邮件服务器的 SSL 证书无效
[英]Invalid SSL Certificate for Mail Server
问题描述
Though this question is in the context of a particular software (Discourse forum software), it is really about SSL certificates of mail servers.
虽然这个问题是在特定软件(Discourse 论坛软件)的上下文中,但它实际上是关于邮件服务器的 SSL 证书。
Here is my setup:这是我的设置:
Main Website: mydomain.com (Hosted on Hostgator)主网站: mydomain.com (托管在 Hostgator 上)
Forum Website (Discourse forum software): forum.mydomain.com (Hosted on DigitalOcean)论坛网站(Discourse 论坛软件): forum.mydomain.com (托管于 DigitalOcean)
Mail Server (used by Discourse to send email to members): mail.mydomain.com (Hosted on Hostgator)邮件服务器(由 Discourse 用于向成员发送电子邮件): mail.mydomain.com (托管在 Hostgator 上)
Discourse settings for SMTP: SMTP 的话语设置:
DISCOURSE_SMTP_ADDRESS: mail.mydomain.com
DISCOURSE_SMTP_PORT: 587
DISCOURSE_SMTP_USER_NAME: forum-no-reply@mydomain.com
DISCOURSE_SMTP_PASSWORD: "mypassword"
DISCOURSE_SMTP_ENABLE_START_TLS: true # (optional, default true)
I have SSL certificates set up for mydomain.com and mail.mydomain.com on Hostgator (A single SSL certificate for mydomain.com as well as several subdomains (like mail.mydomain.com , webmail.mydomain.com , etc)).我在 Hostgator 上为mydomain.com和mail.mydomain.com设置了 SSL 证书( mydomain.com以及多个子域(如mail.mydomain.com 、 webmail.mydomain.com等)的单个 SSL 证书)。
When I try to send a test email from the Discourse admin interface using the above settings, it gives me an ' invalid certificate ' error.当我尝试使用上述设置从 Discourse 管理界面发送测试电子邮件时,它给我一个“无效证书”错误。
So, I tried to debug through openssl s_client with the following command:因此,我尝试使用以下命令通过 openssl s_client 进行调试:
openssl s_client -servername mail.mydomain.com -starttls smtp -crlf -connect mail.mydomain.com:587
It sends the SSL certificate of mydomain.com with CN as follows它使用 CN 发送mydomain.com的 SSL 证书,如下所示
subject=CN = mydomain.com
and establishes a SSL Session with TLS v1.2并使用 TLS v1.2 建立 SSL 会话
Here are the weird results of EHLO after that:以下是 EHLO 之后的奇怪结果:
EHLO mail.mydomain.com
250-xx-xx-xx.webhostbox.net Hello forum.mydomain.com [xx.xx.xx.xx]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250 HELP
As you can see with the second line in the above code, it responds from xx-xx-xx.webhostbox.net instead of mail.mydomain.com or mydomain.com正如您在上面代码中的第二行所看到的,它从xx-xx-xx.webhostbox.net而不是mail.mydomain.com或mydomain.com响应
I think this is why I'm getting a ' invalid certificate ' error.我认为这就是我收到“无效证书”错误的原因。
If I change the Discourse SMTP settings as below (just changing the first line)如果我更改 Discourse SMTP 设置如下(只更改第一行)
DISCOURSE_SMTP_ADDRESS: xx-xx-xx.webhostbox.net
DISCOURSE_SMTP_PORT: 587
DISCOURSE_SMTP_USER_NAME: forum-no-reply@mydomain.com
DISCOURSE_SMTP_PASSWORD: "mypassword"
DISCOURSE_SMTP_ENABLE_START_TLS: true # (optional, default true)
then everything works fine and all emails gets sent.然后一切正常,所有电子邮件都被发送。
Could someone please let me know if this working solution is secure?有人可以让我知道这个工作解决方案是否安全吗? I think it's not secure since I am using xx-xx-xx.webhostbox.net as SMTP address (which could expose the emails to risks) instead of mail.mydomain.com .我认为它不安全,因为我使用xx-xx-xx.webhostbox.net作为 SMTP 地址(这可能会使电子邮件面临风险)而不是mail.mydomain.com 。 If this is not secure, how should I proceed to get a secure solution to this problem?如果这不安全,我应该如何继续获得此问题的安全解决方案?
1 个解决方案
解决方案1
1 已采纳 2019-12-26 09:26:24
As documented by Hostgator it is actually the correct setup to use the name of the hostgator server full.servername.com and NOT the name of your own domain example.com as the mail server.正如Hostgator所记录的那样,使用 hostgator 服务器的名称full.servername.com而不是您自己的域名example.com作为邮件服务器实际上是正确的设置。 This is because the mail server is not specific to your domain but is a common mail server for multiple domains.这是因为邮件服务器不是特定于您的域,而是多个域的公共邮件服务器。
Note that this is very similar to Can't seem to connect to FTPS via Atom editor Remote FTP but only for SMTP not FTP.请注意,这与无法通过 Atom 编辑器远程 FTP 连接到 FTPS但仅适用于 SMTP 而不是 FTP 非常相似。 My explanation there can be applied to SMTP too.我的解释也适用于 SMTP。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.