我有一个运行Postfix的电子邮件服务器,通常效果很好。 我正在尝试使用此服务器作为CRM / Marketing平台安装中的传出邮件的SMTP服务器。 我input了身份validation凭据,它工作正常。 不过,我只能使用我authentication的邮箱作为“发件人”地址。 如果我尝试在广告系列中使用不同的地址(在同一个域中),则无法发送并导致此错误:
由于以下原因,此消息在3次尝试之后无法传送:错误消息:来自服务器220 server.com的响应250-server.com 250-PIPELINING 250-SIZE 26214400 250-ETRN 250-STARTTLS 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN 220 2.0.0准备启动TLS 250-server.com 250-PIPELINING 250-SIZE 26214400 250-ETRN 250-AUTH PLAIN LOGIN 250-AUTH = PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN 334 VXNlcm5hbWU6 334 UGFzc3dvcmQ6 235 2.7.0authentication成功250 2.1.0确定553 5.7.1: 发件人地址被拒绝:不属于用户[email protected] 250 2.0.0好的。
有没有一种方法来configurationPostfix允许我从一个特定的域上的任何地址发送一个帐户进行身份validation后? 我可以分配地址给这个用户,我authentication与? 我不想在其他域上打开这个,只是我为这个CRM使用的这个特定的域。
谢谢!
–
这是postconf -n给我的:
alias_database = hash:/etc/aliases alias_maps = hash:/etc/aliases append_dot_mydomain = no biff = no bounce_queue_lifetime = 1d broken_sasl_auth_clients = yes config_directory = /etc/postfix disable_vrfy_command = yes html_directory = /usr/share/doc/postfix/html inet_interfaces = all inet_protocols = all mailbox_size_limit = 0 maximal_backoff_time = 1800s maximal_queue_lifetime = 1d message_size_limit = 26214400 milter_default_action = accept milter_protocol = 6 minimal_backoff_time = 300s mydestination = mail1.mydomain.com, localhost.mydomain.com, localhost myhostname = mail1.mydomain.com mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 myorigin = /etc/mailname postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr postscreen_bare_newline_enable = no postscreen_blacklist_action = drop postscreen_cache_cleanup_interval = 24h postscreen_cache_map = proxy:btree:$data_directory/postscreen_cache postscreen_dnsbl_action = enforce postscreen_dnsbl_sites = b.barracudacentral.org=127.0.0.2*7 dnsbl.inps.de=127.0.0.2*7 bl.mailspike.net=127.0.0.2*5 bl.mailspike.net=127.0.0.[10;11;12]*4 dnsbl.sorbs.net=127.0.0.10*8 dnsbl.sorbs.net=127.0.0.5*6 dnsbl.sorbs.net=127.0.0.7*3 dnsbl.sorbs.net=127.0.0.8*2 dnsbl.sorbs.net=127.0.0.6*2 dnsbl.sorbs.net=127.0.0.9*2 zen.spamhaus.org=127.0.0.[10;11]*8 zen.spamhaus.org=127.0.0.[4..7]*6 zen.spamhaus.org=127.0.0.3*4 zen.spamhaus.org=127.0.0.2*3 hostkarma.junkemailfilter.com=127.0.0.2*3 hostkarma.junkemailfilter.com=127.0.0.4*1 hostkarma.junkemailfilter.com=127.0.1.2*1 wl.mailspike.net=127.0.0.[18;19;20]*-2 hostkarma.junkemailfilter.com=127.0.0.1*-2 postscreen_dnsbl_threshold = 8 postscreen_dnsbl_ttl = 5m postscreen_greet_action = enforce postscreen_greet_banner = $smtpd_banner postscreen_greet_ttl = 2d postscreen_greet_wait = 3s postscreen_non_smtp_command_enable = no postscreen_pipelining_enable = no proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps queue_run_delay = 300s readme_directory = /usr/share/doc/postfix recipient_delimiter = + relay_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_mxdomain_maps.cf relay_recipient_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf relayhost = smtp_header_checks = pcre:/etc/postfix/mailcow_anonymize_headers.pcre smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt smtp_tls_cert_file = /etc/ssl/mail/mail.crt smtp_tls_key_file = /etc/ssl/mail/mail.key smtp_tls_loglevel = 1 smtp_tls_security_level = may smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtpd_banner = $myhostname smtpd_data_restrictions = reject_unauth_pipelining, permit smtpd_delay_reject = yes