Why does Postfix reject one specific sender with a valid DNS mapping?

I am running Postfix 3.5.18 on Debian 11. The mail server works correctly for every sender except one.

I keep getting this message for email from one sender, and only one sender (in the message I changed the valid email address on the server to "[email protected]", and I changed the server name in that message to MYEXAMPLE)...

Jul 15 17:05:45 MYEXAMPLE postfix/smtpd[350738]: Anonymous TLS connection established from smtp3.earlywarning.com[199.47.137.176]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jul 15 17:05:46 MYEXAMPLE postfix/smtpd[350738]: NOQUEUE: reject: RCPT from smtp3.earlywarning.com[199.47.137.176]: 450 4.7.1 <a7283cpov.earlywarning.com>: Helo command rejected: Host not found; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<a7283cpov.earlywarning.com>
Jul 15 17:06:02 MYEXAMPLE postfix/smtpd[350738]: timeout after RSET from smtp3.earlywarning.com[199.47.137.176]
Jul 15 17:06:02 MYEXAMPLE postfix/smtpd[350738]: disconnect from smtp3.earlywarning.com[199.47.137.176] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 rset=1 commands=5/7

The "earlywarning.com" and "smtp3.earlywarning.com" hostnames are validly mapped in DNS.

Here is the output of "postconf -n", with my hostname changed to MYEXAMPLE.COM and my IP address changed to AAA.BBB.CCC.DDD ...

address_verify_poll_count = ${stress?1}${stress:3}
address_verify_sender = postmaster@$myhostname
address_verify_sender_ttl = 1342s
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = no
command_directory = /usr/sbin
compatibility_level = 2
data_directory = /var/lib/postfix
disable_dns_lookups = no
double_bounce_sender = double-bounce
hippomda_destination_recipient_limit = 1
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
lmtp_host_lookup = dns
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
message_size_limit = 199999999
milter_command_timeout = 20s
milter_connect_macros = j {daemon_name} v {client_name} {client_addr} {client_port}
milter_connect_timeout = 10s
milter_mail_macros = {auth_author} {auth_type} {auth_authen}
milter_protocol = 6
minimal_backoff_time = 60s
mydestination = localhost
myhostname = MYEXAMPLE.COM
mynetworks = AAA.BBB.CCC.DDD/32
myorigin = MYEXAMPLE.COM
non_smtpd_milters = $smtpd_milters
queue_directory = /var/spool/postfix
queue_run_delay = 60s
readme_directory = /usr/share/doc/postfix
recipient_delimiter = -
relay_domains =
relayhost =
sendmail_path = /usr/sbin/sendmail
smtp_host_lookup = dns
smtp_skip_5xx_greeting = no
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_block_early_mail_reply = yes
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,TLSv1,TLSv1.1,TLSv1.2,TLSv1.3
smtp_tls_note_starttls_offer = yes
smtp_tls_policy_maps = hash:/etc/postfix/tls-control
smtp_tls_protocols = !SSLv2,!SSLv3,TLSv1,TLSv1.1,TLSv1.2,TLSv1.3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_session_cache_timeout = 3600s
smtpd_banner = Abandon hope, all ye who enter here.
smtpd_client_restrictions = check_client_access hash:/etc/postfix/ok-host-control check_helo_access hash:/etc/postfix/helo-control reject_unknown_client_hostname
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_error_sleep_time = 2s
smtpd_hard_error_limit = ${stress?2}${stress:4}
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks check_helo_access hash:/etc/postfix/ok-host-control check_helo_access hash:/etc/postfix/helo-control permit_sasl_authenticated reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
smtpd_junk_command_limit = ${stress?3}${stress:50}
smtpd_milters = inet:localhost:20002,local:opendkim/opendkim.sock,local:opendmarc/opendmarc.sock
smtpd_per_record_deadline = ${stress?yes}${stress:no}
smtpd_recipient_limit = 1000
smtpd_recipient_overshoot_limit = 100
smtpd_recipient_restrictions = check_recipient_access pcre:/etc/postfix/reject-impossible-address.pcre reject_unknown_recipient_domain reject_unverified_recipient permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3] permit_sasl_authenticated reject_non_fqdn_recipient
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_non_fqdn_sender check_client_access hash:/etc/postfix/ok-host-control reject_unknown_sender_domain reject_unknown_reverse_client_hostname reject_unknown_client_hostname
smtpd_soft_error_limit = 2
smtpd_starttls_timeout = ${stress?5}${stress:12}s
smtpd_timeout = ${stress?5}${stress:12}s
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/letsencrypt/live/MYEXAMPLE.COM/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/MYEXAMPLE.COM/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = low
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,TLSv1,TLSv1.1,TLSv1.2,TLSv1.3
smtpd_tls_protocols = !SSLv2,!SSLv3,TLSv1,TLSv1.1,TLSv1.2,TLSv1.3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
strict_rfc821_envelopes = yes
tls_high_cipherlist = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:AES128-GCM-SHA256:AES128-SHA256:NULL-SHA256
tls_preempt_cipherlist = yes
transport_maps = hash:/etc/postfix/transport-control
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_local_recipient_reject_code = 550
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:1003
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 51200000
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 1000
virtual_transport = hippomda
virtual_uid_maps = static:1003

Here are the contents of the "helo-control" file:

earlywarning.com    OK
.earlywarning.com   OK
199.47.137.176      OK
104.18.100.92       OK
104.18.99.92        OK

Here are the contents of the "ok-host-control" file...

earlywarning.com    OK
.earlywarning.com   OK
199.47.137.176      OK
104.18.100.92       OK
104.18.99.92        OK

Via "postconf -f", "helo-control" and "ok-host-control" are correctly mapped to "helo-control.db" and "ok-host-control.db" respectively.

What am I doing wrong that causes the connection from "smtp3.earlywarning.com[199.47.137.176]" to be rejected?

Thanks in advance.

Update:

Postmap tests...

# postmap -v -q 'a7283cpov.earlywarning.com' ./ok-host-control; echo rc=$?
postmap: name_mask: all
postmap: inet_addr_local: configured 3 IPv4 addresses
postmap: inet_addr_local: configured 3 IPv6 addresses
postmap: Compiled against Berkeley DB: 5.3.28?
postmap: Run-time linked against Berkeley DB: 5.3.28?
postmap: dict_open: hash:./ok-host-control
rc=1

# postmap -v -q 'a7283cpov.earlywarning.com' ./helo-control; echo rc=$?
postmap: name_mask: all
postmap: inet_addr_local: configured 3 IPv4 addresses
postmap: inet_addr_local: configured 3 IPv6 addresses
postmap: Compiled against Berkeley DB: 5.3.28?
postmap: Run-time linked against Berkeley DB: 5.3.28?
postmap: dict_open: hash:./helo-control
rc=1

Answer 1

What is being rejected is the HELO hostname a7283cpov.earlywarning.com. The server uses a non-existent hostname as its HELO hostname.

Your attempt to whitelist .earlywarning.com with check_helo_access hash:/etc/postfix/helo-control fails because hash: does not treat it as the wildcard you assumed.

This can be done with a PCRE table, however. On Debian 11 you need the postfix-pcre package installed for PCRE table support. Use check_helo_access pcre:/etc/postfix/helo-control with this file content:

/(\.|^)earlywarning\.com$/   OK

Answer 2

The leading-dot .domain.tld syntax you are trying to use is not set up that way in a default Postfix installation.

If you want to use it, you can get the default value by calling postconf -d parent_domain_matches_subdomains and override that setting, leaving out the smtpd_access_maps entry, which is what distinguishes domains from subdomains. See check_helo_access in man 5 access, section "Host name/address patterns".

That file contains two entries (with and without the leading dot), which would match the HELO name in question with or without that setting, but since you cited the postconf -f command for updating its lookup tables, you probably have not successfully updated them. Retry with postmap /path/to/ok-host-control, then reload Postfix and check the warnings issued at startup.
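As an added illustration (not code from the question or either answer), the following Python emulates the access(5) host-name lookup that Postfix performs for a check_helo_access hash: table, applied to the helo-control entries and the HELO name taken from the reject line above, and also checks the PCRE pattern proposed in Answer 1. The table, the log line and the emulation itself are constructed here; the matching rules follow the access(5) man page for the two settings of parent_domain_matches_subdomains discussed in Answer 2.

```python
import re

# Constructed from the helo-control file in the question; the IP entries are
# omitted because the lookup key for check_helo_access here is a host name.
HELO_CONTROL = {
    "earlywarning.com": "OK",
    ".earlywarning.com": "OK",
}

# Constructed copy of the reject line from the question (addresses redacted).
REJECT_LOG = (
    "Jul 15 17:05:46 MYEXAMPLE postfix/smtpd[350738]: NOQUEUE: reject: RCPT from "
    "smtp3.earlywarning.com[199.47.137.176]: 450 4.7.1 <a7283cpov.earlywarning.com>: "
    "Helo command rejected: Host not found; from=<x@example.invalid> "
    "to=<y@example.invalid> proto=ESMTP helo=<a7283cpov.earlywarning.com>"
)

# PCRE entry proposed in Answer 1; Python's re accepts the pattern unchanged.
PCRE_RULE = re.compile(r"(\.|^)earlywarning\.com$")


def helo_from_log(line):
    """Pull the HELO name Postfix logged for the rejected RCPT command."""
    m = re.search(r"helo=<([^>]*)>", line)
    return m.group(1) if m else None


def lookup_hostname(table, hostname, implicit_subdomains=True):
    """Emulate access(5) host-name pattern matching for a hash: table.

    implicit_subdomains=True: smtpd_access_maps is listed in
      parent_domain_matches_subdomains (Postfix default), so 'domain.tld'
      matches the domain and all subdomains; '.domain.tld' is never consulted.
    implicit_subdomains=False: 'domain.tld' matches only itself and
      '.domain.tld' matches subdomains only.
    Returns (matching_key, action) or (None, None).
    """
    name = hostname.lower().rstrip(".")
    if name in table:                    # the full host name is tried first
        return name, table[name]
    labels = name.split(".")
    for i in range(1, len(labels)):      # then each parent domain, longest first
        parent = ".".join(labels[i:])
        key = parent if implicit_subdomains else "." + parent
        if key in table:
            return key, table[key]
    return None, None


def pcre_action(hostname):
    """Action the Answer 1 pcre: table would return for this HELO name."""
    return "OK" if PCRE_RULE.search(hostname.lower()) else None
```

With both entries present, the emulated lookup finds the HELO name in either mode; whether the live .db file does the same depends on it having been rebuilt with postmap, as Answer 2 points out.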
