阻止用户帐户通过 Postfix 发送电子邮件的问题

tag-icon tag-icon postfix
阻止用户帐户通过 Postfix 发送电子邮件的问题

当尝试在本地和外部阻止特定用户的外发电子邮件时,我SMTPD_Recipient_Restrictions = Check_sender_access hash: /etc/postfix/sender_access使用此文本在 main.cf 中输入了 Postfix 配置[email protected] Reject,然后Postmap Sender_access创建 .db 文件。

通过 Webmail 和 Thunderbird 或 Outlook 等邮件客户端,一切正常。使用端口 25 和 465 ssl/tls 发送被锁定,但如果客户端使用端口 587 和 STARTTLs,发送就会成功。

如何停止使用邮件客户端通过端口 587 发送?

后配置-n

alias_maps = hash:/etc/aliases, nis:mail.aliases, hash:/var/spool/postfix/plesk/aliases
authorized_flush_users =
authorized_mailq_users =
command_directory = /usr/sbin
compatibility_level = 2
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 5
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailbox_size_limit = 0
mailman_destination_recipient_limit = 1
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 10240000
meta_directory = /etc/postfix
mydestination = localhost.$mydomain, localhost, localhost.localdomain
myhostname = mydomain.my
mynetworks =
newaliases_path = /usr/bin/newaliases.postfix
plesk_virtual_destination_recipient_limit = 1
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-3.5.9/README_FILES
recipient_canonical_classes = envelope_recipient,header_recipient
recipient_canonical_maps = tcp:127.0.0.1:12346
recipient_delimiter = +
sample_directory = /usr/share/doc/postfix-3.5.9/samples
sender_dependent_default_transport_maps = hash:/var/spool/postfix/plesk/sdd_transport_maps
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_bind_address = xxx.xxx.xxx.xxx
smtp_send_xforward_command = yes
smtp_tls_security_level = may
smtp_use_tls = no
smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_milters = , inet:127.0.0.1:12768
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/sender_access, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated
smtpd_tls_cert_file = /etc/postfix/postfix.pem
smtpd_tls_ciphers = medium
smtpd_tls_dh1024_param_file = /usr/local/psa/etc/dhparams2048.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = TLSv1.2
smtpd_tls_protocols = TLSv1.2
smtpd_tls_security_level = may
smtpd_use_tls = yes
smtputf8_enable = no
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
tls_preempt_cipherlist = yes
tls_server_sni_maps = hash:/var/spool/postfix/plesk/certs
transport_maps = hash:/var/spool/postfix/plesk/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_gid_maps = static:30
virtual_mailbox_base = /var/qmail/mailnames
virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains
virtual_mailbox_limit = 0
virtual_mailbox_maps = , hash:/var/spool/postfix/plesk/vmailbox
virtual_transport = plesk_virtual
virtual_uid_maps = static:30

postconf-M

smtp       inet  n       -       n       -       -       smtpd
cleanup    unix  n       -       n       -       0       cleanup
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp -o syslog_name=postfix/$service_name
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
postlog    unix-dgram n  -       n       -       1       postlogd
plesk_virtual unix -     n       n       -       -       pipe flags=DORhu user=popuser:popuser argv=/usr/lib64/plesk-9.0/postfix-local -f ${sender} -d ${recipient} -p /var/qmail/mailnames -q ${queue_id}
127.0.0.1:12346 inet n   n       n       -       -       spawn user=popuser:popuser argv=/usr/lib64/plesk-9.0/postfix-srs
mailman    unix  -       n       n       -       -       pipe flags=R user=mailman:mailman argv=/usr/lib64/plesk-9.0/postfix-mailman ${nexthop} ${user} ${recipient}
pickup     fifo  n       -       n       60      1       pickup
qmgr       fifo  n       -       n       1       1       qmgr
smtps      inet  n       -       n       -       -       smtpd -o smtpd_tls_wrappermode=yes
submission inet  n       -       n       -       -       smtpd -o smtpd_enforce_tls=yes -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
plesk_saslauthd unix y   y       n       -       1       plesk_saslauthd status=5 listen=6 dbpath=/var/spool/postfix/plesk/passwd.db

Plesk Obsidian 18.0.40.1 操作系统版本:CentOS 7.9.2009 x86_64

答案1

check_sender_access属于smtpd_sender_restrictions,不属于smtpd_recipient_restrictions

答案2

您在两个端口上提供提交服务,并具有不同的选项覆盖:

  1. 端口 587 上的旧版 STARTTLS(submission在第一列中master.cf
  2. SMTP 在端口 465 上封装在 TLS 中(smtps在第一列中master.cf

您当前不需要在这两个端口上进行身份验证,但只需覆盖一个端口的限制:

smtps      inet  n       -       n       -       -       smtpd
 -o smtpd_tls_wrappermode=yes
submission inet  n       -       n       -       -       smtpd
 -o smtpd_enforce_tls=yes
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 -o smtpd_sender_restrictions=
 -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination

我期望你想要的是这样的:要求在两个端口上进行身份验证,并且只覆盖发送方和客户端限制,同时仍然应用全局收件人限制:

smtps      inet  n       -       n       -       -       smtpd
 -o smtpd_tls_wrappermode=yes
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 -o smtpd_sender_restrictions=
submission inet  n       -       n       -       -       smtpd
 -o smtpd_enforce_tls=yes
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 -o smtpd_sender_restrictions=

如果没有被覆盖,文件中的收件人限制main.cf将适用于这两种服务。

smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/sender_access, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

(无关:您可能不想允许在端口 25 上进行身份验证 - 您允许在那里进行没有传输安全性的连接。当您为所有(2)个提交端口覆盖它时,请重新smtpd_sasl_auth_enable = yes考虑main.cf

相关内容