Postfix 问题:iptables 规则无法接收来自外部的电子邮件

Postfix 问题:iptables 规则无法接收来自外部的电子邮件

我的 Postfix 服务器直到前几天都运行良好,但现在,我无法接收来自外部的电子邮件(我的意思是使用不同域名的电子邮件,例如 gmail)。我必须注意,我可以从服务器向 gmail 发送电子邮件。

据我所见,我认为问题可能出在我的 iptables 规则上:

# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset

内容如下/etc/iptables/rules.v4

# Generated by iptables-save v1.4.14 on Tue Jun 28 02:59:45 2016
*filter
:INPUT DROP [4:160]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [8850:1128793]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A FORWARD -p tcp -j REJECT --reject-with tcp-reset
COMMIT
# Completed on Tue Jun 28 02:59:45 2016
# Generated by iptables-save v1.4.14 on Tue Jun 28 02:59:45 2016
*mangle
:PREROUTING ACCEPT [7537:917236]
:INPUT ACCEPT [7537:917236]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [16961:1999319]
:POSTROUTING ACCEPT [16961:1999319]
COMMIT
# Completed on Tue Jun 28 02:59:45 2016
# Generated by iptables-save v1.4.14 on Tue Jun 28 02:59:45 2016
*nat
:PREROUTING ACCEPT [357:19884]
:POSTROUTING ACCEPT [9413:566093]
:OUTPUT ACCEPT [9344:563333]
COMMIT
# Completed on Tue Jun 28 02:59:45 2016

此外,我的服务器似乎在监听 25 端口:

# netstat -an |grep 25
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN     
tcp6       0      0 :::25                   :::*                    LISTEN     
unix  2      [ ]         DGRAM                    4255589627 /var/spool/postfix/dev/log
unix  15     [ ]         DGRAM                    4255589625 /dev/log
unix  2      [ ACC ]     STREAM     LISTENING     4255652970 /var/run/mysqld/mysqld.sock
unix  2      [ ACC ]     STREAM     LISTENING     4255590038 /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     4255711673 /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     4255711672 
unix  3      [ ]         STREAM     CONNECTED     4255711663 /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     4255711662 
unix  2      [ ]         DGRAM                    4255711642 
unix  3      [ ]         STREAM     CONNECTED     4255711639 /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     4255711638 
unix  2      [ ]         DGRAM                    4255711627 
unix  2      [ ]         DGRAM                    4255594798 
unix  2      [ ]         DGRAM                    4255590141 
unix  3      [ ]         STREAM     CONNECTED     4255590098 
unix  3      [ ]         STREAM     CONNECTED     4255590097 

并且我的服务器上的 nmap (从外部) 返回:

Host is up (0.065s latency).
Not shown: 994 closed ports
PORT    STATE    SERVICE
22/tcp  open     ssh
80/tcp  open     http
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
443/tcp open     https
445/tcp filtered microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 2.01 seconds

最后,这是我的/etc/postfix/master.cf

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
#submission inet n       -       -       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       -       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
  -o smtp_fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  - n n - 2 pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

# spf postfix
policy  unix  -       n       n       -       -       spawn
        user=nobody argv=/usr/sbin/postfix-policyd-spf-perl

以下是我从 gmail 发送到我的 postfix 服务器时 gmail 收到的电子邮件的答复:

This is an automatically generated Delivery Status Notification

THIS IS A WARNING MESSAGE ONLY.

YOU DO NOT NEED TO RESEND YOUR MESSAGE.

Delivery to the following recipient has been delayed:

     [email protected]

Message will be retried for 1 more day(s)

Technical details of temporary failure:
The recipient server did not accept our requests to connect. Learn more at https://support.google.com/mail/answer/7720
[domain.com 239.178.123.80: socket error]

我不明白为什么netstat告诉我它监听端口 25 并nmap指示该端口未打开。

如果有人能看出哪里出了问题,那就没问题了。

提前致谢。

答案1

跑步

iptables -I 输入 5 -p tcp -m tcp --dport 25 -j 接受

立即应用该规则。

同时编辑你的规则/etc/iptables/rules.v4,并在 443 端口规则后面添加

-A 输入-p tcp -m tcp --dport 25 -j 接受

相关内容