如何防止我的(经过身份validation的)用户使用错误或彻底伪造的电子邮件地址发送电子邮件?
我的邮件服务是后缀,我已经设置发件人和收件人的限制,如reject_unlisted account或reject non fqdn domains或主机名,但没有工作!
我怎样才能解决这个问题在我的企业邮件服务?
readme_directory = /usr/share/doc/postfix-2.11.5/README_FILES virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual virtual_mailbox_maps = , hash:/var/spool/postfix/plesk/vmailbox transport_maps = , hash:/var/spool/postfix/plesk/transport smtpd_tls_cert_file = /etc/postfix/postfix_default.pem smtpd_tls_key_file = $smtpd_tls_cert_file smtpd_tls_security_level = may smtpd_use_tls = yes smtp_tls_security_level = may smtp_use_tls = no smtpd_timeout = 3600s smtpd_proxy_timeout = 3600s disable_vrfy_command = yes mynetworks = , hash:/var/spool/postfix/plesk-pop/poplock smtpd_sender_restrictions = reject_unknown_sender_domain,reject_unauthenticated_sender_login_mismatch,reject_known_sender_login_mismatch,hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated, check_client_access, pcre:/var/spool/postfix/plesk/non_auth.re, check_sender_access hash:/var/spool/postfix/plesk/blacklists smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated smtp_send_xforward_command = yes smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128 smtpd_sasl_auth_enable = yes smtpd_relay_restrictions =permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination, reject_unlisted_sender smtpd_recipient_restrictions = reject_unknown_sender_domain,reject_non_fqdn_sender,permit_mynetworks,permit_sasl_authenticated, reject_unauth_destination, reject_unauth_destination, defer_unauth_destination,reject_unverified_recipient,reject_unknown_recipient_domain virtual_mailbox_base = /var/qmail/mailnames virtual_uid_maps = static:30 virtual_gid_maps = static:31 smtpd_milters = , inet:127.0.0.1:12768 non_smtpd_milters = sender_dependent_default_transport_maps = hash:/var/spool/postfix/plesk/sdd_transport_maps virtual_transport = plesk_virtual plesk_virtual_destination_recipient_limit = 1 mailman_destination_recipient_limit = 1 mailbox_size_limit = 0 virtual_mailbox_limit = 0 myhostname = host.com smtpd_tls_mandatory_protocols = TLSv1 TLSv1.1 TLSv1.2 smtpd_tls_protocols = TLSv1 TLSv1.1 TLSv1.2 smtpd_tls_ciphers = medium smtpd_tls_mandatory_ciphers = medium tls_medium_cipherlist = HIGH:!aNULL:!MD5 message_size_limit = 102400000 smtpd_sasl_authenticated_header = yes disable_vrfy_command = yes smtpd_sasl_auth_enable = yes broken_sasl_auth_clients = no smtpd_sasl_security_options = noanonymous
当我格式化smtpd_sender_restrictions ,使它变得更可读:
smtpd_sender_restrictions = reject_unknown_sender_domain, reject_unauthenticated_sender_login_mismatch, reject_known_sender_login_mismatch, hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated, check_client_access, pcre:/var/spool/postfix/plesk/non_auth.re, check_sender_access hash:/var/spool/postfix/plesk/blacklists
您会看到reject_unauthenticated_sender_login_mismatch选项。 该设置仅强制执行reject_sender_login_mismatch限制(强制已authentication的发件人正在使用特定的MAIL FROM地址),但仅限于未经身份validation的客户端 。 当你进行身份validation时,你仍然可以使用你想要的任何FROM地址。
对于经过身份validation的客户端,下一个选项将变为相关: reject_known_sender_login_mismatch
该选项适用于reject_sender_login_mismatch但仅适用于reject_sender_login_mismatch 中已知的smtpd_sender_login_maps 。
您的configuration没有提及smtpd_sender_login_maps这样有效的限制不适用于任何用户/电子邮件地址。
解决scheme,要应用reject_sender_login_mismatch来强制已validation的发件人正在使用特定的MAIL FROM地址,则需要使用拥有发件人(MAIL FROM)地址的SASLlogin名设置smtpd_sender_login_maps ,以用于所有用户和电子邮件地址正在使用中。
查看更多的这个问答 。