我在后缀配置文件中有这个 smtp 限制:
smtpd_sender_restrictions = permit_sasl_authenticated, check_policy_service inet:127.0.0.1:10031,permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unauth_pipelining, reject_authenticated_sender_login_mismatch, reject_unknown_sender_domain
据我所知,如果permit_sasl_authenticated说特定用户已通过身份验证,那么其余的限制不会被检查?
如果我想确保permit_sasl_authenticated并且check_policy_service inet:127.0.0.1:10031,如果他们都说是,那么只有这样才能通过电子邮件,否则不会?
实际上,我正在尝试设置线索使者,但Sender address rejected即使在发件人从 SASL 正确验证后,也遇到了问题。
这是我的postconf -n输出:
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
disable_vrfy_command = yes
inet_interfaces = 91.91.98.67, localhost
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
mydestination = mauth.fdomain.co.uk, localhost
myhostname = mauth.fdomain.co.uk
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relay_domains = mysql:/etc/postfix/relaydomains.cf
relayhost =
smtp_bind_address = 91.91.9.7
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = mysql:/etc/postfix/authsmtp.conf
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname Freezone Internet ESMTP
smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client bl.spamcop.net
smtpd_data_restrictions = permit_sasl_authenticated, reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_recipient_restrictions = permit_sasl_authenticated, check_policy_service inet:127.0.0.1:10031, permit_mynetworks, reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_sasl_authenticated, check_policy_service inet:127.0.0.1:10031,permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unauth_pipelining, reject_authenticated_sender_login_mismatch, reject_unknown_sender_domain
smtpd_tls_CAfile = /etc/postfix/ssl/freezonewc.ca
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/freezonewc.crt
smtpd_tls_key_file = /etc/postfix/ssl/freezonewc.key
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
transport_maps = mysql:/etc/postfix/transport.cf
unknown_local_recipient_reject_code = 450
老实说,你的限制现在有点乱。postfix-users 邮件列表通常建议在
smtpd_recipient_restrictionsor下收集所有限制smtpd_relay_restrictions(仅限 Postfix 2.10)。这样做的原因是它增强了可读性,并且与smtpd_delay_reject=yes.此外,策略服务应该很少回复接受/确定语句,而是回复 DUNNO。因此,在您的情况下,首先询问政策服务,给它一个机会说 REJECT 然后检查 SASL 似乎是一种更好的方法,除非您的政策服务在某些情况下确实返回 OK。
在不知道您的保单服务的确切性质和您的要求的情况下,我将从以下内容开始:
有关一些注意事项,请参阅我的配置片段中的注释。
你是对的,但仅限于当前的 smtpd_xxx_restrictions
只需从 smtpd_sender_restrictions 中删除 permit_sasl_authenticated 并将所有验证移至策略服务
将提供以下选项
如果没有 SASL 身份验证,这些属性将为空。在逻辑层面上,它可能类似于以下内容