我运行自己的 postfix/dovecot 电子邮件服务器。最近,大量垃圾邮件涌入我的收件箱,其中的发件人和收件人字段与我的电子邮件地址相同。我添加了check_policy_service unix:private/policy
,smtpd_recipient_restrictions
但这并没有阻止以我自己的电子邮件地址为发件人的垃圾邮件大量涌入。我查看了其他类似的问题,但都没有帮助。我想知道在 postfix 配置中是否还有其他需要注意的地方。
我在 DNS 中设置了 spf:
$ nslookup -type=txt mydomain.com
mydomain.com text = "v=spf1 mx a ptr include:mail.myemaildomain.com -all"
下面是从其中一封垃圾邮件中截取的邮件头示例,其中删除了一些很长的编码邮件头。假设我的电子邮件是[email protected]
,我的邮件服务器是mail.myemaildomain.com
。
Return-Path: <>
Delivered-To: [email protected]
Received: from mail.myemaildomain.com
by mail.myemaildomain.com with LMTP
id 0KJAM+e2oGM0TgAAheIUKw
(envelope-from <>)
for <[email protected]>; Mon, 19 Dec 2022 19:09:27 +0000
Received: by mail.myemaildomain.com (Postfix, from userid 182)
id CEFE8C6409; Mon, 19 Dec 2022 19:09:27 +0000 (UTC)
Received-SPF: none (qwwj.em.jennycraig.com: No applicable sender policy available) receiver=mail.myemaildomain.com; identity=helo; helo=qwwj.em.jennycraig.com; client-ip=103.198.26.226
Received: from qwwj.em.jennycraig.com (unknown [103.198.26.226])
by mail.myemaildomain.com (Postfix) with ESMTP id 42098C6407
for <[email protected]>; Mon, 19 Dec 2022 19:09:27 +0000 (UTC)
Received: from 10.226.14.104
by atlas114.aol.mail.ne1.yahoo.com pod-id NONE with HTTPS; Thu, 15 Dec 2030 13:36:39 +0000
X-Originating-Ip: [209.85.218.45]
Received-SPF: pass (domain of gmail.com designates 209.85.218.45 as permitted sender)
Authentication-Results: atlas114.aol.mail.ne1.yahoo.com;
dkim=pass [email protected] header.s=20210112;
spf=pass smtp.mailfrom=gmail.com;
dmarc=pass(p=NONE,sp=QUARANTINE) header.from=gmail.com;
X-Apparently-To: [email protected]; Thu, 15 Dec 2030 13:36:39 +0000
Received: from 209.85.218.45 (EHLO mail-ej1-f45.google.com)
by 10.226.14.104 with SMTPs
(version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256);
Thu, 15 Dec 2030 13:36:39 +0000
Received: by mail-ej1-f45.google.com with SMTP id n20so52313294ejh.0
for <[email protected]>; Thu, 15 Dec 2030 05:36:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20210112;
h=to:subject:message-id:date:from:mime-version:from:to:cc:subject
:date:message-id:reply-to;
bh=TJRpkbHmfqiYQcSzQM9QyAcKyxwfgZJL1vLIP4WWyzY=;
b=PU/nv5+QLQUtFFhUFU6EkFLDEIAN0MjTP0TDPeoWc6O/rXu53+DCp7cua72BLe3k8Y
SpiPuVwH02uo87V3rs+L6KMLQaqA8V1D7vjU+3K5T9yP35DOf/bgtp3Nrb2d0Ejik0Bv
U9ePCaf7UM8R1Gze97qvGeJv5o3nhtNuvCAFqcuHZVC14JxQMLALg2wyPF68X/CP6vUu
