使用 TLS/certficates 和用户名密码的 Postfix 中继服务器
Postfix relay server with TLS/certficates and username password
我负责设置 SMTP 中继服务器,将所有邮件中继到第 3 方安全 SMTP 服务器。此第 3 方服务器需要与证书和 username/password 登录的安全连接,然后才会接受来自我的 SMTP 中继服务器的邮件。
我已经配置了证书
# TLS settings
postconf -e "smtp_tls_security_level=verify"
postconf -e "smtp_tls_note_starttls_offer=yes"
postconf -e "smtp_tls_CApath=/etc/ssl/certs"
postconf -e "smtp_tls_cert_file=/etc/postfix/company.crt"
postconf -e "smtp_tls_key_file=/etc/postfix/company.pem"
这似乎工作正常
2019-05-05T08:37:25.729903-07:00 smtp-relays-test-1 postfix/smtp[119]: SSL_connect:SSLv3/TLS read change cipher spec
2019-05-05T08:37:25.729962-07:00 smtp-relays-test-1 postfix/smtp[119]: SSL_connect:SSLv3/TLS read finished
2019-05-05T08:37:25.730036-07:00 smtp-relays-test-1 postfix/smtp[119]: smtp.secureprovider.com[10.254.253.192]:587: Matched subjectAltName: smtp.secureprovider.com
2019-05-05T08:37:25.730287-07:00 smtp-relays-test-1 postfix/smtp[119]: smtp.secureprovider.com[10.254.253.192]:587 CommonName smtp.secureprovider.com
2019-05-05T08:37:25.730355-07:00 smtp-relays-test-1 postfix/smtp[119]: smtp.secureprovider.com[10.254.253.192]:587: subject_CN=smtp.secureprovider.com, issuer_CN=RapidSSL RSA CA 2018, fingerprint=1D:13:48:BB:92:E6:4E:AF:AC:6A:14:66:D8:F5:08:9F, pkey_fingerprint=CA:67:37:87:5F:47:51:0B:E5:7A:4A:4E:63:E0:75:CC
2019-05-05T08:37:25.730384-07:00 smtp-relays-test-1 postfix/smtp[119]: Verified TLS connection established to smtp.secureprovider.com[10.254.253.192]:587: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
已验证与 smtp.secureprovider.com[10.254.253.192]:587 的 TLS 连接:TLSv1.2 密码为 DHE-RSA-AES256-GCM-SHA384(256/256 位)
接下来应该启动密码验证。我可以在日志中看到使用了正确的 username/password :
2019-05-05T08:37:25.753993-07:00 smtp-relays-test-1 postfix/smtp[119]: < smtp.secureprovider.com[10.254.253.192]:587: 250-smtp.secureprovider.com
2019-05-05T08:37:25.754015-07:00 smtp-relays-test-1 postfix/smtp[119]: < smtp.secureprovider.com[10.254.253.192]:587: 250-PIPELINING
2019-05-05T08:37:25.754033-07:00 smtp-relays-test-1 postfix/smtp[119]: < smtp.secureprovider.com[10.254.253.192]:587: 250-SIZE 52428800
2019-05-05T08:37:25.754052-07:00 smtp-relays-test-1 postfix/smtp[119]: < smtp.secureprovider.com[10.254.253.192]:587: 250-VRFY
2019-05-05T08:37:25.754071-07:00 smtp-relays-test-1 postfix/smtp[119]: < smtp.secureprovider.com[10.254.253.192]:587: 250-ETRN
2019-05-05T08:37:25.754089-07:00 smtp-relays-test-1 postfix/smtp[119]: < smtp.secureprovider.com[10.254.253.192]:587: 250-AUTH PLAIN LOGIN
2019-05-05T08:37:25.754108-07:00 smtp-relays-test-1 postfix/smtp[119]: < smtp.secureprovider.com[10.254.253.192]:587: 250-AUTH=PLAIN LOGIN
2019-05-05T08:37:25.754127-07:00 smtp-relays-test-1 postfix/smtp[119]: < smtp.secureprovider.com[10.254.253.192]:587: 250-ENHANCEDSTATUSCODES
2019-05-05T08:37:25.754145-07:00 smtp-relays-test-1 postfix/smtp[119]: < smtp.secureprovider.com[10.254.253.192]:587: 250-8BITMIME
2019-05-05T08:37:25.754163-07:00 smtp-relays-test-1 postfix/smtp[119]: < smtp.secureprovider.com[10.254.253.192]:587: 250 DSN
