Temporary authentication failure 454 4.7.1 <email>: Relay access denied
I can receive mail in Squirrelmail, but cannot send to the outside world.
Message not sent. Server replied: Temporary authentication failure 454 4.7.1 <email@somemail.com>: Relay access denied
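I double-checked that postfix works, i.e. I am able to telnet via mail.domain.com and smtp.domain.com. Dovecot is fine too. It seems Squirrelmail is the suspect. I played with the configuration and am not sure what caused the problem.
The log shows this information: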
mail.domain.com postfix/smtpd[4443]: connect from mail.domain.com[XXX.XXX.XXX.XXX]
mail.domain.com postfix/smtpd[4443]: NOQUEUE: reject: RCPT from mail.domain.com[XXX.XXX.XXX.XXX]: 454 4.7.1 <email@somemail.com>: Relay access denied; from=<user@domain.com> to=<email@somemail.com> proto=ESMTP helo=<mail.domain.com>
mail.domain.com postfix/smtpd[4443]: lost connection after RCPT from mail.domain.com[XXX.XXX.XXX.XXX]
mail.domain.com postfix/smtpd[4443]: disconnect from mail.domain.com[XXX.XXX.XXX.XXX] ehlo=1 mail=1 rcpt=0/1 commands=2/3
netstat -plntu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      940/dovecot
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      940/dovecot
tcp        0      0 192.168.124.1:53        0.0.0.0:*               LISTEN      1107/dnsmasq
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1905/cupsd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      937/master
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      940/dovecot
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      940/dovecot
tcp6       0      0 :::110                  :::*                    LISTEN      940/dovecot
tcp6       0      0 :::143                  :::*                    LISTEN      940/dovecot
tcp6       0      0 :::80                   :::*                    LISTEN      3521/httpd
tcp6       0      0 ::1:631                 :::*                    LISTEN      1905/cupsd
tcp6       0      0 :::993                  :::*                    LISTEN      940/dovecot
tcp6       0      0 :::995                  :::*                    LISTEN      940/dovecot
udp        0      0 127.0.0.1:323           0.0.0.0:*                           736/chronyd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           722/avahi-daemon: r
udp        0      0 0.0.0.0:55024           0.0.0.0:*                           722/avahi-daemon: r
udp        0      0 192.168.124.1:53        0.0.0.0:*                           1107/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1107/dnsmasq
udp6       0      0 :::41119                :::*                                722/avahi-daemon: r
udp6       0      0 ::1:323                 :::*                                736/chronyd
udp6       0      0 :::5353                 :::*                                722/avahi-daemon: r
iptables is as follows:
iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.124.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.124.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.124.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.124.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
iptables-save
*mangle
:PREROUTING ACCEPT [9985:4365661]
:INPUT ACCEPT [9969:4364853]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10509:2272775]
:POSTROUTING ACCEPT [10545:2275457]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
*nat
:PREROUTING ACCEPT [78:6056]
:INPUT ACCEPT [62:5248]
:OUTPUT ACCEPT [1057:68220]
:POSTROUTING ACCEPT [1057:68220]
-A POSTROUTING -s 192.168.124.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.124.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.124.0/24 ! -d 192.168.124.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.124.0/24 ! -d 192.168.124.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.124.0/24 ! -d 192.168.124.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [9969:4364853]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10509:2272775]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.124.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.124.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
COMMIT
Update 15.11.2017: This problem was resolved by changing the configuration in Squirrelmail. Run
/usr/share/squirrelmail/config/conf.pl
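Go to: Server Settings -> Update IMAP Settings -> imap.domain.com and Update SMTP Settings -> smtp.domain.com. It used to be just localhost.
Update 14.11.2017: Disabled the firewall and was able to send mail again. However, the problem with iptables remains. I also tried this in SELinux: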
setsebool -P httpd_can_network_connect 1
Update 13.11.2017: After enabling the firewall and opening ports 80/443 and 25/143, I cannot send email in Squirrelmail. Please help!
Error: Message not sent. Server replied:
Connection refused 111 Can't open SMTP stream.
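This question follows from the following thread: Postfix, dovecot, squirrelmail server is able to send but not receive email
By editing the Squirrelmail configuration file, I was finally able to send email. Basically I switched from SMTP to Sendmail. In /etc/squirrelmail/config.php change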
$useSendmail = true;
Then restart apache
systemctl restart httpd
Then allow SELinux to use sendmail
setsebool -P httpd_can_sendmail=1
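I doubt this Squirrelmail configuration will last long. I will definitely play with it. For now, I don't know why SMTP doesn't work but sendmail does. Hopefully it can be resolved by messing with SELinux. Meanwhile, does anyone have an opinion on whether SMTP or Sendmail is best to use?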
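An added example, not part of the original posts: a Python log check that pairs each "Relay access denied" reject in a Postfix smtpd log with the per-command counters on that session's disconnect line, so you can see whether the client (here the webmail host) ever issued AUTH before asking to relay. The sample lines are constructed from the log in the question, with placeholder addresses; the second session is invented for contrast.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the question's log (placeholder addresses).
SAMPLE_LOG = """\
mail.domain.com postfix/smtpd[4443]: connect from mail.domain.com[192.0.2.10]
mail.domain.com postfix/smtpd[4443]: NOQUEUE: reject: RCPT from mail.domain.com[192.0.2.10]: 454 4.7.1 <email@somemail.com>: Relay access denied; from=<user@domain.com> to=<email@somemail.com> proto=ESMTP helo=<mail.domain.com>
mail.domain.com postfix/smtpd[4443]: disconnect from mail.domain.com[192.0.2.10] ehlo=1 mail=1 rcpt=0/1 commands=2/3
mail.domain.com postfix/smtpd[4501]: connect from client.example[192.0.2.20]
mail.domain.com postfix/smtpd[4501]: disconnect from client.example[192.0.2.20] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
"""

LINE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)")
REJECT = re.compile(
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) \S+ "
    r"<[^>]*>: Relay access denied; from=<(?P<frm>[^>]*)> to=<(?P<to>[^>]*)>"
)
COUNTER = re.compile(r"\b(?P<cmd>[a-z]+)=(?P<ok>\d+)(?:/(?P<total>\d+))?")

def relay_denials(log_text):
    """Return one finding per relay reject, tagged with the session's AUTH state."""
    pending = defaultdict(list)  # smtpd pid -> rejects seen in the current session
    findings = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        r = REJECT.match(msg)
        if r:
            pending[pid].append(r.groupdict())
        elif msg.startswith("disconnect from "):
            # Counters read cmd=ok or cmd=ok/total; "auth" is absent if AUTH was never sent.
            counters = {c["cmd"]: (int(c["ok"]), int(c["total"] or c["ok"]))
                        for c in COUNTER.finditer(msg.split("]", 1)[1])}
            ok, total = counters.get("auth", (0, 0))
            auth = "none" if total == 0 else ("ok" if ok else "failed")
            for rej in pending.pop(pid, []):  # flush so a reused pid starts clean
                findings.append({**rej, "pid": pid, "auth": auth})
    return findings

if __name__ == "__main__":
    for finding in relay_denials(SAMPLE_LOG):
        print(finding)
```

On the constructed sample this reports the one reject from session 4443 with `auth` set to `none`: the disconnect line carries no `auth=` counter, so that client asked to relay without authenticating.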