Configure Mailgun as a relayhost on an existing Postfix server that already uses SASL

I may be asking in entirely the wrong place, but I'll ask anyway.

I followed the tutorial "Setting up a mail server on Ubuntu 14.04 with Postfix, Dovecot and MySQL".

I am now setting up Mailgun to handle outgoing email (a.k.a. relayhost) in a secure/reliable way.

The problem I'm running into is that the user/password of my existing email accounts have stopped working for some reason (sending email from the CLI on the server still works), and I'd like to know whether I can configure the Mailgun credentials in a way that doesn't interfere with the existing users/passwords.

Here is my master.cf before the relay:

    # See /usr/share/postfix/main.cf.dist for a commented, more complete version

    # The first text sent to a connecting process.
    smtpd_banner = $myhostname ESMTP $mail_name
    biff = no
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    readme_directory = no

    # ---------------------------------
    # SASL parameters
    # ---------------------------------

    # Use Dovecot to authenticate.
    smtpd_sasl_type = dovecot
    # Referring to /var/spool/postfix/private/auth
    smtpd_sasl_path = private/auth
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_local_domain =
    smtpd_sasl_authenticated_header = yes

    # ---------------------------------
    # TLS parameters
    # ---------------------------------

    # The default snakeoil certificate. Comment if using a purchased
    # SSL certificate.
    smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
    smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

    # Uncomment if using a purchased SSL certificate.
    # smtpd_tls_cert_file=/etc/ssl/certs/example.com.crt
    # smtpd_tls_key_file=/etc/ssl/private/example.com.key

    # The snakeoil self-signed certificate has no need for a CA file. But
    # if you are using your own SSL certificate, then you probably have
    # a CA certificate bundle from your provider. The path to that goes
    # here.
    # smtpd_tls_CAfile=/etc/ssl/certs/ca-bundle.crt

    # Ensure we're not using no-longer-secure protocols. The "mandatory"
    # setting only applies when TLS is enforced; with security_level = may
    # (set below) it is smtpd_tls_protocols that governs the handshake.
    smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
    smtpd_tls_protocols=!SSLv2,!SSLv3

    smtp_tls_note_starttls_offer = yes
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    #smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    #smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

    # Note that forcing use of TLS is going to cause breakage - most mail servers
    # don't offer it and so delivery will fail, both incoming and outgoing. This is
    # unfortunate given what various governmental agencies are up to these days.
    #
    # Enable (but don't force) all incoming smtp connections to use TLS.
    smtpd_tls_security_level = may
    # Enable (but don't force) all outgoing smtp connections to use TLS.
    smtp_tls_security_level = may

    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.

    # ---------------------------------
    # TLS Updates relating to Logjam SSL attacks.
    # See: https://weakdh.org/sysadmin.html
    # ---------------------------------

    smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
    smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem

    # ---------------------------------
    # SMTPD parameters
    # ---------------------------------

    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    # will it be a permanent error or temporary
    unknown_local_recipient_reject_code = 450
    # how long to keep message on queue before return as failed.
    # some have 3 days, I have 16 days as I am backup server for some people
    # whom go on holiday with their server switched off.
    maximal_queue_lifetime = 7d
    # max and min time in seconds between retries if connection failed
    minimal_backoff_time = 1000s
    maximal_backoff_time = 8000s
    # how long to wait when servers connect before receiving rest of data
    smtp_helo_timeout = 60s
    # how many address can be used in one message.
    # effective stopper to mass spammers, accidental copy in whole address list
    # but may restrict intentional mail shots.
    smtpd_recipient_limit = 16
    # how many error before back off.
    smtpd_soft_error_limit = 3
    # how many max errors before blocking it.
    smtpd_hard_error_limit = 12

    # This next set are important for determining who can send mail and relay mail
    # to other servers. It is very important to get this right - accidentally producing
    # an open relay that allows unauthenticated sending of mail is a Very Bad Thing.
    #
    # You are encouraged to read up on what exactly each of these options accomplish.

    # Requirements for the HELO statement
    smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit
    # Requirements for the sender details
    smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
    # Requirements for the connecting server
    smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl
    # Requirement for the recipient address. Note that the entry for
    # "check_policy_service inet:127.0.0.1:10023" enables Postgrey.
    smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service inet:127.0.0.1:10023, permit
    smtpd_data_restrictions = reject_unauth_pipelining
    # This is a new option as of Postfix 2.10, and is required in addition to
    # smtpd_recipient_restrictions for things to work properly in this setup.
    smtpd_relay_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service inet:127.0.0.1:10023, permit

    # require proper helo at connections
    smtpd_helo_required = yes
    # waste spammers time before rejecting them
    smtpd_delay_reject = yes
    disable_vrfy_command = yes

    # ---------------------------------
    # General host and delivery info
    # ----------------------------------

    myhostname = mail.example.com
    myorigin = /etc/hostname
    # Some people see issues when setting mydestination explicitly to the server
    # subdomain, while leaving it empty generally doesn't hurt. So it is left empty here.
    # mydestination = mail.example.com, localhost
    mydestination =
    # If you have a separate web server that sends outgoing mail through this
    # mailserver, you may want to add its IP address to the space-delimited list in
    # mynetworks, e.g. as 10.10.10.10/32.
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    mynetworks_style = host

    # This specifies where the virtual mailbox folders will be located.
    virtual_mailbox_base = /var/vmail
    # This is for the mailbox location for each user. The domainaliases
    # map allows us to make use of Postfix Admin's domain alias feature.
    virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf, mysql:/etc/postfix/mysql_virtual_mailbox_domainaliases_maps.cf
    # and their user id
    virtual_uid_maps = static:150
    # and group id
    virtual_gid_maps = static:8
    # This is for aliases. The domainaliases map allows us to make
    # use of Postfix Admin's domain alias feature.
    virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf, mysql:/etc/postfix/mysql_virtual_alias_domainaliases_maps.cf
    # This is for domain lookups.
    virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf

    # ---------------------------------
    # Integration with other packages
    # ---------------------------------------

    # Tell postfix to hand off mail to the definition for dovecot in master.cf
    virtual_transport = dovecot
    dovecot_destination_recipient_limit = 1

    # Use amavis for virus and spam scanning
    content_filter = amavis:[127.0.0.1]:10024

    # ---------------------------------
    # Header manipulation
    # --------------------------------------

    # Getting rid of unwanted headers. See: https://posluns.com/guides/header-removal/
    header_checks = regexp:/etc/postfix/header_checks
    # getting rid of x-original-to
    enable_original_recipient = no

This is what I added to Postfix's master.cf to relay through Mailgun:

    relayhost = smtp.mailgun.org
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = static:[email protected]:password
    smtp_sasl_security_options = noanonymous

The only other thing I changed is the certificate, which is now generated through letsencrypt.org.

To sum up: is there a way to keep per-user credentials and still send mail through Mailgun? (Without having to create every account via the CLI.)

Thanks in advance for your help; if anything is unclear or more information is needed, please let me know.

Update: adding the error messages

    Dec 14 19:24:47 mail dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=190.18.x.x, lip=172.31.x.x, mpid=24023, TLS, session=<ak1PoOAmqQC+EoSW>
    Dec 14 19:24:48 mail postfix/smtpd[24014]: Anonymous TLS connection established from unknown[190.18.x.x]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
    Dec 14 19:24:50 mail postfix/smtpd[24014]: warning: unknown[190.18.x.x]: SASL PLAIN authentication failed:
    Dec 14 19:24:50 mail postfix/smtpd[24014]: lost connection after AUTH from unknown[190.18.x.x]
    Dec 14 19:24:50 mail postfix/smtpd[24014]: disconnect from unknown[190.18.x.x]

Before I added the SMTP relay, users could use IMAP/SMTP with their generated credentials. My best guess is that Postfix is trying to use the user:pass configured for the relay.

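The relay settings in the post are the `smtp_*` parameters of Postfix's SMTP client (the side that talks to smtp.mailgun.org); the mailbox users log in against the `smtpd_*` parameters of the SMTP server (the side that asks Dovecot), and the two credential sets are independent. The script below, added here as an example and not part of the original post or the tutorial it follows, sets only the client side, moves the Mailgun login out of the world-readable main.cf (the `static:` map in the post embeds the password directly in it) into a mode 0600 `hash:` map, and forces TLS to the relay. The relay port, the Mailgun login, the map path and the CA bundle path are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Configures the Mailgun relay
# through Postfix's smtp_* (client) keys only, so the smtpd_* keys that
# Dovecot SASL uses for the mailbox users are left alone.

RELAY_HOST="smtp.mailgun.org"
RELAY_PORT="587"                              # assumed: submission port with STARTTLS
RELAY_USER="postmaster@example.com"           # assumed placeholder for the Mailgun SMTP login
RELAY_PASS="replace-with-mailgun-password"    # assumed placeholder
SASL_FILE="/etc/postfix/sasl_passwd"          # assumed path of the credential map
CA_FILE="/etc/ssl/certs/ca-certificates.crt"  # assumed: Debian/Ubuntu CA bundle

# One line for the credential map. The key must equal the relayhost value
# exactly, brackets and port included, or the smtp client finds no login.
render_sasl_passwd() {
    # $1 host, $2 port, $3 user, $4 password
    printf '[%s]:%s %s:%s\n' "$1" "$2" "$3" "$4"
}

# main.cf settings for the relay, one "key = value" per line.
render_relay_settings() {
    # $1 host, $2 port, $3 credential map path, $4 CA bundle path
    printf 'relayhost = [%s]:%s\n' "$1" "$2"        # brackets: no MX lookup for the relay
    printf 'smtp_sasl_auth_enable = yes\n'
    printf 'smtp_sasl_password_maps = hash:%s\n' "$3"
    printf 'smtp_sasl_security_options = noanonymous\n'
    printf 'smtp_tls_security_level = encrypt\n'    # refuse to send the login in plaintext
    printf 'smtp_tls_CAfile = %s\n' "$4"            # lets the level be raised to "secure" later
}

# Exit 0 if the rendered settings contain no smtpd_* key, i.e. the change
# cannot touch what the SMTP server checks for inbound user logins.
smtpd_untouched() {
    case "$1" in
        *smtpd_*) return 1 ;;
        *)        return 0 ;;
    esac
}

# Apply only when asked explicitly and Postfix is installed.
if [ "${1:-}" = "apply" ] && command -v postconf >/dev/null 2>&1; then
    umask 077
    render_sasl_passwd "$RELAY_HOST" "$RELAY_PORT" "$RELAY_USER" "$RELAY_PASS" > "$SASL_FILE"
    postmap "$SASL_FILE"                    # builds $SASL_FILE.db
    chmod 600 "$SASL_FILE" "$SASL_FILE.db"  # the password is only for root and postfix to read
    settings=$(render_relay_settings "$RELAY_HOST" "$RELAY_PORT" "$SASL_FILE" "$CA_FILE")
    smtpd_untouched "$settings" || exit 1
    printf '%s\n' "$settings" | while IFS= read -r line; do
        postconf -e "$line"
    done
    postfix reload
fi
```

Run it as `sh relay.sh apply` on the mail server. `smtp_tls_security_level = encrypt` only forces TLS; it does not verify the relay's certificate chain. With the CA bundle in place the level can be raised to `secure` once the relay's certificate is known to match its hostname.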