2019-05-05T08:37:25.754193-07:00 smtp-relays-test-1 postfix/smtp[119]: server features: 0x902f size 52428800
2019-05-05T08:37:25.754215-07:00 smtp-relays-test-1 postfix/smtp[119]: Using ESMTP PIPELINING, TCP send buffer size is 46080, PIPELINING buffer size is 4096
2019-05-05T08:37:25.754286-07:00 smtp-relays-test-1 postfix/smtp[119]: maps_find: smtp_sasl_password_maps: smtp.secureprovider.com: not found
2019-05-05T08:37:25.754743-07:00 smtp-relays-test-1 postfix/smtp[119]: maps_find: smtp_sasl_password_maps: hash:/etc/postfix/sasl_passwd(0,lock|fold_fix|utf8_request): smtp.secureprovider.com:587 = username@secureprovider.com:XXXXXXXXXXX
2019-05-05T08:37:25.754780-07:00 smtp-relays-test-1 postfix/smtp[119]: smtp_sasl_passwd_lookup: host `smtp.secureprovider.com' user `username@secureprovider.com' pass `XXXXXXXXXXX'
2019-05-05T08:37:25.754803-07:00 smtp-relays-test-1 postfix/smtp[119]: starting new SASL client
2019-05-05T08:37:25.761839-07:00 smtp-relays-test-1 postfix/smtp[119]: name_mask: noanonymous
2019-05-05T08:37:25.762428-07:00 smtp-relays-test-1 postfix/smtp[119]: smtp_sasl_authenticate: smtp.secureprovider.com[10.254.253.192]:587: SASL mechanisms PLAIN LOGIN
2019-05-05T08:37:25.762493-07:00 smtp-relays-test-1 postfix/smtp[119]: warning: SASL authentication failure: No worthy mechs found
所以 username@secureprovider.com:XXXXXXXXXXX(混淆),我在日志中看到了正确的值。
但是最后几行是:
SASL 机制普通登录
警告:SASL 身份验证失败:找不到有价值的机甲
它失败了。
任何帮助表示赞赏!
这个错误导致了这个问题:https://bugs.alpinelinux.org/issues/9987
修复是安装额外的 sasl 包:
apk 添加--no-cache--升级cyrus-saslcyrus-sasl-普通cyrus-sasl-登录
我负责设置 SMTP 中继服务器,将所有邮件中继到第 3 方安全 SMTP 服务器。此第 3 方服务器需要与证书和 username/password 登录的安全连接,然后才会接受来自我的 SMTP 中继服务器的邮件。
我已经配置了证书
# TLS settings
postconf -e "smtp_tls_security_level=verify"
postconf -e "smtp_tls_note_starttls_offer=yes"
postconf -e "smtp_tls_CApath=/etc/ssl/certs"
postconf -e "smtp_tls_cert_file=/etc/postfix/company.crt"
postconf -e "smtp_tls_key_file=/etc/postfix/company.pem"
这似乎工作正常
2019-05-05T08:37:25.729903-07:00 smtp-relays-test-1 postfix/smtp[119]: SSL_connect:SSLv3/TLS read change cipher spec
2019-05-05T08:37:25.729962-07:00 smtp-relays-test-1 postfix/smtp[119]: SSL_connect:SSLv3/TLS read finished
2019-05-05T08:37:25.730036-07:00 smtp-relays-test-1 postfix/smtp[119]: smtp.secureprovider.com[10.254.253.192]:587: Matched subjectAltName: smtp.secureprovider.com
2019-05-05T08:37:25.730287-07:00 smtp-relays-test-1 postfix/smtp[119]: smtp.secureprovider.com[10.254.253.192]:587 CommonName smtp.secureprovider.com
2019-05-05T08:37:25.730355-07:00 smtp-relays-test-1 postfix/smtp[119]: smtp.secureprovider.com[10.254.253.192]:587: subject_CN=smtp.secureprovider.com, issuer_CN=RapidSSL RSA CA 2018, fingerprint=1D:13:48:BB:92:E6:4E:AF:AC:6A:14:66:D8:F5:08:9F, pkey_fingerprint=CA:67:37:87:5F:47:51:0B:E5:7A:4A:4E:63:E0:75:CC
2019-05-05T08:37:25.730384-07:00 smtp-relays-test-1 postfix/smtp[119]: Verified TLS connection established to smtp.secureprovider.com[10.254.253.192]:587: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
