Firewall does not stop relay attempts from reaching Postfix

I have a CentOS-based VPS managed with Webmin, and every so often I receive a few hundred e-mails like this:

From: MAILER-DAEMON@mail.<redacted>.com
To: postmaster@<redacted>.com
Subject: Postfix SMTP server: errors from unknown[20.229.210.160]

Transcript of session follows.

 Out: 220 mail.<redacted>.com ESMTP Postfix
 In:  EHLO yupk81.domain
 Out: 250-mail.<redacted>.com
 Out: 250-PIPELINING
 Out: 250-SIZE 30720000
 Out: 250-VRFY
 Out: 250-ETRN
 Out: 250-STARTTLS
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  STARTTLS
 Out: 454 4.7.0 TLS not available due to local problem
 Out: 421 4.4.2 mail.<redacted>.com Error: timeout exceeded

Session aborted, reason: timeout

For other details, see the local mail log file.

Here are the log entries that I believe relate to one such e-mail:

Jun 10 19:20:46 fla postfix/qmgr[931]: 9CFCD40033: removed
Jun 10 19:21:54 fla postfix/submission/smtpd[29389]: connect from unknown[20.229.210.160]
Jun 10 19:21:54 fla postfix/submission/smtpd[29389]: warning: connect to Milter service inet:127.0.0.1:8891: Connection refused
Jun 10 19:22:07 fla postfix/submission/smtpd[29551]: timeout after STARTTLS from unknown[20.229.210.160]
Jun 10 19:22:07 fla postfix/cleanup[30329]: E0A0840033: message-id=<20220610232207.E0A0840033@mail.<redacted>.com>
Jun 10 19:22:07 fla postfix/qmgr[931]: E0A0840033: from=<double-bounce@mail.<redacted>.com>, size=914, nrcpt=1 (queue active)
Jun 10 19:22:07 fla postfix/submission/smtpd[29551]: disconnect from unknown[20.229.210.160]
Jun 10 19:22:09 fla postfix/smtp[30336]: E0A0840033: to=<my_personal_email>, orig_to=<postmaster>, relay=mail.<redacted>.com [<IP address redacted>]:25, delay=2, delays=0.01/0/0.76/1.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4LKcS06tJyz9vNQY)
Jun 10 19:22:09 fla postfix/qmgr[931]: E0A0840033: removed
Jun 10 19:22:18 fla postfix/postfix-script[30470]: warning: not owned by root: /etc/postfix/dump
Jun 10 19:22:18 fla postfix/postfix-script[30471]: warning: not owned by root: /etc/postfix/dump.txt

I set up the Linux iptables firewall to drop packets from the IP address above, but Postfix keeps sending me these e-mails from the postmaster account, so the attempts are still reaching Postfix. This is driving me crazy. Isn't the firewall supposed to block traffic originating from that IP address? Why isn't it doing its job?

Thanks!

Edit 2022-06-10 21:25 - added the iptables rules here (not sure why the dates listed in the file are all from 2015, since it shows the changes I made today):

# Generated by iptables-save v1.4.21 on Sat Nov 28 22:24:57 2015
*security
:INPUT ACCEPT [28036:5505542]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [27892:10681911]
COMMIT
# Completed on Sat Nov 28 22:24:57 2015
# Generated by iptables-save v1.4.21 on Sat Nov 28 22:24:57 2015
*raw
:PREROUTING ACCEPT [28036:5505542]
:OUTPUT ACCEPT [27892:10681911]
COMMIT
# Completed on Sat Nov 28 22:24:57 2015
# Generated by iptables-save v1.4.21 on Sat Nov 28 22:24:57 2015
*nat
:PREROUTING ACCEPT [1490:86220]
:INPUT ACCEPT [1490:86220]
:OUTPUT ACCEPT [4732:332455]
:POSTROUTING ACCEPT [4732:332455]
COMMIT
# Completed on Sat Nov 28 22:24:57 2015
# Generated by iptables-save v1.4.21 on Sat Nov 28 22:24:57 2015
*mangle
:PREROUTING ACCEPT [28036:5505542]
:INPUT ACCEPT [28036:5505542]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [27892:10681911]
:POSTROUTING ACCEPT [27892:10681911]
COMMIT
# Completed on Sat Nov 28 22:24:57 2015
# Generated by iptables-save v1.4.21 on Sat Nov 28 22:24:57 2015
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Drop packets from 31.210.20.235
-A INPUT -s 20.229.210.160 -j DROP
-A INPUT -i eth0 -j LOG  --log-prefix "BANDWIDTH_IN:" --log-level 7
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m state -m icmp --icmp-type 8 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 22 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 25 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 80 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 443 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o eth0 -j LOG  --log-prefix "BANDWIDTH_OUT:" --log-level 7
-A FORWARD -i eth0 -j LOG  --log-prefix "BANDWIDTH_IN:" --log-level 7
-A FORWARD -m limit --limit 5/min -j LOG  --log-prefix "iptables_FORWARD_denied: " --log-level 7
-A OUTPUT -o eth0 -j LOG  --log-prefix "BANDWIDTH_OUT:" --log-level 7
-A INPUT -m limit --limit 5/min -j LOG  --log-prefix "iptables_INPUT_denied: " --log-level 7
-A INPUT -p tcp -m tcp -m state --dport 587 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 465 --state NEW -j ACCEPT
# test
-A INPUT
COMMIT
# Completed on Sat Nov 28 22:24:57 2015

Edit 2022-06-10 22:05 - /var/log/maillog after stopping and restarting Postfix:

Jun 10 22:03:23 fla postfix/postfix-script[4257]: stopping the Postfix mail system
Jun 10 22:03:23 fla postfix/master[3818]: terminating on signal 15
Jun 10 22:03:24 fla postfix/postfix-script[4321]: warning: not owned by root: /etc/postfix/dump
Jun 10 22:03:24 fla postfix/postfix-script[4322]: warning: not owned by root: /etc/postfix/dump.txt
Jun 10 22:03:24 fla postfix/postfix-script[4323]: warning: not owned by root: /etc/postfix/<redacted>.pem
Jun 10 22:03:24 fla postfix/postqueue[4341]: warning: Mail system is down -- accessing queue directly
Jun 10 22:03:36 fla dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=<redacted_ip_address>, lip=<redacted_ip_address>, session=<itN0diLhLABqS77J>
Jun 10 22:04:00 fla postfix/postfix-script[4488]: warning: not owned by root: /etc/postfix/dump
Jun 10 22:04:00 fla postfix/postfix-script[4489]: warning: not owned by root: /etc/postfix/dump.txt
Jun 10 22:04:00 fla postfix/postfix-script[4490]: warning: not owned by root: /etc/postfix/<redacted>.pem
Jun 10 22:04:00 fla postfix/postfix-script[4507]: starting the Postfix mail system
Jun 10 22:04:00 fla postfix/master[4509]: daemon started -- version 2.10.1, configuration /etc/postfix
Jun 10 22:04:01 fla postfix/postfix-script[4567]: warning: not owned by root: /etc/postfix/dump
Jun 10 22:04:01 fla postfix/postfix-script[4568]: warning: not owned by root: /etc/postfix/dump.txt
Jun 10 22:04:01 fla postfix/postfix-script[4569]: warning: not owned by root: /etc/postfix/<redacted>.pem

Answer 1

  1. You have configured a milter but have failed to make sure it is running and reachable; Postfix complains that it cannot connect: connect to Milter service inet:127.0.0.1:8891: Connection refused. This could also be a firewall misconfiguration on your part, if the connection to the milter is subject to packet filtering.

  2. You have no rule restricting which IPs may access your submission service. This is probably because you mistakenly restricted access only to the first SMTP port (25) and missed the other ports on which you expose other SMTP services (most likely 465 and/or 587).

  3. You have chosen to receive error notifications at the postmaster mailbox, but seem to be focusing on the connection attempts. I would not worry as much about someone connecting (and, as usual, being denied service for lack of authorization) as I would worry that this attempt happened to be the occasion on which Postfix noticed a configuration problem. This may be a separate problem (from 1.) in your Postfix configuration that is logged at startup. Restart Postfix and read the logs.
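
An added example, not from the question or either answer: it parses a copy of the INPUT rules from the iptables-save dump posted above (the rule text only; the comment above the DROP rule names a different address than the rule itself), reads a few constructed maillog lines in the question's format, maps each Postfix service name to its port (assuming the stock master.cf ports 25, 587 and 465), and walks the chain rule by rule the way the kernel would, reporting which rule a NEW TCP connection from that source would hit. If the saved rules would drop a source that nevertheless shows up in "connect from" lines, the saved file and the ruleset actually loaded in the kernel differ, and comparing with the live output of iptables -S INPUT on the host is the next check. The simulator also shows which rule lets other sources reach the submission port, the point raised in item 2.

```python
"""Cross-check Postfix 'connect from' log lines against a saved iptables INPUT chain."""
from ipaddress import ip_address, ip_network
import re
import shlex
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed copy of the INPUT rules from the iptables-save dump above, in chain order.
SAVED_RULES = """\
-A INPUT -s 20.229.210.160 -j DROP
-A INPUT -i eth0 -j LOG  --log-prefix "BANDWIDTH_IN:" --log-level 7
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m state -m icmp --icmp-type 8 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 22 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 25 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 80 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 443 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG  --log-prefix "iptables_INPUT_denied: " --log-level 7
-A INPUT -p tcp -m tcp -m state --dport 587 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 465 --state NEW -j ACCEPT
-A INPUT
"""

# Constructed maillog lines in the question's format (the second client address is made up).
MAILLOG = """\
Jun 10 19:21:54 fla postfix/submission/smtpd[29389]: connect from unknown[20.229.210.160]
Jun 10 19:21:54 fla postfix/submission/smtpd[29389]: warning: connect to Milter service inet:127.0.0.1:8891: Connection refused
Jun 10 19:22:07 fla postfix/submission/smtpd[29551]: timeout after STARTTLS from unknown[20.229.210.160]
Jun 10 19:30:12 fla postfix/smtpd[29600]: connect from mx.example.net[192.0.2.10]
"""

# Assumed: service names from a stock master.cf and the TCP ports they listen on.
SERVICE_PORT = {"smtpd": 25, "submission/smtpd": 587, "smtps/smtpd": 465}

# Targets that end the walk through the chain; LOG and a bare counting rule do not.
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
VALUE_OPTS = {"-s", "-i", "-p", "-m", "-j", "--dport", "--state", "--limit",
              "--log-prefix", "--log-level", "--icmp-type"}


class Rule(NamedTuple):
    src: Optional[str]            # -s network; None means any source
    iface: Optional[str]          # -i interface
    proto: Optional[str]          # -p protocol
    dport: Optional[int]          # --dport
    states: Optional[frozenset]   # --state values
    target: Optional[str]         # -j target


class Packet(NamedTuple):
    src: str
    iface: str
    proto: str
    dport: int
    state: str


def parse_rules(text: str) -> List[Rule]:
    """Parse the '-A INPUT ...' lines of iptables-save output; every other line is ignored."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("-A INPUT"):
            continue
        toks = shlex.split(line)[2:]
        opts: Dict[str, str] = {}
        i = 0
        while i < len(toks):
            if toks[i] in VALUE_OPTS and i + 1 < len(toks):
                if toks[i] != "-m":          # -m only loads a match module, it matches nothing
                    opts[toks[i]] = toks[i + 1]
                i += 2
            else:
                i += 1
        states = opts.get("--state")
        rules.append(Rule(opts.get("-s"), opts.get("-i"), opts.get("-p"),
                          int(opts["--dport"]) if "--dport" in opts else None,
                          frozenset(states.split(",")) if states else None,
                          opts.get("-j")))
    return rules


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every match option the rule carries must hold; an absent option matches anything."""
    if rule.src and ip_address(pkt.src) not in ip_network(rule.src, strict=False):
        return False
    if rule.iface and rule.iface != pkt.iface:
        return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.states and pkt.state not in rule.states:
        return False
    return True


def walk_chain(rules: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> Tuple[str, Optional[int]]:
    """Return (verdict, 1-based number of the deciding rule, or None when the chain policy decides)."""
    for num, rule in enumerate(rules, 1):
        if rule_matches(rule, pkt) and rule.target in TERMINAL:
            return rule.target, num
    return policy, None


CONNECT_RE = re.compile(r"postfix/(?P<svc>[\w/]+)\[\d+\]: connect from \S+\[(?P<ip>[\d.]+)\]")


def audit(rules_text: str, log_text: str) -> Dict[Tuple[str, int], Tuple[str, Optional[int]]]:
    """For each 'connect from' line, simulate the NEW TCP packet that opened that session."""
    rules = parse_rules(rules_text)
    verdicts = {}
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if not m:
            continue
        port = SERVICE_PORT[m.group("svc")]
        pkt = Packet(m.group("ip"), "eth0", "tcp", port, "NEW")
        verdicts[(m.group("ip"), port)] = walk_chain(rules, pkt)
    return verdicts


if __name__ == "__main__":
    for (ip, port), (verdict, num) in audit(SAVED_RULES, MAILLOG).items():
        where = f"rule {num}" if num else "chain policy"
        hint = "  <- saved rules would drop this; compare with live `iptables -S INPUT`" if verdict == "DROP" else ""
        print(f"{ip}:{port} -> {verdict} by {where}{hint}")
```

Run as-is it reports that the connection logged from 20.229.210.160 on the submission port would be dropped by rule 1 of the saved file, while the made-up client on port 25 is accepted by rule 6. Note also the :INPUT ACCEPT policy in the dump: a NEW connection to a port that has no ACCEPT rule at all is still accepted by the policy, so the per-port ACCEPT rules restrict nothing on their own.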

Answer 2

It has been a while and, although I tried to provide the information asked for, nobody apart from user anx seemed to think my question was worth some help. I would have hoped that whoever voted it -1 would have had the courtesy to explain why, but that is moot now.

The problem of a few hundred bounces every so often continued, and today I ran into someone (their IP is 20.168.57.26) whose fingers I would happily chop off myself, trying to use my server as a relay many thousands of times, which caused me some other problems, so I brute-forced the problem by deleting the postmaster account from the system.
