我已按照此处的指南配置了 Postfix、Dovecot、Roundcube、Fail2Ban,并在 Apache 和 MySQL 上运行: https://www.linuxbabe.com/mail-server/ubuntu-16-04-iredmail-server-installation 我在 Ubuntu Server 16.04 上安装了软件包集合。
主机名:mail.mydomain.com
IP:10.10.10.11
我完全按照指南操作,但尚未将系统配置为接收多个域的邮件(我只需要一个)。此服务器位于 pfSense 防火墙后面,必要的端口从我的 WAN IP 转发到邮件服务器。
公共许可证 IP 地址 -> 10.10.10.11
简而言之:我可以正常地发送邮件,但无法接收来自组织外部的邮件。我尝试过:
我的 DNS 已正确配置,具有 A、MX、PTR、SPF 和 TXT 记录,表明我的发件人域是值得信赖的,并且互联网可以成功找到正确的邮件服务器(在与根域相同的 IP 上接收)并且那里没有问题(这似乎是人们在论坛上发布的第二个建议)。
我可以从 LAN 10.10.10.10 -> 10.10.10.11:25 通过 telnet 端口 25 进入服务器
我无法从域外通过端口 25 远程登录到我的服务器。我知道论坛上每个人建议的第一件事是“您的 ISP 一定阻止了端口 25”,但对我来说情况并非如此... 我可以更改 pfSense 上的 NAT 设置以将 WAN 端口 25 转发到 LAN 端口 587,通过端口 25 从 WAN 远程登录并成功收到响应。
我附加了修改后的 main.cf(出于安全考虑删除了自定义 IP 和域名),您可以在配置中看到我完成了以下操作:
我已对其进行修改,以包含我的 10.10.10.0/24 子网
我已将推荐的设置添加到 mydestination =
我还找到了对代理/nat 外部网络地址的引用,并将其添加到我的 main.cf 中,没有任何变化: http://www.postfix.org/BASIC_CONFIGURATION_README.html#proxy_interfaces
enter # location of the Postfix queue. Default is /var/spool/postfix.
queue_directory = /var/spool/postfix
# location of all postXXX commands. Default is /usr/sbin.
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix/sbin
data_directory = /var/lib/postfix
mail_owner = postfix
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
debug_peer_level = 2
# SMTP server response code when recipient or domain not found.
unknown_local_recipient_reject_code = 550
# Do not notify local user.
biff = no
# Disable the rewriting of "site!user" into "user@site".
swap_bangpath = no
# Disable the rewriting of the form "user%domain" to "user@domain".
allow_percent_hack = no
# Allow recipient address start with '-'.
allow_min_user = no
disable_vrfy_command = yes
# Enable both IPv4 and/or IPv6: ipv4, ipv6, all.
inet_protocols = all
# Enable all network interfaces.
inet_interfaces = all
#
# TLS settings.
#
# SSL key, certificate, CA
#
smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail.crt
#
# Disable SSLv2, SSLv3
#
smtpd_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_protocols = !SSLv2 !SSLv3
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
lmtp_tls_protocols = !SSLv2 !SSLv3
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3
#
# Fix 'The Logjam Attack'.
#
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_dh512_param_file = /etc/ssl/dh512_param.pem
smtpd_tls_dh1024_param_file = /etc/ssl/dh2048_param.pem
tls_random_source = dev:/dev/urandom
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1
# Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do
# not require that clients use TLS encryption.
smtpd_tls_security_level = may
# This is disabled by default, as the information may be modified in transit
# through other mail servers. Only information that was recorded by the final
# destination can be trusted.
#smtpd_tls_received_header = yes
smtp_tls_security_level = may
# Use the same CA file as smtpd.
smtp_tls_CAfile = $smtpd_tls_CAfile
smtp_tls_note_starttls_offer = yes
#enable_long_queue_ids = yes
# Reject unlisted sender and recipient
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
# Header and body checks with PCRE table
header_checks = pcre:/etc/postfix/header_checks
body_checks = pcre:/etc/postfix/body_checks.pcre
#smtpd_command_filter = pcre:/etc/postfix/command_filter.pcre
# HELO restriction
smtpd_helo_required = yes
smtpd_helo_restrictions =
permit_mynetworks
permit_sasl_authenticated
check_helo_access pcre:/etc/postfix/helo_access.pcre
reject_non_fqdn_helo_hostname
reject_unknown_helo_hostname
# Sender restrictions
smtpd_sender_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unknown_sender_domain
reject_non_fqdn_sender
reject_unlisted_sender
check_sender_access pcre:/etc/postfix/sender_access.pcre
# Recipient restrictions
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unknown_sender_domain
reject_non_fqdn_sender
reject_unlisted_sender
check_sender_access pcre:/etc/postfix/sender_access.pcre
# Recipient restrictions
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unknown_recipient_domain
reject_non_fqdn_recipient
reject_unlisted_recipient
check_policy_service inet:127.0.0.1:7777
reject_unauth_destination
# END-OF-MESSAGE restrictions
smtpd_end_of_data_restrictions =
check_policy_service inet:127.0.0.1:7777
# Data restrictions
smtpd_data_restrictions = reject_unauth_pipelining
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions $sender_dependent_relayhost_maps
