一、问题
先说一下问题,我们公司有两台邮件服务器,分别是不同的域名但是用的是同一个用户认证,最近老有人反应说,有匿名邮件就是通过类似这种网站,进行使用你们公司的SMTP邮件服务器进行发送垃圾邮件
http://tool.chacuo.net/mailserversend
咱们也可以自己测试一下,按照里面说到的要求填写你们公司的发件服务器IP加端口看看不验证不登录的情况下是否可以发送,如果可以发送那么恭喜你,别人可以利用你们的发件服务进行伪造了,然后发送垃圾邮件了
后来我在网上找了好多资料,设置SPF 呀 设置发送验证呀,反正该开的都开了,不知道是我设置的问题还是本身对这个不起作用,直到我用了下面这个发件策略,才组织了不登录的情况下进行发件。
大概意思就是,
拒绝不是正常的hostna的主机 拒绝不是fqdn的主机 拒绝没有登录的用户名发送邮件。
smtpd_sender_restrictions = reject_invalid_hostname reject_non_fqdn_sender permit_sasl_authenticated reject_sender_login_mismatch
就是添加了最后一条 reject_sender_login_mismatch
导致我另外一台域名发送的时候出现了报错 Sender address rejected: not logged in
我就百度呀 google 呀搜索了好多,但是大部分都没有说明白就不了了只了,虽然不知道别人是怎么解决的,但是我要解决这个问题呀。
二、解决思路
首先呢,我们用的是一个ldap 做的同步验证,三台服务器其中有两台用的是邮件服务器,根据他的报错信息可以了解到,是用户没有登录,就进行发信,但是我登录了呀,后来发现,采用的是别名的方式创建另一个域名,然后真实验证方法还是ldap,所以他认为你没有登录,
后面改了别名的认证方式就好了,后端认证还是使用的ldap。
A 邮件服务器配置文件
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = mail
mydomain =
myorigin = $mydomain
inet_interfaces = all
inet_protocols = ipv4
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
recipient_delimiter = +
home_mailbox = Maildir/
mailbox_command = /usr/bin/procmail -a "$EXTENSION" DEFAULT=$HOME/Maildir/ MAILDIR=$HOME/Maildir
header_checks = regexp:/etc/postfix/header_checks
body_checks = regexp:/etc/postfix/body_checks
smtpd_banner = $myhostname ESMTP
debug_peer_level = 2
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.6.6/samples
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
message_size_limit = 40480000
mailbox_size_limit = 40480000
#邮件转发
sender_bcc_maps = hash:/etc/postfix/sender_bcc_maps
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
#smtpd_recipient_restrictions = permit_mynetworks permit_auth_destination permit_sasl_authenticated check_policy_service unix:postgrey/socket reject
#发件人过滤
smtpd_recipient_restrictions = permit_auth_destination permit_sasl_authenticated check_policy_service unix:postgrey/socket reject reject_unknown_sender_domain reject_sender_login_mismatch
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/server.crt
smtpd_tls_key_file = /etc/pki/tls/certs/server.key
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache
#新添SASL认证
smtpd_sasl_security_options = noanonymous
##########################
virtual_alias_maps = hash:/etc/postfix/virtual.ultra-ts.com.cn
recipient_bcc_maps = hash:/etc/postfix/bcc_map
smtpd_tls_security_level = may
content_filter = scan:127.0.0.1:10025
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
####添加邮件队列处理时间设置
queue_run_delay = 300s
maximal_queue_lifetime = 2d
bounce_queue_lifetime = 2d
minimal_backoff_time = 300s
maximal_backoff_time = 4000s
#设置队列发送限制
#anvil_rate_time_unit = 120s
#smtpd_client_connection_rate_limit = 80
#发件人过滤
#mynetworks = 172.16.0.*/24
smtpd_sender_restrictions = reject_invalid_hostname reject_non_fqdn_sender permit_sasl_authenticated reject_sender_login_mismatch
smtpd_sender_login_maps = ldap:/etc/postfix/sender_login_maps.cf
smtpd_reject_unlisted_sender = yes
################
relay_domains = $mydomain
B邮件服务器配置文件
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = mail.
mydomain =
myorigin = $mydomain
inet_interfaces = all
inet_protocols = ipv4
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
home_mailbox = Maildir/
header_checks = regexp:/etc/postfix/header_checks
body_checks = regexp:/etc/postfix/body_checks
smtpd_banner = $myhostname ESMTP
debug_peer_level = 2
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.6.6/samples
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
message_size_limit = 50000000
mailbox_size_limit = 5000000000
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_client_restrictions = permit_sasl_authenticated
smtpd_recipient_restrictions = permit_mynetworks permit_auth_destination permit_sasl_authenticated reject_unauth_destination permit_inet_interfaces
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/server.crt
smtpd_tls_key_file = /etc/pki/tls/certs/server.key
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache
smtpd_tls_security_level = may
virtual_alias_maps = hash:/etc/postfix/virtual
recipient_bcc_maps = hash:/etc/postfix/bcc_map
#新加发件认证
broken_sasl_auth_clients = yes
#用于识别本地主机
smtpd_sasl_security_options = noanonymous
#不支持匿名用户
相关资料
postfix手册 中文版 https://max.book118.com/html/2016/0825/52839914.shtm
postfix 手册 官方版本 http://www.postfix.org/documentation.html