Setting up an SMTP relay with Postfix

1. Setting up Postfix

1.1 Anonymous SMTP

With anonymous SMTP the sender's local part can be set to anything when sending mail, but messages may get blocked by the receiving side; those errors then have to be resolved case by case.

~]$ cat main.cf
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
inet_interfaces = localhost
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
canonical_maps = hash:/etc/postfix/canonical
transport_maps = hash:/etc/postfix/transport

debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.6.6/samples
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
# overrides the localhost value above; the last assignment in main.cf wins
inet_interfaces = all
mynetworks = 127.0.0.0/8,robin.cn,10.0.0.0/8
# replace with your own sending domain
myhostname = hostname.robintest.cn
inet_protocols = ipv4
# replace with your own sending domain
myorigin = robintest.cn
# replace with your own sending domain
mydestination = hostname.robintest.cn
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
message_size_limit = 71900000
maximal_queue_lifetime = 10000s
~]# postfix reload

1.2 Authenticated SMTP

The mailbox used for authenticated SMTP must really exist; its password is configured on the Postfix relay, and a message is only sent when its sender address matches that mailbox. From the client's point of view it works just like the anonymous setup: no mailbox password has to be configured on the client.

~]$ cat main.cf
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
unknown_local_recipient_reject_code = 550

debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.10.1/samples
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES

inet_interfaces = all
mynetworks = 127.0.0.0/8,robin.cn,10.0.0.0/8
# replace with your own sending domain
myhostname = hostname.robintest.cn
inet_protocols = ipv4
myorigin = $myhostname
# replace with your own sending domain
mydestination = robintest.cn
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
queue_run_delay = 30s
minimal_backoff_time= 30s
maximal_backoff_time= 180s
message_size_limit = 71900000

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_type = cyrus
smtp_tls_security_level = may
smtp_sender_dependent_authentication = yes
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay

~]# cat /etc/postfix/sender_relay
# the upstream relay for this sender, i.e. the SMTP server that serves A@robin.cn
A@robintest.cn          [smtp.robintest.cn]:25

~]# cat /etc/postfix/sasl_passwd
A@robintest.cn                     A@robintest.cn:Password234
~]# postmap /etc/postfix/sasl_passwd
~]# postmap /etc/postfix/sender_relay
~]# postfix reload

2. Postfix parameter tuning

2.1 Changing the Postfix mail retry interval

Background: all of the company's report and alert mail is forwarded through Postfix to Office 365 for delivery. When Postfix fails to send a message it goes into the deferred queue and, by default, is retried only after 5 minutes; that interval is too long, so the default needs adjusting.
Symptom:
the SMTP log shows ‘432 4.3.2 STOREDRV.ClientSubmit; sender thread limit exceeded’; after the first attempt fails, Postfix retries some time later (300s to 4000s) and the message then goes through.

Related Postfix parameters:
Parameter: queue_run_delay
Description: the interval at which the queue manager scans the deferred queue. Default 1000 seconds.
Example: queue_run_delay = 1000

Maximum queue lifetime
Parameter: maximal_queue_lifetime
Description: how long the queue manager keeps an undeliverable message before giving up on it. Default 5 days.
Example: maximal_queue_lifetime = 5

Minimum delivery-failure backoff
Parameter: minimal_backoff_time
Description: the minimum time between delivery attempts for a message that could not be delivered. Default 300 seconds.
Example: minimal_backoff_time = 1000

Maximum delivery-failure backoff
Parameter: maximal_backoff_time
Description: the maximum time between delivery attempts for a message that could not be delivered. Default 4000 seconds.
Example: maximal_backoff_time = 4000

My own reading of this: by default the queue is scanned every 300s; a queued message whose last failed attempt was more than 300s but less than 4000s ago is retried (the delay depends on the number of failed attempts: the more failures, the larger the delay, capped at 4000s); once more than 5 days have passed since the first failure, the message is bounced.
For example: first failure: 300s delay, second 800s, third 1000s, fourth 2000s.

Suggested configuration (main.cf does not support trailing comments or semicolons on a parameter line, so the comments go on their own lines):
# scan the deferred queue every 30s
queue_run_delay = 30s
# never retry a deferred message within 30s of the last attempt
minimal_backoff_time = 30s
# a deferred message is always retried once 180s have passed
maximal_backoff_time = 180s
# bounce a message that could not be sent within 2400s
maximal_queue_lifetime = 2400s

Expected effect:
the queue is scanned every 30s; queued mail whose last attempt was more than 30s and less than 180s ago is retried; once 2400s have passed since the first failure (at most 20 retries), the message is bounced.

Reference link: https://www.cnblogs.com/bethal/p/5377565.html

2.2 Configuring Postfix blacklists and whitelists

#(1) Recipient blacklist
~]# vim /etc/postfix/main.cf
# everything not listed in the table is allowed by default
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/recipient_access
~]# cat recipient_access
user@aaa.com      REJECT
~]# postmap /etc/postfix/recipient_access
~]# postfix reload

#(2) Sender blacklist
~]# vim /etc/postfix/main.cf
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access
~]# cat sender_access
user@aaa.com      REJECT
~]# postmap /etc/postfix/sender_access
~]# postfix reload

#(3) Sender whitelist (a recipient whitelist works the same way)
~]# vim /etc/postfix/main.cf
# the trailing "reject" refuses everything not listed in the table
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access reject
~]# cat sender_access
user@aaa.com      OK
~]# postmap /etc/postfix/sender_access
~]# postfix reload

#(4) Blacklist mail from a specific sender A to a specific recipient B
~]# vim /etc/postfix/main.cf
smtpd_restriction_classes = local_only
local_only = check_recipient_access hash:/etc/postfix/policy/recipient_access

smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/policy/senders_access,
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_non_fqdn_hostname,
  reject_non_fqdn_sender,
  reject_non_fqdn_recipient,
  reject_unauth_destination,
  reject_unauth_pipelining,
  reject_invalid_hostname
~]# cat policy/recipient_access
# the blacklist applied by the local_only restriction class
B@robin.cn REJECT
~]# cat policy/senders_access
# apply the local_only restriction class to this sender
A@robin.cn     local_only
Reference link: https://blog.51cto.com/jasonyong/318262
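To make the lookup order behind the whitelist in (3) and the restriction-class blacklist in (4) concrete, here is a small emulator of the access(5) key order and of how smtpd walks a restriction list. It is an added example, not code from the original post; the table contents are constructed to mirror the post's files, and the evaluator only models check_sender_access, check_recipient_access, bare permit/reject and restriction classes.

```python
# Constructed sample tables, in the text form the post feeds to postmap.
SENDERS_ACCESS_TXT = "A@robin.cn   local_only   # apply the local_only class to this sender\n"
RECIPIENT_ACCESS_TXT = "B@robin.cn   REJECT\n"
WHITELIST_TXT = "user@aaa.com   OK\nbbb.cn   OK   # whole domain, subdomains included\n"

def parse_table(text):
    # 'key  value' lines; '#' comments and blank lines are ignored, keys are case-insensitive
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, value = line.split(None, 1)
            table[key.lower()] = value.strip()
    return table

def access_lookup(table, address):
    # access(5) key order for an address: user@domain, then the domain and its parent
    # domains (smtpd_access_maps is in parent_domain_matches_subdomains by default), then user@
    address = address.lower()
    user, _, domain = address.partition("@")
    labels = domain.split(".")
    keys = [address] + [".".join(labels[i:]) for i in range(len(labels))] + [user + "@"]
    return next((table[k] for k in keys if k in table), None)

def evaluate(restrictions, classes, sender, recipient):
    # Walk the list left to right as smtpd does: the first OK/REJECT decides, a
    # non-matching lookup moves on, and a value naming a restriction class expands it.
    for item in restrictions:
        kind = item[0]
        if kind in ("permit", "reject"):
            return "OK" if kind == "permit" else "REJECT"
        result = access_lookup(item[1], sender if kind == "check_sender_access" else recipient)
        if result is None:
            continue
        if result.upper() in ("OK", "PERMIT"):
            return "OK"
        if result.upper().startswith("REJECT"):
            return "REJECT"
        if result not in classes:
            raise ValueError(f"unsupported action {result!r} for {kind}")
        sub = evaluate(classes[result], classes, sender, recipient)
        if sub != "DUNNO":
            return sub
    return "DUNNO"  # nothing matched; real smtpd then falls through to its implicit final permit

# Section 2.2 (4): sender A may not mail recipient B; everyone else is unaffected.
CLASSES = {"local_only": [("check_recipient_access", parse_table(RECIPIENT_ACCESS_TXT))]}
BLACKLIST = [("check_sender_access", parse_table(SENDERS_ACCESS_TXT))]
# Section 2.2 (3): whitelist followed by a bare 'reject', so everything else is refused.
WHITELIST = [("check_sender_access", parse_table(WHITELIST_TXT)), ("reject",)]
```

The "DUNNO" result is where the remaining restrictions of the post's list (permit_mynetworks, reject_unauth_destination and so on) would take over.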

2.3 Showing the Subject header in the Postfix log

~]# vim /etc/postfix/main.cf
header_checks = regexp:/etc/postfix/header_checks
~]# cat /etc/postfix/header_checks 
/^Subject:/      WARN
~]# postfix reload

The log then shows the subject of every message, as in:
~]# echo "test mail to osa account." | mail -s 'test' B@robin.cn
~]# cat /var/log/maillog
Sep  9 11:40:58 SAS-SH1LPSMTP5 postfix/cleanup[14175]: C3C8B20005: warning: header Subject: test from unknown[192.0.0.1]; from=<A@robin.cn> to=<B@robin.cn> proto=SMTP helo=<sas-sh1lpyum1>
Posted by 彬彬l