海运的博客

Postfix过滤限制参数

发布时间:July 11, 2012 // 分类:Mail // No Comments

根据SMTP协议流程Postfix可在以下规则内对客户端信息进行限制:

#https://www.haiyun.me
smtpd_client_restrictions = 
#客户端连接后匹配登录IP、反向查询在此匹配
smtpd_helo_restrictions = 
#客户端连接后以HELO显示送信方主机名称在此限制。
smtpd_sender_restrictions = 
#寄件人名称限制
smtpd_recipient_restrictions = 
#收件人名称限制
smtpd_data_restrictions = 
#内容限制,分header_check和check_body

Postfix过滤限制规则:
1.客户端SMTP连接时过滤:

smtpd_client_restrictions = 
     check_client_access = type:map #检查匹配表操作
     reject_rbl_client = #针对IP黑名单
     reject_rhsbl_client = #针对IP黑名单
     reject_unknown_client #拒绝客户地址没有反解及对应A记录

2.HELO阶段过滤:

smtpd_helo_restrictions = 
     check_helo_access = type:map #检查匹配表操作
     permit_naked_ip_address #允许直接使用ip地址的连接
     reject_invalid_hostname #拒绝无效格式的主机名
     reject_unknown_hostname  #拒绝未知的主机名连接,即无有效A或MX记录
     reject_no_fqdn_hostname #拒绝主机名非FQDN格式

3.发件人过滤,可在此限制Postfix发件人欺骗

smtpd_sender_restrictions = 
     check_sender_access = type:map #检查匹配表操作
     reject_no_fqdn_sender #拒绝发件人非FQDN格式
     reject_rhsbl_sender = #发件人黑名单
     reject_unknown_sender_domain  #拒绝未知的发件人域,即无有效A或MX记录
     reject_sender_login_mismatch #拒绝登录用户与发件人不匹配

4.收件人过滤:

smtpd_recipient_restrictions = 
     check_recipient_access = type:map #检查匹配表操作
     permit_mynetworks      #mynetworks用户通过,匹配结束
     permit_sasl_authenticated  #sasl验证用户通过,匹配结束
     reject_unauth_destination #拒绝收件人非mydestination、relay_domains或virtual_alias_maps定义域邮件
     reject_no_fqdn_recipient  #拒绝收件人非FQDN格式
     reject_rhsbl_recipient = #收件人黑名单
     reject_unknown_recipient_domain  #拒绝未知的收件人域,即无有效A或MX记录

5.邮件内容过滤:

header_checks = pcre:/etc/postfix/header_checks
mime_header_checks = pcre:/etc/postfix/mime_header_checks
nested_header_checks = pcre:/etc/postfix/nested_header_checks
body_checks = pcre:/etc/postfix/body_checks

Postfix禁止转发伪造发件人邮件

发布时间:July 10, 2012 // 分类:Mail // No Comments

Postfix内网用户在转发邮件时可以任意填写发件人邮箱,给管理带来诸多不便,可以使用账号登录匹配发件人邮箱进行限制。
编辑Postfix配置文件:

#https://www.haiyun.me
cat /etc/postfix/main.cf
smtpd_sender_login_maps = hash:/etc/postfix/sasl_sender #用户与邮件账号匹配表
smtpd_sender_restrictions = 
      reject_sender_login_mismatch #拒绝发送邮件与登录用户不匹配的邮件
smtpd_recipient_restrictions =
#     permit_mynetworks,  #去除网络区域认证
      permit_sasl_authenticated #用户认证模式

