主页 / server / 问题 / 912627
Accepted
I Coetzee
Asked: 2018-05-17 22:38:12 +0800 CST

Stunnel - SMTP 身份验证失败

  • 772

嗨 ServerFault 社区,

我已于 2018 年 4 月 30 日和 2018 年 5 月 16 日将其发布到 stunnel-users 邮件列表,网址为https://www.stunnel.org/pipermail/stunnel-users/2018-April/006000.html,不幸的是那里没有人似乎知道答案,所以现在我正在和这里的专家一起试试运气。

以下是从邮件到邮件列表的逐字引用。

嗨列表,

我刚刚加入了 stunnel 社区。

出于 PCI 合规性的原因,我正在将我们的邮件服务器的面向公众的端口迁移到 stunnel。

到目前为止,我已经设法开始工作:

  • 带有 starttls 的 imap (143/tcp)
  • imaps (993/tcp)
  • 带有 starttls 的 pop3 (110/tcp)
  • pop3s (995/tcp)

我的麻烦在于带有 starttls 的 smtp(25/tcp,587/tcp)。

我现在尝试了几个不同的邮件客户端,每个人都告诉我服务器不支持身份验证协议。

我已经安装了 stunnel 5.44。在我的配置中设置相关部分:

[mail2-imap]
protocol = imap
accept = 143
connect = <mail-fqdn>:143

[mail2-imaps]
accept = 993
connect = <mail-fqdn>:143

[mail2-pop3]
protocol = pop3
accept = 110
connect = <mail-fqdn>:110
[mail2-pop3s]
accept = 995
connect = <mail-fqdn>:110

[mail2-smtp]
protocol = smtp
accept = 25
connect = <mail-fqdn>:25

[mail2-smtps]
accept = 465
connect = <mail-fqdn>:465

[mail2-smtps-submission]
debug = 7
protocol = smtp
accept = 587
connect = <mail-fqdn>:587

