Postfix "Trusted TLS connection established" but "Server certificate not verified"

Jof*_*fre 6 postfix tls starttls

I am using a Postfix TLS policy to enforce TLS for outgoing email. Unfortunately, in some cases certificate verification fails and I don't know why.

For example, here is an excerpt from my TLS policy:

#/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA 
facebook.com    secure ciphers=high 
hearst.com      secure match=gslb.pphosted.com ciphers=high 
fastmail.fm     secure ciphers=high 

All three of these providers use the same root CA. I can send email to facebook.com without any problem. For hearst.com I have to specify a CN match, because the certificate does not have the correct SAN field. What I don't understand is why I also have to add a match CN for fastmail.fm; otherwise certificate verification fails. The certificate is trusted, the target server name is smtp.messagingengine.com, and the certificate has a SAN field that matches it (*.messagingengine.com):

Feb 25 21:57:22 mail postfix/smtp[25291]: Trusted TLS connection established to in1-smtp.messagingengine.com[66.111.4.74]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) 
Feb 25 21:57:22 mail postfix/smtp[25291]: D33A02504112: to=<rttttxxxxxxxxxxx@fastmail.fm>, relay=in1-smtp.messagingengine.com[66.111.4.74]:25, delay=8.4, delays=0.02/0/8.4/0, dsn=4.7.5, status=deferred (Server certificate not verified)

Does anyone know why the certificate is not accepted? Any suggestions for enforcing a "secure" TLS policy without having to specify match rules?

Version details

root@mail:/etc/postfix# uname -a
Linux mail.EXAMPLE.com 3.13.0-65-generic #106-Ubuntu SMP Fri Oct 2 22:08:27 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
root@mail:/etc/postfix# postconf -d | grep mail_version
mail_version = 2.11.0
milter_macro_v = $mail_name $mail_version

Extended log

Feb 25 21:57:22 mail postfix/smtp[25291]: setting up TLS connection to in1-smtp.messagingengine.com[66.111.4.74]:25 
Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25: TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH:!MD5:!DES:!ADH:!RC4:!PSD:!SRP:!3DES:!eNULL:!aNULL" 
Feb 25 21:57:22 mail postfix/smtp[25291]: looking for session smtp&fastmail.fm&in1-smtp.messagingengine.com&66.111.4.74&&FC83E1ADCEDFC581CE5F87CAF6E49FEFFF83CD0F9EBC0B57C4A19ED3DC3416EC in smtp cache 
Feb 25 21:57:22 mail postfix/tlsmgr[25292]: lookup smtp session id=smtp&fastmail.fm&in1-smtp.messagingengine.com&66.111.4.74&&FC83E1ADCEDFC581CE5F87CAF6E49FEFFF83CD0F9EBC0B57C4A19ED3DC3416EC 
Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:before/connect initialization 
Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:unknown state 
Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:SSLv3 read server hello A 
Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25: depth=2 verify=1 subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA 
Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25: depth=1 verify=1 subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA 
Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25: depth=0 verify=1 subject=/C=AU/ST=Victoria/L=Melbourne/O=FastMail Pty Ltd/CN=*.messagingengine.com 
Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:SSLv3 read server certificate A 
Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:SSLv3 read server key exchange A 
Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:SSLv3 read server done A 
Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:SSLv3 write client key exchange A 
Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:SSLv3 write change cipher spec A 
Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:SSLv3 write finished A 
Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:SSLv3 flush data 
Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:SSLv3 read server session ticket A 
Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:SSLv3 read finished A 
Feb 25 21:57:22 mail postfix/smtp[25291]: save session smtp&fastmail.fm&in1-smtp.messagingengine.com&66.111.4.74&&FC83E1ADCEDFC581CE5F87CAF6E49FEFFF83CD0F9EBC0B57C4A19ED3DC3416EC to smtp cache 
Feb 25 21:57:22 mail postfix/tlsmgr[25292]: put smtp session id=smtp&fastmail.fm&in1-smtp.messagingengine.com&66.111.4.74&&FC83E1ADCEDFC581CE5F87CAF6E49FEFFF83CD0F9EBC0B57C4A19ED3DC3416EC [data 1788 bytes] 
Feb 25 21:57:22 mail postfix/tlsmgr[25292]: write smtp TLS cache entry smtp&fastmail.fm&in1-smtp.messagingengine.com&66.111.4.74&&FC83E1ADCEDFC581CE5F87CAF6E49FEFFF83CD0F9EBC0B57C4A19ED3DC3416EC: time=1456433842 [data 1788 bytes] 
Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25: subjectAltName: *.messagingengine.com 
Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25: subjectAltName: messagingengine.com 
Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25: subjectAltName: mail.messagingengine.com 
Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25: subjectAltName: dav.messagingengine.com 
Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25: subjectAltName: caldav.messagingengine.com 
Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25: subjectAltName: carddav.messagingengine.com 
Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25 CommonName *.messagingengine.com 
Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25: subject_CN=*.messagingengine.com, issuer_CN=DigiCert SHA2 High Assurance Server CA, fingerprint=D8:F5:7E:43:A8:DA:29:22:6B:7E:90:A6:31:86:C8:CD, pkey_fingerprint=49:07:46:E5:F1:35:C2:96:75:09:67:BE:D9:FE:DB:46 
Feb 25 21:57:22 mail postfix/smtp[25291]: Trusted TLS connection established to in1-smtp.messagingengine.com[66.111.4.74]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) 
Feb 25 21:57:22 mail postfix/smtp[25291]: D33A02504112: to=<rttttxxxxxxxxxxx@fastmail.fm>, relay=in1-smtp.messagingengine.com[66.111.4.74]:25, delay=8.4, delays=0.02/0/8.4/0, dsn=4.7.5, status=deferred (Server certificate not verified)  

main.cf

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

smtpd_banner = mail.EXAMPLE.com ESMTP $mail_name (nou)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/EXAMPLE.com.crt
smtpd_tls_key_file = /etc/ssl/private/EXAMPLE.com.key
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_security_level = may
smtpd_tls_mandatory_ciphers = high
smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL 
smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL 
smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL 
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_starttls_timeout = 300s
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
smtpd_tls_eecdh_grade = strong
tls_preempt_cipherlist = yes

#smtp_tls_note_starttls_offer = yes
#smtp_tls_per_site = may

# Logging
smtp_tls_loglevel = 2 
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

myhostname = mail.EXAMPLE.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = mail.EXAMPLE.com, localhost.contabo.host, localhost
relayhost = 
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all

# Handing off local delivery to Dovecot's LMTP
virtual_transport = lmtp:unix:private/dovecot-lmtp

#Enabling SMTP for authenticated users, and handing off authentication to Dovecot
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

smtp_tls_security_level = may
# Force TLS for outgoing server connection
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_CApath = /etc/postfix/rootcas/ 

#Virtual domains, users, and aliases
virtual_mailbox_domains = /etc/postfix/virtual_mailbox_domains
virtual_mailbox_base =  /var/mail/vhosts
virtual_mailbox_maps = hash:/etc/postfix/vmaps
virtual_uid_maps = static:1001
virtual_gid_maps = static:1001
virtual_alias_maps = hash:/etc/postfix/valias

# DKIM
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

content_filter = smtp-amavis:[127.0.0.1]:10024
message_size_limit = 0

master.cf

smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=may
pickup    unix  n       -       -       60      1       pickup
   -o content_filter=
   -o receive_override_options=no_header_body_checks
cleanup   unix  n       -       -       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache

maildrop  unix  -       n       n       -       -       pipe
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

smtp-amavis     unix    -       -       -       -       2       smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes
        -o disable_dns_lookups=yes
        -o max_use=20

127.0.0.1:10025 inet    n       -       -       -       -       smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_delay_reject=no
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_data_restrictions=reject_unauth_pipelining
        -o smtpd_end_of_data_restrictions=
        -o mynetworks=127.0.0.0/8
        -o smtpd_error_sleep_time=0
        -o smtpd_soft_error_limit=1001
        -o smtpd_hard_error_limit=1000
        -o smtpd_client_connection_count_limit=0
        -o smtpd_client_connection_rate_limit=0
        -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

rog*_*ovo 4

At the secure level you ask postfix to verify the relationship between the recipient and the server, but in a secure way (not relying on DNS data).

It correctly establishes a Trusted TLS connection (the certificate is signed by a CA you know/trust).

Then it tries to securely verify server/recipient (whether any CN/SAN matches fastmail.fm), and they do not match. So the message is deferred in the local queue.

The certificate for messagingengine.com/gslb.pphosted.com does not vouch for the other domains it accepts mail for. facebook.com verifies itself.

By adding match to secure you are modifying it to match the MX, which is what verify actually does. So you can drop down to verify, or keep adding match entries.

smtp_tls_security_level

  • may: TLS? OK. No TLS? OK.
  • encrypt: accepts any invalid server certificate, requires encryption.
  • verify: accepts a trusted server certificate (do I trust the CA? does the CN match the MX?), requires encryption.
  • secure: accepts a trusted certificate only if the CN/SAN matches the recipient domain, and ignores the insecure (MX) information for verification.

The postfix documentation is a bit unclear when it explains the differences.
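To make the difference between the verify and secure levels concrete, here is an added example (not Postfix code and not from either poster) that re-implements the name-matching rules postconf(5) documents for smtp_tls_verify_cert_match (default "hostname") and smtp_tls_secure_cert_match (default "nexthop, dot-nexthop"), and runs them over the certificate names Postfix printed in the question's log. It assumes that only DNS subjectAltNames are consulted when any are present (the CN is a fallback), that a leading "*" in a certificate name covers exactly one label, that a pattern with a leading "." matches strict sub-domains only, and that a match= list replaces the level's default patterns; the sample inputs are constructed from the log lines above.

```python
"""Re-implementation (added example, not Postfix's own code) of how the
Postfix SMTP client matches a server certificate's names at the "verify"
and "secure" TLS security levels, following the postconf(5) descriptions
of smtp_tls_verify_cert_match and smtp_tls_secure_cert_match."""
from typing import List, Optional, Tuple

# Default match lists per security level (postconf(5) defaults).
DEFAULT_MATCH = {
    "verify": ["hostname"],
    "secure": ["nexthop", "dot-nexthop"],
}


def name_matches(certid: str, pattern: str, nexthop: str, hostname: str) -> bool:
    """True if one certificate name (certid) satisfies one match pattern."""
    certid = certid.lower().rstrip(".")
    subdomain = False
    if pattern == "nexthop":            # the recipient / next-hop domain
        domain = nexthop
    elif pattern == "hostname":         # the MX host name we connected to
        domain = hostname
    elif pattern == "dot-nexthop":      # any strict sub-domain of nexthop
        domain, subdomain = nexthop, True
    elif pattern.startswith(".") and len(pattern) > 1:
        domain, subdomain = pattern[1:], True   # literal ".example.com"
    else:
        domain = pattern                # literal name from match=
    domain = domain.lower().rstrip(".")

    if subdomain:
        # certid must be "<something>.<domain>"; the domain itself is not enough.
        return certid.endswith("." + domain)
    if certid == domain:
        return True
    # Assumption: "*.example.com" matches "host.example.com" (exactly one
    # label) but neither "example.com" nor "a.b.example.com".
    if certid.startswith("*.") and len(certid) > 2:
        first_dot = domain.find(".")
        return first_dot > 0 and domain[first_dot:] == certid[1:]
    return False


def cert_names(sans: List[str], cn: Optional[str]) -> List[str]:
    """Names that are compared: DNS SANs when present, otherwise the CN."""
    return list(sans) if sans else ([cn] if cn else [])


def check_server_name(level: str, nexthop: str, hostname: str,
                      sans: List[str], cn: Optional[str] = None,
                      match: Optional[List[str]] = None) -> Tuple[bool, str]:
    """Decide whether the certificate name check passes for one policy entry.

    level    -- "verify" or "secure" (the levels that check names)
    nexthop  -- the recipient domain, e.g. fastmail.fm
    hostname -- the MX host name Postfix connected to (from DNS)
    match    -- explicit match= list from the policy table, None for defaults
    Returns (ok, explanation).
    """
    if level not in DEFAULT_MATCH:
        return True, f"level {level!r} does not check certificate names"
    patterns = match if match else DEFAULT_MATCH[level]
    for pat in patterns:
        for certid in cert_names(sans, cn):
            if name_matches(certid, pat, nexthop, hostname):
                return True, f"{certid} satisfies pattern {pat!r}"
    return False, f"Server certificate not verified (no name matched {patterns})"


# Constructed from the log lines in the question: next-hop fastmail.fm,
# MX in1-smtp.messagingengine.com, and the SANs/CN Postfix printed.
FASTMAIL_SANS = [
    "*.messagingengine.com", "messagingengine.com", "mail.messagingengine.com",
    "dav.messagingengine.com", "caldav.messagingengine.com",
    "carddav.messagingengine.com",
]
FASTMAIL_CN = "*.messagingengine.com"
NEXTHOP, MX = "fastmail.fm", "in1-smtp.messagingengine.com"

if __name__ == "__main__":
    cases = [
        ("secure, no match=", {}),
        ("secure match=messagingengine.com", {"match": ["messagingengine.com"]}),
        ("secure match=.messagingengine.com", {"match": [".messagingengine.com"]}),
        ("verify (hostname)", {"level": "verify"}),
    ]
    for label, overrides in cases:
        args = dict(level="secure", nexthop=NEXTHOP, hostname=MX,
                    sans=FASTMAIL_SANS, cn=FASTMAIL_CN)
        args.update(overrides)
        ok, why = check_server_name(**args)
        print(f"{label:36s} -> {'OK' if ok else 'DEFERRED'}: {why}")
```

Run stand-alone, the first case reproduces the "Server certificate not verified" deferral: none of the six names is fastmail.fm or a sub-domain of it. Adding match=messagingengine.com (or the sub-domain form .messagingengine.com) passes, and so does the verify level, whose "hostname" pattern compares against the MX host name that *.messagingengine.com covers. Which of those two you pick is the trade-off the answer describes: the match= entry keeps the MX name out of the decision, while verify trusts the DNS-supplied MX name.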