External relay host configuration
GoDaddy SMTP
GoDaddy setup (Office 365 email): enable SMTP authentication
Sign in to the Email & Office Dashboard > select the mailbox you created (your@domain.name) > Advanced Settings > SMTP Authentication: ON
main.cf:
## for GoDaddy SMTP with Office 365
relayhost = [smtp.office365.com]:587
# SASL: client-side authentication to the relay
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/saslpasswd_godaddy
smtp_sasl_security_options = noanonymous
# TLS
# smtp_* parameters govern outbound mail (the relay); smtpd_* parameters only
# affect connections *into* this Postfix and play no part in the relay itself.
smtpd_tls_key_file = /etc/postfix/tls/godaddy.key
smtpd_tls_cert_file = /etc/postfix/tls/godaddy.crt
smtpd_use_tls = yes
# smtp_use_tls = yes is opportunistic (equivalent to smtp_tls_security_level = may):
# TLS is used when the relay offers STARTTLS, cleartext otherwise. Office 365 refuses
# cleartext anyway (451 5.7.3); to have Postfix itself refuse to send without TLS,
# set smtp_tls_security_level = encrypt instead.
smtp_use_tls = yes
smtpd_tls_auth_only = no
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
# the parameter is tls_random_source (tls_randome_source is a typo Postfix ignores)
tls_random_source = dev:/dev/urandom
# Fix for MAIL FROM: rewrite local addresses to one the Office 365 account may send as
smtp_generic_maps = hash:/etc/postfix/generic
Testing the TLS connection
openssl s_client -quiet -starttls smtp -connect smtp.office365.com:587
depth=2 /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
verify return:1
depth=1 /C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
verify return:1
depth=0 /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=outlook.com
verify return:1
250 SMTPUTF8
Press Ctrl+C to exit (with -quiet, openssl ignores EOF on stdin, so the session does not end on its own).
Create the password file saslpasswd_godaddy, one entry per line: the lookup key, a space, then username:password:
smtp.office365.com your@domain.name:thisispass
Postfix looks the key up first exactly as relayhost is written (brackets and port included) and then as the bare hostname, so [smtp.office365.com]:587 would also work as the key. The file holds a cleartext password: keep it, and the .db that postmap produces from it, readable by root only.
chmod 0600 saslpasswd_godaddy
postmap hash:/etc/postfix/saslpasswd_godaddy
Creating the certificate files
This self-signed key and certificate are only consumed by the smtpd_tls_* parameters, i.e. by connections into this Postfix. The outbound relay to Office 365 does not need a client certificate, so these files are not what makes the relay work.
cd /etc/postfix
mkdir tls
cd tls
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout godaddy.key -out godaddy.crt
Specifying the MAIL FROM address
Edit /etc/postfix/generic. Left column: the local address Postfix would otherwise send with; right column: the address it is rewritten to. Office 365 only accepts a sender that the authenticated mailbox owns or has Send As rights for, so the right-hand address must be that mailbox (or one of its aliases). smtp_generic_maps rewrites both envelope and header addresses as the mail leaves through the relay.
root@freepbx.sangoma.local your@sender.email.address
root your@sender.email.address
asterisk your@sender.email.address
Build the generic map:
cd /etc/postfix
postmap generic
Domino Notes SMTP
Testing the TLS connection (the two verify errors below mean the server's certificate chains to a CA that openssl does not know; the TLS session itself is established)
openssl s_client -quiet -starttls smtp -connect 10.14.26.18:587
depth=0 C = TW, ST = Taiwan, L = Taoyuan, O = WIN Semiconductors Corp., OU = IT, CN = tpemissp01.winfoundry.com, emailAddress = dominooa@winfoundry.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = TW, ST = Taiwan, L = Taoyuan, O = WIN Semiconductors Corp., OU = IT, CN = tpemissp01.winfoundry.com, emailAddress = dominooa@winfoundry.com
verify error:num=21:unable to verify the first certificate
verify return:1
250 PIPELINING
This server does not require SMTP authentication; only the relay host and TLS need to be set:
postconf -e "relayhost = [10.14.26.18]:587"
postconf -e "smtp_use_tls = yes"
Note that smtp_use_tls = yes is opportunistic (the same as smtp_tls_security_level = may): the Domino host's certificate comes from a private CA and is not verified, and if STARTTLS were ever not offered the mail would go out in cleartext. To insist on TLS, set smtp_tls_security_level = encrypt. To also verify the certificate, add the issuing CA to smtp_tls_CAfile, use smtp_tls_security_level = verify, and name the relay as its certificate does (tpemissp01.winfoundry.com) rather than by IP address, because Postfix matches the certificate against the relayhost name.
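The following script is an added example, not code from the original page, that puts into POSIX sh the checks a practitioner would want around either relay configuration above: whether the main.cf settings actually force TLS for outbound mail or only request it, whether the SASL password map is private and carries a key Postfix will find for the configured relayhost, and a STARTTLS probe whose output is sorted into the cases the Q&A below describes. It runs offline and without Postfix installed; the file name sasl_passwd, the directory it is written to, and the relay values in the comments are assumptions taken from the page.

```shell
#!/bin/sh
# Added example, not part of the original page: offline sanity checks for a
# Postfix relayhost setup like the GoDaddy/Office 365 and Domino ones above.
# Pure POSIX sh, no Postfix needed. The file name sasl_passwd and the relay
# values mentioned in comments are assumptions matching the page.

# Print the effective value of one main.cf parameter (last definition wins,
# as in Postfix); prints nothing if the parameter is not set.
cf_get() {  # cf_get MAIN_CF PARAM
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | sed 's/[[:space:]]*$//'
}

# Return 0 only if the Postfix SMTP *client* refuses to send without TLS.
# "smtp_use_tls = yes" by itself is opportunistic (same as
# smtp_tls_security_level = may): a relay that does not offer STARTTLS gets
# the mail in cleartext. Office 365 rejects that (451 5.7.3, see the Q&A);
# an internal relay such as the Domino host would silently accept it.
relay_tls_is_mandatory() {  # relay_tls_is_mandatory MAIN_CF
    level=$(cf_get "$1" smtp_tls_security_level)
    case "$level" in
        encrypt|dane-only|fingerprint|verify|secure) return 0 ;;
    esac
    # Legacy spelling of "encrypt", honoured only when no level is set.
    if [ -z "$level" ] && [ "$(cf_get "$1" smtp_enforce_tls)" = yes ]; then
        return 0
    fi
    return 1
}

# Write the SASL client password map the way the page does, but created
# 0600 from the start (umask) rather than chmod'ed afterwards, and with the
# lookup key given explicitly so it can match relayhost verbatim.
write_sasl_map() {  # write_sasl_map DIR KEY USER PASSWORD
    f=$1/sasl_passwd
    ( umask 077; printf '%s %s:%s\n' "$2" "$3" "$4" > "$f" )
    chmod 0600 "$f"
    # postmap writes sasl_passwd.db beside it; that copy holds the password too.
    if command -v postmap >/dev/null 2>&1; then
        postmap "hash:$f" || return 1
        chmod 0600 "$f.db"
    fi
}

# Check that the map is private and has a key Postfix will find for the
# configured relayhost: Postfix tries the relayhost exactly as written
# ([host]:port) and then the bare hostname. Assumes the bracketed form.
sasl_map_ok() {  # sasl_map_ok MAIN_CF SASL_FILE
    f=$2
    if [ "$(ls -ld "$f" | cut -c2-10)" != "rw-------" ]; then
        echo "$f: must be mode 0600 (it holds a cleartext password)" >&2
        return 1
    fi
    relay=$(cf_get "$1" relayhost)
    host=$(printf '%s\n' "$relay" | sed 's/^\[//; s/\].*$//')
    awk -v k="$relay" -v h="$host" '$1 == k || $1 == h { found = 1 }
                                     END { exit !found }' "$f"
}

# Probe STARTTLS like the page's openssl command, but feed QUIT on stdin so
# the session ends by itself: with -quiet, openssl ignores EOF on stdin,
# which is why the page needs Ctrl+C.
starttls_probe() {  # starttls_probe HOST PORT
    printf 'QUIT\r\n' | openssl s_client -quiet -starttls smtp -connect "$1:$2" 2>&1
}

# Classify s_client output (read from stdin) into the cases the Q&A describes:
#   ok         TLS up, chain verified, server answered EHLO with 250 lines
#   untrusted  TLS up and mail will flow, but the chain did not verify
#              (private CA, verify error num=20/21): encrypted, not authenticated
#   reset      peer reset the connection during STARTTLS (write:errno=104)
#   failed     anything else
classify_probe() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'errno=104'; then
        echo reset
    elif printf '%s\n' "$out" | grep -q '^250[ -]'; then
        if printf '%s\n' "$out" | grep -q 'verify error:'; then echo untrusted; else echo ok; fi
    else
        echo failed
    fi
}
```

Run relay_tls_is_mandatory /etc/postfix/main.cf after editing: with the page's configuration it returns 1, because smtp_use_tls = yes is only opportunistic, and 0 once smtp_tls_security_level = encrypt is added. starttls_probe smtp.office365.com 587 | classify_probe replaces the Ctrl+C-terminated openssl session and gives one word you can act on.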
Q & A
STARTTLS is required to send mail
Jul 27 02:41:51 freepbx postfix/smtp[20403]: B56021017FB13: to=<alang.hsu@gmail.com>, relay=smtp.office365.com[52.96.165.34]:587, delay=10, delays=0.02/0.01/5.3/5.1, dsn=4.0.0, status=deferred (host smtp.office365.com[52.96.165.34] said: 451 5.7.3 STARTTLS is required to send mail [BN9PR03CA0153.namprd03.prod.outlook.com] (in reply to MAIL FROM command))
Solution:
- Office 365 rejects MAIL FROM on a cleartext session, so the Postfix SMTP client must be negotiating TLS: check that main.cf has smtp_use_tls = yes (or smtp_tls_security_level = encrypt), i.e. the smtp_* (client) TLS parameters and not only the smtpd_* (server) ones.
- Confirm the certificate files referenced from main.cf were created; a missing file under /etc/postfix/tls breaks the smtpd side, but it is the client-side TLS setting above that clears this error.
XXX not allowed to send as asterisk@freepbx.sangoma.local
Jul 27 04:11:53 freepbx postfix/smtp[31670]: warning: smtp.office365.com[52.96.28.178]:587: response longer than 2048: 554 5.2.252 SendAsDenied; info...
Jul 27 04:11:53 freepbx postfix/smtp[31670]: E0E4010176933: to=<info@mediasystemsfl.com>, relay=smtp.office365.com[52.96.28.178]:587, delay=313418, delays=313416/0.01/1.1/0.26, dsn=5.2.252, status=bounced (host smtp.office365.com[52.96.28.178] said: 554 5.2.252 SendAsDenied; info@mediasystemsfl.com not allowed to send as asterisk@freepbx.sangoma.local; STOREDRV.Submission.Exception:SendAsDeniedException.MapiExceptionSendAsDenied; Failed to process message due to a permanent exception with message [BeginDiagnosticData]Cannot submit message. 0.35250:14350000, 1.36674:0A000000, 1.61250:00000000, 1.45378:02000000, 1.44866:EC2D0000, 1.36674:0E000000, 1.61250:00000000, 1.45378:F12D0000, 1.44866:CA010000, 16.55847:9A120000, 17.43559:0000000024020000000000000000000000000000, 20.52176:140F52951900103100000000, 20.50032:140F52958917000000000000, 0.35180:140F5295, 255.23226:0A000000, 255.27962:0A000000, 255.27962:0E000000, 255.31418:19000000, 0.35250:1F001336, 1.36674:0A000000, 1.61250:00000000, 1.45378:02000000, 1.44866:58000000, 1.36674:32000000, 1.61250:00000000, 1.45378:5D000000, 1.44866:01000000, 16.55847:D3000000, 17.43559:0000000098030000000000000F00000000000000, 20.52176:140F52951900101062000000, 20.50032:140F5295891700001F001A00, 0.35180:67000000, 255.23226:0A001380, 255.27962:0A000000, 255.27962:32000000, 255.17082:DC040000, 0.27745:0B002900, 4.21921:DC040000, 255.27962:FA000000, 255.1494:03003600, 0.38698:0F010480, 1.41134:46000000, 7.36354:010000000000010B01000000, 0.37692:01000000, 0.37948:86000000, 5.33852:00000000534D545000000000, 7.36354:010000000000010907000000, 4.56248:DC040000, 7.40748:010000000000010B0A000000, 7.57132:000000000000000003000000, 4.39640:DC040000, 1.63016:32000000, 8.45434:EAFEADFEA5E644438592F8B9E718580F00000000, 1.46798:04000000, 5.10786:0000000031352E32302E353435382E3032353A424C30505231364D42323333383A39333261363135642D616239372D346165312D623030362D3234323361383536363439313A3332323631360093001000000000, 7.51330:2A6B5D23866FDA0800000000, 0.39570:07000000, 1.55954:0A000000, 0.49266:0200
Jul 27 04:11:53 freepbx postfix/cleanup[31676]: AC9D41016F023: message-id=<20220727041153.AC9D41016F023@freepbx.sangoma.local>
Jul 27 04:11:53 freepbx postfix/bounce[31675]: E0E4010176933: sender non-delivery notification: AC9D41016F023
Jul 27 04:11:53 freepbx postfix/qmgr[27367]: AC9D41016F023: from=<>, size=8634, nrcpt=1 (queue active)
Jul 27 04:11:53 freepbx postfix/qmgr[27367]: E0E4010176933: removed
Jul 27 04:11:53 freepbx postfix/local[31678]: AC9D41016F023: to=<asterisk@freepbx.sangoma.local>, relay=local, delay=0.02, delays=0.01/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
Jul 27 04:11:53 freepbx postfix/qmgr[27367]: AC9D41016F023: removed
Solution:
Office 365 (the GoDaddy SMTP service) checks that the envelope sender and From address are ones the authenticated account is permitted to send as; the local address asterisk@freepbx.sangoma.local is not, so the message bounces with 554 5.2.252 SendAsDenied. Have Postfix rewrite such local addresses to the authenticated account's address through smtp_generic_maps: add the mapping to /etc/postfix/generic and rebuild the map with postmap, as described in the generic map section above.
openssl test connection fails
If the test prints only the following one or two lines, the TLS connection failed (errno=104 is ECONNRESET: the server closed the connection during or right after the STARTTLS handshake):
write:errno=104
A successful connection looks like this:
depth=2 /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
verify return:1
depth=1 /C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
verify return:1
depth=0 /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=outlook.com
verify return:1
250 SMTPUTF8
certificate verification failed
postfix/smtp[17989]: certificate verification failed for 10.14.26.18[10.14.26.18]:587: untrusted issuer /DC=com/DC=winfoundry/CN=win-root
The SMTP server you relay to presents a certificate issued by a CA Postfix does not trust (here the internal CA win-root; a self-signed certificate produces the same warning). With opportunistic TLS (smtp_use_tls = yes) this does not stop delivery: the session is still encrypted, Postfix simply cannot confirm who it is talking to, so on a trusted internal network the warning can be ignored.
To make the message go away, and to actually verify the peer, obtain the root certificate of the CA that issued the server's certificate and point Postfix at it, for example smtp_tls_CAfile = /etc/postfix/tls/win-root.pem (the path is an example). Only with smtp_tls_security_level = verify or higher does a failed verification stop delivery.
TLS handshake failed
STARTTLS=client, error: connect failed=-1, SSL_error=5, errno=104, retry=-1
ruleset=tls_server, arg1=SOFTWARE, relay=tpemissp01.winfoundry.com, reject=403 4.7.0 TLS handshake failed.
...relay=tpemissp01.winfoundry.com. [10.14.26.18], dsn=4.0.0, stat=Deferred: 403 4.7.0 TLS handshake failed.
These lines are in sendmail's log format rather than Postfix's, but the cause is the same: errno=104 means the server reset the connection during the handshake. Use openssl as in the test above to check whether a TLS connection to the SMTP host succeeds.