Postfix 外发电子邮件身份验证

Postfix 外发电子邮件身份验证

我有一个 VPS,用作网络服务器和电子邮件服务器。我遇到了 Postfix 问题。它不会在发送来自未经授权域的电子邮件时要求输入密码。

这是从不存在的域到我的本地电子邮件的 telnet 调用:

telnet smtp.mydomain.com 25
Trying XXX.XXX.XXX.XXX...
Connected to smtp.mydomain.com.
Escape character is '^]'.
220 smtp.mydomain.com ESMTP Postfix
EHLO smtp.mydomain.com
250-smtp.mydomain.com
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250 8BITMIME
mail from:<[email protected]>
250 2.1.0 Ok
rcpt to:<[email protected]>
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Subject: test

Hello

.
250 2.0.0 Ok: queued as 94DC2150BCA
quit
221 2.0.0 Bye

另一方面,如果我通过 telnet 从现有的内部地址向另一个现有的内部地址发送电子邮件,postfix 将停止发送,因为它需要身份验证。

telnet smtp.mydomain.com 25
Trying XXX.XXX.XXX.XXX...
Connected to smtp.mydomain.com.
Escape character is '^]'.
220 smtp.mydomain.com ESMTP Postfix
EHLO smtp.mydomain.com
250-smtp.mydomain.com
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250 8BITMIME
mail from:<[email protected]>
250 2.1.0 Ok
rcpt to:<[email protected]>
453 4.7.1 <[email protected]>: Sender address rejected: not logged in
quit
Connection closed by foreign host.

这是我的 postfix 配置文件:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/postfix/virtual
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5
delay_warning_time = 4
disable_vrfy_command = no
dovecot_destination_recipient_limit = 1
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 52428800
milter_default_action = accept
milter_protocol = 2
mydomain = smtp.mydomain.com
myhostname = smtp.mydomain.com
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = inet:localhost:8891
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.2.2/README_FILES
recipient_delimiter = +
relay_domains = proxy:mysql:/etc/zpanel/configs/postfix/mysql-relay_domains_maps.cf
relayhost =
sample_directory = /usr/share/doc/postfix-2.2.2/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_client_restrictions =
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions =
smtpd_milters = inet:localhost:8891
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,reject_unknown_sender_domain
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/zpanel/configs/postfix/mysql-virtual_sender_login_maps
smtpd_sender_restrictions = reject_sender_login_mismatch, reject_unknown_sender_domain, reject_unlisted_sender, reject_unauthenticated_sender_login_mismatch, permit_sasl_authenticated, permit_mynetworks, reject_unverified_sender
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/smtp.mydomain.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/smtp.mydomain.com/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = proxy:mysql:/etc/zpanel/configs/postfix/mysql-virtual_alias_maps.cf, regexp:/etc/zpanel/configs/postfix/virtual_regexp, hash:/etc/postfix/virtual
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/zpanel/vmail
virtual_mailbox_domains = proxy:mysql:/etc/zpanel/configs/postfix/mysql-virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/zpanel/configs/postfix/mysql-virtual_mailbox_maps.cf
virtual_minimum_uid = 150
virtual_transport = dovecot
virtual_uid_maps = static:5000

我希望当有人通过 telnet 发送电子邮件时,postfix 总是要求输入密码。

我哪里做错了?这个问题最近变得非常令人沮丧。

答案1

端口 25 上的 telnet 模拟了实际邮件服务器发送消息的行为,因此通常邮件服务器会接受发送到在邮件服务器上配置为“本地”的域的地址的电子邮件,这解释了您描述的第一种情况......

... 基于此,您可能希望服务器只接受发送到本地域的电子邮件,就像您的第二种情况一样,但它要求进行身份验证。这取决于您的特定配置...

我建议通过 Postfix 的地址验证文档,这应该有助于理解正在发生的事情(也可能SAS 连接层文档)。还请考虑和中的配置main.cfmaster.cf正确使用这些配置可让您对不同的端口进行不同的配置。邮件服务器的现代最佳实践是让端口 25 专用于接收电子邮件,端口 587 专用于“提交”(发送)电子邮件。对这些端口进行不同的配置意味着您可以更轻松地将端口 25 的配置重点放在“MX”电子邮件(本地域的邮件)上,将端口 587 的配置重点放在邮件提交上(还要注意使用 TLS 加密)。

至于具体设置,这将根据您的具体要求而有所不同。值得注意的是,各种_restrictions设置都是按顺序测试的列表,因此在您当前的设置中main.cf(重新格式化以便于阅读),

smtpd_client_restrictions =
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_restrictions =
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    reject_unknown_sender_domain
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated
smtpd_sender_restrictions =
    reject_sender_login_mismatch,
    reject_unknown_sender_domain,
    reject_unlisted_sender,
    reject_unauthenticated_sender_login_mismatch,
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unverified_sender

我建议仔细检查这些内容以及选项的顺序;我还建议在每个列表中进行最后的明确说明,permit这样reject如果先前的测试都不匹配会发生什么情况就会非常清楚。

然后看看master.cf这些选项可以在何处被覆盖,例如对于邮件提交,你可能有特定的_restrictions

submission inet n       -       -       -       - smtpd
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

将此与您的陈述“我希望当有人通过 telnet 发送电子邮件时,postfix 总是要求输入密码”进行比较 - 上述示例master.cf行将要求对邮件提交进行身份验证。

相关内容