Como lidar com remetentes de correio que falham em STARTTLS?

2

Eu tento usar meu servidor de e-mail richtercloud.de para assinaturas de listas de discussão do vger.kernel.org. Eu configurei o postfix 2.11 rodando no Ubuntu 14.04 e enviando e recebendo trabalhos. Eu configurei o postfix para entregar mensagens diretamente para vger.kernel.org. Quando enviei um e-mail para [email protected], o envio foi bem-sucedido (a fila de e-mails sai), mas a recepção falha porque o vger.kernel.org não emite o comando STARTTLS no SMTP ( /var/log/mail.log :

Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: connect from vger.kernel.org[209.132.180.67]
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: smtp_stream_setup: maxtime=300 enable_deadline=0
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: match_hostname: vger.kernel.org ~? 127.0.0.0/8
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: match_hostaddr: 209.132.180.67 ~? 127.0.0.0/8
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: match_hostname: vger.kernel.org ~? [::ffff:127.0.0.0]/104
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: match_hostaddr: 209.132.180.67 ~? [::ffff:127.0.0.0]/104
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: match_hostname: vger.kernel.org ~? [::1]/128
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: match_hostaddr: 209.132.180.67 ~? [::1]/128
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: match_hostname: vger.kernel.org ~? 192.168.178.62/32
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: match_hostaddr: 209.132.180.67 ~? 192.168.178.62/32
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: match_hostname: vger.kernel.org ~? 192.168.178.23/32
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: match_hostaddr: 209.132.180.67 ~? 192.168.178.23/32
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: match_hostname: vger.kernel.org ~? 192.168.178.62
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: match_hostaddr: 209.132.180.67 ~? 192.168.178.62
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: match_hostname: vger.kernel.org ~? 192.168.178.23
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: match_hostaddr: 209.132.180.67 ~? 192.168.178.23
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: match_hostname: vger.kernel.org ~? richtercloud.de
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: match_hostaddr: 209.132.180.67 ~? richtercloud.de
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: match_list_match: vger.kernel.org: no match
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: match_list_match: 209.132.180.67: no match
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: auto_clnt_open: connected to private/anvil
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: send attr request = connect
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: send attr ident = smtp:209.132.180.67
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: private/anvil: wanted attribute: status
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: input attribute name: status
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: input attribute value: 0
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: private/anvil: wanted attribute: count
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: input attribute name: count
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: input attribute value: 1
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: private/anvil: wanted attribute: rate
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: input attribute name: rate
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: input attribute value: 1
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: private/anvil: wanted attribute: (list terminator)
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: input attribute name: (end)
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: > vger.kernel.org[209.132.180.67]: 220 richtercloud.de ESMTP Postfix (Debian/GNU)
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: watchdog_pat: 0x2cbb60d8
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: < vger.kernel.org[209.132.180.67]: EHLO vger.kernel.org
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: match_list_match: vger.kernel.org: no match
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: match_list_match: 209.132.180.67: no match
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: > vger.kernel.org[209.132.180.67]: 250-richtercloud.de
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: > vger.kernel.org[209.132.180.67]: 250-PIPELINING
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: > vger.kernel.org[209.132.180.67]: 250-SIZE 10240000
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: > vger.kernel.org[209.132.180.67]: 250-VRFY
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: > vger.kernel.org[209.132.180.67]: 250-ETRN
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: > vger.kernel.org[209.132.180.67]: 250-STARTTLS
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: > vger.kernel.org[209.132.180.67]: 250-ENHANCEDSTATUSCODES
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: > vger.kernel.org[209.132.180.67]: 250-8BITMIME
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: > vger.kernel.org[209.132.180.67]: 250 DSN
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: watchdog_pat: 0x2cbb60d8
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: < vger.kernel.org[209.132.180.67]: MAIL From:<> BODY=8BITMIME SIZE=1778
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: > vger.kernel.org[209.132.180.67]: 530 5.7.0 Must issue a STARTTLS command first
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: watchdog_pat: 0x2cbb60d8
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: < vger.kernel.org[209.132.180.67]: RCPT To:<[email protected]> NOTIFY=FAILURE ORCPT=rfc822;[email protected]
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: > vger.kernel.org[209.132.180.67]: 530 5.7.0 Must issue a STARTTLS command first
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: watchdog_pat: 0x2cbb60d8
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: < vger.kernel.org[209.132.180.67]: DATA
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: > vger.kernel.org[209.132.180.67]: 530 5.7.0 Must issue a STARTTLS command first
Oct  5 12:55:24 richtercloud postfix/smtpd[27539]: watchdog_pat: 0x2cbb60d8
Oct  5 12:58:24 richtercloud postfix/smtpd[27539]: < vger.kernel.org[209.132.180.67]: NOOP
Oct  5 12:58:24 richtercloud postfix/smtpd[27539]: > vger.kernel.org[209.132.180.67]: 250 2.0.0 Ok
Oct  5 12:58:24 richtercloud postfix/smtpd[27539]: watchdog_pat: 0x2cbb60d8
Oct  5 12:58:41 richtercloud postfix/smtpd[28022]: connect from hermes.apache.org[140.211.11.3]
Oct  5 12:58:42 richtercloud postfix/smtpd[28022]: disconnect from hermes.apache.org[140.211.11.3]
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: < vger.kernel.org[209.132.180.67]: QUIT
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: > vger.kernel.org[209.132.180.67]: 221 2.0.0 Bye
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: match_hostname: vger.kernel.org ~? 127.0.0.0/8
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: match_hostaddr: 209.132.180.67 ~? 127.0.0.0/8
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: match_hostname: vger.kernel.org ~? [::ffff:127.0.0.0]/104
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: match_hostaddr: 209.132.180.67 ~? [::ffff:127.0.0.0]/104
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: match_hostname: vger.kernel.org ~? [::1]/128
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: match_hostaddr: 209.132.180.67 ~? [::1]/128
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: match_hostname: vger.kernel.org ~? 192.168.178.62/32
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: match_hostaddr: 209.132.180.67 ~? 192.168.178.62/32
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: match_hostname: vger.kernel.org ~? 192.168.178.23/32
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: match_hostaddr: 209.132.180.67 ~? 192.168.178.23/32
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: match_hostname: vger.kernel.org ~? 192.168.178.62
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: match_hostaddr: 209.132.180.67 ~? 192.168.178.62
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: match_hostname: vger.kernel.org ~? 192.168.178.23
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: match_hostaddr: 209.132.180.67 ~? 192.168.178.23
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: match_hostname: vger.kernel.org ~? richtercloud.de
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: match_hostaddr: 209.132.180.67 ~? richtercloud.de
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: match_list_match: vger.kernel.org: no match
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: match_list_match: 209.132.180.67: no match
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: send attr request = disconnect
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: send attr ident = smtp:209.132.180.67
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: private/anvil: wanted attribute: status
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: input attribute name: status
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: input attribute value: 0
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: private/anvil: wanted attribute: (list terminator)
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: input attribute name: (end)
Oct  5 12:59:13 richtercloud postfix/smtpd[27539]: disconnect from vger.kernel.org[209.132.180.67]
Oct  5 13:02:33 richtercloud postfix/anvil[27581]: statistics: max connection rate 1/60s for (smtp:209.132.180.67) at Oct  5 12:55:24
Oct  5 13:02:33 richtercloud postfix/anvil[27581]: statistics: max connection count 1 for (smtp:209.132.180.67) at Oct  5 12:55:24
Oct  5 13:02:33 richtercloud postfix/anvil[27581]: statistics: max cache size 2 at Oct  5 12:58:41

