
I am currently setting up a somewhat unusual personal email server using OpenSMTPD. I have a local server (a Raspberry Pi) and a remote server (a VPS). Email sent to me goes to the remote server and is then relayed to my local server. When I send email, it goes from my local server to the remote server and then on to the recipient. Right now I am only testing inbound mail, and it mostly works, except for one thing: TLS.
If the local server has "tls-require" set, the remote server appears to be able to connect, but the connection drops and it tries to downgrade to plain (smtp+notls), which of course fails. If I use "tls" instead of "tls-require", the same thing happens, but the smtp+notls attempt works.
The error messages do not seem very helpful. On the remote server I get "opportunistic TLS failed, downgrading to plain". As I said, on the local server the connection appears to succeed (at least I think so), but then it drops:
smtp connected address=redacted.remote.ip.address host=mx1.mydomain.tld
smtp tls ciphers=TLSv1.3:TLS_AES_256_GCM_SHA384:256
smtp disconnected reason=disconnect
When I try to send an email using openssl (from the remote server), I get a somewhat more informative error message:
openssl s_client -debug -starttls smtp -crlf -connect redacted.local.ip.address:25
From the remote server everything goes fine until I enter the recipient, at which point I get an SSL error:
RCPT TO:<[email protected]>
RENEGOTIATING
17412933263728:error:1404C042:SSL routines:ST_OK:called a function you should not call:/usr/src/lib/libssl/ssl_lib.c:2529:
That error seems to provide more information, but I could not find anything relevant about it. On the local server I see exactly the same error as before.
I know many people do not use forced TLS for email, but in this use case I would really like to get it working.
My local server runs "Raspberry Pi OS 11 Bullseye 64-bit" and OpenSMTPD 6.8.0p2 (the latest version in apt).
My remote server runs "OpenBSD 7.0 GENERIC#224 amd64" and OpenSMTPD 7.0.0.
Any advice would be greatly appreciated. Please let me know if you need more information.
My configuration is as follows.
Local server smtpd.conf:
table aliases "/etc/smtpd/aliases"
table domains "/etc/smtpd/domains"
table passwds "/etc/smtpd/passwds"
table remote-servers "/etc/smtpd/remote-servers"
pki "mydomain.tld" cert "/etc/letsencrypt/live/mydomain.tld/fullchain.pem"
pki "mydomain.tld" key "/etc/letsencrypt/live/mydomain.tld/privkey.pem"
# Do I want srs here, on the remote, or both?
srs key "redacted key"
filter "rdns" phase connect match !rdns disconnect "550 DNS error"
filter "fcrdns" phase connect match !fcrdns disconnect "550 DNS error"
filter "rspamd" proc-exec "/etc/smtpd/filter-rspamd"
# Inbound
listen on eth0 port 25 tls-require pki "mydomain.tld" filter { "rdns", "fcrdns", "rspamd" }
#listen on eth0 port 25 tls pki "mydomain.tld" filter { "rdns", "fcrdns", "rspamd" }
action "RECV" lmtp "/var/run/dovecot/lmtp" rcpt-to virtual <aliases>
match from src <remote-servers> for domain <domains> action "RECV"
match !from src <remote-servers> for domain <domains> reject
# Outbound
listen on eth0 port 465 smtps pki "mydomain.tld" auth <passwds> filter "rspamd" mask-src
listen on eth0 port 587 tls-require pki "mydomain.tld" auth <passwds> filter "rspamd" mask-src
action "SEND" relay host mx1.mydomain.tld:465
match from any auth for any action "SEND"
Remote server smtpd.conf:
table aliases "/etc/smtpd/aliases"
table domains "/etc/smtpd/domains"
pki "mydomain.tld" cert "/etc/letsencrypt/live/mydomain.tld/fullchain.pem"
pki "mydomain.tld" key "/etc/letsencrypt/live/mydomain.tld/privkey.pem"
# Do I want srs here, on the remote, or both?
srs key "same redacted key"
filter "rdns" phase connect match !rdns disconnect "550 DNS error"
filter "fcrdns" phase connect match !fcrdns disconnect "550 DNS error"
# Inbound
listen on eth0 port 25 tls pki "mydomain.tld" filter { "rdns", "fcrdns" }
action "RECV" relay host redacted.local.ip.address:25
match from any for domain <domains> action "RECV"
# Outbound
listen on eth0 port 465 smtps pki "mydomain.tld" mask-src
action "SEND" relay srs
match from src redacted.local.ip.address for any action "SEND"
match !from src redacted.local.ip.address for any reject
Here is the maillog with "tls-require" set:
Local server maillog:
Apr 3 11:57:26 LocalHostname smtpd[3614276]: 3c3d3943d2bc7134 smtp connected address=redacted.remote.ip.address host=mx1.mydomain.tld
Apr 3 11:57:26 LocalHostname smtpd[3614276]: 3c3d3943d2bc7134 smtp tls ciphers=TLSv1.3:TLS_AES_256_GCM_SHA384:256
Apr 3 11:57:26 LocalHostname smtpd[3614276]: 3c3d3943d2bc7134 smtp disconnected reason=disconnect
Apr 3 11:57:26 LocalHostname smtpd[3614276]: 3c3d39441db05cc1 smtp connected address=redacted.remote.ip.address host=mx1.mydomain.tld
Apr 3 11:57:26 LocalHostname smtpd[3614276]: 3c3d39441db05cc1 smtp failed-command command="MAIL FROM:<[email protected]>" result="530 5.5.1 Invalid command: Must issue a STARTTLS command first"
Apr 3 11:57:43 LocalHostname smtpd[3614276]: 3c3d39441db05cc1 smtp disconnected reason=quit
Remote server maillog:
Apr 3 11:57:19 RemoteHostname smtpd[94758]: 7349563019b45aeb smtp connected address=209.85.128.178 host=mail-yw1-f178.google.com
Apr 3 11:57:19 RemoteHostname smtpd[94758]: 7349563019b45aeb smtp tls ciphers=TLSv1.3:AEAD-AES256-GCM-SHA384:256
Apr 3 11:57:20 RemoteHostname smtpd[94758]: 7349563019b45aeb smtp message msgid=f8226363 size=2682 nrcpt=1 proto=ESMTP
Apr 3 11:57:20 RemoteHostname smtpd[94758]: 7349563019b45aeb smtp envelope evpid=f822636342a8821f from=<[email protected]> to=<[email protected]>
Apr 3 11:57:20 RemoteHostname smtpd[94758]: 734956336de69e03 mta connecting address=smtp://redacted.local.ip.address:25 host=redacted-local-ip-address.isp.tld
Apr 3 11:57:20 RemoteHostname smtpd[94758]: 734956336de69e03 mta connected
Apr 3 11:57:20 RemoteHostname smtpd[94758]: 7349563019b45aeb smtp disconnected reason=quit
Apr 3 11:57:20 RemoteHostname smtpd[94758]: smtp-out: Error on session 734956336de69e03: opportunistic TLS failed, downgrading to plain
Apr 3 11:57:20 RemoteHostname smtpd[94758]: 734956336de69e03 mta connecting address=smtp+notls://redacted.local.ip.address:25 host=redacted-local-ip-address.isp.tld
Apr 3 11:57:20 RemoteHostname smtpd[94758]: 734956336de69e03 mta connected
Apr 3 11:57:20 RemoteHostname smtpd[94758]: 734956336de69e03 mta delivery evpid=f822636342a8821f from=<[email protected]> to=<[email protected]> rcpt=<-> source="redacted.remote.ip.address" relay="redacted.local.ip.address (redacted-local-ip-address.isp.tld)" delay=1s result="PermFail" stat="530 5.5.1 Invalid command: Must issue a STARTTLS command first"
Apr 3 11:57:22 RemoteHostname smtpd[94758]: 73495634e55adfe9 smtp connected address=local host=mx1.mydomain.tld
Apr 3 11:57:22 RemoteHostname smtpd[94758]: 73495634e55adfe9 smtp failed-command command="RCPT TO: <[email protected]>" result="550 Invalid recipient: <[email protected]>"
Apr 3 11:57:22 RemoteHostname smtpd[11238]: warn: PermFail injecting failure report on message f8226363 to <[email protected]> for 1 envelope: 550 Invalid recipient: <[email protected]>
Apr 3 11:57:22 RemoteHostname smtpd[94758]: 73495634e55adfe9 smtp disconnected reason=quit
Apr 3 11:57:37 RemoteHostname smtpd[94758]: 734956336de69e03 mta disconnected reason=quit messages=0
And here is the maillog I just got with "tls" set:
Local server maillog:
Apr 3 12:07:09 LocalHostname smtpd[3849290]: b981307e92d2eeac smtp connected address=redacted.remote.ip.address host=mx1.mydomain.tld
Apr 3 12:07:09 LocalHostname smtpd[3849290]: b981307e92d2eeac smtp tls ciphers=TLSv1.3:TLS_AES_256_GCM_SHA384:256
Apr 3 12:07:09 LocalHostname smtpd[3849290]: b981307e92d2eeac smtp disconnected reason=disconnect
Apr 3 12:07:09 LocalHostname smtpd[3849290]: b981307ff6e18ae3 smtp connected address=redacted.remote.ip.address host=mx1.mydomain.tld
Apr 3 12:07:10 LocalHostname smtpd[3849290]: b981307ff6e18ae3 smtp message msgid=082c7a5e size=2850 nrcpt=1 proto=ESMTP
Apr 3 12:07:10 LocalHostname smtpd[3849290]: b981307ff6e18ae3 smtp envelope evpid=082c7a5e9dec905f from=<[email protected]> to=<[email protected]>
Apr 3 12:07:11 LocalHostname dovecot: lmtp(3967460): Connect from local
Apr 3 12:07:11 LocalHostname dovecot: lmtp([email protected])<3967460><hmVpIN9/SWLkiTwAmV7YnQ>: msgid=<CACebY1Hm4jdhjFKoZ2374zbEq1MZV-yTxsUauV4gzxXqNBVeaQ@mail.gmail.com>: saved mail to INBOX
Apr 3 12:07:11 LocalHostname dovecot: lmtp(3967460): Disconnect from local: Client has quit the connection (state=READY)
Apr 3 12:07:11 LocalHostname smtpd[3849290]: b981308066da2115 mda delivery evpid=082c7a5e9dec905f from=<[email protected]> to=<[email protected]> rcpt=<[email protected]> user=vmail delay=2s result=Ok stat=Delivered
Apr 3 12:07:27 LocalHostname smtpd[3849290]: b981307ff6e18ae3 smtp disconnected reason=quit
Remote server maillog:
Apr 3 12:06:59 RemoteHostname smtpd[94758]: 73495635c8c7456b smtp connected address=209.85.219.174 host=mail-yb1-f174.google.com
Apr 3 12:06:59 RemoteHostname smtpd[94758]: 73495635c8c7456b smtp tls ciphers=TLSv1.3:AEAD-AES256-GCM-SHA384:256
Apr 3 12:07:00 RemoteHostname smtpd[94758]: 73495635c8c7456b smtp message msgid=b912e335 size=2670 nrcpt=1 proto=ESMTP
Apr 3 12:07:00 RemoteHostname smtpd[94758]: 73495635c8c7456b smtp envelope evpid=b912e33501250790 from=<[email protected]> to=<[email protected]>
Apr 3 12:07:00 RemoteHostname smtpd[94758]: 7349563834c66e1a mta connecting address=smtp://redacted.local.ip.address:25 host=redacted-local-ip-address.isp.tld
Apr 3 12:07:00 RemoteHostname smtpd[94758]: 7349563834c66e1a mta connected
Apr 3 12:07:00 RemoteHostname smtpd[94758]: 73495635c8c7456b smtp disconnected reason=quit
Apr 3 12:07:00 RemoteHostname smtpd[94758]: smtp-out: Error on session 7349563834c66e1a: opportunistic TLS failed, downgrading to plain
Apr 3 12:07:00 RemoteHostname smtpd[94758]: 7349563834c66e1a mta connecting address=smtp+notls://redacted.local.ip.address:25 host=redacted-local-ip-address.isp.tld
Apr 3 12:07:00 RemoteHostname smtpd[94758]: 7349563834c66e1a mta connected
Apr 3 12:07:02 RemoteHostname smtpd[94758]: 7349563834c66e1a mta delivery evpid=b912e33501250790 from=<[email protected]> to=<[email protected]> rcpt=<-> source="redacted.remote.ip.address" relay="redacted.local.ip.address (redacted-local-ip-address.isp.tld)" delay=2s result="Ok" stat="250 2.0.0 082c7a5e Message accepted for delivery"
Apr 3 12:07:19 RemoteHostname smtpd[94758]: 7349563834c66e1a mta disconnected reason=quit messages=1
Remote server pf.conf:
# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf
set skip on lo
block return # block stateless traffic
pass # establish keep-state
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010
# Port build user does not need network
block return out log proto {tcp udp} user _pbuild
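An added example, not part of the post above: a small Python checker that groups OpenSMTPD maillog lines by session id and flags the three shapes visible in the logs posted (a TLS handshake followed by an immediate peer disconnect on the inbound side, a plaintext MAIL FROM rejected by a tls-require listener, and an outbound relay falling back from opportunistic TLS to smtp+notls). The sample log is constructed, and the regexes assume the stock smtpd log format shown in the post.

```python
import re
from collections import defaultdict

# Constructed sample (made-up hosts, addresses and session ids) in the maillog format smtpd emits.
SAMPLE_LOG = """\
Apr 3 11:57:26 pi smtpd[3614276]: 3c3d3943d2bc7134 smtp connected address=198.51.100.7 host=mx1.example.test
Apr 3 11:57:26 pi smtpd[3614276]: 3c3d3943d2bc7134 smtp tls ciphers=TLSv1.3:TLS_AES_256_GCM_SHA384:256
Apr 3 11:57:26 pi smtpd[3614276]: 3c3d3943d2bc7134 smtp disconnected reason=disconnect
Apr 3 11:57:26 pi smtpd[3614276]: 3c3d39441db05cc1 smtp failed-command command="MAIL FROM:<a@example.test>" result="530 5.5.1 Invalid command: Must issue a STARTTLS command first"
Apr 3 11:57:20 vps smtpd[94758]: 734956336de69e03 mta connecting address=smtp://203.0.113.9:25 host=pi.isp.test
Apr 3 11:57:20 vps smtpd[94758]: smtp-out: Error on session 734956336de69e03: opportunistic TLS failed, downgrading to plain
Apr 3 11:57:20 vps smtpd[94758]: 734956336de69e03 mta connecting address=smtp+notls://203.0.113.9:25 host=pi.isp.test
Apr 3 11:57:21 vps smtpd[94758]: 1111111111111111 smtp tls ciphers=TLSv1.3:AEAD-AES256-GCM-SHA384:256
Apr 3 11:57:22 vps smtpd[94758]: 1111111111111111 smtp message msgid=deadbeef size=100 nrcpt=1 proto=ESMTP
Apr 3 11:57:22 vps smtpd[94758]: 1111111111111111 smtp disconnected reason=quit
"""
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ smtpd\[\d+\]: (.*)$")
EVENT = re.compile(r"^([0-9a-f]{16}) (smtp|mta) (\S+)(?: (.*))?$")
ERROR = re.compile(r"^smtp-out: Error on session ([0-9a-f]{16}): (.*)$")

def sessions_from_log(log):
    """Group smtpd lines by session id -> [(event, detail), ...]; other daemons are skipped."""
    sessions = defaultdict(list)
    for raw in log.splitlines():
        if not (m := LINE.match(raw)):
            continue
        if e := EVENT.match(m.group(1)):
            sid, side, ev, detail = e.groups()
            sessions[sid].append((f"{side} {ev}", detail or ""))
        elif e := ERROR.match(m.group(1)):
            sessions[e.group(1)].append(("mta error", e.group(2)))
    return sessions

def find_tls_issues(log):
    """Return {session_id: [finding, ...]} for the failure shapes seen in the post's logs."""
    findings = defaultdict(list)
    for sid, evs in sessions_from_log(log).items():
        names = {ev for ev, _ in evs}
        # Handshake logged as complete, then the peer hung up without a message: in TLS 1.3
        # the server finishes first, so a client-side certificate verify failure looks like this.
        if "smtp tls" in names and "smtp message" not in names \
                and ("smtp disconnected", "reason=disconnect") in evs:
            findings[sid].append("tls-then-peer-drop")
        if any("Must issue a STARTTLS command first" in d for _, d in evs):
            findings[sid].append("plaintext-rejected-by-tls-require")
        # The outbound MTA gave up on STARTTLS and retried the same host in the clear.
        if ("mta error", "opportunistic TLS failed, downgrading to plain") in evs:
            findings[sid].append("opportunistic-tls-downgrade")
        if any(ev == "mta connecting" and d.startswith("address=smtp+notls://") for ev, d in evs):
            findings[sid].append("plaintext-relay-attempt")
    return dict(findings)
```

The downgrade finding is the one worth alerting on in production: a relay that silently falls back to plaintext looks the same whether the cause is a certificate mismatch on the receiving host or something on the path interfering with STARTTLS.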