我已经根据此设置设置了一个邮件服务器:https://thomas-leister.de/en/mailserver-debian-stretch/ 对我来说,文档本身看起来相当不错 - 解释得很好,而且似乎有用......几乎。
设置
服务器本身是一个运行于使用 KVM/libvirt 虚拟化和使用 iptables 规则对端口 25/993 进行端口转发的虚拟机。
虚拟的
- IP:10.0.42.170(NAT网络)
- Debian 9
- Postfix 3.1.12
- Dovecot 2.2.27
- rspamd 2.1
主持人
- IP:(公网IP)
- Debian 9
- 虚拟器
我的邮件服务器可以接收邮件,但是当我尝试以邮件用户之一(使用 Thunderbird)发送邮件时,遇到了这个问题:
- 发送邮件给另一个人自托管帐户:邮件被标记为垃圾邮件
- 发送邮件至外部的邮件帐户:邮件被拒绝
5.7.1 <[email protected]>: Relay access denied.
我已经为 SPF、dmarc 等设置了所有 DNS 记录,如文档中指出的那样,但仍然rspamd
将我的邮件标记为垃圾邮件,或者不允许将其发送到外部邮件帐户。
以下是一些相关的邮件标头。但实际的域/地址/IP 值已更改:mail.MYDOMAIN.TLD、CLIENT_IP、[电子邮件保护]
ARC-Authentication-Results: i=1;
mail.MYDOMAIN.TLD;
dkim=none;
spf=neutral (mail.MYDOMAIN.TLD: CLIENT_IP is neither permitted nor denied by domain of [email protected]) [email protected]
X-Spamd-Bar: ++++++
X-Spam-Level: ******
Authentication-Results: mail.MYDOMAIN.TLD;
dkim=none;
dmarc=fail reason="No valid SPF, No valid DKIM" header.from=MAILDOMAIN.TLD (policy=reject);
spf=neutral (mail.MYDOMAIN.TLD: CLIENT_IP is neither permitted nor denied by domain of [email protected]) [email protected]
X-Spam: Yes
在 serverfault 和 superuser.com 上搜索类似问题时,我发现一些帖子表明必须permit_sasl_authenticated
进行相应设置(请参阅https://superuser.com/questions/1395511/im-stuck-with-postfix-on-debian-554-5-7-1-relay-access-denied),但在我看来,这似乎是通过mua_client_restrictions
和实现的mua_relay_restrictions
DNS
主域名:
防晒指数:
MYDOMAIN.TLD. 3600 IN TXT "v=spf1 a:mail.MYDOMAIN.TLD ?all"
德马克:
_dmarc.MYDOMAIN.TLD. 3600 IN TXT "v=DMARC1\; p=reject\;"
域名密钥:
2019._domainkey.MYDOMAIN.TLD. 1417 IN TXT "v=DKIM1\; k=rsa\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyBjU5POfOMC0DdzxAeImIKYCWR3frj9jXD3IB7XWIYwV9CK3LP2s+gNxqffneygVPD+tvBZgHbG+kn7tQP1EtHpG0bg/KYrF09r5/f7/ilZflF9RE+t5GQkwAZCtgeZ1FWX8CEYq2kqHpGWhyhBd1l9idaqh97jk6NiuXOzrCZ9dIjoLQ2G8kAMdH7ade0/CT" "dEL4GX4Jzd8Jbb/eFXzM/2kCJ8v7lFUz5zLeMfdYvAto1U6yZ3cEYVjwpFQQZYJ77zq/eS8F/JAvJJWe5OzPnJe4V+i8hFVmsAYHpNysxUFW9KmR/LOYw8ouqpXoMMfOt3ilBLtZZO4n9Dms4iDNQIDAQAB"
邮件域名:
防晒指数:
MAILDOMAIN.TLD. 3600 IN TXT "v=spf1 include:MYDOMAIN.TLD ?all"
德马克:
_dmarc.MAILDOMAIN.TLD. 3600 IN TXT "v=DMARC1\; p=reject\;"
域名密钥:
2019._domainkey.MAILDOMAIN.TLD. 1417 IN TXT "v=DKIM1\; k=rsa\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyBjU5POfOMC0DdzxAeImIKYCWR3frj9jXD3IB7XWIYwV9CK3LP2s+gNxqffneygVPD+tvBZgHbG+kn7tQP1EtHpG0bg/KYrF09r5/f7/ilZflF9RE+t5GQkwAZCtgeZ1FWX8CEYq2kqHpGWhyhBd1l9idaqh97jk6NiuXOzrCZ9dIjoLQ2G8kAMdH7ade0/CT" "dEL4GX4Jzd8Jbb/eFXzM/2kCJ8v7lFUz5zLeMfdYvAto1U6yZ3cEYVjwpFQQZYJ77zq/eS8F/JAvJJWe5OzPnJe4V+i8hFVmsAYHpNysxUFW9KmR/LOYw8ouqpXoMMfOt3ilBLtZZO4n9Dms4iDNQIDAQAB"
配置
以下是一些相关的配置文件:
/etc/hosts
127.0.0.1 localhost
127.0.1.1 mail.MYDOMAIN.TLD mail
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
/etc/postfix/master.cf
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
smtp inet n - y - 1 postscreen
-o smtpd_sasl_auth_enable=no
smtpd pass - - y - - smtpd
dnsblog unix - - y - 0 dnsblog
tlsproxy unix - - y - 0 tlsproxy
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_sasl_security_options=noanonymous
-o smtpd_client_restrictions=$mua_client_restrictions
-o smtpd_sender_restrictions=$mua_sender_restrictions
-o smtpd_relay_restrictions=$mua_relay_restrictions
-o milter_macro_daemon_name=ORIGINATING
-o smtpd_sender_login_maps=mysql:/etc/postfix/sql/sender-login-maps.cf
-o smtpd_helo_required=no
-o smtpd_helo_restrictions=
-o cleanup_service_name=submission-header-cleanup
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
submission-header-cleanup unix n - n - 0 cleanup
-o header_checks=regexp:/etc/postfix/submission_header_cleanup
/etc/postfix/main.cf
##
## Network settings
##
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
inet_interfaces = 127.0.0.1, ::1, 10.0.42.170
myhostname = mail.MYDOMAIN.TLD
##
## Mail queue settings
##
maximal_queue_lifetime = 1h
