
Enabling STARTTLS for all clients on Postfix with Zarafa

I've run into a problem that Google alone can't solve, and I need expert help. My company runs its own mail server (Postfix with Zarafa groupware). Because we are an insurance company, we often receive mail containing personal data that should not be read by anyone else. One of our partners therefore wants to send only encrypted mail, which is perfectly reasonable. But it doesn't seem to work for external users. I don't really know how to explain it, but I'll try:

They checked our mail server with:

openssl s_client -host mx01.cevo.de -port 25 -starttls smtp -debug

This fails with the following output:

CONNECTED(00000003)
read from 0xec56b0 [0xec57e0] (4096 bytes => 38 (0x26))
0000 - 32 32 30 20 6d 78 30 31-2e 63 65 76 6f 2e 64 65   220 mx01.cevo.de
0010 - 20 45 53 4d 54 50 20 53-65 72 76 69 63 65 20 72    ESMTP Service r
0020 - 65 61 64 79 0d 0a                                 eady..
write to 0xec56b0 [0xec67f0] (25 bytes => 25 (0x19))
0000 - 45 48 4c 4f 20 6f 70 65-6e 73 73 6c 2e 63 6c 69   EHLO openssl.cli
0010 - 65 6e 74 2e 6e 65 74 0d-0a                        ent.net..
read from 0xec56b0 [0xec57e0] (4096 bytes => 94 (0x5E))
0000 - 32 35 30 2d 52 65 71 75-65 73 74 65 64 20 6d 61   250-Requested ma
0010 - 69 6c 20 61 63 74 69 6f-6e 20 6f 6b 61 79 2c 20   il action okay, 
0020 - 63 6f 6d 70 6c 65 74 65-64 0d 0a 32 35 30 2d 53   completed..250-S
0030 - 49 5a 45 20 32 30 34 38-30 30 30 30 0d 0a 32 35   IZE 20480000..25
0040 - 30 2d 45 54 52 4e 0d 0a-32 35 30 2d 38 42 49 54   0-ETRN..250-8BIT
0050 - 4d 49 4d 45 0d 0a 32 35-30 20 4f 4b 0d 0a         MIME..250 OK..
didn't found starttls in server response, try anyway...
write to 0xec56b0 [0x7fffd07d4ae0] (10 bytes => 10 (0xA))
0000 - 53 54 41 52 54 54 4c 53-0d 0a                     STARTTLS..
read from 0xec56b0 [0xeb79b0] (8192 bytes => 30 (0x1E))
0000 - 35 30 33 20 42 61 64 20-73 65 71 75 65 6e 63 65   503 Bad sequence
0010 - 20 6f 66 20 63 6f 6d 6d-61 6e 64 73 0d 0a          of commands..
write to 0xec56b0 [0xec5730] (317 bytes => 317 (0x13D))
0000 - 16 03 01 01 38 01 00 01-34 03 03 94 e2 69 f3 8f   ....8...4....i..
0010 - cb a4 fd 61 49 3f 15 c4-5d a2 3f ca 4e f0 a9 eb   ...aI?..].?.N...
0020 - 71 72 6b ce 65 00 b9 0c-e1 ee 9f 00 00 9e c0 30   qrk.e..........0
0030 - c0 2c c0 28 c0 24 c0 14-c0 0a c0 22 c0 21 00 a3   .,.(.$.....".!..
0040 - 00 9f 00 6b 00 6a 00 39-00 38 00 88 00 87 c0 32   ...k.j.9.8.....2
0050 - c0 2e c0 2a c0 26 c0 0f-c0 05 00 9d 00 3d 00 35   ...*.&.......=.5
0060 - 00 84 c0 12 c0 08 c0 1c-c0 1b 00 16 00 13 c0 0d   ................
0070 - c0 03 00 0a c0 2f c0 2b-c0 27 c0 23 c0 13 c0 09   ...../.+.'.#....
0080 - c0 1f c0 1e 00 a2 00 9e-00 67 00 40 00 33 00 32   .........g.@.3.2
0090 - 00 9a 00 99 00 45 00 44-c0 31 c0 2d c0 29 c0 25   .....E.D.1.-.).%
00a0 - c0 0e c0 04 00 9c 00 3c-00 2f 00 96 00 41 c0 11   .......<./...A..
00b0 - c0 07 c0 0c c0 02 00 05-00 04 00 15 00 12 00 09   ................
00c0 - 00 14 00 11 00 08 00 06-00 03 00 ff 01 00 00 6d   ...............m
00d0 - 00 0b 00 04 03 00 01 02-00 0a 00 34 00 32 00 0e   ...........4.2..
00e0 - 00 0d 00 19 00 0b 00 0c-00 18 00 09 00 0a 00 16   ................
00f0 - 00 17 00 08 00 06 00 07-00 14 00 15 00 04 00 05   ................
0100 - 00 12 00 13 00 01 00 02-00 03 00 0f 00 10 00 11   ................
0110 - 00 23 00 00 00 0d 00 20-00 1e 06 01 06 02 06 03   .#..... ........
0120 - 05 01 05 02 05 03 04 01-04 02 04 03 03 01 03 02   ................
0130 - 03 03 02 01 02 02 02 03-00 0f 00 01 01            .............
^Tread from 0xec56b0 [0xecac90] (7 bytes => 7 (0x7))
0000 - 34 32 31 20 53 4d 54                              421 SMT
139855938602656:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:787:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 169 bytes and written 352 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Here is the mail.log entry for that request:

Jan 21 15:09:58 mx01 postfix/smtpd[1401]: connect from ec2-52-31-143-162.eu-west-1.compute.amazonaws.com[52.31.143.162]
Jan 21 15:10:10 mx01 postfix/smtpd[1401]: lost connection after EHLO from ec2-52-31-143-162.eu-west-1.compute.amazonaws.com[52.31.143.162]
Jan 21 15:10:10 mx01 postfix/smtpd[1401]: disconnect from ec2-52-31-143-162.eu-west-1.compute.amazonaws.com[52.31.143.162]

So I tried the same command from my laptop at work, and it worked without any problem:

CONNECTED(00000003)
read from 0xbdef20 [0xbdf020] (4096 bytes => 32 (0x20))
0000 - 32 32 30 20 6d 78 30 31-2e 63 65 76 6f 2e 64 65   220 mx01.cevo.de
0010 - 20 45 53 4d 54 50 20 50-6f 73 74 66 69 78 0d 0a    ESMTP Postfix..
write to 0xbdef20 [0xbe0030] (25 bytes => 25 (0x19))
0000 - 45 48 4c 4f 20 6f 70 65-6e 73 73 6c 2e 63 6c 69   EHLO openssl.cli
0010 - 65 6e 74 2e 6e 65 74 0d-0a                        ent.net..
read from 0xbdef20 [0xbdf020] (4096 bytes => 138 (0x8A))
0000 - 32 35 30 2d 6d 78 30 31-2e 63 65 76 6f 2e 6c 6f   250-mx01.cevo.lo
0010 - 63 61 6c 0d 0a 32 35 30-2d 50 49 50 45 4c 49 4e   cal..250-PIPELIN
0020 - 49 4e 47 0d 0a 32 35 30-2d 53 49 5a 45 20 32 30   ING..250-SIZE 20
0030 - 39 37 31 35 32 30 0d 0a-32 35 30 2d 56 52 46 59   971520..250-VRFY
0040 - 0d 0a 32 35 30 2d 45 54-52 4e 0d 0a 32 35 30 2d   ..250-ETRN..250-
0050 - 53 54 41 52 54 54 4c 53-0d 0a 32 35 30 2d 45 4e   STARTTLS..250-EN
0060 - 48 41 4e 43 45 44 53 54-41 54 55 53 43 4f 44 45   HANCEDSTATUSCODE
0070 - 53 0d 0a 32 35 30 2d 38-42 49 54 4d 49 4d 45 0d   S..250-8BITMIME.
0080 - 0a 32 35 30 20 44 53 4e-0d 0a                     .250 DSN..
write to 0xbdef20 [0x7ffdc4723d90] (10 bytes => 10 (0xA))
0000 - 53 54 41 52 54 54 4c 53-0d 0a                     STARTTLS..
read from 0xbdef20 [0xad1c10] (8192 bytes => 30 (0x1E))
0000 - 32 32 30 20 32 2e 30 2e-30 20 52 65 61 64 79 20   220 2.0.0 Ready 
0010 - 74 6f 20 73 74 61 72 74-20 54 4c 53 0d 0a         to start TLS..
write to 0xbdef20 [0xbdefa0] (318 bytes => 318 (0x13E))
...
subject=/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.cevo.de
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5189 bytes and written 488 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 244534A357837835FF9B28366E16DAA71E7D71C53AA9C0C5BBA8A2CFE065AA5A
    Session-ID-ctx: 
    Master-Key: 9E8041FD2EC1DD4D3F9FDCEC2D920FA35EA403356DC7498767A43CC650314B0378D73BC7E786C29881BAB7EEE123DF6B
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 3600 (seconds)
    TLS session ticket:
    0000 - 12 89 a5 2e e9 2a 80 e0-29 9a e8 71 41 96 27 ef   .....*..)..qA.'.
    0010 - 58 29 f0 f7 c1 56 66 9a-9e 9e 7b 0f 47 8f 97 06   X)...Vf...{.G...
    0020 - 47 bd 53 50 75 dd 8e 41-4f ea 52 f9 21 fc 30 1a   G.SPu..AO.R.!.0.
    0030 - 68 55 29 29 3c 33 80 f7-b4 af d6 32 21 80 78 24   hU))<3.....2!.x$
    0040 - e7 37 e9 24 77 71 72 58-0e c9 fb 23 2f b8 3c 4d   .7.$wqrX...#/.<M
    0050 - 31 1b bb 8d bf ca b5 cd-ec 24 81 be e4 4f 00 d4   1........$...O..
    0060 - 14 3f e5 68 5b 58 6c 19-b4 a2 03 a7 71 9e f7 58   .?.h[Xl.....q..X
    0070 - 7a 0d b8 dc a6 0e 2c b5-24 5f 8e 33 2c 64 c2 82   z.....,.$_.3,d..
    0080 - d2 25 ed bd e0 17 90 4a-29 a6 b1 4e f7 19 be d6   .%.....J)..N....
    0090 - b0 4d 3f c3 83 29 ec c4-24 e9 5e e0 48 b2 b7 12   .M?..)..$.^.H...
    00a0 - 8a 64 02 71 fe c3 42 e0-2b d7 99 da d3 04 7e 60   .d.q..B.+.....~`

    Compression: 1 (zlib compression)
    Start Time: 1453385327
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
250 DSN

And the log entries for that request:

Jan 21 15:11:49 mx01 postfix/smtpd[1401]: connect from unknown[172.19.5.135]
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: setting up TLS connection from unknown[172.19.5.135]
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: unknown[172.19.5.135]: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:before/accept initialization
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 read client hello A
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 write server hello A
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 write certificate A
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 write key exchange A
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 write server done A
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 flush data
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 read client key exchange A
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 read finished A
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 write session ticket A
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 write change cipher spec A
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 write finished A
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 flush data
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: Anonymous TLS connection established from unknown[172.19.5.135]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Here is main.cf (I removed all comments and unnecessary blank lines):

message_size_limit = 20971520
# mailbox_size_limit = 51200000
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
myhostname = mx01.cevo.local
myorigin = mx01.cevo.local
smtp_helo_name = mx01.cevo.de
append_dot_mydomain = no
inet_interfaces = all
inet_protocols = ipv4
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks = 127.0.0.0/8 172.19.3.29 172.19.3.36 172.19.3.41 172.19.3.50 172.19.3.123 192.168.100.28 172.19.3.18
masquerade_domains = $mydomain
masquerade_exceptions = root 
transport_maps = hash:/etc/postfix/transport
disable_vrfy_command = no
smtpd_banner = mx01.cevo.de ESMTP $mail_name
local_header_rewrite_clients =
virtual_alias_domains = 
virtual_alias_maps = hash:/etc/postfix/virtual,
        ldap:/etc/postfix/ldap.groups,
        ldap:/etc/postfix/ldap.distlist,
        ldap:/etc/postfix/ldap.sharedfolderremote,
        ldap:/etc/postfix/ldap.sharedfolderlocal,
        ldap:/etc/postfix/ldap.virtual    
virtual_mailbox_domains = ldap:/etc/postfix/ldap.virtualdomains    
virtual_mailbox_maps = hash:/etc/postfix/virtual,
        ldap:/etc/postfix/ldap.groups,
        ldap:/etc/postfix/ldap.distlist,
        ldap:/etc/postfix/ldap.sharedfolderremote,
        ldap:/etc/postfix/ldap.sharedfolderlocal,
        ldap:/etc/postfix/ldap.virtual
virtual_transport = lmtp:127.0.0.1:2003
canonical_maps = hash:/etc/postfix/canonical
relocated_maps = hash:/etc/postfix/relocated
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
smtpd_recipient_restrictions = permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_unlisted_recipient
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_starttls_timeout = 300s
smtpd_timeout = 300s
smtpd_tls_cert_file = /etc/ssl/certs/star_cevo_de.pem
smtpd_tls_key_file = /etc/ssl/private/star_cevo_de.key
smtpd_tls_CAfile = /etc/ssl/certs/star_cevo_de.cabundle   
smtpd_tls_received_header = no
smtpd_tls_session_cache_timeout = 3600s 
tls_random_source = dev:/dev/urandom
smtpd_sasl_auth_enable = yes   
smtpd_sasl_local_domain =    
smtpd_sasl_security_options = noanonymous    
smtp_tls_security_level = may
broken_sasl_auth_clients = yes
smtp_tls_loglevel = 2
smtpd_tls_loglevel = 2
smtpd_tls_dh1024_param_file = /etc/postfix/dh_2048.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
tls_preempt_cipherlist = yes
smtpd_tls_eecdh_grade = strong

master.cf:

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (50)
# ==========================================================================
25      inet  n       -       n       -       -       smtpd
465       inet  n       -       n       -       -       smtpd  -o smtpd_sasl_auth_enable=yes -o smtpd_tls_wrappermode=yes

#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       nqmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
smtp      unix  -       -       n       -       -       smtp
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
local     unix  -       n       n       -       -       local
#virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
#587      inet  n       -       n       -       -       smtpd -v -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
relay    unix  -       -       n       -       -       smtp
trace    unix  -       -       n       -       0       bounce
proxymap  unix -       -       n       -       -       proxymap
anvil    unix  -       -       n       -       1       anvil
scache   unix  -       -       -       -       1       scache
discard          unix  -       -       n       -       -       discard
tlsmgr    unix  -       -       n       1000?   1       tlsmgr

As you can see, SSL works from my own machine (i.e. from "inside"), but not from outside. I'm at the end of my knowledge, which is pretty low when it comes to Postfix and mail, tbh. I've already googled like hell but couldn't find a solution that fixes the problem.

user333222

At least as seen from outside, you are not offering TLS.

[me@risby ~]$ telnet mx01.cevo.de 25
Trying 195.244.228.205...
Connected to mx01.cevo.de.
Escape character is '^]'.
220 mx01.cevo.de ESMTP Service ready
ehlo me
250-Requested mail action okay, completed
250-SIZE 20480000
250-ETRN
250-8BITMIME
250 OK

My guess is that you have an adaptive firewall (such as a Cisco PIX) in the way; these are notorious for "helpfully" modifying the SMTP stream and stripping the TLS banner.

Either tell the firewall to stop fiddling with SMTP data, or throw it out of the window and use iptables instead, and external clients should then be able to benefit from TLS as well.

MadHatter
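The two openssl transcripts in the question and the telnet check in the answer are the same diagnosis done by hand: does the EHLO reply seen from outside advertise STARTTLS, and does it even look like Postfix wrote it? The script below is an added example (not code from this thread, from Postfix or from Zarafa) that automates that comparison. The embedded transcripts are transcribed from the question's two openssl runs and labelled as constructed samples; `probe()` is an assumed live check built on Python's smtplib, and the name it sends in EHLO is an arbitrary choice. The point it makes explicit: when the inside view offers STARTTLS and the outside view does not, and the outside banner and greeting no longer match what main.cf (`smtpd_banner`, `myhostname`) would produce, something between the client and smtpd is rewriting the session, which is exactly the middlebox behaviour the answer describes.

```python
"""Detect STARTTLS stripping by comparing what an external SMTP client sees
with what an internal client sees on the same Postfix MX.

Added example; not part of the original thread or of Postfix itself.
"""
from dataclasses import dataclass, field
import smtplib

# Constructed sample: server replies transcribed from the openssl session
# run from the EC2 host in the question (no STARTTLS, generic RFC 821 text).
OUTSIDE_TRANSCRIPT = """\
220 mx01.cevo.de ESMTP Service ready
250-Requested mail action okay, completed
250-SIZE 20480000
250-ETRN
250-8BITMIME
250 OK
"""

# Constructed sample: the same server as seen from the office LAN.
INSIDE_TRANSCRIPT = """\
220 mx01.cevo.de ESMTP Postfix
250-mx01.cevo.local
250-PIPELINING
250-SIZE 20971520
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""


@dataclass
class Observation:
    banner: str                                   # text after "220 "
    greeting: str                                 # first 250 line (normally $myhostname)
    extensions: set = field(default_factory=set)  # upper-cased EHLO keywords


def parse_transcript(text: str) -> Observation:
    """Parse the server side of a greeting + EHLO exchange."""
    banner, reply_lines = "", []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("220"):
            banner = line[4:]
        elif line.startswith("250"):
            reply_lines.append(line[4:])          # drop "250-" / "250 "
    greeting = reply_lines[0] if reply_lines else ""
    # Every line after the greeting is "KEYWORD [parameters]"; case-insensitive.
    exts = {l.split()[0].upper() for l in reply_lines[1:] if l.split()}
    return Observation(banner, greeting, exts)


def diagnose(outside: Observation, inside: Observation) -> dict:
    """Compare the two views and name the most likely cause."""
    findings = {
        "starttls_outside": "STARTTLS" in outside.extensions,
        "starttls_inside": "STARTTLS" in inside.extensions,
        "banner_rewritten": outside.banner != inside.banner,
        "greeting_rewritten": outside.greeting != inside.greeting,
        "extensions_dropped": sorted(inside.extensions - outside.extensions),
    }
    if findings["starttls_outside"]:
        verdict = "ok: STARTTLS is advertised to external clients"
    elif findings["starttls_inside"]:
        # smtpd offers TLS; the path between the external client and smtpd
        # removes it.  A rewritten banner and greeting point at an SMTP-aware
        # middlebox (firewall "fixup"/ESMTP inspection), not at Postfix.
        verdict = "stripped: STARTTLS removed in transit (SMTP-inspecting middlebox)"
    else:
        verdict = "not offered: check smtpd_tls_security_level / smtpd_use_tls"
    findings["verdict"] = verdict
    return findings


def probe(host: str, port: int = 25, timeout: float = 10.0) -> Observation:
    """Live outside view via smtplib (needs network; hostname in EHLO is arbitrary)."""
    with smtplib.SMTP(timeout=timeout) as s:
        code, msg = s.connect(host, port)
        banner = msg.decode(errors="replace")
        s.ehlo("probe.example.invalid")
        greeting = s.ehlo_resp.decode(errors="replace").splitlines()[0]
        exts = {k.upper() for k in s.esmtp_features}   # smtplib skips the greeting line
    return Observation(banner, greeting, exts)


if __name__ == "__main__":
    import sys
    # With a host argument, take the outside view live; otherwise use the sample.
    outside = probe(sys.argv[1]) if len(sys.argv) > 1 else parse_transcript(OUTSIDE_TRANSCRIPT)
    inside = parse_transcript(INSIDE_TRANSCRIPT)
    for key, value in diagnose(outside, inside).items():
        print(f"{key}: {value}")
```

Run it from a host outside the firewall against the public MX, and from the LAN replace `INSIDE_TRANSCRIPT` with a `probe()` of the same box; a "stripped" verdict with `banner_rewritten` true is the firewall, a "not offered" verdict from both sides is a Postfix configuration problem.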