
主题: 请教张工:plugins = ldap_recipient_restrictions 这个没有生效,可能是什么问题.

==== 必填信息。没有填写将不予回复 ====
- iRedMail 版本:0.6.0
- 使用的 Linux/BSD 发行版名称及版本号:CentOS 5.5
- 与您的问题相关的日志信息:
- iRedAPD 版本:1.3.8(ldap 后端,两个实例:7777 端口的 iredapd.ini 与 7778 端口的 iredapd-rr.ini)

安装了 iRedAPD 后,block_amavisd_blacklisted_senders 和 ldap_maillist_access_policy 两个插件是生效的(7777 端口实例的启动日志里列出了这两个插件),但 ldap_recipient_restrictions 没有生效:在 LDAP 里给用户添加了 mailBlacklistRecipient=@. 之后,该用户仍然可以向外部地址发信,两个策略服务的日志里都只记录 DUNNO。可能是什么问题?


相应的设置如下

# netstat -antp |grep 777
tcp        0      0 127.0.0.1:7777              0.0.0.0:*                   LISTEN      2900/python       
tcp        0      0 127.0.0.1:7778              0.0.0.0:*                   LISTEN      2904/python 

[root@mail1 plugins]# tail -f /var/log/iredapd.log
2012-12-17 23:21:51 INFO [192.168.1.105] test1@silence.com -> test11@hua.com, DUNNO
2012-12-17 23:25:27 INFO Starting iredapd (v1.3.8, ldap). Enabled plugin(s): ldap_maillist_access_policy, block_amavisd_blacklisted_senders. Listening on 127.0.0.1:7777.
2012-12-17 23:29:17 INFO [192.168.1.105] test1@silence.com -> 282490326@qq.com, DUNNO
2012-12-17 23:35:47 INFO [192.168.1.105] test1@silence.com -> 282490326@qq.com, DUNNO
2012-12-17 23:48:53 INFO [192.168.1.105] test1@silence.com -> 282490326@qq.com, DUNNO
2012-12-17 23:51:35 INFO Starting iredapd (v1.3.8, ldap). Enabled plugin(s): ldap_maillist_access_policy, block_amavisd_blacklisted_senders. Listening on 127.0.0.1:7777.
2012-12-17 23:52:22 INFO [192.168.1.105] test1@silence.com -> 282490326@qq.com, DUNNO
2012-12-18 00:04:16 INFO [192.168.1.105] test1@silence.com -> 282490326@qq.com, DUNNO
2012-12-18 00:06:51 INFO Starting iredapd (v1.3.8, ldap). Enabled plugin(s): ldap_maillist_access_policy, block_amavisd_blacklisted_senders. Listening on 127.0.0.1:7777.
2012-12-18 00:19:07 INFO Starting iredapd (v1.3.8, ldap). Enabled plugin(s): ldap_maillist_access_policy, block_amavisd_blacklisted_senders. Listening on 127.0.0.1:7777.   

[root@mail1 plugins]# tail -f /var/log/iredapd-rr.log
2012-12-17 23:21:51 INFO [192.168.1.105] test1@silence.com -> test11@hua.com, DUNNO
2012-12-17 23:25:27 INFO Starting iredapd (v1.3.8, pid: 2738), listening on 127.0.0.1:7778.
2012-12-17 23:29:17 INFO [192.168.1.105] test1@silence.com -> 282490326@qq.com, DUNNO
2012-12-17 23:35:47 INFO [192.168.1.105] test1@silence.com -> 282490326@qq.com, DUNNO
2012-12-17 23:48:53 INFO [192.168.1.105] test1@silence.com -> 282490326@qq.com, DUNNO
2012-12-17 23:51:35 INFO Starting iredapd (v1.3.8, pid: 2741), listening on 127.0.0.1:7778.
2012-12-17 23:52:21 INFO [192.168.1.105] test1@silence.com -> 282490326@qq.com, DUNNO
2012-12-18 00:04:16 INFO [192.168.1.105] test1@silence.com -> 282490326@qq.com, DUNNO
2012-12-18 00:06:52 INFO Starting iredapd (v1.3.8, pid: 2751), listening on 127.0.0.1:7778.
2012-12-18 00:19:12 INFO Starting iredapd (v1.3.8, pid: 2902), listening on 127.0.0.1:7778. 

