Postfix / Dovecot problem, root login from unknown IPs


I have a problem with my Postfix or Dovecot configuration, or with both.
Everything works as expected, but in the logs I noticed that several different IPs are sending mail using the root account; they are trying from [email protected] [email protected]
I am on Debian 9 and I removed my root login credentials:

sudo passwd -d root

and disabled the account:

sudo passwd -l root

There is another account on the server, and I noticed that it was accessed as well! When I check auth.log there are no brute-force attempts. I run ssh on a different port, with keys, and iptables has a hitcount rule set on that port.

My Postfix version is 3.1.12, Dovecot is 2.2.27
Sample log from mail.log

Jan 20 18:37:50 vps22525 postfix/submission/smtpd[5026]: connect from unknown[122.228.19.79]
Jan 20 18:37:50 vps22525 postfix/submission/smtpd[5029]: connect from unknown[122.228.19.79]
Jan 20 18:37:50 vps22525 postfix/submission/smtpd[5026]: lost connection after CONNECT from unknown[122.228.19.79]
Jan 20 18:37:50 vps22525 postfix/submission/smtpd[5026]: disconnect from unknown[122.228.19.79] commands=0/0
Jan 20 18:37:51 vps22525 postfix/submission/smtpd[5029]: lost connection after UNKNOWN from unknown[122.228.19.79]
Jan 20 18:37:51 vps22525 postfix/submission/smtpd[5029]: disconnect from unknown[122.228.19.79] ehlo=1 unknown=0/1 commands=1/2
Jan 20 18:41:11 vps22525 postfix/anvil[5028]: statistics: max connection rate 2/60s for (submission:122.228.19.79) at Jan 20 18:37:50
Jan 20 18:41:11 vps22525 postfix/anvil[5028]: statistics: max connection count 2 for (submission:122.228.19.79) at Jan 20 18:37:50
Jan 20 18:41:11 vps22525 postfix/anvil[5028]: statistics: max cache size 1 at Jan 20 18:37:50
Jan 20 19:54:48 vps22525 postfix/smtpd[5172]: warning: hostname ip-38-56.ZervDNS does not resolve to address 92.118.38.56: Name or service not known
Jan 20 19:54:48 vps22525 postfix/smtpd[5172]: connect from unknown[92.118.38.56]
Jan 20 19:54:52 vps22525 postfix/smtpd[5172]: disconnect from unknown[92.118.38.56] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jan 20 19:58:12 vps22525 postfix/anvil[5174]: statistics: max connection rate 1/60s for (smtp:92.118.38.56) at Jan 20 19:54:48
Jan 20 19:58:12 vps22525 postfix/anvil[5174]: statistics: max connection count 1 for (smtp:92.118.38.56) at Jan 20 19:54:48
Jan 20 19:58:12 vps22525 postfix/anvil[5174]: statistics: max cache size 1 at Jan 20 19:54:48
Jan 20 21:24:32 vps22525 postfix/submission/smtpd[5303]: warning: hostname ip-178-112-68-164.static.contabo.net does not resolve to address 164.68.112.178: Name or service not known
Jan 20 21:24:32 vps22525 postfix/submission/smtpd[5303]: connect from unknown[164.68.112.178]
Jan 20 21:24:33 vps22525 postfix/submission/smtpd[5303]: SSL_accept error from unknown[164.68.112.178]: lost connection
Jan 20 21:24:33 vps22525 postfix/submission/smtpd[5303]: lost connection after STARTTLS from unknown[164.68.112.178]
Jan 20 21:24:33 vps22525 postfix/submission/smtpd[5303]: disconnect from unknown[164.68.112.178] ehlo=1 starttls=0/1 commands=1/2
Jan 20 21:25:08 vps22525 dovecot: imap-login: Aborted login (no auth attempts in 1 secs): user=<>, rip=122.228.19.79, lip=127.127.127.127, TLS, session=<NdzXP5ech3d65BNP>
Jan 20 21:27:53 vps22525 postfix/anvil[5305]: statistics: max connection rate 1/60s for (submission:164.68.112.178) at Jan 20 21:24:32
Jan 20 21:27:53 vps22525 postfix/anvil[5305]: statistics: max connection count 1 for (submission:164.68.112.178) at Jan 20 21:24:32
Jan 20 21:27:53 vps22525 postfix/anvil[5305]: statistics: max cache size 1 at Jan 20 21:24:32
Jan 21 00:00:03 vps22525 postfix/pickup[5421]: 2771B209A0: uid=0 from=<root>
Jan 21 00:00:03 vps22525 postfix/cleanup[5533]: 2771B209A0: message-id=<[email protected]>
Jan 21 00:00:03 vps22525 postfix/qmgr[1453]: 2771B209A0: from=<[email protected]>, size=1906, nrcpt=1 (queue active)
Jan 21 00:00:03 vps22525 postfix/local[5535]: 2771B209A0: to=<[email protected]>, orig_to=<root>, relay=local, delay=0.04, delays=0.02/0.01/0/0.01, dsn=5.2.0, status=bounced (maildir delivery failed: create maildir file /root/Mail$
Jan 21 00:00:03 vps22525 postfix/cleanup[5533]: 2DED5209A5: message-id=<[email protected]>
Jan 21 00:00:03 vps22525 postfix/qmgr[1453]: 2DED5209A5: from=<>, size=4037, nrcpt=1 (queue active)
Jan 21 00:00:03 vps22525 postfix/bounce[5536]: 2771B209A0: sender non-delivery notification: 2DED5209A5
Jan 21 00:00:03 vps22525 postfix/qmgr[1453]: 2771B209A0: removed
Jan 21 00:00:03 vps22525 postfix/local[5535]: 2DED5209A5: to=<[email protected]>, relay=local, delay=0, delays=0/0/0/0, dsn=5.2.0, status=bounced (maildir delivery failed: create maildir file /root/Maildir/tmp/1579557603.P5535.vps$
Jan 21 00:00:03 vps22525 postfix/qmgr[1453]: 2DED5209A5: removed
Jan 21 00:33:07 vps22525 postfix/submission/smtpd[5582]: warning: hostname zg-0911b-52.stretchoid.com does not resolve to address 159.203.193.36: Name or service not known
Jan 21 00:33:07 vps22525 postfix/submission/smtpd[5582]: connect from unknown[159.203.193.36]
Jan 21 00:33:07 vps22525 postfix/submission/smtpd[5582]: disconnect from unknown[159.203.193.36] ehlo=1 quit=1 commands=2
Jan 21 00:36:27 vps22525 postfix/anvil[5584]: statistics: max connection rate 1/60s for (submission:159.203.193.36) at Jan 21 00:33:07
Jan 21 00:36:27 vps22525 postfix/anvil[5584]: statistics: max connection count 1 for (submission:159.203.193.36) at Jan 21 00:33:07
Jan 21 00:36:27 vps22525 postfix/anvil[5584]: statistics: max cache size 1 at Jan 21 00:33:07
Jan 21 03:09:01 vps22525 postfix/pickup[5713]: 557E6201DE: uid=0 from=<root>
Jan 21 03:09:01 vps22525 postfix/cleanup[5847]: 557E6201DE: message-id=<[email protected]>
Jan 21 03:09:01 vps22525 postfix/qmgr[1453]: 557E6201DE: from=<[email protected]>, size=1048, nrcpt=1 (queue active)
Jan 21 03:09:01 vps22525 postfix/local[5849]: 557E6201DE: to=<[email protected]>, orig_to=<root>, relay=local, delay=0.05, delays=0.02/0.01/0/0.02, dsn=5.2.0, status=bounced (maildir delivery failed: create maildir file /root/Mail$
Jan 21 03:09:01 vps22525 postfix/cleanup[5847]: 5F945209B4: message-id=<[email protected]>
Jan 21 03:09:01 vps22525 postfix/qmgr[1453]: 5F945209B4: from=<>, size=3179, nrcpt=1 (queue active)
Jan 21 03:09:01 vps22525 postfix/bounce[5850]: 557E6201DE: sender non-delivery notification: 5F945209B4
Jan 21 03:09:01 vps22525 postfix/qmgr[1453]: 557E6201DE: removed
Jan 21 03:09:01 vps22525 postfix/local[5849]: 5F945209B4: to=<[email protected]>, relay=local, delay=0, delays=0/0/0/0, dsn=5.2.0, status=bounced (maildir delivery failed: create maildir file /root/Maildir/tmp/1579568941.P5849.vps$
Jan 21 03:09:01 vps22525 postfix/qmgr[1453]: 5F945209B4: removed

Postfix main.cf

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.mydomain.com/privkey.pem
smtpd_use_tls=yes
smtpd_tls_auth_only=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mail.mydomain.com
mydomain = mydomain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = $mydomain
masquerade_domains = $mydomain
mydestination = localhost.$mydomain, localhost, $mydomain
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
#mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
home_mailbox = Maildir/
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = check_recipient_access  hash:/etc/postfix/recipient_access reject_unknown_recipient_domain permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,reject_invalid_hostname,reject_non_fqdn_hostname,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_sender_domain,reject_rbl_client sbl.spamhaus.org,reject_rbl_client cbl.abuseat.org
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
virtual_alias_maps = hash:/etc/postfix/virtual
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_non_fqdn_helo_hostname,reject_invalid_helo_hostname,reject_unknown_helo_hostname
disable_vrfy_command = yes
smtpd_delay_reject = yes
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 5
smtpd_hard_error_limit = 10
smtpd_restriction_classes = mua_sender_restrictions,
    mua_client_restrictions,
    mua_helo_restrictions
mua_sender_restrictions = permit_sasl_authenticated, reject
mua_client_restrictions = permit_sasl_authenticated, reject
mua_helo_restrictions = permit_mynetworks,
    reject_non_fqdn_hostname,
    reject_invalid_hostname,
    permit

How can I prevent this from happening? What did I miss in my configuration?

EDIT

Thanks everyone for the help. As @Piotr P. Karwasz mentioned, it was the cron daemon...

Answer 1

They are trying to send mail through your mail system. But judging from the logs provided, the mail is not getting through. That is a good thing!
You normally do not want to relay mail for other domains, because such relays are mostly used by spammers and will usually get your mail server blacklisted. See https://en.wikipedia.org/wiki/Open_mail_relay for more.

In short, you can ignore this. Or, if you really want to, you can block them. See Google for more information.

Answer 2

These messages are generated locally by a running process:

Jan 21 00:00:03 vps22525 postfix/pickup[5421]: 2771B209A0: uid=0 from=<root>
Jan 21 00:00:03 vps22525 postfix/cleanup[5533]: 2771B209A0: message-id=<[email protected]>
Jan 21 00:00:03 vps22525 postfix/qmgr[1453]: 2771B209A0: from=<[email protected]>, size=1906, nrcpt=1 (queue active)
Jan 21 00:00:03 vps22525 postfix/local[5535]: 2771B209A0: to=<[email protected]>, orig_to=<root>, relay=local, delay=0.04, delays=0.02/0.01/0/0.01, dsn=5.2.0, status=bounced (maildir delivery failed: create maildir file /root/Mail$
Jan 21 00:00:03 vps22525 postfix/cleanup[5533]: 2DED5209A5: message-id=<[email protected]>
Jan 21 00:00:03 vps22525 postfix/qmgr[1453]: 2DED5209A5: from=<>, size=4037, nrcpt=1 (queue active)
Jan 21 00:00:03 vps22525 postfix/bounce[5536]: 2771B209A0: sender non-delivery notification: 2DED5209A5
Jan 21 00:00:03 vps22525 postfix/qmgr[1453]: 2771B209A0: removed
Jan 21 00:00:03 vps22525 postfix/local[5535]: 2DED5209A5: to=<[email protected]>, relay=local, delay=0, delays=0/0/0/0, dsn=5.2.0, status=bounced (maildir delivery failed: create maildir file /root/Maildir/tmp/1579557603.P5535.vps$
Jan 21 00:00:03 vps22525 postfix/qmgr[1453]: 2DED5209A5: removed

Probably the CRON daemon. The messages and the bounces fail to be delivered because there is no mailbox. Add an alias from root to your account in /etc/aliases in order to receive these e-mails.

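A small log-triage script for both answers above, added here as an example and not part of either answer or of Postfix itself. It runs over mail.log lines and separates three things: remote clients whose AUTH was rejected (Answer 1's point that nothing got through), remote clients that actually authenticated (the case that would be worth worrying about), and local pickup entries with uid=0 (Answer 2's cron case, which is not a login at all). The sample lines are constructed from the question's excerpt; the sasl_username line and the 203.0.113.9 address are invented to show what a real SASL login looks like in Postfix's log. The regexes are keyed on the Postfix log formats visible in the question.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the mail.log lines quoted in the question.
# The last line is an invented example of what a successful SASL login looks
# like in Postfix's log (client=..., sasl_method=..., sasl_username=...);
# 203.0.113.9 is a documentation address, not a real client.
SAMPLE_LOG = """\
Jan 20 19:54:48 vps22525 postfix/smtpd[5172]: connect from unknown[92.118.38.56]
Jan 20 19:54:52 vps22525 postfix/smtpd[5172]: disconnect from unknown[92.118.38.56] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jan 20 21:24:33 vps22525 postfix/submission/smtpd[5303]: disconnect from unknown[164.68.112.178] ehlo=1 starttls=0/1 commands=1/2
Jan 21 00:00:03 vps22525 postfix/pickup[5421]: 2771B209A0: uid=0 from=<root>
Jan 21 00:00:03 vps22525 postfix/local[5535]: 2771B209A0: to=<[email protected]>, orig_to=<root>, relay=local, dsn=5.2.0, status=bounced (maildir delivery failed)
Jan 21 00:00:04 vps22525 postfix/smtpd[5600]: 9ABC0209F0: client=unknown[203.0.113.9], sasl_method=PLAIN, sasl_username=alice
"""

# "disconnect from host[ip] ehlo=1 auth=0/1 ..." on smtpd or submission/smtpd
DISCONNECT_RE = re.compile(
    r"postfix/(?:\S+/)?smtpd\[\d+\]: disconnect from ([^\s\[]+)\[([\d.]+)\](.*)$"
)
# "postfix/pickup[pid]: QUEUEID: uid=0 from=<root>" = handed in locally via sendmail(1)
PICKUP_RE = re.compile(r"postfix/pickup\[\d+\]: ([0-9A-F]+): uid=(\d+) from=<([^>]*)>")
# a client that completed SASL authentication
SASL_RE = re.compile(r"client=[^\s\[]+\[([\d.]+)\], sasl_method=\S+, sasl_username=(\S+)")
COUNTER_RE = re.compile(r"(\w+)=(\d+(?:/\d+)?)")


def parse_counters(tail):
    """Turn 'ehlo=1 auth=0/1 commands=3/4' into {'ehlo': (1, 1), 'auth': (0, 1), ...}.
    Postfix logs a bare number when every attempt succeeded and
    succeeded/total when some were rejected."""
    counters = {}
    for key, value in COUNTER_RE.findall(tail):
        ok, _, total = value.partition("/")
        counters[key] = (int(ok), int(total or ok))
    return counters


def triage(log_text):
    """Classify mail.log lines into the three buckets a defender cares about."""
    failed_auth = defaultdict(int)   # remote IP -> rejected AUTH attempts
    authenticated = []               # (IP, username) that really logged in
    local_submissions = []           # (queue id, uid, sender) from pickup

    for line in log_text.splitlines():
        m = DISCONNECT_RE.search(line)
        if m:
            counters = parse_counters(m.group(3))
            if "auth" in counters:
                ok, total = counters["auth"]
                if total > ok:
                    failed_auth[m.group(2)] += total - ok
            continue
        m = SASL_RE.search(line)
        if m:
            authenticated.append((m.group(1), m.group(2)))
            continue
        m = PICKUP_RE.search(line)
        if m:
            local_submissions.append((m.group(1), int(m.group(2)), m.group(3)))

    return {
        "failed_auth": dict(failed_auth),
        "authenticated": authenticated,
        "local_submissions": local_submissions,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip, n in result["failed_auth"].items():
        print(f"remote {ip}: {n} rejected AUTH attempt(s), nothing relayed")
    for ip, user in result["authenticated"]:
        print(f"WARNING: {user} authenticated from {ip}; is that an expected client?")
    for qid, uid, sender in result["local_submissions"]:
        print(f"local pickup {qid}: uid={uid} from=<{sender}> (sendmail/cron, not a login)")
```

Run it against /var/log/mail.log instead of SAMPLE_LOG to get the same three buckets for a real day of traffic: an empty "authenticated" list plus only rejected AUTH counters is exactly the "nothing got through" situation Answer 1 describes, while uid=0 pickup entries are the local cron mail from Answer 2. For that second case, remember that /etc/aliases is compiled into the hash map named in alias_database, so run newaliases after adding the root alias.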