Postfix SMTP relay: client does not present a TLS client certificate to the server?

I have two machines, one running Ubuntu and one running Debian, both running Postfix. The goal is for machine #2 to act as the SMTP relay/smarthost for machine #1. I created a CA and issued certificates for both machines: a server certificate for #2 and a client certificate for #1.
When sending email from #1 (by having the MUA talk to Postfix on localhost:25, with the intention that the mail is handed to #2), things basically work: the machines can talk to each other and the relay attempt is actually made. The idea is that relaying on #2 is allowed if #1 presents a valid client SSL/TLS certificate.
The relevant configuration on #2 is:
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 2
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/ssl/private/cert2.pem
smtpd_tls_key_file = /etc/ssl/private/key2-d.pem
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_auth_only = yes
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination permit_tls_all_clientcerts
The configuration on #1 is:
smtp_tls_CAfile = /etc/ssl/certs/cacert.pem
smtp_tls_cert_file = /etc/ssl/private/cert1.pem
smtp_tls_key_file = /etc/ssl/private/key1-d.pem
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_security_level = verify
smtp_tls_loglevel = 2
Machine #1 connects to #2, does STARTTLS, and the log shows that it successfully verifies the certificate from #2 and attempts to relay the message. However, it does not appear to send its client certificate to #2, and #2 refuses to relay the message.

Log entries on #1:
Apr 17 01:18:14 mail1 postfix/smtp[30250]: Verified TLS connection established to mail2[x.x.x.x]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr 17 01:18:14 mail1 postfix/smtp[30244]: 8A2328BDB4: to=<[email protected]>, relay=mail2[x.x.x.x]:25, delay=3488, delays=3486/0.41/0.85/0.19, dsn=4.7.1, status=deferred (host mail2[x.x.x.x] said: 454 4.7.1 <[email protected]>: Relay access denied (in reply to RCPT TO command))
Log entries on #2:
Apr 17 01:18:13 mail2 postfix/smtpd[28798]: Anonymous TLS connection established from unknown[y.y.y.y]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr 17 01:18:13 mail2 postfix/smtpd[28798]: NOQUEUE: reject: RCPT from unknown[y.y.y.y]: 454 4.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mail1>
Any ideas? I am basing my assumption that #1 is not sending its client certificate on the "Anonymous TLS connection established" part of mail2's log.
See [this answer](http://stackoverflow.com/a/23121297/207421). – EJP
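The following is an added example, not code from the question or the linked answer. It is a small lint for a Postfix `main.cf` fragment that checks the two conditions a certificate-based relay permit depends on: `smtpd_tls_ask_ccert` must be `yes` (its Postfix default is `no`, and without it smtpd never asks the client for a certificate, so it logs an "Anonymous TLS connection"), and `permit_tls_all_clientcerts` must appear in `smtpd_relay_restrictions` before `defer_unauth_destination`/`reject_unauth_destination`, because Postfix evaluates restriction lists in order and stops at the first match, so a permit listed after them is never reached for a relay attempt. The `ORIGINAL_MAIN_CF` string reproduces the #2 configuration from the question; `FIXED_MAIN_CF` is a constructed variant with those two points corrected. Function names and the heuristic itself are this example's own, not a Postfix tool.

```python
"""Lint a Postfix main.cf fragment for settings that make a TLS client-certificate
relay permit ineffective (added example; not part of the original question)."""
import re

# Restrictions that end evaluation for a non-local (relay) recipient, so any
# permit_* listed after them can never apply to relay attempts.
RELAY_TERMINATORS = {"defer_unauth_destination", "reject_unauth_destination"}
CLIENTCERT_PERMITS = {"permit_tls_all_clientcerts", "permit_tls_clientcerts"}

# Constructed sample: the #2 configuration as posted in the question.
ORIGINAL_MAIN_CF = """\
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/ssl/private/cert2.pem
smtpd_tls_key_file = /etc/ssl/private/key2-d.pem
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_auth_only = yes
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination permit_tls_all_clientcerts
"""

# Constructed sample: same fragment with the server asking for a client
# certificate and the cert-based permit moved ahead of the deferral.
FIXED_MAIN_CF = """\
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/ssl/private/cert2.pem
smtpd_tls_key_file = /etc/ssl/private/key2-d.pem
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_relay_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    permit_tls_all_clientcerts
    defer_unauth_destination
"""


def parse_main_cf(text):
    """Parse 'key = value' lines; a line starting with whitespace continues the previous value."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        key, _, value = raw.partition("=")
        current = key.strip()
        params[current] = value.strip()
    return params


def lint_relay_tls(params):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if params.get("smtpd_tls_ask_ccert", "no").strip().lower() != "yes":
        findings.append(
            "smtpd_tls_ask_ccert is not 'yes': the server never requests a client "
            "certificate, so permit_tls_*clientcerts has nothing to match"
        )
    restrictions = [r for r in re.split(r"[,\s]+", params.get("smtpd_relay_restrictions", "")) if r]
    for i, r in enumerate(restrictions):
        if r in RELAY_TERMINATORS:
            for late in restrictions[i + 1:]:
                if late in CLIENTCERT_PERMITS:
                    findings.append(f"{late} is listed after {r} and is never reached for relay attempts")
            break  # evaluation stops at the first terminator
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_MAIN_CF), ("fixed", FIXED_MAIN_CF)):
        print(f"[{label}]")
        for f in lint_relay_tls(parse_main_cf(cfg)) or ["no findings"]:
            print("  -", f)
```

With the corrected settings, a client that presents a certificate signed by the CA in `smtpd_tls_CAfile` is logged by smtpd as a "Trusted TLS connection" rather than "Anonymous", which is the quickest way to confirm on the server side that the certificate was both requested and verified.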