回答
最好的答案是在 postfix-users邮件列表中,为了方便 serverfault 的用户,这里对其进行了总结。
- 我忘记了
soft_bounce = yes。no在验证配置后始终将其切换回 - 在寻求有关 Postfix 配置的帮助时,请始终包括完整的输出
postconf -n - 停止接受来自没有 PTR 记录的 IP 的邮件。添加
reject_unknown_reverse_client_hostname到smtpd_recipient_restrictions之后permit_mynetworks和permit_sasl_authenticated
如果回复码是 4xx,它会邀请其他邮件服务器重试。IP 地址似乎被“雪鞋式”垃圾邮件发送者使用,使得检测更加困难。这些 IP 地址在黑名单中进出,因为黑名单运营商(在本例中为 Spamhaus)正在努力对抗雪鞋行走者的策略。这是一场持续的全球军备竞赛。拒绝来自没有 PTR 记录的 IP 的邮件会显着减小本地战场的规模。
原始问题
这是在低使用率的个人 Postfix 服务器上记录的。我认为根据下面的标题拒绝电子邮件应该有两个原因,但结果是发送到收件箱。以下是相关 Postfix 配置的摘录,我的问题在最后。
日志摘录
Jun 5 09:58:37 x2 postfix/smtpd[8440]: connect from unknown[157.52.162.99]
Jun 5 09:58:37 x2 postfix/smtpd[8440]: NOQUEUE: reject: RCPT from unknown[157.52.162.99]: 454 4.7.1 Service unavailable; Client host [157.52.162.99] blocked using zen.spamhaus.org; from=<[email protected]> to=<XXX@XXX> proto=ESMTP helo=<mr99.dgnmkt.com>
Jun 5 09:58:37 x2 postfix/smtpd[8440]: disconnect from unknown[157.52.162.99]
Jun 5 10:01:57 x2 postfix/anvil[8394]: statistics: max connection rate 1/60s for (smtp:198.2.130.200) at Jun 5 09:51:57
Jun 5 10:01:57 x2 postfix/anvil[8394]: statistics: max connection count 1 for (smtp:198.2.130.200) at Jun 5 09:51:57
Jun 5 10:01:57 x2 postfix/anvil[8394]: statistics: max cache size 2 at Jun 5 09:55:18
Jun 5 10:06:39 x2 postfix/smtpd[8507]: connect from unknown[157.52.162.99]
Jun 5 10:06:40 x2 policyd-spf[8513]: None; identity=helo; client-ip=157.52.162.99; helo=mr99.dgnmkt.com; [email protected]; receiver=XXX@XXX
Jun 5 10:06:40 x2 policyd-spf[8513]: Pass; identity=mailfrom; client-ip=157.52.162.99; helo=mr99.dgnmkt.com; [email protected]; receiver=XXX@XXX
Jun 5 10:06:40 x2 postfix/smtpd[8507]: 49D01C1EDE: client=unknown[157.52.162.99]
Jun 5 10:06:40 x2 postfix/cleanup[8514]: 49D01C1EDE: message-id=messageid-3-M3w1NDIzfDU4fDM3ODk3OTR8eWxlYmF5Y2EwNEBzZmluYS5jb218U2F0LCAwNCBKdW4gMjAxNiAwNToxNDowNyAtMDcwMA==
Jun 5 10:06:40 x2 opendkim[1220]: 49D01C1EDE: [157.52.162.99] [157.52.162.99] not internal
Jun 5 10:06:40 x2 opendkim[1220]: 49D01C1EDE: not authenticated
Jun 5 10:06:43 x2 opendkim[1220]: 49D01C1EDE: no signature data
Jun 5 10:06:43 x2 postfix/qmgr[1337]: 49D01C1EDE: from=<[email protected]>, size=91945, nrcpt=1 (queue active)
Jun 5 10:06:43 x2 postfix/smtpd[8507]: disconnect from unknown[157.52.162.99]
Jun 5 10:06:43 x2 dovecot: lmtp(8516): Connect from local
