我有一个可以使用的邮件服务器,为了方便使用,我使用 iRedMail 进行了设置。我一直尝试通过 Amazon SES 中继所有外发邮件。我发送的所有邮件都被退回,并收到以下回复:
6 月 23 日 19:24:20 邮件 postfix/smtp[3299]: 604EE416B2: to=, reply=email-smtp.eu-west-1.amazonaws.com[52.51.114.192]:25, delay=0.26, delays=0.15/0.02/0.09/0, dsn=5.0.0, status=bounced (host email-smtp.eu-west-1.amazonaws.com[52.51.114.192] 说: 530 需要身份验证 (回复 MAIL FROM 命令))
我按照亚马逊的指南通过 SES 进行中继,并按照他们对 SMTP 问题的建议进行操作,但无济于事。我还禁用了 amavis,试图让调试更容易一些。
我很乐意提供任何其他所需的日志或配置。如能提供任何帮助,我将不胜感激。
这是我尝试发送邮件时的日志内容:
Jun 23 19:45:43 mail postfix/submission/smtpd[3665]: initializing the server-side TLS engine
Jun 23 19:45:43 mail postfix/submission/smtpd[3665]: connect from 79-76-219-7.dynamic.dsl.as9105.com[79.76.219.7]
Jun 23 19:45:43 mail postfix/submission/smtpd[3665]: setting up TLS connection from 79-76-219-7.dynamic.dsl.as9105.com[79.76.219.7]
Jun 23 19:45:43 mail postfix/submission/smtpd[3665]: 79-76-219-7.dynamic.dsl.as9105.com[79.76.219.7]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CDC3-SHA:!KRB5-DE5:!CBC3-SHA"
Jun 23 19:45:43 mail postfix/submission/smtpd[3665]: SSL_accept:before/accept initialization
Jun 23 19:45:43 mail postfix/submission/smtpd[3665]: SSL_accept:unknown state
Jun 23 19:45:43 mail postfix/submission/smtpd[3665]: message repeated 9 times: [ SSL_accept:unknown state]
Jun 23 19:45:43 mail postfix/submission/smtpd[3665]: 79-76-219-7.dynamic.dsl.as9105.com[79.76.219.7]: Issuing session ticket, key expiration: 1498248942
Jun 23 19:45:43 mail postfix/submission/smtpd[3665]: SSL_accept:unknown state
Jun 23 19:45:43 mail postfix/submission/smtpd[3665]: message repeated 3 times: [ SSL_accept:unknown state]
Jun 23 19:45:43 mail postfix/submission/smtpd[3665]: Anonymous TLS connection established from 79-76-219-7.dynamic.dsl.as9105.com[79.76.219.7]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun 23 19:45:43 mail postfix/submission/smtpd[3665]: B7AD8416BA: client=79-76-219-7.dynamic.dsl.as9105.com[79.76.219.7], sasl_method=LOGIN, [email protected]
Jun 23 19:45:43 mail postfix/cleanup[3673]: B7AD8416BA: message-id=<[email protected]>
Jun 23 19:45:43 mail postfix/qmgr[3655]: B7AD8416BA: from=<[email protected]>, size=2807, nrcpt=1 (queue active)
Jun 23 19:45:43 mail postfix/smtp[3678]: initializing the client-side TLS engine
Jun 23 19:45:43 mail postfix/smtp[3678]: setting up TLS connection to email-smtp.eu-west-1.amazonaws.com[54.154.210.139]:25
Jun 23 19:45:43 mail postfix/smtp[3678]: email-smtp.eu-west-1.amazonaws.com[54.154.210.139]:25: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
