AskOverflow.Dev


TommyPeanuts's questions

TommyPeanuts
Asked: 2024-07-30 16:13:04 +0800 CST

Associating spamd connections with a mail ID?

  • 5

Local users on our system have their mail passed through spamd using procmail. We are using Postfix on Ubuntu 22.04.

Postfix mail entries start with the mail ID, for example:

Jul 30 07:54:18 alice postfix/qmgr[235769]: 2C704BA328: from=<SRS0=RLoz=O6=mail.boots.com=bounce@ourdomainhere.com>, size=61699, nrcpt=1 (queue active)

The spamd lines in the log look like this, but don't mention the ID:

Jul 30 07:54:18 alice spamd[1860392]: spamd: connection from ::1 [::1]:44212 to port 783, fd 5
Jul 30 07:54:18 alice spamd[1860392]: spamd: setuid to slucy succeeded
Jul 30 07:54:18 alice spamd[1860392]: spamd: processing message <NM63EC74D6C01FA8E1Fbootsuk_mid_prod1-Ym91bmNlQG1haWwuYm9vdHMuY29t@mail.boots.com> for sslucy:1832
Jul 30 07:54:20 alice spamd[2047327]: util: setuid: ruid=1832 euid=1832 rgid=1835 1951 egid=1835 1951 
Jul 30 07:54:23 alice spamd[1860392]: spamd: clean message (-3.1/7.8) for slucy:1832 in 5.0 seconds, 61039 bytes.
Jul 30 07:54:23 alice spamd[1860392]: spamd: result: . -3 - DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,MAILING_LIST_MULTI,MIME_HTML_ONLY,RCVD_IN_DNSWL_NONE,RCVD_IN_VALIDITY_SAFE,SPF_HELO_NONE,SPF_PASS,T_KAM_HTML_FONT_INVALID scantime=5.0,size=61039,user=sslucy,uid=1832,required_score=7.8,rhost=::1,raddr=::1,rport=44212,mid=<NM63EC74D6C01FA8E1Fbootsuk_mid_prod1-Ym91bmNlQG1haWwuYm9vdHMuY29t@mail.boots.com>,autolearn=ham autolearn_force=no
Jul 30 07:54:23 alice spamd[1734900]: prefork: child states: II

If we search for just the mail ID, we see:

Jul 30 07:54:18 alice postfix/smtpd[2047298]: 2C704BA328: client=r105.mail.boots.com[130.248.198.105]
Jul 30 07:54:18 alice postfix/cleanup[2046192]: 2C704BA328: message-id=<NM63EC74D6C01FA8E1Fbootsuk_mid_prod1-Ym91bmNlQG1haWwuYm9vdHMuY29t@mail.boots.com>
Jul 30 07:54:18 alice opendmarc[411763]: 2C704BA328: SPF(mailfrom): mail.boots.com pass
Jul 30 07:54:18 alice opendmarc[411763]: 2C704BA328: mail.boots.com pass
Jul 30 07:54:18 alice postfix/qmgr[235769]: 2C704BA328: from=<SRS0=RLoz=O6=mail.boots.com=bounce@ourdomainhere.com>, size=61699, nrcpt=1 (queue active)
Jul 30 07:54:23 alice postfix/local[2046202]: 2C704BA328: to=<slucy@ourdomainhere.com>, orig_to=<boots@net-guardian.co.uk>, relay=local, delay=5.8, delays=0.74/0/0/5, dsn=2.0.0, status=sent (delivered to command: procmail -a "$EXTENSION")
Jul 30 07:54:23 alice postfix/qmgr[235769]: 2C704BA328: removed

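According to the SpamAssassin documentation, the mid field in the spamd log represents the message ID, but it seems to correspond to the Postfix mail ID only in some cases, not all (as far as I can tell).

Is there a way to reliably associate a spamd process with a given Postfix mail ID, so that we can analyse the whole flow?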

logging
  • 1 answer
  • 32 Views
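
One way to do the correlation asked about above, as an added example that is not part of the original post or of any answer to it: join the postfix/cleanup line (queue ID and message-id) to the spamd result line (mid=), then narrow by local user and delivery time, because a Message-ID is chosen by the sender and can repeat across queue entries. It assumes spamd is called from procmail during Postfix local delivery, as the question describes; the log lines are constructed in the question's format and the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in the format shown in the question (queue IDs, users
# and Message-IDs are made up). <dup@list.example> arrives as two separate
# queue entries for two local users; the last scan has no Postfix delivery.
SAMPLE_LOG = """\
Jul 30 07:54:18 alice postfix/cleanup[2046192]: 2C704BA328: message-id=<one@mail.example>
Jul 30 07:54:23 alice spamd[1860392]: spamd: result: . -3 - DKIM_VALID,SPF_PASS scantime=5.0,size=61039,user=slucy,uid=1832,required_score=7.8,rhost=::1,raddr=::1,rport=44212,mid=<one@mail.example>,autolearn=ham autolearn_force=no
Jul 30 07:54:23 alice postfix/local[2046202]: 2C704BA328: to=<slucy@example.org>, relay=local, delay=5.8, dsn=2.0.0, status=sent (delivered to command: procmail -a "$EXTENSION")
Jul 30 08:10:01 alice postfix/cleanup[2046192]: 3D815CB439: message-id=<dup@list.example>
Jul 30 08:10:01 alice postfix/cleanup[2046193]: 4E926DC54A: message-id=<dup@list.example>
Jul 30 08:10:04 alice spamd[1860392]: spamd: result: . 0 - HTML_MESSAGE scantime=2.1,size=900,user=bob,uid=1840,required_score=5.0,rhost=::1,raddr=::1,rport=44300,mid=<dup@list.example>,autolearn=no autolearn_force=no
Jul 30 08:10:04 alice postfix/local[2046202]: 4E926DC54A: to=<bob@example.org>, relay=local, delay=3, dsn=2.0.0, status=sent (delivered to command: procmail -a "$EXTENSION")
Jul 30 08:10:05 alice spamd[1860393]: spamd: result: Y 9 - BAYES_99 scantime=3.0,size=900,user=slucy,uid=1832,required_score=7.8,rhost=::1,raddr=::1,rport=44302,mid=<dup@list.example>,autolearn=no autolearn_force=no
Jul 30 08:10:05 alice postfix/local[2046203]: 3D815CB439: to=<slucy+lists@example.org>, relay=local, delay=4, dsn=2.0.0, status=sent (delivered to command: procmail -a "$EXTENSION")
Jul 30 09:00:00 alice spamd[1860392]: spamd: result: . 1 - NO_RELAYS scantime=0.4,size=300,user=carol,uid=1850,required_score=5.0,rhost=::1,raddr=::1,rport=44400,mid=<cli@laptop.example>,autolearn=no autolearn_force=no
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ ([^\[\s]+)\[(\d+)\]: (.*)$")
CLEANUP = re.compile(r"^([0-9A-Za-z]+): message-id=(.*)$")
LOCAL = re.compile(r"^([0-9A-Za-z]+): to=<([^@>]+)[^>]*>.*\bstatus=(\w+)")
RESULT = re.compile(r"^spamd: result: ([Y.]) (-?\d+) - .*\bscantime=([\d.]+),"
                    r".*\buser=([^,]+),.*\bmid=(<[^>]*>)")


def parse(log_text, year=2024):
    """Collect Postfix queue entries and spamd scan results from syslog text."""
    queue = defaultdict(lambda: {"mid": None, "cleanup": None, "local": []})
    scans = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        prog, pid, msg = m.group(2), int(m.group(3)), m.group(4)
        if prog == "postfix/cleanup" and (c := CLEANUP.match(msg)):
            queue[c.group(1)].update(mid=c.group(2), cleanup=ts)
        elif prog == "postfix/local" and (d := LOCAL.match(msg)):
            user = d.group(2).split("+", 1)[0]  # drop a recipient_delimiter extension
            queue[d.group(1)]["local"].append((ts, user, d.group(3)))
        elif prog == "spamd" and (r := RESULT.match(msg)):
            scans.append({"end": ts, "pid": pid, "spam": r.group(1) == "Y",
                          "score": int(r.group(2)), "scantime": float(r.group(3)),
                          "user": r.group(4), "mid": r.group(5)})
    return queue, scans


def correlate(log_text, year=2024, slack=timedelta(seconds=2),
              max_lag=timedelta(seconds=30)):
    """Return one record per spamd result with the Postfix queue IDs it matches."""
    queue, scans = parse(log_text, year)
    by_mid = defaultdict(list)
    for qid, rec in queue.items():
        if rec["mid"]:
            by_mid[rec["mid"]].append(qid)
    out = []
    for s in scans:
        start = s["end"] - timedelta(seconds=s["scantime"])
        hits = []
        for qid in by_mid.get(s["mid"], []):
            rec = queue[qid]
            # cleanup must precede the scan (syslog has 1 s resolution: slack).
            if rec["cleanup"] > start + slack:
                continue
            # local logs the delivery only after procmail, and so spamd, is done.
            if any(u == s["user"] and s["end"] - slack <= t <= s["end"] + max_lag
                   for t, u, _status in rec["local"]):
                hits.append(qid)
        state = "unique" if len(hits) == 1 else "ambiguous" if hits else "unmatched"
        out.append({"user": s["user"], "mid": s["mid"], "score": s["score"],
                    "spamd_pid": s["pid"], "queue_ids": hits, "state": state})
    return out


if __name__ == "__main__":
    for row in correlate(SAMPLE_LOG):
        print(row)
```

A scan reported as "ambiguous" (same Message-ID, same user, overlapping delivery window) cannot be separated from these log lines alone, and "unmatched" covers scans that did not come from a Postfix delivery.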
TommyPeanuts
Asked: 2024-06-29 16:43:57 +0800 CST

Should the SMTP HELO name be the same as the MX record?

  • 5

I can't seem to satisfy the HELO check of my SPF record in all cases. My domain has an SPF record like this:

"v=spf1 mx -all"

The MX records in the zone are:

mx0.mydomain.org.uk.          3600 IN A         1xx.xx.xx.59
mx0.mydomain.org.uk.          3600 IN AAAA      2001:xxx:x:xxx::3b
mx1.mydomain.org.uk.          3600 IN A         2xx.xx.xxx.201
mx1.mydomain.org.uk.          3600 IN AAAA      2a03:xxx:xx:xxx::2 

The sending server's hostname (and PTR) is mail.mydomain.org.uk. Its IP is the same as that of mx0.mydomain.org.uk. The HELO name is mydomain.org.uk.

I can get the HELO to pass with the above SPF record:

SPF helo    header      Received-SPF: 

pass (mydomain.org.uk: 1xx.xx.xx.59 is authorized to use 'mydomain.org.uk' in 'helo' identity (mechanism 'mx' matched)) 

receiver=ts11-do.checktls.com; identity=helo; helo=mydomain.org.uk; client-ip=1xx.xx.xx.59

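However, some checkers don't like this and say they can't find an A record for the sender mydomain.org.uk. But if I change the HELO to mx0.mydomain.org.uk, it fails with "No applicable sender policy available":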

SPF helo    header      Received-SPF: 

none (mx0.mydomain.org.uk: No applicable sender policy available) receiver=ts11-do.checktls.com; identity=helo; helo=mx0.mydomain.org.uk; client-ip=1xx.xx.xx.59

SPF helo    local       mx0.mydomain.org.uk: No applicable sender policy available

How can I satisfy both checks?

postfix
  • 2 answers
  • 115 Views
TommyPeanuts
Asked: 2024-06-25 03:49:14 +0800 CST

Docker container can't send mail on a multi-homed host

  • 5

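I have a Docker host with two IP addresses (call them A and B). Apache binds to A, which resolves to web.mydomain.com, and Postfix binds to B, at mail.mydomain.com.

The Docker application is meant to send mail via SMTP-AUTH to mail.mydomain.com. It also has a web UI listening on localhost:3000 (docker ps shows it as 127.0.0.1:3000->3000/tcp). It is proxied through Apache to the outside world at web.mydomain.com.

The container seems to be able to resolve the correct DNS requests for A (.59) and B (.83) from the host: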

nextjs@5b3fccbf323a:/app$ getent hosts 182.xx.xx.59
182.xx.xx.59    mail.mydomain.com

nextjs@5b3fccbf323a:/app$ getent hosts 182.xx.xx.83
182.xx.xx.83    www.mydomain.com

But when I try to connect to the mail port (from inside the container), nothing happens until it times out:

openssl s_client -connect mail.mydomain.com:587 -starttls smtp

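Connecting from the host works fine. Other Docker containers running other applications can send mail in the same way without problems.

I know very little about Docker networking. The container's connection on port 587 seems to go to the web IP A, but I'm not sure. The web UI on A works fine. How do I persuade the container to connect to A for the web interface and B for the SMTP submission interface?

tcpdump shows packets from the container on port 587, but nothing coming back from the mail server: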

14:30:53.168711 br-36bedc370406 In  ifindex 102 02:42:ac:1f:00:02 ethertype IPv4 (0x0800), length 80: 172.31.0.2.55954 > 185.x.x.59.587: Flags [S], seq 1208255870, win 64240, options [mss 1460,sackOK,TS val 241634928 ecr 0,nop,wscale 7], length 0

iptables-save (fail2ban rules omitted):

# Generated by iptables-save v1.8.7 on Tue Jun 25 14:37:41 2024
*filter
:INPUT DROP [162608:8659146]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [31071143:38820437864]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:LOGGING - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i docker0 -p tcp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -m geoip --source-country GB,UG,KE,ZA  -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 12000:13000 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 12000:13000 -j ACCEPT
-A INPUT -i eth0 -p tcp -m multiport --dports 25,110,143,465,587,993,995,2525,2526 -j ACCEPT
-A INPUT -i eth0 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m multiport --dports 22,873 -m geoip --source-country GB  -j ACCEPT
-A INPUT -i eth0 -p tcp -m multiport --dports 8080,3100 -m geoip --source-country GB  -j ACCEPT
-A INPUT -i eth0 -p icmp -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-36bedc370406 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-36bedc370406 -j DOCKER
-A FORWARD -i br-36bedc370406 ! -o br-36bedc370406 -j ACCEPT
-A FORWARD -i br-36bedc370406 -o br-36bedc370406 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o docker0 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -m owner ! --uid-owner 117 -j LOGGING
-A OUTPUT -p tcp -m tcp --dport 443 -m owner ! --uid-owner 117 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m tcp --dport 563 -m owner ! --uid-owner 117 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
-A DOCKER -d 172.31.0.2/32 ! -i br-36bedc370406 -o br-36bedc370406 -p tcp -m tcp --dport 3000 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-36bedc370406 ! -o br-36bedc370406 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-36bedc370406 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: "
COMMIT
# Completed on Tue Jun 25 14:37:41 2024
# Generated by iptables-save v1.8.7 on Tue Jun 25 14:37:41 2024
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -p tcp -m tcp --dport 80 -m owner ! --uid-owner 117 -j REDIRECT --to-ports 8888
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.31.0.0/16 ! -o br-36bedc370406 -j MASQUERADE
-A POSTROUTING -s 172.31.0.2/32 -d 172.31.0.2/32 -p tcp -m tcp --dport 3000 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-36bedc370406 -j RETURN
-A DOCKER -d 127.0.0.1/32 ! -i br-36bedc370406 -p tcp -m tcp --dport 3000 -j DNAT --to-destination 172.31.0.2:3000
COMMIT

nft list ruleset shows:

table ip filter {
        chain INPUT {
                type filter hook input priority filter; policy drop;
                meta l4proto tcp tcp dport { 80,443} counter packets 1642563 bytes 190179301 jump f2b-apache-fakegooglebot
                meta l4proto tcp tcp dport { 80,443} counter packets 9116728 bytes 1069624630 jump f2b-apache-auth
                meta l4proto tcp tcp dport 22 counter packets 413620 bytes 31257328 jump f2b-sshd
                meta l4proto tcp tcp dport { 110,995,143,993,587,465,4190} counter packets 6304246 bytes 659133161 jump f2b-dovecot
                meta l4proto tcp tcp dport { 25,465,587} counter packets 1358308 bytes 1357726201 jump f2b-postfix
                meta l4proto tcp tcp dport { 80,443,25,587,110,995,143,993,4190} counter packets 15403400 bytes 2939709444 jump f2b-postfix
                iifname "lo" counter packets 45927262 bytes 22275943601 accept
                ct state related,established counter packets 23416790 bytes 5815553538 accept
                iifname "eth0" meta l4proto tcp tcp dport 53 counter packets 5885 bytes 340579 accept
                iifname "eth0" meta l4proto udp udp dport 53 counter packets 895484 bytes 69357764 accept
                iifname "docker0" meta l4proto tcp counter packets 3001 bytes 180060 accept
                meta l4proto tcp tcp dport 21 ct state new,established # -m geoip --source-country GB,UG,KE,ZA  counter packets 49 bytes 2480 accept
                meta l4proto tcp tcp dport 20 ct state related,established counter packets 0 bytes 0 accept
                meta l4proto tcp tcp sport 1024-65535 tcp dport 1024-65535 ct state established counter packets 0 bytes 0 accept
                meta l4proto tcp tcp dport 12000-13000 counter packets 2973 bytes 135532 accept
                meta l4proto tcp tcp dport 12000-13000 counter packets 0 bytes 0 accept
                iifname "eth0" meta l4proto tcp tcp dport { 25,110,143,465,587,993,995,2525,2526} counter packets 197174 bytes 11469412 accept
                iifname "eth0" meta l4proto tcp tcp dport { 80,443} counter packets 787414 bytes 46406299 accept
                iifname "eth0" meta l4proto tcp tcp dport { 22,873} # -m geoip --source-country GB  counter packets 275 bytes 15232 accept
                iifname "eth0" meta l4proto tcp tcp dport { 8080,3100} # -m geoip --source-country GB  counter packets 143 bytes 6132 accept
                iifname "eth0" meta l4proto icmp counter packets 29321 bytes 1823925 accept
                counter packets 205049 bytes 10393170 jump SpamhausIN
        }

        chain LOGGING {
                limit rate 2/minute counter packets 24372 bytes 1259527 log prefix "IPTables-Dropped: "
        }
        chain FORWARD {
                type filter hook forward priority filter; policy drop;
                counter packets 91 bytes 19822 jump DOCKER-USER
                counter packets 91 bytes 19822 jump DOCKER-ISOLATION-STAGE-1
                oifname "docker0" ct state related,established counter packets 6 bytes 636 accept
                oifname "docker0" counter packets 0 bytes 0 jump DOCKER
                iifname "docker0" oifname != "docker0" counter packets 6 bytes 390 accept
                iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
                oifname "br-36bedc370406" ct state related,established counter packets 217 bytes 55250 accept
                oifname "br-36bedc370406" counter packets 6 bytes 360 jump DOCKER
                iifname "br-36bedc370406" oifname != "br-36bedc370406" counter packets 0 bytes 0 accept
                iifname "br-36bedc370406" oifname "br-36bedc370406" counter packets 6 bytes 360 accept
                counter packets 0 bytes 0 jump SpamhausIN
        }

        chain OUTPUT {
                type filter hook output priority filter; policy accept;
                oifname "lo" counter packets 45927236 bytes 22275941960 accept
                oifname "docker0" counter packets 53070 bytes 13526184 accept
                meta l4proto tcp tcp dport 443 skuid != 117 counter packets 137554 bytes 6981510 jump LOGGING
                meta l4proto tcp tcp dport 443 skuid != 117 counter packets 137554 bytes 6981510 reject
                meta l4proto tcp tcp dport 563 skuid != 117 counter packets 6 bytes 312 reject
                meta l4proto tcp tcp dport 21 ct state new counter packets 0 bytes 0 reject
                counter packets 32097922 bytes 38886685465 jump SpamhausOUT
        }

        chain f2b-dovecot {
                counter packets 128626 bytes 13891673 return
        }

        chain DOCKER {
        }
      chain DOCKER-ISOLATION-STAGE-1 {
                iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
                iifname "br-36bedc370406" oifname != "br-36bedc370406" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
                counter packets 0 bytes 0 return
        }

        chain DOCKER-ISOLATION-STAGE-2 {
                oifname "docker0" counter packets 0 bytes 0 drop
                oifname "br-36bedc370406" counter packets 0 bytes 0 drop
                counter packets 0 bytes 0 return
        }

        chain DOCKER-USER {
                counter packets 0 bytes 0 return
        }
}
table ip nat {
        chain OUTPUT {
                type nat hook output priority -100; policy accept;
                meta l4proto tcp tcp dport 80 skuid != 117 counter packets 2 bytes 120 redirect to :8888
                ip daddr != 127.0.0.0/8 fib daddr type local counter packets 8 bytes 480 jump DOCKER
        }

        chain POSTROUTING {
                type nat hook postrouting priority srcnat; policy accept;
                oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 3 bytes 195 masquerade 
                oifname != "br-36bedc370406" ip saddr 172.31.0.0/16 counter packets 0 bytes 0 masquerade 
                meta l4proto tcp ip saddr 172.31.0.2 ip daddr 172.31.0.2 tcp dport 3000 counter packets 0 bytes 0 masquerade 
        }

        chain PREROUTING {
                type nat hook prerouting priority dstnat; policy accept;
                fib daddr type local counter packets 2221 bytes 148479 jump DOCKER
        }

        chain DOCKER {
                iifname "docker0" counter packets 3 bytes 180 return
                iifname "br-36bedc370406" counter packets 7 bytes 420 return
                iifname != "br-36bedc370406" meta l4proto tcp ip daddr 127.0.0.1 tcp dport 3000 counter packets 0 bytes 0 dnat to 172.31.0.2:3000
        }
}
table ip6 nat {
        chain OUTPUT {
                type nat hook output priority -100; policy accept;
                meta l4proto tcp tcp dport 80 skuid != 117 counter packets 35400 bytes 2832000 redirect to :8888
        }

        chain DOCKER {
        }
}


Output of host:~$ ip route (ip is not available in the container):

default via 185.x.x.1 dev eth0 proto static onlink 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 
172.31.0.0/16 dev br-36bedc370406 proto kernel scope link src 172.31.0.1 
185.x.x.0/22 dev eth0 proto kernel scope link src 185.x.x.83 
~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 02:00:00:00:40:17 brd ff:ff:ff:ff:ff:ff
    inet 185.x.x.83/22 brd 185.x.x.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 185.x.x.59/22 brd 185.x.x.255 scope global secondary eth0
       valid_lft forever preferred_lft forever
    inet6 2001:xxx:x:xxx::3b/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 2001:xxx:x:xxx::53/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::ff:fe00:4017/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:91:dc:5d:95 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:91ff:fedc:5d95/64 scope link 
       valid_lft forever preferred_lft forever
10: vethf05d58a@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default 
    link/ether 6a:7e:2f:5d:df:f3 brd ff:ff:ff:ff:ff:ff link-netnsid 2
    inet6 fe80::687e:2fff:fe5d:dff3/64 scope link 
       valid_lft forever preferred_lft forever
102: br-36bedc370406: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:da:79:75:ae brd ff:ff:ff:ff:ff:ff
    inet 172.31.0.1/16 brd 172.31.255.255 scope global br-36bedc370406
       valid_lft forever preferred_lft forever
    inet6 fe80::42:daff:fe79:75ae/64 scope link 
       valid_lft forever preferred_lft forever
104: vetheec212b@if103: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-36bedc370406 state UP group default 
    link/ether 1e:4a:34:89:98:cf brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::1c4a:34ff:fe89:98cf/64 scope link 
       valid_lft forever preferred_lft forever
110: veth216a525@if109: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-36bedc370406 state UP group default 
    link/ether 4e:15:61:92:30:a0 brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet6 fe80::4c15:61ff:fe92:30a0/64 scope link 
       valid_lft forever preferred_lft forever

host:~$ docker network ls shows the following:

NETWORK ID     NAME             DRIVER    SCOPE
1f2cb04b3b54   bridge           bridge    local
c9ea0692db1b   host             host      local
a91ee892376d   none             null      local
36bedc370406   rallly_default   bridge    local

The network the container uses is called "rallly_default".

host:~$ docker network inspect rallly_default

[
    {
        "Name": "rallly_default",
        "Id": "36bedc3704069d8d2ad6cc02031296a5fadb95ca988ee1a0e9d461b5e6ba083b",
        "Created": "2024-06-24T20:59:40.356497842Z",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.31.0.0/16",
                    "Gateway": "172.31.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "4c41cdd942d82c1504804fbf94e3980ef96adaabbec43ae36ac8ec21c255d970": {
                "Name": "rallly-rallly_db-1",
                "EndpointID": "1f7352607a1062ddb6ae421b490bb12739a099476137396737a1a60b752e67d0",
                "MacAddress": "02:42:ac:1f:00:02",
                "IPv4Address": "172.31.0.2/16",
                "IPv6Address": ""
            }
        },
        "Options": {},
        "Labels": {
            "com.docker.compose.network": "default",
            "com.docker.compose.project": "rallly",
            "com.docker.compose.version": "2.27.1"
        }
    }
]
networking
  • 1 answer
  • 57 Views
TommyPeanuts
Asked: 2024-06-17 05:21:20 +0800 CST

DNS and PTR names for mail servers - best practice?

  • 5

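Should the hostname of the mail server you send mail from always have an rDNS (PTR type) record of the same name?

I ask because I've noticed that my mail server's name is not the same as the name in the PTR record for its IP address, which is instead the name of the MX record's hostname.

In this case, is it best to change my mail server's name, or to ask my ISP to change the PTR for its address so that they are the same?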

email
  • 1 answer
  • 33 Views
TommyPeanuts
Asked: 2024-01-17 16:06:18 +0800 CST

Where does ddns-confgen save its key?

  • 5

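I hesitate to ask this because I suspect I'm being stupid, but...

On an Ubuntu 22.04 server running bind 9.18.18, when I run ddns-confgen -k host.example.com, it outputs a key and some configuration directives needed to configure the specified server. It also includes the following: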

# After the keyfile has been placed, the following command will
# execute nsupdate using this key:
nsupdate -k <keyfile>

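The man page states:

The key name can be specified using the -k parameter and defaults to ddns-key. The generated key is accompanied by configuration text and instructions that can be used with nsupdate and named when setting up dynamic DNS

Where is the "generated key" it refers to (there is nothing in the man page about a path or any option for one)? It doesn't appear in the directory where I ran the command, but I need to give that key to the nsupdate command when updating the zone.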

bind
  • 1 answer
  • 79 Views
TommyPeanuts
Asked: 2023-12-11 22:55:01 +0800 CST

Different spam filtering for sasl-auth clients?

  • 5

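Using a standard Ubuntu postfix setup (Ubuntu 22.04), I'd like to filter mail as follows:

  1. Incoming submission and smtps (the vast majority of mail): SPF and RBL checks (I'm using policyd.pl), then checks with spamassassin and clamav via Amavis.
  2. SASL-authenticated mail from clients on external networks: rate limiting/checks (I'm using postfwd for that), then Amavis checks, but no SPF and RBL checks (since we don't want to reject based on the client's sending network).

Am I right in thinking that if I put the Amavis check last in the chain, and only have permissive options in the master.cf "re-entry" listener, I can ensure that mail from sasl-authenticated users doesn't get the same checks as other mail? For example: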

smtpd_client_restrictions =
    permit_mynetworks,
    # Rate limiting with postfwd: 
    check_policy_service inet:127.0.0.1:10040,
    permit_sasl_authenticated,
    # RBLs, SPF with policyd.pl:
    check_policy_service unix:private/senderCheck

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    ...,
    [various reject_* lines here],
    ...,
    # Amavis checks last:
    content_filter = smtp-amavis:[127.0.0.1]:10024,
    permit

Then in master.cf the Amavis "re-entry" is configured as:

127.0.0.1:10025 inet    n       -       -       -       -       smtpd
        -o syslog_name=amavis-reentry
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_delay_reject=no
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=
        -o smtpd_data_restrictions=
        -o smtpd_end_of_data_restrictions=
        -o mynetworks=127.0.0.0/8
        -o smtpd_error_sleep_time=0
        -o smtpd_soft_error_limit=1001
        -o smtpd_hard_error_limit=1000
        -o smtpd_client_connection_count_limit=0
        -o smtpd_client_connection_rate_limit=0
        -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

Edit: for reference, this is my current smtpd configuration in master.cf:

smtp      inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=no
  -o smtpd_discard_ehlo_keywords=silent-discard,dsn

submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_key_file=/etc/letsencrypt/live/smtp.xxx/privkey.pem
  -o smtpd_tls_cert_file=/etc/letsencrypt/live/smtp.xxx/fullchain.pem
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_security_level=may
  -o smtpd_tls_key_file=/etc/letsencrypt/live/smtp.xxx/privkey.pem
  -o smtpd_tls_cert_file=/etc/letsencrypt/live/smtp.xxx/fullchain.pem
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
postfix
  • 1 answer
  • 81 Views
TommyPeanuts
Asked: 2022-11-01 00:41:15 +0800 CST

How to merge Dovecot extra fields from system accounts into passwd-file format?

  • 5

I'm running an Ubuntu mail server with Dovecot 2.2.33 and am using system accounts:

passdb {
  driver = pam 

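I have about 100 mail users.

I'd like to impose per-user storage quotas, but the Dovecot docs on per-user quota configuration say:

The passwd userdb doesn't support extra fields. That's why you can't directly set users' quota limits to the passwd file. One possibility would be to write a script that reads quota limits from another file, merges them with the passwd file and produces another passwd-file, which you could then use with Dovecot's passwd-file.

Does anyone have an example of such a script? For instance, it isn't clear to me from the docs how the passwords themselves are handled. Or is there some other workaround that doesn't require moving to a virtual user setup to get per-user quotas?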

email-server dovecot
  • 1 answer
  • 38 Views
TommyPeanuts
Asked: 2022-10-29 05:20:12 +0800 CST

How best to deal with large Dovecot inboxes?

  • 6

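I have a small number of mail users (about 100), some of whom have relatively large (10Gb+) mailboxes. I'm running Ubuntu with postfix and dovecot in Maildir format.

I could keep adding storage, but perhaps a cheaper approach would be to extract attachments that are older and larger than a threshold, then put them somewhere for users to download (e.g. S3) before automatically deleting them? I'm not sure how to do that.

What do others do?

I've also thought about compressing mail over a certain age, but I'm not sure whether that would free up much space.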

imap storage
  • 1 answer
  • 21 Views
TommyPeanuts
Asked: 2021-07-25 00:10:41 +0800 CST

Practical difference between DV and EV/OV SSL certificates?

  • 0

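When I view a site's SSL certificate from a browser, it always shows in the "Issued To" section that the organisation is not part of the certificate.

If end users can't independently verify my organisation (I assume browsers could now verify it for them), what is the practical value of having an OV/EV certificate? Is it something else? If so, what?

I see that at the time of writing Comodo says that OV/EV not only shows the organisation details in the certificate, but also:

In addition to the secure padlock symbol, EV SSL certificates activate the "green address bar" in select web browsers by displaying the authenticated company name in green next to the web address.

For most browsers, I don't think either of these has been true for some years. They list some other benefits, but these seem trivial ("comes with a ComodoCA trust logo" - is there much evidence that end users know or care about this?).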


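Edit: since posting my question, I now see that some sites do have an organisation in their certificate: uk.yahoo.com (although shown as "Oath Inc") and www.bankofengland.co.uk. That obviously negates my original point. But I think my main question still stands. Odd that Google doesn't use EV.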

security ssl-certificate
  • 2 answers
  • 335 Views
TommyPeanuts
Asked: 2021-01-05 05:04:25 +0800 CST

Postfix: how to malware- and spam-scan outgoing mail from SMTP SASL-authenticated users?

  • 0

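Although I've found two answers, I couldn't work out how to actually implement them, and at least one of them doesn't really answer the question. So if anyone has any experience to share, I'd be very grateful.

I have a server (Ubuntu 18.04) running Postfix. I already use postfwd to rate-limit SASL senders, and use Amavis and other things to scan outgoing mail from the local machine/network (e.g. from the web server). That works fine, and looks like this in main.cf: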

smtpd_sender_restrictions =
    check_client_access cidr:/etc/postfix/internal_clients_filter,
    permit_mynetworks, 
    reject_unknown_sender_domain

In master.cf:

senderCheck  unix  -       n       n       -       15       spawn
  user=nobody argv=/opt/policyd/src/policyd.pl  max_idle=30 max_use=50 daemon_timeout=50

127.0.0.1:10025 inet    n    -    n    -    -    smtpd
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o mynetworks=127.0.0.0/8
    -o smtpd_data_restrictions=
    -o smtpd_end_of_data_restrictions=
    -o local_header_rewrite_clients=
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o smtpd_milters=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings

How can I put SASL senders (who by definition are not on my network) through spam and malware scanning in the same way as local senders?

spam postfix spamassassin sasl amavis
  • 1 answer
  • 307 Views
TommyPeanuts
Asked: 2019-11-06 12:07:34 +0800 CST

How to debug "lost connection after STARTTLS"?

  • 0

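We have a web server that sends mail through our Postfix relay over a LAN connection. Users from outside our network also send mail via SMTP AUTH.

However, we have a webmail application (Roundcube) on the web server which can't send mail through the relay on port 587 over the LAN. It fails with some TLS error. Does anyone know where to start debugging this?

main.cf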

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
debug_peer_list = 10.10.10.102
biff = no
relay_domains = $mydestination
compatibility_level = 2
mail_owner = postfix
append_dot_mydomain = no
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, DES, 3DES, MD5, DES+MD5, RC4
smtpd_tls_exclude_ciphers = aNULL, DES, 3DES, MD5, DES+MD5, RC4
smtpd_tls_protocols=!SSLv2,!SSLv3
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
smtpd_tls_key_file = /etc/letsencrypt/live/smtp.xxxx.xx.uk/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/smtp.xxxx.xx.uk/fullchain.pem
myhostname = mx0.xxxx.xx.uk
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
virtual_maps = hash:/etc/postfix/virtusertable
transport_maps = hash:/etc/postfix/transport
myorigin = $mydomain
mydestination = $myhostname, lorina.$mydomain, alice.$mydomain, localhost.$mydomain, localhost, lists.xxxx.xxxx.uk, /etc/postfix/hatters/localdomains
relayhost =
mynetworks = 127.0.0.1/32 185.x.x.x/32 10.10.10.0/24 [::1]/128 [2001:xxxx::3c]/128 [fe80::xxx:c90f]/128 [fe80::xxx:6181]/128
home_mailbox = Maildir/
message_size_limit = 262144000
mailbox_size_limit = 0
mailbox_command = procmail -a "$EXTENSION"
recipient_delimiter = +
owner_request_special = no
unknown_local_recipient_reject_code = 550
smtpd_client_restrictions =
    check_client_access hash:/etc/postfix/blacklist,
    permit_mynetworks
smtpd_sender_restrictions =
    check_client_access cidr:/etc/postfix/internal_clients_filter,
    permit_mynetworks,
    reject_unknown_sender_domain
smtpd_helo_required = yes
disable_vrfy_command = yes
smtpd_recipient_restrictions =
        permit_mynetworks,
        check_policy_service inet:127.0.0.1:10040,
        permit_sasl_authenticated,
        reject_invalid_helo_hostname,
        reject_unknown_recipient_domain,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unlisted_recipient,
        reject_unauth_destination,
        check_policy_service unix:private/senderCheck,
        permit_mx_backup,
        permit
smtpd_data_restrictions =
    reject_unauth_pipelining,
    permit

header_checks = regexp:/etc/postfix/header_checks
body_checks = regexp:/etc/postfix/body_checks
bounce_queue_lifetime = 0
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
smtpd_client_connection_count_limit = 60
smtpd_client_connection_rate_limit = 200
smtp_destination_concurrency_limit = 2
smtp_destination_rate_delay = 1s
smtp_extra_recipient_limit = 10
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

SMTP section of master.cf

smtp      inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=no
  -o smtpd_discard_ehlo_keywords=silent-discard,dsn
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_key_file=/etc/letsencrypt/live/smtp.xxxx.xx.uk/privkey.pem
  -o smtpd_tls_cert_file=/etc/letsencrypt/live/smtp.xxxx.xx.uk/fullchain.pem
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_security_level=may
  -o smtpd_tls_key_file=/etc/letsencrypt/live/smtp.xxx.xxx.uk/privkey.pem
  -o smtpd_tls_cert_file=/etc/letsencrypt/live/smtp.xxx.xxx.uk/fullchain.pem
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

In the webmail log it says:

    [05-Nov-2019 11:13:21 UTC] ERROR: STARTTLS failed ()
    [05-Nov-2019 11:13:21 UTC] ERROR: Invalid response code received from server (-1)
    [05-Nov-2019 11:13:21 UTC] ERROR: Failed to write to socket: unknown error ()
    [05-Nov-2019 11:13:21 +0000]: <h6hj0vtt> SMTP Error: Authentication failure: STARTTLS failed (Code: ) in /usr/share/roundcube/program/lib/Roundcube/rcube.php on line 1667 (POST /roundcube/?_task=mail&_unlock=loading1572952401252&_lang=undefined&_framed=1&_action=send)

On the Postfix side (with debugging turned on), it says:

Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: connect from lan-host[10.10.10.102]
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: smtp_stream_setup: maxtime=300 enable_deadline=0
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: match_hostname: smtpd_client_event_limit_exceptions: lan-host ~? 127.0.0.1/32
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: match_hostaddr: smtpd_client_event_limit_exceptions: 10.10.10.102 ~? 127.0.0.1/32
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: match_hostname: smtpd_client_event_limit_exceptions: lan-host ~? 185.73.44.60/32
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: match_hostaddr: smtpd_client_event_limit_exceptions: 10.10.10.102 ~? 185.73.44.60/32
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: match_hostname: smtpd_client_event_limit_exceptions: lan-host ~? 10.10.10.0/24
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: match_hostaddr: smtpd_client_event_limit_exceptions: 10.10.10.102 ~? 10.10.10.0/24
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: report connect to all milters
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: milter_macro_lookup: "j"
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: milter_macro_lookup: result "mx0.xxxxx.org.uk"
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: milter_macro_lookup: "{daemon_name}"
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: milter_macro_lookup: result "ORIGINATING"
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: milter_macro_lookup: "v"
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: milter_macro_lookup: result "Postfix 3.1.0"
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: milter8_connect: non-protocol events for protocol version 6:
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: milter8_connect: transport=inet endpoint=localhost:8891
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: trying... [::1]
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: Connection refused
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: trying... [127.0.0.1]
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: vstream_tweak_tcp: TCP_MAXSEG 21845
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: fd=22: stream buffer size old=0 new=43690
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: milter8_connect: my_version=0x6
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: milter8_connect: my_actions=0x1ff SMFIF_ADDHDRS SMFIF_CHGBODY SMFIF_ADDRCPT SMFIF_DELRCPT SMFIF_CHGHDRS SMFIF_QUARANTINE SMFIF_CHGFROM SMFIF_ADDRCPT_PAR SMFIF_SETSYMLIST
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: milter8_connect: my_events=0x1fffff SMFIP_NOCONNECT SMFIP_NOHELO SMFIP_NOMAIL SMFIP_NORCPT SMFIP_NOBODY SMFIP_NOHDRS SMFIP_NOEOH SMFIP_NR_HDR SMFIP_NOUNKNOWN SMFIP_NODATA SMFIP_SKIP SMFIP_RCPT_REJ SMFIP_NR_CONN SMFIP_NR_HELO SMFIP_NR_MAIL SMFIP_NR_RCPT SMFIP_NR_DATA SMFIP_NR_UNKN SMFIP_NR_EOH SMFIP_NR_BODY SMFIP_HDR_LEADSPC
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: milter8_connect: milter inet:localhost:8891 version 6
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: milter8_connect: events SMFIP_NOHELO SMFIP_NOUNKNOWN SMFIP_NODATA SMFIP_SKIP SMFIP_HDR_LEADSPC
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: milter8_connect: requests SMFIF_ADDHDRS SMFIF_CHGHDRS SMFIF_SETSYMLIST
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: milter8_conn_event: milter inet:localhost:8891: connect lan-host/10.10.10.102
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: event: SMFIC_CONNECT; macros: {j}=mx0.xxxxx.org.uk {daemon_name}=ORIGINATING {v}=Postfix 3.1.0
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: reply: SMFIR_CONTINUE data 0 bytes
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: > lan-host[10.10.10.102]: 220 mx0.xxxxx.org.uk ESMTP Postfix (Debian/GNU)
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: watchdog_pat: 0x5565d5a3eca0
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: < lan-host[10.10.10.102]: EHLO www.xxxxx.org.uk
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: report helo to all milters
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: milter_macro_lookup: "{tls_version}"
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: milter_macro_lookup: "{cipher}"
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: milter_macro_lookup: "{cipher_bits}"
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: milter_macro_lookup: "{cert_subject}"
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: milter_macro_lookup: "{cert_issuer}"
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: milter8_helo_event: milter inet:localhost:8891: helo www.xxxxx.org.uk
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: event: SMFIC_HELO; macros: (none)
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: skipping event SMFIC_HELO for milter inet:localhost:8891
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: match_list_match: lan-host: no match
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: match_list_match: 10.10.10.102: no match
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: > lan-host[10.10.10.102]: 250-mx0.xxxxx.org.uk
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: > lan-host[10.10.10.102]: 250-PIPELINING
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: > lan-host[10.10.10.102]: 250-SIZE 262144000
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: > lan-host[10.10.10.102]: 250-ETRN
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: > lan-host[10.10.10.102]: 250-STARTTLS
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: > lan-host[10.10.10.102]: 250-ENHANCEDSTATUSCODES
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: > lan-host[10.10.10.102]: 250-8BITMIME
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: > lan-host[10.10.10.102]: 250-DSN
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: > lan-host[10.10.10.102]: 250 SMTPUTF8
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: watchdog_pat: 0x5565d5a3eca0
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: < lan-host[10.10.10.102]: STARTTLS
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: query milter states for other event
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: milter8_other_event: milter inet:localhost:8891
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: > lan-host[10.10.10.102]: 220 2.0.0 Ready to start TLS
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: abort all milters
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: milter8_abort: abort milter inet:localhost:8891
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: send attr request = seed
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: send attr size = 32
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: private/tlsmgr: wanted attribute: status
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: input attribute name: status
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: input attribute value: 0
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: private/tlsmgr: wanted attribute: seed
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: input attribute name: seed
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: input attribute value: olrmf0HDZWe9eEMY4alXsy2Cg/Np2qUD3JOAnPfejf0=
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: private/tlsmgr: wanted attribute: (list terminator)
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: input attribute name: (end)
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: send attr request = tktkey
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: send attr keyname = [data 0 bytes]
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: private/tlsmgr: wanted attribute: status
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: input attribute name: status
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: input attribute value: 0
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: private/tlsmgr: wanted attribute: keybuf
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: input attribute name: keybuf
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: input attribute value: 0KfXUorb0BaA3xpE3ACqMX4PjMBEX3Dmal1Uz0sVl1ODyCLQTdBwVTf3u8DbqnwRIxttyY9Di/TXl9Ph45lpnqxkIObdN3JOMJAAGrjtrg2TPMFdAAAAAA==
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: private/tlsmgr: wanted attribute: (list terminator)
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: input attribute name: (end)
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: xsasl_dovecot_server_create: SASL service=smtp, realm=(null)
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: name_mask: noanonymous
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: xsasl_dovecot_server_connect: Connecting
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: xsasl_dovecot_server_connect: auth reply: VERSION?1?1
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: xsasl_dovecot_server_connect: auth reply: MECH?PLAIN?plaintext
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: name_mask: plaintext
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: xsasl_dovecot_server_connect: auth reply: MECH?LOGIN?plaintext
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: name_mask: plaintext
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: xsasl_dovecot_server_connect: auth reply: SPID?12321
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: xsasl_dovecot_server_connect: auth reply: CUID?378
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: xsasl_dovecot_server_connect: auth reply: COOKIE?78955ca7ca16619ba44cdfbbce08a84d
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: xsasl_dovecot_server_connect: auth reply: DONE
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: xsasl_dovecot_server_mech_filter: keep mechanism: PLAIN
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: xsasl_dovecot_server_mech_filter: keep mechanism: LOGIN
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: watchdog_pat: 0x5565d5a3eca0
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: smtp_get: EOF
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: match_hostname: smtpd_client_event_limit_exceptions: lan-host ~? 127.0.0.1/32
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: match_hostaddr: smtpd_client_event_limit_exceptions: 10.10.10.102 ~? 127.0.0.1/32
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: match_hostname: smtpd_client_event_limit_exceptions: lan-host ~? 185.73.44.60/32
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: match_hostaddr: smtpd_client_event_limit_exceptions: 10.10.10.102 ~? 185.73.44.60/32
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: match_hostname: smtpd_client_event_limit_exceptions: lan-host ~? 10.10.10.0/24
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: match_hostaddr: smtpd_client_event_limit_exceptions: 10.10.10.102 ~? 10.10.10.0/24
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: lost connection after STARTTLS from lan-host[10.10.10.102]
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: disconnect event to all milters
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: milter8_disc_event: quit milter inet:localhost:8891
Nov  5 08:40:44 lorina postfix/submission/smtpd[17200]: disconnect from lan-host[10.10.10.102] ehlo=1 starttls=1 commands=2
php
  • 1 answer
  • 2830 Views
TommyPeanuts
Asked: 2019-10-28 13:32:00 +0800 CST

Lots of "Relay access denied" from the same sender, helo=<[127.0.0.1]>

  • 0

I've recently noticed a large number of lines like this in our logs (where ourdomain.com is a domain we control and 14.242.xx is an IP outside our network):

Oct 27 20:59:38 server postfix/smtpd[26781]: NOQUEUE: reject: RCPT from unknown[14.242.x.x]: 454 4.7.1 <xxxx@yahoo.com>: Relay access denied; from=<a-user@ourdomain.com> to=<xxxx@yahoo.com> proto=ESMTP helo=<[127.0.0.1]>

They appear to be sent from localhost. How can I trace where these attempts are coming from?

postfix
  • 1 answer
  • 61 Views
TommyPeanuts
Asked: 2019-09-16 00:30:48 +0800 CST

pure-ftpd "Error in the pull function" with some clients

  • 0

I'm running Ubuntu 18.04 with pure-ftpd 1.0.46, configured as follows:

AltLog clf:/var/log/pure-ftpd/transfer.log
Daemonize yes
FSCharset UTF-8
PAMAuthentication no
TLS 1
VerboseLog yes
ChrootEveryone yes
DisplayDotFiles yes
MinUID 30 
PassivePortRange 12000 13000
TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
CustomerProof yes
ForcePassiveIP 185.73.xx.xx
NoAnonymous yes
PureDB /etc/pure-ftpd/pureftpd.pdb
UnixAuthentication no

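The passive port range (TCP) is open on the firewall, and our ISP confirms there is no NATing or other network configuration upstream.

Using (for example) the GNU ftp client, the server accepts plain FTP without problems in tests from outside our network.

However, we have had reports that some clients cannot connect, with various errors such as timeouts. A test at https://ftptest.net confirms the following (in explicit TLS mode, but also in other modes):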

Command: CLNT https://ftptest.net on behalf of 88.202.156.157
Reply: 530 You aren't logged in
Command: AUTH TLS
Reply: 234 AUTH TLS OK.
Status: Performing TLS handshake...
Status: TLS handshake successful, verifying certificate...
Status: Received 1 certificates from server.

Status: cert[0]: [cert info here]
Command: USER oddjob
Error: Could not read from socket: Error in the pull function.

Does anyone know where to start diagnosing this?

EDIT

In implicit mode, the error from ftptest looks like this:

Status: Connecting to 2001:ba8:0:xxxxx
Status: Connected, performing TLS handshake...
Error: TLS handshake failed: An unexpected TLS packet was received.
ftp
  • 1 answer
  • 400 Views
TommyPeanuts
Asked: 2019-07-29 01:47:42 +0800 CST

Apache ProxyRemote does nothing

  • 0

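On an Ubuntu Server 18.04 machine running Apache 2.4, I want to pass all of Apache's outgoing requests to a forward proxy so that some URLs can be filtered out for security reasons (using Tinyproxy).

It seems that Apache's ProxyRemote directive in my vhost config should do this, so I used the following: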

ProxyRequests Off
ProxyRemote * http://localhost:8888

I also tried adding environment variables to /etc/environment, like this:

http_proxy="http://localhost:8888/"
https_proxy="http://localhost:8888/"

I can then see other applications now using the proxy, for example (from Tinyproxy's log):

CONNECT   Jul 28 17:26:58 [2318]: Request (file descriptor 7): CONNECT api.snapcraft.io:443 HTTP/1.1
CONNECT   Jul 28 17:26:58 [2315]: Request (file descriptor 7): CONNECT api.snapcraft.io:443 HTTP/1.1

But not Apache. It still passes all outbound requests directly to ports 80 and 443. How can I get Apache to use the proxy?


EDIT: I've just seen this duplicate question on Stack Overflow, so I think I'm trying to do the right thing. But how?

security
  • 1 answer
  • 1399 Views
TommyPeanuts
Asked: 2019-05-13 08:40:40 +0800 CST

duplicity "CollectionsError: No backup chains found"

  • 2

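I'm using duplicity 0.7.06 to make backups, and 0.7.17 to restore the duplicity backup. But I get the error "No backup chains found" when trying to restore a directory from it.

I'm not sure what that error means.

The backup was made like this (and without errors):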

duplicity --no-encryption --full-if-older-than 10D /path/to/dir s3+http://my-s3-bucket/duplicity/dir

I can see the duplicity archives if I list them:

~$ s3cmd ls s3://my-s3-bucket/duplicity/dir/
2019-05-12 15:51     19505   s3://my-s3-bucket/duplicity/dir/duplicity-full-signatures.20190512T155147Z.sigtar.gz
2019-05-12 15:51       724   s3://my-s3-bucket/duplicity/dir/duplicity-full.20190512T155147Z.manifest
2019-05-12 15:51    728333   s3://my-s3-bucket/duplicity/dir/duplicity-full.20190512T155147Z.vol1.difftar.gz

I'm trying to restore it like this:

duplicity --file-to-restore path/to/dir s3+http://my-s3-bucket/duplicity /home/restored/dir

The error I get is:

duplicity 0.7.17 (February 26, 2018)
Args: /usr/bin/duplicity --file-to-restore path/to/dir s3+http://my-s3-bucket/duplicity /home/restored/dir
Linux machinename 4.15.0-48-generic #51-Ubuntu SMP Wed Apr 3 08:28:49 UTC 2019 x86_64 x86_64
/usr/bin/python2 2.7.15rc1 (default, Nov 12 2018, 14:31:15) 
[GCC 7.3.0]
================================================================================
Using temporary directory /tmp/duplicity-Zu29z3-tempdir
Temp has 30699757568 available, backup will use approx 272629760.
Local and Remote metadata are synchronized, no sync needed.
Last full backup date: none
Traceback (innermost last):
  File "/usr/bin/duplicity", line 1555, in <module>
    with_tempdir(main)
  File "/usr/bin/duplicity", line 1541, in with_tempdir
    fn()
  File "/usr/bin/duplicity", line 1393, in main
    do_backup(action)
  File "/usr/bin/duplicity", line 1472, in do_backup
    restore(col_stats)
  File "/usr/bin/duplicity", line 728, in restore
    restore_get_patched_rop_iter(col_stats)):
  File "/usr/bin/duplicity", line 750, in restore_get_patched_rop_iter
    backup_chain = col_stats.get_backup_chain_at_time(time)
  File "/usr/lib/python2.7/dist-packages/duplicity/collections.py", line 974, in get_backup_chain_at_time
    raise CollectionsError("No backup chains found")
 CollectionsError: No backup chains found
backup-restoration
  • 2 answers
  • 1580 Views
TommyPeanuts
Asked: 2019-03-25 01:53:16 +0800 CST

iptables egress firewall not working for IPv6

  • 0

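I have a server running Ubuntu 16.04 whose applications only need outgoing connections for package updates and NTP time sync. For this it has a dynamic IPv6 address on a separate network interface. All other connections go over the LAN on another interface, which has no gateway to the WAN.

I want to secure this machine by disallowing any outgoing connections other than package updates and NTP time sync.

However, when I try the following rules, nothing is blocked: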

ip6tables -A OUTPUT -o lo -p all -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 -j ACCEPT
ip6tables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -p udp -m owner --uid-owner systemd-timesync -j ACCEPT
ip6tables -A OUTPUT -p tcp --dport 53 -j ACCEPT
ip6tables -A OUTPUT -p udp --dport 53 -j ACCEPT

while read p; do
        ip6tables -A OUTPUT -d $p -j ACCEPT
done < firewall/hosts-to-allow.list

ip6tables -A OUTPUT -o ens18 -j REJECT

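Note that incoming icmpv6 requests are allowed, but all other incoming ports are blocked.

Note that in a previous state of this question, I mistakenly dropped all packets first after logging them.


The rules as applied are as follows: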

Chain INPUT (policy ACCEPT 70 packets, 126K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all      *      lo      ::/0                 ::/0                
    8   536 ACCEPT     icmpv6    *      *       ::/0                 ::/0                
   67  6405 ACCEPT     all      *      *       ::/0                 ::/0                 state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:53
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                 udp dpt:53
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                 owner UID match 100
    0     0 ACCEPT     tcp      *      *       ::/0                 2001:67c:1560:8001::14 
    0     0 ACCEPT     tcp      *      *       ::/0                 2001:67c:1360:8001::17 
    0     0 ACCEPT     tcp      *      *       ::/0                 2001:67c:1360:8001::21 
    0     0 ACCEPT     tcp      *      *       ::/0                 2001:67c:1560:8001::11 
    0     0 ACCEPT     udp      *      *       ::/0                 2001:67c:1560:8001::14 
    0     0 ACCEPT     udp      *      *       ::/0                 2001:67c:1360:8001::17 
    0     0 ACCEPT     udp      *      *       ::/0                 2001:67c:1360:8001::21 
    0     0 ACCEPT     udp      *      *       ::/0                 2001:67c:1560:8001::11 
    0     0 ACCEPT     tcp      *      *       ::/0                 2001:67c:1562::19   
    0     0 ACCEPT     tcp      *      *       ::/0                 2001:67c:1560:8001::14 
    0     0 ACCEPT     tcp      *      *       ::/0                 2001:67c:1562::16   
    0     0 ACCEPT     tcp      *      *       ::/0                 2001:67c:1360:8001::21 
    0     0 ACCEPT     tcp      *      *       ::/0                 2001:67c:1360:8001::17 
    0     0 ACCEPT     tcp      *      *       ::/0                 2001:67c:1560:8001::11 
    0     0 ACCEPT     udp      *      *       ::/0                 2001:67c:1562::19   
    0     0 ACCEPT     udp      *      *       ::/0                 2001:67c:1560:8001::14 
    0     0 ACCEPT     udp      *      *       ::/0                 2001:67c:1562::16   
    0     0 ACCEPT     udp      *      *       ::/0                 2001:67c:1360:8001::21 
    0     0 ACCEPT     udp      *      *       ::/0                 2001:67c:1360:8001::17 
    0     0 ACCEPT     udp      *      *       ::/0                 2001:67c:1560:8001::11 
    0     0 REJECT     all      *      ens18   ::/0                 ::/0                 reject-with icmp6-port-unreachable

Chain LOGGING (0 references)
 pkts bytes target     prot opt in     out     source               destination  
iptables
  • 1 answer
  • 237 Views
TommyPeanuts
Asked: 2018-10-29 14:50:06 +0800 CST

How to restore a subdirectory of a duplicity backup?

  • 0

I have a duplicity backup script running under Ubuntu 18.04 which backs up the contents of my /etc directory like this:

duplicity --archive-dir=/home/bkp/.cache /etc rsync://backup.host::/bkp/etc

I now want to restore the /etc/postfix directory from it. But when I try to restore it using:

duplicity restore rsync://backup.host::/bkp/etc/postfix ./postfix.restored

It says:

rsync: change_dir "/etc/postfix" (in bkp) failed: No such file or directory (2)

If I do duplicity list-current-files on the /etc backup I can see that it is there. I can't see anything about this in the man page, though.

directory
  • 1 answer
  • 2318 Views
TommyPeanuts
Asked: 2016-02-28 03:08:14 +0800 CST

How to tell which disk files a KVM guest is using?

  • 0

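I have an Ubuntu guest running under KVM which has several partitions of the same size, each using a different virtio RAW disk file on the host.

How can I tell which partition on the guest is using which file on the host?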

linux
  • 2 answers
  • 480 Views
TommyPeanuts
Asked: 2015-12-14 01:05:36 +0800 CST

find -delete works fine, but not from cron

  • 11

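Please note: I have read all the similar questions about cron, paths, environment variables and so on, but haven't found anything that solves my particular problem.


I have a script that does some MySQL dumps and then deletes old dumps like this: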

/usr/bin/find "/home/bkp/dbdump" -name "*.gz" -mtime +5 -delete

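(The above command has been modified from my original one as suggested in the comments)

However, when cron runs this script, the files are never deleted. The cron user is root.

Debugging notes

  • If I manually run the script in which the command appears, it deletes them as expected.

  • If I run the above find command on its own from the command line as root, it deletes them as expected (and with -print it returns a list of files older than 5 days, as expected).

  • I also added an explicit PATH statement to root's crontab, but this
    didn't change anything.

  • Cron sends no errors, and if I pipe the find operation to a log file,
    the file is either empty or not created at all.

  • I'm using Ubuntu Server 14.04.03 LTS.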

cron
  • 4 answers
  • 14179 Views
TommyPeanuts
Asked: 2015-10-29 08:07:43 +0800 CST

Dovecot not creating /var/spool/postfix/private/auth

  • 3

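I'm moving an Ubuntu 14.04 postfix mail installation from one machine to another. The current setup works well with Ubuntu's default postfix and dovecot settings, so users can use SMTP auth etc.

So I copied the relevant config files to the new machine (also running Ubuntu 14.04) and started postfix there after making the necessary DNS changes.

But I get this in the new machine's mail log:

Oct 28 14:18:50 lorina postfix/smtpd[13445]: warning: SASL: Connect to private/auth failed: No such file or directory
Oct 28 14:18:50 lorina postfix/smtpd[13445]: fatal: no SASL authentication mechanisms
Oct 28 14:18:51 lorina postfix/master[13440]: warning: process /usr/lib/postfix/smtpd pid 13445 exit status 1
Oct 28 14:18:51 lorina postfix/master[13440]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling

Postfix is set to use the following: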

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

In the dovecot config I have:

  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }

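However, I see that /var/spool/postfix/private/auth does not exist on the new machine.

I have tried rebooting the machine in case any services weren't working properly. When does this file get made? How can I get it created?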

postfix
  • 2 answers
  • 8530 Views
