当尝试在本地和外部阻止特定用户的外发电子邮件时,我SMTPD_Recipient_Restrictions = Check_sender_access hash: /etc/postfix/sender_access
使用此文本在 main.cf 中输入了 Postfix 配置[email protected] Reject
,然后Postmap Sender_access
创建 .db 文件。
通过 Webmail 和 Thunderbird 或 Outlook 等邮件客户端,一切正常。使用端口 25 和 465 ssl/tls 发送被锁定,但如果客户端使用端口 587 和 STARTTLs,发送就会成功。
如何停止使用邮件客户端通过端口 587 发送?
后配置-n
alias_maps = hash:/etc/aliases, nis:mail.aliases, hash:/var/spool/postfix/plesk/aliases
authorized_flush_users =
authorized_mailq_users =
command_directory = /usr/sbin
compatibility_level = 2
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 5
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailbox_size_limit = 0
mailman_destination_recipient_limit = 1
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 10240000
meta_directory = /etc/postfix
mydestination = localhost.$mydomain, localhost, localhost.localdomain
myhostname = mydomain.my
mynetworks =
newaliases_path = /usr/bin/newaliases.postfix
plesk_virtual_destination_recipient_limit = 1
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-3.5.9/README_FILES
recipient_canonical_classes = envelope_recipient,header_recipient
recipient_canonical_maps = tcp:127.0.0.1:12346
recipient_delimiter = +
sample_directory = /usr/share/doc/postfix-3.5.9/samples
sender_dependent_default_transport_maps = hash:/var/spool/postfix/plesk/sdd_transport_maps
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_bind_address = xxx.xxx.xxx.xxx
smtp_send_xforward_command = yes
smtp_tls_security_level = may
smtp_use_tls = no
smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_milters = , inet:127.0.0.1:12768
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/sender_access, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated
smtpd_tls_cert_file = /etc/postfix/postfix.pem
smtpd_tls_ciphers = medium
smtpd_tls_dh1024_param_file = /usr/local/psa/etc/dhparams2048.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = TLSv1.2
smtpd_tls_protocols = TLSv1.2
smtpd_tls_security_level = may
smtpd_use_tls = yes
smtputf8_enable = no
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
tls_preempt_cipherlist = yes
tls_server_sni_maps = hash:/var/spool/postfix/plesk/certs
transport_maps = hash:/var/spool/postfix/plesk/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_gid_maps = static:30
virtual_mailbox_base = /var/qmail/mailnames
virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains
virtual_mailbox_limit = 0
virtual_mailbox_maps = , hash:/var/spool/postfix/plesk/vmailbox
virtual_transport = plesk_virtual
virtual_uid_maps = static:30
postconf-M
smtp inet n - n - - smtpd
cleanup unix n - n - 0 cleanup
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp -o syslog_name=postfix/$service_name
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
postlog unix-dgram n - n - 1 postlogd
plesk_virtual unix - n n - - pipe flags=DORhu user=popuser:popuser argv=/usr/lib64/plesk-9.0/postfix-local -f ${sender} -d ${recipient} -p /var/qmail/mailnames -q ${queue_id}
127.0.0.1:12346 inet n n n - - spawn user=popuser:popuser argv=/usr/lib64/plesk-9.0/postfix-srs
mailman unix - n n - - pipe flags=R user=mailman:mailman argv=/usr/lib64/plesk-9.0/postfix-mailman ${nexthop} ${user} ${recipient}
pickup fifo n - n 60 1 pickup
qmgr fifo n - n 1 1 qmgr
smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes
submission inet n - n - - smtpd -o smtpd_enforce_tls=yes -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
plesk_saslauthd unix y y n - 1 plesk_saslauthd status=5 listen=6 dbpath=/var/spool/postfix/plesk/passwd.db
Plesk Obsidian 18.0.40.1 操作系统版本:CentOS 7.9.2009 x86_64
答案1
check_sender_access
属于smtpd_sender_restrictions
,不属于smtpd_recipient_restrictions
。
答案2
您在两个端口上提供提交服务,并具有不同的选项覆盖:
- 端口 587 上的旧版 STARTTLS(
submission
在第一列中master.cf
) - SMTP 在端口 465 上封装在 TLS 中(
smtps
在第一列中master.cf
)
您当前不需要在这两个端口上进行身份验证,但只需覆盖一个端口的限制:
smtps inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes
submission inet n - n - - smtpd
-o smtpd_enforce_tls=yes
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
我期望你想要的是这样的:要求在两个端口上进行身份验证,并且只覆盖发送方和客户端限制,同时仍然应用全局收件人限制:
smtps inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_sender_restrictions=
submission inet n - n - - smtpd
-o smtpd_enforce_tls=yes
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_sender_restrictions=
如果没有被覆盖,文件中的收件人限制main.cf
将适用于这两种服务。
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/sender_access, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
(无关:您可能不想允许在端口 25 上进行身份验证 - 您允许在那里进行没有传输安全性的连接。当您为所有(2)个提交端口覆盖它时,请重新smtpd_sasl_auth_enable = yes
考虑main.cf
)