Linux learning postfix configuration

This article is based on CentOS 6.10 and postfix 2.11.11.

postfix client based access control

  1. Client-based access control
    Postfix has various built-in anti-spam mechanisms, including restrictions on which "clients" may send e-mail. The client checking mechanism lets you set a series of conditions on the information the client provides:
    smtpd_client_restrictions: controls restrictions on client connections (establishing the TCP connection)
    smtpd_data_restrictions: controls restrictions on the data sent by the client
    smtpd_helo_restrictions: controls restrictions on the HELO sent by the client (helo)
    smtpd_recipient_restrictions: controls recipient restrictions (rcpt to)
    smtpd_sender_restrictions: controls sender restrictions (mail from)
    Each of the above parameters checks a specific stage of the SMTP session, that is, the stage at which the client provides the corresponding information. When the client initiates a connection request, postfix can use the smtpd_client_restrictions parameter defined in the configuration file to determine the access permission of the client IP; likewise, smtpd_helo_restrictions judges the client's access according to the HELO information it sends.
    If everything before the DATA command is accepted, the client can start transmitting the mail content. The mail content usually consists of two parts: the first is the header, which can be filtered with header_checks; the second is the body, which can be filtered with body_checks. Together these implement the "content check" of e-mail.

Lookup table
Access control file:
/etc/postfix/access -- hash format --> /etc/postfix/access.db
tye@test.com reject
edison@test.com ok

Access table conditions are usually specified with check_client_access, check_helo_access, check_sender_access and check_recipient_access, each followed by the access table type and name in type:mapname format. check_sender_access and check_recipient_access check the email address provided by the client, so the access table can contain a complete email address, such as admin@test.com; a domain name, such as test.com; or only the user part, such as admin@

Reject email sent by client 192.168.88.1

#Modify the /etc/postfix/access file
192.168.88.1		REJECT
#Convert access file to hash format
postmap /etc/postfix/access
[root@mail ~]# ls /etc/postfix/access*
/etc/postfix/access  /etc/postfix/access.db
#Configure postfix to use this file to check the client
#Edit the /etc/postfix/main.cf file and add the following parameter
#hash means a DB-backed table; the file name is given without the .db suffix
#(main.cf does not allow a comment after a value, so the comment stays on its own line)
smtpd_client_restrictions = check_client_access hash:/etc/postfix/access
#Restart postfix or reload the configuration file
service postfix restart
#Test sending mail from the machine 192.168.88.1
[C:\~]$ telnet 192.168.88.135 25
Connecting to 192.168.88.135:25...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
220 Welcome to our mail.tye.com ESMTP,Warning:Version not Available!
helo mail.tye.com
250 mail.tye.com
mail from :root
501 5.5.4 Syntax: MAIL FROM:<address>
mail from: root
250 2.1.0 Ok
rcpt to: hadoop
**554 5.7.1 <unknown[192.168.88.1]>: Client host rejected: Access denied**
#Test from the mail server itself: everything works normally
[root@mail ~]# telnet localhost 25
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 Welcome to our mail.tye.com ESMTP,Warning:Version not Available!
helo mail.tye.com
250 mail.tye.com
mail from: root
250 2.1.0 Ok
rcpt to: hadoop
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
123
1
,
.
250 2.0.0 Ok: queued as D8457BF30C
quit
221 2.0.0 Bye
Connection closed by foreign host.

Reject email sent to anyone by senders in the whitehouse.com domain

#Modify the /etc/postfix/access file as follows to control the sender's domain
whitehouse.com   REJECT
#Convert to hash format file
[root@mail ~]# postmap /etc/postfix/access
#In /etc/postfix/main.cf, add the following line to the configuration
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/access

[root@mail ~]# telnet localhost 25
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 Welcome to our mail.tye.com ESMTP,Warning:Version not Available!
helo mail.tye.com
250 mail.tye.com
mail from: sender@whitehouse.com
250 2.1.0 Ok
rcpt to: hadoop
**554 5.7.1 <sender@whitehouse.com>: Sender address rejected: Access denied**

Reject mail sent by anyone to the hadoop user

#Edit /etc/postfix/recipient so that nobody on the system can send mail to hadoop
[root@mail ~]# vim /etc/postfix/recipient
hadoop@  REJECT
#Convert to hash format file
[root@mail ~]# postmap /etc/postfix/recipient
[root@mail ~]# ls /etc/postfix/recipient*
/etc/postfix/recipient  /etc/postfix/recipient.db
#Modify the postfix configuration file /etc/postfix/main.cf
[root@mail ~]# vim /etc/postfix/main.cf
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/recipient,permit_mynetworks,permit_sasl_authenticated,reject_invalid_hostname,reject_non_fqdn_hostname,reject_unknown_sender_domain,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unauth_pipelining,reject_unauth_destination

#Test sending mail
[root@mail ~]# telnet localhost 25
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 Welcome to our mail.tye.com ESMTP,Warning:Version not Available!
helo mail.tye.com
250 mail.tye.com
mail from: tye@tye.com
250 2.1.0 Ok
rcpt to:hadoop
**554 5.7.1 <hadoop>: Recipient address rejected: Access denied**

  2. Description of the access table format
    Access tables of the hash type use the following format:
    pattern action
    Note: in the access table file, blank lines, lines containing only whitespace and lines starting with # are ignored. A line that starts with whitespace followed by non-whitespace characters is treated as a continuation of the previous line and forms part of that logical line.
    1) About pattern
    A pattern is usually one of two types: an email address or a host name / address.
    The pattern formats for email addresses are as follows:
    user@domain matches the specified email address
    domain.tld matches all email addresses that have this domain as their domain part
    user@ matches all email addresses that have this as their user name part
    The pattern formats for host names / addresses are as follows:
    domain.tld matches all hosts within the specified domain and its child domains
    .domain.tld matches all hosts within the subdomains of the specified domain
    net.work.addr.ess
    net.work.addr
    net.work
    net matches a specific IP address or all hosts in the network
    network/mask CIDR format, matches all hosts in the specified network
    2) About action
    Accept class actions:
    OK accepts the email address or host name / address that the pattern matches
    An action consisting entirely of digits implicitly means OK
    Reject class actions (partial list):
    4NN text
    5NN text
    The 4NN class means try again later; 5NN indicates a serious error, and the sender will stop retrying. 421 and 521 have special meaning for postfix; do not use these two codes for custom actions.
    REJECT optional text... Reject; the text is optional
    Deny optional text... Reject; the text is optional
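
The pattern and action rules above can be modelled in a short Python sketch that parses an access table and tries the lookup keys in order for a client or an email address. This is an added example, not code from the article or from Postfix; the function names, the sample table and the assumption that parent domains are tried as plain domain.tld keys (the default matching style) are illustrative, and network/mask patterns and address extensions are left out.

```python
# Added illustration, not Postfix source: key order for an indexed (hash:) access
# table. Address extensions and network/mask patterns are not modelled.
SAMPLE = """\
# constructed table combining the article's entries
192.168.88.1      REJECT
whitehouse.com    REJECT
hadoop@           REJECT mailbox
    closed
edison@test.com   OK
"""

def parse_access(text):
    """Skip blank and # lines; a line starting with whitespace continues the previous one."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    return {p.lower(): a for p, a in ((l.split(None, 1) + [""])[:2] for l in logical)}

def domain_keys(name):
    """The name itself, then each parent domain (assumed default parent-domain matching)."""
    labels = name.lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def client_keys(hostname, ip):
    """Host name keys, then net.work.addr.ess, net.work.addr, net.work, net."""
    octets = ip.split(".")
    return domain_keys(hostname) + [".".join(octets[:n]) for n in range(len(octets), 0, -1)]

def address_keys(addr):
    """user@domain, then the domain keys, then user@."""
    user, _, domain = addr.lower().rpartition("@")
    return [f"{user}@{domain}"] + domain_keys(domain) + [f"{user}@"]

def lookup(table, keys):
    """First matching key wins; (None, 'no match') means the next restriction decides."""
    for key in keys:
        if key in table:
            word, _, text = table[key].partition(" ")
            coded = len(word) == 3 and word[0] in "45" and word.isdigit() and text.strip()
            if word.upper() == "REJECT" or coded:
                return key, "reject"
            return key, "permit" if word.upper() == "OK" or word.isdigit() else "other"
    return None, "no match"

TABLE = parse_access(SAMPLE)
```

Because the article points both check_client_access and check_sender_access at the same /etc/postfix/access file, every entry in that file is consulted by both checks; in this model a client whose host name is mx.whitehouse.com is rejected by the whitehouse.com line as well.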

Keywords: Linux

Added by abhijeet on Wed, 02 Mar 2022 03:13:06 +0200