smtpd_error_sleep_time = 10s smtpd_hard_error_limit = ${stress?1}${stress:5} smtpd_helo_required = yes smtpd_proxy_timeout = 600s smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_invalid_helo_hostname, reject_unknown_reverse_client_hostname, reject_unknown_client_hostname, reject_non_fqdn_helo_hostname, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client cbl.abuseat.org, reject_rbl_client b.barracudacentral.org smtpd_restriction_classes = z1_greylisting smtpd_sasl_auth_enable = yes smtpd_sasl_authenticated_header = yes smtpd_sasl_path = private/auth_dovecot smtpd_sasl_type = dovecot smtpd_sender_login_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_sender_acl.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch, permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated, reject_unlisted_sender, reject_unknown_sender_domain smtpd_soft_error_limit = 3 smtpd_tls_auth_only = yes smtpd_tls_cert_file = /etc/ssl/mail/mail.crt smtpd_tls_dh1024_param_file = /etc/ssl/mail/dhparams.pem smtpd_tls_eecdh_grade = strong smtpd_tls_exclude_ciphers = ECDHE-RSA-RC4-SHA smtpd_tls_key_file = /etc/ssl/mail/mail.key smtpd_tls_loglevel = 1 smtpd_tls_mandatory_ciphers = high smtpd_tls_mandatory_exclude_ciphers = ECDHE-RSA-RC4-SHA smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 smtpd_tls_security_level = may smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA virtual_alias_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_spamalias_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf virtual_gid_maps = static:5000 virtual_mailbox_base = /var/vmail/ virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf virtual_minimum_uid = 104 virtual_transport = lmtp:unix:private/dovecot-lmtp virtual_uid_maps = static:5000 z1_greylisting = permit_dnswl_client list.dnswl.org, check_policy_service inet:127.0.0.1:10023
以下是mysql_virtual_sender_acl.cf :
# mysql_virtual_sender_acl.cf user = mailcow password = password hosts = localhost dbname = mailcow query = SELECT logged_in_as FROM sender_acl WHERE send_as='%s' #expansion_limit = 100
在mysql_virtual_alias_maps.cf :
# mysql_virtual_alias_maps.cf user = mailcow password = password hosts = localhost dbname = mailcow query = SELECT goto FROM alias WHERE address='%s' AND active = '1' #expansion_limit = 100
您可以使用reject_authenticated_sender_login_mismatch
让用户进行testing
# saslpasswd2 -c -u example.net user1 # saslpasswd2 -c -u example.com user2 # sasldblistusers2 [email protected]: userPassword [email protected]: userPassword
做一些基本的testing。 正如你可以看到没有reject_authenticated_sender_login_mismatch用户可以在MAIL中使用从他想要的任何东西
# echo "Hello world" | swaks -s 127.0.0.1 --from [email protected] --to [email protected] --h-Subject "Test" --auth PLAIN --auth-user user1 --auth-password 1234567 --body - === Trying 127.0.0.1:25... === Connected to 127.0.0.1. <- 220 mail.example.net ESMTP Postfix -> EHLO svn.example.net <- 250-mail.example.net <- 250-PIPELINING <- 250-SIZE 10240000 <- 250-VRFY <- 250-ETRN <- 250-AUTH LOGIN PLAIN <- 250-ENHANCEDSTATUSCODES <- 250-8BITMIME <- 250 DSN -> AUTH PLAIN AHVzZXIxADEyMzQ1Njc= <- 235 2.7.0 Authentication successful -> MAIL FROM:<[email protected]> <- 250 2.1.0 Ok -> RCPT TO:<[email protected]> <- 250 2.1.5 Ok -> DATA <- 354 End data with <CR><LF>.