Exim doesn't sign mail sent via SMTP from PHP

I have been struggling to get Exim to sign mail that I send using the Zend2 Mailer class. The class has an option to send via SMTP; that's great, because I've already configured everything at the MTA level.

However. Mail sent from the client (Thunderbird) gets signed. Mail sent with Zend2's Mailing class does not. Let's start with my Exim version.

Exim version 4.76 #1 built 19-Jul-2011 02:56:59
Copyright (c) University of Cambridge, 1995 - 2007
Berkeley DB: Berkeley DB 4.7.25: (November 12, 2010)
Support for: crypteq IPv6 Perl OpenSSL move_frozen_messages Content_Scanning DKIM Old_Demime
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Size of off_t: 8
Configuration file is /etc/exim.conf

Then the DKIM configuration. I tried looking up the domain with the method below instead of using the variable $sender_address_domain. I read in another serverfault post that the DATA command could malform the envelope, resulting in a strange sender address. That is not the case for me, though. Both resolve to the actual sender/from address.

[rob@server ~]$ exim -bP transports | grep dkim
dkim_canon = relaxed
dkim_domain = ${lc:${domain:$h_from:}}
dkim_private_key = ${if exists{/etc/virtual/$sender_address_domain/dkim.private.key}{/etc/virtual/$sender_address_domain/dkim.private.key}{0}}
dkim_selector = x
dkim_sign_headers = MIME-Version:Date:Message-ID:Subject:From:To
dkim_strict = 0

The key is there. The configuration works, verified by sending mail through Thunderbird.

Then I asked myself whether these mails actually go through the SMTP server. The answer is yes, they do. I checked /var/log/exim/mainlog. Now I also noticed that the mail from Thunderbird does not get a "receiving mail" log line. I don't know why? If anyone knows the reason, could you elaborate? PHP connects using the SMTP login method, with exactly the same SMTP information as Thunderbird. Same port, domain, username, password.

https://framework.zend.com/manual/2.4/en/modules/zend.mail.smtp.options.html#zend-mail-smtp-options

# This is the mail received from the PHP code.
2016-11-15 08:28:52 1c6YAm-000154-6p <= [email protected] H=mydomain.com [ipv4.addr] P=esmtpa A=login:[email protected] S=22098 id=26412cc5accb22e5ce03925c7ac38a7c95c398cb19d5736fa41fb565c8dc1254@mydomain.com T="Another day at the office with DKIM..." from <[email protected]> for [email protected]

# Here it is outbound for its destination. Not signed to be noted.
2016-11-15 08:28:52 1c6YAm-000154-6p => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=22157 H=gmail-smtp-in.l.google.com [ipv6.addr] X=UNKNOWN:ECDHE-RSA-AES128-GCM-SHA256:128 C="250 2.0.0 OK 1479194932 yr4si27147042wjc.210 - gsmtp"

# This is sent with Thunderbird. This gets signed...
2016-11-15 08:31:47 1c6YDa-0001CM-UY => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=762 H=gmail-smtp-in.l.google.com [ipv6.addr] X=UNKNOWN:ECDHE-RSA-AES128-GCM-SHA256:128 C="250 2.0.0 OK 1479195107 s17si1915514wme.47 - gsmtp"

These mails aren't rejected either, and they can't be found in the panic log. Both arrived in my gmail account:

# This is the mail sent from Thunderbird. With DKIM signing.

Delivered-To: [email protected]
Received: by 10.80.186.18 with SMTP id g18csp1289759edc;
        Mon, 14 Nov 2016 23:31:47 -0800 (PST)
X-Received: by 10.194.248.5 with SMTP id yi5mr384988wjc.11.1479195107193;
        Mon, 14 Nov 2016 23:31:47 -0800 (PST)
Return-Path: <[email protected]>
Received: from myserver.com (myserver.com. [ipv6.addr])
        by mx.google.com with ESMTPS id s17si1915514wme.47.2016.11.14.23.31.47
        for <[email protected]>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 14 Nov 2016 23:31:47 -0800 (PST)
Received-SPF: pass (google.com: domain of [email protected] designates ipv6.addr as permitted sender) client-ip=ipv6.addr;
Authentication-Results: mx.google.com;
       dkim=pass [email protected];
       spf=pass (google.com: domain of [email protected] designates ipv6.addr as permitted sender) [email protected];
       dmarc=pass (p=NONE dis=NONE) header.from=mydomain.com
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mydomain.com; s=x;
    h=Content-Transfer-Encoding:Content-Type:MIME-Version:Date:Message-ID:Subject:From:To; bh=zaNQl8a2eAEHfPVmKMA7RmtMqJ/6huDk4u6pr/tWrqQ=;
    b=xcDHIzzTWS8hPMxjqbZM0I6b/act/LlweTuNcnZJ9ttEF1dAm37Lzy8zOJz2E2aDTkcQOdCQuC+VyIaXTRzTMJXyzJTUXTgPUPOePsR5XYqqsE0iQRMkDl/Ah650kBHD5drqIrFJwCw5g0aL9OECqTyRO9kwL0DQJX/mKcTkLtiiIs7Z7G77ZwWhJpFm/duoQARtZZ1UZFu42/Vbl+V8vSoWbXoZBpg+WBGucWJoGq+hb5zILxwsMPcbrIu+avBjjoUdLVP9YMFiPC3nK+7zOGBWOO7x6QoHQmO8uo0P88E52Sm9ZJGgLQOCfFCMjCnv4IMemj/GSe25Sf8PKah/Xg==;
Received: from 159-032-128-083.dynamic.caiway.nl ([83.128.32.159] helo=[192.168.1.108])
    by myserver.com with esmtpsa (UNKNOWN:AES128-SHA:128)
    (Exim 4.76)
    (envelope-from <[email protected]>)
    id 1c6YDa-0001CM-UY
    for [email protected]; Tue, 15 Nov 2016 08:31:46 +0100
To: Rob van der Lee <[email protected]>
From: Rob van der Lee <[email protected]>
Subject: Dit is een verzonden mail via account
Message-ID: <[email protected]>
Date: Tue, 15 Nov 2016 08:31:46 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
 Thunderbird/45.4.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit

Dit is echt een test.

This is the unsigned mail sent from PHP.

Delivered-To: [email protected]
Received: by 10.80.186.18 with SMTP id g18csp1288906edc;
        Mon, 14 Nov 2016 23:28:52 -0800 (PST)
X-Received: by 10.28.170.134 with SMTP id t128mr2009669wme.29.1479194932632;
        Mon, 14 Nov 2016 23:28:52 -0800 (PST)
Return-Path: <[email protected]>
Received: from myserver.com (myserver.com. [ipv6.addr])
        by mx.google.com with ESMTPS id yr4si27147042wjc.210.2016.11.14.23.28.52
        for <[email protected]>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 14 Nov 2016 23:28:52 -0800 (PST)
Received-SPF: pass (google.com: domain of [email protected] designates ipv6.addr as permitted sender) client-ip=ipv6.addr;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of [email protected] designates ipv6.addr as permitted sender) [email protected];
       dmarc=pass (p=NONE dis=NONE) header.from=mydomain.com
Received: from mydomain.com ([37.97.128.104])
    by myserver.com with esmtpa (Exim 4.76)
    (envelope-from <[email protected]>)
    id 1c6YAm-000154-6p
    for [email protected]; Tue, 15 Nov 2016 08:28:52 +0100
Date: Tue, 15 Nov 2016 07:28:52 +0000
To: [email protected]
From: Rob van der Lee <[email protected]>
Sender: Rob van der Lee <[email protected]>
Subject: Another day at the office with DKIM...
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="=_7ebb8a8d12984c5cc3f5fbf995b1b4ad"
Message-ID: <26412cc5accb22e5ce03925c7ac38a7c95c398cb19d5736fa41fb565c8dc1254@mydomain.com>

This is a message in Mime Format.  If you see this, your mail reader does not support this format.

--=_7ebb8a8d12984c5cc3f5fbf995b1b4ad
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

... content of mail in text and then html, left it out since not relevant.

I really don't get why Exim doesn't sign this mail. From the log file you can see that both mails go out via remote_smtp, T=remote_smtp; according to my MTA configuration all outbound mail via remote_smtp should be signed.

Apart from that, the mail is actually sent and arrives in the mailbox. Hope I can learn something from this.

Update:

On Daniel's suggestion I tried resolving the domain internally and handling the SMTP requests myself instead of letting my provider do it. That didn't help; the mail is still sent unsigned.

The logs also look the same as mentioned above.

dig request, old situation:

;; QUESTION SECTION:
;mydomain.com.      IN  NS

;; ANSWER SECTION:
mydomain.com.   86400   IN  NS  ns1.transip.nl.
mydomain.com.   86400   IN  NS  ns2.transip.eu.
mydomain.com.   86400   IN  NS  ns0.transip.net.

dig request, new situation:

;; QUESTION SECTION:
;mydomain.com.      IN  NS

;; ANSWER SECTION:
mydomain.com.   14400   IN  NS  ns2.myserver.com.
mydomain.com.   14400   IN  NS  ns1.myserver.com.

Update with answer:

I also filed a bug ticket on the Exim bug tracker. Wanted to ask the experts for help; Jeremy Harris pointed me in the right direction.

Jeremy Harris 2016-11-15 14:58:55 GMT

First, if you're running Exim 4.76 - update it.

Then, assuming the problem still exists:  restart your daemon with a commandline
debug option, collecting output.  Feed it a test mail.  Examine the debug output,
which shows the processing flow for the message.  Compare with your config and
work out where it differs from what you expected.

I did what he said. After updating, the problem was still there. Sent 2 mails in debug mode. One signed, the other not.

I started comparing carefully and saw that the bodies of both mails start being fed into PDKIM (Exim's dkim library). Then I noticed that my unsigned mail had no ending after the body like the signed mail had.

I figured it had to do with the content; so I sent a mail from the PHP side containing only one line of text. That one got signed...

The solution? Line wrapping! I hadn't thought of that! I really don't feel very smart right now. Because I knew about it beforehand. The RFC 2646 spec tells us all about it.

Hope this post helps someone else. It was a nice journey, but stupidly the problem was in my own implementation.
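Added example (not from the original post, nor Exim or Zend code): a pre-flight check for the condition the asker arrived at, unwrapped body lines. It flags lines over the RFC 5322 hard limit of 998 octets and re-encodes text parts as quoted-printable so the encoder inserts soft line breaks before the message reaches the MTA. The message and addresses are constructed stand-ins for the PHP-generated mail.

```python
import email
from email import policy

# RFC 5322 section 2.1.1: a line MUST NOT exceed 998 octets, CRLF excluded.
MAX_LINE_OCTETS = 998

# Constructed stand-in for the PHP-generated message: one unwrapped body
# line of 1170 octets, sent 8bit. Addresses are placeholders.
LONG_LINE = b"Another day at the office with DKIM... " * 30
SAMPLE_UNSIGNED = (
    b"From: Rob <rob@mydomain.example>\n"
    b"To: rob@recipient.example\n"
    b"Subject: Another day at the office with DKIM...\n"
    b"MIME-Version: 1.0\n"
    b"Content-Type: text/plain; charset=UTF-8\n"
    b"Content-Transfer-Encoding: 8bit\n"
    b"\n" + LONG_LINE + b"\n"
)

def overlong_lines(raw, limit=MAX_LINE_OCTETS):
    """Return [(line_no, octets)] for every line longer than the limit."""
    hits = []
    for no, line in enumerate(raw.split(b"\n"), start=1):
        octets = len(line.rstrip(b"\r"))
        if octets > limit:
            hits.append((no, octets))
    return hits

def wrap_text_parts(raw):
    """Re-encode every text/* part as quoted-printable; the encoder adds
    soft line breaks so no body line exceeds the policy's 78 octets."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            text = part.get_content()          # decoded str, whatever the CTE
            part.set_content(text, subtype=part.get_content_subtype(),
                             charset="utf-8", cte="quoted-printable")
    return msg.as_bytes()

def body_text(raw):
    """Decoded text of the first text/* part, for round-trip checks."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            return part.get_content()
    return ""
```

Running `overlong_lines` on the re-encoded output returns an empty list, while `body_text` still decodes to the original text.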

Answer 1

(I can't comment, so this isn't really an answer, but I hope it helps)

A while back I dealt with the same issue, and it gave me a headache; I have two nameservers, one external at the hosting company and one also running on the server itself to handle internal naming. (You look Dutch; a TransIP VPS with cPanel, with the domain handled on the TransIP side.)

Now, I had set up DKIM on the external DNS, so it worked for most cases but not for my PHP mail function, so I needed to set it up on the internal (cPanel) DNS as well to make it work for PHP.

(Also, when I searched for this issue I found some problems with 7-bit and 8-bit content transfer encoding, but that made no difference in my case)
