出于让我想伤害自己的原因,我需要支持的应用程序能够使用任何域的“MAIL FROM”地址发送邮件。因为我无法进一步锁定应用程序,所以我希望 Postfix 健全性检查所有试图离开我的网络发往世界其他地方的邮件。
如果发件人地址为“example.com”,我只希望来自内部的邮件被允许发送出去。如果来自内部的邮件的发件人地址为“someotherdomain.com”,则应通过 Postfix 阻止该邮件。
澄清一下,如果该邮件具有我的域名之一的发件人地址,我该如何配置 Postfix 以仅允许来自我本地网络的邮件?
到目前为止,我想出如何做到这一点的唯一方法如下。但还有更简单的吗?
/etc/postfix/main.cf:
smtpd_restriction_classes =
external_sender_access
internal_sender_access
# Intended for mail originating from outside our networks
external_sender_access =
# Verify MAIL_FROM on incoming mail
check_sender_access hash:/etc/postfix/external_sender_access
# Allow all other incoming mail
permit
# Intended for mail originating from within our networks
internal_sender_access =
# Verify MAIL_FROM on outgoing mail
check_sender_access hash:/etc/postfix/internal_sender_access
# Block all other outbound mail
reject
# Restrictions applied in the context of the MAIL FROM command.
smtpd_sender_restrictions =
reject_non_fqdn_sender
reject_unknown_sender_domain
# Access rules for specific 'sender' data based upon client IP
check_client_access cidr:/etc/postfix/network_sender_access
permit
/etc/postfix/network_sender_access:
# Localhost
127.0.0.0/24 internal_sender_access
# Inside Networks
192.168.0.0/16 internal_sender_access
# Everything else
0.0.0.0/0 external_sender_access
/etc/postfix/internal_sender_access:
example.com OK
.example.com OK
/etc/postfix/external_sender_access:
example.com REJECT You're not from here!
.example.com REJECT You're not from here!
此配置的 postconf -n 输出:
alias_database = dbm:/etc/aliases
alias_maps = hash:/etc/aliases
biff = no
body_checks = pcre:/etc/postfix/body_checks
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
disable_vrfy_command = yes
external_sender_access = check_sender_access hash:/etc/postfix/external_sender_access permit
header_checks = pcre:/etc/postfix/header_checks
home_mailbox = Maildir/
inet_protocols = ipv4,ipv6
internal_sender_access = check_sender_access hash:/etc/postfix/internal_sender_access reject
local_header_rewrite_clients = permit_inet_interfaces,permit_mynetworks
mailbox_command = /usr/bin/procmail -t
mailbox_size_limit = 0
manpage_directory = /usr/share/man
minimal_backoff_time = 1800s
mydestination = $myorigin, $myhostname, localhost.$mydomain, localhost
mynetworks = /etc/postfix/local_networks
queue_directory = /data/postfix
recipient_delimiter = +
smtp_generic_maps = pcre:/etc/postfix/generic
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions = permit_mynetworks check_client_access hash:/etc/postfix/client_access permit
smtpd_data_restrictions = reject_unauth_pipelining reject_multi_recipient_bounce permit
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname reject_non_fqdn_helo_hostname permit_mynetworks check_client_access hash:/etc/postfix/client_access permit
smtpd_recipient_restrictions = permit_mynetworks check_client_access hash:/etc/postfix/rbl_override reject_rbl_client zen.spamhaus.org permit
smtpd_relay_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain regexp:/etc/postfix/regexp_access permit_mynetworks reject_unauth_destination reject_unlisted_recipient check_policy_service inet:127.0.0.1:10023 permit
smtpd_restriction_classes = external_sender_access internal_sender_access
smtpd_sender_restrictions = reject_non_fqdn_sender reject_unknown_sender_domain check_client_access cidr:/etc/postfix/network_sender_access permit
strict_rfc821_envelopes = yes
virtual_alias_domains = example.com
virtual_alias_maps = hash:/etc/postfix/virtual.d/example.com
编辑:以下是我尝试使用“reject_unlisted_sender”的替代配置。
当我尝试使用此配置时,发送的邮件“发件人:does_not_exist@example.com”会反弹(如预期的那样),但允许发送“发件人:blah@not_my_domain.com”的邮件没有问题,这正是我不想要的.
