Mor*_*eu5 9 postfix spf dkim dmarc
我有这个域,我为其设置了 SPF、DKIM 和 DMARC 内容。让我们假设域example.com在其 DNS 区域中具有以下条目:
example.com. 600 IN MX 1 mail.morpheu5.net.
example.com. 600 IN TXT "v=spf1 a mx -all"
_dmarc.example.com. 600 IN TXT "v=DMARC1; p=none; rua=mailto:postmaster@example.com; ruf=mailto:postmaster@example.com; sp=none; ri=86400"
mail._domainkey.example.com. 600 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDSYXmE/aXew9wcS9dCZFYrPetCRC9rW3vVYRQo980JbC6pXbAkqnUd7ncWkUaQZgF2HKzrspUMklRN35rB1b9iHX3dHnf/gvxSURZPYcKT1DenFt+Vhplv2IuWCNWRSqTuXTXlVOnf+TwWLZayKNq62mCqU09sasP9kHXO5lyIbwIDAQAB"
mail.morpheu5.net是我的后缀的本地主机/域/事物,我example.com作为虚拟域进行管理。我正在将 OpenDKIM 和 OpenDMARC 作为 milters 运行——SpamAssassin 也是如此,但这工作正常。
OpenDKIM 工作正常,所有邮件都得到了正确签名,Gmail 甚至显示了“签名者:example.com”和标准加密 (TLS) 的确认。事实上,如果我在 Gmail 中检查原始邮件,我会得到以下信息:
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@example.com header.s=mail header.b=pixIC2KM;
spf=pass (google.com: domain of xxxxx@example.com designates 79.137.83.28 as permitted sender) smtp.mailfrom=xxxxx@example.com;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com
Return-Path: <xxxxx@example.com>
Received: from mail.morpheu5.net (mail.morpheu5.net. [79.137.83.28])
by mx.google.com with ESMTPS id p67-v6si2567899wmd.147.2018.10.31.08.01.43
for <xxxxx@gmail.com>
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Wed, 31 Oct 2018 08:01:43 -0700 (PDT)
Received-SPF: pass (google.com: domain of xxxxx@example.com designates 79.137.83.28 as permitted sender) client-ip=79.137.83.28;
Authentication-Results: mx.google.com;
dkim=pass header.i=@example.com header.s=mail header.b=pixIC2KM;
spf=pass (google.com: domain of xxxxx@example.com designates 79.137.83.28 as permitted sender) smtp.mailfrom=xxxxx@example.com;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com
如果我读对了,它告诉我
再往下,如果我检查我自己的 MTA 生成的标题,我会看到以下内容
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.morpheu5.net 8E8CE100B2EB
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=mail; t=1540998102; bh=j1p26NHBiJxaCqvB8/JaswqiQuHCsG+QNIkoIUc8B+0=; h=From:Subject:Date:To:From; b=pixIC2KMsLYpq4KQn4gRIJ4wr3Tle+Iaq08lSVdIz82nrKDybFhOivpIrmtpKSXND
rS4MPn7aNRV2D2KJPqG6Ru2tFAJEaBviC/7BNs2x3mIGlIxv5OzvD2EIvrJSJ8FA9U
1Uf9YTdWgSF4FdytLD21Jus6dYt4evDc3ZZujvIU=
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.morpheu5.net 8E8CE100B2EB
Authentication-Results: mail.morpheu5.net; dmarc=fail (p=none dis=none) header.from=example.com
^^^^^^^^^^- WHAT?!
