Advanced Postfix configuration tuning

Post by tony

First, the basic settings for a Postfix that is already in usable shape:
vim /etc/postfix/main.cf


1. Listen on all interfaces
#inet_interfaces = localhost
inet_interfaces = all

mail_owner = postfix
2. Host name and domain settings
mynetworks = 192.168.0.0/24, 127.0.0.0/8
mynetworks_style = host
myhostname = mail.domain.com
mydomain = domain.com
The above are the current baseline settings. Note that mynetworks_style is only consulted when mynetworks is not set explicitly, so with mynetworks given as above the mynetworks_style = host line has no effect. Every host in mynetworks may relay through this server without authenticating, so keep that range as small as the LAN actually requires.
The settings below address the various kinds of spam attacks and prevent unexpected relaying.
3. Enable SASL
EX.
#SMTP SASL auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_application_name = smtpd

Item notes (a parameter may be set only once in main.cf; when it appears twice Postfix uses the last value and merely logs a warning, so restrictions that belong together must be written as one comma-separated list):

#Turn on SMTP authentication
smtpd_sasl_auth_enable = yes

#Compatibility with old clients (e.g. Outlook Express 4, Exchange 5.0) that use an obsolete form of the AUTH command
broken_sasl_auth_clients = yes

#Let SASL-authenticated clients relay; otherwise accept only mail for which this host is the final destination
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_auth_destination, reject_unauth_destination

#Allow SASL-authenticated clients, then block hosts whose reverse-DNS name matches the dynamic-IP patterns (both entries in the one parameter; the regexp table is the one built in section 4)
smtpd_client_restrictions = permit_sasl_authenticated, check_client_access regexp:/etc/postfix/access_re

#Only non-anonymous mechanisms
smtpd_sasl_security_options = noanonymous

#SASL local domain (realm)
smtpd_sasl_local_domain = $myhostname

#Name under which Cyrus SASL looks up its smtpd.conf; on Postfix 2.3 and later this parameter is called smtpd_sasl_path
smtpd_sasl_application_name = smtpd

#Reject mail whose sender domain does not exist in DNS
smtpd_sender_restrictions = reject_unknown_sender_domain

Without TLS, SASL passwords cross the network in the clear. Enabling TLS (smtpd_tls_security_level, smtpd_tls_auth_only) is outside the scope of this post, but it should be in place before AUTH is offered on a public port.

4. Restrictions on the client IP/hostname
EX.
smtpd_client_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
check_client_access hash:/etc/postfix/access,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client xbl.spamhaus.org,
reject_rbl_client dsbl.dnsbl.net.au


Item notes:
#Internal network, no checks
permit_mynetworks,

#SASL-authenticated clients
permit_sasl_authenticated,

#Reject clients whose reverse DNS lookup fails (not in the EX above)
reject_unknown_client,

(This rejects every client whose IP has no valid, forward-confirmed PTR record, which includes a fair number of legitimate but sloppily configured mail servers. Postfix 2.3 and later call it reject_unknown_client_hostname; the milder reject_unknown_reverse_client_hostname, which rejects only when there is no PTR record at all, is usually the safer choice.)

#Reject clients according to the access table
check_client_access hash:/etc/postfix/access,

(First create /etc/postfix/access to reject dynamic-IP clients. A domain entry in a hash client-access table also matches every hostname under it, so dynamic.hinet.net matches e.g. 1-2-3-4.dynamic.hinet.net:

dynamic.apol.com.tw REJECT We can't allow dynamic IP to relay!
dynamic.giga.net.tw REJECT We can't allow dynamic IP to relay!
dynamic.hinet.net REJECT We can't allow dynamic IP to relay!
dynamic.seed.net.tw REJECT We can't allow dynamic IP to relay!
dynamic.tfn.net.tw REJECT We can't allow dynamic IP to relay!
dynamic.ttn.net REJECT We can't allow dynamic IP to relay!
dynamic.lsc.net.tw REJECT We can't allow dynamic IP to relay!

then run postmap hash:/etc/postfix/access to build the DB. Rerun postmap after every edit: Postfix reads the .db file, not the text file.)


#Use a regular expression to reject any client whose hostname contains "dynamic"
check_client_access regexp:/etc/postfix/access_re

(First create /etc/postfix/access_re with the content
/dynamic/ REJECT
A regexp table is read directly; no postmap is needed. Both tables match on the client hostname that Postfix obtains from reverse DNS, so a client with no reverse DNS shows up as "unknown" and is caught by neither.)

#DNS block lists
reject_rbl_client cbl.abuseat.org,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client xbl.spamhaus.org,
reject_rbl_client dsbl.dnsbl.net.au,

(Check that each list is still in service before relying on it; a query to a list that has been shut down at best adds a DNS timeout to every incoming connection. The CBL (cbl.abuseat.org) has since been folded into Spamhaus XBL, and zen.spamhaus.org covers SBL and XBL in a single query. Spamhaus does not answer queries that arrive through public resolvers such as 8.8.8.8, so the mail server needs its own resolver for these lookups to work.)
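The two client-access lookups above can be checked without a running Postfix. The following shell script is an added example and is not code from the original post: it emulates the hash: lookup (with Postfix's parent-domain walk) and the regexp: lookup against constructed copies of the two tables, then runs a few constructed client hostnames through them in the same order as smtpd_client_restrictions. The hostnames and the temporary table files are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the original post): offline emulation of the
# hash: and regexp: client-access lookups from section 4, so the tables can
# be sanity-checked before they are loaded into Postfix. The table contents
# below are constructed copies of the post's entries.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed copy of /etc/postfix/access (hash table; key = client hostname).
cat > "$WORK/access" <<'EOF'
dynamic.hinet.net   REJECT We can't allow dynamic IP to relay!
dynamic.seed.net.tw REJECT We can't allow dynamic IP to relay!
EOF

# Constructed copy of /etc/postfix/access_re (regexp table, no postmap needed).
cat > "$WORK/access_re" <<'EOF'
# anything with "dynamic" in the reverse-DNS name
/dynamic/ REJECT
EOF

# hash_lookup HOSTNAME: emulate a hash: client-access lookup. Postfix tries
# the full name first and then each parent domain (parent_domain_matches_subdomains
# includes smtpd_access_maps by default), so "dynamic.hinet.net" also catches
# "1-2-3-4.dynamic.hinet.net". Keys are matched case-insensitively. Prints the
# action, or DUNNO when no entry matches.
hash_lookup() {
    name=$1
    while [ -n "$name" ]; do
        action=$(awk -v key="$name" '
            /^[ \t]*(#|$)/ { next }
            tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }
        ' "$WORK/access")
        if [ -n "$action" ]; then
            printf '%s\n' "$action"
            return 0
        fi
        case $name in
            *.*) name=${name#*.} ;;   # drop the leftmost label
            *)   name= ;;
        esac
    done
    echo DUNNO
}

# regexp_lookup HOSTNAME: emulate a regexp: client-access lookup. Each table
# line is "/pattern/ action"; the first matching pattern wins and matching is
# case-insensitive, as in Postfix. (Patterns containing "/" are not handled.)
regexp_lookup() {
    name=$1
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        pattern=$(printf '%s\n' "$line" | sed 's|^/\(.*\)/[[:space:]].*$|\1|')
        action=$(printf '%s\n' "$line" | sed 's|^/.*/[[:space:]]*||')
        if printf '%s\n' "$name" | grep -Eiq -- "$pattern"; then
            printf '%s\n' "$action"
            return 0
        fi
    done < "$WORK/access_re"
    echo DUNNO
}

# client_access HOSTNAME: both checks in the order they appear in
# smtpd_client_restrictions; the first non-DUNNO result decides.
client_access() {
    r=$(hash_lookup "$1")
    [ "$r" != DUNNO ] || r=$(regexp_lookup "$1")
    printf '%s\n' "$r"
}

# Constructed client hostnames, as Postfix would see them after reverse DNS.
# "unknown" is what a client without reverse DNS looks like: neither table
# catches it.
for host in mail.example.org 1-2-3-4.dynamic.hinet.net adsl-DYNAMIC-5.isp.example unknown; do
    printf '%-32s %s\n' "$host" "$(client_access "$host")"
done

# If Postfix is installed, cross-check the hash table with the real tools.
# postmap -q does only the exact-key lookup; the parent-domain walk is smtpd's.
if command -v postmap >/dev/null 2>&1; then
    postmap "hash:$WORK/access" && postmap -q dynamic.hinet.net "hash:$WORK/access" || true
fi
```

The per-label walk in hash_lookup is why a bare domain entry is enough to cover a whole ISP pool, and why the regexp table still adds value: it also catches names such as adsl-dynamic-5.isp.example that no fixed domain entry would match.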

5. Require HELO/EHLO before mail may be sent
smtpd_helo_required = yes

6. Check the HELO hostname
EX.
smtpd_helo_restrictions =
permit_mynetworks,
reject_invalid_hostname,
check_helo_access hash:/etc/postfix/fake_helo


#Reject a syntactically invalid HELO hostname (Postfix 2.3 and later call this reject_invalid_helo_hostname)
reject_invalid_hostname,
#Stricter alternatives, left disabled: reject_non_fqdn_hostname rejects HELO names that are not fully qualified, reject_unknown_hostname rejects HELO names without an A/AAAA or MX record, which also hits many misconfigured but legitimate senders
#reject_non_fqdn_hostname,
#reject_unknown_hostname,
#Reject outside clients that claim our own domain in HELO
check_helo_access hash:/etc/postfix/fake_helo


(To reject outside clients that claim our own domain in HELO, first create /etc/postfix/fake_helo with the content
example.com REJECT
substituting your own domain ($mydomain), and build the DB with postmap hash:/etc/postfix/fake_helo. Because permit_mynetworks comes first, your own internal hosts are unaffected.)


#Reject immediately instead of waiting for RCPT TO
smtpd_delay_reject = no
(The Postfix default is yes, for two reasons: some clients do not read the reply to HELO or MAIL FROM before sending the next command, so an early reject confuses them, and with delayed rejects the log line for a rejected connection also records the sender and recipient, which makes later investigation much easier. With no, the client restrictions are evaluated at connect time, before the client has had a chance to AUTH, so permit_sasl_authenticated in smtpd_client_restrictions can never match. Leave it at yes unless there is a specific reason not to.)


7. Restrictions on MAIL FROM
EX.
smtpd_sender_restrictions =
permit_mynetworks,
reject_non_fqdn_sender,
reject_unknown_sender_domain


#Reject mail from outside that claims to come from one of our own addresses (disabled in the EX)
#check_sender_access hash:/etc/postfix/fake_from,
(create /etc/postfix/fake_from with the content
example.com REJECT
and run postmap hash:/etc/postfix/fake_from. If this check is enabled, permit_sasl_authenticated must come before it in the list, otherwise your own users sending from outside the LAN after authenticating are rejected as well; the EX above has only permit_mynetworks.)

#Reject sender addresses that are not fully qualified
reject_non_fqdn_sender
#Reject sender addresses whose domain does not exist in DNS
reject_unknown_sender_domain


8. Restrictions on RCPT TO
EX.
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
check_policy_service unix:/var/spool/postfix/postgrey/socket,
permit_auth_destination

(reject_unauth_destination is the relay gate and belongs before the greylisting policy service. postgrey answers DEFER_IF_PERMIT, so even with the policy check first a relay attempt from outside would still end up rejected, but every relay probe would be handed to the policy daemon and recorded in its database first. On Postfix 2.10 and later the relay gate also lives in smtpd_relay_restrictions, whose default of permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination keeps the server closed even if this list is edited carelessly.)

#Some bulk advertising mail uses an edm@ address as sender
header_checks = regexp:/etc/postfix/hc
(create /etc/postfix/hc with the content
/^From:.*edm@/ REJECT
which rejects, by regular expression, advertising mail whose From: header is an edm@ address. header_checks runs in cleanup(8) on every message, including mail submitted by your own users, so a pattern this broad also bounces legitimate mail from any address beginning with edm@.)

9. Disguise the greeting banner shown when connecting to Postfix
smtpd_banner = $myhostname Welcome to Microsoft Exchange 2003
(The 220 greeting must begin with the server's host name; Postfix requires smtpd_banner to start with $myhostname, and a banner without it breaks the SMTP protocol. The text after the host name is free, but the disguise buys little, since Postfix is easy to recognise from its other replies and EHLO keywords.)

10. Queue lifetimes
#How long a message that cannot be delivered stays in the queue, with retries, before it is returned to the sender (the default is 5d)
maximal_queue_lifetime = 1d
#The same limit for bounce messages (non-delivery notifications)
bounce_queue_lifetime = 1d
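Several of the pitfalls discussed in sections 3, 8 and 9 are easy to re-introduce when editing main.cf by hand: a parameter set twice (Postfix keeps the last value and only warns), a smtpd_banner that does not start with $myhostname, and a check_policy_service placed before reject_unauth_destination. The following shell script is an added example, not code from the original post or from the Postfix project: it parses main.cf the way Postfix does (continuation lines start with whitespace, comments start with #) and checks for those three problems. The two main.cf files it works on are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the original post): a small main.cf linter for
# three pitfalls from sections 3, 8 and 9. Both main.cf files below are
# constructed for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed main.cf carrying all three pitfalls.
cat > "$WORK/bad.cf" <<'EOF'
myhostname = mail.domain.com
smtpd_banner = Welcome to Microsoft Exchange 2003
smtpd_client_restrictions = permit_sasl_authenticated
smtpd_client_restrictions = check_client_access regexp:/etc/postfix/access_re
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_policy_service unix:/var/spool/postfix/postgrey/socket,
    permit_auth_destination,
    reject_unauth_destination
EOF

# Constructed main.cf with the same settings corrected.
cat > "$WORK/good.cf" <<'EOF'
myhostname = mail.domain.com
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_client_access hash:/etc/postfix/access,
    check_client_access regexp:/etc/postfix/access_re
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_policy_service unix:/var/spool/postfix/postgrey/socket
EOF

# normalize FILE: drop comments and blank lines, join continuation lines
# (lines starting with whitespace) and squeeze whitespace, so that every
# parameter becomes a single "name = value" line.
normalize() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { cur = cur " " $0; next }
        { if (cur != "") print cur; cur = $0 }
        END { if (cur != "") print cur }
    ' "$1" | tr -s ' \t' ' '
}

# duplicate_params FILE: names of parameters that are set more than once.
duplicate_params() {
    normalize "$1" | awk '{ n = $0; sub(/ *=.*/, "", n); c[n]++ }
        END { for (k in c) if (c[k] > 1) print k }' | sort
}

# param_value FILE NAME: the value Postfix actually uses (the last one set).
param_value() {
    normalize "$1" | awk -v p="$2" '
        { n = $0; sub(/ *=.*/, "", n)
          if (n == p) { v = $0; sub(/^[^=]*= */, "", v) } }
        END { print v }'
}

# position LIST NAME: 1-based index of the first entry containing NAME in a
# comma-separated restriction list, empty if absent.
position() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -v n="$2" 'index($0, n) { print NR; exit }'
}

# banner_ok FILE: the SMTP greeting must begin with the host name.
banner_ok() {
    case $(param_value "$1" smtpd_banner) in
        '$myhostname'*) return 0 ;;
        *)              return 1 ;;
    esac
}

# recipient_order_ok FILE: reject_unauth_destination must precede any
# check_policy_service, so relay probes never reach the policy daemon.
recipient_order_ok() {
    v=$(param_value "$1" smtpd_recipient_restrictions)
    gate=$(position "$v" reject_unauth_destination)
    policy=$(position "$v" check_policy_service)
    if [ -z "$policy" ]; then return 0; fi
    if [ -n "$gate" ] && [ "$gate" -lt "$policy" ]; then return 0; else return 1; fi
}

# lint FILE: print every finding; exit status 1 if there was any.
lint() {
    f=$1 rc=0
    dups=$(duplicate_params "$f")
    [ -z "$dups" ] || { echo "$f: set more than once (last wins): $(printf '%s ' $dups)"; rc=1; }
    banner_ok "$f" || { echo "$f: smtpd_banner must start with \$myhostname"; rc=1; }
    recipient_order_ok "$f" || { echo "$f: put reject_unauth_destination before check_policy_service"; rc=1; }
    return "$rc"
}

lint "$WORK/bad.cf" || true
lint "$WORK/good.cf" && echo "$WORK/good.cf: ok"
```

Run it against the real file with lint /etc/postfix/main.cf; on a live system the authoritative view of what Postfix ended up with is still postconf -n, which prints the effective value of every explicitly set parameter after duplicates have been resolved.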