Google Compute Dovecot + postfix 上的 Ubuntu 18.04
我认为我应该能够连接到 465/587 以外的端口,而且由于我可以通过 Google 转发所有电子邮件,因此这种方法对于电子邮件服务器来说应该没有问题。此外,Google 表示他们设置了允许连接到 465/587 的设置,所以我应该不会遇到任何问题
当我尝试 telnet 到我有 postfix 监听的 2 个端口(5001 和 8080,8080 仅用于测试)时,这是我在 tcpdump 中得到的结果
21:42:02.843771 IP h***-***-***-***.wtfrwi.dsl.dynamic.tds.net.46208 > mailserv1.c.enterprise-210914.internal.urd: Flags [S], seq 1961371525, win 29200, options [mss 1460,sackOK,TS val 240062507 ecr 0,nop,wscale 7], length 0
21:42:02.843831 IP mailserv1.c.enterprise-210914.internal.urd > h***.***.***.***.wtfrwi.dsl.dynamic.tds.net.46208: Flags [R.], seq 0, ack 1961371526, win 0, length 0
mail.log 没有显示任何有关任一端口上的 smtp 连接的信息
该服务器可以正常发送电子邮件,只需其他应用程序连接到该服务器,通过中继发送电子邮件即可
主配置文件
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
#587 inet n - y - - smtpd
8080 inet n - y - - smtpd
#smtps inet n - n - - smtpd
5001 inet n - n - - smtpd
#smtp inet n - y - 1 postscreen
#smtpd pass - - y - - smtpd
#dnsblog unix - - y - 0 dnsblog
#tlsproxy unix - - y - 0 tlsproxy
#submission inet n - y - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_tls_auth_only=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - n - - smtpd
5001 inet n - n - - smtpd
# -o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
#628 inet n - y - - qmqpd
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
-o syslog_name=postfix/$service_name
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}
主配置文件
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = webserver.com
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2
# TLS parameters
#smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
#smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
#smtpd_use_tls=yes
#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
### https://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/ ### Guide for below
smtpd_tls_cert_file=/etc/letsencrypt/live/webserver.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/webserver.com/privkey.pem
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtp_tls_security_level = may
smtp_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = webserver.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost
relayhost = [smtp-relay.gmail.com]:587
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
# Force ehlo behavior
smtp_always_send_ehlo = yes
smtp_helo_name = webserver.com
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
local_recipient_maps = $virtual_mailbox_maps
inet_interfaces 设置为仅环回,将其更改为全部允许我远程登录到端口并成功连接。现在尝试通过该端口连接到我的服务器会超时。
ss -l 的输出
udp UNCONN 37632 0 127.0.0.53%lo:domain 0.0.0.0:*
udp UNCONN 0 0 10.128.0.2%ens4:bootpc 0.0.0.0:*
udp UNCONN 0 0 127.0.0.1:323 0.0.0.0:*
udp UNCONN 0 0 [::1]:323 [::]:*
tcp LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:*
tcp LISTEN 0 100 0.0.0.0:imaps 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:5572 0.0.0.0:*
tcp LISTEN 0 100 127.0.0.1:smtp 0.0.0.0:*
tcp LISTEN 0 80 127.0.0.1:mysql 0.0.0.0:*
tcp LISTEN 0 100 127.0.0.1:http-alt 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.53%lo:domain 0.0.0.0:*
tcp LISTEN 0 128 [::]:ssh [::]:*
tcp LISTEN 0 128 *:https *:*
tcp LISTEN 0 100 [::]:imaps [::]:*
tcp LISTEN 0 128 *:http *:*
netstat -lpn -A inet
root@mail:~# netstat -lpn -A inet
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1060/sshd
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 573/dovecot
tcp 0 0 127.0.0.1:5572 0.0.0.0:* LISTEN 623/rclone
tcp 0 0 127.0.0.1:5001 0.0.0.0:* LISTEN 954/master
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 703/mysqld
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 954/master
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 424/systemd-resolve
udp 40704 0 127.0.0.53:53 0.0.0.0:* 424/systemd-resolve
udp 0 0 10.128.0.2:68 0.0.0.0:* 405/systemd-network
udp 0 0 127.0.0.1:323 0.0.0.0:* 628/chronyd
iptables
root@mail:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
sshguard all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain sshguard (1 references)
target prot opt source destination
UFW 未安装
我还可以执行“telnet localhost 8080 或 5001”,并且能够连接,这让我最初以为是防火墙问题。虽然看到 tcpdump 在我的测试中从外部世界接收到 telnet 或 nmap 的数据包,这让我认为防火墙不是问题。
虽然这是 Google VPC 网络防火墙,但我确实有规则允许 465,587,5001,8080 用于 tcp 和 udp。我可以通过进入特定防火墙规则来查看哪些实例受到该规则的影响,从而确认它会影响实例。这是利用 smtp 标签作为参考完成的。防火墙规则如下
allow-smtp
Description
smtp ports
Network
default
Priority
1000
Direction
Ingress
Action on match
Allow
Targets
Target tags
smtp
Source filters
IP ranges
0.0.0.0/0
Protocols and ports
tcp:587
udp:587
tcp:465
udp:465
tcp:5001
udp:5001
tcp:8080
udp:8080
Enforcement
Enabled
Applicable to instances
Name Internal IP Tags Service accounts Project Network details
mailserv1 10.128.0.2 http-server, https-server,
任何帮助都将不胜感激。看到数据包进来,我就知道端口是开放的,尽管 telnet 和 nmap 说端口被阻止了。
看来 ack 数据包无法返回,在这种情况下,我认为可能需要静态路由,尽管我目前还没有成功。感谢您的帮助。
编辑
将“inet_interfaces”更改为全部,允许我从外部世界进行 telnet 并验证端口是否打开。
现在,当通过 Outlook 连接到我的服务器时,我收到 SSL_accept 错误。
编辑2
上一个问题只是由于使用自动安全类型而不是 ssl/tls 造成的。此问题已解决
答案1
您的听众只监听来自本地主机的连接。
tcp 0 0 127.0.0.1:5001 0.0.0.0:* LISTEN 954/master
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 954/master
这是因为 Postfix 已被专门配置为仅监听本地连接。
inet_interfaces = loopback-only
为了解决这个问题,告诉 Postfix 接受外部连接。
inet_interfaces = all