Neelix

Выдаешь людям реальный IP + маска у себя на придящий интерфейс ставишь IP + маска, он же будет для пользователей шлюзом. в IP > Firewall > Nat создаешь цепочку srcnat где указываешь пул 172.16, out interface - апстримный, Action > masquerade в IP>Routers добавляешь шлюз по умолчанию. типо все.

это TLS проверка с сертификатом

это закрытие авторизированным пользователям отправлять почту, т.к. возможно они спамеры

не пускает отправлять почту. потому что mynetworks = пусть так пока и будет. убери из restrictions: permit_sasl_authenticated

останови вообще postfix и смотри, возможно чтото другое пишет в базу, exim итд mailq покажет очередь еще такое подозрение, что авторизовавшийся пользователь тоже получает доступ к релею, несмотря на permit my networks надо конфиг проверить.

сделай mynetworks =

он же должен и показать входящие соединения откуда. останови постфикс и мониторь соединения

нет значит trafshow надо бы поставить. netstat поможет еще

лучший способ узнать - включить trafshow

самый примитивный вариант, дальше сам подкрутишь ############################################### # УФТПЛЙ ДПВБЧМЕООЩЕ НОПК ############################################### #message_size_limit = 1024000 mailbox_size_limit = 10240000 myorigin = $mydomain mydestination = $myhostname localhost.$mydomain localhost yourdomain.com #relay_domains = $mydestination #masquerade_domains = uzp.com.ua mynetworks = 192.168.0.0/24, 127.0.0.0/8 inet_intefaces = 192.168.0.1, your_ext_ip #relayhost = mail.ru #sender_canonical_maps = hash:/etc/postfix/canonical #append_at_myorigin = no #mailbox_size_limit = 10240000 header_checks = regexp:/etc/postfix/header_checks # #soft_bounce = no # INTERNET HOST AND DOMAIN NAMES # # The myhostname parameter specifies the internet hostname of this # mail system. The default is to use the fully-qualified domain name # from gethostname(). $myhostname is used as a default value for many # other configuration parameters. # #myhostname = yourdomain.com # The mydomain parameter specifies the local internet domain name. # The default is to use $myhostname minus the first component. # $mydomain is used as a default value for many other configuration # parameters. # #mydomain = domain.tld # SENDING MAIL # # The myorigin parameter specifies the domain that locally-posted # mail appears to come from. The default is to append $myhostname, # which is fine for small sites. If you run a domain with multiple # machines, you should (1) change this to $mydomain and (2) set up # a domain-wide alias database that aliases each user to # user@that.users.mailhost. # # For the sake of consistency between sender and recipient addresses, # myorigin also specifies the default domain name that is appended # to recipient addresses that have no @domain part. # #myorigin = $myhostname #myorigin = $mydomain # RECEIVING MAIL # The inet_interfaces parameter specifies the network interface # addresses that this mail system receives mail on. By default, # the software claims all active interfaces on the machine. The # parameter also controls delivery of mail to user@[ip.address]. # # See also the proxy_interfaces parameter, for network addresses that # are forwarded to us via a proxy or network address translator. # # Note: you need to stop/start Postfix when this parameter changes. # #inet_interfaces = all #inet_interfaces = $myhostname #inet_interfaces = $myhostname, localhost # The proxy_interfaces parameter specifies the network interface # addresses that this mail system receives mail on by way of a # proxy or network address translation unit. This setting extends # the address list specified with the inet_interfaces parameter. # # You must specify your proxy/NAT addresses when your system is a # backup MX host for other domains, otherwise mail delivery loops # will happen when the primary MX host is down. # #proxy_interfaces = #proxy_interfaces = 1.2.3.4 # #mydestination = $myhostname, localhost.$mydomain #mydestination = $myhostname, localhost.$mydomain $mydomain #mydestination = $myhostname, localhost.$mydomain, $mydomain, # mail.$mydomain, www.$mydomain, ftp.$mydomain #mydestination = localhost, $myhostname, localhost.$mydomain, $config_directory/mydestination # REJECTING MAIL FOR UNKNOWN LOCAL USERS # # The local_recipient_maps parameter specifies optional lookup tables # with all names or addresses of users that are local with respect # to $mydestination and $inet_interfaces. # # If this parameter is defined, then the SMTP server will reject # mail for unknown local users. This parameter is defined by default. # # To turn off local recipient checking in the SMTP server, specify # local_recipient_maps = (i.e. empty). # # The default setting assumes that you use the default Postfix local # delivery agent for local delivery. You need to update the # local_recipient_maps setting if: # # - You define $mydestination domain recipients in files other than # /etc/passwd, /etc/postfix/aliases, or the $virtual_alias_maps files. # For example, you