Linux

Postfix 實例偶爾處理其他實例傳入的電子郵件

  • September 28, 2019

我有一個伺服器,上面設置了 Postfix 多實例,每個實例都有自己的 IP:

  1. 實例 1:example.com(帶有用於退回/fbl ad-hoc 處理的郵箱的根域)
  2. 實例 2:unsub.eg.example.com(帶有用於取消子處理的郵箱的子域)
  3. 實例 3:out1.eg.example.com(僅限出站)
  4. 實例 4:out2.eg.example.com(僅限出站)

就發送電子郵件或在域 unsub.eg.example.com 上接收電子郵件而言,一切正常。

但是,當向 test@example.com 或bounce@example.com 發送電子郵件時……四個實例中的任何一個都可以處理它,而不僅僅是example.com 實例。當被 unsub、out1 或 out2 拾取時,一個 NOQUEUE:reject: RCPT from : 554 5.7.1 : Relay access denied; 錯誤由處理實例記錄。如果實例 1 碰巧撿到它,它就會被送到郵箱沒有問題。

所以這讓我發瘋了,為什麼其他實例會收到一封綁定到 example.com 的電子郵件

以下是 main.cf 實例的高亮配置,我認為這可能會導致問題:

smtp.example.com

queue_directory = /var/spool/postfix-smtp
command_directory=/usr/sbin
daemon_directory=/usr/libexec/postfix
data_directory=/var/lib/postfix-smtp
mail_owner=postfix
syslog_name=pfix-smtp

myhostname=smtp.example.com
mydomain=example.com
myorigin=$mydomain
inet_interfaces=$myhostname
inet_protocols=ipv4
mydestination=localhost
mynetworks_style=host
relay_domains=
relayhost=

home_mailbox=Maildir/
disable_vrfy_command=yes
virtual_mailbox_domains=$mydomain
virtual_mailbox_maps=hash:/etc/postfix/vmailbox

smtpd_sasl_auth_enable=yes
broken_sasl_auth_clients=yes
smtpd_sasl_type=dovecot
smtpd_sasl_path=private/auth
smtpd_sasl_security_options=noanonymous
smtpd_recipients_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sender_restrictions=reject_unknown_sender_domain
smtpd_sasl_local_domain
local_recipient_maps=$alias_maps,$virtual_mailbox_maps

unsub.eg.example.com

queue_directory = /var/spool/postfix-unsub
command_directory=/usr/sbin
daemon_directory=/usr/libexec/postfix
data_directory=/var/lib/postfix-unsub
mail_owner=postfix
syslog_name=pfix-unsub

myhostname=unsub.eg.example.com
mydomain=unsub.eg.example.com
myorigin=$mydomain
inet_interfaces=$myhostname
inet_protocols=ipv4
mydestination=localhost
mynetworks_style=host
relay_domains=
relayhost=

home_mailbox=Maildir/
disable_vrfy_command=yes
virtual_mailbox_domains=$myhostname
virtual_mailbox_maps=hash:/etc/postfix/vmailbox
virtual_alias_maps=hash:/etc/postfix-unsub/virtual

smtpd_sasl_auth_enable=yes
broken_sasl_auth_clients=yes
smtpd_sasl_type=dovecot
smtpd_sasl_path=private/auth
smtpd_sasl_security_options=noanonymous
smtpd_recipients_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sender_restrictions=reject_unknown_sender_domain
smtpd_sasl_local_domain=
local_recipient_maps=$alias_maps,$virtual_mailbox_maps

out1.eg.example.com

queue_directory = /var/spool/postfix-ou1
command_directory=/usr/sbin
daemon_directory=/usr/libexec/postfix
data_directory=/var/lib/postfix-ou1
mail_owner=postfix
syslog_name=pfix-out1

myhostname=out1.eg.example.com
mydomain=out1.eg.example.com
myorigin=$mydomain
inet_interfaces=$myhostname
inet_protocols=ipv4
mydestination=
mynetworks_style=host
relay_domains=
relayhost=

out2.eg.example.com

queue_directory = /var/spool/postfix-ou2
command_directory=/usr/sbin
daemon_directory=/usr/libexec/postfix
data_directory=/var/lib/postfix-ou2
mail_owner=postfix
syslog_name=pfix-out2

myhostname=out2.eg.example.com
mydomain=out2.eg.example.com
myorigin=$mydomain
inet_interfaces=$myhostname
inet_protocols=ipv4
mydestination=
mynetworks_style=host
relay_domains=
relayhost=

