我正在使用 ubuntu 16.04 Xenial 在 EC2 虚拟机上设置使用 Dovecot SASL 身份验证的 Postfix 服务器。我可以向我的 Gmail 帐户发送邮件,但无法接收邮件。它应该将邮件存储在“usr/Maildir”中。如果我从 telnet 会话发送邮件,我也可以接收邮件。
我的设置如下:
在 /etc/postfix/main.cf 中
# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/mycrt.crt
smtpd_tls_key_file = /etc/postfix/ssl/mymail.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mail.mydomain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = $mydomain
mydomain = domain.com
mydestination = localhost.$mydomain, localhost, $mydomain
relayhost =
relay_domains = $mydestination
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mynetworks_style = host
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
html_directory = /usr/share/doc/postfix/html
home_mailbox = Maildir/
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain = mydomain.com
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_CAfile = /etc/ssl/certs/mycert.pem
smtpd_sasl_authenticated_header = yes
smtpd_sender_restrictions = reject_unknown_sender_domain
mailbox_command =
smtp_use_tls = yes
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_auth_only = no
在 /etc/dovecot/10-master.conf 中
# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
mode = 0666
user = postfix
group = postfix
}
在 /conf.d/10-auth.conf 中
# Space separated list of wanted authentication mechanisms:
# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
# gss-spnego
# NOTE: See also disable_plaintext_auth setting.
auth_mechanisms = plain login
#!include auth-deny.conf.ext
#!include auth-master.conf.ext
!include auth-system.conf.ext
#!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
#!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext
/var/log/mail.err 中的错误消息
Jul 3 19:29:46 ip-172-31-0-124 dovecot: auth: Error: read(anvil-auth-penalty) failed: EOF
Jul 3 19:29:46 ip-172-31-0-124 dovecot: auth: Error: net_connect_unix(anvil-auth-penalty) failed: Permission denied
和 /var/log/mail.log
Jul 3 22:41:38 ip-172-31-0-124 postfix/smtpd[18851]: connect from unknown[45.13.39.19]
Jul 3 22:41:40 ip-172-31-0-124 postfix/smtpd[18976]: connect from mail-vs1-f46.google.com[209.85.217.46]
Jul 3 22:41:40 ip-172-31-0-124 postfix/smtpd[18976]: lost connection after STARTTLS from mail-vs1-f46.google.com[209.85.217.46]
Jul 3 22:41:40 ip-172-31-0-124 postfix/cleanup[19071]: A305E4651D: message-id=<[email protected]>
Jul 3 22:41:40 ip-172-31-0-124 postfix/qmgr[18850]: A305E4651D: from=<[email protected]>, size=920, nrcpt=1 (queue active)
Jul 3 22:41:40 ip-172-31-0-124 postfix/smtpd[18976]: disconnect from mail-vs1-f46.google.com[209.85.217.46] ehlo=1 starttls=0/1 commands=1/2
Jul 3 22:41:40 ip-172-31-0-124 postfix/local[19073]: A305E4651D: to=<[email protected]>, orig_to=<postmaster>, relay=local, delay=0.01, delays=0/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
Jul 3 22:41:40 ip-172-31-0-124 postfix/qmgr[18850]: A305E4651D: removed
Jul 3 22:41:46 ip-172-31-0-124 postfix/smtpd[18851]: warning: unknown[45.13.39.19]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 3 22:41:47 ip-172-31-0-124 postfix/smtpd[18851]: disconnect from unknown[45.13.39.19] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
执行“openssl s_client -connect mydomain:25 -starttls smtp”输出:
CONNECTED(00000003)
139707798795928:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 285 bytes and written 340 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1562190493
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
我已经检查了 MX 注册表,一切正常。我花了很多时间解决这个问题。希望你能帮忙
答案1
这里的基本问题是您宣布使用starttls:
smtp_use_tls = yes
但您尚未配置有效的证书。这意味着 starttls 实际上会失败。
您必须禁用 TLS(设置smtp_use_tls = no)或安装适当的证书。Let's encrypt 证书非常适合此目的。
#Install certbot
sudo apt install certbot
#Get certificate
sudo certbot certonly --domain example.org
编辑以下参数main.cf:
smtpd_tls_cert_file = /etc/letsencrypt/live/example.org/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/example.org/privkey.pem
注释掉该smtpd_tls_CAfile行,因为 CA 证书与服务器证书捆绑在一起fullchain.pem。