). Eu acho que esse tipo de comportamento pode ser um problema para um número de remetentes.

postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
debug_peer_list = vger.kernel.org
home_mailbox = .Maildir/
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailbox_size_limit = 0
mydestination = richtercloud.de, localhost, localhost.localdomain
myhostname = richtercloud.de
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.178.62/32 192.168.178.23/32 192.168.178.62 192.168.178.23 richtercloud.de
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter =
relayhost = smtp.elasticemail.com:2525
smtp_generic_maps = hash:/etc/postfix/generic
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_enforce_peername = no
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_enforce_tls = yes
smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_invalid_hostname, reject_unauth_pipelining, reject_non_fqdn_hostname
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtpd_sender_restrictions = permit_mynetworks permit_sasl_authenticated permit_tls_clientcerts
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/transport

telnet richtercloud.de 25 :

Trying 192.168.178.76...
Connected to richtercloud.de.
Escape character is '^]'.
220 richtercloud.de ESMTP Postfix (Debian/GNU)
ehlo richtercloud.de
250-richtercloud.de
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Eu suponho que tal comando tenha que ser emitido a fim de evitar que meu servidor se torne um retransmissor aberto e eu não entendo porque o vger.kernel.org não faz isso. Como posso impor a transmissão segura em SMTP, ou seja, receber uma repetição de uma mensagem para [email protected]?

    
por Karl Richter 05.10.2014 / 15:35

2 respostas

1

STARTTLS não tem nada a ver com retransmissão aberta:

  • Open Relay: aceita e entrega mensagens para destinatários que não estão nos domínios de correio locais. Isso pode ser usado para espalhar spam para destinatários externos e você geralmente fica rapidamente na lista negra.
  • STARTTLS: criptografa a conexão com o TLS para que ninguém possa escutar ou manipular o envio de dados.

Você pode restringir os destinatários aos seus próprios domínios de e-mail sem STARTTLS e pode ser um retransmissor aberto mesmo se você usar STARTTLS.

Como lidar com remetentes que não usam STARTTLS:

  • Se você quiser ter transporte criptografado, terá que aceitar que alguns não usarão criptografia e perderão esse tráfego. Mas, nesse caso, você também deve fazer isso da maneira correta e não usar um certificado autoassinado como agora, porque isso está aberto a ataques do tipo man-in-the-middle.
  • Ou considere a criptografia opcional, ou seja, não a imponha definindo smtpd_enforce_tls = yes .
por 05.10.2014 / 18:00
1

Apenas não imponha o TLS. Reforçar isso em um servidor SMTP público viola RFC 3207 , que define as regras sobre como usar a extensão STARTTLS :

A publicly-referenced SMTP server MUST NOT require use of the
STARTTLS extension in order to deliver mail locally. This rule
prevents the STARTTLS extension from damaging the interoperability of the Internet's SMTP infrastructure. A publicly-referenced SMTP
server is an SMTP server which runs on port 25 of an Internet host
listed in the MX record (or A record if an MX record is not present)
for the domain name on the right hand side of an Internet mail
address.

    
por 06.10.2014 / 03:50