Postfix 實例偶爾處理其他實例傳入的電子郵件
我有一個伺服器,上面設置了 Postfix 多實例,每個實例都有自己的 IP:
- 實例 1:example.com(帶有用於退回/fbl ad-hoc 處理的郵箱的根域)
- 實例 2:unsub.eg.example.com(帶有用於取消子處理的郵箱的子域)
- 實例 3:out1.eg.example.com(僅限出站)
- 實例 4:out2.eg.example.com(僅限出站)
就發送電子郵件或在域 unsub.eg.example.com 上接收電子郵件而言,一切正常。
但是,當向 test@example.com 或bounce@example.com 發送電子郵件時……四個實例中的任何一個都可以處理它,而不僅僅是example.com 實例。當被 unsub、out1 或 out2 拾取時,一個 NOQUEUE:reject: RCPT from : 554 5.7.1 : Relay access denied; 錯誤由處理實例記錄。如果實例 1 碰巧撿到它,它就會被送到郵箱沒有問題。
所以這讓我發瘋了,為什麼其他實例會收到一封綁定到 example.com 的電子郵件
以下是 main.cf 實例的高亮配置,我認為這可能會導致問題:
smtp.example.com
queue_directory = /var/spool/postfix-smtp command_directory=/usr/sbin daemon_directory=/usr/libexec/postfix data_directory=/var/lib/postfix-smtp mail_owner=postfix syslog_name=pfix-smtp myhostname=smtp.example.com mydomain=example.com myorigin=$mydomain inet_interfaces=$myhostname inet_protocols=ipv4 mydestination=localhost mynetworks_style=host relay_domains= relayhost= home_mailbox=Maildir/ disable_vrfy_command=yes virtual_mailbox_domains=$mydomain virtual_mailbox_maps=hash:/etc/postfix/vmailbox smtpd_sasl_auth_enable=yes broken_sasl_auth_clients=yes smtpd_sasl_type=dovecot smtpd_sasl_path=private/auth smtpd_sasl_security_options=noanonymous smtpd_recipients_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination smtpd_sender_restrictions=reject_unknown_sender_domain smtpd_sasl_local_domain local_recipient_maps=$alias_maps,$virtual_mailbox_maps
unsub.eg.example.com
queue_directory = /var/spool/postfix-unsub command_directory=/usr/sbin daemon_directory=/usr/libexec/postfix data_directory=/var/lib/postfix-unsub mail_owner=postfix syslog_name=pfix-unsub myhostname=unsub.eg.example.com mydomain=unsub.eg.example.com myorigin=$mydomain inet_interfaces=$myhostname inet_protocols=ipv4 mydestination=localhost mynetworks_style=host relay_domains= relayhost= home_mailbox=Maildir/ disable_vrfy_command=yes virtual_mailbox_domains=$myhostname virtual_mailbox_maps=hash:/etc/postfix/vmailbox virtual_alias_maps=hash:/etc/postfix-unsub/virtual smtpd_sasl_auth_enable=yes broken_sasl_auth_clients=yes smtpd_sasl_type=dovecot smtpd_sasl_path=private/auth smtpd_sasl_security_options=noanonymous smtpd_recipients_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination smtpd_sender_restrictions=reject_unknown_sender_domain smtpd_sasl_local_domain= local_recipient_maps=$alias_maps,$virtual_mailbox_maps
out1.eg.example.com
queue_directory = /var/spool/postfix-ou1 command_directory=/usr/sbin daemon_directory=/usr/libexec/postfix data_directory=/var/lib/postfix-ou1 mail_owner=postfix syslog_name=pfix-out1 myhostname=out1.eg.example.com mydomain=out1.eg.example.com myorigin=$mydomain inet_interfaces=$myhostname inet_protocols=ipv4 mydestination= mynetworks_style=host relay_domains= relayhost=
out2.eg.example.com
queue_directory = /var/spool/postfix-ou2 command_directory=/usr/sbin daemon_directory=/usr/libexec/postfix data_directory=/var/lib/postfix-ou2 mail_owner=postfix syslog_name=pfix-out2 myhostname=out2.eg.example.com mydomain=out2.eg.example.com myorigin=$mydomain inet_interfaces=$myhostname inet_protocols=ipv4 mydestination= mynetworks_style=host relay_domains= relayhost=
注意:我還為所有實例生成了自簽名的 tls 證書和 dkim 簽名,但是看起來一切正常,我認為這不是罪魁禍首。
謝謝大家!
