如何讓 Postfix 監聽少數具有正確憑證的 IP 位址?

tag-icon tag-icon linux debian email postfix smtp
如何讓 Postfix 監聽少數具有正確憑證的 IP 位址?

我在設定 postfix 使用正確的 SSL 憑證在連接埠 25 上偵聽幾個(實際上是 3 個)IP 位址時遇到問題。

背景:我使用 Debian 11,使用 Postfix(來自 repo 的 v 3.5.6)/Dovecot 和 ISPConfig 作為託管面板。我有幾個工作正常的 IP 位址,有記錄 A 指向 IP 的域名,以及每個 IP 的正確 revDNS。每個網域都產生了正確的憑證以供使用。防火牆配置正確,幾乎一切都按我的預期運作。

我目前的狀態是 Postfix 在所有定義的 IP 位址(包括 127.0.0.1)上正確偵聽連接埠 465 和 587 - 並且還在該連接埠上以正確的憑證進行回應。但在連接埠 25 上,它始終使用第一個網域的憑證 - 即使連接到其他 IP(網域)時也是如此。 Dovecot 也使用憑證(但配置 Dovecot 非常容易,而且它的運作方式與 IMAP 和 POP3 的工作方式類似)。我不知道我在哪裡配置 Postfix 時出錯了。我唯一不想做的一件事是 postfix“多個實例” - 因為 ISPConfig 根本不支援它們(它甚至根本不支援 Dovecot/Postfix 的多個 IP,或者它們的任何一種 SNI) 。

我目前的配置如下所示:main.cf:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = /usr/share/doc/postfix

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2



# TLS parameters
# 
# smtpd_tls_cert_file = /etc/postfix/smtpd.cert
# smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_security_level = may

smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache


smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
myhostname = domain1.com
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
myorigin = /etc/mailname
mydestination = domain1.com, localhost, localhost.localdomain
relayhost = 
mynetworks = 127.0.0.0/8 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
# OEYG inet_interfaces = all
inet_interfaces = 127.0.0.1 xx.xx.xx.x1 xx.xx.xx.x2 xx.xx.xx.x3
# ORYG inet_protocols = all
inet_protocols = ipv4
html_directory = /usr/share/doc/postfix/html
virtual_alias_domains = proxy:mysql:/etc/postfix/mysql-virtual_alias_domains.cf
virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /var/vmail
virtual_uid_maps = proxy:mysql:/etc/postfix/mysql-virtual_uids.cf
virtual_gid_maps = proxy:mysql:/etc/postfix/mysql-virtual_gids.cf
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_restriction_classes = greylisting
greylisting = check_policy_service inet:127.0.0.1:10023
smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf, check_policy_service unix:private/quota-status
smtpd_use_tls = yes
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
relay_domains = proxy:mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = proxy:mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $virtual_uid_maps $virtual_gid_maps $smtpd_client_restrictions $smtpd_sender_restrictions $smtpd_recipient_restrictions $smtp_sasl_password_maps $sender_dependent_relayhost_maps
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo, reject_unknown_helo_hostname, permit
smtpd_sender_restrictions = permit_mynetworks, check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_sender.cf,  permit_sasl_authenticated, reject_non_fqdn_sender, reject_unlisted_sender
smtpd_reject_unlisted_sender = no
smtpd_client_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, check_client_access hash:/etc/postfix/rbl_override, permit_dnswl_client swl.spamhaus.org, permit_dnswl_client ip4.white.polspam.pl, permit_dnswl_client ip6.white.polspam.pl, reject_rbl_client spam.spamrats.com, reject_rbl_client b.barracudacentral.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spameatingmonkey.net, reject_rbl_client all.s5h.net, reject_unauth_pipelining, permit
smtpd_etrn_restrictions = permit_mynetworks, reject
smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit
smtpd_client_message_rate_limit = 100
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
virtual_transport = lmtp:unix:private/dovecot-lmtp
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
nested_header_checks = regexp:/etc/postfix/nested_header_checks
body_checks = regexp:/etc/postfix/body_checks
owner_request_special = no
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_exclude_ciphers = RC4, aNULL
smtp_tls_exclude_ciphers = RC4, aNULL
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
tls_preempt_cipherlist = yes
address_verify_negative_refresh_time = 60s
enable_original_recipient = no
sender_dependent_relayhost_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender-relayhost.cf
smtp_sasl_password_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender-relayauth.cf, texthash:/etc/postfix/sasl_passwd
smtp_sender_dependent_authentication = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous
authorized_flush_users = 
authorized_mailq_users = nagios, icinga
smtpd_forbidden_commands = CONNECT,GET,POST,USER,PASS
address_verify_sender_ttl = 15686s
smtp_dns_support_level = dnssec
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_milters = inet:localhost:11332
non_smtpd_milters = inet:localhost:11332
milter_protocol = 6
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_default_action = accept
message_size_limit = 0

