我在 Postfix、Dovecot 或两者的配置上遇到了问题。
一切正常,但在日志中我注意到多个不同的 IP 正在使用 root 帐户发送邮件,它们试图从[电子邮件保护]到[电子邮件保护]。
我在 Debian 9 上,使用以下命令删除了我的 root 登录名:
sudo 密码-d root
并禁用该帐户:
sudo 密码-l root
服务器上还有一个帐户,我注意到它也被访问了!当我检查 auth.log 时,没有暴力破解尝试。我在不同的端口上运行 ssh,使用密钥,而且 iptables 在该端口上设置了 hitcount。
我的 Postfix 版本是:3.1.12,Dovecot:2.2.27
来自 mail.log 的示例日志
Jan 20 18:37:50 vps22525 postfix/submission/smtpd[5026]: connect from unknown[122.228.19.79]
Jan 20 18:37:50 vps22525 postfix/submission/smtpd[5029]: connect from unknown[122.228.19.79]
Jan 20 18:37:50 vps22525 postfix/submission/smtpd[5026]: lost connection after CONNECT from unknown[122.228.19.79]
Jan 20 18:37:50 vps22525 postfix/submission/smtpd[5026]: disconnect from unknown[122.228.19.79] commands=0/0
Jan 20 18:37:51 vps22525 postfix/submission/smtpd[5029]: lost connection after UNKNOWN from unknown[122.228.19.79]
Jan 20 18:37:51 vps22525 postfix/submission/smtpd[5029]: disconnect from unknown[122.228.19.79] ehlo=1 unknown=0/1 commands=1/2
Jan 20 18:41:11 vps22525 postfix/anvil[5028]: statistics: max connection rate 2/60s for (submission:122.228.19.79) at Jan 20 18:37:50
Jan 20 18:41:11 vps22525 postfix/anvil[5028]: statistics: max connection count 2 for (submission:122.228.19.79) at Jan 20 18:37:50
Jan 20 18:41:11 vps22525 postfix/anvil[5028]: statistics: max cache size 1 at Jan 20 18:37:50
Jan 20 19:54:48 vps22525 postfix/smtpd[5172]: warning: hostname ip-38-56.ZervDNS does not resolve to address 92.118.38.56: Name or service not known
Jan 20 19:54:48 vps22525 postfix/smtpd[5172]: connect from unknown[92.118.38.56]
Jan 20 19:54:52 vps22525 postfix/smtpd[5172]: disconnect from unknown[92.118.38.56] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jan 20 19:58:12 vps22525 postfix/anvil[5174]: statistics: max connection rate 1/60s for (smtp:92.118.38.56) at Jan 20 19:54:48
Jan 20 19:58:12 vps22525 postfix/anvil[5174]: statistics: max connection count 1 for (smtp:92.118.38.56) at Jan 20 19:54:48
Jan 20 19:58:12 vps22525 postfix/anvil[5174]: statistics: max cache size 1 at Jan 20 19:54:48
Jan 20 21:24:32 vps22525 postfix/submission/smtpd[5303]: warning: hostname ip-178-112-68-164.static.contabo.net does not resolve to address 164.68.112.178: Name or service not known
Jan 20 21:24:32 vps22525 postfix/submission/smtpd[5303]: connect from unknown[164.68.112.178]
Jan 20 21:24:33 vps22525 postfix/submission/smtpd[5303]: SSL_accept error from unknown[164.68.112.178]: lost connection
Jan 20 21:24:33 vps22525 postfix/submission/smtpd[5303]: lost connection after STARTTLS from unknown[164.68.112.178]
Jan 20 21:24:33 vps22525 postfix/submission/smtpd[5303]: disconnect from unknown[164.68.112.178] ehlo=1 starttls=0/1 commands=1/2
Jan 20 21:25:08 vps22525 dovecot: imap-login: Aborted login (no auth attempts in 1 secs): user=<>, rip=122.228.19.79, lip=127.127.127.127, TLS, session=<NdzXP5ech3d65BNP>
Jan 20 21:27:53 vps22525 postfix/anvil[5305]: statistics: max connection rate 1/60s for (submission:164.68.112.178) at Jan 20 21:24:32
Jan 20 21:27:53 vps22525 postfix/anvil[5305]: statistics: max connection count 1 for (submission:164.68.112.178) at Jan 20 21:24:32
