德国有一家大型电子邮件托管商 (web.de),其邮件服务器无法将邮件发送到我的自托管 Postfix 服务器。我发现了类似的报告,但发布的解决方案总是配置错误的 TLSA 记录。不过,我确信我的 TLSA 记录没有问题。
如何解决该问题,以便我的 Postfix 服务器正确接收来自这些服务器的邮件?
- 后缀版本:3.8.5
- OpenSSL 版本:3.0.13-r2
我的 Postfix 日志:
May 08 12:05:37 server postfix/smtpd[90259]: initializing the server-side TLS engine
May 08 12:05:37 server postfix/smtpd[90259]: connect from mout.web.de[212.227.15.4]
May 08 12:05:38 server postfix/smtpd[90259]: setting up TLS connection from mout.web.de[212.227.15.4]
May 08 12:05:38 server postfix/smtpd[90259]: mout.web.de[212.227.15.4]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:!SEED:!IDEA:!3DES:!RC2:!RC4:!RC5:!kDH:!kECDH:!aDSS:!MD5:+RC4:@STRENGTH"
May 08 12:05:38 server postfix/smtpd[90259]: SSL_accept:before SSL initialization
May 08 12:05:38 server postfix/smtpd[90259]: SSL_accept:before SSL initialization
May 08 12:05:38 server postfix/smtpd[90259]: SSL_accept:SSLv3/TLS read client hello
May 08 12:05:38 server postfix/smtpd[90259]: SSL_accept:SSLv3/TLS write server hello
May 08 12:05:38 server postfix/smtpd[90259]: SSL_accept:SSLv3/TLS write change cipher spec
May 08 12:05:38 server postfix/smtpd[90259]: SSL_accept:TLSv1.3 write encrypted extensions
May 08 12:05:38 server postfix/smtpd[90259]: SSL_accept:SSLv3/TLS write certificate
May 08 12:05:38 server postfix/smtpd[90259]: SSL_accept:TLSv1.3 write server certificate verify
May 08 12:05:38 server postfix/smtpd[90259]: SSL_accept:SSLv3/TLS write finished
May 08 12:05:38 server postfix/smtpd[90259]: SSL_accept:TLSv1.3 early data
May 08 12:05:38 server postfix/smtpd[90259]: SSL_accept:TLSv1.3 early data
May 08 12:05:38 server postfix/smtpd[90259]: SSL_accept:SSLv3/TLS read finished
May 08 12:05:38 server postfix/smtpd[90259]: mout.web.de[212.227.15.4]: Issuing session ticket, key expiration: 1715164537
May 08 12:05:38 server postfix/smtpd[90259]: SSL_accept:SSLv3/TLS write session ticket
May 08 12:05:38 server postfix/smtpd[90259]: Anonymous TLS connection established from mout.web.de[212.227.15.4]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (prime256v1) server-signature RSA-PSS (2048 bits) server-digest SHA256
May 08 12:05:38 server postfix/smtpd[90259]: SSL3 alert read:fatal:insufficient security
May 08 12:05:38 server postfix/smtpd[90259]: warning: TLS library problem: error:0A00042F:SSL routines::tlsv1 alert insufficient security:../openssl-3.0.13/ssl/record/rec_layer_s3.c:1590:SSL alert number 71:
May 08 12:05:38 server postfix/smtpd[90259]: lost connection after STARTTLS from mout.web.de[212.227.15.4]
May 08 12:05:38 server postfix/smtpd[90259]: disconnect from mout.web.de[212.227.15.4] ehlo=1 starttls=1 commands=2
May
我不确定哪一方在报告“安全保障不足”。我自己这边,即Postfix/TLS服务器?或者远程端,即 web.de 邮件服务器,它是 TLS 客户端?
