正確的 postfix smtp 限制處理順序

正確的 postfix smtp 限制處理順序

我在 postfix 設定檔中有這個 smtp 限制:

smtpd_sender_restrictions = permit_sasl_authenticated, check_policy_service inet:127.0.0.1:10031,permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unauth_pipelining, reject_authenticated_sender_login_mismatch, reject_unknown_sender_domain

據我所知,如果permit_sasl_authenticated說特定用戶已通過身份驗證,那麼其餘限制不會被檢查?

如果我想確保並且permit_sasl_authenticatedcheck_policy_service inet:127.0.0.1:10031如果他們都說“是”,那麼電子郵件應該被傳遞,否則該怎麼辦?

實際上,我正在嘗試設定線索帶來者,但遇到了它所說的問題Sender address rejected,即使在寄件者透過 SASL 正確驗證之後也是如此。

這是我的postconf -n輸出:

append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
disable_vrfy_command = yes
inet_interfaces = 91.91.98.67, localhost
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
mydestination = mauth.fdomain.co.uk, localhost
myhostname = mauth.fdomain.co.uk
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relay_domains = mysql:/etc/postfix/relaydomains.cf
relayhost =
smtp_bind_address = 91.91.9.7
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = mysql:/etc/postfix/authsmtp.conf
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname Freezone Internet ESMTP
smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client bl.spamcop.net
smtpd_data_restrictions = permit_sasl_authenticated, reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_recipient_restrictions = permit_sasl_authenticated, check_policy_service inet:127.0.0.1:10031, permit_mynetworks, reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_sasl_authenticated, check_policy_service inet:127.0.0.1:10031,permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unauth_pipelining, reject_authenticated_sender_login_mismatch, reject_unknown_sender_domain
smtpd_tls_CAfile = /etc/postfix/ssl/freezonewc.ca
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/freezonewc.crt
smtpd_tls_key_file = /etc/postfix/ssl/freezonewc.key
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
transport_maps = mysql:/etc/postfix/transport.cf
unknown_local_recipient_reject_code = 450

答案1

說實話,你現在的限制有點亂。 postfix 使用者郵件清單通常建議收集smtpd_recipient_restrictions或下的所有限制smtpd_relay_restrictions(僅限 Postfix 2.10)。這樣做的原因是它增強了可讀性,並且與smtpd_delay_reject=yes.

此外,策略服務應該很少回覆接受/確定語句,而應該回覆「不知道」。因此,就您的情況而言,首先詢問保單服務,給它一個機會說“拒絕”,然後檢查 SASL 似乎是更好的方法,除非您的保單服務在某些情況下確實返回“正常”。

在不了解您的保單服務的確切性質或您的要求的情況下,我會從以下內容開始:

smtpd_relay_restrictions =
  # subject even authenticated users and trusted networks
  # to the policy check
  check_policy_service inet:127.0.0.1:10031
  permit_mynetworks
  reject_unknown_sender_domain
  permit_sasl_authenticated
  defer_unauth_destination

smtpd_recipient_restrictions =
  permit_mynetworks
  permit_sasl_authenticated
  # we exclude our networks and SASL authenticated users
  # from all further checks.
  # since I don't know if the policy service is relevant
  # for unauthenticated mail, I commented it out here
  # check_policy_service inet:127.0.0.1:10031
  warn_if_reject reject_non_fqdn_hostname
  warn_if_reject reject_non_fqdn_sender
  reject_invalid_hostname
  reject_unknown_sender_domain

smtpd_data_restrictions = reject_unauth_pipelining

請參閱我的配置片段中的註釋以了解一些注意事項。

答案2

據我所知,如果permit_sasl_authenticated表示特定使用者已通過身份驗證,則不會檢查其餘限制。

你是對的,但僅限於目前的 smtpd_xxx_restrictions

只需從 smtpd_sender_restrictions 中刪除 allowed_sasl_authenticated 並將所有驗證移至政策服務

smtpd_sender_restrictions = check_policy_service inet:127.0.0.1:10031, ...

將有以下選項可用

sasl_method
sasl_username
sasl_sender

如果沒有 SASL 身份驗證,這些屬性將為空。在邏輯層面上,它可能類似於以下內容

if [ policy_service_return_code == OK && sasl_username not empty ]
   return OK
else
   return REJECT

相關內容