123201
Goto Top

Mailserver spinnt

Hallo,

mein Mailserver will nicht so wie er soll.

Hier die Configs:

Postfix:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job. 
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings 
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/mail.moddry.de.pem
smtpd_tls_CAfile = /etc/postfix/ssl/root.crt
smtpd_tls_key_file = /etc/postfix/ssl/mail.moddry.de.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_security_level = may
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mail.moddry.de
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = mail.moddry.de, localhost.moddry.de, localhost
relayhost = 
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = 31.172.83.59 
# a bit more spam protection
disable_vrfy_command = yes


# Auth
smtpd_sasl_type=dovecot
smtpd_sasl_path=private/auth_dovecot
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
broken_sasl_auth_clients = yes

proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps

smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-sender-login-maps.cf

smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch
        reject_unknown_sender_domain

smtpd_recipient_restrictions = permit_sasl_authenticated
        permit_mynetworks
        reject_unauth_destination


# Virtual mailboxes
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual-alias-maps.cf
virtual_mailbox_base = /var/vmail/
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual-domains-maps.cf
virtual_mailbox_limit = 0
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_minimum_uid = 104
virtual_transport = dovecot
local_transport = virtual
virtual_uid_maps = static:6000
virtual_gid_maps = static:6000
dovecot_destination_recipient_limit = 1
inet_protocols = ipv4

Dovecot:

## Dovecot configuration file

# If you're in a hurry, see http:{{comment_single_line_double_slash:0}}

# "doveconf -n" command gives a clean output of the changed settings. Use it 
# instead of copy&pasting files when posting to the Dovecot mailing list.

# '#' character and everything after it is treated as comments. Extra spaces 
# and tabs are ignored. If you want to use either of these explicitly, put the
# value inside quotes, eg.: key = "# char and trailing whitespace  " 

# Most (but not all) settings can be overridden by different protocols and/or
# source/destination IPs by placing the settings inside sections, for example:
# protocol imap { }, local 127.0.0.1 { }, remote 10.0.0.0/8 { }

# Default values are shown for each setting, it's not required to uncomment 
# those. These are exceptions to this though: No sections (e.g. namespace {})
# or plugin settings are added by default, they're listed only as examples. 
# Paths are also just examples with the real defaults being based on configure
# options. The paths listed here are for configure --prefix=/usr
# --sysconfdir=/etc --localstatedir=/var

# Enable installed protocols
!include_try /usr/share/dovecot/protocols.d/*.protocol

# A comma separated list of IPs or hosts where to listen in for connections. 
# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces. 
# If you want to specify non-default ports or anything more complex,
# edit conf.d/master.conf.
listen = 31.172.83.59

# Base directory where to store runtime data.
#base_dir = /var/run/dovecot/

# Name of this instance. In multi-instance setup doveadm and other commands
# can use -i <instance_name> to select which instance is used (an alternative
# to -c <config_path>). The instance name is also added to Dovecot processes
# in ps output.
#instance_name = dovecot

# Greeting message for clients.
#login_greeting = Dovecot ready.

# Space separated list of trusted network ranges. Connections from these
# IPs are allowed to override their IP addresses and ports (for logging and
# for authentication checks). disable_plaintext_auth is also ignored for
# these networks. Typically you'd specify your IMAP proxy servers here. 
#login_trusted_networks =

# Space separated list of login access check sockets (e.g. tcpwrap)
#login_access_sockets = 

# With proxy_maybe=yes if proxy destination matches any of these IPs, don't do 
# proxying. This isn't necessary normally, but may be useful if the destination 
# IP is e.g. a load balancer's IP. 
#auth_proxy_self =

# Show more verbose process titles (in ps). Currently shows user name and
# IP address. Useful for seeing who are actually using the IMAP processes
# (eg. shared mailboxes or if same uid is used for multiple accounts).
#verbose_proctitle = no

# Should all processes be killed when Dovecot master process shuts down.
# Setting this to "no" means that Dovecot can be upgraded without 
# forcing existing client connections to close (although that could also be
# a problem if the upgrade is e.g. because of a security fix).
#shutdown_clients = yes

# If non-zero, run mail commands via this many connections to doveadm server,
# instead of running them directly in the same process.
#doveadm_worker_count = 0
# UNIX socket or host:port used for connecting to doveadm server
#doveadm_socket_path = doveadm-server

# Space separated list of environment variables that are preserved on Dovecot
# startup and passed down to all of its child processes. You can also give
# key=value pairs to always set specific settings.
#import_environment = TZ

##
## Dictionary server settings
##

# Dictionary can be used to store key=value lists. This is used by several
# plugins. The dictionary can be accessed either directly or though a
# dictionary server. The following dict block maps dictionary names to URIs
# when the server is used. These can then be referenced using URIs in format
# "proxy::<name>". 

dict {
  #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
  #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
}

# Most of the actual configuration gets included below. The filenames are
# first sorted by their ASCII value and parsed in that order. The 00-prefixes
# in filenames are intended to make it easier to understand the ordering.
!include conf.d/*.conf

