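Searching for that patch of light grass in life......

Daily archive: June 25th, 2009

Some problems with Postfix in a chroot environment

After installing ispCP I had never used its mail features. The other day I installed it on CentOS 5.3 and found it could not send mail. I remembered that when I had installed it on CentOS 5.2, newly created hosts could send mail without trouble. After some digging, it turned out that CentOS 5.2 could send because it uses sendmail, whereas CentOS 5.3 uses Postfix. As a stopgap I stopped Postfix on CentOS 5.3 and enabled sendmail, and sending worked normally.

The day before yesterday I set up a dedicated test machine to test the mail features. Below are some of the errors that show up in maillog when sending and receiving mail with the default setup. The mailbox addresses and IP addresses in the log have been replaced.

For the test, first turn off sendmail:
chkconfig --level 2345 sendmail off
service sendmail stop

Then start the relevant mail services.

Contents of maillog: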

#################################################
Jun 20 13:32:16 test.com postfix/smtpd[318]: warning: connect to 127.0.0.1:12525: Connection refused
Jun 20 13:32:16 test.com postfix/smtpd[318]: warning: problem talking to server 127.0.0.1:12525: Connection refused
Jun 20 13:32:17 test.com postfix/smtpd[318]: warning: connect to 127.0.0.1:12525: Connection refused
Jun 20 13:32:17 test.com postfix/smtpd[318]: warning: problem talking to server 127.0.0.1:12525: Connection refused
Jun 20 13:32:17 test.com postfix/smtpd[318]: NOQUEUE: reject: RCPT from unknown[125.77.233.210]: 451 4.3.5 Server configuration problem; from=<root@debian.ispcp.net> to=<user@example.net> proto=ESMTP helo=<debian.ispcp.net>
Jun 20 13:32:17 test.com postfix/smtpd[318]: disconnect from unknown[125.77.233.210]
Jun 20 21:35:37 test.com postfix/anvil[319]: statistics: max connection rate 1/60s for (smtp:125.77.233.210) at Jun 20 21:32:16
Jun 20 13:35:37 test.com postfix/anvil[319]: statistics: max connection count 1 for (smtp:125.77.233.210) at Jun 20 13:32:16
Jun 20 13:35:37 test.com postfix/anvil[319]: statistics: max cache size 1 at Jun 20 13:32:16
Jun 20 21:36:00 test.com imapd: Connection, ip=[::ffff:127.0.0.1]
Jun 20 21:36:00 test.com imapd: LOGIN, user=user@example.net, ip=[::ffff:127.0.0.1], port=[48051], protocol=IMAP
Jun 20 21:36:00 test.com imapd: LOGOUT, user=user@example.net, ip=[::ffff:127.0.0.1], headers=0, body=0, rcvd=87, sent=391, time=0
Jun 20 21:37:01 test.com spamd[500]: logger: removing stderr method
Jun 20 21:37:08 test.com spamd[502]: spamd: server started on port 783/tcp (running version 3.2.5)
Jun 20 21:37:08 test.com spamd[502]: spamd: server pid: 502
Jun 20 21:37:08 test.com spamd[502]: spamd: server successfully spawned child process, pid 507
Jun 20 21:37:08 test.com spamd[502]: spamd: server successfully spawned child process, pid 508
Jun 20 21:37:08 test.com spamd[502]: prefork: child states: II
Jun 20 21:37:39 test.com postfix/smtpd[511]: connect from unknown[127.0.0.1]
Jun 20 13:37:39 test.com postfix/smtpd[511]: NOQUEUE: reject: RCPT from unknown[127.0.0.1]: 450 4.1.2 <user@example.com>: Recipient address rejected: Domain not found; from=<user@example.net> to=<user@example.com> proto=ESMTP helo=<11.22.33.44>
Jun 20 13:37:39 test.com postfix/smtpd[511]: lost connection after RCPT from unknown[127.0.0.1]
Jun 20 13:37:39 test.com postfix/smtpd[511]: disconnect from unknown[127.0.0.1]
Jun 20 13:37:41 test.com postfix/smtpd[511]: connect from unknown[127.0.0.1]
Jun 20 13:37:41 test.com postfix/smtpd[511]: NOQUEUE: reject: RCPT from unknown[127.0.0.1]: 450 4.1.2 <user@example.com>: Recipient address rejected: Domain not found; from=<user@example.net> to=<user@example.com> proto=ESMTP helo=<11.22.33.44>
Jun 20 13:37:41 test.com postfix/smtpd[511]: lost connection after RCPT from unknown[127.0.0.1]
Jun 20 13:37:41 test.com postfix/smtpd[511]: disconnect from unknown[127.0.0.1]
Jun 20 13:38:14 test.com postfix/smtpd[511]: connect from unknown[125.77.233.210]
Jun 20 13:38:14 test.com postfix/smtpd[511]: warning: connect to 127.0.0.1:12525: Connection refused
Jun 20 13:38:14 test.com postfix/smtpd[511]: warning: problem talking to server 127.0.0.1:12525: Connection refused
Jun 20 21:38:14 test.com postfix/smtpd[516]: connect from unknown[125.77.233.210]
Jun 20 13:38:14 test.com postfix/smtpd[516]: warning: connect to 127.0.0.1:12525: Connection refused
Jun 20 13:38:14 test.com postfix/smtpd[516]: warning: problem talking to server 127.0.0.1:12525: Connection refused
Jun 20 13:38:15 test.com postfix/smtpd[511]: warning: connect to 127.0.0.1:12525: Connection refused
Jun 20 13:38:15 test.com postfix/smtpd[511]: warning: problem talking to server 127.0.0.1:12525: Connection refused
Jun 20 13:38:15 test.com postfix/smtpd[511]: NOQUEUE: reject: RCPT from unknown[125.77.233.210]: 451 4.3.5 Server configuration problem; from=<root@debian.ispcp.net> to=<user@example.net> proto=ESMTP helo=<debian.ispcp.net>
Jun 20 13:38:15 test.com postfix/smtpd[511]: disconnect from unknown[125.77.233.210]
Jun 20 13:38:15 test.com postfix/smtpd[516]: warning: connect to 127.0.0.1:12525: Connection refused
Jun 20 13:38:15 test.com postfix/smtpd[516]: warning: problem talking to server 127.0.0.1:12525: Connection refused

#################################################

Jun 20 23:51:18 test.com postfix/postfix-script: starting the Postfix mail system
Jun 20 23:51:18 test.com postfix/master[6161]: daemon started -- version 2.3.3, configuration /etc/postfix
Jun 20 23:51:18 test.com postfix/qmgr[6164]: C8FB618A830B: from=<xxx@dddf.com>, size=331, nrcpt=1 (queue active)
Jun 20 23:51:18 test.com postfix/smtp[6166]: fatal: unknown service: smtp/tcp
Jun 20 23:51:19 test.com postfix/qmgr[6164]: warning: premature end-of-input on private/smtp socket while reading input attribute name
Jun 20 23:51:19 test.com postfix/qmgr[6164]: warning: private/smtp socket: malformed response
Jun 20 23:51:19 test.com postfix/qmgr[6164]: warning: transport smtp failure -- see a previous warning/fatal/panic logfile record for the problem description
Jun 20 23:51:19 test.com postfix/master[6161]: warning: process /usr/libexec/postfix/smtp pid 6166 exit status 1
Jun 20 23:51:19 test.com postfix/master[6161]: warning: /usr/libexec/postfix/smtp: bad command startup -- throttling
Jun 20 23:51:19 test.com postfix/qmgr[6164]: C8FB618A830B: to=<user@example.com>, relay=none, delay=1708, delays=1707/1/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)

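Those are the key error log entries. The fixes follow.

1. connect to 127.0.0.1:12525: Connection refused

Run the command netstat -aln | grep 12525
and you will see that nothing is in fact listening on port 12525.

In /etc/postfix/main.cf there is this block of configuration: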
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_unlisted_recipient,
check_policy_service inet:127.0.0.1:12525,
check_policy_service inet:127.0.0.1:60000,

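check_policy_service inet:127.0.0.1:12525
This line configures policyd-weight for spam classification. It is not installed by default on CentOS, but when ispCP is installed on Debian 5.0.1, policyd-weight is installed by default.
For details, see: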

http://www.policyd-weight.org/

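Solution

a. Install policyd-weight and enable it.
For installation, see this article: http://www.187299.com/archives/1044

b. Comment out the policyd-weight configuration.
Comment out the corresponding entries in /etc/postfix/main.cf so that they read:
#                               check_policy_service inet:127.0.0.1:12525,
#                               check_policy_service inet:127.0.0.1:60000,
Then restart the service with service postfix restart.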
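
The netstat check from problem 1, generalized to every check_policy_service endpoint in main.cf. This is an added example, not part of the original post; it reads saved `netstat -ltn` output from a file, and the sample main.cf, the sample listener list and port 10031 are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the original post): report check_policy_service
# endpoints in main.cf that have no listener in saved `netstat -ltn` output.

# Print host:port for every inet policy service on a non-comment line.
policy_endpoints() {    # usage: policy_endpoints MAIN_CF
    awk '
        /^[ \t]*#/ { next }    # main.cf comments are whole lines
        {
            line = $0
            while (match(line, /check_policy_service[ \t]+inet:[^, \t]+/)) {
                ep = substr(line, RSTART, RLENGTH)
                sub(/.*inet:/, "", ep)
                print ep
                line = substr(line, RSTART + RLENGTH)
            }
        }
    ' "$1" | sort -u
}

# Succeed if the endpoint (or a wildcard bind on its port) is in LISTEN state.
is_listening() {        # usage: is_listening HOST:PORT NETSTAT_FILE
    awk -v ep="$1" '
        BEGIN { port = ep; sub(/.*:/, "", port); rc = 1 }
        $NF == "LISTEN" && ($4 == ep || $4 == "0.0.0.0:" port || $4 == ":::" port) { rc = 0 }
        END { exit rc }
    ' "$2"
}

# Print each configured endpoint that nothing is listening on.
unserved_endpoints() {  # usage: unserved_endpoints MAIN_CF NETSTAT_FILE
    for ep in $(policy_endpoints "$1"); do
        is_listening "$ep" "$2" || echo "$ep"
    done
}

# Constructed sample data (port 10031 is made up) so the example runs offline.
demo2=$(mktemp -d)
printf '%s\n' 'smtpd_recipient_restrictions = reject_unauth_destination,' \
    '    check_policy_service inet:127.0.0.1:12525,' \
    '#   check_policy_service inet:127.0.0.1:10031,' \
    '    check_policy_service inet:127.0.0.1:60000' > "$demo2/main.cf"
printf '%s\n' 'tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN' \
    'tcp 0 0 127.0.0.1:783 0.0.0.0:* LISTEN' \
    'tcp 0 0 0.0.0.0:60000 0.0.0.0:* LISTEN' > "$demo2/netstat.txt"
unserved_endpoints "$demo2/main.cf" "$demo2/netstat.txt"
```

On a live host, save `netstat -ltn` to a file and pass /etc/postfix/main.cf as the first argument; every endpoint printed will produce the 451 4.3.5 "Server configuration problem" rejections shown in the log.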

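2. Recipient address rejected: Domain not found
In a chroot environment Postfix cannot use /etc/resolv.conf for name resolution, hence Domain not found.

Solution:
cp /etc/resolv.conf /var/spool/postfix/etc/

At this point Postfix can receive but not send: mail sent from outside to local users arrives, but local users still cannot send mail to the outside.

3. fatal: unknown service: smtp/tcp
Same as the second problem: in a chroot environment Postfix cannot use /etc/services.

Solution:
cp /etc/services /var/spool/postfix/etc/

With that done, start the mail services and mail can be sent and received.

Notes for reference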
/etc/postfix/master.cf
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp   inet     n       -       -       -       -       smtpd

This is where the individual services are defined. A value of - or y counts as true, so the smtp entry above runs in a chroot environment.
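
A check that ties the master.cf chroot column to the two cp fixes above: it lists the chrooted services and flags copies of resolv.conf and services inside the chroot that are missing or have drifted from /etc. This is an added example, not part of the original post; it assumes the Postfix 2.x behaviour described here (a - in the chroot column means chrooted), and the sample files are constructed.

```sh
#!/bin/sh
# Added example (not from the original post): audit a Postfix chroot.
# Assumes Postfix 2.x semantics, where "-" in the chroot column means "y".

# Print "service/type" for each master.cf entry that runs chrooted.
chrooted_services() {   # usage: chrooted_services MASTER_CF
    awk '
        /^[ \t#]/ || NF == 0 { next }   # comments, continuation and blank lines
        NF >= 8 && ($5 == "y" || $5 == "-") { print $1 "/" $2 }
    ' "$1"
}

# Compare one system file with its copy inside the chroot.
# Prints OK/MISSING/STALE and returns 0, 1 or 2 respectively.
check_chroot_file() {   # usage: check_chroot_file SYSTEM_FILE CHROOT_DIR
    copy="$2/etc/$(basename "$1")"
    [ -f "$copy" ] || { echo "MISSING $copy"; return 1; }
    cmp -s "$1" "$copy" || { echo "STALE   $copy"; return 2; }
    echo "OK      $copy"
}

# Check the resolver files only if at least one service is chrooted.
audit_chroot() {        # usage: audit_chroot MASTER_CF CHROOT_DIR ETC_DIR
    svcs=$(chrooted_services "$1")
    [ -n "$svcs" ] || { echo "no chrooted services"; return 0; }
    echo "chrooted: $(echo $svcs)"
    rc=0
    for f in resolv.conf services; do
        check_chroot_file "$3/$f" "$2" || rc=1
    done
    return $rc
}

# Constructed sample data so the example runs offline.
demo=$(mktemp -d)
mkdir -p "$demo/etc" "$demo/spool/etc"
printf '%s\n' '# service type private unpriv chroot wakeup maxproc command' \
    'smtp   inet n - - - - smtpd' \
    'pickup fifo n - n 60 1 pickup' \
    'smtp   unix - - - - - smtp' > "$demo/master.cf"
echo 'nameserver 192.0.2.53' > "$demo/etc/resolv.conf"
echo 'smtp 25/tcp mail'      > "$demo/etc/services"
cp "$demo/etc/resolv.conf" "$demo/spool/etc/"   # services deliberately not copied
audit_chroot "$demo/master.cf" "$demo/spool" "$demo/etc" || echo "chroot needs fixing"
```

On a live host the arguments would be /etc/postfix/master.cf, /var/spool/postfix and /etc. A STALE result matters because the copies made with cp do not follow later changes to the originals, for example a new nameserver.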

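Many articles online advise against running Postfix in a chroot environment, because Postfix is already a very robust MTA.
When I have time I will look into how the root directory of Postfix's chroot environment is set, and then at how to switch it to running in a normal, non-chroot environment.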

Howto setup Postfix and policyd-weight

1. Read the changelog
1.1. Download policyd-weight
Depending on the bugfixes (see changelog) download the appropriate release:

or if "devel" sounds more exciting:

Move policyd-weight to the proper location for your operating system (example shows *BSD):

# mv policyd-weight /usr/local/libexec/postfix/policyd-weight
# chmod 0555 /usr/local/libexec/postfix/policyd-weight

Check the default settings

# /usr/local/libexec/postfix/policyd-weight defaults

If these settings seem appropriate you don't need a configuration file at all. In case you like to change some settings, create a file (i.e. /usr/local/etc/policyd-weight.conf) and add only the variables that differ from the defaults. For example if you want only DNSBL checks and a different port use:

# ----------------------------------------------------------------
#  minimal configuration for policyd-weight
# ----------------------------------------------------------------
$dnsbl_checks_only = 1;
$TCP_PORT          = 12336;

There is another option, which is not recommended:

# /usr/local/libexec/postfix/policyd-weight defaults > /usr/local/etc/policyd-weight.conf
# chmod 0644 /usr/local/etc/policyd-weight.conf

This will write the default configuration to a file. However, this is not good practice, because it makes the configuration file difficult to maintain and changed defaults will not be picked up automatically.
2.1 Add a system account for policyd-weight
Use the appropriate commands for your operating system to add a new user and a new group named polw. This unprivileged user does not need a valid shell.
2.2 Create an init script
Either create an rc-init script or manage otherwise that policyd-weight gets started at boot-time. The command to start policyd-weight in daemon mode is:

# /path/to/policyd-weight start

You need to be root to do that.
3. Edit Postfix main.cf
This example shows a minimal setup. Do NOT copy & paste, instead adjust your main.cf to meet the minimal requirements. Please keep old authentication restrictions (such as SASL) and so forth:

01:  smtpd_helo_required = yes                          # required
02:  smtpd_delay_reject = yes                           # suggested
03:
04:  smtpd_helo_restrictions =
05:      permit_mynetworks,                             # suggested
06:      reject_invalid_hostname                        # suggested
07:
08:  smtpd_client_restrictions = permit_mynetworks      # suggested
09:
10:  smtpd_sender_restrictions = permit_mynetworks      # suggested
11:
12:  smtpd_recipient_restrictions =
13:      permit_mynetworks,                             # required
14:      … other authed permits …
15:      … (permit_sasl_authenticated) …
16:      reject_unauth_destination,                     # required
17:      reject_unauth_pipelining,                      # suggested
18:      … whitelists (role accounts, clients) …
19:      reject_non_fqdn_recipient,                     # suggested
20:      check_policy_service inet:127.0.0.1:12525      # required

Line 6: makes sure that only valid DNS names (in terms of [RFC 2821] Sect. 2.3.5, [RFC 1123] Sect. 5.2.5 and [RFC 1035] Sect. 2.3.1) are allowed in the HELO command. reject_invalid_hostname (or reject_invalid_helo_hostname as of Postfix 2.3.x) makes sure that no bogus characters are used. It's a safety and RFC setting.

Line 20: calls the policy daemon on host 127.0.0.1 (localhost) at port 12525.
For whitelisting hosts read the FAQ.

To prevent a proper MTA from using your own domain as sender, please read and understand Ralf Hildebrandt's recipe

If you don't understand some settings or don't know their meaning, please first read Postfix SMTP relay and access control and the postconf.5 manpage.
4. Score tuning and other configurations
To tune scores or turn on/off some features such as X-headers, read and edit /usr/local/etc/policyd-weight.conf
The configuration file is Perl syntax. If you make Perl syntax errors there, policyd-weight won't work.
It is not required to restart or reload postfix. Changes made to the configuration are picked up by each new policyd-weight instance. To have changes take effect immediately you can a) kill each policyd-weight instance, or b) restart Postfix if running in master.cf mode.

Reposted from: http://www.thismail.org/bbs/thread-2044-1-1.html