新建用户与账号匹配表:

cat /etc/postfix/sasl_sender
root@www.haiyun.me       root

生成hash数据库:

postmap /etc/postfix/sasl_sender

伪造发件人发送邮件测试:

sendEmail -v -f test@www.haiyun.me -t mail@www.haiyun.me -s smtp.www.haiyun.me -u "test" -m "测试sendemail" -xu root -xp passwd
Feb 29 11:08:00 centos5 sendEmail[21973]: DEBUG => Connecting to smtp.www.haiyun.me:25
Feb 29 11:08:01 centos5 sendEmail[21973]: DEBUG => My IP address is: 192.168.1.3
Feb 29 11:08:01 centos5 sendEmail[21973]: SUCCESS => Received:     220 mail.www.haiyun.me ESMTP "ONOVPS Mail Server"
Feb 29 11:08:01 centos5 sendEmail[21973]: INFO => Sending:     EHLO centos5.7-x86
Feb 29 11:08:01 centos5 sendEmail[21973]: DEBUG => SMTP-AUTH: Using LOGIN authentication method
Feb 29 11:08:01 centos5 sendEmail[21973]: INFO => Sending:     AUTH LOGIN
Feb 29 11:08:01 centos5 sendEmail[21973]: SUCCESS => Received:     235 2.0.0 Authentication successful
Feb 29 11:08:01 centos5 sendEmail[21973]: DEBUG => User authentication was successful (Method: LOGIN)
Feb 29 11:08:01 centos5 sendEmail[21973]: INFO => Sending:     MAIL FROM:<test@www.haiyun.me>
Feb 29 11:08:01 centos5 sendEmail[21973]: SUCCESS => Received:     250 2.1.0 Ok
Feb 29 11:08:01 centos5 sendEmail[21973]: INFO => Sending:     RCPT TO:<mail@www.haiyun.me>
Feb 29 11:08:01 centos5 sendEmail[21973]: WARNING => The recipient <mail@www.haiyun.me> was rejected by the mail server, error follows:
Feb 29 11:08:01 centos5 sendEmail[21973]: WARNING => Received:     553 5.7.1 <test@www.haiyun.me>: Sender address rejected: not owned by user root
Feb 29 11:08:01 centos5 sendEmail[21973]: ERROR => Exiting. No recipients were accepted for delivery by the mail server.

Postfix/dovecot配置SMTP/IMAP SSL加密连接

发布时间:July 10, 2012 // 分类:Mail,OpenSSL // No Comments

首先生成SSL证书,如需SSL证书认证可先生成证书请求文件再转交CA认证。
Postfix配置SSL:

#https://www.haiyun.me
cat /etc/postfix/main.cf
#smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/CA/private/server.key
smtpd_tls_cert_file = /etc/postfix/CA/certs/server.crt
smtpd_tls_CAfile = /etc/postfix/CA/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

开启Postfix服务器SMTPS端口监听:

cat /etc/postfix/master.cf
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

测试SMTP SSL是否生效:

openssl s_client -connect smtp.haiyun.me:smtps
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 65424E5937C2EE0453E796BA179DF8F8D92A523FAD5F170CFE11A64E5A0441D3
    Session-ID-ctx: 
    Master-Key: 43EC9C65F8215B3304C62A4E860116D6CA58BFE732514F5B31EC67196D993F43A19E837CA9BD48D6008A06874ED83BB0
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1341366288
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
220 mail.www.haiyun.me ESMTP Postfix
quit
221 2.0.0 Bye

Dovecot配置SSL:

cat /etc/dovecot/conf.d/10-ssl.conf
ssl = yes
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem

测试IMAP/POP SSL是否生效:

openssl s_client -connect smtp..haiyun.me:imaps
openssl s_client -connect smtp..haiyun.me:pops
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: A6CD69E16438BB8CBEA7ABCDF74F1BDC844E00C4C7A3B2446FB87E230788D4A5
    Session-ID-ctx: 
    Master-Key: D6135140AC6BAD1AABFD85CE1A28FA66387B60CF6E6744B0F3BDCEFB82F6B7EA4FF28461E6A007DC03B91787C50CDFE0
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1341363344
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
* OK Dovecot ready.

