Use case: we have a few Eaton PDUs/PSUs that do not support SSL/TLS authentication. My task is to build an SMTP relay server that accepts plain SMTP on port 25 and forwards the mail to our e-mail provider over SSL.
Note: the relay host uses stunnel to make the SMTPS connection on port 465.
My Postfix SMTP relay server sends mail successfully through our e-mail provider, Alimail. But I cannot get it to relay e-mail from other hosts on our network.
/etc/postfix/main.cf
smtpd_banner = mail01v-la ESMTP
inet_interfaces = all
inet_protocols = ipv4
mynetworks = 127.0.0.0/8, 10.96.80.0/24
relayhost = [127.0.0.1]:5000
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CApath = /etc/ssl/certs
smtp_use_tls = no
smtp_generic_maps = regexp:/etc/postfix/generic
/etc/postfix/sasl_passwd
[127.0.0.1]:5000 [email protected]:notifypwd
/etc/postfix/generic
/^root@(.*)$/ [email protected]
/etc/stunnel/stunnel.conf
client = yes
foreground = no
[smtps]
accept = 5000
connect = smtp.mxhichina.com:smtps
Telnet to the provider's SMTP port
[root@mail01v-la ~]# telnet smtp.mxhichina.com smtp
Trying 205.204.101.152...
Connected to smtp.mxhichina.com.
Escape character is '^]'.
220 smtp.aliyun-inc.com MX AliMail Server
ehlo google.come
250-smtp.aliyun-inc.com
250-STARTTLS
250-8BITMIME
250-AUTH=PLAIN LOGIN XALIOAUTH
250-AUTH PLAIN LOGIN XALIOAUTH
250-PIPELINING
250 DSN
Checking the tunnel connection
[root@mail01v-la ~]# telnet 127.0.0.1 5000
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 smtp.aliyun-inc.com MX AliMail Server
Sending e-mail from the relay server
echo "Stack Body" | mail -s "Test Subject for Stack" [email protected]
Result
Feb 14 18:30:29 mail01v-la postfix/pickup[4812]: 3194940DE2: uid=0 from=<root>
Feb 14 18:30:29 mail01v-la postfix/cleanup[4865]: 3194940DE2: message-id=<[email protected]>
Feb 14 18:30:29 mail01v-la postfix/qmgr[2606]: 3194940DE2: from=<[email protected]>, size=481, nrcpt=1 (queue active)
Feb 14 18:30:30 mail01v-la postfix/smtp[4867]: 3194940DE2: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:5000, delay=1.3, delays=0.01/0.01/0.85/0.46, dsn=2.0.0, status=sent (250 Data Ok: queued as freedom)
Feb 14 18:30:30 mail01v-la postfix/qmgr[2606]: 3194940DE2: removed
Testing from other hosts
A random CentOS server
/etc/postfix/main.cf
relayhost = [10.96.80.126]:5000
Result
Feb 14 18:06:52 test01v-la postfix/pickup[1247]: BB87C305A42F: uid=0 from=<root>
Feb 14 18:06:52 test01v-la postfix/cleanup[1387]: BB87C305A42F: message-id=<[email protected]>
Feb 14 18:06:52 test01v-la postfix/qmgr[1248]: BB87C305A42F: from=<[email protected]>, size=477, nrcpt=1 (queue active)
Feb 14 18:06:53 test01v-la postfix/smtp[1389]: BB87C305A42F: to=<[email protected]>, relay=10.96.80.126[10.96.80.126]:5000, delay=0.78, delays=0.01/0.01/0.61/0.15, dsn=5.0.0, status=bounced (host 10.96.80.126[10.96.80.126] said: 553 authentication is required (in reply to MAIL FROM command))
Eaton PSU
Eaton result
email[17131]: message error -110 in function smtp_start_session test - (Connection timed out) retrying smtp_start_session test
email[17131]: Failed to connect to SMTP server 10.96.80.126:5000 with username [email protected]
__
This is the first time I have done a setup like this. There are probably a lot of gaps in my knowledge that are causing me grief.
In a correct setup, do you even need to re-enter credentials on every host that wants to use the relay server? For example, in the Eaton SMTP configuration, should it be the credentials of the e-mail account used in the sasl file? Or a system account that is allowed to relay through Postfix? Or the account name defined in the postfix/generic file? A bit lost.
Is stunnel even the right way for me to connect over SSL/TLS? I saw STARTTLS in the telnet session with smtp.mxhichina.com.
Honestly, I think I am overcomplicating this or missing something obvious. If anyone has a better setup that fits my use case, that would be appreciated too.
Switching the SSL connection from stunnel to Postfix itself
Result
Feb 20 11:27:22 mail01v-la postfix/qmgr[1537]: 6B38AE5EE: from=<[email protected]>, size=479, nrcpt=1 (queue active)
Feb 20 11:27:22 mail01v-la postfix/smtp[1558]: CLIENT wrappermode (port smtps/465) is unimplemented
Feb 20 11:27:22 mail01v-la postfix/smtp[1558]: instead, send to (port submission/587) with STARTTLS
Feb 20 11:27:40 mail01v-la postfix/smtp[1558]: 6B38AE5EE: to=<[email protected]>, relay=smtp.mxhichina.com[205.204.101.152]:465, delay=613, delays=595/0.02/19/0, dsn=4.4.2, status=deferred (lost connection with smtp.mxhichina.com[205.204.101.152] while receiving the initial server greeting)
Feb 20 11:32:22 mail01v-la postfix/qmgr[1537]: A3F736B2: from=<[email protected]>, size=477, nrcpt=1 (queue active)
main.cf
inet_interfaces = all
inet_protocols = ipv4
mynetworks = 127.0.0.0/8, 10.96.80.0/24
relayhost = [smtp.mxhichina.com]:465
smtp_use_tls = yes
smtp_enforce_tls = yes
smtp_tls_wrappermode = yes
soft_bounce = yes
smtp_sasl_auth_soft_bounce = yes
/etc/postfix/sasl_passwd
smtp.mxhichina.com [email protected]:notifypwd
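Added example, not code from the post, from Postfix or from AliMail: a Python probe that reports at which SMTP stage a listener refuses to relay, plus a mock listener so it runs offline. The post's own configs and logs show why the two client tests failed the way they did: stunnel.conf has accept = 5000, so 10.96.80.126:5000 is the stunnel listener that forwards straight to smtp.mxhichina.com, and the CentOS host's MAIL FROM was answered by the provider (553 authentication is required), not by the Postfix smtpd on port 25. The probe makes that distinction visible without sending a message, and relay_decision() models the smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination policy (smtpd_recipient_restrictions on Postfix older than 2.10) under which hosts in mynetworks relay without per-device credentials. Assumptions: the mock's reply texts are constructed from the codes in the post's logs, MYDESTINATION and all addresses and hostnames are placeholders, and the trusted networks are the post's mynetworks value.

```python
"""Relay-acceptance probe for an SMTP smarthost, with an offline mock.

Added example, not code from the original post. probe_relay() asks a
listener whether it will relay for a sender/recipient pair without sending
a message (EHLO, MAIL FROM, RCPT TO, QUIT) and returns the first reply that
is not 250. The mock listener's replies are constructed from the codes in
the post's logs; it is not a real Postfix or AliMail implementation.
"""
import ipaddress
import smtplib
import socketserver
import threading

# Trusted client networks, copied from mynetworks in the post's main.cf.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.96.80.0/24")]
# Domains the relay delivers locally (Postfix mydestination); assumed values.
MYDESTINATION = {"mail01v-la", "localhost"}


def relay_decision(client_ip, rcpt_addr, mynetworks=MYNETWORKS, mydestination=MYDESTINATION):
    """Model the RCPT TO decision of
    'smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination'.

    Restrictions are evaluated left to right and the first PERMIT or REJECT
    wins. reject_unauth_destination only rejects recipients outside the local
    domains, so local mail is still accepted from anywhere. 554 is Postfix's
    default relay_domains_reject_code.
    """
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in mynetworks):
        return 250, "2.1.5 Ok"
    if rcpt_addr.rpartition("@")[2].lower() in mydestination:
        return 250, "2.1.5 Ok"
    return 554, "5.7.1 <%s>: Relay access denied" % rcpt_addr


def probe_relay(host, port, mail_from, rcpt_to, helo="probe.example"):
    """Return (stage, code, text): the MAIL FROM reply if it was not 250,
    otherwise the RCPT TO reply. DATA is never sent, so nothing is queued."""
    with smtplib.SMTP(host, port, timeout=10) as conn:
        conn.ehlo(helo)
        code, text = conn.mail(mail_from)
        if code != 250:
            return "mail", code, text.decode(errors="replace")
        code, text = conn.rcpt(rcpt_to)
        return "rcpt", code, text.decode(errors="replace")


class MockSMTPHandler(socketserver.StreamRequestHandler):
    """Minimal responder. server.mode is 'relay' (a Postfix-like smarthost
    that applies relay_decision to the peer address) or 'provider' (an
    AliMail-like server that refuses MAIL FROM with 553 until the client
    authenticates, which is what the post's clients hit on the stunnel port)."""

    def reply(self, code, text):
        self.wfile.write(("%d %s\r\n" % (code, text)).encode())

    def handle(self):
        client_ip = self.client_address[0]
        self.reply(220, "mock ESMTP")
        for raw in self.rfile:
            verb, _, arg = raw.decode(errors="replace").rstrip("\r\n").partition(" ")
            verb = verb.upper()
            if verb in ("EHLO", "HELO"):
                self.wfile.write(b"250-mock\r\n250 PIPELINING\r\n")
            elif verb == "MAIL":
                if self.server.mode == "provider":
                    self.reply(553, "authentication is required")
                else:
                    self.reply(250, "2.1.0 Ok")
            elif verb == "RCPT":
                addr = arg.partition(":")[2].strip().strip("<>")
                code, text = relay_decision(client_ip, addr)
                self.reply(code, text)
            elif verb == "QUIT":
                self.reply(221, "2.0.0 Bye")
                return
            else:
                self.reply(502, "5.5.2 Command not implemented")


def start_mock(mode):
    """Start a mock listener on 127.0.0.1 with an OS-chosen port; return (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), MockSMTPHandler)
    srv.mode = mode
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def demo():
    """Probe both mocks from 127.0.0.1 (inside mynetworks); placeholder addresses."""
    results = {}
    for mode in ("relay", "provider"):
        srv, port = start_mock(mode)
        try:
            results[mode] = probe_relay("127.0.0.1", port, "pdu-alert@relay.example", "ops@example.com")
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for mode, (stage, code, text) in demo().items():
        print("%-8s %s -> %d %s" % (mode, stage.upper(), code, text))
```

Against the real relay, run probe_relay(relay_ip, 25, sender, recipient) once from a host inside mynetworks and once from outside: the expected answers are 250 at RCPT TO from inside and 554 Relay access denied from outside. A 250 from outside means the box is an open relay, and a 553 at MAIL FROM means the client is talking to the provider through the tunnel port rather than to Postfix.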