Postfix instance occasionally handles email received by other instances

I have a server set up with multiple Postfix instances, each with its own IP:

  1. Instance 1: example.com (the root domain, with mailboxes for interim bounce/FBL handling)
  2. Instance 2: unsub.eg.example.com (a subdomain with mailboxes for unsubscribe handling)
  3. Instance 3: out1.eg.example.com (outbound only)
  4. Instance 4: out2.eg.example.com (outbound only)

Everything works fine as far as sending email, or receiving email on the domain unsub.eg.example.com, is concerned.

However, when email is sent to [email protected] or [email protected], any one of the four instances may handle it, not only the example.com instance. When unsub, out1 or out2 picks it up, the handling instance logs the error NOQUEUE: reject: RCPT from : 554 5.7.1: Relay access denied. If instance 1 happens to pick it up, it is delivered to the mailbox without any problem.

So why do the other instances receive email destined for example.com? This is driving me crazy.

Here are the relevant parts of main.cf for each instance, which I think might be causing the problem:

smtp.example.com

queue_directory = /var/spool/postfix-smtp
command_directory=/usr/sbin
daemon_directory=/usr/libexec/postfix
data_directory=/var/lib/postfix-smtp
mail_owner=postfix
syslog_name=pfix-smtp

myhostname=smtp.example.com
mydomain=example.com
myorigin=$mydomain
inet_interfaces=$myhostname
inet_protocols=ipv4
mydestination=localhost
mynetworks_style=host
relay_domains=
relayhost=

home_mailbox=Maildir/
disable_vrfy_command=yes
virtual_mailbox_domains=$mydomain
virtual_mailbox_maps=hash:/etc/postfix/vmailbox

smtpd_sasl_auth_enable=yes
broken_sasl_auth_clients=yes
smtpd_sasl_type=dovecot
smtpd_sasl_path=private/auth
smtpd_sasl_security_options=noanonymous
# parameter name is singular (smtpd_recipient_restrictions); Postfix does not apply an unknown plural name
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sender_restrictions=reject_unknown_sender_domain
smtpd_sasl_local_domain=
local_recipient_maps=$alias_maps,$virtual_mailbox_maps

unsub.eg.example.com

queue_directory = /var/spool/postfix-unsub
command_directory=/usr/sbin
daemon_directory=/usr/libexec/postfix
data_directory=/var/lib/postfix-unsub
mail_owner=postfix
syslog_name=pfix-unsub

myhostname=unsub.eg.example.com
mydomain=unsub.eg.example.com
myorigin=$mydomain
inet_interfaces=$myhostname
inet_protocols=ipv4
mydestination=localhost
mynetworks_style=host
relay_domains=
relayhost=

home_mailbox=Maildir/
disable_vrfy_command=yes
virtual_mailbox_domains=$myhostname
virtual_mailbox_maps=hash:/etc/postfix/vmailbox
virtual_alias_maps=hash:/etc/postfix-unsub/virtual

smtpd_sasl_auth_enable=yes
broken_sasl_auth_clients=yes
smtpd_sasl_type=dovecot
smtpd_sasl_path=private/auth
smtpd_sasl_security_options=noanonymous
# parameter name is singular (smtpd_recipient_restrictions); Postfix does not apply an unknown plural name
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sender_restrictions=reject_unknown_sender_domain
smtpd_sasl_local_domain=
local_recipient_maps=$alias_maps,$virtual_mailbox_maps

out1.eg.example.com

queue_directory = /var/spool/postfix-ou1
command_directory=/usr/sbin
daemon_directory=/usr/libexec/postfix
data_directory=/var/lib/postfix-ou1
mail_owner=postfix
syslog_name=pfix-out1

myhostname=out1.eg.example.com
mydomain=out1.eg.example.com
myorigin=$mydomain
inet_interfaces=$myhostname
inet_protocols=ipv4
mydestination=
mynetworks_style=host
relay_domains=
relayhost=

out2.eg.example.com

queue_directory = /var/spool/postfix-ou2
command_directory=/usr/sbin
daemon_directory=/usr/libexec/postfix
data_directory=/var/lib/postfix-ou2
mail_owner=postfix
syslog_name=pfix-out2

myhostname=out2.eg.example.com
mydomain=out2.eg.example.com
myorigin=$mydomain
inet_interfaces=$myhostname
inet_protocols=ipv4
mydestination=
mynetworks_style=host
relay_domains=
relayhost=

Note: I also generated self-signed TLS certificates and DKIM signing for all instances, but everything looks fine there and I don't think those are the culprit.

Thanks everyone!

Log from September 25, 2014: these are the logs I got today while testing by sending email from an Outlook client:

Sep 25 06:04:37 bm1 pfix-out2/anvil[11131]: statistics: max connection rate 3/60s for (smtp:XXX.XXX.XXX.42) at Sep 25 06:01:12
Sep 25 06:04:37 bm1 pfix-out2/anvil[11131]: statistics: max connection count 3 for (smtp:XXX.XXX.XXX.42) at Sep 25 06:01:12
Sep 25 06:04:37 bm1 pfix-out2/anvil[11131]: statistics: max cache size 1 at Sep 25 06:01:01
Sep 25 06:05:46 bm1 pfix-out1/anvil[11191]: statistics: max connection rate 3/60s for (smtp:XXX.XXX.XXX.42) at Sep 25 06:02:21
Sep 25 06:05:46 bm1 pfix-out1/anvil[11191]: statistics: max connection count 3 for (smtp:XXX.XXX.XXX.42) at Sep 25 06:02:21
Sep 25 06:05:46 bm1 pfix-out1/anvil[11191]: statistics: max cache size 1 at Sep 25 06:02:10
Sep 25 06:06:11 bm1 pfix-unsub/smtpd[11239]: connect from mail.sender.com[XXX.XXX.XXX.250]
Sep 25 06:06:11 bm1 pfix-unsub/smtpd[11239]: setting up TLS connection from mail.sender.com[XXX.XXX.XXX.250]
Sep 25 06:06:11 bm1 pfix-unsub/smtpd[11239]: Anonymous TLS connection established from mail.sender.com[XXX.XXX.XXX.250]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Sep 25 06:06:11 bm1 pfix-unsub/smtpd[11239]: NOQUEUE: reject: RCPT from mail.sender.com[XXX.XXX.XXX.250]: 554 5.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<sender.com>
Sep 25 06:06:11 bm1 pfix-unsub/smtpd[11239]: disconnect from mail.sender.com[XXX.XXX.XXX.250]
Sep 25 06:07:02 bm1 pfix-smtp/smtpd[11257]: connect from mail.sender.com[XXX.XXX.XXX.250]
Sep 25 06:07:02 bm1 pfix-smtp/smtpd[11257]: setting up TLS connection from mail.sender.com[XXX.XXX.XXX.250]
Sep 25 06:07:02 bm1 pfix-smtp/smtpd[11257]: Anonymous TLS connection established from mail.sender.com[XXX.XXX.XXX.250]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Sep 25 06:07:02 bm1 pfix-smtp/smtpd[11257]: D91BB3060289: client=mail.sender.com[XXX.XXX.XXX.250]
Sep 25 06:07:02 bm1 pfix-smtp/cleanup[11260]: D91BB3060289: message-id=<004001cfd886$d01b96c0$7052c440$@[email protected]>
Sep 25 06:07:02 bm1 opendkim[18460]: D91BB3060289: mail.sender.com [XXX.XXX.XXX.250] not internal
Sep 25 06:07:02 bm1 opendkim[18460]: D91BB3060289: not authenticated
Sep 25 06:07:02 bm1 opendkim[18460]: D91BB3060289: no signature data
Sep 25 06:07:02 bm1 pfix-smtp/qmgr[7018]: D91BB3060289: from=<[email protected]>, size=11502, nrcpt=1 (queue active)
Sep 25 06:07:02 bm1 pfix-smtp/smtpd[11257]: disconnect from mail.sender.com[XXX.XXX.XXX.250]
Sep 25 06:07:02 bm1 pfix-smtp/virtual[11261]: D91BB3060289: to=<[email protected]>, relay=virtual, delay=0.09, delays=0.06/0.01/0/0.02, dsn=2.0.0, status=sent (delivered to maildir)
Sep 25 06:07:02 bm1 pfix-smtp/qmgr[7018]: D91BB3060289: removed
Sep 25 06:07:46 bm1 pfix-smtp/anvil[11102]: statistics: max connection rate 3/60s for (smtp:XXX.XXX.XXX.42) at Sep 25 06:02:23
Sep 25 06:07:46 bm1 pfix-smtp/anvil[11102]: statistics: max connection count 3 for (smtp:XXX.XXX.XXX.42) at Sep 25 06:02:23
Sep 25 06:07:46 bm1 pfix-smtp/anvil[11102]: statistics: max cache size 2 at Sep 25 06:02:12
Sep 25 06:08:10 bm1 pfix-smtp/smtpd[11257]: connect from mail.sender.com[XXX.XXX.XXX.250]
Sep 25 06:08:10 bm1 pfix-smtp/smtpd[11257]: setting up TLS connection from mail.sender.com[XXX.XXX.XXX.250]
Sep 25 06:08:10 bm1 pfix-smtp/smtpd[11257]: Anonymous TLS connection established from mail.sender.com[XXX.XXX.XXX.250]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Sep 25 06:08:10 bm1 pfix-smtp/smtpd[11257]: 8FC143060289: client=mail.sender.com[XXX.XXX.XXX.250]
Sep 25 06:08:10 bm1 pfix-smtp/cleanup[11260]: 8FC143060289: message-id=<004601cfd886$f873f540$e95bdfc0$@[email protected]>
Sep 25 06:08:10 bm1 opendkim[18460]: 8FC143060289: mail.sender.com [XXX.XXX.XXX.250] not internal
Sep 25 06:08:10 bm1 opendkim[18460]: 8FC143060289: not authenticated
Sep 25 06:08:10 bm1 opendkim[18460]: 8FC143060289: no signature data
Sep 25 06:08:10 bm1 pfix-smtp/qmgr[7018]: 8FC143060289: from=<[email protected]>, size=11431, nrcpt=1 (queue active)
Sep 25 06:08:10 bm1 pfix-smtp/smtpd[11257]: disconnect from mail.sender.com[XXX.XXX.XXX.250]
Sep 25 06:08:10 bm1 pfix-smtp/virtual[11261]: 8FC143060289: to=<[email protected]>, relay=virtual, delay=0.05, delays=0.04/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
Sep 25 06:08:10 bm1 pfix-smtp/qmgr[7018]: 8FC143060289: removed
Sep 25 06:09:31 bm1 pfix-unsub/anvil[11219]: statistics: max connection rate 3/60s for (smtp:XXX.XXX.XXX.42) at Sep 25 06:03:26
Sep 25 06:09:31 bm1 pfix-unsub/anvil[11219]: statistics: max connection count 3 for (smtp:XXX.XXX.XXX.42) at Sep 25 06:03:26
Sep 25 06:09:31 bm1 pfix-unsub/anvil[11219]: statistics: max cache size 1 at Sep 25 06:03:15
Sep 25 06:10:33 bm1 pfix-out2/smtpd[11289]: warning: dict_nis_init: NIS domain name not set - NIS lookups disabled
Sep 25 06:10:33 bm1 pfix-out2/smtpd[11289]: connect from mail.sender.com[XXX.XXX.XXX.250]
Sep 25 06:10:33 bm1 pfix-out2/smtpd[11289]: setting up TLS connection from mail.sender.com[XXX.XXX.XXX.250]
Sep 25 06:10:33 bm1 pfix-out2/smtpd[11289]: Anonymous TLS connection established from mail.sender.com[XXX.XXX.XXX.250]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Sep 25 06:10:33 bm1 pfix-out2/smtpd[11289]: NOQUEUE: reject: RCPT from mail.sender.com[XXX.XXX.XXX.250]: 554 5.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<sender.com>
Sep 25 06:10:33 bm1 pfix-out2/smtpd[11289]: disconnect from mail.sender.com[XXX.XXX.XXX.250]

Please note,

DNS settings

IN      MX      10      smtp
IN      MX      10      unsub.eg
IN      MX      10      out1.eg
IN      MX      10      out2.eg

;A Records
example.com.                    IN      A       YYY.YYY.YYY.3
subdomain1                      IN      A       YYY.YYY.YYY.3
smtp                            IN      A       XXX.XXX.XXX.123
unsub.eg                        IN      A       XXX.XXX.XXX.124
out1.eg                         IN      A       XXX.XXX.XXX.125
out2.eg                         IN      A       XXX.XXX.XXX.126

;SPF TXT RR
example.com.                   IN      TXT     "v=spf1 mx:smtp.example.com mx:out1.eg.example.com mx:out2.eg.example.com ~all"

example.com.                   IN      TXT     "spf2.0/pra mx:smtp.example.com mx:out1.eg.example.com mx:out2.eg.example.com ~all"
;DKIM TXT RR
default._domainkey              IN      TXT     "v=DKIM1; k=rsa; p=**key**"

Answer 1

You have listed all of the Postfix instances as MX for the domain, with the same priority. This means a sending mail server may choose any one of them.

Since you only want smtp.example.com to handle incoming mail, you should remove all MX lines except:

IN      MX      10      smtp

Edit based on the comments: the MX record applies specifically to example.com. It means "if you want to send email to any address ending in @example.com, you may use any one of the servers listed as MX."

For unsub.eg.example.com you have an A record. When a sending mail server looks up how to route mail to that address, it first looks for an MX record for unsub.eg.example.com. If it finds none, it looks for an A record. And since an A record for unsub.eg.example.com exists, the mail is sent directly to that server. So you do not need an MX record for it. (If you do want to use an MX record, it should be set up for unsub.eg.example.com, not for example.com!)

As for SPF records, these are specifically for outgoing traffic. MX is specifically for incoming traffic. For larger domains it is common practice to have separate servers for outgoing and incoming traffic. In those cases the outgoing servers should only be listed in SPF, and the incoming servers should only be listed as MX.

It is possible to set up the SPF record to include all MX hosts. But you can just as easily list the IP addresses or A records of the servers allowed to send mail, regardless of whether those servers also serve as MX. More on the syntax is available on the OpenSPF website.

Edit 2: here is a suggestion for the new SPF record:

;SPF TXT RR
example.com.                   IN      TXT     "v=spf1 a:out2.eg.example.com a:out1.eg.example.com ~all"
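To tie the question's configs and reject logs to the answer's MX explanation, here is an added example (my own code, not from the original posts) that models both steps: how a sending MTA picks a destination host from the zone shown above (MX records, falling back to the A record when there is no MX), and how each instance's reject_unauth_destination check then treats a recipient in example.com. The zone, the per-instance settings and the address user@example.com are constructed from the values on the page; the client is assumed to be an unauthenticated external sender like mail.sender.com in the logs.

```python
# Constructed from the zone on the page: name -> {"MX": [(pref, host)], "A": [ip]}
ZONE = {
    "example.com": {"MX": [(10, "smtp.example.com"), (10, "unsub.eg.example.com"),
                           (10, "out1.eg.example.com"), (10, "out2.eg.example.com")],
                    "A": ["YYY.YYY.YYY.3"]},
    "smtp.example.com": {"A": ["XXX.XXX.XXX.123"]},
    "unsub.eg.example.com": {"A": ["XXX.XXX.XXX.124"]},
    "out1.eg.example.com": {"A": ["XXX.XXX.XXX.125"]},
    "out2.eg.example.com": {"A": ["XXX.XXX.XXX.126"]},
}

# Per-instance main.cf values (from the page) that decide whether a recipient domain is authorized.
INSTANCES = {
    "smtp.example.com": {"mydestination": {"localhost"}, "virtual_mailbox_domains": {"example.com"}},
    "unsub.eg.example.com": {"mydestination": {"localhost"}, "virtual_mailbox_domains": {"unsub.eg.example.com"}},
    "out1.eg.example.com": {"mydestination": set(), "virtual_mailbox_domains": set()},
    "out2.eg.example.com": {"mydestination": set(), "virtual_mailbox_domains": set()},
}

def mail_hosts(zone, domain):
    """RFC 5321 routing: use the lowest-preference MX hosts if any MX exists;
    with no MX, the domain's own A record acts as an implicit MX."""
    rr = zone.get(domain, {})
    if rr.get("MX"):
        best = min(pref for pref, _ in rr["MX"])
        return [host for pref, host in rr["MX"] if pref == best]  # equal preference: sender may pick any
    return [domain] if rr.get("A") else []

def smtpd_accepts(instance, recipient):
    """reject_unauth_destination for an unauthenticated, non-mynetworks client:
    accept only if the recipient domain is one this instance delivers for
    (mydestination or virtual_mailbox_domains; relay_domains is empty on all instances)."""
    cfg = INSTANCES[instance]
    domain = recipient.rsplit("@", 1)[1].lower()
    return domain in cfg["mydestination"] | cfg["virtual_mailbox_domains"]

def delivery_outcomes(zone, recipient):
    """Map each host the sender might choose to the result the logs would show."""
    domain = recipient.rsplit("@", 1)[1].lower()
    return {h: "delivered" if smtpd_accepts(h, recipient) else "554 5.7.1 Relay access denied"
            for h in mail_hosts(zone, domain)}

def fixed_zone(zone):
    """The answer's fix: keep only smtp.example.com as MX for example.com."""
    z = {name: dict(rrs) for name, rrs in zone.items()}
    z["example.com"]["MX"] = [(10, "smtp.example.com")]
    return z

if __name__ == "__main__":
    print(delivery_outcomes(ZONE, "user@example.com"))             # 3 of 4 hosts reject
    print(delivery_outcomes(fixed_zone(ZONE), "user@example.com"))  # only smtp, delivered
    print(delivery_outcomes(ZONE, "user@unsub.eg.example.com"))     # implicit MX via A record
```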
