No mail, not even a connection attempt, received from Google

I recently installed and configured my own postfix mail server on a vps. It uses a LetsEncrypt wildcard certificate, has a PTR DNS record where the vps's IP address points to my mail server's hostname, has SPF and DKIM configured (but not DMARC yet), and ufw is configured to allow incoming connections on ports 25, 80, 443, 587 and 993.

Everything seems to work fine: the mail server receives mail from almost everyone, except from Google, as I discovered today:

Today I tried several times to create a Google account with my own email address, but each time the verification code never arrived, even though Google told me they would send one. In fact, /var/log/mail.log doesn't even list any connection attempt from Google.

I then tested creating a Google account with a throwaway email address from a well-known webmail provider, and the verification code came through fine.

So all of this leads me to believe there is some misconfiguration in my mail server.

My assumption is that Google has very strict security measures for verifying the authenticity of the email address and/or the mail server, but I don't know enough to know where exactly to look.

Here is my /etc/postfix/main.cf (domain name redacted as <mydomain>):

smtpd_banner = $myhostname ESMTP $mail_name
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
smtpd_tls_cert_file=/etc/letsencrypt/live/<mydomain>/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/<mydomain>/privkey.pem
smtpd_tls_security_level=may
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level=may
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_recipient_restrictions=reject_unknown_client_hostname,check_policy_service unix:private/policyd-spf

# Host parameters
myhostname = mail.<mydomain>
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
masquerade_domains = $mydomain
mydestination = $myhostname, <mydomain>, vps.<mydomain>, localhost.<mydomain>, localhost
relayhost = 
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all

# Connect to Postgres for mailboxes, transports and aliases
local_recipient_maps =
virtual_uid_maps = static:997
virtual_gid_maps = static:998
virtual_mailbox_base = /var/mail/vmail/
virtual_mailbox_maps = pgsql:/etc/postfix/pgsql/mailboxes.cf
virtual_alias_maps = pgsql:/etc/postfix/pgsql/aliases.cf
transport_maps = pgsql:/etc/postfix/pgsql/transports.cf

# DKIM
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:127.0.0.1:8892
non_smtpd_milters = $smtpd_milters

...and here is my /etc/postfix/master.cf:

smtp      inet  n       -       y       -       -       smtpd
  -o disable_vrfy_command=yes
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=
  -o milter_macro_daemon_name=ORIGINATING
  -o disable_vrfy_command=yes
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#smtps     inet  n       -       y       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       y       -       -       qmqpd
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
  -o header_checks=regexp:/etc/postfix/header_checks
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
        -o syslog_name=postfix/$service_name
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
postlog   unix-dgram n  -       n       -       1       postlogd
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -   n   n   -   2   pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

policyd-spf  unix  -       n       n       -       0       spawn user=policyd-spf argv=/usr/bin/policyd-spf

Do you know why Google can't send mail to my mail server? Could it be because DMARC is missing? Or could Google be trying to send mail over a port other than 25? Is that a thing, receiving mail over a port other than 25?


In response to glts's answer, here is some additional information that may be relevant:

There is an MX record pointing to my mail server:

Name    TTL      Type    Value
@       15 min   MX      10 mail.<mydomain>

However, my vps hostname (/etc/hostname) is vps.<mydomain>. Only postfix is configured to present itself as mail.<mydomain> (as shown in main.cf). Could this be a problem?

Answer 1

If you don't see something like the following in your log, then the Google servers really did not try to contact you.

postfix/smtpd[90034]: connect from mail-oa1-x2a.google.com[2001:4860:4864:20::2a]

How does a sender know which mail server to connect to? By looking at the MX record of the mail domain.

So if you want to receive mail at [email protected], the sending MTA will look at the MX record for example.com to find the right server. It will then look up the mail server's IP address, so make sure you also have A and AAAA records set up for mail.<mydomain>.

If you don't have an MX record for your mail domain example.com pointing at your mail server, then of course Google can't find you. Apart from that, Google is in my experience an ordinary sender with no special hidden requirements.
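The two checks the answer describes (look in mail.log for a `connect from` line, then walk the MX and A/AAAA lookups a sending MTA performs) can be scripted. The following is an added example written for this page, not code from the question or the answer. The `connect from` line format is the one shown in the answer; the log lines and the DNS zones are constructed test data, and the resolver is injected as a function so the script runs offline. In real use you would replace `make_resolver` with a live lookup, for instance dnspython's `dns.resolver.resolve(name, rtype)`; that call is an assumption about your environment, not something the page shows.

```python
import re
from typing import Callable, Dict, List, Tuple

# Postfix smtpd logs each inbound connection as
# "... postfix/smtpd[PID]: connect from HOST[ADDR]" (format from the answer above).
CONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: connect from (?P<host>[^\s\[]+)\[(?P<addr>[^\]]+)\]"
)

# Constructed sample log: one Google connection (host and address taken from the
# answer), its disconnect line, and an unrelated client with no reverse DNS.
SAMPLE_LOG = [
    "Jan  1 12:00:01 mail postfix/smtpd[90034]: connect from mail-oa1-x2a.google.com[2001:4860:4864:20::2a]",
    "Jan  1 12:00:02 mail postfix/smtpd[90034]: disconnect from mail-oa1-x2a.google.com[2001:4860:4864:20::2a]",
    "Jan  1 12:05:00 mail postfix/smtpd[90101]: connect from unknown[198.51.100.7]",
]


def inbound_connections(log_lines: List[str], sender_suffix: str = ".google.com") -> List[Tuple[str, str]]:
    """Return (client_hostname, client_address) for every smtpd 'connect from'
    line whose reverse-resolved client name ends with sender_suffix.
    An empty list means the sender never reached port 25 at all."""
    hits = []
    for line in log_lines:
        m = CONNECT_RE.search(line)
        if m and m.group("host").endswith(sender_suffix):
            hits.append((m.group("host"), m.group("addr")))
    return hits


# A resolver maps (name, record type) to the list of rdata strings; MX rdata is
# "PREFERENCE TARGET." as a resolver would return it.
Resolver = Callable[[str, str], List[str]]

# Constructed zones mirroring the question: the working layout, a zone with the
# MX record missing, and a zone whose MX target has no address record.
ZONE_OK: Dict[Tuple[str, str], List[str]] = {
    ("example.test", "MX"): ["10 mail.example.test."],
    ("mail.example.test", "A"): ["192.0.2.25"],
    ("mail.example.test", "AAAA"): [],
}
ZONE_NO_MX: Dict[Tuple[str, str], List[str]] = {
    ("mail.example.test", "A"): ["192.0.2.25"],
}
ZONE_NO_ADDR: Dict[Tuple[str, str], List[str]] = {
    ("example.test", "MX"): ["10 mail.example.test."],
}


def make_resolver(zone: Dict[Tuple[str, str], List[str]]) -> Resolver:
    """Build an offline resolver over a constructed zone (missing name -> [])."""
    return lambda name, rtype: zone.get((name, rtype), [])


def check_mail_routing(domain: str, resolve: Resolver) -> List[str]:
    """Walk the lookups a sending MTA performs for `domain`: MX for the domain,
    then A/AAAA for each MX target, lowest preference first.
    Returns human-readable findings; an empty list means the domain is routable.
    Note that nothing here consults the receiving host's own /etc/hostname:
    only the MX target and its address records matter to the sender."""
    findings = []
    mx_records = resolve(domain, "MX")
    if not mx_records:
        findings.append(f"no MX record for {domain}: senders cannot find your server")
        return findings
    for rr in sorted(mx_records, key=lambda r: int(r.split()[0])):
        pref, target = rr.split()
        target = target.rstrip(".")
        addrs = resolve(target, "A") + resolve(target, "AAAA")
        if not addrs:
            findings.append(f"MX target {target} (preference {pref}) has no A/AAAA record")
    return findings


if __name__ == "__main__":
    print("google.com connections:", inbound_connections(SAMPLE_LOG))
    for label, zone in (("ok", ZONE_OK), ("no-mx", ZONE_NO_MX), ("no-addr", ZONE_NO_ADDR)):
        print(label, check_mail_routing("example.test", make_resolver(zone)) or "routable")
```

Run it against a copy of /var/log/mail.log by reading the file into `inbound_connections`; if that returns nothing for `.google.com` while other senders do appear, the problem is upstream of your server (DNS), which is exactly what `check_mail_routing` with a live resolver then narrows down.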
