后缀配置:
~ # postconf -n | grep mynetworks
mynetworks = 127.0.0.0/8
mynetworks_style = host
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject
smtpd_sender_restrictions = reject_sender_login_mismatch, reject_non_fqdn_sender, reject_unlisted_sender, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_invalid_hostname, reject_unknown_sender_domain, reject_unauth_pipelining, reject
但与我的期望相反,postfix 服务器接受来自不存在域、错误域的所有内容,它绝对不负责,因此是一个开放中继。
{} ~ telnet SERVER 25
Trying IP...
Connected to SERVER.
Escape character is '^]'.
220 SERVER ESMTP Postfix (Debian/GNU)
HELO google.de
250 SERVER
MAIL FROM: [email protected]
250 2.1.0 Ok
RCPT TO: [email protected]
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: Test
.
250 2.0.0 Ok: queued as 4AB737C1039
QUIT
221 2.0.0 Bye
Connection closed by foreign host.
正如您所看到的,这显然违反了后缀配置中定义的多个规则。
问:为什么以及如何解决这个问题?
完整的后缀配置:
~ # postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
compatibility_level = 2
home_mailbox = Mail/Inbox/
inet_interfaces = all
inet_protocols = all
mailbox_command = /usr/lib/dovecot/deliver
mailbox_size_limit = 0
milter_default_action = accept
milter_protocol = 6
mydestination = $myhostname, SERVER, localhost.DOMAIN, localhost
myhostname = SERVER
mynetworks = 127.0.0.0/8
mynetworks_style = host
myorigin = /etc/mailname
non_smtpd_milters = inet:localhost:12301
readme_directory = no
recipient_delimiter = +
smtp_tls_CAfile = /etc/letsencrypt/live/SERVER/cert.pem
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname SOOS ESMTP $mail_name (Debian/GNU)
smtpd_milters = inet:localhost:12301
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_sender_login_mismatch, reject_non_fqdn_sender, reject_unlisted_sender, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_invalid_hostname, reject_unknown_sender_domain, reject_unauth_pipelining, reject
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/SERVER/fullchain.pem
smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, RSA+AES, eNULL
smtpd_tls_key_file = /etc/letsencrypt/live/SERVER/privkey.pem
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_security_level = may
tls_preempt_cipherlist = yes
答案1
您的收听界面不受限制lo/127.0.0.1
inet_interfaces = all
答案2
我建议您在进行 telnet 测试时跟踪 mail.log,以确认明显的您连接的 IP 地址实际上不在您的网络中。如果是,中继限制中的第一条规则将允许流量。
例如,我们防火墙上的配置更改屏蔽了对等连接的源 IP。这个使全部连接似乎是在网络内。 postfix 配置中没有任何改变。邮件日志显示所有流量均源自防火墙本身。对每个人来说都是糟糕的一天。
关于将接口设置为本地主机,这意味着您也从本地主机进行连接。根据指定的规则,中继会在这种情况下是被允许的。