我正在尝试使用 postfix + policyd2 来限制外发电子邮件的数量。但是在实施 policyd2 策略时,我被拒绝访问 - 无论我做什么,我都会被拒绝。
- 后缀版本 2.11.4
- PolicyD2 (cluebringer) 版本 2.0.14-1
来自电子邮件客户端的错误框:
发送邮件时出错。邮件服务器响应:4.7.1 <[email protected]>:收件人地址被拒绝:访问被拒绝。请检查邮件收件人 [email protected] 并重试。
当我在 postfix 中关闭 policyd2 时,/etc/postfix/main.cf
一切正常:
smtpd_end_of_data_restrictions=check_policy_service inet:127.0.0.1:10031
smtpd_recipient_restrictions=check_policy_service inet:127.0.0.1:10031,
如果我重新打开它,这就是我得到的/var/log/maillog
:
postfix/smtpd[3228]: >>> START Helo command RESTRICTIONS <<<
postfix/smtpd[3228]: generic_checks: name=reject_invalid_helo_hostname
postfix/smtpd[3228]: reject_invalid_hostaddr: [192.168.0.10]
postfix/smtpd[3228]: generic_checks: name=reject_invalid_helo_hostname status=0
postfix/smtpd[3228]: >>> END Helo command RESTRICTIONS <<<
postfix/smtpd[3228]: >>> START Recipient address RESTRICTIONS <<<
postfix/smtpd[3228]: generic_checks: name=check_policy_service
postfix/smtpd[3228]: trying... [127.0.0.1]
postfix/smtpd[3228]: auto_clnt_open: connected to 127.0.0.1:10031
postfix/smtpd[3228]: send attr request = smtpd_access_policy
postfix/smtpd[3228]: send attr protocol_state = RCPT
postfix/smtpd[3228]: send attr protocol_name = ESMTP
postfix/smtpd[3228]: send attr client_address = 88.88.88.88
postfix/smtpd[3228]: send attr client_name = example.pl
postfix/smtpd[3228]: send attr reverse_client_name = example.pl
postfix/smtpd[3228]: send attr helo_name = [192.168.0.10]
postfix/smtpd[3228]: send attr sender = [email protected]
postfix/smtpd[3228]: send attr recipient = [email protected]
postfix/smtpd[3228]: send attr recipient_count = 0
postfix/smtpd[3228]: send attr queue_id =
postfix/smtpd[3228]: send attr instance = c9c.5584b989.ab0c0.0
postfix/smtpd[3228]: send attr size = 368
postfix/smtpd[3228]: send attr etrn_domain =
postfix/smtpd[3228]: send attr stress =
postfix/smtpd[3228]: send attr sasl_method = PLAIN
postfix/smtpd[3228]: send attr sasl_username = [email protected]
postfix/smtpd[3228]: send attr sasl_sender =
postfix/smtpd[3228]: send attr ccert_subject =
postfix/smtpd[3228]: send attr ccert_issuer =
postfix/smtpd[3228]: send attr ccert_fingerprint =
postfix/smtpd[3228]: send attr ccert_pubkey_fingerprint =
postfix/smtpd[3228]: send attr encryption_protocol = TLSv1
postfix/smtpd[3228]: send attr encryption_cipher = ECDHE-RSA-AES256-SHA
postfix/smtpd[3228]: send attr encryption_keysize = 256
postfix/smtpd[3228]: 127.0.0.1:10031: wanted attribute: action
postfix/smtpd[3228]: input attribute name: action
postfix/smtpd[3228]: input attribute value: DEFER
postfix/smtpd[3228]: 127.0.0.1:10031: wanted attribute: (list terminator)
postfix/smtpd[3228]: input attribute name: (end)
postfix/smtpd[3228]: check_table_result: inet:127.0.0.1:10031 DEFER policy query
postfix/smtpd[3228]: NOQUEUE: reject: RCPT from example.pl[88.88.88.88]: 450 4.7.1 <[email protected]>: Recipient address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[192.168.0.10]>
postfix/smtpd[3228]: generic_checks: name=check_policy_service status=2
postfix/smtpd[3228]: >>> END Recipient address RESTRICTIONS <<<
postfix/smtpd[3228]: > example.pl[88.88.88.88]: 450 4.7.1 <[email protected]>: Recipient address rejected: Access denied
postfix/smtpd[3228]: watchdog_pat: 0x83b23a8
政策示例。
创建策略:
INSERT INTO policies VALUES (1, 'In Out', 10, 'In Out Policy', 0);
INSERT INTO policy_members VALUES (1, 1, 'any', 'any', '' ,0);
添加配额 - 操作:
INSERT INTO quotas (PolicyID,Name,Track,Period,Verdict,Data) VALUES (1,'Sender:user@domain', 'Sender:user@domain', 60, 'DEFER', 'Deferring: To many messages from sender in last 60s.');
INSERT INTO quotas (PolicyID,Name,Track,Period,Verdict,Data) VALUES (1,'Recipient:@domain', 'Recipient:@domain', 60, 'REJECT', 'Quota limit reached.');
添加配额限制:
INSERT INTO quotas_limits (QuotasID, Type, CounterLimit) VALUES (1,'MessageCount', 12);
INSERT INTO quotas_limits (QuotasID, Type, CounterLimit) VALUES (2,'MessageCount', 20);
不能使用 web gui(没有 PHP)——所以我不确定它是否正确。正在搜索并尝试不同的策略示例,但错误仍然完全相同。
policyd2 sqlite3 数据库文件的权限错误。
PolicyD2 能够以特定用户身份运行守护进程,在我的例子中:
对数据库的权限是 root:root。
更改为 policyd:policyd 后,我可以发送电子邮件。
现在访问被拒绝错误是有道理的。