在日志文件中,我在连接时有以下条目

2018.04.30 09:20:50 LOG7[5]: Service [mail2-smtps-submission] started
2018.04.30 09:20:50 LOG7[5]: Option TCP_NODELAY set on local socket
2018.04.30 09:20:50 LOG5[5]: Service [mail2-smtps-submission] accepted connection from 41.13.8.49:56890
2018.04.30 09:20:50 LOG6[5]: s_connect: connecting 10.10.11.2:587
2018.04.30 09:20:50 LOG7[5]: s_connect: s_poll_wait 10.10.11.2:587: waiting 10 seconds
2018.04.30 09:20:50 LOG5[5]: s_connect: connected 10.10.11.2:587
2018.04.30 09:20:50 LOG5[5]: Service [mail2-smtps-submission] connected remote server from 10.10.11.11:42466
2018.04.30 09:20:50 LOG7[5]: Option TCP_NODELAY set on remote socket
2018.04.30 09:20:50 LOG7[5]: Remote descriptor (FD=23) initialized
2018.04.30 09:20:50 LOG7[5]: RFC 2487 detected
2018.04.30 09:20:50 LOG7[5]:  <- 220 <mail-fqdn> ESMTP Postfix
2018.04.30 09:20:50 LOG7[5]:  -> 220 <mail-fqdn> stunnel for ESMTP Postfix
2018.04.30 09:20:51 LOG7[5]:  <- EHLO [100.125.153.220]
2018.04.30 09:20:51 LOG7[5]:  -> 250-<mail-fqdn>
2018.04.30 09:20:51 LOG7[5]:  -> 250 STARTTLS
2018.04.30 09:20:51 LOG7[5]:  <- STARTTLS
2018.04.30 09:20:51 LOG7[5]:  -> 220 Go ahead
2018.04.30 09:20:51 LOG6[5]: Peer certificate not required
2018.04.30 09:20:51 LOG7[5]: TLS state (accept): before/accept initialization
2018.04.30 09:20:51 LOG7[5]: SNI: no virtual services defined
2018.04.30 09:20:51 LOG7[5]: TLS state (accept): SSLv3 read client hello A
2018.04.30 09:20:51 LOG7[5]: TLS state (accept): SSLv3 write server hello A
2018.04.30 09:20:51 LOG7[5]: TLS state (accept): SSLv3 write certificate A
2018.04.30 09:20:51 LOG7[5]: TLS state (accept): SSLv3 write key exchange A
2018.04.30 09:20:51 LOG7[5]: TLS state (accept): SSLv3 write server done A
2018.04.30 09:20:51 LOG7[5]: TLS state (accept): SSLv3 flush data
2018.04.30 09:20:51 LOG7[5]: TLS state (accept): SSLv3 read client certificate A
2018.04.30 09:20:52 LOG7[5]: TLS state (accept): SSLv3 read client key exchange A
2018.04.30 09:20:52 LOG7[5]: TLS state (accept): SSLv3 read certificate verify A
2018.04.30 09:20:52 LOG7[5]: TLS state (accept): SSLv3 read finished A
2018.04.30 09:20:52 LOG7[5]: TLS state (accept): SSLv3 write change cipher spec A
2018.04.30 09:20:52 LOG7[5]: TLS state (accept): SSLv3 write finished A
2018.04.30 09:20:52 LOG7[5]: TLS state (accept): SSLv3 flush data
2018.04.30 09:20:52 LOG7[5]: New session callback
2018.04.30 09:20:52 LOG7[5]:      2 server accept(s) requested
2018.04.30 09:20:52 LOG7[5]:      2 server accept(s) succeeded
2018.04.30 09:20:52 LOG7[5]:      0 server renegotiation(s) requested
2018.04.30 09:20:52 LOG7[5]:      0 session reuse(s)
2018.04.30 09:20:52 LOG7[5]:      2 internal session cache item(s)
2018.04.30 09:20:52 LOG7[5]:      0 internal session cache fill-up(s)
2018.04.30 09:20:52 LOG7[5]:      0 internal session cache miss(es)
2018.04.30 09:20:52 LOG7[5]:      0 external session cache hit(s)
2018.04.30 09:20:52 LOG7[5]:      0 expired session(s) retrieved
2018.04.30 09:20:52 LOG6[5]: TLS accepted: new session negotiated
2018.04.30 09:20:52 LOG6[5]: No peer certificate received
2018.04.30 09:20:52 LOG6[5]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
2018.04.30 09:20:52 LOG7[5]: Compression: null, expansion: null
2018.04.30 09:20:52 LOG6[5]: Read socket closed (read hangup)
2018.04.30 09:20:52 LOG7[5]: Sending close_notify alert
2018.04.30 09:20:52 LOG7[5]: TLS alert (write): warning: close notify
2018.04.30 09:20:52 LOG6[5]: SSL_shutdown successfully sent close_notify alert
2018.04.30 09:20:52 LOG6[5]: TLS fd: Connection reset by peer (104)
2018.04.30 09:20:52 LOG6[5]: TLS socket closed (SSL_read)
2018.04.30 09:20:52 LOG7[5]: Sent socket write shutdown
2018.04.30 09:20:52 LOG5[5]: Connection closed: 156 byte(s) sent to TLS, 30 byte(s) sent to socket
2018.04.30 09:20:52 LOG7[5]: Remote descriptor (FD=23) closed
2018.04.30 09:20:52 LOG7[5]: Local descriptor (FD=22) closed
2018.04.30 09:20:52 LOG7[5]: Service [mail2-smtps-submission] finished (4 left)

这是我从 K9-Mail K9-Mail 错误中得到的错误

谷歌邮件应用程序只是告诉我: 谷歌邮件错误

Alpine(linux命令行smtp客户端) Alpine客户端错误

大师有什么建议吗?

亲切的问候

stunnel

2 个回答

  1. Best Answer

    从您的评论中:

    问题是您的邮件服务器已经配置了 SSL 证书,因此只有在检测到安全加密连接时才允许 SMTP 身份验证。

    据我所知,您的 stunnel 服务器终止了客户端建立的安全连接,并与您的邮件服务器建立了第二个未加密的明文 smtp 连接。

    然后,邮件服务器拒绝接受客户端发出的任何身份验证请求,因为据它可以确定,否则客户端将通过不安全的连接发送其用户名和密码。

    问题是 stunnel 旨在将明文协议转换为 SSL 安全协议,反之亦然,但您想要做的需要一个“中间人”设置,您可以在其中获取传入 SSL 连接并创建传出 SSL 连接,这需要一些技巧

    https://serverfault.com/a/247967/37681

    • 0

  2. 感谢 HBruijn 为我指明了正确的方向。

    我最终做了以下,从我的配置中提取:

    [mail2-smtp]
protocol = smtp
accept = 25
connect = localhost:26

[mail2-smtps]
accept = 465
connect = localhost:26

[mail2-smtp-submission]
protocol = smtp
accept = 587
connect = localhost:26

[mail2-smtp-ssl-client]
protocol = smtp
accept = 26
client = yes
connect = <mail-fqdn>:587

    密钥是与邮件服务器建立安全连接的最后一部分。

    • 0

相关问题