
sendmail problem: the log fills up with huge numbers of STARTTLS: read error=generic SSL error (0)

Jan 12 05:14:32 hyron sendmail: STARTTLS: read error=generic SSL error (0)
Jan 12 05:14:32 hyron last message repeated 2490 times
My sendmail log is now full of entries like these, which makes the log abnormally large: it is now at least 3 GB a day, and on bad days more than 9 GB, whereas when things were normal it was at most about 600 MB. The problem appeared around January 1, that is, in the days after the Taiwan earthquake!
Simply restarting sendmail does not fix it, so I rebooted the mail server. After the reboot the mail log goes back to normal, but after a while the same mass of entries appears again and the log becomes enormous once more!

Perhaps enabling STARTTLS in sendmail.mc would help; these were my steps:
Note: I am using sendmail-8.12.11-3 as installed by default on Red Hat Linux AS3;
         openssl-0.9.7a-33.4 is also the default install.

I changed sendmail.mc as follows:
define(`CERT_DIR',`/usr/share/ssl/certs')
define(`confCACERT_PATH',`CERT_DIR')
define(`confCACERT',`CERT_DIR/cacert.pem')
define(`confSERVER_CERT',`CERT_DIR/cert.pem')
define(`confSERVER_KEY',`CERT_DIR/key.pem')
define(`confCLIENT_CERT',`CERT_DIR/cert.pem')
define(`confCLIENT_KEY',`CERT_DIR/key.pem')

cd /usr/share/ssl/certs
make cacert.pem
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 ; \
cat $PEM1 >  cacert.pem ; \
echo ""    >> cacert.pem ; \
cat $PEM2 >> cacert.pem ; \
rm -f $PEM1 $PEM2
Generating a 1024 bit RSA private key
..........++++++
........++++++
writing new private key to '/tmp/openssl.1ArCQM'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :
State or Province Name (full name) :
Locality Name (eg, city) :
Organization Name (eg, company) :
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
Note: for the fields above I just pressed Enter (not sure whether that is appropriate).

make cert.pem
make key.pem

m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
service sendmail restart

telnet localhost 25
Escape character is '^]'.
220 hyron.com ESMTP Sendmail 8.12.11/8.12.11; Fri, 12 Jan 2007 10:25:57 +0800
ehlo localhost
250-hyron.com Hello localhost.localdomain , pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI LOGIN PLAIN
250-DELIVERBY
250 HELP
There is no 250-STARTTLS line among these.
In OE I selected "This server requires a secure connection (SSL)".
When sending mail I get this error:
"Server response: "250 HELP". (Account: wujie, SMTP server: 210.22.128.203, error number: 0x800ccc7d)."
I do not know what went wrong while configuring STARTTLS; any hints would be much appreciated!

Also, could someone help me analyze what is causing mail log entries like these??
Thanks in advance, everyone!
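Sizing the flood the post describes, as an added example that is not code from the thread: syslog collapses consecutive identical lines into "last message repeated N times", so the number of lines in maillog understates the number of events by orders of magnitude, and the repeat line belongs to whatever message preceded it. The sample lines below are constructed in the same format as the post's maillog; the PIDs, queue ID and address are made up.

```sh
#!/bin/sh
# Added example (not from the original thread): expand syslog's
# "last message repeated N times" lines and count sendmail's
# "STARTTLS: read error=generic SSL error" events per hour, so a flood
# can be sized before it fills the disk.

# Constructed sample in the same format as the post's maillog lines.
SAMPLE='Jan 12 05:14:32 hyron sendmail[1234]: STARTTLS: read error=generic SSL error (0)
Jan 12 05:14:32 hyron last message repeated 2490 times
Jan 12 05:15:01 hyron sendmail[1240]: k0C5F1abc: from=<user@example.org>, size=512
Jan 12 06:02:10 hyron sendmail[1301]: STARTTLS: read error=generic SSL error (0)
Jan 12 06:02:11 hyron last message repeated 17 times
Jan 12 06:40:00 hyron sendmail[1355]: STARTTLS: read error=generic SSL error (0)'

# Reads syslog lines on stdin, prints "HH count" per hour, sorted by hour.
count_starttls_errors() {
  awk '
    {
      hour = substr($3, 1, 2)            # $3 is the HH:MM:SS timestamp
      if ($0 ~ /last message repeated [0-9]+ times/) {
        # A repeat line counts N more copies of the *previous* message,
        # so only credit it when that message was a STARTTLS read error.
        n = $(NF - 1)
        if (last_is_tls) total[hour] += n
        next
      }
      last_is_tls = ($0 ~ /STARTTLS: read error=generic SSL error/)
      if (last_is_tls) total[hour] += 1
    }
    END { for (h in total) printf "%s %d\n", h, total[h] }
  ' | sort
}

# Grand total across all hours (0 when there are none).
total_starttls_errors() {
  count_starttls_errors | awk '{ s += $2 } END { print s + 0 }'
}

printf '%s\n' "$SAMPLE" | count_starttls_errors
printf '%s\n' "$SAMPLE" | total_starttls_errors
```

On the real file run `count_starttls_errors < /var/log/maillog`. Six raw lines in the sample stand for 2510 events, which is the same ratio that turns a 600 MB log into several gigabytes; the per-hour view shows whether the errors arrive continuously or in bursts. The read-error line itself does not name the peer, so the next step is to look at the `relay=` and connection lines with the same timestamps.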
《Solution》

I looked at sendmail.org and reconfigured the mc file according to its instructions.
vi sendmail.mc
define(`CERT_DIR',`/usr/share/ssl/certs')
define(`confCACERT_PATH',`CERT_DIR')
define(`confCACERT',`CERT_DIR/CAcert.pem')
define(`confSERVER_CERT',`CERT_DIR/MYcert.pem')
define(`confSERVER_KEY',`CERT_DIR/MYcert.pem')
define(`confCLIENT_CERT',`CERT_DIR/MYcert.pem')
define(`confCLIENT_KEY',`CERT_DIR/MYcert.pem')

cd /usr/share/ssl/certs
make CAcert.pem
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 ; \
cat $PEM1 >  CAcert.pem ; \
echo ""    >> CAcert.pem ; \
cat $PEM2 >> CAcert.pem ; \
rm -f $PEM1 $PEM2
Generating a 1024 bit RSA private key
...............++++++
...............++++++
writing new private key to '/tmp/openssl.yjzveK'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :cn
State or Province Name (full name) :shanghai
Locality Name (eg, city) :shanghai
Organization Name (eg, company) :hyron
Organizational Unit Name (eg, section) []:china
Common Name (eg, your name or your server's hostname) []:testiptables
Email Address []:202.2.244.154

make MYcert.pem
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 ; \
cat $PEM1 >  MYcert.pem ; \
echo ""    >> MYcert.pem ; \
cat $PEM2 >> MYcert.pem ; \
rm -f $PEM1 $PEM2
Generating a 1024 bit RSA private key
...............++++++
...............++++++
writing new private key to '/tmp/openssl.yjzveK'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :cn
State or Province Name (full name) :shanghai
Locality Name (eg, city) :shanghai
Organization Name (eg, company) :hyron
Organizational Unit Name (eg, section) []:china
Common Name (eg, your name or your server's hostname) []:testiptables
Email Address []:202.2.244.154

m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
service sendmail restart

telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 testiptables.com ESMTP Sendmail 8.12.11/8.12.11; Fri, 12 Jan 2007 13:17:36 +0800
ehlo localhost
250-testiptables.com Hello localhost.localdomain , pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP

The required 250-STARTTLS now appears,
and in Outlook under "Outgoing mail (SMTP): 25" I ticked "This server requires a secure connection (SSL)".

But when Outlook sends mail, the following warning dialog appears:
Internet Security Warning
The server you are connected to is using a security certificate that cannot be verified.
The certificate chain processed correctly, but terminated in a root certificate which is not trusted by the trust provider.
Do you want to continue using this server?
Yes  No

If I click "Yes" the mail is sent normally, and the warning does not appear again for later messages. But if I close Outlook and open it again, the warning shows up on the first send and then not again for subsequent sends!

Could someone tell me what causes this?
《Solution》

This is a certificate problem: your CRT has not been signed by a root CA,
so you need to import the certificate manually. If you are not familiar with this,
read this article carefully:

http://aput.net/~jheiss/sendmail/tlsandrelay.shtml
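The answer above names the cause of the Outlook warning: the Red Hat Makefile rule shown in both posts produces a self-signed certificate, so the chain ends in a root no client trusts, and the subject the poster typed carries a test name and an IP address rather than the name clients connect to. The script below is an added example, not code from the thread, from sendmail.org or from the linked article: it builds a small private CA, issues a CA-signed server certificate for the MTA hostname, verifies the chain and hostname the way a client would, and prints the matching sendmail.mc defines. The hostname hyron.com and the output directory are assumptions, and it uses 2048-bit RSA where the Makefile generated 1024-bit keys.

```sh
#!/bin/sh
# Added example, not code from the thread or from sendmail.org.
# Private CA + CA-signed server certificate for a sendmail STARTTLS setup.
# MTA_HOST and CERT_DIR are assumptions for the example.

MTA_HOST="${MTA_HOST:-hyron.com}"        # assumed: the name clients connect to
CERT_DIR="${CERT_DIR:-$(mktemp -d)}"     # the posts use /usr/share/ssl/certs
DAYS=365

# sendmail refuses group/world-readable key files, so create everything 0600.
umask 077

# Minimal openssl config so the result does not depend on the system's
# openssl.cnf; CA:TRUE is what makes "openssl verify" accept CAcert.pem as a root.
write_config() {
  cat > "$CERT_DIR/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Self-signed CA certificate plus its private key (the key never goes on the MTA).
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days "$DAYS" \
    -config "$CERT_DIR/ca.cnf" \
    -subj "/C=CN/ST=Shanghai/O=hyron/CN=hyron mail CA" \
    -keyout "$CERT_DIR/CAkey.pem" -out "$CERT_DIR/CAcert.pem" 2>/dev/null
}

# Server key and CSR, then a certificate signed by the CA. The CN and the
# subjectAltName carry the MTA hostname: clients match the SAN against the
# name they connected to, not an e-mail address or a test name in the subject.
make_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$CERT_DIR/ca.cnf" \
    -subj "/C=CN/ST=Shanghai/O=hyron/CN=$MTA_HOST" \
    -keyout "$CERT_DIR/MYkey.pem" -out "$CERT_DIR/MYcert.csr" 2>/dev/null
  cat > "$CERT_DIR/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName   = DNS:$MTA_HOST
EOF
  openssl x509 -req -sha256 -days "$DAYS" -in "$CERT_DIR/MYcert.csr" \
    -CA "$CERT_DIR/CAcert.pem" -CAkey "$CERT_DIR/CAkey.pem" -CAcreateserial \
    -extfile "$CERT_DIR/server.ext" -out "$CERT_DIR/MYcert.pem" 2>/dev/null
}

# Prints OK when MYcert.pem chains to CAcert.pem and is valid for MTA_HOST,
# which is what Outlook or "openssl s_client" will check; FAIL otherwise.
verify_chain() {
  if openssl verify -CAfile "$CERT_DIR/CAcert.pem" \
       -verify_hostname "$MTA_HOST" "$CERT_DIR/MYcert.pem" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
    return 1
  fi
}

# sendmail.mc lines matching the file names above (key kept separate from
# the certificate, unlike the Makefile's combined key+cert file).
sendmail_mc_fragment() {
  cat <<EOF
define(\`CERT_DIR',\`$CERT_DIR')dnl
define(\`confCACERT_PATH',\`CERT_DIR')dnl
define(\`confCACERT',\`CERT_DIR/CAcert.pem')dnl
define(\`confSERVER_CERT',\`CERT_DIR/MYcert.pem')dnl
define(\`confSERVER_KEY',\`CERT_DIR/MYkey.pem')dnl
define(\`confCLIENT_CERT',\`CERT_DIR/MYcert.pem')dnl
define(\`confCLIENT_KEY',\`CERT_DIR/MYkey.pem')dnl
EOF
}

write_config && make_ca && make_server_cert && verify_chain && sendmail_mc_fragment
```

Import CAcert.pem on the clients (for Outlook, into the Windows trusted root store) and the warning stops for good instead of reappearing on every first send; keep CAkey.pem off the mail server. Because the key files are 0600 the sendmail "unsafe" permission check passes without DontBlameSendmail. After `m4` and a restart, `openssl s_client -connect hyron.com:25 -starttls smtp -CAfile CAcert.pem` should show 250-STARTTLS in the EHLO reply and end with `Verify return code: 0 (ok)`.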


http://coctec.com/docs/service/show-post-42181.html