# Avoid duplicate recipient messages. Default is 'yes'.
enable_original_recipient = no
# Virtual support.
virtual_minimum_uid = 2000
virtual_uid_maps = static:2000
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/vmail
# Do not set virtual_alias_domains.
virtual_alias_domains =
#
# Enable SASL authentication on port 25 and force TLS-encrypted SASL authentication.
# WARNING: NOT RECOMMENDED to enable smtp auth on port 25, all end users should
# be forced to submit email through port 587 instead.
#
#smtpd_sasl_auth_enable = yes
#smtpd_sasl_security_options = noanonymous
#smtpd_tls_auth_only = yes
# hostname
myhostname = mail.mydomain.com
myorigin = mail.mydomain.com
mydomain = mail.mydomain.com
# MYNETWORKS = ['xx.xx.xx.xx', 'xx.xx.xx.0/24', ...]
#
mynetworks = 10.10.10.0/24, 127.0.0.0/8, [::1]
proxy_interfaces = My.Public.IP.ADDRESS
# Accepted local emails
mydestination = $myhostname, localhost, localhost.localdomain, localhost.mydomain.com, mail.mydomain.com, mydomain.com
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
# Default message_size_limit.
message_size_limit = 15728640
recipient_delimiter = +
compatibility_level = 2
transport_maps =
proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf
proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf
sender_dependent_relayhost_maps =
proxy:mysql:/etc/postfix/mysql/sender_dependent_relayhost_maps.cf
# Lookup table with the SASL login names that own the sender (MAIL FROM) addresses.
smtpd_sender_login_maps =
proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
virtual_mailbox_domains =
proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
relay_domains =
$mydestination
proxy:mysql:/etc/postfix/mysql/relay_domains.cf
virtual_mailbox_maps =
proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_alias_maps =
proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf
proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf
proxy:mysql:/etc/postfix/mysql/catchall_maps.cf
proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf
sender_bcc_maps =
proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf
proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf
recipient_bcc_maps =
proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf
proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf
#
# Postscreen
#
postscreen_greet_action = enforce
postscreen_blacklist_action = enforce
postscreen_dnsbl_action = enforce
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_sites =
zen.spamhaus.org=127.0.0.[2..11]*3
b.barracudacentral.org=127.0.0.[2..11]*2
postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr
# Require Postfix-2.11+
postscreen_dnsbl_whitelist_threshold = -2
#
# Dovecot SASL support.
#
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
#
# Amavisd + SpamAssassin + ClamAV
#
content_filter = smtp-amavis:[127.0.0.1]:10024
# Concurrency per recipient limit.
smtp-amavis_destination_recipient_limit = 1
/var/log/mail.log显示:
“BlahBlah 守护进程正在运行”,并且只在我发送时报告更改(再次说明,工作正常)。缺少日志条目使我相信有什么东西阻止了向 postfix 的传递(fail2ban?)或 postfix 由于配置错误而立即拒绝 SMTP 尝试。
除非万不得已,否则我不喜欢在论坛上发帖,而现在,我完全不知所措。出于某种原因,我的网络之外的任何地方都无法访问端口 25。
iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
f2b-roundcube tcp -- anywhere anywhere multiport dports http,https,smtp,submission,pop3,pop3s,imap2,imaps,sieve
f2b-postfix tcp -- anywhere anywhere multiport dports http,https,smtp,submission,pop3,pop3s,imap2,imaps,sieve
f2b-dovecot tcp -- anywhere anywhere multiport dports http,https,smtp,submission,pop3,pop3s,imap2,imaps,sieve
f2b-postfix tcp -- anywhere anywhere multiport dports http,https,smtp,submission,pop3,pop3s,imap2,imaps,sieve
f2b-nginx tcp -- anywhere anywhere multiport dports http,https,smtp,submission,pop3,pop3s,imap2,imaps,sieve
f2b-sshd-ddos tcp -- anywhere anywhere multiport dports ssh
f2b-sshd tcp -- anywhere anywhere multiport dports ssh
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:submission
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain f2b-dovecot (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-nginx (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-postfix (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain f2b-roundcube (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-sshd (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-sshd-ddos (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
我在 pfSense 上的 NAT 翻译如下:
我可以将红色突出显示的规则更改为 WAN_IP:25 -> LAN_IP:587,此时我成功地通过端口 25 进行 telnet 并收到响应。
答案1
我可以从 LAN 10.10.10.10 -> 10.10.10.11:25 通过 telnet 端口 25 进入服务器
您是否仔细检查过 pfSense 防火墙规则?
您是否尝试过在 pfSense 防火墙上运行 tcpdump 来检查从传入数据包到传出数据包,您要应用的 NAT 规则是否能完成工作(将目标端口设置为 25 还是 587)?
我建议在测试期间在防火墙和服务器上运行 tcpdump,以实时查看两次测试之间的差异。