
Postfix Advanced Configuration

Author: hzqbbc, ExtMail Dev Team, 2007-06-15



Presentation Transcript


  1. Postfix Advanced Configuration. Author: hzqbbc, ExtMail Dev Team, 2007-06-15

  2. Outline • Content filter principles and configuration • Configuring internal-only mail users • Preventing mail sent under forged local accounts • Simple mail monitoring • Custom mail routing tables

  3. Content filter principles and configuration • Content filter • Official documentation: FILTER_README • Postfix 1.1+ supports content filters • Functions and uses • Supports both the before-queue and the after-queue mode • Supports a network interface, so the filter can be moved to a separate host • Content-filter-based setups can be developed into gateway-type software

  4. Content filter: after queue. (Diagram: network or local users → Postfix queue → filter → network or local mailboxes.) After-queue characteristics: mail is accepted first and stored in the queue, then handed to the filter, and only then delivered.

  5. After-queue example in detail. (Diagram, following FILTER_README: unfiltered mail enters through smtpd or pickup → cleanup → qmgr → smtp client to the filter, Amavisd-new listening on port 10024; filtered mail is re-injected into the smtpd on port 10025 → cleanup → qmgr → local, smtp or another MDA.)

  6. After-queue filter configuration

     main.cf:

       content_filter = smtp:[127.0.0.1]:10024
       receive_override_options = no_address_mappings

     master.cf:

       127.0.0.1:10025 inet n - n - - smtpd
         -o content_filter=
         -o local_recipient_maps=
         -o relay_recipient_maps=
         -o smtpd_restriction_classes=
         -o smtpd_client_restrictions=
         -o smtpd_helo_restrictions=
         -o smtpd_sender_restrictions=
         -o smtpd_recipient_restrictions=permit_mynetworks,reject
         -o mynetworks=127.0.0.0/8
         -o strict_rfc821_envelopes=yes
         -o smtpd_error_sleep_time=0
         -o smtpd_soft_error_limit=1001
         -o smtpd_hard_error_limit=1000
         -o receive_override_options=

  7. Before-queue principle. (Diagram: unfiltered mail from the Internet → smtpd → proxy filter, Amavisd-new on port 10024 → smtpd on port 10025 → cleanup → incoming queue.) Before-queue characteristics: mail is placed in the queue only after filtering completes, so spam never stays on the system, but throughput is lower than with after-queue filtering.

  8. Before-queue configuration example

     master.cf:

       smtp inet n - n - 20 smtpd
         -o smtpd_proxy_filter=127.0.0.1:10024
         -o smtpd_client_connection_count_limit=10
       127.0.0.1:10025 inet n - n - - smtpd
         -o smtpd_authorized_xforward_hosts=127.0.0.0/8
         -o smtpd_client_restrictions=
         -o smtpd_helo_restrictions=
         -o smtpd_sender_restrictions=
         -o smtpd_recipient_restrictions=permit_mynetworks,reject
         -o smtpd_data_restrictions=
         -o mynetworks=127.0.0.0/8
         -o receive_override_options=no_unknown_recipient_checks

     The before-queue configuration suits servers with modest traffic; under a large-scale spam attack the system can easily collapse because the content filter becomes overloaded!

  9. Internal-only mail users: example • Definition: some users may only receive and send mail for a fixed set of domains; typically used for restricted staff • Advantage: prevents employees from using company mailboxes for private correspondence • Weakness: the restriction is easily bypassed by forging the MAIL FROM address

  10. Internal account configuration example

     main.cf:

       smtpd_restriction_classes = local_recip, local_sender
       local_recip = check_recipient_access hash:/etc/postfix/local_domains, reject
       local_sender = check_sender_access hash:/etc/postfix/local_domains, reject
       smtpd_recipient_restrictions =
         check_sender_access hash:/etc/postfix/local_senders,
         check_recipient_access hash:/etc/postfix/local_recipients,
         permit_mynetworks,
         permit_sasl_authenticated,
         reject_non_fqdn_hostname,
         reject_non_fqdn_sender,
         reject_non_fqdn_recipient,
         reject_unauth_destination,
         reject_unauth_pipelining,
         reject_unknown_sender_domain,
         reject_invalid_hostname

  11. Internal account configuration example (continued)

     Add three new files, local_domains, local_senders and local_recipients, with the following contents:

     local_domains:

       domain.com     OK
       192.168.0.1    OK

     local_senders:

       foo@bar.com    local_recip

     local_recipients:

       foo@bar.com    local_sender

     Finally run:

       postmap hash:/etc/postfix/local_domains
       postmap hash:/etc/postfix/local_senders
       postmap hash:/etc/postfix/local_recipients
       postfix reload
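To make the interaction between the two restriction classes and the three access tables concrete, the following Python script replays how smtpd walks smtpd_recipient_restrictions for a few sender/recipient pairs. It is an added illustration, not ExtMail or Postfix code: the three tables are copied from the slide, while the set of locally accepted domains (MY_DOMAINS), the client attributes and the reduced restriction list are constructed assumptions.

```python
"""Simulated walk through the internal-only user policy of slides 10 and 11.

Added illustration, not ExtMail or Postfix code. It replays how smtpd
evaluates smtpd_recipient_restrictions: an access-map hit that names a
restriction class expands into that class, OK or REJECT ends the walk,
and a class that decides nothing falls through to the next restriction.
The three tables are copied from slide 11; which domains are local and
the client attributes are constructed assumptions.
"""

# access(5) tables from slide 11 (constructed copies of the slide's data).
LOCAL_DOMAINS = {"domain.com": "OK", "192.168.0.1": "OK"}
LOCAL_SENDERS = {"foo@bar.com": "local_recip"}
LOCAL_RECIPIENTS = {"foo@bar.com": "local_sender"}

# Assumption: domains this server accepts mail for (mydestination or
# virtual domains); reject_unauth_destination is modelled against this set.
MY_DOMAINS = {"domain.com", "bar.com"}

# smtpd_restriction_classes from slide 10.
CLASSES = {
    "local_recip": [("check_recipient_access", LOCAL_DOMAINS), ("reject", None)],
    "local_sender": [("check_sender_access", LOCAL_DOMAINS), ("reject", None)],
}

# smtpd_recipient_restrictions from slide 10, reduced to the restrictions this
# simulation models (the reject_non_fqdn_* style syntax checks are left out).
RECIPIENT_RESTRICTIONS = [
    ("check_sender_access", LOCAL_SENDERS),
    ("check_recipient_access", LOCAL_RECIPIENTS),
    ("permit_mynetworks", None),
    ("permit_sasl_authenticated", None),
    ("reject_unauth_destination", None),
]


def access_lookup(table, address):
    """Look an address up the way access(5) does: user@domain, then domain, then user@."""
    address = address.lower()
    localpart, _, domain = address.rpartition("@")
    for key in (address, domain, localpart + "@"):
        if key in table:
            return table[key]
    return None


def evaluate(restrictions, sender, recipient, client):
    """Walk one restriction list; return 'OK', 'REJECT' or 'DUNNO' (no decision)."""
    for name, table in restrictions:
        if name == "check_sender_access":
            result = access_lookup(table, sender)
        elif name == "check_recipient_access":
            result = access_lookup(table, recipient)
        elif name == "permit_mynetworks":
            result = "OK" if client["mynetworks"] else None
        elif name == "permit_sasl_authenticated":
            result = "OK" if client["sasl_user"] else None
        elif name == "reject_unauth_destination":
            result = None if recipient.lower().rpartition("@")[2] in MY_DOMAINS else "REJECT"
        else:  # "reject"
            result = "REJECT"
        if result in CLASSES:  # the access-map hit names a restriction class
            result = evaluate(CLASSES[result], sender, recipient, client)
        if result in ("OK", "REJECT"):
            return result
    return "DUNNO"


def decide(sender, recipient, mynetworks=False, sasl_user=None):
    """Final verdict for one RCPT TO; reaching the end of the list without a decision means accept."""
    client = {"mynetworks": mynetworks, "sasl_user": sasl_user}
    return "REJECT" if evaluate(RECIPIENT_RESTRICTIONS, sender, recipient, client) == "REJECT" else "OK"


if __name__ == "__main__":
    for sender, recipient, client in [
        ("foo@bar.com", "alice@domain.com", {"mynetworks": True}),  # internal user -> local domain
        ("foo@bar.com", "bob@example.net", {"mynetworks": True}),   # internal user -> outside
        ("eve@example.net", "foo@bar.com", {}),                     # outside -> internal user
        ("alice@domain.com", "foo@bar.com", {}),                    # local domain -> internal user
    ]:
        print(f"{sender:>18} -> {recipient:<18} {decide(sender, recipient, **client)}")
```

The walk shows why the classes sit in front of permit_mynetworks: foo@bar.com reaches domain.com but is rejected towards example.net, and an outside sender is rejected towards foo@bar.com. It also shows that an OK from a class ends the evaluation, so the decision rests entirely on the MAIL FROM address in the access tables; that is the weakness slide 9 notes, and the sender login maps of slides 12 to 14 are what close it.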

  12. Preventing forged local senders • Requirement: the SMTP protocol does not require the sender address given at the MAIL FROM stage to be verified, so an attacker can connect to our server and send mail to others while impersonating a local user • Solution: use Postfix sender login maps

  13. Configuration example

     main.cf:

       smtpd_reject_unlisted_sender = yes
       smtpd_sender_restrictions =
         reject_sender_login_mismatch,
         reject_authenticated_sender_login_mismatch,
         reject_unauthenticated_sender_login_mismatch
       smtpd_sender_login_maps =
         mysql:/etc/postfix/mysql_virtual_sender_maps.cf,
         mysql:/etc/postfix/mysql_virtual_alias_maps.cf

     Note: besides checking the sender addresses, the aliases must be checked as well!

  14. Configuration example (continued)

     mysql_virtual_sender_maps.cf:

       user = extmail
       password = extmail
       hosts = localhost
       dbname = extmail
       table = mailbox
       select_field = username
       where_field = username
       additional_conditions = AND active = '1'

     mysql_virtual_alias_maps.cf:

       user = extmail
       password = extmail
       hosts = localhost
       dbname = extmail
       table = alias
       select_field = goto
       where_field = address
       additional_conditions = AND active = '1'
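The following Python script shows what the two maps on slides 13 and 14 decide for a logged-in or anonymous client, including why the alias map is needed. It is an added illustration, not ExtMail or Postfix code: the MySQL tables are replaced by in-memory rows that I constructed, and each lookup function reproduces the query the corresponding .cf file describes (exact match on where_field, filtered by active = '1', returning select_field).

```python
"""Simulated reject_sender_login_mismatch check for the maps on slides 13 and 14.

Added illustration, not ExtMail or Postfix code. The two MySQL maps are
replaced by in-memory copies of the extmail `mailbox` and `alias` tables
with constructed rows, and each lookup reproduces its query: an exact
match on where_field (username or address) filtered by active = '1',
returning select_field (username or goto).
"""

# Constructed rows standing in for the `mailbox` table: (username, active).
MAILBOX = [
    ("john@domain.com", 1),
    ("mary@domain.com", 1),
    ("old@domain.com", 0),   # disabled account
]

# Constructed rows standing in for the `alias` table: (address, goto, active).
ALIAS = [
    ("sales@domain.com", "john@domain.com,mary@domain.com", 1),
    ("retired@domain.com", "john@domain.com", 0),   # disabled alias
]


def sender_map_lookup(sender):
    """mysql_virtual_sender_maps.cf: SELECT username FROM mailbox WHERE username = ? AND active = '1'."""
    return {username for username, active in MAILBOX
            if username == sender.lower() and active == 1}


def alias_map_lookup(sender):
    """mysql_virtual_alias_maps.cf: SELECT goto FROM alias WHERE address = ? AND active = '1'."""
    owners = set()
    for address, goto, active in ALIAS:
        if address == sender.lower() and active == 1:
            owners.update(g.strip() for g in goto.split(","))
    return owners


def sender_owners(sender, maps=(sender_map_lookup, alias_map_lookup)):
    """smtpd_sender_login_maps lists several tables; the first one with a result wins."""
    for lookup in maps:
        owners = lookup(sender)
        if owners:
            return owners
    return set()


def check_sender_login(sender, sasl_user=None, maps=(sender_map_lookup, alias_map_lookup)):
    """Verdict for one MAIL FROM: 'REJECT' or 'DUNNO' (this restriction has no opinion).

    Unauthenticated client: reject if the address has an owner at all
    (reject_unauthenticated_sender_login_mismatch). Authenticated client:
    reject unless the login name is one of the owners, which also rejects
    addresses the maps do not know (reject_authenticated_sender_login_mismatch).
    """
    owners = sender_owners(sender, maps)
    if sasl_user is None:
        return "REJECT" if owners else "DUNNO"
    return "DUNNO" if sasl_user.lower() in owners else "REJECT"


if __name__ == "__main__":
    print(check_sender_login("john@domain.com", "john@domain.com"))      # DUNNO
    print(check_sender_login("john@domain.com", "mary@domain.com"))      # REJECT
    print(check_sender_login("sales@domain.com", "mary@domain.com"))     # DUNNO: alias goto
    print(check_sender_login("sales@domain.com", "mary@domain.com",
                             maps=(sender_map_lookup,)))                 # REJECT: alias map missing
    print(check_sender_login("sales@domain.com"))                        # REJECT: listed, no login
```

The fourth call is the slide's "check the aliases too" note in action: with only the mailbox map configured, mary@domain.com cannot send as the sales@domain.com alias she belongs to, because that address has no owner. Note also that a sender the maps do not know at all gets DUNNO from an anonymous client; rejecting unknown senders in a local domain is the job of smtpd_reject_unlisted_sender, which is why slide 13 sets it alongside.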

  15. Simple mail monitoring • Requirement: a company needs to monitor the mail of specific accounts, for example sales • Solution: use Postfix's built-in always_bcc, sender_bcc_maps and recipient_bcc_maps parameters to enable blind copies of mail and so implement monitoring • Drawback: if the monitoring mailbox ever breaks, the system bounces mail to the monitored users and reveals that they are being monitored!

  16. Configuration example

     main.cf:

       always_bcc = monitor@example.com
       sender_bcc_maps = hash:/etc/postfix/bcc_maps

     bcc_maps:

       john@hotmail.com    monitor@example.com

     The first main.cf line dumps every message entering or leaving the system into monitor@example.com; note that this doubles the mail volume. The second line blind-copies only mail from john@hotmail.com to monitor@example.com; by the same logic, using recipient_bcc_maps instead would copy mail sent to john@hotmail.com to monitor@example.com.

  17. Custom mail routing • Requirement: divert certain mail to other mail machines, or spread mail storage across different machines • Solution: use transport(5) to adjust the default delivery routing • Caution: beware of creating a mail loop

  18. Configuration example

     main.cf:

       transport_maps = hash:/etc/postfix/route_table

     route_table:

       foo.com         smtp:real-mx.foo.com
       john@test.com   :[gw.test.com]

     The first route_table entry sends all mail for foo.com to real-mx.foo.com over SMTP; the second hands mail for john@test.com to gw.test.com. Note that [] means the MX lookup is skipped, which avoids a mail loop when this machine is itself the primary MX for test.com. ExtMan's built-in advanced routing is also implemented on top of transport(5).
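The following Python script resolves recipients against the route_table above the way transport(5) describes, and adds a check for the loop slide 17 warns about. It is an added illustration, not ExtMail or Postfix code, and it goes a little beyond the slide: besides the two entries from the slide it includes a constructed .example.net entry (subdomains only), a constructed catch-all * entry and a deliberately wrong loop.test.com entry; the local hostnames and the default transport are assumptions.

```python
"""Simulated transport(5) lookup for the route_table on slide 18.

Added illustration, not ExtMail or Postfix code. It applies the lookup
order transport(5) describes (user@domain, domain, then .parent-domain for
each parent, then the catch-all *), splits a result into transport and
nexthop, records whether [] switched the MX lookup off, and flags a nexthop
that points back at this host. The foo.com and john@test.com entries are the
slide's; the other entries, the local hostnames and the default transport
are constructed assumptions.
"""

ROUTE_TABLE = {
    "foo.com": "smtp:real-mx.foo.com",                # slide 18, entry 1
    "john@test.com": ":[gw.test.com]",                # slide 18, entry 2
    ".example.net": "smtp:[relay.example.net]:2525",  # constructed: subdomains only
    "loop.test.com": "smtp:[mx1.test.com]",           # constructed: a deliberately wrong entry
    "*": "",                                          # constructed: everything else uses defaults
}

# Assumption: names under which this Postfix host itself is reachable.
LOCAL_HOSTNAMES = {"mx1.test.com", "localhost"}

# Assumption: the transport used when the table result leaves it empty.
DEFAULT_TRANSPORT = "smtp"


def transport_keys(address):
    """Lookup keys in transport(5) order for one recipient address."""
    address = address.lower()
    domain = address.rpartition("@")[2]
    keys = [address, domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):           # .parent-domain, one label shorter each time
        keys.append("." + ".".join(labels[i:]))
    keys.append("*")
    return keys


def parse_result(value):
    """Split 'transport:nexthop' into (transport, nexthop, mx_lookup); empty parts mean defaults."""
    transport, _, nexthop = value.partition(":")
    mx_lookup = True
    if nexthop.startswith("["):
        host, _, rest = nexthop[1:].partition("]")  # rest keeps an optional :port
        nexthop, mx_lookup = host + rest, False
    return transport or None, nexthop or None, mx_lookup


def route(address):
    """Resolve a recipient to (transport, nexthop, mx_lookup) as transport_maps would."""
    transport, nexthop, mx_lookup = None, None, True
    for key in transport_keys(address):
        if key in ROUTE_TABLE:
            transport, nexthop, mx_lookup = parse_result(ROUTE_TABLE[key])
            break
    domain = address.lower().rpartition("@")[2]
    return transport or DEFAULT_TRANSPORT, nexthop or domain, mx_lookup


def loops_back(address):
    """True when the chosen nexthop is this host itself: the mail loop slide 17 warns about."""
    nexthop = route(address)[1]
    return nexthop.partition(":")[0] in LOCAL_HOSTNAMES


if __name__ == "__main__":
    for rcpt in ("user@foo.com", "john@test.com", "jane@test.com",
                 "bob@mail.example.net", "bob@example.net", "x@loop.test.com"):
        print(f"{rcpt:<22} {route(rcpt)}  loop={loops_back(rcpt)}")
```

Two details worth noticing in the output: john@test.com is matched before test.com, so the user-specific entry wins over any domain entry, and .example.net covers mail.example.net but not example.net itself, which falls through to the catch-all (transport_maps is not in the default parent_domain_matches_subdomains, so a bare domain entry does not cover its subdomains either). The loop check only compares a configured nexthop against the names of this host; a nexthop whose MX records point back here can only be caught by a DNS lookup, which is exactly what the [] on slide 18 avoids.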

  19. Questions and answers • Please discuss related questions on the forum: http://www.extmail.org/forum/ • Open question time: 15 minutes

  20. Thank you!
