Dovecot with a CAcert certificate, Outlook cannot connect to IMAP
I installed a fairly standard postfix and dovecot on Ubuntu 12.10. I generated my own certificate and had it signed by cacert.org.
The process of creating the certificate was as follows:
openssl genrsa -out mail.myhostname.key 4096
openssl req -new -key mail.myhostname.key -out mail.myhostname.csr
wget http://www.cacert.org/certs/root.txt
sudo cp root.txt /etc/ssl/certs/cacert.crt
# here Submitting the CSR to CAcert takes place
# placing result certificate from CAcert into /etc/postfix/ssl/mail.myhostname.crt
Here is my Dovecot configuration:
sudo cat /etc/dovecot/conf.d/10-ssl.conf

##
## SSL settings
##

# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = yes

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </etc/postfix/ssl/mail.myhostname.crt
ssl_key = </etc/postfix/ssl/mail.myhostname.key

# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
# world-readable, you may want to place this setting instead to a different
# root owned 0600 file by using ssl_key_password = <path.
#ssl_key_password =

# PEM encoded trusted certificate authority. Set this only if you intend to use
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
ssl_ca = </etc/postfix/ssl/cacert.crt

# Request client to send a certificate. If you also want to require it, set
# auth_ssl_require_client_cert=yes in auth section.
ssl_verify_client_cert = no

# Which field from certificate to use for username. commonName and
# x500UniqueIdentifier are the usual choices. You'll also need to set
# auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName

# How often to regenerate the SSL parameters file. Generation is quite CPU
# intensive operation. The value is in hours, 0 disables regeneration
# entirely.
#ssl_parameters_regenerate = 168

# SSL ciphers to use
#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
I can't get Outlook to work; it worked fine (though with some warnings) before I set up my own certificate. I've heard that "Microsoft Mail" and Outlook can have some issues and that they are more sensitive than Thunderbird, but that shouldn't be the problem.
Screenshot from the client program:
Here is the head of source="/var/log/mail.log" from Splunk, which shows the problem:
Jun 6 00:20:34 myhostname dovecot: imap-login: Disconnected (no auth attempts): rip=89.77.2XX.XXX, lip=37.23X.XX.XXX
Jun 6 00:20:34 myhostname dovecot: imap-login: Disconnected (no auth attempts): rip=89.77.2XX.XXX, lip=37.23X.XX.XXX, TLS handshaking: Disconnected
Jun 6 00:20:34 myhostname dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [89.77.2XX.XXX]
Jun 6 00:20:34 myhostname dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [89.77.2XX.XXX]
Jun 6 00:20:34 myhostname dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [89.77.2XX.XXX]
Jun 6 00:20:34 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [89.77.2XX.XXX]
Jun 6 00:20:34 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server done A [89.77.2XX.XXX]
Jun 6 00:20:34 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [89.77.2XX.XXX]
Jun 6 00:20:33 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write certificate A [89.77.2XX.XXX]
Jun 6 00:20:33 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server hello A [89.77.2XX.XXX]
Jun 6 00:20:33 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client hello A [89.77.2XX.XXX]
Jun 6 00:20:33 myhostname dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: unknown state [89.77.2XX.XXX]
Jun 6 00:20:33 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [89.77.2XX.XXX]
Jun 6 00:20:33 myhostname dovecot: imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [89.77.2XX.XXX]
Here is the output of the openssl test:
openssl s_client -connect mail.myhostname:995
CONNECTED(00000003)
depth=1 O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing Authority, emailAddress = support@cacert.org
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/CN=*.myhostname
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
 1 s:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
---
Server certificate
-----BEGIN CERTIFICATE-----
some certificate info..
-----END CERTIFICATE-----
subject=/CN=*.myhostname
issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
---
No client certificate CA names sent
---
SSL handshake has read 4548 bytes and written 487 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: 4EE9B3ED672B5989A52B5338C6173E5C525080C1D46D37A327E501ED70A73625
    Session-ID-ctx:
    Master-Key: 5DD1ED05C32F5B0FE07F20FDEEE80D622D6873CE7E9D954F4CC6644ED0E86A6A30603A387651135D6F7CA792F2377901
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 4e 3f 50 2c 3f 61 47 9f-f0 61 b4 26 31 ce 2c 9f   N?P,?aG..a.&1.,.
    0010 - ce 83 1b b5 20 88 45 a9-71 cd 35 29 3e 4b 5c 29   .... .E.q.5)>K\)
    0020 - d8 31 e0 3f 47 2b d3 05-d3 73 62 78 ac a9 91 f8   .1.?G+...sbx....
    0030 - 51 89 b5 cd 20 2a 92 7a-68 8f d7 ae 01 10 46 df   Q... *.zh.....F.
    0040 - 35 c9 4b 50 86 1a 1b bc-5f 66 b9 29 7a bd 41 be   5.KP...._f.)z.A.
    0050 - a0 76 ba e3 95 2c 85 ef-cd 21 c5 be ee c1 4b e3   .v...,...!....K.
    0060 - c7 9e e3 8a 63 6d a6 cb-9f be 25 d5 b6 61 c0 27   ....cm....%..a.'
    0070 - b5 09 46 e5 79 e0 34 6f-8d 6b db 96 17 40 18 ea   ..F.y.4o.k...@..
    0080 - 25 c2 b0 12 96 20 1a 25-e1 7a 22 3e 74 6c 9e e8   %.... .%.z">tl..
    0090 - 61 f0 24 e7 5f 8a 5d e1-ab 43 c0 a7 74 43 09 cf   a.$._.]..C..tC..

    Start Time: 1433543614
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
+OK The greatest mail program is ready
I don't understand the **verify error:num=19:self signed certificate in certificate chain** part. If I'm using the trusted CAcert authority, in what way is it self-signed?
I have redacted the IPs and hostname because my server is still vulnerable.
There is also something about stacking certificates for Dovecot (at the link http://wiki2.dovecot.org/SSL/DovecotConfiguration). The table shows this order:
Dovecot's public certificate - what is this?
TDC SSL Server CA - is this my public key from cacert?
TDC Internet Root CA - is this the cacert root?
Globalsign Partners CA - what is this?
As it stands, /etc/postfix/ssl/cacert.crt holds only the CAcert root. Could this cause the problem and block the TLS handshake?
Update:
Mail works with Thunderbird, but it still asks the user to accept the certificate, which is undesirable behaviour and not what I expected when holding a certificate from cacert.org.
Logs from Splunk:
Jun 6 01:38:43 myhostname dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=256: warning close notify [89.77.22X.XXX]
Jun 6 01:38:43 myhostname dovecot: imap(administrator@myhostname.pl): Disconnected: Logged out bytes=8/328
Jun 6 01:38:41 myhostname dovecot: imap-login: Login: user=<administrator@myhostname.pl>, method=PLAIN, rip=89.77.22X.XXX, lip=37.233.XX.XXX, mpid=13141, TLS
Jun 6 01:38:41 myhostname dovecot: auth-worker: mysql(localhost): Connected to database postfix
Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [89.77.22X.XXX]
Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x20, ret=1: SSL negotiation finished successfully [89.77.22X.XXX]
Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [89.77.22X.XXX]
Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write finished A [89.77.22X.XXX]
Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [89.77.22X.XXX]
Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write session ticket A [89.77.22X.XXX]
Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read finished A [89.77.22X.XXX]
Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [89.77.22X.XXX]
Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [89.77.22X.XXX]
Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [89.77.22X.XXX]
Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [89.77.22X.XXX]
Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server done A [89.77.22X.XXX]
Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [89.77.22X.XXX]
Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write certificate A [89.77.22X.XXX]
Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server hello A [89.77.22X.XXX]
Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client hello A [89.77.22X.XXX]
Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: unknown state [89.77.22X.XXX]
Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [89.77.22X.XXX]
Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [89.77.22X.XXX]
Jun 6 01:38:08 myhostname dovecot: imap-login: Disconnected (no auth attempts): rip=89.77.22X.XXX, lip=37.233.XX.XXX, TLS: SSL_read() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=256: warning close notify [89.77.22X.XXX]
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL alert: where=0x4004, ret=560: fatal unknown CA [89.77.22X.XXX]
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [89.77.22X.XXX]
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x20, ret=1: SSL negotiation finished successfully [89.77.22X.XXX]
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [89.77.22X.XXX]
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write finished A [89.77.22X.XXX]
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [89.77.22X.XXX]
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write session ticket A [89.77.22X.XXX]
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read finished A [89.77.22X.XXX]
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [89.77.22X.XXX]
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [89.77.22X.XXX]
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [89.77.22X.XXX]
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [89.77.22X.XXX]
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server done A [89.77.22X.XXX]
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [89.77.22X.XXX]
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write certificate A [89.77.22X.XXX]
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server hello A [89.77.22X.XXX]
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client hello A [89.77.22X.XXX]
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: unknown state [89.77.22X.XXX]
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [89.77.22X.XXX]
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [89.77.22X.XXX]
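The two Splunk extracts above show the same server-side handshake trace ending in two different ways: the Outlook session ends with "TLS handshaking: Disconnected" and no alert, while the Thunderbird session first ends with "tlsv1 alert unknown ca: SSL alert number 48" (the client explicitly rejecting the CA) and then logs in over TLS once the certificate has been accepted. The "SSLv3 read client certificate A" warnings with ret=-1 appear in the successful session too, so they carry no signal on their own; the "Disconnected" line is what distinguishes the cases. The following is an added example, not code from the question or from Dovecot, that pulls that distinction out of Dovecot imap-login lines; the sample log is constructed in the same format as the logs in the question, with RFC 5737 documentation addresses in place of the redacted IPs.

```python
import re

# Constructed sample, modelled on the Dovecot imap-login lines in the question.
# IPs are RFC 5737 documentation addresses, not the poster's real ones.
SAMPLE_LOG = """\
Jun  6 00:20:33 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client hello A [198.51.100.10]
Jun  6 00:20:33 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write certificate A [198.51.100.10]
Jun  6 00:20:34 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server done A [198.51.100.10]
Jun  6 00:20:34 myhostname dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [198.51.100.10]
Jun  6 00:20:34 myhostname dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [198.51.100.10]
Jun  6 00:20:34 myhostname dovecot: imap-login: Disconnected (no auth attempts): rip=198.51.100.10, lip=203.0.113.5, TLS handshaking: Disconnected
Jun  6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [198.51.100.20]
Jun  6 01:38:08 myhostname dovecot: imap-login: Warning: SSL alert: where=0x4004, ret=560: fatal unknown CA [198.51.100.20]
Jun  6 01:38:08 myhostname dovecot: imap-login: Disconnected (no auth attempts): rip=198.51.100.20, lip=203.0.113.5, TLS: SSL_read() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48
Jun  6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [198.51.100.20]
Jun  6 01:38:41 myhostname dovecot: imap-login: Login: user=<administrator@myhostname.pl>, method=PLAIN, rip=198.51.100.20, lip=203.0.113.5, mpid=13141, TLS
"""

# OpenSSL state-machine warnings Dovecot logs with verbose_ssl: "SSL:", "SSL failed:", "SSL alert:"
STATE_RE = re.compile(
    r"imap-login: Warning: SSL(?: failed| alert)?: where=0x[0-9a-f]+(?:, ret=-?\d+)?: "
    r"(?P<state>.+?) \[(?P<ip>[^\]]+)\]$")
DISCONNECT_RE = re.compile(
    r"imap-login: Disconnected \(no auth attempts\): rip=(?P<ip>[^,]+), lip=[^,]+(?P<rest>.*)$")
LOGIN_RE = re.compile(
    r"imap-login: Login: user=<(?P<user>[^>]+)>, .*?rip=(?P<ip>[^,]+).*?(?P<tls>, TLS)?$")


def classify_tls_failures(log_text):
    """Name the reason each imap-login session ended.

    Returns a list of (ip, verdict, last_handshake_state) tuples, one per
    'Disconnected' or 'Login' line, in log order. last_handshake_state is the
    most recent OpenSSL state warning seen for that IP, which tells you how far
    the handshake got before the client gave up.
    """
    last_state = {}
    verdicts = []
    for line in log_text.splitlines():
        m = STATE_RE.search(line)
        if m:
            last_state[m["ip"]] = m["state"]
            continue
        m = LOGIN_RE.search(line)
        if m:
            verdict = "login_ok_tls" if m["tls"] else "login_ok_plaintext"
            verdicts.append((m["ip"], verdict, last_state.get(m["ip"])))
            continue
        m = DISCONNECT_RE.search(line)
        if not m:
            continue
        ip, rest = m["ip"], m["rest"]
        if "alert unknown ca" in rest or "SSL alert number 48" in rest:
            # The client validated our chain and sent a fatal unknown_ca alert:
            # the issuing CA is not in its trust store.
            verdict = "client_rejected_ca"
        elif "TLS handshaking: Disconnected" in rest:
            # The client closed the socket mid-handshake without any alert, so
            # the server never learns why; the last state shows where it stopped.
            verdict = "client_dropped_during_handshake"
        elif "TLS" in rest:
            verdict = "other_tls_error"
        else:
            verdict = "disconnected_before_tls"
        verdicts.append((ip, verdict, last_state.get(ip)))
    return verdicts


def summarize(log_text):
    """Count verdicts so a burst of CA rejections after a certificate change stands out."""
    counts = {}
    for _ip, verdict, _state in classify_tls_failures(log_text):
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for ip, verdict, state in classify_tls_failures(SAMPLE_LOG):
        print(f"{ip:16} {verdict:32} last state: {state}")
    print(summarize(SAMPLE_LOG))
```

Run it against the real file with `classify_tls_failures(open("/var/log/mail.log").read())`; Outlook's silent close shows up as client_dropped_during_handshake with the last state stuck at "SSLv3 read client certificate A" (the server has sent its certificate and ServerHelloDone and is waiting for the client), whereas a client that tells you it distrusts the CA shows up as client_rejected_ca.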
> I generated my own certificate and had it signed by cacert.org.
cacert.org is currently not trusted by any major operating system. It used to be included with Debian, but it was removed there too. It may still be in some *BSDs. Notably, no browser, no Windows, Android, Mac OS ... will trust this CA.
> I don't understand the verify error:num=19:self signed certificate in certificate chain part. If I'm using the trusted CAcert authority, in what way is it self-signed?
Even if you have installed cacert locally, openssl s_client does not use any CA for checking by default, so everything is untrusted. And given the output, you include the root certificate, which is wrong anyway. The root certificate in the chain is ignored, because the trusted root must already be present locally on the system.
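The answer makes two separate points: s_client verifies against nothing unless you hand it a trust anchor (so `openssl s_client -connect mail.myhostname:<port> -CAfile /etc/ssl/certs/cacert.crt` is the test that actually tells you whether the chain validates), and the chain the server sends should contain the leaf followed by any intermediates, never the self-signed root, because a client only trusts roots it already holds. The following is an added example, not code from the answer or from Dovecot or OpenSSL, that checks a PEM chain file the way a client walks it: it reads issuer and subject straight out of the DER, flags a self-signed root in the served chain, and flags any certificate not issued by the one that follows it. The sample chains are constructed inside the block from unsigned X.509-shaped blobs (the "Example Intermediate CA" name is invented); only the issuer/subject structure is real, so treat them as fixtures, not certificates.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def cert_names(der):
    """Return (issuer, subject) as raw DER Name bytes from an X.509 certificate.

    Certificate -> tbsCertificate -> [version] serial signature issuer validity subject
    """
    tag, start, _ = _read_tlv(der, 0)        # Certificate SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    tag, pos, _ = _read_tlv(der, start)      # tbsCertificate SEQUENCE
    assert tag == 0x30, "tbsCertificate missing"
    tag, _, end = _read_tlv(der, pos)        # version [0] EXPLICIT is optional (absent in v1)
    if tag == 0xA0:
        pos = end
    _, _, pos = _read_tlv(der, pos)          # serialNumber
    _, _, pos = _read_tlv(der, pos)          # signature AlgorithmIdentifier
    _, s, pos = _read_tlv(der, pos)          # issuer Name
    issuer = der[s:pos]
    _, _, pos = _read_tlv(der, pos)          # validity
    _, s, pos = _read_tlv(der, pos)          # subject Name
    subject = der[s:pos]
    return issuer, subject


def check_chain(pem_text):
    """Check a served chain (leaf first) the way a TLS client will walk it."""
    names = [cert_names(base64.b64decode(m.group(1))) for m in PEM_RE.finditer(pem_text)]
    problems = []
    for i, (issuer, subject) in enumerate(names):
        if issuer == subject:
            problems.append(f"cert {i} is self-signed: a root does not belong in the served chain")
        if i + 1 < len(names) and issuer != names[i + 1][1]:
            problems.append(f"cert {i} is not issued by cert {i + 1}: chain out of order or intermediate missing")
    return problems


# --- constructed fixtures: minimal DER encoder and unsigned X.509-shaped blobs ---

def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn):
    # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, with OID 2.5.4.3 (commonName)
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def fake_cert(subject_cn, issuer_cn):
    """Structurally valid, unsigned certificate blob for the demo (not a real cert)."""
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + b"\x05\x00")
    validity = _der(0x30, _der(0x17, b"150101000000Z") + _der(0x17, b"250101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _name(issuer_cn) + validity + _name(subject_cn) + _der(0x30, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))


def to_pem(der):
    return f"-----BEGIN CERTIFICATE-----\n{base64.encodebytes(der).decode()}-----END CERTIFICATE-----\n"


ROOT, LEAF, INTERMEDIATE = "CA Cert Signing Authority", "*.myhostname", "Example Intermediate CA"


def served_chain_from_question():   # leaf plus the self-signed root, as s_client showed
    return to_pem(fake_cert(LEAF, ROOT)) + to_pem(fake_cert(ROOT, ROOT))


def corrected_chain():              # leaf only; the root lives in the client's trust store
    return to_pem(fake_cert(LEAF, ROOT))


def misordered_chain():             # intermediate placed before the leaf
    return to_pem(fake_cert(INTERMEDIATE, ROOT)) + to_pem(fake_cert(LEAF, INTERMEDIATE))


if __name__ == "__main__":
    for label, chain in [("as served", served_chain_from_question()),
                         ("corrected", corrected_chain()), ("misordered", misordered_chain())]:
        print(label, check_chain(chain) or ["ok"])
```

Point `check_chain` at the file Dovecot's ssl_cert reads (or at the PEM blocks s_client prints) to check a real deployment; it answers the chain-order question about the Dovecot wiki table without needing openssl installed. It only compares DER Names byte for byte, so it will not catch a chain whose names match but whose signatures do not; that is what `openssl verify -CAfile` is for.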