我在 587 端口上配置了 dovecot 提交服务,中继是 postfix 服务器。它们位于两个不同的 IP 地址/机器上。
我希望发送电子邮件的唯一方法是通过端口 587,这意味着 dovecot 将处理它并将其中继到 postfix。我不希望连接到端口 25 的人或任何东西创建新电子邮件并将它们发送给任何人。一切都必须通过 dovecot,因此所有邮件都针对 SASL/mysql 数据库进行身份验证。
这是否意味着在后缀中,我应该设置:
smtpd_sender_restrictions = 拒绝
因此,任何发件人都会立即被拒绝而无需任何处理,或者这会阻止 dovecot 也发送?
postconf -n
access_map_reject_code = 554
alias_maps =
compatibility_level = 2
debug_peer_level = 100
disable_vrfy_command = yes
inet_interfaces = all
inet_protocols = all
invalid_hostname_reject_code = 554
lmtp_host_lookup = native
mailbox_size_limit = 0
maps_rbl_reject_code = 554
message_size_limit = 50000000
milter_default_action = accept
milter_protocol = 2
multi_recipient_bounce_reject_code = 554
mydestination =
mydomain = s2.__SNIP__.com
myhostname = s2.__SNIP__.com
mynetworks = 127.0.0.1/32 [::1]/128 10.0.0.0/8
myorigin = $mydomain
mysql = mysql:${config_directory}
non_fqdn_reject_code = 554
non_smtpd_milters = inet:opendkim.mail-server:8891
plaintext_reject_code = 554
postscreen_upstream_proxy_protocol = haproxy
postscreen_upstream_proxy_timeout = 10s
readme_directory = no
recipient_delimiter = +
reject_code = 554
relay_domains_reject_code = 554
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = no
smtpd_error_sleep_time = 20
smtpd_hard_error_limit = 3
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_unknown_helo_hostname reject_non_fqdn_helo_hostname reject_invalid_helo_hostname
smtpd_junk_command_limit = 2
smtpd_milters = inet:opendkim.mail-server:8891
smtpd_recipient_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain permit_mynetworks reject_unknown_reverse_client_hostname reject_unknown_client_hostname permit
smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination
smtpd_sasl_path = inet:dovecot.mail-server:24
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_unknown_sender_domain reject_non_fqdn_sender
smtpd_soft_error_limit = 1
smtpd_tls_cert_file = /etc/certs/tls.crt
smtpd_tls_key_file = /etc/certs/tls.key
smtpd_tls_security_level = may
unknown_address_reject_code = 554
unknown_client_reject_code = 450
unknown_hostname_reject_code = 450
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_recipient_reject_reason = Address lookup failure
unverified_sender_reject_code = 554
virtual_alias_maps = ${mysql}/mysql_virtual_alias_maps.cf
virtual_mailbox_domains = ${mysql}/mysql_virtual_mailbox_domains.cf
virtual_mailbox_limit = 0
virtual_mailbox_maps = ${mysql}/mysql_virtual_mailbox_maps.cf
virtual_transport = lmtp:inet:dovecot.mail-server:24
鸽子会议 -n
# doveconf -n
# 2.3.4.1 (f79e8e7e4): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.4 ()
# OS: Linux 4.9.0-8-amd64 x86_64 Debian buster/sid ext4
# Hostname: dovecot-0.dovecot.mail-server.svc.cluster.local
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = yes
disable_plaintext_auth = no
first_valid_gid = 8
first_valid_uid = 8
haproxy_timeout = 5 secs
haproxy_trusted_networks = 10.0.0.0/8
hostname = s2.__SNIP__.com
log_path = /dev/stderr
mail_access_groups = mail
mail_debug = yes
mail_gid = mail
mail_home = /mail/%d/%n
mail_location = maildir:/mail/%d/%n
mail_privileged_group = mail
mail_uid = mail
maildir_stat_dirs = yes
namespace inbox {
inbox = yes
location =
mailbox Drafts {
auto = subscribe
special_use = \Drafts
}
mailbox Junk {
auto = subscribe
special_use = \Junk
}
mailbox Sent {
auto = subscribe
special_use = \Sent
}
mailbox Trash {
auto = subscribe
special_use = \Trash
}
prefix =
}
passdb {
args = /etc/dovecot/dovecot-sql.conf.ext
driver = sql
}
postmaster_address = info@__SNIP__.com
protocols = " imap lmtp pop3 submission"
service auth-worker {
unix_listener auth-worker {
group = mail
mode = 0660
user = $default_internal_user
}
user = mail
}
service auth {
user = $default_internal_user
}
service dict {
unix_listener dict {
group = mail
mode = 0660
}
}
service imap-login {
inet_listener imap {
haproxy = yes
port = 143
}
inet_listener imaps {
haproxy = yes
port = 993
ssl = yes
}
}
service lmtp {
inet_listener lmtp {
haproxy = no
port = 24
}
}
service pop3-login {
inet_listener pop3 {
haproxy = yes
port = 110
}
inet_listener pop3s {
haproxy = yes
port = 995
ssl = yes
}
}
service submission-login {
inet_listener submission {
haproxy = no
port = 587
}
}
ssl_cert = </certs/tls.crt
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
submission_relay_host = postfix.mail-server
submission_relay_port = 587
userdb {
driver = prefetch
}
userdb {
args = /etc/dovecot/dovecot-sql.conf.ext
driver = sql
}
verbose_ssl = yes
protocol !indexer-worker {
mail_vsize_bg_after_count = 100
}
protocol lda {
mail_plugins =
}
protocol imap {
mail_plugins =
}
protocol lmtp {
mail_plugins =
recipient_delimiter = +
}
protocol pop3 {
mail_plugins =
}
答案是不。如果您拒绝所有发件人,则来自 dovecot 的中继电子邮件也会被拒绝。中继就是发送。所以这只会阻止您的服务器完全正常运行