I want to prevent spoofing, so I found this Postfix option:
smtpd_sender_login_maps (default: empty) Optional lookup table with the SASL login names that own the sender (MAIL FROM) addresses. ...
Then I found this answer: https://serverfault.com/a/710235/371610 which explains how to use a regular expression so that, in a setup with multiple virtual domains and many users, there is no need to edit the table to add or remove anyone:
/etc/postfix/login_map:
/^(.*)$/ ${1}
/etc/postfix/main.cf:
smtpd_sender_login_maps=pcre:/etc/postfix/login_maps
smtpd_relay_restrictions = permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated, reject_unauth_destination
Same error with:
smtpd_sender_login_maps=pcre:/etc/postfix/login_maps
smtpd_sender_restrictions = reject_unknown_sender_domain, reject_sender_login_mismatch
The problem is that with the regular expression, incoming mail (e.g. from Hotmail or Gmail) is rejected with this error:
NOQUEUE: reject: RCPT from mail-oln040092064102.outbound.protection.outlook.com[40.92.64.102]: 553 5.7.1 [email protected]: Sender address rejected: not logged in; [email protected] [email protected] proto=ESMTP helo=<EUR01-DB5-obe.outbound.protection.outlook.com>
Is there a way to do this without having to write a table that maps every email address to itself:
[email protected] [email protected] [email protected] [email protected] etc...
Or, preferably, use SQL and select the column with the full email address twice? What do you think? I am about to migrate the virtual domains/users to SQL.
EDIT
I have moved reject_sender_login_mismatch as suggested:
smtpd_sender_login_maps=pcre:/etc/postfix/login_maps
smtpd_sender_restrictions = reject_unknown_sender_domain, reject_sender_login_mismatch
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
But I still get the same Sender address rejected: not logged in; error.
This is my configuration:
# postconf -n
alias_database = $alias_maps
alias_maps = hash:/etc/postfix/aliases
broken_sasl_auth_clients = no
command_directory = /usr/bin
compatibility_level = 2
daemon_directory = /usr/lib/postfix/bin
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
home_mailbox = Maildir/
html_directory = no
inet_protocols = ipv4
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
meta_directory = /etc/postfix
milter_default_action = accept
mydestination = localhost
myhostname = mail.domain.com
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
non_smtpd_milters = $smtpd_milters
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix
sample_directory = /etc/postfix
sendmail_path = /usr/bin/sendmail
setgid_group = postdrop
shlib_directory = /usr/lib/postfix
smtp_tls_exclude_ciphers = aNULL:eNULL:MEDIUM:LOW:EXPORT:EXP:3DES:DSS:RC4:SEED:ECDSA:MD5:PSK
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = HIGH
smtp_tls_mandatory_protocols = !SSLv2:!SSLv3:!TLSv1
smtp_tls_protocols = !SSLv2:!SSLv3
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_enforce_tls = yes
smtpd_helo_restrictions = reject_unknown_helo_hostname
smtpd_milters = unix:/run/opendkim/opendkim.sock
smtpd_recipient_limit = 100
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, permit
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noplaintext, noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = hash:/etc/postfix/login_maps
smtpd_sender_restrictions = reject_unknown_sender_domain, reject_sender_login_mismatch
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/domain.com/fullchain.pem
smtpd_tls_eecdh_grade = ultra
smtpd_tls_exclude_ciphers = aNULL:eNULL:MEDIUM:LOW:EXPORT:EXP:3DES:DSS:RC4:SEED:ECDSA:MD5:PSK
smtpd_tls_key_file = /etc/letsencrypt/live/domain/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = HIGH
smtpd_tls_mandatory_protocols = !SSLv2:!SSLv3:!TLSv1
smtpd_tls_protocols = !SSLv2:!SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_use_tls = yes
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom
tls_ssl_options = NO_COMPRESSION
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_gid_maps = static:73
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_domains = domain.com another.com yetanother.com
virtual_mailbox_limit = 0
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_minimum_uid = 50
virtual_uid_maps = static:73
and /etc/postfix/login_maps:
[email protected] [email protected] [email protected] [email protected] etc...
This way it works, no matter where I put reject_sender_login_mismatch. Again, no matter where I put it, if I use the regular expression I get the error. So now that it is inside smtpd_sender_restrictions, shouldn't it only apply to outgoing (virtual domains only) mail and not to incoming mail?
Just because an option sounds right doesn't mean you can use it for that purpose.
The issue isn't the difference between smtpd_relay_restrictions and smtpd_sender_restrictions, it's what the reject_sender_login_mismatch restriction means. External users are not logged in to your server when they send mail to you, so checking for a mismatch makes no sense.
That check is meant to prevent a logged-in user A from changing the envelope address to something other than what smtpd_sender_login_maps allows. It does not prevent spoofing by your own users (for example, by sending a message with a different From: header, A can still appear to everyone as another user B).
Check out "Postfix reject spoofed sender?" for more pointers on this topic.
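Added example (not code from either poster): the behaviour in the question follows directly from how postconf(5) defines the check. reject_sender_login_mismatch rejects a MAIL FROM address that has an owner in smtpd_sender_login_maps when the client did not authenticate at all ("not logged in"), and also when an authenticated client's login is not the owner ("not owned by user"). With the catch-all pattern /^(.*)$/ ${1}, every address on earth has an owner, so every unauthenticated remote server is rejected. Two ways out, both modelled below: restrict the pattern to the domains this server actually hosts (the domains are taken from the question's virtual_mailbox_domains), or use reject_authenticated_sender_login_mismatch, which applies the same ownership test only to clients that logged in. The model reimplements the first-match pcre lookup and the decision rules in Python so the cases can be run offline; the addresses, login names and map contents are constructed for illustration.

```python
import re

# Constructed pcre-style login maps, written as Postfix pcre: tables are
# (pattern, replacement). Domains are the ones listed in the question's
# virtual_mailbox_domains; the addresses used below are made up.

# Map 1: the catch-all table from the question. Every address, including one
# at outlook.com, is mapped to "itself" and therefore has an owner.
CATCH_ALL_MAP = [
    (r"^(.*)$", "${1}"),
]

# Map 2: the same self-mapping idea limited to hosted domains. Addresses in
# foreign domains match nothing, so they have no owner and are left alone.
OWN_DOMAINS_MAP = [
    (r"^(.*@(domain\.com|another\.com|yetanother\.com))$", "${1}"),
]


def lookup_owner(login_map, sender):
    """First-match lookup like a Postfix pcre: table (case-insensitive by
    default). Returns the owner login(s) string, or None when no pattern
    matches, which Postfix treats as "this address has no owner"."""
    for pattern, replacement in login_map:
        m = re.match(pattern, sender, re.IGNORECASE)
        if m:
            # Postfix writes back-references as ${1}; Python's expand() wants \1.
            return m.expand(re.sub(r"\$\{(\d+)\}", r"\\\1", replacement))
    return None


def sender_login_check(restriction, login_map, sender, sasl_user=None):
    """Evaluate one *_sender_login_mismatch restriction for a MAIL FROM.
    sasl_user is None for a client that did not authenticate. Returns "DUNNO"
    (no decision; Postfix moves on to the next restriction) or the 553 reply
    text Postfix would send. Decision rules follow postconf(5)."""
    authenticated = sasl_user is not None
    # The two narrower variants simply skip the other class of client.
    if restriction == "reject_authenticated_sender_login_mismatch" and not authenticated:
        return "DUNNO"
    if restriction == "reject_unauthenticated_sender_login_mismatch" and authenticated:
        return "DUNNO"

    owner = lookup_owner(login_map, sender)
    if not authenticated:
        # Unauthenticated client using an address that somebody owns: this is
        # the rejection the question's Outlook log line shows.
        if owner is not None:
            return f"553 5.7.1 <{sender}>: Sender address rejected: not logged in"
        return "DUNNO"

    # Authenticated client: its login must be one of the owners (a map value may
    # list several, comma or space separated; comparison is case-insensitive).
    # An address with no owner at all is also a mismatch for a logged-in user.
    owners = {o.lower() for o in re.split(r"[,\s]+", owner or "") if o}
    if sasl_user.lower() in owners:
        return "DUNNO"
    return f"553 5.7.1 <{sender}>: Sender address rejected: not owned by user {sasl_user}"


if __name__ == "__main__":
    # Constructed sessions: an outside MTA, a stranger forging a hosted domain,
    # and a hosted user trying to send as a colleague.
    cases = [
        ("reject_sender_login_mismatch", "catch-all", CATCH_ALL_MAP, "someone@outlook.com", None),
        ("reject_sender_login_mismatch", "own-domains", OWN_DOMAINS_MAP, "someone@outlook.com", None),
        ("reject_sender_login_mismatch", "own-domains", OWN_DOMAINS_MAP, "alice@domain.com", None),
        ("reject_sender_login_mismatch", "own-domains", OWN_DOMAINS_MAP, "bob@domain.com", "alice@domain.com"),
        ("reject_authenticated_sender_login_mismatch", "catch-all", CATCH_ALL_MAP, "someone@outlook.com", None),
        ("reject_authenticated_sender_login_mismatch", "catch-all", CATCH_ALL_MAP, "bob@domain.com", "alice@domain.com"),
    ]
    for restriction, name, login_map, sender, user in cases:
        who = user or "(not authenticated)"
        print(f"{restriction:45} {name:11} {sender:22} {who:22} -> "
              f"{sender_login_check(restriction, login_map, sender, user)}")
```

For the SQL migration mentioned in the question, the own-domains map has a direct equivalent: a mysql: (or pgsql:) table for smtpd_sender_login_maps whose query returns the address itself only when it exists as a mailbox, for instance (hypothetical schema) query = SELECT email FROM mailbox WHERE email='%s'; an address that is not yours returns no row and so has no owner. Whichever map is used, the owner value has to match the login name exactly as Postfix sees it, which is visible as sasl_username= in the logged client= line of an authenticated session; check that before relying on the restriction.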