Postfix "Sender address rejected: not logged in"


 

1. Problem

 

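First, the problem. Our company has two mail servers, on different domain names but sharing the same user authentication. Recently people kept reporting anonymous mail: spam being sent through our company's SMTP mail server by way of websites like this one: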

http://tool.chacuo.net/mailserversend 

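You can test this yourself: fill in your company's outgoing mail server IP and port as the page asks, and see whether mail can be sent without authenticating or logging in. If it can, then congratulations: other people can use your outgoing mail service to forge mail and send spam.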

 

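Later I looked up a lot of material online: setting up SPF, setting up sender verification, and so on. I turned on everything that was supposed to be turned on. I don't know whether my settings were at fault or whether these simply have no effect on this problem, but it was not until I used the sending policy below that sending without logging in was blocked.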

Roughly, it means: reject hosts that do not have a valid hostname, reject hosts that are not FQDN, and reject mail sent by users who are not logged in.

smtpd_sender_restrictions = reject_invalid_hostname reject_non_fqdn_sender permit_sasl_authenticated reject_sender_login_mismatch

That is, I added the last item, reject_sender_login_mismatch.

 

As a result, sending from my other domain produced the error: Sender address rejected: not logged in

 

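I searched Baidu and Google a lot, but most posts trailed off without explaining it clearly. I don't know how other people solved it, but I had to solve this problem.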

2. Solution approach

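First, we use one LDAP directory for synchronized authentication; of the three servers, two are mail servers. From the error message you can tell that it means the user sent mail without logging in. But I had logged in. Later I found that the other domain had been created by way of aliases while the real authentication method was still LDAP, so it considered you not logged in.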

After I changed the authentication method for the aliases, it worked; the backend authentication still uses LDAP.
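
The condition behind the "not logged in" reply, and the effect of where reject_sender_login_mismatch sits relative to permit_sasl_authenticated, as an added Python example (a simplified model, not Postfix source and not from the original post). The addresses, login names and the SENDER_LOGIN_MAP dictionary standing in for smtpd_sender_login_maps are constructed.

```python
# Simplified model (added example, not Postfix source) of how an
# smtpd_sender_restrictions list is walked for one MAIL FROM command.

# Constructed stand-in for smtpd_sender_login_maps:
# MAIL FROM address -> SASL login names that own it.
SENDER_LOGIN_MAP = {
    "alice@a.example": ["alice"],
    "alice@b.example": ["alice"],  # alias-domain address, same LDAP login
}

def login_mismatch(sender, sasl_user, login_map):
    """reject_sender_login_mismatch: return a reject reply, or None for DUNNO."""
    owners = [o.lower() for o in login_map.get(sender.lower(), [])]
    if sasl_user is None:
        # No SASL login on this session: reject only if the address has an owner.
        if owners:
            return f"<{sender}>: Sender address rejected: not logged in"
        return None
    # SASL login present: it must be one of the owners of the address.
    if sasl_user.lower() not in owners:
        return f"<{sender}>: Sender address rejected: not owned by user {sasl_user}"
    return None

def evaluate(restrictions, sender, sasl_user, login_map=SENDER_LOGIN_MAP):
    """The first restriction that decides wins; later ones are never reached."""
    for name in restrictions:
        if name == "permit_sasl_authenticated" and sasl_user is not None:
            return "OK"
        if name == "reject_sender_login_mismatch":
            reply = login_mismatch(sender, sasl_user, login_map)
            if reply:
                return reply
    return "DUNNO"  # no decision; Postfix moves on to the next restriction class

# Order used on this page (HELO and FQDN checks omitted from the model).
PAGE_ORDER = ["permit_sasl_authenticated", "reject_sender_login_mismatch"]
# Ownership check placed before the blanket permit.
CHECK_FIRST = ["reject_sender_login_mismatch", "permit_sasl_authenticated"]

if __name__ == "__main__":
    cases = [("alice@b.example", None), ("alice@a.example", "bob"),
             ("alice@b.example", "alice"), ("stranger@other.example", None)]
    for sender, user in cases:
        for label, order in (("page order ", PAGE_ORDER), ("check first", CHECK_FIRST)):
            print(f"{label} login={user!s:5} {evaluate(order, sender, user)}")
```

With the page's order, an authenticated login is permitted before the ownership check is reached; with the check first, a login that does not own the sender address gets "not owned by user".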

 

Mail server A configuration file

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = mail
mydomain = 
myorigin = $mydomain
inet_interfaces = all
inet_protocols = ipv4
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
recipient_delimiter = +
home_mailbox = Maildir/
mailbox_command = /usr/bin/procmail -a "$EXTENSION" DEFAULT=$HOME/Maildir/ MAILDIR=$HOME/Maildir
header_checks = regexp:/etc/postfix/header_checks
body_checks = regexp:/etc/postfix/body_checks
smtpd_banner = $myhostname ESMTP
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.6.6/samples
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
message_size_limit = 40480000
mailbox_size_limit = 40480000

# Mail forwarding
sender_bcc_maps = hash:/etc/postfix/sender_bcc_maps
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
#smtpd_recipient_restrictions = permit_mynetworks permit_auth_destination permit_sasl_authenticated check_policy_service unix:postgrey/socket reject
# Sender filtering
smtpd_recipient_restrictions =  permit_auth_destination permit_sasl_authenticated check_policy_service unix:postgrey/socket reject reject_unknown_sender_domain reject_sender_login_mismatch 
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/server.crt
smtpd_tls_key_file = /etc/pki/tls/certs/server.key
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache

# Newly added SASL authentication
smtpd_sasl_security_options = noanonymous

##########################
virtual_alias_maps = hash:/etc/postfix/virtual.ultra-ts.com.cn
recipient_bcc_maps = hash:/etc/postfix/bcc_map
smtpd_tls_security_level = may
content_filter = scan:127.0.0.1:10025
smtpd_milters           = inet:127.0.0.1:8891
non_smtpd_milters       = $smtpd_milters
milter_default_action   = accept
#### Added mail queue processing time settings
queue_run_delay = 300s
maximal_queue_lifetime = 2d
bounce_queue_lifetime = 2d
minimal_backoff_time = 300s
maximal_backoff_time = 4000s
# Queue sending limits
#anvil_rate_time_unit = 120s
#smtpd_client_connection_rate_limit = 80

# Sender filtering
#mynetworks = 172.16.0.*/24
smtpd_sender_restrictions =   reject_invalid_hostname reject_non_fqdn_sender permit_sasl_authenticated reject_sender_login_mismatch
smtpd_sender_login_maps = ldap:/etc/postfix/sender_login_maps.cf
smtpd_reject_unlisted_sender = yes 

################

relay_domains = $mydomain

 

Mail server B configuration file

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = mail. 
mydomain = 
myorigin = $mydomain
inet_interfaces = all 
inet_protocols = ipv4 
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
home_mailbox = Maildir/
 
  
header_checks = regexp:/etc/postfix/header_checks
body_checks = regexp:/etc/postfix/body_checks
smtpd_banner = $myhostname ESMTP
debug_peer_level = 2
debugger_command =
     PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
     ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.6.6/samples
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
message_size_limit = 50000000
mailbox_size_limit = 5000000000
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_client_restrictions = permit_sasl_authenticated
smtpd_recipient_restrictions = permit_mynetworks permit_auth_destination permit_sasl_authenticated reject_unauth_destination permit_inet_interfaces
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/server.crt
smtpd_tls_key_file = /etc/pki/tls/certs/server.key
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache
smtpd_tls_security_level = may
virtual_alias_maps = hash:/etc/postfix/virtual
recipient_bcc_maps = hash:/etc/postfix/bcc_map


# Newly added sending authentication
broken_sasl_auth_clients = yes

  # Used to identify the local host
smtpd_sasl_security_options = noanonymous
  # Anonymous users are not supported

 

 

Related material

Postfix manual, Chinese edition: https://max.book118.com/html/2016/0825/52839914.shtm

Postfix manual, official version: http://www.postfix.org/documentation.html

 

 

If anything here is lacking, please point it out. Thank you.

