1. The problem
First, the problem. Our company runs two mail servers on different domains that share the same user authentication. Recently people kept reporting anonymous mail: sites like the one below let anyone use your company's SMTP server to send spam.
http://tool.chacuo.net/mailserversend
You can test this yourself: enter your company's outbound server IP and port as the tool asks and see whether it can send without authenticating or logging in. If it can, congratulations: anyone can use your sending service to forge mail and send spam through it.
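The same test can be run without a third-party website. The script below is an added example (not code from the original post): it replays the dialogue such tools use, EHLO / MAIL FROM / RCPT TO with no AUTH, and aborts after RCPT TO with RSET, so nothing is delivered. The hostnames and addresses are placeholders, and FakeSmtpServer is a constructed stand-in so the probe can be exercised offline; probe_host() runs the same logic against a real server you are authorised to test.

```python
"""Probe an SMTP server for unauthenticated submission (added example)."""
import re
import socket

REPLY_RE = re.compile(rb"^(\d{3})([ -])(.*)$")


def read_reply(rfile):
    """Read one SMTP reply, joining multi-line replies ("250-..." until "250 ...")."""
    code, lines = None, []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        m = REPLY_RE.match(raw.rstrip(b"\r\n"))
        if not m:
            raise ValueError("malformed SMTP reply: %r" % raw)
        code = int(m.group(1))
        lines.append(m.group(3).decode("utf-8", "replace"))
        if m.group(2) == b" ":          # a space after the code ends the reply
            return code, "\n".join(lines)


def command(rfile, wfile, line):
    wfile.write(line.encode("utf-8") + b"\r\n")
    wfile.flush()
    return read_reply(rfile)


def probe_relay(rfile, wfile, helo, mail_from, rcpt_to):
    """Return a verdict dict for one unauthenticated MAIL FROM / RCPT TO pair.

    Postfix with the default smtpd_delay_reject=yes reports sender-based
    rejections at RCPT TO, so the reply to RCPT TO is the decisive one.
    A 4xx is not a pass: greylisting (postgrey) or rate limits defer first,
    so a deferred probe has to be repeated before drawing a conclusion.
    """
    code, reply = read_reply(rfile)                      # 220 banner
    if code != 220:
        return {"verdict": "CONNECTION REFUSED", "stage": "banner", "code": code, "reply": reply}
    code, reply = command(rfile, wfile, "EHLO " + helo)
    if code // 100 != 2:
        return {"verdict": "REJECTED", "stage": "EHLO", "code": code, "reply": reply}
    code, reply = command(rfile, wfile, "MAIL FROM:<%s>" % mail_from)
    if code // 100 != 2:
        return {"verdict": "REJECTED", "stage": "MAIL FROM", "code": code, "reply": reply}
    code, reply = command(rfile, wfile, "RCPT TO:<%s>" % rcpt_to)
    verdict = {2: "ACCEPTED WITHOUT AUTH", 4: "DEFERRED (retry before judging)",
               5: "REJECTED"}.get(code // 100, "UNEXPECTED")
    command(rfile, wfile, "RSET")   # abort the transaction: no DATA, nothing is sent
    command(rfile, wfile, "QUIT")
    return {"verdict": verdict, "stage": "RCPT TO", "code": code, "reply": reply}


def probe_host(host, port=25, helo="probe.example.net",
               mail_from="ceo@example.com", rcpt_to="victim@example.org"):
    """Run the probe against a live server (placeholders; not used by demo())."""
    with socket.create_connection((host, port), timeout=20) as sock:
        return probe_relay(sock.makefile("rb"), sock.makefile("wb"), helo, mail_from, rcpt_to)


class FakeSmtpServer:
    """Constructed server that serves as both rfile and wfile for probe_relay.

    open_relay=True answers like a server with no sender or relay checks;
    open_relay=False answers like the hardened Postfix from this post, which
    refuses the forged sender at RCPT TO with the "not logged in" text.
    """

    def __init__(self, open_relay):
        self.open_relay = open_relay
        self.queue = [b"220 mail.example.com ESMTP Postfix\r\n"]

    def readline(self):
        return self.queue.pop(0) if self.queue else b""

    def write(self, data):
        verb = data.decode().split()[0].upper()
        if verb == "EHLO":
            self.queue += [b"250-mail.example.com\r\n", b"250-STARTTLS\r\n",
                           b"250 AUTH PLAIN LOGIN\r\n"]
        elif verb == "MAIL":
            self.queue.append(b"250 2.1.0 Ok\r\n")
        elif verb == "RCPT":
            if self.open_relay:
                self.queue.append(b"250 2.1.5 Ok\r\n")
            else:
                self.queue.append(b"553 5.7.1 <ceo@example.com>: Sender address rejected: "
                                  b"not logged in\r\n")
        elif verb == "RSET":
            self.queue.append(b"250 2.0.0 Ok\r\n")
        elif verb == "QUIT":
            self.queue.append(b"221 2.0.0 Bye\r\n")

    def flush(self):
        pass


def demo():
    """Probe the two constructed servers and return their verdicts."""
    results = {}
    for name, open_relay in (("unprotected", True), ("hardened", False)):
        srv = FakeSmtpServer(open_relay)
        results[name] = probe_relay(srv, srv, "probe.example.net",
                                    "ceo@example.com", "victim@example.org")
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print("%-12s %s (%s %d: %s)" % (name, r["verdict"], r["stage"], r["code"], r["reply"]))
```

Two pairs are worth probing on a real server: a foreign recipient (an accepted RCPT TO means open relay) and a forged local sender addressed to a local mailbox (accepted means anyone can spoof colleagues internally). Only probe servers you operate.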
I then went through a lot of material online: set up SPF, enable sender authentication, and so on. Everything that could be turned on was turned on, and I don't know whether it was my configuration or whether those measures simply don't address this, but unauthenticated sending was only blocked once I applied the sender policy below. (SPF on its own cannot stop it: it lets receiving servers check which IPs may send for your domain, and mail relayed through your own server from an anonymous client comes from your own IP, so it passes. What stops it is the server refusing the submission, which is what the restriction below does.)
Roughly, it means:
reject clients whose HELO/EHLO hostname is syntactically invalid (reject_invalid_hostname), reject sender addresses that are not fully qualified (reject_non_fqdn_sender), and reject mail from a sender address that has an owner in smtpd_sender_login_maps when the client has not logged in as that owner (reject_sender_login_mismatch). Note the order: because permit_sasl_authenticated comes before it, a client that has logged in is never checked against the map here, so this list only catches unauthenticated clients using an owned address; to also catch logged-in users sending from addresses they do not own, reject_sender_login_mismatch has to precede permit_sasl_authenticated.
smtpd_sender_restrictions = reject_invalid_hostname reject_non_fqdn_sender permit_sasl_authenticated reject_sender_login_mismatch
The only new entry is the last one, reject_sender_login_mismatch,
and it made sending from my other domain fail with the error: Sender address rejected: not logged in
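To make the error message less mysterious, here is a small model of how reject_sender_login_mismatch decides. It is an added example, not code from the original post: the lookup keys and their order (user@domain, then the bare user for local domains, then @domain) and the two rejection texts follow postconf(5) for smtpd_sender_login_maps and reject_sender_login_mismatch, while the table, login names and domains are constructed stand-ins for the LDAP map (ldap:/etc/postfix/sender_login_maps.cf) used in the post. It goes a step beyond the post by also walking a restriction list in both possible orders, to show which sessions each order actually rejects.

```python
"""Model of the reject_sender_login_mismatch decision in Postfix (added example)."""
import re

# Stand-ins for $myorigin / $mydestination domains: only for these does Postfix
# also try the bare "user" key (constructed values).
LOCAL_DOMAINS = {"example.com", "mail.example.com"}

# Constructed map: MAIL FROM address or @domain -> comma/space separated owners.
SENDER_LOGIN_MAPS = {
    "alice@example.com": "alice",
    "alice@example.net": "alice",          # second-domain address that lists the login
    "bob@example.com": "bob, bob@example.com",
    "@example.org": "postmaster",          # whole-domain owner entry
}

# The order used in the post, and a stricter order that also checks logged-in users.
POST_ORDER = ["reject_invalid_hostname", "reject_non_fqdn_sender",
              "permit_sasl_authenticated", "reject_sender_login_mismatch"]
STRICT_ORDER = ["reject_invalid_hostname", "reject_non_fqdn_sender",
                "reject_sender_login_mismatch", "permit_sasl_authenticated"]


def lookup_owners(sender, maps=SENDER_LOGIN_MAPS, local_domains=LOCAL_DOMAINS):
    """Return the lower-cased login names that own `sender` (empty set if none)."""
    if "@" not in sender:                      # e.g. the null sender <>
        return set()
    user, _, domain = sender.lower().rpartition("@")
    keys = [user + "@" + domain]
    if domain in local_domains:
        keys.append(user)
    keys.append("@" + domain)
    for key in keys:                           # first matching key wins
        value = maps.get(key)
        if value is not None:
            return {o.lower() for o in re.split(r"[,\s]+", value.strip()) if o}
    return set()


def sender_login_check(sender, sasl_username, maps=SENDER_LOGIN_MAPS,
                       local_domains=LOCAL_DOMAINS):
    """Emulate reject_sender_login_mismatch for one MAIL FROM address.

    Returns ("REJECT", smtp_reply) or ("DUNNO", reason); DUNNO means the
    restriction has no opinion and Postfix moves on to the next one.
    """
    owners = lookup_owners(sender, maps, local_domains)
    if sasl_username is None:
        # the reject_unauthenticated_sender_login_mismatch half
        if owners:
            return ("REJECT", "553 5.7.1 <%s>: Sender address rejected: not logged in" % sender)
        return ("DUNNO", "unauthenticated client, address has no owner")
    # the reject_authenticated_sender_login_mismatch half; Postfix compares case-insensitively
    if sasl_username.lower() not in owners:
        return ("REJECT", "553 5.7.1 <%s>: Sender address rejected: not owned by user %s"
                % (sender, sasl_username))
    return ("DUNNO", "authenticated as an owner of the address")


def restriction_list(sender, sasl_username, restrictions):
    """Walk a smtpd_*_restrictions list as Postfix does: the first PERMIT or
    REJECT ends evaluation, and the implicit permit applies at the end.
    Restrictions this model does not know are treated as DUNNO."""
    for name in restrictions:
        if name == "permit_sasl_authenticated" and sasl_username is not None:
            return ("PERMIT", name)
        if name == "reject_sender_login_mismatch":
            action, detail = sender_login_check(sender, sasl_username)
            if action == "REJECT":
                return ("REJECT", detail)
        if name == "reject":
            return ("REJECT", "554 5.7.1 Access denied")
    return ("PERMIT", "implicit permit at end of list")


def demo():
    """Four sessions: an anonymous client and a logged-in forger against both orders."""
    return {
        "anon_owned_post": restriction_list("bob@example.com", None, POST_ORDER),
        "forger_post": restriction_list("bob@example.com", "alice", POST_ORDER),
        "forger_strict": restriction_list("bob@example.com", "alice", STRICT_ORDER),
        "owner_strict": restriction_list("alice@example.net", "alice", STRICT_ORDER),
    }
```

"not logged in" is the verdict for a session with no SASL login whose MAIL FROM address has an owner in the map, which is exactly the spam case from section 1; "not owned by user" is the verdict for a logged-in user whose login name is not among the owners the map returns for that address, which is the case to check when a second domain is served through aliases. On a real server, what the map returns for an address is what `postmap -q user@domain ldap:/etc/postfix/sender_login_maps.cf` prints, and the result has to contain the exact SASL login name the client authenticates with.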
I searched Baidu and Google at length, but most threads trailed off without ever explaining anything. I don't know how other people solved it, but I had to solve it.
2. Approach to the fix
First of all: we use LDAP for shared authentication, and two of the three servers are mail servers. The error message says the user submitted mail without logging in, but I had logged in. It turned out that the other domain had been created by way of aliases, while the real authentication still went through LDAP, so Postfix treated the client as not logged in.
After I changed the alias's authentication method it worked; the backend authentication is still LDAP.
Mail server A configuration
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = mail
mydomain =
myorigin = $mydomain
inet_interfaces = all
inet_protocols = ipv4
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
recipient_delimiter = +
home_mailbox = Maildir/
mailbox_command = /usr/bin/procmail -a "$EXTENSION" DEFAULT=$HOME/Maildir/ MAILDIR=$HOME/Maildir
header_checks = regexp:/etc/postfix/header_checks
body_checks = regexp:/etc/postfix/body_checks
smtpd_banner = $myhostname ESMTP
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.6.6/samples
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
message_size_limit = 40480000
mailbox_size_limit = 40480000
# Mail forwarding (BCC copies)
sender_bcc_maps = hash:/etc/postfix/sender_bcc_maps
# Note: recipient_bcc_maps is set again further down; Postfix uses the last
# definition and logs "overriding earlier entry" for this one
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
#smtpd_recipient_restrictions = permit_mynetworks permit_auth_destination permit_sasl_authenticated check_policy_service unix:postgrey/socket reject
# Sender filtering
# Note: the unconditional "reject" ends evaluation, so the two restrictions after
# it (reject_unknown_sender_domain, reject_sender_login_mismatch) are never
# reached here; the login check that actually fires is the one in
# smtpd_sender_restrictions below
smtpd_recipient_restrictions = permit_auth_destination permit_sasl_authenticated check_policy_service unix:postgrey/socket reject reject_unknown_sender_domain reject_sender_login_mismatch
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/server.crt
smtpd_tls_key_file = /etc/pki/tls/certs/server.key
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache
# Added: SASL authentication
smtpd_sasl_security_options = noanonymous
##########################
virtual_alias_maps = hash:/etc/postfix/virtual.ultra-ts.com.cn
recipient_bcc_maps = hash:/etc/postfix/bcc_map
smtpd_tls_security_level = may
content_filter = scan:127.0.0.1:10025
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
#### Added: queue processing times
queue_run_delay = 300s
maximal_queue_lifetime = 2d
bounce_queue_lifetime = 2d
minimal_backoff_time = 300s
maximal_backoff_time = 4000s
# Queue sending limits
#anvil_rate_time_unit = 120s
#smtpd_client_connection_rate_limit = 80
# Sender filtering
#mynetworks = 172.16.0.*/24
# Note: permit_sasl_authenticated precedes reject_sender_login_mismatch, so only
# unauthenticated clients are checked against the owner map ("not logged in");
# swap the two to also reject logged-in users sending from addresses they do not own
smtpd_sender_restrictions = reject_invalid_hostname reject_non_fqdn_sender permit_sasl_authenticated reject_sender_login_mismatch
# Which SASL login owns which MAIL FROM address; consulted by reject_sender_login_mismatch
smtpd_sender_login_maps = ldap:/etc/postfix/sender_login_maps.cf
smtpd_reject_unlisted_sender = yes
################
relay_domains = $mydomain
Mail server B configuration
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = mail.
mydomain =
myorigin = $mydomain
inet_interfaces = all
inet_protocols = ipv4
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
home_mailbox = Maildir/
header_checks = regexp:/etc/postfix/header_checks
body_checks = regexp:/etc/postfix/body_checks
smtpd_banner = $myhostname ESMTP
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.6.6/samples
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
message_size_limit = 50000000
mailbox_size_limit = 5000000000
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
# On its own this changes nothing: the list ends in the implicit permit anyway
smtpd_client_restrictions = permit_sasl_authenticated
# reject_unauth_destination stops relaying to outside domains, but this server has
# no reject_sender_login_mismatch, so an unauthenticated client can still hand in
# mail with a forged local sender for local recipients
smtpd_recipient_restrictions = permit_mynetworks permit_auth_destination permit_sasl_authenticated reject_unauth_destination permit_inet_interfaces
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/server.crt
smtpd_tls_key_file = /etc/pki/tls/certs/server.key
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache
smtpd_tls_security_level = may
virtual_alias_maps = hash:/etc/postfix/virtual
recipient_bcc_maps = hash:/etc/postfix/bcc_map
# Added: sender authentication
# Accept the non-standard "AUTH=LOGIN" syntax that old Outlook / Outlook Express clients use
broken_sasl_auth_clients = yes
# Disallow anonymous SASL mechanisms
smtpd_sasl_security_options = noanonymous
References
Postfix manual, Chinese translation: https://max.book118.com/html/2016/0825/52839914.shtm
Postfix documentation, official: http://www.postfix.org/documentation.html
Corrections and additions are welcome, thank you.