我不是郵件伺服器配置方面的專家,而且我不太熟悉使電子郵件正常工作所需的一切(主要是配置 DNS 記錄以與電子郵件傳送一起使用),就像一個沒有問題的魅力。因此,我很高興收到一些精彩視頻的鏈接,解釋它是如何工作的,我需要執行哪些步驟才能根據一些通用準則或有關我的配置問題的信息來配置所有內容,因為我嘗試了不同的事情並且沒有運氣解決我的問題。
我有自己的 Linux 伺服器,運行 Ubuntu 17.04,並且為我的公司電子郵件設定了 postfix 和 dovecot。
問題是,每當我向 Gmail 帳戶發送電子郵件時,在訊息中,您都可以看到紅色圖示 (http://puu.sh/x8ses/9c1a5fef89.png)並且它說“bisart.eu 沒有加密此訊息”。
原始訊息:
Delivered-To: [email protected]
Received: by 10.12.169.5 with SMTP id y5csp2584881qva;
Sat, 12 Aug 2017 13:07:14 -0700 (PDT)
X-Received: by 10.223.151.212 with SMTP id t20mr12538728wrb.233.1502568434417;
Sat, 12 Aug 2017 13:07:14 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1502568434; cv=none;
d=google.com; s=arc-20160816;
b=izg+I4FrioYQ9iZXkCeJMpZwi8bNCUbQjzsQgGKxLXdaSnp9KcpLNNKhbPKBep5vnG
JIoPaEX/mh1NiwI8ptQJJERxUT168OldzKgUZ7+EVL545Yk0EWBnRCNtdtSZa0yjr88O
8fRnGzp93bn5NR/RE22Fvaw13QMvA4xVFc7m6J+BW7pOSmMwB976UoMw6s0jtUCHYkPR
CxITyX7Wy8G2rR9Px5INQeH+PsKSOQQQAQoMl88Dcy9DOvF6yo8XR/g7tic8jExKO/BT
Cn49sfI3Eg4S8Rs1DatWwp/lw7EViKwHEhZPVqRkxTXP0z3gKhNPdlFnABvUGdDG3Id4
Ly+w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=content-language:content-transfer-encoding:mime-version:user-agent
:date:message-id:subject:from:to:arc-authentication-results;
bh=QgRLF+6w7sye7fqLzlu3qDfNO47+yGPgui7mTGt5S7Y=;
b=bPF5SMjoQhKivKP4wLWgg9uOkDudgfg/BLWiWycB9kmKxB7Eox9jMrJGSu+1wwHYMw
HadoG0fdXLRFUj3D+/Ur2pWxIfREALH+zHGMIErkTUAN8H6rXZoQrsdrmAFvXYqKMKdq
hk3JyUNoIED2whYzcb1lbS8ANks7hYSXwf0gTKUuzrAoCrRPoIcwWmyXMZEhZeNKhQBW
cGmwbCnwijOSk8iAB/aX/C6cyE4OZ+K9uXbTzbwpL9u/rF83FC54JlTOSd0jpQ3MFv6Y
sCduxKIhz9doud9ebsuB5WqKXXy7m2DlpWbzRsCozbbiKsnT0zZ0+a2UukTu+IZ87mYW
HZ7g==
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of [email protected] designates 185.160.111.248 as permitted sender) [email protected]
Return-Path: <[email protected]>
Received: from mail.moowdesign.eu (moowdesign.bisart.eu. [185.160.111.248])
by mx.google.com with ESMTP id k16si2937045wrk.226.2017.08.12.13.07.13
for <[email protected]>;
Sat, 12 Aug 2017 13:07:13 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 185.160.111.248 as permitted sender) client-ip=185.160.111.248;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of [email protected] designates 185.160.111.248 as permitted sender) [email protected]
Received: from [192.168.1.69] (unknown [84.245.121.111]) by mail.moowdesign.eu (Postfix) with ESMTPSA id 19378121987 for <[email protected]>; Sat, 12 Aug 2017 22:07:12 +0200 (CEST)
To: [email protected]
From: Dominik Dancs <[email protected]>
Subject: dsadas
Message-ID: <[email protected]>
Date: Sat, 12 Aug 2017 22:07:10 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
事情是這樣的我有多個網域指向同一主機和同一郵件伺服器使用(moowdesign.eu、moow.info、fenixportal.eu 等),我需要它們都具有 SSL 電子郵件加密。
每個網域都指向 IP,mail.domain.tld 被設定為 MX DNS 記錄(也指向伺服器 IP)。
我的連接埠已轉發,因此所有郵件流量都可以傳遞到伺服器。
我使用 Let'sEncrypt 的 acme.sh (https://github.com/Neilpang/acme.sh) 用戶端為一個憑證中的所有網域建立通配符證書,然後在 dovecot 和 postfix 中使用它。
問題:
因此,Gmail 用戶端要求電子郵件簽名“bisart.eu”,但該網域名稱與我的伺服器無關,除了 moowdesign.bisart.eu 指向我的服務器並且它有反向記錄之外。我無法使用該網域/伺服器簽署憑證。
我該怎麼辦?我知道這不是最好的選擇,因為人們會看到紅色圖示並認為這是詐騙電子郵件或其他內容,最有可能的是,所有電子郵件都會直接進入垃圾郵件。我希望有某種解決方案。
另外,我所有網域的 DNS 記錄分別為:
3600 IN MX 10 mail
@ 3600 IN A 185.160.111.248
moow.info. 3600 IN TXT "v=spf1 mx a ptr ip4:185.160.111.248/32 a:mail.moow.info a:moowdesign.bisart.eu ~all"
mail 3600 IN A 185.160.111.248
我的 main.cf (Postfix 設定檔)
compatibility_level = 2
debug_peer_level = 2
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
#daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
default_privs = nobody
myhostname = mail.moowdesign.eu
mydomain = moowdesign.eu
myorigin = $mydomain
mydestination = localhost
append_dot_mydomain = no
unknown_local_recipient_reject_code = 550
mynetworks_style = host
relay_domains = *
alias_maps = hash:/etc/aliases
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = vmail
inet_protocols = ipv4
inet_interfaces = all
meta_directory = /etc/postfix
shlib_directory = /usr/lib/postfix
html_directory = /usr/doc/postfix-3.1.2/html
manpage_directory = /usr/man
sample_directory = /etc/postfix
readme_directory = no
smtpd_tls_cert_file = /etc/dovecot/letsencrypt.crt
smtpd_tls_CAfile = /etc/dovecot/letsencrypt.chain
smtpd_tls_key_file = /etc/dovecot/letsencrypt.key
#smtpd_tls_cert_file = /etc/dovecot/private/mail.crt
#smtpd_tls_key_file = /etc/dovecot/private/mail.key
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination,
reject_unknown_reverse_client_hostname,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_invalid_hostname,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client barracudacentral.org
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
virtual_mailbox_domains = mysql:/etc/postfix/mysql/virtual_domains_maps.cf
virtual_alias_maps =
mysql:/etc/postfix/mysql/virtual_alias_maps.cf,
mysql:/etc/postfix/mysql/virtual_alias_domain_maps.cf,
mysql:/etc/postfix/mysql/virtual_alias_domain_catchall_maps.cf
virtual_mailbox_maps =
mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf,
mysql:/etc/postfix/mysql/virtual_alias_domain_mailbox_maps.cf
virtual_transport = lmtp:unix:/var/spool/postfix/private/dovecot-lmtp
alias_database = hash:/etc/aliases
發送電子郵件的日誌:
Aug 13 13:03:26 production postfix/smtps/smtpd[8768]: warning: hostname 84-245-121-111.dynamic.swanmobile.sk does not resolve to address 84.245.121.111: Name or service not known
Aug 13 13:03:26 production postfix/smtps/smtpd[8768]: connect from unknown[84.245.121.111]
Aug 13 13:03:27 production postfix/smtps/smtpd[8768]: 472971201BC: client=unknown[84.245.121.111], sasl_method=PLAIN, [email protected]
Aug 13 13:03:27 production postfix/cleanup[8772]: 472971201BC: message-id=<[email protected]>
Aug 13 13:03:27 production postfix/qmgr[29192]: 472971201BC: from=<[email protected]>, size=627, nrcpt=1 (queue active)
Aug 13 13:03:27 production postfix/smtps/smtpd[8768]: disconnect from unknown[84.245.121.111] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
Aug 13 13:03:29 production postfix/smtp[8775]: 472971201BC: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[64.233.167.27]:25, delay=1.9, delays=0.17/0/0.87/0.89, dsn=2.0.0, status=sent (250 2.0.0 OK 1502622209 y42si3780413wrd.170 - gsmtp)
Aug 13 13:03:29 production postfix/qmgr[29192]: 472971201BC: removed
我還需要提供其他資訊才能解決此問題嗎?
我試過:
- 在 bisart.eu 伺服器上建立自簽名證書,然後在我的伺服器上透過 dovecot 和 postfix 使用它(沒有幫助,仍然說:「bisart.eu 沒有加密此訊息」)
- 在我的伺服器上建立自簽名憑證(沒有幫助)
- 在 postfix 設定中變更 main.cf 中的 myhostname 和 mydomain 屬性
- 將 spf 記錄新增至我的 DNS
先感謝您。
答案1
傳出流量的加密與上述任何內容都沒有太大關係。
什麼時候傳送郵件,您的 Postfix 連接到Gmail(因此既不涉及連接埠轉送也不涉及 MX 記錄)並且充當 TLS 用戶端(即像網頁瀏覽器,而不是網頁伺服器);它能提供自己的證書,但不需要。
此外,Postfix 在伺服器和用戶端模式下分別在smtpd_tls_*和下對 TLS 進行了單獨的設定smtp_tls_*。不要混淆兩者。
確保您啟用了這些設定:
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1
進行調整smtp_tls_CAfile以適合您的作業系統。該smtp_tls_loglevel設定不是必需的,但在讀取日誌時會很有用。
設定smtp_tls_cert_file和smtp_tls_key_file不是必需的(許多郵件伺服器要么忽略客戶端證書,要么僅將其用於日誌記錄目的)。