
Troubleshooting help: Postfix is configured to force TLS for outbound mail, yet mail can still be sent over SMTP port 25


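Hello Postfix experts. Today I stumbled on a problem that has me baffled: I have clearly configured Postfix to force encrypted TLS connections for outbound mail, yet my mail server can still send mail over the plain SMTP port 25. I have checked the configuration repeatedly but still cannot find the problem. Could you help me see which setting I have missed?

Here are the relevant parts of my configuration files:

main.cf excerpt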

### Outbound SMTP connections (Postfix as sender)###

smtp_use_tls = yes

smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtp_tls_loglevel = 1

tls_random_source = dev:/dev/urandom

smtp_tls_protocols = !TLSv1.1, !TLSv1, !SSLv2, !SSLv3

smtp_tls_ciphers = high

smtp_tls_mandatory_protocols = !TLSv1.1, !TLSv1, !SSLv2, !SSLv3

smtp_tls_mandatory_ciphers = high

### Inbound SMTP connections ###

smtpd_use_tls = yes

smtpd_sasl_type=dovecot

smtpd_sasl_path=private/auth

smtpd_sasl_security_options = noanonymous

smtpd_tls_cert_file = /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem

smtpd_tls_key_file = /etc/letsencrypt/live/mail.mydomain.com/privkey.pem

smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination

smtpd_recipient_restrictions=reject_unknown_recipient_domain,permit_sasl_authenticated,permit_mynetworks

smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain

###smtpd tls xtraconf

#For tls header info show

smtpd_tls_received_header = yes

# More detailed tls neg log    smtpd_tls_loglevel = 2

smtpd_tls_protocols = !TLSv1.1, !TLSv1, !SSLv2, !SSLv3

smtpd_tls_ciphers = high

smtpd_tls_mandatory_protocols = !TLSv1.1, !TLSv1, !SSLv2, !SSLv3

smtpd_tls_mandatory_ciphers = high

tls_preempt_cipherlist = yes

smtputf8_enable = no

master.cf excerpt

smtp      inet  n       -       y       -       -       smtpd

submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=mail.mydomain.com
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination

Note: this content comes from Stack Exchange; the question was asked by cz.steve.
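An added example, not part of the original post and not Postfix code: a static check that reads main.cf text and reports the outbound (smtp client) TLS level it results in, using documented Postfix behaviour (smtp_tls_security_level overrides the legacy smtp_use_tls and smtp_enforce_tls booleans, and smtp_use_tls = yes on its own means opportunistic TLS). The function names are hypothetical, and the check assumes no master.cf -o overrides and no smtp_tls_policy_maps entries.

```python
# Added example: audit the outbound TLS level implied by main.cf text.
MANDATORY = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}

def parse_main_cf(text):
    """Parse main.cf: '#' lines are comments, indented lines continue the
    previous parameter, and the last definition of a name wins."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and name:
            params[name] = (params[name] + " " + raw.strip()).strip()
            continue
        key, sep, value = raw.partition("=")
        if sep:
            name = key.strip()
            params[name] = value.strip()
    return params

def outbound_tls_level(params):
    """smtp_tls_security_level wins; else enforce_tls -> encrypt, use_tls -> may."""
    level = params.get("smtp_tls_security_level", "")
    if level:
        return level
    if params.get("smtp_enforce_tls", "no").lower() == "yes":
        return "encrypt"
    return "may" if params.get("smtp_use_tls", "no").lower() == "yes" else "none"

def audit(text):
    params = parse_main_cf(text)
    level = outbound_tls_level(params)
    findings = []
    if level not in MANDATORY:
        findings.append(f"level '{level}' does not require TLS for every delivery")
        inert = sorted(k for k in params if k.startswith("smtp_tls_mandatory_"))
        if inert:
            findings.append("take effect only where TLS is mandatory: " + ", ".join(inert))
    return level, findings

# Constructed excerpt of the outbound TLS lines shown in the post.
POSTED = """\
smtp_use_tls = yes
smtp_tls_protocols = !TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_mandatory_ciphers = high
"""

if __name__ == "__main__":
    print(audit(POSTED))
```

On a live host, the output of `postconf -n` (explicitly set main.cf parameters in `name = value` form) can be passed to `audit` in place of the constructed excerpt.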
