主页 / server / 问题 / 1147448
Accepted
William Seligman
Asked: 2023-11-09 00:37:37 +0800 CST

将 access 文件从 sendmail 转换为 postfix

  • 772

我希望将已有两年历史的高度配置的 sendmail 安装(当前在 AlmaLinux 9 上运行)转换为 postfix。其中的转换是将现有/etc/mail/access文件调整为/etc/postfix/access.

有些语句看起来可以直接复制,但如果可以的话请确认这一点:

# by default we allow relaying from localhost...
Connect:127.0.0.1               RELAY

# Allow systems on our DMZ to use this server.
Connect:123.44.55               RELAY

# Allow systems on our NAT network to use this server as well.
Connect:10.44                   RELAY

# Accept mail sent to our  domain.
To:company.example.com          OK

# Forward any mail sent to our mailing-list server.
mailinglist.company.example.com     RELAY

# Reject commonly-used non-existent addresses
From:[email protected]   ERROR:5.7.1:550 Fake source address
From:[email protected]              ERROR:5.7.1:550 Fake source address
From:[email protected]            ERROR:5.7.1:550 Fake source address
From:[email protected]            ERROR:5.7.1:550 Fake source address

# 28-Nov-2005: Too much spam is being relayed by these guys, and bounced to us.
Connect:66.155.233.70               ERROR:5.7.1:550 Your mail server is a spam relay

# 09-Jun-2016: Uber-bad domain list. There are almost no servers in these domains that do
# not send spam. 
accountants                     ERROR:5.7.1:550 Domain used to send spam
bid                             ERROR:5.7.1:550 Domain used to send spam

# 09-Jun-2016: We've got a problem: When an unknown user receives
# email on our mail server, our mail server will reject mail
# to these users with "DSN: User unknown". This sounds fine, except
# that for aliases it sends a new email with that message back to the server
# that sent it. This results in "backscatter": our mail server starts
# sending mail from spammers back to bogus servers or forged
# addresses. The following is a list of user names completely retired
# from our mail server. It may not solve this problem, but it will
# hopefully reduce it. 

To:aaron@                    ERROR:550 No such user 
To:betsy@                    ERROR:550 No such user

我遇到困难的地方:Sendmail 允许我在每个系统或每个域的基础上设置邮件延迟和连接限制。我搜索了 postfix 文档,但我不知道如何做到这一点。

具体来说,如果我在 中包含以下语句/etc/mail/sendmail.mc

FEATURE(`greet_pause', `500')  dnl 
FEATURE(`ratecontrol', `nodelay', `terminate') dnl
define(`confCONNECTION_RATE_THROTTLE',`200') dnl
define(`confCONNECTION_RATE_WINDOW_SIZE',`60s') dnl
FEATURE(`conncontrol', `nodelay', `terminate') dnl

然后在 中/etc/mail/access,我可以包含如下语句:

GreetPause:batchmanager.company.example.com    400
GreetPause:company.example.com   0
GreetPause:mailinglist.company.example.com  0
GreetPause:127.0.0.1            0
GreetPause:friend.other.com     20
GreetPause:friendly.other.gov   20
GreetPause:10.44                0

ClientRate:123.44.55.66         6000    # mailinglist
ClientRate:123.44.55.77         60      # batchmanager
ClientRate:127.0.0.1            0
ClientRate:123.44.55            60

ClientConn:123.44.55.77         5       # batchmanager
ClientConn:123.44.55.66       500       # mailinglist

还有一些远程站点的 TLS 配置似乎存在问题。或者也许是我们有问题,但只有这些网站选择检测并拒绝它。我在以下位置解决这个问题/etc/mail/access

Try_TLS:yetanother.different.com NO

我已经做过 RTFM,但没有运气。关于如何在 postfix 中实现这些功能有什么想法吗?

postfix

1 个回答

  1. Best Answer

    经过大量研究,并诅咒所有告诉我 postfix 比 sendmail 更容易配置的人的命运,我想我已经找到了自己问题的答案。

    请注意,我还没有机会测试这些限制是否有效。我已经实现了代码,没有错误消息,并且我的测试配置有效。但是,在将配置投入生产并且互联网的全部重量都落在服务器上之前,我将无法完全测试反垃圾邮件代码。

    简短的版本:postfix 不支持将 sendmail 中的所有潜在语句/etc/mail/access放入单个文件中。相反,这些函数必须分成与postfix/etc/postfix/main.cf.

    另请注意:我将大部分新的外部文件放入哈希表中。这主要是因为从后缀文档中并不清楚纯文本文件是否可以在以下某些main.cf语句中使用,但哈希表总是可以。无论您在哪里看到下面类似的选项hash:/etc/postfix/my-table,都意味着我创建了/etc/postfix/my-table然后执行了:

    postmap /etc/postfix/my-table
postfix reload

    我不确定是否postfix reload总是需要,但我谨慎行事。

    继电器

    在原著中/etc/mail/access,我有:

    Connect:127.0.0.1                   RELAY
Connect:123.44.55                   RELAY
Connect:10.44                       RELAY
mailinglist.company.example.com     RELAY

    在 中/etc/postfix/main.cf,我输入:

    mynetworks = 123.44.55.0/24, 127.0.0.0/8, 10.44.0.0/16
mydomain = company.example.com
mydestination = $myhostname,
       localhost.$mydomain,
       localhost,
       $mydomain,
       hash:/etc/postfix/local-host-names
smtpd_relay_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination
relay_domains = $mydestination, hash:/etc/postfix/relay_recipients

