Postfix matches the SASL username against smtpd_sender_login_maps instead of the FROM mail field

I have read hundreds of posts online but could not find anything that solves my problem, so I decided to write this post in the hope that someone can help me. First I apologise for my bad English; I hope you understand what I mean, and if not, please ask.

Problem:

I have a problem restricting, in the Postfix configuration, which sender addresses SASL-authenticated users may send mail from. I know this can be achieved with the "reject_sender_login_mismatch" and "smtpd_sender_login_maps" settings in the Postfix main.cf.

But the problem seems to be that Postfix does not match the FROM mail field against smtpd_sender_login_maps, but rather the SASL username (which in my case is also the e-mail address). Obviously this always succeeds, because the SASL username exists, regardless of what is actually written in the FROM field.

I noticed this when I turned on debugging (debug_peer_list = client IP) and used Thunderbird to send mail from the forged address any_other@any_other.xy to [email protected]. Instead of the real FROM field, I saw in mail.log that the SASL login ([email protected]) was interpreted as the FROM address.

Extract from /var/log/mail.log:

....
postfix/smtps/smtpd[3525]: watchdog_pat: 0xXXXXXXXXX
postfix/smtps/smtpd[3525]: < unknown[XXXXXXXXX]: AUTH PLAIN XXXXXXXXX
postfix/smtps/smtpd[3525]: query milter states for other event
postfix/smtps/smtpd[3525]: milter8_other_event: milter local:/opendkim/opendkim.sock
postfix/smtps/smtpd[3525]: xsasl_dovecot_server_first: sasl_method PLAIN, init_response XXXXXXXXX
postfix/smtps/smtpd[3525]: xsasl_dovecot_handle_reply: auth reply: [email protected]?
postfix/smtps/smtpd[3525]: > unknown[XXXXXXXXX]: 235 2.7.0 Authentication successful
postfix/smtps/smtpd[3525]: watchdog_pat: 0xXXXXXXXXX
postfix/smtps/smtpd[3525]: < unknown[XXXXXXXXX]: MAIL FROM:<[email protected]> BODY=8BITMIME SIZE=443
postfix/smtps/smtpd[3525]: extract_addr: input: <[email protected]>
postfix/smtps/smtpd[3525]: smtpd_check_addr: [email protected]
postfix/smtps/smtpd[3525]: connect to subsystem private/rewrite
postfix/smtps/smtpd[3525]: send attr request = rewrite
postfix/smtps/smtpd[3525]: send attr rule = local
postfix/smtps/smtpd[3525]: send attr address = ""
....

When I look for the real sender address in syslog and mail.log, nothing is found:

root@XXXXXX:/etc/postfix# cat /var/log/syslog /var/log/mail.log  |grep -i any_other@any_other.xy

Configuration:

root@XXXXXX:/etc/postfix# postconf -n

alias_database = hash:/etc/aliases
alias_maps =
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
content_filter = smtp-amavis:[127.0.0.1]:10024
delay_warning_time = 3h
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
inet_interfaces = all
inet_protocols = ipv4, ipv6
local_transport = error:Local Transport Disabled
luser_relay = webmaster@XXXXXX
mailbox_size_limit = 0
message_size_limit = 20480000
milter_default_action = accept
milter_protocol = 6
mydestination = XXXXXX, localhost, localhost.localdomain, localhost, autoreply.XXXXXX
mydomain = XXXXXX
myhostname = XXXXXX
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 XXXXXX/24
myorigin = /etc/mailname
non_smtpd_milters = local:/opendkim/opendkim.sock
policyd-spf_time_limit = 3600
postscreen_greet_action = enforce
readme_directory = no
recipient_delimiter = +
relayhost =
smtpd_banner = $myhostname ESMTP XXXXXX (Linux)
smtpd_client_new_tls_session_rate_limit = 10
smtpd_client_restrictions = check_client_access cidr:/etc/postfix/drop.cidr
smtpd_data_restrictions = reject_multi_recipient_bounce
smtpd_delay_reject = no
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_hostname
smtpd_milters = local:/opendkim/opendkim.sock
smtpd_recipient_restrictions = reject_sender_login_mismatch permit_mynetworks reject_unknown_recipient_domain check_policy_service inet:127.0.0.1:12340 reject_unauth_destination check_policy_service unix:private/policyd-spf permit_sasl_authenticated check_sender_ns_access cidr:/etc/postfix/drop.cidr check_sender_mx_access cidr:/etc/postfix/drop.cidr check_policy_service inet:127.0.0.1:10023 reject_rbl_client ix.dnsbl.manitu.net reject_rbl_client bl.spamcop.net reject_rbl_client pbl.spamhaus.org reject_rbl_client xbl.spamhaus.org reject_rbl_client zen.spamhaus.org reject_rbl_client sbl.spamhaus.org reject_rbl_client b.barracudacentral.org reject_rbl_client bl.spamcannibal.org permit
smtpd_reject_footer = For assistance, write webmaster@XXXXXX. Please provide the following information in your problem report: time ($localtime), client ($client_address) client Port ($client_port) and server ($server_name).
smtpd_relay_restrictions = reject_non_fqdn_recipient reject_authenticated_sender_login_mismatch reject_unknown_recipient_domain permit_mynetworks permit_sasl_authenticated check_sender_ns_access cidr:/etc/postfix/drop.cidr check_sender_mx_access cidr:/etc/postfix/drop.cidr check_policy_service inet:127.0.0.1:10023 reject_rbl_client ix.dnsbl.manitu.net reject_unauth_destination permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = ldap:/etc/postfix/ldap_user_maps.cf
smtpd_sender_restrictions = reject_unknown_sender_domain, reject_non_fqdn_sender, reject_authenticated_sender_login_mismatch, reject_unlisted_sender, reject_unauth_pipelining,
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/sslcert/server.crt
smtpd_tls_dh1024_param_file = ${config_directory}/certs/dh_1024.pem
smtpd_tls_dh512_param_file = ${config_directory}/certs/dh_512.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_key_file = /etc/postfix/sslcert/server.key
smtpd_tls_loglevel = 0
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_session_cache
smtpd_use_tls = yes
soft_bounce = yes
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transports
virtual_alias_maps = ldap:/etc/postfix/ldap_virtual_alias_maps-vacation.cf ldap:/etc/postfix/ldap-virtual_alias_maps-forward.cf proxy:ldap:/etc/postfix/ldap_virtual_aliases.cf ldap:/etc/postfix/ldap_virtual_mail_distribution.cf ldap:/etc/postfix/ldap_virtual_mail_redirect.cf
virtual_mailbox_domains = hash:/etc/postfix/virtual_domains
virtual_mailbox_maps = proxy:ldap:/etc/postfix/ldap_virtual_recipients.cf
virtual_transport = dovecot

cat /etc/postfix/master.cf

...
...
smtp      inet  n       -       -       -       -       smtpd 
  -o smtpd_tls_security_level=may
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_security_level=encrypt
smtps     inet  n       -       -       -       -       smtpd 
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_security_level=encrypt
...

cat /etc/postfix/ldap_user_maps.cf

bind = yes
bind_dn = xxxx
bind_pw = xxxx
server_host = ldaps://domain.xy:636
search_base = dc=xxxx,dc=xxxx
query_filter = (&(mail=%s))
result_attribute = mail, uid, AlternateAddress

Message source of the spoofed mail

Return-Path: <[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from localhost (XXXXXXXXXXXXXXX [127.0.0.1])
    by XXXXXXXXXXXXXXX (Postfix) with ESMTP id XXXXXXXXXXXXXXX
    for <[email protected]>; Thu, 10 Aug 2017 20:15:39 +0000 (UTC)
Received: from XXXXXXXXXXXXXXX ([127.0.0.1])
    by localhost (XXXXXXXXXXXXXXX [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id XXXXXX-XXXXXX for <[email protected]>;
    Thu, 10 Aug 2017 20:15:39 +0000 (UTC)
Received-SPF: Softfail (mailfrom) identity=mailfrom; client-ip=XXXXXXXXXXXXXXX; helo=[XXXXXXXXXXXXXXX]; [email protected]; receiver=<UNKNOWN> 
Received: from [XXXXXXXXXXXXXXX] (unknown [XXXXXXXXXXXXXXX])
    (Authenticated sender: [email protected])
    by XXXXXXXXXXXXXXX (Postfix) with ESMTPSA id XXXXXXXX
    for <[email protected]>; Thu, 10 Aug 2017 20:15:38 +0000 (UTC)
To: Recipient <[email protected]>
From: Any other user <any_other@any_other.xy>
Subject: sdfsdf
Message-ID: <6xxx5ab6-7x1c-4x3b-55x6-ab8ba3xxxx1@XXXXXXXXXXXXXXX>
Date: Thu, 10 Aug 2017 22:15:36 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:51.2) Gecko/20100101
 Thunderbird/51.8.16
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US

If you need more information, please ask. Thanks for your help.

Answer 1

There is a difference between the header field From: and the MAIL FROM: command.

As you can see in your example in the header field Return-Path:, it was sent from <[email protected]>, which Postfix has checked.

While it is possible to have Postfix check whether the From: field corresponds to MAIL FROM:, that may not always be desirable (see Legitimate reasons for the SMTP "MAIL FROM:" not matching the "From:" header in DATA).

Also, to ensure authenticity, it is better to have your users encrypt/sign their mail with S/MIME or OpenPGP. (See https://technet.microsoft.com/en-us/library/aa995740(v=exchg.65).aspx)
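To make the distinction in the answer concrete, here is an added example (not code from the question, the answer, or Postfix itself) that replays the two lookups side by side. It takes the SASL login and the envelope MAIL FROM out of a constructed debug-log excerpt shaped like the one in the question, takes the From: header out of a constructed message, and runs both addresses through a sender-login map in the way reject_authenticated_sender_login_mismatch does: look the sender address up in the map and reject when the login is not among its owners. The map contents, addresses and log lines are all constructed; only the envelope check reflects what Postfix evaluates, the header check is shown purely to illustrate what the restriction never sees.

```python
"""Added example: which address Postfix's sender-login mismatch check actually compares.

Everything below (map, log lines, message) is constructed sample data.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sender-login map in the shape an smtpd_sender_login_maps lookup
# returns: sender address -> set of SASL logins that own it.
SENDER_LOGIN_MAP = {
    "user@example.invalid": {"user@example.invalid"},
    "alias@example.invalid": {"user@example.invalid"},
}

# Constructed smtpd debug-log excerpt modelled on the one in the question.
LOG = (
    "postfix/smtps/smtpd[3525]: xsasl_dovecot_handle_reply: auth reply: user@example.invalid\n"
    "postfix/smtps/smtpd[3525]: < unknown[203.0.113.5]: MAIL FROM:<user@example.invalid>"
    " BODY=8BITMIME SIZE=443\n"
)

# Constructed message as a mail client would submit it in DATA.
MESSAGE = (
    "From: Any other user <any_other@any_other.xy>\n"
    "To: Recipient <rcpt@example.invalid>\n"
    "Subject: test\n"
    "\n"
    "body\n"
)


def sasl_login_from_log(log):
    """SASL login as reported by the Dovecot auth reply line (trailing '?' stripped)."""
    m = re.search(r"auth reply: (\S+)", log)
    return m.group(1).rstrip("?") if m else None


def envelope_sender_from_log(log):
    """Envelope sender from the MAIL FROM:<...> command; empty string for a bounce."""
    m = re.search(r"MAIL FROM:<([^>]*)>", log)
    return m.group(1) if m else None


def header_from(message):
    """Address part of the From: header, which lives in DATA, not in the envelope."""
    return parseaddr(message_from_string(message).get("From", ""))[1]


def login_mismatch(address, login, login_map):
    """True when `login` does not own `address` according to the map.

    This mirrors reject_authenticated_sender_login_mismatch: an address with no
    owners, or with owners that do not include the login, is rejected.
    """
    owners = {o.lower() for o in login_map.get(address.lower(), set())}
    return login.lower() not in owners


def evaluate(log, message, login_map):
    """Run the check against the envelope sender (what Postfix does) and the header (what it does not)."""
    login = sasl_login_from_log(log)
    envelope = envelope_sender_from_log(log)
    hdr = header_from(message)
    return {
        "sasl_login": login,
        "envelope_sender": envelope,
        "header_from": hdr,
        "envelope_mismatch": login_mismatch(envelope, login, login_map),
        "header_mismatch": login_mismatch(hdr, login, login_map),
    }


if __name__ == "__main__":
    result = evaluate(LOG, MESSAGE, SENDER_LOGIN_MAP)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Running it shows the envelope check passing (login and MAIL FROM are both the mapped address, exactly as in the question's log) while the From: header would fail the same lookup. Because the restriction is evaluated at MAIL FROM time, before DATA, the header is simply not available to it; any policy on the From: header has to be enforced at a later stage, for example by a milter, and would need to allow for the legitimate mismatches the answer links to.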
