Postfix

SMTP auth 未登錄中繼伺服器

  • August 14, 2014

我正在嘗試配置輔助後綴以針對我的主後綴伺服器啟用 SMTP AUTH (postfix + ldap auth + cyrus)

我已經按照http://www.postfix.org/SASL_README.html#client_sasl添加:

smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous 
relayhost = [192.168.66.98]

輔助後綴的配置文件是:

# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = localhost, 192.168.66.85
inet_protocols = all
local_recipient_maps =
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = ddol-test.com
mynetworks = 192.168.66.0/24, 127.0.0.0/8
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
relay_domains = $mydestination
relayhost = [192.168.66.98]
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
transport_maps =
unknown_local_recipient_reject_code = 550

# cat /etc/postfix/sasl_passwd
[192.168.66.98]         666mgimeno@pre.ddol.es:1234

當我發送郵件時,它會正確重定向到 .66.98,但它不會對其進行身份驗證,並且電子郵件的行為就像未經身份驗證的使用者一樣。

這是我的主要後綴配置:

# cat main.cf

...
...
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes

smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = smtpd

smtpd_helo_restrictions =
       permit_mynetworks,
       permit_sasl_authenticated,
       reject_non_fqdn_helo_hostname,
       reject_invalid_helo_hostname,
       permit

smtpd_sender_restrictions =
       reject_authenticated_sender_login_mismatch,
       permit

smtpd_recipient_restrictions =
       reject_unauth_pipelining,
       reject_non_fqdn_sender,
       reject_non_fqdn_recipient,
       check_policy_service inet:127.0.0.1:10031,
       permit_mynetworks,
       permit_sasl_authenticated,
       reject_unauth_destination,
       reject_unverified_recipient,
       check_policy_service inet:127.0.0.1:10045,
       reject_rbl_client bl.spamcop.net,
       reject_rbl_client psbl.surriel.com,
       reject_rbl_client sbl.spamhaus.org,
       reject_rbl_client xbl.spamhaus.org,
       reject_rbl_client zen.spamhaus.org,
       reject_rbl_client combined.rbl.msrbl.net,
       reject_rbl_client relays.ordb.org,
       reject_rbl_client list.dsbl.org,
       reject_rbl_client sbl-xbl.spamhaus.org,
       reject_rbl_client dnsbl.njabl.org,
       permit

header_checks = pcre:/etc/postfix/header_checks

smtpd_end_of_data_restrictions =
       check_policy_service inet:127.0.0.1:10031

soft_bounce = no

smtpd_helo_required = yes

smtpd_delay_reject = yes
disable_vrfy_command = yes

smtpd_sender_login_maps = ldap:/etc/postfix/sender_maps

amavisd-new_destination_concurrency_limit = 20

virtual_alias_maps = ldap:/etc/postfix/mailRedirect ldap:/etc/postfix/virtual ldap:/etc/postfix/catch-all

smtpd_sasl_local_domain =

smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

message_size_limit=15728640

現在,從輔助後綴發送的任何郵件都會中繼到主後綴,但它通過了所有檢查,因為它是針對未經過身份驗證的使用者的,但我不希望這樣。我希望電子郵件的行為與經過身份驗證的使用者相同,並在 smtpd_recipient_restrictions 中的“permit_sasl_authenticated”中停止。

你的問題在這裡:

smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
relayhost = [192.168.66.98]

請注意,您使用的是“smtpd”而不是“smtp”。這意味著您正在為偵聽守護程序而不是發送代理設置 sasl。

這是我在我的使用:

# use authentication
relayhost = [mail.messagingengine.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/saslpass
smtp_sasl_security_options = noanonymous

它工作正常。

哦 - saslpass 的內容是:

mail.messagingengine.com myuser@my.domain:mypass

注意冒號和空格。我猜你需要在那裡輸入 IP 地址,或者在 /etc/hosts 中輸入一個條目並使用一個名稱。@my.domain 是因為消息傳遞引擎使用完全限定的電子郵件地址進行登錄。您可能只需要一個使用者名。

引用自:https://serverfault.com/questions/410688