Postfix ignores -o settings in master.cf


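I am configuring a Postfix with three services in master.cf. So far I have learned from @anx (many thanks!) that smtpd-based services in master.cf do not understand transport-related options. Only trivial-rewrite-based services support transport options, so you need to create a custom trivial-rewrite service, which can then be bound to the smtpd-based service with the option rewrite_service_name: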

smtp    inet    n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtp-in
  -o content_filter=
  -o mynetworks=/etc/postfix/exo_networks
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_recipient_restrictions=reject_non_fqdn_sender,permit_mynetworks,reject
  -o smtp_tls_security_level=encrypt
  -o smtp_tls_mandatory_protocols=>=TLSv1.2
  -o smtp_tls_mandatory_ciphers=high
  -o rewrite_service_name=smtp-in-rewrite

submission      inet    n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o content_filter=
  -o smtp_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_tls_security_options=noanonymous
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o rewrite_service_name=submission-rewrite

2525    inet    n       -       n       -       100     smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8,10.10.10.0/24,10.10.20.0/24
  -o smtpd_relay_restrictions=
  -o rewrite_service_name=smtp-dmz-rewrite

smtp-in-rewrite   unix  -       -       y       -       -       trivial-rewrite
[...]

submission-rewrite    unix  -       -       y       -       -       trivial-rewrite
  -o syslog_name=postfix/submission-rewrite
# default_transport was a mistake, should be transport_maps
#  -o default_transport=hash:/etc/postfix/transport_to_exo_domains
  -o transport_maps=hash:/etc/postfix/transport_to_exo_domains
  -o sender_dependent_relayhost_maps=hash:/etc/postfix/transport_to_senders_relay
  -o relayhost=[3.3.3.1]

smtp-dmz-rewrite   unix  -       -       y       -       -       trivial-rewrite
[...]

In main.cf I added a general relayhost to check whether overriding it in master.cf works properly:

relayhost=[4.4.4.1]
# /etc/postfix/transport_to_exo_domains
mydomain.com        relay:[1.1.1.1]
@mydomain.com        relay:[1.1.1.2]
*       relay:[1.1.1.3]
# /etc/postfix/transport_to_senders_relay
@mydomain.com       relay:[2.2.2.1]
mydomain.com relay:[2.2.2.2]
*       relay:[2.2.2.3]

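If I send an email ([email protected], [email protected]) through the transport service, I expect the transport rewrite service to find a match in transport_to_exo_domains and therefore return 1.1.1.1 or 1.1.1.2 as the next hop. That works (now, thanks to @anx). But right before the finish line, smtp jumps in and sends the email to the main.cf relayhost 4.4.4.1 instead of using the rewritten next hop 1.1.1.1. Why does this happen, and how can I reliably override the relayhost from main.cf? As far as I read the documentation of the smtp command, it does not support the relayhost option, so creating a custom smtp service will not work.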

Jul  7 23:49:38 localhost postfix/submission/smtpd[100828]: warning: dict_nis_init: NIS domain name not set - NIS lookups disabled
Jul  7 23:49:38 localhost postfix/submission/smtpd[100828]: connect from me.dynamic.kabel-deutschland.de[188.194.X.Y]
Jul  7 23:49:38 localhost postfix/submission/smtpd[100828]: Anonymous TLS connection established from me.dynamic.kabel-deutschland.de[188.194.X.Y]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384
Jul  7 23:49:40 localhost postfix/trivial-rewrite[100833]: name_mask: ipv4
Jul  7 23:49:40 localhost postfix/trivial-rewrite[100833]: inet_addr_local: configured 2 IPv4 addresses
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: process generation: 7 (7)
[...]
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: dict_open: hash:/etc/postfix/transport_to_exo_domains
[...]
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: dict_open: hash:/etc/postfix/transport_to_senders_relay
[...]
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: match_list_match: transport_maps: no match
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: maps_find: transport_maps: hash:/etc/postfix/transport_to_exo_domains(0,lock|no_regsub|fold_fix|utf8_request): * = relay:[1.1.1.3]
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: wildcard_{chan:hop}={relay:[1.1.1.3]}
[...]
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: maps_find: address_verify_transport_maps: hash:/etc/postfix/transport_to_exo_domains(0,lock|no_regsub|fold_fix|utf8_request): * = relay:[1.1.1.3]
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: wildcard_{chan:hop}={relay:[1.1.1.3]}
[...]
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: submission-rewrite socket: wanted attribute: address
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: input attribute name: address
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: input attribute value: [email protected]
[...]
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: send attr address = [email protected]
[...]
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: submission-rewrite socket: wanted attribute: sender
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: input attribute name: sender
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: input attribute value: (end)
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: submission-rewrite socket: wanted attribute: address
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: input attribute name: address
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: input attribute value: [email protected]
[...]
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: match_list_match: mydomain.com: no match
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: maps_find: sender_dependent_relayhost_maps: "<>": not found
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: maps_find: sender_dependent_relayhost_maps: <>: not found
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: mail_addr_find: <> -> (not found)
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: maps_find: transport_maps: [email protected]: not found
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: maps_find: transport_maps: hash:/etc/postfix/transport_to_exo_domains(0,lock|no_regsub|fold_fix|utf8_request): mydomain.com = relay:[1.1.1.1]
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: mail_addr_find: [email protected] -> relay:[1.1.1.1]
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: `' -> `[email protected]' -> (`relay' `[1.1.1.1]' `[email protected]' `4096')
[...]
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: send attr transport = relay
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: send attr nexthop = [1.1.1.1]
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: send attr recipient = [email protected]
[...]
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: submission-rewrite socket: wanted attribute: address
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: input attribute name: address
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: input attribute value: double-bounce
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: submission-rewrite socket: wanted attribute: (list terminator)
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: input attribute name: (end)
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: `local' `double-bounce' -> `[email protected]'
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: send attr flags = 0
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: send attr address = [email protected]
[...]
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: submission-rewrite socket: wanted attribute: address
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: input attribute name: address
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: input attribute value: [email protected]
[...]
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: `local' `[email protected]' -> `[email protected]'
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: send attr flags = 0
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: send attr address = [email protected]
[...]
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: submission-rewrite socket: wanted attribute: sender
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: input attribute name: sender
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: input attribute value: [email protected]
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: submission-rewrite socket: wanted attribute: address
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: input attribute name: address
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: input attribute value: [email protected]
[...]
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: maps_find: sender_dependent_relayhost_maps: [email protected]: not found
[...]
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: match_list_match: mydomain.com: no match
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: maps_find: sender_dependent_relayhost_maps: hash:/etc/postfix/transport_to_senders_relay(0,lock|no_regsub|fold_fix|utf8_request): @mydomain.com = relay:[2.2.2.1]
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: mail_addr_find: [email protected] -> relay:[2.2.2.1]
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: maps_find: transport_maps: [email protected]: not found
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: maps_find: transport_maps: hash:/etc/postfix/transport_to_exo_domains(0,lock|no_regsub|fold_fix|utf8_request): mydomain.com = relay:[1.1.1.1]
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: mail_addr_find: [email protected] -> relay:[1.1.1.1]
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: `[email protected]' -> `[email protected]' -> (`relay' `[1.1.1.1]' `[email protected]' `4096')
[...]
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: send attr transport = relay
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: send attr nexthop = [1.1.1.1]
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: send attr recipient = [email protected]
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: send attr flags = 4096
Jul  7 23:49:40 localhost postfix/submission-rewrite/trivial-rewrite[100833]: master_notify: status 1
Jul  7 23:49:40 localhost postfix/submission/smtpd[100828]: 640A34A99A: client=me.dynamic.kabel-deutschland.de[188.194.X.Y], sasl_method=PLAIN, [email protected]
Jul  7 23:49:40 localhost postfix/cleanup[100834]: 640A34A99A: message-id=<[email protected]>
Jul  7 23:49:40 localhost postfix/qmgr[100822]: 640A34A99A: from=<[email protected]>, size=860, nrcpt=1 (queue active)
Jul  7 23:49:40 localhost postfix/submission/smtpd[100828]: disconnect from me.dynamic.kabel-deutschland.de[188.194.X.Y] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
Jul  7 23:49:45 localhost postfix/submission-rewrite/trivial-rewrite[100833]: connection closed fd 128
#
# So far everything looks promising now, but then smtp uses the default relayhost from main.cf instead of the correct next hop 1.1.1.1
#
Jul  7 23:50:10 localhost postfix/smtp[100836]: connect to 4.4.4.1[4.4.4.1]:25: Connection timed out
Jul  7 23:50:10 localhost postfix/smtp[100836]: 640A34A99A: to=<[email protected]>, relay=none, delay=30, delays=0.14/0.01/30/0, dsn=4.4.1, status=deferred (connect to 4.4.4.1[4.4.4.1]:25: Connection timed out)
Jul  7 23:51:25 localhost postfix/submission-rewrite/trivial-rewrite[100833]: idle timeout -- exiting
Jul  7 23:53:00 localhost postfix/anvil[100831]: statistics: max connection rate 1/60s for (submission:188.194.X.Y) at Jul  7 23:49:38
Jul  7 23:53:00 localhost postfix/anvil[100831]: statistics: max connection count 1 for (submission:188.194.X.Y) at Jul  7 23:49:38
Jul  7 23:53:00 localhost postfix/anvil[100831]: statistics: max cache size 1 at Jul  7 23:49:38
Jul  7 23:59:04 localhost postfix/qmgr[100822]: 640A34A99A: from=<[email protected]>, size=860, nrcpt=1 (queue active)
Jul  7 23:59:34 localhost postfix/smtp[100852]: connect to 4.4.4.1[4.4.4.1]:25: Connection timed out
Jul  7 23:59:34 localhost postfix/smtp[100852]: 640A34A99A: to=<[email protected]>, relay=none, delay=595, delays=564/0.01/30/0, dsn=4.4.1, status=deferred (connect to 4.4.4.1[4.4.4.1]:25: Connection timed out)

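Once it is up and running, we will deploy further changes through a git-Ansible process and will have four-person maintenance to avoid configuration mistakes. We have not yet decided on all monitoring metrics, loop detection and bounce direction.

Thank you!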

Answer 1

If you want to override global defaults in master.cf, you have to specify the options for the service that actually processes them.

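See the manuals of the individual services to find out which options apply to which service; in this case the trivial-rewrite manual tells us that the sender_dependent_default_transport_maps and relayhost features are handled there.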

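Your smtpd service is ignoring your options, just as it would ignore any other global option that does not apply to the smtpd service: it is talking to a separate service, which is started but without those options. Try the following modification: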

# instead of overriding options for the smtpd service, reference a customized variant of the service
[.. ] smtpd
 -o [..]
 -o rewrite_service_name=local-custom-rewrite
# duplicate this service ..
rewrite unix - - y - - trivial-rewrite
# .. under a new name and add your options there
local-custom-rewrite unix - - y - - trivial-rewrite
  -o sender_dependent_default_transport_maps=/etc/postfix/relay_transport_out
[..]

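If you search for examples of overriding cleanup service options, you will find more configurations of this kind, which use cleanup_service_name for cases where you want to override service options for a specific smtpd instance.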


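Postfix services also accept the option -v (or several, to further increase verbosity); add it (like the -o options; at least for smtpd and trivial-rewrite) to see the rewrite/resolve results obtained.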

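I recommend adding options like -o syslog_name=postfix/submission to services that are started in multiple variants, otherwise it is hard to tell from the logs which one emitted a given log line.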


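If you suspect a problem with a lookup, test it in isolation from the whole Postfix service configuration by calling postmap -q "[email protected]" hash:/etc/postfix/transport_to_senders_relay (see the table search order paragraph in man 5 transport for the queries to try).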

input attribute name: transport input attribute value: hash

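I am not entirely sure I understand how you want the end result to behave, but you need to pass transport:nexthop (or just transport:) to the _transport parameters, and type:table lookups to the *_maps parameters. I understand the log line to be the result of a type confusion: you must have tried to specify a lookup where a direct transport specification is required.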
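A lint for the situation this answer describes, as an added example that is not part of the original answer or of Postfix: it parses master.cf and reports -o overrides attached to a daemon that does not consume them. The ownership table is a partial, hand-written assumption (the trivial-rewrite parameters named on this page plus the smtp_/smtpd_ prefix convention), and the sample input is constructed from the question's submission service.

```python
# Added example: lint master.cf for -o overrides attached to the wrong daemon.
# OWNERS is a partial, hand-written table (assumption), not Postfix's own data.
OWNERS = {name: "trivial-rewrite" for name in (
    "transport_maps", "relayhost", "default_transport",
    "sender_dependent_relayhost_maps",
    "sender_dependent_default_transport_maps")}
PREFIXES = (("smtpd_", "smtpd"), ("smtp_", "smtp"))  # parameter naming convention

# Constructed sample modelled on the question's submission service.
SAMPLE = """\
submission      inet    n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtp_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o relayhost=[3.3.3.1]
  -o rewrite_service_name=submission-rewrite
submission-rewrite    unix  -       -       y       -       -       trivial-rewrite
  -o transport_maps=hash:/etc/postfix/transport_to_exo_domains
  -o relayhost=[3.3.3.1]
"""

def parse_master(text):
    """Return [(service, daemon, {param: value})], joining continuation lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and entries:   # leading whitespace continues an entry
            entries[-1][2].extend(line.split())
        elif len(line.split()) >= 8:        # seven columns, then the command
            f = line.split()
            entries.append((f[0], f[7], f[8:]))
    return [(s, d, dict(a.split("=", 1) for flag, a in zip(args, args[1:])
                        if flag == "-o" and "=" in a)) for s, d, args in entries]

def owner(param):
    """Daemon expected to consume param, or None when the table does not know."""
    if param in OWNERS:
        return OWNERS[param]
    return next((d for p, d in PREFIXES if param.startswith(p)), None)

def lint(text):
    """List (service, daemon, param, expected_daemon) for misplaced overrides."""
    return [(s, d, k, owner(k)) for s, d, opts in parse_master(text)
            for k in opts if owner(k) not in (None, d)]

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print("%s (%s): -o %s is consumed by %s, not here" % finding)
```

Run against the question's master.cf, the same check flags `-o smtp_tls_security_level=encrypt` on the smtpd listeners: that is the SMTP client parameter, and the server-side setting is smtpd_tls_security_level.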
