Using Postfix with an external mail filtering service?

The current Postfix (2.9) configuration is very simple: the MX record points at the server running Postfix, and Postfix delivers mail to the users' maildirs. Users fetch their mail over IMAP through Dovecot, and send outbound mail through Postfix over TLS on port 465 with authentication. Here is /etc/postfix/main.cf:

    # See /usr/share/postfix/main.cf.dist for a commented, more complete version

    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    myorigin = /etc/mailname
    mydomain = example.net

    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no

    # appending .domain is the MUA's job.
    append_dot_mydomain = no

    # Uncomment the next line to generate "delayed mail" warnings
    delay_warning_time = 4h

    readme_directory = no

    # SASL
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    smtpd_sasl_local_domain =
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_auth_enable = yes

    # Anti-spam
    disable_vrfy_command = yes
    smtpd_helo_required = yes
    header_checks = regexp:/etc/postfix/header_checks
    smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_invalid_helo_hostname,
        reject_non_fqdn_helo_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_unauth_pipelining,
        reject_unauth_destination,
        check_helo_access pcre:/etc/postfix/helo_checks.pcre
        check_policy_service unix:private/policy-spf
        reject_rbl_client zen.spamhaus.org,

    # TLS parameters
    smtpd_tls_cert_file=/etc/ssl/certs/figaro.example.net.crt
    smtpd_tls_key_file=/etc/ssl/private/figaro.example.net.key
    smtpd_tls_CAfile=/etc/ssl/certs/sub.class1.server.ca.pem
    smtpd_tls_security_level = may
    smtpd_tls_loglevel = 1
    smtpd_tls_session_cache_timeout = 3600s
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

    # different EHLO response for localhost
    # (we speed up roundcube by disabling STARTTLS)
    smtpd_discard_ehlo_keyword_address_maps = hash:/etc/postfix/discard_ehlo

    myhostname = figaro.example.net
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    mydestination = figaro.example.net,
        localhost.example.net, example.net, localhost
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
    mailbox_size_limit = 0
    recipient_delimiter = .
    inet_interfaces = all
    home_mailbox = Maildir/
    policy-spf_time_limit = 3600s

This has worked well for some time, but we ran into spam problems and decided to contract with an external spam filtering service. The way it works is that we put their SMTP servers in our domain's MX records, and they forward the (ostensibly) legitimate mail on to our server.

But I am having trouble configuring Postfix to:

  1. relay mail from authenticated clients to the rest of the network
  2. accept mail for local users only from the external mail filtering service

All other delivery or relay attempts should be rejected. The spam filtering service publishes its outbound IPs as DNS A records of a given host, say delivery.example.com. I created /etc/postfix/access as follows (remembering to run postmap /etc/postfix/access afterwards):

    delivery.example.com OK

Then I modified /etc/postfix/main.cf and replaced smtpd_recipient_restrictions with:

    smtpd_client_restrictions = hash:/etc/postfix/access permit_sasl_authenticated permit_mynetworks reject

This works in the sense that mail from delivery.example.com is accepted and mail from anywhere else is rejected; the problem is that users trying to send mail through the server from an ordinary mail client such as Thunderbird are denied relay access:

    Aug 29 13:37:36 figaro postfix/smtpd[24703]: connect from <censored>
    Aug 29 13:37:37 figaro postfix/smtpd[24703]: Anonymous TLS connection established from <censored>: TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
    Aug 29 13:37:38 figaro postfix/smtpd[24703]: NOQUEUE: reject: RCPT from <censored>: 554 5.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[192.168.0.1]>
    Aug 29 13:37:44 figaro postfix/smtpd[24703]: disconnect from <censored>

I would have thought (even after reading the documentation) that permit_sasl_authenticated should allow users to send mail through the server, but that does not seem to work. (It does work under the current configuration above, and in any case the server is not an open relay.) Any suggestions?

The problem with your revised configuration is that you replaced smtpd_recipient_restrictions (with smtpd_client_restrictions) instead of adding check_client_access hash:/etc/postfix/access to smtpd_recipient_restrictions. Here are your modified Postfix restrictions:

    smtpd_client_restrictions = hash:/etc/postfix/access permit_sasl_authenticated permit_mynetworks reject
    smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination

Wait... where does smtpd_recipient_restrictions come from?

If you do not specify the parameter smtpd_recipient_restrictions, Postfix assigns it a default value. You can see the default with the command postconf -d smtpd_recipient_restrictions.

According to the order in which Postfix applies its restrictions, an authenticated client passes smtpd_client_restrictions but is then rejected by smtpd_recipient_restrictions.

As a solution, I suggest adding check_client_access hash:/etc/postfix/access to smtpd_recipient_restrictions. So replace the current smtpd_client_restrictions with:

    smtpd_recipient_restrictions =
        check_client_access hash:/etc/postfix/access
        permit_mynetworks
        permit_sasl_authenticated
        reject_unauth_destination
        reject
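To see why the revised configuration rejected the authenticated user while the answer's version accepts it, here is a small model of Postfix's restriction evaluation walked over the restriction lists from this thread. It is an added example, not code from the question, the answer, or Postfix; the access table, mynetworks and mydestination values are reduced to the ones visible in the thread, and the sessions are constructed.

```python
# Added example (not code from the question or the answer): a small model of how
# Postfix walks smtpd_client_restrictions and then smtpd_recipient_restrictions.
# Within one list the first matching restriction decides; a reject from any list
# rejects the RCPT command. A teaching approximation of Postfix, not Postfix itself.

ACCESS_TABLE = {"delivery.example.com": "OK"}   # /etc/postfix/access after postmap
MYNETWORKS = {"127.0.0.1"}                      # mynetworks, reduced to exact addresses
MYDESTINATION = {"example.net", "figaro.example.net", "localhost"}

def evaluate(restrictions, session):
    """Evaluate one restriction list; returns 'permit', 'reject' or 'dunno'."""
    tokens = restrictions.split()
    i = 0
    while i < len(tokens):
        rule = tokens[i]
        if rule == "check_client_access":
            i += 1                      # the lookup table is the next token
            rule = tokens[i]
        if rule.startswith("hash:"):    # a bare table name acts as check_client_access
            if ACCESS_TABLE.get(session["hostname"]) == "OK":
                return "permit"
        elif rule == "permit_sasl_authenticated" and session["sasl"]:
            return "permit"
        elif rule == "permit_mynetworks" and session["ip"] in MYNETWORKS:
            return "permit"
        elif rule == "reject_unauth_destination" and session["rcpt"] not in MYDESTINATION:
            return "reject"
        elif rule == "reject":
            return "reject"
        i += 1
    return "dunno"                      # no decision: the next list gets to decide

def rcpt_decision(client_restrictions, recipient_restrictions, session):
    """Outcome of RCPT TO: 'reject' if any list rejects, otherwise 'accept'."""
    for lst in (client_restrictions, recipient_restrictions):
        if evaluate(lst, session) == "reject":
            return "reject"
    return "accept"

# The lists from the thread; DEFAULT_RECIPIENT is the Postfix 2.9 default value.
REVISED_CLIENT = "hash:/etc/postfix/access permit_sasl_authenticated permit_mynetworks reject"
DEFAULT_RECIPIENT = "permit_mynetworks reject_unauth_destination"
FIXED_RECIPIENT = ("check_client_access hash:/etc/postfix/access permit_mynetworks "
                   "permit_sasl_authenticated reject_unauth_destination reject")

# Constructed sessions: the authenticated user from the log, the filtering service, a stranger.
USER = {"hostname": "unknown", "ip": "192.168.0.1", "sasl": True, "rcpt": "example.org"}
FILTER = {"hostname": "delivery.example.com", "ip": "203.0.113.10", "sasl": False, "rcpt": "example.net"}
STRANGER = {"hostname": "unknown", "ip": "198.51.100.7", "sasl": False, "rcpt": "example.net"}
```

Note that an OK from the access table is a permit for the whole list, so with the final configuration delivery.example.com could also relay to outside domains; if the filtering service should only deliver locally, put reject_unauth_destination ahead of check_client_access (keeping permit_sasl_authenticated before it).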