Firewall not blocking relay attempts from reaching Postfix

I have a CentOS-based VPS managed with Webmin, and every so often I receive a few hundred emails like this one:

From: MAILER-DAEMON@mail.<redacted>.com
To: postmaster@<redacted>.com
Subject: Postfix SMTP server: errors from unknown[20.229.210.160]

Transcript of session follows.

 Out: 220 mail.<redacted>.com ESMTP Postfix
 In:  EHLO yupk81.domain
 Out: 250-mail.<redacted>.com
 Out: 250-PIPELINING
 Out: 250-SIZE 30720000
 Out: 250-VRFY
 Out: 250-ETRN
 Out: 250-STARTTLS
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  STARTTLS
 Out: 454 4.7.0 TLS not available due to local problem
 Out: 421 4.4.2 mail.<redacted>.com Error: timeout exceeded

Session aborted, reason: timeout

For other details, see the local mail logfile

Here are the log entries that I believe relate to this type of email:

Jun 10 19:20:46 fla postfix/qmgr[931]: 9CFCD40033: removed
Jun 10 19:21:54 fla postfix/submission/smtpd[29389]: connect from unknown[20.229.210.160]
Jun 10 19:21:54 fla postfix/submission/smtpd[29389]: warning: connect to Milter service inet:127.0.0.1:8891: Connection refused
Jun 10 19:22:07 fla postfix/submission/smtpd[29551]: timeout after STARTTLS from unknown[20.229.210.160]
Jun 10 19:22:07 fla postfix/cleanup[30329]: E0A0840033: message-id=<20220610232207.E0A0840033@mail.<redacted>.com>
Jun 10 19:22:07 fla postfix/qmgr[931]: E0A0840033: from=<double-bounce@mail.<redacted>.com>, size=914, nrcpt=1 (queue active)
Jun 10 19:22:07 fla postfix/submission/smtpd[29551]: disconnect from unknown[20.229.210.160]
Jun 10 19:22:09 fla postfix/smtp[30336]: E0A0840033: to=<my_personal_email>, orig_to=<postmaster>, relay=mail.<redacted>.com [<IP address redacted>]:25, delay=2, delays=0.01/0/0.76/1.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4LKcS06tJyz9vNQY)
Jun 10 19:22:09 fla postfix/qmgr[931]: E0A0840033: removed
Jun 10 19:22:18 fla postfix/postfix-script[30470]: warning: not owned by root: /etc/postfix/dump
Jun 10 19:22:18 fla postfix/postfix-script[30471]: warning: not owned by root: /etc/postfix/dump.txt

I set the Linux iptables firewall to drop packets from the above IP address, but Postfix still sends me these emails from the postmaster account, so the attempts are still reaching Postfix. This is driving me crazy. Shouldn't the firewall block traffic from that IP address? Why isn't it working?

Thanks!

Edit 2022-06-10 21:25 - adding the iptables here (not clear why the dates listed in the file are all from 2015, since it shows the changes I made today):

# Generated by iptables-save v1.4.21 on Sat Nov 28 22:24:57 2015
*security
:INPUT ACCEPT [28036:5505542]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [27892:10681911]
COMMIT
# Completed on Sat Nov 28 22:24:57 2015
# Generated by iptables-save v1.4.21 on Sat Nov 28 22:24:57 2015
*raw
:PREROUTING ACCEPT [28036:5505542]
:OUTPUT ACCEPT [27892:10681911]
COMMIT
# Completed on Sat Nov 28 22:24:57 2015
# Generated by iptables-save v1.4.21 on Sat Nov 28 22:24:57 2015
*nat
:PREROUTING ACCEPT [1490:86220]
:INPUT ACCEPT [1490:86220]
:OUTPUT ACCEPT [4732:332455]
:POSTROUTING ACCEPT [4732:332455]
COMMIT
# Completed on Sat Nov 28 22:24:57 2015
# Generated by iptables-save v1.4.21 on Sat Nov 28 22:24:57 2015
*mangle
:PREROUTING ACCEPT [28036:5505542]
:INPUT ACCEPT [28036:5505542]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [27892:10681911]
:POSTROUTING ACCEPT [27892:10681911]
COMMIT
# Completed on Sat Nov 28 22:24:57 2015
# Generated by iptables-save v1.4.21 on Sat Nov 28 22:24:57 2015
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Drop packets from 31.210.20.235
-A INPUT -s 20.229.210.160 -j DROP
-A INPUT -i eth0 -j LOG  --log-prefix "BANDWIDTH_IN:" --log-level 7
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m state -m icmp --icmp-type 8 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 22 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 25 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 80 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 443 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o eth0 -j LOG  --log-prefix "BANDWIDTH_OUT:" --log-level 7
-A FORWARD -i eth0 -j LOG  --log-prefix "BANDWIDTH_IN:" --log-level 7
-A FORWARD -m limit --limit 5/min -j LOG  --log-prefix "iptables_FORWARD_denied: " --log-level 7
-A OUTPUT -o eth0 -j LOG  --log-prefix "BANDWIDTH_OUT:" --log-level 7
-A INPUT -m limit --limit 5/min -j LOG  --log-prefix "iptables_INPUT_denied: " --log-level 7
-A INPUT -p tcp -m tcp -m state --dport 587 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 465 --state NEW -j ACCEPT
# test
-A INPUT
COMMIT
# Completed on Sat Nov 28 22:24:57 2015

Edit 2022-06-10 22:05 - /var/log/maillog after shutting down and restarting Postfix:

Jun 10 22:03:23 fla postfix/postfix-script[4257]: stopping the Postfix mail system
Jun 10 22:03:23 fla postfix/master[3818]: terminating on signal 15
Jun 10 22:03:24 fla postfix/postfix-script[4321]: warning: not owned by root: /etc/postfix/dump
Jun 10 22:03:24 fla postfix/postfix-script[4322]: warning: not owned by root: /etc/postfix/dump.txt
Jun 10 22:03:24 fla postfix/postfix-script[4323]: warning: not owned by root: /etc/postfix/<redacted>.pem
Jun 10 22:03:24 fla postfix/postqueue[4341]: warning: Mail system is down -- accessing queue directly
Jun 10 22:03:36 fla dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=<redacted_ip_address>, lip=<redacted_ip_address>, session=<itN0diLhLABqS77J>
Jun 10 22:04:00 fla postfix/postfix-script[4488]: warning: not owned by root: /etc/postfix/dump
Jun 10 22:04:00 fla postfix/postfix-script[4489]: warning: not owned by root: /etc/postfix/dump.txt
Jun 10 22:04:00 fla postfix/postfix-script[4490]: warning: not owned by root: /etc/postfix/<redacted>.pem
Jun 10 22:04:00 fla postfix/postfix-script[4507]: starting the Postfix mail system
Jun 10 22:04:00 fla postfix/master[4509]: daemon started -- version 2.10.1, configuration /etc/postfix
Jun 10 22:04:01 fla postfix/postfix-script[4567]: warning: not owned by root: /etc/postfix/dump
Jun 10 22:04:01 fla postfix/postfix-script[4568]: warning: not owned by root: /etc/postfix/dump.txt
Jun 10 22:04:01 fla postfix/postfix-script[4569]: warning: not owned by root: /etc/postfix/<redacted>.pem
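The DROP rule is the first rule in the INPUT chain of the file above, so if it were in force the kernel would discard the client's SYN and Postfix would never log a "connect from" for that address; a "connect from" logged after the rule was added means the ruleset actually loaded (what iptables-save prints right now) differs from the file. The following checker is an added example, not code from the question or the answers; it cross-references Postfix smtpd log lines against an iptables-save dump, and the sample log and rules are constructed from the lines shown in the question (203.0.113.7 is a documentation address).

```python
import re
from collections import Counter

# Postfix smtpd lines as in the question: "postfix/submission/smtpd[29389]: connect from unknown[20.229.210.160]"
SMTPD_RE = re.compile(r'postfix/(?:\w+/)?smtpd\[\d+\]: (connect|timeout after \S+|disconnect) from \S+\[([\d.]+)\]')
# iptables-save INPUT rule dropping a source, e.g. "-A INPUT -s 20.229.210.160/32 -j DROP" (the /32 is optional)
DROP_RE = re.compile(r'^-A INPUT\s+-s\s+([\d.]+)(?:/32)?(?:\s+\S+)*\s+-j\s+DROP\s*$')

def dropped_sources(iptables_dump):
    """Source IPs the INPUT chain drops, read from the *filter table of an iptables-save dump."""
    ips, in_filter = set(), False
    for line in iptables_dump.splitlines():
        if line.startswith('*'):
            in_filter = line.strip() == '*filter'
        elif in_filter:
            m = DROP_RE.match(line)
            if m:
                ips.add(m.group(1))
    return ips

def smtpd_events(maillog):
    """Counter keyed by (client_ip, event) where event is connect/timeout/disconnect."""
    events = Counter()
    for line in maillog.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            events[(m.group(2), m.group(1).split()[0])] += 1
    return events

def leaking_clients(maillog, iptables_dump):
    """{ip: connects} for IPs the dump says are dropped but that still reached smtpd."""
    dropped = dropped_sources(iptables_dump)
    return {ip: n for (ip, ev), n in smtpd_events(maillog).items()
            if ev == 'connect' and ip in dropped}

# Constructed sample input modelled on the question's log; 203.0.113.7 is a documentation address.
SAMPLE_LOG = """\
Jun 10 19:21:54 fla postfix/submission/smtpd[29389]: connect from unknown[20.229.210.160]
Jun 10 19:22:07 fla postfix/submission/smtpd[29551]: timeout after STARTTLS from unknown[20.229.210.160]
Jun 10 19:22:07 fla postfix/submission/smtpd[29551]: disconnect from unknown[20.229.210.160]
Jun 10 19:30:00 fla postfix/smtpd[29600]: connect from unknown[203.0.113.7]
"""
SAMPLE_RULES = """\
*filter
-A INPUT -s 20.229.210.160/32 -j DROP
-A INPUT -p tcp -m tcp -m state --dport 25 --state NEW -j ACCEPT
COMMIT
"""
if __name__ == '__main__':
    print(leaking_clients(SAMPLE_LOG, SAMPLE_RULES))  # {'20.229.210.160': 1}
```

On the real host, feed it the output of `iptables-save` (the live ruleset) rather than the saved file, and only log lines newer than the moment the rule was added; an empty result means the rule is doing its job and the remaining bounces are older.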

Answer 1

  1. You have configured a Milter but do not make sure it is running and reachable; Postfix complains that it cannot connect: connect to Milter service inet:127.0.0.1:8891: Connection refused. This could also be a mistake in your firewall configuration, because the connection to the Milter has to pass through packet filtering as well.

  2. You have not set up rules to restrict who can reach your submission service. This is probably because you mistakenly restricted access only to the first SMTP port (25) and missed the other ports on which you are exposing other SMTP services (most likely 465 and/or 587).

  3. You have chosen to receive error notifications in the postmaster mailbox, but you seem to be focusing on the contact attempts. I would not worry so much about somebody connecting (and usually, they would be denied service for not being authorized) as I would worry that the attempt happened to be the occasion for Postfix to notice a configuration problem. This may be a separate problem (from 1.) in the Postfix configuration, which Postfix may have logged at startup. Restart Postfix and read the logs.

Answer 2

A lot of time has passed, and although I tried to provide the information that was asked for, nobody except user anx seemed to think my question was worth helping with. I wish whoever gave it a -1 had had the decency to explain why, but that no longer matters now.

The problem of a few hundred bounces every so often kept happening, and today I ran into someone whose fingers I would gladly chop off (their IP is 20.168.57.26) who tried to use my server as a relay a number of times, which caused me some other problems, so I forced the issue by removing the postmaster account from the system.
