How do I prevent unauthorized mail from being sent from my mail server?

I have a Postfix server that serves several domains, with SPF, DMARC and DKIM correctly set up and tested many times, so no spoofing is going on. However, despite my best efforts at tuning the Postfix configuration, outgoing spam such as the following still regularly slips out of the server:

Aug  5 08:37:38 mail postfix/error[9631]: BC96418C10: to=<[email protected]>, relay=none, delay=161913, delays=161238/676/0/0.04, dsn=4.4.2, status=deferred (delivery temporarily suspended: conversation with mx1.comcast.net[96.114.157.80] timed out while receiving the initial server greeting)
Aug  5 10:07:45 mail postfix/error[31924]: BC96418C10: to=<[email protected]>, relay=none, delay=167320, delays=166039/1281/0/0.04, dsn=4.4.3, status=deferred (delivery temporarily suspended: Host or domain name not found. Name service error for name=comcast.net type=MX: Host not found, try again)
Aug  5 11:23:43 mail postfix/error[18751]: BC96418C10: to=<[email protected]>, relay=none, delay=171878, delays=171438/440/0/0.12, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx2.comcast.net[2001:558:fe21:2a::6]:25: Network is unreachable)
Aug  5 12:54:11 mail postfix/error[8920]: BC96418C10: to=<[email protected]>, relay=none, delay=177306, delays=175938/1367/0/0.06, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx1.comcast.net[2001:558:fe16:1b::15]:25: Network is unreachable)
Aug  5 14:07:22 mail postfix/error[27186]: BC96418C10: to=<[email protected]>, relay=none, delay=181697, delays=181338/359/0/0.03, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx2.comcast.net[2001:558:fe21:2a::6]:25: Network is unreachable)

Here are some Postfix settings that may be relevant:

virtual_alias_maps = hash:/etc/postfix/virtual
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = encrypt
smtp_tls_security_level = may
mailbox_size_limit = 0
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /ssl/ssl.key
smtpd_tls_CAfile = /ssl/ssl.ca
smtpd_tls_cert_file = /ssl/ssl.crt
smtp_use_tls = yes
smtpd_soft_error_limit = 5
smtpd_hard_error_limit = 10
milter_default_action = accept
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
smtpd_helo_required = yes
smtpd_sasl_auth_enable = yes

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination

smtpd_recipient_restrictions = permit_sasl_authenticated reject_unauth_destination check_policy_service unix:/var/spool/postfix/postgrey/socket permit_inet_interfaces

smtpd_sender_restrictions = reject_unknown_sender_domain,
    check_sender_access hash:/etc/postfix/access

All legitimate email accounts are listed in /etc/postfix/virtual, and ideally only they should be able to send; nobody else should. In addition, I have added all the IP addresses of the hosts that actually host these domains to the mynetworks = setting, so they should be able to send mail through this mail server.

So if I set:

smtpd_relay_restrictions = permit_mynetworks, reject

then the spam is effectively blocked. But in that case legitimate users cannot connect to their mail accounts from an email client program (e.g. on a phone). So I have to relax the above rule a little:

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination

Can anyone give me the correct directions on how to allow legitimate users to use this mail server while preventing all other parties from sending anything from it?

Edit #1:

Thanks to anx's pointer I took a further step; here is the metadata extracted with the postcat -vq 3825218E12 command. The message ID is different, but the problem is the same:

postcat: name_mask: all
postcat: inet_addr_local: configured 2 IPv4 addresses
postcat: inet_addr_local: configured 2 IPv6 addresses
*** ENVELOPE RECORDS deferred/3/3825218E12 ***
message_size:            8340             682               1               0            8340
message_arrival_time: Thu Aug 12 18:31:08 2021
create_time: Thu Aug 12 18:31:08 2021
named_attribute: log_ident=3825218E12
named_attribute: rewrite_context=remote
named_attribute: sasl_method=LOGIN
named_attribute: sasl_username=root
sender: [email protected]
named_attribute: log_client_name=unknown
named_attribute: log_client_address=93.122.252.5
named_attribute: log_client_port=8529
named_attribute: log_message_origin=unknown[93.122.252.5]
named_attribute: log_helo_name=213.233.88.90
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=unknown
named_attribute: reverse_client_name=unknown
named_attribute: client_address=93.122.252.5
named_attribute: client_port=8529
named_attribute: helo_name=213.233.88.90
named_attribute: protocol_name=ESMTP
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
recipient: [email protected]
pointer_record:               0
*** MESSAGE CONTENTS deferred/3/3825218E12 ***
regular_text: Received: from 213.233.88.90 (unknown [93.122.252.5])
regular_text:   by mail.mydomain.tld (Postfix) with ESMTPSA id 3825218E12
regular_text:   for <[email protected]>; Thu, 12 Aug 2021 18:31:08 +0000 (UTC)
pointer_record:            9682
regular_text: DKIM-Filter: OpenDKIM Filter v2.11.0 mail.mydomain.tld 3825218E12
pointer_record:            9043
regular_text: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=thebriefguy.com;
regular_text:   s=default; t=1628793068;
regular_text:   bh=2YMB5PSTO3RHAXFabkN43xdUCrxjEQOw0Xw/uLJ1zX8=;
regular_text:   h=From:To:Subject:Date:From;
regular_text:   b=edi8WNplYs2gx/aYmKl9vbY1OE3jfVZ284faDviyICbDTm51y5CgBXg3QzcSHuaL6
regular_text:    PsxGqHaqqXnF32EsA0UnqQ2q71Z8DVeEnQVp1njnqA3ECE3hiWj8UUeobRClZw7eEP
regular_text:    z2PK95dI6kfHlCcBnEgJph2pr5ilxDv4Brl9s02s7Q/2ikwHHGWh+8Gwr24CQfnBJK
regular_text:    lXrkBZVgmi65/6b6kVxmto+3oqV9avsd/9ja+CcMRs7+CsKjeHz7GA/9P3yB24/fNT
regular_text:    sAjWFvQA14zkcEjFpPmZFm/6ZjLkf0pi53vx+JamwdB5C4KzhDSKkgX6rXNYYwMu+o
regular_text:    jcADLvrnBCDtQ==
regular_text: Message-ID: <[email protected]>
pointer_record:             936
regular_text: From: Xfinity <[email protected]>
regular_text: To: [email protected]
regular_text: Subject: Important Update
regular_text: Date: Thu, 12 Aug 2021 11:31:06 -0700
regular_text: Organization: Xfinity
regular_text: MIME-Version: 1.0
regular_text: Content-Type: text/html; charset="utf-8"
regular_text: Content-Transfer-Encoding: quoted-printable
pointer_record:               0
regular_text:

I am concerned about these particular lines:

named_attribute: sasl_method=LOGIN
named_attribute: sasl_username=root

I have changed root's password:

saslpasswd2 root

However, I am not sure how to interpret the output above, nor exactly how they were able to log in as root. The mail server was newly configured and I had never touched the SASL user root before, so I wonder whether it comes with some kind of default password that always needs to be changed? I also wonder whether the steps taken are sufficient to resolve the problem, or whether further steps are recommended?

Edit #2:

Here is the output of the command postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
default_destination_concurrency_limit = 1
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = all
initial_destination_concurrency = 1
mail_owner = postfix
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
milter_default_action = accept
mydestination = mail.mydomain.tld, mail, localhost
mydomain = mydomain.tld
myhostname = mail.mydomain.tld
mynetworks = REDACTED IP ADDRESS BLOCKS
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = inet:localhost:8891
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sender_bcc_maps = hash:/etc/postfix/bcc
sender_dependent_default_transport_maps = hash:/etc/postfix/dependent
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_hard_error_limit = 10
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname check_helo_access hash:/etc/postfix/helo_access
smtpd_milters = inet:localhost:8891
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_non_fqdn_hostname reject_non_fqdn_sender reject_non_fqdn_recipient reject_unauth_destination reject_unauth_pipelining reject_invalid_hostname reject_unknown_reverse_client_hostname reject_rbl_client bl.spamcop.net reject_rhsbl_helo dbl.spamhaus.org reject_rhsbl_reverse_client dbl.spamhaus.org reject_rhsbl_sender dbl.spamhaus.org reject_rbl_client zen.spamhaus.org permit_dnswl_client swl.spamhaus.org
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject_rbl_client sbl.spamhaus.org permit
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = permit_mynetworks permit_sasl_authenticated reject_unknown_sender_domain, check_sender_access hash:/etc/postfix/access reject_unknown_reverse_client_hostname reject_unknown_client_hostname
smtpd_soft_error_limit = 5
smtpd_tls_CAfile = /ssl/ssl.ca
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /ssl/ssl.crt
smtpd_tls_key_file = /ssl/ssl.key
smtpd_tls_security_level = encrypt
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual

Here is the output of postconf -M:

smtp       inet  n       -       n       -       -       smtpd -o smtpd_sasl_auth_enable=yes -o smtpd_tls_security_level=may
pickup     unix  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
submission inet  n       -       n       -       -       smtpd -o smtpd_sasl_auth_enable=yes -o smtpd_tls_security_level=may
smtps      inet  n       -       n       -       -       smtpd -o smtpd_sasl_auth_enable=yes -o smtpd_tls_security_level=may -o smtpd_tls_wrappermode=yes

Answer 1

From anything you have posted it is not obvious why your server tried to relay this message, but your next steps should be:

Find the source of this message. That hexadecimal code (BC96418C10), called the queue ID, is the keyword to search for in the logs to see who submitted this message to your server. You should also use postcat to display the message and its associated metadata.

Both of these should help clarify when and how this message arrived at your server, and whether you have an abusive user, compromised user credentials, a hole in your restriction set - or a completely compromised server.


Now regarding your update: root as the username used to authenticate to the mail system is somewhat odd. But unless someone has tampered with it, these are the SASL credentials that were used to submit this message to your server:

named_attribute: sasl_method=LOGIN
named_attribute: sasl_username=root

By looking at your postfix configuration (try postconf -n and postconf -M), it may become clearer which program accepts that login (cyrus? dovecot?) and where to look to disable that user. You may want to gather information about the SASL user database and post a new question about that part.

If the system's root user does indeed have a password and it was used to send mail... it may also have been used to log in to the server. On many systems the root user has no password set, and a password should not be a valid mechanism for obtaining a remote shell anyway, so there is a chance this compromise is limited to mail.
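The triage the answer describes (find the queue ID, run postcat, check which SASL account and client submitted the message) can be automated over the envelope records. The following is an added example, not code from the question or the answer: it parses the named_attribute lines of a postcat -vq dump and flags the signs visible in the question's own dump. The sample dump is constructed from the one in the question, and the set of allowed account names is an assumption standing in for the accounts in /etc/postfix/virtual.

```python
import re
from typing import Dict, List, Set

# Constructed sample: an abridged postcat -vq envelope dump modelled on the one
# in the question. "[email protected]" is the question's redacted placeholder.
SAMPLE_POSTCAT = """\
*** ENVELOPE RECORDS deferred/3/3825218E12 ***
named_attribute: log_ident=3825218E12
named_attribute: rewrite_context=remote
named_attribute: sasl_method=LOGIN
named_attribute: sasl_username=root
sender: [email protected]
named_attribute: client_name=unknown
named_attribute: client_address=93.122.252.5
named_attribute: helo_name=213.233.88.90
*** MESSAGE CONTENTS deferred/3/3825218E12 ***
regular_text: From: Xfinity <[email protected]>
"""

ATTR_RE = re.compile(r"^named_attribute:\s*(\w+)=(.*)$")
QUEUE_RE = re.compile(r"^\*\*\* ENVELOPE RECORDS \S+/(\w+) \*\*\*$")
IP_HELO_RE = re.compile(r"^\[?\d{1,3}(\.\d{1,3}){3}\]?$")


def parse_envelope(text: str) -> Dict[str, str]:
    """Collect the envelope records of a postcat dump into a flat dict."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith("*** MESSAGE CONTENTS"):
            break  # headers and body follow; only the envelope is needed here
        m = QUEUE_RE.match(line)
        if m:
            env["queue_id"] = m.group(1)
            continue
        m = ATTR_RE.match(line)
        if m:
            env[m.group(1)] = m.group(2).strip()
        elif line.startswith("sender:"):
            env["sender"] = line.split(":", 1)[1].strip()
    return env


def triage(env: Dict[str, str], allowed_users: Set[str]) -> List[str]:
    """Return the reasons an authenticated submission looks like abuse."""
    findings: List[str] = []
    user = env.get("sasl_username")
    if user and user not in allowed_users:   # e.g. "root" in the question
        findings.append(f"SASL login as unexpected account '{user}'")
    if env.get("client_name") == "unknown":  # submitting host has no reverse DNS
        findings.append("submitting client has no reverse DNS")
    helo = env.get("helo_name", "")
    if IP_HELO_RE.match(helo):               # real mail clients send a hostname
        findings.append(f"HELO is a bare IP address ({helo})")
    return findings
```

Run it over the output of postcat -vq for each suspicious queue ID; a non-empty findings list points at the credential or client to disable.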
