Postfix mail server acting as an open relay


I'm trying to get Postfix working with mail clients (Thunderbird / Outlook), but so far the only way I've managed to do it is by turning the mail server into an open relay, which is obviously very bad.

When I set the "mynetworks" parameter to "127.0.0.0/8", the server is secure, but I can only reach it through webmail. If I try to connect to it with Thunderbird, I get a 5.7.1 Relay access denied error.

When I set the "mynetworks" parameter to "0.0.0.0/0", it works with Thunderbird, but it also acts as an open relay.

To try to fix this I set up SASL auth, but I can't get it to work. Here are my postconf settings:

mynetworks = 0.0.0.0/0
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated,
   reject_rbl_client zen.spamhaus.org,
   reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net,
   reject_rbl_client list.dsbl.org, reject_rbl_client dnsbl.njabl.org,
   reject_rbl_client dnsbl.sorbs.net, permit
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous noplaintext
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_use_tls = yes
broken_sasl_auth_clients = yes

I've tried lots of different settings, but to no avail. If anyone could point me in the right direction, I'd be very grateful!

Answer 1

This works for me:

# SASL support
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous

# SENDER RESTRICTIONS
smtpd_sender_restrictions =
     permit_mynetworks,
     reject_unknown_sender_domain,
     permit_sasl_authenticated,
     reject_unlisted_sender

# RECIPIENT RESTRICTIONS
smtpd_recipient_restrictions =
     permit_mynetworks,
     permit_sasl_authenticated,
     reject_unauth_destination,
     reject_unlisted_recipient,
     warn_if_reject reject_unknown_client

# TLS Support
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/my.key
smtpd_tls_cert_file = /etc/ssl/mycert.pem
smtpd_tls_CAfile = /etc/ssl/cacert.pem

Answer 2

smtpd_client_restrictions applies to every client that connects to the server, not only to clients trying to relay mail through it but also to those delivering mail locally. To have the mail server accept mail from any client for local delivery while requiring authentication for relaying, you have to specify the smtpd_recipient_restrictions option.

I have the following configuration:

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 10.100.0.11/32 10.100.2.11/32 [2001:470:xxxx::11]/128 [2001:470:xxxx:4::11]/128
[...]
smtpd_recipient_restrictions = permit_mynetworks,
                               check_relay_domains,
                               reject_unauth_pipelining,
                               reject_non_fqdn_recipient,
                               reject_unknown_recipient_domain,
                               permit_sasl_authenticated,
                               reject_unauth_destination,
                               reject_rbl_client sbl-xbl.spamhaus.org,
                               check_policy_service unix:private/spfcheck,
                               permit
[...]
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
smtpd_tls_auth_only = yes
broken_sasl_auth_clients = yes

(I don't have an smtpd_client_restrictions section.)
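As an added illustration of the point made in this answer (this is not code from either answer or from Postfix), a small Python model of how Postfix walks smtpd_recipient_restrictions left to right and stops at the first restriction that permits or rejects. It replays the question's two mynetworks settings and the SASL fix; the client address, domains and the three-entry restriction list are constructed for the example.

```python
"""Model of Postfix smtpd_recipient_restrictions evaluation (constructed example).
Restrictions are tried left to right; the first PERMIT or REJECT decides and
the rest are skipped. Only the three restrictions the thread hinges on are modelled."""
import ipaddress

LOCAL_DOMAINS = {"example.com"}          # constructed: domains this server delivers for
RELAY_DENIED = "554 5.7.1 Relay access denied"
RESTRICTIONS = ["permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination"]


def in_mynetworks(client_ip, mynetworks):
    """permit_mynetworks matches when the client IP falls inside any listed network."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in mynetworks)


def evaluate(restrictions, client_ip, authenticated, rcpt, mynetworks):
    """Return (verdict, deciding_restriction) for one RCPT TO, Postfix-style first match."""
    rcpt_domain = rcpt.rsplit("@", 1)[1]
    for r in restrictions:
        if r == "permit_mynetworks" and in_mynetworks(client_ip, mynetworks):
            return "PERMIT", r
        if r == "permit_sasl_authenticated" and authenticated:
            return "PERMIT", r
        if r == "reject_unauth_destination" and rcpt_domain not in LOCAL_DOMAINS:
            return RELAY_DENIED, r
    return "PERMIT", "end of list"       # Postfix permits when the list runs out


def thread_scenarios():
    """Replay the question's two mynetworks settings plus the SASL fix."""
    remote = "203.0.113.7"               # constructed: a laptop on the Internet (TEST-NET-3)
    outside = "someone@example.net"      # recipient at a foreign domain, i.e. relaying
    local = "alice@example.com"          # recipient at a domain we deliver for
    return {
        # mynetworks = 0.0.0.0/0: permit_mynetworks matches everyone -> open relay
        "open_relay": evaluate(RESTRICTIONS, remote, False, outside, ["0.0.0.0/0"]),
        # mynetworks = 127.0.0.0/8, no auth: Thunderbird from outside gets 5.7.1
        "unauth_remote": evaluate(RESTRICTIONS, remote, False, outside, ["127.0.0.0/8"]),
        # same client, SASL working: relaying is permitted after authentication
        "sasl_remote": evaluate(RESTRICTIONS, remote, True, outside, ["127.0.0.0/8"]),
        # inbound mail for a local domain is accepted from anyone (this answer's point)
        "inbound_local": evaluate(RESTRICTIONS, remote, False, local, ["127.0.0.0/8"]),
    }


if __name__ == "__main__":
    for name, (verdict, rule) in thread_scenarios().items():
        print(f"{name:14s} -> {verdict} (decided by {rule})")
```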
