防火墙不阻止中继尝试到达 Postfix

我有一个基于 centos 的 vps，使用 webmin 进行管理，每隔一段时间我就会收到几百封这样的电子邮件：

From: MAILER-DAEMON@mail.<redacted>.com
To: postmaster@<redacted>.com
Subject: Postfix SMTP server: errors from unknown[20.229.210.160]

Transcript of session follows.

 Out: 220 mail.<redacted>.com ESMTP Postfix
 In:  EHLO yupk81.domain
 Out: 250-mail.<redacted>.com
 Out: 250-PIPELINING
 Out: 250-SIZE 30720000
 Out: 250-VRFY
 Out: 250-ETRN
 Out: 250-STARTTLS
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  STARTTLS
 Out: 454 4.7.0 TLS not available due to local problem
 Out: 421 4.4.2 mail.<redacted>.com Error: timeout exceeded

会话中止，原因：超时

有关其他详细信息，请参阅本地邮件日志文件

以下是我认为与此类电子邮件相关的日志条目：

Jun 10 19:20:46 fla postfix/qmgr[931]: 9CFCD40033: removed
Jun 10 19:21:54 fla postfix/submission/smtpd[29389]: connect from unknown[20.229.210.160]
Jun 10 19:21:54 fla postfix/submission/smtpd[29389]: warning: connect to Milter service inet:127.0.0.1:8891: Connection refused
Jun 10 19:22:07 fla postfix/submission/smtpd[29551]: timeout after STARTTLS from unknown[20.229.210.160]
Jun 10 19:22:07 fla postfix/cleanup[30329]: E0A0840033: message-id=<20220610232207.E0A0840033@mail.<redacted>.com>
Jun 10 19:22:07 fla postfix/qmgr[931]: E0A0840033: from=<double-bounce@mail.<redacted>.com>, size=914, nrcpt=1 (queue active)
Jun 10 19:22:07 fla postfix/submission/smtpd[29551]: disconnect from unknown[20.229.210.160]
Jun 10 19:22:09 fla postfix/smtp[30336]: E0A0840033: to=<my_personal_email>, orig_to=<postmaster>, relay=mail.<redacted>.com [<IP address redacted>]:25, delay=2, delays=0.01/0/0.76/1.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4LKcS06tJyz9vNQY)
Jun 10 19:22:09 fla postfix/qmgr[931]: E0A0840033: removed
Jun 10 19:22:18 fla postfix/postfix-script[30470]: warning: not owned by root: /etc/postfix/dump
Jun 10 19:22:18 fla postfix/postfix-script[30471]: warning: not owned by root: /etc/postfix/dump.txt

我将 Linux IPTables 防火墙设置为丢弃来自上述 IP 地址的数据包，但 postfix 仍从 postmaster 帐户向我发送这些电子邮件，因此这些尝试仍会到达 postfix。这让我很抓狂。防火墙不是应该阻止来自该 IP 地址的流量吗？为什么它没有发挥作用？

谢谢！

编辑 2022-06-10 21:25 - 在此处添加 iptables（不清楚为什么文件中列出的日期都是 2015 年的，因为它显示了我今天所做的更改）：

# Generated by iptables-save v1.4.21 on Sat Nov 28 22:24:57 2015
*security
:INPUT ACCEPT [28036:5505542]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [27892:10681911]
COMMIT
# Completed on Sat Nov 28 22:24:57 2015
# Generated by iptables-save v1.4.21 on Sat Nov 28 22:24:57 2015
*raw
:PREROUTING ACCEPT [28036:5505542]
:OUTPUT ACCEPT [27892:10681911]
COMMIT
# Completed on Sat Nov 28 22:24:57 2015
# Generated by iptables-save v1.4.21 on Sat Nov 28 22:24:57 2015
*nat
:PREROUTING ACCEPT [1490:86220]
:INPUT ACCEPT [1490:86220]
:OUTPUT ACCEPT [4732:332455]
:POSTROUTING ACCEPT [4732:332455]
COMMIT
# Completed on Sat Nov 28 22:24:57 2015
# Generated by iptables-save v1.4.21 on Sat Nov 28 22:24:57 2015
*mangle
:PREROUTING ACCEPT [28036:5505542]
:INPUT ACCEPT [28036:5505542]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [27892:10681911]
:POSTROUTING ACCEPT [27892:10681911]
COMMIT
# Completed on Sat Nov 28 22:24:57 2015
# Generated by iptables-save v1.4.21 on Sat Nov 28 22:24:57 2015
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Drop packets from 31.210.20.235
-A INPUT -s 20.229.210.160 -j DROP
-A INPUT -i eth0 -j LOG  --log-prefix "BANDWIDTH_IN:" --log-level 7
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m state -m icmp --icmp-type 8 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 22 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 25 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 80 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 443 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o eth0 -j LOG  --log-prefix "BANDWIDTH_OUT:" --log-level 7
-A FORWARD -i eth0 -j LOG  --log-prefix "BANDWIDTH_IN:" --log-level 7
-A FORWARD -m limit --limit 5/min -j LOG  --log-prefix "iptables_FORWARD_denied: " --log-level 7
-A OUTPUT -o eth0 -j LOG  --log-prefix "BANDWIDTH_OUT:" --log-level 7
-A INPUT -m limit --limit 5/min -j LOG  --log-prefix "iptables_INPUT_denied: " --log-level 7
-A INPUT -p tcp -m tcp -m state --dport 587 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 465 --state NEW -j ACCEPT
# test
-A INPUT
COMMIT
# Completed on Sat Nov 28 22:24:57 2015

编辑 2022-06-10 22:05 - 关闭并重新启动 postfix 后 /var/log/maillog：

Jun 10 22:03:23 fla postfix/postfix-script[4257]: stopping the Postfix mail system
Jun 10 22:03:23 fla postfix/master[3818]: terminating on signal 15
Jun 10 22:03:24 fla postfix/postfix-script[4321]: warning: not owned by root: /etc/postfix/dump
Jun 10 22:03:24 fla postfix/postfix-script[4322]: warning: not owned by root: /etc/postfix/dump.txt
Jun 10 22:03:24 fla postfix/postfix-script[4323]: warning: not owned by root: /etc/postfix/<redacted>.pem
Jun 10 22:03:24 fla postfix/postqueue[4341]: warning: Mail system is down -- accessing queue directly
Jun 10 22:03:36 fla dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=<redacted_ip_address>, lip=<redacted_ip_address>, session=<itN0diLhLABqS77J>
Jun 10 22:04:00 fla postfix/postfix-script[4488]: warning: not owned by root: /etc/postfix/dump
Jun 10 22:04:00 fla postfix/postfix-script[4489]: warning: not owned by root: /etc/postfix/dump.txt
Jun 10 22:04:00 fla postfix/postfix-script[4490]: warning: not owned by root: /etc/postfix/<redacted>.pem
Jun 10 22:04:00 fla postfix/postfix-script[4507]: starting the Postfix mail system
Jun 10 22:04:00 fla postfix/master[4509]: daemon started -- version 2.10.1, configuration /etc/postfix
Jun 10 22:04:01 fla postfix/postfix-script[4567]: warning: not owned by root: /etc/postfix/dump
Jun 10 22:04:01 fla postfix/postfix-script[4568]: warning: not owned by root: /etc/postfix/dump.txt
Jun 10 22:04:01 fla postfix/postfix-script[4569]: warning: not owned by root: /etc/postfix/<redacted>.pem