[root@mail1 etc]# more iredapd-rr.ini
[general]
# Listen address and port.
listen_addr     = 127.0.0.1
listen_port     = 7778

# Run as a low privileged user. Do not run this daemon as root: it parses
# policy requests from Postfix and holds the LDAP bind password below.
# If you don't want to create a dedicated account you can try 'nobody', but a
# dedicated user is preferable so the log and pid files are not writable by
# other services that also run as 'nobody'.
run_as_user     = iredapd

# Background/daemon mode: yes, no.
# Detach iredapd from terminal. It's recommended to always running as daemon.
run_as_daemon   = yes

# Path to pid file.
pid_file        = /var/run/iredapd-rr.pid

# Log type: file.
# Note:
#   - Currently, only the 'file' type is supported.
#   - If log_type is 'file', log_file is required.
#   - A 'mysql' log type would require the SQL settings, but it is not
#     available in this version.
log_type        = file
log_file        = /var/log/iredapd-rr.log

# Log level: info, error, debug.
# Caution: at 'debug' level the daemon writes the sender's complete LDAP entry
# to the log file, including the userPassword hash. Keep the log file readable
# only by root and run_as_user, redact it before sharing, and switch back to
# 'info' once troubleshooting is finished.
log_level       = info

# Backend: ldap, mysql, pgsql.
backend = ldap

# Bypass clients listed in postfix 'mynetworks': yes, no.
# 'no' means connections from mynetworks are checked by the plugins as well;
# 'yes' returns DUNNO for them without consulting LDAP.
bypass_mynetworks = no

[ldap]
# For ldap backend only.
# LDAP server setting.
# Uri must start with ldap:// or ldaps:// (TLS/SSL). Plain ldap:// is only
# acceptable on the loopback interface as configured here; use ldaps:// if the
# directory is on another host, since the bind password is sent with each bind.
#
# Tip: You can get binddn, bindpw from /etc/postfix/ldap_*.cf. The bindpw is a
# secret: keep this file readable only by root and run_as_user, and never paste
# it into a bug report or forum post.
#
uri         = ldap://127.0.0.1:389
binddn      = cn=vmail,dc=silence,dc=com
bindpw      = <redacted — the real bind password was posted publicly; treat it as compromised and change it in slapd and in every /etc/postfix/ldap_*.cf and iRedAPD config that uses it>
basedn      = o=domains,dc=silence,dc=com

# Enabled plugins.
#   - Plugin name is the file name placed under the 'src/plugins/' directory.
#   - Plugin names MUST be separated by commas.
#   - The startup line in the log file lists the plugins actually loaded;
#     compare it with this setting after every restart.
plugins = ldap_recipient_restrictions







main.cf 的相关设置(注意:smtpd_sender_restrictions 中 check_policy_service inet:127.0.0.1:7778 排在 permit_mynetworks 和 permit_sasl_authenticated 之前,所以已认证用户和内网客户端的发信也会交给 7778 端口的策略服务检查;Postfix 默认 smtpd_delay_reject=yes,该检查在 RCPT 阶段执行,与下面 debug 日志里的 protocol_state=RCPT 一致):

...
...
smtpd_sender_restrictions = check_policy_service inet:127.0.0.1:7778, permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated
...
...
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_policy_service inet:127.0.0.1:10031


master.cf的设置:
[root@mail1 plugins]# more /etc/postfix/master.cf |grep -v "#"
smtp      inet  n       -       -       -       -       smtpd
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
        -o smtp_fallback_relay=
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
pickup    fifo  n       -       n       60      1       pickup
  -o content_filter=
submission inet n       -       n       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
dovecot unix    -       n       n       -       -      pipe
    flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${user}@${domain}
procmail unix    -       n       n       -       -      pipe
  flags=DRhu user=vmail:vmail argv=/usr/bin/procmail -r -t SENDER=${sender} RECIPIENT=${recipient} DOMAIN=${nexthop} -m USER=${user} EXTENSION=${extension} /etc/procmailrc
smtp-amavis unix -  -   -   -   2  smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20

127.0.0.1:10025 inet n  -   -   -   -  smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks_style=host
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings

回复: 请教张工:plugins = ldap_recipient_restrictions 这个没有生效,可能是什么问题.

将 /opt/iredapd/etc/iredapd-rr.ini 里的 "log_level = info" 设置为 debug,重启 iRedAPD 服务后再测试一次。将相关的日志贴上来看看。

回复: 请教张工:plugins = ldap_recipient_restrictions 这个没有生效,可能是什么问题.

ZhangHuangbin 写道:

将 /opt/iredapd/etc/iredapd-rr.ini 里的 "log_level = info" 设置为 debug,重启 iRedAPD 服务后再测试一次。将相关的日志贴上来看看。

太奇怪了:昨天公司停电,我的虚拟机(VMware Player)被关掉了,今天重新打开虚拟机后插件就生效了。我之前也重启过服务、重启过虚拟机,都不生效;唯一不同的是这次是断电后再开机,不知道是否与此有关。
(审阅补充:从上面的输出看,netstat 显示 7778 端口由 pid 2904 监听,而 iredapd-rr.log 最后一条启动记录写的是 pid 2902。两者不一致可能只是守护进程 fork 造成的,但也可能说明当时真正监听 7778 的是一个在修改 ini 之前就启动的旧进程,"重启服务"并没有换掉它。排查这类问题时应先用 ps 确认监听 7778 的进程启动时间晚于 ini 的修改时间,并确认所用的 init 脚本重启的是 iredapd-rr 这个实例而不只是 7777 的实例。)
我一直怀疑是 master.cf 出错了,需要在里面为 7778 端口添加类似 `127.0.0.1:10025 inet n - - - - smtpd` / `-o content_filter=` 这样的服务定义。现在看来与 master.cf 无关:check_policy_service inet:127.0.0.1:7778 访问的是一个独立的 TCP 策略服务,Postfix 不需要在 master.cf 里为它定义服务。


iredapd-rr.ini 里 log_level 改为 debug 后的日志(注意:debug 级别会把发件人在 LDAP 里的完整条目打印到日志,包括 userPassword 哈希;贴出来之前应先删掉该字段,确保 /var/log/iredapd-rr.log 只有 root 和 iredapd 用户可读,排查完后改回 info)。

