最近我尝试使用 postfix SNI 为多个域设置多个 SSL。(Dovecot 保持不变)。现在我收到 TLS 错误(var/etc/mail.log):
Jan 22 22:06:17 2099047-cg00264 postfix/smtpd[138223]: connect from unknown[46.39.58.24]
Jan 22 22:06:17 2099047-cg00264 postfix/smtpd[138223]: warning: table hash:/etc/postfix/vmail_ssl.map.db: key history.tor: malformed BASE64 value: /FakeSSL/history.tor/history.t
Jan 22 22:06:17 2099047-cg00264 postfix/smtpd[138223]: warning: tls_server_sni_maps: history.tor map lookup problem
Jan 22 22:06:17 2099047-cg00264 postfix/smtpd[138223]: SSL_accept error from unknown[46.39.58.24]: -1
Jan 22 22:06:17 2099047-cg00264 postfix/smtpd[138223]: warning: TLS library problem: error:0A0000EA:SSL routines::callback failed:../ssl/statem/extensions.c:1000:
Jan 22 22:06:17 2099047-cg00264 postfix/smtpd[138223]: lost connection after STARTTLS from unknown[46.39.58.24]
Jan 22 22:06:17 2099047-cg00264 postfix/smtpd[138223]: disconnect from unknown[46.39.58.24] ehlo=1 starttls=0/1 commands=1/2
我的 postfix main.conf:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
# fresh installs.
compatibility_level = 3.6
smtpd_use_tls = yes
# TLS parameters
smtpd_tls_cert_file=/OtherSSL/mishkin.ml/mishkin.ml.chain.pem
smtpd_tls_key_file=/OtherSSL/mishkin.ml/mishkin.ml.priv.key
smtpd_tls_security_level=may
#smtp_tls_CApath=/OtherSSL/CA
smtp_tls_security_level=may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_auth_only = yes
smtpd_tls_wrappermode = no
smtpd_tls_mandatory_ciphers = high
tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mishkin.ml
mydomain = mishkin.ml
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, mishkin.ml, 2099047-cg00264.twc1.net, localhost.twc1.net, localhost, history.tor
virtual_alias_domains = mishkin.ml, history.tor
virtual_alias_maps = hash:/etc/postfix/virtual
relayhost =
mynetworks = 90.156.226.142/32
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
vmail_ssl.映射:
mishkin.ml /OtherSSL/mishkin.ml/mishkin.ml.chain.pem /OtherSSL/mishkin.ml/mishkin.ml.priv.key
history.tor /FakeSSL/history.tor/history.tor.chain.pem /FakeSSL/history.tor/history.tor.priv.key
SSL 是使用https://github.com/Vinalti/Self-Signed-Certificates-Generator创建的
- 尝试将两个 smtpd_tls 文件替换为 smtpd_tls_chain_files 参数
- 将 Postfix 移至 25 端口(是的,从 587 移至 25)
- 遵循其他 SNI 设置说明
- 尝试通过 openssl 获取证书,而不是那个脚本
执行 postmap 命令时可能缺少“-F”参数,您必须运行:postmap -F /etc/postfix/vmail_ssl.map,然后运行以下命令重新启动 postfix 服务:systemctl restart postfix