Postfix
在 (postfix + policyd2) 中實施策略時訪問被拒絕
我正在嘗試使用 postfix + policyd2 來限制外發電子郵件的數量。但是在實施 policyd2 策略時,我被拒絕訪問 - 無論我做什麼,我都會被拒絕。
- 後綴版本 2.11.4
- PolicyD2 (cluebringer) 版本 2.0.14-1
來自電子郵件客戶端的錯誤框:
發送郵件時出錯。郵件伺服器響應:4.7.1 <22222@gmail.com>:收件人地址被拒絕:訪問被拒絕。請檢查郵件收件人 22222@gmail.com 並重試。
當我在 postfix 中關閉 policyd2 時,
/etc/postfix/main.cf
一切正常:smtpd_end_of_data_restrictions=check_policy_service inet:127.0.0.1:10031 smtpd_recipient_restrictions=check_policy_service inet:127.0.0.1:10031,
如果我重新打開它,這就是我得到的
/var/log/maillog
:postfix/smtpd[3228]: >>> START Helo command RESTRICTIONS <<< postfix/smtpd[3228]: generic_checks: name=reject_invalid_helo_hostname postfix/smtpd[3228]: reject_invalid_hostaddr: [192.168.0.10] postfix/smtpd[3228]: generic_checks: name=reject_invalid_helo_hostname status=0 postfix/smtpd[3228]: >>> END Helo command RESTRICTIONS <<< postfix/smtpd[3228]: >>> START Recipient address RESTRICTIONS <<< postfix/smtpd[3228]: generic_checks: name=check_policy_service postfix/smtpd[3228]: trying... [127.0.0.1] postfix/smtpd[3228]: auto_clnt_open: connected to 127.0.0.1:10031 postfix/smtpd[3228]: send attr request = smtpd_access_policy postfix/smtpd[3228]: send attr protocol_state = RCPT postfix/smtpd[3228]: send attr protocol_name = ESMTP postfix/smtpd[3228]: send attr client_address = 88.88.88.88 postfix/smtpd[3228]: send attr client_name = example.pl postfix/smtpd[3228]: send attr reverse_client_name = example.pl postfix/smtpd[3228]: send attr helo_name = [192.168.0.10] postfix/smtpd[3228]: send attr sender = guest@example.pl postfix/smtpd[3228]: send attr recipient = 22222@gmail.com postfix/smtpd[3228]: send attr recipient_count = 0 postfix/smtpd[3228]: send attr queue_id = postfix/smtpd[3228]: send attr instance = c9c.5584b989.ab0c0.0 postfix/smtpd[3228]: send attr size = 368 postfix/smtpd[3228]: send attr etrn_domain = postfix/smtpd[3228]: send attr stress = postfix/smtpd[3228]: send attr sasl_method = PLAIN postfix/smtpd[3228]: send attr sasl_username = guest@example.pl postfix/smtpd[3228]: send attr sasl_sender = postfix/smtpd[3228]: send attr ccert_subject = postfix/smtpd[3228]: send attr ccert_issuer = postfix/smtpd[3228]: send attr ccert_fingerprint = postfix/smtpd[3228]: send attr ccert_pubkey_fingerprint = postfix/smtpd[3228]: send attr encryption_protocol = TLSv1 postfix/smtpd[3228]: send attr encryption_cipher = ECDHE-RSA-AES256-SHA postfix/smtpd[3228]: send attr encryption_keysize = 256 postfix/smtpd[3228]: 127.0.0.1:10031: wanted attribute: action postfix/smtpd[3228]: input attribute name: action postfix/smtpd[3228]: input attribute value: DEFER postfix/smtpd[3228]: 127.0.0.1:10031: wanted attribute: (list terminator) postfix/smtpd[3228]: input attribute name: (end) postfix/smtpd[3228]: check_table_result: inet:127.0.0.1:10031 DEFER policy query postfix/smtpd[3228]: NOQUEUE: reject: RCPT from example.pl[88.88.88.88]: 450 4.7.1 <22222@gmail.com>: Recipient address rejected: Access denied; from=<guest@example.pl> to=<22222@gmail.com> proto=ESMTP helo=<[192.168.0.10]> postfix/smtpd[3228]: generic_checks: name=check_policy_service status=2 postfix/smtpd[3228]: >>> END Recipient address RESTRICTIONS <<< postfix/smtpd[3228]: > example.pl[88.88.88.88]: 450 4.7.1 <22222@gmail.com>: Recipient address rejected: Access denied postfix/smtpd[3228]: watchdog_pat: 0x83b23a8
政策範例。
創建策略:
INSERT INTO policies VALUES (1, 'In Out', 10, 'In Out Policy', 0); INSERT INTO policy_members VALUES (1, 1, 'any', 'any', '' ,0);
添加配額 - 操作:
INSERT INTO quotas (PolicyID,Name,Track,Period,Verdict,Data) VALUES (1,'Sender:user@domain', 'Sender:user@domain', 60, 'DEFER', 'Deferring: To many messages from sender in last 60s.'); INSERT INTO quotas (PolicyID,Name,Track,Period,Verdict,Data) VALUES (1,'Recipient:@domain', 'Recipient:@domain', 60, 'REJECT', 'Quota limit reached.');
添加配額限制:
INSERT INTO quotas_limits (QuotasID, Type, CounterLimit) VALUES (1,'MessageCount', 12); INSERT INTO quotas_limits (QuotasID, Type, CounterLimit) VALUES (2,'MessageCount', 20);
不能使用 web gui(沒有 PHP)——所以我不確定它是否正確。正在搜尋並嘗試不同的策略範例,但錯誤仍然完全相同。
policyd2 sqlite3 數據庫文件的權限錯誤。
PolicyD2 能夠以特定使用者身份執行守護程序,在我的例子中:
/etc/policyd.conf # User to run this daemon as user=policyd group=policyd
對數據庫的權限是 root:root。
-rw-r--r-- root root policyd2.db
更改為 policyd:policyd 後,我可以發送電子郵件。
-rw-r--r-- policyd policyd policyd2.db
現在訪問被拒絕錯誤是有道理的。