I have a dedicated server running Proxmox (previously VMware). On it there is a VM with Mailcow-dockerized installed. The VM-facing interface vmbr0 on the hypervisor is NATed (NAT onto the physical NIC for the subnet 192.168.200.0/24). The Mailcow VM has the LAN IP 192.168.200.4/24, and traffic from the Internet is forwarded to it with firewalld rules, with masquerade enabled.
OS on the hypervisor: Debian 11 bullseye, network configured manually:
iface enp9s0 inet static
address 65.21.XXX.XXX
netmask 255.255.255.192
gateway 65.21.XXX.XXX
# route 65.21.XXX.XXX/26 via 65.21.XXX.XXX
up route add -net 65.21.XXX.XXX netmask 255.255.255.192 gw 65.21.XXX.XXX dev enp9s0
auto vmbr0
iface vmbr0 inet static
address 192.168.200.1
netmask 255.255.255.0
bridge_ports none
bridge_stp off
bridge_fd 0
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '192.168.200.0/24' -o enp9s0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '192.168.200.0/24' -o enp9s0 -j MASQUERADE
Rules in firewall-cmd:
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports: 8006/tcp
protocols:
forward: no
masquerade: yes
forward-ports:
port=25:proto=tcp:toport=25:toaddr=192.168.200.4
port=143:proto=tcp:toport=143:toaddr=192.168.200.4
port=465:proto=tcp:toport=465:toaddr=192.168.200.4
port=587:proto=tcp:toport=587:toaddr=192.168.200.4
port=993:proto=tcp:toport=993:toaddr=192.168.200.4
port=443:proto=tcp:toport=443:toaddr=192.168.200.4
source-ports:
icmp-blocks:
rich rules:
The problem is that Mailcow (and any other mail server) cannot send e-mail, but receives it correctly. I connected to all the ports with telnet and all of them responded correctly. Routing in the mail server (I suspect a routing problem, but I'm not sure):
root@mta01:~# ip r l
default via 192.168.200.1 dev ens18 onlink
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.22.1.0/24 dev br-mailcow proto kernel scope link src 172.22.1.1
192.168.200.0/24 dev ens18 proto kernel scope link src 192.168.200.4
root@mta01:~#
I think there is something wrong with the routing. But I also suspect the problem is that I NATed the interface. Not sure. The domain is enabled and set up correctly in DNS (A, MX, TXT, SPF, DMARC and DKIM double-checked) and in the Mailcow admin panel.
Also checked by telnetting from the mail server to Google's SMTP (IP: 64.233.184.26) on port 25: success
root@mta01:~# telnet mta01.X.dev 25
Trying 65.21.139.244...
Connected to mta01.X.dev.
Escape character is '^]'.
220 mta01.X.dev ESMTP Postcow
HELO mta01.X.dev
250 mta01.X.dev
MAIL FROM: <[email protected]>
250 2.1.0 Ok
RCPT TO: <[email protected]>
554 5.7.1 <[email protected]>: Relay access denied
Another check - DNS (for failover, MTA02 has the higher priority; the problem is on MTA01):
root@mta01:~# dig +short MX X.dev
10 mta01.X.dev.
1 mta02.X.dev.
root@mta01:~# dig +short A mta01.X.dev
65.21.XXX.XXX
root@mta01:~# dig +short mx gmail.com
10 alt1.gmail-smtp-in.l.google.com.
20 alt2.gmail-smtp-in.l.google.com.
5 gmail-smtp-in.l.google.com.
40 alt4.gmail-smtp-in.l.google.com.
30 alt3.gmail-smtp-in.l.google.com.
So it seems the resolver is working correctly.
Errors in the log:
postfix-mailcow_1 | Sep 19 09:45:16 859ac05b9a6a postfix/smtp[2703]: connect to gmail-smtp-in.l.google.com[2a00:1450:4010:c08::1b]:25: Network is unreachable
postfix-mailcow_1 | Sep 19 09:45:16 859ac05b9a6a postfix/postscreen[2704]: CONNECT from [192.168.200.1]:60460 to [172.22.1.253]:25
postfix-mailcow_1 | Sep 19 09:45:16 859ac05b9a6a whitelist_forwardinghosts: Look up 192.168.200.1 on whitelist, result 200 DUNNO
postfix-mailcow_1 | Sep 19 09:45:19 859ac05b9a6a postfix/postscreen[2704]: PASS OLD [192.168.200.1]:60460
postfix-mailcow_1 | Sep 19 09:45:19 859ac05b9a6a postfix/smtpd[2724]: connect from unknown[192.168.200.1]
postfix-mailcow_1 | Sep 19 09:45:19 859ac05b9a6a postfix/smtp[2703]: warning: host gmail-smtp-in.l.google.com[64.233.165.26]:25 greeted me with my own hostname mta01.stelmaszyk.dev
postfix-mailcow_1 | Sep 19 09:45:19 859ac05b9a6a postfix/smtp[2703]: warning: host gmail-smtp-in.l.google.com[64.233.165.26]:25 replied to HELO/EHLO with my own hostname mta01.stelmaszyk.dev
postfix-mailcow_1 | Sep 19 09:45:19 859ac05b9a6a postfix/smtp[2703]: 7EA791C0F9E: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[64.233.165.26]:25, delay=6.6, delays=2.9/0.01/3.7/0, dsn=5.4.6, status=bounced (mail for gmail.com loops back to myself)
postfix-mailcow_1 | Sep 19 09:45:19 859ac05b9a6a postfix/smtpd[2724]: disconnect from unknown[192.168.200.1] ehlo=1 quit=1 commands=2
postfix-mailcow_1 | Sep 19 09:45:19 859ac05b9a6a postfix/cleanup[2727]: 5FD1C1C10EB: message-id=<[email protected]>
postfix-mailcow_1 | Sep 19 09:45:19 859ac05b9a6a postfix/bounce[2726]: 7EA791C0F9E: sender non-delivery notification: 5FD1C1C10EB
postfix-mailcow_1 | Sep 19 09:45:19 859ac05b9a6a postfix/qmgr[353]: 5FD1C1C10EB: from=<>, size=3406, nrcpt=1 (queue active)
postfix-mailcow_1 | Sep 19 09:45:19 859ac05b9a6a postfix/qmgr[353]: 7EA791C0F9E: removed
postfix-mailcow_1 | Sep 19 09:45:19 859ac05b9a6a postfix/lmtp[2728]: 5FD1C1C10EB: to=<[email protected]>, relay=dovecot[fd4d:6169:6c63:6f77::12]:24, delay=0.04, delays=0.01/0.01/0/0.03, dsn=2.0.0, status=sent (250 2.0.0 <[email protected]> YEEeGI/qRmFqGgAAggiFYw Saved)
postfix-mailcow_1 | Sep 19 09:45:19 859ac05b9a6a postfix/qmgr[353]: 5FD1C1C10EB: removed
postfix-mailcow_1 | Sep 19 09:48:39 859ac05b9a6a postfix/anvil[2725]: statistics: max connection rate 1/60s for (smtpd:192.168.200.1) at Sep 19 09:45:19
postfix-mailcow_1 | Sep 19 09:48:39 859ac05b9a6a postfix/anvil[2725]: statistics: max connection count 1 for (smtpd:192.168.200.1) at Sep 19 09:45:19
postfix-mailcow_1 | Sep 19 09:48:39 859ac05b9a6a postfix/anvil[2725]: statistics: max cache size 1 at Sep 19 09:45:19
postfix-mailcow_1 | Sep 19 09:50:47 859ac05b9a6a postfix/smtps/smtpd[2741]: connect from unknown[192.168.200.1]
postfix-mailcow_1 | Sep 19 09:51:17 859ac05b9a6a postfix/smtps/smtpd[2741]: SSL_accept error from unknown[192.168.200.1]: lost connection
postfix-mailcow_1 | Sep 19 09:51:17 859ac05b9a6a postfix/smtps/smtpd[2741]: lost connection after CONNECT from unknown[192.168.200.1
Does anyone see what is wrong with the configuration?
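An added check, not part of the original question and not the poster's configuration: the logged warning "greeted me with my own hostname", together with the postscreen CONNECT arriving from 192.168.200.1 (the hypervisor's bridge address, i.e. a masqueraded source) at the same second the outbound delivery to gmail-smtp-in was attempted, is consistent with the VM's own outbound port-25 connection being DNATed by the hypervisor's forward-port rule and sent back to the VM. A firewalld forward-port with no destination address matches any destination, and when no interface is bound to the zone, the default zone also handles packets arriving from vmbr0. The POSIX shell script below audits DNAT rules for exactly that shape: a DNAT with neither an ingress-interface nor a destination-address match. It assumes a POSIX sh, that live checks run as root on the hypervisor with nft or iptables available, and that the hostnames and addresses in its embedded sample are constructed for the demo; the firewall-cmd lines it prints are suggestions that are only printed, never executed, and PUBLIC_IP is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original question): audit DNAT / forward-port rules
# on a NAT hypervisor for the hairpin case in which a VM's own outbound connection
# to port 25 matches the inbound forward rule and is sent back to the VM.
# Assumptions: POSIX sh; live checks need root and nft or iptables on the host.

# Constructed sample resembling `iptables -t nat -S PREROUTING` and `nft list ruleset`
# output. These lines are made up for the demo and are not copied from any real host.
SAMPLE_RULES='-P PREROUTING ACCEPT
-A PREROUTING -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.200.4:25
-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.200.4:443
-A PREROUTING -d 65.21.0.1/32 -i enp9s0 -p tcp -m tcp --dport 993 -j DNAT --to-destination 192.168.200.4:993
tcp dport 587 dnat ip to 192.168.200.4:587
iifname "enp9s0" tcp dport 465 dnat ip to 192.168.200.4:465'

# Print every DNAT rule that has neither an ingress-interface match (-i / iifname)
# nor a destination-address match (-d / ip daddr). Such a rule also catches packets
# arriving from the VM bridge, which is what makes outbound SMTP loop back.
unrestricted_dnat_rules() {
    printf '%s\n' "$1" | while IFS= read -r rule; do
        case "$rule" in
            *"-j DNAT"*|*" dnat "*) ;;   # iptables or nft DNAT rule
            *) continue ;;
        esac
        case "$rule" in
            *" -i "*|*" -d "*|*iifname*|*"ip daddr"*) continue ;;  # restricted: fine
        esac
        printf '%s\n' "$rule"
    done
}

# Number of unrestricted DNAT rules, for a quick pass/fail.
count_unrestricted() {
    unrestricted_dnat_rules "$1" | wc -l | tr -d ' '
}

# Fetch live rules from the host. firewalld on Debian 11 uses the nftables backend
# by default, so its forward-ports appear in `nft list ruleset`, not in iptables.
live_rules() {
    if command -v nft >/dev/null 2>&1; then
        nft list ruleset 2>/dev/null
    elif command -v iptables >/dev/null 2>&1; then
        iptables -t nat -S PREROUTING 2>/dev/null
    fi
}

# Print (do not run) firewall-cmd changes that confine the forwards to the uplink:
# bind the public zone to enp9s0 and move the VM bridge into a separate zone, so the
# default zone no longer catches traffic arriving from vmbr0. The rich rule shows the
# alternative of forwarding only for an explicit destination (PUBLIC_IP is a placeholder).
remediation_commands() {
    cat <<'EOF'
firewall-cmd --permanent --zone=public --change-interface=enp9s0
firewall-cmd --permanent --zone=internal --change-interface=vmbr0
firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 destination address=PUBLIC_IP forward-port port=25 protocol=tcp to-addr=192.168.200.4'
firewall-cmd --reload
EOF
}

# Stand-alone run: audit the constructed sample, or the live host with --live (as root).
if [ "${1:-}" = "--live" ]; then
    rules=$(live_rules)
else
    rules=$SAMPLE_RULES
fi
n=$(count_unrestricted "$rules")
echo "unrestricted DNAT rules: $n"
unrestricted_dnat_rules "$rules"
[ "$n" -eq 0 ] || { echo "suggested changes (review before applying):"; remediation_commands; }
```

After any zone change, confirm that inbound forwards to 192.168.200.4 still pass and that the VM can still reach external port 25 through the masquerade; the audit is a shape check on the rules, not proof of the live packet path, so pair it with a packet capture on vmbr0 if the symptom persists.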