define $mydestination domain recipients in # the $virtual_mailbox_maps files. # # - You redefine the local delivery agent in master.cf. # # - You redefine the "local_transport" setting in main.cf. # # - You use the "luser_relay", "mailbox_transport", or "fallback_transport" # feature of the Postfix local delivery agent (see samples/local.cf). # # Details are described in the LOCAL_RECIPIENT_README file. # # Beware: if the Postfix SMTP server runs chrooted, you probably have # to access the passwd file via the proxymap service, in order to # overcome chroot restrictions. The alternative, having a copy of # the system passwd file in the chroot jail is just not practical. # # The right-hand side of the lookup tables is conveniently ignored. # In the left-hand side, specify a bare username, an @domain.tld # wild-card, or specify a user@domain.tld address. # local_recipient_maps = unix:passwd.byname $alias_maps #local_recipient_maps = proxy:unix:passwd.byname $alias_maps #local_recipient_maps = # The unknown_local_recipient_reject_code specifies the SMTP server # response code when a recipient domain matches $mydestination or # $inet_interfaces, while $local_recipient_maps is non-empty and the # recipient address or address local-part is not found. # # The default setting is 550 (reject mail) but it is safer to start # with 450 (try again later) until you are certain that your # local_recipient_maps settings are OK. # unknown_local_recipient_reject_code = 550 # TRUST AND RELAY CONTROL # The mynetworks parameter specifies the list of "trusted" SMTP # clients that have more privileges than "strangers". # # In particular, "trusted" SMTP clients are allowed to relay mail # through Postfix. See the smtpd_recipient_restrictions parameter # in file samples/smtpd.cf. # # You can specify the list of "trusted" network addresses by hand # or you can let Postfix do it for you (which is the default). # # By default (mynetworks_style = host), Postfix "trusts" SMTP # clients of the local machine only. # # Specify "mynetworks_style = class" when Postfix should "trust" SMTP # clients in the same IP class A/B/C networks as the local machine. # Don't do this with a dialup site - it would cause Postfix to "trust" # your entire provider's network. Instead, specify an explicit # mynetworks list by hand, as described below. # # Specify "mynetworks_style = subnet" when Postfix should "trust" SMTP # clients in the same IP subnetworks as the local machine. # #mynetworks_style = class #mynetworks_style = subnet #mynetworks_style = host # Alternatively, you can specify the mynetworks list by hand, in # which case Postfix ignores the mynetworks_style setting. # # Specify an explicit list of network/netmask patterns, where the # mask specifies the number of bits in the network part of a host # address. # # You can also specify the absolute pathname of a pattern file instead # of listing the patterns here. Specify type:table for table-based lookups # (the value on the table right-hand side is not used). # #mynetworks = 168.100.189.0/28, 127.0.0.0/8 #mynetworks = $config_directory/mynetworks #mynetworks = hash:/etc/postfix/network_table # The relay_domains parameter restricts what destinations this system will # relay mail to. See the smtpd_recipient_restrictions restriction in the # file samples/smtpd.cf for detailed information. # # By default, Postfix relays mail # - from "trusted" clients (IP address matches $mynetworks) to any destination, # - from "untrusted" clients to destinations that match $relay_domains or # subdomains thereof, except addresses with sender-specified routing. # The default relay_domains value is $mydestination. # # In addition to the above, the Postfix SMTP server by default accepts mail # that Postfix is final destination for: # - destinations that match $inet_interfaces, # - destinations that match $mydestination # - destinations that match $OBvirtual_alias_domains, # - destinations that match $virtual_mailbox_domains. # These destinations do not need to be listed in $relay_domains. # # Specify a list of hosts or domains, /file/name patterns or type:name # lookup tables, separated by commas and/or whitespace. Continue # long lines by starting the next line with whitespace. A file name # is replaced by its contents; a type:name table is matched when a # (parent) domain appears as lookup key. # # NOTE: Postfix will not automatically forward mail for domains that # list this system as their primary or backup MX host. See the # permit_mx_backup restriction in the file samples/smtpd.cf. # #relay_domains = $mydestination # INTERNET OR INTRANET # The relayhost parameter specifies the default host to send mail to # when no entry is matched in the optional transport(5) table. When # no relayhost is given, mail is routed directly to the destination. # # On an intranet, specify the organizational domain name. If your # internal DNS uses no MX records, specify the name of the intranet # gateway host instead. # # In the case of SMTP, specify