注意:我還為所有實例生成了自簽名的 tls 證書和 dkim 簽名,但是看起來一切正常,我認為這不是罪魁禍首。

謝謝大家!

**2014 年 9 月 25 日日誌:**這些是我今天使用 Outlook 客戶端測試發送電子郵件時得到的日誌:

Sep 25 06:04:37 bm1 pfix-out2/anvil[11131]: statistics: max connection rate 3/60s for (smtp:XXX.XXX.XXX.42) at Sep 25 06:01:12
Sep 25 06:04:37 bm1 pfix-out2/anvil[11131]: statistics: max connection count 3 for (smtp:XXX.XXX.XXX.42) at Sep 25 06:01:12
Sep 25 06:04:37 bm1 pfix-out2/anvil[11131]: statistics: max cache size 1 at Sep 25 06:01:01
Sep 25 06:05:46 bm1 pfix-out1/anvil[11191]: statistics: max connection rate 3/60s for (smtp:XXX.XXX.XXX.42) at Sep 25 06:02:21
Sep 25 06:05:46 bm1 pfix-out1/anvil[11191]: statistics: max connection count 3 for (smtp:XXX.XXX.XXX.42) at Sep 25 06:02:21
Sep 25 06:05:46 bm1 pfix-out1/anvil[11191]: statistics: max cache size 1 at Sep 25 06:02:10
Sep 25 06:06:11 bm1 pfix-unsub/smtpd[11239]: connect from mail.sender.com[XXX.XXX.XXX.250]
Sep 25 06:06:11 bm1 pfix-unsub/smtpd[11239]: setting up TLS connection from mail.sender.com[XXX.XXX.XXX.250]
Sep 25 06:06:11 bm1 pfix-unsub/smtpd[11239]: Anonymous TLS connection established from mail.sender.com[XXX.XXX.XXX.250]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Sep 25 06:06:11 bm1 pfix-unsub/smtpd[11239]: NOQUEUE: reject: RCPT from mail.sender.com[XXX.XXX.XXX.250]: 554 5.7.1 <fbl@example.com>: Relay access denied; from=<m.mokhtar@sender.com> to=<fbl@example.com> proto=ESMTP helo=<sender.com>
Sep 25 06:06:11 bm1 pfix-unsub/smtpd[11239]: disconnect from mail.sender.com[XXX.XXX.XXX.250]
Sep 25 06:07:02 bm1 pfix-smtp/smtpd[11257]: connect from mail.sender.com[XXX.XXX.XXX.250]
Sep 25 06:07:02 bm1 pfix-smtp/smtpd[11257]: setting up TLS connection from mail.sender.com[XXX.XXX.XXX.250]
Sep 25 06:07:02 bm1 pfix-smtp/smtpd[11257]: Anonymous TLS connection established from mail.sender.com[XXX.XXX.XXX.250]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Sep 25 06:07:02 bm1 pfix-smtp/smtpd[11257]: D91BB3060289: client=mail.sender.com[XXX.XXX.XXX.250]
Sep 25 06:07:02 bm1 pfix-smtp/cleanup[11260]: D91BB3060289: message-id=<004001cfd886$d01b96c0$7052c440$@mokhtar@sender.com>
Sep 25 06:07:02 bm1 opendkim[18460]: D91BB3060289: mail.sender.com [XXX.XXX.XXX.250] not internal
Sep 25 06:07:02 bm1 opendkim[18460]: D91BB3060289: not authenticated
Sep 25 06:07:02 bm1 opendkim[18460]: D91BB3060289: no signature data
Sep 25 06:07:02 bm1 pfix-smtp/qmgr[7018]: D91BB3060289: from=<m.mokhtar@sender.com>, size=11502, nrcpt=1 (queue active)
Sep 25 06:07:02 bm1 pfix-smtp/smtpd[11257]: disconnect from mail.sender.com[XXX.XXX.XXX.250]
Sep 25 06:07:02 bm1 pfix-smtp/virtual[11261]: D91BB3060289: to=<bounce@example.com>, relay=virtual, delay=0.09, delays=0.06/0.01/0/0.02, dsn=2.0.0, status=sent (delivered to maildir)
Sep 25 06:07:02 bm1 pfix-smtp/qmgr[7018]: D91BB3060289: removed
