I've run into a problem that I simply can't solve by researching it on my own; I need expert help.
My company runs its own mail server (Postfix with Zarafa groupware). We are an insurance company, so we often receive e-mails containing personal information that must not be read by third parties. So one of our partners only wants to send them to us encrypted, which is entirely reasonable. But it seems not to work for external users. I don't really know how to explain this, but I'll try:
They checked our mail server via:
openssl s_client -host mx01.cevo.de -port 25 -starttls smtp -debug
Which fails with this output:
CONNECTED(00000003)
read from 0xec56b0 [0xec57e0] (4096 bytes => 38 (0x26))
0000 - 32 32 30 20 6d 78 30 31-2e 63 65 76 6f 2e 64 65 220 mx01.cevo.de
0010 - 20 45 53 4d 54 50 20 53-65 72 76 69 63 65 20 72 ESMTP Service r
0020 - 65 61 64 79 0d 0a eady..
write to 0xec56b0 [0xec67f0] (25 bytes => 25 (0x19))
0000 - 45 48 4c 4f 20 6f 70 65-6e 73 73 6c 2e 63 6c 69 EHLO openssl.cli
0010 - 65 6e 74 2e 6e 65 74 0d-0a ent.net..
read from 0xec56b0 [0xec57e0] (4096 bytes => 94 (0x5E))
0000 - 32 35 30 2d 52 65 71 75-65 73 74 65 64 20 6d 61 250-Requested ma
0010 - 69 6c 20 61 63 74 69 6f-6e 20 6f 6b 61 79 2c 20 il action okay,
0020 - 63 6f 6d 70 6c 65 74 65-64 0d 0a 32 35 30 2d 53 completed..250-S
0030 - 49 5a 45 20 32 30 34 38-30 30 30 30 0d 0a 32 35 IZE 20480000..25
0040 - 30 2d 45 54 52 4e 0d 0a-32 35 30 2d 38 42 49 54 0-ETRN..250-8BIT
0050 - 4d 49 4d 45 0d 0a 32 35-30 20 4f 4b 0d 0a MIME..250 OK..
didn't found starttls in server response, try anyway...
write to 0xec56b0 [0x7fffd07d4ae0] (10 bytes => 10 (0xA))
0000 - 53 54 41 52 54 54 4c 53-0d 0a STARTTLS..
read from 0xec56b0 [0xeb79b0] (8192 bytes => 30 (0x1E))
0000 - 35 30 33 20 42 61 64 20-73 65 71 75 65 6e 63 65 503 Bad sequence
0010 - 20 6f 66 20 63 6f 6d 6d-61 6e 64 73 0d 0a of commands..
write to 0xec56b0 [0xec5730] (317 bytes => 317 (0x13D))
read from 0xec56b0 [0xecac90] (7 bytes => 7 (0x7))
0000 - 34 32 31 20 53 4d 54 421 SMT
139855938602656:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:787:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 169 bytes and written 352 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
Here is the mail.log entry for that request:
Jan 21 15:09:58 mx01 postfix/smtpd[1401]: connect from ec2-52-31-143-162.eu-west-1.compute.amazonaws.com[52.31.143.162]
Jan 21 15:10:10 mx01 postfix/smtpd[1401]: lost connection after EHLO from ec2-52-31-143-162.eu-west-1.compute.amazonaws.com[52.31.143.162]
Jan 21 15:10:10 mx01 postfix/smtpd[1401]: disconnect from ec2-52-31-143-162.eu-west-1.compute.amazonaws.com[52.31.143.162]
Then I tried the same command from my laptop at work, and it worked without any problem:
CONNECTED(00000003)
read from 0xbdef20 [0xbdf020] (4096 bytes => 32 (0x20))
0000 - 32 32 30 20 6d 78 30 31-2e 63 65 76 6f 2e 64 65 220 mx01.cevo.de
0010 - 20 45 53 4d 54 50 20 50-6f 73 74 66 69 78 0d 0a ESMTP Postfix..
write to 0xbdef20 [0xbe0030] (25 bytes => 25 (0x19))
0000 - 45 48 4c 4f 20 6f 70 65-6e 73 73 6c 2e 63 6c 69 EHLO openssl.cli
0010 - 65 6e 74 2e 6e 65 74 0d-0a ent.net..
read from 0xbdef20 [0xbdf020] (4096 bytes => 138 (0x8A))
0000 - 32 35 30 2d 6d 78 30 31-2e 63 65 76 6f 2e 6c 6f 250-mx01.cevo.lo
0010 - 63 61 6c 0d 0a 32 35 30-2d 50 49 50 45 4c 49 4e cal..250-PIPELIN
0020 - 49 4e 47 0d 0a 32 35 30-2d 53 49 5a 45 20 32 30 ING..250-SIZE 20
0030 - 39 37 31 35 32 30 0d 0a-32 35 30 2d 56 52 46 59 971520..250-VRFY
0040 - 0d 0a 32 35 30 2d 45 54-52 4e 0d 0a 32 35 30 2d ..250-ETRN..250-
0050 - 53 54 41 52 54 54 4c 53-0d 0a 32 35 30 2d 45 4e STARTTLS..250-EN
0060 - 48 41 4e 43 45 44 53 54-41 54 55 53 43 4f 44 45 HANCEDSTATUSCODE
0070 - 53 0d 0a 32 35 30 2d 38-42 49 54 4d 49 4d 45 0d S..250-8BITMIME.
0080 - 0a 32 35 30 20 44 53 4e-0d 0a .250 DSN..
write to 0xbdef20 [0x7ffdc4723d90] (10 bytes => 10 (0xA))
0000 - 53 54 41 52 54 54 4c 53-0d 0a STARTTLS..
read from 0xbdef20 [0xad1c10] (8192 bytes => 30 (0x1E))
0000 - 32 32 30 20 32 2e 30 2e-30 20 52 65 61 64 79 20 220 2.0.0 Ready
0010 - 74 6f 20 73 74 61 72 74-20 54 4c 53 0d 0a to start TLS..
write to 0xbdef20 [0xbdefa0] (318 bytes => 318 (0x13E))
...
subject=/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.cevo.de
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5189 bytes and written 488 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 244534A357837835FF9B28366E16DAA71E7D71C53AA9C0C5BBA8A2CFE065AA5A
Session-ID-ctx:
Master-Key: 9E8041FD2EC1DD4D3F9FDCEC2D920FA35EA403356DC7498767A43CC650314B0378D73BC7E786C29881BAB7EEE123DF6B
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 3600 (seconds)
TLS session ticket:
Compression: 1 (zlib compression)
Start Time: 1453385327
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
250 DSN
And the log entry for that request:
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: connect from unknown[172.19.5.135]
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: setting up TLS connection from unknown[172.19.5.135]
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: unknown[172.19.5.135]: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:before/accept initialization
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 read client hello A
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 write server hello A
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 write certificate A
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 write key exchange A
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 write server done A
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 flush data
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 read client key exchange A
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 read finished A
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 write session ticket A
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 write change cipher spec A
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 write finished A
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 flush data
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: Anonymous TLS connection established from unknown[172.19.5.135]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Here is main.cf (I removed all comments and unnecessary blank lines):
message_size_limit = 20971520
# mailbox_size_limit = 51200000
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
myhostname = mx01.cevo.local
myorigin = mx01.cevo.local
smtp_helo_name = mx01.cevo.de
append_dot_mydomain = no
inet_interfaces = all
inet_protocols = ipv4
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks = 127.0.0.0/8 172.19.3.29 172.19.3.36 172.19.3.41 172.19.3.50 172.19.3.123 192.168.100.28 172.19.3.18
masquerade_domains = $mydomain
masquerade_exceptions = root
transport_maps = hash:/etc/postfix/transport
disable_vrfy_command = no
smtpd_banner = mx01.cevo.de ESMTP $mail_name
local_header_rewrite_clients =
virtual_alias_domains =
virtual_alias_maps = hash:/etc/postfix/virtual,
ldap:/etc/postfix/ldap.groups,
ldap:/etc/postfix/ldap.distlist,
ldap:/etc/postfix/ldap.sharedfolderremote,
ldap:/etc/postfix/ldap.sharedfolderlocal,
ldap:/etc/postfix/ldap.virtual
virtual_mailbox_domains = ldap:/etc/postfix/ldap.virtualdomains
virtual_mailbox_maps = hash:/etc/postfix/virtual,
ldap:/etc/postfix/ldap.groups,
ldap:/etc/postfix/ldap.distlist,
ldap:/etc/postfix/ldap.sharedfolderremote,
ldap:/etc/postfix/ldap.sharedfolderlocal,
ldap:/etc/postfix/ldap.virtual
virtual_transport = lmtp:127.0.0.1:2003
canonical_maps = hash:/etc/postfix/canonical
relocated_maps = hash:/etc/postfix/relocated
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_unlisted_recipient
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_starttls_timeout = 300s
smtpd_timeout = 300s
smtpd_tls_cert_file = /etc/ssl/certs/star_cevo_de.pem
smtpd_tls_key_file = /etc/ssl/private/star_cevo_de.key
smtpd_tls_CAfile = /etc/ssl/certs/star_cevo_de.cabundle
smtpd_tls_received_header = no
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtp_tls_security_level = may
broken_sasl_auth_clients = yes
smtp_tls_loglevel = 2
smtpd_tls_loglevel = 2
smtpd_tls_dh1024_param_file = /etc/postfix/dh_2048.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
tls_preempt_cipherlist = yes
smtpd_tls_eecdh_grade = strong
master.cf:
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (50)
# ==========================================================================
25 inet n - n - - smtpd
465 inet n - n - - smtpd -o smtpd_sasl_auth_enable=yes -o smtpd_tls_wrappermode=yes
#628 inet n - n - - qmqpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 nqmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
smtp unix - - n - - smtp
showq unix n - n - - showq
error unix - - n - - error
local unix - n n - - local
#virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
#587 inet n - n - - smtpd -v -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
relay unix - - n - - smtp
trace unix - - n - 0 bounce
proxymap unix - - n - - proxymap
anvil unix - - n - 1 anvil
scache unix - - - - 1 scache
discard unix - - n - - discard
tlsmgr unix - - n 1000? 1 tlsmgr
So, as you can see, I can use SSL from my machine (i.e. from the "inside"), but from outside it doesn't work. I'm at the end of my knowledge, which is rather limited when it comes to Postfix and mail, tbh. I've googled like hell but haven't found a solution that fixes my problem.
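An added example, not code from the post, Postfix or OpenSSL: it decodes the two "read from" dumps that follow EHLO in the traces above and compares what the external client was offered with what Postfix answered internally, so the rewritten greeting and the missing STARTTLS keyword on the outside path become explicit. It assumes the lowercase BIO_dump layout that openssl prints with -debug; the sample dumps are copied from the post's traces.

```python
import re

# Sample input taken from the post's traces: the "read from" dump that follows
# EHLO in the external test, and the same dump from the internal test.
EXTERNAL_EHLO = """\
0000 - 32 35 30 2d 52 65 71 75-65 73 74 65 64 20 6d 61 250-Requested ma
0010 - 69 6c 20 61 63 74 69 6f-6e 20 6f 6b 61 79 2c 20 il action okay,
0020 - 63 6f 6d 70 6c 65 74 65-64 0d 0a 32 35 30 2d 53 completed..250-S
0030 - 49 5a 45 20 32 30 34 38-30 30 30 30 0d 0a 32 35 IZE 20480000..25
0040 - 30 2d 45 54 52 4e 0d 0a-32 35 30 2d 38 42 49 54 0-ETRN..250-8BIT
0050 - 4d 49 4d 45 0d 0a 32 35-30 20 4f 4b 0d 0a MIME..250 OK..
"""
INTERNAL_EHLO = """\
0000 - 32 35 30 2d 6d 78 30 31-2e 63 65 76 6f 2e 6c 6f 250-mx01.cevo.lo
0010 - 63 61 6c 0d 0a 32 35 30-2d 50 49 50 45 4c 49 4e cal..250-PIPELIN
0020 - 49 4e 47 0d 0a 32 35 30-2d 53 49 5a 45 20 32 30 ING..250-SIZE 20
0030 - 39 37 31 35 32 30 0d 0a-32 35 30 2d 56 52 46 59 971520..250-VRFY
0040 - 0d 0a 32 35 30 2d 45 54-52 4e 0d 0a 32 35 30 2d ..250-ETRN..250-
0050 - 53 54 41 52 54 54 4c 53-0d 0a 32 35 30 2d 45 4e STARTTLS..250-EN
0060 - 48 41 4e 43 45 44 53 54-41 54 55 53 43 4f 44 45 HANCEDSTATUSCODE
0070 - 53 0d 0a 32 35 30 2d 38-42 49 54 4d 49 4d 45 0d S..250-8BITMIME.
0080 - 0a 32 35 30 20 44 53 4e-0d 0a .250 DSN..
"""
# Hex field of one dump line: up to 16 byte pairs, split by a space or by the
# "-" openssl prints between byte 8 and 9 (a short last line whose ASCII column
# happened to start with two hex digits would be misread; none here do).
HEX_FIELD = re.compile(r"^[0-9a-f]{4} - ((?:[0-9a-f]{2}[ -]){0,15}[0-9a-f]{2})")

def decode_debug_dump(dump):
    """Rebuild the raw bytes from the hex column of an openssl -debug dump."""
    raw = bytearray()
    for line in dump.splitlines():
        m = HEX_FIELD.match(line)
        if m:
            raw.extend(bytes.fromhex(m.group(1).replace("-", " ")))
    return bytes(raw)

def parse_ehlo_reply(raw):
    """Split a multi-line 250 reply into its greeting and its keyword set."""
    lines = [l for l in raw.decode("ascii", "replace").split("\r\n") if l]
    if (not lines or not all(l.startswith(("250-", "250 ")) for l in lines)
            or not lines[-1].startswith("250 ")):
        raise ValueError("not a complete 250 EHLO reply")
    keywords = {l[4:].split()[0].upper() for l in lines[1:] if l[4:].strip()}
    return lines[0][4:], keywords

def starttls_diff(outside_dump, inside_dump):
    """Report what the outside client sees that differs from the server's own EHLO."""
    out_greet, out_caps = parse_ehlo_reply(decode_debug_dump(outside_dump))
    in_greet, in_caps = parse_ehlo_reply(decode_debug_dump(inside_dump))
    return {"greeting_rewritten": out_greet != in_greet, "starttls_outside": "STARTTLS" in out_caps,
            "missing_outside": sorted(in_caps - out_caps)}
```

Running starttls_diff(EXTERNAL_EHLO, INTERNAL_EHLO) shows the greeting rewritten, STARTTLS absent outside, and PIPELINING, VRFY, ENHANCEDSTATUSCODES and DSN dropped as well, which is worth checking against whatever sits between the two test points before touching the Postfix configuration.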