Jun 5 10:06:43 x2 dovecot: lmtp(8516, YYY@XXX): nhVjEfMxVFdEIQAAzX/GXw: msgid=messageid-3-M3w1NDIzfDU4fDM3ODk3OTR8eWxlYmF5Y2EwNEBzZmluYS5jb218U2F0LCAwNCBKdW4gMjAxNiAwNToxNDowNyAtMDcwMA==: saved mail to INBOX
Jun 5 10:06:43 x2 postfix/lmtp[8515]: 49D01C1EDE: to=<YYY@XXX>, orig_to=<XXX@XXX>, relay=XXX[private/dovecot-lmtp], delay=3.6, delays=3.5/0.01/0.02/0.05, dsn=2.0.0, status=sent (250 2.0.0 <YYY@XXX> nhVjEfMxVFdEIQAAzX/GXw Saved)
Jun 5 10:06:43 x2 dovecot: lmtp(8516): Disconnect from local: Successful quit
Jun 5 10:06:43 x2 postfix/qmgr[1337]: 49D01C1EDE: removed
关于日志的注释
- @XXX 是我的域名
- XXX@XXX 是别名
- YYY@XXX 是邮箱
- 我的理解是,基于 zen.spamhaus.org 的错误发件人 [157.52.162.99] 已在 9:58:37 被阻止,但 8 分钟后它重新连接并成功发送了不应通过的内容。
应该被拒绝的邮件标题
Return-Path: <[email protected]>
Delivered-To: <YYY@XXX>
Received: from XXX
by XXX (Dovecot) with LMTP id nhVjEfMxVFdEIQAAzX/GXw
for <YYY@XXX>; Sun, 05 Jun 2016 10:06:43 -0400
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=157.52.162.99; helo=mr99.dgnmkt.com; [email protected]; receiver=XXX@XXX
Received: from mr99.dgnmkt.com (unknown [157.52.162.99])
by XXX (Postfix) with ESMTP id 49D01C1EDE
for <XXX@XXX>; Sun, 5 Jun 2016 10:06:39 -0400 (EDT)
Received: from stormmta (unknown [157.52.162.99])
by mr99.dgnmkt.com (Postfix) with ESMTP id DD84AE61F8A
for <XXX@XXX>; Sun, 5 Jun 2016 08:16:33 -0700 (PDT)
From:=?UTF-8?B?VG1hcnQuY29t?=<[email protected]>
To:XXX@XXX
后缀配置
相关的 main.cf 选项
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
reject_invalid_hostname
reject_non_fqdn_hostname
reject_non_fqdn_sender
reject_non_fqdn_recipient
reject_unknown_sender_domain
reject_unknown_recipient_domain
check_recipient_access hash:/etc/postfix/recipients
# used to have Postgrey here
# check_policy_service inet:127.0.0.1:10023
reject_rbl_client zen.spamhaus.org
check_policy_service unix:private/policy-spf
permit
smtpd_restriction_classes =
ebay
ebay =
check_reverse_client_hostname_mx_access pcre:/etc/postfix/ebay.pcre
/etc/postfix/收件人
XXX@XXX ebay
易趣网
/.ebay.com$/ DUNNO
/(.*)/ REJECT Not allowed to relay from $1. Please use eBay's contact form if you have legit communication for this email address.
我的意见和问题
我分配别名来隔离邮件来源。一个这样的别名被分配给 eBay。eBay 将买家的电子邮件地址泄露给商家。并非所有商家都尊重买家的沟通偏好。我的解决方案是将 eBay 别名上接受的电子邮件限制为来自 eBay 的电子邮件,并拒绝所有噪音。
首先,我认为这封电子邮件应该被以下人员拒绝:
check_recipient_access hash:/etc/postfix/recipients
因为遵循/etc/postfix/recipients易趣限制适用并且
ebay.pcre会在第二行抓住它。
其次,我认为这封电子邮件应该被以下人员拒绝:
reject_rbl_client zen.spamhaus.org
就像几分钟前的尝试一样。
显然我所期望的并没有发生。为什么?我该如何解决?
