Email
沒有 smtp 連接的電子郵件伺服器
Google Compute Dovecot + postfix 上的 Ubuntu 18.04
我認為我應該能夠連接到 465/587 以外的埠,並且由於我可以通過 google 中繼所有電子郵件,因此這種方法對於電子郵件伺服器應該沒有問題。Google還說他們設置了一個允許連接到 465/587 的設置,所以我應該沒有任何問題
當我嘗試 telnet 到 2 個埠時,我有 postfix 監聽(5001 和 8080,8080 僅用於測試)這就是我在 tcpdump 中得到的
21:42:02.843771 IP h***-***-***-***.wtfrwi.dsl.dynamic.tds.net.46208 > mailserv1.c.enterprise-210914.internal.urd: Flags [S], seq 1961371525, win 29200, options [mss 1460,sackOK,TS val 240062507 ecr 0,nop,wscale 7], length 0 21:42:02.843831 IP mailserv1.c.enterprise-210914.internal.urd > h***.***.***.***.wtfrwi.dsl.dynamic.tds.net.46208: Flags [R.], seq 0, ack 1961371526, win 0, length 0mail.log 沒有顯示任何一個埠上的 smtp 連接
伺服器可以發送郵件就好了,只是其他應用程序連接到這個伺服器通過中繼發送郵件
master.cf
# # Postfix master process configuration file. For details on the format # of the file, see the master(5) manual page (command: "man 5 master" or # on-line: http://www.postfix.org/master.5.html). # # Do not forget to execute "postfix reload" after editing this file. # # ========================================================================== # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (no) (never) (100) # ========================================================================== #587 inet n - y - - smtpd 8080 inet n - y - - smtpd #smtps inet n - n - - smtpd 5001 inet n - n - - smtpd #smtp inet n - y - 1 postscreen #smtpd pass - - y - - smtpd #dnsblog unix - - y - 0 dnsblog #tlsproxy unix - - y - 0 tlsproxy #submission inet n - y - - smtpd # -o syslog_name=postfix/submission # -o smtpd_tls_security_level=encrypt # -o smtpd_sasl_auth_enable=yes # -o smtpd_tls_auth_only=yes # -o smtpd_reject_unlisted_recipient=no # -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions # -o smtpd_recipient_restrictions= # -o smtpd_relay_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING #smtps inet n - n - - smtpd 5001 inet n - n - - smtpd # -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes # -o smtpd_reject_unlisted_recipient=no -o smtpd_client_restrictions=permit_sasl_authenticated,reject # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions # -o smtpd_recipient_restrictions= # -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING #628 inet n - y - - qmqpd pickup unix n - y 60 1 pickup cleanup unix n - y - 0 cleanup qmgr unix n - n 300 1 qmgr #qmgr unix n - n 300 1 oqmgr tlsmgr unix - - y 1000? 1 tlsmgr rewrite unix - - y - - trivial-rewrite bounce unix - - y - 0 bounce defer unix - - y - 0 bounce trace unix - - y - 0 bounce verify unix - - y - 1 verify flush unix n - y 1000? 0 flush proxymap unix - - n - - proxymap proxywrite unix - - n - 1 proxymap smtp unix - - y - - smtp relay unix - - y - - smtp -o syslog_name=postfix/$service_name # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 showq unix n - y - - showq error unix - - y - - error retry unix - - y - - error discard unix - - y - - discard local unix - n n - - local virtual unix - n n - - virtual lmtp unix - - y - - lmtp anvil unix - - y - 1 anvil scache unix - - y - 1 scache # # ==================================================================== # Interfaces to non-Postfix software. Be sure to examine the manual # pages of the non-Postfix software to find out what options it wants. # # Many of the following services use the Postfix pipe(8) delivery # agent. See the pipe(8) man page for information about ${recipient} # and other message envelope options. # ==================================================================== # # maildrop. See the Postfix MAILDROP_README file for details. # Also specify in main.cf: maildrop_destination_recipient_limit=1 # maildrop unix - n n - - pipe flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} # # ==================================================================== # # Recent Cyrus versions can use the existing "lmtp" master.cf entry. # # Specify in cyrus.conf: # lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 # # Specify in main.cf one or more of the following: # mailbox_transport = lmtp:inet:localhost # virtual_transport = lmtp:inet:localhost # # ==================================================================== # # Cyrus 2.1.5 (Amos Gouaux) # Also specify in main.cf: cyrus_destination_recipient_limit=1 # #cyrus unix - n n - - pipe # user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} # # ==================================================================== # Old example of delivery via Cyrus. # #old-cyrus unix - n n - - pipe # flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} # # ==================================================================== # # See the Postfix UUCP_README file for configuration details. # uucp unix - n n - - pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) # # Other external delivery methods. # ifmail unix - n n - - pipe flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) bsmtp unix - n n - - pipe flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient scalemail-backend unix - n n - 2 pipe flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} mailman unix - n n - - pipe flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version # Debian specific: Specifying a file name will cause the first # line of that file to be used as the name. The Debian default # is /etc/mailname. #myorigin = /etc/mailname smtpd_banner = webserver.com biff = no # appending .domain is the MUA's job. append_dot_mydomain = no # Uncomment the next line to generate "delayed mail" warnings #delay_warning_time = 4h readme_directory = no # See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on # fresh installs. compatibility_level = 2 # TLS parameters #smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem #smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key #smtpd_use_tls=yes #smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache #smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache ### https://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/ ### Guide for below smtpd_tls_cert_file=/etc/letsencrypt/live/webserver.com/fullchain.pem smtpd_tls_key_file=/etc/letsencrypt/live/webserver.com/privkey.pem smtpd_use_tls=yes smtpd_tls_auth_only = yes smtp_tls_security_level = may smtp_tls_loglevel = 2 smtpd_tls_received_header = yes smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth smtpd_sasl_auth_enable = yes smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for # information on enabling SSL in the smtp client. smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination myhostname = webserver.com alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases myorigin = /etc/mailname mydestination = localhost relayhost = [smtp-relay.gmail.com]:587 mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 mailbox_size_limit = 0 recipient_delimiter = + inet_interfaces = all inet_protocols = ipv4 # Force ehlo behavior smtp_always_send_ehlo = yes smtp_helo_name = webserver.com virtual_transport = lmtp:unix:private/dovecot-lmtp virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf local_recipient_maps = $virtual_mailbox_mapsinet_interfaces 設置為僅環回,將其更改為 all 允許我通過成功連接遠端登錄到埠。現在嘗試在該埠上連接到我的伺服器超時。
ss -l 的輸出
udp UNCONN 37632 0 127.0.0.53%lo:domain 0.0.0.0:* udp UNCONN 0 0 10.128.0.2%ens4:bootpc 0.0.0.0:* udp UNCONN 0 0 127.0.0.1:323 0.0.0.0:* udp UNCONN 0 0 [::1]:323 [::]:* tcp LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:* tcp LISTEN 0 100 0.0.0.0:imaps 0.0.0.0:* tcp LISTEN 0 128 127.0.0.1:5572 0.0.0.0:* tcp LISTEN 0 100 127.0.0.1:smtp 0.0.0.0:* tcp LISTEN 0 80 127.0.0.1:mysql 0.0.0.0:* tcp LISTEN 0 100 127.0.0.1:http-alt 0.0.0.0:* tcp LISTEN 0 128 127.0.0.53%lo:domain 0.0.0.0:* tcp LISTEN 0 128 [::]:ssh [::]:* tcp LISTEN 0 128 *:https *:* tcp LISTEN 0 100 [::]:imaps [::]:* tcp LISTEN 0 128 *:http *:*netstat -lpn -A inet
root@mail:~# netstat -lpn -A inet Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1060/sshd tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 573/dovecot tcp 0 0 127.0.0.1:5572 0.0.0.0:* LISTEN 623/rclone tcp 0 0 127.0.0.1:5001 0.0.0.0:* LISTEN 954/master tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 703/mysqld tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 954/master tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 424/systemd-resolve udp 40704 0 127.0.0.53:53 0.0.0.0:* 424/systemd-resolve udp 0 0 10.128.0.2:68 0.0.0.0:* 405/systemd-network udp 0 0 127.0.0.1:323 0.0.0.0:* 628/chronydiptables
root@mail:~# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination sshguard all -- anywhere anywhere Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain sshguard (1 references) target prot opt source destination未安裝 UFW
我還能夠執行“telnet localhost 8080 或 5001”並且能夠連接,這最初讓我認為這是防火牆問題。雖然看到 tcpdump 在我對 telnet 或 nmap 的測試中收到了來自外界的數據包,但我認為防火牆不是問題。
雖然這是Google VPC 網路防火牆,但我確實有規則允許 465,587,5001,8080 用於 tcp 和 udp。我可以通過進入特定的防火牆規則來確認它會影響實例,以查看哪些實例受到該規則的影響。這是利用 smtp 標籤作為參考來完成的。防火牆規則如下
allow-smtp Description smtp ports Network default Priority 1000 Direction Ingress Action on match Allow Targets Target tags smtp Source filters IP ranges 0.0.0.0/0 Protocols and ports tcp:587 udp:587 tcp:465 udp:465 tcp:5001 udp:5001 tcp:8080 udp:8080 Enforcement Enabled Applicable to instances Name Internal IP Tags Service accounts Project Network details mailserv1 10.128.0.2 http-server, https-server,任何幫助將不勝感激。看到數據包進來告訴我埠是打開的,即使 telnet 和 nmap 說它被阻止了。
似乎 ack 數據包無法返回,在這種情況下,我認為可能需要靜態路由,儘管我還沒有成功。感謝您的任何幫助。
編輯
將“inet_interfaces”更改為所有,允許我從外部世界遠端登錄並驗證埠是否打開。
現在通過 Outlook 連接到我的伺服器時,我收到 SSL_accept 錯誤。
編輯2
最後一個問題只是由於使用自動安全類型而不是 ssl/tls。這已解決
您的偵聽器僅偵聽來自本地主機的連接。
tcp 0 0 127.0.0.1:5001 0.0.0.0:* LISTEN 954/master tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 954/master這是因為 Postfix 已被專門配置為僅偵聽本地連接。
inet_interfaces = loopback-only要解決此問題,請告訴 Postfix 接受外部連接。
inet_interfaces = all