为什么 OpenDKIM 没有签名并验证我的电子邮件?(CentOS 6.5,Postfix 和 OpenDKIM)

为什么 OpenDKIM 没有签名并验证我的电子邮件?(CentOS 6.5,Postfix 和 OpenDKIM)

我在跑:

CentOS 6.5
Postfix 2.6.6
opendkim: OpenDKIM Filter v2.9.0
    Compiled with OpenSSL 1.0.1e-fips 11 Feb 2013
    SMFI_VERSION 0x1000001
    libmilter version 1.0.1
    Supported signing algorithms:
        rsa-sha1
        rsa-sha256
    Supported canonicalization algorithms:
        relaxed
        simple
    Active code options:
        USE_DB
        USE_UNBOUND
    libopendkim 2.9.0:

我已经安装了 Zarafa,一切运行正常。然后我尝试安装 OpenDKIM,但遇到了麻烦。我将其安装在另一台运行 Zimbra 的服务器上,没有任何问题。但这台服务器没有配合。我的 /var/log/maillog 文件甚至没有显示任何 openDKIM 迹象。没有任何关于 opendkim 的日志记录。

我的 DNS 记录已正确添加。(通过 DIG 测试)我尝试了两个不同的配置文件,但这是当前的配置文件:

AutoRestart             Yes
AutoRestartRate         10/1h
LogWhy                  Yes
Syslog                  Yes
SyslogSuccess           Yes
Mode                    s
Canonicalization        relaxed/simple
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable
SignatureAlgorithm      rsa-sha256
Socket                  inet:8891@localhost
PidFile                 /var/run/opendkim/opendkim.pid
UMask                   022
UserID                  opendkim:opendkim
TemporaryDirectory      /var/tmp

这是 /etc/opendkim/SigningTable:

# OPENDKIM SIGNING TABLE
# This table controls how to apply one or more signatures to outgoing messages based
# on the address found in the From: header field. In simple terms, this tells
# OpenDKIM "how" to apply your keys.

# To use this file, uncomment the SigningTable option in /etc/opendkim.conf,
# then uncomment one of the usage examples below and replace example.com with your
# domain name, then restart OpenDKIM.

# WILDCARD EXAMPLE
# Enables signing for any address on the listed domain(s), but will work only if
# "refile:/etc/opendkim/SigningTable" is included in /etc/opendkim.conf.
# Create additional lines for additional domains.

#*@example.com default._domainkey.example.com

# NON-WILDCARD EXAMPLE
# If "file:" (instead of "refile:") is specified in /etc/opendkim.conf, then
# wildcards will not work. Instead, full user@host is checked first, then simply host,
# then [email protected] (with all superdomains checked in sequence, so "foo.example.com"
# would first check "[email protected]", then "[email protected]", then "[email protected]"),
# then .domain, then user@*, and finally *. See the opendkim.conf(5) man page under
# "SigningTable" for more details.

#example.com default._domainkey.example.com
*@mydomain.com dk_default._domainkey.mydomain.com


Here is /etc/opendkim/KeyTable:

# OPENDKIM KEY TABLE
# To use this file, uncomment the #KeyTable option in /etc/opendkim.conf,
# then uncomment the following line and replace example.com with your domain
# name, then restart OpenDKIM. Additional keys may be added on separate lines.

#default._domainkey.example.com example.comefault:/etc/opendkim/keys/default.private
dk_default._domainkey.mydomain.com mydomain.comk_default:/etc/opendkim/keys/mydomain.com/dk_default


Here is /etc/opendkim/TrustedHosts:
# OPENDKIM TRUSTED HOSTS
# To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts
# option in /etc/opendkim.conf then restart OpenDKIM. Additional hosts
# may be added on separate lines (IP addresses, hostnames, or CIDR ranges).
# The localhost IP (127.0.0.1) should always be the first entry in this file.
127.0.0.1
#host.example.com
#192.168.1.0/24
172.20.6.178
mydomain.com
zarafa.mydomain.com

编辑:

/etc/postfix/main.cf:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

smtpd_banner = $myhostname ESMTP $mail_name
biff = no
append_dot_mydomain = no
readme_directory = no
smtpd_tls_cert_file=/opt/yaffas/etc/ssl/certs/postfix.crt
smtpd_tls_key_file=/opt/yaffas/etc/ssl/certs/postfix.key
smtpd_use_tls=yes
smtp_tls_security_level = may
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
mydestination =
myorigin = $mydomain
mynetworks = [::1]/128, [::ffff:127.0.0.0]/104, 127.0.0.0/8
virtual_mailbox_domains = localhost, zarafa.mydomain.com, mydomain.com
virtual_mailbox_maps = ldap:/etc/postfix/ldap-users.cf
virtual_alias_maps = regexp:/etc/postfix/virtual_users_global, hash:/opt/yaffas/config/postfix/local-aliases.cf, hash:/opt/yaffas/config/postfix/public-folder-aliases.cf, hash:/etc/postfix/ldap-group.cf, ldap:/etc/postfix/ldap-aliases.cf
virtual_transport = lmtp:127.0.0.1:2003

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes

content_filter = amavis:[127.0.0.1]:10024
smtpd_helo_required = yes
smtpd_delay_reject = yes
smtpd_recipient_restrictions = permit_mynetworks,
                             permit_sasl_authenticated,
                             reject_unauth_destination,
                             reject_unknown_recipient_domain,
                             check_client_access hash:/opt/yaffas/config/postfix/whitelist-postfix,
                             check_policy_service inet:127.0.0.1:12525,

sender_canonical_maps = hash:/etc/postfix/sender_canonical

transport_maps = hash:/opt/yaffas/config/postfix/transport-deliver-to-public
zarafa-publicfolder_destination_recipient_limit = 1
myhostname = zarafa.mydomain.com
message_size_limit = 20971520
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 2

/etc/postfix/master.cf:

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#submission inet n       -       n       -       -       smtpd
#  -o smtpd_enforce_tls=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps     inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
    -o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -   -   n   -   1   scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
old-cyrus unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient

amavis unix - - n - 2 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20

127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

zarafa-publicfolder unix -      n      n    -    10      pipe
     flags=DORu user=vmail argv=/opt/yaffas/libexec/mailalias/zarafa-deliver-to-public ${nexthop}

编辑:另外,为什么 OpenDKIM 不验证电子邮件?当我发送电子邮件时,我总是在日志中收到这样的消息:

10 月 25 日 21:13:32 zarafa postfix/smtp[7201]: megawatt.resistor.net[208.69.177.116]:25 的证书验证失败:不受信任的发行者 /C=US/ST=New York/L=Brooklyn/O=Eland Systems/OU=Eland CA/CN=Eland/[电子邮件保护]

而且,无论我将消息发送到哪里都没关系。我已经将消息发送到我自己的服务器上,我知道该服务器已通过 DKIM 验证,但我仍能收到它。

答案1

为了验证电子邮件,您必须设置模式参数opendkim.conf以(s 表示签名,v 表示验证) 的形式出现sv。默认情况下,它将验证来自 InternalHosts 外部的所有电子邮件。

在您当前的配置中,您只需签署来自 InternalHosts 的消息。

答案2

为了让其他人能够验证您的电子邮件签名,您需要在 dns 区域文件的 txt 记录中发布 dkim 公钥。

相关内容