服务器通过 dovecot 的身份验证机制正确接受/拒绝登录,但之后我可以在发送电子邮件时假装是任何人。
smtpd_sender_login_maps = texthash:/etc/postfix/permmap
append_at_myorigin=no
smtpd_helo_restrictions =
permit_mynetworks,
reject_non_fqdn_helo_hostname,
reject_invalid_helo_hostname,
#reject_unknown_helo_hostname,
permit
smtpd_sender_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
reject_sender_login_mismatch,
# reject_non_fqdn_sender,
reject_unknown_sender_domain,
permit
smtpd_client_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_pipelining,
reject_rbl_client bl.spamcop.net,
reject_rbl_client zen.spamhaus.org,
permit
我使用这个站点进行测试,因为它很方便,而且 --verbose 向我展示了整个通信,除了消息正文。
这是通信日志,显然带有识别内容和密码审查
> EHLO localhost
[250] 'example.com'
[250] 'PIPELINING'
[250] 'SIZE 104857600'
[250] 'ETRN'
[250] 'AUTH PLAIN LOGIN'
[250] 'ENHANCEDSTATUSCODES'
[250] '8BITMIME'
[250] 'DSN'
AUTH method (PLAIN LOGIN): using LOGIN
> AUTH LOGIN
[334] 'VXNlcm5hbWU6'
> dXNlckFAdmlydHVhbGRvbWFpbkE=
[334] 'UGFzc3dvcmQ6'
> dGhlcGFzc3dvcmQ=
[235] '2.7.0 …