2

Thunderbird 无法连接到 Postfix/Dovecot。
我的网络邮件界面适用于登录(name@domain.tld + 密码)、
传入(SSL/TLS,端口 993)和传出消息(STARTTLS,端口 587)。
我做了一些调试,知道这一定是证书错误。
请问这里有人知道怎么解决吗?

这是我的带有 SSL 调试的 mail.log:

Apr 26 16:57:28 m123851 dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Apr 26 16:57:28 m123851 dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Apr 26 16:57:28 m123851 dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [x.x.x.x]
Apr 26 16:57:28 m123851 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [x.x.x.x]
Apr 26 16:57:28 m123851 dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: unknown state [x.x.x.x]
Apr 26 16:57:28 m123851 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [x.x.x.x]
Apr 26 16:57:28 m123851 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [x.x.x.x]
Apr 26 16:57:28 m123851 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [x.x.x.x]
Apr 26 16:57:28 m123851 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [x.x.x.x]
Apr 26 16:57:28 m123851 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [x.x.x.x]
Apr 26 16:57:28 m123851 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [x.x.x.x]
Apr 26 16:57:28 m123851 dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [x.x.x.x]
Apr 26 16:57:28 m123851 dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [x.x.x.x]
Apr 26 16:57:29 m123851 dovecot: imap-login: Warning: SSL alert: where=0x4004, ret=560: fatal unknown CA [x.x.x.x]
Apr 26 16:57:29 m123851 dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [x.x.x.x]
Apr 26 16:57:29 m123851 dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=192.x.x.x, lip=85.x.x.x, TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48, session=<NDYo2aEUWQAfBhbN>

这是我的 Dovecot ssl-config 文件(/etc/dovecot/conf.d/10-ssl.conf):

# Log SSL problems
verbose_ssl = yes

ssl = required

ssl_cert = </etc/dovecot/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.pem

ssl_protocols = !SSLv3 !SSLv2

ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+
                  SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+
                  CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:
                  !EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:
                  AES256-SHA:CAMELLIA128-SHA:AES128-SHA

ssl_prefer_server_ciphers = yes

Dovecot 的 SSL 证书是为 localhost 设置的。
当我尝试将我的根 ca 和域证书集成到 dovecot 证书中时,问题仍然存在:
dovecot.pem 证书= dovecot 证书内容 + 域证书内容 + 根 ca 证书内容(完全按照从上到下的顺序)
dovecot.pem密钥= dovecot 证书密钥 + 域证书密钥 + 根 ca 证书密钥(完全按照从上到下的顺序)

4

1 回答 1

2

Thunderbird 期望 dovecot 为其提供验证连接所需的证书(中间证书或自签名 CA 证书)。查看http://wiki2.dovecot.org/SSL/DovecotConfiguration中的“链式 SSL 证书” 。

您可以通过将中间证书添加到您的 SSL 证书文件(/etc/ssl/certs/imap.pem或您的ssl_cert)指向的任何位置来解决此问题。如果您从供应商处获得 SSL 证书,他们应该有关于如何获得中间证书的说明。

于 2015-04-21T20:57:01.770 回答