postfix 如何避免發信人冒名!!!!!!!!!!!!!!!!!!!
RFC882 DNS
最近在建立電郵系統時遇到了一點兒小問題,希望大家幫幫忙 ……
寄信時,怎樣確定客戶端使用的是真實的寄件人地址?比方說,以mailer的身份通過驗證,但是卻以test為發信人地址,
要如何避免這種冒名情況?
看了一下
Postfix: The Definitive Guide
書上如是說:
12.3.2.2 Preventing sender spoofing
To make sure that clients use correct sender addresses when relaying, Postfix allows you to map sender addresses to SASL logins. For example, if you have an address kdent@example.com that should be used only by the SASL user kdent, you can create a file requiring the correct user for that address:
kdent@example.com kdent
The file is a normal Postfix lookup table and allows regular expressions as well as local parts and domains (see Chapter 4 for information on Postfix lookup tables). Use the parameter smtpd_sender_login_maps in main.cf to indicate the table you create:
smtpd_sender_login_maps = hash:/etc/postfix/sasl_senders
You can list as many addresses as you need in the table. To reject messages from users attempting to use incorrect sender addresses or users who are not authenticated at all who attempt to use a specified address, include the restriction reject_sender_login_mismatch with your restriction parameters (see Chapter 11 for information on UBE restrictions).
我按其方法做了如下:
smtpd_sasl_auth_enable=yes
broken_sasl_auth_clients=yes
smtpd_recipient_restrictions= reject_unknown_recipient_domain,
reject_unauth_pipelining,reject_unauth_destination,
reject_sender_login_mismatch,permit_sasl_authenticated
smtpd_sender_login_maps=mysql:/etc/postfix/mysql_sasl_senders.cf
smtpd_sasl_local_domain=$myhostname,$mydomain,localhost.$mydomain
smtpd_sasl_security_options=noanonymous
smtpd_sasl_application_name=smtpd
smtpd_banner=Welcome to $myhostname ESMTP,adm:black! U can mail to me!
資料庫裡面內容是:
mysql> select * from mailbox;
+-----------------+-------+----------+----------+---------+------+------+-------+
| name | home | username | password | maildir | uid | gid | quota |
+-----------------+-------+----------+----------+---------+------+------+-------+
| black@black.vnt | black | black | black | black/ | NULL | NULL | |
| blue@black.vnt | blue | blue | blue | blue/ | NULL | NULL | |
| jack@black.vnt | jack | jack | jack | jack/ | 0 | 0 | |
| test@black.vnt | test | test | test | test/ | NULL | NULL | |
+-----------------+-------+----------+----------+---------+------+------+-------+
4 rows in set (0.00 sec)
mysql_sasl_senders.cf表裡面的內容是:(已經postmap過)
mail:/etc/postfix# less mysql_sasl_senders.cf
user = mail
password = mail
hosts = localhost
dbname = mail
table = mailbox
select_field = username
where_field = name
如果我把reject_sender_login_mismatch去除,正常發信但是沒能 Preventing sender spoofing.
但是我加上這一次則出現
Nov 21 11:32:19 mail postfix/smtpd: NOQUEUE: reject: RCPT from host.black.vnt: 553 5.7.1 <black@black.vnt>: Sender address rejected: not logged in; from=<black@black.vnt> to=<blue@black.vnt> proto=ESMTP helo=<blacklaptop>
正常用戶也不能用了
各位可知道原因啊???謝謝
《解決方案》
原帖由 unixnovice 於 2007-11-28 21:34 發表 http://bbs.chinaunix.net/images/common/back.gif
樓上的兄弟,您說的第二點正是我問題所在!發信驗證可用Sasl做,但是第二點應該如何識現呢?望賜教!
