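I want to extend my postfix configuration so that it can receive mail for my domain.
At the moment I have postfix set up as a smarthost: it accepts mail after authentication and forwards it to different servers (such as gmail) depending on the sender. So far this works well. I want to extend the configuration so that mail for my domain (mydomain.com) is also accepted, but without authentication (everyone should be allowed to send mail to users on that domain). The smarthost functionality should remain. Postfix should therefore handle the following 2 tasks:
- After successful client authentication, act as a smarthost and forward mail to arbitrary recipients
- Accept mail from arbitrary senders without authentication, as long as the recipient is in the local domain
The current configuration (main.cf) is attached below. I think what I need to do is change the parameters "smtpd_client_restrictions" and "smtpd_recipient_restrictions", but I am not sure about this. It would help me a lot if someone could confirm it.
main.cf: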
[...]
myhostname = mydomain.com
mynetworks = 127.0.0.0/8
mydestination = mydomain.com localhost localhost.mydomain.com
canonical_maps = regexp:/etc/postfix/canonical-redirect
home_mailbox = Mail/
# POSTFIX SERVER AUTHENTICATION
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noplaintext, noanonymous
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_client_restrictions = permit_sasl_authenticated, reject
smtpd_recipient_restrictions = permit_sasl_authenticated, reject
smtpd_tls_security_level = encrypt
# SENDER DEPENDENT RELAYs
# relays
smtp_sender_dependent_authentication = yes
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
# auth
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_mechanism_filter = GSSAPI, DIGEST-MD5, CRAM-MD5, login, plain
smtp_tls_security_level = encrypt
smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = noplaintext, noanonymous
#TLS
smtpd_tls_cert_file=/etc/ssl/cert.pem
smtpd_tls_key_file=/etc/ssl/cert.key
[...]
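Edit: Following NickW's comment, I changed the restrictions to
smtpd_client_restrictions =
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unknown_recipient_domain, permit
As I understand it, this rule first allows all authenticated users to send mail, rejects mail to recipients that do not belong to my domain, and finally permits those mails. Is that correct so far?
However, postfix then complains: fatal: parameter "smtpd_recipient_restrictions": specify at least one working instance of: check_relay_domains, reject_unauth_destination, reject, defer or defer_if_permit. If I put "reject" after "permit", postfix only shows a warning (restriction "reject" after "permit" is ignored) but no error...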
Answer 1
Since you have already set mydomain.com in mydestination, you can put permit_auth_destination in your restrictions.
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_auth_destination, reject
As NickW said, smtpd_client_restrictions is redundant. You can remove that line.
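The difference between the list in the question's edit and the list in Answer 1, as an added example that is not part of the original posts: a simplified Python model of how Postfix walks smtpd_recipient_restrictions left to right and stops at the first PERMIT or REJECT. Assumptions: "authorized destination" is reduced to the mydestination domains from the question, DNS lookups are replaced by a constructed set, and the names evaluate, is_open_relay, ASKER_EDIT and ANSWER_1 are hypothetical.

```python
import re

# Simplified model of Postfix's smtpd_recipient_restrictions walk: restrictions
# are tried left to right, the first PERMIT or REJECT ends the walk, DUNNO
# moves on, and an exhausted list permits the recipient.
LOCAL_DOMAINS = {"mydomain.com", "localhost", "localhost.mydomain.com"}  # mydestination from the question
RESOLVABLE = LOCAL_DOMAINS | {"gmail.com"}  # constructed stand-in for DNS lookups


def _domain(rcpt):
    return rcpt.rsplit("@", 1)[1].lower()


# Each check takes (authenticated, rcpt) and returns PERMIT, REJECT or DUNNO.
# Assumption: "authorized destination" is reduced to mydestination only.
CHECKS = {
    "permit_sasl_authenticated": lambda auth, rcpt: "PERMIT" if auth else "DUNNO",
    "permit_auth_destination": lambda auth, rcpt: "PERMIT" if _domain(rcpt) in LOCAL_DOMAINS else "DUNNO",
    "reject_unauth_destination": lambda auth, rcpt: "DUNNO" if _domain(rcpt) in LOCAL_DOMAINS else "REJECT",
    "reject_unknown_recipient_domain": lambda auth, rcpt: "DUNNO" if _domain(rcpt) in RESOLVABLE else "REJECT",
    "permit": lambda auth, rcpt: "PERMIT",
    "reject": lambda auth, rcpt: "REJECT",
}


def evaluate(restrictions, authenticated, rcpt):
    """Return (verdict, deciding restriction) for one RCPT TO."""
    for name in re.split(r"[,\s]+", restrictions.strip()):
        verdict = CHECKS[name](authenticated, rcpt)
        if verdict != "DUNNO":
            return verdict, name
    return "PERMIT", "(end of list)"


def is_open_relay(restrictions):
    """True if an unauthenticated client may send to a non-local domain."""
    return evaluate(restrictions, False, "someone@gmail.com")[0] == "PERMIT"


ASKER_EDIT = "permit_sasl_authenticated, reject_unknown_recipient_domain, permit"
ANSWER_1 = "permit_sasl_authenticated, permit_auth_destination, reject"

if __name__ == "__main__":
    for label, rules in (("asker's edit", ASKER_EDIT), ("answer 1", ANSWER_1)):
        print(label, "open relay:", is_open_relay(rules))
        for auth, rcpt in ((False, "user@mydomain.com"), (True, "someone@gmail.com")):
            print("  auth=%s rcpt=%s ->" % (auth, rcpt), evaluate(rules, auth, rcpt))
```

In this model the edited list lets an unauthenticated client reach the final permit for any resolvable external domain, which is the condition the fatal error quoted in the question guards against.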
Answer 2
I am posting this as an answer to keep the monospace formatting of the comment; this is my current setup for my domain.
# === Incoming mail restriction ================================================
#smtpd_client_restrictions =
# check_client_access hash:/etc/postfix/access
smtpd_recipient_restrictions =
    # Whitelisting or blacklisting:
    # check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf,
    # Mails from our users:
    permit_mynetworks,
    # Greylist
    check_policy_service unix:private/postgray,
    # Everyone should play by the rules:
    reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    reject_unknown_recipient_domain,
    reject_unknown_sender_domain,
    reject_unauth_pipelining,
    # Allow authenticated users / 587 TLS/465 SSL
    permit_sasl_authenticated,
    # This will block mails from domains with no reverse DNS record. Will affect both spam and ham mails, but mostly spam.
    # reject_unknown_reverse_client_hostname,
    # Instead of reject_unknown_reverse_client_hostname you can also use reject_unknown_client_hostname, which is an even harder rule.
    # Reject ugly HELO/EHLO-hostnames (could also affect regular mails):
    # reject_non_fqdn_hostname,
    # reject_invalid_helo_hostname,
    # Reject everything you're not responsible for:
    reject_unauth_destination,
    # Only take mails for existing accounts:
    reject_unverified_recipient,
    # DNS lookups are "expensive", therefore should be at bottom
    # reject_rbl_client zen.spamhaus.org