Disabling Postfix server TLS for a specific client


Question:

This is the Postfix log with smtpd_tls_loglevel = 2:


belette64 postfix/smtpd[145475]: connect from smtp.misconfigured.fr[XX.XX.XX.XX]
belette64 postfix/smtpd[145475]: setting up TLS connection from smtp.misconfigured.fr[XX.XX.XX.XX]
belette64 postfix/smtpd[145475]: smtp.misconfigured.fr[XX.XX.XX.XX]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
belette64 postfix/smtpd[145475]: SSL_accept:before SSL initialization
belette64 postfix/smtpd[145475]: SSL_accept:before SSL initialization
belette64 postfix/smtpd[145475]: SSL3 alert write:fatal:handshake failure
belette64 postfix/smtpd[145475]: SSL_accept:error in error
belette64 postfix/smtpd[145475]: SSL_accept error from smtp.misconfigured.fr[XX.XX.XX.XX]: -1
belette64 postfix/smtpd[145475]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:2282:
belette64 postfix/smtpd[145475]: lost connection after STARTTLS from smtp.misconfigured.fr[XX.XX.XX.XX]


Answer 1:

You can add a separate TLS-ignorant server in master.cf:


smtp inet n - y - - smtpd
10025 inet n - y - - smtpd
 -o syslog_name=postfix/smtpd/badstarttls
 -o smtpd_tls_security_level=none
 -o smtpd_helo_required=yes
 -o smtpd_helo_restrictions=pcre:/etc/postfix/helo_badstarttls_allow.pcre,reject


  • Redirect that client to the other port with -A PREROUTING .. -j REDIRECT --to-port .. in iptables, or in nftables:

tcp dport 25 ip protocol tcp ip saddr { XX.XX.XX.XX } redirect to :10025
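The procedure from the answer above, as an added shell example that is not part of the original answer or of Postfix itself: it mines a constructed set of Postfix smtpd log lines (same format as the question's log) for peers whose STARTTLS handshake failed with "no shared cipher", and prints the nftables redirect rule and the helo_badstarttls_allow.pcre entries for exactly those peers, so the TLS-free service is exposed to nobody else. The sample log, hostnames and IPs are constructed; port 10025 is the answer's placeholder; and the allowlist keys on the peer's logged reverse-DNS name as a stand-in for the HELO name the client actually sends, which this log level does not show.

```shell
#!/bin/sh
# Added example, not from the original answer. Mines Postfix smtpd log lines for
# peers whose STARTTLS failed with "no shared cipher" and prints the fragments
# the answer describes (nftables redirect, HELO allowlist) for just those peers.

# Constructed sample log in the question's format (hostnames and IPs are made up).
# The third peer drops after STARTTLS without a cipher error and must NOT be listed.
SAMPLE_LOG='belette64 postfix/smtpd[145475]: connect from smtp.misconfigured.fr[192.0.2.10]
belette64 postfix/smtpd[145475]: setting up TLS connection from smtp.misconfigured.fr[192.0.2.10]
belette64 postfix/smtpd[145475]: SSL_accept error from smtp.misconfigured.fr[192.0.2.10]: -1
belette64 postfix/smtpd[145475]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:2282:
belette64 postfix/smtpd[145475]: lost connection after STARTTLS from smtp.misconfigured.fr[192.0.2.10]
belette64 postfix/smtpd[145480]: connect from mail.example.net[198.51.100.7]
belette64 postfix/smtpd[145480]: Anonymous TLS connection established from mail.example.net[198.51.100.7]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
belette64 postfix/smtpd[145480]: disconnect from mail.example.net[198.51.100.7]
belette64 postfix/smtpd[145490]: connect from relay.example.org[203.0.113.5]
belette64 postfix/smtpd[145490]: lost connection after STARTTLS from relay.example.org[203.0.113.5]'

# Print "hostname ip" for each smtpd process that logged a "no shared cipher"
# TLS failure and then lost the same peer after STARTTLS. Keying on the process
# id avoids listing peers that dropped after STARTTLS for some other reason.
failed_starttls_peers() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
        /warning: TLS library problem:.*no shared cipher/ {
            match($0, /smtpd\[[0-9]+]/); bad[substr($0, RSTART, RLENGTH)] = 1
        }
        /lost connection after STARTTLS from / {
            match($0, /smtpd\[[0-9]+]/); pid = substr($0, RSTART, RLENGTH)
            if (pid in bad) {
                sub(/.*lost connection after STARTTLS from /, "")
                sub(/].*/, "")      # drop the closing bracket and anything after it
                sub(/\[/, " ")      # "host[ip" -> "host ip"
                print
                delete bad[pid]
            }
        }' | sort -u
}

# The nftables rule from the answer, with its address set filled from the log.
nft_redirect_rule() {
    ips=$(failed_starttls_peers | awk '{ print $2 }' | tr '\n' ',' | sed 's/,$//; s/,/, /g')
    printf 'tcp dport 25 ip protocol tcp ip saddr { %s } redirect to :10025\n' "$ips"
}

# Entries for helo_badstarttls_allow.pcre: one anchored pattern per peer, dots escaped.
# Assumption: the client's HELO name equals its logged reverse-DNS name; verify
# against what the client really sends before relying on it.
helo_allowlist() {
    failed_starttls_peers | while read -r host ip; do
        esc=$(printf '%s' "$host" | sed 's/\./\\./g')
        printf '/^%s$/ OK\n' "$esc"
    done
}

failed_starttls_peers
nft_redirect_rule
helo_allowlist
```

The printed pcre lines go into /etc/postfix/helo_badstarttls_allow.pcre (pcre tables are read directly, no postmap step), and the nft rule belongs in a nat prerouting chain. Keep the allowlist and the address set to exactly these peers: anything that reaches the 10025 service is accepted in cleartext, since smtpd_tls_security_level=none disables STARTTLS there.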




