Will mailing lists "break" if SPF is too restrictive?

Chr*_*son 8 security email smtp spf dkim

I have recently configured my own mail server (Linux-based postfix + dovecot scenario). This is just for personal use - I have no bulk mail going out, no automatically generated mail outbound from the host, nothing like that. I've gone through the trouble to configure all the additional fun-to-debug email DNS records:

@                 IN  TXT  v=spf1 +mx -all
_domainkey        IN  TXT  o=-; r=dkim@example.com
mail._domainkey   IN  TXT  v=DKIM1; h=sha256; k=rsa; s=email; p=deadbeef
_adsp._domainkey  IN  TXT  dkim=all
_dmarc            IN  TXT  adkim=s; aspf=s; fo=1; p=none; pct=100; rf=afrf; ri=86400; rua=mailto:aggrep@example.com; ruf=mailto:authfail@example.com; sp=none; v=DMARC1;

I've got an IP that isn't on any blacklists, a PTR correctly configured, DKIM signatures validate perfectly, I thought everything was set up correctly.

But now I can't contribute to mailing lists. When I send to the list address, sometimes the message goes into a black hole, sometimes I get an email to my authfail@ address, and in other cases I see entries I believe are related in reports sent to aggrep@.

My theory is that the SPF policy is too restrictive. The mailman (or other) list server is acting as an SMTP relay for my messages, right? So I changed

@                 IN  TXT  v=spf1 +mx -all

to

@                 IN  TXT  v=spf1 +mx ~all

making the default action a softfail instead of a hardfail. The problem is, I don't want to go around spamming lists for no good reason to test this change. Has anyone else been here before and can verify/refute my theory?


EDIT 1:

Thinking back, and thanks @Alex for setting me straight, I really haven't provided enough data to make an accurate assessment. Here's an example of a notice I received on my authfail@ address when attempting to post to a mailing list:

This is a spf/dkim authentication-failure report for an email message received from IP 66.211.214.132 on Thu, 10 Jul 2014 20:58:52 +0800.
Below is some detail information about this message:
 1. SPF-authenticated Identifiers: archlinux.org;
 2. DKIM-authenticated Identifiers: none;
 3. DMARC Mechanism Check Result: Identifier non-aligned, DMARC mechanism check failures;

For more information please check Aggregate Reports or mail to abuse@126.com.



Feedback-Type: auth-failure
User-Agent: NtesDmarcReporter/1.0
Version: 1
Original-Mail-From: <arch-general-bounces@archlinux.org>
Arrival-Date: Thu, 10 Jul 2014 20:58:52 +0800
Source-IP: 66.211.214.132
Reported-Domain: example.com
Original-Envelope-Id: w8mowEA5UUwMjr5TlWQfBA--.250S2
Authentication-Results: 126.com; dkim=fail (signature error: RSA verify failed) header.d=example.com; spf=pass smtp.mailfrom=arch-general-bounces@archlinux.org
DKIM-Domain: example.com
Delivery-Result: delivered

Looks to me like this is a DKIM signature failure, but I have no idea why. Is the receiving server trying to verify my DKIM signature against the mailing-list-server's key, or vice versa? For some reason, I wouldn't expect this to happen - I remember reading somewhere that in cases like this Relays and such will sometimes remove/munge headers like this to ensure these types of failures don't occur?


EDIT 2:

Thanks to @Christopher Karel for referencing a DMARC report parsing tool at dmarcian.com. The lion's share of entries are listed as forwarders (which makes sense). There is one server (*.mailhop.org) listed as "preserv[ing] DKIM" - I've successfully sent mail over one of the Ruby language forums which has worked, and I know from my research they use mailhop.org.

Listed under the category "servers that break DKIM signatures (or create forged signatures)" are *.archlinux.org, *.google.com, *.mailhop.org (can't say why that one is here; it seems maybe another list I'm on uses them as well, in a different configuration), and others, and the lists I'm most active on are Arch and a few hosted by Google Groups, so this makes sense. About 400 messages in total - I haven't sent nearly that many messages, so I suppose retries are probably being counted.

I'm getting increasingly frustrated - at the moment it seems my options are:

  1. Keep SPF, DKIM, DMARC and ADSP and give up using mailing lists, or
  2. Drop this DNS security/reporting layer and have my normal outbound mail rejected by Google, Yahoo, Live, etc.

Chr*_*rel 8

Email security sucks. So in the end, you may be faced with a decision where all of your options are bad, and each breaks something different for a different reason.

Specifically, for SPF, if a mailing list forwards messages without rewriting the headers, it will cause failures. Lists can configure themselves to make this work if they want to, so there's no good general answer. However, if messages from the list appear to come from the list itself, it is rewriting the headers. If they appear to come from the original sender, it probably isn't. In general, mailing lists themselves should work fine with SPF. Regular mail forwarding, on the other hand, will not.

When it comes to DKIM, any modification to the message will cause a failure. This almost always happens with mailing lists. So DKIM usually bombs with mailing lists. But mail forwarding should be fine.

On top of that, you've implemented DMARC. This is essentially a reporting infrastructure around DKIM and SPF. It works best if you implement both authentication measures, but it works fine with just one. You can configure DMARC to convey a drop request for your messages, but more importantly you can specify an address to receive success/failure reports. Most major email receivers support these (GMail, Hotmail, Yahoo). This gives you insight into which mail is failing SPF checks, and why. Use that to inform your -all vs ~all decision.

Unfortunately, the DMARC spec requires alignment between the sender's domain and the SPF record being checked. In your case, the mailing list's SPF is being checked and passing, but it is not aligned with your domain. So DMARC bombs. This is from the mailing list administrator reference material.

My conclusion is the same as my opening line: E-Mail security sucks. All of your options suck too. IMHO, mailing lists suck as well, and life would be better if we replaced them. ;-)
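As an added example, not part of either answer or of any mail software the thread mentions: a small Python reproduction of the DMARC identifier-alignment logic described above, applied to the Authentication-Results line from the failure report in the question. The function names are mine; the organizational-domain helper assumes the last two labels are the organizational domain (no public suffix list lookup), which is a simplification.

```python
import re

# Constructed from the report quoted in the question: the receiver's
# Authentication-Results header, the From: domain, and the relevant
# tags of the questioner's DMARC record (strict alignment for both).
AUTH_RESULTS = ("126.com; dkim=fail (signature error: RSA verify failed) "
                "header.d=example.com; spf=pass "
                "smtp.mailfrom=arch-general-bounces@archlinux.org")
FROM_DOMAIN = "example.com"
DMARC_RECORD = "v=DMARC1; adkim=s; aspf=s; p=none;"


def org_domain(domain):
    """Organizational domain, simplified: the last two labels.
    Real DMARC evaluators consult the public suffix list instead."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC alignment: strict ('s') needs an exact match with the From
    domain, relaxed ('r') only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_auth_results(header):
    """Extract (verdict, identifier domain) for spf and dkim from an
    Authentication-Results header; None if a mechanism is absent."""
    spf = re.search(r"spf=(\w+)\s+smtp\.mailfrom=(?:[^@\s]+@)?([\w.-]+)", header)
    dkim = re.search(r"dkim=(\w+).*?header\.d=([\w.-]+)", header)
    return {"spf": (spf.group(1), spf.group(2)) if spf else None,
            "dkim": (dkim.group(1), dkim.group(2)) if dkim else None}


def dmarc_evaluate(header, from_domain, record):
    """DMARC passes if at least one mechanism both passed and is aligned
    with the From domain. Returns ('pass'|'fail', list of reasons)."""
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    results = parse_auth_results(header)
    passed, reasons = False, []
    for mech, tag in (("spf", "aspf"), ("dkim", "adkim")):
        if results[mech] is None:
            reasons.append(f"{mech}: no result")
            continue
        verdict, dom = results[mech]
        mode = tags.get(tag, "r")          # DMARC default is relaxed
        is_aligned = aligned(dom, from_domain, mode)
        reasons.append(f"{mech}={verdict} d={dom} aligned={is_aligned} ({mode})")
        passed = passed or (verdict == "pass" and is_aligned)
    return ("pass" if passed else "fail"), reasons
```

Running `dmarc_evaluate(AUTH_RESULTS, FROM_DOMAIN, DMARC_RECORD)` on the report shows why the message failed: SPF passed but for archlinux.org (the list's bounce address), which is not aligned with example.com in either mode, and the only aligned identifier, DKIM, was broken by the list's modifications.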


Chr*_*son 1

It turns out there doesn't appear to be anything wrong with my configuration. What is happening is that Mailman is processing my message correctly and forwarding it to the list. However, several recipients (for whatever individual reason) are rejecting the message. Because I actually have SPF configured correctly, I'm seeing the rejection messages from those destination SMTP servers, rather than from the mailing list relay itself.

Some great folks in the Arch community helped me track this down, since they have access to said ML servers.