I'm trying to solve a problem on my VPS, maybe you can help me :D
Long story short: this is my first time working on a bare-metal VPS, and I'm trying to set up a mail server.
After a few attempts I managed to get the services set up, but I can only send e-mail between the two domains and from those domains to external mailboxes; I cannot receive. (Domain 1 and domain 2 are managed on the VPS.)
- Mail from domain 1 to domain 2 - OK
- Mail from domain 2 to domain 1 - OK
- Mail from either of the two domains to another mailbox (e.g. [email protected]) - OK
- Mail from an external domain (e.g. [email protected]) to domain 1 or domain 2 - 554 5.7.1 Relay access denied
So far I have understood (I think that's it) that there is a problem with SASL auth, but I don't know how to fix it.
I'm running Ubuntu 22.04 with Plesk (Postfix and Dovecot as mail services); the relay option in the Plesk mail server settings is set to authentication via SMTP.
Attached are the config files (I haven't changed anything).
/etc/postfix/main.cf
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
# fresh installs.
compatibility_level = 3.6
# TLS parameters
smtpd_tls_cert_file = /etc/postfix/postfix.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
myhostname = vps-1032f104.vps.ovh.net
alias_maps = hash:/etc/aliases, hash:/var/spool/postfix/plesk/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost.vps.ovh.net, localhost, localhost.localdomain
relayhost =
mynetworks =
mailbox_size_limit = 0
recipient_delimiter =
inet_interfaces = all
inet_protocols = all
virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_mailbox_maps = , hash:/var/spool/postfix/plesk/vmailbox
transport_maps = , hash:/var/spool/postfix/plesk/transport
tls_server_sni_maps = hash:/var/spool/postfix/plesk/certs
smtpd_use_tls = yes
smtp_use_tls = no
disable_vrfy_command = yes
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
authorized_flush_users =
authorized_mailq_users =
smtp_send_xforward_command = yes
smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128
smtpd_sasl_auth_enable = yes
#smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
virtual_mailbox_base = /var/qmail/mailnames
virtual_uid_maps = static:30
virtual_gid_maps = static:31
smtpd_milters = , inet:127.0.0.1:12768
sender_dependent_default_transport_maps = hash:/var/spool/postfix/plesk/sdd_transport_maps
virtual_transport = plesk_virtual
plesk_virtual_destination_recipient_limit = 1
mailman_destination_recipient_limit = 1
message_size_limit = 10240000
virtual_mailbox_limit = 0
smtputf8_enable = no
recipient_canonical_maps = tcp:127.0.0.1:12346
recipient_canonical_classes = envelope_recipient,header_recipient
tls_preempt_cipherlist = yes
tls_medium_cipherlist = EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:CHACHA20:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!KRB5:!aECDH:!kDH
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_protocols = TLSv1.2 TLSv1.3
smtpd_tls_dh1024_param_file = /opt/psa/etc/dhparams2048.pem
smtpd_tls_mandatory_protocols = TLSv1.2 TLSv1.3
smtpd_tls_ciphers = medium
/etc/postfix/master.cf
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
smtp inet n - y - - smtpd
#smtp inet n - y - 1 postscreen
#smtpd pass - - y - - smtpd
#dnsblog unix - - y - 0 dnsblog
#tlsproxy unix - - y - 0 tlsproxy
# Choose one: enable submission for loopback clients only, or for any client.
#127.0.0.1:submission inet n - y - - smtpd
#submission inet n - y - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_tls_auth_only=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
# Choose one: enable smtps for loopback clients only, or for any client.
#127.0.0.1:smtps inet n - y - - smtpd
#smtps inet n - y - - smtpd
# -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - y - - qmqpd
cleanup unix n - y - 0 cleanup
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
-o syslog_name=postfix/$service_name
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
postlog unix-dgram n - n - 1 postlogd
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe flags=R user=list:list argv=/usr/lib/plesk-9.0/postfix-mailman ${nexthop} ${user} ${recipient}
plesk_virtual unix - n n - - pipe flags=DORhu user=popuser:popuser argv=/usr/lib/plesk-9.0/postfix-local -f ${sender} -d ${recipient} -p /var/qmail/mailnames -q ${queue_id}
127.0.0.1:12346 inet n n n - - spawn user=popuser:popuser argv=/usr/lib/plesk-9.0/postfix-srs
pickup fifo n - y 60 1 pickup
qmgr fifo n - n 1 1 qmgr
smtps inet n - y - - smtpd -o smtpd_tls_wrappermode=yes
submission inet n - y - - smtpd -o smtpd_enforce_tls=yes -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
plesk_saslauthd unix y y y - 1 plesk_saslauthd status=5 listen=6 dbpath=/plesk/passwd.db
plesk-51.83.43.67- unix - - n - - smtp -o smtp_bind_address=51.83.43.67 -o smtp_bind_address6= -o smtp_address_preference=ipv4
/var/log/maillog (for the last test mail I just sent)
Sep 8 11:21:48 vps-1032f104 postfix/smtpd[1535575]: warning: hostname annoying.medyamol.com does not resolve to address 141.98.11.113: Name or service not known
Sep 8 11:21:48 vps-1032f104 postfix/smtpd[1535575]: connect from unknown[141.98.11.113]
Sep 8 11:21:49 vps-1032f104 plesk_saslauthd[1535682]: listen=6, status=5, dbpath='/plesk/passwd.db', keypath='/plesk/passwd_db_key', chroot=1, unprivileged=1
Sep 8 11:21:49 vps-1032f104 plesk_saslauthd[1535682]: privileges set to (113:122) (effective 113:122)
Sep 8 11:21:49 vps-1032f104 plesk_saslauthd[1535682]: failed mail authentication attempt for user 'admin' (password len=11)
Sep 8 11:21:49 vps-1032f104 postfix/smtpd[1535575]: warning: unknown[141.98.11.113]: SASL LOGIN authentication failed: authentication failure
Sep 8 11:21:50 vps-1032f104 postfix/smtpd[1535575]: disconnect from unknown[141.98.11.113] ehlo=1 auth=0/1 quit=1 commands=2/3
postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases, hash:/var/spool/postfix/plesk/aliases
append_dot_mydomain = no
authorized_flush_users =
authorized_mailq_users =
biff = no
compatibility_level = 3.6
disable_vrfy_command = yes
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
mailman_destination_recipient_limit = 1
message_size_limit = 10240000
mydestination = localhost.vps.ovh.net, localhost, localhost.localdomain
myhostname = vps-1032f104.vps.ovh.net
mynetworks =
myorigin = /etc/mailname
plesk_virtual_destination_recipient_limit = 1
readme_directory = no
recipient_canonical_classes = envelope_recipient,header_recipient
recipient_canonical_maps = tcp:127.0.0.1:12346
recipient_delimiter =
relayhost =
sender_dependent_default_transport_maps = hash:/var/spool/postfix/plesk/sdd_transport_maps
smtp_send_xforward_command = yes
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = no
smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_milters = , inet:127.0.0.1:12768
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated
smtpd_tls_cert_file = /etc/postfix/postfix.pem
smtpd_tls_ciphers = medium
smtpd_tls_dh1024_param_file = /opt/psa/etc/dhparams2048.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = TLSv1.2 TLSv1.3
smtpd_tls_protocols = TLSv1.2 TLSv1.3
smtpd_tls_security_level = may
smtpd_use_tls = yes
smtputf8_enable = no
tls_medium_cipherlist = EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:CHACHA20:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!KRB5:!aECDH:!kDH
tls_preempt_cipherlist = yes
tls_server_sni_maps = hash:/var/spool/postfix/plesk/certs
transport_maps = , hash:/var/spool/postfix/plesk/transport
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_gid_maps = static:31
virtual_mailbox_base = /var/qmail/mailnames
virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains
virtual_mailbox_limit = 0
virtual_mailbox_maps = , hash:/var/spool/postfix/plesk/vmailbox
virtual_transport = plesk_virtual
virtual_uid_maps = static:30
SASL status
● saslauthd.service - LSB: saslauthd startup script
Loaded: loaded (/etc/init.d/saslauthd; generated)
Active: active (exited) since Thu 2022-09-08 09:35:31 UTC; 1h 42min ago
Docs: man:systemd-sysv-generator(8)
CPU: 23ms
Sep 08 09:35:31 vps-1032f104 systemd[1]: Starting LSB: saslauthd startup script>
Sep 08 09:35:31 vps-1032f104 saslauthd[1530583]: * To enable saslauthd, edit />
Sep 08 09:35:31 vps-1032f104 systemd[1]: Started LSB: saslauthd startup script.
Are these configurations correct?
I'm just a front-end developer stepping into the world of servers, please help me through this :D
Thanks!
---- UPDATE ----
postconf -d | grep restrictions gives me this:
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps $alias_maps $smtpd_client_restrictions $smtpd_helo_restrictions $smtpd_sender_restrictions $smtpd_relay_restrictions $smtpd_recipient_restrictions $address_verify_sender_dependent_default_transport_maps $address_verify_sender_dependent_relayhost_maps $address_verify_transport_maps $fallback_transport_maps $lmtp_discard_lhlo_keyword_address_maps $lmtp_pix_workaround_maps $lmtp_sasl_password_maps $lmtp_tls_policy_maps $mailbox_command_maps $mailbox_transport_maps $postscreen_discard_ehlo_keyword_address_maps $rbl_reply_maps $sender_dependent_default_transport_maps $sender_dependent_relayhost_maps $smtp_discard_ehlo_keyword_address_maps $smtp_pix_workaround_maps $smtp_sasl_password_maps $smtp_tls_policy_maps $smtpd_discard_ehlo_keyword_address_maps $smtpd_milter_maps $virtual_gid_maps $virtual_uid_maps $local_login_sender_maps $postscreen_reject_footer_maps $smtpd_reject_footer_maps $tls_server_sni_maps
smtpd_client_restrictions =
smtpd_data_restrictions =
smtpd_end_of_data_restrictions =
smtpd_etrn_restrictions =
smtpd_helo_restrictions =
smtpd_recipient_restrictions =
smtpd_relay_before_recipient_restrictions = ${{$compatibility_level} <level {3.6} ? {no} : {yes}}
smtpd_relay_restrictions = ${{$compatibility_level} <level {1} ? {} : {permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination}}
smtpd_sender_restrictions =
Is it possible that some other directive is overriding the restrictions?
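Added example (not from the question or from Plesk): a small triage script for Postfix smtpd log lines in the format of the /var/log/maillog excerpt above. The sample lines are constructed: the first five follow the excerpt (an unresolvable client fails SASL LOGIN; `auth=0/1` in the disconnect summary means 0 successful AUTH commands out of 1 attempted), with hostnames and addresses replaced by documentation ranges, and the last line is what Postfix logs when it rejects an inbound message with 554 5.7.1 Relay access denied. The function names, the `hosted_domains` argument and the domain names are assumptions made for the example.

```python
"""Triage Postfix smtpd log lines: failed SASL logins versus relay rejections."""
import re
from collections import Counter

# Constructed sample in the format of the maillog excerpt from the question.
SAMPLE_LOG = """\
Sep  8 11:21:48 vps postfix/smtpd[1535575]: warning: hostname annoying.example.net does not resolve to address 198.51.100.113: Name or service not known
Sep  8 11:21:48 vps postfix/smtpd[1535575]: connect from unknown[198.51.100.113]
Sep  8 11:21:49 vps plesk_saslauthd[1535682]: failed mail authentication attempt for user 'admin' (password len=11)
Sep  8 11:21:49 vps postfix/smtpd[1535575]: warning: unknown[198.51.100.113]: SASL LOGIN authentication failed: authentication failure
Sep  8 11:21:50 vps postfix/smtpd[1535575]: disconnect from unknown[198.51.100.113] ehlo=1 auth=0/1 quit=1 commands=2/3
Sep  8 11:30:02 vps postfix/smtpd[1535600]: NOQUEUE: reject: RCPT from mail.example.org[203.0.113.25]: 554 5.7.1 <user@domain1.example>: Relay access denied; from=<sender@example.org> to=<user@domain1.example> proto=ESMTP helo=<mail.example.org>
"""

# "name[address]" as Postfix prints the client; group 1 is the address.
_CLIENT = r"[^\s\[]+\[([^\]]+)\]"
SASL_FAIL = re.compile(r"smtpd\[\d+\]: warning: " + _CLIENT + r": SASL (\w+) authentication failed")
DISCONNECT = re.compile(r"smtpd\[\d+\]: disconnect from " + _CLIENT + r".*\bauth=(\d+)/(\d+)")
RELAY_DENIED = re.compile(
    r"NOQUEUE: reject: RCPT from " + _CLIENT
    + r": (\d{3}) (\S+) <([^>]*)>: Relay access denied; from=<([^>]*)> to=<([^>]*)>"
)


def triage(log_text):
    """Summarise smtpd activity per client: failed AUTHs, AUTH counters, relay rejections."""
    report = {
        "sasl_failures": Counter(),  # client address -> failed SASL attempts
        "auth_commands": {},         # client address -> (successful, attempted) AUTH commands
        "relay_denied": [],          # one dict per rejected RCPT TO
    }
    for line in log_text.splitlines():
        m = SASL_FAIL.search(line)
        if m:
            report["sasl_failures"][m.group(1)] += 1
            continue
        m = DISCONNECT.search(line)
        if m:
            report["auth_commands"][m.group(1)] = (int(m.group(2)), int(m.group(3)))
            continue
        m = RELAY_DENIED.search(line)
        if m:
            client, code, enhanced, rcpt, sender, _to = m.groups()
            report["relay_denied"].append({
                "client": client, "code": code, "enhanced": enhanced,
                "recipient": rcpt, "sender": sender,
            })
    return report


def bruteforce_candidates(report, threshold=1):
    """Clients with at least `threshold` failed SASL logins (input for fail2ban or a firewall rule)."""
    return sorted(ip for ip, n in report["sasl_failures"].items() if n >= threshold)


def hosted_domain_rejections(report, hosted_domains):
    """Relay rejections whose recipient domain the operator believes this server hosts.

    Postfix accepts an unauthenticated recipient only when its domain is listed in
    mydestination, virtual_mailbox_domains, virtual_alias_domains or relay_domains;
    a "Relay access denied" for a hosted domain means it is in none of them.
    """
    hosted = {d.lower() for d in hosted_domains}
    return [r for r in report["relay_denied"]
            if r["recipient"].rpartition("@")[2].lower() in hosted]


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    print("failed SASL logins per client:", dict(rep["sasl_failures"]))
    print("AUTH ok/attempted per client:", rep["auth_commands"])
    for r in hosted_domain_rejections(rep, {"domain1.example", "domain2.example"}):
        print(f"hosted recipient {r['recipient']} rejected {r['code']} {r['enhanced']} from {r['client']}")
```

Run it against the real file with `triage(open("/var/log/maillog").read())`; the SASL failure counter is the part worth feeding into fail2ban, and `hosted_domain_rejections` tells you whether a 554 was for a domain you think you host, which is a configuration problem rather than a rejection of a genuine relay attempt.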
Answer 1
The problem is not SASL authentication. For a basic mail server setup that can send and receive mail using local mail clients (local == running on the server itself, e.g. mutt or some webmail), you don't need SASL authentication at all. SASL authentication is for mail submission by remote mail clients that connect via SMTP to the submission port. At the moment the submission service is disabled in your master.cf, so SASL authentication is of no use to you.
The reason you get the error message is that you have not defined the domains (domain 1 and domain 2) as local to the mail server. The mail server needs to know which domains it should handle mail for. There is something wrong with your virtual_mailbox_domains or virtual_mailbox_maps parameter (or both). Since you have not provided the contents of the files referenced in those parameters, I can't say exactly what the problem is, but the comma at the beginning of the virtual_mailbox_maps parameter looks suspicious to me. It should be removed. However, that is not necessarily the actual problem.
What actually happens is that the server does not know that domain 1 and domain 2 are its local domains and treats them as external domains. So it assumes that an external sender (from blabla.com) wants to send mail through your mail server to an external domain, which is called relaying and is normally forbidden by mail server configuration (unless you send from a trusted client that is intended to use this server for mail submission).
Please read very carefully the description of these two parameters here: http://www.postfix.org/postconf.5.html#virtual_mailbox_domains and correct the values of these parameters and/or the contents of the files they reference according to that description.
Besides this, I see other problems with your configuration files. In general, the configuration is too long and too complicated, and probably contains a lot of features you don't need at all (at least not in the beginning). I guess they were added by Plesk. I don't like using any automated tool to configure a mail server. You should use automated tools only after you are able to configure the server manually and can verify that the tool generates only the configuration statements that are actually needed, rather than some random junk (which is usually the case).
One should always start with the simplest (manually created) configuration that gives a working service, and only then gradually add enhancements.
You use transport_maps and sender_dependent_default_transport_maps. Transport maps are an advanced feature, normally used in fairly complex mail server setups where you need to send mail to different domains via different specific methods to different servers. In simple mail server setups they are usually completely unnecessary. I don't know what the contents of the files referenced in these two parameters are, so it is hard for me to determine whether and how they are actually used, but this seems to be one of the places where your setup is over-complicated. By the way, transport_maps also has an unnecessary comma at the beginning, which I recommend removing.
Another advanced feature you use is a milter defined in smtpd_milters (this parameter also has an unnecessary comma at the beginning, please remove it) and an address canonicalization service defined in recipient_canonical_maps - the latter is a fairly advanced feature. What are these services doing?
You use both smtp_tls_security_level and smtp_use_tls. Both parameters refer to the same functionality, so only one of them is needed. Moreover, you use contradictory values here: smtp_tls_security_level tells the server to use TLS on outgoing connections, and smtp_use_tls tells it not to. smtp_use_tls is obsolete and deprecated; use only smtp_tls_security_level. The same applies to smtpd_tls_security_level and smtpd_use_tls, which control incoming connections (only here you use consistent values for both). Use only the first one.
Don't use SASL authentication on the regular mail server port (remove the line smtpd_sasl_auth_enable = yes or change it to no). It should be enabled explicitly only on the submission port (which you have not enabled in master.cf). Also, if you plan to use SASL authentication, you should probably define which authenticator service to use (with smtpd_sasl_type and smtpd_sasl_path).
Also, unless you really know what you are doing and have a real reason, it is not recommended to mess with the default TLS parameter settings. In particular, requiring that both incoming and outgoing connections use only the TLSv1.2 and TLSv1.3 protocols may lead to a fallback to sending mail completely unencrypted. Remove smtpd_tls_mandatory_ciphers, smtpd_tls_mandatory_protocols, smtpd_tls_protocols, tls_medium_cipherlist and tls_preempt_cipherlist and let Postfix use its defaults. They are reasonable. smtp_tls_session_cache_database is also not recommended in current versions of Postfix.
But the main thing you need to fix is virtual_mailbox_domains and/or virtual_mailbox_maps, because that is why you get the error.
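Added example, not code from the answer, from Postfix or from Plesk: a linter that reads a main.cf and applies the checks the answer makes (stray leading commas in list parameters, the obsolete *_use_tls parameters set alongside *_tls_security_level, smtpd_sasl_auth_enable = yes for the port-25 smtpd), plus one the answer does not mention: an smtpd_relay_restrictions value that never rejects unauthorized destinations, which would make the server an open relay. The sample configuration is the relevant lines copied from the question's main.cf; `parse_main_cf`, `expand`, `lint` and the list of parameters checked are names and choices made for this example.

```python
"""Lint a Postfix main.cf for stray list commas, obsolete TLS knobs, port-25 AUTH, open relay."""
import re

# Constructed excerpt: the relevant lines from the question's main.cf.
SAMPLE_MAIN_CF = """\
# TLS parameters
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
mynetworks =
virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains
virtual_mailbox_maps = , hash:/var/spool/postfix/plesk/vmailbox
transport_maps = , hash:/var/spool/postfix/plesk/transport
smtpd_use_tls = yes
smtp_use_tls = no
smtpd_sasl_auth_enable = yes
smtpd_milters = , inet:127.0.0.1:12768
"""

# List-valued parameters where an empty element (leading comma) is worth flagging.
LIST_PARAMS = ("virtual_mailbox_maps", "virtual_alias_maps", "virtual_mailbox_domains",
               "transport_maps", "smtpd_milters", "alias_maps", "mydestination")


def parse_main_cf(text):
    """Return {name: raw value}. Later assignments override earlier ones, as in Postfix;
    lines starting with '#' are comments and lines starting with whitespace continue
    the previous value."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue  # not a parameter assignment
        current = name.strip()
        params[current] = value.strip()
    return params


def expand(value, params, depth=0):
    """Expand $name and ${name} references recursively (no ${name?value} conditionals)."""
    if depth > 10:
        return value
    return re.sub(r"\$\{(\w+)\}|\$(\w+)",
                  lambda m: expand(params.get(m.group(1) or m.group(2), ""), params, depth + 1),
                  value)


def empty_elements(value):
    """True when a non-empty list value contains an empty element (", x" or "x,,y")."""
    return bool(value.strip()) and any(not e.strip() for e in value.split(","))


def lint(params):
    """Return human-readable findings for the parsed main.cf."""
    findings = []
    for name in LIST_PARAMS:
        if name in params and empty_elements(params[name]):
            findings.append(f"{name}: empty list element (stray comma): {params[name]!r}")
    for old, new in (("smtp_use_tls", "smtp_tls_security_level"),
                     ("smtpd_use_tls", "smtpd_tls_security_level")):
        if old in params and new in params:
            findings.append(f"{old} is obsolete and ignored when {new} is set; remove it")
    if params.get("smtpd_sasl_auth_enable", "no").lower() == "yes":
        findings.append("smtpd_sasl_auth_enable = yes in main.cf offers AUTH on port 25; "
                        "enable it per service (submission/smtps) in master.cf instead")
    if "smtpd_relay_restrictions" in params:
        words = set(filter(None, re.split(r"[,\s]+", expand(params["smtpd_relay_restrictions"], params))))
        if not words & {"reject_unauth_destination", "defer_unauth_destination", "reject"}:
            findings.append("smtpd_relay_restrictions never rejects unauthorized destinations: "
                            "open relay unless smtpd_recipient_restrictions does")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_main_cf(SAMPLE_MAIN_CF)):
        print("-", finding)
```

Point it at the live file with `lint(parse_main_cf(open("/etc/postfix/main.cf").read()))`. The checks work on the raw values, so they report the stray commas the answer points out; note that because `virtual_mailbox_domains` starts with `$virtual_mailbox_maps`, the stray comma in the latter also ends up in the former once Postfix expands it.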