如何防止未经授权的邮件从我的邮件服务器发送?

如何防止未经授权的邮件从我的邮件服务器发送?

我有 Postfix 服务器,它为多个域名提供服务,SPF、DMARC、DKIM 都已正确设置并多次测试。因此,没有发生欺骗。然而,尽管我尽了最大努力调整 Postfix 配置,但像下面这样的外发垃圾邮件仍然会定期从服务器中溜走:

Aug  5 08:37:38 mail postfix/error[9631]: BC96418C10: to=<[email protected]>, relay=none, delay=161913, delays=161238/676/0/0.04, dsn=4.4.2, status=deferred (delivery temporarily suspended: conversation with mx1.comcast.net[96.114.157.80] timed out while receiving the initial server greeting)
Aug  5 10:07:45 mail postfix/error[31924]: BC96418C10: to=<[email protected]>, relay=none, delay=167320, delays=166039/1281/0/0.04, dsn=4.4.3, status=deferred (delivery temporarily suspended: Host or domain name not found. Name service error for name=comcast.net type=MX: Host not found, try again)
Aug  5 11:23:43 mail postfix/error[18751]: BC96418C10: to=<[email protected]>, relay=none, delay=171878, delays=171438/440/0/0.12, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx2.comcast.net[2001:558:fe21:2a::6]:25: Network is unreachable)
Aug  5 12:54:11 mail postfix/error[8920]: BC96418C10: to=<[email protected]>, relay=none, delay=177306, delays=175938/1367/0/0.06, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx1.comcast.net[2001:558:fe16:1b::15]:25: Network is unreachable)
Aug  5 14:07:22 mail postfix/error[27186]: BC96418C10: to=<[email protected]>, relay=none, delay=181697, delays=181338/359/0/0.03, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx2.comcast.net[2001:558:fe21:2a::6]:25: Network is unreachable)

以下是一些可能相关的 Postfix 设置:

virtual_alias_maps = hash:/etc/postfix/virtual
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = encrypt
smtp_tls_security_level = may
mailbox_size_limit = 0
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /ssl/ssl.key
smtpd_tls_CAfile = /ssl/ssl.ca
smtpd_tls_cert_file = /ssl/ssl.crt
smtp_use_tls = yes
smtpd_soft_error_limit = 5
smtpd_hard_error_limit = 10
milter_default_action = accept
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
smtpd_helo_required = yes
smtpd_sasl_auth_enable = yes

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination

smtpd_recipient_restrictions = permit_sasl_authenticated reject_unauth_destination check_policy_service unix:/var/spool/postfix/postgrey/socket permit_inet_interfaces

smtpd_sender_restrictions = reject_unknown_sender_domain,
    check_sender_access hash:/etc/postfix/access

所有合法的电子邮件帐户都已列出/etc/postfix/virtual,理想情况下只有他们才可以发送邮件,其他人则不行。我还添加了这些域名实际托管的所有 IP 地址,因此应该能够通过此邮件服务器发送邮件mynetworks =

所以如果我输入:

smtpd_relay_restrictions = permit_mynetworks, reject

那么垃圾邮件就被有效地阻止了。但是,在这种情况下,合法用户无法从手机等电子邮件客户端程序连接到他们的邮件帐户。所以我必须稍微放宽上述规则,如下所示:

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination

谁能告诉我如何允许合法用户使用该邮件服务器,同时阻止所有其他方从该邮件服务器发送任何内容?

编辑#1:

感谢 anx 的指针,我采取了进一步的措施,以下是使用该postcat -vq 3825218E12命令提取的元数据。消息的 ID 不同,但问题相同:

postcat: name_mask: all
postcat: inet_addr_local: configured 2 IPv4 addresses
postcat: inet_addr_local: configured 2 IPv6 addresses
*** ENVELOPE RECORDS deferred/3/3825218E12 ***
message_size:            8340             682               1               0            8340
message_arrival_time: Thu Aug 12 18:31:08 2021
create_time: Thu Aug 12 18:31:08 2021
named_attribute: log_ident=3825218E12
named_attribute: rewrite_context=remote
named_attribute: sasl_method=LOGIN
named_attribute: sasl_username=root
sender: [email protected]
named_attribute: log_client_name=unknown
named_attribute: log_client_address=93.122.252.5
named_attribute: log_client_port=8529
named_attribute: log_message_origin=unknown[93.122.252.5]
named_attribute: log_helo_name=213.233.88.90
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=unknown
named_attribute: reverse_client_name=unknown
named_attribute: client_address=93.122.252.5
named_attribute: client_port=8529
named_attribute: helo_name=213.233.88.90
named_attribute: protocol_name=ESMTP
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
recipient: [email protected]
pointer_record:               0
*** MESSAGE CONTENTS deferred/3/3825218E12 ***
regular_text: Received: from 213.233.88.90 (unknown [93.122.252.5])
regular_text:   by mail.mydomain.tld (Postfix) with ESMTPSA id 3825218E12
regular_text:   for <[email protected]>; Thu, 12 Aug 2021 18:31:08 +0000 (UTC)
pointer_record:            9682
regular_text: DKIM-Filter: OpenDKIM Filter v2.11.0 mail.mydomain.tld 3825218E12
pointer_record:            9043
regular_text: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=thebriefguy.com;
regular_text:   s=default; t=1628793068;
regular_text:   bh=2YMB5PSTO3RHAXFabkN43xdUCrxjEQOw0Xw/uLJ1zX8=;
regular_text:   h=From:To:Subject:Date:From;
regular_text:   b=edi8WNplYs2gx/aYmKl9vbY1OE3jfVZ284faDviyICbDTm51y5CgBXg3QzcSHuaL6
regular_text:    PsxGqHaqqXnF32EsA0UnqQ2q71Z8DVeEnQVp1njnqA3ECE3hiWj8UUeobRClZw7eEP
regular_text:    z2PK95dI6kfHlCcBnEgJph2pr5ilxDv4Brl9s02s7Q/2ikwHHGWh+8Gwr24CQfnBJK
regular_text:    lXrkBZVgmi65/6b6kVxmto+3oqV9avsd/9ja+CcMRs7+CsKjeHz7GA/9P3yB24/fNT
regular_text:    sAjWFvQA14zkcEjFpPmZFm/6ZjLkf0pi53vx+JamwdB5C4KzhDSKkgX6rXNYYwMu+o
regular_text:    jcADLvrnBCDtQ==
regular_text: Message-ID: <[email protected]>
pointer_record:             936
regular_text: From: Xfinity <[email protected]>
regular_text: To: [email protected]
regular_text: Subject: Important Update
regular_text: Date: Thu, 12 Aug 2021 11:31:06 -0700
regular_text: Organization: Xfinity
regular_text: MIME-Version: 1.0
regular_text: Content-Type: text/html; charset="utf-8"
regular_text: Content-Transfer-Encoding: quoted-printable
pointer_record:               0
regular_text:

