我正在转换现有的邮件服务器以支持我们客户的加密SMTP,但我遇到了这个砖墙,只有非常少的有用日志数据来帮助我前进.使用常规未加密的SMTP时,一切正常;只有在尝试使用加密的SMTP时,事情就会变成梨状.
我的exim配置文件包含以下内容:
# Allow any client to use TLS tls_advertise_hosts = * # Specify the location of the Exim server's TLS certificate and private key. tls_certificate = /etc/exim/exim.crt tls_privatekey = /etc/exim/exim.key
最初,Exim似乎按预期工作,我能够安全地连接到邮件服务器并对自己进行身份验证,但是在我进入SMTP会话中的收件人部分后,连接就被删除了.使用未加密的连接时不会发生此问题.
要测试安全SMTP,请使用以下命令:
openssl s_client -starttls smtp -crlf -connect localhost:25
这是我得到的输出:
CONNECTED(00000003)
depth=0 C = ZA,etc,etc
verify error:num=18:self signed certificate
verify return:1
depth=0 C = ZA,etc
verify return:1
---
Certificate chain
0 s:/C=ZA/etc,etc
i:/C=ZA/etc,etc
---
Server certificate
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXX==
-----END CERTIFICATE-----
subject=/C=ZA/etc,etc
---
No client certificate CA names sent
---
SSL handshake has read 1275 bytes and written 444 bytes
---
New,TLSv1/SSLv3,Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Session-ID-ctx:
Master-Key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Key-Arg : None
PSK identity: None
PSK identity hint: None
TLS session ticket:
0000 - d0 cd ff b6 0c a2 fb 6c-f6 69 dc 0b a7 aa f3 1a .......l.i......
0010 - 10 76 75 05 15 d8 8c 21-cb eb b8 ae ec 34 7d b3 .vu....!.....4}.
0020 - 7a bf f0 d6 7d df 26 27-41 1e d1 2a 35 bf 2f 0c z...}.&'A..*5./.
0030 - 25 6a 32 15 6e 53 d2 30-31 1b d9 60 e6 11 20 73 %j2.nS.01..`.. s
0040 - 57 e3 76 96 e7 7e dc da-98 f2 cc a7 e5 58 62 b2 W.v..~.......Xb.
0050 - ec db 58 91 16 14 18 ff-15 64 d6 66 1f 75 92 96 ..X......d.f.u..
0060 - 65 43 f8 2c 4a 42 81 41-0c 2f 46 84 38 0c c5 e0 eC.,JB.A./F.8...
0070 - 8d 7b d7 7e 12 0e 28 ca-f0 f9 b5 d0 b2 a6 ab 66 .{.~..(........f
0080 - f8 c5 33 e3 cb 16 f5 76-8f e7 49 0c 49 69 31 43 ..3....v..I.Ii1C
0090 - 05 25 dc 75 3a 07 13 91-63 ff 13 fd b0 2c 9f 8b .%.u:...c....,..
Compression: 1 (zlib compression)
Start Time: 1315250595
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
250 HELP
HELO localhost
250 OK
MAIL FROM:someone@somewhere.com
250 OK
RCPT TO:anyone@nowhere.com
RENEGOTIATING
depth=0 C = ZA,etc
verify return:1
421 lost input connection
read:errno=0
我已经用上面的输出中的垃圾数据替换了电子邮件地址和组织树,因为它不相关,因为我在使用常规SMTP时没有同样的问题.无论我是尝试从localhost连接还是从外部源连接,都会发生上述事务.我还应该注意,我使用的是使用OpenSSL生成的自签名证书.此外,在上面的示例中没有身份验证数据,因为我从localhost执行测试,这允许所有邮件无需身份验证.
正如您在上面的输出中所看到的,Exim似乎在发出字符串“RENEGOTIATING”期间/之后中断.
由于我在SMTP会话期间收到的输出没有多大帮助,我还尝试在调试所有模式下运行Exim.为简洁起见,我不会发布完整的SMTP事务,因为整个会话都很正常,直到我指定收件人地址为止.这是我在输入收件人地址并输入后输入的Exim调试数据的确切片段:
21:42:10 7425 SSL info: before accept initialization 21:42:10 7425 SSL info: before accept initialization 21:42:10 7425 SSL info: SSLv3 read client hello A 21:42:10 7425 SSL info: SSLv3 write server hello A 21:42:10 7425 SSL info: SSLv3 write certificate A 21:42:10 7425 SSL info: SSLv3 write server done A 21:42:10 7425 SSL info: SSLv3 flush data 21:42:10 7425 SSL info: SSLv3 read client key exchange A 21:42:10 7425 SSL info: SSLv3 read finished A 21:42:10 7425 SSL info: SSLv3 write session ticket A 21:42:10 7425 SSL info: SSLv3 write change cipher spec A 21:42:10 7425 SSL info: SSLv3 write finished A 21:42:10 7425 SSL info: SSLv3 flush data 21:42:10 7425 SSL info: SSL negotiation finished successfully 21:42:10 7425 SSL info: SSL negotiation finished successfully 21:42:10 7425 Got SSL error 2 21:42:10 7425 SMTP>> 421 lost input connection 21:42:10 7425 tls_do_write(1db4020,48) 21:42:10 7425 SSL_write(SSL,1db4020,48) 21:42:10 7425 outbytes=48 error=0 21:42:10 7425 LOG: lost_incoming_connection MAIN 21:42:10 7425 unexpected disconnection while reading SMTP command from (localhost) [127.0.0.1] 21:42:10 7425 search_tidyup called 21:42:10 7194 child 7425 ended: status=0x100 21:42:10 7194 0 SMTP accept processes now running 21:42:10 7194 Listening...
解决方法
我用Googling
“openssl s_client RENEGOTIATING”:
s_client’s R “feature”在30秒内找到了这个
总之 – 在s_client会话中按“R”会导致openssl重新协商.尝试输入“rcpt to:”而不是“RCPT TO”.
您还可以尝试更适合特定于SMTP的测试的工具,例如Tony Finch’s smtpc或swaks.
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。
