我正在将我们的服务器从 Debian 8 迁移到 Debian 10。现在,我正在尝试设置我们的邮件服务器 (postfix-dovecot-mysql)。虽然我能够像这样设置 mysql (MariaDB 10.3) 和 Dovecot 而没有任何重大问题,但我在 postfix (3.4.14) 上一直遇到同样的问题:
通过 SMTP 从外部邮件服务器传入的所有邮件都被拒绝:554 中继访问被拒绝
master.cf(用于 smtp 服务):
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
smtp inet n - y - - smtpd -v
-o smtpd_sasl_auth_enable=no
我在 main.cf 中的允许/拒绝规则是:
#1 client
smtpd_client_restrictions = permit_mynetworks
permit_sasl_authenticated
reject_unknown_client_hostname
#2 helo
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks
reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname
reject_unknown_helo_hostname
#3 sender
smtpd_sender_restrictions = permit_mynetworks
permit_sasl_authenticated
reject_non_fqdn_sender
reject_sender_login_mismatch
#4 relay
smtpd_relay_restrictions = reject_non_fqdn_recipient
permit_mynetworks
permit_sasl_authenticated
permit_auth_destination
reject_unauth_destination
#5 recipient
smtpd_recipient_restrictions = check_recipient_access proxy:mysql:/etc/postfix/mysql/recipient_access.cf
#6 data
smtpd_data_restrictions = reject_unauth_pipelining
另外,我设置我的目的地清空以确保虚拟运输
mydestination =
我已经确认拒绝未授权目的地通过设置不同的状态代码来触发拒绝:
relay_domains_reject_code = 564
access_map_reject_code = 574
maps_rbl_reject_code = 584
状态代码现在始终是564根据 Postfix 手册拒绝代码被解雇,如果拒绝未授权目的地规则开始生效。
我不明白的是(即使经过几个小时的反复试验和互联网研究)postfix 似乎忽略了我的基于 mysql 的虚拟映射,因为 mysql 日志显示没有执行任何查询。我能看到的唯一查询是来自smtpd_recipient_restrictions返回 OK。
这邮件日志显示以下内容:(我刚刚将电子邮件地址匿名化,并屏蔽了 IP 地址):
postfix/smtpd[6963]: >>> START Recipient address RESTRICTIONS <<<
postfix/smtpd[6963]: generic_checks: name=reject_non_fqdn_recipient
postfix/smtpd[6963]: reject_non_fqdn_address: [email protected]
postfix/smtpd[6963]: generic_checks: name=reject_non_fqdn_recipient status=0
postfix/smtpd[6963]: generic_checks: name=permit_mynetworks
postfix/smtpd[6963]: generic_checks: name=permit_mynetworks status=0
postfix/smtpd[6963]: generic_checks: name=permit_sasl_authenticated
postfix/smtpd[6963]: generic_checks: name=permit_sasl_authenticated status=0
postfix/smtpd[6963]: generic_checks: name=permit_auth_destination
postfix/smtpd[6963]: permit_auth_destination: [email protected]
postfix/smtpd[6963]: ctable_locate: leave existing entry key [email protected][email protected]
postfix/smtpd[6963]: generic_checks: name=permit_auth_destination status=0
postfix/smtpd[6963]: generic_checks: name=reject_unauth_destination
postfix/smtpd[6963]: reject_unauth_destination: [email protected]
postfix/smtpd[6963]: permit_auth_destination: [email protected]
postfix/smtpd[6963]: ctable_locate: leave existing entry key [email protected][email protected]
postfix/smtpd[6963]: NOQUEUE: reject: RCPT from x.x.x.x[y.y.y.y]: 564 5.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<z.z.z.z>
postfix/smtpd[6963]: generic_checks: name=reject_unauth_destination status=2
postfix/smtpd[6963]: >>> END Recipient address RESTRICTIONS <<<
这允许_授权_目的地检查没有启动 - 尽管它应该启动,因为(根据 Postfix 手册)如果收件人地址列在以下任一位置,它就会启动虚拟别名域或者虚拟邮箱域名。我已经通过运行以下命令确认了两者在我的情况下都是正确的:
[19:00:39][me@server:~]# postmap -q [email protected] proxy:mysql:/etc/postfix/mysql/virtual_alias_domains.cf
recipient.com
[19:00:39][me@server:~]# postmap -q [email protected] proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
recipient.com
就在允许_授权_目的地没有踢,拒绝未授权目的地确实会起作用 - 尽管由于同样的原因它不应该起作用。
如前所述,我可以从 mysql 日志中看到,此时 postfix 没有执行任何查询。我不知道 postfix 是如何决定不触发允许_授权_目的地但触发拒绝未授权目的地。
什么原因导致了这种现象?
