我的郵件伺服器配置相當嚴格,有時來自合法伺服器的傳入郵件會被拒絕,因為遠端有設定問題,常見的一個是 HELO 主機名稱。
我有一個來自義大利最重要的電力公司 ENEL 的具體範例,該公司顯然會發送帶有無法解析的 HELO 主機名稱的交易電子郵件:
Feb 20 18:31:10 MYHOST postfix/smtpd[1748649]: NOQUEUE: reject: RCPT from mxrelay6.enel.com[146.133.127.102]: 450 4.7.1 <smtprelay.enel.com>: Helo command rejected: Host not found; from=<[email protected]> to=<MY CLIENT EMAIL> proto=ESMTP helo=<smtprelay.enel.com>
我正在嘗試將其列入白名單,smtp 伺服器的 IP 或主機名稱似乎是合乎邏輯的步驟(我觀察到了兩個,但我可以使用正規表示式)。無論如何,我目前無法做到這一點,我嘗試的任何方法都不起作用,而且這些電子郵件總是被拒絕。 (我還有其他類似的案例)。
##
# Helo restrictions
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
permit_mynetworks,
warn_if_reject check_helo_access hash:/etc/postfix/helo_whitelist,
warn_if_reject reject_invalid_hostname,
warn_if_reject reject_unknown_hostname,
warn_if_reject reject_non_fqdn_helo_hostname,
warn_if_reject reject_unknown_helo_hostname,
warn_if_reject reject_invalid_helo_hostname,
permit
##
# Sender restrictions
smtpd_sender_restrictions =
permit_mynetworks,
check_client_access hash:/etc/postfix/sender_whitelist,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_unknown_address,
reject_unknown_reverse_client_hostname,
reject_unknown_client_hostname,
permit
##
# Recipient restrictions
smtpd_recipient_restrictions =
permit_mynetworks,
reject_unauth_pipelining,
reject_unauth_destination,
reject_invalid_hostname,
reject_unknown_hostname,
reject_unknown_reverse_client_hostname,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_non_fqdn_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
check_sender_access hash:/etc/postfix/sender_access,
#check_client_access hash:/etc/postfix/rbl_whitelist,
check_policy_service unix:private/policyd-spf,
#check_client_access hash:/etc/postfix/rbl_override
reject_rhsbl_helo dbl.spamhaus.org,
reject_rhsbl_reverse_client dbl.spamhaus.org,
reject_rhsbl_sender dbl.spamhaus.org,
reject_rbl_client zen.spamhaus.org,
#reject_rbl_client cbl.abuseat.org
#reject_rbl_client b.barracudacentral.org,
#reject_rbl_client bl.spamcop.net,
#reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],
#reject_rbl_client b.barracudacentral.org=127.0.0.[2..11],
#check_policy_service unix:/var/spool/postfix/postgrey/socket,
permit
smtpd_relay_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination
##
# Data restrictions
smtpd_data_restrictions =
reject_unauth_pipelining,
permit
helo_白名單
mxrelay7.enel.com OK
mxrelay6.enel.com OK
我嘗試將實際的 HELO 主機名稱放入 helo_whitelist 中smtprelay.enel.com,但它不起作用。我在文件中也看到使用 PERMIT 而不是 OK,但查看偵錯訊息(我使用 debug_peer_list),看起來它不正確。
透過調試,我可以看到拒絕發生在收件人地址限制中:
Feb 20 18:41:12 alice postfix/smtpd[1749156]: reject_invalid_hostname: smtprelay.enel.com
Feb 20 18:41:12 alice postfix/smtpd[1749156]: generic_checks: name=reject_invalid_hostname status=0
Feb 20 18:41:12 alice postfix/smtpd[1749156]: generic_checks: name=reject_unknown_hostname
Feb 20 18:41:12 alice postfix/smtpd[1749156]: reject_unknown_hostname: smtprelay.enel.com
Feb 20 18:41:12 alice postfix/smtpd[1749156]: lookup smtprelay.enel.com type A flags
Feb 20 18:41:12 alice postfix/smtpd[1749156]: dns_query: smtprelay.enel.com (A): Host not found
Feb 20 18:41:12 alice postfix/smtpd[1749156]: lookup smtprelay.enel.com type AAAA flags
Feb 20 18:41:12 alice postfix/smtpd[1749156]: dns_query: smtprelay.enel.com (AAAA): Host not found
Feb 20 18:41:12 alice postfix/smtpd[1749156]: lookup smtprelay.enel.com type MX flags
Feb 20 18:41:12 alice postfix/smtpd[1749156]: dns_query: smtprelay.enel.com (MX): Host not found
Feb 20 18:41:12 MYHOST postfix/smtpd[1749156]: NOQUEUE: reject: RCPT from mxrelay6.enel.com[146.133.127.102]: 450 4.7.1 <smtprelay.enel.com>: Helo command rejected: Host not found; from=<[email protected]> to=<MY CLIENT EMAIL> proto=ESMTP helo=<smtprelay.enel.com>
Feb 20 18:41:12 alice postfix/smtpd[1749156]: generic_checks: name=reject_unknown_hostname status=2
Feb 20 18:41:12 alice postfix/smtpd[1749156]: >>> END Recipient address RESTRICTIONS <<<
問題是為什麼 smtpd_recipient_restrictions 部分應該檢查 helo 主機名稱?或只是因為 smtpd_delay_reject 而延遲檢查?
基本上,我應該在哪裡以及如何放置列入白名單的 helo 訊息?
謝謝!
答案1
您可以刪除重複的reject_unknown_hostname/reject_unknown_hostname檢查,因為只要您保留 .helo/ehlo 限制,無論如何都會套用您的 helo/ehlo 限制smtpd_helo_required=yes。
然後將您的清單更改回來,無論使用 check_ 配置什麼直升機_access 需要包含直升機值 - 故意不允許使用(未經驗證的)主機名稱列入白名單。
順便說一句,這些是已棄用的別名,請始終使用當前的別名,以更清楚地說明正在檢查的內容:
reject_unknown_hostname => reject_unknown_helo_hostname
reject_invalid_hostname => reject_invalid_helo_hostname