    在 中/etc/postfix/relay_recipients,我输入:

    mailinglist.company.example.com     RELAY

    /etc/postfix/local-host-names的邮件服务器有多种备用名称,由 DNS 记录中的 CNAME 定义,以防万一:

    mail.company.example.com
smtp.company.example.com

    拒绝“发件人”地址

    在我的原始access文件中,我有:

    From:[email protected]   ERROR:5.7.1:550 Fake source address
From:[email protected]              ERROR:5.7.1:550 Fake source address
From:[email protected]            ERROR:5.7.1:550 Fake source address
From:[email protected]            ERROR:5.7.1:550 Fake source address

accountants                     ERROR:5.7.1:550 Domain used to send spam
bid                             ERROR:5.7.1:550 Domain used to send spam

    在 中main.cf,我有:

    smtpd_helo_restrictions = reject_unknown_helo_hostname,
  check_helo_access hash:/etc/postfix/from_restrictions

    其中/etc/postfix/from_restrictions包含:

    [email protected]   550 Fake source address typical of viruses
[email protected]              550 Fake source address typical of viruses
[email protected]            550 Fake source address typical of viruses
[email protected]            550 Fake source address typical of viruses

accountants                    550 Domain used to send spam
bid                            550 Domain used to send spam

    拒绝 TLD 的行可以/etc/mail/access在 postfix 中工作吗?postfix access 手册页有点含糊。我看看会发生什么。

    拒绝“收件人”地址

    access我有:

    To:aaron@                    550 No such user 
To:betsy@                    550 No such user

    main.cf

    smtpd_recipient_restrictions =
  permit_sasl_authenticated,
  permit_mynetworks,
  reject_unauth_destination,
  check_policy_service inet:127.0.0.1:10040,
  check_recipient_access hash:/etc/postfix/to_restrictions

    包含etc/postfix/to_restrictions

    aaron@                    550 No such user 
betsy@                    550 No such user

    check_policy_service与 postfwd 有关;我会在下面提到这一点。

    连接速率和连接数量

    Postfix 不允许您为这些参数设置简单的每个 IP 或每个域的值,如下所示/etc/mail/access

    ClientRate:123.44.55.66         6000    # mailinglist
ClientRate:123.44.55.77         60      # batchmanager
ClientRate:127.0.0.1            0
ClientRate:123.44.55            60

ClientConn:123.44.55.77         5       # batchmanager
ClientConn:123.44.55.66       500       # mailinglist

    相反,我所做的是为大多数连接设置总体限制,然后在以下位置定义例外main.cf

    anvil_rate_time_unit = 60s
smtpd_client_auth_rate_limit = 60
smtpd_client_connection_count_limit = 50
smtpd_client_connection_rate_limit = 100
smtpd_client_event_limit_exceptions =
   $mynetworks,
   4.56.78.0/24,   # friend.other.com
   5.67.89.0/24.   # friendly.other.gov

    这很接近,但不完全是我想要的。特别是,batchmanager.company.example.com如果用户不小心提交了一组作业,并且每个作业都开始生成报告错误的电子邮件,那么我调用的机器可能会开始生成数千封电子邮件。使用 sendmail,我可以在邮件服务器上限制它。我决定尝试使用postfwd来做到这一点。

    我最终离开/etc/postfwd/postfwd.cf了:

    id=RATE_UNKNOWN
   client_name==unknown
   action=rate(client_address/3/300/450 4.7.1 Deferred, max 3 requests in 5 mins from $$client_name at $$client_address)

id=THROTTLE_BATCH
   sender_localpart==batchmanager
   action=rate(client_address/20/60/450 4.7.1 Deferred, max 20 emails per minute from $$sender)

id=DEFAULT; action=DUNNO

    这也限制了那些没有客户姓名的垃圾邮件发送者,但现在这意义不大。

    问候暂停

    postfix 中没有直接等效的东西。我不成熟的解决方案是为我不认识的系统引入延迟。在main.cf

    smtpd_client_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  check_client_access hash:/etc/postfix/friendly_sites,
  reject_unknown_reverse_client_hostname,
  sleep 1,
  reject_unauth_pipelining

    其中/etc/postfix/friendly_sites包含:

    friend.other.com     OK
friendly.other.gov   OK

    我的印象是我也许可以使用postscreen引入可选的延迟,但我没有找到一种方法来做到这一点。我将这些行包含在main.cf

    postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr
postscreen_blacklist_action = drop
postscreen_greet_action = enforce

    cidr:/etc/postfix/postscreen_access.cidr

    123.44.55.66/32  permit    # mail server IP address

    充其量,这只是消除了某些形式的垃圾邮件发送者攻击,但不会造成任何延迟。

    关闭某些网站的 TLS

    正如我在评论中指出的,我可以在 postfix 中做到这一点。在/etc/mail/access我有一行:

    Try_TLS:yetanother.different.com   NO

    在 中/etc/postfix/main.cf,我有:

    smtp_tls_per_site = hash:/etc/postfix/tls_per_site

    在 中/etc/postfix/tls_per_site,我有:

    yetanother.different.com   NONE

    包起来

    我认识到我可能会在上述某些内容中重叠反垃圾邮件功能。我决定宁愿安全也不要后悔。如果您发现我的转换有任何问题,请告诉我。

    • 1

相关问题