Jun 23 19:45:43 mail postfix/smtp[3678]: SSL_connect:before/connect initialization
Jun 23 19:45:43 mail postfix/smtp[3678]: SSL_connect:SSLv2/v3 write client hello A
Jun 23 19:45:43 mail postfix/smtp[3678]: SSL_connect:unknown state
Jun 23 19:45:43 mail postfix/smtp[3678]: email-smtp.eu-west-1.amazonaws.com[54.154.210.139]:25: depth=2 verify=1 subject=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
Jun 23 19:45:43 mail postfix/smtp[3678]: email-smtp.eu-west-1.amazonaws.com[54.154.210.139]:25: depth=1 verify=1 subject=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
Jun 23 19:45:43 mail postfix/smtp[3678]: email-smtp.eu-west-1.amazonaws.com[54.154.210.139]:25: depth=0 verify=1 subject=/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=email-smtp.eu-west-1.amazonaws.com
Jun 23 19:45:43 mail postfix/smtp[3678]: SSL_connect:unknown state
Jun 23 19:45:43 mail postfix/smtp[3678]: message repeated 7 times: [ SSL_connect:unknown state]
Jun 23 19:45:43 mail postfix/smtp[3678]: email-smtp.eu-west-1.amazonaws.com[54.154.210.139]:25: subject_CN=email-smtp.eu-west-1.amazonaws.com, issuer_CN=Symantec Class 3 Secure Server CA - G4, fingerprint=6E:5D:0D:26:7E:24:81:87:5E:41:8B:98:2C:FC:9E:AD, pkey_fingerprint=ED:7C:27:CE:7E:AB:FF:76:C0:3C:86:F3:3D:85:78:0F
Jun 23 19:45:43 mail postfix/smtp[3678]: Trusted TLS connection established to email-smtp.eu-west-1.amazonaws.com[54.154.210.139]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun 23 19:45:43 mail postfix/smtp[3678]: B7AD8416BA: to=<[email protected]>, relay=email-smtp.eu-west-1.amazonaws.com[54.154.210.139]:25, delay=0.28, delays=0.16/0.02/0.09/0, dsn=5.0.0, status=bounced (host email-smtp.eu-west-1.amazonaws.com[54.154.210.139] said: 530 Authentication required (in reply to MAIL FROM command))
Jun 23 19:45:43 mail postfix/cleanup[3673]: EEF71416BE: message-id=<[email protected]>
Jun 23 19:45:43 mail postfix/qmgr[3655]: EEF71416BE: from=<>, size=4904, nrcpt=1 (queue active)
Jun 23 19:45:43 mail postfix/bounce[3679]: B7AD8416BA: sender non-delivery notification: EEF71416BE
Jun 23 19:45:43 mail postfix/qmgr[3655]: B7AD8416BA: removed
Jun 23 19:45:44 mail postfix/pipe[3680]: EEF71416BE: to=<[email protected]>, relay=dovecot, delay=0.07, delays=0/0.01/0/0.06, dsn=2.0.0, status=sent (delivered via dovecot service)
Jun 23 19:45:44 mail postfix/qmgr[3655]: EEF71416BE: removed
Jun 23 19:45:46 mail postfix/submission/smtpd[3665]: disconnect from 79-76-219-7.dynamic.dsl.as9105.com[79.76.219.7] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
我的 main.cf 配置文件如下:
# --------------------
# INSTALL-TIME CONFIGURATION INFORMATION
#
# location of the Postfix queue. Default is /var/spool/postfix.
queue_directory = /var/spool/postfix
# location of all postXXX commands. Default is /usr/sbin.
command_directory = /usr/sbin
# location of all Postfix daemon programs (i.e. programs listed in the
# master.cf file). This directory must be owned by root.
# Default is /usr/libexec/postfix
daemon_directory = /usr/lib/postfix/sbin
# location of Postfix-writable data files (caches, random numbers).
# This directory must be owned by the mail_owner account (see below).
# Default is /var/lib/postfix.
data_directory = /var/lib/postfix
# owner of the Postfix queue and of most Postfix daemon processes.
# Specify the name of a user account THAT DOES NOT SHARE ITS USER OR GROUP ID
# WITH OTHER ACCOUNTS AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM.
# In particular, don't specify nobody or daemon. PLEASE USE A DEDICATED USER.
# Default is postfix.
mail_owner = postfix
# The following parameters are used when installing a new Postfix version.
#
# sendmail_path: The full pathname of the Postfix sendmail command.
# This is the Sendmail-compatible mail posting interface.
#
sendmail_path = /usr/sbin/sendmail
# newaliases_path: The full pathname of the Postfix newaliases command.
# This is the Sendmail-compatible command to build alias databases.
#
newaliases_path = /usr/bin/newaliases
# full pathname of the Postfix mailq command. This is the Sendmail-compatible
# mail queue listing command.
mailq_path = /usr/bin/mailq
# group for mail submission and queue management commands.
# This must be a group name with a numerical group ID that is not shared with
# other accounts, not even with the Postfix account.
setgid_group = postdrop
# external command that is executed when a Postfix daemon program is run with
# the -D option.
#
# Use "command .. & sleep 5" so that the debugger can attach before
# the process marches on. If you use an X-based debugger, be sure to
# set up your XAUTHORITY environment variable before starting Postfix.
#
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
debug_peer_level = 10
# --------------------
# CUSTOM SETTINGS
#
# SMTP server response code when recipient or domain not found.
unknown_local_recipient_reject_code = 550
# Do not notify local user.
biff = no
# Disable the rewriting of "site!user" into "user@site".
swap_bangpath = no
# Disable the rewriting of the form "user%domain" to "user@domain".
allow_percent_hack = no
# Allow recipient address start with '-'.
allow_min_user = no
# Disable the SMTP VRFY command. This stops some techniques used to
# harvest email addresses.
disable_vrfy_command = yes
# Enable both IPv4 and/or IPv6: ipv4, ipv6, all.
inet_protocols = all
# Enable all network interfaces.
inet_interfaces = all
#
# TLS settings.
#
# SSL key, certificate, CA
#
smtpd_tls_key_file = /etc/ssl/lec/mydomain.com/mydomain.com.key
smtpd_tls_cert_file = /etc/ssl/lec/mydomain.com/mydomain.com.cer
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
#
# Disable SSLv2, SSLv3
#
smtpd_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_protocols = !SSLv2 !SSLv3
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
lmtp_tls_protocols = !SSLv2 !SSLv3
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3
#
# Fix 'The Logjam Attack'.
#
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_dh512_param_file = /etc/ssl/dh512_param.pem