Sep 25 06:07:46 bm1 pfix-smtp/anvil[11102]: statistics: max connection rate 3/60s for (smtp:XXX.XXX.XXX.42) at Sep 25 06:02:23
Sep 25 06:07:46 bm1 pfix-smtp/anvil[11102]: statistics: max connection count 3 for (smtp:XXX.XXX.XXX.42) at Sep 25 06:02:23
Sep 25 06:07:46 bm1 pfix-smtp/anvil[11102]: statistics: max cache size 2 at Sep 25 06:02:12
Sep 25 06:08:10 bm1 pfix-smtp/smtpd[11257]: connect from mail.sender.com[XXX.XXX.XXX.250]
Sep 25 06:08:10 bm1 pfix-smtp/smtpd[11257]: setting up TLS connection from mail.sender.com[XXX.XXX.XXX.250]
Sep 25 06:08:10 bm1 pfix-smtp/smtpd[11257]: Anonymous TLS connection established from mail.sender.com[XXX.XXX.XXX.250]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Sep 25 06:08:10 bm1 pfix-smtp/smtpd[11257]: 8FC143060289: client=mail.sender.com[XXX.XXX.XXX.250]
Sep 25 06:08:10 bm1 pfix-smtp/cleanup[11260]: 8FC143060289: message-id=<004601cfd886$f873f540$e95bdfc0$@alrazy@sender.com>
Sep 25 06:08:10 bm1 opendkim[18460]: 8FC143060289: mail.sender.com [XXX.XXX.XXX.250] not internal
Sep 25 06:08:10 bm1 opendkim[18460]: 8FC143060289: not authenticated
Sep 25 06:08:10 bm1 opendkim[18460]: 8FC143060289: no signature data
Sep 25 06:08:10 bm1 pfix-smtp/qmgr[7018]: 8FC143060289: from=<g.alrazy@sender.com>, size=11431, nrcpt=1 (queue active)
Sep 25 06:08:10 bm1 pfix-smtp/smtpd[11257]: disconnect from mail.sender.com[XXX.XXX.XXX.250]
Sep 25 06:08:10 bm1 pfix-smtp/virtual[11261]: 8FC143060289: to=<fbl@example.com>, relay=virtual, delay=0.05, delays=0.04/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
Sep 25 06:08:10 bm1 pfix-smtp/qmgr[7018]: 8FC143060289: removed
Sep 25 06:09:31 bm1 pfix-unsub/anvil[11219]: statistics: max connection rate 3/60s for (smtp:XXX.XXX.XXX.42) at Sep 25 06:03:26
Sep 25 06:09:31 bm1 pfix-unsub/anvil[11219]: statistics: max connection count 3 for (smtp:XXX.XXX.XXX.42) at Sep 25 06:03:26
Sep 25 06:09:31 bm1 pfix-unsub/anvil[11219]: statistics: max cache size 1 at Sep 25 06:03:15
Sep 25 06:10:33 bm1 pfix-out2/smtpd[11289]: warning: dict_nis_init: NIS domain name not set - NIS lookups disabled
Sep 25 06:10:33 bm1 pfix-out2/smtpd[11289]: connect from mail.sender.com[XXX.XXX.XXX.250]
Sep 25 06:10:33 bm1 pfix-out2/smtpd[11289]: setting up TLS connection from mail.sender.com[XXX.XXX.XXX.250]
Sep 25 06:10:33 bm1 pfix-out2/smtpd[11289]: Anonymous TLS connection established from mail.sender.com[XXX.XXX.XXX.250]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Sep 25 06:10:33 bm1 pfix-out2/smtpd[11289]: NOQUEUE: reject: RCPT from mail.sender.com[XXX.XXX.XXX.250]: 554 5.7.1 <fbl@example.com>: Relay access denied; from=<m.mokhtar@sender.com> to=<fbl@example.com> proto=ESMTP helo=<sender.com>
Sep 25 06:10:33 bm1 pfix-out2/smtpd[11289]: disconnect from mail.sender.com[XXX.XXX.XXX.250]

