I am running Postfix inside a docker container. The certificate was generated with certbot.
The configuration is as follows:
smtpd_tls_cert_file=/var/keys/fullchain.pem
smtpd_tls_key_file=/var/keys/privkey.pem
smtpd_use_tls=yes
smtp_tls_security_level = encrypt
Every attempt to send an email to Gmail produces the following:
status=deferred (TLS is required but was not offered by host alt1.aspmx.l.google.co
When I change smtp_tls_security_level to may, the email goes out; but without TLS, that does not solve the problem at all.
When I run an openssl TLS check, everything seems fine; it just is not applying it to the email.
Does anyone know what I am doing wrong?
Log after disabling ipv6 and adding debug_peer_list:
Feb 8 10:50:24 92d95fdf2397 postfix/cleanup[489]: 2910E1667CE: message-id=<[email protected]>
Feb 8 10:50:24 92d95fdf2397 postfix/qmgr[481]: 2910E1667CE: from=<[email protected]>, size=6181, nrcpt=1 (queue active)
Feb 8 10:50:24 92d95fdf2397 postfix/smtp[490]: initializing the client-side TLS engine
Feb 8 10:50:24 92d95fdf2397 postfix/smtpd[485]: disconnect from ec2-54-154-126-37.eu-west-1.compute.amazonaws.com[54.154.126.37]
Feb 8 10:50:24 92d95fdf2397 postfix/smtp[490]: 2910E1667CE: enabling PIX workarounds: disable_esmtp delay_dotcrlf for aspmx.l.google.com[66.102.1.26]:25
Feb 8 10:50:24 92d95fdf2397 postfix/smtp[490]: 2910E1667CE: TLS is required, but was not offered by host aspmx.l.google.com[66.102.1.26]
Feb 8 10:50:24 92d95fdf2397 postfix/smtp[490]: 2910E1667CE: enabling PIX workarounds: disable_esmtp delay_dotcrlf for alt1.aspmx.l.google.com[142.250.153.27]:25
Feb 8 10:50:24 92d95fdf2397 postfix/smtp[490]: 2910E1667CE: TLS is required, but was not offered by host alt1.aspmx.l.google.com[142.250.153.27]
Feb 8 10:50:24 92d95fdf2397 postfix/smtp[490]: 2910E1667CE: enabling PIX workarounds: disable_esmtp delay_dotcrlf for alt2.aspmx.l.google.com[142.251.9.27]:25
Feb 8 10:50:24 92d95fdf2397 postfix/smtp[490]: 2910E1667CE: TLS is required, but was not offered by host alt2.aspmx.l.google.com[142.251.9.27]
Feb 8 10:50:24 92d95fdf2397 postfix/smtp[490]: smtp_stream_setup: maxtime=300 enable_deadline=0
Feb 8 10:50:24 92d95fdf2397 postfix/smtp[490]: < aspmx3.googlemail.com[142.251.9.27]:25: 220 ********************************************************************************
Feb 8 10:50:24 92d95fdf2397 postfix/smtp[490]: name_mask: disable_esmtp
Feb 8 10:50:24 92d95fdf2397 postfix/smtp[490]: name_mask: delay_dotcrlf
Feb 8 10:50:24 92d95fdf2397 postfix/smtp[490]: 2910E1667CE: enabling PIX workarounds: disable_esmtp delay_dotcrlf for aspmx3.googlemail.com[142.251.9.27]:25
Feb 8 10:50:24 92d95fdf2397 postfix/smtp[490]: > aspmx3.googlemail.com[142.251.9.27]:25: HELO mail.example.net
Feb 8 10:50:24 92d95fdf2397 postfix/smtp[490]: < aspmx3.googlemail.com[142.251.9.27]:25: 250 mx.google.com at your service
Feb 8 10:50:24 92d95fdf2397 postfix/smtp[490]: server features: 0x30000 size 0
Feb 8 10:50:24 92d95fdf2397 postfix/smtp[490]: 2910E1667CE: TLS is required, but was not offered by host aspmx3.googlemail.com[142.251.9.27]
Feb 8 10:50:24 92d95fdf2397 postfix/smtp[490]: smtp_stream_setup: maxtime=300 enable_deadline=0
Feb 8 10:50:24 92d95fdf2397 postfix/smtp[490]: > aspmx3.googlemail.com[142.251.9.27]:25: QUIT
Feb 8 10:50:24 92d95fdf2397 postfix/smtp[490]: name_mask: resource
Feb 8 10:50:24 92d95fdf2397 postfix/smtp[490]: name_mask: software
Feb 8 10:50:24 92d95fdf2397 postfix/smtp[490]: 2910E1667CE: enabling PIX workarounds: disable_esmtp delay_dotcrlf for aspmx2.googlemail.com[142.250.153.27]:25
Feb 8 10:50:24 92d95fdf2397 postfix/smtp[490]: 2910E1667CE: to=<[email protected]>, relay=aspmx2.googlemail.com[142.250.153.27]:25, delay=0.37, delays=0.05/0.01/0.31/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host aspmx2.googlemail.com[142.250.153.27])
Answer 1
Try setting smtp_pix_workarounds=delay_dotcrlf. The default setting of smtp_pix_workarounds includes disable_esmtp, which disables EHLO, so your SMTP client will never receive a STARTTLS response.
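An added diagnostic, not part of the answer above: the all-asterisk 220 banner in the log is the signature of SMTP inspection on the path (Cisco PIX/ASA "fixup smtp" style), and that banner is what makes Postfix enable its PIX workarounds and send HELO, after which STARTTLS can never be advertised. The script below checks this from the same network the container uses: it reads the banner from an MX, sends EHLO itself and reports whether STARTTLS was offered. The MX host and HELO name are command-line arguments, and the sample replies are constructed to mirror the log.

```python
import re
import socket

# Constructed sample replies modelled on the log above; not captured from a live session.
MASKED_BANNER = "220 " + "*" * 80
NORMAL_BANNER = "220 mx.google.com ESMTP gsmtp"
EHLO_REPLY = "250-mx.google.com at your service\r\n250-SIZE 157286400\r\n250-STARTTLS\r\n250 SMTPUTF8\r\n"
HELO_REPLY = "250 mx.google.com at your service\r\n"


def banner_is_masked(banner: str) -> bool:
    """A 220 greeting made of asterisks is the firewall signature Postfix keys on."""
    return re.fullmatch(r"220\s+\*{8,}\s*", banner.strip()) is not None


def starttls_offered(reply: str) -> bool:
    """STARTTLS counts as offered only if a 250 line of the EHLO reply names it."""
    return any(re.match(r"250[- ]STARTTLS\b", ln.strip(), re.I) for ln in reply.splitlines())


def diagnose(masked: bool, starttls: bool) -> str:
    """Map the two observations onto the likely cause of 'TLS is required but not offered'."""
    if masked:
        return "banner masked: SMTP inspection on the path; Postfix falls back to HELO"
    if not starttls:
        return "clean banner but no STARTTLS: remote MX really does not offer TLS"
    return "STARTTLS offered: encrypt should work once EHLO is actually sent"


def _read_reply(rf) -> str:
    """Collect one SMTP reply up to its final line (a 3-digit code followed by a space)."""
    lines = []
    while True:
        raw = rf.readline()
        lines.append(raw.decode("utf-8", "replace"))
        if not raw or re.match(rb"\d{3}( |\r?\n$)", raw):
            return "".join(lines)


def probe_mx(host: str, helo_name: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Open a plain port-25 session from this network, capture banner and EHLO reply, then QUIT."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rf = sock.makefile("rb")
        banner = _read_reply(rf)
        sock.sendall(f"EHLO {helo_name}\r\n".encode())
        ehlo = _read_reply(rf)
        sock.sendall(b"QUIT\r\n")
    masked, tls = banner_is_masked(banner), starttls_offered(ehlo)
    return {"banner": banner.strip(), "masked": masked, "starttls": tls, "verdict": diagnose(masked, tls)}


if __name__ == "__main__":
    import sys  # usage: python3 probe_mx.py aspmx.l.google.com mail.example.net
    print(probe_mx(sys.argv[1], sys.argv[2]))
```

If the probe reports a masked banner, the fix belongs on the host or cloud network (disable SMTP inspection, or route outbound 25 around it); changing smtp_pix_workarounds only keeps Postfix sending EHLO through a path that is still being rewritten.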
Answer 2
smtp_tls_security_level = encrypt means you need client certificate verification, so the best practice is to keep it at may
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_auth_only = yes
# Enable Opportunistic TLS
smtp_tls_security_level = may
smtp_tls_cert_file=/var/keys/fullchain.pem
smtp_tls_key_file=/var/keys/privkey.pem
smtpd is for incoming connections: https://blog.matrixpost.net/enable-tls-for-postfix-on-ubuntu/