# Restrictions applied in the context of the MAIL FROM command.
smtpd_sender_restrictions =
reject_non_fqdn_sender
reject_unknown_sender_domain
check_client_access cidr:/etc/postfix/outgoing_senders
# Access rules for specific 'sender' data
check_sender_access hash:/etc/postfix/sender_access
permit
/etc/postfix/outgoing_senders:
192.168.0.0/16 reject_unlisted_sender, permit
/etc/postfix/sender_access:
example.com REJECT You're not from here!
.example.com REJECT You're not from here!
此配置的 postconf -n 输出:
alias_database = dbm:/etc/aliases
alias_maps = hash:/etc/aliases
biff = no
body_checks = pcre:/etc/postfix/body_checks
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
disable_vrfy_command = yes
header_checks = pcre:/etc/postfix/header_checks
home_mailbox = Maildir/
inet_protocols = ipv4,ipv6
local_header_rewrite_clients = permit_inet_interfaces,permit_mynetworks
mailbox_command = /usr/bin/procmail -t
mailbox_size_limit = 0
manpage_directory = /usr/share/man
minimal_backoff_time = 1800s
mydestination = $myorigin, $myhostname, localhost.$mydomain, localhost
mynetworks = /etc/postfix/local_networks
queue_directory = /data/postfix
recipient_delimiter = +
smtp_generic_maps = pcre:/etc/postfix/generic
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions = permit_mynetworks check_client_access hash:/etc/postfix/client_access permit
smtpd_data_restrictions = reject_unauth_pipelining reject_multi_recipient_bounce permit
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname reject_non_fqdn_helo_hostname permit_mynetworks check_client_access hash:/etc/postfix/client_access permit
smtpd_recipient_restrictions = permit_mynetworks check_client_access hash:/etc/postfix/rbl_override reject_rbl_client zen.spamhaus.org permit
smtpd_relay_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain regexp:/etc/postfix/regexp_access permit_mynetworks reject_unauth_destination reject_unlisted_recipient check_policy_service inet:127.0.0.1:10023 permit
smtpd_sender_restrictions = reject_non_fqdn_sender reject_unknown_sender_domain check_client_access cidr:/etc/postfix/outgoing_senders check_sender_access hash:/etc/postfix/sender_access permit
strict_rfc821_envelopes = yes
virtual_alias_domains = example.com
virtual_alias_maps = hash:/etc/postfix/virtual.d/example.com
是的,我认为。
创建一个新的Postscript正则表达式访问文件/etc/postfix/allowed_senders,例如:
/@microsoft.com$/ OK
/@bbc.co.uk$/ OK
/@abc.net.au$/ OK
// REJECT
用例如测试它postmap -q bill@microsoft.com regexp:/etc/postfix/allowed_senders。
通过添加行来使用它
smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/allowed_senders
到/etc/postfix/main.cf。
应该可以做到这一点。这对我有用,并且在这个问题日期之前的旧 Postfix 版本上有效,所以我认为我不依赖此后添加的任何内容。
我可以确认您在后缀中看到的内容是reject_unlisted_sender. 本文档页面清楚地说明了 postfix 拒绝您的电子邮件时的 4 个条件
- 发件人域与$mydestination、$inet_interfaces或$proxy_interfaces匹配,但发件人未在$local_recipient_maps中列出,并且$local_recipient_maps不为 null。
- 发件人域与$virtual_alias_domains匹配,但发件人未在$virtual_alias_maps中列出。
- 发件人域与$virtual_mailbox_domains匹配,但发件人未在$virtual_mailbox_maps中列出,并且$virtual_mailbox_maps不为 null。
- 发件人域与$relay_domains匹配,但发件人未在$relay_recipient_maps中列出,并且$relay_recipient_maps不为空。
当发件人地址不符合上述任何条件时,默认情况下postfix 将允许发送。
回到你原来的问题:到目前为止,我想出如何做到这一点的唯一方法如下。但还有更简单的吗?
不,您唯一的选择可能是 SMTPD 限制类别。对于其他解决方案,您可以使用任何策略服务器插件,例如 postfwd、policyd 等。
| 归档时间: |
|
| 查看次数: |
8793 次 |
| 最近记录: |