
March 28, 2010

Postfix Notes

Frequently used postfix commands

Reload the configuration
postfix reload
Check that the configuration is valid
postfix check (prints nothing if everything is correct)
List the current settings
postconf (postconf -n shows only the settings that differ from the built-in defaults)


/etc/postfix/main.cf settings notes
  • Leave myhostname and myorigin unset and set only mydomain
  • mydestination = $mydomain, $myhostname, localhost
  • Set the maximum size of a single message with message_size_limit
  • Add the options below to fend off spam and network abuse; if main.cf does not have them yet, add them, otherwise edit the existing lines
  • I use header_checks, so /etc/postfix/header_checks has to be updated as well; see below
  • Done
******* start here ***********

message_size_limit = 20480000
disable_vrfy_command = yes
smtpd_helo_required = yes
header_checks = regexp:/etc/postfix/header_checks

smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        reject_unauth_destination,
        reject_unknown_sender_domain,
        reject_invalid_hostname,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client dnsbl.njabl.org,
        reject_rbl_client xbl.spamhaus.org,
        reject_rbl_client cblless.anti-spam.org.cn

smtpd_data_restrictions =
        reject_unauth_pipelining,
        reject_multi_recipient_bounce

# mitigate SMTP abuse
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20

# do not use IPv6
inet_protocols = ipv4


******* end here ***********
For the contents of the header_checks file, see the one I actually use in the examples section below.

Detailed explanation of the settings

myhostname
  • The name Postfix announces in HELO/EHLO
  • Optional; if set, it must be the fully qualified name (FQDN)
  • If unset, Postfix uses the system hostname (gethostname()); make sure that is an FQDN, or set mydomain explicitly
mydomain
  • You can set only mydomain and leave myhostname unset, which is handy when the same configuration file is copied to several machines
  • If unset, mydomain is derived from $myhostname by stripping the first label

myorigin
  • The domain appended to locally posted mail that carries no domain part
  • Optional; the built-in default is $myhostname, not $mydomain (Debian/Ubuntu packages set it to /etc/mailname instead). To send as the bare domain, set myorigin = $mydomain explicitly
disable_vrfy_command
  • Set to yes so outsiders cannot use the SMTP VRFY command to probe which mailboxes exist on this host (an address-harvesting technique used by spammers)
  • Disable the SMTP VRFY command. This stops some techniques used to harvest email addresses.
smtpd_helo_required
  • Require the client to send HELO (or EHLO) before anything else in the SMTP session; some spam software skips HELO/EHLO entirely
message_size_limit
  • Maximum size of a single message, in bytes, headers included
  • Example: message_size_limit = 10000000 (10 MB). Note that main.cf has no trailing comments: a # is a comment only at the start of a line, so "message_size_limit = 10000000 #10MB" would make the value invalid
mailbox_size_limit
  • Maximum size of a local mailbox (mbox) or of a single maildir file; the default is 51200000 (50 MB), and 0 means no limit
  • Example: mailbox_size_limit = 200000000 (200 MB). It must not be smaller than message_size_limit
smtpd_recipient_restrictions
  • The rules that decide, at RCPT TO time, whether a message entering the MTA is accepted
  • This setting is not present in the stock main.cf; add it yourself
  • Order matters: restrictions are evaluated left to right, and the first one that returns permit or reject decides; a restriction that does not match falls through to the next one, and reaching the end of the list means permit
  • reject_non_fqdn_sender: reject when the sender address has no fully qualified domain
  • reject_non_fqdn_recipient: reject when the recipient address has no fully qualified domain
  • reject_unknown_sender_domain: reject when the sender domain has no DNS MX or A record
  • reject_unknown_recipient_domain: reject when the recipient domain has no DNS MX or A record
  • permit_mynetworks: allow clients whose IP address is in $mynetworks (it looks at the connecting client, not at the sender address)
  • permit_sasl_authenticated: allow clients that authenticated with SASL
  • reject_unauth_destination: reject unless the recipient domain is one this server is authorised to accept mail for ($mydestination, $inet_interfaces/$proxy_interfaces, $virtual_alias_domains, $virtual_mailbox_domains or $relay_domains). This is what stops the server from being an open relay that strangers can use to send mail
  • reject_invalid_hostname: reject when the HELO/EHLO hostname is syntactically invalid (it checks the HELO name, not the sender or recipient; since Postfix 2.3 it is called reject_invalid_helo_hostname, and the old name still works)
  • reject_rbl_client [zone]: reject clients listed in an online DNS blocklist
  • Do not put anything that permits everything before permit_mynetworks, and put reject_unauth_destination as soon as possible after permit_mynetworks and permit_sasl_authenticated, so the host cannot become an open relay. Postfix enforces a minimum here: it refuses to start if smtpd_recipient_restrictions contains no reject_unauth_destination (or check_relay_domains, reject, defer or defer_if_permit); since Postfix 2.10 that role is taken by the separate smtpd_relay_restrictions
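To make the first-match rule concrete, here is a small Python model of how Postfix walks the list. It is an added example, not code from the original post or from Postfix: each restriction returns PERMIT, REJECT or DUNNO, the first non-DUNNO answer wins, and the DNS blocklist lookups and $mynetworks are replaced by constructed in-memory tables so it runs offline. The addresses, the MYDESTINATION set and the RBL contents are assumptions, and the model's reject_unauth_destination only consults $mydestination (the real one also checks relay_domains and the virtual domain lists).

```python
"""Toy model of how Postfix evaluates smtpd_recipient_restrictions.

Added example, not code from the post or from Postfix. Each restriction
returns PERMIT, REJECT or DUNNO; the first non-DUNNO result decides, and
reaching the end of the list means PERMIT, as in Postfix. Network lookups
are replaced by constructed tables so the script runs offline.
"""
import ipaddress
import re
from dataclasses import dataclass

PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"

# Constructed configuration values (assumptions, not from the post).
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.168.1.0/24")]
MYDESTINATION = {"example.com", "mail.example.com", "localhost"}
# Constructed DNSBL contents; the real reject_rbl_client does a DNS query.
RBL = {"bl.spamcop.net": {"203.0.113.7"}, "xbl.spamhaus.org": set()}
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$")


@dataclass
class Session:
    client_ip: str
    helo: str
    sender: str        # envelope MAIL FROM, "" for the null sender
    recipient: str     # envelope RCPT TO
    sasl_authenticated: bool = False


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def is_fqdn(addr):
    # reject_non_fqdn_*: the domain must be well formed and contain a dot.
    d = domain_of(addr)
    return "." in d and HOSTNAME_RE.match(d) is not None


def permit_mynetworks(s):
    ip = ipaddress.ip_address(s.client_ip)
    return PERMIT if any(ip in n for n in MYNETWORKS) else DUNNO


def permit_sasl_authenticated(s):
    return PERMIT if s.sasl_authenticated else DUNNO


def reject_non_fqdn_sender(s):
    if s.sender == "":             # null sender (bounces) is never rejected here
        return DUNNO
    return DUNNO if is_fqdn(s.sender) else REJECT


def reject_non_fqdn_recipient(s):
    return DUNNO if is_fqdn(s.recipient) else REJECT


def reject_unauth_destination(s):
    # Simplified: the real check also accepts relay_domains and virtual domains.
    return DUNNO if domain_of(s.recipient) in MYDESTINATION else REJECT


def reject_invalid_hostname(s):
    return DUNNO if HOSTNAME_RE.match(s.helo) else REJECT


def reject_rbl_client(zone):
    def check(s):
        return REJECT if s.client_ip in RBL.get(zone, set()) else DUNNO
    check.__name__ = f"reject_rbl_client {zone}"
    return check


def evaluate(restrictions, session):
    """Return (verdict, name of the deciding restriction)."""
    for r in restrictions:
        verdict = r(session)
        if verdict != DUNNO:
            return verdict, r.__name__
    return PERMIT, "end of list"


# The order used in the post: trusted clients first, then relay control,
# then the comparatively expensive DNS blocklist lookups.
POST_ORDER = [permit_mynetworks, permit_sasl_authenticated,
              reject_non_fqdn_sender, reject_non_fqdn_recipient,
              reject_unauth_destination, reject_invalid_hostname,
              reject_rbl_client("bl.spamcop.net"),
              reject_rbl_client("xbl.spamhaus.org")]

# The same list without reject_unauth_destination: an open relay.
OPEN_RELAY = [r for r in POST_ORDER if r is not reject_unauth_destination]

if __name__ == "__main__":
    cases = [
        ("LAN client", Session("192.168.1.20", "pc1", "alice@example.com", "bob@other.org")),
        ("relay attempt", Session("198.51.100.9", "mx.attacker.test", "x@attacker.test", "victim@other.org")),
        ("RBL-listed client", Session("203.0.113.7", "spam.test", "spam@spam.test", "bob@example.com")),
    ]
    for label, s in cases:
        print(f"{label:18} {evaluate(POST_ORDER, s)}  without reject_unauth_destination: {evaluate(OPEN_RELAY, s)}")
```

Running it shows the three outcomes the ordering above is designed for: the LAN client is permitted by permit_mynetworks before any blocklist lookup happens, the outsider trying to relay to a foreign domain is stopped by reject_unauth_destination, and the same list with that single restriction removed lets the relay attempt through, which is the open-relay failure mode the note above warns about.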


smtpd_data_restrictions
  • This setting is not present in the stock main.cf; add it yourself
  • reject_multi_recipient_bounce
    • Reject mail whose envelope sender is the null address (<>) but which has more than one envelope recipient; a real bounce normally has exactly one
    • Reject the request when the envelope sender is the null address, and the message has multiple envelope recipients
    • Only works reliably in smtpd_data_restrictions or smtpd_end_of_data_restrictions, because the total number of recipients is not known earlier in the SMTP dialogue
  • reject_unauth_pipelining: reject clients that send SMTP commands ahead of time without first checking that the server announced ESMTP pipelining; bulk-mailing software does this to speed up delivery

header_checks
  • Content inspection of message headers
  • This setting is not present in the stock main.cf; add it yourself
  • Example: header_checks = regexp:/etc/postfix/header_checks
  • Attachment filenames live in MIME part headers, which are inspected by mime_header_checks; that parameter defaults to $header_checks, so the filename patterns in the example below work unless you set mime_header_checks separately, in which case move them there


body_checks
  • Content inspection of the message body; many body_checks patterns keep the CPU busy, so use them sparingly
  • This setting is not present in the stock main.cf; add it yourself
  • I do not use body_checks, so there is no example here; look one up yourself
inet_protocols = ipv4
  • The error below means the MTA is trying to reach Google's SMTP server over IPv6 (2a00:1450:4013:c01::1b), which fails because the network has no IPv6 connectivity. Postfix falls back to an IPv4 address, so the mail is still delivered, but every attempt logs the error.
    To get rid of it, tell Postfix not to use IPv6 by adding this directive to /etc/postfix/main.cf:
  • inet_protocols = ipv4
  • Afterwards restart postfix; changing inet_protocols requires a stop/start, a reload is not enough:
  • /etc/init.d/postfix restart
  • Without this setting the maillog shows errors such as:
  • Nov 26 06:46:41 localhost postfix/smtp[11045]: connect to aspmx.l.google.com[2a00:1450:4008:c01::1a]:25: Network is unreachable



MX records carry a preference value. The host with the lowest preference is normally the real mail server; the others are backup MX hosts, which simply agree to accept the mail and relay it on to the real host.
What is the benefit of a backup MX? Normally, if the destination host is down, your mail is eventually returned to the sender. With a backup MX host, that host keeps the message in its queue and delivers it once the destination host is back in service, so the mail is much less likely to be lost. A backup MX must know the primary's valid recipients (relay_recipient_maps); otherwise it accepts mail for non-existent users and later bounces it, generating backscatter.


Postfix evaluates the client-side checks in this order:
1 → smtpd_client_restrictions
2 → smtpd_helo_restrictions
3 → smtpd_sender_restrictions
4 → smtpd_recipient_restrictions
5 → smtpd_data_restrictions
6 → header_checks
7 → body_checks
With the default smtpd_delay_reject = yes, lists 1 to 3 are evaluated only once RCPT TO arrives (so the log can show the rejected recipient), still in the order above. Postfix 2.2 and later also have smtpd_end_of_data_restrictions between 5 and 6, and Postfix 2.10 and later evaluate smtpd_relay_restrictions just before 4.


Abuse mitigation
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20



Examples:

smtpd_recipient_restrictions example (the one I actually use)
smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        reject_unauth_destination,
        reject_unknown_sender_domain,
        reject_invalid_hostname,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client dnsbl.njabl.org,
        reject_rbl_client xbl.spamhaus.org,
        reject_rbl_client cblless.anti-spam.org.cn

(dnsbl.njabl.org was shut down in March 2013 and should be dropped from current configurations; a dead blocklist zone is at best a wasted DNS lookup per connection.)

smtpd_recipient_restrictions example (a reference example found online)
smtpd_recipient_restrictions =
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_unlisted_sender,
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_rbl_client dnsbl.sorbs.net,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client relays.ordb.org,
        reject_rbl_client xbl.spamhaus.org,
        check_recipient_access regexp:/etc/postfix/rcpt_checks,
        check_client_access regexp:/etc/postfix/client_checks,
        check_helo_access regexp:/etc/postfix/helo_checks,
        check_sender_access regexp:/etc/postfix/sender_checks,
        reject_unauth_destination
Two caveats on the example above. relays.ordb.org was shut down at the end of 2006 and since 2008 has answered positively to every query, so that line rejects all mail and must be removed. And because the check_*_access maps come before reject_unauth_destination, any map entry that returns OK (rather than DUNNO) lets the matching client, HELO name or sender relay to any destination; use DUNNO in those maps, or move reject_unauth_destination above them.

smtpd_data_restrictions example (the one I actually use)
smtpd_data_restrictions =
        reject_unauth_pipelining,
        reject_multi_recipient_bounce

header_checks example (the one I actually use; the patterns
  • block executable attachments by filename
  • block mail whose Date header is forged: it is already 201X, yet the message claims to have been sent in 200X)
The filename patterns are matched against MIME part headers (Content-Type, Content-Disposition), which works because mime_header_checks defaults to $header_checks. Matching in regexp tables is case-insensitive by default, so ".EXE" is caught as well. The Date patterns match anything containing 200x or 19xx after "Date:", so they need updating once a decade and also reject mail from hosts with a badly set clock, which is the intent.
---------------------------

/(filename|name)=".*\.exe"/                     REJECT Filename not allowed
/(filename|name)=".*\.com"/                     REJECT Filename not allowed
/(filename|name)=".*\.bat"/                     REJECT Filename not allowed
/(filename|name)=".*\.pif"/                     REJECT Filename not allowed
/(filename|name)=".*\.scr"/                     REJECT Filename not allowed
/(filename|name)=".*\.lnk"/                     REJECT Filename not allowed
/(filename|name)=".*\.ocx"/                     REJECT Filename not allowed
/(filename|name)=".*\.chm"/                     REJECT Filename not allowed
/(filename|name)=".*\.dll"/                     REJECT Filename not allowed
/(filename|name)=".*\.vb"/                      REJECT Filename not allowed
/(filename|name)=".*\.vbe"/                     REJECT Filename not allowed
/(filename|name)=".*\.vbs"/                     REJECT Filename not allowed
/(filename|name)=".*\.hlp"/                     REJECT Filename not allowed
/(filename|name)=".*\.hta"/                     REJECT Filename not allowed
/(filename|name)=".*\.js"/                      REJECT Filename not allowed
/(filename|name)=".*\.asd"/                     REJECT Filename not allowed
/(filename|name)=".*\.shb"/                     REJECT Filename not allowed
/(filename|name)=".*\.shs"/                     REJECT Filename not allowed
/(filename|name)=".*\.wsf"/                     REJECT Filename not allowed
/(filename|name)=".*\.wsh"/                     REJECT Filename not allowed

/^Date:.*200[0-9]/                              REJECT Date Error
/^Date:.*19[0-9][0-9]/                          REJECT Date Error
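The following Python script is an added example (not from the original post or from Postfix) that dry-runs a regexp table like the one above against constructed messages before it is deployed. It reproduces the parts of cleanup(8) behaviour that matter here: each logical (unfolded) header is matched as "Name: value", patterns are case-insensitive unless the table line carries the i flag, the first matching pattern wins, and MIME part headers are inspected too because mime_header_checks defaults to $header_checks. The table and the three messages are constructed; the second message shows that the .js pattern does not overmatch a .json attachment, and the third shows the Date rule firing.

```python
"""Dry-run a Postfix header_checks regexp table against sample messages.

Added example, not code from the post or from Postfix. Headers are
matched one logical header at a time, case-insensitively unless the
rule carries the 'i' flag, first match wins, and MIME part headers are
checked as well (mime_header_checks defaults to $header_checks).
"""
import re
from email import message_from_string

# Constructed table using the same pattern style as the post.
HEADER_CHECKS = r"""
# executable attachments by filename, forged Date headers
/(filename|name)=".*\.exe"/     REJECT Filename not allowed
/(filename|name)=".*\.js"/      REJECT Filename not allowed
/^Date:.*200[0-9]/              REJECT Date Error
/^Date:.*19[0-9][0-9]/          REJECT Date Error
"""


def load_table(text):
    """Parse '/pattern/flags action' lines into (compiled regex, action)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^/((?:[^/\\]|\\.)*)/([ix]*)\s+(.*)$", line)
        if not m:
            raise ValueError(f"cannot parse rule: {line}")
        pattern, flags, action = m.groups()
        # regexp tables match case-insensitively by default; 'i' turns that off.
        re_flags = 0 if "i" in flags else re.IGNORECASE
        rules.append((re.compile(pattern, re_flags), action))
    return rules


def logical_headers(msg):
    """Yield 'Name: value' with folded lines joined, for the top-level
    headers and for every MIME part (mime_header_checks = $header_checks)."""
    for part in msg.walk():
        for name, value in part.items():
            yield f"{name}: {' '.join(value.split())}"


def check_message(rules, raw):
    """Return the action of the first matching rule, or None if it passes."""
    msg = message_from_string(raw)
    for header in logical_headers(msg):
        for regex, action in rules:
            if regex.search(header):
                return action
    return None


# Constructed sample messages.
EXE_ATTACHMENT = """\
From: a@example.com
To: b@example.com
Date: Sun, 28 Mar 2010 10:00:00 +0800
Subject: invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: application/octet-stream; name="Invoice.PDF.EXE"
Content-Disposition: attachment; filename="Invoice.PDF.EXE"

MZ...
--B--
"""
JSON_ATTACHMENT = EXE_ATTACHMENT.replace("Invoice.PDF.EXE", "report.json")
STALE_DATE = (EXE_ATTACHMENT.replace("28 Mar 2010", "28 Mar 2008")
              .replace("Invoice.PDF.EXE", "notes.txt"))

if __name__ == "__main__":
    rules = load_table(HEADER_CHECKS)
    for label, raw in [("exe attachment", EXE_ATTACHMENT),
                       ("json attachment", JSON_ATTACHMENT),
                       ("stale Date header", STALE_DATE)]:
        print(f"{label:18} -> {check_message(rules, raw)}")
```

Because the filename patterns are not anchored to a particular header name, a Subject line that happens to contain name="x.exe" would also be rejected; anchoring them with ^Content-(Type|Disposition): is the tighter form if that ever becomes a problem.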
 


helo_checks example (found online; used via check_helo_access regexp:/etc/postfix/helo_checks, replace the domain and addresses with your own)
/^localhost$/                 550 Don't use my own domain (localhost)
/^charite\.de$/               550 Don't use my own domain
/^160\.45\.207\.131$/         550 Don't use my own IP address
/^mail\.charite\.de$/         550 Don't use my own hostname
/^141\.42\./                  550 Don't use an IP address from my network
/^\[160\.45\.207\.131\]$/     550 Don't use my own IP address in brackets
/^\[141\.42\./                550 Don't use an IP address from my network




Setting up a virtual alias domain

1. Add these two lines to /etc/postfix/main.cf
virtual_alias_maps = hash:/etc/postfix/virtual_alias_maps
virtual_alias_domains = hash:/etc/postfix/virtual_alias_domains


2. sudo vi /etc/postfix/virtual_alias_domains
#virtual alias domains
#domain to accept mail for    date created
royalhost.com.tw        20100330

(Postfix ignores the right-hand column of a virtual_alias_domains table, so the date is just a note for yourself. Do not list the same domain in mydestination as well: Postfix logs a warning about the overlap and treats the domain as a local one.)

After editing, run the following command for the change to take effect
sudo postmap  hash:/etc/postfix/virtual_alias_domains


3. sudo vi /etc/postfix/virtual_alias_maps

#AAA.com.tw
#write an FQDN on both sides to avoid mistakes and confusion
#the RFCs require every domain to have postmaster and abuse
#so these two entries are mandatory; the right-hand side may list several recipients
[email protected]    [email protected]
[email protected]           [email protected]
[email protected]           [email protected]
[email protected]           [email protected]
[email protected]     [email protected],[email protected]


After editing, run the following command for the change to take effect
sudo postmap  hash:/etc/postfix/virtual_alias_maps


After the three steps, reload postfix
sudo /etc/init.d/postfix reload
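Before running postmap and reload, the rules stated in the three steps above can be checked mechanically. The Python script below is an added example (not code from the original post or from Postfix): it parses the two table files in Postfix's plain "key value" syntax and reports every alias whose left- or right-hand side is not fully qualified, every virtual alias domain lacking postmaster@ and abuse@ (RFC 2142), every alias whose domain is not listed in virtual_alias_domains, and any domain that appears in both virtual_alias_domains and mydestination. The file contents and domain names below are constructed stand-ins; the post's real addresses are not reproduced.

```python
"""Sanity-check virtual_alias_domains / virtual_alias_maps before postmap.

Added example, not code from the post or from Postfix. Implements the
rules the post states (FQDN on both sides, mandatory postmaster@ and
abuse@, no overlap with mydestination) over constructed sample files.
"""


def parse_table(text):
    """Postfix text-table syntax: 'key value...', '#' comments and blank
    lines ignored, a line starting with whitespace continues the previous one."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and entries:
            key, value = entries[-1]
            entries[-1] = (key, value + " " + line.strip())
            continue
        key, _, value = line.strip().partition(" ")
        entries.append((key, value.strip()))
    return entries


def is_fqdn_address(addr):
    local, at, domain = addr.partition("@")
    return bool(local) and at == "@" and "." in domain


def check_virtual_aliases(domains_text, maps_text, mydestination):
    """Return a list of problem descriptions; an empty list means all good."""
    problems = []
    # Postfix ignores the right-hand column of virtual_alias_domains,
    # which is why the post can keep a date there.
    domains = [k.lower() for k, _ in parse_table(domains_text)]
    local_domains = {x.strip().lower() for x in mydestination.split(",")}
    aliases = parse_table(maps_text)
    for d in domains:
        if d in local_domains:
            problems.append(f"{d} is in both virtual_alias_domains and mydestination")
        lhs = {k.lower() for k, _ in aliases if k.lower().endswith("@" + d)}
        for required in ("postmaster", "abuse"):
            if f"{required}@{d}" not in lhs:
                problems.append(f"{d}: missing {required}@{d} (required by RFC 2142)")
    for lhs, rhs in aliases:
        if not is_fqdn_address(lhs):
            problems.append(f"left-hand side not fully qualified: {lhs}")
        for target in rhs.replace(" ", "").split(","):
            if not is_fqdn_address(target):
                problems.append(f"{lhs}: target not fully qualified: {target}")
        if lhs.partition("@")[2].lower() not in domains:
            problems.append(f"{lhs}: domain not listed in virtual_alias_domains")
    return problems


# Constructed sample files (RFC 2606 reserved names, not the post's domain).
DOMAINS = """\
#virtual alias domains
#domain to accept mail for   date created
aaa.example                  20100330
"""
MAPS_GOOD = """\
#aaa.example
postmaster@aaa.example   admin@mail.example.com
abuse@aaa.example        admin@mail.example.com
info@aaa.example         alice@mail.example.com, bob@mail.example.com
"""
MAPS_BAD = """\
postmaster@aaa.example   admin
info@aaa.example         alice@mail.example.com
sales@bbb.example        bob@mail.example.com
"""

if __name__ == "__main__":
    print("good:", check_virtual_aliases(DOMAINS, MAPS_GOOD, "$mydomain, $myhostname, localhost"))
    for p in check_virtual_aliases(DOMAINS, MAPS_BAD, "aaa.example, localhost"):
        print("bad: ", p)
```

The bad sample trips all four checks: the unqualified target "admin" (which Postfix would expand with $myorigin, probably not what was intended), the missing abuse@ entry, an alias for a domain never declared in virtual_alias_domains (it would simply never match), and the domain being listed in mydestination too.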


References

Postfix limit incoming or receiving email rate

Q. I have noticed that spammers continually try to make a connection (email flooding attack). How do I enforce a number of limits on incoming mail so that I can protect hosted email domains?
A. Postfix (the smtpd daemon) can enforce a number of limits on incoming email, which blunts email flooding attacks.
A bot connects to your Postfix email server and sends garbage commands or spam, attempting to overload your server. You can limit:
=> The length of lines in a message, and so on
=> The size of messages
=> The number of recipients for a single delivery
Try the following directives in your postfix main.cf config file:
smtpd_error_sleep_time - The SMTP server response delay after a client has made more than $smtpd_soft_error_limit errors, and fewer than smtpd_hard_error_limit errors, without delivering mail.
smtpd_soft_error_limit : The number of errors a remote SMTP client is allowed to make without delivering mail before the Postfix SMTP server slows down all its responses.
smtpd_hard_error_limit : The maximal number of errors a remote SMTP client is allowed to make without delivering mail. The Postfix SMTP server disconnects when the limit is exceeded.
Open config file
# vi main.cf
Append following directives:
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20

Save and restart/reload postfix configuration
# /etc/init.d/postfix restart
With Postfix 2.1 and later, every client error (unknown command, missing HELO, rejected sender or recipient, and so on) is counted per session. Once a client has made more than 10 errors without delivering any mail, Postfix delays every response to that client by smtpd_error_sleep_time (1 second here); when the count passes 20, Postfix disconnects the client. (Postfix 2.0 and earlier instead delayed responses by as many seconds as the error count.)
You can see this in action from /var/log/maillog file:

Dec 15 16:50:59 server postfix/anvil[20799]: statistics: max connection rate 1/60s for (smtp:80.224.37.124) at Dec 15 16:47:29
Dec 15 16:50:59 server postfix/anvil[20799]: statistics: max connection count 1 for (smtp:80.224.37.124) at Dec 15 16:47:29
Dec 15 16:50:59 server postfix/anvil[20799]: statistics: max cache size 2 at Dec 15 16:47:38
postfix/anvil[14400]: statistics: max connection rate 1/60s for (submission:203.43.xxx.2xx) at Aug 30 16:21:50
postfix/anvil[14400]: statistics: max connection count 1 for (submission:203.43.xxx.2xx) at Aug 30 16:21:50
postfix/anvil[14400]: statistics: max cache size 1 at Aug 30 16:21:50
These anvil lines are not about the error limits. anvil(8) periodically logs, per smtpd service and client address, the peak connection rate and peak concurrent connection count it observed (the counters behind smtpd_client_connection_rate_limit and smtpd_client_connection_count_limit), plus the size of its cache. A client that exceeds smtpd_hard_error_limit shows up in the smtpd log instead, as "too many errors after RCPT from host[address]" (the command name varies), followed by the disconnect. The three directives that control this are the ones listed above: smtpd_error_sleep_time, smtpd_soft_error_limit and smtpd_hard_error_limit.
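Both kinds of log line are worth watching, and a short script turns them into a list of clients that deserve a firewall rule or a check_client_access entry. The Python below is an added example, not code from the original post or from Postfix: it parses the anvil statistics lines and the smtpd "too many errors after ... from ..." lines, aggregates them per client address, and flags clients that hit the hard error limit or approached the connection limits the post configures (30 per 60 s, 20 concurrent). The log lines are constructed (addresses from the RFC 5737 documentation ranges) and the thresholds are assumptions.

```python
"""Pull abusive SMTP clients out of a Postfix maillog.

Added example, not code from the post or from Postfix. Parses anvil(8)
per-client statistics and the smtpd "too many errors" line, aggregates
per client address and reports the ones worth blocking.
"""
import re
from collections import defaultdict

# anvil reports peak rate and peak concurrency per (service:client).
ANVIL_RATE = re.compile(
    r"postfix/anvil\[\d+\]: statistics: max connection rate (\d+)/(\d+)s for \((\w+):([0-9a-fA-F.:x]+)\)")
ANVIL_COUNT = re.compile(
    r"postfix/anvil\[\d+\]: statistics: max connection count (\d+) for \((\w+):([0-9a-fA-F.:x]+)\)")
# smtpd logs this when a client exceeds smtpd_hard_error_limit.
TOO_MANY = re.compile(
    r"postfix/smtpd\[\d+\]: too many errors after (\w+) from ([^\[]+)\[([0-9a-fA-F.:]+)\]")


def parse(lines):
    """Aggregate evidence per client IP: peak rate, peak count, hard-limit hits."""
    clients = defaultdict(lambda: {"max_rate": 0, "max_count": 0,
                                   "hard_limit_hits": 0, "services": set()})
    for line in lines:
        if m := ANVIL_RATE.search(line):
            rate, _unit, service, ip = m.groups()
            c = clients[ip]
            c["max_rate"] = max(c["max_rate"], int(rate))
            c["services"].add(service)
        elif m := ANVIL_COUNT.search(line):
            count, service, ip = m.groups()
            c = clients[ip]
            c["max_count"] = max(c["max_count"], int(count))
            c["services"].add(service)
        elif m := TOO_MANY.search(line):
            _stage, _host, ip = m.groups()
            clients[ip]["hard_limit_hits"] += 1
    return clients


def suspects(clients, rate_limit=30, count_limit=20):
    """Clients that hit the hard error limit or reached the connection
    limits used in the post (assumed thresholds: 30 per 60 s, 20 concurrent)."""
    out = []
    for ip, c in clients.items():
        reasons = []
        if c["hard_limit_hits"]:
            reasons.append(f"hit smtpd_hard_error_limit {c['hard_limit_hits']}x")
        if c["max_rate"] >= rate_limit:
            reasons.append(f"peak rate {c['max_rate']}/60s")
        if c["max_count"] >= count_limit:
            reasons.append(f"{c['max_count']} concurrent connections")
        if reasons:
            out.append((ip, reasons))
    return sorted(out)


# Constructed log lines in the format shown in the post.
SAMPLE_LOG = """\
Dec 15 16:50:59 server postfix/anvil[20799]: statistics: max connection rate 1/60s for (smtp:198.51.100.24) at Dec 15 16:47:29
Dec 15 16:50:59 server postfix/anvil[20799]: statistics: max connection count 1 for (smtp:198.51.100.24) at Dec 15 16:47:29
Dec 15 16:50:59 server postfix/anvil[20799]: statistics: max cache size 2 at Dec 15 16:47:38
Dec 15 17:02:11 server postfix/smtpd[21004]: too many errors after RCPT from unknown[203.0.113.7]
Dec 15 17:02:40 server postfix/smtpd[21009]: too many errors after RCPT from unknown[203.0.113.7]
Dec 15 17:10:59 server postfix/anvil[20799]: statistics: max connection rate 41/60s for (smtp:203.0.113.7) at Dec 15 17:02:09
Dec 15 17:10:59 server postfix/anvil[20799]: statistics: max connection count 23 for (smtp:203.0.113.7) at Dec 15 17:02:09
""".splitlines()

if __name__ == "__main__":
    for ip, reasons in suspects(parse(SAMPLE_LOG)):
        print(ip, "; ".join(reasons))
```

On the sample the well-behaved client at 198.51.100.24 (one connection a minute) is ignored, while 203.0.113.7 is reported for two hard-limit disconnects plus a peak of 41 connections per minute and 23 in parallel, exactly the pattern the connection limits in the next section are meant to throttle.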

###############################################
# ★ Limit the connection rate of each client (MUA) #
###############################################
#
# Notes:
# 1. These settings protect against DoS flood attacks.
# 2. "client (MUA)" here means the connections coming from one particular
#    client, not the total number of connections Postfix handles.

# Length of the time unit over which Postfix counts each client's connections.
# (On Postfix 2.2 and later this parameter is called anvil_rate_time_unit,
# default 60s; if "postfix check" reports client_connection_rate_time_unit
# as an unused parameter, that is why.)
client_connection_rate_time_unit = 60s

# Maximum number of connections one client may make within that time unit
smtpd_client_connection_rate_limit = 30

# Maximum number of simultaneous connections from one client
smtpd_client_connection_count_limit = 20

# Hosts exempt from the limits above are listed in
# smtpd_client_event_limit_exceptions
# $mynetworks is exempt by default
# Several entries may be given, separated by commas
#
# Useful variables:
# $mydestination (usually $myhostname + $mydomain)
# $myhostname
# $mydomain
