Ubuntu server Postfix + Dovecot (SSL on ports 993/465, virtual mailboxes, CRAM-MD5 authentication): troubleshooting and request for a correct configuration
Hi everyone, I am setting up a Postfix + Dovecot mail server on an Ubuntu server. The goal is to enable CRAM-MD5 authentication only on ports 993 (IMAPS) and 465 (SMTPS), eliminate plaintext password transmission, and keep the configuration secure. I have run into several tricky problems that I could not solve after a lot of fiddling, so I hope the experts in the community can help me debug them. I also hope the final correct configuration we arrive at will help others with the same needs.
My core requirements
- Only ports 993 (IMAPS) and 465 (SMTPS) are open for mail service
- Disable every plaintext password authentication method and use CRAM-MD5 only
- Configure virtual mailboxes and reuse the existing web server's SSL certificate (the mail server and the web server are the same host)
- Make sure the permissions and group settings of all configuration files meet security norms
Specific problems I ran into
Problem 1: Outlook cannot connect to IMAPS with CRAM-MD5, only plaintext passwords work
- I generated a CRAM-MD5 hash with doveadm pw -s CRAM-MD5 and wrote it to /etc/dovecot/users
- When testing with openssl s_client -connect localhost:993, I can log in with the plaintext password but cannot trigger the CRAM-MD5 authentication flow; the Outlook client can likewise only connect with the plaintext password method, which does not meet the security requirement at all
Problem 2: SMTPS (port 465) CRAM-MD5 authentication fails
- I installed sasl2-bin and generated the authentication response string with gen-auth CRAM-MD5
- In an openssl s_client -connect localhost:465 session I issued AUTH CRAM-MD5 and submitted the generated Base64 response; the server returned 535 5.7.8 Error: authentication failed, and mail.log shows SASL CRAM-MD5 authentication failed. I cannot find the cause of the failure at all
Problem 3: SSL certificate verification errors on IMAPS (port 993)
- I use the same SSL certificate as the web server, but running openssl s_client -connect localhost:993 produces two errors:
  - Can't use SSL_get_servername: I know this is because I connect to localhost rather than the domain name, but will there be a problem when I actually connect with the domain name?
  - verify error:num=20:unable to get local issuer certificate and verify error:num=21:unable to verify the first certificate: even when I specify the CA bundle file with -CAfile /var/www/security/SSL/MY_DOMAIN.ca-bundle, these errors still appear
Current configuration files
Postfix configuration (path: /etc/postfix/)
main.cf (permissions: root:root 655)
biff = no
append_dot_mydomain = no
readme_directory = no
compatibility_level = 3.6
mydomain = MY_DOMAIN.COM
myhostname = web-p3.$mydomain
smtpd_banner = $myhostname ESMTP $mail_name
myorigin = $mydomain
mydestination = $myhostname, mail.$mydomain, web-p3.$mydomain, localhost.$mydomain, localhost
# old settings
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
relayhost =
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
# Virtual domain settings
virtual_mailbox_domains = $mydomain
#virtual_mailbox_domains = hash:/etc/postfix/virtual_domains
#virtual_mailbox_base = /home/vmail
#virtual_mailbox_maps = hash:/etc/postfix/virtual-mailbox
#virtual_alias_domains =
#virtual_alias_maps = hash:/etc/postfix/virtual_aliases
virtual_transport = lmtp:unix:private/dovecot-lmtp
# SSL settings
smtpd_use_tls = yes
smtpd_tls_key_file = /var/www/ssl/MY_DOMAIN.pem
smtpd_tls_cert_file = /var/www/ssl/MY_DOMAIN.crt
smtpd_tls_CAfile = /var/www/ssl/MY_DOMAIN.ca-bundle
smtpd_tls_auth_only = yes
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = encrypt
smtp_tls_security_level = encrypt
smtp_tls_wrappermode = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtp_sasl_password_maps = static:office@$mydomain:999999999-000000000000-9999999
#smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
#smtpd_sasl_path = /var/run/dovecot/auth-client
smtpd_sasl_path = private/auth
#smtpd_sasl_path = smtpd
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous,noplaintext
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = login
master.cf (permissions: root:root 644)
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
  -o syslog_name=postfix/$service_name
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
postlog   unix-dgram n  -       n       -       1       postlogd
maildrop  unix  -       n       n       -       -       pipe
  flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n     n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
virtual-mailbox (permissions: root:root 644)
office@MY_DOMAIN.COM MY_DOMAIN.COM/office/Maildir/
Dovecot configuration (path: /etc/dovecot/)
dovecot.conf (permissions: root:root 644)
!include_try /usr/share/dovecot/protocols.d/*.protocol
protocols = imap lmtp
listen = *, ::
dict {
}
!include conf.d/*.conf
!include_try local.conf
dovecot-dict-auth.conf.ext (permissions: root:dovecot 640)
default_pass_scheme = CRAM-MD5
#default_pass_scheme = MD5
iterate_prefix = userdb/
key passdb {
  key = passdb/%u
  format = json
}
key userdb {
  key = userdb/%u
  format = json
}
key quota {
  key = userdb/%u/quota
  default_value = 100M
}
passdb_objects = passdb
userdb_objects = userdb
userdb_fields {
  quota_rule = *:storage=%{dict:quota}
  mail = maildir:%{dict:userdb.home}/Maildir
}
users (permissions: root:root 644)
office@MY_DOMAIN.COM:{CRAM-MD5}aaaabbbbcccccddddeeeeffffggggghhhhiiiiijjjjjkkkkklllllmmmmmnnnnn
conf.d/10-auth.conf (permissions: root:root 644)
disable_plaintext_auth = yes
auth_username_format = %Lu
auth_master_user_separator = *
auth_mechanisms = cram-md5 plain login
#!include auth-system.conf.ext
!include auth-passwdfile.conf.ext
!include auth-static.conf.ext
conf.d/10-mail.conf (permissions: root:root 644)
mail_location = maildir:/var/mail/vhosts/%d/%n
namespace inbox {
  inbox = yes
}
mail_privileged_group = mail
protocol !indexer-worker {
}
mail_uid = vmail
mail_gid = vmail
mbox_write_locks = fcntl
conf.d/10-master.conf (permissions: root:root 644)
service imap-login {
  inet_listener imap {
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
  }
  inet_listener pop3s {
  }
}
service submission-login {
  inet_listener submission {
  }
}
service lmtp {
  unix_listener lmtp {
  }
}
service imap {
}
service pop3 {
}
service submission {
}
service auth {
  unix_listener auth-userdb {
  }
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
service auth-worker {
}
service dict {
  unix_listener dict {
  }
}
conf.d/10-ssl.conf (permissions: root:root 644)
ssl = yes
ssl_cert = </var/www/ssl/MY_DOMAIN.crt
ssl_key = </var/www/ssl/MY_DOMAIN.pem
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = </usr/share/dovecot/dh.pem
conf.d/auth-passwdfile.conf.ext (permissions: root:root 644)
passdb {
  driver = passwd-file
  args = scheme=CRAM-MD5 username_format=%u /etc/dovecot/users
}
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
}
Questions about permissions and security
Also, I am not sure whether the current file permissions and group settings are secure, for example Dovecot's users file and the SSL certificate files. Which chmod or chown settings need adjusting to improve security?
Many thanks for your help. I will keep updating this post and write up the final working configuration, in the hope that it helps more people!
Note: content originally from Stack Exchange, asked by trash2
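The CRAM-MD5 exchange behind problems 1 and 2, as an added example that is not part of the original post and not Dovecot's or Postfix's own code: a POSIX shell script that computes the client response from the server's base64 challenge using only openssl, checks it the way a server does, and parses which SASL mechanisms an IMAP CAPABILITY line or SMTP EHLO reply advertises. The test vector (user tim, password tanstaaftanstaaf) is the one from RFC 2195; the CAPABILITY and EHLO lines are constructed samples, not output captured from the poster's server.

```shell
#!/bin/sh
# Added example, not from the original post: CRAM-MD5 (RFC 2195) with openssl only.
# Lab use only: "openssl dgst -hmac" puts the password on the command line (visible in ps).
set -e

b64enc() { printf '%s' "$1" | openssl base64 -A; }
b64dec() { printf '%s' "$1" | openssl base64 -d -A; }

# HMAC-MD5(key = password, message = decoded challenge), lower-case hex.
cram_md5_digest() {
  # $1 = password, $2 = decoded challenge
  printf '%s' "$2" | openssl dgst -md5 -hmac "$1" -r | cut -d' ' -f1
}

# What the client sends after "AUTHENTICATE CRAM-MD5" (IMAP) or "AUTH CRAM-MD5" (SMTP):
# base64("<user> <hex digest>"), computed from the base64 challenge the server sent after "+ ".
cram_md5_response() {
  # $1 = username, $2 = password, $3 = base64 challenge
  b64enc "$1 $(cram_md5_digest "$2" "$(b64dec "$3")")"
}

# Server side: recompute from the secret it holds and compare. The server must be able to
# rebuild HMAC-MD5 from what it stores, which is why the passdb entry has to be a
# {CRAM-MD5}-scheme or plaintext secret; a salted hash such as SHA512-CRYPT cannot work.
cram_md5_verify() {
  # $1 = username, $2 = secret known to the server, $3 = base64 challenge, $4 = base64 response
  [ "$(cram_md5_response "$1" "$2" "$3")" = "$4" ]
}

# Constructed samples (not captured from the poster's server) of what a client sees after
# the TLS handshake on 993 and on 465.
IMAP_CAPS='* CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=CRAM-MD5 AUTH=PLAIN AUTH=LOGIN'
SMTP_EHLO='250-AUTH CRAM-MD5 PLAIN LOGIN'

# Print the advertised SASL mechanisms, one per line.
offered_mechs() {
  case "$1" in
    "* CAPABILITY "*) printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^AUTH=//p' ;;
    "250-AUTH "*|"250 AUTH "*) printf '%s\n' "$1" | sed 's/^250[- ]AUTH //' | tr ' ' '\n' ;;
  esac
}

# True when PLAIN or LOGIN is on offer: a client is then free to pick them over CRAM-MD5,
# which is what Outlook does. Dovecot's disable_plaintext_auth only hides them on non-TLS
# sessions; on 993 they stay on offer as long as they are listed in auth_mechanisms.
offers_plaintext() {
  offered_mechs "$1" | grep -qxE 'PLAIN|LOGIN'
}

# Walk through the RFC 2195 example exchange.
CHALLENGE='PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+'
RESPONSE=$(cram_md5_response tim tanstaaftanstaaf "$CHALLENGE")
printf 'S: + %s\nC: %s\n' "$CHALLENGE" "$RESPONSE"
if cram_md5_verify tim tanstaaftanstaaf "$CHALLENGE" "$RESPONSE"; then echo 'server: OK'; fi
printf 'IMAP offers: %s\n' "$(offered_mechs "$IMAP_CAPS" | tr '\n' ' ')"
if offers_plaintext "$IMAP_CAPS"; then echo 'PLAIN/LOGIN are still offered on this listener'; fi
```

To debug the real server, paste the string the server sends after `+ ` in the `openssl s_client` session into `cram_md5_response` together with the username and password you believe are stored; if the locally computed response is exactly what the server rejects, the secret on the server side (the `{CRAM-MD5}` entry in the passwd-file, or the username format it is looked up under) is the thing to examine, not the client.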
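The chain verification behind problem 3, as an added example that is not part of the original post: a POSIX shell script that builds a disposable root -> intermediate -> leaf chain with openssl (the names Example Root CA, Example Intermediate CA and mail.example.test are made up for the demo), reproduces the "unable to get local issuer certificate" failure when a verifier that trusts the root is handed only the leaf, shows verification pass once the intermediate travels with the leaf, checks hostname matching, and ends with the key-file permission check asked about in the last question.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce and fix the verify errors from
# problem 3 with a disposable root -> intermediate -> leaf chain. All names are made up.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_chain() {
  if [ -f "$WORK/fullchain.crt" ]; then return 0; fi
  # Self-signed root; "openssl req -x509" marks it CA:TRUE from the default config.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Example Root CA' \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  # Intermediate signed by the root; it must carry basicConstraints CA:TRUE to sign leaves.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Intermediate CA' \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1 -extfile "$WORK/ca.ext" -out "$WORK/int.crt" 2>/dev/null
  # Leaf for the mail host, signed by the intermediate, with the SAN that clients check.
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:mail.example.test\n' >"$WORK/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=mail.example.test' \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 1 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null
  # The file a mail server should serve: leaf first, then each intermediate, root optional.
  # This is the layout to hand to Dovecot's ssl_cert and Postfix's smtpd_tls_cert_file.
  cat "$WORK/leaf.crt" "$WORK/int.crt" >"$WORK/fullchain.crt"
}

# Print openssl verify's diagnostics without aborting the script (set -e is on).
verify_msg() { openssl verify "$@" 2>&1 || true; }

# A client that trusts the root but is handed only the leaf: the poster's error 20.
leaf_only_fails() {
  verify_msg -CAfile "$WORK/root.crt" "$WORK/leaf.crt" | grep -q 'unable to get local issuer certificate'
}

# Same trust store, but the intermediate arrives together with the leaf (-untrusted stands
# in for the chain sent in the handshake), and the name is checked like an IMAP/SMTP client
# would. A CA bundle on the testing client cannot substitute for this: Outlook will not have it.
chain_ok() {
  # $1 = hostname the client connected to
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/fullchain.crt" \
    -verify_hostname "$1" "$WORK/leaf.crt" >/dev/null 2>&1
}

# A private key shared with a web server must not be world-readable; 0640 lets the owner
# and one group read it and nobody else. Which group (e.g. ssl-cert on Ubuntu) is a
# deployment choice, so this demo only fixes the mode bits.
key_world_readable() { [ -n "$(find "$1" -perm -004)" ]; }
harden_key() { chmod 0640 "$1"; }

make_chain
echo "leaf only: $(verify_msg -CAfile "$WORK/root.crt" "$WORK/leaf.crt" | grep 'depth lookup')"
if chain_ok mail.example.test; then echo 'with intermediate, name matches: OK'; fi
if chain_ok www.example.test; then :; else echo 'with intermediate, wrong name: rejected'; fi
chmod 0644 "$WORK/leaf.key"   # the permissive state of a key copied out of a web root
harden_key "$WORK/leaf.key"
if key_world_readable "$WORK/leaf.key"; then echo 'key still world-readable'; else echo 'key is 0640'; fi
```

Against the live server the equivalent checks are `openssl s_client -connect mail.MY_DOMAIN.COM:993 -servername mail.MY_DOMAIN.COM -showcerts` (which also removes the `SSL_get_servername` message, since that comes from connecting without SNI) and confirming that more than one certificate is printed; if only the leaf appears, the file behind `ssl_cert` and `smtpd_tls_cert_file` needs the intermediate appended after the leaf, exactly as `fullchain.crt` is assembled above.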