a domain, host, host:port, [host]:port, # [address] or [address]:port; the form [host] turns off MX lookups. # # If you're connected via UUCP, see also the default_transport parameter. # #relayhost = $mydomain #relayhost = gateway.my.domain #relayhost = uucphost #relayhost = [an.ip.add.ress] # REJECTING UNKNOWN RELAY USERS # # The relay_recipient_maps parameter specifies optional lookup tables # with all addresses in the domains that match $relay_domains. # # If this parameter is defined, then the SMTP server will reject # mail for unknown relay users. This feature is off by default. # # The right-hand side of the lookup tables is conveniently ignored. # In the left-hand side, specify an @domain.tld wild-card, or specify # a user@domain.tld address. # #relay_recipient_maps = hash:/etc/postfix/relay_recipients # INPUT RATE CONTROL # # The in_flow_delay configuration parameter implements mail input # flow control. This feature is turned on by default, although it # still needs further development (it's disabled on SCO UNIX due # to an SCO bug). # # A Postfix process will pause for $in_flow_delay seconds before # accepting a new message, when the message arrival rate exceeds the # message delivery rate. With the default 100 SMTP server process # limit, this limits the mail inflow to 100 messages a second more # than the number of messages delivered per second. # # Specify 0 to disable the feature. Valid delays are 0..10. # #in_flow_delay = 1s # ADDRESS REWRITING # # Insert text from samples/rewrite.cf if you need to do address # masquerading. # # Insert text from samples/canonical.cf if you need to do address # rewriting, or if you need username->Firstname.Lastname mapping. # ADDRESS REDIRECTION (VIRTUAL DOMAIN) # # Insert text from samples/virtual.cf if you need virtual domain support. # "USER HAS MOVED" BOUNCE MESSAGES # # Insert text from samples/relocated.cf if you need "user has moved" # style bounce messages. Alternatively, you can bounce recipients # with an SMTP server access table. See samples/smtpd.cf. # TRANSPORT MAP # # Insert text from samples/transport.cf if you need explicit routing. # ALIAS DATABASE # # The alias_maps parameter specifies the list of alias databases used # by the local delivery agent. The default list is system dependent. # # On systems with NIS, the default is to search the local alias # database, then the NIS alias database. See aliases(5) for syntax # details. # # If you change the alias database, run "postalias /etc/postfix/aliases" (or # wherever your system stores the mail alias file), or simply run # "newaliases" to build the necessary DBM or DB file. # # It will take a minute or so before changes become visible. Use # "postfix reload" to eliminate the delay. # #alias_maps = dbm:/etc/aliases.db #alias_maps = hash:/etc/postfix/aliases #alias_maps = hash:/etc/postfix/aliases, nis:mail.aliases #alias_maps = netinfo:/aliases # The alias_database parameter specifies the alias database(s) that # are built with "newaliases" or "sendmail -bi". This is a separate # configuration parameter, because alias_maps (see above) may specify # tables that are not necessarily all under control by Postfix. # #alias_database = dbm:/etc/postfix/aliases alias_database = hash:/etc/aliases.db #alias_database = hash:/etc/postfix/aliases, hash:/opt/majordomo/aliases # ADDRESS EXTENSIONS (e.g., user+foo) # # The recipient_delimiter parameter specifies the separator between # user names and address extensions (user+foo). See canonical(5), # local(8), relocated(5) and virtual(5) for the effects this has on # aliases, canonical, virtual, relocated and .forward file lookups. # Basically, the software tries user+foo and .forward+foo before # trying user and .forward. # #recipient_delimiter = + # DELIVERY TO MAILBOX # # The home_mailbox parameter specifies the optional pathname of a # mailbox file relative to a user's home directory. The default # mailbox file is /var/spool/mail/user or /var/mail/user. Specify # "Maildir/" for qmail-style delivery (the / is required). # #home_mailbox = Mailbox #home_mailbox = Maildir/ # The mail_spool_directory parameter specifies the directory where # UNIX-style mailboxes are kept. The default setting depends on the # system type. # #mail_spool_directory = /var/mail #mail_spool_directory = /var/spool/mail # The mailbox_command parameter specifies the optional external # command to use instead of mailbox delivery. The command is run as # the recipient with proper HOME, SHELL and LOGNAME environment settings. # Exception: delivery for root is done as $default_user. # # Other environment variables of interest: USER (recipient username), # EXTENSION (address extension), DOMAIN (domain part of address), # and LOCAL (the address localpart). # # Unlike other Postfix configuration parameters, the mailbox_command # parameter is not subjected to $parameter substitutions. This is to # make it easier to specify shell syntax (see example below). # # Avoid shell meta characters because they will