4.7. Post 命令


4.7.1. postconf - Postfix configuration utility

Postfix 提供了 postconf 配置工具。配置 Postfix 有两种方法:第一种是使用文本编辑工具直接修改 main.cf 和 master.cf 两个配置文件,第二种是使用 postconf 命令。

修改配置项

postconf -e "myhostname=mail.netkiller.cn"
			

4.7.2. postsuper

删除队列中待发邮件

# mailq
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
CB71F8022974     3038 Wed Oct 19 01:57:03  MAILER-DAEMON
(connect to example.com[2606:2800:220:1:248:1893:25c8:1946]:25: Network is unreachable)
                                         root@example.com

-- 3 Kbytes in 1 Request.

# postsuper -d CB71F8022974 deferred
postsuper: CB71F8022974: removed
postsuper: Deleted: 1 message

# mailq
Mail queue is empty
			

删除 deferred 队列中的所有邮件(删除后无法恢复;如果省略队列名 deferred,则会删除所有队列中的邮件)

postsuper -d ALL deferred
			

4.7.3. postqueue - Postfix queue control

4.7.3.1. 列出队列

列出队列,等效 mailq

# postqueue -p
				

4.7.3.2. 刷新队列

-f Flush the queue: attempt to deliver all queued mail.

postqueue -f
				

4.7.4. postmulti - Postfix multi-instance manager

4.7.4.1. 绑定IP地址

将所有IP地址绑定到服务器上

cd /etc/sysconfig/network-scripts

vim ifcfg-enp2s0
				
# cat ifcfg-enp2s0  
TYPE="Ethernet"
BOOTPROTO="none"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
NAME="enp2s0"
UUID="c27c6ef8-ab82-4019-af0a-9f3a70b2d230"
DEVICE="enp2s0"
ONBOOT="yes"
DNS1="8.8.8.8"
IPADDR="192.168.0.1"
...
...
IPADDR247="192.168.0.250"
PREFIX="26"
PREFIX0="24"
GATEWAY="192.168.0.254"
IPV6_PEERDNS="yes"
IPV6_PEERROUTES="yes"
IPV6_PRIVACY="no"
				

IP范围 192.168.0.1-192.168.0.250,接口是enp2s0,enp2s0:1 ~ enp2s0:250

4.7.4.2. postfix 多实例配置

初始化postfix 多实例

postmulti -e init			
				

创建postfix实例

postmulti -I postfix-1 -G mta -e create
...
...
postmulti -I postfix-250 -G mta -e create			
				

启用postfix 实例

postmulti -i postfix-1 -e enable
...
...
postmulti -i postfix-250 -e enable
				

配置postfix实例。注意 mynetworks 中列出的网段可以不经认证通过本实例中继邮件,应只包含受信任的主机。

postmulti -i postfix-1 -x postconf -e "master_service_disable =" "authorized_submit_users = root" "minimal_backoff_time= 30d" "maximal_backoff_time = 300d" "mynetworks = 127.0.0.0/8,192.168.0.0/24" "inet_interfaces = \$myhostname" "mailbox_size_limit = 0" "message_size_limit = 0" "myhostname =  mail.example.com" "myorigin =  mail.example.com" "mydomain =  example.com" "smtp_bind_address =  192.168.0.1"
...
...
postmulti -i postfix-250 -x postconf -e "master_service_disable =" "authorized_submit_users = root" "minimal_backoff_time= 30d" "maximal_backoff_time = 300d" "mynetworks = 127.0.0.0/8,192.168.0.0/24" "inet_interfaces = \$myhostname" "mailbox_size_limit = 0" "message_size_limit = 0" "myhostname =  mail.example.com" "myorigin =  mail.example.com" "mydomain =  example.com" "smtp_bind_address =  192.168.0.250"
				

4.7.4.3. 配置 iptables 让SMTPD发送邮件时依次轮询外发IP地址,这样就不会被封锁。

iptables -t nat -I POSTROUTING -m state --state NEW -p tcp --dport 25 -o eth0 -m statistic --mode nth --every 250 -j SNAT --to-source 192.168.0.1
...
...
iptables -t nat -I POSTROUTING -m state --state NEW -p tcp --dport 25 -o eth0 -m statistic --mode nth --every 250 -j SNAT --to-source 192.168.0.250
				

注意,不要使用下面的方式配置iptables,经过测试这种192.168.0.1-192.168.0.250方式,不会轮换IP地址。

iptables -t nat -I POSTROUTING -o enp2s0f0 -p tcp -m state --state NEW -m tcp -m statistic --mode nth --every 5 --packet 0 -j SNAT --to-source 192.168.0.1-192.168.0.250
				

