I have multiple Postfix servers sending mail on behalf of my domain (example.com). When a sender address is supplied, DKIM and SPF pass fine. However, I have noticed in the DMARC reports that many messages sent from my Postfix servers fail.
Each postfix server maps to a subdomain in our DNS (smtp1.example.com, smtp2.example.com). Reverse lookups are configured on AWS for the sending IPs.
When an email bounces, postfix sends a non-delivery notification email to the sender, but that message comes from the null sender. These messages appear to fail the DKIM and SPF checks because they come from [email protected] rather than [email protected].
What is the best way to manage this? Should I create DKIM and SPF records for each subdomain? Is there a way to customize the mailer-daemon sender in postfix so that it sends from the domain rather than the subdomain?
Update:
I found that in "/etc/postfix/main.cf" I needed to change the $mydomain variable to example.com and set $myorigin to use $mydomain, but DKIM is not attached. I use OpenDKIM to apply DKIM to every outgoing message, but since postfix uses from=<> rather than [email protected] it seems to skip it, though I am not sure that is the cause.
Update:
I can add "internal_mail_filter_classes = bounce" to "/etc/postfix/main.cf" to get DKIM applied to bounced emails, as described here:
http://www.postfix.org/MILTER_README.html
I am still wondering whether this is the best way to achieve my goal.
Update:
The bounced email comes from [email protected], but the recipient sees the email as sent from smtp1.example.com and signed by example.com. This requires me to configure another spf record for smtp1.example.com, which I do not want to do. Bounce messages should appear to be sent by the root domain.
How can I achieve this?
Update:
Adding the email headers and the output of postconf -n. I have only obfuscated IP addresses and domain names. The email was received by a domain hosted on Gmail.
Email headers
Delivered-To: [email protected]
Received: by 2002:a2e:45d5:0:0:0:0:0 with SMTP id s204-v6csp753516lja;
Wed, 26 Sep 2018 10:59:51 -0700 (PDT)
X-Google-Smtp-Source: ACcGV62LaRKlAeJoVcCqIQRgHXwen7bLAev7n/gyBtIF7yWMLpmgBaL1q8D3Qm0zEMcDjPEmCjCz
X-Received: by 2002:a0c:a9d2:: with SMTP id c18-v6mr54933qvb.191.1537984791474;
Wed, 26 Sep 2018 10:59:51 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1537984791; cv=none;
d=google.com; s=arc-20160816;
b=0LNTMB+qiHPz1eHGcLyPLE1FcSmW30xptS1xcbd9Vmy1Wdx3/tg96AUrAeuoDSznHE
b96zAG+sJHLASokmbete92FHI1G8rD8PgjH/IUCJ48Tl6fBZwkdKU7AGYAJ/2TTCBAuV
V5qcBCIuomDpUVXLeDNYSpTPEpAtaUrm+l5S3wIkZXlyzTsEL9utiVdoKTmYNcyXzM53
afDdaokbJdrmm6h904P49QEgm1/76LVyjh3QvpzVmVkmz7bsRleBypROkS4GERE0UD87
ZVEKMlCkVw8y2lUJwx8OvYTIALGHLsrjHk3cICv8uCsCQleDeMK+Y7mxJ4og8isdmEJm
aNTw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=message-id:mime-version:auto-submitted:to:subject:from:date
:dkim-signature;
bh=/kHg6GHVOA4im8+tNe6f5EdTttqwbtTK3EvxVBpLPe0=;
b=VNuEQyKlo1YCgSBznYzBqNzJzJHaTqIxYzzEOhVfWH7KP4IdBvSQ5nwbigujfhq+a1
ch04W6nNbOaeTvC6hRdztL+Qw+lria0hOIx6eo3Hc8swQseAv6+iKh8hwbL4DM1tr84l
wDmcPy808/tamGIBHacA1vhe7LU1ZWhaFmBcynllMaLXJDxDsJuZc2pAfQe3cu+1da0h
twdEY+fYo8tVlVC/A0fb6iedP57tYygfg1LMSZhOxqwWiFDuNsOOn2Px0geyYcHWiyTj
uZEtS4L1nfYr2J2tbeZsHMzrjPkM4etZMK52duSiNpMZnV0CN4dioHQcSskrik8Jgnmh
Ki/g==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass [email protected] header.s=example header.b="Kh/wMFFv";
spf=pass (google.com: domain of [email protected] designates <IP-Address> as permitted sender) smtp.helo=smtp1.example.com;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com
Return-Path: <>
Received: from smtp1.example.com (smtp1.example.com. [<IP-Address>])
by mx.google.com with ESMTPS id 144-v6si4528390qkh.294.2018.09.26.10.59.51
for <[email protected]>
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Wed, 26 Sep 2018 10:59:51 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates <IP-Address> as permitted sender) client-ip=<IP-Address>;
Authentication-Results: mx.google.com;
dkim=pass [email protected] header.s=example header.b="Kh/wMFFv";
spf=pass (google.com: domain of [email protected] designates <IP-Address> as permitted sender) smtp.helo=smtp1.example.com;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com
Received: by smtp1.example.com (Postfix) id 1CEE260DBC; Wed, 26 Sep 2018 17:59:51 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=example; t=1537984791; bh=DalucSR/izsrTI/4cwdDwKrGi8R0OywUerOF7byykLI=; h=Date:From:Subject:To; b=Kh/wMFFvEE/uPx/7qKnYVZZACU6zzLl9S+Jwr1hXSBhIg0mfkqpVXgxvhUxqNkJXw
xIPvmuJU9ERlA5RqT+xUC3y4kkxIbig6gBogUEFtOkbp1bNj+yWEKxcFpHJXEnDneP
Na3dzhGZScaUK83sKEPMFkjubyiPR/6uoc5zcEVc=
Date: Wed, 26 Sep 2018 17:59:51 +0000 (UTC)
From: Mail Delivery System <[email protected]>
Subject: Undelivered Mail Returned to Sender
To: [email protected]
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="DF7BD600B7.1537984791/smtp1.example.com"
Message-Id: <[email protected]>
Output of postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
bounce_notice_recipient = [email protected]
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = localhost
inet_protocols = ipv4
internal_mail_filter_classes = bounce
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
milter_default_action = accept
milter_protocol = 2
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = example.com
myhostname = smtp1.example.com
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_security_level = may
smtpd_milters = inet:127.0.0.1:8891
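The question turns on which identifiers a DMARC receiver actually evaluates for a null-sender bounce. The following is an added example, not code from the question or from Postfix/OpenDKIM: it pulls the identifiers out of a constructed, trimmed copy of the bounce headers above (the IP and the From address are placeholders, since the post obfuscates both; Gmail's header.from=example.com fixes the From domain) and runs the RFC 7489 alignment rules for the configurations the asker went through. The organizational-domain helper is a deliberate simplification (last two labels instead of a Public Suffix List lookup) and the scenario labels are mine.

```python
import re
from dataclasses import dataclass, field

# Constructed, trimmed copy of the bounce headers in the question. The IP and
# the From address are placeholders (the post obfuscates both); Gmail's
# "header.from=example.com" pins the From domain, which is what matters here.
BOUNCE_HEADERS = """\
Return-Path: <>
Received: from smtp1.example.com (smtp1.example.com. [192.0.2.10]) by mx.google.com with ESMTPS
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=example; h=Date:From:Subject:To; b=Kh/wMFFv
From: Mail Delivery System <mailer-daemon@example.com>
"""


@dataclass
class Identifiers:
    from_domain: str                 # RFC5322.From domain (what DMARC aligns against)
    spf_identity: str                # identity SPF is evaluated for
    spf_domain: str                  # domain part of that identity
    dkim_domains: list = field(default_factory=list)   # d= of every signature present


def header(raw, name):
    m = re.search(rf"^{name}:\s*(.*)$", raw, re.M | re.I)
    return m.group(1).strip() if m else ""


def spf_identity(return_path, helo):
    """RFC 7208 s2.4: with an empty MAIL FROM (a bounce), SPF checks
    postmaster@<HELO domain>, so the record consulted is the HELO domain's."""
    addr = return_path.strip().strip("<>")
    if not addr:
        return f"postmaster@{helo}", helo
    return addr, addr.rsplit("@", 1)[1]


def extract(raw):
    helo = re.search(r"^Received: from (\S+)", raw, re.M).group(1)
    ident, spf_dom = spf_identity(header(raw, "Return-Path"), helo)
    from_addr = re.search(r"<([^>]+)>", header(raw, "From")).group(1)
    dkim = re.findall(r"^DKIM-Signature:.*?\bd=([^;\s]+)", raw, re.M)
    return Identifiers(from_addr.rsplit("@", 1)[1].lower(), ident.lower(),
                       spf_dom.lower(), [d.lower() for d in dkim])


def org_domain(domain):
    # Simplification (assumption): last two labels stand in for a PSL lookup.
    return ".".join(domain.split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: 's' needs an exact match, 'r' (the default)
    only needs the same organizational domain, so smtp1.example.com aligns
    with example.com in relaxed mode but not in strict mode."""
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc(ids, spf_pass, dkim_pass, aspf="r", adkim="r"):
    """RFC 7489 s3.1: DMARC passes if at least one of SPF or DKIM both
    passed and aligns with the From domain."""
    spf_ok = spf_pass and aligned(ids.spf_domain, ids.from_domain, aspf)
    dkim_ok = dkim_pass and any(aligned(d, ids.from_domain, adkim)
                                for d in ids.dkim_domains)
    return "pass" if (spf_ok or dkim_ok) else "fail"


def scenarios():
    signed = extract(BOUNCE_HEADERS)
    unsigned = Identifiers(signed.from_domain, signed.spf_identity,
                           signed.spf_domain, [])
    return {
        # starting point: bounce unsigned, no SPF record for smtp1.example.com
        "unsigned, no SPF record on HELO domain": dmarc(unsigned, False, False),
        # SPF record added for smtp1.example.com, bounce still unsigned
        "unsigned, SPF on HELO domain, aspf=r": dmarc(unsigned, True, False, aspf="r"),
        "unsigned, SPF on HELO domain, aspf=s": dmarc(unsigned, True, False, aspf="s"),
        # internal_mail_filter_classes = bounce: the NDR now carries d=example.com
        "signed, no SPF record on HELO domain": dmarc(signed, False, True),
        "signed, aspf=s adkim=s": dmarc(signed, True, True, aspf="s", adkim="s"),
    }


if __name__ == "__main__":
    ids = extract(BOUNCE_HEADERS)
    print(f"SPF identity for this bounce: {ids.spf_identity}")
    for label, result in scenarios().items():
        print(f"{result:5s}  {label}")
```

The table it prints is the practical point: once the bounce is DKIM-signed with d=example.com, DMARC passes whether or not smtp1.example.com has an SPF record and whether or not the policy uses strict alignment; without the signature, the bounce depends entirely on an SPF record for the HELO host and on relaxed SPF alignment.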
Answer 1
As Michael mentioned, using an empty Return-Path <> on NDR messages is recommended. As you have experienced, many MTAs apply the DKIM signature based on this header. This results in a missing DKIM signature, but you have already been able to resolve that.
If the Return-Path is missing, SPF falls back to the HELO/EHLO domain, as described in the specification:
http://www.openspf.org/svn/project/specs/rfc4408.txt
e.g. if the reverse-path is null, then the EHLO/HELO domain is used, with its associated problems (see section 2.1)
If your main concern is making these messages DMARC compliant, then making sure DKIM is applied to the NDR messages is enough. In that case you do not need a separate SPF record for the smtp subdomains. It is recommended, though, to prevent receivers without DMARC support from dropping the NDR messages.
If you have a long list of SMTP servers, you could also publish a wildcard SPF record that allows your IP addresses.
Does this help?
Regards,
Michel
DMARC Analyzer
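The answer's wildcard suggestion has a DNS caveat worth checking before relying on it. The following is an added example, not part of Michel's answer and not DMARC Analyzer's code: a toy single-zone resolver over a constructed example.com zone (documentation IPs from RFC 5737, record contents and helper names all mine) that shows a wildcard TXT at *.example.com is never returned for smtp1.example.com once that name has its own A record, which it must have for the forward/reverse lookups the question describes. The HELO identity of a null-sender bounce is therefore only covered by an explicit per-host record. It also counts the mechanisms that consume the 10-lookup budget, since a long host list expressed as ip4 terms costs nothing there.

```python
import re

# Constructed zone for example.com (RFC 5737 documentation IPs). "*.example.com"
# carries a wildcard SPF record of the kind the answer mentions; the smtp hosts
# already have A records, as they must for forward/reverse lookups to work.
SPF_ALL_HOSTS = "v=spf1 ip4:192.0.2.10 ip4:192.0.2.11 -all"
ZONE = {
    "example.com":       {"MX": ["10 mx.example.com"], "TXT": [SPF_ALL_HOSTS]},
    "smtp1.example.com": {"A": ["192.0.2.10"]},
    "smtp2.example.com": {"A": ["192.0.2.11"]},
    "*.example.com":     {"TXT": [SPF_ALL_HOSTS]},
}

# SPF terms that cost a DNS lookup (RFC 7208 s4.6.4); ip4/ip6/all do not.
LOOKUP_MECHANISMS = ("a", "mx", "ptr", "exists", "include", "redirect")


def lookup(zone, name, rrtype):
    """Toy resolver for one zone. Per RFC 1034 s4.3.3 / RFC 4592, a wildcard
    is synthesized only when the queried name does not exist at all; a name
    that exists with other record types gets an empty (NODATA) answer."""
    name = name.lower().rstrip(".")
    if name in zone:
        return zone[name].get(rrtype, [])          # NODATA if the type is absent
    labels = name.split(".")
    for i in range(1, len(labels)):                # walk up to the closest encloser
        wild = "*." + ".".join(labels[i:])
        if wild in zone:
            return zone[wild].get(rrtype, [])
        if ".".join(labels[i:]) in zone:
            break                                  # an existing ancestor without a wildcard ends the search
    return []                                      # NXDOMAIN


def spf_record(zone, domain):
    """RFC 7208 s3 and s4.5: exactly one TXT record beginning "v=spf1 ";
    zero or several means no usable record (result none / permerror)."""
    spf = [t for t in lookup(zone, domain, "TXT") if t.lower().startswith("v=spf1 ")]
    return spf[0] if len(spf) == 1 else None


def dns_lookup_count(record):
    """Number of terms in a record that count toward the 10-lookup limit."""
    count = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")                 # drop qualifier
        key = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if key in LOOKUP_MECHANISMS:
            count += 1
    return count


def with_explicit_host_records(zone, hosts):
    """Return a copy of the zone where each smtp host has its own SPF TXT
    record built from its A record(s). This, not the wildcard, is what a
    receiver finds when it checks postmaster@smtp1.example.com for a bounce."""
    fixed = {owner: dict(rrs) for owner, rrs in zone.items()}
    for host in hosts:
        ips = fixed[host].get("A", [])
        fixed[host]["TXT"] = ["v=spf1 " + " ".join(f"ip4:{ip}" for ip in ips) + " -all"]
    return fixed


if __name__ == "__main__":
    for host in ("smtp1.example.com", "smtp9.example.com"):
        print(f"{host}: wildcard-only zone -> {spf_record(ZONE, host)}")
    fixed = with_explicit_host_records(ZONE, ["smtp1.example.com", "smtp2.example.com"])
    print(f"smtp1.example.com: explicit record -> {spf_record(fixed, 'smtp1.example.com')}")
    print("lookups consumed by the root record:", dns_lookup_count(SPF_ALL_HOSTS))
```

In the wildcard-only zone the query for smtp1.example.com returns no SPF record at all (the name exists, so the wildcard is not consulted), while a name that does not exist, such as smtp9.example.com, does get the wildcard. The same holds for a real zone: if you go the wildcard route, confirm with a TXT query against each actual HELO hostname rather than against an unused name.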