peris's questions

peris
Asked: 2022-04-06 14:10:18 +0800 CST

Unable to log in via WebDAV on nginx

  • 0

EDIT: Nextcloud builds its own WebDAV implementation, Sabredav.

Could the following nginx modules be interfering? --with-http_dav_module --add-module=/var/tmp/nginx-dav-ext-module

Does anyone know how I should compile them dynamically, so that I can load/unload them at runtime per virtual host configuration?

Thanks :) END EDIT

I run Ubuntu server 20.04 on a personal server, on which I have deployed a manual installation of Nextcloud, which works except for WebDAV.

The whole thing runs under nginx 1.19.3, php-8.0 and FPM.

Trying to mount the Nextcloud private directory via davfs:

# mount -t davfs https://drive.example.com/remote.php/dav/files/myuser/ /mnt
Please enter the username to authenticate with server
https://drive.example.com/remote.php/dav/files/myuser/ or hit enter for none.
  Username: myuser
Please enter the password to authenticate user myuser with server
https://drive.example.com/remote.php/dav/files/myuser/ or hit enter for none.
  Password:
/sbin/mount.davfs: Mounting failed.
Could not authenticate to server: rejected Basic challenge

Nextcloud log related to the previous mount command:

# cat /home/nginx/Tools/nextcloud_data/nextcloud.log
{"reqId":"gf8ZgEQVDV7AoHp667YG","level":2,"time":"2022-04-05T17:50:58+00:00","remoteAddr":"x.y.z.w","user":"--","app":"core","method":"OPTIONS","url":"/remote.php/dav/files/myuser/","message":"Login failed: 'myuser' (Remote IP: 'x.y.z.w')","userAgent":"davfs2/1.5.5 neon/0.30.2","version":"23.0.3.2"}

Nginx log related to the previous mount command:

# cat /var/log/nginx/nextcloud.log
x.y.z.w drive.example.com - [05/Apr/2022:13:53:31 -0400] "OPTIONS /remote.php/dav/files/myuser/ HTTP/1.1" 401 569 "-" "davfs2/1.5.5 neon/0.30.2" "-" "-"
x.y.z.w drive.example.com myuser [05/Apr/2022:13:53:57 -0400] "OPTIONS /remote.php/dav/files/myuser/ HTTP/1.1" 401 427 "-" "davfs2/1.5.5 neon/0.30.2" "-" "Basic CRYPTED_PASSWORD"

Some unrelated Ubuntu info:

# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.4 LTS
Release:    20.04
Codename:   focal

# uname -a
Linux host.example.com 5.4.0-107-generic #121-Ubuntu SMP Thu Mar 24 16:04:27 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Nginx has been downloaded via apt from the official nginx repo and compiled from source:

# apt source nginx
# cd nginx-0.8.54
# edit debian/rules
# dpkg-buildpackage -b nginx

Nginx version, features and compile arguments:

# nginx -vV
nginx version: nginx/1.19.3
built by gcc 9.3.0 (Ubuntu 9.3.0-10ubuntu2)
built with OpenSSL 1.1.1g  21 Apr 2020
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/var/tmp/nginx-1.19.3=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie' --add-dynamic-module=/var/tmp/ngx_http_geoip2_module --with-http_geoip_module --with-http_dav_module --add-module=/var/tmp/nginx-dav-ext-module --without-mail_imap_module --without-mail_pop3_module --without-mail_smtp_module --without-http_limit_conn_module --add-module=/var/tmp/incubator-pagespeed-ngx-1.13.35.2-stable/ --add-module=/home/nginx/Tools/openproject/.rbenv/versions/2.6.1//lib/ruby/gems/2.6.0//gems/passenger-6.0.6/src/nginx_module/

PHP info:

# php8.0 --version
PHP 8.0.15 (cli) (built: Jan 29 2022 07:24:52) ( NTS )
Copyright (c) The PHP Group
Zend Engine v4.0.15, Copyright (c) Zend Technologies
    with Zend OPcache v8.0.15, Copyright (c), by Zend Technologies


# php8.0 -m
[PHP Modules]
apcu
bcmath
bz2
calendar
Core
ctype
curl
date
dom
exif
FFI
fileinfo
filter
ftp
gd
gettext
gmp
hash
iconv
igbinary
imagick
intl
json
libxml
mbstring
memcache
mongodb
mysqli
mysqlnd
openssl
pcntl
pcre
PDO
pdo_mysql
pdo_sqlite
Phar
posix
pspell
readline
redis
Reflection
session
shmop
SimpleXML
soap
sockets
sodium
SPL
sqlite3
standard
sysvmsg
sysvsem
sysvshm
tokenizer
xml
xmlreader
xmlrpc
xmlwriter
xsl
Zend OPcache
zip
zlib

[Zend Modules]
Zend OPcache

Nextcloud info:

# sudo -u nginx php8.0 /home/nginx/Tools/nextcloud/occ status
  - installed: true
  - version: 23.0.3.2
  - versionstring: 23.0.3
  - edition:
  - maintenance: false
  - needsDbUpgrade: false
  - productname: Nextcloud
  - extendedSupport: false

Nginx virtual host file:

# cat /etc/nginx/sites-enabled/nextcloud.conf
upstream php-handler {
    server unix:/var/run/php/php8.0-fpm.sock;
}

# Set the `immutable` cache control options only for assets with a cache busting `v` argument
map $arg_v $asset_immutable {
    "" "";
    default "immutable";
}

server {
    listen 80;
    listen [::]:80;
    server_name drive.foobar.es drive.foobar.com cloud.foobar.es cloud.foobar.com cloud.example.es cloud.example.com cloud.example.net cloud.example.org cloud.example.info drive.example.es drive.example.com drive.example.org drive.example.net drive.example.info drive.example.cat cloud.example.cat;

    access_log  /var/log/nginx/nextcloud.access.log main;
    error_log   /var/log/nginx/nextcloud.error.log crit;

    return 301 https://$host$request_uri;
#    return 302 https://$host$request_uri;
}

server {
    listen      443 ssl http2;
    listen      [::]:443 ssl http2;
    server_name     drive.foobar.es drive.foobar.com cloud.foobar.es cloud.foobar.com cloud.example.es cloud.example.com cloud.example.net cloud.example.org cloud.example.info drive.example.es drive.example.com drive.example.org drive.example.net drive.example.info drive.example.cat cloud.example.cat;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/example.com/privkey.pem;
    include         /etc/nginx/conf.d-enabled/ssl-security.conf;
    ssl_trusted_certificate /etc/letsencrypt/live/example.es/cert.pem;

    access_log          /var/log/nginx/nextcloud_ssl.access.log main;
    error_log           /var/log/nginx/nextcloud_ssl.error.log crit;

    # Code to enable renewal of the Letsencrypt certificates
    include /etc/nginx/snippets/letsencrypt-cert-renewal-dir.conf;

    if ($http_host != "drive.example.com" ) {
    rewrite ^ https://drive.example.com$request_uri permanent;
    break;
    }

    # HSTS settings
    # WARNING: Only add the preload option once you read about
    # the consequences in hstspreload.org. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Make a regex exception for `/.well-known` so that clients can still
    # access it despite the existence of the regex rule
    # `location ~ /(\.|autotest|...)` which would otherwise handle requests
    # for `/.well-known`.
    location ^~ /.well-known {
        # The rules in this block are an adaptation of the rules
        # in `.htaccess` that concern `/.well-known`.

        location = /.well-known/carddav { return 301 /remote.php/dav/; }
        location = /.well-known/caldav  { return 301 /remote.php/dav/; }

        location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
        location /.well-known/pki-validation    { try_files $uri $uri/ =404; }

        # Let Nextcloud's API for `/.well-known` URIs handle all other
        # requests by passing them to the front-end controller.
        return 301 /index.php$request_uri;
    }

#location ^~ / {
    # set max upload size and increase upload timeout:
    client_max_body_size 50G;
    client_body_timeout 300s;
    fastcgi_buffers 64 4K;

    client_body_temp_path /home/nginx/Tools/nextcloud_data/tmp/;
    add_header X-Accel-Buffering no;

    # Because php-fpm can’t read PHP settings in .htaccess these settings
    # must be set in the nextcloud/.user.ini
    # fastcgi_param PHP_VALUE "upload_max_filesize=5M;\n error_reporting=E_ALL;";
    #
    # All php.ini overrides go in ONE PHP_VALUE: PHP-FPM stores FastCGI params by
    # name, so a repeated PHP_VALUE overwrites the previous one and only the last
    # survives. fastcgi_param directives at server level are also not inherited by
    # a location that declares its own fastcgi_param (the `\.php` block below does),
    # so this directive has to be repeated inside that block to take effect.
    # request_terminate_timeout is a php-fpm pool option, not a php.ini setting,
    # and belongs in the pool configuration instead.
    fastcgi_param PHP_VALUE "upload_tmp_dir=/home/nginx/Tools/nextcloud_data/tmp/\n output_buffering=0\n upload_max_filesize=50G\n post_max_size=50G\n max_input_time=4600\n max_execution_time=3600";
    fastcgi_read_timeout 3600;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # Pagespeed is not supported by Nextcloud, so if your server is built
    # with the `ngx_pagespeed` module, uncomment this line to disable it.
    pagespeed off;

    # HTTP response headers borrowed from Nextcloud `.htaccess`
    add_header Referrer-Policy                      "no-referrer"   always;
    add_header X-Content-Type-Options               "nosniff"       always;
    add_header X-Download-Options                   "noopen"        always;
    add_header X-Frame-Options                      "SAMEORIGIN"    always;
    add_header X-Permitted-Cross-Domain-Policies    "none"          always;
    add_header X-Robots-Tag                         "none"          always;
    add_header X-XSS-Protection                     "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # Path to the root of your installation
    root /home/nginx/Tools/nextcloud/;

    # Specify how to handle directories -- specifying `/index.php$request_uri`
    # here as the fallback means that Nginx always exhibits the desired behaviour
    # when a client requests a path that corresponds to a directory that exists
    # on the server. In particular, if that directory contains an index.php file,
    # that file is correctly served; if it doesn't, then the request is passed to
    # the front-end controller. This consistent behaviour means that we don't need
    # to specify custom rules for certain paths (e.g. images and other assets,
    # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
    # `try_files $uri $uri/ /index.php$request_uri`
    # always provides the desired behaviour.
    index index.php index.html /index.php$request_uri;

    # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
    location = / {
        if ( $http_user_agent ~ ^DavClnt ) {
            return 302 /remote.php/webdav/$is_args$args;
        }
    }

    # Rules borrowed from `.htaccess` to hide certain paths from clients
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }

    # Ensure this block, which passes PHP files to the PHP process, is above the blocks
    # which handle static assets (as seen below). If this block is not declared first,
    # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
    # to the URI, resulting in a HTTP 500 error response.
    location ~ \.php(?:$|/) {
        # Required for legacy support
        rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;

        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        set $path_info $fastcgi_path_info;

        try_files $fastcgi_script_name =404;

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param HTTPS on;

        fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
        fastcgi_param front_controller_active true;     # Enable pretty urls
        fastcgi_pass php-handler;

        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;

        fastcgi_max_temp_file_size 0;
    }

   location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map)$ {
        try_files $uri /index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463, $asset_immutable";
        access_log off;     # Optional: Don't log access to assets

        location ~ \.wasm$ {
            default_type application/wasm;
        }
    }

    location ~ \.woff2?$ {
        try_files $uri /index.php$request_uri;
        expires 7d;         # Cache-Control policy borrowed from `.htaccess`
        access_log off;     # Optional: Don't log access to assets
    }

    # Suppressing log messages
    # If you’re seeing meaningless messages in your logfile, for example client denied by server configuration: /var/www/data/htaccesstest.txt, add this section to your nginx configuration to suppress them:
    location = /data/htaccesstest.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Rule borrowed from `.htaccess`
    location /remote {
        return 301 /remote.php$request_uri;
    }

    location / {
        try_files $uri $uri/ /index.php$request_uri;
    }
#}
}

Nginx SSL config file included in the nginx virtual host config file:

# cat /etc/nginx/conf.d-enabled/ssl-security.conf
  # enable session resumption to improve https performance
  # vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
  ssl_session_cache shared:SSL:50m;
  ssl_session_timeout 1d;
  ssl_session_tickets off;

  # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
  #ssl_dhparam /etc/ssl/certs/dhparam.pem;
  # openssl dhparam -dsaparam -out /etc/ssl/private/dhparam.pem 4096
  ssl_dhparam /etc/ssl/certs/dhparam4096.pem;

  # enables server-side protection from BEAST attacks
  # blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
  ssl_prefer_server_ciphers on;

  # SSLv3 (enabled by default since nginx 0.8.19) is disabled since it's less secure than TLS en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
  # Disabled protocols: SSLv3 TLSv1 TLSv1.1
  ssl_protocols TLSv1.2 TLSv1.3;
#  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

  # ciphers chosen for forward secrecy and compatibility
  # blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
  ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';

  # enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)
  # blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
  resolver 8.8.8.8 8.8.4.4;
  ssl_stapling on;
  ssl_stapling_verify on;
#  ssl_trusted_certificate /etc/nginx/ssl/star_forgott_com.crt;

  # config to enable HSTS(HTTP Strict Transport Security) developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
  # to avoid ssl stripping en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
  # also hstspreload.org/
  add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";

# cat /etc/nginx/fastcgi_params
fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

### SET GEOIP Variables ###
fastcgi_param GEOIP_COUNTRY_CODE $geoip_country_code;
fastcgi_param GEOIP_COUNTRY_CODE3 $geoip_country_code3;
fastcgi_param GEOIP_COUNTRY_NAME $geoip_country_name;

fastcgi_param GEOIP_CITY_COUNTRY_CODE $geoip_city_country_code;
fastcgi_param GEOIP_CITY_COUNTRY_CODE3 $geoip_city_country_code3;
fastcgi_param GEOIP_CITY_COUNTRY_NAME $geoip_city_country_name;
fastcgi_param GEOIP_REGION $geoip_region;
fastcgi_param GEOIP_CITY $geoip_city;
fastcgi_param GEOIP_POSTAL_CODE $geoip_postal_code;
fastcgi_param GEOIP_CITY_CONTINENT_CODE $geoip_city_continent_code;
fastcgi_param GEOIP_LATITUDE $geoip_latitude;
fastcgi_param GEOIP_LONGITUDE $geoip_longitude;

Thank you very much.

Hope someone can help :)

linux ubuntu nginx webdav nextcloud
  • 1 answer
  • 444 Views
peris
Asked: 2022-03-09 12:54:04 +0800 CST

Suddenly dig +nocmd pop3.pauperis.org aaaa +noall +answer returns nothing

  • 0

The command dig +nocmd pop3.pauperis.org aaaa +noall +answer returns the following on my laptop:

pop3.pauperis.org.  3111    IN  CNAME   pauperis.org.
pauperis.org.       3111    IN  AAAA    2001:41d0:1:8ade::1

But the same command on my server, suddenly and with no apparent configuration change, returns nothing:

# dig +nocmd pop3.pauperis.org aaaa +noall +answer
#

This is the response on my server, but with the +trace option:

dig +nocmd pop3.pauperis.org aaaa +noall +answer +trace
.           44679   IN  NS  e.root-servers.net.
.           44679   IN  NS  m.root-servers.net.
.           44679   IN  NS  l.root-servers.net.
.           44679   IN  NS  b.root-servers.net.
.           44679   IN  NS  g.root-servers.net.
.           44679   IN  NS  i.root-servers.net.
.           44679   IN  NS  a.root-servers.net.
.           44679   IN  NS  d.root-servers.net.
.           44679   IN  NS  h.root-servers.net.
.           44679   IN  NS  f.root-servers.net.
.           44679   IN  NS  j.root-servers.net.
.           44679   IN  NS  k.root-servers.net.
.           44679   IN  NS  c.root-servers.net.
.           44679   IN  RRSIG   NS 8 0 518400 20220316050000 20220303040000 9799 . WHZ//zKcRc0aFze+haFiC5a0GwaCwCsopDkMLzMZrOTTvejeb96R01h+ 2mlnsd4qivrbop0a7fBz+Vs/m+YVOPku+vCO/fnZ+NW/KgrtXpHoPopE WayXrfwtEC+Iu/G7gD1bePIhXqeEMSYlfLD84g7ezASeXc4q3Yrfw3+s SnKkG/vwlZ3IFcSw90bqyYoV597fRLZYdEoUzDjp9onU/NcwqmWJ6muV Ms2IO7kHTaUfMO7z6mgf5PGC2ylTywz+4WZLFd6t8QvZypEMGFwPSxJ2 W86Sdh2QJSDznW3V5CFW3tW+59ZzKsJHuGlHTwqem+egipZMXoMW9y+F 08ZVlg==
;; Received 1137 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

org.            172800  IN  NS  b2.org.afilias-nst.org.
org.            172800  IN  NS  a2.org.afilias-nst.info.
org.            172800  IN  NS  d0.org.afilias-nst.org.
org.            172800  IN  NS  a0.org.afilias-nst.info.
org.            172800  IN  NS  b0.org.afilias-nst.org.
org.            172800  IN  NS  c0.org.afilias-nst.info.
org.            86400   IN  DS  26974 8 2 4FEDE294C53F438A158C41D39489CD78A86BEB0D8A0AEAFF14745C0D 16E1DE32
org.            86400   IN  RRSIG   DS 8 1 86400 20220321170000 20220308160000 9799 . m3lulShGydigMRJiRixpAFeO9YBBkntgr2Gk42/sts9JLeGVavWmrAyd 5uFDMPf+DqWjgz65BCR1kipEpJAbETmqiwf17rrk9yDIXYGDfrdv04tg w5+4LjANeRzCqr9CH2FFokRt5cl2AdCSn2kNonndSM72Zfhots5ggn8G nTXyt3Aj3Hg4xagS1ZqPhodM15r95NVWw4ozPywSt76vI/oOgEBF6ckw Hz9AEg5i4MdSoLTwiT9fLE51KfiJQO6Xfp8ZANUFtwrydLb0pqJtXMbC BoJnhXjyjWzlOA5/ze5PR3nCh7tbtbTdxdowiB2Jrc3j5Cirfw7dAske TAjiiQ==
;; Received 817 bytes from 192.36.148.17#53(i.root-servers.net) in 3 ms

pauperis.org.       86400   IN  NS  ns111.ovh.net.
pauperis.org.       86400   IN  NS  dns111.ovh.net.
pauperis.org.       86400   IN  DS  18975 7 2 9CE6DA2D7883298D589BDBD5DFD29BB76FB24329C12B453A055F06F6 4EEC0C0C
pauperis.org.       86400   IN  RRSIG   DS 8 2 86400 20220322152315 20220301142315 30573 org. mE8EiULvqr8ZBCDb6rQnXHlxVoZtaTzbLjMtRi9w2jyGYYcKbX0m8N7R +b4NmqrsiQa7nz3DBbDDwt8IbXZfEIqVmGLJrx7Gp+uMDECa54mz06kG Xz1LWb6j/B6CA+1+fa+MyDBJt7A6inBLZQix8Fr9xkWRYznsQqyeeHnW YYo=
;; Received 305 bytes from 199.19.57.1#53(d0.org.afilias-nst.org) in 83 ms

pop3.pauperis.org.  3600    IN  CNAME   pauperis.org.
pop3.pauperis.org.  3600    IN  RRSIG   CNAME 8 3 3600 20220403112323 20220304112323 37698 pauperis.org. OhXaHFQ1xfLU2T3zjUIBpKsW6k62NZVlnCf4aQKUhbtDcVTGbWDNbwo7 MkpsDh2zpwG3vIqzqdw9t0Uuq7A1U+TDH0SetnBDVvlR1dNNZRbEiWBd C1dJiNuItE37iDNexAebRBvSnM/9hfjDUwDaX7Q78iQS836gxkTSV/g7 Bys=
pauperis.org.       3600    IN  AAAA    2001:41d0:1:8ade::1
pauperis.org.       3600    IN  RRSIG   AAAA 8 2 3600 20220403112323 20220304112323 37698 pauperis.org. dZP/Vxls3u1x8lMQ4A4NULX/UMrf7M+YkBNim4pJ/O9qkHCHn3N19Fku JciU5LCsWd4dw856ejt6CLBDy1c5RSADfrP+q3O3x9kstsgrH+Wf0pP8 cU2y/mTJRSQWPp+6jBUITshXJvcuV+XFpHeA931570XelUGN7ZuEStzD COc=
;; Received 432 bytes from 2001:41d0:1:4a9b::1#53(dns111.ovh.net) in 3 ms

Can anyone tell me what might be wrong?

Thanks a lot in advance :)

domain-name-system internal-dns dns-zone dig
  • 1 answer
  • 21 Views
peris
Asked: 2020-10-07 08:45:51 +0800 CST

Make nginx execute a specific PHP file when an exact location is loaded

  • 0

I have just implemented the Autodiscover feature for MS Outlook clients via Nginx and a PHP script. Although the setup works like a charm, I would like to make some improvements to the nginx server block, which I have not managed to do.

The current nginx server block looks as follows. As you can see, when the location /autodiscover/autodiscover.xml is loaded, the client is redirected to /autodiscover/autodiscover.php, then nginx executes the PHP script and returns the result to the client.

        location = /autodiscover/autodiscover.xml
        {
            rewrite .* /autodiscover/autodiscover.php redirect;
        }

        location ~ \.php$ {
            fastcgi_pass            php-fpm73;
            fastcgi_split_path_info ^(.+\.php)(/.*)$;
            include                 /etc/nginx/fastcgi_params;
            fastcgi_param           SCRIPT_FILENAME    $document_root$fastcgi_script_name;
            fastcgi_param           HTTPS              on;
        }

I would like to modify the nginx server block so that when /autodiscover/autodiscover.xml is requested, the PHP script /autodiscover/autodiscover.php is executed and the result is returned to the client without a redirect, so that the client's URL remains /autodiscover/autodiscover.xml.

Hope someone can help me.

Thanks in advance,

linux http nginx
  • 1 answer
  • 137 Views
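One way to serve the .xml URL from the PHP script without a client-visible redirect is an internal rewrite with `last`, which re-runs location matching inside nginx instead of sending a 3xx. This is an added example, not from the original question; it reuses the question's upstream name php-fpm73 and its fastcgi settings.

```nginx
# Added example: internal rewrite instead of a 302 redirect.
# `last` changes the URI to /autodiscover/autodiscover.php and restarts location
# matching inside nginx; the client never sees a redirect and keeps the .xml URL.
location = /autodiscover/autodiscover.xml {
    rewrite ^ /autodiscover/autodiscover.php last;
}

# Same PHP handler as in the question (upstream name php-fpm73 taken from there).
# After the rewrite $fastcgi_script_name is /autodiscover/autodiscover.php while
# $request_uri still holds the original /autodiscover/autodiscover.xml, so the
# script can still see what the client actually asked for.
location ~ \.php$ {
    fastcgi_pass            php-fpm73;
    fastcgi_split_path_info ^(.+\.php)(/.*)$;
    include                 /etc/nginx/fastcgi_params;
    fastcgi_param           SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param           HTTPS on;
}
```

Verify with `curl -i https://your-host/autodiscover/autodiscover.xml` that the response comes back directly from the script (no `Location:` header, no 302).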
peris
Asked: 2020-10-03 11:25:03 +0800 CST

SSL error: No path found from the leaf certificate to any root. Maybe an intermediate certificate is missing

  • 1

I have set up a personal mail server using postfix, postfix-saslauth, courier (mysqlauthd, imap, pop) and some good practices such as SPF, DKIM and DMARC.

This setup has been working fine for the past 10 years, and today, for the first time, I tried to add access to one of the accounts through GMail, which requires a working POP3 service. I can successfully add the account via the POP3 service on port 110 (no security and/or encryption).

The problem comes when I try to configure GMail to access the account via the POP3 service on port 995, using security. When doing so, I get the following error from GMail:

SSL error: No path found from the leaf certificate to any root. Maybe an intermediate certificate is missing

I have downloaded Mozilla Thunderbird and I can download e-mails through the POP3 service on port 995 without any problem, so my question is: does anyone know how to solve this with GMail?

Below is my courier-pop3d-ssl configuration:

SSLPORT=995
SSLADDRESS=0
SSLPIDFILE=/run/courier/pop3d-ssl.pid
SSLLOGGEROPTS="-name=pop3d-ssl"
POP3DSSLSTART=YES
POP3_STARTTLS=YES
POP3_TLS_REQUIRED=0
COURIERTLS=/usr/bin/couriertls
TLS_STARTTLS_PROTOCOL="$TLS_PROTOCOL"
TLS_CIPHER_LIST="TLSv1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH"
TLS_STARTTLS_PROTOCOL="$TLS_PROTOCOL"
TLS_CERTFILE=/etc/courier/certificates/certificate.pem
TLS_PRIVATE_KEYFILE=/etc/courier/certificates/tls_private_keyfile.pem
TLS_DHPARAMS=/etc/courier/certificates/dhparams.pem
TLS_TRUSTCERTS=/etc/ssl/certs/ca-certificates.crt
TLS_VERIFYPEER=NONE
TLS_CACHEFILE=/var/lib/courier/couriersslimapcache
TLS_CACHESIZE=524288
MAILDIRPATH=Maildir

Here is some SSL certificate info:

## Letsencrypt CRT + Key cert files
cat /etc/letsencrypt/live/mydomain.com/cert.pem /etc/letsencrypt/live/mydomain.com/privkey.pem >> /etc/courier/certificates/letsencrypt-mydomain_com_crt_key.pem

ls -la /etc/courier/certificates/certificate.pem
lrwxrwxrwx 1 root courier 60 Oct  2 20:24 /etc/courier/certificates/certificate.pem -> /etc/courier/certificates/letsencrypt-mydomain_com_key.pem

ls -la /etc/courier/certificates/tls_private_keyfile.pem
lrwxrwxrwx 1 root courier 47 Oct  1 17:45 /etc/courier/certificates/tls_private_keyfile.pem -> /etc/letsencrypt/live/mydomain.com/privkey.pem

My SSL certificates are generated via Letsencrypt:

ls -la /etc/letsencrypt/live/mydomain.com/
total 12
drwxr-xr-x 2 root root 4096 Oct  2 14:35 .
drwx------ 8 root root 4096 Oct  2 14:35 ..
lrwxrwxrwx 1 root root   37 Oct  2 14:35 cert.pem -> ../../archive/mydomain.com/cert1.pem
lrwxrwxrwx 1 root root   38 Oct  2 14:35 chain.pem -> ../../archive/mydomain.com/chain1.pem
lrwxrwxrwx 1 root root   42 Oct  2 14:35 fullchain.pem -> ../../archive/mydomain.com/fullchain1.pem
lrwxrwxrwx 1 root root   40 Oct  2 14:35 privkey.pem -> ../../archive/mydomain.com/privkey1.pem
-rw-r--r-- 1 root root  692 Oct  2 14:35 README

This is the error I see in /var/log/mail.log when GMail tries to connect through the POP3 service on port 995:

Oct  2 21:12:15 we pop3d-ssl: Connection, ip=[::ffff:74.120.14.35]
Oct  2 21:12:16 we pop3d-ssl: ip=[::ffff:74.120.14.35], Unexpected SSL connection shutdown.
Oct  2 21:12:16 we pop3d-ssl: Disconnected, ip=[::ffff:74.120.14.35]

Should I concatenate the intermediate and leaf (server) certificates somewhere? How? In what order?

Thanks in advance

SOLUTION:

According to courier-mta.org, the generated TLS_CERTFILE includes both the certificate and the private key. The file must not be world-readable, and it must be accessible without a passphrase, i.e. it must not be encrypted.

So to solve the problem I had to concatenate the Letsencrypt CRT + CHAIN + KEY in this strict order:

cat /etc/letsencrypt/live/mydomain.com/cert.pem /etc/letsencrypt/live/mydomain.com/chain.pem /etc/letsencrypt/live/mydomain.com/privkey.pem >> /etc/courier/certificates/certificate.pem.mydomain.com

ssl pop3 courier openssl ssl-certificate-errors
  • 1 answer
  • 1686 Views
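As an added example (not from the original question), a small Python checker for the three requirements the solution above relies on: PEM block order leaf, chain, key; an unencrypted key; and a file that group and others cannot read. It only inspects PEM labels and the file mode, not the X.509 contents; the sample blocks are constructed placeholders, not real certificates or keys.

```python
"""Sanity-check a Courier-style TLS_CERTFILE bundle: leaf cert, chain, key."""
import os
import re
import stat
import tempfile

# One PEM block: label, base64 body, matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)


def pem_block_types(text):
    """Return the PEM block labels in the order they appear in `text`."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def key_is_encrypted(text):
    """True if any private-key block is passphrase-protected (PKCS#8 or legacy headers)."""
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        if label == "ENCRYPTED PRIVATE KEY":
            return True
        if label.endswith("PRIVATE KEY") and "Proc-Type: 4,ENCRYPTED" in body:
            return True
    return False


def check_bundle_text(text):
    """Return a list of problems with the bundle content (empty list means OK)."""
    problems = []
    types = pem_block_types(text)
    certs = [t for t in types if t == "CERTIFICATE"]
    keys = [t for t in types if t.endswith("PRIVATE KEY")]
    if not certs:
        problems.append("no CERTIFICATE block: leaf certificate missing")
    elif len(certs) < 2:
        problems.append("only one CERTIFICATE block: intermediate chain missing")
    if len(keys) != 1:
        problems.append("expected exactly one PRIVATE KEY block, found %d" % len(keys))
    if types and types[0] != "CERTIFICATE":
        problems.append("first block must be the leaf CERTIFICATE, found %s" % types[0])
    if types and not types[-1].endswith("PRIVATE KEY"):
        problems.append("last block must be the PRIVATE KEY, found %s" % types[-1])
    if key_is_encrypted(text):
        problems.append("private key is encrypted; Courier cannot prompt for a passphrase")
    return problems


def check_bundle_file(path):
    """Content checks plus the permission check: group/other must not be able to read."""
    problems = []
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append("file is group- or world-readable (mode %o)" % stat.S_IMODE(mode))
    with open(path) as f:
        problems.extend(check_bundle_text(f.read()))
    return problems


def _fake_block(label, payload):
    # Constructed placeholder PEM block; the body is NOT a real certificate or key.
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, payload, label)


LEAF = _fake_block("CERTIFICATE", "TEFFRkFDRVJUUExBQ0VIT0xERVI=")
CHAIN = _fake_block("CERTIFICATE", "SU5URVJNRURJQVRFUExBQ0VIT0xERVI=")
KEY = _fake_block("PRIVATE KEY", "UFJJVkFURUtFWVBMQUNFSE9MREVS")
ENC_KEY = _fake_block("ENCRYPTED PRIVATE KEY", "RU5DUllQVEVES0VZ")

# Order from the solution: cert.pem + chain.pem + privkey.pem
GOOD_BUNDLE = LEAF + CHAIN + KEY
# What the question started with: cert.pem + privkey.pem, no chain
NO_CHAIN_BUNDLE = LEAF + KEY


def demo():
    """Write the good bundle with mode 0600 and return its problem list (expected: [])."""
    with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as f:
        f.write(GOOD_BUNDLE)
        path = f.name
    os.chmod(path, 0o600)
    try:
        return check_bundle_file(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("good bundle:   ", check_bundle_text(GOOD_BUNDLE))
    print("no chain:      ", check_bundle_text(NO_CHAIN_BUNDLE))
    print("encrypted key: ", check_bundle_text(LEAF + CHAIN + ENC_KEY))
    print("file check:    ", demo())
```

Point `check_bundle_file` at the real `certificate.pem` after running the `cat` above; an empty list means the order, key and permissions match what Courier expects.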
peris
Asked: 2014-03-23 01:17:59 +0800 CST

Postfix rejecting clients from domains without MX records

  • 0

The machine mail.domain.com sends e-mail via Postfix 2.11 for domain.com, but today, looking at the mail.log file, I noticed that some Wordpress machines, wordpress.domain.com and blog.domain.com, are sending e-mail through mail.domain.com with the sender addresses [email protected] and [email protected]. Apparently they configured Wordpress to authenticate and send e-mail through mail.domain.com.

The issue here is that mail.domain.com is responsible for sending e-mail for domain.com but not for *.domain.com, so the latter are not DKIM signed and are obviously not valid recipient addresses, since those domains cannot receive e-mail. So I would like to reject clients using sender addresses from domains that are not able to receive e-mail, such as *.domain.com.

I have been looking at the documentation http://www.postfix.org/postconf.5.html but cannot find a concise solution. Does anyone know how I could do this?

Thanks a lot

email
  • 2 answers
  • 2147 Views
peris
Asked: 2014-02-25 11:13:02 +0800 CST

Contact the sender via the Postfix Mailer-Daemon on "Bad recipient address syntax"

  • 0

I would like Postfix to generate a Mailer-Daemon message and send it to the sender when the following Bad recipient address syntax occurs.

I have been reading the Postfix documentation but have not found the right directive; any suggestions?

The session transcript is as follows.

 Out: 220 mail.mydomain.es ESMTP Postfix
 In:  EHLO mail.mydomain.es
 Out: 250-mail.mydomain.es
 Out: 250-PIPELINING
 Out: 250-SIZE 10240000
 Out: 250-ETRN
 Out: 250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  AUTH LOGIN
 Out: 334 VXNlcm5hbWU6
 In:  a2FpLm5pZWh1ZXNAY3YtY29hY2guY29t
 Out: 334 UGFzc3dvcmQ6
 In:  YmFyY2Vsb25hY3Zjb2FjaA==
 Out: 235 2.7.0 Authentication successful
 In:  MAIL FROM:<[email protected]>
 Out: 250 2.1.0 Ok
 In:  RCPT TO:<[email protected]>
 Out: 250 2.1.5 Ok
 In:  RCPT TO:<"Foo - Bar <[email protected]>FooBar FB">
 Out: 501 5.1.3 Bad recipient address syntax
 In:  RSET
 Out: 250 2.0.0 Ok
 In:  QUIT
 Out: 221 2.0.0 Bye

email
  • 1 answer
  • 2619 Views
peris
Asked: 2014-02-13 04:20:33 +0800 CST

Postfix: reject with reject_unknown_recipient_domain and receive an instant e-mail notification

  • 3

When an e-mail is sent to a non-existent domain or recipient, I would like the sender to immediately receive an e-mail from the mailer-daemon notifying them that the recipient does not exist.

What actually happens on my system is that the e-mail goes into the deferred queue and stays there for the time specified in the configuration. As I have set delay_warning_time = 30m, the sender gets notified after 30 minutes in the queue, but that is not what I want for non-existent addresses. What I want is for the e-mail to be rejected immediately and the sender notified.

Does anyone know what I am doing wrong? Thanks a lot

Currently, e-mails to non-existent recipients sit in the Postfix queue:

# mailq
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
AA6CA48DCC     1496 Wed Feb 12 12:56:36  [email protected]
         (connect to mx.email-srv.com[199.231.85.98]:25: Connection timed out)
                                         [email protected]

6FF9948DFF     1498 Wed Feb 12 13:07:04  [email protected]
         (connect to mx.email-srv.com[199.231.85.98]:25: Connection timed out)
                                         [email protected]

This is my Postfix configuration:

2bounce_notice_recipient = $delay_notice_recipient
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
broken_sasl_auth_clients = no
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
delay_notice_recipient = admin
delay_warning_time = 30m
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
inet_protocols = all
local_recipient_maps =
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
masquerade_domains = mail.domain.es mail.domain.com hostname.domain.es hostname.domain.com
maximal_backoff_time = 8000s
maximal_queue_lifetime = 5d
milter_default_action = accept
milter_protocol = 2
minimum_backoff_time = 1000s
mydestination =
mydomain = domain.es
myhostname = mail.domain.es
mynetworks_style = host
myorigin = domain.es
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
relayhost =
relocated_maps = mysql:/etc/postfix/mysql_relocated.cf
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_helo_timeout = 60s
smtp_tls_CAfile = /etc/ssl/certs/sf_bundle.crt
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org,reject_rbl_client blackholes.easynet.nl,reject_rbl_client dnsbl.njabl.org
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_hard_error_limit = 12
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_milters = inet:localhost:8891
smtpd_recipient_limit = 16
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, reject_unknown_helo_hostname, permit_sasl_authenticated, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
smtpd_soft_error_limit = 3
smtpd_tls_cert_file = /etc/ssl/certs/domain.es.crt
smtpd_tls_key_file = /etc/ssl/private/domain.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
transport_maps = mysql:/etc/postfix/mysql_transport.cf
transport_retry_time = 30s
unknown_local_recipient_reject_code = 450
virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/spool/mail/virtual
virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
virtual_uid_maps = static:5000

linux
  • 1 answer
  • 1630 Views
peris
Asked: 2013-11-22 13:41:08 +0800 CST

Unknown LDAP cn=config admin password

  • 8

When I installed OpenLDAP I was asked to create a password for the admin user, but now I realise there is another admin user, cn=config, whose password I don't know. Does anyone know how I should proceed to change or obtain that admin password? I am on a fresh install of Ubuntu 13.10.

I need that password because I am trying to set up sudo-ldap.

linux
  • 2 answers
  • 44768 Views
