Re: verschlüsselter Austausch Server <-> Server
sebastian at debianfan.de
Di Jun 14 21:45:58 CEST 2016
Moin zusammen,
postconf -n:
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 1h
config_directory = /etc/postfix
inet_interfaces = all
local_recipient_maps = $virtual_mailbox_maps
mailbox_size_limit = 0
maximal_backoff_time = 15m
maximal_queue_lifetime = 1h
message_size_limit = 52428800
minimal_backoff_time = 5m
myhostname = mail.xn--deiner-dta.de
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
postscreen_access_list = permit_mynetworks
cidr:/etc/postfix/postscreen_access
postscreen_blacklist_action = drop
postscreen_dnsbl_action = drop
postscreen_dnsbl_sites = dnsbl.sorbs.net*1, bl.spamcop.net*1,
ix.dnsbl.manitu.net*2, zen.spamhaus.org*2
postscreen_dnsbl_threshold = 2
postscreen_greet_action = drop
queue_run_delay = 5m
recipient_delimiter = +
smtp_host_lookup = dns
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_CApath = /etc/ssl/certs/
smtp_tls_cert_file = /etc/ssl/certs/xn--deiner-dta.de.cert
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK,
aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, CBC3-SHA
smtp_tls_fingerprint_digest = SHA256
smtp_tls_key_file = /etc/ssl/private/xn--deiner-dta.de.key.priv
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4,
MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES,
CBC3-SHA
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_client_restrictions = permit_mynetworks check_client_access
hash:/etc/postfix/without_ptr reject_unknown_client_hostname
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
smtpd_recipient_restrictions = check_recipient_access
mysql:/etc/postfix/sql/recipient-access.cf
smtpd_relay_restrictions = reject_non_fqdn_recipient
reject_unknown_recipient_domain permit_mynetworks reject_unauth_destination
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/ssl/certs/xn--deiner-dta.de.cert
smtpd_tls_ciphers = high
smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK,
aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_fingerprint_digest = SHA256
smtpd_tls_key_file = /etc/ssl/private/xn--deiner-dta.de.key.priv
smtpd_tls_loglevel = 2
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4,
MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES,
CBC3-SHA
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_security_level = may
smtpd_use_tls = yes
tls_daemon_random_bytes = 64
tls_high_cipherlist =
EECDH+AESGCM:AES+EECDH:+ECDHE-RSA-AES256-SHA:+ECDHE-RSA-AES128-SHA:RSA+AESGCM:RSA+AES:RSA+CAMELLIA:+AES256-SHA:+AES128-SHA:!EXPORT:!eNULL:!aNULL:!DES:!3DES:!RC4:!RC2:!MD5:!IDEA:!SEED:!EDH:!aECDH:!aECDSA:!kECDHe:!SRP:!PSK
tls_preempt_cipherlist = yes
tls_random_bytes = 64
tls_ssl_options = no_ticket, no_compression
virtual_alias_maps = mysql:/etc/postfix/sql/aliases.cf
virtual_mailbox_domains = mysql:/etc/postfix/sql/domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/sql/accounts.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
master.cf:
smtp inet n - n - 1 postscreen
-o smtpd_sasl_auth_enable=no
smtpd pass - - n - - smtpd
-o smtpd_sasl_auth_enable=no
dnsblog unix - - n - 0 dnsblog
tlsproxy unix - - n - 0 tlsproxy
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_sasl_security_options=noanonymous
-o
smtpd_relay_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
-o smtpd_sender_login_maps=mysql:/etc/postfix/sql/sender-login-maps.cf
-o
smtpd_sender_restrictions=permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject
