I am trying to get postfix working with mail clients (thunderbird / outlook), but so far the only way I can make it work is by turning the mail server into an open relay, which is obviously very bad.
When I set the "mynetworks" parameter to "127.0.0.0/8" the server is secure, but I can only reach it through webmail. If I try to connect to it with thunderbird I get a 5.7.1 Relay access denied error.
When I set the "mynetworks" parameter to "0.0.0.0/0" it works with thunderbird, but it also acts as an open relay.
To try to fix this I set up sasl auth, but I can't get it to work. Here are my postconf settings:
mynetworks = 0.0.0.0/0
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net,
    reject_rbl_client list.dsbl.org, reject_rbl_client dnsbl.njabl.org,
    reject_rbl_client dnsbl.sorbs.net, permit
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous noplaintext
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_use_tls = yes
broken_sasl_auth_clients = yes
I have tried a lot of different settings, to no avail. If anyone could point me in the right direction I would be very grateful!
Answer 1
This works for me:
# SASL support
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
# SENDER RESTRICTIONS
smtpd_sender_restrictions =
    permit_mynetworks,
    reject_unknown_sender_domain,
    permit_sasl_authenticated,
    reject_unlisted_sender
# RECIPIENT RESTRICTIONS
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unlisted_recipient,
    warn_if_reject reject_unknown_client
# TLS Support
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/my.key
smtpd_tls_cert_file = /etc/ssl/mycert.pem
smtpd_tls_CAfile = /etc/ssl/cacert.pem
Answer 2
smtpd_client_restrictions applies to all clients that connect to the server, not only those trying to relay mail through the mail server but also those delivering mail locally. To have the mail server accept mail from every client for local delivery while requiring authentication for relaying, you have to use the smtpd_recipient_restrictions option.
I have the following configuration:
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 10.100.0.11/32 10.100.2.11/32 [2001:470:xxxx::11]/128 [2001:470:xxxx:4::11]/128
[...]
smtpd_recipient_restrictions = permit_mynetworks,
    check_relay_domains,
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_rbl_client sbl-xbl.spamhaus.org,
    check_policy_service unix:private/spfcheck,
    permit
[...]
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
smtpd_tls_auth_only = yes
broken_sasl_auth_clients = yes
(I don't have a smtpd_client_restrictions section)
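A small main.cf linter, added here as an example and not code from the question or either answer, that flags the two things the thread turns on: a mynetworks that trusts every address (which makes permit_mynetworks an open relay) and a smtpd_recipient_restrictions list that never reaches reject_unauth_destination, plus the noplaintext setting from the question that Answer 1 overrides with smtpd_sasl_tls_security_options (Postfix defaults that option to the value of smtpd_sasl_security_options). The two config fragments are constructed for the example; the file paths and hostnames of the posters are not used.

```python
# Constructed main.cf fragments (not the posters' own files): the question's
# relay-everything setting, then the authenticated-relay layout from the answers.
OPEN_RELAY_CF = """\
mynetworks = 0.0.0.0/0
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous noplaintext
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
"""
FIXED_CF = """\
mynetworks = 127.0.0.0/8 [::1]/128
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""

def parse_main_cf(text):
    """Parse 'key = value' lines; a line starting with whitespace continues the previous value."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and key is not None:  # continuation line
            params[key] = (params[key] + " " + raw.strip()).strip()
            continue
        key, _, value = (s.strip() for s in raw.partition("="))
        params[key] = value
    return params

def items(params, name):  # commas and whitespace both separate Postfix list entries
    return params.get(name, "").replace(",", " ").split()

def relay_findings(params):
    """Return open-relay and broken-auth findings for a parsed main.cf, in check order."""
    found, stops = [], ("reject_unauth_destination", "defer_unauth_destination")
    if any(n in ("0.0.0.0/0", "[::]/0") for n in items(params, "mynetworks")):
        found.append("mynetworks trusts every address, so permit_mynetworks relays for anyone")
    rules = items(params, "smtpd_recipient_restrictions")
    if not any(r in stops for r in rules):
        found.append("smtpd_recipient_restrictions never rejects unauthorized destinations")
    elif "permit" in rules and any(r in stops for r in rules[rules.index("permit"):]):
        found.append("a bare permit is reached before reject_unauth_destination")
    if params.get("smtpd_sasl_auth_enable") == "yes" and "permit_sasl_authenticated" not in rules:
        found.append("SASL is enabled but nothing permits authenticated clients to relay")
    if "noplaintext" in items(params, "smtpd_sasl_security_options") and "smtpd_sasl_tls_security_options" not in params:
        found.append("noplaintext also applies inside TLS unless smtpd_sasl_tls_security_options overrides it")
    return found
```

Run it against the output of `postconf -n` saved to a file to check a live server; an empty list means none of the thread's misconfigurations is present.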