我使用Postfix作为MTA和中继。 希望从远程系统发送电子邮件的用户authentication和Postfix到达福科特的手,这很好。 但是,如何限制哪些用户可以使用SMTP +validation,而不限制对POP或IMAP的访问?
对于我来说,如果该块在Dovecot的SASLauthentication中,或者由Postfix在表格中查找,这并不重要。
使用Postfix 2.9.6 for SMTP,Dovecot 2.0.19用于POP,IMAP和SASL。 虚拟用户存储在MySQL 5.5.40中。
root@mx1:~# postconf -n alias_database = hash:/etc/aliases alias_maps = hash:/etc/aliases append_dot_mydomain = no biff = no config_directory = /etc/postfix home_mailbox = Maildir/ inet_interfaces = all mailbox_size_limit = 0 message_size_limit = 51200000 mydestination = localhost, mx1.mydomain.tld myhostname = virtmx.mydomain.tld mynetworks = /etc/postfix/mynetworks myorigin = /etc/mailname policy-spf_time_limit = 3600s readme_directory = no recipient_delimiter = + relay_domains = proxy:mysql:/etc/postfix/mysql_relay_domains_maps.cf setgid_group = vmail smtp_tls_mandatory_ciphers = medium smtp_tls_mandatory_protocols = !SSLv2,!SSLv3 smtp_tls_note_starttls_offer = yes smtp_tls_protocols = !SSLv2,!SSLv3 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtpd_banner = $myhostname ESMTP $mail_name smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unauth_destination, reject_unauth_pipelining, check_policy_service unix:private/policy-spf, reject_rbl_client zen.spamhaus.org, reject_rhsbl_reverse_client dbl.spamhaus.org, reject_rhsbl_helo dbl.spamhaus.org, reject_rhsbl_sender dbl.spamhaus.org smtpd_sasl_auth_enable = yes smtpd_sasl_authenticated_header = yes smtpd_sasl_local_domain = $myhostname smtpd_sasl_path = private/auth smtpd_sasl_security_options = noanonymous smtpd_sasl_tls_security_options = $smtpd_sasl_security_options smtpd_sasl_type = dovecot smtpd_sender_restrictions = reject_unknown_sender_domain smtpd_tls_auth_only = yes smtpd_tls_cert_file = /etc/postfix/mydomain.tld-virtmx.pem smtpd_tls_key_file = /etc/postfix/mydomain.tld-virtmx.key smtpd_tls_loglevel = 1 smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3 smtpd_tls_protocols = !SSLv2,!SSLv3 smtpd_tls_received_header = yes smtpd_tls_security_level = may smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtpd_use_tls = yes tls_medium_cipherlist = AES128+EECDH:AES128+EDH transport_maps = proxy:mysql:/etc/postfix/mysql_transports_maps.cf virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf virtual_gid_maps = static:88 virtual_mailbox_base = /srv/mailbox virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf virtual_minimum_uid = 999 virtual_transport = virtual virtual_uid_maps = proxy:mysql:/etc/postfix/mysql_virtual_uid_maps.cf 如果有帮助,这些是使用的SQL查询:
mysql_mynetworks.cf query = SELECT address FROM mailnetworks WHERE address='%s' and active='Y' mysql_relay_domains_maps.cf query = SELECT domain FROM maildomains WHERE domain='%s' AND backupmx = 1 AND active = 1 mysql_sender_maps.cf query = SELECT address FROM mailsender WHERE username='%s' mysql_transports_maps.cf query = SELECT transport FROM maildomains WHERE domain='%s' AND transport != '' AND active=1 mysql_virtual_alias_maps.cf query = SELECT goto FROM mailaliases AS a LEFT JOIN maildomains AS dom ON dom.domain=a.domain WHERE address='%s' AND dom.active=1 and a.active=1 mysql_virtual_domains_maps.cf query = SELECT domain FROM maildomains WHERE domain='%s' AND backupmx='0' AND active=1 mysql_virtual_mailbox_maps.cf query = SELECT maildir FROM mailboxes AS box LEFT JOIN maildomains AS dom ON dom.domain=box.domain WHERE username='%s' AND dom.active=1 AND box.active=1 mysql_virtual_uid_maps.cf query = SELECT uid FROM mailboxes AS box LEFT JOIN maildomains AS dom ON box.domain=dom.domain WHERE username='%s' AND box.active=1 and dom.active=1
此function可用于后缀版本2.11 。
您可以使用check_sasl_access参数来执行基于SASL用户名的限制。 当然你需要把它放在permit_sasl_authenticated 。 完整的文档请参阅man 5 postconf 。
configuration示例,取自Postfix SASL Howto
# main.cf smtpd_relay_restrictions = ..., check_sasl_access hash:/etc/postfix/sasl_blacklist, permit_sasl_authenticated, ...
和
# sasl_blacklist # Use this when smtpd_sasl_local_domain is empty. username REJECT # Use this when smtpd_sasl_local_domain=example.com. [email protected] REJECT
Postfix <2.11的一些解决方法
作者build议你需要结合reject_sender_login_mismatch和check_sender_access 。
参数reject_sender_login_mismatch将拒绝发件人是否未在其允许的用户名中定义。 看起来你已经在mysql_sender_maps.cf查询了这个。
参数check_sender_access将拒绝基于发件人的电子邮件。
所以,你需要类似的东西
smtpd_sender_login_maps = mysql:/etc/postfix/mysql_sender_maps.cf smtpd_relay_restriction = ... ... reject_sender_login_mismatch check_sender_access hash:/etc/postfix/sasl_reject ...
和
#sasl_reject [email protected] REJECT
另一种方法是使用轻量级postfwd对SASL用户名执行某种限制。 您可以使用sasl_username参数来控制此行为。 有关更多信息,请参阅postfwd的此文档页面 。