
I am migrating our servers from Debian 8 to Debian 10. Right now I am trying to set up our mail server (postfix-dovecot-mysql). While I was able to set up mysql (MariaDB 10.3) and Dovecot without any obvious problems, I keep running into the same problem with postfix (3.4.14):

All mail coming in over SMTP from external mail servers is rejected with: 554 Relay access denied

master.cf (for the smtp service):

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       y       -       -       smtpd -v
  -o smtpd_sasl_auth_enable=no

The permit/reject rules in main.cf are:

#1 client
smtpd_client_restrictions = permit_mynetworks
                            permit_sasl_authenticated
                            reject_unknown_client_hostname
#2 helo
smtpd_helo_required     = yes
smtpd_helo_restrictions = permit_mynetworks
                          reject_invalid_helo_hostname
                          reject_non_fqdn_helo_hostname
                          reject_unknown_helo_hostname
                            
#3 sender
smtpd_sender_restrictions = permit_mynetworks
                            permit_sasl_authenticated
                            reject_non_fqdn_sender
                            reject_sender_login_mismatch
                            
#4 relay
smtpd_relay_restrictions = reject_non_fqdn_recipient
                           permit_mynetworks
                           permit_sasl_authenticated
                           permit_auth_destination
                           reject_unauth_destination
#5 recipient
smtpd_recipient_restrictions = check_recipient_access proxy:mysql:/etc/postfix/mysql/recipient_access.cf
#6 data
smtpd_data_restrictions = reject_unauth_pipelining

Additionally, I set mydestination to empty to make sure the virtual transport is used:

mydestination =

I have confirmed that the rejection is triggered by reject_unauth_destination by setting different status codes:

relay_domains_reject_code = 564
access_map_reject_code    = 574
maps_rbl_reject_code      = 584

The status code is now always 564, and according to the postfix manual, relay_domains_reject_code is used when the reject_unauth_destination rule fires.

The part I don't understand (even after hours of trial and error and internet research) is that postfix seems to ignore my mysql-based virtual maps, because the mysql log shows no queries being executed. The only query I can see is the one from smtpd_recipient_restrictions, which returns OK.

mail.log shows the following (I have just anonymized the e-mail addresses and masked the IP addresses):

postfix/smtpd[6963]: >>> START Recipient address RESTRICTIONS <<<
postfix/smtpd[6963]: generic_checks: name=reject_non_fqdn_recipient
postfix/smtpd[6963]: reject_non_fqdn_address: [email protected]
postfix/smtpd[6963]: generic_checks: name=reject_non_fqdn_recipient status=0
postfix/smtpd[6963]: generic_checks: name=permit_mynetworks
postfix/smtpd[6963]: generic_checks: name=permit_mynetworks status=0
postfix/smtpd[6963]: generic_checks: name=permit_sasl_authenticated
postfix/smtpd[6963]: generic_checks: name=permit_sasl_authenticated status=0
postfix/smtpd[6963]: generic_checks: name=permit_auth_destination
postfix/smtpd[6963]: permit_auth_destination: [email protected]
postfix/smtpd[6963]: ctable_locate: leave existing entry key [email protected][email protected]
postfix/smtpd[6963]: generic_checks: name=permit_auth_destination status=0
postfix/smtpd[6963]: generic_checks: name=reject_unauth_destination
postfix/smtpd[6963]: reject_unauth_destination: [email protected]
postfix/smtpd[6963]: permit_auth_destination: [email protected]
postfix/smtpd[6963]: ctable_locate: leave existing entry key [email protected][email protected]
postfix/smtpd[6963]: NOQUEUE: reject: RCPT from x.x.x.x[y.y.y.y]: 564 5.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<z.z.z.z>
postfix/smtpd[6963]: generic_checks: name=reject_unauth_destination status=2
postfix/smtpd[6963]: >>> END Recipient address RESTRICTIONS <<<

The permit_auth_destination check does not kick in, although it should, because (according to the Postfix manual) it fires if the recipient address is listed in virtual_alias_domains or virtual_mailbox_domains. I have confirmed that both are the case by running the following commands:

[19:00:39][[email protected]:~]# postmap -q [email protected] proxy:mysql:/etc/postfix/mysql/virtual_alias_domains.cf
recipient.com
[19:00:39][[email protected]:~]# postmap -q [email protected] proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
recipient.com

Since permit_auth_destination does not fire, reject_unauth_destination fires instead, even though for the same reason it should not.

As mentioned, I can see from the mysql log that postfix currently executes no queries at all. I don't see how postfix can decide that the destination does not trigger permit_auth_destination but does trigger reject_unauth_destination.

What could be causing this behaviour?

Here is the complete main.cf:

###########
# Network #
###########
mynetworks              = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin                = /etc/mailname
#mydomain                =
myhostname              = mail.server.com
mydestination           =
inet_interfaces         = all
inet_protocols          = ipv4, ipv6
smtp_address_preference = ipv4
smtpd_banner            = $myhostname ESMTP $mail_name

#########
# Local #
#########
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

###########
# Virtual #
###########
proxy_read_maps         = proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf
                          proxy:mysql:/etc/postfix/mysql/virtual_alias_domains.cf
                          proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
                          proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
                          proxy:mysql:/etc/postfix/mysql/recipient_access.cf
virtual_mailbox_base    = /home/vmail/mailboxes
virtual_alias_maps      = proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf
virtual_alias_domains   = proxy:mysql:/etc/postfix/mysql/virtual_alias_domains.cf
virtual_mailbox_maps    = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
virtual_uid_maps        = static:5000
virtual_gid_maps        = static:5000
virtual_minimum_uid     = 5000
local_recipient_maps    = $virtual_mailbox_maps

################
# TLS settings #
################
tls_ssl_options     = NO_COMPRESSION

################
# TLS outbound #
################
smtp_dns_support_level          = dnssec
smtp_tls_security_level         = may
smtp_tls_policy_maps            = proxy:mysql:/etc/postfix/msql/smtp_tls_policy_maps.cf
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_protocols              = !SSLv3, TLSv1.3
smtp_tls_ciphers                = high
smtp_tls_CAfile                 = /etc/ssl/certs/ca-certificates.crt

###############
# TLS inbound #
###############
smtpd_use_tls                    = yes
smtpd_tls_security_level         = may
smtpd_tls_protocols              = !SSLv3, TLSv1.3
smtpd_tls_ciphers                = high
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_cert_file              = /etc/letsencrypt/getssl-certs/mail.server.com/chain.pem
smtpd_tls_key_file               = /etc/letsencrypt/getssl-certs/mail.server.com/key.pem

###################################
# Local mail delivery via Dovecot #
###################################
virtual_transport = lmtp:unix:private/dovecot-lmtp

#############
# SASL auth # 
#############
smtpd_sasl_type        = dovecot
smtpd_sasl_path        = private/auth
smtpd_sasl_auth_enable = yes

#########
# Relay #
#########
#1 client
smtpd_client_restrictions = permit_mynetworks
                            permit_sasl_authenticated
                            reject_unknown_client_hostname
#2 helo
smtpd_helo_required     = yes
smtpd_helo_restrictions = permit_mynetworks
                          reject_invalid_helo_hostname
                          reject_non_fqdn_helo_hostname
                          reject_unknown_helo_hostname
                            
#3 sender
smtpd_sender_restrictions = permit_mynetworks
                            permit_sasl_authenticated
                            reject_non_fqdn_sender
                            reject_sender_login_mismatch
                            
#4 relay
smtpd_relay_restrictions = reject_non_fqdn_recipient
                           permit_mynetworks
                           permit_sasl_authenticated
                           permit_auth_destination
                           reject_unauth_destination
#5 recipient
smtpd_recipient_restrictions = check_recipient_access proxy:mysql:/etc/postfix/mysql/recipient_access.cf
#6 data
smtpd_data_restrictions = reject_unauth_pipelining
#7 end-of-data
relay_domains_reject_code = 564
access_map_reject_code    = 574
maps_rbl_reject_code      = 584

#################
# Miscellaneous #
#################
mail_owner          = postfix
mailbox_command     = procmail -a "$EXTENSION"
mailbox_size_limit  = 0
recipient_delimiter = +
biff                = no
append_dot_mydomain = no
readme_directory    = no
compatibility_level = 2

Update

If I change my virtual_mailbox_domains setting from the proxy:mysql query to a static value (the recipient's domain), everything works:

virtual_mailbox_domains = static:recipient.com

So it looks like it is specific to the query going through mysql. This is especially strange because the problem seems to exist only for smtpd_relay_restrictions (no mysql query is executed); for smtpd_recipient_restrictions it works fine (the mysql query is executed).

Latest reply
  • 5 months ago
    1 #

    I was finally able to solve this by looking at the verbose log of proxymap.

    The key handed to the mysql query is actually just the recipient's domain, not the whole e-mail address:

    postfix/proxymap[23555]: master_notify: status 0
    postfix/proxymap[23555]: proxymap socket: wanted attribute: request
    postfix/proxymap[23555]: input attribute name: request
    postfix/proxymap[23555]: input attribute value: lookup
    postfix/proxymap[23555]: proxymap socket: wanted attribute: table
    postfix/proxymap[23555]: input attribute name: table
    postfix/proxymap[23555]: input attribute value: mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
    postfix/proxymap[23555]: proxymap socket: wanted attribute: flags
    postfix/proxymap[23555]: input attribute name: flags
    postfix/proxymap[23555]: input attribute value: 524352
    postfix/proxymap[23555]: proxymap socket: wanted attribute: key
    postfix/proxymap[23555]: input attribute name: key
    postfix/proxymap[23555]: input attribute value: recipient.com
    postfix/proxymap[23555]: proxymap socket: wanted attribute: (list terminator)
    postfix/proxymap[23555]: input attribute name: (end)
    postfix/proxymap[23555]: proxy_map_find: mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf:
    postfix/proxymap[23555]: send attr status = 1
    postfix/proxymap[23555]: send attr value =
    postfix/proxymap[23555]: master_notify: status 1
    

    In that case it seems the %d argument (which is supposed to carry the domain name) cannot be used in the mysql query. Using %s (the raw input key) finally did the trick.

    I actually only discovered that %d is empty by running postmap with the domain and getting no result at all:

    [[email protected]:~]# postmap -q [email protected] proxy:mysql:/etc/postfix/mysql/virtual_alias_domains.cf
    recipient.com
    [[email protected]:~]# postmap -q recipient.com proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
    [[email protected]:~]#
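
To make the answer's finding concrete, here is an added example (not from the question, the answer, or Postfix itself) that simulates the %-expansion rules of Postfix mysql_table(5) and the domain-only lookup behind permit_auth_destination. The query templates, the table name virtual_domains and the domain set are assumptions, since the page never shows the .cf files; the example also covers %u and %[1-9], which follow the same suppression rules as %d.

```python
from typing import Optional

def sql_quote(value: str) -> str:
    # Approximates the escaping Postfix applies to every substituted value.
    return value.replace("\\", "\\\\").replace("'", "\\'")

def expand_query(template: str, key: str) -> Optional[str]:
    """SQL Postfix would send for `key` under mysql_table(5) rules, or None
    when the query is suppressed (%d on a key without '@', %N past the labels)."""
    local, at, domain = key.partition("@")
    labels = domain.split(".") if at else []
    out, i = [], 0
    while i < len(template):
        ch, i = template[i], i + 1
        if ch != "%":
            out.append(ch)
            continue
        if i >= len(template):
            raise ValueError("dangling '%' in query template")
        spec, i = template[i], i + 1
        if spec == "%":
            out.append("%")
        elif spec == "s":                        # the whole input key
            out.append(sql_quote(key))
        elif spec == "u":                        # localpart, or whole key if no '@'
            out.append(sql_quote(local if at else key))
        elif spec == "d":                        # domain part; bare key => suppressed
            if not at:
                return None
            out.append(sql_quote(domain))
        elif spec in "123456789":                # Nth domain label from the right
            if not at or int(spec) > len(labels):
                return None
            out.append(sql_quote(labels[-int(spec)]))
        else:
            raise ValueError(f"unsupported expansion %{spec}")
    return "".join(out)

# %d is the failing query shape from the page, %s the fix the answer found; the
# domain set is a constructed stand-in for the MySQL table, not the page's data.
BROKEN_DOMAIN_QUERY = "SELECT domain FROM virtual_domains WHERE domain='%d'"
FIXED_DOMAIN_QUERY = "SELECT domain FROM virtual_domains WHERE domain='%s'"
VIRTUAL_DOMAINS = {"recipient.com", "example.net"}

def domain_is_authorized(template: str, recipient: str) -> bool:
    """permit_auth_destination-style check: Postfix looks up only the
    recipient's domain in virtual_mailbox_domains, so the key has no '@'."""
    sql = expand_query(template, recipient.rpartition("@")[2])
    if sql is None:                              # no query => no rows => not ours
        return False
    return sql.split("'")[1] in VIRTUAL_DOMAINS  # stand-in for executing the SQL
```

With the %d template every bare-domain lookup is suppressed, so a recipient in a hosted domain is never recognised as an authorized destination and reject_unauth_destination fires; the same mail passes once the template uses %s.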
    
