由于我找不到适合我的配置的解决方案,所以我依靠你们来帮助我解决这个问题。
我在 CentOS 服务器上安装了 postfix 和 dovecot。一切运行良好。但是当我尝试从 Outlook 向非 .com 的 tld 发送电子邮件时,服务器返回:中继访问被拒绝。
以下是后配置-n命令
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
inet_protocols = all
mailbox_size_limit = 104857600
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 20971520
mydestination = $myhostname, $mydomain, localhost, localhost.$mydomain
newaliases_path = /usr/bin/newaliases.postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_loglevel = 3
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/mailserver.pem
smtpd_tls_key_file = /etc/postfix/mailserver.pem
smtpd_tls_received_header = yes
smtpd_tls_security_level = encrypt
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
这是邮件日志错误:
Nov 23 13:26:24 website_name postfix/smtpd[16391]: extract_addr: input: <mrm@website_name.com>
Nov 23 13:26:24 website_name postfix/smtpd[16391]: smtpd_check_addr: addr=mrm@website_name.com
Nov 23 13:26:24 website_name postfix/smtpd[16391]: ctable_locate: move existing entry key mrm@website_name.com
Nov 23 13:26:24 website_name postfix/smtpd[16391]: extract_addr: in: <mrm@website_name.com>, result: mrm@website_name.com
Nov 23 13:26:24 website_name postfix/smtpd[16391]: fsspace: .: block size 4096, blocks free 23679665
Nov 23 13:26:24 website_name postfix/smtpd[16391]: smtpd_check_queue: blocks 4096 avail 23679665 min_free 0 msg_size_limit 20971520
Nov 23 13:26:24 website_name postfix/smtpd[16391]: > unknown[178.193.xxx.xxx]: 250 2.1.0 Ok
Nov 23 13:26:24 website_name postfix/smtpd[16391]: < unknown[178.193.xxx.xxx]: RCPT TO:<[email protected]>
Nov 23 13:26:24 website_name postfix/smtpd[16391]: extract_addr: input: <[email protected]>
Nov 23 13:26:24 website_name postfix/smtpd[16391]: smtpd_check_addr: [email protected]
Nov 23 13:26:24 website_name postfix/smtpd[16391]: ctable_locate: move existing entry key [email protected]
Nov 23 13:26:24 website_name postfix/smtpd[16391]: extract_addr: in: <[email protected]>, result: [email protected]
Nov 23 13:26:24 website_name postfix/smtpd[16391]: >>> START Recipient address RESTRICTIONS <<<
Nov 23 13:26:24 website_name postfix/smtpd[16391]: generic_checks: name=permit_sasl_authenticated
Nov 23 13:26:24 website_name postfix/smtpd[16391]: generic_checks: name=permit_sasl_authenticated status=0
Nov 23 13:26:24 website_name postfix/smtpd[16391]: generic_checks: name=reject_unauth_destination
Nov 23 13:26:24 website_name postfix/smtpd[16391]: reject_unauth_destination: [email protected]
Nov 23 13:26:24 website_name postfix/smtpd[16391]: permit_auth_destination: [email protected]
Nov 23 13:26:24 website_name postfix/smtpd[16391]: ctable_locate: leave existing entry key [email protected]
Nov 23 13:26:24 website_name postfix/smtpd[16391]: NOQUEUE: reject: RCPT from unknown[178.193.xxx.xxx]: 554 5.7.1 <[email protected]>: Relay access denied; from=<mrm@website_name.com> to=<[email protected]> proto=ESMTP helo=<[192.168.1.38]>
Nov 23 13:26:24 website_name postfix/smtpd[16391]: generic_checks: name=reject_unauth_destination status=2
Nov 23 13:26:24 website_name postfix/smtpd[16391]: > unknown[178.193.xxx.xxx]: 554 5.7.1 <[email protected]>: Relay access denied
Nov 23 13:26:24 website_name postfix/smtpd[16391]: smtp_get: EOF
这有什么问题?
