Postfix - outbound SMTP traffic leaves from the wrong interface
I had a Postfix server that was working well (inbound and outbound) until I made some network changes. I added an interface (for a second public IP address, via a VPN tunnel; I intend to run multiple Postfix servers to support different domains on different IP addresses, certificates, etc.).

After the change, Postfix receives inbound mail fine, but outbound traffic leaves from the wrong interface and so mail cannot be delivered (port 25 is blocked on that interface).
mail.log shows "Connection refused" or "Network unreachable" for any external SMTP server. A sample error message from mail.log:

```
Oct 18 17:13:10 vox postfix/smtp[22694]: connect to mx-asp.jvlicenses.com[198.199.107.159]:25: Connection timed out
Oct 18 17:13:10 vox postfix/smtp[22694]: 39DCBA6227: to=<alissandra@jvlicenses.com>, relay=none, delay=1096, delays=1066/0.02/30/0, dsn=4.4.1, status=deferred (connect to mx-asp.jvlicenses.com[198.199.107.159]:25: Connection timed out)
```
I use the smtp_bind_address parameter in master.cf to specify the source address Postfix should use. I have also tried inet_addresses in master.cf, but that doesn't seem to work either. Traffic always leaves via the default gateway rather than the desired interface. (When all of this was working, I think the default route may have been the desired route, but I can't be sure.) What I want is for Postfix to send mail with source IP 10.8.0.8, which, according to my routing rules, should go out interface tun45. Instead, as far as I can tell, Postfix sends using IP 192.168.122.185 on device enp1s0, which is the host's default route. I'm running Postfix version 3.4.14 on Debian 4.19.118-2 (2020-04-24). Below are some additional configuration details, along with the steps I used to test.
Postfix is bound to 10.8.0.8, as shown by netstat:

```
# netstat -ntlp|grep master
tcp        0      0 10.8.0.8:25             0.0.0.0:*               LISTEN      22293/master
tcp        0      0 10.8.0.8:587            0.0.0.0:*               LISTEN      22293/master
tcp        0      0 10.8.0.8:465            0.0.0.0:*               LISTEN      22293/master
```
That address is the tun45 device on the host:

```
# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:4b:2c:5b brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.185/24 brd 192.168.122.255 scope global dynamic noprefixroute enp1s0
       valid_lft 2672sec preferred_lft 2672sec
    inet6 fe80::5054:ff:fe4b:2c5b/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
9: tun45: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.8/24 brd 10.8.0.255 scope global tun45
       valid_lft forever preferred_lft forever
    inet6 fe80::e401:70cf:ba68:88b1/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
11: tun66: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.7/24 brd 10.8.0.255 scope global tun66
       valid_lft forever preferred_lft forever
    inet6 fe80::41d:c2e1:9428:5630/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
```
Routing from IP 10.8.0.8 to any external address (in this case the MTA for jvlicenses.com) should go through device tun45:

```
# ip route get 198.199.107.159 from 10.8.0.8
198.199.107.159 from 10.8.0.8 dev tun45 table t1 uid 0
    cache
```
Routing table t1 has only one entry:

```
# ip route show table t1
default dev tun45 scope link
```
I can connect to the external server on port 25 with netcat using the same source address:

```
# nc -s 10.8.0.8 198.199.107.159 25
220 mx-asp.jvlicenses.com ESMTP Postfix
QUIT
221 2.0.0 Bye
```
tcpdump shows the netcat connection with the correct source address, etc.:

```
# tcpdump -ni tun45 dst port 25
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun45, link-type RAW (Raw IP), capture size 262144 bytes
16:27:02.522570 IP 10.8.0.8.42427 > 198.199.107.159.25: Flags [S], seq 4118387792, win 64240, options [mss 1460,sackOK,TS val 2496426612 ecr 0,nop,wscale 8], length 0
16:27:02.689912 IP 10.8.0.8.42427 > 198.199.107.159.25: Flags [.], ack 1806817019, win 251, options [nop,nop,TS val 2496426779 ecr 75983973], length 0
16:27:02.857545 IP 10.8.0.8.42427 > 198.199.107.159.25: Flags [.], ack 42, win 251, options [nop,nop,TS val 2496426947 ecr 75984142], length 0
16:27:14.393645 IP 10.8.0.8.42427 > 198.199.107.159.25: Flags [P.], seq 0:5, ack 42, win 251, options [nop,nop,TS val 2496438483 ecr 75984142], length 5: SMTP: QUIT
16:27:14.650912 IP 10.8.0.8.42427 > 198.199.107.159.25: Flags [.], ack 57, win 251, options [nop,nop,TS val 2496438740 ecr 75995841], length 0
16:27:14.651089 IP 10.8.0.8.42427 > 198.199.107.159.25: Flags [F.], seq 5, ack 58, win 251, options [nop,nop,TS val 2496438740 ecr 75995842], length 0
```
But when I send an email to that server, there is no traffic on tun45. Instead, I see it going out the default route on device enp1s0:

```
# tcpdump -n dst port 25 -vv
tcpdump: listening on enp1s0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:42:37.321194 IP (tos 0x0, ttl 64, id 1567, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.122.185.34050 > 198.199.107.159.25: Flags [S], cksum 0x6df7 (incorrect -> 0xc5e2), seq 3824536030, win 64240, options [mss 1460,sackOK,TS val 17622374 ecr 0,nop,wscale 8], length 0
```
Confirming that this really is the host's default route, i.e. the one used when the source IP is not 10.8.0.8 (routing table t1):

```
# ip route
default via 192.168.122.1 dev enp1s0 proto dhcp metric 100
10.8.0.0/24 dev tun45 proto kernel scope link src 10.8.0.8
10.8.0.0/24 dev tun66 proto kernel scope link src 10.8.0.7
<...elided entries...>
# ip route get 198.199.107.159
198.199.107.159 via 192.168.122.1 dev enp1s0 src 192.168.122.185 uid 0
    cache
```
master.cf configuration:

```
10.8.0.8:smtp inet n - y - - smtpd -v
  -o smtpd_tls_key_file=/etc/letsencrypt/live/<domain>/privkey.pem
  -o smtpd_tls_cert_file=/etc/letsencrypt/live/<domain>/fullchain.pem
  -o smtp_bind_address=10.8.0.8
  -o myhostname=<host.domain>
10.8.0.8:submission inet n - y - - smtpd -v
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_tls_key_file=/etc/letsencrypt/live/<domain>/privkey.pem
  -o smtpd_tls_cert_file=/etc/letsencrypt/live/<domain>/fullchain.pem
  -o smtp_bind_address=10.8.0.8
  -o myhostname=<host.domain>
10.8.0.8:smtps inet n - y - - smtpd -v
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_tls_key_file=/etc/letsencrypt/live/<domain>/privkey.pem
  -o smtpd_tls_cert_file=/etc/letsencrypt/live/<domain>/fullchain.pem
  -o smtp_bind_address=10.8.0.8
  -o myhostname=<host.domain>
```
And the postconf -n output:

```
# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
compatibility_level = 2
debug_peer_list = 81.3.6.165, 45.55.104.203, 34.209.113.130
delay_warning_time = 4h
disable_vrfy_command = yes
inet_interfaces = all
inet_protocols = all
invalid_hostname_reject_code = 550
mailbox_size_limit = 0
maximal_backoff_time = 3h
milter_default_action = accept
milter_protocol = 6
minimal_backoff_time = 180s
mydestination = localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
non_fqdn_reject_code = 550
non_smtpd_milters = $smtpd_milters
policyd-spf_time_limit = 3600s
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_always_send_ehlo = yes
smtp_helo_timeout = 15s
smtp_rcpt_timeout = 15s
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname
smtpd_milters = local:opendkim/opendkim.sock
smtpd_recipient_limit = 40
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unlisted_recipient, reject_unauth_destination, check_policy_service unix:private/policyd-spf
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_reverse_client_hostname
smtpd_timeout = 30s
smtpd_tls_auth_only = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf, mysql:/etc/postfix/mysql-virtual-email2email.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
```
I'm not doing any SNAT, masquerading, or other iptables stuff on this host. (All of that happens at the other end of the VPN tunnel.)
What am I missing here? Why does outbound Postfix traffic keep going out enp1s0 rather than tun45? Why doesn't it have the source IP set by smtp_bind_address?
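As an added example (not part of the question), the following Python script applies the check described above programmatically rather than by eye: it takes tcpdump output per interface, extracts the source address of every new connection (a bare SYN) to port 25, flags any whose source is not the intended bind address, and ties each one to the deferred queue id in mail.log that names the same MX. The samples are the question's own capture and log lines, embedded as constructed strings so the script runs offline; the interface names are taken from the capture headers.

```python
import re

# Constructed samples: the two tcpdump captures shown in the question, keyed by
# the interface each was taken on (tun45 for the netcat probe, enp1s0 for the
# Postfix delivery attempt), plus the deferred-delivery lines from mail.log.
CAPTURES = {
    "tun45": """\
16:27:02.522570 IP 10.8.0.8.42427 > 198.199.107.159.25: Flags [S], seq 4118387792, win 64240, options [mss 1460,sackOK,TS val 2496426612 ecr 0,nop,wscale 8], length 0
16:27:02.689912 IP 10.8.0.8.42427 > 198.199.107.159.25: Flags [.], ack 1806817019, win 251, options [nop,nop,TS val 2496426779 ecr 75983973], length 0
""",
    "enp1s0": """\
16:42:37.321194 IP (tos 0x0, ttl 64, id 1567, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.122.185.34050 > 198.199.107.159.25: Flags [S], cksum 0x6df7 (incorrect -> 0xc5e2), seq 3824536030, win 64240, options [mss 1460,sackOK,TS val 17622374 ecr 0,nop,wscale 8], length 0
""",
}

MAIL_LOG = """\
Oct 18 17:13:10 vox postfix/smtp[22694]: connect to mx-asp.jvlicenses.com[198.199.107.159]:25: Connection timed out
Oct 18 17:13:10 vox postfix/smtp[22694]: 39DCBA6227: to=<alissandra@jvlicenses.com>, relay=none, delay=1096, delays=1066/0.02/30/0, dsn=4.4.1, status=deferred (connect to mx-asp.jvlicenses.com[198.199.107.159]:25: Connection timed out)
"""

# "src.sport > dst.dport: Flags [..]" as printed by tcpdump -n, with or without -vv.
FLOW_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)
# Postfix smtp client deferral that names the MX it could not connect to.
DEFERRED_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<queue>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>.*?"
    r"status=deferred \(connect to (?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+)"
)


def outbound_syns(capture, dport=25):
    """Return (src, dst) for every new connection (SYN without ACK) to dport."""
    found = []
    for m in FLOW_RE.finditer(capture):
        src, _sport, dst, port, flags = m.groups()
        if int(port) == dport and flags == "S":
            found.append((src, dst))
    return found


def wrong_source(captures, expected_src, dport=25):
    """Flag (iface, src, dst) for connections not sent from the expected bind address."""
    bad = []
    for iface, text in captures.items():
        for src, dst in outbound_syns(text, dport):
            if src != expected_src:
                bad.append((iface, src, dst))
    return bad


def deferred_targets(mail_log):
    """Map each deferred queue id to the (ip, port) of the MX Postfix could not reach."""
    return {m["queue"]: (m["ip"], int(m["port"])) for m in DEFERRED_RE.finditer(mail_log)}


def correlate(captures, mail_log, expected_src):
    """For each deferred delivery, list the captured SYNs to that MX with an unexpected source."""
    bad = wrong_source(captures, expected_src)
    return {q: [b for b in bad if b[2] == ip] for q, (ip, _port) in deferred_targets(mail_log).items()}


if __name__ == "__main__":
    for queue, hits in correlate(CAPTURES, MAIL_LOG, "10.8.0.8").items():
        for iface, src, dst in hits:
            print(f"{queue}: SYN to {dst}:25 left {iface} from {src}, not from 10.8.0.8")
```

On a live host the same functions can be fed the output of `tcpdump -n dst port 25` captured per interface and the current mail.log; a non-empty result from `wrong_source` is the same evidence the question reaches by reading the capture, namely that the smtp client never bound to the tunnel address.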
It's master.cf. The configuration shown above (in my question) only sets smtp_bind_address for inbound traffic, meaning the listening daemons. For outbound traffic, meaning when the Postfix daemon sends mail to other servers, the following line in master.cf must also specify the bind address. In the default/example master.cf the line looks like this:

```
smtp      unix  -       -       y       -       -       smtp
```

It is buried among many other parameters and easy to miss.

Change it to add the bind address, for example:

```
smtp      unix  -       -       y       -       -       smtp -o smtp_bind_address=10.8.0.9
```
Since I run multiple Postfix daemons on the same server to serve multiple domains with different public IPs and certificates, I changed mine to:

```
outbound_domain1.com unix  -       -       y       -       -       smtp -o smtp_bind_address=10.8.0.8 -o smtp_helo_name=domain1.com
```

...and then added a line to /etc/postfix/sender_transport mapping this outbound daemon to the email domain it serves:

```
@domain1.com outbound_domain1.com
```
Of course, you also have to tell Postfix to use that transport map, in main.cf:

```
sender_dependent_default_transport_maps = hash:/etc/postfix/sender_transport
```

Then run postmap to generate the hash file Postfix uses for these lookups.
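As an added illustration (not the poster's own code or files), the following Python script audits a master.cf, a sender_transport source file and a main.cf fragment for exactly the mistake this answer describes: smtp_bind_address present on the smtpd listeners but missing from the smtp client services, so delivery still egresses from the default-route address. It also checks that every transport the sender map names is defined as an smtp client in master.cf and that main.cf actually enables the map. The file contents are constructed excerpts modelled on the question and answer: the listeners are trimmed to the relevant options, the relay line is the shape Debian's stock master.cf uses, and the @domain2.com entry is deliberately broken so the check can be seen firing. The parser follows Postfix's master.cf convention that a line starting with whitespace continues the previous entry.

```python
import re
from dataclasses import dataclass, field

# Constructed master.cf excerpt (not the poster's full file).
MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
10.8.0.8:smtp        inet  n  -  y  -  -  smtpd -v
  -o smtp_bind_address=10.8.0.8
  -o myhostname=<host.domain>
10.8.0.8:submission  inet  n  -  y  -  -  smtpd -v
  -o syslog_name=postfix/submission
  -o smtp_bind_address=10.8.0.8
smtp                 unix  -  -  y  -  -  smtp
relay                unix  -  -  y  -  -  smtp
  -o syslog_name=postfix/$service_name
outbound_domain1.com unix  -  -  y  -  -  smtp
  -o smtp_bind_address=10.8.0.8
  -o smtp_helo_name=domain1.com
"""

# Constructed sender_transport source; the second line names a transport that
# the master.cf above does not define.
SENDER_TRANSPORT = """\
@domain1.com  outbound_domain1.com
@domain2.com  outbound_domain2.com
"""

# Constructed main.cf fragment.
MAIN_CF = """\
sender_dependent_default_transport_maps = hash:/etc/postfix/sender_transport
"""


@dataclass
class Service:
    name: str
    type: str
    command: str
    options: dict = field(default_factory=dict)


def parse_master_cf(text):
    """Split master.cf into services and collect each one's -o key=value overrides."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and entries:   # continuation of the previous service
            entries[-1].extend(raw.split())
        else:
            entries.append(raw.split())
    services = []
    for f in entries:
        if len(f) < 8:  # name type private unpriv chroot wakeup maxproc command
            continue
        opts, args = {}, f[8:]
        for i, tok in enumerate(args):
            if tok == "-o" and i + 1 < len(args) and "=" in args[i + 1]:
                key, val = args[i + 1].split("=", 1)
                opts[key] = val
        services.append(Service(f[0], f[1], f[7], opts))
    return services


def parse_transport_map(text):
    """Return {pattern: transport} from a postmap source file, dropping any :nexthop suffix."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            pattern, result = line.split(None, 1)
            mapping[pattern] = result.strip().split(":", 1)[0]
    return mapping


def audit(master_cf, sender_transport, main_cf, allowed_binds):
    """List the configuration problems that make outbound mail leave from the wrong address."""
    services = parse_master_cf(master_cf)
    clients = {s.name for s in services if s.command == "smtp"}
    findings = []
    for s in services:
        bind = s.options.get("smtp_bind_address")
        if s.command == "smtp" and bind is None:
            findings.append(f"{s.name}: smtp client without smtp_bind_address, egress follows the default route")
        elif s.command == "smtp" and bind not in allowed_binds:
            findings.append(f"{s.name}: smtp_bind_address={bind} is not one of {sorted(allowed_binds)}")
        elif s.command == "smtpd" and bind is not None:
            # smtp_bind_address is an smtp client parameter; the smtpd listener never uses it.
            findings.append(f"{s.name}: smtp_bind_address on an smtpd listener does not affect outbound mail")
    for pattern, transport in parse_transport_map(sender_transport).items():
        if transport not in clients:
            findings.append(f"{pattern}: transport '{transport}' is not an smtp client in master.cf")
    if not re.search(r"^\s*sender_dependent_default_transport_maps\s*=\s*\S", main_cf, re.M):
        findings.append("main.cf: sender_dependent_default_transport_maps not set, sender_transport is never consulted")
    return findings


def run_audit():
    """Audit the constructed samples; the allowed bind set is the tunnel address from the question."""
    return audit(MASTER_CF, SENDER_TRANSPORT, MAIN_CF, {"10.8.0.8"})


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

To run it against a real installation, pass the contents of /etc/postfix/master.cf, the sender_transport source file and /etc/postfix/main.cf to `audit`, with the set of addresses the outbound services are supposed to bind to. A clean result means every smtp client entry binds to an approved address and every sender-map entry resolves to one of those clients; it does not verify the kernel routing for those addresses, which is what the `ip route get ... from` check in the question covers.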