Postfix: sender-dependent relay and hosting mail

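I want to extend my postfix configuration so that it can receive mail for my domain.

Currently I have postfix set up as a smarthost that accepts mail after authentication and forwards it to different servers (such as gmail) depending on the sender. So far this works well. I want to extend the configuration so that mail for my domain (mydomain.com) is also accepted, but without authentication (everyone should be allowed to send mail to users on that domain). The smarthost functionality should remain. So Postfix should take on the following 2 tasks:

  1. After successful client authentication, act as a smarthost and forward mail to arbitrary recipients
  2. Accept mail from arbitrary senders without authentication, but only for recipients in the local domain

The current configuration (main.cf) is attached below. I think what I need to do is change the parameters of "smtpd_client_restrictions" and "smtpd_recipient_restrictions", but I am not sure about this. If someone could confirm this, it would help me a lot.


main.cf: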

    [...]
    myhostname = mydomain.com
    mynetworks = 127.0.0.0/8
    mydestination = mydomain.com localhost localhost.mydomain.com
    canonical_maps = regexp:/etc/postfix/canonical-redirect
    home_mailbox = Mail/

    # POSTFIX SERVER AUTHENTICATION
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noplaintext, noanonymous
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    smtpd_client_restrictions = permit_sasl_authenticated, reject
    smtpd_recipient_restrictions = permit_sasl_authenticated, reject
    smtpd_tls_security_level = encrypt

    # SENDER DEPENDENT RELAYs
    # relays
    smtp_sender_dependent_authentication = yes
    sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
    # auth
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_sasl_mechanism_filter = GSSAPI, DIGEST-MD5, CRAM-MD5, login, plain
    smtp_tls_security_level = encrypt
    smtp_sasl_security_options = noplaintext, noanonymous
    smtp_sasl_tls_security_options = noplaintext, noanonymous

    #TLS
    smtpd_tls_cert_file=/etc/ssl/cert.pem
    smtpd_tls_key_file=/etc/ssl/cert.key
    [...]

Edit: Following NickW's comment, I changed the permissions:

    smtpd_client_restrictions = 
    smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unknown_recipient_domain, permit
    

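As I understand it, this rule first allows all authenticated users to send mail, rejects mail for recipients that do not belong to my domain, and finally permits the mail. Is that correct so far?

However, postfix then complains: 'fatal: parameter "smtpd_recipient_restrictions": specify at least one working instance of: check_relay_domains, reject_unauth_destination, reject, defer or defer_if_permit'. If I put "reject" after "permit", postfix only shows a warning ('restriction "reject" after "permit" is ignored') but no error...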

Answer 1

Because you have already set mydomain.com in mydestination, you can put permit_auth_destination in your restrictions.

    smtpd_recipient_restrictions = permit_sasl_authenticated, permit_auth_destination, reject

As NickW said, smtpd_client_restrictions is redundant. You can remove that line.
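
The following is an added example, not part of the original question or answers: a simplified Python model of how Postfix walks `smtpd_recipient_restrictions` (left to right, first decisive result wins), comparing the three lists that appear on this page. It assumes `permit_auth_destination` only consults `mydestination`, replaces DNS with a constructed set of resolvable domains, and uses constructed sample recipients.

```python
# Simplified model (assumption-laden, not Postfix code): each restriction
# returns "PERMIT", "REJECT" or None (no decision, continue with the next one).
MYDESTINATION = {"mydomain.com", "localhost", "localhost.mydomain.com"}  # from the page
RESOLVABLE = {"mydomain.com", "gmail.com"}  # constructed stand-in for DNS lookups


def rcpt_domain(rcpt):
    return rcpt.rsplit("@", 1)[1].lower()


RESTRICTIONS = {
    "permit_sasl_authenticated": lambda auth, rcpt: "PERMIT" if auth else None,
    "permit_auth_destination":
        lambda auth, rcpt: "PERMIT" if rcpt_domain(rcpt) in MYDESTINATION else None,
    # Only checks that the recipient domain exists in DNS; it does not
    # check whether this server is responsible for that domain.
    "reject_unknown_recipient_domain":
        lambda auth, rcpt: None if rcpt_domain(rcpt) in RESOLVABLE else "REJECT",
    "permit": lambda auth, rcpt: "PERMIT",
    "reject": lambda auth, rcpt: "REJECT",
}

CONFIGS = {  # the three restriction lists shown on this page
    "original": "permit_sasl_authenticated, reject",
    "edited": "permit_sasl_authenticated, reject_unknown_recipient_domain, permit",
    "answer1": "permit_sasl_authenticated, permit_auth_destination, reject",
}

CASES = {  # constructed sample sessions: (authenticated?, recipient)
    "authenticated relay": (True, "friend@gmail.com"),
    "inbound to local domain": (False, "user@mydomain.com"),
    "unauthenticated relay": (False, "someone@gmail.com"),
}


def evaluate(restrictions, authenticated, rcpt):
    """Return (verdict, name of the restriction that decided)."""
    for name in (r.strip() for r in restrictions.split(",")):
        verdict = RESTRICTIONS[name](authenticated, rcpt)
        if verdict:
            return verdict, name
    return "PERMIT", "(end of list)"  # nothing decided: mail is accepted


def matrix():
    return {cfg: {case: evaluate(rules, *args)[0] for case, args in CASES.items()}
            for cfg, rules in CONFIGS.items()}


if __name__ == "__main__":
    for cfg, row in matrix().items():
        print(f"{cfg:9s} {row}")
```

In this model the edited list accepts the unauthenticated relay case, which is the open-relay condition the fatal startup check quoted in the question guards against.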

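Answer 2

I am posting this as an answer to keep the monospace formatting that a comment would lose; this is my current setup for my domain.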

    # === Incoming mail restriction ================================================

    #smtpd_client_restrictions    =
    #                               check_client_access hash:/etc/postfix/access

    smtpd_recipient_restrictions =
    # Whitelisting or blacklisting:
    #                                check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf,
    # Mails from our users:
                                    permit_mynetworks,
    # Greylist
                                    check_policy_service unix:private/postgray,
    # Everyone should play by the rules:
                                    reject_non_fqdn_recipient,
                                    reject_non_fqdn_sender,
                                    reject_unknown_recipient_domain,
                                    reject_unknown_sender_domain,
                                    reject_unauth_pipelining,
    # Allow authenticated users / 587 TLS/465 SSL
                                    permit_sasl_authenticated,
    # This will block mails from domains with no reverse DNS record. Will affect both spam and ham mails, but mostly spam.
    #                                reject_unknown_reverse_client_hostname,

    # Instead of reject_unknown_reverse_client_hostname you can also use reject_unknown_client_hostname, which is an even harder rule.
    # Reject ugly HELO/EHLO-hostnames (could also affect regular mails):
    #                                reject_non_fqdn_hostname,
    #                                reject_invalid_helo_hostname,
    # Reject everything you're not responsible for:
                                    reject_unauth_destination,
    # Only take mails for existing accounts:
                                    reject_unverified_recipient,
    # DNS lookups are "expensive", therefore should be at bottom
    #                                reject_rbl_client zen.spamhaus.org
