Postfix SMTP: reject unauthenticated users

I have set up a mail server with Postfix, Dovecot, ... The problem is: everyone can connect to my server and send e-mail without authentication. How do I configure Postfix so that all unauthenticated connections are rejected?

My configuration in main.cf is:

    ##
    ## TLS settings
    ###
    tls_ssl_options = NO_COMPRESSION
    tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA

    ### Outgoing SMTP connections (Postfix as sender)
    smtp_tls_security_level = dane
    smtp_dns_support_level = dnssec
    smtp_tls_policy_maps = mysql:/etc/postfix/sql/tls-policy.cf
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtp_tls_protocols = !SSLv2, !SSLv3
    smtp_tls_ciphers = high
    smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
    smtpd_sasl_auth_enable = yes

    ### Incoming SMTP connections
    smtpd_tls_security_level = may
    smtpd_tls_protocols = !SSLv2, !SSLv3
    smtpd_tls_ciphers = high
    smtpd_tls_dh1024_param_file = /etc/myssl/dh2048.pem
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtpd_tls_cert_file=/etc/letsencrypt/live/xxxxx/fullchain.pem
    smtpd_tls_key_file=/etc/letsencrypt/live/xxxxx/privkey.pem

    ##
    ## Milter: DKIM signatures via the OpenDKIM milter
    ## and mail filtering with Amavis (via amavisd-milter)
    ##
    milter_default_action = accept
    milter_protocol = 2
    smtpd_milters = unix:/var/run/amavis/amavisd-milter.sock, unix:/var/run/opendkim/opendkim.sock
    non_smtpd_milters = unix:/var/run/opendkim/opendkim.sock

    ##
    ## Server restrictions for clients, recipients and relaying
    ## (for server-to-server connections; mail client connections are
    ## configured in the submission section of master.cf)
    ##

    ## Sender
    smtpd_sender_restrictions = permit_sasl_authenticated

    ### Conditions under which Postfix acts as a relay (for clients)
    smtpd_relay_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain permit_mynetworks reject_unauth_destination

    ### check_recipient_access checks whether an account is send-only
    smtpd_recipient_restrictions = permit_sasl_authenticated,
    #reject_unauth_destination,
        check_recipient_access mysql:/etc/postfix/sql/recipient-access.cf

    ### Conditions SMTP clients (sending servers) must meet
    smtpd_client_restrictions = permit_mynetworks check_client_access hash:/etc/postfix/without_ptr reject_unknown_client_hostname

    # Block clients that try to send too early
    smtpd_data_restrictions = reject_unauth_pipelining

The mail client configuration in master.cf:

    ###
    ### Postscreen service: checks incoming SMTP connections for spam servers
    ###
    smtp       inet  n       -       n       -       1       postscreen
      -o smtpd_sasl_auth_enable=no
    ###
    ### manual from me (viet)
    ###
    #smtps     inet  n       -       n       -       -       smtpd
    #  -o smtpd_sasl_auth_enable=yes
    ###
    ### SMTP daemon behind postscreen: passes e-mails through Amavis for filtering
    ###
    smtpd      pass  n       -       n       -       -       smtpd
      -o smtpd_sasl_auth_enable=no
    ###
    ### dnsblog performs DNS lookups for blocklists
    ###
    dnsblog    unix  -       -       n       -       0       dnsblog
    ###
    ### tlsproxy gives postscreen TLS support
    ###
    tlsproxy   unix  -       -       n       -       0       tlsproxy
    ###
    ### Submission access for clients: mail clients are subject to different rules
    ### than other mail servers (see smtpd_ in main.cf)
    ###
    submission inet  n       -       n       -       -       smtpd
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_sasl_type=dovecot
      -o smtpd_sasl_path=private/auth
      -o smtpd_sasl_security_options=noanonymous
      -o smtpd_relay_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
      -o smtpd_sender_login_maps=mysql:/etc/postfix/sql/sender-login-maps.cf
      -o smtpd_sender_restrictions=permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject
      -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
      -o smtpd_helo_required=no
      -o smtpd_helo_restrictions=
      -o milter_macro_daemon_name=ORIGINATING
      -o cleanup_service_name=submission-header-cleanup

In Dovecot I have configured an authentication service:

    service auth {
      ### Auth socket for Postfix
      unix_listener /var/spool/postfix/private/auth {
        mode = 0660
        user = postfix
        group = postfix
      }
      ### Auth socket for the LMTP service
      unix_listener auth-userdb {
        mode = 0660
        user = vmail
        group = vmail
      }
    }

The log when mail is sent without authentication looks like this:

    Aug 23 11:25:15 mail postfix/postscreen[4014]: CONNECT from [xx.xxx.xxx.xxx]:xxxx to [xxxx]:25
    Aug 23 11:25:15 mail postfix/postscreen[4014]: WHITELISTED [xxxx]:xxxx
    Aug 23 11:25:15 mail postfix/postscreen[4014]: warning: cannot connect to service private/smtpd: Connection refused
    Aug 23 11:34:36 mail postfix/submission/smtpd[4100]: connect from gate.xxxxx.xxxx.de[xxxx]
    Aug 23 11:34:36 mail postfix/submission/smtpd[4100]: 5A60B400CF: client=gate.xxxxx.xxxx.de[xxxx]
    Aug 23 11:34:36 mail postfix/cleanup[4103]: 5A60B400CF: message-id=<abcb10b6-96b1-06e9-0e25-2c477a9631ae@mydomain>
    Aug 23 11:34:36 mail amavis[3384]: (03384-02) Passed CLEAN {AcceptedOutbound}, AM.PDP-SOCK/ORIGINATING LOCAL [x.xx.xx] [xxxx] <myemail@mydomain> -> <receicer@email>, Queue-ID: 5A60B400CF, Message-ID: <[email protected]>, mail_id: 8qu_TyPN6ZBY, Hits: -, size: 516, 16 ms
    Aug 23 11:34:36 mail opendkim[2794]: 5A60B400CF: gate.xxxxx.xxxx.de [xxxx] not internal
    Aug 23 11:34:36 mail opendkim[2794]: 5A60B400CF: not authenticated
    Aug 23 11:34:36 mail postfix/qmgr[3371]: 5A60B400CF: from=<myemail@mydomain>, size=357, nrcpt=1 (queue active)
    Aug 23 11:34:36 mail postfix/submission/smtpd[4100]: disconnect from gate.xxxxx.xxxx.de[xxxx] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
    Aug 23 11:34:37 mail postfix/smtp[4105]: 5A60B400CF: to=<myemail@mydomain>, relay=receiver.server[xxxx]:25, delay=1.1, delays=0.16/0.03/0.36/0.54, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10035): 250 2.0.0 Ok: queued as 56FEC80008E)
    Aug 23 11:34:37 mail postfix/qmgr[3371]: 5A60B400CF: removed

UPDATE

It works now when I remove -o smtpd_sender_restrictions; permit_mynetworks is not only for localhost.

When I run postconf -d | grep mynetworks I get:

 mynetworks = 127.0.0.0/8 172.31.16.0/20 [::1]/128 [fe80::]/64 
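The following Python model is an added illustration and is not part of the original question or answer. It walks a Postfix restriction list with Postfix's first-match semantics, using the mynetworks value printed above and the smtpd_sender_restrictions of the submission service from the master.cf in the question, to show why an unauthenticated host inside 172.31.16.0/20 is permitted before the list ever reaches "reject". The client addresses, the sender-login map and the authentication states are constructed; the second mynetworks value (loopback only, as mynetworks_style=host would produce) is an assumption; reject_non_fqdn_sender and reject_sender_login_mismatch are simplified models of the real checks.

```python
import ipaddress
from dataclasses import dataclass

# Value printed by "postconf -d | grep mynetworks" in the question.
MYNETWORKS_SUBNET = "127.0.0.0/8 172.31.16.0/20 [::1]/128 [fe80::]/64"
# Assumed alternative: only loopback trusted (what mynetworks_style=host yields).
MYNETWORKS_HOST = "127.0.0.0/8 [::1]/128"

# smtpd_sender_restrictions of the submission service in the question's master.cf.
SUBMISSION_SENDER_RESTRICTIONS = [
    "permit_mynetworks",
    "reject_non_fqdn_sender",
    "reject_sender_login_mismatch",
    "permit_sasl_authenticated",
    "reject",
]

# Constructed smtpd_sender_login_maps: MAIL FROM address -> SASL logins that own it.
SENDER_LOGIN_MAPS = {
    "alice@example.org": {"alice@example.org"},
    "bob@example.org": {"bob@example.org"},
}


def parse_mynetworks(value):
    """Turn a Postfix mynetworks value into ip_network objects.
    Postfix writes IPv6 networks as [addr]/len; strip the brackets."""
    nets = []
    for item in value.split():
        if item.startswith("["):
            addr, _, plen = item.partition("]/")
            item = f"{addr[1:]}/{plen}"
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets


@dataclass
class Session:
    client_ip: str
    sasl_username: str = ""   # empty string = not SASL-authenticated
    sender: str = ""          # MAIL FROM address ("" for the null sender)

    @property
    def authenticated(self):
        return bool(self.sasl_username)


def evaluate(restrictions, session, mynetworks=MYNETWORKS_SUBNET,
             login_maps=SENDER_LOGIN_MAPS):
    """Evaluate a restriction list in order; the first permit_*/reject that
    matches decides, exactly as Postfix does. Returns (action, matching rule)."""
    nets = parse_mynetworks(mynetworks)
    ip = ipaddress.ip_address(session.client_ip)
    for rule in restrictions:
        if rule == "permit_mynetworks":
            if any(ip in net for net in nets):      # IPv4 addr is never in an IPv6 net
                return "PERMIT", rule
        elif rule == "permit_sasl_authenticated":
            if session.authenticated:
                return "PERMIT", rule
        elif rule == "reject_non_fqdn_sender":
            domain = session.sender.rpartition("@")[2]
            if session.sender and "." not in domain:
                return "REJECT", rule
        elif rule == "reject_sender_login_mismatch":
            owners = login_maps.get(session.sender)
            if owners is not None and session.sasl_username not in owners:
                return "REJECT", rule   # address has an owner and the client is not it
            if owners is None and session.authenticated:
                return "REJECT", rule   # logged in, but owns no such address
        elif rule == "reject":
            return "REJECT", rule
        else:
            raise ValueError(f"restriction not modelled here: {rule}")
    return "DUNNO", None    # list exhausted without a decision


def demo():
    """Four constructed sessions against the submission sender restrictions."""
    stranger = Session("172.31.20.5", sender="anyone@example.net")  # unauthenticated, inside the /20
    alice = Session("203.0.113.7", sasl_username="alice@example.org", sender="alice@example.org")
    imposter = Session("203.0.113.7", sasl_username="alice@example.org", sender="bob@example.org")
    return {
        "stranger_subnet": evaluate(SUBMISSION_SENDER_RESTRICTIONS, stranger),
        "stranger_host": evaluate(SUBMISSION_SENDER_RESTRICTIONS, stranger, MYNETWORKS_HOST),
        "alice": evaluate(SUBMISSION_SENDER_RESTRICTIONS, alice),
        "imposter": evaluate(SUBMISSION_SENDER_RESTRICTIONS, imposter),
    }


if __name__ == "__main__":
    for name, (action, rule) in demo().items():
        print(f"{name:16} -> {action} ({rule})")
```

The "stranger_subnet" case is the situation in the question: because 172.31.20.5 lies inside 172.31.16.0/20, permit_mynetworks fires first and the unauthenticated client is accepted; with mynetworks narrowed to loopback the same client falls through to the final "reject". The "imposter" case shows that reject_sender_login_mismatch still catches an authenticated user sending as an address owned by someone else.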

The problem is that you have not yet configured the user backend for Postfix's SASL authentication.

 smtpd_sasl_type = dovecot 

This tells Postfix to use Dovecot for user authentication.

In Dovecot you have to enable a new service listener for Postfix:

 # vim /etc/dovecot/conf.d/10-master.conf 

and add the following:

    service auth {
      unix_listener /var/spool/postfix/private/auth {
        group = postfix
        mode = 0660
        user = postfix
      }
    }

Restart both services and test it.