更新:已添加到 main.cf
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous noplaintext
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
更新:EHLO
EHLO mail.perflux.com
250-perflux.com
250-PIPELINING
250-SIZE 20971520
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
更新:日志
: connection established
: master_notify: status 0
: name_mask: resource
: name_mask: software
: connect from unknown[remoteIP]
: match_list_match: unknown: no match
: match_list_match: remoteIP: no match
: match_list_match: unknown: no match
: match_list_match: remoteIP: no match
: match_hostname: unknown ~? 127.0.0.0/8
: match_hostaddr: remoteIP ~? 127.0.0.0/8
: match_hostname: unknown ~? 195.70.x.x/24
: match_hostaddr: remoteIP ~? 195.70.x.x/24
: match_hostname: unknown ~? [::1]/128
: match_hostaddr: remoteIP ~? [::1]/128
: match_hostname: unknown ~? [fe80::%eth0]/64
: match_hostaddr: remoteIP ~? [fe80::%eth0]/64
: match_list_match: unknown: no match
: match_list_match: remoteIP: no match
: send attr request = connect
: send attr ident = smtp:remoteIP
: private/anvil: wanted attribute: status
: input attribute name: status
: input attribute value: 0
: private/anvil: wanted attribute: count
: input attribute name: count
: input attribute value: 1
: private/anvil: wanted attribute: rate
: input attribute name: rate
: input attribute value: 2
: private/anvil: wanted attribute: (list terminator)
: input attribute name: (end)
: > unknown[remoteIP]: 220 domain.com ESMTP Postfix
: < unknown[remoteIP]: EHLO [192.168.1.38]
: > unknown[remoteIP]: 250-domain.com
: > unknown[remoteIP]: 250-PIPELINING
: > unknown[remoteIP]: 250-SIZE 20971520
: > unknown[remoteIP]: 250-VRFY
: > unknown[remoteIP]: 250-ETRN
: match_list_match: unknown: no match
: match_list_match: remoteIP: no match
: > unknown[remoteIP]: 250-STARTTLS
: > unknown[remoteIP]: 250-ENHANCEDSTATUSCODES
: > unknown[remoteIP]: 250-8BITMIME
: > unknown[remoteIP]: 250 DSN
: < unknown[remoteIP]: STARTTLS
: > unknown[remoteIP]: 220 2.0.0 Ready to start TLS
: setting up TLS connection from unknown[remoteIP]
: unknown[remoteIP]: TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
: auto_clnt_open: connected to private/tlsmgr
: send attr request = seed
: send attr size = 32
: private/tlsmgr: wanted attribute: status
: input attribute name: status
: input attribute value: 0
: private/tlsmgr: wanted attribute: seed
: input attribute name: seed
: input attribute value: 7FfGXFU+Rpalr27a4Gy4AcFT7UY0uKwxVopJXiqNiJQ=
: private/tlsmgr: wanted attribute: (list terminator)
: input attribute name: (end)
: SSL_accept:before/accept initialization […]
: SSL_accept:SSLv3 read client hello A
: SSL_accept:SSLv3 write server hello A
: SSL_accept:SSLv3 write certificate A
: SSL_accept:SSLv3 write server done A […]
: SSL_accept:SSLv3 flush data […]
: SSL_accept:SSLv3 read client key exchange A […]
: SSL_accept:SSLv3 read finished A
: SSL_accept:SSLv3 write change cipher spec A
: SSL_accept:SSLv3 write finished A […]
: SSL_accept:SSLv3 flush data
: Anonymous TLS connection established from unknown[remoteIP]: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
: xsasl_dovecot_server_create: SASL service=smtp, realm=(null)
: name_mask: noanonymous
: xsasl_dovecot_server_mech_filter: keep mechanism: PLAIN
: xsasl_dovecot_server_mech_filter: keep mechanism: LOGIN
: < unknown[remoteIP]: EHLO [192.168.1.38]
: > unknown[remoteIP]: 250-domain.com
: > unknown[remoteIP]: 250-PIPELINING
: > unknown[remoteIP]: 250-SIZE 20971520
然后它就停了下来……
答案1
除非这个系统是纯粹内部的,否则设置
smtpd_tls_security_level = encrypt
将确保它永远不会收到网络邮件。
如果你想要确保用户提交的安全,则需要配置提交服务已在 master.cf 文件中注释掉。
提交发生在端口 587 上,而不是端口 25,并且应始终按照以下要求进行安全保护和身份验证:RFC6409
答案2
首先,你可以将工作站的 IP 地址添加到mynetworks
。例如:
mynetworks = 127.0.0.0/8 178.193.xxx.xxx
如果一切正常,则尝试调试为什么 SASL 身份验证不起作用,如果您需要帮助,您应该在启用 SASL 后发布邮件日志。
答案3
尝试 #2:
我说得对,您的服务器拒绝身份验证。现在我发现问题有多个层次:
您还没有将发送主机添加到 $mynetworks(您可以使用 检查
postconf -d | grep mynetworks
),因此只有您通过身份验证,服务器才会接受来自您的邮件。正如您所指定的,
smtpd_tls_auth_only = yes
身份验证只能通过加密连接进行。您的客户端启动了加密连接,但是...您的日志结束了。接下来发生了什么?其他日志中是否有关于身份验证错误的信息?
我还知道 sasl 默认会向其内部数据库验证用户身份。但您还没有指定身份验证源。有关设置 Postfix/SASL/Dovecot 身份验证的良好指南位于http://www.postfix.org/SASL_README.html#server_dovecot_comm,尝试检查一下。