force Postfix to run # an expensive shell process. Procmail alone is expensive enough. # # IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN # ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER. # #mailbox_command = /usr/bin/procmail -a "$EXTENSION" #mailbox_command = /usr/bin/procmail -a $DOMAIN -d $LOGNAME # The mailbox_transport specifies the optional transport in master.cf # to use after processing aliases and .forward files. This parameter # has precedence over the mailbox_command, fallback_transport and # luser_relay parameters. # # Specify a string of the form transport:nexthop, where transport is # the name of a mail delivery transport defined in master.cf. The # :nexthop part is optional. For more details see the sample transport # configuration file. # # NOTE: if you use this feature for accounts not in the UNIX password # file, then you must update the "local_recipient_maps" setting in # the main.cf file, otherwise the SMTP server will reject mail for # non-UNIX accounts with "User unknown in local recipient table". # #mailbox_transport = lmtp:unix:/file/name #mailbox_transport = cyrus # #fallback_transport = lmtp:unix:/file/name #fallback_transport = cyrus #fallback_transport = # The luser_relay parameter specifies an optional destination address # for unknown recipients. By default, mail for unknown@$mydestination # and unknown@[$inet_interfaces] is returned as undeliverable. # # The following expansions are done on luser_relay: $user (recipient # username), $shell (recipient shell), $home (recipient home directory), # $recipient (full recipient address), $extension (recipient address # extension), $domain (recipient domain), $local (entire recipient # localpart), $recipient_delimiter. Specify ${name?value} or # ${name:value} to expand value only when $name does (does not) exist. # # luser_relay works only for the default Postfix local delivery agent. # # NOTE: if you use this feature for accounts not in the UNIX password # file, then you must specify "local_recipient_maps =" (i.e. empty) in # the main.cf file, otherwise the SMTP server will reject mail for # non-UNIX accounts with "User unknown in local recipient table". # #luser_relay = $user@other.host #luser_relay = $local@other.host #luser_relay = admin+$local # JUNK MAIL CONTROLS # # The controls listed here are only a very small subset. See the file # samples/smtpd.cf for an elaborate list of anti-UCE controls. # The header_checks parameter specifies an optional table with patterns # that each logical message header is matched against, including # headers that span multiple physical lines. # # By default, these patterns also apply to MIME headers and to the # headers of attached messages. With older Postfix versions, MIME and # attached message headers were treated as body text. # # For details, see the samples/filter.cf file. # #header_checks = regexp:/etc/postfix/header_checks # FAST ETRN SERVICE # # Postfix maintains per-destination logfiles with information about # deferred mail, so that mail can be flushed quickly with the SMTP # "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld". # # By default, Postfix maintains deferred mail logfile information # only for destinations that Postfix is willing to relay to (as # specified in the relay_domains parameter). For other destinations, # Postfix attempts to deliver ALL queued mail after receiving the # SMTP "ETRN domain.tld" command, or after execution of "sendmail # -qRdomain.tld". This can be slow when a lot of mail is queued. # # The fast_flush_domains parameter controls what destinations are # eligible for this "fast ETRN/sendmail -qR" service. # #fast_flush_domains = $relay_domains #fast_flush_domains = # SHOW SOFTWARE VERSION OR NOT # # The smtpd_banner parameter specifies the text that follows the 220 # code in the SMTP server's greeting banner. Some people like to see # the mail version advertised. By default, Postfix shows no version. # # You MUST specify $myhostname at the start of the text. That is an # RFC requirement. Postfix itself does not care. # #smtpd_banner = $myhostname ESMTP $mail_name #smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) # disable_vrfy_command = yes # The smtpd_helo_required parameter optionally turns on the requirement # that SMTP clients must introduce themselves at the beginning of an # SMTP session. # smtpd_helo_required = yes smtpd_client_restrictions = check_client_access hash:/etc/postfix/access default_recipient_limit = 2 default_destination_recipient_limit = 2 #smtpd_helo_restrictions = #smtpd_recipient_limit = 4 # local_destination_concurrency_limit = 2 default_destination_concurrency_limit = 2 # INSTALL-TIME CONFIGURATION INFORMATION readme_directory = /etc/postfix/README_FILES sample_directory = /etc/postfix/samples sendmail_path = /usr/sbin/ setgid_group = postdrop command_directory = /usr/sbin manpage_directory = /usr/share/man daemon_directory = /usr/libexec/postfix newaliases_path = /usr/bin/newaliases mailq_path = /usr/bin/mailq

