I have configured postfix with opendkim and opendmarc. Outgoing mail is signed correctly, and incoming mail appears to be verified (dkim, spf, dmarc), with one glaring exception: anyone can connect to postfix on 25, send from [email protected] to [email protected], and it is delivered without question.
Log from an example message:
postfix/smtpd[10275]: 934533DA0157: client=60-241-c-d.tpgi.com.au[60.241.c.d]
postfix/cleanup[14306]: 934533DA0157: message-id=<[email protected]>
opendkim[16729]: 934533DA0157: 60-241-c-d.tpgi.com.au [60.241.c.d] not internal
opendkim[16729]: 934533DA0157: not authenticated
opendkim[16729]: 934533DA0157: external host 60-241-c-d.tpgi.com.au attempted to send as mydomain.com
opendkim[16729]: 934533DA0157: no signature data
opendmarc[32220]: implicit authentication service: host.mydomain.com
opendmarc[32220]: 934533DA0157: mydomain.com fail
postfix/qmgr[22948]: 934533DA0157: from=<[email protected]>, size=287090, nrcpt=2 (queue active)
postfix/smtpd[10275]: disconnect from 60-241-c-d.tpgi.com.au[60.241.c.d]
postfix/pipe[14316]: 934533DA0157: to=<[email protected]>, relay=spamassassin, delay=7.6, delays=4.3/0.01/0/3.2, dsn=2.0.0, status=sent (delivered via spamassassin service)
Abridged headers as delivered:
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: by host.mydomain.com (Postfix, from userid 987)
id D89DD3DA023E; Thu, 8 Sep 2016 14:58:55 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mydomain.com;
s=host; [...]
Received: from mydomain.com (60-241-c-d.tpgi.com.au [60.241.c.d])
by host.mydomain.com (Postfix) with SMTP id 934533DA0157
for <[email protected]>; Thu, 8 Sep 2016 14:58:48 +0000 (UTC)
Authentication-Results: host.mydomain.com; dmarc=fail header.from=mydomain.com
Authentication-Results: host.mydomain.com; spf=pass [email protected]
Message-ID: <[email protected]>
Date: Fri, 09 Sep 2016 00:54:26 +1000
From: "[email protected]" <[email protected]>
To: <[email protected]>
SPF record - A and MX contain only IPs I control. Deliberately redundant.
mydomain.com. 600 IN TXT "v=spf1 +a +mx +ip4:myrelay1 +ip4:myrelay2 -all"
opendkim.conf
Mode sv
Syslog yes
SyslogSuccess yes
LogWhy yes
Socket local:/var/run/opendkim/opendkim.sock
SendReports yes
ReportAddress "Xyz Postmaster" <[email protected]>
SoftwareHeader no
Canonicalization relaxed/relaxed
Domain mydomain.com
Selector host
MinimumKeyBits 1024
KeyFile /etc/opendkim/keys/host.private
InternalHosts refile:/etc/opendkim/TrustedHosts # contains 127.0.0.1 and ::1
OversignHeaders From
QueryCache yes
opendmarc.conf
FailureReports true
IgnoreAuthenticatedClients true
IgnoreHosts /etc/opendmarc/ignore.hosts # contains 127.0.0.1 and ::1
Socket local:/var/run/opendmarc/opendmarc.sock
SoftwareHeader false
SPFIgnoreResults true
SPFSelfValidate true
Syslog true
postfix main.cf
mynetworks_style = host
myorigin = $mydomain
non_smtpd_milters = unix:/var/run/opendkim/opendkim.sock, unix:/var/run/opendmarc/opendmarc.sock
smtp_header_checks = regexp:/etc/postfix/submission_header_checks
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3 TLSv1 TLSv1.1 TLSv1.2
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_milters = unix:/var/run/opendkim/opendkim.sock, unix:/var/run/opendmarc/opendmarc.sock
# rbl_override_whitelist OKs 127.0.0.1 and ::1
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject_unknown_sender_domain reject_unauth_pipelining check_client_access hash:/etc/postfix/rbl_override_whitelist
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.mydomain.com/privkey.pem
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 TLSv1 TLSv1.1 TLSv1.2
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf,mysql:/etc/postfix/mysql-email2email.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_transport = dovecot
Despite the external host attempted to send as mydomain.com log entry, opendkim still signed the message, and opendmarc then decided spf passed.
After a day of reading the opendkim and opendmarc docs and source, I am almost convinced these are bugs in opendkim and opendmarc, but I am hoping it is user error.
What do I need to do to stop opendkim signing incoming mail marked as from mydomain.com? And how do I troubleshoot or fix opendmarc deciding spf=pass?
Answer 1
Although the mail came from an external source, the accepted Return-Path is internal. The external host appears to have used your domain in its HELO command.
Return-Path: <[email protected]>
Received: from mydomain.com (60-241-c-d.tpgi.com.au [60.241.c.d])
by host.mydomain.com (Postfix) with SMTP id 934533DA0157
for <[email protected]>; Thu, 8 Sep 2016 14:58:48 +0000 (UTC)
The mail should be rejected based on the domain in the Return-Path and/or the domain in the HELO command. Try configuring your server to reject mail on those grounds. I think accepting the mail is a configuration issue on the mail server.
I believe OpenDKIM will correctly sign messages from local addresses even when an external IP address is used. This would be the case if you have authenticated from the Internet before sending.
Answer 2
One solution might be to use port 587 for submitting (SASL-authenticated) messages and reject unauthenticated mail submitted via port 25.
See this answer for details.
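The following is an added example, not from the question or either answer, that puts both suggestions into Postfix configuration: the HELO and envelope-sender rejection from Answer 1, and the port 25 / port 587 split from Answer 2. It assumes the question's own main.cf (mynetworks_style = host, Dovecot SASL at private/auth, smtpd_tls_auth_only = yes); mydomain.com, host.mydomain.com and the two lookup-table paths are placeholders, and the parameter names mx_helo_restrictions, mx_sender_restrictions, mx_recipient_restrictions and submission_restrictions are names chosen here. In the delivered headers the DKIM-Signature sits between the re-injection Received: line (Postfix, from userid 987, queue id D89DD3DA023E) and the original smtpd Received: line (queue id 934533DA0157), so the signature appears to have been added on the second, local pass through non_smtpd_milters after smtpd had already accepted the message; the restrictions below reject it on the first pass, before any milter sees it.

```ini
# /etc/postfix/main.cf  (additions; the question's other settings stay)
# Named restriction lists, referenced from master.cf below. A "-o" value in
# master.cf may not contain whitespace before Postfix 3.0, so the lists are
# defined here and referenced by name. Order matters: the permits for our own
# host and for SASL-authenticated clients come before the REJECT lookups, so
# only an unauthenticated outside client can reach the rejections.
smtpd_helo_required = yes
mx_helo_restrictions =
    permit_mynetworks,
    check_helo_access hash:/etc/postfix/helo_access,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname
mx_sender_restrictions =
    permit_mynetworks,
    check_sender_access hash:/etc/postfix/sender_access,
    reject_unknown_sender_domain
mx_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination
submission_restrictions =
    permit_sasl_authenticated,
    reject

# /etc/postfix/helo_access    (placeholder names; run postmap after editing)
mydomain.com         REJECT  HELO as our domain from an outside client
host.mydomain.com    REJECT  HELO as our host from an outside client

# /etc/postfix/sender_access  (placeholder domain; run postmap after editing)
# smtpd_access_maps is in parent_domain_matches_subdomains by default, so
# this single entry also matches sub.mydomain.com.
mydomain.com         REJECT  Senders in this domain must use authenticated submission

# /etc/postfix/master.cf
# Port 25: inbound MX traffic only. SASL is switched off on this service, so
# nothing on this port can authenticate, and our own domain in HELO or in
# MAIL FROM is always rejected before the message reaches the milters.
smtp      inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/mx
  -o smtpd_sasl_auth_enable=no
  -o smtpd_helo_restrictions=$mx_helo_restrictions
  -o smtpd_sender_restrictions=$mx_sender_restrictions
  -o smtpd_recipient_restrictions=$mx_recipient_restrictions

# Port 587: authenticated submission only, STARTTLS required before AUTH.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_client_restrictions=$submission_restrictions
  -o smtpd_recipient_restrictions=$submission_restrictions
```

After editing, run postmap hash:/etc/postfix/helo_access and postmap hash:/etc/postfix/sender_access, then postfix reload. postmap -q mydomain.com hash:/etc/postfix/sender_access should print the REJECT entry, and a repeat of the session from the question should now produce a NOQUEUE: reject: line from the postfix/mx service instead of a queue id, while users connecting to 587 with SASL are untouched. These are envelope checks only: a message with a forged header From: but an outside envelope sender still passes smtpd, and that case is what the opendmarc verdict is there to catch.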