Postfix

後綴:通過設置了 permit_sasl_authenticated 的 SASL 拒絕中繼訪問

  • March 4, 2015

我在 Ubuntu 10.04 LTS 中安裝了 Postfix 2.7。

當我嘗試從 Outlook(使用 smtp auth)向 gmail 帳戶(或其他帳戶)發送郵件時,中繼訪問被拒絕。

日誌(我偽造了電子郵件):

Feb 24 16:49:16 vm1613 imapd: Connection, ip=[::ffff:95.239.57.160]
Feb 24 16:49:16 vm1613 imapd: LOGIN, user=real.user@example.com, ip=[::ffff:95.239.57.160], port=[52330], protocol=IMAP
Feb 24 16:49:16 vm1613 imapd: Connection, ip=[::ffff:95.239.57.160]
Feb 24 16:49:16 vm1613 imapd: LOGIN, user=real.user@example.com, ip=[::ffff:95.239.57.160], port=[52331], protocol=IMAP
Feb 24 16:49:17 vm1613 imapd: Connection, ip=[::ffff:95.239.57.160]
Feb 24 16:49:17 vm1613 imapd: LOGIN, user=real.user@example.com, ip=[::ffff:95.239.57.160], port=[52332], protocol=IMAP
Feb 24 16:49:18 vm1613 imapd: Connection, ip=[::ffff:95.239.57.160]
Feb 24 16:49:18 vm1613 imapd: Connection, ip=[::ffff:95.239.57.160]
Feb 24 16:49:18 vm1613 imapd: LOGIN, user=real.user@example.com, ip=[::ffff:95.239.57.160], port=[52334], protocol=IMAP
Feb 24 16:49:18 vm1613 imapd: LOGIN, user=real.user@example.com, ip=[::ffff:95.239.57.160], port=[52335], protocol=IMAP
Feb 24 16:49:22 vm1613 postfix/smtpd[7157]: warning: 95.239.57.160: hostname host160-57-dynamic.239-95-r.retail.telecomitalia.it verification failed: Name or service not known
Feb 24 16:49:22 vm1613 postfix/smtpd[7157]: connect from unknown[95.239.57.160]
Feb 24 16:49:22 vm1613 postfix/smtpd[7157]: NOQUEUE: reject: RCPT from unknown[95.239.57.160]: 554 5.7.1 <real.user@gmail.com>: Relay access denied; from=<real.user@example.com> to=<real.user@gmail.com> proto=ESMTP helo=<AllePC>

為什麼會這樣?我已經permit_sasl_authenticatedsmtpd_recipient_restrictions

root@vm1613:/etc/postfix# postconf smtpd_recipient_restrictions
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination

postconf -n輸出

root@vm1613:~# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
disable_vrfy_command = yes
inet_interfaces = all
mailbox_size_limit = 0
message_size_limit = 0
mydestination = $mydomain, $myhostname, localhost, localhost.localdomain
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mynetworks_style = host
myorigin = /etc/mailname
readme_directory = no
receive_override_options = no_address_mappings
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions = permit_mynetworks
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated, check_client_access pcre:/var/spool/postfix/plesk/non_auth.re
smtpd_tls_cert_file = /etc/ssl/private/vm1613.cs17.seeweb.it.crt
smtpd_tls_key_file = /etc/ssl/private/vm1613.cs17.seeweb.it.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = mysql:/etc/postfix/maps/alias.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/spool/mail/virtual
virtual_mailbox_domains = mysql:/etc/postfix/maps/domain.cf
virtual_mailbox_limit = 0
virtual_mailbox_maps = mysql:/etc/postfix/maps/user.cf
virtual_uid_maps = static:5000

saslfinger -s輸出

saslfinger - postfix Cyrus sasl configuration Sun Feb 24 23:23:50 CET 2013
version: 1.0.4
mode: server-side SMTP AUTH

-- basics --
Postfix: 2.7.0
System: Ubuntu 10.04.4 LTS \n \l

-- smtpd is linked to --
 libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00007f66614f3000)

-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = 
smtpd_sasl_security_options = noanonymous
smtpd_tls_cert_file = /etc/ssl/private/vm1613.cs17.seeweb.it.crt
smtpd_tls_key_file = /etc/ssl/private/vm1613.cs17.seeweb.it.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes


-- listing of /usr/lib64/sasl2 --
total 1044
drwxr-xr-x  2 root root  4096 Nov 11 15:33 .
drwxr-xr-x 66 root root 20480 Feb 22 06:27 ..
-rw-r--r--  1 root root 20092 Mar 31  2010 libanonymous.a
-rw-r--r--  1 root root   990 Mar 31  2010 libanonymous.la
-rw-r--r--  1 root root 18528 Mar 31  2010 libanonymous.so
-rw-r--r--  1 root root 18528 Mar 31  2010 libanonymous.so.2
-rw-r--r--  1 root root 18528 Mar 31  2010 libanonymous.so.2.0.23
-rw-r--r--  1 root root 23802 Mar 31  2010 libcrammd5.a
-rw-r--r--  1 root root   976 Mar 31  2010 libcrammd5.la
-rw-r--r--  1 root root 22624 Mar 31  2010 libcrammd5.so
-rw-r--r--  1 root root 22624 Mar 31  2010 libcrammd5.so.2
-rw-r--r--  1 root root 22624 Mar 31  2010 libcrammd5.so.2.0.23
-rw-r--r--  1 root root 65912 Mar 31  2010 libdigestmd5.a
-rw-r--r--  1 root root   999 Mar 31  2010 libdigestmd5.la
-rw-r--r--  1 root root 51752 Mar 31  2010 libdigestmd5.so
-rw-r--r--  1 root root 51752 Mar 31  2010 libdigestmd5.so.2
-rw-r--r--  1 root root 51752 Mar 31  2010 libdigestmd5.so.2.0.23
-rw-r--r--  1 root root 20590 Mar 31  2010 liblogin.a
-rw-r--r--  1 root root   970 Mar 31  2010 liblogin.la
-rw-r--r--  1 root root 18520 Mar 31  2010 liblogin.so
-rw-r--r--  1 root root 18520 Mar 31  2010 liblogin.so.2
-rw-r--r--  1 root root 18520 Mar 31  2010 liblogin.so.2.0.23
-rw-r--r--  1 root root 42012 Mar 31  2010 libntlm.a
-rw-r--r--  1 root root   964 Mar 31  2010 libntlm.la
-rw-r--r--  1 root root 34904 Mar 31  2010 libntlm.so
-rw-r--r--  1 root root 34904 Mar 31  2010 libntlm.so.2
-rw-r--r--  1 root root 34904 Mar 31  2010 libntlm.so.2.0.23
-rw-r--r--  1 root root 20454 Mar 31  2010 libplain.a
-rw-r--r--  1 root root   970 Mar 31  2010 libplain.la
-rw-r--r--  1 root root 18520 Mar 31  2010 libplain.so
-rw-r--r--  1 root root 18520 Mar 31  2010 libplain.so.2
-rw-r--r--  1 root root 18520 Mar 31  2010 libplain.so.2.0.23
-rw-r--r--  1 root root 30332 Mar 31  2010 libsasldb.a
-rw-r--r--  1 root root  1001 Mar 31  2010 libsasldb.la
-rw-r--r--  1 root root 22464 Mar 31  2010 libsasldb.so
-rw-r--r--  1 root root 22464 Mar 31  2010 libsasldb.so.2
-rw-r--r--  1 root root 22464 Mar 31  2010 libsasldb.so.2.0.23
-rw-r--r--  1 root root 35984 Mar 31  2010 libsql.a
-rw-r--r--  1 root root  1099 Mar 31  2010 libsql.la
-rw-r--r--  1 root root 30736 Mar 31  2010 libsql.so
-rw-r--r--  1 root root 30736 Mar 31  2010 libsql.so.2
-rw-r--r--  1 root root 30736 Mar 31  2010 libsql.so.2.0.23
-rw-r--r--  1 root root 18712 Aug  1  2011 libsqlite.so

-- listing of /usr/lib/sasl2 --
total 1044
drwxr-xr-x  2 root root  4096 Nov 11 15:33 .
drwxr-xr-x 66 root root 20480 Feb 22 06:27 ..
-rw-r--r--  1 root root 20092 Mar 31  2010 libanonymous.a
-rw-r--r--  1 root root   990 Mar 31  2010 libanonymous.la
-rw-r--r--  1 root root 18528 Mar 31  2010 libanonymous.so
-rw-r--r--  1 root root 18528 Mar 31  2010 libanonymous.so.2
-rw-r--r--  1 root root 18528 Mar 31  2010 libanonymous.so.2.0.23
-rw-r--r--  1 root root 23802 Mar 31  2010 libcrammd5.a
-rw-r--r--  1 root root   976 Mar 31  2010 libcrammd5.la
-rw-r--r--  1 root root 22624 Mar 31  2010 libcrammd5.so
-rw-r--r--  1 root root 22624 Mar 31  2010 libcrammd5.so.2
-rw-r--r--  1 root root 22624 Mar 31  2010 libcrammd5.so.2.0.23
-rw-r--r--  1 root root 65912 Mar 31  2010 libdigestmd5.a
-rw-r--r--  1 root root   999 Mar 31  2010 libdigestmd5.la
-rw-r--r--  1 root root 51752 Mar 31  2010 libdigestmd5.so
-rw-r--r--  1 root root 51752 Mar 31  2010 libdigestmd5.so.2
-rw-r--r--  1 root root 51752 Mar 31  2010 libdigestmd5.so.2.0.23
-rw-r--r--  1 root root 20590 Mar 31  2010 liblogin.a
-rw-r--r--  1 root root   970 Mar 31  2010 liblogin.la
-rw-r--r--  1 root root 18520 Mar 31  2010 liblogin.so
-rw-r--r--  1 root root 18520 Mar 31  2010 liblogin.so.2
-rw-r--r--  1 root root 18520 Mar 31  2010 liblogin.so.2.0.23
-rw-r--r--  1 root root 42012 Mar 31  2010 libntlm.a
-rw-r--r--  1 root root   964 Mar 31  2010 libntlm.la
-rw-r--r--  1 root root 34904 Mar 31  2010 libntlm.so
-rw-r--r--  1 root root 34904 Mar 31  2010 libntlm.so.2
-rw-r--r--  1 root root 34904 Mar 31  2010 libntlm.so.2.0.23
-rw-r--r--  1 root root 20454 Mar 31  2010 libplain.a
-rw-r--r--  1 root root   970 Mar 31  2010 libplain.la
-rw-r--r--  1 root root 18520 Mar 31  2010 libplain.so
-rw-r--r--  1 root root 18520 Mar 31  2010 libplain.so.2
-rw-r--r--  1 root root 18520 Mar 31  2010 libplain.so.2.0.23
-rw-r--r--  1 root root 30332 Mar 31  2010 libsasldb.a
-rw-r--r--  1 root root  1001 Mar 31  2010 libsasldb.la
-rw-r--r--  1 root root 22464 Mar 31  2010 libsasldb.so
-rw-r--r--  1 root root 22464 Mar 31  2010 libsasldb.so.2
-rw-r--r--  1 root root 22464 Mar 31  2010 libsasldb.so.2.0.23
-rw-r--r--  1 root root 35984 Mar 31  2010 libsql.a
-rw-r--r--  1 root root  1099 Mar 31  2010 libsql.la
-rw-r--r--  1 root root 30736 Mar 31  2010 libsql.so
-rw-r--r--  1 root root 30736 Mar 31  2010 libsql.so.2
-rw-r--r--  1 root root 30736 Mar 31  2010 libsql.so.2.0.23
-rw-r--r--  1 root root 18712 Aug  1  2011 libsqlite.so

