Есть почтовый сервер на базе Postfix + dovecot, установленный так сказать из "коробки", а именно iredmail
Конечно же сам Postfix после установки немного допиливался в плане рестрикшенов и пр.
На текущий момент почтовик используется в качестве сервера для исходящей почты. Соединение без авторизации, без ssl/tls, open relay закрыт
Для некоторых подсетей есть правило(проверка рестрикшенов) check
Вопросы:
1. Есть сомнения по поводу правильности конфига почтового сервера, просьба подсказать или указать что поправить, чтобы было все по феншую. Конфиги ниже
2. Некоторые почтовики при приеме почты дает такой вот отлуп:
Код: Выделить всё
Feb 10 16:47:28 mail postfix/smtpd[27465]: NOQUEUE: reject: RCPT from mydomain.ru[]: 450 4.1.1 <user@doma.spb.ru>: Recipient address rejected: unverified address: host mx1.doma.ru[21.33.22.10] said: 451 4.7.1 Temporarily rejected. Try again later. (in reply to RCPT TO command); from=<ev@mydomain.ru> to=<user@doma.spb.ru> proto=ESMTP helo=<USER24>3. Имеет ли смысл раскоментить?
Код: Выделить всё
#invalid_hostname_reject_code = 550
#non_fqdn_reject_code = 550
#unknown_address_reject_code = 550
#unknown_client_reject_code = 550
#unknown_hostname_reject_code = 550
#unverified_recipient_reject_code = 550
#unverified_sender_reject_code = 550Спасибо!
Сами конфиги почтовика:
cat /etc/postfix/main.cf
Код: Выделить всё
smtpd_banner = $myhostname ESMTP
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail_CA.pem
smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = mail.domain.com
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
myorigin = mail.domain.com
mydestination = $myhostname, localhost, localhost.localdomain, localhost.$myhostname
relayhost =
mynetworks = 127.0.0.0/8 10.20.30.0/24
mailbox_command = /usr/lib/dovecot/deliver
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
virtual_alias_domains =
allow_percent_hack = no
swap_bangpath = no
mydomain = domain.com
mynetworks_style = host
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
## Вырезаем sensitive информацию из заголовка письма
header_checks = regexp:/etc/postfix/acl/header_checks
####
#### Алиасы системные
sender_canonical_maps = hash:/etc/postfix/sender_canonical
#####
address_verify_negative_expire_time = 1d
address_verify_negative_refresh_time = 5m
address_verify_positive_refresh_time = 28d
delay_warning_time = 1h
maximal_queue_lifetime = 1d
bounce_queue_lifetime = 1d
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions
smtp_data_init_timeout = 240s
smtp_data_xfer_timeout = 600s
smtpd_helo_required = yes
# первая попытка повторной отправки будет на раньше чем через 3
# минуты, потом через 6, потом через 12. И так пока не дойдет до 2-х часов. Далее будет отправлять не чаще чем раз в два часа.
queue_run_delay = 180s
minimal_backoff_time = 300s
maximal_backoff_time = 7200s
#
enable_original_recipient = no
disable_vrfy_command = yes
home_mailbox = Maildir/
allow_min_user = no
message_size_limit = 51971520
virtual_minimum_uid = 2000
virtual_uid_maps = static:2000
virtual_gid_maps = static:2000
virtual_mailbox_base = /data
transport_maps = proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf, proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/catchall_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf, proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf
recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf, proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf
