I have a Postfix configuration problem that has been making my head itch for a few days, and I'm reaching out to you to find out what is wrong; please bear with me while I explain my setup.
I have a multi-instance Postfix setup on one server, with each instance bound to its own IP:
Everything works fine for sending email, and for receiving email for the domain unsub.eg.example.com.
However, when email is sent to [email protected] or [email protected], any one of the four instances may handle it, not just the example.com instance. When it is picked by unsub, out1 or out2, a "NOQUEUE: reject: RCPT from: 554 5.7.1: Relay access denied" error is logged by the instance that handled it. If instance 1 happens to pick it up, it is delivered to the mailbox without any problem.
So why are the other instances picking up email that is bound for example.com?
Below is the relevant configuration from main.cf for each instance, which I think might be causing the problem:
smtp.example.com

    queue_directory = /var/spool/postfix-smtp
    command_directory = /usr/sbin
    daemon_directory = /usr/libexec/postfix
    data_directory = /var/lib/postfix-smtp
    mail_owner = postfix
    syslog_name = pfix-smtp
    myhostname = smtp.example.com
    mydomain = example.com
    myorigin = $mydomain
    inet_interfaces = $myhostname
    inet_protocols = ipv4
    mydestination = localhost
    mynetworks_style = host
    relay_domains =
    relayhost =
    home_mailbox = Maildir/
    disable_vrfy_command = yes
    virtual_mailbox_domains = $mydomain
    virtual_mailbox_maps = hash:/etc/postfix/vmailbox
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    smtpd_sasl_security_options = noanonymous
    # parameter name kept as posted; Postfix spells it smtpd_recipient_restrictions (singular)
    smtpd_recipients_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
    smtpd_sender_restrictions = reject_unknown_sender_domain
    smtpd_sasl_local_domain =
    local_recipient_maps = $alias_maps,$virtual_mailbox_maps

unsub.eg.example.com

    queue_directory = /var/spool/postfix-unsub
    command_directory = /usr/sbin
    daemon_directory = /usr/libexec/postfix
    data_directory = /var/lib/postfix-unsub
    mail_owner = postfix
    syslog_name = pfix-unsub
    myhostname = unsub.eg.example.com
    mydomain = unsub.eg.example.com
    myorigin = $mydomain
    inet_interfaces = $myhostname
    inet_protocols = ipv4
    mydestination = localhost
    mynetworks_style = host
    relay_domains =
    relayhost =
    home_mailbox = Maildir/
    disable_vrfy_command = yes
    virtual_mailbox_domains = $myhostname
    virtual_mailbox_maps = hash:/etc/postfix/vmailbox
    virtual_alias_maps = hash:/etc/postfix-unsub/virtual
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    smtpd_sasl_security_options = noanonymous
    # parameter name kept as posted; Postfix spells it smtpd_recipient_restrictions (singular)
    smtpd_recipients_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
    smtpd_sender_restrictions = reject_unknown_sender_domain
    smtpd_sasl_local_domain =
    local_recipient_maps = $alias_maps,$virtual_mailbox_maps

out1.eg.example.com

    queue_directory = /var/spool/postfix-ou1
    command_directory = /usr/sbin
    daemon_directory = /usr/libexec/postfix
    data_directory = /var/lib/postfix-ou1
    mail_owner = postfix
    syslog_name = pfix-out1
    myhostname = out1.eg.example.com
    mydomain = out1.eg.example.com
    myorigin = $mydomain
    inet_interfaces = $myhostname
    inet_protocols = ipv4
    mydestination =
    mynetworks_style = host
    relay_domains =
    relayhost =

out2.eg.example.com

    queue_directory = /var/spool/postfix-ou2
    command_directory = /usr/sbin
    daemon_directory = /usr/libexec/postfix
    data_directory = /var/lib/postfix-ou2
    mail_owner = postfix
    syslog_name = pfix-out2
    myhostname = out2.eg.example.com
    mydomain = out2.eg.example.com
    myorigin = $mydomain
    inet_interfaces = $myhostname
    inet_protocols = ipv4
    mydestination =
    mynetworks_style = host
    relay_domains =
    relayhost =
Note: I also generated self-signed TLS certificates and set up DKIM signing for all instances, but those look fine and I don't think they can be the culprit.
Thanks all!
9/25/2014 log: this is the log from a test where I sent email from an Outlook client:
    Sep 25 06:04:37 bm1 pfix-out2/anvil[11131]: statistics: max connection rate 3/60s for (smtp:XXX.XXX.XXX.42) at Sep 25 06:01:12
    Sep 25 06:04:37 bm1 pfix-out2/anvil[11131]: statistics: max connection count 3 for (smtp:XXX.XXX.XXX.42) at Sep 25 06:01:12
    Sep 25 06:04:37 bm1 pfix-out2/anvil[11131]: statistics: max cache size 1 at Sep 25 06:01:01
    Sep 25 06:05:46 bm1 pfix-out1/anvil[11191]: statistics: max connection rate 3/60s for (smtp:XXX.XXX.XXX.42) at Sep 25 06:02:21
    Sep 25 06:05:46 bm1 pfix-out1/anvil[11191]: statistics: max connection count 3 for (smtp:XXX.XXX.XXX.42) at Sep 25 06:02:21
    Sep 25 06:05:46 bm1 pfix-out1/anvil[11191]: statistics: max cache size 1 at Sep 25 06:02:10
    Sep 25 06:06:11 bm1 pfix-unsub/smtpd[11239]: connect from mail.sender.com[XXX.XXX.XXX.250]
    Sep 25 06:06:11 bm1 pfix-unsub/smtpd[11239]: setting up TLS connection from mail.sender.com[XXX.XXX.XXX.250]
    Sep 25 06:06:11 bm1 pfix-unsub/smtpd[11239]: Anonymous TLS connection established from mail.sender.com[XXX.XXX.XXX.250]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
    Sep 25 06:06:11 bm1 pfix-unsub/smtpd[11239]: NOQUEUE: reject: RCPT from mail.sender.com[XXX.XXX.XXX.250]: 554 5.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<sender.com>
    Sep 25 06:06:11 bm1 pfix-unsub/smtpd[11239]: disconnect from mail.sender.com[XXX.XXX.XXX.250]
    Sep 25 06:07:02 bm1 pfix-smtp/smtpd[11257]: connect from mail.sender.com[XXX.XXX.XXX.250]
    Sep 25 06:07:02 bm1 pfix-smtp/smtpd[11257]: setting up TLS connection from mail.sender.com[XXX.XXX.XXX.250]
    Sep 25 06:07:02 bm1 pfix-smtp/smtpd[11257]: Anonymous TLS connection established from mail.sender.com[XXX.XXX.XXX.250]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
    Sep 25 06:07:02 bm1 pfix-smtp/smtpd[11257]: D91BB3060289: client=mail.sender.com[XXX.XXX.XXX.250]
    Sep 25 06:07:02 bm1 pfix-smtp/cleanup[11260]: D91BB3060289: message-id=<004001cfd886$d01b96c0$7052c440$@[email protected]>
    Sep 25 06:07:02 bm1 opendkim[18460]: D91BB3060289: mail.sender.com [XXX.XXX.XXX.250] not internal
    Sep 25 06:07:02 bm1 opendkim[18460]: D91BB3060289: not authenticated
    Sep 25 06:07:02 bm1 opendkim[18460]: D91BB3060289: no signature data
    Sep 25 06:07:02 bm1 pfix-smtp/qmgr[7018]: D91BB3060289: from=<[email protected]>, size=11502, nrcpt=1 (queue active)
    Sep 25 06:07:02 bm1 pfix-smtp/smtpd[11257]: disconnect from mail.sender.com[XXX.XXX.XXX.250]
    Sep 25 06:07:02 bm1 pfix-smtp/virtual[11261]: D91BB3060289: to=<[email protected]>, relay=virtual, delay=0.09, delays=0.06/0.01/0/0.02, dsn=2.0.0, status=sent (delivered to maildir)
    Sep 25 06:07:02 bm1 pfix-smtp/qmgr[7018]: D91BB3060289: removed
    Sep 25 06:07:46 bm1 pfix-smtp/anvil[11102]: statistics: max connection rate 3/60s for (smtp:XXX.XXX.XXX.42) at Sep 25 06:02:23
    Sep 25 06:07:46 bm1 pfix-smtp/anvil[11102]: statistics: max connection count 3 for (smtp:XXX.XXX.XXX.42) at Sep 25 06:02:23
    Sep 25 06:07:46 bm1 pfix-smtp/anvil[11102]: statistics: max cache size 2 at Sep 25 06:02:12
    Sep 25 06:08:10 bm1 pfix-smtp/smtpd[11257]: connect from mail.sender.com[XXX.XXX.XXX.250]
    Sep 25 06:08:10 bm1 pfix-smtp/smtpd[11257]: setting up TLS connection from mail.sender.com[XXX.XXX.XXX.250]
    Sep 25 06:08:10 bm1 pfix-smtp/smtpd[11257]: Anonymous TLS connection established from mail.sender.com[XXX.XXX.XXX.250]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
    Sep 25 06:08:10 bm1 pfix-smtp/smtpd[11257]: 8FC143060289: client=mail.sender.com[XXX.XXX.XXX.250]
    Sep 25 06:08:10 bm1 pfix-smtp/cleanup[11260]: 8FC143060289: message-id=<004601cfd886$f873f540$e95bdfc0$@[email protected]>
    Sep 25 06:08:10 bm1 opendkim[18460]: 8FC143060289: mail.sender.com [XXX.XXX.XXX.250] not internal
    Sep 25 06:08:10 bm1 opendkim[18460]: 8FC143060289: not authenticated
    Sep 25 06:08:10 bm1 opendkim[18460]: 8FC143060289: no signature data
    Sep 25 06:08:10 bm1 pfix-smtp/qmgr[7018]: 8FC143060289: from=<[email protected]>, size=11431, nrcpt=1 (queue active)
    Sep 25 06:08:10 bm1 pfix-smtp/smtpd[11257]: disconnect from mail.sender.com[XXX.XXX.XXX.250]
    Sep 25 06:08:10 bm1 pfix-smtp/virtual[11261]: 8FC143060289: to=<[email protected]>, relay=virtual, delay=0.05, delays=0.04/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
    Sep 25 06:08:10 bm1 pfix-smtp/qmgr[7018]: 8FC143060289: removed
    Sep 25 06:09:31 bm1 pfix-unsub/anvil[11219]: statistics: max connection rate 3/60s for (smtp:XXX.XXX.XXX.42) at Sep 25 06:03:26
    Sep 25 06:09:31 bm1 pfix-unsub/anvil[11219]: statistics: max connection count 3 for (smtp:XXX.XXX.XXX.42) at Sep 25 06:03:26
    Sep 25 06:09:31 bm1 pfix-unsub/anvil[11219]: statistics: max cache size 1 at Sep 25 06:03:15
    Sep 25 06:10:33 bm1 pfix-out2/smtpd[11289]: warning: dict_nis_init: NIS domain name not set - NIS lookups disabled
    Sep 25 06:10:33 bm1 pfix-out2/smtpd[11289]: connect from mail.sender.com[XXX.XXX.XXX.250]
    Sep 25 06:10:33 bm1 pfix-out2/smtpd[11289]: setting up TLS connection from mail.sender.com[XXX.XXX.XXX.250]
    Sep 25 06:10:33 bm1 pfix-out2/smtpd[11289]: Anonymous TLS connection established from mail.sender.com[XXX.XXX.XXX.250]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
    Sep 25 06:10:33 bm1 pfix-out2/smtpd[11289]: NOQUEUE: reject: RCPT from mail.sender.com[XXX.XXX.XXX.250]: 554 5.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<sender.com>
    Sep 25 06:10:33 bm1 pfix-out2/smtpd[11289]: disconnect from mail.sender.com[XXX.XXX.XXX.250]
Please note the DNS setup:
                       IN MX 10 smtp
                       IN MX 10 unsub.eg
                       IN MX 10 out1.eg
                       IN MX 10 out2.eg
    ;A Records
    example.com.       IN A YYY.YYY.YYY.3
    subdomain1         IN A YYY.YYY.YYY.3
    smtp               IN A XXX.XXX.XXX.123
    unsub.eg           IN A XXX.XXX.XXX.124
    out1.eg            IN A XXX.XXX.XXX.125
    out2.eg            IN A XXX.XXX.XXX.126
    ;SPF TXT RR
    example.com.       IN TXT "v=spf1 mx:smtp.example.com mx:out1.eg.example.com mx:out2.eg.example.com ~all"
    example.com.       IN TXT "spf2.0/pra mx:smtp.example.com mx:out1.eg.example.com mx:out2.eg.example.com ~all"
    ;DKIM TXT RR
    default._domainkey IN TXT "v=DKIM1; k=rsa; p=**key**"
You have listed all of your Postfix instances as MX for the domain, and all with the same weight. That means a sending mail server can pick whichever one it wants.
Since you only want smtp.example.com to handle incoming mail, you should remove all of the MX lines except
    IN MX 10 smtp
Edit in response to the comment: the MX records apply specifically to example.com; they effectively say "if you want to send email to any address ending in @example.com, you can use any of the servers listed as MX."
For unsub.eg.example.com you have an A record. When a sending mail server looks up how to route mail to that address, it first looks for an MX record for unsub.eg.example.com. If it doesn't find one, it looks for an A record. And since an A record for unsub.eg.example.com exists, the message is sent directly to that server. So you don't need an MX record. (If you really do want to use an MX record, you should set it for unsub.eg.example.com, not for example.com!)
As for the SPF records, those are specifically for outgoing traffic. MX is specifically for incoming traffic. It is common, especially for larger domains, to have separate servers for outgoing and incoming traffic. In that case the outbound servers should only be listed in SPF, and the inbound servers should only be listed as MX.
It is possible to set the SPF record to include all of the MXes. But it is also possible to simply list the IP addresses or A records of the servers that are allowed to send mail, regardless of whether those servers are also used as MX. See OpenSPF.org for more on the syntax.
Edit 2: here is a suggestion for a new SPF record:
    ;SPF TXT RR
    example.com.       IN TXT "v=spf1 a:out2.eg.example.com a:out1.eg.example.com ~all"
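The following is an added example, not code from the question or the answer above. It replays, offline, the two decisions the thread turns on: which host a sending MTA picks for a recipient domain (RFC 5321 section 5.1: use the MX records, and only with no MX fall back to the domain's own A record), and whether the Postfix instance bound to that host accepts the recipient under reject_unauth_destination, using the posted zone and the per-instance mydestination/virtual_mailbox_domains/relay_domains settings. It also evaluates the posted and the suggested SPF records with a minimal evaluator that supports only the mechanisms those records use. The IPs keep the post's XXX/YYY masking and are placeholders; the recipient addresses are constructed.

```python
"""Offline replay of MX routing and Postfix relay policy for the thread's setup.
Zone data and instance settings are transcribed from the post; no DNS or Postfix
is contacted. Added example, not the poster's or the answerer's code."""

# Zone as posted. Only example.com has MX records; each instance host has an A record.
ZONE = {
    "example.com": {
        "MX": [(10, "smtp.example.com"), (10, "unsub.eg.example.com"),
               (10, "out1.eg.example.com"), (10, "out2.eg.example.com")],
        "A": ["YYY.YYY.YYY.3"],
    },
    "smtp.example.com":     {"A": ["XXX.XXX.XXX.123"]},
    "unsub.eg.example.com": {"A": ["XXX.XXX.XXX.124"]},
    "out1.eg.example.com":  {"A": ["XXX.XXX.XXX.125"]},
    "out2.eg.example.com":  {"A": ["XXX.XXX.XXX.126"]},
}

# Zone after the answer's fix: example.com keeps a single MX, smtp.
ZONE_FIXED = {name: (dict(rrs, MX=[(10, "smtp.example.com")]) if name == "example.com" else rrs)
              for name, rrs in ZONE.items()}

# Domain classes from each posted main.cf. reject_unauth_destination permits a
# recipient only when its domain is in one of these; relay_domains is empty on all four.
INSTANCES = {
    "smtp.example.com":     {"mydestination": {"localhost"}, "virtual_mailbox_domains": {"example.com"}, "relay_domains": set()},
    "unsub.eg.example.com": {"mydestination": {"localhost"}, "virtual_mailbox_domains": {"unsub.eg.example.com"}, "relay_domains": set()},
    "out1.eg.example.com":  {"mydestination": set(), "virtual_mailbox_domains": set(), "relay_domains": set()},
    "out2.eg.example.com":  {"mydestination": set(), "virtual_mailbox_domains": set(), "relay_domains": set()},
}

SPF_POSTED = "v=spf1 mx:smtp.example.com mx:out1.eg.example.com mx:out2.eg.example.com ~all"
SPF_SUGGESTED = "v=spf1 a:out2.eg.example.com a:out1.eg.example.com ~all"


def mail_hosts(domain, zone):
    """Hosts a sender may deliver to, lowest MX preference first. Equal preferences
    (all 10 in the posted zone) are a tie that the sender breaks however it likes."""
    rrs = zone.get(domain, {})
    if rrs.get("MX"):
        return [host for _, host in sorted(rrs["MX"], key=lambda rr: rr[0])]
    return [domain] if rrs.get("A") else []


def smtpd_verdict(instance, rcpt):
    """What reject_unauth_destination on the given instance answers at RCPT TO."""
    domain = rcpt.rsplit("@", 1)[1].lower()
    cfg = INSTANCES[instance]
    if domain in cfg["mydestination"] | cfg["virtual_mailbox_domains"] | cfg["relay_domains"]:
        return "250 2.1.5 Ok"
    return "554 5.7.1 <%s>: Relay access denied" % rcpt


def delivery_outcomes(rcpt, zone):
    """Every host a sender might pick for rcpt, with the verdict of the instance bound to it."""
    domain = rcpt.rsplit("@", 1)[1].lower()
    return {host: smtpd_verdict(host, rcpt) for host in mail_hosts(domain, zone)}


def spf_check(client_ip, domain, record, zone):
    """Minimal SPF evaluator: a:<host>, mx:<host>, ip4:<addr> and all, with optional
    qualifier. Enough for the two records in the thread, nothing more."""
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:                      # skip "v=spf1"
        qualifier, term = ("+", term) if term[0] not in "+-~?" else (term[0], term[1:])
        mech, _, arg = term.partition(":")
        target = arg or domain
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = client_ip in zone.get(target, {}).get("A", [])
        elif mech == "mx":                               # MX hosts of target, then their A records
            matched = any(client_ip in zone.get(mx, {}).get("A", [])
                          for _, mx in zone.get(target, {}).get("MX", []))
        elif mech == "ip4":
            matched = client_ip == arg
        else:
            raise ValueError("unsupported SPF mechanism: " + mech)
        if matched:
            return results[qualifier]
    return "neutral"                                     # nothing matched and no "all" term


if __name__ == "__main__":
    for label, zone in (("posted zone", ZONE), ("fixed zone", ZONE_FIXED)):
        print(label)
        for host, verdict in delivery_outcomes("user@example.com", zone).items():
            print("  %-22s %s" % (host, verdict))
    print("A-record-only domain:", delivery_outcomes("user@unsub.eg.example.com", ZONE))
    for label, rec in (("posted SPF", SPF_POSTED), ("suggested SPF", SPF_SUGGESTED)):
        print(label, "from out1:", spf_check("XXX.XXX.XXX.125", "example.com", rec, ZONE))
```

With the posted zone, three of the four hosts a sender may pick for user@example.com answer 554 5.7.1 Relay access denied, exactly as the unsub and out2 instances do in the question's log; with the single MX only smtp is ever picked, and unsub.eg.example.com is reached through its A record. The SPF evaluation also shows why the answer's suggested record uses a: rather than mx:: an mx:<host> mechanism looks up the MX records of that host, and none of smtp, out1 or out2 has any, so the posted record never matches and every sender ends in ~all. On the real box the domain classes hardcoded in INSTANCES can be read back from each instance with postconf, for example postconf -c /etc/postfix-unsub mydestination virtual_mailbox_domains relay_domains (the directory is inferred from the posted virtual_alias_maps path).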