我的服务器提供了两个 Letsencrypt 证书:
- 一份 EC 证书,
- 一份 RSA 证书。
我的 Postfix 中的相关 TLS 指令main.cf:
# TLS PARAMETERS
#
smtpd_tls_chain_files =
/etc/letsencrypt/live/server.my-domain.tld:smtps-ec/privkey.pem,
/etc/letsencrypt/live/server.my-domain.tld:smtps-ec/fullchain.pem,
/etc/letsencrypt/live/server.my-domain.tld:smtps-rsa/privkey.pem,
/etc/letsencrypt/live/server.my-domain.tld:smtps-rsa/fullchain.pem
smtpd_tls_CApath = /etc/ssl/certs
# note: for port 587, smtpd_tls_security_level is overwritten to `encrypt` in master.cf
smtpd_tls_security_level = may
smtpd_tls_received_header = yes
smtpd_tls_auth_only = yes
smtpd_tls_ciphers = medium
smtpd_tls_protocols = >=TLSv1.2
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_loglevel = 0
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtp_tls_ciphers = medium
smtp_tls_protocols = >=TLSv1.2
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_protocols = >=TLSv1.2
smtp_tls_loglevel = 0
在这两种情况下,信任锚都是“ISRG Root X1”。我的 TLSA 记录是
$ dig TLSA _25._tcp.server.my-domain.tld.
_25._tcp.server.my-domain.tld. 12340 IN CNAME letsencrypt._dane.my-domain.tld.
letsencrypt._dane.my-domain.tld. 13104 IN TLSA 0 1 1 0B9FA5A59EED715C26C1020C711B4F6EC42D58B0015E14337A39DAD3 01C5AFC3
对我自己的 Postfix 服务器运行 SSL Scan 会产生:
# sslscan --verbose --starttls-smtp server.my-domain.tld:25
Version: 2.1.2-static
OpenSSL 3.0.12 24 Oct 2023
Some servers will fail to response to SSLv3 ciphers over STARTTLS
If your scan hangs, try using the --tlsall option
Testing SSL server server.my-domain.tld on port 25 using SNI name server.my-domain.tld
SSL/TLS Protocols:
SSLv2 disabled
SSLv3 disabled
TLSv1.0 disabled
TLSv1.1 disabled
TLSv1.2 enabled
TLSv1.3 enabled
TLS Fallback SCSV:
OpenSSL OpenSSL 3.0.12 24 Oct 2023 looks like version 0.9.8m or later; I will try SSL_OP to enable renegotiation
OpenSSL OpenSSL 3.0.12 24 Oct 2023 looks like version 0.9.8m or later; I will try SSL_OP to enable renegotiation
Server supports TLS Fallback SCSV
TLS renegotiation:
OpenSSL OpenSSL 3.0.12 24 Oct 2023 looks like version 0.9.8m or later; I will try SSL_OP to enable renegotiation
use_unsafe_renegotiation_op
Session renegotiation not supported
TLS Compression:
OpenSSL OpenSSL 3.0.12 24 Oct 2023 looks like version 0.9.8m or later; I will try SSL_OP to enable renegotiation
Compression disabled
Heartbleed:
TLSv1.3 not vulnerable to heartbleed
TLSv1.2 not vulnerable to heartbleed
Supported Server Cipher(s):
SSL_connect() returned: 1
Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256 Curve 25519 DHE 253
SSL_connect() returned: 1
Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384 Curve 25519 DHE 253
SSL_connect() returned: 1
Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256 Curve 25519 DHE 253
SSL_connect() returned: -1
SSL_get_current_cipher() returned NULL; this indicates that the server did not choose a cipher from our list (TLS_AES_128_CCM_SHA256:TLS_AES_128_CCM_8_SHA256)
SSL_connect() returned: 1
Preferred TLSv1.2 256 bits ECDHE-ECDSA-AES256-GCM-SHA384 Curve 25519 DHE 253
