web-dev-qa-db-ja.com

送信にdovecotを使用している場合、postfixを介して送信されたすべての電子メールを拒否する必要がありますか?

ポート587でdovecot送信サービスを構成しました。リレーはpostfixサーバーです。それらは2つの異なるIPアドレス/マシン上にあります。

私がメールを送信したい唯一の方法は、ポート587を経由することです。つまり、dovecotがそれを処理し、postfixに中継します。ポート25に接続している人や何かが新しいメールを作成して誰かに送信することを望んでいません。すべてがdovecotを通過する必要があるため、すべてのメールはSASL/mysqlデータベースに対して認証されます。

これは接尾辞で意味しますか、私は設定する必要があります:

smtpd_sender_restrictions =拒否

したがって、送信者は何も処理せずにすぐに拒否されますか、それともdovecotも送信できなくなりますか?

postconf -n

access_map_reject_code = 554
alias_maps =
compatibility_level = 2
debug_peer_level = 100
disable_vrfy_command = yes
inet_interfaces = all
inet_protocols = all
invalid_hostname_reject_code = 554
lmtp_Host_lookup = native
mailbox_size_limit = 0
maps_rbl_reject_code = 554
message_size_limit = 50000000
milter_default_action = accept
milter_protocol = 2
multi_recipient_bounce_reject_code = 554
mydestination =
mydomain = s2.__SNIP__.com
myhostname = s2.__SNIP__.com
mynetworks = 127.0.0.1/32 [::1]/128 10.0.0.0/8
myorigin = $mydomain
mysql = mysql:${config_directory}
non_fqdn_reject_code = 554
non_smtpd_milters = inet:opendkim.mail-server:8891
plaintext_reject_code = 554
postscreen_upstream_proxy_protocol = haproxy
postscreen_upstream_proxy_timeout = 10s
readme_directory = no
recipient_delimiter = +
reject_code = 554
relay_domains_reject_code = 554
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = no
smtpd_error_sleep_time = 20
smtpd_hard_error_limit = 3
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_unknown_helo_hostname reject_non_fqdn_helo_hostname reject_invalid_helo_hostname
smtpd_junk_command_limit = 2
smtpd_milters = inet:opendkim.mail-server:8891
smtpd_recipient_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain permit_mynetworks reject_unknown_reverse_client_hostname reject_unknown_client_hostname permit
smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination
smtpd_sasl_path = inet:dovecot.mail-server:24
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_unknown_sender_domain reject_non_fqdn_sender
smtpd_soft_error_limit = 1
smtpd_tls_cert_file = /etc/certs/tls.crt
smtpd_tls_key_file = /etc/certs/tls.key
smtpd_tls_security_level = may
unknown_address_reject_code = 554
unknown_client_reject_code = 450
unknown_hostname_reject_code = 450
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_recipient_reject_reason = Address lookup failure
unverified_sender_reject_code = 554
virtual_alias_maps = ${mysql}/mysql_virtual_alias_maps.cf
virtual_mailbox_domains = ${mysql}/mysql_virtual_mailbox_domains.cf
virtual_mailbox_limit = 0
virtual_mailbox_maps = ${mysql}/mysql_virtual_mailbox_maps.cf
virtual_transport = lmtp:inet:dovecot.mail-server:24

doveconf -n

# doveconf -n
# 2.3.4.1 (f79e8e7e4): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.4 ()
# OS: Linux 4.9.0-8-AMD64 x86_64 Debian buster/sid ext4
# Hostname: dovecot-0.dovecot.mail-server.svc.cluster.local
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = yes
disable_plaintext_auth = no
first_valid_gid = 8
first_valid_uid = 8
haproxy_timeout = 5 secs
haproxy_trusted_networks = 10.0.0.0/8
hostname = s2.__SNIP__.com
log_path = /dev/stderr
mail_access_groups = mail
mail_debug = yes
mail_gid = mail
mail_home = /mail/%d/%n
mail_location = maildir:/mail/%d/%n
mail_privileged_group = mail
mail_uid = mail
maildir_stat_dirs = yes
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
postmaster_address = info@__SNIP__.com
protocols = " imap lmtp pop3 submission"
service auth-worker {
  unix_listener auth-worker {
    group = mail
    mode = 0660
    user = $default_internal_user
  }
  user = mail
}
service auth {
  user = $default_internal_user
}
service dict {
  unix_listener dict {
    group = mail
    mode = 0660
  }
}
service imap-login {
  inet_listener imap {
    haproxy = yes
    port = 143
  }
  inet_listener imaps {
    haproxy = yes
    port = 993
    ssl = yes
  }
}
service lmtp {
  inet_listener lmtp {
    haproxy = no
    port = 24
  }
}
service pop3-login {
  inet_listener pop3 {
    haproxy = yes
    port = 110
  }
  inet_listener pop3s {
    haproxy = yes
    port = 995
    ssl = yes
  }
}
service submission-login {
  inet_listener submission {
    haproxy = no
    port = 587
  }
}
ssl_cert = </certs/tls.crt
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
submission_relay_Host = postfix.mail-server
submission_relay_port = 587
userdb {
  driver = prefetch
}
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
verbose_ssl = yes
protocol !indexer-worker {
  mail_vsize_bg_after_count = 100
}
protocol lda {
  mail_plugins =
}
protocol imap {
  mail_plugins =
}
protocol lmtp {
  mail_plugins =
  recipient_delimiter = +
}
protocol pop3 {
  mail_plugins =
}
2

答えはノーです。すべての送信者を拒否すると、dovecotからのリレーメールも拒否されます。中継は送信中です。つまり、これはサーバーがまったく機能しないようにするだけです。

0