
Title: [KnowHow] Have you ever suddenly been unable to reach your company's overseas server, even though you can still ping it?

Author: service.support    Time: 2007-7-12 10:42

Using Postfix TLS to get past GFW blocking

Have you ever been searching on Google when suddenly "the page cannot be displayed";
Have you ever suddenly been unable to reach your company's overseas server, even though you can still ping it;
Have you ever been retrieving mail with Outlook when, on one particular message, Outlook suddenly reports:
"Your server has unexpectedly terminated the connection. Possible causes for this include server problems, network problems, or a long period of inactivity. Account: 'XXX.com', Server: 'mail.XXX.com', Protocol: POP3, Port: 110, Secure(SSL): No, Socket Error: 10053, Error Number: 0x800CCC0F" and from then on cannot connect;
...
Most of all this is caused by the GFW.

I. What is the GFW?
GFW is short for The Great Fire Wall of China, i.e. the "China network firewall" (literally "Great Firewall of China"), the colloquial name for the "National Public Network Monitoring System"; within China it is simply called the Great Firewall.
GFW is one sub-function of the "Golden Shield Project". The Golden Shield Project is a nationwide public-security informatisation programme, led by the public-security information network and centred on computerising the various areas of police work, to build a mechanism for unified command, rapid response and coordinated operations; its main components are the public-security integrated business communications network, the public-security integrated information system, the national public-security command and dispatch system, and the national public network monitoring centre. The project went into effect in 2003. What people usually mean by GFW is the public network monitoring system, and in particular its filtering of overseas websites, IP addresses, keywords and URLs involving sensitive content.

II. How the GFW works
The GFW is aimed specifically at overseas websites, but not every overseas website is blocked. So which websites does the GFW block, and by what methods?
The GFW has three main working modes:
Domain hijacking
There are 13 groups of root-level DNS servers worldwide, and mainland China now hosts several DNS mirrors, but none of the groups is under direct mainland control, so the mainland cannot control website domain names at the root. Instead it uses domain hijacking to block "non-compliant" sites outside the mainland. Domain hijacking means intercepting DNS resolution requests within the hijacked network range and analysing the requested domain: requests outside the censorship scope are passed through, while the rest get a fake IP address in reply, or simply no reply at all. The effect is that a particular address cannot be reached, or what is reached is a fake site.
Simply put, domain hijacking stops people from directly reaching the website bound to a given domain. The GFW uses it to keep mainland users away from some websites outside the mainland. For example, if a website opposing the Chinese Communist Party is at www.fg.com and www.fg.com is hijacked, www.fg.com can no longer be reached.
IP blocking at the national gateway
This is similar to domain hijacking, except that domain hijacking blocks the domain name, whereas IP blocking directly blocks the IP address of the server hosting the site. Many technically savvy users started using proxy servers to reach blocked sites, so the GFW also blocked the IP addresses of some commonly used proxies.
Keyword filtering on backbone routers
This one is a little more involved, so here is an analogy:
When you take a flight you go through a security check; if your luggage contains prohibited items you will not get through.
The GFW is the equivalent of that security scanner. When you visit an overseas website the traffic has to pass through the GFW, which inspects the content of the target site; if the site contains sensitive words, the GFW cuts the connection between you and the site. When you use an overseas search engine, the GFW inspects the keywords you type in; if you enter a sensitive keyword, it cuts the connection between you and the search engine.
For e-mail this shows up as follows:
If a message's subject or body contains a string the GFW considers sensitive, the GFW intercepts the packets and silently drops them, then immediately cuts the connection between the source IP and the destination IP, for a period that varies with how serious the string is deemed to be. In other words, if a company reaches the Internet through NAT, fetches mail automatically over POP3, and its mail server is overseas, a single message the GFW judges to contain a sensitive string is enough for the whole company to lose contact with that server.

III. Concrete symptoms
The queue fills with mail that cannot be delivered to destinations overseas, in HK and in TW, and maillog shows errors such as:
conversation with 111.111.0.0[111.111.0.0] timed out while sending MAIL FROM
lost connection with 111.111.0.0[111.111.0.0] while sending message body
host 111.111.0.0[111.111.0.0] said: 500 error (in reply to MAIL FROM command)
...
Meanwhile the recipient who never received the mail often gets one or more subject-less messages whose body reads "aaazzzaaazzzaaazzzaaazzzaaazzz".

Mail sent from overseas, HK and TW to the mainland also fails to be delivered because of the GFW; the bounce shows the following error:
Remote host said: not local; please try <forward-path>
551 User not local; please try <forward-path>
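As an added example (not part of the original post), the three maillog messages quoted above turned into a small triage script: it groups failures by remote host and by the SMTP phase at which the session broke, so a relay whose sessions are being cut at every phase stands out from one that merely rejects a single command. The log lines are constructed samples; host addresses and queue ids are placeholders.

```python
import re
from collections import Counter, defaultdict

# The three maillog messages quoted in the post, with the remote host and the
# SMTP phase captured. Postfix wraps them in "status=deferred (...)".
PATTERNS = (
    ("timeout", re.compile(r"conversation with (\S+) timed out while ([^)]+)")),
    ("lost", re.compile(r"lost connection with (\S+) while ([^)]+)")),
    ("reject", re.compile(r"host (\S+) said: (5\d\d[^(]*)(?:\(in reply to ([^)]+) command\))?")),
)

# Constructed sample maillog lines; hosts and queue ids are placeholders.
SAMPLE_LOG = """\
Jul 12 10:40:01 cn postfix/smtp[2101]: 1A2B3C: to=<a@yahoo.com>, relay=mx.example[111.111.0.0]:25, delay=301, status=deferred (conversation with 111.111.0.0[111.111.0.0] timed out while sending MAIL FROM)
Jul 12 10:40:09 cn postfix/smtp[2102]: 1A2B3D: to=<b@yahoo.com>, relay=mx.example[111.111.0.0]:25, delay=12, status=deferred (lost connection with 111.111.0.0[111.111.0.0] while sending message body)
Jul 12 10:40:20 cn postfix/smtp[2103]: 1A2B3E: to=<c@yahoo.com>, relay=mx.example[111.111.0.0]:25, delay=3, status=bounced (host 111.111.0.0[111.111.0.0] said: 500 error (in reply to MAIL FROM command))
Jul 12 10:41:00 cn postfix/smtp[2104]: 1A2B3F: to=<d@example.org>, relay=mx2.example[222.222.0.0]:25, delay=2, status=bounced (host 222.222.0.0[222.222.0.0] said: 550 5.1.1 no such user (in reply to RCPT TO command))
Jul 12 10:41:05 cn postfix/smtp[2105]: 1A2B40: to=<e@example.org>, relay=mx2.example[222.222.0.0]:25, delay=1, status=sent (250 2.0.0 Ok: queued)
"""

def classify(line):
    """Return (remote_ip, kind, phase) for a known failure line, else None."""
    for kind, rx in PATTERNS:
        m = rx.search(line)
        if not m:
            continue
        ip = re.search(r"\[([^\]]+)\]", m.group(1))   # "1.2.3.4[1.2.3.4]" -> "1.2.3.4"
        host = ip.group(1) if ip else m.group(1)
        phase = (m.group(3) or "unknown") if kind == "reject" else m.group(2)
        return host, kind, re.sub(r"^sending ", "", phase).strip()
    return None

def failures_by_host(log_text):
    """Map remote IP -> Counter of (kind, phase) over all matching lines."""
    out = defaultdict(Counter)
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            host, kind, phase = hit
            out[host][(kind, phase)] += 1
    return dict(out)

def cut_at_multiple_phases(summary, min_phases=2):
    """Remote IPs whose sessions fail at >= min_phases distinct SMTP phases:
    a hallmark of the connection being torn down rather than one bad command."""
    return sorted(h for h, c in summary.items()
                  if len({phase for _, phase in c}) >= min_phases)
```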

IV. Solutions
A. Mail server and MUA in different countries
Where the server and the MUA are in different countries and POP3/SMTP mail retrieval no longer works, the fix is to use encrypted Webmail (https) or POP3S and SMTPS.

B. Domestic MTA sending mail to MTAs overseas, in HK and in Taiwan
1). Send through an overseas mail service such as Hotmail or Gmail;
2). Go around the GFW, or encrypt the channel: for example, connect over SSL to an overseas mail server and let it relay the mail, or set up a VPN to an overseas site and route all outgoing e-mail through the VPN tunnel.
  
The approach used here relies on Postfix TLS to make an encrypted connection to an overseas mail server, which then relays the mail, getting past the GFW block; tested in a production environment, it works very well.

1. What TLS is
Transport Layer Security (TLS, formerly called SSL) provides certificate-based authentication and encrypted sessions. An encrypted session protects the information that is transmitted with SMTP mail or with SASL authentication.

2. System requirements
Postfix 2.3 or later, built with TLS support

3. Implementation
Assume two mail servers running Postfix: the main server in China (CN), which handles all normal sending and receiving, and a relay in Canada (CA); each has its own MX record and a static Internet IP.

1). Mail flow:
Mail (CN) => yahoo.com => postfix transport_maps (CN) => TLS => postfix (CA) => yahoo.com

2). CN host configuration

main.cf:
# relay setting via TLS
transport_maps = hash:/etc/postfix/transport_maps
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy_maps

transport_maps:
yahoo.com     smtp:[CA host FQDN]

tls_policy_maps:
[CA host FQDN]     encrypt

postmap /etc/postfix/transport_maps
postmap /etc/postfix/tls_policy_maps
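As an added example (not from the original post), a small Python check that cross-references transport_maps against tls_policy_maps: every relay nexthop named in the transport table must carry a TLS level of at least encrypt, otherwise mail for that domain can still leave in the clear if the relay stops offering STARTTLS. The relay host names and the extra hotmail.com entry in the sample tables are constructed placeholders, and the lookup order (exact nexthop, then without :port) is an assumption of this check.

```python
import re
# Postfix smtp_tls_security_level names, weakest first (newer levels ranked too).
LEVEL_RANK = {"none": 0, "may": 1, "encrypt": 2, "fingerprint": 3, "dane": 3, "dane-only": 3, "verify": 4, "secure": 5}

# Constructed sample tables (Postfix text-table syntax; relay names are placeholders).
TRANSPORT_MAPS = """
# relay yahoo.com through the CA host, as in the post
yahoo.com       smtp:[relay.example.ca]
hotmail.com     smtp:[relay2.example.ca]:2525
example.net     local:
"""
TLS_POLICY_MAPS = """
[relay.example.ca]    encrypt
"""

def parse_table(text):
    """Parse a Postfix text lookup table into a list of (key, value) pairs."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            rows.append((parts[0], parts[1].strip()))
    return rows

def relay_nexthop(transport):
    """Nexthop part of a 'transport:nexthop' value, or '' if there is none."""
    _, sep, nexthop = transport.partition(":")
    return nexthop.strip() if sep else ""

def policy_for(nexthop, policies):
    """Level for a nexthop: exact key, then without ':port' (assumed lookup order)."""
    if nexthop in policies:
        return policies[nexthop]
    return policies.get(re.sub(r":\d+$", "", nexthop), "unset")

def audit_relay_tls(transport_text, policy_text):
    """Return {domain: (nexthop, level)} for relays below 'encrypt' or unlisted."""
    policies = {k: v.split()[0].lower() for k, v in parse_table(policy_text)}
    weak = {}
    for domain, transport in parse_table(transport_text):
        nexthop = relay_nexthop(transport)
        if not nexthop:
            continue  # e.g. 'local:' -- nothing leaves over SMTP
        level = policy_for(nexthop, policies)
        if LEVEL_RANK.get(level, 0) < LEVEL_RANK["encrypt"]:
            weak[domain] = (nexthop, level)
    return weak
```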


3). CA host configuration

main.cf:
# TLS relay config
mydestination = $mynetworks
smtpd_banner = $myhostname TLS enabled $mail_name - by extmail.org
smtpd_tls_security_level = encrypt
smtpd_use_tls = yes
smtpd_tls_auth_only = no
smtp_tls_CAfile = /etc/postfix/tls/smtpd.pem
smtp_tls_cert_file = /etc/postfix/tls/smtpd.pem
smtp_tls_key_file = /etc/postfix/tls/smtpd.pem
smtpd_tls_CAfile = /etc/postfix/tls/smtpd.pem
smtpd_tls_cert_file = /etc/postfix/tls/smtpd.pem
smtpd_tls_key_file = /etc/postfix/tls/smtpd.pem
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 0
smtpd_starttls_timeout = 60s
mynetworks = 127.0.0.1 111.111.0.0 (CA host IP)

4). TLS cert generation (CA)

mkdir /etc/postfix/tls
Create the mkcert and smtpd.cnf files with the following content:

mkcert:
#!/bin/sh
# package installation routine.
# Generates a self-signed certificate plus private key for smtpd in one PEM file.
test -x /usr/bin/openssl || exit 0
prefix="/etc/postfix/tls"
# Never overwrite an existing certificate.
if test -f $prefix/smtpd.pem
then
    echo "$prefix/smtpd.pem already exists."
    exit 1
fi
# Create the file empty and root-only before any key material is written.
umask 077
cp /dev/null $prefix/smtpd.pem
chmod 600 $prefix/smtpd.pem
chown root $prefix/smtpd.pem
# On any openssl failure remove the partial PEM and the seed file.
cleanup() {
    rm -f $prefix/smtpd.pem
    rm -f $prefix/smtpd.rand
    exit 1
}
# Random seed consumed by gendh (and by RANDFILE in smtpd.cnf).
dd if=/dev/urandom of=$prefix/smtpd.rand count=1 2>/dev/null
# Self-signed certificate valid for 365 days; -nodes leaves the key unencrypted
# so smtpd can load it without a passphrase. Key and cert go into the same file.
/usr/bin/openssl req -new -x509 -days 365 -nodes \
    -config $prefix/smtpd.cnf -out $prefix/smtpd.pem -keyout $prefix/smtpd.pem || cleanup
# Append Diffie-Hellman parameters for ephemeral key exchange.
/usr/bin/openssl gendh -rand $prefix/smtpd.rand 512 >>$prefix/smtpd.pem || cleanup
# Print subject, validity and fingerprint for the record.
/usr/bin/openssl x509 -subject -dates -fingerprint -noout -in $prefix/smtpd.pem || cleanup
rm -f $prefix/smtpd.rand


smtpd.cnf:
RANDFILE = /etc/postfix/tls/smtpd.rand
[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
[ req_dn ]
C=CN
ST=SH
L=ShangHai
O=ExtMail Server
OU=Automatically-generated SMTPD SSL key
CN=localhost
emailAddress=postmaster@extmail.org
[ cert_type ]
nsCertType = server


chmod 755 /etc/postfix/tls/mkcert
./mkcert


This configuration has been tested in a production environment with very good results. This write-up does not cover the basic mail-delivery configuration; if you need it, see the related articles on the forum. You may use and repost this freely, but please credit the source: extmail.org.
Many thanks to HZQBBC for technical support throughout the configuration process.




Welcome to HGIGA Service Docs (http://docs.hgiga.com/Discuz4/) Powered by Discuz! 4.1.0