我有一个使用 Postfix 的服务器,在 Docker 中运行。该服务器应该只收到电子邮件,不发送。
我添加了以下 iptables 规则来尝试阻止从端口 25 传出的任何内容:
sudo iptables -A OUTPUT -p tcp --dport 25 -j REJECT
sudo iptables -I DOCKER-USER -o eth0 -p tcp --dport 25 -j REJECT
sudo iptables -I DOCKER-USER -o docker0 -p tcp --dport 25 -j REJECT
要获得以下内容iptables -L
:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp dpt:smtp reject-with icmp-port-unreachable
Chain DOCKER (3 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.19.0.2 tcp dpt:mysql
ACCEPT tcp -- anywhere 172.19.0.4 tcp dpt:http-alt
ACCEPT tcp -- anywhere 172.19.0.5 tcp dpt:https
ACCEPT tcp -- anywhere 172.19.0.5 tcp dpt:http
ACCEPT tcp -- anywhere 172.19.0.6 tcp dpt:smtp
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp dpt:smtp reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:smtp reject-with icmp-port-unreachable
这是我的 Postfixmain.cf
文件:
compatibility_level = 3.6
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
unknown_local_recipient_reject_code = 550
debug_peer_level = 2
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /etc/postfix
readme_directory = /usr/share/doc/postfix/readme
inet_protocols = ipv4
meta_directory = /etc/postfix
shlib_directory = /usr/lib/postfix
maillog_file = /dev/stdout
myhostname = mydomainmane.com
mydomain = mydomainmane.com
mydestination = mydomainmane.com, localhost.localdomain, localhost
myorigin = $mydomain
relayhost = [mail.xxxxx.xxx]:587
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = lmdb:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
always_add_missing_headers = yes
smtp_host_lookup = native,dns
transport_maps = lmdb:/dkvolume/transport
virtual_alias_maps = proxy:mysql:/dkvolume/mysql-virtual_email2email.cf
virtual_mailbox_maps = proxy:mysql:/dkvolume/mysql-virtual_mailboxes.cf
local_recipient_maps = $virtual_mailbox_maps
local_transport = virtual
smtpd_relay_restrictions = defer_unauth_destination
default_transport = error:No outside emails
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.mydomainmane.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.mydomainmane.com/privkey.pem
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_received_header = yes
relay_domains = $mydomain
smtpd_banner = $mydomain
default_process_limit = 100
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 10
queue_minfree = 20971520
header_size_limit = 51200
message_size_limit = 2097152
smtpd_recipient_limit = 5
disable_vrfy_command = yes
smtpd_helo_required = yes
mynetworks = 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1
smtpd_client_message_rate_limit = 5
anvil_rate_time_unit = 120s
smtpd_client_recipient_rate_limit = 10
smtpd_tls_auth_only = yes
smtpd_delay_reject = yes
smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname
smtpd_error_sleep_time = 3s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
default_destination_rate_delay = 2s
smtpd_reject_unlisted_recipient = no
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_sender_domain, permit
smtpd_data_restrictions = reject_multi_recipient_bounce, reject_unauth_pipelining
smtpd_recipient_restrictions = reject_invalid_hostname, reject_unauth_pipelining, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_destination, permit_mynetworks, permit_sasl_authenticated, reject_rbl_client sbl.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net, permit
strict_rfc821_envelopes = yes
在经历了这一切之后,我仍然会收到发送到我域中的随机电子邮件地址的电子邮件,例如[email protected]
,主题为“邮件投递超时错误”、“未送达的邮件退回给发件人”或“系统退信”……
这意味着有人(主要是来自中国)正在使用我的服务器发送垃圾邮件,并且在接收过程中,其中一些垃圾邮件出现错误。
我如何才能阻止任何电子邮件离开我的服务器?我做错了什么?
答案1
Postfix 的 smtpd 访问控制仅适用于接收邮件会话。
如果您想接收邮件,它应该到达目的地。因此,如果您收到的邮件不是发往您的域名后缀,请尝试将其发送到目的地。
您不能明确拒绝 postfix 发送邮件,但您可以使用
smtpd_recipient_restrictions = permit_auth_destination, reject.
仅接收发往您的域的邮件,因此 Postfix 没有应该发送到其他地方的内容。
但是,如果使用相同的 smtpd 服务器接收来自您的用户和其他人的邮件,它也会停止接收从您的用户到其他域的邮件。
这意味着有人(主要是来自中国)正在使用我的服务器发送垃圾邮件,并且在接收过程中,其中一些垃圾邮件出现错误。
你permit
有
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_sender_domain, permit
因此,任何外部人员都可以向您的域发送邮件。替换为
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject
也可能是:
您的网络中的某些(受感染的)计算机(mynetworks = 10.0.0.0/8、172.16.0.0/12、192.168.0.0/16)发送垃圾邮件,并且您会因此被退回
互联网上有人使用您的地址作为伪造的发件人地址向他人发送垃圾邮件。当然,所有错误和回复邮件都会被退回到您的服务器。因此,您无法通过阻止发送邮件来摆脱这些欺骗邮件。
使用防火墙阻止 postfix 发送邮件通常是错误的想法 - 您可能会阻止 postfix 队列中的合法电子邮件。
但使用中继主机就可以了。
但是有这样的规则
iptables -A OUTPUT -p tcp --dport 25 -j REJECT
您有效地中断了所有的 Postfix 对话,而不仅仅是像您想象的那样发送,因为正常的客户端-服务器流量是双向的。
您应该使用状态检查来允许传入连接,但丢弃 Postfix 的传出连接,例如
iptables -A OUTPUT -p tcp --dport 25 -m state --state ESTABLISHED,RELATED -j DROP