服务器 Gind.cn
  1. 服务器 Gind.cn
  3. CentOS 7 ec2 smtpd – 客户端主机被拒绝:访问被拒绝
Intereting Posts
如何configurationSPFlogging以允许我的域下的所有主机名(Alogging)? 在/etc/rcX.d/中没有“K”链接的守护进程会发生什么 如何在pfSense只读文件系统上安装组件? 远程桌面在LAN中工作,但不在WAN上 有没有一个后缀mysql的virtual_maps append_at_origin解决方法,所以我可以pipe道外部脚本? 为没有主目录的用户设置永久性env var 如何限制login用户的语言? 如果公有IP被固定在一个AS上,BGP选播如何工作? Apache作为OS X 10.6下的哪个用户,组运行? Powershell查询lastlogondate(lastlogontimestamp)返回大多数空值(不匹配对应的用户属性的ADSIedit值) Nginx的子目录Drupal +其他应用程序 如何为域Windows机器的所有用户设置桌面背景颜色? 使未使用的ssh密钥失效 任何人都可以推荐一个小型组织(25资产)的轻量级资产pipe理工具吗? 问题与工作站和文件服务器共享

CentOS 7 ec2 smtpd – 客户端主机被拒绝:访问被拒绝

我一直试图弄清楚这个好几个小时,不能把我的头围绕在里面。

我在运行CentOS7的ec2实例上有一个邮件服务器,它configuration了postfix,courier(authlib和imap),sasl,amavisd,spamassassin和roundcube。 当我telnet localhost 25然后我可以成功地发送电子邮件甚至我的EC2实例。

我安装了roundcube,使用户更容易阅读/发送电子邮件。 我可以login没有问题,我可以看到我的电子邮件,并可以阅读(所以imap工作正常)。 然而,我的问题是,当我想从roundcube(通过smtps端口465)发送电子邮件。 它popup与unable to set recipient和以下错误信息: 

 NOQUEUE: reject: RCPT from unknown[127.0.0.1]: 554 5.7.1 <unknown[127.0.0.1]>: Client host rejected: Access denied;

全堆电子邮件发送尝试: 

 Nov 6 08:11:26 ip-172-31-9-181 postfix/smtpd[5651]: connect from unknown[127.0.0.1] Nov 6 08:11:26 ip-172-31-9-181 postfix/smtpd[5651]: Anonymous TLS connection established from unknown[127.0.0.1]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) Nov 6 08:11:26 ip-172-31-9-181 postfix/smtpd[5651]: NOQUEUE: reject: RCPT from unknown[127.0.0.1]: 554 5.7.1 <unknown[127.0.0.1]>: Client host rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mail.mydomain.com> Nov 6 08:11:26 ip-172-31-9-181 postfix/smtpd[5651]: disconnect from unknown[127.0.0.1]

这是我在config.inc.php中的roundcubeconfiguration 

 $config['default_host'] = 'ssl://localhost'; $config['default_port'] = 993; $config['imap_auth_type'] = 'LOGIN'; $config['image_force_ns'] = true; $config['smtp_server'] = 'ssl://localhost'; $config['smtp_port'] = 465; $config['smtp_helo_host'] = 'mail.mydomain.com';

我试过设置 

 $config['smtp_user'] = '%u'; $config['smtp_pass'] = '%p';

但是,这会导致SASL错误: 

 Nov 6 08:24:01 ip-172-31-9-181 postfix/smtpd[5705]: connect from unknown[127.0.0.1] Nov 6 08:24:01 ip-172-31-9-181 postfix/smtpd[5705]: Anonymous TLS connection established from unknown[127.0.0.1]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) Nov 6 08:24:01 ip-172-31-9-181 postfix/smtpd[5705]: warning: SASL authentication failure: client response doesn't match what we generated (tried bogus) Nov 6 08:24:01 ip-172-31-9-181 postfix/smtpd[5705]: warning: unknown[127.0.0.1]: SASL DIGEST-MD5 authentication failed: authentication failure Nov 6 08:24:01 ip-172-31-9-181 postfix/smtpd[5705]: disconnect from unknown[127.0.0.1]