用Telnet发送/接收邮件、测试Mail服务器

发布时间:July 9, 2012 // 分类:Mail // No Comments

Telnet连接SMTP服务器发送邮件:

telnet mail.haiyun.me 25
Trying 192.168.1.2...
Connected to smtp.haiyun.me (192.168.1.2).
Escape character is '^]'.
220 mail.www.haiyun.me ESMTP Postfix
mail from:mail@haiyun.me #发件人
250 2.1.0 Ok
rcpt to:test@haiyun.me #收件人
250 2.1.5 Ok
data #输入数据
354 End data with <CR><LF>.<CR><LF>
test mail #邮件内容
. #输入结束
250 2.0.0 Ok: queued as 6239437EA2C
quit #退出
221 2.0.0 Bye

Telnet连接POP服务器接收邮件:

telnet mail.haiyun.me 110
+OK Dovecot ready.
user test #用户
+OK
pass passwd #密码
+OK Logged in.
list #列出当前邮件
+OK 2 messages:
1 972
2 466
.
retr 2 #查看编号2邮件
+OK 466 octets
Return-Path: <mail@haiyun.me>
X-Original-To: test@haiyun.me
Delivered-To: test@haiyun.me
Received: from (test.haiyun.me [192.168.1.3])
    by mail.haiyun.me (Postfix) with SMTP id 6239437EA2C
    for <test@haiyun.me>; Wed,  4 Jul 2012 12:56:45 +0800 (CST)
Message-Id: <20120704045706.6239437EA2C@mail.haiyun.me>
Date: Wed,  4 Jul 2012 12:56:45 +0800 (CST)
From: mail@haiyun.me
To: undisclosed-recipients:;

test mail
.
quit
+OK Logging out.

Telnet连接IMAP服务器接收邮件:

telnet mail.haiyun.me 143
* OK Dovecot ready.
A01 LOGIN test passwd #登入用户、密码
A01 OK Logged in.
A02 LIST "" * #列出信箱列表    
* LIST (\HasNoChildren) "." "INBOX"
A02 OK List completed.
A03 Select "INBOX"  #选择信箱    
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
* 2 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1341377220] UIDs valid
* OK [UIDNEXT 3] Predicted next UID
A03 OK [READ-WRITE] Select completed.
A04 Search ALL #查询所有邮件
* SEARCH 1 2
A04 OK Search completed.
A05 Fetch 2 full #获取邮件2内容
* 2 FETCH (FLAGS (\Seen) INTERNALDATE "04-Jul-2012 12:57:25 +0800" RFC822.SIZE 466 ENVELOPE ("Wed, 4 Jul 2012 12:56:45 +0800 (CST)" NIL ((NIL NIL "404344922" "qq.com")) ((NIL NIL "404344922" "qq.com")) ((NIL NIL "404344922" "qq.com")) ((NIL NIL "undisclosed-recipients" NIL)(NIL NIL "" "MISSING_DOMAIN")(NIL NIL NIL NIL)) NIL NIL NIL "<20120704045706.6239437EA2C@mail.www.haiyun.me>") BODY ("text" "plain" ("charset" "us-ascii") NIL NIL "7bit" 11 1))
A05 OK Fetch completed.
A06 logout #登出
* BYE Logging out
A06 OK Logout completed.

Centos安装配置Postfix邮件服务器

发布时间:July 6, 2012 // 分类:Mail // No Comments

在安装邮件服务器之前先了解几个名词,以后会用到:

MUA:用户代理端,即用户使用的写信、收信客户端软件
MTA:邮件传送端,即常说的邮件服务器,用于转发、收取用户邮件。
MDA:邮件代理端,相当于MUA和MTA的中间人,可用于过滤垃圾邮件。
POP:邮局协议,用于MUA连接服务器收取用户邮件,通信端口110。
IMOP:互联网应用协议,功能较POP多,通信端口143。
SMTP:简单邮件传送协议,MUA连接MTA或MTA连接MTA发送邮件使用此协议,通信端口25。

本次配置MTA以Postfix为例,较sendmail简单、安全,且兼容于sendmail。
Postfi安装:

yum install postfix
yum remove sendmail
/etc/init.d/postfix start

Postfix主配置设定:

cat /etc/postfix/main.cf
myhostname = mail.haiyun.me #Mail服务器域名,EHLO名称。
mydomain = www.haiyun.me #
myorigin = $mydomain #发信地址,此设置显示为@www.haiyun.me。 
inet_interfaces = all #如对外提供MTA服务设置为监听所有网卡,默认只监听本地。
inet_protocols = all #支持协议,可选IPV4/IPV6。
mydestination = $mydomain $myhostname #本地邮件域名,直接接收
mynetworks_style = subnet #允许转发的来源网段,可选subnet子网,class网段,host本机
mynetworks = 192.168.1.0/24,127.0.0.0/8 #允许转发的来源IP,设置后忽略mynetworks_style参数
relay_domains = $mydestination #允许转发的目标域
smtpd_banner = $myhostname ESMTP "Mail Server" #自定服务器信息

