CentOS 7 ec2 smtpd - Client host rejected: Access denied

I have been trying to solve this for several hours but still cannot fully understand it.

I have a mail server on an ec2 instance running CentOS7, configured with postfix, courier (authlib and imap), sasl, amavisd, spamassassin and roundcube. With this setup I can even do "telnet localhost 25" and send e-mail successfully, even beyond my ec2 instance.

I installed roundcube so that users can read/send e-mail more easily. I can log in without any problem, I can see my e-mails and read them (so imap works fine). However, the problem appears when I want to send an e-mail from roundcube (via smtps on port 465). It pops up the error "unable to set recipient" with the following message:

NOQUEUE: reject: RCPT from unknown[127.0.0.1]: 554 5.7.1 <unknown[127.0.0.1]>: Client host rejected: Access denied;

The full log of the e-mail send attempt:

Nov  6 08:11:26 ip-172-31-9-181 postfix/smtpd[5651]: connect from unknown[127.0.0.1]
Nov  6 08:11:26 ip-172-31-9-181 postfix/smtpd[5651]: Anonymous TLS connection established from unknown[127.0.0.1]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov  6 08:11:26 ip-172-31-9-181 postfix/smtpd[5651]: NOQUEUE: reject: RCPT from unknown[127.0.0.1]: 554 5.7.1 <unknown[127.0.0.1]>: Client host rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mail.mydomain.com>
Nov  6 08:11:26 ip-172-31-9-181 postfix/smtpd[5651]: disconnect from unknown[127.0.0.1]

This is my roundcube configuration in config.inc.php:

$config['default_host'] = 'ssl://localhost';
$config['default_port'] = 993;
$config['imap_auth_type'] = 'LOGIN';
$config['image_force_ns'] = true;

$config['smtp_server'] = 'ssl://localhost';
$config['smtp_port'] = 465;
$config['smtp_helo_host'] = 'mail.mydomain.com';

I have tried setting

$config['smtp_user'] = '%u';
$config['smtp_pass'] = '%p';

but this results in SASL errors:

Nov  6 08:24:01 ip-172-31-9-181 postfix/smtpd[5705]: connect from unknown[127.0.0.1]
Nov  6 08:24:01 ip-172-31-9-181 postfix/smtpd[5705]: Anonymous TLS connection established from unknown[127.0.0.1]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov  6 08:24:01 ip-172-31-9-181 postfix/smtpd[5705]: warning: SASL authentication failure: client response doesn't match what we generated (tried bogus)
Nov  6 08:24:01 ip-172-31-9-181 postfix/smtpd[5705]: warning: unknown[127.0.0.1]: SASL DIGEST-MD5 authentication failed: authentication failure
Nov  6 08:24:01 ip-172-31-9-181 postfix/smtpd[5705]: disconnect from unknown[127.0.0.1]

This confuses me; I don't even know what is causing it. Is it smtp, sasl or something else? All the required services are enabled and start without problems.

This is the output of postconf -n:

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
broken_sasl_auth_clients = no
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
delay_warning_time = 4h
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
local_destination_concurrency_limit = 5
local_destination_recipient_limit = 300
local_recipient_maps =
mail_owner = postfix
mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
masquerade_domains = mail.mydomain.com mydomain.com
masquerade_exceptions = root
maximal_backoff_time = 8000s
maximal_queue_lifetime = 7d
mime_header_checks = pcre:/etc/postfix/body_checks
minimal_backoff_time = 1000s
mydestination =
mydomain = mydomain.com
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
recipient_delimiter = +
relayhost =
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_helo_timeout = 60s
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, permit
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_hard_error_limit = 12
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_recipient_limit = 16
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
smtpd_soft_error_limit = 3
smtpd_tls_cert_file = /etc/postfix/unime.cert
smtpd_tls_key_file = /etc/postfix/unime.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
soft_bounce = no
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 450
virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/spool/mail/virtual
virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
virtual_uid_maps = static:5000

This is my master.cf file:

smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_tls_auth_only=yes
    -o smtpd_recipient_restrictions=permit_sasl_authenticated.reject_unauth_destination,reject
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
    -o smtpd_sasl_security_options=noanonymous,noplaintext
    -o smtpd_sasl_tls_security_options=noanonymous
smtps     inet  n       -       -       -       -       smtpd
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_tls_auth_only=yes
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_sasl_security_options=noanonymous,noplaintext
    -o smtpd_sasl_tls_security_options=noanonymous
pickup    unix  n       -       n       60      1       pickup
    -o content_filter=
    -o receive_override_options=no_header_body_checks
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
amavis    unix  -       -       -       -       2       smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20

127.0.0.1:10025 inet n - - - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

This is my sasl2/smtpd.conf file:

pwcheck_method: saslauthd
mech_list: plain login cram-md5 digest-md5
log_level: 7
allow_plaintext: true
auxprop_plugin: sql
sql_engine: mysql
sql_hostnames: 127.0.0.1
sql_user: xxxxx
sql_passwd: xxxxx
sql_database: xxxxx
sql_select: xxxxx

Any help in figuring out where the problem lies would be appreciated. If more information is needed to find the cause, please let me know.

Answer 1

As @clement already pointed out, the following configuration in the smtps section of master.cf matches the rejection: -o smtpd_client_restrictions=permit_sasl_authenticated,reject

So configure roundcube to authenticate with the user's credentials.

Or allow localhost to send mail, e.g. by using permit_mynetworks as the first argument of smtpd_recipient_restrictions and smtpd_client_restrictions in master.cf, like this: permit_mynetworks,permit_sasl_authenticated,reject

Answer 2

I think you have a typo in the following part of your master.cf:

submission inet n       -       n       -       -       smtpd
...
    -o smtpd_recipient_restrictions=permit_sasl_authenticated.reject_unauth_destination,reject

Note the "." after permit_sasl_authenticated.

It should be:

submission inet n       -       n       -       -       smtpd
...
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject

Typically, port 587 is used for mail submission by authenticated users:

$config['smtp_port'] = 587;

Also, use the smtp_auth_type parameter:

$config['smtp_auth_type'] = '';
$config['smtp_auth_type'] = 'AUTH';
$config['smtp_auth_type'] = 'LOGIN';

depending on your Postfix-SASL configuration.
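The two points raised in Answer 1 and Answer 2 (a client restriction list that rejects every client that has not authenticated, and the "." typo that fuses two restriction names into one) can both be caught by inspecting the -o overrides in master.cf. The checker below is an added example, a hypothetical helper that is not part of Postfix or of the answers; the master.cf excerpt it parses is constructed to mirror the one in the question.

```python
"""Hypothetical helper: parse -o overrides per service in a master.cf excerpt
and flag fused restriction names and client lists that reject the unauthenticated."""

# Constructed excerpt mirroring the submission and smtps services in the question.
MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_recipient_restrictions=permit_sasl_authenticated.reject_unauth_destination,reject
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
smtps     inet  n       -       -       -       -       smtpd
    -o smtpd_tls_wrappermode=yes
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""


def parse_master(text):
    """Return {service_name: {option: value}} built from each service's -o lines."""
    services, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():  # a service definition line
            current = line.split()[0]
            services[current] = {}
        elif current and line.strip().startswith("-o "):
            key, _, value = line.strip()[3:].partition("=")
            services[current][key] = value
    return services


def check_service(overrides):
    """Return findings for one service's overrides (an empty list means clean)."""
    findings = []
    for key, value in overrides.items():
        if key.startswith("smtpd_") and key.endswith("_restrictions"):
            for entry in value.split(","):
                if "." in entry:  # 'a.b' is one unknown restriction name, not two
                    findings.append(f"{key}: malformed entry {entry!r}, use ','")
    client = overrides.get("smtpd_client_restrictions", "").split(",")
    if "reject" in client and "permit_mynetworks" not in client[: client.index("reject")]:
        findings.append("smtpd_client_restrictions: clients that do not "
                        "authenticate via SASL get 'Client host rejected'")
    return findings


def check_master(text):
    """Map every service in the excerpt to its list of findings."""
    return {name: check_service(o) for name, o in parse_master(text).items()}
```

Run check_master on the real file contents to get a per-service report; a service with no findings is one that either authenticates its clients or lists permit_mynetworks before reject.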

Answer 3

I had the same problem; I added my IP range to the mynetworks file in the /etc/postfix directory and that solved it, e.g.:

vim /etc/postfix/mynetworks

Then go to the end of the file and add your IP address block - for example: 91.0.0.0/8

Then save and restart postfix.