我的主人.cf:

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
# smtp      inet  n       -       y       -       -       smtpd
127.0.0.1:smtp inet n       -       y       -       -       smtpd
 -o syslog_name=postfix/smtp-local
 -o smtp_helo_name=localhost
 -o myhostname=localhost
 -o smtpd_tls_cert_file=/etc/domain1.crt
 -o smtpd_tls_key_file=/etc/domain1.key
xx.xx.xx.x1:smtp inet n       -       y      -       -       smtpd
 -o syslog_name=postfix/smtp-d1
 -o smtp_helo_name=domain1
 -o myhostname=domain1
 -o smtpd_tls_cert_file=/etc/domain1.crt
 -o smtpd_tls_key_file=/etc/domain1.key
xx.xx.xx.x2:smtps inet n       -       y       -       -       smtpd
 -o syslog_name=postfix/smtp-d2
 -o smtp_helo_name=domain2
 -o myhostname=domain2
 -o smtpd_tls_cert_file=/etc/domain2.crt
 -o smtpd_tls_key_file=/etc/domain2.key
xx.xx.xx.x3:smtps inet n       -       y       -       -       smtpd
 -o syslog_name=postfix/smtp-d3
 -o smtp_helo_name=domain3
 -o myhostname=domain3
 -o smtpd_tls_cert_file=/etc/domain3.crt
 -o smtpd_tls_key_file=/etc/domain3.key
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
#
127.0.0.1:submission inet n       -       y       -       -       smtpd
 -o syslog_name=postfix/submission
 -o smtp_helo_name=localhost
 -o smtp_bind_address=127.0.0.1
 -o smtpd_tls_cert_file=/etc/domain1.crt
 -o smtpd_tls_key_file=/etc/domain1.key
 -o myhostname=localhost
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
xx.xx.xx.x1:submission inet n       -       y       -       -       smtpd
 -o syslog_name=postfix/submission
 -o smtp_helo_name=domain1
 -o smtp_bind_address=xx.xx.xx.x1
 -o myhostname=domain1
 -o smtpd_tls_cert_file=/etc/domain1.crt
 -o smtpd_tls_key_file=/etc/domain1.key
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
xx.xx.xx.x2:submission inet n       -       y       -       -       smtpd
 -o syslog_name=postfix/submission
 -o smtp_helo_name=domain2
 -o smtp_bind_address=xx.xx.xx.x2
 -o myhostname=domain2
 -o smtpd_tls_cert_file=/etc/domain2.crt
 -o smtpd_tls_key_file=/etc/domain2.key
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
xx.xx.xx.x3:submission inet n       -       y       -       -       smtpd
 -o syslog_name=postfix/submission
 -o smtp_helo_name=domain3
 -o smtp_bind_address=xx.xx.xx.x3
 -o myhostname=domain3
 -o smtpd_tls_cert_file=/etc/domain3.crt
 -o smtpd_tls_key_file=/etc/domain3.key
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
## smtps     inet  n       -       y       -       -       smtpd
## -o syslog_name=postfix/smtps
## -o smtpd_tls_wrappermode=yes
## -o smtpd_sasl_auth_enable=yes
## -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
127.0.0.1:smtps inet n       -       n       -       -       smtpd
 -o syslog_name=postfix/smtps
 -o smtp_helo_name=localhost
 -o myhostname=localhost
 -o smtpd_tls_wrappermode=yes
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 -o smtpd_tls_cert_file=/etc/domain1.crt
 -o smtpd_tls_key_file=/etc/domain1.key
xx.xx.xx.x1:smtps inet n       -       n       -       -       smtpd
 -o syslog_name=postfix-d1/smtps
 -o smtp_helo_name=domain1
 -o myhostname=domain1
 -o smtpd_tls_cert_file=/etc/domain1.crt
 -o smtpd_tls_key_file=/etc/domain1.key
 -o smtpd_tls_wrappermode=yes
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
xx.xx.xx.x2:smtps inet n       -       n       -       -       smtpd
 -o syslog_name=postfix-d2/smtps
 -o smtp_helo_name=domain2
 -o myhostname=domain2
 -o smtpd_tls_cert_file=/etc/domain2.crt
 -o smtpd_tls_key_file=/etc/domain2.key
 -o smtpd_tls_wrappermode=yes
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
xx.xx.xx.x3:smtps inet n       -       n       -       -       smtpd
 -o syslog_name=postfix-d3/smtps
 -o smtp_helo_name=domain3
 -o myhostname=domain3
 -o smtpd_tls_cert_file=/etc/domain3.crt
 -o smtpd_tls_key_file=/etc/domain3.key
 -o smtpd_tls_wrappermode=yes
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
domain1-out     unix -       -       n       -       -       smtp
    -o smtp_bind_address=xx.xx.xx.x1
    -o smtp_helo_name=domain1
    -o syslog_name=postfix-domain1
    -o smtpd_tls_cert_file=/etc/domain1.crt
    -o smtpd_tls_key_file=/etc/domain1.key
domain2-out     unix -       -       n       -       -       smtp
    -o smtp_bind_address=xx.xx.xx.x2
    -o smtp_helo_name=domain2
    -o syslog_name=postfix-domain2
    -o smtpd_tls_cert_file=/etc/domain2.crt
    -o smtpd_tls_key_file=/etc/domain2.key
domain3-out     unix -       -       n       -       -       smtp
    -o smtp_bind_address=xx.xx.xx.x3
    -o smtp_helo_name=domain3
    -o syslog_name=postfix-domain3
    -o smtpd_tls_cert_file=/etc/domain3.crt
    -o smtpd_tls_key_file=/etc/domain3.key
#628       inet  n       -       y       -       -       qmqpd
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
        -o syslog_name=postfix/$service_name
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
postlog   unix-dgram n  -       n       -       1       postlogd
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop}