这本身就令人困惑,因为 OpenDMARC 似乎甚至在外发邮件中也在运行(请记住,我将此消息从 xxxxx@example.com 发送到 xxxxx@gmail.com)。然而,这可能是因为我如何运行 milter。这是 postfix 中的相关位main.cf:
smtpd_milters = inet:mopsmailer_spamassassin:784 inet:localhost:8893 inet:localhost:8891
non_smtpd_milters = inet:mopsmailer_spamassassin:784 inet:localhost:8893 inet:localhost:8891
^- SpamAssassin ^- OpenDMARC ^- OpenDKIM
我愿意接受这方面的建议。
然而,真正让我发疯的是 OpenDMARC 几乎让所有通过门进来的东西都失败了。这是我从另一个域发送的消息(我以与 example.com 类似的方式设置)
Return-Path: <xxxxx@example.com>
Delivered-To: yyyyy@unijobs.it
Received: from mail.morpheu5.net ([172.18.0.14])
by 6c01c2ccb641 with LMTP
id t10hEf7J2Vu3BQAAl2tFQA
(envelope-from <xxxxx@example.com>)
for <yyyyy@unijobs.it>; Wed, 31 Oct 2018 15:27:58 +0000
Received: from porto.home (host109-154-219-15.range109-154.btcentralplus.com [109.154.219.15])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mail.morpheu5.net (Postfix) with ESMTPSA id E0A22100B2EB
for <yyyyy@unijobs.it>; Wed, 31 Oct 2018 15:27:57 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.morpheu5.net E0A22100B2EB
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
s=mail; t=1540999678;
bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
h=From:Subject:Date:To:From;
b=ulFaGLYp8hoosllX0rs+byXALUScldP5Of4Sf9/GxuuEqkz5VpCwPHib0TCXQNyqG
yGqzlgBUoKB2SB0vRqbDW6vb+1UyG971DVeC0WfuRvoe7lKFLFmzD+V25rht/83TKv
GFhIX2JMMobnw+wS++/6rS/l93/NLlTysiKECSfo=
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.morpheu5.net E0A22100B2EB
Authentication-Results: mail.morpheu5.net; dmarc=fail (p=none dis=none) header.from=example.com
From: "example.com" <xxxxx@example.com>
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Subject:
Message-Id: <D3CC846F-19E8-4554-9990-1753D4E738E3@example.com>
Date: Wed, 31 Oct 2018 15:27:57 +0000
To: yyyyy@unijobs.it
它们都由相同的 postfix 安装提供服务,因此请得出您自己的结论。我在日志中看到的唯一内容是非常简洁的
Oct 31 15:27:58 bd85f6a3b2b6 opendmarc[20]: E0A22100B2EB: example.com fail
所以我想我一定是在传递信息时搞砸了一些事情。然后我从我的 gmail.com 地址发送了一个,瞧
Return-Path: <zzzzz@gmail.com>
Delivered-To: xxxxx@example.com
Received: from mail.morpheu5.net ([172.18.0.14])
by 6c01c2ccb641 with LMTP
id 3P0+CTjL2Vu7BQAAl2tFQA
(envelope-from <zzzzz@gmail.com>)
for <xxxxx@example.com>; Wed, 31 Oct 2018 15:33:12 +0000
Received: from mail-lf1-f51.google.com (mail-lf1-f51.google.com [209.85.167.51])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by mail.morpheu5.net (Postfix) with ESMTPS id 63728100B2EB
for <xxxxx@example.com>; Wed, 31 Oct 2018 15:33:11 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.morpheu5.net 63728100B2EB
Authentication-Results: mail.morpheu5.net;
dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="Yrnjbum2"
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.morpheu5.net 63728100B2EB
Authentication-Results: mail.morpheu5.net; dmarc=fail (p=none dis=none) header.from=gmail.com
Received: by mail-lf1-f51.google.com with SMTP id p86so9773378lfg.5
for <xxxxx@example.com>; Wed, 31 Oct 2018 08:33:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20161025;
h=mime-version:from:date:message-id:subject:to;
bh=fxtWSne+bN95BKwPxnuLE2Rr8rvPT03LkPGqL68IQSE=;
b=Yrnjbum25r6EczXzozeQERktfI7380FH3ETaRQ574kjKWdI+gtL337nVsPH34hnkyy
YZ3XuVBCyKpz2ulXqF6G9ipsk9Hh6cK6P/BGNO9fs1WRrz9U8BImKhiqJBTdv4J+K4Rq
grpn4buL1q3lRqunfJzSPaTww0DnYPWR89ICeMiyIYGbNYA4uTBQhQm0GUQRMJz6J1Bm
4FGL9dL2/sgexlOGga3AeP1dHyPoLag9FN2Vbr/nJThqml8BcC4kPdVb1iH4FZoNaTSh
s4CeTREvW6XLEAVgSz5Q3DgFLR0V4iCuqYxKkkHDYNi1If/agXkbRBigRP6+HUsTw7mM
8O7Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
bh=fxtWSne+bN95BKwPxnuLE2Rr8rvPT03LkPGqL68IQSE=;
b=MPBwgFcsvJZ9gZbD0n0kfYMKpaHDQ3SkU30o5qVqs9Zwaqu3bTubSDkB+HCHsq8P8A
6BZN3WARiL9zi9sdxKmvHYBvrf043htR1/jFEr6+1Wr5eO2ULZmKIxdKl609YffDmzM8
vXXNzIw8pNYvEcaKUW04APzyEG5iEA9B5hrik4ivD9EWC0LHGuVf5jZuFT0LsKuWwydP
n30LqX6Wra8XjSnbejgeD/m53xDWQpYckArRm6VA7+XqH1W7xnKgxc4MBmeX7gqYQrvV
nmXMJyJAVtjiW9PXKDIE0SpP9XXryLn3FsguDCCwb46FS3rLJWW7i9SYSDKDb4N6iY3r
NXUA==
X-Gm-Message-State: AGRZ1gIHySs3xex2WNMp2GByh7QqSOszi85+983Juw7ZJnOEDB28/jma
iM0XrZTH6QjHeJajn8Zxx3UmFTkgAJ1MdBldxKeKiQ==
X-Google-Smtp-Source: AJdET5dvhrIXWjNNjZ2g5C7dSnHwXF95xuK/26l2o3C8fhT2r034Pos5Z776NyKi6JQvIAXpGCEkKe/WjOMaWWllzCM=
X-Received: by 2002:a19:13cc:: with SMTP id 73mr1902315lft.79.1540999989833;
Wed, 31 Oct 2018 08:33:09 -0700 (PDT)
MIME-Version: 1.0
From: Andrea Franceschini <zzzzz@gmail.com>
Date: Wed, 31 Oct 2018 15:32:32 +0000
Message-ID: <CACY09wpao6XSxkjzNXytTJ3Z3SCrpnhQkUjoWHJzYd8sS23jmA@mail.gmail.com>
Subject:
To: xxxxx@example.com
Content-Type: text/plain; charset="UTF-8"
X-Spam-Status: No, score=2.3 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
DKIM_VALID_AU,DNS_FROM_AHBL_RHSBL,FREEMAIL_FROM,UNPARSEABLE_RELAY,
URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.0
X-Spam-Level: **
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on 226c07f01f2b
这就是日志中显示的内容
Oct 31 15:33:12 bd85f6a3b2b6 opendmarc[20]: 63728100B2EB: gmail.com fail
另请注意,SpamAssassin 为这条消息计算了一堆 DKIM 分数,而这在以前没有发生过,所以...是时候提供更多配置文件了!