Jan 20 21:27:53 vps22525 postfix/anvil[5305]: statistics: max cache size 1 at Jan 20 21:24:32
Jan 21 00:00:03 vps22525 postfix/pickup[5421]: 2771B209A0: uid=0 from=<root>
Jan 21 00:00:03 vps22525 postfix/cleanup[5533]: 2771B209A0: message-id=<[email protected]>
Jan 21 00:00:03 vps22525 postfix/qmgr[1453]: 2771B209A0: from=<[email protected]>, size=1906, nrcpt=1 (queue active)
Jan 21 00:00:03 vps22525 postfix/local[5535]: 2771B209A0: to=<[email protected]>, orig_to=<root>, relay=local, delay=0.04, delays=0.02/0.01/0/0.01, dsn=5.2.0, status=bounced (maildir delivery failed: create maildir file /root/Mail$
Jan 21 00:00:03 vps22525 postfix/cleanup[5533]: 2DED5209A5: message-id=<[email protected]>
Jan 21 00:00:03 vps22525 postfix/qmgr[1453]: 2DED5209A5: from=<>, size=4037, nrcpt=1 (queue active)
Jan 21 00:00:03 vps22525 postfix/bounce[5536]: 2771B209A0: sender non-delivery notification: 2DED5209A5
Jan 21 00:00:03 vps22525 postfix/qmgr[1453]: 2771B209A0: removed
Jan 21 00:00:03 vps22525 postfix/local[5535]: 2DED5209A5: to=<[email protected]>, relay=local, delay=0, delays=0/0/0/0, dsn=5.2.0, status=bounced (maildir delivery failed: create maildir file /root/Maildir/tmp/1579557603.P5535.vps$
Jan 21 00:00:03 vps22525 postfix/qmgr[1453]: 2DED5209A5: removed
Jan 21 00:33:07 vps22525 postfix/submission/smtpd[5582]: warning: hostname zg-0911b-52.stretchoid.com does not resolve to address 159.203.193.36: Name or service not known
Jan 21 00:33:07 vps22525 postfix/submission/smtpd[5582]: connect from unknown[159.203.193.36]
Jan 21 00:33:07 vps22525 postfix/submission/smtpd[5582]: disconnect from unknown[159.203.193.36] ehlo=1 quit=1 commands=2
Jan 21 00:36:27 vps22525 postfix/anvil[5584]: statistics: max connection rate 1/60s for (submission:159.203.193.36) at Jan 21 00:33:07
Jan 21 00:36:27 vps22525 postfix/anvil[5584]: statistics: max connection count 1 for (submission:159.203.193.36) at Jan 21 00:33:07
Jan 21 00:36:27 vps22525 postfix/anvil[5584]: statistics: max cache size 1 at Jan 21 00:33:07
Jan 21 03:09:01 vps22525 postfix/pickup[5713]: 557E6201DE: uid=0 from=<root>
Jan 21 03:09:01 vps22525 postfix/cleanup[5847]: 557E6201DE: message-id=<[email protected]>
Jan 21 03:09:01 vps22525 postfix/qmgr[1453]: 557E6201DE: from=<[email protected]>, size=1048, nrcpt=1 (queue active)
Jan 21 03:09:01 vps22525 postfix/local[5849]: 557E6201DE: to=<[email protected]>, orig_to=<root>, relay=local, delay=0.05, delays=0.02/0.01/0/0.02, dsn=5.2.0, status=bounced (maildir delivery failed: create maildir file /root/Mail$
Jan 21 03:09:01 vps22525 postfix/cleanup[5847]: 5F945209B4: message-id=<[email protected]>
Jan 21 03:09:01 vps22525 postfix/qmgr[1453]: 5F945209B4: from=<>, size=3179, nrcpt=1 (queue active)
Jan 21 03:09:01 vps22525 postfix/bounce[5850]: 557E6201DE: sender non-delivery notification: 5F945209B4
Jan 21 03:09:01 vps22525 postfix/qmgr[1453]: 557E6201DE: removed
Jan 21 03:09:01 vps22525 postfix/local[5849]: 5F945209B4: to=<[email protected]>, relay=local, delay=0, delays=0/0/0/0, dsn=5.2.0, status=bounced (maildir delivery failed: create maildir file /root/Maildir/tmp/1579568941.P5849.vps$
Jan 21 03:09:01 vps22525 postfix/qmgr[1453]: 5F945209B4: removed
