Postfix TLS configured with Letsencrypt

I am running Postfix inside a Docker container. The certificate was generated with certbot.

With the following configuration:

smtpd_tls_cert_file=/var/keys/fullchain.pem
smtpd_tls_key_file=/var/keys/privkey.pem
smtpd_use_tls=yes
smtp_tls_security_level = encrypt

Every attempt to send an email to Gmail gives the following result:

status=deferred (TLS is required but was not offered by host alt1.aspmx.l.google.co

When I change smtp_tls_security_level to may, the email goes out; but that is without TLS, which does not solve the problem at all.

When I run an openssl TLS check everything looks fine; it is simply not being applied to the email.

Does anyone know what I am doing wrong?

Log after disabling IPv6 and adding debug_peer_list:

Feb  8 10:50:24 92d95fdf2397 postfix/cleanup[489]: 2910E1667CE: message-id=<[email protected]>
Feb  8 10:50:24 92d95fdf2397 postfix/qmgr[481]: 2910E1667CE: from=<[email protected]>, size=6181, nrcpt=1 (queue active)
Feb  8 10:50:24 92d95fdf2397 postfix/smtp[490]: initializing the client-side TLS engine
Feb  8 10:50:24 92d95fdf2397 postfix/smtpd[485]: disconnect from ec2-54-154-126-37.eu-west-1.compute.amazonaws.com[54.154.126.37]
Feb  8 10:50:24 92d95fdf2397 postfix/smtp[490]: 2910E1667CE: enabling PIX workarounds: disable_esmtp delay_dotcrlf for aspmx.l.google.com[66.102.1.26]:25
Feb  8 10:50:24 92d95fdf2397 postfix/smtp[490]: 2910E1667CE: TLS is required, but was not offered by host aspmx.l.google.com[66.102.1.26]
Feb  8 10:50:24 92d95fdf2397 postfix/smtp[490]: 2910E1667CE: enabling PIX workarounds: disable_esmtp delay_dotcrlf for alt1.aspmx.l.google.com[142.250.153.27]:25
Feb  8 10:50:24 92d95fdf2397 postfix/smtp[490]: 2910E1667CE: TLS is required, but was not offered by host alt1.aspmx.l.google.com[142.250.153.27]
Feb  8 10:50:24 92d95fdf2397 postfix/smtp[490]: 2910E1667CE: enabling PIX workarounds: disable_esmtp delay_dotcrlf for alt2.aspmx.l.google.com[142.251.9.27]:25
Feb  8 10:50:24 92d95fdf2397 postfix/smtp[490]: 2910E1667CE: TLS is required, but was not offered by host alt2.aspmx.l.google.com[142.251.9.27]
Feb  8 10:50:24 92d95fdf2397 postfix/smtp[490]: smtp_stream_setup: maxtime=300 enable_deadline=0
Feb  8 10:50:24 92d95fdf2397 postfix/smtp[490]: < aspmx3.googlemail.com[142.251.9.27]:25: 220 ********************************************************************************
Feb  8 10:50:24 92d95fdf2397 postfix/smtp[490]: name_mask: disable_esmtp
Feb  8 10:50:24 92d95fdf2397 postfix/smtp[490]: name_mask: delay_dotcrlf
Feb  8 10:50:24 92d95fdf2397 postfix/smtp[490]: 2910E1667CE: enabling PIX workarounds: disable_esmtp delay_dotcrlf for aspmx3.googlemail.com[142.251.9.27]:25
Feb  8 10:50:24 92d95fdf2397 postfix/smtp[490]: > aspmx3.googlemail.com[142.251.9.27]:25: HELO mail.example.net
Feb  8 10:50:24 92d95fdf2397 postfix/smtp[490]: < aspmx3.googlemail.com[142.251.9.27]:25: 250 mx.google.com at your service
Feb  8 10:50:24 92d95fdf2397 postfix/smtp[490]: server features: 0x30000 size 0
Feb  8 10:50:24 92d95fdf2397 postfix/smtp[490]: 2910E1667CE: TLS is required, but was not offered by host aspmx3.googlemail.com[142.251.9.27]
Feb  8 10:50:24 92d95fdf2397 postfix/smtp[490]: smtp_stream_setup: maxtime=300 enable_deadline=0
Feb  8 10:50:24 92d95fdf2397 postfix/smtp[490]: > aspmx3.googlemail.com[142.251.9.27]:25: QUIT
Feb  8 10:50:24 92d95fdf2397 postfix/smtp[490]: name_mask: resource
Feb  8 10:50:24 92d95fdf2397 postfix/smtp[490]: name_mask: software
Feb  8 10:50:24 92d95fdf2397 postfix/smtp[490]: 2910E1667CE: enabling PIX workarounds: disable_esmtp delay_dotcrlf for aspmx2.googlemail.com[142.250.153.27]:25
Feb  8 10:50:24 92d95fdf2397 postfix/smtp[490]: 2910E1667CE: to=<[email protected]>, relay=aspmx2.googlemail.com[142.250.153.27]:25, delay=0.37, delays=0.05/0.01/0.31/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host aspmx2.googlemail.com[142.250.153.27])

Answer 1

Try setting smtp_pix_workarounds=delay_dotcrlf. The default smtp_pix_workarounds setting includes disable_esmtp, which disables EHLO, so your SMTP client will never receive a STARTTLS response.
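As an added example (not from the question or either answer), here is a small Python checker that runs over Postfix smtp debug lines like the ones in the question and, per relay host, reports whether the PIX workarounds switched ESMTP off, whether HELO was sent instead of EHLO, whether the 220 banner was masked with asterisks, and whether STARTTLS was ever advertised. The first host's lines are taken from the log above; the second host (mx.example.org, a placeholder) and its EHLO exchange are constructed to show a relay that does offer STARTTLS.

```python
import re
from collections import defaultdict
# Constructed sample: the first host's lines are taken from the question's log; the
# second host (mx.example.org, a placeholder) and its EHLO exchange are made up.
SAMPLE_LOG = """\
Feb  8 10:50:24 92d95fdf2397 postfix/smtp[490]: 2910E1667CE: enabling PIX workarounds: disable_esmtp delay_dotcrlf for aspmx3.googlemail.com[142.251.9.27]:25
Feb  8 10:50:24 92d95fdf2397 postfix/smtp[490]: < aspmx3.googlemail.com[142.251.9.27]:25: 220 ****************
Feb  8 10:50:24 92d95fdf2397 postfix/smtp[490]: > aspmx3.googlemail.com[142.251.9.27]:25: HELO mail.example.net
Feb  8 10:50:24 92d95fdf2397 postfix/smtp[490]: < aspmx3.googlemail.com[142.251.9.27]:25: 250 mx.google.com at your service
Feb  8 10:50:24 92d95fdf2397 postfix/smtp[490]: 2910E1667CE: TLS is required, but was not offered by host aspmx3.googlemail.com[142.251.9.27]
Feb  8 10:51:02 92d95fdf2397 postfix/smtp[491]: < mx.example.org[192.0.2.10]:25: 220 mx.example.org ESMTP Postfix
Feb  8 10:51:02 92d95fdf2397 postfix/smtp[491]: > mx.example.org[192.0.2.10]:25: EHLO mail.example.net
Feb  8 10:51:02 92d95fdf2397 postfix/smtp[491]: < mx.example.org[192.0.2.10]:25: 250-STARTTLS
"""

PIX_RE = re.compile(r"enabling PIX workarounds: (?P<flags>.+?) for (?P<host>\S+):\d+$")
DIALOG_RE = re.compile(r" (?P<dir>[<>]) (?P<host>\S+):\d+: (?P<msg>.*)$")
TLS_RE = re.compile(r"TLS is required, but was not offered by host (?P<host>[^\s)]+)")

def analyse(log_text):
    """Per remote host, record what the Postfix SMTP client saw and did."""
    hosts = defaultdict(lambda: {"pix_flags": [], "greeting": None, "banner_masked": False,
                                 "starttls_offered": False, "tls_required_not_offered": False})
    for line in log_text.splitlines():
        if m := PIX_RE.search(line):
            hosts[m["host"]]["pix_flags"] = m["flags"].split()
        elif m := DIALOG_RE.search(line):
            h, msg = hosts[m["host"]], m["msg"]
            if m["dir"] == ">" and msg[:4] in ("HELO", "EHLO"):
                h["greeting"] = msg[:4]                     # which greeting the client chose
            elif msg.startswith("220 "):
                h["banner_masked"] = set(msg[4:]) == {"*"}  # banner replaced by asterisks
            elif msg.startswith("250") and "STARTTLS" in msg:
                h["starttls_offered"] = True
        elif m := TLS_RE.search(line):
            hosts[m["host"]]["tls_required_not_offered"] = True
    return dict(hosts)

def diagnose(h):
    """Explain, from one host's findings, why STARTTLS never happened."""
    reasons = []
    if "disable_esmtp" in h["pix_flags"]:
        reasons.append("PIX workaround disable_esmtp is active, so ESMTP is switched off")
    if h["greeting"] == "HELO":
        reasons.append("client sent HELO; STARTTLS is only advertised in reply to EHLO")
    if h["banner_masked"]:
        reasons.append("220 banner is all asterisks: an SMTP 'fixup' firewall is inspecting the session")
    if h["tls_required_not_offered"] and not h["starttls_offered"]:
        reasons.append("security level encrypt needs STARTTLS, so delivery was deferred")
    return reasons
```

Run `diagnose(analyse(open("/var/log/mail.log").read())[host])` against your own debug_peer_list output to see which of the four conditions applies to each relay.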

Answer 2

smtp_tls_security_level = encrypt means you need client certificate verification, so the best practice is to keep it at may:

smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_auth_only = yes
# Enable Opportunistic TLS
smtp_tls_security_level = may
smtp_tls_cert_file=/var/keys/fullchain.pem
smtp_tls_key_file=/var/keys/privkey.pem

smtpd is for incoming connections: https://blog.matrixpost.net/enable-tls-for-postfix-on-ubuntu/