Email server with no SMTP connections
Ubuntu 18.04 on Google Compute, Dovecot + Postfix
I think I should be able to connect on ports other than 465/587, and since I can relay all email through Google, this approach should be fine for an email server. Google also says they have a setting that allows connections to 465/587, so I shouldn't have any problems.
When I try to telnet to the 2 ports I have Postfix listening on (5001 and 8080, 8080 is just for testing), this is what I get in tcpdump:
21:42:02.843771 IP h***-***-***-***.wtfrwi.dsl.dynamic.tds.net.46208 > mailserv1.c.enterprise-210914.internal.urd: Flags [S], seq 1961371525, win 29200, options [mss 1460,sackOK,TS val 240062507 ecr 0,nop,wscale 7], length 0
21:42:02.843831 IP mailserv1.c.enterprise-210914.internal.urd > h***.***.***.***.wtfrwi.dsl.dynamic.tds.net.46208: Flags [R.], seq 0, ack 1961371526, win 0, length 0
mail.log shows no SMTP connection on either port.
The server can send mail just fine; the problem is other applications connecting to this server to send mail through the relay.
master.cf
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
#587       inet  n       -       y       -       -       smtpd
8080       inet  n       -       y       -       -       smtpd
#smtps     inet  n       -       n       -       -       smtpd
5001       inet  n       -       n       -       -       smtpd
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
#submission inet n       -       y       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       n       -       -       smtpd
5001       inet  n       -       n       -       -       smtpd
#  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       y       -       -       qmqpd
pickup     unix  n       -       y       60      1       pickup
cleanup    unix  n       -       y       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
#qmgr      unix  n       -       n       300     1       oqmgr
tlsmgr     unix  -       -       y       1000?   1       tlsmgr
rewrite    unix  -       -       y       -       -       trivial-rewrite
bounce     unix  -       -       y       -       0       bounce
defer      unix  -       -       y       -       0       bounce
trace      unix  -       -       y       -       0       bounce
verify     unix  -       -       y       -       1       verify
flush      unix  n       -       y       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       y       -       -       smtp
relay      unix  -       -       y       -       -       smtp
        -o syslog_name=postfix/$service_name
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq      unix  n       -       y       -       -       showq
error      unix  -       -       y       -       -       error
retry      unix  -       -       y       -       -       error
discard    unix  -       -       y       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       y       -       -       lmtp
anvil      unix  -       -       y       -       1       anvil
scache     unix  -       -       y       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp       unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail     unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp      unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman    unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = webserver.com
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
#smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
#smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
#smtpd_use_tls=yes
#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

### https://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/
### Guide for below
smtpd_tls_cert_file=/etc/letsencrypt/live/webserver.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/webserver.com/privkey.pem
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtp_tls_security_level = may
smtp_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = webserver.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost
relayhost = [smtp-relay.gmail.com]:587
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4

# Force ehlo behavior
smtp_always_send_ehlo = yes
smtp_helo_name = webserver.com

virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
local_recipient_maps = $virtual_mailbox_maps
inet_interfaces was set to loopback-only; changing it to all allowed me to telnet to the port remotely with a successful connection. Now trying to connect to my server on that port times out.
Output of ss -l
udp   UNCONN  37632  0        127.0.0.53%lo:domain    0.0.0.0:*
udp   UNCONN  0      0       10.128.0.2%ens4:bootpc   0.0.0.0:*
udp   UNCONN  0      0            127.0.0.1:323       0.0.0.0:*
udp   UNCONN  0      0                [::1]:323          [::]:*
tcp   LISTEN  0      128            0.0.0.0:ssh       0.0.0.0:*
tcp   LISTEN  0      100            0.0.0.0:imaps     0.0.0.0:*
tcp   LISTEN  0      128          127.0.0.1:5572      0.0.0.0:*
tcp   LISTEN  0      100          127.0.0.1:smtp      0.0.0.0:*
tcp   LISTEN  0      80           127.0.0.1:mysql     0.0.0.0:*
tcp   LISTEN  0      100          127.0.0.1:http-alt  0.0.0.0:*
tcp   LISTEN  0      128       127.0.0.53%lo:domain   0.0.0.0:*
tcp   LISTEN  0      128               [::]:ssh          [::]:*
tcp   LISTEN  0      128                  *:https           *:*
tcp   LISTEN  0      100               [::]:imaps        [::]:*
tcp   LISTEN  0      128                  *:http            *:*
netstat -lpn -A inet
root@mail:~# netstat -lpn -A inet
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1060/sshd
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      573/dovecot
tcp        0      0 127.0.0.1:5572          0.0.0.0:*               LISTEN      623/rclone
tcp        0      0 127.0.0.1:5001          0.0.0.0:*               LISTEN      954/master
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      703/mysqld
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      954/master
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      424/systemd-resolve
udp    40704      0 127.0.0.53:53           0.0.0.0:*                           424/systemd-resolve
udp        0      0 10.128.0.2:68           0.0.0.0:*                           405/systemd-network
udp        0      0 127.0.0.1:323           0.0.0.0:*                           628/chronyd
iptables
root@mail:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
sshguard   all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain sshguard (1 references)
target     prot opt source               destination
UFW is not installed.
I was also able to run "telnet localhost 8080 or 5001" and connect, which originally made me think this was a firewall issue. But since I see tcpdump receiving packets from the outside world during my telnet or nmap tests, I don't think the firewall is the problem.
Although this is a Google VPC network firewall, I do have rules allowing 465, 587, 5001 and 8080 for both tcp and udp. I can confirm the rule affects the instance by going into that specific firewall rule and seeing which instances it applies to. This is done using the smtp tag as a reference. The firewall rule is as follows:
allow-smtp
Description: smtp ports
Network: default
Priority: 1000
Direction: Ingress
Action on match: Allow
Targets: Target tags
  smtp
Source filters: IP ranges
  0.0.0.0/0
Protocols and ports: tcp:587 udp:587 tcp:465 udp:465 tcp:5001 udp:5001 tcp:8080 udp:8080
Enforcement: Enabled
Applicable to instances:
  Name       Internal IP  Tags                        Service accounts  Project  Network details
  mailserv1  10.128.0.2   http-server, https-server,
Any help would be appreciated. Seeing the packets come in tells me the port is open, even though telnet and nmap say it is blocked.
It seems the ACK packet can't get back, in which case I think a static route may be needed, although I haven't had any success with that. Thanks for any help.
EDIT
Changing "inet_interfaces" to all allowed me to telnet in from the outside world and verify that the port is open.
Now when connecting to my server via Outlook I get an SSL_accept error.
EDIT 2
The last problem was just due to using the Auto security type instead of SSL/TLS. This is resolved.
Your listeners are only listening for connections from localhost.
tcp        0      0 127.0.0.1:5001          0.0.0.0:*               LISTEN      954/master
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      954/master
This is because Postfix has been explicitly configured to listen for local connections only.
inet_interfaces = loopback-only
To fix this, tell Postfix to accept external connections.
inet_interfaces = all
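A worked version of the check behind that answer, added here as an example and not code from the question or the answer: it reads `netstat -lpn` output for sockets bound on 127.0.0.1 and nowhere else, and reads a tcpdump SYN exchange to separate the three states the poster was conflating. A SYN answered with RST, as in the capture above, means the packet reached the host's TCP stack and no socket was bound on that address and port, so the VPC firewall was never the problem; a SYN with no answer at all is what a filtering firewall looks like; a SYN-ACK means TCP is fine and any remaining failure (such as the later SSL_accept error) sits above it. The netstat and tcpdump text is constructed after the output in the post (ports, program names and the server hostname come from it; `client.example` stands in for the anonymised client hostname), and the function names are this example's own.

```python
"""Tell "nothing bound on that address" apart from "filtered upstream" by
correlating listening sockets with a tcpdump SYN exchange.

Added example, not code from the question or the answer. NETSTAT_SAMPLE and
TCPDUMP_REFUSED are constructed after the post's output; "client.example"
stands in for the anonymised client. Helper names are this example's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of `netstat -lpn -A inet`, TCP listeners only.
NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1060/sshd
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      573/dovecot
tcp        0      0 127.0.0.1:5001          0.0.0.0:*               LISTEN      954/master
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      954/master
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      424/systemd-resolve
"""

# Constructed sample of the SYN -> RST pair from the post, one packet per line.
TCPDUMP_REFUSED = """\
21:42:02.843771 IP client.example.46208 > mailserv1.c.enterprise-210914.internal.5001: Flags [S], seq 1961371525, win 29200, options [mss 1460,sackOK,TS val 240062507 ecr 0,nop,wscale 7], length 0
21:42:02.843831 IP mailserv1.c.enterprise-210914.internal.5001 > client.example.46208: Flags [R.], seq 0, ack 1961371526, win 0, length 0
"""

LISTEN_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTEN\s+(?P<prog>\S+)")
PACKET_RE = re.compile(r"^\S+ IP6? (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]")
WILDCARDS = {"0.0.0.0", "::", "*"}


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    program: str

    def accepts_external(self) -> bool:
        """True unless the socket is bound to a loopback address."""
        return self.addr in WILDCARDS or not self.addr.startswith("127.")


def parse_listeners(netstat_text: str) -> list[Listener]:
    return [Listener(m["addr"], int(m["port"]), m["prog"])
            for m in map(LISTEN_RE.match, netstat_text.splitlines()) if m]


def loopback_only_ports(netstat_text: str) -> dict[int, str]:
    """Ports bound on 127.x and on no other address -> owning program."""
    listeners = parse_listeners(netstat_text)
    external = {l.port for l in listeners if l.accepts_external()}
    return {l.port: l.program for l in listeners
            if not l.accepts_external() and l.port not in external}


def classify_handshake(capture: str) -> str:
    """Classify the first SYN in a tcpdump capture by the reply it drew.

    accepted : SYN-ACK came back, a listener is bound and reachable.
    refused  : RST came back, the host was reached but no socket is bound on
               that address:port (or an iptables REJECT rule fired).
    no-reply : nothing came back, the SYN was dropped before the socket.
    """
    packets = [m.groupdict() for m in map(PACKET_RE.match, capture.splitlines()) if m]
    syn = next((p for p in packets if p["flags"] == "S"), None)
    if syn is None:
        raise ValueError("no SYN in capture")
    for p in packets:
        if p["src"] == syn["dst"] and p["dst"] == syn["src"]:
            flags = set(p["flags"])
            if {"S", "."} <= flags:
                return "accepted"
            if "R" in flags:
                return "refused"
    return "no-reply"


def diagnose(netstat_text: str, capture: str, port: int) -> dict[str, str]:
    """Combine both views into a cause and the check or fix to apply next."""
    verdict = classify_handshake(capture)
    lo_only = loopback_only_ports(netstat_text)
    bound = {l.port for l in parse_listeners(netstat_text)}
    if verdict == "refused" and port in lo_only:
        cause, fix = "loopback-only", (
            f"{lo_only[port]} listens on 127.0.0.1:{port} only; for Postfix set "
            "inet_interfaces = all, then 'postfix stop && postfix start'")
    elif verdict == "refused" and port not in bound:
        cause, fix = "not-listening", f"no socket on port {port}; check master.cf and the daemon's log"
    elif verdict == "refused":
        cause, fix = "rejected", "a wildcard listener exists; look for a REJECT rule in iptables/nftables"
    elif verdict == "no-reply":
        cause, fix = "filtered", "SYN unanswered; check the VPC firewall and host DROP rules"
    else:
        cause, fix = "ok", "TCP completes; a failure here is above TCP (TLS, SASL, banner)"
    return {"verdict": verdict, "cause": cause, "fix": fix}


if __name__ == "__main__":
    print(diagnose(NETSTAT_SAMPLE, TCPDUMP_REFUSED, 5001))
```

Against a live box, feed it the output of `netstat -lpn -A inet` (or `ss -ltnp`) and a `tcpdump -n 'tcp port 5001'` capture taken while a remote client connects; `postconf inet_interfaces` is the quicker check for the Postfix case. Two caveats the answer leaves implicit: the Postfix documentation for inet_interfaces says this parameter needs a full `postfix stop` / `postfix start`, not just `postfix reload`, because master(8) opens its listening sockets only at startup, and `inet_interfaces = all` also exposes every smtpd service in master.cf, so the 8080 test listener (which has no SASL or TLS options set) should be removed or restricted once the real port works.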