Home | 簡體中文 | 繁體中文 | 雜文 | 知乎專欄 | Github | OSChina 博客 | 雲社區 | 雲棲社區 | Facebook | Linkedin | 視頻教程 | 打賞(Donations) | About
知乎專欄多維度架構 微信號 netkiller-ebook | QQ群:128659835 請註明“讀者”

62.7. Post 命令

62.7.1. postconf - Postfix configuration utility

Postfix 提供了postconf配置工具,配置Postfix有兩種方法,第一種方法是使用文本編輯工具修改 main.cf和master.cf兩個配置檔案,第二種方法就是使用postconf命令

修改配置項

				postconf -e "myhostname=mail.netkiller.cn"
			

62.7.2. postsuper

刪除隊列中待發郵件

				# mailq
				-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
				CB71F8022974 3038 Wed Oct 19 01:57:03 MAILER-DAEMON
				(connect to example.com[2606:2800:220:1:248:1893:25c8:1946]:25: Network is unreachable)
				root@example.com

				-- 3 Kbytes in 1 Request.

				# postsuper -d CB71F8022974 deferred
				postsuper: CB71F8022974: removed
				postsuper: Deleted: 1 message

				# mailq
				Mail queue is empty
			

刪除隊列中所有待發郵件

				postsuper -d ALL deferred
			

62.7.3. postqueue - Postfix queue control

62.7.3.1. 列出隊列

列出隊列,等效 mailq

					# postqueue -p
				

62.7.3.2. 刷新隊列

-f Flush the queue: attempt to deliver all queued mail.

					postqueue -f
				

62.7.4. postmulti - Postfix multi-instance manager

62.7.4.1. 綁定IP地址

將所有IP地址綁定到伺服器上

					cd /etc/sysconfig/network-scripts

					vim ifcfg-enp2s0
				
					# cat ifcfg-enp2s0
					TYPE="Ethernet"
					BOOTPROTO="none"
					DEFROUTE="yes"
					IPV4_FAILURE_FATAL="no"
					IPV6INIT="yes"
					IPV6_AUTOCONF="yes"
					IPV6_DEFROUTE="yes"
					IPV6_FAILURE_FATAL="no"
					NAME="enp2s0"
					UUID="c27c6ef8-ab82-4019-af0a-9f3a70b2d230"
					DEVICE="enp2s0"
					ONBOOT="yes"
					DNS1="8.8.8.8"
					IPADDR="192.168.0.1"
					...
					...
					IPADDR247="192.168.0.250"
					PREFIX="26"
					PERFIX0="24"
					GATEWAY="192.168.0.254"
					IPV6_PEERDNS="yes"
					IPV6_PEERROUTES="yes"
					IPV6_PRIVACY="no"
				

IP範圍 192.168.0.1-192.168.0.250,介面是enp2s0,enp2s0:1 ~ enp2s0:250

62.7.4.2. postfix 多實例配置

初始化postfix 多實例

					postmulti -e init
				

創建postfix實例

					postmulti -I postfix-1 -G mta -e create
					...
					...
					postmulti -I postfix-250 -G mta -e create
				

啟用postfix 實例

					postmulti -i postfix-1 -e enable
					...
					...
					postmulti -i postfix-250 -e enable
				

配置postfix實例

					postmulti -i postfix-1 -x postconf -e "master_service_disable =" "authorized_submit_users = root" "minimal_backoff_time= 30d" "maximal_backoff_time = 300d" "mynetworks = 127.0.0.0/8,192.168.0.0/24" "inet_interfaces = \$myhostname" "mailbox_size_limit = 0" "message_size_limit = 0" "myhostname = mail.example.com" "myorigin = mail.example.com" "mydomain = example.com" "smtp_bind_address = 192.168.0.1"
					...
					...
					postmulti -i postfix-250 -x postconf -e "master_service_disable =" "authorized_submit_users =
					root" "minimal_backoff_time= 30d" "maximal_backoff_time = 300d" "mynetworks = 127.0.0.0/8,192.168.0.0/24" "inet_interfaces = \$myhostname" "mailbox_size_limit = 0" "message_size_limit = 0" "myhostname = mail.example.com" "myorigin = mail.example.com" "mydomain = example.com" "smtp_bind_address = 192.168.0.250"
				

62.7.4.3. 配置 iptables 讓SMTPD發送郵件時依次輪詢外發IP地址,這樣就不會被封鎖。

					iptables -t nat -I POSTROUTING -m state --state NEW -p tcp --dport 25 -o eth0 -m statistic --mode nth --every 250 -j SNAT --to-source 192.168.0.1
					...
					...
					iptables -t nat -I POSTROUTING -m state --state NEW -p tcp --dport 25 -o eth0 -m statistic --mode nth --every 250 -j SNAT --to-source 192.168.0.250
				