我担心的是这些特定的线条:

named_attribute: sasl_method=LOGIN
named_attribute: sasl_username=root

我已经使用以下命令更改了 root 的密码:

saslpasswd2 root

但是,我不确定如何解释上述代码,以及他们究竟是如何以 root 身份登录的。邮件服务器是新配置的,我root以前从未接触过 sasl 用户,所以我想知道它是否带有某种默认密码,是否总是需要更改?此外,我想知道采取的步骤是否足以解决问题,或者是否建议采取其他一些步骤?

编辑#2:

以下是命令的输出postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
default_destination_concurrency_limit = 1
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = all
initial_destination_concurrency = 1
mail_owner = postfix
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
milter_default_action = accept
mydestination = mail.mydomain.tld, mail, localhost
mydomain = mydomain.tld
myhostname = mail.mydomain.tld
mynetworks = REDACTED IP ADDRESS BLOCKS
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = inet:localhost:8891
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sender_bcc_maps = hash:/etc/postfix/bcc
sender_dependent_default_transport_maps = hash:/etc/postfix/dependent
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_hard_error_limit = 10
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname check_helo_access hash:/etc/postfix/helo_access
smtpd_milters = inet:localhost:8891
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_non_fqdn_hostname reject_non_fqdn_sender reject_non_fqdn_recipient reject_unauth_destination reject_unauth_pipelining reject_invalid_hostname reject_unknown_reverse_client_hostname reject_rbl_client bl.spamcop.net reject_rhsbl_helo dbl.spamhaus.org reject_rhsbl_reverse_client dbl.spamhaus.org reject_rhsbl_sender dbl.spamhaus.org reject_rbl_client zen.spamhaus.org permit_dnswl_client swl.spamhaus.org
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject_rbl_client sbl.spamhaus.org permit
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = permit_mynetworks permit_sasl_authenticated reject_unknown_sender_domain, check_sender_access hash:/etc/postfix/access reject_unknown_reverse_client_hostname reject_unknown_client_hostname
smtpd_soft_error_limit = 5
smtpd_tls_CAfile = /ssl/ssl.ca
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /ssl/ssl.crt
smtpd_tls_key_file = /ssl/ssl.key
smtpd_tls_security_level = encrypt
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual

输出如下postconf -M

smtp       inet  n       -       n       -       -       smtpd -o smtpd_sasl_auth_enable=yes -o smtpd_tls_security_level=may
pickup     unix  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
submission inet  n       -       n       -       -       smtpd -o smtpd_sasl_auth_enable=yes -o smtpd_tls_security_level=may
smtps      inet  n       -       n       -       -       smtpd -o smtpd_sasl_auth_enable=yes -o smtpd_tls_security_level=may -o smtpd_tls_wrappermode=yes

答案1

从您发布的任何内容来看,您的服务器尝试中继此消息的原因似乎并不明显,但您的下一步应该是:

查找此消息的来源。该十六进制代码 ( BC96418C10) 称为队列 ID是您在日志中查找的关键字,用于查看谁向您的服务器提交了此消息。您还应该使用 来postcat显示该消息及其相关元数据。

以上两者都应该有助于弄清此消息何时以及如何到达您的服务器,以及您是否有滥用用户、泄露用户凭据、限制设置存在漏洞或服务器完全被泄露。


现在关于您的更新:root对于邮件系统进行身份验证来说,用户名有点奇怪。但如果没有人搞错,这些就是用于将此消息提交到您的服务器的 SASL 凭据。

named_attribute: sasl_method=LOGIN
named_attribute: sasl_username=root

通过查看您的 postfix 配置(尝试postconf -npostconf -M),您可能会更清楚哪个程序接受了该登录(cyrus?dovecot?)以及在哪里查找以禁用该用户。您可能希望收集有关 sasl 用户数据库的信息,并发布有关该部分的新问题和问题。

如果root系统用户确实有密码,并且用它来发送邮件,那么它可能也被用于登录服务器在许多系统上,用户也不会root 密码设置,密码也不应成为获取远程 shell 的有效机制,因此这种泄露可能仅限于邮件。

相关内容