**2014 年 9 月 25 日日誌:**這些是我今天使用 Outlook 客戶端測試發送電子郵件時得到的日誌:
Sep 25 06:04:37 bm1 pfix-out2/anvil[11131]: statistics: max connection rate 3/60s for (smtp:XXX.XXX.XXX.42) at Sep 25 06:01:12 Sep 25 06:04:37 bm1 pfix-out2/anvil[11131]: statistics: max connection count 3 for (smtp:XXX.XXX.XXX.42) at Sep 25 06:01:12 Sep 25 06:04:37 bm1 pfix-out2/anvil[11131]: statistics: max cache size 1 at Sep 25 06:01:01 Sep 25 06:05:46 bm1 pfix-out1/anvil[11191]: statistics: max connection rate 3/60s for (smtp:XXX.XXX.XXX.42) at Sep 25 06:02:21 Sep 25 06:05:46 bm1 pfix-out1/anvil[11191]: statistics: max connection count 3 for (smtp:XXX.XXX.XXX.42) at Sep 25 06:02:21 Sep 25 06:05:46 bm1 pfix-out1/anvil[11191]: statistics: max cache size 1 at Sep 25 06:02:10 Sep 25 06:06:11 bm1 pfix-unsub/smtpd[11239]: connect from mail.sender.com[XXX.XXX.XXX.250] Sep 25 06:06:11 bm1 pfix-unsub/smtpd[11239]: setting up TLS connection from mail.sender.com[XXX.XXX.XXX.250] Sep 25 06:06:11 bm1 pfix-unsub/smtpd[11239]: Anonymous TLS connection established from mail.sender.com[XXX.XXX.XXX.250]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits) Sep 25 06:06:11 bm1 pfix-unsub/smtpd[11239]: NOQUEUE: reject: RCPT from mail.sender.com[XXX.XXX.XXX.250]: 554 5.7.1 <fbl@example.com>: Relay access denied; from=<m.mokhtar@sender.com> to=<fbl@example.com> proto=ESMTP helo=<sender.com> Sep 25 06:06:11 bm1 pfix-unsub/smtpd[11239]: disconnect from mail.sender.com[XXX.XXX.XXX.250] Sep 25 06:07:02 bm1 pfix-smtp/smtpd[11257]: connect from mail.sender.com[XXX.XXX.XXX.250] Sep 25 06:07:02 bm1 pfix-smtp/smtpd[11257]: setting up TLS connection from mail.sender.com[XXX.XXX.XXX.250] Sep 25 06:07:02 bm1 pfix-smtp/smtpd[11257]: Anonymous TLS connection established from mail.sender.com[XXX.XXX.XXX.250]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits) Sep 25 06:07:02 bm1 pfix-smtp/smtpd[11257]: D91BB3060289: client=mail.sender.com[XXX.XXX.XXX.250] Sep 25 06:07:02 bm1 pfix-smtp/cleanup[11260]: D91BB3060289: message-id=<004001cfd886$d01b96c0$7052c440$@mokhtar@sender.com> Sep 25 06:07:02 bm1 opendkim[18460]: D91BB3060289: mail.sender.com [XXX.XXX.XXX.250] not internal Sep 25 06:07:02 bm1 opendkim[18460]: D91BB3060289: not authenticated Sep 25 06:07:02 bm1 opendkim[18460]: D91BB3060289: no signature data Sep 25 06:07:02 bm1 pfix-smtp/qmgr[7018]: D91BB3060289: