Mail to Gmail bounced due to DMARC validation failure

gmail-smtp-in.l.google.com[2a00:1450:400c:c09::1a] said: 550-5.7.1
Unauthenticated email from example.com is not accepted due to 550-5.7.1
domain's DMARC policy. Please contact the administrator of 550-5.7.1
example.com domain if this was a legitimate mail. Please visit 550-5.7.1
https://support.google.com/mail/answer/2451690 to learn about the 550 5.7.1
DMARC initiative. 45si7665571wrz.435 - gsmtp (in reply to end of DATA
command)

Unfortunately, because of this error I cannot send any email to Gmail addresses. Every message bounces and I receive an "Undelivered Mail Returned to Sender" message. I configured openDMARC and set up the DNS records. Apparently that is not enough. I checked with Mail-Tester.com and DMARC seems to work.

Feedback [email protected]

<feedback>
<report_metadata>
<org_name>google.com</org_name>
<email>[email protected]</email>
<extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
<report_id>3720877337221476870</report_id>
<date_range>
<begin>1520035200</begin>
<end>1520121599</end>
</date_range>
</report_metadata>
<policy_published>
<domain>example.com</domain>
<adkim>r</adkim>
<aspf>r</aspf>
<p>reject</p>
<sp>reject</sp>
<pct>100</pct>
</policy_published>
<record>
<row>
<source_ip>1.2.3.4</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>fail</dkim>
<spf>pass</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>example.com</header_from>
</identifiers>
<auth_results>
<spf>
<domain>example.com</domain>
<result>pass</result>
</spf>
</auth_results>
</record>
</feedback>

DNS records

mail                     IN A       1.2.3.4
@                        IN MX 10   mail
@                        IN TXT     "v=spf1 mx -all"
default._domainkey       IN TXT     "v=DKIM1; h=sha256; k=rsa; s=email; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2jjp/PoG+sdeuzlZ6uXIxoKSKphQvVwVB2MU8rye0wdxBvQhGrRquYBIc+Hz/vZX+ZNL5aQPWKP6HLA0OsFhCHlURxolQiv0aOYq7n4l+p00ToXxW6C+hinrK+N13+ast24znQ9zdIdkjf/z9ATdoxWmbTKAyNYQXC1vnGGoZclEq8AJID143MWtyXCRE5cvkUcDHUhukfupqm" "6Ho65JPyc4OKYP2v56zrrUvpuItLwdxRd50//tQy6Klorst+MltgsY7Ph9CMtXVEc9gMFbeYXVe6MMmp/WaLEU1Sx1N7ZkRxJrBXuWtBY5D1ZfyLP0e7LsMRqkl5W29+fi8+7O3wIDAQAB"
_dmarc                   IN TXT     "v=DMARC1; p=reject; rua=mailto:[email protected]"

Postfix main.cf

myhostname = mail.example.com
mydomain = example.com
mydestination = $myhostname, $mydomain, localhost, localhost.localdomain


mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
relayhost =
inet_interfaces = all
inet_protocols = all

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

append_dot_mydomain = no
delay_warning_time = 4h
readme_directory = no
compatibility_level = 2

# SSL/TLS parameters
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1


# Incoming
smtpd_tls_loglevel = 1
smtpd_tls_cert_file=/etc/letsencrypt/live/$mydomain/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/$mydomain/privkey.pem
smtpd_use_tls=yes
smtpd_tls_security_level=may
smtpd_tls_auth_only=yes
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers=high
smtpd_tls_eecdh_grade=ultra
smtpd_tls_dh1024_param_file=/etc/ssl/dh_2048.pem
smtpd_tls_dh512_param_file=/etc/ssl/dh_512.pem

# Outgoing
smtp_tls_loglevel = 1
smtp_tls_cert_file=/etc/letsencrypt/live/$mydomain/fullchain.pem
smtp_tls_key_file=/etc/letsencrypt/live/$mydomain/privkey.pem
smtp_use_tls=yes
smtp_tls_security_level=may
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_mandatory_ciphers=high
smtp_tls_ciphers = high
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

tls_high_cipherlist = !aNULL:!eNULL:!CAMELLIA:HIGH:@STRENGTH
tls_preempt_cipherlist = yes
tls_ssl_options = NO_COMPRESSION


lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
lmtp_tls_protocols = !SSLv2, !SSLv3


# Mailbox
home_mailbox = Maildir/
mailbox_command =

# DOVECOT
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
broken_sasl_auth_clients = no



alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mailbox_size_limit = 0
recipient_delimiter = +

smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        reject_invalid_hostname,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        reject_unauth_destination,
        reject_rbl_client sbl.spamhaus.org,
        reject_rbl_client cbl.abuseat.org, 
        reject_rbl_client bl.spamcop.net, 
        check_policy_service unix:private/policy-spf,
        check_sender_access hash:/etc/postfix/sender_access,
        check_recipient_access hash:/etc/postfix/recipient_access,
        permit

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

smtpd_helo_required = yes
smtpd_helo_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_invalid_helo_hostname,
        reject_non_fqdn_helo_hostname,
        reject_unknown_helo_hostname

# DKIM
milter_default_action = accept
milter_protocol = 6

# DKIM and OpenDMARC
smtpd_milters = inet:localhost:12345, inet:localhost:6789
non_smtpd_milters = inet:localhost:12345, inet:localhost:6789


# SPF
policy-spf_time_limit = 3600s

# Amavis
content_filter = smtp-amavis:127.0.0.1:10024
receive_override_options = no_address_mappings

disable_vrfy_command = yes


smtp_header_checks = regexp:/etc/postfix/smtp_header_checks

I don't know what to do about this. Any help would be greatly appreciated.

One more thing: "hostname --fqdn" shows "example.com". Do I need to set it to "mail.example.com"?
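For anyone reading the aggregate report above and trying to work out which authentication path actually carries the mail: the following is an added example (not code from the question or from Google's report tooling) that parses a DMARC aggregate report and recomputes the verdict per record. The sample report is constructed, modelled on the one in the question, and the report_id in it is a placeholder. The relaxed-alignment check is a simplification: RFC 7489 compares organizational domains via the Public Suffix List, which this code does not consult.

```python
# Added example: parse a DMARC aggregate report and recompute the DMARC
# verdict per record, showing which path (SPF or DKIM) passes with
# alignment and whether a DKIM signature was evaluated at all.
import xml.etree.ElementTree as ET

# Constructed sample report modelled on the Google report in the question.
# SPF passes and is aligned, but there is no <dkim> element under
# auth_results, meaning no DKIM signature was evaluated for this message.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <report_id>REPORT-ID-PLACEHOLDER</report_id>
    <date_range><begin>1520035200</begin><end>1520121599</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>reject</p>
    <sp>reject</sp>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>1.2.3.4</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def aligned(auth_domain, header_from, mode):
    """Alignment test: 's' requires an exact match, 'r' (relaxed) accepts the
    same domain or a subdomain. Simplification: the RFC compares
    organizational domains using the Public Suffix List, not done here."""
    a = auth_domain.lower().rstrip(".")
    h = header_from.lower().rstrip(".")
    if mode == "s":
        return a == h
    return a == h or a.endswith("." + h) or h.endswith("." + a)


def evaluate_record(record, policy):
    """Recompute DMARC for one <record>: pass if SPF or DKIM passes *and*
    its domain aligns with the RFC5322.From domain."""
    header_from = record.findtext("identifiers/header_from")
    spf_ok = any(
        s.findtext("result") == "pass"
        and aligned(s.findtext("domain"), header_from, policy["aspf"])
        for s in record.findall("auth_results/spf")
    )
    dkim_results = record.findall("auth_results/dkim")
    dkim_ok = any(
        d.findtext("result") == "pass"
        and aligned(d.findtext("domain"), header_from, policy["adkim"])
        for d in dkim_results
    )
    return {
        "source_ip": record.findtext("row/source_ip"),
        "count": int(record.findtext("row/count")),
        "header_from": header_from,
        "spf_aligned_pass": spf_ok,
        "dkim_aligned_pass": dkim_ok,
        # No <dkim> auth result at all: the receiver saw no signature to check.
        "dkim_signature_seen": bool(dkim_results),
        "dmarc_pass": spf_ok or dkim_ok,
        "disposition": record.findtext("row/policy_evaluated/disposition"),
    }


def parse_report(xml_text):
    """Return (published policy, list of evaluated records)."""
    root = ET.fromstring(xml_text)
    pp = root.find("policy_published")
    policy = {
        "domain": pp.findtext("domain"),
        "adkim": pp.findtext("adkim") or "r",
        "aspf": pp.findtext("aspf") or "r",
        "p": pp.findtext("p"),
    }
    return policy, [evaluate_record(r, policy) for r in root.findall("record")]


if __name__ == "__main__":
    policy, rows = parse_report(SAMPLE_REPORT)
    print(f"{policy['domain']}: p={policy['p']} adkim={policy['adkim']} aspf={policy['aspf']}")
    for r in rows:
        print(r)
        if not r["dkim_signature_seen"]:
            print(f"  {r['source_ip']}: no DKIM signature was evaluated on this mail")
```

Run against a real report from the rua= mailbox, a record with spf_aligned_pass false and dkim_signature_seen false is exactly the combination that produces the 550-5.7.1 bounce under p=reject: nothing authenticated, so the policy applies.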

Answer 1

I think I have fixed it; opendkim was the faulty part, not openDMARC.

I trimmed its configuration and added the correct selector. Now all emails reach Gmail.

AutoRestartRate         10/1M
AutoRestart             yes
Background              yes
Canonicalization        relaxed/simple
DNSTimeout              5
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
LogWhy                  yes
Mode                    sv
OversignHeaders         From
PidFile                 /var/run/opendkim/opendkim.pid
#ResolverConfiguration   /etc/unbound/unbound.conf
SignatureAlgorithm      rsa-sha256
SigningTable            refile:/etc/opendkim/SigningTable
Socket                  local:/var/run/opendkim/opendkim.sock
Syslog                  yes
TemporaryDirectory      /var/tmp
TrustAnchorFile         /usr/share/dns/root.key
UMask                   0002
UserID                  opendkim:opendkim
Nameservers             8.8.8.8,8.8.4.4

Domain                  example.com
Selector                default
KeyFile                 /etc/opendkim/keys/example.com/default.private
Canonicalization        relaxed/simple
AutoRestart             yes
AutoRestartRate         10/1M
Background              yes
PidFile                 /var/run/opendkim/opendkim.pid
Socket                  local:/var/run/opendkim/opendkim.sock

LogResults      yes
LogWhy          yes
SyslogSuccess   yes
Statistics      /var/log/dkim-filter/dkim-stats

TemporaryDirectory      /var/tmp

UMask                   0002
UserID                  opendkim:opendkim

TrustAnchorFile         /var/lib/unbound/root.key

Unbound as local resolver and TrustAnchorFile:

apt install unbound resolvconf
su -c "unbound-anchor -a /var/lib/unbound/root.key" - unbound
systemctl reload unbound
echo "nameserver 127.0.0.1" >> /etc/resolvconf/resolv.conf.d/head
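Since the fix came down to the selector, here is an added example (not part of the answer above, nor from the opendkim project) that sanity-checks a DKIM selector record offline, the way a verifier would read it: the TXT value is given as the list of quoted strings from the zone file, which the resolver concatenates, so a p= value split across strings as in the question's zone is handled. The key material is constructed (a DER header padded with zeros, the size of a 2048-bit RSA SubjectPublicKeyInfo), not the key from the question, and the function names are my own.

```python
# Added example: offline sanity check of a DKIM selector TXT record.
import base64
import re

# Constructed key material (hypothetical): a 2048-bit RSA
# SubjectPublicKeyInfo is 294 bytes of DER; fake it as a valid DER
# SEQUENCE header declaring 290 bytes of content, padded with zeros.
FAKE_SPKI_DER = b"\x30\x82\x01\x22" + b"\x00" * 290
FAKE_P = base64.b64encode(FAKE_SPKI_DER).decode()

# Zone-file strings as a resolver sees them, with p= split mid-value
# across two quoted strings, like the record in the question.
GOOD_TXT_STRINGS = [
    "v=DKIM1; h=sha256; k=rsa; s=email; ",
    "p=" + FAKE_P[:200],
    FAKE_P[200:],
]


def dkim_record_name(selector, domain):
    """DNS name a verifier queries for a signature with s=selector, d=domain."""
    return f"{selector}._domainkey.{domain}"


def parse_dkim_txt(strings):
    """Join the TXT strings and split the tag=value list (RFC 6376 3.2).
    Whitespace inside values is ignored, which is what lets a long p=
    span several quoted strings."""
    tags = {}
    for part in "".join(strings).split(";"):
        if "=" not in part:
            continue
        k, v = part.split("=", 1)
        tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def der_declared_length(der):
    """Total length the leading DER SEQUENCE header claims, or None."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_dkim_record(strings, expected_selector=None, name=None):
    """Return a list of human-readable problems; an empty list means the
    record looks usable for an rsa-sha256 signer."""
    problems = []
    tags = parse_dkim_txt(strings)
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append(f"unexpected v={tags['v']}")
    if tags.get("k", "rsa") != "rsa":
        problems.append(f"key type k={tags['k']} does not match an rsa-sha256 signer")
    h = tags.get("h")
    if h and "sha256" not in h.split(":"):
        problems.append(f"h={h} excludes sha256, so rsa-sha256 signatures fail")
    p = tags.get("p")
    if p is None:
        problems.append("no p= tag: record is not a usable key")
    elif p == "":
        problems.append("empty p= means 'key revoked': every signature fails")
    else:
        try:
            der = base64.b64decode(p, validate=True)
        except ValueError:
            problems.append("p= is not valid base64 (check the split between quoted strings)")
        else:
            declared = der_declared_length(der)
            if declared is None:
                problems.append("p= does not decode to a DER SEQUENCE (SubjectPublicKeyInfo)")
            elif declared != len(der):
                problems.append(f"DER length mismatch: header says {declared}, got {len(der)} bytes (truncated or extra data)")
    if expected_selector is not None and name is not None:
        if not name.startswith(expected_selector + "._domainkey."):
            problems.append(f"record name {name} does not use selector {expected_selector!r}")
    return problems


if __name__ == "__main__":
    name = dkim_record_name("default", "example.com")
    print(name, check_dkim_record(GOOD_TXT_STRINGS, "default", name) or "ok")
```

Feed it the strings from the live record (for example the output of a dig TXT query on the selector name) together with the Selector from opendkim.conf; a wrong selector or a truncated p= shows up immediately, which is the failure the answer describes.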
