如何安全地将 postfix 配置为 gmail 的 smtp 中继
How to securely configure postfix to be an smtp relay for gmail
我有一个电子邮件支持@mydomain.com,它被配置为将所有电子邮件转发到一个 gmail 电子邮件地址。从 gmail 邮箱回复我希望它从 support@mydomain.com 发送电子邮件。
以前 gmail 允许通过简单的设置设置 -> 帐户和导入 -> 添加您拥有的另一个电子邮件地址,然后选择发送带有验证码的电子邮件以验证我拥有它。但是现在只有选项 "Send mail through your SMTP server"
我的服务器安装了 postfix。现在 postfix 仅用于发送来自该服务器的电子邮件。 iptables 将不允许从不同的 PC/servers 连接到 postfix,现在它是安全的,因为没有人能够通过我的服务器发送电子邮件。
我在谷歌上搜索了很多,但发现了很多关于如何配置 postfix 以通过 smtp.gmail.com 发送电子邮件的文章。
但我需要反之亦然 - gmail 应该以安全的方式通过我的 postfix smtp 服务器发送电子邮件。
你能帮我找到如何完成这个的结果吗?
SASL 配置
https://wiki.debian.org/PostfixAndSASL#Implementation_using_Cyrus_SASL
sudo apt-get install sasl2-bin
sudo nano /etc/postfix/sasl/smtpd.conf
pwcheck_method: saslauthd
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN
#-------------
cp /etc/default/saslauthd /etc/default/saslauthd-postfix
sudo nano /etc/default/saslauthd-postfix
START=yes
DESC="SASL Auth. Daemon for Postfix"
NAME="saslauthd-postf" # max. 15 char.
# Option -m sets working dir for saslauthd (contains socket)
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd" # postfix/smtp in chroot()
#--------------
sudo dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd
sudo adduser postfix sasl
#sudo saslpasswd2 -c -u mydomain.com support
用户必须指定support@mydomain.com作为登录名,不支持。
不幸的是无法继续使用此变体,它不起作用
没有领域的选项,它将默认为您服务器的反向 DNS
sudo saslpasswd2 -c gmail
# list all users
sudo sasldblistusers2
# to get password which may be used in telnet
# echo -ne '[=11=]username[=11=]pswd' | openssl enc -base64
sudo services saslauthd start
#sudo testsaslauthd -u support -p pswd -r mydomain.com
#sudo testsaslauthd -u support@mydomain.com -p pswd
当您明确声明领域时,第一个变体有效,但第二个变体无效。因此选择了没有领域的变体
sudo testsaslauthd -u gmail -p pswd
# delete user
sudo testsaslauthd -d username
sudo service saslauthd restart
后缀继电器
http://www.admin-hints.com/2009/04/how-to-limit-amount-of-messages-per.html
nano /etc/postfix/main.cf
#Clients that are excluded from connection count (default: $mynetworks)
smtpd_client_event_limit_exceptions = $mynetworks
#The time unit over which client connection rates and other rates are calculated. (default: 60s)
anvil_rate_time_unit = 86400s
#How frequently the server logs peak usage information. (default: 600s)
anvil_status_update_time = 120s
#The maximal number of message delivery requests that any client is allowed to make to this service per time unit. (default: 0) To disable this feature, specify a limit of 0.
smtpd_client_message_rate_limit = 200
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_tls_security_level=may
smtpd_sasl_security_options = noanonymous
smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
sudo nano /etc/postfix/master.cf
# at the line where commented "#submission inet n" starts
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_security_options=noanonymous
-o smtpd_reject_unlisted_recipient=no
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
检查 25 端口(587 使用 TLS),我的服务器只显示 587 端口,25 被 iptables 阻止
使用 telnet 测试
telnet mydomain.com 25
ehlo dummy
auth plain ARdtYW4sAGRdY1d4cyM9ZnRn # how to get auth plain with your password read above
MAIL FROM: support@mydomain.com
RCPT TO: test@test.com
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: test subject
Hello,
This is test message
.