его тоже надо убрать, например авторизированный пользователь ложит в ящик письмо, и со 127.0.0.1 оно отправляется (не всегда, но возможна такая настройка) если хочешь, давай помогу

для проверки, можно убрать из mynetworks адреса, очистить очередь. и посмотреть на загрузку sql. будет доступна входящая почта, ну и естессно лучше логировать соединения, 99% что сразу найдете кто спам шлет.

Уважаемый, прочтите мой пост №13 кусочег

Вы раньше работали с почтовыми системами? Какое логирование, сударь? postfix может работать с файловой системой и писать всё в файлы, вместо SQL

открою вам большой секрет, что почтовая система может работать без использования SQL

проще без sql замутить

почему такая аццкая нагрузка запросов на машину? как на открытом релее. sql нагружен потому что он все запросы сохраняет в базу. у меня подозрение на то, что это из твоей сети валятся спам рассылки, т.к. почтовая система уже имеет эти письма, и не может их доставить адресату. смотри trafshow, а еще лучше на роутере своей сети мониторить

какбе во фре ipfw по топику, возможно у тебя проблема с LookUp, сервер не успевает сделать столько dns запросов, проблема может быть в файрволе. еще трабла возможна изза проверок SMTP диалога. вариантов, чтобы подвесить postfix немеряно, включи в режиме отладки и отключит временно резолвинг. посмотри что у тебя в sql творится. еще как вариант закончилось свободное место

цены как пять лет назад )

кривой сайт, и все

трафик в UA-IX ниче не может стоить, такая уж концепция участников точек обмена трафиком.

в точке обмена UA-IX. ниче не стоит

Запутали чувака ) Смотри dnat, тебе нужно изменить поле dst-ip читай для чего нужен natd Обычно порт пробрасывают

Тебе важнее гарантированная скорость, чем ее разбег от и до. и цены будут напорядок отличаться

Даже аренда жилы будет стоит не дешево Зато у него будет 2 состояния - работает/неработает Транспорт дешевле, но могут быть траблы