我的邮件服务器配置相当严格,有时来自合法服务器的传入邮件会被拒绝,因为远程端存在配置问题,常见的问题是 HELO 主机名。
我有一个具体的例子,来自意大利最重要的电力公司 ENEL,该公司显然发送了带有无法解析的 HELO 主机名的交易电子邮件:
Feb 20 18:31:10 MYHOST postfix/smtpd[1748649]: NOQUEUE: reject: RCPT from mxrelay6.enel.com[146.133.127.102]: 450 4.7.1 <smtprelay.enel.com>: Helo command rejected: Host not found; from=<[email protected]> to=<MY CLIENT EMAIL> proto=ESMTP helo=<smtprelay.enel.com>
我正在尝试将其列入白名单,SMTP 服务器的 IP 或主机名似乎是合乎逻辑的步骤(我观察到两个,但我可以使用正则表达式)。无论如何,我目前无法做到这一点,我尝试的任何方法都不起作用,这些电子邮件总是被拒绝。(我还有其他类似的情况)。
##
# Helo restrictions
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
permit_mynetworks,
warn_if_reject check_helo_access hash:/etc/postfix/helo_whitelist,
warn_if_reject reject_invalid_hostname,
warn_if_reject reject_unknown_hostname,
warn_if_reject reject_non_fqdn_helo_hostname,
warn_if_reject reject_unknown_helo_hostname,
warn_if_reject reject_invalid_helo_hostname,
permit
##
# Sender restrictions
smtpd_sender_restrictions =
permit_mynetworks,
check_client_access hash:/etc/postfix/sender_whitelist,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_unknown_address,
reject_unknown_reverse_client_hostname,
reject_unknown_client_hostname,
permit
##
# Recipient restrictions
smtpd_recipient_restrictions =
permit_mynetworks,
reject_unauth_pipelining,
reject_unauth_destination,
reject_invalid_hostname,
reject_unknown_hostname,
reject_unknown_reverse_client_hostname,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_non_fqdn_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
check_sender_access hash:/etc/postfix/sender_access,
#check_client_access hash:/etc/postfix/rbl_whitelist,
check_policy_service unix:private/policyd-spf,
#check_client_access hash:/etc/postfix/rbl_override
reject_rhsbl_helo dbl.spamhaus.org,
reject_rhsbl_reverse_client dbl.spamhaus.org,
reject_rhsbl_sender dbl.spamhaus.org,
reject_rbl_client zen.spamhaus.org,
#reject_rbl_client cbl.abuseat.org
#reject_rbl_client b.barracudacentral.org,
#reject_rbl_client bl.spamcop.net,
#reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],
#reject_rbl_client b.barracudacentral.org=127.0.0.[2..11],
#check_policy_service unix:/var/spool/postfix/postgrey/socket,
permit
smtpd_relay_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination
##
# Data restrictions
smtpd_data_restrictions =
reject_unauth_pipelining,
permit
helo_白名单
mxrelay7.enel.com OK
mxrelay6.enel.com OK
我尝试将实际的 HELO 主机名放入 helo_whitelist 中smtprelay.enel.com,但没有成功。我在文档中也看到使用 PERMIT 而不是 OK,但查看调试消息(我使用了 debug_peer_list)后发现它似乎不正确。
通过调试我可以看到拒绝发生在收件人地址限制中:
Feb 20 18:41:12 alice postfix/smtpd[1749156]: reject_invalid_hostname: smtprelay.enel.com
Feb 20 18:41:12 alice postfix/smtpd[1749156]: generic_checks: name=reject_invalid_hostname status=0
Feb 20 18:41:12 alice postfix/smtpd[1749156]: generic_checks: name=reject_unknown_hostname
Feb 20 18:41:12 alice postfix/smtpd[1749156]: reject_unknown_hostname: smtprelay.enel.com
Feb 20 18:41:12 alice postfix/smtpd[1749156]: lookup smtprelay.enel.com type A flags
Feb 20 18:41:12 alice postfix/smtpd[1749156]: dns_query: smtprelay.enel.com (A): Host not found
Feb 20 18:41:12 alice postfix/smtpd[1749156]: lookup smtprelay.enel.com type AAAA flags
Feb 20 18:41:12 alice postfix/smtpd[1749156]: dns_query: smtprelay.enel.com (AAAA): Host not found
Feb 20 18:41:12 alice postfix/smtpd[1749156]: lookup smtprelay.enel.com type MX flags
Feb 20 18:41:12 alice postfix/smtpd[1749156]: dns_query: smtprelay.enel.com (MX): Host not found
Feb 20 18:41:12 MYHOST postfix/smtpd[1749156]: NOQUEUE: reject: RCPT from mxrelay6.enel.com[146.133.127.102]: 450 4.7.1 <smtprelay.enel.com>: Helo command rejected: Host not found; from=<[email protected]> to=<MY CLIENT EMAIL> proto=ESMTP helo=<smtprelay.enel.com>
Feb 20 18:41:12 alice postfix/smtpd[1749156]: generic_checks: name=reject_unknown_hostname status=2
Feb 20 18:41:12 alice postfix/smtpd[1749156]: >>> END Recipient address RESTRICTIONS <<<
问题是 smtpd_recipient_restrictions 部分为什么应该检查 helo 主机名?或者这只是由于 smtpd_delay_reject 而延迟的检查?
基本上,我应该把白名单中的 helo 消息放在哪里以及如何放?
谢谢!
答案1
您可以删除重复的reject_unknown_hostname/reject_unknown_hostname检查,因为只要您保留,您的 helo/ehlo 限制无论如何都会适用smtpd_helo_required=yes。
然后将您的列表改回来,无论使用 check_ 配置了什么嘿洛_access 需要包含嘿洛值 - 故意不允许将(未经验证的)主机名列入白名单。
顺便说一句,这些都是不推荐使用的别名,请始终使用当前的别名,以更清楚地说明正在检查的内容:
reject_unknown_hostname => reject_unknown_helo_hostname
reject_invalid_hostname => reject_invalid_helo_hostname