EBMTPaudBc4bafJ8bJEkZgHCHIICpI9ZRYujIHcMxcm9EPlK+xTwhHDELRK8hwRPz1CC
JdtoPMWBl6NY3if9ZiV2O9NuvAJdeht/PezOU3kJPmbul8jRATFI/aJfA4eaUu7SisJr
FL8A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20210112;
h=to:subject:message-id:date:from:mime-version:x-gm-message-state
:from:to:cc:subject:date:message-id:reply-to;
bh=TJRpkbHmfqiYQcSzQM9QyAcKyxwfgZJL1vLIP4WWyzY=;
b=Xpo6Y73U27SLGh/HdXMGsR4X+ieN29ZLuTsnzxhavjS0nXbm8HuTIcZr4cni14HL7h
qWXZLePK0vYJUHMHb2R57WgKNWJnBFBH9lmiJSf35OusIK2Z5iSk6BmmHVjl8niG9EmD
XOL6EqVwmTl2BS9V80osHuJ7wIXzcAoq4Y+yZnVxPZogv2FjJ2tET9I9wQPVxM4ugXS3
9KKQgBoFPHUfergCHZxWt5mESf1Ie7VLsH1nztjHRkyipCAaZ3rvb6aHz3TogId5QuaS
yfOgSZQkCmStFywDTgxNuYwmYuOl+LBllaaB60bulStuwNKfkXU+vOAp9M8XcyTVhngV
xGcw==
X-Gm-Message-State: ANoB5plygnE1J5uqPqvPqvpUDDb3uZ/3D5Q4+2HkJz9l2WUbBA1VD+OM
48tFT8K/KxTy/bIun6chTilzwv3waaMeJ5EOu4SyvL3C
X-Google-Smtp-Source: AA0mqf6T7Vhk2yyHuKIYdn3h79y5dlZlN2Ix0VIGDvfU1s3z9grZ7sF2CkltwXmtFE8dsR3mTX53KHhoFnxtStqiZSs=
X-Received: by 2002:a17:906:f14:b0:7c1:4e5d:5543 with SMTP id
z20-20020a1709060f1400b007c14e5d5543mr2799821eji.654.1671111399150; Thu, 15
Dec 2030 05:36:39 -0800 (PST)
List-Unsubscribe: <https://rdir-agn.freenet.de/uq.html?uid=5ZQLJGH67TVWNMOX1LEGP4PK7PH1CI>,<mailto:[email protected]?subject=unsubscribe:5ZQLJGH67TVWNMOX1LEGP4PK7PH1CI>
X-tdResult: [email protected]
MIME-Version: 1.0
From: SAMS CLUB Stores<[email protected]>
Date: Thu, 15 Dec 2030 14:36:30 +0100
Message-ID: <q1RHyAoOuu2eraF=2mdqDgli8XJ5uM9dQNV6ANEdZER-DpL8i13n@mail.gmail.com>
Subject: Surprise in your inbox (for Shoppers Only)
To: me <[email protected]>
答案1
完全在 Postfix 的配置中
如果您已将电子邮件提交配置为单独的 SMTP 实例,则应该,你可以使用header_checks
. 这需要 Postfix 的PCRE 支持待安装。
由于您只希望将其运行在端口 25 上,因此您应该在文件中输入master.cf
:
smtp inet n - y - - smtpd
-o header_checks=pcre:/etc/postfix/access/header_checks
PCRE 映射(到该文件)用于拒绝标题example.com
中使用的消息From
:
/^From: .*@example\.com/ REJECT You are not me; example.com in From header.
但是,考虑到电子邮件转发、邮件列表等,这可能过于严格。因此,我建议使用下面更好的替代方案。
实施 DMARC 和 DKIM
更好、更标准的方法是为您的域和传入邮件实施 DMARC、DKIM 和 SPF。这样,从您允许的任何邮件基础设施(在您的 SPF 策略中或由您域的 DNS 中找到的 DKIM 密钥签名)发送的邮件都可以到达您的 SMTP 服务器。
- 使用 OpenDKIM 过滤器检查 DKIM 签名。
- 使用 postfix-policyd-spf-python 检查 SPF:
check_policy_service
unix:private/policy-spf
- 使用 OpenDMARC 过滤器检查 DMARC 策略。
- 使用 OpenDKIM 过滤器签署您的消息。
~all
使用(或)发布 SPF 策略-all
。- 使用 发布 DMARC 策略
p=reject
。