Setting up an SMTP relay with Postfix


1. Setting up Postfix

1.1 Anonymous SMTP

With anonymous SMTP the sender address can carry any arbitrary local part (the name before the @), but such mail is liable to be blocked by the receiving side, and those rejections can then only be chased down case by case.

~]$ cat main.cf
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
canonical_maps = hash:/etc/postfix/canonical
transport_maps = hash:/etc/postfix/transport

debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.6.6/samples
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
inet_interfaces = all
inet_protocols = ipv4
mynetworks = 127.0.0.0/8,robin.cn,10.0.0.0/8
# replace the three values below with your own sending domain
# (Postfix has no inline comments: text after a value becomes part of it)
myhostname = hostname.robintest.cn
myorigin = robintest.cn
mydestination = hostname.robintest.cn
message_size_limit = 71900000
maximal_queue_lifetime = 10000s
~]# postfix reload

1.2 Authenticated SMTP

Authenticated SMTP requires a mailbox that actually exists. Its password is configured on the Postfix relay, and mail is only sent when the sender address matches a configured entry. Clients use it exactly as they would the anonymous relay: no mailbox password needs to be configured on the client side.

~]$ cat main.cf
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
unknown_local_recipient_reject_code = 550

debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.10.1/samples
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES

inet_interfaces = all
mynetworks = 127.0.0.0/8,robin.cn,10.0.0.0/8
inet_protocols = ipv4
# replace myhostname and mydestination with your own sending domain
myhostname = hostname.robintest.cn
myorigin = $myhostname
mydestination = robintest.cn
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
queue_run_delay = 30s
minimal_backoff_time = 30s
maximal_backoff_time = 180s
message_size_limit = 71900000

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_type = cyrus
smtp_tls_security_level = may
smtp_sender_dependent_authentication = yes
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay

~]# cat /etc/postfix/sender_relay
# the relay SMTP address for this sender, i.e. the SMTP server of A@robin.cn
A@robintest.cn          [smtp.robintest.cn]:25

~]# cat /etc/postfix/sasl_passwd
A@robintest.cn                     A@robintest.cn:Password234
~]# postmap /etc/postfix/sasl_passwd
~]# postmap /etc/postfix/sender_relay
~]# postfix reload
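Both main.cf dumps above, and the sender_relay table, are the kind of file where a mistake is silent: Postfix has no inline comments, so '#...' or a stray ';' after a value becomes part of the value, and a repeated main.cf key overrides the earlier one. This added lint (not from the original post) catches those cases on constructed samples modelled on the post's config.

```python
"""Lint Postfix main.cf and 'key value' lookup-table sources (added example,
not from the original post). Postfix has no inline comments: on a
'parameter = value' line or a table line, '#...' or a stray ';' after the
value becomes part of the value, and a repeated main.cf key overrides the
earlier one silently."""

# Constructed samples modelled on the relay config in the post.
MAIN_CF = """\
inet_interfaces = localhost
myhostname = hostname.robintest.cn    #replace with your sending domain
inet_interfaces = all
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
queue_run_delay = 30s;
"""
SENDER_RELAY = """\
# upstream relay for this sender
A@robintest.cn    [smtp.robintest.cn]:25    #relay address
B@robintest.cn    [smtp.robintest.cn]:587
"""


def lint_main_cf(text):
    """Return (line, parameter, problem) tuples for a main.cf source."""
    findings, seen = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        # skip blank lines, comments, and continuation lines (leading space)
        if not line.strip() or line[0].isspace() or line.startswith("#"):
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if "#" in value:
            findings.append((n, key, "inline comment becomes part of the value"))
        if value.endswith(";"):
            findings.append((n, key, "trailing ';' becomes part of the value"))
        if key in seen:
            findings.append((n, key, f"overrides earlier entry on line {seen[key]}"))
        seen[key] = n
    return findings


def lint_table(text):
    """Return (line, key, problem) tuples for a postmap 'key value' source."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # the whole rest of the line is the value
        if len(parts) == 2 and "#" in parts[1]:
            findings.append((n, parts[0], "inline comment becomes part of the value"))
    return findings
```

Run it over real files with lint_main_cf(open("/etc/postfix/main.cf").read()); `postconf -n` then shows the value Postfix actually loaded for any flagged parameter.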

2. Postfix parameter tuning

2.1 Adjusting the Postfix mail retry interval parameters

Background: all of the company's report and alert mail is forwarded through Postfix to Office 365 for delivery. When Postfix fails to deliver a message it goes into the deferred queue and, by default, is retried only after 5 minutes. That interval is too long, so we want to shorten the default.
Symptom:
The SMTP log shows '432 4.3.2 STOREDRV.ClientSubmit; sender thread limit exceeded'. After the first attempt fails, Postfix retries a short while later (300s to 4000s) and the retry succeeds.

Relevant Postfix parameters:
Parameter: queue_run_delay
Description: how often the queue manager scans the deferred queue for delayed mail. Default 1000 seconds.
Example: queue_run_delay = 1000

Maximum queue lifetime
Parameter: maximal_queue_lifetime
Description: how long the queue manager keeps a message that cannot be delivered before giving up. Default 5 days.
Example: maximal_queue_lifetime = 5

Minimum delivery-failure interval
Parameter: minimal_backoff_time
Description: the shortest interval before the queue manager retries an undeliverable message. Default 300 seconds.
Example: minimal_backoff_time = 1000

Maximum delivery-failure interval
Parameter: maximal_backoff_time
Description: the longest interval before the queue manager retries an undeliverable message. Default 4000 seconds.
Example: maximal_backoff_time = 4000

My own understanding: by default the queue is scanned every 300s; a queued message whose last failed attempt was more than 300s but less than 4000s ago is retried (the delay depends on how many times delivery has failed: the more failures, the larger the delay, capped at 4000s). If more than 5 days have passed since the first failure, the message is bounced.
For example: first failure, delay 300s; second, 800s; third, 1000s; fourth, 2000s.

Suggested configuration (comments on their own lines, since Postfix treats anything after a value as part of it):
# scan the deferred queue every 30s
queue_run_delay = 30s
# never retry a deferred message within 30s of the last attempt
minimal_backoff_time = 30s
# always retry once 180s have passed
maximal_backoff_time = 180s
# bounce a message that has not gone out after 2400s
maximal_queue_lifetime = 2400s

Expected effect:
The queue is scanned every 30s; a queued message whose last attempt was more than 30s but less than 180s ago is retried, and once 2400s have passed since the first failure (at most 20 retries) the message is bounced.
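To see what a given set of these four parameters actually does to a deferred message, the added model below (not from the original post) computes the attempt schedule. It assumes the doubling rule the explanation above describes: each wait is twice the previous one, clamped to [minimal_backoff_time, maximal_backoff_time], retries land on the next queue_run_delay scan tick, and a message whose age reaches maximal_queue_lifetime is bounced.

```python
"""Model the retry schedule produced by Postfix's deferred-queue parameters
(added example, not from the original post). Assumed rule: the wait after
each failed attempt is twice the previous one, clamped to
[minimal_backoff_time, maximal_backoff_time]; a retry only happens on a
deferred-queue scan, which runs every queue_run_delay seconds; a message
whose age reaches maximal_queue_lifetime is bounced instead of retried."""


def retry_schedule(queue_run_delay, min_backoff, max_backoff, queue_lifetime):
    """Return the times (seconds after the first failed attempt) of every
    delivery attempt the model makes before the message is bounced."""
    attempts = [0]             # the first attempt, at t=0, fails
    wait = min_backoff
    while True:
        due = attempts[-1] + wait
        # round up to the next deferred-queue scan tick
        due = -(-due // queue_run_delay) * queue_run_delay
        if due >= queue_lifetime:
            return attempts    # bounced: maximal_queue_lifetime reached
        attempts.append(due)
        wait = min(wait * 2, max_backoff)


def summarize(queue_run_delay, min_backoff, max_backoff, queue_lifetime):
    """Number of retries, the longest gap between attempts, and the last try."""
    s = retry_schedule(queue_run_delay, min_backoff, max_backoff, queue_lifetime)
    gaps = [b - a for a, b in zip(s, s[1:])]
    return {"retries": len(s) - 1, "max_gap": max(gaps), "last_attempt": s[-1]}


if __name__ == "__main__":
    # the values the post's explanation uses (300s scan, 300s..4000s, 5 days)
    # versus its suggested fast-retry settings (30s scan, 30s..180s, 2400s)
    for label, params in (("explained", (300, 300, 4000, 5 * 24 * 3600)),
                          ("suggested", (30, 30, 180, 2400))):
        print(label, summarize(*params), retry_schedule(*params)[:6])
```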

Reference: https://www.cnblogs.com/bethal/p/5377565.html

2.2 Configuring Postfix blacklists and whitelists

# (1) Recipient blacklist
~]# vim /etc/postfix/main.cf
# addresses not listed in the map are allowed by default
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/recipient_access
~]# cat recipient_access
user@aaa.com      REJECT
~]# postmap /etc/postfix/recipient_access
~]# postfix reload

# (2) Sender blacklist
~]# vim /etc/postfix/main.cf
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access
~]# cat sender_access
user@aaa.com      REJECT
~]# postmap /etc/postfix/sender_access
~]# postfix reload

# (3) Sender whitelist (a recipient whitelist works the same way)
~]# vim /etc/postfix/main.cf
# addresses not listed in the map are rejected by default
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access reject
~]# cat sender_access
user@aaa.com      OK
~]# postmap /etc/postfix/sender_access
~]# postfix reload

# (4) Blacklist a specific sender A sending to a specific recipient B
~]# vim /etc/postfix/main.cf
smtpd_restriction_classes = local_only
local_only = check_recipient_access hash:/etc/postfix/policy/recipient_access

smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/policy/senders_access,
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_non_fqdn_hostname,
  reject_non_fqdn_sender,
  reject_non_fqdn_recipient,
  reject_unauth_destination,
  reject_unauth_pipelining,
  reject_invalid_hostname
~]# cat policy/recipient_access
# the blacklist applied by the local_only restriction class
B@robin.cn REJECT
~]# cat policy/senders_access
# senders to which the local_only restriction class applies
A@robin.cn     local_only
Reference: https://blog.51cto.com/jasonyong/318262

2.3 Showing the Subject in Postfix logs

~]# vim /etc/postfix/main.cf
header_checks = regexp:/etc/postfix/header_checks
~]# cat /etc/postfix/header_checks
/^Subject:/      WARN
~]# postfix reload

The log then shows the following:
~]# echo "test mail to osa account." | mail -s 'test' B@robin.cn
~]# cat /var/log/maillog
Sep  9 11:40:58 SAS-SH1LPSMTP5 postfix/cleanup[14175]: C3C8B20005: warning: header Subject: test from unknown[192.0.0.1]; from=<A@robin.cn> to=<B@robin.cn> proto=SMTP helo=<sas-sh1lpyum1>
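Once header_checks WARN is in place, the cleanup log carries queue ID, subject, client and envelope addresses on one line, which is what makes a relay's traffic reviewable after the fact. This added parser (not from the original post) pulls those fields out; the first sample line is the one from the log above, the other two are constructed, one of them with a subject that itself contains the word "from".

```python
"""Parse the 'warning: header Subject:' lines that header_checks WARN emits
into the cleanup log, so queue IDs can be tied to subjects and sender/recipient
pairs (added example, not from the original post). The first sample line is
the one from the post; the second is constructed to show a subject that itself
contains the word 'from', which the '; from=<' anchor keeps unambiguous."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/cleanup\[\d+\]: (?P<qid>\w+): warning: header "
    r"Subject: (?P<subject>.*?) from (?P<client>\S+); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> proto=(?P<proto>\S+) "
    r"helo=<(?P<helo>[^>]*)>$"
)

# Constructed sample: line 1 is from the post, lines 2-3 are made up.
SAMPLE_LOG = """\
Sep  9 11:40:58 SAS-SH1LPSMTP5 postfix/cleanup[14175]: C3C8B20005: warning: header Subject: test from unknown[192.0.0.1]; from=<A@robin.cn> to=<B@robin.cn> proto=SMTP helo=<sas-sh1lpyum1>
Sep  9 11:41:03 SAS-SH1LPSMTP5 postfix/cleanup[14175]: D41F720007: warning: header Subject: Report from Finance from unknown[192.0.0.2]; from=<A@robin.cn> to=<C@robin.cn> proto=ESMTP helo=<report-host>
Sep  9 11:41:05 SAS-SH1LPSMTP5 postfix/smtp[14180]: C3C8B20005: to=<B@robin.cn>, status=sent (250 2.0.0 OK)
"""


def parse_subject_warnings(text):
    """Return one dict per matching cleanup line; other log lines are ignored."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def subjects_by_sender(text):
    """Map each envelope sender to the (queue_id, subject) pairs it produced."""
    index = defaultdict(list)
    for rec in parse_subject_warnings(text):
        index[rec["sender"]].append((rec["qid"], rec["subject"]))
    return dict(index)
```

Feed it the output of `grep 'warning: header Subject' /var/log/maillog`; the queue ID then links each subject to the matching postfix/smtp delivery line.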