已验证与 smtp.secureprovider.com[10.254.253.192]:587 的 TLS 连接:TLSv1.2 密码为 DHE-RSA-AES256-GCM-SHA384(256/256 位)
接下来应该启动密码验证。我可以在日志中看到使用了正确的 username/password :
2019-05-05T08:37:25.753993-07:00 smtp-relays-test-1 postfix/smtp[119]: < smtp.secureprovider.com[10.254.253.192]:587: 250-smtp.secureprovider.com
2019-05-05T08:37:25.754015-07:00 smtp-relays-test-1 postfix/smtp[119]: < smtp.secureprovider.com[10.254.253.192]:587: 250-PIPELINING
2019-05-05T08:37:25.754033-07:00 smtp-relays-test-1 postfix/smtp[119]: < smtp.secureprovider.com[10.254.253.192]:587: 250-SIZE 52428800
2019-05-05T08:37:25.754052-07:00 smtp-relays-test-1 postfix/smtp[119]: < smtp.secureprovider.com[10.254.253.192]:587: 250-VRFY
2019-05-05T08:37:25.754071-07:00 smtp-relays-test-1 postfix/smtp[119]: < smtp.secureprovider.com[10.254.253.192]:587: 250-ETRN
2019-05-05T08:37:25.754089-07:00 smtp-relays-test-1 postfix/smtp[119]: < smtp.secureprovider.com[10.254.253.192]:587: 250-AUTH PLAIN LOGIN
2019-05-05T08:37:25.754108-07:00 smtp-relays-test-1 postfix/smtp[119]: < smtp.secureprovider.com[10.254.253.192]:587: 250-AUTH=PLAIN LOGIN
2019-05-05T08:37:25.754127-07:00 smtp-relays-test-1 postfix/smtp[119]: < smtp.secureprovider.com[10.254.253.192]:587: 250-ENHANCEDSTATUSCODES
2019-05-05T08:37:25.754145-07:00 smtp-relays-test-1 postfix/smtp[119]: < smtp.secureprovider.com[10.254.253.192]:587: 250-8BITMIME
2019-05-05T08:37:25.754163-07:00 smtp-relays-test-1 postfix/smtp[119]: < smtp.secureprovider.com[10.254.253.192]:587: 250 DSN
2019-05-05T08:37:25.754193-07:00 smtp-relays-test-1 postfix/smtp[119]: server features: 0x902f size 52428800
2019-05-05T08:37:25.754215-07:00 smtp-relays-test-1 postfix/smtp[119]: Using ESMTP PIPELINING, TCP send buffer size is 46080, PIPELINING buffer size is 4096
2019-05-05T08:37:25.754286-07:00 smtp-relays-test-1 postfix/smtp[119]: maps_find: smtp_sasl_password_maps: smtp.secureprovider.com: not found
2019-05-05T08:37:25.754743-07:00 smtp-relays-test-1 postfix/smtp[119]: maps_find: smtp_sasl_password_maps: hash:/etc/postfix/sasl_passwd(0,lock|fold_fix|utf8_request): smtp.secureprovider.com:587 = username@secureprovider.com:XXXXXXXXXXX
2019-05-05T08:37:25.754780-07:00 smtp-relays-test-1 postfix/smtp[119]: smtp_sasl_passwd_lookup: host `smtp.secureprovider.com' user `username@secureprovider.com' pass `XXXXXXXXXXX'
2019-05-05T08:37:25.754803-07:00 smtp-relays-test-1 postfix/smtp[119]: starting new SASL client
2019-05-05T08:37:25.761839-07:00 smtp-relays-test-1 postfix/smtp[119]: name_mask: noanonymous
2019-05-05T08:37:25.762428-07:00 smtp-relays-test-1 postfix/smtp[119]: smtp_sasl_authenticate: smtp.secureprovider.com[10.254.253.192]:587: SASL mechanisms PLAIN LOGIN
2019-05-05T08:37:25.762493-07:00 smtp-relays-test-1 postfix/smtp[119]: warning: SASL authentication failure: No worthy mechs found
所以 username@secureprovider.com:XXXXXXXXXXX(混淆),我在日志中看到了正确的值。
但是最后几行是:
SASL 机制普通登录 警告:SASL 身份验证失败:找不到有价值的机甲
它失败了。 任何帮助表示赞赏!
这个错误导致了这个问题:https://bugs.alpinelinux.org/issues/9987
修复是安装额外的 sasl 包:
apk 添加--no-cache--升级cyrus-saslcyrus-sasl-普通cyrus-sasl-登录