Last updated: 2017-04-05
Contents
- Per-domain MX Relay Server
- relay your mails per-domain or per-user
- Relaying mail for a specific IP
Per-domain MX Relay Server
# mx server setting
main.cf
relay_domains = hash:/etc/postfix/relaydomains.cf
# $relay_domains are delivered with the $relay_transport mail delivery transport.
transport_maps = hash:/etc/postfix/transport.cf
# set to 20M (the default value is too small)
message_size_limit = 20480000
# retry & queue lifetime
maximal_queue_lifetime = 3d
bounce_queue_lifetime = 900s
queue_run_delay = 180
minimal_backoff_time = 300
postfix reload
# Per-domain Setting
/etc/postfix/relaydomains.cf
datahunter.org datahunter.org
/etc/postfix/transport.cf
datahunter.org smtp:[mail.datahunter.org]:25
# postmap route file
postmap hash:/etc/postfix/relaydomains.cf
postmap hash:/etc/postfix/transport.cf
* The path given to postmap must be the same file named in main.cf (relaydomains.cf / transport.cf); postmap writes the .db next to it.
* No postfix reload is needed after postmap; the daemons notice the updated .db file.
Doc
http://www.postfix.org/transport.5.html
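The two hash tables above have to agree with each other: a domain listed in relay_domains but missing from transport_maps falls back to $relay_transport with an MX lookup of the domain, which on the MX host itself ends in "mail for ... loops back to myself", and a nexthop written without [] also triggers an MX lookup instead of an A lookup of the named host. The following checker is an added example (not part of the original notes, not Postfix code); it parses the plain "key value" text format that postmap(1) reads and flags both conditions. The file contents are constructed sample data.

```python
"""Sanity-check Postfix relay_domains / transport_maps hash tables.

Added example. Flags
  * a relay domain with no transport entry (falls back to $relay_transport
    plus an MX lookup of the domain -> possible mail loop on the MX host);
  * a transport nexthop that is not enclosed in [] (MX lookup instead of an
    A lookup of the named host).
"""
import re

# constructed sample /etc/postfix/relaydomains.cf
RELAYDOMAINS = """\
# domain         value (ignored by relay_domains, but the table format needs one)
datahunter.org   datahunter.org
example.net      x
example.org      x
"""

# constructed sample /etc/postfix/transport.cf
TRANSPORT = """\
datahunter.org   smtp:[mail.datahunter.org]:25
example.org      smtp:example.org
"""

TRANSPORT_RE = re.compile(r"^(?P<transport>[a-z0-9]+):(?P<nexthop>.*)$")
BRACKETED_RE = re.compile(r"^\[[^\]]+\](?::\d+)?$")


def parse_table(text):
    """Parse a postmap-style text table: '# comment', blank lines, 'key value'."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"table line without a value: {raw!r}")
        table[parts[0].lower()] = parts[1].strip()
    return table


def split_transport(value):
    """'smtp:[host]:25' -> ('smtp', '[host]:25'); raises on a malformed value."""
    m = TRANSPORT_RE.match(value)
    if not m:
        raise ValueError(f"malformed transport entry: {value!r}")
    return m.group("transport"), m.group("nexthop")


def check_relay_config(relaydomains_text, transport_text):
    """Return a sorted list of (domain, problem) tuples; an empty list means consistent."""
    relay_domains = parse_table(relaydomains_text)
    transport = parse_table(transport_text)
    problems = []
    for domain in relay_domains:
        if domain not in transport:
            problems.append((domain, "no transport_maps entry: falls back to $relay_transport + MX lookup"))
            continue
        _, nexthop = split_transport(transport[domain])
        if not BRACKETED_RE.match(nexthop):
            problems.append((domain, f"nexthop {nexthop!r} not in []: MX lookup instead of A lookup"))
    return sorted(problems)


if __name__ == "__main__":
    for domain, problem in check_relay_config(RELAYDOMAINS, TRANSPORT):
        print(f"{domain}: {problem}")
```

Run it against the real files by reading /etc/postfix/relaydomains.cf and /etc/postfix/transport.cf into the two arguments; with the sample data it reports example.net (no transport entry) and example.org (unbracketed nexthop) and is silent for datahunter.org.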
relay your mails per-domain or per-user
Which domains to relay for:
relay_domains = mysql:/etc/postfix/mysql_relay_domains.cf
query = SELECT domain FROM relay_domains WHERE domain='%s' AND active='y'
DB schema: | domain | active | remark |
recipient:
relay_recipient_maps = mysql:/etc/postfix/mysql_relay_recipients.cf
query = SELECT email FROM relay_recipients WHERE email='%s' AND active='y'
DB schema: | email | active | remark |
Where to relay to:
transport_maps = mysql:/etc/postfix/mysql_transport_maps.cf
query = SELECT relay FROM transport WHERE pattern='%s' AND active='y'
DB schema: | pattern | relay (Default: smtp:[domain]:port) | active |
* Each mysql:*.cf file also needs the hosts, user, password and dbname settings; only the query line is shown here.
Relaying mail for a specific IP
# master.cf
3025 inet n - n - - smtpd
  -o strict_rfc821_envelopes=no
  -o content_filter=
  -o mynetworks_style=host
  -o mynetworks=hash:/etc/postfix/free2relay.cf
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
* Without smtpd_client_restrictions the following error appears
Mar 28 11:11:48 mail postfix/smtpd[22970]: NOQUEUE: reject: RCPT from unknown[x.x.x.x]: 554 5.7.1 <a@b>: Recipient address rejected: Access denied; from=<a@b> to=<c@d> proto=SMTP helo=<h.h>
  (this "Recipient address rejected" text comes from the reject in smtpd_recipient_restrictions, so also check that the client IP x.x.x.x is actually listed in free2relay.cf)
* The default mynetworks_style is subnet; it only generates the default value of mynetworks, so once mynetworks is set explicitly (as above) the style setting no longer matters
* strict_rfc821_envelopes
Postfix requires envelope addresses to be within angle brackets (<>)
# /etc/postfix/free2relay.cf
# Server IP   Remark (a value column is required by the table format; only the key is looked up)
R.R.R.R must_has_remark
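What permit_mynetworks on the 3025 service actually trusts depends on how mynetworks is derived, and the notes above make two claims worth seeing concretely: the default mynetworks_style=subnet trusts every network the host has an interface on (any neighbour in the same /24 could relay through the port), while mynetworks_style=host trusts only the host's own addresses, and an explicit mynetworks (a CIDR list or the keys of a hash: table such as free2relay.cf) replaces that default entirely. The script below is an added example (not part of the original notes, not Postfix code) that reproduces those rules with the ipaddress module. The interface addresses and the table contents are constructed sample data.

```python
"""Show which clients permit_mynetworks would match under different mynetworks settings.

Added example. Reproduces:
  * mynetworks_style=subnet (default): each interface's network, from its netmask
  * mynetworks_style=host: each interface's own address only (/32)
  * an explicit mynetworks value, e.g. the keys of hash:/etc/postfix/free2relay.cf,
    which replaces the style-generated default
"""
import ipaddress

# constructed: addresses configured on the MX host's interfaces (addr/prefix)
INTERFACES = ["127.0.0.1/8", "203.0.113.10/24"]

# constructed sample /etc/postfix/free2relay.cf (key = client IP; value required but ignored)
FREE2RELAY = """\
# Server IP   Remark
203.0.113.50  backend-app-01
198.51.100.7  billing-batch
"""


def default_mynetworks(style, interfaces=INTERFACES):
    """Networks that mynetworks_style=<style> generates as the default mynetworks."""
    nets = []
    for iface in interfaces:
        addr = ipaddress.ip_interface(iface)
        if style == "host":
            nets.append(ipaddress.ip_network(str(addr.ip)))      # own address only
        elif style == "subnet":
            nets.append(addr.network)                            # whole attached subnet
        else:
            raise ValueError(f"unsupported mynetworks_style in this example: {style}")
    return nets


def table_keys(text):
    """Keys of a postmap-style text table, i.e. what mynetworks = hash:/path matches on."""
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keys.append(line.split()[0])
    return keys


def explicit_mynetworks(value):
    """Parse an explicit mynetworks value: comma/space separated CIDRs or bare IPs."""
    return [ipaddress.ip_network(tok, strict=False) for tok in value.replace(",", " ").split()]


def permit_mynetworks(client_ip, networks):
    """True when permit_mynetworks would match this client address."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in networks)


if __name__ == "__main__":
    neighbour = "203.0.113.77"  # some other host on the MX's /24
    for style in ("subnet", "host"):
        nets = default_mynetworks(style)
        print(f"{style:7} {[str(n) for n in nets]} -> {neighbour}: {permit_mynetworks(neighbour, nets)}")
    nets = explicit_mynetworks(",".join(table_keys(FREE2RELAY)))
    print(f"hash:   {[str(n) for n in nets]} -> {neighbour}: {permit_mynetworks(neighbour, nets)}")
```

With the sample interfaces the subnet style lets 203.0.113.77 relay and the host style does not; with the free2relay.cf keys only 203.0.113.50 and 198.51.100.7 are permitted, which is the behaviour the 3025 service relies on.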
Backend Server Setting
master.cf
# Open a separate port to receive mail from the MX server. It does no RBL checks and bypasses the content filter and header/body checks.
# For mx & sf server
2025 inet n - - - - smtpd
  -o syslog_name=postfix/2025
  -o content_filter=
  -o mynetworks_style=host
  -o mynetworks=127.0.0.0/8,R1.R1.R1.R1,R2.R2.R2.R2
  -o smtpd_tls_security_level=may
  -o smtpd_restriction_classes=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_end_of_data_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination
  -o receive_override_options=no_header_body_checks
P.S.
receive_override_options must not include no_address_mappings, otherwise virtual alias expansion (forwarding) fails!!
If main.cf sets "smtpd_tls_security_level=encrypt" and the port does not override it with "may", the MX server gets the following error
... dsn=5.7.0, status=bounced (host BACKEND_SERVER[r.r.r.r] said: 530 5.7.0 Must issue a STARTTLS command first (in reply to MAIL FROM command))
Setting
smtp_defer_if_no_mx_address_found=yes (default = no)
Defer mail delivery when no MX record resolves to an IP address.
The default (no) is to return the mail as undeliverable.
smtp_mx_session_limit = 5 (default = 2)
The maximal number of SMTP sessions per delivery request before giving up or delivering to a fall-back relay host.
relayhost (default: empty)
relayhost = [gateway.example.com]
ignore_mx_lookup_error (default: no)
"no" (default) => tries again after some delay
"yes" => to force a DNS A record lookup instead
smtp_dns_support_level (default: empty)
disabled
No MX lookups are performed and hostname to address lookups are unconditionally "native"
enabled
Nexthop destination domains not enclosed in "[]" will be subject to MX lookups.
If "dns" and "native" are included in the "smtp_host_lookup" parameter value,
DNS will be queried first to resolve MX-host A records, followed by "native" lookups if no answer is found in DNS.
dnssec
Enable DNSSEC lookups.
smtp_host_lookup (default: dns)
dns # Hosts can be found in the DNS (preferred).
native # Use the native naming service only (nsswitch.conf)
dns, native # Use the native service for hosts not found in the DNS.
Notes:
nsswitch.conf
hosts: files dns myhostname ...
reject_unknown_recipient_domain in smtpd_recipient_restrictions
Reject the request when Postfix is not final destination for the recipient domain,
and the RCPT TO domain has no DNS A or MX record,
or when it has a malformed MX record such as a record with a zero-length MX hostname (Postfix version 2.3 and later).
e.g. when you telnet localhost 25 you get
450 4.1.2 <x@y>: Recipient address rejected: Domain not found
Cause: reject_unknown_recipient_domain is listed before permit_mynetworks, so the recipient domain is DNS-checked even for trusted clients, and a 450 is returned when the domain has no A/MX record or the DNS lookup fails temporarily
smtpd_recipient_restrictions = reject_unknown_recipient_domain,
reject_non_fqdn_recipient,
reject_unlisted_recipient,
permit_mynetworks,
permit_sasl_authenticated,
check_client_access hash:/etc/postfix/relay_ip,
check_sender_access regexp:/etc/postfix/check_sender,
reject_unauth_destination
unknown_address_reject_code
specifies the numerical response code for rejected requests(default: 450).
The response is always 450 in case of a temporary DNS error.
unknown_address_tempfail_action
specifies the action after a temporary DNS error (default: defer_if_permit).
Backend Server
[Method 1]
mynetworks_style = host
mynetworks = 127.0.0.0/8 MX1-IP MX2-IP
smtpd_sender_restrictions =
reject_unknown_sender_domain,
reject_non_fqdn_sender,
reject_unlisted_sender,
check_sasl_access pcre:/etc/postfix/per_user_filter.cf,
permit_mynetworks,
reject_sender_login_mismatch,
permit_sasl_authenticated
[Method 2]
smtpd_sender_restrictions =
reject_unknown_sender_domain,
reject_non_fqdn_sender,
reject_unlisted_sender,
check_sasl_access pcre:/etc/postfix/per_user_filter.cf,
permit_mynetworks,
check_client_access hash:/etc/postfix/mxserver.cf,
reject_sender_login_mismatch,
permit_sasl_authenticated
/etc/postfix/mxserver.cf
# mx1
x.x.x.x OK
# mx2
y.y.y.y OK