
Questions tagged [smtp-auth] (server)

Cooper Max
Asked: 2022-04-04 20:51:22 +0800 CST

Postfix "Recipient address rejected: Access denied" error after removing permit_mynetworks

  • 0

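I have a mail server on which, because of abuse, "permit_mynetworks" had to be removed from the Postfix configuration file (main.cf). I have set it to allow only SASL-authenticated relaying. But now Postfix rejects any external recipient. Can someone tell me what is wrong? Thanks in advance!

Here is the configuration: [main.cf]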

# --------------------
# INSTALL-TIME CONFIGURATION INFORMATION
#
# location of the Postfix queue. Default is /var/spool/postfix.
queue_directory = /var/spool/postfix

# location of all postXXX commands. Default is /usr/sbin.
command_directory = /usr/sbin

# location of all Postfix daemon programs (i.e. programs listed in the
# master.cf file). This directory must be owned by root.
# Default is /usr/libexec/postfix
daemon_directory = /usr/lib/postfix/sbin

# location of Postfix-writable data files (caches, random numbers).
# This directory must be owned by the mail_owner account (see below).
# Default is /var/lib/postfix.
data_directory = /var/lib/postfix

# owner of the Postfix queue and of most Postfix daemon processes.
# Specify the name of a user account THAT DOES NOT SHARE ITS USER OR GROUP ID
# WITH OTHER ACCOUNTS AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM.
# In particular, don't specify nobody or daemon. PLEASE USE A DEDICATED USER.
# Default is postfix.
mail_owner = postfix

# The following parameters are used when installing a new Postfix version.
#
# sendmail_path: The full pathname of the Postfix sendmail command.
# This is the Sendmail-compatible mail posting interface.
#
sendmail_path = /usr/sbin/sendmail

# newaliases_path: The full pathname of the Postfix newaliases command.
# This is the Sendmail-compatible command to build alias databases.
#
newaliases_path = /usr/bin/newaliases

# full pathname of the Postfix mailq command.  This is the Sendmail-compatible
# mail queue listing command.
mailq_path = /usr/bin/mailq

# group for mail submission and queue management commands.
# This must be a group name with a numerical group ID that is not shared with
# other accounts, not even with the Postfix account.
setgid_group = postdrop

# external command that is executed when a Postfix daemon program is run with
# the -D option.
#
# Use "command .. & sleep 5" so that the debugger can attach before
# the process marches on. If you use an X-based debugger, be sure to
# set up your XAUTHORITY environment variable before starting Postfix.
#
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5

debug_peer_level = 2

# --------------------
# CUSTOM SETTINGS
#

# SMTP server response code when recipient or domain not found.
unknown_local_recipient_reject_code = 550

# Do not notify local user.
biff = no

# Disable the rewriting of "site!user" into "user@site".
swap_bangpath = no

# Disable the rewriting of the form "user%domain" to "user@domain".
allow_percent_hack = no

# Allow recipient address start with '-'.
allow_min_user = no

# Disable the SMTP VRFY command. This stops some techniques used to
# harvest email addresses.
disable_vrfy_command = yes

# Enable both IPv4 and/or IPv6: ipv4, ipv6, all.
inet_protocols = all

# Enable all network interfaces.
inet_interfaces = all

#
# TLS settings.
#
# SSL key, certificate, CA
#
smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail.crt
smtpd_tls_CApath = /etc/ssl/certs

#
# Disable SSLv2, SSLv3
#
smtpd_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3

smtp_tls_protocols = !SSLv2 !SSLv3
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3

lmtp_tls_protocols = !SSLv2 !SSLv3
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3

#
# Fix 'The Logjam Attack'.
#
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_dh512_param_file = /etc/ssl/dh512_param.pem
smtpd_tls_dh1024_param_file = /etc/ssl/dh2048_param.pem

tls_random_source = dev:/dev/urandom

# Log only a summary message on TLS handshake completion — no logging of client
# certificate trust-chain verification errors if client certificate
# verification is not required. With Postfix 2.8 and earlier, log the summary
# message, peer certificate summary information and unconditionally log
# trust-chain verification errors.
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1

# Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do
# not require that clients use TLS encryption.
smtpd_tls_security_level = may

# Produce `Received:` message headers that include information about the
# protocol and cipher used, as well as the remote SMTP client CommonName and
# client certificate issuer CommonName.
# This is disabled by default, as the information may be modified in transit
# through other mail servers. Only information that was recorded by the final
# destination can be trusted.
#smtpd_tls_received_header = yes

# Opportunistic TLS, used when Postfix sends email to remote SMTP server.
# Use TLS if this is supported by the remote SMTP server, otherwise use
# plaintext.
# References:
#   - http://www.postfix.org/TLS_README.html#client_tls_may
#   - http://www.postfix.org/postconf.5.html#smtp_tls_security_level
smtp_tls_security_level = may

# Use the same CA file as smtpd.
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_CAfile = $smtpd_tls_CAfile
smtp_tls_note_starttls_offer = yes

# Enable long, non-repeating, queue IDs (queue file names).
# The benefit of non-repeating names is simpler logfile analysis and easier
# queue migration (there is no need to run "postsuper" to change queue file
# names that don't match their message file inode number).
enable_long_queue_ids = yes

# Reject unlisted sender and recipient
smtpd_reject_unlisted_recipient = no
smtpd_reject_unlisted_sender = no

# Header and body checks with PCRE table
header_checks = pcre:/etc/postfix/header_checks
body_checks = pcre:/etc/postfix/body_checks.pcre

# A mechanism to transform commands from remote SMTP clients.
# This is a last-resort tool to work around client commands that break
# interoperability with the Postfix SMTP server. Other uses involve fault
# injection to test Postfix's handling of invalid commands.
# Requires Postfix-2.7+.
smtpd_command_filter = pcre:/etc/postfix/command_filter.pcre

# Relay restriction
smtpd_relay_restrictions =
        permit_sasl_authenticated,
        reject

# HELO restriction
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_sasl_authenticated
    check_helo_access pcre:/etc/postfix/helo_access.pcre
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname

# Sender restrictions
smtpd_sender_restrictions =
    permit_sasl_authenticated
    permit_mynetworks
    check_sender_access pcre:/etc/postfix/sender_access.pcre
    reject

# Recipient restrictions
smtpd_recipient_restrictions =
    check_policy_service inet:127.0.0.1:7777
    permit_sasl_authenticated
    permit_mynetworks
    check_policy_service inet:127.0.0.1:12340
    reject_unauth_destination

# END-OF-MESSAGE restrictions
smtpd_end_of_data_restrictions =
    check_policy_service inet:127.0.0.1:7777

# Data restrictions
smtpd_data_restrictions = reject_unauth_pipelining

# SRS (Sender Rewriting Scheme) support
#sender_canonical_maps = tcp:127.0.0.1:7778
#sender_canonical_classes = envelope_sender
#recipient_canonical_maps = tcp:127.0.0.1:7779
#recipient_canonical_classes= envelope_recipient,header_recipient

proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions $sender_dependent_relayhost_maps

# Avoid duplicate recipient messages. Default is 'yes'.
enable_original_recipient = no

# Virtual support.
virtual_minimum_uid = 2000
virtual_uid_maps = static:2000
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/vmail

# Do not set virtual_alias_domains.
virtual_alias_domains =

#
# Enable SASL authentication on port 25 and force TLS-encrypted SASL authentication.
# WARNING: NOT RECOMMENDED to enable smtp auth on port 25, all end users should
#          be forced to submit email through port 587 instead.
#
smtpd_sasl_auth_enable = yes
smtpd_delay_reject = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = no
smtpd_client_restrictions = permit_sasl_authenticated
broken_sasl_auth_clients = yes

# hostname
myhostname = mail.ads-network.top
myorigin = mail.ads-network.top
mydomain = mail.ads-network.top

# trusted SMTP clients which are allowed to relay mail through Postfix.
#
# Note: additional IP addresses/networks listed in mynetworks should be listed
#       in iRedAPD setting 'MYNETWORKS' (in `/opt/iredapd/settings.py`) too.
#       for example:
#
#       MYNETWORKS = ['xx.xx.xx.xx', 'xx.xx.xx.0/24', ...]
#
mynetworks = 127.0.0.1 [::1]

# Accepted local emails
mydestination = $myhostname, localhost, localhost.localdomain

alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases

# Default message_size_limit.
message_size_limit = 15728640

# The set of characters that can separate a user name from its extension
# (example: user+foo), or a .forward file name from its extension (example:
# .forward+foo).
# Postfix 2.11 and later supports multiple characters.
recipient_delimiter = +

# The time after which the sender receives a copy of the message headers of
# mail that is still queued. Default setting is disabled (0h) by Postfix.
#delay_warning_time = 1h

# Do not display the name of the recipient table in the "User unknown" responses.
# The extra detail makes trouble shooting easier but also reveals information
# that is nobody elses business.
show_user_unknown_table_name = no
compatibility_level = 2
#
# Lookup virtual mail accounts
#
transport_maps =
    proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf
    proxy:mysql:/etc/postfix/mysql/transport_maps_maillist.cf
    proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf

sender_dependent_relayhost_maps =
    proxy:mysql:/etc/postfix/mysql/sender_dependent_relayhost_maps.cf

# Lookup table with the SASL login names that own the sender (MAIL FROM) addresses.
smtpd_sender_login_maps =
    proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf

virtual_mailbox_domains =
    proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf

relay_domains =
    $mydestination
    proxy:mysql:/etc/postfix/mysql/relay_domains.cf

virtual_mailbox_maps =
    proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf

virtual_alias_maps =
    proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf
    proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf
    proxy:mysql:/etc/postfix/mysql/catchall_maps.cf
    proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf

sender_bcc_maps =
    proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf
    proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf

recipient_bcc_maps =
    proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf
    proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf

#
# Postscreen
#
postscreen_greet_action = drop
postscreen_blacklist_action = drop
postscreen_dnsbl_action = drop
postscreen_dnsbl_threshold = 2

# Attention:
#   - zen.spamhaus.org free tire has 3 limits
#     (https://www.spamhaus.org/organization/dnsblusage/):
#
#     1) Your use of the Spamhaus DNSBLs is non-commercial*, and
#     2) Your email traffic is less than 100,000 SMTP connections per day, and
#     3) Your DNSBL query volume is less than 300,000 queries per day.
#
#   - FAQ: "Your DNSBL blocks nothing at all!"
#     https://www.spamhaus.org/faq/section/DNSBL%20Usage#261
#
# It's strongly recommended to use a local DNS server for cache.
postscreen_dnsbl_sites =
    zen.spamhaus.org=127.0.0.[2..11]*3
    b.barracudacentral.org=127.0.0.2*2

postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr

# Require Postfix-2.11+
postscreen_dnsbl_whitelist_threshold = -2

#
# Dovecot SASL support.
#
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

#
# mlmmj - mailing list manager
#
mlmmj_destination_recipient_limit = 1

#
# Amavisd + SpamAssassin + ClamAV
#
content_filter = smtp-amavis:[127.0.0.1]:10024

# Concurrency per recipient limit.
smtp-amavis_destination_recipient_limit = 1000
relayhost = 

[master.cf]

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
smtp      inet  n       -       -       -       -       smtpd
dnsblog   unix  -       -       y       -       0       dnsblog
tlsproxy  unix  -       -       y       -       0       tlsproxy
#submission inet n       -       y       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       y       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       y       -       -       qmqpd
#smtp       inet  n       -       -       -       -       smtpd
pickup     unix  n       -       n       60      1       pickup
    -o content_filter=smtp-amavis:[127.0.0.1]:10026
cleanup    unix  n       -       n       -       0       cleanup
#qmgr     unix  n       -       n       300     1       oqmgr
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
relay      unix  -       -       n       -       -       smtp
    -o syslog_name=postfix/$service_name
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
postlog    unix-dgram n  -       n       -       1       postlogd
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
maildrop   unix  -       n       n       -       -       pipe flags=DRhu
    user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# Other external delivery methods.
#
uucp       unix  -       n       n       -       -       pipe flags=Fqhu
    user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail     unix  -       n       n       -       -       pipe flags=F user=ftn
    argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp      unix  -       n       n       -       -       pipe flags=Fq.
    user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n       n       -       2       pipe flags=R
    user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop}
    ${user} ${extension}

mailman    unix  -       n       n       -       -       pipe flags=FR
    user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop}
    ${user}
# Submission, port 587, force TLS connection.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o content_filter=smtp-amavis:[127.0.0.1]:10026

# smtps, port 465, force SSL connection.
465 inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o content_filter=smtp-amavis:[127.0.0.1]:10026

# Use dovecot's `deliver` program as LDA.
dovecot unix    -       n       n       -       -      pipe
    flags=DRh user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${domain} -m ${extension}

# mlmmj - mailing list manager
# ${nexthop} is '%d/%u' in transport ('mlmmj:%d/%u')
mlmmj   unix  -       n       n       -       -       pipe
    flags=ORhu user=mlmmj:mlmmj argv=/usr/bin/mlmmj-amime-receive -L /var/vmail/mlmmj/${nexthop}

# Amavisd integration.
smtp-amavis unix -  -   n   -   4  smtp
    -o syslog_name=postfix/amavis
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20

# smtp port used by Amavisd to re-inject scanned email back to Postfix
127.0.0.1:10025 inet n  -   n   -   -  smtpd
    -o syslog_name=postfix/10025
    -o content_filter=
    -o mynetworks_style=host
    -o mynetworks=127.0.0.0/8
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o strict_rfc821_envelopes=yes
    -o smtp_tls_security_level=none
    -o smtpd_tls_security_level=none
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    -o smtpd_end_of_data_restrictions=
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings

# smtp port used by mlmmj to re-inject scanned email back to Postfix, with
# address mapping support
127.0.0.1:10028 inet n  -   n   -   -  smtpd
    -o syslog_name=postfix/10028
    -o content_filter=
    -o mynetworks_style=host
    -o mynetworks=127.0.0.0/8
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o strict_rfc821_envelopes=yes
    -o smtp_tls_security_level=none
    -o smtpd_tls_security_level=none
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_end_of_data_restrictions=
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

In addition, this is the DIAG reported by Postfix:

Diagnostic-Code: smtp; 554 5.7.1 id=17953-16 - Rejected by next-hop MTA on
    relaying, from MTA(smtp:[127.0.0.1]:10025): 554 5.7.1
    <******@outlook.com>: Recipient address rejected: Access denied
smtp postfix email-server smtp-auth
  • 1 answer
  • 502 Views
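
The bounce quoted in this question comes from the listener on 127.0.0.1:10025, whose override in the posted master.cf is smtpd_recipient_restrictions=permit_sasl_authenticated,reject. The following Python check is an added example, not part of the original post and not Postfix or iRedMail code: it reads the -o overrides of loopback smtpd listeners and reports those that would refuse an unauthenticated local client such as a content filter re-injecting mail. The function names are hypothetical, the excerpt is constructed from the posted file, and the evaluation models only permit, reject, defer, permit_mynetworks and permit_sasl_authenticated; settings inherited from main.cf are not considered.

```python
import ipaddress

# Constructed excerpt: the two loopback re-injection listeners from the
# master.cf in the question, trimmed to the overrides that matter here.
SAMPLE_MASTER_CF = """\
# smtp port used by Amavisd to re-inject scanned email back to Postfix
127.0.0.1:10025 inet n  -   n   -   -  smtpd
    -o syslog_name=postfix/10025
    -o mynetworks=127.0.0.0/8
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
127.0.0.1:10028 inet n  -   n   -   -  smtpd
    -o syslog_name=postfix/10028
    -o mynetworks=127.0.0.0/8
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
"""


def parse_master_cf(text):
    """Map 'service/type' to the dict of its '-o name=value' overrides."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are ignored by Postfix too
        fields = raw.split()
        if raw[0].isspace():
            if current is None:
                continue  # continuation line with no service before it
            args = fields
        else:
            # service type private unpriv chroot wakeup maxproc command args...
            current = f"{fields[0]}/{fields[1]}"
            services[current] = {}
            args = fields[8:]
        # Simplification: "-o name=value" only, no "{ name = value }" form.
        for flag, value in zip(args, args[1:]):
            if flag == "-o" and "=" in value:
                name, _, setting = value.partition("=")
                services[current][name] = setting
    return services


def in_networks(ip, mynetworks):
    """True if ip falls inside any entry of a mynetworks-style list."""
    addr = ipaddress.ip_address(ip)
    for item in mynetworks.replace(",", " ").split():
        cleaned = item.replace("[", "").replace("]", "")  # [::1] -> ::1
        net = ipaddress.ip_network(cleaned, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False


def evaluate(restrictions, client_ip, sasl_authenticated, mynetworks):
    """Left to right, first decisive restriction wins; others are skipped."""
    for name in restrictions.replace(",", " ").split():
        if name == "permit":
            return "permit"
        if name == "permit_sasl_authenticated" and sasl_authenticated:
            return "permit"
        if name == "permit_mynetworks" and in_networks(client_ip, mynetworks):
            return "permit"
        if name in ("reject", "defer"):
            return name
    return "permit"  # end of list: nothing objected


def audit_loopback_listeners(master_cf, default_mynetworks="127.0.0.1 [::1]"):
    """List loopback listeners that reject an unauthenticated local client."""
    findings = []
    for service, opts in parse_master_cf(master_cf).items():
        if not service.startswith(("127.", "[::1]", "localhost:")):
            continue
        nets = opts.get("mynetworks", default_mynetworks)
        for param in ("smtpd_client_restrictions",
                      "smtpd_recipient_restrictions"):
            verdict = evaluate(opts.get(param, ""), "127.0.0.1", False, nets)
            if verdict != "permit":
                findings.append((service, param, opts[param]))
    return findings


if __name__ == "__main__":
    for service, param, value in audit_loopback_listeners(SAMPLE_MASTER_CF):
        print(f"{service}: {param}={value} rejects unauthenticated 127.0.0.1")
```
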
Sam
Asked: 2021-10-03 15:48:37 +0800 CST

SMTP authentication problem with Postfix and Dovecot

  • 0

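I bought a domain, example.com, and a VPS, and I set up a mail server with iRedMail.

Not wanting iRedMail to mess with my Nginx, I decided to install Nginx and Roundcube myself. However, it says the SMTP server does not support authentication. SMTP is fine.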

[02-Oct-2021 23:40:16 +0000]: <5gl20r7b> PHP Error: SMTP server does not support authentication (POST /?_task=mail&_unlock=loading1633218016462&_framed=1&_action=send)
[02-Oct-2021 23:40:16 +0000]: <5gl20r7b> SMTP Error: Authentication failure:   in /var/www/mail/program/lib/Roundcube/rcube.php on line 1702 (POST /?_task=mail&_unlock=loading1633218016462&_framed=1&_action=send)

And the postconf -n output.

root@mail:~# postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
allow_percent_hack = no
biff = no
body_checks = pcre:/etc/postfix/body_checks.pcre
command_directory = /usr/sbin
compatibility_level = 2
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix/sbin
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
enable_long_queue_ids = yes
enable_original_recipient = no
header_checks = pcre:/etc/postfix/header_checks
inet_interfaces = all
inet_protocols = all
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3
lmtp_tls_protocols = !SSLv2 !SSLv3
mail_owner = postfix
mailq_path = /usr/bin/mailq
message_size_limit = 15728640
mlmmj_destination_recipient_limit = 1
mydestination = $myhostname, localhost, localhost.localdomain
mydomain = example.com
myhostname = example.com
mynetworks = 127.0.0.1 [::1]
myorigin = example.com
newaliases_path = /usr/bin/newaliases
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr
postscreen_blacklist_action = drop
postscreen_dnsbl_action = drop
postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]*3 b.barracudacentral.org=127.0.0.2*2
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_whitelist_threshold = -2
postscreen_greet_action = drop
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions $sender_dependent_relayhost_maps
queue_directory = /var/spool/postfix
recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf
recipient_delimiter = +
relay_domains = $mydestination proxy:mysql:/etc/postfix/mysql/relay_domains.cf
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf
sender_dependent_relayhost_maps = proxy:mysql:/etc/postfix/mysql/sender_dependent_relayhost_maps.cf
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
show_user_unknown_table_name = no
smtp-amavis_destination_recipient_limit = 1
smtp_tls_CAfile = $smtpd_tls_CAfile
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2 !SSLv3
smtp_tls_security_level = may
smtpd_command_filter = pcre:/etc/postfix/command_filter.pcre
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:7777
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated check_helo_access pcre:/etc/postfix/helo_access.pcre reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
smtpd_recipient_restrictions = reject_non_fqdn_recipient reject_unlisted_recipient check_policy_service inet:127.0.0.1:7777 permit_mynetworks permit_sasl_authenticated reject_unauth_destination check_policy_service inet:127.0.0.1:12340
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
smtpd_sender_restrictions = reject_non_fqdn_sender reject_unlisted_sender permit_mynetworks permit_sasl_authenticated check_sender_access pcre:/etc/postfix/sender_access.pcre reject_unknown_sender_domain
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail.crt
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt
smtpd_tls_dh1024_param_file = /etc/ssl/dh2048_param.pem
smtpd_tls_dh512_param_file = /etc/ssl/dh512_param.pem
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtpd_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_security_level = may
swap_bangpath = no
tls_random_source = dev:/dev/urandom
transport_maps = proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf proxy:mysql:/etc/postfix/mysql/transport_maps_maillist.cf proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf
unknown_local_recipient_reject_code = 550
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf proxy:mysql:/etc/postfix/mysql/catchall_maps.cf proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_minimum_uid = 2000
virtual_transport = dovecot
virtual_uid_maps = static:2000

Edit: after some questions, I enabled:

postconf | grep smtp_sasl_auth_enable
smtp_sasl_auth_enable = yes

But using openssl s_client, I got:

503 5.5.1 Error: authentication not enabled

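Update:

After setting smtpd_sasl_auth_enable = yes I get the chance to enter my password, but it says the password is wrong. I am using a password manager, so the password should be correct. Also, I can log in via IMAP with the credentials.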

535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6

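Edit: in /var/log/maillog I see this fatal: specify a password table via the `smtp_sasl_password_maps' configuration parameter. So I ran postconf | grep smtp_sasl_password_maps and got smtp_sasl_password_maps = . Maybe that is the problem. But it should not be empty since I used iRedMail, so what should it be?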

smtp postfix dovecot smtp-auth
  • 1 answer
  • 1228 Views
bug.spencor
Asked: 2021-02-08 08:54:31 +0800 CST

ICMP "port unreachable" when sending email

  • 2

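For several months I have had sporadic problems sending email.

Based on the source IP, using tcpdump I finally found that I receive "port unreachable" messages from what appears to be my email provider. But my email provider says they cannot find a problem in their network and says it must be in mine. To rule out a firewall problem, I set up port mirroring and captured packets on the port connected to the cable modem, which runs as a bridge.

I have done a lot of troubleshooting. What I see:

  • The error occurs both when I send from an Android phone over Wi-Fi and from Thunderbird on a wired PC.
  • The error occurs when I send to the email provider on SMTP port 465 or 587.
  • It does not always happen; after some attempts the mail is finally sent, or it is sent on the first attempt.
  • I just saw that, when receiving DNS responses, my DNS resolver also sends "port unreachable" to the forwarding DNS servers (1.1.1.1, 1.0.0.1). I guess this is unrelated to the email problem, but who knows?

Here is an example of the ICMP error I get.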

Internet Control Message Protocol
    Type: 3 (Destination unreachable)
    Code: 3 (Port unreachable)
    Checksum: 0x8c59 [correct]
    [Checksum Status: Good]
    Unused: 00000000
    Internet Protocol Version 4, Src: <my-ip>, Dst: <smtp-server-ip>
    Transmission Control Protocol, Src Port: 48624, Dst Port: 587, Seq: 3998125229
        Source Port: 48624
        Destination Port: 587
        Sequence number: 3998125229
        [Stream index: 0]
        Acknowledgment number: 0
        Acknowledgment number (raw): 0
        1010 .... = Header Length: 40 bytes (10)
        Flags: 0x002 (SYN)
        Window size value: 29200
        [Calculated window size: 29200]
        Checksum: 0x3680 [unverified]
        [Checksum Status: Unverified]
        Urgent pointer: 0
        Options: (20 bytes), Maximum segment size, SACK permitted, Timestamps, No-Operation (NOP), Window scale
        [Timestamps]

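What could be going wrong here, and in which part of the network? Is it plausible that the problem is in neither my network nor the email provider's network?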

networking smtp icmp smtp-auth
  • 1 answer
  • 444 Views
TRW
Asked: 2020-08-26 07:03:00 +0800 CST

Dovecot as a proxy for submission

  • 0

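In my infrastructure I have several mail servers (mailcow), each instance serving different domains. I want to put a mail proxy in front of them to reduce the number of IPs used by each service and to allow customers to have their own domain names in their client presets.

SMTP as MTA is handled differently. Incoming messages via Postfix are handled by a central server (since customers do not see the MX records). So that is not my problem.

So I configured a Dovecot-based mail proxy on Debian Buster with the following configuration: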

ssl_cert = </etc/dovecot/ssl/default.pem
ssl_key = </etc/dovecot/ssl/default.key

# just an example for different domains via SNI
local_name mail.domain1.tld {
  ssl_cert = </etc/dovecot/ssl/mail.domain1.tld.pem
  ssl_key = </etc/dovecot/ssl/mail.domain1.tld.key
}

# just an example for different domains via SNI
local_name mail.domain2.tld {
  ssl_cert = </etc/dovecot/ssl/mail.domain2.tld.pem
  ssl_key = </etc/dovecot/ssl/mail.domain2.tld.key
}

auth_cache_size = 4 k
disable_plaintext_auth = no

passdb {
  args = /etc/dovecot/sql.conf
  driver = sql
}
protocols = "imap pop3 submission"
service auth {
  user = root
}
userdb {
  args = static uid=5000 gid=5000 home=/dev/null
  driver = static
}

And sql.conf is

## SQL passdb configuration
driver = mysql

# Database options
connect = host=localhost dbname=dovecot user=dovecot password=dovecot

# Query
password_query = SELECT NULL AS password, NULL AS destuser, host, 'Y' AS nologin, 'Y' AS nodelay, 'Y' AS nopassword, 'Y' AS proxy, 'any-cert' AS `ssl` FROM proxy_domain WHERE domain = '%d'
# eof

The database contains:

CREATE TABLE `proxy_domain` (
  `domain` varchar(255) NOT NULL,
  `host` varchar(255) NOT NULL,
  PRIMARY KEY (`domain`)
);

insert into proxy_domain (domain, host) values ('domain1.tld','mailhost1');
insert into proxy_domain (domain, host) values ('domain2.tld','mailhost2');

This is more or less an example from

  • Proxy: https://wiki1.dovecot.org/HowTo/ImapProxy (last updated in 2011, with very old configuration parameters)
  • SNI: https://wiki.dovecot.org/SSL/DovecotConfiguration

The IMAP and POP3 services are up, and with

openssl s_client -connect ac-hcn0002.acoby.net:993

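I can log in, and SNI works fine. The backends are reachable via SSL. With STARTTLS (110, 143, 587) only the first certificate is served. That is acceptable, because I will not recommend it to customers.

But now submission (and later sieve).

Question 1:

Dovecot is able to open 587 for submission. This is only available via STARTTLS. But the proxy then tries to talk SSL directly on port 587 of the backend system for submission (which I think is incorrect - it should start in plain and issue STARTTLS). I think this happens because the passdb returns ssl=any-cert globally. Is this a bug? Can I override that behavior for 587? And is there perhaps a way to send the correct certificate with STARTTLS (instead of the default/first one)?

Question 2:

Then there is port 465. Dovecot could also open submission port 465/SSL in my case, in order to forward all authenticated messages to the backend's submission port 465. But how do I configure that? I could not find any example.

I know about "Mail infrastructure with dovecot proxy" and the solution with Postfix - but I am not sure whether the answer using the dovecot socket works in this case, and I do not want to install Postfix just for submission when Dovecot can do it out of the box.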

reverse-proxy dovecot smtp-auth
  • 1 answer
  • 1540 Views
Steven Hook
Asked: 2020-06-04 13:07:25 +0800 CST

How to make Gmail use Postfix as an SMTP server

  • 0

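I am trying to get Gmail to send email from my vanity domain - understandably, it wants to use an SMTP server set up for that domain. I tried configuring Postfix as the SMTP server for my vanity domain, but in Gmail I keep getting authentication errors. My experience seems very similar to "Postfix as SMTP server for Gmail. ("Send mail as" Google option)". I have found very little other useful information online about this particular problem. Most other users who seem to be asking about this get "here is how to use Gmail as an SMTP server" answers, which is obviously not helpful. Gmail cannot send from my vanity domain, which is why I (and it) need an SMTP server.

Here are my configuration files. I have used host.example.com as the full host and domain name of the server running Postfix. I have used vanity.domain as the vanity domain name that I am trying to use with Gmail, and user1 etc. as the different users.

I added a Let's Encrypt certificate because someone suggested that Gmail might reject a self-signed certificate. I do not know whether that is correct, or whether I did it properly - I used certbot --apache on host.domain.com - and the certificate does work in a browser for host.example.com.

By the way, I have not managed to get Postfix to use port 587 - so I removed :587 from [vanity.domain]:587 in the configuration.

main.cf (it has become long because of everything the different guides suggested adding)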

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
smtpd_tls_cert_file=/etc/letsencrypt/live/host.example.com/fullchain.pem
#smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/letsencrypt/live/host.example.com/privkey.pem
#smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = host.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, host.example.com, host, localhost.localdomain, localhost
#relayhost =[vanity.domain]:587
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all

virtual_alias_domains = vanity.domain
virtual_alias_maps = hash:/etc/postfix/virtual
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noplaintext,noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_sasl_auth_enable = yes
smtp_use_tls = yes
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

#smtp_tls_security_level = may
#smtp_tls_protocols = !SSLv2, !SSLv3
#smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
#smtp_tls_mandatory_ciphers = high
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain = 
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_ciphers = high
smtp_tls_loglevel = 1 
sender_canonical_maps = tcp:127.0.0.1:10001
sender_canonical_classes = envelope_sender
recipient_canonical_maps = tcp:127.0.0.1:10002
recipient_canonical_classes = envelope_recipient

/etc/postfix/virtual:

[email protected] [email protected]
[email protected] [email protected]
[email protected] [email protected]
[email protected] [email protected]
@vanity.domain [email protected]

The log from when I try to connect (IPs, dates and times removed):

connect from mail-ua1-f41.google.com
Anonymous TLS connection established from mail-ua1-f41.google.com: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
warning: mail-ua1-f41.google.com: SASL PLAIN authentication failed:
lost connection after AUTH from mail-ua1-f41.google.com
disconnect from mail-ua1-f41.google.com ehlo=2 starttls=1 auth=0/1 commands=3/4

sasl_passwd

[vanity.domain] user1:longpassword

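Finally, in Gmail's SMTP settings I fill in the following:

SMTP server: host.example.com
User: user1 (I also tried [email protected] and [email protected] - I am not sure which it should be)
Password: longpassword
Port: 25 (tried 587 and 465 too)
Security: TLS (tried SSL and unsecured too)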

smtp postfix gmail smtp-auth
  • 1 answer
  • 200 Views
galtech
Asked: 2017-01-28 01:31:45 +0800 CST

How to use SMTP authentication properly?

  • -3

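I have been trying to configure Postfix to use SMTP authentication. When I telnet on port 587, my authentication appears to be correct, but the mail fails to reach its destination and is instead returned with a 553, rejected by Spamhaus because my IP is on the PBL. When I read the Spamhaus documentation, I was told that being on the PBL is not a blocker and that I just need to make sure I authenticate properly (https://www.spamhaus.org/faq/section/Spamhaus%20PBL#253).

I have searched extensively but have not found a way to make sure mail is sent successfully from this server.

Does anyone know what I might be missing here?

Here is the result of my telnet test: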

ubuntu@dev-server:~$ telnet api.mijnvitalefuncties.com 587
Trying 192.168.0.11...
Connected to api.mijnvitalefuncties.com.
Escape character is '^]'.
220 dev-server ESMTP Postfix (Ubuntu)
ehlo api.mijnvitalefuncties.com
250-dev-server
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH LOGIN
334 VXNlcm5hbWU6
***
334 UGFzc3dvcmQ6
***
235 2.7.0 Authentication successful
MAIL FROM:<[email protected]>
250 2.1.0 Ok
RCPT TO:<[email protected]>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
.
250 2.0.0 Ok: queued as B70A764235
quit
221 2.0.0 Bye
Connection closed by foreign host.

Here is the email I received notifying me that the mail could not be delivered:

This is the mail system at host dev-server.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

               The mail system

<[email protected]>: host cluster5.eu.messagelabs.com[193.109.255.99]
said: 553-mail rejected because your IP is in the PBL. See 553
http://www.spamhaus.org/pbl (in reply to RCPT TO command) 

Here is the error I get when I try to disable port 25 to force mail through submission (port 587).

Jan 27 11:53:26 dev-server postfix/qmgr[16821]: warning: connect to transport private/smtp: Connection refused
Jan 27 11:53:26 dev-server postfix/error[16841]: 5137E64232: to=<[email protected]>, relay=none, delay=19, delays=19/0/0/0.01, dsn=4.3.0, status=deferred (mail transport unavailable)
smtp postfix smtp-auth
  • 2 answers
  • 858 Views
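
The telnet session in the question above issues AUTH LOGIN on a connection where STARTTLS was offered but never started, and the 334 prompts are base64, which is an encoding and not encryption. The following check is an added example, not part of the original post: it walks a plaintext SMTP transcript and reports whether AUTH was offered or used before TLS. The function name and report keys are illustrative, and the sample is an abbreviated copy of the posted session.

```python
import base64
import binascii
import re

# Client/server lines copied (abbreviated) from the telnet session in the post
# above; the credentials were already replaced by *** there.
POSTED_SESSION = """\
220 dev-server ESMTP Postfix (Ubuntu)
ehlo api.mijnvitalefuncties.com
250-dev-server
250-STARTTLS
250-AUTH PLAIN LOGIN
250 DSN
AUTH LOGIN
334 VXNlcm5hbWU6
***
334 UGFzc3dvcmQ6
***
235 2.7.0 Authentication successful
"""

def analyse_smtp_transcript(text):
    """Report how AUTH was protected in a plaintext SMTP transcript."""
    report = {"starttls_offered": False, "tls_started": False,
              "auth_offered_before_tls": False, "auth_mechanism": None,
              "auth_in_clear": False, "challenges": []}
    last_command = ""
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        reply = re.match(r"(\d{3})[ -](.*)", line)
        if not reply:                        # client side of the dialogue
            words = line.split()
            last_command = words[0].upper()
            if last_command == "AUTH":
                report["auth_mechanism"] = words[1].upper() if len(words) > 1 else None
                report["auth_in_clear"] = not report["tls_started"]
            continue
        code, rest = reply.groups()
        keyword = rest.upper()
        if code == "250" and keyword == "STARTTLS":
            report["starttls_offered"] = True
        elif code == "250" and keyword.startswith("AUTH") and not report["tls_started"]:
            report["auth_offered_before_tls"] = True
        elif code == "220" and last_command == "STARTTLS":
            report["tls_started"] = True
        elif code == "334":                  # base64 prompt: decode to show it is readable
            try:
                report["challenges"].append(base64.b64decode(rest).decode("ascii", "replace"))
            except binascii.Error:
                report["challenges"].append(rest)
    return report

if __name__ == "__main__":
    for key, value in analyse_smtp_transcript(POSTED_SESSION).items():
        print(f"{key}: {value}")
```

On the server side, Postfix's smtpd_tls_auth_only = yes keeps AUTH from being announced or accepted until STARTTLS has completed.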
Gery
Asked: 2016-07-05 19:37:53 +0800 CST

Contact form from Ubuntu to a Zoho email address

  • 0

I need some support to get my Postfix configuration working with my Zoho email account. What I want to do is send a message from my contact form at http://www.g3eo.com/#!/page_Contacts to my Zoho email account. For that, I configured Postfix on my Ubuntu box this way (based on http://emanuelesantanche.com/configuring-postfix-to-relay-email-through-zoho-mail/):

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

append_dot_mydomain = no

readme_directory = no

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = loopback-only
inet_protocols = all

# TLS parameters
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_header_checks = pcre:/etc/postfix/smtp_header_checks

myhostname = xxxxxxxxxx
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = xxxxxxxxxx, localhost.com, localhost
relayhost = smtp.zoho.com:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/password
#smtp_sasl_security_options =
smtp_generic_maps = hash:/etc/postfix/generic
smtp_sasl_security_options = noanonymous
smtp_always_send_ehlo = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks,permit_sasl_authenticated,defer_unauth_destination

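In my website's contact form things seem to work well; you can test it by sending a message with Firebug open (press F12) on the Network tab. After sending the email, it shows the message "mail sent" in the Response tab. However, the message does not arrive at my email address in my Zoho email account. Checking /var/log/mail.log afterwards shows:

Jul 4 21:46:42 xxxxxxxxxx postfix/qmgr[9100]: D9B2E5E0292: from=, size=549, nrcpt=1 (queue active)
Jul 4 21:46:45 xxxxxxxxxx postfix/smtp[27824]: D9B2E5E0292: to=, relay=smtp.zoho.com[165.254.168.48]:587, delay=114224, delays=114222/0.01/2.6/0, dsn=4.0.0, status=deferred (SASL authentication failed; server smtp.zoho.com[165.254.168.48] said: 535 Authentication Failed)

I understand the authentication problem is because my message is probably getting to the Zoho SMTP server and is rejected there; I am not sure whether that is the case. If anybody could help me understand what is going on here and how to fix it, I would appreciate it.

My contact form uses the following files: - http://www.g3eo.com/extras/js/forms.js

and http://www.g3eo.com/extras/bin/MailHandler.php (see below)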

  if($_POST['name']!='nope'){
      $messageBody .= '<p>Visitor: ' . $_POST["name"] . '</p>' . "\n";
      $messageBody .= '<br>' . "\n";
  }
  if($_POST['email']!='nope'){
      $messageBody .= '<p>Email Address: ' . $_POST['email'] . '</p>' . "\n";
      $messageBody .= '<br>' . "\n";
  }else{
      $headers = '';
  }
  if($_POST['state']!='nope'){        
      $messageBody .= '<p>State: ' . $_POST['state'] . '</p>' . "\n";
      $messageBody .= '<br>' . "\n";
  }
  if($_POST['phone']!='nope'){        
      $messageBody .= '<p>Phone Number: ' . $_POST['phone'] . '</p>' . "\n";
      $messageBody .= '<br>' . "\n";
  }   
  if($_POST['fax']!='nope'){      
      $messageBody .= '<p>Fax Number: ' . $_POST['fax'] . '</p>' . "\n";
      $messageBody .= '<br>' . "\n";
  }
  if($_POST['message']!='nope'){
      $messageBody .= '<p>Message: ' . $_POST['message'] . '</p>' . "\n";
  }

  if($_POST["stripHTML"] == 'true'){
      $messageBody = strip_tags($messageBody);
  }

  try{
      if(!mail($owner_email, $subject, $messageBody, $headers)){
          throw new Exception('mail failed');
      }else{
          echo 'mail sent';
      }
  }catch(Exception $e){
      echo $e->getMessage() ."\n";
  }

Edit #1:

After changing /etc/postfix/password from smtp.zoho.com:587 to [smtp.zoho.com], I got this in /var/log/mail.log:

Jul 4 23:46:24 xxxxxxxxxx postfix/pickup[2926]: 8BC545E0261: uid=33 from=
Jul 4 23:46:24 xxxxxxxxxx postfix/cleanup[2933]: 8BC545E0261: message-id=<20160705044624.8BC545E0261@xxxxxxxxxx>
Jul 4 23:46:24 xxxxxxxxxx postfix/qmgr[2927]: 8BC545E0261: from=, size=588, nrcpt=1 (queue active)
Jul 4 23:46:26 xxxxxxxxxx postfix/smtp[2930]: 8BC545E0261: to=, relay=smtp.zoho.com[165.254.168.48]:587, delay=2.1, delays=0.13/0/1.8/0.16, dsn=5.5.1, status=bounced (host smtp.zoho.com[165.254.168.48] said: 530 5.5.1 Authentication Required. (in reply to MAIL FROM command))
Jul 4 23:46:27 xxxxxxxxxx postfix/cleanup[2933]: 098835E026E: message-id=<20160705044627.098835E026E@xxxxxxxxxx>
Jul 4 23:46:27 xxxxxxxxxx postfix/bounce[2932]: 8BC545E0261: sender non-delivery notification: 098835E026E
Jul 4 23:46:27 xxxxxxxxxx postfix/qmgr[2927]: 098835E026E: from=<>, size=2494, nrcpt=1 (queue active)
Jul 4 23:46:27 xxxxxxxxxx postfix/qmgr[2927]: 8BC545E0261: removed
Jul 4 23:46:27 xxxxxxxxxx postfix/local[2934]: 098835E026E: to=, relay=local, delay=0.09, delays=0.05/0/0/0.04, dsn=2.0.0, status=sent (delivered to mailbox)
Jul 4 23:46:27 xxxxxxxxxx postfix/qmgr[2927]: 098835E026E: removed

Is port 587 the problem here?

ubuntu php postfix html smtp-auth
  • 1 answer
  • 506 Views
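
Edit #1 in the question above changes the key in the password map while relayhost stays smtp.zoho.com:587. Postfix's SASL_README requires the smtp_sasl_password_maps key to use the same form as relayhost, brackets and port included. The lint below is an added example, not the poster's code or part of Postfix; the function names and map entries are constructed, and it models only the next-hop comparison (Postfix can also match on the remote server's hostname, which is not modelled).

```python
import re

# relayhost as posted above; the map entries are constructed placeholders.
MAIN_CF = "relayhost = smtp.zoho.com:587\nsmtp_sasl_auth_enable = yes\n"
MAP_BEFORE_EDIT = "smtp.zoho.com:587 user@example.com:placeholder-password\n"
MAP_AFTER_EDIT = "[smtp.zoho.com] user@example.com:placeholder-password\n"

def parse_main_cf(text):
    """Return {parameter: value}; skips comments, joins continuation lines."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:
            params[last] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            last = name.strip()
            params[last] = value.strip()
    return params

def parse_password_map(text):
    """Return the lookup keys (first field) of a password map source file."""
    return [line.split()[0] for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]

def split_nexthop(dest):
    """Split host, [host], host:port or [host]:port (hostnames only, no IPv6 literals)."""
    m = re.fullmatch(r"(\[)?([^\[\]:]+)(\])?(?::(\w+))?", dest)
    if not m or bool(m.group(1)) != bool(m.group(3)):
        raise ValueError(f"unparseable next-hop: {dest!r}")
    return m.group(2).lower(), bool(m.group(1)), m.group(4)

def check_relay_credentials(main_cf, password_map):
    """Compare relayhost with the map keys; return (status, detail)."""
    relayhost = parse_main_cf(main_cf).get("relayhost", "")
    if not relayhost:
        return ("no-relayhost", "relayhost is not set")
    keys = parse_password_map(password_map)
    if relayhost in keys:
        return ("ok", f"key {relayhost} is identical to relayhost")
    host, bracketed, port = split_nexthop(relayhost)
    for key in keys:
        try:
            key_host, key_bracketed, key_port = split_nexthop(key)
        except ValueError:
            continue                         # not a next-hop style key
        if key_host != host:
            continue
        differs = [name for name, a, b in (("brackets", key_bracketed, bracketed),
                                           ("port", key_port, port)) if a != b]
        return ("mismatch", f"key {key} vs relayhost {relayhost}: "
                            f"differs in {', '.join(differs or ['letter case'])}")
    return ("missing", f"no key for {host}")

if __name__ == "__main__":
    print(check_relay_credentials(MAIN_CF, MAP_BEFORE_EDIT))
    print(check_relay_credentials(MAIN_CF, MAP_AFTER_EDIT))
```

With no matching key the Postfix SMTP client does not attempt to authenticate at all, which is consistent with the 530 Authentication Required bounce logged after the edit.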
Greg K
Asked: 2012-07-09 02:46:01 +0800 CST

Postfix SMTP authentication not working with virtual mailboxes + SASL + Courier userdb

  • 2

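So I have read various tutorials and how-tos, and I am struggling to understand how to get SMTP authentication working in Postfix with virtual mailboxes. I used this Ubuntu tutorial to get set up. I am using Courier-IMAP and POP3 to read mail, which seems to work without problems.

However, the credentials used to read the mailbox do not work for SMTP. As can be seen from /var/log/auth.log, PAM is being used; does this require a UNIX user account to work? Because I am using virtual mailboxes to avoid creating user accounts.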

li305-246 saslauthd[22856]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
li305-246 saslauthd[22856]: do_auth         : auth failure: [user=fred] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]

/var/log/mail.log

li305-246 postfix/smtpd[27091]: setting up TLS connection from mail-pb0-f43.google.com[209.85.160.43]
li305-246 postfix/smtpd[27091]: Anonymous TLS connection established from mail-pb0-f43.google.com[209.85.160.43]: TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)
li305-246 postfix/smtpd[27091]: warning: SASL authentication failure: Password verification failed
li305-246 postfix/smtpd[27091]: warning: mail-pb0-f43.google.com[209.85.160.43]: SASL PLAIN authentication failed: authentication failure

I have created the account in userdb as per the tutorial. Does Postfix also use authuserdb?

What debugging information is needed to help diagnose my problem?

main.cf:

# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# SMTP parameters

smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

/etc/postfix/sasl/smtpd.conf

pwcheck_method: saslauthd
mech_list: plain login

/etc/default/saslauthd

START=yes

PWDIR="/var/spool/postfix/var/run/saslauthd"
PARAMS="-m ${PWDIR}"
PIDFILE="${PWDIR}/saslauthd.pid"
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="pam"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

/etc/courier/authdaemonrc

authmodulelist="authuserdb"

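I only modified one line in authdaemonrc and restarted the service as per the tutorial. I have added the account to /etc/courier/userdb via userdb and userdbpw and run makeuserdb, as per the tutorial.

Solved

Thanks to Jenny D for suggesting to use rimap to auth against the localhost IMAP server (which reads the userdb credentials).

I updated /etc/default/saslauthd to start saslauthd correctly (this page was useful)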

MECHANISMS="rimap"
MECH_OPTIONS="localhost"
THREADS=0
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

After doing this I got the following error in /var/log/auth.log:

li305-246 saslauthd[28093]: auth_rimap: unexpected response to auth request: * BYE [ALERT] Fatal error: Account's mailbox directory is not owned by the correct uid or gid: 
li305-246 saslauthd[28093]: do_auth         : auth failure: [user=fred] [service=smtp] [realm=] [mech=rimap] [reason=[ALERT] Unexpected response from remote authentication server]

This blog post resolved it by setting IMAP_MAILBOX_SANITY_CHECK=0 in /etc/courier/imapd.

Then restart your courier and saslauthd daemons for the configuration changes to take effect.

sudo /etc/init.d/courier-imap restart
sudo /etc/init.d/courier-authdaemon restart
sudo /etc/init.d/saslauthd restart

Watch /var/log/auth.log while trying to send an email. Hopefully you are all good!

postfix saslauthd smtp-auth
  • 1 answer
  • 7256 Views
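
The post above ends with "watch /var/log/auth.log" after each change. As an added example (not from the original post), this parser pulls the saslauthd do_auth failure records out of auth.log so the mechanism and reason can be compared before and after switching MECHANISMS from pam to rimap. The sample lines are the four saslauthd lines quoted in the post; the function names and the notes per mechanism are illustrative.

```python
import re
from collections import Counter

# The saslauthd lines quoted in the post above.
SAMPLE_AUTH_LOG = [
    "li305-246 saslauthd[22856]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure",
    "li305-246 saslauthd[22856]: do_auth         : auth failure: [user=fred] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]",
    "li305-246 saslauthd[28093]: auth_rimap: unexpected response to auth request: * BYE [ALERT] Fatal error: Account's mailbox directory is not owned by the correct uid or gid: ",
    "li305-246 saslauthd[28093]: do_auth         : auth failure: [user=fred] [service=smtp] [realm=] [mech=rimap] [reason=[ALERT] Unexpected response from remote authentication server]",
]

FAILURE = re.compile(r"saslauthd\[\d+\]: do_auth\s*: auth failure: (.*)$")
FIELD = re.compile(r"\[(user|service|realm|mech)=([^\]]*)\]")
# The reason is the last field and may itself contain brackets ("[ALERT] ..."),
# so it is matched greedily up to the final closing bracket.
REASON = re.compile(r"\[reason=(.*)\]\s*$")

# Where to look next, in terms of the settings shown in the post.
MECH_NOTES = {
    "pam": 'saslauthd asked PAM (MECHANISMS="pam" in /etc/default/saslauthd)',
    "rimap": 'saslauthd tried an IMAP login (MECHANISMS="rimap"); the reason comes from that server',
}

def parse_failure(line):
    """Return the fields of one do_auth failure record, or None for other lines."""
    match = FAILURE.search(line)
    if not match:
        return None
    body = match.group(1)
    fields = dict(FIELD.findall(body))
    reason = REASON.search(body)
    fields["reason"] = reason.group(1) if reason else ""
    return fields

def summarise(lines):
    """Count failures per (user, mechanism, reason)."""
    counts = Counter()
    for line in lines:
        fields = parse_failure(line)
        if fields:
            counts[(fields.get("user", ""), fields.get("mech", ""), fields["reason"])] += 1
    return counts

if __name__ == "__main__":
    for (user, mech, reason), count in summarise(SAMPLE_AUTH_LOG).items():
        note = MECH_NOTES.get(mech, "mechanism not covered here")
        print(f"{count}x user={user} mech={mech} reason={reason!r}\n    {note}")
```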
Dave Forgac
Asked: 2009-08-30 08:24:06 +0800 CST

How do I force users to send mail via the submission port (587) with Exim?

  • 1

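I want to force system users to send email only via the submission port (e.g. 587) and then disable authentication on port 25, so that I do not have users trying to authenticate in plain text.

What configuration changes do I need to make to disable authentication on 25 so that users must use the submission port to relay?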

smtp exim smtp-auth
  • 1 answer
  • 1872 Views
Dave Forgac
Asked: 2009-08-26 05:05:55 +0800 CST

How do I configure Exim to drop unauthenticated connections on an alternate SMTP port?

  • 5

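I currently only allow connections on port 25 from the IPs of a mail filtering service.

I have Exim running on an alternate port for SMTP submission. This port needs to allow unencrypted connections for now, so I cannot rely on forcing TLS on the port.

I would like to configure Exim to drop unauthenticated SMTP connections on the alternate port, to prevent spammers from connecting directly and sending spam to users.

How would I configure this ACL?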

smtp access-control-list exim smtp-auth
  • 1 answer
  • 4803 Views
