Postfix
Postfix 收件人地址被拒絕:刪除 permit_mynetworks 後出現訪問被拒絕(Access denied)錯誤
我有一個郵件伺服器,因為濫用問題,必須從 Postfix 配置文件(main.cf)中刪除“permit_mynetworks”。我將它設置為只允許經過 SASL 驗證(authenticated)的中繼。但是現在,Postfix 會拒絕任何外部(非本地域)收件人。有人可以告訴我有什麼問題嗎?提前致謝!
以下是配置:
main.cf:
# NOTE(review): this listing arrived with its line breaks collapsed, so the
# boundaries between comments and parameters below are not reliable; compare
# against the file on disk or the output of `postconf -n` before acting on it.
# Points a reviewer would check in the settings shown:
# - smtpd_sasl_auth_enable = yes together with smtpd_tls_auth_only = no and
#   smtpd_tls_security_level = may means SASL AUTH is offered without requiring
#   TLS, although the comment preceding those settings says TLS-encrypted
#   authentication is forced.
# - smtpd_relay_restrictions = permit_sasl_authenticated, reject is the relay
#   gate; permit_mynetworks still appears in smtpd_sender_restrictions,
#   smtpd_recipient_restrictions and postscreen_access_list, with
#   mynetworks = 127.0.0.1 [::1].
# - The smtpd/smtp/lmtp *_tls_protocols lines exclude only SSLv2 and SSLv3.
# -------------------- # INSTALL-TIME CONFIGURATION INFORMATION # # location of the Postfix queue. Default is /var/spool/postfix. queue_directory = /var/spool/postfix # location of all postXXX commands. Default is /usr/sbin. command_directory = /usr/sbin # location of all Postfix daemon programs (i.e. programs listed in the # master.cf file). This directory must be owned by root. # Default is /usr/libexec/postfix daemon_directory = /usr/lib/postfix/sbin # location of Postfix-writable data files (caches, random numbers). # This directory must be owned by the mail_owner account (see below). # Default is /var/lib/postfix. data_directory = /var/lib/postfix # owner of the Postfix queue and of most Postfix daemon processes. # Specify the name of a user account THAT DOES NOT SHARE ITS USER OR GROUP ID # WITH OTHER ACCOUNTS AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM. # In particular, don't specify nobody or daemon. PLEASE USE A DEDICATED USER. # Default is postfix. mail_owner = postfix # The following parameters are used when installing a new Postfix version. # # sendmail_path: The full pathname of the Postfix sendmail command. # This is the Sendmail-compatible mail posting interface. # sendmail_path = /usr/sbin/sendmail # newaliases_path: The full pathname of the Postfix newaliases command. # This is the Sendmail-compatible command to build alias databases. # newaliases_path = /usr/bin/newaliases # full pathname of the Postfix mailq command. This is the Sendmail-compatible # mail queue listing command. mailq_path = /usr/bin/mailq # group for mail submission and queue management commands. # This must be a group name with a numerical group ID that is not shared with # other accounts, not even with the Postfix account. setgid_group = postdrop # external command that is executed when a Postfix daemon program is run with # the -D option. # # Use "command .. & sleep 5" so that the debugger can attach before # the process marches on. 
If you use an X-based debugger, be sure to # set up your XAUTHORITY environment variable before starting Postfix. # debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5 debug_peer_level = 2 # -------------------- # CUSTOM SETTINGS # # SMTP server response code when recipient or domain not found. unknown_local_recipient_reject_code = 550 # Do not notify local user. biff = no # Disable the rewriting of "site!user" into "user@site". swap_bangpath = no # Disable the rewriting of the form "user%domain" to "user@domain". allow_percent_hack = no # Allow recipient address start with '-'. allow_min_user = no # Disable the SMTP VRFY command. This stops some techniques used to # harvest email addresses. disable_vrfy_command = yes # Enable both IPv4 and/or IPv6: ipv4, ipv6, all. inet_protocols = all # Enable all network interfaces. inet_interfaces = all # # TLS settings. # # SSL key, certificate, CA # smtpd_tls_key_file = /etc/ssl/private/iRedMail.key smtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt smtpd_tls_CAfile = /etc/ssl/certs/iRedMail.crt smtpd_tls_CApath = /etc/ssl/certs # # Disable SSLv2, SSLv3 # smtpd_tls_protocols = !SSLv2 !SSLv3 smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3 smtp_tls_protocols = !SSLv2 !SSLv3 smtp_tls_mandatory_protocols = !SSLv2 !SSLv3 lmtp_tls_protocols = !SSLv2 !SSLv3 lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3 # # Fix 'The Logjam Attack'. # smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA smtpd_tls_dh512_param_file = /etc/ssl/dh512_param.pem smtpd_tls_dh1024_param_file = /etc/ssl/dh2048_param.pem tls_random_source = dev:/dev/urandom # Log only a summary message on TLS handshake completion — no logging of client # certificate trust-chain verification errors if client certificate # verification is not required. 
With Postfix 2.8 and earlier, log the summary # message, peer certificate summary information and unconditionally log # trust-chain verification errors. smtp_tls_loglevel = 1 smtpd_tls_loglevel = 1 # Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do # not require that clients use TLS encryption. smtpd_tls_security_level = may # Produce `Received:` message headers that include information about the # protocol and cipher used, as well as the remote SMTP client CommonName and # client certificate issuer CommonName. # This is disabled by default, as the information may be modified in transit # through other mail servers. Only information that was recorded by the final # destination can be trusted. #smtpd_tls_received_header = yes # Opportunistic TLS, used when Postfix sends email to remote SMTP server. # Use TLS if this is supported by the remote SMTP server, otherwise use # plaintext. # References: # - http://www.postfix.org/TLS_README.html#client_tls_may # - http://www.postfix.org/postconf.5.html#smtp_tls_security_level smtp_tls_security_level = may # Use the same CA file as smtpd. smtp_tls_CApath = /etc/ssl/certs smtp_tls_CAfile = $smtpd_tls_CAfile smtp_tls_note_starttls_offer = yes # Enable long, non-repeating, queue IDs (queue file names). # The benefit of non-repeating names is simpler logfile analysis and easier # queue migration (there is no need to run "postsuper" to change queue file # names that don't match their message file inode number). enable_long_queue_ids = yes # Reject unlisted sender and recipient smtpd_reject_unlisted_recipient = no smtpd_reject_unlisted_sender = no # Header and body checks with PCRE table header_checks = pcre:/etc/postfix/header_checks body_checks = pcre:/etc/postfix/body_checks.pcre # A mechanism to transform commands from remote SMTP clients. # This is a last-resort tool to work around client commands that break # interoperability with the Postfix SMTP server. 
Other uses involve fault # injection to test Postfix's handling of invalid commands. # Requires Postfix-2.7+. smtpd_command_filter = pcre:/etc/postfix/command_filter.pcre # Relay restriction smtpd_relay_restrictions = permit_sasl_authenticated, reject # HELO restriction smtpd_helo_required = yes smtpd_helo_restrictions = permit_sasl_authenticated check_helo_access pcre:/etc/postfix/helo_access.pcre reject_non_fqdn_helo_hostname reject_unknown_helo_hostname # Sender restrictions smtpd_sender_restrictions = permit_sasl_authenticated permit_mynetworks check_sender_access pcre:/etc/postfix/sender_access.pcre reject # Recipient restrictions smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:7777 permit_sasl_authenticated permit_mynetworks check_policy_service inet:127.0.0.1:12340 reject_unauth_destination # END-OF-MESSAGE restrictions smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:7777 # Data restrictions smtpd_data_restrictions = reject_unauth_pipelining # SRS (Sender Rewriting Scheme) support #sender_canonical_maps = tcp:127.0.0.1:7778 #sender_canonical_classes = envelope_sender #recipient_canonical_maps = tcp:127.0.0.1:7779 #recipient_canonical_classes= envelope_recipient,header_recipient proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions $sender_dependent_relayhost_maps # Avoid duplicate recipient messages. Default is 'yes'. enable_original_recipient = no # Virtual support. virtual_minimum_uid = 2000 virtual_uid_maps = static:2000 virtual_gid_maps = static:2000 virtual_mailbox_base = /var/vmail # Do not set virtual_alias_domains. 
virtual_alias_domains = # # Enable SASL authentication on port 25 and force TLS-encrypted SASL authentication. # WARNING: NOT RECOMMENDED to enable smtp auth on port 25, all end users should # be forced to submit email through port 587 instead. # smtpd_sasl_auth_enable = yes smtpd_delay_reject = yes smtpd_sasl_security_options = noanonymous smtpd_tls_auth_only = no smtpd_client_restrictions = permit_sasl_authenticated broken_sasl_auth_clients = yes # hostname myhostname = mail.ads-network.top myorigin = mail.ads-network.top mydomain = mail.ads-network.top # trusted SMTP clients which are allowed to relay mail through Postfix. # # Note: additional IP addresses/networks listed in mynetworks should be listed # in iRedAPD setting 'MYNETWORKS' (in `/opt/iredapd/settings.py`) too. # for example: # # MYNETWORKS = ['xx.xx.xx.xx', 'xx.xx.xx.0/24', ...] # mynetworks = 127.0.0.1 [::1] # Accepted local emails mydestination = $myhostname, localhost, localhost.localdomain alias_maps = hash:/etc/postfix/aliases alias_database = hash:/etc/postfix/aliases # Default message_size_limit. message_size_limit = 15728640 # The set of characters that can separate a user name from its extension # (example: user+foo), or a .forward file name from its extension (example: # .forward+foo). # Postfix 2.11 and later supports multiple characters. recipient_delimiter = + # The time after which the sender receives a copy of the message headers of # mail that is still queued. Default setting is disabled (0h) by Postfix. #delay_warning_time = 1h # Do not display the name of the recipient table in the "User unknown" responses. # The extra detail makes trouble shooting easier but also reveals information # that is nobody elses business. 
show_user_unknown_table_name = no compatibility_level = 2 # # Lookup virtual mail accounts # transport_maps = proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf proxy:mysql:/etc/postfix/mysql/transport_maps_maillist.cf proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf sender_dependent_relayhost_maps = proxy:mysql:/etc/postfix/mysql/sender_dependent_relayhost_maps.cf # Lookup table with the SASL login names that own the sender (MAIL FROM) addresses. smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf relay_domains = $mydestination proxy:mysql:/etc/postfix/mysql/relay_domains.cf virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf proxy:mysql:/etc/postfix/mysql/catchall_maps.cf proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf sender_bcc_maps = proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf # # Postscreen # postscreen_greet_action = drop postscreen_blacklist_action = drop postscreen_dnsbl_action = drop postscreen_dnsbl_threshold = 2 # Attention: # - zen.spamhaus.org free tire has 3 limits # (https://www.spamhaus.org/organization/dnsblusage/): # # 1) Your use of the Spamhaus DNSBLs is non-commercial*, and # 2) Your email traffic is less than 100,000 SMTP connections per day, and # 3) Your DNSBL query volume is less than 300,000 queries per day. # # - FAQ: "Your DNSBL blocks nothing at all!" # https://www.spamhaus.org/faq/section/DNSBL%20Usage#261 # # It's strongly recommended to use a local DNS server for cache. 
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]*3 b.barracudacentral.org=127.0.0.2*2 postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr # Require Postfix-2.11+ postscreen_dnsbl_whitelist_threshold = -2 # # Dovecot SASL support. # smtpd_sasl_type = dovecot smtpd_sasl_path = private/dovecot-auth virtual_transport = dovecot dovecot_destination_recipient_limit = 1 # # mlmmj - mailing list manager # mlmmj_destination_recipient_limit = 1 # # Amavisd + SpamAssassin + ClamAV # content_filter = smtp-amavis:[127.0.0.1]:10024 # Concurrency per recipient limit. smtp-amavis_destination_recipient_limit = 1000 relayhost =
master.cf:
# NOTE(review): this listing arrived with its line breaks collapsed, so the
# boundaries between comments and service entries below are not reliable;
# compare against the file on disk before acting on it.
# The two localhost re-injection listeners differ in their recipient restrictions:
#   127.0.0.1:10025 (Amavisd): -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#   127.0.0.1:10028 (mlmmj):   -o smtpd_recipient_restrictions=permit_mynetworks,reject
# Both entries set -o mynetworks=127.0.0.0/8 and
# -o smtpd_client_restrictions=permit_mynetworks,reject.
# The 10025 entry therefore has no rule that permits an unauthenticated loopback
# client at the recipient stage, which is consistent with the
# "Recipient address rejected: Access denied" reply reported from 127.0.0.1:10025.
# # Postfix master process configuration file. For details on the format # of the file, see the master(5) manual page (command: "man 5 master" or # on-line: http://www.postfix.org/master.5.html). # # Do not forget to execute "postfix reload" after editing this file. # # ========================================================================== # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (no) (never) (100) # ========================================================================== #smtp inet n - y - 1 postscreen #smtpd pass - - y - - smtpd smtp inet n - - - - smtpd dnsblog unix - - y - 0 dnsblog tlsproxy unix - - y - 0 tlsproxy #submission inet n - y - - smtpd # -o syslog_name=postfix/submission # -o smtpd_tls_security_level=encrypt # -o smtpd_sasl_auth_enable=yes # -o smtpd_tls_auth_only=yes # -o smtpd_reject_unlisted_recipient=no # -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions # -o smtpd_recipient_restrictions= # -o smtpd_relay_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING #smtps inet n - y - - smtpd # -o syslog_name=postfix/smtps # -o smtpd_tls_wrappermode=yes # -o smtpd_sasl_auth_enable=yes # -o smtpd_reject_unlisted_recipient=no # -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions # -o smtpd_recipient_restrictions= # -o smtpd_relay_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING #628 inet n - y - - qmqpd #smtp inet n - - - - smtpd pickup unix n - n 60 1 pickup -o content_filter=smtp-amavis:[127.0.0.1]:10026 cleanup unix n - n - 0 cleanup #qmgr unix n - n 300 1 oqmgr qmgr unix n - n 300 1 qmgr tlsmgr unix - - n 1000? 
1 tlsmgr rewrite unix - - n - - trivial-rewrite bounce unix - - n - 0 bounce defer unix - - n - 0 bounce trace unix - - n - 0 bounce verify unix - - n - 1 verify flush unix n - n 1000? 0 flush proxymap unix - - n - - proxymap proxywrite unix - - n - 1 proxymap smtp unix - - n - - smtp # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 relay unix - - n - - smtp -o syslog_name=postfix/$service_name showq unix n - n - - showq error unix - - n - - error retry unix - - n - - error discard unix - - n - - discard local unix - n n - - local virtual unix - n n - - virtual lmtp unix - - n - - lmtp anvil unix - - n - 1 anvil scache unix - - n - 1 scache # # ==================================================================== # Interfaces to non-Postfix software. Be sure to examine the manual # pages of the non-Postfix software to find out what options it wants. # # Many of the following services use the Postfix pipe(8) delivery # agent. See the pipe(8) man page for information about ${recipient} # and other message envelope options. # ==================================================================== # # maildrop. See the Postfix MAILDROP_README file for details. # Also specify in main.cf: maildrop_destination_recipient_limit=1 # postlog unix-dgram n - n - 1 postlogd # # ==================================================================== # # Recent Cyrus versions can use the existing "lmtp" master.cf entry. 
# # Specify in cyrus.conf: # lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 # # Specify in main.cf one or more of the following: # mailbox_transport = lmtp:inet:localhost # virtual_transport = lmtp:inet:localhost # # ==================================================================== # # Cyrus 2.1.5 (Amos Gouaux) # Also specify in main.cf: cyrus_destination_recipient_limit=1 # #cyrus unix - n n - - pipe # user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} # # ==================================================================== # Old example of delivery via Cyrus. # #old-cyrus unix - n n - - pipe # flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} # # ==================================================================== # # See the Postfix UUCP_README file for configuration details. # maildrop unix - n n - - pipe flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} # # Other external delivery methods. # uucp unix - n n - - pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) ifmail unix - n n - - pipe flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) bsmtp unix - n n - - pipe flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient scalemail-backend unix - n n - 2 pipe flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} mailman unix - n n - - pipe flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user} # Submission, port 587, force TLS connection. submission inet n - n - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o content_filter=smtp-amavis:[127.0.0.1]:10026 # smtps, port 465, force SSL connection. 
465 inet n - n - - smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o content_filter=smtp-amavis:[127.0.0.1]:10026 # Use dovecot's `deliver` program as LDA. dovecot unix - n n - - pipe flags=DRh user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${domain} -m ${extension} # mlmmj - mailing list manager # ${nexthop} is '%d/%u' in transport ('mlmmj:%d/%u') mlmmj unix - n n - - pipe flags=ORhu user=mlmmj:mlmmj argv=/usr/bin/mlmmj-amime-receive -L /var/vmail/mlmmj/${nexthop} # Amavisd integration. smtp-amavis unix - - n - 4 smtp -o syslog_name=postfix/amavis -o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes -o disable_dns_lookups=yes -o max_use=20 # smtp port used by Amavisd to re-inject scanned email back to Postfix 127.0.0.1:10025 inet n - n - - smtpd -o syslog_name=postfix/10025 -o content_filter= -o mynetworks_style=host -o mynetworks=127.0.0.0/8 -o local_recipient_maps= -o relay_recipient_maps= -o strict_rfc821_envelopes=yes -o smtp_tls_security_level=none -o smtpd_tls_security_level=none -o smtpd_restriction_classes= -o smtpd_delay_reject=no -o smtpd_client_restrictions=permit_mynetworks,reject -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject -o smtpd_end_of_data_restrictions= -o smtpd_error_sleep_time=0 -o smtpd_soft_error_limit=1001 -o smtpd_hard_error_limit=1000 -o smtpd_client_connection_count_limit=0 -o smtpd_client_connection_rate_limit=0 -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings # smtp port used by mlmmj to re-inject scanned email back to Postfix, with # address mapping support 127.0.0.1:10028 inet n - n - - smtpd -o syslog_name=postfix/10028 -o content_filter= -o mynetworks_style=host -o mynetworks=127.0.0.0/8 -o local_recipient_maps= -o relay_recipient_maps= -o 
strict_rfc821_envelopes=yes -o smtp_tls_security_level=none -o smtpd_tls_security_level=none -o smtpd_restriction_classes= -o smtpd_delay_reject=no -o smtpd_client_restrictions=permit_mynetworks,reject -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o smtpd_end_of_data_restrictions= -o smtpd_error_sleep_time=0 -o smtpd_soft_error_limit=1001 -o smtpd_hard_error_limit=1000 -o smtpd_client_connection_count_limit=0 -o smtpd_client_connection_rate_limit=0 -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
此外,這是 Postfix 報告的診斷資訊(Diagnostic-Code):
Diagnostic-Code: smtp; 554 5.7.1 id=17953-16 - Rejected by next-hop MTA on relaying, from MTA(smtp:[127.0.0.1]:10025): 554 5.7.1 <******@outlook.com>: Recipient address rejected: Access denied
從您的 master.cf 來看,您有一個 smtpd 守護程序在埠 10025 上偵聽,用來接收 amavis 掃描後重新注入的電子郵件:
# smtp port used by mlmmj to re-inject scanned email back to Postfix, with # address mapping support 127.0.0.1:10028 inet n - n - - smtpd
(注意:上面引用的註釋行和服務行屬於埠 10028 的 mlmmj 條目;埠 10025 的 Amavisd 條目在 master.cf 中緊接在它之前。)正如您所描述的以及您的日誌告訴我們的那樣,埠 10025 上的此守護程序要求 SASL 驗證:
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
你的日誌:
Diagnostic-Code: smtp; 554 5.7.1 id=17953-16 - Rejected by next-hop MTA on relaying, from MTA(smtp:[127.0.0.1]:10025): 554 5.7.1 <******@outlook.com>: Recipient address rejected: Access denied
然而,amavis 把郵件重新注入 Postfix 時不使用 SASL 驗證,因此被拒絕。
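我建議您至少為該特定守護程序允許環回 IP 地址 127.0.0.1。例如,可以像埠 10028 的條目那樣,把埠 10025 條目的 -o smtpd_recipient_restrictions 設為 permit_mynetworks,reject,然後執行 postfix reload。該條目只綁定在 127.0.0.1 上,並且已設有 -o mynetworks=127.0.0.0/8 和 -o smtpd_client_restrictions=permit_mynetworks,reject,所以這樣做不會造成太大的風險;但要注意,本機上任何能連接此埠的程序都可以經由它投遞郵件且不再經過內容過濾,因此不要把該條目的 mynetworks 擴大到環回位址之外。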
此外,由於 amavis 與 Postfix 在同一台伺服器上執行,您可以改用本機套接字(Unix domain socket)代替 TCP 埠來進行優化。