测试 iptables:使用 curl 反复请求,可以看到出口 IP 地址在地址池中轮换。

[root@www.netkiller.cn ~]# curl http://ip.cn
当前 IP:173.254.223.57 来自:美国 QuadraNet
[root@www.netkiller.cn ~]# curl http://ip.cn
当前 IP:173.254.223.54 来自:美国 QuadraNet
[root@www.netkiller.cn ~]# curl http://ip.cn
当前 IP:107.167.40.137 来自:美国 
[root@www.netkiller.cn ~]# curl http://ip.cn
当前 IP:173.254.223.55 来自:美国 QuadraNet
[root@www.netkiller.cn ~]# curl http://ip.cn
当前 IP:107.167.40.134 来自:美国 
[root@www.netkiller.cn ~]# curl http://ip.cn
当前 IP:173.254.223.56 来自:美国 QuadraNet
[root@www.netkiller.cn ~]# curl http://ip.cn
当前 IP:173.254.223.54 来自:美国 QuadraNet
[root@www.netkiller.cn ~]# curl http://ip.cn
当前 IP:107.167.40.132 来自:美国 
[root@www.netkiller.cn ~]# curl http://ip.cn
当前 IP:173.254.223.53 来自:美国 QuadraNet
				

使用 netkiller-firewall 替代原来的 iptables 命令,传统的 iptables 规则不容易书写,也不容易阅读。下面的安装步骤以 root 身份执行,运行 install.sh 之前应先确认压缩包的来源并阅读脚本内容。

# unzip firewall-master.zip
# yum install -y python34
# bash install.sh
# /etc/init.d/firewall 
Usage: /etc/init.d/firewall {start|stop|status|restart}
				
				
RULE=www
改为
RULE=smtp

# cat /etc/init.d/firewall | grep RULE
RULE=smtp


# cat /etc/sysconfig/firewall
LIBEXEC=/srv/firewall/libexec
RULE=smtp
				
				

编辑ACL规则

				
# vim /srv/firewall/libexec/smtp.py

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#  example.py
#  
#  Copyright 2013 neo <netkiller@msn.com>
#  
#  This program is free software; you can redistribute it and/or modify
#  it under the terms of the GNU General Public License as published by
#  the Free Software Foundation; either version 2 of the License, or
#  (at your option) any later version.
#  
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#  
#  You should have received a copy of the GNU General Public License
#  along with this program; if not, write to the Free Software
#  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
#  MA 02110-1301, USA.
#  
#  

from firewall import * 

########################################
# SMTP host: packet filter and outbound SNAT pool
########################################

# Every call below goes through the project's `firewall` module; what each
# builder method emits is defined there and is not visible in this file.
smtp = Firewall()
smtp.flush()

# The default policy is ACCEPT on every chain, so inbound filtering depends
# entirely on the explicit reject rules appended at the end of this section.
for chain in (smtp.INPUT, smtp.OUTPUT, smtp.FORWARD, smtp.POSTROUTING):
	smtp.policy(chain, smtp.ACCEPT)

# Return traffic, ICMP and loopback are accepted first.
smtp.input().state(('RELATED','ESTABLISHED')).accept()
smtp.input().protocol('icmp').accept()
smtp.input().interface('-i','lo').accept()

# New inbound TCP connections are accepted on ports 22, 25 and 110 from any
# source; no source-address restriction is applied to any of them here.
for ports in ('22', ('25','110')):
	smtp.input().protocol('tcp').state('NEW').dport(ports).accept()
#smtp.input().protocol('tcp').dport(('3306','5432')).reject()

# Anything not accepted above is rejected on INPUT and FORWARD.
smtp.input().reject('--reject-with icmp-host-prohibited')
smtp.forward().reject('--reject-with icmp-host-prohibited')

# Source-NAT pool: (address prefix, first last-octet, end last-octet exclusive).
snat_pools = (
	('173.24.223.', 53, 58),
	('107.17.40.', 130, 191),
	('107.18.142.', 2, 63),
	('146.71.38.', 130, 191),
	('104.20.164.', 194, 255),
)

# One POSTROUTING rule per pool address. No destination port is given, so
# each rule applies to any new outbound TCP connection on enp2s0.
# NOTE(review): statistic('5') is passed unchanged to every rule; how the
# firewall module turns it into a match is not shown here - confirm.
for prefix, first, end in snat_pools:
	for ip in range(first, end):
		smtp.postrouting().outbound('enp2s0').protocol('tcp').state('NEW').statistic('5').snat('--to-source ' + prefix + str(ip))


def start():
	"""Delegate to ``start()`` on the module-level Firewall instance ``smtp``."""
	smtp.start()
def stop():
	"""Delegate to ``stop()`` on the module-level Firewall instance ``smtp``."""
	smtp.stop()
def restart():
	"""Stop and then start the module-level Firewall instance, in that order."""
	stop()
	start()
def show():
	"""Delegate to ``show()`` on the module-level Firewall instance ``smtp``."""
	smtp.show()
def status():
	"""Delegate to ``status()`` on the module-level Firewall instance ``smtp``."""
	smtp.status()
def main():
	"""Call ``show()`` and return 0; nothing is started or stopped here."""
	show()
	return 0

# Run directly, this file only calls main(); its return value is discarded
# rather than used as the process exit status.
if __name__ == '__main__':
	main()
				
				

启动firewall

systemctl enable firewall
systemctl start firewall
				

CentOS 6.x 及之前的版本请使用 /etc/init.d/firewall 脚本。





原文出处:Netkiller 系列 手札
本文作者:陈景峯
转载请与作者联系,同时请务必标明文章原始出处和作者信息及本声明。
