
在Debian上安装邮件系统

配置postfix+SSL/TLS

部分参考Postfix TLS SMTP

SSL(Secure Sockets Layer,安全套接字协议),和其继任者TLS(Transport Layer Security,传输层安全)是为网络通信提供安全及数据完整性的一种安全协议。
它们在传输层与应用层之间对网络连接进行加密。

加密首先要有证书。方便起见,可以借用dovecot的证书,它们以软链接的方式保存在/etc/dovecot/private/中,并被/etc/dovecot/conf.d/10-ssl.conf引用,共两个文件(即下文doveconf输出中ssl_cert和ssl_key所指向的dovecot.pem与dovecot.key)。在postfix的配置文件/etc/postfix/main.cf末尾加入以下行:
smtpd_use_tls = yes
smtpd_tls_received_header = yes
smtpd_enforce_tls = yes
smtpd_tls_loglevel = 2
smtp_use_tls = yes
smtp_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtp_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key 
编辑/etc/postfix/master.cf:
submission  inet    n    -    y    -    -    smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
smtps       inet    n    -    y    -    -    smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes  
  -o smtpd_sasl_auth_enable=yes
重启postfix服务,并查看当前监听的端口:
root@mail:/etc/postfix# service postfix restart
root@mail:/etc/postfix# ss -lntup
Netid  State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port  Process
tcp    LISTEN  0       100            0.0.0.0:993          0.0.0.0:*      users:(("dovecot",pid=461,fd=41))
tcp    LISTEN  0       100            0.0.0.0:995          0.0.0.0:*      users:(("dovecot",pid=461,fd=23))
tcp    LISTEN  0       100            0.0.0.0:587          0.0.0.0:*      users:(("master",pid=461,fd=18))
tcp    LISTEN  0       100            0.0.0.0:110          0.0.0.0:*      users:(("dovecot",pid=461,fd=21))
tcp    LISTEN  0       100            0.0.0.0:143          0.0.0.0:*      users:(("dovecot",pid=461,fd=39))
tcp    LISTEN  0       100            0.0.0.0:465          0.0.0.0:*      users:(("master",pid=3521,fd=18))
tcp    LISTEN  0       128            0.0.0.0:22           0.0.0.0:*      users:(("sshd",pid=481,fd=3))
tcp    LISTEN  0       100            0.0.0.0:25           0.0.0.0:*      users:(("master",pid=3521,fd=13))
tcp    LISTEN  0       100               [::]:993             [::]:*      users:(("dovecot",pid=461,fd=42))
tcp    LISTEN  0       100               [::]:995             [::]:*      users:(("dovecot",pid=461,fd=24))
tcp    LISTEN  0       100               [::]:110             [::]:*      users:(("dovecot",pid=461,fd=22))
tcp    LISTEN  0       100               [::]:143             [::]:*      users:(("dovecot",pid=461,fd=40))
tcp    LISTEN  0       100               [::]:465             [::]:*      users:(("master",pid=3521,fd=19))
tcp    LISTEN  0       128               [::]:22              [::]:*      users:(("sshd",pid=481,fd=4))
tcp    LISTEN  0       100               [::]:25              [::]:*      users:(("master",pid=3521,fd=14))
可以看到587(submission)和465(smtps)端口已经开放。
目前为止实际配置情况如下。注意postconf -n输出中同时出现了已过时的smtpd_use_tls/smtpd_enforce_tls和新参数smtpd_tls_security_level,Postfix 2.3之后以smtpd_tls_security_level为准(此处为may,即25端口可选TLS;submission和smtps端口的强制加密由master.cf中的-o选项决定);另外ssl-cert-snakeoil是Debian自动生成的自签名证书,客户端会提示证书不受信任,正式环境应换成有效证书:
root@mail:~# doveconf -n -P
# 2.3.13 (89f716dc2): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.13 (cdd19fe3)
# OS: Linux 5.10.0-15-amd64 x86_64 Debian 11.3
# Hostname: mail.test.com
mail_location = maildir:~/Maildir
mail_privileged_group = mail
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = scheme=CRYPT username_format=%u /etc/dovecot/passwd-users-auth
  driver = passwd-file
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
protocols = " imap lmtp pop3"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
}
ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = </usr/share/dovecot/dh.pem
ssl_key = </etc/dovecot/private/dovecot.key
userdb {
  args = uid=vmail gid=vmail home=/var/vmail/%d/%n
  driver = static
}

root@mail:/var/vmail/test.com.cn/mailman/Maildir/new# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
compatibility_level = 2
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
mydestination = $myhostname, localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtp_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_enforce_tls = yes
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_use_tls = yes
virtual_gid_maps = static:500
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = hash:/etc/postfix/vmail_domains
virtual_mailbox_maps = hash:/etc/postfix/vmail_mailbox
virtual_transport = virtual
virtual_uid_maps = static:500
在Outlook中添加账号并收发邮件时遇到如下问题: mydestination和virtual_mailbox_domains不能有相同项,否则/var/log/mail.log中会出现如下错误提示,且邮件无法送达目的地。
mail postfix/trivial-rewrite[5988]: warning: do not list domain test.com.cn in BOTH mydestination and virtual_mailbox_domains
使用以下步骤可查看smtp是否支持STARTTLS(如需同时检查证书和协议协商结果,也可以用openssl s_client -starttls smtp -connect localhost:25):
root@mail:# telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 mail.localdomain ESMTP Postfix (Debian/GNU)
ehlo test.com
250-mail.localdomain
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN
250-AUTH=PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
starttls
220 2.0.0 Ready to start TLS
quit
Connection closed by foreign host.