from=<m.mokhtar@sender.com>, size=11502, nrcpt=1 (queue active) Sep 25 06:07:02 bm1 pfix-smtp/smtpd[11257]: disconnect from mail.sender.com[XXX.XXX.XXX.250] Sep 25 06:07:02 bm1 pfix-smtp/virtual[11261]: D91BB3060289: to=<bounce@example.com>, relay=virtual, delay=0.09, delays=0.06/0.01/0/0.02, dsn=2.0.0, status=sent (delivered to maildir) Sep 25 06:07:02 bm1 pfix-smtp/qmgr[7018]: D91BB3060289: removed Sep 25 06:07:46 bm1 pfix-smtp/anvil[11102]: statistics: max connection rate 3/60s for (smtp:XXX.XXX.XXX.42) at Sep 25 06:02:23 Sep 25 06:07:46 bm1 pfix-smtp/anvil[11102]: statistics: max connection count 3 for (smtp:XXX.XXX.XXX.42) at Sep 25 06:02:23 Sep 25 06:07:46 bm1 pfix-smtp/anvil[11102]: statistics: max cache size 2 at Sep 25 06:02:12 Sep 25 06:08:10 bm1 pfix-smtp/smtpd[11257]: connect from mail.sender.com[XXX.XXX.XXX.250] Sep 25 06:08:10 bm1 pfix-smtp/smtpd[11257]: setting up TLS connection from mail.sender.com[XXX.XXX.XXX.250] Sep 25 06:08:10 bm1 pfix-smtp/smtpd[11257]: Anonymous TLS connection established from mail.sender.com[XXX.XXX.XXX.250]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits) Sep 25 06:08:10 bm1 pfix-smtp/smtpd[11257]: 8FC143060289: client=mail.sender.com[XXX.XXX.XXX.250] Sep 25 06:08:10 bm1 pfix-smtp/cleanup[11260]: 8FC143060289: message-id=<004601cfd886$f873f540$e95bdfc0$@alrazy@sender.com> Sep 25 06:08:10 bm1 opendkim[18460]: 8FC143060289: mail.sender.com [XXX.XXX.XXX.250] not internal Sep 25 06:08:10 bm1 opendkim[18460]: 8FC143060289: not authenticated Sep 25 06:08:10 bm1 opendkim[18460]: 8FC143060289: no signature data Sep 25 06:08:10 bm1 pfix-smtp/qmgr[7018]: 8FC143060289: from=<g.alrazy@sender.com>, size=11431, nrcpt=1 (queue active) Sep 25 06:08:10 bm1 pfix-smtp/smtpd[11257]: disconnect from mail.sender.com[XXX.XXX.XXX.250] Sep 25 06:08:10 bm1 pfix-smtp/virtual[11261]: 8FC143060289: to=<fbl@example.com>, relay=virtual, delay=0.05, delays=0.04/0/0/0, dsn=2.0.0, status=sent (delivered to maildir) Sep 25 06:08:10 bm1 pfix-smtp/qmgr[7018]: 8FC143060289: removed Sep 25 06:09:31 bm1 pfix-unsub/anvil[11219]: statistics: max connection rate 3/60s for (smtp:XXX.XXX.XXX.42) at Sep 25 06:03:26 Sep 25 06:09:31 bm1 pfix-unsub/anvil[11219]: statistics: max connection count 3 for (smtp:XXX.XXX.XXX.42) at Sep 25 06:03:26 Sep 25 06:09:31 bm1 pfix-unsub/anvil[11219]: statistics: max cache size 1 at Sep 25 06:03:15 Sep 25 06:10:33 bm1 pfix-out2/smtpd[11289]: warning: dict_nis_init: NIS domain name not set - NIS lookups disabled Sep 25 06:10:33 bm1 pfix-out2/smtpd[11289]: connect from mail.sender.com[XXX.XXX.XXX.250] Sep 25 06:10:33 bm1 pfix-out2/smtpd[11289]: setting up TLS connection from mail.sender.com[XXX.XXX.XXX.250] Sep 25 06:10:33 bm1 pfix-out2/smtpd[11289]: Anonymous TLS connection established from mail.sender.com[XXX.XXX.XXX.250]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits) Sep 25 06:10:33 bm1 pfix-out2/smtpd[11289]: NOQUEUE: reject: RCPT from mail.sender.com[XXX.XXX.XXX.250]: 554 5.7.1 <fbl@example.com>: Relay access denied; from=<m.mokhtar@sender.com> to=<fbl@example.com> proto=ESMTP helo=<sender.com> Sep 25 06:10:33 bm1 pfix-out2/smtpd[11289]: disconnect from mail.sender.com[XXX.XXX.XXX.250]
注意,那
- 發送到 fbl@example.com 的第一個測試由 pfix-unsub 處理:中繼訪問被拒絕
- 發送到bounce@example.com 的第二個測試由正確的實例pfix-smtp“正確”處理
- 發送到 fbl@example.com 的第三個測試由正確的實例 pfix-smtp “正確”處理
- 發送到 fbl@example.com 的第 4 個測試由 pfix-out2 處理:中繼訪問被拒絕
DNS 設置
IN MX 10 smtp IN MX 10 unsub.eg IN MX 10 out1.eg IN MX 10 out2.eg ;A Records example.com. IN A YYY.YYY.YYY.3 subdomain1 IN A YYY.YYY.YYY.3 smtp IN A XXX.XXX.XXX.123 unsub.eg IN A XXX.XXX.XXX.124 out1.eg IN A XXX.XXX.XXX.125 out2.eg IN A XXX.XXX.XXX.126 ;SPF TXT RR example.com. IN TXT "v=spf1 mx:smtp.example.com mx:out1.eg.example.com mx:out2.eg.example.com ~all" example.com. IN TXT "spf2.0/pra mx:smtp.example.com mx:out1.eg.example.com mx:out2.eg.example.com ~all" ;DKIM TXT RR default._domainkey IN TXT "v=DKIM1; k=rsa; p=**key**"
您已將所有後綴實例列為域的 MX,並且具有相同的權重。這意味著發送郵件伺服器可以選擇他們想要的任何一個。
由於您只想
smtp.example.com
處理傳入的郵件,您應該刪除所有 MX 行,除了IN MX 10 smtp
針對評論進行編輯: MX 記錄特別適用於
example.com
- 它實際上是在說“如果您想向任何以@example.com
.對於
unsub.eg.example.com
,您有 A 記錄。當發送郵件伺服器查找如何將郵件路由到該地址時,它將首先查找unsub.eg.example.com
. 如果沒有找到,它會尋找 A 記錄。由於unsub.eg.example.com
存在 A 記錄,因此消息將直接發送到該伺服器。因此,您不需要 MX 記錄。(如果您確實想使用 MX 記錄,則應將其設置為unsub.eg.example.com
,而不是example.com
!)至於 SFP 記錄,這些記錄專門用於傳出流量。MX 專門用於傳入流量。這是一種常見的做法,特別是對於較大的域,為傳出流量和傳入流量分別設置伺服器。在這些情況下,出站伺服器應僅列在 SFP 中,而傳入伺服器應僅列為 MX。
可以將 SPF 記錄設置為包括所有 MX。但同樣可以簡單地列出允許發送郵件的伺服器的 IP 地址或 A 記錄,無論這些伺服器是否也用作 MX。有關語法的更多資訊,請訪問OpenSPF.org
**編輯 2:**這是對新 SPF 記錄的建議:
;SPF TXT RR example.com. IN TXT "v=spf1 a:out2.eg.example.com a:out1.eg.example.com ~all"