注意,那

  • 發送到 fbl@example.com 的第一個測試由 pfix-unsub 處理:中繼訪問被拒絕
  • 發送到bounce@example.com 的第二個測試由正確的實例pfix-smtp“正確”處理
  • 發送到 fbl@example.com 的第三個測試由正確的實例 pfix-smtp “正確”處理
  • 發送到 fbl@example.com 的第 4 個測試由 pfix-out2 處理:中繼訪問被拒絕

DNS 設置

IN      MX      10      smtp
IN      MX      10      unsub.eg
IN      MX      10      out1.eg
IN      MX      10      out2.eg

;A Records
example.com.                    IN      A       YYY.YYY.YYY.3
subdomain1                      IN      A       YYY.YYY.YYY.3
smtp                            IN      A       XXX.XXX.XXX.123
unsub.eg                        IN      A       XXX.XXX.XXX.124
out1.eg                         IN      A       XXX.XXX.XXX.125
out2.eg                         IN      A       XXX.XXX.XXX.126

;SPF TXT RR
example.com.                   IN      TXT     "v=spf1 mx:smtp.example.com mx:out1.eg.example.com mx:out2.eg.example.com ~all"

example.com.                   IN      TXT     "spf2.0/pra mx:smtp.example.com mx:out1.eg.example.com mx:out2.eg.example.com ~all"
;DKIM TXT RR
default._domainkey              IN      TXT     "v=DKIM1; k=rsa; p=**key**"

您已將所有後綴實例列為域的 MX,並且具有相同的權重。這意味著發送郵件伺服器可以選擇他們想要的任何一個。

由於您只想smtp.example.com處理傳入的郵件,您應該刪除所有 MX 行,除了

IN      MX      10      smtp

針對評論進行編輯: MX 記錄特別適用於example.com- 它實際上是在說“如果您想向任何以@example.com.

對於unsub.eg.example.com,您有 A 記錄。當發送郵件伺服器查找如何將郵件路由到該地址時,它將首先查找unsub.eg.example.com. 如果沒有找到,它會尋找 A 記錄。由於unsub.eg.example.com存在 A 記錄,因此消息將直接發送到該伺服器。因此,您不需要 MX 記錄。(如果您確實想使用 MX 記錄,則應將其設置為unsub.eg.example.com,而不是example.com!)

至於 SFP 記錄,這些記錄專門用於傳出流量。MX 專門用於傳入流量。這是一種常見的做法,特別是對於較大的域,為傳出流量和傳入流量分別設置伺服器。在這些情況下,出站伺服器應僅列在 SFP 中,而傳入伺服器應僅列為 MX。

可以將 SPF 記錄設置為包括所有 MX。但同樣可以簡單地列出允許發送郵件的伺服器的 IP 地址或 A 記錄,無論這些伺服器是否也用作 MX。有關語法的更多資訊,請訪問OpenSPF.org

**編輯 2:**這是對新 SPF 記錄的建議:

;SPF TXT RR
example.com.                   IN      TXT     "v=spf1 a:out2.eg.example.com a:out1.eg.example.com ~all"

引用自:https://serverfault.com/questions/630921