SSL_connect() returned: 1
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve 25519 DHE 253
SSL_connect() returned: 1
Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 2048 bits
SSL_connect() returned: 1
Accepted TLSv1.2 256 bits ECDHE-ECDSA-CHACHA20-POLY1305 Curve 25519 DHE 253
SSL_connect() returned: 1
Accepted TLSv1.2 256 bits ECDHE-RSA-CHACHA20-POLY1305 Curve 25519 DHE 253
SSL_connect() returned: 1
Accepted TLSv1.2 256 bits DHE-RSA-CHACHA20-POLY1305 DHE 2048 bits
SSL_connect() returned: 1
Accepted TLSv1.2 256 bits ECDHE-ECDSA-AES256-CCM8 Curve 25519 DHE 253
SSL_connect() returned: 1
Accepted TLSv1.2 256 bits ECDHE-ECDSA-AES256-CCM Curve 25519 DHE 253
SSL_connect() returned: 1
Accepted TLSv1.2 256 bits DHE-RSA-AES256-CCM8 DHE 2048 bits
SSL_connect() returned: 1
Accepted TLSv1.2 256 bits DHE-RSA-AES256-CCM DHE 2048 bits
SSL_connect() returned: 1
Accepted TLSv1.2 256 bits ECDHE-ECDSA-ARIA256-GCM-SHA384 Curve 25519 DHE 253
SSL_connect() returned: 1
Accepted TLSv1.2 256 bits ECDHE-ARIA256-GCM-SHA384 Curve 25519 DHE 253
SSL_connect() returned: 1
Accepted TLSv1.2 256 bits DHE-RSA-ARIA256-GCM-SHA384 DHE 2048 bits
SSL_connect() returned: 1
Accepted TLSv1.2 256 bits ADH-AES256-GCM-SHA384 DHE 3072 bits
SSL_connect() returned: 1
Accepted TLSv1.2 128 bits ECDHE-ECDSA-AES128-GCM-SHA256 Curve 25519 DHE 253
SSL_connect() returned: 1
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve 25519 DHE 253
SSL_connect() returned: 1
Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 2048 bits
SSL_connect() returned: 1
Accepted TLSv1.2 128 bits ECDHE-ECDSA-AES128-CCM8 Curve 25519 DHE 253
SSL_connect() returned: 1
Accepted TLSv1.2 128 bits ECDHE-ECDSA-AES128-CCM Curve 25519 DHE 253
SSL_connect() returned: 1
Accepted TLSv1.2 128 bits DHE-RSA-AES128-CCM8 DHE 2048 bits
SSL_connect() returned: 1
Accepted TLSv1.2 128 bits DHE-RSA-AES128-CCM DHE 2048 bits
SSL_connect() returned: 1
Accepted TLSv1.2 128 bits ECDHE-ECDSA-ARIA128-GCM-SHA256 Curve 25519 DHE 253
SSL_connect() returned: 1
Accepted TLSv1.2 128 bits ECDHE-ARIA128-GCM-SHA256 Curve 25519 DHE 253
SSL_connect() returned: 1
Accepted TLSv1.2 128 bits DHE-RSA-ARIA128-GCM-SHA256 DHE 2048 bits
SSL_connect() returned: 1
Accepted TLSv1.2 128 bits ADH-AES128-GCM-SHA256 DHE 1024 bits
SSL_connect() returned: 1
Accepted TLSv1.2 256 bits ECDHE-ECDSA-AES256-SHA384 Curve 25519 DHE 253
SSL_connect() returned: 1
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA384 Curve 25519 DHE 253
SSL_connect() returned: 1
Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA256 DHE 2048 bits
SSL_connect() returned: 1
Accepted TLSv1.2 256 bits ECDHE-ECDSA-CAMELLIA256-SHA384 Curve 25519 DHE 253
SSL_connect() returned: 1
Accepted TLSv1.2 256 bits ECDHE-RSA-CAMELLIA256-SHA384 Curve 25519 DHE 253
SSL_connect() returned: 1
Accepted TLSv1.2 256 bits DHE-RSA-CAMELLIA256-SHA256 DHE 2048 bits
SSL_connect() returned: 1
Accepted TLSv1.2 256 bits ADH-AES256-SHA256 DHE 3072 bits
SSL_connect() returned: 1
Accepted TLSv1.2 256 bits ADH-CAMELLIA256-SHA256 DHE 3072 bits