我使用的方法基本是和你一樣的,我不用milter,我的配置如下: (根據我的環境是成功的)
main.cf里:
#### Preventing sender spoofing ####
smtpd_sender_login_maps = mysql:/etc/postfix/mysql/mysql_virtual_alias_user_maps.cf, mysql:/etc/postfix/mysql/mysql_virtual_sender_maps.cf
smtpd_reject_unlisted_sender = yes
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_sender_login_mismatch, reject_authenticated_sender_login_mismatch, reject_unauthenticated_sender_login_mismatch
我的maps.cf放在/etc/postfix/mysql里的,別照搬喲
mysql_virtual_alias_user_maps.cf內容:
user = XXXX
password = XXXX
hosts = 127.0.0.1
dbname = postfix
table = alias
select_field = goto
where_field = address
mysql_virtual_sender_maps.cf內容:
user = XXXX
password = XXXX
hosts = 127.0.0.1
dbname = postfix
table = mailbox
select_field = username
where_field = username
我的mailbox表信息是:
+--------------------------+------------+--------------------------+---------------------------+------------+-----------------+---------------------+---------------------+--------+
| username | password | name | maildir | quota | domain | created | modified | active |
+--------------------------+------------+--------------------------+---------------------------+------------+-----------------+---------------------+---------------------+--------+
| user@domain | xxx | user@domain | domain.com/user/ | 1048576000 | domain.com | 2006-09-20 16:55:05 | 2006-09-20 16:55:05 | 1 |
我的sasl驗證是用username欄位里的信息作為user的,所以select_field = username,where_field = username.
你需要根據自己的表結構進行更改.
成功的話當你 telnet server 25假冒地址時會返回:
553 5.7.1 <xxx@xxx.com>: Sender address rejected: not logged in
[ 本帖最後由 戀夏寒 於 2007-12-17 11:41 編輯 ]
《解決方案》
提示不是說沒有login嗎?
要通過sasl驗證
《解決方案》
寫個milter就解決了,這問題我n年前見過,milter中看auth名字和from一致就通過。
《解決方案》
原帖由 meilinxiaoxue 於 2007-11-22 08:25 發表 http://bbs.chinaunix.net/images/common/back.gif
提示不是說沒有login嗎?
要通過sasl驗證
SASl驗證沒有問題的,因為這一步我調試成功過。只是加上Preventing sender spoofing.就出問題了
提示是說
Sender address rejected:再到 not logged
所以我認為問題出在reject_sender_login_mismatch上面。
《解決方案》
原帖由 劉五十三 於 2007-11-22 10:49 發表 http://bbs.chinaunix.net/images/common/back.gif
寫個milter就解決了,這問題我n年前見過,milter中看auth名字和from一致就通過。
那請問一下這個milter應怎麼寫呢?
權威指南上的方法應該行得通,但是為什麼我的就不行呢?是不是我哪兒做錯了?
請達人們給予指點……………………
《解決方案》
你為何要用sender_login_maps? 你的用戶auth的時候,username是user@domain,還是僅僅是user呢?
權威指南的情況是,auth用戶是user, mailfrom是user@domain,所以要一個map修正一下。如果你的auth已經是user@domain,被你map之後,反而不match咯。
《解決方案》
auth 用的是SASL認證,用的肯定是用戶名了
所以這步我覺得我沒有錯啊
MYSQL_SERVER localhost
MYSQL_USERNAME mail
MYSQL_PASSWORD mail
MYSQL_PORT 3306
MYSQL_SOCKET /tmp/mysql.sock
MYSQL_DATABASE mail
MYSQL_USER_TABLE mailbox
MYSQL_CRYPE_PWFIELD password
MYSQL_CLEAR_PWFIELD password
MYSQL_UID_FIELD "1006"
MYSQL_GID_FIELD "1006"
MYSQL_LOGIN_FIELD username
MYSQL_NAME_FIELD name
MYSQL_HOME_FIELD concat("/var/vmail/",maildir)
MYSQL_MAILDIR_FIELD concat("/var/vmail/",maildir)
《解決方案》
原帖由 unixnovice 於 2007-11-22 23:54 發表 http://bbs.chinaunix.net/images/common/back.gif
那請問一下這個milter應怎麼寫呢?
權威指南上的方法應該行得通,但是為什麼我的就不行呢?是不是我哪兒做錯了?
請達人們給予指點……………………
google一下milter,這條路肯定能通,而且極為靈活,改設置我覺得不一定能達到你的目的。
《解決方案》
這個問題有這麼難么?還是大家的電郵伺服器不怕地址偽造,一直用不上這功能?
