ssl - 读取文件 cert=REMOTE_SMTP_/etc/exim4/exim.crt 时出现 Exim TLS 错误

Question

在安装和配置我的第一个 Linux(邮件)服务器(Debian 9、Exim 4、Dovecot)一周后，与我的客户端的 TLS 加密通信工作正常。发送、接收和 DKIM 签名也有效。

除了这个问题，我在发送邮件时在我的日志中发现:

2017-07-22 20:56:08 1dYzZQ-0005fx-6J H=verifier.port25.com [38.95.177.125] TLS error on connection (cert/key setup: cert=REMOTE_SMTP_/etc/exim4/exim.crt key=REMOTE_SMTP_/etc/exim4/exim.crt): Error while reading file.

2017-07-22 20:56:08 1dYzZQ-0005fx-6J TLS session failure: delivering unencrypted to verifier.port25.com [38.95.177.125] (not in hosts_require_tls)

REMOTE_SMTP_ 部分似乎不属于那里。我猜 key 也应该指向一个 .key 文件。

03_exim4-config_tlsoptions 似乎没问题。

编辑 30_exim4-config_remote_smtp 可能会解决第一个问题 ("REMOTE_SMTP_")，但无论如何它都应该工作:

.ifdef REMOTE_SMTP_TLS_CERTIFICATE
tls_certificate = REMOTE_SMTP_TLS_CERTIFICATE
.endif
.ifdef REMOTE_SMTP_PRIVATEKEY
tls_privatekey = REMOTE_SMTP_PRIVATEKEY
.endif

错误从何而来，如何解决？

如有任何建议或解释，我们将不胜感激。

进一步研究，没有发现任何东西:

我没有以错误的方式使用 key 和证书的完整路径:

root@example:/etc/exim4# grep -r exim4/exim /etc/exim4/
/etc/exim4/exim4.conf.template:# /etc/exim4/exim4.conf.template is only used with the non-split
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:MAIN_TLS_CERTIFICATE = /etc/exim4/exim.crt
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:MAIN_TLS_PRIVATEKEY = /etc/exim4/exim.key
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:MAIN_TLS_CERTIFICATE = /etc/exim4/exim.crt
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:MAIN_TLS_PRIVATEKEY = /etc/exim4/exim.key
/etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs:# /etc/exim4/exim4.conf.template is only used with the non-split

Exim 可能默认为 CONFDIR/exim.crt

root@example:~# grep -r exim.crt /etc/exim4/
/etc/exim4/exim4.conf.template:#                          CONFDIR/exim.crt if unset
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:MAIN_TLS_CERTIFICATE = /etc/exim4/exim.crt
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:#                          CONFDIR/exim.crt if unset
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:MAIN_TLS_CERTIFICATE = /etc/exim4/exim.crt

当然还有 CONFDIR/exim.key

root@example:~# grep -r CONFDIR/exim /etc/exim4/
/etc/exim4/exim4.conf.template:#                          CONFDIR/exim.crt if unset
/etc/exim4/exim4.conf.template:#                          CONFDIR/exim.key if unset
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:#                          CONFDIR/exim.crt if unset
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:#                          CONFDIR/exim.key if unset

CONFDIR 在这里

/etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs:CONFDIR = /etc/exim4

第一期到此为止。关于第二个问题(使用 .crt 而不是 .key)，我找不到对 MAIN_TLS_CERTIFICATE 的误用

root@example:~# grep -r MAIN_TLS_CERTIFICATE  /etc/exim4/
/etc/exim4/exim4.conf.template:#   MAIN_TLS_CERTIFICATE - path to certificate file,
/etc/exim4/exim4.conf.template:.ifndef MAIN_TLS_CERTIFICATE
/etc/exim4/exim4.conf.template:MAIN_TLS_CERTIFICATE = /etc/letsencrypt/live/example.com/cert.pem
/etc/exim4/exim4.conf.template:tls_certificate = MAIN_TLS_CERTIFICATE
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:MAIN_TLS_CERTIFICATE = /etc/exim4/exim.crt
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:TLS_CERTIFICATE = MAIN_TLS_CERTIFICATE
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:#   MAIN_TLS_CERTIFICATE - path to certificate file,
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:.ifndef MAIN_TLS_CERTIFICATE
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:MAIN_TLS_CERTIFICATE = /etc/exim4/exim.crt
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:tls_certificate = MAIN_TLS_CERTIFICATE

对于 tls_certificate 也是如此。

tls_certificate = MAIN_TLS_CERTKEY 看起来有点偏离，但它是新安装中的默认值。

root@example:~# grep -r tls_certificate  /etc/exim4/
/etc/exim4/exim4.conf.template:MAIN_LOG_SELECTOR = +smtp_protocol_error +smtp_syntax_error +tls_certificate_verified +tls_peerdn
/etc/exim4/exim4.conf.template:tls_certificate = MAIN_TLS_CERTKEY
/etc/exim4/exim4.conf.template:tls_certificate = MAIN_TLS_CERTIFICATE
/etc/exim4/exim4.conf.template:tls_certificate = REMOTE_SMTP_TLS_CERTIFICATE
/etc/exim4/exim4.conf.template:tls_certificate = REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:tls_certificate = MAIN_TLS_CERTKEY
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:tls_certificate = MAIN_TLS_CERTIFICATE
/etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs:MAIN_LOG_SELECTOR = +smtp_protocol_error +smtp_syntax_error +tls_certificate_verified +tls_peerdn
/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp:tls_certificate = REMOTE_SMTP_TLS_CERTIFICATE
/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost:tls_certificate = REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE

搜索 REMOTE_SMTP_TLS_CERTIFICATE

root@example:/var/log/exim4# grep -r REMOTE_SMTP_TLS_CERTIFICATE /etc/exim4/
/etc/exim4/exim4.conf.template:.ifdef REMOTE_SMTP_TLS_CERTIFICATE
/etc/exim4/exim4.conf.template:tls_certificate = REMOTE_SMTP_TLS_CERTIFICATE
/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp:.ifdef REMOTE_SMTP_TLS_CERTIFICATE
/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp:tls_certificate = REMOTE_SMTP_TLS_CERTIFICATE

更新权限

root@example:/etc/exim4# ls -l exim.crt exim.key
-rw-r----- 1 root Debian-exim 1066 Jul 21  2017 exim.crt
-rw-r----- 1 root Debian-exim 1708 Jul 21  2017 exim.key

Answer 1

exim4 证书和 key 文件需要以严格的方式设置所有者和模式，否则 exim 不会读取它，而是会在 证书/ key 设置阶段。确切的所有者和模式是:

root@hostname:/etc/exim4# ls -l exim.crt exim.key
-rw-r----- 1 root Debian-exim 2224 mag 30 17:13 exim.crt
-rw-r----- 1 root Debian-exim 1704 mag 30 17:12 exim.key

另一种选择是您的 REMOTE_SMTP_/etc/exim4/exim.crt 文件是一个损坏的宏。您是否有在 REMOTE_SMTP_TLS_CERTIFICATE 宏的第二部分中替换的任何 TLS_CERTIFICATE 宏？