I'm trying to deploy an SMTP server on Google Cloud Run, and so far I can't figure out how to attach a TCP/UDP load balancer to the backend.
Is there a way to have my Cloud Run application listen publicly on port 25?
Is there a way to install only the sendmail client, without the sendmail MTA?
I mean the sendmail -t command that processes such as cron commonly use to submit outgoing email. Most programs of that kind expect to invoke some program named sendmail that is compatible with the sendmail API, so that they can send outgoing mail.
Currently I don't have any sendmail binary on my mail server, so I see things like this in cron:
(CRON) info (No MTA installed, discarding output)
I do in fact have an MTA installed - one I wrote myself (so not Postfix, exim, etc.) - but I haven't written any sendmail program to hook into it. I'd like to know whether it's possible to install and use the sendmail program on its own, so that it just takes whatever it is given, opens an SMTP connection to localhost:25 and feeds it into the MTA with an SMTP transaction. That way I wouldn't need to write my own program with the same interface to do this.
Is this possible? I assume something like this already exists, so I don't want to reinvent the wheel. Installing sendmail by default also installs the sendmail MTA, which I don't want; I don't want to install any MTA package that would break or interfere with the real MTA already on the system.
In the research I've done there seems to be no distinction made between the two. All the tutorials seem to assume you're using one of the "standard" MTAs. If the answer is "no", is there documentation of the complete binary API that a sendmail program needs to implement to be compatible?
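As an added example (not code from the post, and not any existing sendmail implementation), here is a minimal sendmail-compatible front end in Python that does what the question describes: it accepts the sendmail command-line subset that cron and similar callers use, reads the message from stdin, derives the envelope the way sendmail -t does, and submits the message to whatever MTA listens on localhost:25. The host and port, the option subset it understands, and its tolerance of unknown options are assumptions; the message used in the test is constructed.

```python
"""Minimal sendmail(8)-compatible submission front end.

Added example, not code from the post: reads a message from stdin, works out
the envelope the way 'sendmail -t' does, and hands the message over SMTP to
the MTA listening on localhost:25 (assumption). Unknown options are ignored so
that callers such as cron (which pass things like -FCronDaemon -i -odi -oi)
still work.
"""
import argparse
import smtplib
import sys
from email import message_from_bytes, policy
from email.utils import getaddresses

SMTP_HOST = "localhost"  # assumption: the local MTA accepts submissions here
SMTP_PORT = 25


def parse_args(argv):
    """Parse the sendmail option subset we support; unknown options are returned separately."""
    p = argparse.ArgumentParser(add_help=False)
    p.add_argument("-t", action="store_true", help="take recipients from To/Cc/Bcc headers")
    p.add_argument("-i", action="store_true", help="ignore a lone '.' line (SMTP dot-stuffing covers this)")
    p.add_argument("-f", dest="sender", default=None, help="envelope sender (MAIL FROM)")
    p.add_argument("-F", dest="fullname", default=None, help="sender full name (accepted, unused)")
    p.add_argument("-o", action="append", default=[], help="-oX options such as -oi (accepted, unused)")
    p.add_argument("recipients", nargs="*")
    return p.parse_known_args(argv)


def build_envelope(raw, argv_recipients=(), use_t=False, sender=None):
    """Return (envelope sender, recipient list, message bytes ready for DATA).

    With -t the recipients come from To/Cc/Bcc, the Bcc header is removed before
    transmission, and recipients named on the command line are added as well.
    Without -f the envelope sender falls back to the From: header.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    rcpts = list(argv_recipients)
    if use_t:
        for field in ("to", "cc", "bcc"):
            values = [str(v) for v in msg.get_all(field, [])]
            rcpts += [addr for _, addr in getaddresses(values) if addr]
        del msg["Bcc"]  # Bcc recipients must never be visible to the other recipients
    if sender is None:
        from_values = [str(v) for v in msg.get_all("from", [])]
        from_addrs = [addr for _, addr in getaddresses(from_values) if addr]
        sender = from_addrs[0] if from_addrs else ""
    seen, unique = set(), []
    for r in rcpts:  # de-duplicate while keeping first-seen order
        if r.lower() not in seen:
            seen.add(r.lower())
            unique.append(r)
    if not unique:
        raise ValueError("no recipients: use -t or name them on the command line")
    return sender, unique, msg.as_bytes()


def submit(raw, argv, host=SMTP_HOST, port=SMTP_PORT):
    """Command-line entry: parse options, build the envelope, run the SMTP transaction."""
    args, _unknown = parse_args(argv)
    sender, rcpts, body = build_envelope(raw, args.recipients, args.t, args.sender)
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.sendmail(sender, rcpts, body)
    return sender, rcpts


if __name__ == "__main__":
    submit(sys.stdin.buffer.read(), sys.argv[1:])
```

Installed as /usr/sbin/sendmail (the path cron and most software look for), this is enough for the "(No MTA installed, discarding output)" case; anything beyond submission, such as queueing when the MTA is down or the -bp/-q mail-queue modes, is left to the MTA itself.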
I run a mail server for about 30 people. I've had zero problems with it. But last week some users started reporting an error in their email client, Outlook:
Checking the server's mail logs around the time of the error, all I can find is these entries, which all occur at the same moment. I'm not even sure these entries are related to the Outlook error (it doesn't seem to have anything to do with SMTP), but the fact that the connections close almost simultaneously, and the long "waiting input" times, look suspicious:
Jan 18 11:56:56 ip-172-30-0-131 dovecot: imap(t.olixxxx)<3739040></Z84+joPNhRsOgYu>: Connection closed (IDLE running for 0.001 + waiting input for 1175.376 secs, 2 B in + 10 B out, state=wait-input) in=182 out=172366 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Jan 18 11:56:56 ip-172-30-0-131 dovecot: imap(s.damxxxx)<3739037><iQY3+joPottsOgYu>: Connection closed (IDLE running for 0.001 + waiting input for 1174.763 secs, 2 B in + 10 B out, state=wait-input) in=182 out=799331 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Jan 18 11:56:59 ip-172-30-0-131 postfix/smtpd[3740240]: warning: hostname 179.hosted-by.198xd.com does not resolve to address 45.129.14.179: Name or service not known
Jan 18 11:56:59 ip-172-30-0-131 postfix/smtpd[3740240]: connect from unknown[45.129.14.179]
Jan 18 11:57:00 ip-172-30-0-131 dovecot: imap(j.pomexxxxx)<3739095><k7z3/zoPqLdsOgYu>: Connection closed (IDLE running for 0.001 + waiting input for 1078.221 secs, 2 B in + 10 B out, state=wait-input) in=165 out=801497 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Jan 18 11:57:00 ip-172-30-0-131 dovecot: imap(a.cerxxxxx)<3739042><JCXQ+joPu5JsOgYu>: Connection closed (IDLE running for 0.001 + waiting input for 1169.527 secs, 2 B in + 10 B out, state=wait-input) in=182 out=303618 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Jan 18 11:57:00 ip-172-30-0-131 dovecot: imap(h.foxxxxx)<3739034><kpEo+joP9g5sOgYu>: Connection closed (IDLE running for 0.001 + waiting input for 1180.675 secs, 2 B in + 10 B out, state=wait-input) in=194 out=1927 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Jan 18 11:57:00 ip-172-30-0-131 dovecot: imap(dxxxxxx)<3739057><xljV/DoPPnZsOgYu>: Connection closed (IDLE running for 0.001 + waiting input for 1135.454 secs, 2 B in + 10 B out, state=wait-input) in=182 out=458253 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
For the users these errors don't happen all the time, but often enough to be annoying. I'm running dovecot and postfix on Debian bullseye.
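The observation above, that many IDLE sessions close in the same second, is something worth checking across a whole log rather than by eye. As an added example (not code from the post), the following Python parses dovecot "Connection closed" lines in the format shown, clusters closes that fall within a few seconds of each other, and reports how many users each cluster hit and how long the sessions had been idle. The log lines in the block are constructed in the same format; host and user names are invented.

```python
"""Spot simultaneous IMAP disconnects in dovecot logs.

Added example, not from the post. Parses dovecot 'Connection closed' lines,
groups closes that occur within a short window of each other, and summarises
each group. Many users losing IDLE sessions in the same second points at
something between the clients and the server (or at the server) rather than
at one user's mail client. SAMPLE_LOG is constructed; names are invented.
"""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: "
    r"imap\((?P<user>[^)]*)\)<(?P<pid>\d+)><[^>]*>: Connection closed \((?P<reason>[^)]*)\)"
)
WAIT_RE = re.compile(r"waiting input for (?P<secs>\d+(?:\.\d+)?) secs")

SAMPLE_LOG = """\
Jan 18 11:40:02 mail dovecot: imap(alice)<1001><aaaa>: Connection closed (IDLE running for 0.001 + waiting input for 300.100 secs, 2 B in + 10 B out, state=wait-input) in=100 out=200
Jan 18 11:56:56 mail dovecot: imap(bob)<1002><bbbb>: Connection closed (IDLE running for 0.001 + waiting input for 1175.376 secs, 2 B in + 10 B out, state=wait-input) in=182 out=172366
Jan 18 11:56:56 mail dovecot: imap(carol)<1003><cccc>: Connection closed (IDLE running for 0.001 + waiting input for 1174.763 secs, 2 B in + 10 B out, state=wait-input) in=182 out=799331
Jan 18 11:56:59 mail postfix/smtpd[2000]: connect from unknown[192.0.2.10]
Jan 18 11:57:00 mail dovecot: imap(dave)<1004><dddd>: Connection closed (IDLE running for 0.001 + waiting input for 1078.221 secs, 2 B in + 10 B out, state=wait-input) in=165 out=801497
Jan 18 11:57:00 mail dovecot: imap(erin)<1005><eeee>: Connection closed (IDLE running for 0.001 + waiting input for 1169.527 secs, 2 B in + 10 B out, state=wait-input) in=182 out=303618
Jan 18 12:30:15 mail dovecot: imap(frank)<1006><ffff>: Logged out in=50 out=60
"""


def parse_closes(lines):
    """Return one dict per dovecot 'Connection closed' line, in file order."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # postfix lines, logins, clean logouts: not disconnect events
        wait = WAIT_RE.search(m.group("reason"))
        events.append({
            "time": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),  # syslog carries no year
            "user": m.group("user"),
            "reason": m.group("reason"),
            "wait_secs": float(wait.group("secs")) if wait else None,
        })
    return events


def find_bursts(events, window_secs=5, min_count=3):
    """Cluster closes whose timestamps lie within window_secs of the cluster's first close."""
    bursts, current = [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        if current and (ev["time"] - current[0]["time"]).total_seconds() > window_secs:
            if len(current) >= min_count:
                bursts.append(current)
            current = []
        current.append(ev)
    if len(current) >= min_count:
        bursts.append(current)
    return bursts


def summarize(burst):
    """Who was hit, when, and how long the sessions had been waiting for input."""
    waits = [e["wait_secs"] for e in burst if e["wait_secs"] is not None]
    return {
        "start": burst[0]["time"].strftime("%b %d %H:%M:%S"),
        "count": len(burst),
        "users": [e["user"] for e in burst],
        "wait_min": min(waits) if waits else None,
        "wait_max": max(waits) if waits else None,
    }


if __name__ == "__main__":
    for burst in find_bursts(parse_closes(SAMPLE_LOG.splitlines())):
        print(summarize(burst))
```

Run it over the real log with the lines piped in (or read from /var/log/mail.log) and compare the burst start times with the times users report the Outlook error; a burst whose idle durations all sit in a narrow range is a second pattern worth noting, because it suggests the sessions are being cut after a fixed idle time rather than at random.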
Kubernetes setup:
mailpit Service + Deployment (the ingress works, I can connect to the UI)
---
apiVersion: v1
kind: Service
metadata:
  name: desideria-crm-mailpit
  namespace: desideria-crm
  labels:
    app: desideria-crm-mailpit
spec:
  ports:
    - port: 8025
      name: http-sv
      targetPort: http
      protocol: TCP
    - port: 1025
      name: smtp-sv-tcp
      targetPort: smtp-tcp
      protocol: TCP
  selector:
    app: desideria-crm-mailpit
  clusterIP: None
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: desideria-crm-mailpit
  namespace: desideria-crm
  labels:
    app: desideria-crm-mailpit
spec:
  replicas: 1
  selector:
    matchLabels:
      app: desideria-crm-mailpit
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: desideria-crm-mailpit
    spec:
      containers:
        - image: axllent/mailpit:v1.9.8
          name: desideria-crm-mailpit
          env:
            - name: MP_VERBOSE
              value: "true"
          ports:
            - containerPort: 8025
              name: http
              protocol: TCP
            - containerPort: 1025
              name: smtp-tcp
              protocol: TCP
Created a file email.txt on the pod:
From: [email protected]
To: [email protected]
Subject: Email Subject

This is the body of the email.
It can contain multiple lines of text.
Then from a shell on the mailpit pod:
Test #1 from the mailpit pod against localhost
sendmail -v -w 5 -t -oLogLevel=1 -S localhost:1025 < email.txt
Result OK, the email shows up in the mailpit UI
sendmail: recv:'220 desideria-crm-mailpit-7cfbdb55d7-krdcw Mailpit ESMTP Service ready'
sendmail: send:'EHLO desideria-crm-mailpit-7cfbdb55d7-krdcw'
sendmail: recv:'250-desideria-crm-mailpit-7cfbdb55d7-krdcw greets desideria-crm-mailpit-7cfbdb55d7-krdcw'
sendmail: recv:'250-SIZE 0'
sendmail: recv:'250 ENHANCEDSTATUSCODES'
sendmail: send:'MAIL FROM:<root@desideria-crm-mailpit-7cfbdb55d7-krdcw>'
sendmail: recv:'250 2.1.0 Ok'
sendmail: send:'RCPT TO:<[email protected]>'
sendmail: recv:'250 2.1.5 Ok'
sendmail: send:'DATA'
sendmail: recv:'354 Start mail input; end with <CR><LF>.<CR><LF>'
sendmail: send:'From: [email protected]'
sendmail: send:'To: [email protected]'
sendmail: send:'Subject: Email Subject'
sendmail: send:''
sendmail: send:'This is the body of the email.'
sendmail: send:'It can contain multiple lines of text.'
sendmail: send:'.'
sendmail: recv:'250 2.0.0 Ok: queued'
sendmail: send:'QUIT'
sendmail: recv:'221 2.0.0 desideria-crm-mailpit-7cfbdb55d7-krdcw Mailpit ESMTP Service closing transmission channel'
Test #2 desideria-crm-mailpit (this time from another pod inside the same kubernetes namespace)
sendmail -v -w 5 -t -oLogLevel=1 -S desideria-crm-mailpit:1025 < email.txt
Timeout after 5 seconds; higher timeouts don't work either.
Alarm clock
Test #3 desideria-crm-mailpit (using a java application in another pod inside the same namespace)
Side note:
DEBUG: Jakarta Mail version 2.1.1
DEBUG: URL jar:file:/var/lib/jar/desideriacare-crm-api.jar!/BOOT-INF/lib/jakarta.mail-1.1.0.jar!/META-INF/javamail.providers
DEBUG: successfully loaded resource: jar:file:/var/lib/jar/desideriacare-crm-api.jar!/BOOT-INF/lib/jakarta.mail-1.1.0.jar!/META-INF/javamail.providers
DEBUG: successfully loaded resource: /META-INF/javamail.default.providers
DEBUG: Tables of loaded providers
DEBUG: Providers Listed By Class Name: {com.sun.mail.smtp.SMTPTransport=jakarta.mail.Provider[TRANSPORT,smtp,com.sun.mail.smtp.SMTPTransport,Oracle], com.sun.mail.pop3.POP3Store=jakarta.mail.Provider[STORE,pop3,com.sun.mail.pop3.POP3Store,Oracle], com.sun.mail.imap.IMAPSSLStore=jakarta.mail.Provider[STORE,imaps,com.sun.mail.imap.IMAPSSLStore,Oracle], com.sun.mail.smtp.SMTPSSLTransport=jakarta.mail.Provider[TRANSPORT,smtps,com.sun.mail.smtp.SMTPSSLTransport,Oracle], com.sun.mail.pop3.POP3SSLStore=jakarta.mail.Provider[STORE,pop3s,com.sun.mail.pop3.POP3SSLStore,Oracle], com.sun.mail.imap.IMAPStore=jakarta.mail.Provider[STORE,imap,com.sun.mail.imap.IMAPStore,Oracle]}
DEBUG: Providers Listed By Protocol: {imap=jakarta.mail.Provider[STORE,imap,com.sun.mail.imap.IMAPStore,Oracle], smtp=jakarta.mail.Provider[TRANSPORT,smtp,com.sun.mail.smtp.SMTPTransport,Oracle], pop3=jakarta.mail.Provider[STORE,pop3,com.sun.mail.pop3.POP3Store,Oracle], imaps=jakarta.mail.Provider[STORE,imaps,com.sun.mail.imap.IMAPSSLStore,Oracle], smtps=jakarta.mail.Provider[TRANSPORT,smtps,com.sun.mail.smtp.SMTPSSLTransport,Oracle], pop3s=jakarta.mail.Provider[STORE,pop3s,com.sun.mail.pop3.POP3SSLStore,Oracle]}
DEBUG: successfully loaded resource: /META-INF/javamail.default.address.map
DEBUG: URL jar:file:/var/lib/jar/desideriacare-crm-api.jar!/BOOT-INF/lib/jakarta.mail-1.1.0.jar!/META-INF/javamail.address.map
DEBUG: successfully loaded resource: jar:file:/var/lib/jar/desideriacare-crm-api.jar!/BOOT-INF/lib/jakarta.mail-1.1.0.jar!/META-INF/javamail.address.map
DEBUG: getProvider() returning jakarta.mail.Provider[TRANSPORT,smtp,com.sun.mail.smtp.SMTPTransport,Oracle]
DEBUG SMTP: useEhlo true, useAuth false
DEBUG SMTP: trying to connect to host "desideria-crm-mailpit", port 1025, isSSL false
DEBUG SMTP: exception reading response, THROW:
java.net.SocketTimeoutException: Read timed out
at java.base/sun.nio.ch.NioSocketImpl.timedRead(NioSocketImpl.java:280)
at java.base/sun.nio.ch.NioSocketImpl.implRead(NioSocketImpl.java:306)
..... shortened
Test #4 desideria-crm-mailpit (using telnet from the same pod as in test #2)
telnet desideria-crm-mailpit 1025
Result works - but why?
Connected to desideria-crm-mailpit
EHLO testingstuff
220 desideria-crm-mailpit-7cfbdb55d7-krdcw Mailpit ESMTP Service ready
250-desideria-crm-mailpit-7cfbdb55d7-krdcw greets testingstuff
250-SIZE 0
250 ENHANCEDSTATUSCODES
MAIL FROM:<[email protected]>
250 2.1.0 Ok
RCPT TO:<[email protected]>
250 2.1.5 Ok
DATA
354 Start mail input; end with <CR><LF>.<CR><LF>
From: [email protected]
To: [email protected]
Subject: Email Subject
r1
r2
last row
.
250 2.0.0 Ok: queued
Summary
desideria-crm-mailpit / its IP is reachable from any pod. What might sendmail/the java application be doing differently from telnet?
Using the Pod/Service IP instead of the service name desideria-crm-mailpit I get the same result.
I'm really confused, because database services like mariadb/mongodb are set up the same way and work fine, and their ports are reachable from the java application.
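One difference between the tests above is what the client waits for: sendmail and Jakarta Mail both block until the server's 220 greeting arrives, whereas in the telnet transcript EHLO was typed before any greeting had been printed, so an interactive session can look fine while a greeting-waiting client times out. As an added example (not code from the post or from Mailpit), here is a Python probe that times the greeting rather than just the TCP connect and reports which of three things happened: refused, connected but no greeting within the timeout, or greeting received. A tiny fake SMTP server with a configurable greeting delay is included so the probe can be exercised offline; the host names and ports are placeholders.

```python
"""Time the SMTP greeting instead of just the TCP connect.

Added example, not from the post. probe_smtp_banner() connects, then waits
for one greeting line and classifies the result. start_fake_smtp() is a
single-connection test fixture that delays its greeting by a chosen number
of seconds; closed_local_port() yields a port that refuses connections.
"""
import socket
import sys
import threading
import time


def probe_smtp_banner(host, port, timeout=5.0):
    """Connect to host:port and wait up to `timeout` seconds for one greeting line.

    Returns a dict whose 'outcome' is 'refused', 'no-banner' or 'banner', with timings.
    """
    started = time.monotonic()
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return {"outcome": "refused", "error": str(exc)}
    connect_ms = round((time.monotonic() - started) * 1000, 1)
    buf = b""
    try:
        sock.settimeout(timeout)
        while b"\n" not in buf and len(buf) < 4096:
            chunk = sock.recv(1024)
            if not chunk:  # peer closed without greeting
                break
            buf += chunk
    except socket.timeout:
        return {"outcome": "no-banner", "connect_ms": connect_ms, "waited_secs": timeout}
    finally:
        sock.close()
    if b"\n" not in buf:
        return {"outcome": "no-banner", "connect_ms": connect_ms,
                "waited_secs": round(time.monotonic() - started, 3), "note": "closed before greeting"}
    line = buf.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")
    return {"outcome": "banner", "connect_ms": connect_ms,
            "banner_ms": round((time.monotonic() - started) * 1000, 1),
            "banner": line, "is_220": line.startswith("220")}


def start_fake_smtp(greeting_delay_secs, banner=b"220 fake.example ESMTP ready\r\n"):
    """Serve one connection on 127.0.0.1: accept, wait, send the greeting, close. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn, srv:
            time.sleep(greeting_delay_secs)
            try:
                conn.sendall(banner)
            except OSError:
                pass  # the client already gave up, which is the case being demonstrated

    threading.Thread(target=run, daemon=True).start()
    return port


def closed_local_port():
    """Bind and immediately release a loopback port so that a probe against it is refused."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # usage: python probe.py <host> <port> [timeout]; without arguments it probes the fixture
    if len(sys.argv) > 2:
        host, port = sys.argv[1], int(sys.argv[2])
    else:
        host, port = "127.0.0.1", start_fake_smtp(2.0)
    print(probe_smtp_banner(host, port, timeout=float(sys.argv[3]) if len(sys.argv) > 3 else 5.0))
```

Run from the pod used in test #2 against the service name and again against the pod IP, a 'no-banner' result with a short connect time says the TCP path through the headless Service is fine and the delay is on the server side before it greets, which narrows the search to the Mailpit container (its startup, DNS lookups it might perform, or resource limits) instead of the Service or network policy.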
I've been using instantly.ai to send email. I connected IONOS.ca and JustHost.com mailboxes to Instantly and it works fine (warm-up, receiving and sending [yes, other email accounts receive the sent emails, and my mailbox inboxes show the warm-up emails coming in]). However, sent emails never show up in the Sent folder of the webmail (IONOS.ca and JustHost.com mailboxes).
I'm using SMTP/IMAP settings.
I've tried talking to Instantly support, IONOS.ca support and JustHost.com support, and they all say it's someone else's problem... which is frustrating, since nobody seems to know what's going on.
I don't know what to ask. I'm at a dead end now. I don't know which settings I have to change or edit.
Please help me figure out how to fix this myself, or what the right questions are to ask support, so that emails sent through the Instantly client show up in the Sent folder of the IONOS and JustHost mailboxes.
If you can tell me what I need to tell support, that would help a lot.
Thank you.
ps Everything works fine with Google mailboxes and Office365 mailboxes, just not with IONOS and JustHost
pss I spoke with JustHost support, and they changed some routing options and MX records and said that would help. It didn't.
Have I shot myself in the foot?
I mostly use gmail to send and receive mail, support, etc. My default "send mail as" profile isn't the gmail address itself but an address on my server (also the reply-to address). Example: "My Name <[email protected]>"
On my server I have SPF and DKIM set up as well as I can, because from time to time I send "bulk" email to my user base (after I update my software).
SPF includes gmail ( +include:_spf.google.com )
All of this has worked fine for a year. Yesterday I also set up DMARC to make sure people can't impersonate me by email. Before yesterday there was no DMARC record. I set my DMARC policy to reject (p=reject) to avoid spoofing, etc.
Today I sent several emails (via gmail) to other gmail addresses, but they bounced because of the policy. Strangely, emails to hotmail.com (for example) arrived (I checked with the recipients). I sent an email (via gmail) to https://www.learndmarc.com/ (an email address generated for testing), which confirmed the problem
I'm wondering what is best to do?
Ideally there would be a fourth option (that I don't know of): keep things as they are but somehow "improve" DMARC, still with p=reject, but somehow accepting gmail as a sender?
Your input is appreciated
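DMARC does not ask "is the sending server allowed to send for my domain"; it asks whether the domain in the From: header is the same (or, in relaxed mode, the same organizational domain) as a domain that SPF or DKIM actually authenticated. SPF authenticates the MAIL FROM (Return-Path) domain, so an include:_spf.google.com entry in the server domain's SPF record only matters if the MAIL FROM is in that domain. As an added example (not code from the post), the Python below implements that alignment check in simplified form and runs it over three constructed scenarios: a message authenticated only for gmail.com (which is what the symptoms above are consistent with; the Gmail behaviour is an assumption, not quoted headers), the same message also carrying a DKIM signature for the server domain, and a subdomain MAIL FROM under relaxed and strict alignment. The organizational domain is approximated as the last two labels; a real implementation uses the Public Suffix List.

```python
"""DMARC identifier alignment, worked through for the 'send mail as' case.

Added example, not from the post. Implements the DMARC alignment rule in
simplified form: the RFC5322.From domain must align with the RFC5321.MailFrom
domain that SPF passed for, or with the d= domain of a passing DKIM signature.
Relaxed mode compares organizational domains, strict mode exact domains.
organizational_domain() is an approximation (last two labels, no PSL).
All scenario values are constructed.
"""


def organizational_domain(domain):
    """Approximation: last two labels (example.test, gmail.com). No Public Suffix List lookup."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode="r"):
    """Relaxed ('r'): organizational domains equal. Strict ('s'): exact match."""
    if not auth_domain:
        return False
    f, a = from_domain.lower(), auth_domain.lower()
    return f == a if mode == "s" else organizational_domain(f) == organizational_domain(a)


def evaluate_dmarc(header_from, mail_from, spf_result, dkim_results, record):
    """Combine SPF and DKIM results with alignment, then apply the From domain's policy.

    header_from  - RFC5322.From address
    mail_from    - RFC5321.MailFrom (envelope sender / Return-Path)
    spf_result   - 'pass' / 'fail' / 'none', as evaluated for mail_from's domain
    dkim_results - list of (d= domain, result), one per signature
    record       - parsed DMARC record fields, e.g. {'p': 'reject', 'adkim': 'r', 'aspf': 'r'}
    """
    from_domain = header_from.rsplit("@", 1)[1]
    mail_from_domain = mail_from.rsplit("@", 1)[1] if "@" in mail_from else ""
    spf_aligned = spf_result == "pass" and aligned(from_domain, mail_from_domain, record.get("aspf", "r"))
    dkim_aligned = any(result == "pass" and aligned(from_domain, d, record.get("adkim", "r"))
                       for d, result in dkim_results)
    dmarc_pass = spf_aligned or dkim_aligned
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if dmarc_pass else "fail",
        "disposition": "none" if dmarc_pass else record["p"],
    }


RECORD = {"p": "reject", "adkim": "r", "aspf": "r"}  # p=reject as in the post, default (relaxed) alignment

# Scenario 1 (constructed, assumption about the submission path): the message leaves Google's
# servers authenticated for gmail.com only. The server domain's include:_spf.google.com never
# comes into play because SPF is evaluated on the MAIL FROM domain, not on the From: domain.
SENT_VIA_GMAIL = dict(header_from="me@example.test", mail_from="someone@gmail.com",
                      spf_result="pass", dkim_results=[("gmail.com", "pass")])
# Scenario 2 (constructed): the same message also carries a DKIM signature with d=example.test,
# which is what relaying it through the server's own signing MTA would add.
SIGNED_BY_OWN_SERVER = dict(SENT_VIA_GMAIL, dkim_results=[("gmail.com", "pass"), ("example.test", "pass")])
# Scenario 3 (constructed): bounce address on a subdomain; aligns relaxed, not strict.
SUBDOMAIN_MAILFROM = dict(header_from="me@example.test", mail_from="bounces@mail.example.test",
                          spf_result="pass", dkim_results=[])


if __name__ == "__main__":
    for name, scenario in [("via gmail", SENT_VIA_GMAIL), ("own signature", SIGNED_BY_OWN_SERVER),
                           ("subdomain mailfrom", SUBDOMAIN_MAILFROM)]:
        print(name, evaluate_dmarc(**scenario, record=RECORD))
```

The first scenario fails with p=reject regardless of how generous the SPF record is, and the second passes without touching the policy, which is the shape of the "fourth option" asked for: keep p=reject and make sure mail sent on the domain's behalf carries an aligned authentication (an aligned DKIM signature or an aligned MAIL FROM), rather than trying to whitelist a sender. Pasting the Authentication-Results header of one bounced message into these inputs shows which of the two identifiers is the one that fails to align.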
I'm using DirectAdmin on my server. I've configured Exim. I can send emails but can't receive them. For example, when I try to send an email via [email protected], I either get a 550 verification required error back, or no error at all. How can I fix this? I'm using port 2525 on GCP.
My configuration is as follows:
exim.authenticators.post.conf
mailjet_login:
driver = plaintext
public_name = LOGIN
hide client_send = : apikey:client
exim.routers.pre.conf
send_via_mailjet:
driver = manualroute
domains = ! +local_domains
transport = mailjet_smtp
route_list = "* in-v3.mailjet.com::2525 byname"
condition = "${perl{check_limits}}"
host_find_failed = defer
no_more
exim.transports.pre.conf
mailjet_smtp:
driver = smtp
port = 2525
hosts = in-v3.mailjet.com
hosts_require_auth = $host_address
This is a non-trivial problem. I spent almost 3 hours chatting with Google support. It was escalated to the second level and then to internal support. It may have to do with an SMTP server bouncing the mail.
I don't actually expect a solution from this message. I'm hoping some SMTP administrators can suggest how to get more information to troubleshoot this. I can use it to prod Google's internal support team.
We have a Google Workspace for Business and are using several groups.
Summary of the problem with our members group:
Problem quirks:
The log entries show as:
Aug 19, 2022, 3:27:54 PM Forwarded from group: [email protected]
Aug 19, 2022, 3:27:54 PM Accepted from group forwarding
Aug 19, 2022, 3:27:54 PM Bounced Message rejected. See https://support.google.com/mail/answer/69585 for more information.
For non-bounces, line 3 shows "Delivered". My understanding (guess?) of the sequence is:
'msg' >> [smtp servers] >> [group server] >>
[google smtp] >> [users smtp] >> user
^ {bounce}
I suspect another Google server is involved that does the bounce, rather than the [users smtp] server.
I've dumped the email logs into a spreadsheet, which shows more detail about the order of processing. As far as I can tell it doesn't provide anything useful.
Any suggestions for resolving this?
Update: Is there an online SMTP server where I can view the logs? I could create a user in the group for that server. If the mail bounces, the logs on that SMTP server should show why.
Update Aug 24, 2022: As mentioned in the comments, sent a message from the group web interface to Mail Genius. It did not bounce. A message sent from my personal account showed the Google mail server as spam-blacklisted. Forwarding the results to Google support.
So, in SES - as I see it, there are two ways to verify an identity:
Using a domain identity - it's easier to fix the "signed-by" and "mailed-by" headers in outgoing mail. If the DKIM/SPF DNS records are set up correctly - it works well.
But with an email identity - AWS SES adds something like "via amazonses.com". Now I'd like to fix this with my application's branding. So when my customers only want to verify an email identity rather than the whole domain - they can send email through my application (and through SES behind the scenes), but when the email goes out - instead of saying "via amazonses.com", it should show my application as "via example.com", rather than the email identity.
How can I achieve this? :)
Edit:
Number 2 is easy, I can achieve that with EasyDKIM in SES, but I can't figure out how to achieve number 1
I have a mail server from which, because of abuse, "permit_mynetworks" had to be removed from the Postfix configuration file (main.cf). I set it to permit relaying only for SASL-authenticated clients. But now postfix rejects any foreign recipient. Can someone tell me what's wrong? Thanks in advance!
Here is the configuration: [main.cf]
# --------------------
# INSTALL-TIME CONFIGURATION INFORMATION
#
# location of the Postfix queue. Default is /var/spool/postfix.
queue_directory = /var/spool/postfix
# location of all postXXX commands. Default is /usr/sbin.
command_directory = /usr/sbin
# location of all Postfix daemon programs (i.e. programs listed in the
# master.cf file). This directory must be owned by root.
# Default is /usr/libexec/postfix
daemon_directory = /usr/lib/postfix/sbin
# location of Postfix-writable data files (caches, random numbers).
# This directory must be owned by the mail_owner account (see below).
# Default is /var/lib/postfix.
data_directory = /var/lib/postfix
# owner of the Postfix queue and of most Postfix daemon processes.
# Specify the name of a user account THAT DOES NOT SHARE ITS USER OR GROUP ID
# WITH OTHER ACCOUNTS AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM.
# In particular, don't specify nobody or daemon. PLEASE USE A DEDICATED USER.
# Default is postfix.
mail_owner = postfix
# The following parameters are used when installing a new Postfix version.
#
# sendmail_path: The full pathname of the Postfix sendmail command.
# This is the Sendmail-compatible mail posting interface.
#
sendmail_path = /usr/sbin/sendmail
# newaliases_path: The full pathname of the Postfix newaliases command.
# This is the Sendmail-compatible command to build alias databases.
#
newaliases_path = /usr/bin/newaliases
# full pathname of the Postfix mailq command. This is the Sendmail-compatible
# mail queue listing command.
mailq_path = /usr/bin/mailq
# group for mail submission and queue management commands.
# This must be a group name with a numerical group ID that is not shared with
# other accounts, not even with the Postfix account.
setgid_group = postdrop
# external command that is executed when a Postfix daemon program is run with
# the -D option.
#
# Use "command .. & sleep 5" so that the debugger can attach before
# the process marches on. If you use an X-based debugger, be sure to
# set up your XAUTHORITY environment variable before starting Postfix.
#
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5
debug_peer_level = 2
# --------------------
# CUSTOM SETTINGS
#
# SMTP server response code when recipient or domain not found.
unknown_local_recipient_reject_code = 550
# Do not notify local user.
biff = no
# Disable the rewriting of "site!user" into "user@site".
swap_bangpath = no
# Disable the rewriting of the form "user%domain" to "user@domain".
allow_percent_hack = no
# Allow recipient address start with '-'.
allow_min_user = no
# Disable the SMTP VRFY command. This stops some techniques used to
# harvest email addresses.
disable_vrfy_command = yes
# Enable both IPv4 and/or IPv6: ipv4, ipv6, all.
inet_protocols = all
# Enable all network interfaces.
inet_interfaces = all
#
# TLS settings.
#
# SSL key, certificate, CA
#
smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail.crt
smtpd_tls_CApath = /etc/ssl/certs
#
# Disable SSLv2, SSLv3
#
smtpd_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_protocols = !SSLv2 !SSLv3
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
lmtp_tls_protocols = !SSLv2 !SSLv3
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3
#
# Fix 'The Logjam Attack'.
#
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_dh512_param_file = /etc/ssl/dh512_param.pem
smtpd_tls_dh1024_param_file = /etc/ssl/dh2048_param.pem
tls_random_source = dev:/dev/urandom
# Log only a summary message on TLS handshake completion — no logging of client
# certificate trust-chain verification errors if client certificate
# verification is not required. With Postfix 2.8 and earlier, log the summary
# message, peer certificate summary information and unconditionally log
# trust-chain verification errors.
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1
# Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do
# not require that clients use TLS encryption.
smtpd_tls_security_level = may
# Produce `Received:` message headers that include information about the
# protocol and cipher used, as well as the remote SMTP client CommonName and
# client certificate issuer CommonName.
# This is disabled by default, as the information may be modified in transit
# through other mail servers. Only information that was recorded by the final
# destination can be trusted.
#smtpd_tls_received_header = yes
# Opportunistic TLS, used when Postfix sends email to remote SMTP server.
# Use TLS if this is supported by the remote SMTP server, otherwise use
# plaintext.
# References:
# - http://www.postfix.org/TLS_README.html#client_tls_may
# - http://www.postfix.org/postconf.5.html#smtp_tls_security_level
smtp_tls_security_level = may
# Use the same CA file as smtpd.
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_CAfile = $smtpd_tls_CAfile
smtp_tls_note_starttls_offer = yes
# Enable long, non-repeating, queue IDs (queue file names).
# The benefit of non-repeating names is simpler logfile analysis and easier
# queue migration (there is no need to run "postsuper" to change queue file
# names that don't match their message file inode number).
enable_long_queue_ids = yes
# Reject unlisted sender and recipient
smtpd_reject_unlisted_recipient = no
smtpd_reject_unlisted_sender = no
# Header and body checks with PCRE table
header_checks = pcre:/etc/postfix/header_checks
body_checks = pcre:/etc/postfix/body_checks.pcre
# A mechanism to transform commands from remote SMTP clients.
# This is a last-resort tool to work around client commands that break
# interoperability with the Postfix SMTP server. Other uses involve fault
# injection to test Postfix's handling of invalid commands.
# Requires Postfix-2.7+.
smtpd_command_filter = pcre:/etc/postfix/command_filter.pcre
# Relay restriction
smtpd_relay_restrictions =
    permit_sasl_authenticated,
    reject
# HELO restriction
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_sasl_authenticated
    check_helo_access pcre:/etc/postfix/helo_access.pcre
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname
# Sender restrictions
smtpd_sender_restrictions =
    permit_sasl_authenticated
    permit_mynetworks
    check_sender_access pcre:/etc/postfix/sender_access.pcre
    reject
# Recipient restrictions
smtpd_recipient_restrictions =
    check_policy_service inet:127.0.0.1:7777
    permit_sasl_authenticated
    permit_mynetworks
    check_policy_service inet:127.0.0.1:12340
    reject_unauth_destination
# END-OF-MESSAGE restrictions
smtpd_end_of_data_restrictions =
    check_policy_service inet:127.0.0.1:7777
# Data restrictions
smtpd_data_restrictions = reject_unauth_pipelining
# SRS (Sender Rewriting Scheme) support
#sender_canonical_maps = tcp:127.0.0.1:7778
#sender_canonical_classes = envelope_sender
#recipient_canonical_maps = tcp:127.0.0.1:7779
#recipient_canonical_classes= envelope_recipient,header_recipient
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions $sender_dependent_relayhost_maps
# Avoid duplicate recipient messages. Default is 'yes'.
enable_original_recipient = no
# Virtual support.
virtual_minimum_uid = 2000
virtual_uid_maps = static:2000
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/vmail
# Do not set virtual_alias_domains.
virtual_alias_domains =
#
# Enable SASL authentication on port 25 and force TLS-encrypted SASL authentication.
# WARNING: NOT RECOMMENDED to enable smtp auth on port 25, all end users should
# be forced to submit email through port 587 instead.
#
smtpd_sasl_auth_enable = yes
smtpd_delay_reject = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = no
smtpd_client_restrictions = permit_sasl_authenticated
broken_sasl_auth_clients = yes
# hostname
myhostname = mail.ads-network.top
myorigin = mail.ads-network.top
mydomain = mail.ads-network.top
# trusted SMTP clients which are allowed to relay mail through Postfix.
#
# Note: additional IP addresses/networks listed in mynetworks should be listed
# in iRedAPD setting 'MYNETWORKS' (in `/opt/iredapd/settings.py`) too.
# for example:
#
# MYNETWORKS = ['xx.xx.xx.xx', 'xx.xx.xx.0/24', ...]
#
mynetworks = 127.0.0.1 [::1]
# Accepted local emails
mydestination = $myhostname, localhost, localhost.localdomain
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
# Default message_size_limit.
message_size_limit = 15728640
# The set of characters that can separate a user name from its extension
# (example: user+foo), or a .forward file name from its extension (example:
# .forward+foo).
# Postfix 2.11 and later supports multiple characters.
recipient_delimiter = +
# The time after which the sender receives a copy of the message headers of
# mail that is still queued. Default setting is disabled (0h) by Postfix.
#delay_warning_time = 1h
# Do not display the name of the recipient table in the "User unknown" responses.
# The extra detail makes trouble shooting easier but also reveals information
# that is nobody elses business.
show_user_unknown_table_name = no
compatibility_level = 2
#
# Lookup virtual mail accounts
#
transport_maps =
    proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf
    proxy:mysql:/etc/postfix/mysql/transport_maps_maillist.cf
    proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf
sender_dependent_relayhost_maps =
    proxy:mysql:/etc/postfix/mysql/sender_dependent_relayhost_maps.cf
# Lookup table with the SASL login names that own the sender (MAIL FROM) addresses.
smtpd_sender_login_maps =
    proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
virtual_mailbox_domains =
    proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
relay_domains =
    $mydestination
    proxy:mysql:/etc/postfix/mysql/relay_domains.cf
virtual_mailbox_maps =
    proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_alias_maps =
    proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf
    proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf
    proxy:mysql:/etc/postfix/mysql/catchall_maps.cf
    proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf
sender_bcc_maps =
    proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf
    proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf
recipient_bcc_maps =
    proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf
    proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf
#
# Postscreen
#
postscreen_greet_action = drop
postscreen_blacklist_action = drop
postscreen_dnsbl_action = drop
postscreen_dnsbl_threshold = 2
# Attention:
# - zen.spamhaus.org free tire has 3 limits
# (https://www.spamhaus.org/organization/dnsblusage/):
#
# 1) Your use of the Spamhaus DNSBLs is non-commercial*, and
# 2) Your email traffic is less than 100,000 SMTP connections per day, and
# 3) Your DNSBL query volume is less than 300,000 queries per day.
#
# - FAQ: "Your DNSBL blocks nothing at all!"
# https://www.spamhaus.org/faq/section/DNSBL%20Usage#261
#
# It's strongly recommended to use a local DNS server for cache.
postscreen_dnsbl_sites =
    zen.spamhaus.org=127.0.0.[2..11]*3
    b.barracudacentral.org=127.0.0.2*2
postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr
# Require Postfix-2.11+
postscreen_dnsbl_whitelist_threshold = -2
#
# Dovecot SASL support.
#
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
#
# mlmmj - mailing list manager
#
mlmmj_destination_recipient_limit = 1
#
# Amavisd + SpamAssassin + ClamAV
#
content_filter = smtp-amavis:[127.0.0.1]:10024
# Concurrency per recipient limit.
smtp-amavis_destination_recipient_limit = 1000
relayhost =
[master.cf]
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
#smtp inet n - y - 1 postscreen
#smtpd pass - - y - - smtpd
smtp inet n - - - - smtpd
dnsblog unix - - y - 0 dnsblog
tlsproxy unix - - y - 0 tlsproxy
#submission inet n - y - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_tls_auth_only=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - y - - smtpd
# -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - y - - qmqpd
#smtp inet n - - - - smtpd
pickup unix n - n 60 1 pickup
    -o content_filter=smtp-amavis:[127.0.0.1]:10026
cleanup unix n - n - 0 cleanup
#qmgr unix n - n 300 1 oqmgr
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
relay unix - - n - - smtp
    -o syslog_name=postfix/$service_name
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
postlog unix-dgram n - n - 1 postlogd
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
maildrop unix - n n - - pipe flags=DRhu
    user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# Other external delivery methods.
#
uucp unix - n n - - pipe flags=Fqhu
    user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe flags=F user=ftn
    argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe flags=Fq.
    user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe flags=R
    user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop}
    ${user} ${extension}
mailman unix - n n - - pipe flags=FR
    user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop}
    ${user}
# Submission, port 587, force TLS connection.
submission inet n - n - - smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o content_filter=smtp-amavis:[127.0.0.1]:10026
# smtps, port 465, force SSL connection.
465 inet n - n - - smtpd
    -o syslog_name=postfix/smtps
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o content_filter=smtp-amavis:[127.0.0.1]:10026
# Use dovecot's `deliver` program as LDA.
dovecot unix - n n - - pipe
    flags=DRh user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${domain} -m ${extension}
# mlmmj - mailing list manager
# ${nexthop} is '%d/%u' in transport ('mlmmj:%d/%u')
mlmmj unix - n n - - pipe
    flags=ORhu user=mlmmj:mlmmj argv=/usr/bin/mlmmj-amime-receive -L /var/vmail/mlmmj/${nexthop}
# Amavisd integration.
smtp-amavis unix - - n - 4 smtp
    -o syslog_name=postfix/amavis
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
# smtp port used by Amavisd to re-inject scanned email back to Postfix
127.0.0.1:10025 inet n - n - - smtpd
    -o syslog_name=postfix/10025
    -o content_filter=
    -o mynetworks_style=host
    -o mynetworks=127.0.0.0/8
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o strict_rfc821_envelopes=yes
    -o smtp_tls_security_level=none
    -o smtpd_tls_security_level=none
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    -o smtpd_end_of_data_restrictions=
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings
# smtp port used by mlmmj to re-inject scanned email back to Postfix, with
# address mapping support
127.0.0.1:10028 inet n - n - - smtpd
    -o syslog_name=postfix/10028
    -o content_filter=
    -o mynetworks_style=host
    -o mynetworks=127.0.0.0/8
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o strict_rfc821_envelopes=yes
    -o smtp_tls_security_level=none
    -o smtpd_tls_security_level=none
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_end_of_data_restrictions=
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
Also, here is the DIAG that Postfix reports:
Diagnostic-Code: smtp; 554 5.7.1 id=17953-16 - Rejected by next-hop MTA on
relaying, from MTA(smtp:[127.0.0.1]:10025): 554 5.7.1
<******@outlook.com>: Recipient address rejected: Access denied
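The DIAG names the hop that rejects: the 127.0.0.1:10025 listener that amavis re-injects scanned mail into, answering with the "Access denied" text of a plain reject. A message re-injected on that port is a fresh SMTP session from loopback with no SASL authentication, whatever authentication the original submission on 587 had. As an added example (not Postfix code and not from the post), the Python below is a simplified model of Postfix restriction-list evaluation (left to right, the first restriction that permits or rejects decides, an exhausted list permits, check_policy_service entries are assumed to answer DUNNO). It is run with the restriction lists quoted from the main.cf and master.cf above along both hops of an authenticated submission to an external recipient. The client addresses are constructed; the domain values are the ones in the configuration above.

```python
"""Walk Postfix restriction lists the way smtpd(8) does, for both hops in the question.

Added example, not Postfix code: a simplified model of restriction-list
evaluation. Restriction lists are quoted from the configuration above;
client IPs and the recipient domain are constructed.
"""
import ipaddress


def in_mynetworks(client_ip, mynetworks):
    """True if client_ip lies in any mynetworks entry ('127.0.0.1', '[::1]', '127.0.0.0/8')."""
    ip = ipaddress.ip_address(client_ip)
    for entry in mynetworks:
        net = ipaddress.ip_network(entry.strip("[]"), strict=False)  # bare address -> /32 or /128
        if ip.version == net.version and ip in net:
            return True
    return False


def evaluate(restrictions, session):
    """Return (verdict, restriction) for the first restriction that decides, else ('permit', 'end-of-list').

    session keys: client_ip, sasl_authenticated, recipient_domain, mynetworks,
    local_domains (mydestination + virtual_mailbox_domains), relay_domains.
    """
    for r in restrictions:
        if r == "permit_mynetworks":
            if in_mynetworks(session["client_ip"], session["mynetworks"]):
                return "permit", r
        elif r == "permit_sasl_authenticated":
            if session["sasl_authenticated"]:
                return "permit", r
        elif r == "reject_unauth_destination":
            allowed = set(session["local_domains"]) | set(session["relay_domains"])
            if session["recipient_domain"].lower() not in allowed:
                return "reject", r
        elif r == "reject":
            return "reject", r  # Postfix answers with reject_code 554 and the text 'Access denied'
        elif r.startswith("check_policy_service"):
            continue  # assumption: the policy daemon answers DUNNO for this message
        else:
            raise ValueError(f"restriction not modelled: {r}")
    return "permit", "end-of-list"


# Restriction lists as quoted from main.cf / master.cf above.
MAIN_CF_RECIPIENT = ["check_policy_service inet:127.0.0.1:7777", "permit_sasl_authenticated",
                     "permit_mynetworks", "check_policy_service inet:127.0.0.1:12340",
                     "reject_unauth_destination"]
SUBMISSION_CLIENT = ["permit_sasl_authenticated", "reject"]       # submission (587) -o override
REINJECT_10025_CLIENT = ["permit_mynetworks", "reject"]           # 127.0.0.1:10025 client override
REINJECT_10025_AS_IS = ["permit_sasl_authenticated", "reject"]    # 127.0.0.1:10025 recipient override
REINJECT_10028 = ["permit_mynetworks", "reject"]                  # 127.0.0.1:10028 recipient override

DOMAINS = dict(local_domains={"mail.ads-network.top", "localhost", "localhost.localdomain"},
               relay_domains=set())


def submission_then_reinject(recipient_domain, reinject_recipient_restrictions):
    """Trace an authenticated MUA on 587 -> amavis -> re-injection on 10025 (no SASL there).

    Returns (hop, verdict, restriction) for the first hop that rejects,
    or ('delivered', 'permit', '') when every hop permits.
    """
    mua = dict(DOMAINS, client_ip="203.0.113.7", sasl_authenticated=True,  # constructed client
               recipient_domain=recipient_domain, mynetworks=["127.0.0.1", "[::1]"])
    # amavis hands the scanned message back as a plain SMTP client from loopback
    reinject = dict(DOMAINS, client_ip="127.0.0.1", sasl_authenticated=False,
                    recipient_domain=recipient_domain, mynetworks=["127.0.0.0/8"])
    hops = [("587 client", SUBMISSION_CLIENT, mua),
            ("587 recipient", MAIN_CF_RECIPIENT, mua),
            ("10025 client", REINJECT_10025_CLIENT, reinject),
            ("10025 recipient", reinject_recipient_restrictions, reinject)]
    for name, restrictions, session in hops:
        verdict, why = evaluate(restrictions, session)
        if verdict == "reject":
            return name, verdict, why
    return "delivered", "permit", ""


if __name__ == "__main__":
    print(submission_then_reinject("outlook.com", REINJECT_10025_AS_IS))
    print(submission_then_reinject("outlook.com", REINJECT_10028))
```

With the 10025 override as quoted, the trace stops at "10025 recipient" on the bare reject, matching the DIAG; the submission hop itself is fine, which is why the rejection surfaces as a bounce rather than as an error in the user's mail client. The 10028 listener on the same page already uses permit_mynetworks,reject for this kind of loopback re-injection, and 10025 sets mynetworks=127.0.0.0/8 for itself, so that list permits the re-injected message while still refusing anything that does not come from loopback; removing permit_mynetworks from the public 25/587 listeners, which was the goal, is unaffected by what the loopback-only listener permits.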