bounce_queue_lifetime = 1h
maximal_backoff_time = 15m
minimal_backoff_time = 5m
queue_run_delay = 5m
##
## TLS settings
###
tls_preempt_cipherlist = yes
tls_ssl_options = NO_COMPRESSION
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
### Outbound SMTP connections (Postfix as sender)
smtp_tls_security_level = dane
smtp_dns_support_level = dnssec
smtp_tls_policy_maps = mysql:/etc/postfix/sql/tls-policy.cf
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_ciphers = high
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
### Inbound SMTP connections
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_ciphers = high
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_cert_file=/etc/letsencrypt/live/mail.MYDOMAIN.TLD/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.MYDOMAIN.TLD/privkey.pem
##
## Local mail delivery to Dovecot via LMTP
##
virtual_transport = lmtp:unix:private/dovecot-lmtp
##
## Spam filter and DKIM signatures via Rspamd
##
smtpd_milters = inet:localhost:11332
non_smtpd_milters = inet:localhost:11332
milter_protocol = 6
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_default_action = accept
##
## Server Restrictions for clients, cecipients and relaying
## (concerning S2S-connections. Mailclient-connections are configured in submission-section in master.cf)
##
### Conditions in which Postfix works as a relay. (for mail user clients)
smtpd_relay_restrictions = reject_non_fqdn_recipient
reject_unknown_recipient_domain
permit_mynetworks
reject_unauth_destination
### Conditions in which Postfix accepts e-mails as recipient (additional to relay conditions)
### check_recipient_access checks if an account is "sendonly"
smtpd_recipient_restrictions = check_recipient_access mysql:/etc/postfix/sql/recipient-access.cf
### Restrictions for all sending foreign servers ("SMTP clients")
smtpd_client_restrictions = permit_mynetworks
check_client_access hash:/etc/postfix/without_ptr
reject_unknown_client_hostname
### Foreign mail servers must present a valid "HELO"
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks
reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname
reject_unknown_helo_hostname
# Block clients, which start sending too early
smtpd_data_restrictions = reject_unauth_pipelining
##
## Restrictions for MUAs (Mail user agents)
##
mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject
mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject
##
## Postscreen Filter
##
### Postscreen Whitelist / Blocklist
postscreen_access_list = permit_mynetworks
cidr:/etc/postfix/postscreen_access
postscreen_blacklist_action = drop
# Drop connections if other server is sending too quickly
postscreen_greet_action = drop
### DNS blocklists
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_sites = ix.dnsbl.manitu.net*2
zen.spamhaus.org*2
postscreen_dnsbl_action = drop
##
## MySQL queries
##
virtual_alias_maps = mysql:/etc/postfix/sql/aliases.cf
virtual_mailbox_maps = mysql:/etc/postfix/sql/accounts.cf
virtual_mailbox_domains = mysql:/etc/postfix/sql/domains.cf
local_recipient_maps = $virtual_mailbox_maps
##
## Miscellaneous
##
### Maximum mailbox size (0=unlimited - is already limited by Dovecot quota)
mailbox_size_limit = 0
### Maximum size of inbound e-mails (50 MB)
message_size_limit = 52428800
### Do not notify system users on new e-mail
biff = no
### Users always have to provide full e-mail addresses
append_dot_mydomain = no
### Delimiter for "Address Tagging"
recipient_delimiter = +
大家请帮帮我吧。
干杯,亚历山大。
答案1
我修好了它。
解决方案非常简单,我在该帖子的德文版常见问题解答中找到了答案:https://thomas-leister.de/mailserver-debian-stretch/#wieso-port-587-und-143-mit-starttls遗憾的是,该常见问题解答项目未包含在文档的英文版本中。
连接服务器时,无论是通过端口 :25 还是端口 :587 连接,postfix 的行为都会有所不同。在端口 :587(提交端口)上,客户端已经通过身份验证 - 在 :25 上尚未通过身份验证。
所以我必须从主机到客户机打开另一个端口,以便 Thunderbird 可以连接到 STARTTLS 提交端口。