Postfix: smtpd_sender_login_maps regex matches everything, not just SASL

I want to prevent spoofing, so I found this Postfix option:

smtpd_sender_login_maps (default: empty)

    Optional lookup table with the SASL login names that own the sender (MAIL FROM) addresses.
    ...

Then I found this answer: https://serverfault.com/a/710235/371610 which explains how to use a regex so that, in a setup with multiple virtual domains and many users, there is no need to edit the table when adding or removing users:

In /etc/postfix/login_map:

/^(.*)$/   ${1}

/etc/postfix/main.cf:

smtpd_sender_login_maps=pcre:/etc/postfix/login_maps
smtpd_relay_restrictions = permit_mynetworks,
    reject_sender_login_mismatch,
    permit_sasl_authenticated,
    reject_unauth_destination

The error is the same with:

smtpd_sender_login_maps=pcre:/etc/postfix/login_maps
smtpd_sender_restrictions = reject_unknown_sender_domain,
    reject_sender_login_mismatch

The problem is that with that regex, received mail (e.g. from hotmail or gmail) is rejected with the error:

NOQUEUE: reject: RCPT from mail-oln040092064102.outbound.protection.outlook.com[40.92.64.102]: 553 5.7.1 [email protected]: Sender address rejected: not logged in; [email protected] [email protected] proto=ESMTP helo=<EUR01-DB5-obe.outbound.protection.outlook.com>

Is there any way to do this without having to write a table that maps every email address to itself:

[email protected]    [email protected]
[email protected]   [email protected]
etc...

Or is it better to use SQL and then select the column containing the full email address twice? What do you think? I am about to migrate the virtual domains/users to SQL.

EDIT

I have moved reject_sender_login_mismatch as suggested:

smtpd_sender_login_maps=pcre:/etc/postfix/login_maps
smtpd_sender_restrictions = reject_unknown_sender_domain,
    reject_sender_login_mismatch

smtpd_relay_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

But I still get the same Sender address rejected: not logged in; error.

This is my config:

# postconf -n
alias_database = $alias_maps
alias_maps = hash:/etc/postfix/aliases
broken_sasl_auth_clients = no
command_directory = /usr/bin
compatibility_level = 2
daemon_directory = /usr/lib/postfix/bin
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
home_mailbox = Maildir/
html_directory = no
inet_protocols = ipv4
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
meta_directory = /etc/postfix
milter_default_action = accept
mydestination = localhost
myhostname = mail.domain.com
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
non_smtpd_milters = $smtpd_milters
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix
sample_directory = /etc/postfix
sendmail_path = /usr/bin/sendmail
setgid_group = postdrop
shlib_directory = /usr/lib/postfix
smtp_tls_exclude_ciphers = aNULL:eNULL:MEDIUM:LOW:EXPORT:EXP:3DES:DSS:RC4:SEED:ECDSA:MD5:PSK
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = HIGH
smtp_tls_mandatory_protocols = !SSLv2:!SSLv3:!TLSv1
smtp_tls_protocols = !SSLv2:!SSLv3
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_enforce_tls = yes
smtpd_helo_restrictions = reject_unknown_helo_hostname
smtpd_milters = unix:/run/opendkim/opendkim.sock
smtpd_recipient_limit = 100
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, permit
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noplaintext, noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = hash:/etc/postfix/login_maps
smtpd_sender_restrictions = reject_unknown_sender_domain, reject_sender_login_mismatch
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/domain.com/fullchain.pem
smtpd_tls_eecdh_grade = ultra
smtpd_tls_exclude_ciphers = aNULL:eNULL:MEDIUM:LOW:EXPORT:EXP:3DES:DSS:RC4:SEED:ECDSA:MD5:PSK
smtpd_tls_key_file = /etc/letsencrypt/live/domain/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = HIGH
smtpd_tls_mandatory_protocols = !SSLv2:!SSLv3:!TLSv1
smtpd_tls_protocols = !SSLv2:!SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_use_tls = yes
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom
tls_ssl_options = NO_COMPRESSION
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_gid_maps = static:73
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_domains = domain.com another.com yetanother.com
virtual_mailbox_limit = 0
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_minimum_uid = 50
virtual_uid_maps = static:73

and /etc/postfix/login_maps:

[email protected]    [email protected]
[email protected]   [email protected]
etc...

With this it works no matter where I put reject_sender_login_mismatch. Likewise, no matter where I put it, if I use the regex I get the error. So now that it is inside smtpd_sender_restrictions, shouldn't it only apply to outgoing (virtual domains only) mail and not to incoming mail?

Answer 1

Just because the option sounds right does not mean you can use it for the intended purpose.

There is a difference between smtpd_relay_restrictions and smtpd_sender_restrictions, and for this the reject_sender_login_mismatch restriction is intentional. External users do not log in to your server to send you mail, so checking for a mismatch there makes no sense.

The check is there to prevent a logged-in user A from changing the envelope address to something other than the addresses allowed in smtpd_sender_login_maps. The check does not prevent your users from spoofing (e.g. A can still pretend to be anyone, such as another user B, by sending a message with a different From: header field).

See Does Postfix reject spoofed senders? for more pointers on the subject.
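A constructed model of the mismatch decision the answer describes, added here as an illustration (it is neither Postfix's code nor code from the question or answer): it shows why the catch-all `/^(.*)$/` pattern gives every external, unauthenticated sender an "owner" and so triggers "not logged in", and what changes when the pattern is assumed to cover only the three virtual domains from the postconf output.

```python
import re

# Constructed model of Postfix's reject_sender_login_mismatch decision.
# This is an illustration written for this page, not Postfix source code.
# A pcre: table is modelled as a list of (pattern, replacement); first match wins,
# and the replacement is the comma-separated list of SASL logins owning the sender.

# The catch-all pattern from the question: every address is "owned" by itself.
CATCH_ALL_MAP = [(r"^(.*)$", r"\1")]

# Assumed alternative: only addresses in the server's own virtual domains
# (taken from virtual_mailbox_domains in the postconf output) get an owner.
OWN_DOMAINS_MAP = [(r"^(.*@(?:domain\.com|another\.com|yetanother\.com))$", r"\1")]


def lookup_owners(table, sender):
    """Return the set of logins that own `sender`; empty set if the address is unlisted."""
    for pattern, repl in table:
        m = re.search(pattern, sender, re.IGNORECASE)
        if m:
            return {o.strip().lower() for o in m.expand(repl).split(",")}
    return set()


def reject_sender_login_mismatch(table, sender, sasl_login=None):
    """Return None when the MAIL FROM is accepted, else the reject reason.

    reject_sender_login_mismatch combines two checks:
      * unauthenticated client: reject if the sender address has any owner;
      * authenticated client: reject if the login is not among the owners.
    (reject_known_sender_login_mismatch would skip unlisted addresses entirely.)
    """
    owners = lookup_owners(table, sender.lower())
    if sasl_login is None:
        return "Sender address rejected: not logged in" if owners else None
    if sasl_login.lower() not in owners:
        return "Sender address rejected: not owned by user " + sasl_login
    return None


if __name__ == "__main__":
    # Inbound mail from Outlook, no SASL login: rejected with the catch-all map,
    # unlisted (and therefore handed to the next restriction) with the scoped map.
    ext = "someone@outlook.com"  # constructed sample sender
    print("catch-all  :", reject_sender_login_mismatch(CATCH_ALL_MAP, ext))
    print("own domains:", reject_sender_login_mismatch(OWN_DOMAINS_MAP, ext))
    # A logged-in user trying to send as a colleague is still caught by both maps.
    print("spoof      :", reject_sender_login_mismatch(OWN_DOMAINS_MAP,
                                                       "bob@domain.com", "alice@domain.com"))
```

With the scoped map an unauthenticated outside client that presents a MAIL FROM in one of the own domains is still rejected with "not logged in", which is the envelope-level spoofing the question wants to stop; header From: spoofing is untouched by either map, as the answer notes.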
