Postfix
Postfix + SASL = "Relay access denied" when sending from outside the network
I have this in /etc/postfix/main.cf:

    smtpd_sasl_auth_enable = yes
    smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination

And SASL seems to be working:

    $ testsaslauthd -u yang -p ... -f /var/spool/postfix/var/run/saslauthd/mux -s smtpd
    0: OK "Success."

But I get "Relay access denied" when connecting from outside the network (localhost, for example, still works fine):

    $ telnet blah.com 25
    auth plain ...
    235 2.7.0 Authentication successful
    mail from:<yang@blah.com>
    250 2.1.0 Ok
    rcpt to:<yang@dest.com>
    554 5.7.1 <yang@dest.com>: Relay access denied

Logs:

    Oct 18 21:10:19 blah postfix/smtpd[13882]: connect from unknown[x.x.x.x]
    Oct 18 21:10:19 blah postfix/smtpd[13882]: setting up TLS connection from unknown[x.x.x.x]
    Oct 18 21:10:19 blah postfix/smtpd[13882]: Anonymous TLS connection established from unknown[x.x.x.x]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
    Oct 18 21:10:19 blah postfix/smtpd[13882]: NOQUEUE: reject: RCPT from unknown[x.x.x.x]: 554 5.7.1 <yang@dest.com>: Relay access denied; from=<yang@blah.com> to=<yang@dest.com> proto=ESMTP helo=<[y.y.y.y]>
    Oct 18 21:10:19 blah postfix/smtpd[13882]: disconnect from unknown [x.x.x.x]

I've been stumped for a while now. Any hints?
My full configuration follows; it is based on https://help.ubuntu.com/community/Postfix.
/etc/default/saslauthd:

    START=yes
    PWDIR="/var/spool/postfix/var/run/saslauthd"
    PARAMS="-m ${PWDIR}"
    PIDFILE="${PWDIR}/saslauthd.pid"
    OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

/etc/postfix/main.cf:

    # See /usr/share/postfix/main.cf.dist for a commented, more complete version

    # Debian specific: Specifying a file name will cause the first
    # line of that file to be used as the name. The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname

    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no

    # appending .domain is the MUA's job.
    append_dot_mydomain = no

    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h

    readme_directory = no

    # TLS parameters
    smtp_tls_loglevel=1
    smtp_tls_security_level=may
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtpd_tls_cert_file=/etc/ssl/certs/blah.crt
    smtpd_tls_key_file=/etc/ssl/private/blah.key
    smtpd_tls_loglevel=1
    smtpd_tls_security_level=may
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

    smtpd_sasl_auth_enable = yes
    smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination

    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.

    myhostname = blah.com
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    mydestination = localhost.blah.com, localhost
    relayhost =
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all

    # From <http://www.postfix.org/VIRTUAL_README.html>
    virtual_mailbox_domains = blah.com invalid.invalid
    virtual_mailbox_base = /var/mail/blah
    virtual_mailbox_maps = hash:/etc/postfix/vmailbox
    virtual_alias_maps = hash:/etc/postfix/valiases
    virtual_minimum_uid = 100
    virtual_uid_maps = static:1001
    virtual_gid_maps = static:1001

    sender_bcc_maps = hash:/etc/postfix/bccmaps

    # DKIM
    smtpd_milters = inet:localhost:8891
    non_smtpd_milters = inet:localhost:8891

    # Enforce SPF
    smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination check_policy_service unix:private/policyd-spf
    policyd-spf_time_limit = 3600

/etc/postfix/sasl/smtpd.conf:

    pwcheck_method: saslauthd
    mech_list: plain login

You have smtpd_recipient_restrictions twice; the last one is the one in use, and it does not have permit_sasl_authenticated.
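
The override described in the answer can be checked mechanically. The following is an added example, not code from the original post or from Postfix: it parses main.cf text, lists parameters defined more than once, and reports which restrictions the last (effective) definition dropped. The function names are hypothetical and the sample input is constructed from the question's configuration.

```python
import re

# Constructed sample: the two definitions from the question's main.cf.
# Writing the second one with continuation lines is an assumption.
SAMPLE_MAIN_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
# Enforce SPF
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    check_policy_service unix:private/policyd-spf
"""

def parse_main_cf(text):
    """Return {name: [(line_no, value), ...]} in file order.
    Blank lines and '#' lines are skipped; a line that starts with
    whitespace continues the previous logical line (main.cf syntax)."""
    logical = []  # each entry: [first_line_no, joined_text]
    for no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1][1] += " " + raw.strip()
        else:
            logical.append([no, raw.strip()])
    params = {}
    for no, line in logical:
        name, sep, value = line.partition("=")
        if sep:
            params.setdefault(name.strip(), []).append((no, value.strip()))
    return params

def overridden(params):
    """Parameters defined more than once; the last definition is effective."""
    return {k: v for k, v in params.items() if len(v) > 1}

def lost_restrictions(name, params):
    """Tokens present in an earlier definition but absent from the last one."""
    tokens = lambda v: {t for t in re.split(r"[,\s]+", v) if t}
    *earlier, (_, effective) = params[name]
    return sorted(set().union(*(tokens(v) for _, v in earlier)) - tokens(effective))

if __name__ == "__main__":
    p = parse_main_cf(SAMPLE_MAIN_CF)
    for name, defs in overridden(p).items():
        print(name, "lines", [n for n, _ in defs], "dropped:", lost_restrictions(name, p))
```

Run against the sample, it flags smtpd_recipient_restrictions as defined on lines 2 and 5 and shows that permit_sasl_authenticated is missing from the definition that takes effect.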