smtpd_tls_dh1024_param_file = /etc/ssl/dh2048_param.pem
tls_random_source = dev:/dev/urandom
# Log only a summary message on TLS handshake completion — no logging of client
# certificate trust-chain verification errors if client certificate
# verification is not required. With Postfix 2.8 and earlier, log the summary
# message, peer certificate summary information and unconditionally log
# trust-chain verification errors.
smtp_tls_loglevel = 2
smtpd_tls_loglevel = 2
# Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do
# not require that clients use TLS encryption.
smtpd_tls_security_level = may
# Produce `Received:` message headers that include information about the
# protocol and cipher used, as well as the remote SMTP client CommonName and
# client certificate issuer CommonName.
# This is disabled by default, as the information may be modified in transit
# through other mail servers. Only information that was recorded by the final
# destination can be trusted.
#smtpd_tls_received_header = yes
# Opportunistic TLS, used when Postfix sends email to remote SMTP server.
# Use TLS if this is supported by the remote SMTP server, otherwise use
# plaintext.
# References:
# - http://www.postfix.org/TLS_README.html#client_tls_may
# - http://www.postfix.org/postconf.5.html#smtp_tls_security_level
# Use the same CA file as smtpd.
smtp_tls_CAfile = $smtpd_tls_CAfile
smtp_tls_note_starttls_offer = yes
# Enable long, non-repeating, queue IDs (queue file names).
# The benefit of non-repeating names is simpler logfile analysis and easier
# queue migration (there is no need to run "postsuper" to change queue file
# names that don't match their message file inode number).
#enable_long_queue_ids = yes
# Reject unlisted sender and recipient
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
# Header and body checks with PCRE table
header_checks = pcre:/etc/postfix/header_checks
body_checks = pcre:/etc/postfix/body_checks.pcre
# A mechanism to transform commands from remote SMTP clients.
# This is a last-resort tool to work around client commands that break
# interoperability with the Postfix SMTP server. Other uses involve fault
# injection to test Postfix's handling of invalid commands.
# Requires Postfix-2.7+.
#smtpd_command_filter = pcre:/etc/postfix/command_filter.pcre
# HELO restriction
smtpd_helo_required = yes
smtpd_helo_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_non_fqdn_helo_hostname
reject_unknown_helo_hostname
check_helo_access pcre:/etc/postfix/helo_access.pcre
# Sender restrictions
smtpd_sender_restrictions =
reject_unknown_sender_domain
reject_non_fqdn_sender
reject_unlisted_sender
permit_mynetworks
permit_sasl_authenticated
check_sender_access pcre:/etc/postfix/sender_access.pcre
# Recipient restrictions
smtpd_recipient_restrictions =
reject_unknown_recipient_domain
reject_non_fqdn_recipient
reject_unlisted_recipient
check_policy_service inet:127.0.0.1:7777
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
# END-OF-MESSAGE restrictions
smtpd_end_of_data_restrictions =
check_policy_service inet:127.0.0.1:7777
# Data restrictions
smtpd_data_restrictions = reject_unauth_pipelining
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions $sender_dependent_relayhost_maps
# Avoid duplicate recipient messages. Default is 'yes'.
enable_original_recipient = no
# Virtual support.
virtual_minimum_uid = 2000
virtual_uid_maps = static:2000
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/vmail
# Do not set virtual_alias_domains.
virtual_alias_domains =
#
# Enable SASL authentication on port 25 and force TLS-encrypted SASL authentication.
# WARNING: NOT RECOMMENDED to enable smtp auth on port 25, all end users should
# be forced to submit email through port 587 instead.
#
#smtpd_sasl_auth_enable = yes
#smtpd_sasl_security_options = noanonymous
#smtpd_tls_auth_only = yes
# hostname
myhostname = mail.mydomain.com
myorigin = mail.mydomain.com
mydomain = mail.mydomain.com
# trusted SMTP clients which are allowed to relay mail through Postfix.
#
# Note: additional IP addresses/networks listed in mynetworks should be listed
# in iRedAPD setting 'MYNETWORKS' (in `/opt/iredapd/settings.py`) too.
# for example:
#
# MYNETWORKS = ['xx.xx.xx.xx', 'xx.xx.xx.0/24', ...]
#
mynetworks = 127.0.0.1
# Accepted local emails
mydestination = $myhostname, localhost, localhost.localdomain
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
# Default message_size_limit.
message_size_limit = 15728640
# The set of characters that can separate a user name from its extension
# (example: user+foo), or a .forward file name from its extension (example:
# .forward+foo).
# Postfix 2.11 and later supports multiple characters.
recipient_delimiter = +
# The time after which the sender receives a copy of the message headers of
# mail that is still queued. Default setting is disabled (0h) by Postfix.
#delay_warning_time = 1h
compatibility_level = 2
#
# Lookup virtual mail accounts
#
transport_maps =
proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf
proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf
sender_dependent_relayhost_maps =
proxy:mysql:/etc/postfix/mysql/sender_dependent_relayhost_maps.cf
# Lookup table with the SASL login names that own the sender (MAIL FROM) addresses.
smtpd_sender_login_maps =
proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
virtual_mailbox_domains =
proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
relay_domains =
$mydestination
proxy:mysql:/etc/postfix/mysql/relay_domains.cf
virtual_mailbox_maps =
proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_alias_maps =
proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf
proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf
proxy:mysql:/etc/postfix/mysql/catchall_maps.cf
proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf
sender_bcc_maps =
proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf
proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf
recipient_bcc_maps =
proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf
proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf
#
# Postscreen
#
postscreen_greet_action = enforce
postscreen_blacklist_action = enforce
postscreen_dnsbl_action = enforce
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_sites =
zen.spamhaus.org=127.0.0.[2..11]*3
b.barracudacentral.org=127.0.0.[2..11]*2
postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr
# Require Postfix-2.11+
postscreen_dnsbl_whitelist_threshold = -2
#
# Dovecot SASL support.
#
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
#
# Amavisd + SpamAssassin + ClamAV
#
#content_filter = smtp-amavis:[127.0.0.1]:10024
# Concurrency per recipient limit.
#smtp-amavis_destination_recipient_limit = 1
relayhost = [email-smtp.eu-west-1.amazonaws.com]:25
smtp_sasl_auth_enable = yes
smtpd_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtp_sasl_mechanism_filter = login, plain
sasl_passwd 的内容如下:
[email.eu-west-1.amazonaws.com]:25 USER:PASSWORD
ses-smtp-eu-west-1-prod-345515633.eu-west-1.elb.amazonaws.com:25 USER:PASSWORD
答案1
事实证明,我在 sasl_passwd 文件中输入了错误的域。我使用email.eu-west-1.amazonaws.com
了email-smtp.eu-west-1.amazonaws.com