注意,不要使用下面的方式配置iptables,經過測試這種192.168.0.1-192.168.0.250方式,不會輪換IP地址。

					iptables -t nat -I POSTROUTING -o enp2s0f0 -p tcp -m state --state NEW -m tcp -m statistic --mode nth --every 5 --packet 0 -j SNAT --to-source 192.168.0.1-192.168.0.250
				

測試 iptables使用 curl每次請求你將看到一個全新的IP地址。

					[root@www.netkiller.cn ~]# curl http://ip.cn
					當前 IP:173.254.223.57 來自:美國 QuadraNet
					[root@www.netkiller.cn ~]# curl http://ip.cn
					當前 IP:173.254.223.54 來自:美國 QuadraNet
					[root@www.netkiller.cn ~]# curl http://ip.cn
					當前 IP:107.167.40.137 來自:美國
					[root@www.netkiller.cn ~]# curl http://ip.cn
					當前 IP:173.254.223.55 來自:美國 QuadraNet
					[root@www.netkiller.cn ~]# curl http://ip.cn
					當前 IP:107.167.40.134 來自:美國
					[root@www.netkiller.cn ~]# curl http://ip.cn
					當前 IP:173.254.223.56 來自:美國 QuadraNet
					[root@www.netkiller.cn ~]# curl
					http://ip.cn
					當前 IP:173.254.223.54 來自:美國 QuadraNet
					[root@www.netkiller.cn ~]# curl http://ip.cn
					當前 IP:107.167.40.132 來自:美國
					[root@www.netkiller.cn ~]# curl http://ip.cn
					當前 IP:173.254.223.53 來自:美國 QuadraNet
				

使用netkiller-firewall 替代原來的iptables,傳統的iptables規則不容易書寫,也不容易閲讀。

					# unzip firewall-master.zip
					# yum install -y python34
					# bash install.sh
					# /etc/init.d/firewall
					Usage: /etc/init.d/firewall {start|stop|status|restart}
				

					RULE=www
					改為
					RULE=smtp

					# cat /etc/init.d/firewall | grep RULE
					RULE=smtp


					# cat /etc/sysconfig/firewall
					LIBEXEC=/srv/firewall/libexec
					RULE=smtp

				

編輯ACL規則

				
# vim /srv/firewall/libexec/smtp.py

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#  example.py
#  
#  Copyright 2013 neo <netkiller@msn.com>
#  
#  This program is free software; you can redistribute it and/or modify
#  it under the terms of the GNU General Public License as published by
#  the Free Software Foundation; either version 2 of the License, or
#  (at your option) any later version.
#  
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#  
#  You should have received a copy of the GNU General Public License
#  along with this program; if not, write to the Free Software
#  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
#  MA 02110-1301, USA.
#  
#  

from firewall import * 

######################################## 
# Web Application
######################################## 

smtp = Firewall()
smtp.flush()
smtp.policy(smtp.INPUT,smtp.ACCEPT)
smtp.policy(smtp.OUTPUT,smtp.ACCEPT)
smtp.policy(smtp.FORWARD,smtp.ACCEPT)
smtp.policy(smtp.POSTROUTING,smtp.ACCEPT)
smtp.input().state(('RELATED','ESTABLISHED')).accept()
smtp.input().protocol('icmp').accept()
smtp.input().interface('-i','lo').accept()
smtp.input().protocol('tcp').state('NEW').dport('22').accept()
smtp.input().protocol('tcp').state('NEW').dport(('25','110')).accept()
#smtp.input().protocol('tcp').dport(('3306','5432')).reject()
smtp.input().reject('--reject-with icmp-host-prohibited')
smtp.forward().reject('--reject-with icmp-host-prohibited')

for ip in range(53,58):
	smtp.postrouting().outbound('enp2s0').protocol('tcp').state('NEW').statistic('5').snat('--to-source 173.24.223.'+str(ip))
for ip in range(130,191):
	smtp.postrouting().outbound('enp2s0').protocol('tcp').state('NEW').statistic('5').snat('--to-source 107.17.40.'+str(ip))
for ip in range(2,63):
	smtp.postrouting().outbound('enp2s0').protocol('tcp').state('NEW').statistic('5').snat('--to-source 107.18.142.'+str(ip))
for ip in range(130,191):
	smtp.postrouting().outbound('enp2s0').protocol('tcp').state('NEW').statistic('5').snat('--to-source 146.71.38.'+str(ip))
for ip in range(194,255):
	smtp.postrouting().outbound('enp2s0').protocol('tcp').state('NEW').statistic('5').snat('--to-source 104.20.164.'+str(ip))


def start():
	smtp.start()
def stop():
	smtp.stop()
def restart():
	smtp.stop()
	smtp.start()
def show():
	smtp.show()
def status():
	smtp.status()
def main():
	show()
	return( 0 )

if __name__ == '__main__':
	main()
				
				

啟動firewall

					systemctl enable firewall
					systemctl start firewall
				

CentOS 6.x 之前的版本請使用 /etc/init.d/firewall 腳本