
I'm currently setting up a somewhat unusual personal email server using OpenSMTPD. I have a local server (a Raspberry Pi) and a remote server (a VPS). Email sent to me goes to the remote server and is then forwarded to my local server. When I send email, it goes from the local server to the remote server and is then forwarded on to the recipient. At the moment I'm only testing inbound mail, and it basically works, with one problem: TLS.
If I set "tls-require" on the local server, my remote server seems able to connect, but then disconnects and tries to downgrade to plain (smtp+notls), which of course fails. If I use just "tls" instead of "tls-require", the same thing happens, but the smtp+notls attempt works.
The error messages don't seem all that helpful. On the remote server I just get "opportunistic TLS failed, downgrading to plain". As I said above, on the local server the connection looks successful (at least I think so), but then disconnects:
smtp connected address=redacted.remote.ip.address host=mx1.mydomain.tld
smtp tls ciphers=TLSv1.3:TLS_AES_256_GCM_SHA384:256
smtp disconnected reason=disconnect
If I try to send an email with openssl (from the remote server), I get a more informative error message.
openssl s_client -debug -starttls smtp -crlf -connect redacted.local.ip.address:25
On the remote server everything works until I enter the recipient, at which point I get an SSL error:
RCPT TO:<[email protected]>
RENEGOTIATING
17412933263728:error:1404C042:SSL routines:ST_OK:called a function you should not call:/usr/src/lib/libssl/ssl_lib.c:2529:
That error seems to tell me more, but I couldn't find anything about it. The local server shows exactly the same errors as before.
I know a lot of people don't use mandatory TLS for email, but for this use case I'd really like to make it work.
My local server is running "Raspberry Pi OS 11 bullseye 64-bit" and OpenSMTPD 6.8.0p2 (the latest version on apt).
My remote server is running "OpenBSD 7.0 GENERIC#224 amd64" and OpenSMTPD 7.0.0.
Any suggestions would be greatly appreciated. If you need more information, let me know.
Here is my configuration:
Local server smtpd.conf:
table aliases "/etc/smtpd/aliases"
table domains "/etc/smtpd/domains"
table passwds "/etc/smtpd/passwds"
table remote-servers "/etc/smtpd/remote-servers"
pki "mydomain.tld" cert "/etc/letsencrypt/live/mydomain.tld/fullchain.pem"
pki "mydomain.tld" key "/etc/letsencrypt/live/mydomain.tld/privkey.pem"
# Do I want srs here, on the remote, or both?
srs key "redacted key"
filter "rdns" phase connect match !rdns disconnect "550 DNS error"
filter "fcrdns" phase connect match !fcrdns disconnect "550 DNS error"
filter "rspamd" proc-exec "/etc/smtpd/filter-rspamd"
# Inbound
listen on eth0 port 25 tls-require pki "mydomain.tld" filter { "rdns", "fcrdns" "rspamd" }
#listen on eth0 port 25 tls pki "mydomain.tld" filter { "rdns", "fcrdns" "rspamd" }
action "RECV" lmtp "/var/run/dovecot/lmtp" rcpt-to virtual <aliases>
match from src <remote-servers> for domain <domains> action "RECV"
match !from src <remote-servers> for domain <domains> reject
# Outbound
listen on eth0 port 465 smtps pki "mydomain.tld" auth <passwds> filter "rspamd" mask-src
listen on eth0 port 587 tls-require pki "mydomain.tld" auth <passwds> filter "rspamd" mask-src
action "SEND" relay host mx1.mydomain.tld:465
match from any auth for any action "SEND"
Remote server smtpd.conf:
table aliases "/etc/smtpd/aliases"
table domains "/etc/smtpd/domains"
pki "mydomain.tld" cert "/etc/letsencrypt/live/mydomain.tld/fullchain.pem"
pki "mydomain.tld" key "/etc/letsencrypt/live/mydomain.tld/privkey.pem"
# Do I want srs here, on the remote, or both?
srs key "same redacted key"
filter "rdns" phase connect match !rdns disconnect "550 DNS error"
filter "fcrdns" phase connect match !fcrdns disconnect "550 DNS error"
# Inbound
listen on eth0 port 25 tls pki "mydomain.tld" filter { "rdns", "fcrdns" }
action "RECV" relay host redacted.local.ip.address:25
match from any for domain <domains> action "RECV"
# Outbound
listen on eth0 port 465 smtps pki "mydomain.tld" mask-src
action "SEND" relay srs
match from src redacted.local.ip.address for any action "SEND"
match !from src redacted.local.ip.address for any reject
Here are the mail logs if I have "tls-require" set:
Local server mail log:
Apr 3 11:57:26 LocalHostname smtpd[3614276]: 3c3d3943d2bc7134 smtp connected address=redacted.remote.ip.address host=mx1.mydomain.tld
Apr 3 11:57:26 LocalHostname smtpd[3614276]: 3c3d3943d2bc7134 smtp tls ciphers=TLSv1.3:TLS_AES_256_GCM_SHA384:256
Apr 3 11:57:26 LocalHostname smtpd[3614276]: 3c3d3943d2bc7134 smtp disconnected reason=disconnect
Apr 3 11:57:26 LocalHostname smtpd[3614276]: 3c3d39441db05cc1 smtp connected address=redacted.remote.ip.address host=mx1.mydomain.tld
Apr 3 11:57:26 LocalHostname smtpd[3614276]: 3c3d39441db05cc1 smtp failed-command command="MAIL FROM:<[email protected]>" result="530 5.5.1 Invalid command: Must issue a STARTTLS command first"
Apr 3 11:57:43 LocalHostname smtpd[3614276]: 3c3d39441db05cc1 smtp disconnected reason=quit
Remote server mail log:
Apr 3 11:57:19 RemoteHostname smtpd[94758]: 7349563019b45aeb smtp connected address=209.85.128.178 host=mail-yw1-f178.google.com
Apr 3 11:57:19 RemoteHostname smtpd[94758]: 7349563019b45aeb smtp tls ciphers=TLSv1.3:AEAD-AES256-GCM-SHA384:256
Apr 3 11:57:20 RemoteHostname smtpd[94758]: 7349563019b45aeb smtp message msgid=f8226363 size=2682 nrcpt=1 proto=ESMTP
Apr 3 11:57:20 RemoteHostname smtpd[94758]: 7349563019b45aeb smtp envelope evpid=f822636342a8821f from=<[email protected]> to=<[email protected]>
Apr 3 11:57:20 RemoteHostname smtpd[94758]: 734956336de69e03 mta connecting address=smtp://redacted.local.ip.address:25 host=redacted-local-ip-address.isp.tld
Apr 3 11:57:20 RemoteHostname smtpd[94758]: 734956336de69e03 mta connected
Apr 3 11:57:20 RemoteHostname smtpd[94758]: 7349563019b45aeb smtp disconnected reason=quit
Apr 3 11:57:20 RemoteHostname smtpd[94758]: smtp-out: Error on session 734956336de69e03: opportunistic TLS failed, downgrading to plain
Apr 3 11:57:20 RemoteHostname smtpd[94758]: 734956336de69e03 mta connecting address=smtp+notls://redacted.local.ip.address:25 host=redacted-local-ip-address.isp.tld
Apr 3 11:57:20 RemoteHostname smtpd[94758]: 734956336de69e03 mta connected
Apr 3 11:57:20 RemoteHostname smtpd[94758]: 734956336de69e03 mta delivery evpid=f822636342a8821f from=<[email protected]> to=<[email protected]> rcpt=<-> source="redacted.remote.ip.address" relay="redacted.local.ip.address (redacted-local-ip-address.isp.tld)" delay=1s result="PermFail" stat="530 5.5.1 Invalid command: Must issue a STARTTLS command first"
Apr 3 11:57:22 RemoteHostname smtpd[94758]: 73495634e55adfe9 smtp connected address=local host=mx1.mydomain.tld
Apr 3 11:57:22 RemoteHostname smtpd[94758]: 73495634e55adfe9 smtp failed-command command="RCPT TO: <[email protected]>" result="550 Invalid recipient: <[email protected]>"
Apr 3 11:57:22 RemoteHostname smtpd[11238]: warn: PermFail injecting failure report on message f8226363 to <[email protected]> for 1 envelope: 550 Invalid recipient: <[email protected]>
Apr 3 11:57:22 RemoteHostname smtpd[94758]: 73495634e55adfe9 smtp disconnected reason=quit
Apr 3 11:57:37 RemoteHostname smtpd[94758]: 734956336de69e03 mta disconnected reason=quit messages=0
These are the mail logs if I have "tls" set:
Local server mail log:
Apr 3 12:07:09 LocalHostname smtpd[3849290]: b981307e92d2eeac smtp connected address=redacted.remote.ip.address host=mx1.mydomain.tld
Apr 3 12:07:09 LocalHostname smtpd[3849290]: b981307e92d2eeac smtp tls ciphers=TLSv1.3:TLS_AES_256_GCM_SHA384:256
Apr 3 12:07:09 LocalHostname smtpd[3849290]: b981307e92d2eeac smtp disconnected reason=disconnect
Apr 3 12:07:09 LocalHostname smtpd[3849290]: b981307ff6e18ae3 smtp connected address=redacted.remote.ip.address host=mx1.mydomain.tld
Apr 3 12:07:10 LocalHostname smtpd[3849290]: b981307ff6e18ae3 smtp message msgid=082c7a5e size=2850 nrcpt=1 proto=ESMTP
Apr 3 12:07:10 LocalHostname smtpd[3849290]: b981307ff6e18ae3 smtp envelope evpid=082c7a5e9dec905f from=<[email protected]> to=<[email protected]>
Apr 3 12:07:11 LocalHostname dovecot: lmtp(3967460): Connect from local
Apr 3 12:07:11 LocalHostname dovecot: lmtp([email protected])<3967460><hmVpIN9/SWLkiTwAmV7YnQ>: msgid=<CACebY1Hm4jdhjFKoZ2374zbEq1MZV-yTxsUauV4gzxXqNBVeaQ@mail.gmail.com>: saved mail to INBOX
Apr 3 12:07:11 LocalHostname dovecot: lmtp(3967460): Disconnect from local: Client has quit the connection (state=READY)
Apr 3 12:07:11 LocalHostname smtpd[3849290]: b981308066da2115 mda delivery evpid=082c7a5e9dec905f from=<[email protected]> to=<[email protected]> rcpt=<[email protected]> user=vmail delay=2s result=Ok stat=Delivered
Apr 3 12:07:27 LocalHostname smtpd[3849290]: b981307ff6e18ae3 smtp disconnected reason=quit
Remote server mail log:
Apr 3 12:06:59 RemoteHostname smtpd[94758]: 73495635c8c7456b smtp connected address=209.85.219.174 host=mail-yb1-f174.google.com
Apr 3 12:06:59 RemoteHostname smtpd[94758]: 73495635c8c7456b smtp tls ciphers=TLSv1.3:AEAD-AES256-GCM-SHA384:256
Apr 3 12:07:00 RemoteHostname smtpd[94758]: 73495635c8c7456b smtp message msgid=b912e335 size=2670 nrcpt=1 proto=ESMTP
Apr 3 12:07:00 RemoteHostname smtpd[94758]: 73495635c8c7456b smtp envelope evpid=b912e33501250790 from=<[email protected]> to=<[email protected]>
Apr 3 12:07:00 RemoteHostname smtpd[94758]: 7349563834c66e1a mta connecting address=smtp://redacted.local.ip.address:25 host=redacted-local-ip-address.isp.tld
Apr 3 12:07:00 RemoteHostname smtpd[94758]: 7349563834c66e1a mta connected
Apr 3 12:07:00 RemoteHostname smtpd[94758]: 73495635c8c7456b smtp disconnected reason=quit
Apr 3 12:07:00 RemoteHostname smtpd[94758]: smtp-out: Error on session 7349563834c66e1a: opportunistic TLS failed, downgrading to plain
Apr 3 12:07:00 RemoteHostname smtpd[94758]: 7349563834c66e1a mta connecting address=smtp+notls://redacted.local.ip.address:25 host=redacted-local-ip-address.isp.tld
Apr 3 12:07:00 RemoteHostname smtpd[94758]: 7349563834c66e1a mta connected
Apr 3 12:07:02 RemoteHostname smtpd[94758]: 7349563834c66e1a mta delivery evpid=b912e33501250790 from=<[email protected]> to=<[email protected]> rcpt=<-> source="redacted.remote.ip.address" relay="redacted.local.ip.address (redacted-local-ip-address.isp.tld)" delay=2s result="Ok" stat="250 2.0.0 082c7a5e Message accepted for delivery"
Apr 3 12:07:19 RemoteHostname smtpd[94758]: 7349563834c66e1a mta disconnected reason=quit messages=1
Remote server pf.conf:
# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf
set skip on lo
block return # block stateless traffic
pass # establish keep-state
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010
# Port build user does not need network
block return out log proto {tcp udp} user _pbuild
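The remote-server logs above show the mta session first connecting with smtp:// (opportunistic STARTTLS), logging "opportunistic TLS failed, downgrading to plain", and then reconnecting with smtp+notls://; with "tls" on the local listener the message is accepted over that plaintext hop, while with "tls-require" it is rejected with a 530. As an added example that is not part of the original post, the following Python script parses OpenSMTPD mta log lines in that format and reports which sessions were downgraded and which delivery attempts went over a transport without TLS, so a relay operator can spot cleartext hops instead of relying on the delivery result alone. The sample log lines are constructed for this example (made-up session ids, addresses and recipients), modelled on the excerpts above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the OpenSMTPD mta log excerpts in the post.
# Session A: opportunistic TLS fails, falls back to plaintext, delivery accepted.
# Session B: transport required TLS from the start, delivery accepted.
# Session C: falls back to plaintext, rejected with "Must issue a STARTTLS command first".
SAMPLE_LOG = """\
Apr 3 12:07:00 relay smtpd[94758]: 7349563834c66e1a mta connecting address=smtp://192.0.2.10:25 host=lan.example.invalid
Apr 3 12:07:00 relay smtpd[94758]: 7349563834c66e1a mta connected
Apr 3 12:07:00 relay smtpd[94758]: smtp-out: Error on session 7349563834c66e1a: opportunistic TLS failed, downgrading to plain
Apr 3 12:07:00 relay smtpd[94758]: 7349563834c66e1a mta connecting address=smtp+notls://192.0.2.10:25 host=lan.example.invalid
Apr 3 12:07:00 relay smtpd[94758]: 7349563834c66e1a mta connected
Apr 3 12:07:02 relay smtpd[94758]: 7349563834c66e1a mta delivery evpid=b912e33501250790 from=<a@example.com> to=<b@example.org> rcpt=<-> source="198.51.100.5" relay="192.0.2.10 (lan.example.invalid)" delay=2s result="Ok" stat="250 2.0.0 082c7a5e Message accepted for delivery"
Apr 3 12:08:00 relay smtpd[94758]: 0011223344556677 mta connecting address=smtp+tls://192.0.2.10:25 host=lan.example.invalid
Apr 3 12:08:00 relay smtpd[94758]: 0011223344556677 mta connected
Apr 3 12:08:01 relay smtpd[94758]: 0011223344556677 mta delivery evpid=0123456789abcdef from=<a@example.com> to=<c@example.org> rcpt=<-> source="198.51.100.5" relay="192.0.2.10 (lan.example.invalid)" delay=1s result="Ok" stat="250 2.0.0 deadbeef Message accepted for delivery"
Apr 3 12:09:00 relay smtpd[94758]: 1122334455667788 mta connecting address=smtp://192.0.2.10:25 host=lan.example.invalid
Apr 3 12:09:00 relay smtpd[94758]: 1122334455667788 mta connected
Apr 3 12:09:00 relay smtpd[94758]: smtp-out: Error on session 1122334455667788: opportunistic TLS failed, downgrading to plain
Apr 3 12:09:00 relay smtpd[94758]: 1122334455667788 mta connecting address=smtp+notls://192.0.2.10:25 host=lan.example.invalid
Apr 3 12:09:01 relay smtpd[94758]: 1122334455667788 mta delivery evpid=fedcba9876543210 from=<a@example.com> to=<d@example.org> rcpt=<-> source="198.51.100.5" relay="192.0.2.10 (lan.example.invalid)" delay=1s result="PermFail" stat="530 5.5.1 Invalid command: Must issue a STARTTLS command first"
"""

# Session ids in OpenSMTPD logs are 16 hex digits; the transport scheme is the
# part before "://" in the "mta connecting address=" line.
CONNECT_RE = re.compile(r"(?P<sid>[0-9a-f]{16}) mta connecting address=(?P<scheme>[a-z+]+)://(?P<target>\S+)")
DOWNGRADE_RE = re.compile(r"smtp-out: Error on session (?P<sid>[0-9a-f]{16}): opportunistic TLS failed, downgrading to plain")
DELIVERY_RE = re.compile(r'(?P<sid>[0-9a-f]{16}) mta delivery .*?to=<(?P<to>[^>]*)>.*?result="?(?P<result>[A-Za-z]+)"?')

PLAINTEXT_SCHEMES = {"smtp+notls"}  # transports that never negotiate TLS


@dataclass
class MtaSession:
    sid: str
    schemes: list = field(default_factory=list)      # transports tried, in order
    downgraded: bool = False                         # smtpd logged the opportunistic-TLS fallback
    deliveries: list = field(default_factory=list)   # (recipient, result, scheme in use)

    @property
    def current_scheme(self):
        return self.schemes[-1] if self.schemes else None


def parse_sessions(log_text):
    """Group mta log lines by session id and record transport changes, downgrades
    and delivery outcomes. A delivery is attributed to the most recent transport."""
    sessions = {}
    for line in log_text.splitlines():
        if m := CONNECT_RE.search(line):
            s = sessions.setdefault(m["sid"], MtaSession(m["sid"]))
            s.schemes.append(m["scheme"])
        elif m := DOWNGRADE_RE.search(line):
            s = sessions.setdefault(m["sid"], MtaSession(m["sid"]))
            s.downgraded = True
        elif m := DELIVERY_RE.search(line):
            s = sessions.setdefault(m["sid"], MtaSession(m["sid"]))
            s.deliveries.append((m["to"], m["result"], s.current_scheme))
    return sessions


def downgraded_sessions(log_text):
    """Session ids where smtpd fell back from opportunistic TLS to plaintext."""
    return sorted(s.sid for s in parse_sessions(log_text).values() if s.downgraded)


def plaintext_deliveries(log_text):
    """(sid, recipient, result) for each delivery attempt made over a transport
    without TLS. A result of "Ok" here means the message left in the clear."""
    found = []
    for s in parse_sessions(log_text).values():
        for to, result, scheme in s.deliveries:
            if scheme in PLAINTEXT_SCHEMES:
                found.append((s.sid, to, result))
    return found


if __name__ == "__main__":
    for sid in downgraded_sessions(SAMPLE_LOG):
        print(f"session {sid}: opportunistic TLS failed, transport downgraded")
    for sid, to, result in plaintext_deliveries(SAMPLE_LOG):
        print(f"session {sid}: delivery to <{to}> over smtp+notls, result={result}")
```

Run against a real /var/log/maillog the script reports the same two things the excerpts above show by hand: which outbound sessions the downgrade message belongs to, and whether mail was actually accepted over the smtp+notls hop (the "tls" case) or refused there (the "tls-require" case). The scheme on the "mta connecting" line is the useful signal: in smtpd.conf(5) a relay target written as a bare host, which smtpd logs as smtp://, is opportunistic and permitted to fall back, whereas the smtp+tls:// form is required to use TLS and never retries in plaintext.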