delphij's Chaos

Postfix SNI support and its compatibility problem with Gmail

Today, while changing the status of a ticket in the ticketing system at home (an operation that triggers an email), I happened to have the mail server's log open in another window and noticed something odd:

Mar 19 20:17:12 XXXXXX postfix/smtp[XXXXX]: certificate verification failed for gmail-smtp-in.l.google.com[2607:f8b0:4023:1c03::1a]:25: self-signed certificate
Mar 19 20:17:12 XXXXXX postfix/smtp[XXXXX]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[2607:f8b0:4023:1c03::1a]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Mar 19 20:17:12 XXXXXX postfix/smtp[XXXXX]: XXXXXXXXXX: Server certificate not verified
Mar 19 20:17:13 XXXXXX postfix/smtp[XXXXX]: certificate verification failed for gmail-smtp-in.l.google.com[142.250.142.26]:25: self-signed certificate
Mar 19 20:17:13 XXXXXX postfix/smtp[XXXXX]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[142.250.142.26]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Mar 19 20:17:13 XXXXXX postfix/smtp[XXXXX]: XXXXXXXXXX: Server certificate not verified
Mar 19 20:17:13 XXXXXX postfix/smtp[XXXXX]: certificate verification failed for alt1.gmail-smtp-in.l.google.com[142.250.115.27]:25: self-signed certificate
Mar 19 20:17:13 XXXXXX postfix/smtp[XXXXX]: Untrusted TLS connection established to alt1.gmail-smtp-in.l.google.com[142.250.115.27]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Mar 19 20:17:13 XXXXXX postfix/smtp[XXXXX]: XXXXXXXXXX: Server certificate not verified
Mar 19 20:17:14 XXXXXX postfix/smtp[XXXXX]: certificate verification failed for alt1.gmail-smtp-in.l.google.com[2607:f8b0:4023:1004::1b]:25: self-signed certificate
Mar 19 20:17:14 XXXXXX postfix/smtp[XXXXX]: Untrusted TLS connection established to alt1.gmail-smtp-in.l.google.com[2607:f8b0:4023:1004::1b]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Mar 19 20:17:14 XXXXXX postfix/smtp[XXXXX]: XXXXXXXXXX: Server certificate not verified
Mar 19 20:17:14 XXXXXX postfix/smtp[XXXXX]: Verified TLS connection established to alt2.gmail-smtp-in.l.google.com[2607:f8b0:4003:c15::1b]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (prime256v1) server-digest SHA256
Mar 19 20:17:15 XXXXXX postfix/smtp[XXXXX]: XXXXXXXXXX: to=<XXXXXXX@gmail.com>, relay=alt2.gmail-smtp-in.l.google.com[2607:f8b0:4003:c15::1b]:25, delay=2.8, delays=0.06/0.1/2/0.66, dsn=2.0.0, status=sent (250 2.0.0 OK XXXXXXXXXX XXXX-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.XX - gsmtp)

This article discusses the compatibility problem between Postfix's SNI support and Gmail. While changing a ticket's status in the ticketing system, the author noticed some odd entries in the mail server log. By analysing the log, the author found that the cause was that Postfix was not telling the remote side the SNI name of the host it was trying to reach. The fix is to have Postfix supply an SNI name when it verifies the server certificate, and to rebuild the tls_policy hash db. After that, mail to Gmail is delivered normally. The author also notes that when Gmail rolls out a new change it sends a self-signed certificate during the TLS handshake, but does not yet understand what the benefit of doing so is.
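The log pattern above (verification failing with "self-signed certificate", an Untrusted session, then the next MX tried until one verifies) is easy to miss in a busy mail log, and the fix described in the summary lives in a policy map that is equally easy to misconfigure. The following script is an added example, not delphij's code and not part of Postfix: it triages postfix/smtp TLS lines (a constructed sample modelled on the entries above, with queue IDs replaced) and lints an smtp_tls_policy_maps file for verify/secure entries that carry no servername= attribute. It assumes the log format shown above and the servername= policy attribute of Postfix 3.4 and later; the hostnames in the sample policy are placeholders.

```python
"""Triage Postfix smtp TLS log lines and lint smtp_tls_policy_maps entries.

Added example for this post; not the author's code and not part of Postfix.
Assumes the syslog/postfix line format shown in the post and the
'servername=' policy-map attribute (Postfix >= 3.4).
"""
import re
from collections import defaultdict

# Constructed sample log, modelled on the post's entries (queue IDs replaced).
SAMPLE_LOG = """\
Mar 19 20:17:12 mx postfix/smtp[1234]: certificate verification failed for gmail-smtp-in.l.google.com[2607:f8b0:4023:1c03::1a]:25: self-signed certificate
Mar 19 20:17:12 mx postfix/smtp[1234]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[2607:f8b0:4023:1c03::1a]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Mar 19 20:17:12 mx postfix/smtp[1234]: ABCDEF0123: Server certificate not verified
Mar 19 20:17:14 mx postfix/smtp[1234]: Verified TLS connection established to alt2.gmail-smtp-in.l.google.com[2607:f8b0:4003:c15::1b]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (prime256v1) server-digest SHA256
Mar 19 20:17:15 mx postfix/smtp[1234]: ABCDEF0123: to=<user@gmail.com>, relay=alt2.gmail-smtp-in.l.google.com[2607:f8b0:4003:c15::1b]:25, delay=2.8, delays=0.06/0.1/2/0.66, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

# Constructed sample policy map: the first entry verifies without SNI (the
# situation in the post), the second carries an explicit SNI name.
SAMPLE_POLICY = """\
# destination   level   attributes
gmail.com       secure  match=.google.com
example.org     secure  match=.example.org servername=mx.example.org
example.net     may
"""

VERIFY_FAIL = re.compile(
    r"certificate verification failed for (?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]:\d+: (?P<reason>.+)$")
TLS_ESTAB = re.compile(
    r"(?P<trust>Untrusted|Trusted|Verified|Anonymous) TLS connection established to "
    r"(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]:\d+: (?P<proto>TLSv[\d.]+) .*server-signature (?P<sig>[A-Za-z-]+)")


def triage(log_text):
    """Group postfix/smtp TLS events by remote host.

    Returns {host: {"failures": [(ip, reason)], "connections": [(ip, trust, sig)]}}.
    """
    by_host = defaultdict(lambda: {"failures": [], "connections": []})
    for line in log_text.splitlines():
        if "postfix/smtp[" not in line:
            continue
        m = VERIFY_FAIL.search(line)
        if m:
            by_host[m["host"]]["failures"].append((m["ip"], m["reason"]))
            continue
        m = TLS_ESTAB.search(line)
        if m:
            by_host[m["host"]]["connections"].append((m["ip"], m["trust"], m["sig"]))
    return dict(by_host)


def unverified_hosts(summary):
    """Hosts whose certificate failed verification and where only an Untrusted
    session resulted, i.e. the hosts worth checking for a missing SNI name."""
    return sorted(h for h, d in summary.items()
                  if d["failures"] and any(t == "Untrusted" for _, t, _ in d["connections"]))


def lint_tls_policy(policy_text):
    """Return destinations at verify/secure level with no servername= attribute.

    Without SNI those levels depend on the server picking the right certificate
    on its own, which is exactly what went wrong with Gmail in the post.
    """
    findings = []
    for line in policy_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        dest, level, attrs = fields[0], fields[1], fields[2:]
        if level in ("verify", "secure") and not any(a.startswith("servername=") for a in attrs):
            findings.append(dest)
    return findings


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for host in unverified_hosts(summary):
        print(f"{host}: verification failed, reasons={[r for _, r in summary[host]['failures']]}")
    for dest in lint_tls_policy(SAMPLE_POLICY):
        print(f"policy entry for {dest} verifies without servername=")
```

After adding a servername= attribute to an entry, the map has to be rebuilt (for a hash: table, with postmap on the policy file) before Postfix picks up the change; the linter only reads the source text, so rerun it on that file rather than on the .db.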
