
Set up mailgun as relayhost on top of an existing postfix server that already uses sasl

I may be barking up the wrong tree here, but I'll ask anyway.

I followed a guide to set up a mail server on Ubuntu 14.04 with postfix, dovecot and mysql.

Now I need to configure mailgun to handle sending mail (aka relayhost) in a secure and reliable way.

The problem I'm running into is that the user/password of my existing email accounts stopped working for some reason (sending mail from the CLI still works on the server), and I'm wondering whether the mailgun credentials can be configured in a way that doesn't interfere with the existing user/password.

This is my master.cf before the relay:

    # See /usr/share/postfix/main.cf.dist for a commented, more complete version

    # The first text sent to a connecting process.
    smtpd_banner = $myhostname ESMTP $mail_name
    biff = no
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    readme_directory = no

    # ---------------------------------
    # SASL parameters
    # ---------------------------------

    # Use Dovecot to authenticate.
    smtpd_sasl_type = dovecot
    # Referring to /var/spool/postfix/private/auth
    smtpd_sasl_path = private/auth
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_local_domain =
    smtpd_sasl_authenticated_header = yes

    # ---------------------------------
    # TLS parameters
    # ---------------------------------

    # The default snakeoil certificate. Comment if using a purchased
    # SSL certificate.
    smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
    smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

    # Uncomment if using a purchased SSL certificate.
    # smtpd_tls_cert_file=/etc/ssl/certs/example.com.crt
    # smtpd_tls_key_file=/etc/ssl/private/example.com.key

    # The snakeoil self-signed certificate has no need for a CA file. But
    # if you are using your own SSL certificate, then you probably have
    # a CA certificate bundle from your provider. The path to that goes
    # here.
    # smtpd_tls_CAfile=/etc/ssl/certs/ca-bundle.crt

    # Ensure we're not using no-longer-secure protocols.
    smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3

    smtp_tls_note_starttls_offer = yes
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    #smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    #smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

    # Note that forcing use of TLS is going to cause breakage - most mail servers
    # don't offer it and so delivery will fail, both incoming and outgoing. This is
    # unfortunate given what various governmental agencies are up to these days.
    #
    # Enable (but don't force) all incoming smtp connections to use TLS.
    smtpd_tls_security_level = may
    # Enable (but don't force) all outgoing smtp connections to use TLS.
    smtp_tls_security_level = may

    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.

    # ---------------------------------
    # TLS Updates relating to Logjam SSL attacks.
    # See: https://weakdh.org/sysadmin.html
    # ---------------------------------

    # Two typos carried over from the weakdh.org list fixed here (CDC3 -> CBC3, DE5 -> DES),
    # otherwise those entries match nothing and exclude nothing.
    smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
    smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem

    # ---------------------------------
    # SMTPD parameters
    # ---------------------------------

    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    # will it be a permanent error or temporary
    unknown_local_recipient_reject_code = 450
    # how long to keep message on queue before return as failed.
    # some have 3 days, I have 16 days as I am backup server for some people
    # whom go on holiday with their server switched off.
    maximal_queue_lifetime = 7d
    # max and min time in seconds between retries if connection failed
    minimal_backoff_time = 1000s
    maximal_backoff_time = 8000s
    # how long to wait when servers connect before receiving rest of data
    smtp_helo_timeout = 60s
    # how many address can be used in one message.
    # effective stopper to mass spammers, accidental copy in whole address list
    # but may restrict intentional mail shots.
    smtpd_recipient_limit = 16
    # how many error before back off.
    smtpd_soft_error_limit = 3
    # how many max errors before blocking it.
    smtpd_hard_error_limit = 12

    # This next set are important for determining who can send mail and relay mail
    # to other servers. It is very important to get this right - accidentally producing
    # an open relay that allows unauthenticated sending of mail is a Very Bad Thing.
    #
    # You are encouraged to read up on what exactly each of these options accomplish.

    # Requirements for the HELO statement
    smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit
    # Requirements for the sender details
    smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
    # Requirements for the connecting server
    smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl
    # Requirement for the recipient address. Note that the entry for
    # "check_policy_service inet:127.0.0.1:10023" enables Postgrey.
    smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service inet:127.0.0.1:10023, permit
    smtpd_data_restrictions = reject_unauth_pipelining
    # This is a new option as of Postfix 2.10, and is required in addition to
    # smtpd_recipient_restrictions for things to work properly in this setup.
    smtpd_relay_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service inet:127.0.0.1:10023, permit

    # require proper helo at connections
    smtpd_helo_required = yes
    # waste spammers time before rejecting them
    smtpd_delay_reject = yes
    disable_vrfy_command = yes

    # ---------------------------------
    # General host and delivery info
    # ----------------------------------

    myhostname = mail.example.com
    myorigin = /etc/hostname
    # Some people see issues when setting mydestination explicitly to the server
    # subdomain, while leaving it empty generally doesn't hurt. So it is left empty here.
    # mydestination = mail.example.com, localhost
    mydestination =
    # If you have a separate web server that sends outgoing mail through this
    # mailserver, you may want to add its IP address to the space-delimited list in
    # mynetworks, e.g. as 10.10.10.10/32.
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    mynetworks_style = host

    # This specifies where the virtual mailbox folders will be located.
    virtual_mailbox_base = /var/vmail
    # This is for the mailbox location for each user. The domainaliases
    # map allows us to make use of Postfix Admin's domain alias feature.
    virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf, mysql:/etc/postfix/mysql_virtual_mailbox_domainaliases_maps.cf
    # and their user id
    virtual_uid_maps = static:150
    # and group id
    virtual_gid_maps = static:8
    # This is for aliases. The domainaliases map allows us to make
    # use of Postfix Admin's domain alias feature.
    virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf, mysql:/etc/postfix/mysql_virtual_alias_domainaliases_maps.cf
    # This is for domain lookups.
    virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf

    # ---------------------------------
    # Integration with other packages
    # ---------------------------------------

    # Tell postfix to hand off mail to the definition for dovecot in master.cf
    virtual_transport = dovecot
    dovecot_destination_recipient_limit = 1

    # Use amavis for virus and spam scanning
    content_filter = amavis:[127.0.0.1]:10024

    # ---------------------------------
    # Header manipulation
    # --------------------------------------

    # Getting rid of unwanted headers. See: https://posluns.com/guides/header-removal/
    header_checks = regexp:/etc/postfix/header_checks
    # getting rid of x-original-to
    enable_original_recipient = no

This is what I added to postfix's master.cf to relay through mailgun:

    relayhost = smtp.mailgun.org
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = static:postmaster@mydomain.com:password
    smtp_sasl_security_options = noanonymous

The only other thing I changed is the certificates, which were generated via letsencrypt.org.

To sum up: is there a way to keep the users' credentials and use mailgun to send mail? (Without having to create every account via the CLI)

Thanks in advance for any help, and let me know if anything is unclear or more information is needed.

UPDATE, ADDING THE ERROR MESSAGE:

    Dec 14 19:24:47 mail dovecot: imap-login: Login: user=<admin@example.com>, method=PLAIN, rip=190.18.x.x, lip=172.31.x.x, mpid=24023, TLS, session=<ak1PoOAmqQC+EoSW>
    Dec 14 19:24:48 mail postfix/smtpd[24014]: Anonymous TLS connection established from unknown[190.18.x.x]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
    Dec 14 19:24:50 mail postfix/smtpd[24014]: warning: unknown[190.18.x.x]: SASL PLAIN authentication failed:
    Dec 14 19:24:50 mail postfix/smtpd[24014]: lost connection after AUTH from unknown[190.18.x.x]
    Dec 14 19:24:50 mail postfix/smtpd[24014]: disconnect from unknown[190.18.x.x]

Users were able to use imap/smtp with their generated credentials before I added the smtp relay. I'm guessing postfix is trying to use that user:pass configured for the relay.
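Added example, not part of the question above: a small Python lint that parses a Postfix main.cf the way Postfix reads it (one `key = value` per logical line, indented lines continue the previous value) and reports the two weaknesses of the relay block as posted. In Postfix, `smtpd_*` parameters configure the server side (here Dovecot authenticating the site's own users) and `smtp_*` parameters configure the client side (Postfix authenticating to the relayhost); the two are read independently, so the lint lists both sets side by side. The config text is constructed from the settings on this page, and the `hash:/etc/postfix/sasl_passwd` path in the hardened variant is the conventional location for a `postmap`-built credential file, not something the page specifies.

```python
"""Lint the client-side (smtp_*) relay settings of a Postfix main.cf."""

# Constructed sample: the relay block from the question plus the TLS client
# setting the page already has (smtp_tls_security_level = may).
WEAK_MAIN_CF = """\
# SASL server side: Dovecot authenticates our own users
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
smtp_tls_security_level = may

# Relay through mailgun: SASL client side
relayhost = smtp.mailgun.org
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = static:postmaster@mydomain.com:password
smtp_sasl_security_options = noanonymous
"""

# Constructed hardened variant: TLS required for the relay, credentials kept in
# a postmap-built file (assumed path) keyed by relayhost instead of in main.cf.
HARDENED_MAIN_CF = WEAK_MAIN_CF.replace(
    "smtp_tls_security_level = may", "smtp_tls_security_level = encrypt"
).replace(
    "smtp_sasl_password_maps = static:postmaster@mydomain.com:password",
    "smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd",
)

# smtp_tls_security_level values that make TLS mandatory before AUTH is sent.
MANDATORY_TLS_LEVELS = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}


def parse_main_cf(text):
    """Return {param: value}. A line starting with whitespace continues the
    previous logical line; '#' lines are comments (simplified from postconf(5))."""
    params = {}
    last_key = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last_key is not None:
            params[last_key] = (params[last_key] + " " + raw.strip()).strip()
            continue
        key, sep, value = raw.partition("=")
        if not sep:
            continue
        last_key = key.strip()
        params[last_key] = value.strip()
    return params


def sasl_namespaces(params):
    """Split SASL settings into (server-side smtpd_sasl_*, client-side smtp_sasl_*)."""
    server = sorted(k for k in params if k.startswith("smtpd_sasl_"))
    client = sorted(k for k in params if k.startswith("smtp_sasl_"))
    return server, client


def lint_relay(params):
    """Return a list of (severity, message) findings about the relay configuration."""
    findings = []
    relayhost = params.get("relayhost", "")
    client_auth = params.get("smtp_sasl_auth_enable", "no").lower() == "yes"
    if not (relayhost and client_auth):
        return findings

    level = params.get("smtp_tls_security_level", "none")
    if level not in MANDATORY_TLS_LEVELS:
        findings.append(("WARN", "smtp_tls_security_level=%s: the relay password "
                         "would be sent in the clear if STARTTLS is not offered or "
                         "is stripped; use 'encrypt' or stronger for %s"
                         % (level, relayhost)))

    maps = params.get("smtp_sasl_password_maps", "")
    if maps.startswith("static:"):
        findings.append(("WARN", "smtp_sasl_password_maps uses static:, so the "
                         "password lives in main.cf and applies to every "
                         "destination; keep it in a root-only hash: map keyed "
                         "by the relayhost instead"))

    server, client = sasl_namespaces(params)
    findings.append(("INFO", "server-side SASL %s and client-side SASL %s are "
                     "separate parameter sets" % (server, client)))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        print("==", name)
        for severity, message in lint_relay(parse_main_cf(text)):
            print(severity, message)
```

The `INFO` line is the point of the lint: the relay block only ever adds `smtp_*` keys, so the Dovecot-backed `smtpd_sasl_*` path that authenticates inbound users is unchanged by it, and a `SASL PLAIN authentication failed` line from `postfix/smtpd` should be investigated on the Dovecot/smtpd side rather than in the relay credentials.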