Postfix 主配置文件
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2
# TLS parameters
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.mydomain.com/privkey.pem
smtpd_use_tls=yes
smtpd_tls_auth_only=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mail.mydomain.com
mydomain = mydomain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = $mydomain
masquerade_domains = $mydomain
mydestination = localhost.$mydomain, localhost, $mydomain
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
#mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
home_mailbox = Maildir/
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/recipient_access reject_unknown_recipient_domain permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,reject_invalid_hostname,reject_non_fqdn_hostname,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_sender_domain,reject_rbl_client sbl.spamhaus.org,reject_rbl_client cbl.abuseat.org
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
virtual_alias_maps = hash:/etc/postfix/virtual
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_non_fqdn_helo_hostname,reject_invalid_helo_hostname,reject_unknown_helo_hostname
disable_vrfy_command = yes
smtpd_delay_reject = yes
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 5
smtpd_hard_error_limit = 10
smtpd_restriction_classes = mua_sender_restrictions,
mua_client_restrictions,
mua_helo_restrictions
mua_sender_restrictions = permit_sasl_authenticated, reject
mua_client_restrictions = permit_sasl_authenticated, reject
mua_helo_restrictions = permit_mynetworks,
reject_non_fqdn_hostname,
reject_invalid_hostname,
permit
我该如何防止这种情况发生?我的配置中遗漏了什么
编辑
谢谢大家的帮助。正如@Piotr P. Karwasz 提到的,它是一个 cron 守护进程...
答案1
他们试图通过您的邮件系统发送邮件。但从提供的日志来看,邮件没有通过。这是件好事!
您通常不想为其他域转发邮件,因为这主要是垃圾邮件发送者使用的,并且通常会使您的邮件服务器被列入黑名单。请参阅https://en.wikipedia.org/wiki/Open_mail_relay了解更多信息。
总而言之,你可以忽略这一点。或者,如果你真的想要,你可以屏蔽他们。有关更多信息,请参阅 Google。
答案2
这些消息由运行为根:
Jan 21 00:00:03 vps22525 postfix/pickup[5421]: 2771B209A0: uid=0 from=<root>
Jan 21 00:00:03 vps22525 postfix/cleanup[5533]: 2771B209A0: message-id=<[email protected]>
Jan 21 00:00:03 vps22525 postfix/qmgr[1453]: 2771B209A0: from=<[email protected]>, size=1906, nrcpt=1 (queue active)
Jan 21 00:00:03 vps22525 postfix/local[5535]: 2771B209A0: to=<[email protected]>, orig_to=<root>, relay=local, delay=0.04, delays=0.02/0.01/0/0.01, dsn=5.2.0, status=bounced (maildir delivery failed: create maildir file /root/Mail$
Jan 21 00:00:03 vps22525 postfix/cleanup[5533]: 2DED5209A5: message-id=<[email protected]>
Jan 21 00:00:03 vps22525 postfix/qmgr[1453]: 2DED5209A5: from=<>, size=4037, nrcpt=1 (queue active)
Jan 21 00:00:03 vps22525 postfix/bounce[5536]: 2771B209A0: sender non-delivery notification: 2DED5209A5
Jan 21 00:00:03 vps22525 postfix/qmgr[1453]: 2771B209A0: removed
Jan 21 00:00:03 vps22525 postfix/local[5535]: 2DED5209A5: to=<[email protected]>, relay=local, delay=0, delays=0/0/0/0, dsn=5.2.0, status=bounced (maildir delivery failed: create maildir file /root/Maildir/tmp/1579557603.P5535.vps$
Jan 21 00:00:03 vps22525 postfix/qmgr[1453]: 2DED5209A5: removed
可能是CRON守护进程的问题。邮件和退回邮件无法投递,因为根没有邮箱。添加别名从根用户登录您的帐户即可/etc/aliases接收这些电子邮件。