<CR><LF> -> Date: Thu, 25 Feb 2016 20:53:45 +0000 -> To: [email protected] -> From: [email protected] -> Subject: Test -> X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/ -> -> Hello world -> -> -> . <- 250 2.0.0 Ok: queued as E1D3D406CC -> QUIT <- 221 2.0.0 Bye === Connection closed with remote host. # grep E1D3D406CC /var/log/maillog Feb 25 20:53:45 svn postfix/smtpd[56996]: E1D3D406CC: client=localhost[127.0.0.1], sasl_method=PLAIN, [email protected] Feb 25 20:53:45 svn postfix/cleanup[56999]: E1D3D406CC: message-id=<[email protected]> Feb 25 20:53:45 svn postfix/qmgr[56990]: E1D3D406CC: from=<[email protected]>, size=416, nrcpt=1 (queue active) Feb 25 20:53:45 svn postfix/local[57000]: E1D3D406CC: to=<[email protected]>, relay=local, delay=0.03, delays=0.02/0/0/0.01, dsn=2.0.0, status=sent (delivered to mailbox) Feb 25 20:53:45 svn postfix/qmgr[56990]: E1D3D406CC: removed # echo "Hello world" | swaks -s 127.0.0.1 --from [email protected] --to [email protected] --h-Subject "Test" --auth PLAIN --auth-user user1 --auth-password 1234567 --body - === Trying 127.0.0.1:25... === Connected to 127.0.0.1. <- 220 mail.example.net ESMTP Postfix -> EHLO svn.example.net <- 250-mail.example.net <- 250-PIPELINING <- 250-SIZE 10240000 <- 250-VRFY <- 250-ETRN <- 250-AUTH LOGIN PLAIN <- 250-ENHANCEDSTATUSCODES <- 250-8BITMIME <- 250 DSN -> AUTH PLAIN AHVzZXIxADEyMzQ1Njc= <- 235 2.7.0 Authentication successful -> MAIL FROM:<[email protected]> <- 250 2.1.0 Ok -> RCPT TO:<[email protected]> <- 250 2.1.5 Ok -> DATA <- 354 End data with <CR><LF>.<CR><LF> -> Date: Thu, 25 Feb 2016 20:55:13 +0000 -> To: [email protected] -> From: [email protected] -> Subject: Test -> X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/ -> -> Hello world -> -> -> . <- 250 2.0.0 Ok: queued as 94CBF4076C -> QUIT <- 221 2.0.0 Bye === Connection closed with remote host. # grep 94CBF4076C /var/log/maillog Feb 25 20:55:13 svn postfix/smtpd[56996]: 94CBF4076C: client=localhost[127.0.0.1], sasl_method=PLAIN, [email protected] Feb 25 20:55:13 svn postfix/cleanup[56999]: 94CBF4076C: message-id=<[email protected]> Feb 25 20:55:13 svn postfix/qmgr[56990]: 94CBF4076C: from=<[email protected]>, size=424, nrcpt=1 (queue active) Feb 25 20:55:13 svn postfix/local[57000]: 94CBF4076C: to=<[email protected]>, relay=local, delay=0.01, delays=0.01/0/0/0, dsn=2.0.0, status=sent (delivered to mailbox) Feb 25 20:55:13 svn postfix/qmgr[56990]: 94CBF4076C: removed
但是,我们已经添加了以下几行
# /etc/postfix/main.cf smtpd_sender_login_maps = hash:/etc/postfix/sender_logins_maps smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch
不要忘记创build地图并重新启动后缀
# postmap /etc/postfix/sender_logins_maps # service postfix restart # cat /etc/postfix/sender_logins_maps [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
用户不能使用任何他想要的
# echo "Hello world" | swaks -s 127.0.0.1 --from [email protected] --to [email protected] --h-Subject "Test" --auth PLAIN --auth-user user1 --auth-password 1234567 --body - === Trying 127.0.0.1:25... === Connected to 127.0.0.1. <- 220 mail.example.net ESMTP Postfix -> EHLO svn.example.net <- 250-mail.example.net <- 250-PIPELINING <- 250-SIZE 10240000 <- 250-VRFY <- 250-ETRN <- 250-AUTH LOGIN PLAIN <- 250-ENHANCEDSTATUSCODES <- 250-8BITMIME <- 250 DSN -> AUTH PLAIN AHVzZXIxADEyMzQ1Njc= <- 235 2.7.0 Authentication successful -> MAIL FROM:<[email protected]> <- 250 2.1.0 Ok -> RCPT TO:<[email protected]> <** 553 5.7.1 <[email protected]>: Sender address rejected: not owned by user user1 -> QUIT <- 221 2.0.0 Bye === Connection closed with remote host.
