我在 Ubuntu Server 16.04 上设置了 Postfix 作为卫星系统,它只监听本地主机并将外发电子邮件发送到中继服务器(通过端口 465 上的 TLS 和密码验证)。如果我不使用防火墙(iptables),一切正常(我可以发送电子邮件),但只要我激活防火墙,发送电子邮件就会超时。
我找不到要更改什么,欢迎提出任何建议。
这是我的设置:
Postfix 主配置文件
readme_directory = no
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
sender_canonical_maps = hash:/etc/postfix/generic
smtp_generic_maps = hash:/etc/postfix/generic
smtpd_sasl_auth_enable = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtpd_sasl_path = smtpd
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_mechanism_filter = login
smtp_tls_wrappermode = yes
smtp_tls_security_level = encrypt
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = example.com, $myhostname, localhost
relayhost = [smtps.relay.server]:465
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = loopback-only
inet_protocols = all
iptables.rules
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
#loop back
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -s 127.0.0.0/8 -j DROP
#APT
-A OUTPUT -p tcp --dport 80 --sport 32768:61000 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp --dport 53 --sport 32768:61000 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --sport 80 --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p udp --sport 53 --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
#MAIL
-A INPUT -p tcp --dport 465 -j ACCEPT
-A OUTPUT -p tcp --sport 465 -j ACCEPT
-A INPUT -p tcp --dport 587 -j ACCEPT
-A OUTPUT -p tcp --sport 587 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp --sport 25 -j ACCEPT
COMMIT
答案1
iptables 规则有误。目标端口和源端口混淆。工作规则如下:
iptables.规则:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
#loop back
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -s 127.0.0.0/8 -j DROP
#APT
-A OUTPUT -p tcp --dport 80 --sport 32768:61000 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp --dport 53 --sport 32768:61000 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --sport 80 --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p udp --sport 53 --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
#MAIL
-A INPUT -p tcp --sport 465 -j ACCEPT
-A OUTPUT -p tcp --dport 465 -j ACCEPT
#below not required in my use case
#-A INPUT -p tcp --sport 587 -j ACCEPT
#-A OUTPUT -p tcp --dport 587 -j ACCEPT
#-A INPUT -p tcp --sport 25 -j ACCEPT
#-A OUTPUT -p tcp --dport 25 -j ACCEPT
COMMIT