追踪 Postfix“收件人地址被拒绝:访问被拒绝”错误的原因

追踪 Postfix“收件人地址被拒绝:访问被拒绝”错误的原因

我们遇到这样一种情况:特定公司发送给合法收件人的电子邮件被退回,并显示“收件人地址被拒绝:访问被拒绝”:

Aug 23 09:15:27 extranet postfix/smtpd[20228]: NOQUEUE: reject: RCPT from sender.com[8.9.10.11]: 554 5.7.1 <[email protected]>: Recipient address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mg01d1.sender.com>

postconf -d | grep mail_version

mail_version = 2.7.1

后配置-n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
allow_percent_hack = no
allow_untrusted_routing = yes
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 24h
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
delay_warning_time = 4h
disable_vrfy_command = yes
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
mailbox_size_limit = 0
maximal_queue_lifetime = 24h
mydestination = mail.example.com, extranet.example.com, localhost
myhostname = mail.example.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relay_domains = $mydestination
relayhost = 
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_mynetworks, reject_unauth_destination, check_recipient_access hash:/etc/postfix/access,    reject_non_fqdn_sender, check_sender_access hash:/etc/postfix/sender_access,    reject_non_fqdn_hostname, reject_invalid_hostname, check_helo_access hash:/etc/postfix/helo_access, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, permit
smtpd_sasl_auth_enable = no
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.com.2013.chain.pem
smtpd_tls_key_file = /etc/ssl/private/example.2013.key
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtpd_use_tls = no
virtual_alias_domains = example.co.uk, example.co
virtual_alias_maps = hash:/etc/postfix/virtual, ldap:/etc/postfix/ldap_virtual_alias_maps.cf, ldap:/etc/postfix/ldap_virtual_groups.cf
virtual_mailbox_domains = ldap:/etc/postfix/ldap_virtual_domains.cf
virtual_mailbox_maps = ldap:/etc/postfix/ldap_virtual_mailbox_maps.cf
virtual_transport = dovecot

现在,我们只使用 smtpd_recipient_restrictions,因为我们对客户端、helo、收件人限制的应用顺序非常讲究。但是,根据我(显然有限的)理解,其中唯一应该生成该错误的指令是该check_recipient_access hash:/etc/postfix/access指令,但该文件仅用于阻止我们虚拟别名域之一中的一些常见垃圾邮件地址:

[email protected]   REJECT Recipient address rejected. This domain name is only an alias. Please email postmaster @ the primary domain or the mail server hostname.
[email protected]        REJECT Recipient address rejected. This domain name is only an alias. Please email abuse @ the primary domain or the mail server hostname.
[email protected]  REJECT Recipient address rejected. This domain name is only an alias. Please email support @ the primary domain or the mail server hostname.

/etc/postfix/sender_access为空(处于等待状态)且helo_access仅包含:

extranet.example.com        REJECT You are not me
www.example.com     REJECT You are not me
mail.example.com        REJECT You are not me

所有其他指令似乎都得到正确执行,或者我至少会期待一个不同的错误,如,,,Helo command rejected等等。User unknown in virtual mailbox tableService unavailable; Client host [2.3.4.5] blocked using zen.spamhaus.org

我接下来应该在哪里查看为什么会出现“收件人地址被拒绝:访问被拒绝”?如果发生故障,smtpd_recipient_restrictions 中的其他任何指令都会发出该错误吗?

答案1

由于某种原因,发送邮件服务器在端口 465 上发送邮件,这调用了一组不同的 smtpd_recipient_restrictions,更简单:

smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o broken_sasl_auth_clients=yes
  -o content_filter=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

当然,他们的 SMTP 服务器没有进行身份验证,因此收件人地址被拒绝访问。

我是否应该接受未经身份验证的 465 本地投递?我当然不这么认为。

答案2

您正在接收发给用户的邮件@example.com,但您尚未为该域配置 Postfix!在您的virtual_alias_domains唯一example.co.ukexample.co存在。因此 Postfix 认为它是不应接受该域名的邮件并将其视为接力情况(当然被拒绝)。

相关内容