SSL_connect() returned: 1
Accepted TLSv1.2 128 bits ECDHE-ECDSA-AES128-SHA256 Curve 25519 DHE 253
SSL_connect() returned: 1
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256 Curve 25519 DHE 253
SSL_connect() returned: 1
Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA256 DHE 2048 bits
SSL_connect() returned: 1
Accepted TLSv1.2 128 bits ECDHE-ECDSA-CAMELLIA128-SHA256 Curve 25519 DHE 253
SSL_connect() returned: 1
Accepted TLSv1.2 128 bits ECDHE-RSA-CAMELLIA128-SHA256 Curve 25519 DHE 253
SSL_connect() returned: 1
Accepted TLSv1.2 128 bits DHE-RSA-CAMELLIA128-SHA256 DHE 2048 bits
SSL_connect() returned: 1
Accepted TLSv1.2 128 bits ADH-AES128-SHA256 DHE 1024 bits
SSL_connect() returned: 1
Accepted TLSv1.2 128 bits ADH-CAMELLIA128-SHA256 DHE 1024 bits
SSL_connect() returned: 1
Accepted TLSv1.2 256 bits ECDHE-ECDSA-AES256-SHA Curve 25519 DHE 253
SSL_connect() returned: 1
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253
SSL_connect() returned: 1
Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA DHE 2048 bits
SSL_connect() returned: 1
Accepted TLSv1.2 256 bits DHE-RSA-CAMELLIA256-SHA DHE 2048 bits
SSL_connect() returned: 1
Accepted TLSv1.2 256 bits AECDH-AES256-SHA Curve 25519 DHE 253
SSL_connect() returned: 1
Accepted TLSv1.2 256 bits ADH-AES256-SHA DHE 3072 bits
SSL_connect() returned: 1
Accepted TLSv1.2 256 bits ADH-CAMELLIA256-SHA DHE 3072 bits
SSL_connect() returned: 1
Accepted TLSv1.2 128 bits ECDHE-ECDSA-AES128-SHA Curve 25519 DHE 253
SSL_connect() returned: 1
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253
SSL_connect() returned: 1
Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA DHE 2048 bits
SSL_connect() returned: 1
Accepted TLSv1.2 128 bits DHE-RSA-CAMELLIA128-SHA DHE 2048 bits
SSL_connect() returned: 1
Accepted TLSv1.2 128 bits AECDH-AES128-SHA Curve 25519 DHE 253
SSL_connect() returned: 1
Accepted TLSv1.2 128 bits ADH-AES128-SHA DHE 1024 bits
SSL_connect() returned: 1
Accepted TLSv1.2 128 bits ADH-CAMELLIA128-SHA DHE 1024 bits
SSL_connect() returned: 1
Accepted TLSv1.2 256 bits AES256-GCM-SHA384
SSL_connect() returned: 1
Accepted TLSv1.2 256 bits AES256-CCM8
SSL_connect() returned: 1
Accepted TLSv1.2 256 bits AES256-CCM
SSL_connect() returned: 1
Accepted TLSv1.2 256 bits ARIA256-GCM-SHA384
SSL_connect() returned: 1
Accepted TLSv1.2 128 bits AES128-GCM-SHA256
SSL_connect() returned: 1
Accepted TLSv1.2 128 bits AES128-CCM8
SSL_connect() returned: 1
Accepted TLSv1.2 128 bits AES128-CCM
SSL_connect() returned: 1
Accepted TLSv1.2 128 bits ARIA128-GCM-SHA256
SSL_connect() returned: 1
Accepted TLSv1.2 256 bits AES256-SHA256
SSL_connect() returned: 1
Accepted TLSv1.2 256 bits CAMELLIA256-SHA256
SSL_connect() returned: 1
Accepted TLSv1.2 128 bits AES128-SHA256
SSL_connect() returned: 1
Accepted TLSv1.2 128 bits CAMELLIA128-SHA256
SSL_connect() returned: 1
Accepted TLSv1.2 256 bits AES256-SHA
SSL_connect() returned: 1
Accepted TLSv1.2 256 bits CAMELLIA256-SHA
SSL_connect() returned: 1
Accepted TLSv1.2 128 bits AES128-SHA
SSL_connect() returned: 1