OpenDKIM 开始
PidFile /var/run/opendkim/opendkim.pid
Mode sv
Syslog yes
SyslogSuccess yes
LogWhy yes
UserID opendkim:opendkim
Socket inet:8891@localhost
Umask 002
SendReports yes
SoftwareHeader yes
Canonicalization relaxed/relaxed
Selector default
MinimumKeyBits 1024
KeyTable /etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
OversignHeaders From
QueryCache yes
AutoRestart Yes
KeyTable 对我来说似乎没问题
mail._domainkey.unijobs.it unijobs.it:mail:/etc/opendkim/keys/unijobs.it/dkim-private.pem
mail._domainkey.example.com example.com:mail:/etc/opendkim/keys/example.com/dkim-private.pem
我也有通配符签名
*@unijobs.it mail._domainkey.unijobs.it
*@example.com mail._domainkey.example.com
这些作为受信任的主机
127.0.0.1
::1
172.17.0.0/16
172.18.0.0/16
OpenDMARC 是这样配置的
AuthservID mail.morpheu5.net
HistoryFile /var/spool/opendmarc/opendmarc.dat
IgnoreHosts /etc/opendmarc/ignore.hosts
RejectFailures false
Socket inet:8893@localhost
SoftwareHeader true
Syslog true
UMask 007
UserID opendmarc:mail
随着以下 ignore.hosts
localhost
172.17.0.0/16
172.18.0.0/16
那么......为什么 OpenDMARC 几乎失败了所有通过门进来的东西?
编辑我运行opendmarc -t了这些消息之一,发生的最糟糕的是
opendmarc: mlfi_connect() returned SMFIS_ACCEPT
如果我使用我的自定义配置文件运行它,并且
opendmarc: mlfi_connect() returned SMFIS_CONTINUE
opendmarc: mlfi_helo() returned SMFIS_CONTINUE
opendmarc: message: mlfi_envfrom() returned SMFIS_CONTINUE
opendmarc: message: line 1: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 2: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 3: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 8: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 13: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 14: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 15: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 16: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 23: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 24: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 26: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 27: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 28: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 29: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 30: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 31: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 34: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 35: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 37: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 38: mlfi_header() returned SMFIS_CONTINUE
### INSHEADER: idx=1 hname='Authentication-Results' hvalue='DEBUG-j; dmarc=fail (p=none dis=none) header.from=example.com'
opendmarc: message: mlfi_eom() returned SMFIS_ACCEPT
opendmarc: mlfi_close() returned SMFIS_CONTINUE
如果我没有指定我的自定义配置文件(由于原因,它位于一个奇怪的位置)。
编辑Gmail 现在通过 SPF、DKIM,并最终通过 opendmarc。不知道发生了什么。
因此,您的 DMARC(spf、dkim)的外部验证没问题。(您可以检查https://dmarcian.com/dmarc-inspector/?domain=example.com)
每条消息传递时内部检查均失败。
可能是配置中的行
AuthservID mail.morpheu5.net
无法正确解决。尝试设置字符串“HOSTNAME”。然后它将使用函数 gethostname() (这是一个疯狂的猜测)
那么ignorehosts文件呢,也许您还应该添加127.0.0.1(如果未指定任何内容,则这是默认值),而不仅仅是localhost。
更新: 尝试从以下位置删除 DMARC milters
main.cf:non_smtpd_milters xxxxx
| 归档时间: |
|
| 查看次数: |
5095 次 |
| 最近记录: |