當在 /var/log/mail.log 中啟動 postfix 時,有:

postfix/postfix-script[2714262]: starting the Postfix mail system
postfix/master[2714264]: warning: duplicate master.cf entry for service "xx.xx.xx.x2:smtps" ([xx.xx.xx.x2]:465) -- using the last ent
ry
postfix/master[2714264]: warning: duplicate master.cf entry for service "xx.xx.xx.x3:smtps" ([xx.xx.xx.x3]:465) -- using the last ent
ry
postfix/master[2714264]: daemon started -- version 3.5.6, configuration /etc/postfix

這個日誌對我來說很奇怪,因為連接埠 465 在每個網域上都工作正常。

為了進行測試,我使用其他伺服器和以下指令:
openssl s_client -starttls smtp -showcerts -connect domainX:25 -servername domainX
openssl s_client -starttls smtp -showcerts -connect domainX:587 -client -starttls
smtp -showcerts -connect domainX :587 -servername 4第465章

答案1

您的master.cf內容包含錯字。

看起來您打算smtpd在連接埠提交(587)上設定(伺服器)服務,在連接埠 smtps(465)上設定 smtpd,在連接埠 smtp(25)上設定 smtpd 以及smtp每個網域的(客戶端)傳輸。

但 的第一次出現xx.xx.xx.x2:smtps和 的第一次出現與xx.xx.xx.x3:smtps該方案不符。看來你打算寫smtp在那裡。每個的第二次出現看起來都像預期的那樣smtps(如 smtpd_tls_wrappermode 選項所證明)。

修復此問題並重新啟動 postfix 後,呼叫ss -tulpn以驗證 postfix 實際上正在偵聽哪些 IP/連接埠組合。我希望看到連接埠 25、連接埠 587 和連接埠 465 中的每一個都在四個 IPv4 位址上提供(包括環回)。

順便說一下,smtpd_*在服務上指定選項smtp是沒有效果的。您的網域*-out smtp(客戶端!)服務在交付時不提供憑證。

而且,整個努力似乎……很麻煩,卻沒有任何收穫。明明是一台伺服器,為什麼要裝成三台呢?透過在不同的地方接受傳入的郵件,只會使診斷變得更加困難。

答案2

透過 ISP 配置..

你可以更容易做到這一點..

在網站中建立一個「基本」郵件主機。 *(我將這個用於我的所有客戶的網路郵件。所以我建立了mail.my-hosting-domain.tld。

添加 LetsEncrypt 到它,以便您獲得正確的證書。現在新增一個新的郵件主機名稱。

LetsEncrypt 將產生一個多主機憑證。完畢。

當然,將所需的 DNS 記錄與此相符。任何客戶都可以前往 mail.there-domain.tld,postfix 會顯示憑證中所有正確的主機名稱。

相關內容