但是通过上面的设置[email protected]只能在MAIL FROM中使用:[email protected],[email protected]和[email protected]
# echo "Hello world" | swaks -s 127.0.0.1 --from [email protected] --to [email protected] --h-Subject "Test" --auth PLAIN --auth-user [email protected] --auth-password 1234567 --body - === Trying 127.0.0.1:25... === Connected to 127.0.0.1. <- 220 mail.example.net ESMTP Postfix -> EHLO svn.example.net <- 250-mail.example.net <- 250-PIPELINING <- 250-SIZE 10240000 <- 250-VRFY <- 250-ETRN <- 250-AUTH LOGIN PLAIN <- 250-ENHANCEDSTATUSCODES <- 250-8BITMIME <- 250 DSN -> AUTH PLAIN AHVzZXIxQGV4YW1wbGUubmV0ADEyMzQ1Njc= <- 235 2.7.0 Authentication successful -> MAIL FROM:<[email protected]> <- 250 2.1.0 Ok -> RCPT TO:<[email protected]> <- 250 2.1.5 Ok -> DATA <- 354 End data with <CR><LF>.<CR><LF> -> Date: Thu, 25 Feb 2016 23:03:07 +0000 -> To: [email protected] -> From: [email protected] -> Subject: Test -> X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/ -> -> Hello world -> -> -> . <- 250 2.0.0 Ok: queued as 9FE524068A -> QUIT <- 221 2.0.0 Bye === Connection closed with remote host. # grep 9FE524068A /var/log/maillog Feb 25 23:03:07 svn postfix/smtpd[19097]: 9FE524068A: client=localhost[127.0.0.1], sasl_method=PLAIN, [email protected] Feb 25 23:03:07 svn postfix/cleanup[19100]: 9FE524068A: message-id=<[email protected]> Feb 25 23:03:07 svn postfix/qmgr[19092]: 9FE524068A: from=<[email protected]>, size=419, nrcpt=1 (queue active) Feb 25 23:03:07 svn postfix/local[19101]: 9FE524068A: to=<[email protected]>, relay=local, delay=0.01, delays=0.01/0/0/0, dsn=2.0.0, status=sent (delivered to mailbox) Feb 25 23:03:07 svn postfix/qmgr[19092]: 9FE524068A: removed
PS一个小窍门
如果不在/ etc / postfix / sender_logins_maps中为某个特定用户添加任何行,他将收到一封电子邮件,但不会发送。
我似乎无法运行saslauthd。 它说没有find命令。 那是一个单独的工具吗? 编辑:对不起,我打算说testsaslauthd。 既没有工作
这只是一个testing。 所以要快速设置testing环境,我select了sasldb。 因为我没有时间设置和configurationMySQL。 您正在使用MySQL来存储有关用户的所有信息。 而你在这里描述的限制
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_sender_acl.cf proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf
您应该添加mysql_virtual_sender_acl.cf/mysql_virtual_alias_maps.cf(当然没有密码)的内容到问题
有没有一种方法来configurationPostfix允许我从一个特定的域上的任何地址发送一个帐户进行身份validation后?
在/ etc / postfix / sender_logins_maps中,你应该有如下的东西
@example.net [email protected]
修改smtpd_sender_login_maps
smtpd_sender_login_maps = hash:/etc/postfix/sender_logins_maps, proxy:mysql:/etc/postfix/sql/mysql_virtual_sender_acl.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf
文件/ etc / postfix / sender_logins_maps应该只包含一行
@example.net [email protected]
其中@ example.net – “一个特定的域”,[email protected] – “用一个账户进行身份validation”。 它必须是sasl_username!
sasl_method=PLAIN, [email protected]
不要忘记创build地图并重新启动后缀。
看来你已经设置了reject_sender_login_mismatch
您可以使用smtpd_sender_login_maps来configuration允许哪些用户从特定发件人或域发送。
后缀文档在此指出一个示例(请参阅信封发件人地址授权)。
更新1:
这是一个smtpd_sender_login_maps(hashmap)的例子。 这匹配映射时依赖于postfix的查找顺序。 迭代如下
因此,你需要注入一个哈希映射白名单帐户的域这将是
@server.com [email protected]
这只是表示,第二个查找后缀将会做(首先是与[email protected]完全匹配)将会在hashmap上。 重要如果有更多的地图(从评论中获得,有地图在MySQL中),首先击中,一个决定已经(首先匹配),没有第二次查找执行。
为了授予“发送任何@ server.com”权限的帐户[email protected]要么MySQL必须列出它允许的帐户(除了实际帐户)的所有者或MySQL已明确不列出此帐户(以便第二次查找迭代命中hashmap)。
不要忘了在修改内容之后,映射哈希映射(cd到文件的目录并映射文件)