这让我感到非常困惑,我无法弄清楚甚至是什么造成的? 是smtp,sasl还是别的? 所有需要的服务都被启用并且没有问题地启动。

这是我的postconf -n输出 

 alias_database = hash:/etc/postfix/aliases alias_maps = hash:/etc/postfix/aliases broken_sasl_auth_clients = no command_directory = /usr/sbin config_directory = /etc/postfix content_filter = amavis:[127.0.0.1]:10024 daemon_directory = /usr/libexec/postfix data_directory = /var/lib/postfix debug_peer_level = 2 debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5 delay_warning_time = 4h disable_vrfy_command = yes header_checks = regexp:/etc/postfix/header_checks html_directory = no inet_interfaces = all inet_protocols = ipv4 local_destination_concurrency_limit = 5 local_destination_recipient_limit = 300 local_recipient_maps = mail_owner = postfix mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp mailq_path = /usr/bin/mailq.postfix manpage_directory = /usr/share/man masquerade_domains = mail.mydomain.com mydomain.com masquerade_exceptions = root maximal_backoff_time = 8000s maximal_queue_lifetime = 7d mime_header_checks = pcre:/etc/postfix/body_checks minimal_backoff_time = 1000s mydestination = mydomain = mydomain.com mynetworks_style = host myorigin = $mydomain newaliases_path = /usr/bin/newaliases.postfix queue_directory = /var/spool/postfix readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES recipient_delimiter = + relayhost = sample_directory = /usr/share/doc/postfix-2.10.1/samples sendmail_path = /usr/sbin/sendmail.postfix setgid_group = postdrop smtp_helo_timeout = 60s smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt smtp_tls_note_starttls_offer = yes smtp_tls_security_level = may smtpd_banner = $myhostname ESMTP $mail_name smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, permit smtpd_data_restrictions = reject_unauth_pipelining smtpd_delay_reject = yes smtpd_hard_error_limit = 12 smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit smtpd_recipient_limit = 16 smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, permit smtpd_sasl_auth_enable = yes smtpd_sasl_local_domain = smtpd_sasl_security_options = noanonymous smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit smtpd_soft_error_limit = 3 smtpd_tls_cert_file = /etc/postfix/unime.cert smtpd_tls_key_file = /etc/postfix/unime.key smtpd_tls_loglevel = 1 smtpd_tls_received_header = yes smtpd_tls_security_level = may smtpd_tls_session_cache_timeout = 3600s soft_bounce = no tls_random_source = dev:/dev/urandom unknown_local_recipient_reject_code = 450 virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf virtual_gid_maps = static:5000 virtual_mailbox_base = /var/spool/mail/virtual virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf virtual_uid_maps = static:5000

这是我的master.cf文件: 

 smtp inet n - n - - smtpd submission inet n - n - - smtpd -o smtpd_sasl_auth_enable=yes -o smtpd_tls_auth_only=yes -o smtpd_recipient_restrictions=permit_sasl_authenticated.reject_unauth_destination,reject -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject -o smtpd_sasl_security_options=noanonymous,noplaintext -o smtpd_sasl_tls_security_options=noanonymous smtps inet n - - - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_tls_auth_only=yes -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sasl_security_options=noanonymous,noplaintext -o smtpd_sasl_tls_security_options=noanonymous pickup unix n - n 60 1 pickup -o content_filter= -o receive_override_options=no_header_body_checks cleanup unix n - n - 0 cleanup qmgr unix n - n 300 1 qmgr tlsmgr unix - - n 1000? 1 tlsmgr rewrite unix - - n - - trivial-rewrite bounce unix - - n - 0 bounce defer unix - - n - 0 bounce trace unix - - n - 0 bounce verify unix - - n - 1 verify flush unix n - n 1000? 0 flush proxymap unix - - n - - proxymap proxywrite unix - - n - 1 proxymap smtp unix - - n - - smtp relay unix - - n - - smtp showq unix n - n - - showq error unix - - n - - error retry unix - - n - - error discard unix - - n - - discard local unix - nn - - local virtual unix - nn - - virtual lmtp unix - - n - - lmtp anvil unix - - n - 1 anvil scache unix - - n - 1 scache amavis unix - - - - 2 smtp -o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes -o disable_dns_lookups=yes -o max_use=20 127.0.0.1:10025 inet n - - - - smtpd -o content_filter= -o local_recipient_maps= -o relay_recipient_maps= -o smtpd_restriction_classes= -o smtpd_delay_reject=no -o smtpd_client_restrictions=permit_mynetworks,reject -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o smtpd_data_restrictions=reject_unauth_pipelining -o smtpd_end_of_data_restrictions= -o mynetworks=127.0.0.0/8 -o smtpd_error_sleep_time=0 -o smtpd_soft_error_limit=1001 -o smtpd_hard_error_limit=1000 -o smtpd_client_connection_count_limit=0 -o smtpd_client_connection_rate_limit=0 -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

这是我的sasl2/smtpd.conf文件: 

 pwcheck_method: saslauthd mech_list: plain login cram-md5 digest-md5 log_level: 7 allow_plaintext: true auxprop_plugin: sql sql_engine: mysql sql_hostnames: 127.0.0.1 sql_user: xxxxx sql_passwd: xxxxx sql_database: xxxxx sql_select: xxxxx

任何帮助将不胜感激找出背后的问题。 如果需要更多信息来找出原因,请告诉我。

正如@clement已经指出,master.cf的smtps部分的以下configuration与拒绝匹配: -o smtpd_client_restrictions=permit_sasl_authenticated,reject

因此,configurationroundcube以使用用户凭证进行身份validation。

或者允许本地主机发送邮件,例如在master.cf中,将smtpd_recipient_restrictionssmtpd_client_restrictions作为第一个参数,例如: permit_mynetworks,permit_sasl_authenticated,reject

我想你的master.cf有一个错字: 

 submission inet n - n - - smtpd ... -o smtpd_recipient_restrictions=permit_sasl_authenticated.reject_unauth_destination,reject

注意.permit_sasl_authenticated之后。

应该 

 submission inet n - n - - smtpd ... -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject

也通常使用端口587来提交邮件authentication的用户: 

 $config['smtp_port'] = 587;

另外,玩smtp_auth_type参数: 

 $config['smtp_auth_type'] = ''; $config['smtp_auth_type'] = 'AUTH'; $config['smtp_auth_type'] = 'LOGIN';

根据你的Postfix-SASLconfiguration。

我有同样的问题,我把我的IP范围添加到/etc/postfix目录中的mynetworks文件,它解决了这个问题,例如: 

 vim /etc/postfix/mynetworks

然后转到文件的末尾并添加您的IP地址块 – 例如: 91.0.0.0/8

然后保存并重新启动postfix。