
A week after installing and configuring my first Linux (mail) server (Debian 9, Exim 4, Dovecot), TLS-encrypted communication with my clients works. Sending, receiving and DKIM signing also work.

Apart from this problem, which I found in my logs when sending mail:

2017-07-22 20:56:08 1dYzZQ-0005fx-6J H=verifier.port25.com [38.95.177.125] TLS error on connection (cert/key setup: cert=REMOTE_SMTP_/etc/exim4/exim.crt key=REMOTE_SMTP_/etc/exim4/exim.crt): Error while reading file.
2017-07-22 20:56:08 1dYzZQ-0005fx-6J TLS session failure: delivering unencrypted to verifier.port25.com [38.95.177.125] (not in hosts_require_tls)

The REMOTE_SMTP_ part doesn't seem to belong there. I guess key should also point to a .key file.

03_exim4-config_tlsoptions seems fine.

Editing 30_exim4-config_remote_smtp might fix the first problem ("REMOTE_SMTP_"), but it ought to work as it is:

.ifdef REMOTE_SMTP_TLS_CERTIFICATE
tls_certificate = REMOTE_SMTP_TLS_CERTIFICATE
.endif
.ifdef REMOTE_SMTP_PRIVATEKEY
tls_privatekey = REMOTE_SMTP_PRIVATEKEY
.endif

Where does the error come from and how can it be fixed?

Any suggestions or explanations would be greatly appreciated.

Additional research, which turned up nothing:

I am not using the full paths to the key and certificate in a wrong way:

root@example:/etc/exim4# grep -r exim4/exim /etc/exim4/
/etc/exim4/exim4.conf.template:# /etc/exim4/exim4.conf.template is only used with the non-split
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:MAIN_TLS_CERTIFICATE = /etc/exim4/exim.crt
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:MAIN_TLS_PRIVATEKEY = /etc/exim4/exim.key
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:MAIN_TLS_CERTIFICATE = /etc/exim4/exim.crt
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:MAIN_TLS_PRIVATEKEY = /etc/exim4/exim.key
/etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs:# /etc/exim4/exim4.conf.template is only used with the non-split

Exim may default to CONFDIR/exim.crt

root@example:~# grep -r exim.crt /etc/exim4/
/etc/exim4/exim4.conf.template:#                          CONFDIR/exim.crt if unset
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:MAIN_TLS_CERTIFICATE = /etc/exim4/exim.crt
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:#                          CONFDIR/exim.crt if unset
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:MAIN_TLS_CERTIFICATE = /etc/exim4/exim.crt

and of course CONFDIR/exim.key

root@example:~# grep -r CONFDIR/exim /etc/exim4/
/etc/exim4/exim4.conf.template:#                          CONFDIR/exim.crt if unset
/etc/exim4/exim4.conf.template:#                          CONFDIR/exim.key if unset
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:#                          CONFDIR/exim.crt if unset
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:#                          CONFDIR/exim.key if unset

CONFDIR is here

/etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs:CONFDIR = /etc/exim4

So much for the first problem. Regarding the second problem (using .crt instead of .key), I can't find any misuse of MAIN_TLS_CERTIFICATE

root@example:~# grep -r MAIN_TLS_CERTIFICATE  /etc/exim4/
/etc/exim4/exim4.conf.template:#   MAIN_TLS_CERTIFICATE - path to certificate file,
/etc/exim4/exim4.conf.template:.ifndef MAIN_TLS_CERTIFICATE
/etc/exim4/exim4.conf.template:MAIN_TLS_CERTIFICATE = /etc/letsencrypt/live/example.com/cert.pem
/etc/exim4/exim4.conf.template:tls_certificate = MAIN_TLS_CERTIFICATE
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:MAIN_TLS_CERTIFICATE = /etc/exim4/exim.crt
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:TLS_CERTIFICATE = MAIN_TLS_CERTIFICATE
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:#   MAIN_TLS_CERTIFICATE - path to certificate file,
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:.ifndef MAIN_TLS_CERTIFICATE
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:MAIN_TLS_CERTIFICATE = /etc/exim4/exim.crt
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:tls_certificate = MAIN_TLS_CERTIFICATE

Same for tls_certificate.

tls_certificate = MAIN_TLS_CERTKEY looks a bit odd, but it is the default in a fresh installation.

root@example:~# grep -r tls_certificate  /etc/exim4/
/etc/exim4/exim4.conf.template:MAIN_LOG_SELECTOR = +smtp_protocol_error +smtp_syntax_error +tls_certificate_verified +tls_peerdn
/etc/exim4/exim4.conf.template:tls_certificate = MAIN_TLS_CERTKEY
/etc/exim4/exim4.conf.template:tls_certificate = MAIN_TLS_CERTIFICATE
/etc/exim4/exim4.conf.template:tls_certificate = REMOTE_SMTP_TLS_CERTIFICATE
/etc/exim4/exim4.conf.template:tls_certificate = REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:tls_certificate = MAIN_TLS_CERTKEY
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:tls_certificate = MAIN_TLS_CERTIFICATE
/etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs:MAIN_LOG_SELECTOR = +smtp_protocol_error +smtp_syntax_error +tls_certificate_verified +tls_peerdn
/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp:tls_certificate = REMOTE_SMTP_TLS_CERTIFICATE
/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost:tls_certificate = REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE

Searching for REMOTE_SMTP_TLS_CERTIFICATE

root@example:/var/log/exim4# grep -r REMOTE_SMTP_TLS_CERTIFICATE /etc/exim4/
/etc/exim4/exim4.conf.template:.ifdef REMOTE_SMTP_TLS_CERTIFICATE
/etc/exim4/exim4.conf.template:tls_certificate = REMOTE_SMTP_TLS_CERTIFICATE
/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp:.ifdef REMOTE_SMTP_TLS_CERTIFICATE
/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp:tls_certificate = REMOTE_SMTP_TLS_CERTIFICATE

Update: permissions

root@example:/etc/exim4# ls -l exim.crt exim.key
-rw-r----- 1 root Debian-exim 1066 Jul 21  2017 exim.crt
-rw-r----- 1 root Debian-exim 1708 Jul 21  2017 exim.key

1 Answer


The exim4 certificate and key files need their owner and mode set strictly, otherwise exim will not read them and instead gives this error, an error-while-reading-file message in the cert/key setup phase. The exact owner and mode are:

root@hostname:/etc/exim4# ls -l exim.crt exim.key
-rw-r----- 1 root Debian-exim 2224 mag 30 17:13 exim.crt
-rw-r----- 1 root Debian-exim 1704 mag 30 17:12 exim.key

The alternative is that your REMOTE_SMTP_/etc/exim4/exim.crt file is a broken macro. Do you have any TLS_CERTIFICATE macro that is being substituted as the second part of the REMOTE_SMTP_TLS_CERTIFICATE macro?

answered 2018-05-30T15:18:04.427
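As an added illustration (not part of the question or the answer), the following Python simulates Exim's macro substitution over the macro lines visible in the question, showing how a macro named TLS_CERTIFICATE (the `TLS_CERTIFICATE = MAIN_TLS_CERTIFICATE` line seen in 03_exim4-config_tlsoptions) turns the transport's REMOTE_SMTP_TLS_CERTIFICATE into the REMOTE_SMTP_/etc/exim4/exim.crt string from the log. It assumes Exim's documented behaviour that a macro name is replaced wherever it appears in a later line, as a plain substring, in definition order; the leftover-fragment check is a constructed heuristic, not an Exim feature.

```python
import re

# Constructed excerpt: the macro definitions the question shows in
# 03_exim4-config_tlsoptions, including the extra TLS_CERTIFICATE line.
MACRO_LINES = """
MAIN_TLS_CERTIFICATE = /etc/exim4/exim.crt
MAIN_TLS_PRIVATEKEY = /etc/exim4/exim.key
TLS_CERTIFICATE = MAIN_TLS_CERTIFICATE
"""

# Exim macro names start with an uppercase letter.
MACRO_DEF = re.compile(r"^([A-Z][A-Za-z0-9_]*)\s*=\s*(.*)$")
# Heuristic: an uppercase macro-like fragment glued directly onto a path,
# the shape of "cert=REMOTE_SMTP_/etc/exim4/exim.crt" in the log.
LEFTOVER = re.compile(r"\b[A-Z][A-Z0-9_]*_/")


def expand(line, macros):
    """Exim-style substitution: every defined macro name is replaced
    wherever it occurs in the line, as a substring, in definition order."""
    for name, value in macros:
        line = line.replace(name, value)
    return line


def parse_macros(text):
    """Ordered list of (name, value); a later macro's value is itself
    scanned for earlier macro names, as Exim does when reading it."""
    macros = []
    for line in text.splitlines():
        m = MACRO_DEF.match(line.strip())
        if m:
            macros.append((m.group(1), expand(m.group(2), macros)))
    return macros


def expand_transport(macros, line="tls_certificate = REMOTE_SMTP_TLS_CERTIFICATE"):
    """Apply the macros to the transport line from 30_exim4-config_remote_smtp."""
    return expand(line, macros)


def leftover_fragment(expanded):
    """Return the stray macro fragment in an expanded value, or None."""
    m = LEFTOVER.search(expanded)
    return m.group(0) if m else None


if __name__ == "__main__":
    macros = parse_macros(MACRO_LINES)
    bad = expand_transport(macros)
    print(bad, "->", leftover_fragment(bad))
    # Without the extra TLS_CERTIFICATE macro the undefined name is left intact.
    good = expand_transport([m for m in macros if m[0] != "TLS_CERTIFICATE"])
    print(good, "->", leftover_fragment(good))
```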