Google Compute Dovecot 上的 Ubuntu 18.04 + postfix
我認為我應該能夠連接到 465/587 以外的端口,並且由於我可以通過 google 中繼所有電子郵件,因此對於電子郵件伺服器來說,這種方法應該沒有問題。 Google 也表示他們設置了允許連接到 465/587 的設置,所以我應該沒有任何問題
當我嘗試遠端登入到我有 postfix 監聽的 2 個連接埠時(5001 和 8080,8080 僅用於測試),這就是我在 tcpdump 中得到的
21:42:02.843771 IP h***-***-***-***.wtfrwi.dsl.dynamic.tds.net.46208 > mailserv1.c.enterprise-210914.internal.urd: Flags [S], seq 1961371525, win 29200, options [mss 1460,sackOK,TS val 240062507 ecr 0,nop,wscale 7], length 0
21:42:02.843831 IP mailserv1.c.enterprise-210914.internal.urd > h***.***.***.***.wtfrwi.dsl.dynamic.tds.net.46208: Flags [R.], seq 0, ack 1961371526, win 0, length 0
mail.log 在任一連接埠上均未顯示任何 smtp 連線訊息
伺服器可以很好地發送電子郵件,只需連接到該伺服器的其他應用程式透過中繼發送電子郵件即可
大師.cf
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
#587 inet n - y - - smtpd
8080 inet n - y - - smtpd
#smtps inet n - n - - smtpd
5001 inet n - n - - smtpd
#smtp inet n - y - 1 postscreen
#smtpd pass - - y - - smtpd
#dnsblog unix - - y - 0 dnsblog
#tlsproxy unix - - y - 0 tlsproxy
#submission inet n - y - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_tls_auth_only=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - n - - smtpd
5001 inet n - n - - smtpd
# -o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
#628 inet n - y - - qmqpd
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
-o syslog_name=postfix/$service_name
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}
主文件
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = webserver.com
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2
# TLS parameters
#smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
#smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
#smtpd_use_tls=yes
#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
### https://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/ ### Guide for below
smtpd_tls_cert_file=/etc/letsencrypt/live/webserver.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/webserver.com/privkey.pem
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtp_tls_security_level = may
smtp_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = webserver.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost
relayhost = [smtp-relay.gmail.com]:587
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
# Force ehlo behavior
smtp_always_send_ehlo = yes
smtp_helo_name = webserver.com
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
local_recipient_maps = $virtual_mailbox_maps
inet_interfaces 設定為僅環回,將其變更為 all 允許我透過 telnet 成功連接到連接埠。嘗試在該連接埠連接到我的伺服器現在逾時。
ss -l 的輸出
udp UNCONN 37632 0 127.0.0.53%lo:domain 0.0.0.0:*
udp UNCONN 0 0 10.128.0.2%ens4:bootpc 0.0.0.0:*
udp UNCONN 0 0 127.0.0.1:323 0.0.0.0:*
udp UNCONN 0 0 [::1]:323 [::]:*
tcp LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:*
tcp LISTEN 0 100 0.0.0.0:imaps 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:5572 0.0.0.0:*
tcp LISTEN 0 100 127.0.0.1:smtp 0.0.0.0:*
tcp LISTEN 0 80 127.0.0.1:mysql 0.0.0.0:*
tcp LISTEN 0 100 127.0.0.1:http-alt 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.53%lo:domain 0.0.0.0:*
tcp LISTEN 0 128 [::]:ssh [::]:*
tcp LISTEN 0 128 *:https *:*
tcp LISTEN 0 100 [::]:imaps [::]:*
tcp LISTEN 0 128 *:http *:*
netstat -lpn -A inet
root@mail:~# netstat -lpn -A inet
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1060/sshd
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 573/dovecot
tcp 0 0 127.0.0.1:5572 0.0.0.0:* LISTEN 623/rclone
tcp 0 0 127.0.0.1:5001 0.0.0.0:* LISTEN 954/master
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 703/mysqld
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 954/master
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 424/systemd-resolve
udp 40704 0 127.0.0.53:53 0.0.0.0:* 424/systemd-resolve
udp 0 0 10.128.0.2:68 0.0.0.0:* 405/systemd-network
udp 0 0 127.0.0.1:323 0.0.0.0:* 628/chronyd
iptables
root@mail:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
sshguard all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain sshguard (1 references)
target prot opt source destination
UFW未安裝
我還可以執行“telnet localhost 8080 或 5001”並且能夠連接,這最初讓我認為這是防火牆問題。儘管在我的 telnet 或 nmap 測試中看到 tcpdump 從外部世界接收到封包讓我認為防火牆不是問題。
雖然這是 google VPC 網路防火牆,但我確實有規則允許 465,587,5001,8080 用於 tcp 和 udp。我可以透過進入特定的防火牆規則來查看哪些實例受到該規則的影響來確認它是否會影響實例。這是利用 smtp 標籤來完成的,以供參考。防火牆規則如下
allow-smtp
Description
smtp ports
Network
default
Priority
1000
Direction
Ingress
Action on match
Allow
Targets
Target tags
smtp
Source filters
IP ranges
0.0.0.0/0
Protocols and ports
tcp:587
udp:587
tcp:465
udp:465
tcp:5001
udp:5001
tcp:8080
udp:8080
Enforcement
Enabled
Applicable to instances
Name Internal IP Tags Service accounts Project Network details
mailserv1 10.128.0.2 http-server, https-server,
任何幫助將不勝感激。看到傳入的資料包告訴我連接埠是開放的,儘管 telnet 和 nmap 說連接埠已被阻止。
看來 ack 封包無法返回,在這種情況下,我認為可能需要靜態路由,儘管我還沒有成功。感謝您的任何幫助。
編輯
將“inet_interfaces”更改為 all,允許我從外部世界遠端登入並驗證連接埠是否開啟。
現在,當透過 Outlook 連接到我的伺服器時,我收到 SSL_accept 錯誤。
編輯2
最後一個問題只是由於使用自動作為安全類型而不是 ssl/tls。這已解決
答案1
您的偵聽器僅偵聽來自本機的連線。
tcp 0 0 127.0.0.1:5001 0.0.0.0:* LISTEN 954/master
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 954/master
這是因為 Postfix 已被專門設定為僅偵聽本地連線。
inet_interfaces = loopback-only
要解決該問題,請告訴 Postfix 接受外部連線。
inet_interfaces = all