relay_domains = $mydestination, proxy:mysql:/etc/postfix/mysql/relay_domains.cf
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_authenticated_header = no
# Скрываем отображение имени таблицы получателей в ответе "User unknown"
# yes: User unknown in virtual mailbox table
# no: User unknown
show_user_unknown_table_name = no
# Данный адрес будет использоваться при проверки существования адреса отправителя.
address_verify_sender = mailer@domain.com
# Максимальное количество ошибок, которое может сделать удаленный SMTP клиент.
# При превышение данного числа Postfix разорвет соединение.
smtpd_hard_error_limit = 3
###############550##############################
#invalid_hostname_reject_code = 550
#non_fqdn_reject_code = 550
#unknown_address_reject_code = 550
#unknown_client_reject_code = 550
#unknown_hostname_reject_code = 550
#unverified_recipient_reject_code = 550
#unverified_sender_reject_code = 550
################################################
################################################
smtpd_restriction_classes = check
check =
reject_unauth_pipelining,
check_sender_access hash:/etc/postfix/acl/access_sender,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_unverified_sender,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
reject_unverified_recipient,
reject_rbl_client cbl.abuseat.org,
check_policy_service inet:127.0.0.1:7777,
check_policy_service inet:127.0.0.1:10031,
permit
smtpd_client_restrictions = permit_mynetworks
smtpd_helo_restrictions = permit_mynetworks
smtpd_sender_restrictions = permit_mynetworks
smtpd_recipient_restrictions =
permit_mynetworks,
reject_unauth_pipelining,
check_client_access cidr:/etc/postfix/acl/access_client,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_unverified_sender,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
reject_unverified_recipient,
reject_rbl_client cbl.abuseat.org,
check_policy_service inet:127.0.0.1:7777,
check_policy_service inet:127.0.0.1:10031,
permit_sasl_authenticated,
reject_unauth_destination,
reject
#################################################
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031
smtpd_tls_security_level = may
smtpd_tls_loglevel = 0
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail_CA.pem
tls_random_source = dev:/dev/urandom
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = ./dovecot-auth
content_filter = smtp-amavis:[127.0.0.1]:10024
smtp-amavis_destination_recipient_limit = 1
Код: Выделить всё
address_verify_negative_expire_time = 1d
address_verify_negative_refresh_time = 5m
address_verify_positive_refresh_time = 28d
address_verify_sender = mailer@domain.com
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
allow_percent_hack = no
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 1d
broken_sasl_auth_clients = yes
check = reject_unauth_pipelining, check_sender_access hash:/etc/postfix/acl/access_sender, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unverified_sender, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unverified_recipient, reject_rbl_client cbl.abuseat.org, check_policy_service inet:127.0.0.1:7777, check_policy_service inet:127.0.0.1:10031, permit
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
delay_warning_time = 1h
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
enable_original_recipient = no
header_checks = regexp:/etc/postfix/acl/header_checks
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = ipv4
mailbox_command = /usr/lib/dovecot/deliver
mailbox_size_limit = 0
maximal_backoff_time = 7200s
maximal_queue_lifetime = 1d
message_size_limit = 51971520
minimal_backoff_time = 300s
mydestination = $myhostname, localhost, localhost.localdomain, localhost.$myhostname
mydomain =domain.com
myhostname = mail.domain.com
mynetworks = 127.0.0.0/8 10.20.30.0/24
mynetworks_style = host
myorigin = mail.domain.com
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions
queue_run_delay = 180s
readme_directory = no
recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf, proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf
recipient_delimiter = +
relay_domains = $mydestination, proxy:mysql:/etc/postfix/mysql/relay_domains.cf
relayhost =
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf, proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf
sender_canonical_maps = hash:/etc/postfix/sender_canonical
show_user_unknown_table_name = no
smtp-amavis_destination_recipient_limit = 1
smtp_data_init_timeout = 240s
smtp_data_xfer_timeout = 600s
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions = permit_mynetworks
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031
smtpd_hard_error_limit = 3
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_pipelining, check_client_access cidr:/etc/postfix/acl/access_client, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unverified_sender, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unverified_recipient, reject_rbl_client cbl.abuseat.org, check_policy_service inet:127.0.0.1:7777, check_policy_service inet:127.0.0.1:10031, permit_sasl_authenticated, reject_unauth_destination, reject
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_restriction_classes = check
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain =
smtpd_sasl_path = ./dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
smtpd_sender_restrictions = permit_mynetworks
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail_CA.pem
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail_CA.pem
smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_tls_loglevel = 0
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
swap_bangpath = no
tls_random_source = dev:/dev/urandom
transport_maps = proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf, proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/catchall_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf
virtual_gid_maps = static:2000
virtual_mailbox_base = /data
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_minimum_uid = 2000
virtual_transport = dovecot
virtual_uid_maps = static:2000