Postfix允许接收或发送邮件的条件:

接收邮件:
目的地为$inet_interfaces的邮件;
目的地为$mydestination或$vitual_alias_maps的邮件。
转发邮件:
来源客户端符合$mynetworks的邮件;
来源或目的为$relay_domains的邮件。


配置邮件别名:

cat /etc/aliases
test:root,test@www.haiyun.me
别名:收件地址1,收件地址2

更新别名数据库:

newaliases

配置邮件转发:

cat ~/.forward
test@www.haiyun.me,test2@www.haiyun.me

设置SMTP密码验证,为防止MTA被滥用在postfix有配置信任网段,如在外网可使用smtp密码验证方式。
以系统用户密码方式认证,先启动saslauthd服务协助postfix进行系统密码验证:

/etc/init.d/saslauthd start
chkconfig saslauthd on
yum install cyrus-sasl-plain cyrus-sasl-md5 cyrus-sasl

确定SMTPD配置文件有以下内容:

cat /usr/lib/sasl2/smtpd.conf 
pwcheck_method: saslauthd #saslauthd协助smtp进行密码验证

配置Postfix使用SASL验证,编辑main.cf配置文件添加:

smtpd_sasl_auth_enable = yes #开启SMTP验证
smtpd_sasl_security_options = noanonymous #不允许匿名用户
smtpd_recipient_restrictions =   #接收者限制规则,按顺序执行
     permit_mynetworks,      #mynetworks用户通过,匹配结束
     permit_sasl_authenticated,  #sasl验证用户通过,匹配结束
     reject_unknown_sender_domain, #拒绝无效的发送邮件域名
     reject_unauth_destination #拒绝收件人非mydestination、relay_domains或virtual_alias_maps定义域邮件

测试SMTP验证是否生效:

telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 mail.domain.com ESMTP Postfix
ehlo localhost
250-mail.domain.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN #显示此信息代表验证正常
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

配置IMAPPOP

yum -y install dovecot

编辑dovecot配置文件:

vim /etc/dovecot/dovecot.conf 
protocols = imap pop3 #监听协议
login_trusted_networks = 127.0.0.1 #允许登录接收邮件的IP段

设置邮件目录:

cat /etc/dovecot/conf.d/10-mail.conf 
mail_location = mbox:~/mail:INBOX=/var/mail/%u 

新建Mail账号:

useradd -g mail -s /sbin/nologin user

启动dovecot服务:

/etc/init.d/dovecot start
分类
最新文章
最近回复
  • 海运: 恩山有很多。
  • swsend: 大佬可以分享一下固件吗,谢谢。
  • Jimmy: 方法一 nghtp3步骤需要改成如下才能编译成功: git clone https://git...
  • 海运: 地址格式和udpxy一样,udpxy和msd_lite能用这个就能用。
  • 1: 怎么用 编译后的程序在家里路由器内任意一台设备上运行就可以吗?比如笔记本电脑 m参数是笔记本的...
  • 孤狼: ups_status_set: seems that UPS [BK650M2-CH] is ...
  • 孤狼: 擦。。。。apcupsd会失联 nut在冲到到100的时候会ONBATT进入关机状态,我想想办...
  • 海运: 网络,找到相应的url编辑重发请求,firefox有此功能,其它未知。
  • knetxp: 用浏览器F12网络拦截或监听后编辑重发请求,修改url中的set为set_super,将POS...
  • Albert: 啊啊啊啊啊啊啊啊啊 我太激动了,终于好了英文区搜索了半天,翻遍了 pve 论坛没找到好方法,博...