# dot at the end
quit
如果出现意外情况,请在此处查找错误
tail -f /var/log/mail.log
我有一个电子邮件支持@mydomain.com,它被配置为将所有电子邮件转发到一个 gmail 电子邮件地址。从 gmail 邮箱回复我希望它从 support@mydomain.com 发送电子邮件。 以前 gmail 允许通过简单的设置设置 -> 帐户和导入 -> 添加您拥有的另一个电子邮件地址,然后选择发送带有验证码的电子邮件以验证我拥有它。但是现在只有选项 "Send mail through your SMTP server"
我的服务器安装了 postfix。现在 postfix 仅用于发送来自该服务器的电子邮件。 iptables 将不允许从不同的 PC/servers 连接到 postfix,现在它是安全的,因为没有人能够通过我的服务器发送电子邮件。
我在谷歌上搜索了很多,但发现了很多关于如何配置 postfix 以通过 smtp.gmail.com 发送电子邮件的文章。 但我需要反之亦然 - gmail 应该以安全的方式通过我的 postfix smtp 服务器发送电子邮件。
你能帮我找到如何完成这个的结果吗?
SASL 配置
https://wiki.debian.org/PostfixAndSASL#Implementation_using_Cyrus_SASL
sudo apt-get install sasl2-bin
sudo nano /etc/postfix/sasl/smtpd.conf
pwcheck_method: saslauthd
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN
#-------------
cp /etc/default/saslauthd /etc/default/saslauthd-postfix
sudo nano /etc/default/saslauthd-postfix
START=yes
DESC="SASL Auth. Daemon for Postfix"
NAME="saslauthd-postf" # max. 15 char.
# Option -m sets working dir for saslauthd (contains socket)
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd" # postfix/smtp in chroot()
#--------------
sudo dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd
sudo adduser postfix sasl
#sudo saslpasswd2 -c -u mydomain.com support
用户必须指定support@mydomain.com作为登录名,不支持。 不幸的是无法继续使用此变体,它不起作用 没有领域的选项,它将默认为您服务器的反向 DNS
sudo saslpasswd2 -c gmail
# list all users
sudo sasldblistusers2
# to get password which may be used in telnet
# echo -ne '[=11=]username[=11=]pswd' | openssl enc -base64
sudo services saslauthd start
#sudo testsaslauthd -u support -p pswd -r mydomain.com
#sudo testsaslauthd -u support@mydomain.com -p pswd
当您明确声明领域时,第一个变体有效,但第二个变体无效。因此选择了没有领域的变体
sudo testsaslauthd -u gmail -p pswd
# delete user
sudo testsaslauthd -d username
sudo service saslauthd restart
后缀继电器
http://www.admin-hints.com/2009/04/how-to-limit-amount-of-messages-per.html
nano /etc/postfix/main.cf
#Clients that are excluded from connection count (default: $mynetworks)
smtpd_client_event_limit_exceptions = $mynetworks
#The time unit over which client connection rates and other rates are calculated. (default: 60s)
anvil_rate_time_unit = 86400s
#How frequently the server logs peak usage information. (default: 600s)
anvil_status_update_time = 120s
#The maximal number of message delivery requests that any client is allowed to make to this service per time unit. (default: 0) To disable this feature, specify a limit of 0.
smtpd_client_message_rate_limit = 200
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_tls_security_level=may
smtpd_sasl_security_options = noanonymous
smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
sudo nano /etc/postfix/master.cf
# at the line where commented "#submission inet n" starts
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_security_options=noanonymous
-o smtpd_reject_unlisted_recipient=no
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
检查 25 端口(587 使用 TLS),我的服务器只显示 587 端口,25 被 iptables 阻止
使用 telnet 测试
telnet mydomain.com 25
ehlo dummy
auth plain ARdtYW4sAGRdY1d4cyM9ZnRn # how to get auth plain with your password read above
MAIL FROM: support@mydomain.com
RCPT TO: test@test.com
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: test subject
Hello,
This is test message
.
# dot at the end
quit
如果出现意外情况,请在此处查找错误
tail -f /var/log/mail.log