Re: verschlüsselter Austausch Server <-> Server

sebastian at debianfan.de sebastian at debianfan.de
Di Jun 14 21:45:58 CEST 2016


Moin zusammen,

postconf -n:

append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 1h
config_directory = /etc/postfix
inet_interfaces = all
local_recipient_maps = $virtual_mailbox_maps
mailbox_size_limit = 0
maximal_backoff_time = 15m
maximal_queue_lifetime = 1h
message_size_limit = 52428800
minimal_backoff_time = 5m
myhostname = mail.xn--deiner-dta.de
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
postscreen_access_list = permit_mynetworks 
cidr:/etc/postfix/postscreen_access
postscreen_blacklist_action = drop
postscreen_dnsbl_action = drop
postscreen_dnsbl_sites = dnsbl.sorbs.net*1, bl.spamcop.net*1, 
ix.dnsbl.manitu.net*2, zen.spamhaus.org*2
postscreen_dnsbl_threshold = 2
postscreen_greet_action = drop
queue_run_delay = 5m
recipient_delimiter = +
smtp_host_lookup = dns
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_CApath = /etc/ssl/certs/
smtp_tls_cert_file = /etc/ssl/certs/xn--deiner-dta.de.cert
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, 
aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, CBC3-SHA
smtp_tls_fingerprint_digest = SHA256
smtp_tls_key_file = /etc/ssl/private/xn--deiner-dta.de.key.priv
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, 
MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, 
CBC3-SHA
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_client_restrictions = permit_mynetworks check_client_access 
hash:/etc/postfix/without_ptr reject_unknown_client_hostname
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_invalid_helo_hostname 
reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
smtpd_recipient_restrictions = check_recipient_access 
mysql:/etc/postfix/sql/recipient-access.cf
smtpd_relay_restrictions = reject_non_fqdn_recipient 
reject_unknown_recipient_domain permit_mynetworks reject_unauth_destination
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/ssl/certs/xn--deiner-dta.de.cert
smtpd_tls_ciphers = high
smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, 
aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_fingerprint_digest = SHA256
smtpd_tls_key_file = /etc/ssl/private/xn--deiner-dta.de.key.priv
smtpd_tls_loglevel = 2
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, 
MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, 
CBC3-SHA
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_security_level = may
smtpd_use_tls = yes
tls_daemon_random_bytes = 64
tls_high_cipherlist = 
EECDH+AESGCM:AES+EECDH:+ECDHE-RSA-AES256-SHA:+ECDHE-RSA-AES128-SHA:RSA+AESGCM:RSA+AES:RSA+CAMELLIA:+AES256-SHA:+AES128-SHA:!EXPORT:!eNULL:!aNULL:!DES:!3DES:!RC4:!RC2:!MD5:!IDEA:!SEED:!EDH:!aECDH:!aECDSA:!kECDHe:!SRP:!PSK
tls_preempt_cipherlist = yes
tls_random_bytes = 64
tls_ssl_options = no_ticket, no_compression
virtual_alias_maps = mysql:/etc/postfix/sql/aliases.cf
virtual_mailbox_domains = mysql:/etc/postfix/sql/domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/sql/accounts.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp


master.cf:


smtp      inet  n       -       n       -       1       postscreen
     -o smtpd_sasl_auth_enable=no

smtpd     pass  -       -       n       -       -       smtpd
     -o smtpd_sasl_auth_enable=no
dnsblog   unix  -       -       n       -       0       dnsblog

tlsproxy  unix  -       -       n       -       0       tlsproxy

submission inet n       -       n       -       -       smtpd
     -o syslog_name=postfix/submission
     -o smtpd_tls_security_level=encrypt
     -o smtpd_sasl_auth_enable=yes
     -o smtpd_sasl_type=dovecot
     -o smtpd_sasl_path=private/auth
     -o smtpd_sasl_security_options=noanonymous
     -o 
smtpd_relay_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
     -o smtpd_sender_login_maps=mysql:/etc/postfix/sql/sender-login-maps.cf
     -o 
smtpd_sender_restrictions=permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject
     -o 
smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
     -o smtpd_helo_required=no
     -o smtpd_helo_restrictions=
     -o milter_macro_daemon_name=ORIGINATING
     -o cleanup_service_name=submission-header-cleanup

pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
submission-header-cleanup unix n - n    -       0       cleanup
     -o header_checks=regexp:/etc/postfix/submission_header_cleanup





mail.log:

Jun 14 21:29:11 debian postfix/postscreen[1352]: CONNECT from 
[83.149.68.26]:48803 to [91.143.93.143]:25
Jun 14 21:29:11 debian postfix/postscreen[1352]: PASS OLD 
[83.149.68.26]:48803
Jun 14 21:29:11 debian postfix/smtpd[1353]: initializing the server-side 
TLS engine
Jun 14 21:29:11 debian postfix/smtpd[1353]: warning: cannot get RSA 
private key from file /etc/ssl/private/xn--deiner-dta.de.key.priv: 
disabling TLS support
Jun 14 21:29:11 debian postfix/smtpd[1353]: warning: TLS library 
problem: error:0B080074:x509 certificate 
routines:X509_check_private_key:key values mismatch:x509_cmp.c:341:
Jun 14 21:29:11 debian postfix/smtpd[1353]: connect from 
mf01.wk-serv.net[83.149.68.26]
Jun 14 21:29:11 debian postfix/smtpd[1353]: 5BD8CC0F14: 
client=mf01.wk-serv.net[83.149.68.26]
Jun 14 21:29:11 debian postfix/cleanup[1359]: 5BD8CC0F14: 
message-id=<57605B09.1060404 at debianfan.de>
Jun 14 21:29:11 debian postfix/qmgr[1337]: 5BD8CC0F14: 
from=<sebastian at debianfan.de>, size=965, nrcpt=1 (queue active)
Jun 14 21:29:11 debian postfix/smtpd[1353]: disconnect from 
mf01.wk-serv.net[83.149.68.26]
Jun 14 21:29:11 debian postfix/lmtp[1361]: 5BD8CC0F14: 
to=<sebastain at xn--deiner-dta.de>, 
relay=mail.xn--deiner-dta.de[private/dovecot-lmtp], delay=0.08, 
delays=0.06/0.01/0/0.01, dsn=2.0.0, status=sent (250 2.0.0 
<sebastian at xn--deiner-dta.de> QSGoAdRaYFevBAAAzzfKSg Saved)
Jun 14 21:29:11 debian postfix/qmgr[1337]: 5BD8CC0F14: removed


Die Datei xn--deiner-dta.de.key.priv fängt an mit:

-----BEGIN RSA PRIVATE KEY-----

Die Ausführung des Kommandos:

# openssl rsa -in /etc/ssl/private/xn--deiner-dta.de.key.priv -check -noout

sagt (das prüft allerdings nur die interne Konsistenz des Schlüssels, nicht ob er zum Zertifikat gehört):

RSA key ok


Die Rechte der Datei sind auch i.O.

Die Datei /etc/ssl/certs/xn--deiner-dta.de.cert besteht aus dem von 
Startssl signierten Zertifikat und dem Intermediate Class 2 Zertifikat 
von Startssl.

Gruß

Sebastian

Am 14.06.2016 um 07:12 schrieb Jens Adam:
> Guten Morgen allerseits.
>


