kn007's personal blog

Quickly configuring Postfix on Fedora with OpenDKIM and OpenDMARC milters

I wrote 《Postfix小结》 (a Postfix summary) years ago. Since then Postfix has had new releases and my environment has changed, so parts of that article no longer apply.

I recently moved to a new system, so here is how to quickly configure Postfix on Fedora Server 44 and hook up OpenDKIM and OpenDMARC (installation is just a dnf install, so I will not cover it).

Of course, if you do not receive mail, you can skip the OpenDMARC part.

The rest moves at a fairly brisk pace, and I use postconf throughout to edit the Postfix configuration (in the past one edited main.cf, master.cf and so on directly; now the postconf command is the usual way).

First, the Postfix package on Fedora Server 44 is postfix-2:3.10.10-1.fc44.x86_64 and this configuration targets that version, so start by setting the compatibility level to 3.10 (the configuration below also works with the latest 3.11):

postconf -e "compatibility_level = 3.10"

Configure the basic server identity. ${server_hostname} and ${outgoing_ip} are shell variables I defined beforehand holding the server's hostname and IP address. Because I communicate mainly over IPv4, I restrict Postfix to IPv4; adjust this to your situation.

postconf -e "myhostname = ${server_hostname}"
postconf -e "mydomain = ${server_hostname}"
postconf -e "myorigin = \$mydomain"
postconf -e "inet_interfaces = all"
postconf -e "inet_protocols = ipv4"
postconf -e "mydestination = \$myhostname, localhost.\$mydomain, localhost, \$mydomain"
postconf -e "mynetworks = ${outgoing_ip}, 127.0.0.0/8"
postconf -e "home_mailbox = Maildir/"
postconf -e "mailbox_size_limit = 536870912"
postconf -e "message_size_limit = 268435456"
postconf -e "debug_peer_level = 2"
postconf -e "tls_random_source = dev:/dev/urandom"
postconf -e "smtp_tls_loglevel = 1"
postconf -e "smtpd_tls_loglevel = 1"

Disable notification mail. By default Postfix only sends notifications when the server runs into resource problems or serious internal software errors. These rarely happen, and when they do, having Postfix keep mailing itself is not helpful either.

postconf -e "notify_classes ="

Set the TLS parameters (for a public-facing MX the inbound security level must be may; otherwise remote servers may be unable to complete a handshake with you):

postconf -e "smtpd_tls_auth_only = yes"
postconf -e "smtpd_tls_received_header = yes"
postconf -e 'lmtp_tls_protocols = >=TLSv1.2'
postconf -e 'smtp_tls_protocols = >=TLSv1.2'
postconf -e "smtpd_tls_protocols = >=TLSv1.2"
postconf -e 'lmtp_tls_mandatory_protocols = >=TLSv1.2'
postconf -e 'smtp_tls_mandatory_protocols = >=TLSv1.2'
postconf -e "smtpd_tls_mandatory_protocols = >=TLSv1.2"
postconf -e "smtp_tls_session_cache_database = lmdb:/var/lib/postfix/smtp_tls_cache"
postconf -e "smtpd_tls_session_cache_database = lmdb:/var/lib/postfix/smtpd_tls_cache"
postconf -e "smtp_tls_session_cache_timeout = 3600s"
postconf -e "smtpd_tls_session_cache_timeout = 3600s"
postconf -X "smtp_use_tls" "smtpd_use_tls" "smtp_enforce_tls" "smtpd_enforce_tls" "smtpd_tls_dh1024_param_file"
postconf -e "smtp_tls_security_level = may"
postconf -e "smtpd_tls_security_level = may"
postconf -e "smtp_tls_ciphers = medium"
postconf -e "smtpd_tls_ciphers = medium"
postconf -X "smtp_tls_exclude_ciphers" "smtp_tls_mandatory_exclude_ciphers"
postconf -X "smtpd_tls_exclude_ciphers" "smtpd_tls_mandatory_exclude_ciphers"
postconf -e "smtp_tls_CApath = /etc/pki/tls/certs/"
postconf -e "smtpd_tls_cert_file = /etc/pki/tls/certs/${server_hostname}_bundle.rsa.crt"
postconf -e "smtpd_tls_key_file = /etc/pki/tls/private/${server_hostname}.rsa.key"

Reject delivery to recipient addresses that do not exist on the local server:

postconf -e "unknown_local_recipient_reject_code = 550"

Relay restrictions (mainly to prevent an open relay):

postconf -e "smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination"

SASL authentication settings:

postconf -e "smtpd_sasl_path = smtpd"
postconf -e "smtpd_sasl_auth_enable = yes"
postconf -e "smtpd_sasl_security_options = noanonymous"
postconf -e "smtpd_sasl_authenticated_header = yes"
postconf -e "broken_sasl_auth_clients = yes"
postconf -e "smtpd_sasl_local_domain = \$myhostname"

A custom delivery-status filter for the enforced-TLS outbound transport: when a mandatory TLS connection fails, the 4.x.x soft errors are converted into 5.x.x hard errors:

cat > /etc/postfix/smtp_dsn_filter.pcre << 'EOF'
# Remote host refused STARTTLS: turn the temporary 4.x.x status into a permanent 5.x.x one
/^4(\.\d+\.\d+ TLS is required, but host \S+ refused to start TLS: .+)/
        5$1
# Remote host never offered STARTTLS
/^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)/
        5$1
# Any other 4.7.5 (TLS policy) failure; dots are escaped so they match literally
/^4\.7\.5(.*)/
        5.7.5$1
EOF
postconf -M "smtp_enforced_tls/unix=smtp_enforced_tls unix - - n - - smtp"
postconf -P "smtp_enforced_tls/unix/smtp_tls_security_level=encrypt"
postconf -P "smtp_enforced_tls/unix/syslog_name=enforced-tls-smtp"
postconf -P "smtp_enforced_tls/unix/smtp_delivery_status_filter=pcre:/etc/postfix/smtp_dsn_filter.pcre"
postconf -P "smtp_enforced_tls/unix/smtp_bind_address=${outgoing_ip}"

Set up the SPF policy service:

postconf -M "policyd-spf/unix=policyd-spf unix - n n - 0 spawn user=nobody argv=/usr/libexec/postfix/policyd-spf /etc/python-policyd-spf/policyd-spf.conf"
postconf -e "policyd-spf_time_limit = 3600"

Set sender and recipient restrictions, and reject mail addressed to no-reply by default:

cat > /etc/postfix/recipient_access << EOF
no-reply@${server_hostname}    REJECT This address does not accept incoming mail.
EOF
postmap lmdb:/etc/postfix/recipient_access
postconf -e "smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain"
postconf -e "smtpd_recipient_restrictions = check_recipient_access lmdb:/etc/postfix/recipient_access, permit_mynetworks, permit_sasl_authenticated, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_destination, reject_non_fqdn_recipient, check_policy_service unix:private/policyd-spf"

Set the outbound network interface for the smtp and relay transports:

postconf -P "smtp/unix/smtp_bind_address=${outgoing_ip}"
postconf -P "relay/unix/smtp_bind_address=${outgoing_ip}"

SMTPS (implicit TLS) sending channel settings:

postconf -M "smtps/inet=smtps inet n - n - - smtpd"
postconf -P "smtps/inet/smtpd_tls_wrappermode=yes"
postconf -P "smtps/inet/smtpd_sasl_auth_enable=yes"

Port 587 submission (STARTTLS) sending configuration:

postconf -M "submission/inet=submission inet n - n - - smtpd"
postconf -P "submission/inet/syslog_name=postfix/submission"
postconf -P "submission/inet/smtpd_tls_security_level=encrypt"
postconf -P "submission/inet/smtpd_sasl_auth_enable=yes"
postconf -P "submission/inet/smtp_bind_address=${outgoing_ip}"

Enable the postscreen workflow and let local networks through:

postconf -e "postscreen_cache_map = lmdb:/var/lib/postfix/postscreen_cache"
postconf -M "smtp/inet=smtp inet n - n - 1 postscreen"
postconf -M "smtpd/pass=smtpd pass - - n - - smtpd"
postconf -M "dnsblog/unix=dnsblog unix - - n - 0 dnsblog"
postconf -M "tlsproxy/unix=tlsproxy unix - - n - 0 tlsproxy"
postconf -e "postscreen_greet_action = enforce"
postconf -e "postscreen_bare_newline_action = enforce"
postconf -e "postscreen_non_smtp_command_action = enforce"
postconf -e "postscreen_access_list = permit_mynetworks"

Hook up the DKIM milter and the DMARC milter:

postconf -e "milter_default_action = accept"
postconf -e "milter_protocol = 6"
postconf -e "smtpd_milters = local:/run/opendkim/opendkim.sock, local:/run/opendmarc/opendmarc.sock"
postconf -e "non_smtpd_milters = \$smtpd_milters"

Note that OpenDKIM must come before OpenDMARC, because Postfix calls the milters in smtpd_milters strictly in left-to-right order.

The core logic of DMARC (Domain-based Message Authentication, Reporting, and Conformance) is to combine and depend on the SPF and DKIM verification results. If the order is reversed, OpenDMARC will consider the message to have no valid DKIM signature.
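As an added sanity check (not part of the original post), the script below reads the text of postconf -n and verifies the security-relevant settings this walkthrough sets: milter order, relay restrictions, opportunistic inbound TLS and TLS-only SASL. The configuration text it inspects is a constructed sample so it runs offline; on a real host assign SAMPLE_CONF=$(postconf -n) instead.

```shell
# Added post-configuration check (not from the original post). It inspects the
# text of `postconf -n` and verifies the security-relevant settings above:
# milter order, relay restrictions, opportunistic inbound TLS, TLS-only SASL.

# Constructed sample of `postconf -n` output so the script runs offline;
# on a real host use: SAMPLE_CONF=$(postconf -n)
SAMPLE_CONF='compatibility_level = 3.10
milter_default_action = accept
smtpd_milters = local:/run/opendkim/opendkim.sock, local:/run/opendmarc/opendmarc.sock
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_tls_auth_only = yes
smtpd_tls_security_level = may'

# Print the value of parameter $1 from the config text on stdin.
conf_get() {
    sed -n "s/^$1 *= *//p"
}

# Succeed when opendkim is listed before opendmarc in smtpd_milters
# (Postfix calls milters left to right, and OpenDMARC needs OpenDKIM's result).
milters_in_order() {
    milters=$(printf '%s\n' "$1" | conf_get smtpd_milters | tr ',' '\n')
    dkim_pos=$(printf '%s\n' "$milters" | grep -n opendkim | cut -d: -f1)
    dmarc_pos=$(printf '%s\n' "$milters" | grep -n opendmarc | cut -d: -f1)
    [ -n "$dkim_pos" ] && [ -n "$dmarc_pos" ] && [ "$dkim_pos" -lt "$dmarc_pos" ]
}

# Succeed when relay restrictions include reject_unauth_destination (no open relay).
no_open_relay() {
    printf '%s\n' "$1" | conf_get smtpd_relay_restrictions | grep -q reject_unauth_destination
}

# Succeed when parameter $2 has exactly the value $3.
conf_equals() {
    [ "$(printf '%s\n' "$1" | conf_get "$2")" = "$3" ]
}

# Run every check; the return value is the number of failed checks (0 = sane).
check_postfix_conf() {
    failures=0
    milters_in_order "$1" || { echo "FAIL: opendkim must precede opendmarc"; failures=$((failures + 1)); }
    no_open_relay "$1" || { echo "FAIL: smtpd_relay_restrictions permits open relay"; failures=$((failures + 1)); }
    conf_equals "$1" smtpd_tls_security_level may || { echo "FAIL: inbound TLS level must be may"; failures=$((failures + 1)); }
    conf_equals "$1" smtpd_tls_auth_only yes || { echo "FAIL: SASL auth allowed without TLS"; failures=$((failures + 1)); }
    return "$failures"
}

check_postfix_conf "$SAMPLE_CONF" && echo "OK: configuration passes all checks"
```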

For testing sending and receiving, refer to my earlier 《Postfix小结》 post.
