Postfix
拒絕反向主機名解析失敗的電子郵件
我的 Postfix 伺服器正在接收來自一組不斷變化的域名的垃圾郵件,但在日誌文件中以 line 開頭的模式一致
warning: hostname X does not resolve to address Y。沒有合法(火腿)電子郵件具有此模式,因此我想阻止與此消息關聯的電子郵件。有沒有辦法完全在 Postfix 配置中阻止這些電子郵件,例如在 main.cf 文件中?
以下是日誌文件的一部分,顯示垃圾郵件到達時出現的模式:
May 10 21:47:46 localhost postfix/smtpd[313324]: warning: hostname trojan.kringeas.co.uk does not resolve to address 104.129.30.93: Name or service not known May 10 21:47:46 localhost postfix/smtpd[313324]: connect from unknown[104.129.30.93] May 10 21:47:46 localhost postfix/smtpd[313324]: 2AF1D101825: client=unknown[104.129.30.93] May 10 21:47:46 localhost postfix/cleanup[313331]: 2AF1D101825: message-id=<dO7GXAfoNocg1hEkeyqMfulg7RZ0aamifKqrB8JpUH8.ofI9TFu7lSCnlxwicxT5GA@meansfolk.sa.com> May 10 21:47:46 localhost postfix/qmgr[294981]: 2AF1D101825: from=<info@meansfolk.sa.com>, size=4241, nrcpt=1 (queue active) May 10 21:47:46 localhost postfix/pipe[313333]: 2AF1D101825: to=<xx@xxxx.net>, orig_to=<hfew@xxxx.net>, relay=dovecot, delay=0.11, delays=0.08/0.01/0/0.02, dsn=2 .0.0, status=sent (delivered via dovecot service) May 10 21:47:46 localhost postfix/qmgr[294981]: 2AF1D101825: removed May 10 21:47:46 localhost postfix/smtpd[313324]: disconnect from unknown[104.129.30.93] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5這是我的 main.cf 文件:請注意,它包括: 我在閱讀這篇文章後
smtpd_client_restrictions = reject_unknown_reverse_client_hostname嘗試過的。queue_directory = /var/spool/postfix command_directory = /usr/sbin daemon_directory = /usr/lib/postfix/sbin data_directory = /var/lib/postfix mail_owner = postfix inet_protocols = all mydestination = localhost, localhost.localdomain unknown_local_recipient_reject_code = 550 alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases debug_peer_level = 2 debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5 sendmail_path = /usr/sbin/sendmail.postfix newaliases_path = /usr/bin/newaliases.postfix mailq_path = /usr/bin/mailq.postfix setgid_group = postdrop html_directory = no manpage_directory = /usr/share/man sample_directory = /usr/share/doc/postfix-2.10.1/samples readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES myhostname = xxxx.net mynetworks = 127.0.0.0/8 message_size_limit = 30720000 virtual_alias_domains = virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf, hash:/etc/postfix/virtual virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf virtual_mailbox_base = /home/vmail virtual_uid_maps = static:5000 virtual_gid_maps = static:5000 smtpd_client_restrictions = reject_unknown_reverse_client_hostname smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth smtpd_sasl_auth_enable = yes broken_sasl_auth_clients = yes smtpd_sasl_authenticated_header = yes smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination smtpd_use_tls = yes smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem virtual_create_maildirsize = yes virtual_maildir_extended = yes proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps virtual_transport = dovecot dovecot_destination_recipient_limit = 1 inet_interfaces = all smtp_tls_security_level = may disable_vrfy_command = yes smtpd_milters = inet:127.0.0.1:8891 non_smtpd_milters = $smtpd_milters milter_default_action = accept
只需更換
smtpd_client_restrictions = reject_unknown_reverse_client_hostname和
smtpd_client_restrictions = reject_unknown_client_hostname.reject_unknown_client_hostname (with Postfix < 2.3: reject_unknown_client) Reject the request when 1) the client IP address->name mapping fails, or 2) the name->address mapping fails, or 3) the name->address mapping does not match the client IP address. This is a stronger restriction than the reject_unknown_reverse_client_hostname feature, which triggers only under condition 1) above. The unknown_client_reject_code parameter specifies the response code for rejected requests (default: 450). The reply is always 450 in case the address->name or name->address lookup failed due to a temporary problem.但是,您的信念是錯誤的:
沒有合法(火腿)電子郵件具有此模式,因此我想阻止與此消息關聯的電子郵件。
我的客戶時常抱怨,有時會發生反向主機名不符合 HELO 地址,或者解析到其他地址或根本不解析,這完全是請求郵件。基本上,目前的 RFC 只要求HELO 主機名的 PTR 記錄的存在,而沒有說明它的值或該名稱下的 A 記錄或其值的存在。技術上合法的伺服器可以省略其他所有內容,但仍符合 RFC,而您使用此配置阻止它。為了解決這個問題,我將所有這些檢查放入
smtpd_recipient_restrictions,並check_sender_access hash://...在其之前添加,因此我可以通過發件人域名或完整的發件人電子郵件地址有選擇地從該檢查中排除一些郵件:smtpd_client_restrictions = [default] smtpd_recipient_restrictions = ... check_sender_access hash:/etc/postfix/spam_exceptions, reject_unknown_client_hostname, ...您不能在 中使用
check_sender_access,smtpd_client_restrictions因為您只能在階段獲取發件人信封地址以進行檢查MAIL From:。該
spam_exceptions文件具有簡單的結構:affected.domain OK ...當我解決投訴時,我只是將域添加到此文件中。我已經有一個相當大的收藏了!