Accepted TLSv1.2 128 bits CAMELLIA128-SHA
SSL_connect() returned: -1
SSL_get_current_cipher() returned NULL; this indicates that the server did not choose a cipher from our list (ALL:COMPLEMENTOFALL:!ECDHE-ECDSA-AES256-GCM-SHA384:!ECDHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES256-GCM-SHA384:!ECDHE-ECDSA-CHACHA20-POLY1305:!ECDHE-RSA-CHACHA20-POLY1305:!DHE-RSA-CHACHA20-POLY1305:!ECDHE-ECDSA-AES256-CCM8:!ECDHE-ECDSA-AES256-CCM:!DHE-RSA-AES256-CCM8:!DHE-RSA-AES256-CCM:!ECDHE-ECDSA-ARIA256-GCM-SHA384:!ECDHE-ARIA256-GCM-SHA384:!DHE-RSA-ARIA256-GCM-SHA384:!ADH-AES256-GCM-SHA384:!ECDHE-ECDSA-AES128-GCM-SHA256:!ECDHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES128-GCM-SHA256:!ECDHE-ECDSA-AES128-CCM8:!ECDHE-ECDSA-AES128-CCM:!DHE-RSA-AES128-CCM8:!DHE-RSA-AES128-CCM:!ECDHE-ECDSA-ARIA128-GCM-SHA256:!ECDHE-ARIA128-GCM-SHA256:!DHE-RSA-ARIA128-GCM-SHA256:!ADH-AES128-GCM-SHA256:!ECDHE-ECDSA-AES256-SHA384:!ECDHE-RSA-AES256-SHA384:!DHE-RSA-AES256-SHA256:!ECDHE-ECDSA-CAMELLIA256-SHA384:!ECDHE-RSA-CAMELLIA256-SHA384:!DHE-RSA-CAMELLIA256-SHA256:!ADH-AES256-SHA256:!ADH-CAMELLIA256-SHA256:!ECDHE-ECDSA-AES128-SHA256:!ECDHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA256:!ECDHE-ECDSA-CAMELLIA128-SHA256:!ECDHE-RSA-CAMELLIA128-SHA256:!DHE-RSA-CAMELLIA128-SHA256:!ADH-AES128-SHA256:!ADH-CAMELLIA128-SHA256:!ECDHE-ECDSA-AES256-SHA:!ECDHE-RSA-AES256-SHA:!DHE-RSA-AES256-SHA:!DHE-RSA-CAMELLIA256-SHA:!AECDH-AES256-SHA:!ADH-AES256-SHA:!ADH-CAMELLIA256-SHA:!ECDHE-ECDSA-AES128-SHA:!ECDHE-RSA-AES128-SHA:!DHE-RSA-AES128-SHA:!DHE-RSA-CAMELLIA128-SHA:!AECDH-AES128-SHA:!ADH-AES128-SHA:!ADH-CAMELLIA128-SHA:!AES256-GCM-SHA384:!AES256-CCM8:!AES256-CCM:!ARIA256-GCM-SHA384:!AES128-GCM-SHA256:!AES128-CCM8:!AES128-CCM:!ARIA128-GCM-SHA256:!AES256-SHA256:!CAMELLIA256-SHA256:!AES128-SHA256:!CAMELLIA128-SHA256:!AES256-SHA:!CAMELLIA256-SHA:!AES128-SHA:!CAMELLIA128-SHA)
Server Key Exchange Group(s):
TLSv1.3 128 bits secp256r1 (NIST P-256)
TLSv1.3 192 bits secp384r1 (NIST P-384)
TLSv1.3 260 bits secp521r1 (NIST P-521)
TLSv1.3 128 bits x25519
TLSv1.3 224 bits x448
TLSv1.3 112 bits ffdhe2048
TLSv1.3 128 bits ffdhe3072
TLSv1.2 128 bits secp256r1 (NIST P-256)
TLSv1.2 192 bits secp384r1 (NIST P-384)
TLSv1.2 260 bits secp521r1 (NIST P-521)
TLSv1.2 128 bits x25519
TLSv1.2 224 bits x448
SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
ECC Curve Name: secp384r1
ECC Key Strength: 192
Subject: server.my-domain.tld
Altnames: DNS:server.my-domain.tld
Issuer: R3
Not valid before: Mar 11 19:44:07 2024 GMT
Not valid after: Jun 9 19:44:06 2024 GMT
知道为什么 web.de 邮件服务器不向我的 Postfix 服务器发送邮件吗?
我找到了解决方案。看来 web.de(和 gmx.de)仅支持 TLSA 证书使用 2 (DANE-TA) 和 3 (DANE-EE),请参阅RFC 6698,秒。2.1.1 . 因此,TLSA 记录必须是
或者
RFC 7672,秒。3.1.1规定用于 MTA 到 MTA 通信的 DANE 不应使用 TLSA 证书用途 0 (PKIX-TA) 和 1 (PKIX-EE),因为可能会发生远程不信任(或不知道)所引用的 TA MTA。奇怪的是,web.de 安装了 Letsencrypt“ISRG Root X1”并信任它作为 TA,因为当我完全禁用 TLSA 时,web.de 能够建立 TLS 连接。因此,似乎 web.de 明确禁止证书使用 0 或 1。
由于与终端实体证书相比其有效期更长,我决定将 Letscrypt 的中间证书“R3”声明为 DANE-TA 并添加 TLSA 记录
除了现有的 TLSA 记录之外
笔记: