我正在尝试为位于反向代理(http(s)、SMTP)后面的自托管 discourse 实例设置入站电子邮件。公共域名:public.example.com,反向代理后面的主机:internal.example.com。我遵循了此手册,但可能由于证书错误而卡住了。我正在使用自签名证书在反向代理和 discourse 容器之间进行内部加密。邮件容器似乎无法处理 discourse 容器提供的自签名证书,尽管它是一个链式证书。我哪里做错了,或者如何进一步调试这个问题?
邮件入站容器(./launcher logs mail-receiver)的相关日志输出是:
May 21 15:34:06 internal-mail-receiver postfix/qmgr[101]: BA3E16FDE7: from=<foo@example.com>, size=3836, nrcpt=1 (queue active)
<23>May 21 15:34:06 receive-mail[113]: Recipient: nobody@public.example.com<19>May 21 15:34:06 receive-mail[113]: Failed to POST the e-mail to https://internal.example.com/admin/email/handle_mail: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate) (OpenSSL::SSL::SSLError)<19>May 21 15:34:06 receive-mail[113]: /usr/lib/ruby/2.7.0/net/protocol.rb:44:in `connect_nonblock'
/usr/lib/ruby/2.7.0/net/protocol.rb:44:in `ssl_socket_connect'
/usr/lib/ruby/2.7.0/net/http.rb:1009:in `connect'
/usr/lib/ruby/2.7.0/net/http.rb:943:in `do_start'
/usr/lib/ruby/2.7.0/net/http.rb:932:in `start'
/usr/lib/ruby/2.7.0/net/http.rb:1483:in `request'
/usr/local/lib/site_ruby/mail_receiver/internal_mail_receiver.rb:43:in `process'
/usr/local/bin/receive-mail:13:in `<main>'May 21 15:34:06 internal-mail-receiver postfix/pipe[112]: BA3E16FDE7: to=<nobody@public.example.com>, relay=discourse, delay=0.39, delays=0.19/0.01/0/0.2, dsn=4.3.0, status=deferred (temporary failure)
邮件容器的 mail-receiver.yml 配置文件(相关部分)是:
env:
POSTCONF_smtpd_tls_key_file: /ssl/ssl.key
POSTCONF_smtpd_tls_cert_file: /ssl/ssl.crt
POSTCONF_smtpd_tls_security_level: may
DISCOURSE_MAIL_ENDPOINT: 'https://internal.example.com/admin/email/handle_mail'
volumes:
- volume:
host: /var/discourse/shared/standalone/ssl
guest: /ssl
私钥 ssl.key 包含(内部)服务器的私钥。链式证书 ssl.crt 包含:服务器证书 + CA 证书(作为新用户,我无法上传文件,因此目前无法提供 ssl.crt)。