Postfix, DKIM and a number of issues with emails getting rejected or bulked


I'm having some issues with Postfix: some emails are being rejected or put into the spam/junk folder.

I'm trying to send emails on behalf of some of my clients. I have a Postfix server set up and running, configured with DKIM (OpenDKIM), and it seems to be working correctly (at least for the most part; verified with the Port25 verifier, sent several test emails to test accounts and checked the authentication headers). SPF and rDNS are set up correctly, etc. Who this server sends on behalf of may change frequently, so I have prepared bash scripts that dynamically generate, verify and configure DKIM for new domains with OpenDKIM. This seems to work well. I also rewrite the Return-Path and Sender addresses to a VERP address that goes to a mailbox I set up for bounce, complaint and rejection handling. This also works fine.

DKIM passes on the Port25 verifier, the elandsys verifier, Gmail and several others. But it fails on AOL. I keep getting body hash failures, while everywhere else says the body hash passes. I set up a new AOL account to double-check, and now I get a "521 5.2.1: AOL will not accept delivery of this message" rejection from AOL.

Emails sent to Outlook/MSN/Hotmail accounts go to the spam folder.

I would also like to use my mail domain's DKIM to sign outgoing emails from domains that do not have DKIM verified. I have seen providers such as Mandrill do this (see below). After configuring this in Postfix the results were not great; the delivery rate of the emails actually dropped sharply.

Delivered-To: [email protected]
Received: by 10.55.161.141 with SMTP id k135csp1830148qke;
        Tue, 26 Apr 2016 20:47:00 -0700 (PDT)
X-Received: by 10.37.106.85 with SMTP id f82mr3485368ybc.108.1461728820068;
        Tue, 26 Apr 2016 20:47:00 -0700 (PDT)
Return-Path: <bounce-md_30132259.57203633.v1-c38c577effa341359e850867904fed55@mandrillapp.com>
Received: from mail132-12.atl131.mandrillapp.com (mail132-12.atl131.mandrillapp.com. [198.2.132.12])
        by mx.google.com with ESMTPS id w16si600671ybg.207.2016.04.26.20.46.59
        for <[email protected]>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 26 Apr 2016 20:47:00 -0700 (PDT)
Received-SPF: pass (google.com: domain of bounce-md_30132259.57203633.v1-c38c577effa341359e850867904fed55@mandrillapp.com designates 198.2.132.12 as permitted sender) client-ip=198.2.132.12;
Authentication-Results: mx.google.com;
       dkim=pass [email protected];
       dkim=pass [email protected];
       spf=pass (google.com: domain of bounce-md_30132259.57203633.v1-c38c577effa341359e850867904fed55@mandrillapp.com designates 198.2.132.12 as permitted sender) smtp.mailfrom=bounce-md_30132259.57203633.v1-c38c577effa341359e850867904fed55@mandrillapp.com
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=mandrill; d=mail132-12.atl131.mandrillapp.com;
 h=From:Sender:Subject:Reply-To:To:Message-Id:Date:MIME-Version:Content-Type; [email protected];
 bh=8PvyG5n9j+Ss5LkEFRDfDyq0HKE=;
 b=R0+W6T3QnIZ6BiLyJ7dkxJAKeX3lPwuIb5J+t+HXfUgyuIZGXVDpcaPUxUsnZr7Vj8W/hen2AxXT
   Ul9Fyr7kT1BJFebk+Q/lZKQOoD+TRjx6acbqxZtih581bpQUXlLfGvsu6IBAu87T6Bo2TYKimeu6
   ZVwDkQneY8kcB5/40HY=
Received: from pmta02.mandrill.prod.atl01.rsglab.com (127.0.0.1) by mail132-12.atl131.mandrillapp.com id h40r381sar81 for <[email protected]>; Wed, 27 Apr 2016 03:46:59 +0000 (envelope-from <bounce-md_30132259.57203633.v1-c38c577effa341359e850867904fed55@mandrillapp.com>)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mandrillapp.com; 
 [email protected]; q=dns/txt; s=mandrill; t=1461728819; h=From : 
 Sender : Subject : Reply-To : To : Message-Id : Date : MIME-Version : 
 Content-Type : From : Subject : Date : X-Mandrill-User : 
 List-Unsubscribe; bh=ZrtQq9DGePbIoMTLPLNJf1+1+NGpBrWl294/n54mrko=; 
 b=mKtUK27sdir1yIoMUKzddEFOZN6CD6CSpl3V42N+n4st78OHYeaE1BDraVhuIvctg5r6uk
 5dh6vcGh40AcvyZKSkWBecqESP0kKQKKhbR7Oidlef9dP7PYZ11CLQ1DxbsAUP0IOUtUu7dW
 SrGTmkbnIAv+9hPgB/JdUgHt+SISk=
From: Replaced Sender <[email protected]>
Sender: Replaced Sender <[email protected]>
Subject: test 3
Return-Path: <bounce-md_30132259.57203633.v1-c38c577effa341359e850867904fed55@mandrillapp.com>
Received: from [52.2.104.2] by mandrillapp.com id c38c577effa341359e850867904fed55; Wed, 27 Apr 2016 03:46:59 +0000
Reply-To: <[email protected]>
To: "[email protected]" <[email protected]>
X-Report-Abuse: Please forward a copy of this message, including all headers, to [email protected]
X-Report-Abuse: You can also report abuse here: http://mandrillapp.com/contact/abuse?id=30132259.c38c577effa341359e850867904fed55
X-Mandrill-User: md_30132259
Message-Id: <30132259.20160427034659.572036335eb949.06765010@mail132-12.atl131.mandrillapp.com>
Date: Wed, 27 Apr 2016 03:46:59 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="_av-P_hw6r65tO2JheT0wzzGaA"

Keep in mind that I have changed the sender and recipient addresses for privacy reasons. Note that the email has two DKIM signatures, one for the mail server and one for mandrillapp.com. Is this what I need? Also, the "From" and "Reply-To" addresses differ from the "Sender" and "Return-Path" headers. Do I also need to sign my emails with my mail server's DKIM, since my Sender and Return-Path headers are addresses on my mail server?

Postfix configuration:

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
inet_interfaces = all
inet_protocols = ipv4
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
     PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
     ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.6.6/samples
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
smtpd_tls_cert_file=/etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file=/etc/pki/dovecot/private/dovecot.pem
smtpd_use_tls=yes
smtpd_tls_auth_only = no
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
myhostname = mail.mailserver.com
mydomain = mailserver.com
myorigin = mailserver.com
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf, regexp:/etc/postfix/regexp-alias.cf
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 20
smtpd_hard_error_limit = 40
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
smtp_destination_concurrency_limit = 2
delay_warning_time = 0h
maximal_queue_lifetime = 1d
bounce_queue_lifetime = 1d
notify_classes = bounce, 2bounce, delay, policy, protocol, resource, software
bounce_notice_recipient = [email protected]
2bounce_notice_recipient = [email protected]
error_notice_recipient = [email protected]
delay_notice_recipient = [email protected]
verp_delimiter_filter = +=
smtp_tls_security_level = may
smtp_tls_CAfile=/etc/postfix/ssl/cacert.pem
default_verp_delimiters = +=

Again, keep in mind that the mail server domain has been replaced.

Example of DKIM and SPF passing:

==========================================================
Summary of Results
==========================================================
SPF check:          pass
DomainKeys check:   neutral
DKIM check:         pass
Sender-ID check:    pass
SpamAssassin check: ham

==========================================================
Details:
==========================================================

HELO hostname:  mail.mailserver.com
Source IP:      MAIL-SERVER-IP
mail-from:      [email protected]

----------------------------------------------------------
SPF check details:
----------------------------------------------------------
Result:         pass 
ID(s) verified: [email protected]
DNS record(s):
   mailserver.com. SPF (no records)
   mailserver.com. 300 IN TXT "v=spf1 mx ptr a:mail.mailserver.com a:smtp.mailserver.com ?all"
   mailserver.com. 159 IN MX 0 mail.mailserver.com.
   mailserver.com. 159 IN MX 10 smtp.mailserver.com.
   mail.cbcrmes.com. 165 IN A MAIL-SERVER-IP

----------------------------------------------------------
DomainKeys check details:
----------------------------------------------------------
Result:         neutral (message not signed)
ID(s) verified: [email protected]
DNS record(s):

----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result:         pass (matches From: [email protected])
ID(s) verified: header.d=replaced.com
Canonicalized Headers:
   date:Wed,'20'27'20'Apr'20'2016'20'12:41:21'20'+0000'0D''0A'
   from:"sender_replaced"'20'<[email protected]>'0D''0A'
   reply-to:"sender_replaced"'20'<[email protected]>'0D''0A'
   to:[email protected].'0D''0A'
   list-unsubscribe::'20'<mailto:[email protected]?subject=unsubscribe>,'20'<unsublink.com>'0D''0A'
   subject:=?utf-8?Q?test?='0D''0A'
   dkim-signature:v=1;'20'a=rsa-sha256;'20'c=relaxed/simple;'20'd=replaced.com;'20's=mail;'20't=1461760882;'20'bh=JA4czgWk/3S9Et+7C2mkMVF38CnW0WyK2YaWom9s0J8=;'20'h=Date:From:Reply-To:To:List-Unsubscribe:Subject:From;'20'b=

Canonicalized Body:
   CONTENT REPLACED


DNS record(s):
   mail._domainkey.replaced.com. 300 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHQ+O0Lu2IOTQvFfguL0U5rMJo1RsVy3ZEP5Dkup/meMRfDYbnaUQL7pIRvBZo7WczgtcYVHI7A0rqwGJXZ8dyo5CC5A+2Kg6WtOTkmMwTPaRtASIX+qsJXe6ZksiOrfllFHbs+zOA1uT6m42VH+5cw4l9MzL75WAeUEy+cElx3QIDAQAB"

Public key used for verification: mail._domainkey.replaced.com (1024 bits)

NOTE: DKIM checking has been performed based on the latest DKIM specs
(RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
older versions.  If you are using Port25's PowerMTA, you need to use
version 3.2r11 or later to get a compatible version of DKIM.

----------------------------------------------------------
Sender-ID check details:
----------------------------------------------------------
Result:         pass 
ID(s) verified: [email protected]
DNS record(s):
   mailserver.com. SPF (no records)
   mailserver.com. 300 IN TXT "v=spf1 mx ptr a:mail.mailserver.com a:smtp.mailserver.com ?all"
   mailserver.com. 159 IN MX 0 mail.mailserver.com.
   mailserver.com. 159 IN MX 10 smtp.mailserver.com.
   mail.mailserver.com. 165 IN A MAIL-SERVER-IP

----------------------------------------------------------
SpamAssassin check details:
----------------------------------------------------------
SpamAssassin v3.4.0 (2014-02-07)

Result:         ham  (0.7 points, 5.0 required)

pts rule name              description
---- ---------------------- --------------------------------------------------
0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                           See
                           http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                            for more information.
0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
                           domains are different
-0.0 SPF_PASS               SPF: sender matches SPF record
-1.0 RP_MATCHES_RCVD        Envelope sender domain matches handover relay domain
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                           [score: 0.0000]
0.0 HTML_MESSAGE           BODY: HTML included in message
1.7 HTML_IMAGE_ONLY_08     BODY: HTML: images with 400-800 bytes of words
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's
                           domain
0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
2.0 LIST_PARTIAL_SHORT_MSG Incomplete mailing list headers + short
                           message

Example of DKIM failing on AOL.com:

Return-Path: <[email protected]>
Received: from mail.mailserver.com (mail.mailserver.com [MAIL-SERVER-IP])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by mtaig-aaj03.mx.aol.com (Internet Inbound) with ESMTPS id 8994670000095
    for <[email protected]>; Wed, 27 Apr 2016 10:40:37 -0400 (EDT)
Received: from anothersubdomain.mailer.com (unknown [ANOTHER-IP])
    by mail.mailserver.com (Postfix) with ESMTPA id E209040DC5
    for <[email protected]>; Wed, 27 Apr 2016 14:40:35 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
    d=replaced.com; s=mail; t=1461768035;
    bh=xeyQpzG8DUkOjVoBaQKDREDNNMY65POvqFqSduSIYlk=;
    h=Date:From:Reply-To:To:List-Unsubscribe:Subject:From;
    b=LlYKos9npzLMlbflARsTIe8ryzAU9cMdaseHMAWJQgXgzLg9TT1VB5P5HC7+VBjqt
     dgcEoJ3f48XQU11FXjYGt3DG2Z4n7htbJoz113JTOLIynAHEnvT5N3Zk8IaJQhOA17
     /EXrYL3X4zBMiE/1xbSmSA/OlgcFBHEavvRnBJ6w=
User-Agent: AGENT-REPLACED
Date: Wed, 27 Apr 2016 14:40:35 +0000
From: "Replaced" <[email protected]>
Sender: <[email protected]>
Reply-To: "Replaced" <[email protected]>
To: [email protected]
X-FBL: client-5595338668
X-Data: client-5595338668
X-Report-Abuse: Please report abuse here: [email protected]
List-Unsubscribe:: <mailto:[email protected]?subject=unsubscribe>, <UNSUB-LINK>
Subject: =?utf-8?Q?test?=
X-Sender: [email protected]
X-Mailer: MAILER-REPLACED
X-Priority: 3 (Normal)
Message-ID: <[email protected]>
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="B_ALT_5720cf63d996e"
x-aol-global-disposition: S
X-AOL-SCOLL-AUTHENTICATION: mtaig-aaj03.mx.aol.com ; domain : replaced.com DKIM : fail
Authentication-Results: mx.aol.com;
    spf=pass (aol.com: the domain mailserver.com reports MAIL-SERVER-IP as a permitted sender.) smtp.mailfrom=mailserver.com;
    dkim=fail (aol.com: Message body hash computation failed verification.) header.d=replaced.com;
X-AOL-REROUTE: YES
x-aol-sid: 3039ac1b03c35720cf6433ad
X-AOL-IP: 52.87.69.25
X-AOL-SPF: domain : mailserver.com SPF : pass

Again, keep in mind that identifying information has been changed.

I also sent an email to [email protected] to get an additional report from another party. All tests passed (rDNS, DKIM, SPF, blacklist check, greeting check, SpamAssassin check and greylisting check) except the bounce address tag validation check, which should not cause my emails to be rejected or bulked.

I have been searching for solutions to these problems. So far none have worked. Any suggestions?

Answer 1

The email sent to AOL and the email sent to Port25 were DKIM-signed differently.

When you send it to AOL you sign with c=relaxed/simple; when you send it to Port25 it is c=relaxed/relaxed. You are not actually comparing like with like.

That said, many DKIM verifiers have problems with simple canonicalization, so stick with relaxed. If you test by sending an email to [email protected], they test with 4 different DKIM verifiers, 2 of which are not behind a paywall. When you see differences between verifiers, it is usually a bug. But in your case I am not so sure, since the tests you did are not really an exact comparison; you should send the same email to Port25, AOL, mailtest and all the verifiers on the To: line. That will give you an apples-to-apples comparison.
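The AOL "body hash computation failed" result in the question and the simple-vs-relaxed canonicalization point in Answer 1 both come down to how the bh= tag is computed. The following is an added example, not code from the original post or from OpenDKIM: it implements the two RFC 6376 body canonicalizations in Python, shows which body changes each one survives (the sample body and its modified copies are constructed for the example), and recomputes bh= from a DKIM-Signature header value so a received message can be checked against its own signature. The d= and s= values in the sample header are placeholders.

```python
"""Added example (not from the original post or OpenDKIM): RFC 6376 body
canonicalization and the bh= body hash. Shows which body modifications
survive 'simple' vs 'relaxed' body canonicalization, and recomputes bh=
from a DKIM-Signature header the way a verifier such as AOL's does."""
import base64
import hashlib
import re


def canon_body_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3: drop trailing empty lines, end with exactly one CRLF."""
    lines = body.split(b"\r\n")
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n"


def canon_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4: collapse runs of SP/HTAB to one SP, strip trailing WSP,
    drop trailing empty lines, end with one CRLF (an empty body stays empty)."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


CANON = {"simple": canon_body_simple, "relaxed": canon_body_relaxed}
HASH = {"rsa-sha1": hashlib.sha1, "rsa-sha256": hashlib.sha256}


def body_hash(body: bytes, canon: str = "simple", algo: str = "rsa-sha256") -> str:
    """The bh= value: base64 of the hash over the canonicalized body."""
    return base64.b64encode(HASH[algo](CANON[canon](body)).digest()).decode()


def parse_dkim_tags(header: str) -> dict:
    """Parse a 'tag=value; tag=value' DKIM-Signature value; folding whitespace
    inside values (as in the headers quoted above) is discarded."""
    tags = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def verify_body_hash(dkim_signature: str, body: bytes) -> bool:
    """Recompute bh= with the c= and a= the signer declared and compare it.
    A mismatch is exactly AOL's 'Message body hash computation failed'."""
    tags = parse_dkim_tags(dkim_signature)
    c = tags.get("c", "simple/simple")  # a lone 'relaxed' means relaxed/simple
    body_canon = c.split("/")[1] if "/" in c else "simple"
    return body_hash(body, body_canon, tags.get("a", "rsa-sha256")) == tags["bh"]


# Constructed sample body, in the CRLF form an MTA hands to a verifier.
ORIGINAL = b"Hello,\r\n\r\nThis is\ta test.  \r\nRegards\r\n"

# Constructed modifications of the kind that happen between signer and verifier.
VARIANTS = {
    # Body built with bare "\n" (e.g. by a script) while the verifier sees CRLF:
    # to the canonicalizer the whole body is one line, so no mode rescues it.
    "lf_only": ORIGINAL.replace(b"\r\n", b"\n"),
    # Trailing whitespace added to a line by a relay or client.
    "trailing_ws": ORIGINAL.replace(b"Regards\r\n", b"Regards   \r\n"),
    # Extra blank lines appended at the end of the body.
    "extra_blank": ORIGINAL + b"\r\n\r\n",
    # A tab inside a line rewritten as spaces.
    "tab_to_spaces": ORIGINAL.replace(b"is\ta", b"is    a"),
}


def survives(variant: bytes, original: bytes = ORIGINAL) -> dict:
    """For each body canonicalization, does bh= of the modified body still match?"""
    return {c: body_hash(variant, c) == body_hash(original, c) for c in CANON}


if __name__ == "__main__":
    for name, variant in VARIANTS.items():
        print(f"{name:14s} {survives(variant)}")
    # Hypothetical signature tags (d=/s= placeholders, b= left empty): only bh=
    # matters here, and c= selects the body canonicalization.
    sig = ("v=1; a=rsa-sha256; c=relaxed/simple; d=replaced.com; s=mail; bh="
           + body_hash(ORIGINAL, "simple") + "; h=From:To:Subject; b=")
    print("verify original:   ", verify_body_hash(sig, ORIGINAL))
    print("verify trailing_ws:", verify_body_hash(sig, VARIANTS["trailing_ws"]))
```

Relaxed body canonicalization survives trailing whitespace and whitespace rewriting inside lines; neither mode survives CRLF being replaced by bare LF, so a signer that hashes a body built with \n while the verifier sees CRLF fails at every verifier, not just one. To check a real message, pass verify_body_hash the received DKIM-Signature header value and the raw body bytes exactly as the MTA delivered them.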

Answer 2

I recently ran into the same problem, although not related to AOL. Gmail failed my DKIM, and when I dug deeper I found it failed everywhere (e.g. mail-tester.com, dkimvalidator.com), indicating the body had been altered. Oddly, according to dkimcore.org/c/keycheck the DKIM math was correct (if you try dkimcore.org, the "selector" is just "dkim", without quotes, assuming your DNS DKIM entry has a host value of dkim._domainkey). I believe the cause was a hash difference caused by \n vs \r\n on different systems, but I could not confirm this.

To get everything working, I modified the DNS TXT _dmarc record by adding adkim=r; which is similar to @Henry's answer.

So your _dmarc record could be:

TXT _dmarc v=DMARC1; p=none; adkim=r; rua=mailto:[email protected]

FYI, v=DMARC1 means the protocol version is DMARC1. p=none means we choose none as the policy for our domain. rua stands for the reporting URI for aggregate reports; the email address tells the world where reports should be sent. Replace [email protected] with your real email address to receive aggregate DMARC reports.
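Answer 2's adkim=r tag and the question of whether the Sender/Return-Path domain also needs a signature are both DMARC identifier alignment questions. As an added example, not from the original post or from any DMARC library, the following Python evaluates alignment for the identifiers visible in the headers above: From: on replaced.com, DKIM d=replaced.com, and the VERP MAIL FROM on mailserver.com. The rua address in the record is a placeholder assumption, and the organizational-domain function is a two-label simplification of the Public Suffix List lookup a real evaluator performs.

```python
"""Added example (not from the original post): a minimal DMARC identifier
alignment check, to see what adkim=r / aspf=r actually change and why only
the From-domain DKIM signature carries DMARC for the setup in the question."""


def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=none; adkim=r; ...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. Assumption for this example: the last two labels.
    A real evaluator derives it from the Public Suffix List (co.uk etc.)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """RFC 7489 alignment: 's' needs an exact match, 'r' (the default) accepts
    any domain sharing the organizational domain of the RFC5322.From."""
    if mode == "s":
        return from_domain.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(record: str, from_domain: str, dkim_results, spf_result) -> dict:
    """dkim_results: iterable of (d= domain, verified); spf_result: (MAIL FROM
    domain, passed). DMARC passes if any *aligned* DKIM or SPF identifier passes."""
    tags = parse_dmarc(record)
    adkim, aspf = tags.get("adkim", "r"), tags.get("aspf", "r")
    dkim_aligned = any(ok and aligned(from_domain, d, adkim) for d, ok in dkim_results)
    mailfrom, spf_ok = spf_result
    spf_aligned = bool(spf_ok and aligned(from_domain, mailfrom, aspf))
    return {
        "pass": dkim_aligned or spf_aligned,
        "dkim_aligned": dkim_aligned,
        "spf_aligned": spf_aligned,
        "policy": tags.get("p", "none"),
    }


# The record from the answer above; the rua address is a placeholder assumption.
RECORD = "v=DMARC1; p=none; adkim=r; rua=mailto:dmarc@replaced.com"

# Identifiers as in the question's Port25 report: From: on replaced.com,
# DKIM d=replaced.com verified, VERP MAIL FROM on mailserver.com with SPF pass.
PORT25_CASE = dict(from_domain="replaced.com",
                   dkim_results=[("replaced.com", True)],
                   spf_result=("mailserver.com", True))
# The same message as AOL saw it: the DKIM body hash failed.
AOL_CASE = dict(PORT25_CASE, dkim_results=[("replaced.com", False)])
# Mandrill-style: the ESP signs only with its own domains.
ESP_CASE = dict(from_domain="replaced.com",
                dkim_results=[("mandrillapp.com", True),
                              ("mail132-12.atl131.mandrillapp.com", True)],
                spf_result=("mandrillapp.com", True))


if __name__ == "__main__":
    for name, case in (("port25", PORT25_CASE), ("aol", AOL_CASE), ("esp", ESP_CASE)):
        print(f"{name:7s} {evaluate_dmarc(RECORD, **case)}")
    # Subdomain From: against the parent's d=: adkim=r aligns, adkim=s does not.
    for mode in ("r", "s"):
        print("adkim=" + mode, aligned("news.replaced.com", "replaced.com", mode))
```

Two things the cases show. With the VERP envelope on mailserver.com, SPF passes but never aligns with a replaced.com From:, so DMARC for replaced.com rests entirely on the replaced.com DKIM signature; once that signature fails, as in the AOL case, a p=reject policy on replaced.com would have the message rejected. adkim=r only relaxes the domain comparison (a subdomain From: against a parent d=); it does not enter into the body hash computation, so it cannot repair a bh= mismatch. An ESP signature in the ESP's own domain, as in the Mandrill headers, contributes the ESP's reputation but does not align; the signature DMARC counts is an aligned one from the From: domain.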