-- listing of /etc/postfix/sasl --
total 16
drwxr-xr-x 2 root root 4096 Nov 11 16:32 .
drwxr-xr-x 4 root root 4096 Feb 24 17:39 ..
-rwx------ 1 root root  243 Nov 11 16:32 smtpd.conf
-rw-r--r-- 1 root root  403 Nov 11 16:32 smtpd.conf.backup




-- content of /etc/postfix/sasl/smtpd.conf --
pwcheck_method: saslauthd
auxprop_plugin: sql
mech_list: plain login
sql_engine: mysql
sql_hostnames: 127.0.0.1
sql_user: --- replaced ---
sql_passwd: --- replaced ---
sql_database: mail
sql_select: SELECT password FROM user WHERE email='%u@%r' AND enabled = 1

-- content of /etc/postfix/sasl/smtpd.conf --
pwcheck_method: saslauthd
auxprop_plugin: sql
mech_list: plain login
sql_engine: mysql
sql_hostnames: 127.0.0.1
sql_user: --- replaced ---
sql_passwd: --- replaced ---
sql_database: mail
sql_select: SELECT password FROM user WHERE email='%u@%r' AND enabled = 1


-- active services in /etc/postfix/master.cf --
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
smtp      inet  n       -       -       -       -       smtpd
smtps     inet  n       -       -       -       -       smtpd
 -o smtpd_tls_wrappermode=yes
submission inet n       -       -       -       -       smtpd
pickup    fifo  n       -       -       60      1       pickup
 -o content_filter=
 -o receive_override_options=no_header_body_checks
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
   -o smtp_fallback_relay=
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
maildrop  unix  -       n       n       -       -       pipe
 flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp      unix  -       n       n       -       -       pipe
 flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
 flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
 flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -   n   n   -   2   pipe
 flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
 flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
 ${nexthop} ${user}
amavis    unix -        -       -       -       2       smtp
 -o smtp_data_done_timeout=1200
 -o smtp_send_xforward_command=yes
 -o disable_dns_lookups=yes
 -o max_use=20
127.0.0.1:10025 inet n  -       -       -       -       smtpd
 -o content_filter=
 -o local_recipient_maps=
 -o relay_recipient_maps=
 -o smtpd_restriction_classes=
 -o smtpd_delay_reject=no
 -o smtpd_client_restrictions=permit_mynetworks,reject
 -o smtpd_helo_restrictions=
 -o smtpd_sender_restrictions=
 -o smtpd_recipient_restrictions=permit_mynetworks,reject
 -o smtpd_data_restrictions=reject_unauth_pipelining
 -o smtpd_end_of_data_restrictions=
 -o mynetworks=127.0.0.0/8
 -o smtpd_error_sleep_time=0
 -o smtpd_soft_error_limit=1001
 -o smtpd_hard_error_limit=1000
 -o smtpd_client_connection_count_limit=0
 -o smtpd_client_connection_rate_limit=0
 -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

-- mechanisms on localhost --
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN


-- end of saslfinger output --

我已按照本指南進行操作。

您的電子郵件客戶端實際上並未進行身份驗證。

您確定您已正確配置 Outlook 以連接到埠 587 並為其指定使用者名和密碼嗎?

引用自:https://serverfault.com/questions/482000