[Question title]: Postfix not rejecting manually blacklisted domain with check_sender_access configuration
[Posted]: 2017-07-24 03:24:43
[Question description]:

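I am running a Postfix server (2.9.6) on Ubuntu 12.04.05 LTS, and spam mails from a certain domain simply do not get rejected, despite an explicit check_client_access list that contains the domain in question. I tried the reject setting with a well-known mail server (gmx.net) in the same override file and it blocked incoming mail from that server as expected, but for some reason mail from example.com just goes through. I checked whether I had made a mistake and somehow whitelisted it, but I could not find anything like that.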

The complete blocking rule entries in main.cf are as follows:

smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
 permit_sasl_authenticated,
 reject_invalid_helo_hostname,
 reject_non_fqdn_helo_hostname,
 warn_if_reject reject_unknown_helo_hostname,
 regexp:/etc/postfix/override_helo_access.regexp
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated
smtpd_recipient_restrictions =
 permit_mynetworks,
 reject_sender_login_mismatch,
 permit_sasl_authenticated,
 check_client_access hash:/etc/postfix/override_client_access,
 check_sender_access hash:/etc/postfix/override_sender_access,
 reject_unlisted_sender,
 reject_non_fqdn_sender,
 reject_non_fqdn_recipient,
 reject_unknown_sender_domain,
 reject_unknown_recipient_domain,
 reject_unknown_reverse_client_hostname,
 reject_unknown_client_hostname,
 reject_unauth_pipelining,
 reject_unauth_destination

smtpd_client_restrictions and smtpd_sender_restrictions (another blacklist) seem to be handled by Plesk, so I did not make any changes there.

The override_client_access file looks like this (excerpt):

spamdomain.org REJECT
.spamdomain2.com REJECT
example.com REJECT
.example.com REJECT
spamdomain.net REJECT
12.12.12.12 REJECT

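I made sure that the example.com domain and any subdomains or their corresponding IP addresses have no accidental whitelist rules in this file.

The override_sender_access file only lists whitelisted email addresses: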

bla@foo.de OK
foo@bla.de OK
etc@etc.de OK

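This file lists only a few email addresses, all of which I checked, so it cannot be the cause of an accidental whitelisting.

Of course, after every update of these files I create new hash databases with the postmap override_sender_access and postmap override_client_access commands and then run postfix reload. As I already mentioned, I tested this setup by adding ".gmx.net REJECT" to the end of the override_client_access file and then sending mail from the gmx domain to my mail server, and the rejection worked as expected.

Here is the logfile snippet from when the latest spam mail came through a few hours ago; all the corresponding settings/files had not been changed for several days: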

Jul 24 00:39:35 postfix/smtpd[21873]: connect from mail.example.com[123.123.123.123]
Jul 24 00:39:36 postfix/smtpd[21873]: 0B6A7468A8E: client=mail.example.com[123.123.123.123]
Jul 24 00:39:36 postfix/cleanup[22020]: 0B6A7468A8E: message-id=<ublaqzk20871180.13462188@mail.example.com>
Jul 24 00:39:36 /usr/lib/plesk-9.0/psa-pc-remote[32672]: handlers_stderr: SKIP
Jul 24 00:39:36 /usr/lib/plesk-9.0/psa-pc-remote[32672]: SKIP during call 'limit-out' handler
Jul 24 00:39:36 /usr/lib/plesk-9.0/psa-pc-remote[32672]: handlers_stderr: SKIP
Jul 24 00:39:36 /usr/lib/plesk-9.0/psa-pc-remote[32672]: SKIP during call 'check-quota' handler
Jul 24 00:39:37 postfix/smtpd[21873]: disconnect from mail.example.com[123.123.123.123]
Jul 24 00:39:37 postfix/qmgr[13047]: 0B6A7468A8E: from=<spam@example.com>, size=362302, nrcpt=1 (queue active)
Jul 24 00:39:37 postfix-local[22026]: postfix-local: from=spam@example.com, to=myemail@address.com, dirname=/var/qmail/mailnames
Jul 24 00:39:39 spamc[22030]: skipped message, greater than max message size (256000 bytes)
Jul 24 00:39:39 dovecot: service=lda, user=myemail@address.com, ip=[]. msgid=<ublaqzk20871180.13462188@mail.example.com>: saved mail to INBOX
Jul 24 00:39:39 postfix/pipe[22025]: 0B6A7468A8E: to=<myemail@address.com>, relay=plesk_virtual, delay=3.4, delays=1.6/0.01/0/1.8, dsn=2.0.0, status=sent (delivered via plesk_virtual_service)
Jul 24 00:39:39 postfix/qmgr[13047]: 0B6A7468A8E: removed

Here is the complete postconf -n output, in case it helps to identify the problem:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases, hash:/var/spool/postfix/plesk/aliases
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 20h
config_directory = /etc/postfix
disable_vrfy_command = yes
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
mailman_destination_recipient_limit = 1
maximal_queue_lifetime = 1d
message_size_limit = 536870912
mydestination = localhost.isp.net, localhost, localhost.localdomain
myhostname = mydomain.com
mynetworks = , 127.0.0.0/8, [::1]/128
myorigin = /etc/mailname
non_smtpd_milters =
plesk_virtual_destination_recipient_limit = 1
readme_directory = no
recipient_delimiter = +
relayhost =
sender_dependent_default_transport_maps = hash:/var/spool/postfix/plesk/sdd_transport_maps
smtp_send_xforward_command = yes
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = no
smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_hard_error_limit = 3
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, warn_if_reject reject_unknown_helo_hostname, regexp:/etc/postfix/override_helo_access.regexp
smtpd_milters = inet:127.0.0.1:12768
smtpd_proxy_timeout = 3600s
smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/override_client_access, permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated, check_sender_access hash:/etc/postfix/override_sender_access, reject_unlisted_sender, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unknown_reverse_client_hostname, reject_unknown_client_hostname, reject_unauth_pipelining, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sender_login_maps = mysql:/etc/postfix/mysql_slmaps_exceptions.cf, hash:/var/spool/postfix/plesk/virtual
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated
smtpd_soft_error_limit = 2
smtpd_timeout = 3600s
smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
smtpd_tls_ciphers = medium
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = TLSv1 TLSv1.1 TLSv1.2
smtpd_tls_protocols = TLSv1 TLSv1.1 TLSv1.2
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
tls_medium_cipherlist = HIGH:!aNULL:!MD5
transport_maps = , hash:/var/spool/postfix/plesk/transport
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_gid_maps = static:31
virtual_mailbox_base = /var/qmail/mailnames
virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains
virtual_mailbox_limit = 0
virtual_mailbox_maps = , hash:/var/spool/postfix/plesk/vmailbox
virtual_transport = plesk_virtual
virtual_uid_maps = static:110

If anyone could point me in the right direction to solve this mystery, I would be very grateful!

[Question discussion]:

    Tags: postfix blacklist


    [Solution 1]:

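    It seems I simply had a misunderstanding about how the dot in my override_client_access list is interpreted. The documentation led me to believe that adding a dot in front of a domain would produce a block covering all subdomains, including the main domain, but that is not the case. I have now changed the format of the list to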

    example.com REJECT 
    .example.com REJECT
    example.net REJECT
    .example.net REJECT
    

    to make sure that all current and future versions of Postfix block the said domains, regardless of which subdomains (if any) they have.
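
Added example (not part of the original post, and not Postfix's own code): a simplified Python model of the lookup keys that access(5) documents for check_client_access against a hash: table, showing how parent_domain_matches_subdomains decides whether `example.com` or `.example.com` is consulted for a client such as mail.example.com. The function names and sample tables are constructed for illustration; the model is IPv4-only and assumes exact-key hash lookups.

```python
import ipaddress

# Constructed sample tables, modelled on the override_client_access excerpt.
DOT_ONLY = {".example.com": "REJECT"}
BOTH = {"example.com": "REJECT", ".example.com": "REJECT"}


def client_lookup_keys(hostname, address, parent_matches_subdomains=True):
    """Return the keys tried, in order, for one client (model of access(5)).

    parent_matches_subdomains=True models smtpd_access_maps being listed in
    parent_domain_matches_subdomains; False models it not being listed.
    """
    keys = []
    name = hostname.lower()
    while True:
        keys.append(name)
        dot = name.find(".", 1)  # next label boundary, skipping a leading dot
        if dot == -1:
            break
        # Listed: next key is the bare parent ("example.com").
        # Not listed: next key is the dotted parent (".example.com").
        name = name[dot + 1:] if parent_matches_subdomains else name[dot:]
    # Then the address, and networks made by stripping trailing octets.
    octets = str(ipaddress.IPv4Address(address)).split(".")
    for n in range(4, 0, -1):
        keys.append(".".join(octets[:n]))
    return keys


def first_match(table, hostname, address, parent_matches_subdomains=True):
    """Return (key, action) for the first key found in table, else (None, None)."""
    for key in client_lookup_keys(hostname, address, parent_matches_subdomains):
        if key in table:
            return key, table[key]
    return None, None


if __name__ == "__main__":
    for listed in (True, False):
        for label, table in (("dot only", DOT_ONLY), ("both forms", BOTH)):
            for host in ("mail.example.com", "example.com"):
                hit = first_match(table, host, "123.123.123.123", listed)
                print(f"listed={listed!s:5} {label:10} {host:17} -> {hit}")
```

On a live server, `postmap -q <key> hash:/etc/postfix/override_client_access` returns the action stored for one exact key, and `postconf parent_domain_matches_subdomains` shows which of the two modes applies.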
