Postfix - restrict authenticated senders to their own e-mail address in MAIL FROM

How can I prevent my (already authenticated) users from sending e-mail with an incorrect or entirely forged sender address?

My mail service is postfix, and I have set up sender and recipient restrictions such as reject_unlisted account, reject non fqdn domains or hostnames, but this does not work!

How do I fix this problem in my corporate mail service?

readme_directory = /usr/share/doc/postfix-2.11.5/README_FILES
virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_mailbox_maps = , hash:/var/spool/postfix/plesk/vmailbox
transport_maps = , hash:/var/spool/postfix/plesk/transport
smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_use_tls = yes
smtp_tls_security_level = may
smtp_use_tls = no
smtpd_timeout = 3600s
smtpd_proxy_timeout = 3600s
disable_vrfy_command = yes
mynetworks = , hash:/var/spool/postfix/plesk-pop/poplock
smtpd_sender_restrictions = reject_unknown_sender_domain,reject_unauthenticated_sender_login_mismatch,reject_known_sender_login_mismatch,hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated, check_client_access, pcre:/var/spool/postfix/plesk/non_auth.re, check_sender_access hash:/var/spool/postfix/plesk/blacklists
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
smtp_send_xforward_command = yes
smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128
smtpd_sasl_auth_enable = yes
smtpd_relay_restrictions =permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination, reject_unlisted_sender
smtpd_recipient_restrictions = reject_unknown_sender_domain,reject_non_fqdn_sender,permit_mynetworks,permit_sasl_authenticated, reject_unauth_destination, reject_unauth_destination, defer_unauth_destination,reject_unverified_recipient,reject_unknown_recipient_domain
virtual_mailbox_base = /var/qmail/mailnames
virtual_uid_maps = static:30
virtual_gid_maps = static:31
smtpd_milters = , inet:127.0.0.1:12768
non_smtpd_milters =
sender_dependent_default_transport_maps = hash:/var/spool/postfix/plesk/sdd_transport_maps
virtual_transport = plesk_virtual
plesk_virtual_destination_recipient_limit = 1
mailman_destination_recipient_limit = 1
mailbox_size_limit = 0
virtual_mailbox_limit = 0
myhostname = host.com
smtpd_tls_mandatory_protocols = TLSv1 TLSv1.1 TLSv1.2
smtpd_tls_protocols = TLSv1 TLSv1.1 TLSv1.2
smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = HIGH:!aNULL:!MD5
message_size_limit = 102400000
smtpd_sasl_authenticated_header = yes
disable_vrfy_command = yes
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = no
smtpd_sasl_security_options = noanonymous

Answer 1

When I format smtpd_sender_restrictions it becomes a bit more readable:

smtpd_sender_restrictions = reject_unknown_sender_domain, 
                            reject_unauthenticated_sender_login_mismatch, 
                            reject_known_sender_login_mismatch, 
                            hash:/var/spool/postfix/plesk/blacklists, 
                            permit_sasl_authenticated, 
                            check_client_access, 
                            pcre:/var/spool/postfix/plesk/non_auth.re, 
                            check_sender_access  hash:/var/spool/postfix/plesk/blacklists

You see the reject_unauthenticated_sender_login_mismatch option. That setting enforces the reject_sender_login_mismatch restriction (forcing senders to use a particular MAIL FROM address), but only for unauthenticated clients. Once you authenticate, you can still use any sender address you want.

For authenticated clients the next option becomes relevant: reject_known_sender_login_mismatch.
That option applies reject_sender_login_mismatch only to addresses that are known in smtpd_sender_login_maps.

Your configuration makes no mention of smtpd_sender_login_maps, so effectively that restriction applies to no user/e-mail address at all.

The solution: to have reject_sender_login_mismatch applied and force authenticated senders to use a specific MAIL FROM address, you need to set up smtpd_sender_login_maps with, for every user and e-mail address in use, the SASL login name that owns the sender (MAIL FROM) address.

See this Q&A for more information.
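As an added example (not part of the question or the answer above), here is a minimal main.cf fragment plus a sender-login table that implement what the answer describes. The domain example.com, the users alice and bob, the shared alias sales@example.com and the path /etc/postfix/sender_login_maps are assumptions; the right-hand side assumes SASL users log in with their full e-mail address (if your logins are bare usernames, put those there instead).

```conf
# /etc/postfix/main.cf  (added example fragment; paths and names are assumptions)

# Table mapping each sender (MAIL FROM) address to the SASL login(s) that own it.
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps

# reject_sender_login_mismatch must come BEFORE permit_sasl_authenticated:
# restrictions are evaluated in order, and a permit ends the evaluation,
# so placing it afterwards means the ownership check never runs.
smtpd_sender_restrictions =
    reject_unknown_sender_domain,
    reject_non_fqdn_sender,
    reject_sender_login_mismatch,
    permit_sasl_authenticated,
    check_sender_access hash:/var/spool/postfix/plesk/blacklists

# /etc/postfix/sender_login_maps  (constructed sample; run "postmap" on it after editing)
# key:   sender address; hash: tables are searched as user@domain, then user, then @domain
# value: SASL login name(s) allowed to use that address, separated by comma or whitespace
alice@example.com      alice@example.com
bob@example.com        bob@example.com
# a shared alias that two different logins may send as
sales@example.com      alice@example.com, bob@example.com
# catch-all: any other address at the domain may only be used by the postmaster login
@example.com           postmaster@example.com
```

After editing the table run `postmap /etc/postfix/sender_login_maps` and `postfix reload`; `postmap -q alice@example.com hash:/etc/postfix/sender_login_maps` prints the owner and is a quick way to confirm the lookup works. With the full reject_sender_login_mismatch, an authenticated client whose MAIL FROM has no owner in the table at all is rejected as well, so addresses outside your own domains are covered without a table entry; a refused attempt is logged with "Sender address rejected: not owned by user <login>", which is a useful string to alert on for compromised-account abuse. Be aware that the same restriction also rejects unauthenticated clients that present a listed address, which can refuse legitimate mail carrying your domain in MAIL FROM that arrives from outside (e.g. forwarded by another provider); if you only want the authenticated half of the check, use reject_authenticated_sender_login_mismatch instead.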