# A config file can also tried to be included without giving an error if
# it's not found: 
!include_try local.conf

auth_mechanisms = plain login
log_timestamp = "%Y-%m-%d %H:%M:%S "  
passdb {
  args = /etc/dovecot/dovecot-mysql.conf
  driver = sql
}
protocols = imap pop3
service auth {
  unix_listener /var/spool/postfix/private/auth_dovecot {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-master {
    mode = 0600
    user = vmail
  }
  user = root
}
ssl = required
ssl_cert = </etc/postfix/ssl/mail.moddry.de.pem
ssl_key = </etc/postfix/ssl/mail.moddry.de.pem
ssl_ca = </etc/postfix/ssl/root.crt
userdb {
  args = /etc/dovecot/dovecot-mysql.conf
  driver = sql
}
protocol pop3 {
  pop3_uidl_format = %08Xu%08Xv
  pop3_client_workarounds = oe-ns-eoh
#   pop3_uidl_format = %v.%u
}
protocol lda {
  auth_socket_path = /var/run/dovecot/auth-master
  postmaster_address = mail@moddry.de
}

Senden/Empfangen geht, aber laut dieser Seite Hier und hier kommen die Mails nicht verschlüsselt an, wenn ich jedoch hier einen Test mache ist alles in Ordnung.

Checking mail@moddry.de
looking up MX hosts on domain "moddry.de"  
mail.moddry.de (preference:1)
Trying TLS on mail.moddry.de[31.172.83.59] (1):
seconds		test stage and result
[000.129]		Connected to server
[000.438]	<--	220 mail.moddry.de ESMTP Postfix (Debian/GNU)
[000.438]		We are allowed to connect
[000.438]	-->	EHLO checktls.com
[000.566]	<--	250-mail.moddry.de
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
[000.567]		We can use this server
[000.567]		TLS is an option on this server
[000.567]	-->	STARTTLS
[000.695]	<--	220 2.0.0 Ready to start TLS
[000.695]		STARTTLS command works on this server
[000.971]		SSLVersion in use: TLSv1.2
[000.971]		Cipher in use: ECDHE-RSA-AES128-SHA256
[000.972]		Connection converted to SSL
[000.995]		
Certificate 1 of 3 in chain:
subject= /C=DE/CN=mail.moddry.de
issuer= /C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 1 DV Server CA                                              
[001.016]		
Certificate 2 of 3 in chain:
subject= /C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 1 DV Server CA
issuer= /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority                                                
[001.037]		
Certificate 3 of 3 in chain:
subject= /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
issuer= /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority                                                  
[001.037]		Cert VALIDATED: ok
[001.037]		Cert Hostname VERIFIED (mail.moddry.de = mail.moddry.de)
[001.038]	~~>	EHLO checktls.com
[001.167]	<~~	250-mail.moddry.de
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
[001.167]		TLS successfully started on this server
[001.167]	~~>	MAIL FROM:<test@checktls.com>
[001.303]	<~~	250 2.1.0 Ok
[001.304]		Sender is OK
[001.304]	~~>	RCPT TO:<mail@moddry.de>
[001.445]	<~~	250 2.1.5 Ok
[001.445]		Recipient OK, E-mail address proofed
[001.446]	~~>	QUIT
[001.575]	<~~	221 2.0.0 Bye

Und hier auch noch das Bild von der Seite:

mail

Ich weiß wirklich nicht weiter.. An sich sollte die Config stimmen und wie gesagt Outlook und Co. melden auch keinen SSL Fehler. Da geht alles. Nur mich irritiert es, dass mir die andere Seite sagt, dass die Testmails bei denen unverschlüsselt ankommen.


Grüße Moddry

Edit: Das Zertifikat ist ein kostenloses Class1 SSL Cert. von StartSSL.

Content-Key: 311541

Url: https://administrator.de/contentid/311541

Ausgedruckt am: 19.03.2024 um 03:03 Uhr

Mitglied: ashnod
ashnod 03.08.2016 um 13:14:43 Uhr
Goto Top
Moin ....

Was ist jetzt dein Problem .... die verschlüsselte Verbindung oder geht es um verschlüsselte Mails?

VG

Ashnod
Mitglied: 123201
123201 03.08.2016 um 13:17:44 Uhr
Goto Top
Die Verbindung. Mit den Zertifikaten stimmt ja alles und die Config sage ja auch dass eine verschlüsselte Verbindung erzwungen wird.
Mitglied: adminst
Lösung adminst 03.08.2016 aktualisiert um 14:44:51 Uhr
Goto Top
Hi Moddry
Wir wollen nicht unsere Glaskugel zu Hilfe nehmen.
Bitte schreibe konkret was nicht funktioniert. Nur mit "Verbindung" sagt nichts aus.

Das Log ist Inbound. Ist es sichergestellt, dass die Gegenseite TLS + die Ciphers unterstützt?
Nur am Rande: Ich würde die smtpd_recipient_restrictions noch tunen. (Postfix Konfiguration

Evtl. habe ich es übersehen, aber ich fand folgende Konfiguration nicht:
smtp_tls_security_level=may
smtp_tls_cert_file=/etc/myssl/public-combined.pem
smtp_tls_key_file=/etc/myssl/privkey.pem
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_ciphers=high

Die Pfade müssten auf dich umgeschrieben werden.

Gruss
adminst
Mitglied: SlainteMhath
Lösung SlainteMhath 03.08.2016 aktualisiert um 15:34:38 Uhr
Goto Top
Moin,

du hast nur den Mail Eingang (VOM Internet) smtpd_* konfiguriert, der Mail Ausgang (ZUM internet) smtp_* fehlt - siehe Post von @adminst

Edit: Dovecot hat "damit" übrigens gar nichts zu tun, der macht nur POP und IMAP

lg,
Slainte