我正在尝试为我的postfix邮件服务器设置出站TLS加密。 我创建了一个CSR,它具有以下属性:
Attributes:
Requested Extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
F5:B0:EC:DF:81:32:10:12:DC:60:86:54:D2:03:77:5C:21:C2:EA:2B
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
Netscape Cert Type:
SSL Client, SSL Server, S/MIME, Object Signing
我将此CSR发送到证书颁发机构(GoDaddy),并且返回的证书具有以下属性:
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 CRL Distribution Points:
对于我的postfix main.cf文件:
### Client Side:
smtp_tls_security_level = may
smtp_use_tls = yes
smtp_tls_key_file = /etc/postfix/ca/mykey.pem
smtp_tls_cert_file = /etc/postfix/ca/mycert.pem
smtp_tls_CAfile = /etc/postfix/ca/gd_cacert.crt.pem
smtp_tls_loglevel = 3
但是,当我发送邮件并查看收到的邮件的来源时,标题看起来不像是有任何TLS加密:
Received: from ZZZZZZ by YYYYY with Microsoft SMTP Server (TLS) via Mailbox Transport;
Received: from YYYYY by XXXXXX with Microsoft SMTP Server (TLS) ;
Received: from XXXXX by office365 with Microsoft SMTP Server (TLS) id via Frontend Transport;
Authentication-Results: spf=none (sender IP is 000000 )
smtp.mailfrom=postfixserver; dkim=none (message not signed) dmarc=none action=none header.from= postfixserver;
Received-SPF: None (postfix server does not designate permitted sender hosts)
Received: from postfixserver by office365 (1.1.1.1) with Microsoft SMTP Server (TLS) via Frontend Transport;
Received: by postfixserver (Postfix, from userid 0)
我是否缺少任何可以使此功能正常工作的证书/配置设置?
答案 0 :(得分:1)
你的Postfix main.cf配置看起来是正确的。很可能你已经通过TLS发送邮件,但你的下一跳没有在邮件标题中显示它。 发送给Microsoft(office365),gmail和yahoo时,我遇到了类似的问题,邮件标题并不表示我是通过TLS发送的,这是因为我与我的ssl证书不匹配。为了验证我还发送邮件给邮件服务器是内部部署的朋友。由于他们的邮件服务器未配置为从发件人中删除TLS,因此我使用TLS加密发送的标题显示但无法验证我的证书真实性。 我建议您确保您的证书通用名称与您的邮件服务器域名相匹配。