这是完整的 main.cf:
###########
# Network #
###########
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
#mydomain =
myhostname = mail.server.com
mydestination =
inet_interfaces = all
inet_protocols = ipv4, ipv6
smtp_address_preference = ipv4
smtpd_banner = $myhostname ESMTP $mail_name
#########
# Local #
#########
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
###########
# Virtual #
###########
proxy_read_maps = proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf
proxy:mysql:/etc/postfix/mysql/virtual_alias_domains.cf
proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
proxy:mysql:/etc/postfix/mysql/recipient_access.cf
virtual_mailbox_base = /home/vmail/mailboxes
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf
virtual_alias_domains = proxy:mysql:/etc/postfix/mysql/virtual_alias_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_minimum_uid = 5000
local_recipient_maps = $virtual_mailbox_maps
################
# TLS settings #
################
tls_ssl_options = NO_COMPRESSION
################
# TLS outbound #
################
smtp_dns_support_level = dnssec
smtp_tls_security_level = may
proxy:mysql:/etc/postfix/msql/smtp_tls_policy_maps.cf
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_protocols = !SSLv3, TLSv1.3
smtp_tls_ciphers = high
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
###############
# TLS inbound #
###############
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv3, TLSv1.3
smtpd_tls_ciphers = high
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_cert_file = /etc/letsencrypt/getssl-certs/mail.server.com/chain.pem
smtpd_tls_key_file = /etc/letsencrypt/getssl-certs/mail.server.com/key.pem
###################################
# Local mail delivery via Dovecot #
###################################
virtual_transport = lmtp:unix:private/dovecot-lmtp
#############
# SASL auth #
#############
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
#########
# Relay #
#########
#1 client
smtpd_client_restrictions = permit_mynetworks
permit_sasl_authenticated
reject_unknown_client_hostname
#2 helo
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks
reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname
reject_unknown_helo_hostname
#3 sender
smtpd_sender_restrictions = permit_mynetworks
permit_sasl_authenticated
reject_non_fqdn_sender
reject_sender_login_mismatch
#4 relay
smtpd_relay_restrictions = reject_non_fqdn_recipient
permit_mynetworks
permit_sasl_authenticated
permit_auth_destination
reject_unauth_destination
#5 recipient
smtpd_recipient_restrictions = check_recipient_access proxy:mysql:/etc/postfix/mysql/recipient_access.cf
#6 data
smtpd_data_restrictions = reject_unauth_pipelining
#7 end-of-data
relay_domains_reject_code = 564
access_map_reject_code = 574
maps_rbl_reject_code = 584
#################
# Miscellaneous #
#################
mail_owner = postfix
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
biff = no
append_dot_mydomain = no
readme_directory = no
compatibility_level = 2
更新
如果我改变我的虚拟邮箱域名从代理设置:mysql 查找为静态值(收件人的域)一切都按预期工作:
virtual_mailbox_domains = static:recipient.com
看起来问题出在通过 mysql 进行的特定查找上。这特别奇怪,因为问题似乎存在于smtpd_relay_restrictions仅(不执行 mysql 查询)。它工作正常(执行 mysql 查询)smtpd_recipient_restrictions
答案1
我最终能够通过查看 proxymap 的详细日志来理清这个问题。
交给mysql查询的密钥实际上只是收件人的域,而不是整个电子邮件地址:
postfix/proxymap[23555]: master_notify: status 0
postfix/proxymap[23555]: proxymap socket: wanted attribute: request
postfix/proxymap[23555]: input attribute name: request
postfix/proxymap[23555]: input attribute value: lookup
postfix/proxymap[23555]: proxymap socket: wanted attribute: table
postfix/proxymap[23555]: input attribute name: table
postfix/proxymap[23555]: input attribute value: mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
postfix/proxymap[23555]: proxymap socket: wanted attribute: flags
postfix/proxymap[23555]: input attribute name: flags
postfix/proxymap[23555]: input attribute value: 524352
postfix/proxymap[23555]: proxymap socket: wanted attribute: key
postfix/proxymap[23555]: input attribute name: key
postfix/proxymap[23555]: input attribute value: recipient.com
postfix/proxymap[23555]: proxymap socket: wanted attribute: (list terminator)
postfix/proxymap[23555]: input attribute name: (end)
postfix/proxymap[23555]: proxy_map_find: mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf:
postfix/proxymap[23555]: send attr status = 1
postfix/proxymap[23555]: send attr value =
postfix/proxymap[23555]: master_notify: status 1
在这种情况下,%日参数(实际上应该携带域名)不能用于 mysql 查询。使用%s(带有原始输入键)终于工作了。
我确实意识到%日通过运行为空后图仅使用域名而没有得到结果:
[me@server:~]# postmap -q [email protected] proxy:mysql:/etc/postfix/mysql/virtual_alias_domains.cf
recipient.com
[me@server:~]# postmap -q recipient.com proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
[me@server:~]#