拒绝反向主机名解析失败的电子邮件

拒绝反向主机名解析失败的电子邮件

我的 Postfix 服务器不断收到来自不断变化的域名的垃圾邮件,但日志文件中以第 行开头的模式保持一致warning: hostname X does not resolve to address Y。没有合法(普通)电子邮件具有这种模式,因此我想阻止与此消息相关的电子邮件。

有没有办法在 Postfix 配置中完全阻止这些电子邮件,例如在 main.cf 文件中?

以下是日志文件的一部分,显示了垃圾邮件到达时的模式:

May 10 21:47:46 localhost postfix/smtpd[313324]: warning: hostname trojan.kringeas.co.uk does not resolve to address 104.129.30.93: Name or service not known
May 10 21:47:46 localhost postfix/smtpd[313324]: connect from unknown[104.129.30.93]
May 10 21:47:46 localhost postfix/smtpd[313324]: 2AF1D101825: client=unknown[104.129.30.93]
May 10 21:47:46 localhost postfix/cleanup[313331]: 2AF1D101825: message-id=<dO7GXAfoNocg1hEkeyqMfulg7RZ0aamifKqrB8JpUH8.ofI9TFu7lSCnlxwicxT5GA@meansfolk.sa.com>
May 10 21:47:46 localhost postfix/qmgr[294981]: 2AF1D101825: from=<[email protected]>, size=4241, nrcpt=1 (queue active)
May 10 21:47:46 localhost postfix/pipe[313333]: 2AF1D101825: to=<[email protected]>, orig_to=<[email protected]>, relay=dovecot, delay=0.11, delays=0.08/0.01/0/0.02, dsn=2     .0.0, status=sent (delivered via dovecot service)
May 10 21:47:46 localhost postfix/qmgr[294981]: 2AF1D101825: removed
May 10 21:47:46 localhost postfix/smtpd[313324]: disconnect from unknown[104.129.30.93] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5

这是我的 main.cf 文件:请注意,它包含: smtpd_client_restrictions = reject_unknown_reverse_client_hostname阅读后我尝试了这个帖子

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix/sbin
data_directory = /var/lib/postfix
mail_owner = postfix
inet_protocols = all
mydestination = localhost, localhost.localdomain
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         ddd $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.10.1/samples
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES


myhostname = xxxx.net
mynetworks = 127.0.0.0/8
message_size_limit = 30720000
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf, hash:/etc/postfix/virtual
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /home/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
smtpd_client_restrictions = reject_unknown_reverse_client_hostname
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
virtual_create_maildirsize = yes
virtual_maildir_extended = yes
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
inet_interfaces = all
smtp_tls_security_level = may
disable_vrfy_command = yes
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

答案1

只需更换

smtpd_client_restrictions = reject_unknown_reverse_client_hostname

smtpd_client_restrictions = reject_unknown_client_hostname

来自Postfix 手册

reject_unknown_client_hostname (with Postfix < 2.3: reject_unknown_client)
    Reject the request when 
      1) the client IP address->name mapping fails, or 
      2) the name->address mapping fails, or
      3) the name->address mapping does not match the client IP address.
    This is a stronger restriction than the reject_unknown_reverse_client_hostname 
    feature, which triggers only under condition 1) above.
    The unknown_client_reject_code parameter specifies the response code for
    rejected requests (default: 450). The reply is always 450 in case the
    address->name or name->address lookup failed due to a temporary problem. 

然而,你的这种看法是错误的:

没有合法的电子邮件具有这种模式,所以我想阻止与此消息相关的电子邮件。

我的客户时不时会抱怨,有时反向主机名不符合 HELO 地址,或者解析为其他地址,或者根本不解析,这完全是请求邮件。基本上,当前的 RFC 仅要求存在HELO 主机名的 PTR 记录,而没有说明其值或该名称下的 A 记录的存在或其值。从技术上讲,合法的服务器可以忽略其他所有内容,并且仍然遵守 RFC,而您使用此配置阻止它。为了解决这个问题,我将所有这些检查都放入了 中smtpd_recipient_restrictions,并在其前面立即添加check_sender_access hash://...,这样我就可以通过发件人域名或完整发件人电子邮件地址有选择地从此检查中排除一些邮件:

smtpd_client_restrictions = [default]
smtpd_recipient_restrictions = 
...
    check_sender_access hash:/etc/postfix/spam_exceptions,
    reject_unknown_client_hostname,
...

您不能使用check_sender_accesssmtpd_client_restrictions因为您在阶段期间仅获取发件人信封地址来进行检查MAIL From:

spam_exceptions文件的结构很简单:

affected.domain OK
...

当我解决投诉时,我只需将域名添加到此文件中。我已经收集了相当多的域名!

相关内容