我的 Postfix 服务器直到前几天都运行良好,但现在,我无法接收来自外部的电子邮件(我的意思是使用不同域名的电子邮件,例如 gmail)。我必须注意,我可以从服务器向 gmail 发送电子邮件。
据我所见,我认为问题可能出在我的 iptables 规则上:
# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
REJECT tcp -- anywhere anywhere reject-with tcp-reset
内容如下/etc/iptables/rules.v4
:
# Generated by iptables-save v1.4.14 on Tue Jun 28 02:59:45 2016
*filter
:INPUT DROP [4:160]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [8850:1128793]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A FORWARD -p tcp -j REJECT --reject-with tcp-reset
COMMIT
# Completed on Tue Jun 28 02:59:45 2016
# Generated by iptables-save v1.4.14 on Tue Jun 28 02:59:45 2016
*mangle
:PREROUTING ACCEPT [7537:917236]
:INPUT ACCEPT [7537:917236]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [16961:1999319]
:POSTROUTING ACCEPT [16961:1999319]
COMMIT
# Completed on Tue Jun 28 02:59:45 2016
# Generated by iptables-save v1.4.14 on Tue Jun 28 02:59:45 2016
*nat
:PREROUTING ACCEPT [357:19884]
:POSTROUTING ACCEPT [9413:566093]
:OUTPUT ACCEPT [9344:563333]
COMMIT
# Completed on Tue Jun 28 02:59:45 2016
此外,我的服务器似乎在监听 25 端口:
# netstat -an |grep 25
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp6 0 0 :::25 :::* LISTEN
unix 2 [ ] DGRAM 4255589627 /var/spool/postfix/dev/log
unix 15 [ ] DGRAM 4255589625 /dev/log
unix 2 [ ACC ] STREAM LISTENING 4255652970 /var/run/mysqld/mysqld.sock
unix 2 [ ACC ] STREAM LISTENING 4255590038 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 4255711673 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 4255711672
unix 3 [ ] STREAM CONNECTED 4255711663 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 4255711662
unix 2 [ ] DGRAM 4255711642
unix 3 [ ] STREAM CONNECTED 4255711639 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 4255711638
unix 2 [ ] DGRAM 4255711627
unix 2 [ ] DGRAM 4255594798
unix 2 [ ] DGRAM 4255590141
unix 3 [ ] STREAM CONNECTED 4255590098
unix 3 [ ] STREAM CONNECTED 4255590097
并且我的服务器上的 nmap (从外部) 返回:
Host is up (0.065s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
443/tcp open https
445/tcp filtered microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 2.01 seconds
最后,这是我的/etc/postfix/master.cf
:
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - - - - smtpd
#submission inet n - - - - smtpd
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - - - - smtpd
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - - - - qmqpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - - 300 1 oqmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - - - - smtp
-o smtp_fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}
# spf postfix
policy unix - n n - - spawn
user=nobody argv=/usr/sbin/postfix-policyd-spf-perl
以下是我从 gmail 发送到我的 postfix 服务器时 gmail 收到的电子邮件的答复:
This is an automatically generated Delivery Status Notification
THIS IS A WARNING MESSAGE ONLY.
YOU DO NOT NEED TO RESEND YOUR MESSAGE.
Delivery to the following recipient has been delayed:
[email protected]
Message will be retried for 1 more day(s)
Technical details of temporary failure:
The recipient server did not accept our requests to connect. Learn more at https://support.google.com/mail/answer/7720
[domain.com 239.178.123.80: socket error]
我不明白为什么netstat
告诉我它监听端口 25 并nmap
指示该端口未打开。
如果有人能看出哪里出了问题,那就没问题了。
提前致谢。
答案1
跑步
iptables -I 输入 5 -p tcp -m tcp --dport 25 -j 接受
立即应用该规则。
同时编辑你的规则/etc/iptables/rules.v4
,并在 443 端口规则后面添加
-A 输入-p tcp -m tcp --dport 25 -j 接受