Postfix

如果我使用 dovecot submission(送出)服務,我應該拒絕所有直接透過 postfix 發送的電子郵件嗎?

  • April 20, 2019

我在 587 埠上配置了 dovecot 送出服務,中繼是 postfix 伺服器。它們位於兩個不同的 IP 地址/機器上。

我希望發送電子郵件的唯一方法是通過埠 587,這意味著 dovecot 將處理它並將其中繼到 postfix。我不希望連接到埠 25 的人或任何東西創建新電子郵件並將它們發送給任何人。一切都必須通過 dovecot,因此所有郵件都針對 SASL/mysql 數據庫進行身份驗證。

這是否意味著在 Postfix 中,我應該設置:

smtpd_sender_restrictions = reject

這樣任何發件人都會立即被拒絕而不做任何進一步處理——還是說這也會阻止 dovecot 送出的郵件?

postconf -n

# postconf -n output: only settings that differ from the Postfix defaults are
# listed. Anything absent (e.g. smtpd_sasl_auth_enable, master.cf per-service
# overrides for a port 587 service) is at its default or not visible here.
access_map_reject_code = 554
alias_maps =
compatibility_level = 2
debug_peer_level = 100
disable_vrfy_command = yes
inet_interfaces = all
inet_protocols = all
invalid_hostname_reject_code = 554
lmtp_host_lookup = native
mailbox_size_limit = 0
maps_rbl_reject_code = 554
message_size_limit = 50000000
milter_default_action = accept
milter_protocol = 2
multi_recipient_bounce_reject_code = 554
# No local delivery: mydestination is empty, every domain is virtual (mysql maps below).
mydestination =
mydomain = s2.__SNIP__.com
myhostname = s2.__SNIP__.com
# Trust boundary for relaying. No restriction list below contains
# permit_sasl_authenticated and smtpd_sasl_auth_enable is not set (default no),
# so a client may relay to outside destinations only when it connects from one
# of these networks. The dovecot submission relay therefore has to arrive from
# 10.0.0.0/8 -- presumably the cluster network; confirm the source address dovecot uses.
mynetworks = 127.0.0.1/32 [::1]/128 10.0.0.0/8
myorigin = $mydomain
mysql = mysql:${config_directory}
non_fqdn_reject_code = 554
non_smtpd_milters = inet:opendkim.mail-server:8891
plaintext_reject_code = 554
# postscreen expects the PROXY protocol header from an upstream haproxy.
postscreen_upstream_proxy_protocol = haproxy
postscreen_upstream_proxy_timeout = 10s
readme_directory = no
recipient_delimiter = +
reject_code = 554
relay_domains_reject_code = 554
smtpd_data_restrictions = reject_unauth_pipelining
# Each restriction list is evaluated at its own SMTP stage instead of being
# deferred to RCPT TO, so a sender-stage reject fires before the recipient is known.
smtpd_delay_reject = no
smtpd_error_sleep_time = 20
smtpd_hard_error_limit = 3
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_unknown_helo_hostname reject_non_fqdn_helo_hostname reject_invalid_helo_hostname
smtpd_junk_command_limit = 2
smtpd_milters = inet:opendkim.mail-server:8891
# Evaluated left to right: permit_mynetworks exempts trusted clients from the
# client-hostname checks that follow it, and the trailing permit accepts any
# client that survives them. Relay control is NOT here but in smtpd_relay_restrictions.
smtpd_recipient_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain permit_mynetworks reject_unknown_reverse_client_hostname reject_unknown_client_hostname permit
# reject_unauth_destination is what stops an unauthenticated port-25 client from
# sending to arbitrary external recipients. Mail addressed to the virtual domains
# is still accepted, as it must be for inbound delivery to work.
smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination
# SASL backend is wired to dovecot, but since smtpd_sasl_auth_enable is left at
# its default (no) this smtpd does not offer AUTH; authentication happens only on
# the dovecot submission service. Note the path points at dovecot's LMTP listener
# (port 24 in the doveconf output), not an auth listener, so it would not work
# as-is if AUTH were ever enabled here.
smtpd_sasl_path = inet:dovecot.mail-server:24
smtpd_sasl_type = dovecot
# Replacing this list with a bare "reject" would also reject the dovecot relay,
# which reaches this server as an ordinary SMTP client.
smtpd_sender_restrictions = reject_unknown_sender_domain reject_non_fqdn_sender
smtpd_soft_error_limit = 1
smtpd_tls_cert_file = /etc/certs/tls.crt
smtpd_tls_key_file = /etc/certs/tls.key
# Opportunistic TLS: STARTTLS is offered to clients but not required.
smtpd_tls_security_level = may
unknown_address_reject_code = 554
unknown_client_reject_code = 450
unknown_hostname_reject_code = 450
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_recipient_reject_reason = Address lookup failure
unverified_sender_reject_code = 554
virtual_alias_maps = ${mysql}/mysql_virtual_alias_maps.cf
virtual_mailbox_domains = ${mysql}/mysql_virtual_mailbox_domains.cf
virtual_mailbox_limit = 0
virtual_mailbox_maps = ${mysql}/mysql_virtual_mailbox_maps.cf
# Final delivery to dovecot over LMTP (dovecot's "service lmtp" listener on port 24).
virtual_transport = lmtp:inet:dovecot.mail-server:24