-o
smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o smtpd_helo_required=no
-o smtpd_helo_restrictions=
-o milter_macro_daemon_name=ORIGINATING
-o cleanup_service_name=submission-header-cleanup
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
submission-header-cleanup unix n - n - 0 cleanup
-o header_checks=regexp:/etc/postfix/submission_header_cleanup
mail.log:
Jun 14 21:29:11 debian postfix/postscreen[1352]: CONNECT from
[83.149.68.26]:48803 to [91.143.93.143]:25
Jun 14 21:29:11 debian postfix/postscreen[1352]: PASS OLD
[83.149.68.26]:48803
Jun 14 21:29:11 debian postfix/smtpd[1353]: initializing the server-side
TLS engine
Jun 14 21:29:11 debian postfix/smtpd[1353]: warning: cannot get RSA
private key from file /etc/ssl/private/xn--deiner-dta.de.key.priv:
disabling TLS support
Jun 14 21:29:11 debian postfix/smtpd[1353]: warning: TLS library
problem: error:0B080074:x509 certificate
routines:X509_check_private_key:key values mismatch:x509_cmp.c:341:
Jun 14 21:29:11 debian postfix/smtpd[1353]: connect from
mf01.wk-serv.net[83.149.68.26]
Jun 14 21:29:11 debian postfix/smtpd[1353]: 5BD8CC0F14:
client=mf01.wk-serv.net[83.149.68.26]
Jun 14 21:29:11 debian postfix/cleanup[1359]: 5BD8CC0F14:
message-id=<57605B09.1060404 at debianfan.de>
Jun 14 21:29:11 debian postfix/qmgr[1337]: 5BD8CC0F14:
from=<sebastian at debianfan.de>, size=965, nrcpt=1 (queue active)
Jun 14 21:29:11 debian postfix/smtpd[1353]: disconnect from
mf01.wk-serv.net[83.149.68.26]
Jun 14 21:29:11 debian postfix/lmtp[1361]: 5BD8CC0F14:
to=<sebastain at xn--deiner-dta.de>,
relay=mail.xn--deiner-dta.de[private/dovecot-lmtp], delay=0.08,
delays=0.06/0.01/0/0.01, dsn=2.0.0, status=sent (250 2.0.0
<sebastian at xn--deiner-dta.de> QSGoAdRaYFevBAAAzzfKSg Saved)
Jun 14 21:29:11 debian postfix/qmgr[1337]: 5BD8CC0F14: removed
Die Datei xn--deiner-dta.de.key.priv fängt an mit:
-----BEGIN RSA PRIVATE KEY-----
Die Ausführung des Kommandos:
# openssl rsa -in /etc/ssl/private/xn--deiner-dta.de.key.priv -check -noout
sagt:
RSA key ok
Die Rechte der Datei sind auch i.O.
Anmerkung: `openssl rsa -check` prüft nur die interne Konsistenz des Schlüssels, nicht ob er zum Zertifikat gehört. Die Meldung im Log (`X509_check_private_key: key values mismatch`) besagt genau das: Der Public Key im ersten Zertifikat der cert-Datei passt nicht zu diesem Private Key. Zum Vergleich kann man die Modulus-Hashes gegenüberstellen, z.B. `openssl rsa -noout -modulus -in /etc/ssl/private/xn--deiner-dta.de.key.priv | openssl md5` und `openssl x509 -noout -modulus -in /etc/ssl/certs/xn--deiner-dta.de.cert | openssl md5` – stimmen die beiden nicht überein, ist entweder das Zertifikat für einen anderen Key ausgestellt (z.B. nach einem Re-Issue) oder die Reihenfolge in der cert-Datei ist falsch.
Die Datei /etc/ssl/certs/xn--deiner-dta.de.cert besteht aus dem von
StartSSL signierten Zertifikat und dem Intermediate-Class-2-Zertifikat
von StartSSL. Dabei ist die Reihenfolge wichtig: Postfix erwartet in smtpd_tls_cert_file zuerst das eigene Server-Zertifikat und erst danach die Intermediates. Steht das Intermediate vorne, wird es gegen den Private Key geprüft und es kommt genau der oben geloggte „key values mismatch“ – das lässt sich mit `openssl x509 -noout -subject -in /etc/ssl/certs/xn--deiner-dta.de.cert` (zeigt nur das erste Zertifikat der Datei) schnell verifizieren.
Gruß
Sebastian
Am 14.06.2016 um 07:12 schrieb Jens Adam:
> Guten Morgen allerseits.
>