Random Postfix SSL_accept errors / Dovecot "TLS handshaking: Disconnected"

For a few days/weeks I have had this strange problem: more and more people report problems connecting to the mail servers (Dovecot IMAP and POP3, and Postfix SMTP) in SSL mode. They run on two separate Debian 6.0 Squeeze servers with identical configuration and the same SSL certificate, which is a RapidSSL wildcard certificate. The configuration has worked for more than two years and has not been changed recently. The only thing I can say is that at the end of December I renewed the SSL certificate. Of course I keep all Debian packages up to date.

I have not been able to find a common scenario to reproduce the problem; it occurs with various clients (Mozilla Thunderbird, Windows Live Mail, Apple Mail), and it happens very randomly and only for some users. Basically the client reports that the server terminated the connection unexpectedly. If you retry a few seconds later, it works. Strangely this affects both Postfix and Dovecot, but Apache seems to run fine with the same certificate.

One of the servers holds only my mailbox, so I can rule out any server overload or limits being reached.

So I enabled debug logging for Postfix and Dovecot.

```
Mar 5 20:15:24 mercury postfix/smtpd[24551]: connect from xxx.kabel-badenwuerttemberg.de[46.xxx.xxx.xxx]
Mar 5 20:15:24 mercury postfix/smtpd[24551]: setting up TLS connection from xxx.kabel-badenwuerttemberg.de[46.xxx.xxx.xxx]
Mar 5 20:15:24 mercury postfix/smtpd[24551]: xxx.kabel-badenwuerttemberg.de[46.xxx.xxx.xxx]: TLS cipher list "ALL:+RC4:@STRENGTH"
Mar 5 20:15:24 mercury postfix/smtpd[24551]: SSL_accept:before/accept initialization
Mar 5 20:15:24 mercury postfix/smtpd[24551]: SSL_accept:SSLv3 read client hello B
Mar 5 20:15:24 mercury postfix/smtpd[24551]: SSL_accept:SSLv3 write server hello A
Mar 5 20:15:24 mercury postfix/smtpd[24551]: SSL_accept:SSLv3 write certificate A
Mar 5 20:15:24 mercury postfix/smtpd[24551]: SSL_accept:SSLv3 write server done A
Mar 5 20:15:24 mercury postfix/smtpd[24551]: SSL_accept:SSLv3 flush data
Mar 5 20:15:24 mercury postfix/smtpd[24551]: SSL_accept error from xxx.kabel-badenwuerttemberg.de[46.xxx.xxx.xxx]: -1
Mar 5 20:15:24 mercury postfix/smtpd[24551]: lost connection after STARTTLS from xxx.kabel-badenwuerttemberg.de[46.xxx.xxx.xxx]
Mar 5 20:15:24 mercury postfix/smtpd[24551]: disconnect from xxx.kabel-badenwuerttemberg.de[46.xxx.xxx.xxx]
Mar 5 20:15:24 mercury postfix/smtpd[24551]: connect from xxx.kabel-badenwuerttemberg.de[46.xxx.xxx.xxx]
Mar 5 20:15:24 mercury postfix/smtpd[24551]: lost connection after MAIL from xxx.kabel-badenwuerttemberg.de[46.xxx.xxx.xxx]
Mar 5 20:15:24 mercury postfix/smtpd[24551]: disconnect from xxx.kabel-badenwuerttemberg.de[46.xxx.xxx.xxx]
```

A few minutes later, a successful exchange. Same client.

```
Mar 5 20:18:53 mercury postfix/smtpd[24710]: initializing the server-side TLS engine
Mar 5 20:18:53 mercury postfix/smtpd[24710]: connect from xxx.kabel-badenwuerttemberg.de[46.xxx.xxx.xxx]
Mar 5 20:18:53 mercury postfix/smtpd[24710]: setting up TLS connection from xxx.kabel-badenwuerttemberg.de[46.xxx.xxx.xxx]
Mar 5 20:18:53 mercury postfix/smtpd[24710]: xxx.kabel-badenwuerttemberg.de[46.xxx.xxx.xxx]: TLS cipher list "ALL:+RC4:@STRENGTH"
Mar 5 20:18:53 mercury postfix/smtpd[24710]: SSL_accept:before/accept initialization
Mar 5 20:18:53 mercury postfix/smtpd[24710]: SSL_accept:SSLv3 read client hello B
Mar 5 20:18:53 mercury postfix/smtpd[24710]: SSL_accept:SSLv3 write server hello A
Mar 5 20:18:53 mercury postfix/smtpd[24710]: SSL_accept:SSLv3 write certificate A
Mar 5 20:18:53 mercury postfix/smtpd[24710]: SSL_accept:SSLv3 write server done A
Mar 5 20:18:53 mercury postfix/smtpd[24710]: SSL_accept:SSLv3 flush data
Mar 5 20:18:53 mercury postfix/smtpd[24710]: SSL_accept:SSLv3 read client key exchange A
Mar 5 20:18:53 mercury postfix/smtpd[24710]: SSL_accept:SSLv3 read finished A
Mar 5 20:18:53 mercury postfix/smtpd[24710]: SSL_accept:SSLv3 write session ticket A
Mar 5 20:18:53 mercury postfix/smtpd[24710]: SSL_accept:SSLv3 write change cipher spec A
Mar 5 20:18:53 mercury postfix/smtpd[24710]: SSL_accept:SSLv3 write finished A
Mar 5 20:18:53 mercury postfix/smtpd[24710]: SSL_accept:SSLv3 flush data
Mar 5 20:18:53 mercury postfix/smtpd[24710]: Anonymous TLS connection established from xxx.kabel-badenwuerttemberg.de[46.xxx.xxx.xxx]: TLSv1 with cipher AES128-SHA (128/128 bits)
Mar 5 20:18:53 mercury postfix/smtpd[24710]: 9B3C93FA2C: client=xxx.kabel-badenwuerttemberg.de[46.xxx.xxx.xxx], sasl_method=LOGIN, sasl_username=xxx
Mar 5 20:18:53 mercury postfix/cleanup[24712]: 9B3C93FA2C: message-id=<A1DEE5BBBD1F4E4CB5BF9AD0D3B1F98F@Angus>
Mar 5 20:18:53 mercury postfix/qmgr[24412]: 9B3C93FA2C: from=<[email protected]>, size=1303, nrcpt=1 (queue active)
Mar 5 20:18:53 mercury postfix/smtpd[24710]: disconnect from xxx.kabel-badenwuerttemberg.de[46.xxx.xxx.xxx]
Mar 5 20:18:53 mercury postfix/smtp[24713]: 9B3C93FA2C: to=<[email protected]>, relay=xxx.xxx.xxx[188.xxx.xxx.xxx]:25, delay=0.38, delays=0.19/0.01/0.12/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as E8FC024534)
Mar 5 20:18:53 mercury postfix/qmgr[24412]: 9B3C93FA2C: remove
```

Dovecot is not very talkative; this is what it says when it fails:

```
Mar 5 22:18:23 mercury dovecot: imap-login: Disconnected (no auth attempts): rip=46.xxx.xxx.xxx, lip=188.xxx.xxx.xxx, TLS: Disconnected
Mar 5 22:18:25 mercury dovecot: imap-login: Disconnected (no auth attempts): rip=46.xxx.xxx.xxx, lip=188.xxx.xxx.xxx, TLS handshaking: Disconnected
```

I am struggling to understand what is going on. Is this a problem caused by my new certificate? Is it a problem with the OpenSSL library from the latest Debian security updates? I rebooted the machines, double-checked the certificates for correctness, disabled the firewall, and none of it helped... The strangest thing is the complete randomness of this behaviour: only some users/clients show the problem, and sometimes it works for them too. Really weird...

So far all the evidence points to a client-side problem, so I will leave it there.

Additional information:

According to this page, establishing a secure channel takes 9 steps:

```
Step 1: Client sends ClientHello message proposing SSL options.
Step 2: Server responds with ServerHello message selecting the SSL options.
Step 3: Server sends its public key information in ServerKeyExchange message.
Step 4: Server concludes its part of the negotiation with ServerHelloDone message.
Step 5: Client sends session key information (encrypted with server's public key) in ClientKeyExchange message.
Step 6: Client sends ChangeCipherSpec message to activate the negotiated options for all future messages it will send.
Step 7: Client sends Finished message to let the server check the newly activated options.
Step 8: Server sends ChangeCipherSpec message to activate the negotiated options for all future messages it will send.
Step 9: Server sends Finished message to let the client check the newly activated options.
```

According to the maillog, this "ceremony" is aborted by the client after step 4.

How to debug further

To get insight into what is really happening, you should start tcpdump on the server side and compare a successful case against an unsuccessful one.

Another additional step is to enable SSL verbosity in the postfix main.cf. Have a look at the parameter smtpd_tls_loglevel. The table of log levels is given here:

| level | information |
|---|---|
| 0 | Disable logging of TLS activity. |
| 1 | Log only a summary message on TLS handshake completion — no logging of client certificate trust-chain verification errors if client certificate verification is not required. |
| 2 | Also log levels during TLS negotiation. |
| 3 | Also log hexadecimal and ASCII dump of TLS negotiation process. |
| 4 | Also log hexadecimal and ASCII dump of complete transmission after STARTTLS. |

Setting this parameter to > 3 will dump everything you need.
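The answer above reads the maillog by hand to conclude that the handshake stops after step 4. The following script automates that reading: it is an added example written for this page, not code from the question, the answer or Postfix, and it assumes Postfix syslog output at smtpd_tls_loglevel 2 or higher (the level at which the SSL_accept state lines appear). It maps each OpenSSL SSL_accept state Postfix logs onto the 9-step list from the answer, groups lines into sessions per "connect from", and reports the last step each session reached. The sample log embedded in it is constructed (placeholder client name and address), modelled on the excerpts quoted in the question.

```python
"""Locate the step at which a Postfix smtpd TLS handshake stopped.

Added example, not code from the original post. Reads Postfix syslog lines
produced at smtpd_tls_loglevel >= 2 and maps each OpenSSL SSL_accept state onto
the 9-step handshake listed in the answer above.
"""
import re

# The 9 steps from the answer's handshake description.
STEP_NAMES = {
    1: "ClientHello", 2: "ServerHello",
    3: "server public key (Certificate/ServerKeyExchange)", 4: "ServerHelloDone",
    5: "ClientKeyExchange", 6: "client ChangeCipherSpec", 7: "client Finished",
    8: "server ChangeCipherSpec", 9: "server Finished",
}

# Fragments of the OpenSSL SSL_accept state strings Postfix logs, mapped onto
# those steps. Step 6 has no separate SSL_accept line (the next state after
# ClientKeyExchange is the client's Finished), and "write session ticket"
# belongs to a TLS extension, so neither is listed.
STATE_TO_STEP = [
    ("read client hello", 1), ("write server hello", 2), ("write certificate", 3),
    ("write server done", 4), ("read client key exchange", 5), ("read finished", 7),
    ("write change cipher spec", 8), ("write finished", 9),
]

LINE_RE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")

# Constructed sample log (placeholder client, not a real host): session 1 aborts
# after ServerHelloDone, session 2 is the plaintext retry, session 3 completes.
SAMPLE_LOG = """\
Mar  5 20:15:24 mercury postfix/smtpd[24551]: connect from client.example[192.0.2.10]
Mar  5 20:15:24 mercury postfix/smtpd[24551]: SSL_accept:before/accept initialization
Mar  5 20:15:24 mercury postfix/smtpd[24551]: SSL_accept:SSLv3 read client hello B
Mar  5 20:15:24 mercury postfix/smtpd[24551]: SSL_accept:SSLv3 write server hello A
Mar  5 20:15:24 mercury postfix/smtpd[24551]: SSL_accept:SSLv3 write certificate A
Mar  5 20:15:24 mercury postfix/smtpd[24551]: SSL_accept:SSLv3 write server done A
Mar  5 20:15:24 mercury postfix/smtpd[24551]: SSL_accept:SSLv3 flush data
Mar  5 20:15:24 mercury postfix/smtpd[24551]: SSL_accept error from client.example[192.0.2.10]: -1
Mar  5 20:15:24 mercury postfix/smtpd[24551]: lost connection after STARTTLS from client.example[192.0.2.10]
Mar  5 20:15:24 mercury postfix/smtpd[24551]: disconnect from client.example[192.0.2.10]
Mar  5 20:15:24 mercury postfix/smtpd[24551]: connect from client.example[192.0.2.10]
Mar  5 20:15:24 mercury postfix/smtpd[24551]: lost connection after MAIL from client.example[192.0.2.10]
Mar  5 20:15:24 mercury postfix/smtpd[24551]: disconnect from client.example[192.0.2.10]
Mar  5 20:18:53 mercury postfix/smtpd[24710]: connect from client.example[192.0.2.10]
Mar  5 20:18:53 mercury postfix/smtpd[24710]: SSL_accept:SSLv3 read client hello B
Mar  5 20:18:53 mercury postfix/smtpd[24710]: SSL_accept:SSLv3 write server hello A
Mar  5 20:18:53 mercury postfix/smtpd[24710]: SSL_accept:SSLv3 write certificate A
Mar  5 20:18:53 mercury postfix/smtpd[24710]: SSL_accept:SSLv3 write server done A
Mar  5 20:18:53 mercury postfix/smtpd[24710]: SSL_accept:SSLv3 read client key exchange A
Mar  5 20:18:53 mercury postfix/smtpd[24710]: SSL_accept:SSLv3 read finished A
Mar  5 20:18:53 mercury postfix/smtpd[24710]: SSL_accept:SSLv3 write session ticket A
Mar  5 20:18:53 mercury postfix/smtpd[24710]: SSL_accept:SSLv3 write change cipher spec A
Mar  5 20:18:53 mercury postfix/smtpd[24710]: SSL_accept:SSLv3 write finished A
Mar  5 20:18:53 mercury postfix/smtpd[24710]: Anonymous TLS connection established from client.example[192.0.2.10]: TLSv1 with cipher AES128-SHA (128/128 bits)
Mar  5 20:18:53 mercury postfix/smtpd[24710]: disconnect from client.example[192.0.2.10]
"""


def analyze_sessions(log_text):
    """Return one dict per 'connect from' session, in log order."""
    sessions = []
    open_by_pid = {}  # an smtpd process serves one connection at a time
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an smtpd line (cleanup, qmgr, dovecot, ...)
        pid, msg = m.groups()
        if msg.startswith("connect from "):
            open_by_pid[pid] = {"pid": pid, "client": msg[len("connect from "):],
                                "last_step": 0, "aborted": False, "established": False}
            sessions.append(open_by_pid[pid])
            continue
        s = open_by_pid.get(pid)
        if s is None:
            continue  # lines before this process's first 'connect from'
        if msg.startswith("SSL_accept:"):
            for fragment, step in STATE_TO_STEP:
                if fragment in msg:
                    s["last_step"] = max(s["last_step"], step)
        elif msg.startswith("SSL_accept error"):
            s["aborted"] = True
        elif "TLS connection established" in msg:
            s["established"] = True
    return sessions


def describe(session):
    """Verdict for one session in terms of the 9 handshake steps."""
    if session["established"]:
        return "handshake completed (step 9 reached)"
    step = session["last_step"]
    if step == 0:
        return "no TLS handshake observed"
    nxt = step + 1
    return "aborted after step %d (%s); step %d (%s) never arrived" % (
        step, STEP_NAMES[step], nxt, STEP_NAMES.get(nxt, "none"))


if __name__ == "__main__":
    for s in analyze_sessions(SAMPLE_LOG):
        print("smtpd[%s] %s: %s" % (s["pid"], s["client"], describe(s)))
```

Run against a real maillog (`python3 script.py < /var/log/mail.log` after swapping SAMPLE_LOG for stdin) it gives a per-connection verdict, so the failing and succeeding sessions from the same client can be lined up against each other and against the tcpdump captures the answer recommends. Sessions are keyed by smtpd process id and reset on every "connect from", because, as the question's own log shows, one smtpd process serves several connections in a row.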