doveconf -n

# doveconf -n
# 2.3.4.1 (f79e8e7e4): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.4 ()
# OS: Linux 4.9.0-8-amd64 x86_64 Debian buster/sid ext4
# Hostname: dovecot-0.dovecot.mail-server.svc.cluster.local
# Debug settings. The two *_passwords = yes options write the credentials of
# authentication attempts to the log (log_path = /dev/stderr below, i.e. the
# container log stream); keep them enabled only while troubleshooting.
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = yes
# PLAIN/LOGIN are accepted on unencrypted connections as well. The submission
# listener on port 587 below has no "ssl = yes", so with this setting a client
# may authenticate before STARTTLS and send its password in clear.
disable_plaintext_auth = no
first_valid_gid = 8
first_valid_uid = 8
# PROXY protocol headers are honoured only from this range, on listeners with haproxy = yes.
haproxy_timeout = 5 secs
haproxy_trusted_networks = 10.0.0.0/8
hostname = s2.__SNIP__.com
log_path = /dev/stderr
mail_access_groups = mail
mail_debug = yes
mail_gid = mail
mail_home = /mail/%d/%n
mail_location = maildir:/mail/%d/%n
mail_privileged_group = mail
mail_uid = mail
maildir_stat_dirs = yes
namespace inbox {
 inbox = yes
 location =
 mailbox Drafts {
   auto = subscribe
   special_use = \Drafts
 }
 mailbox Junk {
   auto = subscribe
   special_use = \Junk
 }
 mailbox Sent {
   auto = subscribe
   special_use = \Sent
 }
 mailbox Trash {
   auto = subscribe
   special_use = \Trash
 }
 prefix =
}
# Credentials are looked up through the SQL config file (the SASL/mysql database
# the question refers to); its contents are not shown here.
passdb {
 args = /etc/dovecot/dovecot-sql.conf.ext
 driver = sql
}
postmaster_address = info@__SNIP__.com
# "submission" enables the SMTP submission proxy whose listener and relay hop are defined below.
protocols = " imap lmtp pop3 submission"
service auth-worker {
 unix_listener auth-worker {
   group = mail
   mode = 0660
   user = $default_internal_user
 }
 user = mail
}
# No inet_listener here: dovecot exposes no network SASL endpoint for postfix
# (postfix's smtpd_sasl_path points at the LMTP port 24 instead).
service auth {
 user = $default_internal_user
}
service dict {
 unix_listener dict {
   group = mail
   mode = 0660
 }
}
service imap-login {
 inet_listener imap {
   haproxy = yes
   port = 143
 }
 inet_listener imaps {
   haproxy = yes
   port = 993
   ssl = yes
 }
}
# LMTP delivery from postfix (virtual_transport = lmtp:inet:dovecot.mail-server:24).
service lmtp {
 inet_listener lmtp {
   haproxy = no
   port = 24
 }
}
service pop3-login {
 inet_listener pop3 {
   haproxy = yes
   port = 110
 }
 inet_listener pop3s {
   haproxy = yes
   port = 995
   ssl = yes
 }
}
# The intended sole path for outbound mail: clients authenticate here, then the
# message is handed to postfix via submission_relay_host/port below.
service submission-login {
 inet_listener submission {
   haproxy = no
   port = 587
 }
}
ssl_cert = </certs/tls.crt
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
# Relay hop to postfix. Dovecot connects as an ordinary SMTP client, so postfix's
# smtpd_*_restrictions apply to this hop; a bare "reject" there would block it.
# No submission_relay_ssl appears, so the hop runs in plaintext by default --
# consider submission_relay_ssl = starttls if the two hosts talk over an
# untrusted network. Port 587 on the postfix side requires a matching master.cf
# service, which is not shown.
submission_relay_host = postfix.mail-server
submission_relay_port = 587
userdb {
 driver = prefetch
}
userdb {
 args = /etc/dovecot/dovecot-sql.conf.ext
 driver = sql
}
verbose_ssl = yes
protocol !indexer-worker {
 mail_vsize_bg_after_count = 100
}
protocol lda {
 mail_plugins =
}
protocol imap {
 mail_plugins =
}
protocol lmtp {
 mail_plugins =
 recipient_delimiter = +
}
protocol pop3 {
 mail_plugins =
}

答案是不。如果您拒絕所有發件人,那麼來自 dovecot 的中繼郵件也會被拒絕——對 Postfix 而言,中繼就是發送,dovecot 只是另一個 SMTP 客戶端。所以這只會讓您的伺服器完全無法運作。以上面的設定來說,dovecot 的中繼是靠 `mynetworks`(10.0.0.0/8)中的 `permit_mynetworks` 放行的,而 `smtpd_relay_restrictions` 中的 `reject_unauth_destination` 已經阻止未經身份驗證的 25 埠客戶端把郵件轉發到外部地址;25 埠仍然必須接收寄給您虛擬網域的入站郵件。

引用自:https://serverfault.com/questions/962371