• Postfix being used as a spam relay


    Disk I/O was pegged at 100% all the time.

    The only things running on that server were monitoring and the mail ELK stack.

    The mail log turned out to be being written to like crazy:

    tail -f /var/log/maillog

    Almost all of it involved yahoo.com.tw addresses.

    I emptied /var/spool/postfix/incoming, active, bounce, defer and deferred (whether to do this depends on the situation; Postfix's own tool for this is postsuper, e.g. postsuper -d ALL deferred to drop the deferred queue, which is safer than removing spool files by hand).

    The entries looked like this:

    Jun 19 19:16:37  postfix/error[39976]: 12A9BD00AFD: to=<b9081135@yahoo.com.tw>, relay=none, delay=9.5, delays=8.3/0.01/0/1.3, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx-tw.mail.gm0.yahoodns.net[27.123.206.55] while sending RCPT TO)
    Jun 19 19:16:37 postfix/error[39976]: 12A9BD00AFD: to=<baller0819@yahoo.com.tw>, relay=none, delay=9.6, delays=8.3/0.01/0/1.3, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx-tw.mail.gm0.yahoodns.net[27.123.206.55] while sending RCPT TO)
    Jun 19 19:16:37  postfix/error[39976]: 12A9BD00AFD: to=<belonguandme@yahoo.com.tw>, relay=none, delay=9.6, delays=8.3/0.01/0/1.3, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx-tw.mail.gm0.yahoodns.net[27.123.206.55] while sending RCPT TO)
    Jun 19 19:16:41  postfix/cleanup[40133]: 8CDDCD00AFF: message-id=<HMVJLNPHPPGQZMQGTTADBOUMA@163.com>
    Jun 19 19:16:41 jxq-c2-16-2 postfix/qmgr[24909]: 8CDDCD00AFF: from=<qqnvuolu@163.com>, size=2830, nrcpt=30 (queue active)
    Jun 19 19:16:41  postfix/error[39978]: 8CDDCD00AFF: to=<0930264825@yahoo.com.tw>, relay=none, delay=9.1, delays=9.1/0.01/0/0.02, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx-tw.mail.gm0.yahoodns.net[27.123.206.55] while sending RCPT TO)
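    Rather than eyeballing tail -f, a quick count of sender domains, recipient domains and connecting clients tells you what is going on. The following is an added example, not part of the original post: each function reads maillog lines on stdin, and the sample lines are adapted from the ones above with a couple of extra lines so the counts are worth looking at. The check for sasl_username= is also an addition; it separates a stolen login from an open relay, which decides whether the fix is a password reset or the relay settings described further down.

```shell
#!/bin/sh
# Added triage helpers (not from the original post). Each function reads
# maillog lines on stdin and prints "count value" lines, most frequent first.

# Sample lines in Postfix's log format, adapted from the post with two extra
# lines; addresses and queue IDs are not real data.
MAILLOG_SAMPLE='Jun 19 19:16:41 mx postfix/qmgr[24909]: 8CDDCD00AFF: from=<qqnvuolu@163.com>, size=2830, nrcpt=30 (queue active)
Jun 19 19:16:41 mx postfix/error[39978]: 8CDDCD00AFF: to=<0930264825@yahoo.com.tw>, relay=none, delay=9.1, delays=9.1/0.01/0/0.02, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx-tw.mail.gm0.yahoodns.net[27.123.206.55] while sending RCPT TO)
Jun 19 19:16:41 mx postfix/error[39978]: 8CDDCD00AFF: to=<baller0819@yahoo.com.tw>, relay=none, delay=9.1, delays=9.1/0.01/0/0.02, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx-tw.mail.gm0.yahoodns.net[27.123.206.55] while sending RCPT TO)
Jun 20 14:18:45 mx postfix/smtpd[31120]: NOQUEUE: reject: RCPT from unknown[121.22.69.214]: 554 5.7.1 <eoyhscpr@163.com>: Sender address rejected: Access denied; from=<eoyhscpr@163.com> to=<thankupbig@yahoo.com.tw> proto=SMTP helo=<>
Jun 20 14:18:52 mx postfix/smtpd[31120]: NOQUEUE: reject: RCPT from unknown[121.22.69.214]: 554 5.7.1 <eoyhscpr@163.com>: Sender address rejected: Access denied; from=<eoyhscpr@163.com> to=<tel331699@yahoo.co.jp> proto=SMTP helo=<>
Jun 20 14:19:05 mx postfix/smtpd[31122]: NOQUEUE: reject: RCPT from 36-224-128-99.dynamic-ip.hinet.net[36.224.128.99]: 554 5.7.1 <spam@yandex.ru>: Sender address rejected: Access denied; from=<spam@yandex.ru> to=<ttuu01@yahoo.com.tw> proto=SMTP helo=<>'

# Sender domains from "from=<user@domain>" (qmgr and smtpd lines).
top_sender_domains() {
    awk 'match($0, /from=<[^@>]+@[^>]+>/) {
             s = substr($0, RSTART, RLENGTH); sub(/.*@/, "", s); sub(/>$/, "", s); print s
         }' | sort | uniq -c | sort -rn
}

# Recipient domains from "to=<user@domain>".
top_recipient_domains() {
    awk 'match($0, /to=<[^@>]+@[^>]+>/) {
             s = substr($0, RSTART, RLENGTH); sub(/.*@/, "", s); sub(/>$/, "", s); print s
         }' | sort | uniq -c | sort -rn
}

# Connecting clients from "... from hostname[ip]" in smtpd lines. The
# "[ip]" after "with" in delivery errors is the remote MX, not a client,
# so only the " from name[ip]" form is counted.
top_client_ips() {
    awk 'match($0, / from [^ ]*\[[0-9.]+\]/) {
             s = substr($0, RSTART, RLENGTH); sub(/.*\[/, "", s); sub(/\]$/, "", s); print s
         }' | sort | uniq -c | sort -rn
}

# Lines with sasl_username= mean the mail was submitted with a (stolen)
# login rather than relayed anonymously; empty output points at an open
# relay or an over-broad mynetworks instead.
authenticated_submissions() {
    awk 'match($0, /sasl_username=[^, ]+/) { print substr($0, RSTART + 14, RLENGTH - 14) }' |
        sort | uniq -c | sort -rn
}

for f in top_sender_domains top_recipient_domains top_client_ips authenticated_submissions; do
    echo "== $f =="
    printf '%s\n' "$MAILLOG_SAMPLE" | "$f"
done
```

    On a real box the functions take the log directly, e.g. top_client_ips < /var/log/maillog | head, which is also a quick way to decide which addresses deserve a firewall rule.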

    In the end I changed and added a few things in Postfix's main.cf. The changes were:

    The first parameter to change is myhostname, which should be the machine's real fully qualified name, for example:

    myhostname = mail.example.com
    mydomain is the domain part:

    mydomain = example.com
    myorigin and mydestination can both be set to mydomain:

    myorigin = $mydomain
    mydestination = $mydomain
    Distribution packages usually ship Postfix listening only on the loopback address; to talk to the outside world it has to listen on every interface:

    inet_interfaces = all
    By default Postfix trusts every machine on the server's own subnets (mynetworks_style = subnet, the default before Postfix 3.0); to trust only this host set it to host:

    mynetworks_style = host
    relay_domains lists the destination domains this server will relay mail to. Only mydomain belongs here; anything broader means strangers can use the server to forward spam:

    relay_domains = $mydomain


    With the basics in place, the next step is to control who may send what through the server:

    • Mail from outside domains to our domain must be accepted, otherwise no external mail gets in;
    • Mail from our domain to outside domains may only be sent from this machine, otherwise anyone can forge an address in our domain and send out through us;
    • Mail from outside domains to outside domains is rejected outright, otherwise the server is an open relay and will be treated as a spam source.

    First the sender rules:

    smtpd_sender_restrictions = permit_mynetworks, check_sender_access hash:/etc/postfix/sender_access, permit


    The list is evaluated left to right: permit_mynetworks accepts the message if the connecting client is in $mynetworks (with mynetworks_style = host, only this machine); otherwise check_sender_access looks the sender address up in sender_access and rejects the senders listed there; everything else is permitted.

    Then the recipient rules:

    smtpd_recipient_restrictions = permit_mynetworks, check_recipient_access hash:/etc/postfix/recipient_access, reject


    Again permit_mynetworks accepts anything from a client in $mynetworks; otherwise check_recipient_access looks the recipient up in recipient_access and accepts the ones listed there; the final reject refuses every other recipient.

    Contents of /etc/postfix/sender_access:

    example.com REJECT


    This stops outsiders from sending mail as xxx@example.com through the server. Mail submitted on the machine itself is unaffected, because that client is in $mynetworks and permit_mynetworks matches first. (The list has no permit_sasl_authenticated; a remote user submitting over SMTP AUTH would need that entry in front of the access check.)

    Contents of /etc/postfix/recipient_access:

    postmaster@example.com OK
    webmaster@example.com OK


    So outside domains can only send to those two addresses; everything else is rejected. Local-to-local delivery is unaffected.

    Finally build the hash maps with postmap:

    # postmap sender_access
    # postmap recipient_access


    Start Postfix:

    # /etc/init.d/postfix start


    Reference: http://www.liaoxuefeng.com/article/00137387674890099a71c0400504765b89a5fac65728976000

    The settings actually added to main.cf on this server:

    smtpd_sender_restrictions = permit_mynetworks, check_sender_access hash:/etc/postfix/sender_access, permit
    smtpd_recipient_restrictions = permit_mynetworks, check_recipient_access hash:/etc/postfix/recipient_access, reject
    
    
    non_fqdn_reject_code = 450
    #unknown_local_recipient_reject_code = 550
    #unknown_local_recipient_reject_code = 450
    unknown_virtual_alias_reject_code = 450
    unknown_virtual_mailbox_reject_code = 450
    maps_rbl_reject_code = 450

    Define sender_access and recipient_access:

    [root@ log]# cat /etc/postfix/sender_access
    yahoo.com.tw    REJECT
    yahoo.com.jp    REJECT
    yahoo.co.jp     REJECT
    163.com         REJECT
    yandex.ru       REJECT
    physiciansnews.com REJECT
    keekoo.com REJECT
    orifegypt.com  REJECT
    sperinde.com REJECT
    keylessremotewarehouse.com REJECT
    [root@ log]# cat /etc/postfix/recipient_access
    noreply@playyx.com  OK
    yahoo.com.tw    REJECT
    yahoo.com.jp    REJECT
    yahoo.co.jp     REJECT
    163.com         REJECT
    yandex.ru       REJECT
    physiciansnews.com REJECT
    keekoo.com REJECT
    orifegypt.com  REJECT
    sperinde.com REJECT
    keylessremotewarehouse.com REJECT  

    Because the recipient list ends in reject, the REJECT entries in recipient_access are redundant: any recipient not explicitly marked OK is refused anyway, including other mailboxes in the local domain, which is acceptable only on a box that just sends alerts. Then run postmap:

    # postmap sender_access
    # postmap recipient_access
    
    Restart Postfix.
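    The settings above that decide whether Postfix relays for strangers are mynetworks (or mynetworks_style), relay_domains and the restriction lists. Here is an added check, not from the original post or from Postfix itself, that reads main.cf-style "name = value" lines (the format postconf -n prints) and flags the usual open-relay mistakes. Both configurations in it are constructed: the weak one trusts every client and ends its recipient list with permit; the fixed one is the setup described on this page plus an smtpd_relay_restrictions line, the parameter Postfix 2.10 and later evaluates before smtpd_recipient_restrictions (its default already contains defer_unauth_destination).

```shell
#!/bin/sh
# Added example, not from the original post: audit the main.cf settings that
# decide whether Postfix relays for strangers. Input is "name = value" lines
# on stdin, as printed by "postconf -n". Both configs here are constructed.

WEAK_CF='myhostname = mail.example.com
mydomain = example.com
inet_interfaces = all
mynetworks = 0.0.0.0/0
relay_domains = $mydomain
smtpd_relay_restrictions =
smtpd_recipient_restrictions = permit_mynetworks, permit'

FIXED_CF='myhostname = mail.example.com
mydomain = example.com
inet_interfaces = all
mynetworks_style = host
relay_domains = $mydomain
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sender_restrictions = permit_mynetworks, check_sender_access hash:/etc/postfix/sender_access, permit
smtpd_recipient_restrictions = permit_mynetworks, check_recipient_access hash:/etc/postfix/recipient_access, reject'

# cf_get NAME: value of NAME from the config on stdin (last one wins, as in Postfix).
cf_get() {
    awk -v key="$1" '$1 == key && $2 == "=" { sub(/^[^=]*=[ \t]*/, ""); val = $0 } END { print val }'
}

# has_relay_guard LIST: true if a comma-separated restriction list contains a
# step that stops relaying to foreign domains, or a terminal reject/defer.
has_relay_guard() {
    printf '%s\n' "$1" | tr ',' '\n' | tr -d ' \t' |
        grep -qx -e reject_unauth_destination -e defer_unauth_destination \
                 -e check_relay_domains -e reject -e defer -e defer_if_permit
}

# audit_main_cf: one FINDING line per problem; prints nothing when clean.
audit_main_cf() {
    cf=$(cat)
    mn=$(printf '%s\n' "$cf" | cf_get mynetworks)
    style=$(printf '%s\n' "$cf" | cf_get mynetworks_style)
    relay=$(printf '%s\n' "$cf" | cf_get smtpd_relay_restrictions)
    rcpt=$(printf '%s\n' "$cf" | cf_get smtpd_recipient_restrictions)

    case "$mn" in
        *0.0.0.0/0*|*::/0*)
            echo "FINDING: mynetworks = $mn trusts every client, so permit_mynetworks relays for the whole Internet" ;;
    esac
    # mynetworks_style only matters when mynetworks is not set explicitly.
    # Unset means the default: subnet before Postfix 3.0, host from 3.0 on
    # (check with "postconf -d mynetworks_style").
    if [ -z "$mn" ] && [ "${style:-subnet}" != host ]; then
        echo "FINDING: mynetworks_style = ${style:-subnet} trusts every host on the server's subnets; set mynetworks_style = host or an explicit mynetworks"
    fi
    # Postfix >= 2.10 checks smtpd_relay_restrictions before the recipient
    # list; older versions only have the recipient list. Either may carry the guard.
    if ! has_relay_guard "$relay" && ! has_relay_guard "$rcpt"; then
        echo "FINDING: neither smtpd_relay_restrictions nor smtpd_recipient_restrictions contains reject_unauth_destination or a terminal reject: open relay"
    fi
}

echo "== weak =="
printf '%s\n' "$WEAK_CF" | audit_main_cf
echo "== fixed =="
printf '%s\n' "$FIXED_CF" | audit_main_cf
```

    On a live server run postconf -n | audit_main_cf after sourcing the functions; a clean run prints nothing. The check only covers relay control, not the sender and recipient access maps, which are policy rather than relay safety.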

    After this the log showed those messages being rejected, but it was still scrolling just as fast, now in this format:

    Jun 20 14:18:45  postfix/smtpd[31120]: NOQUEUE: reject: RCPT from unknown[121.22.69.214]: 554 5.7.1 <eoyhscpr@163.com>: Sender address rejected: Access denied; from=<eoyhscpr@163.com> to=<thankupbig@yahoo.com.tw> proto=SMTP helo=<>
    Jun 20 14:18:52  postfix/smtpd[31120]: NOQUEUE: reject: RCPT from unknown[121.22.69.214]: 554 5.7.1 <eoyhscpr@163.com>: Sender address rejected: Access denied; from=<eoyhscpr@163.com> to=<tel331699@yahoo.com.tw> proto=SMTP helo=<>
    Jun 20 14:18:54 postfix/smtpd[31120]: NOQUEUE: reject: RCPT from unknown[121.22.69.214]: 554 5.7.1 <eoyhscpr@163.com>: Sender address rejected: Access denied; from=<eoyhscpr@163.com> to=<wangsir1357@yahoo.com.tw> proto=SMTP helo=<>
    Jun 20 14:19:05  postfix/smtpd[31120]: NOQUEUE: reject: RCPT from unknown[121.22.69.214]: 554 5.7.1 <eoyhscpr@163.com>: Sender address rejected: Access denied; from=<eoyhscpr@163.com> to=<ttuu01@yahoo.com.tw> proto=SMTP helo=<>

    So I turned to the firewall.

    Default policy: allow everything.

    DROP those IPs, following http://blog.csdn.net/langeldep/article/details/38704291

    Compile with gcc -g -o dyn dyn.c, which produces the executable dyn.

    My dyn binary lives in /root, so the command is:

    nohup tail -f /var/log/maillog | /root/dyn &

    and it runs on its own from there.

    Checking maillog again a while later, there were basically no more unknown IPs connecting to send mail.

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #define BUF_LEN   4096

    int main(int argc, char **argv)
    {
        /* Lines this program reacts to look like:
         *   too many errors after RCPT from 36-224-128-99.dynamic-ip.hinet.net[36.224.128.99]
         *   too many errors after RCPT from 118-169-22-28.dynamic.hinet.net[118.169.22.28]
         *   too many errors after AUTH from unknown[79.125.161.236]
         */
        char buf[BUF_LEN] = {0};
        const char *sep = "too many errors after";

        /* Read log lines from stdin (fed by "tail -f"). Stop at EOF rather
         * than looping forever, which is what happened when tail went away. */
        while (fgets(buf, sizeof(buf) - 1, stdin) != NULL)
        {
            char *p = strstr(buf, sep);
            if (p == NULL)
                continue;

            /* The client address is the text between the first '[' and the ']' after it. */
            char *p1 = p + strlen(sep);
            char *ps = NULL;
            char *pe = NULL;
            while (*p1 != '\0' && *p1 != '\n')
            {
                if (*p1 == '[' && ps == NULL)
                    ps = p1 + 1;
                else if (*p1 == ']' && ps != NULL)
                {
                    pe = p1;
                    break;
                }
                p1++;
            }

            /* The original copied without a length check, so a long bracketed
             * string in a log line could overflow ipbuf; skip anything that
             * does not fit. */
            char ipbuf[64] = {0};
            if (ps == NULL || pe == NULL || (size_t)(pe - ps) >= sizeof(ipbuf))
                continue;
            memcpy(ipbuf, ps, pe - ps);

            /* Note that ipbuf is spliced into a shell command line: nothing
             * here verifies that it really is an IP address before system() runs it. */
            char ebuf[512] = {0};
            snprintf(ebuf, sizeof(ebuf) - 1, "iptables -I INPUT -s %s -j DROP", ipbuf);
            system(ebuf);
            printf("%s\n", ebuf);
            fflush(stdout);
        }

        return 0;
    }
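    The dyn program does the job, but before letting it run as root a reviewer would want two things changed: whatever sits between the brackets goes straight into system() (and the copy into ipbuf has no length check), and the same client gets a fresh DROP rule every time it trips the limit. The shell version below is an added example, not the original tool: it accepts only a well-formed IPv4 literal, hands it to iptables as a separate argument instead of building a command string, and records what it has already blocked. SEEN_FILE and DRY_RUN are names made up for this example, and the sample log lines are constructed, one of them deliberately malformed. Postfix logs "too many errors after ..." once a client reaches smtpd_hard_error_limit (20 by default), which is why dyn only fires after the rejects shown above have repeated for a while. In production fail2ban's postfix jail does the same job and also expires the bans.

```shell
#!/bin/sh
# Added example, not the original dyn.c: tail the mail log and block clients
# that Postfix reports as "too many errors after", with input validation,
# no shell string building, and no duplicate rules.

# Where already-blocked addresses are recorded (name made up for this example).
SEEN_FILE=${SEEN_FILE:-${TMPDIR:-/tmp}/postfix-blocked-ips}

# client_ip_from_line LINE: print the client IPv4 from a
# "too many errors after ... from host[ip]" line. Exit 1 if the line is not
# that message or the bracketed text is not a well-formed dotted quad, so a
# crafted value such as "[1.2.3.4; rm -rf /]" is never acted on.
client_ip_from_line() {
    printf '%s\n' "$1" | awk '
        /too many errors after/ && match($0, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/) {
            ip = substr($0, RSTART + 1, RLENGTH - 2)
            n = split(ip, o, ".")
            ok = (n == 4)
            for (i = 1; i <= n; i++)
                if (length(o[i]) > 3 || o[i] + 0 > 255) ok = 0
            if (ok) { print ip; found = 1; exit }
        }
        END { exit !found }'
}

# block_ip IP: insert one DROP rule per address. With DRY_RUN set (example
# name), print the command instead of running it; the address is always a
# separate argv element, never part of a shell string.
block_ip() {
    ip=$1
    if [ -f "$SEEN_FILE" ] && grep -qxF "$ip" "$SEEN_FILE"; then
        return 0                      # already blocked, no second rule
    fi
    if [ -n "${DRY_RUN:-}" ]; then
        echo "would run: iptables -I INPUT -s $ip -j DROP"
    else
        iptables -I INPUT -s "$ip" -j DROP || return 1
    fi
    printf '%s\n' "$ip" >> "$SEEN_FILE"
}

# watch_maillog: the long-running form, equivalent to "tail -f maillog | dyn".
watch_maillog() {
    tail -f /var/log/maillog | while IFS= read -r line; do
        if ip=$(client_ip_from_line "$line"); then
            block_ip "$ip"
        fi
    done
}

# Demo on constructed lines; the third one carries a shell injection attempt
# and the last repeats a client that was already blocked.
SAMPLE='Jun 20 14:20:01 mx postfix/smtpd[31120]: too many errors after RCPT from unknown[121.22.69.214]
Jun 20 14:20:09 mx postfix/smtpd[31123]: too many errors after RCPT from 36-224-128-99.dynamic-ip.hinet.net[36.224.128.99]
Jun 20 14:20:15 mx postfix/smtpd[31124]: too many errors after AUTH from unknown[1.2.3.4; rm -rf /]
Jun 20 14:20:20 mx postfix/smtpd[31125]: too many errors after RCPT from unknown[121.22.69.214]'

DRY_RUN=1
SEEN_FILE=$(mktemp)
printf '%s\n' "$SAMPLE" | while IFS= read -r line; do
    if ip=$(client_ip_from_line "$line"); then
        block_ip "$ip"
    fi
done
rm -f "$SEEN_FILE"
```

    Run watch_maillog as root instead of the demo. The rules have no expiry, so clear them (and SEEN_FILE) when the incident is over, or hand the job to fail2ban, which tracks and lifts bans for you.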
  • Original post: https://www.cnblogs.com/dribs/p/7054358.html
Copyright © 2020-2023  润新知