Postfix refuses to send mail with "Relay access denied" | "generic_checks: name=reject_unauth_destination status=2"

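I am currently rolling out a Postfix/Dovecot configuration on our servers to replace our monolithic mail server.

In the test environment I set everything up and everything works fine. Now I am rolling the configuration out to 5 more servers, but unfortunately nothing works as expected here.

When I try to send an e-mail from a legitimate mail address to an external recipient (e.g. gmail), I get the following error message: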

Relay access denied
Sep 14 10:23:51 px-10042 postfix/smtpd[21569]: match_list_match: REMOVED: no match
Sep 14 10:23:51 px-10042 postfix/smtpd[21569]: generic_checks: name=permit_mynetworks status=0
Sep 14 10:23:51 px-10042 postfix/smtpd[21569]: generic_checks: name=reject_unauth_destination
Sep 14 10:23:51 px-10042 postfix/smtpd[21569]: reject_unauth_destination: [email protected]
Sep 14 10:23:51 px-10042 postfix/smtpd[21569]: permit_auth_destination: [email protected]
Sep 14 10:23:51 px-10042 postfix/smtpd[21569]: ctable_locate: leave existing entry key [email protected][email protected]
Sep 14 10:23:51 px-10042 postfix/smtpd[21569]: NOQUEUE: reject: RCPT from REMOVED[REMOVED]: 554 5.7.1 [email protected]: Relay access denied; [email protected] [email protected] proto=ESMTP helo=<[192.168.10.39]>
Sep 14 10:23:51 px-10042 postfix/smtpd[21569]: generic_checks: name=reject_unauth_destination status=2
Sep 14 10:23:51 px-10042 postfix/smtpd[21569]: >>> END Recipient address RESTRICTIONS <<<

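If I send mail to an internal address or to my own address (the one I am also sending from), it works fine.

The mail server should forward all mail it receives to one of our three Proxmox mail gateways. Likewise, incoming e-mail is only accepted by the Proxmox mail gateways. This is configured in the DNS settings and works fine in our monolithic system as well as in the first test environment.

Here is the output of postconf -n: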

append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 1h
inet_interfaces = 127.0.0.1, ::1, REMOVED
local_recipient_maps = $virtual_mailbox_maps
mailbox_size_limit = 0
maximal_backoff_time = 15m
maximal_queue_lifetime = 1h
message_size_limit = 52428800
minimal_backoff_time = 5m
mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject
mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject
mydomain = REMOVED
myhostname = REMOVED
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
queue_run_delay = 5m
recipient_delimiter = +
relayhost = [REMOVED.de]:26
smtp_dns_support_level = dnssec
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_ciphers = high
smtp_tls_mandatory_protocols = TLSv1.3 TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_protocols = TLSv1.3 TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_restrictions = permit_mynetworks check_client_access hash:/etc/postfix/without_ptr reject_unknown_client_hostname
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
smtpd_relay_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain permit_mynetworks reject_unauth_destination
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/private/px_network.crt
smtpd_tls_ciphers = high
smtpd_tls_key_file = /etc/ssl/private/px_network.key
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = TLSv1.3 TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtpd_tls_protocols = TLSv1.3 TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
tls_preempt_cipherlist = no
tls_ssl_options = NO_COMPRESSION
virtual_alias_maps = mysql:/etc/postfix/sql/aliases.cf
virtual_mailbox_domains = mysql:/etc/postfix/sql/domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/sql/accounts.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp

This is the master.cf:

###
smtp      inet  n       -       y       -       1       postscreen
    -o smtpd_sasl_auth_enable=no
###
###
smtpd     pass  -       -       y       -       -       smtpd 
###
###
dnsblog   unix  -       -       y       -       0       dnsblog
###
###
tlsproxy  unix  -       -       y       -       0       tlsproxy
###
###
submission inet n       -       y       -       -       smtpd 
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=private/auth
    -o smtpd_sasl_security_options=noanonymous
    -o smtpd_client_restrictions=$mua_client_restrictions
    -o smtpd_sender_restrictions=$mua_sender_restrictions
    -o smtpd_relay_restrictions=$mua_relay_restrictions
    -o milter_macro_daemon_name=ORIGINATING
    -o smtpd_sender_login_maps=mysql:/etc/postfix/sql/sender-login-maps.cf
    -o smtpd_helo_required=no
    -o smtpd_helo_restrictions=
    -o cleanup_service_name=submission-header-cleanup

smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_relay_restrictions=$mua_relay_restrictions
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sender_login_maps=mysql:/etc/postfix/sql/sender-login-maps.cf
  -o smtpd_helo_required=no
  -o smtpd_helo_restrictions=
  -o cleanup_service_name=submission-header-cleanup


###
###
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
###
###
submission-header-cleanup unix n - n    -       0       cleanup
    -o header_checks=regexp:/etc/postfix/submission_header_cleanup  

This is the output of postconf -P:

smtp/inet/smtpd_sasl_auth_enable = no
submission/inet/cleanup_service_name = submission-header-cleanup
submission/inet/milter_macro_daemon_name = ORIGINATING
submission/inet/smtpd_client_restrictions = $mua_client_restrictions
submission/inet/smtpd_helo_required = no
submission/inet/smtpd_helo_restrictions =
submission/inet/smtpd_relay_restrictions = $mua_relay_restrictions
submission/inet/smtpd_sasl_auth_enable = yes
submission/inet/smtpd_sasl_path = private/auth
submission/inet/smtpd_sasl_security_options = noanonymous
submission/inet/smtpd_sasl_type = dovecot
submission/inet/smtpd_sender_login_maps = mysql:/etc/postfix/sql/sender-login-maps.cf
submission/inet/smtpd_sender_restrictions = $mua_sender_restrictions
submission/inet/smtpd_tls_security_level = encrypt
submission/inet/syslog_name = postfix/submission
smtps/inet/cleanup_service_name = submission-header-cleanup
smtps/inet/milter_macro_daemon_name = ORIGINATING
smtps/inet/smtpd_client_restrictions = $mua_client_restrictions
smtps/inet/smtpd_helo_required = no
smtps/inet/smtpd_helo_restrictions =
smtps/inet/smtpd_relay_restrictions = $mua_relay_restrictions
smtps/inet/smtpd_sasl_auth_enable = yes
smtps/inet/smtpd_sasl_path = private/auth
smtps/inet/smtpd_sasl_security_options = noanonymous
smtps/inet/smtpd_sasl_type = dovecot
smtps/inet/smtpd_sender_login_maps = mysql:/etc/postfix/sql/sender-login-maps.cf
smtps/inet/smtpd_sender_restrictions = $mua_sender_restrictions
smtps/inet/smtpd_tls_wrappermode = yes
smtps/inet/syslog_name = postfix/smtps
submission-header-cleanup/unix/header_checks = regexp:/etc/postfix/submission_header_cleanup

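Thanks in advance.

Answer 1

In the scenario you tested, port 25 without authentication, postfix rejects as it should. Otherwise you would be an open relay.

postfix/smtpd

@gmail.com: Relay access denied

Connect to port 465 and authenticate, then you can submit mail to be relayed to Google.

(From the log lines I can tell that you did not connect through the ports intended for MUA submission, because your submission ports specify -o syslog_name= to distinguish them from log lines coming from port 25)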
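
The check the answer describes can be reproduced from the posted configuration. This is an added example, not code from the original post or from Postfix: it merges excerpts of the question's `postconf -n` and `postconf -P` output to compute the effective `smtpd_relay_restrictions` per listener, and uses the `syslog_name` prefix of a log line to tell which listener handled the connection. The helper names and the second log line are constructed for illustration.

```python
import re

# Constructed sample input: excerpts of the question's `postconf -n` / `postconf -P`
# output, the question's port-25 log line, and one invented submission log line.
MAIN_CF = """\
mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
smtpd_relay_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain permit_mynetworks reject_unauth_destination
"""
MASTER_OVERRIDES = """\
smtp/inet/smtpd_sasl_auth_enable = no
submission/inet/smtpd_relay_restrictions = $mua_relay_restrictions
submission/inet/smtpd_sasl_auth_enable = yes
submission/inet/syslog_name = postfix/submission
smtps/inet/smtpd_relay_restrictions = $mua_relay_restrictions
smtps/inet/smtpd_sasl_auth_enable = yes
smtps/inet/syslog_name = postfix/smtps
"""
LOG_PORT25 = "Sep 14 10:23:51 px-10042 postfix/smtpd[21569]: generic_checks: name=reject_unauth_destination status=2"
LOG_SUBMISSION = "Sep 14 10:30:00 px-10042 postfix/submission/smtpd[21600]: connect from unknown[192.0.2.10]"

def parse(text):
    """Parse 'name = value' lines into a dict."""
    return {k.strip(): v.strip() for k, v in
            (line.split("=", 1) for line in text.splitlines() if "=" in line)}

def effective(service, param, main, overrides):
    """Value of param for a master.cf service: a -o override wins over main.cf."""
    value = overrides.get(f"{service}/inet/{param}", main.get(param, ""))
    # Expand one level of $name references, as used by the mua_* macros.
    return re.sub(r"\$(\w+)", lambda m: main.get(m.group(1), ""), value)

def can_relay_authenticated(service, main, overrides):
    """True if SASL is enabled and the relay restrictions permit SASL clients."""
    rules = re.split(r"[,\s]+", effective(service, "smtpd_relay_restrictions", main, overrides))
    sasl = effective(service, "smtpd_sasl_auth_enable", main, overrides) == "yes"
    return sasl and "permit_sasl_authenticated" in rules

def service_of(log_line, overrides):
    """Map a log line to its listener via the syslog_name prefix."""
    tag = re.search(r"(postfix(?:/\w+)?)/smtpd\[", log_line).group(1)
    for key, name in overrides.items():
        if key.endswith("/syslog_name") and name == tag:
            return key.split("/")[0]
    return "smtp"  # default syslog_name "postfix": the port 25 listener

if __name__ == "__main__":
    main, ov = parse(MAIN_CF), parse(MASTER_OVERRIDES)
    for line in (LOG_PORT25, LOG_SUBMISSION):
        svc = service_of(line, ov)
        print(svc, "relays for authenticated clients:", can_relay_authenticated(svc, main, ov))
```

For the question's log line this reports the port 25 listener, whose restriction list ends in `reject_unauth_destination` with no SASL permit, which matches the rejection shown in the log.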
