"
207.248.203.238 - - [29/Jan/2024:02:17:49 +0000] "GET /.well-known/autoconfig/mail/config-v1.1.xml?emailaddress=jairo%40domain.cl HTTP/1.1" 404 491 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) Gecko/20100101 Thunderbird/115.7.0"

这表明它尝试获取自动配置 xml，但未找到。我不知道这是否与问题有关。

我的 DNS 记录如下： DNS

编辑2：

我的 postfix main.cf：

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
# fresh installs.
compatibility_level = 3.6



# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/postfix.fullchain.crt
smtpd_tls_key_file=/etc/ssl/private/postfix.key
smtpd_use_tls = yes
smtpd_tls_security_level=may

smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level=may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache


smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mail.domain.cl
mydomain = domain.cl
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = $mydomain
mydestination = $myhostname, localhost.$mydomain, $mydomain, ubuntu-intelsoft, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

mua_client_restrictions = permit_sasl_authenticated, reject
mua_helo_restrictions = permit_sasl_authenticated, reject
mua_sender_restrictions = permit_sasl_authenticated, reject

# Milter configuration for OpenDKIM
milter_protocol = 6
milter_default_action = accept
smtpd_milters = inet:localhost:8891
non_smtpd_milters = $smtpd_milters

我的 dovecot conf.d/10-ssl.conf：

##
## SSL settings
##

# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = yes

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </etc/ssl/certs/postfix.fullchain.crt
ssl_key = </etc/ssl/private/postfix.key

# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
# world-readable, you may want to place this setting instead to a different
# root owned 0600 file by using ssl_key_password = <path.
#ssl_key_password =

# PEM encoded trusted certificate authority. Set this only if you intend to use
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
#ssl_ca =

# Require that CRL check succeeds for client certificates.
#ssl_require_crl = yes

# Directory and/or file for trusted SSL CA certificates. These are used only
# when Dovecot needs to act as an SSL client (e.g. imapc backend or
# submission service). The directory is usually /etc/ssl/certs in
# Debian-based systems and the file is /etc/pki/tls/cert.pem in
# RedHat-based systems. Note that ssl_client_ca_file isn't recommended with
# large CA bundles, because it leads to excessive memory usage.
#ssl_client_ca_dir =
ssl_client_ca_dir = /etc/ssl/certs
#ssl_client_ca_file =

# Require valid cert when connecting to a remote server
#ssl_client_require_valid_cert = yes

# Request client to send a certificate. If you also want to require it, set
# auth_ssl_require_client_cert=yes in auth section.
#ssl_verify_client_cert = no

# Which field from certificate to use for username. commonName and
# x500UniqueIdentifier are the usual choices. You'll also need to set
# auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName

# SSL DH parameters
# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
# Or migrate from old ssl-parameters.dat file with the command dovecot
# gives on startup when ssl_dh is unset.
ssl_dh = </usr/share/dovecot/dh.pem

# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
# TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3, depending on the OpenSSL version used.
#
# Dovecot also recognizes values ANY and LATEST. ANY matches with any protocol
# version, and LATEST matches with the latest version supported by library.
#ssl_min_protocol = TLSv1.2

# SSL ciphers to use, the default is:
#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
# To disable non-EC DH, use:
#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH

# Colon separated list of elliptic curves to use. Empty value (the default)
# means use the defaults from the SSL library. P-521:P-384:P-256 would be an
# example of a valid value.
#ssl_curve_list =

# Prefer the server's order of ciphers over client's.
#ssl_prefer_server_ciphers = no

# SSL crypto device to use, for valid values run "openssl engine"
#ssl_crypto_device =

# SSL extra options. Currently supported options are:
#   compression - Enable compression.
#   no_ticket - Disable SSL session tickets.
#ssl_options =

正如我之前提到的，禁用 apache 会为 Thunderbird 或任何邮件客户端提供正确的证书，不会出现任何错误。启用它会显示来自我的 domain.cl 的证书已过期。

我现在正在考虑创建另一个 droplet，并在我的 mail.domain.cl IP 上永久禁用 apache。

关于如何提供正确的证书还有其他更好的想法吗？

编辑3：doveconf -n输出：

# 2.3.16 (7e2e900c1a): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.16 (09c29328)
# OS: Linux 5.15.0-92-generic x86_64 Ubuntu 22.04.3 LTS
# Hostname: ubuntu-intelsoft
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_privileged_group = mail
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
protocols = " imap"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
}
service imap-login {
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
ssl_cert = </etc/ssl/certs/postfix.fullchain.crt
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
  driver = passwd
}