2012-12-20 21:39:44 DEBUG Connect from 127.0.0.1, port 39107.
2012-12-20 21:39:44 DEBUG smtp session: request=smtpd_access_policy
2012-12-20 21:39:44 DEBUG smtp session: protocol_state=RCPT
2012-12-20 21:39:44 DEBUG smtp session: protocol_name=ESMTP
2012-12-20 21:39:44 DEBUG smtp session: client_address=192.168.1.105
2012-12-20 21:39:44 DEBUG smtp session: client_name=unknown
2012-12-20 21:39:44 DEBUG smtp session: reverse_client_name=unknown
2012-12-20 21:39:44 DEBUG smtp session: helo_name=FMISA4105SCA
2012-12-20 21:39:44 DEBUG smtp session: sender=test1@silence.com
2012-12-20 21:39:44 DEBUG smtp session: recipient=282490326@qq.com
2012-12-20 21:39:44 DEBUG smtp session: recipient_count=0
2012-12-20 21:39:44 DEBUG smtp session: queue_id=
2012-12-20 21:39:44 DEBUG smtp session: instance=be7.50d3151f.e95e9.1
2012-12-20 21:39:44 DEBUG smtp session: size=0
2012-12-20 21:39:44 DEBUG smtp session: etrn_domain=
2012-12-20 21:39:44 DEBUG smtp session: stress=
2012-12-20 21:39:44 DEBUG smtp session: sasl_method=LOGIN
2012-12-20 21:39:44 DEBUG smtp session: sasl_username=test1@silence.com
2012-12-20 21:39:44 DEBUG smtp session: sasl_sender=
2012-12-20 21:39:44 DEBUG smtp session: ccert_subject=
2012-12-20 21:39:44 DEBUG smtp session: ccert_issuer=
2012-12-20 21:39:44 DEBUG smtp session: ccert_fingerprint=
2012-12-20 21:39:44 DEBUG smtp session: encryption_protocol=
2012-12-20 21:39:44 DEBUG smtp session: encryption_cipher=
2012-12-20 21:39:44 DEBUG smtp session: encryption_keysize=0
2012-12-20 21:39:44 DEBUG LDAP connection initialied success.
2012-12-20 21:39:44 DEBUG LDAP bind success.
2012-12-20 21:39:44 DEBUG __get_sender_dn_ldif (sender): test1@silence.com
2012-12-20 21:39:44 DEBUG __get_sender_dn_ldif: Quering LDAP
2012-12-20 21:39:44 DEBUG __get_sender_dn_ldif (result): [('mail=test1@silence.com,ou=Users,domainName=silence.com,o=domains,dc=silence,dc=com', {'memberOfGroup': ['grptest@silence.com'], 'uid': ['test1'], 'mailQuota': ['1073741824'], 'objectClass': ['inetOrgPerson', 'mailUser', 'shadowAccount', 'amavisAccount'], 'userPassword': ['{SSHA}<redacted>'], 'homeDirectory': ['/var/vmail/vmail1/silence.com/t/te/tes/test1-2012.11.29.23.34.48/'], 'accountStatus': ['active'], 'mailBlacklistRecipient': ['@.'], 'mtaTransport': ['dovecot'], 'sn': ['test1'], 'storageBaseDirectory': ['/var/vmail'], 'mail': ['test1@silence.com'], 'mailMessageStore': ['vmail1/silence.com/t/te/tes/test1-2012.11.29.23.34.48/'], 'enabledService': ['mail', 'smtp', 'deliver', 'pop3', 'pop3secured', 'imap', 'imapsecured', 'managesieve', 'managesievesecured', 'sieve', 'sievesecured', 'internal', 'forward', 'senderbcc', 'recipientbcc', 'shadowaddress', 'displayedInGlobalAddressBook'], 'cn': ['test1']})]
2012-12-20 21:39:44 DEBUG Apply plugin (ldap_recipient_restrictions).
2012-12-20 21:39:44 DEBUG Response from plugin (ldap_recipient_restrictions): REJECT Permission denied
2012-12-20 21:39:44 INFO Response from plugin (ldap_recipient_restrictions): REJECT Permission denied
2012-12-20 21:39:44 DEBUG Final action: REJECT Permission denied.
2012-12-20 21:39:44 INFO [192.168.1.105] test1@silence.com -> 282490326@qq.com, REJECT Permission denied
2012-12-20 21:39:44 DEBUG Connection closed