Note: Postfix SMTP authentication is handled through Cyrus-SASL, which in turn must connect to the authdaemon socket to obtain the authentication information.
Postfix's own restriction and filtering capabilities are explained in the second part of this article.
Part 1: Install and configure Cyrus-SASL
1. Cyrus-SASL is already installed on the system by default:

```
# rpm -qa | grep cyrus-sasl
cyrus-sasl-gssapi-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-plain-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-lib-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-md5-2.1.23-13.el6_3.1.x86_64
```
2. Configure Cyrus-SASL

```
# vi /etc/sasl2/smtpd.conf
#pwcheck_method: saslauthd
#mech_list: plain login
pwcheck_method: authdaemond
log_level: 3
mech_list: plain LOGIN
authdaemond_path: /usr/local/var/spool/authdaemon/socket

# chmod 755 /usr/local/var/spool/authdaemon
```

Note: on some systems the authdaemond socket path is /var/spool/authdaemon/socket.
3. Configure Postfix

```
# vi /etc/postfix/main.cf
# SMTP recipient restrictions
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_invalid_hostname
# SMTP sender restrictions
smtpd_sender_restrictions = permit_mynetworks,
    reject_sender_login_mismatch,
    reject_authenticated_sender_login_mismatch,
    reject_unauthenticated_sender_login_mismatch
# SMTP sender login maps (which login may use which sender address)
smtpd_sender_login_maps = mysql:/etc/postfix/mysql_virtual_sender_maps.cf,
    mysql:/etc/postfix/mysql_virtual_alias_maps.cf
# SMTP authentication
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous

# service postfix restart
```

Note: the restrictions above are Postfix's own access restriction mechanism, which is explained in detail in Part 2.
4. Test SMTP authentication

Use MIME::Base64 to base64-encode the mail account and the password:

```
# perl -e 'use MIME::Base64; print encode_base64("postmaster\@yourmail.com")'
cG9zdG1hc3RlckB5b3VybWFpbC5jb20=
# perl -e 'use MIME::Base64; print encode_base64("extmail")'
ZXh0bWFpbA==
```
Local testing requires the telnet tool:

```
# yum install -y telnet
# telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 mail.eplantstore.com ESMTP Postfix - by eplantstore.com
ehlo localhost                        # enter the EHLO greeting
250-mail.eplantstore.com
250-PIPELINING
250-SIZE 10485760
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN                  # AUTH is advertised: Postfix SASL support is working
250-AUTH=PLAIN LOGIN                  # Cyrus-SASL is used for SMTP authentication
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
auth login                            # enter the authentication command
334 VXNlcm5hbWU6
cG9zdG1hc3RlckB5b3VybWFpbC5jb20=      # enter the base64-encoded account
334 UGFzc3dvcmQ6
ZXh0bWFpbA==                          # enter the base64-encoded password
235 2.7.0 Authentication successful   # authentication succeeded
quit
221 2.0.0 Bye
Connection closed by foreign host.
```

Conclusion: the output above shows that Postfix successfully used Cyrus-SASL for SMTP authentication and the login passed.
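The telnet session above, replayed in code as an added example that is not part of the original article: a small Python client performs the AUTH LOGIN exchange against a hypothetical in-process stand-in for smtpd, so both sides of the dialogue can be run offline. It also shows why AUTH should only be offered inside TLS: the 334 prompts and the credentials are plain base64, which `b64d` reverses in one call (in Postfix, `smtpd_tls_auth_only = yes` restricts AUTH to TLS sessions). The server, its host name and the credentials are constructed for the example.

```python
import base64
import socket
import threading

# Constructed credentials, the same values used in the telnet walkthrough above.
USERNAME = "postmaster@yourmail.com"
PASSWORD = "extmail"


def b64(text: str) -> str:
    """Base64-encode text the way AUTH LOGIN expects (what the perl one-liners above do)."""
    return base64.b64encode(text.encode()).decode()


def b64d(text: str) -> str:
    """Reverse the encoding: base64 is not encryption, anyone on the wire can do this."""
    return base64.b64decode(text.encode()).decode()


def fake_smtp_server(conn: socket.socket, valid: tuple) -> None:
    """Hypothetical stand-in for a Postfix smtpd that only knows EHLO, AUTH LOGIN and QUIT.
    Not Postfix code; it exists only so the client side can be exercised offline."""
    rf = conn.makefile("rb")

    def send(line: str) -> None:
        conn.sendall((line + "\r\n").encode())

    def recv() -> str:
        return rf.readline().decode().rstrip("\r\n")

    send("220 mail.example.test ESMTP")  # constructed banner
    while True:
        line = recv()
        if not line:
            break
        cmd = line.split(" ", 1)[0].upper()
        if cmd == "EHLO":
            send("250-mail.example.test")
            send("250-AUTH PLAIN LOGIN")  # advertises SASL support, as in the session above
            send("250 8BITMIME")
        elif line.upper() == "AUTH LOGIN":
            send("334 " + b64("Username:"))  # the 334 prompts are base64 too
            user = b64d(recv())
            send("334 " + b64("Password:"))
            password = b64d(recv())
            if (user, password) == valid:
                send("235 2.7.0 Authentication successful")
            else:
                send("535 5.7.8 Error: authentication failed")
        elif cmd == "QUIT":
            send("221 2.0.0 Bye")
            break
        else:
            send("502 5.5.2 Error: command not recognized")
    conn.close()


def auth_login_client(conn: socket.socket, username: str, password: str):
    """Client side of AUTH LOGIN; returns the final reply code and the full transcript."""
    rf = conn.makefile("rb")
    transcript = []

    def send(line: str) -> None:
        transcript.append("C: " + line)
        conn.sendall((line + "\r\n").encode())

    def reply() -> str:
        # Multi-line replies use "250-" on all but the last line, which uses "250 ".
        while True:
            last = rf.readline().decode().rstrip("\r\n")
            transcript.append("S: " + last)
            if len(last) < 4 or last[3] != "-":
                return last[:3]

    reply()  # 220 banner
    send("EHLO localhost")
    reply()
    send("AUTH LOGIN")
    if reply() != "334":
        raise RuntimeError("server did not offer AUTH LOGIN")
    send(b64(username))
    if reply() != "334":
        raise RuntimeError("unexpected reply to username")
    send(b64(password))
    code = reply()
    send("QUIT")
    reply()
    return code, transcript


def run_auth_login(username: str, password: str):
    """Run client and fake server over a socket pair; returns (final code, transcript)."""
    client_sock, server_sock = socket.socketpair()
    server = threading.Thread(target=fake_smtp_server,
                              args=(server_sock, (USERNAME, PASSWORD)), daemon=True)
    server.start()
    try:
        return auth_login_client(client_sock, username, password)
    finally:
        client_sock.close()
        server.join(timeout=5)


if __name__ == "__main__":
    code, lines = run_auth_login(USERNAME, PASSWORD)
    print("\n".join(lines))
    print("result:", code)  # 235 with the right password, 535 otherwise
```

Run it directly to print the transcript; the `C:`/`S:` lines reproduce the dialogue from the telnet session, including the `VXNlcm5hbWU6` and `UGFzc3dvcmQ6` prompts.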
Part 2: Postfix's own mail filtering

1. Access tables

(1) Access table types

| Table (restriction) | What is checked | Example entries |
|---|---|---|
| check_client_access | Client host name and IP address | `192.168.1.100`, `10.188` |
| check_helo_access | Host name given in the HELO command | |
| check_recipient_access | Recipient address | `user@example.com`, `example.com`, `user@` |
| check_sender_access | Sender address | `user@example.com`, `example.com`, `user@` |

Address entries take the three forms of access(5): a full `user@domain`, a bare `domain` (the page shows `example.com`), or `user@` for a local part at any domain.
(2) Actions

| Action | Meaning |
|---|---|
| OK | Accept (pass) |
| REJECT | Refuse; an optional message-text sets the message that is returned to the client with the rejection and recorded in the log (the same applies to the codes below) |
| DUNNO | Stop searching this table (treat the key as not found) and continue with the next restriction |
| HOLD | Keep the message in the queue |
| DISCARD | Postfix drops the message but lets the client believe it was delivered successfully |
| 4NN text | Return the specified code and message to the client; temporary rejection |
| 5NN text | Return the specified code and message to the client; permanent rejection |
(3) Usage example

Configure the access table restrictions:

```
# vi /etc/postfix/main.cf
smtpd_client_restrictions = check_client_access hash:/etc/postfix/client_access
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/recipient_access
```

Create the access tables (the two sender addresses appear on the page only in mangled form; `user@example.com` is a placeholder for them):

```
# vi /etc/postfix/client_access
10.188          REJECT
192.168.1.100   REJECT

# vi /etc/postfix/sender_access
user@example.com    REJECT
user@example.com    REJECT
abc.example.com     REJECT
```

Convert the tables to database format (this is needed every time an access table is modified):

```
# postmap /etc/postfix/client_access
# postmap /etc/postfix/sender_access
```
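How Postfix consults these tables is worth seeing, because `10.188` in client_access matches every client in 10.188.0.0/16 and a bare domain in sender_access matches its subdomains. The following Python, added here as an illustration and not part of the original article, re-implements the access(5) lookup order (full key, then shorter address prefixes or parent domains, then `user@`) over constructed tables that mirror the files above; the sender addresses are placeholders, and `evaluate` shows how a DUNNO result hands over to the next restriction in the list.

```python
from typing import Dict, List, Optional, Tuple

# Constructed tables mirroring /etc/postfix/client_access and sender_access above
# (the sender addresses are placeholders; the page shows them only in mangled form).
CLIENT_ACCESS: Dict[str, str] = {
    "10.188": "REJECT",         # matches the whole 10.188.0.0/16 range
    "192.168.1.100": "REJECT",  # matches one host
}
SENDER_ACCESS: Dict[str, str] = {
    "spammer@example.com": "REJECT",  # user@domain form
    "abc.example.com": "REJECT",      # domain form: the domain and its subdomains
    "postmaster@": "OK",              # user@ form: that local part at any domain
}


def ip_keys(addr: str) -> List[str]:
    """Lookup keys for an IPv4 client address: the full address, then ever shorter prefixes."""
    parts = addr.split(".")
    return [".".join(parts[:n]) for n in range(len(parts), 0, -1)]


def domain_keys(domain: str, subdomains: bool = True) -> List[str]:
    """Lookup keys for a domain: the domain itself, then each parent domain.
    A bare parent name matches subdomains when smtpd_access_maps is listed in
    parent_domain_matches_subdomains (the Postfix default); otherwise only the
    dotted form '.parent' matches them."""
    labels = domain.split(".")
    keys = [domain]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if subdomains else "." + parent)
    return keys


def address_keys(address: str) -> List[str]:
    """Lookup keys for an e-mail address: user@domain, the domain keys, then user@."""
    if "@" not in address:
        return [address]
    user, domain = address.rsplit("@", 1)
    return [address] + domain_keys(domain) + [user + "@"]


def lookup(table: Dict[str, str], keys: List[str]) -> Tuple[str, Optional[str]]:
    """Return (action, matched key) for the first key present in the table.
    No match yields DUNNO: this restriction has no opinion, the next one decides."""
    for key in keys:
        if key in table:
            return table[key], key
    return "DUNNO", None


def check_client_access(table: Dict[str, str], client_ip: str) -> Tuple[str, Optional[str]]:
    return lookup(table, ip_keys(client_ip))


def check_sender_access(table: Dict[str, str], sender: str) -> Tuple[str, Optional[str]]:
    # hash: tables are case-insensitive, so the key is lowercased before lookup
    return lookup(table, address_keys(sender.lower()))


def evaluate(*results: Tuple[str, Optional[str]]) -> Tuple[str, Optional[str]]:
    """Combine restriction results in list order, as Postfix does: the first non-DUNNO decides."""
    for action, key in results:
        if action != "DUNNO":
            return action, key
    return "DUNNO", None


if __name__ == "__main__":
    for ip in ("10.188.3.4", "10.189.3.4", "192.168.1.100", "192.168.1.101"):
        print(ip, "->", check_client_access(CLIENT_ACCESS, ip))
    for addr in ("bob@mail.abc.example.com", "bob@example.com", "Postmaster@anywhere.test"):
        print(addr, "->", check_sender_access(SENDER_ACCESS, addr))
```

The `10.189.3.4` and `bob@example.com` cases return DUNNO rather than OK: an access table that does not match says nothing, so the final verdict comes from whatever restriction follows it in the list, which is why lists such as the one in main.cf above end with an explicit reject or permit.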
2. Built-in restrictions

| Restriction | Meaning |
|---|---|
| permit_auth_destination | Permit when the recipient domain is within the range set by mydestination, inet_interfaces, virtual_alias_maps, virtual_mailbox_maps or relay_domains; otherwise return DUNNO |
| permit_mynetworks | Permit when the client IP is within the range set by mynetworks |
| reject_unauth_destination | The opposite of the first entry: reject when the recipient domain is outside that range |
| reject_invalid_hostname | Return 501 when the host name in the HELO command has invalid syntax |
| reject_non_fqdn_hostname | Return 504 when the host name in the HELO command is not an FQDN |
| reject_non_fqdn_recipient | Return 504 when the recipient address is not an FQDN |
| reject_non_fqdn_sender | Return 504 when the sender address is not an FQDN |
| reject_unauth_pipelining | Reject clients that send commands ahead of time (pipelining) when they are not permitted to |
| reject_unknown_client | Reject when no PTR record is found in DNS for the client IP |
| reject_unknown_hostname | Reject when the host name in the HELO command has neither an A nor an MX record |
| reject_unknown_recipient_domain | Reject when no valid A or MX record is found for the domain part of the recipient address |
| reject_unknown_sender_domain | Reject when no valid A or MX record is found for the domain part of the sender address |
3. RBL (real-time blacklists)

| Restriction | Blacklist |
|---|---|
| reject_rbl_client rbl_domain | Client IP address blacklist |
| reject_rhsbl_client rbl_domain | Client host name blacklist |
| reject_rhsbl_sender rbl_domain | Sender blacklist |
4. Content filtering

(1) Types

| Parameter | What is checked |
|---|---|
| header_checks = /etc/postfix/header_checks | Message headers |
| body_checks = /etc/postfix/body_checks | Message body |
| nested_header_checks | Headers of attached (nested) messages |
| mime_header_checks | MIME headers |
(2) Actions

| Action | Meaning |
|---|---|
| REJECT | Reject the message |
| WARN | Do not reject; log the match (useful for testing a pattern) |
| IGNORE | Delete the line that matches the pattern |
| HOLD | Keep the message in the queue |
| DISCARD | Silently discard the message |
(3) Examples

Use header_checks for simple virus filtering (rejecting attachments with executable extensions):

```
/name="?.*\.(bat|scr|com|dll|exe|hta|pif|vbs)"?/    REJECT
```

Use body_checks for content filtering:

```
/increase your sales by/              REJECT
/in compliance (with|of) strict/      REJECT
/lowest rates.*!/                     REJECT
/[[:alpha:]]<!--.*-->[[:alpha:]]/     REJECT
```

The third pattern picks out any string that contains the words "lowest rates" followed by arbitrary text and an exclamation mark. The last pattern checks whether an HTML comment is embedded in the middle of text, between two letters (the POSIX class must be written `[[:alpha:]]`, with double brackets).

For anything beyond such simple rules it is best to use an external content filter such as SpamAssassin or DSPAM.
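To see what the header_checks and body_checks patterns above actually catch, here is an added Python example (not from the article) that runs the same rules over constructed messages. It walks every MIME part, because mime_header_checks defaults to $header_checks, and it relies on the parser to unfold continuation lines, so a `filename=` pushed onto a second header line is still matched (the `name=` pattern catches `filename=` as well, since it contains `name=`). Python's `re` has no `[[:alpha:]]`, so `[A-Za-z]` stands in for it; `scan_message` and the sample messages are this example's own.

```python
import email
import re
from email import policy
from typing import List, Optional, Tuple

# Rule lists as (pattern, action), mirroring the header_checks / body_checks files above.
# Postfix matches /.../ patterns case-insensitively by default, hence re.IGNORECASE below.
HEADER_CHECKS: List[Tuple[str, str]] = [
    (r'name="?.*\.(bat|scr|com|dll|exe|hta|pif|vbs)"?', "REJECT"),
]
BODY_CHECKS: List[Tuple[str, str]] = [
    (r"increase your sales by", "REJECT"),
    (r"in compliance (with|of) strict", "REJECT"),
    (r"lowest rates.*!", "REJECT"),
    # Postfix form: /[[:alpha:]]<!--.*-->[[:alpha:]]/ ; Python re lacks POSIX classes.
    (r"[A-Za-z]<!--.*-->[A-Za-z]", "REJECT"),
]


def first_match(rules: List[Tuple[str, str]], text: str) -> Optional[Tuple[str, str]]:
    """Return (action, pattern) of the first rule matching text, like Postfix's first-match rule."""
    for pattern, action in rules:
        if re.search(pattern, text, re.IGNORECASE):
            return action, pattern
    return None


def scan_message(raw: str) -> Tuple[str, Optional[str]]:
    """Apply HEADER_CHECKS to the headers of every MIME part and BODY_CHECKS to each body line.
    Returns (action, offending text) for the first hit, or ("PASS", None)."""
    msg = email.message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        # policy.default unfolds continuation lines, so one header is one string here.
        for name, value in part.items():
            header = f"{name}: {value}"
            hit = first_match(HEADER_CHECKS, header)
            if hit:
                return hit[0], header
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        for line in payload.decode("utf-8", "replace").splitlines():
            hit = first_match(BODY_CHECKS, line)
            if hit:
                return hit[0], line
    return "PASS", None


# Constructed sample messages (not real mail).
MSG_ATTACHMENT = """\
From: alice@example.com
To: bob@example.com
Subject: report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

See attached.
--XX
Content-Type: application/octet-stream; name="report.pdf.exe"
Content-Disposition: attachment;
 filename="report.pdf.exe"

TVqQAAMAAAAEAAAA
--XX--
"""

MSG_OBFUSCATED = """\
From: promo@example.net
To: bob@example.com
Subject: offer

Get the l<!-- x -->owest rates today!
"""

MSG_CLEAN = """\
From: alice@example.com
To: bob@example.com
Subject: meeting

Meeting at 10:00 tomorrow, lowest rates discussion postponed.
"""

if __name__ == "__main__":
    for label, raw in (("attachment", MSG_ATTACHMENT), ("obfuscated", MSG_OBFUSCATED), ("clean", MSG_CLEAN)):
        print(label, "->", scan_message(raw))
```

The obfuscated message shows why the fourth body pattern exists: the HTML comment splits "lowest" so the third pattern no longer matches, but the letter-comment-letter pattern still does. The clean message mentions "lowest rates" without an exclamation mark and passes.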
[Figure (Qq20141216092342.png, http://s3.51cto.com/wyfs02/M00/57/06/wKiom1SPicPDPNe8AAINEKfDH4M829.jpg): the SMTP dialogue process and the restrictions that apply at each stage.]
This article is from the "Moon Ching Xing Fei" blog; please keep this source when reproducing it: http://ywzhou.blog.51cto.com/2785388/1590342
Postfix mailbox (IV): install Cyrus-SASL so that Postfix supports SMTP authentication