Postfix does not reject a manually blacklisted domain with the check_sender_access configuration

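Time: 2017-07-24 03:24:43

Tags: postfix blacklist

I am running a Postfix server (2.9.6) on Ubuntu 12.04.05 LTS, and spam from a certain domain is not being rejected, despite an explicit check_client_access list in which the domain example.com is listed. I tried the reject setting in the same override file with a well-known mail server (gmx.net), and it blocks incoming mail from that server as expected, but for some reason only the mail from example.com gets through. I checked whether I had made a mistake and somehow whitelisted it somewhere, but I could not find anything like that.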

The complete blocking entries in main.cf are as follows:

smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
 permit_sasl_authenticated,
 reject_invalid_helo_hostname,
 reject_non_fqdn_helo_hostname,
 warn_if_reject reject_unknown_helo_hostname,
 regexp:/etc/postfix/override_helo_access.regexp
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated
smtpd_recipient_restrictions =
 permit_mynetworks,
 reject_sender_login_mismatch,
 permit_sasl_authenticated,
 check_client_access hash:/etc/postfix/override_client_access,
 check_sender_access hash:/etc/postfix/override_sender_access,
 reject_unlisted_sender,
 reject_non_fqdn_sender,
 reject_non_fqdn_recipient,
 reject_unknown_sender_domain,
 reject_unknown_recipient_domain,
 reject_unknown_reverse_client_hostname,
 reject_unknown_client_hostname,
 reject_unauth_pipelining,
 reject_unauth_destination

smtpd_client_restrictions and smtpd_sender_restrictions (another blacklist) seem to be handled by Plesk, so I did not change anything there.

The override_client_access file looks like this (excerpt):

spamdomain.org REJECT
.spamdomain2.com REJECT
example.com REJECT
.example.com REJECT
spamdomain.net REJECT
12.12.12.12 REJECT

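I made sure that this file contains no whitelisting rules for the example.com domain or any of its subdomains, or for the corresponding IP addresses.

The override_sender_access file only lists email addresses for whitelisting: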

bla@foo.de OK
foo@bla.de OK
etc@etc.de OK

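This file lists only very few email addresses, all of which I have checked, so it cannot be the cause of an accidental whitelisting.

Of course, after every update to any of these files I created new hash databases with the postmap override_sender_access and postmap override_client_access commands and then ran postfix reload. As I already mentioned, I tested this setup by adding ".gmx.net REJECT" to the end of the override_client_access file and then sending mail from a gmx domain to my mail server, and the rejection worked as expected.

Here is a log file snippet from when the latest spam arrived a few hours ago; all the corresponding settings/files had remained unchanged for several days: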

Jul 24 00:39:35 postfix/smtpd[21873]: connect from mail.example.com[123.123.123.123]
Jul 24 00:39:36 postfix/smtpd[21873]: 0B6A7468A8E: client=mail.example.com[123.123.123.123]
Jul 24 00:39:36 postfix/cleanup[22020]: 0B6A7468A8E: message-id=<ublaqzk20871180.13462188@mail.example.com>
Jul 24 00:39:36 /usr/lib/plesk-9.0/psa-pc-remote[32672]: handlers_stderr: SKIP
Jul 24 00:39:36 /usr/lib/plesk-9.0/psa-pc-remote[32672]: SKIP during call 'limit-out' handler
Jul 24 00:39:36 /usr/lib/plesk-9.0/psa-pc-remote[32672]: handlers_stderr: SKIP
Jul 24 00:39:36 /usr/lib/plesk-9.0/psa-pc-remote[32672]: SKIP during call 'check-quota' handler
Jul 24 00:39:37 postfix/smtpd[21873]: disconnect from mail.example.com[123.123.123.123]
Jul 24 00:39:37 postfix/qmgr[13047]: 0B6A7468A8E: from=<spam@example.com>, size=362302, nrcpt=1 (queue active)
Jul 24 00:39:37 postfix-local[22026]: postfix-local: from=spam@example.com, to=myemail@address.com, dirname=/var/qmail/mailnames
Jul 24 00:39:39 spamc[22030]: skipped message, greater than max message size (256000 bytes)
Jul 24 00:39:39 dovecot: service=lda, user=myemail@address.com, ip=[]. msgid=<ublaqzk20871180.13462188@mail.example.com>: saved mail to INBOX
Jul 24 00:39:39 postfix/pipe[22025]: 0B6A7468A8E: to=<myemail@address.com>, relay=plesk_virtual, delay=3.4, delays=1.6/0.01/0/1.8, dsn=2.0.0, status=sent (delivered via plesk_virtual_service)
Jul 24 00:39:39 postfix/qmgr[13047]: 0B6A7468A8E: removed

Here is the full postconf -n output, in case it helps to identify the problem:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases, hash:/var/spool/postfix/plesk/aliases
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 20h
config_directory = /etc/postfix
disable_vrfy_command = yes
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
mailman_destination_recipient_limit = 1
maximal_queue_lifetime = 1d
message_size_limit = 536870912
mydestination = localhost.isp.net, localhost, localhost.localdomain
myhostname = mydomain.com
mynetworks = , 127.0.0.0/8, [::1]/128
myorigin = /etc/mailname
non_smtpd_milters =
plesk_virtual_destination_recipient_limit = 1
readme_directory = no
recipient_delimiter = +
relayhost =
sender_dependent_default_transport_maps = hash:/var/spool/postfix/plesk/sdd_transport_maps
smtp_send_xforward_command = yes
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = no
smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_hard_error_limit = 3
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, warn_if_reject reject_unknown_helo_hostname, regexp:/etc/postfix/override_helo_access.regexp
smtpd_milters = inet:127.0.0.1:12768
smtpd_proxy_timeout = 3600s
smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/override_client_access, permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated, check_sender_access hash:/etc/postfix/override_sender_access, reject_unlisted_sender, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unknown_reverse_client_hostname, reject_unknown_client_hostname, reject_unauth_pipelining, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sender_login_maps = mysql:/etc/postfix/mysql_slmaps_exceptions.cf, hash:/var/spool/postfix/plesk/virtual
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated
smtpd_soft_error_limit = 2
smtpd_timeout = 3600s
smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
smtpd_tls_ciphers = medium
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = TLSv1 TLSv1.1 TLSv1.2
smtpd_tls_protocols = TLSv1 TLSv1.1 TLSv1.2
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
tls_medium_cipherlist = HIGH:!aNULL:!MD5
transport_maps = , hash:/var/spool/postfix/plesk/transport
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_gid_maps = static:31
virtual_mailbox_base = /var/qmail/mailnames
virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains
virtual_mailbox_limit = 0
virtual_mailbox_maps = , hash:/var/spool/postfix/plesk/vmailbox
virtual_transport = plesk_virtual
virtual_uid_maps = static:110

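If someone could point me in the right direction to solve this mystery, I would be very grateful!

1 answer:

Answer 0 (score: 1)

It seems I had a misunderstanding about how the dot in the override_client_access list is interpreted. The documentation made me think that adding a dot before the domain would produce a block of all subdomains - but that is not the case. I have now changed the format of the list to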

example.com REJECT 
.example.com REJECT
example.net REJECT
.example.net REJECT

to make sure that all current and future versions of Postfix block the said domains, regardless of which subdomains they have, if any.
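
The lookup behaviour discussed in the answer, as an added example that is not part of the original post: a simplified Python model of the key order that the access(5) manual page documents for check_client_access, under both settings of parent_domain_matches_subdomains. The function names are hypothetical and the client address 198.51.100.7 is constructed; the table is the question's override_client_access excerpt.

```python
# Added illustration, not Postfix source: models the lookup order described in
# access(5) for check_client_access. Function names are hypothetical.

# Excerpt of override_client_access as shown in the question.
TABLE = {
    "spamdomain.org": "REJECT",
    ".spamdomain2.com": "REJECT",
    "example.com": "REJECT",
    ".example.com": "REJECT",
    "spamdomain.net": "REJECT",
    "12.12.12.12": "REJECT",
}


def hostname_keys(hostname, parent_matches_subdomains=True):
    """Keys tried for a client hostname, in order.

    True models smtpd_access_maps being listed in
    parent_domain_matches_subdomains (the Postfix default): parents are looked
    up without a leading dot, so ".domain.tld" keys are never queried.
    False models it being removed: parents are tried only as ".domain.tld".
    """
    rest = hostname.lower()
    keys = [rest]
    while "." in rest:
        rest = rest.split(".", 1)[1]
        keys.append(rest if parent_matches_subdomains else "." + rest)
    return keys


def address_keys(ipv4):
    """Full address first, then networks with trailing octets stripped."""
    octets = ipv4.split(".")
    return [".".join(octets[:n]) for n in range(4, 0, -1)]


def check_client_access(table, hostname, ipv4, parent_matches_subdomains=True):
    """Return (matched_key, action) for the first hit, or None (no decision)."""
    keys = hostname_keys(hostname, parent_matches_subdomains) + address_keys(ipv4)
    return next(((k, table[k]) for k in keys if k in table), None)


def unreachable_keys(table, parent_matches_subdomains=True):
    """Entries the chosen mode never queries, i.e. dead blocklist lines."""
    return [k for k in table if k.startswith(".")] if parent_matches_subdomains else []


if __name__ == "__main__":
    for mode in (True, False):
        print(mode, check_client_access(TABLE, "mx.spamdomain2.com", "198.51.100.7", mode))
    print("never queried by default:", unreachable_keys(TABLE))
```

On a live server, `postconf parent_domain_matches_subdomains` shows which mode applies, and `postmap -q <key> hash:/etc/postfix/override_client_access` confirms whether a given key is actually present in the compiled table.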